diff --git a/.sops.yaml b/.sops.yaml index f2f2d57..7504f48 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -7,6 +7,13 @@ keys: - &server_nixos age1zdjm8qa5t25mca0xxhhkpuh85mgg4l267mqjj2pdttksq7zg4unqdmqyp4 - &server_surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg - &server_stand age1hkajkcje5xvg8jd4zj2e0s9tndpv36hwhn7p38x9lyq2z8g7v45q2nhlej + - &server_nginx age1zyts3egct4he229klgrfkd9r442xw9r3qg3hyydh44pvk3wjhd3s2zjqvt + - &server_calibre age1q2k4j9m6ge6dgygehulzd8vqjcdgv5s7s4zrferaq29qlu94a4uqpv76s5 + - &server_transmiss age1wevwwytv5q8wx8yttc85gly678hn4k3qe4csgnq2frf3wxes63jqlt8kqs + - &server_matrix age1t2uj8arq8nnmd5s3h32p7z7masj2gqe5ec49dtr8ex2nlgef3yfqtgcnj6 + - &server_spotifyd age16d6wulu4vzuawvsnqv0cqjhxdz9e20qm3xdnzq2lp7787srl8shqsqlfps + - &server_sound age1w7tfe7k0r0hm6mzz0kmz8302kfn0rlh96w7g6zwqd4muqg7u9anqv07745 + - &server_sync age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h creation_rules: - path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$ key_groups: @@ -22,3 +29,45 @@ creation_rules: - *admin_swarsel age: - *server_surface + - path_regex: secrets/nginx/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *admin_swarsel + age: + - *server_nginx + - path_regex: secrets/calibre/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *admin_swarsel + age: + - *server_calibre + - path_regex: secrets/transmission/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *admin_swarsel + age: + - *server_transmiss + - path_regex: secrets/matrix/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *admin_swarsel + age: + - *server_matrix + - path_regex: secrets/spotifyd/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *admin_swarsel + age: + - *server_spotifyd + - path_regex: secrets/sound/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *admin_swarsel + age: + - *server_sound + - path_regex: secrets/sync/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *admin_swarsel + age: + - *server_sync 
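Review bot: The new anchor `&server_transmiss` is the only recipient whose name is truncated relative to the directory it guards (`secrets/transmission/`); renaming it `server_transmission` in both the keys hunk and the matching `creation_rules` entry keeps the host-to-key mapping greppable and consistent with the other six. Each added rule puts `*admin_swarsel` and exactly one host key into a single key group, so either key alone decrypts that host's files, which matches the existing `general` rule. Like the existing rules, the new `path_regex` values are not anchored at the start, so `^secrets/nginx/[^/]+\.(yaml|json|env|ini)$` would avoid a same-named path nested elsewhere in the repository matching the host rule.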
diff --git a/Emacs.org b/Emacs.org index 52704e9..94fb388 100644 --- a/Emacs.org +++ b/Emacs.org @@ -412,6 +412,7 @@ Base emacs undo logic is very useful, but not easy to understand. I prefer undo- "C-c d" 'duplicate-line ; duplicate line on CURSOR "C-M-j" 'consult-buffer "C-s" 'consult-line + "C-" 'my-python-shell-run ) #+end_src @@ -1068,18 +1069,19 @@ Soon I want to try out this new hot stuff - just at the moment there is too much #+begin_src emacs-lisp - (use-package auctex) - (setq TeX-auto-save t) - (setq TeX-save-query nil) - (setq TeX-parse-self t) - (setq-default TeX-master nil) + ;; (use-package auctex + ;; :ensure nil) + (setq TeX-auto-save t) + (setq TeX-save-query nil) + (setq TeX-parse-self t) + (setq-default TeX-master nil) - ;; (add-hook 'LaTeX-mode-hook 'visual-line-mode) - ;; (add-hook 'LaTeX-mode-hook 'flyspell-mode) - ;; (add-hook 'LaTeX-mode-hook 'LaTeX-math-mode) + ;; (add-hook 'LaTeX-mode-hook 'visual-line-mode) + ;; (add-hook 'LaTeX-mode-hook 'flyspell-mode) + ;; (add-hook 'LaTeX-mode-hook 'LaTeX-math-mode) - ;; (add-hook 'LaTeX-mode-hook 'turn-on-reftex) - ;; (setq reftex-plug-into-AUCTeX t) + ;; (add-hook 'LaTeX-mode-hook 'turn-on-reftex) + ;; (setq reftex-plug-into-AUCTeX t) #+end_src @@ -1503,12 +1505,7 @@ NOTE: Make sure to configure a GitHub token before using this package! (use-package git-timemachine :hook (git-time-machine-mode . evil-normalize-keymaps) :init (setq git-timemachine-show-minibuffer-details t) - :general - (general-nmap "SPC g t" 'git-timemachine-toggle) - (git-timemachine-mode-map - "C-k" 'git-timemachine-show-previous-revision - "C-j" 'git-timemachine-show-next-revision - "q" 'git-timemachine-quit)) + ) #+end_src 
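Review bot: The new binding reads `"C-" 'my-python-shell-run`, and `"C-"` is not a complete key description: `kbd` requires a key after the modifier, so `general` would fail at load time if the string really is this short. If the rest of the key (for example an angle-bracketed name) was dropped when this page was rendered, this is only an artifact, but it is worth confirming in the tangled `init.el`. Binding a function that is defined in a later source block is fine in Elisp, since the symbol is resolved when the key is pressed.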
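Review bot: With `(use-package auctex …)` now commented out, the four `setq` lines that remain (`TeX-auto-save`, `TeX-save-query`, `TeX-parse-self`, `TeX-master`) configure a package that is no longer loaded; they evaluate without error but are dead configuration. Either comment them out together with the package, or move them under a `:config` key of the `use-package` form so enabling and configuring AUCTeX stay coupled. The re-indentation of the commented-out hooks is whitespace only.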
@@ -1733,12 +1730,35 @@ Currently unused #+begin_src emacs-lisp - ;; run the python inferior shell immediately upon entering a python buffer - (add-hook 'python-mode-hook 'swarsel/run-python) + ;; run the python inferior shell immediately upon entering a python buffer + ;; (add-hook 'python-mode-hook 'swarsel/run-python) + + ;; (defun swarsel/run-python () + ;; (save-selected-window + ;; (switch-to-buffer-other-window (process-buffer (python-shell-get-or-create-process (python-shell-parse-command)))))) + + ;; reload python shell automatically + (defun my-python-shell-run () + (interactive) + (when (get-buffer-process "*Python*") + (set-process-query-on-exit-flag (get-buffer-process "*Python*") nil) + (kill-process (get-buffer-process "*Python*")) + ;; Uncomment If you want to clean the buffer too. + ;;(kill-buffer "*Python*") + ;; Not so fast! + (sleep-for 0.5)) + (run-python (python-shell-parse-command) nil nil) + (python-shell-send-buffer) + ;; Pop new window only if shell isnt visible + ;; in any frame. + (unless (get-buffer-window "*Python*" t) + (python-shell-switch-to-shell))) + + (defun my-python-shell-run-region () + (interactive) + (python-shell-send-region (region-beginning) (region-end)) + (python-shell-switch-to-shell)) -(defun swarsel/run-python () - (save-selected-window - (switch-to-buffer-other-window (process-buffer (python-shell-get-or-create-process (python-shell-parse-command)))))) #+end_src *** CUDA @@ -2337,7 +2357,7 @@ The following block is 100% stolen from Dominik :P :config ;; This is set to 't' to avoid mail syncing issues when using mbsync - (setq send-mail-function 'smtpmail-send-it) + (setq send-mail-function 'sendmail-send-it) (setq mu4e-change-filenames-when-moving t) (setq mu4e-mu-binary (executable-find "mu")) diff --git a/Nix.org b/Nix.org index 974da1a..caa3a11 100644 --- a/Nix.org +++ b/Nix.org 
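Review bot: `(sleep-for 0.5)` after `kill-process` in `my-python-shell-run` is a fixed delay rather than a wait for the old interpreter to exit, so on a slow kill `run-python` can still find the previous process attached to `*Python*` (the `;; Not so fast!` comment acknowledges the race). Replacing it with `(while (process-live-p (get-buffer-process "*Python*")) (sleep-for 0.1))` waits only as long as needed and never less. The three repeated `(get-buffer-process "*Python*")` calls could also be let-bound once, and the large commented-out `swarsel/run-python` copy duplicates the definition that the bottom of the hunk removes, so it can go.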
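Review bot: The comment `;; This is set to 't' to avoid mail syncing issues when using mbsync` sits directly above the changed `send-mail-function` line, but it describes `mu4e-change-filenames-when-moving` on the line after it, so the switch to `sendmail-send-it` now has no explanation of its own. Moving the existing comment down one line and adding something like `;; hand outgoing mail to the local sendmail binary instead of smtpmail` would document the intent; note that `sendmail-send-it` relies on a working local `sendmail` program being present, which is presumably the case here but is not shown in the hunk.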
@@ -149,6 +149,51 @@ This is where the theme for the whole OS is defined. This noweb-ref section cann #+end_src +*** Virtual hosts init + +#+begin_src nix :noweb-ref vminitbare + + + services.xserver = { + layout = "us"; + xkbVariant = "altgr-intl"; + }; + nix.settings.experimental-features = ["nix-command" "flakes"]; + proxmoxLXC.manageNetwork = true; # manage network myself + proxmoxLXC.manageHostName = false; # manage hostname myself + networking.useDHCP = true; + networking.enableIPv6 = false; + services.openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + listenAddresses = [{ + port = 22; + addr = "0.0.0.0"; + }]; + }; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../../../secrets/keys/authorized_keys + ]; + + system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change + + environment.shellAliases = { + nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; + }; + +#+end_src + +#+begin_src nix :noweb yes :noweb-ref vminit + + imports = [ + (modulesPath + "/virtualisation/proxmox-lxc.nix") + ./hardware-configuration.nix + ]; + + <> + +#+end_src + ** flake.nix *** Inputs & Inputs@Outputs @@ -164,6 +209,8 @@ This is where the theme for the whole OS is defined. This noweb-ref section cann stylix, sops-nix, lanzaboote, + pia, + nixpkgs-mautrix-signal, #+end_src @@ -213,6 +260,17 @@ This is where the theme for the whole OS is defined. This noweb-ref section cann inputs.nixpkgs.follows = "nixpkgs"; }; + pia = { + url = "git+https://git.sr.ht/~rprospero/nixos-pia?ref=development"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + # provides expressions for mautrix-signal + nixpkgs-mautrix-signal ={ + url = github:niklaskorz/nixpkgs/nixos-23.11-mautrix-signal; + }; + + #+end_src *** let 
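Review bot: `settings.PermitRootLogin = "yes"` in the new `vminitbare` block permits password-based root logins on a daemon bound to `0.0.0.0:22`, while the same block already provisions key authentication through `users.users.root.openssh.authorizedKeys.keyFiles`; `settings.PermitRootLogin = "prohibit-password";` (optionally with `settings.PasswordAuthentication = false;`) keeps the key workflow and removes the password path. The same `PermitRootLogin` line is repeated in the per-host `nixos.nix` blocks added further down this diff, so they should change together, or better, those hosts should reuse this noweb block instead of copying it. Separately, `proxmoxLXC.manageHostName = false; # manage hostname myself` reads as contradictory next to `proxmoxLXC.manageNetwork = true; # manage network myself`: if `false` hands hostname management to Proxmox, as the sibling option's phrasing suggests, the comment should say so, and the TEMPLATE hunk below flips the same value while keeping the same comment.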
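Review bot: Both new inputs track mutable branch refs of personal repositories, `?ref=development` on the sr.ht `nixos-pia` repo and the `nixos-23.11-mautrix-signal` branch of a nixpkgs fork; the lock file fixes a revision today, but every `nix flake update` will silently take whatever those branches hold at that moment, and the second input is later used as the complete package set for a host. Pinning with `?rev=` or reviewing the `flake.lock` diff on each update is the practical mitigation. As a style point, `url = github:niklaskorz/nixpkgs/nixos-23.11-mautrix-signal;` is an unquoted URL literal while every other input quotes its URL, and `nixpkgs-mautrix-signal ={` is missing the space before `=`.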
@@ -223,9 +281,24 @@ This is where the theme for the whole OS is defined. This noweb-ref section cann overlays = [ emacs-overlay.overlay nur.overlay nixgl.overlay + # (self: super: { + # airsonic = super.airsonic.overrideAttrs (_: rec { + # version = "11.0.2-kagemomiji"; + # name = "airsonic-advanced-${version}"; + # src = super.fetchurl { + # url = "https://github.com/kagemomiji/airsonic-advanced/releases/download/11.0.2/airsonic.war"; + # sha256 = "PgErtEizHraZgoWHs5jYJJ5NsliDd9VulQfS64ackFo="; + # }; + # }); + # }) ]; config.allowUnfree = true; }; + + pkgsmautrix = import nixpkgs-mautrix-signal { inherit system; + config.allowUnfree = true; + }; + # NixOS modules that can only be used on NixOS systems nixModules = [ stylix.nixosModules.stylix ./profiles/common/nixos.nix 
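Review bot: `pkgsmautrix` is instantiated without the `overlays` list that `pkgs` receives a few lines above, so the emacs-overlay, nur and nixgl attributes are absent from that package set; if that is intended because only the mautrix-related packages are taken from it, a comment such as `# second package tree for the matrix host only; overlays deliberately omitted` would prevent a later surprise. The commented-out airsonic overlay carries a pinned `sha256` and version but no note on why it is disabled; dead entries in an overlay list tend to rot, so either drop it or record the reason.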
@@ -244,58 +317,128 @@ This is where the theme for the whole OS is defined. This noweb-ref section cann #+begin_src nix :noweb-ref flakenixosconf - onett = nixpkgs.lib.nixosSystem { - specialArgs = {inherit inputs pkgs; }; - modules = nixModules ++ [ - ./profiles/onett/nixos.nix - home-manager.nixosModules.home-manager - { - home-manager.users.swarsel.imports = mixedModules ++ [ - ./profiles/onett/home.nix - ]; - } - ]; - }; + onett = nixpkgs.lib.nixosSystem { + specialArgs = {inherit inputs pkgs; }; + modules = nixModules ++ [ + ./profiles/onett/nixos.nix + home-manager.nixosModules.home-manager + { + home-manager.users.swarsel.imports = mixedModules ++ [ + ./profiles/onett/home.nix + ]; + } + ]; + }; - twoson = nixpkgs.lib.nixosSystem { - specialArgs = {inherit inputs pkgs; }; - modules = nixModules ++ [ - ./profiles/twoson/nixos.nix - home-manager.nixosModules.home-manager - { - home-manager.users.swarsel.imports = mixedModules ++ [ - ./profiles/twoson/home.nix - ]; - } - ]; - }; + twoson = nixpkgs.lib.nixosSystem { + specialArgs = {inherit inputs pkgs; }; + modules = nixModules ++ [ + ./profiles/twoson/nixos.nix + home-manager.nixosModules.home-manager + { + home-manager.users.swarsel.imports = mixedModules ++ [ + ./profiles/twoson/home.nix + ]; + } + ]; + }; - stand = nixpkgs.lib.nixosSystem { - specialArgs = {inherit inputs pkgs; }; - modules = nixModules ++ [ - ./profiles/stand/nixos.nix - home-manager.nixosModules.home-manager - { - home-manager.users.homelen.imports = mixedModules ++ [ - ./profiles/stand/home.nix - ]; - } - ]; - }; + stand = nixpkgs.lib.nixosSystem { + specialArgs = {inherit inputs pkgs; }; + modules = nixModules ++ [ + ./profiles/stand/nixos.nix + home-manager.nixosModules.home-manager + { + home-manager.users.homelen.imports = mixedModules ++ [ + ./profiles/stand/home.nix + ]; + } + ]; + }; - threed = nixpkgs.lib.nixosSystem { - specialArgs = {inherit inputs pkgs; }; - modules = nixModules ++ [ - lanzaboote.nixosModules.lanzaboote - 
./profiles/threed/nixos.nix - home-manager.nixosModules.home-manager - { - home-manager.users.swarsel.imports = mixedModules ++ [ - ./profiles/threed/home.nix - ]; - } - ]; - }; + threed = nixpkgs.lib.nixosSystem { + specialArgs = {inherit inputs pkgs; }; + modules = nixModules ++ [ + lanzaboote.nixosModules.lanzaboote + ./profiles/threed/nixos.nix + home-manager.nixosModules.home-manager + { + home-manager.users.swarsel.imports = mixedModules ++ [ + ./profiles/threed/home.nix + ]; + } + ]; + }; + + nginx = nixpkgs.lib.nixosSystem { + specialArgs = {inherit inputs pkgs; }; + modules = [ + sops-nix.nixosModules.sops + ./profiles/server1/nginx/nixos.nix + ]; + }; + + calibre = nixpkgs.lib.nixosSystem { + specialArgs = {inherit inputs pkgs; }; + modules = [ + sops-nix.nixosModules.sops + ./profiles/server1/calibre/nixos.nix + ]; + }; + + jellyfin = nixpkgs.lib.nixosSystem { + specialArgs = {inherit inputs pkgs; }; + modules = [ + # sops-nix.nixosModules.sops + ./profiles/server1/jellyfin/nixos.nix + ]; + }; + + transmission = nixpkgs.lib.nixosSystem { + specialArgs = {inherit inputs pkgs; }; + modules = [ + sops-nix.nixosModules.sops + pia.nixosModule + ./profiles/server1/transmission/nixos.nix + ]; + }; + + matrix = nixpkgs.lib.nixosSystem { + # specialArgs = {inherit pkgsmautrix; }; + pkgs = pkgsmautrix; + # this is to import a service module that is not on nixpkgs + # this way avoids infinite recursion errors + specialArgs.unstable = nixpkgs-mautrix-signal; + modules = [ + sops-nix.nixosModules.sops + ./profiles/server1/matrix/nixos.nix + ]; + }; + + sound = nixpkgs.lib.nixosSystem { + specialArgs = {inherit inputs pkgs; }; + modules = [ + sops-nix.nixosModules.sops + ./profiles/server1/sound/nixos.nix + ]; + }; + + spotifyd = nixpkgs.lib.nixosSystem { + specialArgs = {inherit inputs pkgs; }; + modules = [ + sops-nix.nixosModules.sops + ./profiles/server1/spotifyd/nixos.nix + ]; + }; + + #ovm + sync = nixpkgs.lib.nixosSystem { + specialArgs = {inherit inputs pkgs; 
}; + modules = [ + sops-nix.nixosModules.sops + ./profiles/remote/oracle/sync/nixos.nix + ]; + }; #+end_src *** homeConfigurations @@ -337,58 +480,6 @@ This is where the theme for the whole OS is defined. This noweb-ref section cann #+end_src -* flake.nix - -This tangles the flake.nix file; This block only needs to be touched when updating the general structure of the flake. For everything else, see the respective noweb-ref block. - -#+begin_src nix :noweb yes :tangle flake.nix - - { - description = "SwarseFlake - Nix Flake for all SwarselSystems"; - - inputs = { - <> - }; - - outputs = inputs@{ - self, - <> - ... - }: let - <> - in { - - # NixOS setups - run home-manager as a NixOS module for better compatibility - # another benefit - full rebuild on nixos-rebuild switch - # run rebuild using `nswitch` - - # NEW HOSTS: For a new host, decide whether a NixOS (nixosConfigurations) or non-NixOS (homeConfigurations) is used. - # Make sure to move hardware-configuration to the appropriate location, by default it is found in /etc/nixos/. - - nixosConfigurations = { - <> - }; - - # pure Home Manager setups - for non-NixOS machines - # run rebuild using `hmswitch` - - homeConfigurations = { - <> - }; - - nixOnDroidConfigurations = { - <> - }; - - packages.x86_64-linux = { - <> - }; - - }; - } - -#+end_src - * TODO System specific configuration This section mainly exists house different `configuration.nix` files for system level configurations of NixOS systems as well as `home.nix` for user level configurations on all systems. @@ -722,6 +813,7 @@ My laptop, sadly soon to be replaced by a new one, since most basic functions ar xserver.videoDrivers = ["nvidia"]; }; + hardware = { nvidia = { modesetting.enable = true; @@ -749,6 +841,7 @@ My laptop, sadly soon to be replaced by a new one, since most basic functions ar }; networking.hostName = "onett"; # Define your hostname. + networking.enableIPv6 = false; users.users.swarsel = { isNormalUser = true; 
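Review bot: The new `matrix` host sets `pkgs = pkgsmautrix`, so every package on that system, not just the mautrix bridge, is built from a personal nixpkgs fork branch rather than the pinned `nixpkgs` input the other hosts use. Taking only the needed attribute from the fork via an overlay module in `modules`, e.g. `{ nixpkgs.overlays = [ (_: _: { inherit (pkgsmautrix) mautrix-signal; }) ]; }` (assuming `mautrix-signal` is the attribute the fork adds), keeps the rest of the host on the audited tree while `specialArgs.unstable` still provides the module import the comment describes. Note that this host is also the only one not passing `inputs` or `pkgs` in `specialArgs`, so `./profiles/server1/matrix/nixos.nix` must not reference them; the commented `# specialArgs = {inherit pkgsmautrix; };` line suggests this was still in flux and could be removed once settled.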
@@ -759,6 +852,10 @@ My laptop, sadly soon to be replaced by a new one, since most basic functions ar system.stateVersion = "23.05"; # Did you read the comment? + environment.systemPackages = with pkgs; [ + ]; + + } #+end_src @@ -1268,6 +1365,11 @@ My home PC, the most powerful machine. Sadly Sway cannot make good use out of it #+end_src ** Virtual hosts + +My server setup is built on Proxmox VE; back when I started, I created all kinds of wild Debian/Ubuntu/etc. KVMs and LXCs on there. However, the root disk has suffered a weird failure where it has become unable to be cloned, but it is still functional for now. I am currently rewriting all machines on there to use NixOS instead; this is a ongoing process. + +In the long run, I am thinking about a transition to kubernetes or using just a server running NixOS and using the built-in container functionality. For now however, I like the network management provided by Proxmox, as I am a bit intimidated by doing that from scratch. + *** TEMPLATE **** NixOS @@ -1291,8 +1393,10 @@ My home PC, the most powerful machine. Sadly Sway cannot make good use out of it xkbVariant = "altgr-intl"; }; + nix.settings.experimental-features = ["nix-command" "flakes"]; + proxmoxLXC.manageNetwork = true; # manage network myself - proxmoxLXC.manageHostName = true; # manage hostname myself + proxmoxLXC.manageHostName = false; # manage hostname myself networking.hostName = "TEMPLATE"; # Define your hostname. networking.useDHCP = true; networking.enableIPv6 = false; 
@@ -1311,6 +1415,1453 @@ My home PC, the most powerful machine. Sadly Sway cannot make good use out of it #+end_src +*** NGINX +**** NixOS + +#+begin_src nix :tangle profiles/server1/nginx/nixos.nix + + { config, pkgs, modulesPath, ... }: + { + imports = [ + (modulesPath + "/virtualisation/proxmox-lxc.nix") + ./hardware-configuration.nix + ]; + + environment.systemPackages = with pkgs; [ + git + gnupg + ssh-to-age + lego + nginx + ]; + + services.xserver = { + layout = "us"; + xkbVariant = "altgr-intl"; + }; + + nix.settings.experimental-features = ["nix-command" "flakes"]; + + sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; + sops.defaultSopsFile = "/.dotfiles/secrets/nginx/secrets.yaml"; + sops.validateSopsFiles = false; + sops.secrets.dnstokenfull = {owner="acme";}; + sops.templates."certs.secret".content = '' + CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} + ''; + proxmoxLXC.manageNetwork = true; # manage network myself + proxmoxLXC.manageHostName = false; # manage hostname myself + networking.hostName = "nginx"; # Define your hostname. 
+ networking.useDHCP = true; + networking.enableIPv6 = false; + networking.firewall.enable = false; + services.openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + }; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../../../secrets/keys/authorized_keys + ]; + # users.users.root.password = "TEMPLATE"; + + system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change + + security.acme = { + acceptTerms = true; + preliminarySelfsigned = false; + defaults.email = "mrswarsel@gmail.com"; + defaults.dnsProvider = "cloudflare"; + defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; + }; + + environment.shellAliases = { + nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; + }; + + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + virtualHosts = { + + "stash.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "https://192.168.2.5"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + # "/push/" = { + # proxyPass = "http://192.168.2.5:7867"; + # }; + "/.well-known/carddav" = { + return = "301 $scheme://$host/remote.php/dav"; + }; + "/.well-known/caldav" = { + return = "301 $scheme://$host/remote.php/dav"; + }; + }; + }; + + "matrix2.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://192.168.2.23:8008"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + # "sound.swarsel.win" = { + # enableACME = true; + # forceSSL = true; + # acmeRoot = null; + # locations = { + # "/" = { + # proxyPass = "https://192.168.2.13"; + # extraConfig = '' + # client_max_body_size 0; + # ''; + # }; + # }; + # }; + + # "sound.swarsel.win" = { + # enableACME = true; + # forceSSL = true; + # acmeRoot = 
null; + # locations = { + # "/" = { + # proxyPass = "http://192.168.2.13:4040"; + # recommendedProxySettings = false; + # # proxyWebsockets = true; + # extraConfig = '' + # proxy_set_header Upgrade $http_upgrade; + # proxy_set_header Connection "Upgrade"; + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_set_header X-Forwarded-Proto https; + # proxy_set_header X-Forwarded-Host $host; + # proxy_set_header X-Forwarded-Port $server_port; + # proxy_set_header Host $host; + # proxy_max_temp_file_size 0; + # proxy_redirect http:// https://; + # proxy_buffering off; + # proxy_request_buffering off; + # client_max_body_size 0; + # ''; + # }; + # }; + # }; + + "sound.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://192.168.2.13:4040"; + proxyWebsockets = true; + extraConfig = '' + proxy_redirect http:// https://; + proxy_read_timeout 600s; + proxy_send_timeout 600s; + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; + }; + }; + }; + + "screen.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://192.168.2.16:8096"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + "matrix.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://192.168.2.20:8008"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + "scroll.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://192.168.2.22:8080"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + # "books.swarsel.win" = { + # enableACME = true; + # forceSSL = true; + # acmeRoot = null; + # locations = { + # "/" = { + # proxyPass = "http://192.168.2.22:8083"; + # extraConfig = 
'' + # client_max_body_size 0; + # ''; + # }; + # }; + # }; + + "blog.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "https://192.168.2.7"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + }; + }; + + + + + + } + +#+end_src + +*** [Manual steps required] Calibre + +This machine requires manual setup: +1) Set up calibre-web: + - Create metadata.db with 664 permissions, make sure parent directory is writeable + - Login @ books.swarsel.win using initial creds: + - user: admin + - pw: admin123 + - point to metadata.db file, make sure you can upload + - Change pw, create normal user +2) Setup kavita: + - Login @ scrolls.swarsel.win + - Create admin user + - Import Libraries + - Create normal user + +In general, I am not amazed by this setup; Kavita is the reader of choice, calibre-web mostly is there to have a convenient way to fullfill the opinionated folder structure when uploading ebooks (calibre-web does not work on its own since it forces sqlite which does not work nicely with my NFS book store). I hope that in the future Kavita will implement ebook upload, or that calibre-web will ditch the sqlite constraints. + +**** NixOS + +#+begin_src nix :tangle profiles/server1/calibre/nixos.nix + + { config, pkgs, modulesPath, ... 
}: + + { + imports = [ + (modulesPath + "/virtualisation/proxmox-lxc.nix") + ./hardware-configuration.nix + ]; + + environment.systemPackages = with pkgs; [ + git + gnupg + ssh-to-age + calibre + ]; + + users.groups.lxc_shares = { + gid = 10000; + members = [ + "kavita" + "calibre-web" + "root" + ]; + }; + + services.xserver = { + layout = "us"; + xkbVariant = "altgr-intl"; + }; + + nix.settings.experimental-features = ["nix-command" "flakes"]; + + sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; + sops.defaultSopsFile = "/.dotfiles/secrets/calibre/secrets.yaml"; + sops.validateSopsFiles = false; + sops.secrets.kavita = { owner = "kavita";}; + # sops.secrets.smbuser = { }; + # sops.secrets.smbpassword = { }; + # sops.secrets.smbdomain = { }; + # sops.templates."smb.cred".content = '' + # user=${config.sops.placeholder.smbuser} + # password=${config.sops.placeholder.smbpassword} + # domain=${config.sops.placeholder.smbdomain} + # ''; + proxmoxLXC.manageNetwork = true; # manage network myself + proxmoxLXC.manageHostName = false; # manage hostname myself + networking.hostName = "calibre"; # Define your hostname. 
+ networking.useDHCP = true; + networking.enableIPv6 = false; + networking.firewall.enable = false; + services.openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + }; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../../../secrets/keys/authorized_keys + ]; + + system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change + + environment.shellAliases = { + nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; + }; + + + # services.calibre-server = { + # enable = true; + # user = "calibre-server"; + # auth.enable = true; + # auth.userDb = "/srv/calibre/users.sqlite"; + # libraries = [ + # /media/Books/main + # /media/Books/diverse + # /media/Books/language + # /media/Books/science + # /media/Books/sport + # /media/Books/novels + # ]; + # }; + + # services.calibre-web = { + # enable = true; + # user = "calibre-web"; + # group = "calibre-web"; + # listen.port = 8083; + # listen.ip = "0.0.0.0"; + # options = { + # enableBookUploading = true; + # enableKepubify = true; + # enableBookConversion = true; + # }; + # }; + + services.kavita = { + enable = true; + user = "kavita"; + port = 8080; + tokenKeyFile = config.sops.secrets.kavita.path; + }; + + + } + +#+end_src + +*** Jellyfin +**** NixOS + +#+begin_src nix :tangle profiles/server1/jellyfin/nixos.nix + + { config, pkgs, modulesPath, ... 
}: + + { + imports = [ + (modulesPath + "/virtualisation/proxmox-lxc.nix") + ./hardware-configuration.nix + ]; + + environment.systemPackages = with pkgs; [ + git + gnupg + ssh-to-age + ]; + + users.groups.lxc_shares = { + gid = 10000; + members = [ + "jellyfin" + "root" + ]; + }; + + users.users.jellyfin = { + extraGroups = [ "video" "render" ]; + }; + + services.xserver = { + layout = "us"; + xkbVariant = "altgr-intl"; + }; + + nix.settings.experimental-features = ["nix-command" "flakes"]; + + # sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; + # sops.defaultSopsFile = "/.dotfiles/secrets/jellyfin/secrets.yaml"; + # sops.validateSopsFiles = false; + + proxmoxLXC.manageNetwork = true; # manage network myself + proxmoxLXC.manageHostName = false; # manage hostname myself + networking.hostName = "jellyfin"; # Define your hostname. + networking.useDHCP = true; + networking.enableIPv6 = false; + networking.firewall.enable = false; + services.openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + }; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../../../secrets/keys/authorized_keys + ]; + + system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change + + environment.shellAliases = { + nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; + }; + + nixpkgs.config.packageOverrides = pkgs: { + vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; + }; + hardware.opengl = { + enable = true; + extraPackages = with pkgs; [ + intel-media-driver # LIBVA_DRIVER_NAME=iHD + vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) + vaapiVdpau + libvdpau-va-gl + ]; + }; + + services.jellyfin = { + enable = true; + user = "jellyfin"; + # openFirewall = true; # this works only for the default ports + }; + + } + +#+end_src + +*** [WIP/Incomplete/Untested] Transmission + +This stuff just does not work, I seem to be unable to create a working VPN Split Tunneling on NixOS. 
Maybe this is introduced by the wonky Proxmox-NixOS container interaction, I am not sure. For now, this machine does not work at all and I am stuck with my Debian Container that does this for me ... + +**** NixOS + +#+begin_src nix :tangle profiles/server1/transmission/nixos.nix + + { config, pkgs, modulesPath, ... }: + + { + imports = [ + (modulesPath + "/virtualisation/proxmox-lxc.nix") + ./hardware-configuration.nix + # ./openvpn.nix #this file holds the vpn login data + ]; + + environment.systemPackages = with pkgs; [ + git + gnupg + ssh-to-age + openvpn + jq + iptables + busybox + wireguard-tools + ]; + + users.groups.lxc_shares = { + gid = 10000; + members = [ + "vpn" + "radarr" + "sonarr" + "lidarr" + "readarr" + "root" + ]; + }; + users.groups.vpn = {}; + + users.users.vpn = { + isNormalUser = true; + group = "vpn"; + home = "/home/vpn"; + }; + + services.xserver = { + layout = "us"; + xkbVariant = "altgr-intl"; + }; + + nix.settings.experimental-features = ["nix-command" "flakes"]; + + sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; + sops.defaultSopsFile = "/.dotfiles/secrets/transmission/secrets.yaml"; + sops.validateSopsFiles = false; + + boot.kernelModules = [ "tun" ]; + proxmoxLXC.manageNetwork = true; # manage network myself + proxmoxLXC.manageHostName = false; # manage hostname myself + networking.hostName = "transmission"; # Define your hostname. + networking.useDHCP = true; + networking.enableIPv6 = false; + networking.firewall.enable = false; + + services.radarr = { + enable = true; + }; + + services.readarr = { + enable = true; + }; + services.sonarr = { + enable = true; + }; + services.lidarr = { + enable = true; + }; + services.prowlarr = { + enable = true; + }; + + # networking.interfaces = { + # lo = { + # useDHCP = false; + # ipv4.addresses = [ + # { address = "127.0.0.1"; prefixLength = 8; } + # ]; + # }; + # + # eth0 = { + # useDHCP = true; + # }; + # }; + + # networking.firewall.extraCommands = '' + # sudo iptables -A OUTPUT ! 
-o lo -m owner --uid-owner vpn -j DROP + # ''; + networking.iproute2 = { + enable = true; + rttablesExtraConfig = '' + 200 vpn + ''; + }; + # boot.kernel.sysctl = { + # "net.ipv4.conf.all.rp_filter" = 2; + # "net.ipv4.conf.default.rp_filter" = 2; + # "net.ipv4.conf.eth0.rp_filter" = 2; + # }; + environment.etc = { + "openvpn/iptables.sh" = + { source = ../../../scripts/server1/iptables.sh; + mode = "0755"; + }; + "openvpn/update-resolv-conf" = + { source = ../../../scripts/server1/update-resolv-conf; + mode = "0755"; + }; + "openvpn/routing.sh" = + { source = ../../../scripts/server1/routing.sh; + mode = "0755"; + }; + "openvpn/ca.rsa.2048.crt" = + { source = ../../../secrets/certs/ca.rsa.2048.crt; + mode = "0644"; + }; + "openvpn/crl.rsa.2048.pem" = + { source = ../../../secrets/certs/crl.rsa.2048.pem; + mode = "0644"; + }; + }; + services.openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + listenAddresses = [{ + port = 22; + addr = "0.0.0.0"; + }]; + }; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../../../secrets/keys/authorized_keys + ]; + + system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change + # users.users.root.password = "TEMPLATE"; + + environment.shellAliases = { + nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; + }; + + sops.secrets.vpnuser = {}; + sops.secrets.rpcuser = {owner="vpn";}; + sops.secrets.vpnpass = {}; + sops.secrets.rpcpass = {owner="vpn";}; + sops.secrets.vpnprot = {}; + sops.secrets.vpnloc = {}; + # sops.secrets.crlpem = {}; + # sops.secrets.capem = {}; + sops.templates."transmission-rpc".owner = "vpn"; + sops.templates."transmission-rpc".content = builtins.toJSON { + rpc-username = config.sops.placeholder.rpcuser; + rpc-password = config.sops.placeholder.rpcpass; + }; + + sops.templates.pia.content = '' + ${config.sops.placeholder.vpnuser} + ${config.sops.placeholder.vpnpass} + ''; + + sops.templates.vpn.content = '' + client + dev tun + proto 
${config.sops.placeholder.vpnprot} + remote ${config.sops.placeholder.vpnloc} + resolv-retry infinite + nobind + persist-key + persist-tun + cipher aes-128-cbc + auth sha1 + tls-client + remote-cert-tls server + + auth-user-pass ${config.sops.templates.pia.path} + compress + verb 1 + reneg-sec 0 + + crl-verify /etc/openvpn/crl.rsa.2048.pem + ca /etc/openvpn/ca.rsa.2048.crt + + disable-occ + dhcp-option DNS 209.222.18.222 + dhcp-option DNS 209.222.18.218 + dhcp-option DNS 8.8.8.8 + route-noexec + ''; + + # services.pia.enable = true; + # services.pia.authUserPass.username = "na"; + # services.pia.authUserPass.password = "na"; + + + # systemd.services.openvpn-vpn = { + # wantedBy = [ "multi-user.target" ]; + # after = [ "network.target" ]; + # description = "OpenVPN connection to pia"; + # serviceConfig = { + # Type = "forking"; + # RuntimeDirectory="openvpn"; + # PrivateTmp=true; + # KillMode="mixed"; + # ExecStart = ''@${pkgs.openvpn}/sbin/openvpn openvpn --daemon ovpn-pia --status /run/openvpn/pia.status 10 --cd /etc/openvpn --script-security 2 --config ${config.sops.templates.vpn.path} --writepid /run/openvpn/pia.pid''; + # PIDFile=''/run/openvpn/pia.pid''; + # ExecReload=''/run/current-system/sw/bin/kill -HUP $MAINPID''; + # WorkingDirectory="/etc/openvpn"; + # Restart="on-failure"; + # RestartSec=30; + # ProtectSystem="yes"; + # DeviceAllow=["/dev/null rw" "/dev/net/tun rw"]; + # }; + # }; + services.openvpn.servers = { + pia = { + autoStart = false; + updateResolvConf = true; + # up = '' + # export INTERFACE="tun0" + # export VPNUSER="vpn" + # export LOCALIP="192.168.1.191" + # export NETIF="eth0" + # export VPNIF="tun0" + # export GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1) + # iptables -F -t nat + # iptables -F -t mangle + # iptables -F -t filter + # iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark + # iptables -t mangle -A OUTPUT ! 
--dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1 + # iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1 + # iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1 + # iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1 + # iptables -t mangle -A OUTPUT -j CONNMARK --save-mark + # iptables -A INPUT -i $INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + # iptables -A INPUT -i $INTERFACE -j REJECT + # iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT + # iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT + # iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE + # iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + # iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT + # if [[ `ip rule list | grep -c 0x1` == 0 ]]; then + # ip rule add from all fwmark 0x1 lookup $VPNUSER + # fi + # ip route replace default via $GATEWAYIP table $VPNUSER + # ip route append default via 127.0.0.1 dev lo table $VPNUSER + # ip route flush cache + # ''; + # down = "bash /etc/openvpn/update-resolv-conf"; + # these are outsourced to a local file, I am not sure if it can be done with sops-nix + # authUserPass = { + # username = "TODO:secrets"; + # password = "TODO:secrets"; + # }; + config = "config ${config.sops.templates.vpn.path}"; + }; + }; + + services.transmission = { + enable = true; + credentialsFile = config.sops.templates."transmission-rpc".path; + user = "vpn"; + group = "lxc_shares"; + settings = { + + alt-speed-down= 8000; + alt-speed-enabled= false; + alt-speed-time-begin= 0; + alt-speed-time-day= 127; + alt-speed-time-enabled= true; + alt-speed-time-end= 360; + alt-speed-up= 2000; + bind-address-ipv4= "0.0.0.0"; + bind-address-ipv6= "::"; + blocklist-enabled= false; + blocklist-url= "http://www.example.com/blocklist"; + cache-size-mb= 4; 
+ dht-enabled= false; + download-dir= "/media/Eternor/New"; + download-limit= 100; + download-limit-enabled= 0; + download-queue-enabled= true; + download-queue-size= 5; + encryption= 2; + idle-seeding-limit= 30; + idle-seeding-limit-enabled= false; + incomplete-dir= "/var/lib/transmission-daemon/Downloads"; + incomplete-dir-enabled= false; + lpd-enabled= false; + max-peers-global= 200; + message-level= 1; + peer-congestion-algorithm= ""; + peer-id-ttl-hours= 6; + peer-limit-global= 100; + peer-limit-per-torrent= 40; + peer-port= 22371; + peer-port-random-high= 65535; + peer-port-random-low= 49152; + peer-port-random-on-start= false; + peer-socket-tos= "default"; + pex-enabled= false; + port-forwarding-enabled= false; + preallocation= 1; + prefetch-enabled= true; + queue-stalled-enabled= true; + queue-stalled-minutes= 30; + ratio-limit= 2; + ratio-limit-enabled= false; + rename-partial-files= true; + rpc-authentication-required= true; + rpc-bind-address= "0.0.0.0"; + rpc-enabled= true; + rpc-host-whitelist= ""; + rpc-host-whitelist-enabled= true; + rpc-port= 9091; + rpc-url= "/transmission/"; + rpc-whitelist= "127.0.0.1,192.168.3.2"; + rpc-whitelist-enabled= true; + scrape-paused-torrents-enabled= true; + script-torrent-done-enabled= false; + seed-queue-enabled= false; + seed-queue-size= 10; + speed-limit-down= 6000; + speed-limit-down-enabled= true; + speed-limit-up= 500; + speed-limit-up-enabled= true; + start-added-torrents= true; + trash-original-torrent-files= false; + umask= 2; + upload-limit= 100; + upload-limit-enabled= 0; + upload-slots-per-torrent= 14; + utp-enabled= false; + }; + }; + + # services.nginx = { + # enable = true; + # virtualHosts = { + + # "192.168.1.192" = { + # locations = { + # "/transmission" = { + # proxyPass = "http://127.0.0.1:9091"; + # extraConfig = '' + # proxy_set_header Host $host; + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # ''; + # }; + # }; + # }; + # }; + # 
}; + + + } + +#+end_src + +*** [Manual steps needed] Matrix + +1) After the initial setup, run the + - /run/secrets-generated/matrix_user_register.sh +command to register a new admin user. +2) All bridges will fail on first start, copy the registration files using: + - cp /var/lib/mautrix-telegram/telegram-registration.yaml /var/lib/matrix-synapse/ + - chown matrix-synapse:matrix-synapse var/lib/matrix-synapse/telegram-registration.yaml +Make sure to also do this for doublepuppet.yaml +3) Restart postgresql.service, matrix-synapse.service, mautrix-whatsapp.service, mautrix-telegram.service + +**** NixOS + +#+begin_src nix :noweb yes :tangle profiles/server1/matrix/nixos.nix + + { config, pkgs, modulesPath, unstable, sops, ... }: let + matrixDomain = "matrix2.swarsel.win"; + in { + <> + + imports = [ + (modulesPath + "/virtualisation/proxmox-lxc.nix") + ./hardware-configuration.nix + # we import here a service that is not available yet on normal nixpkgs + # this module is hence not in the modules list, we add it ourselves + (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix") + ]; + + networking.hostName = "matrix"; # Define your hostname. 
+ networking.firewall.enable = false; + environment.systemPackages = with pkgs; [ + git + gnupg + ssh-to-age + matrix-synapse + lottieconverter + ffmpeg + ]; + + sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; + sops.defaultSopsFile = "/.dotfiles/secrets/matrix/secrets.yaml"; + sops.validateSopsFiles = false; + sops.secrets.matrixsharedsecret = {owner="matrix-synapse";}; + sops.templates."matrix_user_register.sh".content = '' + register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008 + ''; + sops.templates.matrixshared.owner = "matrix-synapse"; + sops.templates.matrixshared.content = '' + registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} + ''; + sops.secrets.mautrixtelegram_as = {owner="matrix-synapse";}; + sops.secrets.mautrixtelegram_hs = {owner="matrix-synapse";}; + sops.secrets.mautrixtelegram_api_id = {owner="matrix-synapse";}; + sops.secrets.mautrixtelegram_api_hash = {owner="matrix-synapse";}; + sops.templates.mautrixtelegram.owner = "matrix-synapse"; + sops.templates.mautrixtelegram.content = '' + MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as} + MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} + MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} + MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} + ''; + # sops.secrets.mautrixwhatsapp_shared = {owner="matrix-synapse";}; + # sops.templates.mautrixwhatsapp.owner = "matrix-synapse"; + # sops.templates.mautrixwhatsapp.content = '' + # MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared} + # ''; + + services.postgresql.enable = true; + services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + 
LC_CTYPE = "C"; + CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; + CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; + CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; + CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + + services.matrix-synapse = { + settings.app_service_config_files = [ + "/var/lib/matrix-synapse/telegram-registration.yaml" + "/var/lib/matrix-synapse/whatsapp-registration.yaml" + "/var/lib/matrix-synapse/signal-registration.yaml" + "/var/lib/matrix-synapse/doublepuppet.yaml" + ]; + enable = true; + settings.server_name = matrixDomain; + settings.public_baseurl = "https://${matrixDomain}"; + extraConfigFiles = [ + config.sops.templates.matrixshared.path + ]; + settings.listeners = [ + { port = 8008; + bind_addresses = [ "0.0.0.0" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = [ "client" "federation" ]; + compress = true; + } + ]; + } + ]; + }; + + services.mautrix-telegram = { + enable = true; + environmentFile = config.sops.templates.mautrixtelegram.path; + settings = { + homeserver = { + address = "http://localhost:8008"; + domain = matrixDomain; + }; + appservice = { + address= "http://localhost:29317"; + hostname = "0.0.0.0"; + port = "29317"; + provisioning.enabled = true; + id = "telegram"; + # ephemeral_events = true; # not needed due to double puppeting + public = { + enabled = false; + }; + database = "postgresql:///mautrix-telegram?host=/run/postgresql"; + }; + bridge = { + # login_shared_secret_map = { + # matrixDomain = "as_token:doublepuppet"; + # }; + relaybot.authless_portals = true; + allow_avatar_remove = true; + allow_contact_info 
= true; + sync_channel_members = true; + startup_sync = true; + sync_create_limit = 0; + sync_direct_chats = true; + telegram_link_preview = true; + permissions = { + "*" = "relaybot"; + "@swarsel:${matrixDomain}" = "admin"; + }; + # Animated stickers conversion requires additional packages in the + # service's path. + # If this isn't a fresh installation, clearing the bridge's uploaded + # file cache might be necessary (make a database backup first!): + # delete from telegram_file where \ + # mime_type in ('application/gzip', 'application/octet-stream') + animated_sticker = { + target = "gif"; + args = { + width = 256; + height = 256; + fps = 30; # only for webm + background = "020202"; # only for gif, transparency not supported + }; + }; + }; + }; + }; + systemd.services.mautrix-telegram.path = with pkgs; [ + lottieconverter # for animated stickers conversion, unfree package + ffmpeg # if converting animated stickers to webm (very slow!) + ]; + + services.mautrix-whatsapp = { + enable = true; + # environmentFile = config.sops.templates.mautrixwhatsapp.path; + settings = { + homeserver = { + address = "http://localhost:8008"; + domain = matrixDomain; + }; + appservice = { + address= "http://localhost:29318"; + hostname = "0.0.0.0"; + port = 29318; + database = { + type = "postgres"; + uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql"; + }; + }; + bridge = { + displayname_template = "{{or .FullName .PushName .JID}} (WA)"; + history_sync = { + backfill = true; + max_initial_conversations = -1; + message_count = -1; + request_full_sync = true; + full_sync_config = { + days_limit = 900; + size_mb_limit = 5000; + storage_quota_mb = 5000; + }; + }; + login_shared_secret_map = { + matrixDomain = "as_token:doublepuppet"; + }; + sync_manual_marked_unread = true; + send_presence_on_typing = true; + parallel_member_sync = true; + url_previews = true; + caption_in_message = true; + extev_polls = true; + permissions = { + "*" = "relaybot"; + 
"@swarsel:${matrixDomain}" = "admin"; + }; + }; + }; + }; + + services.mautrix-signal = { + enable = true; + # environmentFile = config.sops.templates.mautrixwhatsapp.path; + settings = { + homeserver = { + address = "http://localhost:8008"; + domain = matrixDomain; + }; + appservice = { + + address= "http://localhost:29328"; + hostname = "0.0.0.0"; + port = 29328; + database = { + type = "postgres"; + uri = "postgresql:///mautrix-signal?host=/run/postgresql"; + }; + }; + bridge = { + displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)"; + login_shared_secret_map = { + matrixDomain = "as_token:doublepuppet"; + }; + caption_in_message = true; + permissions = { + "*" = "relaybot"; + "@swarsel:${matrixDomain}" = "admin"; + }; + }; + }; + }; + + # restart the bridges daily. this is done for the signal bridge mainly which stops carrying + # messages out after a while. + + systemd.timers."restart-bridges" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "1d"; + OnUnitActiveSec = "1d"; + Unit = "restart-bridges.service"; + }; + }; + + systemd.services."restart-bridges" = { + script = '' + systemctl restart mautrix-whatsapp.service + systemctl restart mautrix-signal.service + systemctl restart mautrix-telegram.service + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; + + } + +#+end_src + +*** Sound +**** NixOS + +#+begin_src nix :noweb yes :tangle profiles/server1/sound/nixos.nix + + { config, pkgs, modulesPath, ... 
}: + + { + <> + + proxmoxLXC.privileged = true; # manage hostname myself + + users.groups.lxc_pshares = { + gid = 110000; + members = [ + "navidrome" + "mpd" + "root" + ]; + }; + + users.groups.navidrome = { + gid = 61593; + }; + + users.groups.mpd = {}; + + users.users.navidrome = { + isSystemUser = true; + uid = 61593; + group = "navidrome"; + extraGroups = [ "audio" "utmp" ]; + }; + + users.users.mpd = { + isSystemUser = true; + group = "mpd"; + extraGroups = [ "audio" "utmp" ]; + }; + + sound = { + enable = true; + }; + + hardware.enableAllFirmware = true; + networking.hostName = "sound"; # Define your hostname. + networking.firewall.enable = false; + environment.systemPackages = with pkgs; [ + git + gnupg + ssh-to-age + pciutils + alsa-utils + mpv + ]; + + sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; + sops.defaultSopsFile = "/.dotfiles/secrets/sound/secrets.yaml"; + sops.validateSopsFiles = false; + sops.secrets.mpdpass = { owner = "mpd";}; + + services.navidrome = { + enable = true; + settings = { + Address = "0.0.0.0"; + Port = 4040; + MusicFolder = "/media"; + EnableSharing = true; + EnableTranscodingConfig = true; + Scanner.GroupAlbumReleases = true; + ScanSchedule = "@every 1d"; + # Insert these values locally as sops-nix does not work for them + LastFM.ApiKey = TEMPLATE; + LastFM.Secret = TEMPLATE; + Spotify.ID = TEMPLATE; + Spotify.Secret = TEMPLATE; + UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png"; + UIWelcomeMessage = "~SwarselSound~"; + }; + }; + services.mpd = { + enable = true; + musicDirectory = "/media"; + user = "mpd"; + group = "mpd"; + network = { + port = 3254; + listenAddress = "any"; + }; + credentials = [ + { + passwordFile = config.sops.secrets.mpdpass.path; + permissions = [ + "read" + "add" + "control" + "admin" + ]; + } + ]; + }; + } +#+end_src + +*** Spotifyd +**** NixOS + +#+begin_src nix :noweb yes :tangle profiles/server1/spotifyd/nixos.nix + + { config, pkgs, modulesPath, ... 
}: + + { + <> + + proxmoxLXC.privileged = true; # manage hostname myself + + users.groups.spotifyd = { + gid = 65136; + }; + + users.users.spotifyd = { + isSystemUser = true; + uid = 65136; + group = "spotifyd"; + extraGroups = [ "audio" "utmp" ]; + }; + + sound = { + enable = true; + }; + + hardware.enableAllFirmware = true; + networking.hostName = "spotifyd"; # Define your hostname. + networking.firewall.enable = false; + environment.systemPackages = with pkgs; [ + git + gnupg + ssh-to-age + ]; + + # sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; + # sops.defaultSopsFile = "/.dotfiles/secrets/spotifyd/secrets.yaml"; + # sops.validateSopsFiles = false; + + services.spotifyd = { + enable = true; + settings = { + global = { + dbus_type = "session"; + use_mpris = false; + device = "default:CARD=PCH"; + device_name = "SwarselSpot"; + mixer = "alsa"; + zeroconf_port = 1025; + }; + }; + }; + + } + +#+end_src + +*** Sync +**** NixOS + +#+begin_src nix :tangle profiles/remote/oracle/sync/nixos.nix + + { config, pkgs, modulesPath, ... 
}: + + { + imports = [ + ./hardware-configuration.nix + ]; + + environment.systemPackages = with pkgs; [ + git + gnupg + ssh-to-age + ]; + + services.xserver = { + layout = "us"; + xkbVariant = "altgr-intl"; + }; + + nix.settings.experimental-features = ["nix-command" "flakes"]; + + sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; + sops.defaultSopsFile = "/root/.dotfiles/secrets/sync/secrets.yaml"; + sops.validateSopsFiles = false; + sops.secrets.swarsel = { owner = "root";}; + sops.secrets.dnstokenfull = {owner="acme";}; + sops.templates."certs.secret".content = '' + CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} + ''; + + security.acme = { + acceptTerms = true; + preliminarySelfsigned = false; + defaults.email = "mrswarsel@gmail.com"; + defaults.dnsProvider = "cloudflare"; + defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; + }; + + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + virtualHosts = { + + "synki.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://localhost:27701"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + "sync.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://localhost:8384/"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + "git.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://localhost:3000"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + }; + }; + + boot.tmp.cleanOnBoot = true; + zramSwap.enable = false; + networking.hostName = "sync"; + networking.enableIPv6 = false; + networking.domain = "subnet03112148.vcn03112148.oraclevcn.com"; + networking.firewall.extraCommands = '' + iptables -I INPUT -m state 
--state NEW -p tcp --dport 80 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT + iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT + iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT + ''; + services.openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + }; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../../../../secrets/keys/authorized_keys + ]; + + system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change + + environment.shellAliases = { + nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; + }; + + boot.loader.grub.device = "nodev"; + + services.anki-sync-server = { + enable = true; + port = 27701; + address = "0.0.0.0"; + openFirewall = true; + users = [ + { + username = "Swarsel"; + passwordFile = config.sops.secrets.swarsel.path; + } + ]; + }; + + services.syncthing = { + enable = true; + guiAddress = "0.0.0.0:8384"; + openDefaultPorts = true; + }; + + services.forgejo = { + enable = true; + settings = { + DEFAULT = { + APP_NAME = "~SwaGit~"; + }; + server = { + PROTOCOL = "http"; + HTTP_PORT = 3000; + HTTP_ADDR = "0.0.0.0"; + DOMAIN = "git.swarsel.win"; + ROOT_URL = "https://git.swarsel.win"; + }; + service = { + DISABLE_REGISTRATION = true; + SHOW_REGISTRATION_BUTTON = false; + }; + }; + }; + + } + +#+end_src + * Common NixOS These are system-level settings specific to NixOS machines. All settings that are required on all machines go here. 
@@ -1590,6 +3141,12 @@ Also, I define some useful shell scripts here.
 {
 home.packages = with pkgs; [
+ # audio stuff
+ spek # spectrum analyzer
+ losslessaudiochecker
+ ffmpeg_5-full
+ flac
+
 # "big" programs
 filebot
 gimp
@@ -1795,6 +3352,35 @@ Also, I define some useful shell scripts here.
 #+end_src
+** sops
+
+I use sops-nix to handle secrets that I want to have available on my machines at all times. Procedure to add a new machine:
+- `ssh-keygen -t ed25519 -C "NAME sops"` in .ssh directory (or wherever) - name e.g. "sops"
+- cat ~/.ssh/sops.pub | ssh-to-age | wl-copy
+- add the output to .sops.yaml
+- cp ~/.ssh/sops.pub ~/.dotfiles/secrets/keys/NAME.pub
+- update entry for sops.age.sshKeyPaths
+
+#+begin_src nix :tangle profiles/common/home.nix
+
+ sops.defaultSopsFile = "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml";
+ sops.validateSopsFiles = false;
+
+ # sops.age.keyFile = "${config.home.homeDirectory}/.ssh/key.txt";
+ # This will generate a new key if the key specified above does not exist
+ # sops.age.generateKey = true;
+
+ # sops.gnupg.home = "/home/swarsel/.dotfiles/secrets/keys";
+ # since we are using the home-manager implementation, we need to specify the runtime path for each secret
+ sops.secrets.mrswarsel = {path = "/run/user/1000/secrets/mrswarsel";};
+ sops.secrets.nautilus = {path = "/run/user/1000/secrets/nautilus";};
+ sops.secrets.leon = {path = "/run/user/1000/secrets/leon";};
+ sops.secrets.caldav = {path = "${config.home.homeDirectory}/.emacs.d/.caldav";};
+ # sops.secrets.leon = { };
+ # sops.secrets.nautilus = { };
+ # sops.secrets.mrswarsel = { };
+#+end_src
+
 ** SSH Machines
 It is very convenient to have SSH aliases in place for machines that I use. This is mainly used for some server machines and some university clusters.
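Review bot: In `@@ -1795,6 +3352,35 @@`, `sops.secrets.caldav` is materialised at `${config.home.homeDirectory}/.emacs.d/.caldav`, so unlike the three secrets placed under `/run/user/1000/secrets/` this one is decrypted onto persistent home storage rather than the per-session runtime directory, and nothing next to the line says that this is deliberate (presumably Emacs reads it from there); a comment such as `# on disk, not in the runtime dir: Emacs expects it at this path` would stop the next reader from "fixing" it. The `/run/user/1000/...` paths also hard-code the uid, and `sops.validateSopsFiles = false` switches off the build-time check with no stated reason, so each deserves a one-line why. The same block is tangled into profiles/common/home.nix in hunk `@@ -205,6 +211,23 @@` of that file, where the same remarks apply.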
@@ -1810,6 +3396,11 @@ It is very convenient to have SSH aliases in place for machines that I use. This
 port = 22;
 user = "root";
 };
+ "jellyfin" = {
+ hostname = "192.168.2.16";
+ port = 22;
+ user = "root";
+ };
 "pfsense" = {
 hostname = "192.168.1.1";
 port = 22;
@@ -1825,6 +3416,11 @@ It is very convenient to have SSH aliases in place for machines that I use. This
 port = 22;
 user = "root";
 };
+ "fetcher" = {
+ hostname = "192.168.1.192";
+ port = 22;
+ user = "root";
+ };
 "omv" = {
 hostname = "192.168.1.3";
 port = 22;
@@ -1850,6 +3446,11 @@ It is very convenient to have SSH aliases in place for machines that I use. This
 port = 22;
 user = "root";
 };
+ "spotify" = {
+ hostname = "192.168.1.17";
+ port = 22;
+ user = "root";
+ };
 "wordpress" = {
 hostname = "192.168.2.7";
 port = 22;
@@ -1870,11 +3471,26 @@ It is very convenient to have SSH aliases in place for machines that I use. This
 port = 22;
 user = "root";
 };
+ "matrix2" = {
+ hostname = "192.168.2.20";
+ port = 22;
+ user = "root";
+ };
 "database" = {
 hostname = "192.168.2.21";
 port = 22;
 user = "root";
 };
+ "minecraft" = {
+ hostname = "130.61.119.129";
+ port = 22;
+ user = "opc";
+ };
+ "sync" = {
+ hostname = "193.122.53.173";
+ port = 22;
+ user = "root"; #this is a oracle vm server but needs root due to nixos-infect
+ };
 "pkv" = {
 hostname = "46.232.248.161";
 port = 22;
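Review bot: The `"sync"` alias in `@@ -1870,11 +3471,26 @@` logs into a public address as `root`, and its comment (`#this is a oracle vm server but needs root due to nixos-infect`) reads as a permanent justification for something only needed during the initial nixos-infect run; the Sync profile added earlier in this commit pairs it with `settings.PermitRootLogin = "yes"`, which also admits password-based root login unless password authentication is disabled separately. Once the host is installed, a normal user plus `PermitRootLogin = "prohibit-password"` keeps the key-based workflow and closes that path, so I would reword the comment to `# TODO: drop root login once nixos-infect is done`. Minor: `#this` lacks the space after `#` that the other comments in this file use. The same aliases are tangled into profiles/common/home.nix (hunk `@@ -274,11 +312,26 @@` there), so the note applies to both.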
@@ -1941,35 +3557,6 @@ It is very convenient to have SSH aliases in place for machines that I use. This
 #+end_src
-** sops
-
-I use sops-nix to handle secrets that I want to have available on my machines at all times. Procedure to add a new machine:
-- `ssh-keygen -t ed25519 -C "NAME sops"` in .ssh directory (or wherever) - name e.g. "sops"
-- cat ~/.ssh/sops.pub | ssh-to-age | wl-copy
-- add the output to .sops.yaml
-- cp ~/.ssh/sops.pub ~/.dotfiles/secrets/keys/NAME.pub
-- update entry for sops.age.sshKeyPaths
-
-#+begin_src nix :tangle profiles/common/home.nix
-
- sops.defaultSopsFile = "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml";
- sops.validateSopsFiles = false;
-
- # sops.age.keyFile = "${config.home.homeDirectory}/.ssh/key.txt";
- # This will generate a new key if the key specified above does not exist
- # sops.age.generateKey = true;
-
- # sops.gnupg.home = "/home/swarsel/.dotfiles/secrets/keys";
- # since we are using the home-manager implementation, we need to specify the runtime path for each secret
- sops.secrets.mrswarsel = {path = "/run/user/1000/secrets/mrswarsel";};
- sops.secrets.nautilus = {path = "/run/user/1000/secrets/nautilus";};
- sops.secrets.leon = {path = "/run/user/1000/secrets/leon";};
- sops.secrets.caldav = {path = "${config.home.homeDirectory}/.emacs.d/.caldav";};
- # sops.secrets.leon = { };
- # sops.secrets.nautilus = { };
- # sops.secrets.mrswarsel = { };
-#+end_src
-
 ** Fonts + Theme
 These section allows home-manager to allow theme settings, and handles some other appearance-related settings like cursor styles. Interestingly, system icons (adwaita) still need to be setup on system-level, and will break if defined here.
@@ -3429,7 +5016,7 @@ I am currently using SwayFX, which adds some nice effects to sway, like rounded
 #+end_src
-* TODO Manual tasks and Closing Parenthesis (this needs to be the last heading)
+* TODO Manual tasks, flake.nix skeleton and Closing Parenthesis (this needs to be the last heading)
 Here are listed some tasks that I was not able to automate yet, these need to be done automatically for now. Also, this section exists to add an extra closing parenthesis to common.nix so that I do not need to think about this anymore if I ever decide to add more headings towards the end of this file ;)
@@ -3439,6 +5026,7 @@ Here are listed some tasks that I was not able to automate yet, these need to be
 The last blocks exist to close the opening parenthesis of modules/common.nix (home-manager) and profiles/common.nix (NixOS):
+** Closing parentheses for common/home.nix and common/nixos.nix
 #+begin_src nix :tangle profiles/common/home.nix
@@ -3451,3 +5039,55 @@ The last blocks exist to close the opening parenthesis of modules/common.nix (ho } #+end_src + +** flake.nix + +This tangles the flake.nix file; This block only needs to be touched when updating the general structure of the flake. For everything else, see the respective noweb-ref block. + +#+begin_src nix :noweb yes :tangle flake.nix + + { + description = "SwarseFlake - Nix Flake for all SwarselSystems"; + + inputs = { + <> + }; + + outputs = inputs@{ + self, + <> + ... + }: let + <> + in { + + # NixOS setups - run home-manager as a NixOS module for better compatibility + # another benefit - full rebuild on nixos-rebuild switch + # run rebuild using `nswitch` + + # NEW HOSTS: For a new host, decide whether a NixOS (nixosConfigurations) or non-NixOS (homeConfigurations) is used. + # Make sure to move hardware-configuration to the appropriate location, by default it is found in /etc/nixos/. + + nixosConfigurations = { + <> + }; + + # pure Home Manager setups - for non-NixOS machines + # run rebuild using `hmswitch` + + homeConfigurations = { + <> + }; + + nixOnDroidConfigurations = { + <> + }; + + packages.x86_64-linux = { + <> + }; + + }; + } + +#+end_src diff --git a/flake.lock b/flake.lock index 5ad0b9d..c2d3241 100644 --- a/flake.lock +++ b/flake.lock @@ -537,6 +537,22 @@ "type": "github" } }, + "nixpkgs-mautrix-signal": { + "locked": { + "lastModified": 1703864075, + "narHash": "sha256-0TtwnLaBydIjpugK1kIIL18dRXZ9KaECfQmkJVBFEa0=", + "owner": "niklaskorz", + "repo": "nixpkgs", + "rev": "d5ba4fc361fbdd71300b190d4fdb82d3c9e46938", + "type": "github" + }, + "original": { + "owner": "niklaskorz", + "ref": "nixos-23.11-mautrix-signal", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1701805708, 
@@ -711,6 +727,27 @@
 "type": "github"
 }
 },
+ "pia": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1687263775,
+ "narHash": "sha256-sSVNT3o+4RcdnUqdVloPc3UvM3LancTY6htyzAHrC0w=",
+ "ref": "development",
+ "rev": "190f8040cc4837fb6b3c43032711e1536ef2270b",
+ "revCount": 10,
+ "type": "git",
+ "url": "https://git.sr.ht/~rprospero/nixos-pia"
+ },
+ "original": {
+ "ref": "development",
+ "type": "git",
+ "url": "https://git.sr.ht/~rprospero/nixos-pia"
+ }
+ },
 "pre-commit-hooks-nix": {
 "inputs": {
 "flake-compat": [
@@ -751,7 +788,9 @@
 "nixgl": "nixgl",
 "nixos-generators": "nixos-generators",
 "nixpkgs": "nixpkgs_3",
+ "nixpkgs-mautrix-signal": "nixpkgs-mautrix-signal",
 "nur": "nur",
+ "pia": "pia",
 "sops-nix": "sops-nix",
 "stylix": "stylix"
 }
diff --git a/flake.nix b/flake.nix
index aa80ff6..0fff8ab 100644
--- a/flake.nix
+++ b/flake.nix
@@ -47,6 +47,17 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ pia = {
+ url = "git+https://git.sr.ht/~rprospero/nixos-pia?ref=development";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ # provides expressions for mautrix-signal
+ nixpkgs-mautrix-signal ={
+ url = github:niklaskorz/nixpkgs/nixos-23.11-mautrix-signal;
+ };
+
+
 };
 outputs = inputs@{
@@ -62,6 +73,8 @@
 stylix,
 sops-nix,
 lanzaboote,
+ pia,
+ nixpkgs-mautrix-signal,
 ...
 }: let
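Review bot: Both inputs added in `@@ -47,6 +47,17 @@` of flake.nix follow a moving branch rather than a commit — `?ref=development` on a personal sr.ht repository and the `nixos-23.11-mautrix-signal` branch of a personal nixpkgs fork — and `pia` ships a NixOS module that this commit later imports into the transmission host, i.e. third-party code that evaluates with full access to that system's configuration. flake.lock pins the revisions for now, but any `nix flake update` will silently move to whatever those branches then contain; pinning the URLs to the locked commits (`?rev=190f8040cc4837fb6b3c43032711e1536ef2270b` for pia, `github:niklaskorz/nixpkgs/d5ba4fc361fbdd71300b190d4fdb82d3c9e46938` for the fork) keeps an update an explicit decision, and a comment on when the fork can go away (once mautrix-signal is in nixpkgs) would help. Style: `nixpkgs-mautrix-signal ={` is missing the space before `=`, and its `url` is an unquoted URL literal while every other input quotes its URL.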
@@ -71,9 +84,24 @@
 overlays = [ emacs-overlay.overlay nur.overlay nixgl.overlay
+ # (self: super: {
+ # airsonic = super.airsonic.overrideAttrs (_: rec {
+ # version = "11.0.2-kagemomiji";
+ # name = "airsonic-advanced-${version}";
+ # src = super.fetchurl {
+ # url = "https://github.com/kagemomiji/airsonic-advanced/releases/download/11.0.2/airsonic.war";
+ # sha256 = "PgErtEizHraZgoWHs5jYJJ5NsliDd9VulQfS64ackFo=";
+ # };
+ # });
+ # })
 ];
 config.allowUnfree = true;
 };
+
+ pkgsmautrix = import nixpkgs-mautrix-signal { inherit system;
+ config.allowUnfree = true;
+ };
+
 # NixOS modules that can only be used on NixOS systems
 nixModules = [ stylix.nixosModules.stylix ./profiles/common/nixos.nix
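Review bot: `pkgsmautrix` in `@@ -71,9 +84,24 @@` instantiates nixpkgs a second time with only `config.allowUnfree = true`, so it carries none of the `overlays` (emacs-overlay, nur, nixgl) that the `pkgs` import just above it applies — the enclosing `let` and the start of that `pkgs = import …` expression lie above the hunk; the matrix host, which takes `pkgs = pkgsmautrix` later in this commit, therefore gets a visibly different package set from every other host, and nothing at the definition says so. Hoisting the overlay list into its own `let` binding used by both imports, with a comment such as `# same overlays as pkgs; separate instance only until mautrix-signal lands in nixpkgs`, would make the intent explicit. The ten-line commented-out airsonic overlay, embedded hash included, is dead code; drop it or replace it with a one-line pointer to where it lives.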
@@ -151,6 +179,76 @@
 ];
 };
+ nginx = nixpkgs.lib.nixosSystem {
+ specialArgs = {inherit inputs pkgs; };
+ modules = [
+ sops-nix.nixosModules.sops
+ ./profiles/server1/nginx/nixos.nix
+ ];
+ };
+
+ calibre = nixpkgs.lib.nixosSystem {
+ specialArgs = {inherit inputs pkgs; };
+ modules = [
+ sops-nix.nixosModules.sops
+ ./profiles/server1/calibre/nixos.nix
+ ];
+ };
+
+ jellyfin = nixpkgs.lib.nixosSystem {
+ specialArgs = {inherit inputs pkgs; };
+ modules = [
+ # sops-nix.nixosModules.sops
+ ./profiles/server1/jellyfin/nixos.nix
+ ];
+ };
+
+ transmission = nixpkgs.lib.nixosSystem {
+ specialArgs = {inherit inputs pkgs; };
+ modules = [
+ sops-nix.nixosModules.sops
+ pia.nixosModule
+ ./profiles/server1/transmission/nixos.nix
+ ];
+ };
+
+ matrix = nixpkgs.lib.nixosSystem {
+ # specialArgs = {inherit pkgsmautrix; };
+ pkgs = pkgsmautrix;
+ # this is to import a service module that is not on nixpkgs
+ # this way avoids infinite recursion errors
+ specialArgs.unstable = nixpkgs-mautrix-signal;
+ modules = [
+ sops-nix.nixosModules.sops
+ ./profiles/server1/matrix/nixos.nix
+ ];
+ };
+
+ sound = nixpkgs.lib.nixosSystem {
+ specialArgs = {inherit inputs pkgs; };
+ modules = [
+ sops-nix.nixosModules.sops
+ ./profiles/server1/sound/nixos.nix
+ ];
+ };
+
+ spotifyd = nixpkgs.lib.nixosSystem {
+ specialArgs = {inherit inputs pkgs; };
+ modules = [
+ sops-nix.nixosModules.sops
+ ./profiles/server1/spotifyd/nixos.nix
+ ];
+ };
+
+ #ovm
+ sync = nixpkgs.lib.nixosSystem {
+ specialArgs = {inherit inputs pkgs; };
+ modules = [
+ sops-nix.nixosModules.sops
+ ./profiles/remote/oracle/sync/nixos.nix
+ ];
+ };
+
 };
 # pure Home Manager setups - for non-NixOS machines
diff --git a/profiles/common/home.nix b/profiles/common/home.nix
index e0dba4d..68148ff 100644
--- a/profiles/common/home.nix
+++ b/profiles/common/home.nix
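Review bot: The eight `nixosSystem` entries added in `@@ -151,6 +179,76 @@` repeat the same `specialArgs`/`modules` shape, and the three places where they differ look accidental rather than documented: `jellyfin` has `sops-nix.nixosModules.sops` commented out, `matrix` drops `specialArgs = {inherit inputs pkgs; }` in favour of `specialArgs.unstable` (so `inputs` is not available to its profile unless it is supplied elsewhere), and `transmission` pulls in the third-party `pia.nixosModule`. A small helper removes the repetition and makes every deviation visible at the call site, e.g. `mkServer = extra: profile: nixpkgs.lib.nixosSystem { specialArgs = { inherit inputs pkgs; }; modules = [ sops-nix.nixosModules.sops profile ] ++ extra; };` followed by `transmission = mkServer [ pia.nixosModule ] ./profiles/server1/transmission/nixos.nix;`. Each remaining exception (no sops for jellyfin, the fork-based `pkgs` for matrix) should then carry a one-line comment saying why. `#ovm` above `sync` would read better spelled out, presumably `# Oracle Cloud VM`.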
@@ -3,6 +3,12 @@ { home.packages = with pkgs; [ + # audio stuff + spek # spectrum analyzer + losslessaudiochecker + ffmpeg_5-full + flac + # "big" programs filebot gimp @@ -205,6 +211,23 @@ # MIGHT NEED TO ENABLE THIS ON SURFACE!! +sops.defaultSopsFile = "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml"; +sops.validateSopsFiles = false; + +# sops.age.keyFile = "${config.home.homeDirectory}/.ssh/key.txt"; +# This will generate a new key if the key specified above does not exist +# sops.age.generateKey = true; + +# sops.gnupg.home = "/home/swarsel/.dotfiles/secrets/keys"; +# since we are using the home-manager implementation, we need to specify the runtime path for each secret +sops.secrets.mrswarsel = {path = "/run/user/1000/secrets/mrswarsel";}; +sops.secrets.nautilus = {path = "/run/user/1000/secrets/nautilus";}; +sops.secrets.leon = {path = "/run/user/1000/secrets/leon";}; +sops.secrets.caldav = {path = "${config.home.homeDirectory}/.emacs.d/.caldav";}; +# sops.secrets.leon = { }; +# sops.secrets.nautilus = { }; +# sops.secrets.mrswarsel = { }; + programs.ssh= { enable = true; extraConfig = "SetEnv TERM=xterm-256color"; @@ -214,6 +237,11 @@ programs.ssh= { port = 22; user = "root"; }; + "jellyfin" = { + hostname = "192.168.2.16"; + port = 22; + user = "root"; + }; "pfsense" = { hostname = "192.168.1.1"; port = 22; @@ -229,6 +257,11 @@ programs.ssh= { port = 22; user = "root"; }; + "fetcher" = { + hostname = "192.168.1.192"; + port = 22; + user = "root"; + }; "omv" = { hostname = "192.168.1.3"; port = 22; @@ -254,6 +287,11 @@ programs.ssh= { port = 22; user = "root"; }; + "spotify" = { + hostname = "192.168.1.17"; + port = 22; + user = "root"; + }; "wordpress" = { hostname = "192.168.2.7"; port = 22; 
@@ -274,11 +312,26 @@ programs.ssh= { port = 22; user = "root"; }; + "matrix2" = { + hostname = "192.168.2.20"; + port = 22; + user = "root"; + }; "database" = { hostname = "192.168.2.21"; port = 22; user = "root"; }; + "minecraft" = { + hostname = "130.61.119.129"; + port = 22; + user = "opc"; + }; + "sync" = { + hostname = "193.122.53.173"; + port = 22; + user = "root"; #this is a oracle vm server but needs root due to nixos-infect + }; "pkv" = { hostname = "46.232.248.161"; port = 22; @@ -343,23 +396,6 @@ programs.ssh= { }; }; -sops.defaultSopsFile = "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml"; -sops.validateSopsFiles = false; - -# sops.age.keyFile = "${config.home.homeDirectory}/.ssh/key.txt"; -# This will generate a new key if the key specified above does not exist -# sops.age.generateKey = true; - -# sops.gnupg.home = "/home/swarsel/.dotfiles/secrets/keys"; -# since we are using the home-manager implementation, we need to specify the runtime path for each secret -sops.secrets.mrswarsel = {path = "/run/user/1000/secrets/mrswarsel";}; -sops.secrets.nautilus = {path = "/run/user/1000/secrets/nautilus";}; -sops.secrets.leon = {path = "/run/user/1000/secrets/leon";}; -sops.secrets.caldav = {path = "${config.home.homeDirectory}/.emacs.d/.caldav";}; -# sops.secrets.leon = { }; -# sops.secrets.nautilus = { }; -# sops.secrets.mrswarsel = { }; - stylix.targets.emacs.enable = false; # fonts.fontconfig.enable = true; diff --git a/profiles/onett/nixos.nix b/profiles/onett/nixos.nix index 53db7a9..0b9c390 100644 --- a/profiles/onett/nixos.nix +++ b/profiles/onett/nixos.nix @@ -14,6 +14,7 @@ xserver.videoDrivers = ["nvidia"]; }; + hardware = { nvidia = { modesetting.enable = true; @@ -89,6 +90,7 @@ }; networking.hostName = "onett"; # Define your hostname. + networking.enableIPv6 = false; users.users.swarsel = { isNormalUser = true; 
@@ -99,4 +101,8 @@ system.stateVersion = "23.05"; # Did you read the comment? + environment.systemPackages = with pkgs; [ + ]; + + } diff --git a/profiles/remote/oracle/sync/hardware-configuration.nix b/profiles/remote/oracle/sync/hardware-configuration.nix new file mode 100644 index 0000000..9b86511 --- /dev/null +++ b/profiles/remote/oracle/sync/hardware-configuration.nix @@ -0,0 +1,36 @@ +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/4b47378a-02eb-4548-bab8-59cbf379252a"; + fsType = "xfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/2B75-2AD5"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/f0126a93-753e-4769-ada8-7499a1efb3a9"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/profiles/remote/oracle/sync/nixos.nix b/profiles/remote/oracle/sync/nixos.nix new file mode 100644 index 0000000..2034d6d --- /dev/null +++ b/profiles/remote/oracle/sync/nixos.nix 
@@ -0,0 +1,160 @@ +{ config, pkgs, modulesPath, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ]; + + environment.systemPackages = with pkgs; [ + git + gnupg + ssh-to-age + ]; + + services.xserver = { + layout = "us"; + xkbVariant = "altgr-intl"; + }; + + nix.settings.experimental-features = ["nix-command" "flakes"]; + + sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; + sops.defaultSopsFile = "/root/.dotfiles/secrets/sync/secrets.yaml"; + sops.validateSopsFiles = false; + sops.secrets.swarsel = { owner = "root";}; + sops.secrets.dnstokenfull = {owner="acme";}; + sops.templates."certs.secret".content = '' + CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} + ''; + + security.acme = { + acceptTerms = true; + preliminarySelfsigned = false; + defaults.email = "mrswarsel@gmail.com"; + defaults.dnsProvider = "cloudflare"; + defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; + }; + + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + virtualHosts = { + + "synki.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://localhost:27701"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + "sync.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://localhost:8384/"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + "git.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://localhost:3000"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + }; + }; + + boot.tmp.cleanOnBoot = true; + zramSwap.enable = false; + networking.hostName = "sync"; + networking.enableIPv6 = false; + networking.domain = "subnet03112148.vcn03112148.oraclevcn.com"; + 
networking.firewall.extraCommands = ''
+ iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
+ iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
+ iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
+ iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
+ iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
+ iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
+ iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
+ iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
+ '';
+ services.openssh = {
+ enable = true;
+ settings.PermitRootLogin = "yes";
+ };
+ users.users.root.openssh.authorizedKeys.keyFiles = [
+ ../../../../secrets/keys/authorized_keys
+ ];
+
+ system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change
+
+ environment.shellAliases = {
+ nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
+ };
+
+ boot.loader.grub.device = "nodev";
+
+ services.anki-sync-server = {
+ enable = true;
+ port = 27701;
+ address = "0.0.0.0";
+ openFirewall = true;
+ users = [
+ {
+ username = "Swarsel";
+ passwordFile = config.sops.secrets.swarsel.path;
+ }
+ ];
+ };
+
+ services.syncthing = {
+ enable = true;
+ guiAddress = "0.0.0.0:8384";
+ openDefaultPorts = true;
+ };
+
+ services.forgejo = {
+ enable = true;
+ settings = {
+ DEFAULT = {
+ APP_NAME = "~SwaGit~";
+ };
+ server = {
+ PROTOCOL = "http";
+ HTTP_PORT = 3000;
+ HTTP_ADDR = "0.0.0.0";
+ DOMAIN = "git.swarsel.win";
+ ROOT_URL = "https://git.swarsel.win";
+ };
+ service = {
+ DISABLE_REGISTRATION = true;
+ SHOW_REGISTRATION_BUTTON = false;
+ };
+ };
+ };
+
+}
diff --git a/profiles/server1/TEMPLATE/nixos.nix b/profiles/server1/TEMPLATE/nixos.nix
index a0c8baa..8e8c222 100644
--- a/profiles/server1/TEMPLATE/nixos.nix
+++ b/profiles/server1/TEMPLATE/nixos.nix
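Review bot: The `extraCommands` rules open 27701, 8384 and 3000 on the public interface while anki-sync-server, syncthing's GUI and forgejo all bind `0.0.0.0`, so the plaintext backends stay reachable from the internet next to the TLS vhosts nginx already fronts for them on 443 (`openFirewall = true` and `openDefaultPorts = true` also duplicate the 27701/22000/21027 rules). Binding the three services to loopback and replacing the raw iptables block with `networking.firewall.allowedTCPPorts` leaves only 80/443 plus syncthing's own sync and discovery ports exposed, as in the excerpt below. Nothing in this file sets a GUI user or password for syncthing, so until the bind address changes the admin UI on 8384 is open to anyone who reaches it — confirm whether credentials were set out of band. `services.openssh.settings.PermitRootLogin = "yes"` additionally allows password logins for root although access is key-based via `authorizedKeys.keyFiles`; `settings.PermitRootLogin = "prohibit-password";` together with `settings.PasswordAuthentication = false;` keeps that access, and the same setting is repeated in the new calibre, jellyfin, matrix, nginx and sound profiles.
```nix
  # 80/443 for nginx; syncthing's sync/discovery ports come from openDefaultPorts below.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  # … unchanged: services.openssh, authorizedKeys, stateVersion, shellAliases, grub …
  services.anki-sync-server = {
    enable = true;
    port = 27701;
    address = "127.0.0.1"; # only reached through the synki.swarsel.win vhost
    users = [
      {
        username = "Swarsel";
        passwordFile = config.sops.secrets.swarsel.path;
      }
    ];
  };

  services.syncthing = {
    enable = true;
    guiAddress = "127.0.0.1:8384"; # only reached through the sync.swarsel.win vhost
    openDefaultPorts = true;       # 22000/tcp+udp and 21027/udp
  };
  # … unchanged: services.forgejo, except …
      HTTP_ADDR = "127.0.0.1";
```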
@@ -16,8 +16,10 @@ xkbVariant = "altgr-intl"; }; + nix.settings.experimental-features = ["nix-command" "flakes"]; + proxmoxLXC.manageNetwork = true; # manage network myself - proxmoxLXC.manageHostName = true; # manage hostname myself + proxmoxLXC.manageHostName = false; # manage hostname myself networking.hostName = "TEMPLATE"; # Define your hostname. networking.useDHCP = true; networking.enableIPv6 = false; diff --git a/profiles/server1/calibre/hardware-configuration.nix b/profiles/server1/calibre/hardware-configuration.nix new file mode 100644 index 0000000..c572cde --- /dev/null +++ b/profiles/server1/calibre/hardware-configuration.nix @@ -0,0 +1,29 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/mapper/pve-vm--120--disk--0"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eth0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/profiles/server1/calibre/nixos.nix b/profiles/server1/calibre/nixos.nix new file mode 100644 index 0000000..ce6a460 --- /dev/null +++ b/profiles/server1/calibre/nixos.nix 
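Review bot: The comment on `proxmoxLXC.manageHostName = false` still reads `# manage hostname myself`, which now states the opposite of the value, and the new calibre, jellyfin, matrix, nginx and sound profiles copy the same pair verbatim. Suggest `proxmoxLXC.manageHostName = false; # let Proxmox set the hostname; NixOS does not manage /etc/hostname`. If the proxmox-lxc module takes over the hostname when this is false, the `networking.hostName = "TEMPLATE"` line directly below may be overridden — once confirmed, a comment stating which one wins would save the next reader the same question.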
@@ -0,0 +1,101 @@ +{ config, pkgs, modulesPath, ... }: + +{ + imports = [ + (modulesPath + "/virtualisation/proxmox-lxc.nix") + ./hardware-configuration.nix + ]; + + environment.systemPackages = with pkgs; [ + git + gnupg + ssh-to-age + calibre + ]; + + users.groups.lxc_shares = { + gid = 10000; + members = [ + "kavita" + "calibre-web" + "root" + ]; + }; + + services.xserver = { + layout = "us"; + xkbVariant = "altgr-intl"; + }; + + nix.settings.experimental-features = ["nix-command" "flakes"]; + + sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; + sops.defaultSopsFile = "/.dotfiles/secrets/calibre/secrets.yaml"; + sops.validateSopsFiles = false; + sops.secrets.kavita = { owner = "kavita";}; + # sops.secrets.smbuser = { }; + # sops.secrets.smbpassword = { }; + # sops.secrets.smbdomain = { }; + # sops.templates."smb.cred".content = '' + # user=${config.sops.placeholder.smbuser} + # password=${config.sops.placeholder.smbpassword} + # domain=${config.sops.placeholder.smbdomain} + # ''; + proxmoxLXC.manageNetwork = true; # manage network myself + proxmoxLXC.manageHostName = false; # manage hostname myself + networking.hostName = "calibre"; # Define your hostname. 
+ networking.useDHCP = true; + networking.enableIPv6 = false; + networking.firewall.enable = false; + services.openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + }; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../../../secrets/keys/authorized_keys + ]; + + system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change + + environment.shellAliases = { + nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; + }; + + + # services.calibre-server = { + # enable = true; + # user = "calibre-server"; + # auth.enable = true; + # auth.userDb = "/srv/calibre/users.sqlite"; + # libraries = [ + # /media/Books/main + # /media/Books/diverse + # /media/Books/language + # /media/Books/science + # /media/Books/sport + # /media/Books/novels + # ]; + # }; + + # services.calibre-web = { + # enable = true; + # user = "calibre-web"; + # group = "calibre-web"; + # listen.port = 8083; + # listen.ip = "0.0.0.0"; + # options = { + # enableBookUploading = true; + # enableKepubify = true; + # enableBookConversion = true; + # }; + # }; + + services.kavita = { + enable = true; + user = "kavita"; + port = 8080; + tokenKeyFile = config.sops.secrets.kavita.path; + }; + + +} diff --git a/profiles/server1/jellyfin/hardware-configuration.nix b/profiles/server1/jellyfin/hardware-configuration.nix new file mode 100644 index 0000000..d0d2466 --- /dev/null +++ b/profiles/server1/jellyfin/hardware-configuration.nix 
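Review bot: `networking.firewall.enable = false;` switches the host firewall off on this LXC although only kavita's port 8080 and ssh need to be reachable; the same line is in the new jellyfin, matrix and nginx profiles. Keeping the filter on with `networking.firewall.allowedTCPPorts = [ 8080 ];` (or the module's `openFirewall` where offered) costs nothing behind the nginx proxy and still limits what a compromised neighbour on the LAN can reach. The `lxc_shares` group also lists `calibre-web`, a user that only exists when the commented-out `services.calibre-web` block is enabled; confirm that `users.groups.<name>.members` tolerates an unknown user, otherwise drop the entry until that service is turned on.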
@@ -0,0 +1,34 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/mapper/pve-vm--121--disk--0"; + fsType = "ext4"; + }; + + fileSystems."/media/Videos" = + { device = "//192.168.1.3/Eternor"; + fsType = "cifs"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eth0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/profiles/server1/jellyfin/nixos.nix b/profiles/server1/jellyfin/nixos.nix new file mode 100644 index 0000000..36d209b --- /dev/null +++ b/profiles/server1/jellyfin/nixos.nix 
@@ -0,0 +1,77 @@
+{ config, pkgs, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ ./hardware-configuration.nix
+ ];
+
+ environment.systemPackages = with pkgs; [
+ git
+ gnupg
+ ssh-to-age
+ ];
+
+ users.groups.lxc_shares = {
+ gid = 10000;
+ members = [
+ "jellyfin"
+ "root"
+ ];
+ };
+
+ users.users.jellyfin = {
+ extraGroups = [ "video" "render" ];
+ };
+
+ services.xserver = {
+ layout = "us";
+ xkbVariant = "altgr-intl";
+ };
+
+ nix.settings.experimental-features = ["nix-command" "flakes"];
+
+ # sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
+ # sops.defaultSopsFile = "/.dotfiles/secrets/jellyfin/secrets.yaml";
+ # sops.validateSopsFiles = false;
+
+ proxmoxLXC.manageNetwork = true; # manage network myself
+ proxmoxLXC.manageHostName = false; # manage hostname myself
+ networking.hostName = "jellyfin"; # Define your hostname.
+ networking.useDHCP = true;
+ networking.enableIPv6 = false;
+ networking.firewall.enable = false;
+ services.openssh = {
+ enable = true;
+ settings.PermitRootLogin = "yes";
+ };
+ users.users.root.openssh.authorizedKeys.keyFiles = [
+ ../../../secrets/keys/authorized_keys
+ ];
+
+ system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
+
+ environment.shellAliases = {
+ nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
+ };
+
+ nixpkgs.config.packageOverrides = pkgs: {
+ vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+ };
+ hardware.opengl = {
+ enable = true;
+ extraPackages = with pkgs; [
+ intel-media-driver # LIBVA_DRIVER_NAME=iHD
+ vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+ vaapiVdpau
+ libvdpau-va-gl
+ ];
+ };
+
+ services.jellyfin = {
+ enable = true;
+ user = "jellyfin";
+ # openFirewall = true; # this works only for the default ports
+ };
+
+}
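Review bot: `nixpkgs.config.packageOverrides` is probably ineffective here: flake.nix in this commit passes `pkgs` to the jellyfin system through `specialArgs`, and a `pkgs` supplied that way shadows the module system's own instance, so the `vaapiIntel` override would never reach the `pkgs` that `hardware.opengl.extraPackages` reads — confirm by checking which vaapiIntel derivation lands in the system closure. If the override is wanted, apply it where the flake builds its `pkgs` (or through `nixpkgs.overlays` on an instance the module system actually evaluates). The commented-out sops lines leave this host without a secrets backend; a comment such as `# no sops here: jellyfin needs no secrets, and .sops.yaml has no jellyfin rule` would stop the next reader from re-enabling them without the matching creation rule.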
diff --git a/profiles/server1/matrix/hardware-configuration.nix b/profiles/server1/matrix/hardware-configuration.nix new file mode 100644 index 0000000..0a30877 --- /dev/null +++ b/profiles/server1/matrix/hardware-configuration.nix @@ -0,0 +1,29 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/mapper/pve-vm--102--disk--0"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eth0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/profiles/server1/matrix/nixos.nix b/profiles/server1/matrix/nixos.nix new file mode 100644 index 0000000..a61833b --- /dev/null +++ b/profiles/server1/matrix/nixos.nix 
@@ -0,0 +1,296 @@ +{ config, pkgs, modulesPath, unstable, sops, ... }: let + matrixDomain = "matrix2.swarsel.win"; +in { + + + services.xserver = { + layout = "us"; + xkbVariant = "altgr-intl"; + }; + nix.settings.experimental-features = ["nix-command" "flakes"]; + proxmoxLXC.manageNetwork = true; # manage network myself + proxmoxLXC.manageHostName = false; # manage hostname myself + networking.useDHCP = true; + networking.enableIPv6 = false; + services.openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + listenAddresses = [{ + port = 22; + addr = "0.0.0.0"; + }]; + }; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../../../secrets/keys/authorized_keys + ]; + + system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change + + environment.shellAliases = { + nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; + }; + + + imports = [ + (modulesPath + "/virtualisation/proxmox-lxc.nix") + ./hardware-configuration.nix + # we import here a service that is not available yet on normal nixpkgs + # this module is hence not in the modules list, we add it ourselves + (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix") + ]; + + networking.hostName = "matrix"; # Define your hostname. 
+ networking.firewall.enable = false; + environment.systemPackages = with pkgs; [ + git + gnupg + ssh-to-age + matrix-synapse + lottieconverter + ffmpeg + ]; + + sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; + sops.defaultSopsFile = "/.dotfiles/secrets/matrix/secrets.yaml"; + sops.validateSopsFiles = false; + sops.secrets.matrixsharedsecret = {owner="matrix-synapse";}; + sops.templates."matrix_user_register.sh".content = '' + register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008 + ''; + sops.templates.matrixshared.owner = "matrix-synapse"; + sops.templates.matrixshared.content = '' + registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} + ''; + sops.secrets.mautrixtelegram_as = {owner="matrix-synapse";}; + sops.secrets.mautrixtelegram_hs = {owner="matrix-synapse";}; + sops.secrets.mautrixtelegram_api_id = {owner="matrix-synapse";}; + sops.secrets.mautrixtelegram_api_hash = {owner="matrix-synapse";}; + sops.templates.mautrixtelegram.owner = "matrix-synapse"; + sops.templates.mautrixtelegram.content = '' + MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as} + MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} + MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} + MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} + ''; + # sops.secrets.mautrixwhatsapp_shared = {owner="matrix-synapse";}; + # sops.templates.mautrixwhatsapp.owner = "matrix-synapse"; + # sops.templates.mautrixwhatsapp.content = '' + # MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared} + # ''; + + services.postgresql.enable = true; + services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + 
LC_CTYPE = "C"; + CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; + CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; + CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; + CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + + services.matrix-synapse = { + settings.app_service_config_files = [ + "/var/lib/matrix-synapse/telegram-registration.yaml" + "/var/lib/matrix-synapse/whatsapp-registration.yaml" + "/var/lib/matrix-synapse/signal-registration.yaml" + "/var/lib/matrix-synapse/doublepuppet.yaml" + ]; + enable = true; + settings.server_name = matrixDomain; + settings.public_baseurl = "https://${matrixDomain}"; + extraConfigFiles = [ + config.sops.templates.matrixshared.path + ]; + settings.listeners = [ + { port = 8008; + bind_addresses = [ "0.0.0.0" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = [ "client" "federation" ]; + compress = true; + } + ]; + } + ]; + }; + + services.mautrix-telegram = { + enable = true; + environmentFile = config.sops.templates.mautrixtelegram.path; + settings = { + homeserver = { + address = "http://localhost:8008"; + domain = matrixDomain; + }; + appservice = { + address= "http://localhost:29317"; + hostname = "0.0.0.0"; + port = "29317"; + provisioning.enabled = true; + id = "telegram"; + # ephemeral_events = true; # not needed due to double puppeting + public = { + enabled = false; + }; + database = "postgresql:///mautrix-telegram?host=/run/postgresql"; + }; + bridge = { + # login_shared_secret_map = { + # matrixDomain = "as_token:doublepuppet"; + # }; + relaybot.authless_portals = true; + allow_avatar_remove = true; + allow_contact_info 
= true; + sync_channel_members = true; + startup_sync = true; + sync_create_limit = 0; + sync_direct_chats = true; + telegram_link_preview = true; + permissions = { + "*" = "relaybot"; + "@swarsel:${matrixDomain}" = "admin"; + }; + # Animated stickers conversion requires additional packages in the + # service's path. + # If this isn't a fresh installation, clearing the bridge's uploaded + # file cache might be necessary (make a database backup first!): + # delete from telegram_file where \ + # mime_type in ('application/gzip', 'application/octet-stream') + animated_sticker = { + target = "gif"; + args = { + width = 256; + height = 256; + fps = 30; # only for webm + background = "020202"; # only for gif, transparency not supported + }; + }; + }; + }; + }; + systemd.services.mautrix-telegram.path = with pkgs; [ + lottieconverter # for animated stickers conversion, unfree package + ffmpeg # if converting animated stickers to webm (very slow!) + ]; + + services.mautrix-whatsapp = { + enable = true; + # environmentFile = config.sops.templates.mautrixwhatsapp.path; + settings = { + homeserver = { + address = "http://localhost:8008"; + domain = matrixDomain; + }; + appservice = { + address= "http://localhost:29318"; + hostname = "0.0.0.0"; + port = 29318; + database = { + type = "postgres"; + uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql"; + }; + }; + bridge = { + displayname_template = "{{or .FullName .PushName .JID}} (WA)"; + history_sync = { + backfill = true; + max_initial_conversations = -1; + message_count = -1; + request_full_sync = true; + full_sync_config = { + days_limit = 900; + size_mb_limit = 5000; + storage_quota_mb = 5000; + }; + }; + login_shared_secret_map = { + matrixDomain = "as_token:doublepuppet"; + }; + sync_manual_marked_unread = true; + send_presence_on_typing = true; + parallel_member_sync = true; + url_previews = true; + caption_in_message = true; + extev_polls = true; + permissions = { + "*" = "relaybot"; + 
"@swarsel:${matrixDomain}" = "admin"; + }; + }; + }; + }; + + services.mautrix-signal = { + enable = true; + # environmentFile = config.sops.templates.mautrixwhatsapp.path; + settings = { + homeserver = { + address = "http://localhost:8008"; + domain = matrixDomain; + }; + appservice = { + + address= "http://localhost:29328"; + hostname = "0.0.0.0"; + port = 29328; + database = { + type = "postgres"; + uri = "postgresql:///mautrix-signal?host=/run/postgresql"; + }; + }; + bridge = { + displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)"; + login_shared_secret_map = { + matrixDomain = "as_token:doublepuppet"; + }; + caption_in_message = true; + permissions = { + "*" = "relaybot"; + "@swarsel:${matrixDomain}" = "admin"; + }; + }; + }; + }; + + # restart the bridges daily. this is done for the signal bridge mainly which stops carrying + # messages out after a while. + + systemd.timers."restart-bridges" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "1d"; + OnUnitActiveSec = "1d"; + Unit = "restart-bridges.service"; + }; + }; + + systemd.services."restart-bridges" = { + script = '' + systemctl restart mautrix-whatsapp.service + systemctl restart mautrix-signal.service + systemctl restart mautrix-telegram.service + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; + +} diff --git a/profiles/server1/nginx/hardware-configuration.nix b/profiles/server1/nginx/hardware-configuration.nix new file mode 100644 index 0000000..9d2561f --- /dev/null +++ b/profiles/server1/nginx/hardware-configuration.nix 
@@ -0,0 +1,29 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/mapper/pve-vm--119--disk--0"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eth0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/profiles/server1/nginx/nixos.nix b/profiles/server1/nginx/nixos.nix new file mode 100644 index 0000000..72ed018 --- /dev/null +++ b/profiles/server1/nginx/nixos.nix 
@@ -0,0 +1,243 @@ +{ config, pkgs, modulesPath, ... }: +{ + imports = [ + (modulesPath + "/virtualisation/proxmox-lxc.nix") + ./hardware-configuration.nix + ]; + + environment.systemPackages = with pkgs; [ + git + gnupg + ssh-to-age + lego + nginx + ]; + + services.xserver = { + layout = "us"; + xkbVariant = "altgr-intl"; + }; + + nix.settings.experimental-features = ["nix-command" "flakes"]; + + sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; + sops.defaultSopsFile = "/.dotfiles/secrets/nginx/secrets.yaml"; + sops.validateSopsFiles = false; + sops.secrets.dnstokenfull = {owner="acme";}; + sops.templates."certs.secret".content = '' + CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} + ''; + proxmoxLXC.manageNetwork = true; # manage network myself + proxmoxLXC.manageHostName = false; # manage hostname myself + networking.hostName = "nginx"; # Define your hostname. + networking.useDHCP = true; + networking.enableIPv6 = false; + networking.firewall.enable = false; + services.openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + }; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../../../secrets/keys/authorized_keys + ]; + # users.users.root.password = "TEMPLATE"; + + system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change + + security.acme = { + acceptTerms = true; + preliminarySelfsigned = false; + defaults.email = "mrswarsel@gmail.com"; + defaults.dnsProvider = "cloudflare"; + defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; + }; + + environment.shellAliases = { + nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; + }; + + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + virtualHosts = { + + "stash.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "https://192.168.2.5"; + 
extraConfig = '' + client_max_body_size 0; + ''; + }; + # "/push/" = { + # proxyPass = "http://192.168.2.5:7867"; + # }; + "/.well-known/carddav" = { + return = "301 $scheme://$host/remote.php/dav"; + }; + "/.well-known/caldav" = { + return = "301 $scheme://$host/remote.php/dav"; + }; + }; + }; + + "matrix2.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://192.168.2.23:8008"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + # "sound.swarsel.win" = { + # enableACME = true; + # forceSSL = true; + # acmeRoot = null; + # locations = { + # "/" = { + # proxyPass = "https://192.168.2.13"; + # extraConfig = '' + # client_max_body_size 0; + # ''; + # }; + # }; + # }; + + # "sound.swarsel.win" = { + # enableACME = true; + # forceSSL = true; + # acmeRoot = null; + # locations = { + # "/" = { + # proxyPass = "http://192.168.2.13:4040"; + # recommendedProxySettings = false; + # # proxyWebsockets = true; + # extraConfig = '' + # proxy_set_header Upgrade $http_upgrade; + # proxy_set_header Connection "Upgrade"; + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_set_header X-Forwarded-Proto https; + # proxy_set_header X-Forwarded-Host $host; + # proxy_set_header X-Forwarded-Port $server_port; + # proxy_set_header Host $host; + # proxy_max_temp_file_size 0; + # proxy_redirect http:// https://; + # proxy_buffering off; + # proxy_request_buffering off; + # client_max_body_size 0; + # ''; + # }; + # }; + # }; + + "sound.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://192.168.2.13:4040"; + proxyWebsockets = true; + extraConfig = '' + proxy_redirect http:// https://; + proxy_read_timeout 600s; + proxy_send_timeout 600s; + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; + }; + }; + }; + + 
"screen.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://192.168.2.16:8096"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + "matrix.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://192.168.2.20:8008"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + "scroll.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://192.168.2.22:8080"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + # "books.swarsel.win" = { + # enableACME = true; + # forceSSL = true; + # acmeRoot = null; + # locations = { + # "/" = { + # proxyPass = "http://192.168.2.22:8083"; + # extraConfig = '' + # client_max_body_size 0; + # ''; + # }; + # }; + # }; + + "blog.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "https://192.168.2.7"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + }; + }; + + + + + +} diff --git a/profiles/server1/sound/hardware-configuration.nix b/profiles/server1/sound/hardware-configuration.nix new file mode 100644 index 0000000..2e6f899 --- /dev/null +++ b/profiles/server1/sound/hardware-configuration.nix 
@@ -0,0 +1,35 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/mnt/data/images/118/vm-118-disk-0.raw";
+ fsType = "ext4";
+ options = [ "loop" ];
+ };
+
+ fileSystems."/media" =
+ { device = "//192.168.1.3/Eternor";
+ fsType = "cifs";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/profiles/server1/sound/nixos.nix b/profiles/server1/sound/nixos.nix
new file mode 100644
index 0000000..38664d2
--- /dev/null
+++ b/profiles/server1/sound/nixos.nix
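Review bot: `fileSystems."/media"` mounts `//192.168.1.3/Eternor` over CIFS with no `options` at all, so there is no `credentials=` file and no `guest` flag, and the mount is a hard boot dependency: if the share requires a login, `mount.cifs` fails (or prompts on a console nobody is watching) and boot stalls on the failed unit. The `secrets/calibre/secrets.yaml` added in this same commit already keeps `smbuser`/`smbpassword` under sops, and the same pattern fits here, e.g. `options = [ "credentials=/run/secrets/smb-credentials" "uid=navidrome" "gid=lxc_pshares" "x-systemd.automount" "noauto" "_netdev" ];` with the credentials file rendered by sops as root-owned 0400, never in the Nix store. The "generated, do not modify" header is no longer accurate once the file carries a hand-written network mount; dropping it avoids a later `nixos-generate-config` run silently discarding the mount.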
@@ -0,0 +1,132 @@
+{ config, pkgs, modulesPath, ... }:
+
+{
+
+ imports = [
+ (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ ./hardware-configuration.nix
+ ];
+
+
+
+ services.xserver = {
+ layout = "us";
+ xkbVariant = "altgr-intl";
+ };
+ nix.settings.experimental-features = ["nix-command" "flakes"];
+ proxmoxLXC.manageNetwork = true; # manage network myself
+ proxmoxLXC.manageHostName = false; # manage hostname myself
+ networking.useDHCP = true;
+ networking.enableIPv6 = false;
+ services.openssh = {
+ enable = true;
+ settings.PermitRootLogin = "yes";
+ listenAddresses = [{
+ port = 22;
+ addr = "0.0.0.0";
+ }];
+ };
+ users.users.root.openssh.authorizedKeys.keyFiles = [
+ ../../../secrets/keys/authorized_keys
+ ];
+
+ system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
+
+ environment.shellAliases = {
+ nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
+ };
+
+
+
+ proxmoxLXC.privileged = true; # manage hostname myself
+
+ users.groups.lxc_pshares = {
+ gid = 110000;
+ members = [
+ "navidrome"
+ "mpd"
+ "root"
+ ];
+ };
+
+ users.groups.navidrome = {
+ gid = 61593;
+ };
+
+ users.groups.mpd = {};
+
+ users.users.navidrome = {
+ isSystemUser = true;
+ uid = 61593;
+ group = "navidrome";
+ extraGroups = [ "audio" "utmp" ];
+ };
+
+ users.users.mpd = {
+ isSystemUser = true;
+ group = "mpd";
+ extraGroups = [ "audio" "utmp" ];
+ };
+
+ sound = {
+ enable = true;
+ };
+
+ hardware.enableAllFirmware = true;
+ networking.hostName = "sound"; # Define your hostname.
+ networking.firewall.enable = false;
+ environment.systemPackages = with pkgs; [
+ git
+ gnupg
+ ssh-to-age
+ pciutils
+ alsa-utils
+ mpv
+ ];
+
+ sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
+ sops.defaultSopsFile = "/.dotfiles/secrets/sound/secrets.yaml";
+ sops.validateSopsFiles = false;
+ sops.secrets.mpdpass = { owner = "mpd";};
+
+ services.navidrome = {
+ enable = true;
+ settings = {
+ Address = "0.0.0.0";
+ Port = 4040;
+ MusicFolder = "/media";
+ EnableSharing = true;
+ EnableTranscodingConfig = true;
+ Scanner.GroupAlbumReleases = true;
+ ScanSchedule = "@every 1d";
+ # Insert these values locally as sops-nix does not work for them
+ LastFM.ApiKey = TEMPLATE;
+ LastFM.Secret = TEMPLATE;
+ Spotify.ID = TEMPLATE;
+ Spotify.Secret = TEMPLATE;
+ UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png";
+ UIWelcomeMessage = "~SwarselSound~";
+ };
+ };
+ services.mpd = {
+ enable = true;
+ musicDirectory = "/media";
+ user = "mpd";
+ group = "mpd";
+ network = {
+ port = 3254;
+ listenAddress = "any";
+ };
+ credentials = [
+ {
+ passwordFile = config.sops.secrets.mpdpass.path;
+ permissions = [
+ "read"
+ "add"
+ "control"
+ "admin"
+ ];
+ }
+ ];
+ };
+}
diff --git a/profiles/server1/spotifyd/hardware-configuration.nix b/profiles/server1/spotifyd/hardware-configuration.nix
new file mode 100644
index 0000000..438871d
--- /dev/null
+++ b/profiles/server1/spotifyd/hardware-configuration.nix
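Review bot: The `LastFM.*` and `Spotify.*` entries in `services.navidrome.settings` (the four `TEMPLATE` placeholders) are rendered into Navidrome's config file in the Nix store, which is world-readable, so filling them in locally as the comment above them instructs hands the API secrets to every local user and to every machine that copies the closure; as committed, the unbound identifier `TEMPLATE` also makes this profile fail to evaluate. Navidrome reads the same settings from `ND_LASTFM_APIKEY`, `ND_LASTFM_SECRET`, `ND_SPOTIFY_ID` and `ND_SPOTIFY_SECRET`, so a sops secret holding those four lines can be injected with `systemd.services.navidrome.serviceConfig.EnvironmentFile = config.sops.secrets.navidrome-env.path;` and the four settings lines dropped — worth confirming whether the navidrome module on this channel already exposes an environment-file option. Separately, `networking.firewall.enable = false` together with `PermitRootLogin = "yes"` exposes sshd (password root login, if root has a password), navidrome on :4040 and mpd on :3254 to the whole LAN; since root is already key-based through `authorizedKeys.keyFiles`, `settings.PermitRootLogin = "prohibit-password";` plus `networking.firewall.allowedTCPPorts = [ 22 3254 4040 ];` tightens this without changing what the nginx proxy for sound.swarsel.win reaches.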
@@ -0,0 +1,29 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/mapper/pve-vm--123--disk--0";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/profiles/server1/spotifyd/nixos.nix b/profiles/server1/spotifyd/nixos.nix
new file mode 100644
index 0000000..7bf42ea
--- /dev/null
+++ b/profiles/server1/spotifyd/nixos.nix
@@ -0,0 +1,85 @@
+{ config, pkgs, modulesPath, ... }:
+
+{
+
+ imports = [
+ (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ ./hardware-configuration.nix
+ ];
+
+
+
+ services.xserver = {
+ layout = "us";
+ xkbVariant = "altgr-intl";
+ };
+ nix.settings.experimental-features = ["nix-command" "flakes"];
+ proxmoxLXC.manageNetwork = true; # manage network myself
+ proxmoxLXC.manageHostName = false; # manage hostname myself
+ networking.useDHCP = true;
+ networking.enableIPv6 = false;
+ services.openssh = {
+ enable = true;
+ settings.PermitRootLogin = "yes";
+ listenAddresses = [{
+ port = 22;
+ addr = "0.0.0.0";
+ }];
+ };
+ users.users.root.openssh.authorizedKeys.keyFiles = [
+ ../../../secrets/keys/authorized_keys
+ ];
+
+ system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
+
+ environment.shellAliases = {
+ nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
+ };
+
+
+
+ proxmoxLXC.privileged = true; # manage hostname myself
+
+ users.groups.spotifyd = {
+ gid = 65136;
+ };
+
+ users.users.spotifyd = {
+ isSystemUser = true;
+ uid = 65136;
+ group = "spotifyd";
+ extraGroups = [ "audio" "utmp" ];
+ };
+
+ sound = {
+ enable = true;
+ };
+
+ hardware.enableAllFirmware = true;
+ networking.hostName = "spotifyd"; # Define your hostname.
+ networking.firewall.enable = false;
+ environment.systemPackages = with pkgs; [
+ git
+ gnupg
+ ssh-to-age
+ ];
+
+ # sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
+ # sops.defaultSopsFile = "/.dotfiles/secrets/spotifyd/secrets.yaml";
+ # sops.validateSopsFiles = false;
+
+ services.spotifyd = {
+ enable = true;
+ settings = {
+ global = {
+ dbus_type = "session";
+ use_mpris = false;
+ device = "default:CARD=PCH";
+ device_name = "SwarselSpot";
+ mixer = "alsa";
+ zeroconf_port = 1025;
+ };
+ };
+ };
+
+}
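Review bot: `settings.PermitRootLogin = "yes"` on an sshd bound to `0.0.0.0` permits password logins as root (whenever a root password exists, given NixOS's default `PasswordAuthentication`), and `networking.firewall.enable = false` leaves every port of this privileged container reachable from the LAN; root access is already key-based via `authorizedKeys.keyFiles`, so `settings.PermitRootLogin = "prohibit-password";` closes the password path at no cost, and `networking.firewall.allowedTCPPorts = [ 22 1025 ];` (plus `allowedUDPPorts = [ 5353 ];` if the zeroconf discovery relies on mDNS) keeps only ssh and the configured `zeroconf_port` reachable. The comment on `proxmoxLXC.privileged = true` (`# manage hostname myself`) is copied from the line above and does not describe that option; `# privileged: direct access to the host's ALSA device (see device = "default:CARD=PCH")` would state the actual reason, assuming that is it.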
diff --git a/profiles/server1/transmission/hardware-configuration.nix b/profiles/server1/transmission/hardware-configuration.nix
new file mode 100644
index 0000000..30f4d28
--- /dev/null
+++ b/profiles/server1/transmission/hardware-configuration.nix
@@ -0,0 +1,29 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/mapper/pve-vm--122--disk--0";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/profiles/server1/transmission/nixos.nix b/profiles/server1/transmission/nixos.nix
new file mode 100644
index 0000000..f802735
--- /dev/null
+++ b/profiles/server1/transmission/nixos.nix
@@ -0,0 +1,358 @@
+{ config, pkgs, modulesPath, ... }:
+
+ {
+ imports = [
+ (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ ./hardware-configuration.nix
+ # ./openvpn.nix #this file holds the vpn login data
+ ];
+
+ environment.systemPackages = with pkgs; [
+ git
+ gnupg
+ ssh-to-age
+ openvpn
+ jq
+ iptables
+ busybox
+ wireguard-tools
+ ];
+
+ users.groups.lxc_shares = {
+ gid = 10000;
+ members = [
+ "vpn"
+ "radarr"
+ "sonarr"
+ "lidarr"
+ "readarr"
+ "root"
+ ];
+ };
+ users.groups.vpn = {};
+
+ users.users.vpn = {
+ isNormalUser = true;
+ group = "vpn";
+ home = "/home/vpn";
+ };
+
+ services.xserver = {
+ layout = "us";
+ xkbVariant = "altgr-intl";
+ };
+
+ nix.settings.experimental-features = ["nix-command" "flakes"];
+
+ sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
+ sops.defaultSopsFile = "/.dotfiles/secrets/transmission/secrets.yaml";
+ sops.validateSopsFiles = false;
+
+ boot.kernelModules = [ "tun" ];
+ proxmoxLXC.manageNetwork = true; # manage network myself
+ proxmoxLXC.manageHostName = false; # manage hostname myself
+ networking.hostName = "transmission"; # Define your hostname.
+ networking.useDHCP = true;
+ networking.enableIPv6 = false;
+ networking.firewall.enable = false;
+
+ services.radarr = {
+ enable = true;
+ };
+
+ services.readarr = {
+ enable = true;
+ };
+ services.sonarr = {
+ enable = true;
+ };
+ services.lidarr = {
+ enable = true;
+ };
+ services.prowlarr = {
+ enable = true;
+ };
+
+ # networking.interfaces = {
+ # lo = {
+ # useDHCP = false;
+ # ipv4.addresses = [
+ # { address = "127.0.0.1"; prefixLength = 8; }
+ # ];
+ # };
+ #
+ # eth0 = {
+ # useDHCP = true;
+ # };
+ # };
+
+ # networking.firewall.extraCommands = ''
+ # sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
+ # '';
+ networking.iproute2 = {
+ enable = true;
+ rttablesExtraConfig = ''
+ 200 vpn
+ '';
+ };
+ # boot.kernel.sysctl = {
+ # "net.ipv4.conf.all.rp_filter" = 2;
+ # "net.ipv4.conf.default.rp_filter" = 2;
+ # "net.ipv4.conf.eth0.rp_filter" = 2;
+ # };
+ environment.etc = {
+ "openvpn/iptables.sh" =
+ { source = ../../../scripts/server1/iptables.sh;
+ mode = "0755";
+ };
+ "openvpn/update-resolv-conf" =
+ { source = ../../../scripts/server1/update-resolv-conf;
+ mode = "0755";
+ };
+ "openvpn/routing.sh" =
+ { source = ../../../scripts/server1/routing.sh;
+ mode = "0755";
+ };
+ "openvpn/ca.rsa.2048.crt" =
+ { source = ../../../secrets/certs/ca.rsa.2048.crt;
+ mode = "0644";
+ };
+ "openvpn/crl.rsa.2048.pem" =
+ { source = ../../../secrets/certs/crl.rsa.2048.pem;
+ mode = "0644";
+ };
+ };
+ services.openssh = {
+ enable = true;
+ settings.PermitRootLogin = "yes";
+ listenAddresses = [{
+ port = 22;
+ addr = "0.0.0.0";
+ }];
+ };
+ users.users.root.openssh.authorizedKeys.keyFiles = [
+ ../../../secrets/keys/authorized_keys
+ ];
+
+ system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
+ # users.users.root.password = "TEMPLATE";
+
+ environment.shellAliases = {
+ nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
+ };
+
+ sops.secrets.vpnuser = {};
+ sops.secrets.rpcuser = {owner="vpn";};
+ sops.secrets.vpnpass = {};
+ sops.secrets.rpcpass = {owner="vpn";};
+ sops.secrets.vpnprot = {};
+ sops.secrets.vpnloc = {};
+ # sops.secrets.crlpem = {};
+ # sops.secrets.capem = {};
+ sops.templates."transmission-rpc".owner = "vpn";
+ sops.templates."transmission-rpc".content = builtins.toJSON {
+ rpc-username = config.sops.placeholder.rpcuser;
+ rpc-password = config.sops.placeholder.rpcpass;
+ };
+
+ sops.templates.pia.content = ''
+ ${config.sops.placeholder.vpnuser}
+ ${config.sops.placeholder.vpnpass}
+ '';
+
+ sops.templates.vpn.content = ''
+ client
+ dev tun
+ proto ${config.sops.placeholder.vpnprot}
+ remote ${config.sops.placeholder.vpnloc}
+ resolv-retry infinite
+ nobind
+ persist-key
+ persist-tun
+ cipher aes-128-cbc
+ auth sha1
+ tls-client
+ remote-cert-tls server
+
+ auth-user-pass ${config.sops.templates.pia.path}
+ compress
+ verb 1
+ reneg-sec 0
+
+ crl-verify /etc/openvpn/crl.rsa.2048.pem
+ ca /etc/openvpn/ca.rsa.2048.crt
+
+ disable-occ
+ dhcp-option DNS 209.222.18.222
+ dhcp-option DNS 209.222.18.218
+ dhcp-option DNS 8.8.8.8
+ route-noexec
+ '';
+
+ # services.pia.enable = true;
+ # services.pia.authUserPass.username = "na";
+ # services.pia.authUserPass.password = "na";
+
+
+ # systemd.services.openvpn-vpn = {
+ # wantedBy = [ "multi-user.target" ];
+ # after = [ "network.target" ];
+ # description = "OpenVPN connection to pia";
+ # serviceConfig = {
+ # Type = "forking";
+ # RuntimeDirectory="openvpn";
+ # PrivateTmp=true;
+ # KillMode="mixed";
+ # ExecStart = ''@${pkgs.openvpn}/sbin/openvpn openvpn --daemon ovpn-pia --status /run/openvpn/pia.status 10 --cd /etc/openvpn --script-security 2 --config ${config.sops.templates.vpn.path} --writepid /run/openvpn/pia.pid'';
+ # PIDFile=''/run/openvpn/pia.pid'';
+ # ExecReload=''/run/current-system/sw/bin/kill -HUP $MAINPID'';
+ # WorkingDirectory="/etc/openvpn";
+ # Restart="on-failure";
+ # RestartSec=30;
+ # ProtectSystem="yes";
+ # DeviceAllow=["/dev/null rw" "/dev/net/tun rw"];
+ # };
+ # };
+ services.openvpn.servers = {
+ pia = {
+ autoStart = false;
+ updateResolvConf = true;
+# up = ''
+# export INTERFACE="tun0"
+# export VPNUSER="vpn"
+# export LOCALIP="192.168.1.191"
+# export NETIF="eth0"
+# export VPNIF="tun0"
+# export GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
+# iptables -F -t nat
+# iptables -F -t mangle
+# iptables -F -t filter
+# iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
+# iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
+# iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
+# iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
+# iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
+# iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
+# iptables -A INPUT -i $INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+# iptables -A INPUT -i $INTERFACE -j REJECT
+# iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
+# iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
+# iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
+# iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+# iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
+# if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
+# ip rule add from all fwmark 0x1 lookup $VPNUSER
+# fi
+# ip route replace default via $GATEWAYIP table $VPNUSER
+# ip route append default via 127.0.0.1 dev lo table $VPNUSER
+# ip route flush cache
+ # '';
+ # down = "bash /etc/openvpn/update-resolv-conf";
+ # these are outsourced to a local file, I am not sure if it can be done with sops-nix
+ # authUserPass = {
+ # username = "TODO:secrets";
+ # password = "TODO:secrets";
+ # };
+ config = "config ${config.sops.templates.vpn.path}";
+ };
+ };
+
+ services.transmission = {
+ enable = true;
+ credentialsFile = config.sops.templates."transmission-rpc".path;
+ user = "vpn";
+ group = "lxc_shares";
+ settings = {
+
+ alt-speed-down= 8000;
+ alt-speed-enabled= false;
+ alt-speed-time-begin= 0;
+ alt-speed-time-day= 127;
+ alt-speed-time-enabled= true;
+ alt-speed-time-end= 360;
+ alt-speed-up= 2000;
+ bind-address-ipv4= "0.0.0.0";
+ bind-address-ipv6= "::";
+ blocklist-enabled= false;
+ blocklist-url= "http://www.example.com/blocklist";
+ cache-size-mb= 4;
+ dht-enabled= false;
+ download-dir= "/media/Eternor/New";
+ download-limit= 100;
+ download-limit-enabled= 0;
+ download-queue-enabled= true;
+ download-queue-size= 5;
+ encryption= 2;
+ idle-seeding-limit= 30;
+ idle-seeding-limit-enabled= false;
+ incomplete-dir= "/var/lib/transmission-daemon/Downloads";
+ incomplete-dir-enabled= false;
+ lpd-enabled= false;
+ max-peers-global= 200;
+ message-level= 1;
+ peer-congestion-algorithm= "";
+ peer-id-ttl-hours= 6;
+ peer-limit-global= 100;
+ peer-limit-per-torrent= 40;
+ peer-port= 22371;
+ peer-port-random-high= 65535;
+ peer-port-random-low= 49152;
+ peer-port-random-on-start= false;
+ peer-socket-tos= "default";
+ pex-enabled= false;
+ port-forwarding-enabled= false;
+ preallocation= 1;
+ prefetch-enabled= true;
+ queue-stalled-enabled= true;
+ queue-stalled-minutes= 30;
+ ratio-limit= 2;
+ ratio-limit-enabled= false;
+ rename-partial-files= true;
+ rpc-authentication-required= true;
+ rpc-bind-address= "0.0.0.0";
+ rpc-enabled= true;
+ rpc-host-whitelist= "";
+ rpc-host-whitelist-enabled= true;
+ rpc-port= 9091;
+ rpc-url= "/transmission/";
+ rpc-whitelist= "127.0.0.1,192.168.3.2";
+ rpc-whitelist-enabled= true;
+ scrape-paused-torrents-enabled= true;
+ script-torrent-done-enabled=
 false;
+ seed-queue-enabled= false;
+ seed-queue-size= 10;
+ speed-limit-down= 6000;
+ speed-limit-down-enabled= true;
+ speed-limit-up= 500;
+ speed-limit-up-enabled= true;
+ start-added-torrents= true;
+ trash-original-torrent-files= false;
+ umask= 2;
+ upload-limit= 100;
+ upload-limit-enabled= 0;
+ upload-slots-per-torrent= 14;
+ utp-enabled= false;
+ };
+ };
+
+ # services.nginx = {
+ # enable = true;
+ # virtualHosts = {
+
+ # "192.168.1.192" = {
+ # locations = {
+ # "/transmission" = {
+ # proxyPass = "http://127.0.0.1:9091";
+ # extraConfig = ''
+ # proxy_set_header Host $host;
+ # proxy_set_header X-Real-IP $remote_addr;
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # '';
+ # };
+ # };
+ # };
+ # };
+ # };
+
+
+ }
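Review bot: The VPN kill switch this profile depends on is never installed: `services.openvpn.servers.pia` has `autoStart = false`, its `up` hook is commented out, `networking.firewall.enable = false`, and nothing references the `/etc/openvpn/iptables.sh` that `environment.etc` installs — so until someone runs that script by hand, traffic of the `vpn` user (transmission runs as `user = "vpn"`) follows the main routing table out `eth0` in the clear, and the `fwmark 0x1` rule into table `vpn` only exists after a first successful tunnel. A policy that holds whether or not the tunnel is up belongs in the NixOS firewall, which the commented-out `networking.firewall.extraCommands` already hints at; enabling the firewall also stops exposing the *arr web UIs and the transmission RPC port (`rpc-bind-address = "0.0.0.0"`) to every host on the LAN. If `iptables.sh` is later wired up as the `up` hook, its three `iptables -F` lines would wipe both these rules and the NixOS firewall chains, so they should be removed from it first. Something along these lines, which leaves the mark/route handling to the OpenVPN hook and only guarantees that `vpn`-owned packets never leave via `eth0`:
```nix
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 22 9091 ]; # ssh + transmission RPC; add the *arr UIs that must be reachable
  # Kill switch: traffic owned by the `vpn` user may leave only via lo or the tunnel.
  # Lives in the firewall so it holds from boot, before and between OpenVPN sessions.
  networking.firewall.extraCommands = ''
    iptables -N vpn-killswitch 2>/dev/null || iptables -F vpn-killswitch
    iptables -A vpn-killswitch -o lo -j ACCEPT
    iptables -A vpn-killswitch -o tun0 -j ACCEPT
    iptables -A vpn-killswitch -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A vpn-killswitch -j REJECT
    iptables -C OUTPUT -m owner --uid-owner vpn -j vpn-killswitch 2>/dev/null \
      || iptables -I OUTPUT -m owner --uid-owner vpn -j vpn-killswitch
  '';
  # … unchanged: services.openvpn.servers.pia = { autoStart; updateResolvConf; config; } …
```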
diff --git a/programs/emacs/custom.el b/programs/emacs/custom.el index 227bd66..fa10b22 100644 --- a/programs/emacs/custom.el +++ b/programs/emacs/custom.el @@ -7,7 +7,8 @@ '("7ec8fd456c0c117c99e3a3b16aaf09ed3fb91879f6601b1ea0eeaee9c6def5d9" "badd1a5e20bd0c29f4fe863f3b480992c65ef1fa63951f59aa5d6b129a3f9c4c" "2e05569868dc11a52b08926b4c1a27da77580daa9321773d92822f7a639956ce" - default))) + default)) + '(send-mail-function 'sendmail-send-it)) ;; (custom-set-faces ;; ;; custom-set-faces was added by Custom. ;; ;; If you edit it by hand, you could mess it up, so be careful. diff --git a/programs/emacs/init.el b/programs/emacs/init.el index b69cac3..cf1e608 100644 --- a/programs/emacs/init.el +++ b/programs/emacs/init.el @@ -305,6 +305,7 @@ "C-c d" 'duplicate-line ; duplicate line on CURSOR "C-M-j" 'consult-buffer "C-s" 'consult-line + "C-" 'my-python-shell-run ) (setq inhibit-startup-message t) @@ -800,7 +801,8 @@ (add-hook 'org-mode-hook (lambda () (add-hook 'after-save-hook #'swarsel/org-babel-tangle-config))) -(use-package auctex) +;; (use-package auctex +;; :ensure nil) (setq TeX-auto-save t) (setq TeX-save-query nil) (setq TeX-parse-self t) @@ -1095,12 +1097,7 @@ (use-package git-timemachine :hook (git-time-machine-mode . evil-normalize-keymaps) :init (setq git-timemachine-show-minibuffer-details t) - :general - (general-nmap "SPC g t" 'git-timemachine-toggle) - (git-timemachine-mode-map - "C-k" 'git-timemachine-show-previous-revision - "C-j" 'git-timemachine-show-next-revision - "q" 'git-timemachine-quit)) +) (use-package rainbow-delimiters :hook (prog-mode . rainbow-delimiters-mode)) 
@@ -1283,11 +1280,33 @@ :mode ("\\.rs" . rustic-mode)) ;; run the python inferior shell immediately upon entering a python buffer - (add-hook 'python-mode-hook 'swarsel/run-python) + ;; (add-hook 'python-mode-hook 'swarsel/run-python) -(defun swarsel/run-python () - (save-selected-window - (switch-to-buffer-other-window (process-buffer (python-shell-get-or-create-process (python-shell-parse-command)))))) + ;; (defun swarsel/run-python () + ;; (save-selected-window + ;; (switch-to-buffer-other-window (process-buffer (python-shell-get-or-create-process (python-shell-parse-command)))))) + +;; reload python shell automatically +(defun my-python-shell-run () + (interactive) + (when (get-buffer-process "*Python*") + (set-process-query-on-exit-flag (get-buffer-process "*Python*") nil) + (kill-process (get-buffer-process "*Python*")) + ;; Uncomment If you want to clean the buffer too. + ;;(kill-buffer "*Python*") + ;; Not so fast! + (sleep-for 0.5)) + (run-python (python-shell-parse-command) nil nil) + (python-shell-send-buffer) + ;; Pop new window only if shell isnt visible + ;; in any frame. + (unless (get-buffer-window "*Python*" t) + (python-shell-switch-to-shell))) + +(defun my-python-shell-run-region () + (interactive) + (python-shell-send-region (region-beginning) (region-end)) + (python-shell-switch-to-shell)) ;; (use-package cuda-mode) @@ -1750,7 +1769,7 @@ :config ;; This is set to 't' to avoid mail syncing issues when using mbsync - (setq send-mail-function 'smtpmail-send-it) + (setq send-mail-function 'sendmail-send-it) (setq mu4e-change-filenames-when-moving t) (setq mu4e-mu-binary (executable-find "mu")) diff --git a/scripts/server1/doublepuppet.yaml b/scripts/server1/doublepuppet.yaml new file mode 100644 index 0000000..f28f0f7 --- /dev/null +++ b/scripts/server1/doublepuppet.yaml 
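Review bot: `my-python-shell-run` and `my-python-shell-run-region` are new interactive commands without docstrings, and the first has a side effect that is not obvious from its name — it clears the query-on-exit flag, kills the running `*Python*` process and re-sends the whole buffer, so any state in the old REPL is discarded. A one-line docstring on each would make that visible from `C-h f`: `"Restart the *Python* inferior shell and send the whole current buffer to it."` and `"Send the active region to the Python shell and switch to it."`. The `(sleep-for 0.5)` after `kill-process` is a timing guess rather than a synchronisation; waiting on the process with `(while (process-live-p proc) (accept-process-output proc 0.1))` would be the deterministic form, but that is a behaviour change better made in its own commit.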
@@ -0,0 +1,21 @@
+# The ID doesn't really matter, put whatever you want.
+id: doublepuppet
+# The URL is intentionally left empty (null), as the homeserver shouldn't
+# push events anywhere for this extra appservice. If you use a
+# non-spec-compliant server, you may need to put some fake URL here.
+url:
+# Generate random strings for these three fields. Only the as_token really
+# matters, hs_token is never used because there's no url, and the default
+# user (sender_localpart) is never used either.
+as_token: doublepuppet
+hs_token: notused
+sender_localpart: notused
+# Bridges don't like ratelimiting. This should only apply when using the
+# as_token, normal user tokens will still be ratelimited.
+rate_limited: false
+namespaces:
+ users:
+ # Replace your\.domain with your server name (escape dots for regex)
+ - regex: '@.*:matrix2\.swarsel\.win'
+ # This must be false so the appservice doesn't take over all users completely.
+ exclusive: false
diff --git a/scripts/server1/iptables.sh b/scripts/server1/iptables.sh
new file mode 100644
index 0000000..dbf2e45
--- /dev/null
+++ b/scripts/server1/iptables.sh
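Review bot: `as_token: doublepuppet` is a fixed, guessable literal committed to the repository, yet it is the bearer credential the homeserver accepts for this appservice, and the `users` namespace `'@.*:matrix2\.swarsel\.win'` lets that credential act as any local user — the comment above it already says to generate random strings. If this registration is loaded by the synapse behind `matrix2.swarsel.win` (which the nginx change in this same commit exposes publicly on `/_matrix`), anyone who reads this file can impersonate every account on that server. Replace `as_token` and `hs_token` with fresh 64-hex-character values, e.g. from `openssl rand -hex 32`, and keep the registration out of `scripts/` — as a sops-managed secret like the other per-host `secrets/*/secrets.yaml` files, rendered at deploy time.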
@@ -0,0 +1,47 @@
+#! /usr/bin/env bash
+export INTERFACE="tun0"
+export VPNUSER="vpn"
+export LOCALIP="192.168.1.191"
+export NETIF="eth0"
+
+# flushes all the iptables rules, if you have other rules to use then add them into the script
+iptables -F -t nat
+iptables -F -t mangle
+iptables -F -t filter
+
+# mark packets from $VPNUSER
+iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
+iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
+iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
+iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
+iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
+iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
+
+# allow responses
+iptables -A INPUT -i $INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# block everything incoming on $INTERFACE to prevent accidental exposing of ports
+iptables -A INPUT -i $INTERFACE -j REJECT
+
+# let $VPNUSER access lo and $INTERFACE
+iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
+iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
+
+# all packets on $INTERFACE needs to be masqueraded
+iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
+iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# reject connections from predator IP going over $NETIF
+iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
+
+VPNIF="tun0"
+VPNUSER="vpn"
+GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
+if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
+ip rule add from all fwmark 0x1 lookup $VPNUSER
+fi
+ip route replace default via $GATEWAYIP table $VPNUSER
+ip route append default via 127.0.0.1 dev lo table $VPNUSER
+ip route flush cache
+
+exit 0
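Review bot: `LOCALIP="192.168.1.191"` is hard-coded while the container that installs this script gets its address by DHCP (`networking.useDHCP = true` in the transmission profile) and the nginx proxies in this commit reach the containers in 192.168.2.0/24; if the lease ever differs from this value, the `! --src $LOCALIP` mangle rule marks every outbound packet for the VPN table and the final `! --src $LOCALIP -o $NETIF -j REJECT` refuses all new traffic on `eth0`, taking the box off the LAN. Deriving it from the interface, `LOCALIP=$(ip -4 -o addr show dev "$NETIF" | awk '{print $4}' | cut -d/ -f1)`, removes that assumption, and `GATEWAYIP="${route_vpn_gateway:?no gateway from openvpn}"` uses the variable OpenVPN exports to up-scripts instead of scraping `ifconfig` output — `ifconfig` is not in the profile's `environment.systemPackages` unless busybox supplies it, so the current expression can silently yield an empty `GATEWAYIP`. Adding `set -e` at the top then makes a failed `ip route replace` abort the hook (and with it the tunnel) instead of falling through to `exit 0` with no route installed.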
diff --git a/scripts/server1/routing.sh b/scripts/server1/routing.sh
new file mode 100644
index 0000000..64e0664
--- /dev/null
+++ b/scripts/server1/routing.sh
@@ -0,0 +1,14 @@
+#! /usr/bin/env bash
+VPNIF="tun0"
+VPNUSER="vpn"
+GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
+if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
+ip rule add from all fwmark 0x1 lookup $VPNUSER
+fi
+ip route replace default via $GATEWAYIP table $VPNUSER
+ip route append default via 127.0.0.1 dev lo table $VPNUSER
+ip route flush cache
+
+bash /etc/openvpn/update-resolv-conf
+
+exit 0
diff --git a/scripts/server1/update-resolv-conf b/scripts/server1/update-resolv-conf
new file mode 100644
index 0000000..f1e5586
--- /dev/null
+++ b/scripts/server1/update-resolv-conf
@@ -0,0 +1,45 @@
+#! /usr/bin/env bash
+foreign_option_1='dhcp-option DNS 209.222.18.222'
+foreign_option_2='dhcp-option DNS 209.222.18.218'
+foreign_option_3='dhcp-option DNS 8.8.8.8'
+
+[ -x /sbin/resolvconf ] || exit 0
+[ "$script_type" ] || exit 0
+[ "$dev" ] || exit 0
+
+split_into_parts()
+{
+ part1="$1"
+ part2="$2"
+ part3="$3"
+}
+
+case "$script_type" in
+ up)
+ NMSRVRS=""
+ SRCHS=""
+ for optionvarname in ${!foreign_option_*} ; do
+ option="${!optionvarname}"
+ echo "$option"
+ split_into_parts $option
+ if [ "$part1" = "dhcp-option" ] ; then
+ if [ "$part2" = "DNS" ] ; then
+ NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
+ elif [ "$part2" = "DOMAIN" ] ; then
+ SRCHS="${SRCHS:+$SRCHS }$part3"
+ fi
+ fi
+ done
+ R=""
+ [ "$SRCHS" ] && R="search $SRCHS
+"
+ for NS in $NMSRVRS ; do
+ R="${R}nameserver $NS
+"
+ done
+ echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
+ ;;
+ down)
+ /sbin/resolvconf -d "${dev}.openvpn"
+ ;;
+esac
diff --git a/secrets/calibre/secrets.yaml b/secrets/calibre/secrets.yaml
new file mode 100644
index 0000000..1a5c0e5
--- /dev/null
+++ b/secrets/calibre/secrets.yaml
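Review bot: `ip route append default via 127.0.0.1 dev lo table $VPNUSER` is meant as the fallback that keeps marked traffic off `eth0` once the tunnel is gone, but a default route via `lo` depends on how the kernel treats packets bounced off the loopback interface; `ip route append blackhole default table $VPNUSER` states the intent directly and is guaranteed to drop. The script also has no `set -e`: if `ifconfig` is unavailable (it is not in the profile's package list unless busybox supplies it) `GATEWAYIP` is empty, `ip route replace` fails, and the script still reaches `exit 0`, so OpenVPN treats the hook as successful while nothing is routed through the tunnel — `set -e` plus `GATEWAYIP="${route_vpn_gateway:?no gateway from openvpn}"`, using the variable OpenVPN exports to up-scripts, turns that into a hard failure. The trailing `bash /etc/openvpn/update-resolv-conf` only does anything when `script_type` and `dev` are inherited from OpenVPN's environment, which holds for an `up` hook but not when the script is run by hand; a comment saying so would save the next person a confusing no-op.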
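Review bot: The three `foreign_option_*` assignments at the top override whatever the tunnel pushes (OpenVPN normally exports these itself, which is what the `for optionvarname in ${!foreign_option_*}` loop expects), and `foreign_option_3='dhcp-option DNS 8.8.8.8'` adds a resolver outside the VPN provider, so lookups that land on it go to a third party rather than the provider's resolvers and nothing here ensures they traverse the tunnel. Dropping that line — or deleting all three assignments so the pushed values are used — keeps resolution inside the VPN. The `[ -x /sbin/resolvconf ] || exit 0` guard is also worth checking on NixOS, which does not populate `/sbin`: if the binary lives elsewhere the script is a silent no-op and `/etc/resolv.conf` keeps the LAN resolver; `command -v resolvconf >/dev/null || exit 1` together with calling `resolvconf` by name would surface that. Finally, `services.openvpn.servers.pia.updateResolvConf = true` in the transmission profile should, as far as I recall the NixOS module, already install its own update-resolv-conf up/down hook, so this copy may be redundant.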
@@ -0,0 +1,55 @@ +smbuser: ENC[AES256_GCM,data:Xlz/NzVjKk0=,iv:DvhZOoOb0eXc4jIZPwDXGRkZxWI4Fg5MC9s1IRhYWuY=,tag:ApTT/Y9K7p0uPRZAlXgekA==,type:str] +smbpassword: ENC[AES256_GCM,data:t5ic3YoNkc3k2brjN6ZRjNKPEYD9WKk=,iv:lBtSSuEnUKipapqq7gYWmkdA8tcMIZuNy8EmqqKHFWU=,tag:qas1f2wlZm0mpcgPhsZtPA==,type:str] +smbdomain: ENC[AES256_GCM,data:TepG9EMhs8I=,iv:w+CxqNxrjIBx2G33EoKkLSuTHrSSzvDQ2JXuOHtUTmw=,tag:oy5vKyhYc/bOV76xEDaVqA==,type:str] +kavita: ENC[AES256_GCM,data:g+2WXcm7d8OxLhrtWXx15SdRx8VXax1SG2GHoWizXDUZEKnEwlQe7/Yk6DQ=,iv:bQ9s5z6jNGkf59cxzR1o+etA+GA3Y8L6Bgfv9e1Txww=,tag:NOB7iBH3yoE0/DtmuQyaBg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1q2k4j9m6ge6dgygehulzd8vqjcdgv5s7s4zrferaq29qlu94a4uqpv76s5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGejQ4Vm9KWlJYeW9UdElP + MWVUNWx5V3dDQWNPSkRJNjl2a3ZLWVpQMXdJCkdjVlh6andkM0oyMWkvaDd5Zi9H + eEVZalFYQjNpQUszUW5HV1gzRU9FVXMKLS0tIGorWGRnQkE3TXhYRHArMDUrQU4v + UnVYNGRlZTRoZ29YQ1B5S0U1ZE84VHMKgp2XRaVtRcubXfjttQfk9UKbqZ6EbL/O + coZUAPXRrT//oRh2JFu0Q4+5zoewI2j1DhUS9HuejM5CIColYUasJg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-23T04:28:28Z" + mac: ENC[AES256_GCM,data:aLI7dMi2merChhkQaqmrlbvC2V6Bh0D67RE1RxTqZLYmFE8AINBewBka1ktIVc83IYYFyhpTLZDmhZF5q3McIOGXjlZUcEDtb1C2zZZEkXJrbFe3yoZG+DE/fOB4I2uXjzp5iOG+lZyWAGQgrSHMSFV+IbAg4bb++OilZ2oXWYk=,iv:M+rOanpm+LakksTb4jCzZph3zC7MI6XeV7nyXN7qo50=,tag:Ec+HJtUtzUtrxbeCe+wDJg==,type:str] + pgp: + - created_at: "2023-12-22T23:23:45Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ//Y7LOX5knf4s2Dku9DsVIgxUe5Ox3u65uBKL6vTE5tLuN + Oeuyvd8eGaOWvPWcu/7bbr2Nd5Y3fyyG6yTSzjweyvPgnNbBswaYZxPhj+GfHSL/ + yRcdEVX8QTEirlUYhFTVuD3LLGAxiJI5dvIHF87FGfr9U+xiTg9fblwFlEGb9F5q + TYUOSLvXUS6KbSuGnNQR7kZua2eZ/nvAIW9gVh1RrTjLzSyGdPgiqRFC657MFOvP + IlVOVKEngY+FTFBUH8kRzAxAz94Gtern2oqpuuQu0agriizeE6TA9OPOoMNGhsQD + C/DK+pa8AQ2JV17iy64rPkpRGGXr7PqEEmV386z6+O6Nbq0e+1lqigPYkxJqWJjR + 
5K55znA7jRxdit6AN978pKerY9xSmbiRx35qWoGa2WK3iZ5ACcsXbAxW4lHagmdH + TmcIB4qzzHdsYQ/TxLcUioFx1EooiNZ59Asa+Lj16QgMAyDF9SZ6Z8HhQGwIBdub + HNvu8+f3/D70I7/DreortuwSvzV370+OBb0knoVZcG+i7DlAM64LukZmety9PJIj + JhUVdvp/haL7FWI7zU2Aj5j/kXGKjmYlb3N5Zes3I+MLXdL+8qqeOG+NsQR0Xvxq + xEsgEUyqaXuMwJfyPFw89NkF7oj3qqWlbnLGBEXcrXRI28Urkpwet1Z//p+WpDCF + AgwDC9FRLmchgYQBD/4lskxdD99hF0I5Zx2h8Lt1UqXI+lMROqRjjTI726Z+R7xK + 2PEJ4l2neJIP02QMm3HTAOQJ5P5t0Lb0kM1vbBY8WOF3v6aLt6Va8pwBF6TxlfGn + 5UUCUQ8nLwHUyKGAI+atveZCcUkyfhy3y4pMbXK6BQ+2tbLGEjFeqVeakk9e5MGo + 8BwYbU0Rr4KqAeSVkYb/qCErycM9fQb07r8xiPqSnKuZe4RxolWfMTnwP6IEI3GJ + AteS6MdMOtK1BufP/XKX80aXIY9U/BimyEndmT4b/83aAid42xPH25BZTfC0r0Wh + EArA0CR2rop7wE1GQq1R+stet4kSyBPWefvJg3wVSpF3Xj/IsJHz3LAp452v18W5 + rEWa8bzUT3vlVBjINhoqUJt4VHGx74kJml6WY334XyCy2xxY1C3sSD53tw3O34Qf + rmcV6m/BeCwL4t4rsG+vWzwaZSmjqr1D6H4JI9h2HvwXb45y4m28OewvAu0FMcyK + tpjxnwdXAOQC/GdgKPuM1eomgurGBrfCeHbfXHsu3n2LPTm6RULWKW4jzj9dbjCC + CuD4IzflExz8E+lqTBW4CppBgfCBDx5IIS1sv7YVfqFf1Upl434kknKffkmkq6mk + G70ATAlUX8Ci94rUv/JCokCj5GcIzVmKUiI+zq0rCQKxcJ6uLMFYZGQ9v34kQ9Je + AQ+3j+iSzV7DGtkdHI9LEAsLj6ZeFPtePULfxsHc3tjfpUFTQgurMS/QDojQMMEn + 73sQEYv+ihSsV+WToRpgExM1ANIEZ5eFTloxKKmULkYQ6tiL8SIywxz1vJW81A== + =nyE3 + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/certs/ca.rsa.2048.crt b/secrets/certs/ca.rsa.2048.crt new file mode 100644 index 0000000..6deea60 --- /dev/null +++ b/secrets/certs/ca.rsa.2048.crt 
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFqzCCBJOgAwIBAgIJAKZ7D5Yv87qDMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD +VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV +BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu +dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx +IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB +FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzM1 +MThaFw0zNDA0MTIxNzM1MThaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex +EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg +QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE +AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50 +ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy +bmV0YWNjZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXD +L1L9tX6DGf36liA7UBTy5I869z0UVo3lImfOs/GSiFKPtInlesP65577nd7UNzzX +lH/P/CnFPdBWlLp5ze3HRBCc/Avgr5CdMRkEsySL5GHBZsx6w2cayQ2EcRhVTwWp +cdldeNO+pPr9rIgPrtXqT4SWViTQRBeGM8CDxAyTopTsobjSiYZCF9Ta1gunl0G/ +8Vfp+SXfYCC+ZzWvP+L1pFhPRqzQQ8k+wMZIovObK1s+nlwPaLyayzw9a8sUnvWB +/5rGPdIYnQWPgoNlLN9HpSmsAcw2z8DXI9pIxbr74cb3/HSfuYGOLkRqrOk6h4RC +OfuWoTrZup1uEOn+fw8CAwEAAaOCAVQwggFQMB0GA1UdDgQWBBQv63nQ/pJAt5tL +y8VJcbHe22ZOsjCCAR8GA1UdIwSCARYwggESgBQv63nQ/pJAt5tLy8VJcbHe22ZO +sqGB7qSB6zCB6DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpM +b3NBbmdlbGVzMSAwHgYDVQQKExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4G +A1UECxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAMTF1ByaXZhdGUg +SW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQpExdQcml2YXRlIEludGVybmV0IEFjY2Vz +czEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j +b22CCQCmew+WL/O6gzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQAn +a5PgrtxfwTumD4+3/SYvwoD66cB8IcK//h1mCzAduU8KgUXocLx7QgJWo9lnZ8xU +ryXvWab2usg4fqk7FPi00bED4f4qVQFVfGfPZIH9QQ7/48bPM9RyfzImZWUCenK3 +7pdw4Bvgoys2rHLHbGen7f28knT2j/cbMxd78tQc20TIObGjo8+ISTRclSTRBtyC +GohseKYpTS9himFERpUgNtefvYHbn70mIOzfOJFTVqfrptf9jXa9N8Mpy3ayfodz 
+1wiqdteqFXkTYoSDctgKMiZ6GdocK9nMroQipIQtpnwd4yBDWIyC6Bvlkrq5TQUt +YDQ8z9v+DMO6iwyIDRiU +-----END CERTIFICATE----- diff --git a/secrets/certs/crl.rsa.2048.pem b/secrets/certs/crl.rsa.2048.pem new file mode 100644 index 0000000..a58ef56 --- /dev/null +++ b/secrets/certs/crl.rsa.2048.pem @@ -0,0 +1,15 @@ +-----BEGIN X509 CRL----- +MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI +EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl +cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw +HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0 +ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl +aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa +MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG +9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5 +jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW +B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re +ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA +5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy +MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A== +-----END X509 CRL----- diff --git a/secrets/general/secrets.yaml b/secrets/general/secrets.yaml index b9e5e06..30feb92 100644 --- a/secrets/general/secrets.yaml +++ b/secrets/general/secrets.yaml 
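Review bot: ca.rsa.2048.crt is a plaintext public CA certificate (the DER appears to carry a "Private Internet Access" subject and a 2014–2034 validity) committed under `secrets/`, and the same applies to crl.rsa.2048.pem in the next hunk; neither is a secret, but a reader of the `secrets/` tree will assume otherwise. A one-line provenance note placed before `-----BEGIN CERTIFICATE-----` (most PEM parsers, OpenSSL included, skip text outside the encapsulation boundaries), e.g. `# Public VPN provider CA; fingerprint checked against the provider's published value on <DATE-PLACEHOLDER>`, would record where it came from and that it was verified. The CRL appears to be a point-in-time snapshot whose next-update field lies roughly twenty years out, so revocations published after the snapshot will not be reflected unless the file is refreshed; that is worth stating in the same note.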
@@ -35,8 +35,8 @@ sops: TGF4USs2YVNlZnZhM3lZNlpHbm80SzgKxwh4DS1DnV3KFVfPw/8+zGWo/YVnhSYd Yi1hpRD8yD0eglGVGaWCItniPLRFDPpHL2B6kkHsYRx3Rl7daSJUVA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-13T19:28:18Z" - mac: ENC[AES256_GCM,data:5zQWLi1To2XUc2GXCXmwQMk1M/hPORhK1xuNbihLgJVt+ufEBScyQ9kk0BTcmQAbVXUZO7f4qHAx/P8M99CiY5g1H3Zm48kMrohC0ByJfSUHt9w8ApT01TFsyYrbtX8qoSVyAMwu4/dV1wTv0Nm0a0A9MhE8Azr7cPRgcmtixn4=,iv:rsMo8jY4jIkBlgnJ/EdGoyjl1aKKAeSnvde7ndWnBkE=,tag:pEiIb5LLULxR5dcD8RknSA==,type:str] + lastmodified: "2023-12-22T00:14:58Z" + mac: ENC[AES256_GCM,data:BhTS9q5mfdJegV2FA6r9aOxjhvjahhwzE2K7QeJQkEFfj7hnu3qIQy2CN10+9YDvrYVpoSWuEJ3L5uFFzugW6Ubz18SiuXjZGRUxfZn9+AzFDJYntpOs9r8rG72w7tY2ty+UefjhW4oDsTlv7TdPHlAWPVSY5X7H2G5qNxqHAfM=,iv:R3doafqNTyuvvBM9TG3UbZJeAtw5CDAePQDT+aGkA4c=,tag:BKTZBUSd9+CLl56jscjdRg==,type:str] pgp: - created_at: "2023-12-13T19:27:54Z" enc: |- diff --git a/secrets/keys/calibre.pub b/secrets/keys/calibre.pub new file mode 100644 index 0000000..1f5d83e --- /dev/null +++ b/secrets/keys/calibre.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGAkIdo0pObC1/QmOVwqhQnif6uf+CylNwlWnbJL+Zrh calibre sops diff --git a/secrets/keys/nginx.pub b/secrets/keys/nginx.pub new file mode 100644 index 0000000..01bab6b --- /dev/null +++ b/secrets/keys/nginx.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICtt5v96QEIttEKf1H3R04uwU64JFDB6yqJRvdsiyYz2 nginx sops diff --git a/secrets/matrix/secrets.yaml b/secrets/matrix/secrets.yaml new file mode 100644 index 0000000..a779a2f --- /dev/null +++ b/secrets/matrix/secrets.yaml 
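Review bot: This hunk changes only `lastmodified` and `mac` of secrets/general/secrets.yaml; no `ENC[...]` value and no recipient line is touched anywhere in that file's diff, so the file appears to have been re-saved without a content change. That still yields a new MAC and timestamp, which makes the history harder to audit, since a later reader cannot tell whether a secret was rotated here. If nothing was meant to change, dropping this file from the commit, or stating the reason in the commit message, keeps the secrets history meaningful.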
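Review bot: Only calibre.pub and nginx.pub are added under secrets/keys/, while this commit also introduces secrets files for matrix, sound, spotifyd, sync and transmission that are each encrypted to their own age recipient. If secrets/keys/ is meant to hold the SSH public key each host recipient is derived from, the remaining hosts' .pub files are missing from the commit (or were added earlier, which this diff does not show); the same observation applies to the nginx.pub hunk. Extending the trailing comment of each .pub file, currently `calibre sops`, to also record the derived age recipient would let a reviewer match key files to `recipient:` lines without running ssh-to-age.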
@@ -0,0 +1,56 @@ +matrixsharedsecret: ENC[AES256_GCM,data:0VA//FJ+vlFAKpMPIHw/VLsXMgN5pnGwqXr8Xow5F/I9R5IgVip7b4qUPx+PU32D7eeEhW8QgbrwjeqI5wrt3g==,iv:A2iAYeDRQf1SFyF2hEKK1TLakcM40HBJMyi+Sv0rRuU=,tag:t+B6OFe1gNQg3w6qlU1AOQ==,type:str] +mautrixtelegram_as: ENC[AES256_GCM,data:6i7JlAbz3OwhxQjftjkHB4o9YCYhMmnHNgRW0cnXLcMYsG3SME5b5RLOvGgavvIG+9HBv45fZRIICh1K6xZ1ZQ==,iv:FXC15XJZxwepIP1QEWceQlthwyISsiA89w5MXrxUDnI=,tag:hfnDn1rEhPENKDvpXH9sgQ==,type:str] +mautrixtelegram_hs: ENC[AES256_GCM,data:ZMXfosvSZlMs/IEVNfhYRWrjS0l4u2Fc3u+nB3nrTGXuQNXN7X65y8fbbzLVSX2TKgPK1HOiQjtTcIxX+GstFA==,iv:xQkD+152yfOQM0S9ZtlEb0VV8EROLkPeD54Y9/FHkzk=,tag:8qCOZLQY6a0+9bKP4PqV6Q==,type:str] +mautrixtelegram_api_id: ENC[AES256_GCM,data:paljhNLosw==,iv:D4hiwm5/3nUoNRdcN3yoJMGE3anUIJ8lEQYbN48v4/Y=,tag:SpZ/9phnQI+F5m9OTGxU1A==,type:str] +mautrixtelegram_api_hash: ENC[AES256_GCM,data:GoVLL22uNQMNxlesc3pmuSWxz6YVTMIu4VBnQO0Y1jc=,iv:WSOZlHrWCBgCdCl+CAsc+FrGzTH79+GePMUCm+0/FCg=,tag:Ti6MNpjBBbUnmtRIVAPBwQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1t2uj8arq8nnmd5s3h32p7z7masj2gqe5ec49dtr8ex2nlgef3yfqtgcnj6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUGwrb0VncGtIc1BPN0N0 + dGpLamE5R05GQnp4VXYrekttTEFvQ1BZNEVzCjl1K0syTEQwTWZqRUVWREtuZ0U5 + VHo2WEF5dUwvZlhJOWZDcXdWWDZ4OGcKLS0tIE1YRDMzbVMwMU1ZL0RjbmkyRm1y + L0Fobml3T3puL2Z0dW5EaEZQSEdZRFkK/nnz1NrsGqU0MYV+4T9gRMP/iMkCWWB1 + B0yqYsJjUuWLIr1DckTF8di+uLIAwM9l/3t64dAsQPrEfkatGkh3+g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-29T21:35:56Z" + mac: ENC[AES256_GCM,data:MeJ+FU+5AFMPrZpze7F0f5Of17lvNq1xdjOjLt4zNSO7qdwxEjtVLneQcIMMNAuDi5Uv20bCA83qFz7xPtwZ1Ftw36tySh/yrrsqTwIPNTZtZKzDvrHcxZsoi4VTvLnFR8b+Mxw+60LUxnztIPAHDcfbqaAGDaK7oKKZpj/jiMc=,iv:U73mNdp7vt19lHcjjzpSv6jaPMoHf3cwYi3SlbK5MdA=,tag:CwNHYXtBypDk5lt54U+Ihg==,type:str] + pgp: + - created_at: "2023-12-29T21:35:36Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMAwDh3VI7VctTAQ//UtkRIJ7tpD27NQK+pFXWjurxppYbyTtt4ZvBiHLkUTFW + Em9gjI2n90rSYdy+Nf4EpnaVRoSmjkjlJbNWp14GDfxegrmgSd2QY1dFCl5UYBLD + a6inlamwajmAlSHXW4JpMvbvSdqcnGX2AKkUvvoFsFrTCekqBRWiqxOW15MAKRLY + GWlJ6uVeqvyNOtEy4FCC4OOHb8yh/qHttboN5JtOukJtTGPrrN1W457sgB7SEm7G + df4OzynX9X7Utz9+HvIHTbvLlvUdL05ATVRJMa4PIwKUzWf8bLciZh2DYDEUOh5E + G6G9AL7t9E6kNeL9s2UCZdcxUlxzkDRvCoIPnrxpBSrLxkMCJkxIBlE6vemz6jGw + AB8wXxIAhDwMSQHnaa6jrFqVpQ7xo5vaOFQIckIl1FdCwyfd3X1SPwF16xW3f9dV + pj4gxDV9QlR+lh702TZihNwbVDv9+xIUsrOyoBPeLzgPikcRHvm6dtc3ueA+vo77 + WR81K/3jhqgQJMKowRDr+tYxHJtiY5OOCxnY3pUElFawbUd6dZzmU8GQCMa8+TjV + ln4aCa8IwwDG95XpctOzMSpOi4OhsVh6kuvc8378xi5kOsv+d8QR6Cj7Ene0MAlZ + i8UpD8AQgPR2FPuud9gkKfEVW37F/PYLbgs25rN4gLpM20ca6nFiFAWUv9Qarm2F + AgwDC9FRLmchgYQBD/wPZ4CfC58Cwq4Qnvam+ddSZLkih/w/tYj2V07dXip4/+yD + pej09oQCqdIxC8NFKUj23MjKRS0wouMiVXq9Mo+iAp1ujrjQKY69OzfD4tVM7opW + 5SXHHlXyQwAlgZOVwiuV3odbUip2aax31uzgB9aXtb1UXc5Mh2zdN2OdEJ9jtFGN + Yi/DHHdJno/hTgEvV7L5xBSDrWTGzvdLvICm/okqmM+lCG/HARng21TV/sPDDz61 + DGhfGw8b/MuF5mTU3GYjUcVgg9+26YGUxi5SunJ11zuLNHwl7CEC67+Cw8hzkaaa + UapTIB5RlQP4Q8vI8436MqFrQn1D3GdZKrE5tN8pFoJRSD/uMe4ICBC7xc2Oq0XR + iwXsBKlP5+o0yvC278eb9FnHQHLHlExBAL+TkSt4fT6hbu1V6niGX8/ziac1r9Dx + mmEyt7QJA+1MIjT4MoQCQLVl+4zf/f3kF8WBz6Y60oTaiLgxwJt6YnHfVUl7A0OZ + W40oiRRHWSYdibTGVBS1KT2fA+n1MeH+bzw0PoyHDN4sQtAGj8xlY8/+lzBO8E4B + 8lJp0GPoyxUnztNVXAuoTXp7yB2YxMFipXsGi5rirsbc22Nb7A8W21ZYx1mxG3pj + k+PIZqMlYA5QGfWST0ESDiWn8lSC1rH9wtHzzWjOTZfWaNSKumyUbiO+41cjbdJe + AcuaYiRLmC06pFLdZ4OS/iAfvIeybondx01VWSMmhFvA5RntQG3Hz9ke//PKtjsa + YizbQ23YPPGIq1wdcOuPq4F/LpZ/zQPZ5n9F6UC6cQf3RHVOfHxHZc1y0Tq8Sw== + =Th9r + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/nginx/secrets.yaml b/secrets/nginx/secrets.yaml new file mode 100644 index 0000000..f55f007 --- /dev/null +++ b/secrets/nginx/secrets.yaml 
@@ -0,0 +1,54 @@ +dnsmail: ENC[AES256_GCM,data:sDKEORfYYHg3sXvQhs/2ZoQtIKpe,iv:DkzqpxVrFEu2En0PEwc/ZAAeAM927ZaX3Ll6eAxjYyc=,tag:+FrjolbwzCloyOyhw3XZlg==,type:str] +dnstoken: ENC[AES256_GCM,data:FD9G9D2e6GEmGzVcYAAGMia9m/dVIjXtdc8WZJ/7+F8Lwi0kQH/VRA==,iv:FMSakGp/r3L5MwhXFhvH3nTNY+B37XU4dMe5Wajs9ZU=,tag:cQsxWB/FGUbuClgrgqA0ng==,type:str] +dnstokenfull: ENC[AES256_GCM,data:5I9nJpwDxJb9QVZZ1YnQEBgYnkM1gCBnyhR2XSgVQRNejzd0NXAA1g==,iv:0jmRdEMg7S+SoOTserDeYsvh6fPq8k7VIxnuT0Gnmak=,tag:3EAH4xSoTTGweOyE0sfMhg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zyts3egct4he229klgrfkd9r442xw9r3qg3hyydh44pvk3wjhd3s2zjqvt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNDJNZ3JrTzg5anRXZ2VP + cEo0aUEyU3I4VnVDaWhkemhRNi9vV3JwT2lZCi8wMm5wZFIrUEx1bmZUaWNFWXEr + bWxua0VCdWhRdVRmVmZTY0JDbjdLdlEKLS0tIGFVaXdnVzZUcVhkbjBFOE9PNFZv + SHJwU1NDSVg5MENDamJVYndjNU15M1kKHuibOTqcSUBwtrQVj0xzu2icc8dOxRTq + uILxeOCwd8eX/hyuyTe/9prPD/Q9rlwGji3gPJxEpm5X+R36yN4hWA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-25T01:23:07Z" + mac: ENC[AES256_GCM,data:18rZUjQ0LPsMZakxoU5DICZ73NNCM1Y0l8Uufd3e9sogwS6PGOXqtK1bq7yTDPsjsa+upIalXeuqvldubB7gvK9NVr6hQF2rOwVmzROTQVE0G61bTyOCzqqJ3BXdbbiCK7QBXZcboiOYeCuSHinr8qKrAQDATBj7myyYdLyZcdY=,iv:tiBp1JDu55jsfh6tMHSQ/3+hPAlpCQdHeMNxRWbwB30=,tag:iaXBEH51KbyqHmrfvQEJpQ==,type:str] + pgp: + - created_at: "2023-12-22T22:43:24Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAA0d33RcKMjMVlH0X0rBK5eIDz4XufU/E/ACJZQfqmzKla + SVF6xlYPVT9OYYvYaoEy1nDwd+bizPaGkp0t4o8Gh7BFRSHOT9f5lWggQ3SvPT4u + F/zhssgMWgVktAgimtlC593cYrnn/TbIPls7iLTstJznYYsGIFmD0UMcEeM97Tg9 + pgusMstRkRYrL9TLNeumV+KoUoHbh6G2ZNJXBOhA9c5d5CiCYicfqBHSbM0TSXH+ + 0AZK+4Ll9W/Bn2b1gTPwVzVhtyqMYOklJXoP6xhJhh1niO4OJwhkgbc5GFRmvqBl + lequVFZt0WH0HK8hcyf/HWZYwu/Y5tXujI+Qulov5KRkE413Zu70l7jyjwsGAojo + e+PtUwhH/qjGhD7wou+4fE6Gz3RAAnkqs1081RmowxzTpfRHBTxrk+PheFVYoyQX + 
VTWtr+DJRPyWyQ31Ljdaw/baci/8yfnViRhA0rY/XdsNGJn8BjLXmBmrMMYPudrf + hykvigmsr1+exwFbpwXqX5BDK9urvsagr+2oDIOR3AEEsBkShGrbqWi1U+syX3Y3 + g2bmoxD2W59+ODWfykTwhDOS2ZQ/PyI6Kq5AKdFWSOAhrwvwmwBt9hE6RAuYSoc5 + Od0BnY024SkE3WPlw+o9JZomPcKN/4xV5SzUZerB/5N7unP/3NQvMipvIt4SCW+F + AgwDC9FRLmchgYQBD/4yXIyRjhn0+41CgcfjWjqb8gyQWDq8oSUMlUSo0W7VJqSv + zojbWQ8YoJmdHWCazBGi6dLxaqkupC2YyRlfVgCvjlxfvP1b1JlLD5/QKfGJ+rzp + ZFC/FrzrHKLudutAZ0mwqEK6WC0zKLytSkpi+IKtFXJSbtagU0jETIjfYuKCxFZn + Sp/qzlbTfNdm50Gx7b6b9JmJEHwa9GevTVZER3e41+8beRFIocDnfBx1Z8FFTVng + F9fcc7/aNcMLBY8lmSCpPSpmcu207y3S9SFJsrLF+qOKcGKwZ5xnLAYAvAXY+EFo + 19ltQO3KyTsKjw00ljSdJ/kPQPanOlsDDlji0cQ2HgJ0rTNd9CNCLg8XzoCJh+Uy + lYImamgYqCW1BxBdYCt9+LPVpxR1D78oq22n3hKeKgJuSGzWXE7oIi61+jQCucWP + 2H8lSZ22kCzjQXu8sccNv1saOF6M7dnFhWAbFTuXaSUROBUnfzMaLx0HcI585p+X + oTrOkZr+pgKFIeGYhqXqJtDhKvCkJ5gO4mu/qNWqxt9TXOYEiEnd1T1BtmfFMMr/ + Ed01waKAxrqkED853CBG0L0ogGd+diMpVL1TBVq/9Bf85P1CGB2RsGgPl0eFkjck + 4KR4dvmSykZhusRRdih64ksktB/4quEZ+FvDxy33+OD4gO0NvfSJwKAEBJmlf9Je + AXCKsM/JHpqgBJCkJnb8gBYlJSl02BCIMmdhBLulqZA81KeWazu+yXEdfR8mbBks + OUX8+f/+cZwFVB8eGtDc2BKqL9mudLVr0tHfoEvT6i6mRfU5olUkSforH9urcg== + =aq6G + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sound/secrets.yaml b/secrets/sound/secrets.yaml new file mode 100644 index 0000000..0ca210f --- /dev/null +++ b/secrets/sound/secrets.yaml 
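Review bot: `dnstokenfull` appears both here and in secrets/sync/secrets.yaml (a later hunk) with the same key name and the same ciphertext length, which suggests one DNS API token stored twice, encrypted to two different host keys. Scoping each host to its own file is the right shape, but it means the token must be rotated in both files at once; recording this pairing in a README next to the secrets files avoids a half-rotated token. The nginx file additionally carries `dnstoken` beside `dnstokenfull`; whether those are two scopes of the same credential is not visible in the diff and is worth stating in the same place.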
@@ -0,0 +1,52 @@ +mpdpass: ENC[AES256_GCM,data:oPwpdBAg7Z1kfLm/awaTxXKZTIVWMQDTUw==,iv:jGWviJ+zwolzmYUkjfiFNepEPXSw7oJH530PaEV+GwY=,tag:nUr7TJCgkumAUZ1JrziI/g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1w7tfe7k0r0hm6mzz0kmz8302kfn0rlh96w7g6zwqd4muqg7u9anqv07745 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdW50NGJRM0Z5YytVa1pQ + akR1M21Ib3pyZWZWdUpCR04rb1pRalBiQ2tJCnNzajZpbVNVZWRrWEFvU2RnM1g5 + akhEaGZCN0V5dHR1Qm9IRVZvV2hGMUUKLS0tIHVGWUs2NnpTYlFxa0p5T0RJTFB3 + eFdSYkpPbzhGU0ZiM2FEWUtqcmtOa1UKCsQiVQpSI3GWpvU3zlvKSZPbnDbVNJJl + UFpygD0jqPWUvBFqALHKh8i3Li7B+ItR32IUO67R1bigS8HjYzdkkQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-30T20:54:55Z" + mac: ENC[AES256_GCM,data:XhknSHukwELPxfdskHSu6ewK1keNl3lcMQW0PqXqDn/ZxQtjQX1Dj5lez5QMHSFq5UAzXt4zljxRNvUtLNfnRBpTe5vWCgC7Bt1ZHz4ikmbp8/VCMteZVh3rWr+jM3j0eGsTo4LZD46IRUN6FDhVVFb4fCiiJGVKAusFonjaYOU=,iv:IP/iOv3Jb2O0PT96K4gBCf77PsMl5wt5V0O/xOUwnRE=,tag:enWN7CAMvFMvgPGuhqu3iw==,type:str] + pgp: + - created_at: "2024-01-30T20:54:19Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAAlhqb8zkCNVWJ3Iayj4IvqlHe6FZiYUtu1jucKh0Yniwh + LmctvOhIwB1UP6NEeX0ReqbMCBJLpB7Fh661RgYguOA+mU7qB9dkTi7OMVYN0fnS + OXeAl2+9SKNO9Tel3XqFtJZ9eCgSE3AR78U55SH8lhe+243U99+dXBx20Qzh8fYk + YGggcMhzJewou9OziOdQtq3hKh6BDlOPU8VEufreeoQUN3CDbWXeUzbDbH1Z5lbk + Ibp61T7RZ63IcfQu9GPWxyaxkCw1YOtbRxUN2H1BYIGjNuGag7Q1dRud9v1iQPAv + SN1JWq6y5q7zxIYUVliquMsiMRkkX4mAINnY6fo/J4aOTbZCUyO5bsqTHYjrsUwW + lDDErVl5HS4iAfEGZrKRlY5b9aZMZ3o/+DxEa61mvl5nFaSvpy6zQXV4TK73B++j + 3EqUji9V3RTcKXKJqu5dNL5Sh31GSv2U8RADpbPh2ned1igx+3DodC1RL64z/jP1 + HKFbhz2hYhfKxPLQTcYvmmrQbICjjuLNP46hQy7Fkk1IvPZw2hDEXFuZnKsFMLPc + tnIC4/yhnykdDU6Hx/LQbSJWs69daN+M2ty9fjqvW/Thl+lkCb89I9dA+H5TcHF8 + aFfosBJniw7Nm0tUOMYCtjh2lRYzs1Hm8GyYmL3SXkNq41n8kIF4viW/Q3SVVqGF + AgwDC9FRLmchgYQBEACiTLmTrucjVeNf5iRI+n927+S0KOqvjRJSAGC/2jjRQBxG + 
8pX725XK3EuYHB0pWe/cwat/XzgrKbHhHLTOAoZLXkL8mailFYqDkyPWyY0KUOv0 + reeGO0oQxbbVaurtTsXVfNvkHYeAPcIgZoHgSaPh2fTsxQuvBpo5El7Nk6EGWp6R + I/obM0XMS72gUnxOEMReyk28C5xncsQXmC02NK7zvq2abKS0mv8KmMR7nvLWg0nh + Hy2Jh4e0B7CvMyLOdJo2VXBxoJhb4CGoyidXg8Fq+fHQSDOFCF7Tb2bgCfdqWowK + ip6CdHnj8mj331LWdpW/Yo/TYDN4fnVVHMO9aISiC1S50Lb06uwhJlBYG8HnWJ3Q + JCbftxDdiToJA0fDq/L+sRMcqN/l+WoaxS8PsmSF/6xuQsa+bt4S23XITQkWrtx2 + S7reh/xsl9YKR1L6cxOUiaazuYn3aGlUTqSY0PfGVsfVo5+vN95q5SYOqqx8s8+Z + h3jFLe2cGQu3yOSeUhHJYBjqho3dcRW3Mo6crCh0bj7LSIoeIntCC1G21MzAcXoL + Xa+u/gM5HzPQ0Czi9v/bdwtN9eELEx8gOVvq7zhJTM1ot+hxyt0XAz6nCkkVLr3D + sasN1xs20+VsiRqqKwPpNxvDwkSyt6zMHf7zDxVW0YhyTqiIHeWSA4f2aqxqstJe + AfxPey5NzP1PX2ovInUhaqVQc/L8u+04aJa7JFiW1wjZP6BesPiy/mRA7rBMUmE5 + tVlrec9utTLVp7aerjuODBsDarVILmFJetgDPb7vI42BvxTpjjCiJJjXPXQzcA== + =6npP + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/spotifyd/secrets.yaml b/secrets/spotifyd/secrets.yaml new file mode 100644 index 0000000..64a3228 --- /dev/null +++ b/secrets/spotifyd/secrets.yaml 
@@ -0,0 +1,53 @@ +username: ENC[AES256_GCM,data:8c739M/ygFSYP/xsDovnPem5wrUr,iv:LarOsdIzdz7UP2WtGt08bBTTZLo3Ne8RQM74mFJpHLI=,tag:r8GrK0d8+7C6m74vJ0X3mQ==,type:str] +password: ENC[AES256_GCM,data:E6CLOD1IZUzsjzQ=,iv:EL/EvTUOTatCBCZijCrnrz8ZIeP85znZWCM0PpCJ2y4=,tag:Dlas9VApM34F48l5/CVF6Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16d6wulu4vzuawvsnqv0cqjhxdz9e20qm3xdnzq2lp7787srl8shqsqlfps + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmaUZRRlVoUE9PTGhSbFl5 + UU5GNnVqcm81RzZsaGNwaWc1ZmVKeHRiQldrCkVNUmFGeWhIaUlSTkM2UmtUakU0 + S2VMeGM1K1pJUjZJeGUyREo0OTlvTlkKLS0tIEw2d2xRNWsrT1ZmYkpxeDlwUVZS + bnk0T2dPRWFrTUg4dEpORjZLaWRFenMKw5pkVC3jaHlACgH2vCGcwoGP36ZRWfuu + yI3dITX/r02hZnDMuUrCT4W38VHhSYHckUs0NnpkkCKAL0CREgSo9w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-30T06:13:01Z" + mac: ENC[AES256_GCM,data:IwZsL3uIw83Z3AflvpsqH0ML0VCUeTJT7AWzCDORFOxhyvWhzGGBnUHQiNOngKlepyV+WKclMOMpe7aHI/lMZXjA1cLiY22A2cNV6PCjKbnahzr2N7s6XyZ+9de0G7EIdR1fMR5aMECUR4Uwbb5AsOMVtO2wwhldBF3jn7pQV1o=,iv:wRY/RvhwFKECNSVt6xmGD6RWFPFuje58A9OLkmSL9II=,tag:cpBmf/1z1CnxGLY0WBvEQQ==,type:str] + pgp: + - created_at: "2024-01-30T06:12:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ//QgyjJi1IFK+0ybpoeXE5nAbjXxJipG9viMhPhh2PD4wc + ZgCynE+sox+vzA0mzK72z+RqLAZctCafISjTzpDIxupz4HBQHjeWGHeZH/RqH+3Y + x0Z75Cv8G9n4S9SyDaMPN4dWC+LJ8SP2oMZvQ7G0HcZntHdWH7lcxQfw1WvbBx89 + obZ+duliV3QFsBMYT/Yci2z1mgJ93SIhFRBVv1F3VLlSVGtB/6uWNKgAtvgD9jls + VPO6XuUMIdyv+vv1nZ8n2gBOskhoyowX08w+ztDiMure1kS5LgsDxm7alx2eywip + HIqxpTTp0HTcWy0RIVlv0tnl00PzVRZ63KKGRaTmrNIfGHdE+qpSJdKWd2SuCimR + Zje7mOTPtqcE2TnTy2auWgRgOHaw1Js52Nwod15Z+3XotumMfFdIbEvbFOoew3Im + gbj7/YeTML2BAiAE7VnzVMTelB6ElqcFM/ZDfHCxFM3iWby5XZGyF90rBk3v/Z7T + tc+o+ImyvVPjFDJs0nizNDwEtTOJKCyA+KHfznzRw1qRYrSwUVpYQB7q8TvH5IcS + f2s7rySqpNp+79XMRPYoimw5tFebhR+IgSBZ/VdjwWLBXaebAdu8Sf3FtfLvGnD+ + 
CujOYuq/6t+EpSsgAOH3D7QZ9BlFwPFA762sSBqa92VEm1BULDZpZ3nB4qsT0/+F + AgwDC9FRLmchgYQBEACfOZetLUBqqa7Cgb6b+DZig+PuLHaCq9p6LqQPFmP4KL7M + /04xEAvL+2Tz+PhuNY3YtkimTeue2vZLJD6hHfxCYJO/GDr+ea2Rv9g23FvEFulw + klqRoDYCgjHp+Uk+9ux0fS8FJsDmQ8ZBPClx/OPGQTdQJ7sXB0AF+FT4TJY7gQP0 + 7+kcFbUwkXHH8EBw8tTnQHakPd1AIj2EVkMTAlU9mlZcJYmoCjSrH511zz94eQnR + L1J66vckCCdLPhrOq+NI8LTTr4ypjHRmJwW9TBcfamdXnsxZBrl1QTq3AAZURRPL + K7Bo6mWHJ7QBNNUnY1bKwpcY7zss7KzKklgPLuG+GxLZHfyKBMOe6Y/xLvfbtZ4u + sOdZSTrgruU7tuejPRlgP6eyh+yE9MSLJ0p4g0jkKf7qngA1Ec1IO21m7KnmqQ3a + Gr6+rI0K0FCUIf5q412OLg1cYixmlqb0Zfi566rJPYoHEoRhWUsP2ndvizNyULPJ + ocCaxEEV/kGk8vUwnSsb6EKfJxo3P0Xp4uFQ1SAhexbLXrqqlaLGYxulrXgwwgnf + 55Abk6B+O7RL3V401Phn4vRfzrSajzlXDUwFz+TPy6VMY+yx+FweIedjlJFTMtuX + 3EUyYyl6fuvAd7qmN6I1HlwVEJFEeMRKKxt+ufGj1m6fiqLvcus8Xw4r40zDO9Je + ATeO4b//yaoIs2lAshj2p97mVpU4xKzd48NOmuaZn+Y7/3m5xXk6vdb2dK2Gky/V + gSf+7TfGBdOOn9zlKxmuf9Q+HOyR/AbCibXUvhL6Ni9wqRHu4B0P6jIrTg1NCg== + =v009 + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sync/secrets.yaml b/secrets/sync/secrets.yaml new file mode 100644 index 0000000..3a9182e --- /dev/null +++ b/secrets/sync/secrets.yaml 
@@ -0,0 +1,53 @@ +swarsel: ENC[AES256_GCM,data:WzMlNzg5iAu823s=,iv:U8ZutlrzBqq7z445kSnvluejtta4X/0YMIIOdcQuftg=,tag:IE0WMuXlNwnBHzXtrbVHKA==,type:str] +dnstokenfull: ENC[AES256_GCM,data:hxgxSm6pcXOEHZHdSwQkfZryFccQXrCu9idULJhWK/tQ44FyRIU4Yg==,iv:ObKf1M1qkgCltkKJX+URaPSiK5Itd3xlfBXPjf1iVak=,tag:PASR0pgBdcDYjdTZ2eEUCg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyWGpWaXR6aytqTEM1YzQ2 + c3R6SjhWNGo1NnlNY1I0WmpkRWVSQno0cjBnCm1OQ0lhc2xYUHZza2w0R2s2OEkr + VlVSdkZSNW5iclB4N29Fbnl2QTM0cm8KLS0tIEtJbmdKOThaR0ZRaWovZ243UXBW + ckc3MmZZTVFyRGFaTVlVM29ra3JkbzQKNYhBd9oMS/jn2Oqyx9LpqJjQUx2mEZ/B + aUNbenlCRr8KCc+yBXuTyI31LPXJ3YHsI1cfp1K/LGzCY2F0uk4rSw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-02-01T01:06:53Z" + mac: ENC[AES256_GCM,data:pjpS4BX6PJtGl7d5QAR5vRkuzLceGWUEWIzvCG5NTdz6TX5STHZqjX7V+DEKUbNG8HWTMAqUokr+2uHT+hQ5RxCVYMZeEfUgVqcxpxJHoGHcs+iwLDghqlh3jEZInSVXqhD4UP8A0JSGLtAEBc5o3bELp7pTEw8mLq4trEm4RvM=,iv:hYpEG7ws8RKYcrbeOmH7m4pcZ/F4nIQY4wb6RW3BpR0=,tag:tsAIE4Px9ZPIJ2l/KQUmXQ==,type:str] + pgp: + - created_at: "2024-02-01T01:06:36Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/9El05oLwUKeG5pg1Ppyn8y+XEqXwbU4IQ/3HbtvdZT8iH + 5sywZNP9dtEV0nzEbJ3TR7W+u8Kx/4/EL1DpsUtEefn8XIbeuTb1guX7J6EYzda1 + xCCoaUg03iC6xKq3sDvOU86K5qLCoTrxm00DtHHWH8p6flHTdkLKzP/7AWQpu31v + tDLJ5vdJbdRvMBz8XMQ+wuWiTdiVvlmY+6HHuusF8LXx+uj4g2NI2u/bBJ9HIVYI + 1NLdIlyvdD7yn5YJSrUgmdH8IXsbnpBIJAjgT8TSZugfUlK3znv1ZB/x4O/h3JO1 + LTxm/1wRG8BN+YqLzNfyF7bk/4dTWYNJK0x/AetvLEqbrmo6e00R7Sb+zAA8aeSI + K3QEw4ayTsF7vGK1W5QTjSaYJqucyV1VaW/Heb3ZZSLGRdrZN4jO9q6xHnW6wMMt + GYg100+GNkEHPRzGDDz6fpY2gDsTXKgO2+GUSOLeHmoAkiIAwsvrpUO5ocrqKmrM + BzMKKo4xjr+5oCAwopWLYSFqHKBju6Puth7VL4JhCPt5WyKB7Nup7JMRuupzBZRG + 31DyD5nCsgbBeC5fa9Tvv9OVq30UOqUtJOCh5/IWFSBxuMfIPC1wb7zgP6obDZre + 
6gX+a5XHW5c9wSV2/yP6z5UxCkaOTE1P58Qq/A4wx2XvIDN7jw/l/blni2CYj2aF + AgwDC9FRLmchgYQBD/4hBYKfky8PA5l2cY3xMz27bxVPPoH5jJJ/vSz96EOpQeos + gvksKb6PPngWpQqByHKnLVQgHoR+J1TkYxx69vInR+tMjzvTgJdWnmsn0Qs3oUZ8 + mnm27GnsvhvzvaTTMzEdgP32mVAH2WEoqOeSGtVUAyOeQqvehCK3hS/M6WcKX6DO + 0m1IkMqqMp3qweyunhgt0HOHbj04Ecw7B0vmlqezc7UF/Sr70Sv1v/u3FKFKyh1+ + Ti+I//Fx6X/q52SDEY7Btn12r/xUW3zDm5XeaXtOJbL9TaNnpIgEI9X6BhisajA9 + OKuvhtcG5Y+TjD0/o2Wm2AwI8FriwV7NalC4cpNOtDMVxaFMMY55JIvHrubtjCJP + xaObMyDmKceo2bG69Ht6NrITCl+6j4GaD2Iptun5EmgYH6Gc3tDZ4swxwJD8RU5L + qrY1pRWO/ddOA2V5sEesiJoJWB7ZuTjrf5JP0/aT8IIH9qEpIi4MRbvBdLYKDTlH + jhUnLkb2OLQMfolMP9EsnNyw7WOP+olbhlsjZhoSt85N7kXRYErv9TI8wb8s+A/V + fl2DDFkdezY6LdcSW5jmnwQtsgNL0httwOAXapJmpGyS57V3BCgE3nTTWrXnvyqw + uJIz5DuZVT4Bagqp8GBSLPn9bquHtLssKLofIOF+wr6lp7Jm2AdYcRfFSZ4jxtJc + AdY98vAQJxkzQ+2L6YJ/t/hEh4rXUkUeQJpdMwQ786FpMamJAqHPZ9k7PF0rKipH + 82p4T6nqBSKD96YiXCxU27D5t9suBeWhXNhkWIW/a5ujJQPP6q3Qy49vopU= + =NNT2 + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/transmission/secrets.yaml b/secrets/transmission/secrets.yaml new file mode 100644 index 0000000..afa4a5e --- /dev/null +++ b/secrets/transmission/secrets.yaml 
@@ -0,0 +1,57 @@ +vpnuser: ENC[AES256_GCM,data:7wytXrH3c6s=,iv:yoaWl5NCFuF/Ic2nkFXpvSZj9fQCHRtzKOHef+EEolQ=,tag:jzX5ewkmAHZhJMaq2ke90w==,type:str] +rpcuser: ENC[AES256_GCM,data:lO3735Ynaw==,iv:PDhpAifNEjKpZk2slowOqVUXxaVup+ZLrvGPq80RV40=,tag:8sb8PxZrEVnxhFIRu+Q/FA==,type:str] +vpnpass: ENC[AES256_GCM,data:pTnZjMu+fCJMOQ==,iv:aKLOtjJlXsr0uy+5OrcMxMBqaU8vwaG2Vcn6SirbYas=,tag:Pv2D8Qn+a7ihz16jSkUTbg==,type:str] +rpcpass: ENC[AES256_GCM,data:nknsULbLZMo68c2P7lmWBEZcyaLqDXrU,iv:1NUnew6AL9kmBTnLTXgwA8cm2AO85He0I2fP2oXhrdA=,tag:G7YgBNR7h7QmukVQLhG1pg==,type:str] +vpnprot: ENC[AES256_GCM,data:Ue2A,iv:NcYpWxPWhIKewOde7kYS4TJnipnADLq9+7Pb/l0xgkU=,tag:ACoL3u2gPHXaM2HlW9Msaw==,type:str] +vpnloc: ENC[AES256_GCM,data:X83semtc/SINDnJblMZduEO6UhSTUeziJRHO,iv:9u4ddDGisgDLlwQGQRL0AZHo1mPD15s6+X3qn9gDf4M=,tag:OeLdoXIDrfxJesJwCEWI2Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1wevwwytv5q8wx8yttc85gly678hn4k3qe4csgnq2frf3wxes63jqlt8kqs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNc2F6RlBjTDRLcU5FYlhQ + c3ppdFI5REZpazc1cnFubE5iaUx1bEFDQUdFCmM5R2orbVUrSDI4bzgxSWt6amlJ + NkdBQkM3b0RWSVFuSE9GM1NsNWJuS2MKLS0tIGtWdi9Qd1BSTjduWCs2dWViQUlZ + UCtqdEMxZmIwVk5wY3RGUU50NUNMY1kKuCCh64itbGbWc1DrxV3BupImnZoIuqga + eC8BcM+CjEmeXDb+tAo81OADCVnnfH4UP1gJ5hHxn5rF7/zOkljXeA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-28T23:15:15Z" + mac: ENC[AES256_GCM,data:BS7Ma6oSrJxEMYHbCtEDwVePqIhgmgdWchUyVZhf/dlg2JJfE87gr9jDZrlGPmZM9pUD/gDm8VO1wtOLx61jpII5m1bfSfq6O8XEOQ+cLrJDHHaDo0JTF/TOWWpWPEbnNLpa+BjUb75aAX5Y8+Dw0yAqIRIGNxoanTbyh3NuZyk=,iv:gS4xdaF3DWaJ1bYBBmHgXfHrnr7diw0jtWVYR715RGo=,tag:LXDDCP7k/C660h2AzbuxCw==,type:str] + pgp: + - created_at: "2023-12-28T23:14:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ//WKTeke13O+mZdeXrSaxQWQQ3gex86o8+hIDdkKxvUR/x + bATUaNh0GGU5ovosDFEIWM9F4FQzmAidYKl0i0j9zsR8tIj+0JH1ahmL0oxM/xbC + 
sh8/IKczRsPQjZYrO7g4fH8Is2d8zFh8nWIEwDuEQ1/TB6hzip4npKcLlp3hqsLx + 5/SwQvSSh3q6iND0YFLGYKwtlNV3ZhcTU0TeaOYJTmzaWU/XjsvTL3lOcHpVtXsY + IK6/b5bitB28zR5J1h3zpHiza+OabAlG/hXHkL5q9NDb1qkmkgxZfbBC9qJiu0ke + rBX5pPYF1yDZF/3QmCmsId3Rx0vEKJzw3vdkqHje4se9zNbnXJ968Gva/3QJJF81 + iYtetvO4/v3BR7xCwfpW4V6CnNQ+N87T0N6jC8racl/GeCiFmSvSUmOktN06AHBm + JO6Ie9vmzmnVH+sKMvRtFETzkqcxCsgNhPnvnGqzDZFf15nJAtRjzYTjMrrIEyTO + MC3V0GMOrdkorRPBbCcXDYC54sorbWuVdjxSX+pElvFO6XKhZJSfnZO2/QHlWU87 + 1EvyO0jS7314vwksrU0965nQ+uJA3lLZpIK7ZivoOK94Oo7lqi+IVbyUOKeQTRBe + USITZY8gTcGDvTGBkAPVBEIJMHOu5gMdPh4wbVwzGXwItSGfXOvh/SaL47AJ9QCF + AgwDC9FRLmchgYQBD/9ZsUCvmiC6BbkHBOSCpyksC1+GQ0k3jUMV6VYt/tIqt6a0 + ILU9Bw+jkOfo7i+t/7uTp7wXyb2JwsohiP/YreYDOOCHxXdJJExBI/tOXoS7nKC+ + dBjKwIz4BPDQz/1METECNoB3v23iUr+GeKTI9gjOO5btEh7UdiKO3inJttSRqVE8 + /kXN2kzSz9VY7W76h7JIMuqhmzorrn/FmSaZWZ4cWW8wvgkQ9mf96dwJElXpZ6I0 + JyPMPpnkd8UPI96MXJbrLToFdmTHgK2TQNmJKPACe2CEQFMvfADKpuC6vq+OckxD + oFZqr+jUsXXGXJUA9Zn59Pcw3FJDiDfJ/4/BqYgPx4IMU7pdp5UEj0PE02BhCPl4 + nkFHRqDA3oynBLFaKXAPa/ND4WLaF789V34RTOBvuiIpe9sGhI5gWhIuqW+eZfhA + Xtf9Wes+FDS+23K4zZ9aB6oTeV0W/JE1xAQ4NYCilrfsF3rwx/x4WYspe7WJjvGJ + e/LzfCaxna3gf6WyY+5Go/PI0JlicrEuPK/DWi5dTlgnx66mcskO0AIGG6a2syyZ + i4UvX/h165NbzoeswyHq3Mz4r/6WXpzO3Znb/pyfdAbifxatGtitm5X960/4tmFE + RZzig35VbhntomBSL2I/KBzEnrqwY+/nnf3DdjOJNbk9XWudaVRCnFJOSiuNFtJe + ASR5liWrbDKUkdnG2Pdqk//CYsg28xobBgVRG5roi3EuGFHkZCno0nC+r7e8Ad1A + l7CTOPtmhNr2RxNKbTzaYJDaivDmo9iILxOfX7i20m+DhtWTsPuML/LHfFc9hQ== + =Abzg + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/wallpaper/navidrome.png b/wallpaper/navidrome.png new file mode 100644 index 0000000..4c94ca5 Binary files /dev/null and b/wallpaper/navidrome.png differ