commit a14cc585532917578406a43385357eb2a7c3530f
parent 0d8149e9114d4d527ca790adc4f1d94af906a904
Author: Leah (ctucx) <git@ctu.cx>
Date: Fri, 12 May 2023 14:07:44 +0200
parent 0d8149e9114d4d527ca790adc4f1d94af906a904
Author: Leah (ctucx) <git@ctu.cx>
Date: Fri, 12 May 2023 14:07:44 +0200
machines: add machine `briefkasten`
11 files changed, 313 insertions(+), 52 deletions(-)
A
|
140
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/hive.nix b/hive.nix @@ -18,6 +18,7 @@ inputs: overlays: lollo = import ./machines/lollo/configuration.nix; #lollo-old = import ./machines/lollo-old/configuration.nix; + briefkasten = import ./machines/briefkasten/configuration.nix; trabbi = import ./machines/trabbi/configuration.nix; wanderduene = import ./machines/wanderduene/configuration.nix;
diff --git a/machines/briefkasten/configuration.nix b/machines/briefkasten/configuration.nix 
@@ -0,0 +1,140 @@ +{ inputs, config, lib, pkgs, ... }: + +{ + + deployment.targetHost = config.networking.secondaryIP4; + + imports = [ + ./hardware-configuration.nix + ./impermanence.nix + + ../../configurations/linux/services/prometheus-exporters.nix + ../../configurations/linux/services/restic-server.nix + ]; + + networking.usePBBUplink = true; + networking.primaryIP = "2a0f:4ac0:acab::45"; + networking.primaryIP4 = "195.39.246.45"; + networking.secondaryIP4 = "10.0.0.45"; + + dns.zones."ctu.cx".subdomains."${config.networking.hostName}.home" = lib.mkIf config.networking.usePBBUplink (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP); + dns.zones."ctu.cx".subdomains."${config.networking.hostName}".CNAME = lib.mkIf config.networking.usePBBUplink [ "${config.networking.hostName}.home" ]; + + age.secrets = { + restic-server-briefkasten.file = ../../secrets/restic-server/briefkasten.age; + restic-server-wanderduene.file = ../../secrets/restic-server/wanderduene.age; + }; + + boot = { + + kernel.sysctl = { + "net.ipv6.conf.enp1s0.forwarding" = lib.mkIf config.networking.usePBBUplink 0; + "net.ipv6.conf.enp1s0.autoconf" = lib.mkIf config.networking.usePBBUplink 0; + "net.ipv6.conf.enp1s0.accept_ra" = lib.mkIf config.networking.usePBBUplink 0; + }; + + # seems to make realtek ethernet faster? 
+ kernelParams = [ + "pcie_aspm=off" + ]; + + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + + initrd.network = { + enable = true; + ssh = { + enable = true; + port = 22; + hostKeys = [ /etc/ssh/ssh_host_rsa_key ]; + authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); + }; + + postCommands = '' + echo 'cryptsetup-askpass' >> /root/.profile + + '' + lib.optionalString config.networking.usePBBUplink '' + sysctl -w net.ipv6.conf.enp1s0.autoconf=0 + sysctl -w net.ipv6.conf.enp1s0.accept_ra=0 + '' + '' + + ip link set dev enp1s0 up + + ip addr add ${config.networking.primaryIP4}/28 dev enp1s0 + ip addr add ${config.networking.secondaryIP4}/8 dev enp1s0 + ip route add default via 195.39.246.41 dev enp1s0 onlink + + '' + lib.optionalString config.networking.usePBBUplink '' + ip addr add ${config.networking.primaryIP}/128 dev enp1s0 + ip route add default via 2a0f:4ac0:acab::1 dev enp1s0 onlink + ''; + }; + }; + + systemd.network.networks = { + "40-enp1s0".networkConfig.IPv6AcceptRA = lib.mkIf config.networking.usePBBUplink false; + }; + + networking = { + domain = "home.ctu.cx"; + + useDHCP = false; + nameservers = [ "195.39.246.41" "2a0f:4ac0:acab::1" ]; + + defaultGateway = "195.39.246.41"; + defaultGateway6 = lib.mkIf config.networking.usePBBUplink{ + address = "2a0f:4ac0:acab::1"; + interface = "enp1s0"; + }; + + interfaces.enp1s0 = { + ipv4.addresses = [ + (lib.mkIf config.networking.usePBBUplink { + address = config.networking.primaryIP4; + prefixLength = 28; + }) + { + address = config.networking.secondaryIP4; + prefixLength = 8; + } + ]; + + ipv6.addresses = lib.mkIf config.networking.usePBBUplink [{ + address = config.networking.primaryIP; + prefixLength = 62; + }]; + }; + + firewall.enable = true; + firewall.allowedTCPPorts = [ 5201 ]; + firewall.allowedUDPPorts = [ 5201 51820 ]; + firewall.extraCommands = '' + 
iptables -A nixos-fw -p tcp -s 10.0.0.0/8 -j nixos-fw-accept + iptables -A nixos-fw -p udp -s 10.0.0.0/8 -j nixos-fw-accept + iptables -A nixos-fw -p tcp -s 195.39.246.32/28 -j nixos-fw-accept + iptables -A nixos-fw -p udp -s 195.39.246.32/28 -j nixos-fw-accept + ip6tables -A nixos-fw -p tcp -s 2a0f:4ac0:acab::/48 -j nixos-fw-accept + ip6tables -A nixos-fw -p udp -s 2a0f:4ac0:acab::/48 -j nixos-fw-accept + ''; + }; + + services = { + email-notify.enable = true; + nginx.virtualHosts."${config.networking.fqdn}" = { + enableACME = lib.mkIf (config.networking.usePBBUplink == false) false; + forceSSL = lib.mkIf (config.networking.usePBBUplink == false) false; + kTLS = lib.mkIf (config.networking.usePBBUplink == false) false; + }; + nginx.virtualHosts."restic.${config.networking.hostName}.ctu.cx" = { + enableACME = lib.mkIf (config.networking.usePBBUplink == false) false; + forceSSL = lib.mkIf (config.networking.usePBBUplink == false) false; + kTLS = lib.mkIf (config.networking.usePBBUplink == false) false; + }; + }; + + system.stateVersion = "22.11"; # Did you read the comment? + home-manager.users.leah.home.stateVersion = "22.11"; + +}
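Review bot: `boot.initrd.network.ssh.hostKeys = [ /etc/ssh/ssh_host_rsa_key ];` gives the initrd the machine's regular RSA host key, the same file that impermanence.nix in this commit persists for the running system. The initrd is stored on the unencrypted vfat `/boot` while `/nix` is behind LUKS, so the key that authenticates the host when the passphrase is typed into `cryptsetup-askpass` is readable from the boot partition; the NixOS option documentation warns against reusing regular host keys for this reason. Generate a key used only by the initrd and reference that instead, e.g. `hostKeys = [ "<dedicated-initrd-host-key-path>" ];` (placeholder path). Separately, the `firewall.extraCommands` rules accept every TCP and UDP port from 10.0.0.0/8, 195.39.246.32/28 and 2a0f:4ac0:acab::/48, which makes `allowedTCPPorts` irrelevant for those sources; a comment stating that this is intended, or a narrower source range, would help.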
diff --git a/machines/briefkasten/hardware-configuration.nix b/machines/briefkasten/hardware-configuration.nix @@ -0,0 +1,45 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "r8169" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = [ "size=10G" "mode=755" ]; + }; + + fileSystems."/home/leah" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = [ "size=2G" "mode=777" ]; + }; + + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/96c415eb-b423-4621-b170-ba1b4380dede"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/56D5-115E"; + fsType = "vfat"; + }; + + boot.initrd.luks.devices."nix-store".device = "/dev/disk/by-uuid/d1e0568c-042a-4e76-8901-30bcb9fb8efb"; + + + swapDevices = [ ]; + + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +}
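Review bot: The tmpfs for `/home/leah` is mounted with `mode=777`, which leaves the root of the home directory writable by every local user and service account, with no sticky bit. A tmpfs root is owned by root unless told otherwise, so the permissive mode is presumably there to let leah write to it; mounting it owned by the user achieves that without opening it up, e.g. `options = [ "size=2G" "mode=700" "uid=<leah-uid>" "gid=<leah-gid>" ];` with the placeholders replaced by the account's numeric ids. The file header says it is generated by nixos-generate-config and may be overwritten, so these hand-written tmpfs entries may belong in configuration.nix instead.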
diff --git a/machines/briefkasten/impermanence.nix b/machines/briefkasten/impermanence.nix @@ -0,0 +1,51 @@ +{ inputs, config, lib, pkgs, ... }: + +{ + + imports = [ + inputs.impermanence.nixosModules.impermanence + ]; + + services.syncthing = { + dataDir = "/nix/persist/home/leah/syncthing"; + configDir = "/nix/persist/home/leah/.config/syncthing"; + }; + + age.identityPaths = [ + "/nix/persist/etc/ssh/ssh_host_ed25519_key" + ]; + + environment.persistence."/nix/persist" = { + directories = [ + "/var/log" + "/var/lib" + ]; + files = [ + "/etc/machine-id" + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + ]; + }; + + programs.fuse.userAllowOther = true; + + home-manager.users.leah = { + imports = [ + inputs.impermanence.nixosModules.home-manager.impermanence + ]; + + home.persistence."/nix/persist/home/leah" = { + allowOther = true; + directories = [ + "syncthing" + ]; + files = [ + ".bash_history" + ".local/share/mcfly/history.db" + ]; + }; + }; + +}+ \ No newline at end of file
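Review bot: `age.identityPaths` points at `/nix/persist/etc/ssh/ssh_host_ed25519_key` rather than the `/etc/ssh/ssh_host_ed25519_key` path that `environment.persistence` maps a few lines below, and nothing says why. If, as is usual in impermanence setups, this is because secrets are decrypted during activation before the persisted files are in place, a comment such as `# agenix runs before /etc/ssh is populated from /nix/persist, so read the key from its persistent location` would stop a later cleanup from breaking decryption at boot. `programs.fuse.userAllowOther = true` together with `allowOther = true` also deserves a one-line comment naming which other user needs to reach leah's persisted directories, since it appears to widen access beyond the owner.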
diff --git a/machines/trabbi/configuration.nix b/machines/trabbi/configuration.nix @@ -31,6 +31,7 @@ age.secrets.restic-server-lollo.file = ../../secrets/restic-server/lollo.age; dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP); + age.secrets.restic-server-briefkasten.file = ../../secrets/restic-server/briefkasten.age; age.secrets.restic-server-wanderduene.file = ../../secrets/restic-server/wanderduene.age; boot = {
diff --git a/secrets/briefkasten/restic-server-htpasswd.age b/secrets/briefkasten/restic-server-htpasswd.age @@ -0,0 +1,11 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBja1ZsTWVOS1JabExRMDBn +MWVBM1V3RlJJdzRrR3NUQ1JzUGF1VGlPQVZJCituOXgrMU03djQxM2wvWklxVVg0 +ZzhCOS9CYzlldXpROXFQKzNBdXpqSlUKLT4gc3NoLWVkMjU1MTkgNGhLQ013IFBo +SHJzUy9SNFplaFYyU29jR2RXelpRWHgrZTFxMUY4WUNzUXB6VTE1MzAKdUZkSUZr +YjN5UW50RG5oOE4wblh4Z2kxdm9UL0VBUEIyVVdQclpqdTRBNAotPiB2Kl82Oi1n +cmVhc2UgY2k5YkFKXyBBVmBPSSB7YGsKSE1JYUEvQXhUaWtSbzJ0dVVxM3RkQQot +LS0gTUU2OG93R2U3aCtPVUpQbXBBalBtYURxQWhpM0FFVy9ZdVJBazZrY2huZwqn +bP7yOAnY0m66FOtNEcGgu1ctvbdL8H7CUr2menDObUxUHB5R7+IN4xShFUg6ZwEd +t201uSZc6C1dZ/VESagLyWpsohdbgI1Iiw== +-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/passwords/leah-at-f2k1-de.age b/secrets/passwords/leah-at-f2k1-de.age 
@@ -1,17 +1,16 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1ZEhEajRIbDBQd0p4eEww -eHBuUDJGM3lKUlJ2OU1hMWVaS3F4NGNCaGtNClFaZVp2Yi9ZUHByN2I1NGxhSit5 -MzlrVitmZHlsaDdJS252ZUJzMXZBRWMKLT4gc3NoLWVkMjU1MTkgVjB1VXJ3IFE5 -VExZMUhkZGxkd1ZKWCtjSjRnVlBKdFZrRlNROVhFTTNsVmZqcHk1bXMKdW44NlI2 -SnBpS2xKcUJHeFdXaTJQWnNKa2RSa0x2MVpSaTIvUk5DZXRLMAotPiBzc2gtZWQy -NTUxOSAxcmNjS3cgbytQRisrdktKN2t2bS9RdkVHR1hFMDliOXRFV0liYzRqOVla -cHAxak0zVQpFbElmQ2pjTnJETkJCK1NnSk1ibU1zOTd0UkRLTUVYMU1uUEc2Wjlr -QlI0Ci0+IHNzaC1lZDI1NTE5IDJMdW9aZyBmOHd2cXVjeUZVdUpIVWI3eFVxRUoz -ejA0MUZVaGdJSzdJK0FRMUlyQ1R3CjlFYkc3TGlnVXJqVFYvS0Y4QkFnekNUN1ZR -a1lVY2M4cFU5UVdoTmIrK28KLT4gc3NoLWVkMjU1MTkgc2g4UE9RIE5yNlpxUHRO -YUlOd0djSTlERnIrWUFqekRhbXA5eUVYeUNTZXdTZ3BjaVEKT29oMWNUM0dlOHNk -SWZnMWo5V2EweUpTSTZOMFpNKzNlV1U5RmlVeUE0MAotPiB4LUtBVlBefC1ncmVh -c2UKTllvCi0tLSBBL256UFFsYlZKdEhsazY3RjhUekVjakYvY0c5UnY5eVU2Q09R -T0JUd0dzCsO1q9E/VU6Y9OshhNuGsEZFK4yq/XuMNJm0pxMBCPO6WZ8VBtu5G5eS -K3epelPSMn8= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmazcxQUp2NlBnWk9qa3g5 +RjdYU3NBU1RRZjZlci9UVkQ3MGFnQlZJZURRCk5tbTRVa25ZdFhTenpsb3NKcDIz +dnJmQ21Oeks1MkJaMEJkUFgxRVJnYVUKLT4gc3NoLWVkMjU1MTkgVjB1VXJ3IG5h +cFRScXVSUDFmcVdTeTZTbldiQ0gzcnBoV1hpV2tNeTdscFRaUFFTaUEKaTNhZ0tl +ckZuQ1RYNGVMS0JRcC9JNmEraXhCOWtTQzd0Y28yNGNaRUlQRQotPiBzc2gtZWQy +NTUxOSA0aEtDTXcgemNBMVdkd2x2dmZEYmdZZThRczkxMllCckhHNS9ObDV3KzRn +TUtoYUZ5cwo4Vi9oZkU4QzFadWhBN3VlWE1oZWEyd3p4a1hMTnhoTkN6Sjc4NnZs +UHJ3Ci0+IHNzaC1lZDI1NTE5IHNoOFBPUSBBOHRkaUdmUFBhbnk3Q3R5V2l3bHU0 +YUlpRnExTVdCaDh5ZHorcS9qSXl3CnBWU3RFV0Q3WjluUXl4bDNmMHpJNldCaEdF +WmwxanBTb1dBNjRaTUhJVTAKLT4gTGJ5KS1ncmVhc2UgRS9+ZCBKLENScHcgTmNA +IC9bPmZICkxZNzhIeTI2dWJMVVpIZHVMNmdBZ2FCaHQyMHR6OGJQMm9lUG40VjRx +TmRJTDFQUWhZSmZxMk9jazZwY2t2MGkKQkVvCi0tLSAxNzFzQnJFa0NqdGNRL1B1 +ZktTT3YzckVmeUlMT2UvYzJ2QTIwYnhWOCtBCmAutLM8zpZ2B2utUq2D2A7NX2W0 +bHS5maw752QURlCtxXWQosCl9pZ1imOptMTWo64= -----END AGE ENCRYPTED FILE-----
diff --git a/secrets/passwords/leah.age b/secrets/passwords/leah.age 
@@ -1,20 +1,19 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUFFHc3VBTFQ5a0FLdE5H -UXF1UGVCNU5rNVZkdlpRb2luNEp5ZjhPa0J3CkpKcmFYSXUrWm8xcjBhdVlsdm55 -UXJlTnQyN0pjU2Y0elRIWWM4VzNqQWcKLT4gc3NoLWVkMjU1MTkgVjB1VXJ3IFBw -NmVFckVobHdZYjlUR2hncGZ5YjV0d1d0emRzWkJCdk40a1JUWnlPMUEKcXAyUkdU -Y2VPMi9qaWUxREVRUHRFVGxMT2NjTzNPR3VDdW1BVmNlVjd2YwotPiBzc2gtZWQy -NTUxOSAxcmNjS3cgQkp1dHZ4NjkxOTFpNkZ1Y0FRWlNqZ2dhdTdudkVJdnVVb1o0 -Z2J2WGZtMApOZEJYdnFkMkhXRE0zL1M2c1d2eXJiYXEyVGJXT3k4TW5QN0VHeG9H -L3VNCi0+IHNzaC1lZDI1NTE5IDJMdW9aZyBVM2RaOWlwRzV6bENubnlXakd6dk5r -OHN5REQ3NjFNaGQvOURHaWlSaGw4CmRXSFk0cm1IY0Nwby8wamN1YndGa3VNbUcz -ZTlMNUx4RXZ3Y3NxeHFNUDgKLT4gc3NoLWVkMjU1MTkgc2g4UE9RIFI1VFhOa2lX -VlFIN1l0dk9paVBNK0c2M2hjbFh6eTdnSTh6dU1xcytNWDAKc2lBWm1tOHBqaGVz -L2hUcy9oQkRxTVMzUFF4blp6am50Rlp5Vzlia3NiQQotPiAyVGo/KkEtZ3JlYXNl -CkxyVE1nS3ZOUlowYzUwWmRhc3JGZVNnOGl3Znk1OVhlUmhLRzBSNDk3QVJEVDFJ -RVBUYkRoUTVPWTIwS2ZQYksKZ3pBOHJJNGhMQ1RyN0xCK3hRQit4bEdvQTJNWmtB -Ci0tLSBxMHEzVXd1M2JVcC9EdzBZSkN0ZXZhaWIrZUJRMjN5b2lFUEc5WXBJVGow -Cu1xYcBI0yTFRst80egA3iC3qrgh2Gy8USAFr3Dt6+fywAv5H77Af8cb/h7Ylqq2 -XB0ME+ksOYDxx384G6eYy/wUN8lz96M3QwnzDWdZZfUvOla6veR/U0bLioYsEXRi -NeOA/AW6vS8S3oNShWcmw9hzubnSJZK7Cb4bsU4AN7JmXdvr/l2rOoHnyw== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3cTVUK04wM01sYWhkNTN5 +UWpvOXdvN3EvMHlNdXV2L2xHbmNYNm9iWGhzCmd6MGZCb3BrOStmeUxJZU9PT3Fs +azZ2TXhDK3JxTm1MM3ZFOEdFb0VKakkKLT4gc3NoLWVkMjU1MTkgVjB1VXJ3IHhM +RUFLT0xKSkQzTFVLYlpQRzN5UURMZThFR3c5cCtGekU3c3hINm5reW8KTXNVb2x5 +azNNSnBFRFBVZFJ0TVRYc3pQTVFFbEI3VzhvMmRxYVFoWEZpRQotPiBzc2gtZWQy +NTUxOSA0aEtDTXcgRGQ2cHR4cUFFaXY5a2lYcXJaTms3T3Z5emRTUHhSUlhSQWpY +RWdHOU5GWQpJcTBNN0FJSW9rYlhoNEpDWit4emZMTTcwNmlrYm1kdW53dkFuYkVk +Z3Q4Ci0+IHNzaC1lZDI1NTE5IHNoOFBPUSBCWDNtc0RPbnQzYm16SVF0ZmZlYVdK +eE5ZUmhMU3VsMWR6VlVadzUvbGcwCllNRDJVTEVJbGxMdmx0VjZWM0lUandEbEps +KzFPYXQ1QVcwZXRqcVVEOEUKLT4gc3NoLWVkMjU1MTkgbTNIanVnIFh0djV1ZnVC +ZjZtTE1XRlVKWXFCak9rUkNWK3dydHZJVlhuVGpYVEF6a2sKWHFvbXYvb3FrS2tz 
+NHRJK3ByYSt1Z0MxWGo1dWpqWitQRzFWL1VmVmRkSQotPiBsLXBceC9ALWdyZWFz +ZSBqJy5rbih3bwpxcisrNDladEpBCi0tLSBES0RPZnoxN01QS0N3YWZWcHRFR21K +bVI3MjNYc1lVTDBiam5YTDFQeWNzCnVoWbEmrnbOwZ41Lu+kL/XXSBmqs4E74sHk +nELMrbwI0L80vS0u0PIKjEU7IG6ln33ogXC6ATkOZLfBCATvQ5hXef/yEfLMLNdc +ifXEPQeabXXkSeBWCCSIY/bzjdqszChAMN+SfKxeA8zt2U7lNbzZWYC0tM/J5ngU +0O++aD5uAhy3YWVALqJpkg== -----END AGE ENCRYPTED FILE-----
diff --git a/secrets/restic-server/briefkasten.age b/secrets/restic-server/briefkasten.age @@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNM1dHT1gweG1mRFl5SmV6 +VjJrUmRZanVreS9CWkROVWVOTGJDdVRSSUI0CmpJUEJtUlNBWGsrZXY5M0I4WkpK +M2lBOEg2WHJWWGo2ME5LOXhLZDdqNm8KLT4gc3NoLWVkMjU1MTkgVjB1VXJ3IDRs +WDVYcStCZ3NJRWptbm9qN3lwaWZyL1NjVlNObCtqaWtVTGhndit2RmsKVXdPeEF3 +Sks0Nmo3YWY0YURSUXJTQkpQenVBUDVRWDhDRDlMOGZiQno3WQotPiBzc2gtZWQy +NTUxOSA0aEtDTXcgTzFvei8yamsvQ0xxeWM5N0xtaTR0ckJWYVlaR0ZsaUR5RnJN +ZXNNWmlFSQpjaWFZUzIxSDlmOGVzaEptc0pjQk1TdlJhdWFFT21yYmk4bFZvRDRB +aVBjCi0+ICsuV1QtZ3JlYXNlIDhLeWxjMSBbbD5QVApTZEpwYWlnUXRHK3lTczI4 +aC9MWEpheHRORnFaTS8vNGszSW0yNU15UUYvMWxEempTdwotLS0gbXVScjNhZTJB +eDMrVUhqY0k1dG8wWVArOE96NnhQN1llZVQvL0RUYjQvQQpvwkzm9IsSLl0eel0s +Cd7KiBrODPG0iLYuTInAf5zaKD7Bg1INCO65MjCzLrQoRfAXjFprY6VCHYI= +-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/restic-server/wanderduene.age b/secrets/restic-server/wanderduene.age @@ -1,18 +1,15 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3U3pQR3UxL3FtRDdCVHpX -VFhoQjRNVVB0NTIrOFIyTEs2SExKaGtObVNzCjRucmdhRy9VRHF3aTMwUDZqbjBQ -TWN5dElxS3RCMXVtUHN6alI2T1BlTXMKLT4gc3NoLWVkMjU1MTkgVjB1VXJ3IDVt -UGgwNEJtUjgvU0JoVlEveU9Pb2FMRThSVjJOdDh5Q1NmVmFLMDR2RFEKV2tESjJi -NjBzbFcra0pvUWFRcDhyQWc5TklZNFBCcURvMEdTKy9ac1REMAotPiBzc2gtZWQy -NTUxOSAxcmNjS3cganMvdVBvekRQdlBSbDQwUnhubmVUUHhndXU1VWd1RDRUZVYw -cWJaazRSUQowcXd4VGdtODlwZW5ROWJsdFpRS09TTlY1Zi9NbmQ0U3Zkek44Nmlr -R2JnCi0+IHNzaC1lZDI1NTE5IDJMdW9aZyB4SFBnU2dqRWsxVVloN2JoZWkyZHdF -azl4OU5zcUVRazdGUVdSdXNyR3pZClRtQmU0TUxDK1A3Rmx5Y2RHWnJISmNMZHlx -Z0ZLWVlhNGlObzhwcHlvdXMKLT4gbC1sK2ZZLWdyZWFzZSBXNkwgYjU7cCdFMiAo -OWFPIC55LGsKZ3ZCUkhUaXB0MldHUDgrVWRFMDlsdkF5RlBWeVlXaEtNa2dKUmRU -WEtWSTFpSEx1aFlNYkR4blBEb1ZsTkNTVApqWXFtWkRZZnc1Wi93REpIQS85ckNR -Ci0tLSArV1pjclEyMVY1TGl4Qy92N1JsZVVzMTVwc3ZtTkQvbDNGbFB3SE5JY2Fv -Cr0rL1jlrwjpc9/NfHdc/pMCvAsnHdClASWagoRRJggUXtBMWl3QrLF6BJVV8FrG -DFxR6x/Lk6dGpd39CvIsKGgbrueDV42xYGgQqv0D5uf03yemKxhupqjgJNAwcNRM -bg== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPZnA5RzFTTHp6T0kzY0pR +eFIyN3Zha25HMG5aVXNJY3FWUU9OblMrb1RRCjZNTEdQc2JUWWxlNDlzOG9YUDJK +aFN3WGRpZC9kMmJJY1M2K0xjTkdjYjAKLT4gc3NoLWVkMjU1MTkgVjB1VXJ3IGxx +dWlWSVRZU2h4QmZDWlhSQkNhNTg1OTNGek5VSXdtK1YzdjA3bGpMekkKVEl5NnlE +bVhaN1dYRkJPUENpa1c3SDJRRzBiZ3FKUHhraXRqaEFsampKOAotPiBzc2gtZWQy +NTUxOSA0aEtDTXcgTGNITk5BTFBLeTZwVmZNUDgyYXY4aEZJQlFiT1pYWkxSL2Vj +S0gyaXdTNApiSnpMZVRyOVpXeU1PTElGNHRwTWhvZ3htYWd0Y1RycmpEb21yTUwr +UitBCi0+IEdHRS1ncmVhc2UKTTVSazFPcng0RnhWSWEyQkYwbkxzRm9uY0NoeFVo +clk3WWxRNmo5V3RGcTFzdzUyK3d5MVB2MHJjT0JTUC90KwpFeDBmUzVJYkZYdG5l +MjQKLS0tIGx4alBhODlwYUQyZEJITjBYOGJoSnBGUThSZEQ3VjRmdGdLY3dTOUZC +ZDgKawoqDvtdWdWR3S/NiMCZV65b47hI9v6HeRUGdH8gRYBP2Il70llY3pNHQy7a +YNoVLxxWy5X8SUpWjUuZNGU+KJxNDX8grT+VzoKMabJfwuEDvddTddYXocgrH1NK +XzhW -----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix @@ -6,17 +6,19 @@ let #servers lollo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9YnaIwC5gjlp/ETI6lmpwCYfstnX+DZEt0ZDhQKuwM"; lollo-old = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNCdn6aHCgxG1tq5f0XPvQ+lIgsQ/3gzT6FNvokOIgX"; + briefkasten = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8mi9ZKPdhn20g9gyxE7NYBq/vAKemW4lhaQlLw5QVc"; trabbi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLBBZJ9/644d71E8A7IFU7dvDHI+OR/7q79KvqmI/i/"; wanderduene = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+HWYkFCmuHR8HeExYXc2L9CxRdvYZ1UCkbbeDCvF0u"; in { - "passwords/leah-at-f2k1-de.age".publicKeys = [ leah trabbi lollo lollo-old wanderduene ]; - "passwords/leah.age".publicKeys = [ leah trabbi lollo lollo-old wanderduene ]; + "passwords/leah-at-f2k1-de.age".publicKeys = [ leah trabbi lollo lollo-old briefkasten wanderduene ]; + "passwords/leah.age".publicKeys = [ leah trabbi lollo lollo-old briefkasten wanderduene ]; "restic-server/lollo.age".publicKeys = [ leah trabbi lollo lollo-old ]; - "restic-server/wanderduene.age".publicKeys = [ leah trabbi lollo lollo-old ]; + "restic-server/briefkasten.age".publicKeys = [ leah trabbi briefkasten ]; + "restic-server/wanderduene.age".publicKeys = [ leah trabbi lollo lollo-old briefkasten ]; "blechkasten/syncthing/key.age".publicKeys = [ leah blechkasten ]; @@ -64,6 +66,7 @@ in { "lollo/restic/syncthing-blechelse.age".publicKeys = [ leah lollo ]; "lollo/restic/syncthing-cutieshare.age".publicKeys = [ leah lollo ]; "lollo/restic/syncthing-wiki.age".publicKeys = [ leah lollo ]; + "briefkasten/restic-server-htpasswd.age".publicKeys = [ leah briefkasten ]; "lollo/solar-nrw/vpn-secrets.age".publicKeys = [ leah lollo ]; "lollo/solar-nrw/solax2mqtt.age".publicKeys = [ leah lollo ];
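Review bot: `lollo-old` stays in the recipient lists of `passwords/leah-at-f2k1-de.age`, `passwords/leah.age` and `restic-server/wanderduene.age` on the rewritten lines of the first hunk, although its import is commented out in hive.nix. These three files are re-encrypted in this commit anyway, so if that machine is retired this is the cheap moment to drop its key, e.g. `"passwords/leah.age".publicKeys = [ leah trabbi lollo briefkasten wanderduene ];`; older ciphertexts in git history stay decryptable by that key, so the secrets themselves would need rotating for the removal to matter. In the second hunk, `briefkasten/restic-server-htpasswd.age` is inserted between the `lollo/restic/*` and `lollo/solar-nrw/*` entries; giving it its own per-machine group would keep the file scannable. The `let` block and the attribute set both continue outside the hunks.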