many changes

hosts/fw.cloonar.com/modules/unbound.nix

@@ -117,6 +117,7 @@ let
         "\"shellybulbduo-toilet-1.cloonar.smart IN A 10.42.100.82\""
         # storage
         "\"shelly1-storage-1.cloonar.smart IN A 10.42.100.97\""
+        "\"shellyplug-storage-1.cloonar.smart IN A 10.42.100.98\""
         
         "\"ddl-warez.to IN A 172.67.184.30\""
         "\"cdnjs.cloudflare.com IN A 104.17.24.14\""

hosts/fw.cloonar.com/modules/wol.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 let
   wolScript = pkgs.writeScriptBin "wol-script" ''
-    IP=$(cat /var/lib/kea/dhcp4.leases | grep $1 | awk -F, '{print $1}' | tail -n 1);
+    IP=$(cat /var/lib/kea/dhcp4.leases | grep $1 | awk -F, '{print $1}' | awk -F. 'OFS="." {print $1,$2,$3,255}' | tail -n 1);
     MAC=$(cat /var/lib/kea/dhcp4.leases | grep $1 | awk -F, '{print $2}' | tail -n 1);
     ${pkgs.wol}/bin/wol -i $IP $MAC
   '';

hosts/mail.cloonar.com/modules/openldap.nix

@@ -104,6 +104,44 @@ in {
         ];
       };
 
+      "olcDatabase={3}mdb".attrs = {
+        objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+        olcDatabase = "{3}mdb";
+        olcDbDirectory = "/var/lib/openldap/data";
+
+        olcSuffix = "dc=ghetto,dc=at";
+
+        olcAccess = [
+          ''
+            {0}to attrs=userPassword
+              by self write
+              by anonymous auth
+              by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+              by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * none
+          ''
+          ''
+            {1}to *
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * read
+          ''
+        ];
+      };
+      "olcOverlay=memberof,olcDatabase={3}mdb".attrs = {
+        objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
+        olcOverlay = "memberof";
+        olcMemberOfRefint = "TRUE";
+      };
+      "olcOverlay=ppolicy,olcDatabase={3}mdb".attrs = {
+        objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
+        olcOverlay = "ppolicy";
+        olcPPolicyHashCleartext = "TRUE";
+      };
+
       "olcDatabase={4}mdb".attrs = {
         objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
 
@@ -141,42 +179,6 @@ in {
         olcPPolicyHashCleartext = "TRUE";
       };
 
-      "olcDatabase={5}mdb".attrs = {
-        objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
-
-        olcDatabase = "{5}mdb";
-        olcDbDirectory = "/var/lib/openldap/data";
-
-        olcSuffix = "dc=optiprot,dc=eu";
-
-        olcAccess = [
-          ''
-            {0}to attrs=userPassword
-              by self write
-              by anonymous auth
-              by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
-              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
-              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
-              by * none
-          ''
-          ''
-            {1}to *
-              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
-              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
-              by * read
-          ''
-        ];
-      };
-      "olcOverlay=memberof,olcDatabase={5}mdb".attrs = {
-        objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
-        olcOverlay = "memberof";
-        olcMemberOfRefint = "TRUE";
-      };
-      "olcOverlay=ppolicy,olcDatabase={5}mdb".attrs = {
-        objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
-        olcOverlay = "ppolicy";
-        olcPPolicyHashCleartext = "TRUE";
-      };
 
       "olcDatabase={6}mdb".attrs = {
         objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
@@ -204,16 +206,16 @@ in {
           ''
         ];
       };
-      "olcOverlay=memberof,olcDatabase={6}mdb".attrs = {
-        objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
-        olcOverlay = "memberof";
-        olcMemberOfRefint = "TRUE";
-      };
-      "olcOverlay=ppolicy,olcDatabase={6}mdb".attrs = {
-        objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
-        olcOverlay = "ppolicy";
-        olcPPolicyHashCleartext = "TRUE";
-      };
+      # "olcOverlay=memberof,olcDatabase={6}mdb".attrs = {
+      #   objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
+      #   olcOverlay = "memberof";
+      #   olcMemberOfRefint = "TRUE";
+      # };
+      # "olcOverlay=ppolicy,olcDatabase={6}mdb".attrs = {
+      #   objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
+      #   olcOverlay = "ppolicy";
+      #   olcPPolicyHashCleartext = "TRUE";
+      # };
 
       "olcDatabase={7}mdb".attrs = {
         objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
@@ -253,6 +255,7 @@ in {
       #   olcPPolicyHashCleartext = "TRUE";
       # };
 
+
       # "cn=module{0},cn=config" = {
       #   attrs = {
       #     objectClass = "olcModuleList";

hosts/mail.cloonar.com/secrets.yaml

@@ -1,5 +1,6 @@
 borg-passphrase: ENC[AES256_GCM,data:D6+ZedxUQ7m/m0YkM5m/B4kFsNySJjFyh8Gmhn3Mpe+mqEzzMRjAbwmGzx9i9Lnr1dTjRElUOgevnnvW5J2KRA==,iv:cG4w1KsEm1SOTni9bsbSW1+ypzjjs2Q42I+4xvcCAu0=,tag:WkkNVa27Uy5nFpmXaIH6ww==,type:str]
 borg-ssh-key: ENC[AES256_GCM,data:T/EPWSuY9Ocj6D8nL2pfPg7r/lN4TyS7SiAqhQhkr10Y3R2mzfgMrOZTg/MrYv3/uNCt5h9TBDxwmiAwSmBzBSms0T5qD8aSxLgbmc6MAG7FSm7cGFf6x/7fMgVn7DAlwMz+4t/PkVk1iCRG4IwzimXwBvq73yIZuAiIARq0Azin7YAoSKjxnZ8ACkyRVCecf45pk7ModRmPLSDK8MZcT7bcHpZt6gQKx72OXSCJTD5FRUX180miUaywf7SxF1goEGRSmwtFDhyVs8iThiqyz0IsElB/dPGR+vYQwlFNWOFUshfAifz5tHXkvaKt08EJKyVV2TUqEsUETfFEqQW+8YNym3wBvrlnXm05DrHnfjz9GOEeUr35d9ESNgS+J5SzWVDitK29ca7QiaQ+YfaDn4/4mOGKSbPUnqOgRBoqXhJMV4ddV0lTKgBrg9isBVPgaye2prcHGjtUkVw2Kyh1omT3RKv6y7X+jfOpeOWOiByN73PCsZF7g+FFlP0K5jcfm4y4yaD8y6NlEaozrabuCIpY2ZUdZ/aH11vzLAk+LB8XE6lJ5MKMNPjNRftErJ9iE3OaOyan1ovTzaGqzaEwGtx/MZpk5hWNUwcSrJvZDqDuKO4+OhwMedvCCRKtNFIbEZ49EJrtp326Y1EelhfWgls5nJFPXukHo/C17ybsP4uFySFz/M13RVTIRntn7WKoh0bH7na2XgVGtXmI2plqVA5zppCbVTzr9+pAAD9RvXTX7t12gA1iNmdxM8alOeoZ41JXHd6BDF4bvDLVMhFhlslDLZ3wNV/QPWcSczinpJlvEQ13/WFN/NTO25Y16p+oxY9g8QD3pNEkAVLOMYjnEUlV6+DQcZbxzU8RCfpEzfVsOqbztTihDgHD5ldWt/VpN4ncm/WCVCWBlT33iiTxufC8htY3SjXt8JULEt0049HNIbNwj1awZwqTgT4z06okf7sz0m8Y/U8D5MCu8uNpt7QJBftVHxCKSUmQ4NJRicMDhlrpEJklQYlRtsvKlL/ntnyf5ZoUnkX03AoG0zh4Dh0LydGKC9RsKfwJeU+684d3opBI9eIYL6Rp/XB60LKcUA6Q+m7BgB7Tjck2YbG8nFPLaV3PdmIejlE0agICJ8Hef8rnqdU/r6X92gCEBvGXNbuqsKJvDTYPafQP8U6rXc7Tq+g68zfCOijIuHyKjkzdtIom8KMi5MUdFBSXK22xB1q4ye+QaCaAdN/1Xe6KDxWiafPG+BkpExh7hXbqZU1MyiTYMExpilY30e+CmPXMdxAWmygOxwUk+mPbuWrF0oh16DYN0dS38gUbo2Z4fjRvYIoZea1pu8niQRfhTVgLZVpEN07pYPu2farsPCPIXPalXVcijVO/yi2Dg4uhTsjzW/aRZ6XDIoXRd59v5hG+L27l7gTIXfTx1+htwClRJjYxFy6hTL+ZjcKdNrz/jezXPrR7kRHNEEfJM/ysv8d/7Ghpt+wITgc22bdnxKJv9rWnoKDEQ/FRGm6Y/eMisOttUFFlznQi2lqShOxPXnnuOnpndklcxPM8FowlL4FMDN7QUW3kdXJ2j0GgN4o34oKhqvXjtjf9Dk5r5KB+GTeOhf3SJXgeR4llaSAQXjzGdZqk0g34YTa3qb8rVxDSBKEHOnKs+Cr/4H09k62S/3SzZfrBIaaZ6Ey1b+bFfnbJJlD/Y/1Hwd5IhNbMHj7bfOKC8VabieeHwMbWfkGdnnmdY5LLJqXAwANrCIYZrEpm38pYJiKes5GrAz8caK2rPIhAPShURwkjCsvowmadTvnEbO/KoaUIcqk40wYdM6NAlVme6dLXxeVN7Y3K6UAWFIIZtYarAog0Axncs30shIoy1CGd6dN87tuK+/twO/jr458fJInumXSMRy2X2K0MKPLONF9FcP/EWENa+H43Zcfo1y42HkoYxI70R2YqOlpbtJUk8/8PqVSlJBrbgpBZNzAMCbsIjhrBevISerf8Sa8X6WC/KjwswjfGJ7h+FEnrPutKJg/ajDywAI+RZ3H+5zWm/CZxBYT6k4w6gAWZva0Nlx6jWQExONGQfUBkrRrRfIHhWl3c+k5VrhyzwW9fmAB9XmT1iYbk9T+ZNU/O8HY1bAZWufS4G7GaHchbPIvz3edMvP+zrGBZXPPJE3abls9oUcVZ223NFU1RPMZwG7LqL0fzfHXl4zx82TEXn14dAIBBVr67RAejz5xOGf8I2MpYQ6RAxvfhc7bjWY9/FU1RU09ob7usJCZphm51oa4TR7kz0AH1HxSOGfCJKLdYjBxbylR1GxY1bUTokLVWEYHalCr6d4lyEmUHM3+1vBUQQ6aq81njW33yGvwclUvhWj4sB51WPaREcYQsPkYnftN/dRSKVQoEZckgmIvML3lUwiVMLGlXlcUViyQpktnWAWxXgw5GH6KXMqoI43jRmxTeR3KrVyZRJBlDj/AnGWOD37fndGuMdpmAIGX/1fZnUUCxNhhuou20LvOr8BnjcHP9pBjtRPxu4o9fFmnzNCt43SC2ivMDOLxL/Uq6batacYrRnLtK4XnNqzfpCqe1bkfBsmTbRGnwPIJrA7TThfHH322DLy/GueYiddIa5spqdIH2jI8nfjKq4SxLtwsNZ4GUG/z83YQEg0Z8I/CQhYh3Y8Gcjb4ZUrOg9n84iLADDOn2j9CI1QfsyJAt+qLEDPRJ9yMRefmq7BAxvGbNq+4YUbj4Fo6K2FwaO2quUVl7RpfVgT/WvXTJS4pAndPJt4PrG03X56ra3yOTtlZqPvGR+XGjp56hG5I5AtQ27JmB6S30EncH9sDLDPucNtEzn57cY90kAZSdDYjBkJ5/lC3xJOB4UiAs582UgyIiVlL/mvjXd1kajAcchfUYnjEUkgFuOoRysWDO/rq8aDFYg/jokUNOn4ent7xXzlfEXkpMZ00coZ7gi+CjKOf29+/ZE1wCfbRhBds/mCmAerWJo24vb632lTCWKImbHo36WuBAvKqofFNpVyMRQ+OKm9Bzr2jQD7W4+1CUk/ZatGVWJHCPsEGWt/L0Fj8K3NzF135c9d8aZ9HqC9XNqOKTZpNe9QSMc5S+tD1ZUxHVrDHny0fOKaWGVHtgyNkcyte0l16wet1z+xZcPCKr8ieMSqh+HgfT2/kWjpb1hlmyEDFmPnnbmhCDD2QWstX8vCa9JTdd0OLb3rTgPMlbxPPIiWQGSBc6tig7X3mZbebweRz5ktqrdMvK3ter9bVC9T2TF6EiCktxw+IdS9MONajvoGAaR2k1nGbfKDSVIKk1ialfv1FGJu1gUA8J0pvXqbrTJfSPOH4iuJrWJut0UpJeHrUuh0ODguNriBivobZeaRamUA/PPNvM5KCSUQUtefDnVINsJSoT4yXn55fkRwvb2957AfHI8yMRg9KtNIYj8i5KsEsw4gE53Lr+NU7Wq2O08+v2mUSNjP0REWgu0Dw0M4/Q9eykLV/ZRnhRcbUZyA==,iv:yA1CkRMapP1S3zMwu6Tj0/0/HHpwD1yRAm/qrZx/kPs=,tag:SYg2IoXeD9fMYb35J/AJ1Q==,type:str]
+netdata-claim-token: ENC[AES256_GCM,data:ECx8zLnU/dj08vfA76oVbVzL3JG9MLBoFmxSjtjiFbSiFtdaHtG/8u5FEuyQ1bQMQntV91xj7x1kY8fAp7VNbWyC13pOEOrt6rvJYch14eM3bqNvfGeqgJsHmAaRbY6mBrxJBkiRJBLYVil4e1oDNZVnzFQ4ditXZbMGtAV2063K1MRI/48p,iv:viE84mOp5KSdj8vdK5XxR0W9A54oPxQO5ahnpPLeAdE=,tag:WjzKjGXRRAc7vlzreFHbng==,type:str]
 openldap-rootpw: ENC[AES256_GCM,data:W0em1Dffg+IUoynwwPD4NjFksR38ZO4mhWFI83ALvYcwYIplxw/gDRLGCqbSt6TR5C65CKr1sOUiU+4Xq3UWmw==,iv:BHQhISTIYuwSM3KiSb0mEEo3BMNo6FXEDXoIvI3SZrU=,tag:tX8gfnk1JYnaNionk/jrLg==,type:str]
 dovecot-ldap-password: ENC[AES256_GCM,data:JYAt8/WggwclNEPO9CaWfQsvQBA8DDJCU2km93HpowoVwIdvQ/0lQHeXndPYe1EmJGJ3vLErie+Zn2kDINIMqQ==,iv:HR0QJ0GgQks3NzhfXwjHupCKcPOekkiTcp5Jxbz7CxI=,tag:19m7F6TjGUPOuHQJuUq2pw==,type:str]
 sops:
@@ -44,8 +45,8 @@ sops:
             eC80bWxndE85RlZGRUFTcDdaZ2J1VE0KZ0FERlT1kdUE+WxSi57YowqDQtA9BoV1
             MZoPePwGkRr27MHnPYIhoniUXC7mhQ4rqvcbFy6i1n4r1CqkRFBM3g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-08-19T12:50:38Z"
-    mac: ENC[AES256_GCM,data:4GtrWeB4m2fO+eQFt/bSoCN0MRR9XdayWLuJVdg8rBZ6iDx3Kf4qSMPsFyaTCRhNC72dCz4k9v011Yco4W6Jkd/iBm4tPHxLeldSRAtgt1X7U03ye6ZqAKZA/F5OjZMGPYsE2gypXAOkLbpQ5qeYuInWc64Ox0RTULhwzsXKxLA=,iv:SmqJUiHh0GJjegFTCXLPH3RKabvsJZ1y+EnbMnbGlOE=,tag:M+v+3GxNqiV/fnpVKn2I+g==,type:str]
+    lastmodified: "2024-07-08T11:20:50Z"
+    mac: ENC[AES256_GCM,data:GPUwpSAz6fj7mRxX1ebEb2sLAMLkQLuKPXk+B3+zZmA6+D7gAKrrBGUWHqYA9DMMY0r32OZSccGRmeKqdA7sWmzdIJTcBu8EyER1nJqVFJiXcOOdTkCLdOM4xW969YE0lBKpIAQ40E7YXYYwkI1JINneIBTuXkvIBmSQ3Bt2+ak=,iv:VEPNQxDLzxyTxkn8dI6xNDe9ESk2RojSNYYEwT+Ggas=,tag:cfUEKU3arSJl+lEOa+4iRA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

hosts/nb-new.cloonar.com/configuration.nix

@@ -73,9 +73,8 @@ in {
 
   services.openssh.enable = true;
 
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.defaultSopsFile = ./secrets.yaml;
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
 
   sops.secrets.epicenter_vpn_ca = {};
   sops.secrets.epicenter_vpn_cert = {};

hosts/nb-new.cloonar.com/users/dominik.nix

@@ -90,22 +90,22 @@ in
     home.persistence."/nix/persist/user/dominik" = {
       allowOther = true;
       directories = [
+        ".ApacheDirectoryStudio"
         ".config/github-copilot"
         ".config/libreoffice"
         ".config/Nextcloud"
         ".config/rustdesk"
         ".config/Signal"
+        ".config/sops"
         ".local/share/keyrings"
         ".mozilla"
+        ".ssh"
         ".thunderbird"
         "cloud.cloonar.com"
         "cloud.epicenter.works"
         "projects"
         "go"
       ];
-      files = [
-        ".ssh/known_hosts"
-      ];
     };
 
     gtk = {
@@ -330,6 +330,8 @@ in
     home.activation.projects = lib.hm.dag.entryAfter ["writeBoundary"] ''
       PATH="${pkgs.git}/bin:${pkgs.openssh}/bin:$PATH"
       set +eu
+      ssh-keygen -R git.cloonar.com
+      ssh-keyscan git.cloonar.com >> ~/.ssh/known_hosts
       git clone gitea@git.cloonar.com:Cloonar/support-invoiced.git /nix/persist/user/dominik/projects/cloonar/support-invoiced 2>/dev/null
       git clone gitea@git.cloonar.com:Cloonar/nixos.git /nix/persist/user/dominik/projects/cloonar/cloonar-nixos 2>/dev/null
       git clone gitea@git.cloonar.com:Cloonar/website.git /nix/persist/user/dominik/projects/cloonar/cloonar-website 2>/dev/null
@@ -343,6 +345,8 @@ in
       git clone gitea@git.cloonar.com:Cloonar/amz-frontend.git /nix/persist/user/dominik/projects/cloonar/amz/amz-frontend 2>/dev/null
       git clone gitea@git.cloonar.com:myhidden.life/web.git /nix/persist/user/dominik/projects/myhidden.life/myhidden.life-web 2>/dev/null
 
+      ssh-keygen -R gitlab.epicenter.works
+      ssh-keyscan gitlab.epicenter.works >> ~/.ssh/known_hosts
       git clone git@gitlab.epicenter.works:epicenter.works/campaigntool.git /nix/persist/user/dominik/projects/epicenter.works/campaigntool 2>/dev/null
       git clone git@gitlab.epicenter.works:epicenter.works/website.git /nix/persist/user/dominik/projects/epicenter.works/epicenter.works 2>/dev/null
       git clone git@gitlab.epicenter.works:epicenter.works/nixos.git /nix/persist/user/dominik/projects/epicenter.works/epicenter-nixos 2>/dev/null
@@ -361,51 +365,45 @@ in
       matchBlocks = {
         "git.cloonar.com" = {
           user = "git";
-          identityFile = "/nix/persist/user/dominik/.ssh/id_rsa";
           identitiesOnly = true;
         };
         "gitlab.epicenter.works" = {
           user = "git";
-          identityFile = "/nix/persist/user/dominik/.ssh/id_rsa";
           identitiesOnly = true;
         };
         "tools.epicenter.works" = {
           user = "root";
-          identityFile = "/nix/persist/user/dominik/.ssh/epicenter.id_rsa";
+          identityFile = "epicenter.id_rsa";
         };
         "*.epicenter.works !tools.epicenter.works" = {
           user = "dominik";
-          identityFile = "/nix/persist/user/dominik/.ssh/epicenter.id_rsa";
+          identityFile = "epicenter.id_rsa";
         };
         "*.dearmep.eu" = {
           user = "root";
-          identityFile = "/nix/persist/user/dominik/.ssh/epicenter.id_rsa";
+          identityFile = "epicenter.id_rsa";
         };
         "*.akvorrat.at" = {
           user = "dominik";
           setEnv = {
             TERM = "xterm-256color";
           };
-          identityFile = "/nix/persist/user/dominik/.ssh/epicenter.id_rsa";
+          identityFile = "epicenter.id_rsa";
         };
         "*.cloonar.com" = {
           user = "root";
-          identityFile = "/nix/persist/user/dominik/.ssh/id_rsa";
         };
         "*.cloonar.smart" = {
           user = "root";
-          identityFile = "/nix/persist/user/dominik/.ssh/id_rsa";
         };
         "*.wsw.at" = {
           user = "wswdpolakovics";
-          identityFile = "/nix/persist/user/dominik/.ssh/id_rsa";
           setEnv = {
             TERM = "xterm-256color";
           };
         };
         "*.nycro.net" = {
           user = "hilgenberg-gmbh.de_kk33i9d2xv"; # prod
-          identityFile = "/nix/persist/user/dominik/.ssh/id_rsa";
           #user = "hilgenberg.gmbh.de_pci2n5aqzt"; # stage
           setEnv = {
             TERM = "xterm-256color";
@@ -413,11 +411,9 @@ in
         };
         "amz-websrv-01.amz.at" = {
           user = "ebs";
-          identityFile = "/nix/persist/user/dominik/.ssh/id_rsa";
         };
         "u149513.your-backup.de" = {
           user = "u149513";
-          identityFile = "/nix/persist/user/dominik/.ssh/id_rsa";
           # user = "u149513-sub2"; # fw.cloonar.com
           port = 23;
         };