Merge branch 'master' of github.com:Kropatz/dotfiles

This commit is contained in:
Kopatz
2023-10-30 09:02:09 +01:00
55 changed files with 1347 additions and 176 deletions


@@ -1,176 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
nix.optimise.automatic = true;
## shared clipboard
virtualisation.vmware.guest.enable = true;
services.adguardhome = {
enable = true;
settings = {
users = [
{
name = "admin";
password = "$2y$15$3RPgWOXmeUU6NGo.XTx2LuL1oKS.YRrLOIa9VmINnzvtkHNY7A4hq";
}
];
dns = {
bind_hosts = [ "127.0.0.1" ];
port = 53;
protection_enabled = true;
filtering_enabled = true;
upstream_dns = [ "quic://doh.tiar.app" "tls://getdnsapi.net"];
use_http3_upstreams = true;
};
querylog = {
enabled = false;
};
filters = [
{
enabled = true;
url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
name = "adguard dns list";
id = 1;
}
{
enabled = true;
url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt";
name = "adguard block list";
id = 2;
}
{
enabled = true;
url = "https://dbl.oisd.nl/";
name = "big block list";
id = 3;
}
];
dhcp = { enabled = false; };
dhcpv6 = { enabled = false; };
tls = {
enabled = true;
};
};
};
# Bootloader.
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
boot.loader.grub.useOSProber = true;
networking.hostName = "server"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Enable networking
networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "Europe/Vienna";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "de_AT.UTF-8";
LC_IDENTIFICATION = "de_AT.UTF-8";
LC_MEASUREMENT = "de_AT.UTF-8";
LC_MONETARY = "de_AT.UTF-8";
LC_NAME = "de_AT.UTF-8";
LC_NUMERIC = "de_AT.UTF-8";
LC_PAPER = "de_AT.UTF-8";
LC_TELEPHONE = "de_AT.UTF-8";
LC_TIME = "de_AT.UTF-8";
};
# Enable the X11 windowing system.
services.xserver.enable = true;
# Enable the GNOME Desktop Environment.
services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
# Configure keymap in X11
services.xserver = {
layout = "at";
xkbVariant = "";
};
# Enable CUPS to print documents.
services.printing.enable = true;
# Enable sound with pipewire.
sound.enable = true;
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
};
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
virtualisation.docker.enable = true;
# Define a user account. Don't forget to set a password with passwd.
users.users.anon = {
isNormalUser = true;
description = "anon";
extraGroups = [ "networkmanager" "wheel" "docker" ];
packages = with pkgs; [
firefox
# thunderbird
];
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
kate
wget
vim
tcpdump
dig
## for vmware
open-vm-tools
# vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
# wget
];
services.openssh.enable = true;
networking.firewall.allowedTCPPorts = [ 22 ];
networking.firewall.allowedUDPPorts = [ 22 ];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

122
server/configuration.nix Normal file

@@ -0,0 +1,122 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, inputs, ... }:
let
shash = pkgs.writeShellScriptBin "shash" ''
nix hash to-sri --type sha256 $(nix-prefetch-url ''$1)
'';
in{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
systemd.enableEmergencyMode = false;
networking.hostName = "server"; # Define your hostname.
# Set your time zone.
time.timeZone = "Europe/Vienna";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "de_AT.UTF-8";
LC_IDENTIFICATION = "de_AT.UTF-8";
LC_MEASUREMENT = "de_AT.UTF-8";
LC_MONETARY = "de_AT.UTF-8";
LC_NAME = "de_AT.UTF-8";
LC_NUMERIC = "de_AT.UTF-8";
LC_PAPER = "de_AT.UTF-8";
LC_TELEPHONE = "de_AT.UTF-8";
LC_TIME = "de_AT.UTF-8";
};
#### Graphical environment ####
# Enable the X11 windowing system.
services.xserver.enable = true;
# Enable the KDE Plasma Desktop Environment.
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
# Configure keymap in X11
services.xserver = {
layout = "at";
xkbVariant = "";
};
#### Sound and printing ####
# Enable CUPS to print documents.
#services.printing.enable = true;
# Enable sound with pipewire.
#sound.enable = true;
#hardware.pulseaudio.enable = false;
#security.rtkit.enable = true;
#services.pipewire = {
# enable = true;
# alsa.enable = true;
# alsa.support32Bit = true;
# pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
#};
#### Users and Packages ####
# Define a user account. Don't forget to set a password with passwd.
users.users.anon = {
isNormalUser = true;
description = "anon";
extraGroups = [ "networkmanager" "wheel" "docker" ];
packages = with pkgs; [
firefox
kate
# thunderbird
];
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
kate
nixos-option
wget
vim
tcpdump
dig
vscodium
inputs.agenix.packages."x86_64-linux".default
btop
shash
gparted
restic
hdparm
wireguard-tools
openssl
unstable.e2fsprogs
# vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
# wget
];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}
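Review bot: The `shash` helper at the top of the file hands `$1` and the `nix-prefetch-url` output to the shell unquoted, so a URL with whitespace or glob characters is word-split before it reaches `nix-prefetch-url`; write it as `nix hash to-sri --type sha256 "$(nix-prefetch-url "''$1")"`. Separately, `anon` is in both `wheel` and `docker`; with the stock daemon from `docker.nix`, membership in `docker` is root-equivalent on this host (any member can `docker run -v /:/host`), so `wheel` adds nothing and the `docker` entry deserves a comment saying it is intentional, e.g. `extraGroups = [ "networkmanager" "wheel" "docker" ]; # docker membership == root`. `systemd.enableEmergencyMode = false` is a good call for an unattended box and is worth a one-line comment so nobody re-enables it.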

123
server/flake.lock generated Normal file

@@ -0,0 +1,123 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1696775529,
"narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
"owner": "ryantm",
"repo": "agenix",
"rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1673295039,
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682203081,
"narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1677676435,
"narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1698134075,
"narHash": "sha256-foCD+nuKzfh49bIoiCBur4+Fx1nozo+4C/6k8BYk4sg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8efd5d1e283604f75a808a20e6cde0ef313d07d4",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1697957990,
"narHash": "sha256-LlyEQ4z1immaiZV+MQMUXM3KpNoRY/xZVm8mmN5j3yg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b3ddf9649fdac7db15aeea95cb3114c13594d265",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable"
}
}
},
"root": "root",
"version": 7
}

52
server/flake.nix Normal file

@@ -0,0 +1,52 @@
{
description = "A very basic flake";
inputs = {
# secrets management
agenix.url = "github:ryantm/agenix";
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
};
outputs = { self, nixpkgs, nixpkgs-unstable, agenix }@inputs:
let
system = "x86_64-linux";
overlay-unstable = final: prev: {
unstable = nixpkgs-unstable.legacyPackages.${prev.system};
};
in {
nixosConfigurations.server = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
./modules/static-ip-server.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
./configuration.nix
./modules/motd.nix
./modules/postgres.nix
./modules/fail2ban.nix
./modules/nix-settings.nix
./modules/adguard.nix
./modules/git.nix
#./modules/vmware-guest.nix
./modules/github-runner.nix
./modules/synapse.nix
./modules/nextcloud.nix
#./modules/coturn.nix
./modules/acme.nix
./modules/samba.nix
./modules/backup.nix
./modules/nginx.nix
./modules/ssh.nix
./modules/rdp.nix
./modules/docker.nix
./modules/wireguard.nix
./modules/cron.nix
./modules/paperless.nix
#./modules/dyndns.nix i think ddclient is deprecated
#./modules/home-assistant.nix idk dont like this
agenix.nixosModules.default
];
specialArgs = { inherit inputs; };
};
};
}
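Review bot: `nixpkgs-unstable.url = "nixpkgs/nixos-unstable"` is an indirect flake reference resolved through the flake registry (the lock records it as `"type": "indirect"`), while the other two inputs use explicit `github:` URLs; the lock pins the rev either way, but the update path then depends on whatever registry the machine running `nix flake update` has. Write it as `nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";` to match. `configuration.nix` relies on the `unstable` overlay installed here (for `unstable.e2fsprogs`), which is worth a comment on the overlay line, e.g. `# exposes pkgs.unstable.* to every module below`.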


@@ -0,0 +1,59 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/1af836fb-ffef-4362-84af-bcb24d4db068";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/B9EB-F6A4";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/e4bf3959-4d3c-4980-82c1-c5ec2104ec93"; }
];
fileSystems."/mnt/2tb" =
{ device = "/dev/disk/by-uuid/99954059-3801-4abb-a536-0e7802a3e6b4";
fsType = "ext4";
options = ["defaults" "nofail"];
};
fileSystems."/mnt/1tb" =
{ device = "/dev/disk/by-uuid/fb0a94c2-95df-4f62-904e-695d372363e9";
fsType = "ext4";
options = ["defaults" "nofail"];
};
fileSystems."/mnt/250ssd" =
{ device = "/dev/disk/by-uuid/80163cf9-2030-4757-ada2-03db96184961";
fsType = "ext4";
options = ["defaults" "nofail"];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp6s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

7
server/modules/acme.nix Normal file

@@ -0,0 +1,7 @@
{
security.acme = {
acceptTerms = true;
# Replace the email here!
defaults.email = "7265381+Kropatz@users.noreply.github.com";
};
}
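Review bot: `defaults.email` is a `users.noreply.github.com` address, which does not receive mail, so the expiry and revocation notices the ACME account is registered for will never be read; the `# Replace the email here!` comment above it suggests this is a leftover placeholder rather than a choice. Point it at a mailbox someone monitors, or make the comment say that CA notices are intentionally discarded. The `kopatz.ddns.net` certificate used by nginx and synapse hangs off this account, so a silent renewal failure would surface only as a TLS outage.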


@@ -0,0 +1,87 @@
{
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
services.adguardhome = {
enable = true;
settings = {
users = [
{
name = "admin";
password = "$2y$15$iPzjmUJPTwWUOsDp46GOPO/LYor/jDJjndwy2QlPddaKSD4QXvq9W";
}
];
dns = {
bind_hosts = [ "127.0.0.1" "192.168.0.6" ];
port = 53;
protection_enabled = true;
filtering_enabled = true;
upstream_dns = [
"https://doh.tiar.app/dns-query"
"tls://getdnsapi.net"
"https://dns.adguard-dns.com/dns-query"
"tls://dot.seby.io"
];
use_http3_upstreams = true;
rewrites = [
{
"domain" = "kopatz.ddns.net";
"answer" = "192.168.0.6";
}
{
"domain" = "server.home";
"answer" = "192.168.0.6";
}
{
"domain" = "server.local";
"answer" = "192.168.0.6";
}
{
"domain" = "adguard.local";
"answer" = "192.168.0.6";
}
{
"domain" = "nextcloud.local";
"answer" = "192.168.0.6";
}
{
"domain" = "turnserver.local";
"answer" = "192.168.2.1";
}
{
"domain" = "inverter.local";
"answer" = "192.168.0.9";
}
];
};
querylog = {
enabled = false;
};
filters = [
{
enabled = true;
url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
name = "adguard dns list";
id = 1;
}
{
enabled = true;
url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt";
name = "adguard block list";
id = 2;
}
{
enabled = true;
url = "https://dbl.oisd.nl/";
name = "big block list";
id = 3;
}
];
dhcp = { enabled = false; };
dhcpv6 = { enabled = false; };
tls = {
enabled = true;
};
};
};
}
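Review bot: Port 53 is opened in the host firewall for every interface and AdGuard Home binds `192.168.0.6`, so whether this becomes an open resolver depends entirely on the router never forwarding 53 — nothing in the file limits which clients may query. AdGuard Home has a client allow-list for exactly this; adding `allowed_clients = [ "127.0.0.1" "192.168.0.0/24" ];` beside `bind_hosts` keeps the resolver closed even if the port is exposed later. The committed `$2y$15$…` bcrypt hash is, I believe, rendered into the world-readable Nix store on the host anyway, but publishing it in the repo additionally enables offline guessing; cost 15 makes that slow, and the hash differing from the one in the deleted `configuration.nix` suggests the password was already rotated. With `querylog.enabled = false` there is no record to consult after an incident; a short retention `interval` is a reasonable middle ground if privacy is the concern.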

63
server/modules/backup.nix Normal file

@@ -0,0 +1,63 @@
{ config, pkgs, lib, inputs, ... }:
{
age.secrets.restic-pw = {
file = ../secrets/restic-pw.age;
};
age.secrets.restic-s3 = {
file = ../secrets/restic-s3.age;
};
services.restic = {
backups = {
localbackup = {
exclude = [
"/home/*/.cache"
];
initialize = true;
passwordFile = config.age.secrets.restic-pw.path;
paths = [
"/home"
"/var/backup/postgresql"
"/mnt/250ssd/matrix-synapse/media_store/"
"/mnt/250ssd/nextcloud"
"/mnt/250ssd/paperless"
];
repository = "/mnt/2tb/restic";
};
localbackup-1tb = {
initialize = true;
passwordFile = config.age.secrets.restic-pw.path;
paths = [
"/home"
"/var/backup/postgresql"
"/mnt/250ssd/matrix-synapse/media_store/"
"/mnt/250ssd/nextcloud"
"/mnt/250ssd/paperless"
];
exclude = [
"/home/*/.cache"
];
repository = "/mnt/1tb/restic";
timerConfig = {
OnCalendar = "*-*-03,06,09,12,15,18,21,24,27,30 02:00:00";
Persistent = true;
};
};
remotebackup = {
exclude = [
"/home/*/.cache"
];
initialize = true;
passwordFile = config.age.secrets.restic-pw.path;
environmentFile = config.age.secrets.restic-s3.path;
paths = [
"/home"
];
timerConfig = {
OnCalendar = "*-*-03,06,09,12,15,18,21,24,27,30 00:00:00";
Persistent = true;
};
repository = "s3:s3.us-west-002.backblazeb2.com/kop-bucket";
};
};
};
}
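Review bot: All three repositories live on mounts that `hardware-configuration.nix` declares `nofail`, and every job sets `initialize = true`, so if `/mnt/2tb` or `/mnt/1tb` is absent at 02:00 restic will create a fresh, empty repository in that directory on the root filesystem and the job will report success. Pin each local job to its disk, e.g. `systemd.services.restic-backups-localbackup.unitConfig.RequiresMountsFor = [ "/mnt/2tb" ];` (and the same for `localbackup-1tb` with `/mnt/1tb`), so it fails loudly instead. The remote job authenticates with whatever B2 key is in `restic-s3.age`; if that key can delete objects, an attacker with root on this host can `restic forget --prune` the off-site copy as well, so an application key without delete capability (or bucket object lock) is what makes the remote copy survive a host compromise — not visible here, but worth confirming. None of the jobs sets `pruneOpts`, so the repositories grow without bound.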

73
server/modules/coturn.nix Normal file

@@ -0,0 +1,73 @@
{ config, pkgs, lib, inputs, ... }:
{
age.secrets.coturn-secret = {
file = ../secrets/coturn-secret.age;
owner = "turnserver";
group = "turnserver";
};
networking.firewall.allowedUDPPortRanges = [ { from = 49000; to=50000; } ];
networking.firewall.allowedUDPPorts = [ 3478 ]; #5349 ];
networking.firewall.allowedTCPPorts = [ 3478 ]; #5349 ];
services.coturn = {
enable = true;
no-cli = true;
#tls-listening-port = 5349;
listening-port = 3478;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret-file = config.age.secrets.coturn-secret.path;
relay-ips = [
"192.168.2.1"
];
listening-ips = [
"192.168.2.1"
];
realm = "kopatz.ddns.net";
#cert = "${config.security.acme.certs."kopatz.ddns.net".directory}/full.pem";
#pkey = "${config.security.acme.certs."kopatz.ddns.net".directory}/key.pem";
extraConfig = ''
no-sslv3
no-tlsv1
no-tlsv1_1
no-tlsv1_2
# for debugging
verbose
# ban private IP ranges
no-multicast-peers
allowed-peer-ip=192.168.2.0-192.168.2.255
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
#systemd.services.coturn = {
# serviceConfig = {
# User = lib.mkForce "root";
# Group = lib.mkForce "root";
# };
# };
}
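Review bot: The 49000–50000 range and 3478 are opened on every interface, but coturn listens and relays only on `192.168.2.1` (the WireGuard address), so the holes on `eth0` serve nothing; scope them with `networking.firewall.interfaces.wg0.allowedUDPPortRanges = [ { from = 49000; to = 50000; } ];` and the equivalent `allowedUDPPorts`/`allowedTCPPorts` for 3478. `verbose` is marked `# for debugging` and should not ship, since it logs per-session detail for every relay. `no-tlsv1_2` leaves only TLS 1.3 for the currently disabled TLS listener; if that is deliberate, say so in a comment before `tls-listening-port` is re-enabled. The module is commented out in `flake.nix`, so none of this is live yet, and the commented-out override running coturn as root should be deleted rather than kept around.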

5
server/modules/cron.nix Normal file

@@ -0,0 +1,5 @@
{
services.cron = {
enable = true;
};
}


@@ -0,0 +1,7 @@
{ config, pkgs, lib, inputs, ... }:
{
virtualisation.docker.enable = true;
environment.systemPackages = with pkgs; [
docker-compose
];
}

12
server/modules/dyndns.nix Normal file

@@ -0,0 +1,12 @@
{ config, pkgs, lib, inputs, ... }:
{
age.secrets.duckdns = {
file = ../secrets/duckdns.age;
};
services.ddclient = {
enable = true;
protocol = "duckdns";
passwordFile = config.age.secrets.duckdns.path;
domains = ["wachbirn.duckdns.org"];
};
}
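Review bot: `domains` names `wachbirn.duckdns.org`, but everything else in the tree (`acme`, `synapse`, `wireguard`, the AdGuard rewrite) is built around `kopatz.ddns.net`, so if this module were re-enabled it would keep a different hostname current while the one the services actually use stays stale. Either state in a comment that the DuckDNS name is a secondary or test name, or point the services at it. The module is commented out in `flake.nix`; the `passwordFile` handling itself is fine.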


@@ -0,0 +1,15 @@
{
services.fail2ban = {
enable = true;
ignoreIP = [
"192.168.0.0/16"
];
bantime = "24h";
bantime-increment = {
enable = true; # Enable increment of bantime after each violation
multipliers = "1 2 4 8 16 32 64";
maxtime = "168h"; # Do not ban for more than 1 week
overalljails = true; # Calculate the bantime based on all the violations
};
};
}
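Review bot: Only the stock `sshd` jail is active, and `ssh.nix` already disables password and keyboard-interactive authentication, so fail2ban currently guards the one service that least needs it while the password-driven entry points — the nginx-fronted AdGuard and Nextcloud logins, and xrdp on 3389 — have no jail (Nextcloud has its own throttling; AdGuard Home and xrdp do not, as far as I know). Add `jails` for what is actually exposed, for example an `nginx-http-auth`/`nginx-botsearch` jail over `/var/log/nginx/access.log`, and an xrdp jail if RDP stays open. `ignoreIP = [ "192.168.0.0/16" ]` also exempts the WireGuard subnet 192.168.2.0/24, which is presumably intended but worth a comment.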

3
server/modules/git.nix Normal file

@@ -0,0 +1,3 @@
{
programs.git.enable = true;
}


@@ -0,0 +1,42 @@
{ config, pkgs, lib, inputs, ... }:
{
nixpkgs.config.permittedInsecurePackages = [
"nodejs-16.20.2"
];
users.groups.github-actions-runner = {};
users.users.github-actions-runner = {
isSystemUser = true;
passwordFile = config.age.secrets.github-runner-pw.path;
group = "github-actions-runner";
extraGroups = [ "docker" ];
};
age.secrets.github-runner-token = {
file = ../secrets/github-runner-token.age;
owner = "github-actions-runner";
group = "github-actions-runner";
};
age.secrets.github-runner-pw = {
file = ../secrets/github-runner-pw.age;
owner = "github-actions-runner";
group = "github-actions-runner";
};
systemd.tmpfiles.rules = [
"d /github-actions-runner 0770 github-actions-runner github-actions-runner -"
"d /data 0770 github-actions-runner nginx -"
"d /data/website 0770 github-actions-runner nginx -"
];
services.github-runner = {
enable = true;
name = "nixos-server";
tokenFile = config.age.secrets.github-runner-token.path;
url = "https://github.com/oberprofis";
user = "github-actions-runner";
workDir = "/github-actions-runner";
extraPackages = with pkgs; [ rsync nodePackages.pnpm nodejs_18 ];
serviceOverrides = {
BindPaths= [ "/github-actions-runner" "/data/website" ];
UMask = "022";
};
};
}
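Review bot: `github-actions-runner` is in the `docker` group, which is root-equivalent on this host (a member can `docker run -v /:/host`), and the runner is registered at organization scope (`url = "https://github.com/oberprofis"`), so every workflow in every repository of that org — and anyone who can get a workflow to run there, via a compromised collaborator or a fork-PR policy not visible here — gets root on the box that also holds Nextcloud, Matrix, Paperless and the backups. Drop `extraGroups = [ "docker" ]` and, if containers are really needed in CI, use rootless docker or podman for that user; registering per repository instead of per org also shrinks the blast radius to the one site deployed to `/data/website`. `permittedInsecurePackages = [ "nodejs-16.20.2" ]` accepts an EOL Node with open CVEs, presumably because the runner still needs Node 16 for older actions; the reason belongs in a comment next to it. The `passwordFile` on a system account is unusual — if it exists only to allow `su github-actions-runner`, a comment saying so stops the next reader from wondering whether this account can log in through xrdp or Samba.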


@@ -0,0 +1,19 @@
{ config, pkgs, ... }:
{
services.home-assistant = {
enable = true;
extraComponents = [
# Components required to complete the onboarding
"esphome"
"met"
"radio_browser"
"fronius"
"adguard"
];
config = {
# Includes dependencies for a basic setup
# https://www.home-assistant.io/integrations/default_config/
default_config = {};
};
};
}

52
server/modules/motd.nix Normal file

@@ -0,0 +1,52 @@
{
users.motd = ''
'';
}


@@ -0,0 +1,3 @@
{
networking.networkmanager.enable = true;
}


@@ -0,0 +1,86 @@
{ config, pkgs, lib, inputs, ... }:
{
age.secrets.nextcloud-cert = {
file = ../secrets/nextcloud-cert.age;
owner = "nginx";
group = "nginx";
};
age.secrets.nextcloud-key = {
file = ../secrets/nextcloud-key.age;
owner = "nginx";
group = "nginx";
};
# Enable Nginx
services.nginx = {
enable = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
# Setup Nextcloud virtual host to listen on ports
virtualHosts = {
"nextcloud.local" = {
serverAliases = [ "192.168.2.1" ];
## Force HTTP redirect to HTTPS
forceSSL = true;
locations."~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[s]-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)".extraConfig = ''
client_max_body_size 5G;
'';
#sslTrustedCertificate = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
sslCertificate = config.age.secrets.nextcloud-cert.path;
sslCertificateKey = config.age.secrets.nextcloud-key.path;
## LetsEncrypt
#enableACME = true;
};
};
};
age.secrets.nextcloud-admin = {
file = ../secrets/nextcloud-admin.age;
owner = "nextcloud";
group = "nextcloud";
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud27;
https = true;
hostName = "nextcloud.local";
config.adminpassFile = config.age.secrets.nextcloud-admin.path;
config.dbtype = "pgsql";
database.createLocally = true;
config.extraTrustedDomains = [ "192.168.2.1" ];
home = "/mnt/250ssd/nextcloud";
extraApps = {
spreed = pkgs.fetchNextcloudApp rec {
url = "https://github.com/nextcloud-releases/spreed/releases/download/v17.1.1/spreed-v17.1.1.tar.gz";
sha256 = "sha256-LaUG0maatc2YtWQjff7J54vadQ2RE4X6FcW8vFefBh8=";
};
};
phpOptions = {
upload_max_filesize = "5G";
post_max_size = "5G";
};
extraAppsEnable = true;
extraOptions.enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
};
}
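Review bot: The `nextcloud.local` server block is selected purely by `Host` header, and nginx listens on 80/443 on every interface (opened in `nginx.nix`; port 80 must be reachable from the internet for the HTTP-01 ACME challenge `kopatz.ddns.net` uses, and the Matrix well-known delegation to `:443` suggests 443 is forwarded too), so anyone who sends `Host: nextcloud.local` to the public address reaches the Nextcloud login page — `extraTrustedDomains` only adds `192.168.2.1`, it does not restrict where requests come from. Add an IP allow-list to the vhost, e.g. `extraConfig = "allow 192.168.0.0/24; allow 192.168.2.0/24; deny all;";`, so it is reachable only from the LAN and WireGuard. The `sslCiphers` override narrows `recommendedTlsSettings` to AES-256-only suites and, I believe, its `AES256+EDH` half is dead because no `sslDhparam` is set; dropping the override to keep the module's curated list is simpler. The `rec` on the `fetchNextcloudApp` call is unused.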

56
server/modules/nginx.nix Normal file

@@ -0,0 +1,56 @@
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
# Setup Nextcloud virtual host to listen on ports
virtualHosts = {
"kopatz.ddns.net" = {
#serverAliases = [
# "www.kopatz.ddns.net"
# "server.home"
# "server.local"
# "192.168.0.6"
#];
root = "/data/website";
forceSSL = true;
enableACME = true;
locations."~* \\.(jpg)$".extraConfig= ''
add_header Access-Control-Allow-Origin *;
'';
locations."~ ^/(stash|resources|css)".extraConfig=''
client_max_body_size 5000M;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:5091;
'';
locations."/tracker-site" = {
tryFiles = "$uri $uri/ /tracker-site/index.html =404";
};
locations."/tracker-site/api" = {
extraConfig =''
rewrite /tracker-site/api/(.*) /$1 break;
'';
proxyPass = "http://127.0.0.1:8080";
};
};
"adguard.local" = {
locations."/".proxyPass = "http://127.0.0.1:3000";
};
};
};
}
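Review bot: The `adguard.local` vhost proxies the AdGuard Home admin UI over plain HTTP with no `forceSSL` and no client restriction, so the admin password crosses the LAN in cleartext, and because nginx picks this block by `Host` header on a port 80 that must be internet-reachable for the HTTP-01 ACME challenge of `kopatz.ddns.net`, `curl -H 'Host: adguard.local' http://<public-ip>/` reaches the login from anywhere. NixOS emits `virtualHosts` in attribute-name order and nginx treats the first server on a listen address as the default, so if my reading is right `adguard.local` is also where a request with an unknown or missing `Host` lands. Give the public site `default = true;` (or add a `"_"` catch-all that returns 444), and restrict the admin vhost with `extraConfig = "allow 127.0.0.1; allow 192.168.0.0/24; deny all;";` plus `forceSSL = true;` with a LAN certificate, or bind it to the WireGuard address only via `listen`. The `add_header Access-Control-Allow-Origin *` on `*.jpg` is harmless for static images.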


@@ -0,0 +1,4 @@
{
nix.optimise.automatic = true;
nix.settings.experimental-features = [ "nix-command" "flakes" ];
}


@@ -0,0 +1,16 @@
{ config, pkgs, lib, inputs, ... }:
{
networking.firewall.allowedTCPPorts = [ 28981 ];
age.secrets.paperless = {
file = ../secrets/paperless.age;
owner = "paperless";
group = "paperless";
};
services.paperless = {
enable = true;
port = 28981;
passwordFile = config.age.secrets.paperless.path;
address = "192.168.2.1";
mediaDir = "/mnt/250ssd/paperless";
};
}
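Review bot: Paperless binds only the WireGuard address (`address = "192.168.2.1"`), but `allowedTCPPorts = [ 28981 ]` opens that port on every interface, so the firewall rule is wider than the listener; scope it with `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 28981 ];` so a later change to `address` cannot silently expose it on `eth0`. `mediaDir` is on `/mnt/250ssd`, which `hardware-configuration.nix` mounts with `nofail` — if that disk is missing, Paperless starts and writes new documents into an empty directory on the root filesystem; adding `unitConfig.RequiresMountsFor = [ "/mnt/250ssd" ];` to the `paperless-*` units turns that into a hard failure instead.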


@@ -0,0 +1,22 @@
{ pkgs, ... }:
{
services.postgresql = {
enable = true;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method optional_ident_map
local sameuser all peer map=superuser_map
'';
identMap = ''
# ArbitraryMapName systemUser DBUser
superuser_map root postgres
superuser_map postgres postgres
# Let other names login as themselves
superuser_map /^(.*)$ \1
'';
};
services.postgresqlBackup = {
enable = true;
location = "/var/backup/postgresql";
backupAll = true;
};
}

5
server/modules/rdp.nix Normal file

@@ -0,0 +1,5 @@
{
services.xrdp.enable = true;
services.xrdp.defaultWindowManager = "startplasma-x11";
services.xrdp.openFirewall = true;
}
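Review bot: `services.xrdp.openFirewall = true` exposes 3389 on every interface, and xrdp authenticates with plain PAM passwords, so this becomes the only remote password login on the host now that `ssh.nix` turns password authentication off — every local account with a password (including `github-actions-runner`, which gets one via `passwordFile`, if its shell permits a session) is one guess away, and `fail2ban.nix` configures no xrdp jail. Replace `openFirewall` with `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 3389 ];` so RDP is reachable only over WireGuard, or drop RDP in favour of a tunnelled VNC/X session. xrdp also presents a self-signed certificate by default, so clients on an untrusted network cannot distinguish a MITM from the real server.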

37
server/modules/samba.nix Normal file

@@ -0,0 +1,37 @@
{
#services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
#networking.firewall.allowedTCPPorts = [
#5357 # wsdd
#];
#networking.firewall.allowedUDPPorts = [
#3702 # wsdd
#];
services.samba.openFirewall = true;
services.samba = {
enable = true;
securityType = "user";
invalidUsers = [
"root"
];
extraConfig = ''
disable netbios = yes
smb ports = 445
workgroup = WORKGROUP
server string = smbnix
security = user
#use sendfile = yes
#max protocol = smb2
# note: localhost is the ipv6 localhost ::1
hosts allow = 192.168.0. 192.168.174.1 127.0.0.1 localhost
hosts deny = 0.0.0.0/0
guest account = nobody
map to guest = bad user
'';
shares = {
homes = {
browseable = "no";
writable = "yes";
};
};
};
}
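Review bot: `map to guest = bad user` turns a login with an unknown username into a guest session instead of a rejection, yet the only share is `homes` with no `guest ok`, so the setting buys nothing and only makes failed logins look like successes in an audit; use `map to guest = never`. `hosts allow`/`hosts deny` already fence the service to the LAN and the VMware host adapter, which is the right shape, but with `openFirewall = true` the ports are also open on `wg0` and peers there are refused by Samba rather than the firewall — fine, as long as a comment notes it. Consider `server min protocol = SMB3_00` and `smb encrypt = required` in `extraConfig` so credentials and data are not readable on the LAN; the Samba-version default minimum is not visible here. `security = user` in `extraConfig` duplicates `securityType = "user"`.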

14
server/modules/ssh.nix Normal file

@@ -0,0 +1,14 @@
{
networking.firewall.allowedTCPPorts = [ 22 ];
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "no";
};
users.users.anon.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDb14svyGa2WprTNrtaI5yRl9KP+wzmLueFsHQww0Y6D2CZ5ZEEwoGFg7PrjWzVa/tXYn5AO1ng5eMCRbZPjtX03of448HTAEV8B0BFV9BuemoIBf14TRZ6lhGfQvD7BlTVZ5jKGUUJBfRdf0CZ8Ed5dk77u0xGV8+p3dYAQXowOmOyYFiDg6baKQcLM5Pz2zVxK1GySehEJ4n7GYNjyv7hJhfWMbaE10rIB0V0TuM8yeYvBvIxfGfMzlm4izOHbuSYR1v6RCuQKn1JOQiYqAkYCsXG/4XssMXpl2KxGvp67OJNotIHzap8zRDr7KH8Sk8jHuBFCnqbxDEqzs72Qtan Kopatz@Kopatz-PC"
"ssh-rsa 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 kopatz@Kopatz-PC2"
];
}
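Review bot: Key-only, no-root, no-KbdInteractive is the right baseline; the remaining gap is that every account on the box is still a valid ssh principal the moment an authorized key lands in its home (several service accounts exist: `github-actions-runner`, `nextcloud`, `paperless`, `matrix-synapse`), so pin the allowed logins with `settings.AllowUsers = [ "anon" ];`. Both keys are `ssh-rsa`; they still work, but new keys should be `ssh-ed25519`. Port 22 is opened on every interface — fine if the router does not forward it, otherwise restrict it to `wg0` the same way.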


@@ -0,0 +1,23 @@
{
networking = {
defaultGateway = "192.168.0.1";
useDHCP = false;
firewall = {
enable = true;
allowedUDPPorts = [ 5000 ];
};
nameservers = [
"127.0.0.1"
"1.1.1.1"
];
interfaces = {
"enp0s31f6" = {
name = "eth0";
ipv4.addresses = [{
address = "192.168.0.6";
prefixLength = 24;
}];
};
};
};
}
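Review bot: `firewall.allowedUDPPorts = [ 5000 ]` opens a port that no module in this tree binds, so it is either a leftover or an undocumented service; give it a comment naming the consumer (`allowedUDPPorts = [ 5000 ]; # <what listens here>`) or remove it — unexplained holes are the ones nobody dares close later. `nameservers` lists `1.1.1.1` after `127.0.0.1`, and glibc falls through to it whenever the local AdGuard resolver times out, so the host's own lookups can silently bypass the filtering and DoT/DoH upstreams from `adguard.nix`; if a bootstrap fallback is the intent, say so in a comment, otherwise drop it. Renaming `enp0s31f6` to `eth0` here is what `wireguard.nix`'s `nat.externalInterface = "eth0"` depends on, which deserves a note at the rename.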


@@ -0,0 +1,92 @@
{ pkgs, lib, config, ... }:
let
fqdn = "${config.networking.domain}";
baseUrl = "https://${fqdn}";
clientConfig."m.homeserver".base_url = baseUrl;
serverConfig."m.server" = "${fqdn}:443";
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
networking.domain = "kopatz.ddns.net";
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
# If the A and AAAA DNS records on example.org do not point on the same host as the
# records for myhostname.example.org, you can easily move the /.well-known
# virtualHost section of the code to the host that is serving example.org, while
# the rest stays on myhostname.example.org with no other changes required.
# This pattern also allows to seamlessly move the homeserver from
# myhostname.example.org to myotherhost.example.org by only changing the
# /.well-known redirection target.
"${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
# This section is not needed if the server_name of matrix-synapse is equal to
# the domain (i.e. example.org from @foo:example.org) and the federation port
# is 8448.
# Further reference can be found in the docs about delegation under
# https://matrix-org.github.io/synapse/latest/delegate.html
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
# This is usually needed for homeserver discovery (from e.g. other Matrix clients).
# Further reference can be found in the upstream docs at
# https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
# Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
# *must not* be used here.
locations."/_matrix".proxyPass = "http://[::1]:8008";
# Forward requests for e.g. SSO and password-resets.
locations."/_synapse/client".proxyPass = "http://[::1]:8008";
};
};
};
age.secrets.matrix-registration = {
file = ../secrets/matrix-registration.age;
owner = "matrix-synapse";
group = "matrix-synapse";
};
services.matrix-synapse = {
enable = true;
dataDir = "/mnt/250ssd/matrix-synapse";
settings.server_name = config.networking.domain;
# The public base URL value must match the `base_url` value set in `clientConfig` above.
# The default value here is based on `server_name`, so if your `server_name` is different
# from the value of `fqdn` above, you will likely run into some mismatched domain names
# in client applications.
settings.public_baseurl = baseUrl;
extraConfigFiles = [
config.age.secrets.matrix-registration.path
];
settings.listeners = [
{ port = 8008;
bind_addresses = [ "::1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [ {
names = [ "client" "federation" ];
compress = true;
} ];
}
];
};
}
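Review bot: `initialScript` creates the `matrix-synapse` role `WITH LOGIN PASSWORD 'synapse'`, putting a database password in the repo; `postgres.nix` permits only `local … peer` authentication and no TCP listener is enabled, so the password is never used and can simply be dropped — `CREATE ROLE "matrix-synapse" WITH LOGIN;`. Note that `initialScript` runs only on first cluster initialisation, so on an existing cluster the role and database must be created by hand; a comment saying so would save the next person a confusing first start. Keeping the registration secret in `matrix-registration.age` rather than in `settings` is the right split.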


@@ -0,0 +1,8 @@
{ config, pkgs, ... }:
{
## shared clipboard
virtualisation.vmware.guest.enable = true;
environment.systemPackages = with pkgs; [
open-vm-tools
];
}


@@ -0,0 +1,96 @@
{ config, pkgs, lib, inputs, ... }:
{
age.secrets.wireguard-private = {
file = ../secrets/wireguard-private.age;
};
networking.nat.enable = true;
networking.nat.externalInterface = "eth0";
networking.nat.internalInterfaces = [ "wg0" ];
networking.firewall.allowedUDPPorts = [ 51820 ];
networking.wg-quick.interfaces = {
wg0 = {
listenPort = 51820;
address = [
"192.168.2.1/24"
];
peers = [
{
allowedIPs = [
"192.168.2.2/32"
];
persistentKeepalive = 25;
endpoint = "192.168.0.6:51820";
publicKey = "dUBPIEnAiHIZCMjqV0ya8qotN3UnMhlEVyGNQcR3gVI=";
}
{
allowedIPs = [
"192.168.2.3/32"
];
persistentKeepalive = 25;
endpoint = "kopatz.ddns.net:51820";
publicKey = "Eg5ZS3zN05mJ/gct6wJlwVAHTlXpkhxFfUd7yscANV0=";
}
{
allowedIPs = [
"192.168.2.4/32"
];
persistentKeepalive = 25;
endpoint = "kopatz.ddns.net:51820";
publicKey = "8Eigfs+k2k2WPaMn+SqDmlSHdMv+I+xcBr/2qhtpGzI=";
}
{
allowedIPs = [
"192.168.2.20/32"
];
persistentKeepalive = 25;
endpoint = "kopatz.ddns.net:51820";
publicKey = "25u1RSfjsx3wb1DMeTm0pvUfUkG7zTjGaN+m0w6ZjCw=";
}
{
allowedIPs = [
"192.168.2.21/32"
];
persistentKeepalive = 25;
endpoint = "kopatz.ddns.net:51820";
publicKey = "S+8F+yxSQvjjoU44LRYqRv1YulqmOKumUtYo/YIh7X8=";
}
{
allowedIPs = [
"192.168.2.22/32"
];
persistentKeepalive = 25;
endpoint = "kopatz.ddns.net:51820";
publicKey = "/dIW7K49vB9HOghFeXvcY7wu2utQltuv6RfgCbxZwlk=";
}
{
allowedIPs = [
"192.168.2.23/32"
];
persistentKeepalive = 25;
endpoint = "kopatz.ddns.net:51820";
publicKey = "89rjQXNcyCRUCihqfqcOnctWmhiNR8snpRFF6dyHAmk=";
}
{
allowedIPs = [
"192.168.2.24/32"
];
persistentKeepalive = 25;
endpoint = "kopatz.ddns.net:51820";
publicKey = "adaWtboVz3UhpNBKFirs7slbU2+Y3GaV5yS2EoafwVU=";
}
{
allowedIPs = [
"192.168.2.5/32"
];
persistentKeepalive = 25;
endpoint = "kopatz.ddns.net:51820";
publicKey = "g5uTlA1IciXgtSbECjhVis0dajRAc53Oa7Hz6dUI+0Q=";
}
];
privateKeyFile = config.age.secrets.wireguard-private.path;
};
};
}
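Review bot: Every peer is masqueraded through `networking.nat` onto `eth0`, so any client that routes through this host is forwarded to the upstream LAN and the internet with no forward-chain filtering; if peers are only meant to reach services on this host, remove the three `networking.nat.*` lines, and if full tunnelling is intended, add explicit forward rules so that the `/32` allowedIPs are not the only thing limiting reach. `externalInterface = "eth0"` is a hard-coded legacy name; on a VM with predictable interface names (`ens33`, `enp0s3`, …) the masquerade rule matches nothing and silently fails, so verify it against `ip link` on the target host. Seven of the nine peers carry `endpoint = "kopatz.ddns.net:51820"`, which presumably resolves to this server itself; on the listening side an `endpoint` for roaming clients is unnecessary, looks copied from a client config, and can stop `wg-quick` from bringing `wg0` up at boot if that name does not resolve yet. The peer list would also read better with a one-line comment per peer naming the device, since the public keys alone are not identifiable.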


@@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 yfCCMw 4ZpkTSszkAJIbBs211PZAuWyYlsbYGx+kh+fIa/X8Q4
zlDBNm+2ykfiugTcPWGgLKsBBCVRDiLkp/GSX8stVnQ
-> ssh-ed25519 IV3DkQ jvo0WmLvaOpAHASPs5Qb4HblklPs7l+wuiZIIapbm2c
KiPkiZMwPF4q5s2Ity1DBiPxDrEpMNEW6p9P7DOBVIY
-> NJJFW+-grease
vUz0h2kED8aYuu4hT4AJw89LzscD0jiKUVlkrhO0IN7n5do6dUkXm5h7wNwnybTl
FoV3HBxV3xAr6tD++Uv8/ej/XqG0jBhd
--- h2fQyC4ajeEOyuzxzt7gf23wJMBoLQSXcc8uKewGyuY
Õ¨ßUD6j==(ž¹>8ôÅ"#Êdþ`‚Ô†bmUù·ß­kk&䦔çžDÌùè­€Ã`1m?W¡Ó¨°¥¹L¢jÖ°ûà5{ý÷ÛLäÏ©©.çÔÊîD½²:vÞÆtQ<74>K


@@ -0,0 +1,31 @@
agenix -e secret1.age
example secrets.nix file
```
let
user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
users = [ user1 ];
system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
systems = [ system1 ];
in
{
"secret1.age".publicKeys = [ user1 system1 ];
}
```
use secret in config
```
age.secrets.nextcloud = {
file = ./secrets/secret1.age;
owner = "nextcloud";
group = "nextcloud";
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud25;
hostName = "localhost";
config.adminpassFile = config.age.secrets.nextcloud.path;
};
```


@@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 yfCCMw qWHcQHXaRWumJlWydl0VLTNR2y4j5uVb3Sbjb0iO9Hk
LrQOKE3+nYVEM9cg3gT+nInpdTBocmVXSBSD7EBb1MQ
-> ssh-ed25519 IV3DkQ QR2R+mQSrk0UBV4GSATs0NQkkgbQzFai7ms5xQX3RTc
sndWMq89BmXeoyE+le7tHJQ6oSjzfhCbas5EpcJIzdc
-> 2/3Ux/5c-grease k;>AI5|g &JI / .{c
kY1TBMB2l6gMU+1aHPbBTCad537N1aa8d0Wi8bYGMmeC9+8PV18a
--- eKaZ9bddh3SF6hitwAHBldIFpUh3s2R6pI9eDstHdk8
·E¦·g˜v:½ô¦ü!µàÆOGy½ïg%ӂĬ


@@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 yfCCMw wQOSX5WnvkxmKl4xtbD62v312Sj9/g7SoMfQVdS1Q0o
Vv0byaVj1ptj08mDoEI6Go6h55gPVj1Gb0YJc+KhzuM
-> ssh-ed25519 IV3DkQ cAZHkdeXW2UyjIamz0Ab/NQhWhlxwFrj951KIVIRjyw
AV4rahLaZVem+nQDMIv6kMeIhjUAc7/F1wO20g89Eyk
-> e'`r-grease 5rS.MW
/smMPjLrxnS0QF2hU6axJMQlD0m8t9L15JK2CilAElDNVwMf35aynhvQqvCiQ3Sv
ueSLjeLVmEc8QZLORIFUabQAh59QqK3NCm/FVYSLwVZimytMH4/QksjN
--- mSjoAgLw84jJjQYlOf9ZfAvjw8b/2LFA55pM2uYEl2U
Ïåðc“س:I<>ø‰¢:Z{ŠòE@ŽH‡äß~á±Omaê
ñúÄa”A´°<yR]& Í_$|€6Rq“88ÊYí¹µ&¢ Ö<5]B­D/6™í°¿môÉ!4n


@@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 yfCCMw rvIxniIy9V9MEusfISoYDZACLPHWIXlpeTDCsXhbxQ4
Fh5jIyimXuB1xwfsYS5TeTI5yXPxF9K/M7YlBW9DSMw
-> ssh-ed25519 IV3DkQ XzdSfWvjKSu6RiUV5BWvOasK6QFB2uOHybtYEYnDnwg
BhtquDcngJfnGhfb4kHgfuQAZyXLKzm8518zXvwki0o
-> 'Xd:O-grease sG
Z4FSpQUYvPvA3YAf9NoXPQ30KwLYEL0XNJLXtbGESfllNc7cM5tOTn+szfotRwVI
3wGBWkTzE5g0rfLhVGUybFJIlMguXvZVl2EQ
--- xu2w56OhLGufb9mMXZQ/8Y/xTD0Ke8Yvf8h6zVE0p7g
ØJô$ÇC7<43>
¼Í¥ïF˜çßE
I+


@@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 yfCCMw cm1Rv6pG2jv5YL2a3jejL3oHyp3w5AdOOkPUuC1RiTQ
OPfb5CCkGwV1wBjxSM63i7YSWzwZrwh2GbIaIMgbnLo
-> ssh-ed25519 IV3DkQ mqIItqMdUx2rypN38qZc2MluanXzEyW82BoRvJRnmgE
FiODCU94Dv0MRhhMjcRxtM8vSzcfWbCiQza6P3iRFK0
-> .H0wQ-grease /9 WqdeDrv> )IMX{vvR >^?
AY2rOa0e0RS1
--- rQj2qpVKjSI/ptv2PUp2kMoAtko06QQw64Fgx46/10s
öfÅ_¬A¤hÂêfþÄÝØ®ÞŠ<C39E>úfg~sv‘ˆ³£&L²IpÑ,Cy-9ϪªRÄi
D%Y와N3Y!Ã><3E>©Ž˜ÿ ¯4òU<C3B2>Š#ìIi(å¬`Êc.ä¯U×ÿº.óáôT#ÛÃwNžªÀô‡øl^x§$œÅƒ€×É-_¶L[6†ÛÍÊB ƒ—å2ã&”vqáX<C3A1>ç¦ö|woìê˜BéP„'ýíRhOD>Å·éÎľIóËW


@@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 yfCCMw mo8zrkfdjLd7ojLCZZ8XL0fDQwr4Z5t8pqnbmXykXxQ
bpPiBgz/w14vqnvS8YuXJTo1pDuqdbHEfqXEgdHXs0Q
-> ssh-ed25519 IV3DkQ 3IzYm/7tlIH4hQs2M1fqkeoz7mKw5idUHm6z5TaHTxw
BHnYTqatni/UzwBJSghGiXqWUwuPpHW4HBVjjP1UXjI
-> 9/q5f-grease 3j `{O $R )*.
NPSQgfHqIJIHr8herACNiV+BwRf03K8G8RBDb5/6oZym
--- QTd5uVu6AZspmxpuZ7w32gyICcrKQKkP1www6qnjoDw
Áô;ÞªÍÌOãÍ@!éÝò!½Þb





@@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 yfCCMw fr9bTdi5DqM3+gHEZLQeYv22HJTnafbicFi8kQxLU1I
THTt5YssgKZyqTukphvhT/XLCp9EnWUoh2LLi1sv25E
-> ssh-ed25519 IV3DkQ 7m6HtNWFwXuVUPBr7GRbk+UopzQ8wdXOSyXL23B0xTE
gXvUsoDrmB9tKRyFIX/ATOCej8hIvwHSuun9A9Q+i+8
-> nuYl73-grease nU#N,Cb8 jdR=c0` eKcsi
G+zZUpeeSiaE8wkzK9tv80hj7wbZScXMbOVHaSYZeFhEfXhEJliFP60X2ZNQTkUG
ArOKaDwOY/zByBc+Jf1P5JLZinVeTLBQRnBN+RrZE20
--- wL204i5S+VYFP+C7JwZsSWSXRC+a4FejQoxFGEnV5Io
tí~õ—ÕˆÃ?nô6f©Y@<>$D½óB¦Ô‡Â<E28093>îNGØá^â\mÚ6cƒAóãhÑ^˜lh;CŸŒÊ!^>tœS¨ ì9Ö


@@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 yfCCMw kIAiiVGrxQLT8tNcIehkSwAl0RIR8yCblKcJutHKfio
LlI57U6z2Rmzau3yGP7GwgE7axUSHazMZB87CUuvZIo
-> ssh-ed25519 IV3DkQ Lig+2cAx34B1GK28qm8dxfcdjezyjHgusJW4i1JiLFM
FPjcmohS8mLlNLhZsXXlYJB10nnUYZOJonnIQoxcfuY
-> T$pF-grease vM&|GOOo k"jB.( '3~O-3rS
+sxTmNCBIo/fFeSCisPlgGYrIJNZVh/ykKig7UonRDBNYCIq9GoC8MViYEtTOcfF
o13P+1O2apmVg84VclReTiEZOy96TgjUe8A6uc9+
--- ah7cAYBdupOvrBoaJx1m8fTmSceC5Cq/2PPQOvZRTGA
µÞ£ ?4Ðîb®h<C2AE>×>m ö;‡"û”üeµGŸ¦ËNÚÄÍäèéåLD¼¯I{eþ™\”W¸Ó™`éSºÌ;¥2¹½VywÀNW_º<5F>Éó<C389>éU<7F>FžÌS2CðXS<d¹dèëðѧxDˆjôìÛ—T™.œ¹ŽK@<40>E"ö


@@ -0,0 +1,19 @@
let
nix-test-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVqEb1U1c9UX3AF8otNyYKpIUMjc7XSjZY3IkIPGOqi root@server";
server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAUA7uVKXAF2UcwaIDSJP2Te8Fi++2zkKzSPoRx1vQrI root@server";
systems = [ nix-test-vm server ];
in
{
"github-runner-token.age".publicKeys = [ nix-test-vm server ];
"github-runner-pw.age".publicKeys = [ nix-test-vm server ];
"duckdns.age".publicKeys = [ nix-test-vm server ];
"nextcloud-admin.age".publicKeys = [ nix-test-vm server ];
"nextcloud-cert.age".publicKeys = [ nix-test-vm server ];
"nextcloud-key.age".publicKeys = [ nix-test-vm server ];
"restic-pw.age".publicKeys = [ nix-test-vm server ];
"restic-s3.age".publicKeys = [ nix-test-vm server ];
"wireguard-private.age".publicKeys = [ nix-test-vm server ];
"coturn-secret.age".publicKeys = [ nix-test-vm server ];
"matrix-registration.age".publicKeys = [ nix-test-vm server ];
"paperless.age".publicKeys = [ nix-test-vm server ];
}
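Review bot: Every secret, including `wireguard-private.age`, `restic-s3.age` and `github-runner-token.age`, is encrypted to both host keys, so a compromise of the `nix-test-vm` host key exposes the production server's credentials; unless the test VM genuinely needs each one, scope them per host, e.g. `"wireguard-private.age".publicKeys = [ server ];`. The `systems` binding is defined but never used — either drop it or write `publicKeys = systems;` so the recipient list has one source of truth instead of twelve copies. Both keys carry the comment `root@server`; if the `nix-test-vm` line was pasted from the wrong host, re-export it from that VM's `/etc/ssh/ssh_host_ed25519_key.pub` and rekey. No user key is listed, so `agenix -e` only works with a host key (`-i /etc/ssh/ssh_host_ed25519_key`) — presumably intended, but worth a one-line comment at the top of the file.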


@@ -0,0 +1,2 @@
#! /usr/bin/env bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./nc-selfsigned.key -out ./nc-selfsigned.crt
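Review bot: The certificate is generated without a subject or subjectAltName, so `openssl req` prompts interactively and modern browsers and Nextcloud clients reject a certificate whose only identity is the CN; pass the host explicitly, e.g. `-subj "/CN=nextcloud.example" -addext "subjectAltName=DNS:nextcloud.example"` (the real host name is not visible here). The private key is written with the caller's umask, so unless that is already restrictive wrap the call as `(umask 077; openssl req ...)` before the file is picked up by `agenix`. A `set -euo pipefail` line after the shebang would also stop a failed run from leaving a mismatched key/cert pair behind.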


@@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 yfCCMw 8R//RguE7Om0PFjixliXpwEchVwPcm9COYTz7TIZxTE
81yMA9B/T6tbZfw6mU4TlYfCd6BEUC3UlBz1hNUXZ30
-> ssh-ed25519 IV3DkQ 0kS9JOiAPfLi8Zoj6BM0pVwSmDr+BnWvIh7rGwZ21G0
jbMIkFk8DEQ2tWgOWho1JrZkwKWW93GW9dzS3fTKMF4
-> $ByN}E,-grease O$8`|NT 17d} %u)^D-
x6SEG984W9vUAb0FCiZP0R4kQkYFOr3BGLpHP8HF8fj9LHWwxNb3PrntcOPJuvf7
oep4FMyBFHchh6RhyrdRlOf6hCLnmybNKzs
--- fCozYj+thQdIGXzdVLgLpLup9CI0QIEdgoMxfFVHGgs
­<EFBFBD>WV”ožEil3õ—ñz`¡†´ø<C2B4>®ð¤ , oسe-ÿºZüAtoOk¬@1åb¢.U<>NrB¢«zrZY…ëÚý

1
server/wg-publickey Normal file

@@ -0,0 +1 @@
vyHNUy97R1cvqEvElznPpFQtoqm7WUHnT96UP6Dquwc=