diff --git a/.sops.yaml b/.sops.yaml
index 774d249..2ca6692 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,6 +3,7 @@
 # Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
 # for a more complex example.
 keys:
+ - &bitwarden age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7 # nixos age key
 - &dominik age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
 - &dominik2 age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
 - &git-server age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58
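Review bot: The new `&bitwarden` recipient is described only as `# nixos age key`, which says neither where its private half is held nor who can use it, yet it is added to every creation rule visible in this diff and so can decrypt every secret in the repository. The anchor name (`bitwarden`) and the comment (`nixos`) also point in different directions, so a reader cannot tell whether this is a host key or a vault-held recovery key. A comment along the lines of `# master/recovery recipient; private key stored in <vault location>, holders: <names>` would make the trust decision explicit.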
@@ -14,56 +15,80 @@ keys:
 - &testmodules age1zkzpnfeakyvg3fqtyay32sushjx2hqe28y6hs6ss7plemzqjqa5s6s5yu3
 - &ldap-server-arm age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
 - &fw age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df
+ - &fw-new age12msc2c6drsaw0yk2hjlaw0q0lyq0emjx5e8rq7qc7ql689k593kqfmhss2
 - &netboot age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw
 creation_rules:
 - path_regex: ^[^/]+\.yaml$
 key_groups:
 - age:
+ - *bitwarden
 - *dominik
 - *dominik2
 - path_regex: hosts/nb-01.cloonar.com/[^/]+\.yaml$
 key_groups:
 - age:
+ - *bitwarden
 - *dominik
 - *dominik2
 - path_regex: hosts/nb-new.cloonar.com/[^/]+\.yaml$
 key_groups:
 - age:
+ - *bitwarden
 - *dominik
 - *dominik2
 - path_regex: hosts/fw.cloonar.com/[^/]+\.yaml$
 key_groups:
 - age:
+ - *bitwarden
 - *dominik
 - *dominik2
 - *fw
+ - path_regex: hosts/fw-new/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *bitwarden
+ - *dominik
+ - *dominik2
+ - *fw-new
 - path_regex: hosts/fw.cloonar.com/modules/web/[^/]+\.yaml$
 key_groups:
 - age:
+ - *bitwarden
 - *dominik
 - *web-02
 - path_regex: hosts/web-01.cloonar.com/[^/]+\.yaml$
 key_groups:
 - age:
+ - *bitwarden
 - *dominik
 - *dominik2
 - *web-01-server
 - path_regex: hosts/web-arm/[^/]+\.yaml$
 key_groups:
 - age:
+ - *bitwarden
 - *dominik
 - *dominik2
 - *web-arm
 - path_regex: hosts/mail.cloonar.com/[^/]+\.yaml$
 key_groups:
 - age:
+ - *bitwarden
 - *dominik
 - *dominik2
 - *ldap-server-arm
 - *ldap-server-test
+ - path_regex: hosts/mail.social-grow.tech/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *bitwarden
+ - *dominik
+ - *dominik2
+ - *mail.social-grow.tech
 - path_regex: utils/modules/lego/[^/]+\.yaml$
 key_groups:
 - age:
+ - *bitwarden
 - *dominik
 - *dominik2
 - *git-server
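Review bot: Adding `*bitwarden` (and `*fw-new`) to the `creation_rules` entries here and in the three .sops.yaml hunks that follow only changes the recipients of files created from now on; every existing encrypted file keeps its old recipient set until `sops updatekeys` is run on it, so neither key can decrypt anything yet. Separately, the new `hosts/mail.social-grow.tech/` rule references `*mail.social-grow.tech`, but no `&mail.social-grow.tech` anchor appears in the visible hunks; if it is not defined in the unchanged part of `keys:`, sops will refuse to parse the config. A comment near `creation_rules:` such as `# after changing recipients run: sops updatekeys <file> on every existing secret` would record the required follow-up.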
@@ -76,27 +101,32 @@ creation_rules:
 - *testmodules
 - *netboot
 - *fw
+ - *fw-new
 - path_regex: hosts/web-01.cloonar.com/modules/bitwarden/[^/]+\.yaml$
 key_groups:
 - age:
+ - *bitwarden
 - *dominik
 - *dominik2
 - *web-01-server
 - path_regex: hosts/web-01.cloonar.com/modules/zammad/[^/]+\.yaml$
 key_groups:
 - age:
+ - *bitwarden
 - *dominik
 - *dominik2
 - *web-01-server
 - path_regex: utils/modules/plausible/[^/]+\.yaml$
 key_groups:
 - age:
+ - *bitwarden
 - *dominik
 - *dominik2
 - *web-01-server
 - path_regex: utils/modules/promtail/[^/]+\.yaml$
 key_groups:
 - age:
+ - *bitwarden
 - *dominik
 - *dominik2
 - *git-server
@@ -108,9 +138,11 @@ creation_rules:
 - *testmodules
 - *netboot
 - *fw
+ - *fw-new
 - path_regex: utils/modules/victoriametrics/[^/]+\.yaml$
 key_groups:
 - age:
+ - *bitwarden
 - *dominik
 - *dominik2
 - *git-server
@@ -122,3 +154,4 @@ creation_rules:
 - *testmodules
 - *netboot
 - *fw
+ - *fw-new
diff --git a/fömi-tool.md b/fömi-tool.md
new file mode 100644
index 0000000..428bd66
--- /dev/null
+++ b/fömi-tool.md
@@ -0,0 +1 @@
+dialogmail löscht personen die in keiner gruppe sind nach 2 wochen automatisch
diff --git a/hosts/fw-new.cloonar.com/modules/gitea-vm.nix b/hosts/fw-new.cloonar.com/modules/gitea-vm.nix
deleted file mode 100644
index 6da9b20..0000000
--- a/hosts/fw-new.cloonar.com/modules/gitea-vm.nix
+++ /dev/null
@@ -1,169 +0,0 @@ -{ nixpkgs, pkgs, ... }: let - hostname = "git-02"; - json = pkgs.formats.json { }; -in { - microvm.vms = { - # gitea = { - # config = { - # microvm = { - # hypervisor = "cloud-hypervisor"; - # shares = [ - # { - # source = "/nix/store"; - # mountPoint = "/nix/.ro-store"; - # tag = "ro-store"; - # proto = "virtiofs"; - # } - # { - # source = "/var/lib/acme/git.cloonar.com"; - # mountPoint = "/var/lib/acme/${hostname}.cloonar.com"; - # tag = "ro-cert"; - # proto = "virtiofs"; - # } - # ]; - # interfaces = [ - # { - # type = "tap"; - # id = "vm-${hostname}"; - # mac = "02:00:00:00:00:01"; - # } - # ]; - # }; - # - # imports = [ - # ../fleet.nix - # ]; - # - # environment.systemPackages = with pkgs; [ - # vim # my preferred editor - # ]; - # - # networking = { - # hostName = hostname; - # firewall = { - # enable = true; - # allowedTCPPorts = [ 22 80 443 ]; - # }; - # }; - # - # services.nginx.enable = true; - # services.nginx.virtualHosts."${hostname}.cloonar.com" = { - # sslCertificate = "/var/lib/acme/${hostname}.cloonar.com/fullchain.pem"; - # sslCertificateKey = "/var/lib/acme/${hostname}.cloonar.com/key.pem"; - # sslTrustedCertificate = "/var/lib/acme/${hostname}.cloonar.com/chain.pem"; - # forceSSL = true; - # locations."/" = { - # proxyPass = "http://localhost:3001/"; - # }; - # }; - # - # services.gitea = { - # enable = true; - # appName = "Cloonar Gitea server"; # Give the site a name - # settings = { - # server = { - # ROOT_URL = "https://${hostname}.cloonar.com/"; - # HTTP_PORT = 3001; - # DOMAIN = "${hostname}.cloonar.com"; - # }; - # openid = { - # ENABLE_OPENID_SIGNIN = true; - # ENABLE_OPENID_SIGNUP = true; - # WHITELISTED_URIS = "auth.cloonar.com"; - # }; - # service = { - # DISABLE_REGISTRATION = true; - # ALLOW_ONLY_EXTERNAL_REGISTRATION = true; - # SHOW_REGISTRATION_BUTTON = false; - # }; - # actions.ENABLED=true; - # }; - # }; - # - # services.openssh.enable = true; - # users.users.root.openssh.authorizedKeys.keys = [ - # "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7" - # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius" - # ]; - # - # system.stateVersion = "22.05"; - # }; - # }; - - gitea-runner = { - config = { - microvm = { - mem = 12288; - shares = [ - { - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - tag = "ro-store"; - proto = "virtiofs"; - } - { - source = "/run/secrets"; - mountPoint = "/run/secrets"; - tag = "ro-token"; - proto = "virtiofs"; - } - ]; - volumes = [ - { - image = "rootfs.img"; - mountPoint = "/"; - size = 102400; - } - ]; - interfaces = [ - { - type = "tap"; - id = "vm-gitea-runner"; - mac = "02:00:00:00:00:02"; - } - ]; - }; - - environment.systemPackages = with pkgs; [ - vim # my preferred editor - ]; - - networking.hostName = "gitea-runner"; - - virtualisation.podman.enable = true; - - services.gitea-actions-runner.instances.vm = { - enable = true; - url = "https://git.cloonar.com"; - name = "vm"; - tokenFile = "/run/secrets/gitea-runner-token"; - labels = [ - "ubuntu-latest:docker://shivammathur/node:latest" - ]; - settings = { - container = { - network = "podman"; - }; - }; - }; - - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7" - "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
- ];
-
- system.stateVersion = "22.05";
- };
- };
- };
-
- sops.secrets.gitea-runner-token = {};
-
- environment = {
- systemPackages = [
- pkgs.qemu
- pkgs.quickemu
- ];
- };
-}
diff --git a/hosts/fw-new/channel b/hosts/fw-new/channel
new file mode 100644
index 0000000..cc447dc
--- /dev/null
+++ b/hosts/fw-new/channel
@@ -0,0 +1 @@
+https://channels.nixos.org/nixos-23.11
diff --git a/hosts/fw-new.cloonar.com/configuration.nix b/hosts/fw-new/configuration.nix
similarity index 65%
rename from hosts/fw-new.cloonar.com/configuration.nix
rename to hosts/fw-new/configuration.nix
index 49424a8..c21bea0 100644
--- a/hosts/fw-new.cloonar.com/configuration.nix
+++ b/hosts/fw-new/configuration.nix
@@ -1,4 +1,5 @@
 { lib, pkgs, ... }: {
+
 imports = [
 ./fleet.nix
 ./utils/bento.nix
@@ -9,20 +10,20 @@
 ./utils/modules/autoupgrade.nix
 ./utils/modules/promtail
- ./utils/modules/borgbackup.nix
+ # ./utils/modules/borgbackup.nix
 # ./utils/modules/netdata.nix
 # fw
 ./modules/networking.nix
 ./modules/firewall.nix
- ./modules/dhcp4.nix
+ # ./modules/dhcp4.nix
 ./modules/unbound.nix
 ./modules/avahi.nix
 ./modules/openconnect.nix
 ./modules/wireguard.nix
 ./modules/podman.nix
 ./modules/omada.nix
- ./modules/ddclient.nix
+ # ./modules/ddclient.nix
 # ./modules/wol.nix
 # microvm
@@ -33,30 +34,26 @@
 ./modules/web
 # git
- ./modules/gitea.nix
+ # ./modules/gitea.nix
 ./modules/fwmetrics.nix
 # ./modules/firefox-sync.nix
-
+
 # home assistant
 ./modules/home-assistant
- ./modules/deconz.nix
+ # ./modules/deconz.nix
 # ./modules/mopidy.nix
- # ./modules/mosquitto.nix
+ ./modules/mosquitto.nix
 ./modules/snapserver.nix
 # gaming
- ./modules/palworld.nix
+ # ./modules/palworld.nix
 # ./modules/ark-survival-evolved.nix
 ./hardware-configuration.nix
 ];
- nixpkgs.overlays = [
- (import ./utils/overlays/packages.nix)
- ];
-
 nixpkgs.config.permittedInsecurePackages = [
 "openssl-1.1.1w"
 ];
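Review bot: Six module imports are turned into comments in the `@@ -9,20` and `@@ -33,30` hunks (`borgbackup.nix`, `dhcp4.nix`, `ddclient.nix`, `gitea.nix`, `deconz.nix`, `palworld.nix`) with no note of why or when they come back, so a later reader cannot distinguish a temporary disable from a retirement. The borgbackup one matters most because it switches off backups for this host (its `borgbackup.repo` setting is also commented out in the `@@ -126,8` hunk), and `dhcp4.nix` and `ddclient.nix` are still edited later in this same commit even though they are no longer imported. A trailing comment per line, e.g. `# ./utils/modules/borgbackup.nix  # disabled: <reason>; re-enable when <condition>`, would document the intended state.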
@@ -67,13 +64,11 @@
 time.timeZone = "Europe/Vienna";
- services.logind.extraConfig = "RuntimeDirectorySize=2G";
-
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 sops.defaultSopsFile = ./secrets.yaml;
-
+
 environment.systemPackages = with pkgs; [
- bento
+ # bento
 conntrack-tools # view network connection states
 ethtool # manage NIC settings (offload, NIC feeatures, ...)
 git
@@ -89,36 +84,15 @@
 options = "--delete-older-than 60d";
 };
- services.auto-cpufreq.enable = true;
- services.auto-cpufreq.settings = {
- charger = {
- governor = "powersave";
- turbo = "auto";
- };
- };
+ # services.auto-cpufreq.enable = true;
+ # services.auto-cpufreq.settings = {
+ # charger = {
+ # governor = "powersave";
+ # turbo = "auto";
+ # };
+ # };
- boot = {
- kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./pkgs/kernel/vendor.nix {});
-
- # kernelParams copy from Armbian's /boot/armbianEnv.txt & /boot/boot.cmd
- kernelParams = [
- "rootwait"
-
- "earlycon" # enable early console, so we can see the boot messages via serial port / HDMI
- "consoleblank=0" # disable console blanking(screen saver)
- "console=ttyS2,1500000" # serial port
- "console=tty1" # HDMI
-
- # docker optimizations
- "cgroup_enable=cpuset"
- "cgroup_memory=1"
- "cgroup_enable=memory"
- "swapaccount=1"
- ];
- };
-
- boot.tmp.cleanOnBoot = true;
- zramSwap.enable = true;
+ # zramSwap.enable = true;
 networking.hostName = "fw-new";
 services.openssh.enable = true;
 users.users.root.openssh.authorizedKeys.keys = [
@@ -126,8 +100,10 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
 ];
+ services.logind.extraConfig = "RuntimeDirectorySize=8G";
+
 # backups
- borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg";
+ # borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg";
 system.stateVersion = "23.11";
 }
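Review bot: `boot.tmp.cleanOnBoot = true;` is removed in the `@@ -89,36` hunk together with the `boot` block, but unlike `kernelPackages` (which reappears in hardware-configuration.nix in this commit) it is not re-added in any visible hunk, so /tmp presumably stops being cleared at boot unless that is set elsewhere; if unintended, restore `boot.tmp.cleanOnBoot = true;` next to the other `boot` settings in hardware-configuration.nix. In the same hunk `zramSwap.enable` becomes a comment and in `@@ -126,8` `RuntimeDirectorySize` grows from 2G to 8G, both without a stated reason; a one-line comment on each, e.g. `# zram disabled: <reason>`, would save the next reader from guessing.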
diff --git a/hosts/fw-new.cloonar.com/fleet.nix b/hosts/fw-new/fleet.nix
similarity index 100%
rename from hosts/fw-new.cloonar.com/fleet.nix
rename to hosts/fw-new/fleet.nix
diff --git a/hosts/fw-new.cloonar.com/hardware-configuration.nix b/hosts/fw-new/hardware-configuration.nix
similarity index 90%
rename from hosts/fw-new.cloonar.com/hardware-configuration.nix
rename to hosts/fw-new/hardware-configuration.nix
index 9957eeb..8555557 100644
--- a/hosts/fw-new.cloonar.com/hardware-configuration.nix
+++ b/hosts/fw-new/hardware-configuration.nix
@@ -4,19 +4,19 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 boot = {
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = true;
+ kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./pkgs/kernel/vendor.nix {});
+ kernel.sysctl = {
+ "kernel.printk" = "1 4 1 7";
+ };
 supportedFilesystems = lib.mkForce [ "vfat" "fat32" "exfat" "ext4" "btrfs" ];
 initrd.includeDefaultModules = lib.mkForce false;
- initrd.availableKernelModules = lib.mkForce [ "nvme" "mmc_block" "usbhid" "hid" "input_leds" ];
- initrd.kernelModules = [ ];
- kernelModules = [ ];
- extraModulePackages = [ ];
- kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./pkgs/kernel/vendor.nix {});
+ initrd.availableKernelModules = lib.mkForce [ "nvme" "mmc_block" "hid" "dm_mod" "dm_crypt" "input_leds" ];
 # kernelParams copy from Armbian's /boot/armbianEnv.txt & /boot/boot.cmd
 kernelParams = [
@@ -43,7 +43,7 @@
 ];
 };
- enableRedistributableFirmware = true;
+ enableRedistributableFirmware = lib.mkForce true;
 firmware = [
 (pkgs.callPackage ./pkgs/orangepi-firmware {})
 ];
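Review bot: `dm_mod` and `dm_crypt` are added to `initrd.availableKernelModules` while `usbhid` is dropped from the same list, and `initrd.includeDefaultModules = lib.mkForce false` stays, so nothing else will pull a USB keyboard driver into the initrd. If the dm_crypt addition means a LUKS volume is to be unlocked at boot, no `boot.initrd.luks` configuration appears in the visible hunks and a passphrase prompt would presumably have no usable USB keyboard; worth confirming, and worth a comment on that line such as `# dm_mod/dm_crypt: <what is encrypted>; usbhid dropped because <reason>`. The added `"kernel.printk" = "1 4 1 7"` and the removed `not-detected.nix` import also deserve a one-line note on intent. The `boot` attribute set continues outside the hunk.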
diff --git a/hosts/fw-new.cloonar.com/modules/ark-survival-evolved.nix b/hosts/fw-new/modules/ark-survival-evolved.nix
similarity index 100%
rename from hosts/fw-new.cloonar.com/modules/ark-survival-evolved.nix
rename to hosts/fw-new/modules/ark-survival-evolved.nix
diff --git a/hosts/fw-new.cloonar.com/modules/avahi.nix b/hosts/fw-new/modules/avahi.nix
similarity index 100%
rename from hosts/fw-new.cloonar.com/modules/avahi.nix
rename to hosts/fw-new/modules/avahi.nix
diff --git a/hosts/fw-new.cloonar.com/modules/ddclient.nix b/hosts/fw-new/modules/ddclient.nix
similarity index 95%
rename from hosts/fw-new.cloonar.com/modules/ddclient.nix
rename to hosts/fw-new/modules/ddclient.nix
index 1e27c0c..3a3eb01 100644
--- a/hosts/fw-new.cloonar.com/modules/ddclient.nix
+++ b/hosts/fw-new/modules/ddclient.nix
@@ -13,6 +13,7 @@
 "vpn.cloonar.com"
 "git.cloonar.com"
 "palworld.cloonar.com"
+ "matrix.cloonar.com"
 ];
 };
diff --git a/hosts/fw-new.cloonar.com/modules/deconz.nix b/hosts/fw-new/modules/deconz.nix
similarity index 100%
rename from hosts/fw-new.cloonar.com/modules/deconz.nix
rename to hosts/fw-new/modules/deconz.nix
diff --git a/hosts/fw-new.cloonar.com/modules/dhcp4.nix b/hosts/fw-new/modules/dhcp4.nix
similarity index 78%
rename from hosts/fw-new.cloonar.com/modules/dhcp4.nix
rename to hosts/fw-new/modules/dhcp4.nix
index d37b611..575109c 100644
--- a/hosts/fw-new.cloonar.com/modules/dhcp4.nix
+++ b/hosts/fw-new/modules/dhcp4.nix
@@ -23,15 +23,15 @@
 {
 pools = [
 {
- pool = "10.42.96.100 - 10.42.96.240";
+ pool = "10.42.112.100 - 10.42.112.240";
 }
 ];
- subnet = "10.42.96.0/24";
+ subnet = "10.42.112.0/24";
 interface = "lan";
 option-data = [
 {
 name = "routers";
- data = "10.42.96.1";
+ data = "10.42.112.1";
 }
 {
 name = "domain-name";
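Review bot: `"matrix.cloonar.com"` is added to the ddclient domain list, but this same commit turns `./modules/ddclient.nix` into a comment in hosts/fw-new/configuration.nix, so on the new side the module is not imported and the new record is never registered. If the module is meant to return, a comment on the import line saying when would make that clear; if ddclient is retired, this edit is dead code. The dhcp4.nix hunks that follow are in the same situation, since `./modules/dhcp4.nix` is also commented out there. The enclosing attribute sets of both files start and end outside the hunks.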
@@ -43,18 +43,18 @@
 }
 {
 name = "domain-name-servers";
- data = "10.42.96.1";
+ data = "10.42.112.1";
 }
 ];
 reservations = [
 {
 hw-address = "04:7c:16:d5:63:5e";
- ip-address = "10.42.96.5";
+ ip-address = "10.42.112.5";
 server-hostname = "omada.cloonar.com";
 }
 {
 hw-address = "30:05:5c:56:62:37";
- ip-address = "10.42.96.100";
+ ip-address = "10.42.112.100";
 server-hostname = "brn30055c566237.cloonar.com";
 }
 ];
@@ -62,15 +62,15 @@
 {
 pools = [
 {
- pool = "10.42.97.100 - 10.42.97.240";
+ pool = "10.42.113.100 - 10.42.113.240";
 }
 ];
- subnet = "10.42.97.0/24";
+ subnet = "10.42.113.0/24";
 interface = "server";
 option-data = [
 {
 name = "routers";
- data = "10.42.97.1";
+ data = "10.42.113.1";
 }
 {
 name = "domain-name";
@@ -78,33 +78,33 @@
 }
 {
 name = "domain-name-servers";
- data = "10.42.97.1";
+ data = "10.42.113.1";
 }
 ];
 reservations = [
 {
 hw-address = "1a:c4:04:6e:29:bd";
- ip-address = "10.42.97.2";
+ ip-address = "10.42.113.2";
 server-hostname = "omada.cloonar.com";
 }
 {
 hw-address = "02:00:00:00:00:03";
- ip-address = "10.42.97.5";
+ ip-address = "10.42.113.5";
 server-hostname = "web-02.cloonar.com";
 }
 {
 hw-address = "ea:db:d4:c1:18:ba";
- ip-address = "10.42.97.50";
+ ip-address = "10.42.113.50";
 server-hostname = "git.cloonar.com";
 }
 {
 hw-address = "c2:4f:64:dd:13:0c";
- ip-address = "10.42.97.20";
+ ip-address = "10.42.113.20";
 server-hostname = "home-assistant.cloonar.com";
 }
 {
 hw-address = "1a:c4:04:6e:29:02";
- ip-address = "10.42.97.25";
+ ip-address = "10.42.113.25";
 server-hostname = "deconz.cloonar.com";
 }
 ];
@@ -112,15 +112,15 @@
 {
 pools = [
 {
- pool = "10.42.101.100 - 10.42.101.240";
+ pool = "10.42.117.100 - 10.42.117.240";
 }
 ];
- subnet = "10.42.101.0/24";
+ subnet = "10.42.117.0/24";
 interface = "infrastructure";
 option-data = [
 {
 name = "routers";
- data = "10.42.101.1";
+ data = "10.42.117.1";
 }
 {
 name = "domain-name";
@@ -128,12 +128,12 @@
 }
 {
 name = "domain-name-servers";
- data = "10.42.101.1";
+ data = "10.42.117.1";
 }
 {
 name = "capwap-ac-v4";
 code = 138;
- data = "10.42.97.2";
+ data = "10.42.117.2";
 }
 ];
 reservations = [
@@ -142,15 +142,15 @@
 {
 pools = [
 {
- pool = "10.42.99.100 - 10.42.99.240";
+ pool = "10.42.115.100 - 10.42.115.240";
 }
 ];
- subnet = "10.42.99.0/24";
+ subnet = "10.42.115.0/24";
 interface = "multimedia";
 option-data = [
 {
 name = "routers";
- data = "10.42.99.1";
+ data = "10.42.115.1";
 }
 {
 name = "domain-name";
@@ -158,43 +158,43 @@
 }
 {
 name = "domain-name-servers";
- data = "10.42.99.1";
+ data = "10.42.115.1";
 }
 ];
 reservations = [
 {
 hw-address = "c4:a7:2b:c7:ea:30";
- ip-address = "10.42.99.10";
+ ip-address = "10.42.115.10";
 hostname = "metz.cloonar.multimedia";
 }
 {
 hw-address = "f0:2f:9e:d4:3b:21";
- ip-address = "10.42.99.11";
+ ip-address = "10.42.115.11";
 hostname = "firetv-living";
 }
 {
 hw-address = "bc:33:29:ed:24:f0";
- ip-address = "10.42.99.12";
+ ip-address = "10.42.115.12";
 hostname = "ps5";
 }
 {
 hw-address = "e4:2a:ac:32:3f:79";
- ip-address = "10.42.99.13";
+ ip-address = "10.42.115.13";
 hostname = "xbox";
 }
 {
 hw-address = "98:b6:e9:b6:ef:f4";
- ip-address = "10.42.99.14";
+ ip-address = "10.42.115.14";
 hostname = "switch";
 }
 {
 hw-address = "f0:2f:9e:c1:74:72";
- ip-address = "10.42.99.21";
+ ip-address = "10.42.115.21";
 hostname = "firetv-bedroom";
 }
 {
 hw-address = "30:05:5c:56:62:37";
- ip-address = "10.42.99.100";
+ ip-address = "10.42.115.100";
 server-hostname = "brn30055c566237";
 }
 ];
@@ -202,15 +202,15 @@
 {
 pools = [
 {
- pool = "10.42.254.10 - 10.42.254.254";
+ pool = "10.42.127.10 - 10.42.127.254";
 }
 ];
- subnet = "10.42.254.0/24";
+ subnet = "10.42.127.0/24";
 interface = "guest";
 option-data = [
 {
 name = "routers";
- data = "10.42.254.1";
+ data = "10.42.127.1";
 }
 {
 name = "domain-name-servers";
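Review bot: The `capwap-ac-v4` option on the infrastructure subnet is changed from `10.42.97.2` to `10.42.117.2`, but everywhere else in this commit `10.42.97.x` becomes `10.42.113.x`, and the `omada.cloonar.com` reservation that used to hold `10.42.97.2` is now `10.42.113.2` (the `@@ -78,33` hunk on the `server` interface); no reservation for `10.42.117.2` appears in the visible hunks. Unless the controller really moved to the infrastructure VLAN, access points will be pointed at an address nothing answers on, and `data = "10.42.113.2";` is the value consistent with the rest of the renumbering. Either way a comment such as `# omada controller; keep in sync with its reservation on the server subnet` would prevent the next renumbering from repeating this.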
@@ -221,15 +221,15 @@
 {
 pools = [
 {
- pool = "10.42.100.100 - 10.42.100.240";
+ pool = "10.42.116.100 - 10.42.116.240";
 }
 ];
- subnet = "10.42.100.0/24";
+ subnet = "10.42.116.0/24";
 interface = "smart";
 option-data = [
 {
 name = "routers";
- data = "10.42.100.1";
+ data = "10.42.116.1";
 }
 {
 name = "domain-name";
@@ -237,7 +237,7 @@
 }
 {
 name = "domain-name-servers";
- data = "10.42.100.1";
+ data = "10.42.116.1";
 }
 ];
 reservations = [
@@ -282,89 +282,89 @@
 {
 hw-address = "60:a4:23:97:4a:ec";
- ip-address = "10.42.100.21";
+ ip-address = "10.42.116.21";
 server-hostname = "shellymotionsensor-60A423974AEC";
 }
 {
 hw-address = "8c:aa:b5:61:6f:e2";
- ip-address = "10.42.100.103";
+ ip-address = "10.42.116.103";
 server-hostname = "ShellyBulbDuo-8CAAB5616FE2";
 }
 {
 hw-address = "8c:aa:b5:61:6e:9e";
- ip-address = "10.42.100.104";
+ ip-address = "10.42.116.104";
 server-hostname = "ShellyBulbDuo-8CAAB5616E9E";
 }
 {
 hw-address = "cc:50:e3:bc:27:64";
- ip-address = "10.42.100.112";
+ ip-address = "10.42.116.112";
 server-hostname = "Nuki_Bridge_1A753F72";
 }
 {
 hw-address = "e8:db:84:a9:ea:be";
- ip-address = "10.42.100.117";
+ ip-address = "10.42.116.117";
 server-hostname = "ShellyBulbDuo-E8DB84A9EABE";
 }
 {
 hw-address = "e8:db:84:a9:d1:8b";
- ip-address = "10.42.100.119";
+ ip-address = "10.42.116.119";
 server-hostname = "shellycolorbulb-E8DB84A9D18B";
 }
 {
 hw-address = "3c:61:05:e5:96:e0";
- ip-address = "10.42.100.120";
+ ip-address = "10.42.116.120";
 server-hostname = "shellycolorbulb-3C6105E596E0";
 }
 {
 hw-address = "e8:db:84:a9:d7:ef";
- ip-address = "10.42.100.121";
+ ip-address = "10.42.116.121";
 server-hostname = "shellycolorbulb-E8DB84A9D7EF";
 }
 {
 hw-address = "e8:db:84:aa:51:aa";
- ip-address = "10.42.100.122";
+ ip-address = "10.42.116.122";
 server-hostname = "shellycolorbulb-E8DB84AA51AA";
 }
 {
 hw-address = "34:94:54:79:bc:57";
- ip-address = "10.42.100.130";
+ ip-address = "10.42.116.130";
 server-hostname = "shellycolorbulb-34945479bc57";
 }
 {
 hw-address = "48:55:19:d9:a1:b2";
- ip-address = "10.42.100.131";
+ ip-address = "10.42.116.131";
 server-hostname = "shellycolorbulb-485519d9a1b2";
 }
 {
 hw-address = "48:55:19:d9:ae:95";
- ip-address = "10.42.100.132";
+ ip-address = "10.42.116.132";
 server-hostname = "shellycolorbulb-485519d9ae95";
 }
 {
 hw-address = "48:55:19:d9:4a:28";
- ip-address = "10.42.100.133";
+ ip-address = "10.42.116.133";
 server-hostname = "shellycolorbulb-485519d94a28";
 }
 {
 hw-address = 
"48:55:19:da:6b:6a"; - ip-address = "10.42.100.134"; + ip-address = "10.42.116.134"; server-hostname = "shellycolorbulb-485519da6b6a"; } { hw-address = "48:55:19:d9:e0:18"; - ip-address = "10.42.100.135"; + ip-address = "10.42.116.135"; server-hostname = "shellycolorbulb-485519d9e018"; } { hw-address = "34:6f:24:f3:af:ad"; - ip-address = "10.42.100.137"; + ip-address = "10.42.116.137"; server-hostname = "daikin86604"; } { hw-address = "34:6f:24:c1:f8:54"; - ip-address = "10.42.100.139"; + ip-address = "10.42.116.139"; server-hostname = "daikin53800"; } ]; diff --git a/hosts/fw-new.cloonar.com/modules/firefox-sync.nix b/hosts/fw-new/modules/firefox-sync.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/firefox-sync.nix rename to hosts/fw-new/modules/firefox-sync.nix diff --git a/hosts/fw-new.cloonar.com/modules/firewall.nix b/hosts/fw-new/modules/firewall.nix similarity index 80% rename from hosts/fw-new.cloonar.com/modules/firewall.nix rename to hosts/fw-new/modules/firewall.nix index 363d4fc..e8b2c25 100644 --- a/hosts/fw-new.cloonar.com/modules/firewall.nix +++ b/hosts/fw-new/modules/firewall.nix 
@@ -32,13 +32,13 @@
 iifname "wan" udp dport 51820 counter accept comment "Wireguard traffic"
 iifname "wan" tcp dport 9273 counter accept comment "Prometheus traffic"
 iifname "lan" tcp dport 5931 counter accept comment "Spice"
- iifname { "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router"
+ iifname { "wan", "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router"
 iifname { "multimedia", "smart", "infrastructure", "podman0" } udp dport { 53, 5353 } counter accept comment "DNS"
 iifname { "wan", "multimedia" } icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
 # Accept mDNS for avahi reflection
- iifname "server" ip saddr 10.42.97.20/32 tcp dport { llmnr } counter accept
- iifname "server" ip saddr 10.42.97.20/32 udp dport { mdns, llmnr } counter accept
+ iifname "server" ip saddr 10.42.113.20/32 tcp dport { llmnr } counter accept
+ iifname "server" ip saddr 10.42.113.20/32 udp dport { mdns, llmnr } counter accept
 # Allow all returning traffic
 ct state { established, related } counter accept
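Review bot: Adding `"wan"` to the `allow trusted to router` accept lets any Internet source reach every service listening on the router itself, which makes the explicit per-port `wan` accepts just above it (51820, 9273) and the ICMP type filter below it meaningless while the line stands. Since the same commit comments out the wan port-22 `dnat` in the prerouting chain and configuration.nix keeps `services.openssh.enable = true` with root authorized keys, WAN port 22 presumably now terminates on the router's own sshd. The `# TODO: disable wan when finished` comment in the forward chain suggests this is meant to be temporary; if so, keep `"wan"` out of the set and add only the ports actually needed, and if it must stay for now mark the line, e.g. `# TEMPORARY: wan accepted unrestricted, remove before the host goes into service`. The nftables ruleset string continues outside the hunk.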
@@ -81,15 +81,15 @@
 iifname "multimedia" oifname "server" tcp dport { 1704, 1705 } counter accept
 iifname "lan" oifname "server" udp dport { 5000, 5353, 6001 - 6011 } counter accept
 # avahi
- iifname "server" ip saddr 10.42.97.20/32 oifname { "lan" } counter accept
+ iifname "server" ip saddr 10.42.113.20/32 oifname { "lan" } counter accept
 # smart home coap
- iifname "smart" oifname "server" ip daddr 10.42.97.20/32 udp dport { 5683 } counter accept
- iifname "smart" oifname "server" ip daddr 10.42.97.20/32 tcp dport { 1883 } counter accept
+ iifname "smart" oifname "server" ip daddr 10.42.113.20/32 udp dport { 5683 } counter accept
+ iifname "smart" oifname "server" ip daddr 10.42.113.20/32 tcp dport { 1883 } counter accept
 # Forward to git server
- oifname "server" ip daddr 10.42.97.50 tcp dport { 22 } counter accept
- oifname "server" ip daddr 10.42.97.5 tcp dport { 80, 443 } counter accept
+ oifname "server" ip daddr 10.42.113.50 tcp dport { 22 } counter accept
+ oifname "server" ip daddr 10.42.113.5 tcp dport { 80, 443 } counter accept
 # lan and vpn to any
 # TODO: disable wan when finished
@@ -101,11 +101,11 @@
 # accept palword server
 iifname { "wan", "lan" } oifname "podman0" udp dport { 8211, 27015 } counter accept comment "palworld"
 # forward to ark server
- oifname "server" ip daddr 10.42.97.201 tcp dport { 27020 } counter accept comment "ark survival evolved"
- oifname "server" ip daddr 10.42.97.201 udp dport { 7777, 7778, 27015 } counter accept comment "ark survival evolved"
+ oifname "server" ip daddr 10.42.113.201 tcp dport { 27020 } counter accept comment "ark survival evolved"
+ oifname "server" ip daddr 10.42.113.201 udp dport { 7777, 7778, 27015 } counter accept comment "ark survival evolved"
 # firefox-sync
- oifname "server" ip daddr 10.42.97.51 tcp dport { 5000 } counter accept comment "firefox-sync"
+ oifname "server" ip daddr 10.42.113.51 tcp dport { 5000 } counter accept comment "firefox-sync"
 # allow all established, related
 ct state { established, related } accept comment "Allow established traffic"
@@ -137,20 +137,20 @@
 chain prerouting {
 type nat hook prerouting priority filter; policy accept;
 iifname "server" ip daddr 10.42.96.255 udp dport { 9 } dnat to 10.42.96.255
- iifname "wan" tcp dport { 22 } dnat to 10.42.97.50
- iifname "wan" tcp dport { 80, 443 } dnat to 10.42.97.5
- iifname "wan" tcp dport { 5000 } dnat to 10.42.97.51
- iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to 10.42.97.201
- iifname { "wan", "lan" } tcp dport { 27020 } dnat to 10.42.97.201
+ # iifname "wan" tcp dport { 22 } dnat to 10.42.113.50
+ iifname "wan" tcp dport { 80, 443 } dnat to 10.42.113.5
+ iifname "wan" tcp dport { 5000 } dnat to 10.42.113.51
+ iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to 10.42.113.201
+ iifname { "wan", "lan" } tcp dport { 27020 } dnat to 10.42.113.201
 }
 # Setup NAT masquerading on external interfaces
 chain postrouting {
 type nat hook postrouting priority filter; policy accept;
 oifname { "wan", "wg_cloonar", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
- iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.50 masquerade
- iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.51 masquerade
- iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.201 masquerade
+ iifname { "wan", "wg_cloonar" } ip daddr 10.42.113.50 masquerade
+ iifname { "wan", "wg_cloonar" } ip daddr 10.42.113.51 masquerade
+ iifname { "wan", "wg_cloonar" } ip daddr 10.42.113.201 masquerade
 }
 '';
 };
diff --git a/hosts/fw-new.cloonar.com/modules/fwmetrics.nix b/hosts/fw-new/modules/fwmetrics.nix
similarity index 100%
rename from hosts/fw-new.cloonar.com/modules/fwmetrics.nix
rename to hosts/fw-new/modules/fwmetrics.nix
diff --git a/hosts/fw-new/modules/gitea-vm.nix b/hosts/fw-new/modules/gitea-vm.nix
new file mode 100644
index 0000000..8be9112
--- /dev/null
+++ b/hosts/fw-new/modules/gitea-vm.nix
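Review bot: The unchanged context line `iifname "server" ip daddr 10.42.96.255 udp dport { 9 } dnat to 10.42.96.255` still names the old lan broadcast address while the lan subnet is renumbered from 10.42.96.0/24 to 10.42.112.0/24 in dhcp4.nix in this same commit, so this rule (presumably the Wake-on-LAN relay) now points at a subnet the router no longer serves; if the renumbering is meant to apply it should read `iifname "server" ip daddr 10.42.112.255 udp dport { 9 } dnat to 10.42.112.255`. Separately, the wan port-22 `dnat` is commented out but the matching `oifname "server" ip daddr 10.42.113.50 tcp dport { 22 }` forward accept (`@@ -81,15` hunk) and the `ip daddr 10.42.113.50 masquerade` line below remain, leaving a half-removed forwarding path; either drop those too or leave a comment on the commented `dnat` saying why SSH to the git VM is no longer forwarded. The ruleset string begins outside the hunk.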
@@ -0,0 +1,175 @@ +{ config, nixpkgs, pkgs, ... }: let + hostname = "git"; + json = pkgs.formats.json { }; + pkgs-with-gitea = import (builtins.fetchGit { + name = "new-gitea"; + url = "https://github.com/nixos/nixpkgs/"; + rev = "159be5db480d1df880a0135ca0bfed84c2f88353"; + }) {}; +in { + microvm.vms = { + gitea = { + config = { + microvm = { + hypervisor = "cloud-hypervisor"; + shares = [ + { + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + tag = "ro-store"; + proto = "virtiofs"; + } + { + source = "/var/lib/acme/git.cloonar.com"; + mountPoint = "/var/lib/acme/${hostname}.cloonar.com"; + tag = "ro-cert"; + proto = "virtiofs"; + } + ]; + interfaces = [ + { + type = "tap"; + id = "vm-${hostname}"; + mac = "02:00:00:00:00:01"; + } + ]; + }; + + imports = [ + ../fleet.nix + ]; + + environment.systemPackages = with pkgs; [ + vim # my preferred editor + ]; + + networking = { + hostName = hostname; + firewall = { + enable = true; + allowedTCPPorts = [ 22 80 443 ]; + }; + }; + + services.nginx.enable = true; + services.nginx.virtualHosts."${hostname}.cloonar.com" = { + sslCertificate = "/var/lib/acme/${hostname}.cloonar.com/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/${hostname}.cloonar.com/key.pem"; + sslTrustedCertificate = "/var/lib/acme/${hostname}.cloonar.com/chain.pem"; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:3001/"; + }; + }; + + services.gitea = { + enable = true; + package = pkgs-with-gitea.gitea; + appName = "Cloonar Gitea server"; # Give the site a name + settings = { + server = { + ROOT_URL = "https://${hostname}.cloonar.com/"; + HTTP_PORT = 3001; + DOMAIN = "${hostname}.cloonar.com"; + }; + openid = { + ENABLE_OPENID_SIGNIN = true; + ENABLE_OPENID_SIGNUP = true; + WHITELISTED_URIS = "auth.cloonar.com"; + }; + service = { + DISABLE_REGISTRATION = true; + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; + SHOW_REGISTRATION_BUTTON = false; + }; + actions.ENABLED=true; + }; + }; + + services.openssh.enable = true; + 
users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius" + ]; + + system.stateVersion = "22.05"; + }; + }; + + gitea-runner = { + config = { + microvm = { + mem = 12288; + shares = [ + { + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + tag = "ro-store"; + proto = "virtiofs"; + } + { + source = "/run/secrets"; + mountPoint = "/run/secrets"; + tag = "ro-token"; + proto = "virtiofs"; + } + ]; + volumes = [ + { + image = "rootfs.img"; + mountPoint = "/"; + size = 102400; + } + ]; + interfaces = [ + { + type = "tap"; + id = "vm-gitea-runner"; + mac = "02:00:00:00:00:02"; + } + ]; + }; + + environment.systemPackages = with pkgs; [ + vim # my preferred editor + ]; + + networking.hostName = "gitea-runner"; + + virtualisation.podman.enable = true; + + services.gitea-actions-runner.instances.vm = { + enable = true; + url = "https://git.cloonar.com"; + name = "vm"; + tokenFile = "/run/secrets/gitea-runner-token"; + labels = [ + "ubuntu-latest:docker://shivammathur/node:latest" + ]; + settings = { + container = { + network = "podman"; + }; + }; + }; + + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius" + ]; + + system.stateVersion = "22.05"; + }; + }; + }; + + sops.secrets.gitea-runner-token = {}; + + environment = { + systemPackages = [ + pkgs.qemu + pkgs.quickemu + ]; + }; +} diff --git a/hosts/fw-new.cloonar.com/modules/gitea.nix b/hosts/fw-new/modules/gitea.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/gitea.nix rename to hosts/fw-new/modules/gitea.nix diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/3dprinter.nix b/hosts/fw-new/modules/home-assistant/3dprinter.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/3dprinter.nix rename to hosts/fw-new/modules/home-assistant/3dprinter.nix diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/ac.nix b/hosts/fw-new/modules/home-assistant/ac.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/ac.nix rename to hosts/fw-new/modules/home-assistant/ac.nix diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/battery.nix b/hosts/fw-new/modules/home-assistant/battery.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/battery.nix rename to hosts/fw-new/modules/home-assistant/battery.nix diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/default.nix b/hosts/fw-new/modules/home-assistant/default.nix similarity index 83% rename from hosts/fw-new.cloonar.com/modules/home-assistant/default.nix rename to hosts/fw-new/modules/home-assistant/default.nix index 5f0bc3d..ab5cc6e 100644 
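Review bot: The runner VM mounts the host's whole `/run/secrets` directory (`source = "/run/secrets"; mountPoint = "/run/secrets"; tag = "ro-token"`) although the only file it uses is `tokenFile = "/run/secrets/gitea-runner-token"`, so every other sops secret on the firewall host becomes readable from the VM that executes CI jobs. Give the token its own directory and share only that, e.g. `sops.secrets.gitea-runner-token.path = "/run/secrets-gitea-runner/token";` on the host plus `source = "/run/secrets-gitea-runner"; mountPoint = "/run/secrets-gitea-runner";` in the share, with `tokenFile` adjusted to match. The label `"ubuntu-latest:docker://shivammathur/node:latest"` pulls an unpinned third-party image; pin a tag or digest so job environments stay reproducible. The two root `authorizedKeys` entries are pasted verbatim into both VMs and would be better hoisted into a `let` binding next to `hostname`. The `gitea` VM declares no `volumes`, so unless `/var/lib/gitea` is persisted somewhere not shown here its repositories and database live on the VM's root filesystem and may not survive a restart — worth confirming.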
--- a/hosts/fw-new.cloonar.com/modules/home-assistant/default.nix +++ b/hosts/fw-new/modules/home-assistant/default.nix @@ -1,6 +1,12 @@ { config, pkgs, ... }: let domain = "home-assistant.cloonar.com"; + release2405 = import { config = config.nixpkgs.config; }; + pkgs-with-home-assistant = import (builtins.fetchGit { + name = "new-home-assistant"; + url = "https://github.com/nixos/nixpkgs/"; + rev = "268bb5090a3c6ac5e1615b38542a868b52ef8088"; + }) {}; in { users.users.hass = { @@ -30,26 +36,26 @@ in ephemeral = false; privateNetwork = true; hostBridge = "server"; - hostAddress = "10.42.97.1"; - localAddress = "10.42.97.20/24"; + hostAddress = "10.42.113.1"; + localAddress = "10.42.113.20/24"; extraFlags = [ "--capability=CAP_NET_ADMIN" ]; - allowedDevices = [ - { - modifier = "rwm"; - node = "char-usb_device"; - } - { - modifier = "rwm"; - node = "char-ttyUSB"; - } - ]; + # allowedDevices = [ + # { + # modifier = "rwm"; + # node = "char-usb_device"; + # } + # { + # modifier = "rwm"; + # node = "char-ttyUSB"; + # } + # ]; bindMounts = { - "/dev/ttyUSB0" = { - hostPath = "/dev/ttyUSB0"; - isReadOnly = false; - }; + # "/dev/ttyUSB0" = { + # hostPath = "/dev/ttyUSB0"; + # isReadOnly = false; + # }; "/etc/localtime" = { hostPath = "/etc/localtime"; }; @@ -104,6 +110,7 @@ in environment.systemPackages = [ pkgs.wol + pkgs.mariadb ]; services.nginx.enable = true; @@ -127,6 +134,7 @@ in }; services.home-assistant = { + package = pkgs-with-home-assistant.home-assistant; enable = true; }; @@ -140,6 +148,17 @@ in "tplink_omada" ]; + services.mysql = { + enable = true; + package = pkgs.mariadb; + ensureDatabases = [ "hass" ]; + }; + + services.mysqlBackup = { + enable = true; + databases = [ "hass" ]; + }; + services.home-assistant.config = let hiddenEntities = [ @@ -148,6 +167,9 @@ in ]; in { + recorder = { + db_url = "mysql://hass@localhost/hass?unix_socket=/var/run/mysqld/mysqld.sock"; + }; homeassistant = { name = "Home"; latitude = "!secret home_latitude"; 
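Review bot: `release2405 = import { config = config.nixpkgs.config; };` is not valid Nix as displayed — `import` needs a path argument, so presumably an angle-bracket lookup path (`<…>`) was stripped when this diff was rendered; the binding is also not referenced in any of this file's visible hunks. If it is unused, drop it; if it is meant to pin a channel, prefer a `builtins.fetchGit` with an explicit `rev` like the `pkgs-with-home-assistant` binding directly below it, so evaluation does not depend on `NIX_PATH`. The `let` block ends inside the hunk, but the module body continues outside it.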
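Review bot: The recorder connects as the `hass` user over the MariaDB socket (`db_url = "mysql://hass@localhost/hass?unix_socket=/var/run/mysqld/mysqld.sock"`), but the `services.mysql` hunk only sets `ensureDatabases = [ "hass" ]` and creates no database user, so unless `hass` is granted elsewhere the recorder has no account to authenticate with. Adding `ensureUsers = [ { name = "hass"; ensurePermissions = { "hass.*" = "ALL PRIVILEGES"; }; } ];` beside `ensureDatabases` creates the socket-authenticated user that matches the `users.users.hass` account declared at the top of this file. In the container hunk, `allowedDevices` and the `/dev/ttyUSB0` bind mount are commented out rather than removed; if the USB passthrough is only temporarily disabled, a one-line comment saying why and what must be re-enabled would be better than silent dead config. The container definition those lines belong to starts outside the hunk.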
diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/electricity.nix b/hosts/fw-new/modules/home-assistant/electricity.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/electricity.nix rename to hosts/fw-new/modules/home-assistant/electricity.nix diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/enocean.nix b/hosts/fw-new/modules/home-assistant/enocean.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/enocean.nix rename to hosts/fw-new/modules/home-assistant/enocean.nix diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/ldap.nix b/hosts/fw-new/modules/home-assistant/ldap.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/ldap.nix rename to hosts/fw-new/modules/home-assistant/ldap.nix diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/light.nix b/hosts/fw-new/modules/home-assistant/light.nix similarity index 95% rename from hosts/fw-new.cloonar.com/modules/home-assistant/light.nix rename to hosts/fw-new/modules/home-assistant/light.nix index d81a50d..1ef7acb 100644 --- a/hosts/fw-new.cloonar.com/modules/home-assistant/light.nix +++ b/hosts/fw-new/modules/home-assistant/light.nix @@ -370,6 +370,7 @@ { platform = "group"; name = "Livingroom Lights"; + all = true; entities = [ "light.livingroom_switch" "light.living_bulb_1" @@ -380,6 +381,23 @@ "light.living_bulb_6" ]; } + { + platform = "switch"; + name = "Bedroom Switch"; + entity_id = "switch.bedroom_switch"; + } + { + platform = "group"; + name = "Bedroom Lights"; + all = true; + entities = [ + "light.bedroom_switch" + "light.bedroom_bulb_1" + "light.bedroom_bulb_2" + "light.bedroom_bulb_3" + "light.bedroom_bulb_4" + ]; + } ]; }; } 
diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/locks.nix b/hosts/fw-new/modules/home-assistant/locks.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/locks.nix rename to hosts/fw-new/modules/home-assistant/locks.nix diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/multimedia.nix b/hosts/fw-new/modules/home-assistant/multimedia.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/multimedia.nix rename to hosts/fw-new/modules/home-assistant/multimedia.nix diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/music.nix b/hosts/fw-new/modules/home-assistant/music.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/music.nix rename to hosts/fw-new/modules/home-assistant/music.nix diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/notify.nix b/hosts/fw-new/modules/home-assistant/notify.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/notify.nix rename to hosts/fw-new/modules/home-assistant/notify.nix diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/pc.nix b/hosts/fw-new/modules/home-assistant/pc.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/pc.nix rename to hosts/fw-new/modules/home-assistant/pc.nix diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/presense.nix b/hosts/fw-new/modules/home-assistant/presense.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/presense.nix rename to hosts/fw-new/modules/home-assistant/presense.nix diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/pushover.nix b/hosts/fw-new/modules/home-assistant/pushover.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/pushover.nix rename to hosts/fw-new/modules/home-assistant/pushover.nix 
diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/roborock.nix b/hosts/fw-new/modules/home-assistant/roborock.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/roborock.nix rename to hosts/fw-new/modules/home-assistant/roborock.nix diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/scene-switch.nix b/hosts/fw-new/modules/home-assistant/scene-switch.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/scene-switch.nix rename to hosts/fw-new/modules/home-assistant/scene-switch.nix diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/shelly.nix b/hosts/fw-new/modules/home-assistant/shelly.nix similarity index 79% rename from hosts/fw-new.cloonar.com/modules/home-assistant/shelly.nix rename to hosts/fw-new/modules/home-assistant/shelly.nix index af556c3..f2f54f9 100644 --- a/hosts/fw-new.cloonar.com/modules/home-assistant/shelly.nix +++ b/hosts/fw-new/modules/home-assistant/shelly.nix 
@@ -7,17 +7,21 @@ let { name = "Living Bulb 4"; id = "485519D94A28"; } { name = "Living Bulb 5"; id = "485519DA6B6A"; } { name = "Living Bulb 6"; id = "485519D9E018"; } + { name = "Bedroom Bulb 1"; id = "08f9e06f4eb4"; } + { name = "Bedroom Bulb 2"; id = "485519ee0ed9"; } + { name = "Bedroom Bulb 3"; id = "08f9e06fe779"; } + { name = "Bedroom Bulb 4"; id = "485519ee00a0"; } ]; - switches = [ - { name = "Kitchen Switch"; id = "483FDA8274C2"; relay = "0"; } - { name = "Livingroom Switch"; id = "483FDA8274C2"; relay = "1"; } - ]; + switches = []; proswitches = [ - { name = "Hallway Circuit"; id = "c8f09e894448"; relay = "0"; } - { name = "Bathroom Circuit"; id = "c8f09e894448"; relay = "1"; } - { name = "Kitchen Circuit"; id = "c8f09e894448"; relay = "2"; } + { name = "Livingroom Switch"; id = "shellyplus2pm-e86beae5d5d8"; relay = "0"; } + { name = "Kitchen Switch"; id = "shellyplus2pm-e86beae5d5d8"; relay = "1"; } + { name = "Bedroom Switch"; id = "shelly1pmminig3-34b7da933fe0"; relay = "0"; } + { name = "Hallway Circuit"; id = "shellypro3-c8f09e894448"; relay = "0"; } + { name = "Bathroom Circuit"; id = "shellypro3-c8f09e894448"; relay = "1"; } + { name = "Kitchen Circuit"; id = "shellypro3-c8f09e894448"; relay = "2"; } ]; in { services.home-assistant.extraComponents = [ 
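Review bot: The `proswitches` entries now carry the full Shelly device id (`shellyplus2pm-…`, `shellypro3-…`) while the bulb entries above keep bare ids such as `485519D9E018`; that the two formats mean different things only becomes clear from the template hunk below, where the `shellypro3-` prefix was dropped from the MQTT topics. A comment on the list would save the next reader that cross-reference, e.g. `# proswitches: id is the complete Shelly device id (model-mac) and is used verbatim as the MQTT topic prefix`. `switches = [];` is left as an empty list instead of being removed; if nothing consumes it any more it is dead, otherwise a comment on why it is kept would help. The `let` block these lists belong to continues outside the hunk.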
@@ -45,14 +49,14 @@ in { in { name = switch.name; unique_id = unique_id; - state_topic = "shellies/shellypro3-${switch.id}/status/switch:${switch.relay}"; + state_topic = "shellies/${switch.id}/status/switch:${switch.relay}"; value_template = "{{ value_json.output }}"; state_on = true; state_off = false; - command_topic = "shellies/shellypro3-c8f09e894448/rpc"; + command_topic = "shellies/${switch.id}/rpc"; payload_on = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":true}}"; payload_off = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":false}}"; - availability_topic = "shellies/shellypro3-${switch.id}/online"; + availability_topic = "shellies/${switch.id}/online"; payload_available = "true"; payload_not_available = "false"; } diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/sleep.nix b/hosts/fw-new/modules/home-assistant/sleep.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/sleep.nix rename to hosts/fw-new/modules/home-assistant/sleep.nix diff --git a/hosts/fw-new.cloonar.com/modules/home-assistant/snapcast.nix b/hosts/fw-new/modules/home-assistant/snapcast.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/home-assistant/snapcast.nix rename to hosts/fw-new/modules/home-assistant/snapcast.nix diff --git a/hosts/fw-new.cloonar.com/modules/microvm.nix b/hosts/fw-new/modules/microvm.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/microvm.nix rename to hosts/fw-new/modules/microvm.nix diff --git a/hosts/fw-new.cloonar.com/modules/mopidy.nix b/hosts/fw-new/modules/mopidy.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/mopidy.nix rename to hosts/fw-new/modules/mopidy.nix 
diff --git a/hosts/fw-new.cloonar.com/modules/mosquitto.nix b/hosts/fw-new/modules/mosquitto.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/mosquitto.nix rename to hosts/fw-new/modules/mosquitto.nix diff --git a/hosts/fw-new.cloonar.com/modules/networking.nix b/hosts/fw-new/modules/networking.nix similarity index 71% rename from hosts/fw-new.cloonar.com/modules/networking.nix rename to hosts/fw-new/modules/networking.nix index 97658c7..15f574a 100644 --- a/hosts/fw-new.cloonar.com/modules/networking.nix +++ b/hosts/fw-new/modules/networking.nix @@ -11,13 +11,9 @@ wait-online.anyInterface = true; links = { "10-wan" = { - matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c1"; + matchConfig.PermanentMACAddress = "c0:74:2b:fd:9a:7f"; linkConfig.Name = "wan"; }; - "20-lan" = { - matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c2"; - linkConfig.Name = "lan"; - }; }; netdevs = { "30-server".netdevConfig = { 
@@ -40,48 +36,42 @@ nameservers = [ "10.42.97.1" ]; # resolvconf.enable = false; vlans = { - infrastructure = { - id = 101; - interface = "enp5s0"; + lan = { + id = 95; + interface = "enP3p49s0"; }; vserver = { id = 97; - interface = "enp5s0"; + interface = "enP3p49s0"; }; multimedia = { - id = 99; - interface = "enp5s0"; + id = 98; + interface = "enP3p49s0"; }; smart = { - id = 100; - interface = "enp5s0"; + id = 99; + interface = "enP3p49s0"; + }; + infrastructure = { + id = 100; + interface = "enP3p49s0"; }; guest = { - id = 254; - interface = "enp5s0"; + id = 111; + interface = "enP3p49s0"; }; }; - # macvlans.server = { - # interface = "vserver"; - # mode = "bridge"; - # }; - # bridges = { - # server = { - # interfaces = [ "vserver" ]; - # }; - # }; interfaces = { # Don't request DHCP on the physical interfaces lan.useDHCP = false; - enp4s0.useDHCP = false; - enp5s0.useDHCP = false; + enP3p49s0.useDHCP = false; # Handle the VLANs wan.useDHCP = true; lan = { ipv4.addresses = [{ - address = "10.42.96.1"; + address = "10.42.95.1"; prefixLength = 24; }]; }; @@ -91,19 +81,19 @@ prefixLength = 24; }]; }; - infrastructure = { + multimedia = { ipv4.addresses = [{ - address = "10.42.101.1"; + address = "10.42.98.1"; prefixLength = 24; }]; }; - multimedia = { + smart = { ipv4.addresses = [{ address = "10.42.99.1"; prefixLength = 24; }]; }; - smart = { + infrastructure = { ipv4.addresses = [{ address = "10.42.100.1"; prefixLength = 24; @@ -111,7 +101,7 @@ }; guest = { ipv4.addresses = [{ - address = "10.42.254.1"; + address = "10.42.111.1"; prefixLength = 24; }]; }; diff --git a/hosts/fw-new.cloonar.com/modules/omada.nix b/hosts/fw-new/modules/omada.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/omada.nix rename to hosts/fw-new/modules/omada.nix 
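Review bot: The comment `# Don't request DHCP on the physical interfaces` now sits above `lan.useDHCP = false;`, but in this revision `lan` is the VLAN 95 sub-interface on `enP3p49s0`, not a physical port; only `enP3p49s0.useDHCP = false;` belongs under that comment. Move `lan.useDHCP = false;` below `# Handle the VLANs` or reword the comment to match the new layout. The VLAN ids and subnets were reshuffled at once (multimedia 99→98, smart 100→99, infrastructure 101→100, guest 254→111), so a short id ↔ subnet table comment next to `vlans` would make the next renumbering less error-prone. The unchanged `nameservers = [ "10.42.97.1" ];` at the top of the hunk deserves a second look given the other 10.42.97.x → 10.42.113.x moves in this commit. The enclosing `networking` attribute set begins outside the hunk.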
diff --git a/hosts/fw-new.cloonar.com/modules/openconnect.nix b/hosts/fw-new/modules/openconnect.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/openconnect.nix rename to hosts/fw-new/modules/openconnect.nix diff --git a/hosts/fw-new.cloonar.com/modules/palworld.nix b/hosts/fw-new/modules/palworld.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/palworld.nix rename to hosts/fw-new/modules/palworld.nix diff --git a/hosts/fw-new.cloonar.com/modules/podman.nix b/hosts/fw-new/modules/podman.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/podman.nix rename to hosts/fw-new/modules/podman.nix diff --git a/hosts/fw-new.cloonar.com/modules/postgresql.nix b/hosts/fw-new/modules/postgresql.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/postgresql.nix rename to hosts/fw-new/modules/postgresql.nix diff --git a/hosts/fw-new.cloonar.com/modules/snapserver.nix b/hosts/fw-new/modules/snapserver.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/snapserver.nix rename to hosts/fw-new/modules/snapserver.nix diff --git a/hosts/fw-new.cloonar.com/modules/staticids.nix b/hosts/fw-new/modules/staticids.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/staticids.nix rename to hosts/fw-new/modules/staticids.nix diff --git a/hosts/fw-new.cloonar.com/modules/sysbox.nix b/hosts/fw-new/modules/sysbox.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/sysbox.nix rename to hosts/fw-new/modules/sysbox.nix diff --git a/hosts/fw-new.cloonar.com/modules/unbound.nix b/hosts/fw-new/modules/unbound.nix similarity index 75% rename from hosts/fw-new.cloonar.com/modules/unbound.nix rename to hosts/fw-new/modules/unbound.nix index 975b394..e47c43d 100644 --- a/hosts/fw-new.cloonar.com/modules/unbound.nix +++ b/hosts/fw-new/modules/unbound.nix 
@@ -259,81 +259,81 @@ in { enable = true; settings = cfg; }; - systemd.services.unbound-sync = { - enable = true; - path = with pkgs; [ unbound inotify-tools ]; - script = '' - function readFile() { - if [[ "''\$2" == "A" ]] ; then - cat "''\$1" | tail -n +2 | while IFS=, read -r address hwaddr client_id valid_lifetime expire subnet_id fqdn_fwd fqdn_rev hostname state user_context - do - echo "''\${address},''\${hostname}" - done - else - cat "''\$1" | tail -n +2 | while IFS=, read -r address duid valid_lifetime expire subnet_id pref_lifetime lease_type iaid prefix_len fqdn_fwd fqdn_rev hostname hwaddr state user_context hwtype hwaddr_source - do - echo "''\${address},''\${hostname}" - done - fi - } - - function readFileUnique() { - readFile "''\$1" ''\$2 | uniq | while IFS=, read -r address hostname - do - if echo "''\${1}" | grep -Eq '.*\.(cloonar.com|cloonar.multimedia|cloonar.smart)'; then - echo ''\${hostname} ''\$2 ''\${address} - unbound-control local_data ''\${hostname} ''\$2 ''\${address} - if [[ "''\$2" == "A" ]] ; then - echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3 - do - unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname} - unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname} - done - fi - else - if [[ "''\$2" == "A" ]] ; then - echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3 - do - if [[ "''\${hostname}" != "" ]]; then - domain=cloonar.com - if [[ "''\${ip2}" == 99 ]]; then - domain=cloonar.multimedia - fi - if [[ "''\${ip2}" == 100 ]]; then - domain=cloonar.smart - fi - if [[ "''\${hostname}" != *. ]]; then - unbound-control local_data ''\${hostname}.''\${domain} ''\$2 ''\${address} - else - unbound-control local_data ''\${hostname}''\${domain} ''\$2 ''\${address} - fi - - fi - unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. 
PTR ''\${hostname} - unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname} - done - fi - fi - done - } - - function syncFile() { - # readFileUnique "''\$1" "''\$2" - while true; do - readFileUnique "''\$1" "''\$2" - sleep 10 - done - } - - syncFile "/var/lib/kea/dhcp4.leases" A & - # syncFile "/var/lib/kea/dhcp6.leases" AAAA & - wait - ''; - wants = [ "network-online.target" "unbound.service" ]; - after = [ "network-online.target" "unbound.service" ]; - partOf = [ "unbound.service" ]; - wantedBy = [ "multi-user.target" ]; - }; + # systemd.services.unbound-sync = { + # enable = true; + # path = with pkgs; [ unbound inotify-tools ]; + # script = '' + # function readFile() { + # if [[ "''\$2" == "A" ]] ; then + # cat "''\$1" | tail -n +2 | while IFS=, read -r address hwaddr client_id valid_lifetime expire subnet_id fqdn_fwd fqdn_rev hostname state user_context + # do + # echo "''\${address},''\${hostname}" + # done + # else + # cat "''\$1" | tail -n +2 | while IFS=, read -r address duid valid_lifetime expire subnet_id pref_lifetime lease_type iaid prefix_len fqdn_fwd fqdn_rev hostname hwaddr state user_context hwtype hwaddr_source + # do + # echo "''\${address},''\${hostname}" + # done + # fi + # } + # + # function readFileUnique() { + # readFile "''\$1" ''\$2 | uniq | while IFS=, read -r address hostname + # do + # if echo "''\${1}" | grep -Eq '.*\.(cloonar.com|cloonar.multimedia|cloonar.smart)'; then + # echo ''\${hostname} ''\$2 ''\${address} + # unbound-control local_data ''\${hostname} ''\$2 ''\${address} + # if [[ "''\$2" == "A" ]] ; then + # echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3 + # do + # unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname} + # unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname} + # done + # fi + # else + # if [[ "''\$2" == "A" ]] ; then + # echo ''\${address} | while IFS=. 
read -r ip0 ip1 ip2 ip3 + # do + # if [[ "''\${hostname}" != "" ]]; then + # domain=cloonar.com + # if [[ "''\${ip2}" == 99 ]]; then + # domain=cloonar.multimedia + # fi + # if [[ "''\${ip2}" == 100 ]]; then + # domain=cloonar.smart + # fi + # if [[ "''\${hostname}" != *. ]]; then + # unbound-control local_data ''\${hostname}.''\${domain} ''\$2 ''\${address} + # else + # unbound-control local_data ''\${hostname}''\${domain} ''\$2 ''\${address} + # fi + # + # fi + # unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname} + # unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname} + # done + # fi + # fi + # done + # } + # + # function syncFile() { + # # readFileUnique "''\$1" "''\$2" + # while true; do + # readFileUnique "''\$1" "''\$2" + # sleep 10 + # done + # } + # + # syncFile "/var/lib/kea/dhcp4.leases" A & + # # syncFile "/var/lib/kea/dhcp6.leases" AAAA & + # wait + # ''; + # wants = [ "network-online.target" "unbound.service" ]; + # after = [ "network-online.target" "unbound.service" ]; + # partOf = [ "unbound.service" ]; + # wantedBy = [ "multi-user.target" ]; + # }; networking.firewall.allowedUDPPorts = [ 53 5353 ]; } diff --git a/hosts/fw-new.cloonar.com/modules/update-containers.nix b/hosts/fw-new/modules/update-containers.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/update-containers.nix rename to hosts/fw-new/modules/update-containers.nix diff --git a/hosts/fw-new.cloonar.com/modules/web/default.nix b/hosts/fw-new/modules/web/default.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/web/default.nix rename to hosts/fw-new/modules/web/default.nix diff --git a/hosts/fw-new.cloonar.com/modules/web/proxies.nix b/hosts/fw-new/modules/web/proxies.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/web/proxies.nix rename to hosts/fw-new/modules/web/proxies.nix 
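Review bot: The whole `unbound-sync` service is commented out line by line (roughly 80 lines) instead of being removed; git already keeps the old version, and the commented copy will rot in place — its `ip2 == 99` → `cloonar.multimedia` / `ip2 == 100` → `cloonar.smart` mapping already no longer matches the VLAN renumbering in this same commit (multimedia is now 98, smart 99). Delete the block, or if it is meant to come back, replace it with a short pointer such as `# unbound-sync (kea lease → unbound local_data) disabled; see git history, needs the new VLAN ids before re-enabling`. The enclosing `in {` attribute set starts outside the hunk.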
diff --git a/hosts/fw-new.cloonar.com/modules/web/secrets.yaml b/hosts/fw-new/modules/web/secrets.yaml similarity index 100% rename from hosts/fw-new.cloonar.com/modules/web/secrets.yaml rename to hosts/fw-new/modules/web/secrets.yaml diff --git a/hosts/fw-new.cloonar.com/modules/web/zammad.nix b/hosts/fw-new/modules/web/zammad.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/web/zammad.nix rename to hosts/fw-new/modules/web/zammad.nix diff --git a/hosts/fw-new.cloonar.com/modules/wireguard.nix b/hosts/fw-new/modules/wireguard.nix similarity index 92% rename from hosts/fw-new.cloonar.com/modules/wireguard.nix rename to hosts/fw-new/modules/wireguard.nix index 8420bc4..ff24934 100644 --- a/hosts/fw-new.cloonar.com/modules/wireguard.nix +++ b/hosts/fw-new/modules/wireguard.nix @@ -8,18 +8,18 @@ networking.wireguard.interfaces = { wg_cloonar = { - ips = [ "10.42.98.1/24" ]; + ips = [ "10.42.114.1/24" ]; listenPort = 51820; # publicKey: TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q= privateKeyFile = config.sops.secrets.wg_cloonar_key.path; peers = [ { # Notebook publicKey = "YdlRGsjh4hS3OMJI+t6SZ2eGXKbs0wZBXWudHW4NyS8="; - allowedIPs = [ "10.42.98.201/32" ]; + allowedIPs = [ "10.42.114.201/32" ]; } { # iPhone publicKey = "nkm10abmwt2G8gJXnpqel6QW5T8aSaxiqqGjE8va/A0="; - allowedIPs = [ "10.42.98.202/32" ]; + allowedIPs = [ "10.42.114.202/32" ]; } ]; }; diff --git a/hosts/fw-new.cloonar.com/modules/wol.nix b/hosts/fw-new/modules/wol.nix similarity index 100% rename from hosts/fw-new.cloonar.com/modules/wol.nix rename to hosts/fw-new/modules/wol.nix diff --git a/hosts/fw-new.cloonar.com/pkgs/kernel/rk35xx_vendor_config b/hosts/fw-new/pkgs/kernel/rk35xx_vendor_config similarity index 100% rename from hosts/fw-new.cloonar.com/pkgs/kernel/rk35xx_vendor_config rename to hosts/fw-new/pkgs/kernel/rk35xx_vendor_config 
diff --git a/hosts/fw-new.cloonar.com/pkgs/kernel/vendor.nix b/hosts/fw-new/pkgs/kernel/vendor.nix similarity index 84% rename from hosts/fw-new.cloonar.com/pkgs/kernel/vendor.nix rename to hosts/fw-new/pkgs/kernel/vendor.nix index 56a705d..d7f9c4e 100644 --- a/hosts/fw-new.cloonar.com/pkgs/kernel/vendor.nix +++ b/hosts/fw-new/pkgs/kernel/vendor.nix @@ -15,13 +15,19 @@ }: (linuxManualConfig rec { modDirVersion = "6.1.43"; + # modDirVersion = "5.10.65"; version = "${modDirVersion}-xunlong-rk3588"; extraMeta.branch = "6.1"; + # extraMeta.branch = "5.10"; # https://github.com/orangepi-xunlong/linux-orangepi/tree/orange-pi-6.1-rk35xx src = fetchFromGitHub { owner = "orangepi-xunlong"; repo = "linux-orangepi"; + # rev = "122b41d84d018af909a766e48f3f90cbea9868e0"; + # hash = "sha256-kOhxDP1hbrrIriOXizgZoB0I+3/JWOPcOCdNeXcPJV0="; + # rev = "eb1c681e5184e51d8ce1f351559d149d17f48b57"; + # hash = "sha256-kOhxDP1hbrrIriOXizgZoB0I+3/JWOPcOCdNeXcPJV0="; rev = "752c0d0a12fdce201da45852287b48382caa8c0f"; hash = "sha256-tVu/3SF/+s+Z6ytKvuY+ZwqsXUlm40yOZ/O5kfNfUYc="; }; @@ -41,5 +47,5 @@ }) .overrideAttrs (old: { name = "k"; # dodge uboot length limits - nativeBuildInputs = old.nativeBuildInputs ++ [ubootTools]; + # nativeBuildInputs = old.nativeBuildInputs ++ [ubootTools]; }) diff --git a/hosts/fw-new.cloonar.com/pkgs/mali-firmware/default.nix b/hosts/fw-new/pkgs/mali-firmware/default.nix similarity index 100% rename from hosts/fw-new.cloonar.com/pkgs/mali-firmware/default.nix rename to hosts/fw-new/pkgs/mali-firmware/default.nix diff --git a/hosts/fw-new.cloonar.com/pkgs/orangepi-firmware/default.nix b/hosts/fw-new/pkgs/orangepi-firmware/default.nix similarity index 100% rename from hosts/fw-new.cloonar.com/pkgs/orangepi-firmware/default.nix rename to hosts/fw-new/pkgs/orangepi-firmware/default.nix 
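Review bot: The two commented-out `rev`/`hash` pairs in the `fetchFromGitHub` call both carry the same `hash = "sha256-kOhxDP1hbrrIriOXizgZoB0I+3/JWOPcOCdNeXcPJV0="` for different revisions, which cannot both be correct and will mislead whoever uncomments one; drop the dead alternatives, or keep one with a comment naming the kernel version it corresponds to. Commenting out `nativeBuildInputs = old.nativeBuildInputs ++ [ubootTools];` likely leaves `ubootTools` as an unused argument of the function above the hunk — worth checking — and a one-line comment on why the u-boot tooling is no longer needed would help. The `linuxManualConfig` call begins outside the hunk.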
diff --git a/hosts/fw-new.cloonar.com/secrets.yaml b/hosts/fw-new/secrets.yaml similarity index 88% rename from hosts/fw-new.cloonar.com/secrets.yaml rename to hosts/fw-new/secrets.yaml index d000e01..413975b 100644 --- a/hosts/fw-new.cloonar.com/secrets.yaml +++ b/hosts/fw-new/secrets.yaml 
@@ -23,29 +23,29 @@ sops: - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpalJkZWNhUzRJdTdhaElh - VlNGd3AzaW5ha1d4ekVESStQSC9mTnBGRzFRCmszVHVBMjFRZjRuejRjenhvdGZl - RkMxMmowbWdndDZvcHc5RDZBNGh2THcKLS0tIFVuU0ZIOXlpZEE1alVGaXhnbWhQ - T1BiZitwUHEvRGx2ZkdTTWJZQzJpOU0KH035L5mbJ1fDjmuNbmfCGZdJ/4eE9FeI - qM5/d51C3fP1uRjeLJFxObNlu/QG9MKql80fYF0NUboVGIUzHwv9gw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1YlN0a1M2cStpbUtMMWFZ + RzQrMGZmbkN2c01yOHhvbllwQUVpcWhmU3lrCkQxeHNQb2pKa3pOYnB3aEFjTGl1 + c1IvSnZnTS9JMFJ1L1E0cXRybEJ6KzQKLS0tIDdPNTNwZDdMRzhyVzNzdXRESlZO + TkRXeUsxTWpodWtIT3Mza3o3SlZGdUkK/U6+p4rYGLhTWSHPOysau+iCoWseiLht + oT8a2hp9dSh1ofseyBfgeDeBN7Td9Z9FTBXBgcM911Sdq3VffQJHgw== -----END AGE ENCRYPTED FILE----- - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIdm01UEx6OFZkOW5QTnp3 - bUpuczZUUFdhRnhBbUxabGNFY0Rzd3pDdGp3CnRZMk9JRTV5Q1Jwa1J5Q1dtd0lM - YzZKVzVRNldEa3JEL3h6TURPcHc4MWMKLS0tIGVEQnJ3N3c1ZHJ1Nitta2JRWDZP - VFZ3Qm5SYzRyVitTV2JkN2hWNEVMSDAKwHMncahsEQTsahAXr9VJFgsahUJ4yrOD - E1x6RAAI+2q8v3hPO8Rd8i6i/sELyM+NdK81WRrGwn8FHR8yZC7zoA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBheVYzaDRndjhXMmhYaGdC + ZFcyUlZNd28wbFdsUEk2OWt5aEYwSzBsWVFrCnZjOHg2bXFPNlgwa3E3NkZlOXpJ + T2llSXJLNmcwWVVYdDdJY24xV1laWmMKLS0tIFhwTFdKaHk4NG91L2Y3OUZ4eHhD + V000QkdMWUhBV3E3dklnbTgvQVFUVG8KRkTaCoXdzF6+di4o9MoZIVUtM7YCxfiF + 3PP2lurWxmSmGDhD7OwIgM+EQ0sKViDbcvGs6Oo8BKClgSx7i9kvPg== -----END AGE ENCRYPTED FILE----- - - recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df + - recipient: age12msc2c6drsaw0yk2hjlaw0q0lyq0emjx5e8rq7qc7ql689k593kqfmhss2 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYWozckZEcGJRK0NoTEcr - N0JsUG9UMGV1NTNxa0RmK3QyYVp0Wm04S25vCkxsSnpWQ3NGaGZMalEreUZkZVZE - 
ZUk4R1M3cDdaU0NBa21Hc2lTaXFhdGcKLS0tIFcwRGJZU0hmUW5aRHZsNG1NZ25n - ejhXSmVkVjlhRDF3d1JDQlBzd2N3WncK6taU4OsyYoZc5P/2fMrSidLo2tYcH6Yw - tNJRIOqR2Iq1M4ey27jnTdw3NvYKyxjn60ZeW2xcn8CYrpf0X4gLQA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKbUMxNy9VTkJkMkszcUdx + MjJlRDk4TnoxMVEzSDdIK3J5dktWWHl5MHl3CmtjS013OXlqSjNhTlNBWURTRmht + eFVLRU1Kbm5OdUtHRm5Nb3NGdzBwWHMKLS0tIE51M2tnaEUzMlRIeDEzZjhxV3RH + clE0QWFvRit2N1hsaDlUcUpDbFdhUlEKA+8ukUbm61s2B7XzbBclbmL1G+cHP9DO + XGOzmtpNm/kPKZCj9CuMBB3Ze4pEQglv66YQPafzQhmP4LMoWrOQrA== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-08-02T22:57:14Z" mac: ENC[AES256_GCM,data:U9/pKXdqXMvjQgyTIGz0JG+88aBXVgp29Fmm0OE66KMArkX8ungcEtdnGYKhD0gFJKLrKZZY5V8oyAXEq95D+Bh8ZnfmQibYw04cPldc6kTZstsrpbzrWVfn6sqG/ih12oXdsLws+H6IeN+O2qGZHDIVjvPufAdJ3A2X+Yakahg=,iv:mG+dGv3l/PNhggvlujLxDGU5z47qVA9sOTUbU2b2dPo=,tag:Rz2av33iwa9aYR7c0cviEg==,type:str] diff --git a/hosts/fw-new.cloonar.com/utils b/hosts/fw-new/utils similarity index 100% rename from hosts/fw-new.cloonar.com/utils rename to hosts/fw-new/utils diff --git a/hosts/fw.cloonar.com/configuration.nix b/hosts/fw.cloonar.com/configuration.nix index 05fe219..a1c89df 100644 --- a/hosts/fw.cloonar.com/configuration.nix +++ b/hosts/fw.cloonar.com/configuration.nix @@ -49,6 +49,9 @@ ./modules/palworld.nix # ./modules/ark-survival-evolved.nix + # setup network + ./modules/setupnetwork.nix + ./hardware-configuration.nix ]; 
@@ -84,37 +87,42 @@ inotify-tools ]; - nix.gc = { - automatic = true; - options = "--delete-older-than 60d"; + nix = { + settings.auto-optimise-store = true; + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 60d"; + }; + # Free up to 1GiB whenever there is less than 100MiB left. + extraOptions = '' + min-free = ${toString (100 * 1024 * 1024)} + max-free = ${toString (1024 * 1024 * 1024)} + ''; }; - services.auto-cpufreq.enable = true; - services.auto-cpufreq.settings = { - charger = { - governor = "powersave"; - turbo = "auto"; + services.tlp = { + enable = true; + settings = { + CPU_SCALING_GOVERNOR_ON_AC = "powersave"; # powersave or performance + CPU_ENERGY_PERF_POLICY_ON_AC = "power"; # power or performance + # CPU_MIN_PERF_ON_AC = 0; + # CPU_MAX_PERF_ON_AC = 100; # max 100 }; }; - boot = { - kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./pkgs/kernel/vendor.nix {}); - - # kernelParams copy from Armbian's /boot/armbianEnv.txt & /boot/boot.cmd - kernelParams = [ - "rootwait" - - "earlycon" # enable early console, so we can see the boot messages via serial port / HDMI - "consoleblank=0" # disable console blanking(screen saver) - "console=ttyS2,1500000" # serial port - "console=tty1" # HDMI - - # docker optimizations - "cgroup_enable=cpuset" - "cgroup_memory=1" - "cgroup_enable=memory" - "swapaccount=1" - ]; + systemd.services = { + powertop = { + wantedBy = [ "multi-user.target" ]; + after = [ "multi-user.target" ]; + description = "Powertop tunings"; + path = [ pkgs.kmod ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStart = "${pkgs.powertop}/bin/powertop --auto-tune && for dev in /sys/class/net/*; do echo on > \"$dev/device/power/control\"; done'"; + }; + }; }; boot.tmp.cleanOnBoot = true; diff --git a/hosts/fw.cloonar.com/hardware-configuration.nix b/hosts/fw.cloonar.com/hardware-configuration.nix index edb9af5..4f482d8 100644 --- a/hosts/fw.cloonar.com/hardware-configuration.nix 
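Review bot: The new powertop unit's `ExecStart` does not do what the string says: systemd does not run ExecStart= through a shell, so `&&`, the `for … do … done` loop and the `>` redirection are handed to powertop as literal arguments, and the string also ends with an unmatched `'`. Wrap the sequence in a `pkgs.writeShellScript` so it runs under bash, and skip interfaces that have no `device/power/control` node (loopback, VLAN and WireGuard interfaces have none), otherwise the loop would fail on the first virtual interface even once it is executed by a shell. The `nix` and `services.tlp` parts of the hunk look fine; whether `powersave` on AC is wanted for a router is a policy choice worth a comment.
```nix
ExecStart = pkgs.writeShellScript "powertop-autotune" ''
  ${pkgs.powertop}/bin/powertop --auto-tune
  # auto-tune enables runtime PM on NICs; force it back off on a router.
  for ctl in /sys/class/net/*/device/power/control; do
    if [ -w "$ctl" ]; then echo on > "$ctl"; fi
  done
'';
```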
+++ b/hosts/fw.cloonar.com/hardware-configuration.nix @@ -1,6 +1,9 @@ { lib, config, modulesPath, ... }: { - boot.loader.systemd-boot.enable = true; + boot.loader.systemd-boot = { + enable = true; + configurationLimit = 5; + }; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "vmw_pvscsi" "xen_blkfront" ]; boot.initrd.kernelModules = [ "nvme" "kvm-intel" ]; diff --git a/hosts/fw.cloonar.com/modules/ddclient.nix b/hosts/fw.cloonar.com/modules/ddclient.nix index 1e27c0c..3a3eb01 100644 --- a/hosts/fw.cloonar.com/modules/ddclient.nix +++ b/hosts/fw.cloonar.com/modules/ddclient.nix @@ -13,6 +13,7 @@ "vpn.cloonar.com" "git.cloonar.com" "palworld.cloonar.com" + "matrix.cloonar.com" ]; }; diff --git a/hosts/fw.cloonar.com/modules/dhcp4.nix b/hosts/fw.cloonar.com/modules/dhcp4.nix index d37b611..9d11493 100644 --- a/hosts/fw.cloonar.com/modules/dhcp4.nix +++ b/hosts/fw.cloonar.com/modules/dhcp4.nix @@ -92,6 +92,11 @@ ip-address = "10.42.97.5"; server-hostname = "web-02.cloonar.com"; } + { + hw-address = "02:00:00:00:00:04"; + ip-address = "10.42.97.6"; + server-hostname = "matrix.cloonar.com"; + } { hw-address = "ea:db:d4:c1:18:ba"; ip-address = "10.42.97.50"; diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix index 363d4fc..1a5eb89 100644 --- a/hosts/fw.cloonar.com/modules/firewall.nix +++ b/hosts/fw.cloonar.com/modules/firewall.nix 
@@ -33,7 +33,7 @@ iifname "wan" tcp dport 9273 counter accept comment "Prometheus traffic" iifname "lan" tcp dport 5931 counter accept comment "Spice" iifname { "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router" - iifname { "multimedia", "smart", "infrastructure", "podman0" } udp dport { 53, 5353 } counter accept comment "DNS" + iifname { "multimedia", "smart", "infrastructure", "podman0", "setup" } udp dport { 53, 5353 } counter accept comment "DNS" iifname { "wan", "multimedia" } icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP" # Accept mDNS for avahi reflection @@ -92,10 +92,9 @@ oifname "server" ip daddr 10.42.97.5 tcp dport { 80, 443 } counter accept # lan and vpn to any - # TODO: disable wan when finished - iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "vm-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter log prefix "basic forward allow rule" accept + iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "vm-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar", "guest", "setup" } counter accept iifname { "lan", "server", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept - iifname { "infrastructure" } oifname { "server", "vserver" } counter accept + iifname { "infrastructure", "setup" } oifname { "server", "vserver" } counter accept iifname { "lan", "wan" } udp dport { 8211, 27015 } counter accept comment "palworld" # accept palword server @@ -121,6 +120,7 @@ "wg_cloonar", "podman*", "guest", + "setup", "vb-*", "vm-*", } oifname { diff --git a/hosts/fw.cloonar.com/modules/home-assistant/default.nix b/hosts/fw.cloonar.com/modules/home-assistant/default.nix index 5f0bc3d..de2c89c 100644 --- a/hosts/fw.cloonar.com/modules/home-assistant/default.nix 
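Review bot: The rewritten rule `iifname { "infrastructure", "setup" } oifname { "server", "vserver" } counter accept` gives the new `setup` network the same unrestricted forwarding into the server segments as `infrastructure`; if `setup` is a provisioning VLAN for not-yet-configured devices (the name and the separate DHCP pool suggest so, but this hunk does not say), it is the least trusted place to open a blanket allow from. Prefer scoping it the way the `oifname "server" ip daddr 10.42.97.5 tcp dport { 80, 443 }` line above does, e.g. `iifname "setup" oifname { "server", "vserver" } tcp dport { 80, 443 } counter accept comment "setup: provisioning only"`, and leave `infrastructure` on its own rule. Dropping `log prefix` from the trusted-forward accept rule is reasonable, but the removed `# TODO: disable wan when finished` sat next to the palworld rule that still matches `iifname { "lan", "wan" }`; if the TODO referred to that rule, the reminder is now gone without the change being made. The enclosing nftables ruleset string starts before and ends after this hunk.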
+++ b/hosts/fw.cloonar.com/modules/home-assistant/default.nix @@ -1,6 +1,11 @@ { config, pkgs, ... }: let domain = "home-assistant.cloonar.com"; + pkgs-with-home-assistant = import (builtins.fetchGit { + name = "new-home-assistant"; + url = "https://github.com/nixos/nixpkgs/"; + rev = "268bb5090a3c6ac5e1615b38542a868b52ef8088"; + }) {}; in { users.users.hass = { @@ -35,21 +40,21 @@ in extraFlags = [ "--capability=CAP_NET_ADMIN" ]; - allowedDevices = [ - { - modifier = "rwm"; - node = "char-usb_device"; - } - { - modifier = "rwm"; - node = "char-ttyUSB"; - } - ]; + # allowedDevices = [ + # { + # modifier = "rwm"; + # node = "char-usb_device"; + # } + # { + # modifier = "rwm"; + # node = "char-ttyUSB"; + # } + # ]; bindMounts = { - "/dev/ttyUSB0" = { - hostPath = "/dev/ttyUSB0"; - isReadOnly = false; - }; + # "/dev/ttyUSB0" = { + # hostPath = "/dev/ttyUSB0"; + # isReadOnly = false; + # }; "/etc/localtime" = { hostPath = "/etc/localtime"; }; @@ -104,6 +109,7 @@ in environment.systemPackages = [ pkgs.wol + pkgs.mariadb ]; services.nginx.enable = true; @@ -127,6 +133,7 @@ in }; services.home-assistant = { + package = pkgs-with-home-assistant.home-assistant; enable = true; }; @@ -140,6 +147,30 @@ in "tplink_omada" ]; + services.home-assistant.extraPackages = ps: with ps; [ + mysqlclient + ]; + + services.mysql = { + enable = true; + package = pkgs.mariadb; + ensureDatabases = [ "hass" ]; + ensureUsers = [ + { + name = "hass"; + ensurePermissions = { + "hass.*" = "ALL PRIVILEGES"; + }; + } + ]; + + }; + + services.mysqlBackup = { + enable = true; + databases = [ "hass" ]; + }; + services.home-assistant.config = let hiddenEntities = [ @@ -148,6 +179,9 @@ in ]; in { + recorder = { + db_url = "mysql://hass@localhost/hass?unix_socket=/var/run/mysqld/mysqld.sock"; + }; homeassistant = { name = "Home"; latitude = "!secret home_latitude"; 
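Review bot: The `builtins.fetchGit` call behind `pkgs-with-home-assistant` pins `rev` but no `ref`; fetchGit only looks for the commit on the repository's default branch, so if `268bb509…` is not reachable from nixpkgs `master` (a commit that only lives on a release or channel branch) evaluation fails with a "revision not found" error. Add the branch the commit lives on next to `rev`, e.g. `ref = "nixos-unstable";`, and a comment saying why a separate nixpkgs is needed for Home Assistant. Note that this second nixpkgs is imported with an empty config, so `allowUnfree`, overlays and other settings of the outer `pkgs` do not apply to the `home-assistant` package later taken from it (`package = pkgs-with-home-assistant.home-assistant;`); presumably fine, but easy to miss.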
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/light.nix b/hosts/fw.cloonar.com/modules/home-assistant/light.nix index d81a50d..3abe142 100644 --- a/hosts/fw.cloonar.com/modules/home-assistant/light.nix +++ b/hosts/fw.cloonar.com/modules/home-assistant/light.nix @@ -370,6 +370,7 @@ { platform = "group"; name = "Livingroom Lights"; + all = true; entities = [ "light.livingroom_switch" "light.living_bulb_1" @@ -380,6 +381,37 @@ "light.living_bulb_6" ]; } + { + platform = "switch"; + name = "Kitchen Switch"; + entity_id = "switch.kitchen_switch"; + } + { + platform = "group"; + name = "Kitchen Lights"; + all = true; + entities = [ + "light.kitchen_switch" + "light.kitchen" + ]; + } + { + platform = "switch"; + name = "Bedroom Switch"; + entity_id = "switch.bedroom_switch"; + } + { + platform = "group"; + name = "Bedroom Lights"; + all = true; + entities = [ + "light.bedroom_switch" + "light.bedroom_bulb_1" + "light.bedroom_bulb_2" + "light.bedroom_bulb_3" + "light.bedroom_bulb_4" + ]; + } ]; }; } diff --git a/hosts/fw.cloonar.com/modules/home-assistant/multimedia.nix b/hosts/fw.cloonar.com/modules/home-assistant/multimedia.nix index 9e15384..c1a02c9 100644 --- a/hosts/fw.cloonar.com/modules/home-assistant/multimedia.nix +++ b/hosts/fw.cloonar.com/modules/home-assistant/multimedia.nix 
@@ -48,7 +48,7 @@ friendly_name = "Any multimedia device on"; device_class = "connectivity"; value_template = '' - {% if is_state('binary_sensor.ps5', 'on') or is_state('binary_sensor.xbox', 'on') or (states('media_player.fire_tv_firetv_living_cloonar_multimedia') != 'off' and states('media_player.fire_tv_firetv_living_cloonar_multimedia') != 'unavailable') or (is_state('binary_sensor.steamdeck', 'on') and (states('sensor.steamdeck_power') | float > 5)) %} + {% if is_state('binary_sensor.ps5', 'on') or is_state('binary_sensor.xbox', 'on') or (states('media_player.fire_tv_firetv_living_cloonar_multimedia') != 'off' and states('media_player.fire_tv_firetv_living_cloonar_multimedia') != 'unavailable') or (is_state('binary_sensor.steamdeck', 'on') and (states('sensor.steamdeck_power') | float(default=0) > 5)) %} on {% else %} off diff --git a/hosts/fw.cloonar.com/modules/home-assistant/shelly.nix b/hosts/fw.cloonar.com/modules/home-assistant/shelly.nix index af556c3..8ecb7f6 100644 --- a/hosts/fw.cloonar.com/modules/home-assistant/shelly.nix +++ b/hosts/fw.cloonar.com/modules/home-assistant/shelly.nix 
@@ -7,17 +7,22 @@ let { name = "Living Bulb 4"; id = "485519D94A28"; } { name = "Living Bulb 5"; id = "485519DA6B6A"; } { name = "Living Bulb 6"; id = "485519D9E018"; } + { name = "Bedroom Bulb 1"; id = "08F9E06F4EB4"; } + { name = "Bedroom Bulb 2"; id = "485519EE0ED9"; } + { name = "Bedroom Bulb 3"; id = "08F9E06FE779"; } + { name = "Bedroom Bulb 4"; id = "485519EE00A0"; } ]; switches = [ - { name = "Kitchen Switch"; id = "483FDA8274C2"; relay = "0"; } - { name = "Livingroom Switch"; id = "483FDA8274C2"; relay = "1"; } ]; proswitches = [ - { name = "Hallway Circuit"; id = "c8f09e894448"; relay = "0"; } - { name = "Bathroom Circuit"; id = "c8f09e894448"; relay = "1"; } - { name = "Kitchen Circuit"; id = "c8f09e894448"; relay = "2"; } + { name = "Livingroom Switch"; id = "shellyplus2pm-e86beae5d5d8"; relay = "0"; } + { name = "Kitchen Switch"; id = "shellyplus2pm-e86beae5d5d8"; relay = "1"; } + { name = "Bedroom Switch"; id = "shelly1pmminig3-34b7da933fe0"; relay = "0"; } + { name = "Hallway Circuit"; id = "shellypro3-c8f09e894448"; relay = "0"; } + { name = "Bathroom Circuit"; id = "shellypro3-c8f09e894448"; relay = "1"; } + { name = "Kitchen Circuit"; id = "shellypro3-c8f09e894448"; relay = "2"; } ]; in { services.home-assistant.extraComponents = [ 
@@ -45,14 +50,14 @@ in { in { name = switch.name; unique_id = unique_id; - state_topic = "shellies/shellypro3-${switch.id}/status/switch:${switch.relay}"; + state_topic = "shellies/${switch.id}/status/switch:${switch.relay}"; value_template = "{{ value_json.output }}"; state_on = true; state_off = false; - command_topic = "shellies/shellypro3-c8f09e894448/rpc"; + command_topic = "shellies/${switch.id}/rpc"; payload_on = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":true}}"; payload_off = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":false}}"; - availability_topic = "shellies/shellypro3-${switch.id}/online"; + availability_topic = "shellies/${switch.id}/online"; payload_available = "true"; payload_not_available = "false"; } diff --git a/hosts/fw.cloonar.com/modules/home-assistant/sleep.nix b/hosts/fw.cloonar.com/modules/home-assistant/sleep.nix index db2f580..cad3bc0 100644 --- a/hosts/fw.cloonar.com/modules/home-assistant/sleep.nix +++ b/hosts/fw.cloonar.com/modules/home-assistant/sleep.nix @@ -14,6 +14,14 @@ { delay = 1700; } + { + service = "switch.turn_on"; + entity_id = "switch.hallway_circuit"; + } + { + service = "switch.turn_on"; + entity_id = "switch.bathroom_circuit"; + } { service = "switch.turn_on"; entity_id = "switch.78_8c_b5_fe_41_62_port_2_poe"; # livingroom @@ -64,6 +72,14 @@ service = "switch.turn_off"; entity_id = "switch.78_8c_b5_fe_41_62_port_3_poe"; } + { + service = "switch.turn_off"; + entity_id = "switch.hallway_circuit"; + } + { + service = "switch.turn_off"; + entity_id = "switch.bathroom_circuit"; + } ]; } ]; diff --git a/hosts/fw.cloonar.com/modules/setupnetwork.nix b/hosts/fw.cloonar.com/modules/setupnetwork.nix new file mode 100644 index 0000000..7dc143d --- /dev/null +++ b/hosts/fw.cloonar.com/modules/setupnetwork.nix 
@@ -0,0 +1,58 @@ +{ ... }: { + networking = { + vlans = { + setup = { + id = 110; + interface = "enp5s0"; + }; + }; + + interfaces = { + setup = { + ipv4.addresses = [{ + address = "10.42.110.1"; + prefixLength = 24; + }]; + }; + }; + }; + + services.kea.dhcp4 = { + settings = { + interfaces-config = { + interfaces = [ + "setup" + ]; + }; + subnet4 = [ + { + pools = [ + { + pool = "10.42.110.100 - 10.42.110.240"; + } + ]; + subnet = "10.42.110.0/24"; + interface = "setup"; + option-data = [ + { + name = "routers"; + data = "10.42.110.1"; + } + { + name = "domain-name"; + data = "cloonar.com"; + } + { + name = "domain-search"; + data = "cloonar.com"; + } + { + name = "domain-name-servers"; + data = "10.42.97.1"; + } + ]; + } + ]; + }; + }; +} diff --git a/hosts/fw.cloonar.com/modules/unbound.nix b/hosts/fw.cloonar.com/modules/unbound.nix index 975b394..e766b67 100644 --- a/hosts/fw.cloonar.com/modules/unbound.nix +++ b/hosts/fw.cloonar.com/modules/unbound.nix @@ -23,9 +23,9 @@ let cfg = { remote-control.control-enable = true; server = { - include = [ - "\"${adblockLocalZones}\"" - ]; + # include = [ + # "\"${adblockLocalZones}\"" + # ]; interface = [ "0.0.0.0" "::0" ]; interface-automatic = "yes"; access-control = [ @@ -56,6 +56,7 @@ let "\"snapcast.cloonar.com IN A 10.42.97.21\"" "\"home-assistant.cloonar.com IN A 10.42.97.20\"" "\"web-02.cloonar.com IN A 10.42.97.5\"" + "\"matrix.cloonar.com IN A 10.42.97.5\"" "\"support.cloonar.com IN A 10.42.97.5\"" "\"git.cloonar.com IN A 10.42.97.50\"" "\"sync.cloonar.com IN A 10.42.97.51\"" @@ -73,6 +74,7 @@ let "\"mieterhilfe.at IN A 10.254.240.109\"" "\"wohnpartner-wien.at IN A 10.254.240.109\"" "\"new.wohnberatung-wien.at IN A 10.254.240.109\"" + "\"new.wohnpartner-wien.at IN A 10.254.240.109\"" "\"wohnberatung-wien.at IN A 10.254.240.109\"" "\"wienbautvor.at IN A 10.254.240.109\"" "\"wienwohntbesser.at IN A 10.254.240.109\"" 
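Review bot: The Kea pool for the new `setup` VLAN hands out `domain-name-servers = 10.42.97.1`, an address on a different subnet than the router's own `10.42.110.1` on this interface, so setup clients resolve names through an off-link address and depend on the router's `iifname "setup"` DNS input rule matching that destination. Handing out `data = "10.42.110.1";` for `domain-name-servers` keeps resolution on the VLAN and makes the rule easier to reason about. A one-line header stating what this VLAN is for, e.g. `# VLAN 110: isolated provisioning network for new/unconfigured devices`, would let the firewall rules that now reference `setup` be reviewed against its intent.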
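Review bot: The new `matrix.cloonar.com IN A 10.42.97.5` record points at web-02, while the dhcp4.nix hunk in this same commit reserves `10.42.97.6` for `server-hostname = "matrix.cloonar.com"` (MAC `02:00:00:00:00:04`), so the name resolves to a different host than the lease claims. If matrix is served by the web-02 microvm's nginx (matrix.nix lands under `modules/web/`), the reservation looks like a leftover and should be removed or relabelled; otherwise the A record should read `10.42.97.6`. The commented-out `include` of `adblockLocalZones` in the first hunk silently turns off DNS ad-blocking for every client; if that is intentional say so in the comment, and if it is a temporary workaround note what broke so it is not forgotten.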
@@ -94,6 +96,7 @@ let "\"b.stage.mieterhilfe.at IN A 10.254.240.110\"" "\"b.stage.wohnpartner-wien.at IN A 10.254.240.110\"" "\"b.stage.new.wohnberatung-wien.at IN A 10.254.240.110\"" + "\"b.stage.new.wohnpartner-wien.at IN A 10.254.240.110\"" "\"b.stage.wohnberatung-wien.at IN A 10.254.240.110\"" "\"b.stage.wienbautvor.at IN A 10.254.240.110\"" "\"b.stage.wienwohntbesser.at IN A 10.254.240.110\"" diff --git a/hosts/fw.cloonar.com/modules/web/default.nix b/hosts/fw.cloonar.com/modules/web/default.nix index 024ef58..f9afea1 100644 --- a/hosts/fw.cloonar.com/modules/web/default.nix +++ b/hosts/fw.cloonar.com/modules/web/default.nix @@ -1,10 +1,18 @@ -{ lib, nixpkgs, pkgs, ... }: let +{ lib, pkgs, config, ... }: let hostname = "web-02"; json = pkgs.formats.json { }; impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz"; in { microvm.vms = { web = { + pkgs = import pkgs.path { + config = { + permittedInsecurePackages = [ + # needed for matrix + "olm-3.2.16" + ]; + }; + }; config = { microvm = { mem = 4096; @@ -47,6 +55,7 @@ in { # ./zammad.nix ./proxies.nix + ./matrix.nix ]; time.timeZone = "Europe/Vienna"; @@ -93,6 +102,14 @@ in { "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius" ]; + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + }; + # backups # borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg"; diff --git a/hosts/fw.cloonar.com/modules/web/matrix.nix b/hosts/fw.cloonar.com/modules/web/matrix.nix new file mode 100644 index 0000000..d30020e --- /dev/null +++ b/hosts/fw.cloonar.com/modules/web/matrix.nix 
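Review bot: `permittedInsecurePackages = [ "olm-3.2.16" ]` opts the web microvm back into libolm, which nixpkgs marks insecure because upstream has declared it end-of-life and the nixpkgs note cites side-channel concerns in its cryptographic primitives; the matrix bridges added in this commit set `encryption.require = true`, so this is exactly the code that will handle room keys. If it is accepted knowingly, say so where the override is made and give an exit plan, e.g. `# libolm is EOL and flagged insecure in nixpkgs; revisit once the mautrix bridges build with vodozemac`, or drop required E2EE on the bridges until then. Note also that `import pkgs.path { config = … }` evaluates a fresh nixpkgs with only this config, so any `allowUnfree`, overlays or other settings of the outer `pkgs` do not apply inside the VM — presumably intended, but worth a comment.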
@@ -0,0 +1,484 @@ +{ pkgs, lib, config, ... }: +let + hostname = "matrix"; + fqdn = "${hostname}.cloonar.com"; + baseUrl = "https://matrix.cloonar.com"; + clientConfig."m.homeserver".base_url = baseUrl; + serverConfig."m.server" = "${fqdn}:443"; + mkWellKnown = data: '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON data}'; + ''; +in { + sops.secrets.matrix-shared-secret = { + }; + sops.secrets.dendrite-private-key = { + }; + + services.postgresql = { + enable = true; + ensureDatabases = [ "dendrite" ]; + ensureUsers = [ + { + name = "dendrite"; + } + ]; + }; + services.postgresqlBackup.enable = true; + services.postgresqlBackup.databases = [ "dendrite" ]; + + services.nginx.virtualHosts."${fqdn}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + locations."/".extraConfig = '' + return 404; + ''; + locations."/_dendrite".proxyPass = "http://[::1]:8008"; + locations."/_matrix".proxyPass = "http://[::1]:8008"; + locations."/_synapse/client".proxyPass = "http://[::1]:8008"; + }; + + + services.dendrite = { + enable = true; + settings = { + global = { + server_name = "cloonar.com"; + private_key = "$CREDENTIALS_DIRECTORY/private_key"; + database.connection_string = "postgresql:///dendrite?host=/run/postgresql"; + }; + client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; + app_service_api.config_files = [ + "$CREDENTIALS_DIRECTORY/whatsapp_registration" + "$CREDENTIALS_DIRECTORY/signal_registration" + "$CREDENTIALS_DIRECTORY/discord_registration" + ]; + app_service_api.database.connection_string = ""; + federation_api.database.connection_string = ""; + key_server.database.connection_string = ""; + relay_api.database.connection_string = ""; + media_api.database.connection_string = ""; + room_server.database.connection_string = ""; + sync_api.database.connection_string = ""; + user_api.account_database.connection_string = ""; + user_api.device_database.connection_string = ""; + 
mscs.database.connection_string = ""; + }; + loadCredential = [ + "private_key:${config.sops.secrets.dendrite-private-key.path}" + "whatsapp_registration:/var/lib/mautrix-whatsapp/whatsapp-registration.yaml" + "signal_registration:/var/lib/mautrix-signal/signal-registration.yaml" + "discord_registration:/var/lib/mautrix-discord/discord-registration.yaml" + ]; + environmentFile = config.sops.secrets.matrix-shared-secret.path; + }; + + users.users.mautrix-whatsapp = { + isSystemUser = true; + group = "mautrix-whatsapp"; + home = "/var/lib/mautrix-whatsapp"; + description = "Mautrix-WhatsApp bridge user"; + }; + + users.groups.mautrix-whatsapp = {}; + systemd.services.mautrix-whatsapp = let + dataDir = "/var/lib/mautrix-whatsapp"; + registrationFile = "${dataDir}/whatsapp-registration.yaml"; + settingsFile = "${dataDir}/config.json"; + settingsFileUnsubstituted = settingsFormat.generate "mautrix-whatsapp-config-unsubstituted.json" defaultConfig; + settingsFormat = pkgs.formats.json {}; + appservicePort = 29318; + defaultConfig = { + homeserver = { + address = "http://[::1]:8008"; + domain = "cloonar.com"; + }; + appservice = { + hostname = "[::]"; + port = appservicePort; + database.type = "sqlite3"; + database.uri = "${dataDir}/mautrix-whatsapp.db"; + id = "whatsapp"; + bot.username = "whatsappbot"; + bot.displayname = "WhatsApp Bridge Bot"; + as_token = ""; + hs_token = ""; + }; + bridge = { + username_template = "whatsapp_{{.}}"; + displayname_template = "{{if .BusinessName}}{{.BusinessName}}{{else if .PushName}}{{.PushName}}{{else}}{{.JID}}{{end}} (WA)"; + double_puppet_server_map = {}; + login_shared_secret_map = {}; + command_prefix = "!wa"; + permissions."*" = "relay"; + permissions."cloonar.com" = "user"; + relay.enabled = true; + history_sync.request_full_sync = false; + encryption = { + allow = true; + default = true; + require = true; + }; + }; + logging = { + min_level = "info"; + writers = lib.singleton { + type = "stdout"; + format = "pretty-colored"; + 
time_format = " "; + }; + }; + }; + in { + description = "Mautrix-WhatsApp Service - A WhatsApp bridge for Matrix"; + + wantedBy = ["multi-user.target"]; + wants = ["network-online.target"]; + after = ["network-online.target"]; + + preStart = '' + test -f '${settingsFile}' && rm -f '${settingsFile}' + old_umask=$(umask) + umask 0177 + ${pkgs.envsubst}/bin/envsubst \ + -o '${settingsFile}' \ + -i '${settingsFileUnsubstituted}' + umask $old_umask + + # generate the appservice's registration file if absent + if [ ! -f '${registrationFile}' ]; then + ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \ + --generate-registration \ + --config='${settingsFile}' \ + --registration='${registrationFile}' + fi + chmod 640 ${registrationFile} + + umask 0177 + ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token + | .[0].appservice.hs_token = .[1].hs_token + | .[0]' '${settingsFile}' '${registrationFile}' \ + > '${settingsFile}.tmp' + mv '${settingsFile}.tmp' '${settingsFile}' + umask $old_umask + ''; + + serviceConfig = { + User = "mautrix-whatsapp"; + Group = "mautrix-whatsapp"; + # EnvironmentFile = cfg.environmentFile; + StateDirectory = baseNameOf dataDir; + WorkingDirectory = dataDir; + ExecStart = '' + ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \ + --config='${settingsFile}' \ + --registration='${registrationFile}' \ + --ignore-unsupported-server + ''; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + Restart = "on-failure"; + RestartSec = "30s"; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = ["@system-service"]; + Type = "simple"; + UMask = 
0027; + }; + restartTriggers = [settingsFileUnsubstituted]; + }; + + users.users.mautrix-signal = { + isSystemUser = true; + group = "mautrix-signal"; + home = "/var/lib/mautrix-signal"; + description = "Mautrix-Signal bridge user"; + }; + + users.groups.mautrix-signal = {}; + systemd.services.mautrix-signal = let + pkgswithsignal = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/fd698a4ab779fb7fb95425f1b56974ba9c2fa16c.tar.gz") { + config = { + permittedInsecurePackages = [ + # needed for matrix + "olm-3.2.16" + ]; + }; + }; + dataDir = "/var/lib/mautrix-signal"; + registrationFile = "${dataDir}/signal-registration.yaml"; + settingsFile = "${dataDir}/config.json"; + settingsFileUnsubstituted = settingsFormat.generate "mautrix-signal-config-unsubstituted.json" defaultConfig; + settingsFormat = pkgs.formats.json {}; + appservicePort = 29328; + defaultConfig = { + homeserver = { + address = "http://[::1]:8008"; + domain = "cloonar.com"; + }; + appservice = { + hostname = "[::]"; + port = appservicePort; + database.type = "sqlite3"; + database.uri = "file:${dataDir}/mautrix-signal.db?_txlock=immediate"; + id = "signal"; + bot = { + username = "signalbot"; + displayname = "Signal Bridge Bot"; + }; + as_token = ""; + hs_token = ""; + }; + bridge = { + username_template = "signal_{{.}}"; + displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}}"; + double_puppet_server_map = { }; + login_shared_secret_map = { }; + command_prefix = "!signal"; + permissions."*" = "relay"; + permissions."cloonar.com" = "user"; + relay.enabled = true; + encryption = { + allow = true; + default = true; + require = true; + }; + }; + logging = { + min_level = "info"; + writers = lib.singleton { + type = "stdout"; + format = "pretty-colored"; + time_format = " "; + }; + }; + }; + in { + description = "Mautrix-Signal Service - A Signal bridge for Matrix"; + + wantedBy = ["multi-user.target"]; + wants = ["network-online.target"]; + after = 
["network-online.target"]; + + preStart = '' + test -f '${settingsFile}' && rm -f '${settingsFile}' + old_umask=$(umask) + umask 0177 + ${pkgs.envsubst}/bin/envsubst \ + -o '${settingsFile}' \ + -i '${settingsFileUnsubstituted}' + umask $old_umask + + # generate the appservice's registration file if absent + if [ ! -f '${registrationFile}' ]; then + ${pkgswithsignal.mautrix-signal}/bin/mautrix-signal \ + --generate-registration \ + --config='${settingsFile}' \ + --registration='${registrationFile}' + fi + chmod 640 ${registrationFile} + + umask 0177 + ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token + | .[0].appservice.hs_token = .[1].hs_token + | .[0] + | if env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET then .bridge.login_shared_secret_map.[.homeserver.domain] = env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET else . end' \ + '${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp' + mv '${settingsFile}.tmp' '${settingsFile}' + umask $old_umask + ''; + + serviceConfig = { + User = "mautrix-signal"; + Group = "mautrix-signal"; + # EnvironmentFile = cfg.environmentFile; + StateDirectory = baseNameOf dataDir; + WorkingDirectory = dataDir; + ExecStart = '' + ${pkgswithsignal.mautrix-signal}/bin/mautrix-signal \ + --config='${settingsFile}' \ + --registration='${registrationFile}' \ + --ignore-unsupported-server + ''; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + Restart = "on-failure"; + RestartSec = "30s"; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = ["@system-service"]; + Type = "simple"; + UMask = 0027; + }; + 
restartTriggers = [settingsFileUnsubstituted]; + }; + + + users.users.mautrix-discord = { + isSystemUser = true; + group = "mautrix-discord"; + home = "/var/lib/mautrix-discord"; + description = "Mautrix-Discord bridge user"; + }; + + users.groups.mautrix-discord = {}; + systemd.services.mautrix-discord = let + pkgswithdiscord = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/5ed627539ac84809c78b2dd6d26a5cebeb5ae269.tar.gz") { + config = { + permittedInsecurePackages = [ + # needed for matrix + "olm-3.2.16" + ]; + }; + }; + dataDir = "/var/lib/mautrix-discord"; + registrationFile = "${dataDir}/discord-registration.yaml"; + settingsFile = "${dataDir}/config.json"; + settingsFileUnsubstituted = settingsFormat.generate "mautrix-discord-config-unsubstituted.json" defaultConfig; + settingsFormat = pkgs.formats.json {}; + appservicePort = 29329; + defaultConfig = { + homeserver = { + address = "http://[::1]:8008"; + domain = "cloonar.com"; + }; + appservice = { + hostname = "[::]"; + port = appservicePort; + database.type = "sqlite3"; + database.uri = "file:${dataDir}/mautrix-discord.db?_txlock=immediate"; + id = "discord"; + bot = { + username = "discordbot"; + displayname = "Discord Bridge Bot"; + }; + as_token = ""; + hs_token = ""; + }; + bridge = { + username_template = "discord_{{.}}"; + displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}}"; + double_puppet_server_map = { }; + login_shared_secret_map = { }; + command_prefix = "!discord"; + permissions."*" = "relay"; + permissions."cloonar.com" = "user"; + relay.enabled = true; + encryption = { + allow = true; + default = true; + require = true; + }; + }; + logging = { + min_level = "info"; + writers = lib.singleton { + type = "stdout"; + format = "pretty-colored"; + time_format = " "; + }; + }; + }; + in { + description = "Mautrix-Discord Service - A Discord bridge for Matrix"; + + wantedBy = ["multi-user.target"]; + wants = ["network-online.target"]; + after = 
["network-online.target"]; + + preStart = '' + test -f '${settingsFile}' && rm -f '${settingsFile}' + old_umask=$(umask) + umask 0177 + ${pkgs.envsubst}/bin/envsubst \ + -o '${settingsFile}' \ + -i '${settingsFileUnsubstituted}' + umask $old_umask + + # generate the appservice's registration file if absent + if [ ! -f '${registrationFile}' ]; then + ${pkgswithdiscord.mautrix-discord}/bin/mautrix-discord \ + --generate-registration \ + --config='${settingsFile}' \ + --registration='${registrationFile}' + fi + chmod 640 ${registrationFile} + + umask 0177 + ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token + | .[0].appservice.hs_token = .[1].hs_token + | .[0] + | if env.MAUTRIX_DISCORD_BRIDGE_LOGIN_SHARED_SECRET then .bridge.login_shared_secret_map.[.homeserver.domain] = env.MAUTRIX_DISCORD_BRIDGE_LOGIN_SHARED_SECRET else . end' \ + '${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp' + mv '${settingsFile}.tmp' '${settingsFile}' + umask $old_umask + ''; + + serviceConfig = { + User = "mautrix-discord"; + Group = "mautrix-discord"; + # EnvironmentFile = cfg.environmentFile; + StateDirectory = baseNameOf dataDir; + WorkingDirectory = dataDir; + ExecStart = '' + ${pkgswithdiscord.mautrix-discord}/bin/mautrix-discord \ + --config='${settingsFile}' \ + --registration='${registrationFile}' + ''; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + Restart = "on-failure"; + RestartSec = "30s"; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = ["@system-service"]; + Type = "simple"; + UMask = 0027; + }; + restartTriggers = 
[settingsFileUnsubstituted]; + }; +} diff --git a/hosts/fw.cloonar.com/modules/web/secrets.yaml b/hosts/fw.cloonar.com/modules/web/secrets.yaml index 348386c..db256f4 100644 --- a/hosts/fw.cloonar.com/modules/web/secrets.yaml +++ b/hosts/fw.cloonar.com/modules/web/secrets.yaml @@ -1,6 +1,8 @@ borg-passphrase: ENC[AES256_GCM,data:2WjoqMRmXvW9EGMmpMYhrC0Qt0Dk7QWlbEncZPdK2SxVljEoFibjVEr6jeYdAx6UkaXdjk9pD3PBbls2tWt0TiNQdh8=,iv:bHzASNjqqfPsQ/1w/oM7x0FubAzzRkn+iWrZlenU9rs=,tag:ektqi0rqEywg9YGybPQesw==,type:str] borg-ssh-key: ENC[AES256_GCM,data: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,iv:U3+fjacm8+gZAjPQNz2mjFYTUbLyltTaPiSKb3lvCmk=,tag:ZR6zI1UijDayIvH3v35Hqg==,type:str] zammad-key-base: ENC[AES256_GCM,data:HO9MuwcwjryuXr5No8sCPfso5bpLtQCoczrC/R214ecVIFwwH1uhMeNO8Tlh6EjRLPo7aVTSz87Vx5yaNVezvHCs55G6TT9mcNS/v/V7sbFz9dNIgbFblY3gFIAa4cViioYc71wdb7d4Tta7qhse5zQ41KhAqCWuGDgFErQA4Oc=,iv:b1wY8fW0psircSlNXwDjPzNWK8NyAMNqegitNcqV6U4=,tag:oQ7nyO9TKOOu6IF7ODzpPA==,type:str] +dendrite-private-key: ENC[AES256_GCM,data:ZHDIa/iYSZGofE67JU63fHRdKbs/ZyEJY45tV6H8WZAOcduGafPYBo2NCZ7nqLbc2Z9dUUgsrpzvkQ3+VaWqFUv7YsE+CbCx4CeiLGMkj8EAGzX4rkJGHMzkkc2UT7v9znCnKACS3fZtU69trqVMcf1PzgqepOHMBku37dzpwOQC/Tc3UTuO72M=,iv:Ljun1/ruY9cDBm9vu62riUrpGjrWtFFx90GeE7uc3Yo=,tag:FF4xPb1SDhK/4ITr/idvYg==,type:str] +matrix-shared-secret: ENC[AES256_GCM,data:HeS4PT0R+TRU6Htwa5TChjK1VAjAdgSS8tSnva+ga3f+mEfJPTQ02pEvS2WFvcnchmEjNYy39zL/rbtX,iv:4yR+VgdJY3VcvLg18v+5jbJDSkFzaeyLNAZ0k8ivjdQ=,tag:RA96iSFDUdlXq30c/vkvpA==,type:str] sops: kms: [] gcp_kms: [] 
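Review bot: All three bridge appservices listen on `hostname = "[::]"`, i.e. every address in the VM, while their only client is dendrite on the same host at `[::1]:8008`; the VM's firewall is not visible here, so ports 29318/29328/29329 may be reachable from the network with only the `hs_token` as protection — bind them with `hostname = "[::1]";` unless something outside the VM must reach them (the registration `url` is derived from `appservice.address`, not `hostname`, so it should be unaffected; verify). `permissions."*" = "relay"` together with `relay.enabled = true` lets any federated Matrix user drive the relay bot in portal rooms; if the server is meant for `cloonar.com` users only, drop the `"*"` entry. The `clientConfig`, `serverConfig` and `mkWellKnown` bindings at the top are never used, so no `.well-known/matrix/{server,client}` is served and delegation for `server_name = "cloonar.com"` is not configured here; either add those `locations` on the `cloonar.com` vhost or delete the dead bindings. dendrite's `loadCredential` reads the three `*-registration.yaml` files that the bridge units create in `preStart`, but nothing orders dendrite after them, so on a fresh host the first dendrite start will likely fail on a missing credential — add `systemd.services.dendrite.after = [ "mautrix-whatsapp.service" "mautrix-signal.service" "mautrix-discord.service" ];` (and `wants`) or generate the registrations out of band. Finally, the three bridge units are ~130 near-identical lines each; a `mkBridge { name, package, port, bridgeConfig }` helper would make the real differences stand out, including that Discord's `displayname_template` still references Signal's `.ProfileName`/`.PhoneNumber` fields, which the Discord bridge presumably does not expose.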
@@ -25,8 +27,8 @@ sops: Q05BN0VnQ0haeHBobWhRV0EzL3dLSEkKWlALiX5mvG8y0WUc8yFWMbcpSRrSGoQx SHaOlDCjYvViZ7GPRLqnSwDGZ1clC6JsTbwKXrMsWdZBKvSO/VIWQw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-16T11:12:23Z" - mac: ENC[AES256_GCM,data:nMLxD/WP3LxLTECQ/wQjiDW3F2Lx8yeMTkNIg97eipebVZwTLiVGg4t+sVzen+X3t4tPixO2a72mWMtIVQKs8d2MzkydLh+LjYItUBP+uw/rnCjB0zfxiPN883+FO6q4+BoT0JJc4LUHbgQQWEDnKaqld4/ICE1xJbPZVEJWo40=,iv:JenHaRqB8ZVDRV5rUOgMURflqQzfOrt9pHege2oiT7g=,tag:xv0p2oW1P0FPqcrRoQ/6tw==,type:str] + lastmodified: "2024-10-14T16:53:41Z" + mac: ENC[AES256_GCM,data:DUi6zUrZBMVaYZ/BvWny7RwPgXe+vQ+odO30fGe8iZHj9d3gzB95F75CqIgENi4gVOA4CQDADE+p45z/mtl04HAh7RiT0/k21RSdQcH2W9AX525fOzeqbxbPA/tXJOctwGrytFwlK9UdJULXkJCwYrJnwNc0XPnBk1FodTykXWs=,iv:q/eapgTVL/rifrrZeIcXT5VO9bEoS4EmmEhYJ2xHvQ4=,tag:xb0Qj/wu17cLTkvefsDqiw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/hosts/fw.cloonar.com/modules/web/zammad.nix b/hosts/fw.cloonar.com/modules/web/zammad.nix index b23b5d8..2dc248f 100644 --- a/hosts/fw.cloonar.com/modules/web/zammad.nix +++ b/hosts/fw.cloonar.com/modules/web/zammad.nix @@ -10,7 +10,6 @@ }; }; - services.nginx.enable = true; services.nginx.virtualHosts."support.cloonar.com" = { forceSSL = true; enableACME = true; diff --git a/hosts/fw.cloonar.com/secrets.yaml b/hosts/fw.cloonar.com/secrets.yaml index d000e01..595a8a6 100644 --- a/hosts/fw.cloonar.com/secrets.yaml +++ b/hosts/fw.cloonar.com/secrets.yaml 
@@ -11,6 +11,7 @@ gitea-runner-token: ENC[AES256_GCM,data:Nd0vsnuJficsdZaqeBZXa9vD7PLMdDtV9sMX0TxU
 drone: ENC[AES256_GCM,data:S8WTZqGHfcdpSojavZ87GdE5dagcTAdHBVQEbHHgnB4V7aczS6c5QdEJxK920Pjpf6o54OOQYniVsPiiXSxwjExDKPzhs/DG2hfigmf8RgfkP+3tF2W0KiPmV2jxog8w226ZKnI+hSBs8tuIfJBhrpY7Y/YNmTPfq+cnnLS8ibYqytcpzoogI9I8THzHCu3r+yejoGSyTMs9L4gPhOjz5aK4UV6V,iv:zqN/aSBI3xGGNDnpHPGyQnQP2YZOGUk6dAGtON/QlHU=,tag:o9YFDKAB5uR9lPmChyxB8g==,type:str]
 home-assistant-ldap: ENC[AES256_GCM,data:uZEPbSnkgQYSd8ev6FD8TRHWWr+vusadtMcvP7KKL2AZAV0h1hga5fODN6I5u0DNL9hq2pNM+FwU0E/svWLRww==,iv:IhmUgSu34NaAY+kUZehx40uymydUYYAyte1aGqQ33/8=,tag:BKFCJPr7Vz4EG78ry/ZD7g==,type:str]
 home-assistant-secrets.yaml: ENC[AES256_GCM,data:m7uOVo7hPk/RmqqRS6y7NKoMKsR9Bdi1ntatsZdDOAbJMjZmZL2FgPEHi/zF73zCfRfTOca3dwpulR3WXZ9Ic1sbUIggmusJMg4Gellw1CUhx7SbQN5nieAbPbB9GVxMuV4OakD1u7Swz8JggDT6IwojSnuD5omCRCyUH1wvKB+Re59q6EStderlm5MJNVFlVrbKVbLKLcw4yRgTh34BGnTTjcJmgSlQjO1ciu2B7YQmdl0Fw6d8AdbEzgB5TFG5ONc85UhJDE8Wlw==,iv:GCtpcVChN2UMWtfnWURozCfVj2YbRPqp/bH4Jjntybs=,tag:pcxP7gTBtXMNT5iyW5YXTw==,type:str]
+matrix-shared-secret: ENC[AES256_GCM,data:67imd3m6WBeGP/5Msmjy8B6sP983jMyWzRIzWgNVV5jZslX+GBJyEYzm3OTDs1iTZf4ScvuYheTH0QFPfw==,iv:7ElCpESWumbIHmmFaedcpkFm5M58ZT3vW9wb9e1Sbh4=,tag:wr4FIymtJBtCerVqae+Xlw==,type:str]
 palworld: ENC[AES256_GCM,data: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,iv:gs78fxhvo9KlTaR5nzs12/LdgPChSFPHD2k4VQp3ARo=,tag:lpWBOi9xh2cWkS+71KD/UQ==,type:str]
 ark: ENC[AES256_GCM,data:YYGyzoVIKI9Ac1zGOr0BEpd3fgBsvp1hSwAvfO07/EQdg8ufMWUkNvqNHDKN62ZK5A1NnY3JTA1p4gyZ4ryQeAOsbwqU1GSk2YKHFyPeEnpLz/Ml82KMsv7XPGXuKRXZ4v3UcLu0R8k1Q0gQsMWo4FjCs3FF5mVtJG/YWxxbCYHoBLJ/di5p0DgjuFgJBQknYBpuLzr+yIoeqEyN7XcGYAJO53trEJuOOxLILULifkqISHjZ66i5F1fHW0iUdRbmeWV4aOAeOrsQqXYv,iv:gJwV5ip84zHqpU0l0uESfWWOtcgihMvEEdLaeI+twcU=,tag:sy8udVQsKxV/jOqwhJmWAg==,type:str]
 firefox-sync: ENC[AES256_GCM,data:uAJAdyKAuXRuqCFl8742vIejU5RnAPpUxUFCC0s0QeXZR5oH2YOrDh+3vKUmckW4V1cIhSHoe+4+I4HuU5E73DDrJThfIzBEw+spo4HXwZf5KBtu3ujgX6/fSTlPWV7pEsDDsZ0y6ziKPADBDym8yEk0bU9nRedvTBUhVryo3aolzF/c+gJvdeDvKUYa8+8=,iv:yuvE4KG7z7Rp9ZNlLiJ2rh0keed3DuvrELzsfJu4+bs=,tag:HFo1A53Eva31NJ8fRE7TlA==,type:str]
@@ -47,8 +48,8 @@ sops:
 ejhXSmVkVjlhRDF3d1JDQlBzd2N3WncK6taU4OsyYoZc5P/2fMrSidLo2tYcH6Yw
 tNJRIOqR2Iq1M4ey27jnTdw3NvYKyxjn60ZeW2xcn8CYrpf0X4gLQA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-08-02T22:57:14Z"
- mac: ENC[AES256_GCM,data:U9/pKXdqXMvjQgyTIGz0JG+88aBXVgp29Fmm0OE66KMArkX8ungcEtdnGYKhD0gFJKLrKZZY5V8oyAXEq95D+Bh8ZnfmQibYw04cPldc6kTZstsrpbzrWVfn6sqG/ih12oXdsLws+H6IeN+O2qGZHDIVjvPufAdJ3A2X+Yakahg=,iv:mG+dGv3l/PNhggvlujLxDGU5z47qVA9sOTUbU2b2dPo=,tag:Rz2av33iwa9aYR7c0cviEg==,type:str]
+ lastmodified: "2024-10-13T22:30:43Z"
+ mac: ENC[AES256_GCM,data:sEySfQaBevydqFBOab7RPCse8fOwiix6GIsXeR9paBCCCHOxDZDusdn0/k97wLeWzvHi0SJB/8+g8qlqXtRuJ/3mT1vJxfWwoJk3gz2WD+d8recG+KkdtkSGu04addHgBZQqGqhOfkRHYypVW3GaBfLteY08nvob4/yjaHCtGig=,iv:lsHvIovstgHmY6OrV3CO0tju2OQb1AcWgMov8klkSqA=,tag:zcvCoCwTgeZhhS1MOvH3HA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/hosts/fw-new.cloonar.com/channel b/hosts/mail.social-grow.tech/channel
similarity index 100%
rename from hosts/fw-new.cloonar.com/channel
rename to hosts/mail.social-grow.tech/channel
diff --git a/hosts/mail.social-grow.tech/configuration.nix b/hosts/mail.social-grow.tech/configuration.nix
new file mode 100644
index 0000000..5e8b51d
--- /dev/null
+++ b/hosts/mail.social-grow.tech/configuration.nix
@@ -0,0 +1,49 @@
+{ config, pkgs, ... }:
+{
+ imports = [
+ ./utils/bento.nix
+ ./utils/modules/sops.nix
+ ./utils/modules/lego/lego.nix
+
+ # ./modules/self-service-password.nix
+ ./modules/rspamd.nix
+ ./modules/openldap.nix
+ ./modules/dovecot.nix
+ ./modules/postfix.nix
+
+ ./utils/modules/borgbackup.nix
+ ./utils/modules/promtail
+ ./utils/modules/victoriametrics
+ ./utils/modules/netdata.nix
+
+ ./hardware-configuration.nix
+ ];
+
+
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ networking.hostName = "mail";
+ networking.domain = "cloonar.com";
+
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
+ ];
+
+ # backups
+ borgbackup.repo = "u149513-sub7@u149513-sub7.your-backup.de:borg";
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 80 443 ];
+ };
+
+ nix.gc = {
+ automatic = true;
+ options = "--delete-older-than 60d";
+ };
+
+ system.stateVersion = "22.11";
+}
diff --git a/hosts/mail.social-grow.tech/hardware-configuration.nix b/hosts/mail.social-grow.tech/hardware-configuration.nix
new file mode 100644
index 0000000..4d91eb3
--- /dev/null
+++ b/hosts/mail.social-grow.tech/hardware-configuration.nix
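Review bot: `networking.domain = "cloonar.com"` on a host living under `hosts/mail.social-grow.tech/` means every module in this commit that builds names from `config.networking.domain` (the `ldap.${domain}`, `imap.${domain}` and `mail.${domain}` certificates and the `rspamd.${domain}` vhost) will be issued for `cloonar.com` names from this machine; if those names are still served by the existing mail host, two machines will be requesting the same certificates, so either the value should be `social-grow.tech` or a comment should record that this is a deliberate migration step. `sops.defaultSopsFile = ./secrets.yaml` refers to a file that does not appear in this part of the diff, yet `dovecot-ldap-password` and `openldap-rootpw` are read from it by the new modules, so it must be created and encrypted for this host before the first deploy. Root login is granted via `users.users.root.openssh.authorizedKeys.keys`; if that is intentional, a one-line comment such as `# key-based root login is relied on by the deploy tooling; PermitRootLogin stays at its prohibit-password default` documents the assumption.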
@@ -0,0 +1,15 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ device = "nodev";
+ configurationLimit = 2;
+ };
+ fileSystems."/boot" = { device = "/dev/disk/by-uuid/105A-0CC0"; fsType = "vfat"; };
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+}
diff --git a/hosts/mail.social-grow.tech/modules/dovecot.nix b/hosts/mail.social-grow.tech/modules/dovecot.nix
new file mode 100644
index 0000000..66bf5cc
--- /dev/null
+++ b/hosts/mail.social-grow.tech/modules/dovecot.nix
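Review bot: `fileSystems."/"` is addressed as `/dev/sda1` while `/boot` uses `/dev/disk/by-uuid/…`; on a qemu guest the `sdX` name can change when a disk is added or the controller order differs, which then fails in the initrd, so the root device should use the same by-uuid form as `/boot` (`device = "/dev/disk/by-uuid/<root-fs-uuid>";`). The initrd module list mixes `xen_blkfront` and `ata_piix` with `nvme` under the `qemu-guest.nix` profile, which looks copied from a different machine type — worth confirming against the actual block devices of this guest.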
@@ -0,0 +1,266 @@ +{ pkgs +, config +, ... +}: +let + domain = config.networking.domain; + # domain = "cloonar.com"; + + ldapConfig = pkgs.writeText "dovecot-ldap.conf" '' + hosts = ldap.cloonar.com + tls = yes + dn = "cn=vmail,ou=system,ou=users,dc=cloonar,dc=com" + dnpass = "@ldap-password@" + auth_bind = no + ldap_version = 3 + base = ou=users,dc=%Dd + user_filter = (&(objectClass=mailAccount)(mail=%u)) + user_attrs = \ + quota=quota_rule=*:bytes=%$, \ + =home=/var/vmail/%d/%n/, \ + =mail=maildir:/var/vmail/%d/%n/Maildir + pass_attrs = mail=user,userPassword=password + pass_filter = (&(objectClass=mailAccount)(mail=%u)) + iterate_attrs = =user=%{ldap:mail} + iterate_filter = (objectClass=mailAccount) + scope = subtree + default_pass_scheme = CRYPT + ''; + + doveSync = pkgs.writeShellScriptBin "dove-sync.sh" '' + #!/usr/bin/env bash + SERVER=''${1} + + if [ -z "$SERVER" ]; then + echo "use as dove-sync.sh host.example.com" + exit 1 + fi + + doveadm user *@cloonar.com | while read user; do + doveadm -v sync -u $user $SERVER + done + + doveadm user *@optiprot.eu | while read user; do + doveadm -v sync -u $user $SERVER + done + + doveadm user *@superbros.tv | while read user; do + doveadm -v sync -u $user $SERVER + done + + doveadm user *@ghetto.at | while read user; do + doveadm -v sync -u $user $SERVER + done + + doveadm user *@szaku-consulting.at | while read user; do + doveadm -v sync -u $user $SERVER + done + + doveadm user *@korean-skin.care | while read user; do + doveadm -v sync -u $user $SERVER + done + ''; + + quotaWarning = pkgs.writeShellScriptBin "quota-warning.sh" '' + #!/usr/bin/env bash + PERCENT=''${1} + USER=''${2} + + cat << EOF | /usr/lib/dovecot/deliver -d ''${USER} -o "plugin/quota=dict:User quota::noenforcing:proxy::quotadict" + 
From: no-reply@$(hostname -f) + Subject: Warning: Your mailbox is now ''${PERCENT}% full. + + Your mailbox is now ''${PERCENT}% full, please clean up some mails for further incoming mails. + EOF + + if [ ''${PERCENT} -ge 95 ]; then + DOMAIN="$(echo ''${USER} | awk -F'@' '{print $2}')" + cat << EOF | /usr/lib/dovecot/deliver -d postmaster@''${DOMAIN} -o "plugin/quota=dict:User quota::noenforcing:proxy::quotadict" + 
From: no-reply@$(hostname -f) + Subject: Mailbox Quota Warning: ''${PERCENT}% full, ''${USER} + + Mailbox (''${USER}) is now ''${PERCENT}% full, please clean up some mails for + further incoming mails. + EOF + fi + ''; +in +{ + environment.systemPackages = with pkgs; [ + doveSync + ]; + + services.dovecot2 = { + enable = true; + enableImap = true; + enableLmtp = true; + enablePAM = false; + mailLocation = "maildir:/var/vmail/%d/%n/Maildir"; + mailUser = "vmail"; + mailGroup = "vmail"; + extraConfig = '' + ssl = yes + ssl_cert = '. Currently only 'postfix' protocol is supported. + executable = quota-status -p postfix + client_limit = 1 + inet_listener { + address = 127.0.0.1 + port = 12340 + } + } + + protocol sieve { + managesieve_logout_format = bytes ( in=%i : out=%o ) + } + + plugin { + sieve_dir = /var/vmail/%d/%n/sieve/scripts/ + sieve = /var/vmail/%d/%n/sieve/active-script.sieve + sieve_extensions = +vacation-seconds +editheader + sieve_vacation_min_period = 1min + + fts = lucene + fts_lucene = whitespace_chars=@. 
+ + quota_warning = storage=100%% quota-warning 100 %u + quota_warning2 = storage=95%% quota-warning 95 %u + quota_warning3 = storage=90%% quota-warning 90 %u + quota_warning4 = storage=85%% quota-warning 85 %u + + quota_grace = 10%% + + quota_status_success = DUNNO + quota_status_nouser = DUNNO + quota_status_overquota = "552 5.2.2 Mailbox is full" + } + + # If you have Dovecot v2.2.8+ you may get a significant performance improvement with fetch-headers: + imapc_features = $imapc_features fetch-headers + # Read multiple mails in parallel, improves performance + mail_prefetch_count = 20 + ''; + modules = [ + pkgs.dovecot_pigeonhole + ]; + protocols = [ + "sieve" + ]; + }; + + users.users.vmail = { + home = "/var/vmail"; + createHome = true; + isSystemUser = true; + uid = 1000; + shell = "/run/current-system/sw/bin/nologin"; + }; + + security.dhparams = { + enable = true; + params.dovecot2 = { }; + }; + + sops.secrets.dovecot-ldap-password = { }; + + systemd.services.dovecot2.preStart = '' + sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${ldapConfig} > /run/dovecot2/ldap.conf + ''; + + systemd.services.dovecot2 = { + wants = [ "acme-imap.${domain}.service" ]; + after = [ "acme-imap.${domain}.service" ]; + }; + + users.groups.acme.members = [ "openldap" ]; + + /* trigger the actual certificate generation for your hostname */ + security.acme.certs."imap.${domain}" = { + extraDomainNames = [ + "imap-test.${domain}" + "imap-02.${domain}" + ]; + postRun = "systemctl restart dovecot2.service"; + }; + + networking.firewall.allowedTCPPorts = [ + 143 # imap + 993 # imaps + 4190 # sieve + ]; +} diff --git a/hosts/mail.social-grow.tech/modules/openldap.nix b/hosts/mail.social-grow.tech/modules/openldap.nix new file mode 100644 index 0000000..07029aa --- /dev/null +++ b/hosts/mail.social-grow.tech/modules/openldap.nix 
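Review bot: `systemd.services.dovecot2.preStart` renders the LDAP bind password into `/run/dovecot2/ldap.conf` through a plain `>` redirection, so the file gets whatever mode the unit's umask yields rather than an explicit owner-only mode, and `sed -e "s/@ldap-password@/.../"` breaks on any `/` in the secret; `postfix.nix` repeats the same line five times for `/run/postfix/*.cf`. I would write it as `(umask 077; sed -e "s|@ldap-password@|$(cat ${config.sops.secrets.dovecot-ldap-password.path})|" ${ldapConfig} > /run/dovecot2/ldap.conf)` and keep in mind that `$(cat …)` still places the secret in sed's argv for the duration of the call. `quotaWarning` invokes `/usr/lib/dovecot/deliver`, a path that does not exist on NixOS, so the quota notices cannot be delivered; point it at the LDA shipped in `${pkgs.dovecot}` instead. The Dovecot `service quota-warning` definition that the `quota_warning` plugin entries rely on is not visible in this chunk (the extraConfig around `ssl_cert` appears truncated), so I could not confirm the script is wired in at all.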
@@ -0,0 +1,508 @@
+{
+ pkgs,
+ config,
+ ...
+}:
+let
+ domain = config.networking.domain;
+ # domain = "cloonar.com";
+in {
+ services.openldap = {
+ enable = true;
+
+ urlList = [ "ldap:///" "ldaps:///" ];
+
+ settings.attrs = {
+ olcLogLevel = "-1";
+
+ olcTLSCACertificateFile = "/var/lib/acme/ldap.${domain}/full.pem";
+ olcTLSCertificateFile = "/var/lib/acme/ldap.${domain}/cert.pem";
+ olcTLSCertificateKeyFile = "/var/lib/acme/ldap.${domain}/key.pem";
+ olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
+ olcTLSCRLCheck = "none";
+ olcTLSVerifyClient = "never";
+ olcTLSProtocolMin = "3.1";
+ olcSecurity = "tls=1";
+ };
+
+ settings.children = {
+ "cn=schema".includes = [
+ "${pkgs.openldap}/etc/schema/core.ldif"
+ "${pkgs.openldap}/etc/schema/cosine.ldif"
+ "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+ "${pkgs.openldap}/etc/schema/nis.ldif"
+ ];
+
+ "olcDatabase={1}mdb".attrs = {
+ objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+ olcDatabase = "{1}mdb";
+ olcDbDirectory = "/var/lib/openldap/data";
+
+ olcSuffix = "dc=cloonar,dc=com";
+
+ olcRootDN = "cn=admin,dc=cloonar,dc=com";
+ olcRootPW.path = config.sops.secrets.openldap-rootpw.path;
+
+
+ olcAccess = [
+ ''
+ {0}to attrs=userPassword
+ by self write
+ by anonymous auth
+ by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * none
+ ''
+ ''
+ {1}to attrs=loginShell
+ by self write
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * none
+ ''
+ ''
+ {2}to dn.subtree="ou=system,ou=users,dc=cloonar,dc=com"
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * none
+ ''
+ ''
+ {3}to *
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by dn="cn=admin,dc=cloonar,dc=com" write
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * none
+ ''
+ ];
+ };
+ "olcOverlay=memberof,olcDatabase={1}mdb".attrs = {
+ objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
+ olcOverlay = "memberof";
+ olcMemberOfRefint = "TRUE";
+ };
+ "olcOverlay=ppolicy,olcDatabase={1}mdb".attrs = {
+ objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
+ olcOverlay = "ppolicy";
+ olcPPolicyHashCleartext = "TRUE";
+ };
+ # "olcOverlay=syncprov,olcDatabase={1}mdb".attrs = {
+ # objectClass = ["olcOverlayConfig" "olcSyncProvConfig"];
+ # olcOverlay = "syncprov";
+ # olcSpSessionLog = "100";
+ # };
+ "olcDatabase={2}monitor".attrs = {
+ olcDatabase = "{2}monitor";
+ objectClass = ["olcDatabaseConfig" "olcMonitorConfig"];
+ olcAccess = [
+ ''
+ {0}to *
+ by dn.exact="cn=netdata,ou=system,ou=users,dc=cloonar,dc=com" read
+ by * none
+ ''
+ ];
+ };
+
+ "olcDatabase={3}mdb".attrs = {
+ objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+ olcDatabase = "{3}mdb";
+ olcDbDirectory = "/var/lib/openldap/data";
+
+ olcSuffix = "dc=ghetto,dc=at";
+
+ olcAccess = [
+ ''
+ {0}to attrs=userPassword
+ by self write
+ by anonymous auth
+ by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+ by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * none
+ ''
+ ''
+ {1}to *
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * read
+ ''
+ ];
+ };
+ "olcOverlay=memberof,olcDatabase={3}mdb".attrs = {
+ objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
+ olcOverlay = "memberof";
+ olcMemberOfRefint = "TRUE";
+ };
+ "olcOverlay=ppolicy,olcDatabase={3}mdb".attrs = {
+ objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
+ olcOverlay = "ppolicy";
+ olcPPolicyHashCleartext = "TRUE";
+ };
+
+ "olcDatabase={4}mdb".attrs = {
+ objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+ olcDatabase = "{4}mdb";
+ olcDbDirectory = "/var/lib/openldap/data";
+
+ olcSuffix = "dc=superbros,dc=tv";
+
+ olcAccess = [
+ ''
+ {0}to attrs=userPassword
+ by self write
+ by anonymous auth
+ by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * none
+ ''
+ ''
+ {1}to *
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * read
+ ''
+ ];
+ };
+ "olcOverlay=memberof,olcDatabase={4}mdb".attrs = {
+ objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
+ olcOverlay = "memberof";
+ olcMemberOfRefint = "TRUE";
+ };
+ "olcOverlay=ppolicy,olcDatabase={4}mdb".attrs = {
+ objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
+ olcOverlay = "ppolicy";
+ olcPPolicyHashCleartext = "TRUE";
+ };
+
+
+ "olcDatabase={6}mdb".attrs = {
+ objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+ olcDatabase = "{6}mdb";
+ olcDbDirectory = "/var/lib/openldap/data";
+
+ olcSuffix = "dc=szaku-consulting,dc=at";
+
+ olcAccess = [
+ ''
+ {0}to attrs=userPassword
+ by self write
+ by anonymous auth
+ by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * none
+ ''
+ ''
+ {1}to *
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * read
+ ''
+ ];
+ };
+ # "olcOverlay=memberof,olcDatabase={6}mdb".attrs = {
+ # objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
+ # olcOverlay = "memberof";
+ # olcMemberOfRefint = "TRUE";
+ # };
+ # "olcOverlay=ppolicy,olcDatabase={6}mdb".attrs = {
+ # objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
+ # olcOverlay = "ppolicy";
+ # olcPPolicyHashCleartext = "TRUE";
+ # };
+
+ "olcDatabase={7}mdb".attrs = {
+ objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+ olcDatabase = "{7}mdb";
+ olcDbDirectory = "/var/lib/openldap/data";
+
+ olcSuffix = "dc=myhidden,dc=life";
+
+ olcAccess = [
+ ''
+ {0}to attrs=userPassword
+ by self write
+ by anonymous auth
+ by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+ by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * none
+ ''
+ ''
+ {1}to *
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * read
+ ''
+ ];
+ };
+ # "olcOverlay=memberof,olcDatabase={7}mdb".attrs = {
+ # objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
+ # olcOverlay = "memberof";
+ # olcMemberOfRefint = "TRUE";
+ # };
+ # "olcOverlay=ppolicy,olcDatabase={7}mdb".attrs = {
+ # objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
+ # olcOverlay = "ppolicy";
+ # olcPPolicyHashCleartext = "TRUE";
+ # };
+
+ "olcDatabase={8}mdb".attrs = {
+ objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+ olcDatabase = "{8}mdb";
+ olcDbDirectory = "/var/lib/openldap/data";
+
+ olcSuffix = "dc=korean-skin,dc=care";
+
+ olcAccess = [
+ ''
+ {0}to attrs=userPassword
+ by self write
+ by anonymous auth
+ by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+ by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * none
+ ''
+ ''
+ {1}to *
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * read
+ ''
+ ];
+ };
+
+ # "cn=module{0},cn=config" = {
+ # attrs = {
+ # objectClass = "olcModuleList";
+ # cn = "module{0}";
+ # olcModuleLoad = "ppolicy.la";
+ # };
+ # };
+
+ "cn={3}cloonar,cn=schema" = {
+ attrs = {
+ cn = "{1}cloonar";
+ objectClass = "olcSchemaConfig";
+ olcObjectClasses = [
+ ''
+ (1.3.6.1.4.1.28298.1.2.4 NAME 'cloonarUser'
+ SUP (mailAccount) AUXILIARY
+ DESC 'Cloonar Account'
+ MAY (sshPublicKey $ ownCloudQuota $ quota))
+ ''
+ ];
+ };
+ };
+ "cn={2}postfix,cn=schema".attrs = {
+ cn = "{2}postfix";
+ objectClass = "olcSchemaConfig";
+ olcAttributeTypes = [
+ ''
+ (1.3.6.1.4.1.12461.1.1.1 NAME 'postfixTransport'
+ DESC 'A string directing postfix which transport to use'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE)''
+ ''
+ (1.3.6.1.4.1.12461.1.1.5 NAME 'mailbox'
+ DESC 'The absolute path to the mailbox for a mail account in a non-default location'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
+ ''
+ ''
+ (1.3.6.1.4.1.12461.1.1.6 NAME 'quota'
+ DESC 'A string that represents the quota on a mailbox'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
+ ''
+ ''
+ (1.3.6.1.4.1.12461.1.1.8 NAME 'maildrop'
+ DESC 'RFC822 Mailbox - mail alias'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256})
+ ''
+ ];
+ olcObjectClasses = [
+ ''
+ (1.3.6.1.4.1.12461.1.2.1 NAME 'mailAccount'
+ SUP top AUXILIARY
+ DESC 'Mail account objects'
+ MUST ( mail $ userPassword )
+ MAY ( cn $ description $ quota))
+ ''
+ ''
+ (1.3.6.1.4.1.12461.1.2.2 NAME 'mailAlias'
+ SUP top STRUCTURAL
+ DESC 'Mail aliasing/forwarding entry'
+ MUST ( mail $ maildrop )
+ MAY ( cn $ description ))
+ ''
+ ''
+ (1.3.6.1.4.1.12461.1.2.3 NAME 'mailDomain'
+ SUP domain STRUCTURAL
+ DESC 'Virtual Domain entry to be used with postfix transport maps'
+ MUST ( dc )
+ MAY ( postfixTransport $ description ))
+ ''
+ ''
+ (1.3.6.1.4.1.12461.1.2.4 NAME 'mailPostmaster'
+ SUP top AUXILIARY
+ DESC 'Added to a mailAlias to create a postmaster entry'
+ MUST roleOccupant)
+ ''
+ ];
+ };
+ "cn={1}openssh,cn=schema".attrs = {
+ cn = "{1}openssh";
+ objectClass = "olcSchemaConfig";
+ olcAttributeTypes = [
+ ''
+ (1.3.6.1.4.1.24552.500.1.1.1.13
+ NAME 'sshPublicKey'
+ DESC 'MANDATORY: OpenSSH Public key'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+ ''
+ ];
+ olcObjectClasses = [
+ ''
+ (1.3.6.1.4.1.24552.500.1.1.2.0
+ NAME 'ldapPublicKey'
+ SUP top AUXILIARY
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid ))
+ ''
+ ];
+ };
+ "cn={1}nextcloud,cn=schema".attrs = {
+ cn = "{1}nextcloud";
+ objectClass = "olcSchemaConfig";
+ olcAttributeTypes = [
+ ''
+ (1.3.6.1.4.1.39430.1.1.1
+ NAME 'ownCloudQuota'
+ DESC 'User Quota (e.g. 15 GB)'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')
+ ''
+ ];
+ olcObjectClasses = [
+ ''
+ (1.3.6.1.4.1.39430.1.2.1
+ NAME 'ownCloud'
+ DESC 'ownCloud LDAP Schema'
+ AUXILIARY
+ MUST ( mail $ userPassword )
+ MAY ( ownCloudQuota ))
+ ''
+ ];
+ };
+ "cn={1}gogs,cn=schema".attrs = {
+ cn = "{1}gogs";
+ objectClass = "olcSchemaConfig";
+ olcObjectClasses = [
+ ''
+ ( 1.3.6.1.4.1.28293.1.2.4 NAME 'gitlab'
+ SUP uidObject AUXILIARY
+ DESC 'Added to an account to allow gitlab access'
+ MUST (mail))
+ ''
+ ];
+ };
+ "cn={1}homeAssistant,cn=schema".attrs = {
+ cn = "{1}homeAssistant";
+ objectClass = "olcSchemaConfig";
+ olcObjectClasses = [
+ ''
+ (1.3.6.1.4.1.28297.1.2.4 NAME 'homeAssistant'
+ SUP uidObject AUXILIARY
+ DESC 'Added to an account to allow home-assistant access'
+ MUST (mail) )
+ ''
+ ];
+ };
+ # "cn={1}ttrss,cn=schema".attrs = {
+ # cn = "{1}ttrss";
+ # objectClass = "olcSchemaConfig";
+ # olcObjectClasses = [
+ # ''
+ # ( 1.3.6.1.4.1.28294.1.2.4 NAME 'ttrss'
+ # SUP top AUXILIARY
+ # DESC 'Added to an account to allow tinytinyrss access'
+ # MUST ( mail $ userPassword ))
+ # ''
+ # ];
+ # };
+ # "cn={1}prometheus,cn=schema".attrs = {
+ # cn = "{1}prometheus";
+ # objectClass = "olcSchemaConfig";
+ # olcObjectClasses = [
+ # ''
+ # ( 1.3.6.1.4.1.28296.1.2.4
+ # NAME 'prometheus'
+ # SUP uidObject AUXILIARY
+ # DESC 'Added to an account to allow prometheus access'
+ # MUST (mail))
+ # ''
+ # ];
+ # };
+ # "cn={1}loki,cn=schema".attrs = {
+ # cn = "{1}loki";
+ # objectClass = "olcSchemaConfig";
+ # olcObjectClasses = [
+ # ''
+ # ( 1.3.6.1.4.1.28299.1.2.4
+ # NAME 'loki'
+ # SUP uidObject AUXILIARY
+ # DESC 'Added to an account to allow loki access'
+ # MUST (mail))
+ # ''
+ # ];
+ # };
+ # "cn={1}flood,cn=schema".attrs = {
+ # cn = "{1}flood";
+ # objectClass = "olcSchemaConfig";
+ # olcObjectClasses = [
+ # ''
+ # (1.3.6.1.4.1.28300.1.2.4 NAME 'flood'
+ # SUP uidObject AUXILIARY
+ # DESC 'Added to an account to allow flood access'
+ # MUST (mail))
+ # ''
+ # ];
+ # };
+ };
+ };
+
+ /* ensure openldap is launched after certificates are created */
+ systemd.services.openldap = {
+ wants = [ "acme-${domain}.service" ];
+ after = [ "acme-${domain}.service" ];
+ };
+
+ users.groups.acme.members = [ "openldap" ];
+
+ /* trigger the actual certificate generation for your hostname */
+ security.acme.certs."ldap.${domain}" = {
+ extraDomainNames = [
+ "ldap-test.${domain}"
+ "ldap-02.${domain}"
+ ];
+ postRun = "systemctl restart openldap.service";
+ };
+
+ sops.secrets.openldap-rootpw.owner = "openldap";
+
+ networking.firewall.allowedTCPPorts = [ 389 636 ];
+}
diff --git a/hosts/mail.social-grow.tech/modules/postfix.nix b/hosts/mail.social-grow.tech/modules/postfix.nix
new file mode 100644
index 0000000..9226b99
--- /dev/null
+++ b/hosts/mail.social-grow.tech/modules/postfix.nix
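Review bot: `olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL"` explicitly re-adds RC4, 3DES and anonymous (`aNULL`) suites, so a client that satisfies `olcSecurity = "tls=1"` can still land on a connection with no server authentication, and `olcTLSProtocolMin = "3.1"` still admits TLS 1.0; I would set `olcTLSCipherSuite = "HIGH:!aNULL:!eNULL:!RC4:!3DES";` and `olcTLSProtocolMin = "3.3";`. All six MDB backends (`{1}`, `{3}`, `{4}`, `{6}`, `{7}`, `{8}`) share `olcDbDirectory = "/var/lib/openldap/data"`, and an mdb backend needs its own directory, so I would expect slapd either to refuse to start or to let the suffixes clobber each other's LMDB environment — give each suffix its own subdirectory. `systemd.services.openldap` waits on `acme-${domain}.service` (`acme-cloonar.com.service`) while the certificate requested here is `ldap.${domain}`, whose unit would be `acme-ldap.${domain}.service`, the pattern `dovecot.nix` uses for `imap`. `olcLogLevel = "-1"` enables every debug category and writes request contents into the journal at high volume; `stats` is the usual production value. The schema keyed `"cn={3}cloonar,cn=schema"` sets `cn = "{1}cloonar"` while four other custom schemas also claim index `{1}`; the indices should be unique and match their keys.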
@@ -0,0 +1,246 @@
+{ pkgs
+, lib
+, config
+, ...
+}:
+let
+ domain = config.networking.domain;
+ ldapServer = "ldap.cloonar.com";
+ # domain = "cloonar.com";
+
+ domains = pkgs.writeText "domains.cf" ''
+ server_host = ldap://${ldapServer}
+ search_base = ou=domains,dc=cloonar,dc=com
+ version = 3
+ bind = yes
+ start_tls = yes
+ bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
+ bind_pw = @ldap-password@
+ scope = one
+ query_filter = (&(dc=%s)(objectClass=mailDomain))
+ result_attribute = postfixTransport
+ debuglevel = 0
+ '';
+
+ mailboxes = pkgs.writeText "mailboxes.cf" ''
+ server_host = ldap://${ldapServer}
+ search_base = ou=users,dc=%2,dc=%1
+ version = 3
+ bind = yes
+ start_tls = yes
+ bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
+ bind_pw = @ldap-password@
+ scope = sub
+ query_filter = (&(uid=%u)(objectClass=mailAccount))
+ result_attribute = mail
+ debuglevel = 0
+ '';
+
+ senderLoginMaps = pkgs.writeText "sender_login_maps.cf" ''
+ server_host = ldap://${ldapServer}
+ search_base = dc=%2,dc=%1
+ version = 3
+ bind = yes
+ start_tls = yes
+ bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
+ bind_pw = @ldap-password@
+ scope = sub
+ query_filter = (|(&(objectClass=mailAccount)(uid=%u))(&(objectClass=mailAlias)(mail=%s)))
+ result_attribute = maildrop, mail
+ debuglevel = 0
+ '';
+
+ accountsmap = pkgs.writeText "accountsmap.cf" ''
+ server_host = ldap://${ldapServer}
+ search_base = ou=users,dc=%2,dc=%1
+ version = 3
+ bind = yes
+ start_tls = yes
+ bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
+ bind_pw = @ldap-password@
+ scope = sub
+ query_filter = (&(objectClass=mailAccount)(uid=%u))
+ result_attribute = mail
+ debuglevel = 0
+ '';
+
+ aliases = pkgs.writeText "aliases.cf" ''
+ server_host = ldap://${ldapServer}
+ search_base = ou=aliases,dc=%2,dc=%1
+ version = 3
+ bind = yes
+ start_tls = yes
+ bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
+ bind_pw = @ldap-password@
+ scope = one
+ query_filter = (&(objectClass=mailAlias)(mail=%s))
+ result_attribute = maildrop
+ debuglevel = 0
+ '';
+
+ helo_access = pkgs.writeText "helo_access" ''
+ /^([0-9\.]+)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
+ cloonar.com REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
+ ghetto.at REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
+ '';
+in
+{
+ services.postfix = {
+ enable = true;
+ enableSubmission = true;
+ hostname = "mail.${domain}";
+ domain = "cloonar.com";
+
+ masterConfig."465" = {
+ type = "inet";
+ private = false;
+ command = "smtpd";
+ args = [
+ "-o smtpd_client_restrictions=permit_sasl_authenticated,reject"
+ "-o syslog_name=postfix/smtps"
+ "-o smtpd_tls_wrappermode=yes"
+ "-o smtpd_sasl_auth_enable=yes"
+ "-o smtpd_tls_security_level=none"
+ "-o smtpd_reject_unlisted_recipient=no"
+ "-o smtpd_recipient_restrictions="
+ "-o smtpd_relay_restrictions=permit_sasl_authenticated,reject"
+ "-o milter_macro_daemon_name=ORIGINATING"
+ ];
+ };
+
+ mapFiles."helo_access" = helo_access;
+
+ config = {
+ # debug_peer_list = "10.42.96.190";
+ # smtp_bind_address = config.networking.eve.ipv4.address;
+ # smtp_bind_address6 = "2a01:4f9:2b:1605::1";
+ mailbox_transport = "lmtp:unix:private/dovecot-lmtp";
+ virtual_mailbox_domains = "ldap:/run/postfix/domains.cf";
+ virtual_mailbox_maps = "ldap:/run/postfix/mailboxes.cf";
+ virtual_alias_maps = "ldap:/run/postfix/accountsmap.cf,ldap:/run/postfix/aliases.cf";
+ virtual_transport = "lmtp:unix:private/dovecot-lmtp";
+ smtpd_sender_login_maps = "ldap:/run/postfix/sender_login_maps.cf";
+
+ # Do not display the name of the recipient table in the "User unknown" responses.
+ # The extra detail makes trouble shooting easier but also reveals information
+ # that is nobody elses business.
+ show_user_unknown_table_name = "no";
+ compatibility_level = "2";
+
+ # bigger attachement size
+ mailbox_size_limit = "202400000";
+ message_size_limit = "51200000";
+ smtpd_helo_required = "yes";
+ smtpd_delay_reject = "yes";
+ strict_rfc821_envelopes = "yes";
+
+ # send Limit
+ smtpd_error_sleep_time = "1s";
+ smtpd_soft_error_limit = "10";
+ smtpd_hard_error_limit = "20";
+
+ smtpd_use_tls = "yes";
+ smtp_tls_note_starttls_offer = "yes";
+ smtpd_tls_security_level = "may";
+ smtpd_tls_auth_only = "yes";
+
+ smtp_dns_support_level = "dnssec";
+ smtp_tls_security_level = "dane";
+
+ smtpd_tls_cert_file = "/var/lib/acme/mail.cloonar.com/full.pem";
+ smtpd_tls_key_file = "/var/lib/acme/mail.cloonar.com/key.pem";
+ smtpd_tls_CAfile = "/var/lib/acme/mail.cloonar.com/fullchain.pem";
+
+ smtpd_tls_dh512_param_file = config.security.dhparams.params.postfix512.path;
+ smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix2048.path;
+
+ smtpd_tls_session_cache_database = ''btree:''${data_directory}/smtpd_scache'';
+ smtpd_tls_mandatory_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1";
+ smtpd_tls_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1";
+ smtpd_tls_mandatory_ciphers = "medium";
+ tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
+
+ # authentication
+ smtpd_sasl_auth_enable = "yes";
+ smtpd_sasl_local_domain = "$mydomain";
+ smtpd_sasl_security_options = "noanonymous";
+ smtpd_sasl_tls_security_options = "$smtpd_sasl_security_options";
+ smtpd_sasl_type = "dovecot";
+ smtpd_sasl_path = "/var/lib/postfix/queue/private/auth";
+ smtpd_relay_restrictions = "
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ defer_unauth_destination";
+ smtpd_client_restrictions = "
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_invalid_hostname,
+ reject_unknown_client,
+ permit";
+ smtpd_helo_restrictions = "
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_pipelining,
+ reject_non_fqdn_hostname,
+ reject_invalid_hostname,
+ warn_if_reject reject_unknown_hostname,
+ permit";
+ smtpd_recipient_restrictions = "
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_non_fqdn_sender,
+ reject_non_fqdn_recipient,
+ reject_non_fqdn_hostname,
+ reject_invalid_hostname,
+ reject_unknown_sender_domain,
+ reject_unknown_recipient_domain,
+ reject_unknown_client_hostname,
+ reject_unauth_pipelining,
+ reject_unknown_client,
+ permit";
+ smtpd_sender_restrictions = "
+ reject_non_fqdn_sender,
+ reject_unlisted_sender,
+ reject_authenticated_sender_login_mismatch,
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unknown_sender_domain,
+ reject_unknown_client_hostname,
+ reject_unknown_address";
+
+ smtpd_etrn_restrictions = "permit_mynetworks, reject";
+ smtpd_data_restrictions = "reject_unauth_pipelining, reject_multi_recipient_bounce, permit";
+ };
+ };
+
+ systemd.tmpfiles.rules = [ "d /run/postfix 0750 postfix postfix -" ];
+
+ systemd.services.postfix.preStart = ''
+ sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${domains} > /run/postfix/domains.cf
+ sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${mailboxes} > /run/postfix/mailboxes.cf
+ sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${accountsmap} > /run/postfix/accountsmap.cf
+ sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${aliases} > /run/postfix/aliases.cf
+ sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${senderLoginMaps} > /run/postfix/sender_login_maps.cf
+ '';
+
+ security.dhparams = {
+ enable = true;
+ params.postfix512.bits = 512;
+ params.postfix2048.bits = 1024;
+ };
+
+ security.acme.certs."mail.${domain}" = {
+ extraDomainNames = [
+ "mail-test.${domain}"
+ "mail-02.${domain}"
+ ];
+ postRun = "systemctl restart postfix.service";
+ group = "postfix";
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 25 # smtp
+ 465 # smtps
+ 587 # submission
+ ];
+}
diff --git a/hosts/mail.social-grow.tech/modules/rspamd.nix b/hosts/mail.social-grow.tech/modules/rspamd.nix
new file mode 100644
index 0000000..abab1e2
--- /dev/null
+++ b/hosts/mail.social-grow.tech/modules/rspamd.nix
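Review bot: `mapFiles."helo_access" = helo_access` builds the map, but `smtpd_helo_restrictions` never references it, so the rules rejecting bare-IP HELOs and hosts claiming to be `cloonar.com`/`ghetto.at` are dead configuration; add `check_helo_access hash:/etc/postfix/helo_access,` to that list after `permit_sasl_authenticated,` (so authenticated submission clients are not caught by it), and note that the first entry is a regexp with a `${1}` back-reference, which a `hash:` map will never match — it needs its own `pcre:`/`regexp:` table. `security.dhparams.params.postfix2048.bits = 1024` contradicts its own name and is what `smtpd_tls_dh1024_param_file` serves for DHE key exchange; 1024-bit DH is below what current peers accept, so set it to `2048` (the `postfix512` parameter only feeds export ciphers, which the protocol and cipher settings already exclude, and can be dropped). `smtpd_sasl_path = "/var/lib/postfix/queue/private/auth"` assumes Dovecot exposes its auth socket there; the matching `service auth` listener is not visible in the `dovecot.nix` hunk (that part looks truncated), so it is worth confirming. The five `sed` lines in `systemd.services.postfix.preStart` share the umask and delimiter issue noted on `dovecot.nix`.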
@@ -0,0 +1,131 @@ +{ pkgs +, config +, ... +}: +let + domain = config.networking.domain; + + localConfig = pkgs.writeText "local.conf" '' + logging { + level = "notice"; + } + classifier "bayes" { + autolearn = true; + } + dkim_signing { + path = "/var/lib/rspamd/dkim/$domain.$selector.key"; + selector = "default"; + allow_username_mismatch = true; + } + arc { + path = "/var/lib/rspamd/dkim/$domain.$selector.key"; + selector = "default"; + allow_username_mismatch = true; + } + milter_headers { + use = ["authentication-results", "x-spam-status"]; + authenticated_headers = ["authentication-results"]; + } + replies { + action = "no action"; + } + url_reputation { + enabled = true; + } + phishing { + openphish_enabled = true; + # too much memory + #phishtank_enabled = true; + } + neural { + enabled = true; + } + neural_group { + symbols = { + "NEURAL_SPAM" { + weight = 3.0; # sample weight + description = "Neural network spam"; + } + "NEURAL_HAM" { + weight = -3.0; # sample weight + description = "Neural network ham"; + } + } + } + ''; + + sieve-spam-filter = pkgs.callPackage ../pkgs/sieve-spam-filter { }; +in +{ + services.rspamd = { + enable = true; + extraConfig = '' + .include(priority=1,duplicate=merge) "${localConfig}" + ''; + + postfix.enable = true; + workers.controller = { + extraConfig = '' + count = 1; + static_dir = "''${WWWDIR}"; + password = "$2$7rb4gnnw8qbcy3x3m7au8c4mezecfjim$da4ahtt3gnjtbj7ni6bt1q8jwgqtzxp5ck6941m6prjxsz3udfgb"; + enable_password = "$2$xo1qdd1zgozwto8yazr1o35zbarbzcgp$u8mx6hcsb1qdscejb4zadcb3iucmm4mw6btgmim9h6e5d8cpy5ib"; + ''; + }; + }; + + services.dovecot2 = { + mailboxes.Spam = { + auto = "subscribe"; + specialUse = "Junk"; + }; + extraConfig = '' + protocol imap { + mail_plugins = $mail_plugins imap_sieve + } + + plugin { + sieve_plugins = sieve_imapsieve sieve_extprograms + + # From elsewhere to Spam folder + imapsieve_mailbox1_name = Spam + imapsieve_mailbox1_causes = COPY + imapsieve_mailbox1_before = 
file:/var/lib/dovecot/sieve/report-spam.sieve + + # From Spam folder to elsewhere + imapsieve_mailbox2_name = * + imapsieve_mailbox2_from = Spam + imapsieve_mailbox2_causes = COPY + imapsieve_mailbox2_before = file:/var/lib/dovecot/sieve/report-ham.sieve + + # Move Spam emails to Spam folder + sieve_before = /var/lib/dovecot/sieve/move-to-spam.sieve + + sieve_pipe_bin_dir = ${sieve-spam-filter}/bin + sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment + } + ''; + }; + + services.nginx.enable = true; + services.nginx.virtualHosts."rspamd.${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + locations."/".extraConfig = '' + proxy_pass http://localhost:11334; + ''; + }; + + # systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "redis-rspamd" ]; + + systemd.services.dovecot2.preStart = '' + mkdir -p /var/lib/dovecot/sieve/ + for i in ${sieve-spam-filter}/share/sieve-rspamd-filter/*.sieve; do + dest="/var/lib/dovecot/sieve/$(basename $i)" + cp "$i" "$dest" + ${pkgs.dovecot_pigeonhole}/bin/sievec "$dest" + done + chown -R "${config.services.dovecot2.mailUser}:${config.services.dovecot2.mailGroup}" /var/lib/dovecot/sieve + ''; +} diff --git a/hosts/mail.social-grow.tech/pkgs/sieve-spam-filter/default.nix b/hosts/mail.social-grow.tech/pkgs/sieve-spam-filter/default.nix new file mode 100644 index 0000000..651fc63 --- /dev/null +++ b/hosts/mail.social-grow.tech/pkgs/sieve-spam-filter/default.nix 
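Review bot: The `rspamd.${domain}` vhost proxies straight to `localhost:11334` without forwarding the client address, so every visitor reaches the controller as 127.0.0.1; if the included `worker-controller.inc` still lists 127.0.0.1/::1 under `secure_ip` (rspamd's shipped default, not overridden in the `workers.controller.extraConfig` here), remote users get enable-level access to the web UI with no password at all, making the `password`/`enable_password` hashes moot. Add `proxy_set_header X-Forwarded-For $remote_addr;` next to the `proxy_pass`, or restrict the location with `allow`/`deny` or basic auth rather than exposing the controller to the internet on the strength of one shared password. Also note that `dkim_signing` and `arc` set `allow_username_mismatch = true`, so any authenticated user can get mail signed for the domain; that is only acceptable because the Postfix side enforces `reject_authenticated_sender_login_mismatch`, which is worth stating in a comment on those two blocks.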
@@ -0,0 +1,28 @@
+{ stdenv
+, makeWrapper
+, rspamd
+,
+}:
+stdenv.mkDerivation {
+ name = "sieve-rspamd-filter";
+ nativeBuildInputs = [ makeWrapper ];
+ src = ./src;
+
+ installPhase = ''
+ for sieve in $src/*.sieve; do
+ install -D "$sieve" "$out/share/sieve-rspamd-filter/$(basename $sieve)"
+ done
+
+ mkdir $out/bin
+ cat > $out/bin/learn-spam.sh <<'EOF'
+ #!/bin/sh
+ exec ${rspamd}/bin/rspamc -h /run/rspamd.sock learn_spam
+ EOF
+ cat > $out/bin/learn-ham.sh <<'EOF'
+ #!/bin/sh
+ exec ${rspamd}/bin/rspamc -h /run/rspamd.sock learn_ham
+ EOF
+ chmod +x $out/bin/*.sh
+ '';
+}
+
diff --git a/hosts/mail.social-grow.tech/pkgs/sieve-spam-filter/src/move-to-spam.sieve b/hosts/mail.social-grow.tech/pkgs/sieve-spam-filter/src/move-to-spam.sieve
new file mode 100644
index 0000000..4643ffc
--- /dev/null
+++ b/hosts/mail.social-grow.tech/pkgs/sieve-spam-filter/src/move-to-spam.sieve
@@ -0,0 +1,5 @@
+require ["fileinto"];
+
+if header :is "X-Spam" "Yes" {
+ fileinto "Spam";
+}
diff --git a/hosts/mail.social-grow.tech/pkgs/sieve-spam-filter/src/report-ham.sieve b/hosts/mail.social-grow.tech/pkgs/sieve-spam-filter/src/report-ham.sieve
new file mode 100644
index 0000000..6217a90
--- /dev/null
+++ b/hosts/mail.social-grow.tech/pkgs/sieve-spam-filter/src/report-ham.sieve
@@ -0,0 +1,15 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
+
+if environment :matches "imap.mailbox" "*" {
+ set "mailbox" "${1}";
+}
+
+if string "${mailbox}" "Trash" {
+ stop;
+}
+
+if environment :matches "imap.user" "*" {
+ set "username" "${1}";
+}
+
+pipe :copy "learn-ham.sh" [ "${username}" ];
diff --git a/hosts/mail.social-grow.tech/pkgs/sieve-spam-filter/src/report-spam.sieve b/hosts/mail.social-grow.tech/pkgs/sieve-spam-filter/src/report-spam.sieve
new file mode 100644
index 0000000..9d4c74b
--- /dev/null
+++ b/hosts/mail.social-grow.tech/pkgs/sieve-spam-filter/src/report-spam.sieve
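Review bot: `learn-spam.sh` and `learn-ham.sh` ignore the username that the sieve scripts hand them as `$1`, so every report trains one shared Bayes database; either drop the argument in the sieve scripts or forward it with `exec ${rspamd}/bin/rspamc -h /run/rspamd.sock -d "$1" learn_spam` so per-user statistics become possible later. `learn_spam`/`learn_ham` are controller commands, and nothing in this change creates `/run/rspamd.sock` — the controller in rspamd.nix is left on its default TCP listener behind nginx — so confirm that path is really the controller's socket and not a stale normal-worker path, otherwise the pipe fails silently (`:copy` keeps the message regardless). `makeWrapper` is listed in `nativeBuildInputs` but never used and can be dropped.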
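Review bot: `header :is "X-Spam" "Yes"` tests a header that the `milter_headers` block in rspamd.nix does not appear to emit: its `use` list contains `x-spam-status` (which, per rspamd's routine names, writes `X-Spam-Status: Yes, score=…`) and `authentication-results`, but not the `x-spam-header` routine that produces `X-Spam: Yes`, so as configured this script never files anything into Spam. Either add `"x-spam-header"` to `milter_headers.use` or match the header that is emitted, `if header :matches "X-Spam-Status" "Yes*" {`. Sending one GTUBE test message after deployment would confirm the filing path end to end.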
@@ -0,0 +1,7 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
+
+if environment :matches "imap.user" "*" {
+ set "username" "${1}";
+}
+
+pipe :copy "learn-spam.sh" [ "${username}" ];
diff --git a/hosts/mail.social-grow.tech/secrets.yaml b/hosts/mail.social-grow.tech/secrets.yaml
new file mode 100644
index 0000000..a68e84c
--- /dev/null
+++ b/hosts/mail.social-grow.tech/secrets.yaml
@@ -0,0 +1,52 @@ +borg-passphrase: ENC[AES256_GCM,data:D6+ZedxUQ7m/m0YkM5m/B4kFsNySJjFyh8Gmhn3Mpe+mqEzzMRjAbwmGzx9i9Lnr1dTjRElUOgevnnvW5J2KRA==,iv:cG4w1KsEm1SOTni9bsbSW1+ypzjjs2Q42I+4xvcCAu0=,tag:WkkNVa27Uy5nFpmXaIH6ww==,type:str] +borg-ssh-key: ENC[AES256_GCM,data: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,iv:yA1CkRMapP1S3zMwu6Tj0/0/HHpwD1yRAm/qrZx/kPs=,tag:SYg2IoXeD9fMYb35J/AJ1Q==,type:str] +netdata-claim-token: ENC[AES256_GCM,data:ECx8zLnU/dj08vfA76oVbVzL3JG9MLBoFmxSjtjiFbSiFtdaHtG/8u5FEuyQ1bQMQntV91xj7x1kY8fAp7VNbWyC13pOEOrt6rvJYch14eM3bqNvfGeqgJsHmAaRbY6mBrxJBkiRJBLYVil4e1oDNZVnzFQ4ditXZbMGtAV2063K1MRI/48p,iv:viE84mOp5KSdj8vdK5XxR0W9A54oPxQO5ahnpPLeAdE=,tag:WjzKjGXRRAc7vlzreFHbng==,type:str] +openldap-rootpw: ENC[AES256_GCM,data:W0em1Dffg+IUoynwwPD4NjFksR38ZO4mhWFI83ALvYcwYIplxw/gDRLGCqbSt6TR5C65CKr1sOUiU+4Xq3UWmw==,iv:BHQhISTIYuwSM3KiSb0mEEo3BMNo6FXEDXoIvI3SZrU=,tag:tX8gfnk1JYnaNionk/jrLg==,type:str] +dovecot-ldap-password: ENC[AES256_GCM,data:JYAt8/WggwclNEPO9CaWfQsvQBA8DDJCU2km93HpowoVwIdvQ/0lQHeXndPYe1EmJGJ3vLErie+Zn2kDINIMqQ==,iv:HR0QJ0GgQks3NzhfXwjHupCKcPOekkiTcp5Jxbz7CxI=,tag:19m7F6TjGUPOuHQJuUq2pw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPRWdBcmEvQkQrOXZ0SDJW + eFpFSlBxbjlUbFlDVEZzS3dLSXN6MnBFT3lnCkZ1RGhoQjhtcGxEY1E1QlBvNUl0 + RWxnbzNldHBHUjhiZldYQm9iYWppcncKLS0tIG12WFdYSVdDYVZUaEFzUFhJS3A2 + Q0I2b2h4aFlkNkV1a1BFamhyd0ZBWTgKZwxpdydc1lgs3u9gkh2Krs8PGfcKwJTv + n7BV0FNa242wOT4Tu28O9SN7VR1zZR52iOgV7gWsCnhkNDk9kwiLHA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoSHFtMUczc0tXaDZoQllM + eHFpYTFmcnpyYitwT1U2eGNuQm5MQms3YUdJCmpVS2hOVjFmUlVUZy9MZTZxQVlq + 
SU8xcmd2a0tvWlBMc2M1Wm5XV3ZQZTAKLS0tIG9qa2pQbDFIbFArejM1d1VRRVFY + VjJwdC8yQ1hweEllcGhYclNwTWFyZ1UKDKv14nnVx3FeL87FYFqZMU+niHBOvxHz + 3L3hBMEgpR/uMSuPmF4/NLVJTsktOonW9NKOzm37KsY2HNRXbuHoQg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjY2JOWTA0a3pGL0dYc2t4 + aE8vTUNMNDVML2ZOSW9xeHlFRDQ5K1BLR3l3ClN4a25QZTEzaFk5bnVUYkk2dnRr + SWxNTklrZGM4enJ0WXBKaEJ6UDZUMzAKLS0tIDJudGtSVTVTV3ZrWWh6VnZFdEs3 + UFVlWE9wd3hRS0d3VEg5di9kNHBIeUEKov+NZ0pt4BUd5xXX9cTFSJF355Kg0ios + Va/kbzgG2SMvxMorNFDp+yJgGXM9rOycMJ1ajemKBM3r2QMcsIiMWA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJVVRBY1RVdmdkTGxkT3N0 + YjJUdXU5blY3T1R2NFQwQ2MvUitTRjZOUGpjCkNMTUJOaCtGR0s4SGxENXRRd1lQ + cE9RbFUvL1RVZnZ1a3RlZ0YxbmFtOGsKLS0tIE8vMmE1YkZCM210SXEzRFZJeWZL + eC80bWxndE85RlZGRUFTcDdaZ2J1VE0KZ0FERlT1kdUE+WxSi57YowqDQtA9BoV1 + MZoPePwGkRr27MHnPYIhoniUXC7mhQ4rqvcbFy6i1n4r1CqkRFBM3g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-08T11:20:50Z" + mac: ENC[AES256_GCM,data:GPUwpSAz6fj7mRxX1ebEb2sLAMLkQLuKPXk+B3+zZmA6+D7gAKrrBGUWHqYA9DMMY0r32OZSccGRmeKqdA7sWmzdIJTcBu8EyER1nJqVFJiXcOOdTkCLdOM4xW969YE0lBKpIAQ40E7YXYYwkI1JINneIBTuXkvIBmSQ3Bt2+ak=,iv:VEPNQxDLzxyTxkn8dI6xNDe9ESk2RojSNYYEwT+Ggas=,tag:cfUEKU3arSJl+lEOa+4iRA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/hosts/mail.social-grow.tech/utils b/hosts/mail.social-grow.tech/utils new file mode 120000 index 0000000..6b18391 --- /dev/null +++ b/hosts/mail.social-grow.tech/utils @@ -0,0 +1 @@ +../../utils \ No newline at end of file diff --git a/hosts/nb-new.cloonar.com/configuration.nix b/hosts/nb-new.cloonar.com/configuration.nix index 5f5d117..2913050 100644 
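Review bot: Five unrelated secrets (borg passphrase and SSH key, the OpenLDAP root password, the Dovecot bind password, the Netdata claim token) share one file and therefore one recipient set, so each of the four age recipients — presumably at least one of them a host key that only needs the bind password — can decrypt the borg key and the LDAP root password as well. Splitting into per-consumer files (for instance `ldap.yaml` and `borg.yaml`) with narrower creation rules keeps a compromised host from reaching credentials it never uses. Please also verify this recipient list matches the repository's creation rule for this host and run `sops updatekeys hosts/mail.social-grow.tech/secrets.yaml` if additional recipients are expected.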
--- a/hosts/nb-new.cloonar.com/configuration.nix +++ b/hosts/nb-new.cloonar.com/configuration.nix @@ -70,6 +70,8 @@ in { CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; CPU_ENERGY_PERF_POLICY_ON_BAT = "power"; CPU_ENERGY_PERF_POLICY_ON_AC = "performance"; + START_CHARGE_THRESH_BAT0 = 60; + STOP_CHARGE_THRESH_BAT0 = 80; }; }; @@ -215,6 +217,7 @@ in { }; }; + nix = { settings.auto-optimise-store = true; settings.experimental-features = [ "nix-command" "flakes" ]; diff --git a/hosts/nb-new.cloonar.com/modules/sway/sway.conf b/hosts/nb-new.cloonar.com/modules/sway/sway.conf index b03bedd..e528dba 100644 --- a/hosts/nb-new.cloonar.com/modules/sway/sway.conf +++ b/hosts/nb-new.cloonar.com/modules/sway/sway.conf @@ -5,7 +5,7 @@ # i3 config file (v4) # font for window titles and bar -font pango:Source Sans Pro 15 +font pango:Source Sans Pro 10 # use win key set $mod Mod4 @@ -314,7 +314,7 @@ exec 'sleep 2; swaymsg workspace "$ws8"; swaymsg layout tabbed' exec mako --default-timeout=5000 # wallpaper -output eDP-1 scale 1 +output eDP-1 scale 1.5 scale_filter linear output eDP-1 bg #282a36 solid_color output eDP-1 bg ~/.wallpaper.png center output DP-4 bg #282a36 solid_color diff --git a/hosts/nb-new.cloonar.com/modules/sway/sway.nix b/hosts/nb-new.cloonar.com/modules/sway/sway.nix index c9101c7..c9498c6 100644 --- a/hosts/nb-new.cloonar.com/modules/sway/sway.nix +++ b/hosts/nb-new.cloonar.com/modules/sway/sway.nix @@ -81,9 +81,7 @@ in { quickemu brave - chromium firefox - vivaldi # unstable.cura freecad @@ -106,10 +104,13 @@ in { variants = ["qt5"]; }) + kdePackages.neochat + dbus-sway-environment ddev dracula-theme foot + fractal gcc git glib @@ -125,6 +126,7 @@ in { libreoffice mako mqttui + moonlight-qt netflix networkmanagerapplet nextcloud-client diff --git a/hosts/nb-new.cloonar.com/modules/sway/waybar.css b/hosts/nb-new.cloonar.com/modules/sway/waybar.css index 420d839..cc812ab 100644 --- a/hosts/nb-new.cloonar.com/modules/sway/waybar.css 
+++ b/hosts/nb-new.cloonar.com/modules/sway/waybar.css @@ -1,5 +1,5 @@ * { - font-size: 24px; + font-size: 16px; font-family: monospace; } diff --git a/hosts/nb-new.cloonar.com/users/configs/project_history b/hosts/nb-new.cloonar.com/users/configs/project_history index 6c6ed3c..64d627f 100644 --- a/hosts/nb-new.cloonar.com/users/configs/project_history +++ b/hosts/nb-new.cloonar.com/users/configs/project_history @@ -1,3 +1,4 @@ +/home/dominik/projects/cloonar/renovate-config /home/dominik/projects/cloonar/bento /home/dominik/projects/cloonar/freescout /home/dominik/projects/cloonar/support-invoiced @@ -17,6 +18,7 @@ /home/dominik/projects/socialgrow.tech/sgt-api /home/dominik/projects/epicenter.works/ewcampaign /home/dominik/projects/epicenter.works/epicenter.works +/home/dominik/projects/epicenter.works/epicenter.works-website /home/dominik/projects/epicenter.works/epicenter-nixos /home/dominik/projects/epicenter.works/spenden.akvorrat.at /home/dominik/projects/epicenter.works/dearmep-website diff --git a/hosts/nb-new.cloonar.com/users/dominik.nix b/hosts/nb-new.cloonar.com/users/dominik.nix index 9161916..a5d8787 100644 --- a/hosts/nb-new.cloonar.com/users/dominik.nix +++ b/hosts/nb-new.cloonar.com/users/dominik.nix @@ -10,12 +10,11 @@ let "calendar.alarms.showmissed" = false; "mail.uidensity" = 2; "mail.inline_attachments" = false; - "mail.folder.views.version" = 1; - "calendar.list.sortOrder" = "cloonar-personal"; + "mail.folder.views.version" = 1; "calendar.list.sortOrder" = "cloonar-personal"; "calendar.ui.version" = 3; "calendar.timezone.local" = "Europe/Vienna"; "calendar.week.start" = 1; - "layout.css.devPixelsPerPx" = "1"; + # "layout.css.devPixelsPerPx" = "1"; }; thunderbirdCalendarPersonal = { @@ -139,6 +138,8 @@ let privacy-badger ublock-origin ]; + + persistHome = "/home/dominik"; in { programs.fuse.userAllowOther = true; 
@@ -192,6 +193,50 @@ in }; }; + systemd.user.services = { + signald = { + Unit = { + Description = "Signal-cli daemon"; + After = [ "graphical-session-pre.target" ]; + PartOf = [ "graphical-session.target" ]; + }; + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + Service = { + ExecStart = "${pkgs.signal-cli}/bin/signal-cli daemon"; + Restart = "always"; + }; + }; + }; + + programs.chromium = { + enable = true; + commandLineArgs = [ + "--enable-features=WebUIDarkMode" + "--force-dark-mode" + ]; + dictionaries = [ + pkgs.hunspellDictsChromium.en_US + pkgs.hunspellDictsChromium.de_DE + ]; + extensions = [ + { + # Ublock + id = "epcnnfbjfcgphgdmggkamkmgojdagdnn"; + } + { + # Privacy Badger + id = "pkehgijcmpdhfbdbbnkijodmdjhbjlgp"; + } + { + # Bitwarden + id = "nngceckbapebfimnlniiiahkandclblb"; + } + ]; + + }; + programs.git = { enable = true; @@ -368,14 +413,14 @@ in id = 0; isDefault = true; settings = firefoxSettings; - userChrome = firefoxUserChrome; + # userChrome = firefoxUserChrome; search = firefoxSearchSettings; extensions = firefoxExtensions; }; social = { id = 1; settings = firefoxSettings; - userChrome = firefoxUserChrome; + # userChrome = firefoxUserChrome; search = firefoxSearchSettings; containersForce = true; containers = { 
@@ -418,32 +463,34 @@ in set +eu ssh-keygen -R git.cloonar.com ssh-keyscan git.cloonar.com >> ~/.ssh/known_hosts - git clone git@github.com:dpolakovics/bento.git /nix/persist/user/dominik/cloonar/bento 2>/dev/null - git clone gitea@git.cloonar.com:Cloonar/freescout.git /nix/persist/user/dominik/projects/cloonar/freescout 2>/dev/null - git clone gitea@git.cloonar.com:Cloonar/support-invoiced.git /nix/persist/user/dominik/projects/cloonar/support-invoiced 2>/dev/null - git clone gitea@git.cloonar.com:Cloonar/nixos.git /nix/persist/user/dominik/projects/cloonar/cloonar-nixos 2>/dev/null - git clone gitea@git.cloonar.com:Cloonar/website.git /nix/persist/user/dominik/projects/cloonar/cloonar-website 2>/dev/null - git clone gitea@git.cloonar.com:Cloonar/wohnservice-wien-typo3.git /nix/persist/user/dominik/projects/cloonar/wohnservice-wien 2>/dev/null - git clone gitea@git.cloonar.com:Cloonar/gbv-aktuell.git /nix/persist/user/dominik/projects/cloonar/gbv-aktuell 2>/dev/null - git clone gitea@git.cloonar.com:Paraclub/api.git /nix/persist/user/dominik/projects/cloonar/paraclub/paraclub-api 2>/dev/null - git clone gitea@git.cloonar.com:Paraclub/frontend.git /nix/persist/user/dominik/projects/cloonar/paraclub/paraclub-frontend 2>/dev/null - git clone gitea@git.cloonar.com:Paraclub/website.git /nix/persist/user/dominik/projects/cloonar/paraclub/paraclub-website 2>/dev/null - git clone gitea@git.cloonar.com:Paraclub/module.git /nix/persist/user/dominik/projects/cloonar/paraclub/paraclub-module 2>/dev/null - git clone gitea@git.cloonar.com:Cloonar/amz-api.git /nix/persist/user/dominik/projects/cloonar/amz/amz-api 2>/dev/null - git clone gitea@git.cloonar.com:Cloonar/amz-frontend.git /nix/persist/user/dominik/projects/cloonar/amz/amz-frontend 2>/dev/null - git clone gitea@git.cloonar.com:hilgenberg/website.git /nix/persist/user/dominik/projects/cloonar/hilgenberg-website 2>/dev/null - git clone gitea@git.cloonar.com:Cloonar/korean-skin.care.git 
/nix/persist/user/dominik/projects/cloonar/korean-skin.care 2>/dev/null - git clone gitea@git.cloonar.com:myhidden.life/web.git /nix/persist/user/dominik/projects/myhidden.life/myhidden.life-web 2>/dev/null + git clone gitea@git.cloonar.com:renovate/renovate-config.git ${persistHome}/cloonar/renovate-config 2>/dev/null + git clone git@github.com:dpolakovics/bento.git ${persistHome}/cloonar/bento 2>/dev/null + git clone gitea@git.cloonar.com:Cloonar/freescout.git ${persistHome}/projects/cloonar/freescout 2>/dev/null + git clone gitea@git.cloonar.com:Cloonar/support-invoiced.git ${persistHome}/projects/cloonar/support-invoiced 2>/dev/null + git clone gitea@git.cloonar.com:Cloonar/nixos.git ${persistHome}/projects/cloonar/cloonar-nixos 2>/dev/null + git clone gitea@git.cloonar.com:Cloonar/website.git ${persistHome}/projects/cloonar/cloonar-website 2>/dev/null + git clone gitea@git.cloonar.com:Cloonar/wohnservice-wien-typo3.git ${persistHome}/projects/cloonar/wohnservice-wien 2>/dev/null + git clone gitea@git.cloonar.com:Cloonar/gbv-aktuell.git ${persistHome}/projects/cloonar/gbv-aktuell 2>/dev/null + git clone gitea@git.cloonar.com:Paraclub/api.git ${persistHome}/projects/cloonar/paraclub/paraclub-api 2>/dev/null + git clone gitea@git.cloonar.com:Paraclub/frontend.git ${persistHome}/projects/cloonar/paraclub/paraclub-frontend 2>/dev/null + git clone gitea@git.cloonar.com:Paraclub/website.git ${persistHome}/projects/cloonar/paraclub/paraclub-website 2>/dev/null + git clone gitea@git.cloonar.com:Paraclub/module.git ${persistHome}/projects/cloonar/paraclub/paraclub-module 2>/dev/null + git clone gitea@git.cloonar.com:Cloonar/amz-api.git ${persistHome}/projects/cloonar/amz/amz-api 2>/dev/null + git clone gitea@git.cloonar.com:Cloonar/amz-frontend.git ${persistHome}/projects/cloonar/amz/amz-frontend 2>/dev/null + git clone gitea@git.cloonar.com:hilgenberg/website.git ${persistHome}/projects/cloonar/hilgenberg-website 2>/dev/null + git clone 
gitea@git.cloonar.com:Cloonar/korean-skin.care.git ${persistHome}/projects/cloonar/korean-skin.care 2>/dev/null + git clone gitea@git.cloonar.com:myhidden.life/web.git ${persistHome}/projects/myhidden.life/myhidden.life-web 2>/dev/null - git clone gitea@git.cloonar.com:socialgrow.tech/sgt-api.git /nix/persist/user/dominik/projects/socialgrow.tech/sgt-api 2>/dev/null + git clone gitea@git.cloonar.com:socialgrow.tech/sgt-api.git ${persistHome}/projects/socialgrow.tech/sgt-api 2>/dev/null ssh-keygen -R gitlab.epicenter.works ssh-keyscan gitlab.epicenter.works >> ~/.ssh/known_hosts - git clone git@github.com:AKVorrat/ewcampaign.git /nix/persist/user/dominik/projects/epicenter.works/ewcampaign 2>/dev/null - git clone git@gitlab.epicenter.works:epicenter.works/website.git /nix/persist/user/dominik/projects/epicenter.works/epicenter.works 2>/dev/null - git clone git@gitlab.epicenter.works:epicenter.works/nixos.git /nix/persist/user/dominik/projects/epicenter.works/epicenter-nixos 2>/dev/null - git clone git@github.com:AKVorrat/spenden.akvorrat.at.git /nix/persist/user/dominik/projects/epicenter.works/spenden.akvorrat.at 2>/dev/null - git clone git@github.com:AKVorrat/dearmep-website.git /nix/persist/user/dominik/projects/epicenter.works/dearmep-website 2>/dev/null + git clone git@github.com:AKVorrat/ewcampaign.git ${persistHome}/projects/epicenter.works/ewcampaign 2>/dev/null + git clone git@gitlab.epicenter.works:epicenter.works/website.git ${persistHome}/projects/epicenter.works/epicenter.works 2>/dev/null + git clone git@github.com:AKVorrat/epicenter.works-website.git ${persistHome}/projects/epicenter.works/epicenter.works-website 2>/dev/null + git clone git@gitlab.epicenter.works:epicenter.works/nixos.git ${persistHome}/projects/epicenter.works/epicenter-nixos 2>/dev/null + git clone git@github.com:AKVorrat/spenden.akvorrat.at.git ${persistHome}/projects/epicenter.works/spenden.akvorrat.at 2>/dev/null + git clone git@github.com:AKVorrat/dearmep-website.git 
${persistHome}/projects/epicenter.works/dearmep-website 2>/dev/null set -eu ''; @@ -507,6 +554,13 @@ in TERM = "xterm-256color"; }; }; + "*.social-grow.tech" = { + user = "root"; # prod + identityFile = "~/.ssh/social-grow.tech_id_ed25519"; + setEnv = { + TERM = "xterm-256color"; + }; + }; "amz-websrv-01.amz.at" = { user = "ebs"; }; diff --git a/hosts/web-arm/modules/web/typo3.nix b/hosts/web-arm/modules/web/typo3.nix index 5143596..2dad7ce 100644 --- a/hosts/web-arm/modules/web/typo3.nix +++ b/hosts/web-arm/modules/web/typo3.nix @@ -173,7 +173,6 @@ in }; - config.services.nginx.virtualHosts = mapAttrs' (instance: instanceOpts: let domain = if instanceOpts.domain != null then instanceOpts.domain else instance; @@ -189,6 +188,10 @@ in serverAliases = instanceOpts.domainAliases; extraConfig = '' + if ($host != '${domain}') { + return 301 $scheme://${domain}$request_uri; + } + if (!-e $request_filename) { rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last; } diff --git a/linux-rockchip b/linux-rockchip new file mode 160000 index 0000000..9680c56 --- /dev/null +++ b/linux-rockchip @@ -0,0 +1 @@ +Subproject commit 9680c56a0804b400d92df783009459ccee05b027 diff --git a/raspberry/README.md b/raspberry/README.md index 4358289..774e88a 100644 --- a/raspberry/README.md +++ b/raspberry/README.md @@ -1,5 +1,5 @@ before building set Tempdir because of ramdisk size -export TMPDIR=/nix/persist/user/dominik/tmp/build-sdcard +export TMPDIR=/nix/persist/home/dominik/tmp/build-sdcard # Raspberry Pi Multiroom audio client - change hostname in sd-card.nix @@ -10,3 +10,4 @@ export TMPDIR=/nix/persist/user/dominik/tmp/build-sdcard - change hostname in sd-card-zero.nix - add wifi psk - nix-build '' -A config.system.build.sdImage -I nixos-config=./sd-card-zero.nix --argstr system aarch64-linux + diff --git a/raspberry/buildroot b/raspberry/buildroot new file mode 160000 index 0000000..b98062f --- /dev/null +++ b/raspberry/buildroot 
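Review bot: The new `renovate-config` clone targets `${persistHome}/cloonar/renovate-config`, but `project_history` in this same commit lists `/home/dominik/projects/cloonar/renovate-config`; one of the two is missing the `projects/` segment, most likely the clone, which should read `git clone gitea@git.cloonar.com:renovate/renovate-config.git ${persistHome}/projects/cloonar/renovate-config 2>/dev/null` (the `bento` line has the same mismatch). The unchanged `ssh-keygen -R … ; ssh-keyscan … >> ~/.ssh/known_hosts` pairs above the clones discard any pinned host key and accept whatever key the network answers with on every activation, so all of these clones run under trust-on-first-use each time; pinning the fingerprints via `programs.ssh.knownHosts` would keep host authentication meaningful. The activation script this hunk belongs to starts outside the hunk.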
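Review bot: The new `"*.social-grow.tech"` match block defaults every host in that zone to `user = "root"` with a single identity file, which makes `~/.ssh/social-grow.tech_id_ed25519` a direct root credential for the whole domain and removes any per-person audit trail on the servers. Prefer a personal account plus sudo (keeping `PermitRootLogin prohibit-password` at most on the hosts), or at least narrow the pattern to the hosts that truly need root, e.g. `"mail.social-grow.tech"`. Adding `identitiesOnly = true;` alongside `identityFile` also stops the agent from offering unrelated keys to these hosts.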
@@ -0,0 +1 @@ +Subproject commit b98062f7301bc72d2a59cca733f36525405d3bb9 diff --git a/raspberry/sd-card-zero.nix b/raspberry/sd-card-zero.nix index 4d1b871..d5e8fce 100644 --- a/raspberry/sd-card-zero.nix +++ b/raspberry/sd-card-zero.nix @@ -7,6 +7,11 @@ let hostName = "music-bedroom"; snapserverHost = "snapcast.cloonar.com"; + # customNixpkgs = fetchTarball { + # url = "https://github.com/NixOS/nixpkgs/archive/refs/tags/23.11.tar.gz"; + # sha256 = "sha256:1ndiv385w1qyb3b18vw13991fzb9wg4cl21wglk89grsfsnra41k"; + # }; + # pkgs = import customNixpkgs {}; in { nixpkgs.hostPlatform.system = "aarch64-linux"; @@ -39,7 +44,7 @@ in }; networking.firewall.logRefusedConnections = false; - boot.kernelPackages = pkgs.linuxPackages_rpi3; + # boot.kernelPackages = pkgs.linuxPackages_rpi3; # hardware.deviceTree.enable = true; # hardware.deviceTree.overlays = [ { # name = "hifiberry-dacplus"; @@ -47,10 +52,46 @@ in # } ]; hardware.deviceTree.filter = "bcm2708-rpi-zero*.dtb"; # This line does not change anything in this case + hardware.deviceTree.enable = true; hardware.deviceTree.overlays = [ { name = "hifiberry-dacplusadc"; dtboFile = "${pkgs.device-tree_rpi.overlays}/hifiberry-dacplus.dtbo"; + # dtsText = '' + # /dts-v1/; + # /plugin/; + # + # / { + # compatible = "brcm,bcm2835"; + # + # fragment@0 { + # target = <&i2s>; + # __overlay__ { + # status = "okay"; + # }; + # }; + # + # fragment@1 { + # target-path = "/"; + # __overlay__ { + # dacplus_codec: dacplus-codec { + # #sound-dai-cells = <0>; + # compatible = "hifiberry,hifiberry-dacplus"; + # status = "okay"; + # }; + # }; + # }; + # + # fragment@2 { + # target = <&sound>; + # __overlay__ { + # compatible = "hifiberry,hifiberry-dacplus"; + # i2s-controller = <&i2s>; + # status = "okay"; + # }; + # }; + # }; + # ''; } ]; diff --git a/raspberry/shell.nix b/raspberry/shell.nix new file mode 100644 index 0000000..b73cbb4 --- /dev/null +++ b/raspberry/shell.nix 
@@ -0,0 +1,19 @@ +{ pkgs ? import {} }: + +pkgs.mkShellNoCC { + packages = with pkgs; [ + gnumake + ncurses + pkg-config + flex + bison + openssl + bc + which + file + ]; + + shellHook = '' + export KCONFIG_CONFIG=.config + ''; +} diff --git a/raspberry/snapos b/raspberry/snapos new file mode 160000 index 0000000..29a5dae --- /dev/null +++ b/raspberry/snapos @@ -0,0 +1 @@ +Subproject commit 29a5daebb0513faa825b12474125c0c2dd66c2ee diff --git a/utils/modules/lego/secrets.yaml b/utils/modules/lego/secrets.yaml index 94be571..4ad10e9 100644 --- a/utils/modules/lego/secrets.yaml +++ b/utils/modules/lego/secrets.yaml 
@@ -8,110 +8,119 @@ sops: - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzalcxQ2wySWNGZ3B1M3pT - d0tDaTFGMVlZN2tUeFFEOWpmbG1EVWpkb0Y0Cmp5aWFYaEFuTEpVNUFoZHRUVzN6 - K0ZjakpyQ3RXNEk3aTNLMTR0am0xaWMKLS0tIGhDbExpM0hLQzNyL3NoLzZzSkp2 - b3ZZbDJ2cjRNakdsMEE1TFdFaHRHb0kKGQCXJ602pCk1GqtN7/UiQqzGYmVWuSo+ - Pu1wBTNWaR8kjZX8+Kmuaqy4Be33bvqlKZio91RkATSdp618zSH7bA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkd280dnM5WVFpYjZxQTJL + dW03bEM4V1AxYVN5UVpHNkl3UHNJc3hKbG5vCmsyYUViaEc5dE1EZXAyT2tNd3lK + YXNqRzlPQ0Rsa0pod2xKTHpFb05MckkKLS0tIC9JU2dwR0hsZGpYdUd3WUZmNEF5 + clIwcVhkWElVTmVOUkVieWxWZTJkOWsKuk8dt31A15RbC1/A3GB7TnWNqheixYJc + 26ZkAR9SLCkHTgyQPVwE77ZwA4NYOTkKNsvj9rC7B0RGOCs8U5K34Q== -----END AGE ENCRYPTED FILE----- - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVkY2dDhTL2YzZVhsdDJ5 - NWpWdnVITmhuVUlDSUU4TmM5bjNCU1IvRm44CnE0aFhWcXBVWExuYzN4Z3hXRVoy - cWVVN3l6ajFCRE4yNUFKeFNKSlRyQlkKLS0tIFpPSGQ1eUlhdldsdWdYbDFhVjhI - NTFuaURGVzI4Um1rWmlBR0RwZkFPTU0KgEnu51tjyxqxU0Bl7I0wkqhIwMC3FFHg - czn+bfwC3O85ZIl4/30DZ7I1LEGhg9byFp6Ge6ywiUcRg2KEGR5gMQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJYUYwT0IvS2JvbkJUN3Vm + WUV2cVRXMkU3MUFVMUljNktvVTNhVXJoN1VBCkhwc2FpRGJKY1EwTTdYWkVhaU0z + RCtMdGNZQUpjTFFYWjBoMzY5aC93NTgKLS0tIFBvb2FDUjA3OUpBQWdkaFdGMm9m + SVJXN2dodHlCTXZRVDlCbGhlZ3BhTFUKlqx5kTajaseaomJELMTBUdNB/m/CwnYx + PP+sl1n9T/ZmV+l3l30Zh+/lnc1pOCxmmvzZpnN51I9ineal9/YmKg== -----END AGE ENCRYPTED FILE----- - recipient: age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSVG9qQTlGcGcxaXVSUTUx - bitjSU40U3hKRHdkdkZ0Ly96MzlzOXFadWowCmp5Wk9NWHo5a0w0U0l6dmdaMzRj - d09sd3IvVnpxaTNZbWRzQ2dqd3JkVEUKLS0tICtmb3dJbkxMOHlEdzMyWEcyR0lm - 
c0dvaHNYcHk0WUpIZ0V6ejZNcWJTV1UKjUsp7EtC35qhTGDzaqpSzr5jnpSZbpZ/ - 7XgT84m0Y0j2uuOpbuG/GqSLj0QI0WJzxsSVq3lW5COKtrC1yqcaMQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzWDVoM0tnQUtyVFNDajFu + V2IwN2hsTC9HTkRNaFIyKzlLdytoWFJ2Wm04CnU1TTVCS0xtVjFiRkE2WkRidis2 + V040dWhRdG9NLzd2SmxOOWtucWttVEEKLS0tIHExRk9VRnZSd0Q2cUFYQk44aUhu + T3BIeFpRZlk4ckc2SUJlVEsrV3hmNHcKGb5GJITKhhMEEWsZp9aGu+tfDBeebFvJ + +nMy9XPzcKBGSNd5GrIGL4qMWFQAvty17mevXKGZ3hQ9N9DpP9qCCQ== -----END AGE ENCRYPTED FILE----- - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4S1RNZlpkTzl0cXZQa2lx - MGcxZVZyc0dvT3ovRmtRY3h4VFpjWndiYXhBCkZ4enpQejFnVGp5Y1NCVER1OGJJ - ZDNnQklhWkZKWmNOWXo5ZW5sWEhXR0EKLS0tIFdRVnkveitRWW5JWE5Cb2dPbVo5 - eVFoalhMOFF4M0cvcDlLNVZHdHBCZnMK64lm47z0AkLPP0T9XOLWCqgvLtEe9E2v - ydmCqYIRyp8DuGWzcjUZ8dQ2RaPBjcBtbm7GpwdqOvsdHfFhrBTNyQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJTFNDRlFuVndJdFpQcytD + bTJ2SXVsaFNYOXIwcnpKYUhXa2hBMlBNR1hJCm5FUzVkdGgxRkhISitjbE5lUy9C + bnF4TzhRZE5nZEhVWW9FaEFIVUhiNzQKLS0tIHRtcHM1WXdWcngvMDBsMDVBeEtw + OXF3TmdyVngyeHhQV3hnQnIyckFPTjgKOevqNmDR/6SODvZt76dF+kQEgGjXTiYL + /rxu/psNgFe8nYE38/qtYgD52Y3L4q4h4ZgPsKE1a/17Wx0C9rbVkw== -----END AGE ENCRYPTED FILE----- - recipient: age1gjm4c3swt8u88e36gf2qlg3syxfc0ly94u64c42f2tsf24npw4csa6e4fw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2R05XU3JDTjBhRm5WdDJJ - b3hjYnVKRXYzZ1F1Yk5xWmJsTUJLekpiRUdjCmdaekMxTDZBVG1Pb09mOGdGVVpa - TTc3QmJJSkp5TVFxdXZnWW1XbTYwMHMKLS0tIER1bXk4SkxmbDZhWTRLSjF4YWdC - MGowS3M4WUZqdVlEemdlb3E3RjRBb2MKO9FnhZhNPI+yQraaI7/0HTavIpAGZKTz - Oz4uUsRS+7GD7ylp8dJW8r1pz1//YeVODT5d4fsImknsDu8MSLEI/A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBneGxFSG1zWmFBWGxBUk1Z + dGdEd3c4WE9YRXc4RHVmczlCV2Y0bEN6OWljCmw0SG84SGV3RGlWQWJFUFZrSHVD + ZnJnYU1YeHJTNklRVXppRTBtdlBiUHMKLS0tIFZnL3RjRWFiNFJ2OVJQbTdRNTIw + 
WHRISHhjNnkvR2hjb1RUcVpDeDM2MDQK29wQSqzJtPDBVWdvPX4FFGE3Zs2plrpK + A37UMMFiXvT+Ofc9ncveAjfS9axjLLNpBl595zAHcsy8zP5YIQZyeg== -----END AGE ENCRYPTED FILE----- - recipient: age1ylrpaytkm0k5kcecsxvyv5xd9ts4md0uap48g6wsmj9pwm4lf5esffu0gw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdmczbDhVWkJVNlJGQ1JI - TkNoSlNVSThqM3RBaGt2MG1tOEh4RzQ5a2tzClUzdm1uMGVleXRhU0loRGQyK3E2 - L1ZQYno4VlRnK1Zqd1ArZ3doc1VlM3MKLS0tIG5JM08zM3hMMlJZY0diSC9ZRUxO - SUh6WnpYV2RVZjBWa1Y2d3pSZk56cGsK4gB1IcWHIw1DOCtttU2LoZ0j2kNdGXIr - Z5y1ita0fsiHEwiI1k+aRZre6OL4s2dCrswjcvX4EYFeUSlpuXxn9A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQjdpTW5oa1orWGIzUFdQ + eEZsV0RKY3ZxRUhqTW5CdkpmaG5EU0tEem5nCkhtUkErVnNocjB5UjVHQllWc245 + WnMyeHZDUVFpRG9IL2NkWGZJUWF4V1UKLS0tIC9MOHJDUWREWERzYmx4M1RRYml4 + Z21aTW9QUURUTHRiNjhEb2xROHFxdkEKAycw0fflA3rnojWBoArNRzEE3iozCOsp + uesPaSIxD9BcBtHV8BqWBCUUJ3rZcOkDbS+DYLcPAaJnOWYXSwmpZA== -----END AGE ENCRYPTED FILE----- - recipient: age1ezq2j34qngky22enhnslx6hzh4ekwk8dtmn6c9us0uqxqpn7hgpsspjz58 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhWlVQckZCUy9aVTI3RWRS - WFNyM0tlL1lpTjdWOTYwN05DV3JWdERDMnlrCkxqSTk3M2tLKzFyTVMvMnA5V2xU - WkVaN1ZiZDhkMzlZVkg0OTkzOURjVEUKLS0tIG0vZ1FrZCszQVpkOWswclBWSDh6 - UHoycDk2TEEvMzVFcFlMMmNpVjZJd0kKj0K/EKZ8hrNA3Q8pI+1HHEEQ2JC8qLP2 - IKrm1c7CREB5dpxnhbj0ToDVBQd9iGpso03RL0sd/DAA5w3RCnsB1w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvR3BKQlJXUWxzblRoRE9t + a1V4NzZQMG54TE1tV0tZMjVBVnV5N3QxQWhvCjVIKythdGxib3QyeHI4a3Y0RUlJ + cEVoL2htMk5mZU5OMHd2UTZtQTBqRG8KLS0tIGUrN21oM1NCVXlwR3V1ZnFvY2g0 + QWVxMk94bjRKSmJKSnpWRUEvdUZSZEUK3gGS4A7ldmdNvHvcj1sj2Fp+AAkFLju8 + G3hwTDoIsv3C+RP/nnK8UalahMzpBa7LSF5gh2KqFUnBS/G3Wnasyg== -----END AGE ENCRYPTED FILE----- - recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMT2t2U3dpcjBYL0NoV2lw - 
MHVBNXZsbDhEcG55UjY2RE01YkFzOXU5bzJNCmxtTWtYaEpPVkJpekVUVFlHS1FX - SWFFU3UwbEhqa1hyMFBVU0hJbUpoQWcKLS0tIHJtazBWR1BiYUxjeTNUc1JGNzFq - Rmc4aDROQnNmTzVDMU9EcUl3dXFjWkUKHdwYkwWVXG5AMY9IuKh3l4CmNtmrHuKa - G63acQDm4L7sbAE6TiHs4aFgmhwDPqOS64MZOEKUWt+/60zH3gbU4w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUXVxNXdJZmZJRFB2VWlG + MysyNUxSMmsyR3N2OVc1azJPR1VHY1hMQWdrClNtNG8xWTg3Q3BEWEtDTWMxdWp2 + bFRwcjZEdVl5ODlqMkRyTjh6c2lXYVkKLS0tIHA1Nkp6V2ErOVZYVVM2SXRmS2s2 + aU5ZRXhJQTFDU0ltbm9QZ0d5alQ4dnMKSOrrVIv2OUqTm831mS1Xc33vqT2r7Sas + sRZHiw/nNVUMkGkWrd9/RqLPiN3JDuEoBvbUXKrUfoesOyZ4fzHgqg== -----END AGE ENCRYPTED FILE----- - recipient: age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWb2YrZkUwWVRyTWRRbW5o - cmVHZWZSWnF4K24za2dLUWpUUjdZNTk4bVRJCjhHeXRnalhybnVwTkNrN3ZTYWdC - VFFEWUNxYkVKemVSL2pMbG42alNpeUUKLS0tIHBVRWF4TDZwWTdSQjUrNWdjN1Fl - TVRvQUZlbTAxUXNiQXJXNFQrVUQ5c28KDlB4prV+/bNTFIp7P0jBzqxWAZioZ8Tq - I6OVD/xKJ8soKhXeIyeGFKZyaWu0MsZiebbNKEQjhQhewaHUtZW0rA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRNlRlNFN5MjBXOEYwdDMy + LzZOZFp1QU5KNUxQWTRpY213dzM4TmV5dFRvCkFway9hTlpTTU4zaElIMTMvV3hR + amYvamp1YndIenJJeEphSW04d2JBTzgKLS0tICsrMUZ0NFZkcGlKNEp6WVRtS0hm + dG96aitZVDBIQTY3QUdobnpTeW9rUWMKNxA6Hr/NB5IAD0JbnVwxEijYd94lPx+n + 6Px0rKlT9nboF2eIY3uY4SeWEv/kaidfDXJgTkUo4d+i6sLF5cdhMQ== -----END AGE ENCRYPTED FILE----- - recipient: age1zkzpnfeakyvg3fqtyay32sushjx2hqe28y6hs6ss7plemzqjqa5s6s5yu3 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCYlVBai9TK0pnL1ZxVnI1 - azJJMVliNFJZZDRLcVh0bDJGaEZaSEM2UTBVCmlaa0JnUzVyUG1Fa0hZeW5qK1p5 - RUJtM1lNY0pYYkdxRVBHNW0rWHM0QXMKLS0tIGV0K1IrVnpjTEdoOHd6MkVrcHFG - RFRiZU8ybTB0ckRxVkR2VGlrV212aUkKBO9fi4n77ysamlZ3opIP1P1uEC5Kubaz - j8vSgaPs6qGkon/xknjwVo3RLYzS6zYIAzMIGf2Ru7pPn3ybJV3TYg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmOGxxRGtJcTM4ZS9GRWFQ + 
Uyt6eTBONHpsK2VCTldLYjh4b1JBZEJPQ3pBCkxXMmVtbnR4YnFuNWw2ckRXc0Nr + bDBqalZobklUWGF4cUtmRXp5Q3dJM1UKLS0tIEdjQ1E1WFAvTkpCajhrcGYrM2dI + YVliY3hPQkFXM3ZhdUw4SG5aVnR6NDAKZxf+Y5ZhqpzV/5g1zq6PTvo/yYClZ8rL + ghZh3MHgXkh6EZLtuZHtHHGvUuDG8oYJLnB7kWfWNXTKAPFn3gEn6Q== -----END AGE ENCRYPTED FILE----- - recipient: age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyL01hMWNGdDJQZlN5blEv - d3NpZDF5N3JLYjdNcElYbUsxL1J4VERHSlQ4CmtmM293MHV4MVhSR0RTZS83YVdr - eE5sWlZOT0lXODBSdDFNY25KaW9zbFEKLS0tIG1wdENYVHFuK0ExbEdBU2o1QXlx - cWt2cVZOOE5VdXRnMjEzSkwxUWRKK0EKo9NInApXiycrBJ1AiWkksFiFixgi7iJu - pUh6ZDGUR2PvnUNId+73YBCoX4DS/raymtAXvfS2Y5NlEJouxCu2Tg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNE9INEQ3MnptcUZwSVhV + dUUwdXNmRjg5SzF3alk4dmJvTGZiN1VSM0M4ClVBOHhYbFN1TExkMzdqSm1Yd21w + NXZiQmpnU0U4R2JIcjZOK0pJVDcwNmMKLS0tIGpXZ0RDOHRvRE01VElaNzFMMGxj + VmlzSFhod2xYa0RJcG5GRXN3TlNVaW8KXt6pIgxUscBFTDND2Ssr7PihrX901dgC + aRKH/AnVdXjUqdD/aN436pCnueh47gGkkzR+rWWuc6zvKItVIHTUFQ== -----END AGE ENCRYPTED FILE----- - recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKb0ZxeEFic2d4dFNIK2RI - QjYvU1lqRldCclJiMnpKU2FRYlVSMENqMUQ4CktnQlFQRUhza09mVEQ4dG1GRmJM - RStuOUpOYTFQekFvc05raVRHV1pkVWMKLS0tIERVc0t4dkZ5UU1EbmtQNTlVRFRR - eHpPeXBwbk0wazBpazZwRzNuaFN0cWcKmVkaXDQ4dBJdc9Fcgtxe3Um4K5kyafR6 - mYDXC1PHkYOr+7JD+NZS9JSwnnAUvH5T8cDsfsfkV2i1tWpxJco16g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLYlh3MXN5MElUdmVOSFgz + aTM3cHc2Q1BjR2ZVNG15ZExlbkFzZGRBSkY0Cmo5YUNvS3RXN1FLTVJONFNVVzZu + SzZ4eEJ2S1pXbVJsSUVVVEJMMm5LQTgKLS0tIFFkMUdzUCtvZlNsNlI5ZHVOR2Y2 + UEM3eUZlVXFyZmsvNUxwT004SzZjNjQKeeHV9O57xgqa3dNyZijQgRSfY7toeWYp + P++LIbGgp69QzvCAF59oZ23/UKpo5AOIuP0gPQGNqUL5Yve6ZZQtlw== + -----END AGE ENCRYPTED FILE----- + - recipient: age12msc2c6drsaw0yk2hjlaw0q0lyq0emjx5e8rq7qc7ql689k593kqfmhss2 + enc: | + 
-----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVWo4ejBHencrSlhPOHdt + ZzdSTEJVbWp4aUNmdjVBSENyZmcwRWorUEU0ClhPb0NpYlVrMDBQQ3NlUDhaSVpQ + S2lMZDhENy9jUkVWRkZycGZJcTdKUVkKLS0tIG4vY1dnQmE1bjZIRHFZNW4zQ2dr + SEFZU2hJV0h5NUFSQmNKaE1yTEdIbHcKVA6+8h634meNiMbLL4TqtwLmC1hRibfc + g5KfnN97JdfTPDp4cs8+egwQEPI2fxh6pPunIAQXo3P6baUBGZd5ig== -----END AGE ENCRYPTED FILE----- lastmodified: "2022-11-09T07:12:13Z" mac: ENC[AES256_GCM,data:gqsD5gTtE5ZqWzWKAAIscecvIsGSC9j4Cnbik6Yk7Jf7Z5/NIxbkInzDsLmlU3ObbLZAhGAlOAKIrUVy37rCcEZ+I04ICXK1dmUdsVud6E4SvTdDjh9qlXTbEkcDCY2YqXlTuQl6IZyveaPuF6fRe1FMh8JEpDv/foZTl8+AuQQ=,iv:+nV6YW9m1B0qo7xbB1lw9dgiQ877GQ6OxMqjk7lei10=,tag:NmeSwBWRKpqlwZxYYC7trg==,type:str] diff --git a/utils/modules/promtail/secrets.yaml b/utils/modules/promtail/secrets.yaml index 2309241..09b844e 100644 --- a/utils/modules/promtail/secrets.yaml +++ b/utils/modules/promtail/secrets.yaml 
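Review bot: The data key is re-wrapped for the new recipient `age12msc2c…` while all existing recipients (e.g. `age1wq82xj…`) stay in place, and `lastmodified` and `mac` are unchanged, which is consistent with `sops updatekeys` rather than a re-encryption. If the new key replaces a host that is being retired, the old recipient should be dropped from the creation rule and the data key rotated with `sops -r -i utils/modules/lego/secrets.yaml`; otherwise the retired key keeps decrypting the secrets in this file indefinitely. If the creation rule was extended with further recipients at the same time, they are not in this list yet and `sops updatekeys` needs to be rerun.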
@@ -8,101 +8,110 @@ sops: - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0SlZtbS9iS2c3Q1dXdkNt - N3JpRUQ2K0hPcERQVXN2UHJrQVBVQkpPTTE4Cm5ycmU4R1cxL3JqUGI3ZFlhd0xz - VC9ON0tybWJZU3JzQ2Y3TzkvVk9iRVUKLS0tIEswQjlQL2tPejM3YnpJWVluR0FC - bGw1MjdqZVhJcE5ja051MnlFVkxjSncKORmQoZynBBzqJe30mnMV4WqQKO+EUaxI - 5SFgveM549T/8BNHDrdI2t9EhJXB7ZnmjgVlbcrO9e/7dHXK0knPXg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMSC9RSzFrWUxST0RjWk5E + UnZzbE5JcFMrQUdVazV3aFJTeFVJTTh0Ymd3CnpmWWFuanlrcWxYckZZSDdsUXVt + V080aE1kVC9ISDN3L2JPSWhQT1JxTTgKLS0tIG5JaGp1R2JzenVLbE1acUw0YkYw + NWdIRUdyOWZhR0N6WldNb2NxM20raUkK0hxq7FNWuknxQ5jIU4/Nl1ZRIjZWOWZe + Es7fOwlS3BGbDpJYGBUbt44OkT1jV4Tcf/VgL67+WpbLjNVUim1P0g== -----END AGE ENCRYPTED FILE----- - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDeEhhaWpqbEprOWdaWTJH - aUtxRDJYb04vcWxtUU1RN3lQS09oQzd5eDBrCjF3aGRWWTBkejJPUWt6MUYrd2pP - VHRHQTlNZ2syYndTSStCYzc4eUxpaTgKLS0tIGlpVktoQXdwVmw3dGNEVlVYRnJo - dkk1d1V5VEtHRnRlOWorNFZaaksrcU0K1N/7pGj7mY8gjInL9sdI5tG7VzUn6QCE - mZ6XW7jvYlGIlnqXB4tkq1UWmL0V4KUrs704F8D1bixIr1WW1p8b/w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZWHU5bTdYQ3VXSCtsOWdP + SVU1ZkdBdGFpdWFtdUxvcmJKVkJoaTYvQWdVCjdoelNWUGdXVDVMcko1WDlKbTRO + Wk1PbS9XQ0FyRmRUNis5WE1RUWFGTXMKLS0tIGFCMUhmNUtzUDFUcUppcVFTQ1lI + dWExLzMvVWx2d0I4d296WGpZOGxPV0kKojPDhC9IkyVvDTP/0nzWxFnbzBKqRyL1 + ZsqwpobdR+lamfSaPwGV4L3kgdqA2ozhTex/GE+ybtUjXz7hcuE6jg== -----END AGE ENCRYPTED FILE----- - recipient: age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBWnJCN2hoSlgzYjlia21K - U0FTSHdhdXV2YnJLSHJuTk1TSDZBV1FvVndvCnNYakh3V2V1QXBpZTBmUnMyMXhF - d1B4ZHovOWlCcEtKbnN0Q0pUeEF0cEkKLS0tIG9MNmlQRTRnVnQ4a0ZEMXRZQUNM - 
UWlHZVJiTnBYUUlDU3Fhb2VJc2tkcGsK89srvqDXzawAKc9PQIXw0vyLQNb+UkOF - f8UCXpjhdd9iRn2RpXlH4uz9sXJTg2/5X/NuaigabnM/KrP5aWDjLw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEdWxuODlPL2R5UDFmTjhx + T3JQZC9ZZ0Rrd0VaNlNhMitMTG16YkNSaVdrCnBEOTE1SkpLOU40ekdvUkc3b3Bp + ZU9JS09YODFUS1VWWHlSc1VDWUVkK2MKLS0tIG1oclN4Q2NzUEZGMVZ0ZVEwS0wx + N1U0U2E4bm9CR1ZWYjIwcVdiK0lCcEUKa6jOsjGsWxrJ9JV6m/Qh/g8J0ztt5all + dpbhX+D8jGLrWdQj1ZLV3i5ewBrw9EI71XRUkcld3m/OQzV/7ybeFQ== -----END AGE ENCRYPTED FILE----- - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3Y3l5YTdEMUx0ZlBKdk01 - T3RpUWJiZm9POEh0VHAybUNIZ01qblRha1ZrClNEakIxMENFZkMxZEdxMkFldEtQ - bFhHS0tkV1U1Nkpucko1aTBzUGh5T1UKLS0tIGE0U2N2YjNvN2VWa3d5WDg3N3hs - SER2RVk1VkVWb0M2d05oV3VJK3NaeFUKbjFAUyz4PS7EZaXqOaQpXr4viJeXTfnw - wr6xkydPzdBp7lURiR3o5W+U/HDVDgIyWfjeHQU7s7gEz1POs3BPVQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxY0JUd1l6SVM2U2NXMVdi + a0FxY0tJMERaUk9xdlBKMlh6UTVHVTJnTXhrClEyUVgyckFVT0NFODBCQjVBeWZm + bmx3YUs1Q2pxZ0c4Z0EvQ2sva1J6RnMKLS0tIGpxTFlIVlpVNzAvUXNvREdjU3R5 + R29tNno4cHVwQWNFRTdVT2NFNVpXR1EKy7wD4YvrwPKarqEfGmSPB/1q+Nl9ya6Y + 5MuGkzs3VyCVPIt7VFM5dzfLR1ocfMuD9l9iYfXecHTqb/RUcT4Jgg== -----END AGE ENCRYPTED FILE----- - recipient: age1ylrpaytkm0k5kcecsxvyv5xd9ts4md0uap48g6wsmj9pwm4lf5esffu0gw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTURzdGxaT3hGb3I2aDB1 - T3UzUm1ybjBNTEUvUkorUjB3NXJPSi9oS1JzCmNTNVMrUldoM09xUVJHM1I3eFBs - Wk5VMldudy9IR2lCR3NRdG5qOEZXdmMKLS0tIEEweVdCMkxKcVR6VUZTY3UrdVlJ - eEpNSWE2clhuS2Z3eWQ4Q2lrd0xCWlkKkJaQ80E1HOgtFY+YpPEBu2frscMUuwdh - Nd9nM+lmMfYAfo0mIHG5UwTgo5sFqVTDGHXd7RuRh873DQ7ckb/xnA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBcUpLaHVld3BCMEQ2azFx + dC9TaEtHb3BRRXM5SnYrbzFVTWVwbHFtc2g4ClMyMDNDby92Z0YwMEtOWWkxKy9U + MC9TS2xCZW9YTDdlQkxhN2x1OWNKVkUKLS0tIDlLT082VEszd0pJQTZ0OGFQUGpP + 
M0o3TStTY29kWk1HRURWWXBVeW5PY28KDpOwP8s5l+DnKa6RWQZl2jYjQrEa3CnD + RAko+jvrRXCaPAgRPl6Z3WftZk6M7oF9I+PEA6SpDtzhgiNIa64jjQ== -----END AGE ENCRYPTED FILE----- - recipient: age1ezq2j34qngky22enhnslx6hzh4ekwk8dtmn6c9us0uqxqpn7hgpsspjz58 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtaEgvMHdVK3RnekFJTi9v - RWpkQXFRU09sNkh2Y3BpcFVLYkI4Mmo2UkRZClBWYmYvaXRtc1NNUzhVN2pPY3RP - dE1acCs0N1RRZVI3ZGMzYlV6TWw4ZGMKLS0tIDBVcXkzZi8zVFBqU2cxdmVteElL - TmdkZDZjK3U5THo5V0lGeFk0TlJLdW8KH5W6ju7bXoov6JAKkyYWQBQ/ZCSabmsN - x+TTWre/fChdiX90ZcenaXvmp/XpqNRHwxgT787hD+C+eljoVj2CBw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIdS9tTUsrRUUrNlpxNGFT + RHpwK21WMmw0QVg1QXFMdVQxS2MwTWJha1V3CmVDWmFrQmg3aWlFSUN2dW9sOFlD + N0FYVDIwSFJ3aWhDUmM4YTFyQnNDaTQKLS0tIEFtR05WZ3J6RlpHTVJxK01POVJC + S3JuK2lsWFJlT1E1VUpKcGhkbWlwa0UKL4DlS8xUjjgk+AYL+uJMMmccDnEVZ8W6 + /HNiz9gOA3lDXO3plyogNXiJa1LeB5fKeuGsNhRHSFPdPZK3w230Xw== -----END AGE ENCRYPTED FILE----- - recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbzR5REtMdzJ0aS9uWFg5 - TzFsZUxmd2UvRnZzTUJBMlc3NS84NHFON0NJClJVR0szeFYyU2EzbzBmWHhBT2Vr - bkN4TzE2TkI1SVJ5RlU2ZTdQdmNuV1kKLS0tIHlqQW13bEhpRlhSZTNKWXFBcGxa - NUVCRXZ3cFIvWWdvZWpzNXhtQ3RPU0EKwpFed9e/DsKQfPMO89Ptxwq0BQabxImT - /S0Uxg3Q5F1USt8soSpHc167UTY8XDh5IPkMcu8uGjUStkliouaklg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaS9zT0ZkeEU5YUJid2VK + RTRyUlhWaXVEODBWRFROanZGQ05BdDdudVY0CjVDRjR3NDdIYzVVTzE0MlJCb2s3 + STJXS1BmbkNFV1dveFFYZC9EUGIxY1EKLS0tIFFzUlJPU1hiNy9ONVlwRk5sQnl1 + c0pvdURCa0tOMlpKT3ZiQmVSWnJNSWMKBxkoJ5tKxySeDbt6/ULfPAZOB+8bei6e + nCra3NCY8pTQQy7KbO+UIYFmYlkC7jEHBUGjzPC9vqSfXBiVVOB2Dg== -----END AGE ENCRYPTED FILE----- - recipient: age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3bzJDZHdxRVVLaVFybndH - 
QmtnNnpzamhNZlVvMC94aEtLNlhYcm5oY1dRCks2cGVGRjV5QVhKZWJZS1N0S3Ar - ZlRrZ1VLL211SGJiUUI4SHRnOWU1VmsKLS0tIFBQVlhSWWxlcGxxUmdkWWU5TGE2 - c1Q0NkZtV3A1dWVkOURUcDkzMTlqV0kK2ZiyOzGiFRj7qBWgbK07hNTpOxfhIQgR - Khdkwj8Cm4mP+kLbxnyxH4sGipu7hXebeQZU5x+rOLNfKTZoJ85NSA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhQ1ZoSUwwS1ZlcFpBa2Rj + VW0wbzlZL0tSM2hlUlRqcTZocGd0ZUZUakNVCnd2eGRRQ3A1a3Jza1FsMWlpM0VC + TTZRaDlvOHdPSTZzaEdmUkxEaFpnMDQKLS0tIGsyWW5YUEtsVEoyL0JPUTJVRUxq + NlBVcnNYUzJDY3pOMmlPekxPYWptRVEKHFf7x/sB6/ss4niPX1txry6fCImtoHxI + xkVuf8cm7fN5Eb+MGaLyoUF7gtPdQrGfDd+4SD5rxaLmWV1kU+aeJQ== -----END AGE ENCRYPTED FILE----- - recipient: age1zkzpnfeakyvg3fqtyay32sushjx2hqe28y6hs6ss7plemzqjqa5s6s5yu3 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVRjBnSnlta01oQWZoaUJC - YW9RZTExU2xTZU55aXlGc3pkaE1FTG9TZmlJCjVMdmgvdncyanBiWGc3OWg3UWE0 - NkV3Y3BGTTQrOVhmSS9CTnQ1Q2ZWL1kKLS0tIGVEdE0xWmpNZVZvTDZBT1NDenNF - K1RzM29IMDJzL081a2NXS3BJdkNmZkEKU9SAKVg4XQlIFIMWq2zRIu2/uEMICsUz - KL5uyA1qC6evNZh+QsPMwBVlpBfbqZv+6ub5Z5oTbGkNdoWtTO+Pww== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3OGRhNEpNVmE0NWdsMDBX + RWdxMy9qMERCWmk2UzB2enJTOW1TdmhDcjNNClo2cGZTQnhLUEMwOEhKb0dqbTBO + VWxOY3M5NG9wRHQyL0d5STlxYUhqZ3cKLS0tIEJFL1NrSzMyMjQ1QzlpU29CcXND + bTJtWlRSbEtBSzVBZWRZUmE4NXB5QkEKTjJyX+IsB2xp7Mq48CEMbOUb+O+MAyUP + 1B1WMolzntRuQao1KoX62BBYE+7GgxtTrBoQFnqpri4SNH3qHw2LlQ== -----END AGE ENCRYPTED FILE----- - recipient: age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMm9HNlRFSm1oMU1xck8v - aEYzelBnUjlBdlNpaWFWOUJISlE2eUtxZG5vCnZRSCtJTU53ZWdiR0RkclZlcVFZ - K2tUZTNVSmtsQnIxVjZTbDVZbWJRWVEKLS0tIGxJUFI1S1Y2U2NubmxoaVJQRWVJ - V0pxbHNCbzhScXdrUmJ0bWE0TFlVN00KRn/qB9axbzBJUf1qcrUo3c3tB5spQ8Ht - Uo10Mq6NM1dnHOcV3b1pP2E8D3FE8JDzBP9LWM7QIUDjptmLfy3rcQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKL0NUcjhjTGUrZy9id3oz + 
dDduNy9KMG8vNWF1YXlna2p1QVdlRm9YajE0CkwvUHRVZitRVlZ0cnlZTDJQVVU0 + OEVPYlE3R08wL0JjUkhNU1F0a3ZOcjAKLS0tIC9KdGxpdWpaUWlyOHdhdlNTYWJ2 + elU3SDgzU01NVmJTWTZOZURYUGlLSTQK17WIxCaVaBUWmT4G8obYvpP8V7Iqd6gt + ooeFgddEiinHYXQUUMeAiGiSrs7Dn2rurtQzJjkElhjiZRkheuyEEw== -----END AGE ENCRYPTED FILE----- - recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPOVVXQmhTSzFJRWpFOWxQ - N3kvSEwvend4T1hBSEZ1TkliUDlPd0hvYTBzCmZmVC9HL29MMEpoWGFiQ281cjJM - WHMzaHFYRUdzNUxHSEJ3L1BaOER0ZkUKLS0tIEFPTDlkbTR0Y2p3Qmw2aDIzVHk5 - Qk9kQXJjaDRGaG1KVS9KNkxKV1Bxd0kKIwfnJNgGzt0H5NRwH1xjCx3oBnNYQ/PV - oxFHbRZHtpkHHaxmsxJ58C6bSpuhypNO3RMHc5OIPtHlhuE106aQdw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1UDVuWUJUQ2ppcEtkZThT + dHJ6cnBBM3lTaGRYYTRqZ1RNQzNvUk1GYTFZCjRlRWZQRDcrTEF1aHp5UDI2VkhR + cDk0UVhlTmVZRWE5TnV6Z2VaOSsyT1kKLS0tIGM0NE9mVmtJM2VYTWJ5LzNoUy9t + ajhEYlpkQlVnQTVsUHlBbWhCQkJ2RTgKZaI8JtENqrwloh27SvqYO2iAP0AVeBaK + jFe/vvL5vEm3jT3PT78P5PZw+NlTCckf3vCBTBzDAgYiX1SS0EOWWw== + -----END AGE ENCRYPTED FILE----- + - recipient: age12msc2c6drsaw0yk2hjlaw0q0lyq0emjx5e8rq7qc7ql689k593kqfmhss2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJeUc2ZEN6QjdFNGpRSnB4 + Y05zWk5XS3V1djBRMWdOaG9DdkxIZ2JGWUZVCkw1U1dKRXRPRExWcmhyaytUTENi + TzM5MUh3QUF2bUVUeWZPU2tJem1nOGMKLS0tIHBGSFpZb0E2aXpSVUJCRi9Ba3VG + eXIwZlI1UTcxSHhlMXpWSlk5S3RRSUUKCi7jTflWg4XJ/VH8X7xKGpN0U3fPLCPc + Ea6qYA1pyjEzBh+JO7VQeTZmfCweaMww235HXJQNLhIYCoali522qg== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-08-19T00:05:00Z" mac: ENC[AES256_GCM,data:BO3WZzW4MzXpOLKTi6vzVq5lFMATANvIH8Kl9HJPH4bRTRf+z/IX3GmmowjOQis8aGnbfbMja6K0hBWMSY0mY7WzMN9W2ARHTgbXre9/5l6PfFrW4q36sLwXOJU/mzLVz4errHSt6A3Te5AOqThlULuJO/F4pPX2i0Sgs2F1tVA=,iv:zOTWgbuUzuIhYbJFKocwEdR9DxZ3enjc2aIchkovfuA=,tag:x+2jEytk5XrSAGWvbB6bKw==,type:str] diff --git a/utils/modules/sops.nix b/utils/modules/sops.nix index c3f8032..579aa65 100644 
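Review bot: The new recipient stanza for age12msc2c6drsaw0yk2hjlaw0q0lyq0emjx5e8rq7qc7ql689k593kqfmhss2 (the fw-new host) is appended after the existing fw stanza for age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df, so both the old and the new firewall host keys can now decrypt every promtail secret in this file; if fw-new replaces fw, the old key should be dropped in the same rollout instead of staying on as a permanent extra reader. Nothing before line 8 is touched by this hunk, so — assuming the usual sops layout with the encrypted values above the `sops:` block — the file data key was only re-wrapped for the added recipient, not rotated, which is fine for adding a reader. When age1wq82… is eventually removed, follow up with `sops rotate -i utils/modules/promtail/secrets.yaml` and change the underlying credential, because the retired host key still decrypts every earlier revision of this file in git history.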
--- a/utils/modules/sops.nix
+++ b/utils/modules/sops.nix
@@ -1,5 +1,5 @@
 {
 imports = [
- "${builtins.fetchTarball "https://github.com/Mic92/sops-nix/archive/b549832718b8946e875c016a4785d204fcfc2e53.tar.gz"}/modules/sops"
+ "${builtins.fetchTarball "https://github.com/Mic92/sops-nix/archive/127a96f49ddc377be6ba76964411bab11ae27803.tar.gz"}/modules/sops"
 ];
 }
diff --git a/utils/modules/victoriametrics/secrets.yaml b/utils/modules/victoriametrics/secrets.yaml
index 2a534fc..5023f31 100644
--- a/utils/modules/victoriametrics/secrets.yaml
+++ b/utils/modules/victoriametrics/secrets.yaml
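Review bot: The new pin on the `+` line still calls `builtins.fetchTarball` with a bare URL and no `sha256`, so the sops-nix module this configuration imports — the code that handles the host's decryption keys at activation — is downloaded and evaluated with no integrity check, and the result is simply whatever the tarball cache holds for that URL until its TTL expires. A GitHub archive URL for a commit is content-addressed by git, not by Nix, so anything able to interpose on the fetch or alter the cached copy can substitute the module. Pin it with a hash: `builtins.fetchTarball { url = "https://github.com/Mic92/sops-nix/archive/127a96f49ddc377be6ba76964411bab11ae27803.tar.gz"; sha256 = "<output of nix-prefetch-url --unpack>"; }`, or move the dependency to a flake input or npins where the hash is recorded automatically.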
@@ -8,101 +8,110 @@ sops: - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIUXJVWXc2TnE2ODJYU1Rn - SDNWeW5LMklTKzc0RWpaN3pVZ2V6VHR3RnpRCnlSUGlHNmFhRGtkMkJHbjNoSTdt - N2JWZ1BjYWZpdVUvVnE1SWh2aTlEUW8KLS0tIGlkUkxweHZVTDlZN2V2YzdPRmtZ - dElvOUpTME4xYlFLS0k2Uk4vMktiaGcKLuGeC7n2sj90/5IOQ/wGqxLGpdfvVZK5 - 2n8YuRbjlxdGcKlR/qPHcF57Y6M6Md2psbg5Ru29rOnimYFPTUvc2g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWStEVHczUUcyYmN5TUJv + OG5vZHV4ZG9iQ0dLZjZFS3k5cDArQkFaQmlVCit2bHBhY29RemhXUVBFUE8rZGxh + YjFCUnNBT1cydFd5cWo2LzZwMDNVNE0KLS0tIFl2MFJ1bmI5UkRycm9xT2cybjJ3 + TDRqak1FbklyNUhaZTNYZmtDY01nTlUKqNhxEWEVgmkOZG1S1ORnsOKHf9uuqGPp + ZwRYELAscjfIcFIyzZ1FWK3/0TuT7NMXnA1r4adY3Oxxuv9NCupKjg== -----END AGE ENCRYPTED FILE----- - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpSFphYUZVc2doS3g4Z1Fw - NHI2clRmWGczd2J0YUdwOG50VDA4YW5hVW1VCkFpN3dWNzgreW9rZytwTlJrVlpx - bUl0aUNTb01nVC9PSTVhRmF3TUpEY3cKLS0tIEVrWVRRVXl3M1JSQ25Fcm4yRnBD - NEZYbEIyWVJ1a1M2REJFY1NoZFF5YTQKFCmtrT8e7GwYwR5PUVUcHIPR7rQYVNqS - eEoYPf/WSmTolIODr2YaCnATWa5ALO/Tkh0OjRDVB5qH1j/gCZeSng== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ODRTOHFSM2RiYnF3cEFE + ZzNjVmNBaHp0N1lqOEF0NUhhdUFCQzEyQUJBCmpEaGNWRnh1M0hqL0FXazN6ZTVS + a0pTc2Q1U2ZPTWZTb090R1RSdUdUU1kKLS0tIEZIMVVOUEtJQlJpSzRGa08rRmxt + Y3diYmRmNnIvUzN0RURaZkx0ZHZSemsKDQPne3eAkV58JefFyAbp7px3LH9QPxn2 + aYLPdhqkjF/s67lk7oEIWr8uOPu+JfxaTYyrY2vfqGrcDAYQfmW9Kg== -----END AGE ENCRYPTED FILE----- - recipient: age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkR1JkZ2gzbkNJNGc3ZjVr - MlY0bXZTRmpaejlVamZvSmNTZjBDYjYzOG40CkJwemR4UnZYTHFSQVlEVUJpRDJW - VEJxTWF4NzhIRitQaEJIT0E2Ykt3YTAKLS0tIDRyRTFFSmFHUzF2Ry83UVpRRnN2 - 
RHRnYmcwRTBWQzJCTm9KZDFCUWVpYkkK4LBYIZaz4S5KNj2gpZmECs8zOsHU+xPZ - 71lPT6abiW1D1BwLe9PixCLuBNUlrFLXr/OTcVvJc8v/Se3l3dArMA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmM0xlVy9rcTc2VW4rSjdO + ZUZtWUVVb0tmdnpzWW5pbFdROVBuaTV2NW5rCld3ZjYrYU5ySUNyb25jeXVqeW56 + MFNFOWFWTUZ5bXdRSGFKMm9TeUJPYUkKLS0tIGYyK2YxYk9DdkI4aDlIcnhrbmZq + Nmc5MkhXYmp6UVBkV3pUaWNCeWI5RFkKeI5H8gfQa8jKbKDsnth8xq3H5RjvJWT7 + ZXf0QHaoEhw7tYs8Cx2KKiqAnBveLDa6ro4+HpCNeIVtxzbN4LeIQQ== -----END AGE ENCRYPTED FILE----- - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WFhraUNxOVJvRmRnUUN1 - TWRobndtZnIxWHIvTFhiMkduTXI0ZmRVNW1NClg1bGpSVS8vVUttNnBMaHdFTWZx - Q0RHWlE0cEhKYXpKV2JiNmpVY1l2TEEKLS0tIEVPT0M5eDEyUnJSM0pDUTlSUDRF - NytwdGVKNFRoMXRvWEdNSTRFR01CNVUKWF55Z52rODbs2Jzz4oBybzbpApf4klY9 - YRAw08mrjcrPnRv45+D6txY3TZgpaMowrEIUut9FlrpSJlNZ3wqyiw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZU5rSXBtazhoZTh4YkJi + c0ZqNWhjNEp4VHZVTW5GdUwwQmRmcWxkeldJCnJmTDJXbFRtSEw4VENxOUx3NC9Z + bCtOK3dJVEFrbXVXNTBOblp6YnpMMHMKLS0tIFU5WWVUVjlpdEhWalREalBFY1c1 + ekY4SW9namVWK0dlVzNDMEdiNGJobXcKxeaqjwATJ2GbnMX/zI9nlme52FJso7c+ + tljYF36qvxE5M0Gx/g2zkdrXVlnAASodfn1VGgNZU+qyWZpxfiKckg== -----END AGE ENCRYPTED FILE----- - recipient: age1ylrpaytkm0k5kcecsxvyv5xd9ts4md0uap48g6wsmj9pwm4lf5esffu0gw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaeTRsektCYXR4eHVOMlp6 - bTJpaGN3ZTBjZFcyQ0g4ZVEvdVFadGtNVEFvCkZMUDFiV1pGVThFeHhUUFR3ZFdz - TlZCV1FCckQ1OG5XNW5mSVdURlR1cTQKLS0tIFRhQ2JFNnNqaFdEeGtKYkloRFZa - aDQ5N1N5WTVxLzhHNVBzNVo0SmtlRlkKqxV7lOwmcqwobiiMHDvAmcDG4v7depF6 - cHjil9JJP/aQwVM+p6Q179pXggy1vNj4mmoliNCeq6v4m5gSvunfHw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3T2FrRHk5bkMzTjN3bC8v + WXpZK09IUnZYeFJjVWE1cXRUMFhZVGNXYzFrCjc1NlFuR2FoS0ViZ1BmWHhoYzdS + bldIalB6Y3lPcnVMeFdaVlp4QTdieUUKLS0tIGxodFB2TEJ0N0srd05NT0F6WGJv + 
MmlJc3JiSjRNcWdGa0FZWHBCVE1QOUkK+4koO0X+MacnseXM8n6rzbW38y5qe1qz + sXPUdd2HyvWhgjsLBwzrh47dSg7eg/2GSBL8tg0AtMgcdo+UADaW5Q== -----END AGE ENCRYPTED FILE----- - recipient: age1ezq2j34qngky22enhnslx6hzh4ekwk8dtmn6c9us0uqxqpn7hgpsspjz58 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaem43dCtZQVNTclNsa3Iz - Z0hsckJ6NUV1dlFNY1VSVkd6SFZoL3FyNGtnClpIOGVGUTllTlRlQjBHenVJWHVx - QnJSZll5Y0YzRWM5cVJPMVlodDMvaEUKLS0tIC9aR2I0dUJWN2IzejJMV29pcmw3 - TEdaaUlCaDduTzhlWG9VaExidFFrNmMKlJ1FXJvBs2DKrh68d5CNt7CVP/02PJij - dO6PstwPHlrrGzkDFFsCo2/klnNr6/u1onKrxoF4SIDqKe5uc7lCew== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGYTJZZ0JHOEZhQ0swaCtm + VWhBQnVUaUxJaFBhbUxtY2JCNWM0bWl4ZVFjCmVHSHpMcnh4czFncVFBUDFmMEY2 + bnNjaW0zcjVuMFVVdFE1SG1sQURYRWMKLS0tIC9NNCt6bjhkbE5CMmxEOUEvM3Ns + b3QyQ28vdEw3dXg4NVNsK1k2ZjFMZWsKpLHQeXdE+HrDYJT5ogsnbBDQYsvz7GJ3 + MCb8u1lyi9MjOLeBloYEsCA5Je1ndaHQWdyYwO44jRYmKqMdiy7H2w== -----END AGE ENCRYPTED FILE----- - recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVHFDSVlmZTBGNm9qMHAv - WGlhbGg2RlEwWGgwUThZSDFMWCtaRkovUlJvCmhGdDRsWG05UzQrdnExakxMa012 - YzZMTHk0cngvdEVmMmRLVVJydE9lcUkKLS0tIHN2RS95bEhqZ3Z3TjlaSWZPOWxi - Zmw1SlFmcXRHd0VCLzQ2MzJGeENFMVUKq2ZVDC9b2zaYqCp1ZmZG9Xrg6hzR3uSt - XyTTJZiiOb85iYsxs19MqvKYl74k4Yqmyz8ZjAkMDE1bSOF6BWKutw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4M2dJYnRkclJDOW1MR1pL + bVB2TDMwd2dwZ3hETVlid2NyR1d1bU9pY1c0ClpxSXZvMjkrY1l5UnpIMUpUVXZX + NkdrMmFxdnE5cnF6aVVxMlFjUmxPZGsKLS0tIE5JVGFWWXZ0OVdLUmFRSHNpWnM4 + Ky9VaDF4T2lmVTlJMmJ5aHc4bEVKYjAKrfcusKuMyq+YjPAKZjm/IGyL1OD25LUl + v4CafBt1QnXfBODC3G+CnKQi2SWMttb+0cvhdzbZpMQ1/RaaLxg04Q== -----END AGE ENCRYPTED FILE----- - recipient: age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZUhFZW5yaGxUUEo0WXhy - 
M1FLQVY2dzkxVzgrbW9qNEJhQm94dGtONFZZCkdreTZ0WklOK2ZSUytTZWNSbThv - OEFFbW1jQkJxaDlZVXZYZlVXRUljbmcKLS0tIDcvRHMvVTNYZFBNamhhSFArMm1i - L3RUTFZVZzZicmwvT3g1ZHRPOWFzcmcKaHQqShGZFMtY8FliQ+OokvEYZIbjFsi9 - zxUHYxDzcLtNkRioYnK4gb3Nv/lA8AOL4RaH0AlU0kQLaXwVVGhiIQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1YlpzNzVid2E0TnBxZTNW + ZFltbmZWaXdodFdJYUdhbkhvSzBZNUFlWTBRClVZS3dBY0thMnJtUDdzaFk2R0Za + TzFVMXIxN3VaSXI5RXlCQVdFWk5QSEUKLS0tIFFMblVLV0ZONXNaa2RhTjhMbUpK + SFhJS2dZU1dSWUR6NFNMZ2pQM2ZSa1EKRz0hZ5vs9UDJBprfc71HqA9e5rra2FV1 + +yAm4cafwIq7d7Tiv8ySsxkD++IUp/a7e5awBRyWjcDtPv00KSMXcQ== -----END AGE ENCRYPTED FILE----- - recipient: age1zkzpnfeakyvg3fqtyay32sushjx2hqe28y6hs6ss7plemzqjqa5s6s5yu3 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnSHJuajhUZ2hxODBJNVMx - cTMrSGJKeHoxd2docUpqYS91TUszTHQwcHgwCnV6WG1UcVBmcUIreUVQYU5uODhO - QXVnKy9vUlRhWjRKcnJCWDdNMGVkcDAKLS0tICtoWXlESDB2c1M3UDh0V2k1VHhU - SFhVd1Exd293NEZRK3dVNDBTcS92OUkKj6RDzuAKCX53kGLNL+lygtynYECTjOXn - KgKlvwcp32eNCmo4uzAiNv8seRsBbnV3SeZaGQyTVdEsz5hw8UNNxw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJUnI5bTZ3UlEraXFqODh1 + RjdDdFNLZHdreVFLVHhOMGVsTW9qT1g4c3k4ClFscHplQXBtem5aWjBweC9aN2ZR + YlcwdnNFcEFnNEZscDc0RFhhNzhiMVEKLS0tIEx1SGQ1bTdERWdTZE90OGdCN3F6 + czBnN0JQUEV6bXBZUFdaN3d6ZTFyclEKV+F7KvpPFtHKs9Hm9BTQKUXyiRPGLTHN + EwOPWNBD/2aNTuVb4M9gtV0tA37C5HpbqvIts2E0PPKR1u7wfzfA3Q== -----END AGE ENCRYPTED FILE----- - recipient: age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZ3F0NDgxbGIwUUNTWGNu - QWkxUVVIT1NNVDd3emdVSHVkVEtlZ2lGNmtNCjBPNFJQdm9JQnBNc2RtNmJvOWkr - YjFrTVBqdEk1UncrcWtVaTI1MU9GRlEKLS0tIHlxV1QzN3NDcEROS0ZKbGFrRHBm - NDM0dWFqR3l5QjNxdDZjNVhaaGxIWkkKoIykk64vKTXtojm+iR8mhIHy3wwGKPvt - KI5kkqsHQ8cO8K8JUFJRgizyHd9dPcbcciaE1WrD3e5yhYqgh/VhrA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsREg2d29va0NJMTZBNHYy + 
c042aVlqYUp1cUFzaFpyWE5kSWtseWkvM3pVCkRWZHFtTzJpMDFZYTJ4aEZHSUlE + MTY5aUxEckZWTmI5Q3VxYkRXZnhLYVEKLS0tIEZkODdWZ2VOcjhtb3N0NGY4Rmo4 + Y2E2QVVXU1MwWVMybklzMHo0Z005Z1UK9pmi+GwuF1S2aE/jFuwQJt+a98ha5gL5 + dHYck4w46WCm8gcHYJcdmsDsjo9L6ctHydb+4t5Y93HuPExCeMM8QA== -----END AGE ENCRYPTED FILE----- - recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFVng0TDlhSHNqOGpqbnZO - Q054VWQ1anR0Q21wUWhBRGhLVXF3cE5Ib0ZjCmYrS0NZYXJ1NHRQR0J3RVZBbDZy - dmRpQXJoYzYwNDRXd2g4NkRKakNIVkUKLS0tIEhVV1Nwcmt3OGhqMzN6L3EzL0JI - YWxOZ2dUd2J3S09QNVl0WW9JWUlJaUUKZWgXbwGlqLwE5XN/kwYFYqWiKvmTJFJo - S1t+iZp5Uc8LFrPk+x6wdiXP/7FHCXqmy+4nOryJNM0evyydUZbVyQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQk8vbjZzZ2NVUUxDUVNi + bjhaR2lvQnBydTh2Z0UwSVNlU1RFdXVQS1ZVCldKQkZ4RlM1d1d4YnVWRUdEcTVZ + SzFPaWZybzlIdHFzWDJ5dUQ5KzJNNnMKLS0tIFpOR29ZWkR5U1luN244VFhrMTli + UlpqRndwSGU0TThhZDlnNThNOGdrVDgKB+XMImAF2bJ8xbN5+MlEF5k0KRGWy++I + EmWK6MCJCEfpVmGXpKMSMKOwqU+Ut7kTv9JaClce8WjIB8gxfYqfog== + -----END AGE ENCRYPTED FILE----- + - recipient: age12msc2c6drsaw0yk2hjlaw0q0lyq0emjx5e8rq7qc7ql689k593kqfmhss2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUWhyTTdHR2lIaWgzWGZx + bnR3LytwR3B2c0VxMXY4d1VNTkcvRDVrSUdFCkhJTmhML1RST2ZaVjB2bC9NekM1 + UURzVW1RWS9mbW96ZVlFVUNXbXlFWE0KLS0tIHNpbzNhWkFUWnJZbytxbTZaZERK + TlFuZXVOOW1yZUx1T2I3ZzRDTnRYZkEKXxEpCNwFJuaxXweoQfv7PB3vc0v2x6cg + suLCk1X1XrsoepeC7vlVKv40yUV63j3MuGpaiRkGuwsQAyQLpwBNVA== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-08-19T08:05:08Z" mac: ENC[AES256_GCM,data:xggGGP0zLQHCh3p8b1K/1m+EfkU8lemWvV4jk4pujJv8ZcXwqbpz5REAibIKy42PHN0vfOQhTkcTBWd8sK9AkmeyrHwKkR8ecBbDf5t1RzJ0vXmy9Ro8OIbUwSPpbAjlOYoFU3NWTwOgOOyCNze8iXI48Zu4prdJoGiAhsOKvQ8=,iv:pYutJgy2lJnckDAG279El8Sas/YEWLHLIM1+/NHxxTQ=,tag:drMFDUQDZ8nJeq9/F5Y+mg==,type:str]
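Review bot: With the added stanza for age12msc2c6drsaw0yk2hjlaw0q0lyq0emjx5e8rq7qc7ql689k593kqfmhss2, this file now has twelve age recipients, and each of those host keys — including netboot (age14uar…), testmodules (age1zkzp…) and the still-present old fw key (age1wq82…) — is a full reader of the VictoriaMetrics credentials; a compromise of any one host exposes them for the whole fleet. That is the cost of one shared secrets file per module and may be an accepted trade-off, but it is worth noting in the commit, and per-role files (or per-host rules matching the host-specific ones used elsewhere) would shrink the blast radius. Since the lines before line 8 are outside this hunk and unchanged, the data key was re-wrapped rather than rotated; that only matters once a recipient is removed, at which point `sops rotate -i` plus a credential change is needed because old revisions remain decryptable by the removed key.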