dns: remove kubernetes

rework thinkpad backup
nuc: rework torrent vpn and add exporter
2025-04-03 21:36:20 +02:00 · 2025-01-22 15:06:10 +01:00 · 2025-01-22 13:36:08 +01:00 · 2025-01-22 13:35:53 +01:00
15 changed files with 101 additions and 34 deletions
--- a/flake.lock
+++ b/flake.lock
@ -12,11 +12,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1723293904,
-        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "lastModified": 1736955230,
+        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
        "type": "github"
      },
      "original": {
@ -301,11 +301,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1736508663,
-        "narHash": "sha256-ZOaGwa+WnB7Zn3YXimqjmIugAnHePdXCmNu+AHkq808=",
+        "lastModified": 1737461688,
+        "narHash": "sha256-zQCFe5FcSSGzY3qauAAHZcPt7Ej4WSGo78ShSTCSBvU=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "2532b500c3ed2b8940e831039dcec5a5ea093afc",
+        "rev": "bb14224f51ae4caed12a7b26f245d042c8cf8553",
        "type": "github"
      },
      "original": {
@ -450,11 +450,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1736652904,
-        "narHash": "sha256-8uolHABgroXqzs03QdulHp8H9e5kWQZnnhcda1MKbBM=",
+        "lastModified": 1737257306,
+        "narHash": "sha256-lEGgpA4kGafc76+Amnz+gh1L/cwUS2pePFlf22WEyh8=",
        "owner": "nix-community",
        "repo": "nix-index-database",
-        "rev": "271e5bd7c57e1f001693799518b10a02d1123b12",
+        "rev": "744d330659e207a1883d2da0141d35e520eb87bd",
        "type": "github"
      },
      "original": {
@ -524,11 +524,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1736701207,
-        "narHash": "sha256-jG/+MvjVY7SlTakzZ2fJ5dC3V1PrKKrUEOEE30jrOKA=",
+        "lastModified": 1737062831,
+        "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ed4a395ea001367c1f13d34b1e01aa10290f67d6",
+        "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c",
        "type": "github"
      },
      "original": {
--- a/hosts/falkenstein/modules/dns/default.nix
+++ b/hosts/falkenstein/modules/dns/default.nix
@ -47,19 +47,10 @@ let
            A = [ "23.88.121.184" ];
            AAAA = [ "2a01:4f8:c012:49de::1" ];
          };
-          k8s-master-1 = {
-            A = [ "88.198.147.123" ];
-            AAAA = [ "2a01:4f8:c012:ae0a::1" ];
-          };
          ns = falkenstein;
          mail = falkenstein;
          _dmarc.TXT = [ "v=DMARC1; p=none; adkim=s; fo=1; rua=mailto:dmarc@rfive.de; ruf=mailto:dmarc@rfive.de" ];
          _domainkey.subdomains.rspamd.TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoirUMubro4nlmY6a8JMwK9QB2agAXiJzexDU/7ba6KCggONfoSTfUHlrM/XeM1GG/9oKpngApxDPP97adJuxc8/EELyo4HjTyYD8GBFZhg0AN7V8IPaJ1o5k6dGDk8ZLh41ZCnlAVWkhVSKs5pYtzkrlJIfUSzyuoe8nuFsVe3QIDAQAB" ];
-          k8s.subdomains."*" = {
-            A = [ "88.198.147.123" ];
-            AAAA = [ "2a01:4f8:c012:ae0a::1" ];
-          };
-
        }
        (builtins.removeAttrs (genCNAMEs "nuc") [ ":2018" ])
        (builtins.removeAttrs (genCNAMEs "falkenstein") [ "mail" ":2018" ])
--- a/hosts/fujitsu/default.nix
+++ b/hosts/fujitsu/default.nix
@ -41,6 +41,8 @@
    btdu
    tcpdump
    mtr
+    dnsutils
+    mediainfo
  ];
  programs.git = {
    enable = true;
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@ -65,6 +65,7 @@
    btdu
    tcpdump
    mtr
+    dnsutils
  ];
  programs.git = {
    enable = true;
--- a/hosts/nuc/modules/logseq/default.nix
+++ b/hosts/nuc/modules/logseq/default.nix
@ -4,7 +4,7 @@ let
 in
 {
  virtualisation.oci-containers = {
-    containers.kanboard = {
+    containers.logseq = {
      image = "ghcr.io/logseq/logseq-webapp:latest";
      ports = [ "127.0.0.1:8045:80" ];
    };
--- a/hosts/nuc/modules/monitoring/default.nix
+++ b/hosts/nuc/modules/monitoring/default.nix
@ -141,6 +141,12 @@ in
          targets = [ "nuc.vpn.rfive.de:9300" ];
        }];
      }
+      {
+        job_name = "qbittorrent";
+        static_configs = [{
+          targets = [ "nuc.vpn.rfive.de:8009" ];
+        }];
+      }
      # {
      #   job_name = "pegel_dresden";
      #   metrics_path = "/probe";
--- a/hosts/nuc/modules/torrent/default.nix
+++ b/hosts/nuc/modules/torrent/default.nix
@ -8,9 +8,14 @@ let
  };
 in
 {
+  imports = [
+    ./exporter.nix
+  ];
  age.secrets.mullvad.file = ../../../../secrets/nuc/mullvad.age;
+  age.secrets.airvpn-private.file = ../../../../secrets/nuc/airvpn/private.age;
+  age.secrets.airvpn-psk.file = ../../../../secrets/nuc/airvpn/psk.age;
  environment.etc."netns/torrent/resolv.conf".text = ''
-    nameserver 10.64.0.1
+    nameserver 9.9.9.9
  '';

  systemd.services."netns@" = {
@ -43,20 +48,36 @@ in

  # scripted wireguard since systemd-networkd doesn't support netns yet
  networking.wireguard.useNetworkd = false;
-  networking.wireguard.interfaces."wg0-mullvad" = {
-    # Funny Mole
-    privateKeyFile = config.age.secrets.mullvad.path;
-    ips = [ "10.67.237.93/32" ];
+  # networking.wireguard.interfaces."wg0-mullvad" = {
+  #   # Funny Mole
+  #   privateKeyFile = config.age.secrets.mullvad.path;
+  #   ips = [ "10.67.237.93/32" ];
+  #   peers = [
+  #     {
+  #       publicKey = "QEVIaIycN8p5twXCuZeQTEj9utozakw/MU8H6+/whls=";
+  #       allowedIPs = [ "0.0.0.0/0" ];
+  #       endpoint = "138.199.34.129:51820";
+  #     }
+  #   ];
+  #   interfaceNamespace = "torrent";
+  # };
+  # systemd.services."wireguard-wg0-mullvad" = {
+  #   requires = [ "netns@torrent.service" ];
+  # };
+  networking.wireguard.interfaces."wg1-airvpn" = {
+    privateKeyFile = config.age.secrets.airvpn-private.path;
+    ips = [ " 10.146.65.170/32" "fd7d:76ee:e68f:a993:366:82ed:bc88:b04a/128" ];
    peers = [
      {
-        publicKey = "QEVIaIycN8p5twXCuZeQTEj9utozakw/MU8H6+/whls=";
-        allowedIPs = [ "0.0.0.0/0" ];
-        endpoint = "138.199.34.129:51820";
+        publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
+        presharedKeyFile = config.age.secrets.airvpn-psk.path;
+        allowedIPs = [ "0.0.0.0/0" "::/0" ];
+        endpoint = "europe3.vpn.airdns.org:1637";
      }
    ];
    interfaceNamespace = "torrent";
  };
-  systemd.services."wireguard-wg0-mullvad" = {
+  systemd.services."wireguard-wg1-airvpn" = {
    requires = [ "netns@torrent.service" ];
  };

--- a/hosts/nuc/modules/torrent/exporter.nix
+++ b/hosts/nuc/modules/torrent/exporter.nix
@ -0,0 +1,13 @@
+{ ... }:
+{
+  virtualisation.oci-containers = {
+    containers.qbittorrent-exporter = {
+      image = "caseyscarborough/qbittorrent-exporter";
+      ports = [ "0.0.0.0:8009:17871" ];
+      environment = {
+        QBITTORRENT_PORT = "8081";
+        QBITTORRENT_HOST = "nuc.vpn.rfive.de";
+      };
+    };
+  };
+}
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@ -113,6 +113,7 @@
    devmon.enable = true; # automount stuff
    upower.enable = true;
    fwupd.enable = true; # firmware updates
+    avahi.enable = true;
    btrfs.autoScrub.enable = true;
    mullvad-vpn = {
      enable = true;
--- a/hosts/thinkpad/modules/backup/default.nix
+++ b/hosts/thinkpad/modules/backup/default.nix
@ -32,9 +32,10 @@
        "/home/*/.wine*"
        "/home/*/.mypy_cache*"
        "/home/*/.local/share"
-        # contains very big files that don't need to clutter up the backup
-        # if I ever happen to have important data in virtual machines, this can be reconsidered
+        "/home/rouven/Games"
        "/var/lib/libvirt"
+        "/var/lib/machines"
+        "/var/lib/docker"
      ];
      encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."borg/passphrase".path}";
      compression = "lz4";
--- a/hosts/thinkpad/modules/sound/default.nix
+++ b/hosts/thinkpad/modules/sound/default.nix
@ -2,9 +2,24 @@
 {
  services.pipewire = {
    enable = true;
+    raopOpenFirewall = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
+    extraConfig.pipewire = {
+      "10-airplay" = {
+        "context.modules" = [
+          {
+            name = "libpipewire-module-raop-discover";
+
+            # increase the buffer size if you get dropouts/glitches
+            # args = {
+            #   "raop.latency.ms" = 500;
+            # };
+          }
+        ];
+      };
+    };
  };
  environment.systemPackages = with pkgs; [
    helvum
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -34,7 +34,7 @@ in
  jmri = callPackage ../pkgs/jmri { };
  adguardian-term = callPackage ../pkgs/adguardian-term { };
  python312 = prev.python312.override {
-    packageOverrides = final: prev: {
+    packageOverrides = _final: prev: {
      pysaml2 = prev.pysaml2.overridePythonAttrs (orig: {
        disabledTests =
          orig.disabledTests
--- a/secrets.nix
+++ b/secrets.nix
@ -21,6 +21,8 @@ in
  "secrets/nuc/mautrix-telegram/env.age".publicKeys = [ rouven nuc ];
  "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
  "secrets/nuc/mullvad.age".publicKeys = [ rouven nuc ];
+  "secrets/nuc/airvpn/private.age".publicKeys = [ rouven nuc ];
+  "secrets/nuc/airvpn/psk.age".publicKeys = [ rouven nuc ];
  "secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ];
  "secrets/nuc/authentik/core.age".publicKeys = [ rouven nuc ];
  "secrets/nuc/authentik/ldap.age".publicKeys = [ rouven nuc ];
--- a/secrets/nuc/airvpn/private.age
+++ b/secrets/nuc/airvpn/private.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 uWbAHQ eRn24OdOUxmaXy98cE749nX5YSNFEd/UWZNKgn2XdTM
+rQajaxGqfAO/C0jUuamcQQddKvqM0+TA8eW4yyp7JkE
+-> ssh-ed25519 2TRdXg zRn6vmnqyB4YPSlRH8Oe65VkQoMfWA9zdEYObQEFviE
+sNrVqHwegkwMEBodil9mNAtLweftKU6CWgG9oUnCf64
+--- W++fFNnOMSC6/PWBTBVpi5che6eyqZVLXkdPlpAXAKI
+á‰Èa€^õÝÈ ¨:…;(X†%†¯<E280A0>©DÏÃD©Þõv`<60>)PÇŒ“'ÙàeÜ««r/3ªè.NU×/¯%œ¤gRè£¡/8
--- a/secrets/nuc/airvpn/psk.age
+++ b/secrets/nuc/airvpn/psk.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 uWbAHQ K/v5vDqaxdVlk6EORXlGPMepr2XcqsN9CKw4Z+6KJAI
+a1GVmh+wxVbBhywgI4mkWFPJZnEAHBM31hQFa4NIays
+-> ssh-ed25519 2TRdXg Fl1LKF42rS6mW4qcuV7yRwz2I3O3ueT0ieMaz79SRnA
+sCevZCW6bYxbsOJgS9jn5uOeCyI39swYX/oWbNXk05w
+--- uOZ3aavCOsb0rjofhb2gbNbiLAA3cWWoSX6lqqOJpjk
+SÛòA—çwB<77>Yƒ‰Äå¨*_*~#œ²V1ù¡ „ŠmûV+Q¾?/Ï}õ¼–ö÷’¨GÝîJ”i#`ŠïD´;ÓLe7
Author	SHA1	Message	Date
Rouven Seifert	c3183b9e81	dns: remove kubernetes	2025-01-22 15:06:10 +01:00
Rouven Seifert	46e0511168	rework thinkpad backup	2025-01-22 13:36:08 +01:00
Rouven Seifert	aad5133e9e	nuc: rework torrent vpn and add exporter	2025-01-22 13:35:53 +01:00