mirror of https://git.feal.no/felixalb/nixos-config.git synced 2025-01-09 03:47:30 +01:00

Compare commits


No commits in common. "b97c986f4a552af10a3dc579b3a38fcfae25ca44" and "0cacad7aea370f293b7a10c6424335fa9e8ac268" have entirely different histories.

7 changed files with 75 additions and 65 deletions

53
flake.lock generated

@ -41,11 +41,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1706981411, "lastModified": 1704980875,
"narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=", "narHash": "sha256-IPZmMjk5f4TBbEpzUFBc3OC1W6OwDNEXk2w/0uVXX1o=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "652fda4ca6dafeb090943422c34ae9145787af37", "rev": "5f0ab0eedc6ede69beb8f45561ffefa54edc6e65",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -80,11 +80,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1706833576, "lastModified": 1704277720,
"narHash": "sha256-w7BL0EWRts+nD1lbLECIuz6fRzmmV+z8oWwoY7womR0=", "narHash": "sha256-meAKNgmh3goankLGWqqpw73pm9IvXjEENJloF0coskE=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "bdbae6ecff8fcc322bf6b9053c0b984912378af7", "rev": "0dd382b70c351f528561f71a0a7df82c9d2be9a4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -101,11 +101,11 @@
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1707354851, "lastModified": 1705108818,
"narHash": "sha256-EavLrnN9VlqqTabq+XDEvK2hV0XzZ3eCorsO5MvaWro=", "narHash": "sha256-V7zG8ihfhcopjaZbIvBl78icARrVPSrdeBpgyk3Aa5k=",
"owner": "Infinidoge", "owner": "Infinidoge",
"repo": "nix-minecraft", "repo": "nix-minecraft",
"rev": "ca6b8974161fee88608ff2addf1cb7655f17d165", "rev": "9151fbf3086d10b5da436616175e71add449f0e1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -147,27 +147,27 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1707391491, "lastModified": 1705033721,
"narHash": "sha256-TyDXcq8Z3slMNeyeF+ke0BzISWuM6NrBklr7XyiRbZA=", "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "bc6cb3d59b7aab88e967264254f8c1aa4c0284e9", "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "release-23.11", "ref": "release-23.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1707238373, "lastModified": 1705183652,
"narHash": "sha256-WKxT0yLzWbFZwYi92lI0yWJpYtRaFSWHGX8QXzejapw=", "narHash": "sha256-rnfkyUH0x72oHfiSDhuCHDHg3gFgF+lF8zkkg5Zihsw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "fb0c047e30b69696acc42e669d02452ca1b55755", "rev": "428544ae95eec077c7f823b422afae5f174dee4b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -197,11 +197,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1707397511, "lastModified": 1705201153,
"narHash": "sha256-pYqXcTjcPC/go3FzT1dYtYsbmzAjO1MHhT/xgiI6J7o=", "narHash": "sha256-y0/a4IMDZrc7lAkR7Gcm5R3W2iCBiARHnYZe6vkmiNE=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "2168851d58595431ee11ebfc3a49d60d318b7312", "rev": "70dd0d521f7849338e487a219c1a07c429a66d77",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -227,11 +227,11 @@
}, },
"unstable": { "unstable": {
"locked": { "locked": {
"lastModified": 1707092692, "lastModified": 1705133751,
"narHash": "sha256-ZbHsm+mGk/izkWtT4xwwqz38fdlwu7nUUKXTOmm4SyE=", "narHash": "sha256-rCIsyE80jgiOU78gCWN3A0wE0tR2GI5nH6MlS+HaaSQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "faf912b086576fd1a15fca610166c98d47bc667e", "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -243,11 +243,10 @@
}, },
"voyager-addons": { "voyager-addons": {
"locked": { "locked": {
"lastModified": 1707399193, "dirtyRev": "238bcd33b3e2562fcf76f86348909990ddc3d6cc-dirty",
"narHash": "sha256-Q570CBu01ufGMitMQVAgsKoQ7zMEDwqDtqKJ1kyeUjQ=", "dirtyShortRev": "238bcd3-dirty",
"ref": "refs/heads/main", "lastModified": 1704460893,
"rev": "3d04b4ec9c40948693f4efe919413cce9265bae7", "narHash": "sha256-lh5nuxULb6Y8rPIDRWnvUOVs7j3jsp4QqiXvEpJjMec=",
"revCount": 4,
"type": "git", "type": "git",
"url": "file:///home/felixalb/voyager-addons" "url": "file:///home/felixalb/voyager-addons"
}, },


@ -44,12 +44,6 @@ in {
"10.100.0.5/32" "10.100.0.5/32"
]; ];
} }
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
]; ];
}; };
}; };


@ -50,12 +50,6 @@ in {
"10.100.0.5/32" "10.100.0.5/32"
]; ];
} }
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
]; ];
}; };
}; };


@ -7,7 +7,7 @@
../../common/metrics-exporters.nix ../../common/metrics-exporters.nix
./hardware-configuration.nix ./hardware-configuration.nix
./filesystems.nix ./filesystems.nix
# ./wireguard.nix ./wireguard.nix
./exports.nix ./exports.nix
./services/snappymail.nix ./services/snappymail.nix


@ -59,29 +59,26 @@ in {
after = [ "postgresql.service" ]; after = [ "postgresql.service" ];
}; };
systemd.services."phpfpm-nextcloud" = { systemd.services."phpfpm-nextcloud".serviceConfig = {
requires = [ "var-lib-nextcloud.mount" ]; WorkingDirectory = "/var/lib/nextcloud";
serviceConfig = { NoNewPrivileges = true;
WorkingDirectory = "/var/lib/nextcloud"; PrivateDevices = true;
NoNewPrivileges = true; PrivateMounts = true;
PrivateDevices = true; PrivateTmp = true;
PrivateMounts = true; ProtectClock = true;
PrivateTmp = true; ProtectHome = true;
ProtectClock = true; ProtectHostname = true;
ProtectHome = true; ProtectKernelLogs = true;
ProtectHostname = true; ProtectKernelModules = true;
ProtectKernelLogs = true; ProtectKernelTunables = true;
ProtectKernelModules = true; ProtectProc = "invisible";
ProtectKernelTunables = true; ReadWritePaths = [ "/var/lib/nextcloud" "/run/phpfpm" "/run/systemd" "/run/secrets" "/nix/store" ];
ProtectProc = "invisible"; RemoveIPC = true;
ReadWritePaths = [ "/var/lib/nextcloud" "/run/phpfpm" "/run/systemd" "/run/secrets" "/nix/store" ]; RestrictSUIDSGID = true;
RemoveIPC = true; UMask = "0007";
RestrictSUIDSGID = true; SystemCallArchitectures = "native";
UMask = "0007"; SystemCallFilter = "@system-service";
SystemCallArchitectures = "native"; CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
SystemCallFilter = "@system-service";
CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
};
}; };
fileSystems."/var/lib/nextcloud" = { fileSystems."/var/lib/nextcloud" = {
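Review bot: `ReadWritePaths` in the new `serviceConfig` lists `/nix/store` and `/run/secrets` as writable, and no `ProtectSystem=` is set in this block, so the list may not confine anything. ReadWritePaths only carves exceptions out of a read-only view; unless the phpfpm module outside this hunk supplies `ProtectSystem`, the service keeps ordinary write access wherever its user has it. I would add `ProtectSystem = "strict";` and, after testing, shrink the list to `ReadWritePaths = [ "/var/lib/nextcloud" "/run/phpfpm" "/run/systemd" ];`, since the store and the sops secrets only need to be read. Separately, systemd documents a single leading `~` for the whole `CapabilityBoundingSet` list, so the per-name `~` form is worth checking with `systemctl show -p CapabilityBoundingSet phpfpm-nextcloud`.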


@ -0,0 +1,22 @@
{ config, pkgs, lib, ... }:
let
port = 51820;
endpoint = "vpn.feal.no:51820";
publicKey = "ct2FBeSSt0u38tFMv61aVpGwdcJvXi1Q0sV0zCNH7xU=";
in {
sops.secrets."wireguard/wg0/private" = {};
networking.firewall.allowedUDPPorts = [ port ];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.100.0.2/24" ];
listenPort = port;
privateKeyFile = config.sops.secrets."wireguard/wg0/private".path;
peers = [
{
inherit endpoint publicKey;
allowedIPs = [ "10.100.0.0/24" ];
persistentKeepalive = 25;
}
];
};
}
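Review bot: `networking.firewall.allowedUDPPorts = [ port ];` opens UDP 51820 on every interface, although this host looks like a client: it has one peer with an `endpoint` and `persistentKeepalive = 25`, so it initiates the tunnel and replies should come back through connection tracking. If no peer needs to dial in to this machine, drop that line; if one does, scope it with `networking.firewall.interfaces.<iface>.allowedUDPPorts = [ port ];`. The port is also written twice, in `port` and inside the `endpoint` string; a comment such as `# listen port on this host; the endpoint port belongs to the VPN server` would keep the two from being edited together by mistake.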


@ -10,6 +10,10 @@
#ENC[AES256_GCM,data:fvJA2s0OEs7PDOr/,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:7L1Kl4RgAFG+WLvtk30nYQ==,type:comment] #ENC[AES256_GCM,data:fvJA2s0OEs7PDOr/,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:7L1Kl4RgAFG+WLvtk30nYQ==,type:comment]
transmission: transmission:
vpncreds: ENC[AES256_GCM,data:KWm6AGlJze0Of9Nkz0moaQCAXMwylsZ+BIZR4BnbuDRbjKRMJSWCOFBSbG3esGprLhoCnYwc9mghSeoP2AQRAT++sERpxX3JTHF9QuauNmhRWb1xLsOfQAu6vsA/0dTshQr8ivhJSnEz57rasdOraovYjVsRXd7cuclajPoS4nl3+1/IrSkAlxNzx8F0PMmyOrvoPVMmqQ4PcKFfkXc1f59O2iJ19Bmt/x5yIxU=,iv:VAYlqL8Pb5J4g+W3QClrgRftYw5UofXmG9cfEsZdLr4=,tag:zJIxYaGEedFjM8IsBfnQog==,type:str] vpncreds: ENC[AES256_GCM,data:KWm6AGlJze0Of9Nkz0moaQCAXMwylsZ+BIZR4BnbuDRbjKRMJSWCOFBSbG3esGprLhoCnYwc9mghSeoP2AQRAT++sERpxX3JTHF9QuauNmhRWb1xLsOfQAu6vsA/0dTshQr8ivhJSnEz57rasdOraovYjVsRXd7cuclajPoS4nl3+1/IrSkAlxNzx8F0PMmyOrvoPVMmqQ4PcKFfkXc1f59O2iJ19Bmt/x5yIxU=,iv:VAYlqL8Pb5J4g+W3QClrgRftYw5UofXmG9cfEsZdLr4=,tag:zJIxYaGEedFjM8IsBfnQog==,type:str]
wireguard:
wg0:
public: ENC[AES256_GCM,data:jKkYH9giZJ09/hFWF0UgM8TSvQ/qrkSbhCOhHG5Ze2WI8MLZaNzZMQSgWHM=,iv:VI48j/DzQez+L4oW2vUHj8FqDpTAd5P/71ih4D/3I54=,tag:9m23ruMSkFsTbxj9dAD9eg==,type:str]
private: ENC[AES256_GCM,data:XF89i1/TF5CpOvixwFDNOpke0YdWQDAMbvf/jOGR7iHKzz4OJu7K33lQbObT,iv:tVGdkkUU83Ba7VxHa7AJaIHFETp2Dy72dya3FDjnPZY=,tag:h9IJVeGnK7gABbu9hWZpww==,type:str]
nextcloud: nextcloud:
adminpass: ENC[AES256_GCM,data:r2Z6KsQ1hP90/Bf8J804a5D7BTS7,iv:f3TkiPVxw8lAPcyStWqOZuhF4p/5nUPkzL2j/yjsnyg=,tag:c2JWdxZUjkHQWNWDILBrRQ==,type:str] adminpass: ENC[AES256_GCM,data:r2Z6KsQ1hP90/Bf8J804a5D7BTS7,iv:f3TkiPVxw8lAPcyStWqOZuhF4p/5nUPkzL2j/yjsnyg=,tag:c2JWdxZUjkHQWNWDILBrRQ==,type:str]
sops: sops:
@ -45,8 +49,8 @@ sops:
NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB
4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw== 4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-08T13:44:57Z" lastmodified: "2024-01-03T11:58:32Z"
mac: ENC[AES256_GCM,data:oy6uBKFDm7J70OZuZtCziKeNkV5u9/RabGF2gXOONeHqFD/9jXhHsWIrDYrgwHPCyauJyAZqwnw/+wNUMNUzk25rM1iBaBJg0+mjUnFGBEhrAUJu8hSHl2EAHEauhzPqRS0L7bew75FmuGs56Wo58DkdvdnCjjs3XIAOj8kjv/g=,iv:/rbPS8xANKV9sSC7e1OAQuIeJK7OtlUMggxN/RW+GLs=,tag:5kE7m7ZrfIPF+ulCsiPLVQ==,type:str] mac: ENC[AES256_GCM,data:17G+wUFH0yV9dQo7kLoMiI7UMBVfj8HbqE0p26/LZ5N0wbLyXKt5YdXQPG8rC22fgHdgePFgIl6qxI2KWgy0bwgBtg9kTxjaKDHkdEs8KKTxbjUXYeIp2JonIH9j3GgN/wa7kABr4QyhDmKhlLupi0ea2A51fDSuhYZDN2kl5As=,iv:XNhmnQJEww6PfHI80bl8LKoiiJdJQcezy71kQZx4oys=,tag:02+GjhSRxw4+qNNjlxPbqA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1