From b48fa4e3832d54fc3627e8414d1d9b96c8a20551 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Sun, 30 Jul 2023 19:41:51 +0200
Subject: [PATCH] configured backups
---
 flake.lock | 24 ++++-----
 hosts/falkenstein-1/default.nix | 1 +
 .../falkenstein-1/modules/backup/default.nix | 32 +++++++++++
 hosts/falkenstein-1/modules/mail/default.nix | 1 -
 .../modules/networks/default.nix | 49 ++++++++++++++++-
 hosts/falkenstein-1/modules/nginx/default.nix | 1 +
 hosts/nuc/default.nix | 2 +
 hosts/nuc/modules/backup/default.nix | 54 +++++++++----------
 hosts/nuc/modules/nextcloud/default.nix | 17 ++----
 hosts/thinkpad/default.nix | 2 +-
 hosts/thinkpad/modules/backup/default.nix | 41 ++++++++++++++
 hosts/thinkpad/modules/snapper/default.nix | 19 -------
 .../modules/virtualisation/default.nix | 2 +-
 hosts/vm/default.nix | 2 +-
 keys/ssh/root-falkenstein | 1 +
 pkgs/adguardian-term/default.nix | 1 +
 pkgs/crowdsec-firewall-bouncer/default.nix | 2 +-
 secrets/falkenstein-1.yaml | 11 +++-
 secrets/nuc.yaml | 7 ++-
 secrets/rouven.yaml | 8 ++-
 secrets/thinkpad.yaml | 7 ++-
 shared/activation.nix | 8 +--
 shared/zsh.nix | 10 +++-
 users/rouven/modules/packages.nix | 1 -
 users/rouven/modules/ssh/default.nix | 6 ++-
 25 files changed, 217 insertions(+), 92 deletions(-)
 create mode 100644 hosts/falkenstein-1/modules/backup/default.nix
 create mode 100644 hosts/thinkpad/modules/backup/default.nix
 delete mode 100644 hosts/thinkpad/modules/snapper/default.nix
 create mode 100644 keys/ssh/root-falkenstein
diff --git a/flake.lock b/flake.lock
index 62bf4fb..8805b40 100644
--- a/flake.lock
+++ b/flake.lock
@@ -171,11 +171,11 @@ ] }, "locked": { - "lastModified": 1690476848, - "narHash": "sha256-PSmzyuEbMxEn2uwwLYUN2l1psoJXb7jm/kfHD12Sq0k=", + "lastModified": 1690652600, + "narHash": "sha256-Dy09g7mezToVwtFPyY25fAx1hzqNXv73/QmY5/qyR44=", "owner": "nix-community", "repo": "home-manager", - "rev": "8d243f7da13d6ee32f722a3f1afeced150b6d4da", + "rev": "f58889c07efa8e1328fdf93dc1796ec2a5c47f38", "type": "github" }, "original": { @@ -272,11 +272,11 @@ ] }, "locked": { - "lastModified": 1690083300, - "narHash": "sha256-xnUtWO/5TuuHkIpmzMXGvHJqS06FSVADnAZ4bvqO4Zo=", + "lastModified": 1690687539, + "narHash": "sha256-Lnwz9XKtshm+5OeWqCbj/3tKuKK+DL5tUTdKSRrKBlY=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "c1e6fc40dd5c0d16940bc012421268b94e404b0b", + "rev": "d74b8171153ae35d7d323a9b1ad6c4cf7a995591", "type": "github" }, "original": { @@ -287,11 +287,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1690200740, - "narHash": "sha256-aRkEXGmCbAGcvDcdh/HB3YN+EvoPoxmJMOaqRZmf6vM=", + "lastModified": 1690704397, + "narHash": "sha256-sgIWjcz0e+x87xlKg324VtHgH55J5rIuFF0ZWRDvQoE=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "ba9650b14e83b365fb9e731f7d7c803f22d2aecf", + "rev": "96e5a0a0e8568c998135ea05575a9ed2c87f5492", "type": "github" }, "original": { @@ -301,11 +301,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1690272529, - "narHash": "sha256-MakzcKXEdv/I4qJUtq/k/eG+rVmyOZLnYNC2w1mB59Y=", + "lastModified": 1690548937, + "narHash": "sha256-x3ZOPGLvtC0/+iFAg9Kvqm/8hTAIkGjc634SqtgaXTA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ef99fa5c5ed624460217c31ac4271cfb5cb2502c", + "rev": "2a9d660ff0f7ffde9d73be328ee6e6f10ef66b28", "type": "github" }, "original": { diff --git a/hosts/falkenstein-1/default.nix b/hosts/falkenstein-1/default.nix index a5fe3b1..55923cb 100644 --- a/hosts/falkenstein-1/default.nix +++ b/hosts/falkenstein-1/default.nix 
@@ -5,6 +5,7 @@ [ # Include the results of the hardware scan. ./hardware-configuration.nix + ./modules/backup ./modules/crowdsec ./modules/mail ./modules/networks diff --git a/hosts/falkenstein-1/modules/backup/default.nix b/hosts/falkenstein-1/modules/backup/default.nix new file mode 100644 index 0000000..8767ad9 --- /dev/null +++ b/hosts/falkenstein-1/modules/backup/default.nix @@ -0,0 +1,32 @@ +{ config, pkgs, ... }: +{ + sops.secrets."borg/passphrase" = { }; + environment.systemPackages = [ pkgs.borgbackup ]; + services.borgmatic = { + enable = true; + settings = { + location = { + source_directories = [ + "/var/lib" + "/var/log" + "/etc/crowdsec" + "/root" + ]; + + repositories = [ + "ssh://root@192.168.10.2/mnt/backup/falkenstein" + ]; + }; + storage = { + encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/passphrase".path}"; + compression = "lz4"; + }; + retention = { + keep_daily = 7; + keep_weekly = 4; + keep_monthly = 12; + keep_yearly = 3; + }; + }; + }; +} diff --git a/hosts/falkenstein-1/modules/mail/default.nix b/hosts/falkenstein-1/modules/mail/default.nix index d08f0ba..d0154a4 100644 --- a/hosts/falkenstein-1/modules/mail/default.nix +++ b/hosts/falkenstein-1/modules/mail/default.nix @@ -3,7 +3,6 @@ let domain = "rfive.de"; hostname = "falkenstein.vpn.${domain}"; - rspamd-domain = "rspamd.${domain}"; in { networking.firewall.allowedTCPPorts = [ diff --git a/hosts/falkenstein-1/modules/networks/default.nix b/hosts/falkenstein-1/modules/networks/default.nix index 2ea9447..3d9958e 100644 --- a/hosts/falkenstein-1/modules/networks/default.nix +++ b/hosts/falkenstein-1/modules/networks/default.nix @@ -1,5 +1,13 @@ -{ ... }: +{ config, ... }: { + sops.secrets = { + "wireguard/dorm/private" = { + owner = config.users.users.systemd-network.name; + }; + "wireguard/dorm/preshared" = { + owner = config.users.users.systemd-network.name; + }; + }; networking = { hostName = "falkenstein-1"; useNetworkd = true; 
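Review bot: The repository `ssh://root@192.168.10.2/mnt/backup/falkenstein` in the new falkenstein backup module is reached from a non-interactive root service, so the nuc's SSH host key has to be pinned ahead of time or the first run fails on the host-key prompt, and the tempting workaround of disabling strict host-key checking would leave the backup stream with no server authentication at all. Pin it declaratively, e.g. `programs.ssh.knownHosts."192.168.10.2".publicKey = "<nuc host key - placeholder>";`, or point `storage.ssh_command` at a dedicated known_hosts file. Note also that `/root` is in source_directories, so the client key that authenticates to the backup server (presumably kept under /root/.ssh) is itself captured in every archive; exclude it if that is not intended.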
@@ -20,5 +28,44 @@ Gateway = "fe80::1"; }; }; + + netdevs."30-dorm" = { + netdevConfig = { + Kind = "wireguard"; + Name = "dorm"; + Description = "WireGuard to my Dorm Infra"; + }; + wireguardConfig = { + PrivateKeyFile = config.sops.secrets."wireguard/dorm/private".path; + ListenPort = 51820; + }; + wireguardPeers = [ + { + wireguardPeerConfig = { + PublicKey = "vUmworuJFHjB4KUdkucQ+nzqO2ysARLomq4UuK1n430="; + PresharedKeyFile = config.sops.secrets."wireguard/dorm/preshared".path; + Endpoint = "dorm.vpn.rfive.de:51820"; + AllowedIPs = "10.10.10.0/24, 192.168.10.0/24"; + }; + } + ]; + }; + networks."30-dorm" = { + matchConfig.Name = "dorm"; + networkConfig = { + DNS = "192.168.10.1"; + }; + addresses = [ + { + addressConfig = { + Address = "10.10.10.4/24"; + RouteMetric = 30; + }; + } + ]; + routes = [ + { routeConfig = { Gateway = "0.0.0.0"; Destination = "192.168.10.0/24"; Metric = 30; }; } + ]; + }; }; } diff --git a/hosts/falkenstein-1/modules/nginx/default.nix b/hosts/falkenstein-1/modules/nginx/default.nix index 7874a85..5a69f15 100644 --- a/hosts/falkenstein-1/modules/nginx/default.nix +++ b/hosts/falkenstein-1/modules/nginx/default.nix @@ -11,6 +11,7 @@ virtualHosts."rfive.de" = { enableACME = true; forceSSL = true; + root = "/srv/web/rfive.de"; }; }; security.acme = { diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix index f408ebd..aa421b7 100644 --- a/hosts/nuc/default.nix +++ b/hosts/nuc/default.nix @@ -35,6 +35,7 @@ directories = [ "/etc/ssh" "/root/.local/share/zsh" + "/root/.config/borg/security" ]; files = [ "/etc/machine-id" @@ -83,6 +84,7 @@ ../../keys/ssh/rouven-thinkpad ../../keys/ssh/root-thinkpad ../../keys/ssh/rouven-pixel + ../../keys/ssh/root-falkenstein ]; system.stateVersion = "22.11"; diff --git a/hosts/nuc/modules/backup/default.nix b/hosts/nuc/modules/backup/default.nix index 741b51a..8fb0e1c 100644 --- a/hosts/nuc/modules/backup/default.nix +++ b/hosts/nuc/modules/backup/default.nix 
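Review bot: `DNS = "192.168.10.1"` on the `30-dorm` link is declared without a `Domains=` scope, so with systemd-resolved every lookup on this public host may also be sent to the dorm resolver over the tunnel, not only names of the internal zone. If the intent is split-horizon resolution for the dorm network, add `Domains = "~<internal-zone>";` (placeholder zone) to `networkConfig` so the server is used as a routing-domain resolver; if the intent is to use it for everything, resolution on falkenstein-1 now has an availability dependency on the tunnel. The `ListenPort = 51820` is not matched by a firewall opening anywhere in this commit, which is fine as long as this side always initiates to the `Endpoint`; the enclosing `networking` block starts outside the hunk.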
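Review bot: `../../keys/ssh/root-falkenstein` gives the internet-facing falkenstein-1 host an unrestricted root login on the nuc, although all it needs (per its new borgmatic repository `ssh://root@192.168.10.2/mnt/backup/falkenstein`) is to push into one borg repository; a compromise of the public host would therefore yield root on the nuc and the ability to wipe every host's backups. Restrict the key where it is defined, in keys/ssh/root-falkenstein, by prefixing the line with `command="borg serve --restrict-to-path /mnt/backup/falkenstein --append-only",restrict ` — this presumes the list feeds `authorizedKeys.keyFiles`, whose entries accept authorized_keys options; the enclosing option begins outside the hunk. With `--append-only` the client's own prune can no longer free space, so the retention in the borgmatic config would have to be applied from the nuc side.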
@@ -1,37 +1,35 @@ +{ config, pkgs, ... }: { + sops.secrets."borg/passphrase" = { }; + environment.systemPackages = [ pkgs.borgbackup ]; fileSystems."/mnt/backup" = { - device = "/dev/disk/by-uuid/f6905cdb-c130-465a-90a3-93997023b5d3 "; - fsType = "btrfs"; - options = [ "compress=zstd" "noatime" "nofail" ]; + device = "dev/disk/by-uuid/74e78699-fe27-4467-a9bb-99fc6e8d52c5"; + fsType = "ext4"; + options = [ "nofail" ]; neededForBoot = false; }; + services.borgmatic = { + enable = true; + settings = { + location.source_directories = [ + "/var/lib" + "/var/log" + "/nix/persist" + ]; + location.repositories = [ + "/mnt/backup/nuc" + ]; + storage = { + encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/passphrase".path}"; + compression = "lz4"; + }; + retention = { + keep_daily = 7; + keep_weekly = 4; + keep_monthly = 12; + keep_yearly = 3; - fileSystems."/mnt/pool" = - { - device = "/dev/disk/by-uuid/16b0bd14-1b07-477d-a20d-982f9467f6df"; - fsType = "btrfs"; - options = [ "compress=zstd" "noatime" ]; - }; - - services.btrbk = { - instances."nuc-to-disk".settings = { - snapshot_preserve = "14d"; - snapshot_preserve_min = "2d"; - target_preserve = "30d 4w 12m"; - target_preserve_min = "2d"; - volume = { - "/mnt/pool" = { - subvolume = { - log = { - snapshot_create = "always"; - }; - lib = { - snapshot_create = "always"; - }; - }; - target = "/mnt/backup/nuc"; - }; }; }; }; diff --git a/hosts/nuc/modules/nextcloud/default.nix b/hosts/nuc/modules/nextcloud/default.nix index 9b042af..46efe10 100644 --- a/hosts/nuc/modules/nextcloud/default.nix +++ b/hosts/nuc/modules/nextcloud/default.nix @@ -11,19 +11,6 @@ in }; services = { - postgresql = { - enable = true; - ensureUsers = [ - { - name = "nextcloud"; - ensurePermissions = { - "DATABASE nextcloud" = "ALL PRIVILEGES"; - }; - } - ]; - ensureDatabases = [ "nextcloud" ]; - }; - nextcloud = { enable = true; package = pkgs.nextcloud27; # Use current latest nextcloud package 
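Review bot: `device = "dev/disk/by-uuid/74e78699-fe27-4467-a9bb-99fc6e8d52c5"` is missing its leading slash, so the mount unit cannot resolve the device and, because of `nofail`, boot continues with `/mnt/backup` as an empty directory on the root filesystem; the borgmatic repository `/mnt/backup/nuc` then either fails to open or, if someone initialises it, silently lands on the wrong disk. It should read `device = "/dev/disk/by-uuid/74e78699-fe27-4467-a9bb-99fc6e8d52c5";`. The removed line carried a stray trailing space inside the quotes for the same option, so this field deserves a careful look whenever it is edited; the closing of the module may extend past the hunk.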
@@ -56,4 +43,8 @@ in requires = [ "postgresql.service" ]; after = [ "postgresql.service" ]; }; + systemd.services."nextcloud-cron" = { + requires = [ "postgresql.service" ]; + after = [ "postgresql.service" ]; + }; } diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix index 5070705..de4260e 100755 --- a/hosts/thinkpad/default.nix +++ b/hosts/thinkpad/default.nix @@ -4,10 +4,10 @@ imports = [ ./hardware-configuration.nix + ./modules/backup ./modules/networks ./modules/greetd ./modules/virtualisation - ./modules/snapper ]; # Use the systemd-boot EFI boot loader. diff --git a/hosts/thinkpad/modules/backup/default.nix b/hosts/thinkpad/modules/backup/default.nix new file mode 100644 index 0000000..0820960 --- /dev/null +++ b/hosts/thinkpad/modules/backup/default.nix @@ -0,0 +1,41 @@ +{ config, pkgs, ... }: +{ + sops.secrets."borg/passphrase" = { }; + environment.systemPackages = [ pkgs.borgbackup ]; + services.borgmatic = { + enable = true; + settings = { + location = { + source_directories = [ + "/var/lib" + "/var/log" + "/nix/persist" + "/home" + ]; + + repositories = [ + "ssh://root@192.168.10.2/mnt/backup/thinkpad" + ]; + exclude_patterns = [ + "/home/*/.cache" + "/home/*/.zcomp*" + "/home/*/.zcomp*" + "/home/*/.local/share/Steam" + "/home/*/.local/share/Trash" + "/home/*/.local/share/vifm/Trash" + "/home/*/Linux/Isos" + ]; + }; + storage = { + encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/passphrase".path}"; + compression = "lz4"; + }; + retention = { + keep_daily = 7; + keep_weekly = 4; + keep_monthly = 12; + keep_yearly = 3; + }; + }; + }; +} diff --git a/hosts/thinkpad/modules/snapper/default.nix b/hosts/thinkpad/modules/snapper/default.nix deleted file mode 100644 index 9f4c8c1..0000000 --- a/hosts/thinkpad/modules/snapper/default.nix +++ /dev/null 
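Review bot: `"/home/*/.zcomp*"` is listed twice in `exclude_patterns` of the new thinkpad backup module; drop one. Separately, this host backs up `/nix/persist`, which suggests an impermanence setup like the nuc's, yet unlike the nuc hunk in this commit nothing here persists `/root/.config/borg/security`; if /root is wiped on reboot, borg's per-repository safeguards (manifest timestamp and nonce tracking) are reset on every boot. Confirm whether the thinkpad persists /root by other means, otherwise add the same persistence entry.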
@@ -1,19 +0,0 @@ -{ ... }: -{ - services.snapper = { - configs = { - home = { - SUBVOLUME = "/home"; - ALLOW_USERS = [ "rouven" ]; - TIMELINE_CREATE = true; - TIMELINE_CLEANUP = true; - }; - lib = { - SUBVOLUME = "/var/lib"; - ALLOW_USERS = [ "rouven" ]; - TIMELINE_CREATE = true; - TIMELINE_CLEANUP = true; - }; - }; - }; -} diff --git a/hosts/thinkpad/modules/virtualisation/default.nix b/hosts/thinkpad/modules/virtualisation/default.nix index 5151407..f039376 100644 --- a/hosts/thinkpad/modules/virtualisation/default.nix +++ b/hosts/thinkpad/modules/virtualisation/default.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, pkgs, ... }: # Virtualisation with gpu passthrough # Following https://astrid.tech/2022/09/22/0/nixos-gpu-vfio/ # let diff --git a/hosts/vm/default.nix b/hosts/vm/default.nix index 248994c..bd321c4 100644 --- a/hosts/vm/default.nix +++ b/hosts/vm/default.nix @@ -52,6 +52,6 @@ ../../keys/ssh/rouven-thinkpad ]; }; - system.stateVersion = "22.11"; + system.stateVersion = "23.05"; } diff --git a/keys/ssh/root-falkenstein b/keys/ssh/root-falkenstein new file mode 100644 index 0000000..f8a6fdd --- /dev/null +++ b/keys/ssh/root-falkenstein @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO9b6MMNbqtBQb3U/ieJu6XLkVXWNlazqXvdmKVC/OZO root@falkenstein-1 diff --git a/pkgs/adguardian-term/default.nix b/pkgs/adguardian-term/default.nix index 3bcdf1d..74fb635 100644 --- a/pkgs/adguardian-term/default.nix +++ b/pkgs/adguardian-term/default.nix @@ -16,6 +16,7 @@ rustPlatform.buildRustPackage rec { homepage = "https://github.com/lissy93/adguardian-term"; license = with licenses; [ mit ]; maintainers = with maintainers; [ therealr5 ]; + mainProgram = "adguardian"; }; } diff --git a/pkgs/crowdsec-firewall-bouncer/default.nix b/pkgs/crowdsec-firewall-bouncer/default.nix index 036a1c5..db676e9 100644 --- a/pkgs/crowdsec-firewall-bouncer/default.nix +++ b/pkgs/crowdsec-firewall-bouncer/default.nix 
@@ -1,4 +1,4 @@ -{ lib, buildGoModule, makeWrapper, fetchFromGitHub, playerctl }: +{ lib, buildGoModule, fetchFromGitHub, playerctl }: buildGoModule rec { pname = "crowdsec-firewall-bouncer"; version = "0.0.27"; diff --git a/secrets/falkenstein-1.yaml b/secrets/falkenstein-1.yaml index e0210a6..de37d04 100644 --- a/secrets/falkenstein-1.yaml +++ b/secrets/falkenstein-1.yaml @@ -1,5 +1,12 @@ purge: token: ENC[AES256_GCM,data:mCK0xAgF4Q8DOTPVRg/O5L8kpDItNj8U0ikoKOOZC3Dv50Yt/nqvq4j4fM0CQ836pxCutir6FkTKbS5xS5XqKoSzu8E/0Q==,iv:JDqyeG+g3RAHmMD4uxS6eyQYYI50X6Bwutp+/v2ngq8=,tag:JkqLWoSwwghNUCD2+I6Njg==,type:str] +wireguard: + dorm: + private: ENC[AES256_GCM,data:3DMW+sZ1qEcfithXj8/7CUbKotJ2Ld23Fa6cf9ijLRvJPk5+VZOt8j5AIVY=,iv:pY/uAkkUOyFqEmWqoP8qC418VtbbX/Ws7BMuyGbvlXE=,tag:/u2akzXjchYlKR59Skk4aA==,type:str] + preshared: ENC[AES256_GCM,data:+1O/8fW03NOqd2FJjCDvN1Ktb3mVBManB9gI8S0CensNayjFHLfPj4z64TQ=,iv:YgVsHG30XIr6lR9Is91sDW0jwxmUmmo49rD4tXknU/E=,tag:EKa1NDJIlPlU+AU0bcFu5w==,type:str] +borg: + passphrase: ENC[AES256_GCM,data:54KCMu574Uj01sqnfBX9BqFc5+dx1Se7,iv:NgodekAUw0pNddA36oIranISkvUQIxZRmZW4s1UIHdU=,tag:frep/WspsozTL1V/OfuTxw==,type:str] + key: ENC[AES256_GCM,data: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,iv:8yl4F9+g+SfjvHVJKCTFXS9JU0Kzy7TqIX3HtQQt/n0=,tag:4r6A1K0zHSycglcZYGnkWw==,type:str] sops: kms: [] gcp_kms: [] 
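Review bot: `playerctl` remains in the function arguments of a firewall-bouncer package after `makeWrapper` was dropped; it looks like a leftover from whatever expression this was copied from. If it is unused in the body (outside the hunk), remove it as well: `{ lib, buildGoModule, fetchFromGitHub }:`.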
@@ -15,8 +22,8 @@ sops: NGlZbU8rcWJRbGE5OEFHdUNqZ2xUS2sK/r7qJHfTP0REcM2PYM95XT0onnCYXzam 20BgfynX3PJE2QVcgl8rr7ssuKxESi+tY/1VB0l8Tryxe6hr/p5IVg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-20T19:34:57Z" - mac: ENC[AES256_GCM,data:0/r6bPhpdjO/gmQik5NUKA028z0RGmJ7jzum5ZLr/H/540c5nHgPc7URyGcmp2xH5KkmxtcXPloUvZTDep3XsitJtWSmRhME31CrUNan0iWShj4ERbw8/hlLEy5ILc2ko79ofKjjmF6pPxoyeqqQQnSrJBF9qJfQDbQ2jY1GRmY=,iv:0LPC2g6eStt0+tTYBxN3d4sxr6fthCHsudiOhQJTj1A=,tag:nLPVgixzs1+3LroVyvgbFw==,type:str] + lastmodified: "2023-07-30T17:37:40Z" + mac: ENC[AES256_GCM,data:ZoYr+oUDweb5o01qbYVT2b4DITDtfAtsiJBOP1XCU+YZeEOLzMQzCGdcI7X+ho1M6u2sWT5WX0e1SwWBkuxOqs7vF6SeyDKFSmZpSx6Cg6KJDqxFJf2Jy7Ll0X5DkE7m+r1tQjggsVTNKTLMEVXONsZVIzGa0If3kuFVAzSlv9Y=,iv:0XxrIIjL71tNy5PEoxQ62MPJ4QmryMljUX20/LYV7C4=,tag:pD109s/GgbxZmprBpIooNQ==,type:str] pgp: - created_at: "2023-04-12T15:47:07Z" enc: |- diff --git a/secrets/nuc.yaml b/secrets/nuc.yaml index 326967f..1f5f385 100644 --- a/secrets/nuc.yaml +++ b/secrets/nuc.yaml @@ -5,6 +5,9 @@ nextcloud: adminpass: ENC[AES256_GCM,data:lfx7t/ewN23/O0qvSVHrX70W4NygAA0zTA==,iv:Px32DXH8BKQphldeW3CdJjRCXnmMgRx6g0YWZ6ON/pY=,tag:3Effg1hKNNlp+intUEmzxQ==,type:str] vaultwarden: env: ENC[AES256_GCM,data:LZ/geI1sqA6BgFqSYNpDlNm9tn0GVKyHcbsJJoWDs89MUjEgrk7QBK1VighKQkmW+4xJqqruLfDkrNMmsSQdyWXNISawuw==,iv:ukh3ggqJ1R8DqQQDad86QoKbpHBG5mTBx7oKWbgnrZg=,tag:PlYKW5jtYVCrjAWideG1Dg==,type:str] +borg: + passphrase: ENC[AES256_GCM,data:TGs4J64BmfpHi3PljOlfugoCzC21zg==,iv:Z3TyijL/0Ku7Ttx3+wLloUOS8ihA677nY/QTVC4eZwQ=,tag:yZrFkEKd9XtiT+BEX1Q6Yw==,type:str] + key: ENC[AES256_GCM,data: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,iv:ce7LXzs+YowBByyz4mQeBZHElLdRs4ifteheNYuYvRU=,tag:9g6J6gdQ0cmpAF9E/SPPeA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -20,8 +23,8 @@ sops: V3l5WVZhL1dVMUxoV1NYdFhVaElYUU0KtYzj7r6+/j2Sqo7AiVdPPKBqsFBiefpj 4nOJD81tJYMqh7deydKFB1kEYOX4HJ9HfQURzcdbhgWbUv6xys2eyg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-06-12T18:08:48Z" - mac: ENC[AES256_GCM,data:YOYNDKkKr8OF3/NIplPpLQe0MnmqZU+yAFWqpMdIDE10oa4AOcC0XCQxsbLCguT3RH4pxJykYtbuRwfmXQzmKDOrZj4cEcr3MpCYHyJR/3GJvTaeHHsfgom+5q3casBhG/wVHMaVbHrK+IoogekP0+sIONY31KZbhj3ot585yo0=,iv:OODBeUeP1VYxw6Gps0QQr6Waxx41Zcrz7OpjaXiqQWM=,tag:Y5CiUpvVq4nXcQ7kQfl6lw==,type:str] + lastmodified: "2023-07-30T12:14:46Z" + mac: ENC[AES256_GCM,data:iD3xYcLD88+2wyNB4mE786FZUEgf10V/gnKCt8PNrpJp2W6f4URzCRUqOZU7G+m88sW/PN7sMEdNOvwJBZCirP4gmzTGuZ5oGjPVKNEiBe6hVSsqGY5D0528GIxqB/wxUhsByYybetGmrKeB8P1WXr/4iyIKwDUygJ8IkeokIC8=,iv:qMl+Jum8LbtdGi5uA9C+IMX2kv4bVCPoj1F0a++4ZHA=,tag:6A+OIA6jiFxEOePOw+M6RQ==,type:str] pgp: - created_at: "2023-06-12T13:53:20Z" enc: |- diff --git a/secrets/rouven.yaml b/secrets/rouven.yaml index d383665..7a32651 100644 --- a/secrets/rouven.yaml +++ b/secrets/rouven.yaml @@ -4,6 +4,10 @@ email: google: ENC[AES256_GCM,data:044yUHWp8PvtTytFwfCAhg==,iv:nRWzcxXCogombevZQxYsMuLL4us1kv6WKfChRphLR48=,tag:fnHxnweczc5bElK8kGa6rw==,type:str] ifsr: ENC[AES256_GCM,data:debmpTL+VYNE3InslDyV0FW1sKjBFA==,iv:ZKwyOMsfQivesFoEJeDCNnPzOgwlP0xmJ0GNsA57njM=,tag:CJZhWTb2MfsR+rv2VY6Xmw==,type:str] spotify: ENC[AES256_GCM,data:J9j4aIyXIRZcjcjYH1+J,iv:fEiMS+BiXiq8O/fHV1nBPhQ+mv83Qx2SzntkSGd5aVg=,tag:1BZtXH9szEOJBs83LXhrOw==,type:str] +ssh: + git: + private: ENC[AES256_GCM,data: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,iv:XeIfJ0heXz48jEP8DXct0E9MZLOTE3MJsj5F2zFrN1g=,tag:EnS6eYFymaQvGIQps5l5aA==,type:str] + public_unencrypted: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqjaaB4RSwGGZXHb8UqTLz0GkOWlKctHoxmhpkwsFMI rouven@thinkpad sops: kms: [] gcp_kms: [] 
@@ -19,8 +23,8 @@ sops: N08rUm1KNCtOaHlYVnFZUFViZnNHeUkKvQTAtOKQqCJP54eV6bxxCWX5CKACPJQP MBkKw0jbgjBI4SuDdPQVaXE0gEllJPjENUjqXGVatYbhBStbIraZQQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-02-26T21:31:46Z" - mac: ENC[AES256_GCM,data:C7zsGBibZB7DB9czb3w7P4NYZNTXqXnpVlj3kJ/l1lRBHBYlzKG7ZZCPB+4/lqqveP68J6gGwZIFPJOjlubJsiNl6Tqfiz0rNl6lQ942/dnt7g4yALeoOUHT09FPJPSzdORWP9ocRNQcpRis1DVADjsk0vqN7jfaoaqWRGQPUk4=,iv:cynOU+rArLUV4esBy0RDKHT5icdDjqDQ2gUfQQi1Sh0=,tag:GzJk7cQ3vmNjf2gJkXtMGQ==,type:str] + lastmodified: "2023-07-29T09:14:57Z" + mac: ENC[AES256_GCM,data:yyNh1dMMhx+wJFZlbIEqPGlyzV7Y5hOdqio6xrf23y5h7AbOwCPHcNvOQE+liM8Hee3L8pVMULISN1PdisAmGfDq0a7gqdSHVCifQwbzi+/CY/X9mN8/ics3sGxQQpZS6ty9Tn5KPkBwLpQIHZlcUmf89hveya1gPYvIz5gXQvI=,iv:xWWpBSihcx5l0mEcZu6UVP2kJkpiLdzUYZhGjVRzaSk=,tag:vRuBoISmmKhSvozLFL2/Pw==,type:str] pgp: - created_at: "2023-02-25T23:44:24Z" enc: |- diff --git a/secrets/thinkpad.yaml b/secrets/thinkpad.yaml index 395f5c4..ca90b33 100644 --- a/secrets/thinkpad.yaml +++ b/secrets/thinkpad.yaml @@ -5,6 +5,9 @@ wireguard: dorm: private: ENC[AES256_GCM,data:l2SEIEoljGLrEDWEVdfJiVdLafyAmlR4wKzKtz/xsLL6kEGveK/dgsDvjiU=,iv:5YktJB0g/2Agd+0+synPjZUsxxa5JPorFn975Vr/PF4=,tag:c6CmppUVMcjrip4YraBurQ==,type:str] preshared: ENC[AES256_GCM,data:sb6vHcYO6c+m2jegangICr3v2toTFdSwt/rgCKD7q4UB/qR8U5CaAEjQdXY=,iv:QwQbNxx4+xTL14ID10bS7HWxKWzkoMSV6wHu8qytbEU=,tag:ozsK2gqayY56uOTGZtCNqQ==,type:str] +borg: + passphrase: ENC[AES256_GCM,data:jhn7XwzEai+MISQpMnUDre6nJg6Gtx7B,iv:B7CDuHICxcnQJCY5fECTyAeSqh2YEmVqiCrzklmCF8w=,tag:DdtVluSE9ot2BiYtq0eUNg==,type:str] + key: ENC[AES256_GCM,data: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,iv:vRfpAtZoOAfTFLHdLYSUzftX1OaEr5cdm6L4FOKuFUE=,tag:TRpS0iMdU8wIFIBSkLtyJA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -20,8 +23,8 @@ sops: d1J5UHJDYjlZWEV1aEVDSmxhWDB0anMKMNzyd465AdMyX0o9NxF+hcLyROcd8xoJ 39K5xIDzcqpu6HfoZk1kZ/TT1DS2Xiw0rDuJHWdfpnS8zNe6DL3a7Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-04-14T08:11:45Z" - mac: ENC[AES256_GCM,data:htH8ETxKS88poYBoI4GxaCveK69XW0+Uq41ESmuRl2KKVAxGwkmgycWqZbbowcY0YHnUn8yh2hb+9zE1MHgdAnDq5VWvzzjo8s2xfRq+9rpOsFBVKwhi94vzfsCHAOs+eez0Dlz0xVjs2lnsVNUl7HIk0K1qqT8v6yEhIi5NnjU=,iv:zQp4yLwRyi3razD9TMO3MYDEM7eE+dvej2PovuUSx5M=,tag:Cy6z0LPQ03itFjdOE7b3Rw==,type:str] + lastmodified: "2023-07-30T13:44:51Z" + mac: ENC[AES256_GCM,data:kddokPxPpClyToDm6a3Iu0UfTFxqN2oRsGYLBgzW3iuScz0NpOJXYfHyOXmzTLyj7LSFr4xuE86/KsaWeGxse8CCqnbnbsj2Ok7nEjWqT26L7fUDklBkTb3EZQqgz1v+rl35mlto+GfsA5kskwwUOiQGuwxqWPZTznf3WqWq6pI=,iv:8qaKsXRh9O57zeWVJQqW4m4U6OgRjMaEQKclnt8jrIQ=,tag:rrC1JqCZH8br3hYlxBCRYA==,type:str] pgp: - created_at: "2023-02-16T20:53:51Z" enc: |- diff --git a/shared/activation.nix b/shared/activation.nix index 0c975d0..b6c6530 100644 --- a/shared/activation.nix +++ b/shared/activation.nix @@ -1,7 +1,9 @@ -{ lib, pkgs, ... }: +{ config, ... }: { system.activationScripts.report-nixos-changes = '' - PATH=$PATH:${lib.makeBinPath [ pkgs.nvd pkgs.nix ]} - nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2) || true + if [ -e /run/current-system ] && [ -e $systemConfig ]; then + echo System package diff: + ${config.nix.package}/bin/nix store diff-closures /run/current-system $systemConfig || true + fi ''; } diff --git a/shared/zsh.nix b/shared/zsh.nix index 8b40c9f..4a7d9cd 100644 --- a/shared/zsh.nix +++ b/shared/zsh.nix @@ -24,10 +24,11 @@ la = "ls -a"; less = "bat"; update = "cd /etc/nixos && nix flake update"; - garbage = "sudo nix-collect-garbage -d"; + garbage = "${lib.getExe pkgs.home-manager} expire-generations \"-0 days\" && sudo nix-collect-garbage -d"; }; histSize = 100000; histFile = "~/.local/share/zsh/history"; + syntaxHighlighting.enable = true; autosuggestions = { enable = true; highlightStyle = "fg=#00bbbb,bold"; 
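Review bot: `$systemConfig` is unquoted in both the test and the diff-closures call of the new activation script; quote it (`[ -e "$systemConfig" ]` and `... /run/current-system "$systemConfig" || true`) so an unset or unusual value fails the test instead of expanding to nothing. `nix store diff-closures` is a `nix-command` subcommand, so the script also presumes experimental features are enabled system-wide; given the `|| true`, a missing feature would only print an error, which is probably acceptable here.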
@@ -41,6 +42,12 @@ shellInit = '' + export MCFLY_KEY_SCHEME=vim + export MCFLY_FUZZY=2 + export MCFLY_DISABLE_MENU=TRUE + export MCFLY_RESULTS=30 + export MCFLY_INTERFACE_VIEW=BOTTOM + export MCFLY_PROMPT="❯" source ${pkgs.zsh-fzf-tab}/share/fzf-tab/fzf-tab.plugin.zsh function svpn() { unit=$(systemctl list-unit-files | grep "openconnect\|wg-quick\|wireguard\|openvpn" | cut -d "." -f1 | fzf --preview 'systemctl status {}') @@ -73,6 +80,7 @@ then cat ${../images/cat.sixel} fi + eval "$(${lib.getExe pkgs.mcfly} init zsh)" ''; }; } diff --git a/users/rouven/modules/packages.nix b/users/rouven/modules/packages.nix index efc4bdd..da58e23 100644 --- a/users/rouven/modules/packages.nix +++ b/users/rouven/modules/packages.nix @@ -6,7 +6,6 @@ wpa_supplicant_gui pcmanfm xdg-utils # used for xdg-open - snapper-gui # graphics evince # pdf viewer diff --git a/users/rouven/modules/ssh/default.nix b/users/rouven/modules/ssh/default.nix index 02f24da..9781ee2 100644 --- a/users/rouven/modules/ssh/default.nix +++ b/users/rouven/modules/ssh/default.nix @@ -1,10 +1,14 @@ { ... }: let - git = "~/.ssh/git"; + git = "/run/user/1000/secrets/ssh/git/private"; in { + sops.secrets = { + "ssh/git/private" = { }; + }; programs.ssh = rec { enable = true; + compression = true; matchBlocks = { "artemis-git.inf.tu-dresden.de" = { identityFile = git;
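Review bot: `git = "/run/user/1000/secrets/ssh/git/private"` hardcodes the path sops-nix derives for the secret declared a few lines below it and ties the config to uid 1000. Take the path from the module instead: `{ config, ... }:` and `git = config.sops.secrets."ssh/git/private".path;` (assuming the home-manager sops module exposes `.path` the way the NixOS one does). The `compression = true` addition is harmless for an identity-file match block.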