swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 00:57:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat[client,server]: add remote builds, confLib
Some checks failed
Flake check / Check flake (push) Has been cancelled
Details

Browse source
This commit is contained in:
Leon Schwarzäugl 2025-12-02 00:57:35 +01:00 committed by Leon Schwarzäugl
parent c20f1b0b59
commit 9acfc5f934
133 changed files with 4297 additions and 3249 deletions
Download patch file Download diff file Expand all files Collapse all files

34
.sops.yaml
View file

@ -7,6 +7,8 @@ keys:
- &swarsel 4BE7925262289B476DBBC17B76FD3810215AE097
- &hosts
- &winters age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
- &twothreetunnel age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
- &liliputsteps age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
- &stoicclub age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm
- &belchsfactory age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6
- &eagleland age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8
@ -23,6 +25,8 @@ creation_rules:
- *swarsel
age:
- *winters
- *twothreetunnel
- *liliputsteps
- *stoicclub
- *belchsfactory
- *eagleland
@ -38,6 +42,8 @@ creation_rules:
- *swarsel
age:
- *winters
- *twothreetunnel
- *liliputsteps
- *stoicclub
- *belchsfactory
- *eagleland
@ -53,6 +59,8 @@ creation_rules:
- *swarsel
age:
- *nbl
- *twothreetunnel
- *liliputsteps
- *stoicclub
- *belchsfactory
- *eagleland
@ -163,6 +171,32 @@ creation_rules:
age:
- *stoicclub
- path_regex: secrets/liliputsteps/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *swarsel
age:
- *liliputsteps
- path_regex: hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc
key_groups:
- pgp:
- *swarsel
age:
- *liliputsteps
- path_regex: secrets/twothreetunnel/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *swarsel
age:
- *twothreetunnel
- path_regex: hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc
key_groups:
- pgp:
- *swarsel
age:
- *twothreetunnel
- path_regex: hosts/nixos/x86_64-linux/summers/secrets/
key_groups:
- pgp:

4050
SwarselSystems.org
View file

File diff suppressed because it is too large Load diff

123
files/emacs/init.el
View file

@ -1201,9 +1201,13 @@ create a new one."
(setq elfeed-protocol-enabled-protocols '(fever))
(setq elfeed-protocol-fever-update-unread-only t)
(setq elfeed-protocol-fever-fetch-category-as-tag t)
(setq elfeed-protocol-feeds '(("fever+https://Swarsel@signpost.swarsel.win"
:api-url "https://signpost.swarsel.win/api/fever.php"
:password-file "~/.emacs.d/.fever")))
(let ((domain (getenv "SWARSEL_RSS_DOMAIN")))
(setq elfeed-protocol-feeds
`((,(concat "fever+https://Swarsel@" domain)
:api-url ,(concat "https://" domain "/api/fever.php")
:password-file "~/.emacs.d/.fever"))))
(define-key elfeed-show-mode-map (kbd ";") 'visual-fill-column-mode)
(define-key elfeed-show-mode-map (kbd "j") 'elfeed-goodies/split-show-next)
@ -1711,7 +1715,7 @@ create a new one."
:init
;; set org-caldav-sync-initalization
(setq swarsel-caldav-synced 0)
;; (setq org-caldav-url "https://schedule.swarsel.win/swarsel/calendar")
;; (setq org-caldav-url "https://cal.example.org/swarsel/calendar")
;; (setq org-caldav-calendars
;; '((:calendar-id "personal"
;; :inbox "~/Calendars/leon_cal.org")))
@ -1774,59 +1778,66 @@ create a new one."
:config
(dashboard-setup-startup-hook)
;; (setq initial-buffer-choice (lambda () (get-buffer-create "*dashboard*")))
(setq dashboard-display-icons-p t ;; display icons on both GUI and terminal
dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package
dashboard-set-file-icons t
dashboard-items '((recents . 5)
(projects . 5)
(agenda . 5))
dashboard-set-footer nil
dashboard-banner-logo-title "Welcome to SwarsEmacs!"
dashboard-image-banner-max-height 300
dashboard-startup-banner "~/.dotfiles/files/wallpaper/swarsel.png"
dashboard-projects-backend 'projectile
dashboard-projects-switch-function 'magit-status
dashboard-set-navigator t
dashboard-startupify-list '(dashboard-insert-banner
dashboard-insert-newline
dashboard-insert-banner-title
dashboard-insert-newline
dashboard-insert-navigator
dashboard-insert-newline
dashboard-insert-init-info
dashboard-insert-items
)
dashboard-navigator-buttons
`(;; line1
((,""
"SwarselSocial"
"Browse Swarsele"
(lambda (&rest _) (browse-url "instagram.com/Swarsele")))
(,""
"SwarselSound"
"Browse SwarselSound"
(lambda (&rest _) (browse-url "sound.swarsel.win")) )
(,""
"SwarselSwarsel"
"Browse Swarsel"
(lambda (&rest _) (browse-url "github.com/Swarsel")) )
(,""
"SwarselStash"
"Browse SwarselStash"
(lambda (&rest _) (browse-url "stash.swarsel.win")) )
(,"󰫑"
"SwarselSport"
"Browse SwarselSports"
(lambda (&rest _) (browse-url "social.parkour.wien/@Lenno")))
)
(
(,"󱄅"
"swarsel.win"
"Browse swarsel.win"
(lambda (&rest _) (browse-url "swarsel.win")))
)
)))
(let ((files-domain (getenv "SWARSEL_FILES_DOMAIN"))
(music-domain (getenv "SWARSEL_MUSIC_DOMAIN"))
(insta-domain (getenv "SWARSEL_INSTA_DOMAIN"))
(sport-domain (getenv "SWARSEL_SPORT_DOMAIN"))
(swarsel-domain (getenv "SWARSEL_DOMAIN"))
)
(setq dashboard-display-icons-p t ;; display icons on both GUI and terminal
dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package
dashboard-set-file-icons t
dashboard-items '((recents . 5)
(projects . 5)
(agenda . 5))
dashboard-set-footer nil
dashboard-banner-logo-title "Welcome to SwarsEmacs!"
dashboard-image-banner-max-height 300
dashboard-startup-banner "~/.dotfiles/files/wallpaper/swarsel.png"
dashboard-projects-backend 'projectile
dashboard-projects-switch-function 'magit-status
dashboard-set-navigator t
dashboard-startupify-list '(dashboard-insert-banner
dashboard-insert-newline
dashboard-insert-banner-title
dashboard-insert-newline
dashboard-insert-navigator
dashboard-insert-newline
dashboard-insert-init-info
dashboard-insert-items
)
dashboard-navigator-buttons
`(;; line1
((,""
"SwarselSocial"
"Browse Swarsele"
(lambda (&rest _) (browse-url ,insta-domain)))
(,""
"SwarselSound"
"Browse SwarselSound"
(lambda (&rest _) (browse-url ,(concat "https://" music-domain))) )
(,""
"SwarselSwarsel"
"Browse Swarsel"
(lambda (&rest _) (browse-url "https://github.com/Swarsel")) )
(,""
"SwarselStash"
"Browse SwarselStash"
(lambda (&rest _) (browse-url ,(concat "https://" files-domain))) )
(,"󰫑"
"SwarselSport"
"Browse SwarselSports"
(lambda (&rest _) (browse-url ,sport-domain)))
)
(
(,"󱄅"
,swarsel-domain
,(concat "Browse " main-domain)
(lambda (&rest _) (browse-url ,(concat "https://" swarsel-domain))))
)
))))
(use-package vterm
:ensure t)

4
files/scripts/swarsel-bootstrap.sh
View file

@ -329,8 +329,8 @@ $ssh_root_cmd "chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519
if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then
green "Adding ssh host fingerprints for git{lab,hub}"
$ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /home/$target_user/.ssh/known_hosts"
$ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /root/.ssh/known_hosts"
$ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /home/$target_user/.ssh/known_hosts"
$ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /root/.ssh/known_hosts"
fi
# --------------------------

7
hosts/nixos/aarch64-linux/belchsfactory/default.nix
View file

@ -1,8 +1,10 @@
{ lib, config, minimal, ... }:
{ self, lib, minimal, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
];
node.lockFromBootstrapping = lib.mkForce false;
@ -24,9 +26,7 @@
isNixos = true;
isLinux = true;
isCloud = true;
proxyHost = "belchsfactory";
server = {
inherit (config.repo.secrets.local.networking) localNetwork;
garage = {
data_dir = {
capacity = "150G";
@ -49,6 +49,7 @@
};
swarselmodules.server = {
ssh-builder = lib.mkDefault true;
postgresql = lib.mkDefault true;
attic = lib.mkDefault true;
garage = lib.mkDefault true;

6
hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc
View file

@ -1,5 +1,5 @@
{
"data": "ENC[AES256_GCM,data:asdaPhz9nquyhCH8NuvAMdgEXW/RxPCEpqwFbyCYxfjMeWjvEe8yzWJDjVlTjP+73ql/CGSRajcahRNhOd1rgGoyMm71HJGxSWA2rbn7oNmll9lOquUJkDwXLHk5ApgIrTbvUX1C5rha/L/JSli5Hiy59WU/FB4WWDizhcN3XFSVdNYIKoA992JT0GjJ1dzHvzi+rw/8Mw+BJzm592t1CxhpS8qXRTpuyPSh09IWACNSJYBuEoEwA7aB9EVwG6SskUJKvU3bwyaI9nuc0iXHGbL5VLVJ95e2fcn7K3w2OEq1oigu4q5bpNUazX+mhLv7S8HN3c6/JJn69LaCkQeXhnNmrfy8J5+6i6fnXCdvXxHy00DI2p7fIeEM/MqaymhqoxoGxQs+vBcb2iY1OmvI6zrPRPKEghAo2zvzKHQF7ykRTi3ed6V6aVMSpu1rO1Z0UwwVbvEzSHtVnEU/gp4=,iv:lSRKdYmGE/XeGcalDIM0yuU+GaXMrxJrjqfVhHd7lIY=,tag:dD9LkrzuHLsoa2UcGfXHWA==,type:str]",
"data": "ENC[AES256_GCM,data:8qaX0CjyxK8qoAyVyxwfXlejWyGSY579EVmmUCi9PPyB5LyPjfDvXxlRFCOlC6eYbSJ1AWLqqZ6yYgZaimUHkOTh7dL+D4wSkmGeRnxZoQhq9n9sYZPJUfqEhMwEGxlrAvchXJuruZG+Tp9+Ev0if9f9J9qdU1y+yLGQxc2vnibMg2uxdpfYjHaDWa9bybRQZxINkD//um8uxkRs0xvWgZu63ReQZMPjx9K3vNtdJTZsW5+ZUB368QA2mnry2Zf60PWJT/+NsNKIwyzjhUNJ/eTFxjNJ4zPj/AnXFezfGvpVu6XFYsLk5uPb3XfpUlCj4mTVvmVlA40lf4rOhyoRRAW8d28puJArBf3nPzIkWQUfmFwO5EE3qPDkjMlaRa/RdRx0dvrbLDv7Ujt1XaK8bl3Vkz77oumCYFPV7J4mAeu3/LFBAoWKik6Wj8WQE+QwUWo=,iv:ZQaOO2Blpqn+Xnzt4fcPu+rNAvEdluwJEYRxPVItLcU=,tag:rKJ5g27ZK1wCpcyCVfffpA==,type:str]",
"sops": {
"age": [
{
@ -7,8 +7,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbi9PZkRob2JkcjlEMUJu\nSG5TemplWkhWVXZNWStCVXhrUlFRSUtPeWk4CjZEQVN4b1lYVkxYQmU0SEJ0QnAv\nTE9IdHZUYmVjb0hxSno1QWxGN1ZMUFEKLS0tIEwrVU5uZmZPRGdZcjVsVk1IQ1Vv\nRXdMcW0xR2g5SCswKzF5RkIwUmtocDgKVI/EMQuvfKGeJH7wFm8VP5rKLhYKOlPt\nA+QIDAdrtFogW9Swwhzxu1tIOfMXzfyW9P+ec/b6/vU96PMqJQ6ZGg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-11-24T23:34:04Z",
"mac": "ENC[AES256_GCM,data:O7COFKQkK6aGkX8fp/ihHBxRVV8UM3khi549O6RWMFGDxgwMTh1qr3hNIJa3B4sTfhFuvOxpfxLjR4Yw02JH6wuwuuzANFzQ9uiVsVv5UDVDD0msYneTXVbSBo92gLFr4ZXcAoTtf9AKitkjwWjLK2sTJcZ608NjQSpOo+rSJ3o=,iv:s5wB+8B+igS7PhDTHL6XS17QBdhvobXFgCzHxHu52q4=,tag:ulySxIPinWRRRY8XbE8pWg==,type:str]",
"lastmodified": "2025-11-28T14:15:06Z",
"mac": "ENC[AES256_GCM,data:TxnVPtRHzUEr9StM3RlOgqD11036yM74HL1Q8ZkNSU89geAaUoDj8LJD1QKglDT5UNzfKeaZD4DT6bqill+H5FUuonOgLPxNoFKMyWhppQkMWM5F/bw8JUulacmE28b2Rd5zRVOYe3TkE11kMAbxRD+CvqEFBrLsZAndr9QdfUc=,iv:uzjzk1FUN52oAE0cuw7OLLmMRxE/VLQ+tUExxYQjwTQ=,tag:+BOG6wRb0h/jhyy7l8ZA/A==,type:str]",
"pgp": [
{
"created_at": "2025-11-25T18:32:49Z",

41
hosts/nixos/aarch64-linux/liliputsteps/default.nix Normal file
View file

@ -0,0 +1,41 @@
{ self, lib, minimal, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
];
topology.self = {
icon = "devices.cloud-server";
};
swarselsystems = {
flakePath = "/root/.dotfiles";
info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
isImpermanence = true;
isSecureBoot = false;
isCrypted = true;
isSwap = false;
rootDisk = "/dev/disk/by-id/scsi-360fb180663ec4f2793a763a087d46885";
isBtrfs = true;
isNixos = true;
isLinux = true;
isCloud = true;
mainUser = "jump";
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
};
swarselmodules.server = {
nginx = false;
bastion = true;
# ssh = false;
};
# users.users.swarsel.enable = lib.mkForce false;
# home-manager.users.swarsel.enable = lib.mkForce false
}

121
hosts/nixos/aarch64-linux/liliputsteps/disk-config.nix Normal file
View file

@ -0,0 +1,121 @@
{ lib, pkgs, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko = {
imageBuilder.extraDependencies = [ pkgs.kmod ];
devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}

15
hosts/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix Normal file
View file

@ -0,0 +1,15 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}

22
hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc Normal file
View file

@ -0,0 +1,22 @@
{
"data": "ENC[AES256_GCM,data:GntHmFTkr7OKUlAVPP1aPeGJEoM1/W9xoZzdXG/udBrKB8eadaOsdsT9/I4Q4zydLnAUZAb+k+/pu3inqiGPClNWU0LUMj7wTwPuVe57EyLaO2oaN4z2nvWhJnwfatvdLrFICz3MN7XLnpEe3D+3ovN2hmys1pd6cAJtEKDtmLJ3RNAhEXrMwOZ0MSzylApoi9yXULH8PqNBX7jPOZYYZ0jlnIbZB267Ln19ES0bZcK7L0608NdB+Q3xb3TQ+oSfnvsdxKyPkPqjxAto40feG97UYVW6AgYV1KlRp9etjEhIRZgn1qDvigGM/Y4HLgLxPM83h79LIVHDj1OySMyYR4bfwAR1U+Ij2nX0Wv6Q/nKx0Nmghen40AqLYp762ACLVRd30DALthhtMxhsiYIT6za3dNFRNnL1Lfss1+IwDm+XHBehBQsjXbs06nZcQURfszW03Y9KH1h5ePIS93gmkdUyH5Ya1JT609s8faukz4fcNmnXlZcnCW4fUawW3YS1zpWPGDNm54GFI06vii5JuVORrf6m2HJEIyYSzeYASC+rZOfEF8gXGjyaeh/B9nAzSq2Q/Nfm+fsceXfOkhD+ZD/nYg+whYPPfA38B5oWvwnSNRNipJLYVvdLLd6M9pTV2FHuEsFKpXwumuwMAhl287jpDVb5B6gYPnWm4zOXYX3KXd68KVFNOGCC1XrrlqVBwQqraozD+1e77eCK4OEyF8R2Wt+mCFDwrMp5hKiiFCHEX67RYqWwmZVx2hS1bovBfacoXknUaSQnfpUd5GYIVYqonyqo6cdn6LKR/0d+7wR+JuL+PO83XcEQvegfHXAXmxIEzPdsL2PqVWGL2B/qyyAZGb3hoY7hmrpEeCCefYhSkxewVDCuvL7xLBCFjq0PsPJw0CqYE0KDIgXxcGLQ5f+pn6O07YDfN+7PVPrPAaN/UTwd+2Xa9UfVELdKKhAWiywsiDCUVO9vkpvgSoYYSrtB8Ceg3RXWohbO8VrjF6UhUxnslAw8TBnBx4FtaSuI73UiJnkg9V1es47NmOA7,iv:JYRzdtAYu24aWIL/hfWLbkS8xpcPw3ylZROuuUMVmIY=,tag:Ot7G/QiTLhmnlYe7Z9aOTQ==,type:str]",
"sops": {
"age": [
{
"recipient": "age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVU5HTGhyL0ZBRXkzZ3hq\ndzBMd1JZTktZbWNFMGRzcXhFK3RHb090cFdBCmpMa0FNMWFCenBjYk9FaDIrTkFS\nSnN6S210ejN5SVVhd2FWRG1SUHB4WWcKLS0tIDV2K0h1QWxwUXkwVnZlYnR6eEtl\nUVR0UGJOR1hadUtNcjYyWE9wblAwWFUKVM+J/pqtZFADYTQHfWCdvPzlhtgR6zAy\nu0EWk77+K2J0GeBuDr1W5yblUCknht6WZCJZcO6fW7AuWSQK3e/EVA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-12-01T16:51:40Z",
"mac": "ENC[AES256_GCM,data:SWLGPgFcdiGSvN5BTmE8Nq7+pBiNJM05H1hhqJY6wJqYZehKhQrQRj6/DSlYWPvYE/DdWo5Tiuc3RNY3NANwhki+7kl0OBxHoaHqBgOTa96rdPwe6V3s55v++jtm0xg/qLHEPCqrKqw/aiBAQLJkDOh/IykeEXBMW3S6EM+aQ0U=,iv:2wn4jQHdWWhIzOyGhZxow8WG6W0VgA2gwhb5X+k9ja0=,tag:8g4wQb0u7vbIPkVX8Ey0eA==,type:str]",
"pgp": [
{
"created_at": "2025-12-01T15:59:42Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//cl6I+s/JLwwTCX7WKdzeOIkrsK9DpY3pXBuzoZRSRSJE\nwFJO99Uc7/uH1DSsEB/25CWI6eWx7k6l7YDbcbXQgi5ZNoAt7BePeCu2LK/3coZB\nJe4SManP0sPqxrSd92Tnm6Zl9EL4cJ/5D2C2RBTWOaOtZHR8gyxx5+rzCotCoTXA\nJseGE4B8r/M0O7PAS9+oD14AwCndhuvkmFOq0Y1/wXldV6yCdgc//0oJBSTCBJUZ\nYMSQLovEYGvF9bFfpWYU8J53WqlGn7QKVccDN0/gfi8IVGVZGccUA58VaVqkzR41\ndYlRZ/sjtd+VXmOg8Fx79bOlzTn+RBCp9y+q5yKnzUKGe0/Lrnt6+j7+ieIowi76\npBd0bEaoh6wqdCJ7GSjsj5kdSXRop3Ae0ff+J0pBQNctehpcWj5/TpeA1zyslwEC\nD1B/KVN+Gh0XBCg636dUkt2E4NPNDckSRuvTLy+8IkTm7aQqTjqDu3WUOSPzZiZK\nBUGZWwXAS+xPPMH26X6gPTfZj+7Gdv6yxTVIwkphDbWfihxIP//WNbKX1QN4VSHf\nCmoPOrriIdgZ7d2olZEJxPgEVzavkRkiMSFQbQgzjx5Af3ccdav3mxlubjXldmpe\n689Joj8cgBPg1Yfk/yl7tVK9TFJgYXTqKfsXwscrSlsV+dRAN0pHuq1uo9cTE/SF\nAgwDC9FRLmchgYQBEADCJ5IVMNp+PgUDOiajCfpNq3/HsntzIWG0tIjCb5L9TFWQ\nMA2LQWhcU5CRBh7Sakf8IFi/U40SD+dILUh8JR/7g2i9mCS+1e0pkUwSIYxzAI+z\nQeycuyOrdQJFrk+nFbTdZVAerElxew/wQUiC2uoI8tA5+XyNeNfipaptPh9FpFuz\nXhFbkZDJ4kapGzsAn4FgUdmdqAgZ5n2W46WAmDmVKM0W1F0zZdkBEdkEKkv1gRpZ\nRntb/mVEiGAdXv6yAzvHrxgIBkxazzstRmCMXa252RUIakXqvkP1vw7B6ChSFQR+\nq9WNo9x0EYXivd/+ROjHT7WNhEToWems/3CQpQd1LEFXajLdpAWd875acqhBJqtY\nkpKqUG5F4JmTZ7hMuGI0g30nOofMtmFhDX/gCpJ97lEudHyNrHe0KWaQAwtRknz+\nrcPrZQmGRRcf4xcBVe/EDUNlkp9fPWEhFAwKMsVkkvCAADZbvdhLR6URJMmUj5KG\nOuwglHnSOMxCovAQUd3vCtNkkAnRPNOW/WMThr+qfjq8oKdDIaYBxjzjSz1FIsho\nKiz4W3flRzUcALjKTXadQl/jJEhpP3C6Ivh0d29SiKyrWG+Y4KlDIRctub9UjH46\nb2wqbnBzSrC8u9xJINIB4yryXsZiQyP5b39guSKIPjURebus7LBxq+0I7Z1OptJe\nAYk5htmFDe9Sgc+Do1L0kdxjblaoWOc0OiwYshQ9cMv+/IsU0U6T7w2A+8QkzPFc\nGVEmrW1Jyz2O3eMpq/Nl2IsmPDYTEPqhkRtAshBuYsoZJUz73/EovcSxyJ2moA==\n=o5Pw\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.11.0"
}
}

2
hosts/nixos/aarch64-linux/moonside/default.nix
View file

@ -137,9 +137,7 @@ in
isBtrfs = true;
isNixos = true;
isLinux = true;
proxyHost = "moonside";
server = {
inherit (config.repo.secrets.local.networking) localNetwork;
restic = {
bucketName = "SwarselMoonside";
paths = [

62
hosts/nixos/aarch64-linux/stoicclub/default.nix
View file

@ -1,8 +1,10 @@
{ lib, config, minimal, globals, ... }:
{ self, lib, minimal, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
];
topology.self = {
@ -10,57 +12,10 @@
};
swarselmodules.server.nginx = false;
networking = {
useDHCP = lib.mkForce false;
useNetworkd = true;
dhcpcd.enable = false;
renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) (
config.repo.secrets.local.networking.networks or { }
);
};
boot.initrd.systemd.network = {
enable = true;
networks."10-${config.swarselsystems.server.localNetwork}" = config.systemd.network.networks."10-${config.swarselsystems.server.localNetwork}";
};
systemd = {
network = {
enable = true;
wait-online.enable = false;
networks =
let
netConfig = config.repo.secrets.local.networking;
in
{
"10-${config.swarselsystems.server.localNetwork}" = {
address = [
"${globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.cidrv4}"
"${globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.cidrv6}"
];
routes = [
{
Gateway = netConfig.defaultGateway6;
GatewayOnLink = true;
}
{
Gateway = netConfig.defaultGateway4;
GatewayOnLink = true;
}
];
networkConfig = {
IPv6PrivacyExtensions = true;
IPv6AcceptRA = false;
};
matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac;
linkConfig.RequiredForOnline = "routable";
};
};
};
};
swarselsystems = {
flakePath = "/root/.dotfiles";
info = "VM.Standard.A1.Flex, 4 vCPUs, 24GB RAM";
info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
isImpermanence = true;
isSecureBoot = false;
isCrypted = true;
@ -70,14 +25,15 @@
isNixos = true;
isLinux = true;
isCloud = true;
proxyHost = "stoicclub";
server = {
inherit (config.repo.secrets.local.networking) localNetwork;
};
isBastionTarget = true;
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
};
swarselmodules.server = {
nsd = true;
nginx = false;
};
}

6
hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc
View file

@ -1,5 +1,5 @@
{
"data": "ENC[AES256_GCM,data:RvrGk0fGCxkhhxPaJ0zg/Jl24mv3PyMFz5mkX05zaytgQ9l2yUs2rsAe/GW7CjarVQYi+5Mkc+BDWFUPMjsmu7mTXLXckcjv3YPukO2cvUEHr/Cywj8RZXFxzJaZwc0wpN0vZIXcDDhdZWjrb/WuBykPuYekIu2DaNJ6Ioe0OO4wcoyI3dSyj/1dwWHDqvDgn8v8I8FFm87gGoBn4Po2DZ308C2ge+B4vKcL5S1Lwruz1ocJRh03SDR5cyuDvGioyuSiyDSC1+Sz9mwsRSoTkO94Iv7MJDYmUxDBc2cDPyUP2py9L/BAx42tBpGkHxNctjrTQz9gTaRknpx6sfBmxyNCrg6uv6tBlXujXvyIPA4z6mD9dS6LOP1QKmYOjOrg+l3WYorFZYE5wb93G+bfqwPnd8CcnUQsJ17GzWQ0RMEQ+UDJCASvuuU7osSzJJlBi0vMXmF/sXPgjweuO0xiRuT/KiwKchmWUuygWCFW3PvjY3QkVvLe7mTXxHRZTxw2XsMyFvaMgn+fyCKQ0RUic+j5itXcJS93v5PHX62XgNtziQ4RF7Qnxj+gpNWcBWjEDtgS8v+v+imQVTUu5Mvkqv1XhK+e3iPeiHkvqP3S0UJzvxlwgeRoGziKOiOWpqQynig/sRwQNhcN7L8k4woDbFBf6OgAT8yVMB+WwTT2EFk0L12Is8W0vw4nlWChH8D+QyMvP5Wz0Q3clwlVjfHKWm8s4pIntknoKvGDvbzqTkJCQjPs1gTIbnbckvsrWvm9xu9d85vCL/AP4HFWHE+ZS3nYJYMsxegog3qUka1gHBkfbpwh9bbPvVAD4DPzTs7gDQ7ZSQlzA5hAHEsbOJF8vz+fYqhp6raJ8fXN6Yq2iQcEjbzTFhb+ukzcEln8l+6QWviMI+yr730tx4f2OEGEH0ydvFUUEGx/BBcVuKx4EN+SVPC4TkZUaaHtfE+Fz1WxY+Woh5Bl93J9KhVtK8tficRNW0lGRpbbUGixPrLozl3rNS1OHhbAzA0QJ0ZtzKTa848rFS667YEO/85ZBna/kAH7RGLHWXF3taRHCDqUo2aXbQcGSkhNpPi7XOcOgaujvvHNlg==,iv:M+6rUkhstAIiLRK8Tzd6wnXFu3cKupBImGo1yI4AciM=,tag:FMHnrshyG1Fk2QERIzu98g==,type:str]",
"data": "ENC[AES256_GCM,data:4C3fdXBKI/x/7B56b2n6OshGRaGgwYc4HQv4CRgXi+Y83hQj6wfbcqA55Xm9cXOfGAm2NNGIcUrVyuGHKlur7lUkvoNYe+a5A4GEkXVxiAoJKGcHa2nqfmR+GQJRAE6gNm9wgUL24CfKonEb09NgFBFfL7srXtkU8R1TMduUiYvzH7eNy45jQnWdQ3xgNYkb65iIZ3KCkcbjKrlOtN1Qu8+PuQmMl175gUVJcaLmpMgsz5IPetyHUWIkmqjgwhim4CyTZGwOaQW376Xq2mZUf9IOhdqLyR8GcKFLsY/GLDzp1eGfx9xUpAu3NMmjblHDdIyRcv0EjS+Cj/EUQwTrw3R2szXAb1m33sIVyloGT8RyVsu1J+RSIQOEKpVLaTxsCoulIfyBj5h9vajMVFdMmyqAFPJTVF8fNmy57VuBiDR1WYY5WT2QkBwe4A5ZZLpRmudeZAqEjD+R8Itcin4Ce8K4LtkpfLZeCUpnoaWk1u0CH5QuFCyd+s2+S2DBnFqfBmhTVzEtwXyd6zEeLo+LGCh2Eu2XwYi+DV5Xfdp4leTwEXQ+63MB2ZtOQkoxT6pi/w1rSlEcVknJJIc0HRhrRSx685i29qmcWGfjw765ECxCM2RKJKdwtYHwyLQGyTkGgzNlWr/EzskD7wwtanR0K0NUBS3MGbBaSmeI+bJ+B1ld2n7Efp1eg8AdMz/VHywvFQpS6HY5ItPCWNcDB9DMerUQINO1EtP1Dd57vafzQGGcduUKW+ywuwUdOU/XTXPaVP7VWdX9EFIlv/RMK4UX/l3Yy/Vf6iciT45zouIgoFECRe59Uz0185BHTn9xeE9oYGiLfKzlnxhNpXNaNmYGVRxKxKwfMNrA+hRtuoGrD0uE/Ev6F5ytMYMZGsQ5D6TJOHXPfAVWo5MzPA1Q2dgoCF9zZvYgCaOcSZTntoJY9X1MiwMkYIbtOtTQ4jJOI9DfXX+kOp/fejHrQEyAasCvh2zxCW2FjMckREdqtYxPEDsHGc8+0BDGgj+00a5wC19U60jolvdLsUwy41inmirgxBMaQhuavMXEpFXT0hEecZfJn8eJqPVPDVLC8LvlB+C593ByHeoR3VOIfFVv3bgCP+cQudAR+U/b8YO4gSpuVV4WF7JXLCwRCi0Flw7EzAuhuR9JYd8GKUEDctGmAYiPy1YiQCLFnAWmZvHQ2q6TeVDTQ5LPmjqM1b4iqoqn3AHhMu9HWswy4LFNujZblSo0hSHRZ+2P/+Xjrgfz2d3QF66ngEjW1tanw7hxGmiZJXXyPN+2bdB04B8ZnL/gBzQ2661fGYGYCBU=,iv:mU4ydooaOySi7MTe+b/DGfs1fzpDXbkASUo1cDsh4O8=,tag:Jh18+kJPLJFlGx5HymywOw==,type:str]",
"sops": {
"age": [
{
@ -7,8 +7,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZzY0QVQ4ZUxxZkdhQ2Zn\nOHpmTnRaR0R3cXh2Z2JFM1RDVDB2QnE3M3prCm43NjQyOS93UTZKaUlUUmhVcTdG\nUWp1YU1kVmZPc0tBN2FMY2FFVkI1a0UKLS0tIFovZi9FQlhMaXpvcnRYN2FiSm16\nTzJESjNyZ1NzajJRNDR6ZTd2TitoQTgKe2hC6OpYIzgqzhmeJuHWe0yXNE+/Ek26\nGt7s1B6OKnrj+S3es84ePOjAbLHr/ez282b/h0y55ws4R7jMemUIrQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-11-28T00:08:44Z",
"mac": "ENC[AES256_GCM,data:16eXbpMM+scd4NxLrANCiAZuWrtoFMgbjCgo4/TbihhiXGPkO6YP6ERS5F4+Wu282ABRyJoS+ia8EaX2Ug9r5mRtdiNmfbMFibNMXK3hXTqtlquTqCQ0vdYVa5b6XT1dX52MZQ53f9MRSY4V/sPmcpJZaXWbZOIYaqbqxg/iKV4=,iv:1n8OWQuRZzHd2A/uMI7bVkUVyVoe2/GSv3CKlJkFmNE=,tag:Rl0n/9pnJGlKif8TER3cFw==,type:str]",
"lastmodified": "2025-12-01T12:12:55Z",
"mac": "ENC[AES256_GCM,data:AhvfUvZnKSnhQCTHJpqs5OBELhGYv66on1+kSLX2lONyTbNfwHYsJHII4zHY+bS5cBkZbjtzMfJQkFWtDbU7c8wvdJnHN6H11MOEzC+GfI3R7UzwzJsUjNYE03u8FJCuLvI1SO3EObiKIgH80MV8qlXC+1+f7mKnfZNH8Kekor8=,iv:pAEz8tDZzaFee1EcNBd6zrl0yN55ywVK/eGof/B5MAU=,tag:LbjMr3rOb3By87yOfUK/3A==,type:str]",
"pgp": [
{
"created_at": "2025-11-20T01:03:05Z",

36
hosts/nixos/aarch64-linux/twothreetunnel/default.nix Normal file
View file

@ -0,0 +1,36 @@
{ self, lib, minimal, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
];
topology.self = {
icon = "devices.cloud-server";
};
swarselsystems = {
flakePath = "/root/.dotfiles";
info = "VM.Standard.A1.Flex, 2 vCPUs, 8GB RAM";
isImpermanence = true;
isSecureBoot = false;
isCrypted = true;
isSwap = false;
rootDisk = "/dev/disk/by-id/scsi-3608deb9b0d4244de95c6620086ff740d";
isBtrfs = true;
isNixos = true;
isLinux = true;
isCloud = true;
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
};
swarselmodules.server = {
nginx = false;
};
}

121
hosts/nixos/aarch64-linux/twothreetunnel/disk-config.nix Normal file
View file

@ -0,0 +1,121 @@
{ lib, pkgs, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko = {
imageBuilder.extraDependencies = [ pkgs.kmod ];
devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}

15
hosts/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix Normal file
View file

@ -0,0 +1,15 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}

22
hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc Normal file
View file

@ -0,0 +1,22 @@
{
"data": "ENC[AES256_GCM,data:G3Q+Hn7QkvBZeXzNR+0Bax+Va5sK5E0K3hNTkdsNJx4C6pIwrBEBOt3IKv/c00QhpAnPqo9gbKqWU9gv7I56nEOwVtVH3lrMlbxNl9LIiSv9SvSxVkTOow2msSJV/U+1KpjNQ/LnOo2Fxebfz1yiRtgi7hSazzqzIazZAFBldlKkjLR5SFCG8t5s/nccqZU+cLmS7hJDS5LtgW1XeunqUY7jnKuh7gT2I6fPsu15Vy+YeKLmYIt0a20bWGePBIlyiGRtpnMgtIt5gk5+OpSndO8P/GMgUzRwRZEL1b8U57jbhkPLdnwwy/iV6rEFCD9i6qB0ufVW/euc+y5mN0dx8op9FwJVzkJhUIIy9Qbbc8WOjjjWlwbKJNkWfYX7pTtx+xfBKuPF+IwaoMS9j+C3etkoYe5QCr9YGYM5Xer/HL0otYNacQU5S0VqPBzDnLu7NxzB4i22,iv:aFPDBmZasoqEFCbhrRtA2QMB27khuT3rdfCGAafjov0=,tag:GQGuHL5aYPc98tzc6Bb5mA==,type:str]",
"sops": {
"age": [
{
"recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdEhDamZTRUhQZFNDTTl4\nVVVNNGZXa2h2THVzY0JWMjE2WjNJT0ZoblV3ClYzeEt4c0dWRzlISnN3NGthR21M\nTEtDQ011dFdhRVdPWlpweS9ma0N3dmsKLS0tIHFPQzQ5VzkyODZyY1JpcE4xR2Nl\nY2MrSERXTWkvNVZCR2xHUGh4ZXMvYTgK7pxPjnh3idl4QzBkR6LHyRskgqA3apS2\nkbg7As6wlEs34TAO8reyZknKTUd3Xif1v9RXiTcu1sEKHqkcqEoDog==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-12-01T22:45:54Z",
"mac": "ENC[AES256_GCM,data:b2sWPq+S5qqSM6lON+9A//LehgR7Wy7x8EfqeiFOFo9RT3niwaKjfp/Jnf6nKbXF43XM4dsn+dIX52fgxyd0KVLnJTqinhz97sSSs7hYFdXa2FGRhI+VwmuGVvr2ylAJODQgTn+MD7I+s/3DTfh6h0V47IZvxrUpYgg7tJrxzBc=,iv:g4XVN24+COVtRQPzTiI4iki1crjBUVc7vpnJ/vucd2A=,tag:gcnfSvPWvLqG2wTZELRMsg==,type:str]",
"pgp": [
{
"created_at": "2025-12-01T23:06:36Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//RhpX1uVa49yA8FIfj/y/2C92Z7iBl+l1TGjaYMnuLAp5\nYybqAHwi1gzbnhKvpqO3ndm7qHNwbPBuYBDhu1ZDkQnzyzIthx3JA2G+je4Jem+N\nF8XWUglO+lEUpHD62s9JdOSS2dNRHSd/mcu/GV+k0/DzkXDn3TzzOciKBLn1u03+\n6T3mipG5cm00EEstR+iX46FSzOPX3M2+hYY+HY9rQa1RKUrUUsBBdCEYWgMsQOA9\nDGyweibxkcyxIGZIc882gxa06QxM07ON7NuZjW7vvUz3k7CI3bf5IBfaCvDywaDL\n0AKeTAVGVLnzdapZoP9lZmu6T639wu8BKMxSHiGeUenOrhs/Gl+CA2iCU5XimZCw\nbwPvKRbOGLu2eiBL/BHEMg1XpRw6bh24o3vNIchGRqDKbXICgkKr2gXhvli3qPrH\nCXokXF48e51bERfr9YWi0ryW5tgVEMwyubRi85cYnslwqfT78xzKMNRwF8wJ6PxG\ngwT6bEJ/f7QzXkw9VPY2HbaBBhe7XUBRDhLnV5sPBiZW2JDOt9rXH1LqWQLo7Ot6\nLWvOicAtmY5vnRIm9x1pPFKipmTWj7NzRCLEq5yt0borQsPO5RTC6fvhL/1Lpe1B\nzjAIjJBfQptEn4xjA0unZk6x45UDp9KpJz5zdKF43DSvGOkEF8NuTdEXNpeYHzCF\nAgwDC9FRLmchgYQBEADA36phB2C1d2DvEzi7AB7lK5gGExmaYSCzMJkSfjNQ4SO5\nwMhvRZZyIf5PT9wdJ6hCtOSqqhh0cubmZadrFnz/qjXLVSv9aTD4PFshF5lYgT0x\n2GkiIOkrVZ6vuP6/iIW/p+CqztDymVRR6DAhNNX6gx2NARdhii2K/hitW0QejoJk\nWY07qUIb2z0fPVp5TfAf3Nr87u3faYr0usW8GGABFA7IzJwCK1VA1284UZm4zj6Z\naHm+0wK/1g7Ck2sjzbhqzK3HlZVKd6lBIhmwdzcG1y0Ua5L7PIauLR6ArZkFD3WO\naHyyZ5hyNmoyOMjuTvPCIhiZ3T+aQK2f8pzyOApEWX4piCNhIvcSSy9AQ/f5hvVd\nWLG68dIMnmOWYxHX68jdNttSCcc9oJKNboOPKDdmEblZxGx5HZpYYL7X+Q0JKoMO\nqCXVc7GlIVLX0GghAvgC9Xww8XMQTWgJJJAVOa0tlTDJ4ybvCiyy850+ZPTevlHV\nfvlKSSCGHtjVIuZ5b+jMtBqg0aPDY0OqNFSvJ6x6wk0uICMesv2LNAKF7tUkMvHF\ncHljW96IOLocW96bwVR+nQG7U/ZY7/P6+2Nva8AgbrCd0erEZ/2lIvRV4IEzCk2g\nVzuzg+7pjkh1iHYUX+VX6CbyIPyx2Ic+VNaMrbqtC1YiPK6Bx+SF3eYHw9DYJ9Jc\nASJeqALtG3vg/TOKZwOfTp1GNvSExTUKqhEHpcCCty1UxIpNCPByvvsUqY0Q63DA\nyJ4TVO1QLCLwKz8nK8NWSRGrZ29jNJfAjcNDV/FrPiFqSPHVAErd4Vnbeu8=\n=Yn71\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.11.0"
}
}

5
hosts/nixos/x86_64-linux/bakery/default.nix
View file

@ -10,6 +10,10 @@ in
./disk-config.nix
./hardware-configuration.nix
"${self}/modules/nixos/optional/gaming.nix"
"${self}/modules/nixos/optional/nswitch-rcm.nix"
"${self}/modules/nixos/optional/virtualbox.nix"
];
swarselsystems = {
@ -31,7 +35,6 @@ in
isSwap = true;
rootDisk = "/dev/nvme0n1";
swapSize = "4G";
hostName = config.node.name;
};
home-manager.users."${primaryUser}" = {

61
hosts/nixos/x86_64-linux/eagleland/default.nix
View file

@ -1,65 +1,16 @@
{ lib, config, minimal, globals, ... }:
{ self, lib, minimal, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
];
topology.self = {
icon = "devices.cloud-server";
};
networking = {
useDHCP = lib.mkForce false;
useNetworkd = true;
dhcpcd.enable = false;
renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) (
config.repo.secrets.local.networking.networks or { }
);
};
boot.initrd.systemd.network = {
enable = true;
networks = {
inherit (config.systemd.network.networks) "10-wan";
};
};
systemd = {
network = {
enable = true;
wait-online.enable = false;
networks =
let
netConfig = config.repo.secrets.local.networking;
in
{
"10-wan" = {
address = [
"${globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.cidrv4}"
"${globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.cidrv6}"
];
routes = [
{
Gateway = netConfig.defaultGateway6;
GatewayOnLink = true;
}
{
Gateway = netConfig.defaultGateway4;
GatewayOnLink = true;
}
];
networkConfig = {
IPv6PrivacyExtensions = true;
IPv6AcceptRA = false;
};
matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac;
linkConfig.RequiredForOnline = "routable";
};
};
};
};
swarselmodules.server.mailserver = true;
swarselsystems = {
flakePath = "/root/.dotfiles";
@ -75,11 +26,11 @@
isNixos = true;
isLinux = true;
proxyHost = "eagleland";
server = {
inherit (config.repo.secrets.local.networking) localNetwork;
};
};
} // lib.optionalAttrs (!minimal) {
swarselmodules.server.mailserver = true;
swarselprofiles = {
server = true;
};

5
hosts/nixos/x86_64-linux/hintbooth/default.nix
View file

@ -1,4 +1,4 @@
{ lib, config, minimal, ... }:
{ lib, minimal, ... }:
{
imports = [
@ -18,9 +18,6 @@
rootDisk = "/dev/sda";
swapSize = "8G";
networkKernelModules = [ "igb" ];
server = {
inherit (config.repo.secrets.local.networking) localNetwork;
};
};
} // lib.optionalAttrs (!minimal) {

21
hosts/nixos/x86_64-linux/pyramid/default.nix
View file

@ -10,15 +10,16 @@ in
./disk-config.nix
./hardware-configuration.nix
];
"${self}/modules/nixos/optional/amdcpu.nix"
"${self}/modules/nixos/optional/amdgpu.nix"
"${self}/modules/nixos/optional/framework.nix"
"${self}/modules/nixos/optional/gaming.nix"
"${self}/modules/nixos/optional/hibernation.nix"
"${self}/modules/nixos/optional/nswitch-rcm.nix"
"${self}/modules/nixos/optional/virtualbox.nix"
"${self}/modules/nixos/optional/work.nix"
swarselmodules = {
optional = {
amdcpu = true;
amdgpu = true;
hibernation = true;
};
};
];
swarselsystems = {
lowResolution = "1280x800";
@ -67,9 +68,5 @@ in
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
personal = true;
optionals = true;
work = true;
uni = true;
framework = true;
};
}

7
hosts/nixos/x86_64-linux/summers/default.nix
View file

@ -1,9 +1,11 @@
{ inputs, lib, config, minimal, nodes, globals, ... }:
{ self, inputs, lib, config, minimal, nodes, globals, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/microvm-host.nix"
];
boot = {
@ -30,9 +32,6 @@
};
swarselmodules = {
optional = {
microvmHost = true;
};
server = {
diskEncryption = lib.mkForce false; # TODO: disable
nfs = false;

11
hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix
View file

@ -1,5 +1,8 @@
{ lib, minimal, ... }:
{ self, lib, minimal, ... }:
{
imports = [
"${self}/modules/nixos/optional/microvm-guest.nix"
];
swarselsystems = {
info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM";
@ -11,12 +14,6 @@
server = false;
};
swarselmodules = {
optional = {
microvmGuest = false;
};
};
microvm = {
mem = 1024 * 4;
vcpu = 2;

3
hosts/nixos/x86_64-linux/winters/default.nix
View file

@ -1,4 +1,4 @@
{ lib, config, minimal, ... }:
{ lib, minimal, ... }:
{
imports = [
@ -27,7 +27,6 @@
isNixos = true;
proxyHost = "moonside";
server = {
inherit (config.repo.secrets.local.networking) localNetwork;
restic = {
bucketName = "SwarselWinters";
paths = [

6
modules/home/common/anki.nix
View file

@ -1,4 +1,4 @@
{ lib, config, pkgs, globals, inputs, nixosConfig ? config, ... }:
{ lib, config, pkgs, globals, inputs, confLib, ... }:
let
moduleName = "anki";
inherit (config.swarselsystems) isPublic isNixos;
@ -23,11 +23,11 @@ in
syncMedia = true;
autoSyncMediaMinutes = 5;
url = "https://${globals.services.ankisync.domain}";
usernameFile = nixosConfig.sops.secrets.anki-user.path;
usernameFile = confLib.getConfig.sops.secrets.anki-user.path;
# this is not the password but the syncKey
# get it by logging in or out, saving preferences and then
# show details on the "settings wont be saved" dialog
keyFile = nixosConfig.sops.secrets.anki-pw.path;
keyFile = confLib.getConfig.sops.secrets.anki-pw.path;
};
addons =
let

4
modules/home/common/element.nix
View file

@ -1,4 +1,4 @@
{ lib, config, ... }:
{ lib, config, globals, ... }:
let
moduleName = "element-desktop";
in
@ -10,7 +10,7 @@ in
settings = {
default_server_config = {
"m.homeserver" = {
base_url = "https://swatrix.swarsel.win/";
base_url = "https://${globals.services.matrix.domain}/";
};
};
UIFeature = {

16
modules/home/common/env.nix
View file

@ -1,8 +1,8 @@
{ lib, config, nixosConfig ? config, ... }:
{ lib, config, confLib, globals, ... }:
let
inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
inherit (nixosConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name;
inherit (nixosConfig.repo.secrets.common) fullName openrouterApi;
inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
inherit (confLib.getConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name;
inherit (confLib.getConfig.repo.secrets.common) fullName openrouterApi instaDomain sportDomain;
inherit (config.swarselsystems) isPublic homeDir;
DISPLAY = ":0";
@ -18,6 +18,12 @@ in
DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private";
FLAKE = "${config.home.homeDirectory}/.dotfiles";
} // lib.optionalAttrs (!isPublic) {
SWARSEL_DOMAIN = globals.domains.main;
SWARSEL_RSS_DOMAIN = globals.services.freshrss.domain;
SWARSEL_MUSIC_DOMAIN = globals.services.navidrome.domain;
SWARSEL_FILES_DOMAIN = globals.services.nextcloud.domain;
SWARSEL_INSTA_DOMAIN = instaDomain;
SWARSEL_SPORT_DOMAIN = sportDomain;
SWARSEL_MAIL1 = address1;
SWARSEL_MAIL2 = address2;
SWARSEL_MAIL3 = address3;
@ -30,7 +36,7 @@ in
SWARSEL_CAL3NAME = source3-name;
SWARSEL_FULLNAME = fullName;
SWARSEL_MAIL_ALL = lib.mkDefault allMailAddresses;
GITHUB_NOTIFICATION_TOKEN_PATH = nixosConfig.sops.secrets.github-notifications-token.path;
GITHUB_NOTIFICATION_TOKEN_PATH = confLib.getConfig.sops.secrets.github-notifications-token.path;
OPENROUTER_API_KEY = openrouterApi;
};
};

4
modules/home/common/gammastep.nix
View file

@ -1,6 +1,6 @@
{ lib, config, nixosConfig ? config, ... }:
{ lib, config, confLib, ... }:
let
inherit (nixosConfig.repo.secrets.common.location) latitude longitude;
inherit (confLib.getConfig.repo.secrets.common.location) latitude longitude;
in
{
options.swarselmodules.gammastep = lib.mkEnableOption "gammastep settings";

6
modules/home/common/git.nix
View file

@ -1,7 +1,7 @@
{ lib, config, globals, minimal, nixosConfig ? config, ... }:
{ lib, config, globals, minimal, confLib, ... }:
let
inherit (nixosConfig.repo.secrets.common.mail) address1;
inherit (nixosConfig.repo.secrets.common) fullName;
inherit (confLib.getConfig.repo.secrets.common.mail) address1;
inherit (confLib.getConfig.repo.secrets.common) fullName;
gitUser = globals.user.name;
in

4
modules/home/common/hexchat.nix
View file

@ -1,7 +1,7 @@
{ lib, config, nixosConfig ? config, ... }:
{ lib, config, confLib, ... }:
let
moduleName = "hexchat";
inherit (nixosConfig.repo.secrets.common.irc) irc_nick1;
inherit (confLib.getConfig.repo.secrets.common.irc) irc_nick1;
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";

14
modules/home/common/mail.nix
View file

@ -1,7 +1,7 @@
{ lib, config, inputs, globals, nixosConfig ? config, ... }:
{ lib, config, inputs, globals, confLib, ... }:
let
inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4;
inherit (nixosConfig.repo.secrets.common) fullName;
inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4;
inherit (confLib.getConfig.repo.secrets.common) fullName;
inherit (config.swarselsystems) xdgDir;
in
{
@ -140,7 +140,7 @@ in
address = address4;
userName = address4;
realName = fullName;
passwordCommand = "cat ${nixosConfig.sops.secrets.address4-token.path}";
passwordCommand = "cat ${confLib.getConfig.sops.secrets.address4-token.path}";
mu.enable = true;
msmtp = {
enable = true;
@ -169,7 +169,7 @@ in
address = address1;
userName = address1;
realName = fullName;
passwordCommand = "cat ${nixosConfig.sops.secrets.address1-token.path}";
passwordCommand = "cat ${confLib.getConfig.sops.secrets.address1-token.path}";
gpg = {
key = "0x76FD3810215AE097";
signByDefault = true;
@ -183,7 +183,7 @@ in
address = address2;
userName = address2;
realName = address2-name;
passwordCommand = "cat ${nixosConfig.sops.secrets.address2-token.path}";
passwordCommand = "cat ${confLib.getConfig.sops.secrets.address2-token.path}";
}
defaultSettings;
@ -193,7 +193,7 @@ in
address = address3;
userName = address3;
realName = address3-name;
passwordCommand = "cat ${nixosConfig.sops.secrets.address3-token.path}";
passwordCommand = "cat ${confLib.getConfig.sops.secrets.address3-token.path}";
}
defaultSettings;

4
modules/home/common/obsidian.nix
View file

@ -1,7 +1,7 @@
{ lib, config, pkgs, nixosConfig ? config, ... }:
{ lib, config, pkgs, confLib, ... }:
let
moduleName = "obsidian";
inherit (nixosConfig.repo.secrets.common.obsidian) userIgnoreFilters;
inherit (confLib.getConfig.repo.secrets.common.obsidian) userIgnoreFilters;
name = "Main";
in
{

4
modules/home/common/opkssh.nix
View file

@ -1,4 +1,4 @@
{ lib, config, ... }:
{ lib, config, globals, ... }:
let
moduleName = "opkssh";
in
@ -13,7 +13,7 @@ in
providers = [
{
alias = "kanidm";
issuer = "https://sso.swarsel.win/oauth2/openid/opkssh";
issuer = "https://${globals.services.kanidm.domain}/oauth2/openid/opkssh";
client_id = "opkssh";
scopes = "openid email profile";
redirect_uris = [

6
modules/home/common/settings.nix
View file

@ -40,7 +40,11 @@ in
trusted-public-keys = [
atticPublicKey
];
trusted-users = [ "@wheel" "${mainUser}" ];
trusted-users = [
"@wheel"
"${mainUser}"
(lib.mkIf config.swarselmodules.server.ssh-builder "builder")
];
connect-timeout = 5;
bash-prompt-prefix = "$SHLVL:\\w ";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";

16
modules/home/common/ssh.nix
View file

@ -1,7 +1,7 @@
{ lib, config, nixosConfig ? config, ... }:
{ inputs, lib, config, confLib, ... }:
{
options.swarselmodules.ssh = lib.mkEnableOption "ssh settings";
config = lib.mkIf config.swarselmodules.ssh {
config = lib.mkIf config.swarselmodules.ssh ({
programs.ssh = {
enable = true;
enableDefaultConfig = false;
@ -18,11 +18,15 @@
serverAliveCountMax = 3;
hashKnownHosts = false;
userKnownHostsFile = "~/.ssh/known_hosts";
controlMaster = "no";
controlMaster = "auto";
controlPath = "~/.ssh/master-%r@%n:%p";
controlPersist = "no";
controlPersist = "5m";
};
} // nixosConfig.repo.secrets.common.ssh.hosts;
} // confLib.getConfig.repo.secrets.common.ssh.hosts;
};
};
} // lib.optionalAttrs (inputs ? sops) {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
builder-key = { path = "${config.home.homeDirectory}/.ssh/builder"; mode = "0600"; };
};
});
}

4
modules/home/common/sway.nix
View file

@ -1,4 +1,4 @@
{ config, lib, vars, nixosConfig ? config, ... }:
{ config, lib, vars, confLib, ... }:
let
eachOutput = _: monitor: {
inherit (monitor) name;
@ -381,7 +381,7 @@ in
export XDG_CURRENT_DESKTOP=sway;
export XDG_SESSION_DESKTOP=sway;
export _JAVA_AWT_WM_NONREPARENTING=1;
export GITHUB_NOTIFICATION_TOKEN_PATH=${nixosConfig.sops.secrets.github-notifications-token.path};
export GITHUB_NOTIFICATION_TOKEN_PATH=${confLib.getConfig.sops.secrets.github-notifications-token.path};
'' + vars.waylandExports;
# extraConfigEarly = "
# exec systemctl --user import-environment DISPLAY WAYLAND_DISPLAY SWAYSOCK

6
modules/home/common/yubikey.nix
View file

@ -1,4 +1,4 @@
{ lib, config, inputs, nixosConfig ? config, ... }:
{ lib, config, inputs, confLib, ... }:
let
inherit (config.swarselsystems) homeDir;
in
@ -9,8 +9,8 @@ in
pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
ids = [
nixosConfig.repo.secrets.common.yubikeys.dev1
nixosConfig.repo.secrets.common.yubikeys.dev2
confLib.getConfig.repo.secrets.common.yubikeys.dev1
confLib.getConfig.secrets.common.yubikeys.dev2
];
};
} // lib.optionalAttrs (inputs ? sops) {

6
modules/home/common/zsh.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, minimal, inputs, globals, nixosConfig ? config, ... }:
{ config, pkgs, lib, minimal, inputs, globals, confLib, ... }:
let
inherit (config.swarselsystems) flakePath isNixos;
crocDomain = globals.services.croc.domain;
@ -127,8 +127,8 @@ in
'';
sessionVariables = lib.mkIf (!config.swarselsystems.isPublic) {
CROC_RELAY = crocDomain;
CROC_PASS = "$(cat ${nixosConfig.sops.secrets.croc-password.path or ""})";
GITHUB_TOKEN = "$(cat ${nixosConfig.sops.secrets.github-nixpkgs-review-token.path or ""})";
CROC_PASS = "$(cat ${confLib.getConfig.sops.secrets.croc-password.path or ""})";
GITHUB_TOKEN = "$(cat ${confLib.getConfig.sops.secrets.github-nixpkgs-review-token.path or ""})";
QT_QPA_PLATFORM_PLUGIN_PATH = "${pkgs.libsForQt5.qt5.qtbase.bin}/lib/qt-${pkgs.libsForQt5.qt5.qtbase.version}/plugins";
# QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox";
};

5
modules/home/optional/framework.nix
View file

@ -1,7 +1,6 @@
{ lib, config, ... }:
_:
{
options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings";
config = lib.mkIf config.swarselmodules.optional.framework {
config = {
swarselsystems = {
inputs = {
"12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = {

7
modules/home/optional/gaming.nix
View file

@ -1,10 +1,9 @@
{ lib, config, pkgs, nixosConfig ? config, ... }:
{ config, pkgs, confLib, ... }:
let
inherit (config.swarselsystems) isNixos;
in
{
options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings";
config = lib.mkIf config.swarselmodules.optional.gaming {
config = {
# specialisation = {
# gaming.configuration = {
home.packages = with pkgs; [
@ -44,7 +43,7 @@ in
gamescope
umu-launcher
];
steamPackage = if isNixos then nixosConfig.programs.steam.package else pkgs.steam;
steamPackage = if isNixos then confLib.getConfig.programs.steam.package else pkgs.steam;
winePackages = with pkgs; [
wineWow64Packages.waylandFull
];

5
modules/home/common/niri.nix → modules/home/optional/niri.nix
View file

@ -1,5 +1,8 @@
{ config, pkgs, lib, vars, ... }:
{ inputs, config, pkgs, lib, vars, ... }:
{
imports = [
inputs.niri-flake.homeModules.niri
];
options.swarselmodules.niri = lib.mkEnableOption "niri settings";
config = lib.mkIf config.swarselmodules.niri
{

36
modules/home/optional/uni.nix
View file

@ -1,24 +1,22 @@
{ config, lib, nixosConfig ? config, ... }:
{ confLib, ... }:
{
options.swarselmodules.optional.uni = lib.mkEnableOption "optional uni settings";
config = lib.mkIf config.swarselmodules.optional.uni
{
services.pizauth = {
enable = true;
accounts = {
uni = {
authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
scopes = [
"https://outlook.office365.com/IMAP.AccessAsUser.All"
"https://outlook.office365.com/SMTP.Send"
"offline_access"
];
loginHint = "${nixosConfig.repo.secrets.local.uni.mailAddress}";
};
config = {
services.pizauth = {
enable = true;
accounts = {
uni = {
authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
scopes = [
"https://outlook.office365.com/IMAP.AccessAsUser.All"
"https://outlook.office365.com/SMTP.Send"
"offline_access"
];
loginHint = "${confLib.getConfig.repo.secrets.local.uni.mailAddress}";
};
};
};
};
}

1221
modules/home/optional/work.nix
View file

File diff suppressed because it is too large Load diff

85
modules/nixos/client/remotebuild.nix Normal file
View file

@ -0,0 +1,85 @@
{ lib, config, globals, ... }:
let
inherit (config.swarselsystems) homeDir mainUser isClient;
in
{
options.swarselmodules.remotebuild = lib.mkEnableOption "enable remote builds on this machine";
config = lib.mkIf config.swarselmodules.remotebuild {
sops.secrets = {
builder-key = lib.mkIf isClient { owner = mainUser; path = "${homeDir}/.ssh/builder"; mode = "0600"; };
nixbuild-net-key = { owner = mainUser; path = "${homeDir}/.ssh/nixbuild-net"; mode = "0600"; };
};
nix = {
settings.builders-use-substitutes = true;
distributedBuilds = true;
buildMachines = [
(lib.mkIf isClient {
hostName = config.repo.secrets.common.builder1-ip;
system = "aarch64-linux";
maxJobs = 20;
speedFactor = 10;
})
(lib.mkIf isClient {
hostName = globals.hosts.belchsfactory.wanAddress4;
system = "aarch64-linux";
maxJobs = 4;
speedFactor = 2;
protocol = "ssh-ng";
})
{
hostName = "eu.nixbuild.net";
system = "x86_64-linux";
maxJobs = 100;
speedFactor = 2;
supportedFeatures = [ "big-parallel" ];
}
];
};
programs.ssh = {
knownHosts = {
nixbuild = {
hostNames = [ "eu.nixbuild.net" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM";
};
builder1 = lib.mkIf isClient {
hostNames = [ config.repo.secrets.common.builder1-ip ];
publicKey = config.repo.secrets.common.builder1-pubHostKey;
};
jump = lib.mkIf isClient {
hostNames = [ globals.hosts.liliputsteps.wanAddress4 ];
publicKey = config.repo.secrets.common.jump-pubHostKey;
};
builder2 = lib.mkIf isClient {
hostNames = [ globals.hosts.belchsfactory.wanAddress4 ];
publicKey = config.repo.secrets.common.builder2-pubHostKey;
};
};
extraConfig = ''
Host eu.nixbuild.net
ConnectTimeout 1
PubkeyAcceptedKeyTypes ssh-ed25519
ServerAliveInterval 60
IPQoS throughput
IdentityFile ${config.sops.secrets.nixbuild-net-key.path}
'' + lib.optionalString isClient ''
Host ${config.repo.secrets.common.builder1-ip}
ConnectTimeout 1
User ${mainUser}
IdentityFile ${config.sops.secrets.builder-key.path}
Host ${globals.hosts.belchsfactory.wanAddress4}
ConnectTimeout 5
ProxyJump ${globals.hosts.liliputsteps.wanAddress4}
User builder
IdentityFile ${config.sops.secrets.builder-key.path}
Host ${globals.hosts.liliputsteps.wanAddress4}
ConnectTimeout 1
User jump
IdentityFile ${config.sops.secrets.builder-key.path}
'';
};
};
}

2
modules/nixos/client/uwsm.nix
View file

@ -13,7 +13,7 @@ in
comment = "Sway compositor managed by UWSM";
binPath = "/run/current-system/sw/bin/sway";
};
niri = {
niri = lib.mkIf (config.swarselmodules ? niri) {
prettyName = "Niri";
comment = "Niri compositor managed by UWSM";
binPath = "/run/current-system/sw/bin/niri-session";

4
modules/nixos/common/globals.nix
View file

@ -197,6 +197,10 @@ in
main = mkOption {
type = types.str;
};
externalDns = mkOption {
type = types.listOf types.str;
description = "List of external dns nameservers";
};
};
};
};

2
modules/nixos/common/home-manager-secrets.nix
View file

@ -25,7 +25,7 @@ in
}) // (lib.optionalAttrs modules.emacs {
emacs-radicale-pw = { owner = mainUser; };
github-forge-token = { owner = mainUser; };
}) // (lib.optionalAttrs modules.optional.work {
}) // (lib.optionalAttrs (modules ? optional-work) {
harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; };
}) // (lib.optionalAttrs modules.anki {
anki-user = { owner = mainUser; };

5
modules/nixos/common/nodes.nix
View file

@ -34,6 +34,11 @@ let
"nginx"
"virtualHosts"
]
[
"swarselsystems"
"server"
"dns"
]
];
attrsForEachOption =

10
modules/nixos/common/settings.nix
View file

@ -59,8 +59,8 @@ in
config = lib.mkIf config.swarselmodules.general
(lib.recursiveUpdate
{
sops.secrets.github-api-token = lib.mkIf (!minimal) {
owner = mainUser;
sops.secrets = lib.mkIf (!minimal) {
github-api-token = { owner = mainUser; };
};
nix =
@ -83,7 +83,11 @@ in
trusted-public-keys = [
atticPublicKey
];
trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];
trusted-users = [
"@wheel"
"${config.swarselsystems.mainUser}"
(lib.mkIf config.swarselmodules.server.ssh-builder "builder")
];
};
# extraOptions = ''
# plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins

5
modules/nixos/optional/amdcpu.nix
View file

@ -1,7 +1,6 @@
{ lib, config, ... }:
_:
{
options.swarselmodules.optional.amdcpu = lib.mkEnableOption "optional amd cpu settings";
config = lib.mkIf config.swarselmodules.optional.amdcpu {
config = {
hardware = {
cpu.amd.updateMicrocode = true;
};

5
modules/nixos/optional/amdgpu.nix
View file

@ -1,7 +1,6 @@
{ lib, config, ... }:
_:
{
options.swarselmodules.optional.amdgpu = lib.mkEnableOption "optional amd gpu settings";
config = lib.mkIf config.swarselmodules.optional.amdgpu {
config = {
hardware = {
amdgpu = {
opencl.enable = true;

12
modules/nixos/optional/framework.nix
View file

@ -1,7 +1,13 @@
{ lib, config, ... }:
{ self, config, ... }:
{
options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings";
config = lib.mkIf config.swarselmodules.optional.framework {
config = {
home-manager.users."${config.swarselsystems.mainUser}" = {
imports = [
"${self}/modules/home/optional/framework.nix"
];
};
services = {
fwupd = {
enable = true;

12
modules/nixos/optional/gaming.nix
View file

@ -1,7 +1,13 @@
{ pkgs, lib, config, ... }:
{ self, pkgs, config, ... }:
{
options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings";
config = lib.mkIf config.swarselmodules.optional.gaming {
config = {
home-manager.users."${config.swarselsystems.mainUser}" = {
imports = [
"${self}/modules/home/optional/gaming.nix"
];
};
programs.steam = {
enable = true;
package = pkgs.steam;

3
modules/nixos/optional/hibernation.nix
View file

@ -1,6 +1,5 @@
{ lib, config, ... }:
{
options.swarselmodules.optional.hibernation = lib.mkEnableOption "optional amd gpu settings";
options.swarselsystems = {
hibernation = {
offset = lib.mkOption {
@ -13,7 +12,7 @@
};
};
};
config = lib.mkIf config.swarselmodules.optional.hibernation {
config = {
boot = {
kernelParams = [
"resume_offset=${builtins.toString config.swarselsystems.hibernation.offset}"

8
modules/nixos/optional/microvm-guest.nix
View file

@ -1,11 +1,9 @@
{ lib, config, ... }:
_:
{
options.swarselmodules.optional.microvmGuest = lib.mkEnableOption "optional microvmGuest settings";
# imports = [
# inputs.microvm.nixosModules.microvm
# "${self}/profiles/nixos"
# "${self}/modules/nixos"
# ];
config = lib.mkIf config.swarselmodules.optional.microvmGuest
config =
{ };
}

7
modules/nixos/optional/microvm-host.nix
View file

@ -1,10 +1,7 @@
{ lib, config, ... }:
{ config, lib, ... }:
{
options = {
swarselmodules.optional.microvmHost = lib.mkEnableOption "optional microvmHost settings";
};
# imports = [
# inputs.microvm.nixosModules.host
# inputs.microvm.nixosModules.host
# ];
config = lib.mkIf (config.guests != { }) {

5
modules/nixos/client/niri.nix → modules/nixos/optional/niri.nix
View file

@ -1,8 +1,11 @@
{ lib, config, pkgs, ... }:
{ inputs, lib, config, pkgs, ... }:
let
moduleName = "niri";
in
{
imports = [
inputs.niri-flake.nixosModules.niri
];
options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings";
config = lib.mkIf config.swarselmodules.${moduleName}
{

5
modules/nixos/optional/nswitch-rcm.nix
View file

@ -1,7 +1,6 @@
{ lib, config, pkgs, ... }:
{ pkgs, ... }:
{
options.swarselmodules.optional.nswitch-rcm = lib.mkEnableOption "optional nswitch-rcm settings";
config = lib.mkIf config.swarselmodules.optional.nswitch-rcm {
config = {
services.nswitch-rcm = {
enable = true;
package = pkgs.fetchurl {

50
modules/nixos/optional/systemd-networkd-server.nix Normal file
View file

@ -0,0 +1,50 @@
{ lib, config, globals, ... }:
{
networking = {
useDHCP = lib.mkForce false;
useNetworkd = true;
dhcpcd.enable = false;
renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) (
config.repo.secrets.local.networking.networks or { }
);
};
boot.initrd.systemd.network = {
enable = true;
networks."10-${config.swarselsystems.server.localNetwork}" = config.systemd.network.networks."10-${config.swarselsystems.server.localNetwork}";
};
systemd = {
network = {
enable = true;
wait-online.enable = false;
networks =
let
netConfig = config.repo.secrets.local.networking;
in
{
"10-${config.swarselsystems.server.localNetwork}" = {
address = [
"${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.cidrv4}"
"${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.cidrv6}"
];
routes = [
{
Gateway = netConfig.defaultGateway6;
GatewayOnLink = true;
}
{
Gateway = netConfig.defaultGateway4;
GatewayOnLink = true;
}
];
networkConfig = {
IPv6PrivacyExtensions = true;
IPv6AcceptRA = false;
};
matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac;
linkConfig.RequiredForOnline = "routable";
};
};
};
};
}

11
modules/nixos/optional/uni.nix Normal file
View file

@ -0,0 +1,11 @@
{ self, config, ... }:
{
config = {
home-manager.users."${config.swarselsystems.mainUser}" = {
imports = [
"${self}/modules/home/optional/work.nix"
];
};
};
}

3
modules/nixos/optional/virtualbox.nix
View file

@ -1,7 +1,6 @@
{ lib, config, pkgs, ... }:
{
options.swarselmodules.optional.virtualbox = lib.mkEnableOption "optional VBox settings";
config = lib.mkIf config.swarselmodules.optional.virtualbox {
config = {
# specialisation = {
# VBox.configuration = {
virtualisation.virtualbox = {

5
modules/nixos/optional/vmware.nix
View file

@ -1,8 +1,7 @@
{ lib, config, ... }:
_:
{
options.swarselmodules.optional.vmware = lib.mkEnableOption "optional vmware settings";
config = lib.mkIf config.swarselmodules.optional.vmware {
config = {
virtualisation.vmware.host.enable = true;
virtualisation.vmware.guest.enable = true;
};

14
modules/nixos/optional/work.nix
View file

@ -1,4 +1,4 @@
{ self, lib, pkgs, config, configName, ... }:
{ self, lib, pkgs, config, ... }:
let
inherit (config.swarselsystems) mainUser homeDir;
iwd = config.networking.networkmanager.wifi.backend == "iwd";
@ -6,18 +6,24 @@ let
sopsFile = self + /secrets/work/secrets.yaml;
in
{
options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings";
options.swarselsystems = {
hostName = lib.mkOption {
type = lib.types.str;
default = configName;
default = config.node.name;
};
fqdn = lib.mkOption {
type = lib.types.str;
default = "";
};
};
config = lib.mkIf config.swarselmodules.optional.work {
config = {
home-manager.users."${config.swarselsystems.mainUser}" = {
imports = [
"${self}/modules/home/optional/work.nix"
];
};
sops =
let
secretNames = [

2
modules/nixos/server/ankisync.nix
View file

@ -9,7 +9,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/attic.nix
View file

@ -10,7 +10,7 @@ in
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/atuin.nix
View file

@ -6,7 +6,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

67
modules/nixos/server/bastion.nix Normal file
View file

@ -0,0 +1,67 @@
{ self, lib, config, ... }:
{
options.swarselmodules.server.bastion = lib.mkEnableOption "enable bastion on server";
config = lib.mkIf config.swarselmodules.server.bastion {
users = {
groups = {
jump = { };
};
users = {
"jump" = {
isNormalUser = true;
useDefaultShell = true;
group = lib.mkForce "jump";
createHome = lib.mkForce true;
openssh.authorizedKeys.keyFiles = [
(self + /secrets/keys/ssh/yubikey.pub)
(self + /secrets/keys/ssh/magicant.pub)
(self + /secrets/keys/ssh/builder.pub)
];
};
};
};
services.openssh = {
enable = true;
startWhenNeeded = lib.mkForce false;
authorizedKeysInHomedir = false;
extraConfig = ''
Match User jump
PermitTTY no
X11Forwarding no
PermitTunnel no
GatewayPorts no
AllowAgentForwarding no
'';
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = lib.mkDefault "no";
AllowUsers = [
"jump"
];
};
hostKeys = lib.mkIf (!config.swarselmodules.server.ssh) [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
home-manager.users.jump.config = {
home.stateVersion = lib.mkDefault "23.05";
programs.ssh = {
enable = true;
enableDefaultConfig = false;
matchBlocks = {
"*" = {
forwardAgent = false;
};
} // config.repo.secrets.local.ssh.hosts;
};
};
};
}

0
modules/nixos/optional/btrfs.nix → modules/nixos/server/btrfs.nix
View file

2
modules/nixos/server/croc.nix
View file

@ -17,7 +17,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

6
modules/nixos/server/disk-encrypt.nix
View file

@ -1,7 +1,7 @@
{ self, pkgs, lib, config, globals, minimal, ... }:
let
localIp = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4;
subnetMask = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".subnetMask4;
localIp = globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4;
subnetMask = globals.networks.${config.swarselsystems.server.netConfigName}.subnetMask4;
gatewayIp = globals.hosts.${config.node.name}.defaultGateway4;
hostKeyPathBase = "/etc/secrets/initrd/ssh_host_ed25519_key";
@ -36,7 +36,7 @@ in
files = [ hostKeyPathBase ];
};
boot = lib.mkIf (!config.swarselsystems.isLaptop) {
boot = lib.mkIf (!config.swarselsystems.isClient) {
kernelParams = lib.mkIf (!config.swarselsystems.isCloud) [
"ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none"
];

2
modules/nixos/server/firefly-iii.nix
View file

@ -11,7 +11,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/forgejo.nix
View file

@ -9,7 +9,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/freshrss.nix
View file

@ -8,7 +8,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

8
modules/nixos/server/garage.nix
View file

@ -54,11 +54,11 @@ in
assertions = [
{
assertion = config.swarselsystems.server.${serviceName}.buckets != [ ];
message = "If Garage is enabled, at least one bucket must be specified in atro.garage.buckets";
message = "If Garage is enabled, at least one bucket must be specified in swarselsystems.server.${serviceName}.buckets";
}
{
assertion = builtins.length (lib.attrsToList config.swarselsystems.server.${serviceName}.keys) > 0;
message = "If Garage is enabled, at least one key must be specified in atro.garage.keys";
message = "If Garage is enabled, at least one key must be specified in swarselsystems.server.${serviceName}.keys";
}
{
assertion =
@ -71,7 +71,7 @@ in
}
];
swarselsystems.server.dns.${baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${baseDomain}.subdomainRecords = {
"${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
"${subDomain}admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
"${subDomain}web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
@ -121,7 +121,7 @@ in
rpc_bind_addr = "[::]:${builtins.toString garageRpcPort}";
# we are not joining our nodes, just use the private ipv4
rpc_public_addr = "${globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4}:${builtins.toString garageRpcPort}";
rpc_public_addr = "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4}:${builtins.toString garageRpcPort}";
rpc_secret_file = config.sops.secrets.garage-rpc-secret.path;

2
modules/nixos/server/homebox.nix
View file

@ -6,7 +6,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/immich.nix
View file

@ -6,7 +6,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/jellyfin.nix
View file

@ -6,7 +6,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/jenkins.nix
View file

@ -6,7 +6,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/kanidm.nix
View file

@ -31,7 +31,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/kavita.nix
View file

@ -11,7 +11,7 @@ in
calibre
];
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/koillection.nix
View file

@ -14,7 +14,7 @@ in
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
sops.secrets = {

2
modules/nixos/server/mailserver.nix
View file

@ -11,7 +11,7 @@ in
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/matrix.nix
View file

@ -20,7 +20,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/microbin.nix
View file

@ -10,7 +10,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/minecraft/default.nix
View file

@ -8,7 +8,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/monitoring.nix
View file

@ -16,7 +16,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/navidrome.nix
View file

@ -6,7 +6,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

34
modules/nixos/server/network.nix
View file

@ -1,28 +1,40 @@
{ lib, config, ... }:
let
inherit (config.swarselsystems.server) localNetwork;
netConfig = config.repo.secrets.local.networking;
netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}";
in
{
options.swarselmodules.server.network = lib.mkEnableOption "enable server network config";
options.swarselsystems.server.localNetwork = lib.mkOption {
type = lib.types.str;
default = "home";
options = {
swarselmodules.server.network = lib.mkEnableOption "enable server network config";
swarselsystems.server = {
localNetwork = lib.mkOption {
type = lib.types.str;
default = "";
};
netConfigName = lib.mkOption {
type = lib.types.str;
default = netName;
readOnly = true;
};
};
};
config = lib.mkIf config.swarselmodules.server.network {
globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${localNetwork}".hosts.${config.node.name} = {
inherit (config.repo.secrets.local.networking.networks.${localNetwork}) id;
mac = config.repo.secrets.local.networking.networks.${localNetwork}.mac or null;
swarselsystems.server.localNetwork = netConfig.localNetwork or "";
globals.networks.${netName}.hosts.${config.node.name} = {
inherit (netConfig.networks.${netConfig.localNetwork}) id;
mac = netConfig.networks.${netConfig.localNetwork}.mac or null;
};
globals.hosts.${config.node.name} = {
inherit (config.repo.secrets.local.networking) defaultGateway4;
wanAddress4 = config.repo.secrets.local.networking.wanAddress4 or null;
wanAddress6 = config.repo.secrets.local.networking.wanAddress6 or null;
wanAddress4 = netConfig.wanAddress4 or null;
wanAddress6 = netConfig.wanAddress6 or null;
};
networking = {
inherit (config.repo.secrets.local.networking) hostId;
inherit (netConfig) hostId;
hostName = config.node.name;
nftables.enable = lib.mkDefault false;
enableIPv6 = lib.mkDefault true;

2
modules/nixos/server/nextcloud.nix
View file

@ -10,7 +10,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

9
modules/nixos/server/nginx.nix
View file

@ -1,6 +1,6 @@
{ pkgs, lib, config, ... }:
let
inherit (config.repo.secrets.common) dnsProvider;
inherit (config.repo.secrets.common) dnsProvider dnsBase;
inherit (config.repo.secrets.common.mail) address3;
serviceUser = "nginx";
@ -63,9 +63,12 @@ in
];
sops = {
secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; };
secrets = {
acme-dns-token = { inherit (config.swarselsystems) sopsFile; };
};
templates."certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token}
ACME_DNS_API_BASE=${dnsBase}
ACME_DNS_STORAGE_PATH=${config.sops.placeholder.acme-dns-token}
'';
};

76
modules/nixos/server/nsd/default.nix
View file

@ -1,10 +1,7 @@
{ inputs, lib, config, globals, dns, confLib, ... }:
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName;
# servicePort = 53;
# serviceDomain = config.repo.secrets.common.services.domains."${serviceName}";
# serviceAddress = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4;
inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName servicePort proxyAddress4 proxyAddress6;
inherit (config.swarselsystems) sopsFile;
in
{
options = {
@ -14,7 +11,7 @@ in
lib.types.submodule {
options = {
subdomainRecords = lib.mkOption {
type = lib.types.attrsOf inputs.dns.subzone;
type = lib.types.attrsOf dns.lib.types.subzone;
default = { };
};
};
@ -23,14 +20,69 @@ in
};
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
sops.secrets = {
tsig-key = { inherit sopsFile; };
};
# services.resolved.enable = false;
networking = {
# nameservers = [ "1.1.1.1" "8.8.8.8" ];
firewall = {
allowedUDPPorts = [ servicePort ];
allowedTCPPorts = [ servicePort ];
};
};
services.nsd = {
enable = true;
zones = {
"${globals.domains.main}" = {
# provideXFR = [ ... ];
# notify = [ ... ];
data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns; });
keys = {
"${globals.domains.main}.${proxyAddress4}" = {
algorithm = "hmac-sha256";
keyFile = config.sops.secrets.tsig-key.path;
};
"${globals.domains.main}.${proxyAddress6}" = {
algorithm = "hmac-sha256";
keyFile = config.sops.secrets.tsig-key.path;
};
"${globals.domains.main}" = {
algorithm = "hmac-sha256";
keyFile = config.sops.secrets.tsig-key.path;
};
};
interfaces = [
"10.1.2.157"
"2603:c020:801f:a0cc::9d"
];
zones = {
"${globals.domains.main}" =
let
keyName4 = "${globals.domains.main}.${proxyAddress4}";
keyName6 = "${globals.domains.main}.${proxyAddress6}";
keyName = "${globals.domains.main}";
transferList = [
"213.239.242.238 ${keyName4}"
"2a01:4f8:0:a101::a:1 ${keyName6}"
"213.133.100.103 ${keyName4}"
"2a01:4f8:0:1::5ddc:2 ${keyName6}"
"193.47.99.3 ${keyName4}"
"2001:67c:192c::add:a3 ${keyName6}"
];
in
{
outgoingInterface = "2603:c020:801f:a0cc::9d";
notify = transferList ++ [
"216.218.130.2 ${keyName}"
];
provideXFR = transferList ++ [
"216.218.133.2 ${keyName}"
"2001:470:600::2 ${keyName}"
];
# dnssec = true;
data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns proxyAddress4 proxyAddress6; });
};
};
};

59
modules/nixos/server/nsd/site1.nix
View file

@ -1,40 +1,35 @@
{ config, globals, dns, ... }:
{ config, globals, dns, proxyAddress4, proxyAddress6, ... }:
with dns.lib.combinators; {
SOA = {
nameServer = "soa";
adminEmail = "admin@${globals.domains.main}";
serial = 2025112101;
adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin")
serial = 2025120201; # update this on changes for secondary dns
};
useOrigin = false;
NS = [
"soa.${globals.domains.name}."
"ns1.he.net"
"ns2.he.net"
"ns3.he.net"
"ns4.he.net"
"ns5.he.net"
"oxygen.ns.hetzner.com"
"pola.ns.cloudflare.com"
];
"soa"
"srv"
] ++ globals.domains.externalDns;
A = [ "75.2.60.5" ];
A = [ config.repo.secrets.local.dns.homepage-ip ];
SRV = [
{
service = "_matrix";
proto = "_tcp";
port = 443;
target = "${globals.services.matrix.baseDomain}.${globals.domains.main}";
target = "${globals.services.matrix.subDomain}";
priority = 10;
wweight = 5;
weight = 5;
}
{
service = "_submissions";
proto = "_tcp";
port = 465;
target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
target = "${globals.services.mailserver.subDomain}";
priority = 5;
weight = 0;
ttl = 3600;
@ -43,7 +38,7 @@ with dns.lib.combinators; {
service = "_submission";
proto = "_tcp";
port = 587;
target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
target = "${globals.services.mailserver.subDomain}";
priority = 5;
weight = 0;
ttl = 3600;
@ -52,7 +47,7 @@ with dns.lib.combinators; {
service = "_imap";
proto = "_tcp";
port = 143;
target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
target = "${globals.services.mailserver.subDomain}";
priority = 5;
weight = 0;
ttl = 3600;
@ -61,7 +56,7 @@ with dns.lib.combinators; {
service = "_imaps";
proto = "_tcp";
port = 993;
target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
target = "${globals.services.mailserver.subDomain}";
priority = 5;
weight = 0;
ttl = 3600;
@ -71,13 +66,7 @@ with dns.lib.combinators; {
MX = [
{
preference = 10;
exchange = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
}
];
CNAME = [
{
cname = "www.${glovals.domains.main}";
exchange = "${globals.services.mailserver.subDomain}";
}
];
@ -90,28 +79,22 @@ with dns.lib.combinators; {
}
];
DMARC = [
{
p = "none";
ttl = 10800;
}
];
TXT = [
(with spf; strict [ "a:${globals.services.mailserver.baseDomain}.${globals.domains.main}" ])
(with spf; strict [ "a:${globals.services.mailserver.subDomain}.${globals.domains.main}" ])
"google-site-verification=${config.repo.secrets.local.dns.google-site-verification}"
];
DMARC = [
{
selector = "mail";
k = "rsa";
p = "none";
ttl = 10800;
}
];
subdomains = config.swarselsystems.server.dns.${globals.domain.main}.subdomainRecords // {
"minecraft" = host "130.61.119.12" null;
subdomains = config.swarselsystems.server.dns.${globals.domains.main}.subdomainRecords // {
"www".CNAME = [ "${globals.domains.main}." ];
"_acme-challenge".CNAME = [ "${config.repo.secrets.local.dns.acme-challenge-domain}." ];
"soa" = host proxyAddress4 proxyAddress6;
"srv" = host proxyAddress4 proxyAddress6;
};
}

2
modules/nixos/server/oauth2-proxy.nix
View file

@ -119,7 +119,7 @@ in
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/paperless.nix
View file

@ -11,7 +11,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/radicale.nix
View file

@ -9,7 +9,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/shlink.nix
View file

@ -12,7 +12,7 @@ in
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/slink.nix
View file

@ -10,7 +10,7 @@ in
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

2
modules/nixos/server/snipe-it.nix
View file

@ -11,7 +11,7 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};

35
modules/nixos/server/ssh-builder.nix Normal file
View file

@ -0,0 +1,35 @@
{ self, pkgs, lib, config, ... }:
let
ssh-restrict = "restrict,pty,command=\"${wrapper-dispatch-ssh-nix}/bin/wrapper-dispatch-ssh-nix\" ";
wrapper-dispatch-ssh-nix = pkgs.writeShellScriptBin "wrapper-dispatch-ssh-nix" ''
case $SSH_ORIGINAL_COMMAND in
"nix-daemon --stdio")
exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-daemon --stdio
;;
"nix-store --serve --write")
exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-store --serve --write
;;
*)
echo "Access only allowed for using the nix remote builder" 1>&2
exit
esac
'';
in
{
options.swarselmodules.server.ssh-builder = lib.mkEnableOption "enable ssh-builder config on server";
config = lib.mkIf config.swarselmodules.server.ssh-builder {
users = {
groups.builder = { };
users.builder = {
useDefaultShell = true;
isSystemUser = true;
group = "builder";
openssh.authorizedKeys.keys = [
''${ssh-restrict} ${builtins.readFile "${self}/secrets/keys/ssh/builder.pub"}''
];
};
};
};
}

6
modules/nixos/server/ssh.nix
View file

@ -9,6 +9,10 @@
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "yes";
AllowUsers = [
"root"
config.swarselsystems.mainUser
];
};
hostKeys = [
{
@ -20,10 +24,12 @@
users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [
(self + /secrets/keys/ssh/yubikey.pub)
(self + /secrets/keys/ssh/magicant.pub)
# (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub))
];
users.users.root.openssh.authorizedKeys.keyFiles = [
(self + /secrets/keys/ssh/yubikey.pub)
(self + /secrets/keys/ssh/magicant.pub)
# (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub))
];
security.sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK

Some files were not shown because too many files have changed in this diff Show more