From 065bc4f68368fd73bd2984ab6d4dd57db8ee3b44 Mon Sep 17 00:00:00 2001 
From: Robert Gerus Date: Sun, 3 Sep 2023 13:35:16 +0200 Subject: [PATCH] scaffolding --- .gitignore | 2 + flake.lock | 343 ++++++++++++++ flake.nix | 65 +++ nixos/scylla/configuration.nix | 595 ++++++++++++++++++++++++ nixos/scylla/hardware-configuration.nix | 26 ++ nixos/scylla/pkgs/restool/default.nix | 56 +++ secrets.nix | 39 ++ secrets/cassAuth.age | 14 + secrets/keycloakDatabase.age | 11 + secrets/lan/nibylandia-ddns-bind.age | 13 + secrets/lan/nibylandia-ddns-kea.age | 11 + secrets/mail/apo.age | 13 + secrets/mail/ar.age | Bin 0 -> 641 bytes secrets/mail/enki.age | Bin 0 -> 538 bytes secrets/mail/keycloak.age | 11 + secrets/mail/keycloakPlain.age | Bin 0 -> 587 bytes secrets/mail/madargon.age | 13 + secrets/mail/mastodon.age | 11 + secrets/mail/mastodonPlain.age | 12 + secrets/mail/matrix.age | 11 + secrets/mail/vaultwarden.age | 12 + secrets/mail/vaultwardenPlain.age | 12 + secrets/miniflux.age | Bin 0 -> 595 bytes secrets/nextCloudAdmin.age | Bin 0 -> 504 bytes secrets/nextCloudExporter.age | 11 + secrets/norkclubMinecraftRestic.age | 11 + secrets/stuffAuth.age | 15 + secrets/wg/dn42_w1kl4s_scylla.age | Bin 0 -> 506 bytes secrets/wg/nibylandia_scylla.age | 12 + secrets/wg/nibylandia_zorigami.age | 11 + 30 files changed, 1330 insertions(+) create mode 100644 .gitignore create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 nixos/scylla/configuration.nix create mode 100644 nixos/scylla/hardware-configuration.nix create mode 100644 nixos/scylla/pkgs/restool/default.nix create mode 100644 secrets.nix create mode 100644 secrets/cassAuth.age create mode 100644 secrets/keycloakDatabase.age create mode 100644 secrets/lan/nibylandia-ddns-bind.age create mode 100644 secrets/lan/nibylandia-ddns-kea.age create mode 100644 secrets/mail/apo.age create mode 100644 secrets/mail/ar.age create mode 100644 secrets/mail/enki.age create mode 100644 secrets/mail/keycloak.age create mode 100644 secrets/mail/keycloakPlain.age create mode 100644 
secrets/mail/madargon.age create mode 100644 secrets/mail/mastodon.age create mode 100644 secrets/mail/mastodonPlain.age create mode 100644 secrets/mail/matrix.age create mode 100644 secrets/mail/vaultwarden.age create mode 100644 secrets/mail/vaultwardenPlain.age create mode 100644 secrets/miniflux.age create mode 100644 secrets/nextCloudAdmin.age create mode 100644 secrets/nextCloudExporter.age create mode 100644 secrets/norkclubMinecraftRestic.age create mode 100644 secrets/stuffAuth.age create mode 100644 secrets/wg/dn42_w1kl4s_scylla.age create mode 100644 secrets/wg/nibylandia_scylla.age create mode 100644 secrets/wg/nibylandia_zorigami.age diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..84190c9 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +result* +.*swp diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..089a961 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,343 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "darwin": [], + "home-manager": "home-manager", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1694793763, + "narHash": "sha256-y6gTE1C9mIoSkymRYyzCmv62PFgy+hbZ5j8fuiQK5KI=", + "owner": "ryantm", + "repo": "agenix", + "rev": "572baca9b0c592f71982fca0790db4ce311e3c75", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "base16-schemes": { + "flake": false, + "locked": { + "lastModified": 1680729003, + "narHash": "sha256-M9LHTL24/W4oqgbYRkz0B2qpNrkefTs98pfj3MxIXnU=", + "owner": "tinted-theming", + "repo": "base16-schemes", + "rev": "dc048afa066287a719ddbab62b3e19e4b5110cf0", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "base16-schemes", + "type": "github" + } + }, + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs_2", + "utils": "utils" + }, + "locked": { + "lastModified": 1694513707, + "narHash": "sha256-wE5kHco3+FQjc+MwTPwLVqYz4hM7uno2CgXDXUFMCpc=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "31c32fb2959103a796e07bbe47e0a5e287c343a8", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682203081, + "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", + "type": "github" + }, + "original": { + 
"owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1694643239, + "narHash": "sha256-pv2k/5FvyirDE8g4TNehzwZ0T4UOMMmqWSQnM/luRtE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "d9b88b43524db1591fb3d9410a21428198d75d49", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "nix-colors": { + "inputs": { + "base16-schemes": "base16-schemes", + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1682108218, + "narHash": "sha256-tMr7BbxualFQlN+XopS8rMMgf2XR9ZfRuwIZtjsWmfI=", + "owner": "misterio77", + "repo": "nix-colors", + "rev": "b92df8f5eb1fa20d8e09810c03c9dc0d94ef2820", + "type": "github" + }, + "original": { + "owner": "misterio77", + "repo": "nix-colors", + "type": "github" + } + }, + "nix-formatter-pack": { + "inputs": { + "nixpkgs": "nixpkgs_4", + "nmd": "nmd", + "nmt": "nmt" + }, + "locked": { + "lastModified": 1689022371, + "narHash": "sha256-+jxvMYzmzKaGFh7VDgKBmdP1ZBaGhdzL5WZaspdKpTA=", + "owner": "Gerschtli", + "repo": "nix-formatter-pack", + "rev": "d974547b3d7c7ce2975dc120ef3bc53f9dd61127", + "type": "github" + }, + "original": { + "owner": "Gerschtli", + "repo": "nix-formatter-pack", + "type": "github" + } + }, + "nix-index-database": { + "inputs": { + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1694921880, + "narHash": "sha256-yU36cs5UdzhTwsM9bUWUz43N//ELzQ1ro69C07pU/8E=", + "owner": "Mic92", + "repo": "nix-index-database", + "rev": "9d2bcc47110b3b6217dfebd6761ba20bc78aedf2", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "nix-index-database", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1677676435, + "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169", 
+ "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1680397293, + "narHash": "sha256-wBpJ73+tJ8fZSWb4tzNbAVahC4HSo2QG3nICDy4ExBQ=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "b18d328214ca3c627d3cc3f51fd9d1397fdbcd7a", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1671417167, + "narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1694422566, + "narHash": "sha256-lHJ+A9esOz9vln/3CJG23FV6Wd2OoOFbDeEs4cMGMqc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3a2786eea085f040a66ecde1bc3ddc7099f6dbeb", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1669933672, + "narHash": "sha256-9nzaATSTmEMpTrx+7j3vVwQkcpu9JMkQ1M08iPtu7m4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "da12bb299b2941299b1de24fbd92c5dd35de40e9", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1694767346, + "narHash": "sha256-5uH27SiVFUwsTsqC5rs3kS7pBoNhtoy9QfTP9BmknGk=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ace5093e36ab1e95cb9463863491bee90d5a4183", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { + "locked": { + "lastModified": 1694972439, + 
"narHash": "sha256-LXkr3gvhm9u+h+RqZB51XQeZQww/wD5QRnDDMq91QZM=", + "owner": "arachnist", + "repo": "nixpkgs", + "rev": "3a369a4140123299311eb6e4a5b430fc52d4ce9e", + "type": "github" + }, + "original": { + "owner": "arachnist", + "ref": "kea-json-includes", + "repo": "nixpkgs", + "type": "github" + } + }, + "nmd": { + "flake": false, + "locked": { + "lastModified": 1666190571, + "narHash": "sha256-Z1hc7M9X6L+H83o9vOprijpzhTfOBjd0KmUTnpHAVjA=", + "owner": "rycee", + "repo": "nmd", + "rev": "b75d312b4f33bd3294cd8ae5c2ca8c6da2afc169", + "type": "gitlab" + }, + "original": { + "owner": "rycee", + "repo": "nmd", + "type": "gitlab" + } + }, + "nmt": { + "flake": false, + "locked": { + "lastModified": 1648075362, + "narHash": "sha256-u36WgzoA84dMVsGXzml4wZ5ckGgfnvS0ryzo/3zn/Pc=", + "owner": "rycee", + "repo": "nmt", + "rev": "d83601002c99b78c89ea80e5e6ba21addcfe12ae", + "type": "gitlab" + }, + "original": { + "owner": "rycee", + "repo": "nmt", + "type": "gitlab" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "deploy-rs": "deploy-rs", + "home-manager": "home-manager_2", + "nix-colors": "nix-colors", + "nix-formatter-pack": "nix-formatter-pack", + "nix-index-database": "nix-index-database", + "nixpkgs": "nixpkgs_6" + } + }, + "utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..5bac486 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,65 @@ +{ + description = "Nibylandia configurations"; + + inputs = { + nixpkgs.url = "github:arachnist/nixpkgs/kea-json-includes"; + home-manager.url = "github:nix-community/home-manager"; + nix-colors.url = "github:misterio77/nix-colors"; + nix-formatter-pack.url = "github:Gerschtli/nix-formatter-pack"; + nix-index-database.url = "github:Mic92/nix-index-database"; + deploy-rs.url = "github:serokell/deploy-rs"; + agenix = { + url = "github:ryantm/agenix"; + inputs.darwin.follows = ""; + }; + }; + + outputs = { self, nixpkgs, nix-formatter-pack, nix-index-database, deploy-rs + , agenix, ... }: + let forAllSystems = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ]; + in { + # forAllSystems (system: nixpkgs.legacyPackages.${system}.nixfmt); + formatter = forAllSystems (system: + nix-formatter-pack.lib.mkFormatter { + inherit nixpkgs system; + + config = { + tools = { + deadnix = { + enable = true; + noLambdaPatternNames = true; + noLambdaArg = true; + }; + statix.enable = true; + nixfmt.enable = true; + }; + }; + }); + + nixosConfigurations = { + scylla = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + modules = [ + nix-index-database.nixosModules.nix-index + agenix.nixosModules.default + ./nixos/scylla/configuration.nix + ]; + }; + }; + + deploy.nodes.scylla = { + fastConnection = false; + remoteBuild = true; + hostname = "i.am-a.cat"; + profiles.system = { + user = "root"; + sshUser = "root"; + path = deploy-rs.lib.aarch64-linux.activate.nixos + self.nixosConfigurations.scylla; + }; + }; + + checks = builtins.mapAttrs + (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + }; +} diff --git a/nixos/scylla/configuration.nix b/nixos/scylla/configuration.nix new file mode 100644 index 0000000..6aaad89 --- /dev/null +++ b/nixos/scylla/configuration.nix 
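Review bot: The `nixpkgs.url = "github:arachnist/nixpkgs/kea-json-includes";` input builds the whole router from a personal feature branch, so security fixes reach this host only when that branch is rebased onto upstream, and nothing in the file records why the fork is needed. A comment such as `# fork adds kea JSON includes (used for the DDNS TSIG secret); rebase onto nixos-unstable before each lock update` would make that duty visible; the link to the `__keaInclude` line in configuration.nix is my inference. Separately, `agenix` and `deploy-rs` resolve their own, older nixpkgs revisions in flake.lock; adding `inputs.nixpkgs.follows = "nixpkgs";` to each would keep the secret and deployment tooling on the same revision as the system.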
@@ -0,0 +1,595 @@ +{ config, pkgs, ... }: + +{ + imports = [ ./hardware-configuration.nix ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + boot = { + kernelPackages = pkgs.linuxPackages_latest; + kernelParams = + [ "arm-smmu.disable_bypass=0" "pci=pcie_bus_perf" "iommu.passthrough=1" ]; + # Setup SFP+ network interfaces early so systemd can pick everything up. + initrd.extraUtilsCommands = '' + copy_bin_and_libs ${pkgs.restool}/bin/restool + copy_bin_and_libs ${pkgs.restool}/bin/ls-main + copy_bin_and_libs ${pkgs.restool}/bin/ls-addni + # Patch paths + sed -i "1i #!$out/bin/sh" $out/bin/ls-main + ''; + initrd.postDeviceCommands = '' + ls-addni dpmac.7 + ls-addni dpmac.8 + ls-addni dpmac.9 + ls-addni dpmac.10 + ''; + kernel.sysctl = { + "net.ipv4.conf.all.forwarding" = true; + + "net.ipv6.conf.all.accept_ra" = 0; + "net.ipv6.conf.all.autoconf" = 0; + "net.ipv6.conf.all.use_tempaddr" = 0; + }; + }; + + age.secrets = { + wgNibylandiaScylla.file = ../../secrets/wg/nibylandia_scylla.age; + wgDN42Scylla.file = ../../secrets/wg/dn42_w1kl4s_scylla.age; + ddnsKeyKea = { + file = ../../secrets/lan/nibylandia-ddns-kea.age; + mode = "444"; + }; + ddnsKeyBind = { + file = ../../secrets/lan/nibylandia-ddns-bind.age; + mode = "400"; + owner = "named"; + group = "named"; + }; + }; + + networking.hostName = "scylla"; + networking.wireless.enable = false; + + time.timeZone = "Europe/Warsaw"; + + systemd.network.enable = true; + networking.useNetworkd = true; + networking.useDHCP = false; + networking.interfaces = { + eth0 = { + useDHCP = true; + macAddress = "50:7b:9d:b5:fa:e8"; + }; + lan = { + ipv4.addresses = [{ + address = "192.168.24.1"; + prefixLength = 24; + }]; + }; + eth1 = { + ipv4.addresses = [{ + address = "192.168.20.1"; + prefixLength = 24; + }]; + }; + }; + networking.nameservers = [ "192.168.20.1" ]; + networking.vlans = { + lan = { + id = 10; + interface = "eth1"; + }; + }; + networking.wireguard.interfaces = { + 
wg-nibylandia = { + ips = [ "10.255.255.2/24" ]; + privateKeyFile = config.age.secrets.wgNibylandiaScylla.path; + listenPort = 51315; + allowedIPsAsRoutes = true; + + peers = [{ + publicKey = "xwTYtejNZCtOyPMNcZVlsBIGYae6aUQczh7UwujLxXg="; + allowedIPs = [ "10.255.255.0/24" ]; + endpoint = "zorigami.is-a.cat:51315"; + persistentKeepalive = 15; + }]; + }; + dn42_w1kl4s_1 = { + ips = [ "fd25:af2d:1f51:255::1/64" "fe80::255:acab/64" ]; + privateKeyFile = config.age.secrets.wgDN42Scylla.path; + listenPort = 51516; + allowedIPsAsRoutes = false; + + peers = [{ + publicKey = "zNP632K1qrezFIl8NQK1tR3XEdYHat/YgzdCXnFIWDE="; + allowedIPs = [ "0.0.0.0/0" "::/0" ]; + endpoint = "193.31.26.15:53137"; + }]; + + postSetup = '' + ${pkgs.iproute}/bin/ip addr add dev dn42_w1kl4s_1 172.20.148.161/32 peer 172.23.193.2/32 + ''; + }; + }; + + networking.firewall.enable = true; + networking.firewall.logRefusedConnections = false; + networking.nat = { + enable = true; + externalInterface = "eth0"; + internalInterfaces = [ "lan" "eth1" "virbr1" "virbr2" ]; + forwardPorts = [ + { + loopbackIPs = [ "185.102.189.133" ]; + destination = "192.168.101.2:22"; + sourcePort = 11520; + proto = "tcp"; + } # sdomi's vm + + { + loopbackIPs = [ "185.102.189.133" ]; + destination = "192.168.20.31:22"; + sourcePort = 23; + proto = "tcp"; + } + { + loopbackIPs = [ "185.102.189.133" ]; + destination = "192.168.20.32:22"; + sourcePort = 32; + proto = "tcp"; + } + { + destination = "192.168.20.31"; + sourcePort = 2582; + proto = "tcp"; + } + + { + destination = "192.168.20.31"; + sourcePort = "51411:51423"; + proto = "tcp"; + } + { + loopbackIPs = [ "185.102.189.133" ]; + destination = "192.168.20.31:80"; + sourcePort = 80; + proto = "tcp"; + } + { + loopbackIPs = [ "185.102.189.133" ]; + destination = "192.168.20.31:443"; + sourcePort = 443; + proto = "tcp"; + } + { + loopbackIPs = [ "185.102.189.133" ]; + destination = "192.168.20.31:2005"; + sourcePort = 2005; + proto = "tcp"; + } + + { + destination = 
"192.168.20.31"; + sourcePort = "51411:51423"; + proto = "udp"; + } + { + loopbackIPs = [ "185.102.189.133" ]; + destination = "192.168.20.31:80"; + sourcePort = 80; + proto = "udp"; + } + { + loopbackIPs = [ "185.102.189.133" ]; + destination = "192.168.20.31:443"; + sourcePort = 443; + proto = "udp"; + } + { + loopbackIPs = [ "185.102.189.133" ]; + destination = "192.168.20.31:2005"; + sourcePort = 2005; + proto = "udp"; + } + ]; + }; + networking.firewall.allowedTCPPorts = [ + 179 # bgp + 53 + 5201 + 6443 # k3s + ]; + networking.firewall.allowedUDPPorts = [ + 179 # bgp + 53 + 51315 + 51516 # dn42-w1kl4s + ]; + networking.firewall.interfaces."eth1".allowedTCPPorts = [ 8123 ]; + networking.firewall.interfaces."lan".allowedTCPPorts = [ 8123 ]; + systemd.network.wait-online.extraArgs = [ "--any" ]; + + services.k3s = { + enable = false; + role = "server"; + }; + + services.kea = { + dhcp4 = { + enable = true; + settings = { + interfaces-config = { + interfaces = [ "lan/192.168.24.1" "eth1/192.168.20.1" ]; + }; + + lease-database = { + name = "/var/lib/kea/dhcp4.leases"; + persist = true; + type = "memfile"; + }; + + rebind-timer = 2000; + renew-timer = 1000; + valid-lifetime = 4000; + + dhcp-ddns = { + enable-updates = true; + ncr-protocol = "UDP"; + ncr-format = "JSON"; + server-ip = "127.0.0.1"; + server-port = 53001; + }; + + ddns-send-updates = true; + ddns-replace-client-name = "when-not-present"; + ddns-update-on-renew = true; + ddns-override-client-update = true; + ddns-override-no-update = true; + + subnet4 = [ + { + subnet = "192.168.24.0/24"; + pools = [{ pool = "192.168.24.40 - 192.168.24.240"; }]; + reservations-out-of-pool = true; + reservations-in-subnet = true; + ddns-qualifying-suffix = "nibylandia.lan."; + option-data = [ + { + name = "routers"; + data = "192.168.24.1"; + } + { + name = "domain-name-servers"; + data = "192.168.24.1"; + } + ]; + + reservations = [{ + hw-address = "34:15:13:b6:2a:e7"; + hostname = "yamaha"; + ip-address = 
"192.168.24.11"; + }]; + } + { + subnet = "192.168.20.0/24"; + pools = [{ pool = "192.168.20.40 - 192.168.20.240"; }]; + reservations-out-of-pool = true; + reservations-in-subnet = true; + ddns-qualifying-suffix = "nibylandia.lan."; + + option-data = [ + { + name = "routers"; + data = "192.168.20.1"; + } + { + name = "domain-name-servers"; + data = "192.168.20.1"; + } + ]; + + reservations = [ + { + hw-address = "00:02:c9:53:9a:c2"; + hostname = "stereolith"; + ip-address = "192.168.20.31"; + } + { + hw-address = "00:30:93:12:0f:bf"; + hostname = "microlith"; + ip-address = "192.168.20.32"; + } + ]; + } + ]; + }; + }; + + dhcp-ddns = { + enable = true; + settings = { + dns-server-timeout = 100; + ip-address = "127.0.0.1"; + ncr-format = "JSON"; + ncr-protocol = "UDP"; + forward-ddns = { + ddns-domains = [{ + key-name = "bind-key-2021-12-27"; + dns-servers = [{ ip-address = "192.168.20.1"; }]; + name = "nibylandia.lan."; + }]; + }; + reverse-ddns = { + ddns-domains = [ + { + key-name = "bind-key-2021-12-27"; + dns-servers = [{ ip-address = "192.168.20.1"; }]; + name = "20.168.192.in-addr.arpa."; + } + { + key-name = "bind-key-2021-12-27"; + dns-servers = [{ ip-address = "192.168.20.1"; }]; + name = "24.168.192.in-addr.arpa."; + } + ]; + }; + tsig-keys = [{ + name = "bind-key-2021-12-27"; + algorithm = "HMAC-SHA512"; + secret = "__keaInclude ${config.age.secrets.ddnsKeyKea.path}"; + }]; + }; + }; + }; + + services.bind = { + enable = true; + listenOn = [ "192.168.20.1" "192.168.24.1" ]; + forwarders = [ "8.8.8.8" "1.1.1.1" "8.8.4.4" "1.0.0.1" ]; + cacheNetworks = [ "192.168.20.0/24" "192.168.24.0/24" ]; + zones = { + "nibylandia.lan" = { + master = true; + file = "/var/lib/bind/nibylandia.lan.zone"; + extraConfig = '' + allow-update { key "bind-key-2021-12-27"; }; + ''; + }; + "20.168.192.in-addr.arpa" = { + master = true; + file = "/var/lib/bind/20.168.192.in-addr.arpa.zone"; + extraConfig = '' + allow-update { key "bind-key-2021-12-27"; }; + ''; + }; + 
"24.168.192.in-addr.arpa" = { + master = true; + file = "/var/lib/bind/24.168.192.in-addr.arpa.zone"; + extraConfig = '' + allow-update { key "bind-key-2021-12-27"; }; + ''; + }; + }; + extraConfig = '' + key "bind-key-2021-12-27" { + algorithm hmac-sha512; + include "${config.age.secrets.ddnsKeyBind.path}"; + }; + ''; + extraOptions = '' + dnssec-validation no; + ''; + }; + + services.bird2 = { + enable = true; + checkConfig = false; + config = '' + define OWNAS = 4242423137; + define OWNIP = 172.20.148.161; + define OWNIPv6 = fd25:af2d:1f51:255::1; + define OWNNET = 172.20.148.160/27; + define OWNNETv6 = fdc0:b038:c31e::/48; + define OWNNETSET = [ 172.20.148.160/27+ ]; + define OWNNETSETv6 = [ fdc0:b038:c31e::/48+ ]; + + router id OWNIP; + + protocol device { + scan time 10; + } + + /* + * Utility functions + */ + + function is_self_net() { + return net ~ OWNNETSET; + } + + function is_self_net_v6() { + return net ~ OWNNETSETv6; + } + + function is_valid_network() { + return net ~ [ + 172.20.0.0/14{21,29}, # dn42 + 172.20.0.0/24{28,32}, # dn42 Anycast + 172.21.0.0/24{28,32}, # dn42 Anycast + 172.22.0.0/24{28,32}, # dn42 Anycast + 172.23.0.0/24{28,32}, # dn42 Anycast + 172.31.0.0/16+, # ChaosVPN + 10.100.0.0/14+, # ChaosVPN + 10.127.0.0/16{16,32}, # neonetwork + 10.0.0.0/8{15,24} # Freifunk.net + ]; + } + + roa4 table dn42_roa; + roa6 table dn42_roa_v6; + + protocol static { + roa4 { table dn42_roa; }; + include "/etc/bird/roa_dn42.conf"; + }; + + protocol static { + roa6 { table dn42_roa_v6; }; + include "/etc/bird/roa_dn42_v6.conf"; + }; + + function is_valid_network_v6() { + return net ~ [ + fd00::/8{44,64} # ULA address space as per RFC 4193 + ]; + } + + protocol kernel { + scan time 20; + + ipv6 { + import none; + export filter { + if source = RTS_STATIC then reject; + krt_prefsrc = OWNIPv6; + accept; + }; + }; + }; + + protocol kernel { + scan time 20; + + ipv4 { + import none; + export filter { + if source = RTS_STATIC then reject; + krt_prefsrc = OWNIP; + 
accept; + }; + }; + } + + protocol static { + route OWNNET reject; + + ipv4 { + import all; + export none; + }; + } + + protocol static { + route OWNNETv6 reject; + + ipv6 { + import all; + export none; + }; + } + + template bgp dnpeers { + local as OWNAS; + path metric 1; + + ipv4 { + import filter { + if is_valid_network() && !is_self_net() then { + if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then { + print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last; + reject; + } else accept; + } else reject; + }; + + export filter { if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; }; + import limit 1000 action block; + }; + + ipv6 { + import filter { + if is_valid_network_v6() && !is_self_net_v6() then { + if (roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID) then { + print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last; + reject; + } else accept; + } else reject; + }; + export filter { if is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; }; + import limit 1000 action block; + }; + } + + include "/etc/bird/peers/*"; + ''; + }; + + security.polkit.enable = true; + virtualisation.libvirtd.enable = true; + + services.avahi = { + enable = true; + reflector = true; + allowInterfaces = [ "lan" "eth1" ]; + }; + + nixpkgs.config.allowUnfree = true; + + nixpkgs.overlays = + [ (self: super: { restool = self.callPackage ./pkgs/restool { }; }) ]; + + environment.systemPackages = with pkgs; [ + pv + libarchive + lshw + zip + file + tcpdump + lsof + restool + ethtool + pciutils + usbutils + dig + dstat + wget + bind + nmap + iperf + config.boot.kernelPackages.perf + ]; + + programs = { + mtr.enable = true; + mosh.enable = true; + neovim = { + enable = true; + defaultEditor = true; + viAlias = true; + vimAlias = true; + }; + zsh = { + enable = true; + enableBashCompletion = true; + autosuggestions.enable = true; + syntaxHighlighting.enable = true; + }; + command-not-found.enable 
= false; + }; + + nix = { + package = pkgs.nixUnstable; + extraOptions = '' + experimental-features = nix-command flakes + ''; + }; + + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfIRe1nH6vwjQTjqHNnkKAdr1VYqGEeQnqInmf3A6UN ar@khas" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6rEwERSm/Fj4KO4SxFIo0BUvi9YNyf8PSL1FteMcMt arachnist@monolith" + ]; + + services.openssh.enable = true; + system.stateVersion = "22.05"; +} diff --git a/nixos/scylla/hardware-configuration.nix b/nixos/scylla/hardware-configuration.nix new file mode 100644 index 0000000..de2c5fb --- /dev/null +++ b/nixos/scylla/hardware-configuration.nix @@ -0,0 +1,26 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + + boot.initrd.availableKernelModules = [ "nvme" "usb_storage" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/9804a5ca-c647-4581-904e-4d784c8c0024"; + fsType = "xfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/65A6-F9A5"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + +} diff --git a/nixos/scylla/pkgs/restool/default.nix b/nixos/scylla/pkgs/restool/default.nix new file mode 100644 index 0000000..6abd546 --- /dev/null +++ b/nixos/scylla/pkgs/restool/default.nix 
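Review bot: `ddnsKeyKea` is decrypted with `mode = "444"`, so every local account and service on the router can read the TSIG secret that the three `allow-update { key "bind-key-2021-12-27"; }` zones accept for dynamic updates. The Bind copy (presumably the same key) is already `mode = "400"` and owned by `named`, and the Kea copy should be restricted in the same spirit, e.g. `mode = "440"; group = "kea";` if a static group exists for the Kea units. Their user is not visible in this hunk and may be dynamic, in which case handing the file over as a systemd credential is the cleaner route. Further down, `dnssec-validation no;` and `checkConfig = false;` for bird2 each switch off a safety check and deserve a comment saying why.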
@@ -0,0 +1,56 @@ +{ stdenv, lib, fetchgit, bash, coreutils, dtc, file, gawk, gnugrep, gnused +, pandoc, which }: + +stdenv.mkDerivation rec { + pname = "restool"; + version = "20.12"; + + src = fetchgit { + url = + "https://source.codeaurora.org/external/qoriq/qoriq-components/restool"; + rev = "LSDK-${version}"; + sha256 = "137xvvms3n4wwb5v2sv70vsib52s3s314306qa0mqpgxf9fb19zl"; + }; + + nativeBuildInputs = [ file pandoc ]; + buildInputs = [ bash coreutils dtc gawk gnugrep gnused which ]; + + enableParallelBuilding = true; + makeFlags = [ + "prefix=" + "bindir_completion=/share/bash-completion/completions" + "DESTDIR=$(out)" + "VERSION=${version}" + ]; + + postPatch = '' + # -Werror makes this derivation fragile on compiler version upgrades, patch + # it out. + sed -i /-Werror/d Makefile + ''; + + preFixup = '' + # wrapProgram interacts badly with the ls-main tool, which relies on the + # shell's $0 argument to figure out which operation to run (busybox-style + # symlinks). Instead, inject the environment directly into the shell + # scripts we need to wrap. + for tool in ls-append-dpl ls-debug ls-main; do + sed -i "1 a export PATH=\"$out/bin:${ + lib.makeBinPath buildInputs + }:\$PATH\"" $out/bin/$tool + done + ''; + + meta = with lib; { + description = "DPAA2 Resource Management Tool"; + longDescription = '' + restool is a user space application providing the ability to dynamically + create and manage DPAA2 containers and objects from Linux. + ''; + homepage = + "https://source.codeaurora.org/external/qoriq/qoriq-components/restool/about/"; + license = licenses.bsd3; + platforms = platforms.linux; + maintainers = with maintainers; [ delroth ]; + }; +} diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 0000000..62636fc --- /dev/null +++ b/secrets.nix 
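Review bot: `fetchgit` pulls the source from `source.codeaurora.org`, a host that to my knowledge stopped serving these repositories in 2023, so the derivation (which the initrd depends on) builds only while a binary cache or local store path still holds the fetched output. The `sha256` pins the tree content, so pointing `url` at a mirror that is still reachable (NXP appears to publish restool under `https://github.com/nxp-qoriq/restool`, to be confirmed) keeps the same integrity guarantee, provided the hash is left unchanged and the fetch still succeeds. `meta.homepage` names the same stale host.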
@@ -0,0 +1,39 @@ +let + ar_khas = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfIRe1nH6vwjQTjqHNnkKAdr1VYqGEeQnqInmf3A6UN ar@khas"; + ar_microlith = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6rEwERSm/Fj4KO4SxFIo0BUvi9YNyf8PSL1FteMcMt ar@microlith"; + ar = [ ar_khas ar_microlith ]; + + scylla = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1X7EaPNfLhWH32IAyaZj2dhJz+QLnyGuXPCZUYRTjg"; + zorigami = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/7CsIWlJH2F0VQpgsGgZOQeAd7Zh98WpCvmTyXCTty"; + stereolith = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVuDOcKE8ANKGjd6kfFH1qLLzLwg91o0exJ0isIEw4O"; +in { + + "secrets/wg/nibylandia_scylla.age".publicKeys = ar ++ [ scylla ]; + "secrets/wg/dn42_w1kl4s_scylla.age".publicKeys = ar ++ [ scylla ]; + "secrets/lan/nibylandia-ddns-kea.age".publicKeys = ar ++ [ scylla ]; + "secrets/lan/nibylandia-ddns-bind.age".publicKeys = ar ++ [ scylla ]; + "secrets/nextCloudAdmin.age".publicKeys = ar ++ [ zorigami ]; + "secrets/nextCloudExporter.age".publicKeys = ar ++ [ zorigami ]; + "secrets/norkclubMinecraftRestic.age".publicKeys = ar ++ [ zorigami ]; + "secrets/cassAuth.age".publicKeys = ar ++ [ zorigami ]; + "secrets/miniflux.age".publicKeys = ar ++ [ zorigami ]; + "secrets/stuffAuth.age".publicKeys = ar ++ [ stereolith ]; + "secrets/wg/nibylandia_zorigami.age".publicKeys = ar ++ [ zorigami ]; + "secrets/mail/ar.age".publicKeys = ar ++ [ zorigami ]; + "secrets/mail/apo.age".publicKeys = ar ++ [ zorigami ]; + "secrets/mail/mastodon.age".publicKeys = ar ++ [ zorigami ]; + "secrets/mail/mastodonPlain.age".publicKeys = ar ++ [ zorigami ]; + "secrets/mail/madargon.age".publicKeys = ar ++ [ zorigami ]; + "secrets/mail/enki.age".publicKeys = ar ++ [ zorigami ]; + "secrets/mail/matrix.age".publicKeys = ar ++ [ zorigami ]; + "secrets/mail/vaultwarden.age".publicKeys = ar ++ [ zorigami ]; + "secrets/mail/vaultwardenPlain.age".publicKeys = ar ++ [ zorigami ]; + "secrets/mail/keycloak.age".publicKeys = ar ++ [ zorigami ]; + "secrets/mail/keycloakPlain.age".publicKeys = ar ++ 
[ zorigami ]; + "secrets/keycloakDatabase.age".publicKeys = ar ++ [ zorigami ]; +} diff --git a/secrets/cassAuth.age b/secrets/cassAuth.age new file mode 100644 index 0000000..3dff285 --- /dev/null +++ b/secrets/cassAuth.age @@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> ssh-ed25519 kY4Rgg 1T37a0MucAEFYMGcdyS+Nxcbkp027j3JxXy2teCwHRg +3khC9F+CVUToHWx22Cs0b+1dm0/nUwG7/nu4nFqRijY +-> ssh-ed25519 grc4Uw NW49Rzlxh92jldZPNq3mkeJHi460dIA80B3bGqhVrm0 +9j3PAPk/C1DsGUMTHq1PzQMYId2rNoHRtwYBTViJ/A4 +-> ssh-ed25519 DLT88w b/3j37sDUOtFD0TbPl0Gvyd/73MNlmKT4EhXn48ANQI +eHqL7WDztCzYyvb+K+bkZI0514Z2QyWDwvotmpFHI6M +-> ,se-grease UzY[u)e5usC'\eЂt']44h/\-0nXT +]w +6{U`oJ\C`+YnסqdӵߎW \ No newline at end of file diff --git a/secrets/keycloakDatabase.age b/secrets/keycloakDatabase.age new file mode 100644 index 0000000..16ad779 --- /dev/null +++ b/secrets/keycloakDatabase.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 kY4Rgg kesf+SaZD83McqpA9DixWtFIrEmRPxXkJ0GwzlUxWmE +fget0ABRpLa1ILPy+j8qB60R2XOBZUkADYHIqShetLM +-> ssh-ed25519 grc4Uw M6nvJkxP3YiZ9HQegvcReYpkLcyhpF2YiAV0Pr6FuiQ +gPV7IhypqI8C655+ef69PbvTBcCEK3ChpVKcckU2hQk +-> ssh-ed25519 DLT88w 8Cvg6k8zYawUgvMf8RQdA3pxxywIhCn7nPNGrMK4Q0o +Kc58s9qkYHVS9pf+MYghheQXLxtImbny+W0zQ6j9eKE +-> $mU5]|V-grease 3;xw\jc ++Fl1I+CYc0AGj429YbhVaz3i/HvkLrHX0Jt2OIhN4xqp/oJNqw +--- IfmaR6Z1bL8wgwgv1A+kuvxTq+xqKb6VD4iKdi0K8mk +:Imi[o|/R27?K"f&{ [7e&1 9I)u\Z>U_y \ No newline at end of file diff --git a/secrets/lan/nibylandia-ddns-bind.age b/secrets/lan/nibylandia-ddns-bind.age new file mode 100644 index 0000000..87dd85c --- /dev/null +++ b/secrets/lan/nibylandia-ddns-bind.age 
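Review bot: The key bound to `ar_microlith` carries the comment `ar@microlith`, but the identical key material appears in `users.users.root.openssh.authorizedKeys.keys` in configuration.nix labelled `arachnist@monolith`, so one of the two labels is wrong. Since `microlith` is also a DHCP-reserved host name in that file, a reader auditing recipients could take this for a machine key and not a personal one. I would settle on one name and comment, and add a line such as `# personal keys: recipients of every secret below and authorized for root SSH on scylla` above `ar`, because `ar ++ [...]` makes both keys able to decrypt every listed secret.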
@@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 kY4Rgg mk+AfUGcuTUyGVr8Y9eEgL75VA4JEThLGSd7nw9QJSs +edbiwW5zV/j/sr+ynflHv97QnXCLHxoPJqnQnxMLl0E +-> ssh-ed25519 grc4Uw b9BxvDAFU9tIHoujY/scPVQ4uwrj+5eEDmxXNmzOHjg +fRy3YJk+l/2khO3U/38bF+M+c41W1mQUlRJ85D4e8DY +-> ssh-ed25519 CJl5MQ 2C+ipkjQkLzpypr40L8G2H1qgQCNm9jYTTAUR/+m4Uo +zbnzsLEZg1NMV63V66RbyKmPo37Ud8djb1074t77wc8 +-> [-grease Ihg*p WU.7s?UM R,Iyuqy} +yj4NDfJn0E8kP0XdnIiTkmiA3NGcvZoYFM/uXOOIKCdajq3vY7gdgxyn9RiMQZoi +jgdoEbXrgRdEaxt9h31flQRFa72BIvi8ha8hxaCEAarwGQ +--- kjXO5aCKHjk2+BSSFvNdB/b9Avpw6z/KNA51Zs7kZ7Y +3n_`~|͵xo80XBR !|\r;@_TU6!q/)7 +Hr2&DPxJ0jt.*R5~T=qԈmr8Vg=3h \ No newline at end of file diff --git a/secrets/lan/nibylandia-ddns-kea.age b/secrets/lan/nibylandia-ddns-kea.age new file mode 100644 index 0000000..9203bfa --- /dev/null +++ b/secrets/lan/nibylandia-ddns-kea.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 kY4Rgg zF0Gy00g+A652+c4MKe5GFlewtlUMjpLLzODkT1HNBw +KoG7CzBBLuTYaPc42+cx/IwDe0WHEwdW7BZD950qx9k +-> ssh-ed25519 grc4Uw oi34sgBlxzAvBNvRnPoNys03fYlQPtGaN521dHQKlyA +AEclTFw+LElZMNng0+ezmB06vmqlIxrhZ5Ug7lO0K2Y +-> ssh-ed25519 CJl5MQ IGMoyGOVqyoczmGdDUrHcQF3zqbKQXESlrg2HkJklls +iH0PiadiTgwEtjf2L1Ry2MCFFxhvb9LFr/eFKJA+M+4 +-> YCy8T-grease 2K|TYGy| ?++k: +jzDT2sSDmnozZA0Prkr6cYgVou+09UwXc9H4KBNOlQ +--- SjezupwORSDfiv2pPCKzoNGfolICCAd7eLNOmCRuuq4 +.3~M%4`7 ?jdzlfy%byɎ&؞[a[w؍dV;,Ǵ5[SMwQu:Vgبoz sb_[;Uڅ$}% \ No newline at end of file diff --git a/secrets/mail/apo.age b/secrets/mail/apo.age new file mode 100644 index 0000000..0c1cb00 --- /dev/null +++ b/secrets/mail/apo.age 
@@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 kY4Rgg N+m6p/zttdGnIbdBfTRIEBuQvAquREmfs8RwDTnROAY +Q5ROKDJmForW63J5UVu4Qf2TagKisGX4PcMaIVx1K7w +-> ssh-ed25519 grc4Uw aSbKCbiCwnipGPVt5dcbCNNBeILtEnAB6Vkfq9LvdEY +biHvwNpy7waPMuOQ4TE2mI+iOzROupSqkZINBi7l5/w +-> ssh-ed25519 DLT88w Qa4VLSyBQRboqa68kVtqnGb7wEH9oyulEheaYXzl2ws +jyDSxSQbzNVJIWsoJIoO3zVpPHy6RWNzPC5IhB5z0tk +-> z-TKn-grease DO*%z p1C +LUYpx4GSo0pNIT9gW8id1xBZWsJ3iJxhwHxSLg/kQS3KBAJO5uqgd8jnTg4TwGeM +NSP31qORZHU +--- AbYdv5y7vwe3ONItmV9Fb73/NeTpZd2kBxpu/msW+50 +X3M;6hQގ=;#ۑu3WPw +?gY4⯨uu`[H87Z$>xOre \ No newline at end of file diff --git a/secrets/mail/ar.age b/secrets/mail/ar.age new file mode 100644 index 0000000000000000000000000000000000000000..e5719d56740fc01fffd7a3ac9f481062f550525c GIT binary patch literal 641 zcmZ9_yNlCs003YIrwk&9h>K)UP-1P9Hfe%z*d~`WZS%aeO^SoL_Lp29O`4>6G@OTn zq6dP*Avy`7;GzdQD2^_N!!05T=W;md9cKuaxSj1D7D`})NF$o*YY9#23eFaHEJ%n^3 zLvlPDSjN~Kt%KTVJ&zjZm}D$X9iqH3mzD(9!U~Dvk8XB6X$*3BL$WQ4iG}O z#Arw$>LQ$%m|M VK6w25?!m=}e{TIfxA@ZD`UlKk;OqbZ literal 0 HcmV?d00001 diff --git a/secrets/mail/enki.age b/secrets/mail/enki.age new file mode 100644 index 0000000000000000000000000000000000000000..0886a1151925a81090a9b87ebb7e8306eb483ab8 GIT binary patch literal 538 zcmZ9_J8RT%003|YU4ry8go+&u@p6|(lSO-Z=iYa@Tpl9y`fo1DHSg!8iwa6n7abHt z2cd(w2u?z0hweUba8*!>hzPFIwZAX$n>#jYhaj!v+>64iQR+0xCWKytv&=>9-4;nU z8FFqxItIJI(>dt zDOS5L74?31lTcZO#05_Vc?$`Hy6c-~Hzx&zR>4$WF|{(SO0Kl@A_t!BSrI>>9{g%8Whhtp@ z5Q?HOo42zelNu85k-CN>u2*Pk45m|2NB9BlXNgMGQiF?J0Cm1TK|bHHPM+-?|GDLW zA4eO=>mkWczDr5+>EhqZ_uibpyLNa$A3nN%bN%_r?c?Et-)kFBx6Zx%_lkcEB;o${ ex1*W&qVeGug)sWT&-YsoKW=|{`z};h7ybhfU%HY2 literal 0 HcmV?d00001 diff --git a/secrets/mail/keycloak.age b/secrets/mail/keycloak.age new file mode 100644 index 0000000..c4f1ab4 --- /dev/null +++ b/secrets/mail/keycloak.age 
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 kY4Rgg jevSd+xpTihquLhBQlcSodrwCYiqqYykFtZsfx/MUXE +RdgFHkHiuO/jrEwVijQeRgGPOFMd2cm4YUonkmBaGBQ +-> ssh-ed25519 grc4Uw YaLvY+KF1YTLADjqJIyCavdSO6c/gvg3q8CXPOW4d3g +63dNEGm9HJcg535UmRJSRimPtXttLct0Zs+DRIBO3Io +-> ssh-ed25519 DLT88w efd8g7rCIcAPeukRiVnILPb0zFEznT2Nv8Cnc1VO+Wo +WTSoEuZFsZ0DgefTGievPY2SLshaqCeb6kCGUtiMx/g +-> }&NC]H8U-grease {r]Y~F0 -_ . +5MS38QETyaJdLuwR6FB08TJXIwnw7OdRn/31H4BDU0x7 +--- dtnnxW2bXOIVUhSjC0j/1mkEfaMqbv3Nz/9Trpx0Xbc +ѳhuĒG^PxNEkR+A[gĠsTO\vҦBjbd ϖ̹.ry=dS4 \ No newline at end of file 
diff --git a/secrets/mail/keycloakPlain.age b/secrets/mail/keycloakPlain.age new file mode 100644 index 0000000000000000000000000000000000000000..6957a2c1b46d06f15e29ef59e1f491f100de1edf GIT binary patch literal 587 zcmZ9}J&V&|003YS2MG#}3JyU;kP!2oHiL&rlhh`cHXlu!6dl?mP2QwUo3G{)M?ule z$v+^Ti<>Ao>LhZjASfs}39e2m>UzK68J>98&9(%a^x7s5u^j=SdvH-iXyB6! zLvV27(qLg)LX=i$l5XBn!i%EqvoErJnni=-BMBFX|I%zcs@pw;&n+eP5J!CdpDn1A+ zDf6>MKdQ_Q8G}q$XH&eSwEvnQ*q6{S59UPxx7roZzjLbtEo7mp-R|JETS^x;kS%Jb@#~C~FkPNbBeFg9v->0GM#DG8WMN|+)x^^SLicdPrz;#pF6O3Y7aG3$aQp82 zlMmk>p1Sew#p6fb(Z%c0(f1R3KVN_O^X=T|rCWb>pZ)&z ssh-ed25519 kY4Rgg zc5A1eT8+ifTb1n4gpadYq6+aMypeBuzeJFH7n8GNFg +czVB29wtzF3exwjggcEDPRSEYtRlK7CPhumLqfsKZhM +-> ssh-ed25519 grc4Uw /t8+HAAwOJltUG6vS0lSrFavTfODeBZdxdj9sqIP6WI +W4qQblzB//Ecwx1EIAYiBxQ2MXfqinN5ho8KO1J2Exw +-> ssh-ed25519 DLT88w 3kNAE5a8AlH49YoNk/yA/64vtQb5Mr4v9wjQYv22Ehs +gP/nL9QGVCYjj0tvJ4peysdTq1CBIpLhMn0R4q74IqU +-> s6-grease &\RtW e6.Ke,J9 +fNZ0mgTK73JZDkZs5+oEQTFgptk7WNY+EwBSLOHe7iyPUsKUR76+P58vKFrcfMSw +vNpqP7fm0OI/fHYMTtyx8w8E+Y7t0URG +--- 4Xe1V66nBtt7+j2hOmmVCL3UHT58oie44PjssufEKws + :ʋgz|NJ ssh-ed25519 kY4Rgg nmFe1Q8A/S76A5Z9vrh4K5dJM890o2mwEEBfSqG8dCw +7LmDmA/ANLSXC6VKc4LDQS99vv9i6wCP1OVANGCo/sI +-> ssh-ed25519 grc4Uw bz2beS+8USpFvN/Re4H/DYgwtsBW3NYHM3jGS0zu0Wk +Al6tJld1jEXh82DEKvyab9ocA8Dbfm+QYmPniwN9gCw +-> ssh-ed25519 DLT88w JRFKPOnkZZcubjOI/IPjfOGxI2cjZ589c8IdKz7Ehz0 +UbIgpFdzvIHSAyrIxCeTNn9vQ1De81rywseR09Fo2f8 +-> ,I}P,-grease Ym 45hJJc j9wn3;kp +GesmMGltPhQ/oM6ViCWYxB4+ULTCP4WNQXlv +--- hQh4YEIVtBGHOtZjk77kAlggMFmh5Si2u5C3OviDDPw +%:cFƛzO 1a~ҋʇ_*$[~لܓ}p߼op84#uŠ~$YmKYge \ No newline at end of file diff --git a/secrets/mail/mastodonPlain.age b/secrets/mail/mastodonPlain.age new file mode 100644 index 0000000..927d5a3 --- /dev/null +++ b/secrets/mail/mastodonPlain.age 
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 kY4Rgg EaXiOW4rgkC/TDg8dxvY4BcmVF4tMDzk5oXr3N7JJQU +aNOtg/ny/x5SR5DAUBmM7T+nzdxV1wBbgF2vXICm8ys +-> ssh-ed25519 grc4Uw Q6K4N8fRAZrG6jAHM6GRKUOdgv2nA2iyp+m7D7v3S3w +u3lvKekoO1TNdd3p1dS+BLvOrOvUGRvSNORPcPsy/EY +-> ssh-ed25519 DLT88w x7yNe8dYkHlMMXGO/dty3LK5gGahvIHPW2olVB3sSlw +AnNgJLJPfxkzcZGwjrtW4F60z9Jc2ei/gNScaEx4mng +-> (Z1-grease Seh@;cP +zBeGZGCFTkA0DlMEGfbxntjVqP6HJEaWD3Gjf1mxOIcKuBb23FrBcgL1U/0dsXSE +h1hsT6NMskKdLcDulprc96tuGve/gAoifQ +--- WB8mYOcUNKQd4ALi7FhazPbYHS5OjTTyTGmE1BuKGxE +؃! Clz~ax :2 dk`7?l>\ \ No newline at end of file diff --git a/secrets/mail/matrix.age b/secrets/mail/matrix.age new file mode 100644 index 0000000..b7ef997 --- /dev/null +++ b/secrets/mail/matrix.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 kY4Rgg ztEokBJ3yjBiGZI8gPi95D7Ktr3JGkLLt0KTDrnZJ0Q +8N/TnwM/JYzO0JX5etl0K9irG3BdbhVdiEQ6XpUmESI +-> ssh-ed25519 grc4Uw vGO9wZ5nQ7n72H5JLfzBqt58KYPcyOA+4dGiY4U1ay8 +S+ItwCRDrbtt3iC4JtcrkxDaWK1QY8PknMUgm5v1NaM +-> ssh-ed25519 DLT88w sJg7S7AFrQm0oNQJ8dDq0ZbqGL4SL3nVtGvNt+Gx/1A +Rzf0vMw05PVvktceCPRZFqCaPUdM4mXJknLKaZiU7K4 +-> NLrA~@-grease :(KZ28 +b/ap2+msrvg8ST0+OEBSGwnqvP450HaiH+yRhEJz/k69fyM7QM4 +--- VLf28ysvKqN1YemvsQRYz18oEBWUtsBRhIkprFTZaC4 +(kf}ڋ9ety0:eYm|=lC_G hjz bX0wdKշ!Sš˝4SкPw#n \ No newline at end of file diff --git a/secrets/mail/vaultwarden.age b/secrets/mail/vaultwarden.age new file mode 100644 index 0000000..464c1da --- /dev/null +++ b/secrets/mail/vaultwarden.age 
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 kY4Rgg /xLFl1s1QHYOBtXbG+pAD3kdljp6PYyZ4ZeiB55Rqz4 +BjESbqD4WEmoj+nLwXrtHI12LXOPt1Paa4ZNkzSi5/M +-> ssh-ed25519 grc4Uw PSzuUvFw+kfU+LXm5JTttX5d4STQ5NbGjoNFR/8FYHo +/i+5AI59JJ4n427NN+yZ1OqFbF6XZFps6IdD7280gUE +-> ssh-ed25519 DLT88w cVgmgyXx7HyMf8FsVUQH2FRABEFVgnm1P6ITIYeOnEw +2l2Pr0Rtp/ohPaTH/V5RR1jwr/j9MmL7svwMjJIndXk +-> Dm-grease `NL%8ot +Jqvm4DqVlRcsExeXS8fhRo/1Zgza/AqcQH21nAjty4/AFEhjkl44Zsx8K0Nooagf +nPEMN8TdDaAZOlhAsnI+spYh7qIIMLssqC9UgfTbXHtjBhc +--- TlY/OpjrwdXQzNIRkNzEcy6Rftd4+LDDN7VedCrJs6w +ÝOC=UЊTm3k޽Ҁ@A.b\P7`G81>⊀Ĕ,ȃ4%a{:6/vl2 ssh-ed25519 kY4Rgg H2bRjZgBqNjr/lB7nGhttRS5+TDqQDdCEMzaUAB+CnA +eLhUYk3iJbqTd+MDUyIAr4hHQsyA95mQhNVabonGvrE +-> ssh-ed25519 grc4Uw yoE0H5dPlzyNu8Fysxf/aw9eCRWtTBxN4U72KCwfvRI +NM8BvnqwnOblcwByE8P8jvXt4DQ9blhzRNn39ZD4jCc +-> ssh-ed25519 DLT88w C6yHb30SPUKVfnBWEBqT1qZuomYNftZrkRH2dyXPjlg +1KGDzd7kvBCAjrO/cw7cIgao5psDJKHol5eH5rzriHU +-> Pcg-grease T5Dl'6?) 4|[; .M]\z(7Y +WbkBRL0MdYxfj25Dzn9ZBAKhfR2QZs8RpMlEv+lg6RW4H3P7zp2xRcuyVwE8kyVB +nRp/qqW+PiHZJqfy +--- cAcFa0wjnhP70bLXBFHMsxhOfm+q3i+Vl5ZoBjEqMPo +@G%Z{Dݓ̟% :!l \ No newline at end of file diff --git a/secrets/miniflux.age b/secrets/miniflux.age new file mode 100644 index 0000000000000000000000000000000000000000..678c1eb00c15b97e9db0a6b527ffd6b5cf344d98 GIT binary patch literal 595 zcmZ9|y^GUe0D$p35rrNi;&xNONn=g&wn^TC2$wWz)5P>E-={;Grb$ej_L3%PKnE4^ z2G2pc!C7z;CkJo7O+|6Mo0Jn*1$7Y)J=gmOo*z86=a${biHq4hm_}Eov4>?useBDd z62I&Y0Z9@yBs8l%&qJIdp&CP0z|}e@D^p0z$%Lj+ATH)?pmq{olIHAu;oIS~1U0S6 z_Y{+78})iJ)O@EHv`5{-#W77B0SiTWN@BYloeRe`FLtVGjuZsZ^2aV?jAuju1iT`l zOy+CJEbA&_zUFOMhEmJ?1dL%xPi@Ah22R?gI=aSa{7kn3!yb`1+cQ{jy>EJH2S!?( z4v%YfNr5m&{Jh`5hMm}5h&4mdWN|@s3$6*8Fpk_Qs3-#w_1hZ&W4k3_iEB(dWAb>d z-Qse(Urj*nLct5z0H85i25l7~%%j5PD(IN-K5Fwfb<89o5Taq?toZ z;5#l~rBFMI`2Om)b))Jmk4Hbx9XxsT`s2#Z=F05ksr~I$ h=kCidXZb^|Cp>lzFPrOo^3Kv3u)O{A(~oCw{sG41%gF!$ literal 0 HcmV?d00001 
diff --git a/secrets/nextCloudAdmin.age b/secrets/nextCloudAdmin.age new file mode 100644 index 0000000000000000000000000000000000000000..db07ae695853697da9eea7760f5c090d32e6ff50 GIT binary patch literal 504 zcmZ9_J&%)M007`K8V6kNCvbB^fwmkkr!k?>zNLJW7RtvtVR`!&N+}6~}#w2D(YhkIFmek;R2PUQ~&b`4n;*`F|@~|uAa}Cz4Dq%nvqPTPDg(2|)BW>te zFw{nD+dZHIT2H$Gr_yF^OEV{O#Jd|VW}WGlH1&Bx)9j?JJBqdR_I7LM&K%8T|H6#4$DG0;L<03ec5N9pRDo-m97;S5)awVOO&aJtEZT=&JS3+v&| z^PQ~jX@^#rM6r>I%i{kgP`E%riAZ;~?~&d!>dd_&(C&PtSo?f+N&7k`D2gIg+Ee|i z$j==ngM$%HNd+>_*bo?6pzHNRvJH7C@ljLFe^7ZlN-Gk=slMCDY2YMN%I{*Lx literal 0 HcmV?d00001 diff --git a/secrets/nextCloudExporter.age b/secrets/nextCloudExporter.age new file mode 100644 index 0000000..f0601db --- /dev/null +++ b/secrets/nextCloudExporter.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 kY4Rgg JBaQTCttZJeeO5xNkeImjNgnlaG4F3SBVGfeywU+HhU +M2ySbFs6kIIoh9hT6lWVjwmVSdrxUZzncfoupqY5o3E +-> ssh-ed25519 grc4Uw 5fsEOZeC3S4oW2YkGWDMIvzysjrwtie3N1p4z8EyWgo +SNEzpOPR6FEs6jnqjMSnmKsQx01lLeMDMIqjazWBX+M +-> ssh-ed25519 DLT88w lNu1jhfhq1i+rWI8XzNUFvBYnRRDtBDwh5GbsHr8wGY +9czhGyr0F90mIac7KkGp5ZUbkDExFYKNuSvd+M2uM7E +-> (-grease 5_}HQ2\ <^\ JqmV&2! 8c8V^& +JxnyTg +--- xkMLA4q/tdFFoJbKDPEt0+FPcGMr67A7GJhVyi0IyRU +Y 84 ):49+6%]Hr\?<ߑRD>k˖3hu>`:O`U \ No newline at end of file diff --git a/secrets/norkclubMinecraftRestic.age b/secrets/norkclubMinecraftRestic.age new file mode 100644 index 0000000..05df1a4 --- /dev/null +++ b/secrets/norkclubMinecraftRestic.age 
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 kY4Rgg 1NxvcBpgpuRaIUgr0tRxKI2FjckkZ3TpuW8wtgJvFCQ +B+tlhpt6KX01Rvr1UdyXCsPQac29VJmtJcMjDtkaLH8 +-> ssh-ed25519 grc4Uw J3YduQ6qneo5ps+XIRCdz130l9WYse4pKv7mLR3qXVo +waXFEcqG2bz3tDw52sAcX2a3iysAIA4BdJhgmAXFfFs +-> ssh-ed25519 DLT88w /+O7Ee5XB+J/XljNecHYrofBT/146xgN30se+5n9kiI +B1bCf+qp5erlqhJZwVSdJmnS7FWDzqn5QzuSSNaKUZY +-> C)-grease ^)h86 sg +|53Up| +hw +--- rAcNSK2oDkJTGy90pmTlPoHPlPqsdRBN7mjCvBBMyDE +e$ Ϋ^Ry(.$Ʀ+hc.ZW _) vm!61ƪ3V4s{7HJ2s \ No newline at end of file diff --git a/secrets/stuffAuth.age b/secrets/stuffAuth.age new file mode 100644 index 0000000..35f3d8e --- /dev/null +++ b/secrets/stuffAuth.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 kY4Rgg 1+JwdUharfaJD1nJpaHA//Dg1gEaRBHV57hE72aq3Eg +VajdnXMIjwBT9gvCMriDweLpXxWp2RHSYkAR/E+6cq4 +-> ssh-ed25519 grc4Uw Uy3lVLmSn8Oq3opvluhVFCTZ9uJaE5s+jfC49fORnmc +GHp26W1qINiS49EEwi9qnSVidmymB3qoKivrwAbTWho +-> ssh-ed25519 yqUwfA 6qRcvIAjTmR9XdFIBSZrvWpdnKt2rRyJDdT7vj9lH1g +xzuXNuuexvwKDR04nu7+2spb9aTBZgeZ78Wg4Pmp8ig +-> w9fNc-grease Q +6h4uQx5MvCiJ2jK/xbsuuZ5uv1QcmhsKX5vKozRrNmeV1dZ3hZ1cT2tikIwqnvgd +7V23AA +--- oS+cT6EMUSIfciyC6aQI4ztRG45pX4XumZwMPMyjGAA +u +,~q8Y\>X} +oxV +l^mezќc׽IUZҮ۾@${q \ No newline at end of file diff --git a/secrets/wg/dn42_w1kl4s_scylla.age b/secrets/wg/dn42_w1kl4s_scylla.age new file mode 100644 index 0000000000000000000000000000000000000000..cc0c880f833badc165dc6c9f4b467d5b2c94cfa5 GIT binary patch literal 506 zcmZ9_J&V&|007{dV!2lWDLdCLqMBo#7}V3=H!v8l*X^Pa&LRT`R&DBqByDYEDWW)1erinY}q zQ_<=;jm-rZYwD=iD5;Y2n{YjEEMsnZesfcsHVf3~Q?qty<)Z5(=B7B_$bpiu!b~37 zjbT>73dlxAs9il`5j(5{k}vt3SXVwpYFZyoIFa;b}TM<~gK?VCJC4jq$<5Ylx#Hv24#p1jlhysbhYP?^sYG zC#mU(EYRpA5S#9%m~dhxS=k{-Ob%c^jii6R)So|iIc7gzyczEO*wKx=+3z-97ykM0>YCKSHm*`F-#8+0VE9mB*J4yjTAK DyhW@> literal 0 HcmV?d00001 diff --git a/secrets/wg/nibylandia_scylla.age b/secrets/wg/nibylandia_scylla.age new file mode 100644 index 0000000..cb33eda --- /dev/null 
+++ b/secrets/wg/nibylandia_scylla.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 kY4Rgg bR8KafskOapw+hVVL7cvGL+Yo4/LVRjkxreOuk0+x3M ++nkeESR6bxupeM0SzArzxZHNDfU/Wk0Iwa+3D+YUiP8 +-> ssh-ed25519 grc4Uw zvAs9zeYbmcOpny5BF5LxZbJyKp8YLwX7rJHpJl5V04 +U4E31RGk0GVokms55vNWj+09PJ13F1LYe1fMRN0Dw6Q +-> ssh-ed25519 CJl5MQ Y4WWqfVPc7U0msy8sfj2YItiHN+SiknYCVtHaDGm0Vs +yfbQffAiurHXti+aBWLda/Llpif/xESQ+ErOHUod/RI +-> OTC@(-grease 1kqN +vmMUj1jYd+fNxtmco5Wzgwtp/3nY3EUBZaJvcSfPFNmdwyojA1dhcOWBrwb+nDRo +b4w +--- yZsbIumupuUO9M8dKNKNctu+Jfk/uWyitKgGHbZ3YYU +Ok}UM]m.r؂ݛǎj}5y i{/d_S˒Qx>d̓6;h5׳Wy- \ No newline at end of file diff --git a/secrets/wg/nibylandia_zorigami.age b/secrets/wg/nibylandia_zorigami.age new file mode 100644 index 0000000..b63c028 --- /dev/null +++ b/secrets/wg/nibylandia_zorigami.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 kY4Rgg 0QeKtNrwnKpIUmW9iDmuB6IUpgB6soQdFtcKqzaqVmQ +qIS4THj372+x9weQ5Eg1Ny86rCQdX59dRt8gbT7Dikc +-> ssh-ed25519 grc4Uw qAQm3nt/EJFC3bBWu9TJr4fw/Hz9rJ5M0XqkPkOVbTQ +8fXxdfaQL0w5fHqXBjwQn2TH0d6gi22tpfnEGg9Wy/g +-> ssh-ed25519 DLT88w zj9Bz1zV62qR2BO06vqWiRsrFo0ZHFQG0GFeOd+LtEo +uaoeX9B49FM0e+PeCuQCwyEELS77Wgh0UCjF/LvvdvU +-> iM$1zll-grease Ci QSha %&W$S4ht +n7C4vau7H0ImU0fL5wzMPt7xkBaugRw2DuWtQG+eHRd86xGVmUw +--- I8S0mavxA+OhtttjAfJSxGD5dzoOqrd0aTqxt0RUJXg +d&8'ub=];i'2J- ݍ),)bА \ No newline at end of file