Drift/pvv-nixos-config
17
5
Fork 1
Code Issues Pull Requests 7 Actions Wiki Activity

Compare commits

base: Drift:nettsiden-postgresql
Branches Tags
Drift:main Drift:bindmount-postgres-mysql-dirs Drift:nettsiden-postgresql Drift:gitea-vaskepersonalet Drift:errorpages Drift:create-flake-input-exporter Drift:gitea-runners-secrets Drift:nom Drift:add-skrott Drift:pvvvvv Drift:gitea-show-license-in-list-view Drift:nix-topology Drift:gitea-robots-txt Drift:dagali-heimdal-openldap-sasl-stack Drift:gitea-navbar-get-started Drift:backup-databases Drift:openwebui Drift:setup-openvpn-tunnel Drift:gitea-gpg-signing Drift:sleipner-authorised-keys Drift:openstack-image-builder Drift:elysium Drift:smartd-notifs Drift:systemd-journald-remote Drift:skrot Drift:deploy-doorbell Drift:misc-gitea-fixes Drift:spotifyd Drift:remote Drift:setup-bikkje-login Drift:ozai-prod Drift:add-bluemap Drift:ozai Drift:setup-postfix-for-service-machines Drift:fix-gitea-ci-runner-network-issues Drift:heimdal-openldap-sasl-testing-on-salsa-on-buskerud Drift:gitea-metrics Drift:misc1 Drift:add-simple-saml-theme Drift:misc-extra-gitea-setup Drift:setup-kerberos Drift:setup-home-areas Drift:shark-kanidm Drift:prometheusexim
..
compare: Drift:main
Branches Tags
Drift:main Drift:bindmount-postgres-mysql-dirs Drift:nettsiden-postgresql Drift:gitea-vaskepersonalet Drift:errorpages Drift:create-flake-input-exporter Drift:gitea-runners-secrets Drift:nom Drift:add-skrott Drift:pvvvvv Drift:gitea-show-license-in-list-view Drift:nix-topology Drift:gitea-robots-txt Drift:dagali-heimdal-openldap-sasl-stack Drift:gitea-navbar-get-started Drift:backup-databases Drift:openwebui Drift:setup-openvpn-tunnel Drift:gitea-gpg-signing Drift:sleipner-authorised-keys Drift:openstack-image-builder Drift:elysium Drift:smartd-notifs Drift:systemd-journald-remote Drift:skrot Drift:deploy-doorbell Drift:misc-gitea-fixes Drift:spotifyd Drift:remote Drift:setup-bikkje-login Drift:ozai-prod Drift:add-bluemap Drift:ozai Drift:setup-postfix-for-service-machines Drift:fix-gitea-ci-runner-network-issues Drift:heimdal-openldap-sasl-testing-on-salsa-on-buskerud Drift:gitea-metrics Drift:misc1 Drift:add-simple-saml-theme Drift:misc-extra-gitea-setup Drift:setup-kerberos Drift:setup-home-areas Drift:shark-kanidm Drift:prometheusexim

26 Commits
nettsiden- ... main

Author SHA1 Message Date
h7x4
167c889e11 various: set sops restartUnits
All checks were successful
Eval nix flake / evals (push) Successful in 1h11m49s
Details
2025-12-22 15:48:13 +09:00
h7x4
6c5e8efea9 kommode/gitea: fix sops restarts and systemd ordering
All checks were successful
Eval nix flake / evals (push) Successful in 6m15s
Details
2025-12-22 15:39:36 +09:00
h7x4
cedaf2a517 kommode/gitea: declarative pubkey
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Details
2025-12-22 15:35:54 +09:00
h7x4
4f24217bef kommode/gitea: add restartUnits for some sops secrets
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Details
2025-12-22 15:20:56 +09:00
h7x4
9b22b53e95 secrets/bakke: update keys
All checks were successful
Eval nix flake / evals (push) Successful in 5m37s
Details
2025-12-22 15:10:22 +09:00
h7x4
0a6e50e04c secrets/kommode: update gitea signing key 2025-12-22 15:08:53 +09:00
h7x4
c66e04dd26 .sops.yaml: remove remains of jokum 2025-12-22 15:08:39 +09:00
h7x4
5df01ee6d5 bekkalokk/mediawiki: add dark mode support
All checks were successful
Eval nix flake / evals (push) Successful in 6m16s
Details
2025-12-22 14:10:56 +09:00
h7x4
b0a49f87d5 bicep/postgres: bindmount datadir
All checks were successful
Eval nix flake / evals (push) Successful in 6m13s
Details
2025-12-22 13:38:21 +09:00
h7x4
a619125dcb bekkalokk/nettsiden: remove old handling of alternative domains
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Details
2025-12-22 13:07:02 +09:00
h7x4
c9d90203d4 bekkalokk/nettsiden: use SSL cert for redirects
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Details
2025-12-22 13:03:14 +09:00
h7x4
bde6ebc6ad bekkalokk/nettsiden: use redirects for alternative domains
All checks were successful
Eval nix flake / evals (push) Successful in 5m36s
Details
2025-12-22 12:45:58 +09:00
Felix Albrigtsen
0491df32f7 Init bakke (!87)
All checks were successful
Eval nix flake / evals (push) Successful in 5m18s
Details 
New backup server just dropped!
This server is awfully slow, and the mdraid setup is awfully slow, and I doubt that this will be a good experience, but we now have a backup server again?

- Tried Disko and nixos-anywhere
- Tried using mdraid
- Found that md is ancient and bad
- Found that disko is 100% extra steps, and a lot more complicated and noisy than just formatting your disks yourself
- Found that systemd-boot doesn't support mdraid
- Found that we probably don't need to mirror the boot partition :)
- Found that old hardware is slow
- Found that old hardware can have poor support for iPXE with UEFI, and might do weird BIOS stuff on you when you least expect it
- Reaffirmed that zfs is love

Current disk layout:
- mdraid for boot/root disk
    - 4TB WD Red with 500MiB ESP with systemd-boot, Remaining mdraid - Old?
    - 4TB WD Red with 500MiB Unused partition, Remaining mdraid - Old?
- zfs pool "tank" for the actual backup data
    - 8TB Toshiba MG08 - New
    - 8TB Exos 7E10 - New

TODO:

- Document the death of Toriel on the wiki
- Document Bakke on the wiki
  - ... describing the poco loco disk layout
- Start backing stuff up
  - Restic? Borg? Rsync?
  - Make backup retention policy and zfs snapshot system
  - Document backup procedures

Reviewed-on: #87
Co-authored-by: Felix Albrigtsen <felix@albrigtsen.it>
Co-committed-by: Felix Albrigtsen <felix@albrigtsen.it>
 2025-12-22 04:08:30 +01:00
h7x4
f1c89fd22a kommode/gitea: move some links from top to bottom
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Details
2025-12-22 11:50:59 +09:00
h7x4
f58c935966 bekkalokk/kerberos: remove vendored module
All checks were successful
Eval nix flake / evals (push) Successful in 5m12s
Details
2025-12-22 11:17:58 +09:00
h7x4
a238540e04 bicep/minecraft-heatmap: re-enable
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Details
2025-12-22 11:14:41 +09:00
h7x4
bd4b8c876f ildkule/prometheus/mysqld: use service cname
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Details
2025-12-22 10:37:26 +09:00
h7x4
88ea686b59 bicep/matrix-synapse: replace hardcoded ip space with ones from values
All checks were successful
Eval nix flake / evals (push) Successful in 5m58s
Details
2025-12-22 10:32:17 +09:00
h7x4
0a8702e3ba flake-input-exporter: replace hardcoded ip space with ones from values
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Details
2025-12-22 10:30:55 +09:00
Peder Bergebakken Sundt
3a9efb2b1f values/grzegorz: migrate ntnu IPs to values.nix
All checks were successful
Eval nix flake / evals (push) Successful in 6m7s
Details
Eval nix flake / evals (pull_request) Successful in 5m16s
Details
2025-12-22 10:26:57 +09:00
Peder Bergebakken Sundt
f1bdd71192 grzegorz: allow all of ntnu 2025-12-22 10:26:56 +09:00
Peder Bergebakken Sundt
6d171ef0d2 grzegorz: use values.nix 2025-12-22 10:26:56 +09:00
h7x4
1d08131076 bicep/coturn: replace hardcoded ip with one fr
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Details 
om `values`
 2025-12-22 10:23:39 +09:00
h7x4
ad137081c7 bicep/mysql: allow connections from ildkule 2025-12-22 10:23:39 +09:00
h7x4
f04596b752 bicep/postgres: allow connections from ildkule 2025-12-22 10:23:39 +09:00
h7x4
f154d58f32 flake.lock: bump minecraft-kartverket
All checks were successful
Eval nix flake / evals (push) Successful in 6m13s
Details
2025-12-17 02:05:54 +09:00
30 changed files with 458 additions and 1793 deletions
Expand all files Collapse all files

37
.sops.yaml
View File

@@ -1,32 +1,31 @@
keys: keys:
# Users # Users
- &user_danio age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge - &user_danio age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
- &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
- &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
- &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
- &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
- &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
- &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
- &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5 - &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
- &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
- &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
# Hosts # Hosts
- &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt - &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
- &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx - &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8 - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
- &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
- &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e - &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
- &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n - &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
- &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9 - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
- &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
- &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
creation_rules: creation_rules:
# Global secrets # Global secrets
- path_regex: secrets/[^/]+\.yaml$ - path_regex: secrets/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_jokum
- *user_danio - *user_danio
- *user_felixalb - *user_felixalb
- *user_eirikwit - *user_eirikwit
@@ -62,18 +61,6 @@ creation_rules:
pgp: pgp:
- *user_oysteikt - *user_oysteikt
- path_regex: secrets/jokum/[^/]+\.yaml$
key_groups:
- age:
- *host_jokum
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt
- path_regex: secrets/ildkule/[^/]+\.yaml$ - path_regex: secrets/ildkule/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
@@ -125,3 +112,15 @@ creation_rules:
- *user_pederbs_bjarte - *user_pederbs_bjarte
pgp: pgp:
- *user_oysteikt - *user_oysteikt
- path_regex: secrets/bakke/[^/]+\.yaml$
key_groups:
- age:
- *host_bakke
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt

4
base/flake-input-exporter.nix
View File

@@ -45,8 +45,8 @@ in
allow ${values.hosts.ildkule.ipv6}/128; allow ${values.hosts.ildkule.ipv6}/128;
allow 127.0.0.1/32; allow 127.0.0.1/32;
allow ::1/128; allow ::1/128;
allow 129.241.210.128/25; allow ${values.ipv4-space};
allow 2001:700:300:1900::/64; allow ${values.ipv6-space};
deny all; deny all;
''; '';
}; };

5
flake.nix
View File

@@ -104,6 +104,11 @@
stableNixosConfig = name: extraArgs: stableNixosConfig = name: extraArgs:
nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs; nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
in { in {
bakke = stableNixosConfig "bakke" {
modules = [
disko.nixosModules.disko
];
};
bicep = stableNixosConfig "bicep" { bicep = stableNixosConfig "bicep" {
modules = [ modules = [
inputs.matrix-next.nixosModules.default inputs.matrix-next.nixosModules.default

26
hosts/bakke/configuration.nix Normal file
View File

@@ -0,0 +1,26 @@
{ config, pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base
../../misc/metrics-exporters.nix
./filesystems.nix
];
sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "bakke";
networking.hostId = "99609ffc";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0";
address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
system.stateVersion = "24.05";
}

83
hosts/bakke/disks.nix Normal file
View File

@@ -0,0 +1,83 @@
{
# https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
# Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
disko.devices = {
disk = {
one = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
type = "EF00";
content = {
type = "mdraid";
name = "boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
two = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
type = "EF00";
content = {
type = "mdraid";
name = "boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
};
mdadm = {
boot = {
type = "mdadm";
level = 1;
metadata = "1.0";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
raid1 = {
type = "mdadm";
level = 1;
content = {
type = "gpt";
partitions.primary = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
}

26
hosts/bakke/filesystems.nix Normal file
View File

@@ -0,0 +1,26 @@
{ config, pkgs, lib, ... }:
{
# Boot drives:
boot.swraid.enable = true;
# ZFS Data pool:
environment.systemPackages = with pkgs; [ zfs ];
boot = {
zfs = {
extraPools = [ "tank" ];
requestEncryptionCredentials = false;
};
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
# NFS Exports:
#TODO
# NFS Import mounts:
#TODO
}

52
hosts/bakke/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,52 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=nix" "noatime" ];
};
fileSystems."/boot" =
{ device = "/dev/sdc2";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

2
hosts/bekkalokk/configuration.nix
View File

@@ -8,7 +8,7 @@
./services/bluemap/default.nix ./services/bluemap/default.nix
./services/idp-simplesamlphp ./services/idp-simplesamlphp
./services/kerberos ./services/kerberos.nix
./services/mediawiki ./services/mediawiki
./services/nginx.nix ./services/nginx.nix
./services/phpfpm.nix ./services/phpfpm.nix

0
hosts/bekkalokk/services/kerberos/default.nix → hosts/bekkalokk/services/kerberos.nix
View File

88
hosts/bekkalokk/services/kerberos/krb5-conf-format.nix
View File

@@ -1,88 +0,0 @@
{ pkgs, lib, ... }:
# Based on
# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
let
inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
str submodule;
in
{ }: {
type = let
section = attrsOf relation;
relation = either (attrsOf value) value;
value = either (listOf atom) atom;
atom = oneOf [int str bool];
in submodule {
freeformType = attrsOf section;
options = {
include = mkOption {
default = [ ];
description = mdDoc ''
Files to include in the Kerberos configuration.
'';
type = coercedTo path singleton (listOf path);
};
includedir = mkOption {
default = [ ];
description = mdDoc ''
Directories containing files to include in the Kerberos configuration.
'';
type = coercedTo path singleton (listOf path);
};
module = mkOption {
default = [ ];
description = mdDoc ''
Modules to obtain Kerberos configuration from.
'';
type = coercedTo path singleton (listOf path);
};
};
};
generate = let
indent = str: concatMapStringsSep "\n" (line: " " + line) (splitString "\n" str);
formatToplevel = args @ {
include ? [ ],
includedir ? [ ],
module ? [ ],
...
}: let
sections = removeAttrs args [ "include" "includedir" "module" ];
in concatStringsSep "\n" (filter (x: x != "") [
(concatStringsSep "\n" (mapAttrsToList formatSection sections))
(concatMapStringsSep "\n" (m: "module ${m}") module)
(concatMapStringsSep "\n" (i: "include ${i}") include)
(concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
]);
formatSection = name: section: ''
[${name}]
${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
'';
formatRelation = name: relation:
if isAttrs relation
then ''
${name} = {
${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
}''
else formatValue name relation;
formatValue = name: value:
if isList value
then concatMapStringsSep "\n" (formatAtom name) value
else formatAtom name value;
formatAtom = name: atom: let
v = if isBool atom then boolToString atom else toString atom;
in "${name} = ${v}";
in
name: value: pkgs.writeText name ''
${formatToplevel value}
'';
}

90
hosts/bekkalokk/services/kerberos/krb5.nix
View File

@@ -1,90 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
inherit (lib.types) bool;
mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
The option `krb5.${name}' has been removed. Use
`security.krb5.settings.${name}' for structured configuration.
'';
cfg = config.security.krb5;
format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
in {
imports = [
(mkRemovedOptionModuleCfg "libdefaults")
(mkRemovedOptionModuleCfg "realms")
(mkRemovedOptionModuleCfg "domain_realm")
(mkRemovedOptionModuleCfg "capaths")
(mkRemovedOptionModuleCfg "appdefaults")
(mkRemovedOptionModuleCfg "plugins")
(mkRemovedOptionModuleCfg "config")
(mkRemovedOptionModuleCfg "extraConfig")
(mkRemovedOptionModule' "kerberos" ''
The option `krb5.kerberos' has been moved to `security.krb5.package'.
'')
];
options = {
security.krb5 = {
enable = mkOption {
default = false;
description = mdDoc "Enable and configure Kerberos utilities";
type = bool;
};
package = mkPackageOption pkgs "krb5" {
example = "heimdal";
};
settings = mkOption {
default = { };
type = format.type;
description = mdDoc ''
Structured contents of the {file}`krb5.conf` file. See
{manpage}`krb5.conf(5)` for details about configuration.
'';
example = {
include = [ "/run/secrets/secret-krb5.conf" ];
includedir = [ "/run/secrets/secret-krb5.conf.d" ];
libdefaults = {
default_realm = "ATHENA.MIT.EDU";
};
realms = {
"ATHENA.MIT.EDU" = {
admin_server = "athena.mit.edu";
kdc = [
"athena01.mit.edu"
"athena02.mit.edu"
];
};
};
domain_realm = {
"mit.edu" = "ATHENA.MIT.EDU";
};
logging = {
kdc = "SYSLOG:NOTICE";
admin_server = "SYSLOG:NOTICE";
default = "SYSLOG:NOTICE";
};
};
};
};
};
config = mkIf cfg.enable {
environment = {
systemPackages = [ cfg.package ];
etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
};
};
meta.maintainers = builtins.attrValues {
inherit (lib.maintainers) dblsaiko h7x4;
};
}

1543
hosts/bekkalokk/services/kerberos/pam.nix
View File

File diff suppressed because it is too large Load Diff

6
hosts/bekkalokk/services/mediawiki/default.nix
View File

@@ -130,6 +130,12 @@ in {
$wgVectorDefaultSidebarVisibleForAnonymousUser = true; $wgVectorDefaultSidebarVisibleForAnonymousUser = true;
$wgVectorResponsive = true; $wgVectorResponsive = true;
# Experimental dark mode support for Vector 2022
$wgVectorNightMode['beta'] = true;
$wgVectorNightMode['logged_out'] = true;
$wgVectorNightMode['logged_in'] = true;
$wgDefaultUserOptions['vector-theme'] = 'os';
# Misc # Misc
$wgEmergencyContact = "${cfg.passwordSender}"; $wgEmergencyContact = "${cfg.passwordSender}";
$wgUseTeX = false; $wgUseTeX = false;

50
hosts/bekkalokk/services/website/default.nix
View File

@@ -18,11 +18,16 @@ in {
restartUnits = [ "phpfpm-pvv-nettsiden.service" ]; restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
}); });
security.acme.certs."www.pvv.ntnu.no" = {
extraDomainNames = [
"pvv.ntnu.no"
"www.pvv.org"
"pvv.org"
];
};
services.idp.sp-remote-metadata = [ services.idp.sp-remote-metadata = [
"https://www.pvv.ntnu.no/simplesaml/" "https://www.pvv.ntnu.no/simplesaml/"
"https://pvv.ntnu.no/simplesaml/"
"https://www.pvv.org/simplesaml/"
"https://pvv.org/simplesaml/"
]; ];
services.pvv-nettsiden = { services.pvv-nettsiden = {
@@ -55,10 +60,8 @@ in {
DOOR_SECRET = includeFromSops "door_secret"; DOOR_SECRET = includeFromSops "door_secret";
DB = { DB = {
# DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no"; DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
# USER = "www-data_nettsi"; USER = "www-data_nettsi";
DSN = "pgsql:dbname=pvv_nettsiden;host=postgres.pvv.ntnu.no";
USER = "pvv_nettsiden";
PASS = includeFromSops "mysql_password"; PASS = includeFromSops "mysql_password";
}; };
@@ -71,28 +74,39 @@ in {
ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password"; ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
TRUSTED_DOMAINS = [ TRUSTED_DOMAINS = [
"www.pvv.ntnu.no" "www.pvv.ntnu.no"
"pvv.ntnu.no"
"www.pvv.org"
"pvv.org"
]; ];
}; };
}; };
}; };
services.phpfpm.pools."pvv-nettsiden".settings = { services.phpfpm.pools."pvv-nettsiden".settings = {
"php_flag[display_errors]" = true; # "php_admin_value[error_log]" = "stderr";
"php_admin_value[error_log]" = "syslog";
"php_admin_flag[log_errors]" = true; "php_admin_flag[log_errors]" = true;
"catch_workers_output" = true; "catch_workers_output" = true;
}; };
services.nginx.virtualHosts.${cfg.domainName} = { services.nginx.virtualHosts."pvv.ntnu.no" = {
serverAliases = [ globalRedirect = cfg.domainName;
"pvv.ntnu.no" redirectCode = 307;
"www.pvv.org" forceSSL = true;
"pvv.org" useACMEHost = "www.pvv.ntnu.no";
]; };
services.nginx.virtualHosts."www.pvv.org" = {
globalRedirect = cfg.domainName;
redirectCode = 307;
forceSSL = true;
useACMEHost = "www.pvv.ntnu.no";
};
services.nginx.virtualHosts."pvv.org" = {
globalRedirect = cfg.domainName;
redirectCode = 307;
forceSSL = true;
useACMEHost = "www.pvv.ntnu.no";
};
services.nginx.virtualHosts.${cfg.domainName} = {
locations = { locations = {
# Proxy home directories # Proxy home directories
"^~ /~" = { "^~ /~" = {

2
hosts/bicep/configuration.nix
View File

@@ -9,7 +9,7 @@
./services/calendar-bot.nix ./services/calendar-bot.nix
#./services/git-mirrors #./services/git-mirrors
#./services/minecraft-heatmap.nix ./services/minecraft-heatmap.nix
./services/mysql.nix ./services/mysql.nix
./services/postgres.nix ./services/postgres.nix

4
hosts/bicep/services/matrix/coturn.nix
View File

@@ -6,12 +6,14 @@
key = "synapse/turnconfig"; key = "synapse/turnconfig";
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group; group = config.users.users.matrix-synapse.group;
restartUnits = [ "coturn.service" ];
}; };
sops.secrets."matrix/coturn/static-auth-secret" = { sops.secrets."matrix/coturn/static-auth-secret" = {
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "coturn/static-auth-secret"; key = "coturn/static-auth-secret";
owner = config.users.users.turnserver.name; owner = config.users.users.turnserver.name;
group = config.users.users.turnserver.group; group = config.users.users.turnserver.group;
restartUnits = [ "coturn.service" ];
}; };
services.matrix-synapse-next = { services.matrix-synapse-next = {
@@ -42,7 +44,7 @@
security.acme.certs.${config.services.coturn.realm} = { security.acme.certs.${config.services.coturn.realm} = {
email = "drift@pvv.ntnu.no"; email = "drift@pvv.ntnu.no";
listenHTTP = "129.241.210.213:80"; listenHTTP = "${values.services.turn.ipv4}:80";
reloadServices = [ "coturn.service" ]; reloadServices = [ "coturn.service" ];
}; };

1
hosts/bicep/services/matrix/hookshot/default.nix
View File

@@ -18,6 +18,7 @@ in
sops.templates."hookshot-registration.yaml" = { sops.templates."hookshot-registration.yaml" = {
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
group = config.users.groups.keys-matrix-registrations.name; group = config.users.groups.keys-matrix-registrations.name;
restartUnits = [ "matrix-hookshot.service" ];
content = '' content = ''
id: matrix-hookshot id: matrix-hookshot
as_token: "${config.sops.placeholder."matrix/hookshot/as_token"}" as_token: "${config.sops.placeholder."matrix/hookshot/as_token"}"

1
hosts/bicep/services/matrix/mjolnir.nix
View File

@@ -6,6 +6,7 @@
key = "mjolnir/access_token"; key = "mjolnir/access_token";
owner = config.users.users.mjolnir.name; owner = config.users.users.mjolnir.name;
group = config.users.users.mjolnir.group; group = config.users.users.mjolnir.group;
restartUnits = [ "mjolnir.service" ];
}; };
services.mjolnir = { services.mjolnir = {

4
hosts/bicep/services/matrix/out-of-your-element.nix
View File

@@ -9,18 +9,22 @@ in
"matrix/ooye/as_token" = { "matrix/ooye/as_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/as_token"; key = "ooye/as_token";
restartUnits = [ "matrix-ooye.service" ];
}; };
"matrix/ooye/hs_token" = { "matrix/ooye/hs_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/hs_token"; key = "ooye/hs_token";
restartUnits = [ "matrix-ooye.service" ];
}; };
"matrix/ooye/discord_token" = { "matrix/ooye/discord_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/discord_token"; key = "ooye/discord_token";
restartUnits = [ "matrix-ooye.service" ];
}; };
"matrix/ooye/discord_client_secret" = { "matrix/ooye/discord_client_secret" = {
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/discord_client_secret"; key = "ooye/discord_client_secret";
restartUnits = [ "matrix-ooye.service" ];
}; };
}; };

4
hosts/bicep/services/matrix/synapse.nix
View File

@@ -124,8 +124,8 @@ in {
"fec0::/10" "fec0::/10"
# NTNU # NTNU
"129.241.0.0/16" values.ntnu.ipv4-space
"2001:700:300::/44" values.ntnu.ipv6-space
]; ];
}; };
}; };

2
hosts/bicep/services/mysql.nix
View File

@@ -48,6 +48,8 @@
IPAddressAllow = [ IPAddressAllow = [
values.ipv4-space values.ipv4-space
values.ipv6-space values.ipv6-space
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
]; ];
}; };
} }

47
hosts/bicep/services/postgres.nix
View File

@@ -1,15 +1,15 @@
{ config, pkgs, ... }: { config, pkgs, values, ... }:
{ {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_15; package = pkgs.postgresql_15;
enableTCPIP = true; enableTCPIP = true;
dataDir = "/data/postgresql";
authentication = '' authentication = ''
host all all 129.241.210.128/25 md5 host all all ${values.ipv4-space} md5
host all all 2001:700:300:1900::/64 md5 host all all ${values.ipv6-space} md5
host all all ${values.hosts.ildkule.ipv4}/32 md5
host all all ${values.hosts.ildkule.ipv6}/32 md5
''; '';
# Hilsen https://pgconfigurator.cybertec-postgresql.com/ # Hilsen https://pgconfigurator.cybertec-postgresql.com/
@@ -74,11 +74,40 @@
}; };
}; };
systemd.services.postgresql.serviceConfig = { systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
LoadCredential = [ user = config.systemd.services.postgresql.serviceConfig.User;
"cert:/etc/certs/postgres.crt" group = config.systemd.services.postgresql.serviceConfig.Group;
"key:/etc/certs/postgres.key" mode = "0700";
};
systemd.services.postgresql-setup = {
after = [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
]; ];
serviceConfig = {
LoadCredential = [
"cert:/etc/certs/postgres.crt"
"key:/etc/certs/postgres.key"
];
BindPaths = [ "/data/postgresql:/var/lib/postgresql" ];
};
};
systemd.services.postgresql = {
after = [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
];
serviceConfig = {
LoadCredential = [
"cert:/etc/certs/postgres.crt"
"key:/etc/certs/postgres.key"
];
BindPaths = [ "/data/postgresql:/var/lib/postgresql" ];
};
}; };
environment.snakeoil-certs."/etc/certs/postgres" = { environment.snakeoil-certs."/etc/certs/postgres" = {

2
hosts/ildkule/services/monitoring/prometheus/mysqld.nix
View File

@@ -10,7 +10,7 @@ in {
inherit (config.sops) placeholder; inherit (config.sops) placeholder;
in '' in ''
[client] [client]
host = bicep.pvv.ntnu.no host = mysql.pvv.ntnu.no
port = 3306 port = 3306
user = prometheus_mysqld_exporter user = prometheus_mysqld_exporter
password = ${placeholder."config/mysqld_exporter_password"} password = ${placeholder."config/mysqld_exporter_password"}

8
hosts/kommode/services/gitea/customization/default.nix
View File

@@ -24,10 +24,15 @@ in
script = let script = let
logo-svg = fp /assets/logo_blue_regular.svg; logo-svg = fp /assets/logo_blue_regular.svg;
logo-png = fp /assets/logo_blue_regular.png; logo-png = fp /assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" '' extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a> <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a> <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a> <a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
''; '';
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" { project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
@@ -49,6 +54,7 @@ in
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/ "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/

1
hosts/kommode/services/gitea/default.nix
View File

@@ -15,6 +15,7 @@ in {
defaultConfig = { defaultConfig = {
owner = "gitea"; owner = "gitea";
group = "gitea"; group = "gitea";
restartUnits = [ "gitea.service" ];
}; };
in { in {
"gitea/database" = defaultConfig; "gitea/database" = defaultConfig;

25
hosts/kommode/services/gitea/gpg.nix
View File

@@ -4,9 +4,23 @@ let
GNUPGHOME = "${config.users.users.gitea.home}/gnupg"; GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
in in
{ {
sops.secrets."gitea/gpg-signing-key" = { sops.secrets = {
owner = cfg.user; "gitea/gpg-signing-key-public" = {
inherit (cfg) group; owner = cfg.user;
inherit (cfg) group;
restartUnits = [
"gitea.service"
"gitea-ensure-gnupg-homedir.service"
];
};
"gitea/gpg-signing-key-private" = {
owner = cfg.user;
inherit (cfg) group;
restartUnits = [
"gitea.service"
"gitea-ensure-gnupg-homedir.service"
];
};
}; };
systemd.services.gitea.environment = { inherit GNUPGHOME; }; systemd.services.gitea.environment = { inherit GNUPGHOME; };
@@ -18,6 +32,7 @@ in
systemd.services.gitea-ensure-gnupg-homedir = { systemd.services.gitea-ensure-gnupg-homedir = {
description = "Import gpg key for gitea"; description = "Import gpg key for gitea";
before = [ "gitea.service" ];
environment = { inherit GNUPGHOME; }; environment = { inherit GNUPGHOME; };
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
@@ -25,7 +40,8 @@ in
PrivateNetwork = true; PrivateNetwork = true;
}; };
script = '' script = ''
${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key".path} ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-public".path}
${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-private".path}
''; '';
}; };
@@ -34,5 +50,6 @@ in
SIGNING_NAME = "PVV Git"; SIGNING_NAME = "PVV Git";
SIGNING_EMAIL = "gitea@git.pvv.ntnu.no"; SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
INITIAL_COMMIT = "always"; INITIAL_COMMIT = "always";
WIKI = "always";
}; };
} }

26
modules/grzegorz.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, pkgs, unstablePkgs, ... }: {config, lib, pkgs, unstablePkgs, values, ...}:
let let
grg = config.services.greg-ng; grg = config.services.greg-ng;
grgw = config.services.grzegorz-webui; grgw = config.services.grzegorz-webui;
@@ -44,8 +44,12 @@ in {
"${machine}.pvv.org" "${machine}.pvv.org"
]; ];
extraConfig = '' extraConfig = ''
allow 129.241.210.128/25; # pvv
allow 2001:700:300:1900::/64; allow ${values.ipv4-space}
allow ${values.ipv6-space}
# ntnu
allow ${values.ntnu.ipv4-space}
allow ${values.ntnu.ipv6-space}
deny all; deny all;
''; '';
@@ -67,8 +71,12 @@ in {
"${machine}-backend.pvv.org" "${machine}-backend.pvv.org"
]; ];
extraConfig = '' extraConfig = ''
allow 129.241.210.128/25; # pvv
allow 2001:700:300:1900::/64; allow ${values.ipv4-space}
allow ${values.ipv6-space}
# ntnu
allow ${values.ntnu.ipv4-space}
allow ${values.ntnu.ipv6-space}
deny all; deny all;
''; '';
@@ -86,8 +94,12 @@ in {
"${machine}-old.pvv.org" "${machine}-old.pvv.org"
]; ];
extraConfig = '' extraConfig = ''
allow 129.241.210.128/25; # pvv
allow 2001:700:300:1900::/64; allow ${values.ipv4-space}
allow ${values.ipv6-space}
# ntnu
allow ${values.ntnu.ipv4-space}
allow ${values.ntnu.ipv6-space}
deny all; deny all;
''; '';

90
secrets/bakke/bakke.yaml Normal file
View File

@@ -0,0 +1,90 @@
hello: ENC[AES256_GCM,data:+GWORSIf9TxmJLw1ytZwPbve2yz5H9ewVE5sOpQzkrRpct6Wes+vTE19Ij8W1g==,iv:C/WhXNBBM/bidC9xynZzk34nYXF3mUjAd4nPXpUlYHs=,tag:OJXSwuI8aNDnHFFTkwyGBQ==,type:str]
example_key: ENC[AES256_GCM,data:ojSsrFYo5YD0YtiqcA==,iv:nvNtG6c0OqnQovzWQLMjcn9vbQ4PPYSv2B43Y8z0h5s=,tag:+h7YUNRA2MTvwGJq1VZW8g==,type:str]
#ENC[AES256_GCM,data:6EvhlBtrl5wqyf6UAGwY8Q==,iv:fzLUjBzyuT17FcP8jlmLrsKW46pu6/lAvAVLHBxje6k=,tag:n+qR1NUqa91uFRIpALKlmw==,type:comment]
example_array:
- ENC[AES256_GCM,data:A38KXABxJzMoKitKpHo=,iv:OlRap3R//9tvKdPLz7uP+lvBa/fD0W8xFzdxIKKFi4E=,tag:QKizPN1fYOv5zZlMVgTIOQ==,type:str]
- ENC[AES256_GCM,data:8X2iVkHQtQMReopWdgM=,iv:2Wq3QOadwd3G3ROXNe7JQD4AL/5H/WV19TBEbxijG/8=,tag:tikKT9Wvzm4Vz5aoy6w9WQ==,type:str]
example_number: ENC[AES256_GCM,data:0K05hiSPh2Ok1A==,iv:IVRo61xkKugv4OiPm0vt9ODm5DC1DzJFdlgQJb1TfTg=,tag:o3xXygVEUD4jaGSJr0Nxtw==,type:float]
example_booleans:
- ENC[AES256_GCM,data:zoykmQ==,iv:1JGy1Cg5GdAiod9qPSzW+wsG6rUgUJyYMEE4k576Tlk=,tag:RUCbytPpo78bqlAVEUsbLg==,type:bool]
sops:
age:
- recipient: age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOM0NNRFlYaDVtY2taK2xZ
R1pJKzhzOFJJbVI1ZEtQZTJJd1JiejdwaHpJCjlyZVZLZUpVeG1HNHo1UTlaa1gz
Q2JOTmpibndlcERXaWw3Ujd3OGo2aU0KLS0tIEhKcjFKYm82VFdHWTkvcFBDam5H
bzhGbFF6ZmRPTXpzMWgzWGJJbGlkUTAKtNREtgj4kXKDymmbBt2YVFUqrAaGY72z
8fUEIz/2/kPeb4QBpYt4HQabXDLCZXZ0Q5qhHRFOSER8o+TrkJDEow==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSbEJRNjVJSE5qSk1VcVR6
VTh6ZU93Q2dGclhZWXA4YTh5WXZ4MWFMRzNRCkJ6Z1F6a20za3ZxLzRsZGg2aHpn
Nll0NW9XRndIOFpzMVgwK3RxWm1BUkEKLS0tIGF0MUYwblY4a3haelJYRkNyd3lS
S0ZuSUVXWGVXbnJocm1LRjZRSGVrMFkKQcwZk7mlF96kPdvZyLNR2i5CnU/qR7/i
u897JxtxmXuuNDKPA80pFxfwkOwzcUVrYiwOlAbMENwJWH1SwFO3Cg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWa2c5d0RvR21jQ21ZRVBL
dkR2RDhMMmJKTXk4UnFTbEZCbE5vV2cwRTNnCkFFT05kYUhXREtzSGkyY1VYQ2ZE
bU0xZnlUN0draW5DZXRqQlloVi9NaFkKLS0tIDdHb05weWlzcDN4bFdzYnpUVjVV
ZkVXK01odnZJeGhoaFFLbEVSMFJsMHcK/mgeA6aMlr7T35rHL3GriYHu2DQE45sI
8RdxdErESmpx0bneFbmsBgXOYu+iT64zatPEGVSu1taW/nMa8Ucpzw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbm4wL1pHeVVRYzJrb0RZ
VHA5ZGRTUHkxbk9qenpNRGE4bjQ0SzN6UVFvCkRHQ0VDaUhRRDI3Yy90UXZCdTlo
dnBHSmU5WlBlczlBbDBZRHFvLzFBWVkKLS0tIFVNVG5qRDZlcWZ4R00zc0N5bkli
d0Z4TEJzdEFuV3NnTndFZlpPMTNYSHMK1d1Use9/w4ClrCfShBymIxHZppCXmhmQ
vIW5vI4Ui0jSX9Rwhd17CLT66mQYBbaHTGB9fiGNQpFRc/ztaFbbnw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNmF2ZTFreDdzdVZHRWt4
VW1TNXFWRW13T3VBN04wMi95VkRCeHJIalVNClRLZGFDY2ZIREkweXp5dU9yYVRD
T1N5QVh0eWczd3VIWEthbTZRVXM0L00KLS0tIFlWeDZmQzYrQXdoZ3dycS9udEFW
TGg0bGwxQjQ1UkR5OC9FajI1RHprUXMK8NRbkEjLEW6pANEkB0QyBcgMin/Aaf5A
dkFYo01G3XM7AmlnnM9UCc56Gc/ZfcsVaUhMAZoEvEvuU0++ufCIZg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNE04cmdoYnc4cGhmMmlW
aU1MNXpacVp2eGV1dU1GUUNyd3dFRDI0and3CllsSG9qR1IwaG1iU2FpWEduanhx
WVE2SWZBblp5RWd3Mi8rc2s3M2F6cXcKLS0tIFBnaCtIelBPdEtqRUIrTnY3VytC
K3dUNVgrYlVnRjRKVVRDQmxsUC9tOG8KFE/pU3tSnyohg58FTWWc2j1Yk0+QHRyH
VakZTPA8l2j7X01KOwEDaZBZrzFd8059GBUMRnylcVOCg5a5VjXpEg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-15T21:42:17Z"
mac: ENC[AES256_GCM,data:2gH/ZaxSA6ShRu53dxj7V3jk7FsVdYS+PSHQyFT8qMvKM1hsQ/nWrKt00PUl9I7Gb4uomP9Ga3SyphYOXRBzKoV+x52oEWOJE3Q4iPrwdCkyHlxEezhTd/ZRQVatG6dvHpLuDNS9Dyph4f7Mw5USI+m4WeVdgCvHTydw+4KIfP4=,iv:yimfq96WVsagvKr8HTg1RdZBSrVGcCWPvv8XOXkOfcg=,tag:zHzdrE0PX5+AeD2lpqeJVQ==,type:str]
pgp:
- created_at: "2025-12-22T06:10:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ/+Jcq2EiWutguXVgFJsG0eU9CmM/ZrSfN7Of6MeGh53vw5
F125rivlWf56nEjAnW0u0Ai1MRUUvL6cSqnIxH0y0NcgllkUVrMDJPtsp4/1pFG3
pMhQuaoun7mmHbMwFD/WIGk3NeQA2WRm8vCa2yHuOHKG5rISZDgY/5WdkLGK9Vll
A3eBaz2r+jQwZNHMTu9Sgmuya7EAGCb/7oSTyE+ZyG9zDwyvbKcuS+xMx/Sqx5a+
a1a38fJCdwTHNGR293kMhVK75z0aOvGp4t92bulAe0Tp0Efc43TNGYIGjOQT7r3J
k4YQ0OcR+fezp8GSLxoewWBpCMFaRliSnLh7XJwd2jTURbzlpQFFKNXW4pLxrAIr
ZJXZ6Hloz91MRoQ8HLCs7WqhLptXGnqXsJPCwdBJEeVzutyt3cZIzq11bNgf9sNv
Ydj86FmGTMFK5d9kNYAqxwnfcVIc3/AdbyKNoky1Muu0z5XvUdgUcYu5RK9yL3DA
dUJVI5uam+ONUatFeTbS2Vz7KEbwh1H3gfQUQTrE6FOSrh8bk0lp1aG1geL69ram
XXh/uHkvzTgbq+oiyiqbodurrEQHcdhrYJwvPELLQwtIq+0iVu7xNIFz+LNuAMqK
d1lualLK7xHNqCOhihY1nKR3PjDrE4tUKjtwu1lp2Ae+VEXg1FgrqdkquxlE+0XS
XgG0jfeGqwQKM1qGkaj9UX/xXe8Io5KhOAqRhnkauU9nZ4Uaj5X1rFpbLAOT2/FZ
rHjT46gUUh1hK2TEnL14yJ8ttIntlcXh6lJ6zbkIL7G+56GlqhPmr8M6N67VEq8=
=8M3y
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.8.1

9
secrets/kommode/kommode.yaml
View File

@@ -5,7 +5,8 @@ gitea:
database: ENC[AES256_GCM,data:nDZqnSBKijyhslBjhSu9weqLVJzUiBD8Ltu/nmllicadraeISylyEk3pOA==,iv:XFzM1pGv98jehdgvlZN217LrsK8TcAMFK5eDrPi2bm0=,tag:+YpXqMmvMTrnt7cDK/Sa7A==,type:str] database: ENC[AES256_GCM,data:nDZqnSBKijyhslBjhSu9weqLVJzUiBD8Ltu/nmllicadraeISylyEk3pOA==,iv:XFzM1pGv98jehdgvlZN217LrsK8TcAMFK5eDrPi2bm0=,tag:+YpXqMmvMTrnt7cDK/Sa7A==,type:str]
email-password: ENC[AES256_GCM,data:tasMZ2Zu449o/mH6uSSPM7cFOlBg4vC+,iv:lDNMvXh5P3HNy9pW6nBsSLCyij/3HiSRunVuLeKAmbI=,tag:ApqGWYE9MSE8m6iYLK6Yww==,type:str] email-password: ENC[AES256_GCM,data:tasMZ2Zu449o/mH6uSSPM7cFOlBg4vC+,iv:lDNMvXh5P3HNy9pW6nBsSLCyij/3HiSRunVuLeKAmbI=,tag:ApqGWYE9MSE8m6iYLK6Yww==,type:str]
passwd-ssh-key: ENC[AES256_GCM,data:VOp8vqVoX9IFJhzpKy0J+AzyX3TvxEIBvv3dXpD1f8szmUyPwd4gDOlaFpqTSDu8ebmK3m/D0FMTkfBkPVhUG6XTPo7YIV37gLhfsBF6CuwCMXxTQAd23nfpwJKcDIn3R5h8Mu4MMme2Ev/4PNDztktmIYv3KoEbPglzBMS4LrZqJsDilvIYKEIDUExhSAkESKQZiIzK1TdtWDQSUzvUZ3OsbxONZgaTw5e+xz3qk/q+IR5eRNp9fpeZQ8EkpC7aa/JDIwxzNIuMFi8W9PWh6ANmAOm6GK7JSKiHYQL8GofVifhUGUanAnjgDTYkIWpDiSsuHjfDPGupFCeONNd+Wd4NpJZsej3p9ldLOVxa01Le2tIVYY80jUWT0dpV9IJ5syp4gVaky5Vk6i2QhvjunDoEUnArSRGyMTxWfxAxZLvbLYMNAJDoWzy25vf3jteNB43lVHckEW1F8w/RtzoKzbjKYiANHg+eNLVq0HK67gX2twpblNN4OBt9d03ZbV2lZjTMXGzJXHGFT5ZPDwTkxcDooNvoRuCMe8t8dpuksHFaIp4=,iv:3sgiIgGD9pmCMLVRk0Q8+7GZajYIWsokDUx9JuNrO2c=,tag:WDXyNYtqjdAMePEsnA0hbw==,type:str] passwd-ssh-key: ENC[AES256_GCM,data:VOp8vqVoX9IFJhzpKy0J+AzyX3TvxEIBvv3dXpD1f8szmUyPwd4gDOlaFpqTSDu8ebmK3m/D0FMTkfBkPVhUG6XTPo7YIV37gLhfsBF6CuwCMXxTQAd23nfpwJKcDIn3R5h8Mu4MMme2Ev/4PNDztktmIYv3KoEbPglzBMS4LrZqJsDilvIYKEIDUExhSAkESKQZiIzK1TdtWDQSUzvUZ3OsbxONZgaTw5e+xz3qk/q+IR5eRNp9fpeZQ8EkpC7aa/JDIwxzNIuMFi8W9PWh6ANmAOm6GK7JSKiHYQL8GofVifhUGUanAnjgDTYkIWpDiSsuHjfDPGupFCeONNd+Wd4NpJZsej3p9ldLOVxa01Le2tIVYY80jUWT0dpV9IJ5syp4gVaky5Vk6i2QhvjunDoEUnArSRGyMTxWfxAxZLvbLYMNAJDoWzy25vf3jteNB43lVHckEW1F8w/RtzoKzbjKYiANHg+eNLVq0HK67gX2twpblNN4OBt9d03ZbV2lZjTMXGzJXHGFT5ZPDwTkxcDooNvoRuCMe8t8dpuksHFaIp4=,iv:3sgiIgGD9pmCMLVRk0Q8+7GZajYIWsokDUx9JuNrO2c=,tag:WDXyNYtqjdAMePEsnA0hbw==,type:str]
gpg-signing-key: ENC[AES256_GCM,data:AyafTF3H8p1qDk9xsNvT68BksoKGLwE2uE3hjz0TrT2XPxCRDOIlfAVYEPSu2Ih6l5a2uruEJhHPtU2fPCB2hln3Bv3gZfFGLb3GFWkSvdePIYFxG56uqGK5dE1KaMccc2cTi+raDImKqSTbp7Qpdo/c6C0WYVglYrD+2l8Y4QOiFuazyLY9zwcX0qG7pIjJ+akCUjfE4rJDAW6H/v+OqvHpcED3q4iXOYuw9sj/UeIgZfJ5Xc/uVrRmPewP4yALnA8o9gsaaLdjWRFIILe7VRwPr0YqwQ6XGgc+pEartkV8AzxjCq6DOtifOOzmu8EI1U1yoaOViYCAMbSHfP6SIKr7pJbrdU+YDBq9mvRx8KPXWUU2uNGrMObATEzlqMYAYA/HJeOdV4w3Axvq8RG2FLkJxJJniwNP5VZRF3bbbI3w+hprRP2yAwgeQw19KBU8yF8upKga/GdMNScpKJvRyVLjZtI0rsfvSC81lHawouuje6aPXT3dH1S5ROJBHMTeV0sP0vK6liBevz9RZpvNs6JVyNCgiRRtRSSYqsgwPJonDKuPeI/Zpgih7HboA8HqhIibqpO96h5/4yO69oJAbLUYV3zlKQcMDTaqadL4Ox5Z+8ygSAL3l1ufZIFGSj73SNHGQqQlIS/a3dAccRi5fPqv0gOmGFAAUJPKfeauFn3TclwojKzu5vwmQxZ5g50txEpTSTaYOy++qq6UZa/dXEyDC7fle75dXhqXyqMCf9kDwZZl5E9eBsabNdTF+auQCp82iLQivdBy7uJX2hkJFSg84fF9MLgH4mOcMQc2E/z961uNzEgoyvVhbDY6+SIJ+6SGmnardbFW7mYrj/QqnSUiMc4tHukAB4NGQYHgjOYRZMpHfVO/6dLbjmTOljnPsnfQUCepvb9rGim8NazvnARaVzezx4t3tfbNR8uLQudSeLZzn/Fu1mKSQvpP+IjdglmyAgp6QhB4OCDPbiaMRDUtOQIzlVILdz1/geUVzhZkJ4xzkm5klGukhtv+3TqjiTcEnoVJC+A1jRvxBQUfEE92GFuupJUfrw8bIDqsWQLkHPCNUMgdoKa/q2OkrWeQz2zm2yUqMAJn1/puoLHdSH5aCELUggx1gQZoc480pSBUvSCML+Qc4B4Cd6hX2PPp+/KQeKtfqHIsKz2I+DMT6KDirReX6WHxqk+s2DtLw7Wx/j65PWCIWLCz,iv:c9BDRxQImWTmwq11+T2CW0S00Dixd8d0od5xn5zZmY8=,tag:brnMedsdTwlkbaHaLa2w2g==,type:str] gpg-signing-key-public: ENC[AES256_GCM,data:WgEr+ehNJa9ivlPYnsTD2772MUmsu3uvGtuwn2htqHtNxJwNG6rlnAWr1zG5D69A3G01u61mWCxLYETzjg6GsLW3rKadzUSP934kl5VQMISW2iW3XDaPLpO8dPfk2IaT4oXpui0zk0z+Viy87yl/p6JVLJ2HHFTwh7QTl+gZj8JXF5zpst8Y1op+JuBlePCUgBIE4YCF/m1kKuCDEUnZ5b4QKrogOtlN8AXwIKgrEADGgufXee5B+mg/KYBfX3/JB6evfz3rAn3gLyT8nO9T8V7RJjVeastHw0tPEx7Ep12rQxZ7uOQ66n1D0WIYB5FgiqDoY9AJxMJi02roiW1d2bqvkKfikWnYkk8zkKPWzbLWkL/gaXR5wrvK4x5kLg3GUdNzGKLUrNOy/3QjCUOe4RDXBDPgvB+LNmoME9hGGhtPRBzAsM5n7HKCTRksDRHWnArP2JsNhxeUoJWp09lBIbQ6qoF5x9C/mcxdbfuzP8+PrWiTNbxb7ZWwfhc/NYzS2YYYBUdc30xJwqgPVtJdo2FHLwQFlLNnQzvSTL/ed11EGLaNDQ4ybLVymJE1NGdsqTxzhkh0bejIkl5AcYmuw7qdzjc4bKEokT7EixVNqzw9wohyLrOfaN1fSWt8hWgULkeYNbxUMAicLIyrrBxz0D88wrug6LzNhxAC28RRs4ALhFhXpYQKnr8ldLWgoDUq8uefnWiRCiXPBB6u8BhzwTUR68lbjXjZDTUOLEubdBavRtHsWF2sy7nex8oVcMuD5+YGb+coEB4Js/QhcBSf/ewWFMmg/UIGfCkIpzpsbRTJZtHIgI7eQ8RQ0zRFlNPDeQ0Us05Qza8YcGEtIwyZgc7rJXZ2+6VtQrGuCkOAHiZzlkauDD0RZkB+oAI9RW3HoW0HdfXNwLAlHldNEMNkl2lf5fYNfZIXv6GbHXVnhGo13K8arLMqo6o5DUO3f57PWUk821kNaw5vr6dMb92rx0k0yNp1kxAug8JWYWmUcBypJHNEHTvNiMDO45HwS1C7e670NB8c2MWE2akimbSZTWF1U3RiSAD3MRUjMnT4yvpumhJlKlC9tRsKmE5WapCvwNxwIkGhFV2c0rml+8wBae0Y9CxVGWVwDnJc,iv:LpQufJB8jurx+2b1zvMd87z+byT3kKCITN0PQlW6yE4=,tag:K9tdQyFwbmk8J/6yHz27lQ==,type:str]
gpg-signing-key-private: ENC[AES256_GCM,data:WoFK9E4vCkQ68WTgSrmTwf3qaDfpjd/MVi1wSEiwJLqtWvm6BhWzTD+LQlgqrqZkSbX7bEcRwY2XT2DDLqK32xA8NgmOFinf3Xj3XsVTxTUWB7QoEksl1FVtrzTiJV+5Ztk/irhRnyCBnWSl6dHallY9RxbPVRMdgFzYP09FKhgJ90nmTtbfRzTO+jVsUp886kRwrJhitjie+nJlNrZwdh7YtqazJrmggPs6Z8cF/GkQrpSZpVHPGh6uNWRyxf50R8dcjLTHOHgVMuPo8UHX2w4lSGmEfNVa6VKKiZg86laTr998H1oUzC00erII5RENDb+PulVe3Gy8aSxd+swybM+3QTSGg/2q6hk2rS/uDQ8nDN80xKqho9T5IDqSbVamS9X5n/adY2wDoJMwlF7oha6mrmaUiGaWVoRkhw0YpwH4xY9US5O5BfUgJ+NAAo4U+YQGAJvQkO1txkFifv/lLptRRexvfRQJ5nNP0Dn0Yvolz/Xwx78IykWIHzv1mx3odKc8wDDKfzPEA9Y3KgiSHb8B3CL4XQqcW0ADAO1gfeLRBWTy0wtrgoYKdLW+eNTjy/WW5qWf81CrrjDb0hDwRQRaO0elCjS3tg1FYQYfyc2dg0XPANhCACbBajP9l6MShzpj9+0WWBTrc1e+bKy42FiteYk42f3oI5k9EGsYqlpyTCUyk0Iezwskl5ui/3Jce9G8BhpWH5YQpIg8iXiKkLwaAMDgfrZe5I8ad44L798LVZM+0kXjBW1pbt6ok2PkhQh75sDKubiNKFGVyR70QguQyAfr1FKGC2W351OzX/2CMJ2426/M2IXBfaXxZLDjlMN1KMhwGAGQOPRv8EqZABvPUUP8fIDhUhtAn0AhLs7cga1Xoz0DmY2x+0aVvfYjZIPzrrJA1LIJtTFvJzUltpf6e3UWX+r6MoDfpp4vNLi2x3mDWM8sC75Ouv4jKL2o3VA3C0EuIUK8L/aDh+V53L0Yvc0AZxv+eV3cZjveEgcwSBhv6hXpZYYOHrAOSrHQFns5jUqxZcGMWGDOtl/tmKW9cRuxeSHKB9bNHoJWtMDX2ojcU0l4APCFeM2RRXFSohJRS/0lDgWz0JwI9xXkqDfdB8r7WS0cLKxcHmAxF+d9+qoJRwMc5AVIRFfH8NyDhS5ngFJgeVE1ae0ng6nIauxwjpmtjdWl7a2XOKAtbh+jwHe0OqlG20/i,iv:D7QmF6bx/r9JX2S1Tb8IpDqX/yD3deNPqqNHXJHrhqs=,tag:NSEP9RCcaZBgbaRnmR/p7g==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data:P6hKaCpcZdXIy4rE/1b1+66Md/3Kmviileb0OIT3Vz4IVsDLecBh3IiadHq66V4KocXC4LBUNFjcrxlVVGIonHJ3qd6VpQUwG0n83yhj6LD5hgxmZ5phAyR77Ri8BiH1lWUcg51L2k0U+WJFPP6JkumT9MEz1t1+JYr5Imij6GKRWRKFwTbU6QJwFH4tCA/iGw0ElrzIjSHiNiwIKfbm8yas9vlOhr4y7vCeV10hVyvV,iv:dZ8hQxhn7pokWbQG/8rQ2vFDpPYut7WCG3xy9g6kzNs=,tag:xMyPtJJoh8kjJcOT4t9aRA==,type:str] ssh-known-hosts: ENC[AES256_GCM,data:P6hKaCpcZdXIy4rE/1b1+66Md/3Kmviileb0OIT3Vz4IVsDLecBh3IiadHq66V4KocXC4LBUNFjcrxlVVGIonHJ3qd6VpQUwG0n83yhj6LD5hgxmZ5phAyR77Ri8BiH1lWUcg51L2k0U+WJFPP6JkumT9MEz1t1+JYr5Imij6GKRWRKFwTbU6QJwFH4tCA/iGw0ElrzIjSHiNiwIKfbm8yas9vlOhr4y7vCeV10hVyvV,iv:dZ8hQxhn7pokWbQG/8rQ2vFDpPYut7WCG3xy9g6kzNs=,tag:xMyPtJJoh8kjJcOT4t9aRA==,type:str]
import-user-env: ENC[AES256_GCM,data:9SE2k3/IJqbdexj0QFSQBQ1+u1AduWNjt+0XIHryJlxIEdvv9a+6hP4EXPo+31GnaE4=,iv:qZlWOBV5owr3ESTyFaV/R8VwlGl04kaui80I2zYk4zY=,tag:PhjRfEC1xoHaYyl648yCVw==,type:str] import-user-env: ENC[AES256_GCM,data:9SE2k3/IJqbdexj0QFSQBQ1+u1AduWNjt+0XIHryJlxIEdvv9a+6hP4EXPo+31GnaE4=,iv:qZlWOBV5owr3ESTyFaV/R8VwlGl04kaui80I2zYk4zY=,tag:PhjRfEC1xoHaYyl648yCVw==,type:str]
secret-key: ENC[AES256_GCM,data:YqwSJazPqz1OOsUVIPKsGvIHbX7SyJqryan1KWSRGRJkt9yZlaiRtQG/mQugAM6IvLFD3pj+gPTcXyqenaAQKA==,iv:nyPnL7wuhpb0kl0tm1JhOHmF7KI9vVcTN1SRGTgD2o8=,tag:Rt/IPC/YtBcmTx5osGlbBg==,type:str] secret-key: ENC[AES256_GCM,data:YqwSJazPqz1OOsUVIPKsGvIHbX7SyJqryan1KWSRGRJkt9yZlaiRtQG/mQugAM6IvLFD3pj+gPTcXyqenaAQKA==,iv:nyPnL7wuhpb0kl0tm1JhOHmF7KI9vVcTN1SRGTgD2o8=,tag:Rt/IPC/YtBcmTx5osGlbBg==,type:str]
@@ -67,8 +68,8 @@ sops:
ZWRCSXpESTNpbnQzU3A3VG1xSE1BeXcKDr35W9phmGfEQtNb7V/f+g4GIcbk/klU ZWRCSXpESTNpbnQzU3A3VG1xSE1BeXcKDr35W9phmGfEQtNb7V/f+g4GIcbk/klU
+1EJsJ+jK1qCSDgO7omQge5Jx1XqSAg8H+21fnHA4JLhfIeZbntBTQ== +1EJsJ+jK1qCSDgO7omQge5Jx1XqSAg8H+21fnHA4JLhfIeZbntBTQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-03T01:35:52Z" lastmodified: "2025-12-22T06:35:29Z"
mac: ENC[AES256_GCM,data:wQPIW9zRhB6IjK1OQy69Ln+dj6OMNLnNKIzFIhv/vbQ4GllMJ3N/gZjuzMJIumcVND+jEY/qiYnsCFSptStlDYtB3/zHWo1e6It2pM4igtoTP29uiQME0vPJSz0guakZlDMa20mOTN0vVZODEbeBiQNXWtnTbl93R2JVJlZrWcI=,iv:L9Dk5S+hbBO0LTM0irfLuqjLYHzVtY5Tq+Q7m65u6p8=,tag:0GT9IyPeGY5YM6PP/LNs/Q==,type:str] mac: ENC[AES256_GCM,data:Tvj7CzTOFGTMJyNMTjx4XTmrBGBTkOKb2kIHNEtvhCfc5fSbAjzl/keONaq6LGMhyc83jp0XZpM22vN8d+TqTsUiFGwlXIEJ9aa2N/IFlixd/FGRIZUihQj65Uctbk1x5y0LHUDl53aUa/FFEeuF7aPlUB70Q2SiLME1ATtG9+0=,iv:b0Fp4fQUzhgmSKH7caegMXbstWkj2by/8ABQXUJjdIQ=,tag:uzkkvggilx6KWaeMhYRBEQ==,type:str]
pgp: pgp:
- created_at: "2025-12-01T10:58:24Z" - created_at: "2025-12-01T10:58:24Z"
enc: |- enc: |-
@@ -91,4 +92,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.11.0

13
values.nix
View File

@@ -1,8 +1,13 @@
# Feel free to change the structure of this file # Feel free to change the structure of this file
let let
pvv-ipv4 = suffix: "129.241.210.${toString suffix}"; ntnu-ipv4 = suffix: "129.241.${toString suffix}";
pvv-ipv6 = suffix: "2001:700:300:1900::${toString suffix}"; ntnu-ipv6 = suffix: "2001:700:300:${toString suffix}";
pvv-ipv4 = suffix: ntnu-ipv4 "210.${toString suffix}";
pvv-ipv6 = suffix: ntnu-ipv6 "1900::${toString suffix}";
in rec { in rec {
ntnu.ipv4-space = ntnu-ipv4 "0.0/16"; # https://ipinfo.io/ips/129.241.0.0/16
ntnu.ipv6-space = ntnu-ipv6 ":/48"; # https://ipinfo.io/2001:700:300::
ipv4-space = pvv-ipv4 "128/25"; ipv4-space = pvv-ipv4 "128/25";
ipv6-space = pvv-ipv6 "/64"; ipv6-space = pvv-ipv6 "/64";
@@ -27,6 +32,10 @@ in rec {
gateway = pvv-ipv4 129; gateway = pvv-ipv4 129;
gateway6 = pvv-ipv6 1; gateway6 = pvv-ipv6 1;
bakke = {
ipv4 = pvv-ipv4 173;
ipv6 = pvv-ipv6 173;
};
bekkalokk = { bekkalokk = {
ipv4 = pvv-ipv4 168; ipv4 = pvv-ipv4 168;
ipv6 = pvv-ipv6 168; ipv6 = pvv-ipv6 168;