Compare commits
2 commits
507779e306
...
5c67309439
| Author | SHA1 | Date | |
|---|---|---|---|
| 5c67309439 | |||
| def062a84c |
19 changed files with 357 additions and 252 deletions
28
.claude/devil-advocate.md
Normal file
28
.claude/devil-advocate.md
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
# Devil's Advocate Review — Project Conventions
|
||||
|
||||
## Critical rules (must never be violated)
|
||||
|
||||
- **Never update `system.stateVersion`** — it must remain at the original installation version. NixOS upgrades are done by updating the `channel` file, not `stateVersion`.
|
||||
- **Never modify `secrets.yaml` directly** — these are SOPS-encrypted. Changes must be made via `nix-shell -p sops --run 'sops <file>'`.
|
||||
- **No plaintext secrets in Nix files** — passwords, API keys, tokens, and private keys must use `sops.secrets`, never hardcoded strings.
|
||||
|
||||
## Architecture rules
|
||||
|
||||
- **Explicit module imports only** — no wildcard or directory-level imports. Each module must be imported by its explicit path.
|
||||
- **Host structure** — each host in `hosts/<name>/` must have `configuration.nix` and `hardware-configuration.nix`. Symlinks `fleet.nix` and `utils/` point to root level.
|
||||
- **Shared modules** go in `utils/modules/`, not duplicated across hosts.
|
||||
- **Custom packages** in `utils/pkgs/` must include an `update.sh` script for automated version updates.
|
||||
|
||||
## Code style
|
||||
|
||||
- **Two-space indentation** in all Nix files.
|
||||
- **Lower kebab-case** for file and directory naming.
|
||||
- **Conventional Commits** format: `fix:`, `feat:`, `chore:`, with optional scope by host (e.g., `fix(mail):`).
|
||||
- No "Generated with Claude Code" or "Co-Authored-By: Claude" footers in commits.
|
||||
|
||||
## Common review checks
|
||||
|
||||
- New network services must have corresponding `networking.firewall.allowedTCPPorts` or `allowedUDPPorts` entries.
|
||||
- New `sops.secrets.<name>` references must have a corresponding entry in the host's `secrets.yaml` (or the relevant module's `secrets.yaml`).
|
||||
- Changes to `utils/` affect all hosts — verify cross-host compatibility.
|
||||
- Package modifications should be testable with a direct `nix-build`, not just `test-configuration`.
|
||||
26
.claude/lint-fixer.md
Normal file
26
.claude/lint-fixer.md
Normal file
|
|
@ -0,0 +1,26 @@
|
|||
# Lint Fixer Instructions
|
||||
|
||||
## Formatter
|
||||
|
||||
This project uses **nixpkgs-fmt** for Nix file formatting.
|
||||
|
||||
## How to run
|
||||
|
||||
1. Find changed `.nix` files:
|
||||
```bash
|
||||
git diff --name-only --diff-filter=d HEAD | grep '\.nix$'
|
||||
```
|
||||
2. Format only those files:
|
||||
```bash
|
||||
nix run nixpkgs#nixpkgs-fmt -- <file1.nix> <file2.nix> ...
|
||||
```
|
||||
3. Stage any formatting changes:
|
||||
```bash
|
||||
git add <formatted files>
|
||||
```
|
||||
|
||||
## Notes
|
||||
|
||||
- Only format files that were actually modified, not the entire repo.
|
||||
- There is no `.editorconfig` or other formatter config; `nixpkgs-fmt` uses its own defaults.
|
||||
- Non-Nix files do not need formatting.
|
||||
35
.claude/secret-scanner.md
Normal file
35
.claude/secret-scanner.md
Normal file
|
|
@ -0,0 +1,35 @@
|
|||
# Secret Scanner Allowlist
|
||||
|
||||
## False positive patterns to ignore
|
||||
|
||||
### SOPS-encrypted secrets files
|
||||
All `secrets.yaml` files in this repo are **SOPS-encrypted** (not plaintext). They contain encrypted ciphertext, not actual secrets. Ignore:
|
||||
- `hosts/*/secrets.yaml`
|
||||
- `hosts/*/modules/*/secrets.yaml`
|
||||
- `utils/modules/*/secrets.yaml`
|
||||
- Any `.yaml` file matching a `path_regex` in `.sops.yaml`
|
||||
|
||||
### Age public keys
|
||||
The file `.sops.yaml` contains **age public keys** (prefix `age1...`). These are public keys used for encryption, not private keys. Ignore:
|
||||
- Age public keys (`age1...`) in `.sops.yaml`
|
||||
- Age public key references (YAML anchors like `&dominik`, `&fw`, etc.) in `.sops.yaml`
|
||||
|
||||
### Nix hashes and store paths
|
||||
Nix derivations contain SHA256/SRI hashes for source integrity verification. These are not secrets. Ignore:
|
||||
- `sha256` / `hash` attributes in `.nix` files (e.g., `sha256 = "sha256-..."` or `hash = "sha256-..."`)
|
||||
- `npmDepsHash`, `vendorHash`, `cargoHash`, and similar dependency hashes
|
||||
- Nix store paths (`/nix/store/...`)
|
||||
- `nix-prefetch-url` output hashes
|
||||
- SRI hashes (`sha256-...`, `sha512-...`)
|
||||
|
||||
### sops-nix module configuration
|
||||
Nix files reference sops secret paths as configuration, not actual secret values. Ignore:
|
||||
- `sops.secrets.<name>` attribute sets
|
||||
- `sopsFile` path references
|
||||
- `key` attributes within `sops.secrets` blocks (these are YAML key paths, not cryptographic keys)
|
||||
- `neededForUsers` attributes
|
||||
|
||||
### Other safe patterns
|
||||
- `flake.lock` — contains Nix flake input hashes (integrity, not secrets)
|
||||
- SSH **public** key strings in NixOS configuration (e.g., `openssh.authorizedKeys.keys`)
|
||||
- Wireguard **public** keys in NixOS configuration
|
||||
35
.claude/test-runner.md
Normal file
35
.claude/test-runner.md
Normal file
|
|
@ -0,0 +1,35 @@
|
|||
# Test Runner Instructions
|
||||
|
||||
## Determine affected hosts
|
||||
|
||||
Run `git diff --name-only HEAD` (or `git diff --name-only` for unstaged changes) to find changed files.
|
||||
|
||||
### Scope rules
|
||||
|
||||
- If changes are **only** under `hosts/<name>/`, test only that specific host:
|
||||
```bash
|
||||
./scripts/test-configuration <name>
|
||||
```
|
||||
- If changes touch `utils/`, root-level `.nix` files, or any shared configuration, test **all** hosts:
|
||||
```bash
|
||||
for host in amzebs-01 fw mail nas nb web-arm; do
|
||||
./scripts/test-configuration "$host"
|
||||
done
|
||||
```
|
||||
|
||||
### Custom package changes
|
||||
|
||||
If any files under `utils/pkgs/<package-name>/` were modified, also build the package directly:
|
||||
|
||||
```bash
|
||||
nix-build -E 'with import <nixpkgs> { overlays = [ (import ./utils/overlays/packages.nix) ]; config.allowUnfree = true; }; <package-name>'
|
||||
```
|
||||
|
||||
This catches build failures that `test-configuration` (evaluation-only) would miss.
|
||||
|
||||
## Notes
|
||||
|
||||
- Each `test-configuration` run performs a `nix-instantiate` dry-build (evaluation only, no binary builds).
|
||||
- A non-zero exit code from any host means the test failed.
|
||||
- Testable hosts: `amzebs-01`, `fw`, `mail`, `nas`, `nb`, `web-arm`.
|
||||
- `dev` is not independently testable (no `hardware-configuration.nix`); it is deployed as a MicroVM via the `fw` host, so testing `fw` covers `dev`.
|
||||
|
|
@ -89,7 +89,7 @@ nix-build -E 'with import <nixpkgs> { overlays = [ (import ./utils/overlays/pack
|
|||
|
||||
## Workflow
|
||||
|
||||
**IMPORTANT: Always run `./scripts/test-configuration <hostname>` after making any changes** to verify the NixOS configuration builds successfully. This is required before committing.
|
||||
Run `./scripts/test-configuration <hostname>` to verify NixOS configuration changes build successfully.
|
||||
|
||||
## Conventions
|
||||
|
||||
|
|
|
|||
|
|
@ -46,11 +46,7 @@
|
|||
networking.domain = "cloonar.com";
|
||||
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFshMhXwS0FQFPlITipshvNKrV8sA52ZFlnaoHd1thKg"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
|
||||
];
|
||||
users.users.root.openssh.authorizedKeys.keys = import ./utils/ssh-keys.nix;
|
||||
|
||||
programs.ssh = {
|
||||
knownHosts = {
|
||||
|
|
|
|||
|
|
@ -46,10 +46,7 @@ in
|
|||
uid = 1000;
|
||||
home = "/home/dominik";
|
||||
extraGroups = [ "wheel" "docker" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
|
||||
];
|
||||
openssh.authorizedKeys.keys = import ./utils/ssh-keys.nix;
|
||||
};
|
||||
users.groups.users = { };
|
||||
|
||||
|
|
|
|||
|
|
@ -184,10 +184,7 @@
|
|||
zramSwap.enable = true;
|
||||
networking.hostName = "fw";
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
|
||||
];
|
||||
users.users.root.openssh.authorizedKeys.keys = import ./utils/ssh-keys.nix;
|
||||
|
||||
# backups
|
||||
borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg";
|
||||
|
|
|
|||
|
|
@ -1,10 +1,13 @@
|
|||
{ config, lib, pkgs, ... }: let
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
# Short names to fit Linux interface name limit (15 chars for vm-fj-runner-1)
|
||||
runners = [ "fj-runner-1" "fj-runner-2" ];
|
||||
# Offset by 5 to avoid conflicts with Gitea runners (01-02)
|
||||
runnerOffset = 5;
|
||||
in {
|
||||
microvm.vms = lib.mapAttrs (runner: idx: {
|
||||
in
|
||||
{
|
||||
microvm.vms = lib.mapAttrs
|
||||
(runner: idx: {
|
||||
config = {
|
||||
microvm = {
|
||||
mem = 8096;
|
||||
|
|
@ -70,9 +73,7 @@ in {
|
|||
};
|
||||
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
|
||||
];
|
||||
users.users.root.openssh.authorizedKeys.keys = import ../utils/ssh-keys.nix;
|
||||
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
|
|
@ -81,7 +82,8 @@ in {
|
|||
|
||||
system.stateVersion = "22.05";
|
||||
};
|
||||
}) (lib.listToAttrs (lib.lists.imap1 (i: v: { name=v; value=i; }) runners));
|
||||
})
|
||||
(lib.listToAttrs (lib.lists.imap1 (i: v: { name = v; value = i; }) runners));
|
||||
|
||||
sops.secrets.forgejo-runner-token = { };
|
||||
}
|
||||
|
|
|
|||
|
|
@ -130,10 +130,7 @@ in
|
|||
systemd.services.forgejo.serviceConfig.EnvironmentFile = "/run/secrets/forgejo-mailer-password";
|
||||
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
|
||||
];
|
||||
users.users.root.openssh.authorizedKeys.keys = import ../utils/ssh-keys.nix;
|
||||
|
||||
users.users.forgejo = user;
|
||||
users.groups.forgejo = group;
|
||||
|
|
|
|||
|
|
@ -1,10 +1,13 @@
|
|||
{ config, lib, nixpkgs, pkgs, ... }: let
|
||||
{ config, lib, nixpkgs, pkgs, ... }:
|
||||
let
|
||||
# hostname = "git-02";
|
||||
# json = pkgs.formats.json { };
|
||||
runners = [ "git-runner-1" "git-runner-2" ];
|
||||
indexedRunners = lib.lists.imap1 (i: v: { name = v; value = i; }) runners;
|
||||
in {
|
||||
microvm.vms = lib.mapAttrs (runner: idx: {
|
||||
in
|
||||
{
|
||||
microvm.vms = lib.mapAttrs
|
||||
(runner: idx: {
|
||||
config = {
|
||||
microvm = {
|
||||
mem = 8096;
|
||||
|
|
@ -71,9 +74,7 @@ in {
|
|||
};
|
||||
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
|
||||
];
|
||||
users.users.root.openssh.authorizedKeys.keys = import ../utils/ssh-keys.nix;
|
||||
|
||||
networking.firewall = {
|
||||
enable = true; # default, but being explicit is fine
|
||||
|
|
@ -82,7 +83,8 @@ in {
|
|||
|
||||
system.stateVersion = "22.05";
|
||||
};
|
||||
}) (lib.listToAttrs (lib.lists.imap1 (i: v: { name=v; value=i; }) runners));
|
||||
})
|
||||
(lib.listToAttrs (lib.lists.imap1 (i: v: { name = v; value = i; }) runners));
|
||||
|
||||
# microvm.vms = {
|
||||
# gitea = {
|
||||
|
|
|
|||
|
|
@ -122,10 +122,7 @@ in
|
|||
};
|
||||
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
|
||||
];
|
||||
users.users.root.openssh.authorizedKeys.keys = import ../utils/ssh-keys.nix;
|
||||
|
||||
users.users.gitea = user;
|
||||
users.groups.gitea = group;
|
||||
|
|
|
|||
|
|
@ -11,10 +11,7 @@ let
|
|||
gateway = "${config.networkPrefix}.97.1";
|
||||
tapDevice = "vm-openclaw";
|
||||
|
||||
sshAuthorizedKeys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
|
||||
];
|
||||
sshAuthorizedKeys = import ../utils/ssh-keys.nix;
|
||||
|
||||
gitRepoUrl = "https://git.cloonar.com/openclawd/config.git";
|
||||
|
||||
|
|
|
|||
|
|
@ -1,8 +1,10 @@
|
|||
{ lib, pkgs, config, ... }: let
|
||||
{ lib, pkgs, config, ... }:
|
||||
let
|
||||
hostname = "web-02";
|
||||
json = pkgs.formats.json { };
|
||||
impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
|
||||
in {
|
||||
in
|
||||
{
|
||||
microvm.vms = {
|
||||
web = {
|
||||
pkgs = import pkgs.path {
|
||||
|
|
@ -115,10 +117,7 @@ in {
|
|||
}
|
||||
];
|
||||
};
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
|
||||
];
|
||||
users.users.root.openssh.authorizedKeys.keys = import ../../utils/ssh-keys.nix;
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
|
|
|||
|
|
@ -29,10 +29,7 @@
|
|||
environment.systemPackages = with pkgs; [ vim ];
|
||||
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
|
||||
];
|
||||
users.users.root.openssh.authorizedKeys.keys = import ./utils/ssh-keys.nix;
|
||||
|
||||
# backups
|
||||
borgbackup.repo = "u149513-sub7@u149513-sub7.your-backup.de:borg";
|
||||
|
|
|
|||
|
|
@ -2,7 +2,8 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
|
||||
in {
|
||||
in
|
||||
{
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
imports = [
|
||||
|
|
@ -38,10 +39,7 @@ in {
|
|||
|
||||
# SSH server
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
|
||||
];
|
||||
users.users.root.openssh.authorizedKeys.keys = import ./utils/ssh-keys.nix;
|
||||
|
||||
# Firewall
|
||||
networking.firewall.enable = true;
|
||||
|
|
|
|||
|
|
@ -81,10 +81,7 @@
|
|||
networking.hostName = "web-arm";
|
||||
networking.domain = "cloonar.com";
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
|
||||
];
|
||||
users.users.root.openssh.authorizedKeys.keys = import ./utils/ssh-keys.nix;
|
||||
|
||||
programs.ssh = {
|
||||
knownHosts = {
|
||||
|
|
|
|||
2
todos.md
2
todos.md
|
|
@ -6,4 +6,4 @@ switch from gitea to forgejo
|
|||
## chache server
|
||||
https://github.com/zhaofengli/attic
|
||||
|
||||
set ssh keys that each server should accept somewhere globally in utils and each server should implement it
|
||||
# TODO: set ssh keys that each server should accept somewhere globally in utils and each server should implement it
|
||||
|
|
|
|||
5
utils/ssh-keys.nix
Normal file
5
utils/ssh-keys.nix
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
[
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFshMhXwS0FQFPlITipshvNKrV8sA52ZFlnaoHd1thKg"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
|
||||
]
|
||||
Loading…
Add table
Add a link
Reference in a new issue