diff --git a/.sops.yaml b/.sops.yaml index c164f0d..4b38475 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -7,6 +7,9 @@ keys: - &swarsel 4BE7925262289B476DBBC17B76FD3810215AE097 - &hosts - &winters age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 + - &twothreetunnel age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d + - &liliputsteps age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx + - &stoicclub age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm - &belchsfactory age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6 - &eagleland age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8 - &hintbooth age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x @@ -14,7 +17,6 @@ keys: - &toto age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl - &surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg - &nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy - - &milkywell age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h - &moonside age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh creation_rules: - path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$ @@ -23,6 +25,9 @@ creation_rules: - *swarsel age: - *winters + - *twothreetunnel + - *liliputsteps + - *stoicclub - *belchsfactory - *eagleland - *hintbooth @@ -30,7 +35,6 @@ creation_rules: - *toto - *surface - *nbl - - *milkywell - *moonside - path_regex: secrets/repo/[^/]+$ key_groups: @@ -38,6 +42,9 @@ creation_rules: - *swarsel age: - *winters + - *twothreetunnel + - *liliputsteps + - *stoicclub - *belchsfactory - *eagleland - *hintbooth @@ -45,7 +52,6 @@ creation_rules: - *toto - *surface - *nbl - - *milkywell - *moonside - path_regex: secrets/certs/[^/]+\.(yaml|json|env|ini)$ key_groups: @@ -53,6 +59,9 @@ creation_rules: - *swarsel age: - *nbl + - *twothreetunnel + - *liliputsteps + - *stoicclub - *belchsfactory - *eagleland - *hintbooth 
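Review bot: Removing the `milkywell` recipient from the `keys` anchors and from every `age:` list does not revoke its access to files that were encrypted before this change, because each existing ciphertext still carries the data key wrapped for that age key. The same holds in the other direction for the three added recipients (`twothreetunnel`, `liliputsteps`, `stoicclub`), which cannot decrypt anything until the files are re-encrypted. Every file matched by the changed `creation_rules` (including the per-host rules in the following hunk) should be run through `sops updatekeys` in the same change, and the commit should say so, e.g. a comment at the top of the `keys:` block: `# after changing recipients, run sops updatekeys on every affected file`.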
@@ -149,18 +158,44 @@ creation_rules: - - path_regex: secrets/milkywell/[^/]+\.(yaml|json|env|ini)$ + - path_regex: secrets/stoicclub/[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: - *swarsel age: - - *milkywell - - path_regex: hosts/nixos/x86_64-linux/milkywell/secrets/pii.nix.enc + - *stoicclub + - path_regex: hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc key_groups: - pgp: - *swarsel age: - - *milkywell + - *stoicclub + + - path_regex: secrets/liliputsteps/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *swarsel + age: + - *liliputsteps + - path_regex: hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc + key_groups: + - pgp: + - *swarsel + age: + - *liliputsteps + + - path_regex: secrets/twothreetunnel/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *swarsel + age: + - *twothreetunnel + - path_regex: hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc + key_groups: + - pgp: + - *swarsel + age: + - *twothreetunnel - path_regex: hosts/nixos/x86_64-linux/summers/secrets/ key_groups: diff --git a/SwarselSystems.org b/SwarselSystems.org index 042da43..61821f7 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org 
@@ -24,7 +24,6 @@ I used to have two separate files (=Emacs.org= and =Nixos.org=) because the NixO This configuration is part of a NixOS system that is (nearly) fully declarative and can be found here: - [[https:github.com/Swarsel/.dotfiles][~SwarselSystems~ on github.com]] -- [[https:swagit.swarsel.win/Swarsel/.dotfiles][~SwarselSystems~ on swagit.swarsel.win]] This literate configuration lets me explain my choices to my future self as well as you, the reader. I go to great lengths to explain the choices for all configuration steps that I take in order for me to pay due diligence in crafting my setup, and not simply copying big chunks of other peoples code. Also, the literate configuration approach is very convenient to me as I only need to keep of (ideally) a single file to manage all of my configuration. I hope that this documentation will make it easier for beginners to get into Emacs and NixOS as I know it can be a struggle in the beginning. @@ -789,7 +788,7 @@ Concerning the =flake = _:= part: forEachLinuxSystem = f: lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: f pkgsFor.${system}); readHosts = type: lib.attrNames (builtins.readDir "${self}/hosts/${type}"); - readNix = type: lib.filter (name: name != "default.nix") (lib.attrNames (builtins.readDir "${self}/${type}")); + readNix = type: lib.filter (name: name != "default.nix" && name != "optional" && name != "darwin") (lib.attrNames (builtins.readDir "${self}/${type}")); mkImports = names: baseDir: lib.map (name: "${self}/${baseDir}/${name}") names; }; @@ -983,7 +982,6 @@ The rest of the outputs either define or help define the actual configurations: inputs.lanzaboote.nixosModules.lanzaboote inputs.microvm.nixosModules.host inputs.microvm.nixosModules.microvm - inputs.niri-flake.nixosModules.niri inputs.nix-index-database.nixosModules.nix-index inputs.nix-minecraft.nixosModules.minecraft-servers inputs.nix-topology.nixosModules.default 
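Review bot: The new `readNix` filter chains three `name != …` comparisons, which will keep growing as more directories are excluded; a list membership test reads better and is easier to extend: `readNix = type: lib.filter (name: !(lib.elem name [ "default.nix" "optional" "darwin" ])) (lib.attrNames (builtins.readDir "${self}/${type}"));`. A short comment saying why `optional` and `darwin` are skipped (they are imported per host rather than globally, as later hunks suggest) would spare the next reader from re-deriving it.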
@@ -1066,7 +1064,6 @@ The rest of the outputs either define or help define the actual configurations: }; modules = [ inputs.stylix.homeModules.stylix - inputs.niri-flake.homeModules.niri inputs.nix-index-database.homeModules.nix-index # inputs.sops-nix.homeManagerModules.sops inputs.spicetify-nix.homeManagerModules.default 
@@ -1600,49 +1597,50 @@ Otherwise, I define the function =mkTemplates= here which builds a named attribu Defines a formatter that can be called using =nix flake format=. While a nice utility, I have stronger tools to perform this job. #+begin_src nix-ts :tangle nix/formatter.nix - { inputs, ... }: - { - imports = [ - inputs.treefmt-nix.flakeModule - ]; + { inputs, ... }: + { + imports = [ + inputs.treefmt-nix.flakeModule + ]; - perSystem = { pkgs, ... }: { - # formatter = pkgs.nixpkgs-fmt; - # formatter is set by treefmt to: - # formatter = lib.mkIf config.treefmt.flakeFormatter (lib.mkDefault config.treefmt.build.wrapper); - treefmt = { - projectRootFile = "flake.nix"; - programs = { - nixfmt = { - enable = true; - package = pkgs.nixpkgs-fmt; - }; - deadnix.enable = true; - statix.enable = true; - shfmt = { - enable = true; - indent_size = 4; - simplify = true; - # needed to replicate what my Emacs shfmt does - # there is no builtin option for space-redirects - package = pkgs.symlinkJoin { - name = "shfmt"; - buildInputs = [ pkgs.makeWrapper ]; - paths = [ pkgs.shfmt ]; - postBuild = '' - wrapProgram $out/bin/shfmt --append-flags '-sr' - ''; + perSystem = { pkgs, ... 
}: { + # formatter = pkgs.nixpkgs-fmt; + # formatter is set by treefmt to: + # formatter = lib.mkIf config.treefmt.flakeFormatter (lib.mkDefault config.treefmt.build.wrapper); + treefmt = { + projectRootFile = "flake.nix"; + programs = { + nixfmt = { + enable = true; + package = pkgs.nixpkgs-fmt; }; + deadnix.enable = true; + statix.enable = true; + shfmt = { + enable = true; + indent_size = 4; + simplify = true; + # needed to replicate what my Emacs shfmt does + # there is no builtin option for space-redirects + package = pkgs.symlinkJoin { + name = "shfmt"; + buildInputs = [ pkgs.makeWrapper ]; + paths = [ pkgs.shfmt ]; + postBuild = '' + wrapProgram $out/bin/shfmt \ + --add-flags '-sr' + ''; + }; + }; + shellcheck.enable = true; }; - shellcheck.enable = true; + settings.formatter.shellcheck.options = [ + "--shell" + "bash" + ]; }; - settings.formatter.shellcheck.options = [ - "--shell" - "bash" - ]; }; - }; - } + } #+end_src ** TODO Modules @@ -2167,15 +2165,16 @@ My work machine. Built for more security, this is the gold standard of my config ./disk-config.nix ./hardware-configuration.nix - ]; + "${self}/modules/nixos/optional/amdcpu.nix" + "${self}/modules/nixos/optional/amdgpu.nix" + "${self}/modules/nixos/optional/framework.nix" + "${self}/modules/nixos/optional/gaming.nix" + "${self}/modules/nixos/optional/hibernation.nix" + "${self}/modules/nixos/optional/nswitch-rcm.nix" + "${self}/modules/nixos/optional/virtualbox.nix" + "${self}/modules/nixos/optional/work.nix" - swarselmodules = { - optional = { - amdcpu = true; - amdgpu = true; - hibernation = true; - }; - }; + ]; swarselsystems = { lowResolution = "1280x800"; @@ -2224,10 +2223,6 @@ My work machine. Built for more security, this is the gold standard of my config } // lib.optionalAttrs (!minimal) { swarselprofiles = { personal = true; - optionals = true; - work = true; - uni = true; - framework = true; }; } 
@@ -2425,6 +2420,10 @@ My personal laptop. Closely follows the =pyramid= config, but leaves out some se ./disk-config.nix ./hardware-configuration.nix + "${self}/modules/nixos/optional/gaming.nix" + "${self}/modules/nixos/optional/nswitch-rcm.nix" + "${self}/modules/nixos/optional/virtualbox.nix" + ]; swarselsystems = { @@ -2446,7 +2445,6 @@ My personal laptop. Closely follows the =pyramid= config, but leaves out some se isSwap = true; rootDisk = "/dev/nvme0n1"; swapSize = "4G"; - hostName = config.node.name; }; home-manager.users."${primaryUser}" = { @@ -2645,7 +2643,7 @@ This is my main server that I run at home. It handles most tasks that require bi :CUSTOM_ID: h:8ad68406-4a75-45ba-97ad-4c310b921124 :END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/winters/default.nix - { lib, config, minimal, ... }: + { lib, minimal, ... }: { imports = [ @@ -2674,7 +2672,6 @@ This is my main server that I run at home. It handles most tasks that require bi isNixos = true; proxyHost = "moonside"; server = { - inherit (config.repo.secrets.local.networking) localNetwork; restic = { bucketName = "SwarselWinters"; paths = [ @@ -2803,12 +2800,14 @@ This is my main server that I run at home. It handles most tasks that require bi :CUSTOM_ID: h:dc2233df-cd78-43cc-bb45-57568a83fb24 :END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/default.nix - { inputs, lib, config, minimal, nodes, globals, ... }: + { self, inputs, lib, config, minimal, nodes, globals, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix + + "${self}/modules/nixos/optional/microvm-host.nix" ]; boot = { @@ -2835,9 +2834,6 @@ This is my main server that I run at home. It handles most tasks that require bi }; swarselmodules = { - optional = { - microvmHost = true; - }; server = { diskEncryption = lib.mkForce false; # TODO: disable nfs = false; 
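Review bot: The `winters` header now drops `config` from its arguments while the hunk removes only one `config` reference (`inherit (config.repo.secrets.local.networking) localNetwork`); evaluation fails with an undefined-variable error if any other `config` use remains in the rest of the file, which lies outside this hunk. The same header change is made for `hintbooth`, `belchsfactory`, `stoicclub` and `eagleland` in later hunks, each with only one visible `config` use removed. Please confirm each of those files has no remaining reference (a quick `grep -n 'config' hosts/nixos/<arch>/<host>/default.nix` per host) before merging.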
@@ -3074,8 +3070,11 @@ This is my main server that I run at home. It handles most tasks that require bi :CUSTOM_ID: h:b9af4b1c-f35a-48a5-afa7-030c2be9c808 :END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix - { lib, minimal, ... }: + { self,lib, minimal, ... }: { + imports = [ + "${self}/modules/nixos/optional/microvm-guest.nix" + ]; swarselsystems = { info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM"; @@ -3087,12 +3086,6 @@ This is my main server that I run at home. It handles most tasks that require bi server = false; }; - swarselmodules = { - optional = { - microvmGuest = false; - }; - }; - microvm = { mem = 1024 * 4; vcpu = 2; @@ -3112,7 +3105,7 @@ This is my main server that I run at home. It handles most tasks that require bi :CUSTOM_ID: h:624b3c6a-6e31-4734-a6ea-7c5b461a3429 :END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hintbooth/default.nix - { lib, config, minimal, ... }: + { lib, minimal, ... }: { imports = [ @@ -3132,9 +3125,6 @@ This is my main server that I run at home. It handles most tasks that require bi rootDisk = "/dev/sda"; swapSize = "8G"; networkKernelModules = [ "igb" ]; - server = { - inherit (config.repo.secrets.local.networking) localNetwork; - }; }; } // lib.optionalAttrs (!minimal) { @@ -3611,9 +3601,7 @@ This machine mainly acts as my proxy server to stand before my local machines. isBtrfs = true; isNixos = true; isLinux = true; - proxyHost = "moonside"; server = { - inherit (config.repo.secrets.local.networking) localNetwork; restic = { bucketName = "SwarselMoonside"; paths = [ 
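Review bot: The `guest1` header `{ self,lib, minimal, ... }:` is missing the space after the first comma that every other header in this commit uses; `{ self, lib, minimal, ... }:`. Separately, the old block set `microvmGuest = false` explicitly while the new block imports `microvm-guest.nix` unconditionally, so unless the imported module is itself gated (it is outside this diff), this guest now receives the guest configuration that was previously switched off — worth confirming that is intended.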
@@ -3809,11 +3797,13 @@ This machine mainly acts as my proxy server to stand before my local machines. :END: #+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/belchsfactory/default.nix - { lib, config, minimal, ... }: + { self, lib, minimal, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix + + "${self}/modules/nixos/optional/systemd-networkd-server.nix" ]; node.lockFromBootstrapping = lib.mkForce false; @@ -3835,9 +3825,7 @@ This machine mainly acts as my proxy server to stand before my local machines. isNixos = true; isLinux = true; isCloud = true; - proxyHost = "belchsfactory"; server = { - inherit (config.repo.secrets.local.networking) localNetwork; garage = { data_dir = { capacity = "150G"; @@ -3860,6 +3848,7 @@ This machine mainly acts as my proxy server to stand before my local machines. }; swarselmodules.server = { + ssh-builder = lib.mkDefault true; postgresql = lib.mkDefault true; attic = lib.mkDefault true; garage = lib.mkDefault true; 
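Review bot: `ssh-builder = lib.mkDefault true;` turns belchsfactory, a cloud host (`isCloud = true`), into an SSH build target, i.e. an account reachable from the network exists solely so other machines can push derivations to it. The module implementing `ssh-builder` is outside this diff; confirm it restricts the builder account (key-only login, `restrict`-style authorized_keys options, no more shell than nix needs) and that only the intended hosts' keys are authorized. A one-line comment next to the option naming which hosts are expected to use this builder, e.g. `# remote builder for: <host list>`, would help the next reader.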
@@ -4019,105 +4008,74 @@ This machine mainly acts as my proxy server to stand before my local machines. } #+end_src -**** Milkywell (OCI) -:PROPERTIES: -:CUSTOM_ID: h:d8869eca-cbde-45f0-9e54-9da8320b6a31 -:END: +**** Stoicclub (OCI) ***** Main Configuration -:PROPERTIES: -:CUSTOM_ID: h:314601a0-e1b7-4996-a96c-663b121f9377 -:END: -#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/milkywell/default.nix - { lib, config, minimal, ... }: +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/stoicclub/default.nix + { self, lib, minimal, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix + + "${self}/modules/nixos/optional/systemd-networkd-server.nix" ]; - node.lockFromBootstrapping = false; - sops = { - age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; - }; topology.self = { icon = "devices.cloud-server"; }; + swarselmodules.server.nginx = false; - networking = { - domain = "subnet03112148.vcn03112148.oraclevcn.com"; - firewall = { - allowedTCPPorts = [ 53 ]; - }; - }; - - system.stateVersion = "23.11"; swarselsystems = { flakePath = "/root/.dotfiles"; - info = "VM.Standard.E2.1.Micro"; + info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM"; isImpermanence = true; isSecureBoot = false; - isCrypted = false; - isSwap = true; - swapSize = "8G"; - rootDisk = "/dev/sda"; + isCrypted = true; + isSwap = false; + rootDisk = "/dev/disk/by-id/scsi-360e1a5236f034316a10a97cc703ce9e3"; isBtrfs = true; isNixos = true; isLinux = true; - server = { - inherit (config.repo.secrets.local.networking) localNetwork; - }; + isCloud = true; + isBastionTarget = true; }; } // lib.optionalAttrs (!minimal) { swarselprofiles = { server = true; }; + swarselmodules.server = { + nsd = true; + nginx = false; + }; } #+end_src ***** hardware-configuration -:PROPERTIES: -:CUSTOM_ID: h:b1f37b5b-aa18-405a-bf76-4d95642b5acc -:END: -#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/milkywell/hardware-configuration.nix +#+begin_src nix-ts :tangle 
hosts/nixos/aarch64-linux/stoicclub/hardware-configuration.nix { lib, modulesPath, ... }: - { - imports = - [ - (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; boot = { initrd = { - availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ]; - kernelModules = [ "dm-snapshot" ]; + availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; + kernelModules = [ ]; }; - kernelModules = [ "kvm-amd" ]; + kernelModules = [ ]; extraModulePackages = [ ]; }; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.ens3.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; } - #+end_src ***** disko -:PROPERTIES: -:CUSTOM_ID: h:cec82b06-39ca-4c0e-b4f5-c1fda9b14e6d -:END: -#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/milkywell/disk-config.nix +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/stoicclub/disk-config.nix { lib, pkgs, config, ... }: let type = "btrfs"; 
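Review bot: `stoicclub` enables `nsd = true` while the hunk removes the explicit `networking.firewall.allowedTCPPorts = [ 53 ]` that `milkywell` had, and an authoritative nameserver needs both UDP and TCP 53 reachable; unless the repo's `nsd` module opens those ports itself (it is outside this diff), the new host will not answer queries. The hunk also drops `system.stateVersion = "23.11"` and `sops.age.sshKeyPaths` without a visible replacement; if neither is set in a common module, the former falls back to the current release's defaults and the latter leaves sops-nix without a host key to decrypt secrets. A comment such as `# firewall ports, stateVersion and sops key path come from the shared server module` at the `swarselmodules.server.nginx = false;` line would make the dependency explicit.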
@@ -4239,6 +4197,388 @@ This machine mainly acts as my proxy server to stand before my local machines. fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; } + +#+end_src +**** Liliputsteps (OCI) + +***** Main Configuration + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/liliputsteps/default.nix + { self, lib, minimal, ... }: + { + imports = [ + ./hardware-configuration.nix + ./disk-config.nix + + "${self}/modules/nixos/optional/systemd-networkd-server.nix" + ]; + + topology.self = { + icon = "devices.cloud-server"; + }; + + swarselsystems = { + flakePath = "/root/.dotfiles"; + info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM"; + isImpermanence = true; + isSecureBoot = false; + isCrypted = true; + isSwap = false; + rootDisk = "/dev/disk/by-id/scsi-360fb180663ec4f2793a763a087d46885"; + isBtrfs = true; + isNixos = true; + isLinux = true; + isCloud = true; + mainUser = "jump"; + }; + } // lib.optionalAttrs (!minimal) { + swarselprofiles = { + server = true; + }; + + swarselmodules.server = { + nginx = false; + bastion = true; + # ssh = false; + }; + + # users.users.swarsel.enable = lib.mkForce false; + # home-manager.users.swarsel.enable = lib.mkForce false + } + +#+end_src +***** hardware-configuration + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix + { lib, modulesPath, ... }: + { + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; + } +#+end_src +***** disko + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/liliputsteps/disk-config.nix + { lib, pkgs, config, ... 
}: + let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; + in + { + disko = { + imageBuilder.extraDependencies = [ pkgs.kmod ]; + devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh + settings = { + allowDiscards 
= true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + } + +#+end_src +**** Twothreetunnel (OCI) + +***** Main Configuration + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/twothreetunnel/default.nix + { self, lib, minimal, ... }: + { + imports = [ + ./hardware-configuration.nix + ./disk-config.nix + + "${self}/modules/nixos/optional/systemd-networkd-server.nix" + ]; + + topology.self = { + icon = "devices.cloud-server"; + }; + + swarselsystems = { + flakePath = "/root/.dotfiles"; + info = "VM.Standard.A1.Flex, 2 vCPUs, 8GB RAM"; + isImpermanence = true; + isSecureBoot = false; + isCrypted = true; + isSwap = false; + rootDisk = "/dev/disk/by-id/scsi-3608deb9b0d4244de95c6620086ff740d"; + isBtrfs = true; + isNixos = true; + isLinux = true; + isCloud = true; + }; + } // lib.optionalAttrs (!minimal) { + swarselprofiles = { + server = true; + }; + + swarselmodules.server = { + nginx = false; + }; + + } + +#+end_src +***** hardware-configuration + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix + { lib, modulesPath, ... 
}: + { + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; + } +#+end_src +***** disko + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/twothreetunnel/disk-config.nix + { lib, pkgs, config, ... }: + let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; + in + { + disko = { + imageBuilder.extraDependencies = [ pkgs.kmod ]; + devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf 
config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh + settings = { + allowDiscards = true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + } + #+end_src **** Eagleland (Hetzner) :PROPERTIES: 
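Review bot: All three new OCI hosts set `isCrypted = true` on a headless cloud VM while the copied disko config sets `crypttabExtraOpts = [ "fido2-device=auto" "token-timeout=10" ]`; no FIDO2 token can be attached to an OCI instance, so after the 10 s timeout boot stops at the passphrase prompt unless an unlock path (initrd SSH, serial console) is configured elsewhere — that path is not visible in this diff and should be stated in the host file, e.g. `# headless: root is unlocked at boot via <mechanism>`. The `disk-config.nix` and `hardware-configuration.nix` bodies for stoicclub, liliputsteps and twothreetunnel are byte-for-byte identical, so they are better kept as one shared file imported by each host. `liliputsteps` also carries commented-out code (`# ssh = false;` and the two `users.users.swarsel.enable` lines); either delete it or replace it with a comment saying why the jump host keeps the default user.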
@@ -4251,63 +4591,19 @@ This machine mainly acts as my proxy server to stand before my local machines. :END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/eagleland/default.nix - { lib, config, minimal, ... }: + { self, lib, minimal, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix + + "${self}/modules/nixos/optional/systemd-networkd-server.nix" ]; topology.self = { icon = "devices.cloud-server"; }; - networking = { - useDHCP = lib.mkForce false; - useNetworkd = true; - dhcpcd.enable = false; - renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) ( - config.repo.secrets.local.networking.networks or { } - ); - }; - boot.initrd.systemd.network = { - enable = true; - networks = { - inherit (config.systemd.network.networks) "10-wan"; - }; - }; - - systemd = { - network = { - enable = true; - wait-online.enable = false; - networks = - let - netConfig = config.repo.secrets.local.networking; - in - { - "10-wan" = { - address = [ - "${netConfig.wanAddress4}/32" - "${netConfig.wanAddress6}/64" - ]; - gateway = [ "fe80::1" ]; - routes = [ - { Destination = netConfig.defaultGateway4; } - { - Gateway = netConfig.defaultGateway4; - GatewayOnLink = true; - } - ]; - matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac; - networkConfig.IPv6PrivacyExtensions = "yes"; - linkConfig.RequiredForOnline = "routable"; - }; - }; - }; - }; - - swarselmodules.server.mailserver = true; swarselsystems = { flakePath = "/root/.dotfiles"; @@ -4323,11 +4619,11 @@ This machine mainly acts as my proxy server to stand before my local machines. isNixos = true; isLinux = true; proxyHost = "eagleland"; - server = { - inherit (config.repo.secrets.local.networking) localNetwork; - }; }; } // lib.optionalAttrs (!minimal) { + + swarselmodules.server.mailserver = true; + swarselprofiles = { server = true; }; @@ -5295,6 +5591,11 @@ in "nginx" "virtualHosts" ] + [ + "swarselsystems" + "server" + "dns" + ] ]; attrsForEachOption = 
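Review bot: The removed eagleland block also configured `boot.initrd.systemd.network` with the `10-wan` network, which provides networking inside the initrd; the replacement import of `systemd-networkd-server.nix` is outside this diff, so if the shared module does not reproduce that part, early-boot networking on this host disappears silently. Please confirm the module covers the initrd case, or keep the `boot.initrd.systemd.network` block next to the import with a comment noting why it is host-specific.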
@@ -5415,7 +5716,8 @@ in if netSubmod.config.cidrv6 == null then null else - lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv6; + # if we use the /32 wan address as local address directly, do not use the network address in ipv6 + lib.net.cidr.hostCidr (if hostSubmod.config.id == 0 then 1 else hostSubmod.config.id) netSubmod.config.cidrv6; }; }; }) @@ -5529,6 +5831,10 @@ in main = mkOption { type = types.str; }; + externalDns = mkOption { + type = types.listOf types.str; + description = "List of external dns nameservers"; + }; }; }; }; @@ -5606,7 +5912,7 @@ in }) // (lib.optionalAttrs modules.emacs { emacs-radicale-pw = { owner = mainUser; }; github-forge-token = { owner = mainUser; }; - }) // (lib.optionalAttrs modules.optional.work { + }) // (lib.optionalAttrs (modules ? optional-work) { harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; }; }) // (lib.optionalAttrs modules.anki { anki-user = { owner = mainUser; }; @@ -5647,7 +5953,7 @@ in }; } #+end_src -**** General NixOS settings (nix, stateVersion) +**** General NixOS settings (nix config, stateVersion) :PROPERTIES: :CUSTOM_ID: h:24c9146f-2147-4fd5-bafc-d5853e15cf12 :END: 
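Review bot: The new `externalDns` option has a `type` and `description` but no `default`, so every configuration that evaluates this submodule must set it or evaluation fails with an "option used but not defined" error. If an empty list is a sensible value, add `default = [ ];`; if it is required on every host, say so in the description: `description = "List of external DNS nameservers (required)";`.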
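Review bot: `lib.optionalAttrs (modules ? optional-work)` tests whether the attribute exists, not whether it is true, whereas the old `modules.optional.work` was a boolean. If `optional-work` is declared as a module option anywhere (it would then always exist, typically with a default of false), this condition is unconditionally true and `harica-root-ca` is provisioned for every host; only if the attribute is created solely by importing `optional/work.nix` does the presence test behave as intended. Either use the value, `lib.optionalAttrs (modules.optional-work or false)`, or leave a comment stating that `optional-work` is set only by the optional module.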
@@ -5681,144 +5987,148 @@ A breakdown of the flags being set: #+begin_src nix-ts :tangle modules/nixos/common/settings.nix { self, lib, pkgs, config, outputs, inputs, minimal, globals, ... }: - let - inherit (config.swarselsystems) mainUser; - inherit (config.repo.secrets.common) atticPublicKey; - settings = if minimal then { } else { - environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" '' - assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false; - { } - ''; + let + inherit (config.swarselsystems) mainUser; + inherit (config.repo.secrets.common) atticPublicKey; + settings = if minimal then { } else { + environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" '' + assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false; + { } + ''; - nix = - let - flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs; - in - { - settings = { - connect-timeout = 5; - bash-prompt-prefix = "$SHLVL:\\w "; - bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ "; - fallback = true; - min-free = 128000000; - max-free = 1000000000; - flake-registry = ""; - auto-optimise-store = true; - warn-dirty = false; - max-jobs = 1; - use-cgroups = lib.mkIf config.swarselsystems.isLinux true; - }; - gc = { - automatic = true; - dates = "weekly"; - options = "--delete-older-than 10d"; - }; - optimise = { - automatic = true; - dates = "weekly"; - }; - channel.enable = false; - registry = rec { - nixpkgs.flake = inputs.nixpkgs; - # swarsel.flake = inputs.swarsel; - swarsel.flake = self; - n = nixpkgs; - s = swarsel; - }; - nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs; - }; + nix = + let + flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs; + in + { + settings = { + connect-timeout = 5; + bash-prompt-prefix = "$SHLVL:\\w "; + bash-prompt = "$(if [[ $? 
-gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ "; + fallback = true; + min-free = 128000000; + max-free = 1000000000; + flake-registry = ""; + auto-optimise-store = true; + warn-dirty = false; + max-jobs = 1; + use-cgroups = lib.mkIf config.swarselsystems.isLinux true; + }; + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 10d"; + }; + optimise = { + automatic = true; + dates = "weekly"; + }; + channel.enable = false; + registry = rec { + nixpkgs.flake = inputs.nixpkgs; + # swarsel.flake = inputs.swarsel; + swarsel.flake = self; + n = nixpkgs; + s = swarsel; + }; + nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs; + }; - services.dbus.implementation = "broker"; + services.dbus.implementation = "broker"; - systemd.services.nix-daemon = { - environment.TMPDIR = "/var/tmp"; - }; + systemd.services.nix-daemon = { + environment.TMPDIR = "/var/tmp"; + }; - }; - in - { - options.swarselmodules.general = lib.mkEnableOption "general nix settings"; - config = lib.mkIf config.swarselmodules.general - (lib.recursiveUpdate - { - sops.secrets.github-api-token = lib.mkIf (!minimal) { - owner = mainUser; - }; + }; + in + { + options.swarselmodules.general = lib.mkEnableOption "general nix settings"; + config = lib.mkIf config.swarselmodules.general + (lib.recursiveUpdate + { + sops.secrets = lib.mkIf (!minimal) { + github-api-token = { owner = mainUser; }; + }; - nix = - let - nix-version = "2_30"; - in - { - package = pkgs.nixVersions."nix_${nix-version}"; - settings = { - experimental-features = [ - "nix-command" - "flakes" - "ca-derivations" - "cgroups" - "pipe-operators" - ]; - substituters = [ - "https://${globals.services.attic.domain}/${mainUser}" - ]; - trusted-public-keys = [ - atticPublicKey - ]; - trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ]; - }; - # extraOptions = '' - # plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins - # extra-builtins-file = ${self + /nix/extra-builtins.nix} - # '' + 
lib.optionalString (!minimal) '' - # !include ${config.sops.secrets.github-api-token.path} - # ''; - # extraOptions = '' - # plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: { - # buildInputs = [config.nix.package pkgs.boost]; - # patches = o.patches or []; - # })}/lib/nix/plugins - # extra-builtins-file = ${self + /nix/extra-builtins.nix} - # ''; + nix = + let + nix-version = "2_30"; + in + { + package = pkgs.nixVersions."nix_${nix-version}"; + settings = { + experimental-features = [ + "nix-command" + "flakes" + "ca-derivations" + "cgroups" + "pipe-operators" + ]; + substituters = [ + "https://${globals.services.attic.domain}/${mainUser}" + ]; + trusted-public-keys = [ + atticPublicKey + ]; + trusted-users = [ + "@wheel" + "${config.swarselsystems.mainUser}" + (lib.mkIf config.swarselmodules.server.ssh-builder "builder") + ]; + }; + # extraOptions = '' + # plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins + # extra-builtins-file = ${self + /nix/extra-builtins.nix} + # '' + lib.optionalString (!minimal) '' + # !include ${config.sops.secrets.github-api-token.path} + # ''; + # extraOptions = '' + # plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: { + # buildInputs = [config.nix.package pkgs.boost]; + # patches = o.patches or []; + # })}/lib/nix/plugins + # extra-builtins-file = ${self + /nix/extra-builtins.nix} + # ''; - extraOptions = - let - nix-plugins = pkgs.nix-plugins.override { - nixComponents = pkgs.nixVersions."nixComponents_${nix-version}"; - }; - in - '' - plugin-files = ${nix-plugins}/lib/nix/plugins - extra-builtins-file = ${self + /nix/extra-builtins.nix} - '' + lib.optionalString (!minimal) '' - !include ${config.sops.secrets.github-api-token.path} - ''; - }; + extraOptions = + let + nix-plugins = pkgs.nix-plugins.override { + nixComponents = pkgs.nixVersions."nixComponents_${nix-version}"; + }; + in + '' + plugin-files = ${nix-plugins}/lib/nix/plugins + extra-builtins-file = ${self + /nix/extra-builtins.nix} + '' + lib.optionalString 
(!minimal) '' + !include ${config.sops.secrets.github-api-token.path} + ''; + }; - system.stateVersion = lib.mkDefault "23.05"; + system.stateVersion = lib.mkDefault "23.05"; - nixpkgs = { - overlays = [ - outputs.overlays.default - (final: prev: - let - additions = final: _: import "${self}/pkgs/config" { - inherit self config lib; - pkgs = final; - homeConfig = config.home-manager.users.${config.swarselsystems.mainUser}; - }; - in - additions final prev - ) - ]; - config = { - allowUnfree = true; - }; - }; + nixpkgs = { + overlays = [ + outputs.overlays.default + (final: prev: + let + additions = final: _: import "${self}/pkgs/config" { + inherit self config lib; + pkgs = final; + homeConfig = config.home-manager.users.${config.swarselsystems.mainUser}; + }; + in + additions final prev + ) + ]; + config = { + allowUnfree = true; + }; + }; - } - settings); - } + } + settings); + } #+end_src **** Setup home-manager base 
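Review bot: Adding `(lib.mkIf config.swarselmodules.server.ssh-builder "builder")` to `nix.settings.trusted-users` makes every holder of the builder SSH key effectively root on this host's store: a trusted user can upload unsigned paths and override daemon settings such as `sandbox` and `substituters`. That is presumably what lets the `nix-daemon --stdio` and `ssh-ng` clients push unsigned closures, but the trade-off should be recorded next to the entry, e.g. `# remote-build clients push unsigned closures; trusted-users is root-equivalent on this store`. The rest of the hunk is the same module re-indented, with `sops.secrets` rewritten as one attrset under `lib.mkIf (!minimal)`; no behavioral change is visible there.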
@@ -6894,6 +7204,96 @@ I use sops-nix to handle secrets that I want to have available on my machines at
 }
 #+end_src
+**** Remote building
+
+#+begin_src nix-ts :tangle modules/nixos/client/remotebuild.nix
+ { lib, config, globals, ... }:
+ let
+ inherit (config.swarselsystems) homeDir mainUser isClient;
+ in
+ {
+ options.swarselmodules.remotebuild = lib.mkEnableOption "enable remote builds on this machine";
+ config = lib.mkIf config.swarselmodules.remotebuild {
+
+ sops.secrets = {
+ builder-key = lib.mkIf isClient { owner = mainUser; path = "${homeDir}/.ssh/builder"; mode = "0600"; };
+ nixbuild-net-key = { owner = mainUser; path = "${homeDir}/.ssh/nixbuild-net"; mode = "0600"; };
+ };
+
+ nix = {
+ settings.builders-use-substitutes = true;
+ distributedBuilds = true;
+ buildMachines = [
+ (lib.mkIf isClient {
+ hostName = config.repo.secrets.common.builder1-ip;
+ system = "aarch64-linux";
+ maxJobs = 20;
+ speedFactor = 10;
+ })
+ (lib.mkIf isClient {
+ hostName = globals.hosts.belchsfactory.wanAddress4;
+ system = "aarch64-linux";
+ maxJobs = 4;
+ speedFactor = 2;
+ protocol = "ssh-ng";
+ })
+ {
+ hostName = "eu.nixbuild.net";
+ system = "x86_64-linux";
+ maxJobs = 100;
+ speedFactor = 2;
+ supportedFeatures = [ "big-parallel" ];
+ }
+ ];
+ };
+ programs.ssh = {
+ knownHosts = {
+ nixbuild = {
+ hostNames = [ "eu.nixbuild.net" ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM";
+ };
+ builder1 = lib.mkIf isClient {
+ hostNames = [ config.repo.secrets.common.builder1-ip ];
+ publicKey = config.repo.secrets.common.builder1-pubHostKey;
+ };
+ jump = lib.mkIf isClient {
+ hostNames = [ globals.hosts.liliputsteps.wanAddress4 ];
+ publicKey = config.repo.secrets.common.jump-pubHostKey;
+ };
+ builder2 = lib.mkIf isClient {
+ hostNames = [ globals.hosts.belchsfactory.wanAddress4 ];
+ publicKey = config.repo.secrets.common.builder2-pubHostKey;
+ };
+ };
+ extraConfig = ''
+ Host eu.nixbuild.net
+ ConnectTimeout 1
+ PubkeyAcceptedKeyTypes ssh-ed25519
+ ServerAliveInterval 60
+ IPQoS throughput
+ IdentityFile ${config.sops.secrets.nixbuild-net-key.path}
+ '' + lib.optionalString isClient ''
+ Host ${config.repo.secrets.common.builder1-ip}
+ ConnectTimeout 1
+ User ${mainUser}
+ IdentityFile ${config.sops.secrets.builder-key.path}
+
+ Host ${globals.hosts.belchsfactory.wanAddress4}
+ ConnectTimeout 5
+ ProxyJump ${globals.hosts.liliputsteps.wanAddress4}
+ User builder
+ IdentityFile ${config.sops.secrets.builder-key.path}
+
+ Host ${globals.hosts.liliputsteps.wanAddress4}
+ ConnectTimeout 1
+ User jump
+ IdentityFile ${config.sops.secrets.builder-key.path}
+ '';
+ };
+ };
+ }
+#+end_src
+
 **** Theme (stylix)
 :PROPERTIES:
 :CUSTOM_ID: h:e6e44705-94af-49fe-9ca0-0629d0f7d932
@@ -7790,7 +8190,7 @@ Auto login for the initial session.
 comment = "Sway compositor managed by UWSM";
 binPath = "/run/current-system/sw/bin/sway";
 };
- niri = {
+ niri = lib.mkIf (config.swarselmodules ? niri) {
 prettyName = "Niri";
 comment = "Niri compositor managed by UWSM";
 binPath = "/run/current-system/sw/bin/niri-session";
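Review bot: One sops secret, `builder-key`, is the `IdentityFile` for three different identities in the `extraConfig` string: `${mainUser}` on builder1, `builder` on belchsfactory and `jump` on liliputsteps, so a single leaked client key unlocks the whole chain including the bastion hop. Splitting it into per-role secrets (for example a separate `jump-key` for the `Host ${globals.hosts.liliputsteps.wanAddress4}` block) keeps a compromise of the builder credential from also granting the jump. `PubkeyAcceptedKeyTypes` is the deprecated spelling; OpenSSH 8.5 and later name the option `PubkeyAcceptedAlgorithms` and still accept the old name, so a comment noting the alias would avoid a future cleanup surprise. Pinning every builder and the jump host through `programs.ssh.knownHosts` is the right call and worth keeping as builders are added.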
@@ -7801,45 +8201,6 @@ Auto login for the initial session. } #+end_src -**** Niri -:PROPERTIES: -:CUSTOM_ID: h:58162d08-3ded-441d-861e-2ebf30e32538 -:END: - -Auto login for the initial session. - -#+begin_src nix-ts :tangle modules/nixos/client/niri.nix - { lib, config, pkgs, ... }: - let - moduleName = "niri"; - in - { - options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings"; - config = lib.mkIf config.swarselmodules.${moduleName} { - - environment.systemPackages = with pkgs; [ - wl-clipboard - wayland-utils - libsecret - cage - gamescope - xwayland-satellite-unstable - ]; - - - programs.niri = { - enable = true; - package = pkgs.niri-unstable; # the actual niri that will be installed and used - }; - } // { - niri-flake.cache.enable = true; - programs.niri = { - package = null; - }; - }; - } -#+end_src - *** Server :PROPERTIES: :CUSTOM_ID: h:e492c24a-83a0-4bcb-a084-706f49318651 @@ -8012,7 +8373,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in #+begin_src nix-ts :tangle modules/nixos/server/nginx.nix { pkgs, lib, config, ... }: let - inherit (config.repo.secrets.common) dnsProvider; + inherit (config.repo.secrets.common) dnsProvider dnsBase; inherit (config.repo.secrets.common.mail) address3; serviceUser = "nginx"; @@ -8075,9 +8436,12 @@ Here we just define some aliases for rebuilding the system, and we allow some in ]; sops = { - secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; }; + secrets = { + acme-dns-token = { inherit (config.swarselsystems) sopsFile; }; + }; templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token} + ACME_DNS_API_BASE=${dnsBase} + ACME_DNS_STORAGE_PATH=${config.sops.placeholder.acme-dns-token} ''; }; 
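Review bot: The `certs.secret` template in the last hunk now writes the `acme-dns-token` placeholder into `ACME_DNS_STORAGE_PATH`, which the acme-dns provider reads as a filesystem path to its account-storage file, while the secret's name still says token. If the secret now holds a path, renaming it (e.g. `acme-dns-storage-path`) stops the next reader from treating it as a credential; if it still holds the JSON account data, the variable is the wrong one. The rest of that hunk only turns `secrets.acme-dns-token = …` into a nested `secrets = { … }` attrset, and the `dnsBase` inherit in the earlier hunk is consumed only here.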
@@ -8191,6 +8555,10 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
 PermitRootLogin = "yes";
+ AllowUsers = [
+ "root"
+ config.swarselsystems.mainUser
+ ];
 };
 hostKeys = [
 {
@@ -8202,10 +8570,12 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
 users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [
 (self + /secrets/keys/ssh/yubikey.pub)
 (self + /secrets/keys/ssh/magicant.pub)
+ # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub))
 ];
 users.users.root.openssh.authorizedKeys.keyFiles = [
 (self + /secrets/keys/ssh/yubikey.pub)
 (self + /secrets/keys/ssh/magicant.pub)
+ # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub))
 ];
 security.sudo.extraConfig = ''
 Defaults env_keep+=SSH_AUTH_SOCK
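Review bot: The new `AllowUsers` list keeps `"root"` while `PermitRootLogin = "yes"` stays in place two lines above, so root remains directly reachable by key; with password and keyboard-interactive auth already off, `PermitRootLogin = "prohibit-password";` states the real policy and survives a later change that re-enables a password path. On a host that enables both this module and the bastion module, the `AllowUsers` entries merge with the bastion's `[ "jump" ]`, which is presumably intended but widens the bastion's allow-list and deserves a one-line comment. The commented-out `lib.mkIf config.swarselsystems.isBastionTarget` lines in the second hunk reference an option that does not appear in the hunks shown here, so they should either be removed or carry a TODO naming where it will be defined. The `settings` attrset of the first hunk and the `extraConfig` string of the second continue outside the hunks.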
@@ -8214,6 +8584,120 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
 }
 #+end_src
+**** Bastion
+
+#+begin_src nix-ts :tangle modules/nixos/server/bastion.nix
+ { self, lib, config, ... }:
+ {
+ options.swarselmodules.server.bastion = lib.mkEnableOption "enable bastion on server";
+ config = lib.mkIf config.swarselmodules.server.bastion {
+
+ users = {
+ groups = {
+ jump = { };
+ };
+ users = {
+ "jump" = {
+ isNormalUser = true;
+ useDefaultShell = true;
+ group = lib.mkForce "jump";
+ createHome = lib.mkForce true;
+ openssh.authorizedKeys.keyFiles = [
+ (self + /secrets/keys/ssh/yubikey.pub)
+ (self + /secrets/keys/ssh/magicant.pub)
+ (self + /secrets/keys/ssh/builder.pub)
+ ];
+ };
+ };
+ };
+
+
+ services.openssh = {
+ enable = true;
+ startWhenNeeded = lib.mkForce false;
+ authorizedKeysInHomedir = false;
+ extraConfig = ''
+ Match User jump
+ PermitTTY no
+ X11Forwarding no
+ PermitTunnel no
+ GatewayPorts no
+ AllowAgentForwarding no
+ '';
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = lib.mkDefault "no";
+ AllowUsers = [
+ "jump"
+ ];
+ };
+ hostKeys = lib.mkIf (!config.swarselmodules.server.ssh) [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+
+ home-manager.users.jump.config = {
+ home.stateVersion = lib.mkDefault "23.05";
+ programs.ssh = {
+ enable = true;
+ enableDefaultConfig = false;
+ matchBlocks = {
+ "*" = {
+ forwardAgent = false;
+ };
+ } // config.repo.secrets.local.ssh.hosts;
+ };
+ };
+ };
+ }
+#+end_src
+
+**** ssh builder config
+
+Restricts access to the system by the nix build user as per https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834.
+
+#+begin_src nix-ts :tangle modules/nixos/server/ssh-builder.nix
+ { self, pkgs, lib, config, ... }:
+ let
+ ssh-restrict = "restrict,pty,command=\"${wrapper-dispatch-ssh-nix}/bin/wrapper-dispatch-ssh-nix\" ";
+
+ wrapper-dispatch-ssh-nix = pkgs.writeShellScriptBin "wrapper-dispatch-ssh-nix" ''
+ case $SSH_ORIGINAL_COMMAND in
+ "nix-daemon --stdio")
+ exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-daemon --stdio
+ ;;
+ "nix-store --serve --write")
+ exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-store --serve --write
+ ;;
+ ,*)
+ echo "Access only allowed for using the nix remote builder" 1>&2
+ exit
+ esac
+ '';
+ in
+ {
+ options.swarselmodules.server.ssh-builder = lib.mkEnableOption "enable ssh-builder config on server";
+ config = lib.mkIf config.swarselmodules.server.ssh-builder {
+ users = {
+ groups.builder = { };
+ users.builder = {
+ useDefaultShell = true;
+ isSystemUser = true;
+ group = "builder";
+ openssh.authorizedKeys.keys = [
+ ''${ssh-restrict} ${builtins.readFile "${self}/secrets/keys/ssh/builder.pub"}''
+ ];
+ };
+ };
+
+ };
+ }
+#+end_src
+
 **** Network settings
 :PROPERTIES:
 :CUSTOM_ID: h:0ff3acc5-9ce8-4b22-a2e2-f6f1e69d47a5
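Review bot: In `wrapper-dispatch-ssh-nix` the fallback branch ends with a bare `exit`, which returns status 0, so a rejected command looks like success to the calling nix client; it should be `exit 1`. The `Match User jump` block disables TTY, X11, tunnels, gateway ports and agent forwarding but leaves TCP forwarding at its default with no `PermitOpen`, so a holder of any of the three jump keys can forward through the bastion to any address it reaches rather than only the builder; `PermitOpen <builder-address>:22` (the address lives in secrets here) would bound the hop to its purpose. The same `builder.pub` that is pinned with `restrict,pty,command=…` on the builder is also an unrestricted authorized key for `jump`, and neither `nix-daemon --stdio` nor `nix-store --serve --write` needs a PTY, so `pty` can be dropped from `ssh-restrict` and a comment should record that the builder credential doubles as the bastion credential. `PermitRootLogin = lib.mkDefault "no"` here versus the plain `"yes"` in the ssh module resolves to `"yes"` on a host that enables both, which is fine if intended but worth a note next to the `mkDefault`.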
@@ -8224,29 +8708,41 @@ Generate hostId using =head -c4 /dev/urandom | od -A none -t x4= #+begin_src nix-ts :tangle modules/nixos/server/network.nix { lib, config, ... }: let - inherit (config.swarselsystems.server) localNetwork; + netConfig = config.repo.secrets.local.networking; + netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}"; in { - options.swarselmodules.server.network = lib.mkEnableOption "enable server network config"; - options.swarselsystems.server.localNetwork = lib.mkOption { - type = lib.types.str; - default = "home"; + options = { + swarselmodules.server.network = lib.mkEnableOption "enable server network config"; + swarselsystems.server = { + localNetwork = lib.mkOption { + type = lib.types.str; + default = ""; + }; + netConfigName = lib.mkOption { + type = lib.types.str; + default = netName; + readOnly = true; + }; + }; }; config = lib.mkIf config.swarselmodules.server.network { - globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${localNetwork}".hosts.${config.node.name} = { - inherit (config.repo.secrets.local.networking.networks.${localNetwork}) id; - mac = config.repo.secrets.local.networking.networks.${localNetwork}.mac or null; + swarselsystems.server.localNetwork = netConfig.localNetwork or ""; + + globals.networks.${netName}.hosts.${config.node.name} = { + inherit (netConfig.networks.${netConfig.localNetwork}) id; + mac = netConfig.networks.${netConfig.localNetwork}.mac or null; }; globals.hosts.${config.node.name} = { inherit (config.repo.secrets.local.networking) defaultGateway4; - wanAddress4 = config.repo.secrets.local.networking.wanAddress4 or null; - wanAddress6 = config.repo.secrets.local.networking.wanAddress6 or null; + wanAddress4 = netConfig.wanAddress4 or null; + wanAddress6 = netConfig.wanAddress6 or null; }; networking = { - inherit (config.repo.secrets.local.networking) hostId; + inherit (netConfig) hostId; 
hostName = config.node.name; nftables.enable = lib.mkDefault false; enableIPv6 = lib.mkDefault true; @@ -8291,8 +8787,8 @@ lspci -k -d 14c3:0616 #+begin_src nix-ts :tangle modules/nixos/server/disk-encrypt.nix { self, pkgs, lib, config, globals, minimal, ... }: let - localIp = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4; - subnetMask = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".subnetMask4; + localIp = globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4; + subnetMask = globals.networks.${config.swarselsystems.server.netConfigName}.subnetMask4; gatewayIp = globals.hosts.${config.node.name}.defaultGateway4; hostKeyPathBase = "/etc/secrets/initrd/ssh_host_ed25519_key"; @@ -8327,7 +8823,7 @@ lspci -k -d 14c3:0616 files = [ hostKeyPathBase ]; }; - boot = lib.mkIf (!config.swarselsystems.isLaptop) { + boot = lib.mkIf (!config.swarselsystems.isClient) { kernelParams = lib.mkIf (!config.swarselsystems.isCloud) [ "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none" ]; @@ -8379,6 +8875,20 @@ lspci -k -d 14c3:0616 } #+end_src +**** BTRFS + +#+begin_src nix-ts :tangle modules/nixos/server/btrfs.nix + { lib, config, ... }: + { + options.swarselmodules.btrfs = lib.mkEnableOption "optional btrfs settings"; + config = lib.mkIf config.swarselmodules.btrfs { + boot = { + supportedFilesystems = lib.mkIf config.swarselsystems.isBtrfs [ "btrfs" ]; + }; + }; + } +#+end_src + **** Router :PROPERTIES: :CUSTOM_ID: h:b54f2bbb-0088-46b2-957d-fd8234b772c3 
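Review bot: In the network.nix hunk, `swarselsystems.server.localNetwork = netConfig.localNetwork or ""` tolerates a missing key, but the next lines index `netConfig.networks.${netConfig.localNetwork}` with the raw value, so a host whose secrets omit `localNetwork` fails with a missing-attribute error instead of using the fallback, and `netConfigName` would default to `home-` or `<node>-` with an empty suffix. Either index through the option (`netConfig.networks.${config.swarselsystems.server.localNetwork}`) or drop the `or ""` and let a missing value fail loudly at the `localNetwork` option, and add a `description` to `localNetwork` and `netConfigName` saying that the value is sourced from `repo.secrets.local.networking`. The `networking` attrset continues past the hunk.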
@@ -8462,7 +8972,7 @@ lspci -k -d 14c3:0616 calibre ]; - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -8535,7 +9045,7 @@ lspci -k -d 14c3:0616 options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -8613,7 +9123,7 @@ lspci -k -d 14c3:0616 options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -8981,7 +9491,7 @@ lspci -k -d 14c3:0616 options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; 
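Review bot: The literal node name `stoicclub` is now hard-coded into each service module's DNS record definition (`nodes.stoicclub.swarselsystems.server.dns.…`), in all four hunks on this line and again in the later `@@ -9330`, `-9412`, `-9503`, `-9862`, `-10061`, `-10310`, `-10410`, `-10527` and `-10694` hunks, so the next move of the DNS role to another host becomes a dozen-file edit. A single value such as `globals.dnsHost`, referenced as `nodes.${globals.dnsHost}.swarselsystems.server.dns.…`, keeps that choice in one place and lets the DNS module itself assert that the named node exists. Whether writing into `nodes.<name>` from other hosts' modules is honoured when a single host is evaluated alone depends on the cross-node machinery, which is outside this diff.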
@@ -9330,7 +9840,7 @@ lspci -k -d 14c3:0616 options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -9412,7 +9922,7 @@ lspci -k -d 14c3:0616 options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -9503,7 +10013,7 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; 
@@ -9862,7 +10372,7 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= }; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = { "${globals.services.${specificServiceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -10061,7 +10571,7 @@ This section exposes several metrics that I use to check the health of my server options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -10310,7 +10820,7 @@ This is a WIP Jenkins instance. It is used to automatically build a new system w options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; 
@@ -10410,7 +10920,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -10527,7 +11037,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -10694,7 +11204,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; 
@@ -10801,7 +11311,7 @@ To get other URLs (token, etc.), use https:///oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid/ s3:/// 0; - message = "If Garage is enabled, at least one key must be specified in atro.garage.keys"; + message = "If Garage is enabled, at least one key must be specified in swarselsystems.server.${serviceName}.keys"; } { assertion = @@ -12611,7 +13121,7 @@ or 2) use classic path addressing =aws s3 cp s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// toolkit.legacyUserProfileCustomizations.styleshe Sets environment variables. Here I am only setting the EDITOR variable, most variables are set in the [[#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20][Sway]] section. #+begin_src nix-ts :tangle modules/home/common/env.nix - { lib, config, nixosConfig ? config, ... }: + { lib, config, confLib, globals, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; - inherit (nixosConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name; - inherit (nixosConfig.repo.secrets.common) fullName openrouterApi; + inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; + inherit (confLib.getConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name; + inherit (confLib.getConfig.repo.secrets.common) fullName openrouterApi instaDomain sportDomain; inherit (config.swarselsystems) isPublic homeDir; DISPLAY = ":0"; 
@@ -14882,6 +15542,12 @@ Sets environment variables. Here I am only setting the EDITOR variable, most var DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private"; FLAKE = "${config.home.homeDirectory}/.dotfiles"; } // lib.optionalAttrs (!isPublic) { + SWARSEL_DOMAIN = globals.domains.main; + SWARSEL_RSS_DOMAIN = globals.services.freshrss.domain; + SWARSEL_MUSIC_DOMAIN = globals.services.navidrome.domain; + SWARSEL_FILES_DOMAIN = globals.services.nextcloud.domain; + SWARSEL_INSTA_DOMAIN = instaDomain; + SWARSEL_SPORT_DOMAIN = sportDomain; SWARSEL_MAIL1 = address1; SWARSEL_MAIL2 = address2; SWARSEL_MAIL3 = address3; @@ -14894,7 +15560,7 @@ Sets environment variables. Here I am only setting the EDITOR variable, most var SWARSEL_CAL3NAME = source3-name; SWARSEL_FULLNAME = fullName; SWARSEL_MAIL_ALL = lib.mkDefault allMailAddresses; - GITHUB_NOTIFICATION_TOKEN_PATH = nixosConfig.sops.secrets.github-notifications-token.path; + GITHUB_NOTIFICATION_TOKEN_PATH = confLib.getConfig.sops.secrets.github-notifications-token.path; OPENROUTER_API_KEY = openrouterApi; }; }; @@ -15164,10 +15830,10 @@ Eza provides me with a better =ls= command and some other useful aliases. Here I set up my git config, automatic signing of commits, useful aliases for my ost used commands (for when I am not using [[#h:d2c7323d-f8c6-4f23-b70a-930e3e4ecce5][Magit]]) as well as a git template defined in [[#h:5ef03803-e150-41bc-b603-e80d60d96efc][Linking dotfiles]]. #+begin_src nix-ts :tangle modules/home/common/git.nix - { lib, config, globals, minimal, nixosConfig ? config, ... }: + { lib, config, globals, minimal, confLib, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1; - inherit (nixosConfig.repo.secrets.common) fullName; + inherit (confLib.getConfig.repo.secrets.common.mail) address1; + inherit (confLib.getConfig.repo.secrets.common) fullName; gitUser = globals.user.name; in 
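Review bot: `OPENROUTER_API_KEY = openrouterApi` places the raw key from `confLib.getConfig.repo.secrets.common` into the attrset this hunk extends (presumably `home.sessionVariables`), which home-manager renders into a world-readable file in the Nix store on the target host; the line is unchanged context here, but the hunk moves every lookup onto `confLib.getConfig` and keeps that shape. The sibling `GITHUB_NOTIFICATION_TOKEN_PATH` already passes a sops path instead of a value, so `OPENROUTER_API_KEY_PATH = confLib.getConfig.sops.secrets.<openrouter-secret>.path` backed by a sops secret would keep the key out of the store; if `openrouterApi` is itself already a path rather than the key, a comment saying so would settle it. The new `SWARSEL_*_DOMAIN` entries carry no secret material and are fine.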
@@ -15451,7 +16117,7 @@ lib.mkMerge [ zshConfigEarlyInit zshConfig ]; Currently I only use it as before with =initExtra= though. #+begin_src nix-ts :tangle modules/home/common/zsh.nix - { config, pkgs, lib, minimal, inputs, globals, nixosConfig ? config, ... }: + { config, pkgs, lib, minimal, inputs, globals, confLib, ... }: let inherit (config.swarselsystems) flakePath isNixos; crocDomain = globals.services.croc.domain; @@ -15580,8 +16246,8 @@ Currently I only use it as before with =initExtra= though. ''; sessionVariables = lib.mkIf (!config.swarselsystems.isPublic) { CROC_RELAY = crocDomain; - CROC_PASS = "$(cat ${nixosConfig.sops.secrets.croc-password.path or ""})"; - GITHUB_TOKEN = "$(cat ${nixosConfig.sops.secrets.github-nixpkgs-review-token.path or ""})"; + CROC_PASS = "$(cat ${confLib.getConfig.sops.secrets.croc-password.path or ""})"; + GITHUB_TOKEN = "$(cat ${confLib.getConfig.sops.secrets.github-nixpkgs-review-token.path or ""})"; QT_QPA_PLATFORM_PLUGIN_PATH = "${pkgs.libsForQt5.qt5.qtbase.bin}/lib/qt-${pkgs.libsForQt5.qt5.qtbase.version}/plugins"; # QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox"; }; @@ -16958,10 +17624,10 @@ Currently I only use it as before with =initExtra= though. Normally I use 4 mail accounts - here I set them all up. Three of them are Google accounts (sadly), which are a chore to setup. The last is just a sender account that I setup SMTP for here. #+begin_src nix-ts :tangle modules/home/common/mail.nix - { lib, config, inputs, globals, nixosConfig ? config, ... }: + { lib, config, inputs, globals, confLib, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4; - inherit (nixosConfig.repo.secrets.common) fullName; + inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4; + inherit (confLib.getConfig.repo.secrets.common) fullName; inherit (config.swarselsystems) xdgDir; in { 
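Review bot: `CROC_PASS = "$(cat ${confLib.getConfig.sops.secrets.croc-password.path or ""})"` collapses to `$(cat )` when the fallback fires, and `cat` with no argument reads stdin, so an interactive zsh would hang at startup on a host without that secret; the same applies to `GITHUB_TOKEN` on the next line. Guard the whole entry instead, e.g. `lib.optionalAttrs (confLib.getConfig.sops.secrets ? croc-password) { CROC_PASS = …; }`, or drop the `or ""` so a missing secret fails at evaluation rather than at login. Beyond that, the two hunks only swap `nixosConfig` for `confLib.getConfig`.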
@@ -17100,7 +17766,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl address = address4; userName = address4; realName = fullName; - passwordCommand = "cat ${nixosConfig.sops.secrets.address4-token.path}"; + passwordCommand = "cat ${confLib.getConfig.sops.secrets.address4-token.path}"; mu.enable = true; msmtp = { enable = true; @@ -17129,7 +17795,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl address = address1; userName = address1; realName = fullName; - passwordCommand = "cat ${nixosConfig.sops.secrets.address1-token.path}"; + passwordCommand = "cat ${confLib.getConfig.sops.secrets.address1-token.path}"; gpg = { key = "0x76FD3810215AE097"; signByDefault = true; @@ -17143,7 +17809,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl address = address2; userName = address2; realName = address2-name; - passwordCommand = "cat ${nixosConfig.sops.secrets.address2-token.path}"; + passwordCommand = "cat ${confLib.getConfig.sops.secrets.address2-token.path}"; } defaultSettings; @@ -17153,7 +17819,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl address = address3; userName = address3; realName = address3-name; - passwordCommand = "cat ${nixosConfig.sops.secrets.address3-token.path}"; + passwordCommand = "cat ${confLib.getConfig.sops.secrets.address3-token.path}"; } defaultSettings; @@ -18302,7 +18968,7 @@ I am currently using SwayFX, which adds some nice effects to sway, like rounded Currently, I am too lazy to explain every option here, but most of it is very self-explaining in any case. #+begin_src nix-ts :tangle modules/home/common/sway.nix - { config, lib, vars, nixosConfig ? config, ... }: + { config, lib, vars, confLib, ... }: let eachOutput = _: monitor: { inherit (monitor) name; 
@@ -18685,7 +19351,7 @@ Currently, I am too lazy to explain every option here, but most of it is very se export XDG_CURRENT_DESKTOP=sway; export XDG_SESSION_DESKTOP=sway; export _JAVA_AWT_WM_NONREPARENTING=1; - export GITHUB_NOTIFICATION_TOKEN_PATH=${nixosConfig.sops.secrets.github-notifications-token.path}; + export GITHUB_NOTIFICATION_TOKEN_PATH=${confLib.getConfig.sops.secrets.github-notifications-token.path}; '' + vars.waylandExports; # extraConfigEarly = " # exec systemctl --user import-environment DISPLAY WAYLAND_DISPLAY SWAYSOCK 
@@ -18732,226 +19398,6 @@ Currently, I am too lazy to explain every option here, but most of it is very se } #+end_src -**** Niri -:PROPERTIES: -:CUSTOM_ID: h:06e77ca4-28ff-4cfd-bc60-b7fd848bfedb -:END: - -#+begin_src nix-ts :tangle modules/home/common/niri.nix - { config, pkgs, lib, vars, ... }: - { - options.swarselmodules.niri = lib.mkEnableOption "niri settings"; - config = lib.mkIf config.swarselmodules.niri { - - programs.niri = { - package = pkgs.niri-unstable; # which package to use for niri validation - settings = { - xwayland-satellite = { - enable = true; - path = "${lib.getExe pkgs.xwayland-satellite-unstable}"; - }; - prefer-no-csd = true; - layer-rules = [ - { matches = [{ namespace = "^notifications$"; }]; block-out-from = "screencast"; } - { matches = [{ namespace = "^wallpaper$"; }]; place-within-backdrop = true; } - ]; - window-rules = [ - { - matches = [{ app-id = ".*"; }]; - opacity = 0.95; - default-column-width = { proportion = 0.5; }; - shadow = { - enable = true; - draw-behind-window = true; - }; - geometry-corner-radius = { top-left = 2.0; top-right = 2.0; bottom-left = 2.0; bottom-right = 2.0; }; - } - { matches = [{ app-id = "at.yrlf.wl_mirror"; }]; opacity = 1.0; } - { matches = [{ app-id = "Gimp"; }]; opacity = 1.0; } - { matches = [{ app-id = "firefox"; }]; opacity = 0.99; } - { matches = [{ app-id = "^special.*"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; } - { matches = [{ app-id = "chromium-browser"; }]; opacity = 0.99; } - { matches = [{ app-id = "^qalculate-gtk$"; }]; open-floating = true; } - { matches = [{ app-id = "^blueman$"; }]; open-floating = true; } - { matches = [{ app-id = "^pavucontrol$"; }]; open-floating = true; } - { matches = [{ app-id = "^syncthingtray$"; }]; open-floating = true; } - { matches = [{ app-id = "^Element$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = "screencast"; } - # { matches = [{ app-id = "^Element$"; }]; 
default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; } - { matches = [{ app-id = "^vesktop$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = "screencast"; } - # { matches = [{ app-id = "^vesktop$"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; } - { matches = [{ app-id = "^com.nextcloud.desktopclient.nextcloud$"; }]; open-floating = true; } - { matches = [{ title = ".*1Password.*"; }]; excludes = [{ app-id = "^firefox$"; } { app-id = "^emacs$"; } { app-id = "^kitty$"; }]; open-floating = true; block-out-from = "screencast"; } - { matches = [{ title = "(?:Open|Save) (?:File|Folder|As)"; }]; open-floating = true; } - { matches = [{ title = "^Add$"; }]; open-floating = true; } - { matches = [{ title = "^Picture-in-Picture$"; }]; open-floating = true; } - { matches = [{ title = "Syncthing Tray"; }]; open-floating = true; } - { matches = [{ title = "^Emacs Popup Frame$"; }]; open-floating = true; } - { matches = [{ title = "^Emacs Popup Anchor$"; }]; open-floating = true; } - { matches = [{ app-id = "^spotifytui$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; } - { matches = [{ app-id = "^kittyterm$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; } - ]; - environment = { - DISPLAY = ":0"; - } // vars.waylandSessionVariables; - screenshot-path = "~/Pictures/Screenshots/screenshot_%Y-%m-%d-%H%M%S.png"; - input = { - mod-key = "Super"; - keyboard = { - xkb = { - layout = "us"; - variant = "altgr-intl"; - }; - }; - mouse = { - natural-scroll = false; - }; - touchpad = { - enable = true; - tap = true; - tap-button-map = "left-right-middle"; - natural-scroll = true; - scroll-method = "two-finger"; - click-method = "clickfinger"; - disabled-on-external-mouse = true; - drag = true; - drag-lock = false; - dwt = true; - dwtp = true; - }; - }; - cursor = { - 
hide-after-inactive-ms = 2000; - hide-when-typing = true; - }; - layout = { - background-color = "transparent"; - border = { - enable = true; - width = 1; - }; - focus-ring = { - enable = false; - }; - gaps = 5; - }; - binds = with config.lib.niri.actions; let - sh = spawn "sh" "-c"; - in - { - - # "Mod+Super_L" = spawn "killall -SIGUSR1 .waybar-wrapped"; - "Mod+z".action = spawn "killall -SIGUSR1 .waybar-wrapped"; - "Mod+Shift+t".action = toggle-window-rule-opacity; - # "Mod+Escape".action = "mode $exit"; - "Mod+m".action = focus-workspace-previous; - "Mod+Shift+Space".action = toggle-window-floating; - "Mod+Shift+f".action = toggle-windowed-fullscreen; - "Mod+q".action = close-window; - "Mod+f".action = spawn "firefox"; - "Mod+Space".action = spawn "fuzzel"; - "Mod+Shift+c".action = spawn "qalculate-gtk"; - "Mod+Ctrl+p".action = spawn "1password" "--quick-acces"; - "Mod+Shift+Escape".action = spawn "kitty" "-o" "confirm_os_window_close=0" "btm"; - "Mod+h".action = sh ''hyprpicker | wl-copy''; - # "Mod+s".action = spawn "grim" "-g" "\"$(slurp)\"" "-t" "png" "-" "|" "wl-copy" "-t" "image/png"; - # "Mod+s".action = screenshot { show-pointer = false; }; - "Mod+s".action.screenshot = { show-pointer = false; }; - # "Mod+Shift+s".action = spawn "slurp" "|" "grim" "-g" "-" "Pictures/Screenshots/$(date +'screenshot_%Y-%m-%d-%H%M%S.png')"; - # "Mod+Shift+s".action = screenshot-window { write-to-disk = true; }; - "Mod+Shift+s".action.screenshot-window = { write-to-disk = true; }; - # "Mod+Shift+v".action = spawn "wf-recorder" "-g" "'$(slurp -f %o -or)'" "-f" "~/Videos/screenrecord_$(date +%Y-%m-%d-%H%M%S).mkv"; - - "Mod+e".action = sh "emacsclient -nquc -a emacs -e '(dashboard-open)'"; - "Mod+c".action = sh "emacsclient -ce '(org-capture)'"; - "Mod+t".action = sh "emacsclient -ce '(org-agenda)'"; - "Mod+Shift+m".action = sh "emacsclient -ce '(mu4e)'"; - "Mod+Shift+a".action = sh "emacsclient -ce '(swarsel/open-calendar)'"; - - "Mod+a".action = spawn "swarselcheck-niri" 
"-s"; - "Mod+x".action = spawn "swarselcheck-niri" "-k"; - "Mod+d".action = spawn "swarselcheck-niri" "-d"; - "Mod+w".action = spawn "swarselcheck-niri" "-e"; - - "Mod+p".action = spawn "pass-fuzzel"; - "Mod+o".action = spawn "pass-fuzzel" "--otp"; - "Mod+Shift+p".action = spawn "pass-fuzzel" "--type"; - "Mod+Shift+o".action = spawn "pass-fuzzel" "--otp" "--type"; - - "Mod+Left".action = focus-column-or-monitor-left; - "Mod+Right".action = focus-column-or-monitor-right; - "Mod+Down".action = focus-window-or-workspace-down; - "Mod+Up".action = focus-window-or-workspace-up; - "Mod+Shift+Left".action = move-column-left; - "Mod+Shift+Right".action = move-column-right; - "Mod+Shift+Down".action = move-window-down-or-to-workspace-down; - "Mod+Shift+Up".action = move-window-up-or-to-workspace-up; - # "Mod+Ctrl+Shift+c".action = "reload"; - # "Mod+Ctrl+Shift+r".action = "exec swarsel-displaypower"; - # "Mod+Shift+e".action = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' 
-b 'Yes, exit sway' 'swaymsg exit'"; - # "Mod+r".action = "mode resize"; - # "Mod+Return".action = "exec kitty"; - "Mod+Return".action = spawn "swarselzellij"; - "XF86AudioRaiseVolume".action = spawn "swayosd-client" "--output-volume" "raise"; - "XF86AudioLowerVolume".action = spawn "swayosd-client" "--output-volume" "lower"; - "XF86AudioMute".action = spawn "swayosd-client" "--output-volume" "mute-toggle"; - "XF86MonBrightnessUp".action = spawn "swayosd-client" "--brightness raise"; - "XF86MonBrightnessDown".action = spawn "swayosd-client" "--brightness lower"; - "XF86Display".action = spawn "wl-mirror" "eDP-1"; - "Mod+Escape".action = spawn "wlogout"; - "Mod+Equal".action = set-column-width "+10%"; - "Mod+Minus".action = set-column-width "-10%"; - - "Mod+1".action = focus-workspace 1; - "Mod+2".action = focus-workspace 2; - "Mod+3".action = focus-workspace 3; - "Mod+4".action = focus-workspace 4; - "Mod+5".action = focus-workspace 5; - "Mod+6".action = focus-workspace 6; - "Mod+7".action = focus-workspace 7; - "Mod+8".action = focus-workspace 8; - "Mod+9".action = focus-workspace 9; - "Mod+0".action = focus-workspace 0; - - "Mod+Shift+1".action = move-column-to-index 1; - "Mod+Shift+2".action = move-column-to-index 2; - "Mod+Shift+3".action = move-column-to-index 3; - "Mod+Shift+4".action = move-column-to-index 4; - "Mod+Shift+5".action = move-column-to-index 5; - "Mod+Shift+6".action = move-column-to-index 6; - "Mod+Shift+7".action = move-column-to-index 7; - "Mod+Shift+8".action = move-column-to-index 8; - "Mod+Shift+9".action = move-column-to-index 9; - "Mod+Shift+0".action = move-column-to-index 0; - }; - spawn-at-startup = [ - # { command = [ "vesktop" "--start-minimized" "--enable-speech-dispatcher" "--ozone-platform-hint=auto" "--enable-features=WaylandWindowDecorations" "--enable-wayland-ime" ]; } - # { command = [ "element-desktop" "--hidden" "--enable-features=UseOzonePlatform" "--ozone-platform=wayland" "--disable-gpu-driver-bug-workarounds" ]; } - # { 
command = [ "anki" ]; } - # { command = [ "obsidian" ]; } - # { command = [ "nm-applet" ]; } - { command = [ "niri" "msg" "action" "focus-workspace" "2" ]; } - ]; - workspaces = { - # "01-Main" = { - # name = "Scratchpad"; - # }; - "99-Scratchpad" = { - name = ""; - }; - }; - }; - }; - - } // { - programs.niri = lib.mkIf (!config.swarselmodules.niri) { - package = null; - config = null; - settings = null; - }; - }; - } -#+end_src - **** Kanshi :PROPERTIES: :CUSTOM_ID: h:eb94df98-2bcd-4555-9f88-e252f93b924f @@ -19143,9 +19589,9 @@ When setting up a new machine: This service changes the screen hue at night. I am not sure if that really does something, but I like the color anyways. #+begin_src nix-ts :tangle modules/home/common/gammastep.nix - { lib, config, nixosConfig ? config, ... }: + { lib, config, confLib, ... }: let - inherit (nixosConfig.repo.secrets.common.location) latitude longitude; + inherit (confLib.getConfig.repo.secrets.common.location) latitude longitude; in { options.swarselmodules.gammastep = lib.mkEnableOption "gammastep settings"; @@ -19197,10 +19643,10 @@ This service changes the screen hue at night. I am not sure if that really does :END: #+begin_src nix-ts :tangle modules/home/common/obsidian.nix - { lib, config, pkgs, nixosConfig ? config, ... }: + { lib, config, pkgs, confLib, ... }: let moduleName = "obsidian"; - inherit (nixosConfig.repo.secrets.common.obsidian) userIgnoreFilters; + inherit (confLib.getConfig.repo.secrets.common.obsidian) userIgnoreFilters; name = "Main"; in { @@ -19359,7 +19805,7 @@ This service changes the screen hue at night. I am not sure if that really does #+begin_src nix-ts :tangle modules/home/common/anki.nix - { lib, config, pkgs, globals, inputs, nixosConfig ? config, ... }: + { lib, config, pkgs, globals, inputs, confLib, ... }: let moduleName = "anki"; inherit (config.swarselsystems) isPublic isNixos; 
@@ -19384,11 +19830,11 @@ This service changes the screen hue at night. I am not sure if that really does syncMedia = true; autoSyncMediaMinutes = 5; url = "https://${globals.services.ankisync.domain}"; - usernameFile = nixosConfig.sops.secrets.anki-user.path; + usernameFile = confLib.getConfig.sops.secrets.anki-user.path; # this is not the password but the syncKey # get it by logging in or out, saving preferences and then # show details on the "settings wont be saved" dialog - keyFile = nixosConfig.sops.secrets.anki-pw.path; + keyFile = confLib.getConfig.sops.secrets.anki-pw.path; }; addons = let @@ -19434,7 +19880,7 @@ This service changes the screen hue at night. I am not sure if that really does #+begin_src nix-ts :tangle modules/home/common/element.nix - { lib, config, ... }: + { lib, config, globals, ... }: let moduleName = "element-desktop"; in @@ -19446,7 +19892,7 @@ This service changes the screen hue at night. I am not sure if that really does settings = { default_server_config = { "m.homeserver" = { - base_url = "https://swatrix.swarsel.win/"; + base_url = "https://${globals.services.matrix.domain}/"; }; }; UIFeature = { @@ -19472,10 +19918,10 @@ This service changes the screen hue at night. I am not sure if that really does #+begin_src nix-ts :tangle modules/home/common/hexchat.nix - { lib, config, nixosConfig ? config, ... }: + { lib, config, confLib, ... }: let moduleName = "hexchat"; - inherit (nixosConfig.repo.secrets.common.irc) irc_nick1; + inherit (confLib.getConfig.repo.secrets.common.irc) irc_nick1; in { options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings"; @@ -19754,7 +20200,7 @@ This service changes the screen hue at night. I am not sure if that really does :END: #+begin_src nix-ts :tangle modules/home/common/opkssh.nix - { lib, config, ... }: + { lib, config, globals, ... }: let moduleName = "opkssh"; in 
@@ -19769,7 +20215,7 @@ This service changes the screen hue at night. I am not sure if that really does providers = [ { alias = "kanidm"; - issuer = "https://sso.swarsel.win/oauth2/openid/opkssh"; + issuer = "https://${globals.services.kanidm.domain}/oauth2/openid/opkssh"; client_id = "opkssh"; scopes = "openid email profile"; redirect_uris = [ 
@@ -19880,6 +20326,230 @@ Akin to the [[#h:f9aa9af0-9b8d-43ff-901d-9ffccdd70589][Optional]] NixOS modules. } #+end_src +**** Niri +:PROPERTIES: +:CUSTOM_ID: h:06e77ca4-28ff-4cfd-bc60-b7fd848bfedb +:END: + +#+begin_src nix-ts :tangle modules/home/optional/niri.nix + { inputs, config, pkgs, lib, vars, ... }: + { + imports = [ + inputs.niri-flake.homeModules.niri + ]; + options.swarselmodules.niri = lib.mkEnableOption "niri settings"; + config = lib.mkIf config.swarselmodules.niri + { + + programs.niri = { + package = pkgs.niri-unstable; # which package to use for niri validation + settings = { + xwayland-satellite = { + enable = true; + path = "${lib.getExe pkgs.xwayland-satellite-unstable}"; + }; + prefer-no-csd = true; + layer-rules = [ + { matches = [{ namespace = "^notifications$"; }]; block-out-from = "screencast"; } + { matches = [{ namespace = "^wallpaper$"; }]; place-within-backdrop = true; } + ]; + window-rules = [ + { + matches = [{ app-id = ".*"; }]; + opacity = 0.95; + default-column-width = { proportion = 0.5; }; + shadow = { + enable = true; + draw-behind-window = true; + }; + geometry-corner-radius = { top-left = 2.0; top-right = 2.0; bottom-left = 2.0; bottom-right = 2.0; }; + } + { matches = [{ app-id = "at.yrlf.wl_mirror"; }]; opacity = 1.0; } + { matches = [{ app-id = "Gimp"; }]; opacity = 1.0; } + { matches = [{ app-id = "firefox"; }]; opacity = 0.99; } + { matches = [{ app-id = "^special.*"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; } + { matches = [{ app-id = "chromium-browser"; }]; opacity = 0.99; } + { matches = [{ app-id = "^qalculate-gtk$"; }]; open-floating = true; } + { matches = [{ app-id = "^blueman$"; }]; open-floating = true; } + { matches = [{ app-id = "^pavucontrol$"; }]; open-floating = true; } + { matches = [{ app-id = "^syncthingtray$"; }]; open-floating = true; } + { matches = [{ app-id = "^Element$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = 
"screencast"; } + # { matches = [{ app-id = "^Element$"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; } + { matches = [{ app-id = "^vesktop$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = "screencast"; } + # { matches = [{ app-id = "^vesktop$"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; } + { matches = [{ app-id = "^com.nextcloud.desktopclient.nextcloud$"; }]; open-floating = true; } + { matches = [{ title = ".*1Password.*"; }]; excludes = [{ app-id = "^firefox$"; } { app-id = "^emacs$"; } { app-id = "^kitty$"; }]; open-floating = true; block-out-from = "screencast"; } + { matches = [{ title = "(?:Open|Save) (?:File|Folder|As)"; }]; open-floating = true; } + { matches = [{ title = "^Add$"; }]; open-floating = true; } + { matches = [{ title = "^Picture-in-Picture$"; }]; open-floating = true; } + { matches = [{ title = "Syncthing Tray"; }]; open-floating = true; } + { matches = [{ title = "^Emacs Popup Frame$"; }]; open-floating = true; } + { matches = [{ title = "^Emacs Popup Anchor$"; }]; open-floating = true; } + { matches = [{ app-id = "^spotifytui$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; } + { matches = [{ app-id = "^kittyterm$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; } + ]; + environment = { + DISPLAY = ":0"; + } // vars.waylandSessionVariables; + screenshot-path = "~/Pictures/Screenshots/screenshot_%Y-%m-%d-%H%M%S.png"; + input = { + mod-key = "Super"; + keyboard = { + xkb = { + layout = "us"; + variant = "altgr-intl"; + }; + }; + mouse = { + natural-scroll = false; + }; + touchpad = { + enable = true; + tap = true; + tap-button-map = "left-right-middle"; + natural-scroll = true; + scroll-method = "two-finger"; + click-method = "clickfinger"; + disabled-on-external-mouse = true; + drag = true; + drag-lock = 
false; + dwt = true; + dwtp = true; + }; + }; + cursor = { + hide-after-inactive-ms = 2000; + hide-when-typing = true; + }; + layout = { + background-color = "transparent"; + border = { + enable = true; + width = 1; + }; + focus-ring = { + enable = false; + }; + gaps = 5; + }; + binds = with config.lib.niri.actions; let + sh = spawn "sh" "-c"; + in + { + + # "Mod+Super_L" = spawn "killall -SIGUSR1 .waybar-wrapped"; + "Mod+z".action = spawn "killall -SIGUSR1 .waybar-wrapped"; + "Mod+Shift+t".action = toggle-window-rule-opacity; + # "Mod+Escape".action = "mode $exit"; + "Mod+m".action = focus-workspace-previous; + "Mod+Shift+Space".action = toggle-window-floating; + "Mod+Shift+f".action = toggle-windowed-fullscreen; + "Mod+q".action = close-window; + "Mod+f".action = spawn "firefox"; + "Mod+Space".action = spawn "fuzzel"; + "Mod+Shift+c".action = spawn "qalculate-gtk"; + "Mod+Ctrl+p".action = spawn "1password" "--quick-acces"; + "Mod+Shift+Escape".action = spawn "kitty" "-o" "confirm_os_window_close=0" "btm"; + "Mod+h".action = sh ''hyprpicker | wl-copy''; + # "Mod+s".action = spawn "grim" "-g" "\"$(slurp)\"" "-t" "png" "-" "|" "wl-copy" "-t" "image/png"; + # "Mod+s".action = screenshot { show-pointer = false; }; + "Mod+s".action.screenshot = { show-pointer = false; }; + # "Mod+Shift+s".action = spawn "slurp" "|" "grim" "-g" "-" "Pictures/Screenshots/$(date +'screenshot_%Y-%m-%d-%H%M%S.png')"; + # "Mod+Shift+s".action = screenshot-window { write-to-disk = true; }; + "Mod+Shift+s".action.screenshot-window = { write-to-disk = true; }; + # "Mod+Shift+v".action = spawn "wf-recorder" "-g" "'$(slurp -f %o -or)'" "-f" "~/Videos/screenrecord_$(date +%Y-%m-%d-%H%M%S).mkv"; + + "Mod+e".action = sh "emacsclient -nquc -a emacs -e '(dashboard-open)'"; + "Mod+c".action = sh "emacsclient -ce '(org-capture)'"; + "Mod+t".action = sh "emacsclient -ce '(org-agenda)'"; + "Mod+Shift+m".action = sh "emacsclient -ce '(mu4e)'"; + "Mod+Shift+a".action = sh "emacsclient -ce 
'(swarsel/open-calendar)'"; + + "Mod+a".action = spawn "swarselcheck-niri" "-s"; + "Mod+x".action = spawn "swarselcheck-niri" "-k"; + "Mod+d".action = spawn "swarselcheck-niri" "-d"; + "Mod+w".action = spawn "swarselcheck-niri" "-e"; + + "Mod+p".action = spawn "pass-fuzzel"; + "Mod+o".action = spawn "pass-fuzzel" "--otp"; + "Mod+Shift+p".action = spawn "pass-fuzzel" "--type"; + "Mod+Shift+o".action = spawn "pass-fuzzel" "--otp" "--type"; + + "Mod+Left".action = focus-column-or-monitor-left; + "Mod+Right".action = focus-column-or-monitor-right; + "Mod+Down".action = focus-window-or-workspace-down; + "Mod+Up".action = focus-window-or-workspace-up; + "Mod+Shift+Left".action = move-column-left; + "Mod+Shift+Right".action = move-column-right; + "Mod+Shift+Down".action = move-window-down-or-to-workspace-down; + "Mod+Shift+Up".action = move-window-up-or-to-workspace-up; + # "Mod+Ctrl+Shift+c".action = "reload"; + # "Mod+Ctrl+Shift+r".action = "exec swarsel-displaypower"; + # "Mod+Shift+e".action = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' 
-b 'Yes, exit sway' 'swaymsg exit'"; + # "Mod+r".action = "mode resize"; + # "Mod+Return".action = "exec kitty"; + "Mod+Return".action = spawn "swarselzellij"; + "XF86AudioRaiseVolume".action = spawn "swayosd-client" "--output-volume" "raise"; + "XF86AudioLowerVolume".action = spawn "swayosd-client" "--output-volume" "lower"; + "XF86AudioMute".action = spawn "swayosd-client" "--output-volume" "mute-toggle"; + "XF86MonBrightnessUp".action = spawn "swayosd-client" "--brightness raise"; + "XF86MonBrightnessDown".action = spawn "swayosd-client" "--brightness lower"; + "XF86Display".action = spawn "wl-mirror" "eDP-1"; + "Mod+Escape".action = spawn "wlogout"; + "Mod+Equal".action = set-column-width "+10%"; + "Mod+Minus".action = set-column-width "-10%"; + + "Mod+1".action = focus-workspace 1; + "Mod+2".action = focus-workspace 2; + "Mod+3".action = focus-workspace 3; + "Mod+4".action = focus-workspace 4; + "Mod+5".action = focus-workspace 5; + "Mod+6".action = focus-workspace 6; + "Mod+7".action = focus-workspace 7; + "Mod+8".action = focus-workspace 8; + "Mod+9".action = focus-workspace 9; + "Mod+0".action = focus-workspace 0; + + "Mod+Shift+1".action = move-column-to-index 1; + "Mod+Shift+2".action = move-column-to-index 2; + "Mod+Shift+3".action = move-column-to-index 3; + "Mod+Shift+4".action = move-column-to-index 4; + "Mod+Shift+5".action = move-column-to-index 5; + "Mod+Shift+6".action = move-column-to-index 6; + "Mod+Shift+7".action = move-column-to-index 7; + "Mod+Shift+8".action = move-column-to-index 8; + "Mod+Shift+9".action = move-column-to-index 9; + "Mod+Shift+0".action = move-column-to-index 0; + }; + spawn-at-startup = [ + # { command = [ "vesktop" "--start-minimized" "--enable-speech-dispatcher" "--ozone-platform-hint=auto" "--enable-features=WaylandWindowDecorations" "--enable-wayland-ime" ]; } + # { command = [ "element-desktop" "--hidden" "--enable-features=UseOzonePlatform" "--ozone-platform=wayland" "--disable-gpu-driver-bug-workarounds" ]; } + # { 
command = [ "anki" ]; } + # { command = [ "obsidian" ]; } + # { command = [ "nm-applet" ]; } + { command = [ "niri" "msg" "action" "focus-workspace" "2" ]; } + ]; + workspaces = { + # "01-Main" = { + # name = "Scratchpad"; + # }; + "99-Scratchpad" = { + name = ""; + }; + }; + }; + }; + + } // { + programs.niri = lib.mkIf (!config.swarselmodules.niri) { + package = null; + config = null; + settings = null; + }; + }; + } +#+end_src + **** Gaming :PROPERTIES: :CUSTOM_ID: h:84fd7029-ecb6-4131-9333-289982f24ffa @@ -19888,13 +20558,12 @@ Akin to the [[#h:f9aa9af0-9b8d-43ff-901d-9ffccdd70589][Optional]] NixOS modules. The rest of the settings is at [[#h:fb3f3e01-7df4-4b06-9e91-aa9cac61a431][gaming]]. #+begin_src nix-ts :tangle modules/home/optional/gaming.nix - { lib, config, pkgs, nixosConfig ? config, ... }: + { config, pkgs, confLib, ... }: let inherit (config.swarselsystems) isNixos; in { - options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings"; - config = lib.mkIf config.swarselmodules.optional.gaming { + config = { # specialisation = { # gaming.configuration = { home.packages = with pkgs; [ @@ -19934,7 +20603,7 @@ The rest of the settings is at [[#h:fb3f3e01-7df4-4b06-9e91-aa9cac61a431][gaming gamescope umu-launcher ]; - steamPackage = if isNixos then nixosConfig.programs.steam.package else pkgs.steam; + steamPackage = if isNixos then confLib.getConfig.programs.steam.package else pkgs.steam; winePackages = with pkgs; [ wineWow64Packages.waylandFull ]; 
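Review bot: The `} // { programs.niri = lib.mkIf (!config.swarselmodules.niri) { package = null; ... }; }` tail of the `config` attribute in the new optional/niri.nix looks like dead code: `lib.mkIf cond { ... } // { ... }` parses as `(lib.mkIf cond { ... }) // { ... }`, so `programs.niri` is added beside the `_type`/`condition`/`content` attributes of the mkIf wrapper, and as far as I can tell the module system only pushes down `content` of an `_type = "if"` value, so the disabled-case nulling of package/config/settings never reaches the option (worth confirming with a `nix eval` of `programs.niri.package` on a host with the module off). Wrapping both branches as real definitions fixes it: `config = lib.mkMerge [ (lib.mkIf config.swarselmodules.niri { programs.niri = { ... }; }) { programs.niri = lib.mkIf (!config.swarselmodules.niri) { package = null; config = null; settings = null; }; } ];`. Separately, `spawn "1password" "--quick-acces"` in the `Mod+Ctrl+p` bind is missing an `s`; the 1Password flag is `--quick-access`, so the bind presumably just opens the main window. Both issues were carried over verbatim from the deleted modules/home/common/niri.nix, so they predate this commit.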
@@ -19965,398 +20634,428 @@ When setting up a new machine: #+end_src #+begin_src nix-ts :tangle modules/home/optional/work.nix :noweb yes - { self, inputs, config, pkgs, lib, vars, nixosConfig ? config, ... }: + { self, inputs, config, pkgs, lib, vars, confLib, ... }: let inherit (config.swarselsystems) homeDir mainUser; - inherit (nixosConfig.repo.secrets.local.mail) allMailAddresses; - inherit (nixosConfig.repo.secrets.local.work) mailAddress; + inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses; + inherit (confLib.getConfig.repo.secrets.local.work) mailAddress; certsSopsFile = self + /secrets/certs/secrets.yaml; in { - options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings"; - config = lib.mkIf config.swarselmodules.optional.work - ({ - home = { - packages = with pkgs; [ - stable.teams-for-linux - shellcheck - dig - docker - postman - # rclone - libguestfs-with-appliance - prometheus.cli - tigervnc - # openstackclient + options.swarselmodules.optional-work = lib.swarselsystems.mkTrueOption; + config = { + home = { + packages = with pkgs; [ + stable.teams-for-linux + shellcheck + dig + docker + postman + # rclone + libguestfs-with-appliance + prometheus.cli + tigervnc + # openstackclient - vscode - dev.antigravity + vscode + dev.antigravity - rustdesk-vbc + rustdesk-vbc + ]; + sessionVariables = { + AWS_CA_BUNDLE = confLib.getConfig.sops.secrets.harica-root-ca.path; + }; + }; + systemd.user.sessionVariables = { + DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work"; + } // lib.optionalAttrs (!config.swarselsystems.isPublic) { + SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses; + SWARSEL_MAIL_WORK = lib.mkForce mailAddress; + }; + + accounts.email.accounts.work = + let + inherit (confLib.getConfig.repo.secrets.local.work) mailName; + in + { + primary = false; + address = mailAddress; + userName = mailAddress; + realName = mailName; + passwordCommand = "pizauth show work"; + imap = { + host = 
"outlook.office365.com"; + port = 993; + tls.enable = true; # SSL/TLS + }; + smtp = { + host = "outlook.office365.com"; + port = 587; + tls = { + enable = true; # SSL/TLS + useStartTls = true; + }; + }; + thunderbird = { + enable = true; + profiles = [ "default" ]; + settings = id: { + "mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth + "mail.server.server_${id}.authMethod" = 10; # oauth + # "toolkit.telemetry.enabled" = false; + # "toolkit.telemetry.rejected" = true; + # "toolkit.telemetry.prompted" = 2; + }; + }; + msmtp = { + enable = true; + extraConfig = { + auth = "xoauth2"; + host = "outlook.office365.com"; + protocol = "smtp"; + port = "587"; + tls = "on"; + tls_starttls = "on"; + from = "${mailAddress}"; + user = "${mailAddress}"; + passwordeval = "pizauth show work"; + }; + }; + mu.enable = true; + mbsync = { + enable = true; + expunge = "both"; + patterns = [ "INBOX" ]; + extraConfig = { + account = { + AuthMechs = "XOAUTH2"; + }; + }; + }; + }; + + # wayland.windowManager.sway.config = { + # output = { + # "Applied Creative Technology Transmitter QUATTRO201811" = { + # bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}"; + # }; + # "Hewlett Packard HP Z24i CN44250RDT" = { + # bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}"; + # }; + # "HP Inc. 
HP 732pk CNC4080YL5" = { + # bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}"; + # }; + # }; + # }; + + wayland.windowManager.sway = + let + inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress; + in + { + config = { + keybindings = + let + inherit (config.wayland.windowManager.sway.config) modifier; + in + { + "${modifier}+Shift+d" = "exec ${pkgs.quickpass}/bin/quickpass work/adm/${user1}/${user1Long}@${domain1}"; + "${modifier}+Shift+i" = "exec ${pkgs.quickpass}/bin/quickpass work/${mailAddress}"; + }; + }; + }; + + stylix = { + targets.firefox.profileNames = + let + inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3; + in + [ + "${user1}" + "${user2}" + "${user3}" + "work" ]; - sessionVariables = { - AWS_CA_BUNDLE = nixosConfig.sops.secrets.harica-root-ca.path; + }; + + programs = + let + inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds; + in + { + openstackclient = { + enable = true; + inherit clouds; }; - }; - systemd.user.sessionVariables = { - DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work"; - } // lib.optionalAttrs (!config.swarselsystems.isPublic) { - SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses; - SWARSEL_MAIL_WORK = lib.mkForce mailAddress; - }; - - accounts.email.accounts.work = - let - inherit (nixosConfig.repo.secrets.local.work) mailName; - in - { - primary = false; - address = mailAddress; - userName = mailAddress; - realName = mailName; - passwordCommand = "pizauth show work"; - imap = { - host = "outlook.office365.com"; - port = 993; - tls.enable = true; # SSL/TLS - }; - smtp = { - host = "outlook.office365.com"; - port = 587; - tls = { - enable = true; # SSL/TLS - useStartTls = true; - }; - }; - thunderbird = { - enable = true; - profiles = [ "default" ]; - settings = id: { - 
"mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth - "mail.server.server_${id}.authMethod" = 10; # oauth - # "toolkit.telemetry.enabled" = false; - # "toolkit.telemetry.rejected" = true; - # "toolkit.telemetry.prompted" = 2; - }; - }; - msmtp = { - enable = true; - extraConfig = { - auth = "xoauth2"; - host = "outlook.office365.com"; - protocol = "smtp"; - port = "587"; - tls = "on"; - tls_starttls = "on"; - from = "${mailAddress}"; - user = "${mailAddress}"; - passwordeval = "pizauth show work"; - }; - }; - mu.enable = true; - mbsync = { - enable = true; - expunge = "both"; - patterns = [ "INBOX" ]; - extraConfig = { - account = { - AuthMechs = "XOAUTH2"; - }; - }; - }; + awscli = { + enable = true; + package = pkgs.stable24_05.awscli2; + # settings = { + # "default" = { }; + # "profile s3-imagebuilder-prod" = { }; + # }; + # credentials = { + # "s3-imagebuilder-prod" = { + # aws_access_key_id = "5OYXY4879EJG9I91K1B6"; + # credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key"; + # }; + # }; }; + git.settings.user.email = lib.mkForce gitMail; - # wayland.windowManager.sway.config = { - # output = { - # "Applied Creative Technology Transmitter QUATTRO201811" = { - # bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}"; - # }; - # "Hewlett Packard HP Z24i CN44250RDT" = { - # bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}"; - # }; - # "HP Inc. 
HP 732pk CNC4080YL5" = { - # bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}"; - # }; - # }; - # }; - - wayland.windowManager.sway = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress; - in - { - config = { - keybindings = - let - inherit (config.wayland.windowManager.sway.config) modifier; - in - { - "${modifier}+Shift+d" = "exec ${pkgs.quickpass}/bin/quickpass work/adm/${user1}/${user1Long}@${domain1}"; - "${modifier}+Shift+i" = "exec ${pkgs.quickpass}/bin/quickpass work/${mailAddress}"; - }; + zsh = { + shellAliases = { + dssh = "ssh -l ${user1Long}"; + cssh = "ssh -l ${user2Long}"; + wssh = "ssh -l ${user3Long}"; }; - }; - - stylix = { - targets.firefox.profileNames = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; - in - [ - "${user1}" - "${user2}" - "${user3}" - "work" + cdpath = [ + "~/Documents/Work" ]; - }; - - programs = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds; - in - { - openstackclient = { - enable = true; - inherit clouds; - }; - awscli = { - enable = true; - package = pkgs.stable24_05.awscli2; - # settings = { - # "default" = { }; - # "profile s3-imagebuilder-prod" = { }; - # }; - # credentials = { - # "s3-imagebuilder-prod" = { - # aws_access_key_id = "5OYXY4879EJG9I91K1B6"; - # credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key"; - # }; - # }; - }; - git.settings.user.email = lib.mkForce gitMail; - - zsh = { - shellAliases = { - dssh = "ssh -l ${user1Long}"; - cssh = "ssh -l ${user2Long}"; - wssh = "ssh -l ${user3Long}"; - }; - cdpath = [ - "~/Documents/Work" - ]; - dirHashes = { - d = "$HOME/.dotfiles"; - w = "$HOME/Documents/Work"; - s = "$HOME/.dotfiles/secrets"; - pr = "$HOME/Documents/Private"; - ac = path1; - }; - - sessionVariables 
= { - VSPHERE_USER = "$(cat ${nixosConfig.sops.secrets.vcuser.path})"; - VSPHERE_PW = "$(cat ${nixosConfig.sops.secrets.vcpw.path})"; - GOVC_USERNAME = "$(cat ${nixosConfig.sops.secrets.govcuser.path})"; - GOVC_PASSWORD = "$(cat ${nixosConfig.sops.secrets.govcpw.path})"; - GOVC_URL = "$(cat ${nixosConfig.sops.secrets.govcurl.path})"; - GOVC_DATACENTER = "$(cat ${nixosConfig.sops.secrets.govcdc.path})"; - GOVC_DATASTORE = "$(cat ${nixosConfig.sops.secrets.govcds.path})"; - GOVC_HOST = "$(cat ${nixosConfig.sops.secrets.govchost.path})"; - GOVC_RESOURCE_POOL = "$(cat ${nixosConfig.sops.secrets.govcpool.path})"; - GOVC_NETWORK = "$(cat ${nixosConfig.sops.secrets.govcnetwork.path})"; - }; + dirHashes = { + d = "$HOME/.dotfiles"; + w = "$HOME/Documents/Work"; + s = "$HOME/.dotfiles/secrets"; + pr = "$HOME/Documents/Private"; + ac = path1; }; - ssh = { - matchBlocks = { - "${loc1}" = { - hostname = "${loc1}.${domain2}"; - user = user4; - }; - "${loc1}.stg" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.staging" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.dev" = { - hostname = "${loc1}.${lifecycle2}.${domain2}"; - user = user4; - }; - "${loc2}" = { - hostname = "${loc2}.${domain1}"; - user = user1Long; - }; - "${loc2}.stg" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "${loc2}.staging" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "*.${domain1}" = { - user = user1Long; - }; - }; - }; - - firefox = { - profiles = - let - isDefault = false; - in - { - "${user1}" = lib.recursiveUpdate - { - inherit isDefault; - id = 1; - settings = { - "browser.startup.homepage" = "${site1}|${site2}"; - }; - } - vars.firefox; - "${user2}" = lib.recursiveUpdate - { - inherit isDefault; - id = 2; - settings = { - "browser.startup.homepage" = "${site3}"; - }; - } - vars.firefox; - "${user3}" = lib.recursiveUpdate - { - inherit isDefault; - id = 3; - } 
- vars.firefox; - work = lib.recursiveUpdate - { - inherit isDefault; - id = 4; - settings = { - "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; - }; - } - vars.firefox; - }; - }; - - chromium = { - enable = true; - package = pkgs.chromium; - - extensions = [ - # 1password - "gejiddohjgogedgjnonbofjigllpkmbf" - # dark reader - "eimadpbcbfnmbkopoojfekhnkhdbieeh" - # ublock origin - "cjpalhdlnbpafiamejdnhcphjbkeiagm" - # i still dont care about cookies - "edibdbjcniadpccecjdfdjjppcpchdlm" - # browserpass - "naepdomgkenhinolocfifgehidddafch" - ]; + sessionVariables = { + VSPHERE_USER = "$(cat ${confLib.getConfig.sops.secrets.vcuser.path})"; + VSPHERE_PW = "$(cat ${confLib.getConfig.sops.secrets.vcpw.path})"; + GOVC_USERNAME = "$(cat ${confLib.getConfig.sops.secrets.govcuser.path})"; + GOVC_PASSWORD = "$(cat ${confLib.getConfig.sops.secrets.govcpw.path})"; + GOVC_URL = "$(cat ${confLib.getConfig.sops.secrets.govcurl.path})"; + GOVC_DATACENTER = "$(cat ${confLib.getConfig.sops.secrets.govcdc.path})"; + GOVC_DATASTORE = "$(cat ${confLib.getConfig.sops.secrets.govcds.path})"; + GOVC_HOST = "$(cat ${confLib.getConfig.sops.secrets.govchost.path})"; + GOVC_RESOURCE_POOL = "$(cat ${confLib.getConfig.sops.secrets.govcpool.path})"; + GOVC_NETWORK = "$(cat ${confLib.getConfig.sops.secrets.govcnetwork.path})"; }; }; - services = { - kanshi = { - settings = [ + ssh = { + matchBlocks = { + "${loc1}" = { + hostname = "${loc1}.${domain2}"; + user = user4; + }; + "${loc1}.stg" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.staging" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.dev" = { + hostname = "${loc1}.${lifecycle2}.${domain2}"; + user = user4; + }; + "${loc2}" = { + hostname = "${loc2}.${domain1}"; + user = user1Long; + }; + "${loc2}.stg" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "${loc2}.staging" = { + hostname = 
"${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "*.${domain1}" = { + user = user1Long; + }; + }; + }; + + firefox = { + profiles = + let + isDefault = false; + in { - # seminary room - output = { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - }; - } - { - # work main screen - output = { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.0; - mode = "3840x2160"; - }; - } - { - # work side screen - output = { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; - scale = 1.0; - mode = "1920x1200"; - transform = "270"; - }; - } - { - profile = { + "${user1}" = lib.recursiveUpdate + { + inherit isDefault; + id = 1; + settings = { + "browser.startup.homepage" = "${site1}|${site2}"; + }; + } + vars.firefox; + "${user2}" = lib.recursiveUpdate + { + inherit isDefault; + id = 2; + settings = { + "browser.startup.homepage" = "${site3}"; + }; + } + vars.firefox; + "${user3}" = lib.recursiveUpdate + { + inherit isDefault; + id = 3; + } + vars.firefox; + work = lib.recursiveUpdate + { + inherit isDefault; + id = 4; + settings = { + "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; + }; + } + vars.firefox; + }; + }; + + chromium = { + enable = true; + package = pkgs.chromium; + + extensions = [ + # 1password + "gejiddohjgogedgjnonbofjigllpkmbf" + # dark reader + "eimadpbcbfnmbkopoojfekhnkhdbieeh" + # ublock origin + "cjpalhdlnbpafiamejdnhcphjbkeiagm" + # i still dont care about cookies + "edibdbjcniadpccecjdfdjjppcpchdlm" + # browserpass + "naepdomgkenhinolocfifgehidddafch" + ]; + }; + }; + + services = { + kanshi = { + settings = [ + { + # seminary room + output = { + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + scale = 1.0; + mode = "1280x720"; + }; + } + { + # work main screen + output = { + criteria = "HP Inc. 
HP 732pk CNC4080YL5"; + scale = 1.0; + mode = "3840x2160"; + }; + } + { + # work side screen + output = { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "270"; + }; + } + { + profile = { + name = "lidopen"; + exec = [ + "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" + ]; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "enable"; + scale = 1.5; + position = "1462,0"; + } + { + criteria = "HP Inc. HP 732pk CNC4080YL5"; + scale = 1.4; + mode = "3840x2160"; + position = "-1280,0"; + } + { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "90"; + position = "-2480,0"; + } + ]; + }; + } + { + profile = + let + monitor = "Applied Creative Technology Transmitter QUATTRO201811"; + in + { name = "lidopen"; exec = [ "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. 
HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'" ]; outputs = [ { criteria = config.swarselsystems.sharescreen; status = "enable"; - scale = 1.5; - position = "1462,0"; + scale = 1.7; + position = "2560,0"; } { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.4; - mode = "3840x2160"; - position = "-1280,0"; - } - { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; scale = 1.0; - mode = "1920x1200"; - transform = "90"; - position = "-2480,0"; + mode = "1280x720"; + position = "10000,10000"; } ]; }; - } - { - profile = - let - monitor = "Applied Creative Technology Transmitter QUATTRO201811"; - in + } + { + profile = { + name = "lidclosed"; + exec = [ + "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. 
HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" + ]; + outputs = [ { - name = "lidopen"; - exec = [ - "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'" - ]; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "enable"; - scale = 1.7; - position = "2560,0"; - } - { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - position = "10000,10000"; - } - ]; - }; - } - { - profile = { + criteria = config.swarselsystems.sharescreen; + status = "disable"; + } + { + criteria = "HP Inc. HP 732pk CNC4080YL5"; + scale = 1.4; + mode = "3840x2160"; + position = "-1280,0"; + } + { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "270"; + position = "-2480,0"; + } + ]; + }; + } + { + profile = + let + monitor = "Applied Creative Technology Transmitter QUATTRO201811"; + in + { name = "lidclosed"; exec = [ - "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" ]; outputs = [ { 
@@ -20364,272 +21063,241 @@ When setting up a new machine: status = "disable"; } { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.4; - mode = "3840x2160"; - position = "-1280,0"; - } - { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; scale = 1.0; - mode = "1920x1200"; - transform = "270"; - position = "-2480,0"; + mode = "1280x720"; + position = "10000,10000"; } ]; }; - } - { - profile = - let - monitor = "Applied Creative Technology Transmitter QUATTRO201811"; - in - { - name = "lidclosed"; - exec = [ - "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" - ]; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "disable"; - } - { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - position = "10000,10000"; - } - ]; - }; - } - ]; - }; - }; - - systemd.user.services = { - pizauth.Service = { - ExecStartPost = [ - "${pkgs.toybox}/bin/sleep 1" - "//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'" - ]; - }; - - teams-applet = { - Unit = { - Description = "teams applet"; - Requires = [ "tray.target" ]; - After = [ - "graphical-session.target" - "tray.target" - ]; - PartOf = [ "graphical-session.target" ]; - }; - - Install = { - WantedBy = [ "graphical-session.target" ]; - }; - - Service = { - ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; - }; - }; - - onepassword-applet = { - Unit = { - Description = "1password applet"; - Requires = [ "tray.target" ]; - After = [ - "graphical-session.target" - "tray.target" - ]; - PartOf = [ "graphical-session.target" ]; - }; - - Install = { - WantedBy = [ "graphical-session.target" ]; - }; - - Service = { - ExecStart = "${pkgs._1password-gui}/bin/1password"; - }; - }; - - }; - - 
services.pizauth = { - enable = true; - extraConfig = '' - auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi"; - error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\""; - token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"; - ''; - accounts = { - work = { - authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; - tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; - clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; - clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; - scopes = [ - "https://outlook.office365.com/IMAP.AccessAsUser.All" - "https://outlook.office365.com/SMTP.Send" - "offline_access" - ]; - loginHint = "${nixosConfig.repo.secrets.local.work.mailAddress}"; - }; - }; - - }; - - xdg = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; - in - { - mimeApps = { - defaultApplications = { - "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; - }; - }; - desktopEntries = - let - terminal = false; - categories = [ "Application" ]; - icon = "firefox"; - in - { - firefox_work = { - name = "Firefox (work)"; - genericName = "Firefox work"; - exec = "firefox -p work"; - inherit terminal categories icon; - }; - "firefox_${user1}" = { - name = "Firefox (${user1})"; - genericName = "Firefox ${user1}"; - exec = "firefox -p ${user1}"; - inherit terminal categories icon; - }; - - "firefox_${user2}" = { - name = "Firefox (${user2})"; - genericName = "Firefox ${user2}"; - exec = "firefox -p ${user2}"; - inherit terminal categories icon; - }; - - "firefox_${user3}" = { - name = "Firefox (${user3})"; - genericName = "Firefox ${user3}"; - exec = "firefox -p ${user3}"; - inherit terminal categories icon; - }; - - - }; - }; - swarselsystems = { - startup = [ - # { command = "nextcloud --background"; } - # { command = "vesktop --start-minimized 
--enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; } - # { command = "element-desktop --hidden --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; } - # { command = "anki"; } - # { command = "obsidian"; } - # { command = "nm-applet"; } - # { command = "feishin"; } - # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; } - # { command = "1password"; } + } ]; - monitors = { - work_back_middle = rec { - name = "LG Electronics LG Ultra HD 0x000305A6"; - mode = "2560x1440"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-10"; - output = name; - }; - work_front_left = rec { - name = "LG Electronics LG Ultra HD 0x0007AB45"; - mode = "3840x2160"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-7"; - output = name; - }; - work_back_right = rec { - name = "HP Inc. HP Z32 CN41212T55"; - mode = "3840x2160"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-3"; - output = name; - }; - work_middle_middle_main = rec { - name = "HP Inc. HP 732pk CNC4080YL5"; - mode = "3840x2160"; - scale = "1"; - position = "-1280,0"; - workspace = "11:M"; - # output = "DP-8"; - output = name; - }; - work_middle_middle_side = rec { - name = "Hewlett Packard HP Z24i CN44250RDT"; - mode = "1920x1200"; - transform = "270"; - scale = "1"; - position = "-2480,0"; - workspace = "12:S"; - # output = "DP-9"; - output = name; - }; - work_seminary = rec { - name = "Applied Creative Technology Transmitter QUATTRO201811"; - mode = "1280x720"; - scale = "1"; - position = "10000,10000"; # i.e. 
this screen is inaccessible by moving the mouse - workspace = "14:T"; - # output = "DP-4"; - output = name; - }; - }; - inputs = { - "1133:45081:MX_Master_2S_Keyboard" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; - # "2362:628:PIXA3854:00_093A:0274_Touchpad" = { - # dwt = "enabled"; - # tap = "enabled"; - # natural_scroll = "enabled"; - # middle_emulation = "enabled"; - # drag_lock = "disabled"; - # }; - "1133:50504:Logitech_USB_Receiver" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; - "1133:45944:MX_KEYS_S" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; + }; + }; + + systemd.user.services = { + pizauth.Service = { + ExecStartPost = [ + "${pkgs.toybox}/bin/sleep 1" + "//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'" + ]; + }; + + teams-applet = { + Unit = { + Description = "teams applet"; + Requires = [ "tray.target" ]; + After = [ + "graphical-session.target" + "tray.target" + ]; + PartOf = [ "graphical-session.target" ]; }; - }; - } // lib.optionalAttrs (inputs ? 
sops) { - sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { - harica-root-ca = { - sopsFile = certsSopsFile; - path = "${homeDir}/.aws/certs/harica-root.pem"; - owner = mainUser; + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + + Service = { + ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }; }; - }); + onepassword-applet = { + Unit = { + Description = "1password applet"; + Requires = [ "tray.target" ]; + After = [ + "graphical-session.target" + "tray.target" + ]; + PartOf = [ "graphical-session.target" ]; + }; + + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + + Service = { + ExecStart = "${pkgs._1password-gui}/bin/1password"; + }; + }; + + }; + + services.pizauth = { + enable = true; + extraConfig = '' + auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi"; + error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\""; + token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"; + ''; + accounts = { + work = { + authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; + tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; + clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; + clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; + scopes = [ + "https://outlook.office365.com/IMAP.AccessAsUser.All" + "https://outlook.office365.com/SMTP.Send" + "offline_access" + ]; + loginHint = "${confLib.getConfig.repo.secrets.local.work.mailAddress}"; + }; + }; + + }; + + xdg = + let + inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3; + in + { + mimeApps = { + defaultApplications = { + "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; + }; + }; + desktopEntries = + let + terminal = false; + categories = [ "Application" ]; + 
icon = "firefox"; + in + { + firefox_work = { + name = "Firefox (work)"; + genericName = "Firefox work"; + exec = "firefox -p work"; + inherit terminal categories icon; + }; + "firefox_${user1}" = { + name = "Firefox (${user1})"; + genericName = "Firefox ${user1}"; + exec = "firefox -p ${user1}"; + inherit terminal categories icon; + }; + + "firefox_${user2}" = { + name = "Firefox (${user2})"; + genericName = "Firefox ${user2}"; + exec = "firefox -p ${user2}"; + inherit terminal categories icon; + }; + + "firefox_${user3}" = { + name = "Firefox (${user3})"; + genericName = "Firefox ${user3}"; + exec = "firefox -p ${user3}"; + inherit terminal categories icon; + }; + + + }; + }; + swarselsystems = { + startup = [ + # { command = "nextcloud --background"; } + # { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; } + # { command = "element-desktop --hidden --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; } + # { command = "anki"; } + # { command = "obsidian"; } + # { command = "nm-applet"; } + # { command = "feishin"; } + # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; } + # { command = "1password"; } + ]; + monitors = { + work_back_middle = rec { + name = "LG Electronics LG Ultra HD 0x000305A6"; + mode = "2560x1440"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-10"; + output = name; + }; + work_front_left = rec { + name = "LG Electronics LG Ultra HD 0x0007AB45"; + mode = "3840x2160"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-7"; + output = name; + }; + work_back_right = rec { + name = "HP Inc. HP Z32 CN41212T55"; + mode = "3840x2160"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-3"; + output = name; + }; + work_middle_middle_main = rec { + name = "HP Inc. 
HP 732pk CNC4080YL5"; + mode = "3840x2160"; + scale = "1"; + position = "-1280,0"; + workspace = "11:M"; + # output = "DP-8"; + output = name; + }; + work_middle_middle_side = rec { + name = "Hewlett Packard HP Z24i CN44250RDT"; + mode = "1920x1200"; + transform = "270"; + scale = "1"; + position = "-2480,0"; + workspace = "12:S"; + # output = "DP-9"; + output = name; + }; + work_seminary = rec { + name = "Applied Creative Technology Transmitter QUATTRO201811"; + mode = "1280x720"; + scale = "1"; + position = "10000,10000"; # i.e. this screen is inaccessible by moving the mouse + workspace = "14:T"; + # output = "DP-4"; + output = name; + }; + }; + inputs = { + "1133:45081:MX_Master_2S_Keyboard" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + # "2362:628:PIXA3854:00_093A:0274_Touchpad" = { + # dwt = "enabled"; + # tap = "enabled"; + # natural_scroll = "enabled"; + # middle_emulation = "enabled"; + # drag_lock = "disabled"; + # }; + "1133:50504:Logitech_USB_Receiver" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + "1133:45944:MX_KEYS_S" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + }; + + }; + } // lib.optionalAttrs (inputs ? sops) { + sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { + harica-root-ca = { + sopsFile = certsSopsFile; + path = "${homeDir}/.aws/certs/harica-root.pem"; + owner = mainUser; + }; + }; + + }; } 
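Review bot: `clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"` in `services.pizauth.accounts.work` is a plaintext literal in a file that tangles into the repository, while the neighbouring `loginHint` is already read from `confLib.getConfig.repo.secrets.local.work`; unless this is a deliberately public client credential it should come from that same secrets set, e.g. `clientSecret = confLib.getConfig.repo.secrets.local.work.pizauthClientSecret;`, and the literal should be rotated since it is already in history. Separately, `token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"` writes the OAuth token state with whatever umask the invoking shell inherits; assuming pizauth runs these commands through a shell, which the `$(…)` in `auth_notify_cmd` suggests, `token_event_cmd = "umask 077; pizauth dump > ${homeDir}/.pizauth.state"` keeps the refresh tokens readable only by the owner, and the `restore` in `ExecStartPost` is unaffected. The enclosing module definition starts before this hunk.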
@@ -20641,29 +21309,27 @@ When setting up a new machine: :END: #+begin_src nix-ts :tangle modules/home/optional/uni.nix :noweb yes - { config, lib, nixosConfig ? config, ... }: + { confLib, ... }: { - options.swarselmodules.optional.uni = lib.mkEnableOption "optional uni settings"; - config = lib.mkIf config.swarselmodules.optional.uni - { - services.pizauth = { - enable = true; - accounts = { - uni = { - authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; - tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; - clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; - clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; - scopes = [ - "https://outlook.office365.com/IMAP.AccessAsUser.All" - "https://outlook.office365.com/SMTP.Send" - "offline_access" - ]; - loginHint = "${nixosConfig.repo.secrets.local.uni.mailAddress}"; - }; + config = { + services.pizauth = { + enable = true; + accounts = { + uni = { + authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; + tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; + clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; + clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; + scopes = [ + "https://outlook.office365.com/IMAP.AccessAsUser.All" + "https://outlook.office365.com/SMTP.Send" + "offline_access" + ]; + loginHint = "${confLib.getConfig.repo.secrets.local.uni.mailAddress}"; }; }; }; + }; } #+end_src @@ -20676,10 +21342,9 @@ When setting up a new machine: This holds configuration that is specific to framework laptops. #+begin_src nix-ts :tangle modules/home/optional/framework.nix - { lib, config, ... }: + _: { - options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings"; - config = lib.mkIf config.swarselmodules.optional.framework { + config = { swarselsystems = { inputs = { "12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = { 
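Review bot: `uni.nix` carries the same literal `clientId`/`clientSecret` pair that the work module in this commit does, so the credential is now copied into two tangled modules instead of being defined once; reading it from the `repo.secrets.local.uni` set that `loginHint` already uses, e.g. `clientSecret = confLib.getConfig.repo.secrets.local.uni.pizauthClientSecret;`, keeps one place to rotate. Note also that dropping the `lib.mkEnableOption`/`lib.mkIf` gate means `services.pizauth` for the uni account is enabled on every host that imports this module, which is fine only if importing the module is now the intended opt-in; a one-line comment above `config = {` stating that would save the next reader from looking for the removed option.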
@@ -20713,12 +21378,24 @@ TODO: check which of these can be replaced but builtin functions. options.swarselsystems = { proxyHost = lib.mkOption { type = lib.types.str; - default = ""; + default = config.node.name; + }; + isBastionTarget = lib.mkOption { + type = lib.types.bool; + default = false; }; isCloud = lib.mkOption { type = lib.types.bool; default = false; }; + isServer = lib.mkOption { + type = lib.types.bool; + default = config.swarselsystems.isCloud; + }; + isClient = lib.mkOption { + type = lib.types.bool; + default = config.swarselsystems.isLaptop; + }; withHomeManager = lib.mkOption { type = lib.types.bool; default = true; @@ -21046,17 +21723,17 @@ In short, the options defined here are passed to the modules systems using =_mod :CUSTOM_ID: h:a33322d5-014a-4072-a4a5-91bc71c343b8 :END: #+begin_src nix-ts :noweb yes :tangle modules/shared/config-lib.nix - { config, lib, globals, ... }: + { config, lib, globals, nixosConfig ? null, ... }: { _module.args = { confLib = rec { - addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4 else "localhost"; + addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4 else "localhost"; domainDefault = service: config.repo.secrets.common.services.domains.${service}; proxyDefault = config.swarselsystems.proxyHost; - getConfig = config; + getConfig = if nixosConfig == null then config else nixosConfig; gen = { name, user ? name, group ? name, dir ? null, port ? null, domain ? (domainDefault name), address ? addressDefault, proxy ? proxyDefault }: rec { servicePort = port; 
@@ -22097,8 +22774,8 @@ This program sets up a new NixOS host remotely. It also takes care of secret man if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then green "Adding ssh host fingerprints for git{lab,hub}" - $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /home/$target_user/.ssh/known_hosts" - $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /root/.ssh/known_hosts" + $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /home/$target_user/.ssh/known_hosts" + $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /root/.ssh/known_hosts" fi # -------------------------- @@ -23264,7 +23941,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a lowBattery = lib.mkDefault false; network = lib.mkDefault true; networkDevices = lib.mkDefault true; - niri = lib.mkDefault false; nix-ld = lib.mkDefault true; nvd = lib.mkDefault true; packages = lib.mkDefault true; @@ -23273,6 +23949,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a ppd = lib.mkDefault true; programs = lib.mkDefault true; pulseaudio = lib.mkDefault true; + remotebuild = lib.mkDefault true; security = lib.mkDefault true; sops = lib.mkDefault true; stylix = lib.mkDefault true; 
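Review bot: The new `ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee …/known_hosts` lines, for both `$target_user` and root, still trust whatever key answers on the network during bootstrap, so a man-in-the-middle at install time seeds `known_hosts` with an attacker key and every later fetch of the config trusts it. GitHub and GitLab publish their ssh-ed25519 host keys; writing those published lines into `known_hosts` verbatim, or comparing the `ssh-keyscan` output against their published fingerprints with `ssh-keygen -lf -` before the `tee`, removes the trust-on-first-use window. Dropping `swagit.swarsel.win` from the scan also means that host's key is no longer seeded; if the config is still fetched from it, either add it back or document that the first pull will prompt. The `if … fi` block is shown in full, but the rest of the setup script is outside this hunk.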
@@ -23340,34 +24017,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a #+end_src -**** Optionals -:PROPERTIES: -:CUSTOM_ID: h:07086976-8c36-4d3e-a9fe-693348411b53 -:END: - -#+begin_src nix-ts :tangle profiles/nixos/optionals/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.optionals = lib.mkEnableOption "is this a host with optionals"; - config = lib.mkIf config.swarselprofiles.optionals { - swarselmodules = { - optional = { - gaming = lib.mkDefault true; - virtualbox = lib.mkDefault true; - nswitch-rcm = lib.mkDefault true; - }; - }; - - home-manager.users."${config.swarselsystems.mainUser}" = { - swarselprofiles = { - optionals = lib.mkDefault true; - }; - }; - }; - - } - -#+end_src **** Hotel :PROPERTIES: :CUSTOM_ID: h:b79fbb59-9cf2-48eb-b469-2589223dda95 
@@ -23427,87 +24076,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a #+end_src -**** Work -:PROPERTIES: -:CUSTOM_ID: h:cb3631a8-9c1b-42f2-ab01-502c7b4c273d -:END: - -#+begin_src nix-ts :tangle profiles/nixos/work/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.work = lib.mkEnableOption "is this a work host"; - config = lib.mkIf config.swarselprofiles.work { - swarselmodules = { - optional = { - work = lib.mkDefault true; - }; - }; - home-manager.users."${config.swarselsystems.mainUser}" = { - swarselprofiles = { - work = lib.mkDefault true; - }; - }; - - }; - - } - -#+end_src - -**** Uni -:PROPERTIES: -:CUSTOM_ID: h:87a83b10-3c2f-407c-89aa-922ad77748a4 -:END: - -#+begin_src nix-ts :tangle profiles/nixos/uni/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.uni = lib.mkEnableOption "is this a uni host"; - config = lib.mkIf config.swarselprofiles.uni { - # swarselmodules = { - # optional = { - # uni = lib.mkDefault true; - # }; - # }; - home-manager.users."${config.swarselsystems.mainUser}" = { - swarselprofiles = { - uni = lib.mkDefault true; - }; - }; - - }; - - } - -#+end_src - -**** Framework -:PROPERTIES: -:CUSTOM_ID: h:eb272c99-842a-4095-bc65-283562749300 -:END: - -#+begin_src nix-ts :tangle profiles/nixos/framework/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.framework = lib.mkEnableOption "is this a framework brand host"; - config = lib.mkIf config.swarselprofiles.framework { - swarselmodules = { - optional = { - framework = lib.mkDefault true; - }; - }; - home-manager.users."${config.swarselsystems.mainUser}" = { - swarselprofiles = { - framework = lib.mkDefault true; - }; - }; - - }; - - } - -#+end_src - **** Server :PROPERTIES: :CUSTOM_ID: h:dfc076fd-ee74-4663-b164-653370c52b75 
@@ -23618,7 +24186,6 @@ This holds modules that are to be used on most hosts. These are also the most im kitty = lib.mkDefault true; mail = lib.mkDefault true; mako = lib.mkDefault true; - niri = lib.mkDefault false; nix-index = lib.mkDefault true; nixgl = lib.mkDefault true; nix-your-shell = lib.mkDefault true; @@ -23696,7 +24263,6 @@ This holds modules that are to be used on most hosts. These are also the most im kitty = lib.mkDefault true; mail = lib.mkDefault false; mako = lib.mkDefault false; - niri = lib.mkDefault false; nix-index = lib.mkDefault true; nixgl = lib.mkDefault true; nix-your-shell = lib.mkDefault true; @@ -23735,28 +24301,6 @@ This holds modules that are to be used on most hosts. These are also the most im #+end_src -**** Optionals -:PROPERTIES: -:CUSTOM_ID: h:0554a271-f8ec-4885-b46f-2a02dfd967bd -:END: - -#+begin_src nix-ts :tangle profiles/home/optionals/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.optionals = lib.mkEnableOption "is this a host with optionals"; - config = lib.mkIf config.swarselprofiles.optionals { - swarselmodules = { - optional = { - gaming = lib.mkDefault true; - uni = lib.mkDefault true; - }; - }; - }; - - } - -#+end_src - **** Minimal :PROPERTIES: :CUSTOM_ID: h:26512487-8c29-4b92-835b-d67394c3f5ef 
@@ -23833,93 +24377,6 @@ This holds modules that are to be used on most hosts. These are also the most im #+end_src -**** toto -:PROPERTIES: -:CUSTOM_ID: h:e1d4f141-af11-448a-9796-fc822a8f77ec -:END: - -#+begin_src nix-ts :tangle profiles/home/toto/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.toto = lib.mkEnableOption "is this a toto (setup) host"; - config = lib.mkIf config.swarselprofiles.toto { - swarselmodules = { - general = lib.mkDefault true; - sops = lib.mkDefault true; - ssh = lib.mkDefault true; - kitty = lib.mkDefault true; - git = lib.mkDefault true; - }; - }; - - } - -#+end_src - -**** Work -:PROPERTIES: -:CUSTOM_ID: h:7b091523-a5b0-48b6-8b03-4dc2405e2d81 -:END: - -#+begin_src nix-ts :tangle profiles/home/work/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.work = lib.mkEnableOption "is this a work host"; - config = lib.mkIf config.swarselprofiles.work { - swarselmodules = { - optional = { - work = lib.mkDefault true; - }; - }; - }; - - } - -#+end_src - -**** Uni -:PROPERTIES: -:CUSTOM_ID: h:56f509b9-3271-4212-b5ea-482dbe288bda -:END: - -#+begin_src nix-ts :tangle profiles/home/uni/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.uni = lib.mkEnableOption "is this a uni host"; - config = lib.mkIf config.swarselprofiles.uni { - swarselmodules = { - optional = { - uni = lib.mkDefault true; - }; - }; - }; - - } - -#+end_src - -**** Framework -:PROPERTIES: -:CUSTOM_ID: h:712b9d7f-16c0-42b3-b02b-6d79ee15cfcc -:END: - -#+begin_src nix-ts :tangle profiles/home/framework/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.framework = lib.mkEnableOption "is this a framework brand host"; - config = lib.mkIf config.swarselprofiles.framework { - swarselmodules = { - optional = { - framework = lib.mkDefault true; - }; - }; - - }; - - } - -#+end_src - **** Local Server :PROPERTIES: :CUSTOM_ID: h:8027b858-369e-4f12-bbaf-f15eeee3d904 
@@ -26257,9 +26714,13 @@ This adds elfeed, a neat RSS reader for Emacs. I use this as a client for [[#h:9
 (setq elfeed-protocol-enabled-protocols '(fever))
 (setq elfeed-protocol-fever-update-unread-only t)
 (setq elfeed-protocol-fever-fetch-category-as-tag t)
- (setq elfeed-protocol-feeds '(("fever+https://Swarsel@signpost.swarsel.win"
- :api-url "https://signpost.swarsel.win/api/fever.php"
- :password-file "~/.emacs.d/.fever")))
+
+ (let ((domain (getenv "SWARSEL_RSS_DOMAIN")))
+ (setq elfeed-protocol-feeds
+ `((,(concat "fever+https://Swarsel@" domain)
+ :api-url ,(concat "https://" domain "/api/fever.php")
+ :password-file "~/.emacs.d/.fever"))))
+
 (define-key elfeed-show-mode-map (kbd ";") 'visual-fill-column-mode)
 (define-key elfeed-show-mode-map (kbd "j") 'elfeed-goodies/split-show-next)
@@ -27184,7 +27645,7 @@ This provides a beautiful calender to emacs.
 :init
 ;; set org-caldav-sync-initalization
 (setq swarsel-caldav-synced 0)
- ;; (setq org-caldav-url "https://schedule.swarsel.win/swarsel/calendar")
+ ;; (setq org-caldav-url "https://cal.example.org/swarsel/calendar")
 ;; (setq org-caldav-calendars
 ;; '((:calendar-id "personal"
 ;; :inbox "~/Calendars/leon_cal.org")))
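Review bot: When `SWARSEL_RSS_DOMAIN` is unset, `getenv` returns nil and `concat` treats nil as an empty string, so the new `elfeed-protocol-feeds` entry silently becomes `fever+https://Swarsel@` with an `:api-url` of `https:///api/fever.php` instead of failing loudly; the identical hunk in files/emacs/init.el has the same gap. Because the contents of `~/.emacs.d/.fever` are sent to whatever host this variable names, the `setq` should be guarded, e.g. `(when (and domain (not (string-empty-p domain)))` around it, or preceded by `(unless domain (user-error "SWARSEL_RSS_DOMAIN is not set"))`. A one-line comment stating that the variable must be set from a trusted environment, since it decides where the Fever password goes, would help the next reader.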
@@ -27258,59 +27719,66 @@ This sets up the =dashboard=, which is really quite useless. But, it looks cool :config (dashboard-setup-startup-hook) ;; (setq initial-buffer-choice (lambda () (get-buffer-create "*dashboard*"))) - (setq dashboard-display-icons-p t ;; display icons on both GUI and terminal - dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package - dashboard-set-file-icons t - dashboard-items '((recents . 5) - (projects . 5) - (agenda . 5)) - dashboard-set-footer nil - dashboard-banner-logo-title "Welcome to SwarsEmacs!" - dashboard-image-banner-max-height 300 - dashboard-startup-banner "~/.dotfiles/files/wallpaper/swarsel.png" - dashboard-projects-backend 'projectile - dashboard-projects-switch-function 'magit-status - dashboard-set-navigator t - dashboard-startupify-list '(dashboard-insert-banner - dashboard-insert-newline - dashboard-insert-banner-title - dashboard-insert-newline - dashboard-insert-navigator - dashboard-insert-newline - dashboard-insert-init-info - dashboard-insert-items - ) - dashboard-navigator-buttons - `(;; line1 - ((,"" - "SwarselSocial" - "Browse Swarsele" - (lambda (&rest _) (browse-url "instagram.com/Swarsele"))) - (,"" - "SwarselSound" - "Browse SwarselSound" - (lambda (&rest _) (browse-url "sound.swarsel.win")) ) - (,"" - "SwarselSwarsel" - "Browse Swarsel" - (lambda (&rest _) (browse-url "github.com/Swarsel")) ) - (,"" - "SwarselStash" - "Browse SwarselStash" - (lambda (&rest _) (browse-url "stash.swarsel.win")) ) - (,"󰫑" - "SwarselSport" - "Browse SwarselSports" - (lambda (&rest _) (browse-url "social.parkour.wien/@Lenno"))) - ) - ( - (,"󱄅" - "swarsel.win" - "Browse swarsel.win" - (lambda (&rest _) (browse-url "swarsel.win"))) - ) - ))) + (let ((files-domain (getenv "SWARSEL_FILES_DOMAIN")) + (music-domain (getenv "SWARSEL_MUSIC_DOMAIN")) + (insta-domain (getenv "SWARSEL_INSTA_DOMAIN")) + (sport-domain (getenv "SWARSEL_SPORT_DOMAIN")) + (swarsel-domain (getenv "SWARSEL_DOMAIN")) + ) + (setq dashboard-display-icons-p 
t ;; display icons on both GUI and terminal + dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package + dashboard-set-file-icons t + dashboard-items '((recents . 5) + (projects . 5) + (agenda . 5)) + dashboard-set-footer nil + dashboard-banner-logo-title "Welcome to SwarsEmacs!" + dashboard-image-banner-max-height 300 + dashboard-startup-banner "~/.dotfiles/files/wallpaper/swarsel.png" + dashboard-projects-backend 'projectile + dashboard-projects-switch-function 'magit-status + dashboard-set-navigator t + dashboard-startupify-list '(dashboard-insert-banner + dashboard-insert-newline + dashboard-insert-banner-title + dashboard-insert-newline + dashboard-insert-navigator + dashboard-insert-newline + dashboard-insert-init-info + dashboard-insert-items + ) + dashboard-navigator-buttons + `(;; line1 + ((,"" + "SwarselSocial" + "Browse Swarsele" + (lambda (&rest _) (browse-url ,insta-domain))) + + (,"" + "SwarselSound" + "Browse SwarselSound" + (lambda (&rest _) (browse-url ,(concat "https://" music-domain))) ) + (,"" + "SwarselSwarsel" + "Browse Swarsel" + (lambda (&rest _) (browse-url "https://github.com/Swarsel")) ) + (,"" + "SwarselStash" + "Browse SwarselStash" + (lambda (&rest _) (browse-url ,(concat "https://" files-domain))) ) + (,"󰫑" + "SwarselSport" + "Browse SwarselSports" + (lambda (&rest _) (browse-url ,sport-domain))) + ) + ( + (,"󱄅" + ,swarsel-domain + ,(concat "Browse " main-domain) + (lambda (&rest _) (browse-url ,(concat "https://" swarsel-domain)))) + ) + )))) #+end_src diff --git a/files/emacs/init.el b/files/emacs/init.el index f095b6a..26d3439 100644 --- a/files/emacs/init.el +++ b/files/emacs/init.el 
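Review bot: `main-domain` in `,(concat "Browse " main-domain)` is not bound by the enclosing `let`, which binds only `files-domain`, `music-domain`, `insta-domain`, `sport-domain` and `swarsel-domain`, so evaluating this `:config` form raises a void-variable error and the dashboard setup never completes; the identical hunk in files/emacs/init.el has the same bug. The fix is `,(concat "Browse " swarsel-domain)`. Separately, `insta-domain` and `sport-domain` are handed to `browse-url` bare while the other buttons prepend `https://`; unless those two variables are meant to hold full URLs they should be built the same way, and since every `getenv` here returns nil when unset, `concat` quietly yields a bare `https://` for the others. The enclosing `use-package` form starts before this hunk.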
@@ -1201,9 +1201,13 @@ create a new one."
 (setq elfeed-protocol-enabled-protocols '(fever))
 (setq elfeed-protocol-fever-update-unread-only t)
 (setq elfeed-protocol-fever-fetch-category-as-tag t)
-(setq elfeed-protocol-feeds '(("fever+https://Swarsel@signpost.swarsel.win"
- :api-url "https://signpost.swarsel.win/api/fever.php"
- :password-file "~/.emacs.d/.fever")))
+
+(let ((domain (getenv "SWARSEL_RSS_DOMAIN")))
+ (setq elfeed-protocol-feeds
+ `((,(concat "fever+https://Swarsel@" domain)
+ :api-url ,(concat "https://" domain "/api/fever.php")
+ :password-file "~/.emacs.d/.fever"))))
+
 (define-key elfeed-show-mode-map (kbd ";") 'visual-fill-column-mode)
 (define-key elfeed-show-mode-map (kbd "j") 'elfeed-goodies/split-show-next)
@@ -1711,7 +1715,7 @@ create a new one."
 :init
 ;; set org-caldav-sync-initalization
 (setq swarsel-caldav-synced 0)
- ;; (setq org-caldav-url "https://schedule.swarsel.win/swarsel/calendar")
+ ;; (setq org-caldav-url "https://cal.example.org/swarsel/calendar")
 ;; (setq org-caldav-calendars
 ;; '((:calendar-id "personal"
 ;; :inbox "~/Calendars/leon_cal.org")))
@@ -1774,59 +1778,66 @@ create a new one." :config (dashboard-setup-startup-hook) ;; (setq initial-buffer-choice (lambda () (get-buffer-create "*dashboard*"))) - (setq dashboard-display-icons-p t ;; display icons on both GUI and terminal - dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package - dashboard-set-file-icons t - dashboard-items '((recents . 5) - (projects . 5) - (agenda . 5)) - dashboard-set-footer nil - dashboard-banner-logo-title "Welcome to SwarsEmacs!" - dashboard-image-banner-max-height 300 - dashboard-startup-banner "~/.dotfiles/files/wallpaper/swarsel.png" - dashboard-projects-backend 'projectile - dashboard-projects-switch-function 'magit-status - dashboard-set-navigator t - dashboard-startupify-list '(dashboard-insert-banner - dashboard-insert-newline - dashboard-insert-banner-title - dashboard-insert-newline - dashboard-insert-navigator - dashboard-insert-newline - dashboard-insert-init-info - dashboard-insert-items - ) - dashboard-navigator-buttons - `(;; line1 - ((,"" - "SwarselSocial" - "Browse Swarsele" - (lambda (&rest _) (browse-url "instagram.com/Swarsele"))) - (,"" - "SwarselSound" - "Browse SwarselSound" - (lambda (&rest _) (browse-url "sound.swarsel.win")) ) - (,"" - "SwarselSwarsel" - "Browse Swarsel" - (lambda (&rest _) (browse-url "github.com/Swarsel")) ) - (,"" - "SwarselStash" - "Browse SwarselStash" - (lambda (&rest _) (browse-url "stash.swarsel.win")) ) - (,"󰫑" - "SwarselSport" - "Browse SwarselSports" - (lambda (&rest _) (browse-url "social.parkour.wien/@Lenno"))) - ) - ( - (,"󱄅" - "swarsel.win" - "Browse swarsel.win" - (lambda (&rest _) (browse-url "swarsel.win"))) - ) - ))) + (let ((files-domain (getenv "SWARSEL_FILES_DOMAIN")) + (music-domain (getenv "SWARSEL_MUSIC_DOMAIN")) + (insta-domain (getenv "SWARSEL_INSTA_DOMAIN")) + (sport-domain (getenv "SWARSEL_SPORT_DOMAIN")) + (swarsel-domain (getenv "SWARSEL_DOMAIN")) + ) + (setq dashboard-display-icons-p t ;; display icons on both GUI and terminal + 
dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package + dashboard-set-file-icons t + dashboard-items '((recents . 5) + (projects . 5) + (agenda . 5)) + dashboard-set-footer nil + dashboard-banner-logo-title "Welcome to SwarsEmacs!" + dashboard-image-banner-max-height 300 + dashboard-startup-banner "~/.dotfiles/files/wallpaper/swarsel.png" + dashboard-projects-backend 'projectile + dashboard-projects-switch-function 'magit-status + dashboard-set-navigator t + dashboard-startupify-list '(dashboard-insert-banner + dashboard-insert-newline + dashboard-insert-banner-title + dashboard-insert-newline + dashboard-insert-navigator + dashboard-insert-newline + dashboard-insert-init-info + dashboard-insert-items + ) + dashboard-navigator-buttons + `(;; line1 + ((,"" + "SwarselSocial" + "Browse Swarsele" + (lambda (&rest _) (browse-url ,insta-domain))) + + (,"" + "SwarselSound" + "Browse SwarselSound" + (lambda (&rest _) (browse-url ,(concat "https://" music-domain))) ) + (,"" + "SwarselSwarsel" + "Browse Swarsel" + (lambda (&rest _) (browse-url "https://github.com/Swarsel")) ) + (,"" + "SwarselStash" + "Browse SwarselStash" + (lambda (&rest _) (browse-url ,(concat "https://" files-domain))) ) + (,"󰫑" + "SwarselSport" + "Browse SwarselSports" + (lambda (&rest _) (browse-url ,sport-domain))) + ) + ( + (,"󱄅" + ,swarsel-domain + ,(concat "Browse " main-domain) + (lambda (&rest _) (browse-url ,(concat "https://" swarsel-domain)))) + ) + )))) (use-package vterm :ensure t) diff --git a/files/scripts/swarsel-bootstrap.sh b/files/scripts/swarsel-bootstrap.sh index f4a557a..4c4fef3 100644 --- a/files/scripts/swarsel-bootstrap.sh +++ b/files/scripts/swarsel-bootstrap.sh 
@@ -329,8 +329,8 @@ $ssh_root_cmd "chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519
 if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then
 green "Adding ssh host fingerprints for git{lab,hub}"
- $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /home/$target_user/.ssh/known_hosts"
- $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /root/.ssh/known_hosts"
+ $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /home/$target_user/.ssh/known_hosts"
+ $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /root/.ssh/known_hosts"
 fi
 # --------------------------
diff --git a/hosts/nixos/aarch64-linux/belchsfactory/default.nix b/hosts/nixos/aarch64-linux/belchsfactory/default.nix
index d1a510a..cd85107 100644
--- a/hosts/nixos/aarch64-linux/belchsfactory/default.nix
+++ b/hosts/nixos/aarch64-linux/belchsfactory/default.nix
@@ -1,8 +1,10 @@
-{ lib, config, minimal, ... }:
+{ self, lib, minimal, ... }:
 {
 imports = [
 ./hardware-configuration.nix
 ./disk-config.nix
+
+ "${self}/modules/nixos/optional/systemd-networkd-server.nix"
 ];
 node.lockFromBootstrapping = lib.mkForce false;
@@ -24,9 +26,7 @@
 isNixos = true;
 isLinux = true;
 isCloud = true;
- proxyHost = "belchsfactory";
 server = {
- inherit (config.repo.secrets.local.networking) localNetwork;
 garage = {
 data_dir = {
 capacity = "150G";
@@ -49,6 +49,7 @@
 };
 swarselmodules.server = {
+ ssh-builder = lib.mkDefault true;
 postgresql = lib.mkDefault true;
 attic = lib.mkDefault true;
 garage = lib.mkDefault true;
diff --git a/hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc b/hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc
index 2900ace..efc25e8 100644
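Review bot: The two `ssh-keyscan ... | tee .../known_hosts` lines still accept whatever host key the network returns at scan time, so the entries written for gitlab.com and github.com are trust-on-first-use with no check against the fingerprints both providers publish; comparing `ssh-keygen -lf` output against an expected-fingerprint list before writing would turn this into real pinning. `tee` without `-a` also replaces any existing known_hosts for both the user and root, which this commit inherits rather than introduces. A comment such as `# NOTE: keys are taken as served; verify against the published fingerprints before trusting` would at least make the limitation explicit.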
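Review bot: `ssh-builder = lib.mkDefault true;` enables a module whose effect — which account accepts builder connections and under which keys — is not visible in this file, and the line carries no comment, while the same commit drops `proxyHost` and the `localNetwork` inherit without saying what replaces them. A short note like `# accept remote nix builds over ssh; see the ssh-builder server module` next to the new line would let the next reader judge the added exposure on a cloud host. The `swarselsystems` and `swarselmodules.server` attribute sets both begin before and end after their hunks.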
--- a/hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc +++ b/hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:asdaPhz9nquyhCH8NuvAMdgEXW/RxPCEpqwFbyCYxfjMeWjvEe8yzWJDjVlTjP+73ql/CGSRajcahRNhOd1rgGoyMm71HJGxSWA2rbn7oNmll9lOquUJkDwXLHk5ApgIrTbvUX1C5rha/L/JSli5Hiy59WU/FB4WWDizhcN3XFSVdNYIKoA992JT0GjJ1dzHvzi+rw/8Mw+BJzm592t1CxhpS8qXRTpuyPSh09IWACNSJYBuEoEwA7aB9EVwG6SskUJKvU3bwyaI9nuc0iXHGbL5VLVJ95e2fcn7K3w2OEq1oigu4q5bpNUazX+mhLv7S8HN3c6/JJn69LaCkQeXhnNmrfy8J5+6i6fnXCdvXxHy00DI2p7fIeEM/MqaymhqoxoGxQs+vBcb2iY1OmvI6zrPRPKEghAo2zvzKHQF7ykRTi3ed6V6aVMSpu1rO1Z0UwwVbvEzSHtVnEU/gp4=,iv:lSRKdYmGE/XeGcalDIM0yuU+GaXMrxJrjqfVhHd7lIY=,tag:dD9LkrzuHLsoa2UcGfXHWA==,type:str]", + "data": "ENC[AES256_GCM,data:8qaX0CjyxK8qoAyVyxwfXlejWyGSY579EVmmUCi9PPyB5LyPjfDvXxlRFCOlC6eYbSJ1AWLqqZ6yYgZaimUHkOTh7dL+D4wSkmGeRnxZoQhq9n9sYZPJUfqEhMwEGxlrAvchXJuruZG+Tp9+Ev0if9f9J9qdU1y+yLGQxc2vnibMg2uxdpfYjHaDWa9bybRQZxINkD//um8uxkRs0xvWgZu63ReQZMPjx9K3vNtdJTZsW5+ZUB368QA2mnry2Zf60PWJT/+NsNKIwyzjhUNJ/eTFxjNJ4zPj/AnXFezfGvpVu6XFYsLk5uPb3XfpUlCj4mTVvmVlA40lf4rOhyoRRAW8d28puJArBf3nPzIkWQUfmFwO5EE3qPDkjMlaRa/RdRx0dvrbLDv7Ujt1XaK8bl3Vkz77oumCYFPV7J4mAeu3/LFBAoWKik6Wj8WQE+QwUWo=,iv:ZQaOO2Blpqn+Xnzt4fcPu+rNAvEdluwJEYRxPVItLcU=,tag:rKJ5g27ZK1wCpcyCVfffpA==,type:str]", "sops": { "age": [ { 
@@ -7,8 +7,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbi9PZkRob2JkcjlEMUJu\nSG5TemplWkhWVXZNWStCVXhrUlFRSUtPeWk4CjZEQVN4b1lYVkxYQmU0SEJ0QnAv\nTE9IdHZUYmVjb0hxSno1QWxGN1ZMUFEKLS0tIEwrVU5uZmZPRGdZcjVsVk1IQ1Vv\nRXdMcW0xR2g5SCswKzF5RkIwUmtocDgKVI/EMQuvfKGeJH7wFm8VP5rKLhYKOlPt\nA+QIDAdrtFogW9Swwhzxu1tIOfMXzfyW9P+ec/b6/vU96PMqJQ6ZGg==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-24T23:34:04Z", - "mac": "ENC[AES256_GCM,data:O7COFKQkK6aGkX8fp/ihHBxRVV8UM3khi549O6RWMFGDxgwMTh1qr3hNIJa3B4sTfhFuvOxpfxLjR4Yw02JH6wuwuuzANFzQ9uiVsVv5UDVDD0msYneTXVbSBo92gLFr4ZXcAoTtf9AKitkjwWjLK2sTJcZ608NjQSpOo+rSJ3o=,iv:s5wB+8B+igS7PhDTHL6XS17QBdhvobXFgCzHxHu52q4=,tag:ulySxIPinWRRRY8XbE8pWg==,type:str]", + "lastmodified": "2025-11-28T14:15:06Z", + "mac": "ENC[AES256_GCM,data:TxnVPtRHzUEr9StM3RlOgqD11036yM74HL1Q8ZkNSU89geAaUoDj8LJD1QKglDT5UNzfKeaZD4DT6bqill+H5FUuonOgLPxNoFKMyWhppQkMWM5F/bw8JUulacmE28b2Rd5zRVOYe3TkE11kMAbxRD+CvqEFBrLsZAndr9QdfUc=,iv:uzjzk1FUN52oAE0cuw7OLLmMRxE/VLQ+tUExxYQjwTQ=,tag:+BOG6wRb0h/jhyy7l8ZA/A==,type:str]", "pgp": [ { "created_at": "2025-11-25T18:32:49Z", diff --git a/hosts/nixos/aarch64-linux/liliputsteps/default.nix b/hosts/nixos/aarch64-linux/liliputsteps/default.nix new file mode 100644 index 0000000..dc866d7 --- /dev/null +++ b/hosts/nixos/aarch64-linux/liliputsteps/default.nix 
@@ -0,0 +1,41 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./disk-config.nix
+
+ "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+ ];
+
+ topology.self = {
+ icon = "devices.cloud-server";
+ };
+
+ swarselsystems = {
+ flakePath = "/root/.dotfiles";
+ info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
+ isImpermanence = true;
+ isSecureBoot = false;
+ isCrypted = true;
+ isSwap = false;
+ rootDisk = "/dev/disk/by-id/scsi-360fb180663ec4f2793a763a087d46885";
+ isBtrfs = true;
+ isNixos = true;
+ isLinux = true;
+ isCloud = true;
+ mainUser = "jump";
+ };
+} // lib.optionalAttrs (!minimal) {
+ swarselprofiles = {
+ server = true;
+ };
+
+ swarselmodules.server = {
+ nginx = false;
+ bastion = true;
+ # ssh = false;
+ };
+
+ # users.users.swarsel.enable = lib.mkForce false;
+ # home-manager.users.swarsel.enable = lib.mkForce false
+}
diff --git a/hosts/nixos/x86_64-linux/milkywell/disk-config.nix b/hosts/nixos/aarch64-linux/liliputsteps/disk-config.nix
similarity index 100%
rename from hosts/nixos/x86_64-linux/milkywell/disk-config.nix
rename to hosts/nixos/aarch64-linux/liliputsteps/disk-config.nix
diff --git a/hosts/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix b/hosts/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix
new file mode 100644
index 0000000..2278aaf
--- /dev/null
+++ b/hosts/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix
@@ -0,0 +1,15 @@
+{ lib, modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
+ kernelModules = [ ];
+ };
+ kernelModules = [ ];
+ extraModulePackages = [ ];
+ };
+
+ nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
+}
diff --git a/hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc b/hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc
new file mode 100644
index 0000000..bd5dbdf
--- /dev/null
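Review bot: The new host file ships three commented-out toggles — `# ssh = false;` inside `swarselmodules.server` and the `# users.users.swarsel.enable` / `# home-manager.users.swarsel.enable` lines — with no indication of whether they are pending or rejected decisions, which on a host that sets `bastion = true` and `mainUser = "jump"` is exactly what a reviewer needs to know about the intended access model. Either drop them or replace them with one line stating the decision, e.g. `# bastion host: the swarsel user and ssh module stay enabled on purpose until <reason>`. Note also that the last commented line lacks the trailing `;` the others have, so uncommenting it later would not parse.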
+++ b/hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc 
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:GntHmFTkr7OKUlAVPP1aPeGJEoM1/W9xoZzdXG/udBrKB8eadaOsdsT9/I4Q4zydLnAUZAb+k+/pu3inqiGPClNWU0LUMj7wTwPuVe57EyLaO2oaN4z2nvWhJnwfatvdLrFICz3MN7XLnpEe3D+3ovN2hmys1pd6cAJtEKDtmLJ3RNAhEXrMwOZ0MSzylApoi9yXULH8PqNBX7jPOZYYZ0jlnIbZB267Ln19ES0bZcK7L0608NdB+Q3xb3TQ+oSfnvsdxKyPkPqjxAto40feG97UYVW6AgYV1KlRp9etjEhIRZgn1qDvigGM/Y4HLgLxPM83h79LIVHDj1OySMyYR4bfwAR1U+Ij2nX0Wv6Q/nKx0Nmghen40AqLYp762ACLVRd30DALthhtMxhsiYIT6za3dNFRNnL1Lfss1+IwDm+XHBehBQsjXbs06nZcQURfszW03Y9KH1h5ePIS93gmkdUyH5Ya1JT609s8faukz4fcNmnXlZcnCW4fUawW3YS1zpWPGDNm54GFI06vii5JuVORrf6m2HJEIyYSzeYASC+rZOfEF8gXGjyaeh/B9nAzSq2Q/Nfm+fsceXfOkhD+ZD/nYg+whYPPfA38B5oWvwnSNRNipJLYVvdLLd6M9pTV2FHuEsFKpXwumuwMAhl287jpDVb5B6gYPnWm4zOXYX3KXd68KVFNOGCC1XrrlqVBwQqraozD+1e77eCK4OEyF8R2Wt+mCFDwrMp5hKiiFCHEX67RYqWwmZVx2hS1bovBfacoXknUaSQnfpUd5GYIVYqonyqo6cdn6LKR/0d+7wR+JuL+PO83XcEQvegfHXAXmxIEzPdsL2PqVWGL2B/qyyAZGb3hoY7hmrpEeCCefYhSkxewVDCuvL7xLBCFjq0PsPJw0CqYE0KDIgXxcGLQ5f+pn6O07YDfN+7PVPrPAaN/UTwd+2Xa9UfVELdKKhAWiywsiDCUVO9vkpvgSoYYSrtB8Ceg3RXWohbO8VrjF6UhUxnslAw8TBnBx4FtaSuI73UiJnkg9V1es47NmOA7,iv:JYRzdtAYu24aWIL/hfWLbkS8xpcPw3ylZROuuUMVmIY=,tag:Ot7G/QiTLhmnlYe7Z9aOTQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVU5HTGhyL0ZBRXkzZ3hq\ndzBMd1JZTktZbWNFMGRzcXhFK3RHb090cFdBCmpMa0FNMWFCenBjYk9FaDIrTkFS\nSnN6S210ejN5SVVhd2FWRG1SUHB4WWcKLS0tIDV2K0h1QWxwUXkwVnZlYnR6eEtl\nUVR0UGJOR1hadUtNcjYyWE9wblAwWFUKVM+J/pqtZFADYTQHfWCdvPzlhtgR6zAy\nu0EWk77+K2J0GeBuDr1W5yblUCknht6WZCJZcO6fW7AuWSQK3e/EVA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-12-01T16:51:40Z", + "mac": 
"ENC[AES256_GCM,data:SWLGPgFcdiGSvN5BTmE8Nq7+pBiNJM05H1hhqJY6wJqYZehKhQrQRj6/DSlYWPvYE/DdWo5Tiuc3RNY3NANwhki+7kl0OBxHoaHqBgOTa96rdPwe6V3s55v++jtm0xg/qLHEPCqrKqw/aiBAQLJkDOh/IykeEXBMW3S6EM+aQ0U=,iv:2wn4jQHdWWhIzOyGhZxow8WG6W0VgA2gwhb5X+k9ja0=,tag:8g4wQb0u7vbIPkVX8Ey0eA==,type:str]", + "pgp": [ + { + "created_at": "2025-12-01T15:59:42Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//cl6I+s/JLwwTCX7WKdzeOIkrsK9DpY3pXBuzoZRSRSJE\nwFJO99Uc7/uH1DSsEB/25CWI6eWx7k6l7YDbcbXQgi5ZNoAt7BePeCu2LK/3coZB\nJe4SManP0sPqxrSd92Tnm6Zl9EL4cJ/5D2C2RBTWOaOtZHR8gyxx5+rzCotCoTXA\nJseGE4B8r/M0O7PAS9+oD14AwCndhuvkmFOq0Y1/wXldV6yCdgc//0oJBSTCBJUZ\nYMSQLovEYGvF9bFfpWYU8J53WqlGn7QKVccDN0/gfi8IVGVZGccUA58VaVqkzR41\ndYlRZ/sjtd+VXmOg8Fx79bOlzTn+RBCp9y+q5yKnzUKGe0/Lrnt6+j7+ieIowi76\npBd0bEaoh6wqdCJ7GSjsj5kdSXRop3Ae0ff+J0pBQNctehpcWj5/TpeA1zyslwEC\nD1B/KVN+Gh0XBCg636dUkt2E4NPNDckSRuvTLy+8IkTm7aQqTjqDu3WUOSPzZiZK\nBUGZWwXAS+xPPMH26X6gPTfZj+7Gdv6yxTVIwkphDbWfihxIP//WNbKX1QN4VSHf\nCmoPOrriIdgZ7d2olZEJxPgEVzavkRkiMSFQbQgzjx5Af3ccdav3mxlubjXldmpe\n689Joj8cgBPg1Yfk/yl7tVK9TFJgYXTqKfsXwscrSlsV+dRAN0pHuq1uo9cTE/SF\nAgwDC9FRLmchgYQBEADCJ5IVMNp+PgUDOiajCfpNq3/HsntzIWG0tIjCb5L9TFWQ\nMA2LQWhcU5CRBh7Sakf8IFi/U40SD+dILUh8JR/7g2i9mCS+1e0pkUwSIYxzAI+z\nQeycuyOrdQJFrk+nFbTdZVAerElxew/wQUiC2uoI8tA5+XyNeNfipaptPh9FpFuz\nXhFbkZDJ4kapGzsAn4FgUdmdqAgZ5n2W46WAmDmVKM0W1F0zZdkBEdkEKkv1gRpZ\nRntb/mVEiGAdXv6yAzvHrxgIBkxazzstRmCMXa252RUIakXqvkP1vw7B6ChSFQR+\nq9WNo9x0EYXivd/+ROjHT7WNhEToWems/3CQpQd1LEFXajLdpAWd875acqhBJqtY\nkpKqUG5F4JmTZ7hMuGI0g30nOofMtmFhDX/gCpJ97lEudHyNrHe0KWaQAwtRknz+\nrcPrZQmGRRcf4xcBVe/EDUNlkp9fPWEhFAwKMsVkkvCAADZbvdhLR6URJMmUj5KG\nOuwglHnSOMxCovAQUd3vCtNkkAnRPNOW/WMThr+qfjq8oKdDIaYBxjzjSz1FIsho\nKiz4W3flRzUcALjKTXadQl/jJEhpP3C6Ivh0d29SiKyrWG+Y4KlDIRctub9UjH46\nb2wqbnBzSrC8u9xJINIB4yryXsZiQyP5b39guSKIPjURebus7LBxq+0I7Z1OptJe\nAYk5htmFDe9Sgc+Do1L0kdxjblaoWOc0OiwYshQ9cMv+/IsU0U6T7w2A+8QkzPFc\nGVEmrW1Jyz2O3eMpq/Nl2IsmPDYTEPqhkRtAshBuYsoZJUz73/EovcSxyJ2moA==\n=o5Pw\n-----END PGP MESSAGE-----", + 
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.11.0"
+ }
+}
diff --git a/hosts/nixos/aarch64-linux/moonside/default.nix b/hosts/nixos/aarch64-linux/moonside/default.nix
index f339b23..1c3cf3f 100644
--- a/hosts/nixos/aarch64-linux/moonside/default.nix
+++ b/hosts/nixos/aarch64-linux/moonside/default.nix
@@ -137,9 +137,7 @@ in
 isBtrfs = true;
 isNixos = true;
 isLinux = true;
- proxyHost = "moonside";
 server = {
- inherit (config.repo.secrets.local.networking) localNetwork;
 restic = {
 bucketName = "SwarselMoonside";
 paths = [
diff --git a/hosts/nixos/aarch64-linux/stoicclub/default.nix b/hosts/nixos/aarch64-linux/stoicclub/default.nix
new file mode 100644
index 0000000..217d272
--- /dev/null
+++ b/hosts/nixos/aarch64-linux/stoicclub/default.nix
@@ -0,0 +1,39 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./disk-config.nix
+
+ "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+ ];
+
+ topology.self = {
+ icon = "devices.cloud-server";
+ };
+ swarselmodules.server.nginx = false;
+
+
+ swarselsystems = {
+ flakePath = "/root/.dotfiles";
+ info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
+ isImpermanence = true;
+ isSecureBoot = false;
+ isCrypted = true;
+ isSwap = false;
+ rootDisk = "/dev/disk/by-id/scsi-360e1a5236f034316a10a97cc703ce9e3";
+ isBtrfs = true;
+ isNixos = true;
+ isLinux = true;
+ isCloud = true;
+ isBastionTarget = true;
+ };
+} // lib.optionalAttrs (!minimal) {
+ swarselprofiles = {
+ server = true;
+ };
+
+ swarselmodules.server = {
+ nsd = true;
+ nginx = false;
+ };
+}
diff --git a/hosts/nixos/aarch64-linux/stoicclub/disk-config.nix b/hosts/nixos/aarch64-linux/stoicclub/disk-config.nix
new file mode 100644
index 0000000..9a98cce
--- /dev/null
+++ b/hosts/nixos/aarch64-linux/stoicclub/disk-config.nix
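Review bot: `swarselmodules.server.nginx = false;` appears in the first attribute set and again as `nginx = false;` in the `lib.optionalAttrs (!minimal)` set; since `//` is a shallow update, whenever `minimal` is false the second `swarselmodules` attribute replaces the first entirely, so the top-level line is only effective in minimal builds. If that is deliberate (nginx off in both modes), say so with `# also disable nginx in minimal builds; the non-minimal set below overrides this whole attribute`; otherwise the duplicate line and the two blank lines after it can go. The same shallow-merge shape is used by liliputsteps and twothreetunnel, which put all `swarselmodules.server` settings on one side and avoid the ambiguity.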
@@ -0,0 +1,121 @@ +{ lib, pkgs, config, ... }: +let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; +in +{ + disko = { + imageBuilder.extraDependencies = [ pkgs.kmod ]; + devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by 
bootstrap.sh + settings = { + allowDiscards = true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; +} diff --git a/hosts/nixos/aarch64-linux/stoicclub/hardware-configuration.nix b/hosts/nixos/aarch64-linux/stoicclub/hardware-configuration.nix new file mode 100644 index 0000000..2278aaf --- /dev/null +++ b/hosts/nixos/aarch64-linux/stoicclub/hardware-configuration.nix @@ -0,0 +1,15 @@ +{ lib, modulesPath, ... }: +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; +} diff --git a/hosts/nixos/x86_64-linux/milkywell/secrets/pii.nix.enc b/hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc similarity index 57% rename from hosts/nixos/x86_64-linux/milkywell/secrets/pii.nix.enc rename to hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc index d5c5740..e292b25 100644 --- a/hosts/nixos/x86_64-linux/milkywell/secrets/pii.nix.enc +++ b/hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc 
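Review bot: `passwordFile = "/tmp/disko-password";` reads the LUKS passphrase from a fixed, predictable path in the shared temp directory, and the comment only says that bootstrap.sh fills it in; neither the file mode it is expected to have nor its removal after `disko` has run is stated, so at minimum the comment should become `# populated by bootstrap.sh; expected mode 0600, removed once disko has finished`, and a mktemp-derived path would be better still. The `crypttabExtraOpts` with `fido2-device=auto` / `token-timeout=10` are applied to a host flagged `isCloud = true`, where a hardware token is presumably not attached, which deserves a line on the expected unlock path at boot. This file is added byte for byte again for twothreetunnel in the next section; a shared module taking the host-specific values as arguments would remove the duplication.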
@@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:pikVONWg81bulGRM+enUyBGxFw4C51177O3WrhRzvCiWpulc9RHVH12AfVh4uAkoOANrPyLZuEUGdu8hvFgcTWBzJXPSPZ2sMfAjx593RhSsW+VM58IS0Oa+N9XxwpYnKiUBHrvAxgJD3vhVgCIrL+1LSylZG/RF4Wj6fw4dkttlCqioRkyNPufBtpMEN+MTw9IFsAKaCV5LTFnetIzm6wUPepExaPOpdFhf61JYyzsHkKZslA4FKs1cWgK5ggJkfQS1aA3KCh8pU8vU6uXRgl4ixyUzn/l1HnGZRhFxjcc0x4RqrJYFW9Qyj7oehHU6AxuzD2bf0vuVxZn7nQy8MrDfsvYL5yU34MSdokwrvg3IBXvPogbmjWoBLl6+0WSlV5s6o8GbTkhFi0kWv5H9AKcywY54ltyzoxAQ/9hsZa9IIGCNMFjVfcrKPQKAfrdLbYQxdioq62lHX0LbXKWU9WPRhiG9eRsETudIPan8VRMvHx/6qS6bXSaEjYkKsVSmUOhcVYp7bp58wl9JKu4qYUOLyE2T00IdmbUWrQ+MP14lj6XKNyLN6//8qFyTyhDBLPBJ5DxOMt6qn1qe/lqD4R8Iqvvj63IFq3/psdDXHu+WNmq2/LQH3Y8GTxIoEQ+uPK/I7Tqdh2DXQgKYK162ybczcqsQwGwQWe+DWtno8fauypNrFp6Wgd7c62pxY+8nJzTU9gYSyAIHWEHmRW1LV231X+7kB+JwB2AxfDFXRChuNtJkOK9pdwo4SSS/tGDS5RLmsO4VpE2mPmhxA78IuU88c0LF/e4fC8N5hteecXjMMsSswbC1VUO/3B0JfN8nI0/BnE5Hhau8McSZ1Z06/GsxC+6ArX+zIXthcLIr95nAnLDgJUOKOU7XvLQ9Y22u4lmYWedSTg+vjdljjUG3aBNyp5ZI2xXQmOOgL21aE9aQgBN27GQGqgzECrNEbK0osBefjw14sxv/aZlWU9hHlVROLVbpyWl3edN9ZEMYSJDCpMPwFkEOshlkZ78IfQw7fWRKoBW3W9uHyRPEFeldy8KQ2Lux8A5KwokgFFrp4JI92gjUSubfFsCZp/NHrV5k5UltfMz50QdaKw==,iv:5tRqYZwfz4AeC/HSetPfDaysniUoAgklLl7mEiWBqiM=,tag:7TnVeBMtP8Q81eqeRu02gg==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:mU4ydooaOySi7MTe+b/DGfs1fzpDXbkASUo1cDsh4O8=,tag:Jh18+kJPLJFlGx5HymywOw==,type:str]", "sops": { "age": [ { 
@@ -7,8 +7,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZzY0QVQ4ZUxxZkdhQ2Zn\nOHpmTnRaR0R3cXh2Z2JFM1RDVDB2QnE3M3prCm43NjQyOS93UTZKaUlUUmhVcTdG\nUWp1YU1kVmZPc0tBN2FMY2FFVkI1a0UKLS0tIFovZi9FQlhMaXpvcnRYN2FiSm16\nTzJESjNyZ1NzajJRNDR6ZTd2TitoQTgKe2hC6OpYIzgqzhmeJuHWe0yXNE+/Ek26\nGt7s1B6OKnrj+S3es84ePOjAbLHr/ez282b/h0y55ws4R7jMemUIrQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-25T15:37:26Z", - "mac": "ENC[AES256_GCM,data:nZoyO4iZKAgecFiQ0tBdTEogMIDhe+Tg28L73DLVGCDTaG4QTR4ulvh77R3+Guun6eV5CsH86hTgENgDvybEVJV9bZmJWVbVQ0a+QYsZKIVDcH+o1ZK5EiOoaUb+Tfze1CGey2aw8zBgz3hl7ZeVjb5XNsKOhQz00Oc8xQ7z2CQ=,iv:x7oSgep++DVe2JQ1PPORcqfgBpCRbjO+MNPpDVSlzeI=,tag:JlibH3nTCf64bqxpnCxJAg==,type:str]", + "lastmodified": "2025-12-01T12:12:55Z", + "mac": "ENC[AES256_GCM,data:AhvfUvZnKSnhQCTHJpqs5OBELhGYv66on1+kSLX2lONyTbNfwHYsJHII4zHY+bS5cBkZbjtzMfJQkFWtDbU7c8wvdJnHN6H11MOEzC+GfI3R7UzwzJsUjNYE03u8FJCuLvI1SO3EObiKIgH80MV8qlXC+1+f7mKnfZNH8Kekor8=,iv:pAEz8tDZzaFee1EcNBd6zrl0yN55ywVK/eGof/B5MAU=,tag:LbjMr3rOb3By87yOfUK/3A==,type:str]", "pgp": [ { "created_at": "2025-11-20T01:03:05Z", diff --git a/hosts/nixos/aarch64-linux/twothreetunnel/default.nix b/hosts/nixos/aarch64-linux/twothreetunnel/default.nix new file mode 100644 index 0000000..8a30e09 --- /dev/null +++ b/hosts/nixos/aarch64-linux/twothreetunnel/default.nix 
@@ -0,0 +1,36 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./disk-config.nix
+
+ "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+ ];
+
+ topology.self = {
+ icon = "devices.cloud-server";
+ };
+
+ swarselsystems = {
+ flakePath = "/root/.dotfiles";
+ info = "VM.Standard.A1.Flex, 2 vCPUs, 8GB RAM";
+ isImpermanence = true;
+ isSecureBoot = false;
+ isCrypted = true;
+ isSwap = false;
+ rootDisk = "/dev/disk/by-id/scsi-3608deb9b0d4244de95c6620086ff740d";
+ isBtrfs = true;
+ isNixos = true;
+ isLinux = true;
+ isCloud = true;
+ };
+} // lib.optionalAttrs (!minimal) {
+ swarselprofiles = {
+ server = true;
+ };
+
+ swarselmodules.server = {
+ nginx = false;
+ };
+
+}
diff --git a/hosts/nixos/aarch64-linux/twothreetunnel/disk-config.nix b/hosts/nixos/aarch64-linux/twothreetunnel/disk-config.nix
new file mode 100644
index 0000000..9a98cce
--- /dev/null
+++ b/hosts/nixos/aarch64-linux/twothreetunnel/disk-config.nix
@@ -0,0 +1,121 @@ +{ lib, pkgs, config, ... }: +let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; +in +{ + disko = { + imageBuilder.extraDependencies = [ pkgs.kmod ]; + devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by 
bootstrap.sh + settings = { + allowDiscards = true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; +} diff --git a/hosts/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix b/hosts/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix new file mode 100644 index 0000000..2278aaf --- /dev/null +++ b/hosts/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix @@ -0,0 +1,15 @@ +{ lib, modulesPath, ... }: +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; +} diff --git a/hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc b/hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc new file mode 100644 index 0000000..e82a9a3 --- /dev/null +++ b/hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc 
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:G3Q+Hn7QkvBZeXzNR+0Bax+Va5sK5E0K3hNTkdsNJx4C6pIwrBEBOt3IKv/c00QhpAnPqo9gbKqWU9gv7I56nEOwVtVH3lrMlbxNl9LIiSv9SvSxVkTOow2msSJV/U+1KpjNQ/LnOo2Fxebfz1yiRtgi7hSazzqzIazZAFBldlKkjLR5SFCG8t5s/nccqZU+cLmS7hJDS5LtgW1XeunqUY7jnKuh7gT2I6fPsu15Vy+YeKLmYIt0a20bWGePBIlyiGRtpnMgtIt5gk5+OpSndO8P/GMgUzRwRZEL1b8U57jbhkPLdnwwy/iV6rEFCD9i6qB0ufVW/euc+y5mN0dx8op9FwJVzkJhUIIy9Qbbc8WOjjjWlwbKJNkWfYX7pTtx+xfBKuPF+IwaoMS9j+C3etkoYe5QCr9YGYM5Xer/HL0otYNacQU5S0VqPBzDnLu7NxzB4i22,iv:aFPDBmZasoqEFCbhrRtA2QMB27khuT3rdfCGAafjov0=,tag:GQGuHL5aYPc98tzc6Bb5mA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdEhDamZTRUhQZFNDTTl4\nVVVNNGZXa2h2THVzY0JWMjE2WjNJT0ZoblV3ClYzeEt4c0dWRzlISnN3NGthR21M\nTEtDQ011dFdhRVdPWlpweS9ma0N3dmsKLS0tIHFPQzQ5VzkyODZyY1JpcE4xR2Nl\nY2MrSERXTWkvNVZCR2xHUGh4ZXMvYTgK7pxPjnh3idl4QzBkR6LHyRskgqA3apS2\nkbg7As6wlEs34TAO8reyZknKTUd3Xif1v9RXiTcu1sEKHqkcqEoDog==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-12-01T22:45:54Z", + "mac": "ENC[AES256_GCM,data:b2sWPq+S5qqSM6lON+9A//LehgR7Wy7x8EfqeiFOFo9RT3niwaKjfp/Jnf6nKbXF43XM4dsn+dIX52fgxyd0KVLnJTqinhz97sSSs7hYFdXa2FGRhI+VwmuGVvr2ylAJODQgTn+MD7I+s/3DTfh6h0V47IZvxrUpYgg7tJrxzBc=,iv:g4XVN24+COVtRQPzTiI4iki1crjBUVc7vpnJ/vucd2A=,tag:gcnfSvPWvLqG2wTZELRMsg==,type:str]", + "pgp": [ + { + "created_at": "2025-12-01T23:06:36Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//RhpX1uVa49yA8FIfj/y/2C92Z7iBl+l1TGjaYMnuLAp5\nYybqAHwi1gzbnhKvpqO3ndm7qHNwbPBuYBDhu1ZDkQnzyzIthx3JA2G+je4Jem+N\nF8XWUglO+lEUpHD62s9JdOSS2dNRHSd/mcu/GV+k0/DzkXDn3TzzOciKBLn1u03+\n6T3mipG5cm00EEstR+iX46FSzOPX3M2+hYY+HY9rQa1RKUrUUsBBdCEYWgMsQOA9\nDGyweibxkcyxIGZIc882gxa06QxM07ON7NuZjW7vvUz3k7CI3bf5IBfaCvDywaDL\n0AKeTAVGVLnzdapZoP9lZmu6T639wu8BKMxSHiGeUenOrhs/Gl+CA2iCU5XimZCw\nbwPvKRbOGLu2eiBL/BHEMg1XpRw6bh24o3vNIchGRqDKbXICgkKr2gXhvli3qPrH\nCXokXF48e51bERfr9YWi0ryW5tgVEMwyubRi85cYnslwqfT78xzKMNRwF8wJ6PxG\ngwT6bEJ/f7QzXkw9VPY2HbaBBhe7XUBRDhLnV5sPBiZW2JDOt9rXH1LqWQLo7Ot6\nLWvOicAtmY5vnRIm9x1pPFKipmTWj7NzRCLEq5yt0borQsPO5RTC6fvhL/1Lpe1B\nzjAIjJBfQptEn4xjA0unZk6x45UDp9KpJz5zdKF43DSvGOkEF8NuTdEXNpeYHzCF\nAgwDC9FRLmchgYQBEADA36phB2C1d2DvEzi7AB7lK5gGExmaYSCzMJkSfjNQ4SO5\nwMhvRZZyIf5PT9wdJ6hCtOSqqhh0cubmZadrFnz/qjXLVSv9aTD4PFshF5lYgT0x\n2GkiIOkrVZ6vuP6/iIW/p+CqztDymVRR6DAhNNX6gx2NARdhii2K/hitW0QejoJk\nWY07qUIb2z0fPVp5TfAf3Nr87u3faYr0usW8GGABFA7IzJwCK1VA1284UZm4zj6Z\naHm+0wK/1g7Ck2sjzbhqzK3HlZVKd6lBIhmwdzcG1y0Ua5L7PIauLR6ArZkFD3WO\naHyyZ5hyNmoyOMjuTvPCIhiZ3T+aQK2f8pzyOApEWX4piCNhIvcSSy9AQ/f5hvVd\nWLG68dIMnmOWYxHX68jdNttSCcc9oJKNboOPKDdmEblZxGx5HZpYYL7X+Q0JKoMO\nqCXVc7GlIVLX0GghAvgC9Xww8XMQTWgJJJAVOa0tlTDJ4ybvCiyy850+ZPTevlHV\nfvlKSSCGHtjVIuZ5b+jMtBqg0aPDY0OqNFSvJ6x6wk0uICMesv2LNAKF7tUkMvHF\ncHljW96IOLocW96bwVR+nQG7U/ZY7/P6+2Nva8AgbrCd0erEZ/2lIvRV4IEzCk2g\nVzuzg+7pjkh1iHYUX+VX6CbyIPyx2Ic+VNaMrbqtC1YiPK6Bx+SF3eYHw9DYJ9Jc\nASJeqALtG3vg/TOKZwOfTp1GNvSExTUKqhEHpcCCty1UxIpNCPByvvsUqY0Q63DA\nyJ4TVO1QLCLwKz8nK8NWSRGrZ29jNJfAjcNDV/FrPiFqSPHVAErd4Vnbeu8=\n=Yn71\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosts/nixos/x86_64-linux/bakery/default.nix b/hosts/nixos/x86_64-linux/bakery/default.nix index 98252bc..3927663 100644 --- a/hosts/nixos/x86_64-linux/bakery/default.nix +++ b/hosts/nixos/x86_64-linux/bakery/default.nix 
@@ -10,6 +10,10 @@ in ./disk-config.nix ./hardware-configuration.nix + "${self}/modules/nixos/optional/gaming.nix" + "${self}/modules/nixos/optional/nswitch-rcm.nix" + "${self}/modules/nixos/optional/virtualbox.nix" + ]; swarselsystems = { @@ -31,7 +35,6 @@ in isSwap = true; rootDisk = "/dev/nvme0n1"; swapSize = "4G"; - hostName = config.node.name; }; home-manager.users."${primaryUser}" = { diff --git a/hosts/nixos/x86_64-linux/eagleland/default.nix b/hosts/nixos/x86_64-linux/eagleland/default.nix index 47ef03e..baa5bd5 100644 --- a/hosts/nixos/x86_64-linux/eagleland/default.nix +++ b/hosts/nixos/x86_64-linux/eagleland/default.nix @@ -1,60 +1,16 @@ -{ lib, config, minimal, ... }: +{ self, lib, minimal, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix + + "${self}/modules/nixos/optional/systemd-networkd-server.nix" ]; topology.self = { icon = "devices.cloud-server"; }; - networking = { - useDHCP = lib.mkForce false; - useNetworkd = true; - dhcpcd.enable = false; - renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) ( - config.repo.secrets.local.networking.networks or { } - ); - }; - boot.initrd.systemd.network = { - enable = true; - networks = { - inherit (config.systemd.network.networks) "10-wan"; - }; - }; - - systemd = { - network = { - enable = true; - wait-online.enable = false; - networks = - let - netConfig = config.repo.secrets.local.networking; - in - { - "10-wan" = { - address = [ - "${netConfig.wanAddress4}/32" - "${netConfig.wanAddress6}/64" - ]; - gateway = [ "fe80::1" ]; - routes = [ - { Destination = netConfig.defaultGateway4; } - { - Gateway = netConfig.defaultGateway4; - GatewayOnLink = true; - } - ]; - matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac; - networkConfig.IPv6PrivacyExtensions = "yes"; - linkConfig.RequiredForOnline = "routable"; - }; - }; - }; - }; - - swarselmodules.server.mailserver = true; swarselsystems = { flakePath = "/root/.dotfiles"; 
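Review bot: Whether initrd networking and `IPv6PrivacyExtensions = "yes"` for `10-wan` survive this refactor cannot be checked from the diff, because the removed `boot.initrd.systemd.network` and `systemd.network.networks."10-wan"` definitions are replaced by an import of `modules/nixos/optional/systemd-networkd-server.nix` that is not part of this commit. On a cloud host, losing the initrd network silently removes any early-boot remote access or recovery path, and losing the privacy-extensions setting changes the host's outbound IPv6 addressing. A short comment next to the import, e.g. `# provides 10-wan incl. initrd networkd config and IPv6 privacy extensions`, would make that contract explicit, and a `nix eval` of `config.boot.initrd.systemd.network.networks` on eagleland before merging would confirm it.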
@@ -70,11 +26,11 @@ isNixos = true; isLinux = true; proxyHost = "eagleland"; - server = { - inherit (config.repo.secrets.local.networking) localNetwork; - }; }; } // lib.optionalAttrs (!minimal) { + + swarselmodules.server.mailserver = true; + swarselprofiles = { server = true; }; diff --git a/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc index e7516a5..7407819 100644 --- a/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc +++ b/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data: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,iv:KoTbJUnhbZp7jX/jPmX8gBobDJDoLPAvhBU9j9RYr/g=,tag:qhd6OAHNkbn0xN7wJhF1Fw==,type:str]", + "data": "ENC[AES256_GCM,data:nIgv3b+6o5Ce9X9xZtBK62f6dgsAGLPqq7aVFCw2qjD9UiHCrAY9vTn5NSW2O2pbLAfx6h7falS3/0yU+AkJ2H3zhxBy7ZxQ0m9dLoQGrYY/E9Z45xZmdFRxtzexCaxr2DxbP8haJKomQ22cHk07HGsrEZ/CFGkyjRxUr3Y4rewgZPBXahVtM75mWbNpVGApc8cs/W4JbjuXw3qlCQcACz8sZVPHKCjbEypypo6nTmU7NO7worrAJ2QgU75oGJ9g96wp9paFMEDofVp2Y25IVYReGg8T1Qi/kTcZzfzGfSpEwnQBB/ZCW6gNYhMK3shfB8DxKy6+romVXm1K+/0yUmwsCM8xC5zJX0GsO8Uu63YFrW/Y2E6aYZfBHdIgfy4lYOFKC2o0ixirw9EO8HyfsDt47QYB970vLPjYZfKNAZBgltbV3KPsOHxmgiZbTbAl0cb9zRc+jV2voH9T5VhFiUWdfaLBY1HUAVAjU7h62uZoCsi1HWyAroEROKS96npTD+3/vHehYuEGBf1IxYnLwHnKeqsr/Bqoukf3OecOH2EkMTTFQ7E0k9s0keRypoHmeYIh2a3dRcaXXbNEgiAMfabhgUh1NNcYKSZhcIekN8WN8azXjbVIrfEakJ8S+PUf5fJdspN/3Ppm06fDLv7yLHnLc8Eae2COOR8vYKIo3Onu4doxNjisfpHujLXYaCGhWpINEGWF7fkeC1B7,iv:v9MxvhcHg+P00UnOWujSgVlMNcOnDm/gK8kNcN54E2E=,tag:XnPMzsDeGJMt9yv6GnFzqg==,type:str]", "sops": { "age": [ { 
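Review bot: `swarselmodules.server.mailserver = true;` now lives inside the `lib.optionalAttrs (!minimal)` branch, so a `minimal` evaluation of eagleland no longer enables the mail server, whereas before this commit it was unconditional. If that is intended (for example so bootstrap images never start an MTA with the real domain), a comment such as `# not in minimal builds: avoids bringing up the MTA on bootstrap images` would prevent a later reader from "fixing" it back; if it is not intended, a production mail host coming up without its MTA after a minimal deploy is easy to miss. The enclosing attribute set begins before this hunk.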
@@ -7,8 +7,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJR1ZPZFUxRTh0QjB6UDJ4\nOFd2c2lFejhHck5UdUxVbmFFbVRYNEJaSzJZCkNxbndVVThObDkxUmx2WW9ESzhh\na2o0LzFCbWdJVlRIV00rTVUwTktoek0KLS0tIC9qalVvZmpGQXZsV3RIYWRPbmRY\nam80NkRkT2l0ak8wV3pTSW9kSC9nZ3cKCH8eEMmku6WMliEDdAiW2Lk1jAGH9SoP\nWQ5Y6e90jEnp8XbGE7KYiG+jy5fHSc6Y5/YyMmi/b9bF9AhmRT6rdw==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-25T15:44:12Z", - "mac": "ENC[AES256_GCM,data:EqEvcd75Si3I0Tgxm0ffeVRKrKNqaFNI+NqZcB02mKPYPWTR6fX4VT2oVhLIxvn+5MQY2BBR/VzSxblcX6K149REpk/22aGuHfk45giq8q1xBnZeNzEQDuhoY8XZd8dzqxk1pHmQFS+jL/zl42a2Qib/jVmlnPof0bcwa/HlZDU=,iv:5V2zSQOCG/XkRF7zgFe1oDuzrP3dx6pWZpsvdVT8hz8=,tag:DYHQIFEedflw43aCTT/ACA==,type:str]", + "lastmodified": "2025-11-28T10:50:22Z", + "mac": "ENC[AES256_GCM,data:lwkkp8YSzX8NM7E65kmPpF/q9Vn+FnCTeePLswDH6AVgndo/7QOy0GtJeXmiwt2YsA4AhRqxexWl2R8tjEysP35pyfQJ4vEkVi+V2tEnoLgftriNJzpoeVuRNXLxTPhPezOZgAcTDDL4yyqJXpcFj0PE1DPHKxazT28BoilaBYE=,iv:3dcAqkw/y6rAPL8wb5iewz37S4xszYFGHxvQiQ98sLk=,tag:SEmbptei6GrTXXyb7zwrIg==,type:str]", "pgp": [ { "created_at": "2025-11-23T15:25:41Z", diff --git a/hosts/nixos/x86_64-linux/hintbooth/default.nix b/hosts/nixos/x86_64-linux/hintbooth/default.nix index 4f3412c..dbb6c6b 100644 --- a/hosts/nixos/x86_64-linux/hintbooth/default.nix +++ b/hosts/nixos/x86_64-linux/hintbooth/default.nix @@ -1,4 +1,4 @@ -{ lib, config, minimal, ... }: +{ lib, minimal, ... }: { imports = [ @@ -18,9 +18,6 @@ rootDisk = "/dev/sda"; swapSize = "8G"; networkKernelModules = [ "igb" ]; - server = { - inherit (config.repo.secrets.local.networking) localNetwork; - }; }; } // lib.optionalAttrs (!minimal) { diff --git a/hosts/nixos/x86_64-linux/milkywell/default.nix b/hosts/nixos/x86_64-linux/milkywell/default.nix deleted file mode 100644 index 3945349..0000000 --- a/hosts/nixos/x86_64-linux/milkywell/default.nix +++ /dev/null 
@@ -1,46 +0,0 @@ -{ lib, config, minimal, ... }: -{ - imports = [ - ./hardware-configuration.nix - ./disk-config.nix - ]; - node.lockFromBootstrapping = false; - sops = { - age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; - }; - - topology.self = { - icon = "devices.cloud-server"; - }; - - networking = { - domain = "subnet03112148.vcn03112148.oraclevcn.com"; - firewall = { - allowedTCPPorts = [ 53 ]; - }; - }; - - system.stateVersion = "23.11"; - - swarselsystems = { - flakePath = "/root/.dotfiles"; - info = "VM.Standard.E2.1.Micro"; - isImpermanence = true; - isSecureBoot = false; - isCrypted = false; - isSwap = true; - swapSize = "8G"; - rootDisk = "/dev/sda"; - isBtrfs = true; - isNixos = true; - isLinux = true; - server = { - inherit (config.repo.secrets.local.networking) localNetwork; - }; - }; -} // lib.optionalAttrs (!minimal) { - swarselprofiles = { - server = true; - }; - -} diff --git a/hosts/nixos/x86_64-linux/milkywell/hardware-configuration.nix b/hosts/nixos/x86_64-linux/milkywell/hardware-configuration.nix deleted file mode 100644 index 61b6d63..0000000 --- a/hosts/nixos/x86_64-linux/milkywell/hardware-configuration.nix +++ /dev/null 
@@ -1,26 +0,0 @@ -{ lib, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot = { - initrd = { - availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ]; - kernelModules = [ "dm-snapshot" ]; - }; - kernelModules = [ "kvm-amd" ]; - extraModulePackages = [ ]; - }; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.ens3.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/hosts/nixos/x86_64-linux/pyramid/default.nix b/hosts/nixos/x86_64-linux/pyramid/default.nix index 1d5b350..d5e9942 100644 --- a/hosts/nixos/x86_64-linux/pyramid/default.nix +++ b/hosts/nixos/x86_64-linux/pyramid/default.nix @@ -10,15 +10,16 @@ in ./disk-config.nix ./hardware-configuration.nix - ]; + "${self}/modules/nixos/optional/amdcpu.nix" + "${self}/modules/nixos/optional/amdgpu.nix" + "${self}/modules/nixos/optional/framework.nix" + "${self}/modules/nixos/optional/gaming.nix" + "${self}/modules/nixos/optional/hibernation.nix" + "${self}/modules/nixos/optional/nswitch-rcm.nix" + "${self}/modules/nixos/optional/virtualbox.nix" + "${self}/modules/nixos/optional/work.nix" - swarselmodules = { - optional = { - amdcpu = true; - amdgpu = true; - hibernation = true; - }; - }; + ]; swarselsystems = { lowResolution = "1280x800"; @@ -67,9 +68,5 @@ in } // lib.optionalAttrs (!minimal) { swarselprofiles = { personal = true; - optionals = true; - work = true; - uni = true; - framework = true; }; } 
diff --git a/hosts/nixos/x86_64-linux/summers/default.nix b/hosts/nixos/x86_64-linux/summers/default.nix index ebc92ff..347a7d0 100644 --- a/hosts/nixos/x86_64-linux/summers/default.nix +++ b/hosts/nixos/x86_64-linux/summers/default.nix @@ -1,9 +1,11 @@ -{ inputs, lib, config, minimal, nodes, globals, ... }: +{ self, inputs, lib, config, minimal, nodes, globals, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix + + "${self}/modules/nixos/optional/microvm-host.nix" ]; boot = { @@ -30,9 +32,6 @@ }; swarselmodules = { - optional = { - microvmHost = true; - }; server = { diskEncryption = lib.mkForce false; # TODO: disable nfs = false; diff --git a/hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix b/hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix index a08c95c..7363993 100644 --- a/hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix +++ b/hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix @@ -1,5 +1,8 @@ -{ lib, minimal, ... }: +{ self, lib, minimal, ... }: { + imports = [ + "${self}/modules/nixos/optional/microvm-guest.nix" + ]; swarselsystems = { info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM"; @@ -11,12 +14,6 @@ server = false; }; - swarselmodules = { - optional = { - microvmGuest = false; - }; - }; - microvm = { mem = 1024 * 4; vcpu = 2; diff --git a/hosts/nixos/x86_64-linux/winters/default.nix b/hosts/nixos/x86_64-linux/winters/default.nix index 58c6bc2..2fb27c2 100644 --- a/hosts/nixos/x86_64-linux/winters/default.nix +++ b/hosts/nixos/x86_64-linux/winters/default.nix @@ -1,4 +1,4 @@ -{ lib, config, minimal, ... }: +{ lib, minimal, ... }: { imports = [ @@ -27,7 +27,6 @@ isNixos = true; proxyHost = "moonside"; server = { - inherit (config.repo.secrets.local.networking) localNetwork; restic = { bucketName = "SwarselWinters"; paths = [ diff --git a/modules/home/common/anki.nix b/modules/home/common/anki.nix index 4c857b7..995cd3a 100644 --- a/modules/home/common/anki.nix 
+++ b/modules/home/common/anki.nix @@ -1,4 +1,4 @@ -{ lib, config, pkgs, globals, inputs, nixosConfig ? config, ... }: +{ lib, config, pkgs, globals, inputs, confLib, ... }: let moduleName = "anki"; inherit (config.swarselsystems) isPublic isNixos; @@ -23,11 +23,11 @@ in syncMedia = true; autoSyncMediaMinutes = 5; url = "https://${globals.services.ankisync.domain}"; - usernameFile = nixosConfig.sops.secrets.anki-user.path; + usernameFile = confLib.getConfig.sops.secrets.anki-user.path; # this is not the password but the syncKey # get it by logging in or out, saving preferences and then # show details on the "settings wont be saved" dialog - keyFile = nixosConfig.sops.secrets.anki-pw.path; + keyFile = confLib.getConfig.sops.secrets.anki-pw.path; }; addons = let diff --git a/modules/home/common/element.nix b/modules/home/common/element.nix index f9ba831..0398726 100644 --- a/modules/home/common/element.nix +++ b/modules/home/common/element.nix @@ -1,4 +1,4 @@ -{ lib, config, ... }: +{ lib, config, globals, ... }: let moduleName = "element-desktop"; in @@ -10,7 +10,7 @@ in settings = { default_server_config = { "m.homeserver" = { - base_url = "https://swatrix.swarsel.win/"; + base_url = "https://${globals.services.matrix.domain}/"; }; }; UIFeature = { diff --git a/modules/home/common/env.nix b/modules/home/common/env.nix index b58be8a..4fb6ae4 100644 --- a/modules/home/common/env.nix +++ b/modules/home/common/env.nix 
@@ -1,8 +1,8 @@ -{ lib, config, nixosConfig ? config, ... }: +{ lib, config, confLib, globals, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; - inherit (nixosConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name; - inherit (nixosConfig.repo.secrets.common) fullName openrouterApi; + inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; + inherit (confLib.getConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name; + inherit (confLib.getConfig.repo.secrets.common) fullName openrouterApi instaDomain sportDomain; inherit (config.swarselsystems) isPublic homeDir; DISPLAY = ":0"; @@ -18,6 +18,12 @@ in DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private"; FLAKE = "${config.home.homeDirectory}/.dotfiles"; } // lib.optionalAttrs (!isPublic) { + SWARSEL_DOMAIN = globals.domains.main; + SWARSEL_RSS_DOMAIN = globals.services.freshrss.domain; + SWARSEL_MUSIC_DOMAIN = globals.services.navidrome.domain; + SWARSEL_FILES_DOMAIN = globals.services.nextcloud.domain; + SWARSEL_INSTA_DOMAIN = instaDomain; + SWARSEL_SPORT_DOMAIN = sportDomain; SWARSEL_MAIL1 = address1; SWARSEL_MAIL2 = address2; SWARSEL_MAIL3 = address3; @@ -30,7 +36,7 @@ in SWARSEL_CAL3NAME = source3-name; SWARSEL_FULLNAME = fullName; SWARSEL_MAIL_ALL = lib.mkDefault allMailAddresses; - GITHUB_NOTIFICATION_TOKEN_PATH = nixosConfig.sops.secrets.github-notifications-token.path; + GITHUB_NOTIFICATION_TOKEN_PATH = confLib.getConfig.sops.secrets.github-notifications-token.path; OPENROUTER_API_KEY = openrouterApi; }; }; diff --git a/modules/home/common/gammastep.nix b/modules/home/common/gammastep.nix index c8862c8..07d6644 100644 --- a/modules/home/common/gammastep.nix +++ b/modules/home/common/gammastep.nix 
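Review bot: `OPENROUTER_API_KEY = openrouterApi;` places the API key value itself into `home.sessionVariables`, while the token next to it is handled as a file path (`GITHUB_NOTIFICATION_TOKEN_PATH = confLib.getConfig.sops.secrets.github-notifications-token.path`). If `repo.secrets.common.openrouterApi` is a plain evaluation-time string, as the `inherit` at the top of the hunk suggests, the key is written verbatim into the generated session-variables script in the world-readable Nix store and exported to every process in the session. Consider a sops secret with a `*_PATH` variable, e.g. `OPENROUTER_API_KEY_PATH = confLib.getConfig.sops.secrets.openrouter-api-key.path;`, or at minimum a comment acknowledging the exposure. The newly added `SWARSEL_*_DOMAIN` values are not secret, so this concern applies only to the API key.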
@@ -1,6 +1,6 @@ -{ lib, config, nixosConfig ? config, ... }: +{ lib, config, confLib, ... }: let - inherit (nixosConfig.repo.secrets.common.location) latitude longitude; + inherit (confLib.getConfig.repo.secrets.common.location) latitude longitude; in { options.swarselmodules.gammastep = lib.mkEnableOption "gammastep settings"; diff --git a/modules/home/common/git.nix b/modules/home/common/git.nix index 1fb7ad8..cda162b 100644 --- a/modules/home/common/git.nix +++ b/modules/home/common/git.nix @@ -1,7 +1,7 @@ -{ lib, config, globals, minimal, nixosConfig ? config, ... }: +{ lib, config, globals, minimal, confLib, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1; - inherit (nixosConfig.repo.secrets.common) fullName; + inherit (confLib.getConfig.repo.secrets.common.mail) address1; + inherit (confLib.getConfig.repo.secrets.common) fullName; gitUser = globals.user.name; in diff --git a/modules/home/common/hexchat.nix b/modules/home/common/hexchat.nix index f0d813a..97f70c0 100644 --- a/modules/home/common/hexchat.nix +++ b/modules/home/common/hexchat.nix @@ -1,7 +1,7 @@ -{ lib, config, nixosConfig ? config, ... }: +{ lib, config, confLib, ... }: let moduleName = "hexchat"; - inherit (nixosConfig.repo.secrets.common.irc) irc_nick1; + inherit (confLib.getConfig.repo.secrets.common.irc) irc_nick1; in { options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings"; diff --git a/modules/home/common/mail.nix b/modules/home/common/mail.nix index 5d067d4..6c46e4a 100644 --- a/modules/home/common/mail.nix +++ b/modules/home/common/mail.nix 
@@ -1,7 +1,7 @@ -{ lib, config, inputs, globals, nixosConfig ? config, ... }: +{ lib, config, inputs, globals, confLib, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4; - inherit (nixosConfig.repo.secrets.common) fullName; + inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4; + inherit (confLib.getConfig.repo.secrets.common) fullName; inherit (config.swarselsystems) xdgDir; in { @@ -140,7 +140,7 @@ in address = address4; userName = address4; realName = fullName; - passwordCommand = "cat ${nixosConfig.sops.secrets.address4-token.path}"; + passwordCommand = "cat ${confLib.getConfig.sops.secrets.address4-token.path}"; mu.enable = true; msmtp = { enable = true; @@ -169,7 +169,7 @@ in address = address1; userName = address1; realName = fullName; - passwordCommand = "cat ${nixosConfig.sops.secrets.address1-token.path}"; + passwordCommand = "cat ${confLib.getConfig.sops.secrets.address1-token.path}"; gpg = { key = "0x76FD3810215AE097"; signByDefault = true; @@ -183,7 +183,7 @@ in address = address2; userName = address2; realName = address2-name; - passwordCommand = "cat ${nixosConfig.sops.secrets.address2-token.path}"; + passwordCommand = "cat ${confLib.getConfig.sops.secrets.address2-token.path}"; } defaultSettings; @@ -193,7 +193,7 @@ in address = address3; userName = address3; realName = address3-name; - passwordCommand = "cat ${nixosConfig.sops.secrets.address3-token.path}"; + passwordCommand = "cat ${confLib.getConfig.sops.secrets.address3-token.path}"; } defaultSettings; diff --git a/modules/home/common/obsidian.nix b/modules/home/common/obsidian.nix index 5020502..03219bc 100644 --- a/modules/home/common/obsidian.nix +++ b/modules/home/common/obsidian.nix 
@@ -1,7 +1,7 @@ -{ lib, config, pkgs, nixosConfig ? config, ... }: +{ lib, config, pkgs, confLib, ... }: let moduleName = "obsidian"; - inherit (nixosConfig.repo.secrets.common.obsidian) userIgnoreFilters; + inherit (confLib.getConfig.repo.secrets.common.obsidian) userIgnoreFilters; name = "Main"; in { diff --git a/modules/home/common/opkssh.nix b/modules/home/common/opkssh.nix index 9d5b86d..1481701 100644 --- a/modules/home/common/opkssh.nix +++ b/modules/home/common/opkssh.nix @@ -1,4 +1,4 @@ -{ lib, config, ... }: +{ lib, config, globals, ... }: let moduleName = "opkssh"; in @@ -13,7 +13,7 @@ in providers = [ { alias = "kanidm"; - issuer = "https://sso.swarsel.win/oauth2/openid/opkssh"; + issuer = "https://${globals.services.kanidm.domain}/oauth2/openid/opkssh"; client_id = "opkssh"; scopes = "openid email profile"; redirect_uris = [ diff --git a/modules/home/common/settings.nix b/modules/home/common/settings.nix index 3e5e47a..c624b34 100644 --- a/modules/home/common/settings.nix +++ b/modules/home/common/settings.nix @@ -40,7 +40,11 @@ in trusted-public-keys = [ atticPublicKey ]; - trusted-users = [ "@wheel" "${mainUser}" ]; + trusted-users = [ + "@wheel" + "${mainUser}" + (lib.mkIf config.swarselmodules.server.ssh-builder "builder") + ]; connect-timeout = 5; bash-prompt-prefix = "$SHLVL:\\w "; bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ "; diff --git a/modules/home/common/ssh.nix b/modules/home/common/ssh.nix index 562f68a..e575925 100644 --- a/modules/home/common/ssh.nix +++ b/modules/home/common/ssh.nix @@ -1,7 +1,7 @@ -{ lib, config, nixosConfig ? config, ... }: +{ inputs, lib, config, confLib, ... }: { options.swarselmodules.ssh = lib.mkEnableOption "ssh settings"; - config = lib.mkIf config.swarselmodules.ssh { + config = lib.mkIf config.swarselmodules.ssh ({ programs.ssh = { enable = true; enableDefaultConfig = false; 
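Review bot: Adding `builder` to `trusted-users` makes that account root-equivalent with respect to the Nix daemon (trusted users may override restricted options such as `substituters` and `sandbox` and import unsigned store paths), so whoever holds the matching SSH key effectively has root on every host where `swarselmodules.server.ssh-builder` is on. That is the usual requirement for a remote builder, but it should be paired with a hardened `authorized_keys` entry for that user (`restrict`, a forced `command="nix-store --serve --write"`) and a comment here, e.g. `# remote-build account: trusted-users grants daemon root, so its key must be command-restricted`. Also confirm that `lib.mkIf` inside a list element is discharged by the option type in this home-manager module: NixOS's `trusted-users` is `listOf str` and drops the element, but if `nix.settings` is freeform here the `mkIf` attrset may be serialized into nix.conf instead.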
@@ -18,11 +18,15 @@ serverAliveCountMax = 3; hashKnownHosts = false; userKnownHostsFile = "~/.ssh/known_hosts"; - controlMaster = "no"; + controlMaster = "auto"; controlPath = "~/.ssh/master-%r@%n:%p"; - controlPersist = "no"; + controlPersist = "5m"; }; - } // nixosConfig.repo.secrets.common.ssh.hosts; + } // confLib.getConfig.repo.secrets.common.ssh.hosts; }; - }; + } // lib.optionalAttrs (inputs ? sops) { + sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { + builder-key = { path = "${config.home.homeDirectory}/.ssh/builder"; mode = "0600"; }; + }; + }); } diff --git a/modules/home/common/sway.nix b/modules/home/common/sway.nix index 12ebb83..83f894a 100644 --- a/modules/home/common/sway.nix +++ b/modules/home/common/sway.nix @@ -1,4 +1,4 @@ -{ config, lib, vars, nixosConfig ? config, ... }: +{ config, lib, vars, confLib, ... }: let eachOutput = _: monitor: { inherit (monitor) name; @@ -381,7 +381,7 @@ in export XDG_CURRENT_DESKTOP=sway; export XDG_SESSION_DESKTOP=sway; export _JAVA_AWT_WM_NONREPARENTING=1; - export GITHUB_NOTIFICATION_TOKEN_PATH=${nixosConfig.sops.secrets.github-notifications-token.path}; + export GITHUB_NOTIFICATION_TOKEN_PATH=${confLib.getConfig.sops.secrets.github-notifications-token.path}; '' + vars.waylandExports; # extraConfigEarly = " # exec systemctl --user import-environment DISPLAY WAYLAND_DISPLAY SWAYSOCK diff --git a/modules/home/common/yubikey.nix b/modules/home/common/yubikey.nix index 3a5507b..095e90c 100644 --- a/modules/home/common/yubikey.nix +++ b/modules/home/common/yubikey.nix @@ -1,4 +1,4 @@ -{ lib, config, inputs, nixosConfig ? config, ... }: +{ lib, config, inputs, confLib, ... }: let inherit (config.swarselsystems) homeDir; in 
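Review bot: `controlMaster = "auto"` with `controlPersist = "5m"` keeps an authenticated master socket alive for five minutes after the last session closes, so any process running as this user can open further sessions to that host without touching the YubiKey or re-entering a passphrase during that window; with `hashKnownHosts = false` and sockets named `~/.ssh/master-%r@%n:%p`, the live sockets also enumerate recent targets. That is a reasonable convenience trade-off, but it deserves a comment, e.g. `# mux sockets bypass per-connection auth for 5m; ~/.ssh must stay 0700`, and `%n` (the name as typed) rather than `%h` or `%C` means the same host reached under two aliases gets two masters, which is easy to overlook. The `builder-key` sops secret is written with `mode = "0600"`, which is correct for a private key. The enclosing `config = lib.mkIf config.swarselmodules.ssh (` block begins before this hunk.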
@@ -9,8 +9,8 @@ in pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) { ids = [ - nixosConfig.repo.secrets.common.yubikeys.dev1 - nixosConfig.repo.secrets.common.yubikeys.dev2 + confLib.getConfig.repo.secrets.common.yubikeys.dev1 + confLib.getConfig.secrets.common.yubikeys.dev2 ]; }; } // lib.optionalAttrs (inputs ? sops) { diff --git a/modules/home/common/zsh.nix b/modules/home/common/zsh.nix index 50ce19a..7f7b6e3 100644 --- a/modules/home/common/zsh.nix +++ b/modules/home/common/zsh.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, minimal, inputs, globals, nixosConfig ? config, ... }: +{ config, pkgs, lib, minimal, inputs, globals, confLib, ... }: let inherit (config.swarselsystems) flakePath isNixos; crocDomain = globals.services.croc.domain; @@ -127,8 +127,8 @@ in ''; sessionVariables = lib.mkIf (!config.swarselsystems.isPublic) { CROC_RELAY = crocDomain; - CROC_PASS = "$(cat ${nixosConfig.sops.secrets.croc-password.path or ""})"; - GITHUB_TOKEN = "$(cat ${nixosConfig.sops.secrets.github-nixpkgs-review-token.path or ""})"; + CROC_PASS = "$(cat ${confLib.getConfig.sops.secrets.croc-password.path or ""})"; + GITHUB_TOKEN = "$(cat ${confLib.getConfig.sops.secrets.github-nixpkgs-review-token.path or ""})"; QT_QPA_PLATFORM_PLUGIN_PATH = "${pkgs.libsForQt5.qt5.qtbase.bin}/lib/qt-${pkgs.libsForQt5.qt5.qtbase.version}/plugins"; # QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox"; }; diff --git a/modules/home/optional/framework.nix b/modules/home/optional/framework.nix index 9e8a9d8..3d4baab 100644 --- a/modules/home/optional/framework.nix +++ b/modules/home/optional/framework.nix @@ -1,7 +1,6 @@ -{ lib, config, ... }: +_: { - options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings"; - config = lib.mkIf config.swarselmodules.optional.framework { + config = { swarselsystems = { inputs = { "12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = { 
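Review bot: The second id reads `confLib.getConfig.secrets.common.yubikeys.dev2`, dropping the `.repo` segment that the line above and every other converted module in this commit use (`confLib.getConfig.repo.secrets.common.yubikeys.dev1`); unless `getConfig.secrets` happens to exist, this fails evaluation for every host with `isNixos && !isPublic`, and if it does exist it silently enrolls a different or empty second key. The fix is one token: `confLib.getConfig.repo.secrets.common.yubikeys.dev2`. Because this list is what `pam.yubico` accepts as an authentication factor, a wrong value here weakens the factor rather than just breaking the build, so a `nix eval` on one affected host before merging is worth it.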
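Review bot: `GITHUB_TOKEN = "$(cat ${confLib.getConfig.sops.secrets.github-nixpkgs-review-token.path or ""})"` (and `CROC_PASS` alongside it) still exports the secret value into every interactive shell's environment, where each child process and `/proc/<pid>/environ` can read it, and when the secret is undefined the `or ""` fallback degrades to `$(cat )`, which reads stdin at shell startup instead of failing quietly. The rename to `confLib.getConfig` does not change this, but since these lines are being touched it is worth either guarding with `lib.optionalAttrs (confLib.getConfig.sops.secrets ? github-nixpkgs-review-token)` or exporting only the path and letting tools read it on demand, with a comment such as `# token is read into the environment of every shell; prefer *_PATH if the consumer supports it`. The enclosing `sessionVariables` attribute set continues outside the hunk.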
diff --git a/modules/home/optional/gaming.nix b/modules/home/optional/gaming.nix index d9657db..04b2817 100644 --- a/modules/home/optional/gaming.nix +++ b/modules/home/optional/gaming.nix @@ -1,10 +1,9 @@ -{ lib, config, pkgs, nixosConfig ? config, ... }: +{ config, pkgs, confLib, ... }: let inherit (config.swarselsystems) isNixos; in { - options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings"; - config = lib.mkIf config.swarselmodules.optional.gaming { + config = { # specialisation = { # gaming.configuration = { home.packages = with pkgs; [ @@ -44,7 +43,7 @@ in gamescope umu-launcher ]; - steamPackage = if isNixos then nixosConfig.programs.steam.package else pkgs.steam; + steamPackage = if isNixos then confLib.getConfig.programs.steam.package else pkgs.steam; winePackages = with pkgs; [ wineWow64Packages.waylandFull ]; diff --git a/modules/home/common/niri.nix b/modules/home/optional/niri.nix similarity index 99% rename from modules/home/common/niri.nix rename to modules/home/optional/niri.nix index 699881f..5873b62 100644 --- a/modules/home/common/niri.nix +++ b/modules/home/optional/niri.nix @@ -1,5 +1,8 @@ -{ config, pkgs, lib, vars, ... }: +{ inputs, config, pkgs, lib, vars, ... }: { + imports = [ + inputs.niri-flake.homeModules.niri + ]; options.swarselmodules.niri = lib.mkEnableOption "niri settings"; config = lib.mkIf config.swarselmodules.niri { diff --git a/modules/home/optional/uni.nix b/modules/home/optional/uni.nix index ef2d2c4..a841620 100644 --- a/modules/home/optional/uni.nix +++ b/modules/home/optional/uni.nix 
@@ -1,24 +1,22 @@ -{ config, lib, nixosConfig ? config, ... }: +{ confLib, ... }: { - options.swarselmodules.optional.uni = lib.mkEnableOption "optional uni settings"; - config = lib.mkIf config.swarselmodules.optional.uni - { - services.pizauth = { - enable = true; - accounts = { - uni = { - authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; - tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; - clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; - clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; - scopes = [ - "https://outlook.office365.com/IMAP.AccessAsUser.All" - "https://outlook.office365.com/SMTP.Send" - "offline_access" - ]; - loginHint = "${nixosConfig.repo.secrets.local.uni.mailAddress}"; - }; + config = { + services.pizauth = { + enable = true; + accounts = { + uni = { + authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; + tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; + clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; + clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; + scopes = [ + "https://outlook.office365.com/IMAP.AccessAsUser.All" + "https://outlook.office365.com/SMTP.Send" + "offline_access" + ]; + loginHint = "${confLib.getConfig.repo.secrets.local.uni.mailAddress}"; }; }; }; + }; } diff --git a/modules/home/optional/work.nix b/modules/home/optional/work.nix index c7611a5..26b377a 100644 --- a/modules/home/optional/work.nix +++ b/modules/home/optional/work.nix 
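Review bot: `clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"` remains a plaintext OAuth client secret in a repository that otherwise routes secrets through `repo.secrets`/sops (the `loginHint` a few lines down is pulled from `confLib.getConfig.repo.secrets.local.uni`), and it is now active unconditionally because the `mkEnableOption` gate was removed. If this is a public-client secret that the Microsoft application registration treats as non-confidential, say so in a comment, e.g. `# public-client secret; the app registration is configured as non-confidential`; otherwise move it to a sops secret and rotate it, since it already sits in git history. The hunk only re-indents, so the exposure is pre-existing, but this commit was the natural place to address it.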
@@ -1,395 +1,425 @@ -{ self, inputs, config, pkgs, lib, vars, nixosConfig ? config, ... }: +{ self, inputs, config, pkgs, lib, vars, confLib, ... }: let inherit (config.swarselsystems) homeDir mainUser; - inherit (nixosConfig.repo.secrets.local.mail) allMailAddresses; - inherit (nixosConfig.repo.secrets.local.work) mailAddress; + inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses; + inherit (confLib.getConfig.repo.secrets.local.work) mailAddress; certsSopsFile = self + /secrets/certs/secrets.yaml; in { - options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings"; - config = lib.mkIf config.swarselmodules.optional.work - ({ - home = { - packages = with pkgs; [ - stable.teams-for-linux - shellcheck - dig - docker - postman - # rclone - libguestfs-with-appliance - prometheus.cli - tigervnc - # openstackclient + options.swarselmodules.optional-work = lib.swarselsystems.mkTrueOption; + config = { + home = { + packages = with pkgs; [ + stable.teams-for-linux + shellcheck + dig + docker + postman + # rclone + libguestfs-with-appliance + prometheus.cli + tigervnc + # openstackclient - vscode - dev.antigravity + vscode + dev.antigravity - rustdesk-vbc + rustdesk-vbc + ]; + sessionVariables = { + AWS_CA_BUNDLE = confLib.getConfig.sops.secrets.harica-root-ca.path; + }; + }; + systemd.user.sessionVariables = { + DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work"; + } // lib.optionalAttrs (!config.swarselsystems.isPublic) { + SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses; + SWARSEL_MAIL_WORK = lib.mkForce mailAddress; + }; + + accounts.email.accounts.work = + let + inherit (confLib.getConfig.repo.secrets.local.work) mailName; + in + { + primary = false; + address = mailAddress; + userName = mailAddress; + realName = mailName; + passwordCommand = "pizauth show work"; + imap = { + host = "outlook.office365.com"; + port = 993; + tls.enable = true; # SSL/TLS + }; + smtp = { + host = "outlook.office365.com"; + port = 587; + tls = 
{ + enable = true; # SSL/TLS + useStartTls = true; + }; + }; + thunderbird = { + enable = true; + profiles = [ "default" ]; + settings = id: { + "mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth + "mail.server.server_${id}.authMethod" = 10; # oauth + # "toolkit.telemetry.enabled" = false; + # "toolkit.telemetry.rejected" = true; + # "toolkit.telemetry.prompted" = 2; + }; + }; + msmtp = { + enable = true; + extraConfig = { + auth = "xoauth2"; + host = "outlook.office365.com"; + protocol = "smtp"; + port = "587"; + tls = "on"; + tls_starttls = "on"; + from = "${mailAddress}"; + user = "${mailAddress}"; + passwordeval = "pizauth show work"; + }; + }; + mu.enable = true; + mbsync = { + enable = true; + expunge = "both"; + patterns = [ "INBOX" ]; + extraConfig = { + account = { + AuthMechs = "XOAUTH2"; + }; + }; + }; + }; + + # wayland.windowManager.sway.config = { + # output = { + # "Applied Creative Technology Transmitter QUATTRO201811" = { + # bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}"; + # }; + # "Hewlett Packard HP Z24i CN44250RDT" = { + # bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}"; + # }; + # "HP Inc. 
HP 732pk CNC4080YL5" = { + # bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}"; + # }; + # }; + # }; + + wayland.windowManager.sway = + let + inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress; + in + { + config = { + keybindings = + let + inherit (config.wayland.windowManager.sway.config) modifier; + in + { + "${modifier}+Shift+d" = "exec ${pkgs.quickpass}/bin/quickpass work/adm/${user1}/${user1Long}@${domain1}"; + "${modifier}+Shift+i" = "exec ${pkgs.quickpass}/bin/quickpass work/${mailAddress}"; + }; + }; + }; + + stylix = { + targets.firefox.profileNames = + let + inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3; + in + [ + "${user1}" + "${user2}" + "${user3}" + "work" ]; - sessionVariables = { - AWS_CA_BUNDLE = nixosConfig.sops.secrets.harica-root-ca.path; + }; + + programs = + let + inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds; + in + { + openstackclient = { + enable = true; + inherit clouds; }; - }; - systemd.user.sessionVariables = { - DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work"; - } // lib.optionalAttrs (!config.swarselsystems.isPublic) { - SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses; - SWARSEL_MAIL_WORK = lib.mkForce mailAddress; - }; - - accounts.email.accounts.work = - let - inherit (nixosConfig.repo.secrets.local.work) mailName; - in - { - primary = false; - address = mailAddress; - userName = mailAddress; - realName = mailName; - passwordCommand = "pizauth show work"; - imap = { - host = "outlook.office365.com"; - port = 993; - tls.enable = true; # SSL/TLS - }; - smtp = { - host = "outlook.office365.com"; - port = 587; - tls = { - enable = true; # SSL/TLS - useStartTls = true; - }; - }; - thunderbird = { - enable = true; - profiles = [ "default" ]; - settings = id: { - 
"mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth - "mail.server.server_${id}.authMethod" = 10; # oauth - # "toolkit.telemetry.enabled" = false; - # "toolkit.telemetry.rejected" = true; - # "toolkit.telemetry.prompted" = 2; - }; - }; - msmtp = { - enable = true; - extraConfig = { - auth = "xoauth2"; - host = "outlook.office365.com"; - protocol = "smtp"; - port = "587"; - tls = "on"; - tls_starttls = "on"; - from = "${mailAddress}"; - user = "${mailAddress}"; - passwordeval = "pizauth show work"; - }; - }; - mu.enable = true; - mbsync = { - enable = true; - expunge = "both"; - patterns = [ "INBOX" ]; - extraConfig = { - account = { - AuthMechs = "XOAUTH2"; - }; - }; - }; + awscli = { + enable = true; + package = pkgs.stable24_05.awscli2; + # settings = { + # "default" = { }; + # "profile s3-imagebuilder-prod" = { }; + # }; + # credentials = { + # "s3-imagebuilder-prod" = { + # aws_access_key_id = "5OYXY4879EJG9I91K1B6"; + # credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key"; + # }; + # }; }; + git.settings.user.email = lib.mkForce gitMail; - # wayland.windowManager.sway.config = { - # output = { - # "Applied Creative Technology Transmitter QUATTRO201811" = { - # bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}"; - # }; - # "Hewlett Packard HP Z24i CN44250RDT" = { - # bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}"; - # }; - # "HP Inc. 
HP 732pk CNC4080YL5" = { - # bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}"; - # }; - # }; - # }; - - wayland.windowManager.sway = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress; - in - { - config = { - keybindings = - let - inherit (config.wayland.windowManager.sway.config) modifier; - in - { - "${modifier}+Shift+d" = "exec ${pkgs.quickpass}/bin/quickpass work/adm/${user1}/${user1Long}@${domain1}"; - "${modifier}+Shift+i" = "exec ${pkgs.quickpass}/bin/quickpass work/${mailAddress}"; - }; + zsh = { + shellAliases = { + dssh = "ssh -l ${user1Long}"; + cssh = "ssh -l ${user2Long}"; + wssh = "ssh -l ${user3Long}"; }; - }; - - stylix = { - targets.firefox.profileNames = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; - in - [ - "${user1}" - "${user2}" - "${user3}" - "work" + cdpath = [ + "~/Documents/Work" ]; - }; - - programs = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds; - in - { - openstackclient = { - enable = true; - inherit clouds; - }; - awscli = { - enable = true; - package = pkgs.stable24_05.awscli2; - # settings = { - # "default" = { }; - # "profile s3-imagebuilder-prod" = { }; - # }; - # credentials = { - # "s3-imagebuilder-prod" = { - # aws_access_key_id = "5OYXY4879EJG9I91K1B6"; - # credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key"; - # }; - # }; - }; - git.settings.user.email = lib.mkForce gitMail; - - zsh = { - shellAliases = { - dssh = "ssh -l ${user1Long}"; - cssh = "ssh -l ${user2Long}"; - wssh = "ssh -l ${user3Long}"; - }; - cdpath = [ - "~/Documents/Work" - ]; - dirHashes = { - d = "$HOME/.dotfiles"; - w = "$HOME/Documents/Work"; - s = "$HOME/.dotfiles/secrets"; - pr = "$HOME/Documents/Private"; - ac = path1; - }; - - sessionVariables 
= { - VSPHERE_USER = "$(cat ${nixosConfig.sops.secrets.vcuser.path})"; - VSPHERE_PW = "$(cat ${nixosConfig.sops.secrets.vcpw.path})"; - GOVC_USERNAME = "$(cat ${nixosConfig.sops.secrets.govcuser.path})"; - GOVC_PASSWORD = "$(cat ${nixosConfig.sops.secrets.govcpw.path})"; - GOVC_URL = "$(cat ${nixosConfig.sops.secrets.govcurl.path})"; - GOVC_DATACENTER = "$(cat ${nixosConfig.sops.secrets.govcdc.path})"; - GOVC_DATASTORE = "$(cat ${nixosConfig.sops.secrets.govcds.path})"; - GOVC_HOST = "$(cat ${nixosConfig.sops.secrets.govchost.path})"; - GOVC_RESOURCE_POOL = "$(cat ${nixosConfig.sops.secrets.govcpool.path})"; - GOVC_NETWORK = "$(cat ${nixosConfig.sops.secrets.govcnetwork.path})"; - }; + dirHashes = { + d = "$HOME/.dotfiles"; + w = "$HOME/Documents/Work"; + s = "$HOME/.dotfiles/secrets"; + pr = "$HOME/Documents/Private"; + ac = path1; }; - ssh = { - matchBlocks = { - "${loc1}" = { - hostname = "${loc1}.${domain2}"; - user = user4; - }; - "${loc1}.stg" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.staging" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.dev" = { - hostname = "${loc1}.${lifecycle2}.${domain2}"; - user = user4; - }; - "${loc2}" = { - hostname = "${loc2}.${domain1}"; - user = user1Long; - }; - "${loc2}.stg" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "${loc2}.staging" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "*.${domain1}" = { - user = user1Long; - }; - }; - }; - - firefox = { - profiles = - let - isDefault = false; - in - { - "${user1}" = lib.recursiveUpdate - { - inherit isDefault; - id = 1; - settings = { - "browser.startup.homepage" = "${site1}|${site2}"; - }; - } - vars.firefox; - "${user2}" = lib.recursiveUpdate - { - inherit isDefault; - id = 2; - settings = { - "browser.startup.homepage" = "${site3}"; - }; - } - vars.firefox; - "${user3}" = lib.recursiveUpdate - { - inherit isDefault; - id = 3; - } 
- vars.firefox; - work = lib.recursiveUpdate - { - inherit isDefault; - id = 4; - settings = { - "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; - }; - } - vars.firefox; - }; - }; - - chromium = { - enable = true; - package = pkgs.chromium; - - extensions = [ - # 1password - "gejiddohjgogedgjnonbofjigllpkmbf" - # dark reader - "eimadpbcbfnmbkopoojfekhnkhdbieeh" - # ublock origin - "cjpalhdlnbpafiamejdnhcphjbkeiagm" - # i still dont care about cookies - "edibdbjcniadpccecjdfdjjppcpchdlm" - # browserpass - "naepdomgkenhinolocfifgehidddafch" - ]; + sessionVariables = { + VSPHERE_USER = "$(cat ${confLib.getConfig.sops.secrets.vcuser.path})"; + VSPHERE_PW = "$(cat ${confLib.getConfig.sops.secrets.vcpw.path})"; + GOVC_USERNAME = "$(cat ${confLib.getConfig.sops.secrets.govcuser.path})"; + GOVC_PASSWORD = "$(cat ${confLib.getConfig.sops.secrets.govcpw.path})"; + GOVC_URL = "$(cat ${confLib.getConfig.sops.secrets.govcurl.path})"; + GOVC_DATACENTER = "$(cat ${confLib.getConfig.sops.secrets.govcdc.path})"; + GOVC_DATASTORE = "$(cat ${confLib.getConfig.sops.secrets.govcds.path})"; + GOVC_HOST = "$(cat ${confLib.getConfig.sops.secrets.govchost.path})"; + GOVC_RESOURCE_POOL = "$(cat ${confLib.getConfig.sops.secrets.govcpool.path})"; + GOVC_NETWORK = "$(cat ${confLib.getConfig.sops.secrets.govcnetwork.path})"; }; }; - services = { - kanshi = { - settings = [ + ssh = { + matchBlocks = { + "${loc1}" = { + hostname = "${loc1}.${domain2}"; + user = user4; + }; + "${loc1}.stg" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.staging" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.dev" = { + hostname = "${loc1}.${lifecycle2}.${domain2}"; + user = user4; + }; + "${loc2}" = { + hostname = "${loc2}.${domain1}"; + user = user1Long; + }; + "${loc2}.stg" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "${loc2}.staging" = { + hostname = 
"${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "*.${domain1}" = { + user = user1Long; + }; + }; + }; + + firefox = { + profiles = + let + isDefault = false; + in { - # seminary room - output = { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - }; - } - { - # work main screen - output = { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.0; - mode = "3840x2160"; - }; - } - { - # work side screen - output = { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; - scale = 1.0; - mode = "1920x1200"; - transform = "270"; - }; - } - { - profile = { + "${user1}" = lib.recursiveUpdate + { + inherit isDefault; + id = 1; + settings = { + "browser.startup.homepage" = "${site1}|${site2}"; + }; + } + vars.firefox; + "${user2}" = lib.recursiveUpdate + { + inherit isDefault; + id = 2; + settings = { + "browser.startup.homepage" = "${site3}"; + }; + } + vars.firefox; + "${user3}" = lib.recursiveUpdate + { + inherit isDefault; + id = 3; + } + vars.firefox; + work = lib.recursiveUpdate + { + inherit isDefault; + id = 4; + settings = { + "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; + }; + } + vars.firefox; + }; + }; + + chromium = { + enable = true; + package = pkgs.chromium; + + extensions = [ + # 1password + "gejiddohjgogedgjnonbofjigllpkmbf" + # dark reader + "eimadpbcbfnmbkopoojfekhnkhdbieeh" + # ublock origin + "cjpalhdlnbpafiamejdnhcphjbkeiagm" + # i still dont care about cookies + "edibdbjcniadpccecjdfdjjppcpchdlm" + # browserpass + "naepdomgkenhinolocfifgehidddafch" + ]; + }; + }; + + services = { + kanshi = { + settings = [ + { + # seminary room + output = { + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + scale = 1.0; + mode = "1280x720"; + }; + } + { + # work main screen + output = { + criteria = "HP Inc. 
HP 732pk CNC4080YL5"; + scale = 1.0; + mode = "3840x2160"; + }; + } + { + # work side screen + output = { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "270"; + }; + } + { + profile = { + name = "lidopen"; + exec = [ + "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" + ]; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "enable"; + scale = 1.5; + position = "1462,0"; + } + { + criteria = "HP Inc. HP 732pk CNC4080YL5"; + scale = 1.4; + mode = "3840x2160"; + position = "-1280,0"; + } + { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "90"; + position = "-2480,0"; + } + ]; + }; + } + { + profile = + let + monitor = "Applied Creative Technology Transmitter QUATTRO201811"; + in + { name = "lidopen"; exec = [ "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. 
HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'" ]; outputs = [ { criteria = config.swarselsystems.sharescreen; status = "enable"; - scale = 1.5; - position = "1462,0"; + scale = 1.7; + position = "2560,0"; } { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.4; - mode = "3840x2160"; - position = "-1280,0"; - } - { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; scale = 1.0; - mode = "1920x1200"; - transform = "90"; - position = "-2480,0"; + mode = "1280x720"; + position = "10000,10000"; } ]; }; - } - { - profile = - let - monitor = "Applied Creative Technology Transmitter QUATTRO201811"; - in + } + { + profile = { + name = "lidclosed"; + exec = [ + "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. 
HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" + ]; + outputs = [ { - name = "lidopen"; - exec = [ - "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'" - ]; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "enable"; - scale = 1.7; - position = "2560,0"; - } - { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - position = "10000,10000"; - } - ]; - }; - } - { - profile = { + criteria = config.swarselsystems.sharescreen; + status = "disable"; + } + { + criteria = "HP Inc. HP 732pk CNC4080YL5"; + scale = 1.4; + mode = "3840x2160"; + position = "-1280,0"; + } + { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "270"; + position = "-2480,0"; + } + ]; + }; + } + { + profile = + let + monitor = "Applied Creative Technology Transmitter QUATTRO201811"; + in + { name = "lidclosed"; exec = [ - "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" ]; outputs = [ { 
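Review bot: `options.swarselmodules.optional-work = lib.swarselsystems.mkTrueOption;` declares an option that nothing in this module consults: the old `lib.mkIf config.swarselmodules.optional.work` gate was replaced by an unconditional `config = {`, so a host setting `optional-work = false` gets the work packages, mail account and SSH aliases anyway. Either restore the gate, `config = lib.mkIf config.swarselmodules.optional-work {`, or, if the option is only meant as a presence marker in the style of `config.swarselmodules ? niri` in uwsm.nix, say so in a comment next to the declaration. Separately, the `programs.zsh.sessionVariables` block in this hunk exports `VSPHERE_PW` and `GOVC_PASSWORD` via `$(cat …)` into the shell environment, where every child process inherits them and anything running as the user can read them from `/proc/<pid>/environ`; a small function that exports them on demand (e.g. `govcenv`) keeps the vCenter credentials out of unrelated processes. The hunk ends inside the kanshi `lidopen` profile's `outputs` list, which continues in the next hunk.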
@@ -397,271 +427,240 @@ in status = "disable"; } { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.4; - mode = "3840x2160"; - position = "-1280,0"; - } - { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; scale = 1.0; - mode = "1920x1200"; - transform = "270"; - position = "-2480,0"; + mode = "1280x720"; + position = "10000,10000"; } ]; }; - } - { - profile = - let - monitor = "Applied Creative Technology Transmitter QUATTRO201811"; - in - { - name = "lidclosed"; - exec = [ - "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" - ]; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "disable"; - } - { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - position = "10000,10000"; - } - ]; - }; - } - ]; - }; - }; - - systemd.user.services = { - pizauth.Service = { - ExecStartPost = [ - "${pkgs.toybox}/bin/sleep 1" - "//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'" - ]; - }; - - teams-applet = { - Unit = { - Description = "teams applet"; - Requires = [ "tray.target" ]; - After = [ - "graphical-session.target" - "tray.target" - ]; - PartOf = [ "graphical-session.target" ]; - }; - - Install = { - WantedBy = [ "graphical-session.target" ]; - }; - - Service = { - ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; - }; - }; - - onepassword-applet = { - Unit = { - Description = "1password applet"; - Requires = [ "tray.target" ]; - After = [ - "graphical-session.target" - "tray.target" - ]; - PartOf = [ "graphical-session.target" ]; - }; - - Install = { - WantedBy = [ "graphical-session.target" ]; - }; - - Service = { - ExecStart = "${pkgs._1password-gui}/bin/1password"; - }; - }; - - }; - - services.pizauth = { - enable = true; - 
extraConfig = '' - auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi"; - error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\""; - token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"; - ''; - accounts = { - work = { - authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; - tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; - clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; - clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; - scopes = [ - "https://outlook.office365.com/IMAP.AccessAsUser.All" - "https://outlook.office365.com/SMTP.Send" - "offline_access" - ]; - loginHint = "${nixosConfig.repo.secrets.local.work.mailAddress}"; - }; - }; - - }; - - xdg = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; - in - { - mimeApps = { - defaultApplications = { - "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; - }; - }; - desktopEntries = - let - terminal = false; - categories = [ "Application" ]; - icon = "firefox"; - in - { - firefox_work = { - name = "Firefox (work)"; - genericName = "Firefox work"; - exec = "firefox -p work"; - inherit terminal categories icon; - }; - "firefox_${user1}" = { - name = "Firefox (${user1})"; - genericName = "Firefox ${user1}"; - exec = "firefox -p ${user1}"; - inherit terminal categories icon; - }; - - "firefox_${user2}" = { - name = "Firefox (${user2})"; - genericName = "Firefox ${user2}"; - exec = "firefox -p ${user2}"; - inherit terminal categories icon; - }; - - "firefox_${user3}" = { - name = "Firefox (${user3})"; - genericName = "Firefox ${user3}"; - exec = "firefox -p ${user3}"; - inherit terminal categories icon; - }; - - - }; - }; - swarselsystems = { - startup = [ - # { command = "nextcloud --background"; } - # { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto 
--enable-features=WaylandWindowDecorations --enable-wayland-ime"; } - # { command = "element-desktop --hidden --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; } - # { command = "anki"; } - # { command = "obsidian"; } - # { command = "nm-applet"; } - # { command = "feishin"; } - # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; } - # { command = "1password"; } + } ]; - monitors = { - work_back_middle = rec { - name = "LG Electronics LG Ultra HD 0x000305A6"; - mode = "2560x1440"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-10"; - output = name; - }; - work_front_left = rec { - name = "LG Electronics LG Ultra HD 0x0007AB45"; - mode = "3840x2160"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-7"; - output = name; - }; - work_back_right = rec { - name = "HP Inc. HP Z32 CN41212T55"; - mode = "3840x2160"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-3"; - output = name; - }; - work_middle_middle_main = rec { - name = "HP Inc. HP 732pk CNC4080YL5"; - mode = "3840x2160"; - scale = "1"; - position = "-1280,0"; - workspace = "11:M"; - # output = "DP-8"; - output = name; - }; - work_middle_middle_side = rec { - name = "Hewlett Packard HP Z24i CN44250RDT"; - mode = "1920x1200"; - transform = "270"; - scale = "1"; - position = "-2480,0"; - workspace = "12:S"; - # output = "DP-9"; - output = name; - }; - work_seminary = rec { - name = "Applied Creative Technology Transmitter QUATTRO201811"; - mode = "1280x720"; - scale = "1"; - position = "10000,10000"; # i.e. 
this screen is inaccessible by moving the mouse - workspace = "14:T"; - # output = "DP-4"; - output = name; - }; - }; - inputs = { - "1133:45081:MX_Master_2S_Keyboard" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; - # "2362:628:PIXA3854:00_093A:0274_Touchpad" = { - # dwt = "enabled"; - # tap = "enabled"; - # natural_scroll = "enabled"; - # middle_emulation = "enabled"; - # drag_lock = "disabled"; - # }; - "1133:50504:Logitech_USB_Receiver" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; - "1133:45944:MX_KEYS_S" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; + }; + }; + + systemd.user.services = { + pizauth.Service = { + ExecStartPost = [ + "${pkgs.toybox}/bin/sleep 1" + "//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'" + ]; + }; + + teams-applet = { + Unit = { + Description = "teams applet"; + Requires = [ "tray.target" ]; + After = [ + "graphical-session.target" + "tray.target" + ]; + PartOf = [ "graphical-session.target" ]; }; - }; - } // lib.optionalAttrs (inputs ? 
sops) { - sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { - harica-root-ca = { - sopsFile = certsSopsFile; - path = "${homeDir}/.aws/certs/harica-root.pem"; - owner = mainUser; + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + + Service = { + ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }; }; - }); + onepassword-applet = { + Unit = { + Description = "1password applet"; + Requires = [ "tray.target" ]; + After = [ + "graphical-session.target" + "tray.target" + ]; + PartOf = [ "graphical-session.target" ]; + }; + + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + + Service = { + ExecStart = "${pkgs._1password-gui}/bin/1password"; + }; + }; + + }; + + services.pizauth = { + enable = true; + extraConfig = '' + auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi"; + error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\""; + token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"; + ''; + accounts = { + work = { + authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; + tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; + clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; + clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; + scopes = [ + "https://outlook.office365.com/IMAP.AccessAsUser.All" + "https://outlook.office365.com/SMTP.Send" + "offline_access" + ]; + loginHint = "${confLib.getConfig.repo.secrets.local.work.mailAddress}"; + }; + }; + + }; + + xdg = + let + inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3; + in + { + mimeApps = { + defaultApplications = { + "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; + }; + }; + desktopEntries = + let + terminal = false; + categories = [ "Application" ]; + 
icon = "firefox"; + in + { + firefox_work = { + name = "Firefox (work)"; + genericName = "Firefox work"; + exec = "firefox -p work"; + inherit terminal categories icon; + }; + "firefox_${user1}" = { + name = "Firefox (${user1})"; + genericName = "Firefox ${user1}"; + exec = "firefox -p ${user1}"; + inherit terminal categories icon; + }; + + "firefox_${user2}" = { + name = "Firefox (${user2})"; + genericName = "Firefox ${user2}"; + exec = "firefox -p ${user2}"; + inherit terminal categories icon; + }; + + "firefox_${user3}" = { + name = "Firefox (${user3})"; + genericName = "Firefox ${user3}"; + exec = "firefox -p ${user3}"; + inherit terminal categories icon; + }; + + + }; + }; + swarselsystems = { + startup = [ + # { command = "nextcloud --background"; } + # { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; } + # { command = "element-desktop --hidden --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; } + # { command = "anki"; } + # { command = "obsidian"; } + # { command = "nm-applet"; } + # { command = "feishin"; } + # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; } + # { command = "1password"; } + ]; + monitors = { + work_back_middle = rec { + name = "LG Electronics LG Ultra HD 0x000305A6"; + mode = "2560x1440"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-10"; + output = name; + }; + work_front_left = rec { + name = "LG Electronics LG Ultra HD 0x0007AB45"; + mode = "3840x2160"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-7"; + output = name; + }; + work_back_right = rec { + name = "HP Inc. HP Z32 CN41212T55"; + mode = "3840x2160"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-3"; + output = name; + }; + work_middle_middle_main = rec { + name = "HP Inc. 
HP 732pk CNC4080YL5"; + mode = "3840x2160"; + scale = "1"; + position = "-1280,0"; + workspace = "11:M"; + # output = "DP-8"; + output = name; + }; + work_middle_middle_side = rec { + name = "Hewlett Packard HP Z24i CN44250RDT"; + mode = "1920x1200"; + transform = "270"; + scale = "1"; + position = "-2480,0"; + workspace = "12:S"; + # output = "DP-9"; + output = name; + }; + work_seminary = rec { + name = "Applied Creative Technology Transmitter QUATTRO201811"; + mode = "1280x720"; + scale = "1"; + position = "10000,10000"; # i.e. this screen is inaccessible by moving the mouse + workspace = "14:T"; + # output = "DP-4"; + output = name; + }; + }; + inputs = { + "1133:45081:MX_Master_2S_Keyboard" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + # "2362:628:PIXA3854:00_093A:0274_Touchpad" = { + # dwt = "enabled"; + # tap = "enabled"; + # natural_scroll = "enabled"; + # middle_emulation = "enabled"; + # drag_lock = "disabled"; + # }; + "1133:50504:Logitech_USB_Receiver" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + "1133:45944:MX_KEYS_S" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + }; + + }; + } // lib.optionalAttrs (inputs ? sops) { + sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { + harica-root-ca = { + sopsFile = certsSopsFile; + path = "${homeDir}/.aws/certs/harica-root.pem"; + owner = mainUser; + }; + }; + + }; } diff --git a/modules/nixos/client/remotebuild.nix b/modules/nixos/client/remotebuild.nix new file mode 100644 index 0000000..0ce54c3 --- /dev/null +++ b/modules/nixos/client/remotebuild.nix 
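Review bot: `token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"` persists pizauth's token state — which must include the refresh tokens, since the `ExecStartPost` a few lines above restores the session from it — through a plain shell redirect, so the file is created with whatever the session umask yields (commonly 0644) rather than 0600; the command should set the mode itself, e.g. `token_event_cmd = "umask 077; pizauth dump > ${homeDir}/.pizauth.state"`. The same literal `clientSecret` that uni.nix carries is repeated in this hunk's `services.pizauth.accounts.work` and should come from the sops-managed secrets like `loginHint` does. As a point of style, the `"//bin/sh -c …"` in the pizauth `ExecStartPost` works on Linux but reads like a typo for `/bin/sh`.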
@@ -0,0 +1,85 @@ +{ lib, config, globals, ... }: +let + inherit (config.swarselsystems) homeDir mainUser isClient; +in +{ + options.swarselmodules.remotebuild = lib.mkEnableOption "enable remote builds on this machine"; + config = lib.mkIf config.swarselmodules.remotebuild { + + sops.secrets = { + builder-key = lib.mkIf isClient { owner = mainUser; path = "${homeDir}/.ssh/builder"; mode = "0600"; }; + nixbuild-net-key = { owner = mainUser; path = "${homeDir}/.ssh/nixbuild-net"; mode = "0600"; }; + }; + + nix = { + settings.builders-use-substitutes = true; + distributedBuilds = true; + buildMachines = [ + (lib.mkIf isClient { + hostName = config.repo.secrets.common.builder1-ip; + system = "aarch64-linux"; + maxJobs = 20; + speedFactor = 10; + }) + (lib.mkIf isClient { + hostName = globals.hosts.belchsfactory.wanAddress4; + system = "aarch64-linux"; + maxJobs = 4; + speedFactor = 2; + protocol = "ssh-ng"; + }) + { + hostName = "eu.nixbuild.net"; + system = "x86_64-linux"; + maxJobs = 100; + speedFactor = 2; + supportedFeatures = [ "big-parallel" ]; + } + ]; + }; + programs.ssh = { + knownHosts = { + nixbuild = { + hostNames = [ "eu.nixbuild.net" ]; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM"; + }; + builder1 = lib.mkIf isClient { + hostNames = [ config.repo.secrets.common.builder1-ip ]; + publicKey = config.repo.secrets.common.builder1-pubHostKey; + }; + jump = lib.mkIf isClient { + hostNames = [ globals.hosts.liliputsteps.wanAddress4 ]; + publicKey = config.repo.secrets.common.jump-pubHostKey; + }; + builder2 = lib.mkIf isClient { + hostNames = [ globals.hosts.belchsfactory.wanAddress4 ]; + publicKey = config.repo.secrets.common.builder2-pubHostKey; + }; + }; + extraConfig = '' + Host eu.nixbuild.net + ConnectTimeout 1 + PubkeyAcceptedKeyTypes ssh-ed25519 + ServerAliveInterval 60 + IPQoS throughput + IdentityFile ${config.sops.secrets.nixbuild-net-key.path} + '' + lib.optionalString isClient '' + Host 
${config.repo.secrets.common.builder1-ip} + ConnectTimeout 1 + User ${mainUser} + IdentityFile ${config.sops.secrets.builder-key.path} + + Host ${globals.hosts.belchsfactory.wanAddress4} + ConnectTimeout 5 + ProxyJump ${globals.hosts.liliputsteps.wanAddress4} + User builder + IdentityFile ${config.sops.secrets.builder-key.path} + + Host ${globals.hosts.liliputsteps.wanAddress4} + ConnectTimeout 1 + User jump + IdentityFile ${config.sops.secrets.builder-key.path} + ''; + }; + }; +} diff --git a/modules/nixos/client/uwsm.nix b/modules/nixos/client/uwsm.nix index 28888f0..5c9d66e 100644 --- a/modules/nixos/client/uwsm.nix +++ b/modules/nixos/client/uwsm.nix @@ -13,7 +13,7 @@ in comment = "Sway compositor managed by UWSM"; binPath = "/run/current-system/sw/bin/sway"; }; - niri = { + niri = lib.mkIf (config.swarselmodules ? niri) { prettyName = "Niri"; comment = "Niri compositor managed by UWSM"; binPath = "/run/current-system/sw/bin/niri-session"; diff --git a/modules/nixos/common/globals.nix b/modules/nixos/common/globals.nix index b152069..9cae3d7 100644 --- a/modules/nixos/common/globals.nix +++ b/modules/nixos/common/globals.nix @@ -82,7 +82,8 @@ let if netSubmod.config.cidrv6 == null then null else - lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv6; + # if we use the /32 wan address as local address directly, do not use the network address in ipv6 + lib.net.cidr.hostCidr (if hostSubmod.config.id == 0 then 1 else hostSubmod.config.id) netSubmod.config.cidrv6; }; }; }) @@ -196,6 +197,10 @@ in main = mkOption { type = types.str; }; + externalDns = mkOption { + type = types.listOf types.str; + description = "List of external dns nameservers"; + }; }; }; }; diff --git a/modules/nixos/common/home-manager-secrets.nix b/modules/nixos/common/home-manager-secrets.nix index d55fac5..f853132 100644 --- a/modules/nixos/common/home-manager-secrets.nix +++ b/modules/nixos/common/home-manager-secrets.nix 
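Review bot: A single `builder-key` secret is the identity for three different principals — `${mainUser}` on builder1, `builder` on belchsfactory and `jump` on the bastion (the three `IdentityFile` lines at the end of the hunk) — so one leaked client key unlocks all three at once, and per the settings.nix hunk in this same commit `builder` becomes a nix `trusted-users` entry when `ssh-builder` is enabled, which is effectively root over the daemon on that host. Splitting at least the bastion identity into its own secret, e.g. `jump-key = lib.mkIf isClient { owner = mainUser; path = "${homeDir}/.ssh/jump"; mode = "0600"; };` and `IdentityFile ${config.sops.secrets.jump-key.path}` under the liliputsteps `Host` block, limits the blast radius of a stolen laptop key. The pinned `knownHosts` entries for all four hosts are good; a short comment noting that the `eu.nixbuild.net` block lands in the system-wide ssh_config for every user (harmless given the 0600 key mode) would save the next reader a question.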
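Review bot: Remapping `id == 0` to `1` for the IPv6 host address can silently collide with another host that declares `id = 1` in the same network; `lib.net.cidr.hostCidr` does not detect duplicates, so both would be assigned the same v6 address. Either an assertion that the effective v6 ids are unique per network, or a comment on the remap such as `# NOTE: id 1 is reserved for the id-0 host in any network that has one`, makes the constraint explicit. The enclosing `hosts` submodule definition starts outside the hunk.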
@@ -25,7 +25,7 @@ in }) // (lib.optionalAttrs modules.emacs { emacs-radicale-pw = { owner = mainUser; }; github-forge-token = { owner = mainUser; }; - }) // (lib.optionalAttrs modules.optional.work { + }) // (lib.optionalAttrs (modules ? optional-work) { harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; }; }) // (lib.optionalAttrs modules.anki { anki-user = { owner = mainUser; }; diff --git a/modules/nixos/common/nodes.nix b/modules/nixos/common/nodes.nix index a2d1ad7..fe667aa 100644 --- a/modules/nixos/common/nodes.nix +++ b/modules/nixos/common/nodes.nix @@ -34,6 +34,11 @@ let "nginx" "virtualHosts" ] + [ + "swarselsystems" + "server" + "dns" + ] ]; attrsForEachOption = diff --git a/modules/nixos/common/settings.nix b/modules/nixos/common/settings.nix index 52fe175..2ab4bbe 100644 --- a/modules/nixos/common/settings.nix +++ b/modules/nixos/common/settings.nix @@ -59,8 +59,8 @@ in config = lib.mkIf config.swarselmodules.general (lib.recursiveUpdate { - sops.secrets.github-api-token = lib.mkIf (!minimal) { - owner = mainUser; + sops.secrets = lib.mkIf (!minimal) { + github-api-token = { owner = mainUser; }; }; nix = @@ -83,7 +83,11 @@ in trusted-public-keys = [ atticPublicKey ]; - trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ]; + trusted-users = [ + "@wheel" + "${config.swarselsystems.mainUser}" + (lib.mkIf config.swarselmodules.server.ssh-builder "builder") + ]; }; # extraOptions = '' # plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins diff --git a/modules/nixos/optional/amdcpu.nix b/modules/nixos/optional/amdcpu.nix index 9051b9d..64ea60d 100644 --- a/modules/nixos/optional/amdcpu.nix +++ b/modules/nixos/optional/amdcpu.nix @@ -1,7 +1,6 @@ -{ lib, config, ... }: +_: { - options.swarselmodules.optional.amdcpu = lib.mkEnableOption "optional amd cpu settings"; - config = lib.mkIf config.swarselmodules.optional.amdcpu { + config = { hardware = { cpu.amd.updateMicrocode = true; }; 
diff --git a/modules/nixos/optional/amdgpu.nix b/modules/nixos/optional/amdgpu.nix index 7af14c6..f81461c 100644 --- a/modules/nixos/optional/amdgpu.nix +++ b/modules/nixos/optional/amdgpu.nix @@ -1,7 +1,6 @@ -{ lib, config, ... }: +_: { - options.swarselmodules.optional.amdgpu = lib.mkEnableOption "optional amd gpu settings"; - config = lib.mkIf config.swarselmodules.optional.amdgpu { + config = { hardware = { amdgpu = { opencl.enable = true; diff --git a/modules/nixos/optional/framework.nix b/modules/nixos/optional/framework.nix index 5f0d00d..cade27e 100644 --- a/modules/nixos/optional/framework.nix +++ b/modules/nixos/optional/framework.nix @@ -1,7 +1,13 @@ -{ lib, config, ... }: +{ self, config, ... }: { - options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings"; - config = lib.mkIf config.swarselmodules.optional.framework { + config = { + + home-manager.users."${config.swarselsystems.mainUser}" = { + imports = [ + "${self}/modules/home/optional/framework.nix" + ]; + }; + services = { fwupd = { enable = true; diff --git a/modules/nixos/optional/gaming.nix b/modules/nixos/optional/gaming.nix index 5f28872..09dcec1 100644 --- a/modules/nixos/optional/gaming.nix +++ b/modules/nixos/optional/gaming.nix @@ -1,7 +1,13 @@ -{ pkgs, lib, config, ... }: +{ self, pkgs, config, ... }: { - options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings"; - config = lib.mkIf config.swarselmodules.optional.gaming { + config = { + + home-manager.users."${config.swarselsystems.mainUser}" = { + imports = [ + "${self}/modules/home/optional/gaming.nix" + ]; + }; + programs.steam = { enable = true; package = pkgs.steam; diff --git a/modules/nixos/optional/hibernation.nix b/modules/nixos/optional/hibernation.nix index d6f0758..29c9675 100644 --- a/modules/nixos/optional/hibernation.nix +++ b/modules/nixos/optional/hibernation.nix 
@@ -1,6 +1,5 @@ { lib, config, ... }: { - options.swarselmodules.optional.hibernation = lib.mkEnableOption "optional amd gpu settings"; options.swarselsystems = { hibernation = { offset = lib.mkOption { @@ -13,7 +12,7 @@ }; }; }; - config = lib.mkIf config.swarselmodules.optional.hibernation { + config = { boot = { kernelParams = [ "resume_offset=${builtins.toString config.swarselsystems.hibernation.offset}" diff --git a/modules/nixos/optional/microvm-guest.nix b/modules/nixos/optional/microvm-guest.nix index 8650fbc..a90a2cf 100644 --- a/modules/nixos/optional/microvm-guest.nix +++ b/modules/nixos/optional/microvm-guest.nix @@ -1,11 +1,9 @@ -{ lib, config, ... }: +_: { - options.swarselmodules.optional.microvmGuest = lib.mkEnableOption "optional microvmGuest settings"; # imports = [ # inputs.microvm.nixosModules.microvm - # "${self}/profiles/nixos" - # "${self}/modules/nixos" # ]; - config = lib.mkIf config.swarselmodules.optional.microvmGuest + + config = { }; } diff --git a/modules/nixos/optional/microvm-host.nix b/modules/nixos/optional/microvm-host.nix index 97a9059..2948824 100644 --- a/modules/nixos/optional/microvm-host.nix +++ b/modules/nixos/optional/microvm-host.nix @@ -1,10 +1,7 @@ -{ lib, config, ... }: +{ config, lib, ... }: { - options = { - swarselmodules.optional.microvmHost = lib.mkEnableOption "optional microvmHost settings"; - }; # imports = [ - # inputs.microvm.nixosModules.host + # inputs.microvm.nixosModules.host # ]; config = lib.mkIf (config.guests != { }) { diff --git a/modules/nixos/client/niri.nix b/modules/nixos/optional/niri.nix similarity index 86% rename from modules/nixos/client/niri.nix rename to modules/nixos/optional/niri.nix index 4724319..80b5c5a 100644 --- a/modules/nixos/client/niri.nix +++ b/modules/nixos/optional/niri.nix 
@@ -1,8 +1,11 @@ -{ lib, config, pkgs, ... }: +{ inputs, lib, config, pkgs, ... }: let moduleName = "niri"; in { + imports = [ + inputs.niri-flake.nixosModules.niri + ]; options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings"; config = lib.mkIf config.swarselmodules.${moduleName} { diff --git a/modules/nixos/optional/nswitch-rcm.nix b/modules/nixos/optional/nswitch-rcm.nix index 3af88db..00fb2c1 100644 --- a/modules/nixos/optional/nswitch-rcm.nix +++ b/modules/nixos/optional/nswitch-rcm.nix @@ -1,7 +1,6 @@ -{ lib, config, pkgs, ... }: +{ pkgs, ... }: { - options.swarselmodules.optional.nswitch-rcm = lib.mkEnableOption "optional nswitch-rcm settings"; - config = lib.mkIf config.swarselmodules.optional.nswitch-rcm { + config = { services.nswitch-rcm = { enable = true; package = pkgs.fetchurl { diff --git a/modules/nixos/optional/systemd-networkd-server.nix b/modules/nixos/optional/systemd-networkd-server.nix new file mode 100644 index 0000000..059072b --- /dev/null +++ b/modules/nixos/optional/systemd-networkd-server.nix 
@@ -0,0 +1,50 @@ +{ lib, config, globals, ... }: +{ + networking = { + useDHCP = lib.mkForce false; + useNetworkd = true; + dhcpcd.enable = false; + renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) ( + config.repo.secrets.local.networking.networks or { } + ); + }; + boot.initrd.systemd.network = { + enable = true; + networks."10-${config.swarselsystems.server.localNetwork}" = config.systemd.network.networks."10-${config.swarselsystems.server.localNetwork}"; + }; + + systemd = { + network = { + enable = true; + wait-online.enable = false; + networks = + let + netConfig = config.repo.secrets.local.networking; + in + { + "10-${config.swarselsystems.server.localNetwork}" = { + address = [ + "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.cidrv4}" + "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.cidrv6}" + ]; + routes = [ + { + Gateway = netConfig.defaultGateway6; + GatewayOnLink = true; + } + { + Gateway = netConfig.defaultGateway4; + GatewayOnLink = true; + } + ]; + networkConfig = { + IPv6PrivacyExtensions = true; + IPv6AcceptRA = false; + }; + matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac; + linkConfig.RequiredForOnline = "routable"; + }; + }; + }; + }; +} diff --git a/modules/nixos/optional/uni.nix b/modules/nixos/optional/uni.nix new file mode 100644 index 0000000..1edf3b4 --- /dev/null +++ b/modules/nixos/optional/uni.nix @@ -0,0 +1,11 @@ +{ self, config, ... }: +{ + config = { + + home-manager.users."${config.swarselsystems.mainUser}" = { + imports = [ + "${self}/modules/home/optional/work.nix" + ]; + }; + }; +} diff --git a/modules/nixos/optional/virtualbox.nix b/modules/nixos/optional/virtualbox.nix index dc5aa61..2d70471 100644 --- a/modules/nixos/optional/virtualbox.nix +++ b/modules/nixos/optional/virtualbox.nix 
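Review bot: `address` interpolates `cidrv6` unconditionally, but globals.nix (earlier in this commit) yields `cidrv6 = null` when the network has no v6 prefix, so on a v4-only network this module fails to evaluate with a null-to-string coercion error rather than degrading to v4; the `Gateway = netConfig.defaultGateway6` route has the same problem if that key is absent from the host secret. Guarding both, e.g. `address = [ host.cidrv4 ] ++ lib.optional (host.cidrv6 != null) host.cidrv6;` with `host` bound to the `globals.networks.${…netConfigName}.hosts.${config.node.name}` attrset and the v6 route wrapped in `lib.optional (netConfig ? defaultGateway6)`, keeps the module usable on hosts without IPv6. Since the unit is copied verbatim into `boot.initrd.systemd.network`, the same failure would also hit the initrd networking path, which disk-encrypt.nix appears to rely on for unlock.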
@@ -1,7 +1,6 @@ { lib, config, pkgs, ... }: { - options.swarselmodules.optional.virtualbox = lib.mkEnableOption "optional VBox settings"; - config = lib.mkIf config.swarselmodules.optional.virtualbox { + config = { # specialisation = { # VBox.configuration = { virtualisation.virtualbox = { diff --git a/modules/nixos/optional/vmware.nix b/modules/nixos/optional/vmware.nix index 4236080..d79ff04 100644 --- a/modules/nixos/optional/vmware.nix +++ b/modules/nixos/optional/vmware.nix @@ -1,8 +1,7 @@ -{ lib, config, ... }: +_: { - options.swarselmodules.optional.vmware = lib.mkEnableOption "optional vmware settings"; - config = lib.mkIf config.swarselmodules.optional.vmware { + config = { virtualisation.vmware.host.enable = true; virtualisation.vmware.guest.enable = true; }; diff --git a/modules/nixos/optional/work.nix b/modules/nixos/optional/work.nix index edec1bb..ccfbe7a 100644 --- a/modules/nixos/optional/work.nix +++ b/modules/nixos/optional/work.nix @@ -1,4 +1,4 @@ -{ self, lib, pkgs, config, configName, ... }: +{ self, lib, pkgs, config, ... }: let inherit (config.swarselsystems) mainUser homeDir; iwd = config.networking.networkmanager.wifi.backend == "iwd"; @@ -6,18 +6,24 @@ let sopsFile = self + /secrets/work/secrets.yaml; in { - options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings"; options.swarselsystems = { hostName = lib.mkOption { type = lib.types.str; - default = configName; + default = config.node.name; }; fqdn = lib.mkOption { type = lib.types.str; default = ""; }; }; - config = lib.mkIf config.swarselmodules.optional.work { + config = { + + home-manager.users."${config.swarselsystems.mainUser}" = { + imports = [ + "${self}/modules/home/optional/work.nix" + ]; + }; + sops = let secretNames = [ diff --git a/modules/nixos/server/ankisync.nix b/modules/nixos/server/ankisync.nix index f9ca2cd..6c283b3 100644 --- a/modules/nixos/server/ankisync.nix +++ b/modules/nixos/server/ankisync.nix 
@@ -9,7 +9,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/attic.nix b/modules/nixos/server/attic.nix index 0a2f005..3cd0a69 100644 --- a/modules/nixos/server/attic.nix +++ b/modules/nixos/server/attic.nix @@ -10,7 +10,7 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/atuin.nix b/modules/nixos/server/atuin.nix index 9cb6747..ab782c8 100644 --- a/modules/nixos/server/atuin.nix +++ b/modules/nixos/server/atuin.nix @@ -6,7 +6,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/bastion.nix b/modules/nixos/server/bastion.nix new file mode 100644 index 0000000..3d797d7 --- /dev/null +++ b/modules/nixos/server/bastion.nix 
@@ -0,0 +1,67 @@ +{ self, lib, config, ... }: +{ + options.swarselmodules.server.bastion = lib.mkEnableOption "enable bastion on server"; + config = lib.mkIf config.swarselmodules.server.bastion { + + users = { + groups = { + jump = { }; + }; + users = { + "jump" = { + isNormalUser = true; + useDefaultShell = true; + group = lib.mkForce "jump"; + createHome = lib.mkForce true; + openssh.authorizedKeys.keyFiles = [ + (self + /secrets/keys/ssh/yubikey.pub) + (self + /secrets/keys/ssh/magicant.pub) + (self + /secrets/keys/ssh/builder.pub) + ]; + }; + }; + }; + + + services.openssh = { + enable = true; + startWhenNeeded = lib.mkForce false; + authorizedKeysInHomedir = false; + extraConfig = '' + Match User jump + PermitTTY no + X11Forwarding no + PermitTunnel no + GatewayPorts no + AllowAgentForwarding no + ''; + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + PermitRootLogin = lib.mkDefault "no"; + AllowUsers = [ + "jump" + ]; + }; + hostKeys = lib.mkIf (!config.swarselmodules.server.ssh) [ + { + path = "/etc/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + ]; + }; + + home-manager.users.jump.config = { + home.stateVersion = lib.mkDefault "23.05"; + programs.ssh = { + enable = true; + enableDefaultConfig = false; + matchBlocks = { + "*" = { + forwardAgent = false; + }; + } // config.repo.secrets.local.ssh.hosts; + }; + }; + }; +} diff --git a/modules/nixos/optional/btrfs.nix b/modules/nixos/server/btrfs.nix similarity index 100% rename from modules/nixos/optional/btrfs.nix rename to modules/nixos/server/btrfs.nix diff --git a/modules/nixos/server/croc.nix b/modules/nixos/server/croc.nix index 67e2508..bc15734 100644 --- a/modules/nixos/server/croc.nix +++ b/modules/nixos/server/croc.nix 
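Review bot: The `Match User jump` block disables PTY, X11, tunnels and agent forwarding but still leaves `jump` a real login shell (`isNormalUser` plus `useDefaultShell`) and unrestricted TCP forwarding, so anyone holding one of the three authorized keys can run arbitrary commands with `ssh jump@host cmd` and forward to any address the bastion can reach. For a pure ProxyJump host add `ForceCommand /run/current-system/sw/bin/false`, `AllowTcpForwarding local` and a `PermitOpen` line naming only the builder's address and port 22 to the `Match` block — `ssh -J`/`ProxyJump` opens a direct-tcpip channel without a session, so ForceCommand does not break it. If `jump` is instead meant to hop onward from a shell (the home-manager `programs.ssh` config with `config.repo.secrets.local.ssh.hosts` suggests that may be intended), say so in a comment, because it is at odds with the rest of the hardening here. Note also that `builder.pub` is the same key the remote-build clients present to the builder hosts, so one key currently opens both the bastion and the builders.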
@@ -17,7 +17,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/disk-encrypt.nix b/modules/nixos/server/disk-encrypt.nix index 61fb055..54e678a 100644 --- a/modules/nixos/server/disk-encrypt.nix +++ b/modules/nixos/server/disk-encrypt.nix @@ -1,7 +1,7 @@ { self, pkgs, lib, config, globals, minimal, ... }: let - localIp = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4; - subnetMask = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".subnetMask4; + localIp = globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4; + subnetMask = globals.networks.${config.swarselsystems.server.netConfigName}.subnetMask4; gatewayIp = globals.hosts.${config.node.name}.defaultGateway4; hostKeyPathBase = "/etc/secrets/initrd/ssh_host_ed25519_key"; @@ -36,7 +36,7 @@ in files = [ hostKeyPathBase ]; }; - boot = lib.mkIf (!config.swarselsystems.isLaptop) { + boot = lib.mkIf (!config.swarselsystems.isClient) { kernelParams = lib.mkIf (!config.swarselsystems.isCloud) [ "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none" ]; diff --git a/modules/nixos/server/firefly-iii.nix b/modules/nixos/server/firefly-iii.nix index dc5eece..b97ba94 100644 --- a/modules/nixos/server/firefly-iii.nix +++ b/modules/nixos/server/firefly-iii.nix 
@@ -11,7 +11,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/forgejo.nix b/modules/nixos/server/forgejo.nix index f1f029d..d9d4123 100644 --- a/modules/nixos/server/forgejo.nix +++ b/modules/nixos/server/forgejo.nix @@ -9,7 +9,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/freshrss.nix b/modules/nixos/server/freshrss.nix index 75787b4..d136f6c 100644 --- a/modules/nixos/server/freshrss.nix +++ b/modules/nixos/server/freshrss.nix @@ -8,7 +8,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/garage.nix b/modules/nixos/server/garage.nix index 1f3f410..b84fb50 100644 
--- a/modules/nixos/server/garage.nix +++ b/modules/nixos/server/garage.nix @@ -54,11 +54,11 @@ in assertions = [ { assertion = config.swarselsystems.server.${serviceName}.buckets != [ ]; - message = "If Garage is enabled, at least one bucket must be specified in atro.garage.buckets"; + message = "If Garage is enabled, at least one bucket must be specified in swarselsystems.server.${serviceName}.buckets"; } { assertion = builtins.length (lib.attrsToList config.swarselsystems.server.${serviceName}.keys) > 0; - message = "If Garage is enabled, at least one key must be specified in atro.garage.keys"; + message = "If Garage is enabled, at least one key must be specified in swarselsystems.server.${serviceName}.keys"; } { assertion = @@ -71,7 +71,7 @@ in } ]; - swarselsystems.server.dns.${baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${baseDomain}.subdomainRecords = { "${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; "${subDomain}admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6; "${subDomain}web" = dns.lib.combinators.host proxyAddress4 proxyAddress6; @@ -121,7 +121,7 @@ in rpc_bind_addr = "[::]:${builtins.toString garageRpcPort}"; # we are not joining our nodes, just use the private ipv4 - rpc_public_addr = "${globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4}:${builtins.toString garageRpcPort}"; + rpc_public_addr = "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4}:${builtins.toString garageRpcPort}"; rpc_secret_file = config.sops.secrets.garage-rpc-secret.path; diff --git a/modules/nixos/server/homebox.nix b/modules/nixos/server/homebox.nix index 065454d..1d1c9ea 100644 --- a/modules/nixos/server/homebox.nix +++ b/modules/nixos/server/homebox.nix 
@@ -6,7 +6,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/immich.nix b/modules/nixos/server/immich.nix index 455a9e5..674ce80 100644 --- a/modules/nixos/server/immich.nix +++ b/modules/nixos/server/immich.nix @@ -6,7 +6,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/jellyfin.nix b/modules/nixos/server/jellyfin.nix index 5a2899b..b5c078f 100644 --- a/modules/nixos/server/jellyfin.nix +++ b/modules/nixos/server/jellyfin.nix @@ -6,7 +6,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/jenkins.nix b/modules/nixos/server/jenkins.nix index 20c7e25..f6bc9b1 100644 
--- a/modules/nixos/server/jenkins.nix +++ b/modules/nixos/server/jenkins.nix @@ -6,7 +6,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix index ba4e8f8..5bb4472 100644 --- a/modules/nixos/server/kanidm.nix +++ b/modules/nixos/server/kanidm.nix @@ -31,7 +31,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/kavita.nix b/modules/nixos/server/kavita.nix index 8da5e2e..bc5decd 100644 --- a/modules/nixos/server/kavita.nix +++ b/modules/nixos/server/kavita.nix @@ -11,7 +11,7 @@ in calibre ]; - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/koillection.nix b/modules/nixos/server/koillection.nix index d6c6f89..1c89adf 100644 --- a/modules/nixos/server/koillection.nix +++ b/modules/nixos/server/koillection.nix 
@@ -14,7 +14,7 @@ in config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; sops.secrets = { diff --git a/modules/nixos/server/mailserver.nix b/modules/nixos/server/mailserver.nix index a19777b..06270b2 100644 --- a/modules/nixos/server/mailserver.nix +++ b/modules/nixos/server/mailserver.nix @@ -11,7 +11,7 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/matrix.nix b/modules/nixos/server/matrix.nix index 02f0d60..24b4865 100644 --- a/modules/nixos/server/matrix.nix +++ b/modules/nixos/server/matrix.nix @@ -20,7 +20,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/microbin.nix b/modules/nixos/server/microbin.nix index 8e5517f..06b830f 100644 --- a/modules/nixos/server/microbin.nix +++ b/modules/nixos/server/microbin.nix 
@@ -10,7 +10,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/minecraft/default.nix b/modules/nixos/server/minecraft/default.nix index bc90c47..dbb7d27 100644 --- a/modules/nixos/server/minecraft/default.nix +++ b/modules/nixos/server/minecraft/default.nix @@ -8,7 +8,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/monitoring.nix b/modules/nixos/server/monitoring.nix index ac7f5af..4a115a5 100644 --- a/modules/nixos/server/monitoring.nix +++ b/modules/nixos/server/monitoring.nix @@ -16,7 +16,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; 
diff --git a/modules/nixos/server/navidrome.nix b/modules/nixos/server/navidrome.nix index 2abd922..e64dfd1 100644 --- a/modules/nixos/server/navidrome.nix +++ b/modules/nixos/server/navidrome.nix @@ -6,7 +6,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/network.nix b/modules/nixos/server/network.nix index 4ef8d14..91e9608 100644 --- a/modules/nixos/server/network.nix +++ b/modules/nixos/server/network.nix 
@@ -1,28 +1,40 @@ { lib, config, ... }: let - inherit (config.swarselsystems.server) localNetwork; + netConfig = config.repo.secrets.local.networking; + netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}"; in { - options.swarselmodules.server.network = lib.mkEnableOption "enable server network config"; - options.swarselsystems.server.localNetwork = lib.mkOption { - type = lib.types.str; - default = "home"; + options = { + swarselmodules.server.network = lib.mkEnableOption "enable server network config"; + swarselsystems.server = { + localNetwork = lib.mkOption { + type = lib.types.str; + default = ""; + }; + netConfigName = lib.mkOption { + type = lib.types.str; + default = netName; + readOnly = true; + }; + }; }; config = lib.mkIf config.swarselmodules.server.network { - globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${localNetwork}".hosts.${config.node.name} = { - inherit (config.repo.secrets.local.networking.networks.${localNetwork}) id; - mac = config.repo.secrets.local.networking.networks.${localNetwork}.mac or null; + swarselsystems.server.localNetwork = netConfig.localNetwork or ""; + + globals.networks.${netName}.hosts.${config.node.name} = { + inherit (netConfig.networks.${netConfig.localNetwork}) id; + mac = netConfig.networks.${netConfig.localNetwork}.mac or null; }; globals.hosts.${config.node.name} = { inherit (config.repo.secrets.local.networking) defaultGateway4; - wanAddress4 = config.repo.secrets.local.networking.wanAddress4 or null; - wanAddress6 = config.repo.secrets.local.networking.wanAddress6 or null; + wanAddress4 = netConfig.wanAddress4 or null; + wanAddress6 = netConfig.wanAddress6 or null; }; networking = { - inherit (config.repo.secrets.local.networking) hostId; + inherit (netConfig) hostId; hostName = config.node.name; nftables.enable = lib.mkDefault false; enableIPv6 = lib.mkDefault true; 
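Review bot: `inherit (netConfig.networks.${netConfig.localNetwork}) id` dereferences `netConfig.localNetwork` directly, while the line above tolerates its absence with `netConfig.localNetwork or ""`; on a host whose local networking secrets lack `localNetwork`, the tolerant line succeeds and this one fails with an attribute-missing error raised from inside an `inherit`, which is hard to trace back to the secrets file. Either use the option value consistently, `inherit (netConfig.networks.${config.swarselsystems.server.localNetwork}) id;`, or add an assertion that `netConfig ? localNetwork` with a message naming the host. The `localNetwork` default also changed from `"home"` to `""`, so `netName` becomes `home-` for such a host; a comment on the option saying the per-host secrets are expected to set it would make that contract explicit.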
diff --git a/modules/nixos/server/nextcloud.nix b/modules/nixos/server/nextcloud.nix index f313593..aac65d8 100644 --- a/modules/nixos/server/nextcloud.nix +++ b/modules/nixos/server/nextcloud.nix @@ -10,7 +10,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix index a321c21..a869b23 100644 --- a/modules/nixos/server/nginx.nix +++ b/modules/nixos/server/nginx.nix @@ -1,6 +1,6 @@ { pkgs, lib, config, ... }: let - inherit (config.repo.secrets.common) dnsProvider; + inherit (config.repo.secrets.common) dnsProvider dnsBase; inherit (config.repo.secrets.common.mail) address3; serviceUser = "nginx"; @@ -63,9 +63,12 @@ in ]; sops = { - secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; }; + secrets = { + acme-dns-token = { inherit (config.swarselsystems) sopsFile; }; + }; templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token} + ACME_DNS_API_BASE=${dnsBase} + ACME_DNS_STORAGE_PATH=${config.sops.placeholder.acme-dns-token} ''; }; diff --git a/modules/nixos/server/nsd/default.nix b/modules/nixos/server/nsd/default.nix index d10179b..6e79fad 100644 --- a/modules/nixos/server/nsd/default.nix +++ b/modules/nixos/server/nsd/default.nix 
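Review bot: `ACME_DNS_API_BASE=${dnsBase}` interpolates a value read from `config.repo.secrets.common` at evaluation time, so it is baked into the template's content in the Nix store (world-readable), whereas only `config.sops.placeholder.acme-dns-token` is substituted at activation. If the acme-dns base URL is meant to stay secret, move it into a sops secret and reference it through a placeholder as well; if it is not sensitive, a comment saying so would stop the next reader from assuming it is protected. Separately, lego documents `ACME_DNS_STORAGE_PATH` as the path of its JSON account store, yet the template feeds it the decrypted token value; I would confirm what `acme-dns-token` actually holds, since `config.sops.secrets.acme-dns-token.path` looks like the intended value if it is a file.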
@@ -1,10 +1,7 @@ -{ inputs, lib, config, globals, dns, confLib, ... }: +{ lib, config, globals, dns, confLib, ... }: let - inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName; - # servicePort = 53; - # serviceDomain = config.repo.secrets.common.services.domains."${serviceName}"; - # serviceAddress = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4; - + inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName servicePort proxyAddress4 proxyAddress6; + inherit (config.swarselsystems) sopsFile; in { options = { @@ -14,7 +11,7 @@ in lib.types.submodule { options = { subdomainRecords = lib.mkOption { - type = lib.types.attrsOf inputs.dns.subzone; + type = lib.types.attrsOf dns.lib.types.subzone; default = { }; }; }; 
@@ -23,14 +20,69 @@ in }; }; config = lib.mkIf config.swarselmodules.server.${serviceName} { + + sops.secrets = { + tsig-key = { inherit sopsFile; }; + }; + + # services.resolved.enable = false; + networking = { + # nameservers = [ "1.1.1.1" "8.8.8.8" ]; + firewall = { + allowedUDPPorts = [ servicePort ]; + allowedTCPPorts = [ servicePort ]; + }; + }; + services.nsd = { enable = true; - zones = { - "${globals.domains.main}" = { - # provideXFR = [ ... ]; - # notify = [ ... ]; - data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns; }); + keys = { + "${globals.domains.main}.${proxyAddress4}" = { + algorithm = "hmac-sha256"; + keyFile = config.sops.secrets.tsig-key.path; }; + "${globals.domains.main}.${proxyAddress6}" = { + algorithm = "hmac-sha256"; + keyFile = config.sops.secrets.tsig-key.path; + }; + "${globals.domains.main}" = { + algorithm = "hmac-sha256"; + keyFile = config.sops.secrets.tsig-key.path; + }; + }; + interfaces = [ + "10.1.2.157" + "2603:c020:801f:a0cc::9d" + ]; + zones = { + "${globals.domains.main}" = + let + keyName4 = "${globals.domains.main}.${proxyAddress4}"; + keyName6 = "${globals.domains.main}.${proxyAddress6}"; + keyName = "${globals.domains.main}"; + transferList = [ + "213.239.242.238 ${keyName4}" + "2a01:4f8:0:a101::a:1 ${keyName6}" + "213.133.100.103 ${keyName4}" + "2a01:4f8:0:1::5ddc:2 ${keyName6}" + "193.47.99.3 ${keyName4}" + "2001:67c:192c::add:a3 ${keyName6}" + ]; + + in + { + outgoingInterface = "2603:c020:801f:a0cc::9d"; + notify = transferList ++ [ + "216.218.130.2 ${keyName}" + ]; + provideXFR = transferList ++ [ + "216.218.133.2 ${keyName}" + "2001:470:600::2 ${keyName}" + ]; + + # dnssec = true; + data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns proxyAddress4 proxyAddress6; }); + }; }; }; diff --git a/modules/nixos/server/nsd/site1.nix b/modules/nixos/server/nsd/site1.nix index 925bbf8..8cf0deb 100644 
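Review bot: The three `keys` entries differ only by name and all point at the same `config.sops.secrets.tsig-key.path`, so every peer in `transferList` and the `216.218.*`/`2001:470:600::2` entries authenticate with identical key material; rotating or revoking one peer's key then means re-keying all of them, and the per-peer names suggest distinct secrets were intended. If sharing is deliberate, say so with `# one shared TSIG secret for all secondaries; per-peer key names only satisfy nsd's naming`, otherwise split it into separate sops secrets. `interfaces` and `outgoingInterface` hardcode literal addresses right next to the `proxyAddress4`/`proxyAddress6` just inherited from `confLib.gen`; if they are the same addresses, use the variables so the file has a single source of truth. `# dnssec = true;` is left commented without a note on why it is off.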
--- a/modules/nixos/server/nsd/site1.nix +++ b/modules/nixos/server/nsd/site1.nix @@ -1,40 +1,35 @@ -{ config, globals, dns, ... }: +{ config, globals, dns, proxyAddress4, proxyAddress6, ... }: with dns.lib.combinators; { SOA = { nameServer = "soa"; - adminEmail = "admin@${globals.domains.main}"; - serial = 2025112101; + adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin") + serial = 2025120201; # update this on changes for secondary dns }; useOrigin = false; NS = [ - "soa.${globals.domains.name}." - "ns1.he.net" - "ns2.he.net" - "ns3.he.net" - "ns4.he.net" - "ns5.he.net" - "oxygen.ns.hetzner.com" - "pola.ns.cloudflare.com" - ]; + "soa" + "srv" + ] ++ globals.domains.externalDns; - A = [ "75.2.60.5" ]; + + A = [ config.repo.secrets.local.dns.homepage-ip ]; SRV = [ { service = "_matrix"; proto = "_tcp"; port = 443; - target = "${globals.services.matrix.baseDomain}.${globals.domains.main}"; + target = "${globals.services.matrix.subDomain}"; priority = 10; - wweight = 5; + weight = 5; } { service = "_submissions"; proto = "_tcp"; port = 465; - target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}"; + target = "${globals.services.mailserver.subDomain}"; priority = 5; weight = 0; ttl = 3600; @@ -43,7 +38,7 @@ with dns.lib.combinators; { service = "_submission"; proto = "_tcp"; port = 587; - target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}"; + target = "${globals.services.mailserver.subDomain}"; priority = 5; weight = 0; ttl = 3600; @@ -52,7 +47,7 @@ with dns.lib.combinators; { service = "_imap"; proto = "_tcp"; port = 143; - target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}"; + target = "${globals.services.mailserver.subDomain}"; priority = 5; weight = 0; ttl = 3600; 
@@ -61,7 +56,7 @@ with dns.lib.combinators; { service = "_imaps"; proto = "_tcp"; port = 993; - target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}"; + target = "${globals.services.mailserver.subDomain}"; priority = 5; weight = 0; ttl = 3600; @@ -71,13 +66,7 @@ with dns.lib.combinators; { MX = [ { preference = 10; - exchange = "${globals.services.mailserver.baseDomain}.${globals.domains.main}"; - } - ]; - - CNAME = [ - { - cname = "www.${glovals.domains.main}"; + exchange = "${globals.services.mailserver.subDomain}"; } ]; @@ -90,28 +79,22 @@ with dns.lib.combinators; { } ]; - DMARC = [ - { - p = "none"; - ttl = 10800; - } - ]; - TXT = [ - (with spf; strict [ "a:${globals.services.mailserver.baseDomain}.${globals.domains.main}" ]) + (with spf; strict [ "a:${globals.services.mailserver.subDomain}.${globals.domains.main}" ]) "google-site-verification=${config.repo.secrets.local.dns.google-site-verification}" ]; DMARC = [ { - selector = "mail"; - k = "rsa"; p = "none"; ttl = 10800; } ]; - subdomains = config.swarselsystems.server.dns.${globals.domain.main}.subdomainRecords // { - "minecraft" = host "130.61.119.12" null; + subdomains = config.swarselsystems.server.dns.${globals.domains.main}.subdomainRecords // { + "www".CNAME = [ "${globals.domains.main}." ]; + "_acme-challenge".CNAME = [ "${config.repo.secrets.local.dns.acme-challenge-domain}." ]; + "soa" = host proxyAddress4 proxyAddress6; + "srv" = host proxyAddress4 proxyAddress6; }; } diff --git a/modules/nixos/server/oauth2-proxy.nix b/modules/nixos/server/oauth2-proxy.nix index e4cdf49..1c838b7 100644 --- a/modules/nixos/server/oauth2-proxy.nix +++ b/modules/nixos/server/oauth2-proxy.nix 
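Review bot: The surviving `DMARC` record keeps `p = "none"` and carries no `rua` address, so the policy neither enforces anything nor produces aggregate reports; with the duplicate block and the stray DKIM fields (`selector`, `k`) now removed, this is the moment to state what it is for. If monitoring is the intent, add `rua = "mailto:<dmarc-reports-address>";` (placeholder) so failing sources become visible before tightening to `quarantine` or `reject`; if `none` is temporary, a comment naming the target policy would help. The attrset containing `subdomains` begins outside the hunk.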
@@ -119,7 +119,7 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/paperless.nix b/modules/nixos/server/paperless.nix index 3b2e201..7a249a4 100644 --- a/modules/nixos/server/paperless.nix +++ b/modules/nixos/server/paperless.nix @@ -11,7 +11,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/radicale.nix b/modules/nixos/server/radicale.nix index db5a9a5..b71ea61 100644 --- a/modules/nixos/server/radicale.nix +++ b/modules/nixos/server/radicale.nix @@ -9,7 +9,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/shlink.nix b/modules/nixos/server/shlink.nix index 99ed6fd..1ed909c 100644 --- a/modules/nixos/server/shlink.nix +++ b/modules/nixos/server/shlink.nix 
@@ -12,7 +12,7 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/slink.nix b/modules/nixos/server/slink.nix index 4edfa0b..fe61faa 100644 --- a/modules/nixos/server/slink.nix +++ b/modules/nixos/server/slink.nix @@ -10,7 +10,7 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/snipe-it.nix b/modules/nixos/server/snipe-it.nix index 03b9666..aad544f 100644 --- a/modules/nixos/server/snipe-it.nix +++ b/modules/nixos/server/snipe-it.nix @@ -11,7 +11,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/ssh-builder.nix b/modules/nixos/server/ssh-builder.nix new file mode 100644 index 0000000..3791bf7 --- /dev/null +++ b/modules/nixos/server/ssh-builder.nix 
@@ -0,0 +1,35 @@
+{ self, pkgs, lib, config, ... }:
+let
+ ssh-restrict = "restrict,pty,command=\"${wrapper-dispatch-ssh-nix}/bin/wrapper-dispatch-ssh-nix\" ";
+
+ wrapper-dispatch-ssh-nix = pkgs.writeShellScriptBin "wrapper-dispatch-ssh-nix" ''
+ case $SSH_ORIGINAL_COMMAND in
+ "nix-daemon --stdio")
+ exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-daemon --stdio
+ ;;
+ "nix-store --serve --write")
+ exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-store --serve --write
+ ;;
+ *)
+ echo "Access only allowed for using the nix remote builder" 1>&2
+ exit
+ esac
+ '';
+in
+{
+ options.swarselmodules.server.ssh-builder = lib.mkEnableOption "enable ssh-builder config on server";
+ config = lib.mkIf config.swarselmodules.server.ssh-builder {
+ users = {
+ groups.builder = { };
+ users.builder = {
+ useDefaultShell = true;
+ isSystemUser = true;
+ group = "builder";
+ openssh.authorizedKeys.keys = [
+ ''${ssh-restrict} ${builtins.readFile "${self}/secrets/keys/ssh/builder.pub"}''
+ ];
+ };
+ };
+
+ };
+}
diff --git a/modules/nixos/server/ssh.nix b/modules/nixos/server/ssh.nix
index a588edf..41b1e23 100644
--- a/modules/nixos/server/ssh.nix
+++ b/modules/nixos/server/ssh.nix
@@ -9,6 +9,10 @@
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
 PermitRootLogin = "yes";
+ AllowUsers = [
+ "root"
+ config.swarselsystems.mainUser
+ ];
 };
 hostKeys = [
 {
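Review bot: In the `*)` branch of `wrapper-dispatch-ssh-nix`, `exit` with no argument returns the status of the preceding `echo`, i.e. 0, so a rejected `SSH_ORIGINAL_COMMAND` still reports success to the caller; make it `exit 1`. The authorized-keys options `restrict,pty,...` re-enable a pty that neither `nix-daemon --stdio` nor `nix-store --serve --write` needs, so `restrict,command=...` alone is the tighter setting. A one-line comment above `ssh-restrict`, such as `# forced command: only the two nix remote-build protocols are dispatched, everything else is refused`, would record the intent for whoever next adds a case.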
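Review bot: `AllowUsers` now admits only `root` and `config.swarselsystems.mainUser`; the `builder` account created by the new `ssh-builder.nix` in this same commit is not listed, so on a host enabling both modules sshd would refuse that user before the forced command ever runs. Assuming `services.openssh.settings.AllowUsers` merges as a list, `ssh-builder.nix` can add `services.openssh.settings.AllowUsers = [ "builder" ];` inside its `config` block so the two modules compose. The `settings` attrset this hunk edits begins outside the hunk.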
@@ -20,10 +24,12 @@ users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [ (self + /secrets/keys/ssh/yubikey.pub) (self + /secrets/keys/ssh/magicant.pub) + # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub)) ]; users.users.root.openssh.authorizedKeys.keyFiles = [ (self + /secrets/keys/ssh/yubikey.pub) (self + /secrets/keys/ssh/magicant.pub) + # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub)) ]; security.sudo.extraConfig = '' Defaults env_keep+=SSH_AUTH_SOCK diff --git a/modules/nixos/server/syncthing.nix b/modules/nixos/server/syncthing.nix index 09986d3..3babd67 100644 --- a/modules/nixos/server/syncthing.nix +++ b/modules/nixos/server/syncthing.nix @@ -42,7 +42,7 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = { "${globals.services.${specificServiceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/shared/config-lib.nix b/modules/shared/config-lib.nix index 4ecc055..ba5e8bf 100644 --- a/modules/shared/config-lib.nix +++ b/modules/shared/config-lib.nix 
@@ -1,14 +1,14 @@ -{ config, lib, globals, ... }: +{ config, lib, globals, nixosConfig ? null, ... }: { _module.args = { confLib = rec { - addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4 else "localhost"; + addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4 else "localhost"; domainDefault = service: config.repo.secrets.common.services.domains.${service}; proxyDefault = config.swarselsystems.proxyHost; - getConfig = config; + getConfig = if nixosConfig == null then config else nixosConfig; gen = { name, user ? name, group ? name, dir ? null, port ? null, domain ? (domainDefault name), address ? addressDefault, proxy ? proxyDefault }: rec { servicePort = port; diff --git a/modules/shared/options.nix b/modules/shared/options.nix index 0367bd9..911cf5b 100644 --- a/modules/shared/options.nix +++ b/modules/shared/options.nix @@ -3,12 +3,24 @@ options.swarselsystems = { proxyHost = lib.mkOption { type = lib.types.str; - default = ""; + default = config.node.name; + }; + isBastionTarget = lib.mkOption { + type = lib.types.bool; + default = false; }; isCloud = lib.mkOption { type = lib.types.bool; default = false; }; + isServer = lib.mkOption { + type = lib.types.bool; + default = config.swarselsystems.isCloud; + }; + isClient = lib.mkOption { + type = lib.types.bool; + default = config.swarselsystems.isLaptop; + }; withHomeManager = lib.mkOption { type = lib.types.bool; default = true; diff --git a/nix/formatter.nix b/nix/formatter.nix index a716372..88bb5a6 100644 --- a/nix/formatter.nix +++ b/nix/formatter.nix 
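Review bot: `isBastionTarget` is added in the `options.nix` hunk but the only references to it in this commit are the commented-out `jump.pub` lines in `ssh.nix`, so it is currently a dead option; a `description` stating what enabling it is meant to do would keep it from being misread as already wired up, e.g. `description = "whether this host should accept logins via the jump-host key";` (wording to confirm). The `proxyHost` default moving from `""` to `config.node.name` also flips `confLib.addressDefault` to `"localhost"` for every host that never set it — presumably intended, but a comment on the option would save the next reader the cross-file trace.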
@@ -28,7 +28,8 @@ buildInputs = [ pkgs.makeWrapper ]; paths = [ pkgs.shfmt ]; postBuild = '' - wrapProgram $out/bin/shfmt --append-flags '-sr' + wrapProgram $out/bin/shfmt \ + --add-flags '-sr' ''; }; }; diff --git a/nix/hosts.nix b/nix/hosts.nix index c27c011..858322a 100644 --- a/nix/hosts.nix +++ b/nix/hosts.nix @@ -20,7 +20,6 @@ inputs.lanzaboote.nixosModules.lanzaboote inputs.microvm.nixosModules.host inputs.microvm.nixosModules.microvm - inputs.niri-flake.nixosModules.niri inputs.nix-index-database.nixosModules.nix-index inputs.nix-minecraft.nixosModules.minecraft-servers inputs.nix-topology.nixosModules.default @@ -103,7 +102,6 @@ }; modules = [ inputs.stylix.homeModules.stylix - inputs.niri-flake.homeModules.niri inputs.nix-index-database.homeModules.nix-index # inputs.sops-nix.homeManagerModules.sops inputs.spicetify-nix.homeManagerModules.default diff --git a/nix/lib.nix b/nix/lib.nix index 6ca74b6..c3f0338 100644 --- a/nix/lib.nix +++ b/nix/lib.nix @@ -78,7 +78,7 @@ let forEachLinuxSystem = f: lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: f pkgsFor.${system}); readHosts = type: lib.attrNames (builtins.readDir "${self}/hosts/${type}"); - readNix = type: lib.filter (name: name != "default.nix") (lib.attrNames (builtins.readDir "${self}/${type}")); + readNix = type: lib.filter (name: name != "default.nix" && name != "optional" && name != "darwin") (lib.attrNames (builtins.readDir "${self}/${type}")); mkImports = names: baseDir: lib.map (name: "${self}/${baseDir}/${name}") names; }; diff --git a/profiles/home/chaostheatre/default.nix b/profiles/home/chaostheatre/default.nix deleted file mode 100644 index 1bcb3fb..0000000 --- a/profiles/home/chaostheatre/default.nix +++ /dev/null 
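Review bot: `readNix`'s filter has grown into a chain of `!=` comparisons; `lib.filter (name: !(lib.elem name [ "default.nix" "optional" "darwin" ]))` reads as a single exclusion list and is easier to extend. A short comment on why `optional` and `darwin` are skipped here (presumably they are imported by other means) would help, since the function name no longer describes what it leaves out.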
@@ -1,44 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.chaostheatre = lib.mkEnableOption "is this a chaostheatre host"; - config = lib.mkIf config.swarselprofiles.chaostheatre { - swarselmodules = { - packages = lib.mkForce true; - ownpackages = lib.mkForce true; - general = lib.mkForce true; - nixgl = lib.mkForce true; - sops = lib.mkForce true; - yubikey = lib.mkForce false; - ssh = lib.mkForce true; - stylix = lib.mkForce true; - desktop = lib.mkForce true; - symlink = lib.mkForce true; - env = lib.mkForce false; - programs = lib.mkForce true; - nix-index = lib.mkForce true; - direnv = lib.mkForce true; - eza = lib.mkForce true; - git = lib.mkForce false; - fuzzel = lib.mkForce true; - starship = lib.mkForce true; - kitty = lib.mkForce true; - zsh = lib.mkForce true; - zellij = lib.mkForce true; - tmux = lib.mkForce true; - mail = lib.mkForce false; - emacs = lib.mkForce true; - waybar = lib.mkForce true; - firefox = lib.mkForce true; - gnome-keyring = lib.mkForce true; - kdeconnect = lib.mkForce true; - mako = lib.mkForce true; - swayosd = lib.mkForce true; - yubikeytouch = lib.mkForce true; - sway = lib.mkForce true; - kanshi = lib.mkForce true; - gpgagent = lib.mkForce true; - gammastep = lib.mkForce false; - }; - }; - -} diff --git a/profiles/home/dgxspark/default.nix b/profiles/home/dgxspark/default.nix index 9a9a4c2..81c41e0 100644 --- a/profiles/home/dgxspark/default.nix +++ b/profiles/home/dgxspark/default.nix @@ -30,7 +30,6 @@ kitty = lib.mkDefault true; mail = lib.mkDefault false; mako = lib.mkDefault false; - niri = lib.mkDefault false; nix-index = lib.mkDefault true; nixgl = lib.mkDefault true; nix-your-shell = lib.mkDefault true; diff --git a/profiles/home/framework/default.nix b/profiles/home/framework/default.nix deleted file mode 100644 index b4c28e2..0000000 --- a/profiles/home/framework/default.nix +++ /dev/null 
@@ -1,13 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.framework = lib.mkEnableOption "is this a framework brand host"; - config = lib.mkIf config.swarselprofiles.framework { - swarselmodules = { - optional = { - framework = lib.mkDefault true; - }; - }; - - }; - -} diff --git a/profiles/home/optionals/default.nix b/profiles/home/optionals/default.nix deleted file mode 100644 index 697de20..0000000 --- a/profiles/home/optionals/default.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.optionals = lib.mkEnableOption "is this a host with optionals"; - config = lib.mkIf config.swarselprofiles.optionals { - swarselmodules = { - optional = { - gaming = lib.mkDefault true; - uni = lib.mkDefault true; - }; - }; - }; - -} diff --git a/profiles/home/personal/default.nix b/profiles/home/personal/default.nix index e04e2af..c9ce74f 100644 --- a/profiles/home/personal/default.nix +++ b/profiles/home/personal/default.nix @@ -29,7 +29,6 @@ kitty = lib.mkDefault true; mail = lib.mkDefault true; mako = lib.mkDefault true; - niri = lib.mkDefault false; nix-index = lib.mkDefault true; nixgl = lib.mkDefault true; nix-your-shell = lib.mkDefault true; diff --git a/profiles/home/toto/default.nix b/profiles/home/toto/default.nix deleted file mode 100644 index 2f1473a..0000000 --- a/profiles/home/toto/default.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.toto = lib.mkEnableOption "is this a toto (setup) host"; - config = lib.mkIf config.swarselprofiles.toto { - swarselmodules = { - general = lib.mkDefault true; - sops = lib.mkDefault true; - ssh = lib.mkDefault true; - kitty = lib.mkDefault true; - git = lib.mkDefault true; - }; - }; - -} diff --git a/profiles/home/uni/default.nix b/profiles/home/uni/default.nix deleted file mode 100644 index e816f45..0000000 --- a/profiles/home/uni/default.nix +++ /dev/null 
@@ -1,12 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.uni = lib.mkEnableOption "is this a uni host"; - config = lib.mkIf config.swarselprofiles.uni { - swarselmodules = { - optional = { - uni = lib.mkDefault true; - }; - }; - }; - -} diff --git a/profiles/home/work/default.nix b/profiles/home/work/default.nix deleted file mode 100644 index a89b300..0000000 --- a/profiles/home/work/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.work = lib.mkEnableOption "is this a work host"; - config = lib.mkIf config.swarselprofiles.work { - swarselmodules = { - optional = { - work = lib.mkDefault true; - }; - }; - }; - -} diff --git a/profiles/nixos/chaostheatre/default.nix b/profiles/nixos/chaostheatre/default.nix deleted file mode 100644 index 31ce621..0000000 --- a/profiles/nixos/chaostheatre/default.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.chaostheatre = lib.mkEnableOption "is this a chaostheatre host"; - config = lib.mkIf config.swarselprofiles.chaostheatre { - swarselmodules = { - packages = lib.mkForce true; - general = lib.mkForce true; - home-manager = lib.mkForce true; - xserver = lib.mkForce true; - users = lib.mkForce true; - sops = lib.mkForce true; - env = lib.mkForce true; - security = lib.mkForce true; - systemdTimeout = lib.mkForce true; - hardware = lib.mkForce true; - pulseaudio = lib.mkForce true; - pipewire = lib.mkForce true; - network = lib.mkForce true; - time = lib.mkForce true; - stylix = lib.mkForce true; - programs = lib.mkForce true; - zsh = lib.mkForce true; - syncthing = lib.mkForce true; - blueman = lib.mkForce true; - networkDevices = lib.mkForce true; - gvfs = lib.mkForce true; - interceptionTools = lib.mkForce true; - swayosd = lib.mkForce true; - ppd = lib.mkForce true; - yubikey = lib.mkForce false; - ledger = lib.mkForce true; - keyboards = lib.mkForce true; - login = lib.mkForce true; - nix-ld = lib.mkForce true; - impermanence = lib.mkForce true; - nvd = lib.mkForce true; - gnome-keyring = lib.mkForce true; - sway = lib.mkForce true; - xdg-portal = lib.mkForce true; - distrobox = lib.mkForce true; - appimage = lib.mkForce true; - lid = lib.mkForce true; - lowBattery = lib.mkForce true; - lanzaboote = lib.mkForce true; - autologin = lib.mkForce true; - }; - - }; - -} diff --git a/profiles/nixos/framework/default.nix b/profiles/nixos/framework/default.nix deleted file mode 100644 index 060c3ec..0000000 --- a/profiles/nixos/framework/default.nix +++ /dev/null 
@@ -1,18 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.framework = lib.mkEnableOption "is this a framework brand host"; - config = lib.mkIf config.swarselprofiles.framework { - swarselmodules = { - optional = { - framework = lib.mkDefault true; - }; - }; - home-manager.users."${config.swarselsystems.mainUser}" = { - swarselprofiles = { - framework = lib.mkDefault true; - }; - }; - - }; - -} diff --git a/profiles/nixos/optionals/default.nix b/profiles/nixos/optionals/default.nix deleted file mode 100644 index ddb7846..0000000 --- a/profiles/nixos/optionals/default.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.optionals = lib.mkEnableOption "is this a host with optionals"; - config = lib.mkIf config.swarselprofiles.optionals { - swarselmodules = { - optional = { - gaming = lib.mkDefault true; - virtualbox = lib.mkDefault true; - nswitch-rcm = lib.mkDefault true; - }; - }; - - home-manager.users."${config.swarselsystems.mainUser}" = { - swarselprofiles = { - optionals = lib.mkDefault true; - }; - }; - }; - -} diff --git a/profiles/nixos/personal/default.nix b/profiles/nixos/personal/default.nix index 1d8f99a..dc9583c 100644 --- a/profiles/nixos/personal/default.nix +++ b/profiles/nixos/personal/default.nix @@ -26,7 +26,6 @@ lowBattery = lib.mkDefault false; network = lib.mkDefault true; networkDevices = lib.mkDefault true; - niri = lib.mkDefault false; nix-ld = lib.mkDefault true; nvd = lib.mkDefault true; packages = lib.mkDefault true; @@ -35,6 +34,7 @@ ppd = lib.mkDefault true; programs = lib.mkDefault true; pulseaudio = lib.mkDefault true; + remotebuild = lib.mkDefault true; security = lib.mkDefault true; sops = lib.mkDefault true; stylix = lib.mkDefault true; diff --git a/profiles/nixos/uni/default.nix b/profiles/nixos/uni/default.nix deleted file mode 100644 index 24fa649..0000000 --- a/profiles/nixos/uni/default.nix +++ /dev/null 
@@ -1,18 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.uni = lib.mkEnableOption "is this a uni host"; - config = lib.mkIf config.swarselprofiles.uni { - # swarselmodules = { - # optional = { - # uni = lib.mkDefault true; - # }; - # }; - home-manager.users."${config.swarselsystems.mainUser}" = { - swarselprofiles = { - uni = lib.mkDefault true; - }; - }; - - }; - -} diff --git a/profiles/nixos/work/default.nix b/profiles/nixos/work/default.nix deleted file mode 100644 index 0740cc4..0000000 --- a/profiles/nixos/work/default.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.work = lib.mkEnableOption "is this a work host"; - config = lib.mkIf config.swarselprofiles.work { - swarselmodules = { - optional = { - work = lib.mkDefault true; - }; - }; - home-manager.users."${config.swarselsystems.mainUser}" = { - swarselprofiles = { - work = lib.mkDefault true; - }; - }; - - }; - -} diff --git a/secrets/belchsfactory/secrets.yaml b/secrets/belchsfactory/secrets.yaml index 5c8aae5..a199923 100644 --- a/secrets/belchsfactory/secrets.yaml +++ b/secrets/belchsfactory/secrets.yaml 
@@ -1,5 +1,6 @@ #ENC[AES256_GCM,data:WqtrDDqt,iv:Ksv7cH9opsgWoXj+YnTct3VtAT6qbaAr78uaZxkN+zc=,tag:9KPeAi/JZvxjKh1w4scsdQ==,type:comment] -acme-dns-token: ENC[AES256_GCM,data:KT8UnkuGVmCLm5TNPU5NUGhwBXF6/MN873BfLYxw9i9bdGsdXXZLFw==,iv:I1X/9UUABVEpHOhah0uwMPnIyFsZ8lXqipQ8JGNjXdo=,tag:SD4y7koXjsjRYqkrhO3Mzg==,type:str] +#ENC[AES256_GCM,data:kwewartySAHzmyssuWFPv0XODI/njYrSXxqEE2JBJvuCsJKwZrq4+EzKOtwOlyssEpAvaxxejmb7,iv:p3KO21NvM7zfp4U0s9TVW5jfnOzvQkn06mcFgHp9xVA=,tag:sn/zQwI8EdhWb2w9F+V4rw==,type:comment] +acme-dns-token: ENC[AES256_GCM,data:Fj1V4MMKYJdXTur3xc7EDnYGXg8GBVPx8X/I6A7bRIdm7cX63yRrtw==,iv:Gaz6xYtEkQilaQG6+5Bz2gHWN3sIRQmCqLryZZYjefM=,tag:lGu+e1u6JOdxq8l8J+6+cw==,type:str] #ENC[AES256_GCM,data:IaG0khKtH/NwwvpDAWwZ9kVhtxI=,iv:IFP93sRIw3Lkze3ut20VBYWxBC1/6euA+uJoggFP5SU=,tag:dq2cU1tB2MPA99BJtp0gZA==,type:comment] garage-rpc-secret: ENC[AES256_GCM,data:QzyqeNuJPjtG7MTyO+6f+KfquWhHbDGBJ6hrEGDh+3kg6wkCGx/0pUjeOMAaren1jMIwk1iKaAnSbq7NW1GcLA==,iv:WmCRD/kNtmBljkA78Vb5guUVrsQxdoZfRE2tNlt0iWQ=,tag:6wKCXlwbLzxvLpACJbACEg==,type:str] #ENC[AES256_GCM,data:guiRBJqw3HqM3e0Zw27bhc/h8sPcni0=,iv:J1Bc5LPzYdhlTUeenn8QqpBzrsoKGr+b499h8T+ilNo=,tag:kjXtd7tH5PzQLWt7EWbMaQ==,type:comment] 
@@ -19,8 +20,8 @@ sops: NHZwMEl2ZWVONkNuVWprUFhsek91NzQK84WqkK9mtR4q1G2wS6gKqflEUv0VefUJ jcQij+3T2O81paZytTzZNPX3JuebyyitC5KeEoz3Z99uSrCDaLuZAQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-27T01:18:20Z" - mac: ENC[AES256_GCM,data:WUZzmexNAz5PabpUDL7yHCrkZolDWWXhJ01PBWd+Q58xeJZrQLeoLrjx+Z9XflWCskxYwxb7OsxLLi1fN1CkE+M9n/ELeF/EuhAL3+IamUi64tb50HbMbCJ8XvuPH2rPhYlNo9Tt3nZHChsb7w+DQA1P602zy1UYbYOOgdpjbzQ=,iv:t4Xma1r/nJJjc95WcZaRTr6xi56FauZYzdIlAtUKlqk=,tag:00LKuFIKgv+QLu7vddf8qw==,type:str] + lastmodified: "2025-11-28T17:45:56Z" + mac: ENC[AES256_GCM,data:t+L6NWHaZCrSbHJhFja28E0vSNGHf5hyH183J0KPL/SrJDcK/XuxwSbbCTfwMQtRiuhjprjPjH4ioqZV/eCiLEd3C3LikEwlXb7CutYknpjceNuhi3aJ5+oRVb8vwcrMAtbPKKB1ZJc7PNcRWIFk6oEF7M8NjkC92/3C4fSH9Q4=,iv:t/YjiqCEPJkyHz/W/p6T19An2Lyr8khmwsv8it/nnZM=,tag:lccvtgBMM4NgMfKwgWoeQw==,type:str] pgp: - created_at: "2025-11-26T12:40:31Z" enc: |- diff --git a/secrets/certs/secrets.yaml b/secrets/certs/secrets.yaml index f45c150..7bc7436 100644 --- a/secrets/certs/secrets.yaml +++ b/secrets/certs/secrets.yaml 
@@ -8,116 +8,143 @@ sops: - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3Vzk2RWVCUk51cWtVRk1K - dXA4dmJSNGVMQ2VlUXJsbGZjbjRaMUFZdVJFCm1RMk1PbDQyOWpjaXVVdWoxVUJq - dGQxMmlVcEovZGZ4bzdnbS9kRE9NZHMKLS0tIFdEeHJVS0NjcElNQ2hDNkJNaURZ - VWR2RXZHd2ZON2VQZW9KL1NlME5hNDgKvEn7GMfQgA3FBDmimP32i8QQ8NuUAt4p - uM2Z7UJP8i75x6GWku6eEKWO3M+rNsTPFL1VJfYORjiG8JKGWb4IOw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZ0p3QlY2c1dGcGIvektO + c1BRWWFJTndub0dxUXhlMTlreDUyUlZ5U0NjCldCamVrN24yZ1QycksxTDV4Sk9V + aklIT1dGVHJKL0ZWNFN6WnhJN1Z4SzQKLS0tIC9lZUI0cE5aYzBHcWlWc3FkS041 + bTdlMU5qbHRBZ1V0ZXhjL3FKYmR0Z0EKpA48GyFC1W2+O3WL7Dgjb5dRRfkyJNFi + Yl3i2st6zBGH6OFJGdLlBAJ/lqw9LgHKxYbId7XcuAfMkDTNz4Fjjg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0WDBMV3RUYUovS0ZmV0JJ + bWdqSWE1TTA4MjNvbzFtM1NoY1FsL0FIWm5nCkV5cSt5VWVzYmM1MytuTUJsVHBB + a2hoMTNwcXZaYzl4d3lmZUZIVDBQekUKLS0tIHlTcEFqR2pIQTBFU21EZ0h0Z3hL + UHN3QmtreUpUMmxTNy8vbXRnV25jRFEKTaCbReUitrOJGVncdR/VQBXmM+mTzTKj + HzRnYSUmuuRdkHC/ljjeYR4rkSjN4RJABX0fraKdARBfkoi+x5ulCQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJM0k4SW96SXVJejBGcHJR + UVZneUVBT0VzZXNlazJKcU1DYWNPZGNiTFc0CmRtTEdCSkF6dTZZamhPWTF2dWlw + QmdNTmJ2Q2JiNXhJd3kxdTdZNXkzU1UKLS0tIHoyMEU0UUJEN3lkZDlGNjJKWjFI + Z3A1b1BJNVg3SDNXZ2JPUDZwOXpHTkEKv+NRRLHfnc8j4rVmBDrLdTTtNyb9sUUm + EhEmbKkXZfHUQtx3bYUJQeod2wd7CYGzvfrbU96xpFkTAqvUJtWAJw== + -----END AGE ENCRYPTED FILE----- + - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdXJzVkxzZDlZaStpQm0y + 
d3lyQnFZcUNaZDdrdm1sSW1HS1Y1VkN2cmdJClVuM2Z3ckF0RWsrQ3RkN1Q4SGFF + M0d6THFpRDlXTXZseWJjQzU2OCtCWUEKLS0tIGJ6ajNRSmJqNVMveFBSUWF3TmRh + VnlXdTd0VS9RSnUwWit5M2RqYk5FVzgKLD8+uG/KUxBUTu4WFcgl187eKapyPrVq + 0+nL/jITbzy0HA3cTdVR1b2pueKODohBdVIqD+JpPs86z8FaLro80Q== -----END AGE ENCRYPTED FILE----- - recipient: age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMHlrMUlkYnJWTkZPSEhq - VnpVd2c0VUxwZnJsaElxcXVCQldMblhoc1hVClJGOEZReVgyaDBTUndFUUhJaU9r - QkxySldYMFVpSjh2VVQ2aXBleUFFM0UKLS0tIEtZZW9KNS9sMzd6STdJTXQ4Vkxo - UU0rRTZDUnJsRkVrdFljRXlEanF6RTgKuXPEvoGgBtQX21yBJGBJSRnDw5uK7iUa - NIB6YUZjGpzzjgdStSrqBe74Q5Jz0z1uy41l5r1YW4SMs8xP9N2EzA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcUYwUHZYNmNLYjV0WGhV + N09HUVo5SUpvUS92UThaV3hvVlN1Tnc4RGhBCk9HL0pXalBiMnJtSWlaOEFKNVlX + S3g3eTVtYXJwRy8vSGtmUDBpOGlYMGsKLS0tIDBnMkJaTnBnUGx5d0hXLzJPNWVZ + aHc3KzhBT2I0YkNCNkpBdWZPTDB2cm8KSwgUwcFRqWFxEqGrnTd6a7sle5SBXI3J + KyfOOrS1agk+nTaUJNpxLOG3aUWPSG8DBlEvP4Z1Kx5kG4e7/kRapQ== -----END AGE ENCRYPTED FILE----- - recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjK2tQYVUzOGxlWGE3Ulc2 - TmFpMnVaanQrdFoyUW1iKzdjQkFra0JSUEZJCmxObElTWExJanBxNVVPV3dLZzZw - WThURHFkQUlpOXBEZGZFTUkxZ3lMbVkKLS0tIGI2QTg3UUhPRjlZVDFWQjZiT0px - MGdUdjR3S1k0V0FzTzFTQ3ZXSkxaMlUKxH8TdDacUtyTmG/rpDg7tmpN7XGUXzgj - Fqg5QSpDSB06945MGt+zgHGEArcg9v+PtfX0MbF/Lj6uW871J6Ihiw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRWdKL0VjSkJZRERNWWVD + eWNobG15RUtQUXpWMlZTYXNBbFowc3pQOEM0CndTK2cwc3ZRWGxiSjQvb2l6YXEy + SGdHNVQrZy9tc3k4emRBeVByZExmd1UKLS0tIEdBZFRMejVtalE0WGh0WTExM1Ay + R29XRC9wNE4wMUdyTTFpYkh6VnJ5NHcKEDsie612hQqxjH/IdM61a449jiSaqNvW + fG6x6U3GQxnjH6yM+Fn1S87c7ZihTIAPzbAmbIiTmVbv7cp8XVz/LA== -----END AGE ENCRYPTED FILE----- - recipient: age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x enc: | -----BEGIN AGE 
ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLa1hlZ2JuS0JOc01IZTBv - ZkUrQ25SeGU3VC9YcXFrbzlpeEtLZ09DLzJRClRZc1NuNG9OTlY1enphbjdrc1BZ - L0w1ZVR1SGNSekdSb0FSdXRYMDAvc28KLS0tIEJHSFo5YzZIVVNaNUdOa1pHamlq - bFNWM0g4MG9ZQnIwTG40VFVXL3ByS1kKPOt/Y66db5aZ/PRihBX1JMMjtZGV4RJd - s6REyW9R2VvwCtDQMewEFTSXZgeGQeyH6i3hEuYRDxb0VNZibXFHIQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTkNHVmtwK2JOdHM1ZUJ6 + aWhTeUxpc0pFd0tXcThYb1NkS3V4V3pwU21NClA1Y29QN29nc2dsY0Z0SmdFZUtE + Rk9PdUVhU3ZvSmsxcVhGU3gyMktwcnMKLS0tIGF3dEs3dnBoa1VIWUorZjJwRkJl + SStnREZnTGFpMmFGZ1B2MVF2RWRqN2cK5HHfMKlmLG1UQpDYr1Gg8GU3Gg+oGebE + y2efhe+oiIwr2uo9+zielNVAykKg2hvwUmyAXBsXsl95sIXFfN2WQw== -----END AGE ENCRYPTED FILE----- - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQXdwNWhEK3dodjNaK2Zm - cWVWQ3BsTWQybVRUOUx6TWNDcjhRam01ODFFCi9BcUFFSHN0UVZoOUdrQ3piejFY - R0grN3M1U0NLYXlFUEpjdEpVOEJmckUKLS0tIEtKc0N2OXF0aXg0bGhWMUZBNlJ6 - NTdWcmtVNHA4WUczb0xpZVc0TGczV0kKmnoGm9V6amumqlClGjlFcGIX05KeV2qW - f11xsg8pjGpPldzT/Wqb6vWYJDJL7c7J/AJkm9d8k/7GtJQ1qKngCg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRXRVSk1SRzdIZkpobFV4 + Qjg3K3NrTDRGY2VZWWNOTXhDLzlodVhTeG1FCjJvanhyN2pITnVBOXRINUtCbE10 + TlBEK1hoRHIzRGtoSDRCQmRnZVg4RUUKLS0tIGF3Q1RKL2h1WGdSRWc4MzF1cTBE + K3Z2TEZycktQRC9NN3R6bVVUSE9FTE0KOtBDjkAezsWR6wfrfnrdUcpdQgnCXm+s + WS/RX6Q5Jw5nOSgkR5SyhHqOpalYlCnYQdE0zmW7n3C/BqnX+53T1A== -----END AGE ENCRYPTED FILE----- - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUHJVd1BQeXYyQ1BzSlFv - bkpBYTA2Z0J0WGtWZ3NxOE5wYmZRSU92aFc4Clg4Ly9qREV6eGV6ZWk1WTY4SjBB - QzZTVmlRSTgwSlUxTVJTOWIrZnNKWnMKLS0tIGtiSTJ0Y3F4S09FSnR6WGdJaC9D - a2FvbEgwejlob0U3Q25lK1M2TDczT1kKTzSG1q51CEr/dBgYJ37HceXZYS5cnBtJ - 1zxmURZaXpsOtzB9KJn6iUt7FwpqIJss/+p1AELvHUZgjJI9DiFfkg== + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdXQxOWNveEtZUGkwclVp + aER3dERtUHZxRjBweDBYdERROVA3OTNYQTFjCjBZSEVYRGpEWFFUNnM1SU5aWjhs + MWNUdUt3UTQ5SUF3MVVHMW5Wam9KazAKLS0tIEtUekJPVlpyYjFzcmJ2Z200OXNs + N25JN3BJenVhNnhmYXdFVnZEM25mdXMKpzEJ0eqnUoiyboiy9FBeeZFBNHRrO52Y + RICf2lc1bx6i7fLjOhbV+ewjNk7p6ApdJPHaE6Pxa+jJ0O5vVVJjiw== -----END AGE ENCRYPTED FILE----- - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVTzc5NjI0TnRYREVIZFIr - VDFkK1Q4WmJGNnBBLzN3SVJBQ3dZMTVrWkE0ClpselBZaEdNeEdjTGQ3SjJuUkhH - alpEbGF6TDRSRVZLelROcVJxcG5id0EKLS0tIFRPMG82VG45Qm9uNlBzQWVFdC9C - UzFWUGhINDRQUS9TZHRLblRybzBIU0kKV3nNWCLMZliDnW4PCZ/6HAMJSTy6arjE - Eh89+SCKBpVecZM+DrwPDQOYY3BSihTYD4bawfhbTxFI8RQXA/ljkw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NEpqQjN3WkFYSlNrOUZj + aXNDd1JSWnlXNEJCREN0VE04QktNK1gyOHhVCnhCcWdEV2NVYk9vK0xNY1RTRVdU + YS9kRWMrSnE1T04yUER1eGMrM1RsS1EKLS0tIFM4dWxCRTBJNExsakxCOTBQSUxQ + ZjRQRTQwK0k1bzdzQVBYalBlcE5OV3cK1vkdKETqGDbsj/WMjwLmjwUz38yPXh/H + vjJxq20D05HNI3PdBMzZZcaaBzVqf3hx+afk3jQPxggrDiysiRNWLg== -----END AGE ENCRYPTED FILE----- - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByQjlhcGtKRDdCdkFMZ1l5 - Mm4zUXJCTmdkMVh5TUpwc2dndFNOUHBLaTI0CmZGaDQxRHAwcWdyT1BtUDRQT2xq - NEZsYnNVOEpzckZYUEM5WTg4eU9yUjQKLS0tIDRzeFRkZHZUQkpiNGFjeSt5SThK - NXVYOUdMQk9NRjlKTFlHTU1leFZISkUK/hudtpolmk19shnGFstPflmotm3uvfF/ - 5ZiXoVKcptQne33YczlhY13+0QPpV7hXuXBw+YTHRRXvjGN3wrtgNA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuSnZNQlZVWlIrVm9HcDVa + Q0lCN1pKaVd1amkwdTFibU83bWlzcmdzM2xrCjU2bExsQ2JhN0laK2hocDVBUnNS + Y2MyTGp6WGUyUmkyc0VLa1JBSDIySHcKLS0tIHBVYXVQKzFUdEJjdGlBL2VHMldG + UzZhUDBCWC94b2lyWEdWeWpJK0tqcWsKH8QLyHTIIEwzUAZCTeUBbOAd78fNHlqk + uImJM5y/vjVw8490Uo7rkypQ5Faab+ekcWqPSj6sE/nFEBWTCKdSrA== -----END AGE ENCRYPTED FILE----- - recipient: 
age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1dHJTL2I4NEFxakJmTk5F - RURmSUVwcGEvR0NLRE8yNlkwbW9WRWV0c2hZCm5KUXROZ3k3ZzBpV1dQcnN0TWNI - R2lTbUNjaWlpQ3dXd0dVS3IrbmYzVjgKLS0tIHlHTk1ITDE0d0tnNW02T3Q1OFVM - UitSdTNFM1JTTVYycDNoeEdhSmpOajAK3G02xLW42AEcJxHKmqoSsmss33xXkH5j - 9ewQOxAAdR0teBoHRC8hE5wNrnL4u4xGTOAq3zXxhidEq0fMc0C9tg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNlNabmNqK29OQzZJWjFX + Sk5OM0FTcGxUVCs4OXV0VUE2dXNMVG5oZUJjCmtRR3l2SHlEd2xBQVFPcjlMMzFR + TCtDTmEwVS9ZMFV0Y1VOWEJGWGtSUlEKLS0tIExZUWVMWTVkUisvMEFmUy9QZ1VG + RnBDMFZ3TmJObElRYVg2SGFBaWxkZFEKq7un72Bpl2st9AUvAXE9rBir1mORSkAA + GnHQyN1tVPurKINQeAmuA8gIn7UlaIi5MxpIkaJFqmO1/6H5e7tkGg== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-11-19T14:09:27Z" mac: ENC[AES256_GCM,data:tZ6QzVPivueZiC9Qfb3KNZAv02QatgHRNnlM+Y0iV4BZkYoBjxeDojutizvAMwUarnubUdk5I6m2OZK1mvVDZKXyI6zALX4JMeT2xYQWRHYzHpOygLhhGwTFVhV+0C4jN+eJFF2cNf9lu7NuZI9ylZSOY8I3YKUl+l0l3CkXUl4=,iv:JSGOUq+j9T/NXspn70dfu0J4ISV6vVFZUe/Z1CirrJk=,tag:Hm9N55f9qMc056nSTR1piw==,type:str] pgp: - - created_at: "2025-11-25T18:32:47Z" + - created_at: "2025-12-01T23:06:33Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAwDh3VI7VctTARAAzpWulcVroUoACaD2ruC3zk49IbaTntS5BnduZgckvHWU - YREVjz48tuE2KLDm/AHkEdJAOlTS5jkhz5L2k74wg9MehqwVEzMfaLaJyDm7J9oW - CdsI16TPpr3j68m7yMn45GUwNMmMj0NBYfpd+ydFbqcswC4Is5vFn9hIPAlQgQLt - G3uKh8IWOxWT/6rHSL2ajQNGTg6h08yvgoIas8JBq3J7RPa5vPL/XJXh3yCUIjgF - wFNprivM9CiYf7rwJUEa9TUdjPoj0Vo4mfZIBh85YJ7LCI3hyxFLMgxqNNFtq+Op - NKrznWjpzyxDSrXGz4os2khg8bVWXEbV5H0pvvwtLf9ADRp9KhB7Jdd5VX61KHta - 0j32SuX86m3KAFzXV+s8xM/abVcfb3g2ECZIJ0qjX7kJ3q5F/Zzv99JoutjJ1Qko - Zv1XrsfdFPR9Z6XJyU2No4aegiYtFxKp3Uo8u5yAetXO8uG/aPXXVI1VphYAheuU - TKaWirIRC6jA9I2fI0WEk9pKi0vcjbK/RdkYUyfeTmxzE8F50rCuclXRkR4yVWCm - 09xrcyZK04BkYdgSx5ldhq3LpW0DqtP79KFZ9M2Vr8+9wOcJFkA2g5jQh+/b/0U0 - 0lOUVg+PRkBQ4SEi4UauFmhgnt/nrMfXwty5XyW6MvTUSZo3N1SW4CaSmBEGxUKF - 
AgwDC9FRLmchgYQBD/9iknczA7d6KW/t1Ek/R2MIcvHN4lndzcLzzctR5CpJVbne - dHuz6DEFb/x/134iSPZhkJHLLUgCBaasgEzL8vniaoWq6uccdxYL6nK/P11z2fVA - NFUwR4t1NWodi8xZ2lKiv6MFpDekjphS/9qL9NTmjdXxpyd6gnz+tRn3Kdnm4cSx - /ESJQ9DOVGxa04EEup6TN5HttGIoP/kxJfgGCTG93AAIYbCRJEQJaLqpoiuUZmL6 - EccOivMlqwEaV3fAFx93tPJzMOZwJeVO03qnAPjqrIsJpuFBSqerLZdxZcgipoia - skIW/FMI1ei5qTFgq29mJZvEixK0zu86jRi53pNmyPHKqNEaH9rRi5X7zJXk4Wij - 1KdeNl9XdbtXjNmqOQHD8D5cIV43Hko69ZAxCXVJ1dYq3tjM6OuDTUWAxhfXOcE4 - qfb9hdQ5l7NpPaK44NEVCjVZHyNYq9Tu2V/5od3uz18Y7L7RPX1EnnSq6swsE1Yk - qBg10Uh1a9vh3tu2gcoHA5qUrpukzX+ndWmtJ7P0k51VqdQGSkamo2YfPj1BYxQa - TJ0VMIo9936rcBPFy8WxemERhkOPtzWfIaeiK4sUREK/z6bQl1aY1y85pKS1vyPn - CFx+7lt4ITRgiuaTCGRgTQ3xYBhqUufA1+dtbLDf9WOT3kBtktXU3KNjC+QEWNJc - AQSLv5CljoYo/FV16RZKwmCWADMZ6qB5cuJTGpI/TDyiap7jDiVXYX0A97FbwS09 - a+XS7M5vCVpPLY+lXsM34m3Enn7uLnfsj8Y6GDFs+7vn43ajcsWJtuN1sbk= - =ySlA + hQIMAwDh3VI7VctTAQ/9HmPTBEVh2e92ES0g0sOUx7S9I1zoRFm3ONWNoaT6hld4 + UJiKqbHMQTyjr8m2IvkzT7MhXr6fPsspAFguxdXLAD6LSeWJUkBn6IBT43ISvbkZ + 1KrJnZHzwMjxMGe1MrBk4C17YPlAwB+CDNNehkKHWkSPfVqNurY4gtNoTrZn7HIz + 5Npvi9d5W984CeuFoCmY+w7DbKINk0J0YkgT9zBMdfGw1cVAV5aUS5lIBqvo0YAO + yIQf5tbG9aCa5CL3OH0JD72GBUkODLfWFzcTpzfjYtjx1rsbu6gqkLcH1eGFqTsa + cQ7+A0wbB+9iDN0OXmmPNVix+uMY1yQpxMve3r34v18R9KTCvsSK9gOpk0ilg/T1 + lBG5wFNEutJmwuXai1Zme5+MJLK0ggUQYywhYY9auGmwC74ZRtRQ48o3SsQ0HJTc + tLG0thDciyF/Xy2IPjqnp9vCfITnVw42ZsSIbXfHHYoEBYu4mYhqAP0pmHFzY3jE + rc8LzraecOslqfLVgdCPo/7moBpegIfJfCkX+gYxZKRJsuOHNiTVyFHceP2mztKu + F6MIVxsJsQjRnkavaHXEwNFr+X+YlzoOAid3UNzO78rKAGUw6mJ8PvLBekqw3wfI + zXOWNOgNR/aCUTAbSPn1VBLSM1kioGAKrs6+bAeRypmQGaYiLsDkvOU+qfNxtaKF + AgwDC9FRLmchgYQBD/9iq1JX0DpTayA4qSDo7i9qeET6MKK5VmrawaV2LqQpxOk/ + dEEIT8+ZBhAGjKRIPRZdF0bgcBP92IeOOduPvcdJcRstB1va3nyeKDXkYwaBN0XY + FPKMrTk2hifnmlGdBzN3RWGOXURDZdhqjsR0g4M1/85//0ZA1ogFnUsqtPI07TVd + oKoZqdt068pgBDgAxiwA4Y6WbSSdEo2xQIQ0JTRMGnIycHGnU8UYWElEjnusGKSc + jpC2jzc9TUABawOjCnauExHkBp6PhPRlAbzLA7Kq7v7lLkMKQdnJ0T7kIJUd5LlS + 
7TVXSq97WvGBhtQ45cSIZTskjnXEx3TQip9gNrV+MkZ14ASOwc9Lmw1O4z6cVUte + IHzUELZsupE8KQPifgMOyx2Q4OQPQ/vv0CSYJwozbpK+g3XRAtsm70mSlagCtye2 + MsNNQFfZe3vSV4o+vQfbWQ/LMxP/8YcRmh1/2q02yXS6sjW4MWiAjcW6nTRCxJbI + SjMKmIbGNn60MOqn+9MNHA/S12SS1yI2cTPenebbhXAbMnCOHW31D5ufr/UR7Pkm + xiBXOT2jROYtvFozH35OpkIPr7tV0O4riUVvPw7swlqTVrJKR67Fi7ORsGJKbztv + YgUuZC3679TzXyWRMGauTmOPQO1+jZ0WD1QYtKkXPpTZNLx02a0XaGcc4if3gNJc + ATICbOTfcwy5HkC+KcLy0KADtfrO004fSIXV4TNrdfyXNnUshnutAmZBRAilvvdG + OQRfyr8P0jKoZw2UUoAFEGFU2GaNg8NvCoZTOesN2BNhSVIdA6QKjnZOzBI= + =HuIS -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted diff --git a/secrets/eagleland/secrets.yaml b/secrets/eagleland/secrets.yaml index 96c7a89..ec63b57 100644 --- a/secrets/eagleland/secrets.yaml +++ b/secrets/eagleland/secrets.yaml 
@@ -1,5 +1,6 @@ #ENC[AES256_GCM,data:TeJxdPs=,iv:M76JVBlBfgjjm1SuT/0tG/98FXpkIPpGng4u4F5p07I=,tag:RXAqa2R0HmEOjW0dD1treA==,type:comment] -acme-dns-token: ENC[AES256_GCM,data:39nbceTlpOCKThRLBVvA0b39+ZMo7IQwXjRED3niNzVk8aCsOq077g==,iv:px8OoxEN+OsCN9ve87eXw0Zc8lhXVC9tOk3VVhoKlt0=,tag:hcUVsH2XkgclmfEsC+NeaA==,type:str] +#ENC[AES256_GCM,data:YczkPHAlYVsdVPPGyuByxK9wvRVbAuR6rR9rSFjMvMGxg0QUdIa/yo8o0ppe8I2ywwlLSROp3WLJ,iv:ltLRGMLZsOte9jQEi/VW4Diu/Od8kHPbzsmvPqVgLCE=,tag:YbtxLcYhvPZrC+QFfxtMrA==,type:comment] +acme-dns-token: ENC[AES256_GCM,data:5U/74jeGpQH39kyjuVwLU3WBYk5MrCMZSFouRFRVbB5FhOkiJtqYBA==,iv:f1TgdiVVbAB+580AtQAe8mCXU0WuS9JX7AWukKbDYj4=,tag:Ut0tbtiNcV/NxfStyZA9XA==,type:str] #ENC[AES256_GCM,data:dZiEtGPKsbsd9g==,iv:lNgXQHx/w7pm3EUTBwyFnqv2j0T7zQ59nFLom8F0hQ8=,tag:1cF89QMfjipYZgfl08qSOA==,type:comment] user1-hashed-pw: ENC[AES256_GCM,data:uPyDpGOVIqE6cCyvhXIM6v8sTqEx9dV96oqMYS7fRMLiR0kYlCmgNBEeDFmTNRskqwW/WGXrOBn555ZH,iv:KbHW2mOGzOw4t9aOrKLOIobkUNLWj69dk7fFuy1x3aQ=,tag:51+qAavIiM6K256MkhBaZw==,type:str] user2-hashed-pw: ENC[AES256_GCM,data:+BES2HwH+Jj6wl7MVzsdmPGxp6AuiPLx+XuOpJClksm9SlbAyqATAHeNokAHmj7yLS79rJF5C3YBBtT4,iv:bSX0PLcriKal3eir24DTyePfropgVhh83U0JdR6/2Cs=,tag:TiSKjApnJg3di+77vV9l6Q==,type:str] 
@@ -15,8 +16,8 @@ sops: SmZrb2xuVW5VVjM0b244U0lkVmlkVGcKin/6A8ONfW72fbQmvJWiNCzAZfGUtxCI WV0DaPvO7sO5y7q37QxVUOxgJgF0WpKiNel4Y9E06xbl3TK6jXk2MA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-24T13:05:23Z" - mac: ENC[AES256_GCM,data:/wmUX+WUP9Jbai9hv+a7/yqzJuL/y2BnjOjaONoce1RGD1ULZb3/qjXJr2NdqQNLbDDq6z3UafX1c+ki8CDs8Q3psO4P5jXrntcc9mgNuioy69TWJtCz8nWYaoZQLyOwe6sAClmJb3prGbSXmt1VO+5RBd3GN482eoA9+NWuhjg=,iv:tLfkcFYWMs+DErWocrT4c3YfBJtGtSGX+E3i8b+qKFM=,tag:QH6IMxpZPVvvKgFPTnis0Q==,type:str] + lastmodified: "2025-11-28T17:45:38Z" + mac: ENC[AES256_GCM,data:dQYfZvGJukraN3/rPbu4JxItMxrsEIY2mkLf3ZWmC+wNZ1qLaI+EuqmLRDicNJqQ9cGljystJvrZouUhJXQNwsg4WNck5+WAfFZ4MRevxbZre+LqFfsFi4of6b65iwRTGIahtiLApNoSI6SfcjCt28i1CIofjuQIEk8LBrBlEys=,iv:fKeo9Ot8sG6qYOBE3gt06VqoYKM1/aXMs/jj9dNNFhs=,tag:sOuhoIO4SBUITo8WfCmwaw==,type:str] pgp: - created_at: "2025-11-24T12:05:01Z" enc: |- diff --git a/secrets/general/secrets.yaml b/secrets/general/secrets.yaml index 12d8016..bc0079d 100644 --- a/secrets/general/secrets.yaml +++ b/secrets/general/secrets.yaml 
@@ -31,130 +31,151 @@ github-nixpkgs-review-token: ENC[AES256_GCM,data:/4ssZAEwEc9fZeR69GCvLMm4eRv4uab #ENC[AES256_GCM,data:PI5MX6PgK1y0lqyoYA0=,iv:25UAvFaANHFD04GRafGlCzOc5h+15YPtSES2z2tmpXw=,tag:+XLwQ01+AtGWjtsSQhQ1AQ==,type:comment] anki-user: ENC[AES256_GCM,data:WoGaNDAHFw==,iv:ZSjHfKMIjlgOuvGl7hVxJc1fE80nfxxXYLgsKangBCs=,tag:UP8ZI7gzOrJJjNDHovIkyg==,type:str] anki-pw: ENC[AES256_GCM,data:z2SCsSvZIqN2/2VK1EdmcAnl42x5A15PAiK932k3n50Vj1jczGRoSw==,iv:keQCutY4vizVzu5YzPBJLgDLveYDb2VGeEnYmO7CeQw=,tag:KGplFfC5xktNAOTbIlt+Tg==,type:str] +#ENC[AES256_GCM,data:KCqwghIJ8tlGFxMt94svo6285cA1YRbYoeivx6A=,iv:qlZCGrCn5fU1xPQF9wfOMarU6Z7oa3mLtd1LzVzMbuI=,tag:Qq5lBtUsd3lQMx6ffk+kzQ==,type:comment] +builder-key: ENC[AES256_GCM,data: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,iv:2RpiHF4b7+520UJcHVobfJs165EjgxaTATSyOx7HJik=,tag:tGddPi0YeO3E0kHl+E7uGA==,type:str] +nixbuild-net-key: ENC[AES256_GCM,data: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,iv:2HN9X9CA1liWuY+LYqTCX6Zy3xARMS/TOL61r2UKsE8=,tag:XcPBwYrQjqhexI7u+0zXQw==,type:str] sops: age: - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cmdUWlNuSDdOcWo3eHRD - c0tGY3FmWjdhclN0dFdJSlEveDJPbGxPSnlnCnlTM1dKNTY4SC82MWJqMVFLQ1pi - ZXNwaVAvNnJnRDlyQm5DRFM3MktRcmcKLS0tIGF2bTcxRFRGamZ0N3U4YnFoeXdT - ZENWbnBjM0VlSitYdXhCVVlUQ1ZKUjgKetWVsf1xLsqfAKkO0yQSJWDmxETYWBCQ - CSJn0mbabacvgLFZh9CIbm1GBm1CRR+pPVdygwy2ISQSpB27tbHApg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeU14bE1QWGlneTBhYXJy + eFU5WTZwVlFXTlFOMVdmZGpYNkdMNFk4M1VzClhTeW8zdkRzcUhLRkpKdWxCZnVj + R0JaN3RvYk4wTjMrR2JzTU1taFE2blUKLS0tIElUaEVCVDNGbGtCZUZTZ2hwNEdZ + ZlhHZDBROW9HQUx0RE5KSlRFNkJVM00KVKIC6Il9Vq4lwNS4Va/Zy+EciImnjEE7 + uK9asNYPNFLWOGH8WRUYmcsDGupKBCtSJszd9+DoQ28nWo5f2DjHAg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSXA5YnZyQkJrUUI1UGp1 + TFdPZVhTS1RwNVJ6SVhNeWV6TzhMTnZJUnpRClZuRWxPNXdWUk9GS0ZIUUVsUVdJ + RFNtMjVQVURWVW9iQXhWblFRQTYxVUEKLS0tIExFMFZ1eUorbmxCeGFqV0lEa0ow + c1VSTjFXVCt6alprYlZaZkVCUHB5R2sKGrXDZrwhZ/IZhX5EheYrM0nBMrAvzKRC + o9lLy+KZg/0JTZFE9iz+lPLzzPBVnrSXMSC79Tj28YKTR7xOOPTBnw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYzAyZG85d3hRaUJrajZT + R0crcFJNT1Z2YjZEU3BuZEJwYnhleEZBMGd3CkxnNGppRVhqRjRjbWlpaTJRdWI1 + NVpiNVBJSW1OTWNMNGlRdFVIRW50bjQKLS0tIEQrVmlwdUkxajNtK2ZhV1l0ZXBt + Vnp4eDd3Y0RrUlhMbUxNcFpsTkZ3UGsKv1HuzJH4rm1onXAlV7KO0MLNIxndRVNX + hFFSSV4QelNtjdEmqYwGpqAuILRpZ7g2/wMLVMMQ7l978KrfL5BFZw== + -----END AGE ENCRYPTED FILE----- + - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRlNiY2ZRYy93SFZqWlZh + Q1NaUFlmQVhUMVE4bVp1Smw2cGNzSDJjQzJrClFEZ3BKdEUzVTZCT2tpb2NHNGVH + RzR3SzhvbFNzNzB2eU1oTUZEUmlsUVUKLS0tIEVzTlRodkZWOFpoc0pFendwS3dL + YUV0OHJiVDY5enhUYnIyYUZ3RG0weFkKIW1K8NVG4M/YvrGYwbGL6IyaV6dX7qtV + tFd57d/A8A3vugzQcMCYvRuiEl1uqqId9Npof+GdS//8AhGeH/LOQQ== -----END AGE ENCRYPTED FILE----- - recipient: age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAydTFkbFVtUGFQUFpBbjhx - cnZwVEVaWElKbVN4bWM0RnR5T1g3NndvejJrCngrY1NJVXpxNC9TN3dmK3VzZTFx - bG1FZEpubU8rSWYyU1NObW42TG1uancKLS0tIGg1dEowTVM0R2hKUWIyVVlRY3N6 - YitZNW5TamlJbWtNUFhiWmNoV3dXN00KDaQWoCLomSLPzt969bwa/pxOdlAUqPKg - 5jbzSJX22N671dhwzJY1IiGTRKNnh54hCZbb1Jvl0l2mUifkxZazIg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TUVkT0xrblI4V1NXVkl3 + am1FK2VsTTMyS0ZqT2lzTG1NYTdkS3pvNFV3CmdzakU5ZnpJdEdncEVFcXBaYVMv + dE5aMXlzRUVtZTJQSXJSWlArSzBtZzgKLS0tIFhxYVFWa1R1VFhDOGNyZmdPc1Rh + 
N2VRNE02ZTNxUDNVWnNMb0ttc0JEZzAKCSgy9q357fSjSjnivOEgaNmhocNpzaPK + TIzJqTsUoLvGBdpXa5bNSe+guuIZgZfm7PCohyKrcm1AUhFJOWZ5yQ== -----END AGE ENCRYPTED FILE----- - recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArMUlHOGE3cjVuVnkzSS9L - aFRWZExPbUJDZUhXL29oaVlyZ2JUSmtpV3pvCkhGREdZYWVPZ29KSkErSkgrUVBt - YjNPVXVaeXlyNXIrdzRBVFVEMDR0VEkKLS0tIHFNdHFlQUtwcWx4TDMrRDFac3hW - M2ozakkvSGxSTi80Q3YzV0lJbUx4eTQKC7bf1qkqKM2YkHYuk67Ub7XAO3engfBi - nk/kDjf47A5LWUzGFDYb7UizmaI7lkPjw2mOhWPLGfX6uFK7sZAt2Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwOEVyV0ZwSWREWDFab1RB + VFczcWxkckk4SkVZU2Nlc1c3UDREaEpHb2dNClIzN3hsMFgwT0VuZVM5aGFKcmx2 + azNBeXVrMGJyVmM2S0p6eWd6VHNPV2sKLS0tIE1JZVRWWTFnUjYwR3dTZUl1aCtu + RFpEREJhRVBacGEzRWhCY010NllET28KqGfrDBjMUogZLG8oGWxUi/J0MNql1Wb8 + vPbOdd5PI36qAjxWEoax/WMG1LBDWxgJJva5VgI2uNoQtpo6rWHTeg== -----END AGE ENCRYPTED FILE----- - recipient: age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZOE1xRTJaWUR3cDBhS0ZX - eDJ3aW1vU1o1eW1yRW5UUWN4QWN6TFY2QUVnCnRGUkgvNmRFMkdFRHhPMlZrczB5 - VjRvb05NTHRxTkQ2Rmx3clJwUVovVTAKLS0tIGRzdm5vL2NTdTRpNmY1dUtXcGN2 - OEVSOEIydnRJaTdocVBNK3pQSk9lOVEKgD2xXVdgrk4Ur6UdbdEMsjCqu+w1VxTc - HIvvvx6JhXU5ZD7kjFru2eg2g9ZalikZuL7wt4OGfIkyZZrg0QwLZw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlc1hldmx0cVJaQ3lkY2hR + TDcyQVJ0ampnWFdva05YTzdNZHB2VHdkR2trCmtMaDJUSEhPeUZFS2dXZjRSUEY2 + dER0T2N5cFpNSVNtVDBtU3Avb1JwZmsKLS0tIHhJY0ErOEhUMkNjTXVCbWFSeW0x + WmhYaFpXVXlFTWlhNzY3eVk5bFkvK0UKVf0W1kcQr8uHyY89KW5LfZxkb5tKhsEj + H8SwJ2pvLuY5aRudkmnbXQwpF1i7oL17DWKcQI8qIZovxtdJqovmtg== -----END AGE ENCRYPTED FILE----- - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQTU9jZXBtanR3RFZxRk91 - 
OGNDcnJFSU5UTEZDMHFRTmh0bGg3VkxNdTJBCitDNzVQZ3NOSWtGR0RhS3NvdC9E - NTFyejl6TFAyZk9ZK0hBMXVLUHplNU0KLS0tIGwyWnl4aVZxZ1BoR09kZDE1Z1hP - UWhnZVdhaGNtekdqVWV4UENJTGhiWUUK2Mo/VAq6pTUC919opBOVoqe8rDhx+7YG - WEEbFrsuncwU5E7lTRveIhI3E9cEA2+Fy88dN/p8ntCR2doaZjlu8w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBweWlhVGhyMUR5QTFlcytP + T1ZMSEkrbVNjdGNjZUU1VzB0Um52S3ZNd1FNCnBjRzUxMyt0VzFnQkJTWVM4YWw5 + NFhxR1dZeENndVhkU2lkdmQ5RWpoYlkKLS0tIDYzK1pzL29jTXI4SStKYmRWQjBW + MWt4NmhOdWlOckIzejJTYStnV01nN28K96etySWmQwVux8Xdo8pXFmCgT9qRq4ZJ + X1Bl/iIKZDkeFSZjt+wunABbgG2e086xUFsiUvAXclVKBEnuUf6RDQ== -----END AGE ENCRYPTED FILE----- - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5V1ZTYW9KUmFKWFdWanpH - Q0dTcDZVd0pDSTVUWlVYVGptRndkVU1sRjNFCnVmQ0ZFRnBVWGk0ZExHeW5oTFNN - eFRYVzV2SDA1RmNZRXlrRmV4SGMvZzgKLS0tIHpkZS9ZbnViYmtqa1A3WmZjU2x5 - M3FaM0RaeURQT1lCb1oyNVcvbU1iRUUKDk3bCkZf+xGf40JoiC/lLmI9xVVrkHaK - AwSeHtRHhvunWdFRyNlO5gLeeAqQuIBAUlwuMTgMdLYKzueOjdzJiQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0RjhEVkNhc3VUcm9zZXFY + djJ1QXc1UTJTUlltNHJpblU4TU5PQUZXM1d3CkUzWVVucWp5VGd6TmFQQ2oyaTEy + c21leUY1Qy9hMm9KajAyOWRCNERwVkkKLS0tIFlMeEFKRUZTZ1U5OVBvOGNpaUhQ + WWZPbWtyYTU1dFRoSWw5NTFRTG5IbzQKyDv4/mBPR8Ev3cGrHzHw/+nGnw39GkB3 + YGjqlKMpfX1Y8BGlPRxCVRH0c+iQqEBxdqVwOQDC/njKGcMXMT90tA== -----END AGE ENCRYPTED FILE----- - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTMVB4N1NvWlN3d2IrYm84 - d09jWU00RUtUVTY4WTZ1d0w3N2tPZmcwVFFRCk9qNjM4UFB1b3NTTFowV3dmWGl5 - bEJNeE5LSlNGdGdGcjAzZ3A3RENqeE0KLS0tIDR2a0RXSVFQRHNSZzRjVThkVm5B - U1NhUjNYcmpVV1JBdGVEYWZha3dEbzQKeci1Kak+wj+tCEsQiKg52IvWbjrmx/aZ - ZEpwZOeuputFvxDVUAvkTtE/qthfstDjFnHYtKgTz2vtBUDachnhhw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcElsLy9WV2NmNVRwTi9G + 
YWM3MHZEYUdLMmI0NENTV0JXWXlneU9iOFdJCkxUWE14ZkJtUUF1VFNFcTRRU2hj + YmRoUkxJcStEcFQ2eUtPSnEya25xaU0KLS0tIHlweHZlTkovRVEzNkl5ZmppeEI2 + TTVQUGlaZzB6WjhEeFp3eUdzMGJIVWMK5dQgr7YfvilutGW5nieHcsyTQu3pxzVF + gYoCAmKUESrmIubSPOD0RifFBQTFObHJDU5xiDC4a+vampqH/5uOTw== -----END AGE ENCRYPTED FILE----- - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpYmpJMFgwWmsySWlzZk8v - OGtTTG9xZXNQL0pHMnlSdWxNSDlWY0NKdmdzCkd5VG5vcTZKSTBOVnFYQkdGNzRB - M0lPOGdNamJHcWxHRUFXUEp0ejF6eFEKLS0tIFM1VVpFK2UrcDk0YWoxOXo1Z2JO - OWpGV09wOVBEWnZ0M0xBdmc4TFlnYTgKlPTvteJrwkEfNAPGOKK84WNXz0ZWEkFQ - irEIJV+SQD75KCfsFQRNL9s0Phd6t1wknqAbB5L4GLPdLAZKY2hf1A== - -----END AGE ENCRYPTED FILE----- - - recipient: age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4OE5nYkFrbTZUWmdnVWN0 - YUhDNFRmblU2MFk4UFlXNmtoOVYvZkY2cWlRCmJ2VGwxUENxS0VKbnRXUVNRSWNW - ZlFTcTNVVnZKVXhqczc4ekF4M1FUTFEKLS0tIFhiR2QrYTFNcTZtZjduTWg3OFAz - aThXZ0c4MmNVU21NK2UyZGJjUkNQencKiyEdqY1J9MGYfbEQ6U/7xOulYFTemU9i - 2gg0P+3MhxBu1zcVTq+0+YbOxjw7O3/TKTO9Qj7MqdM3Gh1DXlix+A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxTzhUM3ZOaEdoT3ZqQ2p2 + VjBvS3RrVG11ZjVnKzVmM0grTlg0b0RKNVNzCjZhb254b3QyUHg5UFppc1o1bGZZ + M29yZDNvRnVKL0JqQWoxUGNKNHJXRncKLS0tIEdYWGQ0SmQwT256dGsxZEhqRGY0 + VThvSXAvMVA3cW9qMW53Q01TdHFtZm8KoiRiL8tDLUJeLocbRIfnGWuUG/0Up5pp + exdFlTaLNUej8UT7UCUPZvvYN89Zq1ea110xr9Nim5zzFBErJfRPKA== -----END AGE ENCRYPTED FILE----- - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEQnZpbi80Qmx3WTYzc3p5 - TElMWkJYVlNLdlVZS0Q5cFNTei9ITVVkd0dZCldrdGQyZmxPUFFMLzFnL1c0VWpk - Z09XdktuNHQzTzh6ZnJueXoySHYwa28KLS0tIEc0ZXBHZ3ZvOVVlelVhNTZpS0hL - ZmhYMGhpcndEMlNFMWVPWmFUQitmRkEKQoi4hri+lEDo7FWiiYlbw11MK+PRnIbD - 
YYGmu44YDEMFZWAfszAaT6dYF0tJpyEuH0bOgcDEg7GlQf+BIIogtg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNVZ1WGR6NnJtMC80STNH + dFZuRC9jT0lDdGlSWlFIZmJCUEFDanNib25RCm00YVZyakl0RkRBbUM2THNaWEpC + K0JtaUVtM2N5NEdyeEtpTDUyTElaQTQKLS0tIHcyN1Brd2hYYTdIZDNoeDBVMjZH + NS9yV0dlc3lVOXNIS3dVR2pmYnNwVjAKlbBNLNA7Pl7tUg0S9X3BTICkbehkmTP/ + mqVVce7F1Ml0dXi0t8AsxK6HyrR14ZF3QsFr2q9PgQ7qnLv9o4xzUw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-25T21:30:24Z" - mac: ENC[AES256_GCM,data:kdyRIJYzWvHJp6Zu/1+JySrcfhjZpD5JQPIAuyHM5mxuUKBdH3dQGhrcJ3I7MOJBUrF+Bby4zakA57L7NBzwshNXsCFv9kCFolvE6m/Vhpv0SW2mzE8SguwxiU1xFC0kx2849YN539plhOEXK2be4TBxgTaFlimVtD4TtoWqt8c=,iv:DHKISvoLH4PFwqrd/iYULl+dFG7DYC57WuPHB5OyrAQ=,tag:TzTu8PWUBBAIBUmg6/fK+A==,type:str] + lastmodified: "2025-12-01T19:57:43Z" + mac: ENC[AES256_GCM,data:2CLFlduO1fsxtvF1fbH18kadQuawMwIYEjsJBvZ65tecIdjT5efPD07+czmysKWBh6FQuVPL8a3uVlqT2WUW57AjQZtxloCMAFS9m2S//I6I8GsLVccGnmudiHUdXFnt+gI1gtb6ukZMEps4m/LSqUHGSptVwqrIN2gBM6Yy9Mo=,iv:S/crBYhr2HTzMYn83bK2YYO7kwfDspF0gvkoiuI9J7o=,tag:+sO+jFMFGZSsCb7PGnlUmw==,type:str] pgp: - - created_at: "2025-11-25T18:32:48Z" + - created_at: "2025-12-01T23:06:34Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAwDh3VI7VctTARAA2KVbwbh02Bofe+Fp5xuwOZ8vezg5dQp9ZRq57NlnvTcN - LgygtWBkBYhle9PtkU+GoaIxD12cTErEXjwt70HpFlUtSQso8xzi8/wo0cvSynDp - pN7j6SLF4jNjQzF8d0CP2Pw0nz/kK2yt20G3WOEAsRdvaHsbd+IefPWX91hhM0cr - svTkPU1sVT/svhyhgSw6MllAxxHQ8s35RJD456MIzoQMr/R28cJz539R+R3NGQ8s - ecLK+8qaqBrKWkXvucs2E4zOMyN41ND7vWDbxQGHy2RY5xpXzXSvpw3eDljK8mcY - 6MOiuWgGzLl20ww5TD/c7EwD/V3mecu+DO/qReWFe+UzAZOP7DdH4gcrbmDyvrIk - vM5Es3rkLwp+N31bBEZoBOX7ebD5CjToz4WUgWDgiaIpiSsAsCW5wO4e85Lc6L0+ - MgqqicIcLQrUHLK6t/X68lFTHCmjKttKCYFnvA3pVi0BCpcTjGJiF7ywHhbVeBEE - Zp4zjbrz6hP6Sg4yE6DUFBf7cK5BrTbdw9DNO6h6wre2SFCGan3AlWyr2l+U6gq4 - fCgtLHJcjchf41bIdCNod+FImRBrkJYGdIff+ZqFQ8a3C10blmqoaHXii72ig+RJ - vwR/ND0BQWsV56tNkviEapBr3n196xR4ueXFTuXe69PX0BI95jP4ybyQlUmx6rCF - AgwDC9FRLmchgYQBD/95o/4k1QFCtDhpD0H2RXtlP9HH3Mlul9vsd1Heqf9I4oZ/ - 
XcwrXcaep/3Sf3VWIzzYtiid3gkO4yO/jBdxaQUY06h+32v9EsEbbE8TcpRCjUXz - fh5TBtPIPCDaZjj8Zg8CbJPeQL/9ePg85OLk8OL3kwbS8j77cAYnJwk2ghoyHMAD - Ty4Vy/qzyxmSMXXK/V8WDBuUb8D41iD8lTk0swTUKkwPQmn9IZvpD4uHB3M2L4ll - GneOcFET5RqpltUmm72DOoy/wcOCAb19IzRz1j9Emtob4BElhYyMHShyXof/8JUr - PiwMm5PWj30YRD7GvsfWpEHhpmN+uTauoRlQ5WNSDIMuDIVjIMq5whEQ3cnO1Wp0 - LPqL2KqE8U7nl2lsxEp9siZpt8yawOBZlHRqXrqsdQ94UrgBa/AkfqNC/WgSHi/5 - mgFKulRqT82Y7Gr0HZYmfAF3M1z4NZ1xOk3/LsmhkEc5NvMV1sWqIEOahKrUMwL6 - EfhxIdfYZ4RBf19A+L1ZFV9cxeI7NhBTK8IZNgJypTpih7Ue3igECuYNHxOrtTON - tIAqRU3Ow8V/JvO5SGXYtDk3SmFyaEEPQXb/ZDTuh0c3nRhbeIaHjF26nD22krht - B4MxaK+/UOsD61W3OICanep5fBREUN+Ku6BuYyT8hvZUJ+Kjjnp0G+EvL3dKX9Je - AZkb6xguhuMcgbS0K+mEItPcrozbNZ6t6KN9Gk/dn+6D9kONypkSlRveETyQHPkx - +jPJtJnro7ADZyFHzQTF2/2o6pEnyG2xwn3m32n9UAU0vZ30gV04AQYE9zMa0g== - =Z5aJ + hQIMAwDh3VI7VctTARAAq+50+eWOM8TOM93JkwnSjUFLjwO17fT5jfBwWxqLRULp + SgO5pCfJSCr2xFgzcuS40+c/ewP8NHwI+S8Mu8lcJ6Olyx279QyZJxdKvVba46Ti + 7Dgb31UzMQKjjOW8/nhf0JFIq6KH5HUQP+LmmQK59VEdoEnz4XYdxq7mGeJQsn26 + E0AG5UvIKjjSrZQXbx8zojIEwE3l1t7Ipw2oTzHCalWf5at41cXyWmfIzomWHElC + XPwO8mjcBY5LQXDeTu2Xv0mBvFzXNBIFaEhrdphFxJIvpfl1FLefK6LKCDLhQtal + HNDBziTORUAnvP9JiIviSr+OUhTHTkDqSMYE6SD3SFsvQ/nArQHRin/FvPPNMVhU + TD0yec1VgXTJDJGe0jq+PiWNTwwnxwSRmKdXutp2DPEuv0amRGVOkeAJNSQPADOk + ZUGBKqjr+trvcKWReCC+gi6jMTP5N7rpjemufQ/p0pOTKmPeapTcWitqtRvAvGQ9 + +Q59sDqTgG5w3oSAnvboDwITFil7Pr39Oiwn01btDDlGXj0+ieer1mHOT3vI+NPE + LSrFqUa/kMMW4+zZHGlwMoNHZbwLWHGX0O0KZFKauht3ypSsjrJbOeBIGgAq57S/ + 1U+oerlPbnCCrUTuP5Mns0Q86mEbOmQQyGMgfigJ0zFkMOlO3306T01keUv35giF + AgwDC9FRLmchgYQBD/4vNejy7yGJSxzL9ouoEDqEaIGx1+pzzAyU+P0GYXV4rwat + P6YL8a0CikYLdkjgUsVDfFV7/Ou2Q1aPBn8AGRG6eaMlaICYK1UX0xiP9196dENl + qxkm3zQWCfxAkgWyUFernSzzWeE1z9FgEfrTOqKaETprFVxxv5tUKVABcXHSPNqD + hYqllb8tL1tS2QrqvxIOcrL7KHAnRPhHimIFeByNN5lN81Z3hLFRQ1Bl3LwDPeF3 + /kEhVjmGqzw2jEkH60Am9I6xZ2nlSimF7Bi4pcu6QCWhN7PMwWEyGxj+Qu8Osr6F + 3ab4M2vkyTZyewUGsn9qO3CcPAHPxyvf+pyV/q87ejuE2e4wR8LYcJnk8BOKsNRJ + 
m3sJffhhmB+f58HLzy9TwvaQqMno+/KnbV118lJrdzf8iCJrlUNY62MEjBFo3QhQ + 2rc4vJXk9VINiZlHW3y9ZXV+dTus/gHKjN137dxq/RPU9tf/1Y3Ow407fDu39DT3 + YrAAXj3jfEK1aoTtHpLZAp563Q99NYyBQLt3C32X9YZb4VuYCXvGsi3kqjdQl/zg + ZxUVlB3Wzm1jhL2KPOu1SuPAT9HLwu1QdDw+kw050DNBWgeLJx9i8/U8LC05vF6z + VWyozdZIdIfAKnMrFOU/8pJ/lNYb6pXbIYwbpSIDslV3Cj60KWx7X6JgVUf6d9Je + AQZ83SkdK0sBXS3sfjwCewyY+ta7i8zWYcG8KDbW2s7hxRb05u2nYKhJZZJ5xLcK + eRhg3W/bMUWk1bYZ+Whz77uSIC3n/mgzIlsaRjMokiX9i0a1jXVyH4LEluPO5Q== + =MgE6 -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted diff --git a/secrets/keys/ssh/builder.pub b/secrets/keys/ssh/builder.pub new file mode 100644 index 0000000..a13b0ed --- /dev/null +++ b/secrets/keys/ssh/builder.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0y5NPuZhHPvXUJANrg8JQTSq2x4dP5YNIsN75PCS/h dgx diff --git a/secrets/keys/ssh/jump.pub b/secrets/keys/ssh/jump.pub new file mode 100644 index 0000000..45355ef --- /dev/null +++ b/secrets/keys/ssh/jump.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICFHUnLmDa9lK5fTTPERGp+xsGAgSNrRE7/l+F/C4vyz jump diff --git a/secrets/liliputsteps/secrets.yaml b/secrets/liliputsteps/secrets.yaml new file mode 100644 index 0000000..fb6586c --- /dev/null +++ b/secrets/liliputsteps/secrets.yaml 
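Review bot: `builder-key` and `nixbuild-net-key` are added to `secrets/general/secrets.yaml`, whose age recipient list in this hunk covers every host key present (`age1h72072…`, the three new `age1g7atkx…`/`age1ly2end…`/`age15klj4t…`, `age1k73gy5…`, `age1cmzh82…`, `age1hsumym…`, `age1mjgw3n…`, `age16vzhcv…`, `age1zlnxra…`, `age16lnmuu…`, `age18quey8…`), so each of those hosts can decrypt what appears to be a remote-builder SSH private key (presumably the counterpart of the `builder.pub` added in this commit). If only the machine that submits builds needs it, keeping it in that host's own file, the way `jump-key` sits in `secrets/liliputsteps/secrets.yaml` encrypted to a single recipient, stops a compromise of any other host from exposing it. Separately, this hunk drops the `age1glge4e97…` stanza (presumably the retired milkywell host, given the deleted `secrets/milkywell/secrets.yaml`); `lastmodified` and `mac` change, but the hunk cannot show whether the data key was rotated (`sops -r`), and without that a holder of the removed key can unwrap the data key from the previous commit, which git history retains, and decrypt the current ciphertext. Rotating the plaintext values that host could once read is the stronger remedy if it is retired or no longer trusted.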
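Review bot: The trailing key comment in the new `secrets/keys/ssh/builder.pub` is `dgx`, while the file and the `builder-key` secret added in the same commit are both named builder; `jump.pub` by contrast carries the matching comment `jump`. Changing the comment to `builder` (or naming the file after dgx, if that is the origin host) keeps authorized_keys entries attributable to the right secret when auditing which hosts accept this key. The comment is informational only, so adjusting it does not alter the key material.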
@@ -0,0 +1,48 @@ +jump-key: ENC[AES256_GCM,data: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,iv:fPbPAptt3Gsgi7v1xCCHRClSJOXokBsvyCuLz/BoGP4=,tag:NhzeHRxwhQNI9HUFwLYMYg==,type:str] +sops: + age: + - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJM2J4a0pNZFRXQ0VjOFFQ + YVJIL3hFVlg0SlNFaXRvbkxMV3RhZm00Umg4CkszSnZLTXBXWUJHQTlmRllQRjhi + OENYMWRaVitPOFAvYXpJMFFYRnVYZ3MKLS0tIHk1UXhOL3FuZjZWNUxzNFdBT2E1 + R3MrQ2IvVWxGOCtkSDBPZWF1dWdHSk0Kz+zJhpJNmHHj6npV6tQ+n4F01A93haSm + nyT+MAs+VxRlRNNbAih8En2uxRlzSHjFekrLLaGbVYTrRtMfLiKyvg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-12-01T16:49:44Z" + mac: ENC[AES256_GCM,data:RIz594CVnEbUw3Zugj+WO82o6yqOD4JwSFzkqFOfd0M+LOFM68tT/14D7vxPitXEPqLvJC6MHG5vQ61PgU4fG9JoIEqxjvq4AAYmSdCwmB64MCeUIr+V4/fcYrRxuRyiXC79z+rJneO7SkGCX95pfVhGjaLftzSjfiNPPsC5pps=,iv:D345cMUSPCGzrL9uWuDwAkAqz2mTvVTL3QVqHesldGk=,tag:HkBF29S1c9g68aKKSYSWhA==,type:str] + pgp: + - created_at: "2025-12-01T15:59:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/6AsofKCzZ3PjJRHeHSt4XfdIVCCvWScjT1JuvOnq2fXIO + ZcgXPtVoDvd5vSv/fZed+1WJNRpiuNBdmD8cj7N+XqJotgCsQt3HwROCD1UC70Ww + cyHxh3MyukexrO/uIMbQ6ugtIHPVaeC7XyAOugJfHFWZG49aW9LYDkPRGluc0/zh + 7X/p+hZFLpljfL/qdZAakBDw2V0+yt1+5JW5V57jIXRX62BRSFoHqLrasHjvDgyX + h3ktgaIeDL+WssV7jra0oetGsXOL8+GPpo5PVgWONrOl4FBBS1qmNRAbLkJ77KVN + bBDV6Oy1DLqYvv/3UcqWy5XW9VxepEVsAaR+gtLzemMQo9e+qBmhE6tNR6Gvi0y4 + WmVqUZL/gF38sCHoYDT7oWq1cMJ7/zT9Xz5AXgXXSbtBKaxZAFs6QwZfw1rW7dj6 + Is1lXDNCtprsvc3Kxf/R4hHWT5nVFJN4xpKT+epLnumMA1YvkhWx0uziiky4ZH+6 + u+RkK9YZYpGdIYPg7ZK+xLmGLU0YwdIbgiyyH5Jo9JJcqgS405ftAe0iyQjHpiU4 + 0b9JvGMWPzJxWvi8rzwYcI/cfd2n7ZPchTT7KTgva9xeFbn4g1ZOlEKOWg/ZoBr4 + WhpI1SPS9kW0huGXS1k7Dsu0GzRBmv37AEm2mVtYPYwsK0PYLKfd4XGFQnrL0euF + AgwDC9FRLmchgYQBD/4jbW4xGw3JC4OLE7o+GqOoAFz5c034IHiEdgStYNx1RrFm + m4lstvzqUNL0DFyYdMi74iBtqnnFc+KymCTxiAlKiJThosMbV2sffc7e6CI/z9/Q + 
dsssJwPhv5h8XTbDSeGDk6gEr2kyKV1+9UZky9UYASHii4uzonofnV0RO+PdgTPk + mp36YufsnW2yVuKpsbCdMddEXqyaSYuhsU/bMAG2orlWFqqp7kyaARNrdI9hBnYQ + ITZTM4pPKQ334qhqUd/JYIR4luBbmBxJgTWSe5VqWqshK7u1aHr2mfXUip43+5hA + mxNEp0bmR0SnczKcxiZjZK2ZN+fBTqBnPQAxzCgsBjWrCd4a3CzIDOR/Uf3rEx2W + ccDJWRFI+cSpjLps1BphJvgkFjd31XcplLR41R78h28Mec1bE6xHMi21XUbGrITy + IuOmWAv4EDwRQtnfq+9qJ2DbmA3Ldo5pNPhldH7njET0TZVvB0ugq7EIvKxiNmX1 + kHcq0nV1udSRPr/ta/eHInBD0VbVwNhk/z13xzPGKQVkhpcgy1dJj9FeJnUXqzWt + 7xvHCqeGXVo46YeXYXglxUvEzBtdTGdEC2NTntEGhX6dEC1gl/g1VYcPfJJlk+S4 + RENvBpCa1Ji51ix8L6u18jT2epfbxcZcSFS/0Nv8a0IUktvOeLe6y6jdYJHYPtJc + AQk4Y0lgOBoqiaNtybNCd8c/rO/yQ8m+xIxmiyyghjmPGWzEX8fHrR9fE9TVY0s3 + 8iBJVVDZEwtiLiELlbce0zkdCIH4UiyyEovhP/EEwxF8BrnAXo0NnVzcDGI= + =2NIK + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/milkywell/secrets.yaml b/secrets/milkywell/secrets.yaml deleted file mode 100644 index 1177071..0000000 --- a/secrets/milkywell/secrets.yaml +++ /dev/null 
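Review bot: `jump-key` in the new liliputsteps file has no accompanying comment, unlike the per-host files elsewhere in this diff (moonside, twothreetunnel, winters), which precede each secret with an encrypted `#ENC[...,type:comment]` line saying what the value is for; the new stoicclub file's `tsig-key` has the same gap. Since sops encrypts comments as well, a line such as `# private key matching secrets/keys/ssh/jump.pub; rotate together` above `jump-key`, and one naming the zone and server the TSIG key authenticates to above `tsig-key`, costs nothing and makes later rotation far less error-prone. Whether `jump-key` really is the counterpart of jump.pub cannot be seen from the ciphertext, so that pairing is only my assumption.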
@@ -1,51 +0,0 @@ -#ENC[AES256_GCM,data:VljHjyZqPvnVxhuoEMhGrWA=,iv:nCHj+sdhAOJx37fGFkRzfrK+PsEP+tRELBhnP3bfoIU=,tag:fH5QNt5TeM3K4nXkeIC4wA==,type:comment] -anki-pw: ENC[AES256_GCM,data:TR3roG7I1213Lj8=,iv:bK3WIC8Q4Cm6cccXPFx4K25GRRUq7Le6bEAVdEZdNPA=,tag:LLC/agUxZT0MIKxk+TSevw==,type:str] -#ENC[AES256_GCM,data:EUHyFduvRqc=,iv:RHW3wsx8P1V4hkwnrl456qMgi9uz/1qoSOg5AvqwmhM=,tag:p26hGYMn5fbuNJ7Qr98E0Q==,type:comment] -kanidm-forgejo-client: ENC[AES256_GCM,data:LuOFq+bj9TIbaN6Arz/etcjEO0WnjswJNw==,iv:eqACcjjr7usTl7Dv8HTqH53cHDa0+HV5IYN8Rh5aChg=,tag:upBfWOUOEoZRPgUtlMZE4Q==,type:str] -sops: - age: - - recipient: age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNN3FrdkRTeUVOR2JsRWNT - QTV4bUw1TXN0SVRnNUREQ3VxNzdHN0duS0hRCm1FTGh0a1UxSDlLYnNxRndWNHpP - Um51WDlEZm9SMklXWDhjRFBRRHRkaE0KLS0tIDlkK0xhWXAvcTZjcmt2TUJyVGJ6 - cUUxYkVGN0hVZ3UrNHdmSXBQbVpkNTQK7yfeX133PekxsK/2BXxsx0pxmWBcZkZY - UO4ZHCcZQQKMg22BY/3pPz/Ui+uUfZ7AIdLjQb6WQvUbmgz5Lb0M9w== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-09T13:41:17Z" - mac: ENC[AES256_GCM,data:9SntfZTrKnCMwrQAncIcGO9qPXM4PT+ZWnmk0F6S0Lb2xx5O35/i39P9vYN/QMPMzKc5KmmLCzhictWvBE8mr4+17pfJBH0KgiAqaOm9Vgy8Zg79/xH4fCia8bwYDfKe5uNwvRwknM3u5/eXLNcr6MnkDspDYTusXhw/qTQav54=,iv:P+fHF35oMNP24vadFA/rAYDm6n0ieAMB43ovP+7vJCo=,tag:4gJqIhqRg+3P84aUgRIPbA==,type:str] - pgp: - - created_at: "2024-12-17T11:38:27Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAwDh3VI7VctTAQ/6AvUzw5v7J7zEN+rBs6A0CkOD4U9TG2akgch7eKkdKSB8 - FfVOheGz/R4IvrCx328yonhx1c6oNdaKE/zlQ4TZhzAiuKcPmAjYogi03OeIsPoH - X58lN44KrIIp47UGD0gPSfLDVjCy0M6UoNhXiYaDcvCngoQQT7o8KKPkqNCMK3Qd - yomU6Te4uO9A635z6N/dUeO6vmHK2Xt3ek/AaVdGbhjPzcLRq2t6vfsTT+fP1gLZ - V182+fPQ7aftyH0zuNCXOxrd2VbvCY8cmq/Sqztr7V/k2Wr1V2G2RTwlYo/VIEgL - 35Vpz0YXa/aUk27Ifvy40zscK31YH/N3UssgsCBzUHGl4JsbVntDtUrZmU/3Gi5r - yvz4icX4fXi/k3UyKxRcakfz+L5Lh0x/lI7+rCG/1AuxGawKxGBuBZzA4gsRNV8o - 
va1JzdxMvMDUkCx/kKCcH7Cn4vuDzmvhoLiATqWyMjjNSiBwaDL0Elc3Zydt9Y7B - 4ZKfeYW3wPxXqsqoxfKt9X2g6UYZZXSWoXmgcXhV66uUr66aPp2qqL9p47Mlm1tp - TpxuGYbtPnTCp5XT+AUHzUv4oFzTt0f6cpr82og0mOjOsy6huKZzpEC4O+QV5tX9 - aKbmSplCrcuUrELxqy1xec45N1lIHS0r5+BkIMirIrUwMDEgmkP8lBkVjyTr6ViF - AgwDC9FRLmchgYQBD/9ISXYyr89r9L1LchFKKSbffMn752vbUULJXa5/wY9yl3ad - jh9yLY//4Z317zMs1JjmVubjiwufYZvDEnHmZYdsREXzrpDTjGzdq7bg0pUp85rV - VXzX/1ZpQmYeCu6/DRSSHjGxbxWa5he77WtyKKhDK/uasHe6GFoSJTdi/I+/ps3K - mC0Famrj3QlC1G1RbyTMNUzUJO3+ggVdaDJhUIQUhQ4mYk/7p9VvmYbXUc49zyBY - tmkl5ULEfvwuYaDZumlfCtJwDuFBPVmZvB9c6pT1x+HD/t/+2hwpozQS88Kzvuwx - 6MblAjZiYiA0n4tteKjELjrQbmCrz0K+/euJi5DeIspAkjzJKac8/R6poVcDPuUk - OlpSe2mSJDyXjpK+zS46412eIyG7FtmtXscCFaru5PKU+7PCFWkXY0gErEZEyi9Q - LyrKhgsKAagaNhh87Ar9Sm/NKjhkRvgqk5lHkDp13hl7y7PX9qc5/tJukK0DIJEG - 08KGLjM6+vudjRJA0JljBNeCnlDljwcOLKNbxqVzeNQFLH7PVjOzC2O4QLJTxlE3 - 1QmPnVBewqfz4V5oQs6su52n81QTU+ywFJfhMjCr91+pqpZrh8j2fo7oMhHmR9QN - VYCVE61prZzV5B6rylXvk1aqyy9a1WMahBImqtsJS4xP6avNqXN41fog0B7FA9Jc - AexORDzza/Hp0SeiV4UQZlBpJ34HrONUiSUry9m2UZ4vbFAxBSXZdt6CVpBGHvCR - Dl4GxekAxaiaj2hvNNXJaVMupsMYpOCzyuUBayv0BFouCuaIFkoqOK9tAy0= - =pG8D - -----END PGP MESSAGE----- - fp: 4BE7925262289B476DBBC17B76FD3810215AE097 - unencrypted_suffix: _unencrypted - version: 3.10.2 diff --git a/secrets/moonside/secrets.yaml b/secrets/moonside/secrets.yaml index d365eb7..08480fc 100644 --- a/secrets/moonside/secrets.yaml +++ b/secrets/moonside/secrets.yaml 
@@ -1,5 +1,6 @@
 #ENC[AES256_GCM,data:HCHFN2Q=,iv:Z3tD7Hn5eudPR9DuX6etamkpNnYB/NRYGppWdyuUDuM=,tag:tbuWEFDmh4HAyksOZOihLw==,type:comment]
-acme-dns-token: ENC[AES256_GCM,data:lW/XJCHwApvIofSZHL5h7AUPISjARfmDnpSnprDBHQYzj0u5ZlZS5A==,iv:/y3gjgC9AEU3r+l8Uq6P7DAU2C8i+qTQ9DP4t0g8ZhE=,tag:v24WRudw8NB84b3XBFupHQ==,type:str]
+#ENC[AES256_GCM,data:cEw0zCAIF5242UDWZeHCxNHVWQ18mnmaRyjd62orx2P+uq9fiaoDP39ez1Y+wGh1d+FyyYUlh2l4,iv:TfK44vaoHmvShckrn7ztRvWnEUftaMVNNf8O+c70sS0=,tag:/fDK7VrkBLrcWfbBe/A4wA==,type:comment]
+acme-dns-token: ENC[AES256_GCM,data:qajr+/1OpVno7yyt1z7cXuSFqjZ4aUW41RP6ww1ZxJ0FhZQxhF8OTA==,iv:8QxdzLc7T803XB0E7ZeVmSLnkUQICZP0Jk1zpoWjdqA=,tag:xERubWmq/vxwFk5V59o69w==,type:str]
 #ENC[AES256_GCM,data:XdLlonkGBN0b,iv:wimLW/7+a4MJCVg4zazY0ogakxXjdyPNZmZt0CzpXao=,tag:rg7FEi1qaYMkCXX+dwjFLA==,type:comment]
 wireguard-private-key: ENC[AES256_GCM,data:aBQSwDyASfVPhU+5/yT9P99DCEfgt4SvhVq/aLe+AUcXwSqMiI2DkM5THO4=,iv:iAW/OUihMXHoQpX8pX+f/mz2nclj+n/ygwYxx7PVxnQ=,tag:zhlxjoIkfa237RoFNblszw==,type:str]
 wireguard-home-preshared-key: ENC[AES256_GCM,data:yr4vO9Bn+3PJheJHbeNRHu0ozCkgxCGuKBJnb/3zzHVQAsI7GonXXQxFjBM=,iv:1r9QgfdLkXCtrRS+/2+f251FjHiAm9nf/Zfzu+CYuws=,tag:kWiXCTfj4Rrzhx+SpSp/dg==,type:str]
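Review bot: `acme-dns-token` is rotated here on moonside, rotated again on winters (its `@@ -7,7 +7,7 @@` hunk further down) and introduced on the new twothreetunnel host, which suggests one DNS-provider token is being handed to three machines; the ciphertext does not show whether the values are identical, so treat this as a question rather than a finding. If they are the same token, a compromise of any one host exposes a DNS write credential that for most providers covers the whole zone, and with it the ability to obtain certificates for every name in that zone, so per-host tokens restricted to that host's `_acme-challenge` record are preferable wherever the provider offers scoping. Replacing the value in the repository also does not invalidate the previous token; a line in the commit description confirming the old token was revoked at the provider would close that loop.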
@@ -29,8 +30,8 @@ sops:
 bURRem1aY203VW0ya0tZWUY3WTJLQ3MKonflaevgNP91G1cVgzoE6/K800kyG6BK
 Goe81HCYFfm86pzv5wV3/38j7fTZNeZnKwPFkMgEUueF1kA8J9V5CA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-11-27T14:38:31Z"
- mac: ENC[AES256_GCM,data:PgNvIZeLRnGo6XYuzYsWhc/5pyKUpNQyXBwlgHk0F734lDlsX0ZPinekq35uDEn8NceWnh7Qi8ATZI/oFMsZn8EcB3SnMj8vzRH20Gm5bpESP2nu5Wxki/m0Eq+6afHFTc0k7dPnbvyQcL0MbUiA+nrembqHWRWo8lmrATWZrSc=,iv:Suf3RdzzeXTVebR4cSvhFCO2kWJV+ZECHy+REMa3KAs=,tag:2LSxZDge/aRMzzMcqWULOg==,type:str]
+ lastmodified: "2025-11-28T17:44:47Z"
+ mac: ENC[AES256_GCM,data:h3skmRhVfBa/W6GB35O3sHdDLmo/4VQ3rgFbltdweDP+9qbQv+6tduRGknGiQjnyuaGGVyPlEOqfLKzYjP8Jsx+XnprblNfD75yiGckBFQaBKhd8l+hfcYVRNTrKCWkFUrYXIfCWgbrXNmq47SHn0+TBedXRw+9LoSyqsRdIJOk=,iv:Js2C7XfOD4d5fF+Otn7xJxBw0Nfh1cB7oLjyCrUA9es=,tag:4flxdWSlXyslNErlEFM2VA==,type:str]
 pgp:
 - created_at: "2025-06-13T21:18:31Z"
 enc: |-
diff --git a/secrets/repo/globals.nix.enc b/secrets/repo/globals.nix.enc
index a1d18bb..b9e9770 100644
--- a/secrets/repo/globals.nix.enc
+++ b/secrets/repo/globals.nix.enc
@@ -1,5 +1,5 @@
 {
- "data": "ENC[AES256_GCM,data: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,iv:N3Bs1Arc+0g9tCd66OMsrPyeB2be+76EFYBPPSchIpE=,tag:h5zh01CkvZj3ikWWwbJXEQ==,type:str]",
+ "data": "ENC[AES256_GCM,data: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,iv:Xbgn+Nv6py85+Sl72aYxyDgfPEGsWK4+YqiYTQ/5pw8=,tag:CInhg7J3Au9HcgIWkisiOg==,type:str]",
 "sops": {
 "age": [
 {
@@ -39,8 +39,8 @@
 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHblFPenlYNDA2WnlVdFBm\nait3bEpqR2ZUUjlOM0tMT1Q4UEpFSXpNUGxFCmtvQjVyc3RUT2pMKzdBbHNwaFUz\nelFFRVZFVzdSekY3c2M3RmJvcDR1N28KLS0tIFZBazRsTW41N0tHdXJWZnpwUUJB\nNk1iMkxZOFFDY2JtVnM4WU5KUVVEVmsKHb8PCo8cTyipymup/F8Oue5DiP+uPznd\nXbD74jiB732WPPNOrXh+wU74Uj7EpYoazvTcs4tHu30cCpbCz6cqCw==\n-----END AGE ENCRYPTED FILE-----\n"
 }
 ],
- "lastmodified": "2025-11-24T23:32:32Z",
- "mac": "ENC[AES256_GCM,data:OAAUaCDJF3BOex3Mwl3CViPvrvkyYosgiC+hj1yvVDstRxM1hdpztl4GXA68jEykH3cw7tvSAom5ldeIr0FvZfwQ0WZXoYad6zPcQVvrdmuqev3B1TVnclvYTDKnt4UaJJleM9rYXmWYUgZSkKOr8Fgntx/YITl07kvJ8fCeIqc=,iv:a9utBRpGmwlhneyZEKWDytM8sD1z31fHQ942MTXzZ+8=,tag:n4sp39nXsmYlOXl4y37b9Q==,type:str]",
+ "lastmodified": "2025-12-01T12:37:59Z",
+ "mac": "ENC[AES256_GCM,data:F9Ma+RYXq2sAYc+uPn2u/A6hxbhybc0wDDVVspFJNIYBu1aUi34xKjxPaPQ+H5hWJEa4V3FtUugCJnMSv63gbA9sKPdxHI/AXIUAK3f7b4aPXEs4RTAQaxuvlAz98wi8cU59BDmdzRpYxfN0+FsIeIxjT7lcDS1JIcFo3M2o6+U=,iv:qWMGQYH+DERoSiMTJ5i/eviFD0diTujCjHGK+c+U0y4=,tag:hvrPpfhzdD/g/JXLwKRrtg==,type:str]",
 "pgp": [
 {
 "created_at": "2025-11-23T20:29:01Z",
diff --git a/secrets/repo/pii.nix.enc b/secrets/repo/pii.nix.enc
index 2b632c9..6e6edd2 100644
--- a/secrets/repo/pii.nix.enc
+++ b/secrets/repo/pii.nix.enc
@@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:64kCBNazJSPYmdAr3f0t5VqXu7IeYXKOimQfXI+PGTdKq+GRfzXtm4c7Dn1ZS/qU+1fS6XvzrX5RMLwd5JEFFi8+UAvyfHQaggZ8hIAxbn90rfvYrdPwdzpBaX2DGvGRxtvA+7d44a2/QKkenwPvryfL+lkLmJ7s5bU8KGcSZtIqVO5AgQ8LvY4GN4GWJzVSdaksTnimywEyrzecNPByqMWxjVWJaxmfW1cc8sBeoXvxrg6rvAvqvVNNtMng2+O3rkIxC8w2EKf3WKVgjds8hSdML6yvShkVgI6rJAJq28dX6IG1Ju3orw4Ky+jc1qNWiPR+iKxvNzX9MmiUZR941I2znlfi9F5Z8fLzZO1oyiiJbTzqkOpVfP5UcIG7dk+JfHnW1JMg4BUmWX2i+KdwLUY/6X81CNedHpTgYnKsv8Ds9juAlgHvwGVF1Y0CoX6vhhKk0MPc2mKBdnz2VdXEdS9XMbkakLrF7CjsBSpuX9jJNJhRJ1lPKom0iezhyzUPNYwHmdulcGyI1Znu9XQZeQnMOXWa13PsQhae5Nx2lbIjaLtlabXPDIJNQGsUXkUGrumeh9OscAjuqvd2ld9AdRdXm/Irz/SifnkrFLiEefAlrhwUnViJOQ6trGDv3VD/1Py4PS2Ilq8Gevr6RPliVFatIMBLKnMUzviqO58cqoZw0hF4bRWUk8zX7ATCYx9l+SW7qCxvK9dIGzzS0IkXbiYYv1yaCYV/9FTiJJnKHiLQeOUmhiZgil7AW5A31klYesWAGNCMTKPkLQXqLCcQnwwEnM+wc7ud5+PbJZXr/Uy/0dzkcbcS4Q7NfIfn4N5MuOcV+FFKGS/brvrHSXfR+/tfFZrAe55px5OpxvO4Kt9PF4B/j49QmW7GxoAh2PpxkGaMfqAL91fJskrxx0YUa++ogxiI5XraUYbKPX5PJUjyHabC06P/mcwnw0mprdtJadhkVN3/9Xz67J4dpcLFFV3KF8JTimpnKgZVv3G7vmEuvitnUVERL7nG6mMFDOv2LkYrs6Rghg8tQHGTBybbIleOcdLeYk0kGtBuDNzjW4PN44syftMrBk17ALVRoeqVJxdvucLmRvhbpW70Whg9raJUwnuLj95cAGt2gH5lPLf6inX+iCxOxIojrUzH410hzqOLcLmTx/vZ5bxzWot/9WzyFlb4onk25lceJtDHF6LkoVx10rDaa3I0WPs95sCCN88ZfuDwMqaSm8ZeW/dZGgDsar45MBFWqJNSwxg25k19ifSFmUCxfbxd7nJfI8REXs8AOzsq12c8Ll9Z1UmoILla5QwRBnVGONqbl08AET99JPIoLUgmp8IbxRWhpzxpASH60zfzlZbbf79qGbP8B0EyCMdTzR2G98fxTyuIgHeCSA7sEiXuZtyZ/5yCGwPcAmy4sKZn55NdvANAWeyqYpXflMOqDtgyyyt0cHp8r6vwClB6T4nt6gvqmcx0fDh36yRyQmfpL/j5uIOSITq32OUw9C5FH+3uJi18QZPN7t6sdjI/OuoynFoXDTpjjRTzBQgItsaXPM1QdmkxMC68yvs/rMqNkdKZSzjVXKmM82QqtwObyiL41sJBj1Sqea29DMscSlKvdjJpHyDk5avO+ZBM6LdzU7sbr+E7DUOSKN0JPtrPnCfZV/OJjpNzsZjAeXXr4pMciRU0qHoKIpdvyA66gFTEvfZ1kenuOJ0jDuHR5+DqNUgVM/gvexRxpCMKESURomnJQCILjcHyAjpgQtuhLPyQQ2CUW/1b1JhULDIZBdjaTr8cIFyEtmOvnGMwCqo7glpmjmsy2tVqClqs7YK5wt5HjkWxUHl3xMwOxC2pFeZm+Qg7Cvh2nU7wP2hSQKCYl7HvxS6LlOQaA4ds0Nft1Iv0Af76d2C37pQUfCk02CheXub6glCDwnEwpgjMMRovuz3e+EJB5b9QZwBKY3tkiSs5vpc
Qa+PKrdEiSoUAagqEqeU4bakIkruLvQlfyV37qIw1GWf4btJP/i1zRNhKlBrK4ycd6Jxxcs141iyorrt1cH4wVDmLD9RZsJBJXXoq3bK5TDkqTSTBNtBSoMAB+Z4OPrd85NPlhbrIjN5rx7F2boP99j47rRS2Ja1bUHVoWoxqmG2I2ksEmgBGdwyQPNJXP2/uF9fGytQLT/J9wdkqt12Gse7Brrd//sFzk4tffkSdWrgwwRhTmxbR6MbDRWi3wT/6zvwQ2n5RQfmzA2aOyCBVMOvdymINc+DWT3F6tnqLkyv7hW5DZmf5OGnj3dOpdrt3no+TRrbF1O/tJ3fAOwrflJ17QOpBAVVSPIIU5CJ4hSUXszHhKwBUE3UXz+QRvN0n/ZfoQ0EwttpIF3fPV1Ob8PPQ6i6RJdIhFwYXSm0UwdUuW8Kb24LuLgSFJk5n7woX/5fquT2cV/4hTkSzV8vYotGic2sQzm+yyBR/VVVyO5r6Md1ippOg1kXeg5Yf3uBq5CCuXr0JeOEXDlcKPVGpTMAhvso2p10ylfhKvFdJRbVweUK3k5UADsMYqiAInThJZg1gxvVXWp6P6Oi/hwXCJvV0Zmu48A0T8q+AQ0FegwqoucbjatxUZVIJOtU35gFxiFxNvoVGslbzhDlZ7dmdv8Bsp3RR1CuNxKcTwXCb4q8JgEK3f2YlqnWSUmBNngYysx60AqYJ7+m+CKdaQyWsf0sMb+dkWgQ8ZZt/flyUT8AIMU/c6tcLRjpN9HgM+NXl8DfQnqXLOyJcVm56Ie5W4z8FLCnG9qPXanUQPuVD/LxRvUXlFPCnCCy91rhwSKP9uQAWi5NNuHq828EcKVZsJcqg5Cj5fAOdGJADQUnGyKM9Xdj91xnRXpnnUlbPG9kl72g/39epRfLonyhekCIgxeDWHPfLvS3YtXVnjtJ+CydcQ8/EpoYh9b22hcmgVXz1i7ufI9iwskb0VEtSxXE0cTpOL5e0XYkyMo1ZS51MSZamyrtkbsFXGYhWJEq1/yIdVQgTIHDU3SXmamoGWHZr4FJ29ErYk2BofzeLctmX3sATTyaYE3brA9X7q8LP3rYqf7bH+TzURE2SQmDysMCXs4dboww7RxjV5FjdeswLgkV0Sq2xaqxnUR4WzzvWeE+Yimz9ub1/T/oO6d2C1Qu5sEuVawrdeG94rleErp065EbiBcR6PK9/EZ4Ipls5qZ33GZ5NpL14J7ZWlLM91EPVtSsO+qDgh31pU9ZHGEwzmyYfLCh1ohA5yRyYJlNRUBbQg6vcbCj4R8Z1ufa1T7BdXm0onC85uQ4kRbRCfmY28uFPNXbVO9IOkajuiqwypl2Yp1DX7IjMCEwXsNlZtu+WSxSOsnciYSKRvKsgpXwx6C6dLiDIFx5fNCaWMeYIv95XoKYeH0ROB25JkKIA7RcwkyGegRkxQpVRk4UOLUm0MVuJtpDDzqG39BnereuNT8pmQelYWJTnVMUhx8Y2gtTjzp/EaRSyRuPddxsSvjT5gafuW47VaAKR+/iL1zLE6F+GcQS3J4rt22Kz6Y5M7cHXx0pqb3e6tRentbSjmTeVQDoqDIm7xbdxWJkMhM5Jlut1gqZHR3yAhr2+Jl8ouo9SA9Yu1A2VzyMBMOtG8fBDifvJY72RbhiZIwA2XMpBcHb8ll8gHgmiIS/lBAia4CsU6m+CVFdTntLQiD6xymqEAPGvVpQBiHqsivwKrqQTY2b7TVVgO4WUMRvJtvcyg5HOGwMS5tjkOw13ICEpUh+7pC54tGD/k/z1MeveJvv+EH5Ov59BtHXme3PCs8M4wHKbZOw/G344jI6ClkYt18u17dogo9FK9s2zlA6GVLhK/2R2w46bY1SN2xZ8vBATnJaeBXT66Ta3S21CqaiZ4VmweZ7TsVI/5nH7+d1NMOSnOHEojkg/vObtg4q5WNW2XeSY+ymOAWDH9tEz2wcKnAlWrLLITO0wVQiJkQqskLzqNvkrTrKEZplbxwd2+R+
fiP8PivLXIV9ibThIvr0p2UhrCpSJ703nksYdzcYOt5+JAYYC0+2f3CGc1hd9fZ2Qlfc/1JgVrOHBhoixaJgYWqPQU6gAXWlPMnXepDrR0YXL/4yIi8VDNRCFmdOxFlG94kF4Ha6Q6NQGhONUajkT+JoYGFVHLnt+ZPOzcnLyCrNh/BCEEDr1vYfA625tUsTrol+7qP8UWH87qzRh6EdPwkaNOKSuMSIEyWV8hgZuephvfFdYSYf9VE9pkzQAtgFXvqwmI+6VW2vQ8XX0mGYuTk1DW8SFGYIcKmEUzAW6+mBk7F4uzD5Ziv0kmlYJbR5RifQpqgGDAN7LtmAr9ePcdzgErKxzNYwh9l28PRFyAZlNtQKXfom2XpmokyHFE/dLfMuab8/J12MOF2f4iECqyQSLBugNQCQFbDsmi4znRlP+YKvop7bI04VGe9Hd2bUYhb75xo8LMaU2bwuetW44NKjQa0lb/RK/oKHGVumcJhZsz2MbPNYCxoJ5E3W6IqtAY4QisGAh5YU0NEsgN6DTjFDMc8GxvbkD/H+HsONBfvErWvMQjOAa8I6/33bNJmlwDyw4JZkGjO0HAO9ng+lDIGZ0nAvFsgavVNRZJApXMnOKDFMHA2JeFPZCLl088C6MvG4t7b+4fJqlezbjavs/V7yXZ8h7fzWRr9ZFk2mBe7LwLCk/TVOPdNHD+DTjV+tMZPcL8ElhLPGHe29py8/TlS7KEJ7AsZ1VIbul+ljMJsuSFqjEwiIjJtaVi0AwSS64Afsj6NvxJhkgyNQC170gMCJx9xp/YEJpxw8w2skfnHaBc2XstSGDDkWTk1cgxIYtUR2aU1jxHraf+n9Y6HOz+QPYzezEMrBYscRK1OTjPlJ2+YDxicDcyiYBMtmREA+fJftwyffw2SjRWUinkM6Ax6QVCP3mbNRsrJivlhBrde2iLC7qyiJhjcz4o7oYz14AOIzJx8fDq1IxN2V5UMbBKwQQOarCqZwKW1k9kqVQ4orTqK6FHh7T1Qtiyy9p++cDv531y519l4nZZjL+OiCWASukIvN4du+VLNqiGMReh5ll218qwS6ldDV9dcYyTxL8TLNlNn43sF5HEP63tGEU4cQ35D7Ku/K62xp2dWWfvQay2F138jDjPem874iEd+bqKgxyOck24k/XRU8IsAUe7I1WkrJj7QtgLiQwohKedago3UOv3AZSgXCoeavSTngt+O95CUztCi2iH1mcHU+TIfqwP4v2GO2GbE5FWN5hE6Eqhf1FXZyvpE4qhVJ3wDg1vr9IQNsW+w/WQsQdRaP9hI31OS5YeIqTmqj57X7kkK6pa9vw0PJpcLOrdhETUdlThjMknlxxshXhKB1loBZa5YIQ0CAvgyFUFJMH7Ebe+NKKcmEReEs+kMqaf38cFJKuIDSrBvBkJvWqTAsOD38JiFJ8mT3OcKpHnOzCa18oulfe1jrXNnzXl9o7LnRQ3u0Cpyuo/07Z8+CM06aH2CMfUG7CG4E/xllKsvMfp/yf193j/gokYG8tfM3Tsxx167NgDYxuQ4T3m/eHDS9YjmvFzNOwQYTLV+uEYn4LniNYVtj3Z0tCSZcamA/UdayU3Xp3dE3qmjYCkIM9IynO+5m+d9iQhjNvG5L2oe7DXUoGfLFkDWb2TS9fBbpDekHSgXsWuEEgL7bYpcfZZmF18SNsT62JG//OJnWGrcRyPym4L7391jIrQuDsi7Uj5Mt1wSwEet9m/05b0kzro7EqegBsGJ50/3a5ou2ngJY0FDc6+ThgCTyjNNwfqt+Gv54KdpVgdRkEgWB0Q9VUPFxSmhV/u1EEveTHAX8Cwu0LvZrSFT5nT5D/r75+aqyAM7dmNJIrR4jiLa8h3eht+L0ROKXRny1uWz/ABKIHWPITM+UlxFF+ImRlDZpTzCZwXGzlSn53SP7k/clbLFJGdfJoQ04uV/NNA7Gs1IC4RFbXUAuAiLdMIVlbPfiBtJGw4MUkQ6qImrFjg4Gruch/1rT
iHbCaVzc6yjQoRLAt3fVT93FbgcdSBIwqOH96PBI9GFKM2QF0T7/gt16zcjRrYtcspfGl2odzhql/lUrR0NysVSat5G2WBjPr2zLj/qZ2iVzTPf7rXUOaEoVMaNcrKKFhiplHTkuNV0xzrlN+xtBYy4mi1+GHw/rtqdeDnQS59y99T0ujhUFRMt7hR6Exv1vSw0PcrtOHWXRzPlpc7vKGjhvJi0NQxJi5L+iON1hFeozamvCoE4gCQsI3soCojavVRd8ywdx08ZCAHcpJkh1RVEuCGNng50IKOr48IP9jbaCO87RZTGjFUXVk3c7fn7nDIlCoKDM8O5apYYAbN0ueZF/n8qn8VJhC7fziUGkZye7oy6zGUMwSVPCYehsu/VE=,iv:kscgLxpTxzGmXqsLpjVzCQC/G7BAHVGskJwIW5bBbPI=,tag:CG29z/rzs9vhcWfzy6ZHkQ==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:cyjC5VQUr4RK2YwZMysK70viAI41VheecfIkCOAFHm0=,tag:N6GPAKgBXYdLddHPv5mtrQ==,type:str]", "sops": { "age": [ { @@ -39,8 +39,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEdC8yODJqc2dBZzFodlJw\ndEJUejNMbVZXZm1uQ0FHeFhKd0craG14N2o4CnlvVkp6eFVLcDlnYStHaVRoajlm\nb05yZXA2aGpNaXROY2paYmpqM0dCencKLS0tIEVhMDR3d0Fla1RKY3l5cXZsNEFP\nZk9vdGl4eGxhcnBxVE91Z3ZoZ3Zzd1UKavS6iLiXL5acrtOc34OT2V/Ol6lWLtCo\nZglO7H8Agh58FRhyQUvDu+bHXTGnxWIhOnyAjJYwP3XUk0p/3E4PPA==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-27T02:14:40Z", - "mac": "ENC[AES256_GCM,data:8APHtkscFHpzAzbvcjtsa6LpYPtTzH0nKDA59DDEZLxLT+IEDUSm+DD+HSF4GX4l7uawPCUGMMMZ9K++uvogi6ctfETFFwTN15a2P68r1DPU19tnrq3Oq4//08rSh0t6KXQXuwTeVda85WTQjd28eqNIcsMj7rtPIa7NzgS67Fs=,iv:JrKP9cU/hjWeN0f8EkNHQOq88GHRgmlmyxAQWc0IhP0=,tag:7MNCxxxCjpgOOhNkjK/qAw==,type:str]", + "lastmodified": "2025-12-01T23:39:07Z", + "mac": "ENC[AES256_GCM,data:WEVxtO3Y7YI/COpOvvadujDYV66MtcKKujiE9P5mrDqqdjG8p2fLwhSNJHVJUwPyV8xAIIxCTqIA3bKmVKJ7vRCn2GQo5tRsWljNVU6g44LcXcX5wSeIgExyvUNjBppLbWsjstvfuJatAZwqDBN7eP/Ntu0R7p3wlr4IddDe/t0=,iv:es5N9A7ypxtNB9wPYT9uumwpLZg7wT/gesO5Q6njtxA=,tag:kgxsF5ZiYvM0wHDq6C19PA==,type:str]", "pgp": [ { "created_at": "2025-11-23T20:29:17Z", diff --git a/secrets/stoicclub/secrets.yaml b/secrets/stoicclub/secrets.yaml new file mode 100644 index 0000000..0f27848 --- /dev/null +++ b/secrets/stoicclub/secrets.yaml 
@@ -0,0 +1,48 @@ +tsig-key: ENC[AES256_GCM,data:E6fpwErUUmyLbtSyCItzLxvrUfq2UPV//5u1VxnMMn5+TWj/PMuwjvmClEQ=,iv:KJrXIgWMMcs7riIPotAK+Qtj94o/sGKrgi7sOxVs1rU=,tag:YAyz9tEf4vC2LnJV56DMpw==,type:str] +sops: + age: + - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMREU0eVFEbnRaVEJlRG5L + QjhVQ2F2WHZFaXJOM2hsOTBPMTQ2ditVMXpVClA5bndRc1YzV29NUEorSFNDNUxE + eEFwMnJoMHhMbDJtY0J2UnNIME1DRVEKLS0tIHN1dVNLWGRvbTRsWE1rT3c5aS96 + VXBRUEc0eDlQOXg5YlNJSmhDL0ZiUW8KvzVC0PMvMRjBaAS9WhpYvsWc34coUupY + aoF/zkgPmPWj6SY1vURpgUHC5FHolHL3DYQS/SQxdOXSrXIDxlIJyQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-11-28T15:48:32Z" + mac: ENC[AES256_GCM,data:Rd9MTRKzK4AaqzPBsxztoY10pECecWjHZlQAtbQdzzdLVe2TL8hIjH8TlJ8Pju9nmS5gvb/gB2CoaQZcxJsOvYsEYVg27+B2/ITGHslkbK7ngVd8ARNYITbx/eGp9D6VIYIzPBqcz1TkNvtPIuBLZzjCnxrvhA4gX93ZEEAUknM=,iv:Lrhi7Zj2IqC1ApsRT0IwmhJHaHf3dopvi7/4etVOBuQ=,tag:fSTaLrVhJd9A87PsPV+z1A==,type:str] + pgp: + - created_at: "2025-11-28T00:26:23Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAAhPx3hRyNLnIXwbGsjD6lAwhdqhe1yfJikB3+kWa+vaKC + /WOu22h0HB8cQwzeU6+LKeieuy70fEMcE2EHh8HjTuAIoi6kCDFjXA37pEtyIKaJ + 9uAc7EBNPOcv2TzFEnHjJXlMIRX1M4RegiZpOiZbkVkJeC7lJSe1mQhvHEqw3wmT + 7ye3ohDvHB7y2W040AD5wymntNOO3BSxQJEVPaKo7sLmbkUSPXRCBj7H715dHyFe + jf6nWbAElfUVM9oSK/TiYZwVcZv4/LbexAivRrlkFmnPpQMTrTeafS8r0sUtOoDn + 8YKuBu0JQMVFJpLA0hUrH/MIkEalbgv3DWsC5DoEEni5oQY3vC/bd0nM7P0hETop + wGFoBHM/kvGK8AnhcRmWy1fj15/TNrzF4uXn1Xr2tOLFrlLTor3JKCqIYTBWUIAl + Ve98SrZcvEdZKRqQiRyAXueJ1S4R60pCtTp6AtKxc7RyJuw6YM3VD3jcKBeIWf2l + UZr8yKfu24Rhy1WAe8+HT/LBzkB6/RKacBtJZVd0Ffnp8Cjaid3BJN3OQTLSSRCc + /t037ctWN/nSC8M/P6F/ZbSN4xEHRxT75c/qGpSBaMJgtwlD0wNIBCS9McuYD8p6 + e74KFlmm4901fytpHJvrdeQl6IAJCPV80540z3N78cdSxfTOF4Qj4/Dr4Flcp4CF + AgwDC9FRLmchgYQBD/4vX3zwM6MDpwW7+zeKrAgXYsHjIj2TYz8EIJ+bIH5/sUPn + F+o8kZyVjAc/c4AnKcCyWz1aYR47p9iHnk7Tf3mh8+MzZ4LCkuZjKmYjlfExd3RI + 
J0upRtTak4M/k2nxfVnosYwwFJhUnJpBlIt9DIU1AcDshAHnAOOeysIsfV7ahNQB + iYMvk196d+2HGdIPFPIG5tgJOFqamY3TtHrPmFx5SSj1ep4V2IMPqDudZDoyMscn + /8dYZCgnSFBDTFY/X8ngftxaXsdyRE/0QJFjG+c2M6G5gkccfpxkNU0toAwz3m9p + hS3s2YYkrMem/VdkqEvGW3cHnmM3ZHAttrfO49z91nmRaWDMm2ocl4CNoAsiEmc9 + /pQN9spgQGonDLM/yMpiuHEZNT8Pv+1YDS7kN2FlHuodsTazAi2ZoMDOrvHQhXkG + 9mS8fgVIJncthfxwbswjz77OZo/zyF41WgYzet9Lr8g7RDegmA+nPeFIJ+EVDKXH + o+KMJVbRrCiGnSvcVtBXQtvhcuJLe/LWvXbnsAo18+HPqA1PyaJtuMgc3dihuddV + KXGtDIpiy7UFw5o2w7Plqs2T+N0wQI2MTEkKS/TdWVO5zTMoI1uPE+b5H7z56Cnj + Xa65aUphUxxLMN9rbVXBSfhTyZCFM+nj7fY9pFmoUgfhKSZ83j3w5XlVL6bz9tJR + AUc8r4d6z59EE5vsIuImiM7/jsSudYewau2wnMuli3FmYISiR6kU+bRBmm0nF6Q/ + Kqt5nLxrcGKz2ivRxU6Hxc9D4gRaekoTkeP5J0Cr0IYt + =D/qK + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/twothreetunnel/secrets.yaml b/secrets/twothreetunnel/secrets.yaml new file mode 100644 index 0000000..c232a83 --- /dev/null +++ b/secrets/twothreetunnel/secrets.yaml 
@@ -0,0 +1,56 @@ +#ENC[AES256_GCM,data:Zj552Ho=,iv:uOiDvsLPsT3D6A1SLgDl8jbAyz5bK8s1h7mIc6WT10k=,tag:rTD510uyO65F/qcD/UTUpw==,type:comment] +#ENC[AES256_GCM,data:a8v9FPS8GcZOyREs74GhUpnAZlYF9Q9lRU3ZdsYERajtDiGncywKPLE61PlnH8o/h+QkkWjpsjy+,iv:Ck+7CaYym5fT4uy44b8yLw+b1FDvvjxrxql3ed+B2as=,tag:sb7vA0tVe1G+TDcJLhQ66g==,type:comment] +acme-dns-token: ENC[AES256_GCM,data:9AvuFB/nYm2H6JK+pKY0wD658dHGZyV9w8B/+PeTKb5PkFJGlqdz0A==,iv:DeH3sRv9hCzhy38jnXVeGlAbUeXWOwf2avdINWuhJb8=,tag:jXjmtG+uoTonlXSSKLkY3g==,type:str] +#ENC[AES256_GCM,data:/+idD/eetpnX,iv:NNXMyIt6uUfT3JVU9g39xjUL71cw5UVmESKVIf54tqc=,tag:pz+D3tUk0gWTfAirJGhlkw==,type:comment] +wireguard-private-key: ENC[AES256_GCM,data:7cSHZL3c1P2oPPOX+HLFCDSg9gcWmdHY8LLb8kBVaRMsvRCk7gx/b2H6+Xg=,iv:YNKe76UGywvChY46X52nunFFHj3c4qJJVQRcU7bkRY0=,tag:uR4UZbtXSm6ywlVOZ4wQIg==,type:str] +wireguard-home-preshared-key: ENC[AES256_GCM,data:YeTvFuNDs7Yb9pvzcb/tHyYeQrVJGpvKzr0l1F+4ch6F1rTpk5ad37bi9kc=,iv:bI+KSgSwbanPjKi0zV38zhXamCo6Lnu9z0PhvA1n82U=,tag:4m7rJ5K0RSkU/dGm1bRInA==,type:str] +#ENC[AES256_GCM,data:IpoTYZX4KGjPA+hZ,iv:Hd1V9//M1f/10HQ7ZEEA9ZtuO8EBtY1kn3n28krYxpg=,tag:We6WirbRgSH1qOjC4g7spg==,type:comment] +oauth2-cookie-secret: ENC[AES256_GCM,data:ZN44Kdai0hUgx0GduynlyMHDnZpdnp1SPAGEaNaNFHGMhM9Q5HPzotiNXQM=,iv:vsYhWriY5G4KLiJ12MLm26B7aBzCL5GAr+S15klH4Bc=,tag:t+MsS0Wgo5papvoeK1nk+g==,type:str] +kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:a90dn//LD6tvDYGSNT2neorQRfo0puo7GA==,iv:a/R6xlwGdrwJNc7qBoo0Zmlh7GkZ1+uU+RzOxRE+okc=,tag:3WpAVThFLXZFsCIl5xM0IQ==,type:str] +sops: + age: + - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcDZzcEJTNE94amhZSEZk + Wlhkc0dXY0d5Y2Myd21YYURORlRnMDRlYTBzCkZ1UEhzSzdTZjJENzAvOHJBVFRH + MDBMb3VmTGhnUXhRRnpYS3p5NE5HYnMKLS0tIHpROEhpeDZQYUNJMkExTDBsNUh3 + NmVFamgzKzRlV2oxS0x0UCsrc240eEEKByZ5WYf+QO8T43VLfO2ym4x7TQltS1nS + ckgZLorWZBWQg2vAwQktxQ0WTcjhM6tktZ7zgCIzKBLbQXtSt7VG9Q== + -----END 
AGE ENCRYPTED FILE----- + lastmodified: "2025-12-01T22:42:29Z" + mac: ENC[AES256_GCM,data:CTOMF/JUbJjKrO/WCaNqCgNVv/XuBGu5nD7ssRplhg7Fmfpqyg6+qQylZcVO4XXQPvpXsA7VfnACe0irflx2Rh/5eULLfaL6eSVnr15CmwTxxnJatMtvnn1V6tGDX7Fs2s3xdEM0G7Zu022A7WWgibiiVzv/tH09znKuxpNIdio=,iv:iYgbJLaOM3JZK1BGV8fVsq5wrh+7hpQwUdXBbsTQEj8=,tag:cPQdmBkZ+DAlQ3xAQts6BA==,type:str] + pgp: + - created_at: "2025-12-01T23:06:35Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/+O2d2BMDS3DVPfUHLD69K6VsdewczQkPoskMrS5JeQn0R + gDhR318J311UMClomIIrgDlbleoKS9tdC1rM3DoCaGFq4MyydK4MLy0+6wme1n3a + ZyOsQ1jSpdgkWUfbalbxL9/cWtQBwfahXve39L+ocqb34KT8jeLcRNZWORWAst7X + a6fHFp4gZrTnOjn26TJc7dJxYGWQIWk3WBYpzC8kpqkMaIemIy0FHaObNYy3DvM0 + Z++AYqmwEYiz+tG1bVRUZ1ck/z8kR+Zv1Wg0uVM5Jmg6rArrz75xSS297euPZhO3 + bQwEdJ2rcrdaz5LHC6zgsDrVz5LsfoTxilOwIgsqSGqOBIGAN6XttZXjjul6MVyE + XBlHqqrCVlLl+OCumWC0U6vr/bcGV6CaMJPE80Rh//wThtvyKVFRQey8EmJH7IGx + vHtfOaOScJc0sCCyXOx4HBeeGAYq0ogSRTlgK6Z+kXx/MkYRHiw6Vdrw0anmFF08 + 7lYB4SPafnEB4m2IPz1390ZSDXWGT5QmrhpnajuILIIcWwe0mNPfDbLQWF6CZALB + UJs0XvM/gfXhnqVnkayTXc9IrIHkLoKwyMh1g+st+d0fAYaUD2Wd9BI+zi22m4iR + J7Mw0bMBciO4MRIZEEFsCvuv4UzFjQ4mO9ib6LXI7y51sIJuYPkq3lllkntFdCuF + AgwDC9FRLmchgYQBD/9F+tb1K7aKNq73pk2YTmzH+WR2Dr3+MxNgnQlnIJMxdoTi + QE3C9U9UaO5ngdHbnG3ruBQKjGhLI8meFMTJatPwuOFcHPN+I3lEO+PkHGH0VkGQ + A1xkeFizc5l0tfTD9JpatOwaKKr1b4cERZP5hSTZ3MJsRJsykySKmLLpfmC1pZ7L + OWLdJ740YEPXXw76seRgZ66tKou1lADRBXAfHxmlj7yrt/MB2xg0FfPw6/i1HTlV + kwyobNlNO6whpgHjX16Qfcuj5YMRSDmyb+Ol5dheiA+DvoowhkijCGv04Mye10RI + bvjcmhVA+2lNP3tzF2duyIQi4nPDhQLcBs8djH8flKWDZOuz9Jt1QDTb4h6iJzfK + RkfU9j7/GjDiiksOdC0/yYgn90dGdPBI/iR890Uyuav/nwzF9Kz9aHQGPhCbwfRZ + gN7f3zyt9XPw7Qdyf5+zvaarg5xf8i3q6vhYZSGpOGC/ZrRdJcNfo5Sw4gVzrTOD + M9IGoeoyWkCHrjKPjYf8fVW8dDgMsddaT/ub8jh9OcM5YA6mrbeAGyf135mOurLd + PCsu/tNAA1GLImgc/MYplkPsOfC0+7fJ9gCSirXyRgT6Eir1VJLL7wE0zrPYfqdX + NOXYKdHQxfhtk33XlnxNJ73cJVGtBXy3B2kkM2DBHxY2Zj8ysO48zSri280RVdJc + ARILzsczZMXmJVYuR/r103j+doR/kMVEeH+gwhTSyj3yOgP06Ychawx4m8QrjF93 + 
FfpVVia8JmpXAymJ93fO1HCzpQgZwX+BuhjfGcUoa3kr+lJjzU4571CCI84=
+ =lNG0
+ -----END PGP MESSAGE-----
+ fp: 4BE7925262289B476DBBC17B76FD3810215AE097
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
diff --git a/secrets/winters/secrets.yaml b/secrets/winters/secrets.yaml
index 9c3883a..a418558 100644
--- a/secrets/winters/secrets.yaml
+++ b/secrets/winters/secrets.yaml
@@ -7,7 +7,7 @@ mautrix-telegram-hs-token: ENC[AES256_GCM,data:bsuGGKASj65MkSri1MbZDEppRlr5qXzdR
 mautrix-telegram-api-id: ENC[AES256_GCM,data:GLaYJupsuA==,iv:EZ7i3jregI2puUAQbbkUK7OWA9Dnk0GdXRQuF/crD0Y=,tag:FL86Xji+YEkBPIm7m6sStw==,type:str]
 mautrix-telegram-api-hash: ENC[AES256_GCM,data:vikwgZLPV7YBdKlzf8+LEUnNIMx950CfBMGXKOga2cs=,iv:16+qS4L1LEKyWQKC2+a9l4OugWLJou2I2t9oRfKjS24=,tag:zhjD2dyGkqfMQlAt/LTCzw==,type:str]
 #ENC[AES256_GCM,data:3ZJfIpB7,iv:bS0q1SvUfAX8s6/R1z9IWoJ1vIitIDc2lGZUjS6P+Ao=,tag:Hc1HVrtkT6gNceN87PF/YA==,type:comment]
-acme-dns-token: ENC[AES256_GCM,data:QyOHnPFiNiOXBK41pr6XfG9KCWRysTxzW4cjuUesbGdFOOFi8W4lCQ==,iv:Iuc77X4t5V1xFPu2F1njo93l4oaciou7UfOLBm18gaM=,tag:+40ELYAGxaQfwiTKPPwI4w==,type:str]
+acme-dns-token: ENC[AES256_GCM,data:uSgEI33Pz8IsJMqtgNO5Q/HW1dRLMeGmXtJJNrbQ+PNVnAiTTRyS6Q==,iv:5ubDxwyDgEHxK/h50p2HK6S1+2TdfTUFH3yGv7/zcH4=,tag:P3b2b/h86TlgksjXB8Uccg==,type:str]
 #ENC[AES256_GCM,data:ZbWnE+gcmtR47A==,iv:a/WxLMGb2Y+lenUfUk8c73o/QUB6ImBVRUkHQjfWoq8=,tag:7FHXVb7qBGSXv3oO5f2M1w==,type:comment]
 paperless-admin-pw: ENC[AES256_GCM,data:8s2WunvnlL0xE8XNN1Re6/9nBAM57AgM9g==,iv:Pol+RjNMKpNYCQWY0BZamRnob+MO/e/14jc8uArtDz4=,tag:FXRrlhR3DpZ+7lSlXb7wsw==,type:str]
 kanidm-paperless-client: ENC[AES256_GCM,data:1lpf9LzAZeAe0ZJiXPE6KRDZxhi24CQmoA==,iv:eZKA/2JJzojPDJc/I8V4tw9tA7zK9Y7wrpgLww7sigg=,tag:YjlH+hHdzJHqMBdkxTZVwQ==,type:str]
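Review bot: `wireguard-home-preshared-key` in the new twothreetunnel file reuses the key name from moonside's file, and a WireGuard preshared key is a per-peer-pair secret, so this host needs a freshly generated value that is also configured on the `home` side rather than a copy of moonside's. Nothing in the ciphertext shows which it is, so this is a point to confirm, not a defect I can see. The file already documents `wireguard-private-key` with an encrypted `#ENC[...,type:comment]` line; a similar one above the preshared key naming the peer it pairs with would make the pairing explicit for whoever rotates it next. The enclosing twothreetunnel file section starts on an earlier line of this diff.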
@@ -58,8 +58,8 @@ sops:
 MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl
 qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-09T20:28:09Z"
- mac: ENC[AES256_GCM,data:tLAljNEDR4Ab27OXVJhvDuGmfuxE/L9KSFsJGDo25Vs3P56/HnjrI77y+ytLuf2sK/OHup7jXnlwBWUDAfNWIQzUdjIBtr/OiggkPHgWhr4rH55ayLM1IfZU1ex6MPvliz2yi0nU6jqHXoSlBCqu+hdfyTQri1EmZ9Bh811YDqs=,iv:4VmwBcmQIjQ16mwxYjgud3OUjQE0rH0wN72sAXXs3to=,tag:OQNYvxLZg+0hapvUYsexuA==,type:str]
+ lastmodified: "2025-11-28T17:45:19Z"
+ mac: ENC[AES256_GCM,data:lIdIP+Js+FzjJCoClGxqP1epl5fVkPzfJmOVauFNlXKRxx90/E3478oQHi/KbP7eFgPoy+0hAbMwnBmo/1tOKb2ky80/6IMEkbftiO7YZqy8opbSbCtj6ypOOwwPf5rgtXHn0LV+EtDQZzIBY6GhcERO6IQpFRAXeIkSGcpM3TE=,iv:sphhFBg1xgupLGQzRovea0wvsTolzfW/z+gjj9CyklM=,tag:bdo9FlPPYKdl87lsBsiEsQ==,type:str]
 pgp:
 - created_at: "2024-12-17T16:24:32Z"
 enc: |-
@@ -93,4 +93,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: 4BE7925262289B476DBBC17B76FD3810215AE097
 unencrypted_suffix: _unencrypted
- version: 3.10.2
+ version: 3.11.0