From 03eccbd6af14bcdf75e1fdd715105e2a50637e12 Mon Sep 17 00:00:00 2001 
From: Swarsel Date: Thu, 17 Oct 2024 10:20:11 +0200 Subject: [PATCH] chore: work cleanup --- SwarselSystems.org | 1619 ++--------------- flake.nix | 63 - profiles/TEMPLATE/home.nix | 135 -- profiles/TEMPLATE/nixos.nix | 104 -- profiles/common/home/ssh.nix | 62 +- profiles/mysticant/default.nix | 2 +- profiles/optional/nixos/work.nix | 9 + profiles/server/common/transmission.nix | 20 +- profiles/server1/TEMPLATE/nixos.nix | 41 - .../calibre/hardware-configuration.nix | 27 - profiles/server1/calibre/nixos.nix | 70 - .../jellyfin/hardware-configuration.nix | 32 - .../server1/matrix/hardware-configuration.nix | 27 - profiles/server1/matrix/nixos.nix | 308 ---- .../server1/nginx/hardware-configuration.nix | 27 - profiles/server1/nginx/nixos.nix | 205 --- .../paperless/hardware-configuration.nix | 27 - profiles/server1/paperless/nixos.nix | 94 - .../server1/sound/hardware-configuration.nix | 33 - profiles/server1/sound/nixos.nix | 152 -- .../spotifyd/hardware-configuration.nix | 27 - profiles/server1/spotifyd/nixos.nix | 93 - .../transmission/hardware-configuration.nix | 27 - profiles/server1/transmission/nixos.nix | 275 --- secrets/calibre/secrets.yaml | 55 - secrets/matrix/secrets.yaml | 56 - secrets/nginx/secrets.yaml | 54 - secrets/omatrix/secrets.yaml | 57 - secrets/paperless/secrets.yaml | 52 - secrets/sound/secrets.yaml | 52 - secrets/spotifyd/secrets.yaml | 53 - secrets/transmission/secrets.yaml | 57 - 32 files changed, 165 insertions(+), 3750 deletions(-) delete mode 100644 profiles/TEMPLATE/home.nix delete mode 100644 profiles/TEMPLATE/nixos.nix delete mode 100644 profiles/server1/TEMPLATE/nixos.nix delete mode 100644 profiles/server1/calibre/hardware-configuration.nix delete mode 100644 profiles/server1/calibre/nixos.nix delete mode 100644 profiles/server1/jellyfin/hardware-configuration.nix delete mode 100644 profiles/server1/matrix/hardware-configuration.nix delete mode 100644 profiles/server1/matrix/nixos.nix delete mode 100644 
profiles/server1/nginx/hardware-configuration.nix
delete mode 100644 profiles/server1/nginx/nixos.nix
delete mode 100644 profiles/server1/paperless/hardware-configuration.nix
delete mode 100644 profiles/server1/paperless/nixos.nix
delete mode 100644 profiles/server1/sound/hardware-configuration.nix
delete mode 100644 profiles/server1/sound/nixos.nix
delete mode 100644 profiles/server1/spotifyd/hardware-configuration.nix
delete mode 100644 profiles/server1/spotifyd/nixos.nix
delete mode 100644 profiles/server1/transmission/hardware-configuration.nix
delete mode 100644 profiles/server1/transmission/nixos.nix
delete mode 100644 secrets/calibre/secrets.yaml
delete mode 100644 secrets/matrix/secrets.yaml
delete mode 100644 secrets/nginx/secrets.yaml
delete mode 100644 secrets/omatrix/secrets.yaml
delete mode 100644 secrets/paperless/secrets.yaml
delete mode 100644 secrets/sound/secrets.yaml
delete mode 100644 secrets/spotifyd/secrets.yaml
delete mode 100644 secrets/transmission/secrets.yaml
diff --git a/SwarselSystems.org b/SwarselSystems.org
index 0f34af4..9e343d1 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -604,69 +604,6 @@ This section used to be much longer, since I performed all of my imports right h
 ];
 };
- nginx = nixpkgs.lib.nixosSystem {
- specialArgs = { inherit inputs; };
- modules = [
- inputs.sops-nix.nixosModules.sops
- ./profiles/server1/nginx/nixos.nix
- ];
- };
-
- calibre = nixpkgs.lib.nixosSystem {
- specialArgs = { inherit inputs; };
- modules = [
- inputs.sops-nix.nixosModules.sops
- ./profiles/server1/calibre/nixos.nix
- ];
- };
-
- jellyfin = nixpkgs.lib.nixosSystem {
- specialArgs = { inherit inputs; };
- modules = [
- ./profiles/server1/jellyfin/nixos.nix
- ];
- };
-
- transmission = nixpkgs.lib.nixosSystem {
- specialArgs = { inherit inputs; };
- modules = [
- inputs.sops-nix.nixosModules.sops
- ./profiles/server1/transmission/nixos.nix
- ];
- };
-
- matrix = nixpkgs.lib.nixosSystem {
- specialArgs = { inherit inputs; };
- modules = [
- inputs.sops-nix.nixosModules.sops
- ./profiles/server1/matrix/nixos.nix
- ];
- };
-
- sound = nixpkgs.lib.nixosSystem {
- specialArgs = { inherit inputs; };
- modules = [
- inputs.sops-nix.nixosModules.sops
- ./profiles/server1/sound/nixos.nix
- ];
- };
-
- spotifyd = nixpkgs.lib.nixosSystem {
- specialArgs = { inherit inputs; };
- modules = [
- inputs.sops-nix.nixosModules.sops
- ./profiles/server1/spotifyd/nixos.nix
- ];
- };
-
- paperless = nixpkgs.lib.nixosSystem {
- specialArgs = { inherit inputs; };
- modules = [
- inputs.sops-nix.nixosModules.sops
- ./profiles/server1/paperless/nixos.nix
- ];
- };
-
 #ovm swarsel
 sync = nixpkgs.lib.nixosSystem {
 specialArgs = { inherit inputs; };
@@ -721,35 +658,6 @@ Nix on Android also demands an own flake output, which is provided here.
 #+end_src
-*** nixos-generators
-:PROPERTIES:
-:CUSTOM_ID: h:6a08495a-8566-4bb5-9fac-b03df01f6c81
-:END:
-
-This builds my Proxmox template. It is defined as a separate output so that I can already apply some rudimentary configuration before even setting up the system.
-
-Usage:
-
-#+begin_src shell :tangle no :export both
-
-nix build ~/.dotfiles/#proxmox-lxc
-
-#+end_src
-
-The resulting image can then be loaded in Proxmox.
-
-#+begin_src nix :tangle no :noweb-ref flakenixosgenerators
-
- proxmox-lxc = inputs.nixos-generators.nixosGenerate {
- inherit system;
- modules = [
- ./profiles/server1/TEMPLATE/nixos.nix
- ];
- format = "proxmox-lxc";
- };
-
-#+end_src
-
 * System
 :PROPERTIES:
 :CUSTOM_ID: h:02cd20be-1ffa-4904-9d5a-da5a89ba1421
@@ -2061,1311 +1969,175 @@ My work machine. Built for more security, this is the gold standard of my config mpd = false; matrix = true; nextcloud = true; - immich = true; - paperless = true; - transmission = true; - syncthing = true; - }; - }; - - } - - -#+end_src - -**** Magicant (Phone) - - -#+begin_src nix :tangle profiles/mysticant/default.nix - - { pkgs, ... }: { - environment = { - packages = with pkgs; [ - vim - git - openssh - toybox - dig - man - gnupg - ]; - - etcBackupExtension = ".bak"; - extraOutputsToInstall = [ - "doc" - "info" - "devdoc" - ]; - motd = null; - }; - - home-manager.config = { - - imports = [ - ../common/home/ssh.nix - ]; - services.ssh-agent.enable = true; - - }; - - android-integration = { - termux-open.enable = true; - termux-xdg-open.enable = true; - termux-open-url.enable = true; - termux-reload-settings.enable = true; - termux-setup-storage.enable = true; - }; - - # Backup etc files instead of failing to activate generation if a file already exists in /etc - - # Read the changelog before changing this value - system.stateVersion = "23.05"; - - # Set up nix for flakes - nix.extraOptions = '' - experimental-features = nix-command flakes - ''; - } - - -#+end_src - -*** Virtual hosts -:PROPERTIES: -:CUSTOM_ID: h:4dc59747-9598-4029-aa7d-92bf186d6c06 -:END: - -My server setup is built on Proxmox VE; back when I started, I created all kinds of wild Debian/Ubuntu/etc. KVMs and LXCs on there. However, the root disk has suffered a weird failure where it has become unable to be cloned, but it is still functional for now. I am currently rewriting all machines on there to use NixOS instead; this is a ongoing process. - -In the long run, I am thinking about a transition to kubernetes or using just a server running NixOS and using the built-in container functionality. For now however, I like the network management provided by Proxmox, as I am a bit intimidated by doing that from scratch. 
- -**** TEMPLATE -:PROPERTIES: -:CUSTOM_ID: h:292c583e-0b67-4456-bdba-a72d4e53ce66 -:END: -***** NixOS -:PROPERTIES: -:CUSTOM_ID: h:598a2a4c-4d99-46d6-9d4a-dd9e73704f09 -:END: - -#+begin_src nix :tangle profiles/server1/TEMPLATE/nixos.nix - { pkgs, modulesPath, ... }: - - { - imports = [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ]; - - environment.systemPackages = with pkgs; [ - git - gnupg - ssh-to-age - ]; - - services.xserver.xkb = { - layout = "us"; - variant = "altgr-intl"; - }; - - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - - proxmoxLXC = { - manageNetwork = true; # manage network myself - manageHostName = false; # manage hostname myself - }; - networking = { - hostName = "TEMPLATE"; # Define your hostname. - useDHCP = true; - enableIPv6 = false; - firewall.enable = false; - }; - services.openssh = { - enable = true; - settings.PermitRootLogin = "yes"; - }; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../../secrets/keys/authorized_keys - ]; - # users.users.root.password = "TEMPLATE"; - - system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change - } - -#+end_src - -**** NGINX -:PROPERTIES: -:CUSTOM_ID: h:90340ea4-5ef0-4466-92cf-12d8ece805ba -:END: -***** NixOS -:PROPERTIES: -:CUSTOM_ID: h:519899ad-adcd-435b-8857-71635afbc756 -:END: - -#+begin_src nix :tangle profiles/server1/nginx/nixos.nix - { config, pkgs, modulesPath, ... 
}: - { - imports = [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ./hardware-configuration.nix - ]; - - environment.systemPackages = with pkgs; [ - git - gnupg - ssh-to-age - lego - nginx - ]; - - services.xserver.xkb = { - layout = "us"; - variant = "altgr-intl"; - }; - - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - - sops = { - age.sshKeyPaths = [ "/etc/ssh/sops" ]; - defaultSopsFile = "/.dotfiles/secrets/nginx/secrets.yaml"; - validateSopsFiles = false; - secrets.dnstokenfull = { owner = "acme"; }; - templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} - ''; - }; - proxmoxLXC = { - manageNetwork = true; # manage network myself - manageHostName = false; # manage hostname myself - }; - networking = { - hostName = "nginx"; # Define your hostname. - useDHCP = true; - enableIPv6 = false; - firewall.enable = false; - }; - services.openssh = { - enable = true; - settings.PermitRootLogin = "yes"; - }; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../../secrets/keys/authorized_keys - ]; - # users.users.root.password = "TEMPLATE"; - - system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change - - security.acme = { - acceptTerms = true; - preliminarySelfsigned = false; - defaults.email = "mrswarsel@gmail.com"; - defaults.dnsProvider = "cloudflare"; - defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; - }; - - environment.shellAliases = { - nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; - }; - - services.nginx = { - enable = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - virtualHosts = { - - - "stash.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "https://192.168.1.5"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - # "/push/" = { - # 
proxyPass = "http://192.168.2.5:7867"; - # }; - "/.well-known/carddav" = { - return = "301 $scheme://$host/remote.php/dav"; - }; - "/.well-known/caldav" = { - return = "301 $scheme://$host/remote.php/dav"; - }; - }; - }; - - "matrix2.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://192.168.1.23:8008"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - - - "sound.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://192.168.1.13:4040"; - proxyWebsockets = true; - extraConfig = '' - proxy_redirect http:// https://; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - }; - }; - }; - - "scan.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://192.168.1.24:28981"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - - "screen.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://192.168.1.16:8096"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - - "matrix.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://192.168.1.20:8008"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - - "scroll.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://192.168.1.22:8080"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - - "blog.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "https://192.168.1.7"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - - 
}; - }; - - } - -#+end_src - -**** [Manual steps required] Calibre -:PROPERTIES: -:CUSTOM_ID: h:12152533-a000-4e7e-8038-43f8e501cedd -:END: - -This machine requires manual setup: -1) (obsolete for now) Set up calibre-web: - - Create metadata.db with 664 permissions, make sure parent directory is writeable - - Login @ books.swarsel.win using initial creds: - - user: admin - - pw: admin123 - - point to metadata.db file, make sure you can upload - - Change pw, create normal user -2) Setup kavita: - - Login @ scrolls.swarsel.win - - Create admin user - - Import Libraries - - Create normal user - -In general, I am not amazed by this setup; Kavita is the reader of choice, calibre-web mostly is there to have a convenient way to fullfill the opinionated folder structure when uploading ebooks (calibre-web does not work on its own since it forces sqlite which does not work nicely with my NFS book store). I hope that in the future Kavita will implement ebook upload, or that calibre-web will ditch the sqlite constraints. - -***** NixOS -:PROPERTIES: -:CUSTOM_ID: h:0094ccd0-36e4-46cb-a422-6f1aefb786d6 -:END: - -#+begin_src nix :tangle profiles/server1/calibre/nixos.nix - { config, pkgs, modulesPath, ... 
}: - - { - imports = [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ./hardware-configuration.nix - ]; - - environment.systemPackages = with pkgs; [ - git - gnupg - ssh-to-age - calibre - ]; - - users.groups.lxc_shares = { - gid = 10000; - members = [ - "kavita" - "calibre-web" - "root" - ]; - }; - - services.xserver.xkb = { - layout = "us"; - variant = "altgr-intl"; - }; - - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - - sops = { - age.sshKeyPaths = [ "/etc/ssh/sops" ]; - defaultSopsFile = "/.dotfiles/secrets/calibre/secrets.yaml"; - validateSopsFiles = false; - secrets.kavita = { owner = "kavita"; }; - }; - proxmoxLXC = { - manageNetwork = true; # manage network myself - manageHostName = false; # manage hostname myself - }; - networking = { - hostName = "calibre"; # Define your hostname. - useDHCP = true; - enableIPv6 = false; - firewall.enable = false; - }; - services.openssh = { - enable = true; - settings.PermitRootLogin = "yes"; - }; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../../secrets/keys/authorized_keys - ]; - - system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change - - environment.shellAliases = { - nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; - }; - - services.kavita = { - enable = true; - user = "kavita"; - port = 8080; - tokenKeyFile = config.sops.secrets.kavita.path; - }; - - - } - -#+end_src - -**** Jellyfin -:PROPERTIES: -:CUSTOM_ID: h:4a194546-9a9e-47c4-8d03-8d2428d45d30 -:END: -***** NixOS -:PROPERTIES: -:CUSTOM_ID: h:9e94efd9-f63b-46ce-b34c-ec3128de5ed9 -:END: - -#+begin_src nix :tangle profiles/server1/jellyfin/nixos.nix - { config, pkgs, modulesPath, ... 
}: - - { - imports = [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ./hardware-configuration.nix - ]; - - environment.systemPackages = with pkgs; [ - git - gnupg - ssh-to-age - ]; - - users.groups.lxc_shares = { - gid = 10000; - members = [ - "jellyfin" - "root" - ]; - }; - - users.users.jellyfin = { - extraGroups = [ "video" "render" ]; - }; - - services.xserver.xkb = { - layout = "us"; - variant = "altgr-intl"; - }; - - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - - proxmoxLXC = { - manageNetwork = true; # manage network myself - manageHostName = false; # manage hostname myself - }; - networking = { - hostName = "jellyfin"; # Define your hostname. - useDHCP = true; - enableIPv6 = false; - firewall.enable = false; - }; - services.openssh = { - enable = true; - settings.PermitRootLogin = "yes"; - }; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../../secrets/keys/authorized_keys - ]; - - system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change - - environment.shellAliases = { - nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; - }; - - nixpkgs.config.packageOverrides = pkgs: { - vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; - }; - hardware.graphics = { - enable = true; - extraPackages = with pkgs; [ - intel-media-driver # LIBVA_DRIVER_NAME=iHD - vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) - vaapiVdpau - libvdpau-va-gl - ]; - }; - - services.jellyfin = { - enable = true; - user = "jellyfin"; - # openFirewall = true; # this works only for the default ports - }; - - } - -#+end_src - -**** [WIP/Incomplete/Untested] Transmission -:PROPERTIES: -:CUSTOM_ID: h:dffc1243-8d6a-4cac-8a5d-3a27d4546235 -:END: - -This stuff just does not work, I seem to be unable to create a working VPN Split Tunneling on NixOS. Maybe this is introduced by the wonky Proxmox-NixOS container interaction, I am not sure. 
For now, this machine does not work at all and I am stuck with my Debian Container that does this for me ... - -***** NixOS -:PROPERTIES: -:CUSTOM_ID: h:2a2ebf94-b262-4e83-ab86-d8b1ebec492d -:END: - -#+begin_src nix :tangle profiles/server1/transmission/nixos.nix - { config, pkgs, modulesPath, ... }: - - { - imports = [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ./hardware-configuration.nix - # ./openvpn.nix #this file holds the vpn login data - ]; - - environment.systemPackages = with pkgs; [ - git - gnupg - ssh-to-age - openvpn - jq - iptables - busybox - wireguard-tools - ]; - - users.groups.lxc_shares = { - gid = 10000; - members = [ - "vpn" - "radarr" - "sonarr" - "lidarr" - "readarr" - "root" - ]; - }; - users.groups.vpn = { }; - - users.users.vpn = { - isNormalUser = true; - group = "vpn"; - home = "/home/vpn"; - }; - - services.xserver.xkb = { - layout = "us"; - variant = "altgr-intl"; - }; - - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - - sops = { - age.sshKeyPaths = [ "/etc/ssh/sops" ]; - defaultSopsFile = "/.dotfiles/secrets/transmission/secrets.yaml"; - validateSopsFiles = false; - }; - - boot.kernelModules = [ "tun" ]; - proxmoxLXC = { - manageNetwork = true; # manage network myself - manageHostName = false; # manage hostname myself - }; - networking = { - hostName = "transmission"; # Define your hostname. 
- useDHCP = true; - enableIPv6 = false; - firewall.enable = false; - }; - - services = { - radarr = { - enable = true; - }; - readarr = { - enable = true; - }; - sonarr = { - enable = true; - }; - lidarr = { - enable = true; - }; - prowlarr = { - enable = true; - }; - }; - - networking.iproute2 = { - enable = true; - rttablesExtraConfig = '' - 200 vpn - ''; - }; - environment.etc = { - "openvpn/iptables.sh" = - { - source = ../../../scripts/server1/iptables.sh; - mode = "0755"; - }; - "openvpn/update-resolv-conf" = - { - source = ../../../scripts/server1/update-resolv-conf; - mode = "0755"; - }; - "openvpn/routing.sh" = - { - source = ../../../scripts/server1/routing.sh; - mode = "0755"; - }; - "openvpn/ca.rsa.2048.crt" = - { - source = ../../../secrets/certs/ca.rsa.2048.crt; - mode = "0644"; - }; - "openvpn/crl.rsa.2048.pem" = - { - source = ../../../secrets/certs/crl.rsa.2048.pem; - mode = "0644"; - }; - }; - services.openssh = { - enable = true; - settings.PermitRootLogin = "yes"; - listenAddresses = [{ - port = 22; - addr = "0.0.0.0"; - }]; - }; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../../secrets/keys/authorized_keys - ]; - - system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change - # users.users.root.password = "TEMPLATE"; - - environment.shellAliases = { - nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; - }; - - sops = { - templates = { - "transmission-rpc" = { - owner = "vpn"; - content = builtins.toJSON { - rpc-username = config.sops.placeholder.rpcuser; - rpc-password = config.sops.placeholder.rpcpass; - }; - }; - - pia.content = '' - ${config.sops.placeholder.vpnuser} - ${config.sops.placeholder.vpnpass} - ''; - - vpn.content = '' - client - dev tun - proto ${config.sops.placeholder.vpnprot} - remote ${config.sops.placeholder.vpnloc} - resolv-retry infinite - nobind - persist-key - persist-tun - cipher aes-128-cbc - auth sha1 - tls-client - remote-cert-tls server - - 
auth-user-pass ${config.sops.templates.pia.path} - compress - verb 1 - reneg-sec 0 - - crl-verify /etc/openvpn/crl.rsa.2048.pem - ca /etc/openvpn/ca.rsa.2048.crt - - disable-occ - dhcp-option DNS 209.222.18.222 - dhcp-option DNS 209.222.18.218 - dhcp-option DNS 8.8.8.8 - route-noexec - ''; - }; - secrets = { - vpnuser = { }; - rpcuser = { owner = "vpn"; }; - vpnpass = { }; - rpcpass = { owner = "vpn"; }; - vpnprot = { }; - vpnloc = { }; - }; - }; - services.openvpn.servers = { - pia = { - autoStart = false; - updateResolvConf = true; - config = "config ${config.sops.templates.vpn.path}"; - }; - }; - - services.transmission = { - enable = true; - credentialsFile = config.sops.templates."transmission-rpc".path; - user = "vpn"; - group = "lxc_shares"; - settings = { - - alt-speed-down = 8000; - alt-speed-enabled = false; - alt-speed-time-begin = 0; - alt-speed-time-day = 127; - alt-speed-time-enabled = true; - alt-speed-time-end = 360; - alt-speed-up = 2000; - bind-address-ipv4 = "0.0.0.0"; - bind-address-ipv6 = "::"; - blocklist-enabled = false; - blocklist-url = "http://www.example.com/blocklist"; - cache-size-mb = 4; - dht-enabled = false; - download-dir = "/media/Eternor/New"; - download-limit = 100; - download-limit-enabled = 0; - download-queue-enabled = true; - download-queue-size = 5; - encryption = 2; - idle-seeding-limit = 30; - idle-seeding-limit-enabled = false; - incomplete-dir = "/var/lib/transmission-daemon/Downloads"; - incomplete-dir-enabled = false; - lpd-enabled = false; - max-peers-global = 200; - message-level = 1; - peer-congestion-algorithm = ""; - peer-id-ttl-hours = 6; - peer-limit-global = 100; - peer-limit-per-torrent = 40; - peer-port = 22371; - peer-port-random-high = 65535; - peer-port-random-low = 49152; - peer-port-random-on-start = false; - peer-socket-tos = "default"; - pex-enabled = false; - port-forwarding-enabled = false; - preallocation = 1; - prefetch-enabled = true; - queue-stalled-enabled = true; - queue-stalled-minutes = 30; - 
ratio-limit = 2; - ratio-limit-enabled = false; - rename-partial-files = true; - rpc-authentication-required = true; - rpc-bind-address = "0.0.0.0"; - rpc-enabled = true; - rpc-host-whitelist = ""; - rpc-host-whitelist-enabled = true; - rpc-port = 9091; - rpc-url = "/transmission/"; - rpc-whitelist = "127.0.0.1,192.168.3.2"; - rpc-whitelist-enabled = true; - scrape-paused-torrents-enabled = true; - script-torrent-done-enabled = false; - seed-queue-enabled = false; - seed-queue-size = 10; - speed-limit-down = 6000; - speed-limit-down-enabled = true; - speed-limit-up = 500; - speed-limit-up-enabled = true; - start-added-torrents = true; - trash-original-torrent-files = false; - umask = 2; - upload-limit = 100; - upload-limit-enabled = 0; - upload-slots-per-torrent = 14; - utp-enabled = false; - }; - }; - - - } - -#+end_src - -**** [Manual steps needed] Matrix -:PROPERTIES: -:CUSTOM_ID: h:1d6221c4-1f48-4f83-b262-5298ed99218e -:END: - -1) After the initial setup, run the - - /run/secrets-generated/matrix_user_register.sh -command to register a new admin user. -2) All bridges will fail on first start, copy the registration files using: - - cp /var/lib/mautrix-telegram/telegram-registration.yaml /var/lib/matrix-synapse/ - - chown matrix-synapse:matrix-synapse var/lib/matrix-synapse/telegram-registration.yaml -Make sure to also do this for doublepuppet.yaml -3) Restart postgresql.service, matrix-synapse.service, mautrix-whatsapp.service, mautrix-telegram.service - -***** NixOS -:PROPERTIES: -:CUSTOM_ID: h:a0b2d610-7258-4875-adb4-9ec4afe05b02 -:END: - -#+begin_src nix :noweb yes :tangle profiles/server1/matrix/nixos.nix - { config, pkgs, modulesPath, sops, ... 
}: - let - matrixDomain = "matrix2.swarsel.win"; - in - { - <> - - imports = [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ./hardware-configuration.nix - # we import here a service that is not available yet on normal nixpkgs - # this module is hence not in the modules list, we add it ourselves - ]; - - networking = { - hostName = "matrix"; # Define your hostname. - firewall.enable = false; - }; - environment.systemPackages = with pkgs; [ - git - gnupg - ssh-to-age - matrix-synapse - lottieconverter - ffmpeg - ]; - - sops = { - age.sshKeyPaths = [ "/etc/ssh/sops" ]; - defaultSopsFile = "/.dotfiles/secrets/matrix/secrets.yaml"; - validateSopsFiles = false; - secrets = { - matrixsharedsecret = { owner = "matrix-synapse"; }; - mautrixtelegram_as = { owner = "matrix-synapse"; }; - mautrixtelegram_hs = { owner = "matrix-synapse"; }; - mautrixtelegram_api_id = { owner = "matrix-synapse"; }; - mautrixtelegram_api_hash = { owner = "matrix-synapse"; }; - }; - templates = { - "matrix_user_register.sh".content = '' - register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008 - ''; - matrixshared = { - owner = "matrix-synapse"; - content = '' - registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} - ''; - }; - mautrixtelegram = { - owner = "matrix-synapse"; - content = '' - MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as} - MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} - MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} - MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} - ''; - }; - }; - }; - - services.postgresql = { - enable = true; - initialScript = pkgs.writeText "synapse-init.sql" '' - CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; - CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - 
CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; - CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; - CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; - CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - ''; - }; - - services.matrix-synapse = { - enable = true; - settings = { - app_service_config_files = [ - "/var/lib/matrix-synapse/telegram-registration.yaml" - "/var/lib/matrix-synapse/whatsapp-registration.yaml" - "/var/lib/matrix-synapse/signal-registration.yaml" - "/var/lib/matrix-synapse/doublepuppet.yaml" - ]; - server_name = matrixDomain; - public_baseurl = "https://${matrixDomain}"; - listeners = [ - { - port = 8008; - bind_addresses = [ "0.0.0.0" ]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = [ "client" "federation" ]; - compress = true; - } - ]; - } - ]; - }; - extraConfigFiles = [ - config.sops.templates.matrixshared.path - ]; - }; - - services.mautrix-telegram = { - enable = true; - environmentFile = config.sops.templates.mautrixtelegram.path; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - address = "http://localhost:29317"; - hostname = "0.0.0.0"; - port = "29317"; - provisioning.enabled = true; - id = "telegram"; - # ephemeral_events = true; # not needed due to double puppeting - public = { - enabled = false; - }; - database = "postgresql:///mautrix-telegram?host=/run/postgresql"; - }; - bridge = { - relaybot.authless_portals = true; - allow_avatar_remove = true; - allow_contact_info = true; - sync_channel_members = true; - startup_sync = true; - sync_create_limit = 0; - sync_direct_chats = 
true; - telegram_link_preview = true; - permissions = { - "*" = "relaybot"; - "@swarsel:${matrixDomain}" = "admin"; - }; - animated_sticker = { - target = "gif"; - args = { - width = 256; - height = 256; - fps = 30; # only for webm - background = "020202"; # only for gif, transparency not supported - }; - }; - }; - }; - }; - systemd.services.mautrix-telegram.path = with pkgs; [ - lottieconverter # for animated stickers conversion, unfree package - ffmpeg # if converting animated stickers to webm (very slow!) - ]; - - services.mautrix-whatsapp = { - enable = true; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - address = "http://localhost:29318"; - hostname = "0.0.0.0"; - port = 29318; - database = { - type = "postgres"; - uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql"; - }; - }; - bridge = { - displayname_template = "{{or .FullName .PushName .JID}} (WA)"; - history_sync = { - backfill = true; - max_initial_conversations = -1; - message_count = -1; - request_full_sync = true; - full_sync_config = { - days_limit = 900; - size_mb_limit = 5000; - storage_quota_mb = 5000; - }; - }; - login_shared_secret_map = { - matrixDomain = "as_token:doublepuppet"; - }; - sync_manual_marked_unread = true; - send_presence_on_typing = true; - parallel_member_sync = true; - url_previews = true; - caption_in_message = true; - extev_polls = true; - permissions = { - "*" = "relaybot"; - "@swarsel:${matrixDomain}" = "admin"; - }; - }; - }; - }; - - services.mautrix-signal = { - enable = true; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - - address = "http://localhost:29328"; - hostname = "0.0.0.0"; - port = 29328; - database = { - type = "postgres"; - uri = "postgresql:///mautrix-signal?host=/run/postgresql"; - }; - }; - bridge = { - displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)"; - 
login_shared_secret_map = { - matrixDomain = "as_token:doublepuppet"; - }; - caption_in_message = true; - permissions = { - "*" = "relaybot"; - "@swarsel:${matrixDomain}" = "admin"; - }; - }; - }; - }; - - # restart the bridges daily. this is done for the signal bridge mainly which stops carrying - # messages out after a while. - - systemd.timers."restart-bridges" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "1d"; - OnUnitActiveSec = "1d"; - Unit = "restart-bridges.service"; - }; - }; - - systemd.services."restart-bridges" = { - script = '' - systemctl restart mautrix-whatsapp.service - systemctl restart mautrix-signal.service - systemctl restart mautrix-telegram.service - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; + immich = true; + paperless = true; + transmission = true; + syncthing = true; }; }; } -#+end_src -**** Sound -:PROPERTIES: -:CUSTOM_ID: h:b36415bf-77fa-4d51-842c-8cde0e46b844 -:END: -***** NixOS -:PROPERTIES: -:CUSTOM_ID: h:4bb55d69-9e09-4338-9f1e-a77ce37f02ed -:END: +#+end_src -#+begin_src nix :noweb yes :tangle profiles/server1/sound/nixos.nix - { config, pkgs, modulesPath, ... }: +**** Magicant (Phone) - { - <> - proxmoxLXC.privileged = true; # manage hostname myself +#+begin_src nix :tangle profiles/mysticant/default.nix - users = { - groups = { - lxc_pshares = { - gid = 110000; - members = [ - "navidrome" - "mpd" - "root" - ]; - }; + { pkgs, ... 
}: { + environment = { + packages = with pkgs; [ + vim + git + openssh + toybox + dig + man + gnupg + ]; - navidrome = { - gid = 61593; - }; + etcBackupExtension = ".bak"; + extraOutputsToInstall = [ + "doc" + "info" + "devdoc" + ]; + motd = null; + }; - mpd = { }; - }; + home-manager.config = { - users = { - navidrome = { - isSystemUser = true; - uid = 61593; - group = "navidrome"; - extraGroups = [ "audio" "utmp" ]; - }; + imports = [ + ../common/home/ssh.nix + ]; + services.ssh-agent.enable = true; - mpd = { - isSystemUser = true; - group = "mpd"; - extraGroups = [ "audio" "utmp" ]; - }; - }; }; - sound = { - enable = true; + android-integration = { + termux-open.enable = true; + xdg-open.enable = true; + termux-open-url.enable = true; + termux-reload-settings.enable = true; + termux-setup-storage.enable = true; }; - hardware.enableAllFirmware = true; - networking = { - hostName = "sound"; # Define your hostname. - firewall.enable = false; - }; - environment.systemPackages = with pkgs; [ - git - gnupg - ssh-to-age - pciutils - alsa-utils - mpv - ]; + # Backup etc files instead of failing to activate generation if a file already exists in /etc - sops = { - age.sshKeyPaths = [ "/etc/ssh/sops" ]; - defaultSopsFile = "/.dotfiles/secrets/sound/secrets.yaml"; - validateSopsFiles = false; - secrets.mpdpass = { owner = "mpd"; }; - }; + # Read the changelog before changing this value + system.stateVersion = "23.05"; - services.navidrome = { - enable = true; - settings = { - Address = "0.0.0.0"; - Port = 4040; - MusicFolder = "/media"; - EnableSharing = true; - EnableTranscodingConfig = true; - Scanner.GroupAlbumReleases = true; - ScanSchedule = "@every 1d"; - # Insert these values locally as sops-nix does not work for them - LastFM.ApiKey = TEMPLATE; - LastFM.Secret = TEMPLATE; - Spotify.ID = TEMPLATE; - Spotify.Secret = TEMPLATE; - UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png"; - UIWelcomeMessage = "~SwarselSound~"; - }; - }; - services.mpd = { - enable = 
true; - musicDirectory = "/media"; - user = "mpd"; - group = "mpd"; - network = { - port = 3254; - listenAddress = "any"; - }; - credentials = [ - { - passwordFile = config.sops.secrets.mpdpass.path; - permissions = [ - "read" - "add" - "control" - "admin" - ]; - } - ]; - }; + # Set up nix for flakes + nix.extraOptions = '' + experimental-features = nix-command flakes + ''; } + + #+end_src -**** Spotifyd +*** Virtual hosts +:PROPERTIES: +:CUSTOM_ID: h:4dc59747-9598-4029-aa7d-92bf186d6c06 +:END: + +My server setup was originally built on Proxmox VE; back when I started, I created all kinds of wild Debian/Ubuntu/etc. KVMs and LXCs on there. However, the root disk has suffered a weird failure where it has become unable to be cloned, but it is still functional for now. I was for a long time rewriting all machines on there to use NixOS instead; this process is now finished. + +I have removed most of the machines from this section. What remains are some hosts that I have deployed on OCI (mostly sync for medium-important data) and one other machine that I left for now as a reference. + +**** Jellyfin (Local) :PROPERTIES: -:CUSTOM_ID: h:23032961-346c-4141-97b9-a4d5469dc7d8 +:CUSTOM_ID: h:4a194546-9a9e-47c4-8d03-8d2428d45d30 :END: ***** NixOS :PROPERTIES: -:CUSTOM_ID: h:857bb1f6-9aeb-4600-ac79-a85ef011c847 +:CUSTOM_ID: h:9e94efd9-f63b-46ce-b34c-ec3128de5ed9 :END: -#+begin_src nix :noweb yes :tangle profiles/server1/spotifyd/nixos.nix - { pkgs, modulesPath, ... }: +#+begin_src nix :tangle profiles/server1/jellyfin/nixos.nix + { config, pkgs, modulesPath, ... 
}: { - <> + imports = [ + (modulesPath + "/virtualisation/proxmox-lxc.nix") + ./hardware-configuration.nix + ]; - proxmoxLXC.privileged = true; # manage hostname myself + environment.systemPackages = with pkgs; [ + git + gnupg + ssh-to-age + ]; - users.groups.spotifyd = { - gid = 65136; + users.groups.lxc_shares = { + gid = 10000; + members = [ + "jellyfin" + "root" + ]; }; - users.users.spotifyd = { - isSystemUser = true; - uid = 65136; - group = "spotifyd"; - extraGroups = [ "audio" "utmp" ]; + users.users.jellyfin = { + extraGroups = [ "video" "render" ]; }; - sound = { - enable = true; + services.xserver.xkb = { + layout = "us"; + variant = "altgr-intl"; }; - hardware.enableAllFirmware = true; + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + + proxmoxLXC = { + manageNetwork = true; # manage network myself + manageHostName = false; # manage hostname myself + }; networking = { - hostName = "spotifyd"; # Define your hostname. + hostName = "jellyfin"; # Define your hostname. 
+ useDHCP = true; + enableIPv6 = false; firewall.enable = false; }; - environment.systemPackages = with pkgs; [ - git - gnupg - ssh-to-age + services.openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + }; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../../../secrets/keys/authorized_keys ]; - services.spotifyd = { + system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change + + environment.shellAliases = { + nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; + }; + + nixpkgs.config.packageOverrides = pkgs: { + vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; + }; + hardware.graphics = { + enable = true; + extraPackages = with pkgs; [ + intel-media-driver # LIBVA_DRIVER_NAME=iHD + vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) + vaapiVdpau + libvdpau-va-gl + ]; + }; + + services.jellyfin = { enable = true; - settings = { - global = { - dbus_type = "session"; - use_mpris = false; - device = "default:CARD=PCH"; - device_name = "SwarselSpot"; - mixer = "alsa"; - zeroconf_port = 1025; - }; - }; + user = "jellyfin"; + # openFirewall = true; # this works only for the default ports }; } #+end_src -**** Sync +**** Sync (OCI) :PROPERTIES: :CUSTOM_ID: h:4c5febb0-fdf6-44c5-8d51-7ea0f8930abf :END: @@ -3542,7 +2314,7 @@ Make sure to also do this for doublepuppet.yaml #+end_src -**** [Manual steps required] Swatrix +**** [Manual steps required] Swatrix (OCI) :PROPERTIES: :CUSTOM_ID: h:39553a9c-7095-4db8-b0df-bf47d91cb937 :END: @@ -3551,7 +2323,7 @@ Make sure to also do this for doublepuppet.yaml :CUSTOM_ID: h:441d367d-cddd-40d7-9db7-d170e61e1c52 :END: -The files mentioned by +This is a backup matrix server that is meant to be deployed on OCI. I have not gotten to that yet. #+begin_src nix :tangle no 
@@ -3938,67 +2710,7 @@ Lastly, the machine that runs matrix needs to regularly update, as otherwise you #+end_src -**** Paperless -:PROPERTIES: -:CUSTOM_ID: h:17b9ba9d-94c9-44d5-99dd-776174d4bcc9 -:END: -***** NixOS -:PROPERTIES: -:CUSTOM_ID: h:1fc355ca-ca8c-4b02-ab3f-5656f2992112 -:END: - -#+begin_src nix :noweb yes :tangle profiles/server1/paperless/nixos.nix -{ config, pkgs, modulesPath, ... }: - -{ - <> - - users.groups.lxc_shares = { - gid = 10000; - members = [ - "paperless" - "root" - ]; - }; - - environment.systemPackages = with pkgs; [ - git - gnupg - ssh-to-age - ]; - - networking = { - hostName = "paperless"; # Define your hostname. - firewall.enable = false; - }; - - sops = { - age.sshKeyPaths = [ "/etc/ssh/sops" ]; - defaultSopsFile = "/root/.dotfiles/secrets/paperless/secrets.yaml"; - validateSopsFiles = false; - secrets.admin = { owner = "paperless"; }; - }; - - services.paperless = { - enable = true; - mediaDir = "/media"; - user = "paperless"; - port = 28981; - passwordFile = config.sops.secrets.admin.path; - address = "0.0.0.0"; - extraConfig = { - PAPERLESS_OCR_LANGUAGE = "deu+eng"; - PAPERLESS_URL = "scan.swarsel.win"; - PAPERLESS_OCR_USER_ARGS = builtins.toJSON { - optimize = 1; - pdfa_image_compression = "lossless"; - }; - }; - }; - -} -#+end_src ** Overlays, packages, and modules :PROPERTIES: :CUSTOM_ID: h:ab272ab4-3c93-48b1-8f1e-f710aa9aae5d 
@@ -7708,32 +6420,32 @@ Also, the system state version is set here. No need to touch it. client_max_body_size 0; ''; }; - "/radarr" = { - proxyPass = "http://127.0.0.1:7878"; + "= /radarr" = { + proxyPass = "http://127.0.0.1:7878/"; extraConfig = '' client_max_body_size 0; ''; }; - "/readarr" = { - proxyPass = "http://127.0.0.1:8787"; + "= /readarr" = { + proxyPass = "http://127.0.0.1:8787/"; extraConfig = '' client_max_body_size 0; ''; }; - "/sonarr" = { - proxyPass = "http://127.0.0.1:8989"; + "= /sonarr" = { + proxyPass = "http://127.0.0.1:8989/"; extraConfig = '' client_max_body_size 0; ''; }; - "/lidarr" = { - proxyPass = "http://127.0.0.1:8686"; + "= /lidarr" = { + proxyPass = "http://127.0.0.1:8686/"; extraConfig = '' client_max_body_size 0; ''; }; - "/prowlarr" = { - proxyPass = "http://127.0.0.1:9696"; + "= /prowlarr" = { + proxyPass = "http://127.0.0.1:9696/"; extraConfig = '' client_max_body_size 0; ''; @@ -7998,6 +6710,15 @@ Integrates 1password mostly. There are more options at [[#h:f0b2ea93-94c8-48d8-8 #+begin_src nix :tangle profiles/optional/nixos/work.nix { pkgs, ... }: { + sops = { + secrets = { + clad = { }; + dcad = { }; + wsad = { }; + imbad= { }; + }; + }; + # boot.initrd.luks.yubikeySupport = true; programs.browserpass.enable = true; programs._1password.enable = true; 
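Review bot: Switching these locations to exact match (`"= /radarr"` and the four siblings) means only the bare `/radarr` request URI is proxied by this block; `/radarr/api/...` and every other sub-path no longer match it and fall through to whatever other location applies, unless a separate `/radarr/` prefix location exists outside the hunk. The trailing slash added to `proxyPass` also makes nginx replace the matched `/radarr` with `/`, so the backend receives `/` rather than `/radarr`, which matters if the app is configured with a URL base. If the intent is to keep the whole subtree behind the proxy, the usual shape is a prefix location that preserves the path, `"/radarr/" = { proxyPass = "http://127.0.0.1:7878"; ... };`, plus an exact `= /radarr` that redirects to `/radarr/` instead of proxying. The enclosing `locations` set starts before and ends after this hunk, so whether such a companion block already exists cannot be confirmed from here.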
@@ -8428,69 +7149,14 @@ It is very convenient to have SSH aliases in place for machines that I use. This SetEnv TERM=xterm-256color ''; matchBlocks = { - "nginx" = { - hostname = "192.168.1.14"; - user = "root"; - }; - "jellyfin" = { - hostname = "192.168.1.16"; - user = "root"; - }; + # Local machines "pfsense" = { hostname = "192.168.1.1"; user = "root"; }; - "proxmox" = { + "winters" = { hostname = "192.168.1.2"; - user = "root"; - }; - "transmission" = { - hostname = "192.168.1.6"; - user = "root"; - }; - "fetcher" = { - hostname = "192.168.1.7"; - user = "root"; - }; - "omv" = { - hostname = "192.168.1.3"; - user = "root"; - }; - "webbot" = { - hostname = "192.168.1.11"; - user = "root"; - }; - "nextcloud" = { - hostname = "192.168.1.5"; - user = "root"; - }; - "sound" = { - hostname = "192.168.1.13"; - user = "root"; - }; - "spotify" = { - hostname = "192.168.1.17"; - user = "root"; - }; - "wordpress" = { - hostname = "192.168.1.9"; - user = "root"; - }; - "turn" = { - hostname = "192.168.1.18"; - user = "root"; - }; - "hugo" = { - hostname = "192.168.1.19"; - user = "root"; - }; - "matrix" = { - hostname = "192.168.1.23"; - user = "root"; - }; - "scroll" = { - hostname = "192.168.1.22"; - user = "root"; + user = "swarsel"; }; "minecraft" = { hostname = "130.61.119.129"; @@ -8510,7 +7176,6 @@ It is very convenient to have SSH aliases in place for machines that I use. This }; "efficient" = { hostname = "g0.complang.tuwien.ac.at"; - forwardAgent = true; user = "ep01427399"; }; }; diff --git a/flake.nix b/flake.nix index fa08fcf..f1c6908 100644 --- a/flake.nix +++ b/flake.nix 
@@ -227,69 +227,6 @@ ]; }; - nginx = nixpkgs.lib.nixosSystem { - specialArgs = { inherit inputs; }; - modules = [ - inputs.sops-nix.nixosModules.sops - ./profiles/server1/nginx/nixos.nix - ]; - }; - - calibre = nixpkgs.lib.nixosSystem { - specialArgs = { inherit inputs; }; - modules = [ - inputs.sops-nix.nixosModules.sops - ./profiles/server1/calibre/nixos.nix - ]; - }; - - jellyfin = nixpkgs.lib.nixosSystem { - specialArgs = { inherit inputs; }; - modules = [ - ./profiles/server1/jellyfin/nixos.nix - ]; - }; - - transmission = nixpkgs.lib.nixosSystem { - specialArgs = { inherit inputs; }; - modules = [ - inputs.sops-nix.nixosModules.sops - ./profiles/server1/transmission/nixos.nix - ]; - }; - - matrix = nixpkgs.lib.nixosSystem { - specialArgs = { inherit inputs; }; - modules = [ - inputs.sops-nix.nixosModules.sops - ./profiles/server1/matrix/nixos.nix - ]; - }; - - sound = nixpkgs.lib.nixosSystem { - specialArgs = { inherit inputs; }; - modules = [ - inputs.sops-nix.nixosModules.sops - ./profiles/server1/sound/nixos.nix - ]; - }; - - spotifyd = nixpkgs.lib.nixosSystem { - specialArgs = { inherit inputs; }; - modules = [ - inputs.sops-nix.nixosModules.sops - ./profiles/server1/spotifyd/nixos.nix - ]; - }; - - paperless = nixpkgs.lib.nixosSystem { - specialArgs = { inherit inputs; }; - modules = [ - inputs.sops-nix.nixosModules.sops - ./profiles/server1/paperless/nixos.nix - ]; - }; - #ovm swarsel sync = nixpkgs.lib.nixosSystem { specialArgs = { inherit inputs; }; diff --git a/profiles/TEMPLATE/home.nix b/profiles/TEMPLATE/home.nix deleted file mode 100644 index 656ba59..0000000 --- a/profiles/TEMPLATE/home.nix +++ /dev/null 
@@ -1,135 +0,0 @@ -{ config, pkgs, ... }: - -{ - - - - home = { - username = "TEMPLATE"; - homeDirectory = "/home/TEMPLATE"; - stateVersion = "23.05"; # TEMPLATE -- Please read the comment before changing. - keyboard.layout = "us"; # TEMPLATE - home.packages = with pkgs; [ - # --------------------------------------------------------------- - # if schildichat works on this machine, use it, otherwise go for element - # element-desktop - # --------------------------------------------------------------- - ]; - }; - # update path if the sops private key is stored somewhere else - sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; - - # waybar config - TEMPLATE - update for cores and temp - programs.waybar.settings.mainBar = { - #cpu.format = "{icon0} {icon1} {icon2} {icon3}"; - cpu.format = "{icon0} {icon1} {icon2} {icon3} {icon4} {icon5} {icon6} {icon7}"; - temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon1/temp3_input"; - }; - - # ----------------------------------------------------------------- - # is this machine always connected to power? 
If yes, use this block: - # - # programs.waybar.settings.mainBar."custom/pseudobat" = { - # format = ""; - # on-click-right = "wlogout -p layer-shell"; - # }; - # programs.waybar.settings.mainBar.modules-right = [ - # "custom/outer-left-arrow-dark" - # "mpris" - # "custom/left-arrow-light" - # "network" - # "custom/vpn" - # "custom/left-arrow-dark" - # "pulseaudio" - # "custom/left-arrow-light" - # "custom/pseudobat" - # "battery" - # "custom/left-arrow-dark" - # "group/hardware" - # "custom/left-arrow-light" - # "clock#2" - # "custom/left-arrow-dark" - # "clock#1" - # ]; - # - # ----------------------------------------------------------------- - - # ----------------------------------------------------------------- - # if not always connected to power (laptop), use this (default): - - programs.waybar.settings.mainBar.modules-right = [ - "custom/outer-left-arrow-dark" - "mpris" - "custom/left-arrow-light" - "network" - "custom/vpn" - "custom/left-arrow-dark" - "pulseaudio" - "custom/left-arrow-light" - "custom/pseudobat" - "battery" - "custom/left-arrow-dark" - "group/hardware" - "custom/left-arrow-light" - "clock#2" - "custom/left-arrow-dark" - "clock#1" - ]; - - # ----------------------------------------------------------------- - - wayland.windowManager.sway = { - config = rec { - # update for actual inputs here, - input = { - "36125:53060:splitkb.com_Kyria_rev3" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; - "1:1:AT_Translated_Set_2_keyboard" = { - # TEMPLATE - xkb_layout = "us"; - xkb_options = "grp:win_space_toggle"; - # xkb_options = "ctrl:nocaps,grp:win_space_toggle"; - xkb_variant = "altgr-intl"; - }; - "type:touchpad" = { - dwt = "enabled"; - tap = "enabled"; - natural_scroll = "enabled"; - middle_emulation = "enabled"; - }; - - }; - - output = { - DP-1 = { - mode = "2560x1440"; # TEMPLATE - scale = "1"; - bg = "~/.dotfiles/wallpaper/TEMPLATE.png fill"; - }; - }; - - keybindings = - let - inherit (config.wayland.windowManager.sway.config) 
modifier; - in - { - # TEMPLATE - "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkschildi.sh\""; - # "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkelement.sh\""; - }; - - startup = [ - - { command = "nextcloud --background"; } - { command = "vesktop --start-minimized"; } - { command = "element-desktop --hidden -enable-features=UseOzonePlatform -ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; } - { command = "ANKI_WAYLAND=1 anki"; } - { command = "OBSIDIAN_USE_WAYLAND=1 obsidian"; } - { command = "nm-applet"; } - - ]; - }; - }; -} diff --git a/profiles/TEMPLATE/nixos.nix b/profiles/TEMPLATE/nixos.nix deleted file mode 100644 index 39d80bd..0000000 --- a/profiles/TEMPLATE/nixos.nix +++ /dev/null 
@@ -1,104 +0,0 @@ -{ pkgs, ... }: - -{ - - - imports = - [ - ./hardware-configuration.nix - ]; - - - services = { - getty.autologinUser = "TEMPLATE"; - greetd.settings.initial_session.user = "TEMPLATE"; - }; - - # Bootloader - boot.loader.grub = { - enable = true; - device = "/dev/sda"; # TEMPLATE - if only one disk, this will work - useOSProber = true; - }; - - # -------------------------------------- - # you might need a configuration like this instead: - # Bootloader - # boot = { - # kernelPackages = pkgs.linuxPackages_latest; - # loader.grub = { - # enable = true; - # devices = ["nodev" ]; - # useOSProber = true; - # }; - # }; - # -------------------------------------- - - networking.hostName = "TEMPLATE"; # Define your hostname. - - stylix.image = ../../wallpaper/TEMPLATEwp.png; - - enable = true; - base16Scheme = ../../../wallpaper/swarsel.yaml; - # base16Scheme = "${pkgs.base16-schemes}/share/themes/shapeshifter.yaml"; - polarity = "dark"; - opacity.popups = 0.5; - cursor = { - package = pkgs.capitaine-cursors; - name = "capitaine-cursors"; - size = 16; - }; - fonts = { - sizes = { - terminal = 10; - applications = 11; - }; - serif = { - # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; }); - package = pkgs.cantarell-fonts; - # package = pkgs.montserrat; - name = "Cantarell"; - # name = "FiraCode Nerd Font Propo"; - # name = "Montserrat"; - }; - - sansSerif = { - # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; }); - package = pkgs.cantarell-fonts; - # package = pkgs.montserrat; - name = "Cantarell"; - # name = "FiraCode Nerd Font Propo"; - # name = "Montserrat"; - }; - - monospace = { - package = pkgs.nerdfonts; # has overrides - name = "FiraCode Nerd Font Mono"; - }; - - emoji = { - package = pkgs.noto-fonts-emoji; - name = "Noto Color Emoji"; - }; - }; - - - # Configure keymap in X11 (only used for login) - services.xserver.xkb = { - layout = "us"; - variant = "altgr-intl"; - }; - - users.users.TEMPLATE = { - 
isNormalUser = true; - description = "TEMPLATE"; - extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" ]; - packages = with pkgs; [ ]; - }; - - environment.systemPackages = with pkgs; [ - ]; - - system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change - -} diff --git a/profiles/common/home/ssh.nix b/profiles/common/home/ssh.nix index 331ec5e..4a3b584 100644 --- a/profiles/common/home/ssh.nix +++ b/profiles/common/home/ssh.nix @@ -7,69 +7,14 @@ _: SetEnv TERM=xterm-256color ''; matchBlocks = { - "nginx" = { - hostname = "192.168.1.14"; - user = "root"; - }; - "jellyfin" = { - hostname = "192.168.1.16"; - user = "root"; - }; + # Local machines "pfsense" = { hostname = "192.168.1.1"; user = "root"; }; - "proxmox" = { + "winters" = { hostname = "192.168.1.2"; - user = "root"; - }; - "transmission" = { - hostname = "192.168.1.6"; - user = "root"; - }; - "fetcher" = { - hostname = "192.168.1.7"; - user = "root"; - }; - "omv" = { - hostname = "192.168.1.3"; - user = "root"; - }; - "webbot" = { - hostname = "192.168.1.11"; - user = "root"; - }; - "nextcloud" = { - hostname = "192.168.1.5"; - user = "root"; - }; - "sound" = { - hostname = "192.168.1.13"; - user = "root"; - }; - "spotify" = { - hostname = "192.168.1.17"; - user = "root"; - }; - "wordpress" = { - hostname = "192.168.1.9"; - user = "root"; - }; - "turn" = { - hostname = "192.168.1.18"; - user = "root"; - }; - "hugo" = { - hostname = "192.168.1.19"; - user = "root"; - }; - "matrix" = { - hostname = "192.168.1.23"; - user = "root"; - }; - "scroll" = { - hostname = "192.168.1.22"; - user = "root"; + user = "swarsel"; }; "minecraft" = { hostname = "130.61.119.129"; @@ -89,7 +34,6 @@ _: }; "efficient" = { hostname = "g0.complang.tuwien.ac.at"; - forwardAgent = true; user = "ep01427399"; }; }; diff --git a/profiles/mysticant/default.nix b/profiles/mysticant/default.nix index baee810..fc37bc2 100644 --- a/profiles/mysticant/default.nix +++ b/profiles/mysticant/default.nix 
@@ -30,7 +30,7 @@ android-integration = { termux-open.enable = true; - termux-xdg-open.enable = true; + xdg-open.enable = true; termux-open-url.enable = true; termux-reload-settings.enable = true; termux-setup-storage.enable = true; diff --git a/profiles/optional/nixos/work.nix b/profiles/optional/nixos/work.nix index b587e63..c01f145 100644 --- a/profiles/optional/nixos/work.nix +++ b/profiles/optional/nixos/work.nix @@ -1,5 +1,14 @@ { pkgs, ... }: { + sops = { + secrets = { + clad = { }; + dcad = { }; + wsad = { }; + imbad = { }; + }; + }; + # boot.initrd.luks.yubikeySupport = true; programs.browserpass.enable = true; programs._1password.enable = true; diff --git a/profiles/server/common/transmission.nix b/profiles/server/common/transmission.nix index 89a97d7..4f51ef5 100644 --- a/profiles/server/common/transmission.nix +++ b/profiles/server/common/transmission.nix @@ -93,32 +93,32 @@ client_max_body_size 0; ''; }; - "/radarr" = { - proxyPass = "http://127.0.0.1:7878"; + "= /radarr" = { + proxyPass = "http://127.0.0.1:7878/"; extraConfig = '' client_max_body_size 0; ''; }; - "/readarr" = { - proxyPass = "http://127.0.0.1:8787"; + "= /readarr" = { + proxyPass = "http://127.0.0.1:8787/"; extraConfig = '' client_max_body_size 0; ''; }; - "/sonarr" = { - proxyPass = "http://127.0.0.1:8989"; + "= /sonarr" = { + proxyPass = "http://127.0.0.1:8989/"; extraConfig = '' client_max_body_size 0; ''; }; - "/lidarr" = { - proxyPass = "http://127.0.0.1:8686"; + "= /lidarr" = { + proxyPass = "http://127.0.0.1:8686/"; extraConfig = '' client_max_body_size 0; ''; }; - "/prowlarr" = { - proxyPass = "http://127.0.0.1:9696"; + "= /prowlarr" = { + proxyPass = "http://127.0.0.1:9696/"; extraConfig = '' client_max_body_size 0; ''; diff --git a/profiles/server1/TEMPLATE/nixos.nix b/profiles/server1/TEMPLATE/nixos.nix deleted file mode 100644 index e49c3cf..0000000 --- a/profiles/server1/TEMPLATE/nixos.nix +++ /dev/null 
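Review bot: The four new sops secrets (`clad`, `dcad`, `wsad`, `imbad`) are declared with no `owner`, `mode` or comment, so nothing in the hunk says what they contain or which program reads them; a one-line comment per entry such as `# <what it holds>, read by <consumer>` would make the access decision reviewable. With no `owner` set, sops-nix's defaults presumably leave them root-only, which is the right default but will need an `owner` if a non-root service is meant to consume them — please confirm. The literate source in SwarselSystems.org in this same commit spells the last entry `imbad= { };` while this file has `imbad = { };`, so the tangled file and its org block have already drifted; regenerate one from the other so the deployed config matches its source. The hunk also relies on `sops.defaultSopsFile` and the age key path being set by a module outside this file.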
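Review bot: The exact-match form `"= /radarr"` matches only the bare `/radarr` request URI, so `/radarr/...` sub-paths are no longer proxied by this block, and the trailing slash on `proxyPass` strips the matched `/radarr` before forwarding, so the backend sees `/`; the same applies to readarr, sonarr, lidarr and prowlarr. Unless a companion `"/radarr/"` prefix location exists outside this hunk (the enclosing `locations` set starts before and ends after it), this looks like it breaks the apps' API paths behind the proxy. If only the bare path needs special handling, keep the subtree proxied with `"/radarr/" = { proxyPass = "http://127.0.0.1:7878"; ... };` and let `= /radarr` return a redirect to `/radarr/` rather than proxying. This file is the tangled output of the same block in SwarselSystems.org, so whichever shape is chosen needs to land in both.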
@@ -1,41 +0,0 @@ -{ pkgs, modulesPath, ... }: - -{ - imports = [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ]; - - environment.systemPackages = with pkgs; [ - git - gnupg - ssh-to-age - ]; - - services.xserver.xkb = { - layout = "us"; - variant = "altgr-intl"; - }; - - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - - proxmoxLXC = { - manageNetwork = true; # manage network myself - manageHostName = false; # manage hostname myself - }; - networking = { - hostName = "TEMPLATE"; # Define your hostname. - useDHCP = true; - enableIPv6 = false; - firewall.enable = false; - }; - services.openssh = { - enable = true; - settings.PermitRootLogin = "yes"; - }; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../../secrets/keys/authorized_keys - ]; - # users.users.root.password = "TEMPLATE"; - - system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change -} diff --git a/profiles/server1/calibre/hardware-configuration.nix b/profiles/server1/calibre/hardware-configuration.nix deleted file mode 100644 index 7f001b2..0000000 --- a/profiles/server1/calibre/hardware-configuration.nix +++ /dev/null 
@@ -1,27 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ lib, ... }: { - imports = [ ]; - - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "/dev/mapper/pve-vm--120--disk--0"; - fsType = "ext4"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eth0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/profiles/server1/calibre/nixos.nix b/profiles/server1/calibre/nixos.nix deleted file mode 100644 index b8cb066..0000000 --- a/profiles/server1/calibre/nixos.nix +++ /dev/null 
@@ -1,70 +0,0 @@ -{ config, pkgs, modulesPath, ... }: - -{ - imports = [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ./hardware-configuration.nix - ]; - - environment.systemPackages = with pkgs; [ - git - gnupg - ssh-to-age - calibre - ]; - - users.groups.lxc_shares = { - gid = 10000; - members = [ - "kavita" - "calibre-web" - "root" - ]; - }; - - services.xserver.xkb = { - layout = "us"; - variant = "altgr-intl"; - }; - - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - - sops = { - age.sshKeyPaths = [ "/etc/ssh/sops" ]; - defaultSopsFile = "/.dotfiles/secrets/calibre/secrets.yaml"; - validateSopsFiles = false; - secrets.kavita = { owner = "kavita"; }; - }; - proxmoxLXC = { - manageNetwork = true; # manage network myself - manageHostName = false; # manage hostname myself - }; - networking = { - hostName = "calibre"; # Define your hostname. - useDHCP = true; - enableIPv6 = false; - firewall.enable = false; - }; - services.openssh = { - enable = true; - settings.PermitRootLogin = "yes"; - }; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../../secrets/keys/authorized_keys - ]; - - system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change - - environment.shellAliases = { - nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; - }; - - services.kavita = { - enable = true; - user = "kavita"; - port = 8080; - tokenKeyFile = config.sops.secrets.kavita.path; - }; - - -} diff --git a/profiles/server1/jellyfin/hardware-configuration.nix b/profiles/server1/jellyfin/hardware-configuration.nix deleted file mode 100644 index a072c10..0000000 --- a/profiles/server1/jellyfin/hardware-configuration.nix +++ /dev/null 
@@ -1,32 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ lib, ... }: { - imports = [ ]; - - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "/dev/mapper/pve-vm--121--disk--0"; - fsType = "ext4"; - }; - - fileSystems."/media/Videos" = { - device = "//192.168.1.3/Eternor"; - fsType = "cifs"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eth0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/profiles/server1/matrix/hardware-configuration.nix b/profiles/server1/matrix/hardware-configuration.nix deleted file mode 100644 index 639dcac..0000000 --- a/profiles/server1/matrix/hardware-configuration.nix +++ /dev/null 
@@ -1,27 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ lib, ... }: { - imports = [ ]; - - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "/dev/mapper/pve-vm--102--disk--0"; - fsType = "ext4"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eth0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/profiles/server1/matrix/nixos.nix b/profiles/server1/matrix/nixos.nix deleted file mode 100644 index 827d9c7..0000000 --- a/profiles/server1/matrix/nixos.nix +++ /dev/null 
@@ -1,308 +0,0 @@
-{ config, pkgs, modulesPath, sops, ... }:
-let
- matrixDomain = "matrix2.swarsel.win";
-in
-{
-
-
- services = {
- xserver.xkb = {
- layout = "us";
- variant = "altgr-intl";
- };
- openssh = {
- enable = true;
- settings.PermitRootLogin = "yes";
- listenAddresses = [{
- port = 22;
- addr = "0.0.0.0";
- }];
- };
- };
-
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
- proxmoxLXC = {
- manageNetwork = true; # manage network myself
- manageHostName = false; # manage hostname myself
- };
-
- networking = {
- useDHCP = true;
- enableIPv6 = false;
- };
-
- users.users.root.openssh.authorizedKeys.keyFiles = [
- ../../../secrets/keys/authorized_keys
- ];
-
- system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
-
- environment.shellAliases = {
- nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
- };
-
-
- imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
- ./hardware-configuration.nix
- # we import here a service that is not available yet on normal nixpkgs
- # this module is hence not in the modules list, we add it ourselves
- ];
-
- networking = {
- hostName = "matrix"; # Define your hostname.
- firewall.enable = false;
- };
- environment.systemPackages = with pkgs; [
- git
- gnupg
- ssh-to-age
- matrix-synapse
- lottieconverter
- ffmpeg
- ];
-
- sops = {
- age.sshKeyPaths = [ "/etc/ssh/sops" ];
- defaultSopsFile = "/.dotfiles/secrets/matrix/secrets.yaml";
- validateSopsFiles = false;
- secrets = {
- matrixsharedsecret = { owner = "matrix-synapse"; };
- mautrixtelegram_as = { owner = "matrix-synapse"; };
- mautrixtelegram_hs = { owner = "matrix-synapse"; };
- mautrixtelegram_api_id = { owner = "matrix-synapse"; };
- mautrixtelegram_api_hash = { owner = "matrix-synapse"; };
- };
- templates = {
- "matrix_user_register.sh".content = ''
- register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
- '';
- matrixshared = {
- owner = "matrix-synapse";
- content = ''
- registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
- '';
- };
- mautrixtelegram = {
- owner = "matrix-synapse";
- content = ''
- MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
- MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
- MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
- MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
- '';
- };
- };
- };
-
- services.postgresql = {
- enable = true;
- initialScript = pkgs.writeText "synapse-init.sql" ''
- CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
- CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
- TEMPLATE template0
- LC_COLLATE = "C"
- LC_CTYPE = "C";
- CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
- CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
- TEMPLATE template0
- LC_COLLATE = "C"
- LC_CTYPE = "C";
- CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
- CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
- TEMPLATE template0
- LC_COLLATE = "C"
- LC_CTYPE = "C";
- CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
- CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
- TEMPLATE template0
- LC_COLLATE = "C"
- LC_CTYPE = "C";
- '';
- };
-
- services.matrix-synapse = {
- enable = true;
- settings = {
- app_service_config_files = [
- "/var/lib/matrix-synapse/telegram-registration.yaml"
- "/var/lib/matrix-synapse/whatsapp-registration.yaml"
- "/var/lib/matrix-synapse/signal-registration.yaml"
- "/var/lib/matrix-synapse/doublepuppet.yaml"
- ];
- server_name = matrixDomain;
- public_baseurl = "https://${matrixDomain}";
- listeners = [
- {
- port = 8008;
- bind_addresses = [ "0.0.0.0" ];
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [
- {
- names = [ "client" "federation" ];
- compress = true;
- }
- ];
- }
- ];
- };
- extraConfigFiles = [
- config.sops.templates.matrixshared.path
- ];
- };
-
- services.mautrix-telegram = {
- enable = true;
- environmentFile = config.sops.templates.mautrixtelegram.path;
- settings = {
- homeserver = {
- address = "http://localhost:8008";
- domain = matrixDomain;
- };
- appservice = {
- address = "http://localhost:29317";
- hostname = "0.0.0.0";
- port = "29317";
- provisioning.enabled = true;
- id = "telegram";
- # ephemeral_events = true; # not needed due to double puppeting
- public = {
- enabled = false;
- };
- database = "postgresql:///mautrix-telegram?host=/run/postgresql";
- };
- bridge = {
- relaybot.authless_portals = true;
- allow_avatar_remove = true;
- allow_contact_info = true;
- sync_channel_members = true;
- startup_sync = true;
- sync_create_limit = 0;
- sync_direct_chats = true;
- telegram_link_preview = true;
- permissions = {
- "*" = "relaybot";
- "@swarsel:${matrixDomain}" = "admin";
- };
- animated_sticker = {
- target = "gif";
- args = {
- width = 256;
- height = 256;
- fps = 30; # only for webm
- background = "020202"; # only for gif, transparency not supported
- };
- };
- };
- };
- };
- systemd.services.mautrix-telegram.path = with pkgs; [
- lottieconverter # for animated stickers conversion, unfree package
- ffmpeg # if converting animated stickers to webm (very slow!)
- ];
-
- services.mautrix-whatsapp = {
- enable = true;
- settings = {
- homeserver = {
- address = "http://localhost:8008";
- domain = matrixDomain;
- };
- appservice = {
- address = "http://localhost:29318";
- hostname = "0.0.0.0";
- port = 29318;
- database = {
- type = "postgres";
- uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql";
- };
- };
- bridge = {
- displayname_template = "{{or .FullName .PushName .JID}} (WA)";
- history_sync = {
- backfill = true;
- max_initial_conversations = -1;
- message_count = -1;
- request_full_sync = true;
- full_sync_config = {
- days_limit = 900;
- size_mb_limit = 5000;
- storage_quota_mb = 5000;
- };
- };
- login_shared_secret_map = {
- matrixDomain = "as_token:doublepuppet";
- };
- sync_manual_marked_unread = true;
- send_presence_on_typing = true;
- parallel_member_sync = true;
- url_previews = true;
- caption_in_message = true;
- extev_polls = true;
- permissions = {
- "*" = "relaybot";
- "@swarsel:${matrixDomain}" = "admin";
- };
- };
- };
- };
-
- services.mautrix-signal = {
- enable = true;
- settings = {
- homeserver = {
- address = "http://localhost:8008";
- domain = matrixDomain;
- };
- appservice = {
-
- address = "http://localhost:29328";
- hostname = "0.0.0.0";
- port = 29328;
- database = {
- type = "postgres";
- uri = "postgresql:///mautrix-signal?host=/run/postgresql";
- };
- };
- bridge = {
- displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)";
- login_shared_secret_map = {
- matrixDomain = "as_token:doublepuppet";
- };
- caption_in_message = true;
- permissions = {
- "*" = "relaybot";
- "@swarsel:${matrixDomain}" = "admin";
- };
- };
- };
- };
-
- # restart the bridges daily. this is done for the signal bridge mainly which stops carrying
- # messages out after a while.
-
- systemd.timers."restart-bridges" = {
- wantedBy = [ "timers.target" ];
- timerConfig = {
- OnBootSec = "1d";
- OnUnitActiveSec = "1d";
- Unit = "restart-bridges.service";
- };
- };
-
- systemd.services."restart-bridges" = {
- script = ''
- systemctl restart mautrix-whatsapp.service
- systemctl restart mautrix-signal.service
- systemctl restart mautrix-telegram.service
- '';
- serviceConfig = {
- Type = "oneshot";
- User = "root";
- };
- };
-
-}
diff --git a/profiles/server1/nginx/hardware-configuration.nix b/profiles/server1/nginx/hardware-configuration.nix
deleted file mode 100644
index 030f8ce..0000000
--- a/profiles/server1/nginx/hardware-configuration.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ lib, ... }: {
- imports = [ ];
-
- boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" = {
- device = "/dev/mapper/pve-vm--119--disk--0";
- fsType = "ext4";
- };
-
- swapDevices = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/profiles/server1/nginx/nixos.nix b/profiles/server1/nginx/nixos.nix
deleted file mode 100644
index 20fc44a..0000000
--- a/profiles/server1/nginx/nixos.nix
+++ /dev/null
@@ -1,205 +0,0 @@
-{ config, pkgs, modulesPath, ... }:
-{
- imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
- ./hardware-configuration.nix
- ];
-
- environment.systemPackages = with pkgs; [
- git
- gnupg
- ssh-to-age
- lego
- nginx
- ];
-
- services.xserver.xkb = {
- layout = "us";
- variant = "altgr-intl";
- };
-
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
- sops = {
- age.sshKeyPaths = [ "/etc/ssh/sops" ];
- defaultSopsFile = "/.dotfiles/secrets/nginx/secrets.yaml";
- validateSopsFiles = false;
- secrets.dnstokenfull = { owner = "acme"; };
- templates."certs.secret".content = ''
- CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
- '';
- };
- proxmoxLXC = {
- manageNetwork = true; # manage network myself
- manageHostName = false; # manage hostname myself
- };
- networking = {
- hostName = "nginx"; # Define your hostname.
- useDHCP = true;
- enableIPv6 = false;
- firewall.enable = false;
- };
- services.openssh = {
- enable = true;
- settings.PermitRootLogin = "yes";
- };
- users.users.root.openssh.authorizedKeys.keyFiles = [
- ../../../secrets/keys/authorized_keys
- ];
- # users.users.root.password = "TEMPLATE";
-
- system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
-
- security.acme = {
- acceptTerms = true;
- preliminarySelfsigned = false;
- defaults.email = "mrswarsel@gmail.com";
- defaults.dnsProvider = "cloudflare";
- defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
- };
-
- environment.shellAliases = {
- nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
- };
-
- services.nginx = {
- enable = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- virtualHosts = {
-
-
- "stash.swarsel.win" = {
- enableACME = true;
- forceSSL = true;
- acmeRoot = null;
- locations = {
- "/" = {
- proxyPass = "https://192.168.1.5";
- extraConfig = ''
- client_max_body_size 0;
- '';
- };
- # "/push/" = {
- # proxyPass = "http://192.168.2.5:7867";
- # };
- "/.well-known/carddav" = {
- return = "301 $scheme://$host/remote.php/dav";
- };
- "/.well-known/caldav" = {
- return = "301 $scheme://$host/remote.php/dav";
- };
- };
- };
-
- "matrix2.swarsel.win" = {
- enableACME = true;
- forceSSL = true;
- acmeRoot = null;
- locations = {
- "~ ^(/_matrix|/_synapse/client)" = {
- proxyPass = "http://192.168.1.23:8008";
- extraConfig = ''
- client_max_body_size 0;
- '';
- };
- };
- };
-
-
- "sound.swarsel.win" = {
- enableACME = true;
- forceSSL = true;
- acmeRoot = null;
- locations = {
- "/" = {
- proxyPass = "http://192.168.1.13:4040";
- proxyWebsockets = true;
- extraConfig = ''
- proxy_redirect http:// https://;
- proxy_read_timeout 600s;
- proxy_send_timeout 600s;
- proxy_buffering off;
- proxy_request_buffering off;
- client_max_body_size 0;
- '';
- };
- };
- };
-
- "scan.swarsel.win" = {
- enableACME = true;
- forceSSL = true;
- acmeRoot = null;
- locations = {
- "/" = {
- proxyPass = "http://192.168.1.24:28981";
- extraConfig = ''
- client_max_body_size 0;
- '';
- };
- };
- };
-
- "screen.swarsel.win" = {
- enableACME = true;
- forceSSL = true;
- acmeRoot = null;
- locations = {
- "/" = {
- proxyPass = "http://192.168.1.16:8096";
- extraConfig = ''
- client_max_body_size 0;
- '';
- };
- };
- };
-
- "matrix.swarsel.win" = {
- enableACME = true;
- forceSSL = true;
- acmeRoot = null;
- locations = {
- "~ ^(/_matrix|/_synapse/client)" = {
- proxyPass = "http://192.168.1.20:8008";
- extraConfig = ''
- client_max_body_size 0;
- '';
- };
- };
- };
-
- "scroll.swarsel.win" = {
- enableACME = true;
- forceSSL = true;
- acmeRoot = null;
- locations = {
- "/" = {
- proxyPass = "http://192.168.1.22:8080";
- extraConfig = ''
- client_max_body_size 0;
- '';
- };
- };
- };
-
- "blog.swarsel.win" = {
- enableACME = true;
- forceSSL = true;
- acmeRoot = null;
- locations = {
- "/" = {
- proxyPass = "https://192.168.1.7";
- extraConfig = ''
- client_max_body_size 0;
- '';
- };
- };
- };
-
- };
- };
-
-}
diff --git a/profiles/server1/paperless/hardware-configuration.nix b/profiles/server1/paperless/hardware-configuration.nix
deleted file mode 100644
index 208f084..0000000
--- a/profiles/server1/paperless/hardware-configuration.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ lib, ... }: {
- imports = [ ];
-
- boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" = {
- device = "/dev/mapper/pve-vm--117--disk--0";
- fsType = "ext4";
- };
-
- swapDevices = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/profiles/server1/paperless/nixos.nix b/profiles/server1/paperless/nixos.nix
deleted file mode 100644
index 323413e..0000000
--- a/profiles/server1/paperless/nixos.nix
+++ /dev/null
@@ -1,94 +0,0 @@
-{ config, pkgs, modulesPath, ... }:
-
-{
-
- imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
- ./hardware-configuration.nix
- ];
-
-
-
- services = {
- xserver.xkb = {
- layout = "us";
- variant = "altgr-intl";
- };
- openssh = {
- enable = true;
- settings.PermitRootLogin = "yes";
- listenAddresses = [{
- port = 22;
- addr = "0.0.0.0";
- }];
- };
- };
-
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
- proxmoxLXC = {
- manageNetwork = true; # manage network myself
- manageHostName = false; # manage hostname myself
- };
-
- networking = {
- useDHCP = true;
- enableIPv6 = false;
- };
-
- users.users.root.openssh.authorizedKeys.keyFiles = [
- ../../../secrets/keys/authorized_keys
- ];
-
- system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
-
- environment.shellAliases = {
- nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
- };
-
-
-
- users.groups.lxc_shares = {
- gid = 10000;
- members = [
- "paperless"
- "root"
- ];
- };
-
- environment.systemPackages = with pkgs; [
- git
- gnupg
- ssh-to-age
- ];
-
- networking = {
- hostName = "paperless"; # Define your hostname.
- firewall.enable = false;
- };
-
- sops = {
- age.sshKeyPaths = [ "/etc/ssh/sops" ];
- defaultSopsFile = "/root/.dotfiles/secrets/paperless/secrets.yaml";
- validateSopsFiles = false;
- secrets.admin = { owner = "paperless"; };
- };
-
- services.paperless = {
- enable = true;
- mediaDir = "/media";
- user = "paperless";
- port = 28981;
- passwordFile = config.sops.secrets.admin.path;
- address = "0.0.0.0";
- extraConfig = {
- PAPERLESS_OCR_LANGUAGE = "deu+eng";
- PAPERLESS_URL = "scan.swarsel.win";
- PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
- optimize = 1;
- pdfa_image_compression = "lossless";
- };
- };
- };
-
-}
diff --git a/profiles/server1/sound/hardware-configuration.nix b/profiles/server1/sound/hardware-configuration.nix
deleted file mode 100644
index 2050883..0000000
--- a/profiles/server1/sound/hardware-configuration.nix +++ /dev/null @@ -1,33 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ lib, ... }: { - imports = [ ]; - - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "/mnt/data/images/118/vm-118-disk-0.raw"; - fsType = "ext4"; - options = [ "loop" ]; - }; - - fileSystems."/media" = { - device = "//192.168.1.3/Eternor"; - fsType = "cifs"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eth0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/profiles/server1/sound/nixos.nix b/profiles/server1/sound/nixos.nix deleted file mode 100644 index cdb0316..0000000 --- a/profiles/server1/sound/nixos.nix +++ /dev/null 
@@ -1,152 +0,0 @@
-{ config, pkgs, modulesPath, ... }:
-
-{
-
- imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
- ./hardware-configuration.nix
- ];
-
-
-
- services = {
- xserver.xkb = {
- layout = "us";
- variant = "altgr-intl";
- };
- openssh = {
- enable = true;
- settings.PermitRootLogin = "yes";
- listenAddresses = [{
- port = 22;
- addr = "0.0.0.0";
- }];
- };
- };
-
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
- proxmoxLXC = {
- manageNetwork = true; # manage network myself
- manageHostName = false; # manage hostname myself
- };
-
- networking = {
- useDHCP = true;
- enableIPv6 = false;
- };
-
- users.users.root.openssh.authorizedKeys.keyFiles = [
- ../../../secrets/keys/authorized_keys
- ];
-
- system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
-
- environment.shellAliases = {
- nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
- };
-
-
-
- proxmoxLXC.privileged = true; # manage hostname myself
-
- users = {
- groups = {
- lxc_pshares = {
- gid = 110000;
- members = [
- "navidrome"
- "mpd"
- "root"
- ];
- };
-
- navidrome = {
- gid = 61593;
- };
-
- mpd = { };
- };
-
- users = {
- navidrome = {
- isSystemUser = true;
- uid = 61593;
- group = "navidrome";
- extraGroups = [ "audio" "utmp" ];
- };
-
- mpd = {
- isSystemUser = true;
- group = "mpd";
- extraGroups = [ "audio" "utmp" ];
- };
- };
- };
-
- sound = {
- enable = true;
- };
-
- hardware.enableAllFirmware = true;
- networking = {
- hostName = "sound"; # Define your hostname.
- firewall.enable = false;
- };
- environment.systemPackages = with pkgs; [
- git
- gnupg
- ssh-to-age
- pciutils
- alsa-utils
- mpv
- ];
-
- sops = {
- age.sshKeyPaths = [ "/etc/ssh/sops" ];
- defaultSopsFile = "/.dotfiles/secrets/sound/secrets.yaml";
- validateSopsFiles = false;
- secrets.mpdpass = { owner = "mpd"; };
- };
-
- services.navidrome = {
- enable = true;
- settings = {
- Address = "0.0.0.0";
- Port = 4040;
- MusicFolder = "/media";
- EnableSharing = true;
- EnableTranscodingConfig = true;
- Scanner.GroupAlbumReleases = true;
- ScanSchedule = "@every 1d";
- # Insert these values locally as sops-nix does not work for them
- LastFM.ApiKey = TEMPLATE;
- LastFM.Secret = TEMPLATE;
- Spotify.ID = TEMPLATE;
- Spotify.Secret = TEMPLATE;
- UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png";
- UIWelcomeMessage = "~SwarselSound~";
- };
- };
- services.mpd = {
- enable = true;
- musicDirectory = "/media";
- user = "mpd";
- group = "mpd";
- network = {
- port = 3254;
- listenAddress = "any";
- };
- credentials = [
- {
- passwordFile = config.sops.secrets.mpdpass.path;
- permissions = [
- "read"
- "add"
- "control"
- "admin"
- ];
- }
- ];
- };
-}
diff --git a/profiles/server1/spotifyd/hardware-configuration.nix b/profiles/server1/spotifyd/hardware-configuration.nix
deleted file mode 100644
index dcdcfd0..0000000
--- a/profiles/server1/spotifyd/hardware-configuration.nix
+++ /dev/null
@@ -1,27 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ lib, ... }: { - imports = [ ]; - - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "/dev/mapper/pve-vm--123--disk--0"; - fsType = "ext4"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eth0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/profiles/server1/spotifyd/nixos.nix b/profiles/server1/spotifyd/nixos.nix deleted file mode 100644 index 90506b9..0000000 --- a/profiles/server1/spotifyd/nixos.nix +++ /dev/null 
@@ -1,93 +0,0 @@
-{ pkgs, modulesPath, ... }:
-
-{
-
- imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
- ./hardware-configuration.nix
- ];
-
-
-
- services = {
- xserver.xkb = {
- layout = "us";
- variant = "altgr-intl";
- };
- openssh = {
- enable = true;
- settings.PermitRootLogin = "yes";
- listenAddresses = [{
- port = 22;
- addr = "0.0.0.0";
- }];
- };
- };
-
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
- proxmoxLXC = {
- manageNetwork = true; # manage network myself
- manageHostName = false; # manage hostname myself
- };
-
- networking = {
- useDHCP = true;
- enableIPv6 = false;
- };
-
- users.users.root.openssh.authorizedKeys.keyFiles = [
- ../../../secrets/keys/authorized_keys
- ];
-
- system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
-
- environment.shellAliases = {
- nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
- };
-
-
-
- proxmoxLXC.privileged = true; # manage hostname myself
-
- users.groups.spotifyd = {
- gid = 65136;
- };
-
- users.users.spotifyd = {
- isSystemUser = true;
- uid = 65136;
- group = "spotifyd";
- extraGroups = [ "audio" "utmp" ];
- };
-
- sound = {
- enable = true;
- };
-
- hardware.enableAllFirmware = true;
- networking = {
- hostName = "spotifyd"; # Define your hostname.
- firewall.enable = false;
- };
- environment.systemPackages = with pkgs; [
- git
- gnupg
- ssh-to-age
- ];
-
- services.spotifyd = {
- enable = true;
- settings = {
- global = {
- dbus_type = "session";
- use_mpris = false;
- device = "default:CARD=PCH";
- device_name = "SwarselSpot";
- mixer = "alsa";
- zeroconf_port = 1025;
- };
- };
- };
-
-}
diff --git a/profiles/server1/transmission/hardware-configuration.nix b/profiles/server1/transmission/hardware-configuration.nix
deleted file mode 100644
index 293818e..0000000
--- a/profiles/server1/transmission/hardware-configuration.nix
+++ /dev/null
@@ -1,27 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ lib, ... }: { - imports = [ ]; - - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "/dev/mapper/pve-vm--122--disk--0"; - fsType = "ext4"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eth0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/profiles/server1/transmission/nixos.nix b/profiles/server1/transmission/nixos.nix deleted file mode 100644 index b94a621..0000000 --- a/profiles/server1/transmission/nixos.nix +++ /dev/null 
@@ -1,275 +0,0 @@
-{ config, pkgs, modulesPath, ... }:
-
-{
- imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
- ./hardware-configuration.nix
- # ./openvpn.nix #this file holds the vpn login data
- ];
-
- environment.systemPackages = with pkgs; [
- git
- gnupg
- ssh-to-age
- openvpn
- jq
- iptables
- busybox
- wireguard-tools
- ];
-
- users.groups.lxc_shares = {
- gid = 10000;
- members = [
- "vpn"
- "radarr"
- "sonarr"
- "lidarr"
- "readarr"
- "root"
- ];
- };
- users.groups.vpn = { };
-
- users.users.vpn = {
- isNormalUser = true;
- group = "vpn";
- home = "/home/vpn";
- };
-
- services.xserver.xkb = {
- layout = "us";
- variant = "altgr-intl";
- };
-
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
- sops = {
- age.sshKeyPaths = [ "/etc/ssh/sops" ];
- defaultSopsFile = "/.dotfiles/secrets/transmission/secrets.yaml";
- validateSopsFiles = false;
- };
-
- boot.kernelModules = [ "tun" ];
- proxmoxLXC = {
- manageNetwork = true; # manage network myself
- manageHostName = false; # manage hostname myself
- };
- networking = {
- hostName = "transmission"; # Define your hostname.
- useDHCP = true;
- enableIPv6 = false;
- firewall.enable = false;
- };
-
- services = {
- radarr = {
- enable = true;
- };
- readarr = {
- enable = true;
- };
- sonarr = {
- enable = true;
- };
- lidarr = {
- enable = true;
- };
- prowlarr = {
- enable = true;
- };
- };
-
- networking.iproute2 = {
- enable = true;
- rttablesExtraConfig = ''
- 200 vpn
- '';
- };
- environment.etc = {
- "openvpn/iptables.sh" =
- {
- source = ../../../scripts/server1/iptables.sh;
- mode = "0755";
- };
- "openvpn/update-resolv-conf" =
- {
- source = ../../../scripts/server1/update-resolv-conf;
- mode = "0755";
- };
- "openvpn/routing.sh" =
- {
- source = ../../../scripts/server1/routing.sh;
- mode = "0755";
- };
- "openvpn/ca.rsa.2048.crt" =
- {
- source = ../../../secrets/certs/ca.rsa.2048.crt;
- mode = "0644";
- };
- "openvpn/crl.rsa.2048.pem" =
- {
- source = ../../../secrets/certs/crl.rsa.2048.pem;
- mode = "0644";
- };
- };
- services.openssh = {
- enable = true;
- settings.PermitRootLogin = "yes";
- listenAddresses = [{
- port = 22;
- addr = "0.0.0.0";
- }];
- };
- users.users.root.openssh.authorizedKeys.keyFiles = [
- ../../../secrets/keys/authorized_keys
- ];
-
- system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
- # users.users.root.password = "TEMPLATE";
-
- environment.shellAliases = {
- nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
- };
-
- sops = {
- templates = {
- "transmission-rpc" = {
- owner = "vpn";
- content = builtins.toJSON {
- rpc-username = config.sops.placeholder.rpcuser;
- rpc-password = config.sops.placeholder.rpcpass;
- };
- };
-
- pia.content = ''
- ${config.sops.placeholder.vpnuser}
- ${config.sops.placeholder.vpnpass}
- '';
-
- vpn.content = ''
- client
- dev tun
- proto ${config.sops.placeholder.vpnprot}
- remote ${config.sops.placeholder.vpnloc}
- resolv-retry infinite
- nobind
- persist-key
- persist-tun
- cipher aes-128-cbc
- auth sha1
- tls-client
- remote-cert-tls server
-
- auth-user-pass ${config.sops.templates.pia.path}
- compress
- verb 1
- reneg-sec 0
-
- crl-verify /etc/openvpn/crl.rsa.2048.pem
- ca /etc/openvpn/ca.rsa.2048.crt
-
- disable-occ
- dhcp-option DNS 209.222.18.222
- dhcp-option DNS 209.222.18.218
- dhcp-option DNS 8.8.8.8
- route-noexec
- '';
- };
- secrets = {
- vpnuser = { };
- rpcuser = { owner = "vpn"; };
- vpnpass = { };
- rpcpass = { owner = "vpn"; };
- vpnprot = { };
- vpnloc = { };
- };
- };
- services.openvpn.servers = {
- pia = {
- autoStart = false;
- updateResolvConf = true;
- config = "config ${config.sops.templates.vpn.path}";
- };
- };
-
- services.transmission = {
- enable = true;
- credentialsFile = config.sops.templates."transmission-rpc".path;
- user = "vpn";
- group = "lxc_shares";
- settings = {
-
- alt-speed-down = 8000;
- alt-speed-enabled = false;
- alt-speed-time-begin = 0;
- alt-speed-time-day = 127;
- alt-speed-time-enabled = true;
- alt-speed-time-end = 360;
- alt-speed-up = 2000;
- bind-address-ipv4 = "0.0.0.0";
- bind-address-ipv6 = "::";
- blocklist-enabled = false;
- blocklist-url = "http://www.example.com/blocklist";
- cache-size-mb = 4;
- dht-enabled = false;
- download-dir = "/media/Eternor/New";
- download-limit = 100;
- download-limit-enabled = 0;
- download-queue-enabled = true;
- download-queue-size = 5;
- encryption = 2;
- idle-seeding-limit = 30;
- idle-seeding-limit-enabled = false;
- incomplete-dir = "/var/lib/transmission-daemon/Downloads";
- incomplete-dir-enabled = false;
- lpd-enabled = false;
- max-peers-global = 200;
- message-level = 1;
- peer-congestion-algorithm = "";
- peer-id-ttl-hours = 6;
- peer-limit-global = 100;
- peer-limit-per-torrent = 40;
- peer-port = 22371;
- peer-port-random-high = 65535;
- peer-port-random-low = 49152;
- peer-port-random-on-start = false;
- peer-socket-tos = "default";
- pex-enabled = false;
- port-forwarding-enabled = false;
- preallocation = 1;
- prefetch-enabled = true;
- queue-stalled-enabled = true;
- queue-stalled-minutes = 30;
- ratio-limit = 2;
- ratio-limit-enabled = false;
- rename-partial-files = true;
- rpc-authentication-required = true;
- rpc-bind-address = "0.0.0.0";
- rpc-enabled = true;
- rpc-host-whitelist = "";
- rpc-host-whitelist-enabled = true;
- rpc-port = 9091;
- rpc-url = "/transmission/";
- rpc-whitelist = "127.0.0.1,192.168.3.2";
- rpc-whitelist-enabled = true;
- scrape-paused-torrents-enabled = true;
- script-torrent-done-enabled = false;
- seed-queue-enabled = false;
- seed-queue-size = 10;
- speed-limit-down = 6000;
- speed-limit-down-enabled = true;
- speed-limit-up = 500;
- speed-limit-up-enabled = true;
- start-added-torrents = true;
- trash-original-torrent-files = false;
- umask = 2;
- upload-limit = 100;
- upload-limit-enabled = 0;
- upload-slots-per-torrent = 14;
- utp-enabled = false;
- };
- };
-
-
-}
diff --git a/secrets/calibre/secrets.yaml b/secrets/calibre/secrets.yaml
deleted file mode 100644
index 1a5c0e5..0000000
--- a/secrets/calibre/secrets.yaml
+++ /dev/null
@@ -1,55 +0,0 @@ -smbuser: ENC[AES256_GCM,data:Xlz/NzVjKk0=,iv:DvhZOoOb0eXc4jIZPwDXGRkZxWI4Fg5MC9s1IRhYWuY=,tag:ApTT/Y9K7p0uPRZAlXgekA==,type:str] -smbpassword: ENC[AES256_GCM,data:t5ic3YoNkc3k2brjN6ZRjNKPEYD9WKk=,iv:lBtSSuEnUKipapqq7gYWmkdA8tcMIZuNy8EmqqKHFWU=,tag:qas1f2wlZm0mpcgPhsZtPA==,type:str] -smbdomain: ENC[AES256_GCM,data:TepG9EMhs8I=,iv:w+CxqNxrjIBx2G33EoKkLSuTHrSSzvDQ2JXuOHtUTmw=,tag:oy5vKyhYc/bOV76xEDaVqA==,type:str] -kavita: ENC[AES256_GCM,data:g+2WXcm7d8OxLhrtWXx15SdRx8VXax1SG2GHoWizXDUZEKnEwlQe7/Yk6DQ=,iv:bQ9s5z6jNGkf59cxzR1o+etA+GA3Y8L6Bgfv9e1Txww=,tag:NOB7iBH3yoE0/DtmuQyaBg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1q2k4j9m6ge6dgygehulzd8vqjcdgv5s7s4zrferaq29qlu94a4uqpv76s5 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGejQ4Vm9KWlJYeW9UdElP - MWVUNWx5V3dDQWNPSkRJNjl2a3ZLWVpQMXdJCkdjVlh6andkM0oyMWkvaDd5Zi9H - eEVZalFYQjNpQUszUW5HV1gzRU9FVXMKLS0tIGorWGRnQkE3TXhYRHArMDUrQU4v - UnVYNGRlZTRoZ29YQ1B5S0U1ZE84VHMKgp2XRaVtRcubXfjttQfk9UKbqZ6EbL/O - coZUAPXRrT//oRh2JFu0Q4+5zoewI2j1DhUS9HuejM5CIColYUasJg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-23T04:28:28Z" - mac: ENC[AES256_GCM,data:aLI7dMi2merChhkQaqmrlbvC2V6Bh0D67RE1RxTqZLYmFE8AINBewBka1ktIVc83IYYFyhpTLZDmhZF5q3McIOGXjlZUcEDtb1C2zZZEkXJrbFe3yoZG+DE/fOB4I2uXjzp5iOG+lZyWAGQgrSHMSFV+IbAg4bb++OilZ2oXWYk=,iv:M+rOanpm+LakksTb4jCzZph3zC7MI6XeV7nyXN7qo50=,tag:Ec+HJtUtzUtrxbeCe+wDJg==,type:str] - pgp: - - created_at: "2023-12-22T23:23:45Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAwDh3VI7VctTAQ//Y7LOX5knf4s2Dku9DsVIgxUe5Ox3u65uBKL6vTE5tLuN - Oeuyvd8eGaOWvPWcu/7bbr2Nd5Y3fyyG6yTSzjweyvPgnNbBswaYZxPhj+GfHSL/ - yRcdEVX8QTEirlUYhFTVuD3LLGAxiJI5dvIHF87FGfr9U+xiTg9fblwFlEGb9F5q - TYUOSLvXUS6KbSuGnNQR7kZua2eZ/nvAIW9gVh1RrTjLzSyGdPgiqRFC657MFOvP - IlVOVKEngY+FTFBUH8kRzAxAz94Gtern2oqpuuQu0agriizeE6TA9OPOoMNGhsQD - C/DK+pa8AQ2JV17iy64rPkpRGGXr7PqEEmV386z6+O6Nbq0e+1lqigPYkxJqWJjR - 
5K55znA7jRxdit6AN978pKerY9xSmbiRx35qWoGa2WK3iZ5ACcsXbAxW4lHagmdH - TmcIB4qzzHdsYQ/TxLcUioFx1EooiNZ59Asa+Lj16QgMAyDF9SZ6Z8HhQGwIBdub - HNvu8+f3/D70I7/DreortuwSvzV370+OBb0knoVZcG+i7DlAM64LukZmety9PJIj - JhUVdvp/haL7FWI7zU2Aj5j/kXGKjmYlb3N5Zes3I+MLXdL+8qqeOG+NsQR0Xvxq - xEsgEUyqaXuMwJfyPFw89NkF7oj3qqWlbnLGBEXcrXRI28Urkpwet1Z//p+WpDCF - AgwDC9FRLmchgYQBD/4lskxdD99hF0I5Zx2h8Lt1UqXI+lMROqRjjTI726Z+R7xK - 2PEJ4l2neJIP02QMm3HTAOQJ5P5t0Lb0kM1vbBY8WOF3v6aLt6Va8pwBF6TxlfGn - 5UUCUQ8nLwHUyKGAI+atveZCcUkyfhy3y4pMbXK6BQ+2tbLGEjFeqVeakk9e5MGo - 8BwYbU0Rr4KqAeSVkYb/qCErycM9fQb07r8xiPqSnKuZe4RxolWfMTnwP6IEI3GJ - AteS6MdMOtK1BufP/XKX80aXIY9U/BimyEndmT4b/83aAid42xPH25BZTfC0r0Wh - EArA0CR2rop7wE1GQq1R+stet4kSyBPWefvJg3wVSpF3Xj/IsJHz3LAp452v18W5 - rEWa8bzUT3vlVBjINhoqUJt4VHGx74kJml6WY334XyCy2xxY1C3sSD53tw3O34Qf - rmcV6m/BeCwL4t4rsG+vWzwaZSmjqr1D6H4JI9h2HvwXb45y4m28OewvAu0FMcyK - tpjxnwdXAOQC/GdgKPuM1eomgurGBrfCeHbfXHsu3n2LPTm6RULWKW4jzj9dbjCC - CuD4IzflExz8E+lqTBW4CppBgfCBDx5IIS1sv7YVfqFf1Upl434kknKffkmkq6mk - G70ATAlUX8Ci94rUv/JCokCj5GcIzVmKUiI+zq0rCQKxcJ6uLMFYZGQ9v34kQ9Je - AQ+3j+iSzV7DGtkdHI9LEAsLj6ZeFPtePULfxsHc3tjfpUFTQgurMS/QDojQMMEn - 73sQEYv+ihSsV+WToRpgExM1ANIEZ5eFTloxKKmULkYQ6tiL8SIywxz1vJW81A== - =nyE3 - -----END PGP MESSAGE----- - fp: 4BE7925262289B476DBBC17B76FD3810215AE097 - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/matrix/secrets.yaml b/secrets/matrix/secrets.yaml deleted file mode 100644 index a779a2f..0000000 --- a/secrets/matrix/secrets.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -matrixsharedsecret: ENC[AES256_GCM,data:0VA//FJ+vlFAKpMPIHw/VLsXMgN5pnGwqXr8Xow5F/I9R5IgVip7b4qUPx+PU32D7eeEhW8QgbrwjeqI5wrt3g==,iv:A2iAYeDRQf1SFyF2hEKK1TLakcM40HBJMyi+Sv0rRuU=,tag:t+B6OFe1gNQg3w6qlU1AOQ==,type:str] -mautrixtelegram_as: ENC[AES256_GCM,data:6i7JlAbz3OwhxQjftjkHB4o9YCYhMmnHNgRW0cnXLcMYsG3SME5b5RLOvGgavvIG+9HBv45fZRIICh1K6xZ1ZQ==,iv:FXC15XJZxwepIP1QEWceQlthwyISsiA89w5MXrxUDnI=,tag:hfnDn1rEhPENKDvpXH9sgQ==,type:str] -mautrixtelegram_hs: ENC[AES256_GCM,data:ZMXfosvSZlMs/IEVNfhYRWrjS0l4u2Fc3u+nB3nrTGXuQNXN7X65y8fbbzLVSX2TKgPK1HOiQjtTcIxX+GstFA==,iv:xQkD+152yfOQM0S9ZtlEb0VV8EROLkPeD54Y9/FHkzk=,tag:8qCOZLQY6a0+9bKP4PqV6Q==,type:str] -mautrixtelegram_api_id: ENC[AES256_GCM,data:paljhNLosw==,iv:D4hiwm5/3nUoNRdcN3yoJMGE3anUIJ8lEQYbN48v4/Y=,tag:SpZ/9phnQI+F5m9OTGxU1A==,type:str] -mautrixtelegram_api_hash: ENC[AES256_GCM,data:GoVLL22uNQMNxlesc3pmuSWxz6YVTMIu4VBnQO0Y1jc=,iv:WSOZlHrWCBgCdCl+CAsc+FrGzTH79+GePMUCm+0/FCg=,tag:Ti6MNpjBBbUnmtRIVAPBwQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1t2uj8arq8nnmd5s3h32p7z7masj2gqe5ec49dtr8ex2nlgef3yfqtgcnj6 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUGwrb0VncGtIc1BPN0N0 - dGpLamE5R05GQnp4VXYrekttTEFvQ1BZNEVzCjl1K0syTEQwTWZqRUVWREtuZ0U5 - VHo2WEF5dUwvZlhJOWZDcXdWWDZ4OGcKLS0tIE1YRDMzbVMwMU1ZL0RjbmkyRm1y - L0Fobml3T3puL2Z0dW5EaEZQSEdZRFkK/nnz1NrsGqU0MYV+4T9gRMP/iMkCWWB1 - B0yqYsJjUuWLIr1DckTF8di+uLIAwM9l/3t64dAsQPrEfkatGkh3+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-29T21:35:56Z" - mac: ENC[AES256_GCM,data:MeJ+FU+5AFMPrZpze7F0f5Of17lvNq1xdjOjLt4zNSO7qdwxEjtVLneQcIMMNAuDi5Uv20bCA83qFz7xPtwZ1Ftw36tySh/yrrsqTwIPNTZtZKzDvrHcxZsoi4VTvLnFR8b+Mxw+60LUxnztIPAHDcfbqaAGDaK7oKKZpj/jiMc=,iv:U73mNdp7vt19lHcjjzpSv6jaPMoHf3cwYi3SlbK5MdA=,tag:CwNHYXtBypDk5lt54U+Ihg==,type:str] - pgp: - - created_at: "2023-12-29T21:35:36Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - 
hQIMAwDh3VI7VctTAQ//UtkRIJ7tpD27NQK+pFXWjurxppYbyTtt4ZvBiHLkUTFW - Em9gjI2n90rSYdy+Nf4EpnaVRoSmjkjlJbNWp14GDfxegrmgSd2QY1dFCl5UYBLD - a6inlamwajmAlSHXW4JpMvbvSdqcnGX2AKkUvvoFsFrTCekqBRWiqxOW15MAKRLY - GWlJ6uVeqvyNOtEy4FCC4OOHb8yh/qHttboN5JtOukJtTGPrrN1W457sgB7SEm7G - df4OzynX9X7Utz9+HvIHTbvLlvUdL05ATVRJMa4PIwKUzWf8bLciZh2DYDEUOh5E - G6G9AL7t9E6kNeL9s2UCZdcxUlxzkDRvCoIPnrxpBSrLxkMCJkxIBlE6vemz6jGw - AB8wXxIAhDwMSQHnaa6jrFqVpQ7xo5vaOFQIckIl1FdCwyfd3X1SPwF16xW3f9dV - pj4gxDV9QlR+lh702TZihNwbVDv9+xIUsrOyoBPeLzgPikcRHvm6dtc3ueA+vo77 - WR81K/3jhqgQJMKowRDr+tYxHJtiY5OOCxnY3pUElFawbUd6dZzmU8GQCMa8+TjV - ln4aCa8IwwDG95XpctOzMSpOi4OhsVh6kuvc8378xi5kOsv+d8QR6Cj7Ene0MAlZ - i8UpD8AQgPR2FPuud9gkKfEVW37F/PYLbgs25rN4gLpM20ca6nFiFAWUv9Qarm2F - AgwDC9FRLmchgYQBD/wPZ4CfC58Cwq4Qnvam+ddSZLkih/w/tYj2V07dXip4/+yD - pej09oQCqdIxC8NFKUj23MjKRS0wouMiVXq9Mo+iAp1ujrjQKY69OzfD4tVM7opW - 5SXHHlXyQwAlgZOVwiuV3odbUip2aax31uzgB9aXtb1UXc5Mh2zdN2OdEJ9jtFGN - Yi/DHHdJno/hTgEvV7L5xBSDrWTGzvdLvICm/okqmM+lCG/HARng21TV/sPDDz61 - DGhfGw8b/MuF5mTU3GYjUcVgg9+26YGUxi5SunJ11zuLNHwl7CEC67+Cw8hzkaaa - UapTIB5RlQP4Q8vI8436MqFrQn1D3GdZKrE5tN8pFoJRSD/uMe4ICBC7xc2Oq0XR - iwXsBKlP5+o0yvC278eb9FnHQHLHlExBAL+TkSt4fT6hbu1V6niGX8/ziac1r9Dx - mmEyt7QJA+1MIjT4MoQCQLVl+4zf/f3kF8WBz6Y60oTaiLgxwJt6YnHfVUl7A0OZ - W40oiRRHWSYdibTGVBS1KT2fA+n1MeH+bzw0PoyHDN4sQtAGj8xlY8/+lzBO8E4B - 8lJp0GPoyxUnztNVXAuoTXp7yB2YxMFipXsGi5rirsbc22Nb7A8W21ZYx1mxG3pj - k+PIZqMlYA5QGfWST0ESDiWn8lSC1rH9wtHzzWjOTZfWaNSKumyUbiO+41cjbdJe - AcuaYiRLmC06pFLdZ4OS/iAfvIeybondx01VWSMmhFvA5RntQG3Hz9ke//PKtjsa - YizbQ23YPPGIq1wdcOuPq4F/LpZ/zQPZ5n9F6UC6cQf3RHVOfHxHZc1y0Tq8Sw== - =Th9r - -----END PGP MESSAGE----- - fp: 4BE7925262289B476DBBC17B76FD3810215AE097 - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/nginx/secrets.yaml b/secrets/nginx/secrets.yaml deleted file mode 100644 index f55f007..0000000 --- a/secrets/nginx/secrets.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -dnsmail: ENC[AES256_GCM,data:sDKEORfYYHg3sXvQhs/2ZoQtIKpe,iv:DkzqpxVrFEu2En0PEwc/ZAAeAM927ZaX3Ll6eAxjYyc=,tag:+FrjolbwzCloyOyhw3XZlg==,type:str] -dnstoken: ENC[AES256_GCM,data:FD9G9D2e6GEmGzVcYAAGMia9m/dVIjXtdc8WZJ/7+F8Lwi0kQH/VRA==,iv:FMSakGp/r3L5MwhXFhvH3nTNY+B37XU4dMe5Wajs9ZU=,tag:cQsxWB/FGUbuClgrgqA0ng==,type:str] -dnstokenfull: ENC[AES256_GCM,data:5I9nJpwDxJb9QVZZ1YnQEBgYnkM1gCBnyhR2XSgVQRNejzd0NXAA1g==,iv:0jmRdEMg7S+SoOTserDeYsvh6fPq8k7VIxnuT0Gnmak=,tag:3EAH4xSoTTGweOyE0sfMhg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zyts3egct4he229klgrfkd9r442xw9r3qg3hyydh44pvk3wjhd3s2zjqvt - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNDJNZ3JrTzg5anRXZ2VP - cEo0aUEyU3I4VnVDaWhkemhRNi9vV3JwT2lZCi8wMm5wZFIrUEx1bmZUaWNFWXEr - bWxua0VCdWhRdVRmVmZTY0JDbjdLdlEKLS0tIGFVaXdnVzZUcVhkbjBFOE9PNFZv - SHJwU1NDSVg5MENDamJVYndjNU15M1kKHuibOTqcSUBwtrQVj0xzu2icc8dOxRTq - uILxeOCwd8eX/hyuyTe/9prPD/Q9rlwGji3gPJxEpm5X+R36yN4hWA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-25T01:23:07Z" - mac: ENC[AES256_GCM,data:18rZUjQ0LPsMZakxoU5DICZ73NNCM1Y0l8Uufd3e9sogwS6PGOXqtK1bq7yTDPsjsa+upIalXeuqvldubB7gvK9NVr6hQF2rOwVmzROTQVE0G61bTyOCzqqJ3BXdbbiCK7QBXZcboiOYeCuSHinr8qKrAQDATBj7myyYdLyZcdY=,iv:tiBp1JDu55jsfh6tMHSQ/3+hPAlpCQdHeMNxRWbwB30=,tag:iaXBEH51KbyqHmrfvQEJpQ==,type:str] - pgp: - - created_at: "2023-12-22T22:43:24Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAwDh3VI7VctTARAA0d33RcKMjMVlH0X0rBK5eIDz4XufU/E/ACJZQfqmzKla - SVF6xlYPVT9OYYvYaoEy1nDwd+bizPaGkp0t4o8Gh7BFRSHOT9f5lWggQ3SvPT4u - F/zhssgMWgVktAgimtlC593cYrnn/TbIPls7iLTstJznYYsGIFmD0UMcEeM97Tg9 - pgusMstRkRYrL9TLNeumV+KoUoHbh6G2ZNJXBOhA9c5d5CiCYicfqBHSbM0TSXH+ - 0AZK+4Ll9W/Bn2b1gTPwVzVhtyqMYOklJXoP6xhJhh1niO4OJwhkgbc5GFRmvqBl - lequVFZt0WH0HK8hcyf/HWZYwu/Y5tXujI+Qulov5KRkE413Zu70l7jyjwsGAojo - e+PtUwhH/qjGhD7wou+4fE6Gz3RAAnkqs1081RmowxzTpfRHBTxrk+PheFVYoyQX - 
VTWtr+DJRPyWyQ31Ljdaw/baci/8yfnViRhA0rY/XdsNGJn8BjLXmBmrMMYPudrf - hykvigmsr1+exwFbpwXqX5BDK9urvsagr+2oDIOR3AEEsBkShGrbqWi1U+syX3Y3 - g2bmoxD2W59+ODWfykTwhDOS2ZQ/PyI6Kq5AKdFWSOAhrwvwmwBt9hE6RAuYSoc5 - Od0BnY024SkE3WPlw+o9JZomPcKN/4xV5SzUZerB/5N7unP/3NQvMipvIt4SCW+F - AgwDC9FRLmchgYQBD/4yXIyRjhn0+41CgcfjWjqb8gyQWDq8oSUMlUSo0W7VJqSv - zojbWQ8YoJmdHWCazBGi6dLxaqkupC2YyRlfVgCvjlxfvP1b1JlLD5/QKfGJ+rzp - ZFC/FrzrHKLudutAZ0mwqEK6WC0zKLytSkpi+IKtFXJSbtagU0jETIjfYuKCxFZn - Sp/qzlbTfNdm50Gx7b6b9JmJEHwa9GevTVZER3e41+8beRFIocDnfBx1Z8FFTVng - F9fcc7/aNcMLBY8lmSCpPSpmcu207y3S9SFJsrLF+qOKcGKwZ5xnLAYAvAXY+EFo - 19ltQO3KyTsKjw00ljSdJ/kPQPanOlsDDlji0cQ2HgJ0rTNd9CNCLg8XzoCJh+Uy - lYImamgYqCW1BxBdYCt9+LPVpxR1D78oq22n3hKeKgJuSGzWXE7oIi61+jQCucWP - 2H8lSZ22kCzjQXu8sccNv1saOF6M7dnFhWAbFTuXaSUROBUnfzMaLx0HcI585p+X - oTrOkZr+pgKFIeGYhqXqJtDhKvCkJ5gO4mu/qNWqxt9TXOYEiEnd1T1BtmfFMMr/ - Ed01waKAxrqkED853CBG0L0ogGd+diMpVL1TBVq/9Bf85P1CGB2RsGgPl0eFkjck - 4KR4dvmSykZhusRRdih64ksktB/4quEZ+FvDxy33+OD4gO0NvfSJwKAEBJmlf9Je - AXCKsM/JHpqgBJCkJnb8gBYlJSl02BCIMmdhBLulqZA81KeWazu+yXEdfR8mbBks - OUX8+f/+cZwFVB8eGtDc2BKqL9mudLVr0tHfoEvT6i6mRfU5olUkSforH9urcg== - =aq6G - -----END PGP MESSAGE----- - fp: 4BE7925262289B476DBBC17B76FD3810215AE097 - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/omatrix/secrets.yaml b/secrets/omatrix/secrets.yaml deleted file mode 100644 index 337827a..0000000 --- a/secrets/omatrix/secrets.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -matrixsharedsecret: ENC[AES256_GCM,data:fgHmBP2hprqpUE4TmoBDv+Vd05sJDbAJWDs034Dxnru09aDPwjqPnxCU+nf7Mqmnd5/z441bqG7hPdKM7H3SSQ==,iv:r8wos/EZhjw2Zf2v+OAvKlWensbL4jqU04CPoc05Y04=,tag:epKklBJ2hPdKsMCROmEaMA==,type:str] -mautrixtelegram_as: ENC[AES256_GCM,data:MBS0UzGRIOVZ4Miqrwz0bbezNuqrlU96QyN6T60lOh7KgNUTYR0eB2Im4tcjUvtTVhkM5I4t88jzv/WuUE5oNA==,iv:7GUcJpKkoKsp/wFzFSnPL7S1eU2Bfzy42A3hm4WbWu4=,tag:Z9621h5+K+PQgZNt4RYyhQ==,type:str] -mautrixtelegram_hs: ENC[AES256_GCM,data:p4jJxkD43ivaRQFMSAtzEc/ylYZEuwoEv7tIJZtcF4cJVvqDYDWjAwuu9QXHWuEqEs/djLHjx82KfdqDvpOmxA==,iv:MUTNSyafrWx3rKn5rMStuzZAXueqR9gBCgYUu5DFBy8=,tag:fpVYokTTWK/Snlx+SPWkBQ==,type:str] -mautrixtelegram_api_id: ENC[AES256_GCM,data:CoY2x/2icA==,iv:EHv73YK5H6wAOF6Sssx0hulX+cK9IFb2GOoOTKo5vO8=,tag:wWiioGdAe/F+Y10FdNJpDA==,type:str] -mautrixtelegram_api_hash: ENC[AES256_GCM,data:WS6nrYQ+g1MFsiwHQigEWWFk1Xvv3mS/cs+gCIFc8V4=,iv:6aJ2XqmBedDO4U2/eG/Ne1orUDbyGTC3aFiMOYTWfj4=,tag:fgs22Q8aCb6hOof8qZj6RQ==,type:str] -dnstokenfull: ENC[AES256_GCM,data:XffZv2uZKdIkNTwoO3KqSvoJ2R/RJqHYRkLxscXZyErHu3WH5EU3Dg==,iv:+ME40HBH6L/uWwqHbmW1PA3Y4p+dtcCl12UyiLflGX4=,tag:rsUWdOiBOyFCshqa6MUIng==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age198gj3dmryk7sya5c77tsrm3gdrct6xh7w7cx4gsfywe675aehu8sw2xw6q - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNlFlUVFhOEJNdWR3OWxl - RWhza2ovR1ZCRXRPYnQ0MDJKak9qZTV2WFVFCjZNSUI0azBSMi9MK2c5dE1xb1Z2 - YzBHMGpCU05VcllQNWJtcFNUcThzMmcKLS0tIFkvcGU3aWROZ21KZ2lRYmZlSTdX - d1JqTGFiNHlBLythc3J4RjJLVDBhYkkKz56uLu8f+SblqcyRhU0Lvjoh50h1BQgj - L/R2VaCLZEz04/AzM08bmjOpcORmvPTSqobeKDrh76vp536SUX01XA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-21T01:56:14Z" - mac: 
ENC[AES256_GCM,data:Ce27me4iu6pMYYekgT7C1pKYJ+cdd1PQAb4Wyb/w9rrgTJeTrQFBmYC3GRRcpijwMVzlWq8KampuFEAiGFmuLoE+G94nEbKZskKqbV43BWhrdnthoBoPxizwRLhEOOi3rNJW2L26TNMsjDG4kelfhxFbKYetdPV1M73mBywxWr8=,iv:MzuzBom0YikkDCvjsYUR8VuN/JEX4+ygasgUU6AaPtM=,tag:XDmxmmGcNvNhfXqLJAoxxg==,type:str] - pgp: - - created_at: "2024-03-21T01:51:54Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAwDh3VI7VctTARAAssl+AF2Y2zr1/zWquYmB4cZolN99Tr1sQjIbHPEDC6ym - DnH5vHx4eGc0svrAL0Vv3TBQ3W8gS5w4EHSumxa0oerfVY1bwk+BN5nOHgg6l7mG - LMA1H7g2QNNEsUTH7IuaOVWofsVWzhxZwZILUEQlsYWLYkl/hz2aOZHiOTLTwz1Y - RtfbRzYTf1jYg7lks2elrlmhd2d+QoxoYxT+tg8oagaVM5VGDRS/9evnrZ/E3fNd - 87BNUxc+SswMwonWfuLtOkPPo+jckVy7yg0zpZn1p9vnYQAyuQy52aRjTzY0vZCq - DwW46Y+fgHnsfI2Ym03pL32Z1lemqqcOKXZc3TJRv/4a+dcR2G4j6sckAg6al1U1 - P0fcnOlYpO+bWoy35l1HD0sHLIn7+PE1JfxzTcvvWrLz/w22/g6RwG8uYg47YXnt - uKxIYmQUGSSDCDddnF8xwuwRzyAVUgYZr71jnwUtiXURW6VorUtA69O+tdq0hLZR - wW6zJ1nY+cJy3DKfnlrrPEOIjFP/OBibftB7CvqYG4xAgKjubAq5MhB5RpRajC3L - aeuUCKEe0dzpBFE/g10KQF9OFUnptN0LfrLcAkMjKqyXmPdbMKhD4Obhv4lJA0Ks - v+SbKtKWohGA6nzt1yrOvzFkiAkmj6pa9DEZgQ6jKumTTBi4mSUptezI4X3VcmaF - AgwDC9FRLmchgYQBD/41T1tegaRsb477ffMtHlKmZguvPIviJQoNKbUvlcXC5+mT - IsJEwhanypP7YpaWNlvep9Qtr8/NplkIF+n2uB0cAaZWK3dZsKe8Erfqik08oj7N - yGYNgm4ykC3y/TTJaX+xcmRrHtGAY6RNT/TaeJ2ip8DxsHIwA8wqFmnVqLXjhmFl - hYV87+mtX2M22Xc/YEPsvocbWiQCyLHLVQsS1VfN6nRFkNi/pc5lyBYxRRKa7Exp - azfRUr/sWkFtwPptUdA5l7Z21nVBBd4GKrdwbbn5u6mgH4GIwqAwFk9U3RWrCAEq - vcEekyabBOFAm1+Lt//FYtL/nuyN5Pq6p87bxnh6H3IrMdmkwERI8O9IYdUBOhNr - cx5vPH0oKxkdznc11xHQHyoojmCuerPzROlNNhL1knI1XalfKCxfZhYk3VvYPnmk - maEsw7zbwmdtKi6F377Di08jhp60846zvXz351rLPolaFAlAxp0BSL/XJEvxTd9N - wPg9tR+aC+6yQIJeXQ5q+pzxM2wSwTcIAcBxYj5eOB1/sehKLraBBMtZU5IyekiP - s7I7hp/gDD3BpFogXf3BU/jtHz8yPv48Z3My4N8YkrHVR8JP55xpBpGuxJ2568bC - R64dhas0pZxJ9rnq/yJmbadmcVZpL7wNlZnNGgyTTJI6jWAJtqhKFi5R2G+3fdJe - AT8Qvl4IZ1IMfR1TMf0w+uWDAQsxJGxNqTlHwgF2YiHZdC7YA8npEDLzFSeYnzls - pJmMnciuK/enCETBuZInYojD0/ZgjayD0ImAfQDbFplagm/mWmHjG70eef9ESw== - =ECO+ - -----END PGP 
MESSAGE----- - fp: 4BE7925262289B476DBBC17B76FD3810215AE097 - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/paperless/secrets.yaml b/secrets/paperless/secrets.yaml deleted file mode 100644 index d2f19f3..0000000 --- a/secrets/paperless/secrets.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -admin: ENC[AES256_GCM,data:4ltsTj6tWqw3Rx2Odx7e9OH25yzeBuIRrQ==,iv:uzRdWh9g0iNkjjo5Nrx7lVu8vZlOw2r3WJ1PXPEm/5U=,tag:Xv2Qwq/w+DYRYvXw+Bhnyg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1j4y7mwh6hg8kvktgvq5g3xstnmlnaxkdhfrps8lnl029nfpr03dq2nr4cd - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1UWg0RTZEZjdhK01JUHI1 - TDkwSUJwN3RJMFM5WTdBU1Y5NktJdXdrMUQwCkt5Y2hUWkRLeWgwRTh5YVRFWmho - MjNSWWxZajB5YXhoc3J1VFVqNkdPYzQKLS0tIEJRd2R2d2xkNzFLOGE0Nng2OWVh - NVlkWWRDUlQ0Mll2cGFFYWVuYW9VZVEKBHP7b1vFmVQGwAEfI8o/cWECr+qFUB2q - /BNRW7fcyLVrPU9BvqTIo84t4rvUTqfG3K/fdJ60h/0N6OUrCai0EQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-05T13:43:43Z" - mac: ENC[AES256_GCM,data:tHd4ZbDyhBowlztWEdY+ohp2obLOTXDqZ1ROOBYsXO4N6glMEYLiqxKvpZ5+RcKkv/GIrFSvGS3AtSCCfGhAq9YVOsICpx7JJjbpbnPR4d797WIK5IauHpTSeTjoOMjVzA5O32m6Ux7TSk5Y1EPwcgOfvd4Ah0SMrOblHyAi9H0=,iv:oKgwFUC523K/s/05SmWY5uADd8n0Qm2mz8WJB59uA7E=,tag:Kx2NCDWcB82OUUGcbeW21w==,type:str] - pgp: - - created_at: "2024-02-05T13:43:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQILAwDh3VI7VctTAQ/3RuSGSlr+pGQIrnWIjZl/i6ZuMwHVolIN1cTshchZ/Pga - j9teHAYZWnQ9d+bym3uxzc9S58U3sNKU13Rpb8zPOrlssa4sLrt0cTAQRzPLIH/b - 66SSWHm4RKzlDaPHrY/iVYDqEy0/zLmIxmKZThfCZIVsj7g5bvP2Y9iNDR3EMQsf - rHuMePsoE0eUvudgNWuyuUSBdRX3JK/lLpe3BfXmkdZgMXWKrFwKuv7XevDquRVu - gZ6SQPShASN3ErptDBLoewasCDJuzV0wmgGB0JqGwADzjRnS+OGiBAYJB7GDjLoj - iWLqy6xhkboFCiVgEyF51u4MfVAgZCWwVRRDrzv8Q8L93Umm4Frp0J3hOb0rC9u7 - UJCt1/VcsQ8VX7wRyEwZWWktIRb07yMIKoYsy7q1J4qU0AjSNVVX2y1sFa6qi9Cs - b2krAzRhzV2qd7V2QsoOSTO+RePE5qD6OTC5GeXaZoPaNoHi8u3SLGqWVug954SX - rNJrcgpl0VkoYlnanuA3s20BiHSpAk/9RiosXCI5kg8XPikp2j0iB/8WuKnMWlc9 - 40EZRRaXQZF0LMxdyE+8QTF9CvUCCTOkSfrslEXd6gpX8GB+KUdWyMvqjIamQ6ov - 7Msuq1gFKtZulzwZJ/pC6TbmSXMt3MgHu5vFqOvOE7UEWwY+FVwp9WZtwX9OQoUC - DAML0VEuZyGBhAEP/iqLYs6MX3U/odqG0IFCayIdbGDoU8+CvIehPnTJKilzW2AW - 
QpTqPFUI8arz+yPQYmKI8/VwPELp/W/iU1DNTlaWjXSw/nXmQMB0MERu0ZqAbZ6m - Z5n+j8Ggz56I6EX1PpEkAXL4bmSM6iEsDREkecML/ZTNy+OeSodlEq6A0jGYlQF2 - /mmsUnXj+FSoLoyeIlJNtr3HrJNzlikWLczP4ETxeYscqunsQbbgQ6c2xHrgSLrQ - GbVuxOMFbP67B9DyCKnsIQSllps6lFIZUTDeItzUNuiClDpTChFE+GJyTE4iB+Wn - MgcxFadezGhKPVPyEgLviv/gudGQpLxJBUGHdfsv76wAno5IrSWWYt6YdjTpGUE6 - n//fcV2jHV23EhfnUFyPiQkLlo49vrtXwY6AhAUYfOOTlDMyQJ+humXWnpqV+by3 - xFTq2lCqz3PqmcBDSUIgTGxUDNiK94pJVQC9uquQwXbxRYMpXuZLFB/OCumMWDuN - xkqe6XYvx7PR9GW379OPqiAPB3PDyIRcwcOYiiycyFwVOrMYlEW67ujI2Kj/8EFb - 5dncfD/TgiLKCYH3lxFvFk8ddun05WozDk1jfS1aDVh1ZWndd3ByRNe5q6baARoO - KwcVHtKSPjjrURk+CbGWzDvTAgvURSNpxJ5ubGEYea/E7Jb4JwEUURnymRD90l4B - gcRSQrYEI0sAsMaa7WEniMwSiOUJxb2q6crj6aOasEE5NSaPrG+zqs/emfDhfkHS - 25Sx8KwuzctJpCq0ajnH3yYfuZyL9euBFvk/SZ9bqDSDzXSxm6wKYZfWRf71 - =W0a4 - -----END PGP MESSAGE----- - fp: 4BE7925262289B476DBBC17B76FD3810215AE097 - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/sound/secrets.yaml b/secrets/sound/secrets.yaml deleted file mode 100644 index 0ca210f..0000000 --- a/secrets/sound/secrets.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -mpdpass: ENC[AES256_GCM,data:oPwpdBAg7Z1kfLm/awaTxXKZTIVWMQDTUw==,iv:jGWviJ+zwolzmYUkjfiFNepEPXSw7oJH530PaEV+GwY=,tag:nUr7TJCgkumAUZ1JrziI/g==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1w7tfe7k0r0hm6mzz0kmz8302kfn0rlh96w7g6zwqd4muqg7u9anqv07745 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdW50NGJRM0Z5YytVa1pQ - akR1M21Ib3pyZWZWdUpCR04rb1pRalBiQ2tJCnNzajZpbVNVZWRrWEFvU2RnM1g5 - akhEaGZCN0V5dHR1Qm9IRVZvV2hGMUUKLS0tIHVGWUs2NnpTYlFxa0p5T0RJTFB3 - eFdSYkpPbzhGU0ZiM2FEWUtqcmtOa1UKCsQiVQpSI3GWpvU3zlvKSZPbnDbVNJJl - UFpygD0jqPWUvBFqALHKh8i3Li7B+ItR32IUO67R1bigS8HjYzdkkQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-30T20:54:55Z" - mac: ENC[AES256_GCM,data:XhknSHukwELPxfdskHSu6ewK1keNl3lcMQW0PqXqDn/ZxQtjQX1Dj5lez5QMHSFq5UAzXt4zljxRNvUtLNfnRBpTe5vWCgC7Bt1ZHz4ikmbp8/VCMteZVh3rWr+jM3j0eGsTo4LZD46IRUN6FDhVVFb4fCiiJGVKAusFonjaYOU=,iv:IP/iOv3Jb2O0PT96K4gBCf77PsMl5wt5V0O/xOUwnRE=,tag:enWN7CAMvFMvgPGuhqu3iw==,type:str] - pgp: - - created_at: "2024-01-30T20:54:19Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAwDh3VI7VctTARAAlhqb8zkCNVWJ3Iayj4IvqlHe6FZiYUtu1jucKh0Yniwh - LmctvOhIwB1UP6NEeX0ReqbMCBJLpB7Fh661RgYguOA+mU7qB9dkTi7OMVYN0fnS - OXeAl2+9SKNO9Tel3XqFtJZ9eCgSE3AR78U55SH8lhe+243U99+dXBx20Qzh8fYk - YGggcMhzJewou9OziOdQtq3hKh6BDlOPU8VEufreeoQUN3CDbWXeUzbDbH1Z5lbk - Ibp61T7RZ63IcfQu9GPWxyaxkCw1YOtbRxUN2H1BYIGjNuGag7Q1dRud9v1iQPAv - SN1JWq6y5q7zxIYUVliquMsiMRkkX4mAINnY6fo/J4aOTbZCUyO5bsqTHYjrsUwW - lDDErVl5HS4iAfEGZrKRlY5b9aZMZ3o/+DxEa61mvl5nFaSvpy6zQXV4TK73B++j - 3EqUji9V3RTcKXKJqu5dNL5Sh31GSv2U8RADpbPh2ned1igx+3DodC1RL64z/jP1 - HKFbhz2hYhfKxPLQTcYvmmrQbICjjuLNP46hQy7Fkk1IvPZw2hDEXFuZnKsFMLPc - tnIC4/yhnykdDU6Hx/LQbSJWs69daN+M2ty9fjqvW/Thl+lkCb89I9dA+H5TcHF8 - aFfosBJniw7Nm0tUOMYCtjh2lRYzs1Hm8GyYmL3SXkNq41n8kIF4viW/Q3SVVqGF - AgwDC9FRLmchgYQBEACiTLmTrucjVeNf5iRI+n927+S0KOqvjRJSAGC/2jjRQBxG - 
8pX725XK3EuYHB0pWe/cwat/XzgrKbHhHLTOAoZLXkL8mailFYqDkyPWyY0KUOv0 - reeGO0oQxbbVaurtTsXVfNvkHYeAPcIgZoHgSaPh2fTsxQuvBpo5El7Nk6EGWp6R - I/obM0XMS72gUnxOEMReyk28C5xncsQXmC02NK7zvq2abKS0mv8KmMR7nvLWg0nh - Hy2Jh4e0B7CvMyLOdJo2VXBxoJhb4CGoyidXg8Fq+fHQSDOFCF7Tb2bgCfdqWowK - ip6CdHnj8mj331LWdpW/Yo/TYDN4fnVVHMO9aISiC1S50Lb06uwhJlBYG8HnWJ3Q - JCbftxDdiToJA0fDq/L+sRMcqN/l+WoaxS8PsmSF/6xuQsa+bt4S23XITQkWrtx2 - S7reh/xsl9YKR1L6cxOUiaazuYn3aGlUTqSY0PfGVsfVo5+vN95q5SYOqqx8s8+Z - h3jFLe2cGQu3yOSeUhHJYBjqho3dcRW3Mo6crCh0bj7LSIoeIntCC1G21MzAcXoL - Xa+u/gM5HzPQ0Czi9v/bdwtN9eELEx8gOVvq7zhJTM1ot+hxyt0XAz6nCkkVLr3D - sasN1xs20+VsiRqqKwPpNxvDwkSyt6zMHf7zDxVW0YhyTqiIHeWSA4f2aqxqstJe - AfxPey5NzP1PX2ovInUhaqVQc/L8u+04aJa7JFiW1wjZP6BesPiy/mRA7rBMUmE5 - tVlrec9utTLVp7aerjuODBsDarVILmFJetgDPb7vI42BvxTpjjCiJJjXPXQzcA== - =6npP - -----END PGP MESSAGE----- - fp: 4BE7925262289B476DBBC17B76FD3810215AE097 - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/spotifyd/secrets.yaml b/secrets/spotifyd/secrets.yaml deleted file mode 100644 index 64a3228..0000000 --- a/secrets/spotifyd/secrets.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -username: ENC[AES256_GCM,data:8c739M/ygFSYP/xsDovnPem5wrUr,iv:LarOsdIzdz7UP2WtGt08bBTTZLo3Ne8RQM74mFJpHLI=,tag:r8GrK0d8+7C6m74vJ0X3mQ==,type:str] -password: ENC[AES256_GCM,data:E6CLOD1IZUzsjzQ=,iv:EL/EvTUOTatCBCZijCrnrz8ZIeP85znZWCM0PpCJ2y4=,tag:Dlas9VApM34F48l5/CVF6Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age16d6wulu4vzuawvsnqv0cqjhxdz9e20qm3xdnzq2lp7787srl8shqsqlfps - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmaUZRRlVoUE9PTGhSbFl5 - UU5GNnVqcm81RzZsaGNwaWc1ZmVKeHRiQldrCkVNUmFGeWhIaUlSTkM2UmtUakU0 - S2VMeGM1K1pJUjZJeGUyREo0OTlvTlkKLS0tIEw2d2xRNWsrT1ZmYkpxeDlwUVZS - bnk0T2dPRWFrTUg4dEpORjZLaWRFenMKw5pkVC3jaHlACgH2vCGcwoGP36ZRWfuu - yI3dITX/r02hZnDMuUrCT4W38VHhSYHckUs0NnpkkCKAL0CREgSo9w== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-30T06:13:01Z" - mac: ENC[AES256_GCM,data:IwZsL3uIw83Z3AflvpsqH0ML0VCUeTJT7AWzCDORFOxhyvWhzGGBnUHQiNOngKlepyV+WKclMOMpe7aHI/lMZXjA1cLiY22A2cNV6PCjKbnahzr2N7s6XyZ+9de0G7EIdR1fMR5aMECUR4Uwbb5AsOMVtO2wwhldBF3jn7pQV1o=,iv:wRY/RvhwFKECNSVt6xmGD6RWFPFuje58A9OLkmSL9II=,tag:cpBmf/1z1CnxGLY0WBvEQQ==,type:str] - pgp: - - created_at: "2024-01-30T06:12:12Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAwDh3VI7VctTAQ//QgyjJi1IFK+0ybpoeXE5nAbjXxJipG9viMhPhh2PD4wc - ZgCynE+sox+vzA0mzK72z+RqLAZctCafISjTzpDIxupz4HBQHjeWGHeZH/RqH+3Y - x0Z75Cv8G9n4S9SyDaMPN4dWC+LJ8SP2oMZvQ7G0HcZntHdWH7lcxQfw1WvbBx89 - obZ+duliV3QFsBMYT/Yci2z1mgJ93SIhFRBVv1F3VLlSVGtB/6uWNKgAtvgD9jls - VPO6XuUMIdyv+vv1nZ8n2gBOskhoyowX08w+ztDiMure1kS5LgsDxm7alx2eywip - HIqxpTTp0HTcWy0RIVlv0tnl00PzVRZ63KKGRaTmrNIfGHdE+qpSJdKWd2SuCimR - Zje7mOTPtqcE2TnTy2auWgRgOHaw1Js52Nwod15Z+3XotumMfFdIbEvbFOoew3Im - gbj7/YeTML2BAiAE7VnzVMTelB6ElqcFM/ZDfHCxFM3iWby5XZGyF90rBk3v/Z7T - tc+o+ImyvVPjFDJs0nizNDwEtTOJKCyA+KHfznzRw1qRYrSwUVpYQB7q8TvH5IcS - f2s7rySqpNp+79XMRPYoimw5tFebhR+IgSBZ/VdjwWLBXaebAdu8Sf3FtfLvGnD+ - 
CujOYuq/6t+EpSsgAOH3D7QZ9BlFwPFA762sSBqa92VEm1BULDZpZ3nB4qsT0/+F - AgwDC9FRLmchgYQBEACfOZetLUBqqa7Cgb6b+DZig+PuLHaCq9p6LqQPFmP4KL7M - /04xEAvL+2Tz+PhuNY3YtkimTeue2vZLJD6hHfxCYJO/GDr+ea2Rv9g23FvEFulw - klqRoDYCgjHp+Uk+9ux0fS8FJsDmQ8ZBPClx/OPGQTdQJ7sXB0AF+FT4TJY7gQP0 - 7+kcFbUwkXHH8EBw8tTnQHakPd1AIj2EVkMTAlU9mlZcJYmoCjSrH511zz94eQnR - L1J66vckCCdLPhrOq+NI8LTTr4ypjHRmJwW9TBcfamdXnsxZBrl1QTq3AAZURRPL - K7Bo6mWHJ7QBNNUnY1bKwpcY7zss7KzKklgPLuG+GxLZHfyKBMOe6Y/xLvfbtZ4u - sOdZSTrgruU7tuejPRlgP6eyh+yE9MSLJ0p4g0jkKf7qngA1Ec1IO21m7KnmqQ3a - Gr6+rI0K0FCUIf5q412OLg1cYixmlqb0Zfi566rJPYoHEoRhWUsP2ndvizNyULPJ - ocCaxEEV/kGk8vUwnSsb6EKfJxo3P0Xp4uFQ1SAhexbLXrqqlaLGYxulrXgwwgnf - 55Abk6B+O7RL3V401Phn4vRfzrSajzlXDUwFz+TPy6VMY+yx+FweIedjlJFTMtuX - 3EUyYyl6fuvAd7qmN6I1HlwVEJFEeMRKKxt+ufGj1m6fiqLvcus8Xw4r40zDO9Je - ATeO4b//yaoIs2lAshj2p97mVpU4xKzd48NOmuaZn+Y7/3m5xXk6vdb2dK2Gky/V - gSf+7TfGBdOOn9zlKxmuf9Q+HOyR/AbCibXUvhL6Ni9wqRHu4B0P6jIrTg1NCg== - =v009 - -----END PGP MESSAGE----- - fp: 4BE7925262289B476DBBC17B76FD3810215AE097 - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/transmission/secrets.yaml b/secrets/transmission/secrets.yaml deleted file mode 100644 index afa4a5e..0000000 --- a/secrets/transmission/secrets.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -vpnuser: ENC[AES256_GCM,data:7wytXrH3c6s=,iv:yoaWl5NCFuF/Ic2nkFXpvSZj9fQCHRtzKOHef+EEolQ=,tag:jzX5ewkmAHZhJMaq2ke90w==,type:str] -rpcuser: ENC[AES256_GCM,data:lO3735Ynaw==,iv:PDhpAifNEjKpZk2slowOqVUXxaVup+ZLrvGPq80RV40=,tag:8sb8PxZrEVnxhFIRu+Q/FA==,type:str] -vpnpass: ENC[AES256_GCM,data:pTnZjMu+fCJMOQ==,iv:aKLOtjJlXsr0uy+5OrcMxMBqaU8vwaG2Vcn6SirbYas=,tag:Pv2D8Qn+a7ihz16jSkUTbg==,type:str] -rpcpass: ENC[AES256_GCM,data:nknsULbLZMo68c2P7lmWBEZcyaLqDXrU,iv:1NUnew6AL9kmBTnLTXgwA8cm2AO85He0I2fP2oXhrdA=,tag:G7YgBNR7h7QmukVQLhG1pg==,type:str] -vpnprot: ENC[AES256_GCM,data:Ue2A,iv:NcYpWxPWhIKewOde7kYS4TJnipnADLq9+7Pb/l0xgkU=,tag:ACoL3u2gPHXaM2HlW9Msaw==,type:str] -vpnloc: ENC[AES256_GCM,data:X83semtc/SINDnJblMZduEO6UhSTUeziJRHO,iv:9u4ddDGisgDLlwQGQRL0AZHo1mPD15s6+X3qn9gDf4M=,tag:OeLdoXIDrfxJesJwCEWI2Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1wevwwytv5q8wx8yttc85gly678hn4k3qe4csgnq2frf3wxes63jqlt8kqs - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNc2F6RlBjTDRLcU5FYlhQ - c3ppdFI5REZpazc1cnFubE5iaUx1bEFDQUdFCmM5R2orbVUrSDI4bzgxSWt6amlJ - NkdBQkM3b0RWSVFuSE9GM1NsNWJuS2MKLS0tIGtWdi9Qd1BSTjduWCs2dWViQUlZ - UCtqdEMxZmIwVk5wY3RGUU50NUNMY1kKuCCh64itbGbWc1DrxV3BupImnZoIuqga - eC8BcM+CjEmeXDb+tAo81OADCVnnfH4UP1gJ5hHxn5rF7/zOkljXeA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-28T23:15:15Z" - mac: ENC[AES256_GCM,data:BS7Ma6oSrJxEMYHbCtEDwVePqIhgmgdWchUyVZhf/dlg2JJfE87gr9jDZrlGPmZM9pUD/gDm8VO1wtOLx61jpII5m1bfSfq6O8XEOQ+cLrJDHHaDo0JTF/TOWWpWPEbnNLpa+BjUb75aAX5Y8+Dw0yAqIRIGNxoanTbyh3NuZyk=,iv:gS4xdaF3DWaJ1bYBBmHgXfHrnr7diw0jtWVYR715RGo=,tag:LXDDCP7k/C660h2AzbuxCw==,type:str] - pgp: - - created_at: "2023-12-28T23:14:56Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAwDh3VI7VctTAQ//WKTeke13O+mZdeXrSaxQWQQ3gex86o8+hIDdkKxvUR/x - bATUaNh0GGU5ovosDFEIWM9F4FQzmAidYKl0i0j9zsR8tIj+0JH1ahmL0oxM/xbC - 
sh8/IKczRsPQjZYrO7g4fH8Is2d8zFh8nWIEwDuEQ1/TB6hzip4npKcLlp3hqsLx - 5/SwQvSSh3q6iND0YFLGYKwtlNV3ZhcTU0TeaOYJTmzaWU/XjsvTL3lOcHpVtXsY - IK6/b5bitB28zR5J1h3zpHiza+OabAlG/hXHkL5q9NDb1qkmkgxZfbBC9qJiu0ke - rBX5pPYF1yDZF/3QmCmsId3Rx0vEKJzw3vdkqHje4se9zNbnXJ968Gva/3QJJF81 - iYtetvO4/v3BR7xCwfpW4V6CnNQ+N87T0N6jC8racl/GeCiFmSvSUmOktN06AHBm - JO6Ie9vmzmnVH+sKMvRtFETzkqcxCsgNhPnvnGqzDZFf15nJAtRjzYTjMrrIEyTO - MC3V0GMOrdkorRPBbCcXDYC54sorbWuVdjxSX+pElvFO6XKhZJSfnZO2/QHlWU87 - 1EvyO0jS7314vwksrU0965nQ+uJA3lLZpIK7ZivoOK94Oo7lqi+IVbyUOKeQTRBe - USITZY8gTcGDvTGBkAPVBEIJMHOu5gMdPh4wbVwzGXwItSGfXOvh/SaL47AJ9QCF - AgwDC9FRLmchgYQBD/9ZsUCvmiC6BbkHBOSCpyksC1+GQ0k3jUMV6VYt/tIqt6a0 - ILU9Bw+jkOfo7i+t/7uTp7wXyb2JwsohiP/YreYDOOCHxXdJJExBI/tOXoS7nKC+ - dBjKwIz4BPDQz/1METECNoB3v23iUr+GeKTI9gjOO5btEh7UdiKO3inJttSRqVE8 - /kXN2kzSz9VY7W76h7JIMuqhmzorrn/FmSaZWZ4cWW8wvgkQ9mf96dwJElXpZ6I0 - JyPMPpnkd8UPI96MXJbrLToFdmTHgK2TQNmJKPACe2CEQFMvfADKpuC6vq+OckxD - oFZqr+jUsXXGXJUA9Zn59Pcw3FJDiDfJ/4/BqYgPx4IMU7pdp5UEj0PE02BhCPl4 - nkFHRqDA3oynBLFaKXAPa/ND4WLaF789V34RTOBvuiIpe9sGhI5gWhIuqW+eZfhA - Xtf9Wes+FDS+23K4zZ9aB6oTeV0W/JE1xAQ4NYCilrfsF3rwx/x4WYspe7WJjvGJ - e/LzfCaxna3gf6WyY+5Go/PI0JlicrEuPK/DWi5dTlgnx66mcskO0AIGG6a2syyZ - i4UvX/h165NbzoeswyHq3Mz4r/6WXpzO3Znb/pyfdAbifxatGtitm5X960/4tmFE - RZzig35VbhntomBSL2I/KBzEnrqwY+/nnf3DdjOJNbk9XWudaVRCnFJOSiuNFtJe - ASR5liWrbDKUkdnG2Pdqk//CYsg28xobBgVRG5roi3EuGFHkZCno0nC+r7e8Ad1A - l7CTOPtmhNr2RxNKbTzaYJDaivDmo9iILxOfX7i20m+DhtWTsPuML/LHfFc9hQ== - =Abzg - -----END PGP MESSAGE----- - fp: 4BE7925262289B476DBBC17B76FD3810215AE097 - unencrypted_suffix: _unencrypted - version: 3.8.1