diff --git a/flake.lock b/flake.lock index 8bad34c..d125474 100644 --- a/flake.lock +++ b/flake.lock @@ -21,27 +21,6 @@ "type": "github" } }, - "actual-budget-server": { - "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1762440797, - "narHash": "sha256-Gl9i+siUDwjAdJ7zUurThP6XhtxV58xVgS0ztsLh7bI=", - "owner": "dachxy", - "repo": "actual-budget-flake", - "rev": "721d97809077c90d895cadbe2002e20e60d182af", - "type": "github" - }, - "original": { - "owner": "dachxy", - "repo": "actual-budget-flake", - "type": "github" - } - }, "aquamarine": { "inputs": { "hyprutils": [ @@ -62,11 +41,11 @@ ] }, "locked": { - "lastModified": 1764370710, - "narHash": "sha256-7iZklFmziy6Vn5ZFy9mvTSuFopp3kJNuPxL5QAvtmFQ=", + "lastModified": 1767024902, + "narHash": "sha256-sMdk6QkMDhIOnvULXKUM8WW8iyi551SWw2i6KQHbrrU=", "owner": "hyprwm", "repo": "aquamarine", - "rev": "561ae7fbe1ca15dfd908262ec815bf21a13eef63", + "rev": "b8a0c5ba5a9fbd2c660be7dd98bdde0ff3798556", "type": "github" }, "original": { @@ -234,29 +213,6 @@ "type": "github" } }, - "chaotic": { - "inputs": { - "flake-schemas": "flake-schemas", - "home-manager": "home-manager", - "jovian": "jovian", - "nixpkgs": "nixpkgs_2", - "rust-overlay": "rust-overlay_2" - }, - "locked": { - "lastModified": 1764847736, - "narHash": "sha256-FMYnfCH2TMNnTJvbc/mraZpRszIL7nc5YI6w/pWNyNs=", - "owner": "chaotic-cx", - "repo": "nyx", - "rev": "e3f8349d60d5daf58951b9ccd089fecb79ea5443", - "type": "github" - }, - "original": { - "owner": "chaotic-cx", - "ref": "nyxpkgs-unstable", - "repo": "nyx", - "type": "github" - } - }, "crane": { "locked": { "lastModified": 1751562746, 
@@ -274,11 +230,11 @@ }, "crane_2": { "locked": { - "lastModified": 1731098351, - "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=", + "lastModified": 1765145449, + "narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=", "owner": "ipetkov", "repo": "crane", - "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28", + "rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5", "type": "github" }, "original": { @@ -374,15 +330,15 @@ "flake-compat_4": { "flake": false, "locked": { - "lastModified": 1761588595, - "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", - "owner": "edolstra", + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", + "owner": "NixOS", "repo": "flake-compat", - "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", "type": "github" }, "original": { - "owner": "edolstra", + "owner": "NixOS", "repo": "flake-compat", "type": "github" } @@ -390,11 +346,11 @@ "flake-compat_5": { "flake": false, "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "lastModified": 1761588595, + "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", "owner": "edolstra", "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", "type": "github" }, "original": { @@ -457,27 +413,6 @@ } }, "flake-parts_2": { - "inputs": { - "nixpkgs-lib": [ - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730504689, - "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "506278e768c2a08bec68eb62932193e341f55c90", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "neovim-nightly-overlay", 
@@ -498,7 +433,7 @@ "type": "github" } }, - "flake-parts_4": { + "flake-parts_3": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, @@ -516,7 +451,7 @@ "type": "github" } }, - "flake-parts_5": { + "flake-parts_4": { "inputs": { "nixpkgs-lib": [ "nvf", @@ -537,7 +472,7 @@ "type": "github" } }, - "flake-parts_6": { + "flake-parts_5": { "inputs": { "nixpkgs-lib": [ "stylix", @@ -573,20 +508,6 @@ "type": "github" } }, - "flake-schemas": { - "locked": { - "lastModified": 1721999734, - "narHash": "sha256-G5CxYeJVm4lcEtaO87LKzOsVnWeTcHGKbKxNamNWgOw=", - "rev": "0a5c42297d870156d9c57d8f99e476b738dcd982", - "revCount": 75, - "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/flake-schemas/0.1.5/0190ef2f-61e0-794b-ba14-e82f225e55e6/source.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%3D0.1.5.tar.gz" - } - }, "flake-utils": { "inputs": { "systems": "systems" @@ -625,7 +546,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1731533236, @@ -661,7 +582,10 @@ }, "flake-utils_5": { "inputs": { - "systems": "systems_6" + "systems": [ + "niri-nfsm", + "systems" + ] }, "locked": { "lastModified": 1731533236, @@ -679,10 +603,7 @@ }, "flake-utils_6": { "inputs": { - "systems": [ - "niri-nfsm", - "systems" - ] + "systems": "systems_7" }, "locked": { "lastModified": 1731533236, @@ -718,25 +639,7 @@ }, "flake-utils_8": { "inputs": { - "systems": "systems_9" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_9": { - "inputs": { - "systems": "systems_12" + "systems": "systems_11" }, "locked": { "lastModified": 1731533236, 
@@ -771,8 +674,8 @@ "ghostty": { "inputs": { "flake-compat": "flake-compat_3", - "flake-utils": "flake-utils_3", - "nixpkgs": "nixpkgs_3", + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs_2", "zig": "zig", "zon2nix": "zon2nix" }, @@ -816,7 +719,7 @@ "inputs": { "nixpkgs": [ "lanzaboote", - "pre-commit-hooks-nix", + "pre-commit", "nixpkgs" ] }, @@ -854,27 +757,6 @@ } }, "home-manager": { - "inputs": { - "nixpkgs": [ - "chaotic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1764788330, - "narHash": "sha256-hE/gXK+Z0j654T0tsW+KcndRqsgZXe8HyWchjBJgQpw=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "fca4cba863e76c26cfe48e5903c2ff4bac2b2d5d", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -939,11 +821,11 @@ ] }, "locked": { - "lastModified": 1763733840, - "narHash": "sha256-JnET78yl5RvpGuDQy3rCycOCkiKoLr5DN1fPhRNNMco=", + "lastModified": 1766946335, + "narHash": "sha256-MRD+Jr2bY11MzNDfenENhiK6pvN+nHygxdHoHbZ1HtE=", "owner": "hyprwm", "repo": "hyprgraphics", - "rev": "8f1bec691b2d198c60cccabca7a94add2df4ed1a", + "rev": "4af02a3925b454deb1c36603843da528b67ded6c", "type": "github" }, "original": { @@ -963,17 +845,17 @@ "hyprutils": "hyprutils", "hyprwayland-scanner": "hyprwayland-scanner", "hyprwire": "hyprwire", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_4", "pre-commit-hooks": "pre-commit-hooks", - "systems": "systems_4", + "systems": "systems_3", "xdph": "xdph" }, "locked": { - "lastModified": 1764982118, - "narHash": "sha256-7Ofsbs4eJFyKUhm+PVv2QwTU77SQTmZ5X7yBPqArtR4=", + "lastModified": 1767812022, + "narHash": "sha256-BHBiQhlNl+Lxvp/bBOOTWhxbXYMoVG4xiyv9DE/nuZ4=", "owner": "hyprwm", "repo": "Hyprland", - "rev": "cedadf4fdc63e04ab41cab00c0417ba248ce748e", + "rev": "918e2bb9be0e1d233f9394f1d569137788c43c01", "type": "github" }, "original": { 
@@ -1015,11 +897,11 @@ ] }, "locked": { - "lastModified": 1764616927, - "narHash": "sha256-wRT0MKkpPo11ijSX3KeMN+EQWnpSeUlRtyF3pFLtlRU=", + "lastModified": 1767023960, + "narHash": "sha256-R2HgtVS1G3KSIKAQ77aOZ+Q0HituOmPgXW9nBNkpp3Q=", "owner": "hyprwm", "repo": "hyprland-guiutils", - "rev": "25cedbfdc5b3ea391d8307c9a5bea315e5df3c52", + "rev": "c2e906261142f5dd1ee0bfc44abba23e2754c660", "type": "github" }, "original": { @@ -1070,11 +952,11 @@ ] }, "locked": { - "lastModified": 1759610243, - "narHash": "sha256-+KEVnKBe8wz+a6dTLq8YDcF3UrhQElwsYJaVaHXJtoI=", + "lastModified": 1765214753, + "narHash": "sha256-P9zdGXOzToJJgu5sVjv7oeOGPIIwrd9hAUAP3PsmBBs=", "owner": "hyprwm", "repo": "hyprland-protocols", - "rev": "bd153e76f751f150a09328dbdeb5e4fab9d23622", + "rev": "3f3860b869014c00e8b9e0528c7b4ddc335c21ab", "type": "github" }, "original": { @@ -1176,11 +1058,11 @@ ] }, "locked": { - "lastModified": 1764637132, - "narHash": "sha256-vSyiKCzSY48kA3v39GFu6qgRfigjKCU/9k1KTK475gg=", + "lastModified": 1766253372, + "narHash": "sha256-1+p4Kw8HdtMoFSmJtfdwjxM4bPxDK9yg27SlvUMpzWA=", "owner": "hyprwm", "repo": "hyprutils", - "rev": "2f2413801beee37303913fc3c964bbe92252a963", + "rev": "51a4f93ce8572e7b12b7284eb9e6e8ebf16b4be9", "type": "github" }, "original": { @@ -1230,11 +1112,11 @@ ] }, "locked": { - "lastModified": 1764773840, - "narHash": "sha256-9UcCdwe7vPgEcJJ64JseBQL0ZJZoxp/2iFuvfRI+9zk=", + "lastModified": 1767473322, + "narHash": "sha256-RGOeG+wQHeJ6BKcsSB8r0ZU77g9mDvoQzoTKj2dFHwA=", "owner": "hyprwm", "repo": "hyprwire", - "rev": "3f1997d6aeced318fb141810fded2255da811293", + "rev": "d5e7d6b49fe780353c1cf9a1cf39fa8970bd9d11", "type": "github" }, "original": { 
@@ -1243,57 +1125,33 @@ "type": "github" } }, - "jovian": { - "inputs": { - "nix-github-actions": "nix-github-actions_2", - "nixpkgs": [ - "chaotic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1764746434, - "narHash": "sha256-6ymFuw+Z1C90ezf8H0BP3c2JFZhJYwMq31px2StwWHU=", - "owner": "Jovian-Experiments", - "repo": "Jovian-NixOS", - "rev": "b4c0b604148adacf119b89824ed26df8926ce42c", - "type": "github" - }, - "original": { - "owner": "Jovian-Experiments", - "repo": "Jovian-NixOS", - "type": "github" - } - }, "lanzaboote": { "inputs": { "crane": "crane_2", - "flake-compat": "flake-compat_5", - "flake-parts": "flake-parts_2", "nixpkgs": [ "nixpkgs" ], - "pre-commit-hooks-nix": "pre-commit-hooks-nix", - "rust-overlay": "rust-overlay_3" + "pre-commit": "pre-commit", + "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1737639419, - "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=", + "lastModified": 1765382359, + "narHash": "sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e", + "rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607", "type": "github" }, "original": { "owner": "nix-community", - "ref": "v0.4.2", + "ref": "v1.0.0", "repo": "lanzaboote", "type": "github" } }, "mail-ntfy-server": { "inputs": { - "flake-utils": "flake-utils_4", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ] @@ -1319,11 +1177,11 @@ ] }, "locked": { - "lastModified": 1763876586, - "narHash": "sha256-bQ5KRepEVyvF81AlaLxn4IdFfzZJzBq221ix2Zmjtz4=", + "lastModified": 1767713191, + "narHash": "sha256-aVkBzGQjr7yApCQ9SzxCy2wm9vISb0pY1FBSLvyn3v8=", "owner": "dachxy", "repo": "nix-mail-server", - "rev": "238e340ef58db602892e8cde114576612055520c", + "rev": "081438f6f3f5b706cd0b1fd8917017e68cdd68d4", "type": "github" }, "original": { 
@@ -1350,7 +1208,7 @@ }, "microvm": { "inputs": { - "flake-utils": "flake-utils_5", + "flake-utils": "flake-utils_4", "nixpkgs": [ "nixpkgs" ], @@ -1385,11 +1243,32 @@ "type": "github" } }, + "ndg": { + "inputs": { + "nixpkgs": [ + "nvf", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1765720983, + "narHash": "sha256-tWtukpABmux6EC/FuCJEgA1kmRjcRPtED44N+GGPq+4=", + "owner": "feel-co", + "repo": "ndg", + "rev": "f399ace8bb8e1f705dd8942b24d207aa4d75c936", + "type": "github" + }, + "original": { + "owner": "feel-co", + "repo": "ndg", + "type": "github" + } + }, "neovim-nightly-overlay": { "inputs": { - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_2", "neovim-src": "neovim-src", - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1764979571, @@ -1428,7 +1307,7 @@ "nixpkgs": [ "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable_3", + "nixpkgs-stable": "nixpkgs-stable_2", "xwayland-satellite-stable": "xwayland-satellite-stable", "xwayland-satellite-unstable": "xwayland-satellite-unstable" }, @@ -1448,11 +1327,11 @@ }, "niri-nfsm": { "inputs": { - "flake-utils": "flake-utils_6", + "flake-utils": "flake-utils_5", "nixpkgs": [ "nixpkgs" ], - "systems": "systems_7" + "systems": "systems_6" }, "locked": { "lastModified": 1764588231, @@ -1523,29 +1402,6 @@ "type": "github" } }, - "nix-github-actions_2": { - "inputs": { - "nixpkgs": [ - "chaotic", - "jovian", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729697500, - "narHash": "sha256-VFTWrbzDlZyFHHb1AlKRiD/qqCJIripXKiCSFS8fAOY=", - "owner": "zhaofengli", - "repo": "nix-github-actions", - "rev": "e418aeb728b6aa5ca8c5c71974e7159c2df1d8cf", - "type": "github" - }, - "original": { - "owner": "zhaofengli", - "ref": "matrix-name", - "repo": "nix-github-actions", - "type": "github" - } - }, "nix-index-database": { "inputs": { "nixpkgs": [ 
@@ -1569,7 +1425,7 @@ "nix-minecraft": { "inputs": { "flake-compat": "flake-compat_6", - "flake-utils": "flake-utils_7", + "flake-utils": "flake-utils_6", "nixpkgs": [ "nixpkgs" ] @@ -1590,8 +1446,8 @@ }, "nix-search-tv": { "inputs": { - "flake-utils": "flake-utils_8", - "nixpkgs": "nixpkgs_7" + "flake-utils": "flake-utils_7", + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1763912269, @@ -1629,7 +1485,7 @@ }, "nixd": { "inputs": { - "flake-parts": "flake-parts_4", + "flake-parts": "flake-parts_3", "flake-root": "flake-root", "nixpkgs": [ "nixpkgs" @@ -1695,22 +1551,6 @@ } }, "nixpkgs-stable_2": { - "locked": { - "lastModified": 1730741070, - "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_3": { "locked": { "lastModified": 1764831616, "narHash": "sha256-OtzF5wBvO0jgW1WW1rQU9cMGx7zuvkF7CAVJ1ypzkxA=", @@ -1726,39 +1566,7 @@ "type": "github" } }, - "nixpkgs_10": { - "locked": { - "lastModified": 1763806073, - "narHash": "sha256-FHsEKDvfWpzdADWj99z7vBk4D716Ujdyveo5+A048aI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "878e468e02bfabeda08c79250f7ad583037f2227", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_2": { - "locked": { - "lastModified": 1764667669, - "narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "418468ac9527e799809c900eda37cbff999199b6", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { "locked": { "lastModified": 1764947035, "narHash": "sha256-3PmKrux+ApKEM4IMRNAKeuWicwgRiRcprSuEnsbhVe4=", 
@@ -1771,7 +1579,7 @@ "url": "https://channels.nixos.org/nixpkgs-unstable/nixexprs.tar.xz" } }, - "nixpkgs_4": { + "nixpkgs_3": { "locked": { "lastModified": 1758360447, "narHash": "sha256-XDY3A83bclygHDtesRoaRTafUd80Q30D/Daf9KSG6bs=", @@ -1784,13 +1592,13 @@ "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz" } }, - "nixpkgs_5": { + "nixpkgs_4": { "locked": { - "lastModified": 1764517877, - "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=", + "lastModified": 1767379071, + "narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c", + "rev": "fb7944c166a3b630f177938e478f0378e64ce108", "type": "github" }, "original": { @@ -1800,7 +1608,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_5": { "locked": { "lastModified": 1764915887, "narHash": "sha256-CeBCJ9BMsuzVgn8GVfuSRZ6xeau7szzG0Xn6O/OxP9M=", @@ -1816,7 +1624,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_6": { "locked": { "lastModified": 1757584362, "narHash": "sha256-XeTX/w16rUNUNBsfaOVCDoMMa7Xu7KvIMT7tn1zIEcg=", @@ -1832,13 +1640,13 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_7": { "locked": { - "lastModified": 1764947035, - "narHash": "sha256-EYHSjVM4Ox4lvCXUMiKKs2vETUSL5mx+J2FfutM7T9w=", + "lastModified": 1767364772, + "narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a672be65651c80d3f592a89b3945466584a22069", + "rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa", "type": "github" }, "original": { @@ -1848,7 +1656,7 @@ "type": "github" } }, - "nixpkgs_9": { + "nixpkgs_8": { "locked": { "lastModified": 1764445028, "narHash": "sha256-ik6H/0Zl+qHYDKTXFPpzuVHSZE+uvVz2XQuQd1IVXzo=", 
@@ -1864,6 +1672,22 @@ "type": "github" } }, + "nixpkgs_9": { + "locked": { + "lastModified": 1763806073, + "narHash": "sha256-FHsEKDvfWpzdADWj99z7vBk4D716Ujdyveo5+A048aI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "878e468e02bfabeda08c79250f7ad583037f2227", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "noctalia": { "inputs": { "nixpkgs": [ @@ -1912,27 +1736,51 @@ "nvf": { "inputs": { "flake-compat": "flake-compat_7", - "flake-parts": "flake-parts_5", + "flake-parts": "flake-parts_4", "mnw": "mnw", + "ndg": "ndg", "nixpkgs": [ "nixpkgs" ], - "systems": "systems_10" + "systems": "systems_9" }, "locked": { - "lastModified": 1764904740, - "narHash": "sha256-TzqXUQlESmS5XGJ3tR1/xdoU0vySyp6YUUpmGF5F0kY=", - "owner": "NotAShelf", + "lastModified": 1767369300, + "narHash": "sha256-QV+tdP2bS+PJBcp4YHhqpMTzcxsxGaS/d6cKMCJ4PnA=", + "owner": "notashelf", "repo": "nvf", - "rev": "249cabe0c5392c384c82fa9d28d3f49fbeb04266", + "rev": "9c75c2a199af39fc95fb203636ce97d070ca3973", "type": "github" }, "original": { - "owner": "NotAShelf", + "owner": "notashelf", "repo": "nvf", "type": "github" } }, + "pre-commit": { + "inputs": { + "flake-compat": "flake-compat_5", + "gitignore": "gitignore_2", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1765016596, + "narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat_4", 
@@ -1943,11 +1791,11 @@ ] }, "locked": { - "lastModified": 1763988335, - "narHash": "sha256-QlcnByMc8KBjpU37rbq5iP7Cp97HvjRP0ucfdh+M4Qc=", + "lastModified": 1767281941, + "narHash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "50b9238891e388c9fdc6a5c49e49c42533a1b5ce", + "rev": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa", "type": "github" }, "original": { @@ -1956,33 +1804,6 @@ "type": "github" } }, - "pre-commit-hooks-nix": { - "inputs": { - "flake-compat": [ - "lanzaboote", - "flake-compat" - ], - "gitignore": "gitignore_2", - "nixpkgs": [ - "lanzaboote", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_2" - }, - "locked": { - "lastModified": 1731363552, - "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, "quickshell": { "inputs": { "nixpkgs": [ @@ -2007,14 +1828,12 @@ "root": { "inputs": { "actual-budget-api": "actual-budget-api", - "actual-budget-server": "actual-budget-server", "attic": "attic", "awww": "awww", "caelestia-shell": "caelestia-shell", - "chaotic": "chaotic", "disko": "disko", "ghostty": "ghostty", - "home-manager": "home-manager_2", + "home-manager": "home-manager", "hyprland": "hyprland", "hyprland-plugins": "hyprland-plugins", "lanzaboote": "lanzaboote", @@ -2030,10 +1849,10 @@ "nix-search-tv": "nix-search-tv", "nix-tmodloader": "nix-tmodloader", "nixd": "nixd", - "nixpkgs": "nixpkgs_8", + "nixpkgs": "nixpkgs_7", "noctalia": "noctalia", "nvf": "nvf", - "rust-overlay": "rust-overlay_4", + "rust-overlay": "rust-overlay_3", "sops-nix": "sops-nix", "stylix": "stylix", "yazi": "yazi", 
@@ -2064,16 +1883,16 @@ "rust-overlay_2": { "inputs": { "nixpkgs": [ - "chaotic", + "lanzaboote", "nixpkgs" ] }, "locked": { - "lastModified": 1764729618, - "narHash": "sha256-z4RA80HCWv2los1KD346c+PwNPzMl79qgl7bCVgz8X0=", + "lastModified": 1765075567, + "narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "52764074a85145d5001bf0aa30cb71936e9ad5b8", + "rev": "769156779b41e8787a46ca3d7d76443aaf68be6f", "type": "github" }, "original": { @@ -2083,27 +1902,6 @@ } }, "rust-overlay_3": { - "inputs": { - "nixpkgs": [ - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1731897198, - "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "rust-overlay_4": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -2123,7 +1921,7 @@ "type": "github" } }, - "rust-overlay_5": { + "rust-overlay_4": { "inputs": { "nixpkgs": [ "yazi", @@ -2146,7 +1944,7 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_8" }, "locked": { "lastModified": 1764483358, @@ -2185,13 +1983,13 @@ "base16-helix": "base16-helix", "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", - "flake-parts": "flake-parts_6", + "flake-parts": "flake-parts_5", "gnome-shell": "gnome-shell", "nixpkgs": [ "nixpkgs" ], "nur": "nur", - "systems": "systems_11", + "systems": "systems_10", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", 
@@ -2257,21 +2055,6 @@ "type": "github" } }, - "systems_12": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "systems_2": { "locked": { "lastModified": 1681028828, @@ -2288,21 +2071,6 @@ } }, "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_4": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", @@ -2317,6 +2085,21 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "systems_5": { "locked": { "lastModified": 1681028828, @@ -2333,21 +2116,6 @@ } }, "systems_6": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_7": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", 
@@ -2362,6 +2130,21 @@
         "type": "github"
       }
     },
+    "systems_7": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "systems_8": {
       "locked": {
         "lastModified": 1681028828,
@@ -2570,9 +2353,9 @@
     },
     "yazi": {
       "inputs": {
-        "flake-utils": "flake-utils_9",
-        "nixpkgs": "nixpkgs_10",
-        "rust-overlay": "rust-overlay_5"
+        "flake-utils": "flake-utils_8",
+        "nixpkgs": "nixpkgs_9",
+        "rust-overlay": "rust-overlay_4"
       },
       "locked": {
         "lastModified": 1764949583,
@@ -2642,7 +2425,7 @@
     },
     "zon2nix": {
       "inputs": {
-        "nixpkgs": "nixpkgs_4"
+        "nixpkgs": "nixpkgs_3"
       },
       "locked": {
         "lastModified": 1758405547,
diff --git a/flake.nix b/flake.nix
index 83334a2..5d43f62 100644
--- a/flake.nix
+++ b/flake.nix
@@ -41,7 +41,7 @@
     neovim-nightly-overlay.url = "github:nix-community/neovim-nightly-overlay";
 
     lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.4.2";
+      url = "github:nix-community/lanzaboote/v1.0.0";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -112,12 +112,6 @@
       inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
     };
 
-    actual-budget-server = {
-      url = "git+file:///home/danny/projects/actual-budget-flake";
-      # url = "github:dachxy/actual-budget-flake";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
     mail-server = {
       url = "github:dachxy/nix-mail-server";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -234,6 +228,7 @@
         inputs.attic.nixosModules.atticd
         inputs.mail-server.nixosModules.default
         inputs.niri.nixosModules.niri
+        inputs.lanzaboote.nixosModules.lanzaboote
         ./options
 
         # ==== Private Configuration ==== #
diff --git a/home/options/sunsetr.nix b/home/options/sunsetr.nix
index 7e608a8..583edd8 100644
--- a/home/options/sunsetr.nix
+++ b/home/options/sunsetr.nix
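Review bot: `inputs.lanzaboote.nixosModules.lanzaboote` is appended to what looks like the module list shared by every host in flake.nix, while only dn-pre7780 gains `../../modules/secure-boot.nix` in this diff; that is safe only if the imported module leaves `boot.lanzaboote.enable` off by default so the other hosts keep their current bootloader, and the enclosing list starts and ends outside this hunk so that cannot be confirmed here. The same commit moves the input from v0.4.2 to v1.0.0, a major bump, so `modules/secure-boot.nix` (not in this diff) should be checked against the 1.0.0 module's option names before the next rebuild of the secure-boot host. A short comment beside the new import, `# only takes effect on hosts that set boot.lanzaboote.enable (see modules/secure-boot.nix)`, would make that intent visible to the next reader.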
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 let
   inherit (lib)
     mkIf
@@ -11,7 +16,7 @@ in
 {
   options.services.sunsetr = {
     enable = mkEnableOption "Enable sunsetr.";
-    package = mkPackageOption "sunsetr";
+    package = mkPackageOption pkgs "sunsetr" { };
   };
 
   config = mkIf cfg.enable {
diff --git a/home/scripts/remoteRebuild.nix b/home/scripts/remoteRebuild.nix
index 453c073..1997f9e 100644
--- a/home/scripts/remoteRebuild.nix
+++ b/home/scripts/remoteRebuild.nix
@@ -13,11 +13,13 @@ let
     --sudo --ask-sudo-password $@'';
 in
 pkgs.writeShellScriptBin "rRebuild" ''
+  NOTIFY="''\${NOTIFY:-0}"
   TARGET=$1
   BUILD=$2
 
-  shift
-  shift
+  set -euo pipefail
+
+  shift 2
 
   ${
     if shouldNotify then
@@ -25,6 +27,11 @@ pkgs.writeShellScriptBin "rRebuild" ''
       export NTFY_TITLE="🎯 $TARGET built by 🏗️ ''\${BUILD:-${hostName}}"
       export NTFY_TAGS="gear"
 
+      if [ "$NOTIFY" -eq 0 ] ; then
+        ${rebuildCommand}
+        exit 0
+      fi
+
       if ${rebuildCommand}
       then
         ntfy pub system-build "✅ Build success" > /dev/null 2>&1
diff --git a/home/user/shell.nix b/home/user/shell.nix
index 6a5d54b..5b8f485 100644
--- a/home/user/shell.nix
+++ b/home/user/shell.nix
@@ -1,10 +1,12 @@
 {
+  lib,
   osConfig,
   config,
   pkgs,
   ...
 }:
 let
+  inherit (lib) mkForce;
   remoteRebuld = import ../scripts/remoteRebuild.nix { inherit osConfig config pkgs; };
 in
 {
diff --git a/system/dev/dn-lap/default.nix b/system/dev/dn-lap/default.nix
index 207514a..58754d9 100644
--- a/system/dev/dn-lap/default.nix
+++ b/system/dev/dn-lap/default.nix
@@ -23,6 +23,7 @@ in
     ./sops
     ./utility
     ./virtualisation
+    ./network
   ];
 
   users.users."${username}".openssh.authorizedKeys.keys = [
diff --git a/system/dev/dn-lap/network/default.nix b/system/dev/dn-lap/network/default.nix
new file mode 100644
index 0000000..3596983
--- /dev/null
+++ b/system/dev/dn-lap/network/default.nix
@@ -0,0 +1,5 @@
+{
+  imports = [
+    ../../../modules/netbird-client.nix
+  ];
+}
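Review bot: In remoteRebuild.nix `set -euo pipefail` is switched on only after `TARGET=$1` and `BUILD=$2` have already been read, so a call with fewer than two arguments is not caught by `-u`; it instead dies at the new `shift 2`, which fails under `-e` without any message. Move the `set -euo pipefail` line above `NOTIFY=` and add an explicit guard, `[ $# -ge 2 ] || { echo "usage: rRebuild TARGET BUILD [nixos-rebuild args...]" >&2; exit 64; }`, so the misuse is reported instead of silent. In the second hunk of the same file the gate `[ "$NOTIFY" -eq 0 ]` defaults to 0, which means the ntfy branch that follows is now skipped unless the caller exports NOTIFY=1; if that is intended, a comment next to the `NOTIFY=` line saying so would stop the next reader from assuming notifications are on. The `$@` in the rebuildCommand context line above the hunk is unquoted, so `"$@"` would keep arguments containing spaces intact once they are forwarded.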
diff --git a/system/dev/dn-lap/sops/secret.yaml b/system/dev/dn-lap/sops/secret.yaml
index a92f55e..89792fa 100644
--- a/system/dev/dn-lap/sops/secret.yaml
+++ b/system/dev/dn-lap/sops/secret.yaml
@@ -1,5 +1,7 @@
 wireguard:
     wg0.conf: ENC[AES256_GCM,data:9wegrw4ZbY+T/gNYi0gt4n6Db1/rRpsiqVbQr8QoYTwOiWBjKO2PGTTM5aK3khk5t2pYOTSqEBn5+5J/JYZpQ6nvJMcqn0+31KMuMT9/0akxOm112Tj31vOdBwRvSQVLBzmQtPABgMlV36lRtpVU71lwiNO4M33ygzL/tm7EMt0e75Nr9CZkGI7BGtnATBzbj3ysftsbFPF2iIgZ9fej4I78rJ1HavAsAgcrxksWAJjFZyFGWinkW4eiwDKlqBvRUW0tE8TF897ZmX90UnwXwjtyJcyJH6nzwrRDJgxR7uyRL/HIusmVZHCNSlo8dSaxAROXOw5ULjmQpXzzPAVUxw==,iv:FCv2ADYZXflBYuI9B9xvUSAYX8+v2Qf9EJjZ/TX27sA=,tag:caR4HS3yYrjNP1IzxgoOXA==,type:str]
+netbird:
+    wt0-setupKey: ENC[AES256_GCM,data:bj3w7lGMJ0ZPQpGF0nKuhPKNWb04xVr6wNqoFGNzPnEJ+Q+b,iv:0helVFJqu4TNFY6LTG7LpD3tqsArwJHWH2XnlpPKEZk=,tag:yGrExGSmliHXxKAHqiHK/g==,type:str]
 sops:
     age:
         - recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv
@@ -20,7 +22,7 @@ sops:
             V09NYXpBYXBtYWdBajJubmVFL2loY0EKJdYKQHPriOT0eouvRUiCyqLSTzugUZxl
             BFTwfCez1/K2ERKQkKsMfIARbHaI2SRyDxM2O1IJ+DOIJ2383K6Gvw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-19T12:39:58Z"
-    mac: ENC[AES256_GCM,data:tTvNyD6Lekc0RUIr9CpCjhWl2Gb9pHRubeoTrwceUCkm074EjYIzvqwiX5fzt6Cc5/H/k8NWJZBAoI3tOeCrXpo1Lbb0fCjGqxTldGN44pLR/5q9bdAxLom3EEqKiBBryVxqAkkm1a98UXPtnh+oDyaFsqTbS65LolEtFEbV/3U=,iv:J0gMlpWc9TVSCRxcdUnlXtNnmahvbc12EsLeFB4BJlY=,tag:h0EaNQ/sl+3sU9+g4ohjtw==,type:str]
+    lastmodified: "2026-01-06T08:39:04Z"
+    mac: ENC[AES256_GCM,data:xPMGZ7SUVih97hWeeARhoZVn4B8D/lNzLuxRRkQEG5PqdtXHwH9HVIHz6AG3Pc72aRKroGF0E2sidJU7WxIUde4IuoktecHq2e2e+tVLZWg50Y/keG7SMR5MamapCiYxK88a9vG4a8PYytSOFvF5DUUjKGkFJZOaelK+ydOPbek=,iv:lh+dwiBl26sEYpvXx6HtUwKs2Mz5F0hRKD4q2q1jlkI=,tag:+gDW5nRmBkjCryFTudyqMA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0
diff --git a/system/dev/dn-pre7780/common/boot.nix b/system/dev/dn-pre7780/common/boot.nix
index 12868d8..ccaf732 100644
--- a/system/dev/dn-pre7780/common/boot.nix
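Review bot: The new `netbird.wt0-setupKey` entry is only consumed if `modules/netbird-client.nix` declares a `sops.secrets."netbird/wt0-setupKey"` with a matching key path, and that module is not part of this diff, so the name should be verified on both sides before dn-lap is rebuilt. A NetBird setup key is an enrollment credential; now that it lives in a committed (encrypted) file, confirm it was issued as single-use or with a short expiry so the value in git cannot enroll additional peers after dn-lap has joined, and record that choice in a comment beside the entry, e.g. `# single-use enrollment key; rotate if dn-lap is re-enrolled`.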
+++ b/system/dev/dn-pre7780/common/boot.nix
@@ -3,7 +3,7 @@
   ...
 }:
 {
-  boot.kernelPackages = pkgs.linuxPackages_6_17;
+  boot.kernelPackages = pkgs.linuxPackages_latest;
 
   fileSystems."/mnt/ssd" = {
     device = "/dev/disk/by-label/DN-SSD";
@@ -19,6 +19,7 @@
       "uid=1000"
       "dmask=000"
       "fmask=000"
+      "exec"
     ];
   };
 
diff --git a/system/dev/dn-pre7780/default.nix b/system/dev/dn-pre7780/default.nix
index 2209948..880918e 100644
--- a/system/dev/dn-pre7780/default.nix
+++ b/system/dev/dn-pre7780/default.nix
@@ -44,6 +44,7 @@ in
     ../public/dn
     ../public/dn/ntfy.nix
     ./expr
+    ./network
     ./common
     ./games
     ./home
@@ -53,6 +54,7 @@ in
     ./virtualisation
     ../../modules/shells/noctalia
     ../../modules/sunshine.nix
+    ../../modules/secure-boot.nix
   ];
 
   # Live Sync D
diff --git a/system/dev/dn-pre7780/expr/default.nix b/system/dev/dn-pre7780/expr/default.nix
index c627d79..6f80563 100644
--- a/system/dev/dn-pre7780/expr/default.nix
+++ b/system/dev/dn-pre7780/expr/default.nix
@@ -1,6 +1,5 @@
 {
   imports = [
-    # ./netbird.nix
     # ./osx-kvm.nix
   ];
 }
diff --git a/system/dev/dn-pre7780/expr/netbird.nix b/system/dev/dn-pre7780/expr/netbird.nix
deleted file mode 100644
index cbe0647..0000000
--- a/system/dev/dn-pre7780/expr/netbird.nix
+++ /dev/null
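Review bot: Adding `"exec"` to the `/mnt/ssd` options alongside the existing `"fmask=000"` and `"dmask=000"` makes every file on that drive executable by every local user, because the zero masks leave all permission bits set and `exec` removes the only remaining restriction; the options list starts above this hunk, so if it carried `noexec` before, this later entry overrides it. If a few binaries on the drive genuinely need to run, keep the mount from becoming a broader foothold by listing `"exec" "nosuid" "nodev"` explicitly and tightening the file mask (for example `"fmask=0022"`) so only uid 1000 can change what gets executed. In the first hunk `linuxPackages_latest` replaces the pinned `linuxPackages_6_17`, so the kernel now floats with every nixpkgs update; a comment beside that line noting that no out-of-tree module in this host's config depends on a fixed kernel series would justify the unpinning.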
@@ -1,65 +0,0 @@ -{ - domain, - idpSecret, - dataStoreEncryptionKey, - coturnPassFile, - ... -}: -let - port = 51820; -in -{ - services.netbird = { - server = { - enable = true; - domain = "netbird.${domain}"; - enableNginx = true; - management = { - oidcConfigEndpoint = "https://keycloak.net.dn/realms/master/.well-known/openid-configuration"; - settings = { - DataStoreEncryptionKey = { - _secret = dataStoreEncryptionKey; - }; - TURNConfig = { - Secret = { - _secret = idpSecret; - }; - }; - IdpManagerConfig = { - ClientConfig = { - ClientID = "netbird-backend"; - ClientSecret = { - _secret = idpSecret; - }; - }; - }; - }; - }; - coturn = { - user = "netbird"; - passwordFile = coturnPassFile; - enable = true; - }; - dashboard.settings = { - USE_AUTH0 = false; - AUTH_AUTHORITY = "https://keycloak.net.dn/realms/master"; - AUTH_CLIENT_ID = "netbird"; - AUTH_AUDIENCE = "netbird"; - AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api"; - }; - }; - clients.default = { - inherit port; - openFirewall = true; - name = "netbird"; - interface = "wt0"; - hardened = true; - dns-resolver.address = "10.0.0.1"; - }; - }; - - services.nginx.virtualHosts."netbird.${domain}" = { - enableACME = true; - forceSSL = true; - }; -} diff --git a/system/dev/dn-pre7780/games/default.nix b/system/dev/dn-pre7780/games/default.nix index 30e6300..d11d1c4 100644 --- a/system/dev/dn-pre7780/games/default.nix +++ b/system/dev/dn-pre7780/games/default.nix @@ -1,6 +1,7 @@ { imports = [ ../../../modules/gaming.nix - ./game.nix + ./shadps4.nix + ./minecraft.nix ]; } diff --git a/system/dev/dn-pre7780/games/minecraft.nix b/system/dev/dn-pre7780/games/minecraft.nix new file mode 100644 index 0000000..f0123aa --- /dev/null +++ b/system/dev/dn-pre7780/games/minecraft.nix @@ -0,0 +1,12 @@ +{ pkgs, ... }: +{ + home-manager.sharedModules = [ + { + home.packages = with pkgs; [ + prismlauncher + lsfg-vk + lsfg-vk-ui + ]; + } + ]; +} 
diff --git a/system/dev/dn-pre7780/games/game.nix b/system/dev/dn-pre7780/games/shadps4.nix similarity index 100% rename from system/dev/dn-pre7780/games/game.nix rename to system/dev/dn-pre7780/games/shadps4.nix diff --git a/system/dev/dn-pre7780/network/default.nix b/system/dev/dn-pre7780/network/default.nix new file mode 100644 index 0000000..cff9313 --- /dev/null +++ b/system/dev/dn-pre7780/network/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ../../../modules/netbird-client.nix + # ../../../modules/wireguard.nix + ]; +} diff --git a/system/dev/dn-pre7780/services/default.nix b/system/dev/dn-pre7780/services/default.nix index ce667a6..df55e8e 100644 --- a/system/dev/dn-pre7780/services/default.nix +++ b/system/dev/dn-pre7780/services/default.nix @@ -3,8 +3,7 @@ ../../../modules/postgresql.nix # ./mail.nix ./nginx.nix - ./wireguard.nix + # ./pangolin.nix # ./nextcloud.nix - # ./netbird.nix ]; } diff --git a/system/dev/dn-pre7780/services/netbird.nix b/system/dev/dn-pre7780/services/netbird.nix deleted file mode 100644 index 589b265..0000000 --- a/system/dev/dn-pre7780/services/netbird.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, ... }: -{ - imports = [ - (import ../expr/netbird.nix { - domain = "pre7780.dn"; - coturnPassFile = config.sops.secrets."netbird/coturn/password".path; - idpSecret = config.sops.secrets."netbird/oidc/secret".path; - dataStoreEncryptionKey = config.sops.secrets."netbird/dataStoreKey".path; - }) - ]; -} diff --git a/system/dev/dn-pre7780/services/pangolin.nix b/system/dev/dn-pre7780/services/pangolin.nix new file mode 100644 index 0000000..b05fd85 --- /dev/null +++ b/system/dev/dn-pre7780/services/pangolin.nix 
@@ -0,0 +1,48 @@ +{ config, lib, ... }: +let + inherit (lib) mkForce; + secrets = config.sops.secrets; + domain = "net.dn"; +in +{ + sops.secrets = { + "pangolin/env" = { }; + "pangolin/traefik" = { + key = "acme/pdns"; + }; + }; + + services.pangolin = { + enable = true; + openFirewall = true; + dashboardDomain = "auth.${domain}"; + baseDomain = domain; + + environmentFile = secrets."pangolin/env".path; + letsEncryptEmail = "danny@net.dn"; + dnsProvider = "pdns"; + + settings = { + app = { + save_logs = true; + }; + domains = { + + }; + traefik.prefer_wildcard_cert = true; + }; + }; + + services.traefik = { + staticConfigOptions = { + certificatesResolvers.letsencrypt.acme = { + caServer = mkForce "https://ca.net.dn/acme/acme/directory"; + dnsChallenge = { + provider = "pdns"; + resolvers = [ "10.0.0.1:53" ]; + }; + }; + }; + environmentFiles = [ secrets."pangolin/traefik".path ]; + }; +} diff --git a/system/dev/dn-pre7780/services/wireguard.nix b/system/dev/dn-pre7780/services/wireguard.nix deleted file mode 100644 index b2e5388..0000000 --- a/system/dev/dn-pre7780/services/wireguard.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ - imports = [ - ../../../modules/wireguard.nix - ]; -} diff --git a/system/dev/dn-pre7780/sops/secret.yaml b/system/dev/dn-pre7780/sops/secret.yaml index c8203dd..9fa4e7c 100644 --- a/system/dev/dn-pre7780/sops/secret.yaml +++ b/system/dev/dn-pre7780/sops/secret.yaml 
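Review bot: `certificatesResolvers.letsencrypt.acme.caServer` is forced to the internal step-ca at `https://ca.net.dn/acme/acme/directory`, but nothing in this file makes Traefik/lego trust that CA's root, so the ACME directory fetch will fail TLS verification unless the step-ca root is already in the system bundle or is passed via `LEGO_CA_CERTIFICATES` in the `pangolin/traefik` environment file, neither of which the commit shows. A comment beside the `mkForce` would save the next reader a debugging session, e.g. `# internal step-ca ACME; lego must trust its root (LEGO_CA_CERTIFICATES or system CA bundle)`. Note also that `letsEncryptEmail` is now only the ACME account contact for step-ca, and that `./pangolin.nix` is left commented out in `services/default.nix`, so this file is not evaluated yet and the empty `settings.domains = { }` placeholder will need filling before it is.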
@@ -1,11 +1,12 @@ wireguard: wg0.conf: ENC[AES256_GCM,data:ozySeNEvkiLt9TGrZCrlJWKT5gcSlZ9T8AeXGO97SPgxI394eCQ/LOkVFl7AykhZvs7YkxMpZzAZxc0oNdTYuDlqfrNr0pqTUJmpX+5PVRmDb5z2MJvERktVkJ4LSvVodoYznDwT/y9q199AFKf3t4EoWuRyR/il6P8HuGVHXrKRYUrwuB4nuq1SIByY+8D2gzohFB/s6pSOPYy6/xCt0Nm+x0wmcdrlyOb0S+4WXlcou2ll98o9q2YDdVBKeW4jyUjFqXM2XzD0JXpAi9ZFlyzxyYNwa4oMYATyCBCH4BNHqe850QHEoCaOovioEdDH/tluB2X/891ixqzURypzbg==,iv:3Q5xOgGcg8/DIwHt4fHsQGtN8f2hGpVDtf47PcwW62I=,tag:SbJqhWi3+h1O5ZIOayDrUw==,type:str] +netbird: + wt0-setupKey: ENC[AES256_GCM,data:166VX+rgzxhar+GFKxA5d8G3/9ewISdv2hUSwvbggyyjwwvE,iv:w8p4gDP6U0ZONX59t2dnglTC9S2dW2TX5A4OoCzRuzM=,tag:zf3jvlERJtM+osBd4ZQjMA==,type:str] dovecot: openldap: ENC[AES256_GCM,data:U3YYreEqoh+F0Mrli52jgQowrUqIUPmdQps=,iv:vTjHBFsue+89GOCDigVIktgGSZNZv8A2e3GM80o6TXc=,tag:GGh+hsT+yV/I12meXxflbQ==,type:str] nextcloud: adminPassword: ENC[AES256_GCM,data:69NrA/iP0sfrkdv8ahv7I+ZY,iv:/TXTs0fZw64HELdGr5CzgToO2L2G2mCNdN4Zexz8p+o=,tag:p2hNTxv1xdYmEJ6ZAO3w3Q==,type:str] whiteboard: ENC[AES256_GCM,data:qcZOLX1qJyciKm+4uuOVIopZXG70Jg9Grc07SCjG5ww9DK0myzdqlfWeZKdTsOyTBLMyCE9K7lC5rtBFeSv3ZeqkAUXTQt9QiAN05+tTpHk=,iv:v6fgSz/eh8MZANSbLbeSrKVOdX09pHYZ599BK8Ug2Lo=,tag:JTezfqrInm82K3gB0zpniw==,type:str] - signaling.conf: ENC[AES256_GCM,data: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,iv:/xlMQoexPA9rXIlMd7bTQY1ojHuprBX/5quVSnNslvI=,tag:geAR+vPBmDB37/oSnnpqSA==,type:str] openldap: adminPassword: ENC[AES256_GCM,data:jEGuzgs5QTWfdyJenC3t3g==,iv:StfFOcvbDapnma6eAlpaGiBWnqiD3I/wfQsMBzufol0=,tag:892q7N4KrsSQoZYGy6CQrA==,type:str] lam: 
@@ -18,15 +19,13 @@ acme: pdns: ENC[AES256_GCM,data:eKnahc8HWboYCUpBuEUrdCMhN8A2N2VN0wrmzcyU2OfMeQaswIYSWV4sBzUbj/pono8PaVxK1FBKsn+Ycd4Y6tcxsAkbPfnPkOsbe0FJpz4t9RFLJBLw3U0YTE/TaURiDYipHnvPGYgyq3AziH/xa4WXZxLHGI0x+a/y3PpWy37rT87DWUT2kktPshdO7Mbwn7nSC78WByXmyaUMkT74Sc0FNmCgfijrHk/ATXGb,iv:y3eRZXFbqqf4VuuqHHYdIoiEa1zqRU1XIlEqooJ28lU=,tag:2bIALJFGZyIZT7fyo/y5Nw==,type:str] cloudflare: secret: ENC[AES256_GCM,data:Ktk7BtyjaDeOc4Okflz/ZBYpJ7Uy1SeEBV6ofWcToZsvCDT6aTVxGrAKEHIE/eknvnyWOFeSQv/z/Q==,iv:x2ymbLwa1E2FzdomISeyhchya5bowgieO/XuOnoi81w=,tag:Nj+1DRnbvcwiLiEeu2WaRQ==,type:str] -netbird: - oidc: - secret: ENC[AES256_GCM,data:hSVMUEBL0kCvRLD3zd57SLhNIAFOR4eaJPcIIIIUJng=,iv:VhfseftQNlXSDCWuaYQUIklMUCkUbChyWbJl3qgD75M=,tag:vbqov0VgA0XNZfzcr3FZgA==,type:str] - dataStoreKey: ENC[AES256_GCM,data:vV2wgo5qFS+DC1NmOjVddZW9HAsRMpUFH+t/70iQ3A5YXkhbWoCeSxZDyAg=,iv:tKqh28qj8gqHfcb44Ej731w6NKi29X4iEwIOQ4ZcCzA=,tag:ObAxVrUctm6pbmXSQw7j5w==,type:str] crowdsec: lapi.yaml: ENC[AES256_GCM,data:BpDlz/liFYVZTA66TMWDifGfT4R9l0W9/LOU33rrPVC4YKeFbB1gIxqkUOEDl8fxsou5Jx/MQivyz90lE8yxbcGV/Zzx4ZJaHN+jz6mfM6mADEWp/nUcfO9tECijOhPPYt/8aE3py38NlFZuafZ2CwdL7RmDX7YCjpiIYxXaIjSv61WPD1SLkOkusnoA7bJZ2xmJ/dfEMXEA4LCCOfGQ,iv:922rrz94pD3/R1kGlQyIFkoq/fRSyxaIQ5qllldQMCY=,tag:AAPlwiQP4KMzHZmcMH76AQ==,type:str] capi.yaml: ENC[AES256_GCM,data:UuBESeHfKEPSIzP7RPNES0BVWwJsmPqLP3QJbAeAcm6eQ3sRzUSrVxY8A2yoiLD2lnuJPy2BbYHJpBR7VSfs7oUCc7LljgAp1uB2GH1y8YE46xJLo0TDp873bZJdcsO00ozsbtmWlGWJm7HLrzIUEe0mAjBzZeXe1WDJByGeVqupNLwpXSMaos2ktHjXA6hTGAdE5iIxBAXI6qjldWjRnlqE,iv:hZ2nUaOipU7Top0vsn23yU0XWP9SKcoj85xFo5hD/mU=,tag:32E2o+FOJXM9aMnLQA6KYA==,type:str] consoleToken: ENC[AES256_GCM,data:Q6QWWwcvLd8+ddwPMBzyB+X4gh8I53qSLA==,iv:JD48L59nQYttglAfuKL/lNBzWgBfj01rkIeP8pqmo70=,tag:6cxsQViDGuzjScKkBuO4Bw==,type:str] rspamd: ENC[AES256_GCM,data:8DryYdMyhzBqwqcbYUQ=,iv:5w21u3xqshRSf8IJbG16/Gf6AC2Zw6VnI3MOchN+w8A=,tag:OiiYUDT69SZObgOh1qCL0g==,type:str] +pangolin: + env: 
ENC[AES256_GCM,data:f5Pq+DE9PeRyOKeygREuovlqOMhe/bmTOrBA7Px3Oq+pWG5kGwnxqDdP/PwawJAskQPC9LN+QP6hIPNrJbPyxtk87hoRMb/3X0ggOw==,iv:yqqQizPwf3EfCelczf/7piH9kYiAwGLTtassvQ8oXNs=,tag:UzVuKIS8WZNAHgpLkzc9XA==,type:str] sops: age: - recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv @@ -38,7 +37,7 @@ sops: MEdmWkFwNXZoR1ZVRnQ0aWlkYzZwSmsK0EFecUIdqlDKX08oRCoDQQ3QCX1wzb8w lghDJhWlfuKr+X24GoE4UK04aJVLqVMRRI4BJW+LQXeHS+dWKu3mQA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-19T12:39:37Z" - mac: ENC[AES256_GCM,data:JSwphdjAfZcLSuctzruwVjBQXhbQKnEda93KlrH8eoSJcFXBRCMz0v+HY2nBlrC9lwp9vgT3HnGmR6hIPi48UtyxYcGOJy33OY4M1it0WGE2r8Ikg++5cBUtacK4QdwuMCADhNT5ZHs5T7UUX0GMLeqAtrcJ3FKt+4+catsOvnE=,iv:7ZTi86IkbScizZlOCk+uXDyWzrFDsLRuLuzjUFsMFR0=,tag:3/i7BZ8XYALj7RYj4dIUgA==,type:str] + lastmodified: "2026-01-07T08:17:20Z" + mac: ENC[AES256_GCM,data:M9hBNU2KetaGEhJnYW10nWEWetFWs9c5gPN/0W6UIOsP2Y9E2d8J09Ary9O9z6TjjxqkS+H15SQfo6bjuc19jSwtdQ/scqy9nV1H0pOEHzWj8zG/bzC71WmwhZbx4+1cK83HYS9pJhzbO+5tbOK75GwJscXAhXKDzzNBmTW2Y3U=,iv:qozD5Z2uiI5vFApsRVkjiXLOPATs3VV0PDk5szX+mrc=,tag:WpM+Ab9U2q9GR0qvyMZO8w==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 diff --git a/system/dev/dn-pre7780/sops/sops-conf.nix b/system/dev/dn-pre7780/sops/sops-conf.nix index 34f5f60..a5a1df9 100644 --- a/system/dev/dn-pre7780/sops/sops-conf.nix +++ b/system/dev/dn-pre7780/sops/sops-conf.nix @@ -7,17 +7,6 @@ in secrets = { "lam/env" = { }; - "netbird/oidc/secret" = mkIf config.services.netbird.server.dashboard.enable { - owner = "netbird"; - }; - - "netbird/coturn/password" = mkIf config.services.netbird.server.coturn.enable { - owner = "turnserver"; - key = "netbird/oidc/secret"; - }; - "netbird/dataStoreKey" = mkIf config.services.netbird.server.management.enable { - owner = "netbird"; - }; "acme/pdns" = mkIf (hasAttr "acme" config.users.users) { owner = "acme"; }; 
diff --git a/system/dev/dn-server/common/backup.nix b/system/dev/dn-server/common/backup.nix index 2696ba9..344f7ef 100644 --- a/system/dev/dn-server/common/backup.nix +++ b/system/dev/dn-server/common/backup.nix @@ -67,6 +67,7 @@ in "roundcube" "grafana" "crowdsec" + "netbird" ]; location = "${backupPath}/postgresql"; }; diff --git a/system/dev/dn-server/default.nix b/system/dev/dn-server/default.nix index 0d2940c..0040b7b 100644 --- a/system/dev/dn-server/default.nix +++ b/system/dev/dn-server/default.nix @@ -17,11 +17,9 @@ in "maps.rspamd.com" "cdn-hub.crowdsec.net" "api.crowdsec.net" - "mx1.daccc.info" "mx1.dnywe.com" ]; allowedIPs = [ - "10.0.0.0/24" "127.0.0.1" # CrowdSec "52.51.161.146" diff --git a/system/dev/dn-server/network/default.nix b/system/dev/dn-server/network/default.nix index d94f68f..b1161e8 100644 --- a/system/dev/dn-server/network/default.nix +++ b/system/dev/dn-server/network/default.nix @@ -3,5 +3,6 @@ ./nginx.nix ./services.nix ./step-ca.nix + ./wireguard.nix ]; } diff --git a/system/dev/dn-server/network/nginx.nix b/system/dev/dn-server/network/nginx.nix index 09fcb41..733924b 100644 --- a/system/dev/dn-server/network/nginx.nix +++ b/system/dev/dn-server/network/nginx.nix @@ -64,14 +64,6 @@ locations."/".proxyPass = "http://10.0.0.130:8001/phone.html"; }; - - "ca.net.dn" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "https://10.0.0.1:8443/"; - }; - }; }; }; } diff --git a/system/dev/dn-server/network/services.nix b/system/dev/dn-server/network/services.nix index 948f3af..3a69a42 100644 --- a/system/dev/dn-server/network/services.nix +++ b/system/dev/dn-server/network/services.nix @@ -6,8 +6,9 @@ }: let inherit (config.systemConf) username security; - inherit (lib) concatStringsSep; + inherit (lib) concatStringsSep mkForce optionalString; inherit (helper.nftables) mkElementsStatement; + netbirdCfg = config.services.netbird; ethInterface = "enp0s31f6"; sshPorts = [ 30072 ]; 
@@ -23,19 +24,16 @@ let restrict = "10.0.0.128/25"; }; - kube = { - ip = "10.10.0.1/24"; - range = "10.10.0.0/24"; + infra = { + ip = "10.10.0.2/32"; interface = "wg1"; - port = 51821; - masterIP = "10.10.0.1"; - masterHostname = "api-kube.${config.networking.domain}"; - masterAPIServerPort = 6443; + range = "10.10.0.0/24"; }; allowedSSHIPs = concatStringsSep ", " [ "122.117.215.55" "192.168.100.1/24" + "100.64.0.0/16" personal.range ]; @@ -168,6 +166,13 @@ let ]; in { + systemConf.security.allowedIPs = [ + "10.10.0.0/24" + "10.0.0.0/24" + ]; + + services.resolved.enable = mkForce false; + networking = { nat = { enable = true; @@ -175,7 +180,6 @@ in externalInterface = ethInterface; internalInterfaces = [ personal.interface - kube.interface ]; }; @@ -183,15 +187,12 @@ in allowedUDPPorts = [ 53 personal.port - kube.port 25565 - kube.masterAPIServerPort 5359 ]; allowedTCPPorts = sshPorts ++ [ 53 25565 - kube.masterAPIServerPort 5359 ]; }; @@ -235,9 +236,10 @@ in tcp dport { ${sshPortsString} } jump ssh-filter - iifname { ${ethInterface}, ${personal.interface}, ${kube.interface} } udp dport { ${toString personal.port}, ${toString kube.port} } accept - iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet - iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter + iifname { ${ethInterface}, ${personal.interface} } udp dport { ${toString personal.port} } accept + iifname ${infra.interface} ip saddr ${infra.range} accept + iifname ${personal.interface} ip saddr ${personal.range} jump wg-subnet + iifname ${netbirdCfg.clients.wt0.interface} accept drop } @@ -251,6 +253,11 @@ in udp dport 53 accept tcp dport 53 accept + # Allow UDP hole punching + ${optionalString ( + netbirdCfg.clients ? wt0 + ) ''udp sport ${toString netbirdCfg.clients.wt0.port} accept''} + meta skuid ${toString config.users.users.systemd-timesync.uid} accept ct state vmap { invalid : drop, established : accept, related : accept } 
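Review bot: The new `"100.64.0.0/16"` entry in `allowedSSHIPs` does not agree with the NetBird range added to `security/fail2ban.nix` in this same commit, which is `100.104.0.0/16`; NetBird by default carves each network a /16 out of 100.64.0.0/10, so only one of these can be the mesh's real range, and if it is 100.104.0.0/16 the SSH allow entry never matches (or, if it is 100.64.0.0/16, fail2ban never exempts mesh peers). Define the range once, e.g. `netbirdRange = "100.104.0.0/16";` in a shared module, and reference it from both places, with a comment explaining why SSH is opened to the whole mesh rather than only to the `wt0` interface.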
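Review bot: `iifname ${netbirdCfg.clients.wt0.interface} accept`, in what appears to be the input chain (its header is outside the hunk), admits every packet arriving over the NetBird interface to every local port, where the `kube-filter` jump it replaces at least scoped by source address; any mesh peer, or anything that compromises one, can now reach PostgreSQL, the metrics listeners, management ports and so on, with only NetBird's own policy in the way (SSH alone stays behind `ssh-filter` because that jump comes first). Accept only the ports the mesh actually needs, or at least `iifname ${netbirdCfg.clients.wt0.interface} ip saddr <mesh range> accept` with a comment stating that NetBird ACLs are being relied on. The unconditional `clients.wt0` reference also makes the `netbirdCfg.clients ? wt0` guard around the hole-punching rule a few lines later pointless, since evaluation already fails here if `wt0` is absent; guard both or neither.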
@@ -273,16 +280,11 @@ in meta l4proto { icmp, ipv6-icmp } accept iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet - iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter + iifname ${infra.interface} ip saddr ${infra.ip} accept counter } - chain kube-filter { - ip saddr ${kube.ip} ip daddr ${kube.ip} accept - counter drop - } - chain wg-subnet { ip saddr ${personal.full} accept ip saddr ${personal.restrict} ip daddr ${personal.range} accept @@ -309,17 +311,8 @@ in inherit (r) publicKey allowedIPs; }) (fullRoute ++ meshRoute); }; - - ${kube.interface} = { - ips = [ kube.ip ]; - listenPort = kube.port; - privateKeyFile = config.sops.secrets."wireguard/privateKey".path; - peers = [ ]; - }; }; }; - - extraHosts = "${kube.masterIP} ${kube.masterHostname}"; }; services = { @@ -349,7 +342,7 @@ in openssh = { enable = true; - ports = sshPorts; + ports = mkForce sshPorts; settings = { PasswordAuthentication = false; UseDns = false; @@ -385,9 +378,7 @@ in pdns-recursor = { enable = true; forwardZones = { - "${config.networking.domain}." = "127.0.0.1:5359"; - "pre7780.dn." = "127.0.0.1:5359"; - "test.local." = "127.0.0.1:5359"; + "dn." = "127.0.0.1:5359"; }; forwardZonesRecurse = { # ==== Rspamd DNS ==== # @@ -514,7 +505,7 @@ in "uptime.${config.networking.domain}" = { enableACME = true; forceSSL = true; - locations."/".proxyPass = "http://localhost:3001"; + locations."/".proxyPass = "http://127.0.0.1:3001"; }; }; diff --git a/system/dev/dn-server/network/step-ca.nix b/system/dev/dn-server/network/step-ca.nix index 8cdedee..8ac7ced 100644 --- a/system/dev/dn-server/network/step-ca.nix +++ b/system/dev/dn-server/network/step-ca.nix 
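Review bot: `iifname ${infra.interface} ip saddr ${infra.ip} accept` matches on `infra.ip`, which is now `10.10.0.2/32`, the host's own wg1 address, whereas the `kube.ip` it replaces carried a /24 and therefore matched the whole peer subnet; if this is the forward chain, packets arriving from wg1 have peer source addresses, not the host's, so the rule is effectively dead and wg1 traffic falls through to `counter` and whatever policy follows outside the hunk. The input-chain rule added earlier in this file uses `infra.range` for the same interface and this one probably should too: `iifname ${infra.interface} ip saddr ${infra.range} accept`. The chain this hunk belongs to begins outside the hunk, so confirm which direction it filters before changing it.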
@@ -80,4 +80,12 @@ Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB openFirewall = true; intermediatePasswordFile = config.sops.secrets."step_ca/password".path; }; + + services.nginx.virtualHosts."ca.net.dn" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "https://10.0.0.1:8443/"; + }; + }; } diff --git a/system/dev/dn-server/network/wireguard.nix b/system/dev/dn-server/network/wireguard.nix new file mode 100644 index 0000000..85877ba --- /dev/null +++ b/system/dev/dn-server/network/wireguard.nix @@ -0,0 +1,5 @@ +{ config, ... }: +{ + sops.secrets."wireguard/wg1.conf" = { }; + networking.wg-quick.interfaces.wg1.configFile = config.sops.secrets."wireguard/wg1.conf".path; +} diff --git a/system/dev/dn-server/options/network.nix b/system/dev/dn-server/options/network.nix index b77f00c..646ae3e 100644 --- a/system/dev/dn-server/options/network.nix +++ b/system/dev/dn-server/options/network.nix @@ -5,7 +5,12 @@ ... }: let - inherit (lib) mkOption types concatStringsSep; + inherit (lib) + mkOption + types + concatStringsSep + unique + ; cfg = config.systemConf.security; in { @@ -14,6 +19,7 @@ in type = with types; listOf str; description = "Domains that allowed to query dns."; default = [ ]; + apply = v: unique v; }; rules = { setName = mkOption { diff --git a/system/dev/dn-server/security/fail2ban.nix b/system/dev/dn-server/security/fail2ban.nix index cdb8340..ba578f1 100644 --- a/system/dev/dn-server/security/fail2ban.nix +++ b/system/dev/dn-server/security/fail2ban.nix @@ -4,6 +4,8 @@ extraAllowList = [ "10.0.0.0/24" "122.117.215.55" + # Netbird + "100.104.0.0/16" ]; }) ]; diff --git a/system/dev/dn-server/services/default.nix b/system/dev/dn-server/services/default.nix index 325cedd..d427c8c 100644 --- a/system/dev/dn-server/services/default.nix +++ b/system/dev/dn-server/services/default.nix 
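Review bot: Adding `100.104.0.0/16` to fail2ban's `extraAllowList` exempts every NetBird peer from brute-force banning on all jails (SSH, mail, the new Nextcloud jail), so a stolen or compromised mesh device gets unlimited password attempts; mesh membership is a network-position check, not an authentication one, and those peers hit the same login surfaces as everyone else. Unless lockouts were actually a problem for mesh clients, keep the mesh inside fail2ban's scope, or at least replace the bare `# Netbird` with a comment recording why it is exempt. The range also disagrees with the `100.64.0.0/16` NetBird entry added to `allowedSSHIPs` in `network/services.nix` in this commit, so one of them is wrong and both should come from a single definition.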
@@ -3,11 +3,15 @@ imports = [ ./actual-budget.nix ./bitwarden.nix - # ./docmost.nix + ./minecraft-server.nix ./mail-server.nix ./nextcloud.nix ./paperless-ngx.nix ./metrics.nix + ./forgejo.nix + ./keycloak.nix + ./netbird.nix + ./hideTTY.nix # (import ../../../modules/opencloud.nix { # fqdn = "opencloud.net.dn"; # envFile = config.sops.secrets."opencloud".path; diff --git a/system/dev/dn-server/services/forgejo.nix b/system/dev/dn-server/services/forgejo.nix new file mode 100644 index 0000000..902307b --- /dev/null +++ b/system/dev/dn-server/services/forgejo.nix 
@@ -0,0 +1,72 @@ +{ lib, config, ... }: +let + cfg = config.services.forgejo; + srv = cfg.settings.server; + domain = "git.dnywe.com"; + mailServer = "mx1.net.dn"; + + forgejoOwner = { + owner = "forgejo"; + mode = "400"; + }; +in +{ + sops.secrets = { + "forgejo/mailer/password" = forgejoOwner; + "forgejo/server/secretKey" = forgejoOwner; + }; + + networking.firewall.allowedTCPPorts = [ srv.HTTP_PORT ]; + + services.postgresqlBackup.databases = [ cfg.database.name ]; + + systemd.services.forgejo.preStart = + let + adminCmd = "${lib.getExe cfg.package} admin user"; + pwd = config.sops.secrets."forgejo/mailer/password"; + user = "forgejo"; + in + '' + ${adminCmd} create --admin --email "noreply@${srv.DOMAIN}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true + ''; + + services.openssh.settings.AllowUsers = [ cfg.user ]; + + services.forgejo = { + enable = true; + database.type = "postgres"; + lfs.enable = true; + + settings = { + server = { + DOMAIN = domain; + ROOT_URL = "https://${srv.DOMAIN}"; + HTTP_PORT = 32006; + SSH_PORT = lib.head config.services.openssh.ports; + + # ==== OpenID Connect ==== # + ENABLE_OPENID_SIGNIN = true; + WHITELISTED_URIS = "https://${config.services.keycloak.settings.hostname}/*"; + }; + + services.DISABLE_REGISTRATION = true; + actions = { + ENABLE = true; + DEFAULT_ACTION_URL = "github"; + }; + + mailer = { + ENABLED = true; + SMTP_ADDR = mailServer; + SMTP_PORT = 587; + FROM = "noreply@${srv.DOMAIN}"; + USER = "noreply@${srv.DOMAIN}"; + }; + }; + + secrets = { + mailer.PASSWD = config.sops.secrets."forgejo/mailer/password".path; + server.SECRET_KEY = config.sops.secrets."forgejo/server/secretKey".path; + }; + }; +} diff --git a/system/dev/dn-server/services/hideTTY.nix b/system/dev/dn-server/services/hideTTY.nix new file mode 100644 index 0000000..4a0da22 --- /dev/null +++ b/system/dev/dn-server/services/hideTTY.nix 
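Review bot: `services.openssh.settings.AllowUsers = [ cfg.user ];` is restrictive, not additive: once `AllowUsers` is set, sshd rejects every account not listed, so unless another module on this host also contributes to `AllowUsers` this line locks the administrator out of the shared sshd (port 30072, which `SSH_PORT` reuses) on the next rebuild; check the merged value and either add the admin account here or drop the line. The `preStart` also creates the Forgejo admin account with the mailer password (`forgejo/mailer/password`), so the SMTP credential doubles as a web-admin credential and is passed on the `forgejo admin user create` command line, where it is briefly visible in the process list. Mint a dedicated `forgejo/admin/password` secret, prefer the CLI's random or file-based password option if the installed version offers one, and add a comment noting that `|| true` deliberately masks the "user already exists" failure on reruns.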
@@ -0,0 +1,13 @@ +{ ... }: +{ + systemd.services.hideTTY = { + description = "Auto turn off monitor "; + wantedBy = [ "multi-user.target" ]; + script = '' + echo 1 > /sys/class/graphics/fb0/blank + ''; + serviceConfig = { + Type = "oneshot"; + }; + }; +} diff --git a/system/dev/dn-server/services/keycloak.nix b/system/dev/dn-server/services/keycloak.nix new file mode 100644 index 0000000..210b692 --- /dev/null +++ b/system/dev/dn-server/services/keycloak.nix @@ -0,0 +1,17 @@ +# NOTE: This is keycloak partial overwrite for `mail-server.nix`. +{ lib, config, ... }: +let + inherit (lib) mkForce; + domain = "dnywe.com"; + cfg = config.services.keycloak; +in +{ + services.keycloak = { + settings = { + hostname = mkForce "login.${domain}"; + }; + }; + + # Disable nginx reverse proxy + services.nginx.virtualHosts."${cfg.settings.hostname}" = mkForce { }; +} diff --git a/system/dev/dn-server/services/mail-server.nix b/system/dev/dn-server/services/mail-server.nix index 0e1ab7f..c390a9a 100644 --- a/system/dev/dn-server/services/mail-server.nix +++ b/system/dev/dn-server/services/mail-server.nix @@ -1,9 +1,25 @@ -{ config, lib, ... }: +{ + config, + lib, + ... +}: let inherit (lib) mkForce; inherit (config.systemConf) username; in { + systemConf.security.allowedDomains = [ + "registry-1.docker.io" + "auth.docker.io" + "login.docker.com" + "auth.docker.com" + "production.cloudflare.docker.com" + "docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage" + "api.docker.com" + "cdn.segment.com" + "api.segment.io" + ]; + mail-server = let domain = "net.dn"; 
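Review bot: `services.nginx.virtualHosts."${cfg.settings.hostname}" = mkForce { };` does not disable the vhost as the comment above it claims; `virtualHosts` is an attribute set of submodules, so forcing an empty definition still produces a server block for `login.dnywe.com` with module defaults (plain HTTP listener, default root, no TLS) and merely throws away the ACME/proxy settings the other definition supplies. If nginx should not serve this host at all, remove or make conditional the definition in `mail-server.nix` rather than overriding it; at minimum change the comment to `# Override the mail-server vhost; this still leaves a default HTTP server block for login.dnywe.com`. Whether `mail-server.nix` is in fact the other definer is not visible in this hunk, so confirm before changing it.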
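Review bot: The new `systemConf.security.allowedDomains` entry `"docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage"` appears to be missing its `.com` suffix (the R2 hostnames end in `.r2.cloudflarestorage.com`), so image layer pulls would still be blocked by the egress filter while the allowlist looks complete. The list also opens `cdn.segment.com` and `api.segment.io`, which are analytics endpoints rather than registry infrastructure; if they are only there to stop some client from logging errors, a short comment saying so, or leaving them blocked, would be preferable to an unexplained telemetry allow. The `mail-server` block this hunk touches continues outside the hunk.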
@@ -81,29 +97,16 @@ in }; }; - services.openldap.settings.attrs.olcLogLevel = mkForce "config"; - - services.postfix.settings.main = { - # internal_mail_filter_classes = [ "bounce" ]; + virtualisation.oci-containers.containers.phpLDAPadmin = { + environment = { + LDAP_ALLOW_GUEST = "true"; + LOG_LEVEL = "debug"; + LDAP_LOGGING = "true"; + }; }; - services.rspamd = { - locals."logging.conf".text = '' - level = "debug"; - ''; - locals."settings.conf".text = '' - bounce { - id = "bounce"; - priority = high; - ip = "127.0.0.1"; - selector = 'smtp_from.regexp("/^$/").last'; - - apply { - BOUNCE = -25.0; - } - - symbols [ "BOUNCE" ] - } - ''; + services.openldap.settings = { + attrs.olcLogLevel = mkForce "config"; + # children."cn=schema".includes = extraSchemas; }; } diff --git a/system/dev/dn-server/services/metrics.nix b/system/dev/dn-server/services/metrics.nix index 3b019ee..c6b4208 100644 --- a/system/dev/dn-server/services/metrics.nix +++ b/system/dev/dn-server/services/metrics.nix @@ -63,7 +63,7 @@ in job_name = "powerdns_recursor"; static_configs = [ { - targets = [ "localhost:${toString config.services.pdns-recursor.api.port}" ]; + targets = [ "127.0.0.1:${toString config.services.pdns-recursor.api.port}" ]; labels = { machine = "${hostName}"; }; @@ -87,7 +87,7 @@ in static_configs = [ { targets = [ - "localhost:${toString config.services.crowdsec.settings.general.prometheus.listen_port}" + "127.0.0.1:${toString config.services.crowdsec.settings.general.prometheus.listen_port}" ]; labels = { machine = "${hostName}"; diff --git a/system/dev/dn-server/services/minecraft-server.nix b/system/dev/dn-server/services/minecraft-server.nix new file mode 100644 index 0000000..98e2905 --- /dev/null +++ b/system/dev/dn-server/services/minecraft-server.nix 
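Review bot: The phpLDAPadmin container gains `LDAP_ALLOW_GUEST = "true"` together with `LOG_LEVEL = "debug"` and `LDAP_LOGGING = "true"`; guest mode lets anyone who can reach the UI browse the directory without binding, and debug-level LDAP logging typically records bind DNs and search filters, so the combination turns a directory admin tool into an unauthenticated directory viewer with verbose logs. If this is a temporary troubleshooting setting, mark it with a comment and revert it before merging; otherwise set `LDAP_ALLOW_GUEST = "false"` and drop the debug flags. The container's image, port mapping and network exposure are outside this hunk, so the reachable audience cannot be confirmed here.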
@@ -0,0 +1,40 @@ +{ pkgs, ... }: +let + modpack = pkgs.fetchPackwizModpack { + url = "https://git.dnywe.com/dachxy/shader-retired-modpack/raw/branch/main/pack.toml"; + packHash = "sha256-NPMS8j5NXbtbsso8R4s4lhx5L7rQJdek62G2Im3JdmM="; + }; +in +{ + systemConf.security.allowedDomains = [ + "api.mojang.com" + "textures.minecraft.net" + "session.minecraft.net" + "login.microsoftonline.com" + ]; + + services.minecraft-servers = { + enable = true; + eula = true; + }; + + services.minecraft-servers.servers.shader-retired = { + enable = true; + autoStart = true; + openFirewall = true; + package = pkgs.fabric-server; + symlinks = { + "mods" = "${modpack}/mods"; + }; + serverProperties = { + server-port = 25565; + difficulty = 3; + gamemode = "survival"; + max-player = 20; + modt = "Bro!!!!"; + accepts-flight = true; + accepts-transfers = true; + hardcore = false; + }; + }; +} diff --git a/system/dev/dn-server/services/netbird.nix b/system/dev/dn-server/services/netbird.nix new file mode 100644 index 0000000..9eac81c --- /dev/null +++ b/system/dev/dn-server/services/netbird.nix 
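Review bot: Several `serverProperties` keys of the `shader-retired` server are misspelled and will land in server.properties as unknown keys the server silently ignores: `max-player` (should be `max-players`), `modt` (`motd`) and `accepts-flight` (`allow-flight`); only `accepts-transfers` is a real key. The effect is that the intended player cap and flight setting do not apply and the server runs with its defaults while the config suggests otherwise. Since `openFirewall = true` exposes this on the public interface, also consider stating `online-mode = true` explicitly (it is the default, but writing it documents that Mojang authentication is required) and adding a comment on the `allowedDomains` entries noting they are the Mojang/Microsoft session endpoints online mode needs.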
@@ -0,0 +1,119 @@ +{ config, lib, ... }: +let + inherit (lib) mkForce; + domain = "dnywe.com"; + + # Virtual Domain + vDomain = "vnet.dn"; + proxyIP = "10.10.0.1"; + + cfg = config.services.netbird; + srv = cfg.server; + + # TODO: Change realm to master + realm = "netbird"; +in +{ + sops.secrets."netbird/wt0-setupKey" = { + owner = cfg.clients.wt0.user.name; + mode = "400"; + }; + + systemConf.security.allowedDomains = [ + "login.dnywe.com" + "pkgs.netbird.io" + "${srv.domain}" + ]; + + imports = [ + (import ../../../modules/netbird-server.nix { + inherit realm vDomain; + domain = "netbird.${domain}"; + oidcURL = "https://${config.services.keycloak.settings.hostname}"; + enableNginx = false; + oidcType = "keycloak"; + }) + ]; + + services.netbird = { + ui.enable = mkForce false; + + clients.wt0 = { + port = 51830; + openFirewall = true; + autoStart = true; + environment = { + NB_MANAGEMENT_URL = "https://${srv.domain}"; + }; + login = { + enable = true; + setupKeyFile = config.sops.secrets."netbird/wt0-setupKey".path; + }; + }; + + server.management = { + disableSingleAccountMode = false; + singleAccountModeDomain = vDomain; + metricsPort = 32009; + turnDomain = mkForce "coturn.${domain}"; + extraOptions = [ "--user-delete-from-idp" ]; + }; + + server.coturn.enable = mkForce false; + }; + + networking.firewall.allowedTCPPorts = [ 32011 ]; + + # ==== Proxy By Caddy & CDN ==== # + services.nginx.appendHttpConfig = '' + set_real_ip_from ${proxyIP}; + real_ip_header X-Forwarded-For; + real_ip_recursive on; + ''; + + services.nginx.virtualHosts."netbird.local" = { + locations = { + "/" = { + root = cfg.server.dashboard.finalDrv; + tryFiles = "$uri $uri.html $uri/ =404"; + }; + + "/404.html".extraConfig = '' + internal; + ''; + + "/api" = { + extraConfig = '' + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + proxyPass = "http://127.0.0.1:${builtins.toString srv.management.port}"; + }; + + "/management.ManagementService/".extraConfig = '' + 
client_body_timeout 1d; + + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + grpc_pass grpc://127.0.0.1:${builtins.toString srv.management.port}; + grpc_read_timeout 1d; + grpc_send_timeout 1d; + grpc_socket_keepalive on; + ''; + + "/signalexchange.SignalExchange/".extraConfig = '' + client_body_timeout 1d; + + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + grpc_pass grpc://127.0.0.1:${builtins.toString srv.signal.port}; + grpc_read_timeout 1d; + grpc_send_timeout 1d; + grpc_socket_keepalive on; + ''; + }; + + extraConfig = '' + error_page 404 /404.html; + ''; + }; +} diff --git a/system/dev/dn-server/services/nextcloud.nix b/system/dev/dn-server/services/nextcloud.nix index eee0e25..bf61e1c 100644 --- a/system/dev/dn-server/services/nextcloud.nix +++ b/system/dev/dn-server/services/nextcloud.nix 
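Review bot: The `netbird.local` vhost has no `listen` restriction, so nginx serves the management REST API under `/api`, the management and signal gRPC endpoints and the dashboard over plain HTTP on every address the host has, to any client that sends `Host: netbird.local`; the `set_real_ip_from ${proxyIP}` stanza only rewrites client addresses for connections from 10.10.0.1, it does not stop other clients from reaching the vhost directly. Bind it to the proxy-facing address only, e.g. `listen = [ { addr = "10.10.0.2"; port = 80; } ];` (the host's wg1 address from `network/services.nix`), with a comment that TLS terminates at the Caddy/CDN hop. Separately, the `# TODO: Change realm to master` comment points the wrong way, since Keycloak's `master` realm is meant for Keycloak administration and using it for application clients is discouraged, so keep the dedicated `netbird` realm and reword the TODO; `--user-delete-from-idp` also deserves a comment because it makes a NetBird user deletion delete the Keycloak account as well, and the bare `allowedTCPPorts = [ 32011 ]` should say which service it is for.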
@@ -1,19 +1,156 @@ -{ config, ... }: { + config, + pkgs, + lib, + ... +}: +let + inherit (lib) mkIf mkDefault mkAfter; + inherit (config.sops) secrets; + spreedCfg = config.services.nextcloud-spreed-signaling; + nextcloudCfg = config.services.nextcloud; + turnDomain = "coturn.dnywe.com"; + domain = "net.dn"; +in +{ + sops.secrets = { + "nextcloud/smtpPassword" = { + owner = "nextcloud"; + group = "nextcloud"; + }; + "nextcloud/adminPassword" = { }; + "nextcloud/whiteboard" = { + owner = "nextcloud"; + }; + "nextcloud/spreed/turnPassword" = { + key = "netbird/coturn/password"; + owner = spreedCfg.user; + }; + "nextcloud/spreed/turnSecret" = { + key = "netbird/oidc/secret"; + owner = spreedCfg.user; + }; + "nextcloud/spreed/hashkey" = { + owner = spreedCfg.user; + }; + "nextcloud/spreed/blockkey" = { + owner = spreedCfg.user; + }; + "nextcloud/spreed/internalsecret" = { + owner = spreedCfg.user; + }; + "nextcloud/spreed/backendsecret" = { + owner = spreedCfg.user; + }; + }; + imports = [ (import ../../../modules/nextcloud.nix { - hostname = "nextcloud.net.dn"; - adminpassFile = config.sops.secrets."nextcloud/adminPassword".path; + hostname = "nextcloud.${domain}"; + adminpassFile = secrets."nextcloud/adminPassword".path; trusted-proxies = [ "10.0.0.0/24" ]; whiteboardSecrets = [ - config.sops.secrets."nextcloud/whiteboard".path + secrets."nextcloud/whiteboard".path ]; }) ]; services.nextcloud = { extraApps = { - inherit (config.services.nextcloud.package.packages.apps) music; + inherit (config.services.nextcloud.package.packages.apps) music spreed; + + user_migration = pkgs.fetchNextcloudApp { + url = "https://github.com/nextcloud-releases/user_migration/releases/download/v9.0.0/user_migration-v9.0.0.tar.gz"; + sha256 = "sha256-WiEEAazuj8kh5o+URs22uoNWANXcXQYLTaoABMU6rFo="; + license = "agpl3Plus"; + }; + + cospend = pkgs.fetchNextcloudApp { + url = "https://github.com/julien-nc/cospend-nc/releases/download/v3.2.0/cospend-3.2.0.tar.gz"; + sha256 = 
"sha256-mclcZDNmvpYX/2q7azyiTLSCiTYvk7ILeqtb/8+0ADQ="; + license = "agpl3Plus"; + }; + }; + appstoreEnable = false; + + settings = { + mail_smtpauth = true; + mail_smtphost = "mx1.${domain}"; + mail_smtpname = "nextcloud"; + mail_smtpmode = "smtp"; + mail_smtpauthtype = "LOGIN"; + mail_domain = "net.dn"; + mail_smtpport = 465; + mail_smtpsecure = "ssl"; + mail_from_address = "nextcloud"; + }; + + secrets = { + mail_smtppassword = secrets."nextcloud/smtpPassword".path; }; }; + + # ==== Nextcloud Talk ==== # + services.nextcloud-spreed-signaling = { + enable = true; + configureNginx = true; + hostName = "talk.${domain}"; + backends.default = { + urls = [ "https://${nextcloudCfg.hostName}" ]; + secretFile = secrets."nextcloud/spreed/backendsecret".path; + }; + + settings = { + http.listen = "127.0.0.1:31008"; + turn = { + servers = [ "turn:${turnDomain}:3478?transport=udp" ]; + secretFile = secrets."nextcloud/spreed/turnPassword".path; + apikeyFile = secrets."nextcloud/spreed/turnSecret".path; + }; + clients.internalsecretFile = secrets."nextcloud/spreed/internalsecret".path; + sessions = { + hashkeyFile = secrets."nextcloud/spreed/hashkey".path; + blockkeyFile = secrets."nextcloud/spreed/blockkey".path; + }; + nats.url = [ "nats://127.0.0.1:4222" ]; + }; + }; + + services.nats = mkIf nextcloudCfg.enable { + enable = true; + settings = { + host = "127.0.0.1"; + }; + }; + + services.nginx.virtualHosts.${spreedCfg.hostName} = { + enableACME = true; + forceSSL = true; + }; + + # ==== Secruity ==== # + services.fail2ban = { + jails = { + nextcloud.settings = { + backend = "systemd"; + journalmatch = "SYSLOG_IDENTIFIER=Nextcloud"; + enabled = true; + port = 443; + protocol = "tcp"; + filter = "nextcloud"; + maxretry = 3; + bantime = 86400; + findtime = 43200; + }; + }; + }; + + environment.etc = { + "fail2ban/filter.d/nextcloud.local".text = mkDefault (mkAfter '' + [Definition] + failregex = ^.*"remoteAddr":"(?P)".*"message":"Login failed: + 
^.*"remoteAddr":"(?P)".*"message":"Two-factor challenge failed: + ^.*"remoteAddr":"(?P)".*"message":"Trusted domain error + ''); + }; } diff --git a/system/dev/dn-server/sops/secret.yaml b/system/dev/dn-server/sops/secret.yaml index 195a3f8..f028377 100644 --- a/system/dev/dn-server/sops/secret.yaml +++ b/system/dev/dn-server/sops/secret.yaml 
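Review bot: `"nextcloud/spreed/turnSecret"` is aliased to `netbird/oidc/secret` and `"nextcloud/spreed/turnPassword"` to `netbird/coturn/password`, so the Talk signaling server now holds NetBird's Keycloak client secret as its TURN API key; a compromise of the signaling process or a leaked TURN credential exposes the `netbird-backend` OIDC client, and rotating either service's secret now breaks the other. Generate dedicated `nextcloud/spreed/turn*` values instead, since a shared TURN credential should be a TURN-only static-auth secret and never an IdP client secret. The new fail2ban jail bans on `remoteAddr`, but `trusted-proxies = [ "10.0.0.0/24" ]` means any LAN host can set `X-Forwarded-For` and have Nextcloud log an arbitrary address, which both defeats the jail and lets an attacker get someone else banned, so narrow it to the actual proxy address. Also the `failregex` lines show an empty group `(?P)`; if that is not just an artifact of how this diff was captured, the fail2ban `<HOST>` tag is missing and the filter matches nothing.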
@@ -1,17 +1,31 @@ wireguard: privateKey: ENC[AES256_GCM,data:TzZLi58XfkhHAN0LcWNSlGJ7KSspCVaCKvLl1Y3MhxEKyERStCR8MEJ629U=,iv:XG107Tnt/Md56q9vK/Eh5uyzvFT+JrcD0UAUdqky+EA=,tag:dHgl7IwqEWC+MgHPH9wyIw==,type:str] + wg1.conf: ENC[AES256_GCM,data:Wq8PgaNaEZNYpxqC2sO9CY+Cc+Qsk+sWpQ43FkjXqY5rSYo7rSjzN3sde44ba2IY85Dwyo+TKNp+mmLnjDM3Bgxb3h/sLLEJRwVGS1lU7GQKuT2ZL3MupnKVYXyK/2VmP+Umfw75AHYeMM809HRr7UroDEFQEll3DVqNqWSJRAll2hR14lnxUQpZIewMWTerEE0b+SEADXhPCOsgTUXFxJMtXTfsifGjf0HO2sLrW7EQvMxuiTvSCwosUilc/HgaA/+vNm+UkZ3pSwybYm9fIFvEu0IEqHuLyvy41J70DdxFdS9mNAcYcpeOFrTR4BE6NQ==,iv:zgyIqdH9OWEXPNkHs94Tcet16zvbxV7rbkwzVybkQBc=,tag:GJgAAGyrAhhaxVmcsT/reA==,type:str] +netbird: + oidc: + secret: ENC[AES256_GCM,data:zZ8zuDqUdZANk1VV44kfp/Y4eXxJDwead9440QJma4Q=,iv:d6/RSEtuhqL+RQDuOQMJhyC9U9ikcasEz0DIdtaBtKg=,tag:8be6FBymbIN+To0dFz2ncA==,type:str] + dataStoreKey: ENC[AES256_GCM,data:FGyqII1DZMtImMtWiUx0e1I4J+yMzrWKwhBB6kjmRHqlLz8Oy+C/zCM5SQ8=,iv:AXD8u9vcha8CSRnMPabtdXDQoeqpqKIbWGwfcgIc8Dw=,tag:3nSIt0V+G6NJQ7JSslNOWg==,type:str] + coturn: + password: ENC[AES256_GCM,data:AMWBkWLcj1EFfufl8pALpVOG0PE=,iv:sngIedZE4X8clhGIsQyiGKbdsheRbEqeU57Emz2DWJM=,tag:daRLPNrO5fq84rtieYuYYw==,type:str] + wt0-setupKey: ENC[AES256_GCM,data:2KKqmcdQhkbu4Qo8rVWLwT7NdpF7iWneDGazHQlM++LdGQNr,iv:Dfryc5Ak8ueuHCT+8SxliEJqUtn695/N3iE69a5AoCQ=,tag:wCKfCOcTFZWbZs99FhF2EQ==,type:str] nextcloud: adminPassword: ENC[AES256_GCM,data:ev4Ua8JX0l0KK50SGm6xCw==,iv:OosiF0g4l1mrgndbwUOvO2YUqxWVk1hvAZY0rHU9GPE=,tag:rIr+4x/p8u94e2Ip03iX0Q==,type:str] whiteboard: ENC[AES256_GCM,data:EFrakjKTOskWBrobg/F12bdm/sM/cU4u6bUDw8TVqzmV95fNqn6n4MR+gTyKj6CG0+YLbZDHAmfsApWVH/VhDNTw3s1hkSu93Yq85ov7QEk=,iv:fYTLDOMmW+qoZVgC7fSPo+xFaytJN1gIaEcRgle+7gY=,tag:ETmXxGPsUafV3pR9cMLMXA==,type:str] + smtpPassword: ENC[AES256_GCM,data:sira5mEA1U3aUJVAdGt4wmQi,iv:asyfTixRkEU2LqaFYgf9PdpIwLzwdrRagmVNiiSqukw=,tag:LVL1uWKg+ud3AcE1ZtksTw==,type:str] + spreed: + hashkey: 
ENC[AES256_GCM,data:6HeTBV5sqwREumVNklCkLuqHMjRCoQ3BGddqFoZW5IWFLyMgHlgacZVq8iQ=,iv:AIeEmYRmCbipMEdATX0pocglhwP+vlrT1JfOz07peDg=,tag:VYgrLbDyyqw/4T5YnJUFlg==,type:str] + blockkey: ENC[AES256_GCM,data:eHnOyQBqjw3DPd1Vb9M9AVI/2yFgGh09sDIpq7rBrvE=,iv:m6jhSNZuFEBeLGaOS85GdT4bGAorhT0S0keRDzwEMg8=,tag:/Ck+vPXqmKkdpAdF1IiN/g==,type:str] + internalsecret: ENC[AES256_GCM,data:rOIMX0Me5V2xhnBSnNVg4F9nInYCGAXSp7Fm01uImlPSoXGWi8HBx2LRkN8=,iv:wyPIhSpDEZYf3apmQr3VsoO6MDjU3lvSjHeTZNEBMLM=,tag:NySofDB+7t8KXwG0BvYd8w==,type:str] + backendsecret: ENC[AES256_GCM,data:pV5yw755RkAwHBdmfeP37/SobFZqJouWyIiRJ+Y2mk0iiVdW04vhYVsyjcI=,iv:NhkewgnyE2Dw8mQMMSq6AWo6IOWu8BlyPZvZAszyZuQ=,tag:BlZO15qZWViV8pCWIgZHZQ==,type:str] step_ca: password: ENC[AES256_GCM,data:3NtUAl344gHiXLlMl88X17Vsm/4OKFM0W8bntzbXC0U=,iv:q9cWW8xTxYQnRYohBxnPIsbVSpvkZYVpYLRVeZgmsRM=,tag:ibumK7ebPKNO/CXAS0eeRA==,type:str] vaultwarden: ENC[AES256_GCM,data:5gn2+IYznojrYbmzCJx17qAlBvJBv3CnMEZensyep9JpKEHVz29teOYDh5Zetv0mSrgmrUxCTdNsm0OZCX9EswhslNl5ay6zkhoL+64JIyUcNFWcvu7oD2w1qynWgz41GS2yzuw91LntN4mcpODKhHNN8XFCU9d71Z9zTSIdWn2PoG8wME2hVBJ2YxLpqzDyJYlkWYf4VYUnn9vXZatZqQd0n7bjx3dgX3ogFG/UNfMAs2oLCfuYLkxBqpR2cGNktIxWctCEAWwG68Pfk7X66KMi5w==,iv:JcExp8YkGwV2nMbCK+n0KSL3+SryJZ0iKtVcU/Q+Cgs=,tag:Ut6ahXVAuOKlcwk6DE56Ig==,type:str] ldap: password: ENC[AES256_GCM,data:gz5WBopSffGyvJxKDPekPQ==,iv:bX7N9/oNMhtE/KbPah2ge4s87P2VsxHGoFkOyl83dxs=,tag:YoTe6NPAJgp/0nvhHC9Y5A==,type:str] - env: ENC[AES256_GCM,data:XmIz9JEswvK1jVmTsTgdDZJXeK7j8E/b6nF+uuZpvpoe5/IogjMrzcWi3EB1i44z1Dxgoim8QM8ZtczY,iv:1jK/J2qfKODrbrNpSHl110jPvbNLl0zI//laowerJOc=,tag:tkBVxDC8Ebn3Aac+LATQFA==,type:str] + env: ENC[AES256_GCM,data:68EvTHeBqtCVfde5oO+Wzny+l/YIMWQmbcNQ0Wl59EjMrSlJM0rmFm2lMJpxKzCN2cFs0N2z6zG1/eQ9t/SxxyVBrNA6ECnCZrerIo2YGlaT30tc1rffpd8TchMH1VKP5qHnbLUqORMx5z0LR4U49l2HVcHgSCjt/1f127oMi411vIU=,iv:+m1F0CBaoJGv6Z1u+h6rbsXGPUhxgHouTalj13ccJiY=,tag:I/hK65yPaIcgHEZVaXJHBA==,type:str] oauth: password: 
ENC[AES256_GCM,data:lzS/OtqHb/24IJnOKxMBQA==,iv:BI1n7Jjklye6WM2ss7jpaGgokrJpAG2Ipil7VrY30XM=,tag:i3OByJ6LDwvAsS5CTrEQig==,type:str] - adminEnv: ENC[AES256_GCM,data:tF7ECUxG5QeNIvx3IFpTtY7NnSXROGHi48jGXZNgJVX5cABNIYBUqYW9/p2KbA==,iv:7oNmOBEs0b9mB6Ay7IULH2AumQOdIyQ+hDHm5kV6lTY=,tag:jkfA6D8CKg1jC21dS7Sumw==,type:str] + adminEnv: ENC[AES256_GCM,data:qUU6jv7zDNd0pJQdGyyolWKhN+iq5vUWG8FgZlokOgx9cH89XVS4LBQofpHPz2Y1Th0kvRducQcZqFc=,iv:wSI3uOaXK12zwzyXAI7sQKy9RzVpNHtFswHa8p2+kio=,tag:jqAD0E/Vv1kpwAyghze+mw==,type:str] powerdns-admin: secret: ENC[AES256_GCM,data:M5hD8B7kikseQJZCWUIlc7OJcQn0nwnx0QOSQe+Mf8TaztvyFfSfxv0vowNsx0MyGef4teuK+DW9/UTbRFEHeg==,iv:xaSgzhqMU9+ud1xfXLVkg3v2xcmIo35BOhml5VfHKBI=,tag:L1v95+HsIqNjVA1LGNbEJQ==,type:str] salt: ENC[AES256_GCM,data:rs4tZrVF4kb6/97wjQA2Npb2QeS6vjN3L1zRgmM=,iv:c0VTEtnahMSfs/PqeFQxYpDstLxPKaW1RyXMc6SQJu8=,tag:dXHUO2KJvP5Sz22Gv6ws/w==,type:str] 
@@ -31,7 +45,7 @@ prometheus: nginxAuth: ENC[AES256_GCM,data:+xcdBPwrpAXIXPFJCrmSsDacWlKzZbE0Mtt97ixxYcDMJT4PdATkboaECDJoyhqUc9ThwOCJ7t8/IHHNOh5r7hkk9aWzh8FY,iv:Z/IiEi6oZm1Hv3m8c522GK6eYFf0syFn3A0o4S58DUI=,tag:ASZqiiBOitfFGdYFP+i0jQ==,type:str] paperless: adminPassword: ENC[AES256_GCM,data:6SFObuK96Vc+PBUv/wRNCA==,iv:Mn6GJWzkd72xsvqlG0bD/3pp9YICqov356ZmlTda2eA=,tag:P3BJ1I+3XFD3HVkJccKyTg==,type:str] - envFile: ENC[AES256_GCM,data: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,iv:/rSkQ3a9q4kLfwznGnEl9nD2poUUMeS0oeLRyhQYE6o=,tag:HHY1NAXfoinfGqWmUTMmXA==,type:str] + envFile: ENC[AES256_GCM,data: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,iv:EtcZFfI/zBDXyW6/LMoGahcjMQoAVKx9VTF9I9y6J3w=,tag:LdkJJzz/WBxQCVoLd0E1ug==,type:str] atticd: secret: ENC[AES256_GCM,data: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,iv:WVSTjMjzmtQTs7s9RUO4q3QY0ECP3yhNrWIu+fOb8jQ=,tag:QmHqdcd9uMo2DSTVooJtVA==,type:str] docmost: ENC[AES256_GCM,data:4uK3rOKurQPFfiTJzjMRn7hqPeB3c1fYG/zt01Ttwp5BvuI9B3JA34oNwvVzG8Jkl+Oc8pcj+IR55H5Y7KCQNiY9ux8rLbdtHRjhwKU6nah8kP+qSLOi935fXDdd0C5aMoHz2k72G8pT5ww5mt3AVCtd+bghZKX8WV6+XPBYwya2R3JGy/dm5/UAWoYC0LxMKsyj1w7Zr7nKWCa3PMWDjJXNvHkfwvC/9mhNWUMSVtAtlqYNRjQpCK/4rH8PDRRr3KgPyV1LYmV+O8/wVK+aQ4cuI8TLp5qQxNXU3PBljKCrfMyGRNx307P/cL63DR7Bv08iTFtVX58dYnTrnG3OSvMWaup5IF9+w/I=,iv:hmU6Eq/3vj3+rWSnUlt6mdLW47viShxbFa6WykQrR6M=,tag:8dBYTIBI5jGhSEp64axpXg==,type:str] 
@@ -41,6 +55,11 @@ crowdsec: consoleToken: ENC[AES256_GCM,data:G/UfbMqHW0lecT7vKmZsusvXzgxz6apdRQ==,iv:JJTN1RPhFNMd2gqE3Vw2FvC+bA/vgOiYNfBhr96veIw=,tag:HKbhtwCWkLte8e8uGDt2Gw==,type:str] opencloud: ENC[AES256_GCM,data:NrhvojLoMUbGkWNkfDN12iAU70F9o1MXa3m8RzYtcBU1r9zk0e+4ZlPAqw2SIobMDC3vo3few7cA21ruYGP2p36lskG6UjafyJPJoHQcxlq04Kp/9GVeSsvI3KP08WLmoaBqk6b+f1K57P4OzSHPYKQ4/f51B4yhmt8n/DNg7RgF8wNKi4KUTOBuC/j+T+51vsJdjqHUuBi1y2ZqaolAwfEYbnswNVJUcOxHUezIAGke/22U0fS01+p1JQ/PAzSeDdxuX8dAMDVYHHZ13A07kXIRchpSb63Y5pTLUUAl25zAaSYoq+fZ0s61DZrYCaityZCishhCpJwmyoOsCWEesOpRFYNjIALIxWmM9b3aU/5G1WNiPRdlfvZpowhm3r+4X7QGCoXvuoI94l8DuXW7wN77XhLr7s4w,iv:TrUgpRHN7NYFZw+tihcxJ+dhNi4nIuNHMxNWgCE53AA=,tag:YZNL/Pv8S0hYtSt5IBE1GA==,type:str] ntfy: ENC[AES256_GCM,data:y2evjuP49mnN8dCnS+nC6KGYEiO5ZPykgtHXQJqYoW/yq7zMpPowe5cFdKYO6MYWYFwT4Vy8okl64h8GQXZOPfqjEct2eB23GL6021ZCm5FmGJf4pYERwuYV0LC3VV74nnvTd9rDhWeSDd1awXzwkbviy7CtI55R3+ZBxRKhIYL31f4T4OHs51wldJWE6Lf8f6eNldN0M+Ki4Pxvyhbtt/A3OLmfSKhCd+eehdCABkuWaiPAu55dJS/m/b8++lQaod0Vmdbp9WlLGP5Ep7G5XwG92F5PgPr6dRa78x5AcvahVgSr8inlTVhXrue5EBzd3TAj2cIf953S2V6GKCFqhdjajbPvqzqXVxC5JuTCX9d6bWAMVGkVqeF0i33kHewM+cT3iGAYUSt38UTvCqI7UY5X0AIlZe5S8J2BCoDlRbHA7mERQrDl2Q==,iv:n+ubsZKbW2odqQeK4aqhxPxdCxtCsO7wS2wIthaQPHE=,tag:j7Ju4FrPYnKfUcy5pNQI3w==,type:str] +forgejo: + server: + secretKey: ENC[AES256_GCM,data:DShv0oGdrHi40OMGz6/8XsiNY7nFcdJswBXucP9t7JQtgj9wk8Wr2mn17rfzkjNXTRletI60OPGPz2c57xOnTA==,iv:9TVma4i167123hyVA4yMAGsc9074+Yd4qggL7PkhUKg=,tag:/ELp01jK7of78Kyn+aOcMA==,type:str] + mailer: + password: ENC[AES256_GCM,data:dcIotYpgtdFLcunAB3ttlczzQ68=,iv:vH3rckAfntFAEtH3dolF7NCAdj142cAzre56x7oBdDA=,tag:TaxRn8g/TVloM60D6Ud0Jg==,type:str] sops: age: - recipient: age17rjcght2y5p4ryr76ysnxpy2wff62sml7pyc5udcts48985j05vqpwdfq2 
@@ -70,7 +89,7 @@ sops:
 OFloWEFuTC9GTXJsMG5NNktmdmIrY1kK0yN0ae0xNaydujV5lt2FiwXdyursG0DK
 9i/B3TTAm9csDMMSTSFbiAUJDzG7kIqn++JU/cxvsGScSnhMqjEK/g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-12-29T05:31:41Z"
- mac: ENC[AES256_GCM,data:7vRB92qX6NPYafjpTY0wS23bq5Jn57xkWamJZ2ZgD4/2rW+qRilmO6sqaZEktWr7q2jQzgSvdgZsgbuhkxoqQXrTVP7osjr8qQ20jL9OXLxSgPQry2QqNBqlSdjEUov/bygJA0oI46K8pdk6OrT07Few/nXMrvUixFAGGUsKmJc=,iv:Gd5X70COnDL4Ntps/bedF92uUH6hCosDj2dsbF0KQHw=,tag:O3vq/kFnay5le7F1Q2heJQ==,type:str]
+ lastmodified: "2026-01-07T08:19:02Z"
+ mac: ENC[AES256_GCM,data:hWVuAT2P1vXtSWUiCYh52vr2FY60611QlO+lNf9GbB98Tzk6K3/RaEtQR8a1KVGz9qoJFwxRk0jm9Mo78ezxaCmjePWklyDYFTPGCcBZbPNGTcZfiCfp5yzFGDbGsR2s3nVDHP+a+BIwIWYEJZz2T4Gi/sPK2rUwGdvq6b0rnKQ=,iv:trEF/xsJobs87q96BdRxDkZHmInEU9krhUQiMvNu87g=,tag:PkYNLlnl72J+dxgnWhvWAw==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0
diff --git a/system/dev/dn-server/sops/sops-conf.nix b/system/dev/dn-server/sops/sops-conf.nix
index 0449f9c..e123c75 100644
--- a/system/dev/dn-server/sops/sops-conf.nix
+++ b/system/dev/dn-server/sops/sops-conf.nix
@@ -5,10 +5,6 @@ in
 {
 sops.secrets = {
 "wireguard/privateKey" = { };
- "nextcloud/adminPassword" = { };
- "nextcloud/whiteboard" = {
- owner = "nextcloud";
- };
 "step_ca/password" = { };
 vaultwarden = { };
 "oauth/password" = { };
diff --git a/system/dev/skydrive-lap/default.nix b/system/dev/skydrive-lap/default.nix
index 1581b1c..0dd0d0d 100644
--- a/system/dev/skydrive-lap/default.nix
+++ b/system/dev/skydrive-lap/default.nix
@@ -10,11 +10,11 @@ in
 systemConf = {
 inherit hostname username;
 domain = "net.dn";
- hyprland.enable = true;
+ # hyprland.enable = true;
+ niri.enable = true;
 face = pkgs.fetchurl {
- url = "https://files.net.dn/skydrive.jpg";
+ url = "https://git.dnywe.com/dachxy/skydrive-avatar/raw/branch/main/skydrive.jpg";
 hash = "sha256-aMjl6VL1Zy+r3ElfFyhFOlJKWn42JOnAFfBXF+GPB/Q=";
- curlOpts = "-k";
 };
 };
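Review bot: The `nextcloud/adminPassword` and `nextcloud/whiteboard` declarations are dropped from `sops.secrets` in `sops-conf.nix` while both keys remain in `secret.yaml` (they are unchanged context in that file's first hunk), so unless they are re-declared next to the Nextcloud service in the dn-server module — that hunk is cut off at the top of this chunk, so I cannot confirm — the secret files would no longer be provisioned and any remaining reference to their `.path` would fail at evaluation. If the move is intentional, a one-line comment at the top of the remaining `sops.secrets` block, e.g. `# Nextcloud secrets are declared alongside services.nextcloud`, saves the next reader the search.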
@@ -22,9 +22,9 @@ in
 ../../modules/presets/basic.nix
 ./common
 ./games
- ./services
 ./sops
 ./utility
+ ./network
 ];
 users.users.root.openssh.authorizedKeys.keys = [
diff --git a/system/dev/skydrive-lap/network/default.nix b/system/dev/skydrive-lap/network/default.nix
new file mode 100644
index 0000000..e7803e3
--- /dev/null
+++ b/system/dev/skydrive-lap/network/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ imports = [
+ ./netbird.nix
+ ];
+}
diff --git a/system/dev/skydrive-lap/network/netbird.nix b/system/dev/skydrive-lap/network/netbird.nix
new file mode 100644
index 0000000..b413fa2
--- /dev/null
+++ b/system/dev/skydrive-lap/network/netbird.nix
@@ -0,0 +1,17 @@
+{ self, ... }:
+let
+ serverCfg = self.nixosConfigurations.dn-server.config;
+ domain = serverCfg.services.netbird.server.domain;
+in
+{
+ services.netbird = {
+ clients.wt0 = {
+ openFirewall = true;
+ autoStart = true;
+ port = 51820;
+ environment = {
+ NB_MANAGEMENT_URL = "https://${domain}";
+ };
+ };
+ };
+}
diff --git a/system/dev/skydrive-lap/services/default.nix b/system/dev/skydrive-lap/services/default.nix
deleted file mode 100644
index e02134a..0000000
--- a/system/dev/skydrive-lap/services/default.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- imports = [
- ./wireguard.nix
- ];
-}
diff --git a/system/dev/skydrive-lap/services/wireguard.nix b/system/dev/skydrive-lap/services/wireguard.nix
deleted file mode 100644
index b2e5388..0000000
--- a/system/dev/skydrive-lap/services/wireguard.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- imports = [
- ../../../modules/wireguard.nix
- ];
-}
diff --git a/system/modules/actual/default.nix b/system/modules/actual/default.nix
index 5a34bf2..9b00369 100644
--- a/system/modules/actual/default.nix
+++ b/system/modules/actual/default.nix
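Review bot: `system/dev/skydrive-lap/network/netbird.nix` re-implements the `clients.wt0` block of `system/modules/netbird-client.nix` (added later in this commit) minus the `login`/`setupKeyFile` part, so the two copies will drift; importing the shared module and overriding `login.enable` per host, or a comment such as `# laptop enrols interactively, so no setup key here`, would make the intent explicit. Both files also evaluate `self.nixosConfigurations.dn-server.config` just to read the server's domain, which ties the laptop build to a successful evaluation of the whole server configuration; presumably acceptable here, but worth stating in a comment since a broken server config then breaks the laptop build too.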
@@ -39,7 +39,7 @@ in
 forceSSL = true;
 locations."/api/".proxyPass =
- "http://localhost:${toString config.services.actual-budget-api.listenPort}/";
- locations."/".proxyPass = "http://localhost:${toString config.services.actual.settings.port}";
+ "http://127.0.0.1:${toString config.services.actual-budget-api.listenPort}/";
+ locations."/".proxyPass = "http://127.0.0.1:${toString config.services.actual.settings.port}";
 };
 }
diff --git a/system/modules/cockpit.nix b/system/modules/cockpit.nix
index 6638ef8..5493fda 100644
--- a/system/modules/cockpit.nix
+++ b/system/modules/cockpit.nix
@@ -28,6 +28,6 @@ in
 services.nginx.virtualHosts."${domain}" = mkIf enableNginx {
 enableACME = true;
 forceSSL = true;
- locations."/".proxyPass = "http://localhost:${toString config.services.cockpit.port}";
+ locations."/".proxyPass = "http://127.0.0.1:${toString config.services.cockpit.port}";
 };
 }
diff --git a/system/modules/docmost.nix b/system/modules/docmost.nix
index 488b750..a86a592 100644
--- a/system/modules/docmost.nix
+++ b/system/modules/docmost.nix
@@ -46,10 +46,10 @@ in
 if (fqdn != null) then
 "${if https then "https" else "http"}://${fqdn}"
 else
- "http://localhost:${toString port}"
+ "http://127.0.0.1:${toString port}"
 }";
 DATABASE_URL = "postgresql://docmost@docmost?schema=public&host=/var/run/postgresql";
- REDIS_URL = "redis://localhost:${toString config.services.redis.servers.docmost.port}";
+ REDIS_URL = "redis://127.0.0.1:${toString config.services.redis.servers.docmost.port}";
 }
 // extraConf
 );
@@ -77,7 +77,7 @@ in
 enableACME = lib.mkIf https true;
 forceSSL = lib.mkIf https true;
 locations."/" = {
- proxyPass = "http://localhost:${toString port}";
+ proxyPass = "http://127.0.0.1:${toString port}";
 proxyWebsockets = true;
 };
 };
diff --git a/system/modules/fail2ban.nix b/system/modules/fail2ban.nix
index 781ff17..c2ec324 100644
--- a/system/modules/fail2ban.nix
+++ b/system/modules/fail2ban.nix
@@ -1,5 +1,5 @@
 {
- extreAllowList ? [ ],
+ extraAllowList ? [ ],
 ...
 }:
 {
@@ -9,7 +9,7 @@
 ignoreIP = [
 "192.168.0.0/16"
 ]
- ++ extreAllowList;
+ ++ extraAllowList;
 bantime = "24h";
 bantime-increment = {
 enable = true;
diff --git a/system/modules/gc.nix b/system/modules/gc.nix
index f90d332..eb5b5fb 100644
--- a/system/modules/gc.nix
+++ b/system/modules/gc.nix
@@ -11,7 +11,7 @@
 optimise.automatic = true;
 gc = {
 automatic = true;
- dates = [ "03:15" ];
+ dates = "weekly";
 options = "--delete-older-than 7d";
 };
 };
diff --git a/system/modules/netbird-client.nix b/system/modules/netbird-client.nix
new file mode 100644
index 0000000..7119b5f
--- /dev/null
+++ b/system/modules/netbird-client.nix
@@ -0,0 +1,31 @@
+{
+ self,
+ config,
+ ...
+}:
+let
+ serverCfg = self.nixosConfigurations.dn-server.config;
+ cfg = config.services.netbird;
+ domain = serverCfg.services.netbird.server.domain;
+in
+{
+ sops.secrets."netbird/wt0-setupKey" = {
+ owner = cfg.clients.wt0.user.name;
+ mode = "400";
+ };
+
+ services.netbird = {
+ clients.wt0 = {
+ openFirewall = true;
+ autoStart = true;
+ port = 51820;
+ environment = {
+ NB_MANAGEMENT_URL = "https://${domain}";
+ };
+ login = {
+ enable = true;
+ setupKeyFile = config.sops.secrets."netbird/wt0-setupKey".path;
+ };
+ };
+ };
+}
diff --git a/system/modules/netbird-server.nix b/system/modules/netbird-server.nix
new file mode 100644
index 0000000..e563231
--- /dev/null
+++ b/system/modules/netbird-server.nix
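Review bot: `netbird-client.nix` carries no header comment stating its contract: it only works when `self` exposes a `dn-server` NixOS configuration and when the importing host's sops file contains a `netbird/wt0-setupKey` entry, and neither precondition is checkable from the module itself. A two-line comment above the argument set, along the lines of `# Enrols this host into the dn-server NetBird network; requires netbird/wt0-setupKey in the host's sops file`, would make both visible to whoever imports it next. Keeping the setup key at `mode = "400"` owned by the client user is the right choice for an enrollment credential and could be named in the same comment.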
@@ -0,0 +1,123 @@
+{
+ domain,
+ oidcURL,
+ vDomain ? null,
+ enableNginx ? false,
+ oidcType ? "keycloak",
+ realm ? "netbird",
+}:
+{
+ lib,
+ config,
+ ...
+}:
+let
+ inherit (lib) mkIf mkForce;
+ inherit (config.sops) secrets;
+ cfg = config.services.netbird;
+ srv = cfg.server;
+ dnsDomain = if vDomain == null then domain else vDomain;
+in
+{
+ sops.secrets = {
+ "netbird/oidc/secret" = { };
+ "netbird/turn/secret" = {
+ key = "netbird/oidc/secret";
+ };
+ "netbird/turn/password" = {
+ key = "netbird/coturn/password";
+ };
+ "netbird/coturn/password" = mkIf config.services.netbird.server.coturn.enable {
+ owner = "turnserver";
+ };
+ "netbird/dataStoreKey" = { };
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "netbird" ];
+ ensureUsers = [
+ {
+ name = "netbird";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ systemd.services.netbird-management.environment = {
+ NETBIRD_STORE_ENGINE_POSTGRES_DSN = "host=/var/run/postgresql user=netbird dbname=netbird";
+ };
+
+ services.netbird = {
+ ui.enable = true;
+
+ server = {
+ inherit domain enableNginx;
+ enable = true;
+
+ # ==== Signal ==== #
+ signal.enable = true;
+
+ # ==== Management ==== #
+ management = {
+ inherit dnsDomain;
+
+ # === turn === #
+ oidcConfigEndpoint = "${oidcURL}/realms/${realm}/.well-known/openid-configuration";
+ settings = {
+ StoreConfig.Engine = "postgres";
+ DataStoreEncryptionKey = {
+ _secret = secrets."netbird/dataStoreKey".path;
+ };
+ TURNConfig = {
+ Secret._secret = secrets."netbird/turn/secret".path;
+ Turns = mkForce [
+ {
+ Proto = "udp";
+ URI = "turn:${srv.management.turnDomain}:3478";
+ Username = "netbird";
+ Password._secret = secrets."netbird/turn/password".path;
+ }
+ ];
+ };
+ IdpManagerConfig = {
+ ManagerType = oidcType;
+ ClientConfig = {
+ TokenEndpoint = "${oidcURL}/realms/${realm}/protocol/openid-connect/token";
+ ClientID = "netbird-backend";
+ ClientSecret = {
+ _secret = secrets."netbird/oidc/secret".path;
+ };
+ };
+ ExtraConfig = {
+ AdminEndpoint = "${oidcURL}/admin/realms/${realm}";
+ };
+ };
+ DeviceAuthorizationFlow.ProviderConfig = {
+ Audience = "netbird-client";
+ ClientID = "netbird-client";
+ };
+ PKCEAuthorizationFlow.ProviderConfig = {
+ Audience = "netbird-client";
+ ClientID = "netbird-client";
+ };
+ };
+ };
+
+ # ==== Dashboard ==== #
+ dashboard.settings = {
+ AUTH_AUTHORITY = "${oidcURL}/realms/${realm}";
+ AUTH_CLIENT_ID = "netbird-client";
+ AUTH_AUDIENCE = "netbird-client";
+ AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api";
+ };
+
+ # ==== Coturn (STUN/TURN) ==== #
+ coturn = {
+ enable = true;
+ passwordFile = secrets."netbird/coturn/password".path;
+ useAcmeCertificates = enableNginx;
+ };
+ };
+ };
+}
diff --git a/system/modules/nextcloud.nix b/system/modules/nextcloud.nix
index 33041ae..d0ea33f 100644
--- a/system/modules/nextcloud.nix
+++ b/system/modules/nextcloud.nix
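Review bot: `"netbird/turn/secret"` is declared with `key = "netbird/oidc/secret"`, so the value fed to `TURNConfig.Secret` is byte-for-byte the Keycloak client secret also used in `IdpManagerConfig.ClientConfig.ClientSecret`. As far as I can tell the TURN secret is what the management service uses to derive relay credentials for clients, so it lives in a different trust domain from the IdP client credential, and a leak on the TURN side would also expose the OIDC client; giving the TURN secret its own value under a distinct key in `secret.yaml` keeps the two apart, and if the sharing is deliberate a comment on the `key =` line should say why. Separately, the `# === turn === #` comment sits above `oidcConfigEndpoint`, which is OIDC configuration; either move it above `TURNConfig` or rename it to `# === oidc === #`.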
@@ -47,10 +47,42 @@ in
 ];
 };
- systemd.services."phpfpm-nextcloud".postStart = mkIf config.services.nextcloud.enable ''
- ${config.services.nextcloud.occ}/bin/nextcloud-occ config:app:set recognize node_binary --value '${lib.getExe pkgs.nodejs_22}'
- ${config.services.nextcloud.occ}/bin/nextcloud-occ config:app:set recognize tensorflow.purejs --value 'true'
- '';
+ systemd.services.nextcloud-config-recognize =
+ let
+ inherit (config.services.nextcloud) occ;
+ in
+ {
+ wantedBy = [ "multi-user.target" ];
+ after = [
+ "nextcloud-setup.service"
+ ];
+ script = ''
+ ${occ}/bin/nextcloud-occ config:app:set recognize node_binary --value '${lib.getExe pkgs.nodejs_22}'
+ ${occ}/bin/nextcloud-occ config:app:set recognize tensorflow.purejs --value 'true'
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ };
+
+ # Disable Other login method for nextcloud
+ # Admin can login through adding `?direct=1` to url param
+ systemd.services.nextcloud-config-oidc =
+ let
+ inherit (config.services.nextcloud) occ;
+ in
+ {
+ wantedBy = [ "multi-user.target" ];
+ after = [
+ "nextcloud-setup.service"
+ ];
+ script = ''
+ ${occ}/bin/nextcloud-occ config:app:set --type=string --value=0 user_oidc allow_multiple_user_backends
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ };
 services.nextcloud = {
 enable = true;
diff --git a/system/modules/paperless-ngx.nix b/system/modules/paperless-ngx.nix
index e55cdd7..45ab185 100644
--- a/system/modules/paperless-ngx.nix
+++ b/system/modules/paperless-ngx.nix
@@ -31,6 +31,6 @@ in
 services.nginx.virtualHosts."${domain}" = mkIf configureNginx {
 enableACME = true;
 forceSSL = true;
- locations."/".proxyPass = "http://localhost:${toString config.services.paperless.port}";
+ locations."/".proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}";
 };
 }
diff --git a/system/modules/presets/minimal.nix b/system/modules/presets/minimal.nix
index c2e5923..8312883 100644
--- a/system/modules/presets/minimal.nix
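Review bot: Both new oneshot units declare only `after = [ "nextcloud-setup.service" ]`; `after` orders but does not pull the setup unit in, so on a boot where `nextcloud-setup.service` is not otherwise scheduled the `occ` calls would run against an unprepared instance — adding `requires = [ "nextcloud-setup.service" ];` beside `after` makes the dependency real (the nixpkgs module probably wants it from `multi-user.target` already, so this is belt-and-braces). The two units also repeat the same `let`/`wantedBy`/`after`/`serviceConfig` scaffolding around a one-line script; a small local function taking the script body would keep them in step. The comment above `nextcloud-config-oidc` could state the effect rather than the intent: `# allow_multiple_user_backends=0: the login page offers only the OIDC backend; the local admin account stays reachable via ?direct=1`.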
+++ b/system/modules/presets/minimal.nix
@@ -1,4 +1,7 @@
-{ ... }:
+{ lib, ... }:
+let
+ inherit (lib) mkForce;
+in
 {
 imports = [
 ../environment.nix
@@ -18,5 +21,9 @@
 ../sops-nix.nix
 ../gc.nix
 ../security.nix
+ ../systemd-resolv.nix
 ];
+
+ # Disable man cache
+ documentation.man.generateCaches = mkForce false;
 }
diff --git a/system/modules/prometheus.nix b/system/modules/prometheus.nix
index 1df30a6..de09bc6 100644
--- a/system/modules/prometheus.nix
+++ b/system/modules/prometheus.nix
@@ -33,7 +33,7 @@ in
 job_name = "master-server";
 static_configs = [
 (optionalAttrs selfMonitor {
- targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
+ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
 })
 ];
 }
@@ -47,7 +47,7 @@ in
 forceSSL = true;
 locations."/" = {
- proxyPass = "http://localhost:${toString config.services.prometheus.port}";
+ proxyPass = "http://127.0.0.1:${toString config.services.prometheus.port}";
 };
 };
 }
diff --git a/system/modules/secure-boot.nix b/system/modules/secure-boot.nix
index 064adc8..75e9eed 100644
--- a/system/modules/secure-boot.nix
+++ b/system/modules/secure-boot.nix
@@ -8,7 +8,8 @@
 loader.systemd-boot.enable = lib.mkForce false;
 lanzaboote = {
 enable = true;
- pkiBundle = "/var/lib/sbctl/";
+ autoGenerateKeys.enable = true;
+ pkiBundle = "/var/lib/sbctl";
 };
 };
 }
diff --git a/system/modules/services.nix b/system/modules/services.nix
index e23eae3..dffbe2c 100644
--- a/system/modules/services.nix
+++ b/system/modules/services.nix
@@ -27,7 +27,7 @@ in
 ports = [ 22 ];
 settings = {
 PasswordAuthentication = lib.mkDefault false;
- AllowUsers = lib.mkDefault [ username ];
+ AllowUsers = [ username ];
 UseDns = lib.mkDefault false;
 PermitRootLogin = lib.mkDefault "no";
 };
diff --git a/system/modules/shells/noctalia/default.nix b/system/modules/shells/noctalia/default.nix
index 31b0851..c5079a5 100644
--- a/system/modules/shells/noctalia/default.nix
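Review bot: `autoGenerateKeys.enable = true` in `secure-boot.nix` makes the host create its own Secure Boot signing keys under `pkiBundle` when none exist, so those files become the root of trust for every boot entry lanzaboote signs, yet the hunk says nothing about backing them up or about firmware enrollment, which as far as I know this option does not perform. A comment next to the option, e.g. `# keys are generated in place on first activation; back up /var/lib/sbctl and enroll them in the firmware by hand`, would keep that operational step from being forgotten on a reinstall.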
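Review bot: Dropping `lib.mkDefault` from `AllowUsers` in `services.nix` changes how other definitions of that option combine with this one: a per-host `AllowUsers = [ ... ]` previously replaced the preset's list, whereas now both definitions sit at the same priority and are merged into a single allow-list, while the neighbouring `PasswordAuthentication`, `UseDns` and `PermitRootLogin` keep their `mkDefault`. If the additive behaviour is the intent, say so inline: `AllowUsers = [ username ]; # plain definition on purpose: per-host lists merge with this entry instead of replacing it`.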
+++ b/system/modules/shells/noctalia/default.nix
@@ -65,6 +65,14 @@ in
 };
 calendar = {
 cards = [
+ {
+ enabled = true;
+ id = "banner-card";
+ }
+ {
+ enabled = true;
+ id = "calendar-card";
+ }
 {
 enabled = true;
 id = "timer-card";
@@ -73,14 +81,6 @@ in
 enabled = true;
 id = "weather-card";
 }
- {
- enabled = true;
- id = "calendar-header-card";
- }
- {
- enabled = true;
- id = "calendar-month-card";
- }
 ];
 };
 changelog = {
diff --git a/system/modules/systemd-resolv.nix b/system/modules/systemd-resolv.nix
new file mode 100644
index 0000000..28018c6
--- /dev/null
+++ b/system/modules/systemd-resolv.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ networking.nameservers = [
+ "1.1.1.1#one.one.one.one"
+ "1.0.0.1#one.one.one.one"
+ ];
+
+ services.resolved = {
+ enable = true;
+ llmnr = "false";
+ fallbackDns = [
+ "1.1.1.1#one.one.one.one"
+ "1.0.0.1#one.one.one.one"
+ ];
+ domains = [ "~." ];
+ };
+}
diff --git a/system/modules/vaultwarden.nix b/system/modules/vaultwarden.nix
index 49f931c..1894571 100644
--- a/system/modules/vaultwarden.nix
+++ b/system/modules/vaultwarden.nix
@@ -34,7 +34,7 @@
 enableACME = true;
 forceSSL = true;
 locations."/" = {
- proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
+ proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
 proxyWebsockets = true;
 };
 };
diff --git a/system/modules/wireguard.nix b/system/modules/wireguard.nix
index 75eb2a8..43425f3 100644
--- a/system/modules/wireguard.nix
+++ b/system/modules/wireguard.nix
@@ -22,8 +22,8 @@ let
 watchDog = pkgs.writeShellScriptBin "wg0-watchdog" ''
 TARGET_CONF="$1"
- PING_INTERVAL=1
- PING_TIMEOUT=1
+ PING_INTERVAL=10
+ PING_TIMEOUT=10
 PING_COUNT=1
 set -euo pipefail
@@ -37,7 +37,7 @@ let
 notify() {
 users=$(loginctl list-users --json=short | jq -r '.[].user')
 for user in $users; do
- systemctl --machine=danny@.host --user start wg0-notify-user
+ systemctl --machine="$user@.host" --user start wg0-notify-user
 done
 }
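Review bot: The `#one.one.one.one` suffix on every entry in `systemd-resolv.nix` is resolved's syntax for the DNS-over-TLS certificate name, but nothing in the file sets `services.resolved.dnsovertls`, so as far as I can tell resolved keeps speaking plain DNS to 1.1.1.1 and the suffix only becomes meaningful once DoT is switched on. Adding `dnsovertls = "true";` next to `llmnr = "false";` (or `"opportunistic"` if some networks block port 853) makes the configuration do what its names suggest; `dnssec` is likewise left at the resolved default, which deserves a one-line comment whichever way it is intended.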
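Review bot: In the `wireguard.nix` hunk at `-37,7`, `notify()` now iterates every user from `loginctl list-users` and runs `systemctl --machine="$user@.host" --user start wg0-notify-user` under the script's `set -euo pipefail`; a user without a running user manager or without that unit makes the command fail, and unless `notify` is invoked in a conditional position outside this hunk, errexit then terminates the whole watchdog rather than skipping that user. Appending `|| true` to the `systemctl` line keeps one user's failure from taking the loop down; the rest of the watchdog, including its main loop and the unit's `Restart=` setting, is outside this hunk.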
@@ -46,13 +46,11 @@ let
 }
 check_health() {
- ping -c "$PING_COUNT" -W "$PING_TIMEOUT" $1 >/dev/null 2>&1
- return $?
+ ping -c "$PING_COUNT" -W "$PING_TIMEOUT" "$1" >/dev/null 2>&1
 }
 is_wg_active() {
 systemctl is-active wg-quick-wg0.service >/dev/null 2>&1
- return $?
 }
 start_wg() {
@@ -105,15 +103,17 @@ in
 };
 systemd.services.wg0-watchdog = {
- wantedBy = [ "wg-quick-wg0.service" ];
- after = [ "wg-quick-wg0.service" ];
+ wantedBy = [ "multi-user.target" ];
 path = with pkgs; [
 jq
+ iputils
 ];
 serviceConfig = {
 ExecStart = "${getExe watchDog} \"${config.sops.secrets."wireguard/wg0.conf".path}\"";
 RestartSec = 5;
 TimeoutStopSec = 0;
+ CapabilityBoundingSet = "CAP_NET_RAW";
+ AmbientCapabilities = "CAP_NET_RAW";
 };
 };