Compare commits
8 Commits
45fbd6e8a8
...
dad468fec4
Author | SHA1 | Date |
---|---|---|
Ciapa | dad468fec4 | |
Ciapa | 1573b9d4f1 | |
Ciapa | 29eb675b80 | |
Ciapa | 85e8b63f08 | |
Ciapa | 862c5e9cc1 | |
Ciapa | e15a8bb3eb | |
Ciapa | 18198b5d00 | |
Ciapa | b17770b56b |
|
@ -7,6 +7,7 @@ keys:
|
||||||
- &host_kinda_sus_lol age187hkscvxar33wta3zvgypj6kkc02g6sewwmfwmup26z2fuhwpamsa2d8yh
|
- &host_kinda_sus_lol age187hkscvxar33wta3zvgypj6kkc02g6sewwmfwmup26z2fuhwpamsa2d8yh
|
||||||
- &host_nyx_lewd_wtf age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya
|
- &host_nyx_lewd_wtf age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya
|
||||||
- &host_phoenix_lewd_wtf age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
|
- &host_phoenix_lewd_wtf age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
|
||||||
|
- &host_sphinx_lewd_wtf age1myz28jqex5kpcsjqg2a0la8cyuutzj4cxf53vs3v8ey6fqzvk3ws8z8k3h
|
||||||
creation_rules:
|
creation_rules:
|
||||||
# kinda.sus.lol
|
# kinda.sus.lol
|
||||||
- path_regex: hosts/kinda.sus.lol/secrets/.*
|
- path_regex: hosts/kinda.sus.lol/secrets/.*
|
||||||
|
@ -26,3 +27,9 @@ creation_rules:
|
||||||
- age:
|
- age:
|
||||||
- *admin_ecchi
|
- *admin_ecchi
|
||||||
- *host_phoenix_lewd_wtf
|
- *host_phoenix_lewd_wtf
|
||||||
|
# sphinx.lewd.wtf
|
||||||
|
- path_regex: hosts/sphinx.lewd.wtf/secrets/.*
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *admin_ecchi
|
||||||
|
- *host_sphinx_lewd_wtf
|
||||||
|
|
18
flake.lock
18
flake.lock
|
@ -146,11 +146,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-stable_2": {
|
"nixpkgs-stable_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716061101,
|
"lastModified": 1716655032,
|
||||||
"narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
|
"narHash": "sha256-kQ25DAiCGigsNR/Quxm3v+JGXAEXZ8I7RAF4U94bGzE=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
|
"rev": "59a450646ec8ee0397f5fa54a08573e8240eb91f",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -162,11 +162,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716137900,
|
"lastModified": 1716769173,
|
||||||
"narHash": "sha256-sowPU+tLQv8GlqtVtsXioTKeaQvlMz/pefcdwg8MvfM=",
|
"narHash": "sha256-7EXDb5WBw+d004Agt+JHC/Oyh/KTUglOaQ4MNjBbo5w=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "6c0b7a92c30122196a761b440ac0d46d3d9954f1",
|
"rev": "9ca3f649614213b2aaf5f1e16ec06952fe4c2632",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -193,11 +193,11 @@
|
||||||
"nixpkgs-stable": "nixpkgs-stable_2"
|
"nixpkgs-stable": "nixpkgs-stable_2"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716087663,
|
"lastModified": 1716692524,
|
||||||
"narHash": "sha256-zuSAGlx8Qk0OILGCC2GUyZ58/SJ5R3GZdeUNQ6IS0fQ=",
|
"narHash": "sha256-sALodaA7Zkp/JD6ehgwc0UCBrSBfB4cX66uFGTsqeFU=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "0bf1808e70ce80046b0cff821c019df2b19aabf5",
|
"rev": "962797a8d7f15ed7033031731d0bb77244839960",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
23
flake.nix
23
flake.nix
|
@ -21,6 +21,16 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"sphinx.lewd.wtf" = nixpkgs.lib.nixosSystem {
|
||||||
|
system = "x86_64-linux";
|
||||||
|
specialArgs = { inherit inputs self; };
|
||||||
|
modules = [
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
|
./default.nix
|
||||||
|
./hosts/sphinx.lewd.wtf/configuration.nix
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
"aztul.elmosco.lewd.wtf" = nixpkgs.lib.nixosSystem {
|
"aztul.elmosco.lewd.wtf" = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
specialArgs = { inherit inputs self; };
|
specialArgs = { inherit inputs self; };
|
||||||
|
@ -75,7 +85,18 @@
|
||||||
user = "root";
|
user = "root";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
"sphinx.lewd.wtf" = {
|
||||||
|
sshOpts = [ "-p" "222" "-o" "StrictHostKeyChecking=no" ];
|
||||||
|
hostname = "sphinx.lewd.wtf";
|
||||||
|
fastConnection = true;
|
||||||
|
|
||||||
|
profiles.system = {
|
||||||
|
sshUser = "root";
|
||||||
|
path =
|
||||||
|
deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations."sphinx.lewd.wtf";
|
||||||
|
user = "root";
|
||||||
|
};
|
||||||
|
};
|
||||||
"aztul.elmosco.lewd.wtf" = {
|
"aztul.elmosco.lewd.wtf" = {
|
||||||
sshOpts = [ "-p" "22111" "-o" "StrictHostKeyChecking=no" ];
|
sshOpts = [ "-p" "22111" "-o" "StrictHostKeyChecking=no" ];
|
||||||
hostname = "aztul.elmosco.lewd.wtf";
|
hostname = "aztul.elmosco.lewd.wtf";
|
||||||
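Review bot: The new sphinx deploy profile sets `"-o" "StrictHostKeyChecking=no"` in sshOpts, which disables host-key verification on a root SSH session that pushes a whole system closure, so a spoofed sphinx could be handed the deploy without any warning; the existing aztul entry has the same weakness, but the new entry need not copy it. Pinning the key is the fix: drop that option (or at most use `"StrictHostKeyChecking=accept-new"` so only first contact is trusted) and put sphinx's host key in the deploying machine's known_hosts, e.g. `sshOpts = [ "-p" "222" "-o" "StrictHostKeyChecking=accept-new" ];`. The profile also targets port 222, while nothing in this change sets `services.openssh.ports` for sphinx, so the connection will fail unless that is configured outside this diff. The enclosing deploy nodes attribute set begins and ends outside this hunk.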
|
|
|
@ -17,6 +17,10 @@ in {
|
||||||
device = "/mnt/zbigdata/media";
|
device = "/mnt/zbigdata/media";
|
||||||
options = [ "bind" ];
|
options = [ "bind" ];
|
||||||
};
|
};
|
||||||
|
"/export/c3moc/games" = lib.mkIf cfg.switchNfs {
|
||||||
|
device = "/mnt/zbigdata/games";
|
||||||
|
options = [ "bind" ];
|
||||||
|
};
|
||||||
"/export/c3moc/dropfolder" = lib.mkIf cfg.switchNfs {
|
"/export/c3moc/dropfolder" = lib.mkIf cfg.switchNfs {
|
||||||
device = "/mnt/zbigdata/c3moc_dropfolder";
|
device = "/mnt/zbigdata/c3moc_dropfolder";
|
||||||
options = [ "bind" ];
|
options = [ "bind" ];
|
||||||
|
@ -27,13 +31,19 @@ in {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
hostAddress = "192.168.69.1";
|
hostAddress = "192.168.69.1";
|
||||||
|
hostAddress6 = "aa69::1";
|
||||||
localAddress = "192.168.69.10";
|
localAddress = "192.168.69.10";
|
||||||
|
localAddress6 = "aa69::69";
|
||||||
|
|
||||||
bindMounts = {
|
bindMounts = {
|
||||||
"/home/c3moc/media" = {
|
"/home/c3moc/media" = {
|
||||||
hostPath = "/mnt/zbigdata/media";
|
hostPath = "/mnt/zbigdata/media";
|
||||||
isReadOnly = true;
|
isReadOnly = true;
|
||||||
};
|
};
|
||||||
|
"/home/c3moc/games" = {
|
||||||
|
hostPath = "/mnt/zbigdata/games";
|
||||||
|
isReadOnly = true;
|
||||||
|
};
|
||||||
"/home/c3moc/dropfolder" = {
|
"/home/c3moc/dropfolder" = {
|
||||||
hostPath = "/mnt/zbigdata/c3moc_dropfolder";
|
hostPath = "/mnt/zbigdata/c3moc_dropfolder";
|
||||||
isReadOnly = false;
|
isReadOnly = false;
|
||||||
|
@ -125,6 +135,8 @@ in {
|
||||||
services.nfs.server.exports = mkIf cfg.switchNfs ''
|
services.nfs.server.exports = mkIf cfg.switchNfs ''
|
||||||
/export (ro,fsid=0,no_subtree_check)
|
/export (ro,fsid=0,no_subtree_check)
|
||||||
/export/c3moc (ro,nohide,insecure,no_subtree_check)
|
/export/c3moc (ro,nohide,insecure,no_subtree_check)
|
||||||
|
/export/c3moc/games (ro,nohide,insecure,no_subtree_check)
|
||||||
|
/export/c3moc/media (ro,nohide,insecure,no_subtree_check)
|
||||||
/export/c3moc/dropfolder (rw,nohide,insecure,no_subtree_check)
|
/export/c3moc/dropfolder (rw,nohide,insecure,no_subtree_check)
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
@ -167,8 +179,91 @@ in {
|
||||||
proto = "tcp";
|
proto = "tcp";
|
||||||
sourcePort = 445;
|
sourcePort = 445;
|
||||||
}
|
}
|
||||||
|
# FTP
|
||||||
|
{
|
||||||
|
destination = "aa69::69:20";
|
||||||
|
proto = "tcp";
|
||||||
|
sourcePort = 20;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
destination = "aa69::69:21";
|
||||||
|
proto = "tcp";
|
||||||
|
sourcePort = 21;
|
||||||
|
}
|
||||||
|
# SFTP
|
||||||
|
{
|
||||||
|
destination = "aa69::69:22";
|
||||||
|
proto = "tcp";
|
||||||
|
sourcePort = 22;
|
||||||
|
}
|
||||||
|
# SMB
|
||||||
|
{
|
||||||
|
destination = "aa69::69:137";
|
||||||
|
proto = "udp";
|
||||||
|
sourcePort = 137;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
destination = "aa69::69:138";
|
||||||
|
proto = "udp";
|
||||||
|
sourcePort = 138;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
destination = "aa69::69:139";
|
||||||
|
proto = "tcp";
|
||||||
|
sourcePort = 139;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
destination = "aa69::69:445";
|
||||||
|
proto = "tcp";
|
||||||
|
sourcePort = 445;
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
# Monitoring Stuff
|
||||||
|
services.prometheus.exporters.node = {
|
||||||
|
enable = true;
|
||||||
|
port = 9100;
|
||||||
|
enabledCollectors = [
|
||||||
|
"logind"
|
||||||
|
"systemd"
|
||||||
|
];
|
||||||
|
disabledCollectors = [
|
||||||
|
"textfile"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
services.prometheus = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
scrapeConfigs = [
|
||||||
|
{
|
||||||
|
job_name = "node";
|
||||||
|
static_configs = [{
|
||||||
|
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
|
||||||
|
}];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
services.grafana = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
server = {
|
||||||
|
# Listening Address
|
||||||
|
http_addr = "127.0.0.1";
|
||||||
|
# and Port
|
||||||
|
http_port = 3000;
|
||||||
|
# Grafana needs to know on which domain and URL it's running
|
||||||
|
domain = "gpn22.c3moc.lol";
|
||||||
|
root_url = "https://gpn22.c3moc.lol/stats/"; # Not needed if it is `https://your.domain/`
|
||||||
|
serve_from_sub_path = true;
|
||||||
|
};
|
||||||
|
"auth.anonymous" = {
|
||||||
|
enabled = true;
|
||||||
|
org_name = "Public";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
# Nginx Stuff
|
# Nginx Stuff
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
virtualHosts."gpn22.c3moc.lol" = {
|
virtualHosts."gpn22.c3moc.lol" = {
|
||||||
|
@ -219,6 +314,11 @@ in {
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
proxy_set_header X-Forwarded-Host $http_host;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
"/stats/" = {
|
||||||
|
proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
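Review bot: The `destination` values added to the port-forward list, such as `"aa69::69:22"`, are not in the `[ipv6]:port` form the NixOS nat forwardPorts option documents, so ip6tables will most likely parse each one as the bare address aa69::69:22 (a different host from the container's aa69::69) with no port; write them as `destination = "[aa69::69]:22";` and likewise for 20, 21, 137–139 and 445, and note that IPv6 DNAT also needs `networking.nat.enableIPv6 = true`, which this change does not show. Forwarding host port 22 to the container will additionally capture the host's own SSH on the NAT external interface, so confirm sshd is not meant to be reachable there. Separately, the Grafana instance is published through nginx at `/stats/` with anonymous access enabled while `settings.security.admin_password` is left at the NixOS module's default of `admin`, so unless it is set outside this diff the public endpoint offers an admin login with default credentials; point it at a secret file instead, e.g. `security.admin_password = "$__file{/run/secrets/grafana-admin}";`. The module's attribute set continues outside this hunk.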
|
|
|
@ -14,8 +14,8 @@ let
|
||||||
in {
|
in {
|
||||||
inherit imports;
|
inherit imports;
|
||||||
|
|
||||||
c3moc.enable = true;
|
c3moc.enable = false;
|
||||||
c3moc.switchNfs = true;
|
c3moc.switchNfs = false;
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = false;
|
boot.loader.systemd-boot.enable = false;
|
||||||
boot.loader.grub = {
|
boot.loader.grub = {
|
||||||
|
|
|
@ -35,6 +35,11 @@
|
||||||
fsType = "zfs";
|
fsType = "zfs";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
fileSystems."/mnt/zbigdata/games" = {
|
||||||
|
device = "zbigdata/games";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
fileSystems."/var/lib/attic/storage" = {
|
fileSystems."/var/lib/attic/storage" = {
|
||||||
device = "zbigdata/attic";
|
device = "zbigdata/attic";
|
||||||
fsType = "zfs";
|
fsType = "zfs";
|
||||||
|
|
|
@ -5,8 +5,9 @@
|
||||||
"br0" = {
|
"br0" = {
|
||||||
interfaces = [
|
interfaces = [
|
||||||
"eno2"
|
"eno2"
|
||||||
"enp23s0"
|
"enp2s0"
|
||||||
"enp23s0d1"
|
"enp101s0"
|
||||||
|
"enp101s0d1"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -19,18 +20,13 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.interfaces.br0.ipv4.addresses = [
|
networking.interfaces.br0.ipv4.addresses = [
|
||||||
{
|
|
||||||
address = "10.0.69.69";
|
|
||||||
prefixLength = 16;
|
|
||||||
}
|
|
||||||
{
|
{
|
||||||
address = "192.168.0.42";
|
address = "192.168.0.42";
|
||||||
prefixLength = 22;
|
prefixLength = 22;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
# networking.defaultGateway = "10.0.0.1";
|
||||||
networking.defaultGateway = "10.0.0.1";
|
networking.defaultGateway = "192.168.0.1";
|
||||||
# networking.defaultGateway = "192.168.0.1";
|
|
||||||
networking.nameservers = [ "1.1.1.1" ];
|
networking.nameservers = [ "1.1.1.1" ];
|
||||||
|
|
||||||
networking.firewall.enable = false;
|
networking.firewall.enable = false;
|
||||||
|
|
|
@ -3,10 +3,12 @@ let
|
||||||
utils = import ../../../util/include.nix { lib = lib; };
|
utils = import ../../../util/include.nix { lib = lib; };
|
||||||
imports =
|
imports =
|
||||||
(utils.includeDir ./services) ++
|
(utils.includeDir ./services) ++
|
||||||
|
(utils.includeDir ./storage_users) ++
|
||||||
[
|
[
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./networking.nix
|
./networking.nix
|
||||||
./users.nix
|
./users.nix
|
||||||
|
./sftp_jail.nix
|
||||||
];
|
];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
|
@ -14,5 +14,12 @@
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Shared stuff
|
||||||
|
fileSystems."/sftp_jail/melic" = {
|
||||||
|
device = "/home/rene/shared";
|
||||||
|
options = [ "bind,ro" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
services.qemuGuest.enable = true;
|
services.qemuGuest.enable = true;
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
{
|
||||||
|
services.openssh.extraConfig = ''
|
||||||
|
Match Group sftponly
|
||||||
|
ChrootDirectory /sftp_jail
|
||||||
|
ForceCommand internal-sftp
|
||||||
|
AllowTcpForwarding no
|
||||||
|
'';
|
||||||
|
|
||||||
|
users.groups.sftponly = {};
|
||||||
|
}
|
|
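Review bot: The Match block chroots every `sftponly` member into the shared `/sftp_jail`, so each jailed user can list and, where permissions allow, read every other user's directory under it; if more accounts follow melic, `ChrootDirectory /sftp_jail/%u` with a root-owned per-user directory and the share bind-mounted beneath it keeps them apart. sshd also insists that `/sftp_jail` and every component above it be owned by root and not group- or world-writable, and nothing in this change creates that directory explicitly, so add `systemd.tmpfiles.rules = [ "d /sftp_jail 0755 root root -" ];` rather than relying on the bind-mount unit to create it with the modes sshd wants. The block only disables TCP forwarding; for an SFTP-only group it should also carry `X11Forwarding no`, `AllowAgentForwarding no` and `PermitTunnel no`. A comment above the block noting that `services.openssh.extraConfig` is appended to the end of sshd_config, which is why the `Match` block may live here, would save the next reader checking that `Match` really comes last.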
@ -0,0 +1,12 @@
|
||||||
|
{
|
||||||
|
users.users.melic = {
|
||||||
|
group = "sftponly";
|
||||||
|
isNormalUser = true;
|
||||||
|
home = "/sftp_jail/melic";
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERtfY26/h5xl+bzZm2htR4+Wd879DvZRPHsosFaEqIW gaming@DESKTOP-4ACM3JU"
|
||||||
|
"ssh-rsa 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 melic@Erika"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
||||||
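Review bot: `isNormalUser = true` gives melic a full login shell and a created home, although the account is only ever meant to reach `internal-sftp`; the Match block in sftp_jail.nix is the only thing confining it to SFTP, so pin the shell as well — change the header to `{ pkgs, ... }: {` and add `shell = "${pkgs.shadow}/bin/nologin";` (internal-sftp does not spawn a shell) — or at least leave a comment above the user saying that the chroot and ForceCommand in sftp_jail.nix are what confine it. The home `/sftp_jail/melic` is also the mount point where this change bind-mounts `/home/rene/shared` read-only, so the home is the share itself rather than a directory containing it; if that is intended, a one-line comment here saying so would spare the next reader a trip through the filesystems file.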
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
{ self, config, pkgs, lib, ... }:
|
||||||
|
let
|
||||||
|
utils = import ../../util/include.nix { lib = lib; };
|
||||||
|
imports =
|
||||||
|
(utils.includeDir ./services) ++
|
||||||
|
[
|
||||||
|
./hardware-configuration.nix
|
||||||
|
./networking.nix
|
||||||
|
./secrets.nix
|
||||||
|
];
|
||||||
|
in
|
||||||
|
{
|
||||||
|
inherit imports;
|
||||||
|
|
||||||
|
networking.hostName = "sphinx";
|
||||||
|
networking.domain = "lewd.wtf";
|
||||||
|
|
||||||
|
boot.loader.grub = {
|
||||||
|
enable = true;
|
||||||
|
efiSupport = false;
|
||||||
|
devices = [ "/dev/sda" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
system.stateVersion = "24.05";
|
||||||
|
}
|
|
@ -0,0 +1,11 @@
|
||||||
|
{ modulesPath, ... }:
|
||||||
|
{
|
||||||
|
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
||||||
|
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
|
||||||
|
boot.kernelModules = [ "nvme" ];
|
||||||
|
|
||||||
|
fileSystems."/" = {
|
||||||
|
device = "/dev/sda1";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,32 @@
|
||||||
|
{ lib, ... }: {
|
||||||
|
# This file was populated at runtime with the networking
|
||||||
|
# details gathered from the active system.
|
||||||
|
networking = {
|
||||||
|
nameservers = [ "8.8.8.8" ];
|
||||||
|
defaultGateway = "172.31.1.1";
|
||||||
|
defaultGateway6 = {
|
||||||
|
address = "fe80::1";
|
||||||
|
interface = "eth0";
|
||||||
|
};
|
||||||
|
dhcpcd.enable = false;
|
||||||
|
usePredictableInterfaceNames = lib.mkForce false;
|
||||||
|
interfaces = {
|
||||||
|
eth0 = {
|
||||||
|
ipv4.addresses = [
|
||||||
|
{ address="116.203.182.240"; prefixLength=32; }
|
||||||
|
];
|
||||||
|
ipv6.addresses = [
|
||||||
|
{ address="2a01:4f8:1c1b:7a9b::1"; prefixLength=64; }
|
||||||
|
{ address="fe80::9400:3ff:fe62:dffe"; prefixLength=64; }
|
||||||
|
];
|
||||||
|
ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
|
||||||
|
ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
};
|
||||||
|
services.udev.extraRules = ''
|
||||||
|
ATTR{address}=="96:00:03:62:df:fe", NAME="eth0"
|
||||||
|
|
||||||
|
'';
|
||||||
|
}
|
|
@ -0,0 +1,13 @@
|
||||||
|
{ config, ... }:
|
||||||
|
{
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
|
||||||
|
# Vaultwarden
|
||||||
|
sops.secrets."services/vaultwarden/.env" = {
|
||||||
|
mode = "0400";
|
||||||
|
owner = config.users.users.vaultwarden.name;
|
||||||
|
group = config.users.users.vaultwarden.group;
|
||||||
|
sopsFile = ./secrets/vaultwarden.env;
|
||||||
|
format = "dotenv";
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,11 @@
|
||||||
|
ADMIN_TOKEN=ENC[AES256_GCM,data:xAMhqj/wAqmDPUEo+IUMsaY9+/dTOmdwm5NKu7LC9PGgyORRVjowI5Fu/3j47u9JKLXPyGvQM33s+S3VqNhspQ==,iv:yCdNQbQx86CZU7GvShcL9YxOlzGr/bTfTp5DDMudTDs=,tag:QRsgnB9K1DcEcHlGrUA2EQ==,type:str]
|
||||||
|
SMTP_PASSWORD=ENC[AES256_GCM,data:JvSxXTTPQmox2O7n28018A==,iv:uA3WytiA9o/3qohl/eaMD7gVbORo4YZg2gzT/qZZHbA=,tag:v3Rkhp4HpjZE8Z45N3jcxQ==,type:str]
|
||||||
|
YUBICO_SECRET_KEY=ENC[AES256_GCM,data:oUXZDR5F1eXNKFYYiK9BQfeuves36PdqfKE1Yb7Z,iv:XDmIl7dqV8R7bykwtQz3EQIf1qJHh3wPbL9RAu6ZWEk=,tag:F5kb5XqY0JPeBGYOFrQC8g==,type:str]
|
||||||
|
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcWZxL3Q4dElaV0hjWm9J\nN1ViOEZkS3Z1RlAvRHFKZjdhU2drNWFZT3dBClY3Rm1lK1FaR1hmSTZ5dUJSNktK\ndGhneVdXS2R3MXB4N01yaTBlaGxjSEUKLS0tIHY3ejBnUzNlRWs3L0c3bkpBRFk5\ndHJNdG9ESHZ3ZzlPMExwNmpZSHpYZVUK9d6xS6ji8N3rZS1OmXJU7VZd6jZNETPK\nZTozNHhcvQiXTdlc23cSUZOHeJyugV+IjRpkDUBjh/0f/YzBNH7gsA==\n-----END AGE ENCRYPTED FILE-----\n
|
||||||
|
sops_age__list_0__map_recipient=age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
|
||||||
|
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtTEdOT3RaQWNzQkhzd0ds\ncS9tVWZJbDNMUmNCcWpRSDJwbDV4cUpHZ0ZJCkdBUGRxOUp2QnpYSnRpdzFxK2Fj\nSW9lRUIxbFBoWDFYVEhDK3FvOGk0VzgKLS0tIENBVkpTa0ZpTFFpVG4yR1p2c1lT\nZExSWmdUTXR5SS8yZzQ1VExGdkk0alkKIebJqoBgEv9KK8Nmtyo4xYAd8UA7czBC\noRHZv9cduFhA55iDvEQIdfrDJGMTCAbnuXEGlh0hee0KFFrsar7FEg==\n-----END AGE ENCRYPTED FILE-----\n
|
||||||
|
sops_age__list_1__map_recipient=age1myz28jqex5kpcsjqg2a0la8cyuutzj4cxf53vs3v8ey6fqzvk3ws8z8k3h
|
||||||
|
sops_lastmodified=2024-06-06T10:12:52Z
|
||||||
|
sops_mac=ENC[AES256_GCM,data:KRi4A7W8/SWaSdX6kz1r00u0s0e+H9T1DlNlWXjbL5ZqUiACBGvmnlU0Ylqter7JBnP6hM3y34wuTH3XzqpAmcPLSCg6bhLqV24AIzTxb/xJJUj0G2uTle//LUipVVem19ECVS0refj36nDd4Lzuyy6fe6uowQMkt2vzLlmr6t8=,iv:1DTq4KQLJwyByoFP6inLp4DmrFra+ca1EEAGgUJ5NMs=,tag:oovcb4hGB1dyOzR5GV5wog==,type:str]
|
||||||
|
sops_unencrypted_suffix=_unencrypted
|
||||||
|
sops_version=3.7.3
|
|
@ -0,0 +1,7 @@
|
||||||
|
{
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
|
}
|
|
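Review bot: nginx is enabled here with none of the module's hardening presets, although the vhost added alongside it publishes a password manager behind `forceSSL`; set `recommendedTlsSettings = true;` and `recommendedProxySettings = true;` in this block so every vhost on sphinx gets the module's TLS protocol and cipher choices plus the standard proxy headers (and `recommendedGzipSettings`/`recommendedOptimisation` if wanted). That vhost also uses `enableACME`, which requires `security.acme.acceptTerms = true;` and `security.acme.defaults.email`; neither appears in this change, so evaluation will fail unless they are set elsewhere in the sphinx configuration.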
@ -0,0 +1,60 @@
|
||||||
|
{ config, ... }:
|
||||||
|
{
|
||||||
|
users.users.vaultwarden.extraGroups = [ config.users.groups.keys.name ];
|
||||||
|
|
||||||
|
services.vaultwarden = {
|
||||||
|
enable = true;
|
||||||
|
environmentFile = "/run/secrets/services/vaultwarden/.env";
|
||||||
|
config = {
|
||||||
|
DOMAIN = "https://vault.lewd.wtf";
|
||||||
|
SIGNUPS_ALLOWED = false;
|
||||||
|
SIGNUPS_VERIFY = true;
|
||||||
|
INVITATIONS_ALLOWED = false;
|
||||||
|
WEBSOCKET_ENABLED = true;
|
||||||
|
WEBSOCKET_PORT = 3012;
|
||||||
|
ROCKET_PORT = 8222;
|
||||||
|
SMTP_HOST = "mail.your-server.de";
|
||||||
|
SMTP_FROM = "vaultwarden@lewd.wtf";
|
||||||
|
SMTP_FROM_NAME = "Vaultwarden";
|
||||||
|
SMTP_USERNAME = "vaultwarden@lewd.wtf";
|
||||||
|
YUBICO_CLIENT_ID = 88022;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.clientMaxBodySize = "128M";
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."vault.lewd.wtf" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:8222";
|
||||||
|
proxyWebsockets = true; # needed if you need to use WebSocket
|
||||||
|
extraConfig =
|
||||||
|
"proxy_set_header Host $host;" +
|
||||||
|
"proxy_set_header X-Real-IP $remote_addr;" +
|
||||||
|
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
|
||||||
|
"proxy_set_header X-Forwarded-Proto $scheme;"
|
||||||
|
;
|
||||||
|
};
|
||||||
|
locations."/notifications/hub/negotiate" = {
|
||||||
|
proxyPass = "http://127.0.0.1:8222";
|
||||||
|
proxyWebsockets = true; # needed if you need to use WebSocket
|
||||||
|
extraConfig =
|
||||||
|
"proxy_set_header Host $host;" +
|
||||||
|
"proxy_set_header X-Real-IP $remote_addr;" +
|
||||||
|
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
|
||||||
|
"proxy_set_header X-Forwarded-Proto $scheme;"
|
||||||
|
;
|
||||||
|
};
|
||||||
|
locations."/notifications/hub" = {
|
||||||
|
proxyPass = "http://127.0.0.1:3012";
|
||||||
|
proxyWebsockets = true; # needed if you need to use WebSocket
|
||||||
|
extraConfig =
|
||||||
|
"proxy_set_header Host $host;" +
|
||||||
|
"proxy_set_header X-Real-IP $remote_addr;" +
|
||||||
|
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
|
||||||
|
"proxy_set_header X-Forwarded-Proto $scheme;"
|
||||||
|
;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
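Review bot: `environmentFile` hardcodes `/run/secrets/services/vaultwarden/.env` instead of taking the path from sops-nix, so the two drift silently if the secret is renamed or sops-nix changes its runtime directory; use `environmentFile = config.sops.secrets."services/vaultwarden/.env".path;`. With the secret already owned by the vaultwarden user at mode 0400, as secrets.nix in this change sets, the `extraGroups = [ config.users.groups.keys.name ]` line grants nothing and can go. The three `extraConfig` concatenations repeat what `recommendedProxySettings = true;` on each location already provides (Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto), and the other host touched by this change uses exactly that option, so replacing the strings with it is both shorter and consistent. `services.nginx.clientMaxBodySize = "128M"` applies to every vhost on the server; `extraConfig = "client_max_body_size 128M;";` inside the vault.lewd.wtf vhost keeps it scoped. The `WEBSOCKET_ENABLED`/port 3012 split is deprecated in recent vaultwarden releases, which serve websockets on `ROCKET_PORT`, so check the version in the pinned nixpkgs before keeping the third location.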
@ -5,7 +5,7 @@
|
||||||
gc = {
|
gc = {
|
||||||
automatic = true;
|
automatic = true;
|
||||||
dates = "weekly";
|
dates = "weekly";
|
||||||
options = "--delete-older-than 15";
|
options = "--delete-older-than 15d";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|