coolneng/zion
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: coolneng:master
Branches Tags
coolneng:master
..
compare: coolneng:9bea2be94e5e85585fab1bd1910b8df2fc5d70da
Branches Tags
coolneng:master

1 Commits
master ... 9bea2be94e

Author SHA1 Message Date
coolneng
9bea2be94e Refactor nginx configuration 2021-02-03 03:56:59 +01:00
43 changed files with 356 additions and 1640 deletions
Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
Timeline.org

7
Makefile
View File

@@ -1,7 +0,0 @@
DIR=$(HOME)/Projects/zion
switch:
nixos-rebuild switch --no-reexec --target-host root@zion \
--build-host root@zion --flake path://$(DIR)#zion
.DEFAULT_GOAL := switch

35
README.org
View File

@@ -16,38 +16,3 @@
- Curated articles: information.nix - Curated articles: information.nix
All the modules are imported in *configuration.nix* All the modules are imported in *configuration.nix*
** Installation
1. Download the sdcard image
2. Use initial config file
#+begin_src shell
cp install.nix configuration.nix
#+end_src
3. Move the repo to the server and the agenix key
#+begin_src shell
scp -r Projects/zion zion:/home/nixos/system
scp .ssh/zion root@zion:/etc/ssh/id_ed25519
#+end_src
4. Mount the firmware partition
#+begin_src shell
mount /dev/mmcblk1p1 /boot
#+end_src
5. Rebuild the system using Flakes
#+begin_src shell
nix-shell -p git
sudo nixos-rebuild switch --flake /home/nixos/system#zion
#+end_src
6. Restore the SQL databases
#+begin_src shell
gunzip -c /vault/backups/zion/databases/all.sql.gz | psql -U postgres
#+end_src

272
configuration.nix
View File

@@ -1,270 +1,105 @@
{ { config, pkgs, lib, ... }: {
config, # NixOS wants to enable GRUB by default
inputs, boot.loader.grub.enable = false;
pkgs,
lib,
...
}:
with pkgs; # A bunch of boot parameters needed for optimal runtime on RPi 4B
boot.kernelPackages = pkgs.linuxPackages_rpi4;
{ boot.kernelParams = [
# Kernel configuration "zfs.zfs_arc_max=134217728"
boot = { "console=TTYAMA0,115200"
blacklistedKernelModules = [ "console=tty1"
"btusb" "8250.nr_uarts=1"
"bluetooth"
];
kernelParams = [
"zfs.zfs_arc_max=8589934592"
"zfs.zfs_arc_min=1073741824"
];
supportedFilesystems = [ "zfs" ];
zfs = {
requestEncryptionCredentials = false;
extraPools = [ "vault" ];
};
};
# Secure boot using lanzaboote
boot.loader = {
efi.canTouchEfiVariables = true;
systemd-boot = {
enable = true;
configurationLimit = 50;
editor = false;
};
timeout = 3;
};
# Declare system packages
environment.systemPackages = [
libraspberrypi
htop
neovim
git
inputs.agenix.packages.${config.nixpkgs.localSystem.system}.default
]; ];
boot.loader.raspberryPi = {
enable = true;
version = 4;
};
environment.systemPackages = with pkgs; [ libraspberrypi git htop vim ];
# !!! Adding a swap file is optional, but strongly recommended!
swapDevices = [{
device = "/swapfile";
size = 4096;
}];
# Configure basic SSH access # Configure basic SSH access
services.openssh = { services.openssh = {
enable = true; enable = true;
settings = { permitRootLogin = "yes";
PermitRootLogin = "yes";
PasswordAuthentication = false;
};
}; };
# Cleanup tmp on startup # Cleanup tmp on startup
boot.tmp.cleanOnBoot = true; boot.cleanTmpDir = true;
# Set hostname
networking.hostName = "zion";
# Create coolneng user # Create coolneng user
users.users.coolneng = { users.users.coolneng = {
isNormalUser = true; isNormalUser = true;
home = "/home/coolneng"; home = "/home/coolneng";
extraGroups = [ extraGroups = [ "wheel" "docker" ];
"wheel"
"docker"
];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
# panacea
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea"
# caravanserai
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIX0poiPhFLFh88fhpLFX7n1oCevVRyTxe9ZvGmjPq8n zion"
]; ];
shell = "${fish}/bin/fish"; shell = "${pkgs.fish}/bin/fish";
}; };
# Set neovim as default editor # Set vim as default editor
programs.neovim = { programs.vim.defaultEditor = true;
enable = true;
defaultEditor = true;
};
# Set timezone and synchronize NTP # Set timezone and synchronize NTP
time.timeZone = "Europe/Brussels"; time.timeZone = "Europe/Brussels";
services.timesyncd.enable = true; services.timesyncd.enable = true;
# Enable ZFS support
networking.hostId = "4e74ea68";
boot = {
supportedFilesystems = [ "zfs" ];
zfs.extraPools = [ "vault" ];
};
# Scrub zpool monthly # Scrub zpool monthly
services.zfs.autoScrub = { services.zfs.autoScrub = {
enable = true; enable = true;
interval = "monthly"; interval = "monthly";
}; };
# Run Nix garbage collector, while avoiding recompilation and enable flakes # Auto-upgrade the system and reboot if needed
system.autoUpgrade = {
enable = true;
allowReboot = true;
};
# Run Nix garbage collector, while avoiding recompilation
nix = { nix = {
settings = { autoOptimiseStore = true;
auto-optimise-store = true;
trusted-users = [
"root"
"coolneng"
];
lazy-trees = true;
eval-cores = 2;
};
gc = { gc = {
automatic = true; automatic = true;
options = "--delete-older-than 14d"; options = "--delete-older-than 14d";
dates = "Mon 03:00";
}; };
extraOptions = '' extraOptions = ''
keep-outputs = true keep-outputs = true
keep-derivations = true keep-derivations = true
gc-keep-outputs = true gc-keep-outputs = true
experimental-features = nix-command flakes
''; '';
}; };
# Use same version of nixpkgs for nix-shell
nix.nixPath =
let
path = toString ./.;
in
[
"nixpkgs=${inputs.nixpkgs}"
"nixos-config=${path}/configuration.nix"
];
# Configure fish shell # Configure fish shell
programs.fish.enable = true; programs.fish.enable = true;
users.users.root = { users.users.root = {
shell = "${fish}/bin/fish"; shell = "${pkgs.fish}/bin/fish";
openssh.authorizedKeys.keys = config.users.users.coolneng.openssh.authorizedKeys.keys; openssh.authorizedKeys.keys = [
}; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea"
# Keep logs for a month
services.journald.extraConfig = "MaxRetentionSec=4week";
# Increase inotify limits and maximum buffer size
boot.kernel.sysctl = {
"fs.inotify.max_user_watches" = 204800;
"net.core.rmem_max" = 2500000;
"net.core.wmem_max" = 2500000;
};
# MOTD message
programs.fish.interactiveShellInit = "${./scripts/motd.sh}";
# NixOS version
system.stateVersion = "24.11";
# Specify secrets
age = {
secrets.wireguard = {
file = secrets/wireguard.age;
owner = "systemd-network";
group = "systemd-network";
};
secrets.syncthing.file = secrets/syncthing.age;
secrets.msmtp.file = secrets/msmtp.age;
secrets.gitea = {
file = secrets/gitea.age;
owner = "gitea";
group = "gitea";
};
secrets.miniflux = {
file = secrets/miniflux.age;
owner = "miniflux";
group = "miniflux";
};
secrets.git = {
file = secrets/git.age;
owner = "coolneng";
group = "users";
};
# HACK The owner and group is set by systemd due to the use of DynamicUser
secrets.dendrite = {
file = secrets/dendrite.age;
owner = "63026";
group = "63026";
};
secrets.dendrite-postgres = {
file = secrets/dendrite-postgres.age;
owner = "63026";
group = "63026";
};
secrets.telegram = {
file = secrets/telegram.age;
};
secrets.mqtt-sender = {
file = secrets/mqtt-sender.age;
owner = "mosquitto";
group = "mosquitto";
};
secrets.mqtt-receiver = {
file = secrets/mqtt-receiver.age;
owner = "mosquitto";
group = "mosquitto";
};
secrets.facebook = {
file = secrets/facebook.age;
};
secrets.signal = {
file = secrets/signal.age;
};
secrets.inadyn-duckdns = {
file = secrets/inadyn-duckdns.age;
owner = "inadyn";
group = "inadyn";
};
secrets.inadyn-porkbun = {
file = secrets/inadyn-porkbun.age;
owner = "inadyn";
group = "inadyn";
};
secrets.inadyn-porkbun-secret = {
file = secrets/inadyn-porkbun-secret.age;
owner = "inadyn";
group = "inadyn";
};
secrets.acme-duckdns = {
file = secrets/acme-duckdns.age;
owner = "acme";
group = "nginx";
};
secrets.acme-porkbun = {
file = secrets/acme-porkbun.age;
owner = "acme";
group = "nginx";
};
secrets.microbin = {
file = secrets/microbin.age;
owner = "63026";
group = "63026";
};
secrets.readeck = {
file = secrets/readeck.age;
owner = "63026";
group = "63026";
};
identityPaths = [ "/etc/ssh/id_ed25519" ];
};
# Auto-upgrade the system
system.autoUpgrade = {
enable = true;
allowReboot = true;
flake = "/home/coolneng/system";
flags = [
"--update-input"
"nixpkgs"
"--commit-lock-file"
]; ];
}; };
# Configure git for auto-upgrade # Rotate logs after 7 days
programs.git = { services.journald.extraConfig = "SystemMaxFiles=7";
enable = true;
config = {
user.name = "coolneng";
user.email = "akasroua@gmail.com";
safe.directory = "/home/coolneng/system";
credential.helper = "store --file ${config.age.secrets.git.path}";
};
};
# Disable man pages # Increase inotify limits
documentation.man.enable = false; boot.kernel.sysctl = { "fs.inotify.max_user_watches" = 204800; };
# Import other configuration modules # Import other configuration modules
imports = [ imports = [
@@ -277,7 +112,6 @@ with pkgs;
./modules/periodic.nix ./modules/periodic.nix
./modules/communication.nix ./modules/communication.nix
./modules/information.nix ./modules/information.nix
./modules/containers.nix
]; ];
} }

398
flake.lock generated
View File

@@ -1,398 +0,0 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1762618334,
"narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
"owner": "ryantm",
"repo": "agenix",
"rev": "fcdea223397448d35d9b31f798479227e80183f6",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"determinate": {
"inputs": {
"determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin",
"determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux",
"determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux",
"nix": "nix",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1766177528,
"narHash": "sha256-Bl+p766mM7qNCZtMqmTz13RuUbOMKsFa+/vnGYoxgPk=",
"rev": "b159c082f0f9bdefa6c386189a13c5fa0734d8d8",
"revCount": 317,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.15.0/019b3865-57a1-7d80-98c5-962fac29c404/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/determinate/%2A"
}
},
"determinate-nixd-aarch64-darwin": {
"flake": false,
"locked": {
"narHash": "sha256-vDaEQ5T4eA7kEPREmm68IVWGR6zT0aDL5slZxA6dkSc=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS"
}
},
"determinate-nixd-aarch64-linux": {
"flake": false,
"locked": {
"narHash": "sha256-Hf4JsIv5G3IR0Q0RHGLSNdmDzFv97sVQQKwzY6A0vV4=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux"
}
},
"determinate-nixd-x86_64-linux": {
"flake": false,
"locked": {
"narHash": "sha256-J+J4E02XpEl0ZkpzMbUmGCf6S4yk0gYCYmiGzZ058ik=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux"
}
},
"devshell": {
"locked": {
"lastModified": 1642188268,
"narHash": "sha256-DNz4xScpXIn7rSDohdayBpPR9H9OWCMDOgTYegX081k=",
"owner": "numtide",
"repo": "devshell",
"rev": "696acc29668b644df1740b69e1601119bf6da83b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1641205782,
"narHash": "sha256-4jY7RCWUoZ9cKD8co0/4tFARpWB+57+r1bLLvXNJliY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b7547d3eed6f32d06102ead8991ec52ab0a4f1a7",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"determinate",
"nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1748821116,
"narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
"rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
"revCount": 377,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1"
}
},
"git-hooks-nix": {
"inputs": {
"flake-compat": "flake-compat",
"gitignore": [
"determinate",
"nix"
],
"nixpkgs": [
"determinate",
"nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1747372754,
"narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
"rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
"revCount": 1026,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nix": {
"inputs": {
"flake-parts": "flake-parts",
"git-hooks-nix": "git-hooks-nix",
"nixpkgs": "nixpkgs",
"nixpkgs-23-11": "nixpkgs-23-11",
"nixpkgs-regression": "nixpkgs-regression"
},
"locked": {
"lastModified": 1766174426,
"narHash": "sha256-0ZofAQZNgg5nfIKsVb7g4It6ufmIyLtfFRPOf+6WRkk=",
"rev": "15d6091194b5b90d292e8d6283db77f09c303b1e",
"revCount": 24285,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.15.0/019b3854-cca6-7298-a91c-0fd8551a7270/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A"
}
},
"nix-matrix-appservices": {
"inputs": {
"devshell": "devshell",
"flake-compat": "flake-compat_2",
"nixlib": "nixlib",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1683490239,
"narHash": "sha256-QKzpvl2XrqbobWq/I/smDa9hEniwctjJybXPVILHP0w=",
"owner": "coffeetables",
"repo": "nix-matrix-appservices",
"rev": "e795d2fbc61da45d49802bb3e8f8d0c70ddc1e68",
"type": "gitlab"
},
"original": {
"owner": "coffeetables",
"repo": "nix-matrix-appservices",
"type": "gitlab"
}
},
"nixlib": {
"locked": {
"lastModified": 1643502816,
"narHash": "sha256-Wrbt6Gs+hjXD3HUICPBJHKnHEUqiyx8rzHCgvqC1Bok=",
"owner": "divnix",
"repo": "nixpkgs.lib",
"rev": "ebed7ec5bcb5d01e298535989c6c321df18b631a",
"type": "github"
},
"original": {
"owner": "divnix",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1764440730,
"narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1761597516,
"narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
"rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
"revCount": 811874,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505"
}
},
"nixpkgs-23-11": {
"locked": {
"lastModified": 1717159533,
"narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
"type": "github"
}
},
"nixpkgs-regression": {
"locked": {
"lastModified": 1643052045,
"narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1765772535,
"narHash": "sha256-aq+dQoaPONOSjtFIBnAXseDm9TUhIbe215TPmkfMYww=",
"rev": "09b8fda8959d761445f12b55f380d90375a1d6bb",
"revCount": 911985,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.911985%2Brev-09b8fda8959d761445f12b55f380d90375a1d6bb/019b25ab-7c11-79e0-a0b0-c94d455b7190/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1766201043,
"narHash": "sha256-eplAP+rorKKd0gNjV3rA6+0WMzb1X1i16F5m5pASnjA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b3aad468604d3e488d627c0b43984eb60e75e782",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"determinate": "determinate",
"nix-matrix-appservices": "nix-matrix-appservices",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_3"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

50
flake.nix
View File

@@ -1,50 +0,0 @@
{
description = "System configuration for zion";
nixConfig = {
extra-substituters = "https://install.determinate.systems";
extra-trusted-public-keys = ''
cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM=
'';
};
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nix-matrix-appservices = {
url = "gitlab:coffeetables/nix-matrix-appservices";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
{ self, nixpkgs, ... }@inputs:
let
system = "x86_64-linux";
pkgs = import pkgs { inherit system; };
lib = nixpkgs.lib;
in
{
nixosConfigurations.zion = lib.nixosSystem {
inherit system;
modules = [
(import ./configuration.nix)
inputs.agenix.nixosModules.age
inputs.nixos-hardware.nixosModules.aoostar-r1-n100
inputs.determinate.nixosModules.default
];
specialArgs = {
inherit inputs;
};
};
};
}

125
modules/communication.nix
View File

@@ -1,103 +1,44 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
with pkgs;
# NOTE Reference the environment variable set in the corresponding agenix secret
let
database = {
connection_string = "$DB_STRING";
max_open_conns = 100;
max_idle_conns = 5;
conn_max_lifetime = -1;
};
in
{ {
# Matrix server configuration # Matrix server configuration
services.dendrite = { services.matrix-synapse = {
enable = true; enable = true;
httpPort = 8008; server_name = "coolneng.duckdns.org";
environmentFile = config.age.secrets.dendrite-postgres.path; listeners = [{
loadCredential = [ "private_key:${config.age.secrets.dendrite.path}" ]; port = 8008;
tls = false;
resources = [{
compress = true;
names = [ "client" ];
}];
x_forwarded = true;
}];
};
# Telegram bridge for Matrix
services.mautrix-telegram = {
enable = true;
environmentFile = /var/lib/mautrix-telegram/telegram.env;
settings = { settings = {
global = { homeserver = {
server_name = "coolneng.duckdns.org"; address = "https://matrix.coolneng.duckdns.org";
private_key = config.age.secrets.dendrite.path; domain = "coolneng.duckdns.org";
inherit database;
dns_cache.enabled = true;
}; };
# HACK Inherit postgres connection string for the rest of the DBs appservice = {
app_service_api = { provisioning.enabled = false;
inherit database; id = "telegram";
public = {
enabled = true;
prefix = "/public";
external = "https://matrix.coolneng.duckdns.org/public";
};
}; };
media_api = { bridge = {
inherit database; relaybot.authless_portals = false;
}; permissions = { "@admin:matrix.coolneng.duckdns.org" = "admin"; };
room_server = {
inherit database;
};
push_server = {
inherit database;
};
mscs = {
inherit database;
mscs = [
"msc2836"
"msc2946"
];
};
sync_api = {
inherit database;
};
key_server = {
inherit database;
};
federation_api = {
inherit database;
};
user_api = {
account_database = database;
device_database = database;
}; };
}; };
serviceDependencies = [ "matrix-synapse.service" ];
}; };
# Start dendrite after config files are mounted
systemd.services.dendrite.unitConfig.RequiresMountsFor = [
/var/lib/matrix-as-facebook
/var/lib/matrix-as-signal
/var/lib/matrix-as-telegram
];
# MQTT configuration
services.mosquitto = {
enable = true;
dataDir = "/vault/mosquitto";
logType = [
"websockets"
"error"
"warning"
"notice"
"information"
];
logDest = [ "syslog" ];
listeners = [
{
users.homeostasis = {
acl = [ "write #" ];
hashedPasswordFile = config.age.secrets.mqtt-sender.path;
};
users.prometheus = {
acl = [ "read #" ];
hashedPasswordFile = config.age.secrets.mqtt-receiver.path;
};
}
];
};
} }

68
modules/containers.nix
View File

@@ -1,68 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
# Podman setup
virtualisation = {
containers.enable = true;
podman = {
enable = true;
dockerCompat = true;
extraPackages = with pkgs; [ zfs ];
};
oci-containers = {
backend = "podman";
containers = {
# Openbooks configuration
openbooks = {
image = "evanbuss/openbooks@sha256:4fa9188885368c2303b7dc527d48b3159aaa7022010e29b3ed96842018793590";
ports = [ "127.0.0.1:9000:80" ];
cmd = [
"--name"
"bradar"
"--searchbot"
"searchook"
"--persist"
"--tls"
"false"
];
};
# Prometheus MQTT integration
mqtt2prometheus = {
image = "hikhvar/mqtt2prometheus@sha256:8e166d36feaa5ddcad703eef3a2c5167a154d6eef306a40fe6509861580c0714";
ports = [ "127.0.0.1:9641:9641" ];
volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ];
};
# Podcast synchronization
opodsync = {
image = "ganeshlab/opodsync@sha256:32626b732fe38687a5dfd703d515136e413c4b16f286b38656718ad03f0d94c1";
ports = [ "127.0.0.1:9090:8080" ];
volumes = [ "/vault/opodsync:/var/www/server/data" ];
};
# Photo gallery
pigallery2 = {
image = "bpatrik/pigallery2@sha256:c936e4504cfe7158198542a8db794b24afb0301155d89e911f13bd04e0b406c2";
ports = [ "127.0.0.1:9191:80" ];
volumes = [
"/vault/pigallery2/config:/app/data/config"
"/vault/pigallery2/db:/app/data/db"
"/vault/pigallery2/tmp:/app/data/tmp"
"/vault/syncthing/Photos:/app/data/images"
];
cmd = [
"-e"
"NODE_ENV=production"
];
};
};
};
};
# Start services after ZFS mount
systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = [ /vault/mqtt2prometheus ];
}

104
modules/datasync.nix
View File

@@ -1,10 +1,4 @@
{ { config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
{
# Syncthing configuration # Syncthing configuration
services.syncthing = { services.syncthing = {
@@ -12,55 +6,44 @@
openDefaultPorts = true; openDefaultPorts = true;
guiAddress = "0.0.0.0:8384"; guiAddress = "0.0.0.0:8384";
dataDir = "/vault/syncthing"; dataDir = "/vault/syncthing";
key = config.age.secrets.syncthing.path; declarative = {
settings = {
extraOptions.options = {
maxFolderConcurrency = 4;
progressUpdateIntervalS = -1;
};
devices = { devices = {
panacea.id = "VEGVHKF-P4FT3BD-4T3ML7J-65URQOU-3XKNMI5-6LGWSCI-BIQZOUE-RKQ6PQX"; panacea = {
caravanserai.id = "XQAXYEU-FWLAFZM-GTZYDGH-AIRBEXI-4CZD365-JUBTHDA-GOXXOYV-E5LEYQE"; id =
"UNZIABR-GEQ4AWT-XKFADLW-HW3SQ3Y-BEYZ56A-W530DLS-DXGQWKK-2QQ4RQ6";
};
caravanserai = {
id =
"6KSGHNJ-NH4EZGP-X5HGV6B-OQ3ZFE6-WZQACOC-6WKPRGI-TTBRHJ5-U3R2AQ3";
};
}; };
folders = { folders = {
Documents = { Documents = {
id = "wusdj-bfjkr"; id = "wusdj-bfjkr";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Documents"; path = "/vault/syncthing/Documents";
devices = [ devices = [ "panacea" "caravanserai" ];
"panacea"
"caravanserai"
];
}; };
Notes = { Notes = {
id = "kafhz-bfmzm"; id = "kafhz-bfmzm";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Notes"; path = "/vault/syncthing/Notes";
devices = [ devices = [ "panacea" "caravanserai" ];
"panacea"
"caravanserai"
];
}; };
Music = { Music = {
id = "2aqt7-vpprc"; id = "2aqt7-vpprc";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Music"; path = "/vault/syncthing/Music";
devices = [ devices = [ "panacea" "caravanserai" ];
"panacea"
"caravanserai"
];
}; };
Photos = { Photos = {
id = "mjibc-ustcg"; id = "mjibc-ustcg";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Photos"; path = "/vault/syncthing/Photos";
devices = [ devices = [ "panacea" "caravanserai" ];
"panacea"
"caravanserai"
];
}; };
Projects = { Projects = {
@@ -71,43 +54,17 @@
}; };
Phone = { Phone = {
id = "m2007j20cg_vc7r-photos"; id = "m2007j20cg_288y-photos";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Photos/Phone"; path = "/vault/syncthing/Photos/Phone";
devices = [ devices = [ "panacea" "caravanserai" ];
"panacea"
"caravanserai"
];
}; };
Files = { Files = {
id = "tsk52-u6rbk"; id = "tsk52-u6rbk";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Files"; path = "/vault/syncthing/Files";
devices = [ devices = [ "panacea" "caravanserai" ];
"panacea"
"caravanserai"
];
};
Phone-screenshots = {
id = "pp70r-pbr70";
type = "receiveonly";
path = "/vault/syncthing/Photos/Phone-screenshots";
devices = [
"panacea"
"caravanserai"
];
};
Audio = {
id = "tarrs-5mxck";
type = "receiveonly";
path = "/vault/syncthing/Audio";
devices = [
"panacea"
"caravanserai"
];
}; };
}; };
}; };
@@ -116,16 +73,19 @@
# Enable Radicale # Enable Radicale
services.radicale = { services.radicale = {
enable = true; enable = true;
settings = { config = ''
server.hosts = [ "127.0.0.1:5232" ]; [server]
auth = { hosts = 127.0.0.1:5232
type = "htpasswd";
htpasswd_filename = "/vault/radicale/users"; [auth]
htpasswd_encryption = "md5"; type = htpasswd
delay = 1; htpasswd_filename = /vault/radicale/users
}; htpasswd_encryption = md5
storage.filesystem_folder = "/vault/radicale/collections"; delay = 1
};
[storage]
filesystem_folder = /vault/radicale/collections
'';
}; };
# ZFS automatic snapshots # ZFS automatic snapshots
@@ -138,8 +98,4 @@
monthly = 12; monthly = 12;
}; };
# Start services after ZFS mount
systemd.services.syncthing.unitConfig.RequiresMountsFor = [ /vault/syncthing ];
systemd.services.radicale.unitConfig.RequiresMountsFor = [ /vault/radicale ];
} }

34
modules/devops.nix
View File

@@ -1,35 +1,19 @@
{ { config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
{
# Set up Gitea with LFS support # Set up Gitea with LFS support
services.gitea = { services.gitea = {
enable = true; enable = true;
domain = "git.coolneng.duckdns.org";
rootUrl = "https://git.coolneng.duckdns.org";
database = { database = {
type = "postgres"; type = "postgres";
passwordFile = config.age.secrets.gitea.path; passwordFile = "/var/keys/gitea/db";
}; };
cookieSecure = true;
disableRegistration = true;
repositoryRoot = "/vault/git"; repositoryRoot = "/vault/git";
appName = "Gitea"; appName = "Gitea";
lfs = { lfs.enable = true;
enable = true; settings = { ui = { DEFAULT_THEME = "arc-green"; }; };
contentDir = "${config.services.gitea.repositoryRoot}/data/lfs";
};
settings = {
server = {
DISABLE_SSH = true;
DOMAIN = "git.psydnd.org";
ROOT_URL = "https://git.psydnd.org";
};
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
actions.ENABLED = true;
};
}; };
# Start services after ZFS mount
systemd.services.gitea.unitConfig.RequiresMountsFor = [ /vault/git ];
} }

94
modules/hardware-configuration.nix
View File

@@ -4,55 +4,69 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" ]; boot.initrd.availableKernelModules = [ ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "sysion/stateful/root"; device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
fsType = "zfs"; fsType = "ext4";
}; };
fileSystems."/nix" = fileSystems."/boot" = {
{ device = "sysion/ephemeral/nix"; device = "/dev/disk/by-uuid/2178-694E";
fsType = "zfs"; fsType = "vfat";
}; };
fileSystems."/tmp" = fileSystems."/vault" = {
{ device = "sysion/ephemeral/tmp"; device = "vault";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/home/coolneng" = fileSystems."/vault/git" = {
{ device = "sysion/stateful/home"; device = "vault/git";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/boot" = fileSystems."/vault/nextcloud" = {
{ device = "/dev/disk/by-uuid/C332-4650"; device = "vault/nextcloud";
fsType = "vfat"; fsType = "zfs";
options = [ "fmask=0022" "dmask=0022" ]; };
};
swapDevices = fileSystems."/vault/syncthing" = {
[ { device = "/dev/disk/by-uuid/d388feef-a651-4dae-8161-f666136de240"; } device = "vault/syncthing";
]; fsType = "zfs";
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking fileSystems."/vault/backups" = {
# (the default) this is the recommended approach. When using systemd-networkd it's device = "vault/backups";
# still possible to use this option, but it's recommended to use it in conjunction fsType = "zfs";
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. };
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wg0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; fileSystems."/vault/backups/zion" = {
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; device = "vault/backups/zion";
fsType = "zfs";
};
fileSystems."/vault/backups/zion/databases" = {
device = "vault/backups/zion/databases";
fsType = "zfs";
};
fileSystems."/vault/backups/monolith" = {
device = "vault/backups/monolith";
fsType = "zfs";
};
fileSystems."/vault/radicale" = {
device = "vault/radicale";
fsType = "zfs";
};
swapDevices = [ ];
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
} }

47
modules/information.nix
View File

@@ -1,44 +1,27 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
{ {
# Miniflux configuration # Miniflux configuration
services.miniflux = { services.miniflux = {
enable = true; enable = true;
adminCredentialsFile = config.age.secrets.miniflux.path; adminCredentialsFile = "/var/keys/miniflux/admin";
}; config = {
BASE_URL = "https://rss.coolneng.duckdns.org";
# Microbin configuration RUN_MIGRATIONS = "1";
services.microbin = {
enable = true;
passwordFile = config.age.secrets.microbin.path;
settings = {
MICROBIN_PORT = 9091;
MICROBIN_PUBLIC_PATH = "https://bin.psydnd.org";
MICROBIN_QR = true;
MICROBIN_WIDE = true;
}; };
}; };
# Readeck configuration # Php-fpm pool for Wallabag
services.readeck = { services.phpfpm.pools.wallabag = {
enable = true; user = "nginx";
group = "nginx";
settings = { settings = {
server = { "pm" = "dynamic";
host = "127.0.0.1"; "pm.start_servers" = 2;
port = 9092; "pm.max_children " = 4;
allowed_hosts = [ "read.psydnd.org" ]; "pm.min_spare_servers " = 2;
trusted_proxies = [ "127.0.0.1" ]; "pm.max_spare_servers" = 4;
environmentFile = config.age.secrets.readeck.path; "pm.max_requests" = 32;
};
}; };
}; };
# NOTE Load credentials using environment variables
systemd.services.readeck.serviceConfig.EnvironmentFile = config.age.secrets.readeck.path;
} }

89
modules/monitoring.nix
View File

@@ -1,11 +1,4 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
with pkgs;
{ {
# Notify when a disk starts going haywire # Notify when a disk starts going haywire
@@ -13,80 +6,18 @@ with pkgs;
enable = true; enable = true;
notifications.mail = { notifications.mail = {
enable = true; enable = true;
sender = "akasroua+smartd@disroot.org"; recipient = "akasroua@gmail.com";
recipient = "akasroua@disroot.org";
mailer = "${msmtp}/bin/msmtp -t --read-envelope-from";
}; };
}; };
# Notify about zpool problems # Enable trivial MTA for smartd notifications
services.zfs.zed = { services.ssmtp = {
enableMail = false;
settings = {
ZED_EMAIL_ADDR = "akasroua+smartd@disroot.org";
ZED_EMAIL_PROG = "mail";
ZED_EMAIL_OPTS = "-s '@SUBJECT@' @ADDRESS@";
ZED_NOTIFY_VERBOSE = false;
};
};
# Set up msmtp as notifier
programs.msmtp = {
enable = true; enable = true;
defaults = { useTLS = true;
port = 587; useSTARTTLS = true;
tls = true; domain = "gmail.com";
}; hostName = "smtp.gmail.com:587";
accounts = { authUser = "akasroua@gmail.com";
default = { authPassFile = "/run/keys/ssmtp";
auth = true;
host = "disroot.org";
user = "akasroua@disroot.org";
passwordeval = "${coreutils}/bin/cat ${config.age.secrets.msmtp.path}";
};
};
}; };
# Metrics collection
services.prometheus = {
enable = true;
port = 9001;
retentionTime = "10y";
extraFlags = [ "--web.enable-admin-api" ];
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9002;
};
postgres.enable = true;
smartctl.enable = true;
};
scrapeConfigs = [
{
job_name = "zion";
static_configs = [
{
targets = [
"localhost:${toString config.services.prometheus.exporters.node.port}"
"localhost:${toString config.services.prometheus.exporters.postgres.port}"
"localhost:${toString config.services.prometheus.exporters.smartctl.port}"
"localhost:9641" # MQTT2Prometheus
];
}
];
}
];
};
# Grafana configuration
services.grafana = {
enable = true;
settings.server = {
domain = "grafana.psydnd.org";
http_port = 9009;
http_addr = "127.0.0.1";
};
};
} }

212
modules/networking.nix
View File

@@ -1,61 +1,28 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let password = builtins.readFile /var/lib/ddclient/token;
wireguard_port = 1194;
in in {
{ # Enable zeroconf
# Enable systemd-networkd services.avahi = {
networking = { enable = true;
hostName = "zion"; nssmdns = true;
hostId = "760bfad7"; publish = {
useDHCP = false; enable = true;
useNetworkd = true; userServices = true;
dhcpcd.enable = false; domain = true;
}; workstation = true;
systemd.network.wait-online.enable = false; };
reflector = true;
# Assign a static IP
systemd.network.networks."24-home" = {
name = "enp2s0";
matchConfig.Name = "enp2s0";
address = [ "192.168.128.2/23" ];
gateway = [ "192.168.128.1" ];
dns = [
"127.0.0.1"
"::1"
];
networkConfig.DNSSEC = "no";
}; };
# Dynamic DNS configuration # Dynamic DNS configuration
services.inadyn = { services.ddclient = {
enable = true; enable = true;
interval = "*:0/30"; quiet = true;
settings.provider."duckdns" = { protocol = "duckdns";
hostname = "coolneng.duckdns.org"; domains = [ "coolneng.duckdns.org" ];
include = config.age.secrets.inadyn-duckdns.path; inherit password;
};
};
# Dynamic DNS configuration for Porkbun
# NOTE Temporary workaround until Inadyn fixes the Porkbun module
services.oink = {
enable = true;
apiKeyFile = config.age.secrets.inadyn-porkbun.path;
secretApiKeyFile = config.age.secrets.inadyn-porkbun-secret.path;
settings.interval = 1800;
domains = [
{
domain = "psydnd.org";
subdomain = "";
}
];
}; };
# Firewall configuration # Firewall configuration
@@ -64,126 +31,67 @@ in
80 # HTTP 80 # HTTP
443 # HTTPS 443 # HTTPS
53 # DNS 53 # DNS
8448 # Matrix
1883 # MQTT
]; ];
allowedUDPPorts = [ allowedUDPPorts = [
wireguard_port # Wireguard 1194 # Wireguard
53 # DNS 53 # DNS
]; ];
extraCommands = '' extraCommands = ''
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${ iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
config.systemd.network.networks."24-home".name
} -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s fd00::0/128 -o ${
config.systemd.network.networks."24-home".name
} -j MASQUERADE
''; '';
}; };
# Disable IPv6
networking.enableIPv6 = false;
# Enable NAT for wireguard
networking.nat = {
enable = true;
externalInterface = "eth0";
internalInterfaces = [ "wg0" ];
};
# Wireguard setup # Wireguard setup
systemd.network.netdevs."wg0" = { networking.wireguard.interfaces = {
netdevConfig = { wg0 = {
Kind = "wireguard"; ips = [ "10.8.0.1/24" ];
Name = "wg0"; listenPort = 1194;
}; privateKeyFile = "/home/coolneng/.wg/keys/privatekey";
wireguardConfig = { peers = [
ListenPort = wireguard_port; # panacea
PrivateKeyFile = config.age.secrets.wireguard.path; {
}; publicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
wireguardPeers = [ allowedIPs = [ "10.8.0.2/32" ];
# panacea }
{ # caravanserai
PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38="; {
AllowedIPs = [ publicKey = "eFykHmnMALRUluApRfSM32Xw80kTNo7yUsxs47URkX4=";
"10.8.0.2/32" allowedIPs = [ "10.8.0.3/32" ];
"fd00::2/128" }
];
}
# caravanserai
{
PublicKey = "mCsTj09H7lfDDs8vMQkJOlItHtHQ6MPUyfGO5ZjBbVs=";
AllowedIPs = [
"10.8.0.3/32"
"fd00::3/128"
];
}
# kathreftis
{
PublicKey = "qfHtv6LSZjtxvH46d8pysr+/yPo2tV9cZumgIpxBNF4=";
AllowedIPs = [
"10.8.0.4/32"
"fd00::4/128"
];
}
];
};
systemd.network.networks."wg0" = {
matchConfig.Name = "wg0";
networkConfig = {
Address = [
"10.8.0.1/24"
"fd00::1/128"
]; ];
IPv4Forwarding = true;
IPv6Forwarding = true;
}; };
}; };
# Disable systemd-resolved DNS stub
services.resolved = {
enable = true;
llmnr = "false";
extraConfig = ''
MulticastDNS=yes
DNSStubListener=no
'';
};
# DNS server with ad-block # DNS server with ad-block
services.dnsmasq = { services.dnsmasq = {
enable = true; enable = true;
settings = { servers = [ "198.100.148.224" "94.16.114.254" ];
domain-needed = true; extraConfig = ''
bogus-priv = true; domain-needed
no-resolv = true; bogus-priv
no-resolv
listen-address = [ listen-address=127.0.0.1,192.168.13.2,10.8.0.1
"127.0.0.1" bind-interfaces
"192.168.128.2"
"10.8.0.1"
"::1"
"fd00::1"
];
bind-interfaces = true;
server = [ "127.0.0.1#43" ];
cache-size = 10000; cache-size=10000
local-ttl = 300; local-ttl=300
conf-file = "${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf"; conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt
dnssec = false;
address = "/psydnd.org/192.168.128.2";
};
};
# Encrypted DNS address=/coolneng.duckdns.org/192.168.13.2
services.dnscrypt-proxy = { '';
enable = true;
upstreamDefaults = true;
settings = {
listen_addresses = [
"127.0.0.1:43"
"[::1]:43"
];
sources.public-resolvers = {
urls = [ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" ];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
blocked_names.blocked_names_file = "/var/lib/dnscrypt-proxy/blocklist.txt";
};
}; };
} }

47
modules/periodic.nix
View File

@@ -1,16 +1,10 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
let let
stateDir = "/var/lib/dnscrypt-proxy"; stateDir = "/var/lib/dnsmasq";
blocklist = "${stateDir}/blocklist.txt"; blocklist = "${stateDir}/dnsmasq.blacklist.txt";
in in {
{
# PostgreSQL daily backups # PostgreSQL daily backups
services.postgresqlBackup = { services.postgresqlBackup = {
enable = true; enable = true;
@@ -20,32 +14,25 @@ in
}; };
# Fetch hosts-blocklists daily # Fetch hosts-blocklists daily
# TODO Download the list if the file doesn't exist the first time
systemd.services.download-dns-blocklist = { systemd.services.download-dns-blocklist = {
description = "Download hosts-blocklists"; description = "Download hosts-blocklists";
wantedBy = [ "default.target" ]; wantedBy = [ "default.target" ];
path = with pkgs; [ path = with pkgs; [ curl ];
curl script =
coreutils "curl -L https://github.com/notracking/hosts-blocklists/raw/master/dnsmasq/dnsmasq.blacklist.txt -o ${blocklist}";
]; serviceConfig = { Type = "oneshot"; };
script = '' postStop = ''
curl -L https://download.dnscrypt.info/blacklists/domains/mybase.txt -o ${blocklist} chown -R dnsmasq ${stateDir}
systemctl restart dnsmasq
''; '';
serviceConfig.Type = "oneshot";
startAt = "02:00:00";
}; };
# Push zion changes to git daily systemd.timers.download-dns-blocklist = {
systemd.user.services.zion-push = { description = "Daily download of hosts-blocklists";
description = "Push zion changes to git";
wantedBy = [ "default.target" ]; wantedBy = [ "default.target" ];
path = with pkgs; [ git ]; timerConfig = {
script = '' OnCalendar = "02:00:00";
${pkgs.git}/bin/git -C /home/coolneng/system pull Unit = "download-dns-blocklist.service";
${pkgs.git}/bin/git -C /home/coolneng/system push };
'';
serviceConfig.Type = "oneshot";
startAt = "07:00:00";
after = [ "network-online.target" ];
}; };
} }

207
modules/webstack.nix
View File

@@ -1,69 +1,60 @@
# Web services configuration # Web services configuration
{ { config, pkgs, lib, ... }: {
config,
pkgs, environment.systemPackages = with pkgs; [ libressl ];
lib,
...
}:
{
# Reverse proxy configuration # Reverse proxy configuration
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
recommendedBrotliSettings = true; recommendedGzipSettings = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
clientMaxBodySize = "0"; clientMaxBodySize = "0";
sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128"; sslCiphers =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
sslProtocols = "TLSv1.2 TLSv1.3"; sslProtocols = "TLSv1.2 TLSv1.3";
sslDhparam = "/var/lib/dhparams/nginx.pem"; sslDhparam = "/var/lib/dhparams/nginx.pem";
commonHttpConfig = '' commonHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests. # Add HSTS header with preloading to HTTPS requests.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; # Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Minimize information leaked to other domains # Minimize information leaked to other domains
add_header 'Referrer-Policy' 'strict-origin-when-cross-origin'; add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks) # Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options SAMEORIGIN;
# This might create errors # This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
''; '';
virtualHosts = { virtualHosts = {
# Old domain being redirected
"coolneng.duckdns.org" = { "coolneng.duckdns.org" = {
useACMEHost = "coolneng.duckdns.org"; enableACME = true;
forceSSL = true; forceSSL = true;
# Redirect from legacy subdirectory URL to subdomain
locations = { locations = {
"/".return = "301 https://psydnd.org$request_uri"; "/radicale/".return = "301 https://radicale.coolneng.duckdns.org";
# Delegation for Matrix "/syncthing/".return = "301 https://sync.coolneng.duckdns.org";
"/.well-known/" = { "/gitea/".extraConfig =
alias = "${../well-known}" + "/"; "rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
extraConfig = '' "/miniflux/".extraConfig =
${config.services.nginx.commonHttpConfig} "rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
default_type application/json;
add_header Access-Control-Allow-Origin * always;
'';
};
}; };
}; };
# Redirect subdomains "radicale.coolneng.duckdns.org" = {
"~^(?<subdomain>.+)\.coolneng\.duckdns\.org$" = { enableACME = true;
useACMEHost = "coolneng.duckdns.org";
forceSSL = true;
locations."/".return = "301 https://$subdomain.psydnd.org$request_uri";
};
# Current domain
"psydnd.org" = {
useACMEHost = "psydnd.org";
forceSSL = true;
};
"radicale.psydnd.org" = {
useACMEHost = "psydnd.org";
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:5232/"; proxyPass = "http://localhost:5232/";
@@ -73,33 +64,25 @@
''; '';
}; };
}; };
"sync.psydnd.org" = { "sync.coolneng.duckdns.org" = {
useACMEHost = "psydnd.org"; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://localhost:8384/"; locations."/".proxyPass = "http://localhost:8384/";
}; };
"git.psydnd.org" = { "git.coolneng.duckdns.org" = {
useACMEHost = "psydnd.org"; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/".proxyPass = "http://localhost:3000/";
proxyPass = "http://localhost:3000/";
extraConfig = ''
${config.services.nginx.commonHttpConfig}
# Disable embedding as a frame, except from the same origin
add_header Content-Security-Policy "frame-src git.psydnd.org; frame-ancestors git.psydnd.org";
'';
};
}; };
"rss.psydnd.org" = { "rss.coolneng.duckdns.org" = {
useACMEHost = "psydnd.org"; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://localhost:8080/"; locations."/".proxyPass = "http://localhost:8080/";
}; };
"matrix.psydnd.org" = { "matrix.coolneng.duckdns.org" = {
useACMEHost = "psydnd.org"; enableACME = true;
forceSSL = true; forceSSL = true;
listen = [ listen = [
# IPv4
{ {
addr = "0.0.0.0"; addr = "0.0.0.0";
port = 8448; port = 8448;
@@ -110,91 +93,56 @@
port = 443; port = 443;
ssl = true; ssl = true;
} }
# IPv6
{
addr = "[::]";
port = 8448;
ssl = true;
}
{
addr = "[::]";
port = 443;
ssl = true;
}
]; ];
locations."~ ^(/_matrix|/_synapse/client)".proxyPass = "http://localhost:8008"; locations."/" = { proxyPass = "http://localhost:8008/"; };
}; };
"element.psydnd.org" = { "element.coolneng.duckdns.org" = {
useACMEHost = "psydnd.org"; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".root = pkgs.element-web.override { locations."/" = {
conf.default_server_config = { root = pkgs.element-web.override {
"m.homeserver"."base_url" = "https://matrix.psydnd.org"; conf = {
"m.identity_server"."base_url" = "https://vector.im"; default_server_config."m.homeserver" = {
"base_url" = "https://matrix.coolneng.duckdns.org";
"server_name" = "coolneng.duckdns.org";
};
};
}; };
}; };
}; };
"books.psydnd.org" = { "wallabag.coolneng.duckdns.org" = {
useACMEHost = "psydnd.org"; root = "${pkgs.wallabag}/web";
forceSSL = true; locations."/" = { tryFiles = "$uri /app.php$is_args$args"; };
locations."/" = { locations."~ ^/app.php(/|$)" = {
proxyPass = "http://localhost:9000/";
proxyWebsockets = true;
extraConfig = '' extraConfig = ''
proxy_set_header Upgrade $http_upgrade; include ${pkgs.nginx}/conf/fastcgi.conf;
proxy_set_header Connection "Upgrade"; fastcgi_pass unix:/run/phpfpm/wallabag.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param WALLABAG_DATA /var/lib/wallabag/app;
fastcgi_param DOCUMENT_ROOT $realpath_root;
internal;
''; '';
}; };
}; };
"grafana.psydnd.org" = {
useACMEHost = "psydnd.org";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:9009/";
proxyWebsockets = true;
};
};
"podcast.psydnd.org" = {
useACMEHost = "psydnd.org";
forceSSL = true;
locations."/".proxyPass = "http://localhost:9090/";
};
"bin.psydnd.org" = {
useACMEHost = "psydnd.org";
forceSSL = true;
locations."/".proxyPass = "http://localhost:9091/";
};
"read.psydnd.org" = {
useACMEHost = "psydnd.org";
forceSSL = true;
locations."/".proxyPass = "http://localhost:9092/";
};
"photos.psydnd.org" = {
useACMEHost = "psydnd.org";
forceSSL = true;
locations."/".proxyPass = "http://localhost:9191/";
};
}; };
}; };
# ACME certs configuration # ACME certs configuration
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults = { email = "akasroua@gmail.com";
email = "akasroua@disroot.org";
group = "nginx";
};
certs = { certs = {
"coolneng.duckdns.org" = { "coolneng.duckdns.org" = {
domain = "*.coolneng.duckdns.org"; extraDomainNames = [
dnsProvider = "duckdns"; "radicale.coolneng.duckdns.org"
environmentFile = config.age.secrets.acme-duckdns.path; "sync.coolneng.duckdns.org"
}; "git.coolneng.duckdns.org"
"psydnd.org" = { "rss.coolneng.duckdns.org"
domain = "psydnd.org"; "matrix.coolneng.duckdns.org"
extraDomainNames = [ "*.psydnd.org" ]; "element.coolneng.duckdns.org"
dnsProvider = "porkbun"; "wallabag.coolneng.duckdns.org"
environmentFile = config.age.secrets.acme-porkbun.path; ];
}; };
}; };
}; };
@@ -202,14 +150,13 @@
# Generate dhparams # Generate dhparams
security.dhparams = { security.dhparams = {
enable = true; enable = true;
defaultBitSize = 4096; params = { nginx.bits = 2048; };
params.nginx.bits = 4096;
}; };
# PostgreSQL databases configuration # PostgreSQL databases configuration
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_16; package = pkgs.postgresql_11;
authentication = lib.mkForce '' authentication = lib.mkForce ''
# Generated file; do not edit! # Generated file; do not edit!
# TYPE DATABASE USER ADDRESS METHOD # TYPE DATABASE USER ADDRESS METHOD
@@ -217,10 +164,6 @@
host all all 127.0.0.1/32 trust host all all 127.0.0.1/32 trust
host all all ::1/128 trust host all all ::1/128 trust
''; '';
settings = {
max_connections = "300";
shared_buffers = "1024MB";
};
}; };
# Restart reverse proxy after services startup # Restart reverse proxy after services startup
@@ -229,10 +172,8 @@
"syncthing.service" "syncthing.service"
"miniflux.service" "miniflux.service"
"radicale.service" "radicale.service"
"dendrite.service" "matrix-synapse.service"
"grafana.service" "element.service"
"podman-openbooks.service" "phpfpm-wallabag.service"
"podman-mqtt2prometheus.service"
"podman-opodsync.service"
]; ];
} }

66
scripts/install.sh
View File

@@ -1,66 +0,0 @@
#!/bin/sh
partition_disk() {
parted "$DISK" -- mklabel gpt
parted "$DISK" -- mkpart ESP fat32 1MiB 1025MiB
parted "$DISK" -- mkpart linux-swap 1025MiB 17409MiB
parted "$DISK" -- mkpart primary 17409MiB 100%
parted "$DISK" -- set 1 boot on
mkfs.fat -F32 -n BOOT "$DISK"p1
mkswap "$DISK"p2
swapon "$DISK"p2
}
zfs_setup() {
zpool import -f vault
zpool create -f -o ashift=12 -o autotrim=on -O acltype=posixacl -O relatime=on \
-O xattr=sa -O dnodesize=legacy -O normalization=formD -O mountpoint=none \
-O canmount=off -O devices=off -R /mnt -O compression=zstd "$POOL_NAME" "$DISK"p3
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/ephemeral
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/ephemeral/nix
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false -o sync=disabled -o setuid=off "$POOL_NAME"/ephemeral/tmp
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/stateful
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=true "$POOL_NAME"/stateful/home
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/stateful/root
}
mount_datasets() {
mount -t zfs sysion/stateful/root /mnt
mkdir -p /mnt/boot
mount "$DISK"p1 /mnt/boot
mkdir -p /mnt/home/coolneng
mount -t zfs sysion/stateful/home /mnt/home/coolneng
mkdir -p /mnt/nix
mount -t zfs sysion/ephemeral/nix /mnt/nix
mkdir -p /mnt/tmp
mount -t zfs sysion/ephemeral/tmp /mnt/tmp
}
install_system() {
nixos-generate-config --root /mnt
mv /mnt/etc/nixos/hardware-configuration.nix modules/hardware-configuration.nix
nix-shell -p git --command "nixos-install --root /mnt --flake .#zion"
}
usage() {
echo "Usage: install.sh <disk>"
echo "disk: full path to the disk (e.g. /dev/sda)"
exit 1
}
if [ $# != 1 ]; then
usage
fi
DISK="$1"
POOL_NAME="sysion"
echo "Let's start by partitioning the disk"
partition_disk
echo "Starting up the ZFS machinery"
zfs_setup
echo "Mounting the horse"
mount_datasets
echo "Lift off to the NixOS planet"
install_system
echo "All ready, time to rejoice"

50
scripts/motd.sh
View File

@@ -1,50 +0,0 @@
#!/run/current-system/sw/bin/bash
# Kernel information
LINUX=$(uname -rs | cut -d " " -f2)
# System uptime
uptime=$(cut -f1 -d. </proc/uptime)
upDays=$((uptime / 60 / 60 / 24))
upHours=$((uptime / 60 / 60 % 24))
upMins=$((uptime / 60 % 60))
upSecs=$((uptime % 60))
# System load
MEMORY=$(free -m | awk 'NR==2{printf "%s/%sMB (%.2f%%)\n", $3,$2,$3*100/$2 }')
CPU_LOAD=$(uptime | cut -d: -f5)
echo "============================================================
- Kernel..............: $LINUX
- System load.........:$CPU_LOAD
- Memory used.........: $MEMORY
- System uptime.......: $upDays days $upHours hours $upMins minutes $upSecs seconds
============================================================"
services=(
"syncthing.service"
"radicale.service"
"miniflux.service"
"gitea.service"
"dendrite.service"
"nginx.service"
"dnsmasq.service"
"dnscrypt-proxy.service"
"podman-openbooks.service"
"mosquitto.service"
"podman-mqtt2prometheus.service"
"prometheus.service"
"grafana.service"
)
for var in "${services[@]}"; do
if [[ -z $var ]]; then
printf "\n"
else
if systemctl -q is-active "${var}"; then
printf "%-40s [\e[32mOK\e[39m]\n" "$var"
else
printf "%-40s [\e[31mFAIL\e[39m]\n" "$var"
fi
fi
done
echo "============================================================"

BIN
secrets/acme-duckdns.age
View File

Binary file not shown.

5
secrets/acme-porkbun.age
View File

@@ -1,5 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg 7JImhL2Wo/eJEwUGP+NhEf36yq5gHO9q1GYhY2HaMAY
eAMhD0sqHQS+aayBpOsY8+081i72QAhJCFbBe0//uwU
--- 4K8cXsDuWZrmWNJ+rz166ej9o/gLFc7CfJuzAsG0BxA
|.<2E><><EFBFBD> f<><66>f<EFBFBD>=<1D>-<2D>X$P<>:

BIN
secrets/dendrite-postgres.age
View File

Binary file not shown.

BIN
secrets/dendrite.age
View File

Binary file not shown.

BIN
secrets/facebook.age
View File

Binary file not shown.

8
secrets/git.age
View File

@@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg MMf85MfBRho4AAWRJW6WlGxG4Drnuz9qqBlTzpOKiRc
tZSl7z0wkSO0K0mJ44q9Ix3yVCMp3LMh/jllNAOK5+E
-> n5p-grease .1Sb)yr iCEC
lXYS70Iag6qiAErdO8kSpaTqeBwXTWszUTCT1M3Uy4VxFY17
--- iWFH19Fd0y8eP9rkWjHt4xqFXqVC/S6dNEfczvRkGwY
txE <09>Rͫ$Y<><0F><><EFBFBD><EFBFBD>j`<60>n<EFBFBD><6E>j<EFBFBD><6A><EFBFBD><13><14><><EFBFBD>RI<18>P$$Ag<01>]볷<>2<EFBFBD><32>g F
t<EFBFBD>[u<06><><EFBFBD><EFBFBD>M<EFBFBD><1E>nG<6E><47><17><><07>q<07><>;xa<78>š<EFBFBD>qe

7
secrets/gitea.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg qr3AoWBF4bx+2bK0STPQtBRDjU6HW5SfXIIUE8GJfxE
mr9m+Le1RrMFumNjSEXpkqbqK9e6jbT4ltWvx/hRplE
-> !W;iA-grease 343tk
f2Fn5fkaYHB/X9wKx/Fa5pJN
--- RynMspwxpbATQ4tCuRoyB9d62IhnADztJu58ohN7mkw
e<EFBFBD>E<EFBFBD><EFBFBD><EFBFBD><EFBFBD>'+<2B><><><0F><>.0O<EFBFBD><EFBFBD>+$%@YWw|<1A><>v2<76>Ri -<2D>ոi<D5B8><69><18>f<07><>f<1A><>i<EFBFBD><69><EFBFBD>vO<0F>܆<><DC86>w!<1F><><EFBFBD><EFBFBD><EFBFBD>Q<EFBFBD><1D>7<EFBFBD>H<EFBFBD>O<EFBFBD>i<EFBFBD><69>0d9<64>!G-<2D>CY<43>+ẖyOB<1C>?<3F><>)<29>Ю1<D0AE><31>뒚i K<><4B>z-~M<>_|#a<>Z<03>4I<><49>(<28>g<02><><EFBFBD><EFBFBD>o<EFBFBD>

6
secrets/inadyn-duckdns.age
View File

@@ -1,6 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg XMrsd1RQcDq/SpFtqpB4Gj1keCvJsMB+VA58qZirYA4
tf8NQzoEYJXlKBjtX4ZplaPQv51RCW9yHulvKZB8c8g
--- 5wZntAZCQ4pGYrgDFd63w6Y+Taaatcw5z0tDSvShi30
<EFBFBD><EFBFBD>4<EFBFBD><EFBFBD><EFBFBD>Ɖq3<EFBFBD>&
><0E>4<EFBFBD><34>J<EFBFBD>?<3F><0F><> QW<51>jZ<:'<<16>x(<28>Y<16>i<EFBFBD>ZDO#<23>w<7F><77>R<EFBFBD><52><EFBFBD>O@2<>cAj (f<><66><EFBFBD><EFBFBD>M<EFBFBD><4D><EFBFBD>

5
secrets/inadyn-porkbun-secret.age
View File

@@ -1,5 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg paS5BxWWicriSLAZyCBKd2xylLAp4/LcHmogO7me8yQ
MWW/Pkvn+4G4YeYXY9ZPXC92TbcFXQMyHJ2ltFzXpZs
--- ZdFfQ7tHfEo+u/0MmigCNh6OIxkd2bimRN30rMUs1ks
<EFBFBD>9<EFBFBD>7Y<EFBFBD>$B<>sX<0E>ʽb<CABD>O'J<><4A>S'<27>5!<21><>UMʯ-v<>m<EFBFBD><6D><EFBFBD><EFBFBD><EFBFBD>8%|R,<2C>~I<><14><>G<EFBFBD><47>VQE<0E>0D<30>:Qv<<1E><>)<29> <0B><>%fc<66><63>XZչ 7+yB

BIN
secrets/inadyn-porkbun.age
View File

Binary file not shown.

BIN
secrets/microbin.age
View File

Binary file not shown.

BIN
secrets/miniflux.age
View File

Binary file not shown.

8
secrets/mqtt-receiver.age
View File

@@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg JT+as1Cl66qOy5yY3WJNs0bh51DWaCe/+XZLR8m1L0A
/6CyRX6Ks7Wr/ySlJhdfkabcy4N5rQ0VzGtlbxL8RCs
-> L$l;-grease uU_g`a
N00Z5C8AKzdnGZuFUHqY6uZBiMryyT3IXkdNlYW2fVJLOSfkfFdXssIK9hcMObyi
sQENGphUf1Sk16Vo9p4emOL5mtzU
--- flb9q0/Q608TJ6K9fsGULVwi2Pk860Cz750d5DBSfMM
1<EFBFBD>%<25><>=<3D><4C><DAAE>s<EFBFBD>c/<2F>Iy<49><79>oT!<21>ڏ<EFBFBD>&X<0F><><EFBFBD>WՒZ̋<5A><CC8B> <0E>8Z<38><5A><EFBFBD><EFBFBD><EFBFBD>æ<19><><EFBFBD><EFBFBD><06> <09> <0B>tw<74>'<27><> i<>e’<65>_<EFBFBD>}-<2D>V<EFBFBD>$<24>S<EFBFBD><53><EFBFBD><EFBFBD><EFBFBD>خA<D8AE><41><EFBFBD>h<EFBFBD><68><EFBFBD><04><>!<21><>9Z<39><5A><05><>hqіIa<49><61>,

BIN
secrets/mqtt-sender.age
View File

Binary file not shown.

7
secrets/msmtp.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg +E0/YCwuUtJNFQHtniQyN+xU/1s0phXNMd5YYbOGGFA
Xfht0XPm+oflQLicH5MWGF2nLzu44p/DgahpZa2K70k
-> NlBVK_)-grease SRaB^ jo >B#rtU zoC-H]
lAQL9zTNvGOmJv7FhQaYKd9Ac+MdQSKAhN8hgOTzyh4
--- 0ox9Q/KOAhuHxkDHIwj6ab6rzie4T/mU9GIT8p4x+0g
<12>UC<55><43>8<EFBFBD><38>^<5E>UK<55><4B><EFBFBD>x<EFBFBD>U<EFBFBD>^<5E>=<3D>)<29>d<EFBFBD>l<><6C><EFBFBD><12><><EFBFBD><EFBFBD>Q<EFBFBD>ҫpQH<51><48><EFBFBD><EFBFBD>1<EFBFBD><31>x<EFBFBD><78>;K<>U;<3B>lb<><62>K9<4B>*`<60><>:I<>:<3A><><13><>t<EFBFBD><74>SF<53><46>f<EFBFBD>yGU

BIN
secrets/readeck.age
View File

Binary file not shown.

25
secrets/secrets.nix
View File

@@ -1,25 +0,0 @@
let
zion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW";
in
{
"wireguard.age".publicKeys = [ zion ];
"syncthing.age".publicKeys = [ zion ];
"msmtp.age".publicKeys = [ zion ];
"gitea.age".publicKeys = [ zion ];
"miniflux.age".publicKeys = [ zion ];
"git.age".publicKeys = [ zion ];
"dendrite.age".publicKeys = [ zion ];
"dendrite-postgres.age".publicKeys = [ zion ];
"telegram.age".publicKeys = [ zion ];
"mqtt-sender.age".publicKeys = [ zion ];
"mqtt-receiver.age".publicKeys = [ zion ];
"facebook.age".publicKeys = [ zion ];
"signal.age".publicKeys = [ zion ];
"inadyn-duckdns.age".publicKeys = [ zion ];
"inadyn-porkbun.age".publicKeys = [ zion ];
"inadyn-porkbun-secret.age".publicKeys = [ zion ];
"acme-duckdns.age".publicKeys = [ zion ];
"acme-porkbun.age".publicKeys = [ zion ];
"microbin.age".publicKeys = [ zion ];
"readeck.age".publicKeys = [ zion ];
}

8
secrets/signal.age
View File

@@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg J/gZDBtDsIzjCzO1y2vXgxl8YuvWJgcpk+8KMOp63kg
1XF9JFAIscHWFJMTctZOxVIBYhYliUFays5gwjZt6hs
-> vM4\2y\'-grease
bj9VKIuH0l1v5X8N2v4p+u3VySDKjj3WAyVZ7f+wmy16wncrNyMtiUZ+ELBWfqXd
XOyeGZoKBHwd8lOgkZ+va0BEkBJs9piX
--- K2uN9JxuqPQpAxjQ+6dgsqhsq50nTkLsw8QGJprE5hQ
H<EFBFBD><EFBFBD><EFBFBD>S<>:<3A>eJ4}'<27><><EFBFBD>T<EFBFBD><54>˦ <0B><>[<5B>'<27>M<EFBFBD><4D><EFBFBD>9<><07><>E6_<36><12><><EFBFBD><1D><><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD>yPM8''<27>'<15>F<><46><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Rڡ"<22>ݏ<EFBFBD>X<EFBFBD><58><EFBFBD><EFBFBD>;<3B><>4<EFBFBD>J/>k<1C>5<EFBFBD><<15><>:<3A>M<EFBFBD>lK$<24>ӟq<D39F>S<EFBFBD><53><EFBFBD><EFBFBD>#<23>Ō<04>j<EFBFBD>X)<29><>v<EFBFBD><76><EFBFBD>–<EFBFBD>Ou<4F><75>J<>P<EFBFBD><12><>~

BIN
secrets/syncthing.age
View File

Binary file not shown.

BIN
secrets/telegram.age
View File

Binary file not shown.

5
secrets/wallabag-postgres.age
View File

@@ -1,5 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg zWm4+j3/IRqd3uZqGzXVcHvs+urNrvDMOceWKbpl018
HlIKCFYt7n3iKZav5i0YiB4awRMJML0XUowX8sKKH2c
--- ysvYVxgK1OeqCk8KdNF+uWsaQ9EzVRku7nw37aUAW3A
c<EFBFBD><EFBFBD>b<EFBFBD>W|bU<62>B"<22><04>Ե<EFBFBD><D4B5><EFBFBD><EFBFBD><EFBFBD><03><>U<EFBFBD>

BIN
secrets/wallabag.age
View File

Binary file not shown.

BIN
secrets/wireguard.age
View File

Binary file not shown.

5
well-known/matrix/client
View File

@@ -1,5 +0,0 @@
{
"m.homeserver": {
"base_url": "https://matrix.psydnd.org"
}
}

1
well-known/matrix/server
View File

@@ -1 +0,0 @@
{ "m.server": "matrix.psydnd.org:443" }