Compare commits


3 Commits

Author SHA1 Message Date
Astro 287989d19c overlays/plume: version all the packages 2023-12-04 03:26:28 +01:00
Astro 4694ce0d08 overlays/plume: fix 2023-12-04 03:12:08 +01:00
Astro 039b56b833 flake.nix: upgrade nixos 23.05 -> 23.11 2023-12-04 03:09:52 +01:00
94 changed files with 2411 additions and 14087 deletions

3
.gitattributes vendored

@ -1,2 +1 @@
# see https://github.com/getsops/sops/blob/main/README.rst#47showing-diffs-in-cleartext-in-git how to use this
*.yaml diff=sops
*/**.yaml diff=sops

1
.gitignore vendored

@ -2,4 +2,3 @@
*.retry
result
result-*
/hosts/mediawiki/MediaWikiExtensionsComposer/


@ -3,7 +3,6 @@ keys:
- &admins
- DD0998E6CDF294537FC604F991FA5E5BF9AA901C # 0xA
- A5EE826D645DBE35F9B0993358512AE87A69900F # astro
- 8F79E6CD6434700615867480D11A514F5095BFA8 # dennis
- 4F9F44A64CC2E438979329E1F122F05437696FCE # poelzi
- 91EBE87016391323642A6803B966009D57E69CC6 # revol-xut
- 53B26AEDC08246715E15504B236B6291555E8401 # sandro
@ -12,24 +11,27 @@ keys:
- &users
- A5EE826D645DBE35F9B0993358512AE87A69900F # astro
- 8F79E6CD6434700615867480D11A514F5095BFA8 # dennis
- 53B26AEDC08246715E15504B236B6291555E8401 # sandro
- 9580391316684474BFBD41EC3E8C55248C19AF2A # xyrill
- &polygon-snowflake age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c # polygon
# Generate AGE keys from SSH keys with:
# nix-shell -p ssh-to-age --run 'ssh some.serv.zentralwerk.org cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
- &activity-relay age1a8k72egc2vg4jn445wwcr0a68y9xu5ft68s2xwehugs5sjawpv4q5nnrmy
# nix shell nixpkgs#ssh-to-age
# ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub
- &auth age1y7lxpxskqclwqluft2ct2c3u8weehus6t8evwk7cdnpakxzgcquspn827x
- &activity-relay age1a8k72egc2vg4jn445wwcr0a68y9xu5ft68s2xwehugs5sjawpv4q5nnrmy
- &bind age1hfzpctkk5tz0ddc86ul9t0nf8c37jtngawepvgxk5rxlvv938vusx4kuc6
- &blogs age1lccjvj9z8de4hfrdeumm9eu7awef4d9jygv3w7zdash3fhv6e53quy53wz
- &broker age1dj0d0339f4law7qvuzcv2fs6sf8why63s3l8tja0f8vsj7wefcds9drvte
- &buzzrelay age1j2euh5qt4a7cvx0t93uj4n9t8y8tkv9h3nefszc6g2q7t7gvngxswhrve0
- &c3d2-web age18h6vmfduhmj28wxdgur8wugn7scm5vwvwkj5sr4f7nl0czr2zvaqscsdsv
- &caveman age13dl5qjzddaazmquf7zfecru5tr4ld8l8xd7xpmhaqqzmchpua4usswqykd
- &dacbert age1g2ewsxcu5uqlesaznp2qwlcz8w66pxh4qxkul8wu7x8g2hw83saqxynpyk
- &dacbert age1hg0mmua5y82ct7l6q9gpc8w940ce5seqcjhm4dgx7tlzvflznyas7v3hf4
- &direkthilfe age1qe8wvy8kdmfdxh505apkqnnquqgtvykd6x6qlxmzqp93cv6wjy4qlu5mpj
- &dn42 age1726t33dl7pv3xrxxlafj2sexh7c0jm8pza84yu6l3wpz3fw5dauqxlass3
- &drone age1w6u8zjfya63q9rjfll98eegnfdsvyaspnwn802t2mxh47gt8p30q0kn898
- &factorio age1av4ww0zzyas0egzwkpdaj4crwz3vwnhpq0nfez2zad4me38zss7sjz5kw2
- &freifunk age17rrjtdgzzwgjatyqqv27pftx42t8xhksls46jc3f78juzw4g04vsd7lr7e
- &ftp age1lkr5rkf3z0976g8snmznf755gnexhjkwpzsw8xxwyesqmneawa4qgsqx77
- &gitea age12n5k6c4rxp4mjnexw9uw83yp34sallt44kldupfmxr2xkppj8a8sdsmv8h
@ -40,34 +42,35 @@ keys:
- &home-assistant age1l2tld2cttpkj4vpuh9hm4xjwq94rmf8vukjgvdzcvwwtze6k6s6qjf0s5r
- &hydra age1px8sjpcmnz27ayczzu883n0p5ad34vnzj6rl9y2eyye546v0m3dqfqx459
- &jabber age1tnq862ekxepjkes6efr282uj9gtcsqru04s5k0l2enq5djxyt5as0k0c2a
- &knot age1hfzpctkk5tz0ddc86ul9t0nf8c37jtngawepvgxk5rxlvv938vusx4kuc6
- &mail age15t7hj27j6ccs8u7mfz8su3aa74g4dxp4crkgc3c0rs28hct7q4ssgk8zcm
- &leon age1cm0cjk2764s4pv5g7e67as34g9xtcltex96ga87wckndw62wqqlsvkscqc
- &leoncloud age1aw9s4kcd6ys64ddzzfya9ajzln2tv8pm9uvz6d85v0r6eq4dudqq5vts86
- &mailtngbert age1jr5mc4ekmjf4uk2ue4xcuy0yl202phlu2t6c544qfj45ahzag56s4d0kzj
- &mastodon age1dcpd6u4psq3hehjyjrt3s7kzmnvxd20vsc8urjcdv6anr5v7ky2sq9rhtt
- &matemat age15vmz2evhnkn26fyt4vqvgztfrsr2s8qavd2m6zfjmkh84q2g75csnc5kr6
- &matrix age1s2ww76ll6nclz74gny27tk42xfsepl23z2k0849a8jv8xpnmpe3shgunxr
- &mediawiki age1xjvep7hsnfefgxvuwall8nq0486qu8yknhzwhf0cskw5xlpm8qws9txc56
- &mobilizon age182ms3ygypflk7mtpemp4k4ks9rz4gwhvzc9jlk95u4py5q68ppxstzu2e3
- &mucbot age1qen44cx5sx0y299zl93cz3tflx8agt8y9vtm0d4uxw42t9gyecdsw9jade
- &mucbot age1cqeh03zq0hvz5l78r678q93ey5mlw49lqy4whvgqxgenudth7g6skee6kh
- &nfsroot age18yxgwpakrkzq8ca2enayf79py25se3d8dsed2q523869re30jcaqx6rjln
- &nncp age15853dr2kd6r2329tkcanwnruh6zd2xvsu5twc7gnxeyu3h7t6q5scckaq8
- &oparl age14aq8fscrwkgmu5yv86vj7p7kmxclzs6dp7fpvdhvrnmce83ztphqc4mr9q
- &owncast age1cp9gsuyfu52exk0hr3fvj404v5njhahakzwlugwtneyrs4vgdyaq0sg92f
- &pretalx age1u6xeayzwfdj9l0mg3f4xvjd8e9nemz5psqavauvacjgp2nku95yqc4f29s
- &prometheus age13xhxqulvswuckmpkmy2fgeqd5jx0ar8e2hst33leljt69r6hsvnsrdw63k
- &public-access-proxy age1xcj6peyaf5xvj2673vl9j0z7supwtw7hzuk782zk7gt69k2ykytqe65mg5
- &pulsebert age12hdk2stter0cjexxwx3sqn9wx3vmptkxszvx7knq9zgm9uqzjs7suvkcqu
- &radiobert age1lga6hjmxa95fmtdn3frlmy64ej3hyswxrcuz25qvw0kfsxkqeugs8gjw8q
- &riscbert age148d87gqw59lmst5jv3vynhsu3tv4t4sj49s4lktvnplfcrjq2y5sjcwsu8
- &scrape age1p60rg45qrzpv2hcfzxl8d8k9afkk7dtrhr98cngeyuhlega83ynssmtx5k
- &sdrweb age1makkpv2t74lxmw0nk6m89nespva7j700pmt83pl5a4ldtj2k8fzqakw8h7
- &server10 age15qj8latetnrmgzd7krq02y65kn7lhq2pcwv8cvzej2783u5a9scqs79nmf
- &server6 age15tyk8zlm2v3fkv9gsdm9g75eeef23358wrddeg3slpu2vjncj96q8lu6x5
- &server7 age1xd8x0m27zhvvsm7rq2amtu3a4nvpfnlcdgp9tqt3g47hfzchsa9svgmemz
- &server8 age12jcu0jtw7m96evxnd0vu6lvsm8uswslrdhxd2u655vjrwhljmqdsptry37
- &server9 age15vrlmtckjf4j242juw7l5e0s6eunn67ejr9acaztnl3tmvwpufrsevntva
- &server10 age15qj8latetnrmgzd7krq02y65kn7lhq2pcwv8cvzej2783u5a9scqs79nmf
- &spaceapi age125k9uyqw5ae5jqkfsak4d6c6rcx9q63ywuusk62pmxdnhwzqxgqq2jsau7
- &storage-ng age1qjvds58pedjdk9rj0yqfvad4xhpteapr9chvfucwcgwrsr8n7axqyhg2vu
- &stream age14h2npkt6m40ewkkaee7zx49redew5rjsjpm70qhka8cwkekmspqqpspy4g
- &storage-ng age1qjvds58pedjdk9rj0yqfvad4xhpteapr9chvfucwcgwrsr8n7axqyhg2vu
- &ticker age1kdrpaqsy7gdnf80fpq6qrrc98nqjuzzlqx955uk2pkky3xcxky8sw9cdjl
- &vaultwarden age1xs22728ltpl3yh8hzvwt4g3gk8uc32lg8cqh86fp5d8c2jlvp3gshmejun
- &prometheus age13xhxqulvswuckmpkmy2fgeqd5jx0ar8e2hst33leljt69r6hsvnsrdw63k
creation_rules:
- path_regex: modules/backup\.yaml$
@ -86,17 +89,14 @@ creation_rules:
- *home-assistant
- *hydra
- *jabber
- *mail
- *mailtngbert
- *mastodon
- *matemat
- *matrix
- *mediawiki
- *mobilizon
- *owncast
- *pretalx
- *sdrweb
- *ticker
- *vaultwarden
- *polygon-snowflake
- path_regex: modules/cluster/[^/]+\.yaml$
@ -104,6 +104,8 @@ creation_rules:
- pgp: *admins
age:
- *hydra
- *server6
- *server7
- *server8
- *server9
- *server10
@ -115,12 +117,15 @@ creation_rules:
age:
- *polygon-snowflake
- *auth
- *bind
- *blogs
- *broker
- *buzzrelay
- *c3d2-web
- *dacbert
- *direkthilfe
- *dn42
- *factorio
- *freifunk
- *ftp
- *gitea
@ -130,8 +135,9 @@ creation_rules:
- *hedgedoc
- *hydra
- *jabber
- *knot
- *mail
- *leon
- *leoncloud
- *mailtngbert
- *mastodon
- *matemat
- *matrix
@ -139,7 +145,6 @@ creation_rules:
- *mucbot
- *nfsroot
- *oparl
- *pretalx
- *prometheus
- *public-access-proxy
- *pulsebert
@ -147,14 +152,15 @@ creation_rules:
- *riscbert
- *scrape
- *sdrweb
- *server6
- *server7
- *server8
- *server9
- *server10
- *spaceapi
- *storage-ng
- *stream
- *storage-ng
- *ticker
- *vaultwarden
- path_regex: hosts/activity-relay/secrets\.yaml$
key_groups:
@ -170,11 +176,11 @@ creation_rules:
- *auth
- *polygon-snowflake
- path_regex: hosts/knot/secrets\.yaml$
- path_regex: hosts/bind/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *knot
- *bind
- *polygon-snowflake
- path_regex: hosts/blogs/secrets\.yaml$
@ -288,13 +294,17 @@ creation_rules:
- *jabber
- *polygon-snowflake
- path_regex: hosts/mail/secrets\.yaml$
- path_regex: hosts/mailtngbert/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *mail
- *mailtngbert
- *polygon-snowflake
- path_regex: hosts/mastodon/accounts\.yaml$
key_groups:
- pgp: *users
- path_regex: hosts/mastodon/secrets\.yaml$
key_groups:
- pgp: *admins
@ -329,14 +339,6 @@ creation_rules:
age:
- *mobilizon
- *polygon-snowflake
- path_regex: hosts/mucbot/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *mucbot
- *polygon-snowflake
- path_regex: hosts/oparl/secrets\.yaml$
key_groups:
- pgp: *admins
@ -351,20 +353,6 @@ creation_rules:
- *owncast
- *polygon-snowflake
- path_regex: hosts/pretalx/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *pretalx
- *polygon-snowflake
- path_regex: hosts/sdrweb/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *sdrweb
- *polygon-snowflake
- path_regex: hosts/radiobert/secrets\.yaml$
key_groups:
- pgp: *admins
@ -372,11 +360,18 @@ creation_rules:
- *radiobert
- *polygon-snowflake
- path_regex: hosts/scrape/secrets\.yaml$
- path_regex: hosts/server6/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *scrape
- *server6
- *polygon-snowflake
- path_regex: hosts/server7/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *server7
- *polygon-snowflake
- path_regex: hosts/server8/secrets\.yaml$
@ -427,10 +422,3 @@ creation_rules:
age:
- *stream
- *polygon-snowflake
- path_regex: hosts/vaultwarden/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *vaultwarden
- *polygon-snowflake
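Review bot: The recipient changes in this file only apply to files encrypted afterwards, and nothing here records that the existing `secrets.yaml` files must be re-wrapped. The `&admins` hunk header (`-3,7 +3,6`) indicates one PGP fingerprint fewer on the new side, `&dacbert` and `&mucbot` each appear with two different age keys, and `&knot`/`&bind` carry the same key under two names. This rendering has lost the `+`/`-` column, so which entry of each pair is current should be checked against the raw diff. Files already committed keep their old recipient stanzas until `sops updatekeys` is run on them, and for a recipient that is dropped rather than replaced the old ciphertext stays readable from git history, so those secrets need rotating as well. I would add a comment above `creation_rules:` such as `# after changing recipients: run sops updatekeys on every matching file and rotate secrets a removed key could read`.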


@ -34,7 +34,6 @@ If you want to have an additional backport, cherry-pick or other change, please
### nixos-modules repo
The nixos-modules repo lives at <https://github.com/supersandro2000/nixos-modules> and is mirrored to <https://gitea.c3d2.de/c3d2/nixos-modules>.
Auto generated documentation about all options is available at <https://supersandro2000.github.io/nixos-modules/>.
It contains options sandro shares between his private nixos configs and the C3D2 one.
It sets many options by default and when searching for a particular setting you should always grep this repo, too.
In question ask sandro and consider improving the documentation about this with comments and readme explanations.
@ -267,7 +266,7 @@ For the deployment options take a look at [deployment](https://gitea.c3d2.de/c3d
Set the `disko` options for the machine and run:
```shell
$(nix build --print-out-paths --no-link -L '.#nixosConfigurations.HOSTNAME.config.system.build.disko')
$(nix build --print-out-paths --no-link -L '.#nixosConfigurations.HOSTNAME.config.system.build.diskoNoDeps')
```
When adding new disks the paths under ``/dev/disk/by-id/`` should be used, so that the script is idempotent across device restarts.


@ -1,4 +1,4 @@
{ config, hostRegistry, lib, nixos, pkgs, ssh-public-keys, zentralwerk, ... }:
{ config, lib, nixos, pkgs, ssh-public-keys, zentralwerk, ... }:
# this file contains default configuration that may be turned on depending on other config settings.
# options should go to modules.
@ -16,17 +16,13 @@
];
boot = {
enableContainers = false; # should be enabled explicitly
loader.systemd-boot = {
configurationLimit = lib.mkDefault 10;
editor = false;
graceful = true;
};
tmp.cleanOnBoot = true;
kernel.sysctl = {
"kernel.panic" = 60; # reset 60 seconds after a kernel panic
"net.ipv4.tcp_congestion_control" = "bbr";
};
tmp.cleanOnBoot = true;
# recommend to turn off, only on by default for backwards compatibility
zfs.forceImportRoot = false;
};
c3d2 = {
@ -39,12 +35,6 @@
documentation.enable = false;
environment = {
etc."resolv.conf" = lib.mkIf (!config.services.resolved.enable) {
text = lib.concatMapStrings (ns: ''
nameserver ${ns}
'') config.networking.nameservers;
};
gnome.excludePackages = with pkgs; with gnome; [
baobab
cheese
@ -61,14 +51,11 @@
totem
yelp # less webkitgtk's
];
interactiveShellInit = /* sh */ ''
# raise some awareness torwards failed services
systemctl --no-pager --failed || true
'';
noXlibs = !config.services.xserver.enable;
systemPackages = with pkgs; [
bmon
curl
@ -78,24 +65,10 @@
git
htop
iotop
(iproute2.overrideAttrs ({ configureFlags ? [], src, ... }: let
version = "6.8.0";
in {
inherit version;
src = pkgs.fetchurl {
url = "mirror://kernel/linux/utils/net/iproute2/iproute2-${version}.tar.xz";
hash = "sha256-A6bMo9cakI0fFfe0lb4rj+hR+UFFjcRmSQDX9F/PaM4=";
};
configureFlags = configureFlags ++ [
"--color" "auto"
];
}))
jq
lsof # to find lingering nix processes locking files in nix store
mtr
pv
ripgrep
rsync
screen
strace
tcpdump
@ -115,27 +88,11 @@
];
};
networking = {
firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [
# proxy protocol used by public-access-proxy
8080
8443
];
nameservers = with hostRegistry.dnscache; [
ip4
ip6
] ++ (if config.services.resolved.enable then [
"9.9.9.9#dns.quad9.net"
"1.1.1.1#cloudflare-dns.com"
] else [
"9.9.9.9"
"1.1.1.1"
]);
useHostResolvConf = lib.mkIf (!config.services.resolved.enable) true;
};
# TODO: drop when https://github.com/Mic92/sops-nix/pull/555 is merged
sops.environment.SOPS_GPG_EXEC = lib.getExe (pkgs.gnupg.override { enableMinimal = true; });
networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [
# proxy protocol used by public-access-proxy
8080
8443
];
nix = {
deleteChannels = true;
@ -153,13 +110,12 @@
];
registry.nixpkgs.flake = nixos;
settings = {
extra-experimental-features = "ca-derivations";
# if a download from hydra fails, we want to stop and retry it, instead of building it
fallback = false;
trusted-public-keys = [
"nix-cache.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
];
stalled-download-timeout = 30; # in case hydra is not reachable fail faster
stalled-download-timeout = 60; # in case hydra is not reachable fail faster
# don't self feed hydra
substituters = lib.mkIf (config.networking.hostName != "hydra") (
lib.mkBefore [ "https://nix-cache.hq.c3d2.de" ]
@ -188,7 +144,7 @@
tmux = {
enable = true;
historyLimit = 50000;
extraConfig = /* tmux */ ''
extraConfig = ''
# mouse control
set -g mouse on
@ -226,10 +182,7 @@
hedgedoc.ldap.userGroup = "hedgedoc-users";
home-assistant.ldap = {
adminGroup = "home-assistant-admins";
userGroup = "home-assistant-users";
};
home-assistant.ldap.userGroup = "home-assistant-users";
hydra.ldap = {
roleMappings = [
@ -266,7 +219,6 @@
# Required for deployment and sops
enable = true;
settings = {
AcceptEnv = "SYSTEMD_PAGER";
LoginGraceTime = 30; # throw out unauthenticated connections earlier than the 120 default
PasswordAuthentication = lib.mkIf (!config.c3d2.k-ot.enable) false;
PermitRootLogin = lib.mkOverride 900 "prohibit-password";
@ -279,15 +231,12 @@
internalIp6 = hosts6.up4.auth;
ldapPreset = true;
# those can't be under hosts/*/default.nix because those are not imported for the auth microvm
seedSettings.groups = map (n: {
long_name = n;
name = lib.toLower (lib.replaceStrings [" "] ["-"] n);
permissions = { };
}) [
"Mail Users"
"Mobilizon Users"
"Vaultwarden Users"
"Vaultwarden Social Media Accounts"
seedSettings.groups = [
{
long_name = "Mobilizon Users";
name = "mobilizon-users";
permissions = {};
}
];
};
@ -318,9 +267,6 @@
'';
systemd = {
# don't kick us out if one disk is missing
enableEmergencyMode = false;
# maybe set enable = false instead?
network.wait-online.anyInterface = true;
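Review bot: The `networking.firewall.allowedTCPPorts` entry in the `@ -115,27 +88,11 @@` hunk opens 8080 and 8443 from any source on every host with nginx enabled, although its comment says these ports carry the proxy protocol for public-access-proxy. A PROXY-protocol listener takes the client address from the connection preamble, so any peer that can reach these ports decides which address lands in logs and in IP-based access rules. The nginx side is not visible here, so whether `set_real_ip_from` already narrows this is unconfirmed. I would limit both ports to the proxy's address in the firewall and extend the comment to `# proxy protocol used by public-access-proxy; must only be reachable from that host`. The page has dropped the `+`/`-` column, so taking the short `networking.firewall.allowedTCPPorts = …` form as the new side rests on the hunk's line counts.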


@ -103,22 +103,6 @@
"url": "https://gitea.c3d2.de/astro/bevy-mandelbrot.git"
}
},
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"buzzrelay": {
"inputs": {
"naersk": [
@ -132,11 +116,11 @@
]
},
"locked": {
"lastModified": 1714004061,
"narHash": "sha256-gvRG8CkCFxQ3jqdiU+O6s9YdZRTPU53yK7XmEwPO3mk=",
"lastModified": 1701026248,
"narHash": "sha256-kr4tV1Y35TuKWs9gcHDpq+aJxsT0gUBIGjL5iUCQvs8=",
"owner": "astro",
"repo": "buzzrelay",
"rev": "c5fddfba89fd2d8dd7f415248a8ed878ffdb1f10",
"rev": "2e39f284ad0585be8f0aaa820121ea633a856271",
"type": "github"
},
"original": {
@ -150,16 +134,16 @@
"nixos-modules": [
"nixos-modules"
],
"nixpkgs": [
"nixpkgs-lib": [
"nixos"
]
},
"locked": {
"lastModified": 1710844300,
"narHash": "sha256-pSP6v7VqWWWgekbYnASTrZXgOW270I7MoDIXLz960KY=",
"lastModified": 1698539257,
"narHash": "sha256-7ql+k40kLpaB41cUzkw0/Ww1ujSYlvG9AEXBi8Nk6r8=",
"ref": "refs/heads/master",
"rev": "319dffc67b5c17c98d3ab77959568fc2b7c46513",
"revCount": 62,
"rev": "c822e0c34fac14b6d037ada62e74af09a4bcea40",
"revCount": 41,
"type": "git",
"url": "https://gitea.c3d2.de/c3d2/nix-user-module.git"
},
@ -184,11 +168,11 @@
]
},
"locked": {
"lastModified": 1713402078,
"narHash": "sha256-gFkpX4PA5hEmuvQxZX+TWBOdIGmwzOXs5bgGAwOEdvA=",
"lastModified": 1699655581,
"narHash": "sha256-NYrnxvrliFrq/izZiusrfIiC5cT3vAaoSqVgKpaVr4U=",
"ref": "main",
"rev": "bc45f3513e952e95660c2e063e7a2a79b350b024",
"revCount": 347,
"rev": "03968b9cbbc279913337ab45a1abaa2a93cdf61d",
"revCount": 338,
"type": "git",
"url": "https://gitea.c3d2.de/astro/caveman.git"
},
@ -225,11 +209,11 @@
]
},
"locked": {
"lastModified": 1714612856,
"narHash": "sha256-W7+rtMzRmdovzndN2NYUv5xzkbMudtQ3jbyFuGk0O1E=",
"lastModified": 1700927249,
"narHash": "sha256-iqmIWiEng890/ru7ZBf4nUezFPyRm2fjRTvuwwxqk2o=",
"owner": "nix-community",
"repo": "disko",
"rev": "d57058eb09dd5ec00c746df34fe0a603ea744370",
"rev": "3cb78c93e6a02f494aaf6aeb37481c27a2e2ee22",
"type": "github"
},
"original": {
@ -238,28 +222,6 @@
"type": "github"
}
},
"dns-nix": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": [
"zentralwerk",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703643450,
"narHash": "sha256-EUUF5oxFFPX/etKm0FNQg+7MPHQlNjmM1XhNgyDf7A0=",
"owner": "SuperSandro2000",
"repo": "dns.nix",
"rev": "70dcce71560d4253f63812fa36dee994c81ae814",
"type": "github"
},
"original": {
"owner": "SuperSandro2000",
"repo": "dns.nix",
"type": "github"
}
},
"fenix": {
"inputs": {
"nixpkgs": [
@ -268,11 +230,11 @@
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1714544767,
"narHash": "sha256-kF1bX+YFMedf1g0PAJYwGUkzh22JmULtj8Rm4IXAQKs=",
"lastModified": 1698819743,
"narHash": "sha256-L3vZfifHmog7sJvzXk8qiKISkpyltb+GaThqMJ7PU9Y=",
"owner": "nix-community",
"repo": "fenix",
"rev": "73124e1356bde9411b163d636b39fe4804b7ca45",
"rev": "1a92c6d75963fd594116913c23041da48ed9e020",
"type": "github"
},
"original": {
@ -282,47 +244,16 @@
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1614513358,
"narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
@ -347,11 +278,11 @@
]
},
"locked": {
"lastModified": 1713125817,
"narHash": "sha256-GpW5PN4JIV5SYp6ZuAeN2qRQH3hyiOUWNbR5J0Jhh2E=",
"lastModified": 1695426234,
"narHash": "sha256-fPLVqhGt9G72MrKrnal31ovp2NXpy4PT6uGV9+BYxtk=",
"ref": "refs/heads/master",
"rev": "9172dc5abd036707d5b5a21bcff5c61f6e55fde1",
"revCount": 73,
"rev": "bb82574d4a36b743b8678e23a0cd3c8b0eaf1821",
"revCount": 68,
"type": "git",
"url": "https://gitea.c3d2.de/astro/heliwatch.git"
},
@ -367,15 +298,14 @@
],
"nixpkgs": [
"nixos"
],
"spectrum": "spectrum"
]
},
"locked": {
"lastModified": 1714764302,
"narHash": "sha256-MmIZR67wOP3Nr9b3XpsvHSZSTDcTmd9cQn2Z8pW1/Hw=",
"lastModified": 1700320345,
"narHash": "sha256-HDBVj9gEOG2ZBGc+UGtjqDsOIvYOQtDxDRGrbiWOXl0=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "e9977efbe34b554c3e393dc9a18509905a4080e5",
"rev": "b16e6261ad2f0bca6ac2a4b7a4d3377cf5e3d95d",
"type": "github"
},
"original": {
@ -391,11 +321,11 @@
]
},
"locked": {
"lastModified": 1713520724,
"narHash": "sha256-CO8MmVDmqZX2FovL75pu5BvwhW+Vugc7Q6ze7Hj8heI=",
"lastModified": 1698420672,
"narHash": "sha256-/TdeHMPRjjdJub7p7+w55vyABrsJlt5QkznPYy55vKA=",
"owner": "nix-community",
"repo": "naersk",
"rev": "c5037590290c6c7dae2e42e7da1e247e54ed2d49",
"rev": "aeb58d5e8faead8980a807c840232697982d47b9",
"type": "github"
},
"original": {
@ -432,11 +362,11 @@
},
"nixos": {
"locked": {
"lastModified": 1714905756,
"narHash": "sha256-JyB6bzbG5F2fHouZNHf7DJo5boMirnZO8izrJY502RA=",
"lastModified": 1701650192,
"narHash": "sha256-OlW7awIgrWkAAdFO+fjkzKD0NHneHRr023r3Ld3JBGQ=",
"owner": "SuperSandro2000",
"repo": "nixpkgs",
"rev": "a0744ef2215a1feb76086167cf6a6dcf2f6e435d",
"rev": "093be9832c89b19c94aebf78186562ef2fc267f1",
"type": "github"
},
"original": {
@ -448,11 +378,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1714885415,
"narHash": "sha256-LG+2IVqVi1fy724rSDAkgqae+f47fGGko4cJhtkN8PE=",
"lastModified": 1701020860,
"narHash": "sha256-NwnRn04C8s+hH+KdVtGmVB1FFNIG7DtPJmQSCBDaET4=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "753176b57b3fcddb140c1c012868e62c025120bd",
"rev": "b006ec52fce23b1d57f6ab4a42d7400732e9a0a2",
"type": "github"
},
"original": {
@ -463,19 +393,16 @@
},
"nixos-modules": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs-lib": [
"nixos"
]
},
"locked": {
"lastModified": 1714345437,
"narHash": "sha256-95Jrew6RACxyEATJg1asSfFq/dzDadLGBAxItb6/LRA=",
"lastModified": 1701643093,
"narHash": "sha256-cJves2E255uJHoQLxdwB/Ipd718IYohE2HRBBse3Q9w=",
"owner": "SuperSandro2000",
"repo": "nixos-modules",
"rev": "1aeeba70ada1b0f1f8bc408ea3131882d35f15c3",
"rev": "bfc7e254acbf9ab43658893e367f3944811f9685",
"type": "github"
},
"original": {
@ -484,52 +411,6 @@
"type": "github"
}
},
"nixos-unstable": {
"locked": {
"lastModified": 1714905535,
"narHash": "sha256-eHjqlZBXypIzJYpb4YWv/NGXC+TG67q4sBYeLFPgUOc=",
"owner": "SuperSandro2000",
"repo": "nixpkgs",
"rev": "204e25c59d57c5b987df18c21120217d0ca6a915",
"type": "github"
},
"original": {
"owner": "SuperSandro2000",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-23_05": {
"locked": {
"lastModified": 1704290814,
"narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs-23_11": {
"locked": {
"lastModified": 1706098335,
"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.11",
"type": "indirect"
}
},
"oparl-scraper": {
"flake": false,
"locked": {
@ -571,11 +452,11 @@
]
},
"locked": {
"lastModified": 1714901161,
"narHash": "sha256-8f+IP2lVzE9AuH3WHFeG+GzLraLVAV0uekgHVEC0KOk=",
"lastModified": 1701083718,
"narHash": "sha256-+XgLJTcOfRLjNa5zGgAuK2vPy1CShn/7a4bdRrH1Mgk=",
"owner": "astro",
"repo": "nix-openwrt-imagebuilder",
"rev": "da7077e22fab0e865ecb62bea2fa0b0e2c0eb0cf",
"rev": "34caf0a0a3cab485491433bd1509bfc4072298b7",
"type": "github"
},
"original": {
@ -604,13 +485,12 @@
"nixos": "nixos",
"nixos-hardware": "nixos-hardware",
"nixos-modules": "nixos-modules",
"nixos-unstable": "nixos-unstable",
"oparl-scraper": "oparl-scraper",
"openwrt": "openwrt",
"openwrt-imagebuilder": "openwrt-imagebuilder",
"rust-overlay": "rust-overlay",
"scrapers": "scrapers",
"simple-nixos-mailserver": "simple-nixos-mailserver",
"secrets": "secrets",
"skyflake": "skyflake",
"sops-nix": "sops-nix",
"spacemsg": "spacemsg",
@ -625,11 +505,11 @@
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1714501997,
"narHash": "sha256-g31zfxwUFzkPgX0Q8sZLcrqGmOxwjEZ/iqJjNx4fEGo=",
"lastModified": 1698762780,
"narHash": "sha256-WzuwMjpitp41dacdNzrdGjjP72Z0fFyGuQR2PJk48pE=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "49e502b277a8126a9ad10c802d1aaa3ef1a280ef",
"rev": "99e94d2938a743f8f48c6b729de4c517eeced99d",
"type": "github"
},
"original": {
@ -649,11 +529,11 @@
]
},
"locked": {
"lastModified": 1714702555,
"narHash": "sha256-/NoUbE5S5xpK1FU3nlHhQ/tL126+JcisXdzy3Ng4pDU=",
"lastModified": 1700187354,
"narHash": "sha256-RRIVKv+tiI1yn1PqZiVGQ9YlQGZ+/9iEkA4rst1QiNk=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "7f0e3ef7b7fbed78e12e5100851175d28af4b7c6",
"rev": "e3ebc177291f5de627d6dfbac817b4a661b15d1c",
"type": "github"
},
"original": {
@ -666,11 +546,11 @@
"scrapers": {
"flake": false,
"locked": {
"lastModified": 1713211784,
"narHash": "sha256-WeTVBaVN9UZvw7dy8jkH0Vz8zWhcEqFlwqK9R+VYa0k=",
"lastModified": 1693949006,
"narHash": "sha256-ofwDlj+hBXlIH2rrMYjqaJD/OBqpxFAb7hay2BOIHGI=",
"ref": "refs/heads/master",
"rev": "4bdef3adf8ca8beefc2ebf6a838bb351bf8ca113",
"revCount": 71,
"rev": "d93045ab74f1a9fbd2a360fd24ca624c7cc2c62f",
"revCount": 70,
"type": "git",
"url": "https://gitea.c3d2.de/astro/scrapers.git"
},
@ -679,30 +559,19 @@
"url": "https://gitea.c3d2.de/astro/scrapers.git"
}
},
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat",
"nixpkgs": [
"nixos"
],
"nixpkgs-23_05": "nixpkgs-23_05",
"nixpkgs-23_11": "nixpkgs-23_11",
"utils": "utils"
},
"secrets": {
"locked": {
"lastModified": 1713017338,
"narHash": "sha256-BGXZdqdEc8+nFiX08q/kd8rWHgyiO42tacBpt39diMI=",
"owner": "SuperSandro2000",
"repo": "nixos-mailserver",
"rev": "04490c0872d91da865b925a8b7f8ccd3ba982cbb",
"type": "gitlab"
"lastModified": 1699654813,
"narHash": "sha256-cZH9FL8DOSZvLWL8jWiNszeV/g5eHJw80L88R8dPjvI=",
"ref": "refs/heads/master",
"rev": "f4d44f2c75f149c4aeadb635348ee87db4448b86",
"revCount": 164,
"type": "git",
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
},
"original": {
"owner": "SuperSandro2000",
"ref": "quote-ldap-password",
"repo": "nixos-mailserver",
"type": "gitlab"
"type": "git",
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
}
},
"skyflake": {
@ -741,11 +610,11 @@
]
},
"locked": {
"lastModified": 1714878026,
"narHash": "sha256-YJ1k/jyd6vKqmVgGkkAb4n+ZfPPAt8+L5a73eAThqFU=",
"lastModified": 1700967639,
"narHash": "sha256-uuUwD/O1QcVk+TWPZFwl4ioUkC8iACj0jEXSyE/wGPI=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "10dc39496d5b027912038bde8d68c836576ad0bc",
"rev": "4be58d802693d7def8622ff34d36714f8db40371",
"type": "github"
},
"original": {
@ -757,11 +626,11 @@
"spacemsg": {
"flake": false,
"locked": {
"lastModified": 1712512415,
"narHash": "sha256-X4JrvBfD9rKi7UN8R+Qwc1k7tqGIwgRFE4T1OGd1YcY=",
"lastModified": 1697572060,
"narHash": "sha256-p+5TdW/0N47PTLElbtgJaCMr5eVAafXgDkqi41TG/c0=",
"owner": "astro",
"repo": "spacemsg",
"rev": "8842c2ab4144a1b1a9cc5feda5000858882c9617",
"rev": "37c3784940f2b68361d2180f8e7a583baa242b8f",
"type": "github"
},
"original": {
@ -770,22 +639,6 @@
"type": "github"
}
},
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1708358594,
"narHash": "sha256-e71YOotu2FYA67HoC/voJDTFsiPpZNRwmiQb4f94OxQ=",
"ref": "refs/heads/main",
"rev": "6d0e73864d28794cdbd26ab7b37259ab0e1e044c",
"revCount": 614,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
"original": {
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
}
},
"sshlogd": {
"inputs": {
"fenix": [
@ -847,11 +700,11 @@
]
},
"locked": {
"lastModified": 1711570353,
"narHash": "sha256-kpipz1JwZzXD/BxfmWVDFIY2NisteJsubkcMYyIl8rk=",
"lastModified": 1684441791,
"narHash": "sha256-2ZVWrk+Gdt4bmi08bVKnW5LRekVFWDUQW1wdOI2Q/cs=",
"ref": "refs/heads/master",
"rev": "f76b7bc517ffd068972b3660daa67b1f6b22c4cb",
"revCount": 140,
"rev": "eb732ca1254f823770c4cdc3198484d1307ae83a",
"revCount": 133,
"type": "git",
"url": "https://gitea.c3d2.de/astro/ticker.git"
},
@ -863,11 +716,11 @@
"tigger": {
"flake": false,
"locked": {
"lastModified": 1713196297,
"narHash": "sha256-xgEtm7r6AS8UetLWtAKm1Zy9N0Cm4MP9SPjNyksRv6Q=",
"lastModified": 1688587276,
"narHash": "sha256-WsLVsnBYqZxH9QXYJ0Uutqd/g2KNARVNMjd847XLP88=",
"owner": "astro",
"repo": "tigger",
"rev": "073cc63fcd6e25cba775b0b4ad8056c6200da03f",
"rev": "0f6a4776eabb0469ef199b65b8955b56b4b3df52",
"type": "github"
},
"original": {
@ -902,21 +755,6 @@
"url": "https://gitea.c3d2.de/astro/tracer"
}
},
"utils": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"yammat": {
"inputs": {
"nixpkgs": [
@ -924,11 +762,11 @@
]
},
"locked": {
"lastModified": 1705059643,
"narHash": "sha256-Y9SI1WGMXrnv02SOGoNdFIFTAbF6lxgtGBtaO3m+uOo=",
"lastModified": 1696367506,
"narHash": "sha256-oWD8onHmZsWaUdU4V1zgWZcpSkJrnD4rVv+5zy7AGXA=",
"ref": "refs/heads/master",
"rev": "fc279ce4becf8e44d53a2d8a5d68edbf36f19361",
"revCount": 425,
"rev": "5fd3882e04981fa42784eced5d3cb910de60e624",
"revCount": 424,
"type": "git",
"url": "https://gitea.c3d2.de/c3d2/yammat.git"
},
@ -939,7 +777,6 @@
},
"zentralwerk": {
"inputs": {
"dns-nix": "dns-nix",
"nixpkgs": [
"nixos"
],
@ -951,11 +788,11 @@
]
},
"locked": {
"lastModified": 1714598147,
"narHash": "sha256-FxGkLFzY3pWubNHoiXh710FExyZRR5NHXb911BG0QDg=",
"lastModified": 1701027734,
"narHash": "sha256-bUGH+ME3MG0UA1EyYMg1Ly7Bj4q6VYj5jhLjenDU4q0=",
"ref": "refs/heads/master",
"rev": "af5cf82ed28811fa2922edb476cb73e88a90660e",
"revCount": 2029,
"rev": "072867a2a6ad06c356c9c39f92b9f766bc4cf94c",
"revCount": 1886,
"type": "git",
"url": "https://gitea.c3d2.de/zentralwerk/network.git"
},

101
flake.nix

@ -9,7 +9,6 @@
inputs = {
# use sandro's fork full with cherry-picked fixes
nixos.url = "github:SuperSandro2000/nixpkgs/nixos-23.11";
nixos-unstable.url = "github:SuperSandro2000/nixpkgs/nixos-unstable";
nixos-hardware.url = "github:nixos/nixos-hardware";
affection-src = {
@ -66,7 +65,7 @@
url = "git+https://gitea.c3d2.de/c3d2/nix-user-module.git";
inputs = {
nixos-modules.follows = "nixos-modules";
nixpkgs.follows = "nixos";
nixpkgs-lib.follows = "nixos";
};
};
deployment = {
@ -93,6 +92,7 @@
utils.follows = "flake-utils";
};
};
# hydra-ca.url = "github:mlabs-haskell/hydra/aciceri/ca-derivations";
microvm = {
url = "github:astro/microvm.nix";
inputs = {
@ -118,10 +118,7 @@
# NOTE: mirrored to https://gitea.c3d2.de/c3d2/nixos-modules
# If there are questions, things should be added or changed, contact sandro
url = "github:SuperSandro2000/nixos-modules";
inputs = {
flake-utils.follows = "flake-utils";
nixpkgs.follows = "nixos";
};
inputs.nixpkgs-lib.follows = "nixos";
};
oparl-scraper = {
url = "github:offenesdresden/ratsinfo-scraper/oparl";
@ -165,13 +162,8 @@
fenix.follows = "fenix";
};
};
simple-nixos-mailserver = {
# url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
url = "gitlab:SuperSandro2000/nixos-mailserver/quote-ldap-password";
inputs = {
nixpkgs.follows = "nixos";
};
};
# deprecated
secrets.url = "git+ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git";
sops-nix = {
url = "github:Mic92/sops-nix";
inputs = {
@ -219,7 +211,7 @@
};
};
outputs = inputs@{ self, alert2muc, c3d2-user-module, deployment, disko, fenix, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-modules, buzzrelay, caveman, oparl-scraper, simple-nixos-mailserver, scrapers, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }:
outputs = inputs@{ self, alert2muc, c3d2-user-module, deployment, disko, fenix, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-modules, buzzrelay, caveman, oparl-scraper, scrapers, secrets, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }:
let
inherit (nixos) lib;
@ -246,13 +238,16 @@
inherit system;
modules = [
{
({ pkgs, ... }: {
_module.args = {
inherit hostRegistry libC nixos ssh-public-keys zentralwerk;
# TODO: drop!
is2305 = (lib.versions.majorMinor pkgs.lib.version) == "23.05";
};
nixpkgs.overlays = overlayList;
}
})
self.nixosModules.c3d2
] ++ modules;
@ -284,6 +279,13 @@
];
};
bind = nixosSystem' {
modules = [
self.nixosModules.microvm
./hosts/bind
];
};
blogs = nixosSystem' {
modules = [
self.nixosModules.microvm
@ -340,13 +342,10 @@
modules = [
self.nixosModules.microvm
./hosts/dn42
];
};
knot = nixosSystem' {
modules = [
self.nixosModules.microvm
./hosts/knot
{
# TODO: migrate to sops
nixpkgs.overlays = [ secrets.overlays.dn42 ];
}
];
};
@ -374,8 +373,6 @@
gitea = nixosSystem' {
modules = [
self.nixosModules.microvm
self.nixosModules.gitea-actions-registrar
self.nixosModules.gitea-actions-runner
./hosts/gitea
];
};
@ -410,7 +407,6 @@
};
home-assistant = nixosSystem' {
nixos = inputs.nixos-unstable;
modules = [
self.nixosModules.microvm
./hosts/home-assistant
@ -420,7 +416,6 @@
hydra = nixosSystem' {
modules = [
self.nixosModules.cluster
self.nixosModules.gitea-actions-runner
# skyflake.nixosModules.default
./hosts/hydra
];
@ -449,11 +444,10 @@
];
};
mail = nixosSystem' {
mailtngbert = nixosSystem' {
modules = [
self.nixosModules.microvm
simple-nixos-mailserver.nixosModules.mailserver
./hosts/mail
./hosts/mailtngbert
];
};
@ -496,6 +490,10 @@
mucbot = nixosSystem' {
modules = [
"${tigger}/module.nix"
{
# TODO: migrate to sops
nixpkgs.overlays = [ secrets.overlays.mucbot ];
}
./hosts/mucbot
self.nixosModules.cluster-options
self.nixosModules.microvm
@ -524,6 +522,7 @@
nncp = nixosSystem' {
modules = [
self.nixosModules.microvm
self.nixosModules.nncp
./hosts/nncp
];
};
@ -552,13 +551,6 @@
];
};
pretalx = nixosSystem' {
modules = [
self.nixosModules.microvm
./hosts/pretalx
];
};
prometheus = nixosSystem' {
modules = [
self.nixosModules.microvm
@ -622,12 +614,23 @@
system = "aarch64-linux";
};
schalter = nixosSystem' {
modules = [
"${nixos}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix"
./hosts/schalter
];
system = "x86_64-linux";
};
scrape = nixosSystem' {
modules = [
self.nixosModules.microvm
./hosts/scrape
{
_module.args = { inherit scrapers; };
# TODO: migrate to sops
nixpkgs.overlays = [ secrets.overlays.scrape ];
}
];
};
@ -635,6 +638,10 @@
sdrweb = nixosSystem' {
modules = [
./hosts/sdrweb
{
# TODO: migrate to sops
nixpkgs.overlays = [ secrets.overlays.mucbot ];
}
heliwatch.nixosModules.heliwatch
self.nixosModules.microvm
self.nixosModules.cluster-options
@ -705,25 +712,11 @@
./hosts/ticker
];
};
vaultwarden = nixosSystem' {
modules = [
self.nixosModules.microvm
./hosts/vaultwarden
];
};
};
nixosModules = {
c3d2 = {
imports = [
# adds config.system.build.isoImage which can be used to build an iso for any system
# which is very useful to get its networking configuration
# ({ config, modulesPath, ... }: {
# imports = lib.singleton "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix";
# isoImage.edition = lib.mkForce config.networking.hostName;
# })
c3d2-user-module.nixosModule
disko.nixosModules.disko
nixos-modules.nixosModule
@ -735,6 +728,7 @@
./modules/baremetal.nix
./modules/c3d2.nix
./modules/disko.nix
./modules/nncp.nix
./modules/pi-sensors.nix
./modules/plume.nix
./modules/stats.nix
@ -753,12 +747,11 @@
./modules/microvm.nix
];
microvm-host.imports = [
microvm.nixosModules.host
microvm.nixosModules.host
./modules/microvm-host.nix
];
nncp = ./modules/nncp.nix;
rpi-netboot = ./modules/rpi-netboot.nix;
gitea-actions-registrar = ./modules/gitea-actions-registrar.nix;
gitea-actions-runner = ./modules/gitea-actions-runner.nix;
};
# `nix develop`


@ -12,6 +12,6 @@ See the grafana configuration to see an example on how to use OAuth.
To create a new application edit the dex configuration next to portunus.
The aplication credentials are saved in sops.
For an exmaple ldap configuration see the gitea, hydra or mail.
For an exmaple ldap configuration see the gitea, hydra or mailtngbert.
The ldap settings are documented in portunus in detail.
To connect to `auth.c3d2.de` the nixos-modules option `services.portunus.addToHosts` should be set to true.

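--- /dev/null
+++ b/hosts/bind/default.nix
@@ -0,0 +1,120 @@
+{ zentralwerk, config, pkgs, ... }:
+let
+# wrap reload in freeze/thaw so that zones are reloaded that had
+# been updated by dyndns
+reloadCommand = with pkgs; writeScriptBin "reload-bind" ''
+#!${runtimeShell}
+rndc() {
+${bind}/sbin/rndc -k /etc/bind/rndc.key $@
+}
+chmod a+rwx /var/lib/c3d2-dns/zones
+rndc freeze
+rndc reload
+rndc thaw
+'';
+in
+{
+c3d2 = {
+hq.statistics.enable = true;
+deployment.server = "server10";
+};
+environment = {
+etc.gitconfig.text = ''
+[url "gitea@gitea.c3d2.de:"]
+insteadOf = https://gitea.c3d2.de/
+'';
+systemPackages = with pkgs; [
+rsync # used in drone CI
+];
+};
+networking = {
+hostName = "bind";
+firewall = {
+allowedTCPPorts = [
+# DNS
+53
+];
+allowedUDPPorts = [
+# DNS
+53
+];
+};
+};
+# Privileged commands triggered by deploy-c3d2-dns
+security.sudo.extraRules = [ {
+users = [ "c3d2-dns" ];
+commands = [ {
+command = "${reloadCommand}/bin/reload-bind";
+options = [ "NOPASSWD" ];
+} ];
+} ];
+# DNS server
+services.bind = {
+enable = true;
+extraConfig = ''
+include "${config.users.users.c3d2-dns.home}/zones.conf";
+include "${zentralwerk.packages.${pkgs.system}.dns-slaves}";
+# for collectd
+statistics-channels {
+inet 127.0.0.1 port 8053;
+};
+'';
+};
+# BIND statistics in Grafana
+services.collectd.plugins.bind = ''
+URL "http://127.0.0.1:8053/";
+ParseTime false
+OpCodes true
+QTypes true
+ServerStats true
+ZoneMaintStats true
+ResolverStats false
+MemoryStats true
+'';
+sops = {
+defaultSopsFile = ./secrets.yaml;
+secrets = {
+"ssh-keys/c3d2-dns/private" = {
+owner = "c3d2-dns";
+path = "/var/lib/c3d2-dns/.ssh/id_ed25519";
+};
+"ssh-keys/c3d2-dns/public" = {
+owner = "c3d2-dns";
+path = "/var/lib/c3d2-dns/.ssh/id_ed25519.pub";
+};
+};
+};
+system.stateVersion = "22.05";
+systemd.services.bind.serviceConfig = {
+Restart = "always";
+RestartSec = "5s";
+};
+systemd.tmpfiles.rules = [
+"d ${config.users.users.c3d2-dns.home} 0755 c3d2-dns ${config.users.users.c3d2-dns.group} - -"
+"d /var/lib/bind/slave 0755 named nogroup - -"
+];
+# Build user
+users.groups.c3d2-dns = {};
+users.users.c3d2-dns = {
+isNormalUser = true;
+group = "c3d2-dns";
+home = "/var/lib/c3d2-dns";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHIkIN1gi5cX2wV2WuNph/QzVK7vvYkvqnR/P69s36mZ drone@c3d2"
+];
+packages = [ reloadCommand ];
+};
+}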
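Review bot: The `reload-bind` wrapper runs `chmod a+rwx /var/lib/c3d2-dns/zones` as root on every reload, which leaves the zone directory writable by every local account on the DNS host rather than only by `c3d2-dns` and the BIND daemon. Because the sudo rule lets the CI-driven `c3d2-dns` user trigger this without a password, I would narrow it to the accounts that need write access, e.g. `chown c3d2-dns:named /var/lib/c3d2-dns/zones` followed by `chmod 2775 /var/lib/c3d2-dns/zones` (confirm that a `named` group exists on this release; the tmpfiles rule in this file uses `nogroup`). The `rndc()` helper should also forward its arguments quoted, `"$@"` instead of `$@`.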


@ -1,9 +1,7 @@
knot:
keyFile: ENC[AES256_GCM,data:AIljRkmOy8qjkJHM3er0JVJdE3iD2oFJ/hDXsrBDvQ5u2G08/eqz+e9KQoYLaSg7GU5+Io1O6ADUPlCi2g5pGz4rkLFlhLFCVTOUFgex9dkchIQ9gMELPCAm6kAMZlPnfv2UnG9EaQCtT0LpCOItpQ==,iv:d3ARHmPo/+VU/4Dmxth2ar7y1AMF0ruO/7ddqPqTsdA=,tag:F7JuHNkusL92sTgp5a1oRg==,type:str]
ssh-keys:
knot:
public: ENC[AES256_GCM,data:HOKwyNGhZhL0cnK0R3km4nzNi2x7W2RNabfP/pyW/sa7cHe9bOscpsgYz89O47tTkWxGz5eKgr/j+mfNg/QCPLq1AZZp7BwT7WHPlFPDEGhUqxpmgkR/iWEcN/pFHw==,iv:B1WqzrnWxtrfd21QxQUEHtjzG58EdVgW18AlJGmR5a8=,tag:pqIp5yDdxqkCPi5SQ4SpVA==,type:str]
private: ENC[AES256_GCM,data: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,iv:uwy3u/GMLBnkfRDS4LUfS7A64DWlMjY4BujPC6tZPcI=,tag:PHRZD5I9ftzce2tek/YVdQ==,type:str]
c3d2-dns:
public: ENC[AES256_GCM,data:I+gaK6an/zSCAh4FDH0udy1CYbuSHWdQ5LMV2x80TbRTV7xb8Zvq9ziSqVx/u2A9UtTQTdpU75g/kWOi64GokE38NgUOjhPYwQ4P9FRqRnYEHWLQHLPah7fluy52Mg==,iv:UWSne9LMRwWJEVffAWn8PxRy1/Kqp8ncPbLCso7zHFA=,tag:SHPaVkS1M65Zmsp2To1Pbg==,type:str]
private: ENC[AES256_GCM,data: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,iv:AdUU5x5cGh471+aTeqljkC3/6wSXWIFNACd772AQjpg=,tag:pdZSG63OwHt0AMDv3NhMsA==,type:str]
sops:
kms: []
gcp_kms: []
@ -28,8 +26,8 @@ sops:
RyswT3E2Rnh2aTZMdXI0QnJRQVFNYVUKu9yv8wZ7X6mmFc3wj/4cOL9mZrP0Q6F7
fXtdZr93TmTK9cG5EuBYuGDvOooFsPeSLSjP6BFRG+2+X+QxK7nSFg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-05T13:44:20Z"
mac: ENC[AES256_GCM,data:4mKJn5LVx0TsBZNoJeEHpL6BPJ4Hg7QQ5rAAZ+S6OEjtRR/Jku7SwH0FLNNoQZK49MnLhWVqrcW9YLNSPzUCcW1KY4k0ErbnlVJ7sVeTu8IRyNBbHR0neRLxP+6d4CzZY8O0VucbtGbKgOgxxNIUZDr5TNvSJ3uTx3ARfwcy5w8=,iv:IWjhjv5BkSPd/5NXTcMlOiUSNGRbjNXQ2+LydXAe8dA=,tag:6NLnKkfvCTBq73oQjfQ4gw==,type:str]
lastmodified: "2023-03-23T20:33:02Z"
mac: ENC[AES256_GCM,data:wGBfQRtmPZypEIHrImQ5U/N4QGCkdz8x7WC8UY/Z65oDt8OQUv0W0sTglANM7JlZHmnQejJuUa6olJoZDamYNenC+prkcyRej+tgFrEhoaOlpVH/+2OwRyIouQpVAyD328rcgu+tcLw+TmJEeF1LywgowSvlK7owm7GlqSPiK6U=,iv:wtnGIMNSOyNTot6cPxb7dT7IkAKrLP9ln3XYi8w/Fxg=,tag:b81yMYeTTXj29ITkJqrgFw==,type:str]
pgp:
- created_at: "2023-08-08T22:43:21Z"
enc: |
@ -169,4 +167,4 @@ sops:
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.7.3


@ -1,7 +1,7 @@
{ config, ... }:
{
microvm.mem = 3 * 1024;
microvm.mem = 2048;
c3d2.deployment.server = "server10";
networking.hostName = "blogs";


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, pkgs, ... }:
let
mymqttui = pkgs.writeScriptBin "mqttui" ''
@ -132,11 +132,11 @@ in
};
};
environment.systemPackages = [
environment.systemPackages = with pkgs; [
mymqttui
];
users.motdFile = lib.mkForce ./motd;
users.motdFile = ./motd;
system.stateVersion = "22.05";
}
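Review bot: `environment.systemPackages = with pkgs; [ mymqttui ];` brings all of `pkgs` into scope for a list whose only element is the `let`-bound `mymqttui`, so the `with pkgs;` does nothing here and can hide a typo behind a same-named package; a plain `[ mymqttui ]` is clearer. Separately, `users.motdFile = ./motd;` without `lib.mkForce` will only evaluate if no other imported module defines that option at the same priority, which cannot be checked from this hunk. The module body between the two hunks is not shown.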


@ -2,16 +2,8 @@
{
microvm = {
# Running on server10 which has 40 threads on 20 cores
vcpu = 8;
# drone-ssh-runner clones the git repo into tmpfs which requires some RAM
mem = 2 * 1024;
};
# drone-ssh-runner clones into /tmp which needs to be bigger than the default rootfs tmpfs
boot.tmp = {
useTmpfs = true;
tmpfsSize = "80%";
vcpu = 4;
mem = 2 * 1024; # drone-ssh-runner clones the git repo which requires some RAM
};
c3d2.deployment = {
@ -57,41 +49,35 @@
'';
locations = {
# Mastodon
"~ ^/\\.well-known/webfinger".return = "301 https://c3d2.social/.well-known/webfinger?resource=acct%3ac3d2%40c3d2.social";
"~ ^/.well-known/webfinger".return = "301 https://c3d2.social/.well-known/webfinger?resource=acct%3ac3d2%40c3d2.social";
# Matrix
"~ ^/\\.well-known/matrix/server" = {
"~ ^/.well-known/matrix/server" = {
return = "200 '{\"m.server\": \"matrix.c3d2.de:443\"}'";
extraConfig = ''
default_type application/json;
'';
};
"~ ^/\\.well-known/matrix/client" = {
"~ ^/.well-known/matrix/client" = {
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.c3d2.de\"}}'";
extraConfig = /* nginx */ ''
extraConfig = ''
default_type application/json;
add_header "Access-Control-Allow-Origin" *;
'';
};
"~ ^/schule$".return = "307 /schule/";
"/schule/" = {
alias = "/var/www/cms-slides/";
extraConfig = ''
index index.html;
'';
};
# SpaceAPI
"/status.png".proxyPass = "http://[${hostRegistry.spaceapi.ip6}]:3000/status.png";
"/spaceapi.json".proxyPass = "http://[${hostRegistry.spaceapi.ip6}]:3000/spaceapi.json";
# WKD: Web Key Directory for PGP Keys
"~ ^/openpgp".extraConfig = ''
autoindex off;
default_type "application/octet-stream";
add_header Access-Control-Allow-Origin "* always";
'';
"~ ^/openpgp" = {
extraConfig = ''
autoindex off;
default_type "application/octet-stream";
add_header Access-Control-Allow-Origin "* always";
'';
};
};
};
@ -103,9 +89,9 @@
enableACME = true;
forceSSL = true;
root = "/var/www/c3d2/datenspuren";
extraConfig = /* nginx */ ''
extraConfig = ''
index index.html;
rewrite ^/$ /2024/ redirect;
rewrite ^/$ /2023/ redirect;
'';
# Mastodon
locations."~ ^/.well-known/webfinger".return = "301 https://c3d2.social/.well-known/webfinger?resource=acct%3adatenspuren%40c3d2.social";
@ -114,7 +100,7 @@
"autotopia.c3d2.de" = {
enableACME = true;
forceSSL = true;
locations."/".root = "/var/www/c3d2/autotopia";
root = "/var/www/c3d2/autotopia";
extraConfig = ''
index index.html;
rewrite ^/$ /2020/ redirect;
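Review bot: In the `~ ^/openpgp` location, `add_header Access-Control-Allow-Origin "* always";` puts `always` inside the quoted value, so nginx sends the literal header value `* always`, which browsers do not treat as a wildcard origin; the line should read `add_header Access-Control-Allow-Origin "*" always;`. The `.well-known` regex locations on the new side also lose the escaped dot (`"~ ^/.well-known/webfinger"` and the two matrix ones), so `.` matches any character; `"~ ^/\\.well-known/webfinger"` matches only the intended path. The enclosing virtual host definitions start outside these hunks.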


@ -9,7 +9,7 @@
};
microvm = {
vcpu = 8;
mem = 12 * 1024;
mem = 20 * 1024;
};
networking = {


@ -107,7 +107,7 @@ in
fileSystems."/" = {
device = "${hostRegistry.nfsroot.ip4}:/var/lib/nfsroot/dacbert";
fsType = "nfs";
options = [ "nfsvers=3" "proto=tcp" "nolock" "hard" "async" "rw" "fsc" ];
options = [ "nfsvers=3" "proto=tcp" "nolock" "hard" "async" "rw" ];
};
networking = {
@ -115,10 +115,6 @@ in
hostName = "dacbert"; # Define your hostname.
useDHCP = false;
interfaces.eth0.useDHCP = true;
firewall.allowedTCPPorts = [
# RDP
3389
];
};
nix = {
@ -210,10 +206,6 @@ in
};
};
# /modules/baremetal.nix assumptions that don't make sense for netboot
services.smartd.enable = lib.mkForce false;
services.fstrim.enable = lib.mkForce true;
systemd = {
services.nix-daemon.serviceConfig = {
LimitNOFILE = lib.mkForce 8192;


@ -6,161 +6,163 @@ sops:
azure_kv: []
hc_vault: []
age:
- recipient: age1g2ewsxcu5uqlesaznp2qwlcz8w66pxh4qxkul8wu7x8g2hw83saqxynpyk
- recipient: age1hg0mmua5y82ct7l6q9gpc8w940ce5seqcjhm4dgx7tlzvflznyas7v3hf4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UHhuYmNSaXZxQ0l0K1ps
bGo5SFZyQ0ZTVzY4WEdHU2pLSUFieVZvMVVRCkkzcCtkZWI1dXpOck9oSEpTU0Vq
amxKR2VjbXdTTG5QYlBjSi81MW1TVEUKLS0tIDI4Vkx5c2syeXFJczhmR0xnREJL
b1RpVUZBdlY1K2RxVHpJOEFScEEyZkEKYlIVqGQornLAs1FZXoN/xiMliC0Rhx/F
ELOsJciJrx67iOjHawSpZQf7+bGm2uPB8M0toM20w1uY7ZZoWQ/qIw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWUWg5U05pUTFPVTdlWENm
YUxpODJvaDNmZEpOZU5yR2Jaa1lKVWlxN0JrClZLcXJ2TGxWcG1oTnU2a1U5ODQ4
U09tejNwVWhST20wYUY0eUpYVTdlV1UKLS0tIGNsMXN4ZTRlam1SK2JadUxuVzlv
VFZaUDg1TTV5RjVrNElMenRoclBjeHMKvxVO8MPEIyParOQrzbrGLhe8+66DnIhC
pd7EvaIRYhRxkrp4aD5p+bV0sS0YUGlppD3kyHyNeSFzRp2nijM6Eg==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwZU4xL05Na2dnSHdsNFZi
OUQ0ci9ldTdwTm94OTVHeDBLOWczekZ6K0gwCkhiTnR3ZVdHeGRFblAzeForWHZr
KzI0ZEV1LzQzeFpzeFU2UUs1QzJoVjgKLS0tIFgyL2dRbk93WWFLcXJWTUtpY0VC
aStsdEQ2VUdRbkZqNHlhWXZuS3JUM2cKUVQdJx0SH7iUjBgn3Yw3X264q3W/BxDF
Pyw6mqGR4ODXTuBh+wNSAOveb9v2EwdRrhIYvHOnKid2aO+QVuh1hA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6c0xCbEpPUnk0UEFxaGJn
ZjRBNTZhVlNtVnVZaE9rNzlJS3FvMEhZNXdFCjR4aXl6UHlQTFJXalNabndObTYy
TXQ0QktFYmZmME11S3B6RjRGRkNEZzAKLS0tIEszcUdxOHRwRy9wZVRGeHZWNlpr
T0QvWjA1cnFMT25pWUQyZUo5TnBqUk0KBdvbz5lWy2zkmhvj0nLUW3MEyBOZoEsm
7Bm8YgF9G8Oo+Z14a9PxphW06SSVD4kaF+Fk9tX14HFreXoiuAVdgQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-04T21:39:27Z"
mac: ENC[AES256_GCM,data:PQtTAEXBgp6MuPl5+6SE/zaOuYGvDRpl0w9XYgUJJHhDqiIEQfcAYIUEKv+Dvtxj94TQZ3v2kjT4Y3FF0ROYIcN8H1K1PtVXRLu+vptr2+wZ1Mahg6K4Ukk1s0eiBB3vsGrMONqaky5Jqy4My3+0NMnBuIvlqErpoUT3Gin37do=,iv:RUTAvD/hczbaX7w7ROPQZNII3kTRnEBG6aMMkTHuV/M=,tag:XLgfZnnDM1ffv6uBLYJXmg==,type:str]
pgp:
- created_at: "2024-01-25T22:24:28Z"
enc: |-
- created_at: "2023-08-08T22:43:27Z"
enc: |
-----BEGIN PGP MESSAGE-----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=sEDg
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
- created_at: "2024-01-25T22:24:28Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=vAXK
hQIMA6j84+xkv3y7AQ/+I/dA8dcr1Grt4J6bKlwZzjx3AGVRqEBJEwDCkghqUZMR
riXHZxQaz9QFSKCxIgAQMbVDehyAyK4Xn6h9eEh5ltPlaU/pM31mkZaISvZ66mQT
5vj4J7lJeqM+DuTlp3NVEPRsxW3RVt+Gs+HpMCU2ZgywH5ratahdqvYRkrTOD2kX
rbpJwU/tzzdbePWhf1LiGYVjD9p7/+0lWC7FQ/QXrgxJ5x0guUSYokNzZZ6ok9iU
Wypkgepfxpa8jvxECYUZMdFQPesm/dOcq4ppnpz6ne4ZaQxDy1237OmPDJI5fNbE
kXbuTqdS6ipT4kn5Uw2Urm/5Bd0iPQfhABCHMoubDTEq9Bap7gv7Zp1Up4BlUbdZ
rquHs7iKf13RekvgCtrl1+J/arh8K9GexfzQyHkVfQufibIYeiKi30O52wOzUrwg
9gN2YSCdRNXTvAJS4eTsAtb626nY9lggX6knHLga3kcJaRYXzKA3qqyJuJK5hoy7
nt2c/vNO/8JSx94pa7ualI/iKW51WWjP3p4xvaJ3rf/AkC0UUMS8i9Qii7zMPNli
1uw9HhTYaJ7XPQCLgsolOuHuMA+XXzgJRllOMBfh0YBXKocux6wJSh1aCe3ZY8vM
fgEsx2SCDZ3RZpNa/aDUTWdgWKMWG1zM+K+3iKsv3EWnh9ySWZVqqqI52p22BRHS
XAGVJHi8cKkmOvU9JEOwDoakbJt1UXYrvRzUzwQzhTST31rbDCRmcsmOxuwhTAiv
RTyy7+mBerGCSlMytSFhYag2iR4risUmUiTnYkG2pHgwK5HJ2STNx0vnI0Ht
=3vVQ
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2024-01-25T22:24:28Z"
enc: |-
- created_at: "2023-08-08T22:43:27Z"
enc: |
-----BEGIN PGP MESSAGE-----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=hqjz
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2024-01-25T22:24:28Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=Jb2A
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2024-01-25T22:24:28Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=HitH
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2024-01-25T22:24:28Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=ewXp
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2024-01-25T22:24:28Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA45bZkLXmBFpAQf/Tlbk9V3PFbUWHux7iodUqGF+NzYnZhLu5z8OLZ9zvyxU
RuVIK0sofnF7h1+W0sDFOkyFPXOq9lwhiKSmbStaBLwwmalogFYP4GMmaAorcNXt
UuCDzX7imaTNbcemgc6Q+DaU5VhTUkrcJD+Ipq+fN29FuACtlPMiPf94PEaV3hVa
h+PhJ+ryZcxhXZN3s1X9k8IC7i/IsGevoodpEMlX7ClFYrgIdMlcv0fsGXq6QdhO
nX/XSP//ifNX+TyvWV4oilxj3KCL+3F+hd7oyCr27fvH2XyCBdvzWKR1KcfFLOti
NeBDQRzvwcprhfjHxbehsN37tF1BRYz7B4Wo/0wL8dJRAReA1QjQjsqahcwR/U/g
dQliYypHdEjy/lMSl8zN9vW4joY20q1nehaRfPgFlV4UMoIqUHFR3xmBWWBxE8Aw
EUMSxPMPEUXchXjvgXWzUT5z
=opMv
hQEMA45bZkLXmBFpAQf/T5A1TKNhvhXsqHk+oMgnomqoh6u5MSc8Lx4ST0+HKANm
zqJC7gq/lqEedcQcfiqIljBhlR/szWxp1R7ciB9uISGLNYJXT9duCjIiMJHCqC/Z
DgxIF2HdKmJKGxbzFeAxcOrPDUrZYEk0V2APfTC451lWjcI5Rx6K/limKm9yn8/A
62i4BbH+hcGXl5905y5rGIQNUrcD2IsdondtRIIT4R5TQ8PGIXle1R7NLbNyLsJD
I+qwy5wczmHz2u2vIxGY6T/Vr4kObB8gZuEijNY9tldGvhnpySmuIvVRFUAt5Pab
fZmU3v7G1DvjvX2fuc3/iQR0xjn6btev04i1clMobdJcAVt6KbyLar78Z8m1vMWS
VoCXvAk/HHkzc25h74s8aq8SgLmpBedXXzoQmq+an64YNEUTyxjB1GveNm91EdoN
44fcAHG6Ue9v6i9hmEGafBULYfyd6VUsMR2W07g=
=Fg/N
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
- created_at: "2023-08-08T22:43:27Z"
enc: |
-----BEGIN PGP MESSAGE-----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=wukA
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2023-08-08T22:43:27Z"
enc: |
-----BEGIN PGP MESSAGE-----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=Yogj
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2023-08-08T22:43:27Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=4SpI
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2023-08-08T22:43:27Z"
enc: |
-----BEGIN PGP MESSAGE-----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=nMM4
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2023-08-08T22:43:27Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA7zUOKwzpAE7AQ//bAvQABQJBfWf1A95ciTCCRY47U6/IUpLUF5C/te0c3xp
yiEL3Ic9/vGGf1mXonAuewy4RBM9W/g5TDwwNPblNQ5B4xqr8MCg0n0GECHcQip1
dsP/VW4DPpUiR7jjfVy3XFpYon4ciWhGis7J3FP57v4FLtwxlPZLEHvyzhbU40f3
mp5phiRBzFViUl77Y1iZdsGXovuLmbvtoRfwpH+UrE/Ko78msmRXYvUcRw5iGoST
jkWnLTzgoIeDQR1C7h1o9Gfnok26PPkRFg5iX2LHJea6MMC+mIqomwoIy+wLztgg
r+pjv69fGvR3jrqQrP6U0koZ9Bq1qGVVtAnKaWwict9lVYbulGWLdMorrj20ppDh
6b8xb0bZXwhdcPb6RHtimzBq+9/N/Ip/oWtIlpQwJiCYPZgdOsqrNlNe4GQA0e3S
mWr7COl0N/NIiJDAxlkHz0Mq6pl2+sH7hqqsbaqHY0aDoPo7uRj8ImP68n7h3gBu
D6+1sIIhLqEpc2y8CUnYeF0z3bk6czdysurL87vVunfCgsqf2xS84dsKi5+qn5Vy
IUeYLudYfvM1V/fo02QSSuWtc1BSgysBAmDSqJtLsd3tHSVVkh7JDIHiiSBzDdkA
6pP9WqvIjzax24n5zJFKvdgrj0m2+ipN8/eD0UPQ7UaVV+4CArng4pRZo80U2lnS
UQGsTGrz177oe4P34kouqnkXUSTsxpjT2PZctkBZoQQhJa1uaWY0AIpHWcY6a7dq
b5WL+6Qwh0uDA+847vyhFZkS363TWnC1cYfyU/jb03fVeg==
=AXtg
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -3,7 +3,7 @@
let
address4 = "172.22.99.253";
address6 = "fe80::deca:fbad";
neighbors = import ./neighbors.nix;
inherit (pkgs) neighbors;
in
{
networking = {
@ -92,9 +92,7 @@ in
'';
up = ''
${pkgs.iproute}/bin/ip addr flush dev $1
${lib.optionalString (conf ? address4) ''
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
''}
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1
'';
};


@ -1,142 +0,0 @@
{
dc16 = {
address4 = "172.22.16.1";
address6 = "fe80::250:bfff:fe41:5e57";
asn = 64616;
description = "Astro";
wireguard = {
listenPort = 2325;
publicKey = "vCtPRpRc2SbTVRxKB6v7qL4DwaGvBAwh4z3uVFeh9BU=";
};
};
dc24 = {
address4 = "172.22.24.1";
address6 = "fe80::cafe:babe";
asn = 64624;
description = "spaceboyz.net";
wireguard = {
publicKey = "5GyoCIRvTeUp6nSusZ8CMNVK/kjUTk1qkOSxKDW8Ng8=";
listenPort = 2399;
endpoint = "spaceboyz.net:2399";
};
};
dc98 = {
address4 = "172.22.100.254";
address6 = "fe80::c3d2";
asn = 64698;
description = "inbert.c3d2.de";
openvpn = ''
remote 217.197.84.54 # dn42.c3d2.de
port 2327
comp-lzo
'';
};
zw = {
interface = "eth0";
address4 = "172.22.99.250";
address6 = "fe80::814:48ff:fe01:2201";
asn = "4242421127";
description = "bgp.c3d2.zentralwerk.org";
};
dc113 = {
address4 = "172.22.113.244";
asn = "64713";
description = "martin89";
openvpn = ''
remote tunnel1.martin89.de 40533 udp4
comp-lzo
'';
};
dc4242421374 = {
asn = "4242421374";
description = "eri";
address4 = "172.23.64.129";
address6 = "fe80::0302";
wireguard = {
listenPort = 2338;
publicKey = "rve99NGZIJLB4mPj2M7mjQmTHWMkLo5sXvFuur6TKiU=";
};
};
dc4242421789 = {
asn = "4242421789";
description = "gregoire.boillet@protonmail.com";
address4 = "172.21.93.97";
address6 = "fe80::17:89";
wireguard = {
listenPort = 64699;
endpoint = "217.12.209.150:64699";
publicKey = "ifxB+zSOdT5vJ/HfdXjvphy962rfezrA9CWYe4ISTgE=";
};
};
dc4242421602 = {
asn = "4242421602";
description = "toon";
address4 = "172.23.162.33";
address6 = "fe80::1602";
wireguard = {
listenPort = 2339;
publicKey = "D9swl/xZOhTDT57IMf9QKq+FR7plZHCtbMo+SE7uJg0=";
};
};
dc4242420604 = {
asn = "4242420604";
description = "http://blog.cas7.moe/peering/";
address4 = "172.23.89.3";
address6 = "fe80::604:3";
multiprotocol = "ipv6";
wireguard = {
listenPort = 2337;
endpoint = "de1.dn42.cas7.moe:34699";
publicKey = "1dJpFLegKHKButkXqbv1KLLMTmS6KtFkWBz6GRo2uxE=";
};
};
dc4242420197 = {
asn = "4242420197";
description = "https://md.n0emis.eu/s/dn42";
address4 = "172.20.190.96";
address6 = "fe80::42:42:1";
multiprotocol = "ipv6";
wireguard = {
listenPort = 24699;
endpoint = "himalia.dn42.n0emis.eu:24699";
publicKey = "ObF+xGC6DdddJer0IUw6nzC0RqzeKWwEiQU0ieowzhg=";
};
};
dc4242423804 = {
asn = "4242423804";
description = "eXO.cat";
address4 = "172.20.206.33";
address6 = "fe80::4242:3804";
wireguard = {
listenPort = 2340;
publicKey = "uAsya5O3yoCQFSpZiDhUwsjWQIaw64//eegHf8D1+ko=";
};
};
dc64738 = {
asn = "64738";
description = "welterde";
# address4 = "";
address6 = "fe80::fcbb";
wireguard = {
listenPort = 2341;
endpoint = "vpngw.edge0.denue3.welterde.net:41003";
publicKey = "In8V093CGV1sLK0XZBh86fJvGW1SCVkYbxR5/MJXinM=";
};
};
dc76140 = {
asn = "76140";
description = "feuerrot";
address4 = "172.23.148.1";
address6 = "fe80::2342";
wireguard = {
listenPort = 2342;
endpoint = "home.dn42.feuerrot.org:51839";
publicKey = "aoq7ctyAf3P9aohQYLhbFa1LbPMFx93tWYpFRr1CfB4=";
};
};
}


@ -29,12 +29,6 @@ neighbors:
dc4242423804:
wireguard:
privateKey: ENC[AES256_GCM,data:O04wJJ+YIbyXgNbr5Z6T1uFr/8xQDK28Hciu1hLu3cf48c4efSro5aCyXYA=,iv:lOoTvVpqb6lSUDXi/EIIXlLjFbd44hCgzmPUVllRrVg=,tag:KHWh1a6JjjSRvYcv2onVGA==,type:str]
dc64738:
wireguard:
privateKey: ENC[AES256_GCM,data:br0ZyD3yU0Ix+JyXntbsbogtvRmBVE1DCIuE4DHZy5Ha+VFiXf49oAcqq1A=,iv:wvdYurVY7UG9XcutsEAOkFzGYod85lUdcbDkbEcAf2w=,tag:zZdIEoJxaJ/FffGngOWVEA==,type:str]
dc76140:
wireguard:
privateKey: ENC[AES256_GCM,data:1+5eJa6lbQlQ5Wh6BxSZXqICbiammadEqgLrTyrx+sBKN9HKmRxBmTdhsf8=,iv:k/QerH5iFq2xJSohiEljS1hybLWmOecl4+TFswZV1kM=,tag:4jmVPTP7NPx8fwLS75OQNg==,type:str]
sops:
kms: []
gcp_kms: []
@ -59,8 +53,8 @@ sops:
UW9MRTM0M0RiUDRVQTE3bGxaeGNuWWsKMwFqlntiTNn/5pFpEFyuKvyKJPUJFXui
7W5COcr0Gzcy9Jvho/RoJVptCNjt1am8GNvayN61BtL2AvxqmM5s3Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-28T20:13:47Z"
mac: ENC[AES256_GCM,data:Plw3BJLWuG4E3TKODiMj9InVr5yR8T9Ui4R1yCOdNPZHFtWaPfbPmi7BBt5aLG5812FtTF6yAkusKVHhih1NLNcZ5fAPktV0PW7MgQ5kdfquofzOdWTrYoYT1VMtbzu0fyP4HoiDsxp9VvA7u/r1nuJ5wAPBLvPx0hAm2XRsPf0=,iv:L9UH19Wk11iIfs3UppPD33PyhaOre+5pFszoQYzHdts=,tag:+40C5hyRZBh2IrCLVWnAEA==,type:str]
lastmodified: "2022-01-06T22:45:31Z"
mac: ENC[AES256_GCM,data:6ooG3L6RBMn+DZ4jFsmc1WuS7Pu2hkYM74uGu6lxGEwwOqTPXsEAORtcMdTeCL2OtDKZradmMqcGPNJwm0MrHNwemgmmfn9GGHjM44SfyIdApa9H8Gpql06QjpcX/r7H8XXdvJT6YpwBX7S5htO0kyJc6P0435dg275Jl8m8+bY=,iv:nH3Gz/h0Ikq9kV7n0nHH7fxYuDoPHqwZsdLlAngZopQ=,tag:UJVpBYg+7sjiGqODirON1g==,type:str]
pgp:
- created_at: "2023-08-08T22:43:28Z"
enc: |
@ -200,4 +194,4 @@ sops:
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.7.1


@ -1,5 +1,8 @@
{ config, libC, pkgs, ... }:
let
hostname = "drone.hq.c3d2.de";
in
{
c3d2.deployment.server = "server10";
@ -10,12 +13,11 @@
services = {
nginx = {
enable = true;
virtualHosts."drone.hq.c3d2.de" = {
virtualHosts.${hostname} = {
forceSSL = true;
enableACME = true;
listen = libC.defaultListen;
locations."/".proxyPass = "http://localhost:5000";
serverAliases = [ "drone.c3d2.de" ];
};
};
@ -69,7 +71,7 @@
"DRONE_DATADOG_ENABLED=false"
"DRONE_DATADOG_ENDPOINT=null"
"DRONE_GITEA_SERVER=https://gitea.c3d2.de"
"DRONE_SERVER_HOST=drone.c3d2.de"
"DRONE_SERVER_HOST=${hostname}"
"DRONE_SERVER_PORT=:5000"
"DRONE_SERVER_PROTO=https"
"DRONE_USER_CREATE=username:sandro,admin:true"


@ -48,12 +48,9 @@
locations."/" = {
root = "/var/www/ftp.c3d2.de";
extraConfig = /* nginx */ ''
extraConfig = ''
charset UTF-8; # fix mojibake
# better wget scraping ;)
rewrite /(.*)index.html?$ /$1;
fancyindex on;
fancyindex_exact_size off;
fancyindex_css_href /.theme/style.css;

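--- /dev/null
+++ b/hosts/gitea/Migration.md
@@ -0,0 +1,55 @@
+## Migration from [inbert to zentralwerk](https://codimd.c3d2.de/inbert-2021)
+[based on https://docs.gitea.io/en-us/backup-and-restore/](https://docs.gitea.io/en-us/backup-and-restore/)
+### @inbert
+```shell
+sudo -u git gitea dump -c /etc/gitea/app.ini
+```
+### @gitea.hq.c3d2.de (lxc 315 @server6)
+- copied `gitea-dump-*.zip` from inbert to `/tmp/`
+```shell
+/etc/nixos/migrate.sh
+```
+Check consistency:
+```shell
+su gitea
+cd
+export GITEA_WORK_DIR=/var/lib/gitea
+/nix/store/*-gitea-1.15.2/bin/gitea doctor --all
+```
+#### Fix problems caused by database schema changes between Gitea 1.8.3 and 1.15.2
+2 Factor Auth didn't work, but was only used by 2 users anyway. We delete the old settings:
+```sql
+delete from two_factor;
+```
+There is a new column `repository.owner_name` that needs be set. Otherwise the web frontend displayed links starting with `//`.
+Before fixing, we checked the `owner_names` queried by joining via `"user".id = repo.owner_id`:
+```sql
+select "user".lower_name, repo.owner_name, repo.lower_name from repository as repo inner join "user" on "user".id = repo.owner_id;
+```
+```sql
+UPDATE repository
+SET owner_name = map.name
+FROM (SELECT "user".lower_name AS name, repository.owner_id AS id
+FROM repository INNER JOIN "user" ON "user".id = repository.owner_id
+) AS map
+WHERE map.id = repository.owner_id;
+```
+#### Problems with old logins
+Till now `PASSWORD_HASH_ALGO` `argon2` was used, but seems not to work in the new version.
+Using the password recovery works.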


@ -1,10 +1,7 @@
{ config, pkgs, lib, libC, ... }:
{
c3d2 = {
deployment.server = "server10";
hq.sendmail = true;
};
c3d2.deployment.server = "server10";
microvm.mem = 4 * 1024;
@ -27,7 +24,7 @@
gitea = {
enable = true;
appName = "Gitea: with a cup of Mate";
appName = "Gitea: with a cup of Kolle Mate";
database.type = "postgres";
lfs.enable = true;
repositoryRoot = "/var/lib/gitea/repositories";
@ -41,14 +38,19 @@
ldap = {
enable = true;
searchUserPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path;
bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path;
};
settings = {
# we use drone for internal tasks and don't want people to execute code on our infrastructure
actions.ENABLED = true;
actions.ENABLED = false;
"cron.delete_generated_repository_avatars".ENABLED = true;
"cron.delete_old_system_notices".ENABLED = true;
"cron.repo_health_check".TIMEOUT = "300s";
"cron.resync_all_sshkeys" = {
ENABLED = true;
RUN_AT_START = true;
};
database.LOG_SQL = false;
# enable if it is actually useful
# federation.ENABLED = true;
@ -108,8 +110,6 @@
};
};
gitea-actions.enableRegistrar = true;
nginx = {
enable = true;
virtualHosts."gitea.c3d2.de" = {
@ -146,5 +146,18 @@
};
};
programs.msmtp = {
enable = true;
accounts.default = {
host = "mail.c3d2.de";
port = 587;
tls = true;
tls_starttls = true;
auth = false;
domain = "gitea.c3d2.de";
from = "mail@c3d2.de";
};
};
system.stateVersion = "21.11";
}

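--- /dev/null
+++ b/hosts/gitea/migrate.sh
@@ -0,0 +1,19 @@
+#/usr/bin/env bash -e
+DUMP=gitea-dump-1633035257
+USER=gitea
+DATABASE=gitea
+cd /tmp/
+unzip ${DUMP}.zip
+unzip gitea-repo.zip
+systemctl stop gitea
+rm -r /var/lib/gitea/repositories/*
+mv gitea-repositories/* /var/lib/gitea/repositories/
+chown -R gitea:gitea /var/lib/gitea
+sudo -u gitea psql -U $USER -d $DATABASE < gitea-db.sql
+systemctl start gitea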
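Review bot: The first line `#/usr/bin/env bash -e` lacks the `!`, so it is an ordinary comment and the script runs without errexit under whatever shell invokes it; a failed `cd /tmp/` or `unzip` is still followed by `rm -r /var/lib/gitea/repositories/*` and the database import. Even with `#!` restored, Linux hands `bash -e` to `env` as a single argument, so I would use `#!/usr/bin/env bash` and put `set -euo pipefail` on the next line. Unpacking as root into the shared `/tmp/` under fixed names also lets another local account pre-place `gitea-repo.zip` or `gitea-db.sql`; working in a directory from `mktemp -d` avoids that. The expansions `${DUMP}`, `$USER` and `$DATABASE` should be quoted.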


@ -1,31 +1,37 @@
{ lib, pkgs, ... }:
{ pkgs, ... }:
{
imports = [ ./hardware-configuration.nix ];
c3d2 = {
autoUpdate = true;
baremetal = true;
hq.interface = "enp0s25";
k-ot.enable = true;
};
disko.disks = [ {
device = "/dev/disk/by-id/ata-SSD0240S00_20201124BC41037";
name = ""; # empty because disk was formatted before the naming convention
withCeph = false;
withLuks = false;
} ];
nix.settings = {
cores = 4;
max-jobs = 4;
};
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = ./secrets.yaml;
};
boot.loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
};
disko.disks = [ {
device = "/dev/disk/by-id/ata-SSD0240S00_20201124BC41037";
name = "glotzbert";
withCeph = false;
withLuks = false;
} ];
networking = {
domain = "hq.c3d2.de";
firewall = {
@ -56,8 +62,10 @@
wantedBy = [ "graphical-session.target" ];
partOf = [ "graphical-session.target" ];
serviceConfig = {
ExecStart = "${lib.getExe pkgs.x11vnc} -forever -shared -passwd k-ot";
RestartSec = 5;
ExecStart = ''
${pkgs.x11vnc}/bin/x11vnc -shared -forever -passwd k-ot
'';
RestartSec = 3;
Restart = "always";
};
};
@ -123,17 +131,10 @@
wheelNeedsPassword = false;
};
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = ./secrets.yaml;
};
users = {
groups."k-ot".gid = 1000;
users."k-ot" = {
group = "k-ot";
extraGroups = [ "networkmanager" ];
};
users.groups."k-ot".gid = 1000;
users.users."k-ot" = {
group = "k-ot";
extraGroups = [ "networkmanager" ];
};
system.stateVersion = "22.11";
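Review bot: `ExecStart` launches x11vnc with `-passwd k-ot`, so the VNC password is a fixed, guessable string that is published in the repository, copied into the world-readable Nix store and visible in the process list of the running host. I would read it from a file provisioned through the sops setup this module already configures, e.g. `-rfbauth ${config.sops.secrets."x11vnc/passwd".path}` (the secret name is a placeholder, and `config` would have to be added to the module arguments). The firewall block that decides who can reach the VNC port lies outside the hunks shown, so that exposure should be checked as well.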


@ -8,67 +8,10 @@
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" "rtsx_usb_sdmmc" ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" "rtsx_usb_sdmmc" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
fileSystems."/" =
{ device = "glotzbert/data";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/etc" =
{ device = "glotzbert/data/etc";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/nix" =
{ device = "glotzbert/nixos/nix";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/nix/store" =
{ device = "glotzbert/nixos/nix/store";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var" =
{ device = "glotzbert/data/var";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var/lib" =
{ device = "glotzbert/data/var/lib";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var/log" =
{ device = "glotzbert/data/var/log";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/home" =
{ device = "glotzbert/data/home";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/nix/var" =
{ device = "glotzbert/nixos/nix/var";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/D1E3-1422";
fsType = "vfat";
};
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's


@ -112,13 +112,22 @@
};
};
systemd.services = {
# work around our slow storage that can't keep up
influxdb.serviceConfig.LimitNOFILE = "1048576:1048576";
influxdb.serviceConfig.TimeoutStartSec = "infinity";
};
systemd.services =
builtins.foldl'
(services: service:
services // {
"${service}".serviceConfig = {
RestartSec = 60;
Restart = "always";
};
}
)
{ } [ "grafana" "influxdb" ]
// {
# work around our slow storage that can't keep up
influxdb.serviceConfig.LimitNOFILE = "1048576:1048576";
influxdb.serviceConfig.TimeoutStartSec = "infinity";
};
system.stateVersion = "22.05";
users.users.nginx.extraGroups = [ "grafana" ];
}
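Review bot: The trailing `// { … }` in the new `systemd.services` value is a shallow attribute-set update, so the `influxdb` entry on its right-hand side replaces the `influxdb` entry produced by the `foldl'` instead of merging with it. As written, `Restart = "always"` and `RestartSec = 60` would reach only grafana, while influxdb keeps just `LimitNOFILE` and `TimeoutStartSec`. A deep merge fixes that, for example `lib.recursiveUpdate (builtins.foldl' … ) { … }` if `lib` is among this module's arguments (the module header is outside the hunk), or set `influxdb.serviceConfig.Restart` and `RestartSec` explicitly in the second set.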


@ -3,48 +3,6 @@
{
c3d2.deployment.server = "server10";
environment.systemPackages = [
# TODO: move into nixos-modules
(with pkgs.python3.pkgs; buildPythonApplication {
pname = "hedgedoc-util";
version = "unstable-2022-04-20";
format = "other";
src = pkgs.fetchFromGitLab {
domain = "git.cccv.de";
owner = "infra/ansible/roles";
repo = "hedgedoc";
rev = "d69cef4bf6c7fe4e67570363659e4c20b0e102af";
hash = "sha256-dWZtPnQ9ZtS9EEwMA5p9Bhu6zoDQS4fGxVaJ1lPMw/s=";
};
# TODO: upstream this?
patches = [ ./hedgedoc-util-postgres.diff ];
dontBuild = true;
propagatedBuildInputs = [
click
psycopg2
];
installPhase = let
wrapper = pkgs.writeShellScriptBin "hedgedoc-util" ''
cd /var/lib/hedgedoc
sudo=exec
if [[ "$USER" != hedgedoc ]]; then
sudo='exec /run/wrappers/bin/sudo -u hedgedoc --preserve-env'
fi
$sudo $(dirname "$0")/.hedgedoc-util "$@"
'';
in ''
mkdir -p $out/bin
cp files/hedgedoc-util.py $out/bin/.hedgedoc-util
ln -s ${lib.getExe wrapper} $out/bin/hedgedoc-util
'';
})
];
microvm.mem = 1536;
networking.hostName = "hedgedoc";
@ -60,7 +18,6 @@
ldap.enable = true;
settings = {
allowAnonymousEdits = true;
allowEmailRegister = false;
allowFreeURL = true;
allowOrigin = [ "hedgedoc.c3d2.de" ];
csp = {
@ -74,7 +31,6 @@
};
defaultPermission = "freely";
domain = "hedgedoc.c3d2.de";
email = false; # only allow ldap login
loglevel = "warn";
path = "/run/hedgedoc/hedgedoc.sock";
protocolUseSSL = true;
@ -103,7 +59,7 @@
forceSSL = true;
enableACME = true;
locations = {
"^~ /robots\\.txt".return = "200 'User-agent: *\\nDisallow: /'";
"^~ /robots.txt".return = "200 'User-agent: *\\nDisallow: /'";
"/".proxyPass = "http://hedgedoc";
};
};
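Review bot: The two `settings` hunks each shrink by one line, and the lines that go appear to be `allowEmailRegister = false;` and `email = false; # only allow ldap login`. Without them both options fall back to their defaults, which in HedgeDoc enable local e-mail sign-in and self-registration, so accounts could be created outside LDAP on an instance that also sets `allowAnonymousEdits = true` and `defaultPermission = "freely"`. If LDAP is meant to stay the only login path, keep `email = false;` and `allowEmailRegister = false;` in `settings`, or confirm the module defaults for the nixpkgs release this branch targets. The `settings` block starts and ends outside the hunks.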


@ -1,166 +0,0 @@
--- a/files/hedgedoc-util.py 2024-02-03 23:19:47.720921062 +0100
+++ b/files/hedgedoc-util.py 2024-02-03 23:19:42.926928390 +0100
@@ -7,9 +7,7 @@
from subprocess import Popen, PIPE
import click
-import pymysql
-import pymysql.cursors
-import configparser
+import psycopg2
class GlobalState():
def __init__(self, options):
@@ -21,23 +19,17 @@
except Exception as e:
click.echo("Database connection failed: {}".format(repr(e)))
sys.exit(2)
- self._check_schema()
def _get_connection(self):
- return pymysql.connect(host=self.config['dbhost'],
- user=self.config['dbuser'],
- password=self.config['dbpw'],
- database=self.config['dbname'],
- charset='utf8mb4',
- cursorclass=pymysql.cursors.DictCursor)
+ dsn = "host="+self.config['dbhost']
+ if 'dbuser' in self.config:
+ dsn += "user="+self.config['dbuser']
+ if 'dbpw' in self.config:
+ dsn += "password="+self.config['dbpw']
+ if 'dbname' in self.config:
+ dsn += "dbname="+self.config['dbname']
- def _check_schema(self):
- with self.db.cursor() as cursor:
- cursor.execute('SELECT name from SequelizeMeta ORDER BY name ASC')
- schema = ','.join([i['name'] for i in cursor.fetchall()])
- if schema != self.config['dbschema']:
- click.echo("Unsupportet db schema: {}".format(schema))
- sys.exit(2)
+ return psycopg2.connect(dsn)
def _load_config(self, path):
result = {}
@@ -69,6 +61,9 @@
def _decode_nested_json(data, fieldnames):
for i in data:
+ if i == None:
+ continue
+
for fieldname in fieldnames:
if fieldname in i:
if i[fieldname] == None:
@@ -84,34 +79,40 @@
def note_id_encode_to_url(input_id):
return base64.urlsafe_b64encode(binascii.unhexlify(input_id.replace('-', '').encode())).decode().replace('=', '')
-def pad_list(db, columns, last_change_older=0, owner=0):
+def pad_list(db, columns, last_change_older, owner):
+ if owner == None:
+ owner = "00000000-0000-0000-0000-000000000000"
with db.cursor() as cursor:
# this is no sql injection vulnerability because we let click verify the content of "columns" to match a whitelist
- cursor.execute(F"SELECT {','.join(columns)} FROM Notes WHERE (%(last_change_older)s = 0 OR DATEDIFF(NOW(), lastchangeAt) > %(last_change_older)s OR (lastchangeAt IS NULL AND DATEDIFF(NOW(), createdAt) > %(last_change_older)s) AND (%(owner)s = '' OR ownerId = %(owner)s)) ORDER BY id", {'last_change_older': last_change_older, 'owner': owner})
+ cursor.execute(F"SELECT {','.join(columns)} FROM \"Notes\" WHERE (%(last_change_older)s = 0 OR NOW() - \"lastchangeAt\" > interval '%(last_change_older)s' OR (\"lastchangeAt\" IS NULL AND NOW() - \"createdAt\" > interval '%(last_change_older)s') AND (%(owner)s = '' OR \"ownerId\" = %(owner)s::uuid)) ORDER BY id", {'last_change_older': last_change_older, 'owner': owner})
return _decode_nested_json(cursor.fetchall(), ['authorship'])
def pad_get(db, id):
with db.cursor() as cursor:
- cursor.execute('SELECT * FROM Notes WHERE id=%s', (id))
+ cursor.execute('SELECT * FROM "Notes" WHERE id=%s', (id,))
return _decode_nested_json([cursor.fetchone()], ['authorship'])[0]
def pad_get_content(db, id):
return pad_get(db, id).get('content', '')
-def pad_delete(db, id):
- pad = pad_get(db, id)
- urlid = note_id_encode_to_url(id)
- with db:
- with db.cursor() as cursor:
- cursor.execute('DELETE FROM Revisions WHERE noteId=%s', (id))
- cursor.execute('DELETE FROM Notes WHERE id=%s', (id))
- cursor.execute('SELECT id,history FROM Users WHERE JSON_SEARCH(history, "one", %s, "", "$[*].id") is not null;', (urlid))
- with db.cursor() as usercursor:
- for i in cursor:
- history = json.loads(i['history'] or '[]')
- history = [ j for j in history if not j.get('id') == urlid ]
- usercursor.execute('UPDATE Users set history=%s WHERE id=%s;', (json.dumps(history), i['id']))
- db.commit()
+def pad_delete(db, ids):
+ for id in ids:
+ if id == "--":
+ continue
+
+ pad = pad_get(db, id)
+ urlid = note_id_encode_to_url(id)
+ with db:
+ with db.cursor() as cursor:
+ cursor.execute('DELETE FROM "Revisions" WHERE "noteId"=%s', (id,))
+ cursor.execute('DELETE FROM "Notes" WHERE id=%s', (id,))
+ cursor.execute('SELECT id,history FROM "Users" u, json_array_elements(u.history::json) h WHERE h->>\'id\'=%s is not null;', (urlid,))
+ with db.cursor() as usercursor:
+ for i in cursor:
+ history = json.loads(i[1] or '[]')
+ history = [ j for j in history if not j.get('id') == urlid ]
+ usercursor.execute('UPDATE "Users" set history=%s WHERE id=%s;', (json.dumps(history), i[0]))
+ db.commit()
def pad_mail(db, id, template, formats):
with db.cursor() as cursor:
@@ -144,12 +145,12 @@
def user_list(db, columns):
with db.cursor() as cursor:
# this is no sql injection vulnerability because we let click verify the content of "columns" to match a whitelist
- cursor.execute('SELECT {} FROM Users ORDER BY id'.format(','.join(columns)))
+ cursor.execute('SELECT {} FROM "Users" ORDER BY id'.format(','.join(columns)))
return _decode_nested_json(cursor.fetchall(), ['profile', 'history'])
def user_get(db, id):
with db.cursor() as cursor:
- cursor.execute('SELECT * FROM Users WHERE id=%s', (id))
+ cursor.execute('SELECT * FROM "Users" WHERE id=%s', (id,))
return _decode_nested_json([cursor.fetchone()], ['profile', 'history'])[0]
def user_get_mail(db, id):
@@ -192,12 +193,11 @@
@click.group()
@click.option('-o', '--output', type=click.Choice(['text', 'json', 'tsv', 'tsv-noheader']), default='text', help='Select output format', show_default=True, show_envvar=True)
-@click.option('--config', default='/usr/local/etc/hedgedoc-util/hedgedoc-util.cfg', type=click.Path(), help='Config to load db and template default settings from', show_envvar=True, show_default=True)
+@click.option('--config', default='/etc/hedgedoc-util/hedgedoc-util.cfg', type=click.Path(), help='Config to load db and template default settings from', show_envvar=True, show_default=True)
@click.option('--dbuser', help='User name used for the db connection', show_envvar=True)
@click.option('--dbpw', help='Password used for the db connection', show_envvar=True)
@click.option('--dbname', help='Database used', show_envvar=True)
-@click.option('--dbhost', help='Host the db is running on', show_envvar=True)
-@click.option('--dbschema', help='Schema string to verify the db schema against', show_envvar=True)
+@click.option('--dbhost', help='Host the db is running on', default='/run/postgresql/', show_envvar=True)
@click.pass_context
def cli(ctx, **kwargs):
ctx.obj = GlobalState(kwargs)
@@ -219,7 +219,7 @@
@cli_pad.command(name="list", help="List all pads")
@click.option('-c', '--columns', default=['id'], type=click.Choice(['id', 'title', 'content', 'ownerId', 'createdAt', 'updatedAt', 'shortid', 'permission', 'viewcount', 'lastchangeuserId', 'lastchangeAt', 'alias', 'deletedAt', 'authorship']), help="Select what data to display. Can be passed multiple times.", multiple=True, show_default=True, show_envvar=True)
@click.option('--last-change-older', type=click.INT, default=0, help='Only list those pads which are older than this value. In days.', show_envvar=True)
-@click.option('--owner', type=click.STRING, default='', help='Only list pads with this owner, pass the user id', show_envvar=True)
+@click.option('--owner', type=click.STRING, help='Only list pads with this owner, pass the user id', show_envvar=True)
@click.pass_obj
def _pad_list(obj, columns, last_change_older, owner):
output_object(pad_list(obj.db, columns, last_change_older=last_change_older, owner=owner))
@@ -231,10 +231,10 @@
output_object(pad_get(obj.db, id))
@cli_pad.command(name="delete", help="Deletes a pad")
-@click.argument('id')
+@click.argument('ids', nargs=-1)
@click.pass_obj
-def _pad_delete(obj, id):
- pad_delete(obj.db, id)
+def _pad_delete(obj, ids):
+ pad_delete(obj.db, ids)
@cli_pad.command(name="get-content", help="Get the content of one pad by its id")
@click.argument('id')


@ -24,20 +24,14 @@ in
linkConfig.Name = "c3d2";
};
networks."40-c3d2" = {
dhcpV4Config.UseRoutes = "no";
matchConfig.MACAddress = c3d2MacAddress;
networkConfig = {
DHCP = "no";
IPv6AcceptRA = "no";
LinkLocalAddressing = "yes";
IPv6AcceptRA = "no";
};
};
};
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1w"
];
services = {
avahi.enable = true;
@ -49,6 +43,7 @@ in
home-assistant = {
enable = true;
config = {
automation = "!include automations.yaml";
binary_sensor = [
{
platform = "rest";
@ -65,11 +60,11 @@ in
platform = "rest";
name = "c3d2";
unique_id = "status_c3d2";
resource = "http://schalter.hq.c3d2.de/schalter.json";
resource = "https://c3d2.de/spaceapi.json";
method = "GET";
scan_interval = 60;
verify_ssl = true;
value_template = "{{ value_json['status'] }}";
value_template = "{{ value_json['state']['open'] }}";
device_class = "door";
}
];
@ -92,15 +87,11 @@ in
};
};
extraComponents = [
"esphome"
"met" # Meteorologisk institutt aka the weather widget
"mqtt"
"radio_browser"
# extra things we use
"wled"
"zha" # Zigbee
];
ldap.enable = true;
package = pkgs.home-assistant.override {
package = (pkgs.home-assistant.override {
# those tests take a long(er) time and can't be sped up with pytest-xdist
packageOverrides = _: prev: let
noTests.doCheck = false;
@ -108,7 +99,7 @@ in
aws-sam-translator = prev.aws-sam-translator.overridePythonAttrs (_: noTests);
moto = prev.moto.overridePythonAttrs (_: noTests);
};
};
});
};
nginx = {
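Review bot: The `config` hunk grows by one line, apparently `automation = "!include automations.yaml";`, which makes the generated configuration depend on a file in Home Assistant's state directory that nothing in the visible hunks creates. On a fresh deployment the include would fail until the file exists, and automations edited through the UI then live outside this repository and outside review. Consider creating the file declaratively, e.g. a `systemd.tmpfiles.rules` entry of the form `f ${config.services.home-assistant.configDir}/automations.yaml 0644 hass hass`, and add a comment next to the include saying that UI-managed automations are stored there. The rest of the module is outside the hunks, so this may already be handled elsewhere.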


@ -1,5 +1,8 @@
{ config, lib, libS, pkgs, ... }:
let
cachePort = 5000;
in
{
imports = [
./hardware-configuration.nix
@ -53,22 +56,22 @@
{
hostName = "client@dacbert.hq.c3d2.de";
system = lib.concatStringsSep "," [
"aarch64-linux" # very slow compared to gallium
# "aarch64-linux" # very slow compared to gallium
"armv6l-linux" "armv7l-linux"
];
speedFactor = 1;
supportedFeatures = [ "kvm" "nixos-test" ];
maxJobs = 1;
}
# {
# hostName = "gallium.s6o.de";
# maxJobs = 4;
# speedFactor = 10;
# sshUser = config.nix.remoteBuilder.name;
# # kvm is not supported because /dev/kvm does not exist
# supportedFeatures = [ "big-parallel" "nixos-test" "benchmark" ];
# system = "aarch64-linux";
# }
{
hostName = "gallium.supersandro.de";
maxJobs = 4;
speedFactor = 10;
sshUser = config.nix.remoteBuilder.name;
# kvm is not supported because /dev/kvm does not exist
supportedFeatures = [ "big-parallel" "nixos-test" "benchmark" ];
system = "aarch64-linux";
}
];
daemonCPUSchedPolicy = "idle";
daemonIOSchedClass = "idle";
@ -98,10 +101,89 @@
'';
};
containers = {
# hydra-binfmt-builder = {
# autoStart = true;
# config = { ... }: {
# imports = [ (modulesPath + "/profiles/minimal.nix") ];
# networking.firewall.allowedTCPPorts = [ 22 ];
# nix = {
# settings = config.nix.settings;
# extraOptions = config.nix.extraOptions;
# };
# services.openssh.enable = true;
# system.stateVersion = "22.11";
# users.users."root".openssh.authorizedKeys.keys = [
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBga6vW8lnbFKl+Yd2xBiF71FRyV14eDUnqcMc2AWifI root@hydra"
# ];
# };
# hostAddress = "192.168.100.1";
# localAddress = "192.168.100.3";
# privateNetwork = true;
# };
# disabled because currently it display `ARRAY(0x4ec2040)` on the website and also uses a perl array in store paths instead of /nix/store
# hydra-ca = {
# autoStart = true;
# config = { ... }: {
# imports = [
# hydra-ca.nixosModules.hydra
# ];
# environment.systemPackages = with pkgs; [ git ];
# networking.firewall.allowedTCPPorts = [ 3001 ];
# nix = {
# settings = {
# allowed-uris = "https://gitea.c3d2.de/ https://github.com/ https://gitlab.com/ ssh://gitea@gitea.c3d2.de/";
# builders-use-substitutes = true;
# experimental-features = "ca-derivations nix-command flakes";
# extra-substituters = "https://cache.ngi0.nixos.org/";
# extra-trusted-public-keys = "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=";
# substituters = [
# "https://cache.ngi0.nixos.org/"
# ];
# trusted-public-keys = [
# "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA="
# ];
# };
# };
# nixpkgs = {
# # config.contentAddressedByDefault = true;
# overlays = [ self.overlay ];
# };
# services = {
# hydra-dev = lib.recursiveUpdate config.services.hydra-dev {
# hydraURL = "https://hydra-ca.hq.c3d2.de";
# port = 3001;
# };
# };
# system.stateVersion = "22.05"; # Did you read the comment? No.
# };
# hostAddress = "192.168.100.1";
# localAddress = "192.168.100.2";
# privateNetwork = true;
# };
};
networking = {
hostId = "3f0c4ec4";
hostName = "hydra";
nameservers = [ "172.20.73.8" "9.9.9.9" ];
# nat = {
# enable = true;
# externalInterface = "serv";
# internalInterfaces = [ "ve-hydra-biLqAU" ];
# };
};
programs.ssh.knownHosts = lib.mkMerge [
@ -124,13 +206,6 @@
];
};
gitea-actions = {
enableRunner = true;
kvm = true;
zfsDataset = "hydra/data/podman";
giteaUrl = "https://gitea.c3d2.de";
};
hydra = {
enable = true;
buildMachinesFiles = [
@ -159,11 +234,15 @@
'';
};
# A rust nix binary cache
harmonia = {
enable = true;
domain = "nix-cache.hq.c3d2.de";
port = 5000;
settings.workers = 20;
settings = {
bind = "[::]:${toString cachePort}";
workers = 20;
max_connection_rate = 1024;
priority = 50;
};
signKeyPath = config.sops.secrets."nix/signing-key/secretKey".path;
};
@ -176,12 +255,22 @@
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
serverAliases = [
"hydra-ca.hq.c3d2.de"
"hydra.serv.zentralwerk.org"
];
};
# "hydra-ca.hq.c3d2.de" = {
# enableACME = true;
# forceSSL = true;
# locations."/".proxyPass = "http://192.168.100.2:3001";
# };
"nix-cache.hq.c3d2.de" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:${toString cachePort}";
serverAliases = [
"nix-serve.hq.c3d2.de"
];
};
};
};
@ -221,7 +310,6 @@
};
"ssh-keys/hydra/private" = {
owner = "hydra";
# used for cloning flake inputs
path = "/var/lib/hydra/.ssh/id_ed25519";
};
"ssh-keys/hydra/public" = {
@ -231,7 +319,6 @@
};
"ssh-keys/root/private" = {
owner = "hydra-queue-runner";
# used to build the actual derivations
path = "/var/lib/hydra/queue-runner/.ssh/id_ed25519";
};
"ssh-keys/root/public" = {
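Review bot: `bind = "[::]:${toString cachePort}";` in the new harmonia `settings` makes the cache listen on every address, while the `nix-cache.hq.c3d2.de` vhost added further down reaches it over `http://127.0.0.1:${toString cachePort}`. If nginx is the intended entry point, the wildcard bind leaves a second, plaintext path to the cache on that port that bypasses `forceSSL` and any nginx-side limits, depending on firewall rules that are not visible here. Binding to loopback closes that: `bind = "127.0.0.1:${toString cachePort}";`. A short comment above `max_connection_rate` and `priority` stating why those values were chosen would also help the next maintainer.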


@ -1,261 +0,0 @@
{ config, pkgs, zentralwerk, ... }:
{
c3d2 = {
hq.statistics.enable = true;
deployment.server = "server10";
};
environment = {
etc.gitconfig.text = /* gitconfig */ ''
[url "gitea@gitea.c3d2.de:"]
insteadOf = https://gitea.c3d2.de/
'';
systemPackages = with pkgs; [
rsync # used in drone CI
];
};
# changes in knot config cause a rebuild because tools like keymgr are wrapped with the config file *and* contain the man pages
documentation.man.generateCaches = false;
networking = {
hostName = "knot";
firewall = {
allowedTCPPorts = [
# DNS
53
];
allowedUDPPorts = [
# DNS
53
];
};
};
# required for CI
microvm = let
writableStoreOverlayImage = "/var/tmp/nix-store-overlay.img";
in {
preStart = ''
# Discard old writable store overlay
rm -f "${writableStoreOverlayImage}"
'';
volumes = [ {
image = writableStoreOverlayImage;
mountPoint = config.microvm.writableStoreOverlay;
size = 1 * 1024;
} ];
writableStoreOverlay = "/nix/.rw-store";
};
nix.enable = true;
services.knot = {
enable = true;
keyFiles = [ config.sops.secrets."knot/keyFile".path ];
settings = {
acl = [
{
id = "jabber";
key = "jabber.c3d2.de";
action = "update";
update-owner = "name";
update-owner-match = "sub-or-equal";
update-owner-name = [ "jabber.c3d2.de." ];
}
{
id = "axfr";
address = [
# Inbert
"2001:67c:1400:2240::1/128"
# dns.serv.zentralwerk.org
"172.20.73.2/32"
"2a00:8180:2c00:282:2::2"
];
action = [ "transfer" "notify" ];
}
{
# https://www.knot-dns.cz/docs/3.3/singlehtml/index.html#catalog-zones-configuration-examples
id = "zone_xfr";
address = [
# ns.spaceboyz.net
"95.217.229.209" "2a01:4f9:4b:39ec::4"
# ns1.supersandro.de
"188.34.196.104" "2a01:4f8:1c1c:1d38::1"
];
action = "transfer";
}
{
id = "dns.serv.zentralwerk.org_notify";
address = [ /*"172.20.73.2"*/ "2a00:8180:2c00:282:2::2" ];
action = "notify";
}
];
log = [ {
target = "syslog";
any = "info";
} ];
mod-stats = [ {
id = "default";
query-type = "on";
} ];
remote = [
{
id = "ns.spaceboyz.net";
address = [ "95.217.229.209" "2a01:4f9:4b:39ec::4" ];
} {
# TODO: drop
id = "ns0.q-ix.net";
address = [ "217.115.12.65" "2a00:1328:e101:b01::1" ];
} {
id = "ns1.supersandro.de";
# IPv4 doesn't work because of nat
address = [ /*"188.34.196.104"*/ "2a01:4f8:1c1c:1d38::1" ];
} {
id = "dns.serv.zentralwerk.org";
address = [ "172.20.73.2" "2a00:8180:2c00:282:2::2" ];
}
];
remotes = [
{
id = "all";
remote = [ "ns.spaceboyz.net" "ns1.supersandro.de" ];
}
{
# TODO: drop
id = "q-ix";
remote = [ "ns0.q-ix.net" ];
}
];
server = {
answer-rotation = true;
automatic-acl = true;
identity = "ns.c3d2.de";
listen = with zentralwerk.lib.config.site.net.serv; [
"127.0.0.1"
"::1"
hosts4.knot hosts6.up4.knot hosts6.dn42.knot
"2a00:8180:2c00:282:2041:cbff:fe0c:8516"
"fd23:42:c3d2:582:2041:cbff:fe0c:8516"
];
tcp-fastopen = true;
version = null;
};
template = [
{
# default is a magic name and is always loaded.
# Because we want to use catalog-role/catalog-zone settings for all zones *except* the catalog zone itself, we must split the templates
id = "default";
global-module = [ "mod-stats" ];
}
{
id = "c3d2";
catalog-role = "member";
catalog-zone = "c3d2.";
dnssec-signing = true;
file = "%s.zone";
journal-content = "all"; # required for zonefile-load=difference-no-serial and makes cold starts like zone reloads
module = "mod-stats/default";
semantic-checks = true;
serial-policy = "dateserial";
storage = "/var/lib/knot/zones";
zonefile-load = "difference-no-serial";
}
{
id = "zentralwerk_template";
acl = "dns.serv.zentralwerk.org_notify";
master = "dns.serv.zentralwerk.org";
storage = "/var/lib/knot/catalog/zentralwerk";
}
];
zone = [
{
acl = "zone_xfr";
catalog-role = "generate";
domain = "c3d2.";
notify = [ "ns1.supersandro.de" ];
storage = "/var/lib/knot/catalog";
}
{
acl = "dns.serv.zentralwerk.org_notify";
catalog-role = "interpret";
catalog-template = "zentralwerk_template";
domain = "zentralwerk.";
master = "dns.serv.zentralwerk.org";
storage = "/var/lib/knot/catalog";
}
] ++ map ({ acl ? [], notify ? [], ... }@zone: {
inherit (zone) domain;
template = "c3d2";
notify = [ "all" ] ++ notify;
acl = [ "axfr" "zone_xfr" ] ++ acl;
}) [
{ domain = "c3dd.de"; notify = [ "q-ix" ]; }
{ domain = "c3d2.de"; acl = [ "jabber" ]; }
{ domain = "hq.c3d2.de"; }
{ domain = "dyn.hq.c3d2.de"; }
# TODO: consolidate
{ domain = "inbert.c3d2.de"; }
{ domain = "c3d2.ffdd"; }
{ domain = "c3d2.space"; }
{ domain = "c3d2.social"; }
{ domain = "cccdd.de"; notify = [ "q-ix" ]; }
{ domain = "dresden.ccc.de"; }
{ domain = "datenspuren.de"; }
{ domain = "netzbiotop.org"; }
{ domain = "pentamedia.org"; notify = [ "q-ix" ]; }
{ domain = "zentralwerk.ffdd"; }
{ domain = "2001-67c0-1400-2240.ip6.arpa"; }
{ domain = "2a0f-5382-acab-1400.ip6.arpa"; }
{ domain = "40.158.45.in-addr.arpa"; }
{ domain = "99.22.172.in-addr.arpa"; }
];
};
};
security.sudo.extraRules = [ {
users = [ "knot" ];
commands = [ {
command = "/etc/profiles/per-user/knot/bin/reload-knot";
options = [ "NOPASSWD" ];
} ];
} ];
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
"knot/keyFile".owner = "knot";
"ssh-keys/knot/private" = {
owner = "knot";
path = "${config.users.users.knot.home}/.ssh/id_ed25519";
};
"ssh-keys/knot/public" = {
owner = "knot";
path = "${config.users.users.knot.home}/.ssh/id_ed25519.pub";
};
};
};
system.stateVersion = "23.11";
users.users.knot = {
home = "/var/lib/knot/zones/";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHIkIN1gi5cX2wV2WuNph/QzVK7vvYkvqnR/P69s36mZ drone@c3d2"
];
packages = [
(pkgs.writeScriptBin "reload-knot" ''
knotc reload
'')
];
useDefaultShell = true;
};
}


@ -1,197 +0,0 @@
{ config, lib, pkgs, ... }:
{
microvm.mem = 2048;
networking.hostName = "mail";
c3d2 = {
deployment.server = "server10";
};
mailserver = let
inherit (config.security) ldap;
ldapFilter = ldap.searchFilterWithGroupFilter "mail-users" "(uid=%n)";
in {
enable = true;
certificateScheme = "acme-nginx";
dmarcReporting = {
# enable = true;
# domain = "c3d2.de";
organizationName = "Netzbiotop Dresden e.V.";
};
debug = true;
domains = [
"c3d2.social"
"netzbiotop.org"
];
dkimKeyBits = 2048;
dkimSelector = "default";
dkimSigning = true;
enableImap = true;
enableImapSsl = true;
enableManageSieve = true;
enablePop3 = true;
enablePop3Ssl = true;
enableSubmission = true;
enableSubmissionSsl = true;
extraVirtualAliases = {};
fqdn = "mail.flpk.zentralwerk.org";
ldap = {
enable = true;
bind = {
dn = ldap.bindDN;
passwordFile = config.sops.secrets."dovecot/ldapSearchUserPassword".path;
};
dovecot = {
passFilter = ldapFilter;
# userAttrs = "uidNumber=uid";
userFilter = ldapFilter;
};
postfix = {
filter = ldap.groupFilter "mail-users";
mailAttribute = "uid";
# uidAttribute = "uid";
};
searchBase = ldap.userBaseDN;
uris = [ "ldaps://${ldap.domainName}" ];
};
mailboxes = {
Drafts = {
auto = "subscribe";
specialUse = "Drafts";
};
Sent = {
auto = "subscribe";
specialUse = "Sent";
};
Spam = {
auto = "subscribe";
specialUse = "Junk";
};
Trash = {
auto = "subscribe";
specialUse = "Trash";
};
};
maxConnectionsPerUser = 10;
messageSizeLimit = 10240000; # 10 MiB
monitoring = {
# enable = true;
# alertAddress = "example@c3d2.de";
};
rejectRecipients = [ config.mailserver.dmarcReporting.localpart ];
virusScanning = false;
vmailGroupName = "vmail";
vmailUserName = "vmail";
};
networking.enableIPv6 = false; # mail is stuck in the 80s
services = {
backup = {
enable = true;
paths = [
"/var/lib/dovecot/"
"/var/lib/postfix/"
"/var/dkim/"
"/var/sieve/"
"/var/vmail/"
];
};
nginx = {
enable = true;
commonHttpConfig = /* nginx */ ''
proxy_headers_hash_bucket_size 96;
'';
virtualHosts."autoconfig.netzbiotop.org" = {
enableACME = true;
forceSSL = true;
serverAliases = [
"autoconfig.netzbiotop.org"
"autodiscover.netzbiotop.org"
];
locations = {
"/".proxyPass = "http://127.0.0.1:4243/";
"/initdb".extraConfig = ''
# Limit access to clients connecting from localhost
allow 127.0.0.1;
deny all;
'';
};
};
};
portunus.addToHosts = true;
postfix.mapFiles."valias" = lib.mkForce "/home/root/valias";
roundcube = {
enable = true;
hostName = config.mailserver.fqdn;
extraConfig = /* php */ ''
# starttls needed for authentication, so the fqdn required to match the certificate
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets."dovecot/ldapSearchUserPassword" = {
owner = config.users.users.dovecot2.name;
};
};
systemd.services.automx2 = {
after = [ "network.target" ];
postStart = let
json = pkgs.writeText "data.json" (builtins.toJSON {
provider = config.mailserver.dmarcReporting.organizationName;
domains = config.mailserver.domains;
servers = [
{ name = config.mailserver.fqdn; type = "imap"; }
{ name = config.mailserver.fqdn; type = "pop3"; }
{ name = config.mailserver.fqdn; type = "smtp"; }
];
});
in ''
sleep 3 && ${lib.getExe pkgs.curl} -X POST --json @${json} http://127.0.0.1:4243/initdb/
'';
serviceConfig = {
Environment = [
"AUTOMX2_CONF=${pkgs.writeText "automx2-conf" /* toml */ ''
[automx2]
loglevel = WARNING
db_uri = sqlite:///:memory:
proxy_count = 1
''}"
"FLASK_APP=automx2.server:app"
"FLASK_CONFIG=production"
];
ExecStart = "${pkgs.python3.buildEnv.override { extraLibs = [ pkgs.python3Packages.automx2 ]; }}/bin/flask run --host=127.0.0.1 --port=4243";
Restart = "always";
StateDirectory = "automx2";
User = "automx2";
WorkingDirectory = "/var/lib/automx2";
};
unitConfig = {
Description = "MUA configuration service";
Documentation = "https://rseichter.github.io/automx2/";
};
wantedBy = [ "multi-user.target" ];
};
system.stateVersion = "23.11";
users = {
groups.automx2 = {};
users.automx2 = {
group = "automx2";
isSystemUser = true;
};
};
}


@ -1,184 +0,0 @@
dovecot:
ldapSearchUserPassword: ENC[AES256_GCM,data:NPbf6YO3JQjXOnx/1V+nkltTovO0/x9OlPp2d+kkZ/U=,iv:lKbrhoNw9zKXkVGtpw//w67xAXiTgEi2N9Z1SdWj4KA=,tag:DbekEccg9FZVpQcYcXiYLg==,type:str]
restic:
password: ENC[AES256_GCM,data:VMbQ/QX6naNqc7CxJ6ctd18sUyAoS4ssYYQdQtWQGxM=,iv:oB4x5p6CcMebk0wDcpqTkyZ7Mv7YN1Xhfxj4pR3u3Hw=,tag:G9eBnZHzq3YtLI1u12qhDg==,type:str]
repositories:
server9: ENC[AES256_GCM,data:Rvp0i87VAC30JQiJvcI0QSqXDeRXr7JqRGrLmxMI5GccSTjleK8Br0WgDTqpgKM8oqTX6PH5qcCeP58KhG6W7Ow7N6YKZhCc9w9fPQkQ+zIsqtQs7aXAINNtSH2P0A==,iv:wDRf3lv//WMyq1mL1UEVPJtb6Ye5Pr5KIGlBFSzV/x0=,tag:o0LLDwYUeB8GutG7ZOo4Sg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age15t7hj27j6ccs8u7mfz8su3aa74g4dxp4crkgc3c0rs28hct7q4ssgk8zcm
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQ0p1NFJNZ2UzRkRQaVoz
YnlXVzJLdS9pT0hhVi9OUzc0cjJlWFdGVG1rClczcGE2MGJYcEJBeU9aREJVVlRo
alZCaVhrWE1DMXMyYXdibm51OG95TjAKLS0tIHFnMUpPT0thS2xBeXB1MUZOOFVK
azBEdklKUTZwTVZBaGNGd1lwTlNva1kK6oiSn61SWRJhvzCQu4+AYfH+iCDta3lS
gfXfwU+uMK8z9wcE+XRgzyaSLmJ7Dt4M4zse/HKAntEPL3R9o7K4Aw==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRNUVlUFI0K1M1anRxT2p0
Y0pCdVVFWTJJbHpQalVlT1lnU2dIc0x2dVU0Cm4xQjVrZW9NQjZwTlFZVHJDeEJk
Q0lSaUJrSDBOenFuVkliaEJMV2hCeU0KLS0tIHEzVzhqVklkUThjdzZQdStVQjRj
ZUdaTUxGTWVOY2NwZEcvcmg5RThmbkEKXRRI+pIzT9dHD8OUfUxSY2pk/P8xgv5H
Y5iOTS7t4QnS8O3jy1qwd4WraqQZXsTPUxvcJuVz+jHdLVmdU6ihow==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-13T13:28:43Z"
mac: ENC[AES256_GCM,data:zp6O3C1BGvsXP/D26x1wQpTGabk/7cwVfeTpMS+je6co813xRku6yt4FTtd4HUocl2nORc94fIWJlnuSiLbYpXMkoZk6Mc0aupqwrOXJmLQ4rZMwxVWHaaFQUSFqRLABtTB8uTbJ3uHjhwZRdMxbtGR2K2elq5T6j0gzsBFQQ84=,iv:VtbpVlcS2rqHECltJ19g8NTSfnXCf2fqVxaolNKlqHc=,tag:8bLvwYML4ssb+uE4U+u0/w==,type:str]
pgp:
- created_at: "2024-04-12T19:32:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=vFHQ
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
- created_at: "2024-04-12T19:32:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=zKJj
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2024-04-12T19:32:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DqDJbhoEBo+ISAQdAslG8/2evMgjnjd79b0Y++mYS5CUAy3Z7DDVESSjjrAcw
fcVKtjacM+mmV0ngtVhYrqkeYv1PqOlfmiQRNVu/8pftEIOu5ehL0rDqLM6iEYef
1GgBCQIQTadoM7Nhu+2LDDbRDQsI4G3TNrX+lnfTL3XxYW4wA6Eq/94KppMoIfjF
uU6/jEs7V1iUERTUtwttag1abH0zwNrNngz2TSlIGtj36HCMilB+4ArJdysITLh3
CMbn1VZTBBq9/g==
=wRSW
-----END PGP MESSAGE-----
fp: 8F79E6CD6434700615867480D11A514F5095BFA8
- created_at: "2024-04-12T19:32:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=vdi4
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2024-04-12T19:32:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=5yZb
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2024-04-12T19:32:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=Zuev
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2024-04-12T19:32:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=+38B
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2024-04-12T19:32:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA45bZkLXmBFpAQf9GGtPG2Q/RgsLBM0rNwLRd8PT68FkeWZXyiGwQCzBRiZ4
oVi6TMdezVPT5Gjo9HTbM5LOCvewup4VV0w1/4R8jdpP80hRJFpOrwIbjNyGYfYl
oQ3wiM12AdlT4/xBdJuN6eQqCo2CoI5CkqoCjaNw6PqT/8xWt22pA/rBHT9b0V3+
e/0Hf1eHCQscKrzALCw0zuVhXLfvJyuRMjm4mSB558FRz0teAHJd9we/7KfHbCuH
f3DKp0Dy4GE0HGrA3huOOY71Z3Ij+/azNTXSt6XohmiCUwqRbT/iKABM5k2mQU9R
AyLio3mfcVhM4FzacZpPEFbhojWGQtASnT3pP08MttJeAf8oGSuHTkt+6liTOjQr
TnNxTq14TnL/I9dBhS86pSMTYG33zHHvc3qNbBW0a3R3DFtcE1xmwH51YI0ieg5U
jyQszbYEmfLLjuhtEo8K+WSzwwbL+Qu7/qm/6BgHPw==
=c+XU
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,228 @@
{ config, pkgs, lib, ... }:
let
domain = "mailtngbert.c3d2.de";
ldap-auth-config = pkgs.writeText "ldap-auth-settings" ''
uris = ldaps://auth.c3d2.de
dn = uid=search,ou=users,dc=c3d2,dc=de
!include ${config.sops.secrets."ldap/search-user-pw".path}
auth_bind = yes
auth_bind_userdn = uid=%n,ou=users,dc=c3d2,dc=de
ldap_version = 3
base = ou=users,dc=c3d2,dc=de
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=person)(uid=%n))
pass_filter = (&(objectClass=person)(uid=%n))
'';
in
{
microvm.mem = 2048;
networking = {
hostName = "mailtngbert";
firewall.allowedTCPPorts = [
# postfix (smtp and submission)
25 587
# dovecot (imap)
143
# managesieve
4190
];
};
c3d2 = {
deployment.server = "server10";
hq.statistics.enable = true;
};
services = {
backup = {
enable = true;
paths = [ "/var/lib/dovecot/" "/var/lib/postfix/" ];
};
portunus.addToHosts = true;
postfix = {
enable = true;
enableSmtp = true;
enableSubmission = true;
enableHeaderChecks = true;
domain = "${domain}";
hostname = "${domain}";
sslCert = "/var/lib/acme/${domain}/fullchain.pem";
sslKey = "/var/lib/acme/${domain}/key.pem";
networks = [
"127.0.0.1"
"172.20.77.10" #TODO: take ip directly from server10 config
"[2a00:8180:2c00:284::]/64"
];
virtual = ''
postmaster root
abuse root
root root
garbage root
'';
#TODO: where does root get received?
config = {
myorigin = "${domain}";
mydestination = [
"127.0.0.1"
];
mail_owner = "postfix";
smtp_use_tls = true;
smtp_tls_security_level = "encrypt";
smtpd_use_tls = true;
smtpd_tls_security_level = lib.mkForce "encrypt";
smtpd_recipient_restrictions = [
"permit_mynetworks"
"permit_sasl_authenticated"
"reject_unauth_destination"
];
smtpd_relay_restrictions = [
"permit_mynetworks"
"permit_sasl_authenticated"
"reject_unauth_destination"
];
smtpd_sasl_auth_enable = true;
smtpd_tls_auth_only = true;
smtpd_tls_protocols = [
"!SSLv2"
"!SSLv3"
"!TLSv1"
"!TLSv1.1"
];
smtpd_tls_mandatory_ciphers = "high";
smtpd_sasl_path = "/var/lib/postfix/auth";
smtpd_sasl_type = "dovecot";
virtual_mailbox_domains = [
"${domain}"
];
virtual_gid_maps = "static:5000";
virtual_uid_maps = "static:5000";
virtual_minimum_uid = "1000";
virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
virtual_mailbox_base = "/var/spool/mail";
message_size_limit = "40960000";
};
};
dovecot2 = {
enable = true;
enableImap = true;
enableLmtp = true;
enablePop3 = false;
enablePAM = false;
enableQuota = true;
createMailUser = true;
mailLocation = "maildir:/var/mail/%u";
mailboxes = {
Spam = {
auto = "create";
specialUse = "Junk";
};
Sent = {
auto = "create";
specialUse = "Sent";
};
Drafts = {
auto = "create";
specialUse = "Drafts";
};
Trash = {
auto = "create";
specialUse = "Trash";
};
};
modules = [
pkgs.dovecot_pigeonhole
];
quotaGlobalPerUser = "1G";
sslServerCert = "/var/lib/acme/${domain}/fullchain.pem";
sslServerKey = "/var/lib/acme/${domain}/key.pem";
protocols = [ ];
mailPlugins = {
perProtocol = {
imap = {
enable = [ ];
};
lmtp = {
enable = [ ];
};
};
};
extraConfig = ''
passdb {
driver = ldap
args = ${ldap-auth-config}
}
userdb {
driver = ldap
args = ${ldap-auth-config}
}
service lmtp {
unix_listener dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
}
service auth {
unix_listener /var/lib/postfix/auth {
group = postfix
mode = 0660
user = postfix
}
user = dovecot2
}
protocol lmtp {
postmaster_address = root@c3d2.de
}
protocol imap {
mail_max_userip_connections = 100
}
mail_uid = ${config.users.users.dovecot2.name}
mail_gid = ${config.users.users.dovecot2.group}
first_valid_uid = ${toString config.users.users.dovecot2.uid}
'';
};
nginx = {
enable = true;
virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
/*
locations."/rspamd/" = {
proxyPass = "http://127.0.0.1:11334/";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
*/
};
};
};
security.acme.certs."${domain}" = {
reloadServices = [
"postfix.service"
"dovecot2.service"
];
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets."ldap/search-user-pw" = {
owner = config.users.users.dovecot2.name;
};
};
system.stateVersion = "22.11";
}
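Review bot: The `smtpd_tls_protocols` list in `services.postfix.config` does not take effect as written, because `smtpd_tls_security_level` is forced to `"encrypt"` and Postfix then consults `smtpd_tls_mandatory_protocols` instead; depending on the Postfix default, TLSv1 and TLSv1.1 may still be negotiated. Set `smtpd_tls_mandatory_protocols = [ "!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" ];` (keeping the opportunistic list as well does no harm). Port 25 is also opened in the firewall, and mandatory TLS there rejects any sender that cannot do STARTTLS, so if this host is meant to receive mail from the Internet the `encrypt` level probably belongs on submission only. Finally, `services.backup.paths` covers `/var/lib/dovecot/` and `/var/lib/postfix/` but not `/var/mail`, where `mailLocation` puts the maildirs.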


@ -0,0 +1,172 @@
ldap:
search-user-pw: ENC[AES256_GCM,data:Mq7/jNiK98v5GiE3cIORRlqHCWEdQyPuKKrpfiUsc3cguZQU4gLtKl7CKEw=,iv:PI1+hYfIvswbFxwVhpJtK9wnVoi/4CBjy6JrG3YIR9w=,tag:yehHG79bH+FzpP6wJ8dPyw==,type:str]
restic:
password: ENC[AES256_GCM,data:VMbQ/QX6naNqc7CxJ6ctd18sUyAoS4ssYYQdQtWQGxM=,iv:oB4x5p6CcMebk0wDcpqTkyZ7Mv7YN1Xhfxj4pR3u3Hw=,tag:G9eBnZHzq3YtLI1u12qhDg==,type:str]
repositories:
server9: ENC[AES256_GCM,data:I5x8C/KHQGx+TeLLQ8C+FK1mS7H0mnUpMfZNNn1pzSIhwofMpb4gE/df59egBoAuYh3WPC7TkhcgQlmzXod63HQj/n4pbjzu25LlzXBdsP+9MnIRSSINieg0mb4mJvRYRpyXasA1UzT8hmr9,iv:maerDVaopXLRsjdGC7FKOPj4Qd1UTW0KCbMpjx0CSTo=,tag:OBzP99qYNMIXh02cqJ8Axg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1jr5mc4ekmjf4uk2ue4xcuy0yl202phlu2t6c544qfj45ahzag56s4d0kzj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwWmdxZHFybE0wYWo1TU80
NjY2TjgrTzdWYm52dDlMVkVDMUlKYWNlMTBnClRxMk5UcGI5VXA3ZExDSGZqWWFC
Qk42a04yZWQwT2FSSUcrSldpQ3pLSncKLS0tIFhKWGs0NHVsQjNoNVdCOGQ1OVFX
NFNGbzlNVG1DdVpaWjlLRWxMdUtUQ0UKZIWRyo9dSedG5koms/KYvR7LNF6CtZ85
AJEG+a7RKgBV5vVRI/rDqjvWR7fv8r0hlKtLOtUsbysW5Ka74rAj7w==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3bE5NbVFXcFdrcDVZWVpz
SzlMcnd3M3FYM3NMUmR0RHo1NHBKdlphZzE4CkhLYkgwZEVxS3NnMTRneHN3KzVu
a2FkS1Q3ZVFiK2tnY3NsSVpDcVlQTnMKLS0tIGVjV1NmdEZubmZWR0srOUJZUjlN
TUszOVJBSVFJKzBPQ3N0eGtydEViKzQKaxLy4cTrbfaXAh8EygkUEozRzOjKjlfn
rBnDbsrjgWyab26LcTij2hNxIKUYjxQQso/Qnf2V4oKGtBpUhciwJA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-14T01:38:16Z"
mac: ENC[AES256_GCM,data:qcLIH2hfTpqH2+OdM04bw4Acz9UId1MZg6hiiXm0QMOl1tLfLD2snhGf1O7rVyra6kyBpw0XWbsrfChb5faoMfQrWvB730cA//lSCdnctbYqAx03uGEhF/ngmTqEYnExWmmafssxiqW55PbB88wqxHY0GUYc0UVgZs+9K7t84ts=,iv:CI8OXru8/j2/SlE5vhvq3FFc9WXmbTHyq4SgvU3xMSk=,tag:tQIa/wHFaO+Z6yvGLVS9fg==,type:str]
pgp:
- created_at: "2023-08-08T22:43:37Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=93DD
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2023-08-08T22:43:37Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA45bZkLXmBFpAQf+LdS4p0p3nSZCBszkGSKmJ4MXitvZGSViKmMBk7kz/Ux5
aJC9NYUExu6fVmSHF5xtbuBbF4zu+p/cgcfZE6vF1xgRMwd05yLqvMdEEP4PwqF/
F1J7dIJvjFKsOMdc+FnZBS9aKAdL5JW8LxblEbgGx7E7gU429dVPyxNTfTqFa5g7
ypS0nZtXgUpLNvnU0jEoL0+fkLJ977WXz5EtZkX4xgi7FooNuspnndTsmTiPifI9
PpLpdAcrzD0RcwBFt+dTgQnQHZltpgkaOHiDijepkK3zADtIrBpCjmIjBuPKUn8r
3eMN4Fh1nCmXM08XVgeyfCACOsvDDdReC4ShctJL2tJeAQPE9rhw0ByW1iFQ3rG9
D2JRF4rgnS1ADNdeOg7H29YXBpCnE/VBU9CSui5kX2O2bqaFtLfQqLSXwyQoJ+5V
gKhF7r7/dUQ53CzbxJRyRvG/HcsqpUMkcC5Cu45zgA==
=pbkF
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
- created_at: "2023-08-08T22:43:37Z"
enc: |
-----BEGIN PGP MESSAGE-----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=8KfW
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2023-08-08T22:43:37Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=nNAZ
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2023-08-08T22:43:37Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA9qJIVK2WMV7AQ//aoP1NdEm02LofcDbue9K+gYnSOa1/6PBaC36c02nfloi
alSFWOjKP3XPXPYiIifF+VFfosIvAepF8UjiHarieaHsKmuShn4gbdm75QAAu+9Q
sBMxaOREh2B0GoieVKtJBbpXINPKCUpGGobPP7j15L/Pl2tK9YKt2H1kmaTAdfMr
Rh4iFDGuwl9tN17X/oLdJE3X+kkb9K3do9IwgDPJs9DX+Pg/b77y4JB34z/RbRnv
AiPmyn6zV8EBu4ANgOfNcwrI+ql3IEneiBFCP+H3G7a9CzCztXd6bHpvF07ooqK1
v/kZ64iEHUqXfARs5zrvEZhvi6bq18oT7XKKXwIO9tVQ1Y+J8anIIDhsflAGMJuE
9auctVJfoJqAVDHLDF0SkGdQLpCkSPcCmXdD9QgK79crzCHbW5i1WFYza6pYVKAE
W9MKZBkRT/3T8yL9CgZW2BwUOyAcwWu7oeCcyXb7EaZ08er3gfDA7clbzLviBUNG
eJjk0u4Wxcz+6/xdPEwXIXZC0f8K5HVaR0b9vrRLenyf97+hgeMXk645QFtI7ZZa
wd41y4Np9sX+iydhPb2K/7sEFY1X2fCEKCRQ8jU2YtZwDxwtMT69218iPeIlAyff
CGVMH2Wo4l9kM0DUI1KrKs2ssjV/E0xDmo9+7iaGDVNIkaN2R3V3QeyI5oDZIcrS
UQGPTZkqXDPhfgmDL++oaYPd9hDNoWNVfJBdy1l8rkeRwQW0tuAD4T7K8G0ulkIw
QvtXjiLgPK2IZb1dbRbwPu3wK9+eMWKTABLCD3XgJsl07w==
=E1R+
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2023-08-08T22:43:37Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA/YLzOYaRIJJAQ/+NPcayuOcJch5Xz7HIJMjZvAXonvQYM4h0/IQ7/3JMnKS
WBu55P/vCtQCI/w4EfDwrcTOrmesuai4Zs/fcGwEMNA0acz2kLzJ5zXjl14+AXyg
S00JfUD5h06wR000s2xYPbtlwOiilRQtuGp+9V8PbBstygcAX1LWNrBTh7HPf/I7
rjpaia8qMV9UciXvWIMlmOL1s3M56BUQDDGoHNKUYB0pHhXPhAjP5wVVHZx5cNBQ
KGHwud8UGu2hZDUDf0bn8mEHFetd2YJ1jBCFoITEk89nKGyJfWDDqrlZDAbaOM77
wl1rJBB27+FcmJNNefgkXKFmDDWCs8xA18Bf3ajTdTuw35VqNnrZuge76zSGk1x0
2S2ZVrO0/OJ+8GsWBAfLn+i4XLpwjEFmqLxwVDMLSMWMswc7gPMoPi0+Fbz9ACZG
sT3WDaHiThE9fdPzCUXVbiV9KNfYTNqeDwRsgq6RQamVj4ZpFpyY2iDgO4m7xa6G
SrnW/fMbtw95LqpS+lBblKMZZVg1TAOfDkyz9AxlkjirNmDfTR8t//ppBI9fDKpx
e0yiUuWoJOBJEnK+zAZ3Ux1OrkCHT1pQjKmFiUeYnHmsPKtcOGS35sBxowvZc385
RLgsmY+uKfduZxegWutVHAjxaoYaeGmcYflk4Rzb4rSL41CWT/3FzEK4oJDt/jbS
XgFwYdeXgSTC+YMiQ8FdvvKntGCWHNwa+i5ZZ7TQDoI609YWKui6RdpMMVGvZl1M
qTj8aGNLD/QYV5m/hajyv2DDvu/KX0Y09otPmaXFJ6OVQUXMAheWbYvoATrWF98=
=h44Y
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2023-08-08T22:43:37Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=ckwS
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,76 @@
c3d2.social:
- '@mail@c3d2.de': ENC[AES256_GCM,data:u7o43T2FlE/bjzcKj5Hax9hbV8P1dIW8ztBJb4x3ppM=,iv:agUE6B8rmF6olyWM3/bu9sNej1oV2nw7EMLbh0TV8fg=,tag:xxt7yLsIBdLqpF3j2UMK4g==,type:str]
- '@datenspuren@c3d2.de': ENC[AES256_GCM,data:dBaDf23yr/iOA4vYVek/n0Q5Iqyn7n87FjfqxPlhPP4=,iv:ViAvydufbTGFrccKOMgabOml6dvnoaeagfndcQ6Wda0=,tag:zesMmIuJVdDGbibI3CzifA==,type:str]
- '@pentaradio@c3d2.de': ENC[AES256_GCM,data:f6IXL7FEqxL4mhXdIVl4nGmpGqX3ikkMZOcElX3LLOA=,iv:2AlrdC1M2uby7McHcxirRzqx3Y6gdeB04Vukmec5ChQ=,tag:R0zwSaxcNul7juvLb0Lclw==,type:str]
- '@spacepi@c3d2.de': ENC[AES256_GCM,data:UiDYRSxcIHdOm8Oj5Lxq6LWmcdAvdz+6hgGDWTQcudU=,iv:HsFFP7217DGQ1LHuOmg9/XWYpa1+Dcx8mecQ34RqvJQ=,tag:x6EMoHUfEiZfiCAz1MgODA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-10-03T22:12:30Z"
mac: ENC[AES256_GCM,data:kcUKoBX/pUhVM3GnHJiGZVAg5J4hFIfwpX8v+X24/EFz4f3RVPiJVCIskEwpIOQezy1O5vTYnwSUecH7SwfHD0ftMdaMcfBF0EkByPM/OuOjp2rSh87MCQ/tgHXmovQRa+hUiAyvIupLz+1Iyd4k+g4sI9ezaWGLh3ljpX4xCis=,iv:kIYkQTTPq7nj5676zroBH5IHtQDXdy9rHefwKWbX6LQ=,tag:iqa2Q3oyUJY1/rlxkbSU/Q==,type:str]
pgp:
- created_at: "2023-10-25T09:46:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=oyA7
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2023-10-25T09:46:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=CNfD
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2023-10-25T09:46:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=9JEe
-----END PGP MESSAGE-----
fp: 9580391316684474BFBD41EC3E8C55248C19AF2A
unencrypted_suffix: _unencrypted
version: 3.8.0


@ -1,13 +1,10 @@
{ config, lib, pkgs, ... }:
{
c3d2 = {
deployment.server = "server10";
hq.statistics.enable = true;
};
c3d2.hq.statistics.enable = true;
c3d2.deployment.server = "server10";
microvm = {
mem = 8 * 1024;
vcpu = 8;
mem = 16 * 1024;
vcpu = 16;
};
networking.hostName = "mastodon";
@ -120,16 +117,17 @@
enableBirdUITheme = true;
configureNginx = true;
elasticsearch.host = "127.0.0.1";
ldap.enable = true;
streamingProcesses = config.microvm.vcpu - 1;
extraConfig = {
ALTERNATE_DOMAINS = lib.concatStringsSep "," config.services.nginx.virtualHosts.${config.services.mastodon.localDomain}.serverAliases;
DEFAULT_LOCALE = "de";
WEB_CONCURRENCY = toString config.microvm.vcpu;
# MAX_THREADS = toString config.microvm.vcpu;
};
ldap.enable = true;
streamingProcesses = config.microvm.vcpu - 1;
localDomain = "c3d2.social";
otpSecretFile = config.sops.secrets."mastodon/otp-secret".path;
secretKeyBaseFile = config.sops.secrets."mastodon/secret-key".path;
sidekiqThreads = 40; # default 25 are just not doing it anymore, especially after issues
smtp = {
host = "mail.c3d2.de";
port = 587;
@ -163,8 +161,6 @@
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
"fedifetcher/access-tokens/1".owner = "mastodon";
"fedifetcher/access-tokens/2".owner = "mastodon";
"mastodon/env".owner = "mastodon";
"mastodon/otp-secret".owner = "mastodon";
"mastodon/secret-key".owner = "mastodon";
@ -173,52 +169,10 @@
};
};
systemd = {
services = {
fedifetcher = let
configFormat = pkgs.formats.json {};
configFile = configFormat.generate "fedifetcher.json" {
server = "c3d2.social";
home-timeline-length = 100;
max-bookmarks = 5;
max-favourites = 5;
max-followers = 10;
max-followings = 10;
from-notifications = 10;
};
in rec {
wants = [ "mastodon-web.service" ];
after = wants;
script = /* bash */ ''
rm -f /var/lib/fedifetcher/lock.lock
${lib.getExe pkgs.fedifetcher} --config "${configFile}" --state-dir "/var/lib/fedifetcher/" \
--access-token "$(cat ${config.sops.secrets."fedifetcher/access-tokens/1".path})" \
--access-token "$(cat ${config.sops.secrets."fedifetcher/access-tokens/2".path})"
'';
serviceConfig = {
User = config.services.mastodon.user;
StateDirectory = "fedifetcher";
WorkingDirectory = "%S/fedifetcher";
};
};
# Inject LDAP secrets
mastodon-init-dirs.script = lib.mkAfter ''
cat ${config.sops.secrets."mastodon/env".path} >> /var/lib/mastodon/.secrets_env
'';
};
timers.fedifetcher = {
wantedBy = [ "timers.target" ];
after = [ "network-online.target" ];
timerConfig = {
Persistent = true;
OnBootSec = "10min";
OnUnitActiveSec = "10min";
Unit = "fedifetcher.service";
};
};
};
system.stateVersion = "22.11";
# Inject LDAP secrets
systemd.services.mastodon-init-dirs.script = lib.mkAfter ''
cat ${config.sops.secrets."mastodon/env".path} >> /var/lib/mastodon/.secrets_env
'';
}


@ -1,9 +1,3 @@
fedifetcher:
access-tokens:
#ENC[AES256_GCM,data:dyz84C6bTQ==,iv:Fa5YgW7oEqFxEIF1hKyAefWvTx9nBrnhEfAA/BmsiH4=,tag:veJzHYfPRlC1cuirX51ahw==,type:comment]
"1": ENC[AES256_GCM,data:IlVxGXuYRIDAog4xVwI2wNKDEwnJRPdjdIM7Fu16w0Jl49wTtd6uchKNUA==,iv:UJusssHdB35v+bBIA9f9zOaZ27QcoWeqDNddIkEu+ac=,tag:LtNzsrff7lu0U3uFOPJtEg==,type:str]
#ENC[AES256_GCM,data:XQtc0BeQ,iv:bNpjj54yGxq7+XlcurA27ihicmfoCGgznZxTEbajqT0=,tag:mXjucPgc+Kklkmynhni/LA==,type:comment]
"2": ENC[AES256_GCM,data:o6aWdruEk0LXl1/8BjvIRYxpkZHE/9j9CCOOxI5DTOa9J+a39Uh6Jj2FeA==,iv:F96DXxHDpwOVXY6mUhqkYOl8+UIe26P83B1OVR1iabM=,tag:kXCy1W9O/mwYc03Yr+mNjA==,type:str]
mastodon:
env: ENC[AES256_GCM,data:m7NvIAydlGvvNEShlqH8GngjPb6z3TIGkZNcFcBoAWYHCimcp+0c8NNVf4cP7sq3Xg==,iv:PMC4vVN4felWaa7FDUyoYzNk4Eiy56pxK1cOxbAfZ9c=,tag:NQXqWljloBTxXC1tlxylpQ==,type:str]
otp-secret: ENC[AES256_GCM,data:E0aMqXWxy9OwYCn4xalkMOTZi+/Nn0mU605J4BiacAr+QQVu4FHRrf9hnJOnqJH8Wx2ANLBda7W/JqGKHQVYfwmu7brrWWR5tHG+nn2PzldhrcHE40LN0znqtWeDZawwyZZPpAN4O+UF4AycinHp/ZRzyjjcUwZ6E5tQv3DjqPc=,iv:73KJeUdXugklBYJC5VryyjqRv3oopv7xo0p+NVK74UE=,tag:bmjS4Smehi6X4mUYyM+TNw==,type:str]
@ -38,8 +32,8 @@ sops:
VHVUSnJScGxiNkZzWVJjcEpwcElGZ1UKWc3YkbI020m5jG65fb4H/K2k0P/gvf26
BuiCWPt29GEgekrj0CKtO1MZRJrbxDTGgpPs07SpqEIZWj9R5n9wyw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-20T23:12:56Z"
mac: ENC[AES256_GCM,data:9Fb7MN+Zq699rU8j4+HzvYURxuXj5Zv5xLd0bIwE9ZDBnvQgXyDb8prwxZX57DXmWfNnA0mwRtxeELzv0BlajEhcRI4M2rVgH9R6oboyLdhw/EPhNRMs4thtFtcnZU+U9Iy0RG/7c+P/PSdY+80F5UbIAZzsXhzQPiB+R1hSqZg=,iv:hquI3gIaWc+TsU79ojWfbDjh3IUdR/NYvPQtk/99k4U=,tag:nEu4XTLYADroJ/cpb+gwog==,type:str]
lastmodified: "2023-11-11T22:41:34Z"
mac: ENC[AES256_GCM,data:K70YWwWQJGe0in54t2VgXdELe6D5v+JY9oWsoGa3eregqay70lJcvG07hMS+jDGx0lOkVXnwi0eOyGJ7+iWxSuY74GoT4H7qxfFtnUXiWkb1kXKtdmZS+dHeRuDuEY9b5n13VALp4uqukhhXeXKvGJGVZhbQuj/96vIyAK6HOvc=,iv:m0lonNMsK/h1Dc8CIPyPYuh7mrCzzJzgJwQO5JGh9vw=,tag:xaCck6+qP2r6afBvfzW3Nw==,type:str]
pgp:
- created_at: "2023-08-08T22:43:38Z"
enc: |


@ -16,17 +16,13 @@
default = true;
forceSSL = true;
enableACME = true;
listen = libC.defaultListen;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
proxyPass = "http://localhost:3000";
extraConfig = libC.hqNetworkOnly + ''
add_header X-Robots-Tag "noindex" always;
auth_basic secured;
auth_basic_user_file ${config.sops.secrets."nginx/basic-auth".path};
'';
};
serverAliases = [ "mate.c3d2.de" "matemat.c3d2.de" ];
};
};


@ -1,4 +1,4 @@
{ config, libC, pkgs, ... }:
{ config, pkgs, ... }:
{
c3d2.deployment.server = "server10";
@ -9,9 +9,11 @@
networking.hostName = "matrix";
#
nixpkgs.overlays = [
(final: prev: {
matrix-synapse = prev.matrix-synapse.overrideAttrs (_: {
# NOTE: using config.services.matrix-synapse.package does not work because it does not override the matrix-synapse used in matrix-synapse.plugins.matrix-synapse-ldap3
matrix-synapse = prev.matrix-synapse.overridePythonAttrs (_: {
# fail and take a good amount of time
doCheck = false;
});
@ -35,7 +37,7 @@
];
ldap = {
enable = true;
searchUserPasswordFile = config.sops.secrets."matrix-synapse/ldapSearchUserPassword".path;
bindPasswordFile = config.sops.secrets."matrix-synapse/ldapSearchUserPassword".path;
};
settings = {
admin_contact = "mailto:mail@c3d2.de";
@ -82,11 +84,9 @@
nginx = {
enable = true;
virtualHosts."element.c3d2.de".listen = libC.defaultListen;
virtualHosts."matrix.c3d2.de" = {
forceSSL = true;
enableACME = true;
listen = libC.defaultListen;
locations = {
"/".proxyPass = "http://127.0.0.1:8008";
"^~ /_synapse/admin/".return = "403";


@ -1,3 +0,0 @@
/composer.json
/extensions/
/vendor/


@ -1,5 +0,0 @@
{
"require": {
"mediawiki/semantic-media-wiki": "^4.1"
}
}

File diff suppressed because it is too large Load Diff


@ -11,12 +11,9 @@ in
message = "Please keep mediawiki on LTS versions which is required by the LDAP extension";
}
];
c3d2 = {
deployment.server = "server10";
hq.sendmail = true;
};
c3d2.deployment.server = "server10";
microvm.mem = 1536;
microvm.mem = 1024;
networking = {
firewall.allowedTCPPorts = [ 80 443 ]; # httpd, not nginx :(
@ -70,49 +67,20 @@ in
sha256 = "sha256-N1+OV1UdzvU4iXhaS/+fuEoAXqrkVyyEPDirk0vrT8A=";
};
};
name = "C3D2";
nginx.hostName = "wiki.c3d2.de";
package = pkgs.php81.buildComposerProject {
pname = "mediawiki-pre-full";
inherit (pkgs.mediawiki) version postPatch;
src = pkgs.applyPatches {
inherit (pkgs.mediawiki) src;
# update by running the following commands
# nix build .#nixosConfigurations.mediawiki.pkgs.mediawiki
# cp result/share/mediawiki/composer.json .
# composer update
# and updating the vendorHash by trying to deploy once
postPatch = ''
cp ${./composer.local.json} composer.local.json
cp ${./composer.lock} composer.lock
'';
};
composerNoPlugins = false;
vendorHash = "sha256-Ki+rTFWxlWRl5pfeTdVeirgKOFGzXsZ9LQ1QZ0nenhU=";
postInstall = ''
mv $out/share/{php/mediawiki-pre-full,mediawiki}/
rm -r $out/share/php
# https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/web-apps/mediawiki/default.nix#L21-L23
echo "<?php
return require(getenv('MEDIAWIKI_CONFIG'));
?>" > $out/share/mediawiki/LocalSettings.php
substituteInPlace $out/share/mediawiki/includes/config-schema.php \
--replace "\$path/convert" "${pkgs.imagemagick}/bin/convert"
'';
};
#skins = {
# Vector = "${config.services.mediawiki.package}/share/mediawiki/skins/Vector";
# Hector = "${config.services.mediawiki.package}/share/mediawiki/skins/Hector";
#};
# initial admin user password
passwordFile = config.sops.secrets."mediawiki/adminPassword".path;
uploadsDir = "/var/lib/mediawiki/uploads";
webserver = "nginx";
extraConfig = /* php */ ''
$wgAllowUserCss = true;
$wgDBmwschema = "mediawiki";
@ -123,9 +91,6 @@ in
$wgFavicon = "https://c3d2.de/favicon.ico";
$wgLogos = [
'1x' => "https://www.c3d2.de/images/ck.png",
'1.5x' => "https://www.c3d2.de/images/ck.png",
'2x' => "https://www.c3d2.de/images/ck.png",
'icon' => "https://www.c3d2.de/images/ck.png",
];
$wgEmergencyContact = "wiki@c3d2.de";
@ -136,14 +101,12 @@ in
$wgGroupPermissions['user']['edit'] = true;
$wgGroupPermissions['sysop']['userrights'] = true;
$wgNamespacesWithSubpages[NS_MAIN] = true;
define("NS_INTERN", 100);
define("NS_INTERN_TALK", 101);
$wgExtraNamespaces[NS_INTERN] = "Intern";
$wgExtraNamespaces[NS_INTERN_TALK] = "Intern_Diskussion";
$wgNamespacesWithSubpages[NS_INTERN] = true;
$wgNamespacesWithSubpages[NS_INTERN_TALK] = true;
$wgGroupPermissions['intern']['move'] = true;
$wgGroupPermissions['intern']['move-subpages'] = true;
$wgGroupPermissions['intern']['move-rootuserpages'] = true; // can move root userpages
@ -158,6 +121,7 @@ in
$wgGroupPermissions['intern']['minoredit'] = true;
$wgGroupPermissions['intern']['purge'] = true; // can use ?action=purge without clicking "ok"
$wgGroupPermissions['intern']['sendemail'] = true;
$wgNamespacePermissionLockdown[NS_INTERN]['*'] = array('intern');
$wgNamespacePermissionLockdown[NS_INTERN_TALK]['*'] = array('intern');
@ -165,8 +129,6 @@ in
define("NS_I4R_TALK", 103);
$wgExtraNamespaces[NS_I4R] = "IT4Refugees";
$wgExtraNamespaces[NS_I4R_TALK] = "IT4Refugees_Diskussion";
$wgNamespacesWithSubpages[NS_I4R] = true;
$wgNamespacesWithSubpages[NS_I4R_TALK] = true;
$wgGroupPermissions['i4r']['move'] = true;
$wgGroupPermissions['i4r']['move-subpages'] = true;
$wgGroupPermissions['i4r']['move-rootuserpages'] = true; // can move root userpages
@ -189,16 +151,15 @@ in
wfLoadExtension('ConfirmEdit/QuestyCaptcha');
$wgCaptchaClass = 'QuestyCaptcha';
$wgCaptchaQuestions[] = array('question' => 'How is C3D2 logo in ascii?', 'answer' => '<<</>>');
$wgCaptchaQuestions[] = array( 'question' => 'How is C3D2 logo in ascii?', 'answer' => '<<</>>' );
wfLoadExtension('Interwiki');
wfLoadExtension( 'Interwiki' );
$wgGroupPermissions['sysop']['interwiki'] = true;
wfLoadExtension('Cite');
wfLoadExtension('CiteThisPage');
wfLoadExtension('ConfirmEdit');
wfLoadExtension('ParserFunctions');
wfLoadExtension('SyntaxHighlight_GeSHi');
wfLoadExtension('WikiEditor');
// TODO: what about $wgUpgradeKey ?
@ -211,20 +172,6 @@ in
# LDAP
$LDAPProviderDomainConfigs = "${config.sops.secrets."mediawiki/ldapprovider".path}";
$wgPluggableAuth_EnableLocalLogin = true;
# SemanticMediaWiki
wfLoadExtension('SemanticMediaWiki');
# TODO: expose https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/web-apps/mediawiki.nix#L19
$smwgConfigFileDir = "/var/lib/mediawiki";
# default was 100 which is already occupied, using 200 to 215
# https://www.semantic-mediawiki.org/wiki/Help:$smwgNamespaceIndex
$smwgNamespaceIndex = 200;
enableSemantics('${config.services.mediawiki.nginx.hostName}');
$smwgURITypeSchemeList = array_merge(
$smwgURITypeSchemeList, [
'xmpp', 'mumble', 'ssh'
]
);
'';
};
@ -234,7 +181,7 @@ in
# for some reason nginx adds a port for the 301 redirect from / to /wiki/
port_in_redirect off;
'';
virtualHosts."${config.services.mediawiki.nginx.hostName}" = {
virtualHosts."wiki.c3d2.de" = {
enableACME = true;
forceSSL = true;
listen = libC.defaultListen;


@ -3,7 +3,7 @@
c3d2.deployment.server = "server10";
microvm = {
mem = 2 * 1024;
mem = 1024;
vcpu = 2;
};


@ -1,35 +1,24 @@
{ config, ... }:
{ pkgs, ... }:
{
c3d2.deployment.server = "server10";
networking.hostName = "mucbot";
users.users.tigger = {
createHome = true;
isNormalUser = true;
group = "tigger";
};
users.groups.tigger = { };
services.tigger = {
enable = true;
user = "tigger";
group = "tigger";
jid = "astrobot@jabber.c3d2.de";
passwordFile = config.sops.secrets."mucbot/password".path;
inherit (pkgs.mucbot) password;
mucs = [ "c3d2@chat.c3d2.de/Astrobot" "international@chat.c3d2.de/Astrobot" ];
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
"mucbot/password".owner = "tigger";
};
};
system.stateVersion = "18.09";
users = {
groups.tigger = { };
users.tigger = {
createHome = true;
isNormalUser = true;
group = "tigger";
};
};
}
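Review bot: `inherit (pkgs.mucbot) password;` under `services.tigger` takes the bot's XMPP password from a package attribute, so the value becomes part of the evaluated configuration and, as far as this section shows, lands in the world-readable Nix store rather than in a runtime file with restricted ownership. Judging by the `{ pkgs, ... }:` header, the line counts and the deleted `secrets.yaml` that follows, this is the new side, and the side it replaces used `passwordFile = config.sops.secrets."mucbot/password".path;` with `"mucbot/password".owner = "tigger";`. Keeping that pair and the `sops` block it depends on would keep the secret out of the store and out of the repository's overlay. Where `pkgs.mucbot` is defined is not visible here, so how the password reaches that attribute should be checked as well.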


@ -1,180 +0,0 @@
mucbot:
password: ENC[AES256_GCM,data:v1nRBPi20vZvPw==,iv:EByBbBWMw1cEDHhUSQuLktzaSK4Pbikb23xkfRk24KA=,tag:qUMfpJHT0+Y8tq1JpJAShA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1qen44cx5sx0y299zl93cz3tflx8agt8y9vtm0d4uxw42t9gyecdsw9jade
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPR2UyQlBuaXdYNno5S1hK
endRMTdDZ2JSRjJ5cGJ3eC8vM0xqNGY3UTJzCjRXNzVyMllOYlo4WGl4QjZreVU2
RGZWQnpIaUVtZnRVQlQ1SXpuRFUzSTgKLS0tIExvdnFDVVg0OXArVk1yWTkvS3gv
S1FSeXpiS0NVbVd3Wnc5TGZrc3I2KzQK54pedUIwQKik1reXzOYTEfGfjq6bLEoV
obVCr6UbNvG8y7we3qZNGtcMpShfxuvWxXxW08W2YTxcK0QmLYx3cw==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOVjBDaGlhOGVJaml0T2Vo
ZlhMdEIzSWxZU3RpcUNaMk5zZEg0YlZib1hjCkRSb3MzT1phejZ1QWl1cFJnUElT
dG9keE02WjUzOFdIazhSR0g5N0J3YUkKLS0tIFNRek1nYVAvQitDaFp2RDBXM2tU
YVBDTjlDa1hrcWovREoyc28zOGFiMXcKiUUODpXROMdNM3rshh8mpc0cR/uqQhtb
kFvpOmXqrPpSp3Yb8sFqRoTymraqGL+yUBoEqgMAuVhWLSzgU+0yLg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-15T13:31:21Z"
mac: ENC[AES256_GCM,data:Y1tnGTS3Wr3zbpZej+5wlIy1jaOoqHcKHP00hmKpWWR39RberESVkPQViPhP8DmwkKdbU/k+HRgb9Pn+1wgTwv8dFQyYmtWWQ3QHtB6exP3DGvQfI1Jms1Y8FaBIcFyv0BP0Fc8XipKyTG4K+T2j8TPszBCqRrUzgqiezj5Pei0=,iv:8dTU5Hi9qyx5VIGdouR2FVbc9VE4j16tiliv7KvZ0Zs=,tag:zfm2pKWmA0t2tccNinpaNA==,type:str]
pgp:
- created_at: "2024-04-15T14:07:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=CdIL
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
- created_at: "2024-04-15T14:07:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6j84+xkv3y7ARAAgIbXUv9xixa2gfzQXYYU1etLEp9CUeJ/Dk3+KgrtyBKD
JzcKb/R3htSFSd7eLtNW542TQ9xgYufBfM0g7sHR/CJGqx1vKFHS4p6ij79jnCSd
qvzSCSx+b3QAsBweuCeOrjsZzdj0+bwrrpU1t8UL6LDbFQuEXGNQQZ9skGY2CQ2o
bn6KqKtJehU/O5puomdKev0UiFxkeyBtmhVs/1l84eYKFnZ+rvJRCJKnL+hRu+dM
avV/NB5NuXDjAZutC0QfX+g/S88Ar82w4tmV2VKG4OQwfOpH6lKUSaENPVm/i9g7
UO7lbiMxO2dsUwQGejq+naCIA2Fkw/g3AlSJhYcrShCnVyFtyOTsg7SHGe4SwGqn
cWO8AT9BfXVC6wb3S7JcqYvBZbA1oqF4PYqpsqo5sErEoSSsciYxpr5Ah2DkGdv5
1RiASHa4yNVRwb3VoOXkW9c3App6Vf7ZQx2Y5OFcAUEWubczWVuB0nKeyDkhhtes
CuxCvtpnXXolR8d9e2BCU/TUG5w0F+vJK4kqbmknaHvnsn+R1VXlV4bAp2hQhlXS
W1cSKZ5C6SnQgftM+kjx5FCuPha5iTe/ui9MUiLX64GV0x+NTeeM1PxBJYQpANO6
YJEFcvnoK0sB77BKkQKY7ruVpCBhEaEiFq/JS2bBMgx/KTcomHZGnyptKpAIif3S
XgFZZz8vR051UjGcMTpCNWwtHDx33jdfxM92MFD4Xz7b37yWs52oyeTtm5thEHVN
m/6P49y7IbKVrzYRq576PhWTMxYMkqd+xjW2rJF37TX1clSz0mRf1Ht15MofDq8=
=ULlL
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2024-04-15T14:07:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DqDJbhoEBo+ISAQdAuQWfbvMYRvbUy42RXdWE/4kgrP3i5TMuui1p2Jrv82kw
IuqMCiY5tF30GukG9KF22t+K6N8oVNTXnEzzMEDN8HIZFzt915XK6EkTfNpnSA4p
1GgBCQIQiGZYsovtPhqnZOvORisPiRK7Tt0xSTUe0atBFc+1q7z9oRafI1DA73Ut
VXoq87sYMz2ntgVVMAzFs4hXyfef+1/0PHjc9jA5dZkab+iliGEyipxU/0nHRTO9
aKxkvwfBDRPP3w==
=ZqXK
-----END PGP MESSAGE-----
fp: 8F79E6CD6434700615867480D11A514F5095BFA8
- created_at: "2024-04-15T14:07:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwMCBBrc/JA6ARAAsQNxjPOdnjkHOTpjDZ3LjSBvhYNO3BGaEsuLGqxygWoR
HVwE4SGbDI8mWxXYpXd5EyRGsg4zBTmXTQ+kWvT4U4wuRflW/Sm8mwWphY1loxQF
VKduPz5XhzYGCb3nHfihMMpn2SNvZOitXW9BGAJLZX1+o/hLUD/3FibvBQycEs6I
zBLbB1D7sHr6YUuXtwP5i7l/j2DGyF4yWKizrpiTjW0mBy4Ii/0zBkaPUbC6B5kL
X31o5LfRXoIqdZqMRsIRfmXCb8FjpGOmGtATMQ1GK+zWl0CWyQ53G4D/BPAmTosc
8exugzJj4T9lDtIsvOHdMwBws/ppCWhFE8YyVAGhmgfOb9w2paXZkYbb9Lkgu5+O
/SWykyzaFOWOEENJwGQkbfHi+FKmrMX04GHo/m1S9xMyk03hWbOjOw/pt+E9j7F+
3Nxwn/Shz/WB5DPAyqn8NRi1pW9WXIVHxGidpexgn1x5IY1p9fyaCpLAOXtTmBVG
S76BA7v6LvyiZw6OfCHO/09KzjFumTkM+7Z1TK2SauUgzD8DTLQqbn7x3RbB1nYG
eu1grJzETftWwVAwOguXi+1YIPCFsYALjjxRMJA3X3rclMsFr5F653id3aFwYtNJ
XMxSXoKFiRk0NSwTBYtbGtF7h9Irza96Og8HSqx26yuKqhk8JBkdoR5hc/SnQk/S
kgEdEzVM5ffPwskUpUnRHY9vMTACs/A6PbGMawz79YoM9iEQpR963W3cOxNOLkPJ
Jj6rbrTebK7n8GlcHuBHQC7a/tQRWptawFlsVSgixpYZJhK9JMxBKwgqDJdKfHj7
xkmpNPcuyRaTRM2BUpZW/AcZnRq9/j2U15gDmMDFfS3ND/I/1NQv+KM5t7AVVDJi
HJj6
=ZU97
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2024-04-15T14:07:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=fxj7
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2024-04-15T14:07:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=C7Zg
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2024-04-15T14:07:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA9XEenRNYVGHARAArGZz6dTadgt8eX4RNmkI/b688E4czr3fncktw4gXX37j
jdV/jUrCAchM0BXPIrqtDZjkX9OFKroIJjjfLphrIYV8zi/y46tPllRs+94bJAsc
t5Bg8fwE0ZkUadclFXuvwGZZCguBB7hcp/cYSeOVmDc9O448P931k3QTT4UX77UN
/V62HPmgywHTaMp6+cOmNYiPH8+G5LowdJ7o89XH3zunGV6+ObTKDcxLeGz8le7p
cIZQKS8ZEUYI+Sgzu/oAmP2l0xbM92mJxDS6DMhJmLbP2OUbpwnT0+wc6khzW0Xp
nxsCK9q1oi3Ku05ZnwkCcnurAYwfrbjRrf2YoGypHp+aON4xzA3z5g88U+hI8Ul1
8xHywSGVEkOl4B3OJ7oMT2UeH7/Dd6BNV4uvTQy5nh5EcSKR5fA83+/LnWZnz+Hu
ILvgt8RHktT7Lqk7ujCCGbXwS1HHTqESIz5NvRqSJZaPEDTSPCYdgV0ykYMqLUYW
bE4X6bjkNXEf0Hp+ZQaLC4qBC5tFa6wvSUyIfDPdyOy+bMeqslBsNCnUpss7KqR+
xx4WFAaaRxCu8/gAn1ULLSp2/TitO/SDOHWiJRVaxS2HqLOg7E1F+9eboEAKjcPX
8VyIJuAgHvJ2J1SDY0BOkCZV9R6eZo6Jjo8ov+wYzsNvoIABruLnsEGyg3FCsK7S
XgGmwHYh4jBjasA31vrziHhyj2Zjmqtm1DAS95UNtnacUuGV+jJoK2jVr4NyuMNW
DfiV0woC8eOOOtUmH/OdXF3lAENcNFy3MuapliXzihgEe0lJ+5URudM1l9+Rqv0=
=OQIw
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2024-04-15T14:07:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA45bZkLXmBFpAQgAopA+PRoSMUMo5AWeHRhWtYu86MtGhQIQgfWtMf4/znxz
0ljSU7NWbXBcCwSjdE6mLRDOWRcDjkFVfn6YwwcbS5k2QyITixGzPRaXcw4S+3LA
vw6/ZhiVoY1VugrhBwf627eWKK62rFCmvbcR5/nOb+myqHBaOBzlWGtHKl5BOLfA
RWKHACZUZnTAYp7JOQDz1/urssQdrmKf3zi8KBzV7vdDZWKP7Lcc3ShmUOkIhrdq
dZSlloFWystXs9O7r4R2eoWSf7OlHRd7mlZdWirKp9DZoW/dcODiG1gdS9//M+jq
KiFkeFUrNPC0V8llodpZ89vSURPtr47NSR87oim98tJeAW5TuqcYAaofMdB1+VVO
nGMduTCTg6ujkYXnNfwEzGWxWtoWU0vdn5NgaUCHoTu3EgjF8IF+LZ14Tg0wpA5G
cdu2Vg40aBhLu4PrC3QoIl/PFmEMDU3578859s3dOA==
=qhBh
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -14,7 +14,7 @@
virtualHosts."www.zentralwerk.org" = {
forceSSL = true;
enableACME = true;
locations."/".root = "${zentralwerk.packages.${pkgs.system}.homepage}/share/doc/zentralwerk/www";
root = "${zentralwerk.packages.${pkgs.system}.homepage}/share/doc/zentralwerk/www";
};
virtualHosts."zentralwerk.org" = virtualHosts."www.zentralwerk.org" // {
default = true;


@ -1,29 +1,10 @@
{ config, lib, pkgs, ... }:
{ lib, ... }:
let
nfsExports = [
"var/lib/nfsroot/dacbert"
"var/lib/nfsroot/riscbert"
"var/lib/dump-dvb/whoopsie"
];
reinstallDacbert = pkgs.writeScriptBin "reinstall-dacbert" ''
SYSTEM=$(${lib.getExe pkgs.curl} -sLH "Accept: application/json" \
https://hydra.hq.c3d2.de/job/c3d2/nix-config/dacbert/latest \
| ${lib.getExe pkgs.jq} -er .buildoutputs.out.path
)
BOOT=$(${lib.getExe pkgs.curl} -sLH "Accept: application/json" \
https://hydra.hq.c3d2.de/job/c3d2/nix-config/dacbert-tftproot/latest \
| ${lib.getExe pkgs.jq} -er .buildoutputs.out.path
)
${lib.getExe config.nix.package} --extra-experimental-features nix-command \
copy \
--from https://nix-cache.hq.c3d2.de \
--to /var/lib/nfsroot/dacbert \
--no-check-sigs \
$SYSTEM $BOOT
cp /var/lib/nfsroot/dacbert/$BOOT/* /var/lib/nfsroot/dacbert/boot/
'';
in {
imports = [
./tftp.nix
@ -34,29 +15,24 @@ in {
hypervisor = "cloud-hypervisor";
mem = 2048;
# shares break nfs
shares = lib.mkForce [];
storeDiskType = "erofs";
volumes = map (export: {
mountPoint = "/${export}";
image = "/dev/zvol/server10-root/vm/nfsroot/${builtins.baseNameOf export}";
image = "/dev/zvol/server10/vm/nfsroot/${builtins.baseNameOf export}";
autoCreate = false;
}) nfsExports;
};
c3d2.deployment = {
server = "server10";
};
c3d2.deployment.server = "server10";
fileSystems = builtins.foldl' (fileSystems: export: fileSystems // {
"/${export}".options = [ "relatime" "discard" ];
}) {} nfsExports;
networking = {
hostName = "nfsroot";
firewall.enable = false;
};
environment.systemPackages = [ reinstallDacbert ];
networking.hostName = "nfsroot";
system.stateVersion = "22.05";
}


@ -13,6 +13,12 @@
hq.statistics.enable = true;
};
# deployment = {
# vcpu = 8;
# mem = 2048;
# persistedShares = [ "/etc" "/home" "/var" ];
# };
networking.hostName = "owncast";
services = {


@ -27,8 +27,7 @@
rule = {
matches = {
{
-- get node name via: pw-cli ls Node
{ "node.name", "equals", "alsa_output.usb-Roland_UA-22-00.analog-stereo" },
{ "node.name", "equals", "alsa_output.usb-0c76_USB_PnP_Audio_Device-00.analog-stereo" },
},
},
apply_properties = {
@ -96,7 +95,6 @@
default = true;
enableACME = true;
forceSSL = true;
listen = libC.defaultListen;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.octoprint.port}";
proxyWebsockets = true;
@ -163,6 +161,7 @@
octoprint = {
enable = true;
port = 8080;
# extraConfig.webcam = {
# snapshot = "http://localhost:3020?action=snapshot";
# stream = "https://drkkr.hq.c3d2.de/cam/stream";


@ -1,56 +0,0 @@
{ pkgs, ... }:
{
c3d2.deployment.server = "server10";
microvm.mem = 3 * 1024;
networking.hostName = "pretalx";
services = {
backup.enable = true;
nginx = {
enable = true;
commonHttpConfig = /* nginx */ ''
proxy_headers_hash_bucket_size 64;
'';
virtualHosts."talks.datenspuren.de" = {
default = true;
forceSSL = true;
enableACME = true;
serverAliases = [ "pretalx.c3d2.de" ];
};
};
postgresql = {
enable = true;
package = pkgs.postgresql_16;
upgrade.stopServices = [ "pretalx-web" "pretalx-worker" ];
};
pretalx = {
enable = true;
gunicorn.extraArgs = [
"--name=pretalx"
"--workers=4"
"--max-requests=1200"
"--max-requests-jitter=50"
"--log-level=info"
];
nginx.domain = "talks.datenspuren.de";
settings.mail = {
from = "noreply@c3d2.de";
host = "mail.c3d2.de";
port = "587";
tls = true;
};
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
};
system.stateVersion = "23.11";
}


@ -1,170 +0,0 @@
restic:
password: ENC[AES256_GCM,data:Ftfewu0ZRptm3WMHhej+pVK3NbiG5OHwQ7+Zh2U9TpE=,iv:cLhRPE81QvCHdaX94Qs0K8ol4SUV/J5WFZ3uUlNUqCQ=,tag:tUXxZSEkJiTfZYYS/t26gg==,type:str]
repositories:
server9: ENC[AES256_GCM,data:8/V1EN6JnO91w1FcNDc3pg7O0wl6PlD7qxTIvIKYND88JMKG4Z30sjhjFkwEd56eeWvkaMPfz7VpiFAoDB2jpijGT85Zx8WnzTlfEqxN6hOutdeedgleMDEyUeMpiwxO+VhAtg==,iv:2PuXLSjOisaILTgOBExHagNnZ8iLTgm2IqEmVfm4P+8=,tag:K31fg8C8+mbneuLFEqqoBA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1u6xeayzwfdj9l0mg3f4xvjd8e9nemz5psqavauvacjgp2nku95yqc4f29s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzcTNPVDZFaXk0ZFJ0Wk9Q
YjRYL1FLTWlSQ3c0YVpuQzY1a0lWUkMrSXhzCnAvRVJDSmg2SGJSLys2MG9pV3JH
am95ajFaOXJyV0sxSGVRMXBmRC9EUjgKLS0tICtBYVBzVjFaelI2L0kxcm5lN2lj
TFBRNDdFWFVjMytOSVFKMlFmMDIramcKKiBLQiLeEgC1Y07ZiPQ1DrreUckGdNJH
AZSpXHM8NnBPRaOnsfwG1HpQHyPzR2JlgtHeCKRcZlYVU80+e2In2A==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiOWZSSTZCR29sLzl0M3A5
aG5kQmpiamhSZGVSb2RZdWgxQnBjRmlCS1FnClVKSTQxSHpZTWZLZktUY3JYQ3VT
ejRRZC9tWEpkcGdxRDJQc1lHNnU1bDAKLS0tIG9HbnpsZEVxQ2FEYnJxdVB2UEJQ
TWk4MUlIMkNRUDg3Skw4UWhaQUk2cFEKuFT0WRhztMTRgT2uoU7V7pvn9JPUoI36
QkL+mwZC4cU5dD/4gAJPcdbyBCTZbdyixpuEG3lKzMO6YkFp0EK/zw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-10T23:28:01Z"
mac: ENC[AES256_GCM,data:Ya9cPSZIymDQ1COrKy9avy6zPVjPHRCEXXsQvwWHffKXZYU4YvkgL8mteLkY+ehzzsO6OrLcyJEjOQmNal+eO2E6aA5Q4T+1jVLdzEnsC7aI/O3idg1i+2NJG/PBPiFToXoFUNvFrl4e+9TRKMFNcEuAoodSGpY9q0bmvtUDQlI=,iv:R//QJSFAq0pHvelhEWkeFVEb0qHoFcsSTKyhM/3BOgA=,tag:kQ5qgLkAfO4/RgxKocbwFA==,type:str]
pgp:
- created_at: "2024-01-10T23:25:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=W/mL
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
- created_at: "2024-01-10T23:25:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=kD81
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2024-01-10T23:25:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=ZUzH
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2024-01-10T23:25:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=fTgs
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2024-01-10T23:25:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA9qJIVK2WMV7ARAAiU7Mo3JpIQvRQbEOVo9sKaZyrcKQr9LZkkS/mSYAS97J
pqsgCTOMptOxVLs/AGIlXzjCySa7hN0taOhmq24AYWalWaUS5M+/3jMLuVFmipjz
+zN8atyXePP/mi454VfI5etJvyKFD/k9emf9GZUcccjWUsCAgLAuxrOsKwof1mG8
pK4otyjqwzIHDAD2wvGEaOn4JsDk5fpu+mAoxnftFUQNXNzpMdNmYqWaJ8gqJPQT
u/Qfd/q+V3zIjn4ac7xvpbSNW3K0MHgJBE0HjUUmcjZAOv35+Gh1kebjxBmVBcz5
ZBYGZn23rJXEJ1B3ll63Hu/bI3cxsJCSQwY0m4gVMaCmcdP6J4Gz2rmfsUofD6/s
hxOz3bd7XtRv3VnwuPg+i55mHKVo+gOV9PKLLo2Qg6qJC/1nTa1tA2S4nz7/tNku
2WUP7EKltchE7UiOcDqzNGBQ0/O/tRm7phRtPQZujqO5IkGdCKrnKx3ufbjgS8lr
m0BeqEXTOv8MnQUj+Ij7WEphnlQZP72D0yn+z43abt7vKDuCQCg4DOkdtvMmSgy3
ozQQ3Nxp0Yq9k7NNNFcXr2CP3wULay4lTEaYkP9069p2IJUlhFuzMdxgZYeaImxP
Y9KeHVjBvCgZC6vDTrpGzruxSTjqPoIuYsZNFB72bGFRHA0mIyg1ulaXH+EtWLLS
XAFeLYmBL/WVdHyTv0qMUiiTxjnXUBggevJKELuG5DQFcGUfqJXiTz4GgPs8MFnU
XNW3PfuUAfBnjUL/lMShK8RwjGV5rB9BMFLiW6KBA4SQtR19+VDj4f6/UG1o
=N2EP
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2024-01-10T23:25:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=QIMx
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2024-01-10T23:25:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA45bZkLXmBFpAQf/WSGRCrTOEjDV9BjWKarS1OxtZxst4Q4mDQpK1P16TbnI
re32mQWTyJ90RHhO00YOM7vbdT4+QMoIjhprsY5bdktHFXt5S7eyUszpKUif2dCj
rt5FaX1R9F/bT6epcWacKknz9ZAlY4R5ZmRb+q4RI50xdFcAUmBzXkKPj2b8jeP/
ONbCVl/tjWlrgpja3D1hnJ94Yo0AtmoioZQXjHKM/8jz8EBAty3clVwEbwaF3pRW
q8gKeoUiQT12Tsp4bUt7ZxrMFiVDRRhxGvlg1hUSn/NEnOH82Bnd/pRWWUAiCUA8
LYskoTfPC359Zv17W1Fx/REmRVRt9bBhZtmt72lj9tJcAf13pB7rFJ40p1E3BAMH
3PsFDEYQVbDKGhdDe2HaSLVDq85sMpCyG+MmkpoukQrgK6VOfh+YqqGjmsqBZLoJ
aHuGUKpRqORu8RkTbiSIFXlnoO2yg/qFLaS1ouE=
=Q2L0
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -6,12 +6,6 @@
./stats.nix
];
boot.kernel.sysctl = {
# table overflow causing packets from nginx to the service to drop
# nf_conntrack: nf_conntrack: table full, dropping packet
"net.netfilter.nf_conntrack_max" = toString (4096*32);
};
c3d2.deployment.server = "server10";
networking.hostName = "public-access-proxy";
@ -19,9 +13,12 @@
services.proxy = {
enable = true;
proxyHosts = [ {
hostNames = [ "vps1.nixvita.de" "vps1.codetu.be" "nixvita.de" ];
proxyTo.host = "172.20.73.51";
matchArg = "-m end";
} {
hostNames = [ "auth.c3d2.de" ];
proxyTo.host = hostRegistry.auth.ip4;
proxyProtocol = true;
} {
hostNames = [ "jabber.c3d2.de" ];
proxyTo = {
@ -50,6 +47,15 @@
host = "172.20.73.69";
};
matchArg = "-m end";
} {
hostNames = [ "c3d2.host.dresden.zone" ];
proxyTo = {
host = "172.20.73.73";
};
matchArg = "-m end";
} {
hostNames = [ "bind.serv.zentralwerk.org" ];
proxyTo.host = hostRegistry.bind.ip4;
} {
hostNames = [ "blogs.c3d2.de" ];
proxyTo.host = hostRegistry.blogs.ip4;
@ -82,11 +88,11 @@
} {
hostNames = [
"hydra.hq.c3d2.de"
"hydra-ca.hq.c3d2.de"
"nix-cache.hq.c3d2.de"
"nix-serve.hq.c3d2.de"
];
proxyTo.host = hostRegistry.hydra.ip4;
# TODO: enable in hydra
# proxyProtocol = true;
} {
hostNames = [
"zentralwerk.org"
@ -94,23 +100,20 @@
];
proxyTo.host = hostRegistry.network-homepage.ip4;
} {
hostNames = [ "mate.c3d2.de" "matemat.c3d2.de" "matemat.hq.c3d2.de" ];
hostNames = [ "matemat.hq.c3d2.de" ];
proxyTo.host = hostRegistry.matemat.ip4;
proxyProtocol = true;
} {
hostNames = [
"element.c3d2.de"
"matrix.c3d2.de"
];
proxyTo.host = hostRegistry.matrix.ip4;
proxyProtocol = true;
} {
hostNames = [ "mobilizon.c3d2.de" ];
proxyTo.host = hostRegistry.mobilizon.ip4;
} {
hostNames = [ "drkkr.hq.c3d2.de" ];
proxyTo.host = hostRegistry.pulsebert.ip4;
proxyProtocol = true;
} {
hostNames = [ "scrape.hq.c3d2.de" ];
proxyTo.host = hostRegistry.scrape.ip4;
@ -131,37 +134,22 @@
} {
hostNames = [ "wiki.c3d2.de" ];
proxyTo.host = hostRegistry.mediawiki.ip4;
proxyProtocol = true;
} {
hostNames = [ "owncast.c3d2.de" ];
proxyTo.host = hostRegistry.owncast.ip4;
} {
hostNames = [ "c3d2.social" ];
proxyTo.host = hostRegistry.mastodon.ip4;
# TODO: enable in mastodon
# proxyProtocol = true;
} {
hostNames = [ "relay.fedi.buzz" ];
proxyTo.host = zentralwerk.lib.config.site.net.serv.hosts4.buzzrelay;
} {
hostNames = [ "drone.c3d2.de" "drone.hq.c3d2.de" ];
hostNames = [ "drone.hq.c3d2.de" ];
proxyTo.host = hostRegistry.drone.ip4;
proxyProtocol = true;
} {
hostNames = [ "home-assistant.hq.c3d2.de" ];
proxyTo.host = hostRegistry.home-assistant.ip4;
# TODO: enable in home-assistant
# proxyProtocol = true;
} {
hostNames = [ "pretalx.c3d2.de" "talks.datenspuren.de" ];
proxyTo.host = hostRegistry.pretalx.ip4;
# TODO: enable in pretalx
# proxyProtocol = true;
} {
hostNames = [ "vaultwarden.c3d2.de" ];
proxyTo.host = hostRegistry.vaultwarden.ip4;
# TODO: enable in vaultwarden
# proxyProtocol = true;
} ];
};
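Review bot: Removing the `net.netfilter.nf_conntrack_max` sysctl in the first hunk also removes the only record of why it was set; the deleted comment describes `nf_conntrack: table full, dropping packet` on connections from nginx to the service. This host fronts every public name listed in `proxyHosts`, so going back to the kernel default risks the same silent drops under load. If the removal is intended, I would leave a comment such as `# nf_conntrack_max left at the kernel default; check the journal for "nf_conntrack: table full" if connections are dropped`, otherwise keep the setting. The attribute set this hunk belongs to starts above the visible lines.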


@ -28,7 +28,7 @@ in
type = lib.types.submodule {
options = {
host = lib.mkOption {
type = with lib.types; nullOr str;
type = with lib.types; nullOr string;
default = null;
description = ''
Host to forward traffic to.
@ -73,7 +73,7 @@ in
proxyProtocol = lib.mkOption {
type = lib.types.bool;
default = false;
default = true;
description = "Whether to use proxy protocol to connect to the server.";
};
@ -137,10 +137,8 @@ in
lib.concatMapStrings (hostname: ''
use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
server ${canonicalize hostname}-http ${proxyTo.host}:${
if proxyProtocol then "${toString proxyTo.proxyHttpPort} check send-proxy-v2"
else "${toString proxyTo.httpPort} check"
}
server ${canonicalize hostname}-http ${proxyTo.host}:${toString proxyTo.httpPort} check ${lib.optionalString proxyProtocol "backup"}
${lib.optionalString proxyProtocol "server ${canonicalize hostname}-proxy-http ${proxyTo.host}:${toString proxyTo.proxyHttpPort} check send-proxy-v2"}
'') hostNames
)
) cfg.proxyHosts
@ -161,10 +159,8 @@ in
${lib.concatMapStrings ({ proxyTo, proxyProtocol, ... }: ''
backend ${canonicalize proxyTo.host}-https
server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${
if proxyProtocol then "${toString proxyTo.proxyHttpsPort} check send-proxy-v2"
else "${toString proxyTo.httpsPort} check"
}
server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${toString proxyTo.httpsPort} check ${lib.optionalString proxyProtocol "backup"}
${lib.optionalString proxyProtocol "server ${canonicalize proxyTo.host}-proxy-https ${proxyTo.host}:${toString proxyTo.proxyHttpsPort} check send-proxy-v2"}
'') cfg.proxyHosts}
'';
};
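Review bot: Flipping the `proxyProtocol` default to `true` while adding a plain `backup` server means a backend whose PROXY listener fails its health check is served over the plain port instead, and from then on sees the proxy's address as the client. Backends that key logging, rate limits or allow-lists on the client IP degrade without any error, and hosts that never configured a PROXY listener are now opted in by default. In the HTTP block the `use-server` rule still names `${canonicalize hostname}-http`, which is now the plain server, so the `-proxy-http` server may never be picked for matching hosts; that is worth checking against HAProxy's `use-server` behaviour. I would keep the default at `false`, or state the fallback in the option text: `description = "Whether to use proxy protocol to connect to the server; the plain port remains as a backup server.";`. Separately, `nullOr string` relies on the deprecated `lib.types.string`; `nullOr str` is the supported form.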


@ -0,0 +1,40 @@
{ lib, ... }:
{
networking.hostName = "schalter";
hardware.enableRedistributableFirmware = true;
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
boot = {
loader = {
grub.enable = false;
raspberryPi = {
enable = true;
version = 1;
uboot.enable = false;
};
generic-extlinux-compatible.enable = lib.mkForce false;
};
# no zfs required
supportedFilesystems = lib.mkForce [ "vfat" "ext4" ];
tmp.useTmpfs = true;
};
nixpkgs.config.packageOverrides = pkgs: {
makeModulesClosure = x:
# prevent kernel install fail due to missing modules
pkgs.makeModulesClosure (x // { allowMissing = true; });
};
sdImage = {
compressImage = false;
imageBaseName = "schalter";
firmwareSize = 512;
};
# can't find zstd library on armv6...
services.nginx.recommendedZstdSettings = lib.mkForce false;
nixpkgs.crossSystem = lib.systems.examples.raspberryPi;
}


@ -1,4 +1,4 @@
{ lib, config, pkgs, scrapers, ... }:
{ pkgs, config, scrapers, ... }:
let
freifunkNodes = {
@ -30,36 +30,21 @@ in {
default = true;
forceSSL = true;
enableACME = true;
locations."/".root = config.users.users.scrape.home;
root = config.users.users.scrape.home;
extraConfig = ''
autoindex on;
'';
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
"scrape/matemat/user".owner = config.users.users.scrape.name;
"scrape/matemat/password".owner = config.users.users.scrape.name;
"scrape/xeri/user".owner = config.users.users.scrape.name;
"scrape/xeri/password".owner = config.users.users.scrape.name;
};
};
systemd.services = let
serviceConfig = {
User = config.users.users.scrape.name;
Group = config.users.users.scrape.group;
};
scraperPkgs = import scrapers { inherit pkgs; };
makeService = {
script,
host ? "",
userFile ? "",
passwordFile ? ""
}: {
script = "${lib.getExe scraperPkgs."${script}"} ${host} ${lib.optionalString (userFile != "") ''"$(cat ${userFile})"''} ${lib.optionalString (passwordFile != "") ''"$(cat ${passwordFile})"''}";
makeService = { script, host ? "", user ? "", password ? "" }: {
script = "${scraperPkgs."${script}"}/bin/${script} ${host} ${user} ${password}";
inherit serviceConfig;
};
makeNodeScraper = nodeId: {
@ -82,18 +67,21 @@ in {
scrape-xeri = makeService {
script = "xerox";
host = "xeri.hq.c3d2.de";
userFile = config.sops.secrets."scrape/xeri/user".path;
passwordFile = config.sops.secrets."scrape/xeri/password".path;
inherit (pkgs.scrape-xeri-login) user password;
};
scrape-roxi = makeService {
script = "xerox";
host = "roxi.hq.c3d2.de";
};
scrape-fhem = makeService {
script = "fhem";
host = "fhem.hq.c3d2.de";
inherit (pkgs.scrape-fhem-login) user password;
};
scrape-matemat = makeService {
script = "matemat";
host = "matemat.hq.c3d2.de";
userFile = config.sops.secrets."scrape/matemat/user".path;
passwordFile = config.sops.secrets."scrape/matemat/password".path;
inherit (pkgs.scrape-matemat-login) user password;
};
scrape-impfee = makeService {
script = "impfee";
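Review bot: `makeService` now splices `user` and `password` directly into the unit's `script` string, so the values from `pkgs.scrape-xeri-login`, `pkgs.scrape-fhem-login` and `pkgs.scrape-matemat-login` are written into the generated script in the world-readable Nix store and handed to the scraper as command-line arguments that other local users can read from the process list. They are also unquoted, so a value containing whitespace or shell metacharacters is split or interpreted by the shell. The sops-backed `userFile`/`passwordFile` parameters removed here avoided both problems by reading files owned by the `scrape` user at run time; I would keep them, or at the very least wrap each argument as `${lib.escapeShellArg password}` (which needs `lib` back in the module arguments). The later section that sets `services.heliwatch` has the same pattern, with `inherit (pkgs.mucbot) password;` replacing `passwordFile`, though whether that module writes the value into the store is not visible here. The `let` block and the list of scrape services both continue outside these hunks.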


@ -1,185 +0,0 @@
scrape:
matemat:
user: ENC[AES256_GCM,data:ApTjMg==,iv:GW5r7RKp7bFCKCSz0svezWOovOvSVil2QcDVRZum3n8=,tag:ZELz/h1lpSWJnkxk3hrzrA==,type:str]
password: ENC[AES256_GCM,data:mWp0GQ==,iv:74Kt126u85Mup/hgRXP0txXWpwdL8bsljm437CAQVEI=,tag:BB5qx9XRKLXBO4rBiDsAFg==,type:str]
xeri:
user: ENC[AES256_GCM,data:S8wqkzQ=,iv:X7q4MZd6YvtGOmSSyIk46zJNqUNWMnqlZN5U28+6sAg=,tag:VyQxKFuGvF855/e0dQiPgg==,type:str]
password: ENC[AES256_GCM,data:0CByy8YUzg==,iv:egZ7zNVkgU7S3qlp2TSzWWJgNIYxMavRmYrChsiLfW8=,tag:tMzGmy4QtDkZLXlyuwjlzA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1p60rg45qrzpv2hcfzxl8d8k9afkk7dtrhr98cngeyuhlega83ynssmtx5k
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSU1uaDhuV0dXV1h5R0pC
SDNtd2hLNDdPT29yTUV0cXJLWmMwKzV6VERzCnpIYmtXOGZjK0dUWnkwNTRrNmZX
SmVJekx3QTNZeHBYRVZRRmFIRlFRRTAKLS0tIGNjM0RVWHB3NGVEd2FIWk83cmwr
R21DUzZqdmx0NVFyUUxncHhFbHFGS0UKfXEJ8xRIgxl6tIYCHdX7lLZrkeMajM9e
ZBRZ3O+MEDoggFFuX+BG9Vgzqnx/VZLqKfV1lPdRTw4MO6FJa3b7Cw==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnTGZhVEpDU1NVd3VaVWk4
WW9XZHA4WktSZ2c5VEZCL0t0amp3MVRBb25rCkpEc25iekVtUkpCNUluQ051aE1k
b0FYbHAxZE9CS0FHNmxTNGFNcnlJMEEKLS0tIEQxWDFvNCtvRlJtUm8wZkkzU0VJ
TENFenF2aXkzdGNIN3RMS2wrVElZTEkKsGGldAOhRoVpCHqwRb3I2HwimFYRKWT0
YeBqNT5Dy27i5BDuPZwXtMrtcHri6Tm6VPhqDO+nZJN9NPZZYm1Kjw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-15T21:12:51Z"
mac: ENC[AES256_GCM,data:YMuDMci1dROUd6Jt7fS6kQVUQL1bsE86Fl9SlCxGWGLhkYMBfWBMSdPU32P6bnalGv/R7MRmMagfKBLbOYNsOSssIqBQVkvdHL+SgO480ffrwlLFJBtxxe55xbtG9wtVGisUT57/YO2/EOB7/SMie3GFgaCw2LZ9vvG+rHm2a2U=,iv:gk0d/6c08Fc4BdWZ3uMsGjt60CpZTFwf7YiL7+KNS2s=,tag:wXNax0sDjFI8MdI+o+QmQA==,type:str]
pgp:
- created_at: "2024-04-15T19:33:46Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=Ah7a
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
- created_at: "2024-04-15T19:33:46Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=pzrL
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2024-04-15T19:33:46Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DqDJbhoEBo+ISAQdAaNoODKpQSzZlxoH64hqL6PHGvUqW+VW82LHnncGPlWIw
SNhLu1YlZoP5Im/ypPAbBmCLwingTW6nCs86TyFT0yuTckgg9/lG2gR1dp1xGLmt
1GgBCQIQw4aYzB5FZF+TXerFEznHAZbfLEPslnCdGvbHNY8iVLONIXXL4d0/w/Hd
Pg/61K3sqELrKHJ0WKoLJs1mbVJsMJQZlccrB/nsQgOT6vb/VsvVBjz0Hz2H2jhH
YTa+odDFFyf4/w==
=gnax
-----END PGP MESSAGE-----
fp: 8F79E6CD6434700615867480D11A514F5095BFA8
- created_at: "2024-04-15T19:33:46Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=Iy0+
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2024-04-15T19:33:46Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=V0vD
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2024-04-15T19:33:46Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=ZMLo
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2024-04-15T19:33:46Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=/76w
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2024-04-15T19:33:46Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA45bZkLXmBFpAQgAmkXZJVHiyEkgLimBwLLQf1zhxd90N9CfJDOt6WMO+3rc
S78RCYhaQZyt5AEbX1VJZiqyJCrSItcoY6GNasSarYT1EWsbLGQ8XD3P46eGeMVP
3clQqvt0hc7T3y+TZvjqTYDb7/ype77ELl7VyQRPqNI2e3VHcdvmziLJfTUniqoZ
bc/fs2EKRz312WhzN568fqQMck4wdkGrip2sfusCvkxzSMmE6faC1OVacKXlIFLh
RWK2nuzK3oEqS3Tak9CYBsF3mO7jBpMg6WOychiaSkqVeaMiBq0ztlBVDNewlwye
WTM5AFgPFR0jX0R9nefoksxlw0wrrBQ4t67ymLnCydJeAcleGr35GpT9WT3ecFZu
+A7aqU1b+t6rLUJVABtpsrEpYvKcRWimn+dZ3elw2b/n46XFN1isGFk+RalpDpDE
b84B1kYvwYQatDuLeOYr72PttJZtqKp6FWny+jIGqA==
=12or
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,9 +1,5 @@
{ hostRegistry, config, pkgs, ... }:
{ hostRegistry, pkgs, ... }:
{
microvm = {
mem = 2048;
vcpu = 8;
};
c3d2 = {
deployment.server = "server10";
hq.statistics.enable = true;
@ -57,13 +53,6 @@
'';
};
heliwatch = {
enable = true;
jid = "astrobot@jabber.c3d2.de";
passwordFile = config.sops.secrets."heliwatch/passwordFile".path;
muc = "luftraum@chat.c3d2.de/Hubschraubereinsatz";
};
nginx = {
enable = true;
virtualHosts."sdr.hq.c3d2.de" = {
@ -95,8 +84,10 @@
openwebrx.enable = true;
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets."heliwatch/passwordFile".owner = "heliwatch";
services.heliwatch = {
enable = true;
jid = "astrobot@jabber.c3d2.de";
inherit (pkgs.mucbot) password;
muc = "luftraum@chat.c3d2.de/Hubschraubereinsatz";
};
}


@ -1,172 +0,0 @@
restic:
password: ENC[AES256_GCM,data:rF82Jo3uXFuTGfMNEkrWmJKTg4W0tSEp4RhWU91Us8E=,iv:6lNjPlSZoRhVNwhkiUUOyi9PyxsFCNeA6syNUPaJIa8=,tag:UTX8Vve6Zj3Un+A0uTihpg==,type:str]
repositories:
server9: ENC[AES256_GCM,data:ok/fhJJ7ABH6YfnP1o2DWpH8vbPwST8/7RwsASiQrWdkvyaC4jC4fAie1XofN8GcoC/55b56UbdnH8htdq2ulUVuIfsWHTUeVHbgIB60cum4+QfK/IxNBeV7J7A/7xjlubU=,iv:FAIZ+bhCojiQLVq8WTb/5NFkcV+kqcg6cxiv0wu1Dng=,tag:YB7OzI8jdYx0odqkTXGfFw==,type:str]
heliwatch:
passwordFile: ENC[AES256_GCM,data:RovkihQU9uq1Iw==,iv:GZ/NBBsEi4KUydyMDC8TrktWKa/nDUP4JU5M78v6Y5c=,tag:FySsAVsocDer0X5znGrF/A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1makkpv2t74lxmw0nk6m89nespva7j700pmt83pl5a4ldtj2k8fzqakw8h7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqbTRwMU9jQStCUkRjZUpF
Q2ZEbXlNR29Xa1JMT2t0emVPNWJvdGF2S0FRCjdZMEZLR2N1emVHZGpZdXZGZ1pC
OEpFRWRpZkNCdndNa1BmSXRBOEI1WkkKLS0tIHo0UkxCS3pMbkQwNzFVK3prMFJX
ZFlvRG5kY3EyNFU1eXNwNFl1TEZsa28KHxeUn3NhpMmMSNuY346+jDKNXWXKCMb1
hFhUHtoCa/nMuRmtM00d9omcQ44p597qbRCfhMpgQpF8m1IiKDqX/w==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2UnVtMnovTTJ6QS9Odjl1
K0YvZzV6bDBKckExMEJqWkhuV0FubzdqeWprCmZ0WEg5aHppaUd1REFsRWFiUmxT
MUVRSHZmMjYxbERaSkd3ZVU3SHN0U1EKLS0tIGR0Qlp5ODd2VWJ0eUZ4QTRMc3JC
T01GdFR0MWxwQkpuSjB3R21xdDZXR0UKGHXjDM1KiL8O+MV/TR0ZDTi14Aovklws
qMIUH/4Sc8+HaMKGrwQYOzdUzLT+n4bsmYsz9H149y8MIpSxADsHJQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-13T02:21:09Z"
mac: ENC[AES256_GCM,data:m0BfbJbOQG5odFNxEQcnNFqbvcoGRi1QWZSl0AomFK0efP2JgDQrOEcsp1+LsBbuO1e+zndSEekGhqCpdJf3ZEXitPJYLjHUdVpSnONAh5LIQpe4QqmbLsGq7KxP1iWm9IscUplQxiJy5xRkA1AbmqDnh1e8NS/5Fk0YBz3b++M=,iv:hoMP3yruykzI6WpmMu6sF6oamKM/bftJALd9+LD3ZUM=,tag:rJnYnIN5J1UoHBZyPHgW9g==,type:str]
pgp:
- created_at: "2023-12-11T23:40:37Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=ybnG
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
- created_at: "2023-12-11T23:40:37Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=dQcw
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2023-12-11T23:40:37Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=RNJJ
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2023-12-11T23:40:37Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=TyGR
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2023-12-11T23:40:37Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=Fr+U
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2023-12-11T23:40:37Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=0DV6
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2023-12-11T23:40:37Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA45bZkLXmBFpAQf/ZI5YUJbMHBmZOS1cEARAvapO8tltcnzuVGsF+Pt99P8l
kxQcSYzEdR2zAMlM9m6bhz+/j70SO2a2tS77WuV8xXe0x7FfwJTG7M2aUadxuPXF
AZkBFmDQXxBW6t82DJuiwEVrxQ+VwGz1jvpHc/fbYSda4MX2F+scoGRZTCt2x6ya
zgF7sW+AiYtSAXVSD0NdD5aFrTCrKN/L4YJtyGaHyqO0f9if9vRsk9xv8s+c9vhk
uniMe6D9t5JxYvk2VdwnwKaiXgLj7lmccV1NFE+e1ClBeUxnX5wiwkDjrEhuiRfu
3lM/POENqV0qgU70tRS7+iQfai7dOWQSxq0Qh2wpPNJeATz0FKEdmygDX5Mr02v8
PHBm0Ju25kTa+P6PLfbb2zVSgUEZMraBsJVt2Olrnxsksiq331QH28Cikx37wXoj
l2UxUxYBohcgS7CiDVONueEchrHy6t7f10QzfNsojg==
=NOne
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,4 +1,4 @@
{ config, lib, options, pkgs, ... }:
{ config, lib, pkgs, ... }:
{
imports = [
@ -8,19 +8,12 @@
c3d2 = {
baremetal = true;
deployment.microvmBaseZfsDataset = "server10-root/vm";
deployment.microvmBaseZfsDataset = "server10/vm";
hq.statistics.enable = true;
};
boot = {
initrd = {
availableKernelModules = [ "e1000e" ];
network = {
enable = true;
ssh.enable = true;
};
};
loader.grub = lib.mkIf (!options?isoImage) {
loader.grub = {
enable = true;
device = "/dev/sda";
};
@ -35,15 +28,6 @@
};
};
# NOTE: stop the raid with: mdadm --stop /dev/md127
disko.disks = [ {
device = "/dev/disk/by-id/ata-Samsung_SSD_860_EVO_1TB_S3Z9NB0M203733F";
name = "root";
partitionTableFormat = "msdos";
withBoot = true;
withLuks = true;
} ];
networking = {
hostName = "server10";
# TODO: change that to something more random
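Review bot: server10's root storage appears to lose encryption at rest: this section drops the `disko.disks` entry with `withLuks = true` along with the initrd network/SSH block (presumably there for remote unlock), and the hardware section that follows drops `boot.initrd.luks.devices."server10-root"` and moves `/` to `server10/nixos`. Nothing visible replaces it, although ZFS native encryption could be set on the pool outside these hunks, so this needs confirming; with `deployment.microvmBaseZfsDataset = "server10/vm"` the MicroVM volumes would sit on the same disks. If that is intended, a comment next to `microvmBaseZfsDataset` such as `# pool "server10" has no LUKS layer; VM volumes are not encrypted at rest` would record the decision. Also, `loader.grub.device = "/dev/sda"` here and `device = "/dev/sdc"` in a later section depend on disk enumeration order, whereas a `/dev/disk/by-id/` path stays stable when disks are added or fail.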


@ -5,76 +5,49 @@
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.initrd.luks.devices."server10-root".device = "/dev/disk/by-uuid/b4904afe-22b3-4abe-bd53-049817c1332f";
boot.extraModulePackages = [ ];
boot.supportedFilesystems = [ "ext2" "zfs" ];
boot.zfs.devNodes = "/dev/";
fileSystems."/" =
{ device = "server10-root/root";
{ device = "server10/nixos";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/EB9B-15AA";
fsType = "vfat";
};
fileSystems."/etc" =
{ device = "server10-root/data/etc";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/home" =
{ device = "server10-root/home";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/nix" =
{ device = "server10-root/nix";
{ device = "server10/nixos/nix";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/nix/store" =
{ device = "server10-root/nix/store";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/nix/var" =
{ device = "server10-root/nix/var";
{ device = "server10/nixos/nix/var";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var/backup" =
{ device = "server10-root/data/backup";
fileSystems."/nix/store" =
{ device = "server10/nixos/nix/store";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var/lib" =
{ device = "server10-root/data/lib";
fileSystems."/var" =
{ device = "server10/nixos/var";
fsType = "zfs";
options = [ "zfsutil" ];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp7s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp7s0f1.useDHCP = lib.mkDefault true;
fileSystems."/home" =
{ device = "server10/home";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/b13a876b-2488-47a3-b9bd-3b03fbac6c85";
fsType = "ext2";
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -4,7 +4,7 @@ let
staging-data-hoarder.flakeref = "git+https://github.com/tlm-solutions/nix-config";
tram-borzoi.flakeref = "git+file:///tmp/tlms-tram-borzoi";
};
realizeFlake = with pkgs; "${writeScriptBin "realize-flake" /* bash */ ''
realizeFlake = with pkgs; "${writeScriptBin "realize-flake" ''
#! ${runtimeShell} -e
set -x
NAME=$1
@ -43,6 +43,7 @@ in
microvm.autostart = builtins.attrNames microvms;
systemd.services = {
"microvm-update@" = {
description = "Update MicroVMs automatically";
after = [ "network-online.target" ];


@ -1,4 +1,3 @@
luks: ENC[AES256_GCM,data:oUwlNQPbCfGOY5nT9th4QhAlDwNXSDgKIyBAtZbPnH+6tqvPPS10AI7amwRgnLuJUwsE1+RzFHNA1poIlKrfjA==,iv:ivhIa2ufbgSpoPpJCC1eE8Tdaz2KeGeky/rUAyNJ5uE=,tag:zMdIbtMuAVmpeTrpxyXuXQ==,type:str]
machine-id: ENC[AES256_GCM,data:Ix/XS0rRXZhWePe41VmMarJ39a/f1kjz2ZALwWGzKa4=,iv:36fENZzal9gR/3DD4CVDq3yMmLr0rxtbMKaRDGH1Kpc=,tag:M/UmDJD0obr2wh8AnjrMSA==,type:str]
ceph:
osd.4:
@ -27,8 +26,8 @@ sops:
TWp5Ym1YNUJVVXAzSXVqMzZQY09sdWcKc1Ke2iT6RYpMxhZF6eoxeuPK2CVCygy9
uxrb+MMsUJJaybt7UKpMEgOhttCqfGPoh2lmXOOU8RKF8SgJilVuTg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-15T22:22:52Z"
mac: ENC[AES256_GCM,data:bVYN0wsSdHLKyv6Vu1HWjaI8NMqw9gbJg2KZfTbP3cjUbYpjnkyKXcDVRqX4NPhPNOxoyl/VMWYdv7DESyqkGUTFPQ/hf3LvTT/sjNVmn3wJ++bsR3QUGIbmftNvCKEFopa0L25giFK+15DEEsgcD49U++xwK1PR7+kh/YjTvYs=,iv:WCtDjc7r2dTCC9xjnY5HKXLLha3V061mB91l1vWUvsE=,tag:VmLKS4gBJfHivb8xKs395w==,type:str]
lastmodified: "2023-01-07T00:22:48Z"
mac: ENC[AES256_GCM,data:jaVrE7H3QO4+kvo7/rO6of8YnxGL67Ey2dIwfa3hpl2WDSwdmIOsav3F9BqTbYKw/MH8BeLb0skEosmoJY/991C8j2B5RNTiEIOJHVakxhRzo0vopBu33Q4C59/zOlwqqJEPRUvwhr5VizZ8HshUApOxpDbDBlBEZNXj1i2N2zM=,iv:emsmabR65nNVoKRBAJMneiIdkJIcL2g1aiV8m8PmMDY=,tag:cs3nrvcutdQUJE027wm/6Q==,type:str]
pgp:
- created_at: "2023-08-08T22:43:51Z"
enc: |
@ -168,4 +167,4 @@ sops:
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.7.3


@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
{
imports = [
@ -14,7 +14,7 @@
boot = {
loader.grub = {
enable = true;
device = "/dev/disk/by-id/wwn-0x600300570140a0c027cece63a99e8a65";
device = "/dev/sdc";
};
kernelParams = [
"preempt=none"
@ -54,7 +54,7 @@
locations = {
"/archive".return = "307 /archive/";
"/archive/" = {
alias = "/tank/owncast-archive/";
alias = "/tank/owncloud-archive/";
extraConfig = ''
fancyindex on;
fancyindex_exact_size off;


@ -27,61 +27,43 @@
fileSystems."/tank" =
{ device = "tank";
fsType = "zfs";
options = [ "zfsutil" "nofail" ];
options = [ "zfsutil" ];
};
fileSystems."/tank/poelzi" =
{ device = "tank/poelzi";
fsType = "zfs";
options = [ "zfsutil" "nofail" ];
options = [ "zfsutil" ];
};
fileSystems."/tank/storage" =
{ device = "tank/storage";
fsType = "zfs";
options = [ "zfsutil" "nofail" ];
options = [ "zfsutil" ];
};
fileSystems."/tank/backup_vms_ceph_migration" =
{ device = "tank/backup_vms_ceph_migration";
fsType = "zfs";
options = [ "zfsutil" "nofail" ];
options = [ "zfsutil" ];
};
fileSystems."/tank/dump-dvb-iq-storage" =
{ device = "tank/dump-dvb-iq-storage";
fsType = "zfs";
options = [ "zfsutil" "nofail" ];
};
fileSystems."/tank/erisbert" =
{ device = "tank/erisbert";
fsType = "zfs";
options = [ "zfsutil" "nofail" ];
};
fileSystems."/tank/shits-and-giggles" =
{ device = "tank/shits-and-giggles";
fsType = "zfs";
options = [ "zfsutil" "nofail" ];
options = [ "zfsutil" ];
};
fileSystems."/tank/storage/ftp" =
{ device = "tank/storage/ftp";
fsType = "zfs";
options = [ "zfsutil" "nofail" ];
};
fileSystems."/tank/storage/sshlog" =
{ device = "tank/storage/sshlog";
fsType = "zfs";
options = [ "zfsutil" "nofail" ];
options = [ "zfsutil" ];
};
fileSystems."/tank/storage/stream" =
{ device = "tank/storage/stream";
fsType = "zfs";
options = [ "zfsutil" "nofail" ];
options = [ "zfsutil" ];
};
swapDevices = [ ];
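Review bot: Dropping `nofail` from every `/tank/...` mount makes each of them a hard requirement for boot, so a `tank` pool that fails to import (a missing or degraded disk, for example) would likely leave the machine in emergency mode instead of bringing the system up without the data pool. None of these datasets look necessary to reach multi-user as far as this section shows, so I would keep `options = [ "zfsutil" "nofail" ];` on them. If the stricter behaviour is wanted, a one-line comment above the first mount saying so would help the next person who has to recover the host.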


@ -5,9 +5,9 @@ ceph:
osd.7:
keyfile: ENC[AES256_GCM,data:yUDQ8bwnK7a++XFAVRJscbIxuBsLgef9ueGG6qujWNUyrmAZGvCMdg==,iv:MuLAqz5vcM92IuHEC/OeexSmXMdVYiwZgoxunlM0GHs=,tag:pR/JXDJSF1px7dzelpySeg==,type:str]
restic:
password: ENC[AES256_GCM,data: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,iv:T23GpbDj1OEV8PTMmswLM1EvD0z//MkhLAtXLw5q7hM=,tag:o/RXrQnXbAPzgFP7fzfqow==,type:str]
password: ENC[AES256_GCM,data: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,iv:GxU7Cw9NW91e+HqhbhvPjkc6iKo3xYFrkVFvpliGWt8=,tag:WWwzq3xsPlMcRzYCJmmEUA==,type:str]
#ENC[AES256_GCM,data:PHm96Uz+irAo1jFg8CISWCkQNnXwmCDjBMcMFF0wl513tYYbUvLgxFXqiEDvQZlG9HTB,iv:QK9amqrVzWqzeYhELFWMpoo67uTNfouqMKK0/9Cd4+A=,tag:Y2Ds/bEz/L3FN8C4aq/Trw==,type:comment]
htpasswd: ENC[AES256_GCM,data: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,iv:JdMbWgSVyMsryaPRPI3mmzPB/lwsKzTqpuMH6zF4Hmg=,tag:bWKh3uY4+1q5sep8nkMXNA==,type:str]
htpasswd: ENC[AES256_GCM,data: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,iv:S9atTZFn5WEM1V7RU3MgPf+UvQUVwBpajZ+zkt+Jc84=,tag:GFldR/bV+yQG6ZcQey9K2Q==,type:str]
sops:
kms: []
gcp_kms: []
@ -32,8 +32,8 @@ sops:
cjNaNGNGNVRFU0VCYUp2V3RrY3JHM0UKHyu9ugwq1UJc01UXNKTp16R8mZCs1cSn
kpCNZTBID4lWHTV5lCJ1qtgS5zzjZTzIBm0l7XiwPXBXXhxe9YL9Lw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-27T21:55:28Z"
mac: ENC[AES256_GCM,data:4ruLaXYc2DeS5Oid8UM3cux9sEfIZUqnMP2f9kDTbeiiycBNf16HZucWJ1O+PtjZoPNztPpwwKRCGk6GKT/Fxq9VHf7l40jZipJVpLGTF2CSAMmz0oVSgGZwegnVcE1yj1r1YJYCBzPsAPNWcRbib6GCIlXC4b+9IJDFW/j9WCc=,iv:pF5vkcNd8xd5xujXXJuQcW7ZKUd/ZYjSsVZvG9b3Fq8=,tag:lySjx22Cb60lSeKCIw1J+Q==,type:str]
lastmodified: "2023-11-14T01:34:19Z"
mac: ENC[AES256_GCM,data:RyhLgw6/+f7M0oPZmcfvE1cdStsNzKRAq9p+1HMtPZ2nHPr5CyjuiyjGXK1slfXoA2rBb9fo0E+KlcnglP9d6CKnIku9gpNYypXVsitW8StoydE+BB0I7V2aTd7SeBT6fy2nQu+Rt3HqTOc1KTO9JJSNVRb245xAt8QoIHEiV7I=,iv:Vg8Ro4KVDmgjYyXx18jIqj7t/C3BAfgzmjRVPfR4hZc=,tag:69c7gqwhdmHAi6MWBXVohg==,type:str]
pgp:
- created_at: "2023-08-08T22:43:55Z"
enc: |


@ -145,6 +145,10 @@
url = "https://gaertjen.de/kalender/?ical=1";
color = "#3FDFAF";
};
klimacamp-dresden = {
url = "https://spaceboyz.net/~astro/KlimacampDresden.ics";
color = "#7B996A";
};
gefilte-fest-dresden = {
url = "http://gefilte-fest-dresden.de/feed/my-calendar-google/";
color = "#4B693A";
@ -337,10 +341,6 @@
url = "https://talks.datenspuren.de/ds23/schedule/export/schedule.ics";
color = "#DFDF2F";
};
terminal-digital = {
url = "https://terminal.digital/?ical=1";
color = "#8787c4";
};
};
};
};


@ -1,107 +0,0 @@
{ config, pkgs, ... }:
{
c3d2 = {
deployment.server = "server10";
hq.sendmail = true;
};
networking.hostName = "vaultwarden";
services = {
backup = {
enable = true;
paths = [ "/var/lib/vaultwarden/" ];
exclude = [
"/var/lib/vaultwarden/icon_cache/"
"/var/lib/vaultwarden/tmp/"
];
};
bitwarden-directory-connector-cli = {
enable = true;
inherit (config.services.vaultwarden) domain;
ldap = {
ad = false;
hostname = "auth.c3d2.de";
port = 636;
rootPath = "dc=c3d2,dc=de";
ssl = true;
startTls = false;
username = "uid=search,ou=users,dc=c3d2,dc=de";
};
secrets = {
bitwarden = {
client_path_id = config.sops.secrets."bwdc/client-id".path;
client_path_secret = config.sops.secrets."bwdc/client-secret".path;
};
ldap = config.sops.secrets."bwdc/ldap-password".path;
};
sync = {
creationDateAttribute = "";
groups = true;
groupFilter = "(cn=vaultwarden-*)";
groupNameAttribute = "cn";
groupObjectClass = "groupOfNames";
groupPath = "ou=groups";
largeImport = false;
memberAttribute = "member";
overwriteExisting = false;
removeDisabled = true;
revisionDateAttribute = "";
useEmailPrefixSuffix = false;
userEmailAttribute = "mail";
userFilter = "(isMemberOf=cn=vaultwarden-users,ou=groups,dc=c3d2,dc=de)";
userObjectClass = "person";
userPath = "ou=users";
users = true;
};
};
nginx = {
enable = true;
virtualHosts."vaultwarden.c3d2.de" = {
forceSSL = true;
enableACME = true;
};
};
portunus.addToHosts = true;
postgresql = {
package = pkgs.postgresql_16;
upgrade.stopServices = [ "vaultwarden" ];
};
vaultwarden = {
enable = true;
config = {
PUSH_ENABLED = true;
PUSH_IDENTITY_URI = "https://identity.bitwarden.eu";
PUSH_RELAY_URI = "https://push.bitwarden.eu";
SENDMAIL_COMMAND = "/run/wrappers/bin/sendmail";
SMTP_DEBUG = false;
SMTP_FROM = "noreply@c3d2.de";
SMTP_FROM_NAME = "Vaultwarden";
SHOW_PASSWORD_HINT = false;
SIGNUPS_ALLOWED = false;
USE_SENDMAIL = true;
};
dbBackend = "postgresql";
domain = "vaultwarden.c3d2.de";
environmentFile = config.sops.secrets."vaultwarden/environment".path;
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
"bwdc/client-id".owner = "bwdc";
"bwdc/client-secret".owner = "bwdc";
"bwdc/ldap-password".owner = "bwdc";
"vaultwarden/environment".owner = "vaultwarden";
};
};
system.stateVersion = "23.11";
}


@ -1,176 +0,0 @@
bwdc:
client-id: ENC[AES256_GCM,data:pFDg11xfXbx/X40z7Rs9Ps35GuK9ncBbB25VYZJMaRyv17fCbMaVJmnvlnFZOkVidg==,iv:SG7QcH/QHJtEAd6eHzakMIHVs5W6EiaPNsh+G9Zku9A=,tag:ZEL1UGJy9lR9himlbGpSoA==,type:str]
client-secret: ENC[AES256_GCM,data:41ivEval7TegKbYl+Bla2Dgs2h+P1kTBKUr39qPD,iv:BvsO1GcwGbhYCN92yjSFMZiIhX7s3KlrGd0mJEXN1hA=,tag:G2EbHWjz2N5cqOM9MWqStQ==,type:str]
ldap-password: ENC[AES256_GCM,data:DXVH3RNBH+1OguL/yAFPvFUoU1EocEi4TQBT5qVFBF4=,iv:A7IPtApfow+0mWTpNSsZVPWzBw7WjvN4NEAgn9Q8cvY=,tag:7VcvkOjpaDfdPF6fyBbZiQ==,type:str]
restic:
password: ENC[AES256_GCM,data:3t8PjT9cOsv4D6rhRwFSyehsQzofXaXqt/EXK7FiBPg=,iv:HlyNiUsmlma47BhNvLeuew4lx4uldDqL/O8fIsSFOPU=,tag:LBDt+WTU2+z+LfWQ8hqoIw==,type:str]
repositories:
server9: ENC[AES256_GCM,data:bU7kWorWJkUuyjJobONcif/bBhTRX1zxNI+ZjUAXos5pzpiTEMe+VrLtDPusH3Qi+tTB/kqHreb2z0o/P78pow5RjcShawWPVPqTi9DqDmM+AujI0MPW11NVf4OAnoXzkWIUGiB0lEsPEIwt,iv:nqRtZB9/XAV37Ji3t5LUvS7B5v3EnCwFM33peRe2ytA=,tag:8D6Gukx6xwaCUyEQZrpiwg==,type:str]
vaultwarden:
environment: ENC[AES256_GCM,data:LdFZlwHkw4VTBvvO8gXcSD1I0AHBVQznDME1FSbofB5WrtfKH3Bu2Kh9NsB9O94QgPolQewHgmdxVPM0OG3Gl+xC1uv8/+sof6U7xiwiJbVE/SRy9urm8/oNh0T3Br1+C+/326Wnn9+yq1ssX9RAFQkq+YVLUCgq09Janbr/RF3VddMEZjhtl6JvbFKb3wNI4wv1E7BTfehThkGykZXlKKPw5EYxynrKZ7IUsrS+Fk30RS+FRpX3NBlCNnR8kil2hlG85EwHRM1+DaB8WFQ386mEHbS+ak5C2lxtU8yx3WnBlI7mC/BVp+aXoP6Pau/Bk9m1/bsZ3oorS2aFO/UumFlr8GDvw3ajbj3vYhMoVqfpWlq8v+JiH2kaHmzTKMJ4csg5ip9mulgMtRlqgwl/qKluTaqC2G6MftnumrOreex0huH+KRAAcZHHzvS1G7VKWFGb5bg=,iv:8EXDbhA76N6Ml+JOD0fCHhUINlDntWIxLrvt+4rZ4pY=,tag:yEvo70FfwifefoCbiMx7yQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1xs22728ltpl3yh8hzvwt4g3gk8uc32lg8cqh86fp5d8c2jlvp3gshmejun
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0cGdRV2RFTlA4cUJ2aGJr
Rnp5TWJlMDFBVEZYWXBBVnVnVktVbXBzbEg4CnFwU2pIT2diUEZqWWl3L1FSME85
ejM2bkI4ckN3cFY2eE9HZTdFTXBDVzQKLS0tIFRhei82Z2hNeitraytKR0tvbHMx
N3FoUmorc2JSWThaMU40TXBxeG5xeUEKLz+AkDz4oFSB0YND8N0PAvKJ2Cl2hE2S
zJ6t30pNNPjsJFBEOtVW6yhLBIRGwZdOiAzI3MfxxOVNSGSbZxVc3g==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4V0dxMFgxSkVuZ2VJNng0
WmpWbTNNdExrdGtiZkNVOXdZeFExR0hUb25VClNmSllBb0pNNkFLTzBTM09Ba1k3
VGlTSHpFWFk2RkdtbVRsTXd0UmM5cUkKLS0tIEwyODd1cGFrcStFTDdPM3ozR01H
YVljODQybmFBaENvdlZtcGJNaXdyWjAK7TenBrprqo++EzurqXqatEJncCU5g0JH
9aUpNebhTuauCJQcObj89tjx0EKuafe7Nn2wgiV3hNPIGa4+YXnsSw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-25T19:09:35Z"
mac: ENC[AES256_GCM,data:rsQw8nYs78jCTKWHhwOuU8d3SS2pCnKpCo6U3RpWCGIdKMFq8QGBgarycAZgxbGc9ErEct4K4XhZ0pcX5qJgRFPE6YhDuRnKm/kQkmgXe63wPncQhUUq0U3P9q/G1Hs3uJbMyWgnjQQ2Vo8sv9mTbseS8ettbuJUNjK6mnblzIM=,iv:476qCdupCylLCvd9tb+VIDtbbqlw1Z/tezQh/d4jjIo=,tag:azw4aUqFD6zszCCYAny/KA==,type:str]
pgp:
- created_at: "2023-12-20T20:48:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=KkQQ
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
- created_at: "2023-12-20T20:48:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=fOp0
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2023-12-20T20:48:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwMCBBrc/JA6AQ//X0BH4wWWs3DCmXzpF5XF03LlTCbPyBr4mfQo5SV9OwiC
wif9ykFPeGgVMJpYeod3qU8IGu17e9qqJmSOcTRCVgNA/SgjDHExe8qUGrC0hOwO
eg20s3dmgZqkiCLtg/7D7P9QSp8SBxpdkKqLNDq2sLPAGdXQRhVEyIyCfuTg98hJ
Y4ANSdCtUqFpvX82oNLK8k7xL2GwDEBLubNMSjDBkYIPXmQ/vnOHWTQFLqihqV1p
xtNkAtqP6qLWD3k0W+PeF/vJKxK6FfFlw0PpivXhyxy/sPA4xnCVIBUdCvPkkdmp
Vfsa8CZpahxaxL5rfyT3vxPswh1nUyWlBF7+tTeui5L189iVdY5IclCBo3v2yuUt
JnxVrck77jpRyW31CvKiR3DC5XroybpLRUTlL5ac9rSHeEt7vK8yItRArz/lSHcq
JdVSYxlNL/89gURJMcncdRE/QavQWd/HEclYznpGwQHAypTvE4IeTJrx3whyFRB3
2HB7rlmQ7ggCUMDjxFSDbVAgRdXDYFbnlxVd+TK0SFQldo5R7Uodj5u4WjqPI81D
nTcbK494lxAKuXfjtElAJGcVB7wy9npqG35qTca7Pa5D2V1IiOSG5lTF1uTr4mgW
cFDFk3fAIj8wk1iegX68DI6+vkPin6x42IUjvjBlpzpjxPLwPKdP8m40YyL0VcHS
mAFAGzt9GQ6GFMq8FYjPd+I/J/txJIZe3mUW1KIWEjHg+6LvfBn07UXdyIEeSHQz
KhX7QIBTEULA+uEGexbqNpk70l6IG2DMiJTglySKhcBnZ+qU0iGt1wxPxdEa8nL/
5SjftbgiHJ9P+Halaqw/lDSVVaaCuvoPmKoSHZziz8RbyZUQ9fMaRKFpNbVR4CeV
K9kY537JxHDv
=Ar0v
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2023-12-20T20:48:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA/YLzOYaRIJJARAAyS0biIjy6/JASoBY5b6adOEsQ83Cu3vKGF22aZeMqWsv
CuTY67k6n/oP1mBFLSsEdpDN86BFUW+UfztmunLrxBwLeLy+qPUCopGD4hCiTcD4
CPl9dcbz07y2iTWDdc3U1HHgVn37MRA+Swzx9UN1k0NRjse3KdX4LZl/xiUs63R+
pndwNEfKalcv73oCl/K4I+SOiaEK84jWscxtBM7H1GU0EgHfoY5WFSieBsep+cN6
Twaz04fEyrw9E7FWKtMMqf8wSgl+tLyj6YyLh/+XVG55+qfnzLX7cp4fm3R2ceMF
+FJV3Ao3btXNRBFZHDfUZ61xH82lWWlVgNCqtpwVhUoPDV0AMz41uMkjMhy5EGSY
rU+CWv9v/RKQsKV57u21vjAtiMUQQh1MMj4fwq1hvKVgIvaY45qiYCgrtn9Dzi+0
gwwkTKsGnARh9mLvAlCwBxRxk4a8ync3hO1XxNR9SjvJL7fS3mI9/693M3wGjdBZ
vnmp8bR+e54Q8YuMuL68ND4HBZeZWY92yjF1peTYryepbi9MIDNwqFNeCpT4URSH
7yzE2oo3161tz58FWuAUFSSqbzcV1tdTV0xYhjqrMj1j7i/MWvIxg04sfGIEGbNv
Zju7ZoacNTuL+BNIDqAWAkrfMGxlu1zAXALdKLCF+kRQQrK/wjxpbQf8q1X9CszS
XgHPuqqnbm2mru2VFcYbCC7i7TI4Tvm8UPw5dZDPhnJGUVLoz69w9QDO5gcrOS2P
/2uKNc7pFAON/Sk2KVR1ZOkcvqzbOCu/XUO3EY+PmOxTtws4C+ishzKyw+lLMjc=
=8++X
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2023-12-20T20:48:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA9qJIVK2WMV7AQ/9GC/AT6iMCK1Yakdafd/e2jt89hZb1cyyG+IuK1ms9D87
66+0xdeQ3vu+i0xxUFeZSQD/jS3KQpyaSlXoAVt5crnrcN/HOP3PAMzvGuwofrG8
EEQbK1O4WzIYuuFUdZ9ayddLE0952fqBg9h6HoNX2qAFdXJMOldBRevse5TqFGKp
vVQKFxUIu8FpR2mlWprBdbCc4jMfn7m1R0T9L3qLU/9/Sk4muaQOeBPB2zXxP5qJ
5zlPlBtAvBV2vkLe/Jzg+2XqxBysyPu8wbexLpcefzbxXTPkMgBf++9L2H15/d+E
IcoNTWOJwnd2bLq0jSgwzoFu499+Yl5v5F8E1a7CQ+3qK3u8rgfaZpbwrSvoq2mq
Zi1vBgFLhdghooRS+JW0YLM67bPjRvNDDSRio5Z2By9WlHYqQGMzKwhNatrU8rF2
xfbH7HQxO5A4InsmA3NRAkcj1O5Nfr+XKgPCVWVEw8iD/RaV/Mg6ZNpRZCdWdrlS
6y5il4feL/GcRes/MJD4zQJc4lYE9hvfkptWEsL6VVK+gaSt3FY0vkI6jPu/Sszv
X5LIZJV88Py9+biL5Ro3i1hCPYxERGEFk1g2lZXEz2Gzn8OrXH1NA7L7LCzyiCFc
7RIY/Su1SCOXHxa1Gjg/YCm1zOATXb72zG2od6X9uW7A5vhqZw1fLJB0cDZuI5XS
XgFY2Mp2+TsbDA8PbFT5+krk2k/58pbjibHvNcxKdV1j5rCVV9w2Pro4PpSLNBU7
saONoM+CGhXypwmfQh1fpbeObPpNkNBeykldQoZz12D1EoaYPUkxlSMD9W0QFOU=
=YI8r
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2023-12-20T20:48:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA9XEenRNYVGHAQ//Q1bDCF6aIkppEyCHw6082/W3JsDJy/use/miRpM3KS9k
v1WBAXe49P9RY8LD6IM9AipK8kprOfZq10P8CZvbfenA0MdbFQYAQcux+OmjqhBv
jW7d0hNMBKyUp4f2wtpnBZCjYil8R1LFKXUfDLfCP2GDvWUcL/j9xAL3f+EfD0JC
fNs1LMH5WXaEf/lo51G++Di6hyng3VPT1gId7nsrqSnoIw7A7KqxCoEgwYMYy1tR
SGW2FATQ37WwygHInIgpZStbFQO03SNe+kEtXjODufxr6BqZZ+oZ1K3ZcvaRwDLI
g+nzt2R0ncg+vUYEqfbXvlg6VxApMXirziCwfEKN//foltpm3Umh/T1daN0AIxIv
Zi0euE2sGAC+0VRipFxPR4MERugwF+dcpJsl3opF/XYESiWvH/I8PSRBrlVxSSEw
JxRd8kJ21d38CgzCNBOTMtZL1rOfmUHWsA/Z8oCmdFVMzy7x/lCJa+BxY/zy6KBz
xflMLosEhuPEj29gzEuPpZjzgMyMLRZbpHvJDVrJMIFHH02OqPHMHn3nMuFWu9y2
ZvO0CsILXS2ZIvhjB2fLkvwuu1f1AihVQCN7ed0AV12B/Y06rvXoxS5cFDXjiNK5
TQGnWjyONok1bcEqbmSFixAOVgjHptvowGJ528EsFD2WrQMwINmPl1xh4I1JOKrS
XgHuU9QT/du1gqy0/6SdFJebGi1D5soZZCc7SSAFq2g56iLtgNa1TF8XuEh2rbgb
Fz8EauxQC6EFmFrmjnKY8ZNkJw+JtghA4+i/F/i6ufxkiO3lCno8uKZm5T7n7AE=
=OZxN
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2023-12-20T20:48:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA45bZkLXmBFpAQf/dKhs1CUnhYGxmJEeaDHblnLrJN8T0o2PJ0FOexeaejrJ
BwtJX4pMGJVCAcZQRsavKsIKQuYEc9x5EE8gndIeIbchNpg7c8Sa6m9t82bdp0Tn
cUqj67U7BMuEvxcgs6vJwfQeiRF+buz9z5TQTlmfpeQXTbS5UoZFknjWJAg6iQf4
IaGbz7vnZPZZmM5g2mzz3KI/DeWtjH2svJH8tfJfCkUssFH1HG2oWDXjuV+PNaqt
nb6mfOWCLUqv5S3LQ05bIo/c67jO/zMDkfMw40xjsXv7vhwp8R9YTfTgSR2lnVZn
/dFKeFJ+Fa7O+uurFA/JBTm1wnQU61cV6LjlJcfE4NJeAd/uK7WAvJFHqkKChyVP
Iyq6OWfmUfX73mkJK8dvnHqcDIaB/hQrs5bcvy6RZS7/w8KnfG2RIw433LA7vXzb
Jl2pJAFoeDYvBEG5bm4CvoKoiHU3Prm0VGSW/+RdKQ==
=U6O/
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,26 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=tFtY
-----END PGP PUBLIC KEY BLOCK-----


@ -36,202 +36,115 @@ Wtb8GNmAqtK6WCXEHcj7r1FpXaiVkoDzWfc2pOlNmW9unTCJmHR/UYrSf3ZDvwCP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=TXvy
TN4pX4dxTmkwjab9yu4tbE9FTOGzRN0PUnkM6Ngg0mYqA6zFF6kh4f20F1NhbmRy
byA8c2FuZHJvQGMzZDIuZGU+iQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEA
Ah4BAheAFiEEU7Jq7cCCRnFeFVBLI2tikVVehAEFAmTK240FCQyPZ3MACgkQI2ti
kVVehAENwQ/+INxvl1lM9YEeHWjVAITeTZlkTiLzcZxEZozL8TO9U3KvPPdSJE7w
N55GypW+C3JgVf2n7aN5j0wrj/VSjsiMch10Us4b3EtsTOSnZIEYF5NpP9k/BeKF
7XdIyFxmrQxXW+e9ONlPmXx/2B3bYF5rN87h/Nsxe6fjKri3sKhZvAyOKKjJap2Q
3p95xwdciue4aNJnytJiWXW576pneZPxopKA73SwD2U2LNqezUaDHjzYvHpqwK3D
Xid7Gfs3AvY+9k2KURuz3q1HfhKZv2MVbQV2QIiJRLGJyUa80qIVaWr6r8qT/sBD
16m7D7QYRFPDr5/KHlcsTMjFZ8JB+rRUPT4bvS2Qp0/6fDDSEPSTKI5+nSSEtVOY
bPcd1COSUQyaqOQbKyLiWjh5FHdaLkh1LNvGbNebhJRmqwBnUPUkjSi1sYeevs3d
cplTquHqQFmW4tpGBgvRcBPYyrOxMOgovXapIQHrE5v+cEzbotcz+pCViL+YTeVp
2guYVrTdhRRGmWOtitixlG2jAw+GdlyyZfZka5nPDaowC2LPe6ToU4CfFIbT4W4j
bfKiOHV16r5ariG7SCss1Xr8S4xxwdE/cCPMZSzEwdWnSgFOJ93+IThrl/uFFJDr
OdAynQc6uHDSpqHfYkZVTr1GdiqCkHwborhLQElATXO5cEZd1Y4t8ZGJAlQEEwEK
AD4WIQRTsmrtwIJGcV4VUEsja2KRVV6EAQUCXysVZQIbAwUJBQYvCAULCQgHAwUV
CgkICwUWAgMBAAIeAQIXgAAKCRAja2KRVV6EAQG3EACf5kx98iMUv0LIOnHXhmMO
f7C1BmMSrhDOAXobzE4BV+sZr38Y/1gK7IKaHkcIeLXUwo+mC+WIczdctq2nAgM4
ua/e6o4EY70NLurD7LmMkyt0rYfNXXsaN2q6oThDsM40VKWTc162hDvzaHYirJ8P
kbc9g8CYmlZp7ITsrNEWhMtL0F41JoyGT6J6VYBfaJRzFHxQSY7YDt8KLevSWLbt
qloZzZQZ1KZfY/tR7hl/vB8GK8hQENcD3/GrMWebvQu2PZCruaVsGTz/c2DKxFv5
ITrLpR7v0eMmPMZmbbmDYumbCpyPWFJRuUtlfgyqIg8x3ycmhhgfq6h89RQOZfYQ
w9Ixuc4crMCPCE9CBGy3mqXgiSJqybhXhvPZYSDJw3dl47JkpG34Po2v+jJX0EFQ
4Eb28uTDvrtdEMeYLSp9wQLHwaStcVdPf3a/OeawGBaWGmXU1u3qKGjFc298D9XT
nB4LhEZQV9o4QeSmDcsoSiEyyfayIQl3rkZy7DQAmZg+2nRw+/LQoWwYrzKd9E9V
NbuxKkY5uSOMYfLUSoaOgoklazTpikBrjRD+l856jSUvkiPmDMnPCcZpfc4MEDcw
ASO0PXpfQcxZ6WPkusKx6XpLdiYqoFBsA9/pXgc5ixLsgMkxqp+AhNAggPiSkOGZ
1grmEq6jaFUEfuX5pY2Mi7QpU2FuZHJvIErDpGNrZWwgPHNhbmRyby5qYWVja2Vs
QGdtYWlsLmNvbT6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AW
IQRTsmrtwIJGcV4VUEsja2KRVV6EAQUCZMrbjQUJDI9ncwAKCRAja2KRVV6EAQTa
EACYi5ns81OeetOH9FW2+Mmy2sXe+QxljJ1pFGeC/ZzDw5tE5PiYWkiZSxzGdGL1
38jxnj1MN64/9lL7qNMImKS2U1nKkWCaUUiaE/S79wjzmzaIOwMFZBK9WA9nPEjG
v+QdvxyIhCkR+Q4IY4fZNjRnXX3JXRhPS9EJWKtJye9eJlDx4612Buaq45IS7Aut
1Y61U03DxFUeef5/40U1qcDOMxTVbtXpYhUpudSaPHsKUqFXlt9G64MJsyAjhZQ4
6i7oJX5MSC0udlqmkHprwsx7vdP0aAtaFaZfF3fajtIuAFocpTb1sjiNbWa8GaJd
fphk2GN8lbnbZJj6KCrVOm1UiuyilbOwSwe5XWPvQOK4Tomjw3a413R4jSqyC3kF
TqgZGaIzjJjau9LdtYdM9YoeepCyxcDOKDYzUiKC5TdLsZF4mFiJkRldhIHL8GLa
Xc0+IjMjiraAgI1Uby7o4xWNZ0Q3++HtHItdRWrgBYpUUhe4v8gpO8hVT3PMiOa5
c/+O/LohFTw8YY6NWgGnVqa1CzvgYvKsvpAczxTl9lbglAK5u58cCbqgzT7MpZF9
/iR9sIVxM3WFTpAseYuHnZgqvcvrxJarEKsMjeuKX39gXSh4rcfVmEEorx6BG/tX
UWlKiZBDhhemMrPgnZxK38lRBv9XOWD3l1m8g7UrhZiqmYkCVAQTAQoAPhYhBFOy
au3AgkZxXhVQSyNrYpFVXoQBBQJdQaX6AhsDBQkFBi8IBQsJCAcDBRUKCQgLBRYC
AwEAAh4BAheAAAoJECNrYpFVXoQBrScP/Aro56we21XO2jM1rDVGhwD4gK5Am8Ov
ygOMKdMD5pUxc4sN7U2uN9c4IMew2P0U4anAxUX5zGKZkXJOKtJuwsz7ugfuUZMX
Cxu9zD7oqK3fCF4T98ibOtCKuw64S8GK/XlVh/Oy9OEhMssPPRvGrETcha09V6aP
4elywtw9wkgQSi4Y+xIcyFTBW3r4YzEi6odm1KqmHYhPLW4w1At4h5x+bRejHg83
mrJQD+DvYF9S/wEYrN9ysUZiDM+Dlh6ajr24Krel/dIdGxyDBZVhRzGkn4g8II8a
/UWu4AiSQ844nx/ujYTfg85048aFqxTgbI1U9W205WkdSrvFPFEjkNqNwVaO8YhA
B0tLiLbHLtRwYWrsUxcdR+JhGOgO6SAGgi/qnkKkg0B89WtZMCYx7lFH/Son2O6y
39kB6WTu6nm6nhuo/9bcK2cnmfKmG+aoQQU9cZitv82wLz7Lzmn4OdLLipCsACip
3fwhopTEL0NCBl/eiY5dPVtH3DtWycqohfwlIw8is2Rq4M29dyj7NPVgH6ubwc0c
A1Q5JABnV4xkU+zrUoZTXuLDLgCISfyZs6gH/2TcUjxEBF7spiQwZ233qHQf2uRY
RoSinajSXjo1Hv4e5PpMykXgr0gKOGrHmwlksnmyn+VRJZbjBWgUIgq05zI4QiPb
spf60WEUSV+YuQINBFv92xoBEADAhWPfU2BOsnbcIW71Ic/EeBBgKPvSWF5Fi8KC
ndH5yjgqmO+p/4L9y2acYM/JsVpIqbvNeDhICNQEH8oLnBNtSRCJF2ZOE9t/Cgvn
Y/dcRmF+QtQKwI6P4eB92As2yLE0NIEdllLBnsObOws0qlFX6SvdCpXGTXPD58c7
Z2eCNrOTD8dlJD6qghTshcD2rqwnQGHZCuCJFIe7ii1SmzjLqvNYS61nCMjU6FSg
bk14tzisBSM0NDqvbOWiSkA4L4soSojf937qa5VEQ4LzFkQRQnUokJuf/WWfD93v
KrkFljJlI671vI/V80tRKJ4ShancVNUTCCXUZtvWlgZIsxOZKHfy9UEVyy61NVRO
wOsBbNOFLaIb76RveuMkSPKnv/m2VmM6H/3gSVuoYSRnNPNQiIA6O0Js0DunHDjA
jQK2QrDKD6to5k/2+tNSCGI4vLUg3NEtnItEivfGklrByjICAyI3ud1pZOAxXtHo
66Car9NwBa8a7sIAfBtaXAHLTEHS8CJK7vbwTBUi7fg/O2Dm5vwtY+nOiw481o56
CsOLe+FbT17j/665HkX2hIYt+HkfEEnn0EhMcY0yr4FolqLTCPKR295mhv4J2vSM
yvx/AL2jaN0IiVvrPaIr5yPeZybJi1PYFpouADdxl0r1Azl4vhededkFYkT2OAEB
/7rsbwARAQABiQI8BBgBCgAmAhsMFiEEU7Jq7cCCRnFeFVBLI2tikVVehAEFAmTK
298FCQyPZ8UACgkQI2tikVVehAEaFA/+JMv8zgqf2o4HTY8WXoUB7+5pK4DkMyKW
elba6WDs55DYG9WcSmqGKYw6NAzaeSHfpt9oGL6gJBwht3HUeRrtFKuVeJYRU5p+
T5HHAqkvM7leNSM+Mu3dvd/BZRgfpxA0AYDQRpp7s/E/ew0Q7aQ4+pPyiQqEcPQX
pZoULr2yHwhOYqN3b9l7KR+NawN/k2iTCmWw19uZeVaugn2y9ws0f2CKm3wiaQ2m
W4f+OW8dxWCXkLRUI2bb0nSRsqPuIOJgUO9T4ncvILzRYsyA5Ur/BIl/fg1G9gLG
bzHp0XvLA+FwxM1hoXTX+aouZA52NwlJHjUzrB/LZO5K1yie97eR6Cy2glOuNZ2I
ZCpXQShbH+8ahv8nQFvPy738giA5NteFVF0swMrgHIjAy8gAepUnaF2LZU8vTT84
8SSd8MpDlBVlELGCjdSOeAAJqjoZ/Myfa9M/Ez4SmItmq+2KAOxaeBKq4mxZTO2G
VaQS4kOmGqwwiq+WlQJ/ayYRY5ZCm5GLFuioSEUzTb9+3u4SwvYMgGS5BCPVa9nM
qNf6gOTupyN2fw2sODKksT5kV1/k/5TxYJUHn7zbA/iBr67hGXkhuxuV0LdKZpJe
qZyV8SM7+1BkbYZTtxUd5FkS+pSvfQlV0jnwzQpW8C75hX1zVsjhib8CyRlJnk6m
GxzvTEizEEG5Ag0EXSt+4AEQALQI+DXcnrfEtDVVK7esJ2n7pvcxqKd/yKhO/FMV
YpWmzL2ZpnQE2+Rc+fPNYO6rj7KBVLU0sp0Q5ittJ6R1wwc5jP0kOLiBt6qs2W93
VQ4ZGpkDbjmiEE7gZ+pXVD0sgphFyvr6iostuMW0xG8iLf3PrjctswYhs3ic1sbl
O/z+S3Azg7p6u0Q2Mco8N//ocZwp9LhIcEapZplJXyohjiPtyiaubSFUHyrBMQKz
+ZIHkx+TjFDGzTNkPe3Py3V1JUtRby7YUr1u95pKj0rOqp9ePeGwYGEVPj6ua4kn
xyaXdy7/b24b/zLj/8WA1HfX3Q8kYS79gJSUkkqYRjivDwhSlVdqKMNgSapci+1w
1fWiE1ltwGaFz9QjitTcrwogsQU5UO42QRR3EauCMJub7vzsLY23gjB1lwqOS1uK
YOAfEQ0114BQqjk0Ht1SAemrWkjcZHZav0Zas91ZPd8GTDCbjh4IdJto4T94DPwB
MCBF6q/pC0VO0vcqrZSlA2Kw51QezsFpk77BR2J8eHiCjyO7etPR751RuH/i6j63
topTJ6zG2m/OS/WGAyp+mhMt20Pa7BJXYM4TnXUxuPy1b7V2GS42H4/7M+7c8WFW
bWepkDjRdNp0JV4DfxQtscSY1zECcYwzyp4c9+X8IoaZ1Tw7mENNZooZPbG4Gl0D
p7xdABEBAAGJBHIEGAEKACYCGwIWIQRTsmrtwIJGcV4VUEsja2KRVV6EAQUCZMrb
3wUJC2HD/wJAwXQgBBkBCgAdFiEEhxQmicBftapI7EklOvWkOj7swuUFAl0rfuAA
CgkQOvWkOj7swuXc6g//Rihq/6PPxQKc0MN8lsWOP4KDoK+J6/5FB3t+NjWDEQ0r
6ZK11opiHqZQ3CJU5oQ1S8nEDwM3hC1c1Ja1gJIjDifDWKbndtFunaDBEDN6k3DA
AzkP7NoiA1RDO2bjJPfNWgre4BNxfO1zSNI6oINJgZmFRdPfBeWXrj5byioieZW7
DO7X3TSOAVt5zBeEJjblN1PBhDEP9u0WRGyca3HO6ssbqoyxatPJRxKbgnMMeKyr
iisct1cU0SfxYULwv6bW0btZd9LbHY7mvHQT4T9ORkRKMaV5TcyeD3lvo+2qw5dS
WN9epi4qTZl2l88FC7VE1Af/pnWDFpW+ha1/AP02Co51EUU27RCygknO50Hy++Wu
4qeeYkEI67zzrcNYPyDWHiqyptYVhrAPxEpKY8B791WVWiyyUrZbQQmHX+FeX0/n
EJqnqtgp/XJYdYfNe/uYXIggJj3OvpHBvE4bXjK3cKCWkV3wqO2COgpFFtt4LtTY
Pwzl95/kXsm6N62EqLPIxD7dmnq0fJfRMfu8aqpynh9d+DvnERGDeRk+9Nt4GrN+
RVxtaxFJeaRGGULaJib3Og7z9TbB6kw+nSN5zneHSuzNwm0B+KjNVL9JBIPQc8zg
2JEluK75TiWIMsZBhKbVrSb/QTYRJ/6x9ZpupX1y8s8r94/hYgqptZgXlM031mcJ
ECNrYpFVXoQBTmkQALEksU8+wabPJy49hCiJE47tBg4XsCaNN5AfjLn6QVvKwljI
NJgA4+xPYM01i4JfLlHErtEdU71GBM7SwRx8CTyEPxrZpA7TFVWVcFWcwt7/c+o1
bIREwcbGfRZbIkPQUZd4FZAVmARTpZPQRnc6Ff1nSvLAbqOzljIRwqA7Xgqxt3k4
TW6s16/9CVo4YW2wCudNxqxGqK4WE76jeQJoTxjI3rU3ZGD4AgtXMAntnNot3I1A
VDJRB6HBnQWqB1PUoniZoo+N916p7mz2UnE6zMi7mP/WG7oW+nbRiCHczkOGaSg0
W1KpL3a1//e3GLK9KqLcbX2ycxqIzBYmJ8Cj0frpoiS9xOLZXl/RV9ZcfCUtqaYc
EQOzugLsvyWmnyeJFRyy1nayKvxdQvL1yVLJ0PECAq0TPTrQ+KRA2xvAuYFsMEM1
Jl5crEhXa9qYFA2/lQm/gd4+p+D24o7W0W/F5X4FdI9cKqG45Jb3U6GLZPettF5P
C7Ogs5IDDhdGQ9Gk3ZAUhmaIEeOdyv2y5uI1a31kbQbkWGCydg9XJwtJOhj28TTT
rImw7scvRl3gfHA5kk8gBiC30kQLFWmOxAk9sP8yOD0G+2n7thH9xucBhCz6K51K
f9G7qHY7gL0c5Hf9uX3EXpjdtBeHVbkHxk1yi5/QleEgHGRH6k86p918jgQf
=YdQV
-----END PGP PUBLIC KEY BLOCK-----


@ -1,6 +1,47 @@
{ config, lib, pkgs, ... }:
{ config, is2305, lib, pkgs, ... }:
let
# _____ _______ ____ _____
# / ____|__ __/ __ \| __ \
# | (___ | | | | | | |__) |
# \___ \ | | | | | | ___/
# ____) | | | | |__| | |
# |_____/ |_| \____/|_|
#
# errors such as:
# mod.zeroconf-publish: error id:47 seq:349 res:-2 (No such file or directory): enum params id:16 (Spa:Enum:ParamId:ProcessLatency) failed
# are harmless and can be ignored. You most likely want to restart your local avahi-daemon: sudo systemctl restart avahi-daemon
pipewireCfg = contextExec: let
pactl = "${pkgs.pulseaudio}/bin/pactl";
in {
"context.exec" = contextExec ++ [
# should be loaded by "server.address" but that is either to late or razy on 23.05
{
"path" = pactl;
"args" = "load-module module-native-protocol-tcp";
} {
"path" = pactl;
"args" = "load-module module-zeroconf-publish";
}
];
"pulse.properties" = {
"auth-ip-acl" = [
"127.0.0.0/8"
"::1/128"
"fd23:42:c3d2:500::/56"
"172.22.99.0/24"
"172.20.72.0/21"
"2a00:8180:2c00:200::/56"
"2a0f:5382:acab:1400::/56"
];
"pulse.default.tlength" = "96000/48000";
"server.address" = [
"unix:native"
"tcp:4713"
];
};
};
cfg = config.c3d2.audioServer;
in
{
@ -14,55 +55,12 @@ in
boot.kernelPackages = lib.mkOverride 900 pkgs.linuxPackages-rt_latest;
environment = {
# _____ _______ ____ _____
# / ____|__ __/ __ \| __ \
# | (___ | | | | | | |__) |
# \___ \ | | | | | | ___/
# ____) | | | | |__| | |
# |_____/ |_| \____/|_|
#
# errors such as:
# mod.zeroconf-publish: error id:47 seq:349 res:-2 (No such file or directory): enum params id:16 (Spa:Enum:ParamId:ProcessLatency) failed
# are harmless and can be ignored. You most likely want to restart your local avahi-daemon: sudo systemctl restart avahi-daemon
etc = {
"pipewire/pipewire.conf.d/audio-server.conf".text = builtins.toJSON {
"context.modules" = [ {
# https://wiki.archlinux.org/title/PulseAudio/Examples#PulseAudio_over_network
name = "libpipewire-module-rtp-sap";
args = {
"sap.ip" = "0.0.0.0";
"sess.latency.msec" = 10;
};
} ];
};
"pipewire/pipewire-pulse.conf.d/audio-server.conf".text = builtins.toJSON {
"context.exec" = [ {
path = "${pkgs.pulseaudio}/bin/pactl";
args = "load-module module-zeroconf-publish";
} ];
"pulse.properties" = {
"auth-ip-acl" = [
"127.0.0.0/8"
"::1/128"
"fd23:42:c3d2:500::/56"
"172.22.99.0/24"
"172.20.72.0/21"
"2a00:8180:2c00:200::/56"
"2a0f:5382:acab:1400::/56"
];
"pulse.default.tlength" = "96000/48000";
"server.address" = [
"unix:native"
"tcp:4713"
];
};
};
etc = lib.optionalAttrs is2305 {
"pipewire/pipewire.conf.d/audio-server.conf".text = builtins.toJSON (pipewireCfg [ ]);
};
systemPackages = with pkgs; [
mpd
# draws in mesa
(wrapMpv (mpv-unwrapped.override { drmSupport = false; }) { })
mpv
ncmpcpp
ncpamixer
pulseaudio # required for pactl
@ -105,16 +103,22 @@ in
networking.firewall = {
allowedTCPPorts = lib.optional cfg.ledfx 80 ++ [
4713 # pulseaudio/pipewire tcp sink
4713 # pulseaudio/pipewire network sync
];
allowedUDPPorts = [
5353 # mdns
9875 # pulseaudio/pipewire rtp sink
];
};
nixpkgs.overlays = [
(final: prev: {
ledfx = prev.ledfx.overrideAttrs ({ postPatch ? "", ... }: {
postPatch = postPatch + ''
substituteInPlace setup.py \
--replace '"pystray>=0.17",' ""
'';
});
python3 = prev.python3.override {
packageOverrides = python-final: python-prev:
(lib.optionalAttrs config.environment.noXlibs {
@ -156,13 +160,20 @@ in
services.pipewire = {
enable = true;
alsa.enable = lib.mkIf cfg.ledfx true; # required for ledfx
config = lib.mkIf (!is2305) {
pipewire-pulse =
let
default-pipewire-pulse = lib.importJSON (pkgs.path + "/nixos/modules/services/desktops/pipewire/daemon/pipewire-pulse.conf.json");
in
default-pipewire-pulse // (pipewireCfg default-pipewire-pulse."context.exec");
};
pulse.enable = true;
};
# tell Avahi to publish services like Pipewire/PulseAudio
services.avahi = {
enable = true;
nssmdns4 = true;
nssmdns = true;
publish = {
enable = true;
addresses = true;
@ -172,11 +183,13 @@ in
sound.enable = true;
system.userActivationScripts.symlinkPipewireSystemdUnit.text = lib.mkIf config.c3d2.k-ot.enable /* bash */ ''
if [[ $USERNAME == k-ot ]]; then
systemctl --user enable pipewire-pulse
fi
'';
# TODO: change to users.k-ot.lingering when updating to 23.11
system.activationScripts.enableLingering = lib.optionalString config.services.pipewire.pulse.enable (''
rm -r /var/lib/systemd/linger
mkdir /var/lib/systemd/linger
'' + lib.optionalString config.c3d2.k-ot.enable ''
touch /var/lib/systemd/linger/k-ot
'');
systemd = {
services = {
@ -195,7 +208,7 @@ in
mpv-pause = {
script = ''
echo '{ "command": ["set_property", "pause", true] }' | ${lib.getExe pkgs.socat} - /tmp/mpvsocket
echo '{ "command": ["set_property", "pause", true] }' | ${pkgs.socat}/bin/socat - /tmp/mpvsocket
'';
serviceConfig = {
Type = "oneshot";
@ -232,7 +245,6 @@ in
"pulse-access" # required for system wide pulseaudio
"rtkit"
];
linger = true;
packages = with pkgs; [
(yt-dlp.override { withAlias = true; })
];
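Review bot: The `context.exec` entry added in `pipewireCfg` loads `module-native-protocol-tcp` through `pactl` with no arguments, so the only access check visible for the TCP listener is the source-address list in `auth-ip-acl`, while the firewall hunk keeps TCP 4713 open without any per-interface or per-source restriction. Whether that ACL is applied to a listener created by `load-module` rather than by `server.address` is not shown here and is worth confirming on 23.05, given that the comment calls the `server.address` path unreliable there. I would record this above the entry, for example `# access to tcp:4713 is limited by source address only (auth-ip-acl below); confirm the ACL covers this pactl-loaded listener`. The module body between the hunks is not visible, so any narrower firewall rule defined there would change this assessment.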


@ -12,366 +12,330 @@ sops:
- recipient: age1a8k72egc2vg4jn445wwcr0a68y9xu5ft68s2xwehugs5sjawpv4q5nnrmy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrMjdmQmcraXU5d0REMEkv
bUcxdXlUY2dSTWRZbEloOXBnamcwd01WblhvCnVFa2cvNDBKSnpFQzhkMTAzVjZv
bWlLS0xvTktqWVo3UTBqd3BhUHoxWW8KLS0tIElRcU5rL0hkSFZ1Q0N6OElldE9r
N2dCelAveDVaWnl5VWRNOXFyZjVwK1UKHBKL7tyhxm1WFn8rHWI3ibiWd2ZtOK+o
5WhA5jE8Rq9olmKD8EVw2VvpLuOXrXqTAcSz71PkQnOKgMknPXbvlA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOUUJUNWJTT291amowWHgw
SlRBL1Z2eVE0UHcrVG5BUlJ0MXB4MmZxbUFvCmdkbS9Ld01JRTREWHBic2M4aGFh
dzdJRTQyMzZ4RjlhdlA0emdTblpoajAKLS0tIHV5Q3dWRHdvb0Zid0d5SmpDQ3A4
b2VvZ1p3TVRrRVlSVDgrMkpaSjB6NncKGbURRHJz7VK8HQWC4l5sGO48tLygoLqE
qwAF0XrOPj7JNiHgTaMCnErL0qlC+fSdF5qJzVDUmVIGylxAiDxfCw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y7lxpxskqclwqluft2ct2c3u8weehus6t8evwk7cdnpakxzgcquspn827x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKSi80QjJua1BtRVJUMDJP
aHl2UTh3bmY5NXJvYWRrNGdFL0NDeVRsRFM0CjI0OGtXVklmekh3RTdVUnNaZE1W
Tnd3UC9PRjRVZjVIQlVhT2k1R0c2cTQKLS0tIFFaL2lwQjhRZy9XVjV0SjFFS21w
QjI0R3poaDFUU2YwQ29IWG0xV3FFSjQKwqGUYdlUBmXxq/DigFvDIKb3acOppMph
rxwZtVSHyGERasIwrHM0XM5iHUxLMrYdB7PWiOJ5retq45kLrFtN4A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5Z0ZtUzNBdU8yV3hNUXRp
Rmhyc2plWWRCNlFoTmQ5WmUrQUFTZzA3QkdjCnlxdXVBSnNaL2hpRUF6V2RaaFRF
QWh2eWUrS3B6a3N0WXdOOVZmMUpsR3MKLS0tIFFuNWxSR29wcXVkRlVidWlxWFV2
S2VYQVhJQkp4WXRwRzFkWWgwL3N2THcKM1+IVyVAf4dweSYOqxbiXeGK8bjOx36g
YOljEhvpD75JITSs5o46mqZ8WFGIIRK3ejKaFzX+h9OSBWPKJpe+Ew==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lccjvj9z8de4hfrdeumm9eu7awef4d9jygv3w7zdash3fhv6e53quy53wz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFaE04M2lDTUVvR1pnRTZH
ODZYNFJaZ3h4VHNMSW1sck9xUmtwcFY4LzA0Cm5HNk53Y3BaTkNuODNGV3JqVlNH
MDJQNWRpSU5VeGFDM25Ncm8zaE9UeTQKLS0tIGpva2JOR0VXZk9HdG5RK2FuMDRy
TUFRbUtHMjhldVRyU0FtRUN1azFCVVkKchvcml8FWgWxyj71iFIeC2qGzvKAUlnG
oJVGDCL9938prZ97nroLx4ec85W+JYjnzhsTK4kBI4SExc3TgmPJDA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkODQybGYyb2ZUK1ZjQ2Zp
TEF0NXQrcjNBYkYvaU1pREJ3WUpCYUFyNFVFCmVxQVdtMVh1eEt5MWM1VlFwSFFa
V0lSQm4yZUlVWGFBVjlCbHJlYUdMZXMKLS0tIFRQZGc2QkJpM1RMK3djUWR3dnpw
d3kzTlovNmhTV2xTKzhsamU0eStQOFUKUpPpGkCOylehKIe6MgVzllYrn10BIeR4
89nJAC2evVgv4WCwkffwNDR/qfJrQBDjyA3uf8Y6qE8u9UgWuNaLHg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2euh5qt4a7cvx0t93uj4n9t8y8tkv9h3nefszc6g2q7t7gvngxswhrve0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWFEvUGhOT2VxRWFMNWV1
QlN3VzV6a0hUd3JHRC9LQU1LbTVlMUM2ajA0Citwemt5MGRZbEJmNXp2UnRvNWly
MmpPY1NNc2Nqc2REVTJQcm8yQjFOaDQKLS0tIDZVWU9YbEhYM0pKYUJsVTVVSFpE
L2xicjB4OXNRbzRLY01HZ3M4RlhuU3cKJW42aO3fUK6USE5V8t6nn76D2FIeN+Ob
aVysYubnrh6ISPoKT6+bP8eD99rhIHZ7DK6Crd9bSgU/tlypN9lVzQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDZXB6NC8wbENLTTN5ODlp
RlI0T2ZjUi9BWFd6YTBiWE0yc1R3OTQwOVVFCnJ3bTVGaGh0ajZnOHVJQVFpaklN
cU9zZUo2NmxndlpoRnd6TTFCZlVESFEKLS0tIFVjZm1iRTFaNHlhdEhFa25GVk54
dlZ3RUhXc0tnK2ZUY3BDaWtmNVlHek0K6NorZtxBnvrwWZsNeTAWqeVPgJEhbv4I
NJ0wW/H7kNdoMJt9fzdTXUhaxbIox64fBvMMfnMBvRvcyKc4o+02Dw==
-----END AGE ENCRYPTED FILE-----
- recipient: age13dl5qjzddaazmquf7zfecru5tr4ld8l8xd7xpmhaqqzmchpua4usswqykd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmd1JSNEQ1MVliK01hVWJl
Q2wrbjFVcDBFTmJncGJkT2d1OHhuT3dYSzBJCkFlWmxLbWlmVEJUYmh4SzkyUEVO
TkNieTNuY3AwNUNBUXJPVjNmcmJ2TU0KLS0tIEJOek5leWNJcnFqWnBNWitncU5D
Z1U3L1JpdzFXL1hMWjRXaGd6cDJ5aVUK+47RF6CeOpalMdqvxLDloJNs15HqpMAH
Jz8PP1lyJxRtbvhAhvGAP0pi4oZBKIy9ax4395oWh7EQuwGMJUiA3Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxdnc2V2Z5QWtzeExiWFVm
SnAvQTRjTkp1NTUvbFlkN2NNczNnTEdZd0VFCkZQa2FTRHdON2YrdU1GRWFlVmlp
dkNES3d0dU9jM3hRd0UxaTF6YzBvNUUKLS0tIC9nYm9jQ2sxQmVPcVdjc3dCRVdm
ZmpRcVZKMmM0a3dlYnU0UE9tTVVmaEUKbDVa5Ic5mTaVBFAQyRZ0LTzQfz2jSxwe
KbXYMFbEmMQ5Y3RCOIJqkFUgyPFAmmlIKmXxmF1LVWpQP1Tv+IraUQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w6u8zjfya63q9rjfll98eegnfdsvyaspnwn802t2mxh47gt8p30q0kn898
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIcHFIcDRidzFiYjNZVGVi
bzVSLzh3YmdkdHVEY05NT1VwWGNFSlFOdWprClJpeUFodTBHU0FHT216VUhBWkVz
NnpDWEdJYzRDd25JLzdjL1hWdS9ORW8KLS0tIDRyRlhyUzgxMk9GY2FoSlF2MW1V
QlRFc2hMZEh6OTFpWmt0czBHdnRmTGsKtuFvPrMDSIO4rKoV8XXAUdNrEtocW02r
NttYLrUzAewvVen08ANBs6d4H8g/5aswxLm0iXWBEj/hlunYy5i0lg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlbzNrekNDNTcwSnNrOHZE
Z1UrSWFjbnA1R0I3bXpYYUY0L0tQTmpLL1hnCllCN1lCSHZ4dE5KZzBjd3FCc3li
b0U0V0ViNHMxVjVDNjdqSi9aVUs1b3cKLS0tIGFZbytsRXVNNmlSUzUvTG85eXJv
ZjYvWE9IZ3QyUkFKOWxvRDFUME80OEEKNVC1mWSBCDN5XiaB00YtPsluVEtEa6zt
h9foSEx7GksMRS/Z/EeItRPyyoEDvzJCU7IFT9DEUDqvxmXhb8bMKA==
-----END AGE ENCRYPTED FILE-----
- recipient: age12n5k6c4rxp4mjnexw9uw83yp34sallt44kldupfmxr2xkppj8a8sdsmv8h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNks1OVlaQlZZR3JoN2tq
L0lXbU40dU1LZThLNnBxMTlCR1EwOFNwa21RCm9tZUFYNDdzekNwT3lqRVlCSFhx
MWpheFZHWWlka3lZUlk1eDV3eU9XSEUKLS0tIGExSVBnenc5eG9uSFpEZEswYVdH
YUdCR1A2cEhMb3k2NFI5cjRjSVBKeHcKqfuNijzpjuX7icgvfhXWKaz0xtFwiAsQ
XcVn6lYxtVPcIF6BWAsoSzyVk+cW1pTVQMWh0MiRO8XUE6bk6NUj8Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLTmd4MWtEQk5EemM3OGRs
SzFaUmtjYW5JNHlEVXVxTnZWaXFxWEVzQTAwCjBHS3ZZcHFrZGZTZmtVNExhV1I2
Q2VNK0h5Y0ZVR0ZHYUNPTE1ySmVFZG8KLS0tIERNTmcyZnVyQ0lOdmxydExsa1FR
RjMyWVZ0ZE9rSWgwS21hczlZN2gzaXMKB5kyJ7IOc31IhS7Ah2TetGuo8dC/IOjy
Jz3I8gtey1sTTpmfPam99HeCO70bxSFvYjrvKFRmZmVQtk8uJc79uw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yahhqn2620300n20k68az5lr2u42wdgtjwysgqyr99a4cj52ay0qjw02pl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeE1xR3ZwVFRlR3dTREVD
L1BYa3lyTVlxV0dIT2s1eXdoS3ZZWENCOUVnCi9TMVJrWENyZmFIeEdNZHpUMGFa
WnJDZGlYeVFHc01wOFpjOENIWkpyQ1UKLS0tIGJPVXNtYVRWSjVPdTlBek9Idk1i
cS81bHBjTDVhT3g0eWVqb0lxK3g0WFUKDVMVhIt6FtHzO/Bxp62mOCapvg2zwR4t
mW1YpzojZr3rt7/su+Ck5M7vVD99pPRB4sVRpGZ+W60YvzJ7iWJ1UQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIeWQ5SThoUWdxbmw4Rk5V
RFVBOWU5bGlpZmhyb1FoL29HdkdqLy8vUWxRCkNuNVRXUTNjaWdBMzdIcUlDSHZ3
OHJIN3hmRFhLdjBwcmdXV1AzMzNMN3MKLS0tIFVsT2laODJrQnBHRFNGcm52d3F5
M1hFRWNuT05oZ1FPczV3K0p5Z2hvd3MKEVXISQgPLaTTU6YA/IIA4UKyLmCoHWf7
k2/rXVlumhW+WPmMdjJtJ9bc1wNwjiQ1n70jWKN1a9R9c19mR8epcw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jt5pj0c0fvmzg7quaucq4n2rzcx9ajzstp8ruwc8ewjpay5vqfqsdjaal8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRklqS2s2djFrbVh1Z3or
OGIwcnFQT2Rqd1AzNlArWWpyeWdmeFRjZ3pvCldhc0tWKzAwWUFWTnJ4ci91U0ph
dDNiNmx6Yk9EVXhBTkVlN1JmU2pORFUKLS0tIDVnK1dGektxQllEdWF3MllNSjkv
dmFLaUZrLzFLai9KaE5HcU1OZWxKT00Kji+tv+tXIe3wRWZoxA2Qh8VmyfsKZ9eV
LxL3/jmNy6F0aDX4kJYBO6F/wzQt5jsTcmuHrAI6US8nHYiQtjp54g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZMUsyeTJINWVSOXVENlpC
SVhERkNTSUNZMXI0YXRVR3VKWG9OaGdOUkZrCmxEajNMUnN3UDl4bTFlaXpmUG9l
dS9uOFRnMnp1MCt4aXREY0xjbTQ1SHcKLS0tIDhuNVptL00rcndLWWxndU9HZzZW
emRNYk5LNTJRcVF0NzhmNGpVT3pEVmcKm32u460zGZXKSjuitae9y+LUg8T8+BoQ
W3rHqpIhV2gEGwHyLch86hzmpnihBvzq703vChSF7iJhE4Jb6lvqcg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1l2tld2cttpkj4vpuh9hm4xjwq94rmf8vukjgvdzcvwwtze6k6s6qjf0s5r
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUnVMcHVlS0l6M1dxRFo5
WmVJRnUxT3Y1eHJHUFZSVVJUQk9wUXAxYkZBCjF2OGlyYW5RZ0dva2V3b2RMT0Ew
bmFTYmQzdzdEQ3d0QS9ZOHc0NW4rM0EKLS0tIE5SaC9pRjREUGpEM1VuT2ZCSUxH
cDMwWUwybkdNMTFsQmt0dW9GTmpCZWMK9DLVZzlCqyFBhL1sxO3pBe09ymcFvut+
JRgeRZvCW2qiftLLe+MRBeqDtkZ9Axw66B8PHOuZLypzBLBZotPZ3A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqYjB3ZTBvK2JlSEhnUkc4
NlRUWktpazl2LzRSNzBJb2RRcG13ODd5Zm0wCmNIY3ZYWjdvcUd3ZGNtcmxSMWpD
Yzk2NHpvZnh0QjYvZEdWaUM5NFZyMmMKLS0tIFBwdm15NjlMOXNheUJSUWZxOTRD
bEJtcjArYk5scVZoWDJoZXl1dThaWnMKdEnFNJkEYmbdnOVg88YwLN6VIsNv9brN
+b8EPF8ZGyxlofXPRVtgx0RKOMVJeL9KstBAsJxrWbBlwgeQsYygHQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1px8sjpcmnz27ayczzu883n0p5ad34vnzj6rl9y2eyye546v0m3dqfqx459
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxWXBRU3dCWm4xSko4Ym9V
WDM3c1p0OEJ3bkIvR0wzMi9PUnJDOFhQeVVzCm0vaFJiaWJWbGNsRXl1SEphVXo5
RWlZeE1Ga0Rka1kvQ2k3SXFuYzJ5ck0KLS0tIFowWXNtaWh3Y2NpUWlHZGpsVTJ3
T3lDSnFCNUhwOFhQdjBvVDJlcnE2S1EKJUxaE7NW0UkduN4sEKwl2X0Q+DVyLkyV
zFtLsfepX6LMFT5AXxaaUCnmPPq3y94FSEZn3F21xnNLrAUcyv/TFg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbmNOWmh5ekFhaDZJN2pP
a0szVzNlNXhJVkw2RHNpZGY3QnJ0S3JtbFVzCkRwRWJRMEhpZWJOK3dXTVBVZytF
VTVTVW1tditZaFNjc2NZVE8zQlh5ZlUKLS0tIGtBUWYrVEFrbUNjWWlPbklmMmNq
dXdHcDFJejRRQkJadGlRczVocUl0Q00KMdLrz6l5caU+ZBbHho89PKvUBVXa+0EG
Hnsi7t0fpj44svhXpRyAD/4xhesxTAoSntLzh8z50rAG02uIMzcZLQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tnq862ekxepjkes6efr282uj9gtcsqru04s5k0l2enq5djxyt5as0k0c2a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcEtQOU8zVVNvQzRuVDlu
TVlBRnBKdFlSSXJCVHlOOVd5YVhnaXlJcVU0CmFhbmROUmRCdlR6cDZyMTdQSC9N
Z01Vd09qSWpnRE5vZm1sZUFuRjhOem8KLS0tIDY2V0pFWUpwcHUyYWVubGZFVWNX
SWt3OURIWDhSWlgrSktzWE1zdFI0cTQKU/lahLOisqiKam+A4wf+n9/EhzF61cX0
0GKt8sn7MWZBEwgDEW0vRkybweKK0E6DTGnlHCFi4iRnoHCHKdxreQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQXlyU1JteWREU2U3WjYr
Wjl5VXFZaThDVmo1VFFzRW5yS0hjWWFCeFVnCjF0N1FFZm1OZGcrcHpVRCtFck0z
ekF5UGZKNzhCREZGZHFJVWM5NXJHbDAKLS0tIFRwZXBLSXU1VmEzS29HVXh4ejRw
MEVJc3NrOCtOYkZkYzdLUWlmZzQrK2cKg5Gs+UUFk+e5IwhM2/Ye7OjIXnxnsH+a
zOHgdk7Z3ccTvEpqIAWdkyfpXve+U7IAOn7yLK9Qzp8qlB8wMuWV0A==
-----END AGE ENCRYPTED FILE-----
- recipient: age15t7hj27j6ccs8u7mfz8su3aa74g4dxp4crkgc3c0rs28hct7q4ssgk8zcm
- recipient: age1jr5mc4ekmjf4uk2ue4xcuy0yl202phlu2t6c544qfj45ahzag56s4d0kzj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQ09SRmpzQXRLelByMmRK
eU5SOWdYNWs4K1JyaURHTTF5MzFaZ1k2SGxJClBQbjZjRWluekRheng2YVA1Umto
b0RBeFhlbktGMWFtRWk3cDMrVUFpNzQKLS0tIElvS3M5ekkweEcwV0p3TTA1Qnhn
YXRoWVU3cHpnUm5nUmlpNXNBbHFBWVkK3HjjYpL60fU7n3d2OJZ2W2YHHuyX47rN
g0jqQ3WZ+f5mH28oLnkx1FWMvTc+D5WsTivMIL6gatHLS1KKwHR2fA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlak0reVV3WkEyNWxNZ2Fs
UFF2UWRabnMzVE5jNWZsSU9CemgyT3ZWNUg0CkhjNzBJajBzS1JJTkt6NWpialRU
RDRTM2VMVzh5TGdKTll2cUZObm5aMGcKLS0tIGx2TTcwTWNvMWdiU1gwNzcvQjNa
Mnh3VEFnZ2hEb0lzY2hwRkxVY0pSNzgKRCptD042StOhvcTvP5Wgx/r8hjhaaSHJ
Ba/Ru7kCWpeYZ7VMCxDkvEoqqCCVdAJ9GANal+u7jWgsIvRWy9HJ/w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dcpd6u4psq3hehjyjrt3s7kzmnvxd20vsc8urjcdv6anr5v7ky2sq9rhtt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjS3grTFVsdXNHaFhXd3ZX
L05uQjZBV24yZmxyTytWZGFtOHRlcFN6ZVg4CnRQalMxbFliSlJPanZva3FKWk80
Z3VIY3pQTnBsZys0dWxYaEM0KysxYmsKLS0tIE9PMm9SVkVjenVsWDl2SWZMeUtq
SGpIN3g3cEJCVVpSSGVwMkFhTm9YV0kKi8vRWv5/vpsFI4cG4KSA2lEb8Dr7uk6b
7RXnNe7oFCYoKIydzeSrPmp7ZZZhU8oOzSP9uksypMbo0PK2gwgCwQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0OHVXRDhtNnZFaG45UEJ1
emtvci83aUpQYUIwSUQ1RjlaMXQ2YTdCYWxnCnhZOThsNkUwbS9mZmJsUFhTQ2s5
Wm1UNGNRbmtIdVhmRzVJblR0V21rMlUKLS0tIHRYN29NMEppeG8xZ2RYc1RKdXIw
TXZOZlMwVlZvUHJCalNSbTcxaHlWTjAKXLUP2+LaPGGc0YUFUkf3lw1nZBd0iwRF
P0jqpKGE0YB1twFAkW0xjRgu0Smtz5kjO7oalxsKtcDD5+YL/pa36A==
-----END AGE ENCRYPTED FILE-----
- recipient: age15vmz2evhnkn26fyt4vqvgztfrsr2s8qavd2m6zfjmkh84q2g75csnc5kr6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNkQxa3lSRml0WHMzWHNh
NlhYQmtHaWZ4Qm50U2o4ZDQzY1hqK2lXOTNrCkJETCtnWEsyTmtndXU2Z28vR1Ux
Z1czR2lTa3lIS2xibUV4S1h3N0NYTEEKLS0tIEM3WVFDdHVUN2dmbjhBL1p0LzY1
TVFKVTNCSGl3aXluYzlXZUxRS3RYY1EK3oLbAGt0PRwAuqqFdvn/y9Gr2gThkAXg
jRB0zD6RF4UQm50w/U/3EocYAGQt0Qez2+oUCWehGAimyH34s9FgwA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdmRzUUd6VURnTS92MHBG
dXJwOVcxQ3JhU1FiZ0lzSGZ2S1RnZy92bDM4Ci94czJHRmdVTTBXU0p2bjB1c1FP
V0hIeldMaHU0Sm9YRFd1MlFQNTN1YXMKLS0tIEhPeTBIb21WMjBuUzVqQ0JWcW9Q
emRja3Y3TXcxRWNjdXpNYTdmTVRoVkEKcADVTAHmLBnZt9LE4aalXt4ephW8xHMF
IW1WL6LsodilwEMs42rkCirCf8bsBbTuzUfPkEvHbkucpgkrr9JG7w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1s2ww76ll6nclz74gny27tk42xfsepl23z2k0849a8jv8xpnmpe3shgunxr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnQ3RPTTJFTnhtekhSQlhs
QWtmTFNmaDh5dmZ6VGhnYlFqTXdLaXVWanhzCk8welNTeG1MZDF0SzJvelZxTElZ
ODJYLzJtMWc0ZmVCS2taVm9Ic0J3UFEKLS0tIHg0RzRtMU9jY3A0RDNSUHRMTUxV
SHU3LzNKVmg0Z1dsQlBlR3U5MjNpVmcKS0lHBTMy3iqyInpIamaz2gY+0dUWQkfU
212SUmDG6qhZQUhjxgutI/Vh96oJUPPyz7IhCNPqNkUb+x6uqmwzuA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSFlXUlBvc2w4VXFFclBG
eHgxSndXTHJ4T3pmaExGaDJpQXM3dWlCczFjCk9aUTZEUlBwWHNIZGpxSFp4dnl0
MFZEakRUNzhua3N6anFzYjhBWGhYZUUKLS0tIGM3TXRKRk9vUHh2Y0FETkxQMWNx
UThva29zdWNuVHRyd09aRTNvM3NmYUEKVw3hLRB04UXDfdRd6MafCHBDaqtJ7zs1
D3ROK/UyhyptQAWhozZ5WlgPxQTydZoBfZegEpQUd8HvOWX8nqLU/Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1xjvep7hsnfefgxvuwall8nq0486qu8yknhzwhf0cskw5xlpm8qws9txc56
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByazMwU0lhVzUvMXoyblF5
aTdISXQ3ZXFZMnhFTWdPNTJaRDdqdnpkdEVZClhicVhwNTR6eTV4bGJPcE5ucG5Z
SWpNQWd2RGtRcUx1T21Ec1FDdVJWekEKLS0tIEU1dDFHaUVaaWk5K0crdXVCNDZy
bE02THRmdHNUdDUzNHEwMUZ6c0w4cEkKyuN5cJI3z6tlQxKeZtsiqH8DC3E2Z6kR
f+xl6LWO4VzihjDMIUw6B9NTLZVGyOumZsLKiV1SiyIp0ZSwPONOCA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMXdKNXJaaEdTQ2w5dFJT
SitoMHJNZC9KaE9QSFlLSkpidU5UQ2FRcFdFCmd2TXAxbnE5QXZIYURQdy9RZWNh
d2s4VTZHRzk0RDQ1ZUtQMHA3MC9vREkKLS0tIFpIRnZ0dDZRSnBGYnF3R2VCRUo3
UytmTGpQZjU0TTFnWk5TY2M5ZzZ3aXcKSIwQV+t5FAv3Ig3w6u++FNqlmgOm/4sE
FOK5FCtyDgowyQwc1yEnvve9UgamUXdaDQCTRNRfzOxFJH9mix8Ezg==
-----END AGE ENCRYPTED FILE-----
- recipient: age182ms3ygypflk7mtpemp4k4ks9rz4gwhvzc9jlk95u4py5q68ppxstzu2e3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsc0F6YkhCTkh4QVRMYkh5
MVNsbmZaM0czc2w1QXJvMXFLUGM1Y01ZUFEwCk5xZVR5b1JiOWtzL3dub2Nyd21H
SUFzVXBHU3Q4NjFZamc0YW5RR1J6aGMKLS0tIHkrY3dzOURFR3R3Nk5HaG45RVJs
UlBKL0VWZGRjWE1wV3FPbktkWE9YMFkKNj6rBosrnREzjGYSAJ+rbto+H/H8d4JN
frdT7xwicVWXbXdddwdnVShx5LyqBEZXCYEpjfZe92NnuHb93Wod3A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvUHFkWTBQM0VXbEtXRk1p
V2VsWUhpODlxSjV6a21YME52Ym13MExpM3hnCmVCMTAxVngvcWVUVzNHTis3Rk5r
SnA4RmlwSWlCbW51NTJ6QWNtajd6SVkKLS0tIGZYTDRyU3JTYTJLd0Nhdkh6MlFC
ckVudW1qMWpwN3MyNkFCZ3BSL1lqUFEKmtlo+UIa+UMD4pXOdPyzyNgHEQ78juvL
Rddx+YQFw/ZbKJp8ca5NEDjAlXj8CRMOKRr1rcPr1Pg3v799kGCpNg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp9gsuyfu52exk0hr3fvj404v5njhahakzwlugwtneyrs4vgdyaq0sg92f
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkYy9LL0owOVlVVVJ4NFZq
Um1GVUpZYmFUOU9VT2dnQkJSdkNKVEU2N1E0CnNXZFFrWDJEcW14WnBSblFrOENE
eG11eXdsQVoySm1Jc0Z6aFA3N3VFcjQKLS0tIGNOYk15czBiWldOK2ZMY09uTHUw
YmVaeEdkcDRlS0ZDMWUrZzVpTVhkeEUKpayxamzNQTp3TAVLb+IibPpqIizvTAkW
y9wzQRq1mB3B3TW4LCpE3Ld0WIEQv/5pXE5Qtz5HpLck226SFhDc6g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u6xeayzwfdj9l0mg3f4xvjd8e9nemz5psqavauvacjgp2nku95yqc4f29s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUVV5aTFOdHIxT3U4a2l1
djIyb05Gc1VJQ0d6TGFvTXdDK29ITGRNSWx3CmVLeG5za21weDFMWm9WWUlzcVZ0
YmY2TDVTdk9yNFo4Q2pPU0t4TXVhTk0KLS0tIFN1bGtrWURIamUwWW9LUFdSQVVP
S2RaKzZ6TDFmbldoako2TzBaUFBFSlEKdIeae287NYngsVxv05EbznwfAYWTxSJU
8u0I7aMylnk7Sicu88bAWU4Xd3gF/F47U3UbFYnknh55eSd5LyWRNw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1makkpv2t74lxmw0nk6m89nespva7j700pmt83pl5a4ldtj2k8fzqakw8h7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2RUpMQ0s4UXMyOUJzclJ1
eGUzSVdvZzY3cFBPcHFDdlhTbTI2bDZPaGtZCkdMeXNBeXJDTmowY2l1eDErajdD
RFpYWmJFM1ZYajhIYWY1anFaNjhyWE0KLS0tIHQwY2dsSzE0elFRMG5qbEJLc2dy
M0xMWDFlV3lNRXNQeGJNNUZ6RThaZTAKCScgBGFndzjFJC5VhnmHQr9ZPlLJBnH1
JJDfHS6Y3AXcO6e+IiRLdtU1N6FvYf9kjN1tEoBPQitunm9Gks9Waw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SjJwS2Q3aVdkTkxHYng5
R2VJTnIrWFRyKzlTMDNnTEJzaEtjaE1ZblJFCnVaNy8xNWpVT1U3bzRTVlFBZktR
KzIra2lVL2NNSFBBVUdLOUVyTkx4dnMKLS0tIGloSjgrUUVJR1BzbEplakcrVVpF
V0lNdVB3dW0yWlc0amptRm12L1gzbEUKEIfwgZbDLv9M6+Z7TL6QkZoV8tgSj4iX
cULGrfBDEcb9qSOaMIGIh3xMHby3eDnMwnrKvMLQk0831ddBZcvpkA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1kdrpaqsy7gdnf80fpq6qrrc98nqjuzzlqx955uk2pkky3xcxky8sw9cdjl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrWGJUZHN5eTgydFRsUHpG
Z29mUFdwNzNhQXp5b3MyQkpqd2hRSmZuRFE4CmpXZnpCdnRKT2RXU3ZDMXozV2Iw
STJrVnM2WjFpWUR0dWJGNkFsWTg4cE0KLS0tIHJsR3h5S1R5UW56RFRNMUd3V2F5
YzFnbmo2QXZYaDNMY1plckt2WDl4U00KMo7wLgGtRI95LHBR2VlLvdKG5EZDq1L6
XgxdaQ6tB9+8RgAeFXA1Yj286clHW4wGa3iZ5kBOEUY/FVrwQPsf7Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1xs22728ltpl3yh8hzvwt4g3gk8uc32lg8cqh86fp5d8c2jlvp3gshmejun
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RExXbVJBeDBCYzdmUFpE
R1BXVit1YVNVTC9zcUZNY0NYVFFrNXZIN1JnCmVkNnJrazdaOEhvR1pUK1ZmVlVp
YzdRalhKcEJQY1ZMQVJYaEE4QTVYNUUKLS0tIDJEcjhGU3Z4djJ5YW9DVDJXbGcx
TEpRMTlkL1RvZXBsOHRlcWcrLzFWeG8KD80dS3HA+qgaqX9rdQ2mbLcglT5VHRFF
D6Rg2bLdQ33C0k/k6Jj2ZKmRC2DUts7AfrZCN9641yUtDoz8hQcTJw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TCtyUkFsTElUZ24xWXJT
UHEyQW83Z0FKWVVFUDR5N0VyYkF6VTRVNVNZCmFtdE0xcy85UUVkSWRmeTNTelA2
b0dCRGJpa3YvRzRVYlFBNUtLV0k0QTQKLS0tIEtaL29mU2E2bEpueXhKelp1eUJF
R05UcVFla3RJaTZVbk11aC9Lam0xTHMKQf+dGKhKONHjenWcYR9K1CheKpn5N8Yv
czDM3NPB9M3aT83RYjAnMWwPa3I7idf9cZbP02V208Mm1a4qRLdrHA==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTU50TDdyNXFYeEovbGJ5
UkpLaFdXOUJRcXJuMUdNRHc2VllHQkpYdmk0CjZXS3ZMYnRUa0xTY3JGMXFJaFk3
MnF5a0Jia0tWbWNZeG8ydlRMMUJQWU0KLS0tIFlzeGxNYVBFRXN6S3pla0FPQTAv
YWhlcnRXMENTaTRaY1pLRGtYTktETUkK0CiQKJaM+xs4mP2yZ8AzxPEyYzd0gNXD
UVX/GxFBdnwlMpA0J6QGPdrs4+LLXLM3A4qrDxZ87Een+wRU4zlTzA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OFozcEpQb1orM3ZoM3FO
RWx3N0xGS0R5WVZvbTJmZEp4c1ZmQmtudDBVCndoTm9TUFNDWEp5aXIzRFZkZDF4
Q0tuNnBpSVFHeDZucnFBM2VkbER3amMKLS0tIGhvaThLRVFyZlJpT1JKQk5oUDJM
VTRRK3paS1hILzJOVDVMZis3dzBEMWMKMGmWdiFvZrRaqx6ddJzrNLWJHn/hMV1/
iNpJF4A0B9tWekqPjedGjVs/45ZTDN7dMzp9zqpMHgVP0qxW8jQxKA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-16T23:43:55Z"
mac: ENC[AES256_GCM,data:OAFdTBgFBtobgRR8WTQR+hfByJBeTM1t4gBxjBmcm9rClz2XgDuFQ/rDYRYEoAEKXoztCZhRqa82DSFsEZkaseaMOX6NeGlcsnXGKHzAmjRJrtEdYawpbH6i0o4r9kTBeMbjzCkP6NhxfjY6kvwMAgmUjzj7sQiSUgOLpeZt9tw=,iv:NTQuU4lN2LvvPKT/IpUQlycTaQayqgHEqFHUCWw4dME=,tag:VFfeht6E9xTL1+s7pt+hAQ==,type:str]
pgp:
- created_at: "2024-04-13T21:10:30Z"
- created_at: "2023-11-14T01:43:10Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA7zUOKwzpAE7AQ//TJfvgrRgA3Dp/ijlDD7d29BeGimvV0FCel8YiWkUAyg0
PN4lW0cimNm0SoP5gIOrP3o5i6uC6/Cnd0L1/nbvLcwousC3gBI5RhyNFepzRHhx
8YsdXQ5JWUQMcNbA7gu/3JgPpRXOy2L6sRSRZYqX5pK9NSv3P62QP3vOftG391Ex
som2Ma6JxrV3SeJ5NhnXaQkOs6d7+c/kwJRNGfQjOaflmrAO5UHDPxlhQdH6jHQ4
SngIKvg5v3dpZeCLO1zjtbBdL8Qa1IksUr33nEYRm+1T1Jwb/Ds0jPGGJFk6rI7h
Ruum2QqJacnYjLXwEJ08tlZmumY2ru6bSras0ZtWej2GQ/mrrUrDwBVBuN9uqcGb
8vw+02D5/jifFKlxwzWkp48nTA2uf70cQiXDrXJgJW9rnmFcreQctPGV7mF/naBM
7D+0pKYudR83glYxGlPXvvABqPlkWZH753LFvzzrYgTa/FV5XdqCWvEDaoolNY0T
iqEfZ8aW/AKUzpRoRGbaVzPk5ktqZ3HzcDMuc/euPiL7wXZtHUhZO5Q7rtIG6Wip
B14Dpu3F43bk2VKqdCahLcPb3fUfLZdOxpE2KM5Lq5Dm/CBthnZUiBylgEkpjQp9
xnQPKjWcWUMq8n6ac1XtR2PkRXRNHsVSaVSQ1tMPtAff5FoE3BODXE58y5BsI0zS
UQFIS3N4GGPTq6C0XQ96uO2oBKKkqhdoSd6DGVq24pJPACc3c0fIfYNCneuqLbj3
Le/K0ph/7SEhKWItslYg3B8OBzGg3w/uVSikAcoNYNYbwA==
=97ou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=
=Dehd
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
- created_at: "2024-04-13T21:10:30Z"
- created_at: "2023-11-14T01:43:10Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=gRFd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=
=YeQ7
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2024-04-13T21:10:30Z"
- created_at: "2023-11-14T01:43:10Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wV4DqDJbhoEBo+ISAQdANKgSMX4+H+dTgQPQU/heGLLK/kFW4S4bjTWfDGaFwkow
L8K0GkjtgSMP3jhJ9q9ch7GhzriAPUqQsjqIiWiu5zCGndwcCraXaVrl5qzpk6cI
0lEBcMNP7fMNd+nC8BEOca2EVmlOI3BqsR50adoi7dqGqcZNkAmOHjShpPIO6eV6
CucESy2hoELxRY6yOsVEA56fcOQsLWwukzVSkxTrb9Zp13s=
=75Km
-----END PGP MESSAGE-----
fp: 8F79E6CD6434700615867480D11A514F5095BFA8
- created_at: "2024-04-13T21:10:30Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=LMIi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=9Q6o
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2024-04-13T21:10:30Z"
- created_at: "2023-11-14T01:43:10Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=rBTq
hQIMA/YLzOYaRIJJAQ//ZBWVucA6Rpfwjs8DEYHV0PIrZ5qfx1bOmbGWNqo+V3rh
A4j4gGy72LecVzVE2l2qAfGNuXFEoOn2Gw+9yg/33CnyuESIugCPHzqt1fOZRQzn
Blfe1O8l1KJp9UkKGkyKvSAj4ET0rOqbk4aINGB8Tbr+ohIs1HA3soEE3/pe2eA7
aIJ26zg8+sxzFGO0bMksT+fIZ64a+LgOl0MvJKBZWC052tif53ItUcgmqdWHoDSI
rRxKicKzt0wRE511k5CbjHQ+Z+hG49sbOYgda4Njp65/iM3wNw3K2U2dh1XfLMLg
MtL6/DzFBORghhHc1/R4RldhYYMVuBTXtXJOuJggdaCxC8AMq88TegVHzOKPR5gb
rbP88F4H7x2+K4ofIFCuL7U8vi9f4qraoetaFg1JY3lDei0qcLSWjcgts57UmvVV
3BtWIEapMOsY3d7PLNm//1WiQAc2qcBypD/j38ZDfiGIQj69cL2BlJV70LMhyyFc
aTR809loHLdCucWWkQCiZmoV/e7xYJ1Ge9n+oJdERRkXkBO1L/409YP16Al8zeO/
9GuVjFUjIVj7f4WYqRVNrENBxHs6uT64alwSa/pfnjR+r3UFQL9CJ3VXaZcJziG7
yHvl9m8IyvSQoiIEujjNSMzpecTe2EbgHzwIx0+MEZyBDBzO01Vj3SU3Ps1KVMHS
XgFlCHqpHfnpsog7ZRnpOuNpCHShvVq7h7ar27uLLPzNC/363GRPfS/8eoI0tRHV
P1cgVAJTf9u/BGvxh1dgzrE7tUF0PgJL+HbHIZQZBl+rUFuMQHozr8I1zwtArcw=
=2SAM
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2024-04-13T21:10:30Z"
- created_at: "2023-11-14T01:43:10Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=KYMC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=
=cl4y
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2024-04-13T21:10:30Z"
- created_at: "2023-11-14T01:43:10Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=Vxi/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=
=j6DP
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2024-04-13T21:10:30Z"
- created_at: "2023-11-14T01:43:10Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA45bZkLXmBFpAQf6Am+HdTbceo5UD+fomUqGwWGx62lfcC5OwRZfJaODr2C+
sLFTFAo+x7HupBOi5+WFcplJDqOgeGsfb9E8YELU3E31V7jJ9wjZrSlcfxfSScL6
5LOt6ognD4rJ8HUSUyUl4ZJhR3ZAJUHVQJwwBALW/apZZXCu0zSIuh/lFCFx+Rjy
8eJ92NXVpXw5gsOWT4PKW7BINhYOEquJ1hW8+sna3JYpQkAIwePCrBOZ2KKmG8wb
PboEM8fFSc6iUzTTypWq3gedJcZpCIXS12KFBIsU9Jw9ep799hg9lPPYM9JTqSXo
E/r28bkPXBI41ZmT3dsvONEMsrYMEq4pEcC5zoJL2dJRAWnJDJ0cB3tcpspFKHgV
FevuO8mi+HoP0uaCBQ3Tcq1fjurkbdcCQrIz/WGyV+x/poypBqqq+6N1jO3ytF7y
yJU1rmqjIv49MHTS3ygHdsst
=iRkw
hQEMA45bZkLXmBFpAQf/c4Jzrcw9062U3O1Yh2Bc5L+vLwO0m8+meJ8nAvKEdZ/X
u8Xx+PMKBqwqEBnFZW3F1xZmEHjRSExNAg7cebmplQdcF+v346D8+HH93ziF1qzQ
hph0qeGjezSC5TmugaCdIiXZcJu5BDu6UGHkJEU86kzy2hBYCc9EGgKIgtJ8g4t1
XYpM7rfeX1nG0xNL20Igh0wS45h7I/OEpsyHgrbo8vyKG4UXsNaMWivuilLj23gP
gb7HY1UxWLdPE0ow+pFMZ0yesDol/2XvTWfQ/t+5oKgw55Kw7oRMhynenRARW8i+
cdAaqD+0qCm+APO958GyzuLC+h5H4KbpHtApamrwMNJeATMLsf3zZs0JvKB09pH/
LZCnoTNJUmmvIL67PBUnPvSmvt7l7ccSwjWxIMdDe9s1V+MvkkptEIROoTmCQrGl
oDEJhiwKgGBrQ5vYWMTf83zMaWdXmxz2UViT0FNfeg==
=gfvH
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
unencrypted_suffix: _unencrypted


@ -1,4 +1,4 @@
{ config, lib, pkgs, utils, ... }:
{ config, lib, pkgs, ... }:
{
options.c3d2.baremetal = lib.mkEnableOption "baremetal";
@ -15,40 +15,23 @@
];
boot = {
initrd = {
# make sure to set availableKernelModules to the kernel module used by the connected interface(s) otherwise things will not work!
# the module can be found in a booted system by running `dmesg | rg "Link"` and looking at the first word after the date
availableKernelModules = [ "bridge" "bonding" "8021q" ];
network = {
ssh = {
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
hostKeys = [
initrdEd2219Key
initrdRsaKey
];
port = 4748;
};
postCommands = lib.mkIf (!config.boot.initrd.systemd.enable) ''
cat <<EOF > /root/.profile
cryptsetup-askpass
EOF
'';
};
systemd = {
enable = true;
inherit (config.systemd) network;
contents."/etc/profile".text = ''
systemd-tty-ask-password-agent
'';
services = lib.mkIf config.boot.zfs.enabled {
zfs-import-rpool = let
devices = map (name: "dev-mapper-${utils.escapeSystemdPath name}.device") (lib.attrNames config.boot.initrd.luks.devices);
in {
wants = devices;
after = devices;
};
};
initrd.network = {
enable = true;
ssh = {
# TODO: enable now per machine
# enable = true;
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
hostKeys = [
initrdEd2219Key
initrdRsaKey
];
port = 4748;
};
postCommands = ''
cat <<EOF > /root/.profile
cryptsetup-askpass
EOF
'';
};
kernelParams = [
# "boot.shell_on_fail"
@ -72,17 +55,12 @@
services = {
# just assume there are ssd's everywhere
fstrim.enable = true;
resolved.extraConfig = /* systemd */ ''
# don't cache NXDOMAIN which often happened for nix-cache.hq.c3d2.de after a restart
Cache=no-negative
'';
smartd.enable = true;
};
# this needs to be unconditional because the keys need to be inplace when activating the feature
system.activationScripts.generateInitrdOpensshHostKeys = let
sshKeygen = "${config.programs.ssh.package}/bin/ssh-keygen";
in lib.mkIf config.boot.initrd.network.enable ''
in lib.mkIf config.boot.initrd.network.ssh.enable ''
if [[ ! -e ${initrdEd2219Key} || ! -e ${initrdRsaKey} ]]; then
echo "Generating initrd OpenSSH hostkeys..."
mkdir -m700 -p /etc/ssh/initrd/
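Review bot: The guard on `system.activationScripts.generateInitrdOpensshHostKeys` contradicts the comment directly above it, which says key generation has to be unconditional so that the keys are in place when the feature is activated. Of the two `lib.mkIf` lines printed at the end of this section, the `config.boot.initrd.network.ssh.enable` one appears to be the new side (the +/- markers are lost on this page). Since `# enable = true;` is commented out under `initrd.network.ssh`, that condition is presumably false until a host opts in, so `initrdEd2219Key` and `initrdRsaKey` may not exist yet when the first configuration that lists them in `hostKeys` is deployed. I would keep `in lib.mkIf config.boot.initrd.network.enable ''`, or reword the comment to say that turning on initrd SSH needs the keys generated by an earlier deployment. The script body continues past the end of this section.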


@ -1,4 +1,4 @@
{ zentralwerk, config, lib, pkgs, ... }:
{ zentralwerk, hostRegistry, config, options, lib, pkgs, ... }:
let
cfg = config.c3d2;
@ -58,14 +58,6 @@ in
# broken :(
default = false;
};
sendmail = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Wether to configure sendmail via msmtp.
'';
};
};
nncp = {
@ -90,29 +82,38 @@ in
};
config = {
networking.interfaces = lib.mkIf (cfg.hq.interface != null) {
"${cfg.hq.interface}".ipv6.addresses = [{
address = toHqPrivateAddress config.networking.hostName;
prefixLength = 64;
}];
};
programs.nncp.settings = lib.optionalAttrs cfg.nncp.mergeSettings cfg.nncp;
programs = {
nncp.settings = lib.optionalAttrs cfg.nncp.mergeSettings cfg.nncp;
users =
let
adminKeys = with builtins; lib.lists.flatten (attrValues cfg.sshKeys);
in
{
users = {
k-ot = lib.mkIf cfg.k-ot.enable {
createHome = true;
isNormalUser = true;
uid = 1000;
extraGroups = [
"audio"
"video"
"wheel"
];
# get by running mkpasswd logged in as the user
hashedPassword = "$y$j9T$AoK/PRviZS4BDJ6jX/Qt6/$FDM/JfANEU7H0RAIuN0DL2hjYujVAVDdI0jgN5wGwB5";
openssh.authorizedKeys.keys = adminKeys;
};
msmtp = lib.mkIf cfg.hq.sendmail {
enable = true;
accounts.default = {
host = "mail.c3d2.de";
port = 587;
tls = true;
tls_starttls = true;
auth = false;
domain = "gitea.c3d2.de";
from = "mail@c3d2.de";
# TODO: change when on 23.05
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix#L23
# nixos = lib.mkIf (config.system.nixos.variant_id == "installer") { openssh.authorizedKeys.keys = adminKeys; };
# using proxy option to detect iso
# https://github.com/NixOS/nixpkgs/blob/nixos-22.11/nixos/modules/profiles/installation-device.nix#L48
nixos = lib.mkIf (config.services.getty.autologinUser == "nixos") { openssh.authorizedKeys.keys = adminKeys; };
root.openssh.authorizedKeys.keys = adminKeys;
};
};
};
services.vector = lib.mkIf config.c3d2.hq.journalToMqtt {
enable = true;
@ -137,7 +138,7 @@ in
};
secret.mqtt =
let
catSecrets = pkgs.writeScript "cat-vector-secrets" /* bash */ ''
catSecrets = pkgs.writeScript "cat-vector-secrets" ''
#!${pkgs.runtimeShell} -e
echo '{'
COMMA=n
@ -184,31 +185,28 @@ in
}];
};
users =
let
adminKeys = with builtins; lib.lists.flatten (attrValues cfg.sshKeys);
in
{
users = {
k-ot = lib.mkIf cfg.k-ot.enable {
createHome = true;
isNormalUser = true;
uid = 1000;
extraGroups = [
"audio"
"video"
"wheel"
];
# get by running mkpasswd logged in as the user
hashedPassword = "$y$j9T$AoK/PRviZS4BDJ6jX/Qt6/$FDM/JfANEU7H0RAIuN0DL2hjYujVAVDdI0jgN5wGwB5";
openssh.authorizedKeys.keys = adminKeys;
};
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix#L23
nixos = lib.mkIf (config.system.nixos.variant_id == "installer") { openssh.authorizedKeys.keys = adminKeys; };
root.openssh.authorizedKeys.keys = adminKeys;
};
networking = {
interfaces = lib.mkIf (cfg.hq.interface != null) {
"${cfg.hq.interface}".ipv6.addresses = [{
address = toHqPrivateAddress config.networking.hostName;
prefixLength = 64;
}];
};
nameservers = with hostRegistry.dnscache; [
ip4
ip6
"9.9.9.9"
];
useHostResolvConf = lib.mkIf (!config.services.resolved.enable) true;
};
environment.etc."resolv.conf" = lib.mkIf (!config.services.resolved.enable) {
text = lib.concatMapStrings
(ns: ''
nameserver ${ns}
'')
config.networking.nameservers;
};
};
}
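Review bot: The `hashedPassword` literal for `k-ot` is committed in the module while the same account is put in `wheel`, so anyone who can read the repository or the Nix store can attempt offline guessing against an account that presumably has sudo rights. The `users` block shows up on both sides of this section (it looks moved; the +/- markers are lost here), which makes this a good moment to load the hash from a secret instead, for example `hashedPasswordFile = config.sops.secrets."<k-ot-password-secret>".path;` with `neededForUsers = true;` on that secret (the secret name is a placeholder, and the option is called `passwordFile` on releases before 23.11). Separately, `lib.mkIf (config.services.getty.autologinUser == "nixos")` grants the admin keys based on a proxy for "installer image", and a one-line comment stating that assumption next to it would help the next reader.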


@ -10,187 +10,240 @@ sops:
- recipient: age1px8sjpcmnz27ayczzu883n0p5ad34vnzj6rl9y2eyye546v0m3dqfqx459
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSDNRZWJXZ2ZreThjVzZy
TENrbDFKRkZCVXhaQ2VDZnpYTjIwY3FtUnhVCkxOVk9OY0sxeSt5cDFua05oa3pF
blRlTER5T08yMDMwQ3NVNXlZR21rY0UKLS0tIGtqSlZ5RmQxV3hUbzdJWUJtNjdE
cWRhRVpqNHBqTStZZW9tQkVSUXVIV1EKb+auXbwFGHtXk/Ehpk1bcwoDaltnRAPF
xDg40WITKf9hXHTtkqcLwrTZA2T33rw9SVPKiUcbgWkRcKJk6rCc6w==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDSkUzVmJyWjZZb3VsTnVV
QnRVbUpINVJSZ2tSaEVBZWhoMjQ3dVpEcGlZClpXa1NMclFEWmZ0aDM5QWsxYnRw
Q1dFUC8vK1NpeCtrUEtrMVduVzFPN28KLS0tIFY0NWZDaG12b2R3NGR3cjlNM21I
cnYxc0xCZmthNlNZYkYyUXRJZHdLeXcKIXP6kvdgt5m8TrrczYFFe3vuVkR+IMjf
G1EWkfnmZJ2Lji/py5i59g1re5pcBGcA7io5XctULjVYtd1lwhzAzQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age15tyk8zlm2v3fkv9gsdm9g75eeef23358wrddeg3slpu2vjncj96q8lu6x5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwekRsL0RqV04vWHY5VVU4
V3VIcER0aEVIejBrNDRsc3ByQng4eVpvMTFnCmxibWFLTlkvU2tnR3dlb3Ixc0Vm
WS95clBLZWZlZVlNUHdtd0d0ZzhGU3MKLS0tIE55eXpzVk1jS0xXeFB4cUdqc2VD
M0NHWnRWaDNwN2orUERMRnZOaXlvT3cKxLo3ModJfGn/XyrU66eLJzF1k4g0wA5C
qWpqzrHHromQNbbAoU4HRdRh/BBSkLZ2P1XQWJ5oiyGgGZwRUsTwrw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1xd8x0m27zhvvsm7rq2amtu3a4nvpfnlcdgp9tqt3g47hfzchsa9svgmemz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RXgxYjVQbi9ueG9wUk91
MkU4dmlpTXR5Si93QTVobEN6SE1JbzIxR2hJCmhFZ1AxbnErSkVDZlhBQ0JqQjVQ
K3cwRDN5dEdLWGF2dnRveFRuZWExaHMKLS0tIGxEVTU1eUp5Q255UTVsUk0vbFRC
OElhejZ2QUhsTHlvTzR4NVowTTVSZEUK8gi637nM8IULhCQMfVvJ3HZIgWQlje9p
AWh88RoLEm+HYpUFryLPquMNuYh+QDRrwaJk5vLRV0dK//1wlGPh+Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age12jcu0jtw7m96evxnd0vu6lvsm8uswslrdhxd2u655vjrwhljmqdsptry37
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCRWl2Q1VONXJJdGJFdi9E
YmlYRzl5L29iTWFwS3NFQjBDUDVETVora0hJCktvOE5YNW55OTlMSWl2a2JEdmpC
SWJ5TTdZY28vejMyQ2RDa1lFTTY4UUkKLS0tIEpkWkNEajZERWlIZnV3NzZTZDFS
emRlUThGUFllU0tCSlpmRHMzYzk1S2cKj9Ib8+ErXAg153Q0d7jzoGTwxfBuYKKR
rza/qk5snAjNm2q9pow6h1+iG5UrZxO7YwBDMdopNayO0GtBlPsNoA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBcG5hUlFJUVZIUmhVbkx5
enFhNzhzdUcyR3R6bys5SFB2WGhkK1FxU1dJCmo4Zm9BUHg4eFZqeUgrTjJZcWVn
N0RXRDVEUWJyOU5JbDZnNGU1dHdIOTgKLS0tIHNCOXNTTWhueXYvNTJrRXJVR0Ru
eE9mWGVRaUxXUXJzVDRpajFybmkySncKAEzUlczwVk92DwOzni6UmcrLBsdMnM7V
GhZRe3tOB9ixBKD6sv417X/+WtkpHCpFIgi9jv2VZFdwXUwYO2O0mA==
-----END AGE ENCRYPTED FILE-----
- recipient: age15vrlmtckjf4j242juw7l5e0s6eunn67ejr9acaztnl3tmvwpufrsevntva
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5RzRUTUFVMERLRkpGWFB6
cVdlcTJaNEZSRXJWVy9jOFZ5dVJMSHh3Y1F3CitYUXBSd1N1RmxsUFF5WXd1ZGVw
SHA1WWhyQmxIT0VjVitYanNQekRpQ0kKLS0tIGhza0ttdklaS2hZalRwcVVMUXNB
djdEREZzbWsycC9Mc2NzTExkTHBrNm8Kmk8j5f/FBTTitw8EVBwCm744PVP1Yo8X
/lrsYiOWmsXQxRe/S7ONM7hJGeLqaPZtQ88q5XEH4p1RUr8PwG1Cww==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBna0phS3pzWlRER05UNDQ2
SHNJRlZ1UlJ6cVBnWkNoQWk3ckdERmp1OHdJCjhIR2craUNhd0ZhSXFCM2pnK2to
N1NmeWlRejdBeDdRaWpua3B3MlVsa0UKLS0tIHVpSEU3dTYyckpldDhGbjF0dnhN
eWZkOUlCcGZCcUJFOFU3QXBSOElWckkKrqu/FAn9mliG1QQ9MZuoQzISrJS2b7xP
cpmjPUIjcXmgs6yjo54BoIVeLMwnb+sS4qTyaIdYwxiijWlPkTpAGw==
-----END AGE ENCRYPTED FILE-----
- recipient: age15qj8latetnrmgzd7krq02y65kn7lhq2pcwv8cvzej2783u5a9scqs79nmf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUWDdsMFhuVmFmZ05xNmNj
cUVJODhzSVRtaFJOYzBCVzJuT2htTTg0L1FnCkc0bFpNMWVkai9QVEpGeW5KSGU3
dkwyZERSeDgyTVJ4TEdkQW90eS9ITTQKLS0tIE5tazVRRGIxSkE4WHVkUUMwTmhZ
MUVTTUJEL0cwYnZ4R0pTUzlPTUZCK0EK5AW+WZ9Eon1s1pmLeSgTf3XJb9fWGZo9
C1q0Vw/nsgU1h6EWJ4or/69uQSQ0Kz8RhjZG2g49eg5Llz4adoMGsQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0T3pzdStidzAzYlozcDY2
SDFybGUrM0FsektOZWxDMnJNNkRKaW9OUEZRClN3K2Y1YXRwaVdRRFJrR0tVdk9r
RVRkMG1YZ3I4dWE0NTdsbGo1MWd0NHcKLS0tIEYyZHlDbHNqMGFBeDdDMmJrRzh4
dktQM1E2K0lhdGFzeWU5bGp2YmlWNU0KfzR0LBBWgjjFgLokmMd+zi4oF9g9Mv4f
q4KKvfJeZLD2XNli4ALvzATCwVs1980K2WbuNmu42N+Xp/LoFHIolA==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0dnUwR3ZqdVlTaFZiNVBU
NmMxYzY5aEI5QkFBM2tsemhlcVRkQVBDc1dFCkJ5RVJJbkt5K2hNUUIwN0lxYjNv
Z2FJRzl1RUtMdEg2Q3h0d2R2MmZxbFUKLS0tIGJyeWxvODJ2ZjBPZUg3bVhkOU1X
Q2Z0cFpCZmcxT09zZFd6Nk85MTlJU3MKPpiSH9FzBd6g8nFz/kMkSHhm2mobF6D1
AylfvAWn39Fi/+yc3Er44QOWDXbr6IHyPQKbmQdtn/yn1C7F4OhG6A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUkRFM01sZmRmczFVV0Vu
ZmlJSWFBakh3NkZBN0JIaXFQeDRoOXlJZ1E0Cm04L2xIK0dJaDhpaXdZSnRvdmp4
VzB1Umd6TDZtaG53N3I4Z3Z2NGQ1YjAKLS0tIFVBeGJzWUU0VjArbVc3YzV3OUJL
WlA0RHUvdHJpTXdyMnhiL1NzR2NNcXcKf+DIOhY5rTmT83dtRj9AK7MPnMJh1ZDi
bFoWIo1aung6g1zoYVGDACMpyBDw0t6ZAcLVSQS8Lu3S7J1KeKp6Iw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-06T21:58:08Z"
mac: ENC[AES256_GCM,data:Zw6HzWSo4xnjZJQ9u1J08V/E0zoV4LGoKfY8WgRN5dS04LUxb+O0A5fFEwFTsGs5Ch0IA/0MJ6k4fqGkg97X18w0lK+TLlxl/tcjW1yA5ECbQhNKEUuSajw7rgDdqGGqxJ0BoGOH/Rv5I3VBstoSS6Ad4hmDnRuLiY9VpRYA+RM=,iv:CK0jB87RBsnIv3mOQs7fz0VjBYczE/unP6+14X90qCI=,tag:8SJ1a7Kd9mc7yfdIv/a1Vw==,type:str]
pgp:
- created_at: "2024-01-27T21:08:55Z"
enc: |-
- created_at: "2023-05-21T20:00:30Z"
enc: |
-----BEGIN PGP MESSAGE-----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=D95K
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
- created_at: "2024-01-27T21:08:55Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=9y4F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=yUwh
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2024-01-27T21:08:55Z"
enc: |-
- created_at: "2023-05-21T20:00:30Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAwMCBBrc/JA6ARAAu/4iBqxmT52IvRIJVyalDrZvIdqTJtv3OQ5oQfJIJvh2
JpoyjHwVzaxYfR079deooQ2xu9u270+a9eyzjV/NRb5J8aDBAFKKIWVMcHX3wwjz
qfzFygqtvmucxZd56H9k15OEqgh2esTGmxmpkwG8GNucqWbfI3AqEJ21oEOhpADs
WvsRRFnncKWQ5EFDWonNDOzB1TneQUUpHfW3sOb2uUNhi8FaYqX9EK4cqIGrjMWC
oR+EVl4naa6BEqtJLENfKdoqAX02rTN/JLrTwYovjPHPtrmYc4AMKX7EwCwtlmEZ
Z18KzQgfoWZ/Vh26J16MX89RG3o46bt2spR5vP6f3ES7n2sHkmtXTVsG1Zur4dD7
8cQ61vav6HaAb52ow5H/S5MYtLXamP+u2UAuUFVTKj5T2reb07at+Mu5BKKh0BbZ
Th+R3LpblMKgtvJ1/fN39x29Y1vbXT1aqmOof1cR2EBsVD9TrQcKQe/qEbuF9U4s
6rY0exCPuJtXxH/yd3RrMiOp2df4kSnETbklimCSzHiJYGD+VFghO0UTf8hcHpQe
2A5VHHc74HGa3fGw7uuP1F7W7YN447JmH2kUth2KDhPVQn8uyTnUMsx50AsousHk
zH8C02A+Ur8S0xlIF+15K6z0nIUHWnW6u8xocNu8NX1zOrQyYW//Hyj+JQOvGrHS
kwGhDFYvyT3kobFglO4YmOj5SSgtL4W2Lf7noh+B8WNw2uDHFY2sE/o0RslETJMk
SrMXTL4ea+NUcZpSPyr3Xi9yeENMKDI+WfciZV82k4ACbPReUTljI9ygAxp3SKoI
hv+LxERKFerOluvpmgtM94BWL8L4odPuBVQf1SXuZHLAeYLJoXaTPH0XaPoShdHX
IfTjnw==
=PVA/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=ly0Q
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2024-01-27T21:08:55Z"
enc: |-
fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A
- created_at: "2023-05-21T20:00:30Z"
enc: |
-----BEGIN PGP MESSAGE-----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=MXAe
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2024-01-27T21:08:55Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=GY6B
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2024-01-27T21:08:55Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=GoZo
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2024-01-27T21:08:55Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA45bZkLXmBFpAQf/cJgbblAJdKu87Awpf9Gp88TijOTeXt1mDjFWuDSJuurA
QTq6i1lREAmHODb/WcMkZFc2Q3FodCdFf4Jmj4lDEq4wFLMkPPFo6kHNRjgQj/cQ
MAHrUfFbThFOIj4lGrdP4KmJ4J9BenBMcPWe0EXXEJIS7DUUsHSOkq/VpvnWzvnB
Z5ZyUf2pAGnpplBFdt4/8ImJyiZYYWfiJSGbouFvvJc+SOhlyMplh3l2Omdk5djL
rtGxNXFZGtr14r1/QRYS72yKF7DmfCLKWx3D49D/dwLB67+kS0KvtLfLM4LIKksV
+bN19b2dgdXzkCjGrqDjtBLRtaJvY5iv7QgN+guVFtJcAUyEhfZmtHhCCssLFr58
Usgdxauc9gSvSUx7q6GEVXc+MrzOiACH1NmGEUgz16gnXhcdYfgFdGwzG3fa4hPu
V0v1/tYHjI80Ukqq+BcKmhBzwBiN973tfOcatQ0=
=uMgx
hQEMA45bZkLXmBFpAQf/UJ1SFixS5BZHe1offIfWtuWUbyfqFSbxuPJ0nE6Y2Gw5
HnVRqmgROlX+4fWQI5hvaFUc1j4VPGQtaQJPWpp2h8I4AdXPfksxwVkwhYUJhKgf
Hif54BuStkRSWzHg57eRUV648UZ4XJhHLNbZPALdf74MXJum1MauO2y3Lpe/HR00
TEDBjHkKMG9O0ZKaNRF84lIVKGUYv+HpihehIy+puF2dJBPj8AB6H0kgdb+bQ9ds
VUfGgRKcmf02LAYv+bdflOV+i+E9IAQCBVHHmBvBSfwGqzIhMJ3OgCRWUhZlvaMJ
WnrUt5IQCp6CwdrM4YxoDehZDpKyG9Lu/nz2ZXBXRdJcAbKmKOdZq093a4lGmweo
oZpQb9Mp9oPl0SGCSoSk5Dy4IsimXXWvUWFjdW4EPknRs6Rl4zHIEmEyCuIi30y2
o+ENdF987Ya7kU30VfA+40u16+U7OnATrERQrUo=
=bCvy
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
- created_at: "2023-05-21T20:00:30Z"
enc: |
-----BEGIN PGP MESSAGE-----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=sVzd
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2023-05-21T20:00:30Z"
enc: |
-----BEGIN PGP MESSAGE-----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=4DcY
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2023-05-21T20:00:30Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA/Z87ylQaotQAQf7BXLjJE079OKPU+K6aMZxDyZxJD0UhY4j7rpK+smnEVB5
nLXsEdBP99AgOmzonpX00t1TwP7h6xbdgtA3srzIYQt7E/LieE3oE0mBE3E7D/Am
kMfdRBKtD2OpKz2eKEaPE3Q3MV8uhpL7ZsFGCozjhqT/56T9YiGU5gbTu5It390F
t75jF2BvQcqyvfrGUSDLh3Rl1g4Yh5AR/QTZhxCm7uP6HfCAm6X4vGLGqH5b68bx
5krBtB/uL3FoIWrF8ZSCLwZZIe9PWg50/0czxuKod6HE2VQi5/0bzNzFbpFbqNwR
brEWWfMjHhH6t4vhBMADFZYgEjUgsUWhHWI4S56Ao9JRAffrCoTfUkhucncvKSyV
0beA0pL2u0p/95OFo/Je4t1/IGWw5Gu8RntqulscV4XIxXR3yMXPe5cyBUQf/8qH
4IQQcDfiIRqg8qRboKBxHViK
=XLIn
-----END PGP MESSAGE-----
fp: 9EA68B7F21204979645182E4287B083353C3241C
- created_at: "2023-05-21T20:00:30Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA9qJIVK2WMV7ARAAtcqR/tECrfAAHt5FpLHjdMsO+q5YoyccpSs0hNfJXVX5
H9AMPCJ9My/9cJNyN3dQzqMwsLdaVHbZIzasq54XwIXnS0nOb9XmadNBBzy2bO5y
vRIXeL/zVoG1TwhDxZBpEHWrAKVgzKsBKmkhZBQGMa7VseD/0drJu3fMmj9nQRob
ONsjiJHi2Aj5Nh5ml3T4uce8ls1p3WprWy5thJ69wgqc3g/Dqz+7iD9yWlgHVu5n
VorTnYpKmcbtyINArKM3+gGFqKEIDUTlNYUB1y6M6aWb591dhWd1iPui9HioUzy3
5326cNOSFgxupnQhar1PIWzvdC/X1ahfhRgmsZtNVJmxG6O+bNGN3TO8SUSv4UFr
WqecvoTvhDzYCI0DS1CIJqVnk8sCNpCjL8uSgMT4cIhdwysXyU8+353yumdDaJIW
lEWqlRatGjRJeVicon8qoj9YhdnAHloIvrSK7P4dcBlsTUqnDzyJX+/3grtVKVIT
nwB6BmpsX5c24EmML32qyvE5AtC9+MR9kCg9d/hSKMvWptYSq85IgUdBthgzYvpT
20C+QePH+fXCUKfjRimI+aiGttBtfN1uqFPmRnLyqBzaN8OltA7z5cCny1lT0hLT
rUL4uNK5QctnJ/99dwv8y/hD8kl3n00IAli8/gyytk1zEhpFmn7LqRQm9mO8x2nS
UQFpB9gr9VilwURFGUy/fFVhzykrEzEx9P+fCFR1QDpDU6JM5irwJHzWIyJGxsEk
MHjlJWLoOPyXSxyIywrXk6tivhGH0tJi8ronbyZIoN0/Xg==
=o7U5
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2023-05-21T20:00:30Z"
enc: |
-----BEGIN PGP MESSAGE-----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=ky91
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2023-05-21T20:00:30Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=zus9
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.7.3
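Review bot: The PGP recipient set differs between the two sides of this section (for example `D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A` is listed only once), yet `lastmodified` and `mac` appear as unchanged context, which suggests only the key groups were updated and the payload was not re-encrypted. If any recipient was dropped, that key holder can still decrypt the data key from an earlier revision of this file in git history. Rotating the data key (`sops -r`) and replacing the secret values themselves is the step that actually revokes access. Which recipients were removed rather than added cannot be told from this page, because the +/- markers are lost.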


@ -50,10 +50,10 @@ in
Name = "${net}";
};
extraConfig = ''
[Bridge]
ForwardDelaySec=2
STP=true
'';
[Bridge]
ForwardDelaySec=2
STP=true
'';
};
# External VLAN interface
"ext-${net}" = {


@ -1,7 +1,7 @@
{ config, lib, ... }:
let
cfg = config.disko.disks;
cfg = config.disko;
in
{
options.disko.disks = lib.mkOption {
@ -22,12 +22,6 @@ in
description = "Name of the disk.";
};
partitionTableFormat = lib.mkOption {
type = lib.types.enum [ "gpt" "msdos" ];
default = "gpt";
description = "Which parition table format to use.";
};
withBoot = lib.mkOption {
type = lib.types.bool;
default = true;
@ -36,7 +30,7 @@ in
withCeph = lib.mkOption {
type = lib.types.bool;
default = false;
default = true;
description = "Wether to include a ceph partition.";
};
@ -57,7 +51,7 @@ in
};
config = {
assertions = lib.mkIf (cfg != [ ]) (lib.head (map
assertions = lib.mkIf (cfg.disks != [ ]) (lib.head (map
(disk: [
{
assertion = disk.withCeph || disk.withZfs;
@ -68,31 +62,33 @@ in
message = "Ceph requires Luks!";
}
])
cfg));
cfg.disks));
disko = {
devices = lib.mkIf (cfg != [ ]) (lib.head (map
(disk:
let
diskName = if disk.name != "" then "-${disk.name}" else "";
luksName = "crypt-${config.networking.hostName}${diskName}";
zfs = {
size = "100%FREE";
content = {
pool = zfsName;
type = "zfs";
};
disko.devices = lib.mkIf (cfg.disks != [ ]) (lib.head (map
(disk:
let
diskName = if disk.name != "" then "-${disk.name}" else "";
luksName = "crypt-${config.networking.hostName}${diskName}";
rootSize = 200; # size of the zfs partition if inside of lvm
vgName = "lvm-${config.networking.hostName}${diskName}";
zfs = {
size = if (!disk.withCeph) then "100%FREE" else "${toString rootSize}GiB";
content = {
pool = zfsName;
type = "zfs";
};
zfsName = "${config.networking.hostName}${diskName}";
in
{
disk.${disk.device} = {
inherit (disk) device;
type = "disk";
content = {
type = "table";
format = disk.partitionTableFormat;
partitions = lib.optional disk.withZfs {
};
zfsName = "${config.networking.hostName}${diskName}";
in
{
disk.${disk.device} = {
inherit (disk) device;
type = "disk";
content = {
type = "table";
format = "gpt";
partitions = lib.optional disk.withZfs
{
name = "ESP";
start = "1MiB";
end = "512MiB";
@ -103,87 +99,92 @@ in
mountpoint = "/boot";
};
} ++ [
{
name = "root";
start = if disk.withZfs then "512MiB" else "1MiB";
end = "100%";
part-type = "primary";
content = lib.optionalAttrs disk.withLuks {
{
name = "root";
start = if disk.withZfs then "512MiB" else "1MiB";
end = "100%";
part-type = "primary";
content = lib.optionalAttrs disk.withLuks
{
type = "luks";
name = luksName;
askPassword = true;
inherit (zfs) content;
# trim potential new lines to not have them in the password
keyFile = "tr -d '\n' </$PWD/keyFile";
content = {
type = "lvm_pv";
vg = vgName;
};
} // lib.optionalAttrs (!disk.withLuks) zfs.content;
}
];
};
}
];
};
} // {
zpool.${zfsName} = {
type = "zpool";
# -O
rootFsOptions = {
acltype = "posixacl";
compression = "zstd";
dnodesize = "auto";
normalization = "formD";
xattr = "sa";
};
# -o
options = {
ashift = "12";
autotrim = "on";
};
datasets =
let
dataset = mountpoint: {
};
} // lib.optionalAttrs disk.withLuks {
lvm_vg.${vgName} = {
type = "lvm_vg";
lvs = lib.optionalAttrs disk.withCeph
{
ceph.size = "100%FREE";
} // lib.optionalAttrs disk.withZfs { inherit zfs; };
};
} // {
zpool.${zfsName} = {
type = "zpool";
rootFsOptions.acltype = "posixacl";
options = {
ashift = "12";
autotrim = "on";
};
datasets =
let
dataset = mountpoint: {
inherit mountpoint;
options = {
canmount = "on";
compression = "zstd";
dnodesize = "auto";
normalization = "formD";
xattr = "sa";
inherit mountpoint;
options = {
canmount = "on";
inherit mountpoint;
};
type = "zfs_fs";
};
datasetNoMount = {
mountpoint = null;
options = {
canmount = "off";
mountpoint = "none";
};
type = "zfs_fs";
};
in
{
"root" = dataset "/";
"data" = datasetNoMount;
# used by services.postgresqlBackup and later by restic
"data/backup" = dataset "/var/backup";
"data/etc" = dataset "/etc";
"data/lib" = dataset "/var/lib";
"home" = dataset "/home";
"nix" = lib.recursiveUpdate (dataset "/nix") {
options.atime = "off";
};
"nix/store" = dataset "/nix/store";
"nix/var" = dataset "/nix/var";
# zfs uses copy on write and requires some free space to delete files when the disk is completely filled
"reserved" = lib.recursiveUpdate (dataset "reserved") {
mountpoint = null;
options = {
canmount = "off";
mountpoint = "none";
reservation = "5GiB";
};
type = "zfs_fs";
};
type = "zfs_fs";
};
};
})
cfg));
# we do not want changes to this module render machines unbootable
enableConfig = false;
};
in
{
"data" = dataset "/";
"data/etc" = dataset "/etc";
"data/home" = dataset "/home";
"data/var" = dataset "/var";
# used by services.postgresqlBackup and later by restic
"data/var/backup" = dataset "/var/backup";
"data/var/lib" = dataset "/var/lib";
"data/var/log" = dataset "/var/log";
"nixos" = lib.recursiveUpdate (dataset "nixos") {
mountpoint = null;
options = {
canmount = "off";
mountpoint = "none";
};
type = "zfs_fs";
};
"nixos/nix" = dataset "/nix";
"nixos/nix/store" = lib.recursiveUpdate (dataset "/nix/store") {
options.atime = "off";
};
"nixos/nix/var" = dataset "/nix/var";
# zfs uses copy on write and requires some free space to delete files when the disk is completely filled
"reserved" = lib.recursiveUpdate (dataset "reserved") {
mountpoint = null;
options = {
canmount = "off";
mountpoint = "none";
reservation = "5GiB";
};
type = "zfs_fs";
};
};
};
})
cfg.disks));
};
}
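Review bot: The LUKS entry for the `root` partition reads its passphrase through `keyFile = "tr -d '\n' </$PWD/keyFile";` where the other side of this hunk had `askPassword = true;`, so the disk passphrase has to sit in a plaintext file in whatever directory the formatter is run from. Nothing in this section keeps that file out of the repository or removes it afterwards. I would add a comment such as `# keyFile is a secret: create with mode 0600, never commit, delete after formatting` and make sure the path is ignored by git. Which of the two variants is the new one is inferred from print order, since the page lost its +/- markers.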


@ -1,30 +0,0 @@
{ config, lib, ... }:
let
cfg = config.services.gitea-actions;
in {
options.services.gitea-actions.enableRegistrar = lib.mkEnableOption "gitea";
config.systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") cfg.numInstances) (name: {
wantedBy = [ "multi-user.target" ];
after = lib.optional config.services.gitea.enable "gitea.service";
unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/${name}" ];
script = ''
set -euo pipefail
token=$(${lib.getExe config.services.gitea.package} actions generate-runner-token)
echo "TOKEN=$token" > /var/lib/gitea-registration/${name}
'';
environment = {
GITEA_CUSTOM = "/var/lib/gitea/custom";
GITEA_WORK_DIR = "/var/lib/gitea";
};
serviceConfig = {
User = "gitea";
Group = "gitea";
StateDirectory = "gitea-registration";
Type = "oneshot";
RemainAfterExit = true;
};
});
}


@ -1,220 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.gitea-actions;
storeDeps = pkgs.buildEnv {
name = "store-deps";
paths = (with pkgs; [
bash
cacert
coreutils
curl
findutils
gawk
git
gnugrep
jq
nix
nodejs
openssh
]) ++ cfg.storeDependencies;
};
in {
options = {
services.gitea-actions = {
enableRunner = lib.mkEnableOption "gitea-actions-runner";
giteaUrl = lib.mkOption {
type = lib.types.str;
default = config.services.gitea.settings.server.ROOT_URL;
};
numInstances = lib.mkOption {
type = lib.types.ints.unsigned;
default = 2;
description = "Number of instances of the gitea-actions-runner service to create";
};
storeDependencies = lib.mkOption {
type = lib.types.listOf lib.types.package;
default = [];
description = "List of packages to symlink into the container";
};
additionalFlakeConfig = lib.mkOption {
type = lib.types.str;
default = "";
example = "accept-flake-config = true";
description = "Additional configuration to add to the nix.conf file";
};
kvm = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable KVM passthrough for the container";
};
zfsDataset = lib.mkOption {
type = lib.types.str;
default = "zroot/root/podman";
};
};
};
config = lib.mkIf cfg.enableRunner (lib.mkMerge [
{
systemd.services.gitea-runner-nix-image = {
wantedBy = [ "multi-user.target" ];
after = [ "podman.service" ];
requires = [ "podman.service" ];
script = ''
set -eu -o pipefail
mkdir -p etc/nix
# Create an unpriveleged user that we can use also without the run-as-user.sh script
touch etc/passwd etc/group
groupid=$(cut -d: -f3 < <(getent group gitea-actions))
userid=$(cut -d: -f3 < <(getent passwd gitea-actions))
groupadd --prefix $(pwd) --gid "$groupid" gitea-actions
emptypassword='$y$j9T$dLJlazrLCVKcOQ/zmu60E1$bAkbdgDaiz7niknOCasvKW3Tjxeca6WA/1fNe4UpeeC'
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G gitea-actions gitea-actions
cat <<NIX_CONFIG > etc/nix/nix.conf
experimental-features = nix-command flakes
${cfg.additionalFlakeConfig}
NIX_CONFIG
cat <<NSSWITCH > etc/nsswitch.conf
passwd: files mymachines systemd
group: files mymachines systemd
shadow: files
hosts: files mymachines dns myhostname
networks: files
ethers: files
services: files
protocols: files
rpc: files
NSSWITCH
# list the content as it will be imported into the container
tar -cv . | tar -tvf -
tar -cv . | podman import - gitea-runner-nix
'';
path = with pkgs; [
config.virtualisation.podman.package
getent
gnutar
shadow
];
serviceConfig = {
RuntimeDirectory = "gitea-runner-nix-image";
WorkingDirectory = "/run/gitea-runner-nix-image";
Type = "oneshot";
RemainAfterExit = true;
};
};
users = {
groups.gitea-actions = { };
users.gitea-actions = {
group = "gitea-actions";
description = "Used for running nix ci jobs";
home = "/run/gitea-runner-nix-image";
isSystemUser = true;
};
};
}
{
virtualisation = {
podman.enable = true;
containers = {
# remove domain name from DoT addresses
containersConf.settings.containers.dns_servers = map (addr: toString (lib.take 1 (builtins.split "#" addr))) config.networking.nameservers;
storage.settings.storage.options.zfs.fsname = lib.mkIf config.boot.zfs.enabled "${cfg.zfsDataset}";
};
};
}
{
systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") cfg.numInstances) (name: {
after = [
"gitea-runner-nix-image.service"
];
requires = [
"gitea-runner-nix-image.service"
];
serviceConfig = {
AmbientCapabilities = "";
CapabilityBoundingSet = "";
DeviceAllow = "";
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
UMask = "0066";
ProtectProc = "invisible";
PrivateNetwork = false;
MemoryDenyWriteExecute = false;
ProcSubset = "all";
LockPersonality = false;
DynamicUser = true;
SystemCallFilter = [
"~@clock"
"~@cpu-emulation"
"~@module"
"~@mount"
"~@obsolete"
"~@privileged"
"~@raw-io"
"~@reboot"
"~@swap"
"~capset"
"~setdomainname"
"~sethostname"
];
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
"AF_NETLINK"
];
};
});
services.gitea-actions-runner.instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") cfg.numInstances) (iname: {
enable = true;
name = config.networking.hostName;
url = cfg.giteaUrl;
tokenFile = "/var/lib/gitea-runner/${iname}/token";
labels = [ "nix:docker://gitea-runner-nix" ];
settings.container = {
options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt${lib.optionalString cfg.kvm " --device /dev/kvm"} -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user gitea-actions";
network = "host";
valid_volumes = [
"/nix"
"${storeDeps}/bin"
"${storeDeps}/etc/ssl"
];
};
});
}
]);
}


@ -9,10 +9,6 @@
boot = {
loader.grub.enable = false;
initrd.kernelModules = [
# required for net.netfilter.nf_conntrack_max appearing in sysfs early at boot
"nf_conntrack"
];
kernel.sysctl =
let
mem = if (config?microvm) then config.microvm.mem else config.deployment.mem;
@ -20,8 +16,12 @@
lib.optionalAttrs (mem <= 2*1024) {
# table overflow causing packets from nginx to the service to drop
# nf_conntrack: nf_conntrack: table full, dropping packet
"net.netfilter.nf_conntrack_max" = lib.mkDefault "65536";
"net.netfilter.nf_conntrack_max" = "65536";
};
kernelModules = [
# required for net.netfilter.nf_conntrack_max appearing in sysfs early at boot
"nf_conntrack"
];
kernelParams = [
"preempt=none"
# No server/router runs any untrusted user code
@ -37,9 +37,8 @@
# nix store is mounted read only
nix = {
enable = lib.mkDefault false;
enable = false;
gc.automatic = false;
optimise.automatic = false;
};
systemd.tmpfiles.rules = [


@ -1,4 +1,4 @@
{ self, config, lib, options, pkgs, ... }:
{ self, config, lib, pkgs, ... }:
{
options = with lib; {
c3d2.deployment.microvmBaseZfsDataset = mkOption {
@ -21,14 +21,8 @@
builtins.filter (name:
(self.nixosConfigurations.${name}.config.c3d2.deployment.server or null) == config.networking.hostName
) (builtins.attrNames self.nixosConfigurations);
# don't enable microvm host options in live iso's
host.enable = if (options?isoImage) then false else true;
};
# allow microvm access to zvol
users.users.microvm.extraGroups = [ "disk" ];
systemd.services = {
"microvm-virtiofsd@" = {
requires = [ "microvm-zfs-datasets@%i.service" ];
@ -48,7 +42,7 @@
};
path = with pkgs; [ zfs ];
scriptArgs = "%i";
script = /* bash */ ''
script = ''
zfsExists() {
zfs list $1 >/dev/null 2>/dev/null
}
@ -80,7 +74,7 @@
environment.systemPackages = [ (
# Provide a manual updating script that fetches the latest
# updated+built system from Hydra
pkgs.writeScriptBin "update-microvm" /* bash */ ''
pkgs.writeScriptBin "update-microvm" ''
#! ${pkgs.runtimeShell} -e
if [ $# -lt 1 ]; then


@ -56,6 +56,7 @@ in
mounts = mkOption {
description = "Persistent filesystems to create, without leading /.";
type = with types; listOf str;
default = [ "etc" "home" "var" ];
};
mountBase = mkOption {
@ -66,12 +67,6 @@ in
};
config = {
c3d2.deployment.mounts = [ "etc" "home" "var" ];
# make mounts like /etc /home /var available early so that they can be used in system.activationScripts
fileSystems = lib.genAttrs (map (x: "/" + x) config.c3d2.deployment.mounts)
(_: { neededForBoot = true; });
microvm = {
hypervisor = lib.mkDefault "cloud-hypervisor";
mem = lib.mkDefault 512;

133
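--- a/modules/nncp.nix
+++ b/modules/nncp.nix
@@ -0,0 +1,133 @@
+{ config, lib, ... }:
+let
+nncpCfgFile = "/run/nncp.hjson";
+programCfg = lib.optionalAttrs (config.programs ? nncp) config.programs.nncp;
+callerCfg = config.services.nncp.caller;
+daemonCfg = config.services.nncp.daemon;
+pkg = programCfg.package;
+in
+{
+options = {
+services.nncp = {
+caller = {
+enable = lib.mkEnableOption ''
+croned NNCP TCP daemon caller.
+The daemon will take configuration from
+<xref linkend="opt-programs.nncp.settings"/>
+'';
+extraArgs = lib.mkOption {
+type = with lib.types; listOf str;
+description = "Extra command-line arguments to pass to caller.";
+default = [ ];
+example = [ "-autotoss" ];
+};
+};
+daemon = {
+enable = lib.mkEnableOption ''
+NNCP TCP synronization daemon.
+The daemon will take configuration from
+<xref linkend="opt-programs.nncp.settings"/>
+'';
+socketActivation = {
+enable = lib.mkEnableOption ''
+Whether to run nncp-daemon persistently or socket-activated.
+'';
+listenStreams = lib.mkOption {
+type = with lib.types; listOf str;
+description = ''
+TCP sockets to bind to.
+See <xref linkend="opt-systemd.sockets._name_.listenStreams"/>.
+'';
+default = [ "5400" ];
+};
+};
+extraArgs = lib.mkOption {
+type = with lib.types; listOf str;
+description = "Extra command-line arguments to pass to daemon.";
+default = [ ];
+example = [ "-autotoss" ];
+};
+};
+};
+};
+config = lib.mkIf (programCfg.enable or callerCfg.enable or daemonCfg.enable) {
+assertions = [{
+assertion =
+let
+callerCongfigured =
+let neigh = config.programs.nncp.settings.neigh or { };
+in lib.lists.any (x: lib.hasAttr "calls" x && x.calls != [ ])
+(lib.attrValues neigh);
+in
+!callerCfg.enable || callerCongfigured;
+message = "NNCP caller enabled but call configuration is missing";
+}];
+systemd.services = {
+"nncp-caller" = {
+inherit (callerCfg) enable;
+description = "Croned NNCP TCP daemon caller.";
+documentation = [ "http://www.nncpgo.org/nncp_002dcaller.html" ];
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+ExecStart = ''
+${pkg}/bin/nncp-caller -noprogress -cfg "${nncpCfgFile}" ${
+lib.strings.escapeShellArgs callerCfg.extraArgs
+}'';
+Group = "uucp";
+UMask = "0002";
+};
+};
+"nncp-daemon" = lib.mkIf daemonCfg.enable {
+enable = !daemonCfg.socketActivation.enable;
+description = "NNCP TCP syncronization daemon.";
+documentation = [ "http://www.nncpgo.org/nncp_002ddaemon.html" ];
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+ExecStart = ''
+${pkg}/bin/nncp-daemon -noprogress -cfg "${nncpCfgFile}" ${
+lib.strings.escapeShellArgs daemonCfg.extraArgs
+}'';
+Restart = "on-failure";
+Group = "uucp";
+UMask = "0002";
+};
+};
+"nncp-daemon@" = lib.mkIf daemonCfg.socketActivation.enable {
+description = "NNCP TCP syncronization daemon.";
+documentation = [ "http://www.nncpgo.org/nncp_002ddaemon.html" ];
+after = [ "network.target" ];
+serviceConfig = {
+ExecStart = ''
+${pkg}/bin/nncp-daemon -noprogress -ucspi -cfg "${nncpCfgFile}" ${
+lib.strings.escapeShellArgs daemonCfg.extraArgs
+}'';
+Group = "uucp";
+UMask = "0002";
+StandardInput = "socket";
+StandardOutput = "inherit";
+StandardError = "journal";
+};
+};
+};
+systemd.sockets.nncp-daemon = lib.mkIf daemonCfg.socketActivation.enable {
+inherit (daemonCfg.socketActivation) listenStreams;
+description = "socket for NNCP TCP syncronization.";
+conflicts = [ "nncp-daemon.service" ];
+wantedBy = [ "sockets.target" ];
+socketConfig.Accept = true;
+};
+};
+}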
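Review bot: The three units under `systemd.services` set `Group = "uucp"` but no `User=`, so `nncp-caller`, `nncp-daemon` and `nncp-daemon@` run as root, and the daemon accepts TCP connections (the default `listenStreams` is `5400`). A dedicated unprivileged `User=` plus basic sandboxing such as `NoNewPrivileges = true;` and `ProtectSystem = "strict";` would limit what a parsing bug in the daemon can reach. The ownership of the spool and of `/run/nncp.hjson` would need checking against that user, which this file does not show. Separately, `programCfg.enable or callerCfg.enable or daemonCfg.enable` uses Nix's attribute-default `or`, not a boolean OR, so whenever `programs.nncp.enable` exists the caller and daemon flags are never consulted; `||` looks like what was meant.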


@ -71,7 +71,6 @@ in
serviceConfig = {
User = cfg.user;
Group = cfg.group;
Restart = "on-failure";
WorkingDirectory = config.users.users.${cfg.user}.home;
};
};


@ -24,7 +24,7 @@
enable = true;
flushBeforeStage2 = false;
# DHCP: 120 tries every 1 second
udhcpc.extraArgs = lib.mkIf (!config.boot.initrd.systemd.enable) [ "-t" "120" "-T" "1" ];
udhcpc.extraArgs = [ "-t" "120" "-T" "1" ];
};
supportedFilesystems = lib.mkForce [
"nfs"
@ -34,8 +34,6 @@
"genet"
"usbhid"
];
# TODO: pending https://github.com/NixOS/nixpkgs/pull/270611
systemd.enable = lib.mkForce false;
};
tmp.useTmpfs = true;


@ -40,15 +40,15 @@ in
entropy = "";
load = "";
swap = "";
cgroups = "";
vmem = "";
interface = "";
} // lib.optionalAttrs isMetal {
sensors = "";
cpufreq = "";
irq = "";
thermal = "";
} // lib.optionalAttrs (isMetal && config.nixpkgs.system == "x86_64-linux") {
ipmi = "";
thermal = "";
} // lib.optionalAttrs config.services.nginx.enable {
nginx = ''
URL "http://localhost:${toString nginxStatusPort}/nginx_status"


@ -79,6 +79,19 @@ with final; {
mlat-client = python3Packages.callPackage ./mlat-client.nix { };
nixVersions = prev.nixVersions // {
stable = (prev.nixVersions.stable.override { withAWS = false; }).overrideAttrs ({ patches ? [ ], ...}: {
patches = patches ++ [
# request compression
# TODO: drop with 23.11
(fetchpatch {
url = "https://github.com/NixOS/nix/pull/7712.patch";
sha256 = "sha256-mAx2h0/r7HayvTjMMxmewaD+L4OOB2gRJaQb3JEb0rk=";
})
];
});
};
openssh = prev.openssh.overrideAttrs (_: {
# takes 30 minutes
doCheck = false;
@ -92,6 +105,8 @@ with final; {
readsb = callPackage ./readsb.nix { };
schalterd = callPackage ./schalterd.nix { };
telme10 = callPackage ./telme10.nix { };
tracer-game =
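Review bot: The `fetchpatch` added under `nixVersions.stable` pulls `https://github.com/NixOS/nix/pull/7712.patch`, a pull-request URL whose content changes whenever the PR is rebased or gains commits. The `sha256` still protects integrity, but the build then fails with a hash mismatch instead of fetching what was reviewed; pointing `url` at the patch of one specific commit keeps it reproducible. The comment says `TODO: drop with 23.11`, so if this branch is already on 23.11 the override may be due for removal. The overlay attribute set continues outside the hunk.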


@ -2,12 +2,12 @@
buildPythonApplication rec {
pname = "mlat-client";
version = "unstable-2023-12-22";
version = "0.4.2";
src = fetchFromGitHub {
owner = "adsbxchange";
repo = "mlat-client";
rev = "fabefdc3543702c6ef950111b94981162c45147d";
hash = "sha256-7FgyoZ08hGoMJWb1O/duIfiVb0udt8jwSoRSDTQ1Y+g=";
rev = "v${version}";
hash = "sha256-V//LpYmBXtT8haX1aZ4XldzzyUY2YN7x3lTpQ2csTmw=";
};
}

15
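--- a/overlays/schalterd.nix
+++ b/overlays/schalterd.nix
@@ -0,0 +1,15 @@
+{ pkgsCross, fetchFromGitHub }:
+pkgsCross.armv7l-hf-multiplatform.pkgsStatic.rustPlatform.buildRustPackage {
+name = "schalterd";
+src = "${fetchFromGitHub {
+owner = "astro";
+repo = "spacemsg";
+# master of 2023-07-02
+rev = "a825a738544e62c285f4497c151a73d417326da2";
+sha256 = "sha256-8sM2GdQ2nJ3YCCF5+ZW0vBNTKL3/ulY1/fmyw++5UQQ=";
+}}/schalterd";
+cargoSha256 = "sha256-OdNztl4XQML2UqK/4BLzKed3pBJNd9rIwHEXaIzLQ4U=";
+}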


@ -30,7 +30,7 @@ lib.attrsets.mapAttrs
ln -s $src $out
'';
list-upgradable = pkgs.writeShellScriptBin "list-upgradable" ''
list-upgradable = pkgs.writeScriptBin "list-upgradable" ''
set -eou pipefail
NORMAL="\033[0m"
@ -41,7 +41,7 @@ lib.attrsets.mapAttrs
${lib.concatMapStringsSep "\n" (name:
let
addr = getHostAddr name;
in lib.optionalString (addr != null) /* bash */ ''
in lib.optionalString (addr != null) ''
echo -n -e "${name}: $RED"
RUNNING=$(ssh -o PreferredAuthentications=publickey -o StrictHostKeyChecking=accept-new root@"${addr}" "readlink /run/current-system")
if [ $? = 0 ] && [ -n "$RUNNING" ]; then
@ -77,7 +77,7 @@ lib.attrsets.mapAttrs
'') (builtins.attrNames self.nixosConfigurations)}
'';
prebuild-all-remote = pkgs.writeShellScriptBin "prebuild-all" ''
prebuild-all-remote = pkgs.writeScriptBin "prebuild-all" ''
set -eou pipefail
nix copy --no-check-sigs --to ssh-ng://$1 ${inputPaths}
@ -93,11 +93,10 @@ lib.attrsets.mapAttrs
let
discardStringCtx = builtins.unsafeDiscardStringContext;
host = getHostAddr name;
target = "root@${host}";
target = ''root@"${host}"'';
rebuildArg = "--flake ${self}#${name} ${overrideInputsArgs} --accept-flake-config";
hostConfig = self.nixosConfigurations."${name}".config;
declaredRunnerDrvPath = discardStringCtx hostConfig.microvm.declaredRunner.drvPath;
declaredRunnerOutPath = discardStringCtx hostConfig.microvm.declaredRunner.outPath;
toplevelDrvPath = discardStringCtx hostConfig.system.build.toplevel.drvPath;
toplevelOutPath = discardStringCtx hostConfig.system.build.toplevel.outPath;
# let /var/lib/microvm/*/flake point to the flake-update branch so that
@ -108,7 +107,7 @@ lib.attrsets.mapAttrs
# Generate a small script for copying this flake to the
# remote machine and bulding and switching there.
# Can be run with `nix run c3d2#…-nixos-rebuild switch`
"${name}-nixos-rebuild" = pkgs.writeShellScriptBin "${name}-nixos-rebuild" ''
"${name}-nixos-rebuild" = pkgs.writeScriptBin "${name}-nixos-rebuild" ''
set -eou pipefail
${lib.optionalString (hostConfig.c3d2.deployment.server or "" != "") ''
@ -127,13 +126,13 @@ lib.attrsets.mapAttrs
ssh ${target} bash -e <<END
set -eou pipefail
nix build --no-link ${toplevelDrvPath}^*
nix build --no-link ${toplevelDrvPath}
${discardStringCtx hostConfig.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set ${toplevelOutPath}
${toplevelOutPath}/bin/switch-to-configuration "''${@:-switch}"
END
'';
"${name}-nixos-rebuild-hydra" = pkgs.writeShellScriptBin "${name}-nixos-rebuild" /* bash */ ''
"${name}-nixos-rebuild-hydra" = pkgs.writeScriptBin "${name}-nixos-rebuild" ''
set -eou pipefail
echo Copying Flakes
@ -160,11 +159,11 @@ lib.attrsets.mapAttrs
EOF
'';
"${name}-nixos-rebuild-local" = pkgs.writeShellScriptBin "${name}-nixos-rebuild" /* bash */ ''
"${name}-nixos-rebuild-local" = pkgs.writeScriptBin "${name}-nixos-rebuild" ''
set -eou pipefail
if [[ ''${1:-} == build ]]; then
hostname="$(ssh root@${target} cat /etc/hostname)"
if [[ ''${1:-} == build; then
hostname=$(ssh root@${target} cat /etc/hostname)"
if [[ "$hostname" != ${name} ]]; then
echo "hostname of ${target} was expected to be ${name} but is $hostname. Aborting to be safe..."
exit 2
@ -174,12 +173,12 @@ lib.attrsets.mapAttrs
_NIXOS_REBUILD_REEXEC=1 ${lib.getExe pkgs.nixos-rebuild} ${rebuildArg} --target-host ${target} --use-remote-sudo "$@"
'';
"${name}-cleanup" = pkgs.writeShellScriptBin "${name}-cleanup" ''
"${name}-cleanup" = pkgs.writeScriptBin "${name}-cleanup" ''
set -eou pipefail
ssh ${target} "time nix-collect-garbage -d && time nix-store --optimise"
'';
} // (let
createDirsCopyCurrent = name: /* bash */ ''
createDirsCopyCurrent = name: ''
mkdir -p /var/lib/microvms/${name}
cd /var/lib/microvms/${name}
chown root:kvm .
@ -188,35 +187,32 @@ lib.attrsets.mapAttrs
rm -f old
[ -e current ] && cp --no-dereference current old
'';
createSymlinks = name: let
gcrootDir = "/nix/var/nix/gcroots/microvm";
in /* bash */ ''
createSymlinks = name: ''
if [[ -e old ]]; then
echo System package diff:
nix --extra-experimental-features nix-command store diff-closures ./old ./current || true
fi
mkdir -p ${gcrootDir}
ln -sfT \$PWD/current ${gcrootDir}/${name}
ln -sfT \$PWD/booted ${gcrootDir}/booted-${name}
ln -sfT \$PWD/old ${gcrootDir}/old-${name}
ln -sfT \$PWD/current /nix/var/nix/gcroots/microvm/${name}
ln -sfT \$PWD/booted /nix/var/nix/gcroots/microvm/booted-${name}
ln -sfT \$PWD/old /nix/var/nix/gcroots/microvm/old-${name}
'';
in {
"microvm-update-${name}" = pkgs.writeShellScriptBin "microvm-update-${name}" (
"microvm-update-${name}" = pkgs.writeScriptBin "microvm-update-${name}" (
if builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]
then let
closureInfo = pkgs.closureInfo { rootPaths = [ hostConfig.system.build.toplevel ]; };
in ''
set -eou pipefail
${hostConfig.system.build.copyToServer} ${declaredRunnerDrvPath} ${discardStringCtx closureInfo.drvPath} ${discardStringCtx hostConfig.nix.package}
${hostConfig.system.build.copyToServer} ${declaredRunnerDrvPath} ${discardStringCtx closureInfo.drvPath}
${hostConfig.system.build.runOnServer} NIXOS_REBUILD="''${NIXOS_REBUILD:-}" bash -e <<END
${createDirsCopyCurrent name}
nix build -L --accept-flake-config -o current ${declaredRunnerDrvPath}^*
nix build -L --accept-flake-config --no-link ${discardStringCtx closureInfo.drvPath}^*
nix build -L --accept-flake-config -o current ${declaredRunnerDrvPath}
nix build -L --accept-flake-config --no-link ${discardStringCtx closureInfo.drvPath}
echo '${selfRef}' > flake
${createSymlinks name}
@ -250,7 +246,7 @@ lib.attrsets.mapAttrs
else throw "${name} is not configured to run on microvm.nix. Is it a physical host or is it deployed in Skyflake?"
);
"microvm-update-${name}-local" = pkgs.writeShellScriptBin "microvm-update-${name}" ''
"microvm-update-${name}-local" = pkgs.writeScriptBin "microvm-update-${name}" ''
set -eou pipefail
${lib.optionalString (!builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) ''
@ -258,15 +254,21 @@ lib.attrsets.mapAttrs
exit 2
''}
nix build -L --no-link ${declaredRunnerDrvPath}^*
${hostConfig.system.build.copyToServer} ${declaredRunnerOutPath}
${hostConfig.system.build.copyToServer} ${declaredRunnerDrvPath}
${hostConfig.system.build.runOnServer} bash -e <<END
set -eou pipefail
hostname=\$(cat /etc/hostname)
if [[ "\$hostname" != ${name} ]]; then
echo "hostname of ${target} was expected to be ${name} but is \$hostname. Aborting to be safe..."
exit 2
fi
${createDirsCopyCurrent name}
ln -sfT ${declaredRunnerOutPath} current
ln -sfT ${hostConfig.microvm.declaredRunner} current
echo '${selfRef}' > flake
${createSymlinks name}
systemctl restart microvm@${name}.service
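Review bot: In the `${name}-nixos-rebuild-local` script the second line of each printed pair, which appears to be the new side, is not valid bash: `if [[ ''${1:-} == build; then` has no closing `]]`, and `hostname=$(ssh root@${target} cat /etc/hostname)"` ends in an unmatched quote. These should read `if [[ ''${1:-} == build ]]; then` and `hostname="$(ssh ${target} cat /etc/hostname)"`; `target` already begins with `root@`, so the extra prefix is dropped as well. This matters because the block is the hostname guard that stops a rebuild from being pushed to the wrong machine. The same section replaces `pkgs.writeShellScriptBin` with `pkgs.writeScriptBin` throughout, which writes the text without a shebang and without the build-time shell syntax check, so the error would only surface when an operator runs the script; keeping `writeShellScriptBin` is the safer choice. Separately, the `nix build` lines lose the `^*` suffix on their `.drv` paths, and on Nix 2.15 or later a bare `.drv` installable refers to the derivation file rather than its outputs, so it is worth confirming which Nix version the targets run.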


@ -1,16 +1,27 @@
{
# Please use ed25519 keys!
antrares = [
"ssh-rsa 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 antrares@c3d2.de"
];
astro = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJJTSJdpDh82486uPiMhhyhnci4tScp5uUe7156MBC8 astro"
];
dennis = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJYHv/LMo8N6iM3zFvOKrF7ZLp3eAG/cOED0yDzrvgkd openpgp:0x74CCE9B8"
];
emery = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgL2kRs+cXAcUzOO2Tp+mtMBVuHqMuslQy3LN+HLSP4 emery"
"ssh-rsa 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 emery@fuji"
];
eri = [
# TODO: use a RSA4096 or ed25519 key
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqnwexxYY4LG043c53KetolvV06Wz9nnEi8dO2Du3DSMmvKs6+eTqmj83oEyVJkZxGXPsfdx1s3TLc01Opx0n5USCozUXHaaxUK7vrDPGJoz+Uc4f2OszFdKZSeLzEl0Vq6aWOkCKS6539mfbPx5oErT1Nt98GCOWi17cd3CTFA2m83oY5gFiaej3r/jfn5laCZ/NSqlZ9akzE54SXQl0p3/4L1C/QKockRscV8/4iD2+jqdPqaMI0DYKozNtsym5En3n9qt5a0RqGPENBXA1H5ie0ZE5/FXaqiXAY7YJMznnXbv4N8zQP2cFiPhqUNej+lU4RSHRLGaGkfLgYwn2z eri"
];
j03 = [
# TODO: use a RSA4096 or ed25519 key
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDW+YfsFtRz1h/0ubcKU+LyGfxH505yUkbWa5VtRFNWF2fjTAYGj6o5M4dt+fv1h370HXvvOBtt8sIlWQgMsD10+9mvjdXWhTcpnYPx4yWuyEERE1/1BhItrog6XJKAedbCDpQQ+POoewouiHWVAUfFByPj5RXuE8zKUeIEkGev/QKrKTLnTcS8zFs/yrokf1qYYR571B3U8IPDjpV/Y1GieG3MSNaefIMCwAAup1gPkUA0XZ4A1L7NdEiUEHlceKVu9eYiWUM+wDRunBXnLHubeGyP8KmBA7PNKgml3WWRNTZjqNQk4u9Bl+Qea5eCkD8KI257EqgXYXy0QBWNyF8X j03@l302"
];
laalsaas = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEhcrBEpbCOM4KTVqjvuEOAcKOPScQ7U4TsNJzzrQW/k laalsaas"
];
marenz = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDixJ6x0QnSk/ebIJ9zlsRM5olZbqrxDaIt0QQmZOuAbbz441SVW+/0/7ks80GMIMxzUy5YpNvrkY+6q/dZVvNybZLm/csdoFB2soOI/F1NUOppM+r2f33db/5ae3iaun/xBOW/D5lQTbm6IfrYjN9z3gW6tTYFPauZyctizZz5P1egwtCrAnMti8aBE3G+lGXVIVbjsjYruqgSN86WM0YM9HH9XB8Kd/TDCI/j9prXFkoj9EuzOQtIDNRA4Asmi08ZmoVKqadbuZAXoYEngPe2nigiiBoV/5fyyWIJSliWPZ8YDXk8X6pRJaOgZyc6mmot0/BLJo+DkhoUDA7wp3wr cardno:000609614306 - marenz"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6edpEvI6/0IBBolm3fX67U7UhA42hBVXPcN2hrTe9DiaRTMC1EnsgHSLYAuV1Ltu9gkDxHZ4aTpa69La7C7I0WPAhzXWAE1BNl2/93CETAcZoum2IYl9CZNGFG5D2Uxd8lnyZH9WtgN5WYLaKm/xFSVclYwbnYtTjI2T9mYmrrDf4bwvvjg6p6KBQUgaotwC+qyADGTJjfSiIsYU8cJhA4XROudmiKa6LAlw0VrkgQoITRYoWvmrdHMgzeCJa5UvKGxyGRqGcPB7wVFQpv2uxJVtCjb5Uhk8ZHzbc/rANBXwCgMr9tmyKDsO9imtcucQXZT7O06mkD5OYCVSdtVsx cardno:000610670724 - marenz"