commit 4cb3e8f6bbf7040312dbf80a131b5f03060da165
parent daf5bac8e9a312e2103baa5975cc80777cb3b062
Author: Leah (ctucx) <git@ctu.cx>
Date: Fri, 12 May 2023 16:05:06 +0200
parent daf5bac8e9a312e2103baa5975cc80777cb3b062
Author: Leah (ctucx) <git@ctu.cx>
Date: Fri, 12 May 2023 16:05:06 +0200
machines: remove `lollo` and `lollo-old`
29 files changed, 9 insertions(+), 1108 deletions(-)
D
|
67
-------------------------------------------------------------------
D
|
123
-------------------------------------------------------------------------------
D
|
87
-------------------------------------------------------------------------------
D
|
138
-------------------------------------------------------------------------------
D
|
184
-------------------------------------------------------------------------------
D
|
55
-------------------------------------------------------
D
|
85
-------------------------------------------------------------------------------
D
|
61
-------------------------------------------------------------
diff --git a/configurations/common/syncthing-config.nix b/configurations/common/syncthing-config.nix
@@ -12,11 +12,6 @@ let
 name = "briefkasten.home.ctu.cx";
 id = "QI2EPUE-4VMZ3XV-LXX3GXP-RHCWTRY-AACLSGL-YG7MIYV-THST74N-KJGIBQ6";
 };
-
- #lollo-old = {
- # name = "lollo-old.ctu.cx";
- # id = "QI2EPUE-4VMZ3XV-LXX3GXP-RHCWTRY-AACLSGL-YG7MIYV-THST74N-KJGIBQ6";
- #};
 };
 isaDevices = {
@@ -29,11 +24,6 @@ let
 "Blechelse"
 ];
- #lollo-old = [
- # "ctucx-music-orig"
- # "ctucx-media"
- # "Blechelse"
- #];
 briefkasten = [
 "ctucx-music-orig"
 "ctucx-media"
diff --git a/hive.nix b/hive.nix
@@ -16,8 +16,6 @@ inputs: overlays:
 defaults = import ./configurations/common;
- lollo = import ./machines/lollo/configuration.nix;
- #lollo-old = import ./machines/lollo-old/configuration.nix;
 briefkasten = import ./machines/briefkasten/configuration.nix;
 trabbi = import ./machines/trabbi/configuration.nix;
diff --git a/machines/briefkasten/configuration.nix b/machines/briefkasten/configuration.nix
@@ -35,6 +35,8 @@
 dns.zones."ctu.cx".subdomains."${config.networking.hostName}.home" = lib.mkIf config.networking.usePBBUplink (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP);
 dns.zones."ctu.cx".subdomains."${config.networking.hostName}".CNAME = lib.mkIf config.networking.usePBBUplink [ "${config.networking.hostName}.home" ];
+ dns.zones."ctu.cx".subdomains."legacy.home".CNAME = lib.mkIf config.networking.usePBBUplink [ "${config.networking.hostName}.home" ];
+ dns.zones."ctu.cx".subdomains."home".CNAME = lib.mkIf config.networking.usePBBUplink [ "${config.networking.hostName}.home" ];
 age.secrets = {
 restic-server-briefkasten.file = ../../secrets/restic-server/briefkasten.age;
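Review bot: The added `"home".CNAME` line makes `home.ctu.cx` an alias, and a CNAME must be the only record at its owner name (RFC 1034 §3.6.2), yet this same commit deletes `lollo/configuration.nix`, which set `home` as an A/AAAA host via `combinators.host`, and `lollo-old/router/dnsmasq.nix`, which also published `home.NS`, so any remaining host or module that still contributes `home.A`, `home.AAAA` or `home.NS` will collide with this CNAME and the generated zone will be rejected or answer inconsistently. I cannot see the rest of the zone from this hunk, so a grep for `subdomains."home"` across the repo is worth doing before the `dns`-tagged machines are redeployed. Both new CNAMEs are gated on the same `config.networking.usePBBUplink` condition as their target `${hostName}.home`, which avoids a dangling alias when the uplink is off, and that invariant deserves a comment above them, e.g. `# CNAME targets must stay gated on usePBBUplink together with the ".home" host record above; "home" may carry no other RR type once it is a CNAME`. The enclosing module attribute set starts and ends outside the hunk.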
diff --git a/machines/lollo-old/configuration.nix b/machines/lollo-old/configuration.nix @@ -1,67 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - - imports = [ - ./hardware-configuration.nix - -# ./router - - ../../configurations/linux/services/prometheus-exporters.nix - ../../configurations/linux/services/syncthing-nginx.nix - - ./remote-admin.nix - ]; - - dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (pkgs.dns.lib.combinators.host "195.39.246.44" "2a0f:4ac0:acab::44"); - - age.secrets.restic-server-lollo.file = ../../secrets/restic-server/lollo.age; - - boot.loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - - services.email-notify.enable = true; - services.syncthing.dataDir = "/home/leah/syncthing"; - - networking = { - useDHCP = false; - nameservers = [ "8.8.8.8" ]; - - defaultGateway = "195.39.246.41"; - defaultGateway6 = { - interface = "enp2s0"; - address = "fe80::1afd:74ff:fe3b:8a10"; - }; - - interfaces.enp2s0 = { - ipv4.addresses = [ - { - address = "195.39.246.44"; - prefixLength = 28; - } - { - address = "10.0.0.44"; - prefixLength = 8; - } - ]; - - ipv6.addresses = [{ - address = "2a0f:4ac0:acab::44"; - prefixLength = 62; - }]; - }; - - firewall = { - enable = true; - allowedTCPPorts = [ 5201 53 80 443 ]; - allowedUDPPorts = [ 5201 53 67 ]; - }; - }; - - - system.stateVersion = "21.11"; - home-manager.users.leah.home.stateVersion = "21.11"; - -}
diff --git a/machines/lollo-old/hardware-configuration.nix b/machines/lollo-old/hardware-configuration.nix @@ -1,31 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/53f739d1-5668-422e-81b5-34c1f60ecba8"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/1344-D403"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - # high-resolution display - hardware.video.hidpi.enable = lib.mkDefault true; -}
diff --git a/machines/lollo-old/remote-admin.nix b/machines/lollo-old/remote-admin.nix @@ -1,37 +0,0 @@ -{ pkgs, lib, ... }: - -{ - - imports = [ - ../../configurations/common/programs/gpg.nix - ../../configurations/common/programs/password-store.nix - ]; - - home-manager.users.leah.services.gpg-agent = { - pinentryFlavor = lib.mkForce "curses"; - defaultCacheTtl = lib.mkForce 300; - defaultCacheTtlSsh = lib.mkForce 300; - maxCacheTtl = lib.mkForce 300; - maxCacheTtlSsh = lib.mkForce 300; - }; - - security.polkit.extraConfig = '' - polkit.addRule(function(action, subject) { - if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") && subject.isInGroup("wheel")) { - return polkit.Result.YES; - } - }); - ''; - - systemd.services.lockGPGCard = { - wantedBy = [ "multi-user.target" ]; - startAt = [ "*-*-* *:*/5" ]; - serviceConfig.User = "leah"; - serviceConfig.Group = "users"; - script = '' - ${pkgs.gnupg}/bin/gpgconf --reload scdaemon; - ${pkgs.coreutils-full}/bin/rm -rf /home/leah/.ssh/master*; - ''; - }; - -}
diff --git a/machines/lollo-old/router/default.nix b/machines/lollo-old/router/default.nix @@ -1,25 +0,0 @@ -{ pkgs, ... }: - -{ - - imports = [ - ./systemd-networkd.nix - ./nftables.nix - ./dnsmasq.nix - ./hostapd.nix - ]; - - boot = { - kernel.sysctl."net.ipv4.ip_forward" = true; - kernel.sysctl."net.ipv6.conf.all.forwarding" = true; - }; - - environment.systemPackages = with pkgs; [ - wireguard-tools - ]; - - services.avahi.interfaces = [ "brlan" ]; - networking.useDHCP = false; - -} -
diff --git a/machines/lollo-old/router/dnsmasq.nix b/machines/lollo-old/router/dnsmasq.nix 
@@ -1,123 +0,0 @@ -{ config, pkgs, ... }: - -{ - - dns.zones."ctu.cx".subdomains = with pkgs.dns.lib.combinators; { - home.NS = [ "home.ctu.cx." ]; - home.A = [ (a "195.39.246.42") ]; - home.AAAA = [ "2a0f:4ac0:acab::1" ]; - }; - - systemd.services.dnsmasq.onFailure = [ "email-notify@%i.service" ]; - - services = { - - resolved.enable = false; - - dnsmasq = { - enable = true; - extraConfig = '' - local-service - no-resolv - no-hosts - domain-needed - bogus-priv - - - server=1.1.1.1 - server=1.0.0.1 - server=8.8.8.8 - server=8.8.4.4 - - - local=/home.ctu.cx/ - domain=home.ctu.cx - - auth-ttl=600 - auth-server=home.ctu.cx, 195.39.246.42, 2a0f:4ac0:acab::42 - auth-zone=home.ctu.cx, 10.0.0.1/24, 195.39.246.32/28, 2a0f:4ac0:acab::1/64 - - host-record=home.ctu.cx, 195.39.246.42, 2a0f:4ac0:acab::1 - host-record=gateway.home.ctu.cx, 195.39.246.41, 2a0f:4ac0:acab::1 - cname=lollo.home.ctu.cx, home.ctu.cx - cname=legacy.home.ctu.cx, home.ctu.cx - cname=dnsmasq.home.ctu.cx, home.ctu.cx - cname=smart.home.ctu.cx, home.ctu.cx - cname=music.home.ctu.cx, home.ctu.cx - cname=storage.home.ctu.cx, home.ctu.cx - cname=influx.home.ctu.cx, home.ctu.cx - cname=wiki.home.ctu.cx, home.ctu.cx - cname=fedi.home.ctu.cx, home.ctu.cx - cname=things.home.ctu.cx, home.ctu.cx - cname=things.stasicontainer.home.ctu.cx, stasicontainer.home.ctu.cx - - address=/fritz.box/192.168.178.1 - address=/lollo/10.0.0.1 - address=/ads1700w/10.0.0.10 - address=/scanner/10.0.0.10 - - enable-ra - quiet-ra - - dhcp-authoritative - dhcp-rapid-commit - dhcp-sequential-ip - - dhcp-range=private, 10.0.0.100, 10.0.0.200, 255.255.255.0, 48h - dhcp-range=public, 195.39.246.34, static, 255.255.255.240, 195.39.246.47, 48h - dhcp-range= 2a0f:4ac0:acab::100, 2a0f:4ac0:acab::01ff, ra-names,slaac, 64, 48h - - dhcp-option=option6:information-refresh-time, 6h - dhcp-option=option6:dns-server, [2a0f:4ac0:acab::1] - dhcp-option=private, option:router, 10.0.0.1 - dhcp-option=private, option:dns-server, 10.0.0.1 - 
dhcp-option=public, option:router, 195.39.246.42 - dhcp-option=public, option:dns-server, 195.39.246.42 - - dhcp-host=f4:06:8d:df:1f:e3, accesspoint, 10.0.0.2 - dhcp-host=5c:f3:70:b9:35:9c, ctux-ads1700w, 10.0.0.10 - dhcp-host=50:57:8a:3d:63:4c, ctucx-ipad, 10.0.0.30 - - dhcp-host=00:e0:4c:30:05:ed, cbc-ffm02487, 195.39.246.34 - - dhcp-host=id:e8:6a:64:f4:49:e7, stasicontainer, [2a0f:4ac0:acab::35] - dhcp-host=e8:6a:64:f4:49:e7, stasicontainer, 195.39.246.35 - - dhcp-host=id:04:ea:56:f2:b4:6c, isa-x390, [2a0f:4ac0:acab::36] - dhcp-host=04:ea:56:f2:b4:6c, isa-x390, 195.39.246.36 - - dhcp-host=id:ac:67:5d:12:2f:5a, isa-p2max, [2a0f:4ac0:acab::37] - dhcp-host=ac:67:5d:12:2f:5a, isa-p2max, 195.39.246.37 - - dhcp-host=id:b0:be:83:3a:fa:1e, isabelles-mba, [2a0f:4ac0:acab::38] - dhcp-host=b0:be:83:3a:fa:1e, isabelles-mba, 195.39.246.38 - - dhcp-host=id:1c:57:dc:40:dc:b2, blechkasten, [2a0f:4ac0:acab::43] - dhcp-host=1c:57:dc:40:dc:b2, blechkasten, 195.39.246.43 - ''; - }; - - fcgiwrap.enable = true; - - nginx = { - enable = true; - virtualHosts."dnsmasq.home.ctu.cx" = { - enableACME = true; - forceSSL = true; - kTLS = true; - locations = { - "/".extraConfig = '' - include "${pkgs.nginx}/conf/fastcgi_params"; - fastcgi_param SCRIPT_FILENAME "${pkgs.dnsmasq-lease-overview}/bin/overview"; - fastcgi_param LEASE_PATH "/var/lib/dnsmasq/dnsmasq.leases"; - fastcgi_param QUERY_STRING $args; - fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; - ''; - }; - }; - }; - - }; - -} -
diff --git a/machines/lollo-old/router/hostapd.nix b/machines/lollo-old/router/hostapd.nix @@ -1,14 +0,0 @@ -{ inputs, ... }: - -{ - - services.hostapd = { - enable = false; - ssid = "hostapd.home.ctu.cx"; - wpaPassphrase = inputs.local-secrets.hosts.lollo.hostapd.passphrase; - interface = "wlp3s0"; - extraConfig = "bridge=brlan"; - }; - -} -
diff --git a/machines/lollo-old/router/nftables.nix b/machines/lollo-old/router/nftables.nix @@ -1,15 +0,0 @@ -{ config, pkgs, ... }: - -{ - - networking = { - firewall.enable = false; - - nftables = { - enable = true; - rulesetFile = ./ruleset.nft; - }; - }; - -} -
diff --git a/machines/lollo-old/router/ruleset.nft b/machines/lollo-old/router/ruleset.nft 
@@ -1,87 +0,0 @@ -flush ruleset - -table inet firewall { - chain inbound { - # By default, drop all traffic unless it meets a filter - # criteria specified by the rules that follow below. - type filter hook input priority 0; - policy drop; - - # Allow traffic from established and related packets. - ct state established,related accept - - # Drop invalid packets. - ct state invalid drop - - # Allow local connections. - iifname lo accept - iifname brlan accept - - # Allow all ICMP and IGMP traffic, but enforce a rate limit - # to help prevent some types of flood attacks. - ip protocol icmp limit rate 5/second accept - ip protocol igmp limit rate 5/second accept - #ip6 protocol ipv6-icmp icmpv6-type redirect drop - #ip6 protocol ipv6-icmp icmpv6-type 139 drop - ip6 nexthdr ipv6-icmp limit rate 5/second accept - - # Allow some ports - tcp dport ssh accept comment "ssh" - tcp dport domain accept comment "dns (tcp)" - udp dport domain accept comment "dns (udp)" - tcp dport http accept comment "http" - tcp dport https accept comment "https" - tcp dport 22000 accept comment "syncthing" - udp dport 21027 accept comment "syncthing" - tcp dport 5201 accept comment "iperf3 (tcp)" - udp dport 5201 accept comment "iperf3 (udp)" - } - - chain forward { - # By default, drop all traffic unless it meets a filter - type filter hook forward priority 0; - policy drop; - - # Allow traffic from established and related packets. - ct state established,related accept - - # Drop invalid packets. - ct state invalid drop - - # local clients can do whatever - iifname brlan accept - - # Allow all ICMP and IGMP traffic, but enforce a rate limit - # to help prevent some types of flood attacks. 
- ip protocol icmp limit rate 5/second accept - ip6 nexthdr ipv6-icmp limit rate 5/second accept - ip protocol igmp limit rate 5/second accept - - # drop incomming netbios traffic - tcp dport {139, 445} counter drop comment "silently drop NetBios" - udp dport {137, 138} counter drop comment "silently drop NetBios" - - #make public ips world accessible - ip daddr 195.39.246.33/28 accept - } - - chain outbound { - # Allow all outbound traffic - type filter hook output priority 0 - policy accept - } - -} - -table ip nat { - chain prerouting { - type nat hook prerouting priority -100 - policy accept - } - - chain postrouting { - type nat hook postrouting priority 0 - policy accept - oifname enp2s0 masquerade - } -}
diff --git a/machines/lollo-old/router/systemd-networkd.nix b/machines/lollo-old/router/systemd-networkd.nix 
@@ -1,138 +0,0 @@ -{ config, ... }: - -{ - - age.secrets.wireguard-privkey = { - file = ../../../secrets/lollo/wireguard-privkey.age; - mode = "640"; - owner = "root"; - group = "systemd-network"; - }; - - systemd.network = { - enable = true; - netdevs = { - - "20-brlan" = { - netdevConfig = { - Kind = "bridge"; - Name = "brlan"; - }; - }; - - "30-enp2s0.5" = { - netdevConfig = { - Kind = "vlan"; - Name = "enp2s0.5"; - }; - vlanConfig = { - Id = 5; - }; - }; - - "40-wg-pbb" = { - netdevConfig = { - Kind = "wireguard"; - Name = "wg-pbb"; - }; - wireguardConfig = { - PrivateKeyFile = config.age.secrets.wireguard-privkey.path; - ListenPort = 51820; - FirewallMark = 51820; - }; - wireguardPeers = [{ - wireguardPeerConfig={ - Endpoint = "195.39.247.172:51820"; - PublicKey = "QOQTpxvT122fiKBcN4QDADOjoDDzEW9sMWn/qngVF0Q="; - AllowedIPs = [ "0.0.0.0/0" "::/0" ]; - PersistentKeepalive = 10; -# RouteTable = "off"; - }; - }]; - }; - - }; - - networks = { - - "5-enp0" = { - matchConfig = { - Name = "enp0*"; - }; - DHCP = "yes"; - }; - - "10-enp2s0" = { - matchConfig = { - Name = "enp2s0"; - }; - DHCP = "yes"; - vlan = [ "enp2s0.5" ]; - }; - - "20-brlan" = { - matchConfig = { - Name = "brlan"; - Driver = "bridge"; - }; - DHCP = "no"; - address = [ - "10.0.0.1/24" - "195.39.246.42/28" - "2a0f:4ac0:acab::1/62" - ]; - routingPolicyRules = [ - { routingPolicyRuleConfig = { - From = "195.39.246.32/28"; - Table = 254; - Priority = 1900; - SuppressPrefixLength = 0; - };} - { routingPolicyRuleConfig = { - From = "2a0f:4ac0:acab::/62"; - Table = 254; - Priority = 1900; - SuppressPrefixLength = 0; - };} - { routingPolicyRuleConfig = { - From = "195.39.246.32/28"; - Table = 1234; - Priority = 2000; - };} - { routingPolicyRuleConfig = { - From = "2a0f:4ac0:acab::/62"; - Table = 1234; - Priority = 2000; - };} - ]; - }; - - "30-enp2s0.5" = { - matchConfig = { - Name = "enp2s0.5"; - }; - bridge = [ "brlan" ]; - }; - - "40-wg-pbb" = { - matchConfig = { - Name = "wg-pbb"; - }; - linkConfig = { 
- MTUBytes = "1500"; - }; - routes = [ - { routeConfig = { - Destination = "0.0.0.0/0"; - Table = "1234"; - };} - { routeConfig = { - Destination = "::/0"; - Table = "1234"; - };} - ]; - }; - - }; - }; -}
diff --git a/machines/lollo/bind.nix b/machines/lollo/bind.nix @@ -1,29 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - - deployment.tags = [ "dns" ]; - - services.bind = { - enable = true; - extraConfig = '' - acl "trusted" { - 10.0.0.0/8; - 195.39.246.32/28; - 2a0f:4ac0:acab::/62; - localhost; - }; - ''; - - extraOptions = '' - allow-recursion { trusted; }; - allow-query-cache { trusted; }; - ''; - }; - - networking.firewall = { - allowedTCPPorts = [ 53 ]; - allowedUDPPorts = [ 53 ]; - }; - -}
diff --git a/machines/lollo/configuration.nix b/machines/lollo/configuration.nix 
@@ -1,184 +0,0 @@ -{ inputs, config, lib, pkgs, ... }: - -{ - - deployment.targetHost = "lollo.ctu.cx"; - - imports = [ - inputs.impermanence.nixosModules.impermanence - - ./hardware-configuration.nix - - #dns server - ./bind.nix - - ../../configurations/linux/services/prometheus-exporters.nix - ../../configurations/linux/services/restic-server.nix - - ./websites - ]; - - networking.usePBBUplink = true; - - dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = lib.mkIf config.networking.usePBBUplink (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); - dns.zones."ctu.cx".subdomains."${config.networking.hostName}.home" = lib.mkIf config.networking.usePBBUplink (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); - dns.zones."ctu.cx".subdomains."legacy.home" = lib.mkIf config.networking.usePBBUplink (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); - dns.zones."ctu.cx".subdomains."home" = lib.mkIf config.networking.usePBBUplink (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); - - age.secrets.restic-server-lollo.file = ../../secrets/restic-server/lollo.age; - age.secrets.restic-server-wanderduene.file = ../../secrets/restic-server/wanderduene.age; - - boot = { - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - - kernel.sysctl = { - "net.ipv6.conf.eno1.forwarding" = lib.mkIf config.networking.usePBBUplink 0; - "net.ipv6.conf.eno1.autoconf" = lib.mkIf config.networking.usePBBUplink 0; - "net.ipv6.conf.eno1.accept_ra" = lib.mkIf config.networking.usePBBUplink 0; - }; - - initrd.network = { - enable = true; - ssh = { - enable = true; - port = 22; - hostKeys = [ /etc/ssh/ssh_host_rsa_key ]; - authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); - }; - - postCommands = '' - echo 'cryptsetup-askpass' >> /root/.profile - - '' + 
lib.optionalString config.networking.usePBBUplink '' - sysctl -w net.ipv6.conf.eno1.autoconf=0 - sysctl -w net.ipv6.conf.eno1.accept_ra=0 - - '' + '' - - ip link set dev eno1 up - - ip addr add 195.39.246.42/28 dev eno1 - ip addr add 10.0.0.42/8 dev eno1 - ip route add default via 195.39.246.41 dev eno1 onlink - - '' + lib.optionalString config.networking.usePBBUplink '' - ip addr add 2a0f:4ac0:acab::42/128 dev eno1 - ip route add default via 2a0f:4ac0:acab::1 dev eno1 onlink - ''; - }; - }; - - systemd.network.networks = { - "40-eno1".networkConfig.IPv6AcceptRA = lib.mkIf config.networking.usePBBUplink false; - }; - - networking = { - domain = "home.ctu.cx"; - - useDHCP = false; - nameservers = [ "8.8.8.8" ]; - - defaultGateway = "195.39.246.41"; - defaultGateway6 = lib.mkIf config.networking.usePBBUplink { - address = "2a0f:4ac0:acab::1"; - interface = "eno1"; - }; - - interfaces.eno1 = { - ipv4.addresses = [ - (lib.mkIf config.networking.usePBBUplink { - address = "195.39.246.42"; - prefixLength = 28; - }) - { - address = "10.0.0.42"; - prefixLength = 8; - } - ]; - - ipv6.addresses = lib.mkIf config.networking.usePBBUplink [{ - address = "2a0f:4ac0:acab::42"; - prefixLength = 62; - }]; - }; - - firewall.enable = true; - firewall.allowedTCPPorts = [ 5201 ]; - firewall.allowedUDPPorts = [ 5201 51820 ]; - firewall.extraCommands = '' - iptables -A nixos-fw -p tcp -s 10.0.0.0/8 -j nixos-fw-accept - iptables -A nixos-fw -p udp -s 10.0.0.0/8 -j nixos-fw-accept - iptables -A nixos-fw -p tcp -s 195.39.246.32/28 -j nixos-fw-accept - iptables -A nixos-fw -p udp -s 195.39.246.32/28 -j nixos-fw-accept - ip6tables -A nixos-fw -p tcp -s 2a0f:4ac0:acab::/62 -j nixos-fw-accept - ip6tables -A nixos-fw -p udp -s 2a0f:4ac0:acab::/62 -j nixos-fw-accept - ''; - }; - - environment.persistence."/nix/persist" = { - directories = [ - "/var/log" - "/var/lib" - ]; - files = [ - "/etc/machine-id" - "/etc/ssh/ssh_host_ed25519_key" - "/etc/ssh/ssh_host_ed25519_key.pub" - 
"/etc/ssh/ssh_host_rsa_key" - "/etc/ssh/ssh_host_rsa_key.pub" - ]; - }; - - systemd.services.syncthing = { - requires = [ "home-manager-leah.service" ]; - after = [ "home-manager-leah.service" ]; - }; - - services.syncthing = { - dataDir = "/nix/persist/home/leah/syncthing"; - configDir = "/nix/persist/home/leah/.config/syncthing"; - }; - - programs.fuse.userAllowOther = true; - - home-manager.users.leah = { - imports = [ inputs.impermanence.nixosModules.home-manager.impermanence ]; - - home.persistence."/nix/persist/home/leah" = { - allowOther = true; - directories = [ - "syncthing" - ]; - files = [ - "addToBikeMap.sh" - ".bash_history" - ".local/share/mcfly/history.db" - ]; - }; - }; - - age.identityPaths = [ - "/nix/persist/etc/ssh/ssh_host_ed25519_key" - ]; - - services = { - email-notify.enable = true; - nginx.virtualHosts."${config.networking.fqdn}" = { - enableACME = lib.mkIf (config.networking.usePBBUplink == false) false; - forceSSL = lib.mkIf (config.networking.usePBBUplink == false) false; - kTLS = lib.mkIf (config.networking.usePBBUplink == false) false; - }; - nginx.virtualHosts."restic.lollo.ctu.cx" = { - enableACME = lib.mkIf (config.networking.usePBBUplink == false) false; - forceSSL = lib.mkIf (config.networking.usePBBUplink == false) false; - kTLS = lib.mkIf (config.networking.usePBBUplink == false) false; - }; - }; - - system.stateVersion = "22.05"; # Did you read the comment? - home-manager.users.leah.home.stateVersion = "22.11"; - -}
diff --git a/machines/lollo/hardware-configuration.nix b/machines/lollo/hardware-configuration.nix 
@@ -1,55 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "e1000e" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - boot.initrd.luks.devices."nix-store".device = "/dev/disk/by-uuid/ecc0d846-75c4-4f40-b050-4879b98731f8"; - - fileSystems."/" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = [ "size=10G" "mode=755" ]; - }; - - fileSystems."/home/leah" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = [ "size=2G" "mode=777" ]; - }; - - fileSystems."/nix" = { - device = "/dev/disk/by-uuid/c718261d-c79c-4490-b1f1-664e718550aa"; - fsType = "ext4"; - neededForBoot = true; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/0CDC-035A"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eno1.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true; - - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - # high-resolution display - hardware.video.hidpi.enable = lib.mkDefault true; -}
diff --git a/machines/lollo/websites/default.nix b/machines/lollo/websites/default.nix @@ -1,10 +0,0 @@ -{ ... }: - -{ - - imports = [ - ./oeffisear.ch.nix - ]; - -} -
diff --git a/machines/lollo/websites/oeffisear.ch.nix b/machines/lollo/websites/oeffisear.ch.nix 
@@ -1,85 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - - dns.zones."oeffisear.ch" = lib.mkIf config.networking.usePBBUplink (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); - - users.groups.oeffisearch = {}; - users.users.oeffisearch = { - isSystemUser = true; - home = "/var/lib/oeffisearch"; - group = "oeffisearch"; - }; - - # age.secrets.restic-oeffisearch.file = ../../../secrets/lollo/restic/oeffisearch.age; -# - # restic-backups.oeffisearch = { - # user = "oeffisearch"; - # passwordFile = config.age.secrets.restic-oeffisearch.path; - # paths = [ "/var/lib/oeffisearch" ]; - # }; - - # systemd.services.oeffisearch = { - # wantedBy = [ "multi-user.target" ]; - # after = [ "network.target" ]; - # onFailure = [ "email-notify@%i.service" ]; -# - # serviceConfig = { - # User = "oeffisearch"; - # Group = "oeffisearch"; -# - # WorkingDirectory = "/var/lib/oeffisearch"; - # ReadWritePaths = [ "/var/lib/oeffisearch" ]; -# - # PrivateTmp = true; - # ProtectHome = true; - # ProtectSystem = "strict"; - # ProtectKernelTunables = true; - # ProtectHostname = true; - # ProtectClock = true; - # ProtectControlGroups = true; - # RestrictAddressFamilies = "AF_INET AF_INET6"; -# - # NoNewPrivileges = true; - # PrivateDevices = true; - # RestrictSUIDSGID = true; - # ProtectKernelModules = true; - # MemoryDenyWriteExecute = true; - # RestrictNamespaces = true; - # RestrictRealtime = true; - # LockPersonality = true; -# - # ExecStart = "${pkgs.oeffisearch}/bin/oeffisearch"; -# - # Restart = "on-failure"; - # RestartSec = "5"; - # }; -# - # environment = { - # PORT = "8081"; - # CACHE_PATH = "/var/lib/oeffisearch"; - # }; - # }; -# - services.nginx = { - enable = true; - virtualHosts."oeffisear.ch" = { - enableACME = lib.mkIf config.networking.usePBBUplink true; - forceSSL = lib.mkIf config.networking.usePBBUplink true; - kTLS = lib.mkIf config.networking.usePBBUplink true; - locations = { - "/" = { - root = ./oeffisearch; - index = "index.html"; - }; - # 
"@api".proxyPass = "http://127.0.0.1:8081"; - # "/" = { - # root = "${pkgs.oeffisearch}/share/oeffisearch"; - # index = "index.html"; - # tryFiles = "$uri $uri/ @api"; - # }; - }; - }; - }; - -}
diff --git a/machines/lollo/websites/oeffisearch/favicon-64x64.png b/machines/lollo/websites/oeffisearch/favicon-64x64.png Binary files differ.
diff --git a/machines/lollo/websites/oeffisearch/index.html b/machines/lollo/websites/oeffisearch/index.html @@ -1,60 +0,0 @@ -<!DOCTYPE html> -<html lang="de"> - <head> - <title>Öffisearch</title> - <meta charset="UTF-8"> - - <meta name="viewport" content="width=device-width, initial-scale=1.0"> - <meta name="theme-color" content="#ffffff"> - <meta name="description" content="Plan your public transport journeys"> - - <link rel="icon" type="image/png" sizes="64x64" href="/favicon-64x64.png"> - <link rel="manifest" href="manifest.json"> - <style> -body { - background-color: #2a2a2a; - min-height: 100vh; - overflow-x: hidden; - overflow-y: visible; -} - -#overlay { - position: fixed; - top: 0; - left: 0; - height: 100vh; - width: 100vw; - overflow: hidden; - display: flex; - flex-direction: column; -} - -#overlay>* { - margin: auto; -} - -#logo { - background-color: #7171e5; - border-radius: 15%; - width: 50vmin; - height: 50vmin; -} - -#logo>svg { - width: 75%; - height: 75%; - margin: 12.5%; - fill: white; -} - </style> - </head> - <body> - <div id="content"></div> - <div id="overlay"> - <div id="logo"> - <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><path d="M12 2c-4 0-8 .5-8 4v9.5C4 17.43 5.57 19 7.5 19L6 20.5v.5h2.23l2-2H14l2 2h2v-.5L16.5 19c1.93 0 3.5-1.57 3.5-3.5V6c0-3.5-3.58-4-8-4zM7.5 17c-.83 0-1.5-.67-1.5-1.5S6.67 14 7.5 14s1.5.67 1.5 1.5S8.33 17 7.5 17zm3.5-7H6V6h5v4zm2 0V6h5v4h-5zm3.5 7c-.83 0-1.5-.67-1.5-1.5s.67-1.5 1.5-1.5 1.5.67 1.5 1.5-.67 1.5-1.5 1.5z"/><path fill="none" d="M0 0h24v24H0V0z"/></svg> - </div> - <h1 style="color:white;">Öffisearch is currently unavailable.</h1> - </div> - </body> -</html>- \ No newline at end of file
diff --git a/machines/lollo/websites/oeffisearch/manifest.json b/machines/lollo/websites/oeffisearch/manifest.json @@ -1,21 +0,0 @@ -{ - "name": "Öffisearch", - "short_name": "Öffisearch", - "start_url": ".", - "icons": [ - { - "src": "/favicon-64x64.png", - "sizes": "64x64", - "type": "image/png" - }, - { - "src": "/favicon-512x512.png", - "sizes": "512x512", - "type": "image/png" - } - ], - "theme_color": "#ffffff", - "background_color": "#ffffff", - "display": "standalone" -} -
diff --git a/machines/trabbi/configuration.nix b/machines/trabbi/configuration.nix
@@ -28,7 +28,6 @@
 networking.primaryIP = "2a0a:4cc0:1:2d7::1";
 networking.primaryIP4 = "89.58.62.171";
- age.secrets.restic-server-lollo.file = ../../secrets/restic-server/lollo.age;
 dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP);
 age.secrets.restic-server-briefkasten.file = ../../secrets/restic-server/briefkasten.age;
diff --git a/modules/linux/restic-backups.nix b/modules/linux/restic-backups.nix
@@ -44,7 +44,7 @@ let
 targets = mkOption {
 type = with types; listOf str;
- default = [ "wanderduene.ctu.cx" "lollo.ctu.cx" ];
+ default = [ "wanderduene.ctu.cx" "briefkasten.ctu.cx" ];
 };
 timerConfig = mkOption {
@@ -99,8 +99,8 @@ in {
 cp ${backup.passwordFile} /tmp/passwordFile;
- ${if builtins.elem "lollo.ctu.cx" backup.targets then ''
- cp /run/agenix/restic-server-lollo /tmp/lollo.ctu.cx;
+ ${if builtins.elem "briefkasten.ctu.cx" backup.targets then ''
+ cp /run/agenix/restic-server-briefkasten /tmp/briefkasten.ctu.cx;
 '' else "" }
 ${if builtins.elem "wanderduene.ctu.cx" backup.targets then ''
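Review bot: `cp /run/agenix/restic-server-briefkasten /tmp/briefkasten.ctu.cx;` in the second hunk copies a server credential into the shared `/tmp` with whatever mode the script's umask yields — `cp` does not carry over the restrictive mode agenix gives files under `/run/agenix` — so unless the unit runs with `PrivateTmp=true` or the script sets `umask 077` (both would be in the `serviceConfig` or script head, outside this hunk) every local user can read it, and the pre-existing `cp ${backup.passwordFile} /tmp/passwordFile;` line above has the same exposure. The hard-coded `/run/agenix/...` path also bypasses the module system: `install -m 0400 ${config.age.secrets.restic-server-briefkasten.path} /tmp/briefkasten.ctu.cx;` (assuming the module binds `config`, as NixOS modules normally do) would fail at evaluation time on a host that lists `briefkasten.ctu.cx` in `targets` without declaring the secret, instead of failing in the shell at backup time. A host whose explicit `targets` still names `lollo.ctu.cx` now matches neither `builtins.elem` branch and runs restic with no credential file for that target, silently. The enclosing `options` set and the backup script both start and end outside the hunk.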
diff --git a/secrets/lollo-old/syncthing/cert.age b/secrets/lollo-old/syncthing/cert.age @@ -1,28 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDR3UwZWNueWhpL3NDY3Ru -U3VZS00rMUxxYitLZmJNMkdxMnFYUVMyVWtvCnFCdllMeHhObmt4VU9NRSt6L3NT -bzBMSDduc3ZZRVhnSjUwUkFnR1F3R0kKLT4gc3NoLWVkMjU1MTkgMkx1b1pnIDRi -N0ROdzBOVmRreDNBY3E1U0NzU00vN0JBTXpxMXJONW9vQllpVTEzbU0KTnJOQkZz -WG44czFpcTFRL241STMzZHlGamhEM3owMnBXRGJuUVVGSzVmOAotPiBafDAtZ3Jl -YXNlIDNxPXg9IFJrTiBUR3pUYUJ8IGJ8PiNACk56ck9nNi8yWE9CMzJ2Y1NjaVVK -bWhoTlExQ0dDYmFVbHJaZk5TbWJPYUpjaU5xTkQwN2NnYmVobDZIYTRLaDkKQWpZ -cXBXbWp5YzcwTDVZcFZvRQotLS0gMXZqS2dYZkdENklpWU1XTzUwSzkrNlBLc1dx -RnNNTXViWkpGOHYzUXZVRQq4jUBfstVB1ORQuC71LQl0gs//L2CqFx2K5GkuknMQ -3aBO3UDYOry8Qoc3Xv0iiyp4UVDd+IZZgfp7XVHUfH6V2H8wgN3103arC3+zkNHY -wjRG/dhGPA/ua3iSIpt3NyGHHb4QqAhpKhyjbMToUBADnrP/TLq18LWJiWDaU4Bv -PfsU107VgDKeg6MBM4VKowGKtDPhpIIJLxCAmlbsyhIMSST0EGo1L/UMhyfnKIJV -oBf/HeaHU4yumvdU4JGvmIyMyZoTYXTamq64bGX8oqBVp20dn6mcLxtaGk7r1+qd -j5lmH+wmzFHmwn5xj3d6/gQWPZSMeloPmX1dGCfdY55iDszKMLyTlDy1Quw8M6Em -SbXD2uIoRlHkKEvYg2SMxvgoH6kOBsxrRvzHN7U4KR3tG1D8JOUWJlHHQYdyDzFZ -vU4oY1ohwHWNM/e2gxnBn7y4m7pPrRvdPVDHcV2P/NiZ5+Stj6NKDNhRCCdpFQ2u -dyc8JCniEJnOsc6TXcIE4ayM8nU0fI72wsAk19WYOHJZLR3Dk+KmGAfIC4c9Omjh -wVysydF99BFWhQcyNwAohayk8vvXwT200aODikNoPilmPhYtns+aj+bQgXWfxVAT -ak6XnpmIcN8PDnYDCAgw08E8ITl5b7LvcsVp64uvQ5RQ4bHcl3j/lMkEajyW+ueA -Pfr1kkl03rnqOCt7Ehh9RFdd+ADbDkN7JIFFUp7c5nQOWJfM9Jxo40vftAfIZFvl -LyGNmvISdd1ALkwZczE6xakO/HJWv4orRUX/qpQIPl14y4BSb+QTHB3ftpmBcLYU -0mMJ0BzbY9jyvke5inFG85WFOwyyH+sIqHRY7kHlQVeLJfBOmzKnS62pQC/8mI9y -0CbVv8+iD5tzvJCwMp3d1cXDZnJKKV0HUN50JoYHDnwKifuwyOQ1OGK/cFUNFZTV -zIebjGpRWxaRSL4x9Cb3AHM1d4mHmpJby84/P1TT73SbMC3YhZnCQOfZg2SeK8e3 -y1XcVEBn6fmZmJW3YEiUjapIa486+fPx/E38xvUQwGZSSjbDP2/0ktpH3Epk0DRR -5jZYi7azRKGqb1UvVSj8XteuTmkUj0+rCoZR ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/lollo-old/syncthing/key.age b/secrets/lollo-old/syncthing/key.age @@ -1,18 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUGlnM2tNMkwxYVBzTnp3 -U2ZMQ2poNEF3cVNZblVHK05IRVJhM204em1nClB6MDd2MU5rTHhIQy9aaWZlK29B -SitpWjZUNVlDTFBiQmZ6QVhBNHdlS1kKLT4gc3NoLWVkMjU1MTkgMkx1b1pnIHVN -bWhmRXI2c2o0OUc0U3A4SFdIN3BTbVdRRHdGUTUrbE96WXJTSTdaVXcKZ0VkWEhE -SlFXZURnQ09VWFZHNkRNNHNCRGNmdVVyRnE1OUlXaTBCZ3pscwotPiAkfmJpfS1n -cmVhc2UgbmRvICNTTiB7L1U6dWNeYAp5emhNdlBiS2dGRE41WHVoMmxTSTlwZlR6 -aGlRdEZoa01Yc3Q1MDhNNFRkMkRncHhmMm50R09GTlhJZ3lrV1dVCnI5UEx0Y0Y5 -cmVLTEY5TGl5K20vSC9zdVhQaWpBamtDN1ZrWjhLaHllczZMCi0tLSAwMDE4Y3ZJ -ZnBPcHRvVTh2T1A3bzN2S1h2Y0xaUjNKNmZ2NVFSU0RiWUlNCgtGRxKpUcJizZu4 -mjTSgeJxrZwRwUVmmpTUdbmp8GGhqEPBODdadGLpDWjvLapwL0RcKNmKkyx0OkLC -29mBiuM3vzRqNdfcGclT8knglAEMDxG3lZiIynS4zAGgrJQJXy3pNNpSTc1S1zlC -7hLo4IbnABW6AD8Q0tL0y2HVE9ZW80dYDjTfxsmSAaJgLeScn0HETiAWTWi9vglh -3fcpbtR2KoyWqeS/wrrLzlW7TYJFDePTWiXFHjraaELFif+Wj/nPPBdqRUs5CEIJ -eWjfdUzAEqgWb6IZrLD47Lr1/EPY4CVU2rogeQswCSyRtPJKzHPYjymwwMLD8Eqm -VlHo+gnXZ8bsTrt4DaNf3VFBoUWt1qaaXYUrOMC3njNMmuBp+hQwXPmKJtzVN2eg -VCECGfJnHTHuZ83EnR2w62LrcbhB ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/lollo/restic-server-htpasswd.age b/secrets/lollo/restic-server-htpasswd.age @@ -1,11 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWNDYzYXROemtoQVNFODNK -S3luSXFoMU9GbDdiSzg1OWM0KzByUitaVGo0CkxodEFtSWp1aGZ4YmZOMFhsWlB3 -WUQyN1RWQm55c0VWaDVyWlpxVXFyVDQKLT4gc3NoLWVkMjU1MTkgMXJjY0t3IHUr -elpONmFjN21ZV1B3S016RzQ4NWxzSWx5ckRIbTBSSXA0S2YwUmVpeTgKYkNzL21Z -MjRzQ21kL3p3OGYvb2pNSEl2QWtrSWticjhja2N2U08yVU9IRQotPiAnUyMpLWdy -ZWFzZSBoeD1HK04jIGIKUkhLenZ1NTYKLS0tIGdaRXAvSFZHdmNCTEFtUExnY1dw -akxGd05tNXhVTDBtNkVMNzBubmFTQmMKwsibmN6yLwRhN0lw9UUZRJqiSj60jI1A -UeRQWBjQcPeyiBjdU0HNU/kuFTS+YRyVaiyQja+UenenPmkhie5dcRDmjSPJTmiS -mAU= ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/lollo/restic/oeffisearch.age b/secrets/lollo/restic/oeffisearch.age @@ -1,11 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtb2Y0NVZhZlVWWlM1Qkpo -OG8wSjIxamRrOGpQSGNyMGlHUUliRHU4UmdjClQ5cHdLYjdLTG5pb3RWSDNORS9I -ZGpZeUNGOE1rdXNmdHBkTGZ3NGxNSVEKLT4gc3NoLWVkMjU1MTkgMXJjY0t3IFMw -YXZEa1JsekFybWJsRjZrV2U1cHpBb1RhT0xwb05nRlE2dzFwS3QzVGsKNStsYk54 -anpENGEwalhGbExrVG1NeC9sa1F5MTZDZm5mdU5DdlJMeFJoTQotPiBeMS8hZzxq -Wi1ncmVhc2UgcmJUKyAob2QxWSMoLSAybWUkTj0mQCB5cyhSCms1c1VNRmh1Tk9M -czNHYzZEcmZVR0dRVkMzdTA1cnFoWUVUTmd4SkFsWnlVMHE5NQotLS0gZFVQTndJ -bG1HdHp1OVd3MnhZNURqRW9aVE5udll6OW5jOFUzS3U4K0dCYwqDN9KCwEDuqy+O -grRf1xEGJzqGcg9NtcdEvt8LtNvBEduPnbP63MDIUBjyvmrTJm++JKBAZC6n5n8O ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/lollo/restic/vnstat.age b/secrets/lollo/restic/vnstat.age @@ -1,12 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxWjdhU3dVSzU3OGtJQWYw -SitjQXFESXM2NlRlOHhZVjlndFB5bitkQWxJCi9HeEo3VTNaVW1DVnJDOEwvYmtN -M2dmQUlubU5kUytkZU1nSmVUWDNETHcKLT4gc3NoLWVkMjU1MTkgMXJjY0t3IHVH -K09vcTZIOTUzemlOMXJhWm5jT25uZXhOUEtQby9HWGpNTW8vZTNWVkEKS1RLNlNZ -ekh2V3ovT1Z6anBiSVViTEMzQkw4Qmo4ZWtucEV6K3MvYkpxWQotPiBTRXUoLWdy -ZWFzZSB5dWpRUgpMV0dwb3dXRW5EenRUd0UrdmZ4TGFOY0g4Z3ZPU3Y5ZTVVSk5W -a1pkUXp0aTRWSFJrMWNMMjBpZzBwRy9iZVNkCkxmZ2FtdEVraCt4c3p1UkFPS2VE -aHFJTE83Q1hSNkNLQkNLeTBXSkt2M1hVSDB0ZDdocXNBVXNyCi0tLSBvZVV3cmNw -aFJ2S2xrYmp3L2o5TjM5dTdiM1RWVWRFS2gyKzI0K2s4MVhVCi/ORgT2Inpwcr6F -wkofITHqWbF7lEiWbU2+l/AwQVkVuRGn7xwpqlaa7sNMQQRa8Co= ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/restic-server/lollo.age b/secrets/restic-server/lollo.age @@ -1,17 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MWVEM3pIMTh2WGtjRHF5 -bFp0dWt0M2pnclFOcFdrRHd1RGlvU0grMVJ3Ck5PSndCMk9WUWMxTlZaTjBwSjZi -WFJnUzJaTWFMQUtTNVNrUXpGQm5CNEEKLT4gc3NoLWVkMjU1MTkgVjB1VXJ3IEx1 -TkdYeWpLT1FwcFpvQUVFeGJTTVdoN2dtYnVzVWdxZVl1RHVMOXI1eDgKOU16MDRM -SW1BTWJWcGxjT1NDNWQ2b2k0UWx2b1RxT242TmU3MTFpSFFHdwotPiBzc2gtZWQy -NTUxOSAxcmNjS3cgTXhPUFRiYlpTSTZucXBadC9lV2tsNE00SW1xYUJoWVJwaFhm -b2IveGQyMApOQlFoVmlDK28reHIxZVZlOU9JVEYxbU5NeG5lWUN2NkJTSUVEOU9q -ZHNjCi0+IHNzaC1lZDI1NTE5IDJMdW9aZyBNK2RSYXdUQzU5K1J5RUJoMWJGMXBC -M0R5aDlGVlZJZHM4MUdQVW9PemlNCnFwcE02OTZhQzNwNzNudUJ3dytySkgrM2w5 -Z1hCKzRLa0xGSGk4Q0hVemsKLT4gY2FILWdyZWFzZQoxVHRHMDdIWjhjZUdSVENT -Z29jelZpNmtHclVuRjhnNjFGOU5HNndvNHpFTis3UjNEdDE2NDloMytqSXp0cm1p -Ci9semtMeWJEdTRJeVZHU20zelVhMXhzSFFNSkw2RmllaWdodzlBCi0tLSBRSTZB -Q2FYSU1oZCtncXppeHI4bXRBTnV4K1djYWFQS2tKVDY0UzRDSEswCkAIAN1KuDUm -XBJDokE2f+ix6NripiKBhm3y2G0OBobLnaL5RDZwtRtc0u5plt4Khcfhsiq0mYQc -Kw== ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -4,21 +4,17 @@ let
   coladose = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2ky7icnZOUMDtBPwVoq5icGFAzf1C5nfNhoqZEins7";
   #servers
-  lollo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9YnaIwC5gjlp/ETI6lmpwCYfstnX+DZEt0ZDhQKuwM";
-  lollo-old = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNCdn6aHCgxG1tq5f0XPvQ+lIgsQ/3gzT6FNvokOIgX";
   briefkasten = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8mi9ZKPdhn20g9gyxE7NYBq/vAKemW4lhaQlLw5QVc";
   trabbi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLBBZJ9/644d71E8A7IFU7dvDHI+OR/7q79KvqmI/i/";
   wanderduene = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+HWYkFCmuHR8HeExYXc2L9CxRdvYZ1UCkbbeDCvF0u";
 in {
-  "passwords/leah-at-f2k1-de.age".publicKeys = [ leah trabbi lollo lollo-old briefkasten wanderduene ];
-  "passwords/leah.age".publicKeys = [ leah trabbi lollo lollo-old briefkasten wanderduene ];
+  "passwords/leah-at-f2k1-de.age".publicKeys = [ leah trabbi wanderduene briefkasten ];
+  "passwords/leah.age".publicKeys = [ leah trabbi wanderduene briefkasten ];
-
-  "restic-server/lollo.age".publicKeys = [ leah trabbi lollo lollo-old ];
   "restic-server/briefkasten.age".publicKeys = [ leah trabbi briefkasten ];
-  "restic-server/wanderduene.age".publicKeys = [ leah trabbi lollo lollo-old briefkasten ];
+  "restic-server/wanderduene.age".publicKeys = [ leah trabbi briefkasten ];
   "blechkasten/syncthing/key.age".publicKeys = [ leah blechkasten ];
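Review bot: Dropping `lollo` and `lollo-old` from the `publicKeys` of `passwords/leah-at-f2k1-de.age`, `passwords/leah.age` and `restic-server/wanderduene.age` only changes the recipient list for future encryptions; the `.age` files already in the repository stay decryptable by those hosts' keys until they are rekeyed (e.g. `agenix -r`), and nothing in this hunk shows those ciphertexts being re-encrypted. Even after a rekey the old ciphertexts remain in git history, so if the `lollo`/`lollo-old` host private keys are not known to have been destroyed, rotating the credentials inside those secrets is the durable mitigation rather than the recipient-list change alone. A short comment above the `#servers` list would keep this from being missed next time, e.g. `# removing a host here does not rekey existing .age files: rekey, and rotate any secret the retired host could read`.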
@@ -45,14 +41,11 @@ in {
   "briefkasten/solar-nrw/vpn-secrets.age".publicKeys = [ leah briefkasten ];
   "briefkasten/solar-nrw/solax2mqtt.age".publicKeys = [ leah briefkasten ];
-  "lollo/restic-server-htpasswd.age".publicKeys = [ leah lollo ];
   "briefkasten/wireguard-privkey.age".publicKeys = [ leah briefkasten ];
-  "lollo/restic/vnstat.age".publicKeys = [ leah lollo ];
-  "lollo/restic/oeffisearch.age".publicKeys = [ leah lollo ];
-  "briefkasten/radicale-users.age".publicKeys = [ leah briefkasten ];
   "briefkasten/gotosocial-env.age".publicKeys = [ leah briefkasten ];
+  "briefkasten/radicale-users.age".publicKeys = [ leah briefkasten ];
   "briefkasten/restic-server-htpasswd.age".publicKeys = [ leah briefkasten ];
@@ -70,8 +63,6 @@ in {
   "briefkasten/restic/syncthing-media.age".publicKeys = [ leah briefkasten ];
   "briefkasten/restic/syncthing-windoofs.age".publicKeys = [ leah briefkasten ];
-  "lollo-old/syncthing/key.age".publicKeys = [ leah lollo-old ];
-  "lollo-old/syncthing/cert.age".publicKeys = [ leah lollo-old ];
   "briefkasten/restic/syncthing-bahn-richtlinien.age".publicKeys = [ leah briefkasten ];
   "briefkasten/restic/syncthing-blechelse.age".publicKeys = [ leah briefkasten ];
   "briefkasten/restic/syncthing-cutieshare.age".publicKeys = [ leah briefkasten ];