chore: routine maintenance
parent
c45ba82b90
commit
c7743490a7
75 changed files with 1200 additions and 634 deletions
|
|
@ -8,6 +8,7 @@ in
|
|||
{
|
||||
systemConf = {
|
||||
inherit hostname username;
|
||||
face = ../../../home/config/.face;
|
||||
domain = "net.dn";
|
||||
hyprland = {
|
||||
enable = true;
|
||||
|
|
@ -23,6 +24,8 @@ in
|
|||
|
||||
imports = [
|
||||
../../modules/presets/basic.nix
|
||||
../public/dn
|
||||
../public/dn/ntfy.nix
|
||||
./common
|
||||
./games
|
||||
./home
|
||||
|
|
|
|||
|
|
@ -2,25 +2,25 @@ wireguard:
|
|||
wg0.conf: ENC[AES256_GCM,data:drqs+CkZVZH4K87jWZLy33NuqPeqLkyTp6mDoxcOsEYGaIR38pommv4TSynAOvrUC3dCw9O+qLHEiSwlJGoZOQKFzHxUefKrCtkRMCE3ytDKFmJbLoKT/GPxnOOenIm8JxKX6nsLaqCk36ODXzTA8iU8ICN2zqoCiodjx72Ge2KckQzSak04v28B6viuzfl8zipD1Fetm72sOBTX0I0WwoziDBBL77x1hX/8POob3ISrTejhik18dxAPLB9H3iVl1aOHhszsrAYB26IfujY/FxRqIrn8v+H2aFen3oowRjd/wTPtc/rLZj/7n6/Sl3NDzOE+jIYYG7yym7lkUM9Z,iv:oS01iUSG0ufUzIsfPD/jF3/TPEDDBp+CnnLQnyze8dM=,tag:mtmY3OVz3k7eu5Lxe14KLg==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1z6f643a6vqm7cqh6fna5dhmxfkgwxgqy8kg9s0vf9uxhaswtngtspmqsjw
|
||||
- recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkczZGckdvWVdlaFFxQmox
|
||||
eWM5eGtoOHIvbTlEc0RnSVN1REVMSTBXZURrCktDeUxMZUY1cHRtKzRLTDNDUU9E
|
||||
aldkcFZ2a0ZzUXdOSjZWeHVPZ1FJY1UKLS0tIGZZTlk4OWtZcERXME5YNk96cmc5
|
||||
M3RPbkRxSFRXeEU5MFZxLzl4clpabDAKiCaiEKZwaCUGi6DRtzb786c8qB+EiiCn
|
||||
YHrCvm5F72vAmDAozqtTjZM1Dt4yQDxPNMWKFyUzxY0TDpboGrgBHA==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqeGx5aDZOeVBDSWpjUlV4
|
||||
WEZuK3JBQnVySmQySFd4dnNKRkdVR01pVVRNClE2WXQveG9aaTZJUHVHaUdoOFht
|
||||
VENZMHF0eHkzb0VTUEN2TW5OYjBxS0UKLS0tIGlOb1VYdHhMMVd5L0RCSEVabzMx
|
||||
Q2wvRjV5SGQwZ3ZRNmYzSW5pdlJNTE0Kyg2/VqHJngn/n+OJbIDSn4fy+KjanN2o
|
||||
AufQbRG46T4kXeOwmtMp+5oRIrxKMibu8bvQpR6DjsHs0xmXhhlFAw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age17rjcght2y5p4ryr76ysnxpy2wff62sml7pyc5udcts48985j05vqpwdfq2
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1SzNGcVFkSS93VnQyUlZw
|
||||
YkM0U1BUTTF4ajY5VU5LOHpYbTBaYnBsUFZnCmx2a0R1VCtkcTUrT2VNMGRRc29H
|
||||
R1hVSHNDSjlwdk1RUXZYdkpFeUFkY1EKLS0tIDdVdU92STZIN0JmK0ZPeldsYlRG
|
||||
eWFnVWcrUVpRVDQveTloWk9LVm4yd28KppalVePvXwPks+2TKHqG8a+uZjpgQo3I
|
||||
edhrdNan56Ly5mLFyXmGlww88nqQMTZq4DODtyfF4+rRlyv0i4AEEg==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0N3pUMHNWVGxwOWFKVS9a
|
||||
dEYzREFSdkR0bldMSEV0b3dZMnlsQUE1RTNVCllPblJUMG90RlViZ2N1RU1TS2tO
|
||||
UnlHS0IzT3E3bER4eEg4SlQ5QjNZQ1UKLS0tIGhtTTlUZHVrbUZiRHZCbEt1K2w0
|
||||
V09NYXpBYXBtYWdBajJubmVFL2loY0EKJdYKQHPriOT0eouvRUiCyqLSTzugUZxl
|
||||
BFTwfCez1/K2ERKQkKsMfIARbHaI2SRyDxM2O1IJ+DOIJ2383K6Gvw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-10-15T08:06:35Z"
|
||||
mac: ENC[AES256_GCM,data:sinK5N+aY4PwsqtHhyAI5a6YU7uhKkh5APrtQorgCYHJ1Q3p3Fit//UOnY86kK/CiXS/OQ6oZZi5XjJOKULThp8X2JSu1iAdBK2Sl11AD1kGyDb69vuYr3PlAFWDdp5mbjMAPACukUpeiIL9jfZWL06WqzGSz73hDHP3T90BZAE=,iv:bcT/JWtuy74/5B/S4vzEgv8Vcnw8aMGNr8f2ON7uJI0=,tag:iA/iW+TFxyW1PWZKtr+Kqw==,type:str]
|
||||
lastmodified: "2025-11-21T12:34:30Z"
|
||||
mac: ENC[AES256_GCM,data:LUqoXWMhmQQgqq1AX7I2v7z58ywstjWzsVTav9iu0RrkCxeB1u5V90E4tcnfjtquLwjiabpLSRpkUXE33DhqcgxLIklX0Cpld5TK1Bsdn8DXyKk1Lhfdf3OL7cn14kb4CqXTNlDyqwM+BBsYmdFQzPjb8IPiD9y+mTO5yHuAta0=,iv:mbHhZdv+0lDI9cNUsI3oatwbItQ6Xfvgm0UMQdu9FKA=,tag:aPFWPwahvMjBojzthZZ6vQ==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.11.0
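Review bot: The `wg0.conf` ciphertext appears only once in this section, so the value looks unchanged, while one age recipient line and both wrapped-key stanzas were replaced; if a recipient was dropped here, re-wrapping alone does not revoke its access. Anyone holding the previous age key and the repository history can still unwrap the old stanza and obtain the same data key. When a recipient is removed, rotate the data key (`sops rotate`, or `sops -r` on older releases) and regenerate the WireGuard private key itself, since the old recipient could already read it.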
|
||||
|
|
|
|||
|
|
@ -55,6 +55,9 @@ in
|
|||
|
||||
imports = [
|
||||
../../modules/presets/basic.nix
|
||||
../public/dn
|
||||
../public/dn/ntfy.nix
|
||||
./expr
|
||||
./common
|
||||
./games
|
||||
./home
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
{
|
||||
imports = [
|
||||
./netbird.nix
|
||||
# ./netbird.nix
|
||||
./osx-kvm.nix
|
||||
];
|
||||
}
|
||||
|
|
|
|||
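--- /dev/null
+++ b/system/dev/dn-pre7780/expr/osx-kvm.nix
@@ -0,0 +1,14 @@
+{ config, ... }:
+let
+inherit (config.systemConf) username;
+in
+{
+virtualisation.libvirtd.enable = true;
+users.extraUsers."${username}".extraGroups = [ "libvirtd" ];
+
+boot.extraModprobeConfig = ''
+options kvm_intel nested=1
+options kvm_intel emulate_invalid_guest_state=0
+options kvm ignore_msrs=1 report_ignored_msrs=0
+'';
+}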
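Review bot: Membership in `libvirtd` lets `${username}` drive the system libvirt daemon, which is effectively root-equivalent on the host, and that deserves a comment next to `extraGroups`. The `boot.extraModprobeConfig` block also changes KVM behaviour for every guest on this machine, not only the macOS VM: `ignore_msrs=1` makes unknown MSR accesses succeed silently and `report_ignored_msrs=0` removes the kernel log trail. I would add a comment such as `# host-wide: applies to all KVM guests; report_ignored_msrs=0 hides ignored MSR accesses from dmesg`, and consider leaving reporting on unless log volume is a problem. The `kvm_intel` options have no effect on an AMD host, which the file does not guard against.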
|
|
@ -2,9 +2,10 @@
|
|||
pkgs,
|
||||
lib,
|
||||
inputs,
|
||||
system,
|
||||
}:
|
||||
let
|
||||
inherit (pkgs.stdenv.hostPlatform) system;
|
||||
|
||||
vmList =
|
||||
let
|
||||
kubeMasterIP = "192.168.0.6";
|
||||
|
|
|
|||
|
|
@ -2,11 +2,9 @@
|
|||
pkgs,
|
||||
pkgs-stable,
|
||||
config,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
protonGEVersion = "10-15";
|
||||
# ==== Needed for special import ==== #
|
||||
shadps4-7 = pkgs.shadps4.overrideAttrs (_: rec {
|
||||
version = "0.7.0";
|
||||
|
|
@ -39,20 +37,6 @@ in
|
|||
echo "AUTOEXEC LOADED SUCCESSFULLY!"
|
||||
host_writeconfig
|
||||
'';
|
||||
|
||||
# Proton GE
|
||||
".steam/root/compatibilitytools.d/GE-Proton${protonGEVersion}" = {
|
||||
source = fetchTarball {
|
||||
url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton${protonGEVersion}/GE-Proton${protonGEVersion}.tar.gz";
|
||||
sha256 = "sha256:0iv7vak4a42b5m772gqr6wnarswib6dmybfcdjn3snvwxcb6hbsm";
|
||||
};
|
||||
};
|
||||
".steam/root/compatibilitytools.d/CachyOS-Proton10-0_v3" = {
|
||||
source = fetchTarball {
|
||||
url = "https://github.com/CachyOS/proton-cachyos/releases/download/cachyos-10.0-20250714-slr/proton-cachyos-10.0-20250714-slr-x86_64_v3.tar.xz";
|
||||
sha256 = "sha256:0hp22hkfv3f1p75im3xpif0pmixkq2i3hq3dhllzr2r7l1qx16iz";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -1,4 +1,8 @@
|
|||
{ config, lib, ... }:
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (lib) optionalString;
|
||||
inherit (config.systemConf) username;
|
||||
|
|
|
|||
|
|
@ -4,6 +4,7 @@
|
|||
./mail.nix
|
||||
./nginx.nix
|
||||
./wireguard.nix
|
||||
./nextcloud.nix
|
||||
# ./netbird.nix
|
||||
];
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,35 +1,42 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
domain = "daccc.info";
|
||||
fqdn = "mx1.daccc.info";
|
||||
inherit (lib) mkIf;
|
||||
mkCondition = (
|
||||
condition: ithen: ielse: [
|
||||
{
|
||||
"if" = condition;
|
||||
"then" = ithen;
|
||||
}
|
||||
{ "else" = ielse; }
|
||||
]
|
||||
);
|
||||
|
||||
rspamdWebPort = 11333;
|
||||
rspamdPort = 31009;
|
||||
domain = "dnywe.com";
|
||||
fqdn = "mx1.dnywe.com";
|
||||
|
||||
rspamdSecretFile = config.sops.secrets."rspamd".path;
|
||||
rspamdSecretPath = "/run/rspamd/rspamd-controller-password.inc";
|
||||
in
|
||||
{
|
||||
networking.firewall.allowedTCPPorts = [ 8080 ];
|
||||
|
||||
imports = [
|
||||
(import ../../../modules/stalwart.nix {
|
||||
inherit domain;
|
||||
|
||||
enableNginx = false;
|
||||
dkimKey = config.sops.secrets."stalwart/dkimKey".path;
|
||||
adminPassFile = config.sops.secrets."stalwart/adminPassword".path;
|
||||
dbPassFile = config.sops.secrets."stalwart/db".path;
|
||||
acmeConf = {
|
||||
directory = "https://acme-v02.api.letsencrypt.org/directory";
|
||||
origin = "${domain}";
|
||||
contact = "admin@${domain}";
|
||||
domains = [
|
||||
domain
|
||||
fqdn
|
||||
];
|
||||
challenge = "dns-01";
|
||||
cache = "${config.services.stalwart-mail.dataDir}/acme";
|
||||
certs."default" = {
|
||||
default = true;
|
||||
provider = "cloudflare";
|
||||
renew-before = "30d";
|
||||
secret = "%{file:${config.sops.secrets."cloudflare/secret".path}}%";
|
||||
cert = "%{file:${config.security.acme.certs.${fqdn}.directory}/cert.pem}%";
|
||||
private-key = "%{file:${config.security.acme.certs.${fqdn}.directory}/key.pem}%";
|
||||
};
|
||||
ldapConf = {
|
||||
type = "ldap";
|
||||
|
|
@ -39,17 +46,19 @@ in
|
|||
base-dn = "ou=people,dc=net,dc=dn";
|
||||
attributes = {
|
||||
name = "uid";
|
||||
email = "mailRoutingAddress";
|
||||
email = "mail";
|
||||
email-alias = "mailRoutingAddress";
|
||||
secret = "userPassword";
|
||||
description = [
|
||||
"cn"
|
||||
"description"
|
||||
];
|
||||
class = "objectClass";
|
||||
groups = [ "memberOf" ];
|
||||
};
|
||||
filter = {
|
||||
name = "(&(objectClass=inetOrgPerson)(|(uid=?)(mail=?)(mailRoutingAddress=?)))";
|
||||
email = "(&(objectClass=inetOrgPerson)(mailRoutingAddress=?))";
|
||||
email = "(&(objectClass=inetOrgPerson)(|(mailRoutingAddress=?)(mail=?)))";
|
||||
};
|
||||
bind = {
|
||||
dn = "cn=admin,dc=net,dc=dn";
|
||||
|
|
@ -62,4 +71,135 @@ in
|
|||
})
|
||||
];
|
||||
|
||||
services.stalwart-mail.settings.spam-filter.enable = !config.services.rspamd.enable;
|
||||
|
||||
services.stalwart-mail.settings.session.milter."rspamd" = mkIf config.services.rspamd.enable {
|
||||
enable = mkCondition "listener = 'smtp'" true false;
|
||||
hostname = "127.0.0.1";
|
||||
port = rspamdPort;
|
||||
stages = [
|
||||
"connect"
|
||||
"ehlo"
|
||||
"mail"
|
||||
"rcpt"
|
||||
"data"
|
||||
];
|
||||
tls = false;
|
||||
allow-invalid-certs = false;
|
||||
options = {
|
||||
tempfail-on-error = true;
|
||||
max-response-size = 52428800; # 50mb
|
||||
version = 6;
|
||||
};
|
||||
};
|
||||
|
||||
services.rspamd = {
|
||||
enable = true;
|
||||
locals = {
|
||||
"redis.conf".text = ''
|
||||
servers = "${config.services.redis.servers.rspamd.unixSocket}";
|
||||
'';
|
||||
"classifier-bayes.conf".text = ''
|
||||
backend = "redis";
|
||||
autolearn = true;
|
||||
'';
|
||||
"dkim_signing.conf".text = ''
|
||||
enabled = false;
|
||||
'';
|
||||
"milter_headers.conf".text = ''
|
||||
enabled = true;
|
||||
extended_spam_headers = true;
|
||||
skip_local = false;
|
||||
use = ["x-spamd-bar", "x-spam-level", "x-spam-status", "authentication-results", "x-spamd-result"];
|
||||
authenticated_headers = ["authentication-results"];
|
||||
'';
|
||||
};
|
||||
localLuaRules =
|
||||
pkgs.writeText "rspamd-local.lua"
|
||||
# lua
|
||||
''
|
||||
-- Temporary fix for double dot issue rspamd#5273
|
||||
local lua_util = require("lua_util")
|
||||
|
||||
rspamd_config.UNQUALIFY_SENDER_HOSTNAME = {
|
||||
callback = function(task)
|
||||
local hn = task:get_hostname()
|
||||
if not hn then return end
|
||||
local san_hn = string.gsub(hn, "%.$", "")
|
||||
if hn ~= san_hn then
|
||||
task:set_hostname(san_hn)
|
||||
end
|
||||
end,
|
||||
type = "prefilter",
|
||||
priority = lua_util.symbols_priorities.top + 1,
|
||||
}
|
||||
'';
|
||||
workers = {
|
||||
rspamd_proxy = {
|
||||
type = "rspamd_proxy";
|
||||
includes = [ "$CONFDIR/worker-proxy.inc" ];
|
||||
bindSockets = [
|
||||
"*:${toString rspamdPort}"
|
||||
];
|
||||
extraConfig = ''
|
||||
self_scan = yes;
|
||||
'';
|
||||
};
|
||||
controller = {
|
||||
type = "controller";
|
||||
includes = [
|
||||
"$CONFDIR/worker-controller.inc"
|
||||
];
|
||||
extraConfig = ''
|
||||
.include(try=true; priority=1,duplicate=merge) "${rspamdSecretPath}"
|
||||
'';
|
||||
bindSockets = [ "127.0.0.1:${toString rspamdWebPort}" ];
|
||||
};
|
||||
};
|
||||
overrides."whitelist.conf".text = ''
|
||||
whiltelist_from {
|
||||
${domain} = true;
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.rspamd = mkIf config.services.rspamd.enable {
|
||||
path = [
|
||||
pkgs.rspamd
|
||||
pkgs.coreutils
|
||||
];
|
||||
serviceConfig = {
|
||||
ExecStartPre = [
|
||||
"${pkgs.writeShellScript "generate-rspamd-passwordfile" ''
|
||||
RSPAMD_PASSWORD_HASH=$(rspamadm pw --password $(cat ${rspamdSecretFile}))
|
||||
echo "enable_password = \"$RSPAMD_PASSWORD_HASH\";" > ${rspamdSecretPath}
|
||||
chmod 770 "${rspamdSecretPath}"
|
||||
''}"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.redis.servers.rspamd = {
|
||||
enable = true;
|
||||
port = 0;
|
||||
user = config.services.rspamd.user;
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
certs."${fqdn}" = {
|
||||
inheritDefaults = false;
|
||||
group = config.systemd.services.stalwart-mail.serviceConfig.Group;
|
||||
dnsProvider = "cloudflare";
|
||||
dnsResolver = "1.1.1.1:53";
|
||||
server = "https://acme-v02.api.letsencrypt.org/directory";
|
||||
validMinDays = 30;
|
||||
email = "dachxy@${domain}";
|
||||
extraDomainNames = [ domain ];
|
||||
environmentFile = config.sops.secrets."cloudflare/secret".path;
|
||||
postRun = ''
|
||||
systemctl reload stalwart-mail
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
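Review bot: The `generate-rspamd-passwordfile` ExecStartPre script writes the controller password hash under the default umask and only afterwards runs `chmod 770`, so the file may be briefly readable by others and ends up with execute and group-write bits it does not need; the clear-text secret is also passed on the `rspamadm pw --password` command line through an unquoted `$(cat …)`. Put `umask 077` on the script's first line, quote the substitution as `"$(cat ${rspamdSecretFile})"`, and replace the chmod with `chmod 600 "${rspamdSecretPath}"` (640 if the group must read it, assuming the pre-start step runs as the service user). In the same hunk the proxy worker binds `"*:${toString rspamdPort}"` although the only client shown is the milter at `127.0.0.1`; `"127.0.0.1:${toString rspamdPort}"` would match the controller's binding. The override key `whiltelist_from` looks misspelled, so that block is probably ignored, and a whitelist keyed on the sender domain alone would also cover mail that merely claims `${domain}` in From.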
|
||||
|
|
|
|||
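--- /dev/null
+++ b/system/dev/dn-pre7780/services/nextcloud.nix
@@ -0,0 +1,87 @@
+{
+config,
+lib,
+pkgs,
+...
+}:
+let
+hostname = "drive.dnywe.com";
+port = 31007;
+in
+{
+imports = [
+(import ../../../modules/nextcloud.nix {
+configureACME = false;
+hostname = hostname;
+adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
+trusted-domains = [
+hostname
+];
+trusted-proxies = [ "10.0.0.0/24" ];
+whiteboardSecrets = [
+config.sops.secrets."nextcloud/whiteboard".path
+];
+})
+];
+
+services.nextcloud = {
+https = lib.mkForce false;
+extraApps = {
+inherit (config.services.nextcloud.package.packages.apps) spreed;
+
+twofactor_totp = pkgs.fetchNextcloudApp {
+url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.1/twofactor_totp-v6.4.1.tar.gz";
+sha256 = "sha256-Wa2P6tpp75IxCsTG4B5DQ8+iTzR7yjKBi4ZDBcv+AOI=";
+license = "agpl3Plus";
+};
+
+twofactor_nextcloud_notification = pkgs.fetchNextcloudApp {
+url = "https://github.com/nextcloud-releases/twofactor_nextcloud_notification/releases/download/v3.9.0/twofactor_nextcloud_notification-v3.9.0.tar.gz";
+sha256 = "sha256-4fXWgDeiup5/Gm9hdZDj/u07rp/Nzwly53aLUT/d0IU=";
+license = "agpl3Plus";
+};
+
+twofactor_email = pkgs.fetchNextcloudApp {
+url = "https://github.com/nursoda/twofactor_email/releases/download/2.8.2/twofactor_email.tar.gz";
+sha256 = "sha256-zk5DYNwoIRTIWrchWDiCHuvAST2kuIoow6VaHAAzYog=";
+license = "agpl3Plus";
+};
+};
+};
+
+users.groups.signaling = {
+};
+
+users.users.signaling = {
+isSystemUser = true;
+group = "signaling";
+};
+
+systemd.services.nextcloud-spreed-signaling = {
+requiredBy = [
+"multi-users.target"
+"phpfpm-nextcloud.service"
+];
+serviceConfig = {
+User = "signaling";
+Group = "signaling";
+ExecStart = "${lib.getExe' pkgs.nextcloud-spreed-signaling "server"} --config ${
+config.sops.secrets."nextcloud/signaling.conf".path
+}";
+};
+};
+
+services.nats = {
+enable = true;
+settings = {
+host = "127.0.0.1";
+};
+};
+
+services.nginx.virtualHosts."${hostname}".listen = lib.mkForce [
+{
+port = port;
+addr = "0.0.0.0";
+}
+];
+}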
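Review bot: `https = lib.mkForce false` together with the forced listener on `addr = "0.0.0.0"` serves Nextcloud over plain HTTP on port 31007 on every interface; TLS is presumably terminated on a proxy inside `10.0.0.0/24`, but neither that nor the firewall state for this port is visible in the file. Bind the vhost to the address the proxy actually connects to (or restrict the port to the proxy), and add a comment saying where TLS terminates; with `https` forced off, generated links and cookie flags may fall back to http unless the imported module overrides the protocol. Separately, `"multi-users.target"` in `requiredBy` looks like a typo for `multi-user.target`, so the signaling service would only be pulled in through `phpfpm-nextcloud.service`. The `nextcloud-spreed-signaling` unit also sets no sandboxing options in `serviceConfig`, which would be worth adding for a network-facing daemon.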
|
|
@ -3,7 +3,9 @@ wireguard:
|
|||
dovecot:
|
||||
openldap: ENC[AES256_GCM,data:U3YYreEqoh+F0Mrli52jgQowrUqIUPmdQps=,iv:vTjHBFsue+89GOCDigVIktgGSZNZv8A2e3GM80o6TXc=,tag:GGh+hsT+yV/I12meXxflbQ==,type:str]
|
||||
nextcloud:
|
||||
adminPassword: ENC[AES256_GCM,data:8LjI2/vQ9aHQfZSMumnjBw==,iv:1hfhKz58v10JfPgipueQVOtlCgBXwruA00BOkhjuN/E=,tag:y/vqcztye4Xlokpbm/jHiw==,type:str]
|
||||
adminPassword: ENC[AES256_GCM,data:69NrA/iP0sfrkdv8ahv7I+ZY,iv:/TXTs0fZw64HELdGr5CzgToO2L2G2mCNdN4Zexz8p+o=,tag:p2hNTxv1xdYmEJ6ZAO3w3Q==,type:str]
|
||||
whiteboard: ENC[AES256_GCM,data:qcZOLX1qJyciKm+4uuOVIopZXG70Jg9Grc07SCjG5ww9DK0myzdqlfWeZKdTsOyTBLMyCE9K7lC5rtBFeSv3ZeqkAUXTQt9QiAN05+tTpHk=,iv:v6fgSz/eh8MZANSbLbeSrKVOdX09pHYZ599BK8Ug2Lo=,tag:JTezfqrInm82K3gB0zpniw==,type:str]
|
||||
signaling.conf: ENC[AES256_GCM,data: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,iv:/xlMQoexPA9rXIlMd7bTQY1ojHuprBX/5quVSnNslvI=,tag:geAR+vPBmDB37/oSnnpqSA==,type:str]
|
||||
openldap:
|
||||
adminPassword: ENC[AES256_GCM,data:jEGuzgs5QTWfdyJenC3t3g==,iv:StfFOcvbDapnma6eAlpaGiBWnqiD3I/wfQsMBzufol0=,tag:892q7N4KrsSQoZYGy6CQrA==,type:str]
|
||||
lam:
|
||||
|
|
@ -11,13 +13,11 @@ lam:
|
|||
stalwart:
|
||||
adminPassword: ENC[AES256_GCM,data:hHQlmztndbB8Ct5Zig8BChz1,iv:kDgSVglIKxEghV/lkcKKxKCzgwVJqcH4l8aXYt7k+W8=,tag:vD14vP2iJEOG4WR6djab1A==,type:str]
|
||||
tsig: ENC[AES256_GCM,data:wxsM/dbkW2fNf86b6TsLRNAce19h7mBEuSzFT84aIlaVZA/S29g1U4/CAwD4b+h/XfBgpZQCJf/9yT3yo6dbGAIAk5UgjV2cNY9pO1/uF1T6xoKDgfRZxA==,iv:9BvP8vQkTTEaNgYUPfQcfEMcWqDyD045EPBr7NyHmO4=,tag:coBBAe62kpe/L0S6V8NhXg==,type:str]
|
||||
db: ENC[AES256_GCM,data:ZRZ2ZzUotYMe2GfkMS7o7dz0aGg=,iv:ys6ogueueESp0y6A+hUG9zTnqmCVobuIzyqA4WVtewo=,tag:p74G+8XhMcpgDnIfh1aXTg==,type:str]
|
||||
dkimKey: ENC[AES256_GCM,data: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,iv:Q5g9kxJKEKLHge2mcgk/UnTNMDFjzeLFLNjlY8KWe60=,tag:yL03NWRK2whOxNjcR3cPyA==,type:str]
|
||||
ldap: ENC[AES256_GCM,data:ygOPMCNIxvWxE9dPBeKGbA==,iv:t+p1/vjEZNDTw7LcaitzYv2xCPtlf/mmQhqXT1OFKXs=,tag:uPYp259FHZu5fut+Bc9eSA==,type:str]
|
||||
acme:
|
||||
pdns: ENC[AES256_GCM,data:eKnahc8HWboYCUpBuEUrdCMhN8A2N2VN0wrmzcyU2OfMeQaswIYSWV4sBzUbj/pono8PaVxK1FBKsn+Ycd4Y6tcxsAkbPfnPkOsbe0FJpz4t9RFLJBLw3U0YTE/TaURiDYipHnvPGYgyq3AziH/xa4WXZxLHGI0x+a/y3PpWy37rT87DWUT2kktPshdO7Mbwn7nSC78WByXmyaUMkT74Sc0FNmCgfijrHk/ATXGb,iv:y3eRZXFbqqf4VuuqHHYdIoiEa1zqRU1XIlEqooJ28lU=,tag:2bIALJFGZyIZT7fyo/y5Nw==,type:str]
|
||||
cloudflare:
|
||||
secret: ENC[AES256_GCM,data:tritGdt3bWm/YtfdF2kO8qIBisa2rGF9/Dpl8R79e6REe//YKZFqFg==,iv:UG53JZ55+gDCPJzKjbVaWnpgOdvqcRoDUg8ef9xOV9A=,tag:JD3s28dsA9G2fqtz4soATA==,type:str]
|
||||
secret: ENC[AES256_GCM,data:Ktk7BtyjaDeOc4Okflz/ZBYpJ7Uy1SeEBV6ofWcToZsvCDT6aTVxGrAKEHIE/eknvnyWOFeSQv/z/Q==,iv:x2ymbLwa1E2FzdomISeyhchya5bowgieO/XuOnoi81w=,tag:Nj+1DRnbvcwiLiEeu2WaRQ==,type:str]
|
||||
netbird:
|
||||
oidc:
|
||||
secret: ENC[AES256_GCM,data:hSVMUEBL0kCvRLD3zd57SLhNIAFOR4eaJPcIIIIUJng=,iv:VhfseftQNlXSDCWuaYQUIklMUCkUbChyWbJl3qgD75M=,tag:vbqov0VgA0XNZfzcr3FZgA==,type:str]
|
||||
|
|
@ -26,6 +26,7 @@ crowdsec:
|
|||
lapi.yaml: ENC[AES256_GCM,data:BpDlz/liFYVZTA66TMWDifGfT4R9l0W9/LOU33rrPVC4YKeFbB1gIxqkUOEDl8fxsou5Jx/MQivyz90lE8yxbcGV/Zzx4ZJaHN+jz6mfM6mADEWp/nUcfO9tECijOhPPYt/8aE3py38NlFZuafZ2CwdL7RmDX7YCjpiIYxXaIjSv61WPD1SLkOkusnoA7bJZ2xmJ/dfEMXEA4LCCOfGQ,iv:922rrz94pD3/R1kGlQyIFkoq/fRSyxaIQ5qllldQMCY=,tag:AAPlwiQP4KMzHZmcMH76AQ==,type:str]
|
||||
capi.yaml: ENC[AES256_GCM,data:UuBESeHfKEPSIzP7RPNES0BVWwJsmPqLP3QJbAeAcm6eQ3sRzUSrVxY8A2yoiLD2lnuJPy2BbYHJpBR7VSfs7oUCc7LljgAp1uB2GH1y8YE46xJLo0TDp873bZJdcsO00ozsbtmWlGWJm7HLrzIUEe0mAjBzZeXe1WDJByGeVqupNLwpXSMaos2ktHjXA6hTGAdE5iIxBAXI6qjldWjRnlqE,iv:hZ2nUaOipU7Top0vsn23yU0XWP9SKcoj85xFo5hD/mU=,tag:32E2o+FOJXM9aMnLQA6KYA==,type:str]
|
||||
consoleToken: ENC[AES256_GCM,data:Q6QWWwcvLd8+ddwPMBzyB+X4gh8I53qSLA==,iv:JD48L59nQYttglAfuKL/lNBzWgBfj01rkIeP8pqmo70=,tag:6cxsQViDGuzjScKkBuO4Bw==,type:str]
|
||||
rspamd: ENC[AES256_GCM,data:8DryYdMyhzBqwqcbYUQ=,iv:5w21u3xqshRSf8IJbG16/Gf6AC2Zw6VnI3MOchN+w8A=,tag:OiiYUDT69SZObgOh1qCL0g==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv
|
||||
|
|
@ -37,7 +38,7 @@ sops:
|
|||
MEdmWkFwNXZoR1ZVRnQ0aWlkYzZwSmsK0EFecUIdqlDKX08oRCoDQQ3QCX1wzb8w
|
||||
lghDJhWlfuKr+X24GoE4UK04aJVLqVMRRI4BJW+LQXeHS+dWKu3mQA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-10-13T06:51:06Z"
|
||||
mac: ENC[AES256_GCM,data:1+X8f7lPwN+ELJ4DmkTN71Kzvvh4V3yiMilOOnz4NCqLRPdtpiQQz8W4VXkOkBONV5816IOCU2Br4kiQnPAkPEiwpJZzWQItqomZTp4gErSGmmMpVf2lbCRfsU2Eg1tgAaS1ZRQx8/o1vSIJtoPVKiqYdYSsNDx2zbafWqn9+Rk=,iv:uZ4BWoJB6LazGy+RAzdhB8uUCSa109R4TdE6PguryR8=,tag:5G0GRihPQKl9n/fJjZr/Jw==,type:str]
|
||||
lastmodified: "2025-11-22T10:29:33Z"
|
||||
mac: ENC[AES256_GCM,data:hcqqPP7EEDrFWwKU3Yl0XM6h17pLXBsmISMd94qYzaxmT/nKnF5bn8dq6M1C9t0Q0vvLjrPm94Gv2HPPJOX960whYMfwuXv/RkORJGb4qXdkXsGJaCrR9M51HArrd7Ba3pjoEyp3Jz9xTNrqg8kCDphBs0oZRV6dQDJUTdLbR50=,iv:eH5T27fthAad/dM5NxXyQawiVmTGgwJbeRXAiut9kL4=,tag:3lGkJMZKo8O1Zm1fB3DJ9Q==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.11.0
|
||||
|
|
|
|||
|
|
@ -10,6 +10,14 @@ in
|
|||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
};
|
||||
"nextcloud/signaling.conf" = mkIf config.services.nextcloud.enable {
|
||||
owner = "signaling";
|
||||
group = "signaling";
|
||||
mode = "0640";
|
||||
};
|
||||
"nextcloud/whiteboard" = mkIf config.services.nextcloud.enable {
|
||||
owner = "nextcloud";
|
||||
};
|
||||
|
||||
"lam/env" = { };
|
||||
|
||||
|
|
@ -39,6 +47,15 @@ in
|
|||
owner = "crowdsec";
|
||||
mode = "0600";
|
||||
};
|
||||
"cloudflare/secret" = mkIf (hasAttr "acme" config.users.users) {
|
||||
owner = "acme";
|
||||
mode = "0600";
|
||||
};
|
||||
"rspamd" = mkIf config.services.rspamd.enable {
|
||||
owner = config.services.rspamd.user;
|
||||
group = config.services.rspamd.group;
|
||||
mode = "0660";
|
||||
};
|
||||
}
|
||||
// (optionalAttrs config.services.stalwart-mail.enable (
|
||||
let
|
||||
|
|
@ -52,15 +69,6 @@ in
|
|||
"stalwart/tsig" = {
|
||||
inherit group owner;
|
||||
};
|
||||
"stalwart/db" = {
|
||||
inherit group owner;
|
||||
};
|
||||
"stalwart/dkimKey" = {
|
||||
inherit group owner;
|
||||
};
|
||||
"cloudflare/secret" = {
|
||||
inherit group owner;
|
||||
};
|
||||
"stalwart/ldap" = {
|
||||
inherit group owner;
|
||||
};
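Review bot: The new `"rspamd"` secret is declared with `mode = "0660"`, which gives both owner and group write access to a decrypted credential that the consumers visible in this commit only read. `mode = "0440"` (or `"0400"` if only the service user reads it) would be in line with the `0600`/`0640` used for the neighbouring secrets. The surrounding attribute set starts and ends outside the hunks shown.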
|
||||
|
|
|
|||
|
|
@ -3,6 +3,6 @@
|
|||
../../../modules/localsend.nix
|
||||
./airplay.nix
|
||||
./davinci-resolve.nix
|
||||
./blender.nix
|
||||
# ./blender.nix
|
||||
];
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,6 +19,8 @@ in
|
|||
"maps.rspamd.com"
|
||||
"cdn-hub.crowdsec.net"
|
||||
"api.crowdsec.net"
|
||||
"mx1.daccc.info"
|
||||
"mx1.dnywe.com"
|
||||
];
|
||||
allowedIPs = [
|
||||
"10.0.0.0/24"
|
||||
|
|
@ -43,6 +45,7 @@ in
|
|||
'';
|
||||
|
||||
imports = [
|
||||
../public/dn/default.nix
|
||||
./common
|
||||
./home
|
||||
./network
|
||||
|
|
|
|||
|
|
@ -384,7 +384,15 @@ in
|
|||
"test.local." = "127.0.0.1:5359";
|
||||
};
|
||||
forwardZonesRecurse = {
|
||||
"." = "168.95.1.1";
|
||||
# ==== Rspamd DNS ==== #
|
||||
"multi.uribl.com." = "168.95.1.1";
|
||||
"score.senderscore.com." = "168.95.1.1";
|
||||
"list.dnswl.org." = "168.95.1.1";
|
||||
"dwl.dnswl.org." = "168.95.1.1";
|
||||
|
||||
# ==== Others ==== #
|
||||
"tw." = "168.95.1.1";
|
||||
"." = "8.8.8.8";
|
||||
};
|
||||
dnssecValidation = "off";
|
||||
dns.allowFrom = [
|
||||
|
|
@ -395,6 +403,7 @@ in
|
|||
dns.port = 5300;
|
||||
yaml-settings = {
|
||||
webservice.webserver = true;
|
||||
recordcache.max_negative_ttl = 60;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
@ -451,7 +460,6 @@ in
|
|||
|
||||
virtualisation = {
|
||||
oci-containers = {
|
||||
backend = "docker";
|
||||
containers = {
|
||||
uptime-kuma = {
|
||||
extraOptions = [ "--network=host" ];
|
||||
|
|
|
|||
|
|
@ -1,10 +1,11 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
inputs,
|
||||
system,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (pkgs.stdenv.hostPlatform) system;
|
||||
listenPort = 30098;
|
||||
in
|
||||
{
|
||||
|
|
|
|||
|
|
@ -58,7 +58,7 @@ in
|
|||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnBootSec = 10;
|
||||
OnUnitActiveSec = 60;
|
||||
OnUnitActiveSec = 360;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
imports = [
|
||||
./actual-budget.nix
|
||||
./bitwarden.nix
|
||||
./docmost.nix
|
||||
# ./docmost.nix
|
||||
./mail-server.nix
|
||||
./nextcloud.nix
|
||||
./paperless-ngx.nix
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
{ config, ... }:
|
||||
{ config, lib, ... }:
|
||||
let
|
||||
inherit (lib) mkForce;
|
||||
inherit (config.systemConf) username;
|
||||
in
|
||||
{
|
||||
|
|
@ -46,6 +47,30 @@ in
|
|||
'';
|
||||
secretFile = config.sops.secrets."ldap/password".path;
|
||||
webSecretFile = config.sops.secrets."ldap/env".path;
|
||||
olcAccess =
|
||||
let
|
||||
olcDN = "dc=net,dc=dn";
|
||||
in
|
||||
[
|
||||
''
|
||||
{0}to attrs=userPassword
|
||||
by peername="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
|
||||
by dn.exact="cn=admin,${olcDN}" manage
|
||||
by dn.exact="uid=admin,ou=people,${olcDN}" manage
|
||||
by self write
|
||||
by anonymous auth
|
||||
by * none
|
||||
''
|
||||
''
|
||||
{1}to *
|
||||
by peername="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
|
||||
by dn.exact="cn=admin,${olcDN}" manage
|
||||
by dn.exact="uid=admin,ou=people,${olcDN}" manage
|
||||
by self read
|
||||
by anonymous auth
|
||||
by * none
|
||||
''
|
||||
];
|
||||
};
|
||||
rspamd = {
|
||||
secretFile = config.sops.secrets."rspamd".path;
|
||||
|
|
@ -55,4 +80,30 @@ in
|
|||
enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
services.openldap.settings.attrs.olcLogLevel = mkForce "config";
|
||||
|
||||
services.postfix.settings.main = {
|
||||
# internal_mail_filter_classes = [ "bounce" ];
|
||||
};
|
||||
|
||||
services.rspamd = {
|
||||
locals."logging.conf".text = ''
|
||||
level = "debug";
|
||||
'';
|
||||
locals."settings.conf".text = ''
|
||||
bounce {
|
||||
id = "bounce";
|
||||
priority = high;
|
||||
ip = "127.0.0.1";
|
||||
selector = 'smtp_from.regexp("/^$/").last';
|
||||
|
||||
apply {
|
||||
BOUNCE = -25.0;
|
||||
}
|
||||
|
||||
symbols [ "BOUNCE" ]
|
||||
}
|
||||
'';
|
||||
};
|
||||
}
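Review bot: Both `olcAccess` rules grant `manage` to `uid=admin,ou=people,${olcDN}`, an ordinary entry in the people tree, so whoever authenticates as that user can read and rewrite every `userPassword` in the directory; the mail configuration elsewhere in this commit also binds as `cn=admin,dc=net,dc=dn` for lookups. A dedicated service DN with `read` on only the attributes it needs, and `write` rather than `manage` for the human admin entry, would narrow this. The second hunk also leaves `level = "debug"` in rspamd's `logging.conf`; debug output may include message details, so I would drop it or add a comment like `# TODO: revert to "info" after troubleshooting`. The enclosing option set starts outside the hunk.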
|
||||
|
|
|
|||
|
|
@ -4,11 +4,16 @@
|
|||
(import ../../../modules/nextcloud.nix {
|
||||
hostname = "nextcloud.net.dn";
|
||||
adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
|
||||
trusted-domains = [ "nextcloud.daccc.info" ];
|
||||
trusted-proxies = [ "10.0.0.0/24" ];
|
||||
whiteboardSecrets = [
|
||||
config.sops.secrets."nextcloud/whiteboard".path
|
||||
];
|
||||
})
|
||||
];
|
||||
|
||||
services.nextcloud = {
|
||||
extraApps = {
|
||||
inherit (config.services.nextcloud.package.packages.apps) music;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,7 +19,11 @@ in
|
|||
upstream-base-url = "https://ntfy.sh";
|
||||
behind-proxy = true;
|
||||
proxy-trusted-hosts = "127.0.0.1";
|
||||
auth-default-access = "deny-all";
|
||||
enable-login = true;
|
||||
auth-file = "/var/lib/ntfy-sh/user.db";
|
||||
};
|
||||
environmentFile = config.sops.secrets."ntfy".path;
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
|
|
|
|||
|
|
@ -6,14 +6,4 @@
|
|||
passwordFile = config.sops.secrets."paperless/adminPassword".path;
|
||||
})
|
||||
];
|
||||
|
||||
# OIDC
|
||||
services.paperless = {
|
||||
settings = {
|
||||
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
|
||||
PAPERLESS_SOCIAL_AUTO_SIGNUP = true;
|
||||
PAPERLESS_SOCIAL_ALLOW_SIGNUPS = true;
|
||||
};
|
||||
environmentFile = config.sops.secrets."paperless/envFile".path;
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -40,6 +40,7 @@ crowdsec:
|
|||
capi.yaml: ENC[AES256_GCM,data:+13mu3XXst8J5okb+jQ/IPOd5TfdcDgLuTP8L46U53GTgTJChQoT4Ttw6xKQhp6L7vNoArQBQL66leRt3DEXATUjxl/Zoi2eymxqLn6/NUpPkv0g7hszJGVbMZEUGjo3IAk5ZRQWaNXHA9mRq/OkHzpMMM6ZpCd0KpY92QbLSHxJ6yUMazL1Wh4hwvyWyN6lLxujrgnZWOQDPZYQmIi+c/Af,iv:OO+Ujqq89SbWcRoqhwiJX2jtIJIUrtgG9xll7WuDhzw=,tag:R+Mx2UAkwA238quvMKCBLQ==,type:str]
|
||||
consoleToken: ENC[AES256_GCM,data:G/UfbMqHW0lecT7vKmZsusvXzgxz6apdRQ==,iv:JJTN1RPhFNMd2gqE3Vw2FvC+bA/vgOiYNfBhr96veIw=,tag:HKbhtwCWkLte8e8uGDt2Gw==,type:str]
|
||||
opencloud: ENC[AES256_GCM,data:NrhvojLoMUbGkWNkfDN12iAU70F9o1MXa3m8RzYtcBU1r9zk0e+4ZlPAqw2SIobMDC3vo3few7cA21ruYGP2p36lskG6UjafyJPJoHQcxlq04Kp/9GVeSsvI3KP08WLmoaBqk6b+f1K57P4OzSHPYKQ4/f51B4yhmt8n/DNg7RgF8wNKi4KUTOBuC/j+T+51vsJdjqHUuBi1y2ZqaolAwfEYbnswNVJUcOxHUezIAGke/22U0fS01+p1JQ/PAzSeDdxuX8dAMDVYHHZ13A07kXIRchpSb63Y5pTLUUAl25zAaSYoq+fZ0s61DZrYCaityZCishhCpJwmyoOsCWEesOpRFYNjIALIxWmM9b3aU/5G1WNiPRdlfvZpowhm3r+4X7QGCoXvuoI94l8DuXW7wN77XhLr7s4w,iv:TrUgpRHN7NYFZw+tihcxJ+dhNi4nIuNHMxNWgCE53AA=,tag:YZNL/Pv8S0hYtSt5IBE1GA==,type:str]
|
||||
ntfy: ENC[AES256_GCM,data:BapVKt2WzKLMP6KsxZ32+SS0mpIy0waqUTI7Rj0yyWA1mF9bstp0VfRv/6Dna41ttecFjyLRMmlF0jLqHXcNtqmlB3lHiE5IvVcEadjGB5C1fcQKrj5CveVPecvxzc+CfMMt4tlzike9TYL2tP5siGQzU7HvpNfIlT/Qfi40j8l7eT+Tne+XAadu/GQ1CH5dWKr8gPrR8fpfw6CgDvvc05SBLlfM2LsfTxz/UNV3vAbfRLchCsqd9s9jcR4UJPoJv6HVe480HXgY5SLcZA/Gh58=,iv:MqYwns9JITCskQo+ADgWghfRCwiSV+IGdUvi568Fmrc=,tag:Re20TMCnk5EA+X9wQRYg3w==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age17rjcght2y5p4ryr76ysnxpy2wff62sml7pyc5udcts48985j05vqpwdfq2
|
||||
|
|
@ -69,7 +70,7 @@ sops:
|
|||
OFloWEFuTC9GTXJsMG5NNktmdmIrY1kK0yN0ae0xNaydujV5lt2FiwXdyursG0DK
|
||||
9i/B3TTAm9csDMMSTSFbiAUJDzG7kIqn++JU/cxvsGScSnhMqjEK/g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-11-05T08:37:16Z"
|
||||
mac: ENC[AES256_GCM,data:Qyb0Zu2MSu3TVdhh6/5iEMhPBpb+hfYFwkxZUSreXxnMtRKRaasKrcjfG/pBWmublUoJpfN6MMSyg5dqKmtPTCFEA1h2TywjjR1elZao3Fj61artd2gTR60heWMzJ1rRdczgYLkTO4dWp0JB3ShF75T5XQM2kGSB/d2pvfYv4bA=,iv:p3ZNr/ZMQhAbF+KbpxqY3/0mz5kkJ8BcwO7yW3NU6l8=,tag:WS9hH77KeeMYVO9eNu5wWA==,type:str]
|
||||
lastmodified: "2025-11-22T18:17:35Z"
|
||||
mac: ENC[AES256_GCM,data:88NsRj8t483hQ1jWu3u+772he7G2oyybf+pcgyFoBpfrb5GZqXzlae7TpTqstRLvXLcvaXXWI+QUA9WKvuozHEZ2OPzP84JbTjj72POBaIf5k9jHwzNrbXdWPlQF0PLHjnguniDeKLMC8KI7Aypww7CM3N3Gkuyr6bVGGDIsPLw=,iv:D0O8HmtjYyTRd+ZeDkGctA79i+LVOh2f8B1vUjWYqPI=,tag:OU77+XJh9nOOo54fmj35kQ==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.11.0
|
||||
|
|
|
|||
|
|
@ -92,5 +92,9 @@ in
|
|||
group = config.services.opencloud.group;
|
||||
mode = "0600";
|
||||
};
|
||||
"ntfy" = mkIf config.services.ntfy-sh.enable {
|
||||
owner = config.services.ntfy-sh.user;
|
||||
mode = "0600";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
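--- /dev/null
+++ b/system/dev/public/dn/default.nix
@@ -0,0 +1,5 @@
+{
+imports = [
+./yubikey.nix
+];
+}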
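--- /dev/null
+++ b/system/dev/public/dn/ntfy.nix
@@ -0,0 +1,46 @@
+{
+config,
+pkgs,
+lib,
+...
+}:
+let
+inherit (config.systemConf) username;
+ntfyWrapper = import ../../../../home/scripts/ntfy.nix { inherit config pkgs lib; };
+in
+{
+sops.secrets."ntfy" = {
+owner = username;
+sopsFile = ../../public/sops/dn-secret.yaml;
+mode = "0600";
+};
+
+home-manager.users."${username}" = {
+home.packages = [
+ntfyWrapper
+];
+
+services.ntfy-client =
+let
+icon = builtins.fetchurl {
+url = "https://docs.ntfy.sh/static/img/ntfy.png";
+sha256 = "sha256:0igypv27phrhgiccvnrcvi543yz8k8rvsxkn4nha2l3xx92yx6r5";
+};
+in
+{
+enable = true;
+settings = {
+default-host = "https://ntfy.net.dn";
+subscribe = [
+{
+topic = "public-notifications";
+command = ''
+notify-send -i ${icon} "[$topic] $title" "$message"
+'';
+}
+];
+};
+environmentFile = config.sops.secrets."ntfy".path;
+};
+};
+}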
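Review bot: In the `subscribe` command, `$title` and `$message` are supplied by whoever can publish to `public-notifications`, and although both are quoted, `notify-send` still parses a body that begins with `-` as an option. End option parsing explicitly: `notify-send -i ${icon} -- "[$topic] $title" "$message"`. Notification daemons that render markup will also interpret tags in the body, so a short comment noting that the text is untrusted display content would help the next reader.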
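--- /dev/null
+++ b/system/dev/public/dn/yubikey.nix
@@ -0,0 +1,18 @@
+{
+config,
+...
+}:
+let
+inherit (config.systemConf) username;
+in
+{
+sops.secrets."u2f_keys" = {
+sopsFile = ../../public/sops/dn-secret.yaml;
+owner = username;
+};
+
+systemd.tmpfiles.rules = [
+"d /home/${username}/.config/Yubico - ${username} - - -"
+"L /home/${username}/.config/Yubico/u2f_keys - - - - ${config.sops.secrets."u2f_keys".path}"
+];
+}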
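Review bot: The `u2f_keys` secret is owned by `${username}` and linked into `~/.config/Yubico/u2f_keys`, so the account the key is meant to protect also controls the list of accepted authenticators. If pam_u2f gates sudo or login on this host, a process running as that user may be able to alter the mapping; keeping the secret root-owned and pointing pam_u2f's `authfile` argument at `config.sops.secrets."u2f_keys".path` avoids that. The first tmpfiles rule sets the directory owner but leaves mode and group at their defaults (`-`); an explicit `0700` would make the intent clear.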
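--- a/system/dev/public/sops/dn-secret.yaml
+++ b/system/dev/public/sops/dn-secret.yaml
@@ -0,0 +1,35 @@
+ntfy: ENC[AES256_GCM,data:7m7hwmDWu6qP/mX7QujXPiDAmRC542CKyWzFaOL5sHza,iv:nn1F44LSFmrV2USRDD0z8CNfUhi40LZnvoU3j0nklcU=,tag:WhqQpThDaG10kNTk1tZxOQ==,type:str]
+u2f_keys: ENC[AES256_GCM,data:boiKENOBo4hBWx9d+KVweCQrmFasDVUejuWrw60oPybPEW0pqTWz5GhQjfG6J0PWNFr/ObABT5eofKiSoy/pZ9uBQQGFO1nAA41axhI1Y9nuyBkkrNPYRnZsojdOcahNGMz1hplXTMzSdKgwutzA4/dsGG1ki/EOiuYRUgzQ/IzjEfqWGeBDlHoq9ohhTFFpsdNgZqgu23m3+Z0hcpquJdY3bhBi0L1nU3B88wJ7MiLyp2mVM3GA7i8jeIUmwqJCEuA3OkG3r3oUHO/l61N+0qtss8bmghf6bsJYtvkhCjXOiEE9R8dpCzjwXEhgAGcYiqiPWzLCl3WyYaytNlVJF/MHC+R0S1ruBV0RLrzCnvxaav8iqa4l3y2ErRB0qUgvO386suGNh2cEYTEEKF4GcQM6mzXbLzUqK4H+nGBC3SdArdphTIgWXP7C+romXzwgGVBLWW/4atRkj0ZF,iv:Rxke3HDAvcLv9sks5jDhNsfxXwSD4TgfGoN7v9HDntk=,tag:IkCsaFVPdgobd9+EX3CwIw==,type:str]
+sops:
+age:
+- recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4L0FPWGRWeVp5SEp2eUpr
+b1dvaWFBdHBmeEh5cE9Yd2FXV0lZYWNSZGowClJYRXRjdXNKTFNzTXdObXJZbXYr
+Y1F3ajJNRXhwbzRwMEphTFl0aUhvODgKLS0tIDFrZTN0NWdYU1Bvc0k4NVdWVVUw
+Q0xOT1JDNDdGWkR1a1FCc0U4YjBCVEUKR+EaZ39bDJWbJdbUey1EmQnJI+bTZ/PN
+7o1Dn+qqUtUATeNL8a2KuXAiJ8nVqjQGVvL5DLNrqmsgIxJMoRMH6g==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1z6f643a6vqm7cqh6fna5dhmxfkgwxgqy8kg9s0vf9uxhaswtngtspmqsjw
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiUHlhYXZkdlBPNkV4UDh6
+aDk1aGFBbThZb3RZV0hJMDY0cW56dDN3L0Z3Ck15Smo2cXBFNUZNeWo1d2h2WHNk
+Qk1FbmFwTEhGK1UzSWF4c1d0YnFFTVkKLS0tIC9HVEczcDQzclhRZVVQNU5tOEh6
+WEE0aDRZaE1BQWVKWnpjamQrV3lwUmcKnFWVVNdgfNPgHMiL96568YjckHn4+GYJ
+Bt5/n9n9YkxZ22AgFyxjzDczDf9dXDmAPpP2PNlIlw+VaEhhUGWw+A==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age17rjcght2y5p4ryr76ysnxpy2wff62sml7pyc5udcts48985j05vqpwdfq2
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWY3kydFo1V05HbTBWaUtq
+emZvdm1rVEx2RWxuTGdidjdrMGNmMjZldVFnCmcxS0E3V1RpcGdsZldKLzdhKzIy
+eXJQbDJUeW1Va0FLcTBvcllkdGlTUWMKLS0tIEJPR2k2cHAvNXVQZHJNSmhYU3gz
+QWV3VjRjNC9RaXNwbDdLWmVQNS94UzAKeLZSqcXRwkVoUUKd4PuRusbJwFlubdJy
+kcxGMzvfT0BMYDp61vV+F5Vh4TkgddCzp6Lphbb/6orkWWpjmE9I4g==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2025-11-21T12:34:46Z"
+mac: ENC[AES256_GCM,data:jec/S+h3feoez+1OaWkZHAlSNhsLv8R4yXPIFjVUaYionJKMUAAizLtVsmpVHNRn8OCBhb7zi+Yk4GClZQqg/I8iTY3tzDTIJJsHoj+KsxuQohRASDikaYLTfdad44vin8ayxSKjSScK3JpwX5B12Rffx8DCPqUtXY0TGa0ULoQ=,iv:R1YiVCx3WDZO4b2d9TbdTnWmVmG4MQye4TUWWdIa4Yk=,tag:ACZoECWIqDRITghc8KwUsA==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.11.0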
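--- a/system/dev/public/sops/secret.yaml
+++ b/system/dev/public/sops/secret.yaml
@@ -0,0 +1,43 @@
+ntfy: ENC[AES256_GCM,data:TIbbEDjzQOnFKtxVYCFJZNDoKD3IJT7a3fZusC0CNkE6,iv:c5+HExq2flbY6f9mlWK6PtYJigWFG7w1hzFxRiOnjw8=,tag:6fCCfA9n3oOKIoEzKmIkqg==,type:str]
+sops:
+age:
+- recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbHlQZW9YL1pVdS9ldmUw
+Y1pEMlBOS2JFbnlFTmFOYk9KVWxFMG1EdFY0CmdlY2pqWnVUM3dNWm5NWkg0Q01W
+MlJRQWlFb3dtRG4zMDFGWVpWYzJ5Z2cKLS0tIG1rUnl4cU9rMDdLOVJMZ3ZVYldu
+MWtQTFIxWDBYWDIrSmhMQXNpUUcrL2MK7ML57L+Wx9ET14VcSl36jBYj/ITQp5CS
+txIVmUtD34emknZ84iJK5XakExJu6v/yFSlph+TFtm/dQG+6Dah9mg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1z6f643a6vqm7cqh6fna5dhmxfkgwxgqy8kg9s0vf9uxhaswtngtspmqsjw
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhT3hIeUs1aFBvcEpKZjla
+MWk1UndPS25FYS9UTy91alAxbzlMY253T0NJCmxZZHphM1VoQUVubUNZNW5jTnpp
+T0pDN3NHRzZaaFFwb09HdzF4WnhhQ0kKLS0tIGNEZmtEY29tV0J3OWg5QTJUcWJ5
+Z2lUUFZiaUdMSGNueGdMTmgyYXFXZWMKCZKSXjNUYPMQb57njPyojUIy+pFb5wdx
+kpZRL6E1ymHUdqKv+Y4LjKJl5MndzFc5WX1bgCXNX6Ql2EWfnDyy7w==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1ar5h06qv72pduau043r04kschwcq0x0lm33wqvxzdh9grmp3cq3sy0ngnz
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxOC9Hem9BQmY0T1VyZjIw
+cUlkVE1iUC9nM21pSG5WcFRJWjhreWQvMWxnCitET0pDZFlUM3FjV25yNmNVRXBl
+azR6TFEvbmJ5aWJZQWxIdyt4SFFBT1EKLS0tIEdLVmZhSXZCREl6WWJvbmp5OUs3
+bHl2SjdmK2hHNXRvZ3lsdEkyRkk4YmsK3jkBYtIm42Rr3elD8I1AGnyv3A6lZ57M
+6Z7anUS5SlYr2HdHVtQobJeDG8F38kfbWBZQMCDKWayJXy6XAKJAjw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age17rjcght2y5p4ryr76ysnxpy2wff62sml7pyc5udcts48985j05vqpwdfq2
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybVBTV3RoYm1yOTgvZXpS
+S0lYcHpuMVBrcDF0bm5ZUSt3NHV3T2p2V2lZCnQ5MVo0VW96TEx1NE91ZlJaUzVT
+RlhoVWV2QmZsQzUzaThFQytGdzJxaFUKLS0tIEJ3cmV4eVlEZFNVcEFaVzVRQWpD
+NnByZmhLdHdIYW1HSTFya0IxZWZseUEKXypAIQLljSCj8pF/29LrlFE3zU3cQ+4t
+krG89BjB8zXwGdoEbT9OqDfV6R8+TpMo+BsDu/4svbUbXEJvSq8+Yg==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2025-11-21T12:34:48Z"
+mac: ENC[AES256_GCM,data:UmW1iNQEkZmHyt4X8HNtRreCvNiLu/f9wweomWZPSjDQgeIKq8OYy9cWW3gcRQ1/mCLBoZb7GYXF5KDmrzNNah6MdZ3nAl+GXDhoLjSEzqgnVBPaG26zMixNms+QH8u4YxF7tujk35vWYEqiDyUGCRfQSKxXM/nYrEGHJDUrZiI=,iv:5cJ/iGu7OPH0dKP5MkjseUv+l63mlGz856aSyJwNn/o=,tag:NiiYDb1fRKNTFOfTG//eMA==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.11.0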
|
|
@ -8,8 +8,6 @@ let
|
|||
inherit (config.systemConf) username;
|
||||
inherit (lib) mkForce optionalString;
|
||||
|
||||
geVersion = "10-15";
|
||||
|
||||
memeSelector = pkgs.callPackage ../../../../home/scripts/memeSelector.nix {
|
||||
url = "https://nextcloud.net.dn/public.php/dav/files/pygHoPB5LxDZbeY/";
|
||||
};
|
||||
|
|
@ -97,22 +95,6 @@ in
|
|||
];
|
||||
})
|
||||
];
|
||||
|
||||
home.file = {
|
||||
# Proton GE
|
||||
".steam/root/compatibilitytools.d/GE-Proton${geVersion}" = {
|
||||
source = fetchTarball {
|
||||
url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton${geVersion}/GE-Proton${geVersion}.tar.gz";
|
||||
sha256 = "sha256:0iv7vak4a42b5m772gqr6wnarswib6dmybfcdjn3snvwxcb6hbsm";
|
||||
};
|
||||
};
|
||||
".steam/root/compatibilitytools.d/CachyOS-Proton10-0_v3" = {
|
||||
source = fetchTarball {
|
||||
url = "https://github.com/CachyOS/proton-cachyos/releases/download/cachyos-10.0-20250714-slr/proton-cachyos-10.0-20250714-slr-x86_64_v3.tar.xz";
|
||||
sha256 = "sha256:0hp22hkfv3f1p75im3xpif0pmixkq2i3hq3dhllzr2r7l1qx16iz";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||