From 6ca4dd9e57fd0e26b6eb09a1ae8242ad5af6cff3 Mon Sep 17 00:00:00 2001 
From: Jacob Bachmann Date: Wed, 1 Jan 2025 21:33:50 +0100 Subject: [PATCH] feat(MOMO): setup syncthing and vaultwarden --- flake.lock | 21 ++++ flake.nix | 15 ++- hosts/APPA/default.nix | 2 + hosts/APPA/services/adguard-home.nix | 20 +++- hosts/APPA/services/default.nix | 1 - hosts/APPA/services/homepage-dashboard.nix | 7 -- hosts/APPA/services/nginx.nix | 7 -- hosts/APPA/services/postgresql.nix | 7 -- hosts/MOMO/default.nix | 38 +++++++ hosts/MOMO/hardware.nix | 68 ++++++++++++ hosts/MOMO/network.nix | 22 ++++ hosts/MOMO/services/acme.nix | 7 ++ hosts/MOMO/services/default.nix | 9 ++ hosts/MOMO/services/nginx.nix | 27 +++++ hosts/MOMO/services/postgresql.nix | 26 +++++ hosts/MOMO/services/syncthing.nix | 7 ++ hosts/{APPA => MOMO}/services/vaultwarden.nix | 3 - modules/core/applications.nix | 2 + modules/core/network.nix | 82 +++++++++------ modules/core/shell.nix | 13 ++- modules/default.nix | 5 + modules/home-manager/applications.nix | 2 - modules/home-manager/default.nix | 97 +++++++++--------- secrets/environments/acme.age | Bin 498 -> 608 bytes secrets/environments/vaultwarden.age | Bin 579 -> 689 bytes .../keys/wireguard/dryborg/presharedkey.age | Bin 477 -> 587 bytes secrets/keys/wireguard/dryborg/privatekey.age | 18 ++-- secrets/passwords/anki/admin.age | Bin 483 -> 593 bytes secrets/passwords/ddclient/cloudflare.age | 18 ++-- secrets/passwords/gitea/db.age | Bin 484 -> 594 bytes secrets/passwords/nextcloud/admin.age | 18 ++-- secrets/passwords/paperless/admin.age | Bin 465 -> 575 bytes secrets/secrets.nix | 26 +++-- 33 files changed, 419 insertions(+), 149 deletions(-) create mode 100644 hosts/MOMO/default.nix create mode 100644 hosts/MOMO/hardware.nix create mode 100644 hosts/MOMO/network.nix create mode 100644 hosts/MOMO/services/acme.nix create mode 100644 hosts/MOMO/services/default.nix create mode 100644 hosts/MOMO/services/nginx.nix create mode 100644 hosts/MOMO/services/postgresql.nix create mode 100644 hosts/MOMO/services/syncthing.nix rename 
hosts/{APPA => MOMO}/services/vaultwarden.nix (89%) diff --git a/flake.lock b/flake.lock index 2ad393a..8ddb761 100644 --- a/flake.lock +++ b/flake.lock @@ -45,6 +45,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1734701201, + "narHash": "sha256-hk0roBX10j/hospoWIJIJj3i2skd7Oml6yKQBx7mTFk=", + "owner": "nix-community", + "repo": "disko", + "rev": "2ee76c861af3b895b3b104bae04777b61397485b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -138,6 +158,7 @@ "root": { "inputs": { "agenix": "agenix", + "disko": "disko", "home-manager": "home-manager_2", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", diff --git a/flake.nix b/flake.nix index 2b4a6f5..ec74963 100644 --- a/flake.nix +++ b/flake.nix @@ -12,9 +12,18 @@ url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; }; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = - { nixpkgs, agenix, ... }@inputs: + { + nixpkgs, + agenix, + disko, + ... + }@inputs: let mkSystem = host: { "${host}" = nixpkgs.lib.nixosSystem rec { @@ -23,6 +32,7 @@ modules = [ (./hosts + "/${host}") agenix.nixosModules.default + disko.nixosModules.disko { environment.systemPackages = [ agenix.packages.${system}.default ]; } ]; }; @@ -32,8 +42,9 @@ nixosConfigurations = nixpkgs.lib.mergeAttrsList ( nixpkgs.lib.forEach [ "APPA" - "T430" "IROH" + "MOMO" + "T430" ] mkSystem ); }; diff --git a/hosts/APPA/default.nix b/hosts/APPA/default.nix index b36814b..17f7066 100644 --- a/hosts/APPA/default.nix +++ b/hosts/APPA/default.nix @@ -13,6 +13,8 @@ ]; bchmnn = { + home.enable = true; + git = { signing = { key = "0x7753026D577922A6"; diff --git a/hosts/APPA/services/adguard-home.nix b/hosts/APPA/services/adguard-home.nix index e0b2b74..ad54709 100644 --- a/hosts/APPA/services/adguard-home.nix 
+++ b/hosts/APPA/services/adguard-home.nix @@ -50,10 +50,6 @@ domain = "anki.dryb.org"; answer = "192.168.2.40"; } - { - domain = "vaultwarden.dryb.org"; - answer = "192.168.2.40"; - } { domain = "paperless.dryb.org"; answer = "192.168.2.40"; @@ -62,6 +58,22 @@ domain = "jellyfin.dryb.org"; answer = "192.168.2.40"; } + { + domain = "momo.dryb.org"; + answer = "188.245.216.128"; + } + { + domain = "momo.dryb.org"; + answer = "2a01:4f8:1c1e:8abc::1"; + } + { + domain = "syncthing.dryb.org"; + answer = "momo.dryb.org"; + } + { + domain = "vaultwarden.dryb.org"; + answer = "momo.dryb.org"; + } ]; }; dhcp = { diff --git a/hosts/APPA/services/default.nix b/hosts/APPA/services/default.nix index 87c397f..204482b 100644 --- a/hosts/APPA/services/default.nix +++ b/hosts/APPA/services/default.nix @@ -11,6 +11,5 @@ ./nginx.nix ./paperless.nix ./postgresql.nix - ./vaultwarden.nix ]; } diff --git a/hosts/APPA/services/homepage-dashboard.nix b/hosts/APPA/services/homepage-dashboard.nix index dfcf273..6e507cb 100644 --- a/hosts/APPA/services/homepage-dashboard.nix +++ b/hosts/APPA/services/homepage-dashboard.nix @@ -111,13 +111,6 @@ icon = "si-anki"; }; } - { - "Vaultwarden" = { - description = "https://vaultwarden.dryb.org"; - href = "https://vaultwarden.dryb.org"; - icon = "vaultwarden"; - }; - } { "Paperless" = { description = "https://paperless.dryb.org"; diff --git a/hosts/APPA/services/nginx.nix b/hosts/APPA/services/nginx.nix index 49ac1b3..0ac7da1 100644 --- a/hosts/APPA/services/nginx.nix +++ b/hosts/APPA/services/nginx.nix @@ -36,13 +36,6 @@ proxyPass = "http://127.0.0.1:8004"; }; }; - virtualHosts."vaultwarden.dryb.org" = { - useACMEHost = "dryb.org"; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:8005"; - }; - }; virtualHosts."paperless.dryb.org" = { useACMEHost = "dryb.org"; forceSSL = true; diff --git a/hosts/APPA/services/postgresql.nix b/hosts/APPA/services/postgresql.nix index 907facd..c04d80a 100644 --- a/hosts/APPA/services/postgresql.nix 
+++ b/hosts/APPA/services/postgresql.nix @@ -5,15 +5,10 @@ enable = true; ensureDatabases = [ config.services.gitea.user - "vaultwarden" config.services.paperless.user ]; ensureUsers = [ - { - name = "vaultwarden"; - ensureDBOwnership = true; - } { name = config.services.paperless.user; ensureDBOwnership = true; @@ -23,14 +18,12 @@ # type database DBuser auth-method mapping authentication = '' local gitea all ident map=gitea-users - local vaultwarden all ident map=vaultwarden-users local paperless all ident map=paperless-users ''; # name sysuser dbuser identMap = '' gitea-users gitea gitea - vaultwarden-users vaultwarden vaultwarden paperless-users paperless paperless ''; }; diff --git a/hosts/MOMO/default.nix b/hosts/MOMO/default.nix new file mode 100644 index 0000000..dce8cd2 --- /dev/null +++ b/hosts/MOMO/default.nix @@ -0,0 +1,38 @@ +{ ... }: +{ + imports = [ + ./services + ./hardware.nix + ./network.nix + ../../modules + ]; + + bchmnn = { + network = { + resolved.enable = true; + networkd.enable = true; + }; + collections = { + cli-utils.enable = true; + }; + }; + + services.openssh = { + settings = { + PasswordAuthentication = false; + }; + }; + + users.users.root = { + openssh = { + authorizedKeys = { + keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOG8Sja2i6nepkEkuxYdu86XbT9vS5uniBmZifSMZ0t jacob.bachmann@posteo.de" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrE1fMXjJXI8f1mKvhLquwSsb4tvLh5Tq0n+yOakQks gandalf@appa.dryb.com" + ]; + }; + }; + }; + + documentation.nixos.enable = false; +} diff --git a/hosts/MOMO/hardware.nix b/hosts/MOMO/hardware.nix new file mode 100644 index 0000000..2a302c4 --- /dev/null +++ b/hosts/MOMO/hardware.nix 
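Review bot: The `services.openssh.settings` block in hosts/MOMO/default.nix turns off only `PasswordAuthentication`; keyboard-interactive authentication is a separate sshd setting, so key-only login is not fully pinned here unless a shared module already does it (not visible in this diff). Add `KbdInteractiveAuthentication = false;` and state the root policy explicitly with `PermitRootLogin = "prohibit-password";`. The second root key is labelled `gandalf@appa.dryb.com`, so a compromise of that account on APPA would give root on the host that now serves Vaultwarden. Consider an unprivileged admin user instead of direct root login, or at least a comment above `keys` recording why each key is trusted.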
@@ -0,0 +1,68 @@
+{ lib, modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot.initrd.availableKernelModules = [
+ "ahci"
+ "xhci_pci"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ boot.loader.grub = {
+ enable = true;
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "BOOT";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "ROOT";
+ end = "-8G";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ plainSwap = {
+ size = "100%";
+ content = {
+ type = "swap";
+ discardPolicy = "both";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ networking.useDHCP = lib.mkDefault true;
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/MOMO/network.nix b/hosts/MOMO/network.nix
new file mode 100644
index 0000000..6eb2781
--- /dev/null
+++ b/hosts/MOMO/network.nix
@@ -0,0 +1,22 @@
+{ ... }:
+{
+ networking = {
+ hostName = "MOMO";
+ interfaces.enp1s0 = {
+ ipv6.addresses = [
+ {
+ address = "2a01:4f8:1c1e:8abc::1";
+ prefixLength = 64;
+ }
+ ];
+ };
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "enp1s0";
+ };
+ nameservers = [
+ "2a01:4ff:ff00::add:1"
+ "2a01:4ff:ff00::add:2"
+ ];
+ };
+}
diff --git a/hosts/MOMO/services/acme.nix b/hosts/MOMO/services/acme.nix
new file mode 100644
index 0000000..3556fab
--- /dev/null
+++ b/hosts/MOMO/services/acme.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "gendulf@posteo.de";
+ };
+}
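Review bot: `plainSwap` in hosts/MOMO/hardware.nix is an unencrypted swap partition, so memory pages of the Vaultwarden and PostgreSQL processes that get swapped out are written to disk in clear. If hibernation is not needed on this VM, add `randomEncryption = true;` next to `discardPolicy = "both";` in the swap `content`. The root filesystem is plain ext4 as well; a short comment at `disko.devices` stating that at-rest encryption was deliberately left out would tell the next reader it was a decision and not an oversight.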
diff --git a/hosts/MOMO/services/default.nix b/hosts/MOMO/services/default.nix
new file mode 100644
index 0000000..cd167d2
--- /dev/null
+++ b/hosts/MOMO/services/default.nix
@@ -0,0 +1,9 @@
+{
+ imports = [
+ ./acme.nix
+ ./nginx.nix
+ ./postgresql.nix
+ ./syncthing.nix
+ ./vaultwarden.nix
+ ];
+}
diff --git a/hosts/MOMO/services/nginx.nix b/hosts/MOMO/services/nginx.nix
new file mode 100644
index 0000000..5ced4f0
--- /dev/null
+++ b/hosts/MOMO/services/nginx.nix
@@ -0,0 +1,27 @@
+{ ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."syncthing.dryb.org" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8384";
+ };
+ };
+ virtualHosts."vaultwarden.dryb.org" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8005";
+ };
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [
+ 80
+ 443
+ ];
+ };
+}
diff --git a/hosts/MOMO/services/postgresql.nix b/hosts/MOMO/services/postgresql.nix
new file mode 100644
index 0000000..10315c1
--- /dev/null
+++ b/hosts/MOMO/services/postgresql.nix
@@ -0,0 +1,26 @@
+{ ... }:
+{
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "vaultwarden" ];
+
+ ensureUsers = [
+ {
+ name = "vaultwarden";
+ ensureDBOwnership = true;
+ }
+ ];
+
+ # type database DBuser auth-method mapping
+ authentication = ''
+ local vaultwarden all ident map=vaultwarden-users
+ '';
+
+ # name sysuser dbuser
+ identMap = ''
+ vaultwarden-users vaultwarden vaultwarden
+ '';
+ };
+
+}
diff --git a/hosts/MOMO/services/syncthing.nix b/hosts/MOMO/services/syncthing.nix
new file mode 100644
index 0000000..69ff84f
--- /dev/null
+++ b/hosts/MOMO/services/syncthing.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ services.syncthing = {
+ enable = true;
+ openDefaultPorts = true;
+ };
+}
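Review bot: Both virtual hosts in hosts/MOMO/services/nginx.nix use `addSSL = true;`, which keeps serving the site over plain HTTP on port 80 next to HTTPS, whereas the APPA vhost removed by this commit used `forceSSL = true;`. For a password manager that means credentials and session tokens can travel unencrypted whenever a client uses an `http://` URL. Replace the line with `forceSSL = true;` in both blocks so that port 80 only redirects; the ACME HTTP challenge is still answered on port 80 by the NixOS module.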
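Review bot: `services.syncthing` in hosts/MOMO/services/syncthing.nix configures no GUI credentials, while nginx.nix in this commit publishes the GUI listener (`127.0.0.1:8384`) as `syncthing.dryb.org` on ports 80 and 443 of what appears to be a public address. Unless a GUI user and password are set out of band, anyone who can reach that vhost gets the administration interface, which controls devices and shared folders. Restrict the vhost to the VPN or LAN range with an nginx `allow`/`deny` pair or `basicAuthFile`, or drop the vhost and reach the GUI through an SSH tunnel. `openDefaultPorts = true;` only concerns the sync and discovery ports and does not depend on the vhost.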
diff --git a/hosts/APPA/services/vaultwarden.nix b/hosts/MOMO/services/vaultwarden.nix similarity index 89% rename from hosts/APPA/services/vaultwarden.nix rename to hosts/MOMO/services/vaultwarden.nix index a2e9e3b..f418fe7 100644 --- a/hosts/APPA/services/vaultwarden.nix +++ b/hosts/MOMO/services/vaultwarden.nix @@ -2,9 +2,6 @@ { age.secrets.environments-vaultwarden = { file = ../../../secrets/environments/vaultwarden.age; - # mode = "640"; - # owner = "vaultwarden"; - # group = "vaultwarden"; }; users.users.vaultwarden = { diff --git a/modules/core/applications.nix b/modules/core/applications.nix index ec3048f..6206881 100644 --- a/modules/core/applications.nix +++ b/modules/core/applications.nix @@ -32,6 +32,8 @@ pkgs.inotify-tools # a c library and a set of command-line programs providing a simple interface to inotify pkgs.mkcert # a simple tool for making locally-trusted development certificates pkgs.hexedit + pkgs.gdu # fast disk usage analyzer with console interface written in go + pkgs.duf # disk usage/free utility - a better 'df' alternative ] ++ lib.optionals (config.bchmnn.collections.cli-utils.enable && config.bchmnn.nvidia.enable) [ pkgs.nvtopPackages.full diff --git a/modules/core/network.nix b/modules/core/network.nix index c9f1d8a..f5376d1 100644 --- a/modules/core/network.nix +++ b/modules/core/network.nix @@ -1,10 +1,22 @@ -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: { options.bchmnn = { + network = { + nm = { + enable = lib.mkEnableOption "nm"; + }; + resolved = { + enable = lib.mkEnableOption "resolved"; + }; + networkd = { + enable = lib.mkEnableOption "networkd"; + }; + }; collections = { vpn = { dryborg = { 
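Review bot: `bchmnn.network.nm.enable` in modules/core/network.nix is declared with `lib.mkEnableOption`, so it defaults to false, and the next hunk of this file makes `networking.networkmanager.enable` follow it; no host file in this patch sets it, so APPA, IROH and T430 would lose NetworkManager on the next rebuild unless it is set somewhere not shown. The same applies to `bchmnn.home.enable` (modules/default.nix, modules/core/shell.nix, modules/home-manager/default.nix): only hosts/APPA/default.nix turns it on, so, assuming they import the same modules, IROH and T430 would drop the `gandalf` account and its authorized key, which can lock the operator out. Either set both options in every existing host or keep the old behaviour as the default, e.g. `enable = lib.mkEnableOption "NetworkManager" // { default = true; };`, and let MOMO opt out. The option block continues outside this hunk.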
@@ -15,14 +27,16 @@ }; config = { networking = { - networkmanager.enable = true; + networkmanager.enable = config.bchmnn.network.nm.enable; }; - systemd.services = { + systemd.services = lib.mkIf (config.bchmnn.network.nm.enable) { NetworkManager-wait-online.enable = false; }; - services.resolved.enable = config.bchmnn.collections.vpn.enable; + services.resolved.enable = ( + config.bchmnn.network.nm.enable || config.bchmnn.collections.vpn.enable + ); environment.systemPackages = lib.optionals (config.bchmnn.collections.vpn.enable) [ pkgs.openvpn3 
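Review bot: The options `bchmnn.network.resolved.enable` and `bchmnn.network.networkd.enable` declared in the first hunk are never read in the `config` shown here: `services.resolved.enable` is derived from `nm.enable` and `vpn.enable` only, and nothing references `networkd.enable`. hosts/MOMO/default.nix sets both to true, so as far as this diff shows those two flags have no effect on MOMO. Wire them up, for example `services.resolved.enable = config.bchmnn.network.resolved.enable || config.bchmnn.network.nm.enable || config.bchmnn.collections.vpn.enable;` and `networking.useNetworkd = config.bchmnn.network.networkd.enable;`. The enclosing `config` block continues in the next hunk.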
@@ -31,31 +45,35 @@ ]; services.mullvad-vpn.enable = config.bchmnn.collections.vpn.enable; - age.secrets = lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) { - keys-wireguard-dryborg-privatekey = { - file = ../../secrets/keys/wireguard/dryborg/privatekey.age; - }; - keys-wireguard-dryborg-presharedkey = { - file = ../../secrets/keys/wireguard/dryborg/presharedkey.age; - }; - }; + age.secrets = + lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) + { + keys-wireguard-dryborg-privatekey = { + file = ../../secrets/keys/wireguard/dryborg/privatekey.age; + }; + keys-wireguard-dryborg-presharedkey = { + file = ../../secrets/keys/wireguard/dryborg/presharedkey.age; + }; + }; - networking.wg-quick.interfaces = lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) { - "vpn.dryb.org" = { - autostart = false; - privateKeyFile = config.age.secrets.keys-wireguard-dryborg-privatekey.path; - address = [ "10.200.200.1/24" ]; - dns = [ "192.168.2.1" ]; - peers = [ - { - publicKey = "JY5fb0RS7C8WyPPEeymzuMSUeIhDtICGk1FYJgTRnTs="; - presharedKeyFile = config.age.secrets.keys-wireguard-dryborg-presharedkey.path; - allowedIPs = [ "0.0.0.0/0" ]; - endpoint = "vpn.dryb.org:53280"; - persistentKeepalive = 21; - } - ]; - }; - }; + networking.wg-quick.interfaces = + lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) + { + "vpn.dryb.org" = { + autostart = false; + privateKeyFile = config.age.secrets.keys-wireguard-dryborg-privatekey.path; + address = [ "10.200.200.1/24" ]; + dns = [ "192.168.2.1" ]; + peers = [ + { + publicKey = "JY5fb0RS7C8WyPPEeymzuMSUeIhDtICGk1FYJgTRnTs="; + presharedKeyFile = config.age.secrets.keys-wireguard-dryborg-presharedkey.path; + allowedIPs = [ "0.0.0.0/0" ]; + endpoint = "vpn.dryb.org:53280"; + persistentKeepalive = 21; + } + ]; + }; + }; }; } 
diff --git a/modules/core/shell.nix b/modules/core/shell.nix index 890d44d..b5b9073 100644 --- a/modules/core/shell.nix +++ b/modules/core/shell.nix @@ -1,4 +1,9 @@ -{ pkgs, ... }: +{ + lib, + config, + pkgs, + ... +}: let common = import ./common.nix; in @@ -7,8 +12,10 @@ in enable = true; }; - users.users.gandalf = { - shell = pkgs.zsh; + users.users = lib.mkIf (config.bchmnn.home.enable) { + gandalf = { + shell = pkgs.zsh; + }; }; environment = { diff --git a/modules/default.nix b/modules/default.nix index 374ed82..d9872c0 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,6 +1,11 @@ { lib, ... }: { options.bchmnn = with lib; { + + home = { + enable = mkEnableOption "home"; + }; + user = { extraGroups = mkOption { type = types.listOf types.str; diff --git a/modules/home-manager/applications.nix b/modules/home-manager/applications.nix index 6df1cfb..afef240 100644 --- a/modules/home-manager/applications.nix +++ b/modules/home-manager/applications.nix @@ -5,8 +5,6 @@ pkgs.gopass-jsonapi # enables communication with gopass via json messages pkgs.bitwarden-cli # secure and free password manager for all of your devices pkgs.yt-dlp # command-line tool to download videos from youtube.com and other sites (youtube-dl fork) - pkgs.gdu # fast disk usage analyzer with console interface written in go - pkgs.duf # disk usage/free utility - a better 'df' alternative pkgs.stress # simple workload generator for posix systems. it imposes a configurable amount of cpu, memory, i/o, and disk stress on the system pkgs.s-tui # stress-terminal ui monitoring tool pkgs.fio # flexible io tester - an io benchmark tool diff --git a/modules/home-manager/default.nix b/modules/home-manager/default.nix index 24b6909..c0a6786 100644 --- a/modules/home-manager/default.nix +++ b/modules/home-manager/default.nix 
@@ -1,63 +1,64 @@ -{ config, ... }@inputs: +{ lib, config, ... }@inputs: let common = import ../core/common.nix; in { - imports = [ inputs.home-manager.nixosModules.home-manager ]; - users.users.gandalf = { - isNormalUser = true; - extraGroups = config.bchmnn.user.extraGroups; - openssh = { - authorizedKeys = { - keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOG8Sja2i6nepkEkuxYdu86XbT9vS5uniBmZifSMZ0t jacob.bachmann@posteo.de" - ]; + config = lib.mkIf (config.bchmnn.home.enable) { + users.users.gandalf = { + isNormalUser = true; + extraGroups = config.bchmnn.user.extraGroups; + openssh = { + authorizedKeys = { + keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOG8Sja2i6nepkEkuxYdu86XbT9vS5uniBmZifSMZ0t jacob.bachmann@posteo.de" + ]; + }; }; }; - }; - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.extraSpecialArgs = { - inherit inputs; - }; + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.extraSpecialArgs = { + inherit inputs; + }; - home-manager.users.gandalf = rec { - imports = [ - ./gui - ./scripts - ./applications.nix - ./audio.nix - ./dconf.nix - ./git.nix - ./gnupg.nix - ./keyd.nix - ./neovim.nix - ./shell.nix - ./zsh.nix - ]; + home-manager.users.gandalf = rec { + imports = [ + ./gui + ./scripts + ./applications.nix + ./audio.nix + ./dconf.nix + ./git.nix + ./gnupg.nix + ./keyd.nix + ./neovim.nix + ./shell.nix + ./zsh.nix + ]; - config = { - home = { - username = "gandalf"; - homeDirectory = "/home/gandalf"; - shellAliases = common.aliases; - stateVersion = "23.05"; - }; + config = { + home = { + username = "gandalf"; + homeDirectory = "/home/gandalf"; + shellAliases = common.aliases; + stateVersion = "23.05"; + }; - xdg.userDirs = { - enable = true; - createDirectories = true; - desktop = "${config.home.homeDirectory}/tmp"; - documents = "${config.home.homeDirectory}/docs"; - download = "${config.home.homeDirectory}/dl"; - music = "${config.home.homeDirectory}/music"; - 
pictures = "${config.home.homeDirectory}/pics"; - publicShare = "${config.home.homeDirectory}/public"; - templates = "${config.home.homeDirectory}/templates"; - videos = "${config.home.homeDirectory}/vids"; + xdg.userDirs = { + enable = true; + createDirectories = true; + desktop = "${config.home.homeDirectory}/tmp"; + documents = "${config.home.homeDirectory}/docs"; + download = "${config.home.homeDirectory}/dl"; + music = "${config.home.homeDirectory}/music"; + pictures = "${config.home.homeDirectory}/pics"; + publicShare = "${config.home.homeDirectory}/public"; + templates = "${config.home.homeDirectory}/templates"; + videos = "${config.home.homeDirectory}/vids"; + }; }; }; }; diff --git a/secrets/environments/acme.age b/secrets/environments/acme.age index 254458f0f1f4858921d2e0a3070a283dc2e667ba..b3edd33cccf6b32e2df3caba43a2100f7d53825c 100644 GIT binary patch delta 554 zcmeyw{D5VGPJOwFYmRqmSb3hCp-*vHv5}jZrL(rbVXkROh>@3BXlY4$Vw9(cyH8Y} zFIS?OQFdr{ZdHkqd5V6OyKz8(sbz4ATaHhXQL;x)UPMwxMj7V5j+Lesm1Y4Y$@=<+1=^tzS!E%9foZPJA%R@EmVRYH zo^EA9iA6?XX~qFYnPIL01!=A&1|FVH&H;JO`j+l#xrrfB!6xV)@r=xK@efq62=+A0 zad-1}_AyVX%t|zKulLqY4R=k?(6KZw&B{x1vvl+13h~RxG|mahF)S)I zFU`)&3h)cn&(0{!FRJt|&x>%)@<}rb@eK>`b2AU+($&>f$P3H&(k_flbk6oEDD$f< zNirx*^exaY4bD#T_sR3MbjnCE%P}=_EGR1Gn$L^4quq-cE_RNe hwr_s>si!GzOKys$(1S;;RayHJ+2+}{{CRr20swe5$D05E delta 443 zcmaFB@`-tZPJK>TR*7r6Q*dTtxOupvyN9=dPgSwEX+>hOc8E{0L0)QUsCkIHW0rQF zD_3clWm!(TYeYt*bDoKLNoquz!PDFCPS+b|LUwCi zw$p7-VtGx{%xi!Coiy&hWXZB+^3B@@HL9F{1D7shyYHX&W9{w!up(bq_qm7t&QF`= oZ?3s@`tp^NgTi~P`{%s;wWqXvr^wcMYdW78^m<;&NcyA(0Hp4rv;Y7A 
diff --git a/secrets/environments/vaultwarden.age b/secrets/environments/vaultwarden.age index 5b332f293fe4927d81da9d108b57aed6915b733c..fdfd8bc634b12dcb975c7e61e54b9ac17acc1bd3 100644 GIT binary patch delta 637 zcmX@ivXOOyPJL=ov38JKkgG*bNPxSUt9emsfJL%Fen4@tp?snqPWqS!r09 z30IV5xVC$qWqM|*SCvz?d4x%db5VguVq~JXlS#Uhr-@r?ghy_gcaD#f1(&X!LUD11 zZfc5=si~o*LQa}*SZcaLK!sbrvAc0ZaH@7#WwMKtqg!ftsGDhNVw7`6PqyM#Z5%WkIFdmR^o7&aS>(7G8yE zo>l2drXDG#7U3Dju0e$%rsh>1MZu0i5fKL7QQ2AfenBn<0nUNwKJkpqbMX&U2rdiP z&u}vdbBqe}G7HNKji@gv33Ey}$_Yyj4h)GZ@XxjgE!TDoba4qa;VSUWGIDYcG|0Ei zax*9lEyymc@NmgBN%p8P@T2nsa~&-0EdD~~Y9=c*D}wPM9b@7VgQb)2^5SzDrJgtRPv z!>?-b@YA}fAun8aI$-Dm>z4rdcw4IFPuEnc+ZGFeWqLM zA>sMg)91*y^STEoYG1nk>%=yxhn6<#E#G|42wRJ?2^fi-5s8_$@38o8BY|-CW8&9$ zPCM{so>1qSLw~=z8NV^U^;qZb%|uuE*64j{J8$r(*d8!Du#k0U+r-+lewTV*%vgK7 RFE;4TvffJ9s=Lkn(g4EX?-2k1 delta 526 zcmdnUdYEN`PQ9OxK~`m9luKT?lUcrJs;{$la!^EsL7``2fWARUa#dPjrBhXAo=;&` zC|5yBMPixL6uvOhmn3+I+w1ULUD11 zZfc5=si~o*LQa}*SZcaLPGVTTW2$~tZfT}(YGOrjikpi;rbl{Fl3P?jsfA^FK$uCG zcSM0tRBDzhS6+T;mUoG1c7C>DU{aQ;UwLGphqGx=nwz&6?MWq&bMxMrL0p-Eo#qNG4;o-)i!Kr1&7On9r} ze!+Q;CMl++VFo^B`i2!g8BxVmc_H~F5g}gnkrgH(+NP-nT&t&CTgP`XbdPf8UDf-m zx{Bvq+8=+^e$uk5a_e6D_%lS^lV2v&VUYCq{%Jmzz}IzxFE34%&MAI!&ZqpwJ;{r= zMVG#r!?r^yOL@&Rg&&8%ovN9(#N~k1EOpnFA0DV&HCuC3Y@yFA2HD)O&r6SA3jLAp zFYmfpLsZE2$+|G9<}c26{2d=Z3f%tD{B&7f`n)$S&koqdY~qvrki4^B;&jVJ`Oh-* Ywym}P_Ru2gqS|diF`MknC5L=H0r8U1wg3PC 
diff --git a/secrets/keys/wireguard/dryborg/presharedkey.age b/secrets/keys/wireguard/dryborg/presharedkey.age index 9940f018442812bea110720fa37a5d15dbd49926..e09e42728f1cdb7e43f675d313388db136ef4cef 100644 GIT binary patch delta 541 zcmcc1e41r~YQ4W(h*xT$f{AfOfMIHhdq7ZCNcadC!jYKoDmsiCDpPMU96YPv$WaZtKpR)$f2V11rRu3>4Ur=MrKOIC7ra$%06 zSCF=+Ygk}ureU~gPM{~3e{oh&W^TD}nO|O1mY-jMVR>0{hNZt_aG9Z(VTor{g?Cki zg-Ky{c%?78bw-uR?#by2g{6L(;V#JqN#S7y+RnbIk*VIUK^2bamRX55#;IPZMPZSS zX{iRG#i`k@Tt1a1N&d##DaQT*L2I)!e#^q_|1>xS2 z6F-XAhgO<~g-3+tl@^61`$ZUsWrnzVm`3@hm!$_9>pPcaq?%P`q=vYa`rF-Nj`kNP+J863dy1SPbS!5aI2ODO(SOl7wRtB1924}i*>FVk#lsh_BxhHy> zm75k|Wk7nkV`5%ba%f1ErJ-+H zQgA??Us`xNms_@RfJcOWerj%NsJCO1Q=~}a>`kv0^CW%?$?&ZmO$vMSb{sk35 zMrNLsVTHw!mChOId8q{+#>xH}QH6zug#rFaZlM)kNreH%rDo-m;~B;4i;UAEO^rkH z(+pfJ%0i6HqqIv4d>u0?qg=GZgA6_V+#EAQ^|LJWeT=fXGRjLMiwq;n{oM?WoLs#e zlfyy^!t%WXGYmsZ(@KlN-Lmrh10p@cy^VaibaizVlKc{rJOfNp!i~*bGmE1FEdx`+ z(j&bh!+nFIqKeWi!_2kA(o%}FJzRa#xi%m8^tho-C~0%otR2F~SH7yViMqao`AeeT zd1GU?g%?x&8D=;(ls;pyoW7rfZ=J8M(%N^T8k@~rj;`o%*ng;S ssh-ed25519 lfMVeg wulS3MiEAmeRiQWR+2m6WB2lPgPvbGLIoPpIcpTjwEE -I0SrCm+wG3tRn1St9+bnwAJGSWAIA2TP6LKPQCaVCdc --> ssh-ed25519 2ycGcg +gfN9hAI6S+2CVGp0xi+M3OJ2JfqNCubYFhKwXa86yM -yWls3U6P8ViO9a+gNuT/fW4txOfDD7wqOmQz6k6O2fA --> ssh-ed25519 SiBV3Q 8+vLtNNsx2DWecy31lkXpGac78wpHu2xSu/NF+RDZGM -l4FaoEWeMgPIGnEuPJkDoFAmoxAM3gFLmiASxqZ/Gt4 ---- RsgxQpG7CP2JVKUmJC5975cY5hCuXeDYF4wMoOBM2XM -,\j^NvϕwGτI YԅDO_@un诔S'H&v)lQ \ No newline at end of file +-> ssh-ed25519 OFTJeQ GLjSObPnRwi54E90PLmN56+01/XWV4ncMb2hIQVAIRM +K5wnX6U4R7vWxJIAhR46Y93nYbfY8ywgCBTpl32h3Ok +-> ssh-ed25519 lfMVeg P/y5kw0684nepV8zw7AVrKJdVXp1m9QRB92emoZtgic +3jdvPwfHqNCipa4FZCheRyloGTpl+nWopB+VmYxmnEo +-> ssh-ed25519 2ycGcg i/V1Jxl9MZXbkFceyTx/jA5mgt55u6pXvyZMUnJKnSI +mzZDa0QvpixtEyk7kR98a2MBTHq3FXLIifQ/RH7WsIo +-> ssh-ed25519 SiBV3Q 3ihfgMuU8fsUkCHOjhg9+lZxK3hreLV+OD38nfJvNVQ +TzKuRHW2Za7NLK32MFzXlXlBJnyTvaL7907Fv42s2/k +--- fMhdIsuJ19h9GqERg+zyub8z2L46vIoIb/RF3NC3Izs +Qgyz˄1r&ʿMV9*T#`:TQtƖ 
92$vR_ Q4sFf4 \ No newline at end of file diff --git a/secrets/passwords/anki/admin.age b/secrets/passwords/anki/admin.age index 0210eda8c0e1b429ae126a0a8a04331337b9fa31..7c14ef2e14d8a63da9af77a1371ace89ce6d3708 100644 GIT binary patch delta 540 zcmaFNe34~>PJL2oxN}gMUqEn9X||8KpFu`Og=vVnM_#^mc7S7f~}B@xM7rN#ly z?j>HPl}1q^1qQzQ5e0eWkpX$(rM{_#C8bWDhCvy@#+gMyL6#=yKJkpqbMX&Uh^)x5 z$TDy$F(}D3bj~kz%&yP#DoHmitOyCU^b9R?jr0wzNOCp`F3&M2=W;1B4k!t$aIZA7 z@HhANiu4LhHwsQRNH5lo^2tvta&`?b(2g_?%5(H^< zjv@lG^%GtSgE;CgUIn=e9@>w)(__W3M-s&Woa6$@X# z{>0y@QHB0aZV9hUZ#&#(dda<*p@F?H?^=Aby~;DC6HAPj`twY?zawcwoc`%Rg(V-l S^%j{5MlAaneAprA={W#fq`d9` delta 429 zcmcb}@|byoPJLmezGqIcYiWQ%gll5Cw^LbVnq{76ajs*KQ&OZ$Xi0u)RYqoNP=%Y5 z0hf`Hp|PuZNSJ=Ut9yo{Pe7@ko1=ASfo#2Kw+Wl z#E;_jX65N2P98p<#koH2g+>)=#aX_g#UYuQj=?FG?oojm73HQz5X;KrT_o{ diff --git a/secrets/passwords/ddclient/cloudflare.age b/secrets/passwords/ddclient/cloudflare.age index a2bf30a..22dcc36 100644 --- a/secrets/passwords/ddclient/cloudflare.age +++ b/secrets/passwords/ddclient/cloudflare.age 
@@ -1,9 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 OFTJeQ Duzy5R4T6qjIQNDaM/rMLtn6owinrOPR7bsj+zNyF1s -vuz3upwrRY+p9neicV+/MYqIpqPP8LxKjb/MSd3AG50 --> ssh-ed25519 lfMVeg F5b0npiotrpPjEqEEmq13iIWrEG1duL/r+A+fFt9MUw -hXV7o5UqSnrOYmTO4PudLMH2nTn3z134YuD78ogNS+Q --> ssh-ed25519 ueRyzQ Msn3gbqPbt4anEbYGvuroa3Clgldv0c2yjJm8sviWig -qwsS+8V0LvR6aWWlC6/8V7oP4ClTPIH6UF7vIbSFLM0 ---- /UJ64tEwx0Jus9JEby8z4X9LtlPoYMCUTMk3T50Flbk -} EuKh<}gף)NGxMߣ{*$g`)?rNF*(w 'i \ No newline at end of file +-> ssh-ed25519 OFTJeQ YV3PYBAAYyXqFKJZMzgWcvUiUMr0FXT1mIVu5c8ADi0 +iYOSAD0fp2AQx2xYrwZVKz8jcxLI6dZaUYAEeRco6n0 +-> ssh-ed25519 lfMVeg aTw9/kKTrhfe3wuJU61+4WWhu0boEmNQW4PH4WymfQc +pW37WMQO10S9gn4FPlNQ9I8SZiJ8zrN539WjZ5riG4U +-> ssh-ed25519 ueRyzQ jduJfxSB+1+TXaoZQk8IC2OluzEhIf2PKLrqgZPgPgU +DFnKYH1DGcvdBblibUO+1apJ6658bUJOsb+ZCVPScy0 +-> ssh-ed25519 IYnDOQ ccAK15UhEam0UtwKEPpjPdIOdOFmBRY6riNAaoUNfRE +RqOsV0RIp8kB+pDQeidONMviP4dKu1hiwTR73oa3Uxo +--- 67ZWOJB/9Zc7tUTHgVFFMWWeHOU6RzIf2HN2qXH05RQ +I%8!F;wwkK}?K d y.N$fe?r \ No newline at end of file 
diff --git a/secrets/passwords/gitea/db.age b/secrets/passwords/gitea/db.age index 64ac79a8584dd538e996d17679fec852fa5eb909..73cd556ac838635c8d940e58ba13931f4206187e 100644 GIT binary patch delta 541 zcmaFDe2Ha(PJLCWew49SR&jx)PpC^yX<>1tTToh2No9qRsk2vFqLX=KaAtUFW<{c_ z1(%aWkfooQL5O=wq+6v zP^m$FsBum)SD2%ppI2F^ky*Z@e^OMssdDC5uGvMA!ByFTS>9nu&Q*zi6>b5J?p2;#DG??{ z-c=D!nf_iS6{&>tzAE>ChS=hD^HRWJxHitzQyHO))UsS5FT z57l>c3o|mvb}r1SGV%#G)i*UNv2+YCbj!^$;942xY-qE+Qpkt%W0I?-YM!9*?l~2? zg0;_ndv0g?$XS+qx%SrQEy9oZij*VV^2%epU;N(~6lj~R7@c$7{mWxsC%X^r1?ijE S{QtZ$KcBC^W^(DvXD$Hh9lg!~ delta 430 zcmcb_@`QPUPQ8(Vr<-M1WvIK4vu9F%Zg{DmOJKf>nWLFwM3GTIuwiyZp__JAL}hY? zCzp1jTTq}yW>}C#m}`J(NJvpYfpe&Ns+qrEsY`%&v3G@^sYP&FMu}s90hg|wLUD11 zZfc5=si~o*LQa}*SZcb0rD2#!P(*G~x`%UKkz1&fzMHq9rB79+xo?0)p}t|Zdst{n zWoCs-g?D&5mtRGcZ>gK3g^O8Wfu*shi+4&!N~uM1c|>T0c9waNX^4qSdSH=rfwqsy z#E;_jCC ssh-ed25519 OFTJeQ ZR/HXJbMffa0GONFhLI54XbnMfUa44IBtmc35WfFalE -5k336aLzA40CP1qy1bhpAeOBMf/v8acDsbT3ehJgNH8 --> ssh-ed25519 lfMVeg rNkPlKPIOnU3MX1DRAAqUrVCl2aFCD1LiULqgT94ih0 -s1dizDfvjFexbtOaY+8LHT4rASAmna+YtI6sThwY2lo --> ssh-ed25519 ueRyzQ yXUlKmMDvGQpYHDPax8AOmAupPm1MlOB8O0dWLZlPxI -a/+l6l8f6Bwl6cmfob0lZnBriQ5uGE/zK/JDRwsp3+o ---- k6YDdEeu5493P74E1pt8yOaWrlKxq5KEEfokK+FaFq4 -Єunh(Qy5bY< ZDw0 #8t! \ No newline at end of file +-> ssh-ed25519 OFTJeQ Z0zahyJ9ZN+iPyEGZcdqkctRGtZHedg0n9hpw7yCr1w +tTaDe8+Ki2S7v3F/+0KgJ6EyS89WETy3/pSWUf3qA2g +-> ssh-ed25519 lfMVeg 7yJmsdpEXhgRekyoMU5Ut62hvo7sI+ZyLoasrzjtOmI +qpH5kucqYFin9PZw38am7WkJWH+Cp0C7em22QiQsQJ4 +-> ssh-ed25519 ueRyzQ WGMVo2WuCuHNTZ6/a+3cPOXU50EEK/yhnyX//IrtUx8 +2t+CUgdBuivea8Ij4tavUQTX2mzTpIUz/8FuweVJ6uA +-> ssh-ed25519 IYnDOQ P5amA/utlNaNK4/YP1L3RkL/k1N0MtucTobGZxeKqw8 +TBwo9Y/YTzJxw0rmzz6V1W8kmQYHw8YNt+/MLOQalyM +--- Ykljx1ff/c4OkoyHs4rzrKnfIEuAW3zM5MCk5p/UT1g +. g:ոdJ~xYe߬,@<CKk0w`r~}K \ No newline at end of file 
diff --git a/secrets/passwords/paperless/admin.age b/secrets/passwords/paperless/admin.age index 7425ee9adaa0c2ebe5eae754b6450a691b761bce..e359ea467bd27206c82ade373682e0a9b7958999 100644 GIT binary patch delta 522 zcmcb}yq{%)PJNzlM1f~TQi`{mL6Dn;ucc{FcuGldWVS_`YjRY!ldDfp+SMO z0aw1hu|YtvdsJ#bR$)Y_cB!jjM4*qQpIKBzeraf;cSwkLsE37TZn;mGE0?aFLUD11 zZfc5=si~o*LQa}*SZcb0vw?3xW^s9nf3k;mgm;9SuUnOAq*JnfepQ5iinEt#k&~gh zL7|0*X-b4ASFn?thksd!b7HY`s*90lfswmOib1+bK$=%-NkNcdc)6ihm05a0aA`^L z#E;_j+CE9feinI_`L1TZM*g0@zNwj6m0?CvW)Vrw=D99O0X~L>X^|Pu9u?(WUWM+3 zMcL&ZWk!XjQU0!pxt1wr`aZ6vMP~jcjzMOT`d$&)PL8e?sb<;eKJkpqbMX&UFgGv` zHPg>bbT2E)b2N_(_Nb34HSmk{_pEX$^hpjWF32nmHcbplGBgkM<#Md_Pl-shOe+dc zb}w-(Dk;v*4fb#}Gx0Jo@{Gtg40ZEM2{-k&G{_H4=hD^HRq*jBbgjrT3dl|@Fm`eF z2u~}DG&QuyEvYascMgq;2&$^Eu*i0)a*NcDZW- delta 411 zcmdnba*=t0PQ9m>Z$zkDW>r**segJ!RfSt=X<1@faH*kpW^q}TVUVklQA%)rda8v- zC|6=gR+)K0xNDY0P@-Y5ep!);vq@lZSdw{GxN)LaW>BGzg+WSGuxWvrE0?aFLUD11 zZfc5=si~o*LQa}*SZcaLW>%DYxU+jfP)2!%qqCEnv0I*DqLWLJZ)sL!xrw&7d1gdJ ziNB>`Kxv)vYENRc}9_Ch<}({Mp3CzrH`?3q_LUr z#E;_j*_kEY`Dvz+7G`B3-kz4)=Kj8hrbdOK1_1@-2H6?uRn8vfmA?5^?uNx&MlK1O%P z5uOFwE~aj#2HJrxMR|GI9>JE`PM#^1p23A)!KsCnmEi%AT)PrenVo8;o$zsEvbg-I z`gX$GjXO