diff --git a/flake.lock b/flake.lock
index 0960aa1..d5b20ea 100644
--- a/flake.lock
+++ b/flake.lock
@@ -12,11 +12,11 @@
"systems": "systems"
},
"locked": {
- "lastModified": 1716561646,
- "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
+ "lastModified": 1718371084,
+ "narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=",
"owner": "ryantm",
"repo": "agenix",
- "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
+ "rev": "3a56735779db467538fb2e577eda28a9daacaca6",
"type": "github"
},
"original": {
@@ -38,11 +38,11 @@
"poetry2nix": "poetry2nix"
},
"locked": {
- "lastModified": 1715166702,
- "narHash": "sha256-PJxwZoT1JWxMaKRdTLMHN55mdYlhZn2L5VpvyevKkug=",
+ "lastModified": 1718106692,
+ "narHash": "sha256-IGMrKVU2fXgn30LQduJIg89HefHLlPMgJ3mnnKpnNfU=",
"owner": "nix-community",
"repo": "authentik-nix",
- "rev": "84c3ce6fe7c174ed1a53cbc5e36cf6a70f4dcc1b",
+ "rev": "11f5e0fd17dd44d9946a23271d201b257df9f0f4",
"type": "github"
},
"original": {
@@ -300,11 +300,11 @@
]
},
"locked": {
- "lastModified": 1717931644,
- "narHash": "sha256-Sz8Wh9cAiD5FhL8UWvZxBfnvxETSCVZlqWSYWaCPyu0=",
+ "lastModified": 1718788307,
+ "narHash": "sha256-SqiOz0sljM0GjyQEVinPXQxaGcbOXw5OgpCWGPgh/vo=",
"owner": "nix-community",
"repo": "home-manager",
- "rev": "3d65009effd77cb0d6e7520b68b039836a7606cf",
+ "rev": "d7830d05421d0ced83a0f007900898bdcaf2a2ca",
"type": "github"
},
"original": {
@@ -448,11 +448,11 @@
]
},
"locked": {
- "lastModified": 1717995391,
- "narHash": "sha256-lcJ7McLYCOZGmoUqWubg739iFIqVtPD+qDNQx6GPWCY=",
+ "lastModified": 1718507237,
+ "narHash": "sha256-xBEWCxWeRpWQggFFp8ugJCDa63cOJsVvx71R9F0Eowg=",
"owner": "nix-community",
"repo": "nix-index-database",
- "rev": "ab78ec24f803bab7a18370220ae3db92d6d33c94",
+ "rev": "6af2c5e58c20311276f59d247341cafeebfcb6f4",
"type": "github"
},
"original": {
@@ -463,11 +463,11 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1717786204,
- "narHash": "sha256-4q0s6m0GUcN7q+Y2DqD27iLvbcd1G50T2lv08kKxkSI=",
+ "lastModified": 1718895438,
+ "narHash": "sha256-k3JqJrkdoYwE3fHE6xGDY676AYmyh4U2Zw+0Bwe5DLU=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "051f920625ab5aabe37c920346e3e69d7d34400e",
+ "rev": "d603719ec6e294f034936c0d0dc06f689d91b6c3",
"type": "github"
},
"original": {
diff --git a/hosts/falkenstein/modules/mail/rspamd.nix b/hosts/falkenstein/modules/mail/rspamd.nix
index 15dbdde..87223e5 100644
--- a/hosts/falkenstein/modules/mail/rspamd.nix
+++ b/hosts/falkenstein/modules/mail/rspamd.nix
@@ -31,6 +31,74 @@
allow_username_mismatch = true;
path = /var/lib/rspamd/dkim/$domain.key;
'';
+ "reputation.conf".text = ''
+ rules {
+ ip_reputation = {
+ selector "ip" {
+ }
+ backend "redis" {
+ servers = "/run/redis-rspamd/redis.sock";
+ }
+
+ symbol = "IP_REPUTATION";
+ }
+ spf_reputation = {
+ selector "spf" {
+ }
+ backend "redis" {
+ servers = "/run/redis-rspamd/redis.sock";
+ }
+
+ symbol = "SPF_REPUTATION";
+ }
+ dkim_reputation = {
+ selector "dkim" {
+ }
+ backend "redis" {
+ servers = "/run/redis-rspamd/redis.sock";
+ }
+
+ symbol = "DKIM_REPUTATION"; # Also adjusts scores for DKIM_ALLOW, DKIM_REJECT
+ }
+ generic_reputation = {
+ selector "generic" {
+ selector = "ip"; # see https://rspamd.com/doc/configuration/selectors.html
+ }
+ backend "redis" {
+ servers = "/run/redis-rspamd/redis.sock";
+ }
+
+ symbol = "GENERIC_REPUTATION";
+ }
+ }
+ '';
+ "groups.conf".text = ''
+ group "reputation" {
+ symbols = {
+ "IP_REPUTATION_HAM" {
+ weight = 1.0;
+ }
+ "IP_REPUTATION_SPAM" {
+ weight = 4.0;
+ }
+
+ "DKIM_REPUTATION" {
+ weight = 1.0;
+ }
+
+ "SPF_REPUTATION_HAM" {
+ weight = 1.0;
+ }
+ "SPF_REPUTATION_SPAM" {
+ weight = 2.0;
+ }
+
+ "GENERIC_REPUTATION" {
+ weight = 1.0;
+ }
+ }
+ }
+ '';
};
};
redis = {
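Review bot: The `generic_reputation` rule (L117-L126) is keyed on `selector = "ip"`, the same token `ip_reputation` already scores, so one sender IP feeds both `IP_REPUTATION_*` and `GENERIC_REPUTATION` and is weighted twice in `groups.conf`; depending on the redis backend's key prefix the two rules may even share Redis keys. Either point the generic selector at a different token or drop the rule. The socket path is repeated in all four backends; a `let redisSock = "/run/redis-rspamd/redis.sock"; in` binding would keep them in step with the `redis = {` block that follows. Since these land in `local.d/`, `groups.conf` merges with rspamd's shipped groups and only replaces the `reputation` group — a comment saying that would save the next reader from wondering whether the other groups are lost.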
diff --git a/hosts/fujitsu/default.nix b/hosts/fujitsu/default.nix
index bbac861..3685021 100644
--- a/hosts/fujitsu/default.nix
+++ b/hosts/fujitsu/default.nix
@@ -4,6 +4,7 @@
./hardware-configuration.nix
./modules/networks
./modules/monitoring
+ ./modules/nfs
];
boot.loader.grub.enable = true;
diff --git a/hosts/fujitsu/modules/nfs/default.nix b/hosts/fujitsu/modules/nfs/default.nix
new file mode 100644
index 0000000..890a8be
--- /dev/null
+++ b/hosts/fujitsu/modules/nfs/default.nix
@@ -0,0 +1,19 @@
+{ ... }:
+{
+ fileSystems."/export" = {
+ device = "/dev/sda2";
+ fsType = "btrfs";
+ options = [ "subvol=export" "compress=zstd" "noatime" ];
+ };
+
+ services.nfs.server = {
+ enable = true;
+ exports = ''
+ /export 192.168.42.2(rw,fsid=0,no_subtree_check)
+ /export/movies 192.168.42.2(rw,fsid=0,no_subtree_check)
+ /export/shows 192.168.42.2(rw,fsid=0,no_subtree_check)
+ '';
+ };
+ networking.firewall.allowedTCPPorts = [ 2049 ];
+
+}
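Review bot: All three exports carry `fsid=0` (L187-L189), but NFSv4 has exactly one pseudo-root per server, so the duplicates are at best ignored; the client in this same diff mounts `fujitsu.vpn.rfive.de:/movies`, which only resolves if `/export` alone is the root. Use `/export 192.168.42.2(rw,fsid=0,no_subtree_check)`, `/export/movies 192.168.42.2(rw,no_subtree_check)` and `/export/shows 192.168.42.2(rw,no_subtree_check)`. The export is `rw` with default `sec=sys`, i.e. it trusts client-supplied uid/gid from whoever holds 192.168.42.2; if the nuc only plays media, `ro` shrinks what a compromised client can do, and a comment naming which host that address is would help. Only TCP 2049 is opened, so this is effectively NFSv4-only — fine, but worth stating next to the firewall line.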
diff --git a/hosts/nuc/modules/authentik/default.nix b/hosts/nuc/modules/authentik/default.nix
index 6913f98..5ee7e45 100644
--- a/hosts/nuc/modules/authentik/default.nix
+++ b/hosts/nuc/modules/authentik/default.nix
@@ -12,7 +12,15 @@ in
services.authentik = {
enable = true;
environmentFile = config.age.secrets.authentik-core.path;
+ settings = {
+ cert_discovery_dir = "env://CREDENTIALS_DIRECTORY";
+ };
};
+ systemd.services.authentik-worker.serviceConfig.LoadCredential = [
+ "${domain}.pem:/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}/${domain}.crt"
+ "${domain}.key:/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}/${domain}.key"
+ ];
+
services.authentik-ldap = {
enable = true;
environmentFile = config.age.secrets.authentik-ldap.path;
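Review bot: `LoadCredential` (L207-L210) copies the two files into the credentials directory once, when authentik-worker starts, so after Caddy renews the Let's Encrypt certificate the worker keeps discovering the stale pair until something restarts it; ACME certificates are short-lived, so this drifts silently. A path unit on the `.crt` that restarts the worker closes the gap (sketch below). Only the worker receives the credentials, which matches authentik running certificate discovery in the worker; if that assumption is wrong the server unit needs the same lines. The paths also encode Caddy's internal storage layout (`acme-v02.api.letsencrypt.org-directory`), which changes with the ACME CA or storage backend — a comment noting that coupling would help.
```nix
  # LoadCredential snapshots the files at unit start; restart the worker when Caddy renews.
  systemd.paths.authentik-worker-cert = {
    wantedBy = [ "multi-user.target" ];
    pathConfig.PathChanged =
      "/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}/${domain}.crt";
  };
  systemd.services.authentik-worker-cert = {
    serviceConfig.Type = "oneshot";
    serviceConfig.ExecStart = "/run/current-system/sw/bin/systemctl restart authentik-worker.service";
  };
  # … unchanged: services.authentik-ldap …
```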
diff --git a/hosts/nuc/modules/matrix/default.nix b/hosts/nuc/modules/matrix/default.nix
index 07591f4..161c056 100644
--- a/hosts/nuc/modules/matrix/default.nix
+++ b/hosts/nuc/modules/matrix/default.nix
@@ -72,6 +72,9 @@ in
reverse_proxy /client/* unix//run/matrix-sliding-sync/server.sock
reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync* unix//run/matrix-sliding-sync/server.sock
reverse_proxy 127.0.0.1:8008
+ handle /_synapse/metrics* {
+ respond 404
+ }
'';
# element
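Review bot: Caddy sorts directives by its built-in order, in which `handle` runs before `reverse_proxy`, so the block at L223-L225 does short-circuit metrics requests even though it is written after the catch-all proxy on L222 — but placed there it reads like dead code. Move it above the `reverse_proxy` lines or add `# handle is ordered before reverse_proxy regardless of position`. If the Synapse listener on 8008 also serves the client resource, `/_synapse/admin*` reaches Synapse through the same catch-all; unless the admin API is meant to be internet-facing, the same `respond 404` treatment is the usual guard. The enclosing Caddy virtual-host string starts outside the hunk.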
diff --git a/hosts/nuc/modules/networks/default.nix b/hosts/nuc/modules/networks/default.nix
index 70f154e..7c260c3 100644
--- a/hosts/nuc/modules/networks/default.nix
+++ b/hosts/nuc/modules/networks/default.nix
@@ -1,5 +1,13 @@
{ ... }:
{
+ fileSystems."/media/movies" = {
+ device = "fujitsu.vpn.rfive.de:/movies";
+ fsType = "nfs";
+ };
+ fileSystems."/media/shows" = {
+ device = "fujitsu.vpn.rfive.de:/movies";
+ fsType = "nfs";
+ };
networking = {
hostName = "nuc";
domain = "rfive.de";
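Review bot: `/media/shows` (L239-L242) mounts `fujitsu.vpn.rfive.de:/movies`, the same export as `/media/movies`; it should read `device = "fujitsu.vpn.rfive.de:/shows";` to match the `/export/shows` export added in this diff. Neither mount has options, so boot waits on an NFS server that sits behind a VPN; `options = [ "nfsvers=4" "x-systemd.automount" "noauto" "nosuid" "nodev" ];` mounts lazily on first access, pins v4 (the server only opens 2049) and keeps setuid and device files from a remote filesystem inert. Note the export whitelists `192.168.42.2`, so this only works if nuc's traffic toward the VPN hostname leaves from that address. These mounts also live in the `networks` module; a `media` or `nfs` module would be the expected home.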
diff --git a/hosts/thinkpad/modules/security/default.nix b/hosts/thinkpad/modules/security/default.nix
index 416969f..f67a81f 100644
--- a/hosts/thinkpad/modules/security/default.nix
+++ b/hosts/thinkpad/modules/security/default.nix
@@ -20,6 +20,30 @@
sudo.u2fAuth = true;
};
};
+ krb5 = {
+ enable = true;
+ settings = {
+ libdefaults = {
+ default_realm = "AGDSN.DE";
+ dns_lookup_realm = false;
+ dns_lookup_kdc = true;
+ ticket_lifetime = "24h";
+ forwardable = "yes";
+ };
+ realms."AGDSN.DE" = {
+ kdc = "idm.agdsn.network:88";
+ master_kdc = "idm.agdsn.network:88";
+ admin_server = "idm.agdsn.network:749";
+ default_domain = "agdsn.de";
+ };
+ domain_realm = {
+ "agdsn.de" = "AGDSN.DE";
+ ".agdsn.de" = "AGDSN.DE";
+ "agdsn" = "AGDSN.DE";
+ ".agdsn" = "AGDSN.DE";
+ };
+ };
+ };
};
services = {
fprintd.enable = true; # log in using fingerprint
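Review bot: `master_kdc` (L266) is the legacy spelling; MIT Kerberos 1.19 and later documents `primary_kdc` and keeps the old key as an alias, so `primary_kdc = "idm.agdsn.network:88";` is the forward-compatible form if the installed krb5 is recent. `dns_lookup_kdc = true` only applies to realms without an explicit `kdc` entry — AGDSN.DE is pinned here, so a spoofed SRV record cannot redirect its AS-REQs, but any other realm reached cross-realm would be located from unauthenticated DNS; a comment recording that trade-off would help. `forwardable = "yes"` is harmless on its own because the SSH config in this diff leaves `GSSAPIDelegateCredentials` at its default, but it makes every TGT eligible for delegation the moment that option is enabled. The enclosing `security` attribute set starts outside the hunk.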
diff --git a/hosts/thinkpad/modules/virtualisation/default.nix b/hosts/thinkpad/modules/virtualisation/default.nix
index d38155e..7536dfc 100644
--- a/hosts/thinkpad/modules/virtualisation/default.nix
+++ b/hosts/thinkpad/modules/virtualisation/default.nix
@@ -1,14 +1,9 @@
{ pkgs, ... }:
{
virtualisation = {
- docker = {
- rootless = {
- enable = true;
- setSocketVariable = true;
- daemon.settings = {
- iptables = false;
- };
- };
+ podman = {
+ enable = true;
+ defaultNetwork.settings.dns_enabled = true;
};
libvirtd = {
enable = true;
@@ -27,5 +22,6 @@
programs.virt-manager.enable = true;
environment.systemPackages = with pkgs; [
virt-viewer
+ podman-compose
];
}
diff --git a/users/rouven/default.nix b/users/rouven/default.nix
index 5b89c9e..e2fffc7 100644
--- a/users/rouven/default.nix
+++ b/users/rouven/default.nix
@@ -21,7 +21,7 @@
home-manager.useGlobalPkgs = true;
home-manager.users.rouven = { ... }: {
- imports = [ ./modules ./options ];
+ imports = [ ./modules ];
config = {
home.username = "rouven";
diff --git a/users/rouven/modules/default.nix b/users/rouven/modules/default.nix
index efddb7d..1f50908 100644
--- a/users/rouven/modules/default.nix
+++ b/users/rouven/modules/default.nix
@@ -10,7 +10,7 @@
./mpv
./ssh
./theme
- ./tex
+ # ./tex
./packages.nix
];
}
diff --git a/users/rouven/modules/ssh/default.nix b/users/rouven/modules/ssh/default.nix
index 190dd8c..496cd42 100644
--- a/users/rouven/modules/ssh/default.nix
+++ b/users/rouven/modules/ssh/default.nix
@@ -1,10 +1,11 @@
-{ ... }:
+{ pkgs, ... }:
let
git = "~/.ssh/git";
in
{
programs.ssh = {
enable = true;
+ package = pkgs.openssh_gssapi;
compression = true;
controlMaster = "auto";
controlPersist = "10m";
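Review bot: `package = pkgs.openssh_gssapi` (L347) swaps the client for the build carrying the out-of-tree GSSAPI key-exchange patch set; plain `GSSAPIAuthentication yes` already works with stock OpenSSH, so the swap only pays off if `GSSAPIKeyExchange` is enabled somewhere, and otherwise it just means running a patched fork that lags upstream by a patch rebase. A comment such as `# patched build: required for GSSAPIKeyExchange, not for GSSAPIAuthentication` would make that dependency explicit. The `programs.ssh` block continues past the hunk.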
@@ -67,13 +68,15 @@ in
user = "r5";
extraOptions = {
VerifyHostKeyDNS = "yes";
+ GSSAPIAuthentication = "yes";
};
};
"*.agdsn.network" = {
user = "r5";
extraOptions = {
- ProxyJump = "dijkstra";
+ # ProxyJump = "dijkstra";
VerifyHostKeyDNS = "yes";
+ GSSAPIAuthentication = "yes";
};
};
"git@git.agdsn.de" = {
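Review bot: Enabling `GSSAPIAuthentication` (L355, L364) only changes how the user is authenticated; host authentication still rests on host keys plus `VerifyHostKeyDNS yes`, which trusts SSHFP records only as far as the resolver validates DNSSEC. With the GSSAPI-patched client selected in this file, `GSSAPIKeyExchange = "yes";` is the option that authenticates the host through the KDC the thinkpad now has configured, independent of DNS. `GSSAPIDelegateCredentials` is left at its default `no`, which is the right call for a jump-less setup. The commented-out `ProxyJump` (L362) should be removed rather than left as dead configuration, or the reason for bypassing `dijkstra` stated beside it.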
diff --git a/users/rouven/modules/wayland/shikane.nix b/users/rouven/modules/wayland/shikane.nix
index b4d1ce6..c1580ab 100644
--- a/users/rouven/modules/wayland/shikane.nix
+++ b/users/rouven/modules/wayland/shikane.nix
@@ -1,172 +1,19 @@
+{ pkgs, ... }:
{
- services.shikane = {
- enable = true;
- settings = {
- profile = [
- {
- name = "home";
- output = [
- {
- match = "eDP-1";
- enable = true;
- position = {
- x = 1920;
- y = 0;
- };
- }
- {
- match = "DP-2";
- enable = true;
- position = {
- x = 0;
- y = 0;
- };
- }
- {
- match = "HDMI-A-1";
- enable = true;
- position = {
- x = 3840;
- y = 0;
- };
- }
- ];
- }
- {
- name = "home-vertical";
- output = [
- {
- match = "eDP-1";
- enable = true;
- position = {
- x = 1080;
- y = 0;
- };
- }
- {
- match = "DP-3";
- enable = true;
- position = {
- x = 0;
- y = 0;
- };
- transform = "270";
- }
- {
- match = "HDMI-A-1";
- enable = true;
- position = {
- x = 3000;
- y = 0;
- };
- }
- ];
- }
- {
- name = "external-monitor-default";
- output = [
- {
- match = "eDP-1";
- enable = true;
- position = {
- x = 0;
- y = 0;
- };
- }
- {
- match = "HDMI-A-1";
- enable = true;
- position = {
- x = 1920;
- y = 0;
- };
- }
- ];
- }
- {
- name = "external-monitor-usb-c";
- output = [
- {
- match = "eDP-1";
- enable = true;
- position = {
- x = 0;
- y = 1440;
- };
- }
- {
- match = "/P24h/";
- enable = true;
- mode = {
- height = 1440;
- width = 2560;
- refresh = 60;
- };
- position = {
- x = 0;
- y = 0;
- };
- }
- ];
- }
- {
- name = "external-monitor-usb-c";
- output = [
- {
- match = "eDP-1";
- enable = true;
- position = {
- x = 1920;
- y = 0;
- };
- }
- {
- match = "DP-2";
- enable = true;
- position = {
- x = 0;
- y = 0;
- };
- }
- ];
- }
- # vertical mode if on dp-3
- {
- name = "external-monitor-usb-c-vertical";
- output = [
- {
- match = "eDP-1";
- enable = true;
- position = {
- x = 1080;
- y = 840;
- };
- }
- {
- match = "DP-3";
- enable = true;
- position = {
- x = 0;
- y = 0;
- };
- transform = "270";
- }
- ];
- }
- {
- name = "builtin";
- output = [
- {
- match = "eDP-1";
- enable = true;
- position = {
- x = 0;
- y = 0;
- };
- }
- ];
- }
- ];
+
+ home.packages = [
+ pkgs.shikane
+ ];
+ systemd.user.services.shikane = {
+ Unit = {
+ Description = "Dynamic output configuration tool";
+ Documentation = "man:shikane(1)";
+ After = [ "graphical-session-pre.target" ];
+ PartOf = [ "graphical-session.target" ];
};
+
+ Service = { ExecStart = "${pkgs.shikane}/bin/shikane"; };
+
+ Install = { WantedBy = [ "graphical-session.target" ]; };
};
}
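Review bot: The new unit (L547-L558) runs `shikane` with no `-c`, so it reads `$XDG_CONFIG_HOME/shikane/config.toml`, yet the profiles previously generated from `settings` are deleted in this hunk and nothing in the diff writes that file — unless it is managed elsewhere, the service starts with no profiles. If the config is meant to stay declarative, `xdg.configFile."shikane/config.toml".source = ./config.toml;` next to `home.packages` carries it. Otherwise a comment stating that the config is maintained out of band would save the next reader the search.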
diff --git a/users/rouven/options/default.nix b/users/rouven/options/default.nix
deleted file mode 100644
index f8c03ee..0000000
--- a/users/rouven/options/default.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- imports = [ ./shikane.nix ];
-}
diff --git a/users/rouven/options/shikane.nix b/users/rouven/options/shikane.nix
deleted file mode 100644
index 7b41407..0000000
--- a/users/rouven/options/shikane.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
- cfg = config.services.shikane;
- tomlFormat = pkgs.formats.toml { };
-in
-{
- meta.maintainers = [ maintainers.therealr5 ];
- options.services.shikane = {
-
- enable = mkEnableOption
- "shikane, A dynamic output configuration tool that automatically detects and configures connected outputs based on a set of profiles.";
-
- package = mkPackageOption pkgs "shikane" { };
-
- settings = mkOption {
- type = tomlFormat.type;
- default = { };
- example = literalExpression ''
- {
- profile = [
- {
- name = "external-monitor-default";
- output = [
- {
- match = "eDP-1";
- enable = true;
- }
- {
- match = "HDMI-A-1";
- enable = true;
- position = {
- x = 1920;
- y = 0;
- };
- }
- ];
- }
- {
- name = "builtin-monitor-only";
- output = [
- {
- match = "eDP-1";
- enable = true;
- }
- ];
- }
- ];
- }
- '';
- description = ''
- Configuration written to
- $XDG_CONFIG_HOME/shikane/config.toml.
-
- See
- for more information.
- '';
- };
- };
-
- config = mkIf cfg.enable {
- systemd.user.services.shikane = {
- Unit = {
- Description = "Dynamic output configuration tool";
- Documentation = "man:shikane(1)";
- After = [ "graphical-session-pre.target" ];
- PartOf = [ "graphical-session.target" ];
- };
-
- Service = { ExecStart = "${cfg.package}/bin/shikane -c ${tomlFormat.generate "shikane-config.toml" cfg.settings}"; };
-
- Install = { WantedBy = [ "graphical-session.target" ]; };
- };
- };
-}