Compare commits


54 Commits

Author SHA1 Message Date
Ciapa dad468fec4 Fix cleanup
ci/woodpecker/push/deploy Pipeline failed Details
2024-06-10 13:20:07 +02:00
Ciapa 1573b9d4f1 Add readonly user to rene box 2024-06-08 11:34:13 +02:00
Ciapa 29eb675b80 Disable c3moc config 2024-06-08 11:21:19 +02:00
Ciapa 85e8b63f08 Fix network config for new PCIe layout 2024-06-08 11:20:53 +02:00
Ciapa 862c5e9cc1 Add game archive mount 2024-06-08 11:20:03 +02:00
Ciapa e15a8bb3eb Finish up first gen of c3moc config 2024-06-08 11:19:02 +02:00
Ciapa 18198b5d00 Update flake.lock 2024-06-08 11:18:36 +02:00
Ciapa b17770b56b Add new host sphinx.lewd.wtf 2024-06-08 11:17:08 +02:00
Ciapa 45fbd6e8a8 Use custom build image
ci/woodpecker/push/deploy Pipeline was successful Details
ci/woodpecker/manual/deploy Pipeline was successful Details
2024-05-20 18:15:06 +02:00
Ciapa 8a9350b114 Try specifying entrypoint explicitly
ci/woodpecker/push/deploy Pipeline failed Details
2024-05-20 16:57:06 +02:00
Ciapa 6d826ee4d2 Add broken workaround to fix nixos deployment
ci/woodpecker/push/deploy Pipeline failed Details
2024-05-20 16:08:27 +02:00
Ciapa 6f92c589c3 Make woodpecker config work again 2024-05-20 16:08:10 +02:00
Ciapa 2e8996767e Update flake.nix
ci/woodpecker/push/deploy Pipeline failed Details
2024-05-20 15:54:44 +02:00
Ciapa 9c5984ba4f Implement c3moc config 2024-05-20 15:53:55 +02:00
Ciapa 24ea080b34 Install unifi controller 2024-05-04 22:54:00 +02:00
Ciapa def048b9a8 Manage SSH key manually until better solution is implemented
ci/woodpecker/push/deploy Pipeline failed Details
2024-04-12 16:51:33 +02:00
Ciapa 1acf5e2d70 Remove gitea actions
ci/woodpecker/push/deploy Pipeline failed Details
ci/woodpecker/manual/deploy Pipeline failed Details
2024-04-12 16:33:32 +02:00
Ciapa f941d15909 Provide very basic woodpecker integration
ci / test (push) Successful in 1m11s Details
ci / deploy (push) Successful in 1m54s Details
ci/woodpecker/push/deploy Pipeline failed Details
2024-04-12 16:24:12 +02:00
Ciapa e008ca453a Ignore error in mail service
ci / test (push) Successful in 48s Details
ci / deploy (push) Successful in 1m34s Details
2024-04-12 00:18:04 +02:00
Ciapa 73b0e2043e Disable attic
ci / test (push) Successful in 39s Details
ci / deploy (push) Has been cancelled Details
2024-04-11 23:07:30 +02:00
Ciapa 7a737ca637 Bump nix action
ci / test (push) Failing after 44s Details
ci / deploy (push) Has been skipped Details
2024-04-11 22:52:30 +02:00
Ciapa 8091266421 Update flake.lock
ci / test (push) Failing after 51s Details
ci / deploy (push) Has been skipped Details
2024-04-11 22:33:44 +02:00
Ciapa 4bbde94059 Add documentation for missing zfs unlock features 2024-04-11 22:33:06 +02:00
ciapa 5b45790d01 Fix secret owner
ci / test (push) Failing after 56s Details
ci / deploy (push) Has been skipped Details
2024-04-11 20:14:53 +00:00
ciapa 64ca121790 Add temp dir to transfer.sh
ci / test (push) Failing after 37s Details
ci / deploy (push) Has been skipped Details
2024-04-11 20:13:33 +00:00
ciapa 2716a5597e Fix transfer-sh deployment
ci / test (push) Failing after 39s Details
ci / deploy (push) Has been skipped Details
2024-04-11 15:09:18 +00:00
ciapa 214b5a62c4 Use upstream transfer-sh module
ci / test (push) Failing after 36s Details
ci / deploy (push) Has been skipped Details
2024-04-11 15:02:55 +00:00
ciapa c804362bb0 Fix vikunja deployment for real
ci / test (push) Failing after 40s Details
ci / deploy (push) Has been skipped Details
2024-04-11 15:00:32 +00:00
ciapa 624aebdc32 Fix vikunja deployment
ci / test (push) Failing after 8s Details
ci / deploy (push) Has been skipped Details
2024-04-11 14:58:07 +00:00
ciapa 08c26262d6 Fix attic package refetence
ci / test (push) Failing after 15s Details
ci / deploy (push) Has been skipped Details
2024-04-11 14:50:48 +00:00
Ciapa 8518832b7d Add deployment for attic
ci / test (push) Failing after 26s Details
ci / deploy (push) Has been skipped Details
2024-04-07 11:48:10 +02:00
Ciapa 094030f4d5 Flake update 2024-04-07 11:18:48 +02:00
Ciapa a75118a5f6 Allow email registration for hedgedoc
ci / test (push) Successful in 41s Details
ci / deploy (push) Successful in 1m27s Details
2024-03-28 17:32:03 +01:00
Ciapa d77f0556bb Adjust nfs mount
ci / test (push) Successful in 48s Details
ci / deploy (push) Successful in 1m41s Details
2024-02-27 08:05:03 +01:00
Ciapa 855a3556a8 Add seedbox for oosi
ci / test (push) Successful in 44s Details
ci / deploy (push) Successful in 3m35s Details
2024-02-23 19:52:58 +01:00
Ciapa f84e17d062 Decommission mirrors
ci / test (push) Successful in 46s Details
ci / deploy (push) Successful in 1m48s Details
2024-02-11 22:53:18 +01:00
Ciapa 6215a962e4 Decommission nyx
ci / test (push) Successful in 1m16s Details
ci / deploy (push) Successful in 6m23s Details
2024-02-10 19:27:37 +01:00
Ciapa e7838b8992 Add services from nyx to phoenix 2024-02-10 19:26:29 +01:00
Ciapa 809eb05edf Add base requirements for NAT
ci / test (push) Successful in 1m10s Details
ci / deploy (push) Successful in 2m39s Details
2024-02-09 22:33:22 +01:00
Ciapa e48cd67df2 Fix wireguard service
ci / test (push) Successful in 1m10s Details
ci / deploy (push) Successful in 2m43s Details
2024-02-09 22:25:13 +01:00
Ciapa c93000421f Configure NAT manually
ci / test (push) Successful in 1m18s Details
ci / deploy (push) Failing after 2m41s Details
2024-02-09 19:13:52 +01:00
Ciapa 5cbb5d2f33 Add test qbit setup
ci / test (push) Successful in 1m14s Details
ci / deploy (push) Successful in 2m58s Details
2024-02-09 00:05:31 +01:00
Ciapa 55f8c82eef Add more users to music service
ci / test (push) Successful in 1m3s Details
ci / deploy (push) Successful in 2m31s Details
2024-02-07 21:41:15 +01:00
Ciapa 00aafb2ad9 Try disabling firewall
ci / test (push) Successful in 1m6s Details
ci / deploy (push) Successful in 4m4s Details
2024-02-06 21:00:41 +01:00
Ciapa cb2ac4c8da Force correct gitea actions runner
ci / test (push) Successful in 52s Details
ci / deploy (push) Failing after 2m28s Details
2024-02-04 20:01:49 +01:00
Ciapa ea047147b9 Configure container for Wireguard NAT tests
ci / test (push) Failing after 2m52s Details
ci / deploy (push) Has been skipped Details
2024-02-04 19:42:16 +01:00
Ciapa 7a704851c0 Configure Wireguard for Phoenix 2024-02-04 19:34:52 +01:00
Ciapa 8543999a8a Ensure network is really up before sending mails
ci / test (push) Successful in 1m10s Details
ci / deploy (push) Successful in 2m53s Details
2024-02-04 12:37:10 +01:00
Ciapa f85dc16246 Yeet fucking DuckDNS
ci / test (push) Successful in 59s Details
ci / deploy (push) Failing after 20m31s Details
2024-02-04 12:11:35 +01:00
Ciapa 597c2f9ff3 Move postCommands to systemd service
ci / test (push) Successful in 55s Details
ci / deploy (push) Failing after 3m46s Details
2024-02-04 02:23:24 +01:00
Ciapa b5f1441bb2 Install additional packages 2024-02-04 01:51:04 +01:00
Ciapa 6e7dd508d0 Fix initrd sshd check
ci / test (push) Failing after 5m52s Details
ci / deploy (push) Has been skipped Details
2024-02-04 01:47:51 +01:00
Ciapa b8a7d1bf0d Update flake.nix
ci / test (push) Failing after 12m48s Details
ci / deploy (push) Has been skipped Details
2024-02-04 01:31:36 +01:00
Ciapa 2d14658dcd Add basic config for Phoenix
ci / test (push) Failing after 2m14s Details
ci / deploy (push) Has been skipped Details
2024-02-04 01:25:42 +01:00
66 changed files with 1350 additions and 614 deletions


@ -1,59 +0,0 @@
name: ci
on:
push:
branches:
- master
jobs:
test:
runs-on: ubuntu-latest
container:
volumes:
- /mnt/cache/nix_store:/nix
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install sudo
run: apt update && apt install -y sudo
- name: Install Nix
uses: cachix/install-nix-action@v23
with:
nix_path: nixpkgs=channel:nixos-unstable
github_access_token: ${{ secrets.CUSTOM_GITHUB_TOKEN }}
- name: Flake check
run: nix flake check
deploy:
runs-on: ubuntu-latest
container:
volumes:
- /mnt/cache/nix_store:/nix
needs: test
if: github.ref == 'refs/heads/master'
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install sudo
run: apt update && apt install -y sudo
- name: Install Nix
uses: cachix/install-nix-action@v23
with:
nix_path: nixpkgs=channel:nixos-unstable
github_access_token: ${{ secrets.CUSTOM_GITHUB_TOKEN }}
- name: Load ssh key
uses: webfactory/ssh-agent@v0.8.0
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: Deploy
run: nix develop --command deploy --rollback-succeeded false
env:
ACTION_RUNTIME_TOKEN: ''
GITHUB_TOKEN: ''


@ -1,34 +0,0 @@
name: update-flake-inputs
on:
schedule:
- cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
jobs:
update-lockfile:
runs-on: ubuntu-latest
container:
volumes:
- /mnt/cache/nix_store:/nix
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install sudo
run: apt update && apt install -y sudo
- name: Install Nix
uses: cachix/install-nix-action@v23
with:
github_access_token: ${{ secrets.CUSTOM_GITHUB_TOKEN }}
extra_nix_config: |
access-tokens = gitnext.lewd.wtf=${{ secrets.AUTOUPDATE_TOKEN }}
- name: Update flake.lock
uses: DeterminateSystems/update-flake-lock@v20
env:
ACTION_RUNTIME_TOKEN: ''
GITHUB_TOKEN: ''
with:
pr-title: "update flake inputs"
pr-labels: |
update
automated


@ -6,6 +6,8 @@ keys:
# Hosts # Hosts
- &host_kinda_sus_lol age187hkscvxar33wta3zvgypj6kkc02g6sewwmfwmup26z2fuhwpamsa2d8yh - &host_kinda_sus_lol age187hkscvxar33wta3zvgypj6kkc02g6sewwmfwmup26z2fuhwpamsa2d8yh
- &host_nyx_lewd_wtf age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya - &host_nyx_lewd_wtf age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya
- &host_phoenix_lewd_wtf age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
- &host_sphinx_lewd_wtf age1myz28jqex5kpcsjqg2a0la8cyuutzj4cxf53vs3v8ey6fqzvk3ws8z8k3h
creation_rules: creation_rules:
# kinda.sus.lol # kinda.sus.lol
- path_regex: hosts/kinda.sus.lol/secrets/.* - path_regex: hosts/kinda.sus.lol/secrets/.*
@ -19,3 +21,15 @@ creation_rules:
- age: - age:
- *admin_ecchi - *admin_ecchi
- *host_nyx_lewd_wtf - *host_nyx_lewd_wtf
# phoenix.lewd.wtf
- path_regex: hosts/phoenix.lewd.wtf/secrets/.*
key_groups:
- age:
- *admin_ecchi
- *host_phoenix_lewd_wtf
# sphinx.lewd.wtf
- path_regex: hosts/sphinx.lewd.wtf/secrets/.*
key_groups:
- age:
- *admin_ecchi
- *host_sphinx_lewd_wtf
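Review bot: The recipient list still carries `&host_nyx_lewd_wtf` and its creation rule (visible as unchanged context just above the added phoenix rule), although this compare also removes the `nyx.lewd.wtf` system from the flake. If that machine is really decommissioned, its age key should be dropped from `keys:` and from the rule, and any files it could still decrypt should be re-encrypted for the reduced recipient set with `sops updatekeys`. Secrets that lived on the old host are best rotated as well, since a leftover disk or backup keeps the private half. Whether `hosts/nyx.lewd.wtf/secrets` still exists in the tree is not visible from this hunk.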

33
.woodpecker/deploy.yaml Normal file

@ -0,0 +1,33 @@
labels:
hostname: "nixos-x86-64"
variables: &nix-config
NIXOS_VERSION: "unstable"
NIXPKGS_ALLOW_UNFREE: "1"
NIXPKGS_ALLOW_INSECURE: "1"
steps:
- name: Check Flake
image: nixlocal
entrypoint: ["/bin/sh", "-c"]
commands:
- nix-channel --add https://nixos.org/channels/nixos-$${NIXOS_VERSION} nixos
- nix-channel --update
- nix flake check
environment:
*nix-config
when:
- evaluate: 'CI_PIPELINE_EVENT != "cron" && CI_PIPELINE_EVENT != "schedule"'
- name: Deploy
image: nixlocal
commands:
- nix-env -iA nixos.openssh
- eval "$(ssh-agent -s)"
- echo $${SSH_PRIVATE_KEY}} | ssh-add -
- nix develop --command deploy
environment:
*nix-config
when:
- evaluate: 'CI_PIPELINE_EVENT != "cron" && CI_COMMIT_BRANCH == "master"'
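Review bot: The Deploy step loads the key with `echo $${SSH_PRIVATE_KEY}} | ssh-add -`, which carries a stray `}` and an unquoted expansion, so the shell word-splits the multi-line key and appends a literal brace; ssh-add will most likely reject the result. The step also shows no `secrets:` or `from_secret` entry, so as far as this file shows the variable is never injected into the container. A quoted form such as `printf '%s\n' "$${SSH_PRIVATE_KEY}" | ssh-add -`, with the secret declared on the Deploy step only, avoids both problems and keeps the key out of the Check Flake step. Separately, `NIXPKGS_ALLOW_INSECURE: "1"` reaches both steps through the shared `&nix-config` anchor; it should either name the package that needs it in a comment or be removed.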


@ -1,19 +1,62 @@
{ {
"nodes": { "nodes": {
"attic": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1711742460,
"narHash": "sha256-0O4v6e4a1toxXZ2gf5INhg4WPE5C5T+SVvsBt+45Mcc=",
"owner": "zhaofengli",
"repo": "attic",
"rev": "4dbdbee45728d8ce5788db6461aaaa89d98081f0",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"repo": "attic",
"type": "github"
}
},
"crane": {
"inputs": {
"nixpkgs": [
"attic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1702918879,
"narHash": "sha256-tWJqzajIvYcaRWxn+cLUB9L9Pv4dQ3Bfit/YjU5ze3g=",
"owner": "ipetkov",
"repo": "crane",
"rev": "7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"deploy-rs": { "deploy-rs": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1703087360, "lastModified": 1715699772,
"narHash": "sha256-0VUbWBW8VyiDRuimMuLsEO4elGuUw/nc2WDeuO1eN1M=", "narHash": "sha256-sKhqIgucN5sI/7UQgBwsonzR4fONjfMr9OcHK/vPits=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "b709d63debafce9f5645a5ba550c9e0983b3d1f7", "rev": "b3ea6f333f9057b77efd9091119ba67089399ced",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -23,6 +66,22 @@
} }
}, },
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1696426674,
@ -38,13 +97,76 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1704194953, "lastModified": 1711401922,
"narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=", "narHash": "sha256-QoQqXoj8ClGo0sqD/qWKFWezgEwUL0SUh37/vY2jNhc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "07262b18b97000d16a4bdb003418bd2fb067a932",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1711460390,
"narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "44733514b72e732bd49f5511bd0203dea9b9a434",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1716655032,
"narHash": "sha256-kQ25DAiCGigsNR/Quxm3v+JGXAEXZ8I7RAF4U94bGzE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "59a450646ec8ee0397f5fa54a08573e8240eb91f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1716769173,
"narHash": "sha256-7EXDb5WBw+d004Agt+JHC/Oyh/KTUglOaQ4MNjBbo5w=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6", "rev": "9ca3f649614213b2aaf5f1e16ec06952fe4c2632",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -54,26 +176,11 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1703950681,
"narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0aad9113182747452dbfc68b93c86e168811fa6c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"attic": "attic",
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"utils": "utils_2" "utils": "utils_2"
} }
@ -83,14 +190,14 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1703991717, "lastModified": 1716692524,
"narHash": "sha256-XfBg2dmDJXPQEB8EdNBnzybvnhswaiAkUeeDj7fa/hQ=", "narHash": "sha256-sALodaA7Zkp/JD6ehgwc0UCBrSBfB4cX66uFGTsqeFU=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6", "rev": "962797a8d7f15ed7033031731d0bb77244839960",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -152,11 +259,11 @@
"systems": "systems_2" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1701680307, "lastModified": 1710146030,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725", "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -1,52 +1,33 @@
{ {
inputs = { inputs = {
attic = { url = "github:zhaofengli/attic"; };
nixpkgs = { url = "github:nixos/nixpkgs/nixos-unstable"; }; nixpkgs = { url = "github:nixos/nixpkgs/nixos-unstable"; };
deploy-rs = { url = "github:serokell/deploy-rs"; inputs.nixpkgs.follows = "nixpkgs"; }; deploy-rs = { url = "github:serokell/deploy-rs"; inputs.nixpkgs.follows = "nixpkgs"; };
utils = { url = "github:numtide/flake-utils"; }; utils = { url = "github:numtide/flake-utils"; };
sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
}; };
outputs = { self, nixpkgs, deploy-rs, utils, sops-nix, ... }@inputs: outputs = { self, attic, nixpkgs, deploy-rs, utils, sops-nix, ... }@inputs:
{ {
nixosConfigurations = { nixosConfigurations = {
"fsn1-1.mirror.lewd.wtf" = nixpkgs.lib.nixosSystem { "phoenix.lewd.wtf" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { inherit inputs self; }; specialArgs = { inherit inputs self; };
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./default.nix ./default.nix
./hosts/fsn1-1.mirror.lewd.wtf/configuration.nix ./hosts/phoenix.lewd.wtf/configuration.nix
./deployments/mirror/default.nix attic.nixosModules.atticd
]; ];
}; };
"master.mirror.lewd.wtf" = nixpkgs.lib.nixosSystem { "sphinx.lewd.wtf" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { inherit inputs self; }; specialArgs = { inherit inputs self; };
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./default.nix ./default.nix
./hosts/master.mirror.lewd.wtf/configuration.nix ./hosts/sphinx.lewd.wtf/configuration.nix
];
};
"mirror.lewd.wtf" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs self; };
modules = [
sops-nix.nixosModules.sops
./default.nix
./hosts/mirror.lewd.wtf/configuration.nix
];
};
"nyx.lewd.wtf" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs self; };
modules = [
sops-nix.nixosModules.sops
./default.nix
./hosts/nyx.lewd.wtf/configuration.nix
]; ];
}; };
@ -92,45 +73,30 @@
}; };
deploy.nodes = { deploy.nodes = {
"master.mirror.lewd.wtf" = { "phoenix.lewd.wtf" = {
sshOpts = [ "-p" "222" "-o" "StrictHostKeyChecking=no" ]; sshOpts = [ "-p" "222" "-o" "StrictHostKeyChecking=no" ];
hostname = "master.mirror.lewd.wtf"; hostname = "192.168.0.42";
fastConnection = true; fastConnection = true;
profiles.system = { profiles.system = {
sshUser = "root"; sshUser = "root";
path = path =
deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations."master.mirror.lewd.wtf"; deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations."phoenix.lewd.wtf";
user = "root"; user = "root";
}; };
}; };
"sphinx.lewd.wtf" = {
"mirror.lewd.wtf" = {
sshOpts = [ "-p" "222" "-o" "StrictHostKeyChecking=no" ]; sshOpts = [ "-p" "222" "-o" "StrictHostKeyChecking=no" ];
hostname = "new.mirror.lewd.wtf"; hostname = "sphinx.lewd.wtf";
fastConnection = true; fastConnection = true;
profiles.system = { profiles.system = {
sshUser = "root"; sshUser = "root";
path = path =
deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations."mirror.lewd.wtf"; deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations."sphinx.lewd.wtf";
user = "root"; user = "root";
}; };
}; };
"nyx.lewd.wtf" = {
sshOpts = [ "-p" "222" "-o" "StrictHostKeyChecking=no" ];
hostname = "lewdathome.duckdns.org";
fastConnection = true;
profiles.system = {
sshUser = "root";
path =
deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations."nyx.lewd.wtf";
user = "root";
};
};
"aztul.elmosco.lewd.wtf" = { "aztul.elmosco.lewd.wtf" = {
sshOpts = [ "-p" "22111" "-o" "StrictHostKeyChecking=no" ]; sshOpts = [ "-p" "22111" "-o" "StrictHostKeyChecking=no" ];
hostname = "aztul.elmosco.lewd.wtf"; hostname = "aztul.elmosco.lewd.wtf";
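Review bot: Both new deploy nodes (`phoenix.lewd.wtf` and `sphinx.lewd.wtf`) copy `"-o" "StrictHostKeyChecking=no"` into `sshOpts` while activating as `root`, so the runner pushes a system closure to whatever answers on port 222 without verifying the host key. Pinning the hosts' public keys in a committed known_hosts file and passing it via `"-o" "UserKnownHostsFile=<path>"` with `StrictHostKeyChecking=yes` closes that gap. This matters more for phoenix, which is addressed by the bare address `hostname = "192.168.0.42"`; a comment saying which network the runner must sit on would help too. The same option is present on the `aztul.elmosco.lewd.wtf` node, whose definition continues outside this hunk.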


@ -21,8 +21,8 @@
}; };
sops.secrets."services/nginx/transfersh.htpasswd" = { sops.secrets."services/nginx/transfersh.htpasswd" = {
mode = "0400"; mode = "0400";
owner = config.users.users.transfersh.name; owner = config.users.users.nginx.name;
group = config.users.users.transfersh.group; group = config.users.users.nginx.group;
}; };
# HedgeDoc # HedgeDoc
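Review bot: With `mode = "0400"` and the owner switched to `config.users.users.nginx.name`, only the nginx user can read `transfersh.htpasswd`, yet the transfer-sh settings elsewhere in this compare still point `HTTP_AUTH_HTPASSWD` at `/run/secrets/services/nginx/transfersh.htpasswd`. If that is the same host and transfer-sh does not run as nginx, the service cannot open its own credential file; this needs checking against the service user of the upstream module, which is not visible here. If both processes need the file, a shared group with `mode = "0440"` is the usual shape. Otherwise a comment above the secret naming the one consumer would prevent the owner being flipped back later.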


@ -2,7 +2,7 @@ services:
nginx: nginx:
admin.htpasswd: ENC[AES256_GCM,data:SYy91gzsVPwca7QHsAFnDV7e9hLoqS1+xeFyLNTa7WwFwT6sbvboMEnZUQ==,iv:RX8+6Ivx0ibZvoMlaxIGzJ1/OzMgOHu94J/lsvF5UqY=,tag:LtBBAlmRI0jskINGR7Gw/Q==,type:str] admin.htpasswd: ENC[AES256_GCM,data:SYy91gzsVPwca7QHsAFnDV7e9hLoqS1+xeFyLNTa7WwFwT6sbvboMEnZUQ==,iv:RX8+6Ivx0ibZvoMlaxIGzJ1/OzMgOHu94J/lsvF5UqY=,tag:LtBBAlmRI0jskINGR7Gw/Q==,type:str]
ecchi.htpasswd: ENC[AES256_GCM,data:w6VYz0uQun4QiSmpqjwVLDRseVND0pHNzFxlD9F/0j7YqeHTo8gl1AI2cQ==,iv:7KKyUyoVtvIiZuQTmtKzWjZwr7heVX2K2C/WRSOPh0A=,tag:iOdURKQGTh+wt4PcEXCGUg==,type:str] ecchi.htpasswd: ENC[AES256_GCM,data:w6VYz0uQun4QiSmpqjwVLDRseVND0pHNzFxlD9F/0j7YqeHTo8gl1AI2cQ==,iv:7KKyUyoVtvIiZuQTmtKzWjZwr7heVX2K2C/WRSOPh0A=,tag:iOdURKQGTh+wt4PcEXCGUg==,type:str]
music.htpasswd: ENC[AES256_GCM,data:kYY/QtHZAjC3d8nn41R5NkVj529oGZdnMcqH0S4GW26HUzQ/yYlKELzCxoHRXq4nqoU+gGdjDsRGnzIiKTn629/MzfwpLwD+objiPFzpnvasD6eEHRKE2w==,iv:TKD8Rbv8XcNJFdrQ9YlruuKGvdXyHOenkAW0B7eytKQ=,tag:CmhQR+u7uvZV1go/YOKR4A==,type:str] music.htpasswd: ENC[AES256_GCM,data:Qfme6JuA2df4jAw+zWIEeUaefOfpalFFl0ZV4CN7x+3v60kRdY408F+dzccDJUp+mLsNe87qY+nKYh1690x51f+980ehBUIyQtXHTGFFH9kuMBf97+BgwImyce+68V7Yzlvc/NvhAZb0H/ua2AMfIK46BPaDDmWkDZJho0TNkveLDm/CZWgjH9nLI7wQ7dC6HXaeIgDwhSVXbudGZ5GUMKoyMHfzoG6HA/9gORrEjFIhPnzCuLS9gXypDbl6J94ITqdpTf7Eeu5ogHInlHZCnu8nU5tio4Yi9pe9rvfCl+7tUMr/H/TWE/9JVEU3jJ1ZgSwkEk5f3+KW5D5U42K7WEJ+oWmH91k0unYE51fPt2zbCo4G+baz+Syfo/4aY2KU7W/E6RI2gGr3w/uP3F920Nec,iv:alWg41vgcpFp9fagrTMd8YmygFdlcH7thCHngQdvmSk=,tag:zC9mnPwZfF2IHKiLD42fLA==,type:str]
transfersh.htpasswd: ENC[AES256_GCM,data:tC4o0/0u2z5vs9FVRBuZrPKujjKXBp/6Ra9g1rnRTvBtM7GUWCUcRItE7Q==,iv:/CLfX+WWahfCCZhHdxIvTUsnTyCymM8pbzkjnVliU/8=,tag:BXHjddJATTeXbnG79du8SA==,type:str] transfersh.htpasswd: ENC[AES256_GCM,data:tC4o0/0u2z5vs9FVRBuZrPKujjKXBp/6Ra9g1rnRTvBtM7GUWCUcRItE7Q==,iv:/CLfX+WWahfCCZhHdxIvTUsnTyCymM8pbzkjnVliU/8=,tag:BXHjddJATTeXbnG79du8SA==,type:str]
sops: sops:
kms: [] kms: []
@ -28,8 +28,8 @@ sops:
a1d3ekVWMDV4dUxrSGNod2JvYmtHMmMKnBaqvtBd53Jz9CtkOeEJ93YBeGA8pmof a1d3ekVWMDV4dUxrSGNod2JvYmtHMmMKnBaqvtBd53Jz9CtkOeEJ93YBeGA8pmof
VlSrnXcJmZ3tG1GwVOu8Q9Xr5gXrvaG4HGvETLsGBafxVtMTU4v8KQ== VlSrnXcJmZ3tG1GwVOu8Q9Xr5gXrvaG4HGvETLsGBafxVtMTU4v8KQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-24T20:03:25Z" lastmodified: "2024-02-07T20:40:57Z"
mac: ENC[AES256_GCM,data:KoNpLDn791EKRgZ1l6TbBLhHfXTPV0j3Wy+knk/Mc6oW9dTQaN9OsqHCSb4HbXJk4E0Vt2C+Ngwgip5+9xvYuWc1q5z8F91MgY/euhbG1raEAHxLp3c9c+J805dYeim2NqTjWbufLQ12ittn3Rv2lArurFsWoJayfvrTUjXImkU=,iv:RpFUctEZ/yxKLeYMTyPEMShufL1A6BxakBefL4v+3uc=,tag:dZNEvnX4mk8mWYTVyJBPAg==,type:str] mac: ENC[AES256_GCM,data:N9P2aGJfdqdvIEykaXUOYPPsJvvInVeF9TklO8jRgjb+yQHsn7e4yM0moYBxYhhdUAf5QOfJMrgrnnnNbSrJ1us+uQckRhiu2KccQZtcK3GqfL6z7HJAkVbNbO9A30qn2bHdIYo1/hCrJW65T+pli7kuiwW+FyZ5BvlrBeWNB6A=,iv:pySnVf0N8nKEONuS8LKreZnwdsN5Zu/Z3niFiw1dtsw=,tag:Q4S+xpDCzAETovwNAM+Xlw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1


@ -9,8 +9,8 @@
domain = "op.pai.wtf"; domain = "op.pai.wtf";
host = "0.0.0.0"; host = "0.0.0.0";
protocolUseSSL = true; protocolUseSSL = true;
email = false; email = true;
allowEmailRegister = false; allowEmailRegister = true;
allowOrigin = [ "op.pai.wtf" ]; allowOrigin = [ "op.pai.wtf" ];
}; };
environmentFile = "/run/secrets/services/hedgedoc/.env"; environmentFile = "/run/secrets/services/hedgedoc/.env";
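Review bot: `allowEmailRegister = true` together with `email = true` opens self-service sign-up to anyone who can reach `op.pai.wtf`, and nothing in the visible settings limits what a freshly registered account may do. If the aim is to onboard a few known people, consider switching registration off again once they have signed up, or record the intent next to the option, e.g. `# registration open on purpose: <reason>`. The settings block starts outside this hunk, so guest and default-permission options may already be set above.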


@ -1,17 +1,16 @@
{ config, pkgs, ... }: { config, pkgs, lib, ... }:
{ {
imports = [ networking.firewall.allowedTCPPorts = [ 6080 ];
../../../deployments/transfer-sh/module.nix
];
services.transfer-sh = { services.transfer-sh = {
enable = true; enable = true;
openFirewall = true; settings = {
address = "192.168.99.201"; LISTENER = "192.168.99.201:6080";
HTTP_AUTH_HTPASSWD = "/run/secrets/services/nginx/transfersh.htpasswd"; HTTP_AUTH_HTPASSWD = "/run/secrets/services/nginx/transfersh.htpasswd";
TEMP_PATH = "/mnt/data/transfer-sh/temp"; TEMP_PATH = "/mnt/data/transfer-sh/temp";
BASEDIR = "/mnt/data/transfer-sh/store"; BASEDIR = "/mnt/data/transfer-sh/store";
EMAIL_CONTACT = "abuse@lewd.wtf"; EMAIL_CONTACT = "abuse@lewd.wtf";
PURGE_DAYS = "90"; PURGE_DAYS = "90";
};
}; };
systemd.services.transfer-sh.serviceConfig.ReadWritePaths = lib.mkForce "/mnt/data/transfer-sh";
} }
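Review bot: `networking.firewall.allowedTCPPorts = [ 6080 ];` opens the port on every interface, whereas the service only listens on `192.168.99.201:6080`. Scoping the rule with `networking.firewall.interfaces.<name>.allowedTCPPorts` keeps the firewall in step with the listener if the bind address is ever widened. The `lib.mkForce` on `ReadWritePaths` replaces whatever the upstream module grants, so it deserves a one-line comment such as `# store and temp both live under /mnt/data/transfer-sh`.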


@ -1,16 +0,0 @@
{
users.users.abdulsalam = {
group = "sftponly";
isNormalUser = true;
home = "/sftp_jail/abdulsalam";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERtfY26/h5xl+bzZm2htR4+Wd879DvZRPHsosFaEqIW gaming@DESKTOP-4ACM3JU"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE387jL1I99Ws/6BTS/lbiAlDXpyB9zaf08+KWx9U8kd abdulsalam"
];
};
fileSystems."/sftp_jail/abdulsalam/mirror/saves" = {
device = "/mnt/data/private/nintendo/switch/savegames";
options = [ "bind" ];
};
}


@ -1,16 +0,0 @@
{
users.users.archbox = {
group = "sftponly";
isNormalUser = true;
home = "/sftp_jail/archbox";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERtfY26/h5xl+bzZm2htR4+Wd879DvZRPHsosFaEqIW gaming@DESKTOP-4ACM3JU"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJTWN+J6qFf60b58AIEXW/yuDwb7bwoyONKvM10kolWU archbox"
];
};
fileSystems."/sftp_jail/archbox/mirror/saves" = {
device = "/mnt/data/private/nintendo/switch/savegames";
options = [ "bind" ];
};
}


@ -1,20 +0,0 @@
{
users.users.ecks = {
group = "sftponly";
isNormalUser = true;
home = "/sftp_jail/ecks";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERtfY26/h5xl+bzZm2htR4+Wd879DvZRPHsosFaEqIW gaming@DESKTOP-4ACM3JU"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINczWfNkdndU9bqB2PI1D3glO2CiIaEngXY5FnsodZjt ryusak"
];
};
fileSystems."/sftp_jail/ecks/mirror/ryusak" = {
device = "/mnt/data/mirror/archive/nintendo/switch/ryusak";
options = [ "bind" ];
};
fileSystems."/sftp_jail/ecks/mirror/shaders" = {
device = "/mnt/data/mirror/archive/nintendo/switch/shaders";
options = [ "bind" ];
};
}


@ -1,14 +0,0 @@
{
users.users.mirror = {
group = "mirror";
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBGCcaz+17IbyUC/bbhG+m1yYiPa15Uut8GBywVREo1w root@fsn1-1"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOceXaCKbLpRq2LwS3Su6gZjqeIrCzBZfuA7rsKYa4BZ root@ash1-1"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTUV7UVCWsv0xgLM7rQhGJhCWGX2bgHRG8pHuVEqImZ root@hil1-1"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbd+qkj1A99nW71Ldip59KI6yNOao0A1l7Mv3GcXaA8 root@hel1-1"
];
};
users.groups.mirror = {};
}


@ -1,18 +0,0 @@
{
users.groups.void = {};
users.users.void = {
group = "void";
isNormalUser = true;
home = "/home/void";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERtfY26/h5xl+bzZm2htR4+Wd879DvZRPHsosFaEqIW gaming@DESKTOP-4ACM3JU"
"ssh-rsa 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 master@Project-Kratos"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC614pP9wU/s+u2dFSV/DqpWqo9ngntZ9JpVMUikWc+9UYlq9SpOfr8MM10MOLJiolSeMNMi6NmNQ7Ge5C9O4d0MFQbA87NbGvmQzKYnTsQkRLrQlaDbkTYn8mirqV+vZLBF4ignF2JO0YlbfGXR2dBpdj/zk1WER5w3hIXx6H3ITVxBaOrUpd3gKuHg2YQ7j7whQq/kpoM3PVcdPZUDFB81NttKmyB4vbEmZOYSHx8p53pS8KH3D1kooVTHOuhzILzDPcXrlnFOhtQ5wkknBawq6Tf+1POlQ9TvsSaC79UbExdLOc+776rpGkE1iZ02XWDsAE1E0udDKiX+PhAN+lAXVHX34Jh+THmO36BTxFhSAR35pePL14c6XX+/kta7FEM4O/pl1eIAFnuObHDoL0yF9ruATNJuJWzPfieTBll3DpYH92gENmdT3Rg9sz6yxcY7ubmvZMVAC8R/8QJvlh3pPQC6BckOvOsMHVMdZrI6yBg1veKoZNCqyRl449QGJU= master@DESKTOP-V6SN4JP"
];
};
fileSystems."/home/void/mirror/pico" = {
device = "/mnt/data/mirror/archive/picoxr";
options = [ "bind" ];
};
}


@ -1,22 +0,0 @@
{ self, config, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
./networking.nix
./mirror/default.nix
];
variables.hostName = "new";
variables.domain = "mirror.lewd.wtf";
networking.hostName = "${config.variables.hostName}";
networking.domain = "${config.variables.domain}";
boot.loader.grub = {
enable = true;
efiSupport = false;
devices = [ "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0" ];
};
system.stateVersion = "22.11";
}


@ -1,18 +0,0 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.kernelModules = [ "kvm-intel" ];
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
fileSystems."/var/www/mirror" = {
device = "/dev/disk/by-label/data";
fsType = "ext4";
};
services.qemuGuest.enable = true;
}


@ -1,45 +0,0 @@
{ config, ... }:
{
imports = [
./xslt_template.nix
];
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
virtualHosts."mirror.lewd.wtf" = {
serverName = "${config.variables.hostName}.${config.variables.domain}";
enableACME = true;
forceSSL = true;
root = "/var/www/mirror/mirror/";
locations = {
"/" = {
extraConfig = ''
if ($arg_format = "json") {
rewrite ^ /json$request_uri last;
}
autoindex on;
autoindex_format xml;
xslt_stylesheet /etc/nginx/mirror.xslt dirname='$1';
'';
};
"/json/" = {
alias = "/var/www/mirror/mirror/";
extraConfig = ''
autoindex on;
autoindex_format json;
'';
};
"/private/" = {
alias = "/var/www/mirror/private/";
extraConfig = ''
autoindex off;
'';
};
"~ \.xml$" = {
};
};
};
};
}


@ -1,8 +0,0 @@
{
environment.etc = {
"nginx/mirror.xslt" = {
source = ./xslt_template.xslt;
mode = "0444";
};
};
}


@ -1,97 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template name="string-replace-all">
<xsl:param name="text" />
<xsl:param name="replace" />
<xsl:param name="by" />
<xsl:choose>
<xsl:when test="$text = '' or $replace = ''or not($replace)" >
<!-- Prevent this routine from hanging -->
<xsl:value-of select="$text" />
</xsl:when>
<xsl:when test="contains($text, $replace)">
<xsl:value-of select="substring-before($text,$replace)" />
<xsl:value-of select="$by" />
<xsl:call-template name="string-replace-all">
<xsl:with-param name="text" select="substring-after($text,$replace)" />
<xsl:with-param name="replace" select="$replace" />
<xsl:with-param name="by" select="$by" />
</xsl:call-template>
</xsl:when>
<xsl:otherwise>
<xsl:value-of select="$text" />
</xsl:otherwise>
</xsl:choose>
</xsl:template>
<xsl:template match="/">
<html>
<head>
<link href="/private/asset/icons.css" rel="stylesheet" />
<link href="/private/asset/style.css" rel="stylesheet" />
</head>
<body>
<header>
<h3>Lewd.wtf Mirror Service</h3>
<p>Welcome to the mirror service of lewd.wtf! I provide this service free of charge to projects that could benefit from it.</p>
<p>Want to get your files hosted here? Please contact me at <b>mirror_request@lewd.wtf</b> and provide details regarding your projects.</p>
<h1>Proud Sineater and Sin's Cove Hater!</h1>
<p>If you come here from Sin's Cove, please close this page. This site is hosted by Ecchibitionist, the person you constantly harass.</p>
<p>You claim I bullied the original developer of EmuSAK, even though that's a blatant lie (and you know it).</p>
</header>
<main>
<h4>
<xsl:value-of select="$dirname"/>
</h4>
<table>
<tr>
<th>Name</th>
<th>Size</th>
</tr>
<tr>
<td><a href=".."><span class="material-icons back_folder_icon">drive_file_move_rtl</span>../</a></td>
<td align="right"></td>
</tr>
<xsl:for-each select="list/*">
<xsl:sort select="@name"/>
<xsl:variable name="name">
<xsl:call-template name="string-replace-all">
<xsl:with-param name="text" select="." />
<xsl:with-param name="replace" select="'%'" />
<xsl:with-param name="by" select="'%25'" />
</xsl:call-template>
</xsl:variable>
<xsl:variable name="size">
<xsl:if test="string-length(@size) &gt; 0">
<xsl:if test="number(@size) &gt; 0">
<xsl:choose>
<xsl:when test="round(@size div 1024) &lt; 1"><xsl:value-of select="@size" />B</xsl:when>
<xsl:when test="round(@size div 1048576) &lt; 1"><xsl:value-of select="format-number((@size div 1024), '0.0')" />KiB</xsl:when>
<xsl:otherwise><xsl:value-of select="format-number((@size div 1048576), '0.00')" />MiB</xsl:otherwise>
</xsl:choose>
</xsl:if>
</xsl:if>
</xsl:variable>
<tr>
<td>
<a href="{$name}">
<xsl:choose>
<xsl:when test="string-length(@size)=0"><span class="material-icons folder">folder</span></xsl:when>
<xsl:when test="'.zip' = substring($name, string-length($name) - 3)"><span class="material-icons folder_zip"> folder_zip </span></xsl:when>
<xsl:when test="'.rar' = substring($name, string-length($name) - 3)"><span class="material-icons folder_zip"> folder_zip </span></xsl:when>
<xsl:otherwise><span class="material-icons file"> insert_drive_file </span></xsl:otherwise>
</xsl:choose>
<xsl:value-of select="."/>
</a>
</td>
<td align="right"><xsl:value-of select="$size"/></td>
</tr>
</xsl:for-each>
</table>
</main>
<footer>
<p>In case this mirror is hosting files that you believe shouldn't be here, please send a message to <a href="mailto:abuse@lewd.wtf">abuse@lewd.wtf</a> and we'll remove it as soon as possible.</p>
</footer>
</body>
</html>
</xsl:template>
</xsl:stylesheet>


@ -1,11 +0,0 @@
{ ... }:
{
networking.defaultGateway = "192.168.11.1";
networking.nameservers = [ "1.1.1.1" ];
networking.interfaces.ens18.ipv4.addresses = [
{
address = "192.168.11.107";
prefixLength = 24;
}
];
}


@ -1,24 +0,0 @@
{ self, config, pkgs, lib, ... }:
let
utils = import ../../util/include.nix { lib = lib; };
imports =
(utils.includeDir ./services) ++
[
./hardware-configuration.nix
./networking.nix
./users.nix
./secrets.nix
];
in
{
inherit imports;
networking.hostName = "nyx";
networking.domain = "lewd.wtf";
boot.loader.grub.enable = false;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
system.stateVersion = "22.11";
}


@ -1,35 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/adde8f5f-358d-4ed2-835a-8fecbe4a86a4";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/8D9D-CCA2";
fsType = "vfat";
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/6cee1359-6e2c-45fc-927d-f2a558f0ec5d";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/474244b3-df18-4af7-badf-d7b2531ae17c"; }
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,11 +0,0 @@
{ ... }:
{
networking.defaultGateway = "192.168.0.1";
networking.nameservers = [ "192.168.0.1" ];
networking.interfaces.enp2s0.ipv4.addresses = [
{
address = "192.168.0.10";
prefixLength = 22;
}
];
}


@ -1,30 +0,0 @@
example_key: ENC[AES256_GCM,data:MB+njL6mhVGUYKlBww==,iv:wXY3sv0gW37H/Mv5s4caJIZe0NPzrSOu5+/zZV21OsU=,tag:G9EH5DpFHMq2Qx/grNrYNQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5QXk5U3JRZ1FtNzM0cEZJ
b3RXdEpra2VJSWxvT3BwOWZuc1JkWkhBQWlVCmFQUHlybEZYNXYrNVpLT2xPc2pP
UEtxdlJHdWhzK05CRzN1dFlqM01ValkKLS0tIDZVQWo0SXFyV1Nad2RGcGFtcDBt
UHQyVjkvOGZXVXJDYWhQeFN0WFJhOHcKsmRy6Sn3IHPuXdv5j8l373HLBSgBy7M/
Z/uIth3S50OGf6okvvHJxWuZ3xVXwZqUwfYpE5WtJuSXi4rBaJHISw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxamE0eTB3TXVGNDN1azZ3
MmRHalA4TjErZE1Db2tNM1lhd2VHK0l0YlVNClFic2t2VXhKR0pBMGFIVHRFczEy
cE9KZjlDSzZuYlJWTlVEL1ZXOUxRajAKLS0tIHhaekZvdE40YlVlS3A2Y0kxWHVR
SkMwdFUrcmN4aUJ0cms5WlhBWnZKTncKt0JurciGm7hQI8VSalQaHvGzh9xF2Xrl
afe94Ma/mmojj8cEqJQlarMMDtAAGsWjz7zwwam629uE9Yjsr/YRbw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-15T08:13:59Z"
mac: ENC[AES256_GCM,data:ockH8FVoLTeGuCOKknJ3aSQIQEIFFtmJQ+RwmDgorWSYHCUDsriSGy8fVEoAE/6pzGMahjdC1rK2YtaeAFljsNTh1Ct5CpVBmwKZVOCZSM9eWz4d7JFjJolIc+kNSj/9k+NUZBZafUMa1ckIK/8CMM0AysZ/mBeYTsaP8WOfB5g=,iv:aFICxoznCi5Tg+YZrsBAiEWPw7Hw+Abv1wJpdB50PQY=,tag:2sWz7OvFI7pIRsoeHJKpxQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -1,11 +0,0 @@
ADMIN_TOKEN=ENC[AES256_GCM,data:R1mhyfHnTvnWaeKL7UFUuaA8bmpoQciLXRgLZKTDH0Zvo/M76s/NSenBEtpfpUJMbHGp1hmXqkK6jR5WVemYhg==,iv:yCdNQbQx86CZU7GvShcL9YxOlzGr/bTfTp5DDMudTDs=,tag:yPXiqasJbj2NCc5vIc2zVw==,type:str]
SMTP_PASSWORD=ENC[AES256_GCM,data:dhTGLgXtdn6olKATr/qTRA==,iv:uA3WytiA9o/3qohl/eaMD7gVbORo4YZg2gzT/qZZHbA=,tag:cmcSLz0/YS1/45ZrLSp08Q==,type:str]
YUBICO_SECRET_KEY=ENC[AES256_GCM,data:mIfNhnuU3+KaOJ/MXSabOus5nAGdNmoHimWhba8s,iv:XDmIl7dqV8R7bykwtQz3EQIf1qJHh3wPbL9RAu6ZWEk=,tag:zIUbM5mBqJeQJ2npKPJ+fw==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_mac=ENC[AES256_GCM,data:3EjD4AKgXCOTIwCZrRkq+NYDrRSH7+8LsC4Eop6SNVyXUCP5zyhJwInFpSnrSeYPp81HSxZz0LZEotJH0P6e1/JVfxKz9bOuoGr2856fEh3qmzQW2Mu6UJSFa2rGjtqTuWC+fMvIUpNX5dF2d3nxEGkRbylQedQLWACKgYVmfEo=,iv:EBBRSR84VLpezX7WdFwHyvqu5fZn7bZ/t/2H37Mx44Q=,tag:Rbkcq2V8G0rDwQYiwm0JtQ==,type:str]
sops_age__list_1__map_recipient=age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTdTRPUGxqcGowU0FjRE84\nNjhKdEJabFZEVXo3aTArQnNNRjhaMFZiKzNrCmpLbFoxTVlTUkYxOHVJdlFqa0JF\nQStIT29uSlY3SWtzZHFqbjZwTHZ1aEUKLS0tIHJlLzlCV0RJekVvOWRLV3JmZ2pv\nZ0VrUVg5NXVTWU5LRDk2M3dYWXM3bkEKA4KusPniM0pO6oJhHq1khrfcwdSvG+/A\n7rn6Ib23WSHUAquxCxOz9IXL2GDrajEFnv82lyYUgijgb7PEWC2pPQ==\n-----END AGE ENCRYPTED FILE-----\n
sops_version=3.7.3
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UXYrVkxHSmx1V1E1aVlW\nTVMwamo2ZnJrbERDTkJoSS8yanVXZ2pEbEJnCjExM2U5T1U3SkVrNFhIaXg5VE9K\ncnNyUDdQM2IyQ2FpenV0VEhIR1NBaTQKLS0tIEsvOTNDa1BvUlk3UE01VGZydmVG\nZDZOelphR0Nsa3c4aXZ5NDJVWlVvQmsKPxUi8Vgxe+EsHSF/33OfoEdFIUscDTzR\nzjf8rkG5BU616tudvXUGLfdncCiG+hfz7ZvmEYlTEAdGzSYSW8tuhg==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
sops_lastmodified=2023-04-21T17:46:25Z


@ -1,14 +0,0 @@
{
users.groups.markus = {};
users.users.markus = {
group = "markus";
isNormalUser = true;
home = "/home/markus";
homeMode = "755";
createHome = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERtfY26/h5xl+bzZm2htR4+Wd879DvZRPHsosFaEqIW gaming@DESKTOP-4ACM3JU"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2eur+tK9VTYqXTgYlJY1/oV1EzUhm4QZGEl4e3/kWr deck@steamdeck"
];
};
}


@ -0,0 +1,326 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.c3moc;
in {
options.c3moc = {
enable = mkEnableOption "enable c3moc services";
switchNfs = mkEnableOption "switch nfs config to c3moc one";
};
config = mkIf cfg.enable {
fileSystems = {
"/mnt/zbigdata/c3moc_dropfolder" = {
device = "zbigdata/c3moc_dropfolder";
fsType = "zfs";
};
"/export/c3moc/media" = lib.mkIf cfg.switchNfs {
device = "/mnt/zbigdata/media";
options = [ "bind" ];
};
"/export/c3moc/games" = lib.mkIf cfg.switchNfs {
device = "/mnt/zbigdata/games";
options = [ "bind" ];
};
"/export/c3moc/dropfolder" = lib.mkIf cfg.switchNfs {
device = "/mnt/zbigdata/c3moc_dropfolder";
options = [ "bind" ];
};
};
containers.c3moc = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.69.1";
hostAddress6 = "aa69::1";
localAddress = "192.168.69.10";
localAddress6 = "aa69::69";
bindMounts = {
"/home/c3moc/media" = {
hostPath = "/mnt/zbigdata/media";
isReadOnly = true;
};
"/home/c3moc/games" = {
hostPath = "/mnt/zbigdata/games";
isReadOnly = true;
};
"/home/c3moc/dropfolder" = {
hostPath = "/mnt/zbigdata/c3moc_dropfolder";
isReadOnly = false;
};
};
config = { config, pkgs, ... }: {
system.stateVersion = "24.05";
networking = {
firewall = {
enable = true;
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
users.groups.c3moc = {};
users.users.c3moc = {
group = "c3moc";
password = "c3moc";
isNormalUser = true;
home = "/home/c3moc";
};
# Jellyfin
environment.systemPackages = with pkgs; [
jellyfin-ffmpeg
];
services.jellyfin = {
enable = true;
openFirewall = true;
};
# FTP access
services.vsftpd = {
enable = true;
writeEnable = true;
anonymousUser = true;
anonymousUserNoPassword = true;
anonymousUserHome = "/home/c3moc";
anonymousUploadEnable = true;
anonymousMkdirEnable = true;
anonymousUmask = "000";
};
# SFTP access
services.openssh = {
enable = true;
extraConfig = ''
Match Group c3moc
ChrootDirectory /home
ForceCommand internal-sftp
AllowTcpForwarding no
'';
};
# CIFS access
services.samba = {
enable = true;
openFirewall = true;
extraConfig = ''
workgroup = WORKGROUP
server string = c3moc
netbios name = c3moc
security = user
use sendfile = yes
guest account = nobody
map to guest = bad user
'';
shares = {
c3moc = {
path = "/home/c3moc";
browseable = "yes";
"read only" = "no";
"guest ok" = "yes";
"create mask" = "0777";
"directory mask" = "0777";
"force user" = "c3moc";
"force group" = "c3moc";
};
};
};
};
};
services.nfs.server.exports = mkIf cfg.switchNfs ''
/export (ro,fsid=0,no_subtree_check)
/export/c3moc (ro,nohide,insecure,no_subtree_check)
/export/c3moc/games (ro,nohide,insecure,no_subtree_check)
/export/c3moc/media (ro,nohide,insecure,no_subtree_check)
/export/c3moc/dropfolder (rw,nohide,insecure,no_subtree_check)
'';
networking.nat.forwardPorts = [
# FTP
{
destination = "192.168.69.10:20";
proto = "tcp";
sourcePort = 20;
}
{
destination = "192.168.69.10:21";
proto = "tcp";
sourcePort = 21;
}
# SFTP
{
destination = "192.168.69.10:22";
proto = "tcp";
sourcePort = 22;
}
# SMB
{
destination = "192.168.69.10:137";
proto = "udp";
sourcePort = 137;
}
{
destination = "192.168.69.10:138";
proto = "udp";
sourcePort = 138;
}
{
destination = "192.168.69.10:139";
proto = "tcp";
sourcePort = 139;
}
{
destination = "192.168.69.10:445";
proto = "tcp";
sourcePort = 445;
}
# FTP
{
destination = "aa69::69:20";
proto = "tcp";
sourcePort = 20;
}
{
destination = "aa69::69:21";
proto = "tcp";
sourcePort = 21;
}
# SFTP
{
destination = "aa69::69:22";
proto = "tcp";
sourcePort = 22;
}
# SMB
{
destination = "aa69::69:137";
proto = "udp";
sourcePort = 137;
}
{
destination = "aa69::69:138";
proto = "udp";
sourcePort = 138;
}
{
destination = "aa69::69:139";
proto = "tcp";
sourcePort = 139;
}
{
destination = "aa69::69:445";
proto = "tcp";
sourcePort = 445;
}
];
# Monitoring Stuff
services.prometheus.exporters.node = {
enable = true;
port = 9100;
enabledCollectors = [
"logind"
"systemd"
];
disabledCollectors = [
"textfile"
];
};
services.prometheus = {
enable = true;
scrapeConfigs = [
{
job_name = "node";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
}];
}
];
};
services.grafana = {
enable = true;
settings = {
server = {
# Listening Address
http_addr = "127.0.0.1";
# and Port
http_port = 3000;
# Grafana needs to know on which domain and URL it's running
domain = "gpn22.c3moc.lol";
root_url = "https://gpn22.c3moc.lol/stats/"; # Not needed if it is `https://your.domain/`
serve_from_sub_path = true;
};
"auth.anonymous" = {
enabled = true;
org_name = "Public";
};
};
};
# Nginx Stuff
services.nginx = {
virtualHosts."gpn22.c3moc.lol" = {
serverName = "gpn22.c3moc.lol";
enableACME = true;
forceSSL = true;
locations = {
"= /" = {
extraConfig = ''
return 302 https://$host/web/;
'';
};
"/" = {
extraConfig = ''
proxy_pass http://192.168.69.10:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
'';
};
"= /web/" = {
extraConfig = ''
proxy_pass http://192.168.69.10:8096/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
'';
};
"/socket" = {
extraConfig = ''
proxy_pass http://192.168.69.10:8096/socket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
"/stats/" = {
proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
};
};
};
}
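Review bot: The container account is created with `password = "c3moc"` written into the module, while the host forwards port 22 to the container's sshd and the same tree is writable without credentials through vsftpd (`anonymousUploadEnable = true`, `anonymousUmask = "000"`) and the guest Samba share (`"guest ok" = "yes"`, `"create mask" = "0777"`). If an open drop box is the intent, a comment stating that, plus limiting write access to the `dropfolder` bind mount rather than all of `/home/c3moc`, would make the exposure deliberate and bounded. For the FTP side `anonymousUmask = "022";` stops uploads from being created world-writable, and for the account `hashedPasswordFile` keeps the literal password out of the repository and the Nix store (the secret would have to be made available inside the container). The Grafana `"auth.anonymous"` block and the NFS exports without a client list in the same file deserve the same "is this meant to be public" comment.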


@ -0,0 +1,36 @@
{ self, config, pkgs, lib, ... }:
let
utils = import ../../util/include.nix { lib = lib; };
imports =
(utils.includeDir ./services) ++
(utils.includeDir ./containers) ++
[
./hardware-configuration.nix
./networking.nix
./secrets.nix
./c3moc.nix
];
in {
inherit imports;
c3moc.enable = false;
c3moc.switchNfs = false;
boot.loader.systemd-boot.enable = false;
boot.loader.grub = {
enable = true;
efiSupport = false;
copyKernels = true;
mirroredBoots = [
{ path = "/boot-1"; devices = [ "/dev/disk/by-id/ata-Samsung_SSD_860_QVO_1TB_S4CZNF0M558343V" ]; }
{ path = "/boot-2"; devices = [ "/dev/disk/by-id/ata-Samsung_SSD_860_QVO_1TB_S4CZNF0N633130M" ]; }
];
};
networking.hostName = "phoenix";
networking.domain = "lewd.wtf";
system.stateVersion = "24.05"; # Did you read the comment?
}


@ -0,0 +1,83 @@
{ lib, ... }:
{
networking.nat.forwardPorts = [
{
destination = "192.168.100.11:51506";
proto = "tcp";
sourcePort = 51506;
}
{
destination = "192.168.100.11:51506";
proto = "udp";
sourcePort = 51506;
}
];
fileSystems."/mnt/zbigdata/seedbox_test" = {
device = "zbigdata/seedbox_test";
fsType = "zfs";
};
containers.seedbox-test = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.175.197.82";
localAddress = "192.168.100.11";
bindMounts = {
"/home" = {
hostPath = "/mnt/zbigdata/seedbox_test";
isReadOnly = false;
};
};
config = { config, pkgs, ... }: {
system.stateVersion = "24.05";
networking = {
firewall = {
enable = true;
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
# Custom stuff
environment.systemPackages = [ pkgs.qbittorrent-nox ];
networking.firewall = {
allowedTCPPorts = [ 51506 8888 ];
allowedUDPPorts = [ 51506 ];
};
systemd.services.qbittorrent = {
after = [ "network.target" ];
description = "qBittorrent Daemon";
wantedBy = [ "multi-user.target" ];
path = [ pkgs.qbittorrent-nox ];
serviceConfig = {
ExecStart = ''
${pkgs.qbittorrent-nox}/bin/qbittorrent-nox \
--profile=/home/test/ \
--webui-port=8888
'';
Restart = "on-success";
User = "test";
Group = "test";
UMask = "0002";
LimitNOFILE = 8192;
};
};
users.groups.test = {};
users.users.test = {
group = "test";
isNormalUser = true;
home = "/home/test";
};
};
};
}


@ -0,0 +1,52 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "mpt3sas" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot-1" = {
device = "/dev/disk/by-uuid/6CA4-1FB2";
fsType = "vfat";
};
fileSystems."/boot-2" = {
device = "/dev/disk/by-uuid/6CA5-F5A2";
fsType = "vfat";
};
fileSystems."/mnt/zvault/desktop" = {
device = "zvault/desktop";
fsType = "zfs";
};
fileSystems."/mnt/zbigdata/media" = {
device = "zbigdata/media";
fsType = "zfs";
};
fileSystems."/mnt/zbigdata/games" = {
device = "zbigdata/games";
fsType = "zfs";
};
fileSystems."/var/lib/attic/storage" = {
device = "zbigdata/attic";
fsType = "zfs";
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,75 @@
{ pkgs, ... }:
{
networking.useDHCP = false;
networking.bridges = {
"br0" = {
interfaces = [
"eno2"
"enp2s0"
"enp101s0"
"enp101s0d1"
];
};
};
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "br0";
enableIPv6 = true;
};
networking.interfaces.br0.ipv4.addresses = [
{
address = "192.168.0.42";
prefixLength = 22;
}
];
# networking.defaultGateway = "10.0.0.1";
networking.defaultGateway = "192.168.0.1";
networking.nameservers = [ "1.1.1.1" ];
networking.firewall.enable = false;
networking.wireguard.interfaces = {
wg0 = {
ips = [ "10.175.197.82/32" "fd7d:76ee:e68f:a993:f6b2:9dab:ddd3:a02/128" ];
privateKeyFile = "/run/secrets/services/wireguard/airvpn.private";
allowedIPsAsRoutes = false;
peers = [
{
publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
presharedKeyFile = "/run/secrets/services/wireguard/airvpn.psk";
allowedIPs = [ "0.0.0.0/0" ];
endpoint = "134.19.179.213:1637";
persistentKeepalive = 25;
}
];
postSetup = [
# Force traffic from container networks through wg0
"ip route add table 2 default dev wg0"
"ip rule add from 192.168.100.0/24 table 2"
"ip rule add from 192.168.5.0/24 table 2"
# NAT
"${pkgs.iptables}/bin/iptables -I POSTROUTING -t nat -o wg0 -j MASQUERADE"
# c3moc NAT
"${pkgs.iptables}/bin/iptables -I POSTROUTING -t nat -o br0 -j MASQUERADE"
# Port forwarding
"${pkgs.iptables}/bin/iptables -A PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
];
};
};
systemd.services.wireguard-wg0.preStop =
# Force traffic from container networks through wg0
"ip rule del from 192.168.100.0/24 table 2" +
"ip rule del from 192.168.5.0/24 table 2" +
"ip route del table 2 default dev wg0" +
# NAT
"${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o wg0 -j MASQUERADE" +
# c3moc NAT
"${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o br0 -j MASQUERADE" +
# Port Forwarding
"${pkgs.iptables}/bin/iptables -D PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
;
}
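Review bot: The `systemd.services.wireguard-wg0.preStop` value joins its quoted commands with `+`, so the six commands reach the shell as one run-together line with no newline or `;` between them, and the policy rules and MASQUERADE/DNAT entries added in `postSetup` most likely stay in place after wg0 stops. A multi-line `''` string with one command per line, as sketched below, gives the cleanup the same shape as `postSetup`. Separately worth confirming: while wg0 is down table 2 has no default route, so traffic from 192.168.100.0/24 presumably falls through to the main table and leaves via br0, where the `-o br0 -j MASQUERADE` rule applies; an `unreachable default` route with a higher metric in table 2 would keep the container networks from bypassing the tunnel.

```nix
systemd.services.wireguard-wg0.preStop = ''
  # Undo the policy routing for the container networks
  ip rule del from 192.168.100.0/24 table 2
  ip rule del from 192.168.5.0/24 table 2
  ip route del table 2 default dev wg0
  # NAT
  ${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o wg0 -j MASQUERADE
  # c3moc NAT
  ${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o br0 -j MASQUERADE
  # Port forwarding
  ${pkgs.iptables}/bin/iptables -D PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506
'';
```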


@ -0,0 +1,43 @@
{ config, ... }:
{
sops.defaultSopsFile = ./secrets/services.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# Vaultwarden
sops.secrets."services/vaultwarden/.env" = {
mode = "0400";
owner = config.users.users.vaultwarden.name;
group = config.users.users.vaultwarden.group;
sopsFile = ./secrets/vaultwarden.env;
format = "dotenv";
};
# Attic
sops.secrets."services/attic/creds.env" = {
mode = "0400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
sopsFile = ./secrets/attic.env;
format = "dotenv";
};
# MSMTP
sops.secrets."services/msmtp/password" = {
mode = "0777";
sopsFile = ./secrets/msmtp.yaml;
};
# Wireguard
sops.secrets."services/wireguard/airvpn.private" = {
mode = "0400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
sopsFile = ./secrets/wireguard.yaml;
};
sops.secrets."services/wireguard/airvpn.psk" = {
mode = "0400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
sopsFile = ./secrets/wireguard.yaml;
};
}
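Review bot: `mode = "0777"` on `sops.secrets."services/msmtp/password"` leaves the decrypted SMTP password readable, writable and executable for every local account, unlike the other secrets in this file, which use `0400` with an explicit owner. The msmtp configuration elsewhere in this change only reads the file (`passwordeval = "cat /run/secrets/services/msmtp/password"`), so read access for the accounts that send mail is enough, for example `mode = "0440";` together with a `group` holding those accounts. Which accounts call sendmail is not visible here, so the group membership needs to be decided by the author.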


@ -0,0 +1,9 @@
ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64=ENC[AES256_GCM,data:VPOq3Ipu7fnpi14mbdFG01MJiZvMuK1FHlQbO+AQi3Xh8ZCScr+wedGekvtqrOkNXk8PBsXpXhXhQ7j7dJkUyfBnE1RAEIxaxwhuWyS2e2ZyTKNjL427hb/9,iv:xgc74cUXxO5dGTRGsl4u3HDRg1f3pOtHdekYoz/mDO8=,tag:j1c0Axfa/oBMgccPtrm5GQ==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MVRwaEJaa21ENi9RbGJn\nQXk2QXN1QW1ZbGFUaXdsaThEM0FJNTNKYjNNCmtDMXM3THQxazJTY2tjZ1JnTHF3\nOHVqZkdXOHdYUnQ4UGVXZGxwaDJGMG8KLS0tIHVNSWdReG9kY3lqa2xnRzVnVTZn\nemJmejIrSnd3amdUNm1TRE1OTTRSVG8Ktzanb6rbmFRE02N9vt+QyuwIpJN+EXCM\ncJRgxdUovzt/4CU6oJDNLrdV0FfCPUHMfg6f6CgEGu0RhvzKAh77Dg==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFbmZsV0ZINVN4QytybDRz\nb2pQVTNoVFVNb3A3QmlYUG9BRnBQVEFxYXk4CnVpZHQrd090WUF0TkVqNk1OM1JN\nS21hdHJ6MkEvUXlwYkFoTmdEeDZPcDgKLS0tIFFMdkhBRVVxelpDUFdxWWNKbEU4\nZkc2d3lEZC9FVHpBZlQ5K1lDK3ZwbFUKFshCxKov4sjuHOokHmoxa+IeOT2ttg7o\nNL75mlP+u6IKETvQNQ4HlHcVF1Zask1JUeJU13xI3b26laIKr0ZBYw==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_1__map_recipient=age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
sops_lastmodified=2024-04-07T09:41:32Z
sops_mac=ENC[AES256_GCM,data:lDQABnYzFbMNT09grDE9y++VWDzbw4wlrIXpXL2WMBK6LnJhtzsWHyUuZ8fxIjCihtxUW5LbeY5YjV53NubAGK+Aw3JysR90iVQ7Mo7Dn5E7Hv3MUx1+1R/HqIZegZ5lY64u58dFKqUV46lOqTCE3nfVSGZ65CiBLtHOOOYs8L4=,iv:4CvbTGLSzDC7IM7mt+V4tL+Js0sX4Z8nnJapC1BwrOk=,tag:PlkagmUsAmZ8FRsZy5x0Dw==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.8.1


@ -0,0 +1,32 @@
services:
msmtp:
password: ENC[AES256_GCM,data:k4pMmcPrv0jQkr2Odd4elg==,iv:/gNqUPgd480v/C8+BOuFUNdjkEXWNjMqzwQ4HxftnC4=,tag:8/HVE/aHCbyHRMlNB2mT8A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYamhaWEhNNVZBUXMvU1dx
cVppQVpNcjFXRzgvTmRXYTk0SFZkbWFWWFNvCndnZnkxd1F0Y3VjVW1FZGhJWGR3
N29zM0ltT2wyUjg0UU9VdU1mY3htMmcKLS0tIDhpclNJT09pUGI2TnpaSEpwZGNk
WWxHUEYxZTkxcktnSXl0YXl6elJ6eTQKit0pzEYgg3hc08swMg1mh17DLbVAXBu9
TaDZYCsH+nYzIVYG8Sp2IZVxENUbr6P5spDJs1dVSvWsRPLj0SXC/Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKU0U4Ujk5dUhOL3ZFRFA0
Ny9UMG9ISmNRbDdCQThKNWtlTjVCLy9aNms4CmtxeXNhU2FmQkJzaDdBY1J4UWsv
MFF1dEdURFJXaDdiRkVaeFNVUXFJSm8KLS0tIFl6bnd3aGk4ZDlIMEdaaGRJUHA3
bFh4ZHF0S1Y4N2srS3dTUUxPRDRyZVkKlJJHMJ7nBcZqZXC893YIh3CDeWwew24n
lm2h3RzTQ993wnD6434FJF6MEKbOAfeunKf2K1GrKjfDO58n7I0edg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-04T00:02:21Z"
mac: ENC[AES256_GCM,data:ULRJMKr3fvp9wDKuj1P62POxY43ZgtA60uhd2MLhTbPtYKM2r1bJbiLpwYi8pXKIC7I6Fl/og/fL2fyEx5ZRA7jME8PRQvmWlTytZnsOa8RCDYot5JxhwGwJ3keIZFAAnUxX3Vc0+Ch4u3qr1+EbffEh6m1Vt9fJiujI9aWdrt8=,iv:qjnWcu9wvnQ4H1Q6zu8edHYHjniJqz80Bx4XOkZ3+l8=,tag:eQk73teW1pBVszamlDdaFQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,30 @@
example_key: ENC[AES256_GCM,data:0VPRbi+eXJx6TEzSLg==,iv:wXY3sv0gW37H/Mv5s4caJIZe0NPzrSOu5+/zZV21OsU=,tag:66xqln7ExRHqTs84I5FI/g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFaVc2c2ViN3pyYlNValQ2
b2Q4STlST1M1Umh6MWl3ZDAvajJVUXJIbW13CmRvQ3RBbWZrbklKRmU4MmdHdkVN
YlgxSElqZzl3ckZjRWtEU3pmcGhpZU0KLS0tIDlEYklTN3N3RWxFUFNZM2xGMXRI
RE41cnNWdWRrZUVwaG56Qmh6VEwzSnMKi4Hl9IjxZKelOQd2fxf54qN0ZAlx4zzE
O+acAe7wB8v85XgEt/DBJrVi6NYg8bt7uj4R71cAMZxKheBjdNNPXA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArU1ZmY0dkM3FQdWtCdGlP
VFNpMkFaWWZwMGJxS1dqRm5BQURLbGQ0M2hNCnA5OFBScUNUc01tM3R4M3RxNFdl
NlArazJ5aktVVGlxUlpEV0hLK2Zna3cKLS0tIGZYc0lnL1dLRDNxV2RFZFFhUmhN
RmRoZmxVMVhOL1FtTlA3QTNCQ1RlNWcKLitsiPk+4Lzdud4GR/iMgolGLLURU6mO
1FBk0HTP4b+f0G5Uentp9oBPTNA0J6qCo1C79ZgV6LiZoWKunh5QAg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-10T18:21:20Z"
mac: ENC[AES256_GCM,data:euTc5etuk3p8g3OOijis4mvDrgS3dkYf5d3qkqlzftxcocZgPgUI9lJZCL3K11zn7JnbNUm5cMtr/h14WYtCJXztHXXhrpAbfy3HRNKlELCn+gENvbMM7Vtkb/8Uji2xosRHl4ygnTLN3L6/qX0Sn0sQm96UB3Q8ZHOXClQNZ/4=,iv:FNw/OEOhCmAMdbbIpkn3SbNwf2y0eHSHFuJlm58ZykU=,tag:ealqzvWEdGiQkvz/72L6QQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -0,0 +1,11 @@
ADMIN_TOKEN=ENC[AES256_GCM,data:1cRomfcw7QRGJ8FeRBIbVE0Rj7hGgusSxa4h0oLWmlNSqDi1NLuMevCZoQQuwGE4ZgTttdUrZUv6QGwtndaDcQ==,iv:yCdNQbQx86CZU7GvShcL9YxOlzGr/bTfTp5DDMudTDs=,tag:gNN7eZc2mR/90n7JOeg5wg==,type:str]
SMTP_PASSWORD=ENC[AES256_GCM,data:GbBaT0JUsxCT8x3o5EoKvA==,iv:uA3WytiA9o/3qohl/eaMD7gVbORo4YZg2gzT/qZZHbA=,tag:GpP1lzeeNdkZfaI16cufzQ==,type:str]
YUBICO_SECRET_KEY=ENC[AES256_GCM,data:caHlB/H4iWfZP2jQjVrFIUXfYiT1g5q81Cyfb+7q,iv:XDmIl7dqV8R7bykwtQz3EQIf1qJHh3wPbL9RAu6ZWEk=,tag:3eDkQF1+7AroPzTh6PzTTg==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTCtwelNJdENDOERjSGlI\neUgwYnpvNDhnQkZmVmRaTmJSOFlCZFZGWkJjCjQrV3V3VExPZzIwVitJaUtmNEdU\nU09UbENVUi9wWWZ2RzNhbXN4VG5IZWsKLS0tIEpkT0hHZ2JCcEVBeGduWk83WnZm\nWlhkMzFMQXN5R3JBb1pvc0U5Y013dWMK5LiYBFHa2j29Q58VfR/XvxduBv/dy3Wi\nLasyBSqFrK0nngUXhCxPVCn8ZU5gMMaiXCisCPDxXDdX+t7DLErCSw==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvS3o2TkplT1hIa1luKzky\nbEo0cGdIYStlTDg3NDh1UGQ1NTRqcTZqb0RRCk5aaTY2NnFMVDN6Z0ludDNyQW5n\nelNHZjNJZTJXbEVlN2xSNzBsQUV2WDAKLS0tIFBwRkpoWDIzMk5XRWh3dlRpbjR0\nbStON1RnbXprcXAwUm00aVExMVc2Q2sKdOrM7+UT5Bb6z5Rnv6EkVt8+aIEqWfOc\no2fc6d2F5ozmt/GS189dld8QWFvIY/RUQnRqm55txAip8NHynTt+0A==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_1__map_recipient=age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
sops_lastmodified=2024-02-10T18:21:23Z
sops_mac=ENC[AES256_GCM,data:CAm7H/sbSnLD72uryZwK9rlu9ptTqBVMAvWjzI8PzzFx5PQHrkFKOmG73Sdao6Map1QMjM57g/q0DDxkL0tY3iW4X1kc3oUC4Ej4nj4/ZrjRiVpSA6Zs38gi4O30X7lr0iWK1DdD/wCMuo66ixJ5ol/0XBAUIUUUW7UxaTLptDM=,iv:bDvwwPoFeChslZgwnoSMPJzd9yY2Y6Tc8Gdyhxp9Fyk=,tag:BjUnCjdL9DNGg9sbyWOXAQ==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.7.3


@ -0,0 +1,33 @@
services:
wireguard:
airvpn.private: ENC[AES256_GCM,data:COgDVq0CpZcTsjLMx4FLHSv/ZI8eSPRLTxVtJ8XrevzRXc25sVSNMdHiMFA=,iv:QSFKc2U2v58PiOF79PFanx+QlFge3FiMjEOJudr7qKU=,tag:N7KjBhK+59IeRALJeGKc6A==,type:str]
airvpn.psk: ENC[AES256_GCM,data:bxZ/Pk75jCPU/Nhx96JJkmrJCqSAudZLDQjKCXnvAJf/pPpZdwJTw3o7ywM=,iv:EwHiUZTs8py8TZxJciqW53m7O/rU5V8+ZgSCEXlrIJc=,tag:tOtlgWs8VLgt7T6/apkZeA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTndabjF2YXFpTU5RcG9U
UFV4SXVQZDNIK3htYi93U1BhbGNGMUtPcENFCi9nWWR0TmdYV0NhdDJhMFExRm9K
SDYzVXVZbmdOWGFybGxOTWs0K3Y2MlUKLS0tIGJLendISXNaWWdpVU5zcVgyeitJ
ZTZ4eTlxdVpha0NxK3h4dEU2S1dGaXcKkGlvEp+aosaFlnO4zUiQHkU1EFxxIuUU
L3y56QiCJxHo9bv9yvn0cIbxWLl+ow7I88FBf89z0OQxTqKxcpniYQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkUGwvZ3hzaXBkTlA0Z1JX
N2R2cWNzWUIzVml0WGZxQ3FDUXFWOVJkWXdnCnNNbnFrYUVWYzBpdnRSdkdFZXRv
UHFKL3FQZEtST0tiaHZ0QUNzZWpWbTQKLS0tIGpLVW1EVXU5V0Q4QXF1b0xCeWlL
TFlUV2Vkak94YnI0OWpQR1A1TUlaUzAKEDaX7yhVViNG2/2EOcWWEynOOCYlzWZS
tsnOZcBkIDWkk6ZrZFXZ/iKzQiYTSWcznGPJuNd1Q9CnCCVKXtJmbQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-04T18:18:03Z"
mac: ENC[AES256_GCM,data:WM8D1TKT48WomrVcoT84cr8y7GajxbZ7ErQXwDZoPvw3phRLn7PuVdljtykIaTjQ9c0KrjSlLlTeRUhVUdFLJ5qB1ZA5N15wlDSRl7jtuaF8VKeAoS4txmh9YQXutrst1ldjk13nboOdRirNrYjqycdPtCBYQZc/bfvJUekoU7s=,iv:wpi+GlNNrpeMdW6CsLqhchgoyfbFOdTs2bD2pAAORtk=,tag:4QBEhFWszcJ+Gsml4K3Q9A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,39 @@
{ config, pkgs, ... }:
{
# services.atticd = {
# enable = true;
# package = pkgs.attic-server;
#
# credentialsFile = "/run/secrets/services/attic/creds.env";
#
# settings = {
# listen = "0.0.0.0:28842";
#
# chunking = {
# nar-size-threshold = 64 * 1024; # 64 KiB
# min-size = 16 * 1024; # 16 KiB
# avg-size = 64 * 1024; # 64 KiB
# max-size = 256 * 1024; # 256 KiB
# };
# };
# };
#
# services.nginx.virtualHosts."attic.lewd.wtf" = {
# enableACME = true;
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://127.0.0.1:28842";
# extraConfig =
# "proxy_set_header Host $host;" +
# "proxy_set_header X-Real-IP $remote_addr;" +
# "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
# "proxy_set_header X-Forwarded-Proto $scheme;" +
# "proxy_connect_timeout 1800;" +
# "proxy_send_timeout 1800;" +
# "proxy_read_timeout 1800;" +
# "send_timeout 1800;" +
# "client_max_body_size 5G;"
# ;
# };
# };
}


@ -0,0 +1,21 @@
{
programs.msmtp = {
enable = true;
setSendmail = true;
defaults = {
aliases = builtins.toFile "aliases" ''
default: ciapa@lewd.wtf
'';
};
accounts.default = {
auth = "plain";
host = "mail.your-server.de";
port = "587";
from = "phoenix@lewd.wtf";
user = "phoenix@lewd.wtf";
passwordeval = "cat /run/secrets/services/msmtp/password";
};
};
}


@ -0,0 +1,18 @@
{ config, lib, ... }:
{
services.nfs.server.enable = true;
fileSystems."/export/desktop" = lib.mkIf (!config.c3moc.switchNfs) {
device = "/mnt/zvault/desktop";
options = [ "bind" ];
};
services.nfs.server.exports = lib.mkIf (!config.c3moc.switchNfs) ''
/export 192.168.0.20(rw,fsid=0,no_subtree_check) 192.168.1.39(ro,nohide,insecure,no_subtree_check,all_squash,anonuid=1000,anongid=1000)
/export/desktop 192.168.0.20(rw,nohide,insecure,no_subtree_check) 192.168.1.39(ro,nohide,insecure,no_subtree_check,all_squash,anonuid=1000,anongid=1000)
'';
networking.firewall.allowedTCPPorts = [ 111 662 892 2049 32769 32803 38467 ];
networking.firewall.allowedUDPPorts = [ 111 662 892 2049 32769 32803 38467 ];
}
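Review bot: The two firewall lists open 111, 662, 892, 2049, 32769, 32803 and 38467 on TCP and UDP for every source and interface, while the exports are limited to 192.168.0.20 and 192.168.1.39; the ports also stay open when `config.c3moc.switchNfs` disables the exports. Nothing in this file pins statd, lockd or mountd to those numbers, so unless that happens elsewhere the opened ports may not match what the daemons bind; `services.nfs.server.statdPort`, `lockdPort` and `mountdPort` would make the mapping explicit. The `insecure` flag on the read-write `/export/desktop` entry accepts requests from unprivileged source ports, which deserves a comment saying why that client needs it.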


@ -0,0 +1,6 @@
{
services.smartd.enable = true;
services.smartd.notifications.mail.enable = true;
services.smartd.notifications.mail.sender = "phoenix@lewd.wtf";
services.smartd.notifications.mail.recipient = "ciapa@lewd.wtf";
}


@ -0,0 +1,8 @@
{ config, pkgs, ... }:
{
services.unifi = {
enable = true;
unifiPackage = pkgs.unifi8;
openFirewall = true;
};
}
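Review bot: `openFirewall = true` opens the controller's device-facing ports on all interfaces. If this host has an interface on an untrusted network, listing the required ports under `networking.firewall.interfaces.<lan>.allowedTCPPorts` and `allowedUDPPorts` for the management interface only would narrow the exposure (`<lan>` is a placeholder for the interface name). The `config` argument in the function header is unused.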


@ -2,12 +2,19 @@
{ {
services.vikunja = { services.vikunja = {
enable = true; enable = true;
setupNginx = true;
frontendScheme = "https"; frontendScheme = "https";
frontendHostname = "todo.lewd.wtf"; frontendHostname = "todo.lewd.wtf";
}; };
services.nginx.virtualHosts."todo.lewd.wtf" = { services.nginx.virtualHosts."todo.lewd.wtf" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations = {
"/" = {
proxyPass = "http://localhost:3456";
extraConfig = ''
client_max_body_size 20M;
'';
};
};
}; };
} }


@ -0,0 +1,98 @@
{ config, pkgs, ... }:
let
sendEmailEvent = { event }: ''
printf "Subject: phoenix ${event} ''$(${pkgs.coreutils}/bin/date --iso-8601=seconds)\n\nzpool status:\n\n''$(${pkgs.zfs}/bin/zpool status)" | ${pkgs.msmtp}/bin/msmtp -a default ciapa@lewd.wtf || true
'';
in
{
# ZFS remote unlocking
boot.initrd.systemd.enable = true;
# TODO: Install ZFS tools
# TODO: Override built-in zfs unlock service
boot.initrd.availableKernelModules = [ "igb" ];
boot.kernelParams = [
"ip=192.168.0.42::192.168.0.1:255.255.252.0:phoenix-initrd:eno2:off:192.168.0.1"
];
boot.initrd.systemd.services.zfsunlock = {
description = "Unlock ZFS pools";
wantedBy = [
"initrd.target"
];
before = [
"zfs-import-zroot.service"
];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
cat <<EOF > /root/.profile
if pgrep -x "zfs" > /dev/null
then
zfs load-key zroot
zpool import -f zbigdata
zfs load-key zbigdata
zpool import -f zvault
zfs load-key zvault
killall zfs
else
echo "zfs not running -- maybe the pool is taking some time to load for some unforseen reason."
fi
EOF
'';
};
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 2222;
hostKeys = [
/boot-1/initrd-ssh-key
/boot-2/initrd-ssh-key
];
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
};
};
# ZFS options from https://nixos.wiki/wiki/NixOS_on_ZFS
networking.hostId = "42069420";
boot.supportedFilesystems = [ "zfs" ];
# ZFS notifications
services.zfs.zed.enableMail = true;
services.zfs.zed.settings = {
ZED_EMAIL_ADDR = [ "ciapa@lewd.wtf" ];
ZED_EMAIL_OPTS = "-a 'FROM:phoenix@lewd.wtf' -s '@SUBJECT@' @ADDRESS@";
ZED_NOTIFY_VERBOSE = true;
};
# Timed status mails (Boot, Shutdown, Weekly)
systemd.services."boot-mail-alert" = {
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = sendEmailEvent { event = "just booted"; };
};
systemd.services."shutdown-mail-alert" = {
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = "true";
preStop = sendEmailEvent { event = "is shutting down"; };
};
systemd.services."weekly-mail-alert" = {
serviceConfig.Type = "oneshot";
script = sendEmailEvent { event = "is still alive"; };
};
systemd.timers."weekly-mail-alert" = {
wantedBy = [ "timers.target" ];
partOf = [ "weekly-mail-alert.service" ];
timerConfig.OnCalendar = "weekly";
};
}
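Review bot: `sendEmailEvent` places the output of `zpool status` inside the printf format string, so any `%` in that output (scrub and resilver progress lines contain percentages) is parsed as a conversion and the mail body can be mangled or cut short. Passing the dynamic parts as arguments avoids this, keeping the same `''$` escaping and store paths: `printf 'Subject: phoenix %s %s\n\nzpool status:\n\n%s' "${event}" "$(date --iso-8601=seconds)" "$(zpool status)"`. The trailing `|| true` also hides delivery failures, so a failed boot or shutdown alert leaves no trace in the unit status; logging the failure before continuing would keep it visible.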


@ -0,0 +1,25 @@
{ self, config, pkgs, lib, ... }:
let
utils = import ../../../util/include.nix { lib = lib; };
imports =
(utils.includeDir ./services) ++
[
./hardware-configuration.nix
./networking.nix
./users.nix
];
in
{
inherit imports;
networking.hostName = "oosi";
networking.domain = "elmosco.lewd.wtf";
boot.loader.grub = {
enable = true;
efiSupport = false;
devices = [ "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0" ];
};
system.stateVersion = "22.11";
}


@ -9,8 +9,8 @@
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/mnt/data" = { fileSystems."/home" = {
device = "/dev/disk/by-label/data"; device = "/dev/disk/by-label/home";
fsType = "ext4"; fsType = "ext4";
}; };


@ -1,10 +1,10 @@
{ ... }: { ... }:
{ {
networking.defaultGateway = "192.168.11.1"; networking.defaultGateway = "192.168.99.1";
networking.nameservers = [ "1.1.1.1" ]; networking.nameservers = [ "1.1.1.1" ];
networking.interfaces.ens18.ipv4.addresses = [ networking.interfaces.ens18.ipv4.addresses = [
{ {
address = "192.168.11.110"; address = "192.168.99.106";
prefixLength = 24; prefixLength = 24;
} }
]; ];


@ -0,0 +1,15 @@
{
imports =
[
../../../../deployments/seedbox/qbittorrent/default.nix
];
variables.qbittorrent = {
user = "oosi";
group = "oosi";
torrentPort = 39510;
uiPort = 8888;
configDir = "/home/oosi";
openFilesLimit = 8192;
};
}


@ -0,0 +1,11 @@
{
users.groups.oosi = {};
users.users.oosi = {
group = "oosi";
isNormalUser = true;
home = "/home/oosi";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERtfY26/h5xl+bzZm2htR4+Wd879DvZRPHsosFaEqIW gaming@DESKTOP-4ACM3JU"
];
};
}


@ -3,10 +3,12 @@ let
utils = import ../../../util/include.nix { lib = lib; }; utils = import ../../../util/include.nix { lib = lib; };
imports = imports =
(utils.includeDir ./services) ++ (utils.includeDir ./services) ++
(utils.includeDir ./storage_users) ++
[ [
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix ./networking.nix
./users.nix ./users.nix
./sftp_jail.nix
]; ];
in in
{ {


@ -14,5 +14,12 @@
fsType = "ext4"; fsType = "ext4";
}; };
# Shared stuff
fileSystems."/sftp_jail/melic" = {
device = "/home/rene/shared";
options = [ "bind,ro" ];
};
services.qemuGuest.enable = true; services.qemuGuest.enable = true;
} }


@ -0,0 +1,12 @@
{
users.users.melic = {
group = "sftponly";
isNormalUser = true;
home = "/sftp_jail/melic";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERtfY26/h5xl+bzZm2htR4+Wd879DvZRPHsosFaEqIW gaming@DESKTOP-4ACM3JU"
"ssh-rsa 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 melic@Erika"
];
};
}
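Review bot: The `melic` account is confined only by whatever `./sftp_jail.nix` configures for the `sftponly` group, which is not part of this section, and `isNormalUser = true` still gives the account the default login shell. Setting a non-interactive shell on the user would keep the read-only intent intact even if the sshd `Match` rule changes later. The `gaming@DESKTOP-4ACM3JU` key is also authorised for the `oosi` account added in this change set, so a short comment naming each key's owner would make later rotation easier.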


@ -2,18 +2,18 @@
let let
utils = import ../../util/include.nix { lib = lib; }; utils = import ../../util/include.nix { lib = lib; };
imports = imports =
(utils.includeDir ./mirror_users) ++ (utils.includeDir ./services) ++
[ [
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix ./networking.nix
./sftp_jail.nix ./secrets.nix
]; ];
in in
{ {
inherit imports; inherit imports;
networking.hostName = "master"; networking.hostName = "sphinx";
networking.domain = "mirror.lewd.wtf"; networking.domain = "lewd.wtf";
boot.loader.grub = { boot.loader.grub = {
enable = true; enable = true;
@ -21,5 +21,5 @@ in
devices = [ "/dev/sda" ]; devices = [ "/dev/sda" ];
}; };
system.stateVersion = "22.11"; system.stateVersion = "24.05";
} }


@ -0,0 +1,11 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.kernelModules = [ "nvme" ];
fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
}


@ -0,0 +1,32 @@
{ lib, ... }: {
# This file was populated at runtime with the networking
# details gathered from the active system.
networking = {
nameservers = [ "8.8.8.8" ];
defaultGateway = "172.31.1.1";
defaultGateway6 = {
address = "fe80::1";
interface = "eth0";
};
dhcpcd.enable = false;
usePredictableInterfaceNames = lib.mkForce false;
interfaces = {
eth0 = {
ipv4.addresses = [
{ address="116.203.182.240"; prefixLength=32; }
];
ipv6.addresses = [
{ address="2a01:4f8:1c1b:7a9b::1"; prefixLength=64; }
{ address="fe80::9400:3ff:fe62:dffe"; prefixLength=64; }
];
ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
};
};
};
services.udev.extraRules = ''
ATTR{address}=="96:00:03:62:df:fe", NAME="eth0"
'';
}


@ -1,6 +1,5 @@
{ config, ... }: { config, ... }:
{ {
sops.defaultSopsFile = ./secrets/services.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# Vaultwarden # Vaultwarden


@ -0,0 +1,11 @@
ADMIN_TOKEN=ENC[AES256_GCM,data:xAMhqj/wAqmDPUEo+IUMsaY9+/dTOmdwm5NKu7LC9PGgyORRVjowI5Fu/3j47u9JKLXPyGvQM33s+S3VqNhspQ==,iv:yCdNQbQx86CZU7GvShcL9YxOlzGr/bTfTp5DDMudTDs=,tag:QRsgnB9K1DcEcHlGrUA2EQ==,type:str]
SMTP_PASSWORD=ENC[AES256_GCM,data:JvSxXTTPQmox2O7n28018A==,iv:uA3WytiA9o/3qohl/eaMD7gVbORo4YZg2gzT/qZZHbA=,tag:v3Rkhp4HpjZE8Z45N3jcxQ==,type:str]
YUBICO_SECRET_KEY=ENC[AES256_GCM,data:oUXZDR5F1eXNKFYYiK9BQfeuves36PdqfKE1Yb7Z,iv:XDmIl7dqV8R7bykwtQz3EQIf1qJHh3wPbL9RAu6ZWEk=,tag:F5kb5XqY0JPeBGYOFrQC8g==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcWZxL3Q4dElaV0hjWm9J\nN1ViOEZkS3Z1RlAvRHFKZjdhU2drNWFZT3dBClY3Rm1lK1FaR1hmSTZ5dUJSNktK\ndGhneVdXS2R3MXB4N01yaTBlaGxjSEUKLS0tIHY3ejBnUzNlRWs3L0c3bkpBRFk5\ndHJNdG9ESHZ3ZzlPMExwNmpZSHpYZVUK9d6xS6ji8N3rZS1OmXJU7VZd6jZNETPK\nZTozNHhcvQiXTdlc23cSUZOHeJyugV+IjRpkDUBjh/0f/YzBNH7gsA==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtTEdOT3RaQWNzQkhzd0ds\ncS9tVWZJbDNMUmNCcWpRSDJwbDV4cUpHZ0ZJCkdBUGRxOUp2QnpYSnRpdzFxK2Fj\nSW9lRUIxbFBoWDFYVEhDK3FvOGk0VzgKLS0tIENBVkpTa0ZpTFFpVG4yR1p2c1lT\nZExSWmdUTXR5SS8yZzQ1VExGdkk0alkKIebJqoBgEv9KK8Nmtyo4xYAd8UA7czBC\noRHZv9cduFhA55iDvEQIdfrDJGMTCAbnuXEGlh0hee0KFFrsar7FEg==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_1__map_recipient=age1myz28jqex5kpcsjqg2a0la8cyuutzj4cxf53vs3v8ey6fqzvk3ws8z8k3h
sops_lastmodified=2024-06-06T10:12:52Z
sops_mac=ENC[AES256_GCM,data:KRi4A7W8/SWaSdX6kz1r00u0s0e+H9T1DlNlWXjbL5ZqUiACBGvmnlU0Ylqter7JBnP6hM3y34wuTH3XzqpAmcPLSCg6bhLqV24AIzTxb/xJJUj0G2uTle//LUipVVem19ECVS0refj36nDd4Lzuyy6fe6uowQMkt2vzLlmr6t8=,iv:1DTq4KQLJwyByoFP6inLp4DmrFra+ca1EEAGgUJ5NMs=,tag:oovcb4hGB1dyOzR5GV5wog==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.7.3


@ -0,0 +1,7 @@
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
};
}
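Review bot: nginx is enabled with ports 80 and 443 opened but without any of the module's presets, so the vhosts rely on module defaults for TLS and proxying. Adding `recommendedTlsSettings = true;` and `recommendedProxySettings = true;` inside `services.nginx` sets the TLS parameters and forwarding headers once. That would also make the repeated `proxy_set_header` strings in the per-service vhosts unnecessary.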


@ -0,0 +1,60 @@
{ config, ... }:
{
users.users.vaultwarden.extraGroups = [ config.users.groups.keys.name ];
services.vaultwarden = {
enable = true;
environmentFile = "/run/secrets/services/vaultwarden/.env";
config = {
DOMAIN = "https://vault.lewd.wtf";
SIGNUPS_ALLOWED = false;
SIGNUPS_VERIFY = true;
INVITATIONS_ALLOWED = false;
WEBSOCKET_ENABLED = true;
WEBSOCKET_PORT = 3012;
ROCKET_PORT = 8222;
SMTP_HOST = "mail.your-server.de";
SMTP_FROM = "vaultwarden@lewd.wtf";
SMTP_FROM_NAME = "Vaultwarden";
SMTP_USERNAME = "vaultwarden@lewd.wtf";
YUBICO_CLIENT_ID = 88022;
};
};
services.nginx.clientMaxBodySize = "128M";
services.nginx.virtualHosts."vault.lewd.wtf" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8222";
proxyWebsockets = true; # needed if you need to use WebSocket
extraConfig =
"proxy_set_header Host $host;" +
"proxy_set_header X-Real-IP $remote_addr;" +
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
"proxy_set_header X-Forwarded-Proto $scheme;"
;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:8222";
proxyWebsockets = true; # needed if you need to use WebSocket
extraConfig =
"proxy_set_header Host $host;" +
"proxy_set_header X-Real-IP $remote_addr;" +
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
"proxy_set_header X-Forwarded-Proto $scheme;"
;
};
locations."/notifications/hub" = {
proxyPass = "http://127.0.0.1:3012";
proxyWebsockets = true; # needed if you need to use WebSocket
extraConfig =
"proxy_set_header Host $host;" +
"proxy_set_header X-Real-IP $remote_addr;" +
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
"proxy_set_header X-Forwarded-Proto $scheme;"
;
};
};
}
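Review bot: `locations."/"` forwards every path to Vaultwarden, including `/admin`. The encrypted env file added in this change set carries an `ADMIN_TOKEN`, which suggests the admin page is enabled and so reachable from any client with only that token protecting it. A dedicated `locations."/admin"` with the same `proxyPass` plus `allow`/`deny` rules for a trusted address range would limit who can reach it. Separately, `services.nginx.clientMaxBodySize = "128M"` is a global setting and applies to every vhost on the host, and the three identical `extraConfig` strings could be bound once in a `let`.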


@ -5,7 +5,7 @@
gc = { gc = {
automatic = true; automatic = true;
dates = "weekly"; dates = "weekly";
options = "--delete-older-than 15"; options = "--delete-older-than 15d";
}; };
}; };
} }


@ -4,7 +4,8 @@
vim vim
git git
curl curl
htop btop
rclone rclone
screen
]; ];
} }