configured backups

Rouven Seifert 2023-07-30 19:41:51 +02:00
parent 60e1f3c3d0
commit b48fa4e383
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
25 changed files with 217 additions and 92 deletions


@ -171,11 +171,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1690476848, "lastModified": 1690652600,
"narHash": "sha256-PSmzyuEbMxEn2uwwLYUN2l1psoJXb7jm/kfHD12Sq0k=", "narHash": "sha256-Dy09g7mezToVwtFPyY25fAx1hzqNXv73/QmY5/qyR44=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "8d243f7da13d6ee32f722a3f1afeced150b6d4da", "rev": "f58889c07efa8e1328fdf93dc1796ec2a5c47f38",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -272,11 +272,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1690083300, "lastModified": 1690687539,
"narHash": "sha256-xnUtWO/5TuuHkIpmzMXGvHJqS06FSVADnAZ4bvqO4Zo=", "narHash": "sha256-Lnwz9XKtshm+5OeWqCbj/3tKuKK+DL5tUTdKSRrKBlY=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "c1e6fc40dd5c0d16940bc012421268b94e404b0b", "rev": "d74b8171153ae35d7d323a9b1ad6c4cf7a995591",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -287,11 +287,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1690200740, "lastModified": 1690704397,
"narHash": "sha256-aRkEXGmCbAGcvDcdh/HB3YN+EvoPoxmJMOaqRZmf6vM=", "narHash": "sha256-sgIWjcz0e+x87xlKg324VtHgH55J5rIuFF0ZWRDvQoE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "ba9650b14e83b365fb9e731f7d7c803f22d2aecf", "rev": "96e5a0a0e8568c998135ea05575a9ed2c87f5492",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -301,11 +301,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1690272529, "lastModified": 1690548937,
"narHash": "sha256-MakzcKXEdv/I4qJUtq/k/eG+rVmyOZLnYNC2w1mB59Y=", "narHash": "sha256-x3ZOPGLvtC0/+iFAg9Kvqm/8hTAIkGjc634SqtgaXTA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ef99fa5c5ed624460217c31ac4271cfb5cb2502c", "rev": "2a9d660ff0f7ffde9d73be328ee6e6f10ef66b28",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -5,6 +5,7 @@
[ [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./modules/backup
./modules/crowdsec ./modules/crowdsec
./modules/mail ./modules/mail
./modules/networks ./modules/networks


@ -0,0 +1,32 @@
{ config, pkgs, ... }:
{
sops.secrets."borg/passphrase" = { };
environment.systemPackages = [ pkgs.borgbackup ];
services.borgmatic = {
enable = true;
settings = {
location = {
source_directories = [
"/var/lib"
"/var/log"
"/etc/crowdsec"
"/root"
];
repositories = [
"ssh://root@192.168.10.2/mnt/backup/falkenstein"
];
};
storage = {
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/passphrase".path}";
compression = "lz4";
};
retention = {
keep_daily = 7;
keep_weekly = 4;
keep_monthly = 12;
keep_yearly = 3;
};
};
};
}
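Review bot: The repository URL `ssh://root@192.168.10.2/mnt/backup/falkenstein` has this host log in to the backup server as root, and nothing in the visible configuration limits that login to borg. The thinkpad module later on this page uses the same pattern with `ssh://root@192.168.10.2/mnt/backup/thinkpad`, and another section adds `../../keys/ssh/root-falkenstein` to a key list whose attribute lies outside its hunk. If that key ends up as a plain root key, whoever controls this machine also controls the backup host and every other repository on it, which removes most of the protection an off-host backup is meant to give. I would point the repository at a dedicated unprivileged account and prefix the key with a forced command, for example `command="borg serve --restrict-to-path /mnt/backup/falkenstein",restrict`, or use the `services.borgbackup.repos` module on the server, which sets this up per repository.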


@ -3,7 +3,6 @@
let let
domain = "rfive.de"; domain = "rfive.de";
hostname = "falkenstein.vpn.${domain}"; hostname = "falkenstein.vpn.${domain}";
rspamd-domain = "rspamd.${domain}";
in in
{ {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [


@ -1,5 +1,13 @@
{ ... }: { config, ... }:
{ {
sops.secrets = {
"wireguard/dorm/private" = {
owner = config.users.users.systemd-network.name;
};
"wireguard/dorm/preshared" = {
owner = config.users.users.systemd-network.name;
};
};
networking = { networking = {
hostName = "falkenstein-1"; hostName = "falkenstein-1";
useNetworkd = true; useNetworkd = true;
@ -20,5 +28,44 @@
Gateway = "fe80::1"; Gateway = "fe80::1";
}; };
}; };
netdevs."30-dorm" = {
netdevConfig = {
Kind = "wireguard";
Name = "dorm";
Description = "WireGuard to my Dorm Infra";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wireguard/dorm/private".path;
ListenPort = 51820;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "vUmworuJFHjB4KUdkucQ+nzqO2ysARLomq4UuK1n430=";
PresharedKeyFile = config.sops.secrets."wireguard/dorm/preshared".path;
Endpoint = "dorm.vpn.rfive.de:51820";
AllowedIPs = "10.10.10.0/24, 192.168.10.0/24";
};
}
];
};
networks."30-dorm" = {
matchConfig.Name = "dorm";
networkConfig = {
DNS = "192.168.10.1";
};
addresses = [
{
addressConfig = {
Address = "10.10.10.4/24";
RouteMetric = 30;
};
}
];
routes = [
{ routeConfig = { Gateway = "0.0.0.0"; Destination = "192.168.10.0/24"; Metric = 30; }; }
];
};
}; };
} }
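Review bot: `DNS = "192.168.10.1"` on the `dorm` network has no routing domain next to it, so systemd-resolved may treat the resolver behind the tunnel as a candidate for every lookup this host makes, not only for names inside the VPN. If only internal names should go there, add a routing domain in the same `networkConfig`, e.g. `Domains = "~vpn.rfive.de";` (the zone is my guess from the `Endpoint` name), or set `DNSDefaultRoute = false;`. Separately, `AllowedIPs` accepts traffic from all of `10.10.10.0/24` and `192.168.10.0/24`, and the firewall rules for the `dorm` interface are not visible in this section, so it is worth confirming that only the intended services are reachable from it. A short comment above `wireguardPeers` saying which host the peer is would also help the next reader.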


@ -11,6 +11,7 @@
virtualHosts."rfive.de" = { virtualHosts."rfive.de" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
root = "/srv/web/rfive.de";
}; };
}; };
security.acme = { security.acme = {

View file

@ -35,6 +35,7 @@
directories = [ directories = [
"/etc/ssh" "/etc/ssh"
"/root/.local/share/zsh" "/root/.local/share/zsh"
"/root/.config/borg/security"
]; ];
files = [ files = [
"/etc/machine-id" "/etc/machine-id"
@ -83,6 +84,7 @@
../../keys/ssh/rouven-thinkpad ../../keys/ssh/rouven-thinkpad
../../keys/ssh/root-thinkpad ../../keys/ssh/root-thinkpad
../../keys/ssh/rouven-pixel ../../keys/ssh/rouven-pixel
../../keys/ssh/root-falkenstein
]; ];
system.stateVersion = "22.11"; system.stateVersion = "22.11";


@ -1,37 +1,35 @@
{ config, pkgs, ... }:
{ {
sops.secrets."borg/passphrase" = { };
environment.systemPackages = [ pkgs.borgbackup ];
fileSystems."/mnt/backup" = fileSystems."/mnt/backup" =
{ {
device = "/dev/disk/by-uuid/f6905cdb-c130-465a-90a3-93997023b5d3 "; device = "dev/disk/by-uuid/74e78699-fe27-4467-a9bb-99fc6e8d52c5";
fsType = "btrfs"; fsType = "ext4";
options = [ "compress=zstd" "noatime" "nofail" ]; options = [ "nofail" ];
neededForBoot = false; neededForBoot = false;
}; };
services.borgmatic = {
enable = true;
settings = {
location.source_directories = [
"/var/lib"
"/var/log"
"/nix/persist"
];
location.repositories = [
"/mnt/backup/nuc"
];
storage = {
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/passphrase".path}";
compression = "lz4";
};
retention = {
keep_daily = 7;
keep_weekly = 4;
keep_monthly = 12;
keep_yearly = 3;
fileSystems."/mnt/pool" =
{
device = "/dev/disk/by-uuid/16b0bd14-1b07-477d-a20d-982f9467f6df";
fsType = "btrfs";
options = [ "compress=zstd" "noatime" ];
};
services.btrbk = {
instances."nuc-to-disk".settings = {
snapshot_preserve = "14d";
snapshot_preserve_min = "2d";
target_preserve = "30d 4w 12m";
target_preserve_min = "2d";
volume = {
"/mnt/pool" = {
subvolume = {
log = {
snapshot_create = "always";
};
lib = {
snapshot_create = "always";
};
};
target = "/mnt/backup/nuc";
};
}; };
}; };
}; };
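Review bot: The device string that appears to be the new value, `"dev/disk/by-uuid/74e78699-fe27-4467-a9bb-99fc6e8d52c5"`, has no leading slash, so it is not an absolute path and the mount will most likely fail. Because `nofail` is set, boot continues without it and `/mnt/backup` stays a plain directory on the root filesystem, so the repositories that live under `/mnt/backup` would either be missing or quietly fill the system disk. The line should read `device = "/dev/disk/by-uuid/74e78699-fe27-4467-a9bb-99fc6e8d52c5";`. The page no longer shows the +/- markers, so I am inferring old and new from the order in which the two values are printed.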


@ -11,19 +11,6 @@ in
}; };
services = { services = {
postgresql = {
enable = true;
ensureUsers = [
{
name = "nextcloud";
ensurePermissions = {
"DATABASE nextcloud" = "ALL PRIVILEGES";
};
}
];
ensureDatabases = [ "nextcloud" ];
};
nextcloud = { nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud27; # Use current latest nextcloud package package = pkgs.nextcloud27; # Use current latest nextcloud package
@ -56,4 +43,8 @@ in
requires = [ "postgresql.service" ]; requires = [ "postgresql.service" ];
after = [ "postgresql.service" ]; after = [ "postgresql.service" ];
}; };
systemd.services."nextcloud-cron" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
} }

View file

@ -4,10 +4,10 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
./modules/backup
./modules/networks ./modules/networks
./modules/greetd ./modules/greetd
./modules/virtualisation ./modules/virtualisation
./modules/snapper
]; ];
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.

View file

@ -0,0 +1,41 @@
{ config, pkgs, ... }:
{
sops.secrets."borg/passphrase" = { };
environment.systemPackages = [ pkgs.borgbackup ];
services.borgmatic = {
enable = true;
settings = {
location = {
source_directories = [
"/var/lib"
"/var/log"
"/nix/persist"
"/home"
];
repositories = [
"ssh://root@192.168.10.2/mnt/backup/thinkpad"
];
exclude_patterns = [
"/home/*/.cache"
"/home/*/.zcomp*"
"/home/*/.zcomp*"
"/home/*/.local/share/Steam"
"/home/*/.local/share/Trash"
"/home/*/.local/share/vifm/Trash"
"/home/*/Linux/Isos"
];
};
storage = {
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/passphrase".path}";
compression = "lz4";
};
retention = {
keep_daily = 7;
keep_weekly = 4;
keep_monthly = 12;
keep_yearly = 3;
};
};
};
}
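Review bot: `"/home/*/.zcomp*"` is listed twice in `exclude_patterns`; either one entry can go or the second was meant to be a different pattern. No `consistency` section is set, so borgmatic falls back to its defaults for repository checks; stating the intended checks explicitly would make it clear how corruption on the remote disk is supposed to be noticed. A one-line comment above `source_directories` saying why `/nix/persist` and `/home` are both included would help as well.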

View file

@ -1,19 +0,0 @@
{ ... }:
{
services.snapper = {
configs = {
home = {
SUBVOLUME = "/home";
ALLOW_USERS = [ "rouven" ];
TIMELINE_CREATE = true;
TIMELINE_CLEANUP = true;
};
lib = {
SUBVOLUME = "/var/lib";
ALLOW_USERS = [ "rouven" ];
TIMELINE_CREATE = true;
TIMELINE_CLEANUP = true;
};
};
};
}

View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, pkgs, ... }:
# Virtualisation with gpu passthrough # Virtualisation with gpu passthrough
# Following https://astrid.tech/2022/09/22/0/nixos-gpu-vfio/ # Following https://astrid.tech/2022/09/22/0/nixos-gpu-vfio/
# let # let

View file

@ -52,6 +52,6 @@
../../keys/ssh/rouven-thinkpad ../../keys/ssh/rouven-thinkpad
]; ];
}; };
system.stateVersion = "22.11"; system.stateVersion = "23.05";
} }
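Review bot: `system.stateVersion` looks like it goes from `"22.11"` to `"23.05"` here, and that option is meant to record the release the machine was first installed with, not the release it currently runs. Modules use it to pick defaults for stateful data, so raising it on an existing installation can change those defaults underneath data that is already on disk. If this host was freshly installed on 23.05 the change is fine; otherwise I would keep `system.stateVersion = "22.11";` and add a comment saying the value is deliberately left at the install release. The rest of the file is outside the hunk, so I cannot tell which case applies.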

View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO9b6MMNbqtBQb3U/ieJu6XLkVXWNlazqXvdmKVC/OZO root@falkenstein-1

View file

@ -16,6 +16,7 @@ rustPlatform.buildRustPackage rec {
homepage = "https://github.com/lissy93/adguardian-term"; homepage = "https://github.com/lissy93/adguardian-term";
license = with licenses; [ mit ]; license = with licenses; [ mit ];
maintainers = with maintainers; [ therealr5 ]; maintainers = with maintainers; [ therealr5 ];
mainProgram = "adguardian";
}; };
} }

View file

@ -1,4 +1,4 @@
{ lib, buildGoModule, makeWrapper, fetchFromGitHub, playerctl }: { lib, buildGoModule, fetchFromGitHub, playerctl }:
buildGoModule rec { buildGoModule rec {
pname = "crowdsec-firewall-bouncer"; pname = "crowdsec-firewall-bouncer";
version = "0.0.27"; version = "0.0.27";

View file

@ -1,5 +1,12 @@
purge: purge:
token: ENC[AES256_GCM,data:mCK0xAgF4Q8DOTPVRg/O5L8kpDItNj8U0ikoKOOZC3Dv50Yt/nqvq4j4fM0CQ836pxCutir6FkTKbS5xS5XqKoSzu8E/0Q==,iv:JDqyeG+g3RAHmMD4uxS6eyQYYI50X6Bwutp+/v2ngq8=,tag:JkqLWoSwwghNUCD2+I6Njg==,type:str] token: ENC[AES256_GCM,data:mCK0xAgF4Q8DOTPVRg/O5L8kpDItNj8U0ikoKOOZC3Dv50Yt/nqvq4j4fM0CQ836pxCutir6FkTKbS5xS5XqKoSzu8E/0Q==,iv:JDqyeG+g3RAHmMD4uxS6eyQYYI50X6Bwutp+/v2ngq8=,tag:JkqLWoSwwghNUCD2+I6Njg==,type:str]
wireguard:
dorm:
private: ENC[AES256_GCM,data:3DMW+sZ1qEcfithXj8/7CUbKotJ2Ld23Fa6cf9ijLRvJPk5+VZOt8j5AIVY=,iv:pY/uAkkUOyFqEmWqoP8qC418VtbbX/Ws7BMuyGbvlXE=,tag:/u2akzXjchYlKR59Skk4aA==,type:str]
preshared: ENC[AES256_GCM,data:+1O/8fW03NOqd2FJjCDvN1Ktb3mVBManB9gI8S0CensNayjFHLfPj4z64TQ=,iv:YgVsHG30XIr6lR9Is91sDW0jwxmUmmo49rD4tXknU/E=,tag:EKa1NDJIlPlU+AU0bcFu5w==,type:str]
borg:
passphrase: ENC[AES256_GCM,data:54KCMu574Uj01sqnfBX9BqFc5+dx1Se7,iv:NgodekAUw0pNddA36oIranISkvUQIxZRmZW4s1UIHdU=,tag:frep/WspsozTL1V/OfuTxw==,type:str]
key: ENC[AES256_GCM,data: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,iv:8yl4F9+g+SfjvHVJKCTFXS9JU0Kzy7TqIX3HtQQt/n0=,tag:4r6A1K0zHSycglcZYGnkWw==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -15,8 +22,8 @@ sops:
NGlZbU8rcWJRbGE5OEFHdUNqZ2xUS2sK/r7qJHfTP0REcM2PYM95XT0onnCYXzam NGlZbU8rcWJRbGE5OEFHdUNqZ2xUS2sK/r7qJHfTP0REcM2PYM95XT0onnCYXzam
20BgfynX3PJE2QVcgl8rr7ssuKxESi+tY/1VB0l8Tryxe6hr/p5IVg== 20BgfynX3PJE2QVcgl8rr7ssuKxESi+tY/1VB0l8Tryxe6hr/p5IVg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-20T19:34:57Z" lastmodified: "2023-07-30T17:37:40Z"
mac: ENC[AES256_GCM,data:0/r6bPhpdjO/gmQik5NUKA028z0RGmJ7jzum5ZLr/H/540c5nHgPc7URyGcmp2xH5KkmxtcXPloUvZTDep3XsitJtWSmRhME31CrUNan0iWShj4ERbw8/hlLEy5ILc2ko79ofKjjmF6pPxoyeqqQQnSrJBF9qJfQDbQ2jY1GRmY=,iv:0LPC2g6eStt0+tTYBxN3d4sxr6fthCHsudiOhQJTj1A=,tag:nLPVgixzs1+3LroVyvgbFw==,type:str] mac: ENC[AES256_GCM,data:ZoYr+oUDweb5o01qbYVT2b4DITDtfAtsiJBOP1XCU+YZeEOLzMQzCGdcI7X+ho1M6u2sWT5WX0e1SwWBkuxOqs7vF6SeyDKFSmZpSx6Cg6KJDqxFJf2Jy7Ll0X5DkE7m+r1tQjggsVTNKTLMEVXONsZVIzGa0If3kuFVAzSlv9Y=,iv:0XxrIIjL71tNy5PEoxQ62MPJ4QmryMljUX20/LYV7C4=,tag:pD109s/GgbxZmprBpIooNQ==,type:str]
pgp: pgp:
- created_at: "2023-04-12T15:47:07Z" - created_at: "2023-04-12T15:47:07Z"
enc: |- enc: |-

View file

@ -5,6 +5,9 @@ nextcloud:
adminpass: ENC[AES256_GCM,data:lfx7t/ewN23/O0qvSVHrX70W4NygAA0zTA==,iv:Px32DXH8BKQphldeW3CdJjRCXnmMgRx6g0YWZ6ON/pY=,tag:3Effg1hKNNlp+intUEmzxQ==,type:str] adminpass: ENC[AES256_GCM,data:lfx7t/ewN23/O0qvSVHrX70W4NygAA0zTA==,iv:Px32DXH8BKQphldeW3CdJjRCXnmMgRx6g0YWZ6ON/pY=,tag:3Effg1hKNNlp+intUEmzxQ==,type:str]
vaultwarden: vaultwarden:
env: ENC[AES256_GCM,data:LZ/geI1sqA6BgFqSYNpDlNm9tn0GVKyHcbsJJoWDs89MUjEgrk7QBK1VighKQkmW+4xJqqruLfDkrNMmsSQdyWXNISawuw==,iv:ukh3ggqJ1R8DqQQDad86QoKbpHBG5mTBx7oKWbgnrZg=,tag:PlYKW5jtYVCrjAWideG1Dg==,type:str] env: ENC[AES256_GCM,data:LZ/geI1sqA6BgFqSYNpDlNm9tn0GVKyHcbsJJoWDs89MUjEgrk7QBK1VighKQkmW+4xJqqruLfDkrNMmsSQdyWXNISawuw==,iv:ukh3ggqJ1R8DqQQDad86QoKbpHBG5mTBx7oKWbgnrZg=,tag:PlYKW5jtYVCrjAWideG1Dg==,type:str]
borg:
passphrase: ENC[AES256_GCM,data:TGs4J64BmfpHi3PljOlfugoCzC21zg==,iv:Z3TyijL/0Ku7Ttx3+wLloUOS8ihA677nY/QTVC4eZwQ=,tag:yZrFkEKd9XtiT+BEX1Q6Yw==,type:str]
key: ENC[AES256_GCM,data:Lcm8DLgp00HZj8krqXkwaPhq/S0ppQOJADYa6ULESqjYGsu8gPU7rlQ22GSDTLZ7F2HW6eU5V/9lobaBesMSJ2U+1GgcKkDmsmlz89H3sctFzrCB6dPMABiOZX1V/dplFX2jp7AXagwYDqEYT1vZi8IEMcNxaGSTFyb0W5zwj3+8wL6eTQYHyYRIrGj19/XuYOh42v+t6jBBrcdzsnBb6F8BYeBKaqYA5iBQJZGxH0mrSCCelBXz5CcsH5GIh6GAbkYLC4Zg7HQuZl6w0IvjgqKMsXfWROMtLCYih86gLioZdDn5qdwMOPqmGWR4nxH9ABjfunR9fSjdtt/aeg9Iz3/sAGbjUfMoUCYqmUVox0FnuT0H/3OjChI/EFFGtOM5ZLSz1CSJ/VyyRmrvtDcTu2aXCvbRYuhXIWRLtOmVPUsNqNXyZnPx49/no3ilgttKJTQkv5A6NTwgmXSh5UMaz7Y6VFnXZlapfocJwihw5NwHHBm7VaxI6871eUwQefljMeaQK+iW3BMeP+eIA/SRX2U67xywsLzHy6esC4UIySXVHVMuNTkoImsJ8zxJYmkIue1vF5S+21M5ajFfCBXI6+Kof6iQxz8kiqDx4rchzy2cV9462BLKFCH//To3aQVrovtCx9dZNk55TYXmpqn0gV9IG6vpl8bt2zKzqfnyg5CSGoUnzvUZ8LongfVeyk6vu617Ye8jQCUU5vmhrfCWeH3nfCwXCRHwMHp+7Ie8ykjJUPUrUxZw1YuMo79X4WDPU2ctNz18Gq+Dni94FOL4eKXxlKcTpVUI1N5DFhb3eV6LoKyJ6GJB6Lf/Y1WbWwHS3QoVn3GIPBKdcy+zCBTqXrO1I+6E/cIEJ0OeMU50AuehLW7iuqlfjDn/MRRtLYcitE7jdwjLkifz1hteSvp/O3EdvlxyNmpAfVp6knidwCZDxVX3qMmIVTewi1Tq4C8XHbR9GTGv1FmPPwvfuRCL9M63T+lv5GB26WYfjQqrH8qPfH7DkUTgoX8pPfVTg5Fe4iBmTpDf3GrCNgVihyYC3loMAWRUvNEv7Jgyk1+P4fDE3MIFlv8uOUU6Ckiy,iv:ce7LXzs+YowBByyz4mQeBZHElLdRs4ifteheNYuYvRU=,tag:9g6J6gdQ0cmpAF9E/SPPeA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -20,8 +23,8 @@ sops:
V3l5WVZhL1dVMUxoV1NYdFhVaElYUU0KtYzj7r6+/j2Sqo7AiVdPPKBqsFBiefpj V3l5WVZhL1dVMUxoV1NYdFhVaElYUU0KtYzj7r6+/j2Sqo7AiVdPPKBqsFBiefpj
4nOJD81tJYMqh7deydKFB1kEYOX4HJ9HfQURzcdbhgWbUv6xys2eyg== 4nOJD81tJYMqh7deydKFB1kEYOX4HJ9HfQURzcdbhgWbUv6xys2eyg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-06-12T18:08:48Z" lastmodified: "2023-07-30T12:14:46Z"
mac: ENC[AES256_GCM,data:YOYNDKkKr8OF3/NIplPpLQe0MnmqZU+yAFWqpMdIDE10oa4AOcC0XCQxsbLCguT3RH4pxJykYtbuRwfmXQzmKDOrZj4cEcr3MpCYHyJR/3GJvTaeHHsfgom+5q3casBhG/wVHMaVbHrK+IoogekP0+sIONY31KZbhj3ot585yo0=,iv:OODBeUeP1VYxw6Gps0QQr6Waxx41Zcrz7OpjaXiqQWM=,tag:Y5CiUpvVq4nXcQ7kQfl6lw==,type:str] mac: ENC[AES256_GCM,data:iD3xYcLD88+2wyNB4mE786FZUEgf10V/gnKCt8PNrpJp2W6f4URzCRUqOZU7G+m88sW/PN7sMEdNOvwJBZCirP4gmzTGuZ5oGjPVKNEiBe6hVSsqGY5D0528GIxqB/wxUhsByYybetGmrKeB8P1WXr/4iyIKwDUygJ8IkeokIC8=,iv:qMl+Jum8LbtdGi5uA9C+IMX2kv4bVCPoj1F0a++4ZHA=,tag:6A+OIA6jiFxEOePOw+M6RQ==,type:str]
pgp: pgp:
- created_at: "2023-06-12T13:53:20Z" - created_at: "2023-06-12T13:53:20Z"
enc: |- enc: |-

View file

@ -4,6 +4,10 @@ email:
google: ENC[AES256_GCM,data:044yUHWp8PvtTytFwfCAhg==,iv:nRWzcxXCogombevZQxYsMuLL4us1kv6WKfChRphLR48=,tag:fnHxnweczc5bElK8kGa6rw==,type:str] google: ENC[AES256_GCM,data:044yUHWp8PvtTytFwfCAhg==,iv:nRWzcxXCogombevZQxYsMuLL4us1kv6WKfChRphLR48=,tag:fnHxnweczc5bElK8kGa6rw==,type:str]
ifsr: ENC[AES256_GCM,data:debmpTL+VYNE3InslDyV0FW1sKjBFA==,iv:ZKwyOMsfQivesFoEJeDCNnPzOgwlP0xmJ0GNsA57njM=,tag:CJZhWTb2MfsR+rv2VY6Xmw==,type:str] ifsr: ENC[AES256_GCM,data:debmpTL+VYNE3InslDyV0FW1sKjBFA==,iv:ZKwyOMsfQivesFoEJeDCNnPzOgwlP0xmJ0GNsA57njM=,tag:CJZhWTb2MfsR+rv2VY6Xmw==,type:str]
spotify: ENC[AES256_GCM,data:J9j4aIyXIRZcjcjYH1+J,iv:fEiMS+BiXiq8O/fHV1nBPhQ+mv83Qx2SzntkSGd5aVg=,tag:1BZtXH9szEOJBs83LXhrOw==,type:str] spotify: ENC[AES256_GCM,data:J9j4aIyXIRZcjcjYH1+J,iv:fEiMS+BiXiq8O/fHV1nBPhQ+mv83Qx2SzntkSGd5aVg=,tag:1BZtXH9szEOJBs83LXhrOw==,type:str]
ssh:
git:
private: ENC[AES256_GCM,data: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,iv:XeIfJ0heXz48jEP8DXct0E9MZLOTE3MJsj5F2zFrN1g=,tag:EnS6eYFymaQvGIQps5l5aA==,type:str]
public_unencrypted: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqjaaB4RSwGGZXHb8UqTLz0GkOWlKctHoxmhpkwsFMI rouven@thinkpad
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -19,8 +23,8 @@ sops:
N08rUm1KNCtOaHlYVnFZUFViZnNHeUkKvQTAtOKQqCJP54eV6bxxCWX5CKACPJQP N08rUm1KNCtOaHlYVnFZUFViZnNHeUkKvQTAtOKQqCJP54eV6bxxCWX5CKACPJQP
MBkKw0jbgjBI4SuDdPQVaXE0gEllJPjENUjqXGVatYbhBStbIraZQQ== MBkKw0jbgjBI4SuDdPQVaXE0gEllJPjENUjqXGVatYbhBStbIraZQQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-02-26T21:31:46Z" lastmodified: "2023-07-29T09:14:57Z"
mac: ENC[AES256_GCM,data:C7zsGBibZB7DB9czb3w7P4NYZNTXqXnpVlj3kJ/l1lRBHBYlzKG7ZZCPB+4/lqqveP68J6gGwZIFPJOjlubJsiNl6Tqfiz0rNl6lQ942/dnt7g4yALeoOUHT09FPJPSzdORWP9ocRNQcpRis1DVADjsk0vqN7jfaoaqWRGQPUk4=,iv:cynOU+rArLUV4esBy0RDKHT5icdDjqDQ2gUfQQi1Sh0=,tag:GzJk7cQ3vmNjf2gJkXtMGQ==,type:str] mac: ENC[AES256_GCM,data:yyNh1dMMhx+wJFZlbIEqPGlyzV7Y5hOdqio6xrf23y5h7AbOwCPHcNvOQE+liM8Hee3L8pVMULISN1PdisAmGfDq0a7gqdSHVCifQwbzi+/CY/X9mN8/ics3sGxQQpZS6ty9Tn5KPkBwLpQIHZlcUmf89hveya1gPYvIz5gXQvI=,iv:xWWpBSihcx5l0mEcZu6UVP2kJkpiLdzUYZhGjVRzaSk=,tag:vRuBoISmmKhSvozLFL2/Pw==,type:str]
pgp: pgp:
- created_at: "2023-02-25T23:44:24Z" - created_at: "2023-02-25T23:44:24Z"
enc: |- enc: |-

View file

@ -5,6 +5,9 @@ wireguard:
dorm: dorm:
private: ENC[AES256_GCM,data:l2SEIEoljGLrEDWEVdfJiVdLafyAmlR4wKzKtz/xsLL6kEGveK/dgsDvjiU=,iv:5YktJB0g/2Agd+0+synPjZUsxxa5JPorFn975Vr/PF4=,tag:c6CmppUVMcjrip4YraBurQ==,type:str] private: ENC[AES256_GCM,data:l2SEIEoljGLrEDWEVdfJiVdLafyAmlR4wKzKtz/xsLL6kEGveK/dgsDvjiU=,iv:5YktJB0g/2Agd+0+synPjZUsxxa5JPorFn975Vr/PF4=,tag:c6CmppUVMcjrip4YraBurQ==,type:str]
preshared: ENC[AES256_GCM,data:sb6vHcYO6c+m2jegangICr3v2toTFdSwt/rgCKD7q4UB/qR8U5CaAEjQdXY=,iv:QwQbNxx4+xTL14ID10bS7HWxKWzkoMSV6wHu8qytbEU=,tag:ozsK2gqayY56uOTGZtCNqQ==,type:str] preshared: ENC[AES256_GCM,data:sb6vHcYO6c+m2jegangICr3v2toTFdSwt/rgCKD7q4UB/qR8U5CaAEjQdXY=,iv:QwQbNxx4+xTL14ID10bS7HWxKWzkoMSV6wHu8qytbEU=,tag:ozsK2gqayY56uOTGZtCNqQ==,type:str]
borg:
passphrase: ENC[AES256_GCM,data:jhn7XwzEai+MISQpMnUDre6nJg6Gtx7B,iv:B7CDuHICxcnQJCY5fECTyAeSqh2YEmVqiCrzklmCF8w=,tag:DdtVluSE9ot2BiYtq0eUNg==,type:str]
key: ENC[AES256_GCM,data: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,iv:vRfpAtZoOAfTFLHdLYSUzftX1OaEr5cdm6L4FOKuFUE=,tag:TRpS0iMdU8wIFIBSkLtyJA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -20,8 +23,8 @@ sops:
d1J5UHJDYjlZWEV1aEVDSmxhWDB0anMKMNzyd465AdMyX0o9NxF+hcLyROcd8xoJ d1J5UHJDYjlZWEV1aEVDSmxhWDB0anMKMNzyd465AdMyX0o9NxF+hcLyROcd8xoJ
39K5xIDzcqpu6HfoZk1kZ/TT1DS2Xiw0rDuJHWdfpnS8zNe6DL3a7Q== 39K5xIDzcqpu6HfoZk1kZ/TT1DS2Xiw0rDuJHWdfpnS8zNe6DL3a7Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-14T08:11:45Z" lastmodified: "2023-07-30T13:44:51Z"
mac: ENC[AES256_GCM,data:htH8ETxKS88poYBoI4GxaCveK69XW0+Uq41ESmuRl2KKVAxGwkmgycWqZbbowcY0YHnUn8yh2hb+9zE1MHgdAnDq5VWvzzjo8s2xfRq+9rpOsFBVKwhi94vzfsCHAOs+eez0Dlz0xVjs2lnsVNUl7HIk0K1qqT8v6yEhIi5NnjU=,iv:zQp4yLwRyi3razD9TMO3MYDEM7eE+dvej2PovuUSx5M=,tag:Cy6z0LPQ03itFjdOE7b3Rw==,type:str] mac: ENC[AES256_GCM,data:kddokPxPpClyToDm6a3Iu0UfTFxqN2oRsGYLBgzW3iuScz0NpOJXYfHyOXmzTLyj7LSFr4xuE86/KsaWeGxse8CCqnbnbsj2Ok7nEjWqT26L7fUDklBkTb3EZQqgz1v+rl35mlto+GfsA5kskwwUOiQGuwxqWPZTznf3WqWq6pI=,iv:8qaKsXRh9O57zeWVJQqW4m4U6OgRjMaEQKclnt8jrIQ=,tag:rrC1JqCZH8br3hYlxBCRYA==,type:str]
pgp: pgp:
- created_at: "2023-02-16T20:53:51Z" - created_at: "2023-02-16T20:53:51Z"
enc: |- enc: |-

View file

@ -1,7 +1,9 @@
{ lib, pkgs, ... }: { config, ... }:
{ {
system.activationScripts.report-nixos-changes = '' system.activationScripts.report-nixos-changes = ''
PATH=$PATH:${lib.makeBinPath [ pkgs.nvd pkgs.nix ]} if [ -e /run/current-system ] && [ -e $systemConfig ]; then
nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2) || true echo System package diff:
${config.nix.package}/bin/nix store diff-closures /run/current-system $systemConfig || true
fi
''; '';
} }
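Review bot: `$systemConfig` is unquoted both in the `[ -e $systemConfig ]` test and in the `diff-closures` call; `[ -e "$systemConfig" ]` and `"$systemConfig"` are the safer spelling inside an activation script that runs as root. The trailing `|| true` also hides every failure of `nix store diff-closures`, including the case where the `nix-command` feature is not enabled, so the report can disappear without any hint. Printing a short message in that branch, e.g. `|| echo "diff-closures failed" >&2`, keeps activation non-fatal while leaving a trace.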

View file

@ -24,10 +24,11 @@
la = "ls -a"; la = "ls -a";
less = "bat"; less = "bat";
update = "cd /etc/nixos && nix flake update"; update = "cd /etc/nixos && nix flake update";
garbage = "sudo nix-collect-garbage -d"; garbage = "${lib.getExe pkgs.home-manager} expire-generations \"-0 days\" && sudo nix-collect-garbage -d";
}; };
histSize = 100000; histSize = 100000;
histFile = "~/.local/share/zsh/history"; histFile = "~/.local/share/zsh/history";
syntaxHighlighting.enable = true;
autosuggestions = { autosuggestions = {
enable = true; enable = true;
highlightStyle = "fg=#00bbbb,bold"; highlightStyle = "fg=#00bbbb,bold";
@ -41,6 +42,12 @@
shellInit = shellInit =
'' ''
export MCFLY_KEY_SCHEME=vim
export MCFLY_FUZZY=2
export MCFLY_DISABLE_MENU=TRUE
export MCFLY_RESULTS=30
export MCFLY_INTERFACE_VIEW=BOTTOM
export MCFLY_PROMPT=""
source ${pkgs.zsh-fzf-tab}/share/fzf-tab/fzf-tab.plugin.zsh source ${pkgs.zsh-fzf-tab}/share/fzf-tab/fzf-tab.plugin.zsh
function svpn() { function svpn() {
unit=$(systemctl list-unit-files | grep "openconnect\|wg-quick\|wireguard\|openvpn" | cut -d "." -f1 | fzf --preview 'systemctl status {}') unit=$(systemctl list-unit-files | grep "openconnect\|wg-quick\|wireguard\|openvpn" | cut -d "." -f1 | fzf --preview 'systemctl status {}')
@ -73,6 +80,7 @@
then then
cat ${../images/cat.sixel} cat ${../images/cat.sixel}
fi fi
eval "$(${lib.getExe pkgs.mcfly} init zsh)"
''; '';
}; };
} }

View file

@ -6,7 +6,6 @@
wpa_supplicant_gui wpa_supplicant_gui
pcmanfm pcmanfm
xdg-utils # used for xdg-open xdg-utils # used for xdg-open
snapper-gui
# graphics # graphics
evince # pdf viewer evince # pdf viewer

View file

@ -1,10 +1,14 @@
{ ... }: { ... }:
let let
git = "~/.ssh/git"; git = "/run/user/1000/secrets/ssh/git/private";
in in
{ {
sops.secrets = {
"ssh/git/private" = { };
};
programs.ssh = rec { programs.ssh = rec {
enable = true; enable = true;
compression = true;
matchBlocks = { matchBlocks = {
"artemis-git.inf.tu-dresden.de" = { "artemis-git.inf.tu-dresden.de" = {
identityFile = git; identityFile = git;
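Review bot: The new identity path `"/run/user/1000/secrets/ssh/git/private"` hard-codes UID 1000, so the key is silently not found for any user or machine where the UID differs, and ssh then falls back to whatever other identities are available. OpenSSH expands `%i` to the local user ID in `IdentityFile`, so `git = "/run/user/%i/secrets/ssh/git/private";` keeps the same location without the fixed number. A comment next to the binding saying that the path is the sops-managed runtime location of `"ssh/git/private"` would make the link between the two lines obvious. The `matchBlocks` set continues outside this hunk.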