clerie/nixfiles
1
0
Fork 0
Code Activity

Compare commits

base: clerie:migrate-to-lix
Branches Tags
clerie:master clerie:updated-inputs clerie:updated-inputs-2025-11-15-02-03 clerie:updated-inputs-2025-11-13-02-03 clerie:updated-inputs-2025-11-10-02-03 clerie:updated-inputs-2025-11-09-02-03 clerie:updated-inputs-2025-11-07-02-03 clerie:updated-inputs-2025-11-04-02-03 clerie:updated-inputs-2025-11-02-02-03 clerie:updated-inputs-2025-10-30-02-03 clerie:updated-inputs-2025-10-28-02-03 clerie:updated-inputs-2025-10-27-02-03 clerie:updated-inputs-2025-10-25-01-03 clerie:updated-inputs-2025-10-23-01-03 clerie:updated-inputs-2025-10-20-01-03 clerie:updated-inputs-2025-10-16-01-03 clerie:updated-inputs-2025-10-14-01-03 clerie:updated-inputs-2025-10-11-01-03 clerie:updated-inputs-2025-10-09-01-03 clerie:updated-inputs-2025-10-08-01-03 clerie:updated-inputs-2025-10-03-01-03 clerie:updated-inputs-2025-09-30-01-03 clerie:updated-inputs-2025-09-28-01-03 clerie:updated-inputs-2025-09-26-01-03 clerie:updated-inputs-2025-09-24-01-03 clerie:updated-inputs-2025-09-22-01-03 clerie:updated-inputs-2025-09-21-01-03 clerie:updated-inputs-2025-09-20-01-03 clerie:updated-inputs-2025-09-19-01-03 clerie:updated-inputs-2025-09-14-01-03 clerie:updated-inputs-2025-09-12-01-03 clerie:updated-inputs-2025-09-10-01-03 clerie:updated-inputs-2025-09-09-01-03 clerie:updated-inputs-2025-09-08-01-03 clerie:updated-inputs-2025-09-04-01-03 clerie:updated-inputs-2025-08-31-01-03 clerie:updated-inputs-2025-08-30-01-03 clerie:updated-inputs-2025-08-28-01-03 clerie:updated-inputs-2025-08-27-01-03 clerie:updated-inputs-2025-08-21-01-03 clerie:updated-inputs-2025-08-18-01-03 clerie:updated-inputs-2025-08-17-01-03 clerie:updated-inputs-2025-08-16-01-03 clerie:updated-inputs-2025-08-15-01-03 clerie:migrate-to-lix clerie:gpg-test
...
compare: clerie:4fa4c8d66983844739b9192bffba101bca026492
Branches Tags
clerie:updated-inputs clerie:updated-inputs-2025-11-15-02-03 clerie:updated-inputs-2025-11-13-02-03 clerie:updated-inputs-2025-11-10-02-03 clerie:updated-inputs-2025-11-09-02-03 clerie:master clerie:updated-inputs-2025-11-07-02-03 clerie:updated-inputs-2025-11-04-02-03 clerie:updated-inputs-2025-11-02-02-03 clerie:updated-inputs-2025-10-30-02-03 clerie:updated-inputs-2025-10-28-02-03 clerie:updated-inputs-2025-10-27-02-03 clerie:updated-inputs-2025-10-25-01-03 clerie:updated-inputs-2025-10-23-01-03 clerie:updated-inputs-2025-10-20-01-03 clerie:updated-inputs-2025-10-16-01-03 clerie:updated-inputs-2025-10-14-01-03 clerie:updated-inputs-2025-10-11-01-03 clerie:updated-inputs-2025-10-09-01-03 clerie:updated-inputs-2025-10-08-01-03 clerie:updated-inputs-2025-10-03-01-03 clerie:updated-inputs-2025-09-30-01-03 clerie:updated-inputs-2025-09-28-01-03 clerie:updated-inputs-2025-09-26-01-03 clerie:updated-inputs-2025-09-24-01-03 clerie:updated-inputs-2025-09-22-01-03 clerie:updated-inputs-2025-09-21-01-03 clerie:updated-inputs-2025-09-20-01-03 clerie:updated-inputs-2025-09-19-01-03 clerie:updated-inputs-2025-09-14-01-03 clerie:updated-inputs-2025-09-12-01-03 clerie:updated-inputs-2025-09-10-01-03 clerie:updated-inputs-2025-09-09-01-03 clerie:updated-inputs-2025-09-08-01-03 clerie:updated-inputs-2025-09-04-01-03 clerie:updated-inputs-2025-08-31-01-03 clerie:updated-inputs-2025-08-30-01-03 clerie:updated-inputs-2025-08-28-01-03 clerie:updated-inputs-2025-08-27-01-03 clerie:updated-inputs-2025-08-21-01-03 clerie:updated-inputs-2025-08-18-01-03 clerie:updated-inputs-2025-08-17-01-03 clerie:updated-inputs-2025-08-16-01-03 clerie:updated-inputs-2025-08-15-01-03 clerie:migrate-to-lix clerie:gpg-test

127 Commits
migrate-to ... 4fa4c8d669

Author SHA1 Message Date
clerie
4fa4c8d669 configuration/common: Don't force requests ca bundle environment var 2025-05-25 14:15:54 +02:00
clerie
46d23fb98a pkgs/git-show-link: Specify URL format using --remote-type 2025-05-23 14:51:20 +02:00
clerie
4e56adef58 pkgs/git-show-link: Display error message when not executed in a git repo 2025-05-23 14:28:03 +02:00
clerie
b93dc9f16b configuration/common: Make Python requests always use system CA 2025-05-19 18:43:38 +02:00
clerie
44d1a444ba pkgs/git-show-link: Handle branch names with slashes properly 2025-05-19 10:49:32 +02:00
clerie
d0c6ecff4c flake.lock: Update nixos-exporter 2025-05-08 21:50:31 +02:00
clerie
1042cf279f profiles/hydra-build-machine: Migrate configuration to profile 2025-05-08 17:17:01 +02:00
clerie
fe23b7745f configuration/dn42: Remove obsolete configuration 2025-05-08 16:31:33 +02:00
clerie
ced991b911 profiles/router: Migrate configuration to profile 2025-05-08 16:17:26 +02:00
clerie
fa1220dcf8 configuration/router: All hosts using this config don't do BGP and OSPF 2025-05-08 15:55:59 +02:00
clerie
802a731a57 Merge remote-tracking branch 'origin/updated-inputs-2025-05-06-01-03' 2025-05-08 12:19:02 +02:00
clerie
8b9acbb9b1 hosts/monitoring-3: Display pretty scraping address for nixos-validator 2025-05-08 12:13:54 +02:00
clerie
0b6d9623bc modules/monitoring: Migrate firewall from iptables to NixOS declarative 2025-05-08 12:03:35 +02:00
clerie
69ccc0c692 profiles/wg-clerie: Convert systemd timer into a service with sleep 2025-05-08 11:34:05 +02:00
clerie
1c087b0c9f pkgs/overrides: Dino uses OMEMO by default for new conversations 2025-05-07 18:33:59 +02:00
clerie
8d3057758f pkgs/pull-scans: Add script 2025-05-06 21:43:41 +02:00
Flake Update Bot
87b0c38260 Update nixpkgs 2025-05-06-01-03 2025-05-06 03:03:05 +02:00
clerie
70cde0e367 hosts/storage-2: Allow frank access to em 2025-05-05 12:24:26 +02:00
clerie
593739120a hosts/storage-2: Add location em 2025-05-05 12:24:00 +02:00
clerie
1e810adc51 users/frank: Add user 2025-05-05 12:23:15 +02:00
clerie
891b8ae718 hosts/clerie-backup: Update hardware configuration 2025-04-29 17:26:29 +02:00
clerie
f33b8c0cdf hosts/clerie-backup: Move VM to different region 2025-04-28 15:54:28 +02:00
clerie
dffebb92e8 profiles/firefox: Use webcam through pipewire 2025-04-27 14:12:44 +02:00
clerie
ecdb362f60 profiles/firefox: Provide default configuration 2025-04-27 13:55:33 +02:00
clerie
074ab4befc flake.lock: Update rainbowrss 2025-04-26 13:58:55 +02:00
clerie
35d572e414 hosts/dn42-ildix-service: Disable mimalloc in fernglas so it builds with current nixpkgs 2025-04-26 13:45:49 +02:00
Flake Update Bot
0e0bb82ebd Update nixpkgs 2025-04-24-01-03 2025-04-24 03:03:06 +02:00
clerie
4777fb2eae flake.lock: Update fernglas 2025-04-23 20:02:47 +02:00
clerie
c285e4db89 flake.lock: Update lix 2025-04-22 00:03:40 +02:00
clerie
6e2b11e696 pkgs/uptimestatus: Use python instead of python3 2025-04-21 23:30:51 +02:00
clerie
04f8df6c08 pkgs/iot-data: Remove package 2025-04-21 22:32:53 +02:00
clerie
ae8f8961ea flake.lock: Update rainbowrss 2025-04-21 22:29:43 +02:00
clerie
414402561b hosts/backup-4: Replicate backup to palladium 2025-04-18 11:24:06 +02:00
clerie
fed00bd41b modules/backup: Specify backup server as full URL 2025-04-16 22:03:38 +02:00
clerie
c0a8f8116e hosts/nonat: Enable DHCPv6 to try out NTP 2025-04-16 21:05:01 +02:00
clerie
e9210d4ada hosts/backup-4,hosts/palladium: Setup direct VPN tunnel for backups 2025-04-15 20:55:56 +02:00
clerie
47921ea988 hosts/palladium: Enable monitoring 2025-04-15 20:02:38 +02:00
clerie
3fdf10641b hosts/palladium: Enable wg-clerie 2025-04-15 19:52:24 +02:00
clerie
e9695286b6 pkgs/clerie-sops: Write config to temp file as sops can't read config from pipe 2025-04-15 19:32:21 +02:00
clerie
e125d5d3bf hosts/monitoring-3: Alert when GPG key is about to expire 2025-04-14 21:45:09 +02:00
clerie
cc00e92b51 hosts/web-2: asc file type is already in default mime types 2025-04-14 21:28:08 +02:00
clerie
aaf7bb8871 users/clerie: Extend GPG expiry date 2025-04-14 20:07:53 +02:00
clerie
84dffed418 profiles/wg-clerie: Send host originating traffic to targets reachable via wg-clerie via wg-clerie 2025-04-14 19:11:42 +02:00
clerie
83a094bbd0 hosts/*: Disable DHCPv6Client on every host 2025-04-13 17:05:37 +02:00
clerie
32ec59e303 pkgs/clerie-update-nixfiles: Add script to delete old update-nixfiles branches 2025-04-07 21:37:47 +02:00
clerie
8af0eb2386 profiles/common: Make common-networking the default 2025-04-07 21:27:03 +02:00
clerie
323018daaa profiles/common-dns: Fix typo 2025-04-07 21:11:53 +02:00
clerie
98b4cde2e4 pkgs/git-show-link: Pass format args as dataclass 2025-04-07 17:16:00 +02:00
clerie
f9359f4d50 hosts/dn42-ildix-service: Migrate to systemd-networkd 2025-03-24 21:39:04 +01:00
clerie
a44dfd1e65 hosts/dn42-ildix-clerie: Migrate to systemd-networkd 2025-03-24 20:48:17 +01:00
clerie
1d7eb45286 profiles/serial-console: Add profile for serial console and enable on mercury VMs be default 2025-03-23 14:30:17 +01:00
clerie
c100f6e95b hosts/dn42-il-gw1: Migrate to systemd-networkd and dn42-router profile 2025-03-22 17:51:03 +01:00
clerie
d304a47f89 profiles/dn42-router: Fix defaults and decryption of module options 2025-03-22 17:49:52 +01:00
clerie
58f7ba4518 hosts/dn42-il-gw6: Migrate to systemd-networkd and dn42-router profile 2025-03-22 17:27:39 +01:00
clerie
cfbeab8706 profiles/dn42-router: Take over config from configuration/dn42 2025-03-22 17:11:59 +01:00
clerie
032987bce5 hosts/dn42-il-gw5: Migrate to systemd-networkd and dn42-router profile 2025-03-22 17:05:02 +01:00
clerie
89ec7e8394 profiles/dn42-router: Add module for dn42 router 2025-03-22 17:04:16 +01:00
clerie
2e35c7955e hosts/dn42-il-gw1: Remove disconnected AS4242420197 n0emis 2025-03-22 14:40:42 +01:00
clerie
6d774cc8ba hosts/dn42-il-gw1: Remove disconnected AS4242421302 perflyst 2025-03-22 14:38:54 +01:00
clerie
75777aa68c profiles/common-dns,profiles/common: Enable systemd-resolved everywhere 2025-03-22 14:34:40 +01:00
clerie
552d2a964c profiles/wg-clerie: Refresh endpoint selection with systemd timer 2025-03-21 18:19:44 +01:00
clerie
9e7deadfb5 hosts/krypton,hosts/zinc: Migrate to systemd-network 2025-03-20 20:07:06 +01:00
clerie
de3bc903ef profiles/common-networking: Centralize new network config 2025-03-20 20:03:39 +01:00
clerie
fed25f02d8 profiles/wg-clerie: Don't let NetworkManager touch the VPN interface 2025-03-20 19:55:17 +01:00
clerie
7a210b13be hosts/_iso: Migrate to systemd-network 2025-03-20 19:46:54 +01:00
clerie
a29978c95a hosts/astatine: Migrate to systemd-network 2025-03-20 19:44:35 +01:00
clerie
2d6afc2093 profiles/wg-clerie: wg-clerie not required for online 2025-03-20 19:43:57 +01:00
clerie
5a719c2f01 hosts/astatine,hosts/beryllium,hosts/tungsten: Migrate to profiles.clerie.wg-clerie 2025-03-20 19:30:47 +01:00
clerie
effb386e51 profiles/wg-clerie: Only configure sops secret if we want to use that 2025-03-20 19:30:10 +01:00
clerie
3ec00be4d0 profiles/wg-clerie: Migrate wg-clerie to systemd-networkd 2025-03-20 19:06:51 +01:00
clerie
006877c4ae hosts/astatine,hosts/beryllium,hosts/tungsten: Migrate to 
systemd-networkd

Policy routing clashed with the fallback dhcp on any interface module
for some unknown reason, therefore wg-clerie is disabled on all of these
devices
 2025-03-19 20:07:37 +01:00
clerie
3efc575902 hosts/astatine: Remove unused services 2025-03-19 16:48:11 +01:00
clerie
6beb19b93d hosts/krypton: Use okular from kdePackages 2025-03-18 16:33:38 +01:00
Flake Update Bot
f75393544d Update nixpkgs 2025-03-17-02-03 2025-03-17 03:03:59 +01:00
clerie
2f84edcd99 hosts/palladium: Migrate to systemd-network 2025-03-16 19:09:27 +01:00
clerie
3deb7383e1 hosts/storage-2: Migrate to systemd-network 2025-03-16 18:44:55 +01:00
clerie
f79d99be54 hosts/osmium: Migrate to systemd-network 2025-03-16 18:37:08 +01:00
clerie
ca2f13f765 hosts/nonat: Migrate to systemd-network 2025-03-16 18:29:21 +01:00
clerie
604c30edea hosts/monitoring-3: Migrate to systemd-network 2025-03-16 18:21:35 +01:00
clerie
7141a7fadd hosts/hydra-2: Migrate to systemd-network 2025-03-16 18:12:39 +01:00
clerie
f96326de36 hosts/hydra-1: Migrate to systemd-network 2025-03-16 18:00:16 +01:00
clerie
0cb1c4105a hosts/clerie-backup: Enable systemd-networkd 2025-03-16 17:50:59 +01:00
clerie
e6be0bd7a6 hosts/clerie-backup: Remove a lot of deprecated backup automation 2025-03-16 17:46:20 +01:00
clerie
dd164c1284 hosts/backup-4: Migrate to systemd-networkd 2025-03-16 17:07:07 +01:00
clerie
21fa57545b flake.nix: Update lix 2025-03-16 12:20:25 +01:00
clerie
a0a298689e profiles/mercury-vm,profiles/cybercluster-vm: Add profiles for Proxmox VMs 2025-03-16 12:19:08 +01:00
clerie
97d826ef89 hosts/gatekeeper,hosts/mail-2,hosts/web-2: Migrate Hetzner VMs to systemd-networkd 2025-03-13 19:07:31 +01:00
clerie
8eaf11fb57 profiles/hetzner-cloud: Migrate Hetzner VMs to Hetzner Cloud profile 2025-03-13 18:46:11 +01:00
clerie
ec6390be3f profiles/netcup: Add profile for Netcup VM 2025-03-13 18:04:19 +01:00
clerie
e4dc3bdc1f hosts/porter: Migrate to systemd-networkd 2025-03-13 17:42:16 +01:00
clerie
87466f0ac9 hosts/palladium: Fresh system install 2025-03-12 22:18:10 +01:00
clerie
29da5a77c8 pkgs/overlay.nix: Generate overlay from attrset we can use to automatically get the package names for our own packets from 2025-03-12 20:50:49 +01:00
clerie
9bb1d93db7 hosts/palladium: Remove services 2025-03-10 19:18:56 +01:00
clerie
a8b084628f hosts/monitoring-3: Monitor uberspace hosts 2025-03-07 22:03:34 +01:00
clerie
7254525c8e pkgs/git-show-link: Match names with special chars too 2025-03-06 20:14:27 +01:00
clerie
dbd16ed438 pkgs/git-show-link: Add helper to display links to local git objects 2025-03-06 20:05:08 +01:00
clerie
26d1ddfaee hosts/monitoring-3: Enable websockets with Grafana 2025-03-06 18:40:43 +01:00
clerie
3f07e7dbd7 hosts/dn42-il*: Migrate bird config to new module name 2025-03-02 17:36:49 +01:00
clerie
d257df7939 Merge remote-tracking branch 'origin/updated-inputs-2025-02-22-02-03' 2025-03-02 15:06:54 +01:00
clerie
360dbe0a07 hosts/tungsten: Add to monitoring and to wg-clerie 2025-02-25 19:01:57 +01:00
clerie
c4f6bd926e hosts/tungsten: Add storage 2025-02-25 18:14:35 +01:00
Flake Update Bot
07b0f70747 Update nixpkgs 2025-02-22-02-03 2025-02-22 03:03:06 +01:00
clerie
99c82a2898 pkgs/clerie-system-remote-install: Install NixOS system remotely without evaluating anything on remote 2025-02-21 20:33:01 +01:00
clerie
427820aa37 hosts/tungsten: Init host 2025-02-21 20:26:02 +01:00
clerie
822763abe4 hosts/_iso: Allow clerie to log in to root directly with SSH keys 2025-02-21 20:25:39 +01:00
clerie
9ae31d6786 hosts/_iso: Make iso bootable again by disabling systemd in initrd 2025-02-20 20:20:12 +01:00
clerie
12a5d4b816 hosts/clerie-backup,hosts/backup-4: Add backup repo for cleriewi.uber.space 2025-02-16 19:20:35 +01:00
clerie
638721cceb pkgs/nixfiles,pkgs/clerie-sops: Allow htpasswd edit the htpasswd file directly and therefor update existing entries 2025-02-16 18:59:47 +01:00
clerie
5345828a56 pkgs/nixfiles: Display generated backup secrets and make configureing hosts optional 2025-02-16 18:34:15 +01:00
clerie
5b03dd5ef9 hosts/backup-4,hosts/clerie-backup: Add backup targets for clerie.uber.space 2025-02-16 12:11:32 +01:00
clerie
141f956e9a pkgs/clerie-backup: Fix typos 2025-02-15 01:33:12 +01:00
clerie
61a7d64452 modules/backup: Migrate automatic backups to clerie-backup backend 2025-02-14 13:17:26 +01:00
clerie
d17c2855ac pkgs/clerie-backup: Add script to unify backup configs 2025-02-14 13:09:59 +01:00
clerie
f353d7b494 configuration/common: Content-Type utf-8 everywhere 2025-02-05 19:11:48 +01:00
clerie
420e9a65f2 configuration/common: Serve nix files with mime type text/plain over nginx 2025-01-31 21:54:31 +01:00
clerie
df96b9070d configuration/desktop: Update renamed options 2025-01-31 21:53:10 +01:00
clerie
3b7f59a66e hosts/monitoring-3: Warn if storages are almost full 2025-01-21 17:18:41 +01:00
clerie
fd2987c9fe flake.lock: Update harmonia 2025-01-16 22:06:50 +01:00
clerie
9f7517c75c hosts/_iso: Overwrite nixos defaults 2025-01-16 19:15:06 +01:00
Flake Update Bot
a2d4f6a803 Update nixpkgs 2025-01-14-02-03 2025-01-14 03:04:10 +01:00
clerie
b0e19708c0 flake.lock: Update scan-to-gpg 2025-01-11 15:39:50 +01:00
clerie
13dd689240 hosts/web-2: Read feeds from different directory 2025-01-06 18:38:16 +01:00
clerie
e70ff56b28 hosts/web-2: Add feeds.clerie.de 2025-01-05 16:26:46 +01:00
clerie
1b86f094c8 hosts/web-2: Redirect to admin interface of etebase 2025-01-03 22:50:42 +01:00
clerie
aad53d5072 hosts/krypton: Add etesync-dav 2025-01-03 16:15:57 +01:00
clerie
df7fba921f hosts/web-2: Add etebase.clerie.de 2025-01-03 15:49:22 +01:00
clerie
c091d4a952 pkgs/clerie-update-nixfiles: Fix changed nix command 2025-01-03 15:01:09 +01:00
118 changed files with 2800 additions and 1393 deletions
Expand all files Collapse all files

4
configuration/common/backup.nix
View File

@@ -4,8 +4,8 @@
clerie.backup = {
targets = {
cyan.serverName = "cyan.backup.clerie.de";
magenta.serverName = "magenta.backup.clerie.de";
cyan.serverUrl = "https://cyan.backup.clerie.de";
magenta.serverUrl = "https://magenta.backup.clerie.de";
};
};

11
configuration/common/certificates.nix Normal file
View File

@@ -0,0 +1,11 @@
{ config, lib, ... }:
with lib;
{
environment.sessionVariables = {
REQUESTS_CA_BUNDLE = mkDefault config.security.pki.caBundle;
};
}

1
configuration/common/default.nix
View File

@@ -3,6 +3,7 @@
{
imports = [
./backup.nix
./certificates.nix
./initrd.nix
./locale.nix
./networking.nix

4
configuration/common/web.nix
View File

@@ -10,6 +10,10 @@
commonHttpConfig = ''
server_names_hash_bucket_size 64;
charset utf-8;
types {
text/plain nix;
}
map $remote_addr $remote_addr_anon {
~(?P<ip>\d+\.\d+\.\d+)\. $ip.0;
~(?P<ip>[^:]*:[^:]*(:[^:]*)?): $ip::;

2
configuration/desktop/audio.nix
View File

@@ -2,7 +2,7 @@
{
hardware.pulseaudio.enable = false;
services.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {

4
configuration/desktop/gnome.nix
View File

@@ -2,8 +2,8 @@
{
services.gnome = {
tracker-miners.enable = false;
tracker.enable = false;
localsearch.enable = false;
tinysparql.enable = false;
};
environment.gnome.excludePackages = with pkgs; [

22
configuration/dn42/default.nix
View File

@@ -1,22 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
wireguard-tools
];
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking.firewall.checkReversePath = false;
# Open Firewall for BGP
networking.firewall.allowedTCPPorts = [ 179 ];
# Open Fireall for OSPF
networking.firewall.extraCommands = ''
ip6tables -A INPUT -p ospfigp -j ACCEPT
iptables -A INPUT -p ospfigp -j ACCEPT
'';
}

8
configuration/hetzner-cloud/default.nix
View File

@@ -1,8 +0,0 @@
{ ... }:
{
networking.useDHCP = false;
networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; };
networking.nameservers = [ "2a01:4ff:ff00::add:2" "2a01:4ff:ff00::add:1" "185.12.64.2" "185.12.64.1" ];
}

16
configuration/hydra-build-machine/default.nix
View File

@@ -1,16 +0,0 @@
{ ... }:
{
# Allow Hydra to fetch remote URLs in restricted mode
nix.settings.allowed-uris = "http: https: git+https: github:";
services.openssh.settings= {
PermitRootLogin = "yes";
};
users.extraUsers.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1"
];
}

5
configuration/proxmox-vm/default.nix
View File

@@ -1,5 +0,0 @@
{ ... }:
{
services.qemuGuest.enable = true;
}

27
configuration/router/default.nix
View File

@@ -1,27 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
wireguard-tools
tcpdump
];
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking.firewall.checkReversePath = false;
networking.firewall.allowedTCPPorts = [
# Open Firewall for BGP
179
];
networking.firewall.extraCommands = ''
# Open fireall for OSPF
ip46tables -A nixos-fw -p ospfigp -j nixos-fw-accept
# Open firewall for GRE
ip46tables -A nixos-fw -p gre -j nixos-fw-accept
'';
}

194
flake.lock generated
View File

@@ -58,19 +58,36 @@
"url": "https://git.clerie.de/clerie/chaosevents.git"
}
},
"communities": {
"flake": false,
"locked": {
"lastModified": 1739635166,
"narHash": "sha256-0ZONcN3ctsZgMVM//UMp+9iQfhODJNFHOhyWwx0EoTg=",
"owner": "NLNOG",
"repo": "lg.ring.nlnog.net",
"rev": "686adbfd5222b830ba4fee998188cc8d96c09169",
"type": "github"
},
"original": {
"owner": "NLNOG",
"repo": "lg.ring.nlnog.net",
"type": "github"
}
},
"fernglas": {
"inputs": {
"communities": "communities",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1700408128,
"narHash": "sha256-PLb/q8kIq0wOinkgADHNY6uOB3b3lXQEbLu6ToIFPsU=",
"lastModified": 1741172718,
"narHash": "sha256-YDEJVlmPzOuKfG26iYuJVOlxFvKBVeb8DbAI9WOtnBU=",
"owner": "wobcom",
"repo": "fernglas",
"rev": "407325681e3ad344f6fd05334984a40074aa6347",
"rev": "64e2f9af8aefeeaa63431477066dcc0236d111e0",
"type": "github"
},
"original": {
@@ -122,11 +139,11 @@
]
},
"locked": {
"lastModified": 1712014858,
"narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
"lastModified": 1733312601,
"narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
"rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
"type": "github"
},
"original": {
@@ -183,11 +200,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
@@ -201,11 +218,11 @@
"systems": "systems_2"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
@@ -238,38 +255,41 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1727121740,
"narHash": "sha256-72nDVSvUfZsLa2HbyricOpA0Eb8gxs/VST25b6DNBpM=",
"lastModified": 1733771848,
"narHash": "sha256-tqkTzUdwnTfVuCrcFag7YKgGkiR9srR45e4v0XMXVCY=",
"owner": "nix-community",
"repo": "harmonia",
"rev": "ff44006a30f93ac40d76c786e15149d901946c2b",
"rev": "c26731351ca38f4953a23ef5490358ffba955ab6",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "harmonia-v1.0.2",
"ref": "harmonia-v2.0.1",
"repo": "harmonia",
"type": "github"
}
},
"hydra": {
"inputs": {
"lix": "lix",
"lix": [
"lix"
],
"nix-eval-jobs": "nix-eval-jobs",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1733503045,
"narHash": "sha256-VoMam8Zzbk+X6dIYwH2f9NqItL6g9YDhQvGybzSl8xQ=",
"ref": "refs/heads/main",
"rev": "eccf01d4fef67f87b6383f96c73781bd08b686ac",
"revCount": 4230,
"lastModified": 1744102671,
"narHash": "sha256-/y92PMLAG1ueMInNKaar27H6voo5m1jDnJhxcIYOp5M=",
"ref": "lix-2.92",
"rev": "dd8114c53075524d06ba1de3346e39610923427b",
"revCount": 4235,
"type": "git",
"url": "https://git.lix.systems/lix-project/hydra.git"
},
"original": {
"ref": "lix-2.92",
"type": "git",
"url": "https://git.lix.systems/lix-project/hydra.git"
}
@@ -279,64 +299,52 @@
"flake-compat": "flake-compat",
"nix2container": "nix2container",
"nixpkgs": [
"hydra",
"nixpkgs"
],
"nixpkgs-regression": "nixpkgs-regression",
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1732112222,
"narHash": "sha256-H7GN4++a4vE49SUNojZx+FSk4mmpb2ifJUtJMJHProI=",
"ref": "refs/heads/main",
"rev": "66f6dbda32959dd5cf3a9aaba15af72d037ab7ff",
"revCount": 16513,
"lastModified": 1742250400,
"narHash": "sha256-be2mY7VFiWcPw7GcaJBbUvpnpoLd39wxqTXagBNTR5w=",
"ref": "release-2.92",
"rev": "d8db15010d2059a23a17f70ef542b4d1e7d2c640",
"revCount": 16651,
"type": "git",
"url": "https://git.lix.systems/lix-project/lix"
"url": "https://git.lix.systems/lix-project/lix.git"
},
"original": {
"ref": "release-2.92",
"type": "git",
"url": "https://git.lix.systems/lix-project/lix"
"url": "https://git.lix.systems/lix-project/lix.git"
}
},
"lix-module": {
"inputs": {
"flake-utils": "flake-utils_2",
"flakey-profile": "flakey-profile",
"lix": "lix_2",
"lix": [
"lix"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1732605668,
"narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=",
"ref": "stable",
"rev": "96824d606a6656650bbe436366bc89d5ee3a6573",
"revCount": 113,
"lastModified": 1742943028,
"narHash": "sha256-fprwZKE1uMzO9tiWWOrmLWBW3GPkMayQfb0xOvVFIno=",
"ref": "release-2.92",
"rev": "3fae818597ca2f1474de62022f850c23be50528d",
"revCount": 134,
"type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module.git"
},
"original": {
"ref": "stable",
"ref": "release-2.92",
"type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module.git"
}
},
"lix_2": {
"flake": false,
"locked": {
"lastModified": 1729298361,
"narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=",
"rev": "ad9d06f7838a25beec425ff406fe68721fef73be",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz"
}
},
"mitel-ommclient2": {
"inputs": {
"nixpkgs": [
@@ -373,15 +381,16 @@
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1732351635,
"narHash": "sha256-H94CcQ3yamG5+RMxtxXllR02YIlxQ5WD/8PcolO9yEA=",
"ref": "refs/heads/main",
"rev": "dfc286ca3dc49118c30d8d6205d6d6af76c62b7a",
"revCount": 617,
"lastModified": 1737237842,
"narHash": "sha256-tPr61X9v/OMVt7VXOs1RRStciwN8gDGxEKx+h0/Fg48=",
"ref": "release-2.92",
"rev": "fdaeb722d05a3ac58daaa24d4b5fa8db4457d82e",
"revCount": 621,
"type": "git",
"url": "https://git.lix.systems/lix-project/nix-eval-jobs"
},
"original": {
"ref": "release-2.92",
"type": "git",
"url": "https://git.lix.systems/lix-project/nix-eval-jobs"
}
@@ -431,11 +440,11 @@
]
},
"locked": {
"lastModified": 1683625533,
"narHash": "sha256-GvKE97JdQuEZ697TLSMRTNABbVJfGVnJ0vfzK4AIFyI=",
"lastModified": 1746733297,
"narHash": "sha256-CPo/F6oJq3tswg2YT6DsWDFPYXOjw00/3m45JN84PVY=",
"ref": "refs/heads/main",
"rev": "5e86139ee4af27f84228708fd32903bb0c4230f0",
"revCount": 19,
"rev": "f1a832f445c9994d9729a6fa1862b8d4a123bd31",
"revCount": 22,
"type": "git",
"url": "https://git.clerie.de/clerie/nixos-exporter.git"
},
@@ -476,6 +485,22 @@
"type": "github"
}
},
"nixpkgs-0dc1c7": {
"locked": {
"lastModified": 1725718979,
"narHash": "sha256-TNj62uDY5ilnYu0Jne8/IIunfh1kf6kDPY9KdS+Eotw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0dc1c7294c13f5d1dd6eccab4f75d268d7296efe",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0dc1c7294c13f5d1dd6eccab4f75d268d7296efe",
"type": "github"
}
},
"nixpkgs-regression": {
"locked": {
"lastModified": 1643052045,
@@ -526,11 +551,11 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1732521221,
"narHash": "sha256-2ThgXBUXAE1oFsVATK1ZX9IjPcS4nKFOAjhPNKuiMn0=",
"lastModified": 1746328495,
"narHash": "sha256-uKCfuDs7ZM3QpCE/jnfubTg459CnKnJG/LwqEVEdEiw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4633a7c72337ea8fd23a4f2ba3972865e3ec685d",
"rev": "979daf34c8cacebcd917d540070b52a3c2b9b16e",
"type": "github"
},
"original": {
@@ -563,11 +588,11 @@
"pre-commit-hooks": {
"flake": false,
"locked": {
"lastModified": 1726745158,
"narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=",
"lastModified": 1733318908,
"narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74",
"rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
"type": "github"
},
"original": {
@@ -576,6 +601,26 @@
"type": "github"
}
},
"rainbowrss": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1745667868,
"narHash": "sha256-T67ZRk+cuFI2P6qJeu8RwbpJD00OORulHGuXebpg9Nw=",
"ref": "refs/heads/main",
"rev": "e43037aa525e36d7a3da187a8fc6baeb71db7fd6",
"revCount": 15,
"type": "git",
"url": "https://git.clerie.de/clerie/rainbowrss.git"
},
"original": {
"type": "git",
"url": "https://git.clerie.de/clerie/rainbowrss.git"
}
},
"root": {
"inputs": {
"berlinerbaeder-exporter": "berlinerbaeder-exporter",
@@ -585,11 +630,14 @@
"fieldpoc": "fieldpoc",
"harmonia": "harmonia",
"hydra": "hydra",
"lix": "lix",
"lix-module": "lix-module",
"nixos-exporter": "nixos-exporter",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_3",
"nixpkgs-0dc1c7": "nixpkgs-0dc1c7",
"nurausstieg": "nurausstieg",
"rainbowrss": "rainbowrss",
"scan-to-gpg": "scan-to-gpg",
"solid-xmpp-alarm": "solid-xmpp-alarm",
"sops-nix": "sops-nix",
@@ -603,11 +651,11 @@
]
},
"locked": {
"lastModified": 1733765838,
"narHash": "sha256-piKf5W1vUl4y36WuW/192LMXBJyATBF83T9YEz9K3/Y=",
"lastModified": 1736606141,
"narHash": "sha256-cIGSrY3tNwOamqt41IPRRw5SPlBtljWZvcXDfCkreUc=",
"ref": "refs/heads/main",
"rev": "b0c07f95146d85a7b62a84fb2a62a773a5942733",
"revCount": 17,
"rev": "9f1aa15509c9b0284774be95ef020f612c385353",
"revCount": 18,
"type": "git",
"url": "https://git.clerie.de/clerie/scan-to-gpg.git"
},
@@ -716,11 +764,11 @@
]
},
"locked": {
"lastModified": 1711963903,
"narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
"lastModified": 1733662930,
"narHash": "sha256-9qOp6jNdezzLMxwwXaXZWPXosHbNqno+f7Ii/xftqZ8=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
"rev": "357cda84af1d74626afb7fb3bc12d6957167cda9",
"type": "github"
},
"original": {

55
flake.nix
View File

@@ -1,6 +1,8 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
# for etesync-dav
nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe";
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
berlinerbaeder-exporter = {
url = "git+https://git.clerie.de/clerie/berlinerbaeder-exporter.git";
@@ -19,15 +21,21 @@
inputs.nixpkgs.follows = "nixpkgs";
};
harmonia = {
url = "github:nix-community/harmonia/harmonia-v1.0.2";
url = "github:nix-community/harmonia/harmonia-v2.0.1";
inputs.nixpkgs.follows = "nixpkgs";
};
hydra = {
url = "git+https://git.lix.systems/lix-project/hydra.git";
url = "git+https://git.lix.systems/lix-project/hydra.git?ref=lix-2.92";
inputs.lix.follows = "lix";
inputs.nixpkgs.follows = "nixpkgs";
};
lix = {
url = "git+https://git.lix.systems/lix-project/lix.git?ref=release-2.92";
inputs.nixpkgs.follows = "nixpkgs";
};
lix-module = {
url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=stable";
url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=release-2.92";
inputs.lix.follows = "lix";
inputs.nixpkgs.follows = "nixpkgs";
};
fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
@@ -39,6 +47,10 @@
url = "git+https://git.clerie.de/clerie/nurausstieg.git";
inputs.nixpkgs.follows = "nixpkgs";
};
rainbowrss = {
url = "git+https://git.clerie.de/clerie/rainbowrss.git";
inputs.nixpkgs.follows = "nixpkgs";
};
scan-to-gpg = {
url = "git+https://git.clerie.de/clerie/scan-to-gpg.git";
inputs.nixpkgs.follows = "nixpkgs";
@@ -97,7 +109,12 @@
osmium = {};
palladium = {};
porter = {};
storage-2 = {};
storage-2 = {
modules = [
./users/frank
];
};
tungsten = {};
web-2 = {};
zinc = {
modules = [
@@ -113,6 +130,7 @@
nixosModules = {
nixfilesInputs = import ./flake/modules.nix inputs;
clerie = import ./modules;
profiles = import ./profiles;
default = self.nixosModules.clerie;
};
@@ -124,34 +142,7 @@
packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: let
pkgs = localNixpkgs.${system};
in {
inherit (pkgs)
clerie-keys
clerie-system-upgrade
clerie-merge-nixfiles-update
clerie-update-nixfiles
clerie-sops
clerie-sops-config
clerie-sops-edit
chromium-incognito
factorio-launcher
git-checkout-github-pr
git-diff-word
git-pp
harmonia
iot-data
nix-remove-result-links
nixfiles-auto-install
nixfiles-generate-config
nixfiles-generate-backup-secrets
nixfiles-update-ssh-host-keys
print-afra
run-with-docker-group
ssh-gpg
update-from-hydra
uptimestatus
xmppc;
});
in builtins.mapAttrs (name: value: pkgs."${name}") (import ./pkgs/pkgs.nix));
inherit lib self;

4
flake/nixosConfigurations.nix
View File

@@ -16,6 +16,7 @@ let
modules = modules ++ [
self.nixosModules.nixfilesInputs
self.nixosModules.clerie
self.nixosModules.profiles
({ config, lib, ... }: {
# Set hostname
@@ -51,6 +52,9 @@ let
{};
in
secrets;
# Enable clerie common config
profiles.clerie.common.enable = true;
})
# Config to be applied to every host

11
flake/overlay.nix
View File

@@ -1,28 +1,33 @@
{ self
, nixpkgs-0dc1c7
, berlinerbaeder-exporter
, bij
, chaosevents
, harmonia
, hydra
, nurausstieg
, rainbowrss
, scan-to-gpg
, ssh-to-age
, ...
}@inputs:
final: prev: {
inherit (nixpkgs-0dc1c7.legacyPackages.${final.system})
etesync-dav;
inherit (berlinerbaeder-exporter.packages.${final.system})
berlinerbaeder-exporter;
inherit (bij.packages.${final.system})
bij;
inherit (chaosevents.packages.${final.system})
chaosevents;
harmonia = harmonia.packages.${final.system}.harmonia.override {
nixForHarmonia = final.nixVersions.nix_2_23;
};
inherit (harmonia.packages.${final.system})
harmonia;
inherit (hydra.packages.${final.system})
hydra;
inherit (nurausstieg.packages.${final.system})
nurausstieg;
inherit (rainbowrss.packages.${final.system})
rainbowrss;
inherit (scan-to-gpg.packages.${final.system})
scan-to-gpg;
inherit (ssh-to-age.packages.${final.system})

19
hosts/_iso/configuration.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, lib, modulesPath, ... }:
{ pkgs, lib, modulesPath, config, ... }:
{
imports = [
@@ -6,10 +6,25 @@
../../configuration/gpg-ssh
];
profiles.clerie.network-fallback-dhcp.enable = true;
# systemd in initrd is broken with ISOs
# Failed to mount /sysroot/iso
# https://github.com/NixOS/nixpkgs/issues/327187
boot.initrd.systemd.enable = false;
networking.hostName = "isowo";
isoImage.isoBaseName = "nixos-isowo";
isoImage.isoBaseName = lib.mkForce "nixos-isowo";
environment.systemPackages = with pkgs; [
nixfiles-auto-install
];
# Allow user clerie to log in as root directly with ssh keys
users.users.root.openssh.authorizedKeys.keys = config.users.users.clerie.openssh.authorizedKeys.keys;
services.openssh.settings = {
PermitRootLogin = lib.mkForce "yes";
};
}

2
hosts/aluminium/configuration.nix
View File

@@ -18,7 +18,7 @@
terminal_output serial
";
services.wg-clerie = {
profiles.clerie.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8106/128" ];
ipv4s = [ "10.20.30.106/32" ];

17
hosts/astatine/configuration.nix
View File

@@ -4,30 +4,21 @@
imports =
[
./hardware-configuration.nix
./ppp.nix
./programs.nix
./users.nix
];
profiles.clerie.network-fallback-dhcp.enable = true;
boot.kernelParams = [ "console=ttyS0,115200n8" ];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
# boot.loader.grub.efiSupport = true;
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
boot.loader.grub.device = "/dev/sda";
boot.loader.grub.extraConfig = "
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input serial
terminal_output serial
";
#networking.firewall.enable = false;
services.wg-clerie = {
profiles.clerie.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];
ipv4s = [ "10.20.30.108/32" ];

90
hosts/astatine/ppp.nix
View File

@@ -1,90 +0,0 @@
{ pkgs, ... }:
{
# Make space for VLAN header in containing ethernet segment
networking.interfaces."enp1s0".mtu = 1518;
## DSL-Uplink
networking.vlans."enp1s0.7" = {
id = 7;
interface = "enp1s0";
};
services.pppd = {
enable = true;
peers.lns-test = {
config = ''
plugin pppoe.so enp1s0.7
user "criese#regiotest@bsa-vdsl"
ifname ppp-lns-test
persist
maxfail 0
holdoff 5
noipdefault
lcp-echo-interval 20
lcp-echo-failure 3
hide-password
nodefaultroute
+ipv6
debug
'';
};
};
/*
networking.interfaces.lo.useDHCP = true;
networking.interfaces.ppp-lns-test.useDHCP = true;
networking.dhcpcd = {
enable = true;
extraConfig = ''
interface ppp-lns-test
ipv6rs
ia_pd 0 lo/0
'';
};*/
environment.etc."ppp/ip-up" = {
text = ''
#! ${pkgs.runtimeShell} -e
${pkgs.iproute2}/bin/ip route flush table 20001 || true
${pkgs.iproute2}/bin/ip route add default dev ppp-lns-test table 20001
'';
mode = "555";
};
environment.etc."ppp/ip-down" = {
text = ''
#! ${pkgs.runtimeShell} -e
${pkgs.iproute2}/bin/ip route flush table 20001 || true
'';
mode = "555";
};
environment.etc."ppp/ipv6-up" = {
text = ''
#! ${pkgs.runtimeShell} -e
${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
${pkgs.iproute2}/bin/ip -6 route add default dev ppp-lns-test table 20001
'';
mode = "555";
};
environment.etc."ppp/ipv6-down" = {
text = ''
#! ${pkgs.runtimeShell} -e
${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
'';
mode = "555";
};
petabyte.policyrouting = {
enable = true;
rules4 = [
{ rule = "from 212.218.16.237/32 lookup 20001"; prio = 19000; }
{ rule = "from 212.218.16.237/32 unreachable"; prio = 19001; }
];
};
}

9
hosts/astatine/programs.nix
View File

@@ -1,9 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
tcpdump # for remote wireshark
];
}

10
hosts/astatine/users.nix
View File

@@ -1,10 +0,0 @@
{ ... }:
{
users.users.criese-nethinks = {
extraGroups = [
"wheel"
];
};
}

21
hosts/backup-4/configuration.nix
View File

@@ -4,19 +4,32 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
./backup.nix
./replication.nix
./restic-server.nix
./wg-b-palladium.nix
];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false;
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffcb::c"; prefixLength = 64; } ];
networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.enable = true;
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18";
address = [
"2001:638:904:ffcb::c/64"
];
routes = [
{ Gateway = "2001:638:904:ffcb::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.nginx.enable = true;

20
hosts/backup-4/replication.nix Normal file
View File

@@ -0,0 +1,20 @@
{ lib, ... }:
with lib;
{
clerie.backup = {
enable = true;
targets = mkForce {
palladium.serverUrl = "http://[fd90:37fd:ddec:d921::2]:43242";
};
jobs.replication = {
paths = [
"/mnt/backup-4/magenta"
];
exclude = [
"/mnt/backup-4/magenta/.htpasswd"
];
};
};
}

11
hosts/backup-4/secrets.json
View File

@@ -1,5 +1,8 @@
{
"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:QxdmemBB/iuU+fvc2QRRkbOHO5Ef8ZJqfTdFCnlOqKog5krZ2oIpURuttH9YeggJXV2Cr+kJDGI0b9Ca6BtCkOhahfWicTeFhuODJsSyZJqzw36Ba8pX3nIpqoa7StTydK1Dx5chOi2g8oB4895SvWqDa/qP10yDtBQAYURHYfodb9/tiKzfjJAGDlqsR2h+qmdbAkvR3/oAquBO8Nb493G2sixs20XIG85moYv6l0MPnZtWEXhDT8lM5tw0PCgpSfYaUeMWnmFuzFBj3MQSo3zAjGPeOSYVFlbwbLqFWL507z0dlRgzsxMYB1F4OL38nOpO2CP2/VvbidgbQZjKCfiHMJtWLQfzZIfNEhcF8kq2uhhOwRSKN3G7u1/ezzu+9UlUVMV6PY2jjbZHJ79Knu5SJ3KqphygjjIhdHufqI03BP/aJa0QkE/mGg9is3H0myW5rG9ElA1C4stF,iv:1Ue/H48af3ECUZ5GC0hrMMBfOuCZSuX9wOSAd5XG7Fk=,tag:HchM/ZJEDG4pWQdDanC9cA==,type:str]",
"clerie-backup-job-replication": "ENC[AES256_GCM,data:BxOj/jT/GFBNSLc=,iv:zKDmEqUpOUWbU3fEeKDLniZ8D1yzs4kdGjoFLeNZOpo=,tag:iKAxHnIUpvtZwVO+eJW3Xw==,type:str]",
"clerie-backup-target-palladium": "ENC[AES256_GCM,data:OaszucYAp4n/ds59nF8D4Qn3U9a6L+ONcbPa+BmSz/EprW7E3kCoJ6+EceahPemTnR53mkP6zAndWaXaBTFfdg==,iv:pqi4+LuLPhtmKucm7JqN6d2hwXzNVx8IPimTL6FgHHg=,tag:+91GgLQNKD/lI7uWojCwjA==,type:str]",
"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:gfvmAd7z+jQwoYDJf/Hv2sR9ISJT+Hw4jrHmvW64PXjoETy+LjdsmqEPuRyq/YhrGA2rqW+YodPlkh/eE4crdTL2eNim+ij/OUubliUwBMyJuxsdGKuDUMc+txqN2x6Q24MnnU88P08SKpsm3jciMhz7JEg62W77jhesWlkzsuJDmg9oTlA9SeYOEac3pIKpekfRyE77GSFVUflwwCA+xvcEg5xyuRosFzBWGGEC3kDNB0licF0X6epz3HtlqhCLd/mkuEkftjpkNOFm9oJYzdwYv5PwVNg7G7JOgsUx9e5I29mwWPfhinX1yEFNwxKeB1FbUhYOKhRhdqWD6THVLkDzU0zP8vrm5FXTaxLHZr5+EpKit8/MJS5UBVvpSTDQ0cLExJyonWP2T+zr6rxKwU/q1jQRvsU6DJ7Bt8+9chrXBNOeyPM9xzWN1Zyyrntm9j5Ufj1YFwyrDT5ve2rOgNHA4KoS28+vsP1fcVO8XlLR24zFx5+/1BPG25qSECTPn6KkcL+yV+WS4oOnu4Oo0GVPEz+4SfyYIEVmaV61KC61pKa/6ACeUd6nABcDbReMqPXU7/bksM4sTDoFSmmiAycnxT4xavbaFdfbYIOXVQwYAIjaR1tAqQ6gYVCQ/LtKhIHCGCg10xRXNV3qkPqOUvJ7JnRcre+pQVDVLg==,iv:tvhvTPzhHoG4yG3C+o9s8yh4DafMpPb67nNxbUZcFxQ=,tag:8P5lYeP2EB5AfKgeeBISLg==,type:str]",
"wg-b-palladium": "ENC[AES256_GCM,data:XTenrGQFLDndt/XPaDGRLQthVq1UFKJ2mWK3Z+YfT54YpnWO81cslrMMtPc=,iv:tW8NHOcNj3Q26BJBIz7UPR3bmw3nrb0UkkD+gqngw/w=,tag:XDYkIqj6z2Jvhaoiqeyn0g==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:lCuE2EgUo3ER9NNg1rD24Z4cZS+VZ4KmDojnfCsb/LyBsfyu6uOJ4IVtxOE=,iv:KHRP1pXYXk8Fi23cjUZVUUadu9yWoJ2ddxj2fMJJYE0=,tag:TiFlekXM7WLLHAPlmYbP8w==,type:str]",
"sops": {
"kms": null,
@@ -12,8 +15,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFREUEVzb2JFd3hSaG9y\neVA2a2Fodko0OTI4ZGM0NlZxRmNtYmFDY1hVCm9ncXdWYTJlSU1FSG1WdlNBZ3VW\nM2VtRmZiWldzalRsRWJ0UkV1L1hSMkEKLS0tIGVLQU9kQXhZbC9SUW9CS2JnWGlJ\nQ3RoeXVkRXNkUWNaZ0VQOW1hcEJnNjAKHgZ48PERJlfkkh2TyCLl52zUZY674BXW\n4zPtmhZrb4xlExetINrOd4hZtL7S7qn5GnTxhoxvCddeU+JPPsfWoQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-06-03T18:16:25Z",
"mac": "ENC[AES256_GCM,data:hWCI1hWTbbasov9Si0JDI39rUuBOEqrz+qxTKrNN4S/r9Ktofrk46b3rxSQF3+bC03HrbCMLk9/7XkvIFJXQj5pa9I1aG8MuMbgF0Z8Ft/uNdHPUUyLJwo/4aav4zXVpdg7zNtPdwjk66pw7iRO5XBmYgnQlnXotHM6S9s7RzuA=,iv:VJmLD1SImGtreceQP+DofnzOGp3sm12iCzbPsqzw6SI=,tag:aUryi0xUG7sd/EOmqrMQCg==,type:str]",
"lastmodified": "2025-04-18T08:37:08Z",
"mac": "ENC[AES256_GCM,data:50NF4BI0QUhe622J6nwIF89pLlTdgxVB/MWbO5nWKgQI5xuNrnFghs5yVgZIV7FeONcu2pYykp28fSrFKhvbPt+B90i4HvaaIHdZGDepbEV9ZwK4AU66zZW4KCCPxv4NTYh+AuSi7HTHusXUrNIvRhYvAXjESi7nK7JPm3BTfUk=,iv:fvtTaSXNx6IL6D9DdEa5ovymNYeWJObCBiRiIsG7KeE=,tag:LdfXiAuMHLCb0biThHh1GQ==,type:str]",
"pgp": [
{
"created_at": "2024-05-04T12:30:52Z",
@@ -22,6 +25,6 @@
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"
"version": "3.9.4"
}
}

40
hosts/backup-4/wg-b-palladium.nix Normal file
View File

@@ -0,0 +1,40 @@
{ config, ... }:
{
sops = {
secrets.wg-b-palladium = {
owner = "systemd-network";
group = "systemd-network";
};
};
systemd.network.netdevs."10-wg-b-palladium" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-b-palladium";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wg-b-palladium.path;
ListenPort = 51844;
};
wireguardPeers = [
{
PublicKey = "YMTOhRAKWfFX1UVBoROPvgcQxTSN4tny35brAocdnwo=";
AllowedIPs = [ "fd90:37fd:ddec:d921::/64" ];
PersistentKeepalive = 25;
}
];
};
systemd.network.networks."10-wg-b-palladium" = {
matchConfig.Name = "wg-b-palladium";
address = [
"fd90:37fd:ddec:d921::1/64"
];
linkConfig.RequiredForOnline = "no";
};
networking.firewall.allowedUDPPorts = [ 51844 ];
}

38
hosts/beryllium/configuration.nix
View File

@@ -6,6 +6,8 @@
./hardware-configuration.nix
];
profiles.clerie.network-fallback-dhcp.enable = true;
boot.kernelParams = [ "console=ttyS0,115200n8" ];
boot.loader.grub.enable = true;
@@ -20,39 +22,11 @@
networking.firewall.enable = false;
networking.iproute2.enable = true;
networking.iproute2.rttablesExtraConfig = ''
200 wg-clerie
'';
petabyte.policyrouting = {
profiles.clerie.wg-clerie = {
enable = true;
rules6 = [
{ rule = "from 2a01:4f8:c0c:15f1::8107/128 lookup wg-clerie"; prio = 20000; }
{ rule = "from 2a01:4f8:c0c:15f1::8107/128 unreachable"; prio = 20001; }
];
rules4 = [
{ rule = "from 10.20.30.107/32 lookup wg-clerie"; prio = 20000; }
{ rule = "from 10.20.30.107/32 unreachable"; prio = 20001; }
];
};
networking.wireguard.enable = true;
networking.wireguard.interfaces = {
wg-clerie = {
ips = [ "2a01:4f8:c0c:15f1::8107/128" "10.20.30.107/32" ];
table = "wg-clerie";
peers = [
{
endpoint = "vpn.clerie.de:51820";
persistentKeepalive = 25;
allowedIPs = [ "0.0.0.0/0" "::/0" "10.20.30.0/24" "2a01:4f8:c0c:15f1::/113" ];
publicKey = "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=";
}
];
privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
};
ipv6s = [ "2a01:4f8:c0c:15f1::8107/128" ];
ipv4s = [ "10.20.30.107/32" ];
privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
};
clerie.monitoring = {

4
hosts/carbon/configuration.nix
View File

@@ -4,7 +4,6 @@
imports =
[
./hardware-configuration.nix
../../configuration/router
./dns.nix
./mdns.nix
@@ -22,6 +21,9 @@
./wg-clerie.nix
];
profiles.clerie.common-networking.enable = false;
profiles.clerie.router.enable = true;
boot.kernelParams = [ "console=ttyS0,115200n8" ];
boot.loader.grub.enable = true;

80
hosts/clerie-backup/configuration.nix
View File

@@ -4,20 +4,26 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
./restic-server.nix
];
profiles.clerie.ruby-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.useDHCP = false;
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc1::6"; prefixLength = 64; } ];
networking.defaultGateway6 = { address = "2001:638:904:ffc1::1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18";
address = [
"2a00:fe0:1:21f::a/64"
];
routes = [
{ Gateway ="2a00:fe0:1:21f::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.nginx.enable = true;
@@ -28,10 +34,6 @@
authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiUWufpvAj/Rdxt/frAjs5Q4+/lzaN2jmf5+W3Gazjzw+CH+Agplux6op+LlzF7kAA32yP+lwQto8Rz92NzReDssXd+0JhgAAHrSMrPOPnQbZrierKOfVvDOteklEM4k5JXqZ+xHIMtNomuMV3wCFc18nvwc8t95pDBOI/HwzAwn2mGhVBod0CNXZs8EyMeQJNKLCRwpUrddOX6fz5x/fbPYO4KB3iPkC0X+e/d5SuBvrmwFdnpr2RkCboMPdd6i/0AsY4MLdMV54arS9Ed2jaFKqYCQR5wRdLxndn+aByyVQHQxVU0gVfO9+53NOgiVzhOFzXm6K2KcC/HZR5uj1r ceea@olbers.uberspace.de" ];
path = "/mnt/clerie-backup/uberspace-ceea";
};
uberspace-cleriewi = {
authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAeU+YezmGNNnntAkOL143NlkADi6ekEcaW9yf9yegdkDxwyIyxaWC89B110kRkNe+6KP+LDwrp9vnFJZjst8Gv+dMs0h9U0IdUafhO7TcbbkqynqmtzIwiSGsLby2K9XOYTMlAa2JOfeNScPWccZ8KgXsIBqRGjo3yQfCHXZu9U/8CGXvYPsTGY5QYNeAw5Uaikuf565GHy4ROx2BN7LGug9lK42Hfv8i1lhCLi7wkhQ0EPGBRPkscjz/0Kb2iABMzyUf6uMrDJX/usKrChxkLfidIM9C5YR1E+wXlmy9lijuNP85NpXUEyVTAp9/XLCp1vskfCjsBLO0l+40XNIt cleriewi@biela.uberspace.de" ];
path = "/mnt/clerie-backup/uberspace-cleriewi";
};
};
# fix borgbackup primary grouping
@@ -51,62 +53,6 @@
compression = "auto,lzma";
startAt = "*-*-* 04:07:00";
};
backup-replication-palladium = {
paths = [
"/mnt/clerie-backup"
];
doInit = true;
repo = "borg@palladium.net.clerie.de:." ;
encryption = {
mode = "none";
};
environment = { BORG_RSH = "ssh -i /var/src/secrets/ssh/borg-backup-replication-palladium"; };
compression = "auto,lzma";
startAt = "*-*-* 06:23:00";
};
backup-replication-external-drive = {
paths = [
"/mnt/clerie-backup"
];
doInit = true;
repo = "borg@palladium.net.clerie.de:." ;
encryption = {
mode = "none";
};
environment = {
BORG_RSH = "ssh -i /var/src/secrets/ssh/borg-backup-replication-external-drive";
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
};
compression = "auto,lzma";
startAt = "*-*-* 08:37:00";
};
};
users.users.backup-replication = {
isNormalUser = true;
group = "backup-replication";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8kCLiDfVFKgoNvEoMb34jp2n1lQG+k7wigzc4qGmrROlWkJ46/Ym4UrSeQJAd6hwHTcKTZkeOrqDAjZZ+jlidpncJHT5VMW5Ah965pxbBq6Qh1Yz5tKj7nLAQ/+bwEH4qqBFNd796876n3pY/FqhwAHWONqWhLKzMXpFursMSITUPmRXcaPwJrgS9DIYspZ9bBhhRSdQ5N1SiGtaszOQwdevLnNYqdtFOBG4rt9SO6IBIHtaiTIHrrMGS2Lt3NMwkq+O+N+TGaKLjbwqtfUPfPOCmY0XH12OawjxHP9hZ+WH3dPtcu5p+VORciSybPvyh9qzXUrDeO4HDuii2GEFU8JFELYXdT/qBwdIMp82tkgww0zKbTJuc0y/9eR7LCXop4OALhR8+8xWDI9c1ccxu3T7S7zUI1OmTlR9i8rx85D4sz2dtp1jirDoW2KVuIdwe6G3NLfTL95FZRmveEQM3MO8MPpfzZ4EvaMbiQQd/c4VAmGovtSLQhySTpT6qSv0= root@backup-4"
#"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRANmJ2LYUr0Mavz/JJ7j+7p1zkqvizf6ZLt5XOJ2fj0enDuK7Dc5fxiESLGYTsLRVWuY4hNXVIL7aeJUj1LPf6LEX87APP4hb95t+TFxcES87tFfnFO48eiBbSd25Av2jmHGb6/wY2viYBxfk/vrLjPR6RgICqFsWFcz20bsWmc48FdzXYJCGJfKjHiW+Ut95VL+M/AlGBQHo33FNDyPXV4zh+MeWVkOFicwfh0k+4NH7Psj5n93m9szAlz306t5YZ32HnhSlvObkMk1Ugy6AzPKXrgKBu11pmatf7sFRx1ikYGUiKiezGjatt/8lYZfE8rQKQjwH+6LPt3ZPv06ncfKpH2vbZfonM0KhSsm1OIhJTse+X7ZMxizO6QqYM+BRJJGMbhH1g+6kFRsdlwakHNPE9YvG4NxZ1NxWTUr6F0gPhUEy61LkTnznt3ct1hgQR02KDQ+9i8PvaYeIIzZzRKufv4tV7OZkDLbN97tvAMkgpLjF+8fCg3qjn2Lckzc= root@palladium"
];
};
users.groups.backup-replication = {};
environment.systemPackages = with pkgs; [
bindfs
];
fileSystems."/clerie-backup-replication" = {
device = "/mnt/clerie-backup";
fsType = "fuse.bindfs";
options = [
"ro"
"force-user=backup-replication"
"force-group=backup-replication"
"perms=0000:ug=rD"
];
};
clerie.monitoring = {

7
hosts/clerie-backup/hardware-configuration.nix
View File

@@ -8,7 +8,7 @@
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
@@ -19,7 +19,7 @@
};
fileSystems."/mnt/clerie-backup" =
{ device = "/dev/disk/by-uuid/69e75b00-23e1-4775-98a6-061a79d806cf";
{ device = "/dev/disk/by-uuid/15a42e2e-57dc-43ff-a50d-8b73952d4558";
fsType = "ext4";
};
@@ -33,4 +33,7 @@
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
boot.swraid.enable = true;
}

6
hosts/clerie-backup/secrets.json
View File

@@ -1,5 +1,5 @@
{
"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:ZKrEv/bU1X+iO7GLlxsM8HhUy6B2+EXRA8JO2X8E8X5nt8Ydwa+wAqTea3hGyW/QNFrNg/nnAFaVg+VNa6UEqOuF0eg4Nf0LOYTtTpNt4uqDHomfFpvFxDfVCbk4a3fnjnJzk51XnZqeVlvuH2JKg9uD6QzTghTuZfysdGePZdD4WRfY+qHsZg2jREgA26WKsRnD1zU4ZnbRAA1s0Lzf5gG4kFciIzovt0x5MYEiVERFeM+HG1a117EvSlsijPNJVLTaFRLTVOlTOYLKXt4KcRJq9KwoZR/LgEz++rUE4DN5f7iQs+Sb9epH9sV/V06R6AKE5ZFcyi5Y+ipt8B4sWX8PQUeFxNlpljXHro8szGNnLnSxxieg10SEwfIEw+nTGVMHToUpvybzdoI4VPUHZGF+kpqv8ejEzhrKZXyPrd7ZCWGDsTdl8gGSefimpEUR8IwuPqImgu2UU8gT,iv:Y/G/odtZ4enBtNc2Wj7bZjsJ3nur5huYAqlu1PgnWlo=,tag:tg3ut7R2jJd+TVvYHIiTdA==,type:str]",
"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:Fe6lcXXy0Hu27Y2LtwQRbk+78+unSGkII144jtstOgK0pyjlJqG2mo8ZG7L+3mmthuu+leZ6XXadEcRGpby3eCwyVEYd3lDr930pPC8hChWYMC5mGkkRUAobYED63iVxcsc36PVFQYMCDbYvtcPk8uQTXfQmhs9kSzCrONrL1Id0L9D+sGoU0snpE+eCNXyiLwuyc1qocchhuHIwkGi4dyVJWgMsKGummF5Pf9zK4KzHmT6RuPouEUAfwHkdPwtOSJ8OqZof/C/CuPYmJQyfOFAqtw8xD9OXUpvyxjC1Kta89sL5cRAE0R15oPvNUmYGaXputm9iMycPjMacpouycx1TXMTEDB0caryX9uEFAyTfPm7keHT86qA1UfImWqEE9QqJ3uCeiwW698SbTZVeKLDBqDCPP+nP/L+N412d+HHyGugPOnTj1gXY50xeOay8Wryw87iDZ9rnJxcn0u5D4+JjOIbjWvydqBXacMD/o0NG2CcQu6LVRAHRiDKoSQWEwx25tzVwn2dsgFV8c3oQ0xQI7050R11Z3M9QWOvPmOZCvYV5VSoxu7r1jMu5asrcPbbhXKatbrabEHCAbDGsBpDkqts3BVUfUaHwboXVR0DxqOC6CHVE34J99SVTGI0kIHXyNqpeUJ36tCXFg7eNPNsu8cra9whjyUUHtw==,iv:Gfg3t3YPw2hz0LJ5hovPftMYOADN2Xjc93VmT2fFVQI=,tag:k6KH4qDPrFYIU2PGgW3F9Q==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:rOpBlDt9K//zlgWo1Bw9IX5jmpLbnit5zi60Ulz8f6tHwqVsKJv5NkxYc9A=,iv:Jlo0QZP6R1CEE20iLa7M/LV/ZX2/33oMv/FzBBo6nvY=,tag:Ttqo7BKd6RuUiMksW6rZnw==,type:str]",
"sops": {
"kms": null,
@@ -12,8 +12,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UCtUZ3NZQWxOK1FUNDhL\nbWhaanN2OEJIVmpMOURzWU1vcGhuODdtcDJnCm9Nb01NaVVpWDJ6Q3JCbXRkRUJP\nUVdFaGVScUdxRnlpSnRNOG1RalNRaFUKLS0tICs0cW1WR0JMUmdaVWVzdTh2bjFm\nenBzaERpb1hCS1E3TUo3cmxpZFUxWmcKcLL5/YTGyZEVLwHSpbEI5XfWGklkI7h+\n0uhCww8Wh23EpUYFslZ0Nnbf5HX5/Z34qBwf20cvN8eLToTAQvTdeg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-06-03T18:16:18Z",
"mac": "ENC[AES256_GCM,data:kWeyNv82yc6H+FJjhTh8vkuxjZ4YFEqmZbqzZr+pEXxXeMUEGi9hr7cauGDNxnRMgWJz9KG1M4tzUyEK8rfVQWLc+Wcf/5Pjsxn1Zg0yJiJAxVFV7AcvGdKUeQuBKgOT5L+Z5+cFdvq9+CU/0M+6/e8jB6OdQWcuy0emBaCut4U=,iv:3w5arXHKapwwo7kgLtHcKfO+dhH22opVP+fjagize0c=,tag:+cCaX2FUG+5UYqutE9IsAA==,type:str]",
"lastmodified": "2025-02-16T18:13:34Z",
"mac": "ENC[AES256_GCM,data:io2WVxTxHSlxrk7JaN6/fUI7YotvPfgbXTD1lEf1tN7QhuGRH/iZrji/VQlhJ8tk2dAS1Pe0rsTuxCMXcXcxRIh4EYbQky5IZj5jpfPcslQOquTcXzmPYdijPUWSqu6leGc0GG/7KccjSFD8TfwAgeuVrc2Br57yfqKoPf+M0fY=,iv:iYp73PrFnLZoI9014mbqQQERhFtfhb5YmzV6HiUi+YM=,tag:2AZEzhVVdEos5FLkg8cr5w==,type:str]",
"pgp": [
{
"created_at": "2024-05-05T12:12:27Z",

293
hosts/dn42-il-gw1/configuration.nix
View File

@@ -4,49 +4,43 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/dn42
];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false;
networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:1::1"; prefixLength = 64; } ];
# VM Nat Netz mercury
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.23"; prefixLength = 24; } ];
# OSPF Netz
networking.interfaces.ens19 = {};
# IPv6 Uplink
networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffc9::7"; prefixLength = 64; } ];
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens20"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens20";
address = [
"2001:638:904:ffc9::7/64"
];
routes = [
{ Gateway = "2001:638:904:ffc9::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.23/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ospf-netz" = {
matchConfig.Name = "ens19";
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
networking.wireguard.enable = true;
networking.wireguard.interfaces = {
# n0emis
wg0197 = {
ips = [
"fe80::42:1/128"
# peer fe80::42:42:1/128
];
postSetup = ''
ip -6 route flush dev wg0197
ip addr del dev wg0197 fe80::42:1/128 && ip addr add dev wg0197 fe80::42:1/128 peer fe80::42:42:1/128
'';
listenPort = 50197;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "fe80::/10" "fd00::/8" ];
endpoint = "himalia.dn42.n0emis.eu:52574";
publicKey = "ObF+xGC6DdddJer0IUw6nzC0RqzeKWwEiQU0ieowzhg=";
}
];
privateKeyFile = config.sops.secrets.wg0197.path;
};
# e1mo
wg0565 = {
ips = [
@@ -126,27 +120,6 @@
];
privateKeyFile = config.sops.secrets.wg1280.path;
};
# perflyst
wg1302 = {
ips = [
"fe80::a14e/128"
# peer fe80::a14d/128
];
postSetup = ''
ip -6 route flush dev wg1302
ip addr del dev wg1302 fe80::a14e/128 && ip addr add dev wg1302 fe80::a14e/128 peer fe80::a14d/128
'';
listenPort = 51302;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "fe80::/10" "fd00::/8" ];
endpoint = "[2a03:4000:6:f6ed::1]:22574";
publicKey = "TSPvvpMY8dCFk6gd58aYtkibtqUn8EzIF6dXP52b3y8=";
}
];
privateKeyFile = config.sops.secrets.wg1302.path;
};
# lutoma
wg4719 = {
ips = [
@@ -169,163 +142,65 @@
};
};
petabyte.policyrouting = {
profiles.clerie.dn42-router = {
enable = true;
rules6 = [
{ rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
{ rule = "from all to all lookup 2342"; prio = 10000; }
{ rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
{ rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
loopbackIp = "fd56:4902:eca0:1::1";
routerId = "192.168.10.23";
ospfInterfaces = [
"ens19"
];
ibgpPeers = [
{
peerName = "gw5";
remoteAddress = "fd56:4902:eca0:5::1";
}
{
peerName = "gw6";
remoteAddress = "fd56:4902:eca0:6::1";
}
];
wireguardPeers = [
{
peerName = "peer_0565";
remoteAddress = "fe80::565";
interfaceName = "wg0565";
remoteAsn = "4242420565";
localAddress = "fe80::2574";
}
{
peerName = "peer_1271_north";
remoteAddress = "fe80::2";
interfaceName = "wg1271";
remoteAsn = "4242421271";
localAddress = "fe80::1";
}
{
peerName = "peer_1271_south";
remoteAddress = "fe80::1:2";
interfaceName = "wg1272";
remoteAsn = "4242421271";
localAddress = "fe80::1:1";
}
{
peerName = "peer_1280_wg1";
remoteAddress = "fde3:4c0d:2836:ff00::20";
interfaceName = "wg1280";
remoteAsn = "4242421280";
localAddress = "fde3:4c0d:2836:ff00::21";
}
{
peerName = "peer_4719";
remoteAddress = "fe80::acab";
interfaceName = "wg4719";
remoteAsn = "64719";
localAddress = "fe80::1";
}
];
};
services.bird2.enable = true;
services.bird2.config = ''
router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
ipv6 table ospf6;
ipv6 table bgp6;
protocol direct {
interface "lo";
ipv6 {
table ospf6;
};
}
protocol static {
ipv6 {
table bgp6;
};
route fd56:4902:eca0::/48 via "lo";
route fd56:4902:eca0::/52 via "lo";
}
protocol kernel {
ipv6 {
table ospf6;
export filter {
krt_prefsrc=fd56:4902:eca0:1::1;
accept;
};
import none;
};
kernel table 1337;
}
protocol kernel {
ipv6 {
table bgp6;
export filter {
krt_prefsrc=fd56:4902:eca0:1::1;
accept;
};
import none;
};
kernel table 2342;
}
protocol ospf v3 {
ipv6 {
table ospf6;
import all;
export all;
};
area 0 {
interface "ens19" {
cost 80;
type broadcast;
};
};
}
protocol bgp gw5 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:5::1 as 4242422574;
source address fd56:4902:eca0:1::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
protocol bgp gw6 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:6::1 as 4242422574;
source address fd56:4902:eca0:1::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
template bgp bgp_peer {
local as 4242422574;
graceful restart on;
ipv6 {
table bgp6;
next hop self;
import keep filtered;
import filter {
if net ~ [fd00::/8{48,64}] then accept;
reject;
};
export filter {
if net ~ [fd00::/8{48,64}] then accept;
reject;
};
};
}
protocol bgp peer_0197_himalia from bgp_peer {
neighbor fe80::42:42:1%wg0197 as 4242420197;
source address fe80::42:1;
}
protocol bgp peer_0565 from bgp_peer {
neighbor fe80::565%wg0565 as 4242420565;
source address fe80::2574;
}
protocol bgp peer_1271_north from bgp_peer {
neighbor fe80::2%wg1271 as 4242421271;
source address fe80::1;
}
protocol bgp peer_1271_south from bgp_peer {
neighbor fe80::1:2%wg1272 as 4242421271;
source address fe80::1:1;
}
protocol bgp peer_1280_wg1 from bgp_peer {
neighbor fde3:4c0d:2836:ff00::20%wg1280 as 4242421280;
source address fde3:4c0d:2836:ff00::21;
}
protocol bgp peer_1302 from bgp_peer {
neighbor fe80::a14d%wg1302 as 4242421302;
source address fe80::a14e;
}
protocol bgp peer_4719 from bgp_peer {
neighbor fe80::acab%wg4719 as 64719;
}
protocol device {
scan time 10;
}
'';
clerie.system-auto-upgrade = {
allowReboot = true;
autoUpgrade = true;

255
hosts/dn42-il-gw5/configuration.nix
View File

@@ -4,181 +4,112 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/dn42
];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false;
# VM Nat Netz mercury
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.25"; prefixLength = 24; } ];
# OSPF Netz
networking.interfaces.ens19 = {};
# Lokales Netz
networking.interfaces.ens20.ipv6.addresses = [ { address = "fd56:4902:eca0:5::1"; prefixLength = 64; } ];
# IPv6 Uplink
networking.interfaces.ens21.ipv6.addresses = [ { address = "2001:638:904:ffc9::a"; prefixLength = 64; } ];
# Ildix
networking.interfaces.ens22.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2574::5"; prefixLength = 64; } ];
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens21"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
petabyte.policyrouting = {
enable = true;
rules6 = [
{ rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
{ rule = "from all to all lookup 2342"; prio = 10000; }
{ rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
{ rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens21";
address = [
"2001:638:904:ffc9::a/64"
];
routes = [
{ Gateway = "2001:638:904:ffc9::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.25/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ospf-netz" = {
matchConfig.Name = "ens19";
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-lokales-netz" = {
# Aktuell nicht verwendet, da in lo-dn42 umgezogen
matchConfig.Name = "ens20";
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ildix" = {
matchConfig.Name = "ens22";
address = [
"fd81:edb3:71d8:ffff:2574::5/64"
];
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.bird2.enable = true;
services.bird2.config = ''
router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
profiles.clerie.dn42-router = {
enable = true;
loopbackIp = "fd56:4902:eca0:5::1";
routerId = "192.168.10.25";
ipv6 table ospf6;
ipv6 table bgp6;
ospfInterfaces = [
"ens19"
];
protocol direct {
interface "ens20";
ipv6 {
table ospf6;
};
}
ibgpPeers = [
{
peerName = "gw1";
remoteAddress = "fd56:4902:eca0:1::1";
}
{
peerName = "gw6";
remoteAddress = "fd56:4902:eca0:6::1";
}
];
protocol static {
ipv6 {
table bgp6;
bgpPeers = [
{
peerName = "peer_ildix_clerie";
localAddress = "fd81:edb3:71d8:ffff:2574::5";
remoteAddress = "fd81:edb3:71d8:ffff::13";
remoteAsn = "4242422953";
}
{
peerName = "peer_ildix_nex";
localAddress = "fd81:edb3:71d8:ffff:2574::5";
remoteAddress = "fd81:edb3:71d8:ffff::14";
remoteAsn = "4242422953";
}
];
birdExtraConfig = ''
# Internal
protocol bgp peer_2953_dn42_ildix_service {
local as 4242422574;
neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
source address fd81:edb3:71d8:ffff:2574::5;
multihop 64;
ipv6 {
table bgp6;
igp table ospf6;
next hop keep;
add paths tx;
import filter {
reject;
};
route fd56:4902:eca0::/48 via "lo";
route fd56:4902:eca0::/52 via "lo";
}
protocol kernel {
ipv6 {
table ospf6;
export filter {
krt_prefsrc=fd56:4902:eca0:5::1;
accept;
};
import none;
};
kernel table 1337;
}
protocol kernel {
ipv6 {
table bgp6;
export filter {
krt_prefsrc=fd56:4902:eca0:5::1;
accept;
};
import none;
export filter {
accept;
};
kernel table 2342;
}
protocol ospf v3 {
ipv6 {
table ospf6;
import all;
export all;
};
area 0 {
interface "ens19" {
cost 80;
type broadcast;
};
};
}
protocol bgp gw1 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:1::1 as 4242422574;
source address fd56:4902:eca0:5::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
protocol bgp gw6 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:6::1 as 4242422574;
source address fd56:4902:eca0:5::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
template bgp ildix {
local as 4242422574;
graceful restart on;
source address fd81:edb3:71d8:ffff:2574::5;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import filter {
if net ~ [fd00::/8{8,64}] then accept;
reject;
};
export filter {
if net ~ [fd00::/8{8,64}] then accept;
reject;
};
};
}
protocol bgp peer_ildix_clerie from ildix {
neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
}
protocol bgp peer_ildix_nex from ildix {
neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
}
# Internal
protocol bgp peer_2953_dn42_ildix_service {
local as 4242422574;
neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
source address fd81:edb3:71d8:ffff:2574::5;
multihop 64;
ipv6 {
table bgp6;
igp table ospf6;
next hop keep;
add paths tx;
import filter {
reject;
};
export filter {
accept;
};
};
}
protocol device {
scan time 10;
}
'';
};
}
'';
};
clerie.system-auto-upgrade = {
allowReboot = true;

249
hosts/dn42-il-gw6/configuration.nix
View File

@@ -4,181 +4,106 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/dn42
];
profiles.clerie.cybercluster-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false;
networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:6::1"; prefixLength = 64; } ];
# IPv6 Uplink
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc9::9"; prefixLength = 64; } ];
# Ildix
networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2574::6"; prefixLength = 64; } ];
# VM Nat Netz mercury
networking.interfaces.ens20.ipv4.addresses = [ { address = "192.168.10.26"; prefixLength = 24; } ];
# OSPF Netz
networking.interfaces.ens21 = {};
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens20"; };
networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
petabyte.policyrouting = {
enable = true;
rules6 = [
{ rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
{ rule = "from all to all lookup 2342"; prio = 10000; }
{ rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
{ rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18";
address = [
"2001:638:904:ffc9::9/64"
];
routes = [
{ Gateway = "2001:638:904:ffc9::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens20";
address = [
"192.168.10.26/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ospf-netz" = {
matchConfig.Name = "ens21";
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ildix" = {
matchConfig.Name = "ens19";
address = [
"fd81:edb3:71d8:ffff:2574::6/64"
];
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.bird2.enable = true;
services.bird2.config = ''
router id ${ (lib.head config.networking.interfaces.ens20.ipv4.addresses).address };
profiles.clerie.dn42-router = {
enable = true;
loopbackIp = "fd56:4902:eca0:6::1";
routerId = "192.168.10.26";
ipv6 table ospf6;
ipv6 table bgp6;
ospfInterfaces = [
"ens21"
];
protocol direct {
interface "lo";
ipv6 {
table ospf6;
};
}
ibgpPeers = [
{
peerName = "gw1";
remoteAddress = "fd56:4902:eca0:1::1";
}
{
peerName = "gw5";
remoteAddress = "fd56:4902:eca0:5::1";
}
];
protocol static {
ipv6 {
table bgp6;
bgpPeers = [
{
peerName = "peer_ildix_clerie";
localAddress = "fd81:edb3:71d8:ffff:2574::6";
remoteAddress = "fd81:edb3:71d8:ffff::13";
remoteAsn = "4242422953";
}
{
peerName = "peer_ildix_nex";
localAddress = "fd81:edb3:71d8:ffff:2574::6";
remoteAddress = "fd81:edb3:71d8:ffff::14";
remoteAsn = "4242422953";
}
];
birdExtraConfig = ''
# Internal
protocol bgp peer_2953_dn42_ildix_service {
local as 4242422574;
neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
source address fd81:edb3:71d8:ffff:2574::6;
multihop 64;
ipv6 {
table bgp6;
igp table ospf6;
next hop keep;
add paths tx;
import filter {
reject;
};
#route fd56:4902:eca0::/48 via "lo";
#route fd56:4902:eca0::/52 via "lo";
}
protocol kernel {
ipv6 {
table ospf6;
export filter {
krt_prefsrc=fd56:4902:eca0:6::1;
accept;
};
import none;
export filter {
accept;
};
kernel table 1337;
}
protocol kernel {
ipv6 {
table bgp6;
export filter {
krt_prefsrc=fd56:4902:eca0:6::1;
accept;
};
import none;
};
kernel table 2342;
}
protocol ospf v3 {
ipv6 {
table ospf6;
import all;
export all;
};
area 0 {
interface "ens21" {
cost 80;
type broadcast;
};
};
}
protocol bgp gw1 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:1::1 as 4242422574;
source address fd56:4902:eca0:6::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
protocol bgp gw5 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:5::1 as 4242422574;
source address fd56:4902:eca0:6::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
template bgp ildix {
local as 4242422574;
graceful restart on;
source address fd81:edb3:71d8:ffff:2574::6;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import filter {
if net ~ [fd00::/8{8,64}] then accept;
reject;
};
export filter {
if net ~ [fd00::/8{8,64}] then accept;
reject;
};
};
}
protocol bgp peer_ildix_clerie from ildix {
neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
}
protocol bgp peer_ildix_nex from ildix {
neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
}
# Internal
protocol bgp peer_2953_dn42_ildix_service {
local as 4242422574;
neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
source address fd81:edb3:71d8:ffff:2574::6;
multihop 64;
ipv6 {
table bgp6;
igp table ospf6;
next hop keep;
add paths tx;
import filter {
reject;
};
export filter {
accept;
};
};
}
protocol device {
scan time 10;
}
'';
};
}
'';
};
clerie.system-auto-upgrade = {
allowReboot = true;

58
hosts/dn42-ildix-clerie/configuration.nix
View File

@@ -4,26 +4,47 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false;
# VM Nat Netz mercury
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.27"; prefixLength = 24; } ];
# Ildix
networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff::13"; prefixLength = 64; } ];
# Route to dn42-ildix-service
networking.interfaces.ens19.ipv6.routes = [ { address = "fd81:edb3:71d8::"; prefixLength = 48; via = "fd81:edb3:71d8:ffff:2953::1"; } ];
# public address
networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffcb::4"; prefixLength = 64; } ];
networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens20"; };
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens20";
address = [
"2001:638:904:ffcb::4/64"
];
routes = [
{ Gateway = "2001:638:904:ffcb::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.27/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ildix" = {
matchConfig.Name = "ens19";
address = [
"fd81:edb3:71d8:ffff::13/64"
];
routes = [
# Route to dn42-ildix-service
{ Destination = "fd81:edb3:71d8::/48"; Gateway = "fd81:edb3:71d8:ffff:2953::1"; }
];
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
# Open Firewall for BGP
networking.firewall.allowedTCPPorts = [ 179 ];
@@ -33,9 +54,10 @@
iptables -A INPUT -p ospfigp -j ACCEPT
'';
services.bird2.enable = true;
services.bird2.config = ''
router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
services.bird.enable = true;
services.bird.package = pkgs.bird2;
services.bird.config = ''
router id 192.168.10.27;
protocol direct {
interface "ens19";

11
hosts/dn42-ildix-service/bird.nix
View File

@@ -1,12 +1,13 @@
{ config, lib, ... }:
{ config, lib, pkgs, ... }:
{
networking.firewall.allowedTCPPorts = [ 179 ];
# something doesn't work right
services.bird2.enable = false;
services.bird2.config = ''
router id ${(lib.head config.networking.interfaces.ens18.ipv4.addresses).address};
services.bird.enable = false;
services.bird.package = pkgs.bird2;
services.bird.config = ''
router id 192.168.10.28;
ipv6 table bgp6;
@@ -21,7 +22,7 @@
ipv6 {
table bgp6;
export filter {
krt_prefsrc=${(lib.head config.networking.interfaces.lo.ipv6.addresses).address};
krt_prefsrc=fd81:edb3:71d8::1;
accept;
};
import none;

63
hosts/dn42-ildix-service/configuration.nix
View File

@@ -4,11 +4,13 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
./bird.nix
./fernglas.nix
];
profiles.clerie.mercury-vm.enable = true;
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
# boot.loader.grub.efiSupport = true;
@@ -17,21 +19,52 @@
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
networking.useDHCP = false;
networking.interfaces.lo.ipv6.addresses = [
{ address = "fd81:edb3:71d8::1"; prefixLength = 128; }
{ address = "fd81:edb3:71d8::53"; prefixLength = 128; }
];
# VM Nat Netz mercury
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.28"; prefixLength = 24; } ];
# ildix peering lan
networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2953::1"; prefixLength = 64; } ];
# IPv6 Uplink
networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffc9::c"; prefixLength = 64; } ];
systemd.network.netdevs."10-lo-dn42" = {
netdevConfig = {
Kind = "dummy";
Name = "lo-dn42";
};
};
networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens20"; };
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-lo-dn42" = {
matchConfig.Name = "lo-dn42";
address = [
"fd81:edb3:71d8::1/128"
"fd81:edb3:71d8::53/128"
];
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens20";
address = [
"2001:638:904:ffc9::c/64"
];
routes = [
{ Gateway = "2001:638:904:ffc9::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.28/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ildix" = {
matchConfig.Name = "ens19";
address = [
"fd81:edb3:71d8:ffff:2953::1/64"
];
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.nginx.enable = true;

11
hosts/dn42-ildix-service/fernglas.nix
View File

@@ -5,20 +5,21 @@
services.fernglas = {
enable = true;
useMimalloc = false;
settings = {
api.bind = "[::1]:3000";
collectors = [
{
collectors = {
bgp_any = {
collector_type = "Bgp";
bind = "[::]:1179";
default_peer_config = {
asn = 4242422953;
router_id = "${(lib.head config.networking.interfaces.ens18.ipv4.addresses).address}";
router_id = "192.168.10.28";
route_state = "Accepted";
add_path = true;
};
}
];
};
};
};
};

24
hosts/gatekeeper/configuration.nix
View File

@@ -4,19 +4,20 @@
imports =
[
./hardware-configuration.nix
../../configuration/router
];
profiles.clerie.hetzner-cloud.enable = true;
profiles.clerie.router.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.useDHCP = false;
# Network
networking.interfaces.ens3.ipv4.addresses = [ { address = "78.47.183.82"; prefixLength = 32; } ];
networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f8:c0c:15f1::1"; prefixLength = 64; } ];
networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; };
networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
networking.nameservers = [ "213.133.98.98" "213.133.99.99" "213.133.100.100" ];
systemd.network.networks."10-wan" = {
address = [
"2a01:4f8:c0c:15f1::1/64"
"78.47.183.82/32"
];
};
networking.nat = {
enable = true;
@@ -73,7 +74,7 @@
{
# palladium
allowedIPs = [ "2a01:4f8:c0c:15f1::8103/128" "10.20.30.103/32" ];
publicKey = "kxn69ynVyPJeShsAlVz5Xnd7U74GmCAw181b0+/qj3k=";
publicKey = "AetxArlP6uiPEPnrk9Yx+ofhBOgOY4NLTqcKM/EA9mk=";
}
#{
# allowedIPs = [ "2a01:4f8:c0c:15f1::8104/128" "10.20.30.104/32" ];
@@ -114,6 +115,11 @@
allowedIPs = [ "2a01:4f8:c0c:15f1::8111/128" "10.20.30.111/32" ];
publicKey = "o6qxGKIoW2ZSFhXeNRXd4G9BRFeYyjZsrUPulB3KhTI=";
}
{
# tungsten
allowedIPs = [ "2a01:4f8:c0c:15f1::8112/128" "10.20.30.112/32" ];
publicKey = "OI5/psr3ShrwRqKTTr3Kv92OVRietTcMFNVXtsYybRo=";
}
];
listenPort = 51820;
allowedIPsAsRoutes = false;

33
hosts/hydra-1/configuration.nix
View File

@@ -4,14 +4,15 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/hydra-build-machine
./build-machines.nix
./hydra.nix
./nix-cache.nix
];
profiles.clerie.mercury-vm.enable = true;
profiles.clerie.hydra-build-machine.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
@@ -21,12 +22,28 @@
"aarch64-linux"
];
networking.useDHCP = false;
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffcb::a"; prefixLength = 64; } ];
networking.interfaces.ens19.ipv4.addresses = [ { address = "192.168.10.36"; prefixLength = 24; } ];
networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens18"; };
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens19"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18";
address = [
"2001:638:904:ffcb::a/64"
];
routes = [
{ Gateway = "2001:638:904:ffcb::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens19";
address = [
"192.168.10.36/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.nginx.enable = true;

24
hosts/hydra-2/configuration.nix
View File

@@ -4,10 +4,11 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/hydra-build-machine
];
profiles.clerie.cybercluster-vm.enable = true;
profiles.clerie.hydra-build-machine.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
@@ -17,12 +18,19 @@
"aarch64-linux"
];
networking.useDHCP = false;
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc1::100"; prefixLength = 64; } ];
networking.interfaces.ens18.ipv4.addresses = [ { address = "141.24.50.112"; prefixLength = 24; } ];
networking.defaultGateway6 = { address = "2001:638:904:ffc1::1"; interface = "ens18"; };
networking.defaultGateway = { address = "141.24.50.1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18";
address = [
"2001:638:904:ffc1::100/64"
"141.24.50.112/24"
];
routes = [
{ Gateway = "2001:638:904:ffc1::1"; }
{ Gateway = "141.24.50.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
clerie.monitoring = {
enable = true;

1
hosts/krypton/configuration.nix
View File

@@ -9,6 +9,7 @@
./android.nix
./backup.nix
./etesync-dav.nix
#./initrd.nix
./network.nix
./programs.nix

10
hosts/krypton/etesync-dav.nix Normal file
View File

@@ -0,0 +1,10 @@
{ ... }:
{
services.etesync-dav = {
enable = true;
apiUrl = "https://etebase.clerie.de";
};
}

2
hosts/krypton/network.nix
View File

@@ -1,7 +1,7 @@
{ ... }:
{
services.wg-clerie = {
profiles.clerie.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8011/128" ];
ipv4s = [ "10.20.30.11/32" ];

7
hosts/krypton/programs.nix
View File

@@ -1,9 +1,7 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
firefox-wayland
];
profiles.clerie.firefox.enable = true;
users.users.clerie.packages = with pkgs; [
keepassxc
@@ -25,10 +23,11 @@
tcpdump
nmap
okular
kdePackages.okular
chromium-incognito
print-afra
git-show-link
factorio-launcher
];

11
hosts/mail-2/configuration.nix
View File

@@ -4,16 +4,21 @@
imports =
[
./hardware-configuration.nix
../../configuration/hetzner-cloud
./mailcow.nix
];
profiles.clerie.hetzner-cloud.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f8:1c1c:9577::1"; prefixLength = 64; } ];
networking.interfaces.ens3.ipv4.addresses = [ { address = "5.75.187.112"; prefixLength = 32; } ];
systemd.network.networks."10-wan" = {
address = [
"2a01:4f8:1c1c:9577::1/64"
"5.75.187.112/32"
];
};
clerie.backup = {
enable = true;

12
hosts/monitoring-3/alertmanager.nix
View File

@@ -63,6 +63,18 @@
"instance"
];
}
{
target_matchers = [
''alertname = "StorageAlmostFull"''
];
source_matchers = [
''alertname = "StorageFull"''
];
equal = [
"instance"
"mountpoint"
];
}
];
};
};

31
hosts/monitoring-3/configuration.nix
View File

@@ -4,7 +4,6 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
./alertmanager.nix
./berlinerbaeder-exporter.nix
./blackbox.nix
@@ -14,15 +13,33 @@
./uptimestatus.nix
];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.useDHCP = false;
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.32"; prefixLength = 24; } ];
networking.interfaces.ens19.ipv6.addresses = [ { address = "2001:638:904:ffca::7"; prefixLength = 64; } ];
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
networking.defaultGateway6 = { address = "2001:638:904:ffca::1"; interface = "ens19"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens19";
address = [
"2001:638:904:ffca::7/64"
];
routes = [
{ Gateway = "2001:638:904:ffca::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.32/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.prometheus.exporters.node.enable = true;

4
hosts/monitoring-3/grafana.nix
View File

@@ -38,6 +38,10 @@
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://[::1]:3001/";
locations."= /api/live/ws" = {
proxyPass = "http://[::1]:3001";
proxyWebsockets = true;
};
};
};
};

59
hosts/monitoring-3/prometheus.nix
View File

@@ -55,6 +55,11 @@ let
eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b))));
in {
sops.secrets.uberspace-monitor-password = {
owner = "prometheus";
group = "prometheus";
};
networking.hosts = {
"::1" = [ "monitoring-3.mon.clerie.de" ]; # fd00:327:327:327::1
}
@@ -126,6 +131,45 @@ in {
relabelAddressToInstance
];
}
{
job_name = "node-exporter-uberspace";
scrape_interval = "20s";
metrics_path = "/.node-exporter/metrics";
basic_auth = {
username = "monitor";
password_file = config.sops.secrets.uberspace-monitor-password.path;
};
static_configs = [
{
targets = [
"clerie.uber.space;infra"
"cleriewi.uber.space;infra"
];
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
regex = "(.+);(.+)";
target_label = "service_level";
replacement = "\${2}";
}
{
source_labels = [ "__address__" ];
regex = "(.+);(.+)";
target_label = "__address__";
replacement = "\${1}";
}
{
source_labels = [ "__address__" ];
target_label = "instance";
}
{
target_label = "job";
replacement = "node-exporter";
}
];
}
{
job_name = "nixos-exporter";
scrape_interval = "1m";
@@ -156,7 +200,7 @@ in {
relabelAddressToInstance
{
target_label = "__address__";
replacement = "[::1]:9153";
replacement = "monitoring-3.mon.clerie.de:9153";
}
];
}
@@ -375,6 +419,19 @@ in {
relabelAddressToInstance
];
}
{
job_name = "clerie_keys";
scrape_interval = "5m";
scheme = "https";
metrics_path = "/gpg/clerie@clerie.de.metrics.txt";
static_configs = [
{
targets = [
"clerie.de"
];
}
];
}
];
alertmanagers = [
{

24
hosts/monitoring-3/rules.yml
View File

@@ -17,7 +17,7 @@ groups:
annotations:
summary: "Current system of {{ $labels.instance }} not in sync with config"
description: "The current system hash of {{ $labels.instance }} does not match the one generated by hydra based on the current config"
- alert: BackupStorageFull
- alert: StorageFull
expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter"}[5m])) * 100) < 5
for: 30m
labels:
@@ -25,6 +25,14 @@ groups:
annotations:
summary: "Storage of {{ $labels.instance }} is full"
description: "Storage of {{ $labels.instance }} for {{ $labels.mountpoint }} on {{ $labels.device }} is full"
- alert: StorageAlmostFull
expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter"}[5m])) * 100) < 10
for: 30m
labels:
severity: warning
annotations:
summary: "Storage of {{ $labels.instance }} is almost full"
description: "Storage of {{ $labels.instance }} for {{ $labels.mountpoint }} on {{ $labels.device }} is almost full"
- alert: ClerieBackupJobLastSuccessfulRunBehind
expr: time() - last_over_time(clerie_backup_last_successful_run_time{}[5m]) >= 9000
for: 5m
@@ -65,3 +73,17 @@ groups:
annotations:
summary: "Synapse of {{ $labels.target }} unavailable"
description: "The Synapse backend of {{ $labels.target }} is unreachable or returns garbage"
- alert: ClerieKeysExpire
expr: last_over_time(clerie_keys_gpg_key_expire_time[15m]) - time() < 1209600
labels:
severity: critical
annotations:
summary: "GPG {{ $labels.fingerprint }} is expiring"
description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then two weeks"
- alert: ClerieKeysAlmostExpire
expr: last_over_time(clerie_keys_gpg_key_expire_time[15m]) - time() < 3628800
labels:
severity: warning
annotations:
summary: "GPG {{ $labels.fingerprint }} is expiring soon"
description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then six weeks"

7
hosts/monitoring-3/secrets.json
View File

@@ -1,4 +1,5 @@
{
"uberspace-monitor-password": "ENC[AES256_GCM,data:NfM9jxZAMkSGFlPYxreP7LJkr9gA2llyVw96okIKNUQ=,iv:z/LW643T36HpKo/xhHcVnF0EqhEXdoiEkDMH6NQzN9A=,tag:KXR2+kizv3To0EvZ66ak9w==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:kYFhMbqL7b0rwE2XIaR4QVT8ahoODmpXKzK5gvkODFJVklubwCmq2bLJk94=,iv:eR+VjxdtS4et9I4okzHyA+if1Rxj2/MuiC0CrWXd0Bg=,tag:rMaYMTvO6gWw6WegehDBFQ==,type:str]",
"xmpp-password": "ENC[AES256_GCM,data:eBZsBYqo+juLrYZjBqTcKFirHViRsul+wt6kkOmMhCp4xU7Ou8eJAPCOuhvHcUGxRE44L0yIyUObhRgAj0T5QA==,iv:DsLJ3qCZyrdolJBZFT9FJUNQ75pc8Vz32K2a8RJHuLc=,tag:wOxs2Ulw1aSMadWfjGSKsw==,type:str]",
"sops": {
@@ -12,8 +13,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxOGNMcm9vRWxMZjBwcmVS\nVGVoS2kwSmZjOHdGMXQwUmlzV3hhbGhhOVhzCkljQi94aUtORldKOFdqeVNXYnJQ\ndS9Vc0hRRisyL1dESk1NOTQ1dVJyMDgKLS0tIE54VlU1cVRXWXRlVGU5RzR5dXkv\nSEZJeElpWDdJYW9WNWxGLzdjdGR1YUUKGZwFPOc4MD97FBRtj1Py4A9Tz/HlzHcK\nX6nYgkYSUycM4g4d3+N+1NKutfWJ7KheuTlhNRDftyLYmmo5wyEtrw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-04-21T17:08:58Z",
"mac": "ENC[AES256_GCM,data:UucT7OiO9S3FcO9b1UKPQYXi7v3Ak7/J/VkDN4P9fssS4nky6PyX4oV5UvGcuR3p0pxLAHGJ4rOXj5QbnOqwDqmHfCnoqdItAlXRT1YPdSrelQ/gHyOfexsuV1XLOUS/OXJoYEi3ymKtza4rMIZow+du0YkRxrJQjwM0y8XSa3I=,iv:mDBaVhbHCLdxx5DC7urPPDdVPsCPYqKgLRwfqjLFdnU=,tag:Wpq6ihxIr/eceG12gpOJwQ==,type:str]",
"lastmodified": "2025-03-07T20:23:25Z",
"mac": "ENC[AES256_GCM,data:6GY06rVSKtQqaV5kLgTU4Wlu+e+dkNhxaPkJqKE8hrfJzO85WU6/iLvuv4ai0u+cUeWcOZatskzUeaVL/NjrRZnsNnxUqWbljLs8//0uUln71D/DWE4Vpb6Uz9I2iHG2Gftv3iyYF3nucrHiSTvyLzb9fDL+eGv0CHa/KmYk97g=,iv:f6xqDtHoBy7h7KRr2J0kYcaf6indqnRrJsYdcv9EHJs=,tag:uliCg2x92qY9SN9hg08Iuw==,type:str]",
"pgp": [
{
"created_at": "2024-04-21T17:08:30Z",
@@ -22,6 +23,6 @@
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"
"version": "3.9.4"
}
}

39
hosts/nonat/configuration.nix
View File

@@ -4,28 +4,33 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/router
];
profiles.clerie.mercury-vm.enable = true;
profiles.clerie.router.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false;
# Network
networking.interfaces.ens18.ipv4.addresses = [
{ address = "141.24.46.169"; prefixLength = 24; }
];
networking.interfaces.ens18.ipv6.addresses = [
{ address = "2001:638:904:ffca::6"; prefixLength = 64; }
];
networking.defaultGateway = { address = "141.24.46.1"; interface = "ens18"; };
networking.defaultGateway6 = { address = "2001:638:904:ffca::1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
networking.interfaces.ens19.ipv4.addresses = [
{ address = "192.168.10.1"; prefixLength = 24; }
];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18";
address = [
"2001:638:904:ffca::6/64"
"141.24.46.169/24"
];
routes = [
{ Gateway = "141.24.46.1"; }
{ Gateway = "2001:638:904:ffca::1"; }
];
linkConfig.RequiredForOnline = "routable";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens19";
address = [
"192.168.10.1/24"
];
linkConfig.RequiredForOnline = "no";
};
networking.nat = {
enableIPv6 = true;

31
hosts/osmium/configuration.nix
View File

@@ -4,12 +4,13 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
./nixfiles-updated-inputs.nix
./polkit-test.nix
];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
@@ -19,12 +20,28 @@
"aarch64-linux"
];
networking.useDHCP = false;
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.29"; prefixLength = 24; } ];
networking.interfaces.ens19.ipv6.addresses = [ { address = "2001:638:904:ffc7::6"; prefixLength = 64; } ];
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
networking.defaultGateway6 = { address = "2001:638:904:ffc7::1"; interface = "ens19"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens19";
address = [
"2001:638:904:ffc7::6/64"
];
routes = [
{ Gateway = "2001:638:904:ffc7::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.29/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
environment.systemPackages = with pkgs; [
git

44
hosts/palladium/backup-scripts.nix
View File

@@ -1,44 +0,0 @@
{ pkgs, ... }:
let
cb-mount = pkgs.writeScriptBin "cb-mount" ''
#!${pkgs.bash}/bin/bash
DEVICE=/dev/disk/by-path/pci-0000:00:12.0-ata-2-part1
${pkgs.cryptsetup}/bin/cryptsetup luksOpen ''${DEVICE} external-drive
mkdir -p /mnt/external-drive
mount /dev/mapper/external-drive /mnt/external-drive
mkdir -p /mnt/external-drive/clerie-backup
chown borg:borg -R /mnt/external-drive/clerie-backup
'';
cb-unmount = pkgs.writeScriptBin "cb-unmount" ''
#!${pkgs.bash}/bin/bash
umount /mnt/external-drive
${pkgs.cryptsetup}/bin/cryptsetup luksClose external-drive
'';
cb-prepare = pkgs.writeScriptBin "cb-prepare" ''
echo "Formatting disk"
sgdisk -Z /dev/disk/by-path/pci-0000:00:12.0-ata-2
sgdisk -N 1 /dev/disk/by-path/pci-0000:00:12.0-ata-2
partprobe /dev/disk/by-path/pci-0000:00:12.0-ata-2
echo "Creating encrypted partition"
${pkgs.cryptsetup}/bin/cryptsetup luksFormat -c aes-xts-plain64 --hash=sha256 -s 256 /dev/disk/by-path/pci-0000:00:12.0-ata-2-part1
echo "Opening encrypted partition"
${pkgs.cryptsetup}/bin/cryptsetup luksOpen /dev/disk/by-path/pci-0000:00:12.0-ata-2-part1 external-drive
echo "Creating file system"
mkfs.ext4 /dev/mapper/external-drive
echo "Closing encrypted partition"
${pkgs.cryptsetup}/bin/cryptsetup luksClose external-drive
'';
in {
environment.systemPackages = [ cb-mount cb-unmount cb-prepare ];
}

71
hosts/palladium/configuration.nix
View File

@@ -5,52 +5,61 @@
[
./hardware-configuration.nix
./backup-scripts.nix
./restic-server.nix
./wg-b-palladium.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelParams = [ "console=ttyS0,115200n8" ];
networking.useDHCP = false;
networking.interfaces.enp3s0.ipv6.addresses = [
{ address = "fd00:152:152:4::11"; prefixLength = 64; }
{ address = "2001:4cd8:100:1337::11"; prefixLength = 64; }
];
networking.defaultGateway6 = { address = "fe80::1"; interface = "enp3s0"; };
networking.nameservers = [ "fd00:152:152::1" ];
boot.loader.grub.enable = true;
boot.loader.grub.device = "nodev";
boot.loader.grub.efiSupport = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub.extraConfig = "
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input console serial
terminal_output gfxterm serial
";
boot.initrd.luks = {
devices.lvm = {
device = "/dev/disk/by-uuid/f5597381-b59b-4f19-94b7-fd69aac43d6f";
bypassWorkqueues = true;
};
devices.crypt-storage-palladium = {
device = "/dev/disk/by-uuid/c54396c0-b5d3-4e61-9ef7-483fa2b4a56d";
};
};
boot.swraid.enable = true;
systemd.network.networks."10-wan" = {
matchConfig.Name = "enp3s0";
address = [
"fd00:152:152:4::11/64"
];
networkConfig.DHCP = true;
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
# Keeping the harddrives quiet
services.udev.extraRules = ''
KERNEL=="sd?[0-9]", ENV{ID_MODEL}=="ST1000DM003-1SB102", ACTION=="add", RUN+="${pkgs.hdparm}/sbin/hdparm -S 24 /dev/%k"
'';
services.borgbackup.repos = {
clerie-backup = {
path = "/mnt/palladium/clerie-backup";
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFyk716RnbenPMkhLolyIkU8ywUSg8x7hjsXFFQoJx4I root@clerie-backup"
];
};
external-drive = {
path = "/mnt/external-drive/clerie-backup";
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPuh74Esdp8JPgIZzM372DaCwtAl2QNtRratnIFG0NRB root@clerie-backup"
];
};
profiles.clerie.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8103/128" ];
ipv4s = [ "10.20.30.103/32" ];
};
# Disable automatic directory creation for external-drive repo
# The directory gets created by the disk formatting script
# Correct permissons will be set right after mounting
# This prevents borg from filling up the root drive when no drive is mounted
systemd.services.borgbackup-repo-external-drive.enable = false;
clerie.monitoring = {
enable = true;
id = "206";
pubkey = "fHOYNZ5I3E2JPrd9dUrNBmu75weX4KbDih5q+GCk8Xk=";
pubkey = "2Q8mO4Y09Oi9CCfUUvWpZ8yIQezwtE94tz6ZbA0EDwE=";
};
system.stateVersion = "21.03";
system.stateVersion = "25.05";
}

25
hosts/palladium/hardware-configuration.nix
View File

@@ -9,26 +9,37 @@
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/b217f1e1-1337-4ef0-bad5-15829ba32c7a";
{ device = "/dev/disk/by-uuid/fbd14cd4-e402-4ad6-b801-8826d6cfc0fb";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/7A6B-3444";
{ device = "/dev/disk/by-uuid/8B45-EBB4";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/mnt/palladium" =
{ device = "/dev/disk/by-uuid/f20d20ca-6be5-4b16-81fe-e66f31ffd108";
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/e7c41c4d-89d8-4083-ac6e-abbccbebf551";
fsType = "ext4";
};
swapDevices = [ ];
swapDevices =
[ { device = "/dev/disk/by-uuid/6ca5e48f-9b99-4722-b21b-c6f298610157"; }
];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

20
hosts/palladium/restic-server.nix Normal file
View File

@@ -0,0 +1,20 @@
{ ... }:
{
services.restic.server = {
enable = true;
privateRepos = true;
dataDir = "/data/backup";
listenAddress = "[::]:43242";
};
# restic rest server does not support --htpasswd-file in the current version of nixpkgs
# until then we copy the secrets to the common location
sops.secrets.restic-server-backup-htpasswd = {
path = "/data/backup/.htpasswd";
owner = "restic";
group = "restic";
};
networking.firewall.interfaces.wg-b-palladium.allowedTCPPorts = [ 43242 ];
}

19
hosts/palladium/secrets.json
View File

@@ -1,5 +1,8 @@
{
"wg-monitoring": "ENC[AES256_GCM,data:ip6L61RXAVxaPqizhNTr6zVvKgd40CAsgeNFoAXMARM1nl146ayHK2q7mhc=,iv:G4WLmcPpJOxTcW0bHuEwWmth6u8fYoH7GmpkMo8Z3TQ=,tag:xJ+wCVEUMdqfXPcwgr9WSw==,type:str]",
"restic-server-backup-htpasswd": "ENC[AES256_GCM,data:ouHDwNJ3UQID54qq+6tEc9Zmpa/i5jDMvzIw5baBV4oGy27JI+f40A6tqmQlbRRsX68XhMhfRcpczfTDmf2tFV7TcWB4yA==,iv:PkjCOHFQxbBvYdmOhARJUNUUsAbJiEDnLDM1UWZhHXA=,tag:3cGdkx0xNdtse9hHPa9mUQ==,type:str]",
"wg-b-palladium": "ENC[AES256_GCM,data:VBDyrDYwICbiND8jfkiIr/3oDtP1X9817WhonFYXNSTPZHziEY7U886/DFc=,iv:syqo77FROChv4WKgiGWCUa2ziH2Ds14CT5vVRxGmEvQ=,tag:X2G3JUrabXYmsKPBltOafw==,type:str]",
"wg-clerie": "ENC[AES256_GCM,data:fLGZCRbnDrSWQ+9Q/7l3DUKOgw7blcHpd8svHMZFEKMoTfGeZCc37oKAOKU=,iv:GlPXkeVnzSzAnpdSGIydZP+hhEshJ3X/N1fhwJk5Ol4=,tag:0E9RhBPha0Gun6KUNtvYUg==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:3RHk/VI8t9ba/qiWqLkwIxaOt+e0yXw7+f1qpIVdr3JE2NzkVvX6aeP3o2Q=,iv:f4VIK1oyaUilCia1EfEiL18a3zk4+7Ol4ihyhzPounw=,tag:XeTI3iL4qIPS+Z+PDJRGrA==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
@@ -7,20 +10,20 @@
"hc_vault": null,
"age": [
{
"recipient": "age1tl2cd730ctn6jcgg0vf8c5gg9722umk30zwvcwxhejh26p3gt3ds92msyx",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNHllOHpoYkNyQXMwL002\nRDR4eFVRemc4bW8vYS9GWHFkcmpRbWFFc2tzCmFjV1ZNTzhOYjM4VWltRGhaQ0RP\naC9vN2hrM3NSTDlSd1ZJTldXamJ4NUUKLS0tIDFuUzRKWWQrUFU1SXNqdEV2R1lM\nWXU1by9rYTBINTVralo0TTJmSEZHMm8KYEggCHnOyMcQSdJ9+Ujf61OANuja0ZIf\n+wa9ugc2OZrOYepkjN5X/bETdKfU33pIAL208N9HcOttfhcZq70yUQ==\n-----END AGE ENCRYPTED FILE-----\n"
"recipient": "age1s3f9hxcd89dk3st2r5funjw7cjcq85nuz4gq8w0aplky9v2wqy7qwukagx",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpY3p1Mi85WTNxK2U5bFVP\ncmlFRXNlK2dWMUt1eW1abzIrb0liR043VHpnClIvaHZ1VWxRSFR3ajc0MmJyMFAw\nSWdVclB2OGJqUjNXTmI4MktXVTVQbncKLS0tIFpJTTZJRmJGeE1xNFFScE81R29J\nR3MzOGY1cVhmalNEaHdyWjkyaHVRTDAKXyz/+WdHsC2AppYNf3/W1xx2Zcfg4p50\nCAamBntNMUK8zYLdhoSBT54qVYJJuYZ6eD6WOIZrdCK4HKGy0d13uw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-05-10T13:25:28Z",
"mac": "ENC[AES256_GCM,data:fLw0q9h+rlAAiXjtCJeGPi0COEt/UvApRiOpE+ydSrD/jXy+vh2OVW57UZPRBCP1mWtqfUJLiT1BZyOWor7dsPfTvaxCQmYhGcKBLucFEaiUovGgVjxJloD8hDJvSG9SJnlIiDobMsG87MsEWpi70oAbQu3/d4JT1BPSaRpvsjI=,iv:iS7tFqZMa0OzA5ASKPS6CSNTJYYJ0zhjLmBcipjLapg=,tag:Lspazw8Pi5Dxqcrk35A6tA==,type:str]",
"lastmodified": "2025-04-18T08:56:54Z",
"mac": "ENC[AES256_GCM,data:QEEcjNqO+tXpl/4TWx+r8WT+ZsdoBw/CBiz6XpG8rsIl0prBWtQ8YW/DeYAxLPMOlb55HuDsneLEpR2DsBB1x6b0lSyjES/hgMRkweKczFLRxrhHh3qXff/wK9sDaEPLvEzvH99x63+1dAZh7z8CVESDTt8QLKK1qCxOf36QNdc=,iv:NbYc0qz0AUGKWpwKg/1QCuTnZ1+m+e6tQxWAuDogVrw=,tag:JEPtLP7V3N+Lx/quMGq/AQ==,type:str]",
"pgp": [
{
"created_at": "2024-05-10T13:25:16Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/+KsEUiNCgfajBMEEFsqHqNG3utLNQSLOd6VX/Rk56CjT9\nUtfiCdZCSzrtyT3Anu72auTJ+PHNAVhhHPcDiUcwY9JYXEXNETzEn0U/byS+kvOD\nNTpcpR1gSxJCj1aDqDDpfQQ02hSpKO4iw0B71gKcekUXcD2AQeeW0Djq60CusWVk\nRgC3odnyTr1CN1+JRtKVZKIa78rfOkyhmFP2G2gvsSHhUBd5RtMhJdfYVUTMIKXO\nQFB2IGCoIzE0zDitCcAZ8q6Dc8lBuAvNSiVkFanJn7e7etU3JwDhYsZKRO7jvNX3\nmjHnQ9vf0idCWAi0oabZQ1OGdwPbtjssxmQkzzR8R/paw+iRB50i1UG3/5ehXTV4\nTp/2rEwrsF8jO1bahTcrJirR7RPLEy2BvJ4ALzmEYrIoEwWuCIexrY+e2C2rXpy5\nK2+9Ch0YCaz8sc700bgO5ZkyvnmnbVJxGCaMGQtT9LXiEWvc36sUXhbEGJ0K782Z\n7uVFRs4xWsrUQHo8lFTfW/vLZDq7FvkGnDf5xnoEJp4BNYvYmMmsFiaygkbbqEdH\n2aHRCam9q5zcuBq+aA40KI1P4adIFgij+fijwQ+019JrfaMEXcmwgtOfkb2OZNOF\nXQ3tRgYLaxSae7BYJA4uTaFq60kpp1c8qgxw3WKPEiHywtl/SaPcx1XD9VJoVTGF\nAgwDvZ9WSAhwutIBD/9O0inQ/HmpwtD1AnE89SuZNuGQty71LVhX2PQQWsUdQOuz\ndKZN1wy6UxIImFGisBodUH+48k1DjbkDjL5cLSAUOt9OhAxW2Ubp6HA6wDJPqWj1\nYQMHKmHlf2zh5G1qTUXV3NNw6hSaWejVDS73WNODv1WfUFXrPN9DVLaPsS/RJo2Q\nAoDG/iedeQhIIBwrLIcQ8ttjv9MTI1GzsNRC/CjxQpDnHabqQzFzenjnVRLDXcmr\nwfw0HeTPeNh+pLYb+sBqzGUP0j1GWui99/6NUeo/TloBWJbIung4wq23gYZbHn+K\nbWJSxSy980mvjCXiRukzXlNJMwLZDVoBlPQSbe/pOApHM9HTScZ+3VcLlYOPjgZk\nhnCvFNm+4/00ZgF+tcvLOugIfqwxvOuqW4gGGhNAycHinJZuSfDHYe6zCfEiqc7t\nnHlbhNvlhC8zDu+fOurC2ju5eGv8LqFiobfsBFVdKpl9Gj7yg00S+QmjBcz0lkE9\n1BftwEQaj+r4EDa4cJHSgP+K76utv4Xzt9hHZZJo7hvii+lGxFI7rBm0xbV5bSuY\ntOhN6d98HH2++AoXufIW5vmnydGk2NXu7O8vi6sQWzoqed84ZHbJDWLQawQ8YQlR\nkbht2PzH4+rq1oOVHbLslxWkYF9WMsQRUef6ALNpys/Dj8N54gEN4RTV+SxIVoUC\nDAM1GWv08EiACgEP/1eiG0aASQogSByxl8ZbRjRg768YVR1fwTa8GG5tE7wfcGiI\njZF2TI+yQWt7gRS4AKNm1gfWEEjCH1tBOj53/Wfwn9ZuGoNqboA2jgsh2rnVVSXR\nOdXK3is/FMh9JREr669be83nnQ8fNP8nIz3snEvKVYVGcdsdkDXBz4GKmJx52NNb\nauL+4w14/0PydCVH/njsFY8FyWqP9lUFgpJU8jHjX28oTB3khwWrDs0THwqilTFn\nhFjgeCy555zeh5rDpBDPdPbLUNd094RB15zaKzn2dC15F8DMCLoA9ASNET7S/+u3\n1SjvI4XnOpxK9hyETcwjzbWJc2gV7U38VqxhQW9Vch3AvXOufMMTm6cobLjiwxjF\nl3XTMJ5GvHDZXCwrGEapy9GbHQjbd9yi0iFgfSGV4nkNmCj1jtAMUngdCqELDVU2\nZe3a8IeJswlTteGlXAM5mwnDaegMsiD/vwsq5Rtl0gs3iI3uIN4RFXuvxP+UeJ/c\ndJWqpF8vcQI4qGN3kxgB30I7mUiz1aggv5uw6nDWRJHTQKLeOkV8ssTq4FLs4XYL\n4z4qmMT5i+8bGu575py/LRDjvXBldeitnQj1jAN2y/uPNVWsZqU3S+OkEosYIgSQ\njAe3N0EyH5k3j7j43x91toYOCAkulAuPkox6GyUKKq4dCPWxg9fqQ8u4PaSN1GYB\nCQIQ3+GP0DNWupTIkTS4Bk1LwbT99lyr2DyExqb2pgXmzn05Qs6CE4+jcIxXnmUQ\nzCl6PLiw+DJ1nq5gKtTrkO96HtHGyfPiUunDZXty1/zNltYjedk7ebkWF3LNXBhE\nK38c6yE=\n=w0Nn\n-----END PGP MESSAGE-----",
"created_at": "2025-04-15T17:32:56Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//aQe91iy/RiR2PJqXhrZVyovraUmm4ivCjPSoookMCHhY\n5HGNdyzttnBjzHNqT8OFo43nu1VPlOYllgQXNbwEj7rSQN5CZQTx35Fhkc2q9q1N\ns3uI+o/RfCLiZMvr5S80lFvmw25hpopGoF0i3sHrORbh5ennzGV2Dsn2RfcQx5Ji\n11kO4QBDNs37cqZEBP4N4R5xEWFMrWPqxVrRuGZkzxR0MPLy+zCSjic0OIXWxi5G\nSTO3rPGn06s3gbMmFgAPVBMR/nyT2kPDwQFbvv7SWNqnyZ1z5S5C7eSpcEa+49IZ\ngHo3hRa0O30bvgc+yhQ9TxhyFmlgk+HWRsc7p1c7B+HK+mwxxnoixfHQLpWEwiQz\nfT32rTG/v4MqNokiyMCvUqffGwBy57YQ0Koggm8kv3GYPbCSXFuGgdxBCUufaIkj\n5n6WmMfjESOEq0+wRw1FZPp6hl1vtCpldlYqm7raOWyzncULvPKbD8AHj7g0QgP/\ndmcVV2ca1V3vklb+FsuiUOJDkGnvue+uUjQ2f/t4JqLYy1dHlfPSX3X+WEJ4U/Nw\nZtpPb7XdgbWLbcDUTpEUGMhlnrLhdjt9w8iDKjZ+kN95fFfR9J4jTyUANIHd0sW1\nuLGphdWX62nmldEIJeselBaVhwiv5qQduNCdDssgZaMlmmdvZUHiABYh8rqKByOF\nAgwDvZ9WSAhwutIBD/4kxHpGFsX6wsP5dfJHGbh6dakqXjidwgkfbgq9eWd3nM9B\nYbmUZNz4vjdWGFIg/zitxpV6SRHItPPLkF0HEqecKrwBC41iczkMTXJsCN19zCEG\nGyMFtiTgYrkLZiN3yMViKbv5sOwm+38dQCE3tL6TZl8Rqi2Wm390DQ/dFSJSdJFb\nLZmOEvUkyChFvS+C6aCIsChoPSRnoqpxzrpJLoozS3EKGb5hKa7SN7zuSyNbUJgR\n4DaruQGNbbSKmInsigqJWtlUbJsYxbOxRGojw2waMRHEvWJfIN6NdsFuCBCMqHA7\nsil+siC7BXqef7nD9UcsjVBPyl7UAtvBAvWpfA83vYwtvSCR8tBPZ7EifyOWplfS\ntdJQFDd14ZGs/kO6j9Ck5d49Y6NuPEfa+wjs8vZGBevWGiErf+RlN7yYRLmX9pr1\nR72U0jC5rhA7+X1JZHEx1DdpNfGDj8MUokXf82aTzQPpOJPPUXOnJP9a6oHFW3Uv\nWmfTSjVbw//B9i/KM5XmVNgp3TyNZmszU36d79W23tnNQhSFpLNz4E/yr+vhvoO1\neowV8gi0BYxNGnUeM+QOFxdvoW4pNyTwVGFbqrJ7xY0m2gYiRpjxf1qpAP5pzm4Z\nrc4c+en8/71oI3Pt2D1IOHMA1VoJbemCxQKjXMb45RJxtSMZTX6kUMeWgXFLvIUC\nDAM1GWv08EiACgEP/RRLSlzAyA297eWSKzDehvMeuf3XL6EgwGo3W4VUjFQLy/k7\nzgJyzmClLaWxoUnhJY26ciaUVX5xzlyamzsuOk+S/Ke/UxHctFhT4jiSfpCj7SJU\n5E+fl4Q1vaH9CwolP/TppYRHw2PrBFHw62+/5o5PzOuSnOQ9M1Yen0sEv3aK1FYb\nCH5lDD12eZ8Qn+aTQUc4DfHGYUZckKp/yWSOYA3/O80bIimSYWjq73CclNQMXeXU\nE520z43xKArHcmbSVcJhxH+tkG+BNJ16l5XQaiKK9p9LlkPyouVvSmedXLsKdt4U\njYGywDAWh39UiepzTNc8I26eM4XcbDZjfF2D9EoNttTXWaHQpIyP/DyzJwShpVGF\nj5l1FmiCXvBxUXUJHP+4ONRtnEjMTQB/6IMWQJ5etVku+8eFRAqrn5J9B5w5/qqj\nf+99lXlORQXo9RDSANinCn6l/zORCUmNqgqfjnuVgsFPJFnUycbyzFsPgZXyF83H\nc/bqAYkjqSlMWzNuhOTgHuDJzt/SPhmbJXJmBH/ZKR52lQRlYonon9+hNE6Ti1aP\nBUdxIpMl89Cj8IPyg24cWlRIRGssIR/7e2iim76lH8VY5QT0M3qUye7KOtKOiJv/\n38kIftzORJ4PQwJnSl2TFqjs/mYSHEx0xc3WednF5ZCDicMYTjkePKJRMHuT0l4B\nYc0BSK8isG7x9SUNSxXUrb26d67ABWRmik+K+B9o7HeQRbPQuPV65m+qBxVEueVu\nYTi+79/6X2pmj/54NbN6Lqaj9SPthnhyDUrduulMRQBvxC2n9gVQ/+UnxEMy\n=Sp14\n-----END PGP MESSAGE-----",
"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"
"version": "3.9.4"
}
}

2
hosts/palladium/ssh.pub
View File

@@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBc/YTf80MjyVeApOecOlxORIlwCaWtJNWtfggc0B374
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF0ZrGvZqxqsGEl2+YNnL5JNpeRc3y0DgqZAkuayfeso

38
hosts/palladium/wg-b-palladium.nix Normal file
View File

@@ -0,0 +1,38 @@
{ config, ... }:
{
sops = {
secrets.wg-b-palladium = {
owner = "systemd-network";
group = "systemd-network";
};
};
systemd.network.netdevs."10-wg-b-palladium" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-b-palladium";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wg-b-palladium.path;
};
wireguardPeers = [
{
PublicKey = "VstE42L1SmZCIShH5sOqcpVQOV0Xb9cFgljD0lhvKFQ=";
AllowedIPs = [ "fd90:37fd:ddec:d921::/64" ];
PersistentKeepalive = 25;
Endpoint = "backup-4.net.clerie.de:51844";
}
];
};
systemd.network.networks."10-wg-b-palladium" = {
matchConfig.Name = "wg-b-palladium";
address = [
"fd90:37fd:ddec:d921::2/64"
];
linkConfig.RequiredForOnline = "no";
};
}

24
hosts/porter/configuration.nix
View File

@@ -4,19 +4,27 @@
imports =
[
./hardware-configuration.nix
../../configuration/router
];
profiles.clerie.netcup.enable = true;
profiles.clerie.router.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.useDHCP = false;
# Network
networking.interfaces.ens3.ipv4.addresses = [ { address = "5.45.100.191"; prefixLength = 22; } ];
networking.interfaces.ens3.ipv6.addresses = [ { address = "2a03:4000:6:48d::1"; prefixLength = 64; } ];
networking.defaultGateway = { address = "5.45.100.1"; interface = "ens3"; };
networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
networking.nameservers = [ "46.38.255.230" "46.38.252.230" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens3";
address = [
"2a03:4000:6:48d::1/64"
"5.45.100.191/22"
];
routes = [
{ Gateway = "fe80::1"; }
{ Gateway = "5.45.100.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
clerie.nginx-port-forward = {
enable = true;

32
hosts/storage-2/configuration.nix
View File

@@ -4,22 +4,40 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
./em.nix
./firmware.nix
./mixcloud.nix
./syncthing.nix
./users.nix
];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false;
networking.interfaces.ens19.ipv4.addresses = [ { address = "192.168.10.35"; prefixLength = 24; } ];
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc0::4"; prefixLength = 64; } ];
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens19"; };
networking.defaultGateway6 = { address = "2001:638:904:ffc0::1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18";
address = [
"2001:638:904:ffc0::4/64"
];
routes = [
{ Gateway = "2001:638:904:ffc0::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens19";
address = [
"192.168.10.35/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.nginx.enable = true;

17
hosts/storage-2/em.nix Normal file
View File

@@ -0,0 +1,17 @@
{ config, lib, pkgs, ... }:
with lib;
{
users.users.data-em = {
group = "data-em";
home = "/data/em";
useDefaultShell = true;
isSystemUser = true;
};
users.groups.data-em = {};
systemd.tmpfiles.rules = [
"d /data/em - data-em data-em - -"
];
}

1
hosts/storage-2/users.nix
View File

@@ -2,4 +2,5 @@
{
users.users.clerie.extraGroups = [ "data-firmware" ];
users.users.frank.extraGroups = [ "data-em" ];
}

38
hosts/tungsten/configuration.nix Normal file
View File

@@ -0,0 +1,38 @@
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
];
profiles.clerie.network-fallback-dhcp.enable = true;
boot.kernelParams = [ "console=ttyS0,115200n8" ];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/disk/by-id/ata-InnoDisk_Corp._DRPS-08GJ30AC1QS-A88_20120705AAB200000505";
boot.loader.grub.extraConfig = "
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input serial
terminal_output serial
";
networking.hostName = "tungsten";
profiles.clerie.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8112/128" ];
ipv4s = [ "10.20.30.112/32" ];
};
clerie.monitoring = {
enable = true;
id = "216";
pubkey = "bDmf4xndBNwzcvIGCMq6dhyzjdEZOV2ckhv/37V/PWg=";
serviceLevel = "event";
};
system.stateVersion = "25.05";
}

46
hosts/tungsten/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,46 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "ohci_pci" "ehci_pci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/7ed9e29c-d771-49a1-ae8a-8894f347c648";
fsType = "ext4";
};
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/95122f15-5621-457c-972c-c057ca416212";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/02a2afe4-ee00-4d3d-884a-e195b9814bfd";
fsType = "ext4";
};
fileSystems."/mnt/storage-tungsten" =
{ device = "/dev/disk/by-uuid/3d386e15-9d64-42a6-8d6d-571272d5e78e";
fsType = "ext4";
};
boot.initrd.luks.devices."crypt-storage-tungsten".device = "/dev/disk/by-uuid/e4142245-4c69-42e6-9b1f-fa4dc7fef7d8";
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

27
hosts/tungsten/secrets.json Normal file
View File

@@ -0,0 +1,27 @@
{
"wg-clerie": "ENC[AES256_GCM,data:OtSzmacWH9leDuykr7Tp5lR2FDoNGQ61V/9z6xBD1eCDSLOvt8UdILMETJU=,iv:NNGqR7UG3bZWETpZRwEdS4O1nRO4cBT72fljpqSbtyc=,tag:mea+5E8B655ljRzk63IDOw==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:+k7ATUbPnEfb4O4lUs8d4ZlvMPlsxC5mrCi1bXOje47XDcpioDwzRTQNPrU=,iv:p4JdSMbBcb/8Uh/9RuUSs64VBRQJHu6k5FB50UsxXVU=,tag:NRyBs1CO77AV4CbD6a6gig==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1dvl2pylf9vs4vt27g8z8nzpuwt88zl5fj7a68papsmenze7gd3mstyalks",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOGRQMDhycnViTVR5M1Aw\nbjFGbXBINTJsTEdKU1ZoMDVIMUQrU1R2M2hFCk9XY0NxMlZoZXJhMVIvZ1hLUXJt\nSVdzWEpraGc3aUFBUWU2Uk9WK2J1cncKLS0tIEZPUVY1V2Z0RDhJR2VweVFsZnY5\nREp1cERaVzcrTTRhL0tpVWpMc1pCdWcKB3ZbqB8tGdXgXra3fRL/gw4IEpNHBqp+\nKnw9XYYV2MDiL02+HF+bABVHbjngG85EGDRTDZMWnJtlxV4l+vzTVw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-02-25T17:46:27Z",
"mac": "ENC[AES256_GCM,data:EvbkM81pIqbYkvcBSWtyov5GN8D0PauWAiMmRYgWl2fijlH7zEpsCh0XU544prqpb7vh8ShAuCecVpWsdWUIAIT62ToB28NdefDhX2HDl4B1XeIy2X9i+jhnaXLjbwc+r8IhTHOJ/uWeVrNQyb4g9nOaijzDGVJbwKnJ6M+O7fU=,iv:WAIwdemTsTHLnGtFtg/KgyjId3+RpivNDc1LFZjG3jY=,tag:YmaYFT9smKChwd5vVisfLQ==,type:str]",
"pgp": [
{
"created_at": "2025-02-25T17:27:17Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/+In2YZByknfnhl2zYmOUTQCrjpiyXbf8/ai0Ko8TZZCRy\nhrpxyvKP+/u7CMS+giouoxKJ4XLDbHacoz06qF1I9i9iSVelXxQ5epSHk4BLLocw\nP5S6ZnE3jQO4G5goC/LU7nARN2IMwYq2rRZe8o8SLDMTZqGnlk9vBihcE4rN4lpd\nLbSb+cT6wDba32xKNZuP9IRPU2gqjOAg99gbh7Se2zB4Q7AxpgUl6EZZ7OMqVl/C\nbgSQFgwJxFPoH8KBS4wICbHTyWGvg2iEQyh1zNElUwbW112kyfBxGHKFukfEapIj\n2Cv0+Jme3VA750rZmJ4xcOZeoz0n7THBHdFjE122dkXhUdkQmohKzjngIZySUqDI\nuaDf43ebi6tPgCdC6gKLbYUUml+WEOmIRcgmIEswG9iRF/vjOYLK9OxclAKLDDar\nN9zgRFW1qR0HZhAbC61L1CqhKZzjQpNpjYn2pwmR+NnU/DDrlSdJLnHnrMdPeG6l\nBVp7oLhct2DwrypEYOvccrEwRakJSjCyC6cPWbUv7upjovTvcSAh21XNLnHJaMsY\n+sbJf5vshnALIkEXRyMBa5to7RZQvWx9qdklykjbXUEheM9RQATjGdnFQHuM05LI\npWKX038xlEaPe4nJa4PBGub23GZ1zuP3zE+N0W4XTR3r3ZGsMncqntiPJaaBgzWF\nAgwDvZ9WSAhwutIBEADMfdHvINLP6Gu7/DeLUboRnTHpP8x+rfTy9lcIW2RmQHbz\nLeAwBbeqyvLUi9ObjwclVWvPHqbPyGwibt96mTgGnkAEwXCgcXfWz/vCRZ0UHcvT\nimFM4H+ecOKws7t+sf31PAMPE0eSSJIYXVU9pej0qaKzR3zMBvQi6CsB0F1e2Fkz\n0HbilJMELaKFbJJsTXtDyl9Afi8OtVcBoG8P/1ImM/gcJLU548WTwPtzYUufHt5q\nkb45PjEId3m/g6CF6nh4GCQtRwOWjah49Zsk5cuI1aO/Q0gPyndgzFL5fYOfPlGN\nPTQ2KFMUh1dkvVVzyNFFC1vqXx2KH5l2gdTRkzaFQ3Qjjx1kluM5AlEl2Ynx4sbQ\nVaFZHFjQnoFtDn08BzNS7Cu/5SOdXejihen4sg0bGjEz6aVGwHXQJcp0BigH2y3f\n/OtnCK5KjFSQsdgTV5trstQgFQMqbMiVEqd3u+3lTxGJ/dQ7NXerFroITUC4J3Uu\n3VRdWTlgPED8hiA1NQaOiy2bbMzAgaR86qHK6JhxnP/6ETaByPPb27Oisblhhq9p\nCDw4eNGws1WsAyjZkyatzLZwUs2zOt4ZKjDlim8EikdGJpDcHnameRtI97QgPDO/\nzA5zHMrDuMN1iMw92WIAQyEQtJgyy4m3YvUsnlpHqKOgSNpwG/8j1zXHLH2p1IUC\nDAM1GWv08EiACgEQALEoa50qGjadZkaHI2tXFVv8RF1d8nR+L946DyMImjuMObei\n6Sx/Nc3bHzHSMsf27T120EUU0yUERdncoOQTRWBemMoB6tWYGTIAG0uDhrHl6rzW\nOUC5G7023H3cHStXbFFBp+JargnE1XgcapHM0p29GgUCE21UDBXzm7MB6x+9AKdd\nsc6qXD1xNPWc7RSqLL6anvcT/eLZW5Y1Ep2T7r5gQ81Fbxh4RicCphmApDC91Dii\nfZ/Va3JUeFm/82edeE4FqJUO9Akk2sPmVnXBYWPRq55/Uyk61J8u2b8tY7OcLSmr\nw/eaJq2bgDda3MBVzF3G9nr3BGhl8g7lCSCPS3gCFfs7C3Djp/YP0L8rMsH2ym1Q\nEj7rWC3K1xwtqowDx+EcYDMwmUtJqkia6o3WVM1qJM25QuCg2mnv9anMTgWuLpQo\nk1Av4FR+zV6aK3A7mxxjG0BsSUGjrrzoJC5DV1DSZ335lqlZxmthJoF0mda02nbh\nUlzpHEpG3/eWXjfDSbEYU8iVK2HWX9/i2gnXbpREuEnt5xpuSQ/sBT6tmit1FwK2\ntYZ+wtCMjWKkeZtvbP9Fx0nLYhVyMXvLhR1VLosCymKqWCIBj8VINagmPLiToEMd\nfpVs8m35neD4258CZOvBgqFvmxlGb9e27p8PHmlg9UNb/v7sYmSgm4IH0zi11GgB\nCQIQbpoXf1EJlriSHiqcUZCIvY/H37TWSJ6+tCcUSUipA+dLgt4pnKBjeM6RFSPG\n81eTm0AZIpmRDx/i31knPNh5JL6RYm5t66ncM46VkO1FIatkdKDfJbYe9J6ezWCs\nMDYTejoBhQ==\n=EuYe\n-----END PGP MESSAGE-----",
"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.2"
}
}

1
hosts/tungsten/ssh.pub Normal file
View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJq5WWALjFHvmUdcWdKN5BBRS1F/EWaBet6oftrbxt1F

5
hosts/web-2/clerie.nix
View File

@@ -34,11 +34,6 @@
'';
};
locations."/gpg" = {
extraConfig = ''
types {
text/plain asc;
}
'';
root = pkgs.clerie-keys;
};
locations."~ ^/.well-known/openpgpkey/hu/[a-z0-9]+/?$" = {

17
hosts/web-2/configuration.nix
View File

@@ -9,6 +9,8 @@
./chaosevents.nix
./clerie.nix
./drop.nix
./etebase.nix
./feeds.nix
./fieldpoc.nix
./gitea.nix
./ip.nix
@@ -26,16 +28,17 @@
./wetter.nix
];
profiles.clerie.hetzner-cloud.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.useDHCP = false;
# Network
networking.interfaces.ens3.ipv4.addresses = [ { address = "88.99.187.135"; prefixLength = 32; } ];
networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f8:c0c:c580::1"; prefixLength = 64; } ];
networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; };
networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
networking.nameservers = [ "213.133.98.98" "213.133.99.99" "213.133.100.100" ];
systemd.network.networks."10-wan" = {
address = [
"2a01:4f8:c0c:c580::1/64"
"88.99.187.135/32"
];
};
services.nginx = {
enable = true;

26
hosts/web-2/etebase.nix Normal file
View File

@@ -0,0 +1,26 @@
{ ... }:
{
services.etebase-server = {
enable = true;
port = 8001;
settings.allowed_hosts.allowed_host1 = "etebase.clerie.de";
};
services.nginx.virtualHosts = {
"etebase.clerie.de" = {
enableACME = true;
forceSSL = true;
locations = {
"= /" = {
return = ''302 "/admin/"'';
};
};
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8001";
};
};
};
};
}

49
hosts/web-2/feeds.nix Normal file
View File

@@ -0,0 +1,49 @@
{ pkgs, ... }:
{
users.users."feeds" = {
isSystemUser = true;
group = "feeds";
};
users.groups."feeds" = {};
systemd.tmpfiles.rules = [
"d /data/feeds 0775 root users - -"
"d /var/lib/feeds - feeds feeds - -"
];
services.nginx = {
virtualHosts."feeds.clerie.de" = {
enableACME = true;
forceSSL = true;
root = "/var/lib/feeds";
};
};
systemd.services."feeds" = {
wantedBy = [ "multi-user.target" ];
requires = [ "network.target" ];
after = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
WorkingDirectory = "/var/lib/feeds";
RuntimeDirectory = "feeds";
User = "feeds";
Group = "feeds";
ExecStart = ''
${pkgs.feeds-dir}/bin/feeds-dir /data/feeds
'';
};
};
systemd.timers."feeds" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "hourly";
RandomizedDelaySec = "1h";
};
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
};
}

2
hosts/zinc/configuration.nix
View File

@@ -25,7 +25,7 @@
boot.initrd.systemd.enable = false;
services.wg-clerie = {
profiles.clerie.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8109/128" ];
ipv4s = [ "10.20.30.109/32" ];

4
hosts/zinc/programs.nix
View File

@@ -2,9 +2,9 @@
{
users.users.clerie.packages = with pkgs; [
firefox
profiles.clerie.firefox.enable = true;
users.users.clerie.packages = with pkgs; [
blender
#cura # libarcus library is currently broken, required for curaengine

53
modules/backup/default.nix
View File

@@ -21,18 +21,11 @@ let
) cfg.jobs
);
backupServiceUnits = listToAttrs (map ({jobName, jobOptions, targetName, targetOptions}: let
jobPasswordFile = if jobOptions.passwordFile != null then jobOptions.passwordFile else
config.sops.secrets."clerie-backup-job-${jobName}".path;
repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath;
targetPasswordFile = if targetOptions.passwordFile != null then targetOptions.passwordFile else
config.sops.secrets."clerie-backup-target-${targetName}".path;
targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username;
in
backupServiceUnits = listToAttrs (map ({jobName, jobOptions, targetName, targetOptions}:
nameValuePair "clerie-backup-${jobName}-${targetName}" {
requires = [ "network.target" "local-fs.target" ];
after = [ "network.target" "local-fs.target" ];
path = [ pkgs.restic ];
path = [ pkgs.clerie-backup ];
serviceConfig = {
Type = "oneshot";
@@ -41,14 +34,7 @@ let
script = ''
set -euo pipefail
export RESTIC_PASSWORD_FILE=${jobPasswordFile}
export RESTIC_REPOSITORY="rest:https://${targetUsername}:$(cat ${targetPasswordFile})@${targetOptions.serverName}${repoPath}"
export RESTIC_PROGRESS_FPS=0.1
export RESTIC_CACHE_DIR=/var/cache/restic
restic snapshots --latest 1 || restic init
restic backup ${optionalString (jobOptions.exclude != []) "--exclude-file ${pkgs.writeText "clerie-backup-${jobName}-${targetName}-excludes" (concatStringsSep "\n" jobOptions.exclude)}"} ${escapeShellArgs jobOptions.paths}
clerie-backup "${jobName}-${targetName}" backup
${optionalString (config.clerie.monitoring.enable) ''
echo "clerie_backup_last_successful_run_time{backup_job=\"${jobName}\", backup_target=\"${targetName}\"} $(date +%s)" > /var/lib/prometheus-node-exporter/textfiles/clerie-backup-${jobName}-${targetName}.prom
@@ -69,32 +55,22 @@ let
}
) jobTargetPairs);
backupCommands = map ({jobName, jobOptions, targetName, targetOptions}: let
backupConfigs = mergeAttrsList (map ({jobName, jobOptions, targetName, targetOptions}: let
jobPasswordFile = if jobOptions.passwordFile != null then jobOptions.passwordFile else
config.sops.secrets."clerie-backup-job-${jobName}".path;
repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath;
targetPasswordFile = if targetOptions.passwordFile != null then targetOptions.passwordFile else
config.sops.secrets."clerie-backup-target-${targetName}".path;
targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username;
in pkgs.writeShellApplication {
name = "clerie-backup-${jobName}-${targetName}";
runtimeInputs = [ pkgs.restic ];
text = ''
set -euo pipefail
export RESTIC_PASSWORD_FILE=${jobPasswordFile}
export RESTIC_REPOSITORY="rest:https://${targetUsername}:$(cat ${targetPasswordFile})@${targetOptions.serverName}${repoPath}"
export RESTIC_PROGRESS_FPS=0.1
export RESTIC_CACHE_DIR=/var/cache/restic
restic "$@"
'';
checkPhase = "";
in {
"clerie-backup/${jobName}-${targetName}/repo_password".source = jobPasswordFile;
"clerie-backup/${jobName}-${targetName}/repo_url".text = "${targetOptions.serverUrl}${repoPath}";
"clerie-backup/${jobName}-${targetName}/auth_username".text = targetUsername;
"clerie-backup/${jobName}-${targetName}/auth_password".source = targetPasswordFile;
"clerie-backup/${jobName}-${targetName}/files".text = concatStringsSep "\n" jobOptions.paths;
"clerie-backup/${jobName}-${targetName}/excludes".text = concatStringsSep "\n" jobOptions.exclude;
}
) jobTargetPairs;
) jobTargetPairs);
targetOptions = { ... }: {
options = {
@@ -106,7 +82,7 @@ let
type = with types; nullOr str;
default = null;
};
serverName = mkOption {
serverUrl = mkOption {
type = types.str;
};
};
@@ -158,6 +134,7 @@ in
systemd.tmpfiles.rules = [
"d /var/cache/restic - - - - -"
];
environment.systemPackages = backupCommands;
environment.systemPackages = [ pkgs.clerie-backup ];
environment.etc = backupConfigs;
};
}

18
modules/monitoring/default.nix
View File

@@ -61,9 +61,6 @@ in
services.prometheus.exporters.node = {
enable = true;
#listenAddress = "${monitoring-network-base}${cfg.id}";
openFirewall = true;
firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9100";
enabledCollectors = [
"systemd"
];
@@ -80,14 +77,10 @@ in
services.prometheus.exporters.bird = mkIf cfg.bird {
enable = true;
openFirewall = true;
firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9324";
};
services.prometheus.exporters.blackbox = mkIf cfg.blackbox {
enable = true;
openFirewall = true;
firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9115";
configFile = pkgs.writeText "blackbox.yml" ''
modules:
icmp6:
@@ -109,8 +102,13 @@ in
listen = "[::]:9152";
};
networking.firewall.extraCommands = ''
ip46tables -A nixos-fw -i wg-monitoring -p tcp -m tcp --dport 9152 -m comment --comment nixos-exporter -j nixos-fw-accept
'';
networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
9100 # node-exporter
9152 # nixos-exporter
] ++ (if cfg.bird then [
9324 # bird-exporter
] else []) ++ (if cfg.blackbox then [
9115 # blackbox-exporter
] else []);
};
}

95
pkgs/clerie-backup/clerie-backup.sh Executable file
View File

@@ -0,0 +1,95 @@
#!/usr/bin/env bash
set -euo pipefail
REPO=
ACTION=
if [[ $# -lt 2 ]]; then
echo "Command not specified"
echo
echo "clerie-backup REPO ACTION"
echo
echo "ACTION: restic,backup"
echo
echo "Available REPOs (/etc/clerie-backup/):"
echo
if [[ -d "/etc/clerie-backup" ]]; then
find "/etc/clerie-backup/" -mindepth 1 -maxdepth 1 -type d -printf "%f\n" | sort -d
fi
exit 1
fi
REPO="$1"
shift
ACTION="$1"
shift
CONFIG_DIR="/etc/clerie-backup/${REPO}"
if [[ ! -d "${CONFIG_DIR}" ]]; then
echo "Config dir ${CONFIG_DIR} for ${REPO} does not exist"
exit 1
fi
ISSUE_EXIST=
if [[ ! -f "${CONFIG_DIR}/repo_password" ]]; then
echo "File ${CONFIG_DIR}/repo_password not found"
ISSUE_EXIST=1
fi
if [[ ! -f "${CONFIG_DIR}/repo_url" ]]; then
echo "File ${CONFIG_DIR}/repo_url not found"
ISSUE_EXIST=1
fi
if [[ ! -f "${CONFIG_DIR}/auth_username" ]]; then
echo "File ${CONFIG_DIR}/auth_username not found"
ISSUE_EXIST=1
fi
if [[ ! -f "${CONFIG_DIR}/auth_password" ]]; then
echo "File ${CONFIG_DIR}/auth_password not found"
ISSUE_EXIST=1
fi
if [[ -n "${ISSUE_EXIST}" ]]; then
exit 1
fi
RESTIC_PASSWORD_FILE="${CONFIG_DIR}/repo_password"
export RESTIC_PASSWORD_FILE
RESTIC_REPOSITORY="rest:$(cat "${CONFIG_DIR}/repo_url")"
export RESTIC_REPOSITORY
RESTIC_REST_USERNAME="$(cat "${CONFIG_DIR}/auth_username")"
export RESTIC_REST_USERNAME
RESTIC_REST_PASSWORD="$(cat "${CONFIG_DIR}/auth_password")"
export RESTIC_REST_PASSWORD
RESTIC_PROGRESS_FPS="0.1"
export RESTIC_PROGRESS_FPS
RESTIC_CACHE_DIR="/var/cache/restic"
export RESTIC_CACHE_DIR
case "${ACTION}" in
restic)
restic "$@"
;;
backup)
ISSUE_EXIST=
if [[ ! -f "${CONFIG_DIR}/excludes" ]]; then
echo "File ${CONFIG_DIR}/excludes not found"
ISSUE_EXIST=1
fi
if [[ ! -f "${CONFIG_DIR}/files" ]]; then
echo "File ${CONFIG_DIR}/files not found"
ISSUE_EXIST=1
fi
if [[ -n "${ISSUE_EXIST}" ]]; then
exit 1
fi
restic snapshots --latest 1 || restic init
restic backup --exclude-file "${CONFIG_DIR}/excludes" --files-from "${CONFIG_DIR}/files"
;;
*)
echo "Unsupported ACTION: ${ACTION}"
exit 1
;;
esac

9
pkgs/clerie-backup/default.nix Normal file
View File

@@ -0,0 +1,9 @@
{ pkgs, ... }:
pkgs.writeShellApplication {
name = "clerie-backup";
text = builtins.readFile ./clerie-backup.sh;
runtimeInputs = with pkgs; [
restic
];
}

5
pkgs/clerie-keys/default.nix
View File

@@ -10,5 +10,8 @@ runCommand "clerie-keys" {
gpg --import-options import-export --armor -o $out/gpg/clerie@clerie.de.asc --import ${../../users/clerie/gpg.asc}
gpg --import-options import-export -o $out/gpg/clerie@clerie.de --import ${../../users/clerie/gpg.asc}
gpg --import-options show-only --with-colons --fingerprint --import ${../../users/clerie/gpg.asc} | awk -F: '$1 == "fpr" {print $10;}' | head -1 > $out/gpg/clerie@clerie.de.fingerprint.txt
gpg --import-options show-only --with-colons --fingerprint --import ${../../users/clerie/gpg.asc} > colons.txt
cat colons.txt | awk -F: '$1 == "fpr" {print $10;}' | head -1 > $out/gpg/clerie@clerie.de.fingerprint.txt
cat colons.txt | awk -F: '$1 == "pub" {print "@", $7;}' | date -f - -Iseconds > $out/gpg/clerie@clerie.de.expires.txt
cat colons.txt | awk '{printf "%s:%s", $0, ($0 ~ /^(pub|sub)/) ? ":" : "\n" }' | awk '$0 ~ /^(pub|sub)/ { print $0}' | awk -F: '{if ($1 == "pub") { fingerprint=$32; keyid=$5 }} {printf "clerie_keys_gpg_key_expire_time{fingerprint=\"%s\", keyid=\"%s\", subkeyfingerprint=\"%s\", subkeykeyid=\"%s\", type=\"%s\"} %s\n", fingerprint, keyid, ($1 == "sub") ? $30 : "", ($1 == "sub") ? $5 : "", $1, $7}' > $out/gpg/clerie@clerie.de.metrics.txt
''

31
pkgs/clerie-sops/clerie-sops-edit.sh
View File

@@ -7,17 +7,19 @@ set -euo pipefail
print_help() {
cat << EOF
clerie-sops-edit <secrets_file> <action> <key>
clerie-sops-edit <secrets_file> <action> <key> [cmd...]
This script allows editing single secrets in a secrets file by key.
<secrets_file> is a sops secrets file
<action> is one of "edit", "read", "set" and "append"
<action> is one of "edit", "cmd", "read", "set" and "append"
<key> is the key of the secret in the secrets file to modify
ACTION "cmd" a command that get passed the decrypted secret in the argument being "{}"
EOF
}
if [[ $# != 3 ]]; then
if [[ $# -lt 3 ]]; then
print_help
exit 1
fi
@@ -33,7 +35,7 @@ fi
ACTION="$2"
if ! echo "edit read set append" | grep -wq "${ACTION}"; then
if ! echo "edit cmd read set append" | grep -wq "${ACTION}"; then
echo "Action \"${ACTION}\" not supported"
echo
print_help
@@ -43,6 +45,15 @@ fi
KEY="$3"
KEY_SELECTOR="$(jq -Rsc '[.]' <(echo -n "${KEY}"))"
if [[ $# -gt 3 && "${ACTION}" != "cmd" ]]; then
print_help
exit 1
fi
shift
shift
shift
if [[ -n $EDITOR ]]; then
EDITOR=vim
fi
@@ -64,6 +75,18 @@ case "${ACTION}" in
edit)
"${EDITOR}" "${TMP_FILE}"
;;
cmd)
CMD=()
while [[ $# -gt 0 ]]; do
if [[ "$1" == "{}" ]]; then
CMD+=("${TMP_FILE}")
else
CMD+=("$1")
fi
shift
done
"${CMD[@]}"
;;
read)
cat "${TMP_FILE}"
;;

4
pkgs/clerie-sops/clerie-sops.nix
View File

@@ -11,6 +11,8 @@ pkgs.writeShellApplication {
if GIT_ROOT=$(git rev-parse --show-toplevel); then
REPO_ROOT="$GIT_ROOT"
fi
exec sops --config <(clerie-sops-config "$REPO_ROOT") "$@"
CONFIG_FILE="$(mktemp)"
clerie-sops-config "$REPO_ROOT" > "$CONFIG_FILE"
exec sops --config "$CONFIG_FILE" "$@"
'';
}

31
pkgs/clerie-system-remote-install/clerie-system-remote-install.sh Executable file
View File

@@ -0,0 +1,31 @@
#!/usr/bin/env bash
set -xeuo pipefail
SYSTEM="$1"
REMOTE_HOST="$2"
REMOTE_ROOT="$3"
nix copy "${SYSTEM}" --to "ssh://${REMOTE_HOST}?remote-store=${REMOTE_ROOT}"
ssh "${REMOTE_HOST}" -- nix-env --store "${REMOTE_ROOT}" -p "${REMOTE_ROOT}/nix/var/nix/profiles/system" --set "${SYSTEM}"
ssh "${REMOTE_HOST}" -- mkdir -p "${REMOTE_ROOT}/tmp"
TMPSH="$(ssh "${REMOTE_HOST}" -- mktemp -p "${REMOTE_ROOT}/tmp")"
# shellcheck disable=SC2087
ssh "${REMOTE_HOST}" -- tee "${TMPSH}" <<EOF
#!/usr/bin/env bash
set -euo pipefail
nix-env --store "${REMOTE_ROOT}" -p "${REMOTE_ROOT}/nix/var/nix/profiles/system" --set "${SYSTEM}"
mkdir -m 0775 -p "${REMOTE_ROOT}/etc"
touch "${REMOTE_ROOT}/etc/NIXOS"
ln -sfn /proc/mounts "${REMOTE_ROOT}/etc/mtab"
NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root "${REMOTE_ROOT}" -c "/run/current-system/bin/switch-to-configuration boot"
EOF
ssh "${REMOTE_HOST}" -- bash "${TMPSH}"

6
pkgs/clerie-system-remote-install/default.nix Normal file
View File

@@ -0,0 +1,6 @@
{ pkgs, ... }:
pkgs.writeShellApplication {
name = "clerie-system-remote-install";
text = builtins.readFile ./clerie-system-remote-install.sh;
}

10
pkgs/clerie-update-nixfiles/clerie-cleanup-branches.nix Normal file
View File

@@ -0,0 +1,10 @@
{ pkgs, ... }:
pkgs.writeShellApplication {
name = "clerie-cleanup-branches";
text = builtins.readFile ./clerie-cleanup-branches.sh;
runtimeInputs = with pkgs; [
git
];
}

7
pkgs/clerie-update-nixfiles/clerie-cleanup-branches.sh Executable file
View File

@@ -0,0 +1,7 @@
#!/usr/bin/env bash
# Removes all branches from origin starting with updated-inputs-* except the 8 newest ones
git fetch origin --prune
git branch -r | sed "s/^ *//g" | grep "^origin/updated-inputs-" | sort | head -n -8 | sed "s/^origin\///g" | xargs git push origin --delete

2
pkgs/clerie-update-nixfiles/clerie-update-nixfiles.sh
View File

@@ -56,7 +56,7 @@ echo "[!] Create branch ${UPDATE_BRANCH}"
xgit checkout -b "${UPDATE_BRANCH}"
echo "[!] Update nixpkgs"
nix flake lock --update-input nixpkgs
nix flake update nixpkgs
echo "[!] Commit changes"
xgit add flake.lock

9
pkgs/feeds-dir/default.nix Normal file
View File

@@ -0,0 +1,9 @@
{ pkgs, ... }:
pkgs.writeShellApplication {
name = "feeds-dir";
text = builtins.readFile ./feeds-dir.sh;
runtimeInputs = with pkgs; [
rainbowrss
];
}

9
pkgs/feeds-dir/feeds-dir.sh Executable file
View File

@@ -0,0 +1,9 @@
#!/usr/bin/env bash
set -euo pipefail
IN_DIR="${1:-.}"
for file in "${IN_DIR}"/*.txt; do
rainbowrss --feeds "${file}" --out "$(basename "${file}" ".txt").html" || true
done

13
pkgs/git-show-link/default.nix Normal file
View File

@@ -0,0 +1,13 @@
{ pkgs, ... }:
pkgs.writeTextFile {
name = "git-show-link";
executable = true;
destination = "/bin/git-show-link";
allowSubstitutes = true;
preferLocalBuild = false;
text = ''
#!${pkgs.python3.withPackages (ps: with ps; [])}/bin/python3
${builtins.readFile ./git-show-link.py}
'';
}

121
pkgs/git-show-link/git-show-link.py Executable file
View File

@@ -0,0 +1,121 @@
#!/usr/bin/env python3
import argparse
from dataclasses import dataclass
import re
import subprocess
REMOTE_TYPES = {
"github": {
"match": re.compile(r'git@github.com:(?P<username>[\w\.-]+)/(?P<project>[\w\.-]+).git'),
"format-branch": lambda g: f"https://github.com/{g.username}/{g.project}/tree/{g.branch}/",
"format-commit": lambda g: f"https://github.com/{g.username}/{g.project}/commit/{g.commit}/",
},
"gitea": {
"match": re.compile(r'(?P<gituser>[\w\.-]+)@(?P<host>[\w\.-]+):(?P<username>[\w\.-]+)/(?P<project>[\w\.-]+).git'),
"format-branch": lambda g: f"https://{g.host}/{g.username}/{g.project}/src/branch/{g.branch}/",
"format-commit": lambda g: f"https://{g.host}/{g.username}/{g.project}/commit/{g.commit}/",
},
}
@dataclass
class FormatArgs:
gituser: str = None
host: str = None
username: str = None
project: str = None
commit: str = None
branch: str = None
def is_git_repo():
s = subprocess.run(["git", "rev-parse"], capture_output=True, text=True)
return s.returncode == 0
def get_remote_branch():
s = subprocess.run(["git", "status", "--porcelain", "-uno", "-b", "--no-ahead-behind"], capture_output=True, text=True)
git_status_branch_info = s.stdout.splitlines()[0][3:].split()[0]
branches = git_status_branch_info.split("...")
if len(branches) != 2:
raise Exception("no branch name found")
local_branch, remote_branch = branches
remote, branch = remote_branch.split("/", maxsplit=1)
return {
"remote": remote,
"branch": branch,
}
def get_remote_url(remote):
s = subprocess.run(["git", "remote", "get-url", remote], capture_output=True, text=True)
remote_url = s.stdout.strip()
return remote_url
def get_last_commit():
s = subprocess.run(["git", "rev-parse", "HEAD"], capture_output=True, text=True)
commit = s.stdout.strip()
return commit
def main():
parser = argparse.ArgumentParser(
prog='git-show-link',
)
parser.add_argument("--branch", dest="display_branch", action='store_true', help="Display link to branch, instead to commit")
parser.add_argument("--remote-type", dest="remote_type", choices=REMOTE_TYPES.keys(), help="Specify remote type")
args = parser.parse_args()
if not is_git_repo():
print("Not a git repo")
exit(1)
r = get_remote_branch()
remote_url = get_remote_url(r["remote"])
selected_remote_types = REMOTE_TYPES
if args.remote_type is not None:
selected_remote_types = {
args.remote_type: REMOTE_TYPES[args.remote_type],
}
remote_type_found = False
for remote_type_name, remote_type in selected_remote_types.items():
m = remote_type["match"].match(remote_url)
if m is None:
continue
remote_type_found = True
g = FormatArgs(**m.groupdict())
if args.display_branch:
g.branch = r["branch"]
print(remote_type["format-branch"](g))
else:
commit = get_last_commit()
g.commit = commit
print(remote_type["format-commit"](g))
break
if not remote_type_found:
print("No remote type matched")
exit(1)
if __name__ == "__main__":
main()

30
pkgs/iot-data/default.nix
View File

@@ -1,30 +0,0 @@
{
pkgs,
buildPythonPackage,
flask,
python3,
}:
let
src = pkgs.fetchgit {
url = "https://git.clerie.de/clerie/iot-data.git";
rev = "f60e3a3f89549b4ce88df20888c08a01062d086a";
sha256 = "sha256-D8wusJfYbOkL/Nq6yfYBvhnkBmRcDktORicUpDsIrUE=";
};
pname = "iot-data";
version = "0.0.1";
in buildPythonPackage rec {
inherit src pname version;
propagatedBuildInputs = [
flask
];
postInstall = ''
mkdir -p $out/${python3.sitePackages}/iot_data
'';
doCheck = false;
}

47
pkgs/nixfiles/nixfiles-generate-backup-secrets.sh
View File

@@ -4,17 +4,50 @@ set -euo pipefail
cd "$(git rev-parse --show-toplevel)"
if [[ $# -eq 0 || $# -gt 2 ]]; then
echo "Usage: nixfiles-generate-backup-secrets HOST [--configure-host]"
echo
echo " --configure-host"
echo " Directly sets the secrets in the hosts secret store"
exit 1
fi
host="$1"
CONFIGURE_HOST=
if [[ $# -eq 2 ]]; then
if [[ "$2" == "--configure-host" ]]; then
if [[ ! -f "hosts/${host}/secrets.json" ]]; then
echo "Host ${host} does not have a secrets file, can't configure"
exit 1
fi
CONFIGURE_HOST=1
else
echo "Unknown option $2"
exit 1
fi
fi
job_main="$(pwgen -1 64 1)"
target_cyan="$(pwgen -1 64 1)"
target_cyan_htpasswd="$(htpasswd -nbB "${host}" "${target_cyan}")"
target_magenta="$(pwgen -1 64 1)"
target_magenta_htpasswd="$(htpasswd -nbB "${host}" "${target_magenta}")"
echo "$job_main" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-job-main"
echo "$target_cyan" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-cyan"
echo "$target_magenta" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-magenta"
echo "${target_cyan}" | clerie-sops-edit "hosts/clerie-backup/secrets.json" cmd "restic-server-cyan-htpasswd" htpasswd -iB "{}" "${host}"
echo "${target_magenta}" | clerie-sops-edit "hosts/backup-4/secrets.json" cmd "restic-server-magenta-htpasswd" htpasswd -iB "{}" "${host}"
echo "${target_cyan_htpasswd}" | clerie-sops-edit "hosts/clerie-backup/secrets.json" append "restic-server-cyan-htpasswd"
echo "$target_magenta_htpasswd" | clerie-sops-edit "hosts/backup-4/secrets.json" append "restic-server-magenta-htpasswd"
echo "Repo password main: ${job_main}"
echo
echo "URL cyan: https://cyan.backup.clerie.de/${host}/main"
echo "Auth username cyan: ${host}"
echo "Auth password cyan: ${target_cyan}"
echo
echo "URL magenta: https://magenta.backup.clerie.de/${host}/main"
echo "Auth username magenta: ${host}"
echo "Auth password magenta: ${target_magenta}"
if [[ -n "${CONFIGURE_HOST}" ]]; then
echo "$job_main" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-job-main"
echo "$target_cyan" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-cyan"
echo "$target_magenta" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-magenta"
fi

28
pkgs/overlay.nix
View File

@@ -1,27 +1 @@
final: prev: {
clerie-keys = final.callPackage ./clerie-keys {};
clerie-system-upgrade = final.callPackage ./clerie-system-upgrade/clerie-system-upgrade.nix {};
clerie-merge-nixfiles-update = final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
clerie-sops = final.callPackage ./clerie-sops/clerie-sops.nix {};
clerie-sops-config = final.callPackage ./clerie-sops/clerie-sops-config.nix {};
clerie-sops-edit = final.callPackage ./clerie-sops/clerie-sops-edit.nix {};
clerie-update-nixfiles = final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
chromium-incognito = final.callPackage ./chromium-incognito {};
factorio-launcher = final.callPackage ./factorio-launcher {};
git-checkout-github-pr = final.callPackage ./git-checkout-github-pr {};
git-diff-word = final.callPackage ./git-diff-word {};
git-pp = final.callPackage ./git-pp {};
iot-data = final.python3.pkgs.callPackage ./iot-data {};
nix-remove-result-links = final.callPackage ./nix-remove-result-links {};
nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
print-afra = final.callPackage ./print-afra {};
run-with-docker-group = final.callPackage ./run-with-docker-group {};
ssh-gpg = final.callPackage ./ssh-gpg {};
update-from-hydra = final.callPackage ./update-from-hydra {};
uptimestatus = final.python3.pkgs.callPackage ./uptimestatus {};
xmppc = import ./overrides/xmppc.nix final prev;
}
final: prev: builtins.mapAttrs (name: value: value final prev) (import ./pkgs.nix)

10
pkgs/overrides/dino.nix Normal file
View File

@@ -0,0 +1,10 @@
final: prev:
prev.dino.overrideAttrs (finalAttrs: prevAttrs: {
patches = [
(final.fetchpatch {
# in new chats, enable omemo by default
url = "https://cyberchaos.dev/-/snippets/25/raw/main/omemo-default.patch";
hash = "sha256-WXu9R+SKexgSQ93sQfFXG2CIboW3pYe5d1nsiP07wtE=";
})
];
})

32
pkgs/pkgs.nix Normal file
View File

@@ -0,0 +1,32 @@
{
clerie-backup = final: prev: final.callPackage ./clerie-backup {};
clerie-cleanup-branches = final: prev: final.callPackage ./clerie-update-nixfiles/clerie-cleanup-branches.nix {};
clerie-keys = final: prev: final.callPackage ./clerie-keys {};
clerie-system-remote-install = final: prev: final.callPackage ./clerie-system-remote-install {};
clerie-system-upgrade = final: prev: final.callPackage ./clerie-system-upgrade/clerie-system-upgrade.nix {};
clerie-merge-nixfiles-update = final: prev: final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
clerie-sops = final: prev: final.callPackage ./clerie-sops/clerie-sops.nix {};
clerie-sops-config = final: prev: final.callPackage ./clerie-sops/clerie-sops-config.nix {};
clerie-sops-edit = final: prev: final.callPackage ./clerie-sops/clerie-sops-edit.nix {};
clerie-update-nixfiles = final: prev: final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
chromium-incognito = final: prev: final.callPackage ./chromium-incognito {};
factorio-launcher = final: prev: final.callPackage ./factorio-launcher {};
feeds-dir = final: prev: final.callPackage ./feeds-dir {};
git-checkout-github-pr = final: prev: final.callPackage ./git-checkout-github-pr {};
git-diff-word = final: prev: final.callPackage ./git-diff-word {};
git-pp = final: prev: final.callPackage ./git-pp {};
git-show-link = final: prev: final.callPackage ./git-show-link {};
nix-remove-result-links = final: prev: final.callPackage ./nix-remove-result-links {};
nixfiles-auto-install = final: prev: final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
nixfiles-generate-config = final: prev: final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
nixfiles-generate-backup-secrets = final: prev: final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
nixfiles-update-ssh-host-keys = final: prev: final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
print-afra = final: prev: final.callPackage ./print-afra {};
run-with-docker-group = final: prev: final.callPackage ./run-with-docker-group {};
ssh-gpg = final: prev: final.callPackage ./ssh-gpg {};
update-from-hydra = final: prev: final.callPackage ./update-from-hydra {};
uptimestatus = final: prev: final.python3.pkgs.callPackage ./uptimestatus {};
dino = final: prev: import ./overrides/dino.nix final prev;
xmppc = final: prev: import ./overrides/xmppc.nix final prev;
}

11
pkgs/pull-scans/pull-scan.sh Executable file
View File

@@ -0,0 +1,11 @@
#!/usr/bin/env bash
TMP=$(mktemp -d)
scp "carbon.net.clerie.de:/var/lib/scan-to-gpg/*.asc" "${TMP}"
find "${TMP}" -iname "*.asc" | gpg --decrypt-files
find "${TMP}" -mindepth 1 -not -iname "*.asc" -type f | xargs mv -t .
rm -r "${TMP}"

8
pkgs/uptimestatus/default.nix
View File

@@ -3,7 +3,7 @@
buildPythonPackage,
flask,
requests,
python3,
python,
}:
let
@@ -25,9 +25,9 @@ in buildPythonPackage rec {
];
postInstall = ''
mkdir -p $out/${python3.sitePackages}/uptimestatus
cp -r uptimestatus/static $out/${python3.sitePackages}/uptimestatus/static
cp -r uptimestatus/templates $out/${python3.sitePackages}/uptimestatus/templates
mkdir -p $out/${python.sitePackages}/uptimestatus
cp -r uptimestatus/static $out/${python.sitePackages}/uptimestatus/static
cp -r uptimestatus/templates $out/${python.sitePackages}/uptimestatus/templates
'';
doCheck = false;

22
profiles/common-dns/default.nix Normal file
View File

@@ -0,0 +1,22 @@
{ config, lib, ... }:
with lib;
{
options.profiles.clerie.common-dns = {
enable = mkEnableOption "Common dns config";
};
config = mkIf config.profiles.clerie.common-dns.enable {
# Use systemd-resolved everywhere
services.resolved.enable = true;
# Do not use any DNS servers as fallback
services.resolved.fallbackDns = [];
networking.networkmanager.dns = "systemd-resolved";
};
}

24
profiles/common-networking/default.nix Normal file
View File

@@ -0,0 +1,24 @@
{ config, lib, ... }:
with lib;
{
options.profiles.clerie.common-networking = {
enable = mkEnableOption "Common networking config";
};
config = mkIf config.profiles.clerie.common-networking.enable {
# Disable scripted network
networking.useDHCP = false;
# Enable systemd-networkd
systemd.network.enable = true;
# Don't wait for online, if NetworkManger is running too
systemd.network.wait-online = mkIf (config.networking.networkmanager.enable == true) {
enable = false;
};
};
}

18
profiles/common/default.nix Normal file
View File

@@ -0,0 +1,18 @@
{ config, lib, ... }:
with lib;
{
options.profiles.clerie.common = {
enable = mkEnableOption "Cleries common config";
};
config = mkIf config.profiles.clerie.common.enable {
profiles.clerie.common-dns.enable = mkDefault true;
profiles.clerie.common-networking.enable = mkDefault true;
};
}

Some files were not shown because too many files have changed in this diff Show More