genebean/dots
1
0
Fork 0
mirror of https://github.com/genebean/dots.git synced 2026-03-27 09:27:44 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #411 from genebean/new-hetznix01

Browse source 
hetznix01 takes over
This commit is contained in:
Gene Liverman 2024-06-19 11:31:25 -04:00 committed by GitHub
commit 3075248fc7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
14 changed files with 453 additions and 141 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -6,6 +6,7 @@
.dccache .dccache
*.swp *.swp
*.kate-swp
# Config files that are not suitable to add to version control: # Config files that are not suitable to add to version control:
link/nix/config/.mono/ link/nix/config/.mono/

2
.sops.yaml
View file

@ -1,6 +1,6 @@
--- ---
keys: keys:
- &system_hetznix01 age1a652ev7gekx4aj589s8fd27ul9j5ugpdwg7pxhmqcwdjwwq9gf2qv38um9 - &system_hetznix01 age1rd55wsu0hhvxk25tm69d9h57z0z0u6556x4ypg09muj3vh4yqs5qaw23nu
- &system_nixnuc age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4 - &system_nixnuc age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4
- &system_rainbow_planet age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck - &system_rainbow_planet age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck
- &user_airpuppet age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77 - &user_airpuppet age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77

14
modules/hosts/nixos/hetznix01/default.nix
View file

@ -1,7 +1,8 @@
{ config, username, ... }: { { pkgs, username, ... }: {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./disk-config.nix ./disk-config.nix
./post-install
]; ];
system.stateVersion = "24.05"; system.stateVersion = "24.05";
@ -14,6 +15,11 @@
efiInstallAsRemovable = true; efiInstallAsRemovable = true;
}; };
environment.systemPackages = with pkgs; [
podman-tui # status of containers in the terminal
podman-compose
];
networking = { networking = {
# Open ports in the firewall. # Open ports in the firewall.
firewall.allowedTCPPorts = [ firewall.allowedTCPPorts = [
@ -34,6 +40,11 @@
services = { services = {
fail2ban.enable = true; fail2ban.enable = true;
logrotate.enable = true;
postgresql = {
enable = true;
package = pkgs.postgresql_16;
};
uptime-kuma = { uptime-kuma = {
enable = true; enable = true;
settings = { settings = {
@ -71,6 +82,7 @@
isNormalUser = true; isNormalUser = true;
description = "Gene Liverman"; description = "Gene Liverman";
extraGroups = [ "networkmanager" "wheel" ]; extraGroups = [ "networkmanager" "wheel" ];
linger = true;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjigwV0KnnaTnFmKjjvnULa5X+hvsy2FAlu+lUUY59f gene@rainbow-planet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjigwV0KnnaTnFmKjjvnULa5X+hvsy2FAlu+lUUY59f gene@rainbow-planet"
]; ];

9
modules/hosts/nixos/hetznix01/hardware-configuration.nix
View file

@ -4,16 +4,15 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
(modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ]; boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
} }

50
modules/hosts/nixos/hetznix01/nginx.nix
View file

@ -1,50 +0,0 @@
{ ... }: let
http_port = 80;
https_port = 443;
in {
imports = [
../../../system/common/linux/lets-encrypt.nix
];
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000 always;";
}
add_header Strict-Transport-Security $hsts_header;
'';
virtualHosts = {
"hetznix01.technicalissues.us" = {
default = true;
listen = [
{ port = http_port; addr = "0.0.0.0"; }
{ port = https_port; addr = "0.0.0.0"; ssl = true; }
];
enableACME = true;
acmeRoot = null;
addSSL = true;
forceSSL = false;
locations."/" = {
return = "200 '<h1>Hello world ;)</h1>'";
extraConfig = ''
add_header Content-Type text/html;
'';
};
};
"utk-eu.technicalissues.us" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyWebsockets = true;
locations."/".proxyPass = "http://127.0.0.1:3001";
};
}; # end virtualHosts
}; # end nginx
}

61
modules/hosts/nixos/hetznix01/owntracks.nix Normal file
View file

@ -0,0 +1,61 @@
{ config, pkgs, ... }: let
frontend_port = "8082";
in {
environment = {
etc = {
"default/ot-recorder".text = ''
OTR_USER="recorder"
OTR_PASS="toenail-madmen-nazareth-fum"
OTR_GEOKEY="opencage:b85db97221cc4239b34e0ca07e71471e"
OTR_TOPICS="owntracks/#"
OTR_HTTPHOST="127.0.0.1"
OTR_HTTPPREFIX="owntracks"
'';
};
};
services.mosquitto = {
enable = true;
persistence = true;
listeners = [
{
address = "127.0.0.1";
port = 1883;
users = {
recorder.passwordFile = config.sops.secrets.mqtt_recorder_pass.path;
};
}
];
};
users = {
groups.owntracks.gid = config.users.users.owntracks.uid;
users.owntracks = {
isSystemUser = true;
description = "OwnTracks";
group = "owntracks";
home = "/home/owntracks";
};
};
virtualisation.oci-containers.containers = {
"owntracks-frontend" = {
autoStart = true;
image = "docker.io/owntracks/frontend:2.15.3";
environment = {
LISTEN = frontend_port;
SERVER_HOST = "ot-recorder";
};
ports = [ "127.0.0.1:${frontend_port}:80" ];
};
"ot-recorder" = {
autoStart = true;
image = "docker.io/owntracks/frontend:2.15.3";
ports = [ "127.0.0.1:8083:8083" ];
volumes = [
"/etc/default/config:/config"
"/var/spool/owntracks/recorder/store:/store"
];
};
};
}

75
modules/hosts/nixos/hetznix01/owntracks.nix-back Normal file
View file

@ -0,0 +1,75 @@
{ config, pkgs, ... }: let
frontend_port = "8082";
in {
environment = {
etc = {
"default/ot-recorder".text = ''
OTR_USER="recorder"
OTR_PASS="toenail-madmen-nazareth-fum"
OTR_GEOKEY="opencage:b85db97221cc4239b34e0ca07e71471e"
OTR_TOPICS="owntracks/#"
OTR_HTTPHOST="127.0.0.1"
OTR_HTTPPREFIX="owntracks"
'';
};
systemPackages = with pkgs; [
owntracks-recorder
];
};
services.mosquitto = {
enable = true;
persistence = true;
listeners = [
{
address = "127.0.0.1";
port = 1883;
users = {
recorder.passwordFile = config.sops.secrets.mqtt_recorder_pass.path;
};
}
];
};
systemd.services.ot-recorder = {
name = "ot-recorder.service";
unitConfig = {
Description = "OwnTracks Recorder";
Wants = "network-online.target";
After = "network-online.target";
};
serviceConfig = {
Type = "simple";
User = "owntracks";
WorkingDirectory = "/";
ExecStartPre = "${pkgs.coreutils-full.out}/bin/sleep 15";
ExecStart = "${pkgs.owntracks-recorder.out}/bin/ot-recorder --debug";
};
wantedBy = [ "multi-user.target" ];
restartTriggers = [
config.environment.etc."default/ot-recorder".source
];
};
users = {
groups.owntracks.gid = config.users.users.owntracks.uid;
users.owntracks = {
isSystemUser = true;
description = "OwnTracks";
group = "owntracks";
home = "/home/owntracks";
};
};
virtualisation.oci-containers.containers = {
"owntracks-frontend" = {
autoStart = true;
image = "docker.io/owntracks/frontend:2.15.3";
environment = {
LISTEN = frontend_port;
SERVER_HOST = "host.containers.internal";
};
ports = [ "127.0.0.1:${frontend_port}:80" ];
};
};
}

66
modules/hosts/nixos/hetznix01/post-install/default.nix Normal file
View file

@ -0,0 +1,66 @@
{ config, username, ... }: {
imports = [
../../../../system/common/linux/restic.nix
./matrix-synapse.nix
./nginx.nix
];
services = {
restic.backups.daily.paths = [
"/var/lib/uptime-kuma"
];
tailscale = {
enable = true;
authKeyFile = config.sops.secrets.tailscale_key.path;
extraUpFlags = [
"--advertise-exit-node"
"--operator"
"${username}"
"--ssh"
];
useRoutingFeatures = "both";
};
};
sops = {
age.keyFile = /home/${username}/.config/sops/age/keys.txt;
defaultSopsFile = ../secrets.yaml;
secrets = {
local_git_config = {
owner = "${username}";
path = "/home/${username}/.gitconfig-local";
};
local_private_env = {
owner = "${username}";
path = "/home/${username}/.private-env";
};
matrix_secrets_yaml = {
owner = config.users.users.matrix-synapse.name;
restartUnits = ["matrix-synapse.service"];
};
matrix_homeserver_signing_key.owner = config.users.users.matrix-synapse.name;
mqtt_recorder_pass.restartUnits = ["mosquitto.service"];
owntracks_basic_auth = {
owner = config.users.users.nginx.name;
restartUnits = ["nginx.service"];
};
tailscale_key = {
restartUnits = [ "tailscaled-autoconnect.service" ];
};
};
};
# Enable common container config files in /etc/containers
virtualisation.containers.enable = true;
virtualisation = {
podman = {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
# Required for containers under podman-compose to be able to talk to each other.
defaultNetwork.settings.dns_enabled = true;
};
};
}

42
modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix Normal file
View file

@ -0,0 +1,42 @@
{ config, pkgs, ... }: let
#
in {
services.matrix-synapse = {
enable = true;
configureRedisLocally = true;
enableRegistrationScript = true;
extraConfigFiles = [
config.sops.secrets.matrix_secrets_yaml.path
];
settings = {
server_name = "technicalissues.us";
public_baseurl = "https://matrix.technicalissues.us";
signing_key_path = config.sops.secrets.matrix_homeserver_signing_key.path;
listeners = [
{
port = 8008;
tls = false;
type = "http";
x_forwarded = true;
bind_addresses = [
"::1"
"127.0.0.1"
];
resources = [
{
names = [
"client"
"federation"
];
compress = false;
}
];
}
];
url_preview_enabled = true;
enable_registration = false;
trusted_key_servers = [{ server_name = "matrix.org"; }];
};
};
}

136
modules/hosts/nixos/hetznix01/post-install/nginx.nix Normal file
View file

@ -0,0 +1,136 @@
{ config, ... }: let
domain = "technicalissues.us";
http_port = 80;
https_port = 443;
in {
imports = [
../../../../system/common/linux/lets-encrypt.nix
];
services.nginx = {
enable = true;
recommendedBrotliSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000 always;";
}
add_header Strict-Transport-Security $hsts_header;
'';
defaultListen = [
{ port = https_port; addr = "0.0.0.0"; ssl = true; }
{ port = https_port; addr = "[::]"; ssl = true; }
];
virtualHosts = {
"hetznix01.${domain}" = {
serverAliases = [
"technicalissues.us"
];
default = true;
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations = {
"/" = {
return = "301 https://beanbag.technicalissues.us";
};
"/.well-known/matrix/client" = {
return = ''
200 '{"m.homeserver": {"base_url": "https://matrix.technicalissues.us"}}'
'';
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
};
"/.well-known/matrix/server" = {
return = ''
200 '{"m.server": "matrix.technicalissues.us"}'
'';
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
};
};
};
"matrix.${domain}" = {
listen = [
{ port = https_port; addr = "0.0.0.0"; ssl = true; }
{ port = https_port; addr = "[::]"; ssl = true; }
{ port = 8448; addr = "0.0.0.0"; ssl = true; }
{ port = 8448; addr = "[::]"; ssl = true; }
];
enableACME = true;
acmeRoot = null;
forceSSL = true;
extraConfig = ''
client_max_body_size 0;
'';
locations = {
"/" = {
return = "200 '<h1>Hi.</h1>'";
extraConfig = ''
add_header Content-Type text/html;
'';
};
# Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
# *must not* be used here.
"/_matrix".proxyPass = "http://[::1]:8008";
# Forward requests for e.g. SSO and password-resets.
"/_synapse/client".proxyPass = "http://[::1]:8008";
};
};
"ot.${domain}" = {
enableACME = true;
acmeRoot = null;
forceSSL = true;
basicAuthFile = config.sops.secrets.owntracks_basic_auth.path;
# OwnTracks Frontend container
locations."/".proxyPass = "http://127.0.0.1:8082";
};
"recorder.${domain}" = {
enableACME = true;
acmeRoot = null;
forceSSL = true;
basicAuthFile = config.sops.secrets.owntracks_basic_auth.path;
locations = {
# OwnTracks Recorder
"/" = {
proxyPass = "http://127.0.0.1:8083";
};
"/pub" = { # Client apps need to point to this path
extraConfig = "proxy_set_header X-Limit-U $remote_user;";
proxyPass = "http://127.0.0.1:8083/pub";
};
"/static/" = {
proxyPass = "http://127.0.0.1:8083/static/";
};
"/utils/" = {
proxyPass = "http://127.0.0.1:8083/utils/";
};
"/view/" = {
extraConfig = "proxy_buffering off;";
proxyPass = "http://127.0.0.1:8083/view/";
};
"/ws" = {
extraConfig = "rewrite ^/(.*) /$1 break;";
proxyPass = "http://127.0.0.1:8083";
};
};
};
"utk.${domain}" = {
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyWebsockets = true;
locations."/".proxyPass = "http://127.0.0.1:3001";
};
}; # end virtualHosts
}; # end nginx
}

26
modules/hosts/nixos/hetznix01/secrets.yaml
View file

@ -1,23 +1,27 @@
local_git_config: ENC[AES256_GCM,data:/1FaGgxRJT01Xg3NYvcGfTaqxklv3PtoBdVN/H7+Mhlxwed5O++leUA=,iv:VKjkzqH8ayRE9hgNrqwSSx4RKCBYVkUkPtA1dvnkfvA=,tag:lfgezmDGQ/yVfLypLBanYA==,type:str] local_git_config: ENC[AES256_GCM,data:BulcGoJ85+BA3maqbMewUdaNOl3feaJMq/4yZL8Y8SLOHqzmA/DUO7k=,iv:V7wpSiEQpt7AhKd+MUyGqTsO6YZovpkj+AaqpLnfRM0=,tag:7f3fFzQX3bpjokVPnUKDPQ==,type:str]
local_private_env: "" local_private_env: ENC[AES256_GCM,data:OFcCaE9/hpd6JIoUTTxg0pEFL3rkUE3G+JzP/wjFXpa/AJa2Rr0Kv42Pu+iwgPMWgcpp50ChjVxGvbceNQ==,iv:I2LyWwvdMdE4wKLb3udLVMu3jFsvYR1ruZvaVt9GG7c=,tag:tBPmlNr0iNdLRU1GIRV2mg==,type:str]
tailscale_key: ENC[AES256_GCM,data:yiAug7VEfZ5jROEg3NVmZcfdbfUxBZk2duM6mG/BVXKuAYj4u0SB1HtMCmvX6nr7P3y3YyuqiLw6,iv:bN5xbBOPWJfH+DxcHp2ODLm95jyzUwjSkKynPmvQvnY=,tag:8b/0hnNH7T64xBFMkXRjeQ==,type:str] matrix_secrets_yaml: ENC[AES256_GCM,data:6DLtAZIYBlL7iQVS/FBeUEhHyAOFZ5JRNqFBqi59GVh7cP0Hp8RBWxKpWAH2eUPYqUqUGCKrSSH3sJqzV+vasSR62tcltV7+13+q+rZVCZNCEf21EwQ5aaxgR3yG4n3YUPqLsCQB6UnWn0tF5HO0ofjYkya0pQ/nX9TBiiqIcPcd4NovbTtf+S0G0VptqyXAuRvJoKCx42ft9IBfV9tF1QsXLemKYlI10hN5l/MgJHwVbwH5xXR2kLKvnlpAyIoST/uJhswQV9DyK9cnl09ZM9ztcXhveBzv6uDW+pme8lFL99SMtMJcbSzxYW/pt+GJgYd1NiaoPbayWM72jdpH0hf2zWchxnIJIyL3H6EzIjD8BE9GnMP7ujQwBZGNZITRSg==,iv:cDtuOhv2v6CZcwiMM3oqjmajIl7D8Im+LkfarcjTM/w=,tag:e7zRQBYslJqESOGN3c4/aw==,type:str]
matrix_homeserver_signing_key: ENC[AES256_GCM,data:+RflNxFfS2w9LbavT7YnCQIhJWI49kN7pOa9/dH0BpDWxKQaLE4ZYBYq0ikAgcHaF3+rBL3f6KxUacw=,iv:6+nZzuxBUwjM74XHCD89YWfyuMRcoIwQlHLiNN4NWdc=,tag:91yigynRz6QdEd4rF7d/9g==,type:str]
mqtt_recorder_pass: ENC[AES256_GCM,data:N44nv2mk5zguWXNHdKsxhoKUjiduD1hzsAb6,iv:aLudKuUBTPXgtAF33exELH/PESD0CqoDaydeqdhcmbA=,tag:3lhrqO8jxJiRHWZjWSRa0g==,type:str]
owntracks_basic_auth: ENC[AES256_GCM,data:GX1U1uf7+erE+g9GzhXK5ED2QicfcbpRCwpJDw6Zr9X2FtdMYleH5mhLxw==,iv:PflRq+P50+oFf4wv5wwlY6V9bApGuJ3tlYTvJZ5mg0E=,tag:VHBY5qv7rX74DGURsYaWpw==,type:str]
tailscale_key: ENC[AES256_GCM,data:Bl00WuIrLvxmt7aNsoXC6G7XFls7waZMzdfo/MsEOZl/i3wHwrjrmgwd3V4GkaJ42UjrC1OLobrkuLves4w=,iv:tlCu0EWgvhvs1ANdtQr7KWHJ2RjpHniUm/rFC4L/MHs=,tag:+8eov9w+SPGZPnjMdrN8gA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1a652ev7gekx4aj589s8fd27ul9j5ugpdwg7pxhmqcwdjwwq9gf2qv38um9 - recipient: age1rd55wsu0hhvxk25tm69d9h57z0z0u6556x4ypg09muj3vh4yqs5qaw23nu
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2NFBqRFNnSmJCK0ZPYUR5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ejVRcmRBR3p6N2V1anZp
SXRXRDhaMmVCbGFVUWxoYkhPbUczdHBJdkZvClcxcE5IUnMvN0tHbllNU3hwMTY1 RkEwVTBWR09TazdNTnZ3YWlUUU9IOUordDNjClJmdU9sUkttaktTOTR4WldFWXFs
SXlhUHFJd3JCYU5MVDB2UnJPaW5xYncKLS0tIENqd3N1dnZ1NFltQ1pOSjA2dU5N WkQ4a1dWaGJmVE40YmovQWJSRS8rTjQKLS0tIERBQ2wxNGc0Um9IQ2FPOU1jTDhZ
VUIzR0FqbFNvOXAzREZtdDJNTWhjYUEKYfA5s8PRVbefoOefKLs7NiHUd6fYZ62I WkI4ejBaODI0d0tjWHpTT3VWTXNyaXcKMDtvHN4gcZqBNslyC+NwYW05zgs8QuPV
ZwUi9YZt+zHxBxxFFMpduSSd5q50Qz+CMBNQHv2CPOBcGeFjToiDxg== W6EktAz+xu6kx5BJbli5GkUFmj52AtEGIqZ1Sr4a0pKQACC87XcTQA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-06T02:07:39Z" lastmodified: "2024-06-19T01:44:04Z"
mac: ENC[AES256_GCM,data:JWLLdojUJlI0SDdT8Yg0pj03Jmc7eCJL8GHPtXOfw28vcqlK2tnR/yWLI+MClFVu+o4vrV9HZv+41VItqAkeMjBlgAYib9JgTwtkiECZz8o6i8FXEk09Qkml9WKyKrAU1Og/+gt3y1MUSzrmGgg8YkM3YVv7nyGr8lZ0nf/rWb8=,iv:rYtawgUgxsXCY4OHbLW6l2X/x1f+C7X22MoYVlfHIaw=,tag:pdACJHoe56N1lllrFoyHow==,type:str] mac: ENC[AES256_GCM,data:PU4r7DhcG6OgqTCeKBtxyAHDErGH6Eh33sOd+KuImQ74ajgahFNfd4zO27OldZbSERkOYLuFqw7w9+zblV3eaaXRQx97Ek3z4oMtJFv2t9lnNfG0lm45c1eECKV742mzTDi6/bcnQMdn/CaGli8DL45IGGctW+beXRJza0S3wEY=,iv:51WymgQc4OWcannaD4g+fjp4vc75WonWsOMS3Jyz7Xo=,tag:dmNFFgkuKQxy2Snb/HjX/A==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1

20
modules/hosts/nixos/hetznix01/sops.nix
View file

@ -1,20 +0,0 @@
{ username, ... }: {
sops = {
age.keyFile = /home/${username}/.config/sops/age/keys.txt;
defaultSopsFile = ./secrets.yaml;
secrets = {
local_git_config = {
owner = "${username}";
path = "/home/${username}/.gitconfig-local";
};
local_private_env = {
owner = "${username}";
path = "/home/${username}/.private-env";
};
tailscale_key = {
restartUnits = [ "tailscaled-autoconnect.service" ];
};
};
};
}

14
modules/hosts/nixos/hetznix01/tailscale.nix
View file

@ -1,14 +0,0 @@
{ config, username, ... }: {
tailscale = {
enable = true;
authKeyFile = config.sops.secrets.tailscale_key.path;
extraUpFlags = [
"--advertise-exit-node"
"--operator"
"${username}"
"--ssh"
];
useRoutingFeatures = "both";
};
}

76
modules/system/common/secrets.yaml
View file

@ -9,71 +9,71 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1a652ev7gekx4aj589s8fd27ul9j5ugpdwg7pxhmqcwdjwwq9gf2qv38um9 - recipient: age1rd55wsu0hhvxk25tm69d9h57z0z0u6556x4ypg09muj3vh4yqs5qaw23nu
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBseHFTeDZoMElxVUZpWFVa YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2WHN1S29tU21PRmRpcGQ4
dmxvWEFkS0p6aTFraUNyNmtITTQ4bFdLNFVZCnlsTlE3TUVvMWdXS0psb0FOQVdP cm9hTW5wWVRNWlBDWGtOaUlzNWZndDgzd1NZCkVJZExBUkNFOFBNTUJKTDJBR2Vs
UGtTVVQ3ZExQVUdvekFEa0lYZmRxdEkKLS0tIEEyMXdkZ0JyV0orSnVwL3hMWVpy UmVCcWoxRzdGeHAraFZoZitZL21nTzAKLS0tIDNsY0VGVW5nUkY4enoxMWFLZTYr
TTAvb09FUE1JaXpNSm80Mmx3Z292eVUKjJ8Q9y2PhU9NpgCjKYne7zY+I+fXvIhs ay84cjcrZFNyc0d0N3o1RkV6UTdGQ0EKcCzKdxFpXpuVCP/H3vxKsj/nU5MjxUuw
BB/lskZG/AVuGdBDHRf0yIVFd/j6inTWbP1u3wJ+Mf+dBnPAlS9rXg== kW6psp5pA+0HHozeZoN+nv4dTaaz6GQLZdY+b/tfOem81/Bl1YXnnQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4 - recipient: age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWWVCd0ZjMzkxZVdIR1JC YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtd1hvWU8yOUhzKy9WU2NU
Q1plamZveGg1Z1FaK2VPb29CUVVia0Q4aFZ3CkNKUjl0S090SUMwU1dJenRONEpJ SnVra1hHVjNTY05YSmhkL0JpcWo2Z0tPSmhVCnAyWWg4c2NUazA4RTZoazRMUHJz
WnZ6aEFwV2lrelBZV0p0UUQvaWdmS0kKLS0tIGh2OE5iTTRObFEraUpxN0YyTVpx OCtsYmVicmphMmJyVUIwbWlzaHNwSTgKLS0tIHNzMFlsMEw0eVBjdmdVWERnZzZZ
Mk5Sb0VCN1VjMnNNdzBBZWY3Q2FsUFkK7d9MAUNRL7GSF6diz/5X21BmMsyE5Cu3 WEU0NkNvbjd4NkE0KzdhRXIxT0dla0UKxMxIMNdkh5LFm9+A9lAQNO4qWm+URRBu
18ycNiMLtUwGHsfxh+aLliFDBO32LwMI64/tKHDtx4sHQSBGoppsfQ== dDPLuF+Jw1wkd2aZjAolOcMfdCgTS2WUeY1615bT6GoAUl96v0fQHw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck - recipient: age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UEc1M2UwTkduWnEyMG8x YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQ3NXNU82djJnNkI0aUF3
TGVYaUpsSlNVcnBxdHZRWU8ydUJvMnZXTTNZCmtIenlWeDdvM0xQemI3Y1dXNlox WHFpTTQxUnB0Ynlmb1pOUmhYQk1lc1dRS1hRCnhzbnZ5d3NIWHI3c2VtbHIrMm44
SUhNcG5iZE44WGhWL0NwUTZjSzhPNFkKLS0tIHIyaU1DOUxSV0VWVTRaQmhBbXVP QnZMY3FXT25sV1N3YWNGNnFpYkxUQncKLS0tIHlEb2UyMFp6UWhiam5zL0Vqa2px
dGVWRnhIek1mV2FJemF1dzVwMjZqWUUKNvkzOwi6OR369S5e5y6TSfGA4/EH09WK eUVjdzlFdkJKQTBxRitjQ2M3TTVpcHcKs6qM7CfLvcEbpKFjfbmUJjSBLcVZ5SEt
MWlH3fzABkCN+IeRmOmtU/L3MdHIiWanDWp6KdWCJJ3OnBO8cjMEig== 8MG5VefhVJiVGAX8q6SVZn15FpjLm8PtiuAWoBhi2kboLb6/faK2Cw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77 - recipient: age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLOE5pYXFDdXQzblI1N01i YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4QlRIRGNwaEsrWGxoQnpp
eFROYzVvK3cxN1pJMHlScW0rZjBScG9SMzBnCko4VDllS0pQMU5NdU5NbndWQWpq dThhRUxBYXJ1ZlBsMmhweHpmd1hjb3RnMmhrCmg4dTZBY0kyUkxnZHZCdXFnOThS
NmhWK1RJSHpITktFWTZIN2JHRklqS2cKLS0tIFFjRE9Ia3Z0TzIyd2MrS2RRWU9k UkJsWnBUeEc1ZG1lTkFrYnlxWnFmS00KLS0tIG5pUTJKaXJydFB5YkxVMHdPanBH
d3FIL3dqTHRtQVJiS255aVVWZ1p3UjQKb+65IgxbWXtkidmlb5w5Cu11izXh5QgR TjZGWjZqbXVhV3kvZ3dHMmJndVRwS28KE1+lw8BZLTv7zeSBw/fd2dqPS/hiq37x
I1YAckCX6RlR3Mlcs/5cTyLakpc3ibm/g4+N9+EhlIQz4wIxmxAtHQ== VfOHwiTw9TDbbCm1pCtBl44/qB5vKlqAOtWBjM7hiv06QcZrDgfxZg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1rt72txg22w8y3cdvq9w7zff0cas6xtkplpj36kxnevfnrtn82f6ss7yw7d - recipient: age1rt72txg22w8y3cdvq9w7zff0cas6xtkplpj36kxnevfnrtn82f6ss7yw7d
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNb2hxZElESWd4eTFycFI1 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLZkVWMGFmZU9OSXhQWFF4
YWpKS1ZpWmtYcy9JK2ZPQ1QzSXFjWXM5VzFjCk1CcmJmdE5yL0J1Q2RBN3Npa2hn Q3pjelptQzhHK3pnZGFSS2dCUUkvVGF1eVM4CityNVRFUyswMUxEN0RSakd0Ymp0
WWxZTHkwTnhZaXBYanpZTkRTRUdTcWcKLS0tIFA3SkVuVFFVT2NsbVBlNUdFRlUx ZXdnVXJtVDhycVRRSmR3RWhoMk15RFkKLS0tIGR6bVljY1Rnc2JRU05FaXlXQW1H
UE9sMXVVOW1ib3JBYUR5LzVFRFp3ZWcK2hwlxaEUexjqHcg86dSpJU37b8bkWO6r S0YxZWZ5Q2taQks5VmxGY21CZ01IVUUKU593ro9pDrKkUGAV226dbo0dK7QnI49I
mSygDEjU71u20G6sdMeoSyxepPtWJsVhnAMukFsnKZf6LyfiiCseAQ== VyGJGcQ/bXEBVJazcwWGhIwA6WACY/HldrUU45WsowlVQgIwtPVkfw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1zz34qx3n3dj63sva24kaymetv3apn58lafjq4dl6zw7xxachuyts00mhck - recipient: age1zz34qx3n3dj63sva24kaymetv3apn58lafjq4dl6zw7xxachuyts00mhck
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZndiK3FMOUptbDRGOVQ0 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRYkhuWllyTDk4NEpOdVFV
QnNSSEtlVHZtaUlRQlRySzJNUmdqbzRQRFZFCnNyOHRtNFhsWGEvTFRkNTRUbit6 K1JVWUM4THNGSVpkS1V6VTZzNFF3b0xydW44CkpEYlFya0MyTWZLby9zb1dzTGNk
OWh6cVRRTXhlQmxpY3JpNVFRdStuWkkKLS0tIElYZGRVVWVSTlBhRHhVYWRFSFhC WElCYnpEQStKOUFWWXdVM1dWOEpMSWcKLS0tIDB5aDY3T25MSmtUUmw4YVREeU5l
NERwYVhzTjRZUDBmbTM2QzEyay9vT2MK9QIINuuaagTz2wyF9NiNzE0aiwoAHquH WnBoZzdHb3NzSVd2NDhiUDY4YUhUS2MKZg09GBkZrL4kqpA7y/dQNVpStLjZTrYz
GK203V5jVnLXftOV09NIg3027m8KCRc7yEWOtcbH5UkGZxZCqESv9Q== 8jlhf06x0L/oLrSfP4Ct0apnjHRoPJlpTRLZKEVNfE3t0E8JgW3JDg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1rpy8edlpgxuf6w75cvlqexuq2xe4c49h9t2ge6jhc3fzczp8vfasnjelwq - recipient: age1rpy8edlpgxuf6w75cvlqexuq2xe4c49h9t2ge6jhc3fzczp8vfasnjelwq
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNY2xrM1BFRDdtckRGZkIz YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQM1ZrZHplbVRhR3Rtd2dN
Mkc5VzNHQzV5aC9xTzU4US80czFMcHNpbXpzCnlqUWliUjlra1U0Y0dJTDByMGFQ N0RXazhNR1hqQzAxb0lpdCttQW9EUzYwZldzCjlFVjV0RG9oQnM4UHJNTjdnNjlo
MlRTd2FaT1QzMXFWZ3piVjZsZ1ZDemsKLS0tIENRdlVvNE5VT3VOc2hqM2ZnVUVY Y3ZRQ0J0VGxUQ1NYWitWVnFIZHdSRDgKLS0tIG9GdThMKzdQaGZCcy92L3N1TWJZ
ZlBVMUJmWml3dkQ3OTN1ZmF1N0hXNHcKnLOSViooQmhU5yE754VHIBYNRVikgptc OEtqTWJvU2ptTmJEQmhRZDFDTW0zemsKol6EX/Ap98DQXDoMaY8cR9x2N02SiqYg
3bXDiOlkjBbxGru3bnn+vUUJ3n+QdZoAnCgdL7D2/Me3HVrAW5M5LA== /6ufAo+0qxF+BS5dWdxAQJOZnTa9+xRePrlp/8bnnpJ4aalRqZj65w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-07T00:55:24Z" lastmodified: "2024-06-15T21:02:47Z"
mac: ENC[AES256_GCM,data:5GaItFbHP8Qj8Dev5a0kkI7VFovvW5STaI7MPaZibHWCB2Xvcw50ZjKPRVVx6yqsnjz6zf3H2h/siowq/eAvvKJ5gltbof4NAxcCqjcOrqpUaeFT1ykG2SMznX8OezUyH6K7KmFgSFgYv3F/5JhoQOIClJs4NmQIBxUf7afY9KQ=,iv:oJhBRcyyL5zBc324tyyTYF2i1a0Q+CkOxwg4HbyUXkA=,tag:kK9/bQIO/VioSpmxC7P+XA==,type:str] mac: ENC[AES256_GCM,data:vZie4+27bytMtLHLO3cR5X6XsvVjoLWXbZ9gSyeJAg//TYDdojfCKtLatBb22oVyjjeoFKKqcHwVPv888Kpc8SwFIY7C0YxgmFbHXZMkUk4EWsolGPJ4V3p2GdWSRJkn/B9fM0TjvWiHASvtDNUNw03Rs6PT8fP0YTSzomKGR+U=,iv:5UY3+wj8h/uW/l3gkBPub+bWWt2kKabH5jErjmNp4sM=,tag:2DrAzNOS+dd3bNCs42PPbw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1