From b32c7d72b14b8d396099c589476f64bdce9f18b7 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Sun, 23 Jul 2023 09:05:13 +0200
Subject: [PATCH] add git.cloonar.com, remove old stuff
---
 .sops.yaml | 24 +-
 README.md | 10 +-
 fleet.nix | 4 +-
 hosts/git.cloonar.com/configuration.nix | 49 +++++
 hosts/git.cloonar.com/fleet.nix | 1 +
 .../hardware-configuration.nix | 30 +++
 hosts/git.cloonar.com/secrets.yaml | 31 +++
 hosts/git.cloonar.com/utils | 1 +
 hosts/nb-epicenter/configuration.nix | 207 ------------------
 hosts/nb-epicenter/hardware-configuration.nix | 63 ------
 hosts/nb-epicenter/secrets.yaml | 35 ---
 hosts/nb-epicenter/utils | 1 -
 utils/modules/drone-runner.nix | 34 ---
 utils/modules/drone-server.nix | 57 -----
 14 files changed, 130 insertions(+), 417 deletions(-)
 create mode 100644 hosts/git.cloonar.com/configuration.nix
 create mode 120000 hosts/git.cloonar.com/fleet.nix
 create mode 100644 hosts/git.cloonar.com/hardware-configuration.nix
 create mode 100644 hosts/git.cloonar.com/secrets.yaml
 create mode 120000 hosts/git.cloonar.com/utils
 delete mode 100644 hosts/nb-epicenter/configuration.nix
 delete mode 100644 hosts/nb-epicenter/hardware-configuration.nix
 delete mode 100644 hosts/nb-epicenter/secrets.yaml
 delete mode 120000 hosts/nb-epicenter/utils
 delete mode 100644 utils/modules/drone-runner.nix
 delete mode 100644 utils/modules/drone-server.nix
diff --git a/.sops.yaml b/.sops.yaml
index 3f5a435..2ea3de1 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -18,28 +18,26 @@ creation_rules: - age: - *tuxedo - *dominik - - path_regex: computers/git.cloonar.com/[^/]+\.yaml$ + - path_regex: hosts/git.cloonar.com/[^/]+\.yaml$ key_groups: - age: - - *dominik - *git-server - - path_regex: computers/web-01.cloonar.com/[^/]+\.yaml$ + - path_regex: hosts/web-01.cloonar.com/[^/]+\.yaml$ key_groups: - age: - - *dominik - *web-01-server - - path_regex: computers/home-assistant.cloonar.com/[^/]+\.yaml$ + - path_regex: hosts/home-assistant.cloonar.com/[^/]+\.yaml$ key_groups: - age: - *dominik - *home-assistant-server - - path_regex: computers/ldap.cloonar.com/[^/]+\.yaml$ + - path_regex: hosts/ldap.cloonar.com/[^/]+\.yaml$ key_groups: - age: - *dominik - *ldap-server-arm - *ldap-server-test - - path_regex: modules/lego/[^/]+\.yaml$ + - path_regex: utils/modules/lego/[^/]+\.yaml$ key_groups: - age: - *dominik @@ -50,33 +48,33 @@ creation_rules: - *ldap-server-test - *testmodules - *netboot - - path_regex: modules/bitwarden/[^/]+\.yaml$ + - path_regex: utils/modules/bitwarden/[^/]+\.yaml$ key_groups: - age: - *dominik - *web-01-server - - path_regex: modules/drone/[^/]+\.yaml$ + - path_regex: utils/modules/drone/[^/]+\.yaml$ key_groups: - age: - *dominik - *git-server - - path_regex: modules/zammad/[^/]+\.yaml$ + - path_regex: utils/modules/zammad/[^/]+\.yaml$ key_groups: - age: - *dominik - *web-01-server - - path_regex: modules/plausible/[^/]+\.yaml$ + - path_regex: utils/modules/plausible/[^/]+\.yaml$ key_groups: - age: - *dominik - *web-01-server - - path_regex: modules/openldap/[^/]+\.yaml$ + - path_regex: utils/modules/openldap/[^/]+\.yaml$ key_groups: - age: - *dominik - *ldap-server-arm - *ldap-server-test - - path_regex: modules/home-assistant/[^/]+\.yaml$ + - path_regex: utils/modules/home-assistant/[^/]+\.yaml$ key_groups: - age: - *dominik diff --git a/README.md b/README.md index 7f106e2..4e3102a 100644 --- a/README.md +++ b/README.md 
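Review bot: Dropping `- *dominik` from the `hosts/git.cloonar.com/` and `hosts/web-01.cloonar.com/` rules in the first hunk leaves each of those secrets files encrypted to a single recipient, the host's own age key, while the neighbouring home-assistant and ldap rules keep the operator key as well. With only the host key listed, a host that is rebuilt or loses its `/etc/ssh/ssh_host_ed25519_key` (which the new configuration.nix names as the sops key source) cannot recover those files, and editing them from a workstation needs that host key rather than the operator's. If that is the intent, a comment above the two rules would save the next reader from treating it as an accidental omission, e.g. `# host key only by design: no operator recipient, so no recovery path without the host key`. Either way the files matched by the changed rules need the `sops updatekeys` step the README in this commit documents, otherwise the previously listed recipients keep decrypting.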
@@ -2,22 +2,22 @@ - install ubuntu 20.04 - get age key from SSH ```console -$ nix-shell -p ssh-to-age --run 'ssh-keyscan example.com | ssh-to-age' +nix-shell -p ssh-to-age --run 'ssh-keyscan example.com | ssh-to-age' ``` - fix secrets files ```console -$ sops': nix-shell -p sops --run "sops updatekeys -y secrets.yaml" +nix-shell -p sops --run "sops updatekeys -y secrets.yaml" ``` - run install command ```console -$ ./install.sh example.com +./install.sh example.com ``` # 2. Web Server specific - change the permissions for /var/www ```console -$ chown nginx:nginx /var/www -$ chmod 755 /var/www +chown nginx:nginx /var/www +chmod 755 /var/www ``` # 3. Net data diff --git a/fleet.nix b/fleet.nix index 23ea3ad..377eafa 100644 --- a/fleet.nix +++ b/fleet.nix @@ -17,8 +17,8 @@ users = [ { - username = "nb-epicenter"; - key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"; + username = "git.cloonar.com"; + key = "ssh-rsa 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 root@git"; } ]; in { diff --git a/hosts/git.cloonar.com/configuration.nix b/hosts/git.cloonar.com/configuration.nix new file mode 100644 index 0000000..a7733fd --- /dev/null +++ b/hosts/git.cloonar.com/configuration.nix 
@@ -0,0 +1,49 @@ +{ config, pkgs, ... }: +{ + imports = [ + ./utils/modules/sops.nix + ./utils/modules/lego/lego.nix + # ./modules/gogs.nix + ./utils/modules/gitea.nix + ./utils/modules/drone/server.nix + ./utils/modules/drone/runner.nix + ./utils/modules/borgbackup.nix + ./utils/modules/netdata.nix + ./utils/modules/tang.nix + + ./fleet.nix + + ./utils/modules/autoupgrade.nix + + ./hardware-configuration.nix + ]; + + nixpkgs.overlays = [ (import ./utils/overlays/packages.nix) ]; + + sops.defaultSopsFile = ./secrets.yaml; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + + boot.loader.grub.device = "/dev/sda"; + + networking.hostName = "git"; + + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7" + ]; + + environment.systemPackages = with pkgs; [ + bento + vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + ]; + + # backups + borgbackup.repo = "u149513-sub3@u149513-sub3.your-backup.de:borg"; + + networking.firewall = { + enable = true; + allowedTCPPorts = [ 22 80 443 8000 ]; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/git.cloonar.com/fleet.nix b/hosts/git.cloonar.com/fleet.nix new file mode 120000 index 0000000..5b16de1 --- /dev/null +++ b/hosts/git.cloonar.com/fleet.nix @@ -0,0 +1 @@ +../../fleet.nix \ No newline at end of file diff --git a/hosts/git.cloonar.com/hardware-configuration.nix b/hosts/git.cloonar.com/hardware-configuration.nix new file mode 100644 index 0000000..0ee9d79 --- /dev/null +++ b/hosts/git.cloonar.com/hardware-configuration.nix 
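Review bot: `allowedTCPPorts = [ 22 80 443 8000 ];` opens 8000 with nothing on the page saying which service listens there; 22 matches the enabled openssh, 80/443 are presumably the gitea/lego front end, but no visible module binds 8000 (the deleted drone-server published `8080:80` behind nginx, not a direct port). A trailing comment such as `8000 # <service that binds it> — TODO confirm`, or dropping the port if nothing listens, would keep the firewall exposure auditable. Separately, this host imports `./utils/modules/drone/server.nix` and `./utils/modules/drone/runner.nix` in place of the deleted `utils/modules/drone-server.nix`/`drone-runner.nix`, which carried `DRONE_RPC_SECRET=super-duper-secret` as a literal; the replacement modules are not in this diff, so confirm they read the RPC secret from sops (the new `utils/modules/drone/` rule in .sops.yaml suggests so) and treat the old literal as exposed, since deleting the file does not remove it from history.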
@@ -0,0 +1,30 @@ +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/4973f85d-da13-4094-8c71-936c275e24d0"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/049162b7-81f0-4f2d-a440-5956a0958337"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/git.cloonar.com/secrets.yaml b/hosts/git.cloonar.com/secrets.yaml new file mode 100644 index 0000000..e073f9e --- /dev/null +++ b/hosts/git.cloonar.com/secrets.yaml 
@@ -0,0 +1,31 @@ +borg-passphrase: ENC[AES256_GCM,data:Rlb6pyuZjcR7qYt/O4o5AVjfZixKRWbdiHhR4wiwjLIKpPhgjO2ea2WaMP+XVcy5tDFA3Z30BxBloVIwK9rD6w==,iv:Jm9TIfxI7Tae3KN60VPrnIXvYpOCuquKB0Jf6wmp1oE=,tag:Ca/0FerPFn4+7WWhht1irw==,type:str] +borg-ssh-key: ENC[AES256_GCM,data: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,iv:D+umppfFfO+t0h4Eq4gP+gVd4n1yKxegnELWqsvQVuQ=,tag:018/WLt77v80jG1wZ5RL7g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdVh1RmFlUlh2cGFIWmR4 + WlVmaGlDcmNWVXBRTE9JbEhKZ3AxSzQ5OVdZCnhEcnp3OEZ0Nm53OWU2Q2RNUS9W + ZmFKZnpxTGpDbDRwMWhrd2xlMWRoejAKLS0tIFc0TE5Zc25rWEhzcW5ETGRGRTBN + NFlxOGtuREE2amdKL0RMWjlTcXRuWVUKuOA6ZUfypwdqtm1JEa/OgxZWLFGawzS0 + FxhhIZdb6Ha3VUEnDPjZhImZfVI23JCrT3ljCe/+/XLiIk5zoH9m1g== + -----END AGE ENCRYPTED FILE----- + - recipient: age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTenZjaUNPd1VUcXhRVzI2 + bTYzbHJvUUZlNUFwNytIWFRUanJTYzkxSVdjCmtCTTFoRDNPNXpMdHFlSzBQaEd2 + WGtvSTBGV0gxSit4aG9uNGZtKzFkRHMKLS0tIFNyaDRITDRuZi9GbVRDRUZDVFNE + ZUlvdU9scDZoUDF0VE1QSVlsMFViTDgK130O3XsnwEu05b7mS5Uf8aLBtsjHfOaH + +VaLk/0tEGxtIn4U9WFBtfvIQ3us6b3tD6D9WRS0ElyONId7j/5sQA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-11-12T17:45:33Z" + mac: ENC[AES256_GCM,data:grOUX0hyU+F717M6Y86jnHKEInjRlwDB96G6IxB0E45hNy9kT2nYfDwnevu+swhgYb0GYTqJvLbmvhNPFXtL9x3Uc8aecW96a043YhQPUvUSa0dluCYGTInL6tsiuzAqpS2UgLRdF15lx8otvnCs2Gi+77SS8U7MoaIeKaFKN5s=,iv:MYpxbmM23soEd3t5uieLuMt6hpjiRmAn1sRPeHt50/0=,tag:9GFBtyAt3DxMMJunQlLHvg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/hosts/git.cloonar.com/utils b/hosts/git.cloonar.com/utils new file mode 120000 index 0000000..6b18391 --- /dev/null +++ b/hosts/git.cloonar.com/utils 
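Review bot: The new `hosts/git.cloonar.com/secrets.yaml` carries two age recipients (`age16veg…` and `age106n5…`) and `lastmodified: "2022-11-12T17:45:33Z"`, while the `.sops.yaml` rule this commit adds for `hosts/git.cloonar.com/` lists only `*git-server`; unless that anchor expands to both keys, the file was moved from its old path without being re-keyed. Running the `sops updatekeys` step the README in this commit documents would align the recipient set with the rule; until then whichever recipient the rule no longer names can still decrypt `borg-passphrase` and `borg-ssh-key`. Whether the second recipient is the operator key dropped from the rule cannot be told from this page, so the check is worth doing before relying on the rule as the access list.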
@@ -0,0 +1 @@ +../../utils \ No newline at end of file diff --git a/hosts/nb-epicenter/configuration.nix b/hosts/nb-epicenter/configuration.nix deleted file mode 100644 index 4a8e0e3..0000000 --- a/hosts/nb-epicenter/configuration.nix +++ /dev/null 
@@ -1,207 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, ... }: -{ - nixpkgs.config.allowUnfree = true; - - imports = - [ # Include the results of the hardware scan. - # ./utils/modules/clevis.nix - - ./utils/modules/sops.nix - ./utils/modules/nur.nix - ./utils/modules/sway/sway.nix - # ./modules/gnome.nix - ./utils/modules/nvim/default.nix - ./utils/modules/autoupgrade.nix - - # ./pkgs/howdy/howdy-module.nix - # ./pkgs/howdy/ir-toggle-module.nix - - # ./modules/howdy - - ./hardware-configuration.nix - ./utils/bento.nix - ]; - - nixpkgs.overlays = [ (import ./utils/overlays/packages.nix) ]; - - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7" - ]; - - # security.sudo.wheelNeedsPassword = false; - # services.clevis.uuid = "7435d48f-f942-485b-9817-328ad3fc0b93"; - - # nixos cross building qemu - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; - boot.supportedFilesystems = [ "ntfs" ]; - # boot.plymouth.enable = true; - # boot.plymouth.theme = "breeze"; - # boot.kernelParams = ["quiet"]; - # boot.loader.systemd-boot.netbootxyz.enable = true; - # boot.plymouth.themePackages = [ pkgs.nixos-bgrt-plymouth ]; - # boot.plymouth.theme = "nixos-bgrt"; - # allow hibernation - security.protectKernelImage = false; - - nixpkgs.config.permittedInsecurePackages = [ - "openssl-1.1.1u" - "electron-13.6.9" - "nodejs-14.21.3" - ]; - - sops.defaultSopsFile = ./secrets.yaml; - 
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; - sops.age.generateKey = true; - - sops.secrets.epicenter_vpn_ca = {}; - sops.secrets.epicenter_vpn_cert = {}; - sops.secrets.epicenter_vpn_key = {}; - sops.secrets.wg_private_key = {}; - sops.secrets.wg_preshared_key = {}; - sops.secrets.wg-cloonar-key = {}; - - virtualisation.docker.enable = true; - virtualisation.virtualbox.host = { - enable = true; - enableExtensionPack = true; - }; - - networking.hostName = "ew-nb-01"; # Define your hostname. - networking.resolvconf.enable = true; - networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - networking.extraHosts = '' - 10.25.0.25 archive.zeichnemit.at epicenter.works en.epicenter.works - 10.25.0.100 download.intra.epicenter.works - 127.0.0.1 wohnservice.local mieterhilfe.local wohnpartner.local wohnberatung.local wienbautvor.local wienwohntbesser.local - 127.0.0.1 wohnservice-wien.local mieterhilfe.local wohnpartner-wien.local wohnberatung-wien.local wienbautvor.local wienwohntbesser.local - 127.0.0.1 diabetes.local - ''; - - # Set your time zone. - time.timeZone = "Europe/Vienna"; - console.keyMap = "de"; - - users.users.dominik = { - isNormalUser = true; - extraGroups = [ "wheel" "disk" "video" "audio" "mysql" "docker" "vboxusers" "networkmanager" "onepassword" "onepassword-cli" "dialout" ]; # Enable ‘sudo’ for the user. - }; - - environment.systemPackages = with pkgs; [ - bento - vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. 
- wget - docker-compose - drone-cli - wireguard-tools - libftdi1 - ]; - - environment.variables = { - TERMINAL_COMMAND = "foot"; - }; - - services.blueman.enable = true; - - services.printing.enable = true; - services.printing.drivers = [ pkgs.brlaser ]; - - services.mysql = { - enable = true; - package = pkgs.mariadb; - ensureUsers = [ - { - name = "dominik"; - ensurePermissions = { - "*.*" = "ALL PRIVILEGES"; - }; - } - ]; - }; - - system.stateVersion = "22.11"; # Did you read the comment? - - security.polkit.enable = true; - systemd = { - user.services.polkit-gnome-authentication-agent-1 = { - description = "polkit-gnome-authentication-agent-1"; - wantedBy = [ "graphical-session.target" ]; - wants = [ "graphical-session.target" ]; - after = [ "graphical-session.target" ]; - serviceConfig = { - Type = "simple"; - ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1"; - Restart = "on-failure"; - RestartSec = 1; - TimeoutStopSec = 10; - }; - }; - }; - - - # networking.firewall = { - # allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport - # # if packets are still dropped, they will show up in dmesg - # logReversePathDrops = true; - # # wireguard trips rpfilter up - # extraCommands = '' - # ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN - # ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN - # ''; - # extraStopCommands = '' - # ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true - # ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true - # ''; - # }; - # networking.wireguard.interfaces = { - # wg0 = { - # # Determines the IP address and subnet of the client's end of the tunnel interface. - # ips = [ "10.42.98.201/32" ]; - # listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) - # - # # Path to the private key file. 
- # # - # # Note: The private key can also be included inline via the privateKey option, - # # but this makes the private key world-readable; thus, using privateKeyFile is - # # recommended. - # privateKeyFile = config.sops.secrets.wg-cloonar-key.path; - # - # peers = [ - # { - # publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q="; - # allowedIPs = [ "0.0.0.0/0" ]; - # endpoint = "vpn.cloonar.com:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 - # persistentKeepalive = 25; - # } - # ]; - # }; - # }; - - # Facial recognition "Windows hello" - # services.ir-toggle.enable = true; - # services.howdy = { - # enable = true; - # device = "/dev/video2"; - # }; - nix = { - settings.auto-optimise-store = true; - # autoOptimiseStore = true; - gc = { - automatic = true; - dates = "weekly"; - options = "--delete-older-than 30d"; - }; - # Free up to 1GiB whenever there is less than 100MiB left. - extraOptions = '' - min-free = ${toString (100 * 1024 * 1024)} - max-free = ${toString (1024 * 1024 * 1024)} - ''; - }; - - -} - diff --git a/hosts/nb-epicenter/hardware-configuration.nix b/hosts/nb-epicenter/hardware-configuration.nix deleted file mode 100644 index e5cd502..0000000 --- a/hosts/nb-epicenter/hardware-configuration.nix +++ /dev/null 
@@ -1,63 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" "amdgpu" ]; - boot.kernelParams = [ "psmouse.synaptics_intertouch=0" ]; - boot.extraModulePackages = [ ]; -# Bootloader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - # Setup keyfile - boot.initrd.secrets = { - "/crypto_keyfile.bin" = null; - }; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/7c6a872a-457c-40db-9426-d9137aea48a1"; - fsType = "ext4"; - }; - - boot.initrd.luks.devices."luks-4a2ed977-1753-469b-b0d4-6d75996f21fc".device = "/dev/disk/by-uuid/4a2ed977-1753-469b-b0d4-6d75996f21fc"; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/F4F2-7864"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
- networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true; - # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - - hardware.opengl.driSupport = true; - # For 32 bit applications - hardware.opengl.driSupport32Bit = true; - - hardware.opengl.extraPackages = with pkgs; [ - amdvlk - ]; - # For 32 bit applications - # Only available on unstable - hardware.opengl.extraPackages32 = with pkgs; [ - driversi686Linux.amdvlk - ]; -} diff --git a/hosts/nb-epicenter/secrets.yaml b/hosts/nb-epicenter/secrets.yaml deleted file mode 100644 index c7fb4ee..0000000 --- a/hosts/nb-epicenter/secrets.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -epicenter_vpn_ca: ENC[AES256_GCM,data:DUvpuL92zpQkK0auXGdHDw+f5gzjMARMroBknmgR+eq1LV5aISdA0XOCw7d3VFpMtHY+tPM4pDEWlnGJDoHDJBSFAUdmbLkDq2DvoDR1RBbsidmlXpvu7UnL4OyCgrN9G3I65HQmCh64/453T0Y5MZKUiFZXn9SZJgOU3h0qOnAiIKTQADXmUo6imhLuUdPxjwiLkNp8zHNystbfUuZkF15J+TXV9yndy/E8E4sFs4uysK9E+VM84v0q75zTf48cheE+cBGI9xOP5QMvSND6MloyGYUTPZOiQyz8M9AmJObvQFryysKf5Q1W1GBiTz9FVuSsr1IM7meljdBYwfxQaA5MurdsXVFYfdRgL6NyL5x7WOd367pgtBBwuVyT+cygg5ITIBc6YTuT8thp/q0BsJkq1OdVQrLa4PK12Tg2IOUg2Za/tLJxxiNWqs1gAmTWEIGAeJWmNgCZAjJIISwTGcdbpdWqhjAEgaaLf9ZD0hUXQ5MmSO+KXzP7lIGgqCXoMEc7W7rn3R2VkIrvaVgCBK3psTg6+CxoPQwnYbUKgPLG7ys54eECJyRfc8YPH1957Q67pYkVD166ZP/sDJfplOGH19QyFnaaSLRLoXCAfWuO72NwO/fSljN4+pmB6Ev1cRCe4mXicz7TTqGG740VOam/JW4OJCrnHVs67cs9/MsVSNZOsI+x44TKJjaFph4onaodDh5P7e52IkfRnHnjK6FjEvYPasUr9YDqUR3ucHxhD9UqvINDwhp3L/zyFb2HRuO1KzEQLzmG96xiJpJxBVl8GOTeNrK2owOf6cCuh6o3iPaAFjFok26gI1ujX/mPbBigOxB6S0cLOLoA7oA+E6L22nsoYdIwjU4b6Y/DQvndgsZFnycLsSA4TRYHUH1Q51fGU3S/zAlB66rYchsw3JqODD51axxEdo5uu/2a6K9c8BSDo+stHBPmGvty6IorhM+17IGwSVrnxBFbSICja/Mi9eHmkUuUQWaXe5iWiNGYOIe0Xsbu4PQANhDE0f4U1LboVdI46uVhBV36zLSRJ5hUYARdmaz+aUSfNSE20xwCQiqd4U1cb2W6ZRER5WOfNFa8LCjk1YyhDY1yKCbo5tZrYZtmo4T47EuH/2uyW9vPtDlAhpZWmJJ0LEbZMhl9hIEAgGYmhnxPIVItJWHgq4O+YavYWvu1qgbdBC/FZJ8xx0uSy48oKCbuTUbIBUHQ37/6wp+IC+FAoYc2CDgCKzYvYjGrjMr+l/bhWE6KqI2DE/8yG4sOZIyrKNOYRq/aqDRkaeu96bLSYZECoLpohEKRNLTFQ+J8btjGX+xak0HRNEX9bxx8Zs3ml8mDKfh11uy05zPMVU4jaLrc5VtvmNdCg1EffbtEIRhi88aP5K2flRLxvSsYODd8iisqJ3CEqa8/C/FoHhWqgs7vk9UeRs46CJjGQ2Nx7UeQhAK8ey8FwqqSPQ6hp6jFnAv5ha583GZm3G8CsapajioHOpNcyYRhUW/ekdQ1E7DafOLRRO0hdWws8fsP/96uuWJ1Ir1ec2pepmh8s9zCZl/CKSU6+PUjX03Y9buZDnAYao5nDFsF5hgi2nLCTRbHnCh/S5C4NL/Lss2gi/9HdQUWr3KNONgoGbdRNS4MHtK/t9MtxQT8FOS54fM76XLygYZhQEQuDHUr3vaihOPKXncPNx+M4IGd+tsOoGADfpZk7W4OLd5jl8OiCulKvmRXzGCrmyofifh6XBE/EDa97j4eXt/fZPhUh+kv7i39mLKiccPUqpq9WYA/pqlMc84PAsewRerk3Z7jygFb2oX8LwYX2vDer565q+74n/y+oqz/CQ7jypoGBC8f9a16h2e2ZuvjQZ2sUdBB0xKwmLHC5mXLRkJYZ8Myt0Bzp0iVnC8P,iv:0GfL3sG36nsg/4BPw32kKMB78TmbN+mLq/mqEFp0yas=,tag
:x+kxJsS+Fn7VO3MlOmqgwQ==,type:str] -epicenter_vpn_cert: ENC[AES256_GCM,data:y94SNCZISKCGbG3dtMZKPntzHvmvAK9fr0+TASNUPp+RG0o7sWRZHrAk+zs4x6tTJpRMCN3VJUzH0bkSHrsKHsYLwVOT5Sb3l7y0CUjjT463NWj1ZipaMU94NRbtDC6Q4sMkFQPaLEefaOhjQu2a2qMx0FkQ9OA3T4f4u5GVN72/PTftHw3SybhptlF5L1e3Q69J3H0uVGRuXmmrws6HcLb2th9sAYPAi82yEimdzPa154DKIRcBY78QVkRz4X7VVyLFY3X34TMvGTmKP7MsW5lApVd/qoML0MkqvrWdEClMWG7i4jMRjSUSRIVr33DE8ds4aBx565tKQ9rVZT7KPZU7IbFqgKP6TQN8w7g5mY3aImPlRMB/xb7V8a+qBScOgBiwCgdAnz+PKGaCwcaBba80q0m/gONkxgVy+QKLLdALjb3iUpKiGvWFLwsKr/hQ1O0h7MBFDTGqWniiXZbyb39HABZNVtKAC/4qouG/G+hP6fpk/+TMtjRNSh6wWtyiYvTeFOtCWfi6YEC7IZFautr3vcu24soA+Q4vFwYr6lIEPnQYlpBCr/TLVzEvxWEjsR8G2RaBSWGm2E0tre8qVSFkJwz+niL8FQgaQTjnsYmJGHFS8sxseGuAakuSH+gzopc75H6y2pEnZrpQMOMyDq0GMkIW8xGk7x5Ewq1DZ8ji13Y8xtnbLqiJkhPc19JDoXdpls/40K4Ymrz6dOO8zxzvW8SHF47gOYvp+a5d3vqwXFZH2qDUvdScV5eATmK8ltfGod9PbZWgFzhp336dkba5aAspXlyzAlRRqrVhvpff+V8cyHTIz9qA8fhXv+v2pN0E/Es1NTJhtQo09OGnZn82lfVyR93hLtr6AgbDggwhvAOlJr/pAt0YZ5FhehhhnH0+ekUJC0YemUMj0QVbpxIWc4rt5n7nqewSHC8feo6Zfc4NHfE8sWemGGm2sUOdf6C2F9k0h+Snwfyu95XIWccMAC/Ii14ciu/nj0L67bbj8XAECjWCIlhhCJcMXlpxfU3lZX7zEy4WH+IqV1399KmtvUssuObBb9uAMwHjZl0l2GVQPo3clDea2ZP5HDO9B3kWRqpvIrjawh4IM73O43jbIDgjNXMijnH0GJu8FH8igS+7JOhRHrOBQiNc0unx6EgAfXHo3v6o8ktzbtRcUwU8k+wldU1cu9ugpVpG9j8O+zvPYkaH+0xfdAdxDKXz+4e8462O5zr3IVRp63CBBNtnTn6fcwnxgD9ouhgyyLBylzrwCmRAODHyukJovkNARWmhcYCAnYhrYf9KqaCoeRLmFq8sLMeiYGDTJ/+PTyheZMHboaoZbUbnRtrvuXQiCHqDKxSan0OACW+oXgCBgZSshj8lb58A+zjpMVy4Wis8s6K9HFpiPSP4tmHxXvOod2+qL/eZBV4LhLoahO0gg3+DUPTeJVO+4I7YZYLVXBhf0OC7z8jMGf8Q4SjO8p6Vufx2KXIEpcITto0IJFsIAv9UVfsKVyvVeuGaGGi8VQWhexdQxjDtoURRts91EFNpJ86o9HPbQCAWXBx9hlnBH2zZntqPd5eVA57s67i1dWpuudD/oBzGn3fBv3Fck9tpArMNSrOtbtl3sBc6Calo/5+HWSY4tz1Hnrlv0/IxD2EcgzH5dFu6klTn3gaMdgd288/kRPDzfdcVGqlvV8rQJjTD1XN48FK/Zp2ydCede+SKLidqrqz1ISXOwsya0ivfc4Vdk3hhnnkTnqZT3qR88Z69X+9QkYCVNaoojTiBoRCekqNDI3Ev8MKp1eX0E3rXT3AG3E7xEFGulhe2C9RdMwQg0QG/Ws7n/CtTeVwpv+JG73TlDnBzoVHN6fqKBVchbGPtcObM90N2itJ/wf3jXefhrrsQudLch+Mwp72YcvCKqOMsrO3egvNxIiLKrrVOI8b
uo0NJrPoQE3/+rZQFzx2r0AHkrwEUHGUvr2oHDJyXwSY2/7zCYbewN44Zjo7n5ofOhSUsaGJNySHgC6V74gyU0UCUEBnF8fZK/Y6QgdtT9gApHVtJwXRvLig2P11bIlyWZjISRaAVAUAMKdS8ir8l+P3NL8kBZstfpH2eeYFHIWeZ7VrVTs4CaHDzkyMizui0EBfvf5irWeJvIekCWnetfo047QKJvrKr+6239QxH5ni7wlzWxiZNcewaOfCK2SqOvYz6NIRp+/blZuxL2pXhTInB/XxbP2zHH64dC8AVvViU8bI2DR/HhzbbpEylzD4ttvil7hLt6AMpugFrmAgWd6JU5yM9lXoTSprmXZ7awYTLcQlCQu9cUNXF0JdtELA/oQipEEUz+2lRt3B+0abYGVWb,iv:MVId1jgmyhY/iUxnjca5IpYwlzUAsa6Nwchg52AKgRc=,tag:1RASj3dFAYVNphJ4zjXxtA==,type:str] -epicenter_vpn_key: ENC[AES256_GCM,data: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,iv:pB/cNgmHi14ugi6kd+J6poWXX79LMHiiakNa03ibZ0Q=,tag:nLfjOesXDm5/QtwHznJROw==,type:str] -wg_private_key: ENC[AES256_GCM,data:A80vGf9aMxowC2xME4FIVTmKpSRLNB2tWiUQeP1v8vCRk6Gt8BKYOuXYt04=,iv:vr7qvfr78syrI5pIytjLouPwZcw4xvBTvEUzzv7ibnQ=,tag:qjALlFkd8JocLJqMKFERaw==,type:str] -wg_preshared_key: ENC[AES256_GCM,data:bhXoD95ahDRawoHd5Z35FY0G6Xv0PHwWJf300fHQ5jNsGN1TQKHsIswx8YI=,iv:fBsIWkVZUt8pahuO9daaRBIEEIWsSnFW5Velj9uP2ZY=,tag:RvbCYhnRv0OrjTxjsNFW6g==,type:str] -wg-cloonar-key: ENC[AES256_GCM,data:ZMEeIZApOD0ij3nPMZeQRwJ4MwVx0sHu08F+m/u6IMHBGid5YwMgxZ7qbLk=,iv:OfIZ9TqBLjToIQi7zRUBATrynBtu0bzXeGVI/EAUPhQ=,tag:mJICT/ak5U76JE/IxJsCKw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age17c4swm58zt07axl5u6kkxrwtr5haqkvu4ye4t98qdph98qdclgtq2cyzkq - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5YU9aUnQ0UGFpQXd1K2Iv - L2N6SGxHdUFyYWJ1VXJaYVhSWXc4cWxCR2swCjAveDVHOTlZUFFTTmpsWVZBL2pK - WC9RQXBzSnhCRER6YUxOYUhsYlVkdXMKLS0tIDBQbEd5cEZaL0hPYnRuTko0K0xj - eG5OS3VxejJ5TlRzZ3J5bEpOYUdYVkEKa2vD9530ZmtJF4WpR5RG7pE28ItBbGl5 - p1+5ywz1j2VPLNLEPMJ5b2T+XlqsG5k7gagGVQkkCcwEUEF+PH7MwQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRFVuLyt2YnFMWktPRzd2 - 
V1prSDlhVGtJQlVPdjNZWitib3RGLy93UndjCjZzSnlHd2V0MUZJU2laaDM0QWNw - S25sQ0pGSzhic1V3ZHVnaVZGUzZ1Q2sKLS0tIHVtNjFLSGtIbGdmKzlDVTlhYXRO - QTVtNWg4NnV2d0l5ZXpnblFlQXpVRXMKL6ra16PdbJiw0vqo4wA/AwN48rGSDcWD - B9xb/vORVGhGbbQvZmqMHcegkYSydprGPI/Xc2JcKyOUy4oimvrgQw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-30T08:33:24Z" - mac: ENC[AES256_GCM,data:/vJdDVpv+iM66wANeLLl+CPtg2j1OCyKlGHhsQQT/RphUj4IlIsjKj+j59lmM6bRBfebTTRt1scFgz8CCPoyfSH0KrAyPLPs1SPxZT6Le87PkmO2rfH0MpNCrBDUdtpMgKs+kbxSzbqnh6X3+juXnOL3oUB3K0cdF6hAr4cP5xU=,iv:3IxaC/8y8FwKxO3mPP7f/byjYih3O6zZU6HJK2cAPvw=,tag:g8crhgnYs670wLPcC3HIhw==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/hosts/nb-epicenter/utils b/hosts/nb-epicenter/utils deleted file mode 120000 index 7d6b64a..0000000 --- a/hosts/nb-epicenter/utils +++ /dev/null @@ -1 +0,0 @@ -../../utils/ \ No newline at end of file diff --git a/utils/modules/drone-runner.nix b/utils/modules/drone-runner.nix deleted file mode 100644 index 04ba91a..0000000 --- a/utils/modules/drone-runner.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ pkgs, ... }: - -{ - virtualisation.docker.enable = true; - - systemd.services.drone-runner = { - description = "Drone Server (CI CD Service)"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.docker ]; - - serviceConfig = { - # Type = "simple"; - Name = "drone-runner"; - User = "drone-server"; - Group = "drone-server"; - Restart = "always"; - ExecStartPre= '' - -${pkgs.docker}/bin/docker stop %n \ - -${pkgs.docker}/bin/docker rm %n \ - ${pkgs.docker}/bin/docker pull drone/drone:1 - ''; - ExecStart= '' - ${pkgs.docker}/bin/docker run --rm --name %n \ - --volume=/var/run/docker.sock:/var/run/docker.sock \ - --env=DRONE_RPC_PROTO=https \ - --env=DRONE_RPC_HOST=drone.cloonar.com \ - --env=DRONE_RPC_SECRET=super-duper-secret \ - --env=DRONE_RUNNER_CAPACITY=2 \ - drone/drone-runner-docker:1 - ''; - }; - }; -} 
diff --git a/utils/modules/drone-server.nix b/utils/modules/drone-server.nix deleted file mode 100644 index 9be2448..0000000 --- a/utils/modules/drone-server.nix +++ /dev/null @@ -1,57 +0,0 @@ -{ config, pkgs, ... }: - -{ - virtualisation.docker.enable = true; - - users.users.drone-server = { - isSystemUser = true; - group = "drone-server"; - home = "/var/lib/drone-server"; - createHome = true; - }; - users.groups.drone-server = { }; - users.groups.docker.members = [ "drone-server" ]; - - systemd.services.drone-server = { - description = "Drone Server (CI CD Service)"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.docker ]; - - serviceConfig = { - # Type = "simple"; - Name = "drone-server"; - User = "drone-server"; - Group = "drone-server"; - Restart = "always"; - ExecStartPre= '' - -${pkgs.docker}/bin/docker stop %n \ - -${pkgs.docker}/bin/docker rm %n \ - ${pkgs.docker}/bin/docker pull drone/drone:1 - ''; - ExecStart= '' - ${pkgs.docker}/bin/docker run --rm --name %n \ - --env=DRONE_AGENTS_ENABLED=true \ - --env=DRONE_GOGS_SERVER=https://git.cloonar.com \ - --env=DRONE_GIT_ALWAYS_AUTH=true \ - --env=DRONE_RPC_SECRET=super-duper-secret \ - --env=DRONE_SERVER_HOST=drone.cloonar.com \ - --env=DRONE_SERVER_PROTO=https \ - --env=DRONE_USER_CREATE=username:dominik.polakovics,admin:true \ - -v /var/lib/drone-server:/data \ - --publish=8080:80 \ - drone/drone:2 - ''; - }; - }; - - services.nginx.enable = true; - services.nginx.virtualHosts."drone.cloonar.com" = { - forceSSL = true; - enableACME = true; - acmeRoot = null; - locations."/" = { - proxyPass = "http://localhost:8080"; - }; - }; -}