swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 09:07:21 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add several NixOS hosts on Proxmox and Oracle Cloud

Browse source
This commit is contained in:
Swarsel 2023-12-22 01:15:04 +01:00
parent 9afb9ec47e
commit acc0ad68e0
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
43 changed files with 4356 additions and 187 deletions
Download patch file Download diff file Expand all files Collapse all files

49
.sops.yaml
View file

@ -7,6 +7,13 @@ keys:
- &server_nixos age1zdjm8qa5t25mca0xxhhkpuh85mgg4l267mqjj2pdttksq7zg4unqdmqyp4
- &server_surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
- &server_stand age1hkajkcje5xvg8jd4zj2e0s9tndpv36hwhn7p38x9lyq2z8g7v45q2nhlej
- &server_nginx age1zyts3egct4he229klgrfkd9r442xw9r3qg3hyydh44pvk3wjhd3s2zjqvt
- &server_calibre age1q2k4j9m6ge6dgygehulzd8vqjcdgv5s7s4zrferaq29qlu94a4uqpv76s5
- &server_transmiss age1wevwwytv5q8wx8yttc85gly678hn4k3qe4csgnq2frf3wxes63jqlt8kqs
- &server_matrix age1t2uj8arq8nnmd5s3h32p7z7masj2gqe5ec49dtr8ex2nlgef3yfqtgcnj6
- &server_spotifyd age16d6wulu4vzuawvsnqv0cqjhxdz9e20qm3xdnzq2lp7787srl8shqsqlfps
- &server_sound age1w7tfe7k0r0hm6mzz0kmz8302kfn0rlh96w7g6zwqd4muqg7u9anqv07745
- &server_sync age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h
creation_rules:
- path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$
key_groups:
@ -22,3 +29,45 @@ creation_rules:
- *admin_swarsel
age:
- *server_surface
- path_regex: secrets/nginx/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *admin_swarsel
age:
- *server_nginx
- path_regex: secrets/calibre/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *admin_swarsel
age:
- *server_calibre
- path_regex: secrets/transmission/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *admin_swarsel
age:
- *server_transmiss
- path_regex: secrets/matrix/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *admin_swarsel
age:
- *server_matrix
- path_regex: secrets/spotifyd/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *admin_swarsel
age:
- *server_spotifyd
- path_regex: secrets/sound/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *admin_swarsel
age:
- *server_sound
- path_regex: secrets/sync/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *admin_swarsel
age:
- *server_sync

44
Emacs.org
View file

@ -412,6 +412,7 @@ Base emacs undo logic is very useful, but not easy to understand. I prefer undo-
"C-c d" 'duplicate-line ; duplicate line on CURSOR
"C-M-j" 'consult-buffer
"C-s" 'consult-line
"C-<f9>" 'my-python-shell-run
)
#+end_src
@ -1068,7 +1069,8 @@ Soon I want to try out this new hot stuff - just at the moment there is too much
#+begin_src emacs-lisp
(use-package auctex)
;; (use-package auctex
;; :ensure nil)
(setq TeX-auto-save t)
(setq TeX-save-query nil)
(setq TeX-parse-self t)
@ -1503,12 +1505,7 @@ NOTE: Make sure to configure a GitHub token before using this package!
(use-package git-timemachine
:hook (git-time-machine-mode . evil-normalize-keymaps)
:init (setq git-timemachine-show-minibuffer-details t)
:general
(general-nmap "SPC g t" 'git-timemachine-toggle)
(git-timemachine-mode-map
"C-k" 'git-timemachine-show-previous-revision
"C-j" 'git-timemachine-show-next-revision
"q" 'git-timemachine-quit))
)
#+end_src
@ -1734,11 +1731,34 @@ Currently unused
#+begin_src emacs-lisp
;; run the python inferior shell immediately upon entering a python buffer
(add-hook 'python-mode-hook 'swarsel/run-python)
;; (add-hook 'python-mode-hook 'swarsel/run-python)
;; (defun swarsel/run-python ()
;; (save-selected-window
;; (switch-to-buffer-other-window (process-buffer (python-shell-get-or-create-process (python-shell-parse-command))))))
;; reload python shell automatically
(defun my-python-shell-run ()
(interactive)
(when (get-buffer-process "*Python*")
(set-process-query-on-exit-flag (get-buffer-process "*Python*") nil)
(kill-process (get-buffer-process "*Python*"))
;; Uncomment If you want to clean the buffer too.
;;(kill-buffer "*Python*")
;; Not so fast!
(sleep-for 0.5))
(run-python (python-shell-parse-command) nil nil)
(python-shell-send-buffer)
;; Pop new window only if shell isnt visible
;; in any frame.
(unless (get-buffer-window "*Python*" t)
(python-shell-switch-to-shell)))
(defun my-python-shell-run-region ()
(interactive)
(python-shell-send-region (region-beginning) (region-end))
(python-shell-switch-to-shell))
(defun swarsel/run-python ()
(save-selected-window
(switch-to-buffer-other-window (process-buffer (python-shell-get-or-create-process (python-shell-parse-command))))))
#+end_src
*** CUDA
@ -2337,7 +2357,7 @@ The following block is 100% stolen from Dominik :P
:config
;; This is set to 't' to avoid mail syncing issues when using mbsync
(setq send-mail-function 'smtpmail-send-it)
(setq send-mail-function 'sendmail-send-it)
(setq mu4e-change-filenames-when-moving t)
(setq mu4e-mu-binary (executable-find "mu"))

1806
Nix.org
View file

File diff suppressed because it is too large Load diff

39
flake.lock generated
View file

@ -537,6 +537,22 @@
"type": "github"
}
},
"nixpkgs-mautrix-signal": {
"locked": {
"lastModified": 1703864075,
"narHash": "sha256-0TtwnLaBydIjpugK1kIIL18dRXZ9KaECfQmkJVBFEa0=",
"owner": "niklaskorz",
"repo": "nixpkgs",
"rev": "d5ba4fc361fbdd71300b190d4fdb82d3c9e46938",
"type": "github"
},
"original": {
"owner": "niklaskorz",
"ref": "nixos-23.11-mautrix-signal",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1701805708,
@ -711,6 +727,27 @@
"type": "github"
}
},
"pia": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1687263775,
"narHash": "sha256-sSVNT3o+4RcdnUqdVloPc3UvM3LancTY6htyzAHrC0w=",
"ref": "development",
"rev": "190f8040cc4837fb6b3c43032711e1536ef2270b",
"revCount": 10,
"type": "git",
"url": "https://git.sr.ht/~rprospero/nixos-pia"
},
"original": {
"ref": "development",
"type": "git",
"url": "https://git.sr.ht/~rprospero/nixos-pia"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
@ -751,7 +788,9 @@
"nixgl": "nixgl",
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs_3",
"nixpkgs-mautrix-signal": "nixpkgs-mautrix-signal",
"nur": "nur",
"pia": "pia",
"sops-nix": "sops-nix",
"stylix": "stylix"
}

98
flake.nix
View file

@ -47,6 +47,17 @@
inputs.nixpkgs.follows = "nixpkgs";
};
pia = {
url = "git+https://git.sr.ht/~rprospero/nixos-pia?ref=development";
inputs.nixpkgs.follows = "nixpkgs";
};
# provides expressions for mautrix-signal
nixpkgs-mautrix-signal ={
url = github:niklaskorz/nixpkgs/nixos-23.11-mautrix-signal;
};
};
outputs = inputs@{
@ -62,6 +73,8 @@
stylix,
sops-nix,
lanzaboote,
pia,
nixpkgs-mautrix-signal,
...
}: let
@ -71,9 +84,24 @@
overlays = [ emacs-overlay.overlay
nur.overlay
nixgl.overlay
# (self: super: {
# airsonic = super.airsonic.overrideAttrs (_: rec {
# version = "11.0.2-kagemomiji";
# name = "airsonic-advanced-${version}";
# src = super.fetchurl {
# url = "https://github.com/kagemomiji/airsonic-advanced/releases/download/11.0.2/airsonic.war";
# sha256 = "PgErtEizHraZgoWHs5jYJJ5NsliDd9VulQfS64ackFo=";
# };
# });
# })
];
config.allowUnfree = true;
};
pkgsmautrix = import nixpkgs-mautrix-signal { inherit system;
config.allowUnfree = true;
};
# NixOS modules that can only be used on NixOS systems
nixModules = [ stylix.nixosModules.stylix
./profiles/common/nixos.nix
@ -151,6 +179,76 @@
];
};
nginx = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; };
modules = [
sops-nix.nixosModules.sops
./profiles/server1/nginx/nixos.nix
];
};
calibre = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; };
modules = [
sops-nix.nixosModules.sops
./profiles/server1/calibre/nixos.nix
];
};
jellyfin = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; };
modules = [
# sops-nix.nixosModules.sops
./profiles/server1/jellyfin/nixos.nix
];
};
transmission = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; };
modules = [
sops-nix.nixosModules.sops
pia.nixosModule
./profiles/server1/transmission/nixos.nix
];
};
matrix = nixpkgs.lib.nixosSystem {
# specialArgs = {inherit pkgsmautrix; };
pkgs = pkgsmautrix;
# this is to import a service module that is not on nixpkgs
# this way avoids infinite recursion errors
specialArgs.unstable = nixpkgs-mautrix-signal;
modules = [
sops-nix.nixosModules.sops
./profiles/server1/matrix/nixos.nix
];
};
sound = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; };
modules = [
sops-nix.nixosModules.sops
./profiles/server1/sound/nixos.nix
];
};
spotifyd = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; };
modules = [
sops-nix.nixosModules.sops
./profiles/server1/spotifyd/nixos.nix
];
};
#ovm
sync = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; };
modules = [
sops-nix.nixosModules.sops
./profiles/remote/oracle/sync/nixos.nix
];
};
};
# pure Home Manager setups - for non-NixOS machines

70
profiles/common/home.nix
View file

@ -3,6 +3,12 @@
{
home.packages = with pkgs; [
# audio stuff
spek # spectrum analyzer
losslessaudiochecker
ffmpeg_5-full
flac
# "big" programs
filebot
gimp
@ -205,6 +211,23 @@
# MIGHT NEED TO ENABLE THIS ON SURFACE!!
sops.defaultSopsFile = "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml";
sops.validateSopsFiles = false;
# sops.age.keyFile = "${config.home.homeDirectory}/.ssh/key.txt";
# This will generate a new key if the key specified above does not exist
# sops.age.generateKey = true;
# sops.gnupg.home = "/home/swarsel/.dotfiles/secrets/keys";
# since we are using the home-manager implementation, we need to specify the runtime path for each secret
sops.secrets.mrswarsel = {path = "/run/user/1000/secrets/mrswarsel";};
sops.secrets.nautilus = {path = "/run/user/1000/secrets/nautilus";};
sops.secrets.leon = {path = "/run/user/1000/secrets/leon";};
sops.secrets.caldav = {path = "${config.home.homeDirectory}/.emacs.d/.caldav";};
# sops.secrets.leon = { };
# sops.secrets.nautilus = { };
# sops.secrets.mrswarsel = { };
programs.ssh= {
enable = true;
extraConfig = "SetEnv TERM=xterm-256color";
@ -214,6 +237,11 @@ programs.ssh= {
port = 22;
user = "root";
};
"jellyfin" = {
hostname = "192.168.2.16";
port = 22;
user = "root";
};
"pfsense" = {
hostname = "192.168.1.1";
port = 22;
@ -229,6 +257,11 @@ programs.ssh= {
port = 22;
user = "root";
};
"fetcher" = {
hostname = "192.168.1.192";
port = 22;
user = "root";
};
"omv" = {
hostname = "192.168.1.3";
port = 22;
@ -254,6 +287,11 @@ programs.ssh= {
port = 22;
user = "root";
};
"spotify" = {
hostname = "192.168.1.17";
port = 22;
user = "root";
};
"wordpress" = {
hostname = "192.168.2.7";
port = 22;
@ -274,11 +312,26 @@ programs.ssh= {
port = 22;
user = "root";
};
"matrix2" = {
hostname = "192.168.2.20";
port = 22;
user = "root";
};
"database" = {
hostname = "192.168.2.21";
port = 22;
user = "root";
};
"minecraft" = {
hostname = "130.61.119.129";
port = 22;
user = "opc";
};
"sync" = {
hostname = "193.122.53.173";
port = 22;
user = "root"; #this is a oracle vm server but needs root due to nixos-infect
};
"pkv" = {
hostname = "46.232.248.161";
port = 22;
@ -343,23 +396,6 @@ programs.ssh= {
};
};
sops.defaultSopsFile = "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml";
sops.validateSopsFiles = false;
# sops.age.keyFile = "${config.home.homeDirectory}/.ssh/key.txt";
# This will generate a new key if the key specified above does not exist
# sops.age.generateKey = true;
# sops.gnupg.home = "/home/swarsel/.dotfiles/secrets/keys";
# since we are using the home-manager implementation, we need to specify the runtime path for each secret
sops.secrets.mrswarsel = {path = "/run/user/1000/secrets/mrswarsel";};
sops.secrets.nautilus = {path = "/run/user/1000/secrets/nautilus";};
sops.secrets.leon = {path = "/run/user/1000/secrets/leon";};
sops.secrets.caldav = {path = "${config.home.homeDirectory}/.emacs.d/.caldav";};
# sops.secrets.leon = { };
# sops.secrets.nautilus = { };
# sops.secrets.mrswarsel = { };
stylix.targets.emacs.enable = false;
# fonts.fontconfig.enable = true;

6
profiles/onett/nixos.nix
View file

@ -14,6 +14,7 @@
xserver.videoDrivers = ["nvidia"];
};
hardware = {
nvidia = {
modesetting.enable = true;
@ -89,6 +90,7 @@
};
networking.hostName = "onett"; # Define your hostname.
networking.enableIPv6 = false;
users.users.swarsel = {
isNormalUser = true;
@ -99,4 +101,8 @@
system.stateVersion = "23.05"; # Did you read the comment?
environment.systemPackages = with pkgs; [
];
}

36
profiles/remote/oracle/sync/hardware-configuration.nix Normal file
View file

@ -0,0 +1,36 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4b47378a-02eb-4548-bab8-59cbf379252a";
fsType = "xfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/2B75-2AD5";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/f0126a93-753e-4769-ada8-7499a1efb3a9"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

160
profiles/remote/oracle/sync/nixos.nix Normal file
View file

@ -0,0 +1,160 @@
{ config, pkgs, modulesPath, ... }:
{
imports = [
./hardware-configuration.nix
];
environment.systemPackages = with pkgs; [
git
gnupg
ssh-to-age
];
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
nix.settings.experimental-features = ["nix-command" "flakes"];
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
sops.defaultSopsFile = "/root/.dotfiles/secrets/sync/secrets.yaml";
sops.validateSopsFiles = false;
sops.secrets.swarsel = { owner = "root";};
sops.secrets.dnstokenfull = {owner="acme";};
sops.templates."certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
'';
security.acme = {
acceptTerms = true;
preliminarySelfsigned = false;
defaults.email = "mrswarsel@gmail.com";
defaults.dnsProvider = "cloudflare";
defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts = {
"synki.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://localhost:27701";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
"sync.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://localhost:8384/";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
"git.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = false;
networking.hostName = "sync";
networking.enableIPv6 = false;
networking.domain = "subnet03112148.vcn03112148.oraclevcn.com";
networking.firewall.extraCommands = ''
iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
'';
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../../secrets/keys/authorized_keys
];
system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change
environment.shellAliases = {
nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
};
boot.loader.grub.device = "nodev";
services.anki-sync-server = {
enable = true;
port = 27701;
address = "0.0.0.0";
openFirewall = true;
users = [
{
username = "Swarsel";
passwordFile = config.sops.secrets.swarsel.path;
}
];
};
services.syncthing = {
enable = true;
guiAddress = "0.0.0.0:8384";
openDefaultPorts = true;
};
services.forgejo = {
enable = true;
settings = {
DEFAULT = {
APP_NAME = "~SwaGit~";
};
server = {
PROTOCOL = "http";
HTTP_PORT = 3000;
HTTP_ADDR = "0.0.0.0";
DOMAIN = "git.swarsel.win";
ROOT_URL = "https://git.swarsel.win";
};
service = {
DISABLE_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
};
};
};
}

4
profiles/server1/TEMPLATE/nixos.nix
View file

@ -16,8 +16,10 @@
xkbVariant = "altgr-intl";
};
nix.settings.experimental-features = ["nix-command" "flakes"];
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = true; # manage hostname myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.hostName = "TEMPLATE"; # Define your hostname.
networking.useDHCP = true;
networking.enableIPv6 = false;

29
profiles/server1/calibre/hardware-configuration.nix Normal file
View file

@ -0,0 +1,29 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/mapper/pve-vm--120--disk--0";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

101
profiles/server1/calibre/nixos.nix Normal file
View file

@ -0,0 +1,101 @@
{ config, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix
];
environment.systemPackages = with pkgs; [
git
gnupg
ssh-to-age
calibre
];
users.groups.lxc_shares = {
gid = 10000;
members = [
"kavita"
"calibre-web"
"root"
];
};
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
nix.settings.experimental-features = ["nix-command" "flakes"];
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
sops.defaultSopsFile = "/.dotfiles/secrets/calibre/secrets.yaml";
sops.validateSopsFiles = false;
sops.secrets.kavita = { owner = "kavita";};
# sops.secrets.smbuser = { };
# sops.secrets.smbpassword = { };
# sops.secrets.smbdomain = { };
# sops.templates."smb.cred".content = ''
# user=${config.sops.placeholder.smbuser}
# password=${config.sops.placeholder.smbpassword}
# domain=${config.sops.placeholder.smbdomain}
# '';
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.hostName = "calibre"; # Define your hostname.
networking.useDHCP = true;
networking.enableIPv6 = false;
networking.firewall.enable = false;
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
environment.shellAliases = {
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
};
# services.calibre-server = {
# enable = true;
# user = "calibre-server";
# auth.enable = true;
# auth.userDb = "/srv/calibre/users.sqlite";
# libraries = [
# /media/Books/main
# /media/Books/diverse
# /media/Books/language
# /media/Books/science
# /media/Books/sport
# /media/Books/novels
# ];
# };
# services.calibre-web = {
# enable = true;
# user = "calibre-web";
# group = "calibre-web";
# listen.port = 8083;
# listen.ip = "0.0.0.0";
# options = {
# enableBookUploading = true;
# enableKepubify = true;
# enableBookConversion = true;
# };
# };
services.kavita = {
enable = true;
user = "kavita";
port = 8080;
tokenKeyFile = config.sops.secrets.kavita.path;
};
}

34
profiles/server1/jellyfin/hardware-configuration.nix Normal file
View file

@ -0,0 +1,34 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/mapper/pve-vm--121--disk--0";
fsType = "ext4";
};
fileSystems."/media/Videos" =
{ device = "//192.168.1.3/Eternor";
fsType = "cifs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

77
profiles/server1/jellyfin/nixos.nix Normal file
View file

@ -0,0 +1,77 @@
{ config, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix
];
environment.systemPackages = with pkgs; [
git
gnupg
ssh-to-age
];
users.groups.lxc_shares = {
gid = 10000;
members = [
"jellyfin"
"root"
];
};
users.users.jellyfin = {
extraGroups = [ "video" "render" ];
};
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
nix.settings.experimental-features = ["nix-command" "flakes"];
# sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
# sops.defaultSopsFile = "/.dotfiles/secrets/jellyfin/secrets.yaml";
# sops.validateSopsFiles = false;
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.hostName = "jellyfin"; # Define your hostname.
networking.useDHCP = true;
networking.enableIPv6 = false;
networking.firewall.enable = false;
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
environment.shellAliases = {
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
};
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
vaapiVdpau
libvdpau-va-gl
];
};
services.jellyfin = {
enable = true;
user = "jellyfin";
# openFirewall = true; # this works only for the default ports
};
}

29
profiles/server1/matrix/hardware-configuration.nix Normal file
View file

@ -0,0 +1,29 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/mapper/pve-vm--102--disk--0";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

296
profiles/server1/matrix/nixos.nix Normal file
View file

@ -0,0 +1,296 @@
{ config, pkgs, modulesPath, unstable, sops, ... }: let
matrixDomain = "matrix2.swarsel.win";
in {
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
nix.settings.experimental-features = ["nix-command" "flakes"];
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.useDHCP = true;
networking.enableIPv6 = false;
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
listenAddresses = [{
port = 22;
addr = "0.0.0.0";
}];
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
environment.shellAliases = {
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
};
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix
# we import here a service that is not available yet on normal nixpkgs
# this module is hence not in the modules list, we add it ourselves
(unstable + "/nixos/modules/services/matrix/mautrix-signal.nix")
];
networking.hostName = "matrix"; # Define your hostname.
networking.firewall.enable = false;
environment.systemPackages = with pkgs; [
git
gnupg
ssh-to-age
matrix-synapse
lottieconverter
ffmpeg
];
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
sops.defaultSopsFile = "/.dotfiles/secrets/matrix/secrets.yaml";
sops.validateSopsFiles = false;
sops.secrets.matrixsharedsecret = {owner="matrix-synapse";};
sops.templates."matrix_user_register.sh".content = ''
register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
'';
sops.templates.matrixshared.owner = "matrix-synapse";
sops.templates.matrixshared.content = ''
registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
'';
sops.secrets.mautrixtelegram_as = {owner="matrix-synapse";};
sops.secrets.mautrixtelegram_hs = {owner="matrix-synapse";};
sops.secrets.mautrixtelegram_api_id = {owner="matrix-synapse";};
sops.secrets.mautrixtelegram_api_hash = {owner="matrix-synapse";};
sops.templates.mautrixtelegram.owner = "matrix-synapse";
sops.templates.mautrixtelegram.content = ''
MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
'';
# sops.secrets.mautrixwhatsapp_shared = {owner="matrix-synapse";};
# sops.templates.mautrixwhatsapp.owner = "matrix-synapse";
# sops.templates.mautrixwhatsapp.content = ''
# MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared}
# '';
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
services.matrix-synapse = {
settings.app_service_config_files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-synapse/whatsapp-registration.yaml"
"/var/lib/matrix-synapse/signal-registration.yaml"
"/var/lib/matrix-synapse/doublepuppet.yaml"
];
enable = true;
settings.server_name = matrixDomain;
settings.public_baseurl = "https://${matrixDomain}";
extraConfigFiles = [
config.sops.templates.matrixshared.path
];
settings.listeners = [
{ port = 8008;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = true;
}
];
}
];
};
services.mautrix-telegram = {
enable = true;
environmentFile = config.sops.templates.mautrixtelegram.path;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = matrixDomain;
};
appservice = {
address= "http://localhost:29317";
hostname = "0.0.0.0";
port = "29317";
provisioning.enabled = true;
id = "telegram";
# ephemeral_events = true; # not needed due to double puppeting
public = {
enabled = false;
};
database = "postgresql:///mautrix-telegram?host=/run/postgresql";
};
bridge = {
# login_shared_secret_map = {
# matrixDomain = "as_token:doublepuppet";
# };
relaybot.authless_portals = true;
allow_avatar_remove = true;
allow_contact_info = true;
sync_channel_members = true;
startup_sync = true;
sync_create_limit = 0;
sync_direct_chats = true;
telegram_link_preview = true;
permissions = {
"*" = "relaybot";
"@swarsel:${matrixDomain}" = "admin";
};
# Animated stickers conversion requires additional packages in the
# service's path.
# If this isn't a fresh installation, clearing the bridge's uploaded
# file cache might be necessary (make a database backup first!):
# delete from telegram_file where \
# mime_type in ('application/gzip', 'application/octet-stream')
animated_sticker = {
target = "gif";
args = {
width = 256;
height = 256;
fps = 30; # only for webm
background = "020202"; # only for gif, transparency not supported
};
};
};
};
};
systemd.services.mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!)
];
services.mautrix-whatsapp = {
enable = true;
# environmentFile = config.sops.templates.mautrixwhatsapp.path;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = matrixDomain;
};
appservice = {
address= "http://localhost:29318";
hostname = "0.0.0.0";
port = 29318;
database = {
type = "postgres";
uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql";
};
};
bridge = {
displayname_template = "{{or .FullName .PushName .JID}} (WA)";
history_sync = {
backfill = true;
max_initial_conversations = -1;
message_count = -1;
request_full_sync = true;
full_sync_config = {
days_limit = 900;
size_mb_limit = 5000;
storage_quota_mb = 5000;
};
};
login_shared_secret_map = {
matrixDomain = "as_token:doublepuppet";
};
sync_manual_marked_unread = true;
send_presence_on_typing = true;
parallel_member_sync = true;
url_previews = true;
caption_in_message = true;
extev_polls = true;
permissions = {
"*" = "relaybot";
"@swarsel:${matrixDomain}" = "admin";
};
};
};
};
services.mautrix-signal = {
enable = true;
# environmentFile = config.sops.templates.mautrixwhatsapp.path;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = matrixDomain;
};
appservice = {
address= "http://localhost:29328";
hostname = "0.0.0.0";
port = 29328;
database = {
type = "postgres";
uri = "postgresql:///mautrix-signal?host=/run/postgresql";
};
};
bridge = {
displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)";
login_shared_secret_map = {
matrixDomain = "as_token:doublepuppet";
};
caption_in_message = true;
permissions = {
"*" = "relaybot";
"@swarsel:${matrixDomain}" = "admin";
};
};
};
};
# restart the bridges daily. this is done for the signal bridge mainly which stops carrying
# messages out after a while.
systemd.timers."restart-bridges" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1d";
OnUnitActiveSec = "1d";
Unit = "restart-bridges.service";
};
};
systemd.services."restart-bridges" = {
script = ''
systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
}

29
profiles/server1/nginx/hardware-configuration.nix Normal file
View file

@ -0,0 +1,29 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/mapper/pve-vm--119--disk--0";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

243
profiles/server1/nginx/nixos.nix Normal file
View file

@ -0,0 +1,243 @@
{ config, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix
];
environment.systemPackages = with pkgs; [
git
gnupg
ssh-to-age
lego
nginx
];
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
nix.settings.experimental-features = ["nix-command" "flakes"];
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
sops.defaultSopsFile = "/.dotfiles/secrets/nginx/secrets.yaml";
sops.validateSopsFiles = false;
sops.secrets.dnstokenfull = {owner="acme";};
sops.templates."certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
'';
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.hostName = "nginx"; # Define your hostname.
networking.useDHCP = true;
networking.enableIPv6 = false;
networking.firewall.enable = false;
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
# users.users.root.password = "TEMPLATE";
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
security.acme = {
acceptTerms = true;
preliminarySelfsigned = false;
defaults.email = "mrswarsel@gmail.com";
defaults.dnsProvider = "cloudflare";
defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
};
environment.shellAliases = {
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts = {
"stash.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "https://192.168.2.5";
extraConfig = ''
client_max_body_size 0;
'';
};
# "/push/" = {
# proxyPass = "http://192.168.2.5:7867";
# };
"/.well-known/carddav" = {
return = "301 $scheme://$host/remote.php/dav";
};
"/.well-known/caldav" = {
return = "301 $scheme://$host/remote.php/dav";
};
};
};
"matrix2.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://192.168.2.23:8008";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
# "sound.swarsel.win" = {
# enableACME = true;
# forceSSL = true;
# acmeRoot = null;
# locations = {
# "/" = {
# proxyPass = "https://192.168.2.13";
# extraConfig = ''
# client_max_body_size 0;
# '';
# };
# };
# };
# "sound.swarsel.win" = {
# enableACME = true;
# forceSSL = true;
# acmeRoot = null;
# locations = {
# "/" = {
# proxyPass = "http://192.168.2.13:4040";
# recommendedProxySettings = false;
# # proxyWebsockets = true;
# extraConfig = ''
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "Upgrade";
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto https;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Port $server_port;
# proxy_set_header Host $host;
# proxy_max_temp_file_size 0;
# proxy_redirect http:// https://;
# proxy_buffering off;
# proxy_request_buffering off;
# client_max_body_size 0;
# '';
# };
# };
# };
"sound.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://192.168.2.13:4040";
proxyWebsockets = true;
extraConfig = ''
proxy_redirect http:// https://;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 0;
'';
};
};
};
"screen.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://192.168.2.16:8096";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
"matrix.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://192.168.2.20:8008";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
"scroll.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://192.168.2.22:8080";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
# "books.swarsel.win" = {
# enableACME = true;
# forceSSL = true;
# acmeRoot = null;
# locations = {
# "/" = {
# proxyPass = "http://192.168.2.22:8083";
# extraConfig = ''
# client_max_body_size 0;
# '';
# };
# };
# };
"blog.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "https://192.168.2.7";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
};
}

35
profiles/server1/sound/hardware-configuration.nix Normal file
View file

@ -0,0 +1,35 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/mnt/data/images/118/vm-118-disk-0.raw";
fsType = "ext4";
options = [ "loop" ];
};
fileSystems."/media" =
{ device = "//192.168.1.3/Eternor";
fsType = "cifs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

132
profiles/server1/sound/nixos.nix Normal file
View file

@ -0,0 +1,132 @@
{ config, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix
];
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
nix.settings.experimental-features = ["nix-command" "flakes"];
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.useDHCP = true;
networking.enableIPv6 = false;
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
listenAddresses = [{
port = 22;
addr = "0.0.0.0";
}];
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
environment.shellAliases = {
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
};
proxmoxLXC.privileged = true; # manage hostname myself
users.groups.lxc_pshares = {
gid = 110000;
members = [
"navidrome"
"mpd"
"root"
];
};
users.groups.navidrome = {
gid = 61593;
};
users.groups.mpd = {};
users.users.navidrome = {
isSystemUser = true;
uid = 61593;
group = "navidrome";
extraGroups = [ "audio" "utmp" ];
};
users.users.mpd = {
isSystemUser = true;
group = "mpd";
extraGroups = [ "audio" "utmp" ];
};
sound = {
enable = true;
};
hardware.enableAllFirmware = true;
networking.hostName = "sound"; # Define your hostname.
networking.firewall.enable = false;
environment.systemPackages = with pkgs; [
git
gnupg
ssh-to-age
pciutils
alsa-utils
mpv
];
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
sops.defaultSopsFile = "/.dotfiles/secrets/sound/secrets.yaml";
sops.validateSopsFiles = false;
sops.secrets.mpdpass = { owner = "mpd";};
services.navidrome = {
enable = true;
settings = {
Address = "0.0.0.0";
Port = 4040;
MusicFolder = "/media";
EnableSharing = true;
EnableTranscodingConfig = true;
Scanner.GroupAlbumReleases = true;
ScanSchedule = "@every 1d";
# Insert these values locally as sops-nix does not work for them
LastFM.ApiKey = TEMPLATE;
LastFM.Secret = TEMPLATE;
Spotify.ID = TEMPLATE;
Spotify.Secret = TEMPLATE;
UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png";
UIWelcomeMessage = "~SwarselSound~";
};
};
services.mpd = {
enable = true;
musicDirectory = "/media";
user = "mpd";
group = "mpd";
network = {
port = 3254;
listenAddress = "any";
};
credentials = [
{
passwordFile = config.sops.secrets.mpdpass.path;
permissions = [
"read"
"add"
"control"
"admin"
];
}
];
};
}

29
profiles/server1/spotifyd/hardware-configuration.nix Normal file
View file

@ -0,0 +1,29 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/mapper/pve-vm--123--disk--0";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

85
profiles/server1/spotifyd/nixos.nix Normal file
View file

@ -0,0 +1,85 @@
{ config, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix
];
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
nix.settings.experimental-features = ["nix-command" "flakes"];
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.useDHCP = true;
networking.enableIPv6 = false;
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
listenAddresses = [{
port = 22;
addr = "0.0.0.0";
}];
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
environment.shellAliases = {
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
};
proxmoxLXC.privileged = true; # manage hostname myself
users.groups.spotifyd = {
gid = 65136;
};
users.users.spotifyd = {
isSystemUser = true;
uid = 65136;
group = "spotifyd";
extraGroups = [ "audio" "utmp" ];
};
sound = {
enable = true;
};
hardware.enableAllFirmware = true;
networking.hostName = "spotifyd"; # Define your hostname.
networking.firewall.enable = false;
environment.systemPackages = with pkgs; [
git
gnupg
ssh-to-age
];
# sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
# sops.defaultSopsFile = "/.dotfiles/secrets/spotifyd/secrets.yaml";
# sops.validateSopsFiles = false;
services.spotifyd = {
enable = true;
settings = {
global = {
dbus_type = "session";
use_mpris = false;
device = "default:CARD=PCH";
device_name = "SwarselSpot";
mixer = "alsa";
zeroconf_port = 1025;
};
};
};
}

29
profiles/server1/transmission/hardware-configuration.nix Normal file
View file

@ -0,0 +1,29 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/mapper/pve-vm--122--disk--0";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

358
profiles/server1/transmission/nixos.nix Normal file
View file

@ -0,0 +1,358 @@
{ config, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix
# ./openvpn.nix #this file holds the vpn login data
];
environment.systemPackages = with pkgs; [
git
gnupg
ssh-to-age
openvpn
jq
iptables
busybox
wireguard-tools
];
users.groups.lxc_shares = {
gid = 10000;
members = [
"vpn"
"radarr"
"sonarr"
"lidarr"
"readarr"
"root"
];
};
users.groups.vpn = {};
users.users.vpn = {
isNormalUser = true;
group = "vpn";
home = "/home/vpn";
};
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
nix.settings.experimental-features = ["nix-command" "flakes"];
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
sops.defaultSopsFile = "/.dotfiles/secrets/transmission/secrets.yaml";
sops.validateSopsFiles = false;
boot.kernelModules = [ "tun" ];
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.hostName = "transmission"; # Define your hostname.
networking.useDHCP = true;
networking.enableIPv6 = false;
networking.firewall.enable = false;
services.radarr = {
enable = true;
};
services.readarr = {
enable = true;
};
services.sonarr = {
enable = true;
};
services.lidarr = {
enable = true;
};
services.prowlarr = {
enable = true;
};
# networking.interfaces = {
# lo = {
# useDHCP = false;
# ipv4.addresses = [
# { address = "127.0.0.1"; prefixLength = 8; }
# ];
# };
#
# eth0 = {
# useDHCP = true;
# };
# };
# networking.firewall.extraCommands = ''
# sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
# '';
networking.iproute2 = {
enable = true;
rttablesExtraConfig = ''
200 vpn
'';
};
# boot.kernel.sysctl = {
# "net.ipv4.conf.all.rp_filter" = 2;
# "net.ipv4.conf.default.rp_filter" = 2;
# "net.ipv4.conf.eth0.rp_filter" = 2;
# };
environment.etc = {
"openvpn/iptables.sh" =
{ source = ../../../scripts/server1/iptables.sh;
mode = "0755";
};
"openvpn/update-resolv-conf" =
{ source = ../../../scripts/server1/update-resolv-conf;
mode = "0755";
};
"openvpn/routing.sh" =
{ source = ../../../scripts/server1/routing.sh;
mode = "0755";
};
"openvpn/ca.rsa.2048.crt" =
{ source = ../../../secrets/certs/ca.rsa.2048.crt;
mode = "0644";
};
"openvpn/crl.rsa.2048.pem" =
{ source = ../../../secrets/certs/crl.rsa.2048.pem;
mode = "0644";
};
};
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
listenAddresses = [{
port = 22;
addr = "0.0.0.0";
}];
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
# users.users.root.password = "TEMPLATE";
environment.shellAliases = {
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
};
sops.secrets.vpnuser = {};
sops.secrets.rpcuser = {owner="vpn";};
sops.secrets.vpnpass = {};
sops.secrets.rpcpass = {owner="vpn";};
sops.secrets.vpnprot = {};
sops.secrets.vpnloc = {};
# sops.secrets.crlpem = {};
# sops.secrets.capem = {};
sops.templates."transmission-rpc".owner = "vpn";
sops.templates."transmission-rpc".content = builtins.toJSON {
rpc-username = config.sops.placeholder.rpcuser;
rpc-password = config.sops.placeholder.rpcpass;
};
sops.templates.pia.content = ''
${config.sops.placeholder.vpnuser}
${config.sops.placeholder.vpnpass}
'';
sops.templates.vpn.content = ''
client
dev tun
proto ${config.sops.placeholder.vpnprot}
remote ${config.sops.placeholder.vpnloc}
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass ${config.sops.templates.pia.path}
compress
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
dhcp-option DNS 209.222.18.222
dhcp-option DNS 209.222.18.218
dhcp-option DNS 8.8.8.8
route-noexec
'';
# services.pia.enable = true;
# services.pia.authUserPass.username = "na";
# services.pia.authUserPass.password = "na";
# systemd.services.openvpn-vpn = {
# wantedBy = [ "multi-user.target" ];
# after = [ "network.target" ];
# description = "OpenVPN connection to pia";
# serviceConfig = {
# Type = "forking";
# RuntimeDirectory="openvpn";
# PrivateTmp=true;
# KillMode="mixed";
# ExecStart = ''@${pkgs.openvpn}/sbin/openvpn openvpn --daemon ovpn-pia --status /run/openvpn/pia.status 10 --cd /etc/openvpn --script-security 2 --config ${config.sops.templates.vpn.path} --writepid /run/openvpn/pia.pid'';
# PIDFile=''/run/openvpn/pia.pid'';
# ExecReload=''/run/current-system/sw/bin/kill -HUP $MAINPID'';
# WorkingDirectory="/etc/openvpn";
# Restart="on-failure";
# RestartSec=30;
# ProtectSystem="yes";
# DeviceAllow=["/dev/null rw" "/dev/net/tun rw"];
# };
# };
services.openvpn.servers = {
pia = {
autoStart = false;
updateResolvConf = true;
# up = ''
# export INTERFACE="tun0"
# export VPNUSER="vpn"
# export LOCALIP="192.168.1.191"
# export NETIF="eth0"
# export VPNIF="tun0"
# export GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
# iptables -F -t nat
# iptables -F -t mangle
# iptables -F -t filter
# iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
# iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
# iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
# iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
# iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
# iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
# iptables -A INPUT -i $INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i $INTERFACE -j REJECT
# iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
# iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
# iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
# iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
# if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
# ip rule add from all fwmark 0x1 lookup $VPNUSER
# fi
# ip route replace default via $GATEWAYIP table $VPNUSER
# ip route append default via 127.0.0.1 dev lo table $VPNUSER
# ip route flush cache
# '';
# down = "bash /etc/openvpn/update-resolv-conf";
# these are outsourced to a local file, I am not sure if it can be done with sops-nix
# authUserPass = {
# username = "TODO:secrets";
# password = "TODO:secrets";
# };
config = "config ${config.sops.templates.vpn.path}";
};
};
services.transmission = {
enable = true;
credentialsFile = config.sops.templates."transmission-rpc".path;
user = "vpn";
group = "lxc_shares";
settings = {
alt-speed-down= 8000;
alt-speed-enabled= false;
alt-speed-time-begin= 0;
alt-speed-time-day= 127;
alt-speed-time-enabled= true;
alt-speed-time-end= 360;
alt-speed-up= 2000;
bind-address-ipv4= "0.0.0.0";
bind-address-ipv6= "::";
blocklist-enabled= false;
blocklist-url= "http://www.example.com/blocklist";
cache-size-mb= 4;
dht-enabled= false;
download-dir= "/media/Eternor/New";
download-limit= 100;
download-limit-enabled= 0;
download-queue-enabled= true;
download-queue-size= 5;
encryption= 2;
idle-seeding-limit= 30;
idle-seeding-limit-enabled= false;
incomplete-dir= "/var/lib/transmission-daemon/Downloads";
incomplete-dir-enabled= false;
lpd-enabled= false;
max-peers-global= 200;
message-level= 1;
peer-congestion-algorithm= "";
peer-id-ttl-hours= 6;
peer-limit-global= 100;
peer-limit-per-torrent= 40;
peer-port= 22371;
peer-port-random-high= 65535;
peer-port-random-low= 49152;
peer-port-random-on-start= false;
peer-socket-tos= "default";
pex-enabled= false;
port-forwarding-enabled= false;
preallocation= 1;
prefetch-enabled= true;
queue-stalled-enabled= true;
queue-stalled-minutes= 30;
ratio-limit= 2;
ratio-limit-enabled= false;
rename-partial-files= true;
rpc-authentication-required= true;
rpc-bind-address= "0.0.0.0";
rpc-enabled= true;
rpc-host-whitelist= "";
rpc-host-whitelist-enabled= true;
rpc-port= 9091;
rpc-url= "/transmission/";
rpc-whitelist= "127.0.0.1,192.168.3.2";
rpc-whitelist-enabled= true;
scrape-paused-torrents-enabled= true;
script-torrent-done-enabled= false;
seed-queue-enabled= false;
seed-queue-size= 10;
speed-limit-down= 6000;
speed-limit-down-enabled= true;
speed-limit-up= 500;
speed-limit-up-enabled= true;
start-added-torrents= true;
trash-original-torrent-files= false;
umask= 2;
upload-limit= 100;
upload-limit-enabled= 0;
upload-slots-per-torrent= 14;
utp-enabled= false;
};
};
# services.nginx = {
# enable = true;
# virtualHosts = {
# "192.168.1.192" = {
# locations = {
# "/transmission" = {
# proxyPass = "http://127.0.0.1:9091";
# extraConfig = ''
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# '';
# };
# };
# };
# };
# };
}

3
programs/emacs/custom.el
View file

@ -7,7 +7,8 @@
'("7ec8fd456c0c117c99e3a3b16aaf09ed3fb91879f6601b1ea0eeaee9c6def5d9"
"badd1a5e20bd0c29f4fe863f3b480992c65ef1fa63951f59aa5d6b129a3f9c4c"
"2e05569868dc11a52b08926b4c1a27da77580daa9321773d92822f7a639956ce"
default)))
default))
'(send-mail-function 'sendmail-send-it))
;; (custom-set-faces
;; ;; custom-set-faces was added by Custom.
;; ;; If you edit it by hand, you could mess it up, so be careful.

43
programs/emacs/init.el
View file

@ -305,6 +305,7 @@
"C-c d" 'duplicate-line ; duplicate line on CURSOR
"C-M-j" 'consult-buffer
"C-s" 'consult-line
"C-<f9>" 'my-python-shell-run
)
(setq inhibit-startup-message t)
@ -800,7 +801,8 @@
(add-hook 'org-mode-hook (lambda () (add-hook 'after-save-hook #'swarsel/org-babel-tangle-config)))
(use-package auctex)
;; (use-package auctex
;; :ensure nil)
(setq TeX-auto-save t)
(setq TeX-save-query nil)
(setq TeX-parse-self t)
@ -1095,12 +1097,7 @@
(use-package git-timemachine
:hook (git-time-machine-mode . evil-normalize-keymaps)
:init (setq git-timemachine-show-minibuffer-details t)
:general
(general-nmap "SPC g t" 'git-timemachine-toggle)
(git-timemachine-mode-map
"C-k" 'git-timemachine-show-previous-revision
"C-j" 'git-timemachine-show-next-revision
"q" 'git-timemachine-quit))
)
(use-package rainbow-delimiters
:hook (prog-mode . rainbow-delimiters-mode))
@ -1283,11 +1280,33 @@
:mode ("\\.rs" . rustic-mode))
;; run the python inferior shell immediately upon entering a python buffer
(add-hook 'python-mode-hook 'swarsel/run-python)
;; (add-hook 'python-mode-hook 'swarsel/run-python)
(defun swarsel/run-python ()
(save-selected-window
(switch-to-buffer-other-window (process-buffer (python-shell-get-or-create-process (python-shell-parse-command))))))
;; (defun swarsel/run-python ()
;; (save-selected-window
;; (switch-to-buffer-other-window (process-buffer (python-shell-get-or-create-process (python-shell-parse-command))))))
;; reload python shell automatically
(defun my-python-shell-run ()
(interactive)
(when (get-buffer-process "*Python*")
(set-process-query-on-exit-flag (get-buffer-process "*Python*") nil)
(kill-process (get-buffer-process "*Python*"))
;; Uncomment If you want to clean the buffer too.
;;(kill-buffer "*Python*")
;; Not so fast!
(sleep-for 0.5))
(run-python (python-shell-parse-command) nil nil)
(python-shell-send-buffer)
;; Pop new window only if shell isnt visible
;; in any frame.
(unless (get-buffer-window "*Python*" t)
(python-shell-switch-to-shell)))
(defun my-python-shell-run-region ()
(interactive)
(python-shell-send-region (region-beginning) (region-end))
(python-shell-switch-to-shell))
;; (use-package cuda-mode)
@ -1750,7 +1769,7 @@
:config
;; This is set to 't' to avoid mail syncing issues when using mbsync
(setq send-mail-function 'smtpmail-send-it)
(setq send-mail-function 'sendmail-send-it)
(setq mu4e-change-filenames-when-moving t)
(setq mu4e-mu-binary (executable-find "mu"))

21
scripts/server1/doublepuppet.yaml Normal file
View file

@ -0,0 +1,21 @@
# The ID doesn't really matter, put whatever you want.
id: doublepuppet
# The URL is intentionally left empty (null), as the homeserver shouldn't
# push events anywhere for this extra appservice. If you use a
# non-spec-compliant server, you may need to put some fake URL here.
url:
# Generate random strings for these three fields. Only the as_token really
# matters, hs_token is never used because there's no url, and the default
# user (sender_localpart) is never used either.
as_token: doublepuppet
hs_token: notused
sender_localpart: notused
# Bridges don't like ratelimiting. This should only apply when using the
# as_token, normal user tokens will still be ratelimited.
rate_limited: false
namespaces:
users:
# Replace your\.domain with your server name (escape dots for regex)
- regex: '@.*:matrix2\.swarsel\.win'
# This must be false so the appservice doesn't take over all users completely.
exclusive: false

47
scripts/server1/iptables.sh Normal file
View file

@ -0,0 +1,47 @@
#! /usr/bin/env bash
export INTERFACE="tun0"
export VPNUSER="vpn"
export LOCALIP="192.168.1.191"
export NETIF="eth0"
# flushes all the iptables rules, if you have other rules to use then add them into the script
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# mark packets from $VPNUSER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
# allow responses
iptables -A INPUT -i $INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# block everything incoming on $INTERFACE to prevent accidental exposing of ports
iptables -A INPUT -i $INTERFACE -j REJECT
# let $VPNUSER access lo and $INTERFACE
iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
# all packets on $INTERFACE needs to be masqueraded
iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# reject connections from predator IP going over $NETIF
iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
VPNIF="tun0"
VPNUSER="vpn"
GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
ip rule add from all fwmark 0x1 lookup $VPNUSER
fi
ip route replace default via $GATEWAYIP table $VPNUSER
ip route append default via 127.0.0.1 dev lo table $VPNUSER
ip route flush cache
exit 0

14
scripts/server1/routing.sh Normal file
View file

@ -0,0 +1,14 @@
#! /usr/bin/env bash
VPNIF="tun0"
VPNUSER="vpn"
GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
ip rule add from all fwmark 0x1 lookup $VPNUSER
fi
ip route replace default via $GATEWAYIP table $VPNUSER
ip route append default via 127.0.0.1 dev lo table $VPNUSER
ip route flush cache
bash /etc/openvpn/update-resolv-conf
exit 0

45
scripts/server1/update-resolv-conf Normal file
View file

@ -0,0 +1,45 @@
#! /usr/bin/env bash
foreign_option_1='dhcp-option DNS 209.222.18.222'
foreign_option_2='dhcp-option DNS 209.222.18.218'
foreign_option_3='dhcp-option DNS 8.8.8.8'
[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0
split_into_parts()
{
part1="$1"
part2="$2"
part3="$3"
}
case "$script_type" in
up)
NMSRVRS=""
SRCHS=""
for optionvarname in ${!foreign_option_*} ; do
option="${!optionvarname}"
echo "$option"
split_into_parts $option
if [ "$part1" = "dhcp-option" ] ; then
if [ "$part2" = "DNS" ] ; then
NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
elif [ "$part2" = "DOMAIN" ] ; then
SRCHS="${SRCHS:+$SRCHS }$part3"
fi
fi
done
R=""
[ "$SRCHS" ] && R="search $SRCHS
"
for NS in $NMSRVRS ; do
R="${R}nameserver $NS
"
done
echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
;;
down)
/sbin/resolvconf -d "${dev}.openvpn"
;;
esac

55
secrets/calibre/secrets.yaml Normal file
View file

@ -0,0 +1,55 @@
smbuser: ENC[AES256_GCM,data:Xlz/NzVjKk0=,iv:DvhZOoOb0eXc4jIZPwDXGRkZxWI4Fg5MC9s1IRhYWuY=,tag:ApTT/Y9K7p0uPRZAlXgekA==,type:str]
smbpassword: ENC[AES256_GCM,data:t5ic3YoNkc3k2brjN6ZRjNKPEYD9WKk=,iv:lBtSSuEnUKipapqq7gYWmkdA8tcMIZuNy8EmqqKHFWU=,tag:qas1f2wlZm0mpcgPhsZtPA==,type:str]
smbdomain: ENC[AES256_GCM,data:TepG9EMhs8I=,iv:w+CxqNxrjIBx2G33EoKkLSuTHrSSzvDQ2JXuOHtUTmw=,tag:oy5vKyhYc/bOV76xEDaVqA==,type:str]
kavita: ENC[AES256_GCM,data:g+2WXcm7d8OxLhrtWXx15SdRx8VXax1SG2GHoWizXDUZEKnEwlQe7/Yk6DQ=,iv:bQ9s5z6jNGkf59cxzR1o+etA+GA3Y8L6Bgfv9e1Txww=,tag:NOB7iBH3yoE0/DtmuQyaBg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1q2k4j9m6ge6dgygehulzd8vqjcdgv5s7s4zrferaq29qlu94a4uqpv76s5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGejQ4Vm9KWlJYeW9UdElP
MWVUNWx5V3dDQWNPSkRJNjl2a3ZLWVpQMXdJCkdjVlh6andkM0oyMWkvaDd5Zi9H
eEVZalFYQjNpQUszUW5HV1gzRU9FVXMKLS0tIGorWGRnQkE3TXhYRHArMDUrQU4v
UnVYNGRlZTRoZ29YQ1B5S0U1ZE84VHMKgp2XRaVtRcubXfjttQfk9UKbqZ6EbL/O
coZUAPXRrT//oRh2JFu0Q4+5zoewI2j1DhUS9HuejM5CIColYUasJg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-23T04:28:28Z"
mac: ENC[AES256_GCM,data:aLI7dMi2merChhkQaqmrlbvC2V6Bh0D67RE1RxTqZLYmFE8AINBewBka1ktIVc83IYYFyhpTLZDmhZF5q3McIOGXjlZUcEDtb1C2zZZEkXJrbFe3yoZG+DE/fOB4I2uXjzp5iOG+lZyWAGQgrSHMSFV+IbAg4bb++OilZ2oXWYk=,iv:M+rOanpm+LakksTb4jCzZph3zC7MI6XeV7nyXN7qo50=,tag:Ec+HJtUtzUtrxbeCe+wDJg==,type:str]
pgp:
- created_at: "2023-12-22T23:23:45Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ//Y7LOX5knf4s2Dku9DsVIgxUe5Ox3u65uBKL6vTE5tLuN
Oeuyvd8eGaOWvPWcu/7bbr2Nd5Y3fyyG6yTSzjweyvPgnNbBswaYZxPhj+GfHSL/
yRcdEVX8QTEirlUYhFTVuD3LLGAxiJI5dvIHF87FGfr9U+xiTg9fblwFlEGb9F5q
TYUOSLvXUS6KbSuGnNQR7kZua2eZ/nvAIW9gVh1RrTjLzSyGdPgiqRFC657MFOvP
IlVOVKEngY+FTFBUH8kRzAxAz94Gtern2oqpuuQu0agriizeE6TA9OPOoMNGhsQD
C/DK+pa8AQ2JV17iy64rPkpRGGXr7PqEEmV386z6+O6Nbq0e+1lqigPYkxJqWJjR
5K55znA7jRxdit6AN978pKerY9xSmbiRx35qWoGa2WK3iZ5ACcsXbAxW4lHagmdH
TmcIB4qzzHdsYQ/TxLcUioFx1EooiNZ59Asa+Lj16QgMAyDF9SZ6Z8HhQGwIBdub
HNvu8+f3/D70I7/DreortuwSvzV370+OBb0knoVZcG+i7DlAM64LukZmety9PJIj
JhUVdvp/haL7FWI7zU2Aj5j/kXGKjmYlb3N5Zes3I+MLXdL+8qqeOG+NsQR0Xvxq
xEsgEUyqaXuMwJfyPFw89NkF7oj3qqWlbnLGBEXcrXRI28Urkpwet1Z//p+WpDCF
AgwDC9FRLmchgYQBD/4lskxdD99hF0I5Zx2h8Lt1UqXI+lMROqRjjTI726Z+R7xK
2PEJ4l2neJIP02QMm3HTAOQJ5P5t0Lb0kM1vbBY8WOF3v6aLt6Va8pwBF6TxlfGn
5UUCUQ8nLwHUyKGAI+atveZCcUkyfhy3y4pMbXK6BQ+2tbLGEjFeqVeakk9e5MGo
8BwYbU0Rr4KqAeSVkYb/qCErycM9fQb07r8xiPqSnKuZe4RxolWfMTnwP6IEI3GJ
AteS6MdMOtK1BufP/XKX80aXIY9U/BimyEndmT4b/83aAid42xPH25BZTfC0r0Wh
EArA0CR2rop7wE1GQq1R+stet4kSyBPWefvJg3wVSpF3Xj/IsJHz3LAp452v18W5
rEWa8bzUT3vlVBjINhoqUJt4VHGx74kJml6WY334XyCy2xxY1C3sSD53tw3O34Qf
rmcV6m/BeCwL4t4rsG+vWzwaZSmjqr1D6H4JI9h2HvwXb45y4m28OewvAu0FMcyK
tpjxnwdXAOQC/GdgKPuM1eomgurGBrfCeHbfXHsu3n2LPTm6RULWKW4jzj9dbjCC
CuD4IzflExz8E+lqTBW4CppBgfCBDx5IIS1sv7YVfqFf1Upl434kknKffkmkq6mk
G70ATAlUX8Ci94rUv/JCokCj5GcIzVmKUiI+zq0rCQKxcJ6uLMFYZGQ9v34kQ9Je
AQ+3j+iSzV7DGtkdHI9LEAsLj6ZeFPtePULfxsHc3tjfpUFTQgurMS/QDojQMMEn
73sQEYv+ihSsV+WToRpgExM1ANIEZ5eFTloxKKmULkYQ6tiL8SIywxz1vJW81A==
=nyE3
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.8.1

33
secrets/certs/ca.rsa.2048.crt Normal file
View file

@ -0,0 +1,33 @@
-----BEGIN CERTIFICATE-----
MIIFqzCCBJOgAwIBAgIJAKZ7D5Yv87qDMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzM1
MThaFw0zNDA0MTIxNzM1MThaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
bmV0YWNjZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXD
L1L9tX6DGf36liA7UBTy5I869z0UVo3lImfOs/GSiFKPtInlesP65577nd7UNzzX
lH/P/CnFPdBWlLp5ze3HRBCc/Avgr5CdMRkEsySL5GHBZsx6w2cayQ2EcRhVTwWp
cdldeNO+pPr9rIgPrtXqT4SWViTQRBeGM8CDxAyTopTsobjSiYZCF9Ta1gunl0G/
8Vfp+SXfYCC+ZzWvP+L1pFhPRqzQQ8k+wMZIovObK1s+nlwPaLyayzw9a8sUnvWB
/5rGPdIYnQWPgoNlLN9HpSmsAcw2z8DXI9pIxbr74cb3/HSfuYGOLkRqrOk6h4RC
OfuWoTrZup1uEOn+fw8CAwEAAaOCAVQwggFQMB0GA1UdDgQWBBQv63nQ/pJAt5tL
y8VJcbHe22ZOsjCCAR8GA1UdIwSCARYwggESgBQv63nQ/pJAt5tLy8VJcbHe22ZO
sqGB7qSB6zCB6DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpM
b3NBbmdlbGVzMSAwHgYDVQQKExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4G
A1UECxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAMTF1ByaXZhdGUg
SW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQpExdQcml2YXRlIEludGVybmV0IEFjY2Vz
czEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
b22CCQCmew+WL/O6gzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQAn
a5PgrtxfwTumD4+3/SYvwoD66cB8IcK//h1mCzAduU8KgUXocLx7QgJWo9lnZ8xU
ryXvWab2usg4fqk7FPi00bED4f4qVQFVfGfPZIH9QQ7/48bPM9RyfzImZWUCenK3
7pdw4Bvgoys2rHLHbGen7f28knT2j/cbMxd78tQc20TIObGjo8+ISTRclSTRBtyC
GohseKYpTS9himFERpUgNtefvYHbn70mIOzfOJFTVqfrptf9jXa9N8Mpy3ayfodz
1wiqdteqFXkTYoSDctgKMiZ6GdocK9nMroQipIQtpnwd4yBDWIyC6Bvlkrq5TQUt
YDQ8z9v+DMO6iwyIDRiU
-----END CERTIFICATE-----

15
secrets/certs/crl.rsa.2048.pem Normal file
View file

@ -0,0 +1,15 @@
-----BEGIN X509 CRL-----
MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa
MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG
9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5
jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW
B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re
ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA
5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy
MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==
-----END X509 CRL-----

4
secrets/general/secrets.yaml
View file

@ -35,8 +35,8 @@ sops:
TGF4USs2YVNlZnZhM3lZNlpHbm80SzgKxwh4DS1DnV3KFVfPw/8+zGWo/YVnhSYd
Yi1hpRD8yD0eglGVGaWCItniPLRFDPpHL2B6kkHsYRx3Rl7daSJUVA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-13T19:28:18Z"
mac: ENC[AES256_GCM,data:5zQWLi1To2XUc2GXCXmwQMk1M/hPORhK1xuNbihLgJVt+ufEBScyQ9kk0BTcmQAbVXUZO7f4qHAx/P8M99CiY5g1H3Zm48kMrohC0ByJfSUHt9w8ApT01TFsyYrbtX8qoSVyAMwu4/dV1wTv0Nm0a0A9MhE8Azr7cPRgcmtixn4=,iv:rsMo8jY4jIkBlgnJ/EdGoyjl1aKKAeSnvde7ndWnBkE=,tag:pEiIb5LLULxR5dcD8RknSA==,type:str]
lastmodified: "2023-12-22T00:14:58Z"
mac: ENC[AES256_GCM,data:BhTS9q5mfdJegV2FA6r9aOxjhvjahhwzE2K7QeJQkEFfj7hnu3qIQy2CN10+9YDvrYVpoSWuEJ3L5uFFzugW6Ubz18SiuXjZGRUxfZn9+AzFDJYntpOs9r8rG72w7tY2ty+UefjhW4oDsTlv7TdPHlAWPVSY5X7H2G5qNxqHAfM=,iv:R3doafqNTyuvvBM9TG3UbZJeAtw5CDAePQDT+aGkA4c=,tag:BKTZBUSd9+CLl56jscjdRg==,type:str]
pgp:
- created_at: "2023-12-13T19:27:54Z"
enc: |-

1
secrets/keys/calibre.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGAkIdo0pObC1/QmOVwqhQnif6uf+CylNwlWnbJL+Zrh calibre sops

1
secrets/keys/nginx.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICtt5v96QEIttEKf1H3R04uwU64JFDB6yqJRvdsiyYz2 nginx sops

56
secrets/matrix/secrets.yaml Normal file
View file

@ -0,0 +1,56 @@
matrixsharedsecret: ENC[AES256_GCM,data:0VA//FJ+vlFAKpMPIHw/VLsXMgN5pnGwqXr8Xow5F/I9R5IgVip7b4qUPx+PU32D7eeEhW8QgbrwjeqI5wrt3g==,iv:A2iAYeDRQf1SFyF2hEKK1TLakcM40HBJMyi+Sv0rRuU=,tag:t+B6OFe1gNQg3w6qlU1AOQ==,type:str]
mautrixtelegram_as: ENC[AES256_GCM,data:6i7JlAbz3OwhxQjftjkHB4o9YCYhMmnHNgRW0cnXLcMYsG3SME5b5RLOvGgavvIG+9HBv45fZRIICh1K6xZ1ZQ==,iv:FXC15XJZxwepIP1QEWceQlthwyISsiA89w5MXrxUDnI=,tag:hfnDn1rEhPENKDvpXH9sgQ==,type:str]
mautrixtelegram_hs: ENC[AES256_GCM,data:ZMXfosvSZlMs/IEVNfhYRWrjS0l4u2Fc3u+nB3nrTGXuQNXN7X65y8fbbzLVSX2TKgPK1HOiQjtTcIxX+GstFA==,iv:xQkD+152yfOQM0S9ZtlEb0VV8EROLkPeD54Y9/FHkzk=,tag:8qCOZLQY6a0+9bKP4PqV6Q==,type:str]
mautrixtelegram_api_id: ENC[AES256_GCM,data:paljhNLosw==,iv:D4hiwm5/3nUoNRdcN3yoJMGE3anUIJ8lEQYbN48v4/Y=,tag:SpZ/9phnQI+F5m9OTGxU1A==,type:str]
mautrixtelegram_api_hash: ENC[AES256_GCM,data:GoVLL22uNQMNxlesc3pmuSWxz6YVTMIu4VBnQO0Y1jc=,iv:WSOZlHrWCBgCdCl+CAsc+FrGzTH79+GePMUCm+0/FCg=,tag:Ti6MNpjBBbUnmtRIVAPBwQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1t2uj8arq8nnmd5s3h32p7z7masj2gqe5ec49dtr8ex2nlgef3yfqtgcnj6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUGwrb0VncGtIc1BPN0N0
dGpLamE5R05GQnp4VXYrekttTEFvQ1BZNEVzCjl1K0syTEQwTWZqRUVWREtuZ0U5
VHo2WEF5dUwvZlhJOWZDcXdWWDZ4OGcKLS0tIE1YRDMzbVMwMU1ZL0RjbmkyRm1y
L0Fobml3T3puL2Z0dW5EaEZQSEdZRFkK/nnz1NrsGqU0MYV+4T9gRMP/iMkCWWB1
B0yqYsJjUuWLIr1DckTF8di+uLIAwM9l/3t64dAsQPrEfkatGkh3+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-29T21:35:56Z"
mac: ENC[AES256_GCM,data:MeJ+FU+5AFMPrZpze7F0f5Of17lvNq1xdjOjLt4zNSO7qdwxEjtVLneQcIMMNAuDi5Uv20bCA83qFz7xPtwZ1Ftw36tySh/yrrsqTwIPNTZtZKzDvrHcxZsoi4VTvLnFR8b+Mxw+60LUxnztIPAHDcfbqaAGDaK7oKKZpj/jiMc=,iv:U73mNdp7vt19lHcjjzpSv6jaPMoHf3cwYi3SlbK5MdA=,tag:CwNHYXtBypDk5lt54U+Ihg==,type:str]
pgp:
- created_at: "2023-12-29T21:35:36Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ//UtkRIJ7tpD27NQK+pFXWjurxppYbyTtt4ZvBiHLkUTFW
Em9gjI2n90rSYdy+Nf4EpnaVRoSmjkjlJbNWp14GDfxegrmgSd2QY1dFCl5UYBLD
a6inlamwajmAlSHXW4JpMvbvSdqcnGX2AKkUvvoFsFrTCekqBRWiqxOW15MAKRLY
GWlJ6uVeqvyNOtEy4FCC4OOHb8yh/qHttboN5JtOukJtTGPrrN1W457sgB7SEm7G
df4OzynX9X7Utz9+HvIHTbvLlvUdL05ATVRJMa4PIwKUzWf8bLciZh2DYDEUOh5E
G6G9AL7t9E6kNeL9s2UCZdcxUlxzkDRvCoIPnrxpBSrLxkMCJkxIBlE6vemz6jGw
AB8wXxIAhDwMSQHnaa6jrFqVpQ7xo5vaOFQIckIl1FdCwyfd3X1SPwF16xW3f9dV
pj4gxDV9QlR+lh702TZihNwbVDv9+xIUsrOyoBPeLzgPikcRHvm6dtc3ueA+vo77
WR81K/3jhqgQJMKowRDr+tYxHJtiY5OOCxnY3pUElFawbUd6dZzmU8GQCMa8+TjV
ln4aCa8IwwDG95XpctOzMSpOi4OhsVh6kuvc8378xi5kOsv+d8QR6Cj7Ene0MAlZ
i8UpD8AQgPR2FPuud9gkKfEVW37F/PYLbgs25rN4gLpM20ca6nFiFAWUv9Qarm2F
AgwDC9FRLmchgYQBD/wPZ4CfC58Cwq4Qnvam+ddSZLkih/w/tYj2V07dXip4/+yD
pej09oQCqdIxC8NFKUj23MjKRS0wouMiVXq9Mo+iAp1ujrjQKY69OzfD4tVM7opW
5SXHHlXyQwAlgZOVwiuV3odbUip2aax31uzgB9aXtb1UXc5Mh2zdN2OdEJ9jtFGN
Yi/DHHdJno/hTgEvV7L5xBSDrWTGzvdLvICm/okqmM+lCG/HARng21TV/sPDDz61
DGhfGw8b/MuF5mTU3GYjUcVgg9+26YGUxi5SunJ11zuLNHwl7CEC67+Cw8hzkaaa
UapTIB5RlQP4Q8vI8436MqFrQn1D3GdZKrE5tN8pFoJRSD/uMe4ICBC7xc2Oq0XR
iwXsBKlP5+o0yvC278eb9FnHQHLHlExBAL+TkSt4fT6hbu1V6niGX8/ziac1r9Dx
mmEyt7QJA+1MIjT4MoQCQLVl+4zf/f3kF8WBz6Y60oTaiLgxwJt6YnHfVUl7A0OZ
W40oiRRHWSYdibTGVBS1KT2fA+n1MeH+bzw0PoyHDN4sQtAGj8xlY8/+lzBO8E4B
8lJp0GPoyxUnztNVXAuoTXp7yB2YxMFipXsGi5rirsbc22Nb7A8W21ZYx1mxG3pj
k+PIZqMlYA5QGfWST0ESDiWn8lSC1rH9wtHzzWjOTZfWaNSKumyUbiO+41cjbdJe
AcuaYiRLmC06pFLdZ4OS/iAfvIeybondx01VWSMmhFvA5RntQG3Hz9ke//PKtjsa
YizbQ23YPPGIq1wdcOuPq4F/LpZ/zQPZ5n9F6UC6cQf3RHVOfHxHZc1y0Tq8Sw==
=Th9r
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.8.1

54
secrets/nginx/secrets.yaml Normal file
View file

@ -0,0 +1,54 @@
dnsmail: ENC[AES256_GCM,data:sDKEORfYYHg3sXvQhs/2ZoQtIKpe,iv:DkzqpxVrFEu2En0PEwc/ZAAeAM927ZaX3Ll6eAxjYyc=,tag:+FrjolbwzCloyOyhw3XZlg==,type:str]
dnstoken: ENC[AES256_GCM,data:FD9G9D2e6GEmGzVcYAAGMia9m/dVIjXtdc8WZJ/7+F8Lwi0kQH/VRA==,iv:FMSakGp/r3L5MwhXFhvH3nTNY+B37XU4dMe5Wajs9ZU=,tag:cQsxWB/FGUbuClgrgqA0ng==,type:str]
dnstokenfull: ENC[AES256_GCM,data:5I9nJpwDxJb9QVZZ1YnQEBgYnkM1gCBnyhR2XSgVQRNejzd0NXAA1g==,iv:0jmRdEMg7S+SoOTserDeYsvh6fPq8k7VIxnuT0Gnmak=,tag:3EAH4xSoTTGweOyE0sfMhg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1zyts3egct4he229klgrfkd9r442xw9r3qg3hyydh44pvk3wjhd3s2zjqvt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNDJNZ3JrTzg5anRXZ2VP
cEo0aUEyU3I4VnVDaWhkemhRNi9vV3JwT2lZCi8wMm5wZFIrUEx1bmZUaWNFWXEr
bWxua0VCdWhRdVRmVmZTY0JDbjdLdlEKLS0tIGFVaXdnVzZUcVhkbjBFOE9PNFZv
SHJwU1NDSVg5MENDamJVYndjNU15M1kKHuibOTqcSUBwtrQVj0xzu2icc8dOxRTq
uILxeOCwd8eX/hyuyTe/9prPD/Q9rlwGji3gPJxEpm5X+R36yN4hWA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-25T01:23:07Z"
mac: ENC[AES256_GCM,data:18rZUjQ0LPsMZakxoU5DICZ73NNCM1Y0l8Uufd3e9sogwS6PGOXqtK1bq7yTDPsjsa+upIalXeuqvldubB7gvK9NVr6hQF2rOwVmzROTQVE0G61bTyOCzqqJ3BXdbbiCK7QBXZcboiOYeCuSHinr8qKrAQDATBj7myyYdLyZcdY=,iv:tiBp1JDu55jsfh6tMHSQ/3+hPAlpCQdHeMNxRWbwB30=,tag:iaXBEH51KbyqHmrfvQEJpQ==,type:str]
pgp:
- created_at: "2023-12-22T22:43:24Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTARAA0d33RcKMjMVlH0X0rBK5eIDz4XufU/E/ACJZQfqmzKla
SVF6xlYPVT9OYYvYaoEy1nDwd+bizPaGkp0t4o8Gh7BFRSHOT9f5lWggQ3SvPT4u
F/zhssgMWgVktAgimtlC593cYrnn/TbIPls7iLTstJznYYsGIFmD0UMcEeM97Tg9
pgusMstRkRYrL9TLNeumV+KoUoHbh6G2ZNJXBOhA9c5d5CiCYicfqBHSbM0TSXH+
0AZK+4Ll9W/Bn2b1gTPwVzVhtyqMYOklJXoP6xhJhh1niO4OJwhkgbc5GFRmvqBl
lequVFZt0WH0HK8hcyf/HWZYwu/Y5tXujI+Qulov5KRkE413Zu70l7jyjwsGAojo
e+PtUwhH/qjGhD7wou+4fE6Gz3RAAnkqs1081RmowxzTpfRHBTxrk+PheFVYoyQX
VTWtr+DJRPyWyQ31Ljdaw/baci/8yfnViRhA0rY/XdsNGJn8BjLXmBmrMMYPudrf
hykvigmsr1+exwFbpwXqX5BDK9urvsagr+2oDIOR3AEEsBkShGrbqWi1U+syX3Y3
g2bmoxD2W59+ODWfykTwhDOS2ZQ/PyI6Kq5AKdFWSOAhrwvwmwBt9hE6RAuYSoc5
Od0BnY024SkE3WPlw+o9JZomPcKN/4xV5SzUZerB/5N7unP/3NQvMipvIt4SCW+F
AgwDC9FRLmchgYQBD/4yXIyRjhn0+41CgcfjWjqb8gyQWDq8oSUMlUSo0W7VJqSv
zojbWQ8YoJmdHWCazBGi6dLxaqkupC2YyRlfVgCvjlxfvP1b1JlLD5/QKfGJ+rzp
ZFC/FrzrHKLudutAZ0mwqEK6WC0zKLytSkpi+IKtFXJSbtagU0jETIjfYuKCxFZn
Sp/qzlbTfNdm50Gx7b6b9JmJEHwa9GevTVZER3e41+8beRFIocDnfBx1Z8FFTVng
F9fcc7/aNcMLBY8lmSCpPSpmcu207y3S9SFJsrLF+qOKcGKwZ5xnLAYAvAXY+EFo
19ltQO3KyTsKjw00ljSdJ/kPQPanOlsDDlji0cQ2HgJ0rTNd9CNCLg8XzoCJh+Uy
lYImamgYqCW1BxBdYCt9+LPVpxR1D78oq22n3hKeKgJuSGzWXE7oIi61+jQCucWP
2H8lSZ22kCzjQXu8sccNv1saOF6M7dnFhWAbFTuXaSUROBUnfzMaLx0HcI585p+X
oTrOkZr+pgKFIeGYhqXqJtDhKvCkJ5gO4mu/qNWqxt9TXOYEiEnd1T1BtmfFMMr/
Ed01waKAxrqkED853CBG0L0ogGd+diMpVL1TBVq/9Bf85P1CGB2RsGgPl0eFkjck
4KR4dvmSykZhusRRdih64ksktB/4quEZ+FvDxy33+OD4gO0NvfSJwKAEBJmlf9Je
AXCKsM/JHpqgBJCkJnb8gBYlJSl02BCIMmdhBLulqZA81KeWazu+yXEdfR8mbBks
OUX8+f/+cZwFVB8eGtDc2BKqL9mudLVr0tHfoEvT6i6mRfU5olUkSforH9urcg==
=aq6G
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.8.1

52
secrets/sound/secrets.yaml Normal file
View file

@ -0,0 +1,52 @@
mpdpass: ENC[AES256_GCM,data:oPwpdBAg7Z1kfLm/awaTxXKZTIVWMQDTUw==,iv:jGWviJ+zwolzmYUkjfiFNepEPXSw7oJH530PaEV+GwY=,tag:nUr7TJCgkumAUZ1JrziI/g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1w7tfe7k0r0hm6mzz0kmz8302kfn0rlh96w7g6zwqd4muqg7u9anqv07745
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdW50NGJRM0Z5YytVa1pQ
akR1M21Ib3pyZWZWdUpCR04rb1pRalBiQ2tJCnNzajZpbVNVZWRrWEFvU2RnM1g5
akhEaGZCN0V5dHR1Qm9IRVZvV2hGMUUKLS0tIHVGWUs2NnpTYlFxa0p5T0RJTFB3
eFdSYkpPbzhGU0ZiM2FEWUtqcmtOa1UKCsQiVQpSI3GWpvU3zlvKSZPbnDbVNJJl
UFpygD0jqPWUvBFqALHKh8i3Li7B+ItR32IUO67R1bigS8HjYzdkkQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-30T20:54:55Z"
mac: ENC[AES256_GCM,data:XhknSHukwELPxfdskHSu6ewK1keNl3lcMQW0PqXqDn/ZxQtjQX1Dj5lez5QMHSFq5UAzXt4zljxRNvUtLNfnRBpTe5vWCgC7Bt1ZHz4ikmbp8/VCMteZVh3rWr+jM3j0eGsTo4LZD46IRUN6FDhVVFb4fCiiJGVKAusFonjaYOU=,iv:IP/iOv3Jb2O0PT96K4gBCf77PsMl5wt5V0O/xOUwnRE=,tag:enWN7CAMvFMvgPGuhqu3iw==,type:str]
pgp:
- created_at: "2024-01-30T20:54:19Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTARAAlhqb8zkCNVWJ3Iayj4IvqlHe6FZiYUtu1jucKh0Yniwh
LmctvOhIwB1UP6NEeX0ReqbMCBJLpB7Fh661RgYguOA+mU7qB9dkTi7OMVYN0fnS
OXeAl2+9SKNO9Tel3XqFtJZ9eCgSE3AR78U55SH8lhe+243U99+dXBx20Qzh8fYk
YGggcMhzJewou9OziOdQtq3hKh6BDlOPU8VEufreeoQUN3CDbWXeUzbDbH1Z5lbk
Ibp61T7RZ63IcfQu9GPWxyaxkCw1YOtbRxUN2H1BYIGjNuGag7Q1dRud9v1iQPAv
SN1JWq6y5q7zxIYUVliquMsiMRkkX4mAINnY6fo/J4aOTbZCUyO5bsqTHYjrsUwW
lDDErVl5HS4iAfEGZrKRlY5b9aZMZ3o/+DxEa61mvl5nFaSvpy6zQXV4TK73B++j
3EqUji9V3RTcKXKJqu5dNL5Sh31GSv2U8RADpbPh2ned1igx+3DodC1RL64z/jP1
HKFbhz2hYhfKxPLQTcYvmmrQbICjjuLNP46hQy7Fkk1IvPZw2hDEXFuZnKsFMLPc
tnIC4/yhnykdDU6Hx/LQbSJWs69daN+M2ty9fjqvW/Thl+lkCb89I9dA+H5TcHF8
aFfosBJniw7Nm0tUOMYCtjh2lRYzs1Hm8GyYmL3SXkNq41n8kIF4viW/Q3SVVqGF
AgwDC9FRLmchgYQBEACiTLmTrucjVeNf5iRI+n927+S0KOqvjRJSAGC/2jjRQBxG
8pX725XK3EuYHB0pWe/cwat/XzgrKbHhHLTOAoZLXkL8mailFYqDkyPWyY0KUOv0
reeGO0oQxbbVaurtTsXVfNvkHYeAPcIgZoHgSaPh2fTsxQuvBpo5El7Nk6EGWp6R
I/obM0XMS72gUnxOEMReyk28C5xncsQXmC02NK7zvq2abKS0mv8KmMR7nvLWg0nh
Hy2Jh4e0B7CvMyLOdJo2VXBxoJhb4CGoyidXg8Fq+fHQSDOFCF7Tb2bgCfdqWowK
ip6CdHnj8mj331LWdpW/Yo/TYDN4fnVVHMO9aISiC1S50Lb06uwhJlBYG8HnWJ3Q
JCbftxDdiToJA0fDq/L+sRMcqN/l+WoaxS8PsmSF/6xuQsa+bt4S23XITQkWrtx2
S7reh/xsl9YKR1L6cxOUiaazuYn3aGlUTqSY0PfGVsfVo5+vN95q5SYOqqx8s8+Z
h3jFLe2cGQu3yOSeUhHJYBjqho3dcRW3Mo6crCh0bj7LSIoeIntCC1G21MzAcXoL
Xa+u/gM5HzPQ0Czi9v/bdwtN9eELEx8gOVvq7zhJTM1ot+hxyt0XAz6nCkkVLr3D
sasN1xs20+VsiRqqKwPpNxvDwkSyt6zMHf7zDxVW0YhyTqiIHeWSA4f2aqxqstJe
AfxPey5NzP1PX2ovInUhaqVQc/L8u+04aJa7JFiW1wjZP6BesPiy/mRA7rBMUmE5
tVlrec9utTLVp7aerjuODBsDarVILmFJetgDPb7vI42BvxTpjjCiJJjXPXQzcA==
=6npP
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.8.1

53
secrets/spotifyd/secrets.yaml Normal file
View file

@ -0,0 +1,53 @@
username: ENC[AES256_GCM,data:8c739M/ygFSYP/xsDovnPem5wrUr,iv:LarOsdIzdz7UP2WtGt08bBTTZLo3Ne8RQM74mFJpHLI=,tag:r8GrK0d8+7C6m74vJ0X3mQ==,type:str]
password: ENC[AES256_GCM,data:E6CLOD1IZUzsjzQ=,iv:EL/EvTUOTatCBCZijCrnrz8ZIeP85znZWCM0PpCJ2y4=,tag:Dlas9VApM34F48l5/CVF6Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16d6wulu4vzuawvsnqv0cqjhxdz9e20qm3xdnzq2lp7787srl8shqsqlfps
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmaUZRRlVoUE9PTGhSbFl5
UU5GNnVqcm81RzZsaGNwaWc1ZmVKeHRiQldrCkVNUmFGeWhIaUlSTkM2UmtUakU0
S2VMeGM1K1pJUjZJeGUyREo0OTlvTlkKLS0tIEw2d2xRNWsrT1ZmYkpxeDlwUVZS
bnk0T2dPRWFrTUg4dEpORjZLaWRFenMKw5pkVC3jaHlACgH2vCGcwoGP36ZRWfuu
yI3dITX/r02hZnDMuUrCT4W38VHhSYHckUs0NnpkkCKAL0CREgSo9w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-30T06:13:01Z"
mac: ENC[AES256_GCM,data:IwZsL3uIw83Z3AflvpsqH0ML0VCUeTJT7AWzCDORFOxhyvWhzGGBnUHQiNOngKlepyV+WKclMOMpe7aHI/lMZXjA1cLiY22A2cNV6PCjKbnahzr2N7s6XyZ+9de0G7EIdR1fMR5aMECUR4Uwbb5AsOMVtO2wwhldBF3jn7pQV1o=,iv:wRY/RvhwFKECNSVt6xmGD6RWFPFuje58A9OLkmSL9II=,tag:cpBmf/1z1CnxGLY0WBvEQQ==,type:str]
pgp:
- created_at: "2024-01-30T06:12:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ//QgyjJi1IFK+0ybpoeXE5nAbjXxJipG9viMhPhh2PD4wc
ZgCynE+sox+vzA0mzK72z+RqLAZctCafISjTzpDIxupz4HBQHjeWGHeZH/RqH+3Y
x0Z75Cv8G9n4S9SyDaMPN4dWC+LJ8SP2oMZvQ7G0HcZntHdWH7lcxQfw1WvbBx89
obZ+duliV3QFsBMYT/Yci2z1mgJ93SIhFRBVv1F3VLlSVGtB/6uWNKgAtvgD9jls
VPO6XuUMIdyv+vv1nZ8n2gBOskhoyowX08w+ztDiMure1kS5LgsDxm7alx2eywip
HIqxpTTp0HTcWy0RIVlv0tnl00PzVRZ63KKGRaTmrNIfGHdE+qpSJdKWd2SuCimR
Zje7mOTPtqcE2TnTy2auWgRgOHaw1Js52Nwod15Z+3XotumMfFdIbEvbFOoew3Im
gbj7/YeTML2BAiAE7VnzVMTelB6ElqcFM/ZDfHCxFM3iWby5XZGyF90rBk3v/Z7T
tc+o+ImyvVPjFDJs0nizNDwEtTOJKCyA+KHfznzRw1qRYrSwUVpYQB7q8TvH5IcS
f2s7rySqpNp+79XMRPYoimw5tFebhR+IgSBZ/VdjwWLBXaebAdu8Sf3FtfLvGnD+
CujOYuq/6t+EpSsgAOH3D7QZ9BlFwPFA762sSBqa92VEm1BULDZpZ3nB4qsT0/+F
AgwDC9FRLmchgYQBEACfOZetLUBqqa7Cgb6b+DZig+PuLHaCq9p6LqQPFmP4KL7M
/04xEAvL+2Tz+PhuNY3YtkimTeue2vZLJD6hHfxCYJO/GDr+ea2Rv9g23FvEFulw
klqRoDYCgjHp+Uk+9ux0fS8FJsDmQ8ZBPClx/OPGQTdQJ7sXB0AF+FT4TJY7gQP0
7+kcFbUwkXHH8EBw8tTnQHakPd1AIj2EVkMTAlU9mlZcJYmoCjSrH511zz94eQnR
L1J66vckCCdLPhrOq+NI8LTTr4ypjHRmJwW9TBcfamdXnsxZBrl1QTq3AAZURRPL
K7Bo6mWHJ7QBNNUnY1bKwpcY7zss7KzKklgPLuG+GxLZHfyKBMOe6Y/xLvfbtZ4u
sOdZSTrgruU7tuejPRlgP6eyh+yE9MSLJ0p4g0jkKf7qngA1Ec1IO21m7KnmqQ3a
Gr6+rI0K0FCUIf5q412OLg1cYixmlqb0Zfi566rJPYoHEoRhWUsP2ndvizNyULPJ
ocCaxEEV/kGk8vUwnSsb6EKfJxo3P0Xp4uFQ1SAhexbLXrqqlaLGYxulrXgwwgnf
55Abk6B+O7RL3V401Phn4vRfzrSajzlXDUwFz+TPy6VMY+yx+FweIedjlJFTMtuX
3EUyYyl6fuvAd7qmN6I1HlwVEJFEeMRKKxt+ufGj1m6fiqLvcus8Xw4r40zDO9Je
ATeO4b//yaoIs2lAshj2p97mVpU4xKzd48NOmuaZn+Y7/3m5xXk6vdb2dK2Gky/V
gSf+7TfGBdOOn9zlKxmuf9Q+HOyR/AbCibXUvhL6Ni9wqRHu4B0P6jIrTg1NCg==
=v009
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.8.1

53
secrets/sync/secrets.yaml Normal file
View file

@ -0,0 +1,53 @@
swarsel: ENC[AES256_GCM,data:WzMlNzg5iAu823s=,iv:U8ZutlrzBqq7z445kSnvluejtta4X/0YMIIOdcQuftg=,tag:IE0WMuXlNwnBHzXtrbVHKA==,type:str]
dnstokenfull: ENC[AES256_GCM,data:hxgxSm6pcXOEHZHdSwQkfZryFccQXrCu9idULJhWK/tQ44FyRIU4Yg==,iv:ObKf1M1qkgCltkKJX+URaPSiK5Itd3xlfBXPjf1iVak=,tag:PASR0pgBdcDYjdTZ2eEUCg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyWGpWaXR6aytqTEM1YzQ2
c3R6SjhWNGo1NnlNY1I0WmpkRWVSQno0cjBnCm1OQ0lhc2xYUHZza2w0R2s2OEkr
VlVSdkZSNW5iclB4N29Fbnl2QTM0cm8KLS0tIEtJbmdKOThaR0ZRaWovZ243UXBW
ckc3MmZZTVFyRGFaTVlVM29ra3JkbzQKNYhBd9oMS/jn2Oqyx9LpqJjQUx2mEZ/B
aUNbenlCRr8KCc+yBXuTyI31LPXJ3YHsI1cfp1K/LGzCY2F0uk4rSw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-01T01:06:53Z"
mac: ENC[AES256_GCM,data:pjpS4BX6PJtGl7d5QAR5vRkuzLceGWUEWIzvCG5NTdz6TX5STHZqjX7V+DEKUbNG8HWTMAqUokr+2uHT+hQ5RxCVYMZeEfUgVqcxpxJHoGHcs+iwLDghqlh3jEZInSVXqhD4UP8A0JSGLtAEBc5o3bELp7pTEw8mLq4trEm4RvM=,iv:hYpEG7ws8RKYcrbeOmH7m4pcZ/F4nIQY4wb6RW3BpR0=,tag:tsAIE4Px9ZPIJ2l/KQUmXQ==,type:str]
pgp:
- created_at: "2024-02-01T01:06:36Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ/9El05oLwUKeG5pg1Ppyn8y+XEqXwbU4IQ/3HbtvdZT8iH
5sywZNP9dtEV0nzEbJ3TR7W+u8Kx/4/EL1DpsUtEefn8XIbeuTb1guX7J6EYzda1
xCCoaUg03iC6xKq3sDvOU86K5qLCoTrxm00DtHHWH8p6flHTdkLKzP/7AWQpu31v
tDLJ5vdJbdRvMBz8XMQ+wuWiTdiVvlmY+6HHuusF8LXx+uj4g2NI2u/bBJ9HIVYI
1NLdIlyvdD7yn5YJSrUgmdH8IXsbnpBIJAjgT8TSZugfUlK3znv1ZB/x4O/h3JO1
LTxm/1wRG8BN+YqLzNfyF7bk/4dTWYNJK0x/AetvLEqbrmo6e00R7Sb+zAA8aeSI
K3QEw4ayTsF7vGK1W5QTjSaYJqucyV1VaW/Heb3ZZSLGRdrZN4jO9q6xHnW6wMMt
GYg100+GNkEHPRzGDDz6fpY2gDsTXKgO2+GUSOLeHmoAkiIAwsvrpUO5ocrqKmrM
BzMKKo4xjr+5oCAwopWLYSFqHKBju6Puth7VL4JhCPt5WyKB7Nup7JMRuupzBZRG
31DyD5nCsgbBeC5fa9Tvv9OVq30UOqUtJOCh5/IWFSBxuMfIPC1wb7zgP6obDZre
6gX+a5XHW5c9wSV2/yP6z5UxCkaOTE1P58Qq/A4wx2XvIDN7jw/l/blni2CYj2aF
AgwDC9FRLmchgYQBD/4hBYKfky8PA5l2cY3xMz27bxVPPoH5jJJ/vSz96EOpQeos
gvksKb6PPngWpQqByHKnLVQgHoR+J1TkYxx69vInR+tMjzvTgJdWnmsn0Qs3oUZ8
mnm27GnsvhvzvaTTMzEdgP32mVAH2WEoqOeSGtVUAyOeQqvehCK3hS/M6WcKX6DO
0m1IkMqqMp3qweyunhgt0HOHbj04Ecw7B0vmlqezc7UF/Sr70Sv1v/u3FKFKyh1+
Ti+I//Fx6X/q52SDEY7Btn12r/xUW3zDm5XeaXtOJbL9TaNnpIgEI9X6BhisajA9
OKuvhtcG5Y+TjD0/o2Wm2AwI8FriwV7NalC4cpNOtDMVxaFMMY55JIvHrubtjCJP
xaObMyDmKceo2bG69Ht6NrITCl+6j4GaD2Iptun5EmgYH6Gc3tDZ4swxwJD8RU5L
qrY1pRWO/ddOA2V5sEesiJoJWB7ZuTjrf5JP0/aT8IIH9qEpIi4MRbvBdLYKDTlH
jhUnLkb2OLQMfolMP9EsnNyw7WOP+olbhlsjZhoSt85N7kXRYErv9TI8wb8s+A/V
fl2DDFkdezY6LdcSW5jmnwQtsgNL0httwOAXapJmpGyS57V3BCgE3nTTWrXnvyqw
uJIz5DuZVT4Bagqp8GBSLPn9bquHtLssKLofIOF+wr6lp7Jm2AdYcRfFSZ4jxtJc
AdY98vAQJxkzQ+2L6YJ/t/hEh4rXUkUeQJpdMwQ786FpMamJAqHPZ9k7PF0rKipH
82p4T6nqBSKD96YiXCxU27D5t9suBeWhXNhkWIW/a5ujJQPP6q3Qy49vopU=
=NNT2
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.8.1

57
secrets/transmission/secrets.yaml Normal file
View file

@ -0,0 +1,57 @@
vpnuser: ENC[AES256_GCM,data:7wytXrH3c6s=,iv:yoaWl5NCFuF/Ic2nkFXpvSZj9fQCHRtzKOHef+EEolQ=,tag:jzX5ewkmAHZhJMaq2ke90w==,type:str]
rpcuser: ENC[AES256_GCM,data:lO3735Ynaw==,iv:PDhpAifNEjKpZk2slowOqVUXxaVup+ZLrvGPq80RV40=,tag:8sb8PxZrEVnxhFIRu+Q/FA==,type:str]
vpnpass: ENC[AES256_GCM,data:pTnZjMu+fCJMOQ==,iv:aKLOtjJlXsr0uy+5OrcMxMBqaU8vwaG2Vcn6SirbYas=,tag:Pv2D8Qn+a7ihz16jSkUTbg==,type:str]
rpcpass: ENC[AES256_GCM,data:nknsULbLZMo68c2P7lmWBEZcyaLqDXrU,iv:1NUnew6AL9kmBTnLTXgwA8cm2AO85He0I2fP2oXhrdA=,tag:G7YgBNR7h7QmukVQLhG1pg==,type:str]
vpnprot: ENC[AES256_GCM,data:Ue2A,iv:NcYpWxPWhIKewOde7kYS4TJnipnADLq9+7Pb/l0xgkU=,tag:ACoL3u2gPHXaM2HlW9Msaw==,type:str]
vpnloc: ENC[AES256_GCM,data:X83semtc/SINDnJblMZduEO6UhSTUeziJRHO,iv:9u4ddDGisgDLlwQGQRL0AZHo1mPD15s6+X3qn9gDf4M=,tag:OeLdoXIDrfxJesJwCEWI2Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1wevwwytv5q8wx8yttc85gly678hn4k3qe4csgnq2frf3wxes63jqlt8kqs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNc2F6RlBjTDRLcU5FYlhQ
c3ppdFI5REZpazc1cnFubE5iaUx1bEFDQUdFCmM5R2orbVUrSDI4bzgxSWt6amlJ
NkdBQkM3b0RWSVFuSE9GM1NsNWJuS2MKLS0tIGtWdi9Qd1BSTjduWCs2dWViQUlZ
UCtqdEMxZmIwVk5wY3RGUU50NUNMY1kKuCCh64itbGbWc1DrxV3BupImnZoIuqga
eC8BcM+CjEmeXDb+tAo81OADCVnnfH4UP1gJ5hHxn5rF7/zOkljXeA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-28T23:15:15Z"
mac: ENC[AES256_GCM,data:BS7Ma6oSrJxEMYHbCtEDwVePqIhgmgdWchUyVZhf/dlg2JJfE87gr9jDZrlGPmZM9pUD/gDm8VO1wtOLx61jpII5m1bfSfq6O8XEOQ+cLrJDHHaDo0JTF/TOWWpWPEbnNLpa+BjUb75aAX5Y8+Dw0yAqIRIGNxoanTbyh3NuZyk=,iv:gS4xdaF3DWaJ1bYBBmHgXfHrnr7diw0jtWVYR715RGo=,tag:LXDDCP7k/C660h2AzbuxCw==,type:str]
pgp:
- created_at: "2023-12-28T23:14:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ//WKTeke13O+mZdeXrSaxQWQQ3gex86o8+hIDdkKxvUR/x
bATUaNh0GGU5ovosDFEIWM9F4FQzmAidYKl0i0j9zsR8tIj+0JH1ahmL0oxM/xbC
sh8/IKczRsPQjZYrO7g4fH8Is2d8zFh8nWIEwDuEQ1/TB6hzip4npKcLlp3hqsLx
5/SwQvSSh3q6iND0YFLGYKwtlNV3ZhcTU0TeaOYJTmzaWU/XjsvTL3lOcHpVtXsY
IK6/b5bitB28zR5J1h3zpHiza+OabAlG/hXHkL5q9NDb1qkmkgxZfbBC9qJiu0ke
rBX5pPYF1yDZF/3QmCmsId3Rx0vEKJzw3vdkqHje4se9zNbnXJ968Gva/3QJJF81
iYtetvO4/v3BR7xCwfpW4V6CnNQ+N87T0N6jC8racl/GeCiFmSvSUmOktN06AHBm
JO6Ie9vmzmnVH+sKMvRtFETzkqcxCsgNhPnvnGqzDZFf15nJAtRjzYTjMrrIEyTO
MC3V0GMOrdkorRPBbCcXDYC54sorbWuVdjxSX+pElvFO6XKhZJSfnZO2/QHlWU87
1EvyO0jS7314vwksrU0965nQ+uJA3lLZpIK7ZivoOK94Oo7lqi+IVbyUOKeQTRBe
USITZY8gTcGDvTGBkAPVBEIJMHOu5gMdPh4wbVwzGXwItSGfXOvh/SaL47AJ9QCF
AgwDC9FRLmchgYQBD/9ZsUCvmiC6BbkHBOSCpyksC1+GQ0k3jUMV6VYt/tIqt6a0
ILU9Bw+jkOfo7i+t/7uTp7wXyb2JwsohiP/YreYDOOCHxXdJJExBI/tOXoS7nKC+
dBjKwIz4BPDQz/1METECNoB3v23iUr+GeKTI9gjOO5btEh7UdiKO3inJttSRqVE8
/kXN2kzSz9VY7W76h7JIMuqhmzorrn/FmSaZWZ4cWW8wvgkQ9mf96dwJElXpZ6I0
JyPMPpnkd8UPI96MXJbrLToFdmTHgK2TQNmJKPACe2CEQFMvfADKpuC6vq+OckxD
oFZqr+jUsXXGXJUA9Zn59Pcw3FJDiDfJ/4/BqYgPx4IMU7pdp5UEj0PE02BhCPl4
nkFHRqDA3oynBLFaKXAPa/ND4WLaF789V34RTOBvuiIpe9sGhI5gWhIuqW+eZfhA
Xtf9Wes+FDS+23K4zZ9aB6oTeV0W/JE1xAQ4NYCilrfsF3rwx/x4WYspe7WJjvGJ
e/LzfCaxna3gf6WyY+5Go/PI0JlicrEuPK/DWi5dTlgnx66mcskO0AIGG6a2syyZ
i4UvX/h165NbzoeswyHq3Mz4r/6WXpzO3Znb/pyfdAbifxatGtitm5X960/4tmFE
RZzig35VbhntomBSL2I/KBzEnrqwY+/nnf3DdjOJNbk9XWudaVRCnFJOSiuNFtJe
ASR5liWrbDKUkdnG2Pdqk//CYsg28xobBgVRG5roi3EuGFHkZCno0nC+r7e8Ad1A
l7CTOPtmhNr2RxNKbTzaYJDaivDmo9iILxOfX7i20m+DhtWTsPuML/LHfFc9hQ==
=Abzg
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.8.1

BIN
wallpaper/navidrome.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 78 KiB