diff --git a/flake.lock b/flake.lock index 2ad393a..8ddb761 100644 --- a/flake.lock +++ b/flake.lock @@ -45,6 +45,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1734701201, + "narHash": "sha256-hk0roBX10j/hospoWIJIJj3i2skd7Oml6yKQBx7mTFk=", + "owner": "nix-community", + "repo": "disko", + "rev": "2ee76c861af3b895b3b104bae04777b61397485b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -138,6 +158,7 @@ "root": { "inputs": { "agenix": "agenix", + "disko": "disko", "home-manager": "home-manager_2", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", diff --git a/flake.nix b/flake.nix index 2b4a6f5..ec74963 100644 --- a/flake.nix +++ b/flake.nix @@ -12,9 +12,18 @@ url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; }; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = - { nixpkgs, agenix, ... }@inputs: + { + nixpkgs, + agenix, + disko, + ... + }@inputs: let mkSystem = host: { "${host}" = nixpkgs.lib.nixosSystem rec { @@ -23,6 +32,7 @@ modules = [ (./hosts + "/${host}") agenix.nixosModules.default + disko.nixosModules.disko { environment.systemPackages = [ agenix.packages.${system}.default ]; } ]; }; @@ -32,8 +42,9 @@ nixosConfigurations = nixpkgs.lib.mergeAttrsList ( nixpkgs.lib.forEach [ "APPA" - "T430" "IROH" + "MOMO" + "T430" ] mkSystem ); }; diff --git a/hosts/APPA/default.nix b/hosts/APPA/default.nix index b36814b..17f7066 100644 --- a/hosts/APPA/default.nix +++ b/hosts/APPA/default.nix @@ -13,6 +13,8 @@ ]; bchmnn = { + home.enable = true; + git = { signing = { key = "0x7753026D577922A6"; diff --git a/hosts/APPA/services/adguard-home.nix b/hosts/APPA/services/adguard-home.nix index e0b2b74..ad54709 100644 --- a/hosts/APPA/services/adguard-home.nix +++ b/hosts/APPA/services/adguard-home.nix 
@@ -50,10 +50,6 @@ domain = "anki.dryb.org"; answer = "192.168.2.40"; } - { - domain = "vaultwarden.dryb.org"; - answer = "192.168.2.40"; - } { domain = "paperless.dryb.org"; answer = "192.168.2.40"; @@ -62,6 +58,22 @@ domain = "jellyfin.dryb.org"; answer = "192.168.2.40"; } + { + domain = "momo.dryb.org"; + answer = "188.245.216.128"; + } + { + domain = "momo.dryb.org"; + answer = "2a01:4f8:1c1e:8abc::1"; + } + { + domain = "syncthing.dryb.org"; + answer = "momo.dryb.org"; + } + { + domain = "vaultwarden.dryb.org"; + answer = "momo.dryb.org"; + } ]; }; dhcp = { diff --git a/hosts/APPA/services/default.nix b/hosts/APPA/services/default.nix index 87c397f..204482b 100644 --- a/hosts/APPA/services/default.nix +++ b/hosts/APPA/services/default.nix @@ -11,6 +11,5 @@ ./nginx.nix ./paperless.nix ./postgresql.nix - ./vaultwarden.nix ]; } diff --git a/hosts/APPA/services/homepage-dashboard.nix b/hosts/APPA/services/homepage-dashboard.nix index dfcf273..6e507cb 100644 --- a/hosts/APPA/services/homepage-dashboard.nix +++ b/hosts/APPA/services/homepage-dashboard.nix @@ -111,13 +111,6 @@ icon = "si-anki"; }; } - { - "Vaultwarden" = { - description = "https://vaultwarden.dryb.org"; - href = "https://vaultwarden.dryb.org"; - icon = "vaultwarden"; - }; - } { "Paperless" = { description = "https://paperless.dryb.org"; diff --git a/hosts/APPA/services/nginx.nix b/hosts/APPA/services/nginx.nix index 49ac1b3..0ac7da1 100644 --- a/hosts/APPA/services/nginx.nix +++ b/hosts/APPA/services/nginx.nix @@ -36,13 +36,6 @@ proxyPass = "http://127.0.0.1:8004"; }; }; - virtualHosts."vaultwarden.dryb.org" = { - useACMEHost = "dryb.org"; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:8005"; - }; - }; virtualHosts."paperless.dryb.org" = { useACMEHost = "dryb.org"; forceSSL = true; diff --git a/hosts/APPA/services/postgresql.nix b/hosts/APPA/services/postgresql.nix index 907facd..c04d80a 100644 --- a/hosts/APPA/services/postgresql.nix +++ b/hosts/APPA/services/postgresql.nix 
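Review bot: The new `momo.dryb.org` IPv4 answer `188.245.216.128` has no counterpart anywhere in MOMO's own configuration — `hosts/MOMO/network.nix` in this commit declares only the IPv6 address, and IPv4 comes from DHCP (`networking.useDHCP` in `hosts/MOMO/hardware.nix`) — so nothing ties this rewrite to the machine it names and the two can drift silently. A one-line comment above the entry keeps that visible: `# MOMO: IPv6 is static in hosts/MOMO/network.nix; IPv4 is DHCP-assigned and must be updated here by hand`. The `syncthing.dryb.org` and `vaultwarden.dryb.org` answers are hostnames rather than addresses, unlike every other entry in this list; that is presumably intended (LAN clients are sent to the public host), but a short comment saying so would save the next reader from treating it as a typo.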
@@ -5,15 +5,10 @@ enable = true; ensureDatabases = [ config.services.gitea.user - "vaultwarden" config.services.paperless.user ]; ensureUsers = [ - { - name = "vaultwarden"; - ensureDBOwnership = true; - } { name = config.services.paperless.user; ensureDBOwnership = true; @@ -23,14 +18,12 @@ # type database DBuser auth-method mapping authentication = '' local gitea all ident map=gitea-users - local vaultwarden all ident map=vaultwarden-users local paperless all ident map=paperless-users ''; # name sysuser dbuser identMap = '' gitea-users gitea gitea - vaultwarden-users vaultwarden vaultwarden paperless-users paperless paperless ''; }; diff --git a/hosts/MOMO/default.nix b/hosts/MOMO/default.nix new file mode 100644 index 0000000..dce8cd2 --- /dev/null +++ b/hosts/MOMO/default.nix @@ -0,0 +1,38 @@ +{ ... }: +{ + imports = [ + ./services + ./hardware.nix + ./network.nix + ../../modules + ]; + + bchmnn = { + network = { + resolved.enable = true; + networkd.enable = true; + }; + collections = { + cli-utils.enable = true; + }; + }; + + services.openssh = { + settings = { + PasswordAuthentication = false; + }; + }; + + users.users.root = { + openssh = { + authorizedKeys = { + keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOG8Sja2i6nepkEkuxYdu86XbT9vS5uniBmZifSMZ0t jacob.bachmann@posteo.de" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrE1fMXjJXI8f1mKvhLquwSsb4tvLh5Tq0n+yOakQks gandalf@appa.dryb.com" + ]; + }; + }; + }; + + documentation.nixos.enable = false; +} diff --git a/hosts/MOMO/hardware.nix b/hosts/MOMO/hardware.nix new file mode 100644 index 0000000..2a302c4 --- /dev/null +++ b/hosts/MOMO/hardware.nix 
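Review bot: Removing `vaultwarden` from `ensureDatabases` and `ensureUsers` does not remove the role or the database from the running PostgreSQL on APPA — `ensure*` only creates, it never drops — so a full copy of the password-manager database remains on this host after the service moves to MOMO. Once the MOMO instance is verified, the orphaned role and database should be dropped (or archived and then dropped); the removed `local vaultwarden all ident map=vaultwarden-users` line correctly closes the ident path to it in the meantime. A comment here marking that manual step keeps the leftover from being forgotten, e.g. `# vaultwarden moved to MOMO; ensure* never drops, so the old role/database must be removed by hand`.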
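Review bot: `services.openssh.settings` in the new `hosts/MOMO/default.nix` disables password authentication but leaves `KbdInteractiveAuthentication` and `PermitRootLogin` at the module defaults, on a public host whose only SSH identity is root; with a PAM-backed sshd, keyboard-interactive may still accept password logins unless it is also set to false, and root access relies on the `prohibit-password` default being untouched. For the machine that hosts the password manager both should be explicit: `PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "prohibit-password";`. Note also that the second authorized key, `gandalf@appa.dryb.com`, is a user key on APPA and now grants root on MOMO, so the protection of that workstation key sets the bar for this host; a comment next to it recording that decision would help.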
@@ -0,0 +1,68 @@ +{ lib, modulesPath, ... }: +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot.initrd.availableKernelModules = [ + "ahci" + "xhci_pci" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = true; + }; + + disko.devices = { + disk.disk1 = { + device = lib.mkDefault "/dev/sda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + name = "BOOT"; + size = "1M"; + type = "EF02"; + }; + esp = { + name = "ESP"; + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + name = "ROOT"; + end = "-8G"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + plainSwap = { + size = "100%"; + content = { + type = "swap"; + discardPolicy = "both"; + }; + }; + }; + }; + }; + }; + + networking.useDHCP = lib.mkDefault true; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/MOMO/network.nix b/hosts/MOMO/network.nix new file mode 100644 index 0000000..6eb2781 --- /dev/null +++ b/hosts/MOMO/network.nix @@ -0,0 +1,22 @@ +{ ... }: +{ + networking = { + hostName = "MOMO"; + interfaces.enp1s0 = { + ipv6.addresses = [ + { + address = "2a01:4f8:1c1e:8abc::1"; + prefixLength = 64; + } + ]; + }; + defaultGateway6 = { + address = "fe80::1"; + interface = "enp1s0"; + }; + nameservers = [ + "2a01:4ff:ff00::add:1" + "2a01:4ff:ff00::add:2" + ]; + }; +} diff --git a/hosts/MOMO/services/acme.nix b/hosts/MOMO/services/acme.nix new file mode 100644 index 0000000..3556fab --- /dev/null +++ b/hosts/MOMO/services/acme.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + security.acme = { + acceptTerms = true; + defaults.email = "gendulf@posteo.de"; + }; +} 
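Review bot: The `plainSwap` entry in `disko.devices` is an unencrypted swap area on a VPS that this commit also makes the Vaultwarden and PostgreSQL host; anything those processes hold in memory (session tokens, the JWT signing key, database pages) can be paged to that partition in clear and outlives a reboot, a snapshot or a re-imaged volume. disko's swap content supports per-boot random keys, so the entry can become `content = { type = "swap"; randomEncryption = true; discardPolicy = "both"; };` with no operational cost. The root filesystem is unencrypted as well, which is a reasonable trade-off on a remote machine without a remote-unlock path; a comment on `disk.disk1` saying that it is deliberate would stop the next reader from assuming an oversight.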
diff --git a/hosts/MOMO/services/default.nix b/hosts/MOMO/services/default.nix new file mode 100644 index 0000000..cd167d2 --- /dev/null +++ b/hosts/MOMO/services/default.nix @@ -0,0 +1,9 @@ +{ + imports = [ + ./acme.nix + ./nginx.nix + ./postgresql.nix + ./syncthing.nix + ./vaultwarden.nix + ]; +} diff --git a/hosts/MOMO/services/nginx.nix b/hosts/MOMO/services/nginx.nix new file mode 100644 index 0000000..5ced4f0 --- /dev/null +++ b/hosts/MOMO/services/nginx.nix @@ -0,0 +1,27 @@ +{ ... }: +{ + services.nginx = { + enable = true; + virtualHosts."syncthing.dryb.org" = { + addSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8384"; + }; + }; + virtualHosts."vaultwarden.dryb.org" = { + addSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8005"; + }; + }; + }; + + networking.firewall = { + allowedTCPPorts = [ + 80 + 443 + ]; + }; +} diff --git a/hosts/MOMO/services/postgresql.nix b/hosts/MOMO/services/postgresql.nix new file mode 100644 index 0000000..10315c1 --- /dev/null +++ b/hosts/MOMO/services/postgresql.nix @@ -0,0 +1,26 @@ +{ ... }: +{ + + services.postgresql = { + enable = true; + ensureDatabases = [ "vaultwarden" ]; + + ensureUsers = [ + { + name = "vaultwarden"; + ensureDBOwnership = true; + } + ]; + + # type database DBuser auth-method mapping + authentication = '' + local vaultwarden all ident map=vaultwarden-users + ''; + + # name sysuser dbuser + identMap = '' + vaultwarden-users vaultwarden vaultwarden + ''; + }; + +} diff --git a/hosts/MOMO/services/syncthing.nix b/hosts/MOMO/services/syncthing.nix new file mode 100644 index 0000000..69ff84f --- /dev/null +++ b/hosts/MOMO/services/syncthing.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + services.syncthing = { + enable = true; + openDefaultPorts = true; + }; +} 
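Review bot: Both new virtual hosts in `hosts/MOMO/services/nginx.nix` use `addSSL = true`, which keeps serving plain HTTP next to HTTPS; the APPA definition this replaces used `forceSSL = true` for `vaultwarden.dryb.org`, so the move reopens an unencrypted path to the web vault (and to the Syncthing GUI) on a public address. Switch both to `forceSSL = true;` so port 80 only redirects — the ACME HTTP-01 challenge location is still served under `forceSSL`. With `recommendedProxySettings` left off, the upstreams also see every client as `127.0.0.1` in their logs, which defeats any per-client rate limiting or log-based detection behind the proxy; `recommendedProxySettings = true;` next to `enable = true;` fixes that.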
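Review bot: `services.syncthing` in `hosts/MOMO/services/syncthing.nix` is enabled without any GUI credentials, while `nginx.nix` in the same commit publishes the GUI on `syncthing.dryb.org`; as far as this diff shows, the administration interface is reachable from the Internet with no authentication until someone sets a user and password by hand. Configure it declaratively, e.g. `settings.gui = { user = "<GUI_USER>"; password = "<BCRYPT_HASH_PLACEHOLDER>"; };`, or leave the GUI unproxied and reach it over the WireGuard interface the repository already defines. `openDefaultPorts = true` only opens the device-authenticated sync and discovery ports in the firewall, which is the expected exposure for a public node and needs no change.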
diff --git a/hosts/APPA/services/vaultwarden.nix b/hosts/MOMO/services/vaultwarden.nix similarity index 89% rename from hosts/APPA/services/vaultwarden.nix rename to hosts/MOMO/services/vaultwarden.nix index a2e9e3b..f418fe7 100644 --- a/hosts/APPA/services/vaultwarden.nix +++ b/hosts/MOMO/services/vaultwarden.nix @@ -2,9 +2,6 @@ { age.secrets.environments-vaultwarden = { file = ../../../secrets/environments/vaultwarden.age; - # mode = "640"; - # owner = "vaultwarden"; - # group = "vaultwarden"; }; users.users.vaultwarden = { diff --git a/modules/core/applications.nix b/modules/core/applications.nix index ec3048f..6206881 100644 --- a/modules/core/applications.nix +++ b/modules/core/applications.nix @@ -32,6 +32,8 @@ pkgs.inotify-tools # a c library and a set of command-line programs providing a simple interface to inotify pkgs.mkcert # a simple tool for making locally-trusted development certificates pkgs.hexedit + pkgs.gdu # fast disk usage analyzer with console interface written in go + pkgs.duf # disk usage/free utility - a better 'df' alternative ] ++ lib.optionals (config.bchmnn.collections.cli-utils.enable && config.bchmnn.nvidia.enable) [ pkgs.nvtopPackages.full diff --git a/modules/core/network.nix b/modules/core/network.nix index c9f1d8a..f5376d1 100644 --- a/modules/core/network.nix +++ b/modules/core/network.nix @@ -1,10 +1,22 @@ -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: { options.bchmnn = { + network = { + nm = { + enable = lib.mkEnableOption "nm"; + }; + resolved = { + enable = lib.mkEnableOption "resolved"; + }; + networkd = { + enable = lib.mkEnableOption "networkd"; + }; + }; collections = { vpn = { dryborg = { 
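Review bot: The three commented-out `mode`/`owner`/`group` lines were the only record of why `age.secrets.environments-vaultwarden` needs no non-root ownership; with them gone the secret silently keeps agenix's root-only default, which is correct only if the unit reads it through systemd (an `EnvironmentFile=`) rather than as the `vaultwarden` user — the consuming line is outside this hunk. Replace them with one why-comment rather than nothing, e.g. `# root-only by default is intentional: the file is read by the systemd unit, not by the vaultwarden user (confirm if the service definition changes)`. The `../../../secrets/environments/vaultwarden.age` path still resolves after the rename because `hosts/MOMO/services` sits at the same depth as `hosts/APPA/services`; worth a word in the commit message so the unchanged path is not mistaken for a leftover.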
@@ -15,14 +27,16 @@ }; config = { networking = { - networkmanager.enable = true; + networkmanager.enable = config.bchmnn.network.nm.enable; }; - systemd.services = { + systemd.services = lib.mkIf (config.bchmnn.network.nm.enable) { NetworkManager-wait-online.enable = false; }; - services.resolved.enable = config.bchmnn.collections.vpn.enable; + services.resolved.enable = ( + config.bchmnn.network.nm.enable || config.bchmnn.collections.vpn.enable + ); environment.systemPackages = lib.optionals (config.bchmnn.collections.vpn.enable) [ pkgs.openvpn3 
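Review bot: `config.bchmnn.network.resolved.enable` and `config.bchmnn.network.networkd.enable`, declared in the previous hunk of this file, are never read: `services.resolved.enable` here depends only on `nm.enable` and `vpn.enable`, and nothing sets `networking.useNetworkd`, so the `resolved.enable = true; networkd.enable = true;` that `hosts/MOMO/default.nix` sets in this same commit have no effect as far as the diff shows. Wire them in with `services.resolved.enable = config.bchmnn.network.nm.enable || config.bchmnn.network.resolved.enable || config.bchmnn.collections.vpn.enable;` and `networking.useNetworkd = config.bchmnn.network.networkd.enable;`. Separately, `networking.networkmanager.enable` goes from unconditionally true to a `mkEnableOption` that defaults to false, and no host in this diff sets `bchmnn.network.nm.enable`; unless T430 and IROH set it in files not shown here, they lose NetworkManager on the next rebuild.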
@@ -31,31 +45,35 @@ ]; services.mullvad-vpn.enable = config.bchmnn.collections.vpn.enable; - age.secrets = lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) { - keys-wireguard-dryborg-privatekey = { - file = ../../secrets/keys/wireguard/dryborg/privatekey.age; - }; - keys-wireguard-dryborg-presharedkey = { - file = ../../secrets/keys/wireguard/dryborg/presharedkey.age; - }; - }; + age.secrets = + lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) + { + keys-wireguard-dryborg-privatekey = { + file = ../../secrets/keys/wireguard/dryborg/privatekey.age; + }; + keys-wireguard-dryborg-presharedkey = { + file = ../../secrets/keys/wireguard/dryborg/presharedkey.age; + }; + }; - networking.wg-quick.interfaces = lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) { - "vpn.dryb.org" = { - autostart = false; - privateKeyFile = config.age.secrets.keys-wireguard-dryborg-privatekey.path; - address = [ "10.200.200.1/24" ]; - dns = [ "192.168.2.1" ]; - peers = [ - { - publicKey = "JY5fb0RS7C8WyPPEeymzuMSUeIhDtICGk1FYJgTRnTs="; - presharedKeyFile = config.age.secrets.keys-wireguard-dryborg-presharedkey.path; - allowedIPs = [ "0.0.0.0/0" ]; - endpoint = "vpn.dryb.org:53280"; - persistentKeepalive = 21; - } - ]; - }; - }; + networking.wg-quick.interfaces = + lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) + { + "vpn.dryb.org" = { + autostart = false; + privateKeyFile = config.age.secrets.keys-wireguard-dryborg-privatekey.path; + address = [ "10.200.200.1/24" ]; + dns = [ "192.168.2.1" ]; + peers = [ + { + publicKey = "JY5fb0RS7C8WyPPEeymzuMSUeIhDtICGk1FYJgTRnTs="; + presharedKeyFile = config.age.secrets.keys-wireguard-dryborg-presharedkey.path; + allowedIPs = [ "0.0.0.0/0" ]; + endpoint = "vpn.dryb.org:53280"; + persistentKeepalive = 21; + } + ]; + }; + }; }; } 
diff --git a/modules/core/shell.nix b/modules/core/shell.nix index 890d44d..b5b9073 100644 --- a/modules/core/shell.nix +++ b/modules/core/shell.nix @@ -1,4 +1,9 @@ -{ pkgs, ... }: +{ + lib, + config, + pkgs, + ... +}: let common = import ./common.nix; in @@ -7,8 +12,10 @@ in enable = true; }; - users.users.gandalf = { - shell = pkgs.zsh; + users.users = lib.mkIf (config.bchmnn.home.enable) { + gandalf = { + shell = pkgs.zsh; + }; }; environment = { diff --git a/modules/default.nix b/modules/default.nix index 374ed82..d9872c0 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,6 +1,11 @@ { lib, ... }: { options.bchmnn = with lib; { + + home = { + enable = mkEnableOption "home"; + }; + user = { extraGroups = mkOption { type = types.listOf types.str; diff --git a/modules/home-manager/applications.nix b/modules/home-manager/applications.nix index 6df1cfb..afef240 100644 --- a/modules/home-manager/applications.nix +++ b/modules/home-manager/applications.nix @@ -5,8 +5,6 @@ pkgs.gopass-jsonapi # enables communication with gopass via json messages pkgs.bitwarden-cli # secure and free password manager for all of your devices pkgs.yt-dlp # command-line tool to download videos from youtube.com and other sites (youtube-dl fork) - pkgs.gdu # fast disk usage analyzer with console interface written in go - pkgs.duf # disk usage/free utility - a better 'df' alternative pkgs.stress # simple workload generator for posix systems. it imposes a configurable amount of cpu, memory, i/o, and disk stress on the system pkgs.s-tui # stress-terminal ui monitoring tool pkgs.fio # flexible io tester - an io benchmark tool diff --git a/modules/home-manager/default.nix b/modules/home-manager/default.nix index 24b6909..c0a6786 100644 --- a/modules/home-manager/default.nix +++ b/modules/home-manager/default.nix 
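Review bot: `mkEnableOption "home"` in `modules/default.nix` yields the description "Whether to enable home.", which says nothing about what the flag gates — in this commit it controls the `gandalf` user, its zsh shell (`modules/core/shell.nix`) and the entire home-manager profile. Name the effect in the option itself: `enable = mkEnableOption "the gandalf user and its home-manager configuration";`. The same applies to the three `mkEnableOption "nm"` / `"resolved"` / `"networkd"` options added in `modules/core/network.nix`, whose generated descriptions are equally opaque to anyone reading the option tree.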
@@ -1,63 +1,64 @@ -{ config, ... }@inputs: +{ lib, config, ... }@inputs: let common = import ../core/common.nix; in { - imports = [ inputs.home-manager.nixosModules.home-manager ]; - users.users.gandalf = { - isNormalUser = true; - extraGroups = config.bchmnn.user.extraGroups; - openssh = { - authorizedKeys = { - keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOG8Sja2i6nepkEkuxYdu86XbT9vS5uniBmZifSMZ0t jacob.bachmann@posteo.de" - ]; + config = lib.mkIf (config.bchmnn.home.enable) { + users.users.gandalf = { + isNormalUser = true; + extraGroups = config.bchmnn.user.extraGroups; + openssh = { + authorizedKeys = { + keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOG8Sja2i6nepkEkuxYdu86XbT9vS5uniBmZifSMZ0t jacob.bachmann@posteo.de" + ]; + }; }; }; - }; - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.extraSpecialArgs = { - inherit inputs; - }; + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.extraSpecialArgs = { + inherit inputs; + }; - home-manager.users.gandalf = rec { - imports = [ - ./gui - ./scripts - ./applications.nix - ./audio.nix - ./dconf.nix - ./git.nix - ./gnupg.nix - ./keyd.nix - ./neovim.nix - ./shell.nix - ./zsh.nix - ]; + home-manager.users.gandalf = rec { + imports = [ + ./gui + ./scripts + ./applications.nix + ./audio.nix + ./dconf.nix + ./git.nix + ./gnupg.nix + ./keyd.nix + ./neovim.nix + ./shell.nix + ./zsh.nix + ]; - config = { - home = { - username = "gandalf"; - homeDirectory = "/home/gandalf"; - shellAliases = common.aliases; - stateVersion = "23.05"; - }; + config = { + home = { + username = "gandalf"; + homeDirectory = "/home/gandalf"; + shellAliases = common.aliases; + stateVersion = "23.05"; + }; - xdg.userDirs = { - enable = true; - createDirectories = true; - desktop = "${config.home.homeDirectory}/tmp"; - documents = "${config.home.homeDirectory}/docs"; - download = "${config.home.homeDirectory}/dl"; - music = "${config.home.homeDirectory}/music"; - 
pictures = "${config.home.homeDirectory}/pics"; - publicShare = "${config.home.homeDirectory}/public"; - templates = "${config.home.homeDirectory}/templates"; - videos = "${config.home.homeDirectory}/vids"; + xdg.userDirs = { + enable = true; + createDirectories = true; + desktop = "${config.home.homeDirectory}/tmp"; + documents = "${config.home.homeDirectory}/docs"; + download = "${config.home.homeDirectory}/dl"; + music = "${config.home.homeDirectory}/music"; + pictures = "${config.home.homeDirectory}/pics"; + publicShare = "${config.home.homeDirectory}/public"; + templates = "${config.home.homeDirectory}/templates"; + videos = "${config.home.homeDirectory}/vids"; + }; }; }; }; diff --git a/secrets/environments/acme.age b/secrets/environments/acme.age index 254458f..b3edd33 100644 Binary files a/secrets/environments/acme.age and b/secrets/environments/acme.age differ diff --git a/secrets/environments/vaultwarden.age b/secrets/environments/vaultwarden.age index 5b332f2..fdfd8bc 100644 Binary files a/secrets/environments/vaultwarden.age and b/secrets/environments/vaultwarden.age differ diff --git a/secrets/keys/wireguard/dryborg/presharedkey.age b/secrets/keys/wireguard/dryborg/presharedkey.age index 9940f01..e09e427 100644 Binary files a/secrets/keys/wireguard/dryborg/presharedkey.age and b/secrets/keys/wireguard/dryborg/presharedkey.age differ diff --git a/secrets/keys/wireguard/dryborg/privatekey.age b/secrets/keys/wireguard/dryborg/privatekey.age index 887a24c..5e9ae3a 100644 --- a/secrets/keys/wireguard/dryborg/privatekey.age +++ b/secrets/keys/wireguard/dryborg/privatekey.age 
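Review bot: Wrapping the module body in `config = lib.mkIf (config.bchmnn.home.enable)` flips the default: `home.enable` is a `mkEnableOption`, so it is false unless a host sets it, and the only host that does in this commit is `hosts/APPA/default.nix`. Unless T430 and IROH set it in files outside this diff, both lose the `gandalf` user, its authorized key and its home-manager profile on the next rebuild (the same gate is applied to `users.users` in `modules/core/shell.nix`). The `imports = [ inputs.home-manager.nixosModules.home-manager ];` line is also deleted and nothing in this diff adds it back; `imports` is legal next to `config`, so if no other module imports home-manager the `home-manager.*` options below become undefined and APPA fails to evaluate — confirm before merging.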
@@ -1,9 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 lfMVeg wulS3MiEAmeRiQWR+2m6WB2lPgPvbGLIoPpIcpTjwEE -I0SrCm+wG3tRn1St9+bnwAJGSWAIA2TP6LKPQCaVCdc --> ssh-ed25519 2ycGcg +gfN9hAI6S+2CVGp0xi+M3OJ2JfqNCubYFhKwXa86yM -yWls3U6P8ViO9a+gNuT/fW4txOfDD7wqOmQz6k6O2fA --> ssh-ed25519 SiBV3Q 8+vLtNNsx2DWecy31lkXpGac78wpHu2xSu/NF+RDZGM -l4FaoEWeMgPIGnEuPJkDoFAmoxAM3gFLmiASxqZ/Gt4 ---- RsgxQpG7CP2JVKUmJC5975cY5hCuXeDYF4wMoOBM2XM -,\j^NvϕwGτI YԅDO_@un诔S'H&v)lQ \ No newline at end of file +-> ssh-ed25519 OFTJeQ GLjSObPnRwi54E90PLmN56+01/XWV4ncMb2hIQVAIRM +K5wnX6U4R7vWxJIAhR46Y93nYbfY8ywgCBTpl32h3Ok +-> ssh-ed25519 lfMVeg P/y5kw0684nepV8zw7AVrKJdVXp1m9QRB92emoZtgic +3jdvPwfHqNCipa4FZCheRyloGTpl+nWopB+VmYxmnEo +-> ssh-ed25519 2ycGcg i/V1Jxl9MZXbkFceyTx/jA5mgt55u6pXvyZMUnJKnSI +mzZDa0QvpixtEyk7kR98a2MBTHq3FXLIifQ/RH7WsIo +-> ssh-ed25519 SiBV3Q 3ihfgMuU8fsUkCHOjhg9+lZxK3hreLV+OD38nfJvNVQ +TzKuRHW2Za7NLK32MFzXlXlBJnyTvaL7907Fv42s2/k +--- fMhdIsuJ19h9GqERg+zyub8z2L46vIoIb/RF3NC3Izs +Qgyz˄1r&ʿMV9*T#`:TQtƖ 92$vR_ Q4sFf4 \ No newline at end of file diff --git a/secrets/passwords/anki/admin.age b/secrets/passwords/anki/admin.age index 0210eda..7c14ef2 100644 Binary files a/secrets/passwords/anki/admin.age and b/secrets/passwords/anki/admin.age differ diff --git a/secrets/passwords/ddclient/cloudflare.age b/secrets/passwords/ddclient/cloudflare.age index a2bf30a..22dcc36 100644 --- a/secrets/passwords/ddclient/cloudflare.age +++ b/secrets/passwords/ddclient/cloudflare.age 
@@ -1,9 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 OFTJeQ Duzy5R4T6qjIQNDaM/rMLtn6owinrOPR7bsj+zNyF1s -vuz3upwrRY+p9neicV+/MYqIpqPP8LxKjb/MSd3AG50 --> ssh-ed25519 lfMVeg F5b0npiotrpPjEqEEmq13iIWrEG1duL/r+A+fFt9MUw -hXV7o5UqSnrOYmTO4PudLMH2nTn3z134YuD78ogNS+Q --> ssh-ed25519 ueRyzQ Msn3gbqPbt4anEbYGvuroa3Clgldv0c2yjJm8sviWig -qwsS+8V0LvR6aWWlC6/8V7oP4ClTPIH6UF7vIbSFLM0 ---- /UJ64tEwx0Jus9JEby8z4X9LtlPoYMCUTMk3T50Flbk -} EuKh<}gף)NGxMߣ{*$g`)?rNF*(w 'i \ No newline at end of file +-> ssh-ed25519 OFTJeQ YV3PYBAAYyXqFKJZMzgWcvUiUMr0FXT1mIVu5c8ADi0 +iYOSAD0fp2AQx2xYrwZVKz8jcxLI6dZaUYAEeRco6n0 +-> ssh-ed25519 lfMVeg aTw9/kKTrhfe3wuJU61+4WWhu0boEmNQW4PH4WymfQc +pW37WMQO10S9gn4FPlNQ9I8SZiJ8zrN539WjZ5riG4U +-> ssh-ed25519 ueRyzQ jduJfxSB+1+TXaoZQk8IC2OluzEhIf2PKLrqgZPgPgU +DFnKYH1DGcvdBblibUO+1apJ6658bUJOsb+ZCVPScy0 +-> ssh-ed25519 IYnDOQ ccAK15UhEam0UtwKEPpjPdIOdOFmBRY6riNAaoUNfRE +RqOsV0RIp8kB+pDQeidONMviP4dKu1hiwTR73oa3Uxo +--- 67ZWOJB/9Zc7tUTHgVFFMWWeHOU6RzIf2HN2qXH05RQ +I%8!F;wwkK}?K d y.N$fe?r \ No newline at end of file diff --git a/secrets/passwords/gitea/db.age b/secrets/passwords/gitea/db.age index 64ac79a..73cd556 100644 Binary files a/secrets/passwords/gitea/db.age and b/secrets/passwords/gitea/db.age differ diff --git a/secrets/passwords/nextcloud/admin.age b/secrets/passwords/nextcloud/admin.age index 3761b2d..9406572 100644 --- a/secrets/passwords/nextcloud/admin.age +++ b/secrets/passwords/nextcloud/admin.age 
@@ -1,9 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 OFTJeQ ZR/HXJbMffa0GONFhLI54XbnMfUa44IBtmc35WfFalE -5k336aLzA40CP1qy1bhpAeOBMf/v8acDsbT3ehJgNH8 --> ssh-ed25519 lfMVeg rNkPlKPIOnU3MX1DRAAqUrVCl2aFCD1LiULqgT94ih0 -s1dizDfvjFexbtOaY+8LHT4rASAmna+YtI6sThwY2lo --> ssh-ed25519 ueRyzQ yXUlKmMDvGQpYHDPax8AOmAupPm1MlOB8O0dWLZlPxI -a/+l6l8f6Bwl6cmfob0lZnBriQ5uGE/zK/JDRwsp3+o ---- k6YDdEeu5493P74E1pt8yOaWrlKxq5KEEfokK+FaFq4 -Єunh(Qy5bY< ZDw0 #8t! \ No newline at end of file +-> ssh-ed25519 OFTJeQ Z0zahyJ9ZN+iPyEGZcdqkctRGtZHedg0n9hpw7yCr1w +tTaDe8+Ki2S7v3F/+0KgJ6EyS89WETy3/pSWUf3qA2g +-> ssh-ed25519 lfMVeg 7yJmsdpEXhgRekyoMU5Ut62hvo7sI+ZyLoasrzjtOmI +qpH5kucqYFin9PZw38am7WkJWH+Cp0C7em22QiQsQJ4 +-> ssh-ed25519 ueRyzQ WGMVo2WuCuHNTZ6/a+3cPOXU50EEK/yhnyX//IrtUx8 +2t+CUgdBuivea8Ij4tavUQTX2mzTpIUz/8FuweVJ6uA +-> ssh-ed25519 IYnDOQ P5amA/utlNaNK4/YP1L3RkL/k1N0MtucTobGZxeKqw8 +TBwo9Y/YTzJxw0rmzz6V1W8kmQYHw8YNt+/MLOQalyM +--- Ykljx1ff/c4OkoyHs4rzrKnfIEuAW3zM5MCk5p/UT1g +. g:ոdJ~xYe߬,@<CKk0w`r~}K \ No newline at end of file diff --git a/secrets/passwords/paperless/admin.age b/secrets/passwords/paperless/admin.age index 7425ee9..e359ea4 100644 Binary files a/secrets/passwords/paperless/admin.age and b/secrets/passwords/paperless/admin.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 17f0ff6..6bd29a8 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -2,6 +2,8 @@ let APPA = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvQbYHiB17BfsvHBgPYJN50Th+da+rtbsTIjOSaT+1Y root@APPA"; gandalf_at_appa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrE1fMXjJXI8f1mKvhLquwSsb4tvLh5Tq0n+yOakQks gandalf@appa.dryb.com"; + MOMO = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQ8YOOaQj3NnMlTjlFX9iWDIpPMrO2W4EkL65GJP+y4 root@MOMO"; + T430 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPQKzUqdLY58tFTB5zOeiTjbbrDvHA1speD/Rg6oOfz root@T430"; IROH = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYiK3Dl8QvAZfY7Cl1OlF9aXKa/an32mtrCNkavlSNG root@IROH"; 
@@ -14,10 +16,16 @@ let systems = [ APPA + MOMO T430 IROH ]; + servers = [ + APPA + MOMO + ]; + clients = [ T430 IROH @@ -25,13 +33,13 @@ let in { - "environments/acme.age".publicKeys = users ++ [ APPA ]; - "environments/vaultwarden.age".publicKeys = users ++ [ APPA ]; - "keys/wireguard/dryborg/privatekey.age".publicKeys = [ gandalf ] ++ clients; - "keys/wireguard/dryborg/presharedkey.age".publicKeys = [ gandalf ] ++ clients; - "passwords/anki/admin.age".publicKeys = users ++ [ APPA ]; - "passwords/ddclient/cloudflare.age".publicKeys = users ++ [ APPA ]; - "passwords/gitea/db.age".publicKeys = users ++ [ APPA ]; - "passwords/nextcloud/admin.age".publicKeys = users ++ [ APPA ]; - "passwords/paperless/admin.age".publicKeys = users ++ [ APPA ]; + "environments/acme.age".publicKeys = users ++ servers; + "environments/vaultwarden.age".publicKeys = users ++ servers; + "keys/wireguard/dryborg/privatekey.age".publicKeys = users ++ clients; + "keys/wireguard/dryborg/presharedkey.age".publicKeys = users ++ clients; + "passwords/anki/admin.age".publicKeys = users ++ servers; + "passwords/ddclient/cloudflare.age".publicKeys = users ++ servers; + "passwords/gitea/db.age".publicKeys = users ++ servers; + "passwords/nextcloud/admin.age".publicKeys = users ++ servers; + "passwords/paperless/admin.age".publicKeys = users ++ servers; }
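Review bot: Adding `MOMO` to `servers` and switching every `passwords/*` secret to `users ++ servers` lets the new host decrypt the Anki, ddclient/Cloudflare, Gitea DB, Nextcloud and Paperless credentials, none of which belong to a service MOMO runs (`hosts/MOMO/services/default.nix` imports only acme, nginx, postgresql, syncthing and vaultwarden). Each secret should list only the host that consumes it; the rewrite below keeps `servers` for `environments/acme.age`, whose consumer on MOMO is not visible in this diff, and restricts `environments/vaultwarden.age` to MOMO since the service no longer runs on APPA. Separately, the two WireGuard client secrets move from `[ gandalf ] ++ clients` to `users ++ clients` — if `users` (defined above this hunk) also contains `gandalf_at_appa`, that user key on APPA can now decrypt the VPN private key, which the previous list deliberately excluded.
```nix
  "environments/acme.age".publicKeys = users ++ servers;
  "environments/vaultwarden.age".publicKeys = users ++ [ MOMO ];
  # … unchanged: keys/wireguard/dryborg/*.age …
  "passwords/anki/admin.age".publicKeys = users ++ [ APPA ];
  "passwords/ddclient/cloudflare.age".publicKeys = users ++ [ APPA ];
  "passwords/gitea/db.age".publicKeys = users ++ [ APPA ];
  "passwords/nextcloud/admin.age".publicKeys = users ++ [ APPA ];
  "passwords/paperless/admin.age".publicKeys = users ++ [ APPA ];
```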