Diffstat (limited to '')
113 files changed, 3646 insertions, 909 deletions
@@ -15,7 +15,9 @@ keys: - &arrakis age1mkqxkwse7hrnxtcgqe0wdzhhrxk55syx2wpcngemecz0d7hugsnqupw3de + - &caladan age1rpjhlmc9sf3kcagg2fq4850vcxnvhmrrfggs30jckffjxxr89smsukj0f3 - &darkstar age1z6g6etwcer433v97lwjrruetdh9fswkgjh9w702wzdc2ydvy5q8ssrfy9r + - &fangorn age15yqlem4d5h4mz808j72ccd8mrdu4p8hyal2k988jdcmtqrns23xq80896d - &ginaz age1900zc5caephklavvjxp0g4qqvyqlzg3sux69y9p092g3d3qck3kqz62reh - &kaitain age1fptscuj4qa39238xfvc7envgxr4cf29z3zaejp2v3q703tq45dasf8vadl - &nipsy age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va @@ -26,25 +28,34 @@ creation_rules: key_groups: - age: - *nipsy - - path_regex: ^home/nipsy/secrets/ginaz.yaml$ + - path_regex: ^home/nipsy/secrets/caladan.yaml$ key_groups: - age: - *nipsy - - path_regex: ^home/root/secrets/arrakis.yaml$ + - path_regex: ^home/nipsy/secrets/ginaz.yaml$ key_groups: - age: - - *arrakis - *nipsy - path_regex: ^hosts/secrets/arrakis.yaml$ key_groups: - age: - *arrakis - *nipsy + - path_regex: ^hosts/secrets/caladan.yaml$ + key_groups: + - age: + - *caladan + - *nipsy - path_regex: ^hosts/secrets/darkstar.yaml$ key_groups: - age: - *darkstar - *nipsy + - path_regex: ^hosts/secrets/fangorn.yaml$ + key_groups: + - age: + - *fangorn + - *nipsy - path_regex: ^hosts/secrets/ginaz.yaml$ key_groups: - age: @@ -58,5 +69,5 @@ creation_rules: - path_regex: ^hosts/secrets/richese.yaml$ key_groups: - age: - - *richese - *nipsy + - *richese 
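Review bot: Nothing in this file records that editing `creation_rules` does not re-key files that are already encrypted, which matters in the second hunk where the `^home/root/secrets/arrakis.yaml$` rule is dropped and new recipients are introduced. Creation rules are only consulted when a file is first encrypted, so an existing file keeps its old recipient list until `sops updatekeys <file>` is run on it, and a key removed from a rule can still decrypt earlier revisions in Git history until the values themselves are rotated. I would add a comment above `creation_rules:` along the lines of `# recipient changes: run 'sops updatekeys <file>'; rotate values when a key is removed`. Whether the root secrets file is deleted elsewhere in this commit is not visible from these hunks.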
@@ -87,3 +87,11 @@ which should walk you through the rest of the installation. As part of the installation, the Git repo you grabbed above to perform the installation was also copied to /etc/nixos on your new system. Keeping a NixOS system up to date means keeping your living system configuration up to date also. To make this task slightly easier if this is your first NixOS installation, you can run the script `/etc/nixos/scripts/pretty-rebuild` as root which will perform a standard nixos-rebuild command to upgrade the system along with some informational output after that command finishes on what may have changed. + +### Rescue + +You might need to boot into a rescue initrd environment. In order to successfully do that, you'll probably need to add the following to your kernel command line: + +``` +rescue systemd.setenv=SYSTEMD_SULOGIN_FORCE=1 +``` @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1735468753, - "narHash": "sha256-2dt1nOe9zf9pDkf5Kn7FUFyPRo581s0n90jxYXJ94l0=", + "lastModified": 1779226674, + "narHash": "sha256-wuOkjI6pRiN4sEn/EPBRnNW5cmcpvd7xtIM8y5LooAs=", "owner": "nix-community", "repo": "disko", - "rev": "84a5b93637cc16cbfcc61b6e1684d626df61eb21", + "rev": "65fb947964bd44fc0008faf77d1fcb7a9f40bb32", "type": "github" }, "original": { @@ -27,11 +27,11 @@ ] }, "locked": { - "lastModified": 1736066484, - "narHash": "sha256-uTstP36WaFrw+TEHb8nLF14hFPzQBOhmIxzioHCDaL8=", + "lastModified": 1779580960, + "narHash": "sha256-/EG2rRahtxdoKKzGPGqaymVB96kBBYhygatEAbsoqaM=", "owner": "nix-community", "repo": "home-manager", - "rev": "5ad12b6ea06b84e48f6b677957c74f32d47bdee0", + "rev": "6e92bf094d45bc33d754e2b0f75d9ca1827cc363", "type": "github" }, "original": { 
@@ -40,34 +40,13 @@ "type": "github" } }, - "home-manager-stable": { - "inputs": { - "nixpkgs": [ - "nixpkgs-stable" - ] - }, - "locked": { - "lastModified": 1726989464, - "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "home-manager", - "type": "github" - } - }, "nixos-hardware": { "locked": { - "lastModified": 1735388221, - "narHash": "sha256-e5IOgjQf0SZcFCEV/gMGrsI0gCJyqOKShBQU0iiM3Kg=", + "lastModified": 1779258371, + "narHash": "sha256-j1iZsLy6oFApqR1oiDmHhvkwxXqcNi0aoSJj643LuwU=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "7c674c6734f61157e321db595dbfcd8523e04e19", + "rev": "c97bc4d15bd3473dd095e8e8ba57330ab1943a77", "type": "github" }, "original": { @@ -78,15 +57,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1735834308, - "narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=", - "owner": "nixos", + "lastModified": 1779508470, + "narHash": "sha256-Ap9KJX+5xHIn3bPIpfNgT6MEXdAECECwo4/rmlQD74M=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "6df24922a1400241dae323af55f30e4318a6ca65", + "rev": "29916453413845e54a65b8a1cf996842300cd299", "type": "github" }, "original": { - "owner": "nixos", + "owner": "NixOS", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" 
@@ -94,31 +73,31 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1736066559, - "narHash": "sha256-H72cyGZp9JxzrhzSx/iT9rmLurM9J9G+m45l1RQQynk=", - "owner": "nixos", + "lastModified": 1779583481, + "narHash": "sha256-Z4IcqDCAH1pY8x1RVooPW5/9S4DLoZL4zsY7ruTj+Jc=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "8a36010652b4571ee6dc9125cec2eaebc30e9400", + "rev": "2b9a54ffbdfb5e7cf2d064ddf1224ac8c4d5b547", "type": "github" }, "original": { - "owner": "nixos", + "owner": "NixOS", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-stable": { "locked": { - "lastModified": 1735651292, - "narHash": "sha256-YLbzcBtYo1/FEzFsB3AnM16qFc6fWPMIoOuSoDwvg9g=", - "owner": "nixos", + "lastModified": 1779102034, + "narHash": "sha256-vZJZjLo513IeI8hjzHFc6TDezUd4uCE2Eq4SNO3DNNg=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "0da3c44a9460a26d2025ec3ed2ec60a895eb1114", + "rev": "687f05a9184cad4eaf905c48b63649e3a86f5433", "type": "github" }, "original": { - "owner": "nixos", - "ref": "release-24.05", + "owner": "NixOS", + "ref": "nixos-25.11", "repo": "nixpkgs", "type": "github" } @@ -131,11 +110,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1734937677, - "narHash": "sha256-5qKdUBN1cq/LHa6ASIjGcDEYKDnAiaKgNtZCRbBrWEs=", + "lastModified": 1778056557, + "narHash": "sha256-+7ise6iAK5+Vp55V8QfouwUxvthxPsG4FEL+KNJKwII=", "owner": "icewind1991", "repo": "nvidia-patch-nixos", - "rev": "ec2e76e3cd53208c6bcbbddcc043516a24ca71b2", + "rev": "c3a6df1587d783cdfa1a485182f3b3d4f09cbcc4", "type": "github" }, "original": { @@ -148,7 +127,6 @@ "inputs": { "disko": "disko", "home-manager": "home-manager", - "home-manager-stable": "home-manager-stable", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "nixpkgs-master": "nixpkgs-master", 
@@ -164,11 +142,11 @@ ] }, "locked": { - "lastModified": 1736064798, - "narHash": "sha256-xJRN0FmX9QJ6+w8eIIIxzBU1AyQcLKJ1M/Gp6lnSD20=", + "lastModified": 1777944972, + "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5dc08f9cc77f03b43aacffdfbc8316807773c930", + "rev": "c591bf665727040c6cc5cb409079acb22dcce33c", "type": "github" }, "original": { @@ -12,10 +12,10 @@ # url = "github:ghostty-org/ghostty"; #}; - home-manager-stable = { - url = "github:nix-community/home-manager/release-24.05"; - inputs.nixpkgs.follows = "nixpkgs-stable"; - }; + #home-manager-stable = { + # url = "github:nix-community/home-manager/release-26.05"; + # inputs.nixpkgs.follows = "nixpkgs-stable"; + #}; home-manager = { url = "github:nix-community/home-manager"; @@ -24,12 +24,17 @@ nixos-hardware.url = "github:nixos/nixos-hardware"; + # persistent base NixOS URLs + nixpkgs-master.url = "github:NixOS/nixpkgs"; + nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-26.05"; + #nixpkgs-staging.url = "github:NixOS/nixpkgs/staging-nixos"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + # per https://nixos-and-flakes.thiscute.world/nixos-with-flakes/downgrade-or-upgrade-packages + #my-nixpkgs.url = "github:nipsy/nixpkgs/update_reaper_7.61"; #nixpkgs-67e692392.url = "github:nixos/nixpkgs/67e69239226f37168d1adb8d29bd61150756a03e"; - nixpkgs-master.url = "github:nixos/nixpkgs"; - #nixpkgs-pr369712.url = "github:7c6f434c/nixpkgs/fix-tftp-hpa"; - nixpkgs-stable.url = "github:nixos/nixpkgs/release-24.05"; - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + #nixpkgs-pr495610.url = "github:thiagokokada/nixpkgs/nixos-rebuild-ng-add-env-to-copy-closure"; + #nixpkgs-wine9_22.url = "github:nixos/nixpkgs/dea5930f0ed8c29d3758d5ade9898b4e99d80b74"; nvidia-patch = { url = "github:icewind1991/nvidia-patch-nixos"; 
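Review bot: `nixpkgs-stable.url` in the last hunk points at `nixos-26.05`, while the lock entry for `nixpkgs-stable` updated in this same commit records `"ref": "nixos-25.11"` under `original`, so the lock file does not describe the input declared here. Nix will presumably re-lock that input on the next evaluation, which means the `rev` and `narHash` pinned and reviewed in this commit are not the ones that end up being built. Either re-lock the input and commit the resulting lock file, or set the URL to `github:NixOS/nixpkgs/nixos-25.11` so both files agree; the commented-out `home-manager-stable` URL (`release-26.05`) would need the same treatment if it is re-enabled.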
@@ -45,12 +50,15 @@ outputs = { disko, - home-manager-stable, + #home-manager-stable, home-manager, + #my-nixpkgs, nixos-hardware, nixpkgs-master, - #nixpkgs-pr369712, + #nixpkgs-pr495610, nixpkgs-stable, + #nixpkgs-staging, + #nixpkgs-wine9_22, nixpkgs, nvidia-patch, self, @@ -78,21 +86,42 @@ # ghostty.packages.x86_64-linux.default # ]; #} + disko.nixosModules.disko + ./hosts/arrakis + home-manager.nixosModules.home-manager { + home-manager.sharedModules = [ sops-nix.homeManagerModules.sops ]; + home-manager.users.root = import ./home/root/arrakis.nix; + home-manager.users.nipsy = import ./home/nipsy/arrakis.nix; + } + sops-nix.nixosModules.sops + ]; + }; + + caladan = nixpkgs.lib.nixosSystem { + specialArgs = { inherit inputs outputs; }; + modules = [ #({ config, pkgs, ... }: # let - # overlay-dict-pr367392 = final: prev: { - # dict = nixpkgs-pr367392.legacyPackages."x86_64-linux".dict; + # overlay-nixos-rebuild-ng-pr495610 = final: prev: { + # nixos-rebuild-ng = nixpkgs-pr495610.legacyPackages."x86_64-linux".nixos-rebuild-ng; # }; # in { - # nixpkgs.overlays = [ overlay-dict-pr367392 ]; - # } - #) + # nixpkgs.overlays = [ overlay-nixos-rebuild-ng-pr495610 ]; + #}) + #({ config, pkgs, ... }: + # let + # overlay-my-nixpkgs = final: prev: { + # reaper = my-nixpkgs.legacyPackages."x86_64-linux".reaper; + # }; + # in { + # nixpkgs.overlays = [ overlay-my-nixpkgs ]; + #}) disko.nixosModules.disko - ./hosts/arrakis + ./hosts/caladan home-manager.nixosModules.home-manager { home-manager.sharedModules = [ sops-nix.homeManagerModules.sops ]; - home-manager.users.root = import ./home/root/arrakis.nix; - home-manager.users.nipsy = import ./home/nipsy/arrakis.nix; + home-manager.users.root = import ./home/root/caladan.nix; + home-manager.users.nipsy = import ./home/nipsy/caladan.nix; } sops-nix.nixosModules.sops ]; 
@@ -112,6 +141,21 @@ ]; }; + fangorn = nixpkgs.lib.nixosSystem rec { + specialArgs = { inherit inputs outputs; }; + modules = [ + disko.nixosModules.disko + ./hosts/fangorn + home-manager.nixosModules.home-manager { + home-manager.sharedModules = [ sops-nix.homeManagerModules.sops ]; + home-manager.users.root = import ./home/root/fangorn.nix; + home-manager.users.don = import ./home/don/fangorn.nix; + home-manager.users.nipsy = import ./home/nipsy/fangorn.nix; + } + sops-nix.nixosModules.sops + ]; + }; + ginaz = nixpkgs.lib.nixosSystem rec { specialArgs = { inherit inputs outputs; }; modules = [ 
@@ -130,17 +174,129 @@ # from https://nixos.wiki/wiki/Creating_a_NixOS_live_CD and https://chengeric.com/homelab/ iso = nixpkgs.lib.nixosSystem { modules = [ - "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix" - ({ + ({ modulesPath, pkgs, ... }: { + environment.systemPackages = [ + pkgs.acl + pkgs.bash + pkgs.bc + pkgs.bzip2 + pkgs.conntrack-tools + pkgs.coreutils + pkgs.cpio + pkgs.csvkit + pkgs.curl + pkgs.debootstrap + pkgs.diffutils + pkgs.dig + pkgs.dmidecode + pkgs.elinks + pkgs.encfs + pkgs.ethtool + pkgs.exfatprogs + pkgs.expect + pkgs.file + pkgs.findutils + pkgs.fio + pkgs.fping + pkgs.git + pkgs.gnugrep + pkgs.gnupatch + pkgs.gnused + pkgs.gnutar + pkgs.gptfdisk + pkgs.gzip + pkgs.htop + pkgs.iotop + pkgs.ipcalc + pkgs.iperf + pkgs.iproute2 + pkgs.iputils + pkgs.jq + pkgs.less + pkgs.lshw + pkgs.lsof + pkgs.lvm2 + pkgs.moreutils + pkgs.nano + pkgs.netcat-openbsd + pkgs.nettools + pkgs.nmap + pkgs.ntfs3g + pkgs.openldap + pkgs.openssl + pkgs.p7zip + pkgs.parted + pkgs.pciutils + pkgs.perf + pkgs.perl5Packages.ArchiveZip + pkgs.procps + pkgs.progress + pkgs.psmisc + pkgs.pv + pkgs.pwgen + pkgs.recode + pkgs.rsync + pkgs.sg3_utils + pkgs.smartmontools + pkgs.socat + pkgs.speedtest-cli + pkgs.sqlite + pkgs.sshfs + pkgs.strace + pkgs.sysstat + pkgs.tcpdump + pkgs.tmux + pkgs.tftp-hpa + pkgs.tlp + pkgs.traceroute + pkgs.tree + pkgs.tshark + pkgs.unixtools.xxd + pkgs.unrar + pkgs.unzip + pkgs.usbutils + pkgs.util-linux + pkgs.vim + pkgs.w3m + pkgs.wdiff + pkgs.wget + pkgs.whois + pkgs.wireguard-tools + pkgs.xz + pkgs.zip + ]; + + imports = [ (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") ]; + #isoImage.squashfsCompression = "gzip -Xcompression-level 1"; + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + + nixpkgs.config.allowUnfree = true; + + services = { + fwupd.enable = true; + + openssh = { + enable = true; + openFirewall = true; + + settings = { + PasswordAuthentication = false; + 
KbdInteractiveAuthentication = false; + }; + }; + + udisks2.enable = true; + }; + users.users = { nixos.openssh.authorizedKeys.keys = [ (builtins.readFile ./hosts/common/users/nipsy/keys/id_arrakis.pub) ]; root.openssh.authorizedKeys.keys = [ (builtins.readFile ./hosts/common/users/nipsy/keys/id_arrakis.pub) ]; }; }) + { nixpkgs.hostPlatform = "x86_64-linux"; } ]; - system = "x86_64-linux"; }; kaitain = nixpkgs.lib.nixosSystem rec { @@ -196,8 +352,8 @@ root.openssh.authorizedKeys.keys = [ (builtins.readFile ./hosts/common/users/nipsy/keys/id_arrakis.pub) ]; }; }) + { nixpkgs.hostPlatform = "x86_64-linux"; } ]; - system = "x86_64-linux"; }; richese = nixpkgs.lib.nixosSystem rec { diff --git a/home/common/scripts/knock b/home/common/scripts/knock new file mode 100755 index 0000000..fdff4ca --- /dev/null +++ b/home/common/scripts/knock @@ -0,0 +1,50 @@ +#!/usr/bin/env zsh + +# load module to parse command line arguments +zmodload zsh/zutil +zparseopts -D -E -A opts -- h x + +# load module to avoid use of GNU sleep +zmodload zsh/zselect + +# enable XTRACE shell option for full debugging output of scripts +if (( ${+opts[-x]} )); then + set -x +fi + +if [[ -z "${2}" ]] || (( ${+opts[-h]} )); then + echo "usage: ${0:t} [ -h ] [ -x ] host port [ knock_port ] .." >&2 + echo -e '\n\t-h\tshow this help\n\t-x\tenable shell debugging' >&2 + echo -e '\thost\tdestination host name' >&2 + echo -e '\tport\tdestination service port\n' >&2 + echo -e 'Specifying no knock_port(s) will use 12345 23456 34567 45678 by default.\n' >&2 + exit 1 +fi + +host="${1}" +port="${2}" +shift 2 +knock_ports="${@:-12345 23456 34567 45678}" +attempts=1 + +function check_service_port { + if nc -w1 ${host} ${port} &> /dev/null <& -; then + exit 0 + fi +} + +#check_service_port + +while [[ ${attempts} -lt 9 ]]; do + + for knock_port in ${=knock_ports}; do + nc -w1 ${host} ${knock_port} &> /dev/null <& - & + zselect -t ${attempts}0 + done + + check_service_port + ((attempts+=1)) + +done + +exit 1 
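Review bot: The `services.openssh.settings` block added for the `iso` image disables `PasswordAuthentication` and `KbdInteractiveAuthentication` but leaves `PermitRootLogin` to whatever the imported installer profile defaults to, while `root.openssh.authorizedKeys.keys` is populated and `openFirewall = true` opens the daemon on the image's firewall. Stating it in the same block, `PermitRootLogin = "prohibit-password";`, keeps root access key-only regardless of the upstream default. The second image whose tail appears in the `@@ -196,8 +352,8 @@` hunk should get the same line if it carries the same block, which is not visible here.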
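Review bot: The default sequence `12345 23456 34567 45678` is hard-coded in `knock_ports` and repeated in the usage text, so if any host's knock daemon is configured with it, the sequence is published together with the repository. A knock sequence is also visible to anyone who can observe the traffic, so the service behind it still has to enforce key-based authentication on its own; the knock only reduces noise. I would drop the default and require the ports explicitly, `knock_ports=("${@}")` with a usage error when the array is empty, or read them from a sops-managed file. Holding them in an array also removes the need for the `${=knock_ports}` re-splitting in the loop.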
diff --git a/home/don/common/core/bash.nix b/home/don/common/core/bash.nix
new file mode 100644
index 0000000..7bfb808
--- /dev/null
+++ b/home/don/common/core/bash.nix
@@ -0,0 +1,16 @@
+{
+ programs.bash = {
+ enable = true;
+ enableCompletion = true;
+ shellAliases = {
+ grep = "grep --color=auto";
+ ip = "ip -c=auto";
+ la = "ls -aF --color=auto";
+ ll = "ls -alF --color=auto";
+ lock = "xscreensaver-command -lock";
+ nix-list-derivations = "nix-store --query --requisites /run/current-system | cut -d- -f2- | sort | uniq";
+ nix-list-generations = "nixos-rebuild list-generations";
+ zgrep = "zgrep --color=auto";
+ };
+ };
+}
diff --git a/home/don/common/core/default.nix b/home/don/common/core/default.nix
new file mode 100644
index 0000000..8250d0c
--- /dev/null
+++ b/home/don/common/core/default.nix
@@ -0,0 +1,29 @@
+{ config, lib, pkgs, outputs, ... }:
+{
+ imports = [
+ ./bash.nix
+ ./vim
+ ];
+
+ home = {
+ username = lib.mkDefault "don";
+ homeDirectory = lib.mkDefault "/home/${config.home.username}";
+ stateVersion = lib.mkDefault "23.11";
+ };
+
+ #home.packages = builtins.attrValues {
+ # inherit (pkgs)
+ # wget
+ # zip;
+ #};
+
+ nix = {
+ package = lib.mkDefault pkgs.nix;
+ settings = {
+ experimental-features = [ "nix-command" "flakes" ];
+ warn-dirty = false;
+ };
+ };
+
+ programs.home-manager.enable = true;
+}
diff --git a/home/don/common/core/vim/default.nix b/home/don/common/core/vim/default.nix
new file mode 100644
index 0000000..ea4ed5e
--- /dev/null
+++ b/home/don/common/core/vim/default.nix
@@ -0,0 +1,6 @@
+{
+ programs.vim = {
+ enable = true;
+ extraConfig = (builtins.readFile ./vimrc);
+ };
+}
diff --git a/home/don/common/core/vim/vimrc b/home/don/common/core/vim/vimrc
new file mode 100644
index 0000000..87de2a0
--- /dev/null
+++ b/home/don/common/core/vim/vimrc
@@ -0,0 +1,47 @@
+" Handling of big files - William Natter, Tony Mechelynck and others
+" fairly certain that BufSizeThreshold is in bytes
+let g:SaveUndoLevels = &undolevels
+let g:BufSizeThreshold = 5242880
+if has("autocmd")
+ au VimEnter * let g:SaveUndoLevels = &undolevels
+ au BufReadPre * if getfsize(expand("%")) >= g:BufSizeThreshold | setlocal noswapfile | endif
+ au BufEnter * if getfsize(expand("%")) < g:BufSizeThreshold | let &undolevels=g:SaveUndoLevels | else | setlocal undolevels=-1 | endif
+ au BufEnter * if getfsize(expand("%")) < g:BufSizeThreshold | syntax on | else | syntax off | endif
+endif
+
+set mouse&
+set noautoindent " always set autoindenting off
+
+" enable better 24-bit color support
+"let &t_8f = "\<Esc>[38;2;%lu;%lu;%lum"
+"let &t_8b = "\<Esc>[48;2;%lu;%lu;%lum"
+set termguicolors
+
+" If using a dark background within the editing area and syntax highlighting
+" turn on this option as well
+set background=dark
+
+if has("autocmd")
+ " Enabled file type detection
+ " Use the default filetype settings. If you also want to load indent files
+ " to automatically do language-dependent indenting add 'indent' as well.
+ filetype plugin on
+ "filetype indent on
+endif " has ("autocmd")
+
+" The following are commented out as they cause vim to behave a lot
+" different from regular vi. They are highly recommended though.
+set showcmd " Show (partial) command in status line.
+set showmatch " Show matching brackets.
+set ignorecase " Do case insensitive matching
+set incsearch " Incremental search
+"set expandtab " replace tabs with spaces
+set smarttab " use shiftwidth instead of tabstop at start of line
+set spell spelllang=en_us " turn on the spell check
+set hlsearch " highlight all search matches
+
+set laststatus=2
+set statusline=%<%f%h%m%r%=%{&ff}\ %Y\ %b\ 0x%B\ \ %l,%c%V\ %P
+
+"map <F5> :w<CR><bar>:!clear;go run %<CR>
+"map <F6> :w<CR><bar>:%! gofmt<CR>
diff --git a/home/don/fangorn.nix b/home/don/fangorn.nix new file mode 100644 index 0000000..83c92cd --- /dev/null +++ b/home/don/fangorn.nix @@ -0,0 +1,6 @@ +{ inputs, lib, pkgs, config, outputs, ... }: +{ + imports = [ + common/core + ]; +} diff --git a/home/nipsy/arrakis.nix b/home/nipsy/arrakis.nix index 9f38e29..2776524 100644 --- a/home/nipsy/arrakis.nix +++ b/home/nipsy/arrakis.nix @@ -2,8 +2,9 @@ { imports = [ common/core - common/optional/desktops - common/optional/desktops/services/xscreensaver.nix + #common/optional/desktops + #common/optional/desktops/services/xscreensaver.nix + common/optional/secrets.nix #inputs.sops-nix.homeManagerModules.sops ]; 
@@ -19,16 +20,17 @@ text/html; elinks -dump %s; copiousoutput #text/richtext; catdoc '%s'; copiousoutput; description=Microsoft Rich Text Format ''; - ".mutt/aliases".text = (builtins.readFile arrakis/mutt/aliases); - ".mutt/colors".text = (builtins.readFile arrakis/mutt/colors); - ".mutt/headers".text = (builtins.readFile arrakis/mutt/headers); - ".mutt/keys".text = (builtins.readFile arrakis/mutt/keys); - ".mutt/muttrc".text = (builtins.readFile arrakis/mutt/muttrc); + ".mutt/aliases".source = ./arrakis/mutt/aliases; + ".mutt/colors".source = ./arrakis/mutt/colors; + ".mutt/headers".source = ./arrakis/mutt/headers; + ".mutt/keys".source = ./arrakis/mutt/keys; + ".mutt/muttrc".source = ./arrakis/mutt/muttrc; + "bin/knock".source = ../common/scripts/knock; }; programs.zsh = { shellAliases = { - manage = "tmux new-window ssh root@darkstar\\; split-window -d ssh root@king\\; new-window ssh root@black-sheep\\; split-window -d ssh root@treebeard\\; new-window ssh root@casey\\; split-window -d ssh root@homer\\; new-window ssh root@lilnasx\\; split-window -d ssh root@trent"; + manage = "tmux new-window ssh root@darkstar\\; split-window -d ssh root@king\\; new-window ssh root@black-sheep\\; split-window -d ssh root@fangorn\\; split-window -d ssh root@treebeard\\; new-window ssh root@casey\\; split-window -d ssh root@homer\\; new-window ssh root@lilnasx\\; split-window -d ssh root@trent"; }; }; @@ -46,12 +48,12 @@ }; }; - xsession = { - initExtra = '' - xrandr --output DP-2 --primary --mode 2560x1440 --rate 165 + #xsession = { + # initExtra = '' + # xrandr --output DisplayPort-0 --primary --mode 2560x1440 --rate 165 - # disable VRR because it causes the display to go to sleep on my GeForce 1080 (now 3070 Ti) sometimes; maybe monitor related? - #nvidia-settings -a AllowVRR=0 - ''; - }; + # # disable VRR because it causes the display to go to sleep on my GeForce 1080 (now 3070 Ti) sometimes; maybe monitor related? + # #nvidia-settings -a AllowVRR=0 + # ''; + #}; } 
diff --git a/home/nipsy/arrakis/mutt/muttrc b/home/nipsy/arrakis/mutt/muttrc index f77c5bf..eec5b99 100644 --- a/home/nipsy/arrakis/mutt/muttrc +++ b/home/nipsy/arrakis/mutt/muttrc @@ -53,7 +53,7 @@ set confirmcreate=no # prompt when creating new files set copy=yes # always save a copy of outgoing messages set delete=yes # purge deleted messages without asking set edit_headers # let me edit the message header when composing -set editor="vim -c 'set textwidth=65'" # editor to use when composing messages +set editor="vim -c 'set textwidth=65' -c 'set noautoindent'" # editor to use when composing messages #set editor="/usr/bin/nvi" # editor to use when composing messages #set editor="/usr/bin/vi" # editor to use when composing messages set fast_reply # skip initial prompts when replying diff --git a/home/nipsy/caladan.nix b/home/nipsy/caladan.nix new file mode 100644 index 0000000..591fdb4 --- /dev/null +++ b/home/nipsy/caladan.nix 
@@ -0,0 +1,62 @@ +{ inputs, lib, pkgs, config, outputs, ... }: +{ + imports = [ + common/core + common/optional/desktops + common/optional/desktops/i3 + common/optional/desktops/services/xscreensaver.nix + #common/optional/desktops/sway + common/optional/desktops/xdg.nix + common/optional/secrets.nix + #inputs.sops-nix.homeManagerModules.sops + ]; + + home.file = { + ".mailcap".text = '' + #application/msword; antiword -rs '%s'; copiousoutput; description=Microsoft Word Document + application/pdf; pdftotext '%s' -; copiousoutput; description=Adobe Portable Document Format + #image/gif; asciiview -driver curses -dim -bold -reverse -normal -boldfont -extended -eight '%s'; description=GIF image + image/gif; sxiv '%s'; description=GIF image + #image/jpeg; asciiview -driver curses -dim -bold -reverse -normal -boldfont -extended -eight '%s'; description=JPEG image + image/jpeg; sxiv '%s'; description=JPEG image + image/png; sxiv '%s'; description=PNG image + text/html; elinks -dump %s; copiousoutput + #text/richtext; catdoc '%s'; copiousoutput; description=Microsoft Rich Text Format + ''; + ".mutt/aliases".source = ./arrakis/mutt/aliases; + ".mutt/colors".source = ./arrakis/mutt/colors; + ".mutt/headers".source = ./arrakis/mutt/headers; + ".mutt/keys".source = ./arrakis/mutt/keys; + ".mutt/muttrc".source = ./arrakis/mutt/muttrc; + "bin/knock".source = ../common/scripts/knock; + }; + + programs.zsh = { + shellAliases = { + manage = "tmux new-window ssh -A root@arrakis\\; split-window -d ssh -A root@darkstar\\; split-window -d ssh root@king\\; new-window ssh root@black-sheep\\; split-window -d ssh root@fangorn\\; split-window -d ssh root@treebeard\\; new-window ssh root@casey\\; split-window -d ssh root@homer\\; new-window ssh root@lilnasx\\; split-window -d ssh root@trent"; + }; + }; + + sops = { + age.keyFile = "/home/nipsy/.config/sops/age/keys.txt"; + defaultSopsFile = ./secrets/caladan.yaml; + + secrets = { + "reaper_license" = { + path = 
"/home/nipsy/.config/REAPER/reaper-license.rk"; + }; + "ssh_config" = { + path = "/home/nipsy/.ssh/config"; + }; + }; + }; + + xsession = { + initExtra = '' + xrandr --output DisplayPort-0 --primary --mode 2560x1440 --rate 170 + + # disable VRR because it causes the display to go to sleep on my GeForce 1080 (now 3070 Ti) sometimes; maybe monitor related? + #nvidia-settings -a AllowVRR=0 + ''; + }; +} diff --git a/home/nipsy/common/core/default.nix b/home/nipsy/common/core/default.nix index a78dbe8..23d7ce8 100644 --- a/home/nipsy/common/core/default.nix +++ b/home/nipsy/common/core/default.nix @@ -3,7 +3,6 @@ imports = [ ./bash.nix ./git.nix - #./ssh.nix ./tmux ./vim ./zsh diff --git a/home/nipsy/common/core/git.nix b/home/nipsy/common/core/git.nix index d8bc6cf..225ca73 100644 --- a/home/nipsy/common/core/git.nix +++ b/home/nipsy/common/core/git.nix @@ -1,8 +1,13 @@ { programs.git = { enable = true; - userEmail = "nipsy@bitgnome.net"; - userName = "Mark Nipper"; - extraConfig.pull.rebase = true; + settings = { + pull.rebase = true; + user = { + email = "nipsy@bitgnome.net"; + name = "Mark Nipper"; + }; + }; + signing.format = null; }; } diff --git a/home/nipsy/common/core/ssh.nix b/home/nipsy/common/core/ssh.nix deleted file mode 100644 index 929cc51..0000000 --- a/home/nipsy/common/core/ssh.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ - programs.ssh = { - enable = true; - }; -} diff --git a/home/nipsy/common/core/vim/vimrc b/home/nipsy/common/core/vim/vimrc index 9f652cd..87de2a0 100644 --- a/home/nipsy/common/core/vim/vimrc +++ b/home/nipsy/common/core/vim/vimrc @@ -43,5 +43,5 @@ set hlsearch " highlight all search matches set laststatus=2 set statusline=%<%f%h%m%r%=%{&ff}\ %Y\ %b\ 0x%B\ \ %l,%c%V\ %P -map <F5> :w<CR><bar>:!clear;go run %<CR> -map <F6> :w<CR><bar>:%! gofmt<CR> +"map <F5> :w<CR><bar>:!clear;go run %<CR> +"map <F6> :w<CR><bar>:%! gofmt<CR> 
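Review bot: The `manage` alias in this new file opens `ssh -A root@arrakis` and `ssh -A root@darkstar`, which forwards the local agent into root sessions on those hosts; for as long as a session is open, anyone holding root there can use the forwarded socket to authenticate as this user elsewhere. If forwarding is only there to hop onward, `ssh -J` (ProxyJump) reaches the next host without exposing the agent. If it really is needed, I would scope it with per-host `ForwardAgent` entries in the sops-managed `ssh_config` declared further down in this file rather than a blanket flag inside an alias.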
diff --git a/home/nipsy/common/core/zsh/default.nix b/home/nipsy/common/core/zsh/default.nix index a3b0f9e..c155f65 100644 --- a/home/nipsy/common/core/zsh/default.nix +++ b/home/nipsy/common/core/zsh/default.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ lib, pkgs, ... }: { programs.zsh = { enable = true; @@ -8,7 +8,7 @@ size = 100000; }; - initExtra = (builtins.readFile ./zshrc); + initContent = (builtins.readFile ./zshrc); sessionVariables = let makePluginPath = format: (lib.strings.makeSearchPath format [ @@ -42,7 +42,9 @@ }; shellAliases = { + FIXCAPS = "xdotool key Caps_Lock"; fixkeyboard = "setxkbmap -layout us -option caps:super -option compose:ralt"; + ftp = "${pkgs.inetutils}/bin/ftp"; geniso = "nix build ~/git/nix/nipsy#nixosConfigurations.iso.config.system.build.isoImage && ll result/iso/*iso"; grep = "grep --color=auto"; ip = "ip -c=auto"; @@ -52,6 +54,7 @@ nix-list-derivations = "nix-store --query --requisites /run/current-system | cut -d- -f2- | sort | uniq"; nix-list-generations = "nixos-rebuild list-generations"; steam-no-beta = "steam -clearbeta"; + telnet = "${pkgs.inetutils}/bin/telnet"; zgrep = "zgrep --color=auto"; }; }; diff --git a/home/nipsy/common/core/zsh/zshrc b/home/nipsy/common/core/zsh/zshrc index 543450d..08d4025 100644 --- a/home/nipsy/common/core/zsh/zshrc +++ b/home/nipsy/common/core/zsh/zshrc @@ -1,5 +1,12 @@ umask 022 +# remote gpg-agent handling +if [[ ${HOST} == "arrakis.bitgnome.net" ]]; then + if [[ ! -d /run/user/1000/gnupg ]]; then + gpgconf --create-socketdir + fi +fi + eval $(dircolors) # set SWAYSOCK correctly @@ -13,6 +20,7 @@ if [[ -z "${DISPLAY}" ]] && [[ $(tty) == "/dev/tty1" ]]; then export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) # set some Wayland specific variables + export ELECTRON_OZONE_PLATFORM_HINT=auto export MOZ_ENABLE_WAYLAND=1 export GDK_BACKEND=wayland export QT_QPA_PLATFORM=wayland 
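Review bot: The gpg-agent block added at the top of zshrc tests the literal path `/run/user/1000/gnupg`, which only matches when the account's UID is 1000; under any other UID the test is always true and `gpgconf --create-socketdir` runs on every shell start. `[[ ! -d ${XDG_RUNTIME_DIR:-/run/user/${UID}}/gnupg ]]`, or a test against `$(gpgconf --list-dirs socketdir)`, keeps the check tied to the user actually running the shell.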
@@ -23,11 +31,6 @@ if [[ -z "${DISPLAY}" ]] && [[ $(tty) == "/dev/tty1" ]]; then fi -# if already in Wayland, update the GPG TTY so ssh-askpass will work correctly -if [[ -n "${WAYLAND_DISPLAY}" ]]; then - gpg-connect-agent updatestartuptty /bye >/dev/null -fi - # completion options setopt LIST_PACKED MENU_COMPLETE # expansion and globbing options diff --git a/home/nipsy/common/optional/desktops/default.nix b/home/nipsy/common/optional/desktops/default.nix index 26e369a..0f6a0e8 100644 --- a/home/nipsy/common/optional/desktops/default.nix +++ b/home/nipsy/common/optional/desktops/default.nix @@ -1,28 +1,12 @@ -{ config, pkgs, ... }: { + home.file = { + "bin/rotatebg".source = ./rotatebg; + }; + imports = [ ./fonts.nix + ./ghostty.nix ./gtk.nix - ./i3 ./services/dunst.nix ]; - - programs.password-store = { - enable = true; - package = pkgs.pass.withExtensions (exts: with exts; [ - pass-otp - ]); - settings = { - PASSWORD_STORE_DIR = "${config.home.homeDirectory}/.password-store"; - }; - }; - - services.gpg-agent = { - defaultCacheTtl = 43200; - defaultCacheTtlSsh = 43200; - enable = true; - enableSshSupport = true; - maxCacheTtl = 86400; - maxCacheTtlSsh = 86400; - }; } diff --git a/home/nipsy/common/optional/desktops/fonts.nix b/home/nipsy/common/optional/desktops/fonts.nix index f2b862d..6935029 100644 --- a/home/nipsy/common/optional/desktops/fonts.nix +++ b/home/nipsy/common/optional/desktops/fonts.nix @@ -1,7 +1,8 @@ -{ pkgs, ... }: +{ lib, pkgs, ... }: { fonts.fontconfig.enable = true; home.packages = [ + #(builtins.filter lib.attrsets.isDerivation (builtins.attrValues pkgs.nerd-fonts)) pkgs.nerd-fonts._0xproto pkgs.nerd-fonts._3270 pkgs.nerd-fonts.agave @@ -51,7 +52,7 @@ pkgs.nerd-fonts.monofur pkgs.nerd-fonts.monoid pkgs.nerd-fonts.mononoki - pkgs.nerd-fonts.mplus + #pkgs.nerd-fonts.mplus pkgs.nerd-fonts.noto pkgs.nerd-fonts.open-dyslexic pkgs.nerd-fonts.overpass 
diff --git a/home/nipsy/common/optional/desktops/ghostty.nix b/home/nipsy/common/optional/desktops/ghostty.nix
new file mode 100644
index 0000000..6f4b409
--- /dev/null
+++ b/home/nipsy/common/optional/desktops/ghostty.nix
@@ -0,0 +1,52 @@
+{
+ home = {
+ file = {
+ ".config/ghostty/config".text = ''
+ #async-backend = epoll
+ background-opacity = 0.8
+ cursor-color = #ffffff
+ font-family = "DejaVu Sans Mono"
+ font-size = 9
+ gtk-titlebar = false
+ keybind = alt+one=unbind
+ keybind = alt+two=unbind
+ keybind = alt+three=unbind
+ keybind = alt+four=unbind
+ keybind = alt+five=unbind
+ keybind = alt+six=unbind
+ keybind = alt+seven=unbind
+ keybind = alt+eight=unbind
+ keybind = alt+nine=unbind
+ keybind = ctrl+shift+page_down=decrease_font_size:1
+ keybind = ctrl+shift+page_up=increase_font_size:1
+ theme = mydark
+ window-padding-x = 0
+ window-padding-y = 0
+ '';
+
+ ".config/ghostty/themes/mydark".text = ''
+ palette = 0=#000000
+ palette = 1=#cd0000
+ palette = 2=#00cd00
+ palette = 3=#cdcd00
+ palette = 4=#0000ee
+ palette = 5=#cd00cd
+ palette = 6=#00cdcd
+ palette = 7=#e5e5e5
+ palette = 8=#7f7f7f
+ palette = 9=#ff0000
+ palette = 10=#00ff00
+ palette = 11=#ffff00
+ palette = 12=#5c5cff
+ palette = 13=#ff00ff
+ palette = 14=#00ffff
+ palette = 15=#ffffff
+ background = #000000
+ background-opacity = 0.5
+ bold-is-bright = true
+ foreground = #e5e5e5
+ cursor-color = #ffffff
+ '';
+ };
+ };
+}
diff --git a/home/nipsy/common/optional/desktops/gtk.nix b/home/nipsy/common/optional/desktops/gtk.nix
index bac2060..c31bae6 100644
--- a/home/nipsy/common/optional/desktops/gtk.nix
+++ b/home/nipsy/common/optional/desktops/gtk.nix
@@ -1,11 +1,34 @@ +{ pkgs, ... }: { - home.sessionVariables = { - GTK_THEME = "Adwaita:dark"; + dconf.settings."org/gnome/desktop/interface" = { + color-scheme = "prefer-dark"; + #gtk-theme = "Adwaita"; }; + # https://github.com/NixOS/nixpkgs/issues/274554#issuecomment-1932302164 gtk = { + colorScheme = "dark"; enable = true; - gtk3.extraConfig.gtk-application-prefer-dark-theme = true; - gtk4.extraConfig.gtk-application-prefer-dark-theme = true; + + gtk3 = { + colorScheme = "dark"; + extraConfig.gtk-application-prefer-dark-theme = 1; + }; + + gtk4 = { + colorScheme = "dark"; + extraConfig.gtk-application-prefer-dark-theme = 1; + theme = null; # https://github.com/nix-community/home-manager/issues/7113#issuecomment-3556166692 + }; + + #iconTheme = { + # name = "Adwaita"; + # package = pkgs.adwaita-icon-theme; + #}; + + #theme = { + # name = "Adwaita"; + # package = pkgs.gnome-themes-extra; + #}; }; } diff --git a/home/nipsy/common/optional/desktops/i3/default.nix b/home/nipsy/common/optional/desktops/i3/default.nix index c7a521d..56803f3 100644 --- a/home/nipsy/common/optional/desktops/i3/default.nix +++ b/home/nipsy/common/optional/desktops/i3/default.nix 
@@ -2,40 +2,7 @@ { home = { file = { - ".config/ghostty/config".text = '' - background-opacity = 0.5 - cursor-color = #ffffff - font-family = "DejaVu Sans Mono" - font-size = 9 - gtk-titlebar = false - theme = mydark - window-padding-x = 0 - window-padding-y = 0 - ''; - - ".config/ghostty/themes/mydark".text = '' - palette = 0=#000000 - palette = 1=#cd0000 - palette = 2=#00cd00 - palette = 3=#cdcd00 - palette = 4=#0000ee - palette = 5=#cd00cd - palette = 6=#00cdcd - palette = 7=#e5e5e5 - palette = 8=#7f7f7f - palette = 9=#ff0000 - palette = 10=#00ff00 - palette = 11=#ffff00 - palette = 12=#5c5cff - palette = 13=#ff00ff - palette = 14=#00ffff - palette = 15=#ffffff - background = #000000 - background-opacity = 0.5 - bold-is-bright = true - foreground = #e5e5e5 - cursor-color = #ffffff - ''; + "bin/xscreensaver-activate".source = ./xscreensaver-activate; }; packages = [ @@ -69,17 +36,23 @@ defaultWorkspace = "workspace number 1"; modifier = "Mod4"; keybindings = lib.mkOptionDefault { - "${modifier}+Return" = "exec ghostty"; + "${modifier}+Scroll_Lock" = "exec --no-startup-id ${pkgs.xscreensaver}/bin/xscreensaver-command -lock"; "${modifier}+Shift+e" = "exec ${pkgs.i3}/bin/i3-msg exit"; "${modifier}+Shift+v" = ''mode "VNC"''; }; startup = [ { - command = "${pkgs.feh}/bin/feh --no-fehbg --bg-center ~/bg/StarWarsRetro-BrentCheshire.jpg"; + command = "~/bin/rotatebg"; + always = true; + notification = false; + } + { + command = "~/bin/xscreensaver-activate"; always = true; notification = false; } ]; + terminal = "ghostty"; window.border = 0; window.commands = [ { diff --git a/home/nipsy/common/optional/desktops/i3/xscreensaver-activate b/home/nipsy/common/optional/desktops/i3/xscreensaver-activate new file mode 100755 index 0000000..b7b8457 --- /dev/null +++ b/home/nipsy/common/optional/desktops/i3/xscreensaver-activate 
@@ -0,0 +1,100 @@ +#!/usr/bin/env zsh + +# bail out if xscreensaver isn't installed +if [[ ! -x =xscreensaver ]]; then + echo "no xscreensaver command found, ${0:t} bailing out" >&2 + exit 0 +fi + +# record our own PID to avoid duplicate invocations +PIDFILE="/dev/shm/${0:t}.pid" + +# check for already running script +if [[ -f ${PIDFILE} ]]; then + for i in $(pidof -x ${0:t}); do + if [[ ${i} -eq $(cat ${PIDFILE}) ]]; then + echo "${0:t} already running!" >&2 + exit 1 + fi + done +fi + +# record current PID +echo ${$} > ${PIDFILE} + +# wait a bit for everything to start +sleep 30 + +# check whether xscreensaver itself is running and start it if not +if ! systemctl --user --quiet is-active xscreensaver.service; then + systemctl --user start xscreensaver.service +fi + +# retrieve current Xorg screen size so we know where the corners are +xrandr | grep ^Screen | grep -Eo 'current [[:digit:]]+ x [[:digit:]]+' | cut -d' ' -f2,4 | read max_x max_y +echo "read screen size as ${max_x} x ${max_y}" + +# main loop +while true; do + + # retrieve current mouse position and set environment variables + eval $(xdotool getmouselocation --shell) + + # a Steam game is running + if ps axfu | grep -v grep | grep -q '/home/nipsy/.local/share/Steam/steamapps/common/'; then + + # make sure xscreensaver is even running before telling it to stay idle + if pidof xscreensaver &>/dev/null; then + sleep 5 + xscreensaver-command -deactivate &>/dev/null + fi + + # keep xscreensaver deactivated if we're in the bottom right corner of the screen + elif [[ ${X} -eq $((max_x - 1)) && ${Y} -eq $((max_y - 1)) ]]; then + + # make sure xscreensaver is even running before telling it to stay idle + if pidof xscreensaver &>/dev/null; then + sleep 5 + xscreensaver-command -deactivate &>/dev/null + fi + + # mouse is in the top left corner -- potentially activate xscreensaver right now + elif [[ ${X} -eq $((max_x - max_x)) && ${Y} -eq $((max_y - max_y)) ]]; then + + # sleep a bit and then check mouse 
coordinates again + sleep 5 + eval $(xdotool getmouselocation --shell) + + # mouse is still in the top left corner -- we must really want to activate xscreensaver + if [[ ${X} -eq $((max_x - max_x)) && ${Y} -eq $((max_y - max_y)) ]]; then + + # make sure xscreensaver is actually running + if pidof xscreensaver &>/dev/null; then + + # make sure it hasn't already activated + if ! xscreensaver-command -time | grep -q 'screen blanked since'; then + + # activate it! + xscreensaver-command -activate &>/dev/null + + fi + + fi + + fi + + fi + + # die off if we're no longer running on a connected Xorg screen any longer -- this should be the normal termination path for this script + if ! xdpyinfo &>/dev/null; then + rm ${PIDFILE} + exit 0 + fi + + # arbitrary sleep for script to avoid CPU sucking infinite loop + sleep 5 + +done + +# exit with error since we should never get here +exit 1 diff --git a/home/nipsy/common/optional/desktops/rotatebg b/home/nipsy/common/optional/desktops/rotatebg new file mode 100755 index 0000000..1b5b95b --- /dev/null +++ b/home/nipsy/common/optional/desktops/rotatebg 
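Review bot: The PID file set by `PIDFILE="/dev/shm/${0:t}.pid"` near the top of xscreensaver-activate lives in a directory every local user can write to, under a predictable name, and `echo ${$} > ${PIDFILE}` writes through whatever is already at that path. On a shared host another account could pre-create the path and either keep the script from recording its PID or, depending on kernel symlink protections, redirect the write. A per-user runtime directory avoids both: `PIDFILE="${XDG_RUNTIME_DIR:-/run/user/${UID}}/${0:t}.pid"`. The rotatebg script added later in this commit uses the same `/dev/shm` pattern and would take the same change.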
@@ -0,0 +1,53 @@ +#!/usr/bin/env zsh + +# bail out if not running under i3 or sway +if [[ ! -S ${I3SOCK} && ! -S ${SWAYSOCK} ]]; then + echo "no running window manager detected, ${0:t} bailing out" >&2 + exit 0 +fi + +# record our own PID to avoid duplicate invocations +PIDFILE="/dev/shm/${0:t}.pid" + +# check for already running script +if [[ -f ${PIDFILE} ]]; then + for i in $(pidof -x ${0:t}); do + if [[ ${i} -eq $(cat ${PIDFILE}) ]]; then + echo "${0:t} already running!" >&2 + exit 1 + fi + done +fi + +# record current PID +echo ${$} > ${PIDFILE} + +# main loop +while true; do + + # test for continued presence of a running window manager and bail if not found + if [[ ! -S ${I3SOCK} && ! -S ${SWAYSOCK} ]]; then + echo "window manager has stopped running, ${0:t} bailing out" >&2 + exit 0 + fi + + # build array of only type file present underneath my background directory + bg=(~/bg/**/*(.)) + + # if running i3, we need to set the background immediately, at random based on the array length + if [[ -S ${I3SOCK} && ! ${I3SOCK} =~ "sway" ]]; then + feh --no-fehbg --bg-max ${bg[$((RANDOM % $#bg + 1))]} + fi + + # wait a bit + sleep 10m + + # if running sway, select and set our new background at random based on the array length + if [[ -S ${SWAYSOCK} ]]; then + swaymsg -s ${SWAYSOCK} output '*' bg ${bg[$((RANDOM % $#bg + 1))]} fit + fi + +done + +# exit with error since we should never get here +exit 1 diff --git a/home/nipsy/common/optional/desktops/sway/config b/home/nipsy/common/optional/desktops/sway/config new file mode 100644 index 0000000..7b4d661 --- /dev/null +++ b/home/nipsy/common/optional/desktops/sway/config 
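Review bot: In the main loop of rotatebg, `bg=(~/bg/**/*(.))` followed by `${bg[$((RANDOM % $#bg + 1))]}` has no handling for an empty `~/bg`: zsh reports a no-match error for the glob by default, and with an empty array the modulo divides by zero. Adding the `N` qualifier and a guard keeps the loop well-defined: `bg=(~/bg/**/*(.N))` then `(( $#bg )) || { sleep 10m; continue }`. The in-loop `exit 0` path also leaves the PID file behind, whereas xscreensaver-activate runs `rm ${PIDFILE}` before its normal exit.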
@@ -0,0 +1,249 @@ +# Default config for sway +# +# Copy this to ~/.config/sway/config and edit it to your liking. +# +# Read `man 5 sway` for a complete reference. + +### Variables +# +# Logo key. Use Mod1 for Alt. +set $mod Mod4 +# Home row direction keys, like vim +set $left h +set $down j +set $up k +set $right l +# Your preferred terminal emulator +set $term ghostty +# Your preferred application launcher +set $menu wmenu-run + +### Output configuration +# +# Default wallpaper (more resolutions are available in /run/current-system/sw/share/backgrounds/sway/) +output * mode 2560x1440@143.972Hz adaptive_sync on allow_tearing yes bg ~/bg/StarWarsRetro-BrentCheshire.jpg fit +# +# Example configuration: +# +# output HDMI-A-1 resolution 1920x1080 position 1920,0 +# +# You can get the names of your outputs by running: swaymsg -t get_outputs + +### Idle configuration +# +# Example configuration: +# +#exec swayidle -w \ +# timeout 600 'swaylock -f -c 000000' \ +# timeout 900 'swaymsg "output * power off"' resume 'swaymsg "output * power on"' \ +# before-sleep 'swaylock -f -c 000000' +# +# This will lock your screen after 300 seconds of inactivity, then turn off +# your displays after another 300 seconds, and turn your screens back on when +# resumed. It will also lock your screen before your computer goes to sleep. + +exec swayidle -w \ + timeout 900 'swaymsg "output * power off"' resume 'swaymsg "output * power on"' + +exec ~/bin/rotatebg + +### Default options +default_border none +default_floating_border none +titlebar_padding 1 +titlebar_border_thickness 0 + +### Input configuration +# +# Example configuration: +# +# input type:touchpad { +# dwt enabled +# tap enabled +# natural_scroll enabled +# middle_emulation enabled +# } +# +input type:keyboard { + xkb_layout "us" + xkb_options "caps:super,compose:ralt" +} +# +# You can also configure each device individually. +# Read `man 5 sway-input` for more information about this section. 
+ +### Key bindings +# +# Basics: +# + # Start a terminal + bindsym $mod+Return exec $term + + # Kill focused window + bindsym $mod+Shift+q kill + + # Start your launcher + bindsym $mod+d exec $menu + + # Drag floating windows by holding down $mod and left mouse button. + # Resize them with right mouse button + $mod. + # Despite the name, also works for non-floating windows. + # Change normal to inverse to use left mouse button for resizing and right + # mouse button for dragging. + floating_modifier $mod normal + + # Reload the configuration file + bindsym $mod+Shift+c reload + + # Exit sway (logs you out of your Wayland session) + bindsym $mod+Shift+e exit +# +# Moving around: +# + # Move your focus around + bindsym $mod+$left focus left + bindsym $mod+$down focus down + bindsym $mod+$up focus up + bindsym $mod+$right focus right + # Or use $mod+[up|down|left|right] + bindsym $mod+Left focus left + bindsym $mod+Down focus down + bindsym $mod+Up focus up + bindsym $mod+Right focus right + + # Move the focused window with the same, but add Shift + bindsym $mod+Shift+$left move left + bindsym $mod+Shift+$down move down + bindsym $mod+Shift+$up move up + bindsym $mod+Shift+$right move right + # Ditto, with arrow keys + bindsym $mod+Shift+Left move left + bindsym $mod+Shift+Down move down + bindsym $mod+Shift+Up move up + bindsym $mod+Shift+Right move right +# +# Workspaces: +# + # Switch to workspace + bindsym $mod+1 workspace number 1 + bindsym $mod+2 workspace number 2 + bindsym $mod+3 workspace number 3 + bindsym $mod+4 workspace number 4 + bindsym $mod+5 workspace number 5 + bindsym $mod+6 workspace number 6 + bindsym $mod+7 workspace number 7 + bindsym $mod+8 workspace number 8 + bindsym $mod+9 workspace number 9 + bindsym $mod+0 workspace number 10 + # Move focused container to workspace + bindsym $mod+Shift+1 move container to workspace number 1 + bindsym $mod+Shift+2 move container to workspace number 2 + bindsym $mod+Shift+3 move container to workspace 
number 3 + bindsym $mod+Shift+4 move container to workspace number 4 + bindsym $mod+Shift+5 move container to workspace number 5 + bindsym $mod+Shift+6 move container to workspace number 6 + bindsym $mod+Shift+7 move container to workspace number 7 + bindsym $mod+Shift+8 move container to workspace number 8 + bindsym $mod+Shift+9 move container to workspace number 9 + bindsym $mod+Shift+0 move container to workspace number 10 + # Note: workspaces can have any name you want, not just numbers. + # We just use 1-10 as the default. +# +# Layout stuff: +# + # You can "split" the current object of your focus with + # $mod+b or $mod+v, for horizontal and vertical splits + # respectively. + bindsym $mod+b splith + bindsym $mod+v splitv + + # Switch the current container between different layout styles + bindsym $mod+s layout stacking + bindsym $mod+w layout tabbed + bindsym $mod+e layout toggle split + + # Make the current focus fullscreen + bindsym $mod+f fullscreen + + # Toggle the current focus between tiling and floating mode + bindsym $mod+Shift+space floating toggle + + # Swap focus between the tiling area and the floating area + bindsym $mod+space focus mode_toggle + + # Move focus to the parent container + bindsym $mod+a focus parent +# +# Scratchpad: +# + # Sway has a "scratchpad", which is a bag of holding for windows. + # You can send windows there and get them back later. + + # Move the currently focused window to the scratchpad + bindsym $mod+Shift+minus move scratchpad + + # Show the next scratchpad window or hide the focused scratchpad window. + # If there are multiple scratchpad windows, this command cycles through them. 
+ bindsym $mod+minus scratchpad show +# +# Resizing containers: +# +mode "resize" { + # left will shrink the containers width + # right will grow the containers width + # up will shrink the containers height + # down will grow the containers height + bindsym $left resize shrink width 10px + bindsym $down resize grow height 10px + bindsym $up resize shrink height 10px + bindsym $right resize grow width 10px + + # Ditto, with arrow keys + bindsym Left resize shrink width 10px + bindsym Down resize grow height 10px + bindsym Up resize shrink height 10px + bindsym Right resize grow width 10px + + # Return to default mode + bindsym Return mode "default" + bindsym Escape mode "default" +} +bindsym $mod+r mode "resize" +# +# Utilities: +# + # Special keys to adjust volume via PulseAudio + bindsym --locked XF86AudioMute exec pactl set-sink-mute \@DEFAULT_SINK@ toggle + bindsym --locked XF86AudioLowerVolume exec pactl set-sink-volume \@DEFAULT_SINK@ -5% + bindsym --locked XF86AudioRaiseVolume exec pactl set-sink-volume \@DEFAULT_SINK@ +5% + bindsym --locked XF86AudioMicMute exec pactl set-source-mute \@DEFAULT_SOURCE@ toggle + # Special keys to adjust brightness via brightnessctl + bindsym --locked XF86MonBrightnessDown exec brightnessctl set 5%- + bindsym --locked XF86MonBrightnessUp exec brightnessctl set 5%+ + # Special key to take a screenshot with grim + bindsym Print exec grim + +# +# Status Bar: +# +# Read `man 5 sway-bar` for more information about this section. +bar { + position bottom + + # When the status_command prints a new line to stdout, swaybar updates. + # The default just shows the current date and time. 
+ status_command while date -R; do sleep 1; done + + colors { + background #000000 + focused_workspace #222222 #222222 #ffffff + inactive_workspace #000000 #000000 #424242 + statusline #ffffff + } +} + +# Criteria based behavior +for_window [class=".*"] inhibit_idle fullscreen +for_window [app_id=".*"] inhibit_idle fullscreen + +include /etc/sway/config.d/* diff --git a/home/nipsy/common/optional/desktops/sway/default.nix b/home/nipsy/common/optional/desktops/sway/default.nix new file mode 100644 index 0000000..bc1b6bc --- /dev/null +++ b/home/nipsy/common/optional/desktops/sway/default.nix @@ -0,0 +1,5 @@ +{ + home.file = { + ".config/sway/config".source = ./config; + }; +} diff --git a/home/nipsy/common/optional/desktops/xdg.nix b/home/nipsy/common/optional/desktops/xdg.nix new file mode 100644 index 0000000..f4ac723 --- /dev/null +++ b/home/nipsy/common/optional/desktops/xdg.nix @@ -0,0 +1,21 @@ +{ + xdg.mimeApps = { + enable = true; + defaultApplications = { + "application/x-extension-htm" = "firefox.desktop"; + "application/x-extension-html" = "firefox.desktop"; + "application/x-extension-shtml" = "firefox.desktop"; + "application/x-extension-xht" = "firefox.desktop"; + "application/x-extension-xhtml" = "firefox.desktop"; + "application/xhtml+xml" = "firefox.desktop"; + "text/html" = "firefox.desktop"; + "x-scheme-handler/about" = "firefox.desktop"; + "x-scheme-handler/chrome" = "firefox.desktop"; + "x-scheme-handler/http" = "firefox.desktop"; + "x-scheme-handler/https" = "firefox.desktop"; + "x-scheme-handler/sgnl" = "signal.desktop"; + "x-scheme-handler/signalcaptcha" = "signal.desktop"; + "x-scheme-handler/unknown" = "firefox.desktop"; + }; + }; +} diff --git a/home/nipsy/common/optional/secrets.nix b/home/nipsy/common/optional/secrets.nix new file mode 100644 index 0000000..9a92ad0 --- /dev/null +++ b/home/nipsy/common/optional/secrets.nix 
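Review bot: The only active idle rule in the sway config, `exec swayidle -w timeout 900 'swaymsg "output * power off"' resume ...`, powers the outputs off but never locks; the `swaylock` lines survive only in the commented example above it, so as far as this file shows a sway session is not locked on idle or before sleep. The i3 side of this commit wires up xscreensaver and a `-lock` key binding, so the two desktops end up with different lock behaviour. If that is not intended, restore the two hooks from the example: `timeout 600 'swaylock -f -c 000000'` and `before-sleep 'swaylock -f -c 000000'`. The retained example comment also says 300 seconds while the example itself uses 600 and 900.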
@@ -0,0 +1,20 @@ +{ pkgs, ... }: +{ + programs.password-store = { + enable = true; + package = pkgs.pass.withExtensions (exts: [ + exts.pass-otp + ]); + settings = { }; + }; + + services.gpg-agent = { + defaultCacheTtl = 43200; + defaultCacheTtlSsh = 43200; + enable = true; + enableExtraSocket = true; + enableSshSupport = true; + maxCacheTtl = 86400; + maxCacheTtlSsh = 86400; + }; +} diff --git a/home/nipsy/fangorn.nix b/home/nipsy/fangorn.nix new file mode 100644 index 0000000..bd7a95d --- /dev/null +++ b/home/nipsy/fangorn.nix @@ -0,0 +1,11 @@ +{ inputs, lib, pkgs, config, outputs, ... }: +{ + imports = [ + common/core + common/optional/desktops + common/optional/desktops/i3 + common/optional/desktops/services/blueman-applet.nix + common/optional/desktops/services/xscreensaver.nix + common/optional/secrets.nix + ]; +} diff --git a/home/nipsy/ginaz.nix b/home/nipsy/ginaz.nix index 8f42a2f..838681f 100644 --- a/home/nipsy/ginaz.nix +++ b/home/nipsy/ginaz.nix @@ -1,10 +1,18 @@ { inputs, lib, pkgs, config, outputs, ... }: { + + home.file = { + "bin/knock".source = ../common/scripts/knock; + }; + imports = [ common/core common/optional/desktops + common/optional/desktops/i3 common/optional/desktops/services/blueman-applet.nix common/optional/desktops/services/xscreensaver.nix + common/optional/desktops/xdg.nix + common/optional/secrets.nix #inputs.sops-nix.homeManagerModules.sops ]; @@ -27,5 +35,10 @@ xrandr --output eDP --primary --scale 0.5 xinput set-prop "ELAN06FA:00 04F3:3202 Touchpad" "libinput Middle Emulation Enabled" 0 ''; + windowManager.i3.config.keybindings = let + modifier = config.xsession.windowManager.i3.config.modifier; + in lib.mkOptionDefault { + "${modifier}+Return" = "exec ghostty"; + }; }; } diff --git a/home/nipsy/kaitain.nix b/home/nipsy/kaitain.nix index 83406e0..022090b 100644 --- a/home/nipsy/kaitain.nix +++ b/home/nipsy/kaitain.nix 
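Review bot: `services.gpg-agent` in secrets.nix caches unlocked keys for a long time, `defaultCacheTtl = 43200` and `maxCacheTtl = 86400` (12 and 24 hours) with the same values for SSH keys, and nothing in the file records why. This module is imported by fangorn, ginaz, kaitain and richese in this commit, so on each of them an unlocked desktop session inside that window can use the password store and SSH keys without a passphrase prompt. A short comment stating the trade-off would help, e.g. `# 12h/24h cache: relies on the screen locker; lower on portable hosts`. `enableExtraSocket = true` likewise deserves a comment naming the remote-forwarding use it is there for.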
@@ -3,22 +3,32 @@ imports = [ common/core common/optional/desktops + common/optional/desktops/i3 + common/optional/secrets.nix ]; - home.file.".ansible.cfg".text = '' - [defaults] - forks=5 - timeout=600 + home.file = { + ".ansible.cfg".text = '' + [defaults] + forks=5 + timeout=600 + + [ssh_connection] + ssh_args=-o BatchMode=yes -o ControlMaster=auto -o ControlPersist=8h -o Compression=yes + control_path=/dev/shm/%%C + control_path_dir=/dev/shm + pipelining=True + ''; - [ssh_connection] - ssh_args=-o BatchMode=yes -o ControlMaster=auto -o ControlPersist=8h -o Compression=yes - control_path=/dev/shm/%%C - control_path_dir=/dev/shm - pipelining=True - ''; + ".mailcap".text = '' + text/html; elinks -dump %s; copiousoutput + application/pdf; pdftotext '%s' -; copiousoutput; description=Adobe Portable Document Format + ''; + }; - home.file.".mailcap".text = '' - text/html; elinks -dump %s; copiousoutput - application/pdf; pdftotext '%s' -; copiousoutput; description=Adobe Portable Document Format - ''; + xsession.windowManager.i3.config.keybindings = let + modifier = config.xsession.windowManager.i3.config.modifier; + in lib.mkOptionDefault { + "${modifier}+Return" = "exec env LIBGL_ALWAYS_SOFTWARE=1 ghostty"; + }; } diff --git a/home/nipsy/richese.nix b/home/nipsy/richese.nix index 7c3e0b0..f4173bd 100644 --- a/home/nipsy/richese.nix +++ b/home/nipsy/richese.nix 
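Review bot: The generated `.ansible.cfg` keeps SSH multiplexing sockets in shared memory, `control_path=/dev/shm/%%C` with `control_path_dir=/dev/shm` and `ControlPersist=8h`, while ssh_config(5) advises placing ControlPath in a directory that other users cannot write to. This hunk only re-indents those lines, but since the block is being restructured it is a good moment to move them, for example `control_path_dir=~/.ansible/cp` and `control_path=%(directory)s/%%C`. The same block appears in richese.nix later in this commit.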
@@ -3,17 +3,27 @@ imports = [ common/core common/optional/desktops + common/optional/desktops/i3 + common/optional/secrets.nix ]; - home.file.".ansible.cfg".text = '' - [defaults] - forks=5 - timeout=600 + home.file = { + ".ansible.cfg".text = '' + [defaults] + forks=5 + timeout=600 + + [ssh_connection] + ssh_args=-o BatchMode=yes -o ControlMaster=auto -o ControlPersist=8h -o Compression=yes -o StrictHostKeyChecking=no + control_path=/dev/shm/%%C + control_path_dir=/dev/shm + pipelining=True + ''; + }; - [ssh_connection] - ssh_args=-o BatchMode=yes -o ControlMaster=auto -o ControlPersist=8h -o Compression=yes -o StrictHostKeyChecking=no - control_path=/dev/shm/%%C - control_path_dir=/dev/shm - pipelining=True - ''; + xsession.windowManager.i3.config.keybindings = let + modifier = config.xsession.windowManager.i3.config.modifier; + in lib.mkOptionDefault { + "${modifier}+Return" = "exec env LIBGL_ALWAYS_SOFTWARE=1 ghostty"; + }; } diff --git a/home/nipsy/secrets/arrakis.yaml b/home/nipsy/secrets/arrakis.yaml index 6b8813f..88cc8a6 100644 --- a/home/nipsy/secrets/arrakis.yaml +++ b/home/nipsy/secrets/arrakis.yaml @@ -1,10 +1,6 @@ reaper_license: ENC[AES256_GCM,data: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,iv:tq8oSvqZTmy2pZK3LhxqBM1OZG3x+LS4ov0+lE5I0B0=,tag:J/WTEMSjl+EYZn7HbifGMQ==,type:str] -ssh_config: ENC[AES256_GCM,data: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,iv:oe6PtLmY9V4QuhuLrdtMMQJFsuaCC6XoPAWlGlvmSFw=,tag:BrGrA+jVCaTN7yFtl02bVA==,type:str] +ssh_config: ENC[AES256_GCM,data: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,iv:J0ThC/EV3diI6wAeI0ZhNaGC/bkXjnuNJ4s2wy/sQKs=,tag:QKndY5DfG7RZO7OsJBhHcw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va enc: | 
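Review bot: `ssh_args` in the richese `.ansible.cfg` carries `-o StrictHostKeyChecking=no`, which turns off host key verification for every Ansible connection from this host: new keys are trusted automatically and connections to a host whose key has changed still proceed, all under `BatchMode=yes` with an 8-hour persistent master. kaitain.nix in this same commit has the identical block without that option, so the difference is at least undocumented. Prefer `-o StrictHostKeyChecking=accept-new` or a managed known_hosts file, or add a comment explaining why this host needs the exception. The option is carried over unchanged from the old side of the hunk.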
@@ -15,8 +11,7 @@ sops: cWx6Z2psUUlobDdFd20wcXBvS2tUaW8Knod4aI4/qOIJqMr2rdQzUta/G3HDFif8 LoREomHElDv31FYrR1EVEr8Fk11hhkuZs7a0iEzxTxPe6CjCiSfqbQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-16T07:02:53Z" - mac: ENC[AES256_GCM,data:wAbaSouSNEIt+gpRhtJ8Dcay662f8p/flpVz+YCYmSXXgm8AXVJfWOCnKCLM5WC6Uge9tZVlAli8oYdJ3PcKMqE+0dSXH0haEi3uenhvOxj63eLLIiccDRjOI45OJk+9J0ilKsqiaP7S1nnY185DCDtgDdLr9mOZlpBrHZohKxw=,iv:ue4DD08RllFhDZHf2BlsuFRouM+596skjXw9KQxMs2U=,tag:7gU9N7pwl/VdRMr0ndpRug==,type:str] - pgp: [] + lastmodified: "2025-06-05T18:05:08Z" + mac: ENC[AES256_GCM,data:QbB2D1urwDo7vwMLqDYpNgopPoE70P5to7iqVyALUmOVwiOJeARKO84buMLHDNQHG1pCGf585UaAbvAs+blPZ4rb0O5f0Ir5nughtxZDg+eE2lcdmnUOxE5nxI1lTsOof/aKtK/wXMPIsLny6HKiJW6aDbtmItgjA7CP0Baceto=,iv:obWptKyJiLKHdR4S5JgwpwdXJNceFa/k7GUgf9T9QtA=,tag:ogak476K//OYBTwi7unqVw==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.10.2 diff --git a/home/nipsy/secrets/caladan.yaml b/home/nipsy/secrets/caladan.yaml new file mode 100644 index 0000000..91df543 --- /dev/null +++ b/home/nipsy/secrets/caladan.yaml 
@@ -0,0 +1,17 @@ +reaper_license: ENC[AES256_GCM,data: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,iv:RT0XBkthKkM9MapVvGi+FdxXrEtwEU4V0WXJb7EP9Uw=,tag:esy7aQXzUtrdTkYYVGCDmg==,type:str] +ssh_config: ENC[AES256_GCM,data:yH4Ul7wAwj9kJwhmoQxMAyjLmELKRI8PvoheDbiUjr/7jXQSTSzlNIQHQilhJg6clezveC4q2fYphynn/YG9Q1AbTCTTqt+PuLABQpPPuc2h7Zx8cp3m5bo8tx/ITZTcxfjOB5QmeBuxuzINkQ2gKly0FOFS8Ha8PwxLUaQ69KAg46kqIxuk+zeNy8CZw5afhDkQ2w5nsXmeJkP5OlBqe8M8Wh4F+1DrG3ymFqSjZLfcY3V9cLEMCknFs9gJoE/n3fNteruuLoYw7rD3+RQf0JdtTP6Bg78zTTrr2LsCTTM5TtzFDngSa6RjMST0e9PVoVWD8JKZ7LINYA9SOjyfhCxGLqrL0H0uotB2sGZseZPdSN3Teek7S3fdUmjKiB9LW4w6T0QwTAlYpPyrLQ7YWuQnxaKIuMxMxQuV26BljPt557bhIcNY9EV3gnzD9JNXVX9Qg9qm5UDmVZtnWPsg2ykhecwiDUKQdNfi1+tz6Dkqri1YF1INVBuud077wdsVfsDPtAWTTu5vv5nEWX6MLlGkGy10VuXZabL9eD96aRFbx4f3Jsp7KGdo2+IrQXkgeOdsOl2BUfpO9BJFKcUbqyVBdOdjxGA/9KAX67taiA9S59Dzv6VL95v6radNB9pgUwoIO2ZtXB3qhx+oIB9a1F9WlDtiB/TmaTO3jHWw43QTQFi4BXj4U6glJYJQgzbPjY+M/BbxvurW3Xwkxa5wsBT86ENB+kRpC5AWA/LeoQwpicyPlxmb3juHWM2/lMsw50BwmFhjwzxZrYS92+AUQpVC8s5FFNY1h4i0oRr5E1JddNWbWGry2y79yl91NomyF96tPmrZ5NdYCSYHm9dEbubp5WaaJNQvU+3XqECQU6YHX4dZuDw+ZwYPdXVtInMp7YfZ+PSacRuAsHeb2cuSOx1d7yjPgy9aaGssJcn+hIfKLGMmUypkKEfKA3IiFBh0ChQ75vQQ59tNPiu6RyrZxZLJhpctIBQQXWrsrd4NSiZVyR9gWmQkQeZjvYiFnJKGMFAk89sEA0qFuUiasH9eKDRPr1BlO0NwKUv2UXSK9pu0HdtJasi1LLGsLQg3QOL0hnwoOsrCBHLCD15x7BLcInYhZUucDQvEt0JdNMJlV4iF3fEt9kEUJmuo7JIpYLZYI7P3z+C/IiFsX6/erIal+Ycj+1tHQJi0YwBGKkkE3XPZ2RXqzKrhu/m7FBiBLSCOsg2IJ3NmUiLa74KCwdDSLn9wdkOKN4RMijFfoctopf75SsaJpdR4Y0K15q2OzBN4P1yZgNiMUCF9Y41qlIqbX8JE0ARiUs9LXFBdt+0oc86XUy1QEcFdh2IDbHOhJFlz0gGLryYTMI2+6P6lV9Iw8t8S2dM0P28vqGsqz8QNIhcBJP5mpdHzH1c1urnXQZeYRN5VVV9y9Yz9Gz2XFogsMqo1YIuPIf2GNwvDrgz3kQwbBqqLh0aA6+bbwq347f3CTeA8QJjtv9/a3Bo8EXZJk7eOEFcH9bqiJym7Sqg7fGPM6BnqGb80AnjFe+MzRCVBOElJKwzbodpSs56W2ZpZnAuhMBB3pBZt8hs9440waJHaW/nuGxrHyhqAbdr+lf52Xzrhz898iTstvvFnKpkSBZII5WujWALntFzXC2+T7bFG+b3TUFeCBiSz2AFeq4HkJIIohXO+35YVOnQfcmykcf2AdTDPRH5qEKn9A/cx5Az1IdlUum0yXYwMqtEzjDrnjCLS2LbgtmPZ6rA1vYlQDewKSD2qnQUpJM8IF9JFtWbq
XhrWOg0Y6EajprYxgp8pP0bNrM/t5BKwfJEPllZ5HEIIRILCQ+HBAF5pM/KZISN/KZw2Disz533qCC1PaqRv7YFXXbvk8OzepGOszctfl4UBOsfWww0a/oqj2UmZKFxt800MdY976kJ1LaHDb/+jCtFu9WslyMFRy+l0CIrenGbdZpqnhaUClpYrrvzn6zeYiQRmzjtGGEQykVLvH4GPpKjWeyza9GZ1B1aI1+6Sd2/Zl2CwSZvZg2Wl6olvazifVdFzH5xwtlKDc3ABrDUKPWLl67213PQNBMwBrqx+iDuJ76FMQwE=,iv:sZejEGs4211FBCUYZ9IcZjOX4u4R+NW76/tMCvGmJBU=,tag:bHIjCMuI95eM/Cg1XdfMlg==,type:str] +sops: + age: + - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkSUJOMDlTem5jNXVkRnIy + TlorQmQ0ajQyRnFYQXdueVhvNloyaFVabUFVCndDOHZDSGVyWUNQRkd5ekEwbDdz + S054ck9IbDh2UGRjVlVaV3N5dDVjTzgKLS0tIHNjaXgvL0R1MmY2cGt4NFZ5M2J5 + dnVlaUtXRkJOYllweUpjRXpreUI0bjQKdeI5T4qxmRk3goiHMfxQPxYyfauY69ea + ipFJuEzDTg6XdQvpwmmBs9N+QM2diNUkuxTOd4RDN5/EAN0h3fEhZg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-06-05T18:05:52Z" + mac: ENC[AES256_GCM,data:tRKW7bODDlA60O4UjY8ufuCm+695PVsX0oscGce5AIU9EsstMYAW6Ny6TpgBfMBvfNiNLLyKXQqEylvCfD0ZwbwM6cAttfMgMM6kbbfyOT00CHqrwC2as8MZmJHWcbA20SwvWBFPhhxJFvn9oP2BClU/IbaMdRi7IbqxIl6WNxE=,iv:cjaFEUfp206d6cY40cPlfkvZ9gyYhbAPoQ0yYx8ykrs=,tag:Ac1+FjrGjV/KMaLrhsA9Fg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/home/nipsy/secrets/ginaz.yaml b/home/nipsy/secrets/ginaz.yaml index 21d2933..5ace25d 100644 --- a/home/nipsy/secrets/ginaz.yaml +++ b/home/nipsy/secrets/ginaz.yaml 
@@ -1,10 +1,6 @@ reaper_license: ENC[AES256_GCM,data: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,iv:8Z2o5SOYPbFl8CBpcafvVjZUMPFJ+6atrsnJVbBljgE=,tag:TsACvre6dMgPZsENgcYkeA==,type:str] -ssh_config: ENC[AES256_GCM,data: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,iv:lsjEeTnvaMA/gpJnQ8lNmQx3gHL3VesDm9Yp/hBZur0=,tag:SDs/rGbM+NiZmQWMGspvMA==,type:str] +ssh_config: ENC[AES256_GCM,data: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,iv:efBxf9iRo29LJxFyGzTqPlQxN3cKxnim0a9x4OkNueU=,tag:SXKQZJuOJlqVUbRNXldaZw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va enc: | @@ -15,8 +11,7 @@ sops: QXRkc3NnamhWcFd6eS9CWE9tQzRpNE0KtEdfws+SlXPk7y7FNSx/9ogcZZneuRaj gnI30NcSbuHhWVvu9BEzBaoz4CU0slxvevOe6nNDoMzFhVacGTnhQg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-16T07:03:15Z" - mac: ENC[AES256_GCM,data:nFprDmU67eSEr0IKe58uC5AXwpPcGcug1PkASgc1Ep41wSyeJ+Y9/ki3ahu6BUgnkKyd7G48tC3/5Vn3+oNidmb185pw7lwcaYjPFOtKihWbgRC8+LuZCsaDMxAEbOnxDurHzzC8ywSLfDEXNDxoZ0v4m3bBQjDAP+7CghWafnQ=,iv:9qVYTef74T1M1Rca8tuUxovhWSWFs4SjE8ClwbfjYQs=,tag:BBC9MJajtSR8lDQYWXk80Q==,type:str] - pgp: [] + lastmodified: "2025-06-05T18:06:46Z" + mac: ENC[AES256_GCM,data:UQK2sM/OS8R4KWSp1DvgfqoeiIG9esZ9mDoaLx5qVg5zFvTDXgJ1cSOSwFM7lrXX8v+bHY/WiFR70C7kHXVEG3UXYagOuxqGncFnfigA+VR3TGMaTRnaRV0EQs9HuscEj9z8zngp5bZMUORsY/334VKz8tF/+vmaDwRtOVU4GrI=,iv:a+eSIBlFBk64BzMRcJARgE/0MdOa0J7Jybr2J1YR2YI=,tag:eCMdgVc0b0M2+OXJV76MJA==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.10.2 diff --git a/home/root/arrakis.nix b/home/root/arrakis.nix index b852ce5..d9d9162 100644 --- a/home/root/arrakis.nix +++ b/home/root/arrakis.nix 
@@ -5,20 +5,21 @@ ]; home.file = { + "bin/knock".source = ../common/scripts/knock; "bin/vpnctl" = { executable = true; text = '' #!${pkgs.zsh}/bin/zsh - + function status_vpn { - + ip netns exec vpn su -c 'curl -m 10 -s https://bitgnome.net/ip/ | grep REMOTE_ADDR' nipsy ip netns exec vpn su -c 'curl -m 10 -s https://www.cloudflarestatus.com | grep "Cloudflare Status"' nipsy - + } - + function start_vpn { - + ip netns add vpn ip link add veth.host type veth peer veth.vpn ip link set dev veth.host up @@ -32,44 +33,52 @@ ip -n vpn link set wg1 up ip -n vpn route add default dev wg1 ip netns exec vpn nft -f /etc/nftables-vpn.conf - + } - + function stop_vpn { - - ip netns del vpn - ip link del veth.host - + + systemctl stop prowlarr.service qbittorrent.service + + if ip netns | grep -q '^vpn '; then + ip netns del vpn + fi + + if ip link show veth.host > /dev/null; then + ip link del veth.host + fi + } - + if [[ -z "''${1}" || "''${1}" == "status" ]]; then - + status_vpn - + elif [[ "''${1}" == "restart" ]]; then - + stop_vpn sleep 2 start_vpn - + systemctl restart prowlarr.service qbittorrent.service + elif [[ "''${1}" == "restart_firewall" ]]; then - + ip netns exec vpn nft -f /etc/nftables-vpn.conf - + elif [[ "''${1}" == "start" ]]; then - + if [[ ! -f /run/netns/vpn ]]; then start_vpn else echo 'VPN service already appears to be running' >&2 fi - + elif [[ "''${1}" == "stop" ]]; then - + stop_vpn - + fi - + exit 0 ''; }; diff --git a/home/root/caladan.nix b/home/root/caladan.nix new file mode 100644 index 0000000..228bb90 --- /dev/null +++ b/home/root/caladan.nix @@ -0,0 +1,14 @@ +{ config, inputs, lib, outputs, pkgs, ... }: +{ + imports = [ + common/core + ]; + + home.file = { + "bin/knock".source = ../common/scripts/knock; + }; + + nix.extraOptions = '' + !include /run/secrets/nix-access-token-github + ''; +} diff --git a/home/root/common/core/default.nix b/home/root/common/core/default.nix index e2ca7c5..3043d2c 100644 --- a/home/root/common/core/default.nix 
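Review bot: In the `restart` branch of vpnctl, `systemctl restart prowlarr.service qbittorrent.service` runs whether or not `start_vpn` succeeded, so a failure while rebuilding the namespace or loading `/etc/nftables-vpn.conf` still brings the services back up. `start_vpn` ends with the `nft -f` call, so gating on its status is a one-line change: `start_vpn && systemctl restart prowlarr.service qbittorrent.service`. In `stop_vpn`, `ip netns | grep -q '^vpn '` requires a trailing space and may miss a namespace that is listed without an id; testing `[[ -e /run/netns/vpn ]]` would match the `/run/netns/vpn` check the `start` branch already uses. Part of `start_vpn` lies between the two hunks and is not visible here.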
+++ b/home/root/common/core/default.nix @@ -3,7 +3,6 @@ imports = [ ./bash.nix ./git.nix - #./ssh.nix ./tmux ./vim ./zsh diff --git a/home/root/common/core/git.nix b/home/root/common/core/git.nix index 49e10df..31af80e 100644 --- a/home/root/common/core/git.nix +++ b/home/root/common/core/git.nix @@ -1,6 +1,7 @@ { programs.git = { enable = true; - extraConfig.pull.rebase = true; + settings.pull.rebase = true; + signing.format = null; }; } diff --git a/home/root/common/core/ssh.nix b/home/root/common/core/ssh.nix deleted file mode 100644 index 929cc51..0000000 --- a/home/root/common/core/ssh.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ - programs.ssh = { - enable = true; - }; -} diff --git a/home/root/common/core/vim/vimrc b/home/root/common/core/vim/vimrc index 9f652cd..87de2a0 100644 --- a/home/root/common/core/vim/vimrc +++ b/home/root/common/core/vim/vimrc @@ -43,5 +43,5 @@ set hlsearch " highlight all search matches set laststatus=2 set statusline=%<%f%h%m%r%=%{&ff}\ %Y\ %b\ 0x%B\ \ %l,%c%V\ %P -map <F5> :w<CR><bar>:!clear;go run %<CR> -map <F6> :w<CR><bar>:%! gofmt<CR> +"map <F5> :w<CR><bar>:!clear;go run %<CR> +"map <F6> :w<CR><bar>:%! gofmt<CR> diff --git a/home/root/common/core/zsh/default.nix b/home/root/common/core/zsh/default.nix index eaec714..58b0c34 100644 --- a/home/root/common/core/zsh/default.nix +++ b/home/root/common/core/zsh/default.nix @@ -1,3 +1,4 @@ +{ pkgs, ... }: { programs.zsh = { enable = true; @@ -19,8 +20,9 @@ export COLORFGBG=";0" save = 100000; size = 100000; }; - initExtra = (builtins.readFile ./zshrc); + initContent = (builtins.readFile ./zshrc); shellAliases = { + ftp = "${pkgs.inetutils}/bin/ftp"; grep = "grep --color=auto"; ip = "ip -c=auto"; la = "ls -aF --color=auto"; 
@@ -28,6 +30,7 @@ export COLORFGBG=";0" nix-list-derivations = "nix-store --query --requisites /run/current-system | cut -d- -f2- | sort | uniq"; nix-list-generations = "nixos-rebuild list-generations | cat; echo; nix-env --list-generations --profile /nix/var/nix/profiles/system"; pstrace = "bpftrace -e 'tracepoint:syscalls:sys_enter_exec*{ printf(\"pid: %d, comm: %s, args: \", pid, comm); join(args->argv); }'"; + telnet = "${pkgs.inetutils}/bin/telnet"; zgrep = "zgrep --color=auto"; }; }; diff --git a/home/root/darkstar.nix b/home/root/darkstar.nix index 72dbda0..7399284 100644 --- a/home/root/darkstar.nix +++ b/home/root/darkstar.nix @@ -1,5 +1,11 @@ { inputs, lib, pkgs, config, outputs, ... }: { + home = { + file = { + "bin/knock".source = ../common/scripts/knock; + }; + }; + imports = [ common/core ]; diff --git a/home/root/fangorn.nix b/home/root/fangorn.nix new file mode 100644 index 0000000..72dbda0 --- /dev/null +++ b/home/root/fangorn.nix @@ -0,0 +1,10 @@ +{ inputs, lib, pkgs, config, outputs, ... }: +{ + imports = [ + common/core + ]; + + nix.extraOptions = '' + !include /run/secrets/nix-access-token-github + ''; +} diff --git a/home/root/ginaz.nix b/home/root/ginaz.nix index 72dbda0..8370818 100644 --- a/home/root/ginaz.nix +++ b/home/root/ginaz.nix @@ -1,5 +1,12 @@ { inputs, lib, pkgs, config, outputs, ... }: { + + home = { + file = { + "bin/knock".source = ../common/scripts/knock; + }; + }; + imports = [ common/core ]; diff --git a/home/root/kaitain.nix b/home/root/kaitain.nix index 72dbda0..cb4ed48 100644 --- a/home/root/kaitain.nix +++ b/home/root/kaitain.nix @@ -4,6 +4,10 @@ common/core ]; + home.file = { + "bin/knock".source = ../common/scripts/knock; + }; + nix.extraOptions = '' !include /run/secrets/nix-access-token-github ''; diff --git a/home/root/richese.nix b/home/root/richese.nix index 72dbda0..cb4ed48 100644 --- a/home/root/richese.nix +++ b/home/root/richese.nix 
@@ -4,6 +4,10 @@ common/core ]; + home.file = { + "bin/knock".source = ../common/scripts/knock; + }; + nix.extraOptions = '' !include /run/secrets/nix-access-token-github ''; diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix index 80509cb..f1c15c0 100644 --- a/hosts/arrakis/default.nix +++ b/hosts/arrakis/default.nix @@ -2,10 +2,12 @@ boot = { initrd.kernelModules = [ "zfs" ]; kernel.sysctl = { + "kernel.hostname" = "arrakis.bitgnome.net"; "net.ipv4.ip_forward" = 1; - "net.ipv4.conf.all.proxy_arp" = 1; + "net.netfilter.nf_log_all_netns" = 1; + #"net.ipv4.conf.all.proxy_arp" = 1; }; - kernelPackages = pkgs.linuxPackages_6_12; + kernelPackages = pkgs.master.linuxPackages_7_0; loader = { efi = { canTouchEfiVariables = true; 
@@ -16,119 +18,134 @@ extraInstallCommands = '' ${pkgs.rsync}/bin/rsync -av --delete /efiboot/efi1/ /efiboot/efi2 ''; + memtest86.enable = true; }; timeout = 3; }; supportedFilesystems = [ "zfs" ]; - #zfs.package = pkgs.master.zfs; + zfs = { + forceImportRoot = false; + package = pkgs.master.zfs_2_4; + }; }; - environment.etc."nftables-vpn.conf".text = '' - # VPN firewall - - flush ruleset - - table inet filter { - chain input { - type filter hook input priority filter; policy drop; - - # established/related connections - ct state established,related accept - - # invalid connections - ct state invalid drop - - # loopback interface - iif lo accept - - # ICMP (routers may also want: mld-listener-query, nd-router-solicit) - #ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, packet-too-big, parameter-problem, time-exceeded } accept - ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, parameter-problem, router-advertisement, source-quench, time-exceeded } accept - - # services - iif veth.vpn tcp dport 8080 accept # qBittorrent - iif veth.vpn tcp dport 9696 accept # Prowlarr - iifname wg1 tcp dport { 49152-65535 } accept # Transmission - } - - chain output { - type filter hook output priority filter; policy drop; - - # explicitly allow my DNS traffic without VPN - skuid nipsy ip daddr 192.168.1.1 tcp dport domain accept - skuid nipsy ip daddr 192.168.1.1 udp dport domain accept - - # explicitly allow my traffic without VPN - oifname veth.vpn skuid nipsy tcp sport 8080 accept # qBittorrent - oifname veth.vpn skuid nipsy tcp sport 9696 accept # Prowlarr - oifname veth.vpn skuid nipsy ip daddr 192.168.1.2 tcp dport { 7878, 8686, 8787, 8989 } accept # Prowlarr to { Radarr, Lidarr, Readarr, Sonarr } - - # allow any traffic out through VPN - oifname wg1 accept - - # drop everything else - counter drop - } - - chain forward { - type filter hook forward 
priority filter; policy drop; - } - } - ''; + environment.etc = { + "netns/vpn/resolv.conf".text = '' + nameserver 10.64.0.1 + options edns0 + ''; + + "nftables-vpn.conf".text = '' + # VPN firewall + + flush ruleset + + table inet filter { + chain input { + type filter hook input priority filter; policy drop; + + # established/related connections + ct state established,related accept + + # invalid connections + ct state invalid drop + + # loopback interface + iif lo accept + + # ICMP (routers may also want: mld-listener-query, nd-router-solicit) + #ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, packet-too-big, parameter-problem, time-exceeded } accept + ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, parameter-problem, router-advertisement, source-quench, time-exceeded } accept + + # services + iif veth.vpn tcp dport 8080 accept # qBittorrent + iif veth.vpn tcp dport 9696 accept # Prowlarr + iifname wg1 tcp dport { 49152-65535 } accept # Transmission + + # drop everything else + counter drop + } + + chain output { + type filter hook output priority filter; policy drop; + + # explicitly allow my DNS traffic without VPN + skuid nipsy ip daddr 192.168.1.1 tcp dport domain accept + skuid nipsy ip daddr 192.168.1.1 udp dport domain accept + + # explicitly allow my traffic without VPN + oifname veth.vpn skuid nipsy tcp sport 8080 accept # qBittorrent + oifname veth.vpn skuid nipsy tcp sport 9696 accept # Prowlarr + oifname veth.vpn skuid nipsy ip daddr 192.168.1.2 tcp dport { 7878, 8686, 8787, 8989 } accept # Prowlarr to { Radarr, Lidarr, Readarr, Sonarr } + oif lo skuid nipsy ip daddr 192.168.1.3 tcp dport 8080 accept # Prowlarr to qBittorrent + + # allow any traffic out through VPN + oifname wg1 accept + + # drop everything else + counter drop + } + + chain forward { + type filter hook forward priority filter; policy drop; + } + } + ''; + }; - 
environment.systemPackages = with pkgs; [ - angband - assaultcube - master.bsdgames - bzflag - extremetuxracer - #frozen-bubble - hedgewars - kobodeluxe - lidarr - mailutils - megacmd - moc - nethack - openttd - pixcat - prowlarr - qbittorrent-nox - radarr - rdiff-backup - readarr - #scorched3d - signal-desktop - sonarr - superTux - superTuxKart - umoria - warzone2100 - wpa_supplicant - xonotic-sdl - master.xpilot-ng + environment.sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; }; + + environment.systemPackages = [ + #pkgs.bitcoind + pkgs.igir + pkgs.intel-gpu-tools + pkgs.lidarr + pkgs.mailutils + pkgs.megacmd + pkgs.prowlarr + pkgs.qbittorrent-nox + pkgs.radarr + pkgs.rdiff-backup + pkgs.readarr + pkgs.sonarr + pkgs.wpa_supplicant ]; + hardware = { + #bluetooth.enable = true; + + graphics = { + enable = true; + extraPackages = [ + pkgs.intel-compute-runtime + pkgs.intel-media-driver + pkgs.intel-ocl pkgs.vpl-gpu-rt + ]; + #extraPackages32 = [ pkgs.pkgsi686Linux.nvidia-vaapi-driver ]; + }; + }; + imports = [ ./disks.nix ./hardware-configuration.nix ./services.nix ../common/core - ../common/optional/adb.nix - ../common/optional/db.nix + #../common/optional/db.nix ../common/optional/dev.nix - ../common/optional/ebooks.nix + #../common/optional/ebooks.nix ../common/optional/games.nix ../common/optional/google-authenticator.nix ../common/optional/misc.nix ../common/optional/multimedia.nix - ../common/optional/pipewire.nix - ../common/optional/sdr.nix + #../common/optional/pipewire.nix + #../common/optional/sdr.nix ../common/optional/services/chrony.nix ../common/optional/services/openssh.nix - ../common/optional/services/xorg.nix - ../common/optional/sound.nix + #../common/optional/services/xorg.nix + #../common/optional/sound.nix + ../common/optional/wdt.nix ../common/optional/zfs.nix + ../common/users/lin ../common/users/nipsy ../common/users/root ]; 
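Review bot: The output chain of `nftables-vpn.conf` still accepts `skuid nipsy ip daddr 192.168.1.1 tcp dport domain` and the matching `udp` rule outside `wg1`, while the new `netns/vpn/resolv.conf` in this hunk points the namespace at `nameserver 10.64.0.1`. If nothing inside the namespace is meant to resolve through the LAN router any more, those two accept rules are a leftover path for DNS queries to leave without the tunnel and can be removed. If a service still needs them, a comment naming it would help, e.g. `# <service> resolves LAN names via the router`. How the namespace and `wg1` are set up is not visible in this hunk, so this is inferred from the rules alone.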
@@ -136,13 +153,12 @@ networking = { defaultGateway = { address = "192.168.1.1"; - interface = "wlp5s0"; + interface = "enp6s0"; }; - domain = "bitgnome.net"; hostId = "2ae4c89f"; hostName = "arrakis"; interfaces = { - wlp5s0 = { + enp6s0 = { ipv4.addresses = [ { address = "192.168.1.2"; prefixLength = 24; } ]; @@ -150,6 +166,9 @@ }; nameservers = [ "192.168.1.1" ]; nftables.enable = true; + search = [ + "bitgnome.net" + ]; useDHCP = false; wg-quick.interfaces = { wg0 = { @@ -193,6 +212,11 @@ presharedKeyFile = "${config.sops.secrets."wireguard/timetrad_psk".path}"; publicKey = "/lWCEMGRIr3Gl/3GQYuweAKylhH5H2KqamiXeocYFVM="; } + { # fangorn + allowedIPs = [ "10.4.20.9/32" ]; + presharedKeyFile = "${config.sops.secrets."wireguard/fangorn_psk".path}"; + publicKey = "G4oahOfaCR+ecXLGM2ilPYzqX6x8v/6z8VIo2vP2RC4="; + } { # ginaz allowedIPs = [ "10.4.20.254/32" ]; presharedKeyFile = "${config.sops.secrets."wireguard/ginaz_psk".path}"; 
@@ -216,35 +240,33 @@ nixpkgs = { config = { allowUnfree = true; - permittedInsecurePackages = [ - "aspnetcore-runtime-6.0.36" - "aspnetcore-runtime-wrapped-6.0.36" - "dotnet-sdk-6.0.428" - "dotnet-sdk-wrapped-6.0.428" - ]; }; hostPlatform = "x86_64-linux"; overlays = [ - inputs.nvidia-patch.overlays.default + #inputs.nvidia-patch.overlays.default outputs.overlays.additions outputs.overlays.modifications outputs.overlays.master-packages outputs.overlays.stable-packages + #outputs.overlays.wine9_22-packages ]; }; - services.openssh.settings.X11Forwarding = true; - services.xserver.videoDrivers = [ "nvidia" ]; - sops = { age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; defaultSopsFile = ../secrets/arrakis.yaml; secrets = { + "htpasswd" = { + owner = config.users.users.nginx.name; + group = config.users.users.nginx.group; + }; "nftables/ssh" = {}; "nix-access-token-github" = {}; + "ssh_config".path = "/root/.ssh/config"; "wireguard/arrakis_key" = {}; "wireguard/black-sheep_psk" = {}; + "wireguard/fangorn_psk" = {}; "wireguard/ginaz_psk" = {}; "wireguard/homer_psk" = {}; "wireguard/lilnasx_psk" = {}; @@ -266,6 +288,7 @@ system.stateVersion = "23.11"; systemd.services = { + jellyfin.environment.LIBVA_DRIVER_NAME = "iHD"; "lidarr" = { after = [ "network.target" ]; 
@@ -287,26 +310,28 @@ after = [ "zfs-import-data.service" ]; description = "Bind NFS exports to ZFS paths"; script = '' - ${pkgs.util-linux}/bin/mount /srv/nfs/keepers - ${pkgs.util-linux}/bin/mount /srv/nfs/movies - ${pkgs.util-linux}/bin/mount /srv/nfs/tv + ${pkgs.util-linux}/bin/mount --onlyonce /srv/caladan/downloads || ${pkgs.coreutils}/bin/true + ${pkgs.util-linux}/bin/mount --onlyonce /srv/caladan/www || ${pkgs.coreutils}/bin/true + ${pkgs.util-linux}/bin/mount --onlyonce /srv/nfs/keepers || ${pkgs.coreutils}/bin/true + ${pkgs.util-linux}/bin/mount --onlyonce /srv/nfs/movies || ${pkgs.coreutils}/bin/true + ${pkgs.util-linux}/bin/mount --onlyonce /srv/nfs/tv || ${pkgs.coreutils}/bin/true ''; wantedBy = [ "local-fs.target" ]; }; "nftables-extra" = let rules_script = '' - ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { http, https } counter accept # 80, 443' - ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138' - ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445' - ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport 2049 counter accept' - ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server' - ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 5121 counter accept # Neverwinter Nights Server' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" tcp dport { http, https } counter accept # 80, 443' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 
445' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" tcp dport 2049 counter accept' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport 5121 counter accept # Neverwinter Nights Server' ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "veth.host" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr' - ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr' - ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 15637 counter accept # Enshrouded' - ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play' - ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play' - ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 51820 counter accept # WireGuard' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport 15637 counter accept # Enshrouded' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play' + ${pkgs.nftables}/bin/nft insert rule inet 
nixos-fw input 'iifname "enp6s0" udp dport 51820 counter accept # WireGuard' ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path} ''; in { description = "nftables extra firewall rules"; @@ -421,7 +446,6 @@ }; wantedBy = [ "multi-user.target" ]; }; - }; systemd.paths."nftables-extra" = { diff --git a/hosts/arrakis/hardware-configuration.nix b/hosts/arrakis/hardware-configuration.nix index 3c508e5..21bd5a1 100644 --- a/hosts/arrakis/hardware-configuration.nix +++ b/hosts/arrakis/hardware-configuration.nix @@ -5,7 +5,7 @@ { imports = - [ #(modulesPath + "/installer/scan/not-detected.nix") + [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot = { @@ -16,9 +16,22 @@ zfs.extraPools = [ "data" ]; }; - environment.sessionVariables = { - LIBVA_DRIVER_NAME = "nvidia"; - MOZ_DISABLE_RDD_SANDBOX = "1"; + fileSystems."/srv/caladan/downloads" = { + device = "/data/home/nipsy/downloads"; + fsType = "none"; + options = [ + "bind" + "noauto" + ]; + }; + + fileSystems."/srv/caladan/www" = { + device = "/data/home/nipsy/www"; + fsType = "none"; + options = [ + "bind" + "noauto" + ]; }; fileSystems."/srv/nfs/keepers" = { @@ -47,19 +60,4 @@ "noauto" ]; }; - - hardware = { - bluetooth.enable = true; - graphics = { - enable = true; - extraPackages = with pkgs; [ nvidia-vaapi-driver ]; - extraPackages32 = with pkgs.pkgsi686Linux; [ nvidia-vaapi-driver ]; - }; - nvidia = { - modesetting.enable = true; - open = true; - package = pkgs.nvidia-patch.patch-nvenc (pkgs.nvidia-patch.patch-fbc config.boot.kernelPackages.nvidiaPackages.beta); - #package = config.boot.kernelPackages.nvidiaPackages.beta; - }; - }; } diff --git a/hosts/arrakis/services.nix b/hosts/arrakis/services.nix index b026cc1..697c25b 100644 --- a/hosts/arrakis/services.nix +++ b/hosts/arrakis/services.nix @@ -5,7 +5,7 @@ directory = * ''; - networking.firewall.allowedTCPPorts = [ 2049 ]; + networking.firewall.allowedTCPPorts = [ 2049 8333 ]; security.acme = { acceptTerms = true; 
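Review bot: The `|| ${pkgs.coreutils}/bin/true` appended to every `mount --onlyonce` line in the bind-mount script swallows every mount failure, not only the already-mounted case it is presumably there for. If a bind mount fails, the unit still reports success and the NFS server exports whatever sits underneath the mount point; for the `rw` `/srv/caladan/*` exports added in hosts/arrakis/services.nix, client writes would then land on the underlying filesystem rather than under `/data`. Consider following each mount with a check that fails the unit, e.g. `${pkgs.util-linux}/bin/mountpoint -q /srv/caladan/downloads`, so a missing bind mount is noticed. The unit definition starts outside this hunk.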
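Review bot: `networking.firewall.allowedTCPPorts = [ 2049 8333 ];` opens 8333 on every interface, but nothing in this commit enables a service on that port; the only hint is the commented-out `#pkgs.bitcoind` entry in hosts/arrakis/default.nix. Keep the port closed until the service exists, or add a comment saying what it is for and scope it to the LAN interface the way the `nftables-extra` rules do with `iifname "enp6s0"`. The surrounding attribute set continues outside this hunk.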
@@ -19,15 +19,10 @@ services = { - avahi = { - enable = true; - nssmdns4 = true; - openFirewall = true; - }; - cgit = { "arrakis.bitgnome.net" = { enable = true; + gitHttpBackend.checkExportOkFiles = false; nginx.location = "/nipsy/git/"; scanPath = "/home/nipsy/www/git"; settings = { @@ -58,20 +53,35 @@ cron.enable = true; - #dictd.enable = true; + dictd.enable = true; iperf3.openFirewall = true; jellyfin = { enable = true; - package = pkgs.master.jellyfin; + #package = pkgs.master.jellyfin; + }; + + minidlna = { + enable = true; + openFirewall = true; + settings = { + inotify = "yes"; + media_dir = [ + "A,/data/home/nipsy/www/media/music" + ]; + }; }; nfs = { server = { enable = true; exports = '' - /srv/nfs 192.168.1.0/24(ro,all_squash,insecure,crossmnt,subtree_check,fsid=0) + /srv/caladan/downloads 192.168.1.4/32(rw,root_squash,fsid=1) + /srv/caladan/www 192.168.1.4/32(rw,root_squash,fsid=2) + /srv/nfs/keepers 192.168.1.0/24(ro,all_squash,insecure,fsid=3) + /srv/nfs/movies 192.168.1.0/24(ro,all_squash,insecure,fsid=4) + /srv/nfs/tv 192.168.1.0/24(ro,all_squash,insecure,fsid=5) ''; }; settings = { @@ -87,8 +97,6 @@ nginx = let sys = lib.nixosSystem { - system = "x86_64-linux"; - modules = [ ({ config, pkgs, lib, modulesPath, ... }: { imports = [ @@ -97,9 +105,10 @@ ]; config = { - environment.systemPackages = with pkgs; [ - git - rsync + environment.systemPackages = [ + pkgs.git + pkgs.iperf + pkgs.rsync ]; nix.settings.experimental-features = [ "nix-command" "flakes" ]; @@ -109,8 +118,8 @@ openFirewall = true; settings = { - PasswordAuthentication = false; KbdInteractiveAuthentication = false; + PasswordAuthentication = false; }; }; @@ -120,6 +129,7 @@ }; }; }) + { nixpkgs.hostPlatform = "x86_64-linux"; } ]; }; 
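Review bot: `gitHttpBackend.checkExportOkFiles = false` makes every repository under `scanPath = "/home/nipsy/www/git"` cloneable over HTTP without a per-repository `git-daemon-export-ok` marker. If that is intended, say so next to the option so that a private repository is not dropped into that directory later by mistake, e.g. `# everything under scanPath is public; no export-ok marker required`. The cgit block continues outside this hunk.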
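Review bot: The two new `rw` exports for `192.168.1.4/32` are protected only by the client's IP address and by client-supplied uids. No `sec=` option is set, so presumably the default AUTH_SYS applies, and `root_squash` maps only uid 0, so any host that can present that address can write as any other uid into `/data/home/nipsy/downloads` and `/data/home/nipsy/www`, the tree minidlna reads from in this same hunk. Port 2049 is also opened to every source by `allowedTCPPorts`. Consider `all_squash,anonuid=<nipsy-uid>,anongid=<nipsy-gid>` on these two lines (placeholders; the ids are not on the page) and limiting 2049 to `ip saddr 192.168.1.0/24` as the Steam Remote Play rules do.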
@@ -217,10 +227,26 @@ }; "/nipsy" = { + tryFiles = "$uri $uri/ =404"; + }; + + "/nipsy/iso" = { + extraConfig = '' + autoindex on; + ''; + }; + + "/nipsy/media/emu/mame" = { + basicAuthFile = "${config.sops.secrets.htpasswd.path}"; + extraConfig = '' + autoindex on; + ''; + }; + + "/nipsy/media/misc" = { extraConfig = '' autoindex on; ''; - tryFiles = "$uri $uri/ =404"; }; }; @@ -229,17 +255,26 @@ }; }; + openssh.settings = { + StreamLocalBindUnlink = true; + }; + postfix = let my_email = "nipsy@bitgnome.net"; in { enable = true; extraAliases = '' nipsy: ${my_email} ''; - hostname = "${config.networking.hostName}.${config.networking.domain}"; - relayHost = "mail.bitgnome.net"; - relayPort = 587; rootAlias = my_email; - sslCert = "/var/lib/acme/arrakis.bitgnome.net/fullchain.pem"; - sslKey = "/var/lib/acme/arrakis.bitgnome.net/key.pem"; + settings.main = { + myhostname = "arrakis.bitgnome.net"; + relayhost = [ + "[mail.bitgnome.net]:587" + ]; + smtpd_tls_chain_files = [ + "/var/lib/acme/arrakis.bitgnome.net/key.pem" + "/var/lib/acme/arrakis.bitgnome.net/fullchain.pem" + ]; + }; }; printing.enable = true; 
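Review bot: The new `settings.main` block sets `relayhost` and `smtpd_tls_chain_files` but nothing for the client side of TLS, so whether mail handed to `[mail.bitgnome.net]:587` is encrypted now depends on defaults that are not visible in this hunk. The removed `sslCert`/`sslKey` options may also have configured outbound TLS; that is worth confirming against the module. If it is no longer set, pin it explicitly with `smtp_tls_security_level = "encrypt";` inside `settings.main`, so the relay connection cannot fall back to cleartext.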
@@ -291,41 +326,47 @@ device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800014"; options = "-a -o on -S on -m ${my_email_addr}"; } - #{ - # device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUEZNL"; - # options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - #} { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUUSXL"; + device = "/dev/disk/by-id/ata-WDC_WUH722020ALE604_2LG5X74K"; options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; } { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV0H5L"; + device = "/dev/disk/by-id/ata-WDC_WUH722020ALE604_2LGHJAUF"; options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; } { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUK5EL"; + device = "/dev/disk/by-id/ata-WDC_WUH722020ALE604_2LG26NHF"; options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; } { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV5JEL"; + device = "/dev/disk/by-id/ata-WDC_WUH722020BLE6L4_8LKLLAAE"; options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; } { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUZ42L"; + device = "/dev/disk/by-id/ata-WDC_WUH722020BLE6L4_8LK84H9V"; options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; } { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV3BSL"; + device = "/dev/disk/by-id/ata-WDC_WUH722020BLE6L4_2LGKG71F"; options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; } { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV338L"; + device = "/dev/disk/by-id/ata-WDC_WUH722020BLE6L4_9AG00UKJ"; + options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WUH722020BLE6L4_8LG806ZA"; options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; } ]; }; + udev.packages = [ + pkgs.vial + ]; + + #xserver.videoDrivers = [ 
"nvidia" ]; + }; #systemd.services.nginx.serviceConfig.ProtectHome = lib.mkForce false; diff --git a/hosts/caladan/default.nix b/hosts/caladan/default.nix new file mode 100644 index 0000000..b42dd03 --- /dev/null +++ b/hosts/caladan/default.nix 
@@ -0,0 +1,238 @@ +{ config, inputs, outputs, pkgs, ... }: { + boot = { + initrd.kernelModules = [ "amdgpu" "zfs" ]; + kernel.sysctl = { + "kernel.hostname" = "caladan.bitgnome.net"; + "kernel.split_lock_mitigate" = 0; # https://lwn.net/Articles/911219/ + #"net.ipv4.tcp_congestion_control" = "reno"; + }; + kernelPackages = pkgs.master.linuxPackages_7_0; + #kernelParams = [ + # "amdgpu.ppfeaturemask=0xfffd3fff" + # "split_lock_detect=off" + #]; + loader = { + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/efiboot/efi1"; + }; + systemd-boot = { + enable = true; + extraInstallCommands = '' + ${pkgs.rsync}/bin/rsync -av --delete /efiboot/efi1/ /efiboot/efi2 + ''; + memtest86.enable = true; + }; + timeout = 3; + }; + supportedFilesystems = [ "zfs" ]; + zfs = { + forceImportRoot = false; + package = pkgs.master.zfs_2_4; + }; + }; + + environment.systemPackages = [ + pkgs.android-tools + pkgs.angband + pkgs.assaultcube + pkgs.beyond-all-reason + pkgs.bsdgames + pkgs.bzflag + pkgs.extremetuxracer + pkgs.fastfetch + #pkgs.frozen-bubble + pkgs.hedgewars + pkgs.igir + pkgs.kobodeluxe + pkgs.linux-firmware + pkgs.master.linuxKernel.packages.linux_7_0.turbostat + pkgs.lrzsz + pkgs.mailutils + pkgs.minicom + #pkgs.moc + pkgs.ncftp + pkgs.nethack + pkgs.openttd + pkgs.piper + #pkgs.qbittorrent-nox + pkgs.rdiff-backup + pkgs.scorched3d + pkgs.setserial + pkgs.signal-desktop + #pkgs.signalbackup-tools + pkgs.starsector + #pkgs.master.supertux + pkgs.supertuxkart + pkgs.tio + pkgs.umoria + pkgs.unshield + pkgs.vial + pkgs.vice + #pkgs.warzone2100 + pkgs.wayback-x11 + pkgs.wpa_supplicant + pkgs.xonotic-sdl + #pkgs.master.xpilot-ng + ]; + + imports = [ + ./disks.nix + ./hardware-configuration.nix + ./services.nix + ../common/core + ../common/optional/db.nix + ../common/optional/dev.nix + ../common/optional/ebooks.nix + ../common/optional/games.nix + ../common/optional/google-authenticator.nix + ../common/optional/gui.nix + ../common/optional/misc.nix + 
../common/optional/multimedia.nix + ../common/optional/pipewire.nix + ../common/optional/printer.nix + ../common/optional/sdr.nix + ../common/optional/services/chrony.nix + ../common/optional/services/openssh.nix + #../common/optional/services/wayland.nix + ../common/optional/services/xorg.nix + ../common/optional/sound.nix + ../common/optional/wdt.nix + ../common/optional/zfs.nix + ../common/users/nipsy + ../common/users/root + ]; + + networking = { + defaultGateway = { + address = "192.168.1.1"; + interface = "enp16s0"; + }; + hostId = "8981d1e5"; + hostName = "caladan"; + interfaces = { + enp16s0 = { + ipv4.addresses = [ + { address = "192.168.1.4"; prefixLength = 24; } + ]; + }; + }; + nameservers = [ "192.168.1.1" ]; + nftables.enable = true; + search = [ + "bitgnome.net" + ]; + useDHCP = false; + #wireless = { + # enable = true; + # networks = { + # "Crystal Palace" = { + # pskRaw = "ext:psk_crystal_palace"; + # }; + # }; + # secretsFile = "${config.sops.secrets."wpa_supplicant".path}"; + #}; + }; + + nixpkgs = { + config = { + allowUnfree = true; + }; + hostPlatform = "x86_64-linux"; + overlays = [ + #inputs.nvidia-patch.overlays.default + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.master-packages + #outputs.overlays.my-nixpkgs-packages + #outputs.overlays.pr495610-packages + outputs.overlays.stable-packages + #outputs.overlays.staging-packages + #outputs.overlays.wine9_22-packages + ]; + }; + + programs = { + nix-ld = { + enable = true; + libraries = [ + pkgs.alsa-lib + pkgs.at-spi2-core + pkgs.cairo + pkgs.cups + pkgs.dbus + pkgs.fontconfig + pkgs.freetype + pkgs.glib + pkgs.libgbm + pkgs.libx11 + pkgs.libxcb + pkgs.libxext + pkgs.libxfixes + pkgs.libxkbcommon + pkgs.libxrandr + pkgs.nspr + pkgs.nss + pkgs.pango + pkgs.vulkan-loader + pkgs.libxcomposite + pkgs.libxdamage + ]; + }; + }; + + services.openssh.settings.X11Forwarding = true; + services.xserver.videoDrivers = [ "amdgpu" ]; + + sops = { + age.sshKeyPaths = [ 
"/etc/ssh/ssh_host_ed25519_key" ]; + defaultSopsFile = ../secrets/caladan.yaml; + + secrets = { + "nftables/ssh" = {}; + "nix-access-token-github" = {}; + "ssh_config".path = "/root/.ssh/config"; + #"wpa_supplicant" = { + # group = config.users.users.wpa_supplicant.group; + # owner = config.users.users.wpa_supplicant.name; + #}; + }; + }; + + system.stateVersion = "23.11"; + + systemd.services = { + + "nftables-extra" = let rules_script = '' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp16s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp16s0" udp dport 5121 counter accept # Neverwinter Nights Server' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp16s0" udp dport 9876-9878 counter accept # V Rising dedicated server' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp16s0" udp dport 15637 counter accept # Enshrouded' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp16s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp16s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play' + ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path} + ''; in { + description = "nftables extra firewall rules"; + reload = rules_script; + script = rules_script; + serviceConfig = { + RemainAfterExit = true; + Type = "oneshot"; + }; + unitConfig = { + ConditionPathExists = [ + config.sops.secrets."nftables/ssh".path + ]; + ReloadPropagatedFrom = "nftables.service"; + }; + wantedBy = [ "multi-user.target" ]; + after = [ "nftables.service" ]; + partOf = [ "nftables.service" ]; + }; + + }; + + users.users.root.openssh.authorizedKeys.keys = [ + (builtins.readFile ../common/users/nipsy/keys/id_att.pub) + ]; +} 
diff --git a/hosts/caladan/disks.nix b/hosts/caladan/disks.nix new file mode 100644 index 0000000..8961361 --- /dev/null +++ b/hosts/caladan/disks.nix 
@@ -0,0 +1,132 @@ +{ + disko.devices = { + disk = { + nvme0n1 = { + type = "disk"; + device = "/dev/disk/by-id/nvme-CT4000P3PSSD8_2512E9B12C42"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "1G"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/efiboot/efi1"; + mountOptions = [ "X-mount.mkdir" "umask=0077" ]; + extraArgs = [ "-nESP1" ]; + }; + }; + swap = { + size = "32G"; + type = "8200"; + content = { + type = "swap"; + extraArgs = [ "-L swap1" ]; + }; + }; + zfs = { + size = "100%"; + content = { + type = "zfs"; + pool = "rpool"; + }; + }; + }; + }; + }; + nvme1n1 = { + type = "disk"; + device = "/dev/disk/by-id/nvme-CT4000P3PSSD8_2512E9B12C44"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "1G"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/efiboot/efi2"; + mountOptions = [ "X-mount.mkdir" "umask=0077" ]; + extraArgs = [ "-nESP2" ]; + }; + }; + swap = { + size = "32G"; + type = "8200"; + content = { + type = "swap"; + extraArgs = [ "-L swap2" ]; + }; + }; + zfs = { + size = "100%"; + content = { + type = "zfs"; + pool = "rpool"; + }; + }; + }; + }; + }; + }; + zpool = { + rpool = { + mode = "mirror"; + type = "zpool"; + rootFsOptions = { + acltype = "posixacl"; + canmount = "off"; + compression = "on"; + dnodesize = "auto"; + relatime = "on"; + xattr = "sa"; + }; + options = { + ashift = "12"; + autotrim = "on"; + }; + datasets = { + "local" = { + type = "zfs_fs"; + options.mountpoint = "none"; + }; + "local/root" = { + type = "zfs_fs"; + options.mountpoint = "legacy"; + mountpoint = "/"; + }; + "local/nix" = { + type = "zfs_fs"; + options = { + atime = "off"; + mountpoint = "legacy"; + }; + mountpoint = "/nix"; + }; + "user" = { + type = "zfs_fs"; + options.mountpoint = "none"; + }; + "user/home" = { + type = "zfs_fs"; + options.mountpoint = "legacy"; + mountpoint = "/home"; + }; + "user/home/root" = { + type = "zfs_fs"; + 
options.mountpoint = "legacy"; + mountpoint = "/root"; + }; + "user/home/nipsy" = { + type = "zfs_fs"; + options.mountpoint = "legacy"; + mountpoint = "/home/nipsy"; + }; + }; + }; + }; + }; +} diff --git a/hosts/caladan/hardware-configuration.nix b/hosts/caladan/hardware-configuration.nix new file mode 100644 index 0000000..645d43e --- /dev/null +++ b/hosts/caladan/hardware-configuration.nix @@ -0,0 +1,65 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, inputs, lib, outputs, pkgs, modulesPath, ... }: + +{ + imports = + [ #(modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot = { + extraModulePackages = [ ]; + initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" ]; + initrd.kernelModules = [ ]; + kernelModules = [ "kvm-amd" "ntsync" ]; + #zfs.extraPools = [ "data" ]; + }; + + environment.sessionVariables = { + #LIBVA_DRIVER_NAME = "nvidia"; + MOZ_DISABLE_RDD_SANDBOX = "1"; + }; + + fileSystems = { + "/media" = { + device = "/dev/sda1"; + fsType = "auto"; + options = [ + "user,noauto" + ]; + }; + + "/mnt/downloads" = { + device = "192.168.1.2:/srv/caladan/downloads"; + fsType = "nfs"; + options = [ + "nfsvers=4.2" + ]; + }; + + "/mnt/www" = { + device = "192.168.1.2:/srv/caladan/www"; + fsType = "nfs"; + options = [ + "nfsvers=4.2" + ]; + }; + }; + + + hardware = { + amdgpu.overdrive.enable = true; + + bluetooth.enable = true; + + graphics = { + enable = true; + enable32Bit = true; + #extraPackages = [ pkgs.nvidia-vaapi-driver ]; + #extraPackages32 = [ pkgs.pkgsi686Linux.nvidia-vaapi-driver ]; + #package = pkgs.master.mesa; + #package32 = pkgs.master.driversi686Linux.mesa; + }; + }; +} diff --git a/hosts/caladan/services.nix b/hosts/caladan/services.nix new file mode 100644 index 0000000..79c5b97 --- /dev/null +++ b/hosts/caladan/services.nix 
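Review bot: `MOZ_DISABLE_RDD_SANDBOX = "1"` is carried into caladan's `environment.sessionVariables` even though the `LIBVA_DRIVER_NAME = "nvidia"` line beside it is commented out and this host loads `amdgpu`. The variable switches off the sandbox around Firefox's media-decoding process, and this commit removes the same pair from hosts/arrakis/hardware-configuration.nix along with the nvidia driver, which suggests it was only a workaround for that driver. If so, drop it here as well, or keep it commented like its neighbour: `#MOZ_DISABLE_RDD_SANDBOX = "1";`.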
@@ -0,0 +1,41 @@ +{ config, lib, pkgs, ... }: { + + services = { + + clamav.updater.enable = true; + + cron.enable = true; + + dictd.enable = true; + + iperf3.openFirewall = true; + + lact.enable = true; + + nfs.server.enable = true; + + printing.enable = true; + + ratbagd.enable = true; + + #smartd = let my_email_addr = "nipsy@bitgnome.net"; in { + # enable = true; + # devices = [ + # { + # device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800005"; + # options = "-a -o on -S on -m ${my_email_addr}"; + # } + # { + # device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800014"; + # options = "-a -o on -S on -m ${my_email_addr}"; + # } + # ]; + #}; + + udev.packages = [ + pkgs.vial + ]; + + }; + +} diff --git a/hosts/common/core/default.nix b/hosts/common/core/default.nix index 2bc8d14..f332f07 100644 --- a/hosts/common/core/default.nix +++ b/hosts/common/core/default.nix 
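Review bot: `nfs.server.enable = true` starts an NFS server on caladan although no `exports` are defined in this file. The host's hardware-configuration.nix only mounts `192.168.1.2:/srv/caladan/...` as a client, which does not need the server side. Unless exports are planned, remove the line to avoid an extra listening service on a workstation, or add a comment saying what it is for.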
@@ -9,98 +9,104 @@ documentation.dev.enable = true; documentation.man.enable = true; - environment.systemPackages = with pkgs; [ - acl - age - bash - bc - bind - binutils - bpftools - #bpftrace - bzip2 - colordiff - conntrack-tools - coreutils - cpio - curl - diceware - diffutils - dig - dmidecode - elinks - ethtool - file - findutils - fping - git - gnugrep - gnupatch - gnused - gnutar - gptfdisk - gzip - iproute2 - iputils - jq - less - lshw - lsof - lvm2 - lynx - moreutils - nano - ncurses - netcat-openbsd - nettools - nix-index - nmap - ntfs3g - nvd - oath-toolkit - openldap - openssl - p7zip - parted - patchelf - pciutils - procps - progress - psmisc - pv - pwgen - qemu_kvm - recode - rsync - sg3_utils - smartmontools - socat - sops - sqlite - ssh-to-age - ssh-to-pgp - stoken - strace - sysstat - tcpdump - master.tftp-hpa - traceroute - tree - tshark - unixtools.xxd - unrar - unzip - usbutils - util-linux - vim - wdiff - wget - whois - wireguard-tools - xkcdpass - xz - zip - zstd + environment.systemPackages = [ + pkgs.acl + pkgs.age + pkgs.bash + pkgs.bc + pkgs.bind + pkgs.binutils + pkgs.bpftools + #pkgs.bpftrace + pkgs.bzip2 + pkgs.colordiff + pkgs.conntrack-tools + pkgs.coreutils + pkgs.cpio + pkgs.csvkit + pkgs.curl + pkgs.diceware + pkgs.diffutils + pkgs.dig + pkgs.dmidecode + pkgs.elinks + pkgs.ethtool + pkgs.exfatprogs + pkgs.file + pkgs.findutils + pkgs.fping + pkgs.git + pkgs.gnugrep + pkgs.gnupatch + pkgs.gnused + pkgs.gnutar + pkgs.gptfdisk + pkgs.gzip + pkgs.htop + pkgs.hydra-check + pkgs.iproute2 + pkgs.iputils + pkgs.jq + pkgs.less + pkgs.lshw + pkgs.lsof + pkgs.lvm2 + pkgs.lynx + pkgs.moreutils + pkgs.nano + pkgs.ncurses + pkgs.netcat-openbsd + pkgs.nettools + pkgs.nix-index + pkgs.nmap + pkgs.ntfs3g + pkgs.nvd + pkgs.oath-toolkit + pkgs.openldap + pkgs.openssl + pkgs.p7zip + pkgs.parted + pkgs.patchelf + pkgs.pciutils + pkgs.perl5Packages.ArchiveZip + pkgs.procps + pkgs.progress + pkgs.psmisc + pkgs.pv + pkgs.pwgen + pkgs.qemu_kvm + 
pkgs.recode + pkgs.rsync + pkgs.sg3_utils + pkgs.smartmontools + pkgs.socat + pkgs.sops + pkgs.sqlite + pkgs.ssh-to-age + pkgs.ssh-to-pgp + pkgs.stoken + pkgs.strace + pkgs.sysstat + pkgs.tcpdump + pkgs.tftp-hpa + pkgs.traceroute + pkgs.tree + pkgs.tshark + pkgs.unixtools.xxd + pkgs.unrar + pkgs.unzip + pkgs.usbutils + pkgs.util-linux + pkgs.vim + pkgs.w3m + pkgs.wdiff + pkgs.wget + pkgs.whois + pkgs.wireguard-tools + pkgs.xkcdpass + pkgs.xz + pkgs.zip + pkgs.zstd ]; hardware.enableRedistributableFirmware = true; @@ -111,4 +117,6 @@ programs.mtr.enable = true; programs.tmux.enable = true; programs.zsh.enable = true; + + #services.dbus.implementation = "broker"; } diff --git a/hosts/common/core/nix.nix b/hosts/common/core/nix.nix index a989f03..7370241 100644 --- a/hosts/common/core/nix.nix +++ b/hosts/common/core/nix.nix @@ -1,29 +1,24 @@ { inputs, lib, ... }: - -let - build-tmp = "/var/tmp"; -in { - +{ nix = { + gc = { + automatic = true; + dates = "daily"; + options = "--delete-older-than 7d"; + randomizedDelaySec = "5min"; + }; + #package = pkgs.nixVersions.latest; settings = { auto-optimise-store = lib.mkDefault true; - build-dir = build-tmp; experimental-features = [ "nix-command" "flakes" ]; trusted-users = [ "root" "@wheel" ]; warn-dirty = false; }; - - # Garbage Collection - gc = { - automatic = true; - dates = "weekly"; - randomizedDelaySec = "14m"; - # Keep the last 2 generations - options = "--delete-older-than 28d"; - }; - }; - systemd.services."nix-daemon".environment.TMPDIR = build-tmp; - + systemd.user.services."nix-gc" = { + description = "Garbage collection for user profiles"; + script = "/run/current-system/sw/bin/nix-collect-garbage --delete-older-than 7d"; + startAt = "daily"; + }; } diff --git a/hosts/common/core/shells.nix b/hosts/common/core/shells.nix index 0469b8c..f02ec63 100644 --- a/hosts/common/core/shells.nix +++ b/hosts/common/core/shells.nix 
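Review bot: In `hosts/common/core/nix.nix` the retention `--delete-older-than 7d` is now written twice, once in `nix.gc.options` and once in the `script` of the new `nix-gc` user unit, and together with `dates = "daily"` it shrinks the rollback window from the previous 28 days to 7. On a host that is rebuilt rarely, that can leave only the current generation to boot back into after a bad change. If the shorter window is intended, a comment such as `# keep one week of generations; rollback beyond that is not needed` would record it, and binding the age once (`let gcAge = "7d"; in`) keeps the system and user collectors from drifting apart.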
@@ -1,8 +1,7 @@ { pkgs, ... }: { - environment.systemPackages = builtins.attrValues { - inherit (pkgs) - bash - zsh; - }; + environment.systemPackages = [ + pkgs.bash + pkgs.zsh + ]; } diff --git a/hosts/common/optional/adb.nix b/hosts/common/optional/adb.nix deleted file mode 100644 index 435add8..0000000 --- a/hosts/common/optional/adb.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ - programs.adb.enable = true; -} diff --git a/hosts/common/optional/db.nix b/hosts/common/optional/db.nix index af6766e..d4410bd 100644 --- a/hosts/common/optional/db.nix +++ b/hosts/common/optional/db.nix @@ -1,8 +1,7 @@ { pkgs, ... }: { - environment.systemPackages = builtins.attrValues { - inherit (pkgs) - mariadb - postgresql; - }; + environment.systemPackages = [ + pkgs.mariadb + pkgs.postgresql + ]; } diff --git a/hosts/common/optional/dev.nix b/hosts/common/optional/dev.nix index c25ab08..8238424 100644 --- a/hosts/common/optional/dev.nix +++ b/hosts/common/optional/dev.nix @@ -1,20 +1,19 @@ { pkgs, ... }: { - environment.systemPackages = builtins.attrValues { - inherit (pkgs) - autoconf - automake - cargo - cmake - gcc - go - nasm - perl - pkg-config - python3 - rustc - virtualenv - yasm - zig; - }; + environment.systemPackages = [ + pkgs.autoconf + pkgs.automake + pkgs.cargo + pkgs.cmake + pkgs.gcc + pkgs.go + pkgs.nasm + pkgs.perl + pkgs.pkg-config + pkgs.python3 + pkgs.rustc + pkgs.virtualenv + pkgs.yasm + pkgs.zig + ]; } diff --git a/hosts/common/optional/ebooks.nix b/hosts/common/optional/ebooks.nix index b2cbb2b..1805b7a 100644 --- a/hosts/common/optional/ebooks.nix +++ b/hosts/common/optional/ebooks.nix @@ -1,8 +1,8 @@ { pkgs, ... }: { - environment.systemPackages = with pkgs; [ - libgourou - master.calibre + environment.systemPackages = [ + pkgs.libgourou + pkgs.calibre ]; services.udisks2.enable = true; diff --git a/hosts/common/optional/games.nix b/hosts/common/optional/games.nix index c0770cd..49ee9ba 100644 --- a/hosts/common/optional/games.nix 
+++ b/hosts/common/optional/games.nix @@ -1,26 +1,21 @@ { pkgs, ... }: { - #environment.systemPackages = builtins.attrValues { - # inherit (pkgs) - # godot_4 - # mame - # mednafen - # mednaffe - # winetricks; - #}; - - environment.systemPackages = with pkgs; [ - godot_4 - mame - mame.tools - mednafen - mednaffe - winetricks - wineWowPackages.stagingFull + environment.systemPackages = [ + pkgs.godot + pkgs.mame + pkgs.mame.tools + pkgs.mednafen + pkgs.mednaffe + pkgs.protontricks + pkgs.steamcmd ]; + hardware.steam-hardware.enable = true; + programs.steam = { enable = true; - extraCompatPackages = with pkgs; [ proton-ge-bin ]; + extraCompatPackages = [ pkgs.proton-ge-bin ]; + extraPackages = [ pkgs.hidapi ]; + #package = pkgs.master.steam; }; } diff --git a/hosts/common/optional/google-authenticator.nix b/hosts/common/optional/google-authenticator.nix index 7380d1b..87e43fd 100644 --- a/hosts/common/optional/google-authenticator.nix +++ b/hosts/common/optional/google-authenticator.nix @@ -1,15 +1,17 @@ { pkgs, ... }: { - environment.systemPackages = builtins.attrValues { - inherit (pkgs) - #other - google-authenticator; + environment = { + etc."pam.d/xscreensaver".source = "/etc/static/pam.d/xlock"; + systemPackages = [ + #pkgs.other + pkgs.google-authenticator + ]; }; security.pam.services = { chfn.googleAuthenticator.enable = true; chsh.googleAuthenticator.enable = true; - cups.googleAuthenticator.enable = true; + #cups.googleAuthenticator.enable = true; lightdm.googleAuthenticator.enable = true; login.googleAuthenticator.enable = true; other.googleAuthenticator.enable = true; diff --git a/hosts/common/optional/gui.nix b/hosts/common/optional/gui.nix new file mode 100644 index 0000000..4ed2b86 --- /dev/null +++ b/hosts/common/optional/gui.nix 
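Review bot: In `google-authenticator.nix`, `etc."pam.d/xscreensaver".source = "/etc/static/pam.d/xlock";` makes the screen locker authenticate through whatever stack `xlock` has, and nothing visible in this hunk shows `xlock` among the `security.pam.services` entries that enable `googleAuthenticator` (the list runs past the end of the hunk, so it may be covered below). If `xlock` is not generated on a host that imports this module, the link dangles and unlocking presumably falls back to another stack or fails. Declaring the service directly, `security.pam.services.xscreensaver.googleAuthenticator.enable = true;`, keeps the second factor on unlock explicit and avoids the hard-coded `/etc/static` path. The newly commented-out `cups` line would also benefit from a one-line reason.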
@@ -0,0 +1,76 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = [
+ pkgs.chafa
+ pkgs.evince
+ pkgs.feh
+ pkgs.freerdp
+ pkgs.gcr
+ #pkgs.geeqie
+ pkgs.ghostty
+ pkgs.gimp3
+ #pkgs.gimp-with-plugins
+ pkgs.google-chrome
+ pkgs.gv
+ pkgs.inkscape
+ pkgs.kdePackages.okular
+ pkgs.libreoffice
+ pkgs.libva-utils
+ pkgs.mako
+ pkgs.mesa-demos
+ pkgs.polkit_gnome
+ pkgs.rdesktop
+ pkgs.read-edid
+ pkgs.slurp
+ pkgs.st
+ pkgs.swayimg
+ pkgs.sxiv
+ pkgs.vdpauinfo
+ pkgs.vulkan-tools
+ pkgs.wireshark
+ pkgs.xclip
+ pkgs.xdotool
+ pkgs.appres
+ pkgs.editres
+ pkgs.xdpyinfo
+ pkgs.xev
+ pkgs.xsnow
+ pkgs.xterm
+ ];
+
+ programs = {
+ dconf.enable = true;
+
+ firefox = {
+ enable = true;
+ #package = pkgs.master.firefox;
+ };
+
+ #gamemode.enable = true;
+ #steam.gamescopeSession.enable = true;
+ };
+
+ security.pam.loginLimits = [
+ { domain = "@users"; item = "rtprio"; type = "-"; value = 1; }
+ ];
+
+ services = {
+ blueman.enable = true;
+ libinput.enable = true;
+ printing.enable = true;
+ };
+
+ systemd.user.services.polkit-gnome-authentication-agent-1 = {
+ after = [ "graphical-session.target" ];
+ description = "polkit-gnome-authentication-agent-1";
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+ Restart = "on-failure";
+ RestartSec = 1;
+ TimeoutStopSec = 10;
+ };
+ wantedBy = [ "graphical-session.target" ];
+ wants = [ "graphical-session.target" ];
+ };
+}
diff --git a/hosts/common/optional/misc.nix b/hosts/common/optional/misc.nix
index f996274..a784324 100644
--- a/hosts/common/optional/misc.nix
+++ b/hosts/common/optional/misc.nix
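Review bot: `pkgs.wireshark` is added to `environment.systemPackages` in `gui.nix` with no unprivileged capture path, so live captures tend to be run as root, with every protocol dissector parsing untrusted traffic at that privilege. NixOS has a module for this: `programs.wireshark.enable = true;` with `programs.wireshark.package = pkgs.wireshark;` installs a capability-wrapped `dumpcap` for members of the `wireshark` group. The capturing user then needs that group, which could go into the `ifTheyExist` list of the user modules.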
@@ -1,37 +1,39 @@ { pkgs, ... }: { - environment.systemPackages = with pkgs; [ - ansible - aspell - aspellDicts.en - aspellDicts.en-computers - aspellDicts.en-science - #dict - encfs - enscript - expect - fio - fortune - ghostscript - imagemagick - inxi - iotop - ipcalc - iperf - mutt - poppler_utils - powertop - qrencode - radeontop - speedtest-cli - sshfs - (weechat.override { + environment.systemPackages = [ + pkgs.amdgpu_top + pkgs.ansible + pkgs.aspell + pkgs.aspellDicts.en + pkgs.aspellDicts.en-computers + pkgs.aspellDicts.en-science + pkgs.dict + pkgs.encfs + pkgs.enscript + pkgs.expect + pkgs.fio + pkgs.fortune + pkgs.ghostscript + pkgs.imagemagick + pkgs.inxi + pkgs.iotop + pkgs.ipcalc + pkgs.iperf + pkgs.mutt + pkgs.perf + pkgs.poppler-utils + pkgs.powertop + pkgs.qrencode + pkgs.radeontop + pkgs.speedtest-cli + pkgs.sshfs + (pkgs.weechat.override { configure = { availablePlugins, ...}: { plugins = with availablePlugins; [ (perl.withPackages(p: [ p.PodParser ])) ] ++ [ python ]; - scripts = with pkgs.weechatScripts; [ - wee-slack + scripts = [ + pkgs.weechatScripts.wee-slack ]; }; }) diff --git a/hosts/common/optional/multimedia.nix b/hosts/common/optional/multimedia.nix index f519992..8e820b1 100644 --- a/hosts/common/optional/multimedia.nix +++ b/hosts/common/optional/multimedia.nix @@ -1,13 +1,13 @@ { pkgs, ... }: { - #environment.systemPackages = builtins.attrValues { - # inherit (pkgs) - environment.systemPackages = with pkgs; [ - ffmpeg - flac - lame - mkvtoolnix-cli - x265#; + environment.systemPackages = [ + pkgs.ffmpeg + pkgs.flac + pkgs.lame + pkgs.mangohud + pkgs.mpv + pkgs.mkvtoolnix-cli + pkgs.vlc + pkgs.x265 ]; - #}; } diff --git a/hosts/common/optional/pipewire.nix b/hosts/common/optional/pipewire.nix index e34010e..f87dea4 100644 --- a/hosts/common/optional/pipewire.nix +++ b/hosts/common/optional/pipewire.nix 
@@ -1,13 +1,12 @@ { pkgs, ... }: { - environment.systemPackages = builtins.attrValues { - inherit (pkgs) - easyeffects - pamixer - pavucontrol - pwvucontrol - qpwgraph; - }; + environment.systemPackages = [ + pkgs.easyeffects + #pkgs.pamixer + pkgs.pavucontrol + pkgs.pwvucontrol + pkgs.qpwgraph + ]; security.pam.loginLimits = [ { domain = "@audio"; item = "memlock"; type = "-" ; value = "unlimited"; } @@ -25,7 +24,10 @@ jack.enable = true; #package = pkgs.master.pipewire; pulse.enable = true; - wireplumber.enable = true; + wireplumber = { + enable = true; + #package = pkgs.master.wireplumber; + }; # use the example session manager (no others are packaged yet so this is enabled by default, # no need to redefine it in your config for now) diff --git a/hosts/common/optional/printer.nix b/hosts/common/optional/printer.nix new file mode 100644 index 0000000..32e4c76 --- /dev/null +++ b/hosts/common/optional/printer.nix @@ -0,0 +1,22 @@ +{ lib, ... }: +{ + hardware.printers = let + brother = "Brother_HL-L2340D"; + ip = "192.168.1.20"; + in { + ensureDefaultPrinter = brother; + ensurePrinters = [{ + name = brother; + deviceUri = "ipp://${ip}/ipp"; + model = "everywhere"; + description = lib.replaceStrings [ "_" ] [ " " ] brother; + location = "home"; + }]; + }; + + systemd.services."ensure-printers" = { + after = [ "network-online.target" ]; + preStart = "sleep 5"; + wants = [ "network-online.target" ]; + }; +} diff --git a/hosts/common/optional/sdr.nix b/hosts/common/optional/sdr.nix index 8e1e5d2..3ac2c3c 100644 --- a/hosts/common/optional/sdr.nix +++ b/hosts/common/optional/sdr.nix @@ -1,10 +1,10 @@ { pkgs, ... }: { - environment.systemPackages = builtins.attrValues { - inherit (pkgs) - fldigi - sdrconnect; - }; + environment.systemPackages = [ + pkgs.chirp + pkgs.fldigi + pkgs.sdrconnect + ]; services.udev.extraRules = '' SUBSYSTEM=="usb",ENV{DEVTYPE}=="usb_device",ATTRS{idVendor}=="1df7",ATTRS{idProduct}=="2500",MODE:="0666" 
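Review bot: In the new `printer.nix`, `deviceUri = "ipp://${ip}/ipp";` sends print jobs to the device unencrypted. If the printer offers IPP over TLS, `ipps://${ip}/ipp` is the safer URI; if it does not, a comment saying so would record the decision. `preStart = "sleep 5";` on `ensure-printers` papers over a readiness race after `network-online.target`, and a comment naming what it waits for would be worth adding. The address `192.168.1.20` also appears as the `brother` reservation in `dhcp.nix`, so the two have to be changed together.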
diff --git a/hosts/common/optional/services/dhcp.nix b/hosts/common/optional/services/dhcp.nix index cc21ef9..4bd9477 100644 --- a/hosts/common/optional/services/dhcp.nix +++ b/hosts/common/optional/services/dhcp.nix @@ -7,10 +7,10 @@ "tftp/undionly.kpxe".source = "${pkgs.ipxe}/undionly.kpxe"; }; - systemPackages = with pkgs; [ - ipxe - master.tftp-hpa - master.wol + systemPackages = [ + pkgs.ipxe + pkgs.tftp-hpa + pkgs.wol ]; }; @@ -99,13 +99,17 @@ ]; reservations = [ + ({ hw-address = "3c:78:95:e0:fc:3a"; ip-address = "192.168.1.10"; }) # mister ({ hw-address = "8c:8c:aa:4e:e9:8c"; ip-address = "192.168.1.11"; }) # jupiter ({ hw-address = "38:f3:ab:59:06:e0"; ip-address = "192.168.1.12"; }) # saturn ({ hw-address = "8c:8c:aa:4e:fc:aa"; ip-address = "192.168.1.13"; }) # uranus ({ hw-address = "38:f3:ab:59:08:10"; ip-address = "192.168.1.14"; }) # neptune + ({ hw-address = "e8:8d:a6:e2:2a:85"; ip-address = "192.168.1.16"; }) # deck ({ hw-address = "7c:b5:66:65:e2:9e"; ip-address = "192.168.1.17"; }) # ginaz + ({ hw-address = "9c:13:9e:ed:f4:e8"; ip-address = "192.168.1.18"; }) # loadstar ({ hw-address = "00:05:cd:72:92:b0"; ip-address = "192.168.1.19"; }) # onkyo ({ hw-address = "74:29:af:6f:20:ed"; ip-address = "192.168.1.20"; }) # brother + ({ hw-address = "ce:b9:f3:eb:b5:10"; ip-address = "192.168.1.21"; }) # mister-lan ({ hw-address = "ec:08:6b:6a:4a:ac"; ip-address = "192.168.1.252"; }) # ac2600 ]; } @@ -123,7 +127,7 @@ Restart = "always"; RestartSec = 5; Type = "exec"; - ExecStart = "${pkgs.master.tftp-hpa}/bin/in.tftpd -l -a 192.168.1.1:69 -P /run/tftpd.pid /etc/tftp"; + ExecStart = "${pkgs.tftp-hpa}/bin/in.tftpd -l -a 192.168.1.1:69 -P /run/tftpd.pid /etc/tftp"; TimeoutStopSec = 20; PIDFile = "/run/tftpd.pid"; }; diff --git a/hosts/common/optional/services/nolid.nix b/hosts/common/optional/services/nolid.nix index db868fe..7346c26 100644 --- a/hosts/common/optional/services/nolid.nix +++ b/hosts/common/optional/services/nolid.nix 
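Review bot: The `ExecStart` line changed in the last `dhcp.nix` hunk starts `in.tftpd` with `-l -a 192.168.1.1:69`, and the visible part of `serviceConfig` carries no sandboxing (the unit begins above the hunk, so some may exist there). The files under `/etc/tftp` appear to be links into the Nix store (`"tftp/undionly.kpxe".source = "${pkgs.ipxe}/undionly.kpxe"` in the first hunk), so the daemon's own `--secure` chroot is probably not usable here. Confinement is therefore better placed on the unit: `ProtectHome = true;`, `PrivateTmp = true;`, `NoNewPrivileges = true;`. PXE clients execute what this service hands out, so it is worth limiting what a fault in it could reach.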
@@ -1,7 +1,7 @@ { - services.logind = { - lidSwitch = "ignore"; - lidSwitchDocked = "ignore"; - lidSwitchExternalPower = "ignore"; + services.logind.settings.Login = { + HandleLidSwitch = "ignore"; + HandleLidSwitchDocked = "ignore"; + HandleLidSwitchExternalPower = "ignore"; }; } diff --git a/hosts/common/optional/services/nsd/bitgnome.net.zone b/hosts/common/optional/services/nsd/bitgnome.net.zone index f421fb9..76e1df5 100644 --- a/hosts/common/optional/services/nsd/bitgnome.net.zone +++ b/hosts/common/optional/services/nsd/bitgnome.net.zone @@ -3,7 +3,7 @@ $ORIGIN bitgnome.net. $TTL 1h @ in soa ns.bitgnome.net. nipsy.bitgnome.net. ( - 2025010101 ; serial + 2026051501 ; serial 1d ; refresh 2h ; retry 4w ; expire @@ -29,7 +29,7 @@ $TTL 1h ; name servers ns in a 5.161.149.85 ns in aaaa 2a01:4ff:f0:e164::1 -ns2 in a 67.5.101.192 +ns2 in a 67.5.101.3 ; srv records _xmpp-client._tcp 5m in srv 0 0 5222 bitgnome.net. @@ -67,10 +67,10 @@ mta-sts 5m in cname @ ;royder in cname @ ; external machines -arrakis 1m in a 67.5.101.192 +arrakis 1m in a 67.5.101.3 ;darkstar 1m in a 66.69.213.114 ;nb 1m in a 67.10.209.108 ;terraria 1m in a 128.83.27.4 ;caladan 1m in a 104.130.129.241 ;caladan 1m in aaaa 2001:4800:7818:101:be76:4eff:fe03:db44 -darkstar 1m in a 67.5.101.192 +darkstar 1m in a 67.5.101.3 diff --git a/hosts/common/optional/services/openssh.nix b/hosts/common/optional/services/openssh.nix index 424d3bf..2bd7caf 100644 --- a/hosts/common/optional/services/openssh.nix +++ b/hosts/common/optional/services/openssh.nix @@ -1,4 +1,7 @@ +{ pkgs, ... }: { + #programs.ssh.package = pkgs.openssh_10_2; + services.openssh = { enable = true; settings = { diff --git a/hosts/common/optional/services/wayland.nix b/hosts/common/optional/services/wayland.nix new file mode 100644 index 0000000..501e173 --- /dev/null +++ b/hosts/common/optional/services/wayland.nix 
@@ -0,0 +1,16 @@ +{ pkgs, ... }: +{ + environment.systemPackages = [ + pkgs.grim + pkgs.wev + pkgs.wl-clipboard + pkgs.wlvncc + ]; + + programs = { + sway = { + enable = true; + wrapperFeatures.gtk = true; + }; + }; +} diff --git a/hosts/common/optional/services/xorg.nix b/hosts/common/optional/services/xorg.nix index c9aaeaa..9852a51 100644 --- a/hosts/common/optional/services/xorg.nix +++ b/hosts/common/optional/services/xorg.nix @@ -1,47 +1,11 @@ -{ pkgs, ... }: +{ config, lib, pkgs, ... }: { - #environment.systemPackages = builtins.attrValues { - # inherit (pkgs) - environment.systemPackages = with pkgs; [ - evince - feh - gcr - geeqie - master.ghostty - gimp - #gimp-with-plugins - google-chrome - gv - inkscape - libreoffice - libva-utils - mesa-demos - mpv - polkit_gnome - master.rdesktop - read-edid - st - sxiv - tigervnc - turbovnc - vdpauinfo - vlc - vulkan-tools - wireshark - x11vnc - xclip - xdotool - xorg.appres - xorg.editres - xorg.xdpyinfo - xorg.xev - xscreensaver - xsnow - xterm#; + environment.systemPackages = [ + #pkgs.tigervnc + pkgs.turbovnc + pkgs.x11vnc + pkgs.xscreensaver ]; - #}; - - programs.firefox.enable = true; security.polkit = { enable = true; 
@@ -63,42 +27,33 @@ ''; }; - services.blueman.enable = true; - services.printing.enable = true; - services.displayManager.defaultSession = "xsession"; - services.libinput.enable = true; - services.xserver = { - displayManager.lightdm = { - enable = true; - extraSeatDefaults = ''greeter-hide-users=true''; + services = { + displayManager = lib.mkIf (config.networking.hostName != "fangorn") { + defaultSession = "xsession"; }; - - displayManager.session = [ - { - manage = "desktop"; - name = "xsession"; - start = ''exec $HOME/.xsession''; - } - ]; - - enable = true; - xkb.layout = "us"; - xkb.options = "caps:super,compose:ralt"; - }; - - systemd = { - user.services.polkit-gnome-authentication-agent-1 = { - description = "polkit-gnome-authentication-agent-1"; - wantedBy = [ "graphical-session.target" ]; - wants = [ "graphical-session.target" ]; - after = [ "graphical-session.target" ]; - serviceConfig = { - Type = "simple"; - ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1"; - Restart = "on-failure"; - RestartSec = 1; - TimeoutStopSec = 10; - }; + picom.enable = true; + xserver = { + displayManager.lightdm = lib.mkMerge [ + (lib.mkIf (config.networking.hostName == "fangorn") { + enable = true; + }) + (lib.mkIf (config.networking.hostName != "fangorn") { + enable = true; + extraSeatDefaults = ''greeter-hide-users=true''; + }) + ]; + + displayManager.session = lib.mkIf (config.networking.hostName != "fangorn") [ + { + manage = "desktop"; + name = "xsession"; + start = ''exec $HOME/.xsession''; + } + ]; + + enable = true; + xkb.layout = "us"; + xkb.options = "caps:super,compose:ralt"; }; }; } diff --git a/hosts/common/optional/sound.nix b/hosts/common/optional/sound.nix index b05ef1e..55be237 100644 --- a/hosts/common/optional/sound.nix +++ b/hosts/common/optional/sound.nix 
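Review bot: The three `config.networking.hostName` comparisons against `"fangorn"` in `xorg.nix`, and the `lib.mkMerge` of two `mkIf` branches that both set `enable = true`, can be reduced. Bind `isFangorn = config.networking.hostName == "fangorn";` once and write `displayManager.lightdm = { enable = true; extraSeatDefaults = lib.mkIf (!isFangorn) ''greeter-hide-users=true''; };`. The fangorn branch drops `greeter-hide-users=true`, so the greeter there lists local account names; a comment saying that is deliberate would help. A shared module keyed on one host name is also easy to miss later, and a per-host override under `hosts/fangorn` would keep the exception next to the host it belongs to.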
@@ -1,38 +1,51 @@ { pkgs, ... }: { environment = { - systemPackages = with pkgs; [ - bespokesynth - cardinal - chow-tape-model - distrho-ports - fluidsynth - geonkick - lilypond-unstable-with-fonts - lsp-plugins - odin2 - oxefmsynth - polyphone - qsynth - reaper - #master.rosegarden - samplv1 - sfizz - surge-XT - synthv1 - v4l-utils - vapoursynth - vital - vmpk - vocproc - wavpack - winetricks - wineWowPackages.stagingFull - yabridge - yabridgectl - yoshimi - zam-plugins - zynaddsubfx + systemPackages = [ + #pkgs.artyFX + pkgs.audacity + pkgs.bespokesynth + pkgs.boops + pkgs.cardinal + #pkgs.carla + #pkgs.chow-tape-model + pkgs.cmus + pkgs.distrho-ports + pkgs.fluidsynth + #pkgs.fmsynth + #pkgs.gearmulator + pkgs.geonkick + #pkgs.master.guitarix + pkgs.gxplugins-lv2 + pkgs.lilypond-unstable-with-fonts + pkgs.lsp-plugins + pkgs.meters-lv2 + pkgs.odin2 + pkgs.oxefmsynth + #pkgs.master.polyphone + pkgs.qsynth + pkgs.reaper + pkgs.rosegarden + pkgs.samplv1 + pkgs.sfizz + #pkgs.sorcer + pkgs.surge-xt + pkgs.synthv1 + pkgs.talentedhack + #pkgs.tunefish + pkgs.v4l-utils + pkgs.vapoursynth + pkgs.vital + pkgs.vmpk + pkgs.vocproc + pkgs.wavpack + pkgs.winetricks + pkgs.wineWow64Packages.stagingFull + pkgs.yabridge + pkgs.yabridgectl + pkgs.yoshimi + pkgs.zam-plugins + pkgs.zynaddsubfx ]; }; } diff --git a/hosts/common/optional/wdt.nix b/hosts/common/optional/wdt.nix new file mode 100644 index 0000000..3d60706 --- /dev/null +++ b/hosts/common/optional/wdt.nix @@ -0,0 +1,3 @@ +{ + systemd.settings.Manager.RuntimeWatchdogSec = "60s"; +} diff --git a/hosts/common/users/don/default.nix b/hosts/common/users/don/default.nix new file mode 100644 index 0000000..3c700a7 --- /dev/null +++ b/hosts/common/users/don/default.nix 
@@ -0,0 +1,32 @@ +{ pkgs, inputs, config, ... }: +let + ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups; + uid = 1001; +in +{ + users.groups.don.gid = uid; + users.users.don = { + description = "Don Arnold"; + extraGroups = [ + "audio" + "video" + "wheel" + ] ++ ifTheyExist [ + "adbusers" + "networkmanager" + "vboxsf" + "vboxusers" + ]; + group = "don"; + home = "/home/don"; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + (builtins.readFile ../nipsy/keys/id_arrakis.pub) + #(builtins.readFile ./keys/id_other.pub) + ]; + + packages = [ pkgs.home-manager ]; + #shell = pkgs.zsh; + uid = uid; + }; +} diff --git a/hosts/common/users/lin/default.nix b/hosts/common/users/lin/default.nix new file mode 100644 index 0000000..048a6fc --- /dev/null +++ b/hosts/common/users/lin/default.nix @@ -0,0 +1,18 @@ +{ pkgs, config, ... }: +let + ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups; + uid = 1001; +in +{ + users.groups.lin.gid = uid; + users.users.lin = { + description = "Lindsey Holcomb"; + group = "lin"; + home = "/data/home/lin"; + isNormalUser = true; + + packages = [ pkgs.home-manager ]; + #shell = pkgs.zsh; + uid = uid; + }; +} diff --git a/hosts/common/users/nipsy/default.nix b/hosts/common/users/nipsy/default.nix index 5eacd6f..35daabc 100644 --- a/hosts/common/users/nipsy/default.nix +++ b/hosts/common/users/nipsy/default.nix @@ -1,9 +1,10 @@ { pkgs, inputs, config, ... }: let ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups; + uid = 1000; in { - users.groups.nipsy.gid = 1000; + users.groups.nipsy.gid = uid; users.users.nipsy = { description = "Mark Nipper"; extraGroups = [ @@ -12,6 +13,8 @@ in "wheel" ] ++ ifTheyExist [ "adbusers" + "dialout" + "gamemode" "networkmanager" "vboxsf" "vboxusers" @@ -26,5 +29,6 @@ in packages = [ pkgs.home-manager ]; shell = pkgs.zsh; + uid = uid; }; } 
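Review bot: The new `don` account is in `wheel`, and its only `openssh.authorizedKeys.keys` entry is `../nipsy/keys/id_arrakis.pub`, so the holder of nipsy's key can log in as `don` and logins by the two people cannot be told apart in the SSH logs. With `trusted-users = [ "root" "@wheel" ]` in `hosts/common/core/nix.nix`, membership in `wheel` also makes the account a trusted Nix user. If the shared key is a bootstrap measure, say so in a comment, e.g. `# temporary: nipsy's key until don has his own`, and replace it with a key under `./keys/` once one exists. If Don does not need to administer the host, leave `"wheel"` out of `extraGroups`.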
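Review bot: `uid = 1001;` in `hosts/common/users/lin/default.nix` is the same number that `hosts/common/users/don/default.nix` uses for its uid and gid, so a host that imports both modules gets two accounts sharing one numeric identity. File ownership on disk, and on any share that identifies users by number, then cannot distinguish them. Give `lin` its own value, e.g. `uid = 1002;`, unless the two modules are never imported together, in which case a comment should say so. `ifTheyExist` is defined in this file's `let` but never used and can be removed.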
diff --git a/hosts/common/users/nipsy/keys/id_att.pub b/hosts/common/users/nipsy/keys/id_att.pub index 8a66903..9aa33b1 100644 --- a/hosts/common/users/nipsy/keys/id_att.pub +++ b/hosts/common/users/nipsy/keys/id_att.pub @@ -1 +1 @@ -ssh-rsa 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 mn116t@att.com +ssh-rsa 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 mn116t@att.com diff --git a/hosts/darkstar/default.nix b/hosts/darkstar/default.nix index b53a7d7..08d6e78 100644 --- a/hosts/darkstar/default.nix +++ b/hosts/darkstar/default.nix @@ -2,9 +2,10 @@ boot = { initrd.kernelModules = [ "zfs" ]; kernel.sysctl = { + "kernel.hostname" = "darkstar.bitgnome.net"; "net.ipv4.ip_forward" = true; }; - kernelPackages = pkgs.linuxPackages_6_12; + kernelPackages = pkgs.master.linuxPackages_7_0; loader = { efi = { canTouchEfiVariables = true; 
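Review bot: `"kernel.hostname" = "darkstar.bitgnome.net";` in `boot.kernel.sysctl` sets the hostname a second way while `networking.hostName = "darkstar";` stays in place in a later hunk, so the value a service sees depends on which of the two was applied last. If the aim is an FQDN kernel hostname now that `networking.domain` is removed, the line should say so, e.g. `# FQDN on purpose; networking.domain was dropped in favour of networking.search`. `kernelPackages = pkgs.master.linuxPackages_7_0;` also moves this forwarding host onto the `master` package set, and the reason for tracking it deserves a comment as well. The `boot` block continues past the end of this hunk.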
@@ -15,38 +16,48 @@ extraInstallCommands = '' ${pkgs.rsync}/bin/rsync -av --delete /efiboot/efi1/ /efiboot/efi2 ''; + memtest86.enable = true; }; timeout = 3; }; supportedFilesystems = [ "zfs" ]; - #zfs.package = pkgs.master.zfs; + zfs = { + forceImportRoot = false; + package = pkgs.master.zfs_2_4; + }; }; - #environment.systemPackages = with pkgs; [ - # wpa_supplicant - # somethingelse - #]; + environment = { + #etc."mitmproxy-c64u.py".source = ./mitmproxy-c64u.py; + systemPackages = [ + #pkgs.master.mitmproxy + pkgs.speedtest-go + ]; + }; imports = [ ./disks.nix ./hardware-configuration.nix ./services.nix ../common/core - ../common/optional/services/asterisk.nix + #../common/optional/services/asterisk.nix ../common/optional/services/chrony.nix ../common/optional/services/dhcp.nix ../common/optional/services/nsd.nix ../common/optional/services/openssh.nix + ../common/optional/wdt.nix ../common/optional/zfs.nix ../common/users/nipsy ../common/users/root ]; networking = { + #defaultGateway = "192.168.1.1"; hostId = "f9ca5efe"; hostName = "darkstar"; - #defaultGateway = "192.168.1.1"; - domain = "bitgnome.net"; + #hosts = { + # "185.187.254.229" = [ "hackerswithstyle.se" ]; + #}; interfaces = { enp116s0 = { ipv4.addresses = [ @@ -65,6 +76,9 @@ internalInterfaces = [ "enp116s0" ]; }; nftables.enable = true; + search = [ + "bitgnome.net" + ]; useDHCP = false; vlans = { vlan201 = { id=201; interface="enp117s0"; }; @@ -101,6 +115,7 @@ "nftables/forward" = {}; "nftables/ssh" = {}; "nix-access-token-github" = {}; + "ssh_config".path = "/root/.ssh/config"; }; }; 
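Review bot: The import of `../common/optional/services/asterisk.nix` is commented out in `hosts/darkstar/default.nix`, but the `nftables-extra` unit later in the file still manages the `anveo` set and the `sip-5060` ct helper in `inet nixos-fw`. The part of that script that re-creates them lies outside the visible hunks, so this needs checking: if it still adds accept rules for SIP, the firewall keeps an opening for a service that no longer runs. Either disable those rules together with the import or note next to the commented line why they stay, e.g. `# asterisk disabled; SIP rules in nftables-extra kept for <reason>`.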
@@ -114,7 +129,23 @@ system.stateVersion = "23.11"; - systemd.services."nftables-extra" = let rules_script = '' + systemd.services = { + #"mitmproxy" = let rules_script = '' + # ${pkgs.mitmproxy}/bin/mitmdump -p 80 -s /etc/mitmproxy-c64u.py --mode reverse:http://185.187.254.229:80 --set block_global=false + #''; in { + # description = "proxy for C64 site hackerswithstyle.se"; + # script = rules_script; + # serviceConfig = { + # Restart = "on-failure"; + # RestartSec = 5; + # StandardError = "append:/var/log/mitmproxy.log"; + # StandardOutput = "append:/var/log/mitmproxy.log"; + # Type = "simple"; + # }; + # after = [ "network.target" ]; + # wantedBy = [ "multi-user.target" ]; + #}; + "nftables-extra" = let rules_script = '' ${pkgs.nftables}/bin/nft -a list chain inet nixos-fw input | ${pkgs.gnugrep}/bin/grep @anveo | ${pkgs.gnugrep}/bin/grep -Eo 'handle [[:digit:]]+$' | ${pkgs.gnused}/bin/sed -e 's/^handle //' | while read handle; do ${pkgs.nftables}/bin/nft delete rule inet nixos-fw input handle ''${handle}; done if ${pkgs.nftables}/bin/nft list set inet nixos-fw anveo 2>/dev/null; then ${pkgs.nftables}/bin/nft delete set inet nixos-fw anveo; fi if ${pkgs.nftables}/bin/nft list ct helpers table inet nixos-fw | ${pkgs.gnugrep}/bin/grep -qE '^[[:space:]]*ct helper sip-5060 {$'; then ${pkgs.nftables}/bin/nft delete ct helper inet nixos-fw sip-5060; fi @@ -142,6 +173,7 @@ wantedBy = [ "multi-user.target" ]; after = [ "nftables.service" ]; partOf = [ "nftables.service" ]; + }; }; systemd.paths."nftables-extra" = { diff --git a/hosts/darkstar/mitmproxy-c64u.py b/hosts/darkstar/mitmproxy-c64u.py new file mode 100644 index 0000000..5fc5aa6 --- /dev/null +++ b/hosts/darkstar/mitmproxy-c64u.py 
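Review bot: The `mitmproxy` unit arrives entirely commented out, along with the commented `etc."mitmproxy-c64u.py"` entry and `networking.hosts` block, and as written it has no `User=` and would run `mitmdump` on port 80 with `block_global=false` as a system service. I would leave the dead block out of this commit, or keep it with confinement already in place: `DynamicUser = true;`, `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];`, `StateDirectory = "mitmproxy";`. The script's `STATE_DIR = "/var/lib"` would then have to point at that state directory. The `nftables-extra` body was also not re-indented after being nested under `systemd.services = {`, which makes the new closing `};` easy to misread.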
@@ -0,0 +1,303 @@ + +import json +import os +import re +import sys +from mitmproxy import http +from datetime import datetime + +STATE_DIR = "/var/lib" +STATE_FILE = f"{STATE_DIR}/mitmproxy-clients.json" + +def log(msg): + """Print with flush for immediate output""" + timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S") + print(f"[{timestamp}] {msg}", flush=True) + +def load_state(): + if os.path.exists(STATE_FILE): + with open(STATE_FILE, "r") as f: + return json.load(f) + return {} + +def save_state(state): + os.makedirs(STATE_DIR, exist_ok=True) + with open(STATE_FILE, "w") as f: + json.dump(state, f, indent=4) + +def request(flow: http.HTTPFlow) -> None: + client_ip = flow.client_conn.peername[0] + + # Get Client-Id header to detect device type + client_id_header = flow.request.headers.get("Client-Id") + + # Debug: log all incoming requests + log(f"REQUEST: {flow.request.method} {flow.request.path}") + log(f" Client-IP: {client_ip}") + log(f" Client-Id: {client_id_header}") + log(f" Query params: {dict(flow.request.query)}") + log(f" Headers: {dict(flow.request.headers)}") + + # Load saved server choice for this client (assembly64 or commoserve) + state = load_state() + server_choice = state.get(client_ip) + + # Default: give them what they can't normally access + # C64U (Commodore) -> default to assembly64 + # Ultimate64 (Ultimate) -> default to commoserve + if server_choice is None: + if client_id_header == "Ultimate": + server_choice = "commoserve" + else: + server_choice = "assembly64" + log(f" Default server for {client_id_header}: {server_choice}") + + # Check for server parameter in query (from menu selection) + server_param = flow.request.query.get("server", "").lower() + if server_param in ["assembly64", "commoserve"]: + state[client_ip] = server_param + save_state(state) + server_choice = server_param + log(f"SWITCH (menu): {client_ip} -> {server_param}") + # Remove the server param so it doesn't confuse the real server + del 
flow.request.query["server"] + + # Check for server selection in query (from injected menu) + # Query comes as: (server:assembly64) or (server:commoserve) + # May also include other search params like (name:"bubble") + query_string = flow.request.query.get("query", "") + query_lower = query_string.lower() + name_string = flow.request.query.get("name", "").lower() + search_text = query_lower + " " + name_string + + # Handle server menu selection - strip server: from query and continue + if "server:assembly64" in query_lower or "server:commoserve" in query_lower: + if "server:assembly64" in query_lower: + new_server = "assembly64" + else: + new_server = "commoserve" + + state[client_ip] = new_server + save_state(state) + server_choice = new_server + log(f"SWITCH (menu): {client_ip} -> {new_server}") + + # Remove server:xxx from query string (case insensitive) + # Also handle the & operator that joins query parts + cleaned_query = re.sub(r'\s*&\s*\(server:(assembly64|commoserve)\)', '', query_string, flags=re.IGNORECASE) + cleaned_query = re.sub(r'\(server:(assembly64|commoserve)\)\s*&\s*', '', cleaned_query, flags=re.IGNORECASE) + cleaned_query = re.sub(r'\(server:(assembly64|commoserve)\)', '', cleaned_query, flags=re.IGNORECASE) + # Clean up any leftover empty parens or double spaces + cleaned_query = cleaned_query.strip() + + # If query is now empty or just whitespace, return confirmation + if not cleaned_query or cleaned_query == "()": + flow.response = http.Response.make( + 200, + json.dumps([{"name": f"Switched to {new_server.upper()}", "id": "0", "category": 0}]), + {"Content-Type": "application/json"} + ) + log(f" No other search params, returning confirmation") + return + else: + # Update query with server part removed and continue with search + flow.request.query["query"] = cleaned_query + log(f" Cleaned query: {cleaned_query}") + + # Also check for keywords in search query (legacy method) + if "assembly64" in search_text: + state[client_ip] = "assembly64" 
+ save_state(state) + server_choice = "assembly64" + log(f"SWITCH (keyword): {client_ip} -> Assembly64") + + elif "commoserve" in search_text: + state[client_ip] = "commoserve" + save_state(state) + server_choice = "commoserve" + log(f"SWITCH (keyword): {client_ip} -> Commoserve") + + # Help feature + elif "help" in search_text: + device = "Ultimate64" if client_id_header == "Ultimate" else "C64U" + help_text = ( + "PROXY HELP:\n" + f"Device: {device}\n" + f"Current: {server_choice}\n" + "Use Server menu or search 'commoserve'/'assembly64' to switch." + ) + flow.response = http.Response.make( + 200, + json.dumps({"results": [{"name": help_text}]}), + {"Content-Type": "application/json"} + ) + log(f"HELP: Sent help response to {client_ip}") + return + + # Block requests for our fake info items (id "0" or "info") + # These are the "Switched to..." or "Currently browsing..." messages + if re.match(r'/leet/search/entries/(0|info)/', flow.request.path): + log(f"BLOCKED: Request for info item, returning empty") + flow.response = http.Response.make( + 200, + json.dumps([]), + {"Content-Type": "application/json"} + ) + return + + # Bot protection + if not client_id_header and "/leet/search/" not in flow.request.path: + log(f"BLOCKED: No Client-Id header from {client_ip}") + flow.kill() + return + + # Apply header patch + # C64U (Commodore) accessing assembly64 -> patch to Ultimate + # Ultimate64 (Ultimate) accessing commoserve -> patch to Commodore + original_client_id = client_id_header + + # Always fetch presets with Ultimate header to get full Assembly64 menu + if flow.request.path == "/leet/search/aql/presets": + if client_id_header != "Ultimate": + flow.request.headers["Client-Id"] = "Ultimate" + log(f"PATCHED: {client_ip} Client-Id: {client_id_header} -> Ultimate (fetching full menu)") + else: + log(f"FORWARDED: {client_ip} presets request (already Ultimate)") + elif client_id_header == "Commodore" and server_choice == "assembly64": + 
flow.request.headers["Client-Id"] = "Ultimate" + log(f"PATCHED: {client_ip} Client-Id: Commodore -> Ultimate (accessing Assembly64)") + elif client_id_header == "Ultimate" and server_choice == "commoserve": + flow.request.headers["Client-Id"] = "Commodore" + log(f"PATCHED: {client_ip} Client-Id: Ultimate -> Commodore (accessing Commoserve)") + else: + device = "Ultimate64" if client_id_header == "Ultimate" else "C64U" + log(f"FORWARDED: {client_ip} ({device}) -> {server_choice} (no patch needed)") + + # Forwarding + flow.request.host = "185.187.254.229" + flow.request.port = 80 + flow.request.headers["Host"] = "hackerswithstyle.se" + log(f" Forwarding to: {flow.request.host}:{flow.request.port}") + +def response(flow: http.HTTPFlow) -> None: + """Intercept responses and inject Server menu option into presets""" + client_ip = flow.client_conn.peername[0] + + # Debug: log all responses + log(f"RESPONSE: {flow.request.path}") + log(f" Status: {flow.response.status_code}") + log(f" Content-Type: {flow.response.headers.get('Content-Type', 'unknown')}") + log(f" Content length: {len(flow.response.content)} bytes") + + # Show first 500 chars of response for debugging + try: + content_preview = flow.response.content.decode('utf-8')[:500] + log(f" Content preview: {content_preview}") + except: + log(f" Content preview: (binary data)") + + # Inject "Currently browsing..." 
info item into search results + # Match /leet/search/aql but not /leet/search/aql/presets + if flow.request.path.startswith("/leet/search/aql") and not flow.request.path.startswith("/leet/search/aql/"): + log(f"SEARCH RESULTS: Intercepted search response for path: {flow.request.path}") + try: + data = json.loads(flow.response.content) + log(f" Response type: {type(data).__name__}") + + # Get current server choice for this client + state = load_state() + client_id_header = flow.request.headers.get("Client-Id") + server_choice = state.get(client_ip) + + # Default based on device type + if server_choice is None: + if client_id_header == "Ultimate": + server_choice = "commoserve" + else: + server_choice = "assembly64" + + # Create info item showing current server + server_display = "Assembly64" if server_choice == "assembly64" else "Commoserve" + info_item = { + "name": f"Browsing: {server_display}", + "id": "info", + "category": 0 + } + + # Handle both array and dict responses + if isinstance(data, list): + log(f" Original results count: {len(data)}") + data.insert(0, info_item) + log(f" After injection: {len(data)} items") + elif isinstance(data, dict) and "results" in data: + log(f" Original results count: {len(data['results'])}") + data["results"].insert(0, info_item) + log(f" After injection: {len(data['results'])} items") + else: + log(f" Unknown response format, skipping injection") + return + + # Update response + new_content = json.dumps(data) + flow.response.content = new_content.encode() + log(f"INJECTED: Info item into search results") + except json.JSONDecodeError as e: + log(f"ERROR: JSON decode failed for search results: {e}") + except Exception as e: + log(f"ERROR: Search results injection failed: {type(e).__name__}: {e}") + + if flow.request.path == "/leet/search/aql/presets": + log(f"PRESETS: Intercepted presets response") + try: + # Parse the original response + data = json.loads(flow.response.content) + log(f" Original presets count: {len(data)}") + 
+ # Get current server choice for this client + state = load_state() + client_id_header = flow.request.headers.get("Client-Id") + server_choice = state.get(client_ip) + + # Default based on device type + if server_choice is None: + if client_id_header == "Ultimate": + server_choice = "commoserve" + else: + server_choice = "assembly64" + + # Build server menu with current selection marked with asterisk + if server_choice == "assembly64": + server_menu = { + "type": "server", + "description": "Server", + "values": [ + {"aqlKey": "assembly64", "name": "* Assembly64"}, + {"aqlKey": "commoserve", "name": "Commoserve"} + ] + } + else: + server_menu = { + "type": "server", + "description": "Server", + "values": [ + {"aqlKey": "commoserve", "name": "* Commoserve"}, + {"aqlKey": "assembly64", "name": "Assembly64"} + ] + } + + # Inject Server menu at the beginning + data.insert(0, server_menu) + log(f" After injection: {len(data)} items (current: {server_choice})") + + # Update response + new_content = json.dumps(data) + flow.response.content = new_content.encode() + log(f"INJECTED: Server menu into presets response") + log(f" New content length: {len(new_content)}") + except json.JSONDecodeError as e: + log(f"ERROR: JSON decode failed: {e}") + log(f" Raw content: {flow.response.content[:200]}") + except AttributeError as e: + log(f"ERROR: Attribute error: {e}") + except Exception as e: + log(f"ERROR: Unexpected error: {type(e).__name__}: {e}") diff --git a/hosts/darkstar/services.nix b/hosts/darkstar/services.nix index 7304b48..2bc8203 100644 --- a/hosts/darkstar/services.nix +++ b/hosts/darkstar/services.nix @@ -7,10 +7,15 @@ allowedUDPPorts = [ 53 # domain ]; - interfaces.enp116s0.allowedUDPPorts = [ - 69 # xinetd/tftpd - 123 # ntp - ]; + interfaces.enp116s0 = { + allowedTCPPorts = [ + 80 # http + ]; + allowedUDPPorts = [ + 69 # xinetd/tftpd + 123 # ntp + ]; + }; }; }; 
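Review bot: In `request()`, the `server=` parameter, the `(server:...)` query token and the keyword branches all call `save_state()` before the Client-Id check further down, so a request that ends in `flow.kill()` may already have written an entry keyed by its source address to `/var/lib/mitmproxy-clients.json`. Moving the `if not client_id_header and "/leet/search/" not in flow.request.path:` guard to just after `client_id_header` is read keeps rejected clients out of the state file. `load_state()` also calls `json.load` with no error handling and `save_state()` rewrites the file in place, so one truncated write would make every later request raise; the rewrite below falls back to empty state and replaces the file atomically. Separately, `log(f" Headers: {dict(flow.request.headers)}")` and the 500-character response preview write full headers and bodies to the service log, which is worth limiting to the fields the proxy actually uses.

```python
def load_state():
    # A missing, truncated or non-object state file falls back to empty state
    try:
        with open(STATE_FILE, "r") as f:
            state = json.load(f)
    except (FileNotFoundError, json.JSONDecodeError):
        return {}
    return state if isinstance(state, dict) else {}

def save_state(state):
    os.makedirs(STATE_DIR, exist_ok=True)
    tmp_path = f"{STATE_FILE}.tmp"
    with open(tmp_path, "w") as f:
        json.dump(state, f, indent=4)
    os.replace(tmp_path, STATE_FILE)  # readers never see a partial write

# … unchanged: log(), request(), response() …
```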
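Review bot: `allowedTCPPorts = [ 80 ]` on `enp116s0` opens the firewall for a listener that this commit leaves disabled: the `mitmproxy` unit in hosts/darkstar/default.nix and the `hackerswithstyle.se` entries in the `local-data`/`local-zone` hunk that follows in this file are all commented out. Unless another service on darkstar already uses port 80, which the diff does not show, I would comment the entry out with the rest, e.g. `#80 # http (mitmproxy-c64u, currently disabled)`, and re-enable it together with the unit.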
@@ -41,24 +46,40 @@ ]; local-data = [ "\"darkstar.bitgnome.net. IN A 192.168.1.1\"" + #"\"hackerswithstyle.se. IN A 192.168.1.1\"" "\"arrakis.bitgnome.net. IN A 192.168.1.2\"" + "\"caladan.bitgnome.net. IN A 192.168.1.4\"" + "\"mister.bitgnome.net. IN A 192.168.1.10\"" "\"jupiter.bitgnome.net. IN A 192.168.1.11\"" "\"saturn.bitgnome.net. IN A 192.168.1.12\"" "\"uranus.bitgnome.net. IN A 192.168.1.13\"" "\"neptune.bitgnome.net. IN A 192.168.1.14\"" + "\"deck.bitgnome.net. IN A 192.168.1.16\"" "\"ginaz.bitgnome.net. IN A 192.168.1.17\"" + "\"loadstar.bitgnome.net. IN A 192.168.1.18\"" + "\"onkyo.bitgnome.net. IN A 192.168.1.19\"" + "\"brother.bitgnome.net. IN A 192.168.1.20\"" + "\"mister-lan.bitgnome.net. IN A 192.168.1.21\"" ]; local-data-ptr = [ "\"192.168.1.1 darkstar.bitgnome.net\"" "\"192.168.1.2 arrakis.bitgnome.net\"" + "\"192.168.1.4 caladan.bitgnome.net\"" + "\"192.168.1.10 mister.bitgnome.net\"" "\"192.168.1.11 jupiter.bitgnome.net\"" "\"192.168.1.12 saturn.bitgnome.net\"" "\"192.168.1.13 uranus.bitgnome.net\"" "\"192.168.1.14 neptune.bitgnome.net\"" + "\"192.168.1.16 deck.bitgnome.net\"" "\"192.168.1.17 ginaz.bitgnome.net\"" + "\"192.168.1.18 loadstar.bitgnome.net\"" + "\"192.168.1.19 onkyo.bitgnome.net\"" + "\"192.168.1.20 brother.bitgnome.net\"" + "\"192.168.1.21 mister-lan.bitgnome.net\"" ]; local-zone = [ "\"bitgnome.net.\" transparent" + #"\"hackerswithstyle.se.\" transparent" "\"1.168.192.in-addr.arpa.\" static" ]; verbosity = 2; diff --git a/hosts/fangorn/default.nix b/hosts/fangorn/default.nix new file mode 100644 index 0000000..cdf30af --- /dev/null +++ b/hosts/fangorn/default.nix 
@@ -0,0 +1,90 @@ +{ config, inputs, lib, outputs, pkgs, ... }: { + boot = { + kernelPackages = pkgs.master.linuxPackages_7_0; + loader = { + efi.canTouchEfiVariables = true; + systemd-boot = { + enable = true; + memtest86.enable = true; + }; + timeout = 3; + }; + supportedFilesystems = [ "zfs" ]; + zfs = { + devNodes = "/dev/disk/by-label"; + forceImportRoot = false; + package = pkgs.master.zfs_2_4; + }; + }; + + environment.systemPackages = [ + pkgs.chirp + pkgs.signal-desktop + pkgs.wpa_supplicant + ]; + + imports = [ + ./disks.nix + ./hardware-configuration.nix + ../common/core + #../common/optional/db.nix + ../common/optional/dev.nix + ../common/optional/ebooks.nix + #../common/optional/games.nix + ../common/optional/gui.nix + ../common/optional/misc.nix + ../common/optional/multimedia.nix + ../common/optional/pipewire.nix + ../common/optional/services/nolid.nix + ../common/optional/services/openssh.nix + #../common/optional/services/tlp.nix + ../common/optional/services/xorg.nix + ../common/optional/sound.nix + ../common/optional/wdt.nix + ../common/optional/zfs.nix + ../common/users/don + ../common/users/nipsy + ../common/users/root + ]; + + networking = { + firewall.extraInputRules = '' + iifname "wg0" tcp dport ssh counter accept + ''; + hostId = "6f1faddc"; + hostName = "fangorn"; + networkmanager.enable = true; + nftables.enable = true; + }; + + nixpkgs = { + config.allowUnfree = true; + hostPlatform = "x86_64-linux"; + overlays = [ + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.master-packages + outputs.overlays.stable-packages + ]; + }; + + services.openssh = { + openFirewall = false; + settings.X11Forwarding = true; + }; + services.xserver.desktopManager.xfce.enable = true; + services.xserver.videoDrivers = [ "amdgpu" ]; + + sops = { + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + defaultSopsFile = ../secrets/fangorn.yaml; + + secrets = { + "nix-access-token-github" = {}; + }; + }; + + system.stateVersion = 
"23.11"; + + time.timeZone = lib.mkForce "America/Chicago"; +} diff --git a/hosts/fangorn/disks.nix b/hosts/fangorn/disks.nix new file mode 100644 index 0000000..fdef7cf --- /dev/null +++ b/hosts/fangorn/disks.nix @@ -0,0 +1,102 @@ +{ lib, ... }: +{ + disko.devices = { + disk = { + nvme0n1 = { + type = "disk"; + device = "/dev/nvme0n1"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "1G"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + extraArgs = [ "-nboot" ]; + }; + }; + swap = { + size = "32G"; + type = "8200"; + content = { + type = "swap"; + extraArgs = [ "-L swap" ]; + }; + }; + rpool = { + size = "100%"; + content = { + type = "zfs"; + pool = "rpool"; + }; + }; + }; + }; + }; + }; + zpool = { + rpool = { + type = "zpool"; + rootFsOptions = { + acltype = "posixacl"; + canmount = "off"; + compression = "on"; + dnodesize = "auto"; + relatime = "on"; + xattr = "sa"; + }; + options = { + ashift = "12"; + autotrim = "on"; + }; + datasets = { + "local" = { + type = "zfs_fs"; + options.mountpoint = "none"; + }; + "local/root" = { + type = "zfs_fs"; + options.mountpoint = "legacy"; + mountpoint = "/"; + }; + "local/nix" = { + type = "zfs_fs"; + options = { + atime = "off"; + mountpoint = "legacy"; + }; + mountpoint = "/nix"; + }; + "user" = { + type = "zfs_fs"; + options.mountpoint = "none"; + }; + "user/home" = { + type = "zfs_fs"; + options.mountpoint = "legacy"; + mountpoint = "/home"; + }; + "user/home/root" = { + type = "zfs_fs"; + options.mountpoint = "legacy"; + mountpoint = "/root"; + }; + "user/home/don" = { + type = "zfs_fs"; + options.mountpoint = "legacy"; + mountpoint = "/home/don"; + }; + "user/home/nipsy" = { + type = "zfs_fs"; + options.mountpoint = "legacy"; + mountpoint = "/home/nipsy"; + }; + }; + }; + }; + }; +} 
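Review bot: The `rpool` definition sets no `encryption` or `keyformat` in `rootFsOptions` and the 32G `swap` partition is plain, so as far as this file shows everything on `nvme0n1` is stored unencrypted. hosts/richese/disks.nix, visible as context later in this diff, sets `encryption = "aes-256-gcm"` in its ZFS options. If fangorn is a portable machine (the `nolid.nix` and NetworkManager settings in its default.nix suggest it may be), consider the same pool options here and `randomEncryption = true;` in the swap `content` block. If leaving it unencrypted is deliberate, a comment on `rpool` saying so would be enough.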
diff --git a/hosts/fangorn/hardware-configuration.nix b/hosts/fangorn/hardware-configuration.nix new file mode 100644 index 0000000..17a6bc6 --- /dev/null +++ b/hosts/fangorn/hardware-configuration.nix @@ -0,0 +1,33 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot = { + initrd = { + availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" ]; + kernelModules = [ ]; + }; + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ ]; + }; + + fileSystems."/boot" = { + device = lib.mkForce "/dev/disk/by-label/boot"; + }; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. + #networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true; + + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/ginaz/default.nix b/hosts/ginaz/default.nix index 4be0d1d..df4c558 100644 --- a/hosts/ginaz/default.nix +++ b/hosts/ginaz/default.nix 
@@ -1,19 +1,27 @@ { config, inputs, outputs, pkgs, ... }: { boot = { initrd.kernelModules = [ "amdgpu" "zfs" ]; - kernelPackages = pkgs.linuxPackages_6_12; + kernelPackages = pkgs.master.linuxPackages_7_0; loader = { efi.canTouchEfiVariables = true; - systemd-boot.enable = true; + systemd-boot = { + enable = true; + memtest86.enable = true; + }; timeout = 3; }; supportedFilesystems = [ "zfs" ]; - #zfs.package = pkgs.master.zfs; + zfs = { + forceImportRoot = false; + package = pkgs.master.zfs_2_4; + }; }; - environment.systemPackages = with pkgs; [ - signal-desktop - #master.wsmancli + environment.systemPackages = [ + pkgs.minicom + pkgs.setserial + pkgs.signal-desktop + pkgs.tio ]; imports = [ @@ -25,6 +33,7 @@ ../common/optional/ebooks.nix ../common/optional/games.nix ../common/optional/google-authenticator.nix + ../common/optional/gui.nix ../common/optional/misc.nix ../common/optional/multimedia.nix ../common/optional/pipewire.nix @@ -33,6 +42,7 @@ ../common/optional/services/tlp.nix ../common/optional/services/xorg.nix ../common/optional/sound.nix + ../common/optional/wdt.nix ../common/optional/zfs.nix ../common/users/nipsy ../common/users/root @@ -43,12 +53,16 @@ hostName = "ginaz"; networkmanager.enable = true; nftables.enable = true; + search = [ + "bitgnome.net" + ]; }; nixpkgs = { config.allowUnfree = true; hostPlatform = "x86_64-linux"; overlays = [ + inputs.nvidia-patch.overlays.default outputs.overlays.additions outputs.overlays.modifications outputs.overlays.master-packages @@ -66,6 +80,7 @@ secrets = { "nftables/ssh" = {}; "nix-access-token-github" = {}; + "ssh_config".path = "/root/.ssh/config"; }; }; diff --git a/hosts/ginaz/hardware-configuration.nix b/hosts/ginaz/hardware-configuration.nix index adc71fd..108f2d4 100644 --- a/hosts/ginaz/hardware-configuration.nix +++ b/hosts/ginaz/hardware-configuration.nix 
@@ -10,7 +10,7 @@ boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" ]; boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; + boot.kernelModules = [ "kvm-amd" "ntsync" ]; boot.extraModulePackages = [ ]; fileSystems."/boot" = { @@ -23,14 +23,18 @@ graphics = { enable = true; - extraPackages = with pkgs; [ nvidia-vaapi-driver ]; - extraPackages32 = with pkgs.pkgsi686Linux; [ nvidia-vaapi-driver ]; + extraPackages = [ pkgs.nvidia-vaapi-driver ]; + extraPackages32 = [ pkgs.pkgsi686Linux.nvidia-vaapi-driver ]; }; - nvidia = { + nvidia = let + betaPkg = config.boot.kernelPackages.nvidiaPackages.beta; + pkgAfterFbc = if builtins.hasAttr betaPkg.version pkgs.nvidia-patch-list.fbc then pkgs.nvidia-patch.patch-fbc betaPkg else betaPkg; + finalPkg = if builtins.hasAttr betaPkg.version pkgs.nvidia-patch-list.nvenc then pkgs.nvidia-patch.patch-nvenc pkgAfterFbc else pkgAfterFbc; + in { modesetting.enable = true; open = true; - package = config.boot.kernelPackages.nvidiaPackages.beta; + package = if finalPkg == betaPkg then betaPkg else finalPkg; prime = { amdgpuBusId = "PCI:4:0:0"; nvidiaBusId = "PCI:1:0:0"; diff --git a/hosts/jupiter/default.nix b/hosts/jupiter/default.nix index c6ad5ff..6c73e8a 100644 --- a/hosts/jupiter/default.nix +++ b/hosts/jupiter/default.nix @@ -4,21 +4,25 @@ #kernel.sysctl = { # "net.ipv4.ip_forward" = true; #}; - kernelPackages = pkgs.linuxPackages_6_12; + kernelPackages = pkgs.master.linuxPackages_7_0; loader = { efi.canTouchEfiVariables = true; - systemd-boot.enable = true; + systemd-boot = { + enable = true; + memtest86.enable = true; + }; timeout = 3; }; supportedFilesystems = [ "zfs" ]; zfs = { devNodes = "/dev/disk/by-label"; - #package = pkgs.master.zfs; + forceImportRoot = false; + package = pkgs.master.zfs_2_4; }; }; - environment.systemPackages = with pkgs; [ - wpa_supplicant + environment.systemPackages = [ + pkgs.wpa_supplicant ]; imports = [ 
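Review bot: `package = if finalPkg == betaPkg then betaPkg else finalPkg;` evaluates to `finalPkg` on both branches, so the conditional only adds a derivation comparison; `package = finalPkg;` says the same thing. The two `builtins.hasAttr betaPkg.version ...` guards also fall back to the unpatched driver without any signal when the beta version is missing from `pkgs.nvidia-patch-list`, so a one-line comment above the `let` stating that this fallback is intended would help the next reader. The `nvidia` attribute set continues past the end of the hunk.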
@@ -38,9 +42,11 @@ networking = { hostId = "d3a9e699"; hostName = "jupiter"; - domain = "bitgnome.net"; - nftables.enable = true; interfaces.enp2s0f0.wakeOnLan.enable = true; + nftables.enable = true; + search = [ + "bitgnome.net" + ]; wireless = { enable = true; userControlled.enable = true; diff --git a/hosts/kaitain/default.nix b/hosts/kaitain/default.nix index 9a222be..3fba8dc 100644 --- a/hosts/kaitain/default.nix +++ b/hosts/kaitain/default.nix @@ -1,21 +1,25 @@ { config, inputs, lib, outputs, pkgs, ... }: { boot = { initrd.kernelModules = [ "zfs" ]; - kernelPackages = pkgs.linuxPackages_6_12; + kernelPackages = pkgs.master.linuxPackages_7_0; loader = { efi.canTouchEfiVariables = true; - systemd-boot.enable = true; + systemd-boot = { + enable = true; + memtest86.enable = true; + }; timeout = 3; }; supportedFilesystems = [ "zfs" ]; zfs = { devNodes = "/dev/disk/by-label"; - #package = pkgs.master.zfs; + forceImportRoot = false; + package = pkgs.master.zfs_2_4; }; }; - environment.systemPackages = with pkgs; [ - git-review + environment.systemPackages = [ + pkgs.git-review ]; imports = [ @@ -24,6 +28,7 @@ ../common/core #../common/optional/db.nix ../common/optional/dev.nix + ../common/optional/gui.nix ../common/optional/misc.nix #../common/optional/multimedia.nix ../common/optional/pipewire.nix 
@@ -51,8 +56,23 @@ ]; }; - services.openssh.openFirewall = false; - services.xserver.videoDrivers = lib.mkForce [ "vmware" "virtualbox" "modesetting" ]; + services = { + openssh.openFirewall = false; + xrdp = { + defaultWindowManager = "${pkgs.i3}/bin/i3"; + enable = true; + extraConfDirCommands = '' + substituteInPlace $out/xrdp.ini \ + --replace-fail 'port=3389' 'port=vsock://-1:3389' \ + --replace-fail '#vmconnect=true' 'vmconnect=true' \ + --replace-fail 'security_layer=negotiate' 'security_layer=rdp' \ + --replace-fail 'crypt_level=high' 'crypt_level=none' \ + --replace-fail 'bitmap_compression=true' 'bitmap_compression=false' + ''; + #openFirewall = true; + }; + #xserver.videoDrivers = lib.mkForce [ "modesetting" ]; + }; sops = { age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; @@ -60,11 +80,14 @@ secrets = { "nix-access-token-github" = {}; + "ssh_config".path = "/root/.ssh/config"; }; }; system.stateVersion = "23.11"; + systemd.services.xrdp.serviceConfig.ExecStart = lib.mkForce "${pkgs.xrdp}/bin/xrdp --nodaemon --config /etc/xrdp/xrdp.ini"; # https://github.com/nixos/nixpkgs/issues/304855 required because XRDP ignores port parameter in INI when specified via CLI + #systemd.user.services = let # vbox-client = desc: flags: { # description = "VirtualBox Guest: ${desc}"; @@ -86,5 +109,5 @@ (builtins.readFile ../common/users/nipsy/keys/id_att.pub) ]; - virtualisation.virtualbox.guest.enable = true; + virtualisation.hypervGuest.enable = true; } diff --git a/hosts/kaitain/hardware-configuration.nix b/hosts/kaitain/hardware-configuration.nix index f38c16a..07b3857 100644 --- a/hosts/kaitain/hardware-configuration.nix +++ b/hosts/kaitain/hardware-configuration.nix 
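Review bot: The `extraConfDirCommands` substitutions set `security_layer=rdp` and `crypt_level=none`, which turns off TLS negotiation and RDP-layer encryption for xrdp sessions, and nothing in the hunk records that this is acceptable only because the listener is moved to `vsock://-1:3389`. I would add a comment above the block such as `# Hyper-V enhanced session: listener is vsock-only, so RDP encryption is disabled on purpose; never combine with openFirewall or a TCP port`. Whether the `ExecStart` override in the following hunk is enough to rule out a TCP listener depends on the xrdp module, which is not visible here, so that is worth confirming on the running host.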
@@ -8,7 +8,7 @@ [ #(modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "ohci_pci" "ehci_pci" "ata_piix" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ "sd_mod" "sr_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; diff --git a/hosts/neptune/default.nix b/hosts/neptune/default.nix index f19e4f1..8c52d18 100644 --- a/hosts/neptune/default.nix +++ b/hosts/neptune/default.nix @@ -4,21 +4,25 @@ #kernel.sysctl = { # "net.ipv4.ip_forward" = true; #}; - kernelPackages = pkgs.linuxPackages_6_12; + kernelPackages = pkgs.master.linuxPackages_7_0; loader = { efi.canTouchEfiVariables = true; - systemd-boot.enable = true; + systemd-boot = { + enable = true; + memtest86.enable = true; + }; timeout = 3; }; supportedFilesystems = [ "zfs" ]; zfs = { devNodes = "/dev/disk/by-label"; - #package = pkgs.master.zfs; + forceImportRoot = false; + package = pkgs.master.zfs_2_4; }; }; - environment.systemPackages = with pkgs; [ - wpa_supplicant + environment.systemPackages = [ + pkgs.wpa_supplicant ]; imports = [ @@ -38,9 +42,11 @@ networking = { hostId = "6c1b830a"; hostName = "neptune"; - domain = "bitgnome.net"; - nftables.enable = true; interfaces.enp2s0f0.wakeOnLan.enable = true; + nftables.enable = true; + search = [ + "bitgnome.net" + ]; wireless = { enable = true; userControlled.enable = true; diff --git a/hosts/richese/default.nix b/hosts/richese/default.nix index 2a97fc4..3fdef04 100644 --- a/hosts/richese/default.nix +++ b/hosts/richese/default.nix 
@@ -1,18 +1,26 @@ { config, inputs, lib, outputs, pkgs, ... }: { boot = { initrd.kernelModules = [ "zfs" ]; - kernelPackages = pkgs.linuxPackages_6_12; - loader.grub.enable = true; + kernelPackages = pkgs.master.linuxPackages_7_0; + loader = { + efi.canTouchEfiVariables = true; + systemd-boot = { + enable = true; + memtest86.enable = true; + }; + timeout = 3; + }; supportedFilesystems = [ "zfs" ]; zfs = { devNodes = "/dev/disk/by-label"; - #package = pkgs.master.zfs; + forceImportRoot = false; + package = pkgs.master.zfs_2_4; }; }; - environment.systemPackages = with pkgs; [ - git-review - openstackclient-full + environment.systemPackages = [ + pkgs.git-review + pkgs.openstackclient-full ]; imports = [ @@ -21,6 +29,7 @@ ../common/core #../common/optional/db.nix ../common/optional/dev.nix + ../common/optional/gui.nix ../common/optional/misc.nix #../common/optional/multimedia.nix ../common/optional/pipewire.nix @@ -49,7 +58,7 @@ }; services.openssh.openFirewall = false; - services.xserver.videoDrivers = lib.mkForce [ "vmware" "virtualbox" "modesetting" ]; + services.xserver.videoDrivers = lib.mkForce [ "modesetting" ]; sops = { age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; @@ -57,6 +66,7 @@ secrets = { "nix-access-token-github" = {}; + "ssh_config".path = "/root/.ssh/config"; }; }; @@ -83,5 +93,5 @@ (builtins.readFile ../common/users/nipsy/keys/id_att.pub) ]; - virtualisation.virtualbox.guest.enable = true; + virtualisation.hypervGuest.enable = true; } diff --git a/hosts/richese/disks.nix b/hosts/richese/disks.nix index 02c6ffe..a626a80 100644 --- a/hosts/richese/disks.nix +++ b/hosts/richese/disks.nix @@ -7,10 +7,6 @@ content = { type = "gpt"; partitions = { - MBR = { - size = "4M"; - type = "EF02"; - }; ESP = { size = "1G"; type = "EF00"; 
@@ -52,7 +48,7 @@ encryption = "aes-256-gcm"; keyformat = "passphrase"; keylocation = "file:///tmp/data.keyfile"; - normalization = "formD"; + #normalization = "formD"; # disabled due to previous issue: https://github.com/NixOS/nixpkgs/pull/86432 relatime = "on"; xattr = "sa"; }; diff --git a/hosts/richese/hardware-configuration.nix b/hosts/richese/hardware-configuration.nix index d1c33b7..07b3857 100644 --- a/hosts/richese/hardware-configuration.nix +++ b/hosts/richese/hardware-configuration.nix @@ -8,7 +8,7 @@ [ #(modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "ohci_pci" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" ]; + boot.initrd.availableKernelModules = [ "sd_mod" "sr_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; diff --git a/hosts/saturn/default.nix b/hosts/saturn/default.nix index 9930e7e..9cad0ae 100644 --- a/hosts/saturn/default.nix +++ b/hosts/saturn/default.nix @@ -4,21 +4,25 @@ #kernel.sysctl = { # "net.ipv4.ip_forward" = true; #}; - kernelPackages = pkgs.linuxPackages_6_12; + kernelPackages = pkgs.master.linuxPackages_7_0; loader = { efi.canTouchEfiVariables = true; - systemd-boot.enable = true; + systemd-boot = { + enable = true; + memtest86.enable = true; + }; timeout = 3; }; supportedFilesystems = [ "zfs" ]; zfs = { devNodes = "/dev/disk/by-label"; - #package = pkgs.master.zfs; + forceImportRoot = false; + package = pkgs.master.zfs_2_4; }; }; - environment.systemPackages = with pkgs; [ - wpa_supplicant + environment.systemPackages = [ + pkgs.wpa_supplicant ]; imports = [ @@ -38,9 +42,11 @@ networking = { hostId = "4ae5eb4d"; hostName = "saturn"; - domain = "bitgnome.net"; - nftables.enable = true; interfaces.enp2s0f0.wakeOnLan.enable = true; + nftables.enable = true; + search = [ + "bitgnome.net" + ]; wireless = { enable = true; userControlled.enable = true; 
diff --git a/hosts/secrets/arrakis.yaml b/hosts/secrets/arrakis.yaml index 6ec5283..092a2b4 100644 --- a/hosts/secrets/arrakis.yaml +++ b/hosts/secrets/arrakis.yaml 
@@ -1,9 +1,12 @@ +htpasswd: ENC[AES256_GCM,data:IuYErhpL1UHIfwLVld02vCE0sqvVm142vHhwLun1DsV/QL17aHze0YcjMYhHiXv0EhEr1dG7t9KuIZ/js+nIp08=,iv:IPswgi2H1lLpci5ITcnKMOL45OlQzQJ0iBXhMibqCTg=,tag:NC96lWJUAZYtSuu4zLI49w==,type:str] nftables: ssh: ENC[AES256_GCM,data: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,iv:OnEBPu/havLABMuANjiKMEmhPX2tk/PlyDY0FwvQnsI=,tag:Qny6XbCXMhAr1AjZjr0ucw==,type:str] nix-access-token-github: ENC[AES256_GCM,data:1kkcaybmrEUrU9lqjKpaEqBBqtmTU9Teh0sEh+7PmAYoJEkyngT48Zzo8zpxN+wHdD9l/XV0iT3tDT/xY0ZMtawdXUI=,iv:8XYmmL0Md3eVLkvW3YkxN3gzGwY6DBvPA2XBdC8ccQ0=,tag:La0H5RJIwV3Ed3jVfqxlog==,type:str] +ssh_config: ENC[AES256_GCM,data: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,iv:uXbX67nw8uot2BeeeU0wMNZ+xK+gJ6Xy42jriUZ0gjQ=,tag:AkRAMlnyaxvCVAQy1a2zGw==,type:str] wireguard: arrakis_key: ENC[AES256_GCM,data:jJxltF+jMKMchavpXWKGFmFI3K/Qkgmroc68nUzYL71kKR+WFMPUzDjXW0Y=,iv:RESrP6zChCIMeDn65mu7ULvfeT5QRRX76TdyOAjE/fw=,tag:0QXp38YwTJZS8phv9ObrhQ==,type:str] black-sheep_psk: ENC[AES256_GCM,data:ZBR7CQJLBltt9lTeN16SUte0xt90oVoJfvWrdF8gVAPQgvGIp/t3i5L2+eA=,iv:ilqCFzHhjgxU7FRcj0Ymi/t53NPt8QMJD56azsNQMe4=,tag:i4TIQryxzJpGaM8KGCVXQA==,type:str] + fangorn_psk: ENC[AES256_GCM,data:Ob994Cp+CDDfg4IEVGPnf265sDXe2zS9snehBvfr87x6kGq1YnKJQzkGXx4=,iv:mNDGwyRI0T3FHbPw9Z3NX+3/PmiIXiA+C1QUYYTdENc=,tag:Hz4qSjF7EmXA5ovnGLH3sQ==,type:str] ginaz_psk: ENC[AES256_GCM,data:Iy/jyCcXl5VnSArA+Uazww/refw+Flopi2CnUgXyB/lnL6ykqawztK6KSBU=,iv:rB9eeMXqa+ZptLenJs/x9yffu4s10YwI11A1EPUHY54=,tag:1rw8SyfXyKA9IW3SUfYbTg==,type:str] homer_psk: ENC[AES256_GCM,data:JaUJEWlcEhWeT+g5J+ysQ7rHFW8bxyDiciqrwL4JH493fQNCBnIkfJXtjfg=,iv:l95W7lVeBZhS2YwWN8biyFHBlAUwP7+DrSOVAhowC+I=,tag:q+wDpSGlT3nb+88yYMNzhQ==,type:str] lilnasx_psk: ENC[AES256_GCM,data:wssUtPGQfs2Gt63Iq+QD7nQsAaua/OP0tcTmxlWFPTjPF3PzU2Y8m/76B3w=,iv:1jSwB0XkC+Gcn2JRNcaGd3hhJebmdfaF1N6PNDEdkSU=,tag:GVigw9hi66q2+q06g+WumA==,type:str] 
@@ -11,16 +14,11 @@ wireguard: ramped_psk: ENC[AES256_GCM,data:TCeXW9SWFEq7H7YdEE4E7gLoMC8F4GwSPBtvh8Zv6OQ3Ni0LdZBH9IHmPT4=,iv:U33J1eusuCiC41zla2ieIFKzmmgL/TlkLmH/5El3u4s=,tag:Z4QzImR0T2XzdI26nlX+/Q==,type:str] timetrad_psk: ENC[AES256_GCM,data:zAOHUlk6VJd+w6ePcDAPhpmPmlogwqUh5zhDpnW7cbXflIdLtFN9YQbOYtc=,iv:DpqIP+uTxRY7Dl0WwOvAr/dDFeARCVZKNKKKCrgOkYA=,tag:IP+nUZS3klUvHNzbgS4IjQ==,type:str] treebeard_psk: ENC[AES256_GCM,data:EjzdD4siZfCkwd6pX82C2HP8I0avKjStv6fleURD2cPkGmBFDH//MLYcY/k=,iv:yCc+U3+kAzOroOxO04EKVrbuqr85Y8cZ343UN4s3nBg=,tag:r5piVnM+Q5+0HRRMpVwmSA==,type:str] - wg1_conf: ENC[AES256_GCM,data:FeRx87Ynsku8RPJ34HX4WZbvrl0NMKQVUueYevXhZi/uxehsttjqdZyhKGG8ZZW2rYNT7PADp90NcOYRuS2bquFuU+XSK21xDC7myk9EMHtEh1t2nk8ILYV590eQVceyQCb9XNjlypI0QJEBItODg9DAGHf9WqV232zj2NcXmUEFwdQpWt3NnFo7Dku1KTmNWIQhfKL96casrHP5j7YHASlbLC5xmieZ8IPasfozPCDwQJMxdA5PH5rr7DEcjIrOgYSqa7G9VcPWlBfiuyEI0MZVYhF2pl4P57LVZNDRf8XamOcsphnRfgr6JYArxrHl3H5r4Nbcz3I09W8rrw==,iv:qAB6GAKDLg4P0g+5cRPcOWS2DvW7dcMJp7Fb4hDArfo=,tag:cacQeEAR7gjA/40Msuh/8g==,type:str] + wg1_conf: ENC[AES256_GCM,data:/285rDfz+rySzB0pohVJSVDCRWAnPi8Kg9Xu9U4C03PWYWbPvsm5Ci1q6z/kYKPsaGYYo16Ttl/0PJJcgDaQXHxJAXqWr1VQJttrcMuWuG7VlSzqhxrb1QOD60Gl+wrP7WechufmOejJZZor4FIi/AnvB4GEKQpqdP8Zz2bSd2c+5wM3tBqXftoK+68qkoYzMBtinyBISKrP3n3raF8HwHx9a5RWbuMBs5UzKSPHIbx3assHnVyJb+tX6Bs4lJTwon7r6sc3EqfozbsIHrL275V1JYsRGmSk0Lk0exjK9mQyn+c/Z4uf1T0yg0gY5XwQ/U1AJ7e9CfLdJMP3QeUtqzj8H5LlydU/24xkpqqBtozYQ+/F9nn0omoWGtX4KWZWoIVTaHLjPiETCbY/PsRrx3QFckE=,iv:i+Jr6GV1zvVoGh66HYd3ZU8cLG5AeHZ3cz7xa3mXbbk=,tag:csj43Q4sGblmylUqqb84GQ==,type:str] wpa_supplicant: ENC[AES256_GCM,data:HHs6g3qaaeinVGgteExQvhE0CEC94WjJ0tV7pyI=,iv:6F+DYHieaWWo+V1F9yjwWT7PcdiIpH48nv1SUrFHePk=,tag:cpimCP+YNmCI+t+wpuXwHg==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - - recipient: age1mkqxkwse7hrnxtcgqe0wdzhhrxk55syx2wpcngemecz0d7hugsnqupw3de - enc: | + - enc: | -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5UjB1Tk9rajRIVFJWc2Zo 
SHZoaFN1ZTltaTBHOHZKZTNGQzk1UnBMSTFnCisrbDZHQTBETldnYmF5aGl0bE14 @@ -28,8 +26,8 @@ sops: ZXdGdkxHeXN2YkhyNHF4SFFWNS9NbzQKXG65eqAP0pCfXshk2gUFAfyOplcvTb6F 0sboWmSBPwWi0ARKQHvOO0/Qu4AETRgUQHu/SJH0yc59mr9Nmhzwqg== -----END AGE ENCRYPTED FILE----- - - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va - enc: | + recipient: age1mkqxkwse7hrnxtcgqe0wdzhhrxk55syx2wpcngemecz0d7hugsnqupw3de + - enc: | -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBieDFPVE11OXRSOCs0Y3Q3 QVBveUZNMTFmcHZWUSsxNXdLdG1KVmdYQlNnCnNlZndCekV5RmJLK0V6aDczYktG @@ -37,8 +35,8 @@ sops: ejRLb2Vkd1B3QmxLSE1wUzgrazZJT0UKz1IQxYm7hagYtBsWTpk+f6/79ArRUgNL MfhHMQAwuuXjBSmuFolyU3UoWnDYK6uGAv5nlTJxESqj5eQBafItSw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-23T22:22:25Z" - mac: ENC[AES256_GCM,data:2f0EwhcP70EDiEqsY8FmIZ3AfjazmdNYCGmz3f0D4EwNx0BxmnVMosWeLrZYrIucNlhqD7xCWhHxJAGM7P6m255sVXFipU0tkk0ZANsUXBc0qQUmH17YfH34kBoKnUUlDHHK0/Ep7ByBiCkzZACmxliZYRX4uvnsDf4hWTYUW6I=,iv:v8phL5vDHGEweS9NAAygiUNDHpXgx0vQkdwzfEn8eTY=,tag:MFdjpQN3PytxmtV4qCrsGQ==,type:str] - pgp: [] + recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va + lastmodified: "2026-05-28T01:04:37Z" + mac: ENC[AES256_GCM,data:4Sl5BRiaP+Oumo2z4mJyof41tXnUItMHE3Rv1NBocv8b9Ha6Das9XHTF5bQk4tocw70JxvCVkHE++p3H3loROzrdSvCUXnpT9dYipukaTZl2fVSudU8lmmZllTg93GVJsrEUbWlxWjROgtlhAk4vtZTEwXYy0zCVh0HDIRhz3SM=,iv:f4fK5RhObFi7T57g85yBjogBMeYSgLVaYq07yiUoE3Q=,tag:51mfu2YFROI1IVM9rjkstw==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.13.1 diff --git a/hosts/secrets/caladan.yaml b/hosts/secrets/caladan.yaml new file mode 100644 index 0000000..dbbf048 --- /dev/null +++ b/hosts/secrets/caladan.yaml 
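Review bot: The `sops:` metadata of arrakis.yaml is rewritten by a different sops release than the other files in this commit: the last hunk ends on `version: 3.13.1`, while caladan.yaml, darkstar.yaml and ginaz.yaml are at 3.10.2 and fangorn.yaml at 3.10.1. The `recipient`/`enc` key-order swap in the `@@ -11,16 +14,11 @@`, `@@ -28,8 +26,8 @@` and `@@ -37,8 +35,8 @@` hunks looks like a by-product of that newer serializer, since both age recipients are the same before and after. Pinning one sops version for the repository would keep diffs of the recipient list down to real changes, which matters because that list decides who can decrypt the file.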
@@ -0,0 +1,29 @@ +nftables: + ssh: ENC[AES256_GCM,data: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,iv:UY/efikTAvIUfcciypnngPj7PhGjccoIeXRyew2Ft0s=,tag:QnYxLwkV9Oo9ETWAqIKNyg==,type:str] +nix-access-token-github: ENC[AES256_GCM,data:9+Yal5PsrtrQmpEmYp48dUs8i6U+ZBl2fm3WMz0ElKbFm8HvWaANgpxNoVUChj/GejqRtmJVkUR11m75Gh/Y4RhRa40=,iv:xffltN4QMFPCIUdVBA+ZzZJwMV1aiR+ZalGEUM6zxb4=,tag:nmM4RpKfFonvGgOMVeT9rg==,type:str] +ssh_config: ENC[AES256_GCM,data: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,iv:8EtrGsi86BhlCrn5kNZSbvIq/D6RBjJ1AAt8x3x6Pns=,tag:OB8azq3ZWpMIZDMQp+ry3w==,type:str] +wpa_supplicant: ENC[AES256_GCM,data:UtDgnfUMvMyDeYLhOTvLYRj6Wm7uX9rm6Iuxg5o=,iv:lidCvrXwm3gCg7eTCLtOyyooDF+9eZ3bYdmK7cx9NAM=,tag:VpLfKf5onTg087n5ZeuWqA==,type:str] +sops: + age: + - recipient: age1rpjhlmc9sf3kcagg2fq4850vcxnvhmrrfggs30jckffjxxr89smsukj0f3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDRWR2MUxlYmlXaFpsN2c4 + dU51ajY0czg5QmtDOU40YnByV0VWbUpzb2xRCnUwK3Zra0NrWWRybC9TNmt3cVVD + ejhza3Mvay8zNUlPVUJjSkUxQzAzd00KLS0tIEtqNCsvKzR2eXNIVTRvRWZVT0g4 + a3NMZC9xYlRlc2RxU1h6Q3VCUi80TkEKSCs6Y4l0McbmNmN1JX/B4xlk3kCpzUxH + vXCmtdm6ab6xYjPfRXvci9Z3Pxibi+s4hchiUi9EMRJk1YfXrOzbwg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwdVNLSkNXQUNpeXVMVkhY + RHlMOVlSb2xnOFJnUTYwTHg4aVlEb3VDRWdBCkIrSXZGZHdYUVhlTU40Z29ROUd0 + ZVhCMzAwNVZ6UDVvOWU5RXYyaW9kVFUKLS0tIFZhcG90VzI1TnFEY0Q3ejB6SUJH + enMwY2xGMkRBNU1jenp5MWhBY1NmSkEKK8cpEKoyOQLEyA3TUqaRprTxbJH7lhur + E2V8leAbO4FLR7Qp3+9ymK1HIO/lcynktLlBHZtJLc+IrmyUguxqeA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-06-05T18:00:15Z" + mac: 
ENC[AES256_GCM,data:JKzxSGzEPIM7z5QfGZgZBXNUTvLOmP5Krkjt5CCt91MdlLJtksVjMzcMEE4hu+3maLXR0UsXn4W2K6IkMmyo8nU7vHhg/n40WIgeX0J8e7nx51VymJAsiisdijGtPbVovdK2qLjU7CRoKypfDNiV9dYLPbyzpNFKyCDdpbnBJ+4=,iv:MCRxJ6QsNWSfblgtIkJhnqap/qFg1OYzXHUYP137ihw=,tag:szwCMpyn2sWm15BJR16GeQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/hosts/secrets/darkstar.yaml b/hosts/secrets/darkstar.yaml index 37b53ce..b9ac45d 100644 --- a/hosts/secrets/darkstar.yaml +++ b/hosts/secrets/darkstar.yaml 
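Review bot: `nix-access-token-github` is added to the new caladan.yaml here and again to the new fangorn.yaml, and the same key is already present in arrakis.yaml, darkstar.yaml and ginaz.yaml, so every host key in this set can decrypt a GitHub token. The ciphertext cannot show whether it is one shared token, but if it is, compromise of any single host exposes it for all of them and rotation means re-encrypting every file. A separate fine-grained token per host, limited to read access on the repositories Nix has to fetch, would bound that. The chosen scope is worth recording in the commit message, since comments inside these files are encrypted as well.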
@@ -1,16 +1,187 @@ -asterisk: - extensions.ael: ENC[AES256_GCM,data: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,iv:XJjhLnUgf1cc9O50U4Q8Pis/ZYLg5B9U7u3eDuDcjeA=,tag:0ZqdjgYNMsXcKGIs05PGvA==,type:str] - pjsip.conf: ENC[AES256_GCM,data:rVtOAj6DiUDAlM7m/E2h1EZvsrabmDb9zD8fQPvvTITTQ8WUwwU6etJm3CsnrfskyctnJQWqs2nQQol5ZtS8Mgbr9CGOsk9eOvAxQJcjvkI+tJKl/d7DEVk1XKI6jV1X2Y8klJlHROe5w9N2zzdEfDbWIBUig0Lc0T71eAzOEhR/9QxQD0OVoonk0AuG8xRa0vzyYJEvWbOeqrxiM74RlrGThE7U/+fM0rS68Yy3PdIVnOnHtlz5v//ZGcNGYNmncBV3W7avnlCRV+C9b9WblkG3UXQ/rkXI2nNg2BaKTa5545kjyJsuIYPbD3Mx15oTQaBhZo8KKAO7ZsfOGWSZJ13vdx4xnub8S63QDWEgwx1UzjoTCsnkBh86BFWp+xk+D5XDk4nC1qqV92Qy33d8R6HJ241INwxPK6ZV0X2FG00mGdpMzELDuq0yg1979QlIHqDBAOoYR4rhHSYYKCqKw9cXsURkqsz/sOqsb1BFQRY6+WsvAK7p9seiw14E9glPa0OkjnQcA7JjhOQGOvoz+p2UiygVDnJ/H+MaGseUPTUZGm+Moa442/xJAUpj80wfHxwOAX9kdWjOFBXBn2A8u/cmO6cdCQvG8Mpx57eZg/CzeqmNMGcjAi9z7TtWN3iYi3TxD25ZFfo5XSgqOmgKtI94Mt//insmLFP4Q3l4IHqTpZj4qQDMAtocShhyhDI49exHPQ2lWiKMlBtQ4OAbrYOVrVk3oHgJ8e7rRWZy1Zlu9UrfTEO/sj1xvXa/9mvJSpz4nQBz+pKyjy003VveaJpvjPXkRkhtLLDX4Aw0K23fWt/4GQEJIG04w1sJMHu/s5RIrP8bHZKjezNYV7Brvvlna4xMahSzfg3Z5cvOH2hgNKOoFglmGUqvWyeDm4CCepJ+WJ8TYkwIEMnjOnCpb+OF+uXwYpqUi2DD4pwzmEuSagaDBtTAuSIgtkSupakpOdQYhW3UN+keVcu7reBVtl5GWSVfviZ9P0Vyh0Zvtpg/qMTWipr3qjvtIBauT1ChLxW3lQ0Js7rTOOJK6uQ0PPv9MmgVTvAMTO37LU5fmJ3EGfTWuBSwvaDMJAvhQpXWG2PYXc/OhPBhA8dqxUhd9nmSYlHBSdR68ETftsViQaBoOyGEcjOZyTnM3GMQAlnX2rLcOm2KaYaJbQ+lksTT4eye8A9JY6YdMDrSfnkops+7ECJgqYY00xFI6bg0+C0p+WJtWk/YQuTDwjTHmKBfVIMOm659EzeXC2mq9j51z8jX49NfQg6heQYGad3W273P4El/As7Lm1BKG8cKHTo2yQKEcC9coYrRUcFS96b82sgCX+wPq2tb7TIHB7nMjuGc6oMQwQY6lcimzwlO/1r0HpCUhU/p3Sp2coyqgRI5WqczI5kqs/9pm/owASpGXOma7/Yw27Q9z4dDM0rz2mM794XpsCF2JxLd5AwuV3N9YOqwOWCkt7XcveKqz0GPd/l0RBHi0Nx58C6eWhbGSUK8lM1H06Pw/0fkh1qJMtpPK1+qqR37jBgktyVi941Ko/7LK4DGHk6P2+BsGNPrhA==,iv:n0S64/G7Pm6ZwszDDFMR4qvugU9+HhQDfptOv+KGkzE=,tag:BivicBQ1kjWRj7ZD1c26Pw==,type:str] - rtp.conf: 
ENC[AES256_GCM,data:wRhJ3O8qgECEuMX4mCKKv2igiMxTJS6p0IkgilBxPU7sdFsy,iv:UkXcVOwRDlp7s0+u7QbQ6lGyaJq2JO4YaYMzphOA9ew=,tag:iHJXCC9XAnaQc6qsCTNEYQ==,type:str] +#ENC[AES256_GCM,data:koNrUwSd8yki,iv:OWn+BvvlDhV5g0aT6vj/XnJn0yBpPEzDe70aEnGpPyE=,tag:nwaIzDU9e/VyfPRwigH/XQ==,type:comment] +#ENC[AES256_GCM,data:Edyn0TZVgQvmf4x4K6qzJ6OQtMJP,iv:JdIudLJ1b2qzkAo/tkbG8t/qubeL7v8Rp2yWy8CgRPk=,tag:WGUU4TgHa/qxf5d2d4oJMQ==,type:comment] +#ENC[AES256_GCM,data:kuWF0wpR2bGcP+mjurtCvNqhVpuqO5DYNLs=,iv:2JuLlQ5oS5hR1WGn+wMtAvOysy+23fvjG3HDncLBokA=,tag:sxgmrNZb3dphMASAG7lQig==,type:comment] +#ENC[AES256_GCM,data:6E+vU6uKweNZIpnLsk1R4wg=,iv:WMZ5gi5WKA2jfYV76Er5Dn36C78xVTXBGc+sLz2hltg=,tag:T4y/os/1pBwB8m4lt7aaYg==,type:comment] +#ENC[AES256_GCM,data:2aGKb01LdNLdJdh6hFPsiK2qnUksBeHFL46aeA4jcfqFT0/eS9OTEPrlfZAIlw==,iv:MV9Rt5jGygcLC4JTIMBR8FhEcKQ4hzyXWxWHgPMOnN4=,tag:y9exk7KSyz0VvbBZQqVTug==,type:comment] +#ENC[AES256_GCM,data:Q38m1R59G9HHQD3evNt0/OAF7KPLplLFF314GuNA+sjYZF06npZ7NpErJ41KjCi+o3sG2pAe3/j9,iv:4XOVyyHdAeL8pU1Js+4h+y3zvzuf/R3EpxNoHcU3nlQ=,tag:PpEbr1HOOAbSR481orm3wA==,type:comment] +#ENC[AES256_GCM,data:BtZh9+LW8q30LlMIeTeFo8s=,iv:pVC17w2XK4VpBDitwhW3BmO8CzuxWPYEUkSPIMrxa0w=,tag:Y1bLSBysROKPmmmacCcWdw==,type:comment] +#ENC[AES256_GCM,data:Yr3D4deUxfCfnx4=,iv:zcZbgJVH1JQnsA6Xl/tMA+v4gSE9f/UiGbDLOiogMWk=,tag:NTq+vVoA3l7gdfj+9ZUeqQ==,type:comment] +# +#ENC[AES256_GCM,data:DPNZCtKsvt2TbTpteOX5uh7P,iv:JQJrcv9uptD8cqMGv4DLi4YleF5Dg6hhU83V6vZfe18=,tag:FjEx6Lwj/0KHubeZcy62vg==,type:comment] +#ENC[AES256_GCM,data:Y5fUERk5GxkhMCe8pdyEuixXQ6tmz/2vsRmEBNdGrg==,iv:QNkZBFqg9lsTBcn/HXb5EUUOT5YtLk8cR3tH53BxcD0=,tag:LMpPZwdcUouyOLdw/QwRrw==,type:comment] +#ENC[AES256_GCM,data:1uSrAoDFqpqXWixv+YLn5nHh4eH+8sYlzpq548Qlk0mu0w==,iv:/4OUiMVim9Jr43+JpR8j5HEp2dKKr+2N3mnip0B0waI=,tag:fw358ATo6qp7Li7PsAt59Q==,type:comment] +#ENC[AES256_GCM,data:Z5ZX6TqSYcTaWx3ouOAY,iv:WF0YXeAYglXQlfPStMilAoVJznJsRoMGd+QnxPWs148=,tag:kVLnxWwiXqxmhzxRGdfYVA==,type:comment] 
+#ENC[AES256_GCM,data:xRp4e2j13CHZ2JzmvtO0jlEfWPsvaxUAw0toKtQWy82JbA==,iv:HxAk56MKqQkw6gAm7LskDWaCfF+ZAOi+XeYHkOBO6bs=,tag:MIwUfICkfeyttb+JGlHwmg==,type:comment] +#ENC[AES256_GCM,data:RrLqfa8+bWIo3ZF6TsH2+Bo=,iv:ByDQwPS2qDqLoHJYCfn8rwZzeHrNs00LQ8vKJq//Jh8=,tag:856gJo8SfUeZsUP5rXKumw==,type:comment] +#ENC[AES256_GCM,data:GsTl6zwg5d4UFkU=,iv:DSDqA2Lt+p/CnhPO+fZXDDJWy98wpJXV6V8SbBpokyA=,tag:fMUKuDyZAkyv10bmrl+hlQ==,type:comment] +# +#ENC[AES256_GCM,data:xeRqstRJfW6jLFimzF7Sdie8,iv:9gPkgr4udNSFHI/DeNWWdl3N4Jbo7jUlGcacXzYUzUQ=,tag:bdtHw+giVWaIL0uxKqSzNg==,type:comment] +#ENC[AES256_GCM,data:o9TKPq1Vqvl/KKywfIZjUc8=,iv:vWKE9iyf7uqTgngeYndKUr4Llvy02LOJZFxF8YE+IwQ=,tag:ts75yi4yz34i8wcz22yFQw==,type:comment] +#ENC[AES256_GCM,data:/HLJJlGoDkfRH2R3PQglBthL7c9AUZ9P,iv:zNwtm2hxMuWofAzlWmm2dRTVsfEdKgzVshlgiMUORoo=,tag:y0b0C9TKjTLmrso6nIBYYA==,type:comment] +#ENC[AES256_GCM,data:8dShCGz1B/q6liBoq8r9sV4=,iv:3daeyLDLldMpW1dS7IQSi7WKqePQz7ZucxPD4Q3s4Wg=,tag:FKtgLRN/1O+8AeGzMI5qFg==,type:comment] +#ENC[AES256_GCM,data:tVwliFSYozYM52o=,iv:FnUA3+4XJuyza/H3THOWz9mAHic69w4oczMcWKc+PwE=,tag:tw6onP5xt4GL2XcC+Cq5Vg==,type:comment] +# +#ENC[AES256_GCM,data:N4EhOl7yEqT6DQRbmBz5cnkxYQ4=,iv:H9z+ZP8vvE+PTauAAzg43pVaEjrLI4nLlIe4ni9Keho=,tag:wAVKSBEk5sPchGegUXjB0g==,type:comment] +#ENC[AES256_GCM,data:AZciKcw/bMIXHjTI6lRcl5xPBg==,iv:37TbQSCxbQPy9hkA4msaVqBwHMXJk95kZuM8pxEEGOE=,tag:e7FkGKEHY1ZHqFMfQ/jlJg==,type:comment] +#ENC[AES256_GCM,data:/WQn0wHchGLYUwQ3RfrJDiIm/CZFIkJROzBlbsf9LlM+k2s=,iv:RzRlSNosNS5xlRpXibQdcZ8bi01RDJs9mdoTBdUzQvo=,tag:DuE6htQ8uolsry0haNzzbw==,type:comment] +#ENC[AES256_GCM,data:NlA8Xz96TJJVNlhCCYqeHLJwYg==,iv:sTQ43in92gD2arVfHX4UrJCIHaX6rEAWcWxsCqnhvU4=,tag:vHczIYGp0WyPm3yH5FI48Q==,type:comment] +#ENC[AES256_GCM,data:X174VF93LZr70A+1vg==,iv:laAgfLpCwzAez03EN3HXwKzvfwbRECgIzpQq7vz+hXM=,tag:9ldfGGjnV50B3O18kOESaQ==,type:comment] +# +#ENC[AES256_GCM,data:0Y+K9H66/y+mzZM/Zf/i0DTr,iv:AN4wfSg7bT3dDHIJDuknE6/Imnd+L2inSGKNCEbSx2w=,tag:fbGNSv/Vr33jhVD5zkv0lg==,type:comment] 
+#ENC[AES256_GCM,data:hZN4Q0NdAp0h/4JPem/73VI=,iv:Xo86Epq3Whcd/dJGgsAqjWcfdDFuYaGtVA06d/Vik3o=,tag:tkJSkkrc9uLGl82Cwa6J/Q==,type:comment] +#ENC[AES256_GCM,data:Y0jraJtzyWQEYaikZCiNChoWkNLlJA==,iv:IG3CjUidzaq6VLbAfPQWAX8cd6A9rBZv6P5G8REXl68=,tag:Fkw7NewUqxDOTdXOfp5J/A==,type:comment] +#ENC[AES256_GCM,data:vJBYw8KYp4ET5VQQG3x8CmY=,iv:iRQS+eB58Hf9/aXGHHKc/N+yMMQNpvA0LyBlP9pP6kM=,tag:WB2SX7FHqKHxkD3jqwu4QQ==,type:comment] +#ENC[AES256_GCM,data:DP3cG8SqADmGjJ8=,iv:jt7aFHphO3kPK+tCBHWu5fZOOpI9qZAlXZYa3Tc/GvU=,tag:Zi6xriNT6Rew7KSLxrnxvg==,type:comment] +# +#ENC[AES256_GCM,data:ER35lsO/pWxe7Y2t9+CMdglM,iv:sYp6UWwkoEbqoKXscCwTDQhtkaU2gBXYFc04grB4mRA=,tag:J9UdyqtuLuVoEUE3pWtuKg==,type:comment] +#ENC[AES256_GCM,data:kubz/kXTQoLr8X2sHGEhovsF1W42HTs8hn1LI6bqViIhqcDe,iv:rS2KoFeAedKtFCOAZC50LSqPTPTzMaIHgtPWoSMLOio=,tag:z/IR786mgxtsSMsrjbBWyA==,type:comment] +#ENC[AES256_GCM,data:J4eVKfcyNnj4qs7U93wmWG7ziI2qAf5wrbZMFW/kiZYfIGzP3+4=,iv:ZDI5USiPw6vETDhCxF9s8/II1QRZ+HlXgHXosVo71nY=,tag:OPHrfgB/nqcfHTlzNW3UuA==,type:comment] +#ENC[AES256_GCM,data:BY5yJR2n4c3pN7QU4JUvUh+ZWfqLdaenLvSSyUXTlx+SXJUM,iv:o/NdY9URIt3FBrUfrbfTgBUjGDLXPNG9flDaoevk+tQ=,tag:hdo9PJsSyc+W3LS/N3t6mw==,type:comment] +#ENC[AES256_GCM,data:RFMv0U1PxQZGY92iQlVk+us=,iv:EEBhxZu0QOAv5oRM759rLGcpZH/QgSV6EYXiCEG3Gik=,tag:0S+4dhitEXzrJKdv269hWw==,type:comment] +#ENC[AES256_GCM,data:J35+o84yGofskT8=,iv:fvX6/RM/PLGFJGvRKeXgyKlXvpkpC1GdBfIzUQlMlcU=,tag:YgXIBP6er+lamAPgASFqxA==,type:comment] +# +#ENC[AES256_GCM,data:V+lIr2vZHQbmdHLElWrAowI6L3eHsAaiwQ==,iv:XUllNkux54jqE1B8Due5TvdSn9WDKjDnJ9x65bzTgqA=,tag:9coS77Zp8/3PhRW0DlxIqA==,type:comment] +#ENC[AES256_GCM,data:8OyKTUeTykagBB3pp4v5RoPs8faabv4/knp2rT2ybwHGf+hkT8InH35FsP040oSCMrRpnY+pOOI24k6YtGtg4ciPBXz367XQk5g4k9FQbTN8OGyXUsC9UTgSE8ezsuXftyuw81cXIJmmFUegaGCS6lngCTNEonG7HrXGMedChl6vbw6cGDdyzHQ=,iv:063MvIh0K4FRmhCeEKODC0mzXYA3xBfj5Vwr8N2F78k=,tag:n5vrDhj2U0+ihYTzpH4mbg==,type:comment] 
+#ENC[AES256_GCM,data:zGB7GHhzsrYpeCJNqGA1EvBLyrUmWC0PnnVChc3M7M8daVpi0EwXd5rDnsw=,iv:MjfJVQbTcQ/CBW9OiTe4B3LxUdoWSxZxutNpd0nSPuA=,tag:/btBe0uUdm6lT0qhuh2ofQ==,type:comment] +#ENC[AES256_GCM,data:rvi0Tei8aDONEIVIf8bFT5/9MB42cOkCUPDCOfCIIhBSBOPJgp/gSc7fbDyxPcltGKPmy5PZtQ==,iv:mL54m/JnXP0iCcXCVcqzDQtSSbzStDiYFNfOqh2beTw=,tag:b+KecBxOElBhSZO+09pXdA==,type:comment] +#ENC[AES256_GCM,data:yzLts4nuFJ6B2A3lOA6dd6C/dc0=,iv:eniXHvGrRVY7wsxHhBUmiXYrJRDn32GpVguSsivBH/o=,tag:m0nP3PQqomIoqFU59qSMIw==,type:comment] +#ENC[AES256_GCM,data:SbVJ/6BdZ2cUhIX4pRSoOFwNi/J6OEHXNQ0Y9+iaCpX892zAFTj7MVAEpwQ=,iv:zkUDjDAySvwrB+osSk6s8v0Xp2uWb1WnN4zu+ATeW/0=,tag:SjQxtFhDdGmZfDWc84285g==,type:comment] +#ENC[AES256_GCM,data:rsMLM339Ng0J+CSd8eI+0iJKEFAa2+TbpLYAFO9lD94vGjrRp2TLIYY3XbgCLK8qgR5csVCd5g==,iv:/Vq50LAtE4AgYP4hOR/TogL6E/PEiFmeRj8Yn5kc/y4=,tag:rcoMCfsY5aefbzycaLcCnw==,type:comment] +#ENC[AES256_GCM,data:juhPTHtHltDDPQ+0vxjAR+gL,iv:aoP45LG9s12qGON73w5g/Xo6fPONZKfCWxVVXiQVGPE=,tag:9grJnf3UrF7Ub3QfmvxN4A==,type:comment] +#ENC[AES256_GCM,data:hrrNKoeKYAlV8J9LCwydZai+9zgKB+pJY3gD43pqx4zkhDyi4ZNyiLSPGwc=,iv:CN89Sexq1wCBlNDiJLKdl87SrVAuE6JbaGZSl4K1Ibg=,tag:OfZzeHg1kM14bWCSlLvE/A==,type:comment] +#ENC[AES256_GCM,data:zrf0HtyxuVfKn6auS27cGX/wboqSzqPZOfdS5cezquL5ykJeCFNX2LYGMHi/Ab3y3o3Xup1KiA==,iv:nRBJ9/YXezSMbLZVI3wulLnhFs8worafDNAeqnpFAXE=,tag:RudcLVsezIkjY5ze86P8Fg==,type:comment] +#ENC[AES256_GCM,data:1NbfTZRxDxoVVlYGWiFbraw=,iv:Gsnnpuu1m5yfOyogbCBzJ1FIZyjL8gRqRSyj5uYqBZs=,tag:DDw0PXGPdoU9Dy6CiJQOuw==,type:comment] +#ENC[AES256_GCM,data:Be5ykZ9sxAHz7Bk=,iv:3QA1EiCbpagmNOqAhyoli8A0nQWfODTvElECykaJqPQ=,tag:ZK+GpY7b8rKw7Yos+FOpOQ==,type:comment] +# +#ENC[AES256_GCM,data:/9VfkNKqAReTgTdSvQY2JaAHsXtumSrQrd8=,iv:KcUHBGVlMyBnddeOI9TBWAv+Ik+he2bLp53Ddgu0Zcs=,tag:U/imF4+lPRes1t5gUpD2XA==,type:comment] 
+#ENC[AES256_GCM,data:CtP3PL1Nr2unz/SQfTIKynzflv7X42i2gJBqmsM2kdoh+q/j3XJy0Ry4Dd3wqjMk/vtrZGFrWdPoEJ5KrYvN6BvdzUzzNhc6a7YuqXkFsXBRipGw66dpm85RJ8aQYgWu1KqPRPoSnqSglAWLXBF+HzbIlHSuHQ40HVLms/5y/u7cMJgCLRtyN6c=,iv:Z4eSlo3EGDMx99wBeyhwWf3jsFWNHwWa0Or1Mln3LF4=,tag:7+p+T8Ud9s/5kLrRBEXhSg==,type:comment] +#ENC[AES256_GCM,data:wBpUUVRSQImQoZDKHuUIbNK+bhKv+YHjh2Yqd9QW77s5XV7LrRMfW4/ZYQ==,iv:8DKM6v/mSgNtIeFC3YEn/YfzBV8gQNp+k+C2GXsX2oE=,tag:25hDvhgm9DPJAqSI6bvZGg==,type:comment] +#ENC[AES256_GCM,data:PHwWZRIhodwLWqmpcEdWQojLzEBM9ots+X92w+SUpE8C865cslcU/LTRRlB3M/bnfuQpK7Ac,iv:Ng4jmfoGaFTKViTp0FXeQuCIZaBI7FdsYmsCzJ9LVyU=,tag:BipNTijyXeq05DSdWwRVag==,type:comment] +#ENC[AES256_GCM,data:bYxNetex17+C4xJO6WSMxbHH,iv:9WhdhpdcUh324as7tBdd2m51mv1/eEpIELOoThtcuVs=,tag:B75EaPx+bVe1mVew+UfulQ==,type:comment] +#ENC[AES256_GCM,data:AhoWpnxWgOeeU5s6wL00L6reBcpOtV8irwVd3fAEe8DCreEPBnqpwGevwg==,iv:0UWv9ucAj9R7y+QUEr3QFn4GqS2UoRc++xSdsAErDXk=,tag:kC6N1fNTz4YmSsMuEW6epQ==,type:comment] +#ENC[AES256_GCM,data:ov4K0cJSxxE/ENcaevRXJV+jAfKGKBsaXvHYgArUtVHQbepWpGsJfCkppwwvVcEyTAfeUDNO,iv:i/CRlQkyUA+CF20SAA6GbCTBnHpRXg8qbOvOZoR8XEE=,tag:abAym0hWQ6wykamhCZtl4g==,type:comment] +#ENC[AES256_GCM,data:jSJSXRF/DEnonOg+++gcFGkr,iv:g1o4qexYJY2aev/5qMJEyMyyZGO4P1Guijl1V9q8y2g=,tag:nLYnhoNuxkbOgXnkZTrS7w==,type:comment] +#ENC[AES256_GCM,data:2ID1+ZbUX8wEPtZEqgRY9WueOOI5vD6UFfK0P6npXgfxmfvGmB+e+dnt4A==,iv:u/OM5noggVYSVuHhc+tKCxBiX+t6PSHB3EKERkfhmbk=,tag:Sl3Yf1iN0PPE6hvWu4CyTQ==,type:comment] +#ENC[AES256_GCM,data:g0k+f1bApJG9pLPfnAur6rny6xMfI2K9c2X9gVp6AQqHj/5VSQR9vSpF+9Ng4rS/12UAZWfT,iv:NNquw+EnBevv/5sZFsClfbo/4n9W8guxBnaEhsiP5gU=,tag:74u0ii9UIIbW2+IQ94KSkA==,type:comment] +#ENC[AES256_GCM,data:RsOaGh7pe2N8dICKNpwLWXo=,iv:6Jst/NIF0E5mb8vnsbGFen5WbCcBPKOhjguja6EORes=,tag:DQlmrUSy3QZDPWIyOg3Sbg==,type:comment] +#ENC[AES256_GCM,data:LzSQ1zgetryprs0=,iv:0vW+cUM3k97Lrbo7hF4c01mPbeovrOwPAUwVzz7thcw=,tag:zt0DteAxi4W4mfkdB0mkYw==,type:comment] 
+#ENC[AES256_GCM,data:MvQ2a5TWmqN4Ew==,iv:IPCYJBFM1x1s0jNITUE42TsOJMX1nBl7tYnfkpdfvU0=,tag:SVherXXtjrVwZGW2azmLXg==,type:comment] +# +#ENC[AES256_GCM,data:bgc4f/2RrR2dW5vQjeyNePgmoLOKmpIqzVM=,iv:H5uenlSITm9wl6Hkk+91yG2J1II4U47ROIlGcuZEhFA=,tag:M/9/Vjr6sTjKbLeyqnyE1Q==,type:comment] +#ENC[AES256_GCM,data:qEWa5Gzr6XseeEs2sYkoXE4TM8n3uccR9Q==,iv:3aWgaP+TNUBNlQEAnrOg/kvIRHyptkkB9h3a0dWuViA=,tag:kPWFT0XG5LSMrSD1JIhOUA==,type:comment] +#ENC[AES256_GCM,data:Q8g59UA+ZGRXT7Ygr2f/obZDP8MHXw==,iv:wgw54HCMwdJQ2p+OP3BB+Qh+v/GQvhquScYDgvSAPCA=,tag:IB26ffBNOJCX8+2Sl7ElEg==,type:comment] +#ENC[AES256_GCM,data:uRxOKL32JURtb+/XE/mRQ+CC2aYWWxR98p7AGyUASd/jFnJdl4aqttVvKabuMjvKWrsk2c1xD734Dz5tMsclT8OB7lPNwwpGp5g=,iv:jA0XIYjCR/4+4OjNnr+KSt7ulliDa9w/2tEPD7GlHo4=,tag:iOiTfLnafUH6VzrpsgefKw==,type:comment] +#ENC[AES256_GCM,data:+g9BiEj/8FiydQxDNO/Fche+,iv:1NkNgP1QxV5emu1yHap9/srF2tt2g/8jaXhnE2Uz3F4=,tag:OhlBkyyNkJyFPhyf+jiKkA==,type:comment] +#ENC[AES256_GCM,data:9p3ftfRZnvlhRAYakQbmzfr51QSeLnD27Q==,iv:Tk0N4HLngjY2Kp6AnHlSppo5JS2eupwRm27hEdXdYL8=,tag:6Em3dbDs2xbC3kk6Q7Wcjw==,type:comment] +#ENC[AES256_GCM,data:lueEj+bYuJOB+l3ll6OhVcfSz1wX7Q==,iv:gDRtIVAtaDAvHUcK/xjQgjjo/AZByRuTR8cXCapgZXo=,tag:dcoanmEDgtulvJdtTC8iWg==,type:comment] +#ENC[AES256_GCM,data:mDV8VHOVG0VSvqZYNbjDB162HEHFQvMR1oP7,iv:zjBquqa8ACwtNKbfXGVhxDlCHsi45ZWaq/F0Dtxd6fw=,tag:whdb/WADQtESImE4jImwOA==,type:comment] +#ENC[AES256_GCM,data:qZ/LnzbeDvj9f3QalSd2OwuLEsvEfvOTuiy9oQ==,iv:5OBekjL+y5oR8L9uaRLXYcZ1yQt+Sl2jPCiNmRv90sE=,tag:IPk79XfIFTdkzb0NxEnscQ==,type:comment] +#ENC[AES256_GCM,data:0yd/4Ctgq/lil2OBtMLIopj+T8hdRqbfq9AyZw==,iv:T0qg+Ag/6UycUCOyauD4oj92c9SUocmTDKhxFYCPI2M=,tag:PcQFljhmdPb3RkkLOXjqMQ==,type:comment] +#ENC[AES256_GCM,data:aFzpb99XER8q6LfKb9SEVRDj,iv:gFu6HVrHmgChKi2EMc/WdowcqktML0KtuyJdJhbz5rM=,tag:/f1qElxNivJOzb7SZRqi9w==,type:comment] 
+#ENC[AES256_GCM,data:imSHtr6vBCS5aMBcPQOfMai+Sbh28jZbGUfzo2Ye1KBttLmV1QSJCA38weTZ8GahzKQTlxaEnG24BmyTs9UN,iv:E6oF2mW8g+03q+F3vUfsklLTqaMo+qiYC3B/lNPzhaY=,tag:0mxqqVsi0ZAT5EAhLKaKLA==,type:comment] +#ENC[AES256_GCM,data:8KHxrv84NgfoacA=,iv:vlt+6Qmgw1R6v2KusPIFx75xFqufcssB26ovo1+6Zrw=,tag:/bG32rIh2gG7dW5E6S/aLQ==,type:comment] +#ENC[AES256_GCM,data:R+t85y+viDb0/R7JuyB54k4=,iv:mBVQV+tltYLXw+foADu51N5fpXrqF7hYLG2OiMbWZ9k=,tag:xeWXnF7TI+kiehZIEEEcHA==,type:comment] +#ENC[AES256_GCM,data:qVn0Vjo42u31sKE=,iv:2453HNpZLxnJasgAXAyjWx4BK6Y2IguwdrhyagV3b0k=,tag:AJXsVweXNiQ6hiSdRD4rvg==,type:comment] +# +#ENC[AES256_GCM,data:870a7NWcXKusP9tkmjpPMH7QtNL5EuiR5A==,iv:IEGuYGVk7rVi4BF3FQITwPAe6nGvs2t0GYA/UTl4Jdk=,tag:1cvq8VJ1VbxXIeCEhPK9uw==,type:comment] +#ENC[AES256_GCM,data:6fr6msoUoVJIJDgtL9otyKory3iWVA==,iv:vVt0qCnQyZoYc3Ncx5Z8YHGkBLJxADQS9KiU0fvANNM=,tag:MJkLWWfw1O9Jnqbl/6AoCg==,type:comment] +#ENC[AES256_GCM,data:tWPa6UdPoYRiVElPbYNv/QFYloJpkO/9izm5DMflx8KWSYNUZtu8QmLvrXxmEpTd3AEicr9ZGGaTdMdwos12xC86IyjPsLb3JxY=,iv:PGWtqsLB/0xMxgi//0EsZo8OxqlJrwD69JmY2KDZcHk=,tag:6GO9Lkjp/Egr66AZPS8mAA==,type:comment] +#ENC[AES256_GCM,data:8pSWxh7uUisOxbTYqIsKYiX+,iv:d6q1eQV2ckSU2vOzqrvAZ+Iluc9o7+ZMhIxo8H03PqI=,tag:hxnlfCBr6gZg4NvJ4q11jg==,type:comment] +#ENC[AES256_GCM,data:FG9YA6i8HJMNSaTn6R8PV/edKZeAHPgEwg==,iv:yOFVYMr9ZPs5z9n2A9KStZ3fhiyQhJpMui0huSfs2Zo=,tag:EGAtYW1uc8Bbj4EHVofhQQ==,type:comment] +#ENC[AES256_GCM,data:N0vkSW0vD0YL3jyTxJWscknooIt3ZA==,iv:0zhhzYCdNFp8HghxrL9Nu8vrRHAm0FVpSTWBQWxowgc=,tag:DDkE5xue1051732fUMt0JA==,type:comment] +#ENC[AES256_GCM,data:UIGa7jpdOB4Lfv5JsbjlV8yeh8pDg5tLZ9My,iv:JAGqvE7c43pWRGpwRS5qjEjRVrnv11DESCaGSzarwHQ=,tag:zGKKpmNLjXFDXub7Z2AiVg==,type:comment] +#ENC[AES256_GCM,data:jCt4qMitq+meYz8hlM5HDfJ9kN7OM9CAF/aY9A==,iv:BFkU6fr827X3dDSig4KXKvEceesmWygAGmrBXWwCxrY=,tag:I+z23JgupQ6UHYJzE2Oh2w==,type:comment] +#ENC[AES256_GCM,data:rhBzSaTx+gPSWUepEbG7d5j01MEPJwcDNoU=,iv:JmqO8MvpeqlkSboWuVAF80Sn9HsR6yEjKFJgKszc8v4=,tag:jLpagtpfGQ9rv2faLVDx2w==,type:comment] 
+#ENC[AES256_GCM,data:FRlvrmXEf05F6PgENUZVaC5R,iv:Hbb3myNwiWlcG78aHWWe5az3HpujpavT0imPVDERA9g=,tag:/Ala51aCehpJ06/Nq0Aqcw==,type:comment] +#ENC[AES256_GCM,data:AdmSotjFoQ9HLllJfVhytPR38/uV7hggeQW6oeJjezTWPGdjetkftraYS0I2oRz+cCepsBNyU7V6oMU/IKKm,iv:Pab4QLtgCN/njzl5G7tUJiiSHg+TCK07rlSPobJnPr4=,tag:e0crhizVQlOayutG838VvQ==,type:comment] +#ENC[AES256_GCM,data:cw4Ng6EYpc4dKxc=,iv:4TrHjJygdOeijK/2vJQQsO3lGa0cVyCsSWmRSA/XSt0=,tag:v1GDX3qiYyAGgCpUVEarMw==,type:comment] +#ENC[AES256_GCM,data:qQjh6E7jme6LAUtb0kkzpqg=,iv:t3FFpnb12Hi5uGe+bMqWB84mqMTBZqewGi/fAEw+noM=,tag:RJu/O1TA0cy1xCjFuSYJjA==,type:comment] +#ENC[AES256_GCM,data:qTlNeSq2WkF4dOI=,iv:6ymng817HTeDds0KuW208kQnfarE7ahBybwyHitisbM=,tag:pAycVFy95ujAkPODZOExsQ==,type:comment] +#ENC[AES256_GCM,data:UQkM5k5QfJfoFg==,iv:0TDmGDUADCnYvIJf8cz1tD15zGevTEUPTfcFyWPuhoI=,tag:vo7JDfr+UlrtWLng+L3O1A==,type:comment] +#ENC[AES256_GCM,data:/b7HzhZiiuEifWiw6QtQ0Gk=,iv:32tJRHd0pqs4B0Ut5yg6CiIINzGxQczg6Ka/ZN3XQAM=,tag:BuvitctLA6QuM9L1+P350Q==,type:comment] +#ENC[AES256_GCM,data:PJSab7u1SpCEJ/Vbek6BckFjVMhoYjhpZLwsy2Q=,iv:nSguWEO8LZW17AhSwbY2QgWf14iLnL3SNxDbP11I6s4=,tag:mZpa2HC9eploCJRRfYQNwQ==,type:comment] +#ENC[AES256_GCM,data:ncqHrtotQtoXlVLzQ17WBVdlA5CP9A==,iv:SrvHjpSzyh1hU4mpPbtnej4WJ5+WP2C1UKxFwiYxSw0=,tag:TfLM8CJEEeAoItff6wSZmA==,type:comment] +#ENC[AES256_GCM,data:HjCAmw7B9Ah1/pVwxb5rUXqy4Pc=,iv:bDD9cKd/imH5+iozynxDgPEoSEIIphjkfwCZu30qKnU=,tag:Us5niBmVRaXPUSVGGwdHwg==,type:comment] +#ENC[AES256_GCM,data:4XnKVoC8z/uu0BVlJipyv/l7a0ZNdQ0V1xF3Nz1qN8M=,iv:A8FS4aUnMlu3KibbM4HSaSmbMSU8LsPzivzBNUvUxoY=,tag:rI0q5sR921vCGWk6yL+pyQ==,type:comment] +#ENC[AES256_GCM,data:jNXvOEztxrltP7q4rlfn3GMCNqTJgSihMwN4rq8M8/f944oxTrZKX2TR74w4,iv:dTDRhG9MZYxF8GAeVUUHZqKtwbmLkvoBZkaw4klIRZo=,tag:R5OOeLPX8ILVQ3blZeSp1g==,type:comment] +#ENC[AES256_GCM,data:PPV53Is72DbKryu5SldI/cvC/OEi0iUh03+aAm68CKqc+8+2arJSPxYbMwl6lr/N/w==,iv:CulUqXYhQAPb/Nxd26i2VPeJbJRqhRkGrQr1oFUZrUs=,tag:s+aazHjWnxoTg88xPRIdnQ==,type:comment] 
+#ENC[AES256_GCM,data:DvVpwJ/qga9No9NVByjR/kfrqpThk7b6gyGbgKlA,iv:U5O+dAxg0j92uRbo8Mmsqrk0P+74RBhILnRzdIxmjxE=,tag:McLjNRvm4ODQVc5U2WMU7A==,type:comment] +#ENC[AES256_GCM,data:JDhpV1lVCLEtxrw/yG8F6q4yJj2uW/5yyERoiBr7Dp4YMfM0B4F6A+nuxg==,iv:FQ6BXkQDX0jPy9+2vpBQA4AEKu6tKm7Fa/++85gTtKg=,tag:uXOtz5aDEovuZOfpHGD6cg==,type:comment] +#ENC[AES256_GCM,data:Ss3HZ9jwy3BYEPUxIIcb9owjz0pC2/tHSwiXkpjfHI/VBsCo4sjhSLPEFJBwAmQ=,iv:In4bCeJ+awjGyosyzUnMAJJ6HNeYKYkssZXVTFVa4eg=,tag:r5RCOURKd88lIQ+/hh0Ieg==,type:comment] +# +#ENC[AES256_GCM,data:761fAyNbew82DpMOHHhFCtbXKAirp0/EHLQ=,iv:vu5eWu3I9N2KNOLYsgvOJS8Q04Qz1yILJKFo8GcYTHY=,tag:8APc/1x2khyhzYSYNSux9w==,type:comment] +#ENC[AES256_GCM,data:qAM3q6ux/NY+F/HTgtPyF07YHgqjeg==,iv:ub/L+gvpoJY8VX/EZ7rGCTA7RLdyXzEGAIj0u+kbYl4=,tag:b7bZrmw67GzDFGIm638i7g==,type:comment] +#ENC[AES256_GCM,data:shHhdwchJf1ycbSQIDGlTnwzZfA=,iv:wXP1bMUQyMVoFbSMfDFa3hhqwJAme/0bUSfsx0oUx8s=,tag:unko7HBj5Oe5RzqY1JCOIA==,type:comment] +#ENC[AES256_GCM,data:eQOr4L454juTJAIWcwp7pPKiMFaEChE59KYl20g=,iv:LEFggdiT50AkRj/T6shiTfIEtznA+s0IgmIFq/cVKT8=,tag:bf+3uWrDV8uyHaGQz02bFQ==,type:comment] +#ENC[AES256_GCM,data:8EN21PgAL3k8FGkZBqG8PRYTXEfYbRfzXqvZvjOOYbc=,iv:09sBBh8Pl7Gw3/KknqJF+mX7sziXUsY6k+8riEPJJSk=,tag:RfSYmcyxFyWbWFRpf0vtRQ==,type:comment] +#ENC[AES256_GCM,data:Z+KrmBfOCc7buLeEZSortJrp0EQFH/gTfCkp12l6,iv:eVLTPRO1Hiv51fWfckSiiU+psvmvHT2usL2IuT1D7Fg=,tag:fcisj0TvbCCANTrpOCzq6Q==,type:comment] +# +#ENC[AES256_GCM,data:1naYyapZP1Sf7/d7rvM=,iv:+bzQzrKho7qmANnp71hn35RVYBNFaHDXfRBoWrCjMp0=,tag:iaDYIb50KLsBwKaLLLCJTw==,type:comment] +#ENC[AES256_GCM,data:AsVU5oLsQV4P/eO7sdG4jQWI/9lY,iv:UZuKcwnGMbL7ynJy6Hi/a8NV6wRSaxdPZUlsDaKgE88=,tag:gJ3IgoT3VsvT7VU2I49+/w==,type:comment] +#ENC[AES256_GCM,data:04u7xJ8FAWO1bwYshgTsvYF5aWPKbbvpDgnH3dfbbJ4rIg==,iv:OTs8fcjT6irtIyoPVGFNC62MDatUaRI6a7ZjezEMkKk=,tag:JmWCTY4FLMSQN2qWFoqQ/w==,type:comment] +#ENC[AES256_GCM,data:XtpX+ghnXln/pBWR2nzA+dVvF/JhzoAJ,iv:C0vXbHn4fvu2OnVHV/R7TMWvc2QPvaQ/G03gDVaj8Vc=,tag:FbC+KYWz6Rm/2OJzj8gSQw==,type:comment] 
+#ENC[AES256_GCM,data:mPNDHm/1+A3EF1cltM9Nzs8NTi53z1pGyT+1x+PGuo8wPs5s3Pm0pe4q,iv:eXRESlusYlM8YvY5WGNxxsIFxCE3zss+YJq3ZGJQVRc=,tag:jgtGt5mISZVYjwn1SMi0Ig==,type:comment] +#ENC[AES256_GCM,data:O3YaY66fkwlRBFQ13/51TfmdDUA=,iv:wQ0BhRyN4gKXScWxYOTmUaYIGYilN3lZnd3yXIYxlbo=,tag:NBu9CFWUqk6x5q8BGdhisQ==,type:comment] +#ENC[AES256_GCM,data:4mOi5U7tX90UN1Pqt6az5hQm,iv:aZkshz0R7r6wdyA+4gexy9dh2pGC8JNAy4r3JXvbghQ=,tag:R9x9jkc8+VuzjelSqpeCTg==,type:comment] +#ENC[AES256_GCM,data:Ze2NZZy3deWf+PYMCBxwhM3E,iv:IyPA8m+xQ6/CyYfIYDoXf0LNmhbmcFnWyiR+d8cTB8Y=,tag:br/4/5aS7Wc9oVSWWfTCmA==,type:comment] +#ENC[AES256_GCM,data:iXM/bRiK2WID6LV7ivdBZY8t,iv:AhZb5XiGFshAnM60322SJETK17z9KpqucrgofjzjR6w=,tag:byf4ZF91atJcO+gA6ImyWQ==,type:comment] +#ENC[AES256_GCM,data:ChhGNI/CaeS2uAFVXyCJGOA=,iv:u6wsa1iANNDytCaLEdYdAeraJGs0qN+mQ0UKIQemJu4=,tag:D6T/VwzjF22sP2MZwblLdA==,type:comment] +#ENC[AES256_GCM,data:pa0vuJMqgJj5UIT2qvbdGCo=,iv:DyV73yWUdMdoa702d1ggZtZGihnqc3rlusCFyFCDTpQ=,tag:DEl+iodZXqcB7NCbfySb7A==,type:comment] +#ENC[AES256_GCM,data:Z81YGP/CiAueQMSU3jKiSCV46WT3b7EaO1AWe3I=,iv:90xZtzlIze9u8LQg/A1v7ot0RsMdC+o2KUZGcJyJD5M=,tag:185KHYhPwrGIeaIATMG6JA==,type:comment] +#ENC[AES256_GCM,data:fTkbtgJLL0dpW7ne/HbrsyTCEWUwT8n+YkTefUXrd/W3xbAdbivwRBym,iv:cZBDGL3JVKGL3krkuShUsPtyDIwmdFaLHoaNpGPATCQ=,tag:zI2nkCDmSCVAy1gRshpPIg==,type:comment] +#ENC[AES256_GCM,data:tg9yQg4UxMbEToWsTWT8GuXu2pwzgPQ=,iv:hd4nykf9C64HUnEBxTE8TfpfvVS1HVaFsBxVPXaNW3Q=,tag:dIGlpldGYv24yE7HSeNxmg==,type:comment] +# +#ENC[AES256_GCM,data:Hwz4Wo0LeshEMlN0AAk=,iv:QjqlUt2Fz6b336ySN97KPAppEmbgOAL4/0rAB9OPdMs=,tag:t4p52GWpd0ONIAoSEdC74g==,type:comment] +#ENC[AES256_GCM,data:iPuF/T3jM00fouYANF4hww==,iv:8CbNJog28zwe8GmJufrK7PI8/4ph94So6w0JWhCffPw=,tag:LPPY90qiGbgjUJ95MTK+5Q==,type:comment] +#ENC[AES256_GCM,data:pAPpPtByhIVKa7pCwM85mLfNKd12jA==,iv:NDyOr7VNrYP+oH7NRotc7RpRFfFT7Yhk1H16OKUVtFQ=,tag:h2u53KtUfaw/MiBWXyXsFw==,type:comment] 
+#ENC[AES256_GCM,data:rejRFwFfNdaZDCjWDVbw+0C68VlTJpyyUOth,iv:jHz0EZdZHz2+gOcG+2/0CAyd2k4U9exvQOzugZwyNfs=,tag:cKkGscx++0q1Mlo6agurGg==,type:comment] +# +#ENC[AES256_GCM,data:pTVBKKE9q9v7+ZjdY68=,iv:WQ956XLsvCNPEpCL4JNmadhHLoS7S/8tod8fMLrQf5I=,tag:lCytViYpkE6BtJ5OY5n7nA==,type:comment] +#ENC[AES256_GCM,data:n2SzH57dweIGijPecnE+/xE=,iv:hAbEIzVwrAB8uXuh2wBH9E/rvsS7mqgk+FMQLCFtVdw=,tag:EzfW664vfiOfPWHcjSOEVQ==,type:comment] +#ENC[AES256_GCM,data:N3dg6dK4FZvUh44RkC6B22ctCzxrNLkNP8Y=,iv:5zPUorfS3J5XtTs3mbLljYV9G/PMjSdDohWk35zqA9c=,tag:TcD1/rnD6CrsR6pEfIB3zg==,type:comment] +#ENC[AES256_GCM,data:cf1CYbMC+bG3KO8BK1ctaok7NQU+,iv:ri5NGrT1zNQx8cc4A+iePV2Txtj7TT6ZhmXMtZZIHBA=,tag:0hD44RjYLOyp9VPT7FXvQA==,type:comment] +#ENC[AES256_GCM,data:uSJcPrieoeXzK/jMxzhIoWjZ8PQA,iv:4ciYuyyyiWErOozctjUssNeKEvXwjw4BBR00Wye6Ulk=,tag:Swp1RxMPu+z5EbTd+2+Pcg==,type:comment] +# +#ENC[AES256_GCM,data:M71IlxnACTBo/ZVoByHS,iv:mz53kNeoZ/I0L1gCHNplO/wkiuv3Pa5cOdAkbW2H6aY=,tag:uv14h8nqiqilLQPxxZwu+g==,type:comment] +#ENC[AES256_GCM,data:ctZR4y3L1Kkt1XImNios3g==,iv:/mZRQO7itMZhFu++g1u/CZ0k/NySK3Ssndb+B18VjHg=,tag:xA1br9fn7kze6nKXw1U5CQ==,type:comment] +#ENC[AES256_GCM,data:KCRx11KSpYt3jc8KrsLlOkohAQoMrEM3xhkjWA0=,iv:MC2Ed79B/C2Ti2xhND9Zud+SsVi4HlW8hFigEg61RH4=,tag:3U1vzj+X3mSCJiph9eDExQ==,type:comment] +# +#ENC[AES256_GCM,data:syJIANmTl822v5R0CaZm,iv:dZqFx0V07L+AA0kdbhmd/zAwb3am4xKlCncSYmTUoww=,tag:rarebRjHp/ePr3c61gS22g==,type:comment] +#ENC[AES256_GCM,data:P+HW2K26Ro1aIc9U9WhB1hs+fBMy,iv:wgtCxHBMV1VP3aC+7c09d/ZbataHNsi10+MMNeExCfE=,tag:ljJA0PYZMTKH0svHvrhTaQ==,type:comment] +#ENC[AES256_GCM,data:+bwRXTLBm87M7woyQu8H1xLWAtcziUMo,iv:wOsQVvDYzKZ+K/nny31n9I6oRN27KZbKW3/qMwwFcRg=,tag:wvXx1P3f5yaQJt6Vfw5Abw==,type:comment] +#ENC[AES256_GCM,data:kOpTKJrs9zEyLRvuCrzCgAcGOWs=,iv:wv47cqmw9qRI93UpH2HEiwQ4z/0Hh3Uk8KoOz+xMXlY=,tag:g2MSlsd8mrSAcOl6Zll+0A==,type:comment] +#ENC[AES256_GCM,data:CrF+LoZrJQFZ1qEiVaEDtPNz,iv:bEwRChGTIzy/TYFRX8+LNspgBFsP8BaPaClkhlSccCM=,tag:2J2EOQ5DablYMShw5ftN1A==,type:comment] 
+#ENC[AES256_GCM,data:dI63YN6OjqWYpKZlL4nFKIyr,iv:Z/hpFzm/xFZ+CbjnmXnyCcsVht4+dwfiLa0w4ZJRoCI=,tag:kGCAI025/e0OGxyD9058pg==,type:comment] +# +#ENC[AES256_GCM,data:TAfLyQue1g2BJQI/wv8W,iv:AXIQDwYrV7VcomWA7ma2aqPYBIyQS4n56lTfWJQ+yUs=,tag:GtGBdQ+58GCcNsHhP7oiwQ==,type:comment] +#ENC[AES256_GCM,data:rh8P0ngb61FEj7gmwC81xAM/VlBi,iv:evqLKuYgoYKSDeyMR/qgry9ZdUXs43bYDkOgwesLaOc=,tag:+4qtneJQN7GKjEnTxOigKw==,type:comment] +#ENC[AES256_GCM,data:emvw13eA7liyFYskeQkcLwY3SOR+Z3I8,iv:arsc/GaQFBFU98ZROWC8OQBsGUwHHNQ6OtYvVzW0ku0=,tag:xnDo0c49vrcpF4BLJTEtpA==,type:comment] +#ENC[AES256_GCM,data:EkFxLiKlPDwAKK/E5d+cpiw8FgvNmW1gtpngahzEA5Ce4If/Bg==,iv:zQsseNpyW4mT7GQp6ADNBDX3SNWjnSGIJmGAzHLE6tc=,tag:BEEfPC7pATG95ZQbCbOLGw==,type:comment] +#ENC[AES256_GCM,data:MPkLe8WaC1xZUZfc5Fv5ayx7,iv:txOc29KRFcjU2gzkF0k7wzCnKDukDcy4uErZKKbfe8s=,tag:mGYqbafKvzcSXzX86PYZlw==,type:comment] +#ENC[AES256_GCM,data:wv7Z3jSiyax1IzrhiP+KvhccLhY=,iv:kZ0yTnHw7hGWLL5rPiK3m2fVtmkbSqc8c9HfmuSLfTo=,tag:kHLORLIVOc95e+U6qVnLJA==,type:comment] +#ENC[AES256_GCM,data:t1bw7qSOfu+9FSHPkKybc8gc,iv:IRs97CByexbWAJT7p4NKDKer3vwsFHx9+HQ14PXAaK0=,tag:a/tjedW0wFjg1isufG+XSg==,type:comment] +#ENC[AES256_GCM,data:MctPm36in8QYiOm/oDwCFNUV3+iwy68=,iv:ht+3MnZDqop6NrpTTP1NxXKw3W2Uxb97RpFz14POGJY=,tag:FnO5oTzAOLHX6W2LynKvkA==,type:comment] +#ENC[AES256_GCM,data:OAFeB07mHMVp0ZXpje3Ruurgvyc81z7Bbcd7nK7ZvGvWUQ==,iv:EIahYcU/L3m4NEl48JR9B4U4bfTECPeeH9JSPMUfY8w=,tag:fL6sQhNHBetXkpzMD2tLeQ==,type:comment] +#ENC[AES256_GCM,data:p4SkEqkgBc91VPOP1dnKEzuz88gbxqu/InVztjoqC+g=,iv:VbdRX3Dd5xEABPGyn8HW0PsqUdViTR6SLt8ptyYMKSM=,tag:lTUKz2RJBcF+jnZjcp+uXg==,type:comment] +# +#ENC[AES256_GCM,data:UZCWBKBgEcNeRHUfTurT,iv:V02x6pxQBxIMBWtIuVS1B0z3T6vsvTB0LivY6zEUryA=,tag:WB3LNHwcrAD0ECwlW3u06A==,type:comment] +#ENC[AES256_GCM,data:++cW/Mp8DxwAj6qDS6R3ja/Dkr7B,iv:guoppYi2+nr8ZvPiEk5PHx9NUlKWgXKWOgIz8hQHG98=,tag:gh99y1r9OVNNR6DzQAk47Q==,type:comment] 
+#ENC[AES256_GCM,data:Rr+ary7Q3eF5mGFYJAlU7oQnFJ/VKI9GPHOX+vnGubOIbMRiQQy6FRgKNwZJqXx1HEVqoSLf2DPN2w6Cxbc+8tlPf9w=,iv:WJ8ovxoPEOR0lIiRuoorO/7j27S7AIrcpDjqfKfb7K4=,tag:erHL8jfBc6B1okJnknB1rw==,type:comment] +#ENC[AES256_GCM,data:0nyQ/wj/6UhsZWVj+ohMnSsk+g0FNQ==,iv:+rO0ddTFacXf9tsiXCJUgWW4iOpTUn4HWQQdwWsAGs4=,tag:9QAHLohS5u9WE+qlSnYQGA==,type:comment] +# +#ENC[AES256_GCM,data:B9mfN6DeeT9WCHYI9tAK,iv:F1MQcw4LvPagzcIzvBy/jlFKMecu8vW2SMSdm6vQylA=,tag:mSJIhvLxIyRMVZI6hwq/6Q==,type:comment] +#ENC[AES256_GCM,data:lrELH+Xpg03LbmpdXl8muA==,iv:vdLbxoLhroiizYc6Zht771jydjrHkNMsENKxNELkwhM=,tag:iE2l5ZtvnC+PberTi4mUww==,type:comment] +#ENC[AES256_GCM,data:9D5ZJjb7IjoAj7v7pizINtbQC1dAhytSwsQvflWu/9eWnFiCkdU=,iv:rXgiZXcxvuHZNYFoVXngbTMFJ7g+qpN3Fw134iuxuco=,tag:MJp0xk9yUGEime2vDmg/YQ==,type:comment] +#ENC[AES256_GCM,data:sILv6Ii5T+k5R1jVs8f3,iv:ACvkAkCIGDiUxjGMAPchh1QAom1MGs35bvSMDNQuogA=,tag:D+KSIk3+7bDjLmHxLplwcA==,type:comment] +#ENC[AES256_GCM,data:cVuCmTpnfn7Hncw7cZFCvko=,iv:tx9aeIISmbPcop5NZp1GEPg8J2TETnYw5yAyFmejfyU=,tag:+itwTekQiK1EQp4SDti/vw==,type:comment] +#ENC[AES256_GCM,data:oDZ2g9ZymWNmh3/D2CZk8WFHG3+E,iv:zTfxcHtHLiMWENDzn4D3/SOWFycdcQQfzy5e30z8vAY=,tag:wT1d6pQ/el4a/vhVEqS/bw==,type:comment] +#ENC[AES256_GCM,data:Jt73gVDZ0pTtFLi5TlDpPDrfzQ==,iv:OyEEqyL8tNmJmkdtnI1at+6tFS80vv/nYAWXNl00O68=,tag:LF1panNmPifrPQSKF3tzUw==,type:comment] nftables: forward: ENC[AES256_GCM,data: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,iv:lX4dz+VArj+I9yhy4tahlz8cNvnc/eDs69pKRbIWeEg=,tag:px+HxZRAHlKQA32KJJZwaA==,type:str] ssh: ENC[AES256_GCM,data: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,iv:iE3MNeQkraGC3qvhP2CtVQv24XVzUQMJZuPa1JxlN9E=,tag:wU1dIUj/HoWD/QPHqHxcDg==,type:str] nix-access-token-github: ENC[AES256_GCM,data:CWFmo1vx9xGrsickiHtAehg7CLhDrV69yG9Ngca66ecsAeLKU32CDvL+3/9UTOA7lrHe88q0GOXMmbCfSDFA4M0sZWo=,iv:yfQzZ5qmKkkpL6T6I79HGByyt8nhdYnxR6D7DvKFaNU=,tag:WGg9oSbmZcy+3BAFTyf1vQ==,type:str] +ssh_config: 
ENC[AES256_GCM,data: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,iv:+535dLYm/zY5HIeXbpLaeMV/sx6b5BNV16VZApPIt48=,tag:zE2yzu1Nl3Cbqd1JdvmZWA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1z6g6etwcer433v97lwjrruetdh9fswkgjh9w702wzdc2ydvy5q8ssrfy9r enc: | @@ -30,8 +201,7 @@ sops: ZTdpV09qUVZGK3FjTWRITFp5TGZFUkUK1E9IN+SyTV0r9l1bd+2z7zrsp/7VxCyG tEWZp8LmfkGEunspv6iDyxKbYxWqNqJxZuSVeMD4ZMx6YLwHfW797w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-12T22:11:05Z" - mac: ENC[AES256_GCM,data:YgCiqSbW2qMrGM3SYO7F4xcgrdRaBcaLj8r53i9Nu5D75l7fA+qKTc89XCpNXlFMv15LHT3kKjfXqsH2Cyn8RyPvrHHd/Hnqa7paQPrcpQIRcpP8QTMCBNFJvzpaXUozwb3fpx1xY63Ydw/TDv1/PQBEJWzp9k/MDiTSZYOba+Q=,iv:9w88jxstxmvIScgCUtgl1hPkr/j76Rked3Kv9fhZQJ4=,tag:UvfTXI222OFtIqex+0mdhw==,type:str] - pgp: [] + lastmodified: "2025-08-26T07:30:16Z" + mac: ENC[AES256_GCM,data:2i+AMaBIOCrKYfHFXZXB//yZ4Nf54DXYLzcdWDwh/cloWfpa2uPb2UzYVIIOz8ayi1h/Ij8ON9fQEa+4SzflV59ThN03/kbR/wOo9UYLvjTl0JIFypl/1O0PRRxwrNPp8jMl6mX9vUL0gvfB4qnZnk4xUOykTaXoIjnO4M4FLwg=,iv:WL8RXkxvh+MfmfiVUFLNhTwAv92DV93ZE6q4lagCNpo=,tag:sbXuzl8PuZihzcrASPNCqQ==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.10.2 diff --git a/hosts/secrets/fangorn.yaml b/hosts/secrets/fangorn.yaml new file mode 100644 index 0000000..dd5ab96 --- /dev/null +++ b/hosts/secrets/fangorn.yaml 
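Review bot: Removing the `asterisk` block (`extensions.ael`, `pjsip.conf`, `rtp.conf`) at the top of darkstar.yaml does not retire those secrets, because the old ciphertext stays in Git history and remains decryptable by the age recipients of this file. If `pjsip.conf` held SIP account credentials, as that file usually does, they should be rotated or disabled at the provider once the service is decommissioned. Separately, the long run of `type:comment` entries that replaces the block is encrypted one line at a time, so the number of lines, the blank `#` separators and each line's length stay visible to anyone reading the repository. If that text is a parked configuration, it would leak less structure and diff more cleanly as a single multi-line value, or removed from the secrets file altogether.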
@@ -0,0 +1,25 @@ +nix-access-token-github: ENC[AES256_GCM,data:5VERSDp1ROol58nG80J+84fBB7k8GyFd46U/D2+zW1iVV12Y+IbJf9SNuR0Wca1qOxR4v6qRZjkTOL/d72SwBCGfmkA=,iv:qn8u70EGF/2H7tQO86rLNQVPeoTuk9eyn0SFwrHpHRs=,tag:bPGqZUavVXzmZZGrMUkveQ==,type:str] +sops: + age: + - recipient: age15yqlem4d5h4mz808j72ccd8mrdu4p8hyal2k988jdcmtqrns23xq80896d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUcWdVV0hNMlJSTnRPV1lu + WnRNalM4cjA2bUdYclRxcmFGSTVjMEYrV1FJClB6NGsrcnlpWDJWK1M1ZmtDbE54 + SmhwZk5VUTJGSWVEbkVXMkRydEJ2cWMKLS0tIGVBb3BBRnExd25FblNOR1FLWWF6 + NUU0cjAzOW1nblJ6SEZjN3NpZFJpRDQKwIG60pc821BmWTymHeyY1SSLy6jpFowN + 2AuzBldfk9Tm3g/bfcXV8Af/YQMX53xrYawUQiDALOHNAj7smZWvRw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZjFkcUxxM0VsV2RFSjhv + d0FyKzBZTllGTnRLL1d5NmNBT0R3b2dhZ1M4CkVEOTJ5SUpDVUF3N0hJWEtOL2xP + eVFnNkJST2R0U1RDZ1pOdTlGUzF3UzAKLS0tIEUydVcyMmFlMEpXemNKcnJsYS9V + M3F3blQ1dGxoWml5WEc1R0ZjblN3bkUK0+9zLdJi4u9JE3ijbP/SVNPqe6tXBcqw + gS+N2V47O63fjGM/VSXMywrB5aatwU9xUW5+A68qwgHCXTcHYGiHvA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-04-14T19:53:57Z" + mac: ENC[AES256_GCM,data:JlVFa18N4w+y4RIK5GG8XspsW6BL9U7IpU6IEpG3u4R+h/3UpLFvVqOE+sK4zdUaDNajHk0Hc3oE2RRsTaf0MUif2utqSpT1y7fqaVBj6LBrqH7pu3KNRnktfLb/VOyovAj6yT1Rmko1YtcKw6ZPu4r9t/Vi5FAZP1+3qLmWyv4=,iv:e9z7vP2W4AWACCEDto1eY2i0PwD4l6W3c6+KWcduwZw=,tag:LQoyet3sJKh4bpn+FE40Yw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.1 diff --git a/hosts/secrets/ginaz.yaml b/hosts/secrets/ginaz.yaml index 38a9950..069d445 100644 --- a/hosts/secrets/ginaz.yaml +++ b/hosts/secrets/ginaz.yaml 
@@ -1,11 +1,8 @@ nftables: ssh: ENC[AES256_GCM,data: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,iv:zHwrBGfdoz2j/5Qko5QNDkh/kkJ/bD/aHvEL5DACmKI=,tag:9YELKHujgP4p5yO5vAwZog==,type:str] nix-access-token-github: ENC[AES256_GCM,data:D0VIVA6O4vTDkg//+NgV0pptpSGFkSi8YtbcjjXTQyYLK6j6QJ1Zxhz1SaHZadWNjJgilMjoOHZOg742fdusxwzJTQ0=,iv:pjdlfeRW9v4q4+S/6voEFPOvwQMQYd2ehQS2k0MNAuI=,tag:HG3+7EfbD1XTjxE2UjTV3g==,type:str] +ssh_config: ENC[AES256_GCM,data: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,iv:yX+/BGMQplX9e1dyLxJ5e81z8tPgI6x67xqqJrFbpzw=,tag:FFiFgWdsuRdSdAbNf44Sng==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1900zc5caephklavvjxp0g4qqvyqlzg3sux69y9p092g3d3qck3kqz62reh enc: | @@ -25,8 +22,7 @@ sops: Nmp5TTVkNFNqd29PRVlRZ2lZWDhaQVEKQ5dnzV8gqd21v6AlUfpOrBTyzvpEC2kr VF7UR0f3VOvnaJ5fDB4nrcHthYbQtxuzhV2wuvZFh+fBle5xRgGRIg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-14T10:19:24Z" - mac: ENC[AES256_GCM,data:XfGP9Yv5sDlMCXBjy/E1I1sqKhNqniDTCTxVpW498tok7gnuMo0rU3Gi+AZQZhNery3dRrZDfCRj2Fvv1O9eF75HrfIlbS6HwZd+XiZXRDeMC4W0jYy/egXevMsajwEmSPM4jnqeKsC1qs3iTqPBnRWCSS1WZoVXB8JSpDW84cU=,iv:TXmKXaNBNXluYF9WMUiXfzqcz9uGzEOFETbR5PvtSog=,tag:SvQuJrdaUeQPYQbXdpzc4w==,type:str] - pgp: [] + lastmodified: "2025-06-05T18:01:08Z" + mac: ENC[AES256_GCM,data:VaYnO0cCKoxY2cvnmqr4MqkTjSOzlBY8z80uxksUxrfWnWCkBtIPHG5gHi7HKn6LnlREUquzHoSSfmpIoKpMjdsOlFunPnrG876uGhNFxHROocixxZJV6yIsClgRx3FCwe1M3iT0NDAYq3zzNrL2bTx1MOx4C97Ki4BuISn4/98=,iv:dUUpbFa7e+Qa9FV9ALEVPifQNrPkv5oYsA6djgYEq10=,tag:s2abIa6FX/vPsUr7M3kEfQ==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.10.2 diff --git a/hosts/secrets/kaitain.yaml b/hosts/secrets/kaitain.yaml index 255695a..951aa75 100644 --- a/hosts/secrets/kaitain.yaml +++ b/hosts/secrets/kaitain.yaml 
@@ -1,9 +1,6 @@ nix-access-token-github: ENC[AES256_GCM,data:OcAY30aGdCEHyl6DW6mYOLI166w/bGBeTKQ645EG3lL0k1IHvu/ox/PG28AjlcCj4pZHeYxEVIYut6a9VoPNjRT3ohA=,iv:8kRcGkGm+6hWAQ0/0FwqDeS7i0GE8cyd0YsC9J6kl54=,tag:G1J/5pK9dQ2N29oz5byVuA==,type:str] +ssh_config: ENC[AES256_GCM,data:pm2kOAyplRTTlQdIGOrX0/T+dGWUH0XdoVdibWY8qGUzgQ80NYGWgM6bHm272OeMKrCLE+0Rtgjzt90HF7cj00V7ER1CK2hJaLmQypsGEBel3PkdhO9oPmSJk9TtydtAldMA/OQEAtZkVm2+1AGiGdvuwNF2PMyJUXSGxqU/uCLpGhQoQY3QGFytsrnsNbsmZplwg5+tT/JI+d56ol2Gm2hvYtEWX/2PunQR2nim0HHDuCLojxXIR1oLbz8l1MU6PsZMHIKvBMbn27OIC4AHFENWbvsKzxK5YZk6DOX+ZnRiyYQ36+ykzAaNXXXuvGufPbKMOySJ4GBKKvxtGd95HeDH8fknVUly5/MraVnjymTmVAQfUm3/eQPxAkA6Lno5UOmxeYUVjFC/fNlx9HDNLwSNze8Kvz/ugdAqfmxWo7wbmlDkFW+HJT2IzxbMDdEUmErBho0s8gYO,iv:8Vwujh30g9GYps+J8hkFHpL+viC088AGLdPCMzL2/LU=,tag:ES2GoIJYk7n0b8MV1tnn6g==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1fptscuj4qa39238xfvc7envgxr4cf29z3zaejp2v3q703tq45dasf8vadl enc: | @@ -23,8 +20,7 @@ sops: RUQzdEkrQTU1cC9OU1B3L1cva0JQTTQKzAuNy/7h5XyOIiQh/8fXfgri90dTW/qt wn/snTnrukwPaeQXsAHQDvzueYxSEtHqk0WYT8sOAfuzOQP7wGoGFg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-18T18:32:59Z" - mac: ENC[AES256_GCM,data:YHZ+rkkVX2CX1XgLKFvSEf1Hg6i6wJwNV2IdMx8kjyWSVjAx2PQjKvy/dLFsqspo1FF4Bo++jyaEn0yxuouVful12Q/6RAhf1HRDXK0TjPTWf/vsCw0Mlv/zcPOKMEPG4ltP6bSDG6WtTtFx3Ck6stQwepF2omoVT2E4kj1KONM=,iv:uHs5N9sMfPn4+ZEaU6BlioESWy/BijUfYHu/5UrA4H8=,tag:b/lwx7ex21Jw0knpuy1TPw==,type:str] - pgp: [] + lastmodified: "2025-06-24T17:03:24Z" + mac: ENC[AES256_GCM,data:rbADZdFAqxx6oONZaw8u9BF9ZMBHaCIUCysOa7qucuPnC4N50PbmxhpYZR3Nd0NOqDbkT0+8Ox1XxF6Aty+kxvd46V70WR9oibGJkxuWxyAohXAETv4XjZl8JOkQV8JvEDAzKNjEXbOUKiLRkU8PWfQ13ogshuCE4FYLzrQcNjo=,iv:/79wztsyRzv+g14KeuM/68ne9cKenVB4WX5DYxIGvnM=,tag:626pO+4jISMP5Z/PWcPuxQ==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.10.2 diff --git a/hosts/secrets/richese.yaml b/hosts/secrets/richese.yaml index 45bb5e0..a7aa1fc 100644 
--- a/hosts/secrets/richese.yaml +++ b/hosts/secrets/richese.yaml @@ -1,9 +1,6 @@ nix-access-token-github: ENC[AES256_GCM,data:g+9Vi3SOLWFkZGb6KzlYdYmv9JSIoYd4OaOhAYZLrxlJKWqsa66Tc2z5dFWr/wyPbitxRAzQB1xRZI3CUbMWOWb06L8=,iv:kjdbr2KLLWfIsSNTCespLXdQ4BKm4caiRASaCYWKFHA=,tag:DBqjdPHnMCSa6obeSy0WzA==,type:str] +ssh_config: ENC[AES256_GCM,data:lNXNkmr0nWohTX+Zf4OpVCnFFaIafxqtz0a1p/mWHV+52W0pwS34vga4Xt1zd7tgaZChXPdU/QLVouIhoR/6o+cHlX/N7UIw5S5tg7uZfsMdxam1hs+VQzSunEYMpVTn9TmsrjUx/4ETKZLXQuA+cq3M/9sBsQYk6acJKstNKdyguG+QJJBddmaQOxp7+VUOELUWwOy3nJxldI1Asg95BXQImi4FLeRw9/iZKkgn0xUrCfljiXn5rC4Fpphebw/JkQMsbd7x/9fpK9wjNtUs/8MPXAIRYU6Ty912rYda5ALUpl4U8L2iRHwSmxriW42IdeRKXcmDtCAJMMN5LyWewqAc36RUwzd7G8ihEweZgRTibRIwYOPuYC10IihX5ccojjDakbMPDx/fhOHRlp6qjRHzB/4qonRbyr+f9CR9of8l6l+VAO9k69BeYjlbfvZOlDMWELGTmdKE,iv:JNcvLKSZ6xhrERXixIIOGlyQMrvT7D9W2zneNSTTjfw=,tag:iMHQNJVEShgUA1L5/3dm4g==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1wv08vfv7mlwkhkn2pkq0gd94a3wz0gc3x3eq0szxem05xg05nfhq2glvv9 enc: | @@ -23,8 +20,7 @@ sops: MGt6VkNzc3hGU2FDVWxsM1Rqdk9qTkEKA5viW8YGBdqvLVLYEdzLWWggxQ2BrDOa atzlSR0WjUsK316X4HtVMyllk0FvLy4QdUP40/XLgd5DpxZZds3OiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-18T18:32:48Z" - mac: ENC[AES256_GCM,data:VvcWlUPFgdQ/YAioKnZzK69PYulZanKNQOan3cHLF8BRehkw1VvVFAmPW0cPLY66cMXFma9rFxaP5XAdRojs2J4ViOgzbhrCHYTVCSA3VTcgBZRTPAfTggztwoPKic0EhE2HxfykhQCrPVxqa23Z25x4q1LuWskE+BMbGubPSP0=,iv:bJnO2oE3ogvpXjCUFKd/+5RXO2udL5a2UXdBdb5Wfec=,tag:dbZR0/BQpPAL996Siyta/A==,type:str] - pgp: [] + lastmodified: "2025-06-24T17:04:43Z" + mac: ENC[AES256_GCM,data:JdElb6C5lvdOXouz10CLgYkmYnqlY0swPivTETGG631MKq08bzkc5zusmkBnHdQ8m/tO7R9JXYzOqoMIrrfgWQ+W2Du6m60BLOcRxGJVsFhcf1yb6GrM47NT/HAyyKUgJloDKJUQL10rrD8mPzCa475OBjebkJ7ycqKiyQV1cr4=,iv:raIutEF8Kv9lxkcboZ/8LzCA7JkfO4pXRRYRJJDz8KQ=,tag:7eTo1a6Kt+ac1Nz+2xfmZg==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.10.2 
diff --git a/hosts/uranus/default.nix b/hosts/uranus/default.nix index 68be405..52db18f 100644 --- a/hosts/uranus/default.nix +++ b/hosts/uranus/default.nix @@ -4,21 +4,25 @@ #kernel.sysctl = { # "net.ipv4.ip_forward" = true; #}; - kernelPackages = pkgs.linuxPackages_6_12; + kernelPackages = pkgs.master.linuxPackages_7_0; loader = { efi.canTouchEfiVariables = true; - systemd-boot.enable = true; + systemd-boot = { + enable = true; + memtest86.enable = true; + }; timeout = 3; }; supportedFilesystems = [ "zfs" ]; zfs = { devNodes = "/dev/disk/by-label"; - #package = pkgs.master.zfs; + forceImportRoot = false; + package = pkgs.master.zfs_2_4; }; }; - environment.systemPackages = with pkgs; [ - wpa_supplicant + environment.systemPackages = [ + pkgs.wpa_supplicant ]; imports = [ @@ -38,9 +42,11 @@ networking = { hostId = "46fdaa8e"; hostName = "uranus"; - domain = "bitgnome.net"; - nftables.enable = true; interfaces.enp2s0f0.wakeOnLan.enable = true; + nftables.enable = true; + search = [ + "bitgnome.net" + ]; wireless = { enable = true; userControlled.enable = true; diff --git a/overlays/default.nix b/overlays/default.nix index 01287a5..e41e782 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -6,8 +6,11 @@ # outputs.overlays.modifications # outputs.overlays."67e692392-packages" # outputs.overlays.master-packages -# outputs.overlays.pr369712-packages +# outputs.overlays.my-nixpkgs +# outputs.overlays.pr495610-packages # outputs.overlays.stable-packages +# outputs.overlays.staging-packages +# outputs.overlays.wine9_22-packages # ] {inputs, ...}: { 
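Review bot: `kernelPackages = pkgs.master.linuxPackages_7_0;` and `package = pkgs.master.zfs_2_4;` in the first hunk carry no comment saying why this ZFS host needs both from nixpkgs master instead of the release set. Because `scripts/pretty-rebuild` runs `nix flake update` before every switch, each rebuild can pull a new kernel and ZFS build from master. Keeping both on `pkgs.master` keeps the pair consistent, but the reason and the exit condition should be written down, for example `# linux 7.0 / zfs 2.4 not in the release set yet; drop pkgs.master once they are (TODO confirm)`. The enclosing `boot` block starts before the hunk.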
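Review bot: Replacing `domain = "bitgnome.net";` with a `search` list in the `networking` block is not equivalent. `search` only sets the resolver search path, while `networking.domain` is what NixOS uses to build `networking.fqdn`. With `domain` unset, evaluating `config.networking.fqdn` raises an error, so any module on this host that reads it (none is visible in this hunk) will stop evaluating. If the intent is only to add a search domain, keep `domain = "bitgnome.net";` alongside `search = [ "bitgnome.net" ];`, or confirm that nothing consumes the FQDN. The `networking` block continues past the end of the hunk.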
@@ -21,6 +24,42 @@ # example = prev.example.overrideAttrs (oldAttrs: rec { # ... # }); + #ghostty = prev.ghostty.overrideAttrs (_: { + # preBuild = '' + # shopt -s globstar + # sed -i 's/^const xev = @import("xev");$/const xev = @import("xev").Epoll;/' **/*.zig + # shopt -u globstar + # ''; + #}); + + #linux-firmware = prev.linux-firmware.overrideAttrs (old: rec { + # pname = "linux-firmware"; + # version = "20250708"; + # src = prev.fetchFromGitLab { + # owner = "kernel-firmware"; + # repo = "linux-firmware"; + # rev = "99d64b4f788c16e81b6550ef94f43c6b91cfad2d"; + # hash = "sha256-TJ97A9I0ipsqgg7ex3pAQgdhDJcLbkNCvuLppt9a07o="; + # }; + #}); + + #proton-ge-bin = prev.proton-ge-bin.overrideAttrs (old: rec { + # pname = "proton-ge-bin"; + # src = prev.fetchzip { + # hash = "sha256-NxZ4OJUYQdRNQTb62jRET6Ef14LEhynOASIMPvwWeNA="; + # url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/${version}/${version}.tar.gz"; + # }; + # version = "GE-Proton10-32"; + #}); + + reaper = prev.reaper.overrideAttrs (old: rec { + pname = "reaper"; + src = prev.fetchurl { + hash = "sha256-tXyflaxx00SCqjo7xZFOigMwAc0i/i3Jakwr6BuasbQ="; + url = "https://www.reaper.fm/files/7.x/reaper773_linux_x86_64.tar.xz"; + }; + version = "7.73"; + }); }; #"67e692392-packages" = final: _prev: { @@ -30,6 +69,13 @@ # }; #}; + #"wine9_22-packages" = final: _prev: { + # "wine9_22" = import inputs.nixpkgs-wine9_22 { + # inherit (final) system; + # config.allowUnfree = true; + # }; + #}; + # When applied, the master nixpkgs set (declared in the flake inputs) will # be accessible through 'pkgs.master' master-packages = final: _prev: { 
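Review bot: The `reaper` override replaces `src` with the hard-coded `reaper773_linux_x86_64.tar.xz` tarball on every system the overlay is applied to. A non-x86_64 host would either fetch the wrong-architecture binary or fail at the fixed-output hash, depending on how the base derivation selects its source. Guarding the override keeps other platforms on the stock package: `reaper = prev.reaper.overrideAttrs (old: prev.lib.optionalAttrs prev.stdenv.hostPlatform.isx86_64 rec {`. The version is also spelled twice (`version = "7.73"` and `reaper773` in the URL), so a bump has to touch both along with the hash. A short comment saying so would help, and the redundant `pname = "reaper";` can go.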
@@ -39,8 +85,15 @@ }; }; - #pr369712-packages = final: _prev: { - # pr369712 = import inputs.nixpkgs-pr369712 { + #my-nixpkgs-packages = final: _prev: { + # my-nixpkgs = import inputs.my-nixpkgs { + # inherit (final) system; + # config.allowUnfree = true; + # }; + #}; + + #pr495610-packages = final: _prev: { + # pr495610 = import inputs.nixpkgs-pr495610 { # inherit (final) system; # config.allowUnfree = true; # }; @@ -54,4 +107,13 @@ config.allowUnfree = true; }; }; + + # When applied, the staging nixpkgs set (declared in the flake inputs) will + # be accessible through 'pkgs.staging' + #staging-packages = final: _prev: { + # staging = import inputs.nixpkgs-staging { + # inherit (final) system; + # config.allowUnfree = true; + # }; + #}; } diff --git a/pkgs/default.nix b/pkgs/default.nix index 48a0059..1534076 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -1,3 +1,5 @@ pkgs: { + gearmulator = pkgs.callPackage ./gearmulator { }; sdrconnect = pkgs.callPackage ./sdrconnect { }; + wayback-x11 = pkgs.callPackage ./wayback-x11 { }; } diff --git a/pkgs/gearmulator/default.nix b/pkgs/gearmulator/default.nix new file mode 100644 index 0000000..4ebddba --- /dev/null +++ b/pkgs/gearmulator/default.nix 
@@ -0,0 +1,81 @@ +{ + alsa-lib, + cmake, + fetchFromGitHub, + fontconfig, + freetype, + lib, + libjack2, + libX11, + libXcursor, + libXext, + libXinerama, + libXrandr, + lv2, + pkg-config, + stdenv +}: + +stdenv.mkDerivation rec { + pname = "gearmulator"; + version = "1.4.1"; + + src = fetchFromGitHub { + owner = "dsp56300"; + repo = pname; + tag = version; + hash = "sha256-JnXTTtxF5jHPaU+d558JwlGo/QjKHtVuCqel5iaBBCk="; + fetchSubmodules = true; + }; + + nativeBuildInputs = [ + cmake + pkg-config + ]; + + buildInputs = [ + alsa-lib + fontconfig + freetype + libjack2 + libX11 + libXcursor + libXext + libXinerama + libXrandr + lv2 + ]; + + env.NIX_LDFLAGS = toString [ + "-ljack" + "-lX11" + "-lXcursor" + "-lXext" + "-lXinerama" + "-lXrandr" + ]; + + cmakeFlags = [ + "-Dgearmulator_BUILD_FX_PLUGIN=OFF" + "-Dgearmulator_BUILD_JUCEPLUGIN=ON" + "-Dgearmulator_BUILD_JUCEPLUGIN_CLAP=OFF" + "-Dgearmulator_BUILD_JUCEPLUGIN_LV2=OFF" + "-Dgearmulator_SYNTH_NODALRED2X=OFF" + "-Dgearmulator_SYNTH_OSIRUS=OFF" + "-Dgearmulator_SYNTH_OSTIRUS=ON" + "-Dgearmulator_SYNTH_VAVRA=OFF" + "-Dgearmulator_SYNTH_XENIA=OFF" + ]; + + postInstall = '' + rm $out/{dsp56300EmuServer,start_Impact__MS.sh,start_IndiArp_BC.sh,virusTestConsole} + rm -r $out/plugins + ''; + + meta = { + description = "Emulation of Motorola 56300 family DSP synths"; + homepage = "https://github.com/dsp56300/gearmulator"; + license = lib.licenses.gpl3; + platforms = [ "x86_64-linux" ]; + }; +} diff --git a/pkgs/sdrconnect/default.nix b/pkgs/sdrconnect/default.nix index 2a3bf7d..6bf1452 100644 --- a/pkgs/sdrconnect/default.nix +++ b/pkgs/sdrconnect/default.nix 
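Review bot: Nothing in the new file explains why `env.NIX_LDFLAGS` force-links `-ljack` and the X11 libraries, or why `postInstall` deletes `dsp56300EmuServer`, `virusTestConsole`, the two `start_*.sh` scripts and `$out/plugins`. The next version bump therefore cannot tell whether these workarounds are still needed. A one-line comment above each would do, e.g. `# upstream CMake does not add these to the link line itself (TODO confirm)` and `# keep only the plugin outputs; drop the standalone server, test console and helper scripts`. Separately, `lib.licenses.gpl3` is the ambiguous form; use `gpl3Only` or `gpl3Plus`, whichever matches upstream's licence statement.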
@@ -1,39 +1,55 @@ -{ alsa-lib, autoPatchelfHook, copyDesktopItems, fetchurl, fontconfig, gcc, iconConvTools, icu, lib, libusb1, makeDesktopItem, stdenv, util-linux, xorg }: +{ + alsa-lib, + autoPatchelfHook, + copyDesktopItems, + fetchurl, + fontconfig, + gcc, + icu, + lib, + libice, + libsm, + libusb1, + libx11, + makeDesktopItem, + stdenv, + util-linux +}: let - hash = "b6fce59a3"; + hash = "a4b8da76b"; platforms = { aarch64-linux = { arch = "arm64"; - sha256 = "8d354686700014c4bd606a959ee5e979b0601bef281a33c8d12e181819d9a641"; + sha256 = "0nq2hb2iim0ivnwa1rzw4dwgi6abvwdzynf9wr1x3p9jm42lphfg"; }; x86_64-linux = { arch = "x64"; - sha256 = "1c2d150df1aec3f15174986fe7f522ea98aa04f3536f941fcc98f099a798b835"; + sha256 = "1nxlyvma0qpclcyslvszq7m3vziwwsfwngacc1gavl1dka911c0c"; }; }; - version = "1.0.3"; + version = "1.0.8"; inherit (stdenv.hostPlatform) system; in - with platforms.${system} or (throw "Unsupported system: ${system}"); + with platforms.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}"); stdenv.mkDerivation rec { inherit version; pname = "sdrconnect"; src = fetchurl { - url = "https://www.sdrplay.com/software/SDRconnect_linux-${arch}_${hash}.run"; + url = "https://www.sdrplay.com/software/sdrconnect_linux-${arch}_${hash}.tar.gz"; inherit sha256; }; - nativeBuildInputs = [ autoPatchelfHook copyDesktopItems iconConvTools ]; + nativeBuildInputs = [ autoPatchelfHook copyDesktopItems ]; buildInputs = [ alsa-lib 
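Review bot: The `let` binding `hash = "a4b8da76b";` is the upstream build id interpolated into the download URL, not a content hash. It sits next to the per-platform `sha256` values that actually pin the tarball, which is easy to misread in review and blocks a later move to the fetcher's own `hash = "sha256-…"` argument. Renaming it makes the integrity pin unambiguous: `build = "a4b8da76b";` with `${build}` in `url`. The context line `inherit (stdenv.hostPlatform) system;` also looks unused now that the `with` line spells out `stdenv.hostPlatform.system`; drop it unless it is referenced outside this hunk. The derivation body continues past the end of the hunk.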
@@ -45,22 +61,22 @@ in runtimeDependencies = [ icu - xorg.libX11 - xorg.libICE - xorg.libSM + libice + libsm + libx11 ]; appendRunpaths = [ "${placeholder "out"}/lib" ]; unpackPhase = '' - bash $src --target . --noexec + tar xaf $src ''; postInstall = '' - mkdir -p $out/bin $out/lib + mkdir -p $out/bin $out/lib $out/share/icons/hicolor/64x64/apps cp SDRconnect $out/bin cp *.so $out/lib - icoFileToHiColorTheme sdrconnect.ico sdrconnect $out + cp icons/64x64/sdrconnect.png $out/share/icons/hicolor/64x64/apps ''; desktopItems = with meta; [ @@ -71,7 +87,7 @@ in comment = description; desktopName = "SDRconnect"; genericName = "SDRplay Client"; - categories = [ "HamRadio" ]; + categories = [ "AudioVideo" "HamRadio" ]; keywords = [ "Ham" "Radio" "SDR" ]; }) ]; diff --git a/pkgs/wayback-x11/default.nix b/pkgs/wayback-x11/default.nix new file mode 100644 index 0000000..e1b9c02 --- /dev/null +++ b/pkgs/wayback-x11/default.nix 
@@ -0,0 +1,64 @@ +{ + fetchFromGitLab, + lib, + libxkbcommon, + meson, + ninja, + pixman, + pkg-config, + scdoc, + stdenv, + unstableGitUpdater, + wayland, + wayland-protocols, + wayland-scanner, + wlroots_0_19, + xwayland, +}: + +stdenv.mkDerivation { + pname = "wayback"; + version = "0.1"; + + src = fetchFromGitLab { + domain = "gitlab.freedesktop.org"; + owner = "wayback"; + repo = "wayback"; + rev = "156d7a86d112cd1bd70c2f75cb190fdd98565080"; + hash = "sha256-A4Ur32QZc0foS+O+jfQCug0k32nvYkB2MoacDT4W7dQ="; + }; + + strictDeps = true; + + depsBuildBuild = [ + pkg-config + ]; + + nativeBuildInputs = [ + meson + ninja + pkg-config + scdoc + wayland-scanner + ]; + + buildInputs = [ + libxkbcommon + pixman + wayland + wayland-protocols + wlroots_0_19 + xwayland + ]; + + passthru.updateScript = unstableGitUpdater { }; + + meta = { + description = "X11 compatibility layer leveraging wlroots and Xwayland"; + homepage = "https://wayback.freedesktop.org"; + license = lib.licenses.mit; + platforms = lib.platforms.linux; + mainProgram = "wayback-session"; + maintainers = with lib.maintainers; [ dramforever ]; + }; +} diff --git a/scripts/pretty-rebuild b/scripts/pretty-rebuild index 0814cca..995eda2 100755 --- a/scripts/pretty-rebuild +++ b/scripts/pretty-rebuild @@ -1,9 +1,15 @@ #!/usr/bin/env nix-shell #!nix-shell -i zsh --packages nvd zsh +if [[ ${@} =~ "--flake" ]]; then + args=(${=@}) +else + args=("--flake .#$(hostname -s)" ${=@}) +fi + cd /etc/nixos && \ nix flake update && \ - nixos-rebuild switch --upgrade --show-trace && \ + nixos-rebuild switch --show-trace ${=args} && \ echo && \ nixos-rebuild list-generations | cat && \ echo && \ |
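Review bot: `version = "0.1";` does not identify what is built, because `src` is pinned to commit `156d7a86d112cd1bd70c2f75cb190fdd98565080` rather than a release tag and `passthru.updateScript` is `unstableGitUpdater`. The version should use the snapshot form that updater maintains, e.g. `version = "0-unstable-<commit date>";`, so two different pins never share one version string. The `maintainers = with lib.maintainers; [ dramforever ]` line looks copied from another packaging of wayback. In a private package set it names someone who does not maintain this file, so consider dropping it.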
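Review bot: The new argument handling in `scripts/pretty-rebuild` re-splits every argument on whitespace (`${=@}` when building `args`, then `${=args}` on the `nixos-rebuild` line), so a quoted argument containing a space reaches `nixos-rebuild` as several words. The README says this script is run as root, so how arguments are forwarded matters. The `[[ ${@} =~ "--flake" ]]` test is also a substring match on the joined arguments, so it fires for any argument that merely contains `--flake`. Keeping the array intact avoids both: test with `if (( ${argv[(I)--flake]} )); then`, build `args=(--flake ".#$(hostname -s)" "$@")` in the else branch (`args=("$@")` otherwise), and pass `"${args[@]}"` to `nixos-rebuild switch --show-trace`.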
