From ac76e6f10b165b7adb6809e73397a7d523a9dbb1 Mon Sep 17 00:00:00 2001 
From: m3tam3re Date: Wed, 15 May 2024 09:25:27 +0000 Subject: [PATCH] first commit --- .gitignore | 5 + flake.lock | 367 ++++++++++++++++++ flake.nix | 133 +++++++ home/features/cli/default.nix | 67 ++++ home/features/cli/fish.nix | 52 +++ home/features/cli/neofetch.nix | 15 + home/features/cli/scripts.nix | 1 + home/features/cli/secrets.nix | 21 + home/features/cli/starship.nix | 18 + home/features/cli/zellij.nix | 17 + home/features/coding/default.nix | 13 + home/features/coding/emacs.nix | 8 + home/features/coding/golang.nix | 5 + home/features/coding/nix.nix | 9 + home/features/coding/nodejs.nix | 1 + home/features/coding/rust.nix | 1 + home/features/coding/tools.nix | 10 + home/features/desktop/crypto.nix | 15 + home/features/desktop/default.nix | 153 ++++++++ home/features/desktop/design.nix | 25 ++ home/features/desktop/extrafonts.nix | 23 ++ home/features/desktop/media.nix | 36 ++ home/features/desktop/office.nix | 16 + home/features/desktop/plasma.nix | 21 + home/features/desktop/syncthing.nix | 4 + home/features/desktop/theme.nix | 17 + home/features/desktop/wayland.nix | 15 + home/features/desktop/wofi.nix | 7 + home/features/gaming/default.nix | 11 + home/features/gaming/sunshine.nix | 15 + home/features/hardware/default.nix | 6 + home/features/privacy/default.nix | 5 + home/features/virtualization/default.nix | 1 + home/features/virtualization/podman.nix | 14 + home/features/virtualization/qemu.nix | 14 + home/users/lkk-admin/base/default.nix | 56 +++ home/users/lkk-admin/lkk-nix-1.nix | 16 + home/users/m3tam3re/base/default.nix | 62 +++ home/users/m3tam3re/dotfiles/default.nix | 22 ++ home/users/m3tam3re/dotfiles/hyprland.nix | 227 +++++++++++ home/users/m3tam3re/lkk-nix-1.nix | 16 + home/users/m3tam3re/m3-nix.nix | 38 ++ home/users/m3tam3re/m3-r1.nix | 16 + home/users/produktion/base/default.nix | 52 +++ home/users/produktion/lkk-prod-1.nix | 21 + home/users/produktion/lkk-prod-2.nix | 21 + hosts/common/base/default.nix | 21 + 
hosts/common/users/lkk-admin/default.nix | 26 ++ hosts/common/users/lkk-admin/lkk-admin | 1 + hosts/common/users/m3tam3re/default.nix | 26 ++ hosts/common/users/m3tam3re/m3tam3re | 1 + hosts/common/users/produktion/default.nix | 19 + hosts/common/users/produktion/produktion | 1 + hosts/lkk-nix-1/default.nix | 92 +++++ hosts/lkk-nix-1/hardware-configuration.nix | 59 +++ hosts/lkk-nix-1/services/container.nix | 13 + .../lkk-nix-1/services/containers/baserow.nix | 9 + .../lkk-nix-1/services/containers/default.nix | 13 + .../services/containers/little-link.nix | 8 + .../lkk-nix-1/services/containers/matomo.nix | 19 + .../lkk-nix-1/services/containers/mautic.nix | 20 + hosts/lkk-nix-1/services/containers/n8n.nix | 13 + .../services/containers/nextcloud.nix | 18 + hosts/lkk-nix-1/services/containers/nginx.nix | 12 + .../services/containers/ordercollector.nix | 7 + .../services/containers/wordpress.nix | 30 ++ hosts/lkk-nix-1/services/default.nix | 13 + hosts/lkk-nix-1/services/gitea.nix | 16 + hosts/lkk-nix-1/services/mariadb.nix | 11 + hosts/lkk-nix-1/services/metabase.nix | 13 + hosts/lkk-nix-1/services/postgres.nix | 29 ++ hosts/lkk-nix-1/services/syncthing.nix | 26 ++ hosts/lkk-nix-1/services/tailscale.nix | 42 ++ hosts/lkk-nix-1/services/traefik.nix | 241 ++++++++++++ hosts/lkk-nix-1/services/vaultwarden.nix | 15 + hosts/lkk-prod-1/default.nix | 176 +++++++++ hosts/lkk-prod-1/hardware-configuration.nix | 43 ++ hosts/lkk-prod-2/default.nix | 176 +++++++++ hosts/lkk-prod-2/hardware-configuration.nix | 43 ++ hosts/m3-nix/default.nix | 148 +++++++ hosts/m3-nix/hardware-configuration.nix | 67 ++++ hosts/m3-nix/hardware.nix | 54 +++ hosts/m3-nix/services/cron.nix | 6 + hosts/m3-nix/services/default.nix | 32 ++ hosts/m3-nix/services/flatpak.nix | 8 + hosts/m3-nix/services/ollama.nix | 7 + hosts/m3-nix/services/prometheus-node.nix | 10 + hosts/m3-nix/services/restic.nix | 25 ++ hosts/m3-nix/services/sound.nix | 14 + hosts/m3-nix/services/tailscale.nix | 40 ++ 
hosts/m3-nix/services/udev.nix | 5 + hosts/m3-nix/services/virtualization.nix | 19 + hosts/m3-nix/services/wireguard.nix | 8 + hosts/m3-nix/services/xserver.nix | 19 + hosts/m3-nix/vfio.nix | 40 ++ hosts/m3-r1/default.nix | 104 +++++ hosts/m3-r1/hardware-configuration.nix | 53 +++ hosts/m3-r1/services/container.nix | 13 + hosts/m3-r1/services/containers/baserow.nix | 25 ++ .../m3-r1/services/containers/briefkasten.nix | 12 + hosts/m3-r1/services/containers/default.nix | 12 + .../m3-r1/services/containers/little-link.nix | 12 + hosts/m3-r1/services/containers/matomo.nix | 19 + hosts/m3-r1/services/containers/mautic.nix | 20 + hosts/m3-r1/services/containers/nextcloud.nix | 18 + hosts/m3-r1/services/containers/nginx.nix | 8 + hosts/m3-r1/services/containers/wireguard.nix | 22 ++ hosts/m3-r1/services/containers/wordpress.nix | 18 + hosts/m3-r1/services/default.nix | 14 + hosts/m3-r1/services/gitea.nix | 16 + hosts/m3-r1/services/mariadb.nix | 15 + hosts/m3-r1/services/n8n.nix | 18 + hosts/m3-r1/services/postgres.nix | 28 ++ hosts/m3-r1/services/searx.nix | 10 + hosts/m3-r1/services/syncthing.nix | 26 ++ hosts/m3-r1/services/tailscale.nix | 42 ++ hosts/m3-r1/services/traefik.nix | 171 ++++++++ hosts/m3-r1/services/vaultwarden.nix | 11 + modules/nixos/default.nix | 1 + modules/nixos/ordercollect.nix | 32 ++ overlays/default.nix | 20 + pkgs/default.nix | 5 + pkgs/ordercollect/default.nix | 26 ++ pkgs/wofi-pass/default.nix | 29 ++ pkgs/zellij-ps/default.nix | 33 ++ secrets.nix | 39 ++ secrets/baserow-env.age | Bin 0 -> 1177 bytes secrets/briefkasten-env.age | Bin 0 -> 1023 bytes secrets/littlelink-lanakk-env.age | Bin 0 -> 3630 bytes secrets/littlelink-m3tam3re-env.age | Bin 0 -> 3373 bytes secrets/m3tam3re-secrets.age | 16 + secrets/metabase-env.age | Bin 0 -> 840 bytes secrets/minio-root-cred.age | Bin 0 -> 826 bytes secrets/mj-smtp-pass.age | 16 + secrets/mj-smtp-user.age | 16 + secrets/n8n-env.age | Bin 0 -> 1200 bytes secrets/n8n-m3r1.age | Bin 0 -> 1055 bytes 
secrets/openai.age | Bin 0 -> 772 bytes secrets/ordercollector-env.age | Bin 0 -> 1094 bytes secrets/pgadmin.age | Bin 0 -> 689 bytes secrets/searx-environmentFile.age | Bin 0 -> 819 bytes secrets/tailscale-key.age | 16 + secrets/traefik-env.age | Bin 0 -> 912 bytes secrets/vaultwarden-env.age | Bin 0 -> 21541 bytes secrets/wg-key.age | Bin 0 -> 1083 bytes 145 files changed, 4378 insertions(+) create mode 100644 .gitignore create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 home/features/cli/default.nix create mode 100644 home/features/cli/fish.nix create mode 100644 home/features/cli/neofetch.nix create mode 100644 home/features/cli/scripts.nix create mode 100644 home/features/cli/secrets.nix create mode 100644 home/features/cli/starship.nix create mode 100644 home/features/cli/zellij.nix create mode 100644 home/features/coding/default.nix create mode 100644 home/features/coding/emacs.nix create mode 100644 home/features/coding/golang.nix create mode 100644 home/features/coding/nix.nix create mode 100644 home/features/coding/nodejs.nix create mode 100644 home/features/coding/rust.nix create mode 100644 home/features/coding/tools.nix create mode 100644 home/features/desktop/crypto.nix create mode 100644 home/features/desktop/default.nix create mode 100644 home/features/desktop/design.nix create mode 100644 home/features/desktop/extrafonts.nix create mode 100644 home/features/desktop/media.nix create mode 100644 home/features/desktop/office.nix create mode 100644 home/features/desktop/plasma.nix create mode 100644 home/features/desktop/syncthing.nix create mode 100644 home/features/desktop/theme.nix create mode 100644 home/features/desktop/wayland.nix create mode 100644 home/features/desktop/wofi.nix create mode 100644 home/features/gaming/default.nix create mode 100644 home/features/gaming/sunshine.nix create mode 100644 home/features/hardware/default.nix create mode 100644 home/features/privacy/default.nix create mode 100644 
home/features/virtualization/default.nix create mode 100644 home/features/virtualization/podman.nix create mode 100644 home/features/virtualization/qemu.nix create mode 100644 home/users/lkk-admin/base/default.nix create mode 100644 home/users/lkk-admin/lkk-nix-1.nix create mode 100644 home/users/m3tam3re/base/default.nix create mode 100644 home/users/m3tam3re/dotfiles/default.nix create mode 100644 home/users/m3tam3re/dotfiles/hyprland.nix create mode 100644 home/users/m3tam3re/lkk-nix-1.nix create mode 100644 home/users/m3tam3re/m3-nix.nix create mode 100644 home/users/m3tam3re/m3-r1.nix create mode 100644 home/users/produktion/base/default.nix create mode 100644 home/users/produktion/lkk-prod-1.nix create mode 100644 home/users/produktion/lkk-prod-2.nix create mode 100644 hosts/common/base/default.nix create mode 100644 hosts/common/users/lkk-admin/default.nix create mode 120000 hosts/common/users/lkk-admin/lkk-admin create mode 100644 hosts/common/users/m3tam3re/default.nix create mode 120000 hosts/common/users/m3tam3re/m3tam3re create mode 100644 hosts/common/users/produktion/default.nix create mode 120000 hosts/common/users/produktion/produktion create mode 100644 hosts/lkk-nix-1/default.nix create mode 100644 hosts/lkk-nix-1/hardware-configuration.nix create mode 100644 hosts/lkk-nix-1/services/container.nix create mode 100644 hosts/lkk-nix-1/services/containers/baserow.nix create mode 100644 hosts/lkk-nix-1/services/containers/default.nix create mode 100644 hosts/lkk-nix-1/services/containers/little-link.nix create mode 100644 hosts/lkk-nix-1/services/containers/matomo.nix create mode 100644 hosts/lkk-nix-1/services/containers/mautic.nix create mode 100644 hosts/lkk-nix-1/services/containers/n8n.nix create mode 100644 hosts/lkk-nix-1/services/containers/nextcloud.nix create mode 100644 hosts/lkk-nix-1/services/containers/nginx.nix create mode 100644 hosts/lkk-nix-1/services/containers/ordercollector.nix create mode 100644 
hosts/lkk-nix-1/services/containers/wordpress.nix create mode 100644 hosts/lkk-nix-1/services/default.nix create mode 100644 hosts/lkk-nix-1/services/gitea.nix create mode 100644 hosts/lkk-nix-1/services/mariadb.nix create mode 100644 hosts/lkk-nix-1/services/metabase.nix create mode 100644 hosts/lkk-nix-1/services/postgres.nix create mode 100644 hosts/lkk-nix-1/services/syncthing.nix create mode 100644 hosts/lkk-nix-1/services/tailscale.nix create mode 100644 hosts/lkk-nix-1/services/traefik.nix create mode 100644 hosts/lkk-nix-1/services/vaultwarden.nix create mode 100644 hosts/lkk-prod-1/default.nix create mode 100644 hosts/lkk-prod-1/hardware-configuration.nix create mode 100644 hosts/lkk-prod-2/default.nix create mode 100644 hosts/lkk-prod-2/hardware-configuration.nix create mode 100644 hosts/m3-nix/default.nix create mode 100644 hosts/m3-nix/hardware-configuration.nix create mode 100644 hosts/m3-nix/hardware.nix create mode 100644 hosts/m3-nix/services/cron.nix create mode 100644 hosts/m3-nix/services/default.nix create mode 100644 hosts/m3-nix/services/flatpak.nix create mode 100644 hosts/m3-nix/services/ollama.nix create mode 100644 hosts/m3-nix/services/prometheus-node.nix create mode 100644 hosts/m3-nix/services/restic.nix create mode 100644 hosts/m3-nix/services/sound.nix create mode 100644 hosts/m3-nix/services/tailscale.nix create mode 100644 hosts/m3-nix/services/udev.nix create mode 100644 hosts/m3-nix/services/virtualization.nix create mode 100644 hosts/m3-nix/services/wireguard.nix create mode 100644 hosts/m3-nix/services/xserver.nix create mode 100644 hosts/m3-nix/vfio.nix create mode 100644 hosts/m3-r1/default.nix create mode 100644 hosts/m3-r1/hardware-configuration.nix create mode 100644 hosts/m3-r1/services/container.nix create mode 100644 hosts/m3-r1/services/containers/baserow.nix create mode 100644 hosts/m3-r1/services/containers/briefkasten.nix create mode 100644 hosts/m3-r1/services/containers/default.nix create mode 100644 
hosts/m3-r1/services/containers/little-link.nix create mode 100644 hosts/m3-r1/services/containers/matomo.nix create mode 100644 hosts/m3-r1/services/containers/mautic.nix create mode 100644 hosts/m3-r1/services/containers/nextcloud.nix create mode 100644 hosts/m3-r1/services/containers/nginx.nix create mode 100644 hosts/m3-r1/services/containers/wireguard.nix create mode 100644 hosts/m3-r1/services/containers/wordpress.nix create mode 100644 hosts/m3-r1/services/default.nix create mode 100644 hosts/m3-r1/services/gitea.nix create mode 100644 hosts/m3-r1/services/mariadb.nix create mode 100644 hosts/m3-r1/services/n8n.nix create mode 100644 hosts/m3-r1/services/postgres.nix create mode 100644 hosts/m3-r1/services/searx.nix create mode 100644 hosts/m3-r1/services/syncthing.nix create mode 100644 hosts/m3-r1/services/tailscale.nix create mode 100644 hosts/m3-r1/services/traefik.nix create mode 100644 hosts/m3-r1/services/vaultwarden.nix create mode 100644 modules/nixos/default.nix create mode 100644 modules/nixos/ordercollect.nix create mode 100644 overlays/default.nix create mode 100644 pkgs/default.nix create mode 100644 pkgs/ordercollect/default.nix create mode 100644 pkgs/wofi-pass/default.nix create mode 100644 pkgs/zellij-ps/default.nix create mode 100644 secrets.nix create mode 100644 secrets/baserow-env.age create mode 100644 secrets/briefkasten-env.age create mode 100644 secrets/littlelink-lanakk-env.age create mode 100644 secrets/littlelink-m3tam3re-env.age create mode 100644 secrets/m3tam3re-secrets.age create mode 100644 secrets/metabase-env.age create mode 100644 secrets/minio-root-cred.age create mode 100644 secrets/mj-smtp-pass.age create mode 100644 secrets/mj-smtp-user.age create mode 100644 secrets/n8n-env.age create mode 100644 secrets/n8n-m3r1.age create mode 100644 secrets/openai.age create mode 100644 secrets/ordercollector-env.age create mode 100644 secrets/pgadmin.age create mode 100644 secrets/searx-environmentFile.age create mode 100644 
secrets/tailscale-key.age create mode 100644 secrets/traefik-env.age create mode 100644 secrets/vaultwarden-env.age create mode 100644 secrets/wg-key.age
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..84c5e1d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+/result
+*.qcow2
+\#
+#
+.#
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..b337ffd
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,367 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1715101957, + "narHash": "sha256-fs5uVQFTfgb4L9pnhldeyTHNcYwn1U4nKYoCBJ6W3W4=", + "owner": "ryantm", + "repo": "agenix", + "rev": "07479c2e7396acaaaac5925483498154034ea80a", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs_2", + "utils": "utils" + }, + "locked": { + "lastModified": 1711973905, + "narHash": "sha256-UFKME/N1pbUtn+2Aqnk+agUt8CekbpuqwzljivfIme8=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "88b3059b020da69cbe16526b8d639bd5e0b51c8b", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, + "dotfiles": { + "flake": false, + "locked": { + "lastModified": 1713941143, + "narHash": "sha256-xkjxhTUToZ5KOT46te2q+59k7hgMmVxlhomvYrWCD+Y=", + "ref": "refs/heads/master", + "rev": "9c79f4672bee385c7ae0c69153a60103627e12c2", + "revCount": 12, + "type": "git", + "url": "https://code.m3tam3re.com/m3tam3re/dotfiles.git" + }, + "original": { + "type": "git", + "url": "https://code.m3tam3re.com/m3tam3re/dotfiles.git" + } + }, + "fenix": { + "inputs": { + "nixpkgs": [ + "fh", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "narHash": "sha256-0dZpggYjjmWEk+rGixiBHOHuQfLzEzNfrtjSig04s6Q=", + "rev": 
"9ccae1754eec0341b640d5705302ac0923d22875", + "revCount": 1618, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/nix-community/fenix/0.1.1618%2Brev-9ccae1754eec0341b640d5705302ac0923d22875/018aea4c-03c9-7734-95d5-b84cc8881e3d/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/nix-community/fenix/0.1.1565.tar.gz" + } + }, + "fh": { + "inputs": { + "fenix": "fenix", + "flake-compat": "flake-compat_2", + "naersk": "naersk", + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1711118970, + "narHash": "sha256-fRaKydMSwd1zl6ptBKvn5ej2pqtI8xi9dioFmR8QA+g=", + "rev": "73fed26f0231ae650122beb3ac1b7654b5cc682c", + "revCount": 425, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/fh/0.1.10/018e66b1-a218-7f23-949d-ace71c4e4c8b/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/DeterminateSystems/fh/%2A.tar.gz" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { + "locked": { + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "revCount": 57, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/edolstra/flake-compat/1.0.1.tar.gz" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": 
"home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715077503, + "narHash": "sha256-AfHQshzLQfUqk/efMtdebHaQHqVntCMjhymQzVFLes0=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "6e277d9566de9976f47228dd8c580b97488734d4", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "naersk": { + "inputs": { + "nixpkgs": [ + "fh", + "nixpkgs" + ] + }, + "locked": { + "narHash": "sha256-TunvZMCxXHvU6fz5kq3XTLfojIvTDlbFGfPUFtwCU5o=", + "rev": "06a99941d72e2202ed62b8aa08b9869817fea56f", + "revCount": 332, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/nix-community/naersk/0.1.332%2Brev-06a99941d72e2202ed62b8aa08b9869817fea56f/018b61d4-48e5-77e8-8893-9f917732b11a/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/nix-community/naersk/0.1.332.tar.gz" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1714971268, + "narHash": "sha256-IKwMSwHj9+ec660l+I4tki/1NRoeGpyA2GdtdYpAgEw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "27c13997bf450a01219899f5a83bd6ffbfc70d3c", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1702272962, + "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", + 
"owner": "NixOS", + "repo": "nixpkgs", + "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "narHash": "sha256-9NJcFF9CEYPvHJ5ckE8kvINvI84SZZ87PvqMbH6pro0=", + "rev": "5e4c2ada4fcd54b99d56d7bd62f384511a7e2593", + "revCount": 534806, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.534806%2Brev-5e4c2ada4fcd54b99d56d7bd62f384511a7e2593/018b29e9-ae6d-72f2-993b-19cb9a64a3b5/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.514192.tar.gz" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1715087517, + "narHash": "sha256-CLU5Tsg24Ke4+7sH8azHWXKd0CFd4mhLWfhYgUiDBpQ=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b211b392b8486ee79df6cdfb1157ad2133427a29", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "deploy-rs": "deploy-rs", + "dotfiles": "dotfiles", + "fh": "fh", + "home-manager": "home-manager_2", + "nixpkgs": "nixpkgs_4", + "nixpkgs-stable": "nixpkgs-stable" + } + }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1696050837, + "narHash": "sha256-2K3Aq4gjPZBDnkAMJaMA4ElE+BNbmrqtSBWtt9kPGaM=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "0840038f02daec6ba3238f05d8caa037d28701a0", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": 
"default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..625b06b --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,133 @@ +{ + description = '' + This i my basic NixOS system configuration. Feel free to reuse anything you find useful. + ''; + + inputs = { + home-manager = { + url = "github:nix-community/home-manager"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + agenix.url = "github:ryantm/agenix"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11"; + fh.url = "https://flakehub.com/f/DeterminateSystems/fh/*.tar.gz"; + deploy-rs.url = "github:serokell/deploy-rs"; + dotfiles.url = "git+https://code.m3tam3re.com/m3tam3re/dotfiles.git"; + dotfiles.flake = false; # Use this if your dotfiles repo is not a flake + }; + + outputs = { + self, + dotfiles, + nixpkgs, + fh, + home-manager, + agenix, + deploy-rs, + ... + } @ inputs: let + inherit (self) outputs; + lib = nixpkgs.lib; + systems = [ + "aarch64-linux" + "i686-linux" + "x86_64-linux" + "aarch64-darwin" + "x86_64-darwin" + ]; + forAllSystems = nixpkgs.lib.genAttrs systems; + in { + packages = + forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system}); + formatter = + forAllSystems (system: nixpkgs.legacyPackages.${system}.alejandra); + overlays = import ./overlays {inherit inputs;}; + nixosConfigurations = { + lkk-nix-1 = lib.nixosSystem rec { + specialArgs = {inherit inputs outputs;}; + modules = [./hosts/lkk-nix-1 agenix.nixosModules.default]; + }; + m3-r1 = lib.nixosSystem { + specialArgs = {inherit inputs outputs;}; + modules = [./hosts/m3-r1 agenix.nixosModules.default]; + }; + lkk-prod-1 = lib.nixosSystem { + specialArgs = {inherit inputs outputs;}; + modules = [./hosts/lkk-prod-1 agenix.nixosModules.default]; + }; + lkk-prod-2 = lib.nixosSystem { + specialArgs = {inherit inputs outputs;}; + modules = [./hosts/lkk-prod-2 agenix.nixosModules.default]; + }; + m3-nix = lib.nixosSystem { + specialArgs = {inherit inputs outputs;}; + modules = [./hosts/m3-nix agenix.nixosModules.default]; + }; + }; + homeConfigurations = { + # Laptop + 
"m3tam3re@m3-nix" = home-manager.lib.homeManagerConfiguration { + pkgs = nixpkgs.legacyPackages."x86_64-linux"; + extraSpecialArgs = {inherit inputs outputs;}; + modules = [./home/users/m3tam3re/m3-nix.nix]; + }; + "m3tam3re@lkk-nix-1" = home-manager.lib.homeManagerConfiguration { + pkgs = nixpkgs.legacyPackages."x86_64-linux"; + extraSpecialArgs = { + # pass things to t + }; + modules = [./home/users/m3tam3re/lkk-nix-1.nix]; + }; + "m3tam3re@m3-r1" = home-manager.lib.homeManagerConfiguration { + pkgs = nixpkgs.legacyPackages."x86_64-linux"; + extraSpecialArgs = { + # pass things to t + }; + modules = [./home/users/m3tam3re/m3-r1.nix]; + }; + }; + deploy.nodes.lkk-nix-1 = { + hostname = "lkk-nix-1"; + sshUser = "root"; + profiles.system = { + user = "root"; + path = + deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.lkk-nix-1; + }; + }; + deploy.nodes.m3-r1 = { + hostname = "m3-r1"; + sshUser = "root"; + activationTimeout = 600; + profiles.system = { + user = "root"; + path = + deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.m3-r1; + }; + }; + deploy.nodes.lkk-prod-1 = { + hostname = "lkk-prod-1"; + sshUser = "root"; + profiles.system = { + user = "root"; + path = + deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.lkk-prod-1; + }; + }; + deploy.nodes.lkk-prod-2 = { + hostname = "lkk-prod-2"; + sshUser = "root"; + profiles.system = { + user = "root"; + path = + deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.lkk-prod-2; + }; + }; + deploy.remoteBuild = true; + }; +} diff --git a/home/features/cli/default.nix b/home/features/cli/default.nix new file mode 100644 index 0000000..c0591d2 --- /dev/null +++ b/home/features/cli/default.nix 
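Review bot: All four `deploy.nodes.*` entries connect with `sshUser = "root"`, so every target host must accept root logins over SSH; deploy-rs can instead connect as an unprivileged account and escalate only for activation — keep `user = "root"` and set `sshUser` to a dedicated deploy user (deploy-rs uses sudo when the two differ), which lets root SSH login stay disabled on the hosts. Only `home-manager` declares `inputs.nixpkgs.follows = "nixpkgs"`; `agenix` and `deploy-rs` do not, which is why flake.lock carries four separate nixpkgs entries (`nixpkgs` through `nixpkgs_4`), so `inputs.nixpkgs.follows = "nixpkgs";` should be added to those two inputs as well. The flake exports no `checks`; deploy-rs provides `deployChecks`, and `checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;` would validate the node definitions under `nix flake check` before a deploy. The `rec` on the `lkk-nix-1` `lib.nixosSystem` call is unused, and the two `extraSpecialArgs` blocks holding the truncated `# pass things to t` comment omit the `inherit inputs outputs;` that the `m3-nix` entry passes, so the three home configurations are not built alike.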
@@ -0,0 +1,67 @@
+{ pkgs, ... }: {
+ imports = [
+ ./fish.nix
+ ./neofetch.nix
+ ./secrets.nix
+ ./scripts.nix
+ ./starship.nix
+ ./zellij.nix
+ ];
+
+ programs.zoxide = {
+ enable = true;
+ enableFishIntegration = true;
+ };
+
+ programs.fzf = {
+ enable = true;
+ enableFishIntegration = true;
+ defaultOptions = [ "--preview='bat --color=always --style=numbers {}'" ];
+ };
+
+ programs.neovim = {
+ enable = true;
+ defaultEditor = true;
+ viAlias = true;
+ vimAlias = true;
+ vimdiffAlias = true;
+ withNodeJs = true;
+ withPython3 = true;
+ };
+
+ programs.bat = { enable = true; };
+
+ programs.eza = {
+ enableFishIntegration = true;
+ enableBashIntegration = true;
+ git = true;
+ icons = true;
+ };
+
+ home.packages = with pkgs; [
+ alejandra
+ bc
+ comma
+ coreutils
+ devenv
+ direnv
+ eza
+ fd
+ htop
+ httpie
+ jq
+ just
+ lf
+ nix-index
+ open-interpreter
+ procs
+ progress
+ ripgrep
+ tldr
+ trash-cli
+ tree
+ unzip
+ wttrbar
+ zip
+ ];
+}
diff --git a/home/features/cli/fish.nix b/home/features/cli/fish.nix
new file mode 100644
index 0000000..8d4b512
--- /dev/null
+++ b/home/features/cli/fish.nix
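Review bot: `programs.eza` never sets `enable = true`, so its `enableFishIntegration`, `enableBashIntegration`, `git` and `icons` settings are inert — the home-manager module only emits configuration when `programs.eza.enable` is on, and the `eza` binary here comes solely from `home.packages`; add `enable = true;` to that block, after which the explicit `eza` entry in `home.packages` is redundant. `direnv` is likewise installed by hand here while `programs.direnv.enable = true` in `home/features/coding/tools.nix` already provides the package and shell hooks, so one of the two should go. `open-interpreter` executes model-generated code on the local machine and is pulled in for every user importing this file; a one-line comment stating that it is intentionally part of the default CLI set would help a later reviewer, if that is indeed intended.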
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let cfg = config.features.cli.fish;
+in {
+ options.features.cli.fish.enable = mkEnableOption "enable fish shell";
+
+ config = mkIf cfg.enable {
+ programs.fish = {
+ enable = true;
+ plugins = [{
+ name = "foreign-env";
+ src = pkgs.fetchFromGitHub {
+ owner = "oh-my-fish";
+ repo = "plugin-foreign-env";
+ rev = "dddd9213272a0ab848d474d0cbde12ad034e65bc";
+ sha256 = "00xqlyl3lffc5l0viin1nyp819wf81fncqyz87jx8ljjdhilmgbs";
+ };
+ }];
+ loginShellInit = ''
+ set -x TERMINAL alacritty
+ set -x XDG_DATA_HOME $HOME/.local/share
+ set -x FZF_CTRL_R_OPTS "
+ --preview='bat --color=always -n {}'
+ --preview-window up:3:hidden:wrap
+ --bind 'ctrl-/:toggle-preview'
+ --color header:bold
+ --header 'Press CTRL-Y to copy command into clipboard'"
+ set -x FZF_ALT_C_COMMAND fd --type d --exclude .git --follow --hidden
+ set -x FZF_DEFAULT_COMMAND fd --type f --exclude .git --follow --hidden
+ set -x FZF_CTRL_T_COMMAND "$FZF_DEFAULT_COMMAND"
+ set -x FZF_DEFAULT_OPTS "
+ --preview='bat --color=always -n {}'
+ --bind 'ctrl-/:toggle-preview'
+ --color=fg:#f8f8f2,bg:#282a36,hl:#bd93f9
+ --color=fg+:#f8f8f2,bg+:#44475a,hl+:#bd93f9
+ --color=info:#ffb86c,prompt:#50fa7b,pointer:#ff79c6
+ --color=marker:#ff79c6,spinner:#ffb86c,header:#6272a4"
+ '';
+ shellAbbrs = {
+ ".." = "cd ..";
+ ls = "eza";
+ grep = "rg";
+ ps = "procs";
+ just = "just --unstable";
+ fs = "du -ah . | sort -hr | head -n 10";
+
+ tsu = "sudo tailscale up";
+ tsd = "sudo tailscale down";
+ };
+ };
+ };
+}
diff --git a/home/features/cli/neofetch.nix b/home/features/cli/neofetch.nix
new file mode 100644
index 0000000..e4123da
--- /dev/null
+++ b/home/features/cli/neofetch.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.features.cli.neofetch;
+in {
+ options.features.cli.neofetch.enable = mkEnableOption "enable neofetch";
+
+ config = mkIf cfg.enable {
+ home.packages = with pkgs; [neofetch];
+ };
+}
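Review bot: The `--header 'Press CTRL-Y to copy command into clipboard'` line in `FZF_CTRL_R_OPTS` promises a key that the options never bind — there is no `ctrl-y` entry in the `--bind` list, so pressing it does nothing; either drop the header or add the binding it advertises, e.g. `--bind 'ctrl-y:execute-silent(echo -n {2..} | wl-copy)+abort'` (wl-copy assumed from the Wayland modules elsewhere in this commit — use whatever clipboard tool the hosts actually have). The `foreign-env` plugin is fetched with a pinned `rev` and `sha256`, which is the right way to vendor it, but nothing in this module calls it; a comment on the `name = "foreign-env";` line such as `# provides fenv: run sh/bash snippets and import their environment into fish` would record why it is pulled in.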
diff --git a/home/features/cli/scripts.nix b/home/features/cli/scripts.nix
new file mode 100644
index 0000000..acf64bb
--- /dev/null
+++ b/home/features/cli/scripts.nix
@@ -0,0 +1 @@
+{pkgs, ...}: {home.packages = [pkgs.zellij-ps];}
diff --git a/home/features/cli/secrets.nix b/home/features/cli/secrets.nix
new file mode 100644
index 0000000..df4ca6f
--- /dev/null
+++ b/home/features/cli/secrets.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.features.cli.secrets;
+in {
+ options.features.cli.secrets.enable = mkEnableOption "enable secrets";
+
+ config = mkIf cfg.enable {
+ programs.password-store = {
+ enable = true;
+ package =
+ pkgs.pass-wayland.withExtensions
+ (exts: [exts.pass-otp exts.pass-import]);
+ };
+ home.packages = with pkgs; [pinentry];
+ };
+}
diff --git a/home/features/cli/starship.nix b/home/features/cli/starship.nix
new file mode 100644
index 0000000..f3d53f6
--- /dev/null
+++ b/home/features/cli/starship.nix
@@ -0,0 +1,18 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.features.cli.starship;
+in {
+ options.features.cli.starship.enable = mkEnableOption "enable starship prompt";
+
+ config = mkIf cfg.enable {
+ programs.starship = {
+ enable = true;
+ enableFishIntegration = true;
+ };
+ };
+}
diff --git a/home/features/cli/zellij.nix b/home/features/cli/zellij.nix
new file mode 100644
index 0000000..e5c3d62
--- /dev/null
+++ b/home/features/cli/zellij.nix
@@ -0,0 +1,17 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.features.cli.zellij;
+in {
+ options.features.cli.zellij.enable = mkEnableOption "enable tmux";
+
+ config = mkIf cfg.enable {
+ programs.zellij = {
+ enable = true;
+ };
+ };
+}
diff --git a/home/features/coding/default.nix b/home/features/coding/default.nix
new file mode 100644
index 0000000..0f48295
--- /dev/null
+++ b/home/features/coding/default.nix
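Review bot: `options.features.cli.zellij.enable` is declared as `mkEnableOption "enable tmux"`, but the module switches on `programs.zellij`; the description ends up in generated option docs, so it should read `mkEnableOption "enable zellij"`. In the `home/features/cli/secrets.nix` hunk on the same line, `pinentry` is added to `home.packages` next to `pass-wayland` with `pass-otp`, yet no gpg-agent configuration appears in this file; if the agent and its pinentry are set up elsewhere, a comment on the `home.packages` line pointing there (or the corresponding `services.gpg-agent` pinentry setting placed here) would make the dependency explicit, since `pass` decryption depends on it.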
@@ -0,0 +1,13 @@ +{pkgs, ...}: { + imports = [./emacs.nix ./golang.nix ./nix.nix ./nodejs.nix ./rust.nix ./tools.nix]; + + home.packages = with pkgs; [ + cachix + cmake + gcc + ispell + guile_3_0 + tinyscheme + python3 + ]; +} diff --git a/home/features/coding/emacs.nix b/home/features/coding/emacs.nix new file mode 100644 index 0000000..27ff711 --- /dev/null +++ b/home/features/coding/emacs.nix @@ -0,0 +1,8 @@ +{pkgs, ...}: { + services.emacs.enable = true; + programs.emacs = { + enable = true; + package = pkgs.emacs29; + extraPackages = epkgs: [epkgs.vterm]; + }; +} diff --git a/home/features/coding/golang.nix b/home/features/coding/golang.nix new file mode 100644 index 0000000..59df1a0 --- /dev/null +++ b/home/features/coding/golang.nix @@ -0,0 +1,5 @@ +{pkgs, ...}: { + home.packages = with pkgs; [ + gopls + ]; +} diff --git a/home/features/coding/nix.nix b/home/features/coding/nix.nix new file mode 100644 index 0000000..ea98a2b --- /dev/null +++ b/home/features/coding/nix.nix @@ -0,0 +1,9 @@ +{pkgs, ...}: { + home.packages = with pkgs; [ + appimage-run + deploy-rs + nil + nix-prefetch-git + nixfmt + ]; +} diff --git a/home/features/coding/nodejs.nix b/home/features/coding/nodejs.nix new file mode 100644 index 0000000..4319bef --- /dev/null +++ b/home/features/coding/nodejs.nix @@ -0,0 +1 @@ +{pkgs, ...}: {home.packages = with pkgs; [nodejs];} diff --git a/home/features/coding/rust.nix b/home/features/coding/rust.nix new file mode 100644 index 0000000..9c8c9eb --- /dev/null +++ b/home/features/coding/rust.nix @@ -0,0 +1 @@ +{pkgs, ...}: {home.packages = with pkgs; [];} diff --git a/home/features/coding/tools.nix b/home/features/coding/tools.nix new file mode 100644 index 0000000..540b54e --- /dev/null +++ b/home/features/coding/tools.nix @@ -0,0 +1,10 @@ +{pkgs, ...}: { + programs = { + direnv = { + enable = true; + nix-direnv.enable = true; + }; + }; + + home.packages = with pkgs; [insomnia hugo pandoc]; +} 
diff --git a/home/features/desktop/crypto.nix b/home/features/desktop/crypto.nix new file mode 100644 index 0000000..4b7e6eb --- /dev/null +++ b/home/features/desktop/crypto.nix @@ -0,0 +1,15 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.features.desktop.crypto; +in { + options.features.desktop.crypto.enable = mkEnableOption "Enable Crypto"; + + config = mkIf cfg.enable { + home.packages = with pkgs; [bisq-desktop monero-gui trezor-suite]; + }; +} diff --git a/home/features/desktop/default.nix b/home/features/desktop/default.nix new file mode 100644 index 0000000..a77105a --- /dev/null +++ b/home/features/desktop/default.nix 
@@ -0,0 +1,153 @@ +{ pkgs, ... }: { + imports = [ + ./crypto.nix + ./design.nix + ./extrafonts.nix + ./media.nix + ./office.nix + ./theme.nix + ./syncthing.nix + ./wayland.nix + ./wofi.nix + ]; + + xdg = { + enable = true; + configFile."mimeapps.list".force = true; + mimeApps = { + enable = true; + associations.added = { + "application/zip" = [ "org.gnome.FileRoller.desktop" ]; + "application/csv" = [ "calc.desktop" ]; + "application/pdf" = [ "okularApplication_pdf.desktop" ]; + "x-scheme-handler/org-protocol" = [ "org-protocol.desktop" ]; + }; + defaultApplications = { + "application/zip" = [ "org.gnome.FileRoller.desktop" ]; + "application/csv" = [ "calc.desktop" ]; + "application/pdf" = [ "okularApplication_pdf.desktop" ]; + "x-scheme-handler/org-protocol" = [ "org-protocol.desktop" ]; + }; + }; + userDirs = { + enable = true; + createDirectories = true; + }; + }; + + home.sessionVariables = { + WEBKIT_DISABLE_COMPOSITING_MODE = "1"; + NIXOS_OZONE_WL = "1"; + TERMINAL = "alacritty"; + QT_QPA_PLATFORM = "wayland"; + }; + home.sessionPath = + [ "\${XDG_BIN_HOME}" "\${HOME}/.cargo/bin" "$HOME/.npm-global/bin" ]; + + fonts.fontconfig.enable = true; + + services.mako = { + enable = true; + backgroundColor = "#282a36"; + textColor = "#80FFEA"; + borderColor = "#9742b5"; + width = 400; + height = 150; + padding = "10,20"; + borderRadius = 8; + borderSize = 1; + margin = "20,20"; + }; + + programs.alacritty = { + enable = true; + settings = { + env.TERM = "xterm-256color"; + font = { + size = 12; + #draw_bold_text_with_bright_colors = true; + }; + scrolling.multiplier = 5; + selection.save_to_clipboard = true; + colors = { + primary = { + background = "0x22212c"; + #foregound = "0xf8f8f2"; + }; + cursor = { + text = "0x454158"; + cursor = "0xf8f8f2"; + }; + selection = { + text = "0xf8f8f2"; + background = "0x454158"; + }; + normal = { + black = "0x22212c"; + red = "0xff9580"; + green = "0x8aff80"; + yellow = "0xffff80"; + blue = "0x9580ff"; + magenta = "0xff80bf"; + 
cyan = "0x80ffea"; + white = "0xf8f8f2"; + }; + bright = { + black = "0x22212c"; + red = "0xffaa99"; + green = "0xa2ff99"; + yellow = "0xffff99"; + blue = "0xaa99ff"; + magenta = "0xff99cc"; + cyan = "0x99ffee"; + white = "0xffffff"; + }; + }; + }; + }; + home.pointerCursor = { + gtk.enable = true; + package = pkgs.bibata-cursors; + name = "Bibata-Modern-Ice"; + size = 20; + }; + home.packages = with pkgs; [ + appimage-run + anytype + blueberry + brave + brightnessctl + clipman + distrobox + eww + gnome.file-roller + gnome.seahorse + gnome.sushi + glib + gsettings-desktop-schemas + graphviz + hyprpaper + ksnip + nwg-look + pamixer + pavucontrol + libsForQt5.qtstyleplugins + nyxt + pcmanfm + qt5ct + qt6.qtwayland + rustdesk + socat + unrar + unzip + usbutils + v4l-utils + remmina + wl-clipboard + wlogout + wtype + xdg-utils + ydotool + zip + ]; +} diff --git a/home/features/desktop/design.nix b/home/features/desktop/design.nix new file mode 100644 index 0000000..9a72765 --- /dev/null +++ b/home/features/desktop/design.nix @@ -0,0 +1,25 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.features.desktop.design; +in { + options.features.desktop.design.enable = mkEnableOption "enable design tools"; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ + argyllcms + cyan + gimp + gimpPlugins.gmic + gmic + gmic-qt + imagemagick + inkscape + lcms2 + ]; + }; +} diff --git a/home/features/desktop/extrafonts.nix b/home/features/desktop/extrafonts.nix new file mode 100644 index 0000000..33f51e8 --- /dev/null +++ b/home/features/desktop/extrafonts.nix 
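Review bot: `home.sessionPath` in this hunk mixes escaping styles — `"\${XDG_BIN_HOME}"` and `"\${HOME}/.cargo/bin"` escape the interpolation, while `"$HOME/.npm-global/bin"` relies on Nix treating `$H` as literal text; all three end up as shell-time strings, but the inconsistency reads as if one of them was meant to be evaluated by Nix. Writing all three the same way (`"\${HOME}/.npm-global/bin"`) removes the doubt. The two commented-out Alacritty keys (`#draw_bold_text_with_bright_colors`, `#foregound`) look like leftovers — the second has a typo that would have been a silent no-op anyway — and could be either dropped or given a one-line note on why they are kept.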
@@ -0,0 +1,23 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.features.desktop.extrafonts; +in { + options.features.desktop.extrafonts.enable = mkEnableOption "install additional fonts for desktop apps"; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ + emacs-all-the-icons-fonts + fira-code + fira-code-symbols + fira-code-nerdfont + font-manager + font-awesome_5 + noto-fonts + ]; + }; +} diff --git a/home/features/desktop/media.nix b/home/features/desktop/media.nix new file mode 100644 index 0000000..6e30b82 --- /dev/null +++ b/home/features/desktop/media.nix @@ -0,0 +1,36 @@ +{ config, lib, pkgs, ... }: +with lib; +let cfg = config.features.desktop.media; +in { + options.features.desktop.media.enable = + mkEnableOption "enable media features"; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ + audacity + ffmpeg_6-full + gphoto2 + handbrake + stable.libsForQt5.kdenlive + makemkv + mediainfo + mpv + plexamp + spotify + uxplay + vlc + webcord + youtube-dl + unimatrix + ]; + + programs.obs-studio = { + enable = true; + plugins = with pkgs.obs-studio-plugins; [ + input-overlay + wlrobs + obs-vertical-canvas + ]; + }; + }; +} diff --git a/home/features/desktop/office.nix b/home/features/desktop/office.nix new file mode 100644 index 0000000..41be21a --- /dev/null +++ b/home/features/desktop/office.nix @@ -0,0 +1,16 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.features.desktop.office; +in { + options.features.desktop.office.enable = + mkEnableOption "enable office features"; + + config = mkIf cfg.enable { + home.packages = with pkgs; [libreoffice neomutt pdftk okular zathura]; + }; +} diff --git a/home/features/desktop/plasma.nix b/home/features/desktop/plasma.nix new file mode 100644 index 0000000..34bf484 --- /dev/null +++ b/home/features/desktop/plasma.nix 
@@ -0,0 +1,21 @@ +{ + pkgs, + lib, + outputs, + ... +}: { + imports = [ + # + ]; + + home.packages = with pkgs; [ + alacritty + brave + libreoffice + nextcloud-client + xclip + libnotify + espanso + firefox + ]; +} diff --git a/home/features/desktop/syncthing.nix b/home/features/desktop/syncthing.nix new file mode 100644 index 0000000..3a8a041 --- /dev/null +++ b/home/features/desktop/syncthing.nix @@ -0,0 +1,4 @@ +{pkgs, ...}: { + services.syncthing = {enable = true;}; + home.packages = with pkgs; [syncthingtray-minimal]; +} diff --git a/home/features/desktop/theme.nix b/home/features/desktop/theme.nix new file mode 100644 index 0000000..d6f8874 --- /dev/null +++ b/home/features/desktop/theme.nix @@ -0,0 +1,17 @@ +{pkgs, ...}: { + qt = { + enable = true; + platformTheme = "gtk"; + }; + gtk = { + enable = true; + theme = { + name = "Dracula"; + package = pkgs.dracula-theme; + }; + iconTheme = { + name = "Dracula"; + package = pkgs.dracula-icon-theme; + }; + }; +} diff --git a/home/features/desktop/wayland.nix b/home/features/desktop/wayland.nix new file mode 100644 index 0000000..b88956c --- /dev/null +++ b/home/features/desktop/wayland.nix @@ -0,0 +1,15 @@ +{ inputs, config, lib, pkgs, ... }: { + programs.waybar = { enable = true; }; + home.packages = with pkgs; [ + grim + hypridle + hyprlock + mimeo + pulseaudio + slurp + waypipe + wf-recorder + wl-mirror + ydotool + ]; +} diff --git a/home/features/desktop/wofi.nix b/home/features/desktop/wofi.nix new file mode 100644 index 0000000..88b10c0 --- /dev/null +++ b/home/features/desktop/wofi.nix @@ -0,0 +1,7 @@ +{ + pkgs, + outputs, + ... +}: { + home.packages = [pkgs.wofi pkgs.bemoji pkgs.wofi-pass]; +} diff --git a/home/features/gaming/default.nix b/home/features/gaming/default.nix new file mode 100644 index 0000000..6cae595 --- /dev/null +++ b/home/features/gaming/default.nix 
@@ -0,0 +1,11 @@ +{pkgs, ...}: { + imports = [./sunshine.nix]; + home.packages = with pkgs; [ + gamemode + gamescope + goverlay + mangohud + ryujinx + protonup-ng + ]; +} diff --git a/home/features/gaming/sunshine.nix b/home/features/gaming/sunshine.nix new file mode 100644 index 0000000..c0bcee5 --- /dev/null +++ b/home/features/gaming/sunshine.nix @@ -0,0 +1,15 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.features.gaming.sunshine; +in { + options.features.gaming.sunshine.enable = mkEnableOption "enable Sunshine"; + + config = mkIf cfg.enable { + home.packages = with pkgs; [sunshine]; + }; +} diff --git a/home/features/hardware/default.nix b/home/features/hardware/default.nix new file mode 100644 index 0000000..0c17c09 --- /dev/null +++ b/home/features/hardware/default.nix @@ -0,0 +1,6 @@ +{pkgs, ...}: { + home.packages = with pkgs; [ + lm_sensors + powertop + ]; +} diff --git a/home/features/privacy/default.nix b/home/features/privacy/default.nix new file mode 100644 index 0000000..b5d380c --- /dev/null +++ b/home/features/privacy/default.nix @@ -0,0 +1,5 @@ +{pkgs, ...}: { + home.packages = with pkgs; [ + i2p + ]; +} diff --git a/home/features/virtualization/default.nix b/home/features/virtualization/default.nix new file mode 100644 index 0000000..c43eb43 --- /dev/null +++ b/home/features/virtualization/default.nix @@ -0,0 +1 @@ +{imports = [./podman.nix ./qemu.nix];} diff --git a/home/features/virtualization/podman.nix b/home/features/virtualization/podman.nix new file mode 100644 index 0000000..711678d --- /dev/null +++ b/home/features/virtualization/podman.nix @@ -0,0 +1,14 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.features.virtualization.podman; +in { + options.features.virtualization.podman.enable = + mkEnableOption "install podman"; + + config = mkIf cfg.enable {home.packages = with pkgs; [fuse-overlayfs];}; +} 
diff --git a/home/features/virtualization/qemu.nix b/home/features/virtualization/qemu.nix new file mode 100644 index 0000000..ca0088d --- /dev/null +++ b/home/features/virtualization/qemu.nix @@ -0,0 +1,14 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.features.virtualization.qemu; +in { + options.features.virtualization.qemu.enable = + mkEnableOption "install qemu tools"; + config = + mkIf cfg.enable {home.packages = with pkgs; [virt-manager virtiofsd];}; +} diff --git a/home/users/lkk-admin/base/default.nix b/home/users/lkk-admin/base/default.nix new file mode 100644 index 0000000..4a1db8d --- /dev/null +++ b/home/users/lkk-admin/base/default.nix 
@@ -0,0 +1,56 @@ +{ config, lib, pkgs, inputs, outputs, ... }: +let +in { + nixpkgs = { + # You can add overlays here + overlays = [ + # Add overlays your own flake exports (from overlays and pkgs dir): + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.stable-packages + + # You can also add overlays exported from other flakes: + # neovim-nightly-overlay.overlays.default + + # Or define it inline, for example: + # (final: prev: { + # hi = final.hello.overrideAttrs (oldAttrs: { + # patches = [ ./change-hello-to-hi.patch ]; + # }); + # }) + ]; + # Configure your nixpkgs instance + config = { + # Disable if you don't want unfree packages + allowUnfree = true; + # Workaround for https://github.com/nix-community/home-manager/issues/2942 + allowUnfreePredicate = _: true; + }; + }; + + nix = { + package = lib.mkDefault pkgs.nix; + settings = { + experimental-features = [ "nix-command" "flakes" "repl-flake" ]; + warn-dirty = false; + }; + }; + programs = { + home-manager.enable = true; + git.enable = true; + git = { + userName = "m3tam3re"; + userEmail = "m@m3tam3re.com"; + aliases = { st = "status"; }; + extraConfig = { + core.excludesfile = "~/.gitignore_global"; + init.defaultBranch = "master"; + }; + }; + }; + + home = { + username = lib.mkDefault "lkk-admin"; + homeDirectory = lib.mkDefault "/home/${config.home.username}"; + }; +} diff --git a/home/users/lkk-admin/lkk-nix-1.nix b/home/users/lkk-admin/lkk-nix-1.nix new file mode 100644 index 0000000..fcdfd71 --- /dev/null +++ b/home/users/lkk-admin/lkk-nix-1.nix @@ -0,0 +1,16 @@ +{ + config, + pkgs, + ... +}: { + imports = [./base ../../features/cli]; + + features = { + cli = { + fish.enable = true; + starship.enable = true; + }; + }; + + home.stateVersion = "22.11"; +} diff --git a/home/users/m3tam3re/base/default.nix b/home/users/m3tam3re/base/default.nix new file mode 100644 index 0000000..49d8e15 --- /dev/null +++ b/home/users/m3tam3re/base/default.nix 
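Review bot: This module is duplicated nearly verbatim in home/users/m3tam3re/base/default.nix and home/users/produktion/base/default.nix; the only substantive differences are the `home.username` default and the git identity block, and the empty `let in` and unused `inputs` argument are carried along in each copy. A single shared module with the nixpkgs/nix/home-manager settings, leaving only `home.username = lib.mkDefault "<user>";` and the git identity in the per-user file, would keep the three from drifting; the `allowUnfreePredicate = _: true` workaround in particular is the kind of line that tends to get fixed in one copy only. Note also that the git identity here (`userName = "m3tam3re"`, `userEmail = "m@m3tam3re.com"`) is applied to the lkk-admin account as well — worth a comment if that is intentional.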
@@ -0,0 +1,62 @@ +{ + config, + lib, + pkgs, + inputs, + outputs, + ... +}: let +in { + nixpkgs = { + # You can add overlays here + overlays = [ + # Add overlays your own flake exports (from overlays and pkgs dir): + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.stable-packages + + # You can also add overlays exported from other flakes: + # neovim-nightly-overlay.overlays.default + + # Or define it inline, for example: + # (final: prev: { + # hi = final.hello.overrideAttrs (oldAttrs: { + # patches = [ ./change-hello-to-hi.patch ]; + # }); + # }) + ]; + # Configure your nixpkgs instance + config = { + # Disable if you don't want unfree packages + allowUnfree = true; + # Workaround for https://github.com/nix-community/home-manager/issues/2942 + allowUnfreePredicate = _: true; + }; + }; + + nix = { + package = lib.mkDefault pkgs.nix; + settings = { + experimental-features = ["nix-command" "flakes" "repl-flake"]; + warn-dirty = false; + }; + }; + programs = { + home-manager.enable = true; + git.enable = true; + git = { + userName = "m3tam3re"; + userEmail = "m@m3tam3re.com"; + aliases = {st = "status";}; + extraConfig = { + core.excludesfile = "~/.gitignore_global"; + init.defaultBranch = "master"; + }; + }; + }; + + home = { + username = lib.mkDefault "m3tam3re"; + homeDirectory = lib.mkDefault "/home/${config.home.username}"; + }; +} diff --git a/home/users/m3tam3re/dotfiles/default.nix b/home/users/m3tam3re/dotfiles/default.nix new file mode 100644 index 0000000..5430ee6 --- /dev/null +++ b/home/users/m3tam3re/dotfiles/default.nix 
@@ -0,0 +1,22 @@ +{ pkgs, inputs, ... }: { + home.file.".config/bat" = { + source = "${inputs.dotfiles}/bat"; + recursive = true; + }; + home.file.".config/nyxt" = { + source = "${inputs.dotfiles}/nyxt"; + recursive = true; + }; + home.file.".config/hypr" = { + source = "${inputs.dotfiles}/hypr"; + recursive = true; + }; + home.file.".config/nvim" = { + source = "${inputs.dotfiles}/nvim"; + recursive = true; + }; + home.file.".config/zellij" = { + source = "${inputs.dotfiles}/zellij"; + recursive = true; + }; +} diff --git a/home/users/m3tam3re/dotfiles/hyprland.nix b/home/users/m3tam3re/dotfiles/hyprland.nix new file mode 100644 index 0000000..a4e4a41 --- /dev/null +++ b/home/users/m3tam3re/dotfiles/hyprland.nix 
@@ -0,0 +1,227 @@ +{ config, ... }: { + home.file.".config/hypr/hyprland.conf".text = '' + + # See https://wiki.hyprland.org/Configuring/Monitors/ + monitor=eDP-1,preferred,2560x0,1.25 + monitor=DP-1,preferred,0x0,1 + + # See https://wiki.hyprland.org/Configuring/Keywords/ for more + xwayland { + force_zero_scaling = true + } + # Execute your favorite apps at launch + # exec-once = waybar & hyprpaper & firefox + exec-once = waybar + exec-once = hyprpaper + exec-once = wl-paste -p -t text --watch clipman store -P --histpath="~/.local/share/clipman-primary.json" + # Source a file (multi-file configs) + # source = ~/.config/hypr/myColors.conf + + # Some default env vars. + env = LIBVA_DRIVER_NAME,nvidia + env = XDG_SESSION_TYPE,wayland + env = GBM_BACKEND,nvidia-drm + env = __GLX_VENDOR_LIBRARY_NAME,nvidia + env = XCURSOR_SIZE,32 + env = WLR_NO_HARDWARE_CURSORS,1 + env = GTK_THEME,Dracula + # For all categories, see https://wiki.hyprland.org/Configuring/Variables/ + input { + kb_layout = de,us + kb_variant = + kb_model = + kb_rules = + kb_options=ctrl:nocaps + follow_mouse = 1 + + touchpad { + natural_scroll = yes + } + + sensitivity = 0 # -1.0 - 1.0, 0 means no modification. 
+ } + + device { + name = zsa-technology-labs-moonlander-mark-i + kb_layout = us + } + + general { + # See https://wiki.hyprland.org/Configuring/Variables/ for more + #col.active_border = rgb(44475a) rgb(bd93f9) 90deg + #col.inactive_border = rgba(44475aaa) + #col.group_border = rgba(282a36dd) + #col.group_border_active = rgb(bd93f9) rgb(44475a) 90deg + + gaps_in = 5 + gaps_out = 5 + border_size = 1 + col.active_border = rgba(9742b5ee) rgba(9742b5ee) 45deg + col.inactive_border = rgba(595959aa) + + layout = dwindle + } + + decoration { + # See https://wiki.hyprland.org/Configuring/Variables/ for more + col.shadow = rgba(1E202966) + drop_shadow = yes + shadow_range = 60 + shadow_offset = 1 2 + shadow_render_power = 3 + shadow_scale = 0.97 + rounding = 8 + blur { + enabled = yes + size = 3 + passes = 3 + } + active_opacity = 0.9 + inactive_opacity = 0.5 + drop_shadow = yes + shadow_range = 4 + shadow_render_power = 3 + } + + animations { + enabled = yes + + # Some default animations, see https://wiki.hyprland.org/Configuring/Animations/ for more + + bezier = myBezier, 0.05, 0.9, 0.1, 1.05 + + animation = windows, 1, 7, myBezier + animation = windowsOut, 1, 7, default, popin 80% + animation = border, 1, 10, default + animation = borderangle, 1, 8, default + animation = fade, 1, 7, default + animation = workspaces, 1, 6, default + } + + dwindle { + # See https://wiki.hyprland.org/Configuring/Dwindle-Layout/ for more + pseudotile = yes # master switch for pseudotiling. 
Enabling is bound to mainMod + P in the keybinds section below + preserve_split = yes # you probably want this + } + + master { + # See https://wiki.hyprland.org/Configuring/Master-Layout/ for more + new_is_master = true + } + + gestures { + # See https://wiki.hyprland.org/Configuring/Variables/ for more + workspace_swipe = off + } + + # Example per-device config + # See https://wiki.hyprland.org/Configuring/Keywords/#executing for more + device { + name = epic-mouse-v1 + sensitivity = -0.5 + } + + # Example windowrule v1 + # windowrule = float, ^(kitty)$ + # Example windowrule v2 + # windowrulev2 = float,class:^(kitty)$,title:^(kitty)$ + # See https://wiki.hyprland.org/Configuring/Window-Rules/ for more + windowrule = float, file_progress + windowrule = float, confirm + windowrule = float, dialog + windowrule = float, download + windowrule = float, notification + windowrule = float, error + windowrule = float, splash + windowrule = float, confirmreset + windowrule = float, title:Open File + windowrule = float, title:branchdialog + windowrule = float, Lxappearance + windowrule = float, Wofi + windowrule = float, dunst + windowrule = animation none,Wofi + windowrule = float,viewnior + windowrule = float,feh + windowrule = float, pavucontrol-qt + windowrule = float, pavucontrol + windowrule = float, file-roller + windowrule = fullscreen, wlogout + windowrule = float, title:wlogout + windowrule = fullscreen, title:wlogout + windowrule = idleinhibit focus, mpv + windowrule = idleinhibit fullscreen, firefox + windowrule = float, title:^(Media viewer)$ + windowrule = float, title:^(Volume Control)$ + windowrule = float, title:^(Picture-in-Picture)$ + windowrule = size 800 600, title:^(Volume Control)$ + windowrule = move 75 44%, title:^(Volume Control)$ + + # See https://wiki.hyprland.org/Configuring/Keywords/ for more + $mainMod = SUPER + + # Example binds, see https://wiki.hyprland.org/Configuring/Binds/ for more + bind = $mainMod, return, exec, alacritty -e zellij-ps 
+ bind = $mainMod, t, exec, alacritty + bind = $mainMod SHIFT, e, exec, alacritty -e zellij_nvim + bind = $mainMod, o, exec, thunar + bind = $mainMod, Escape, exec, wlogout -p layer-shell + bind = $mainMod, Space, togglefloating + bind = $mainMod, q, killactive, + bind = $mainMod, M, exit, + bind= $mainMod, F, fullscreen + bind = $mainMod, V, togglefloating, + bind = $mainMod, D, exec, wofi --show drun --allow-images + bind = $mainMod SHIFT, S, exec, bemoji + bind = $mainMod, P, exec, wofi-pass + bind = $mainMod SHIFT, P, pseudo, # dwindle + bind = $mainMod, J, togglesplit, # dwindle + + # Move focus with mainMod + arrow keys + bind = $mainMod, left, movefocus, l + bind = $mainMod, right, movefocus, r + bind = $mainMod, up, movefocus, u + bind = $mainMod, down, movefocus, d + + workspace = 1, monitor:DP-1, default:true + workspace = 2, monitor:DP-1 + workspace = 3, monitor:DP-1 + workspace = 4, monitor:eDP-1 + workspace = 5, monitor:eDP-1 + + windowrulev2 = workspace 1,class:(Emacs) + windowrulev2 = workspace 3,opacity 1.0, class:(brave-browser) + windowrulev2 = workspace 4,class:(com.obsproject.Studio) + + # Switch workspaces with mainMod + [0-9] + bind = $mainMod, 1, workspace, 1 + bind = $mainMod, 2, workspace, 2 + bind = $mainMod, 3, workspace, 3 + bind = $mainMod, 4, workspace, 4 + bind = $mainMod, 5, workspace, 5 + bind = $mainMod, 6, workspace, 6 + bind = $mainMod, 7, workspace, 7 + bind = $mainMod, 8, workspace, 8 + bind = $mainMod, 9, workspace, 9 + bind = $mainMod, 0, workspace, 10 + + # Move active window to a workspace with mainMod + SHIFT + [0-9] + bind = $mainMod SHIFT, 1, movetoworkspace, 1 + bind = $mainMod SHIFT, 2, movetoworkspace, 2 + bind = $mainMod SHIFT, 3, movetoworkspace, 3 + bind = $mainMod SHIFT, 4, movetoworkspace, 4 + bind = $mainMod SHIFT, 5, movetoworkspace, 5 + bind = $mainMod SHIFT, 6, movetoworkspace, 6 + bind = $mainMod SHIFT, 7, movetoworkspace, 7 + bind = $mainMod SHIFT, 8, movetoworkspace, 8 + bind = $mainMod SHIFT, 9, 
movetoworkspace, 9 + bind = $mainMod SHIFT, 0, movetoworkspace, 10 + + # Scroll through existing workspaces with mainMod + scroll + bind = $mainMod, mouse_down, workspace, e+1 + bind = $mainMod, mouse_up, workspace, e-1 + + # Move/resize windows with mainMod + LMB/RMB and dragging + bindm = $mainMod, mouse:272, movewindow + bindm = $mainMod, mouse:273, resizewindow + ''; +} diff --git a/home/users/m3tam3re/lkk-nix-1.nix b/home/users/m3tam3re/lkk-nix-1.nix new file mode 100644 index 0000000..fcdfd71 --- /dev/null +++ b/home/users/m3tam3re/lkk-nix-1.nix @@ -0,0 +1,16 @@ +{ + config, + pkgs, + ... +}: { + imports = [./base ../../features/cli]; + + features = { + cli = { + fish.enable = true; + starship.enable = true; + }; + }; + + home.stateVersion = "22.11"; +} diff --git a/home/users/m3tam3re/m3-nix.nix b/home/users/m3tam3re/m3-nix.nix new file mode 100644 index 0000000..ed348f2 --- /dev/null +++ b/home/users/m3tam3re/m3-nix.nix @@ -0,0 +1,38 @@ +{ + config, + pkgs, + ... +}: { + imports = [ + ./base + ./dotfiles + ../../features/cli + ../../features/coding + ../../features/desktop + ../../features/gaming + ../../features/virtualization + ]; + + features = { + cli = { + fish.enable = true; + neofetch.enable = true; + secrets.enable = true; + starship.enable = true; + zellij.enable = true; + }; + gaming = {sunshine.enable = true;}; + desktop = { + crypto.enable = true; + design.enable = true; + extrafonts.enable = true; + media.enable = true; + office.enable = true; + }; + virtualization = { + podman.enable = true; + qemu.enable = true; + }; + }; + home.stateVersion = "24.05"; +} diff --git a/home/users/m3tam3re/m3-r1.nix b/home/users/m3tam3re/m3-r1.nix new file mode 100644 index 0000000..fcdfd71 --- /dev/null +++ b/home/users/m3tam3re/m3-r1.nix @@ -0,0 +1,16 @@ +{ + config, + pkgs, + ... +}: { + imports = [./base ../../features/cli]; + + features = { + cli = { + fish.enable = true; + starship.enable = true; + }; + }; + + home.stateVersion = "22.11"; +} 
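Review bot: In the `decoration { … }` block of this hunk, `drop_shadow`, `shadow_range` and `shadow_render_power` are each set twice (`shadow_range = 60` and later `shadow_range = 4`), so the first values are dead and the effective shadow settings are not obvious to a reader; dropping one set of the three lines makes the intent explicit. The `device { name = epic-mouse-v1 … }` block and the comment above it are the stock example from the Hyprland wiki and can presumably be removed unless that device name is real. As far as the files in this commit show, home/users/m3tam3re/dotfiles/hyprland.nix is not imported by dotfiles/default.nix or any host file, while dotfiles/default.nix already links `.config/hypr` recursively from `inputs.dotfiles`; if both were enabled they would both manage `.config/hypr/hyprland.conf`, so a comment at the top of this module stating which source is authoritative would help the next reader.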
diff --git a/home/users/produktion/base/default.nix b/home/users/produktion/base/default.nix new file mode 100644 index 0000000..5ac8b44 --- /dev/null +++ b/home/users/produktion/base/default.nix @@ -0,0 +1,52 @@ +{ + config, + lib, + pkgs, + outputs, + ... +}: let +in { + nixpkgs = { + # You can add overlays here + overlays = [ + # Add overlays your own flake exports (from overlays and pkgs dir): + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.stable-packages + + # You can also add overlays exported from other flakes: + # neovim-nightly-overlay.overlays.default + + # Or define it inline, for example: + # (final: prev: { + # hi = final.hello.overrideAttrs (oldAttrs: { + # patches = [ ./change-hello-to-hi.patch ]; + # }); + # }) + ]; + # Configure your nixpkgs instance + config = { + # Disable if you don't want unfree packages + allowUnfree = true; + # Workaround for https://github.com/nix-community/home-manager/issues/2942 + allowUnfreePredicate = _: true; + }; + }; + + nix = { + package = lib.mkDefault pkgs.nix; + settings = { + experimental-features = ["nix-command" "flakes" "repl-flake"]; + warn-dirty = false; + }; + }; + programs = { + home-manager.enable = true; + git.enable = true; + }; + + home = { + username = lib.mkDefault "produktion"; + homeDirectory = lib.mkDefault "/home/${config.home.username}"; + }; +} diff --git a/home/users/produktion/lkk-prod-1.nix b/home/users/produktion/lkk-prod-1.nix new file mode 100644 index 0000000..ab3329b --- /dev/null +++ b/home/users/produktion/lkk-prod-1.nix @@ -0,0 +1,21 @@ +{ + config, + pkgs, + ... +}: { + imports = [ + ./base + ../../features/cli + ../../features/desktop/plasma.nix + ../../features/desktop/media.nix + ]; + + features = { + cli = { + fish.enable = true; + starship.enable = true; + }; + }; + + home.stateVersion = "24.05"; +} diff --git a/home/users/produktion/lkk-prod-2.nix b/home/users/produktion/lkk-prod-2.nix new file mode 100644 index 0000000..ab3329b --- /dev/null 
+++ b/home/users/produktion/lkk-prod-2.nix @@ -0,0 +1,21 @@ +{ + config, + pkgs, + ... +}: { + imports = [ + ./base + ../../features/cli + ../../features/desktop/plasma.nix + ../../features/desktop/media.nix + ]; + + features = { + cli = { + fish.enable = true; + starship.enable = true; + }; + }; + + home.stateVersion = "24.05"; +} diff --git a/hosts/common/base/default.nix b/hosts/common/base/default.nix new file mode 100644 index 0000000..09e617e --- /dev/null +++ b/hosts/common/base/default.nix @@ -0,0 +1,21 @@ +{ + lib, + pkgs, + inputs, + outputs, + ... +}: +with pkgs; { + imports = [inputs.home-manager.nixosModules.home-manager]; + home-manager = { + useUserPackages = true; + extraSpecialArgs = {inherit inputs outputs;}; + }; + users.defaultUserShell = fish; + + environment.systemPackages = [ + inputs.agenix.packages."${pkgs.system}".default + inputs.fh.packages."${pkgs.system}".default + coreutils + ]; +} diff --git a/hosts/common/users/lkk-admin/default.nix b/hosts/common/users/lkk-admin/default.nix new file mode 100644 index 0000000..61113ae --- /dev/null +++ b/hosts/common/users/lkk-admin/default.nix 
@@ -0,0 +1,26 @@ +{ config, pkgs, inputs, ... }: { + users.users.lkk-admin = { + initialHashedPassword = + "$y$j9T$wOKc3kLsQVtmmyLIN7ljV.$NvdWzwn6p8JNByHoXQqf6/GF3C0JOPHW/D0HgFLQXy4"; + isNormalUser = true; + description = "lkk-admin"; + extraGroups = [ + "wheel" + "networkmanager" + "libvirtd" + "flatpak" + "audio" + "video" + "plugdev" + "input" + "kvm" + "qemu-libvirtd" + ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDh8J7t25qJ5ibc1qmf5WOTWMSqbMQnCbAgdnTzCIJto6ybyRUqoKTr4Os1d1wf4SxzERApzqkBA9fKN2hsAoCi72agXZSpSgHNWZMH+qYXxiYQjNV1ueuCISCjFdDSeu8jQV8UMyEOfi1yNN0g3YXnt7KOnfcv5mdi7jZXmI6CpaHoVZo1xyozBFQj9AM7jP0J5RMXL5mxMfluULBjuR2rxa/74HHbxfxrireGgeW94nnyT0WD9vPxvLuiAufarCrwwh1kLS4COu9QshcVnu1tKH9vXJFIS0r6+vHf/Swo/gRf/AaHUNktFIi9rso+MGGFXozdoHligea6vxYU/3sV m3tam3re@m3-nix" + ]; + packages = [ inputs.home-manager.packages.${pkgs.system}.default ]; + }; + home-manager.users.lkk-admin = + import lkk-admin/${config.networking.hostName}.nix; +} diff --git a/hosts/common/users/lkk-admin/lkk-admin b/hosts/common/users/lkk-admin/lkk-admin new file mode 120000 index 0000000..1511bb1 --- /dev/null +++ b/hosts/common/users/lkk-admin/lkk-admin @@ -0,0 +1 @@ +../../../../home/users/lkk-admin/ \ No newline at end of file diff --git a/hosts/common/users/m3tam3re/default.nix b/hosts/common/users/m3tam3re/default.nix new file mode 100644 index 0000000..204c8f9 --- /dev/null +++ b/hosts/common/users/m3tam3re/default.nix 
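Review bot: `initialHashedPassword` near the top of this hunk embeds a yescrypt hash directly in the repository, and the identical hash is reused for `users.users.m3tam3re` in hosts/common/users/m3tam3re/default.nix, so anyone with read access to the tree can attempt offline guessing and a single credential unlocks two `wheel` accounts. Since the flake already wires agenix (`age.secrets` in hosts/lkk-nix-1/default.nix), the hash can be moved out of the tree with `hashedPasswordFile = config.age.secrets.lkk-admin-password.path;` — the secret name is a placeholder to match whatever is added under `age.secrets`. Note also that `initialHashedPassword` only seeds the account when it is first created, so if the intent is to enforce the value on every rebuild, `hashedPasswordFile` (or `hashedPassword`) is the option that does that. The inline `ssh-rsa` entry is a public key and is fine to keep in the repo.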
@@ -0,0 +1,26 @@ +{ config, pkgs, inputs, ... }: { + users.users.m3tam3re = { + initialHashedPassword = + "$y$j9T$wOKc3kLsQVtmmyLIN7ljV.$NvdWzwn6p8JNByHoXQqf6/GF3C0JOPHW/D0HgFLQXy4"; + isNormalUser = true; + description = "m3tam3re"; + extraGroups = [ + "wheel" + "networkmanager" + "libvirtd" + "flatpak" + "audio" + "video" + "plugdev" + "input" + "kvm" + "qemu-libvirtd" + ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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 m3tam3re@m3-nix" + ]; + packages = [ inputs.home-manager.packages.${pkgs.system}.default ]; + }; + home-manager.users.m3tam3re = + import m3tam3re/${config.networking.hostName}.nix; +} diff --git a/hosts/common/users/m3tam3re/m3tam3re b/hosts/common/users/m3tam3re/m3tam3re new file mode 120000 index 0000000..3ffe3fa --- /dev/null +++ b/hosts/common/users/m3tam3re/m3tam3re @@ -0,0 +1 @@ +../../../../home/users/m3tam3re/ \ No newline at end of file diff --git a/hosts/common/users/produktion/default.nix b/hosts/common/users/produktion/default.nix new file mode 100644 index 0000000..89acb3b --- /dev/null +++ b/hosts/common/users/produktion/default.nix @@ -0,0 +1,19 @@ +{ + config, + pkgs, + lib, + outputs, + ... +}: { + users.users.produktion = { + isNormalUser = true; + description = "Produktion"; + extraGroups = ["tailscale" "networkmanager" "audio" "video"]; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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 m3tam3re@m3-nix" + ]; + packages = [pkgs.home-manager]; + }; + nixpkgs.config.allowUnfree = true; + home-manager.users.produktion = import produktion/${config.networking.hostName}.nix; +} diff --git a/hosts/common/users/produktion/produktion b/hosts/common/users/produktion/produktion new file mode 120000 index 0000000..3ce91f9 --- /dev/null +++ b/hosts/common/users/produktion/produktion @@ -0,0 +1 @@ +../../../../home/users/produktion \ No newline at end of file 
diff --git a/hosts/lkk-nix-1/default.nix b/hosts/lkk-nix-1/default.nix
new file mode 100644
index 0000000..9d96458
--- /dev/null
+++ b/hosts/lkk-nix-1/default.nix
@@ -0,0 +1,92 @@
+{ pkgs, ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ../common/users/lkk-admin
+ ../common/users/m3tam3re
+ ../common/base
+ ./services
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+ services.openssh.enable = true;
+ services.openssh.settings.PasswordAuthentication = false;
+ networking = {
+ hostName = "lkk-nix-1";
+ firewall.enable = true;
+ firewall.allowedTCPPortRanges = [{
+ from = 3000;
+ to = 3100;
+ }];
+ firewall.allowedTCPPorts = [ 53 80 443 5432 3306 3478 ];
+ firewall.allowedUDPPorts = [ 53 51820 41641 ];
+ firewall.allowedUDPPortRanges = [{
+ from = 3478;
+ to = 3481;
+ }];
+ };
+ environment.systemPackages = with pkgs; [ podman-compose ];
+ programs.fish.enable = true;
+ age = {
+ secrets = {
+ mj-smtp-user.file = ../../secrets/mj-smtp-user.age;
+ mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age;
+ tailscale-key.file = ../../secrets/tailscale-key.age;
+
+ vaultwarden-env = {
+ file = ../../secrets/vaultwarden-env.age;
+ mode = "770";
+ };
+
+ metabase-env = {
+ file = ../../secrets/metabase-env.age;
+ mode = "770";
+ };
+
+ n8n-env = {
+ file = ../../secrets/n8n-env.age;
+ mode = "770";
+ };
+ ordercollector-env = {
+ file = ../../secrets/ordercollector-env.age;
+ mode = "770";
+ };
+
+ traefik-env = {
+ file = ../../secrets/traefik-env.age;
+ mode = "770";
+ owner = "traefik";
+ };
+
+ minio-root-cred = {
+ file = ../../secrets/minio-root-cred.age;
+ mode = "770";
+ };
+
+ baserow-env = {
+ file = ../../secrets/baserow-env.age;
+ mode = "770";
+ };
+ littlelink-lanakk-env = {
+ file = ../../secrets/littlelink-lanakk-env.age;
+ mode = "770";
+ };
+ pgadmin = {
+ file = ../../secrets/pgadmin.age;
+ mode = "770";
+ owner = "pgadmin";
+ };
+ };
+ identityPaths = [ "/root/.ssh/lkk-nix-1" ];
+ };
+
+ nix = {
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 30d";
+ };
+ optimise.automatic = true;
+ };
+ system.stateVersion = "22.11"; # Did you read the comment?
+}
diff --git a/hosts/lkk-nix-1/hardware-configuration.nix b/hosts/lkk-nix-1/hardware-configuration.nix
new file mode 100644
index 0000000..6f09139
--- /dev/null
+++ b/hosts/lkk-nix-1/hardware-configuration.nix
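Review bot: `firewall.allowedTCPPorts` opens 5432 (PostgreSQL) and 3306 (MariaDB) on every interface, although the only intended clients are the podman containers that reach the host through `--add-host=...:10.88.0.1`; together with `enableTCPIP = true` and the `trust` entries in postgres.nix this makes the database listener reachable from the public side of this host. Scope those two ports to the container bridge instead, e.g. `networking.firewall.interfaces."podman0".allowedTCPPorts = [ 5432 3306 ];` (assuming the default podman bridge name), and keep only 80/443 in the global list. The `allowedTCPPortRanges` entry 3000–3100 has a similar effect: any container published without a `127.0.0.1:` prefix becomes plain-HTTP reachable beside the TLS routes Traefik provides, which several container files in this commit do.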
@@ -0,0 +1,59 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"]; + boot.initrd.kernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52"; + fsType = "btrfs"; + options = ["subvol=root"]; + }; + + fileSystems."/home" = { + device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52"; + fsType = "btrfs"; + options = ["subvol=home"]; + }; + + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52"; + fsType = "btrfs"; + options = ["subvol=nix"]; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/2550-EF31"; + fsType = "vfat"; + }; + + fileSystems."/var/backup" = { + device = "46.38.248.210:/voln527829a1"; + fsType = "nfs"; + }; + + swapDevices = []; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/lkk-nix-1/services/container.nix b/hosts/lkk-nix-1/services/container.nix new file mode 100644 index 0000000..3790e64 --- /dev/null +++ b/hosts/lkk-nix-1/services/container.nix 
@@ -0,0 +1,13 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [./containers];
+
+ virtualisation.podman = {
+ enable = true;
+ defaultNetwork.settings = {dns_enabled = true;};
+ };
+ virtualisation.oci-containers.backend = "podman";
+}
diff --git a/hosts/lkk-nix-1/services/containers/baserow.nix b/hosts/lkk-nix-1/services/containers/baserow.nix
new file mode 100644
index 0000000..799ad45
--- /dev/null
+++ b/hosts/lkk-nix-1/services/containers/baserow.nix
@@ -0,0 +1,9 @@
+{ config, outputs, ... }: {
+ virtualisation.oci-containers.containers."baserow" = {
+ image = "docker.io/baserow/baserow:1.24.2";
+ environmentFiles = [ config.age.secrets.baserow-env.path ];
+ ports = [ "127.0.0.1:3001:80" ];
+ volumes = [ "baserow_data:/baserow/data" ];
+ extraOptions = [ "--add-host=postgres:10.88.0.1" "--ip=10.88.0.11" ];
+ };
+}
diff --git a/hosts/lkk-nix-1/services/containers/default.nix b/hosts/lkk-nix-1/services/containers/default.nix
new file mode 100644
index 0000000..0375948
--- /dev/null
+++ b/hosts/lkk-nix-1/services/containers/default.nix
@@ -0,0 +1,13 @@
+{
+ imports = [
+ ./baserow.nix
+ ./little-link.nix
+ ./matomo.nix
+ ./mautic.nix
+ ./n8n.nix
+ ./nextcloud.nix
+ ./nginx.nix
+ ./ordercollector.nix
+ ./wordpress.nix
+ ];
+}
diff --git a/hosts/lkk-nix-1/services/containers/little-link.nix b/hosts/lkk-nix-1/services/containers/little-link.nix
new file mode 100644
index 0000000..60f096c
--- /dev/null
+++ b/hosts/lkk-nix-1/services/containers/little-link.nix
@@ -0,0 +1,8 @@
+{ config, outputs, ... }: {
+ virtualisation.oci-containers.containers."littlelink_lanakk" = {
+ image = "ghcr.io/techno-tim/littlelink-server";
+ environmentFiles = [ config.age.secrets.littlelink-lanakk-env.path ];
+ ports = [ "3010:3000" ];
+ extraOptions = [ "--ip=10.88.0.20" ];
+ };
+}
diff --git a/hosts/lkk-nix-1/services/containers/matomo.nix b/hosts/lkk-nix-1/services/containers/matomo.nix
new file mode 100644
index 0000000..326ee12
--- /dev/null
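Review bot: `ports = [ "3010:3000" ]` publishes littlelink on all host addresses rather than on loopback like baserow (`127.0.0.1:3001:80`), and since the host firewall admits TCP 3000–3100 this serves the app as plain HTTP on :3010 beside the TLS route Traefik provides for links.lanakk.com; matomo (`3003:80`) and kk_blog (`3015:80`) repeat the pattern. Podman additionally installs its own forwarding rules for published ports, so the NixOS firewall may not even be the deciding factor — binding to `127.0.0.1:3010:3000` is the reliable fix. `ghcr.io/techno-tim/littlelink-server` also carries no tag or digest, so each pull floats to whatever the registry currently serves as latest; the matomo, n8n, nextcloud and wordpress images have the same problem, while baserow shows the right pinned form.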
+++ b/hosts/lkk-nix-1/services/containers/matomo.nix
@@ -0,0 +1,19 @@
+{
+ config,
+ outputs,
+ ...
+}: {
+ virtualisation.oci-containers.containers."matomo" = {
+ image = "docker.io/matomo";
+ environment = {
+ MATOMO_DATABASE_HOST = "mysql";
+ MATOMO_DATABASE_USERNAME = "matomo";
+ MATOMO_DATABASE_PASSWORD = "matomo";
+ MATOMO_DATABASE_DBNAME = "matomo";
+ PHP_MEMORY_LIMIT = "2048M";
+ };
+ ports = ["3003:80"];
+ volumes = ["matomo_data:/var/www/html"];
+ extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.13"];
+ };
+}
diff --git a/hosts/lkk-nix-1/services/containers/mautic.nix b/hosts/lkk-nix-1/services/containers/mautic.nix
new file mode 100644
index 0000000..73b9639
--- /dev/null
+++ b/hosts/lkk-nix-1/services/containers/mautic.nix
@@ -0,0 +1,20 @@
+{
+ config,
+ outputs,
+ ...
+}: {
+ virtualisation.oci-containers.containers."mautic" = {
+ image = "docker.io/mautic/mautic:v4-apache";
+ environment = {
+ MAUTIC_DB_HOST = "mysql";
+ MAUTIC_DB_USER = "mautic";
+ MAUTIC_DB_PASSWORD = "mautic";
+ MAUTIC_DB_DBNAME = "mautic";
+ PHP_MEMORY_LIMIT = "2048M";
+ MAUTIC_RUN_CRON_JOBS = "true";
+ };
+ ports = ["127.0.0.1:3008:80"];
+ volumes = ["mautic_data:/var/www/html"];
+ extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.23"];
+ };
+}
diff --git a/hosts/lkk-nix-1/services/containers/n8n.nix b/hosts/lkk-nix-1/services/containers/n8n.nix
new file mode 100644
index 0000000..e96d394
--- /dev/null
+++ b/hosts/lkk-nix-1/services/containers/n8n.nix
@@ -0,0 +1,13 @@
+{
+ config,
+ outputs,
+ ...
+}: {
+ virtualisation.oci-containers.containers."n8n" = {
+ image = "docker.n8n.io/n8nio/n8n";
+ environmentFiles = [config.age.secrets.n8n-env.path];
+ ports = ["127.0.0.1:5678:5678"];
+ volumes = ["/var/lib/n8n/.n8n:/home/node/.n8n"];
+ extraOptions = ["--ip=10.88.0.24"];
+ };
+}
diff --git a/hosts/lkk-nix-1/services/containers/nextcloud.nix b/hosts/lkk-nix-1/services/containers/nextcloud.nix
new file mode 100644
index 0000000..e506894
--- /dev/null
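Review bot: `MATOMO_DATABASE_PASSWORD = "matomo"` is a plaintext database credential in Nix code; `virtualisation.oci-containers` renders the `environment` attrset into the generated podman invocation, so the value lands in the world-readable Nix store and in the systemd unit, and it is now also in git history. mautic (`MAUTIC_DB_PASSWORD = "mautic"`) and both wordpress containers (`WORDPRESS_DB_PASSWORD = "wp"`) do the same. The baserow and n8n hunks in this commit already use the right pattern, `environmentFiles = [ config.age.secrets.<name>.path ];`, so move these credentials into age secrets the same way and rotate the database passwords, since the committed values should be treated as disclosed.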
+++ b/hosts/lkk-nix-1/services/containers/nextcloud.nix
@@ -0,0 +1,18 @@
+{
+ config,
+ outputs,
+ ...
+}: {
+ virtualisation.oci-containers.containers."nextcloud" = {
+ image = "docker.io/nextcloud";
+ environment = {
+ TRUSTED_PROXIES = "10.88.0.1/16";
+ OVERWRITEPROTOCOL = "https";
+ OVERWRITECLIURL = "https://cloud.lanakk.com";
+ OVERWRITEHOST = "cloud.lanakk.com";
+ };
+ ports = ["127.0.0.1:3005:80"];
+ volumes = ["nextcloud_data:/var/www/html"];
+ extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.15"];
+ };
+}
diff --git a/hosts/lkk-nix-1/services/containers/nginx.nix b/hosts/lkk-nix-1/services/containers/nginx.nix
new file mode 100644
index 0000000..9f9a241
--- /dev/null
+++ b/hosts/lkk-nix-1/services/containers/nginx.nix
@@ -0,0 +1,12 @@
+{
+ config,
+ outputs,
+ ...
+}: {
+ virtualisation.oci-containers.containers."http-images" = {
+ image = "docker.io/nginx:alpine";
+ ports = ["127.0.0.1:3012:80"];
+ volumes = ["/opt/service-data/http-images:/usr/share/nginx/html"];
+ extraOptions = ["--ip=10.88.0.22"];
+ };
+}
diff --git a/hosts/lkk-nix-1/services/containers/ordercollector.nix b/hosts/lkk-nix-1/services/containers/ordercollector.nix
new file mode 100644
index 0000000..d2c01bd
--- /dev/null
+++ b/hosts/lkk-nix-1/services/containers/ordercollector.nix
@@ -0,0 +1,7 @@
+{ config, outputs, ... }: {
+ virtualisation.oci-containers.containers."ordercollector" = {
+ image = "code.lanakk.com/lanakk/ordercollector:latest";
+ environmentFiles = [ config.age.secrets.ordercollector-env.path ];
+ ports = [ "127.0.0.1:3004:8080" ];
+ };
+}
diff --git a/hosts/lkk-nix-1/services/containers/wordpress.nix b/hosts/lkk-nix-1/services/containers/wordpress.nix
new file mode 100644
index 0000000..901550a
--- /dev/null
+++ b/hosts/lkk-nix-1/services/containers/wordpress.nix
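Review bot: `TRUSTED_PROXIES = "10.88.0.1/16"` makes Nextcloud accept `X-Forwarded-*` headers from the whole podman subnet, so any other container on that bridge — including the ones this commit publishes on non-loopback ports — could present forged client addresses and sidestep Nextcloud's IP-based brute-force throttling and logging. Only the host proxies here: Traefik reaches the container via `127.0.0.1:3005`, which arrives from the bridge gateway, so `TRUSTED_PROXIES = "10.88.0.1/32";` is sufficient. The `/16` on a host address also reads like a typo rather than an intended network range.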
@@ -0,0 +1,30 @@
+{
+ config,
+ outputs,
+ ...
+}: {
+ virtualisation.oci-containers.containers."lanakk_blog" = {
+ image = "docker.io/wordpress";
+ environment = {
+ WORDPRESS_DB_HOST = "mysql";
+ WORDPRESS_DB_USER = "wp";
+ WORDPRESS_DB_PASSWORD = "wp";
+ WORDPRESS_DB_NAME = "lanakk_blog";
+ };
+ ports = ["127.0.0.1:3002:80"];
+ volumes = ["lanakk_blog_data:/var/www/html"];
+ extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.12"];
+ };
+ virtualisation.oci-containers.containers."kk_blog" = {
+ image = "docker.io/wordpress";
+ environment = {
+ WORDPRESS_DB_HOST = "mysql";
+ WORDPRESS_DB_USER = "wp";
+ WORDPRESS_DB_PASSWORD = "wp";
+ WORDPRESS_DB_NAME = "kk_blog";
+ };
+ ports = ["3015:80"];
+ volumes = ["kk_blog_data:/var/www/html"];
+ extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.16"];
+ };
+}
diff --git a/hosts/lkk-nix-1/services/default.nix b/hosts/lkk-nix-1/services/default.nix
new file mode 100644
index 0000000..9f761c8
--- /dev/null
+++ b/hosts/lkk-nix-1/services/default.nix
@@ -0,0 +1,13 @@
+{
+ imports = [
+ ./container.nix
+ ./gitea.nix
+ ./mariadb.nix
+ ./metabase.nix
+ ./postgres.nix
+ ./syncthing.nix
+ ./tailscale.nix
+ ./traefik.nix
+ ./vaultwarden.nix
+ ];
+}
diff --git a/hosts/lkk-nix-1/services/gitea.nix b/hosts/lkk-nix-1/services/gitea.nix
new file mode 100644
index 0000000..997f14a
--- /dev/null
+++ b/hosts/lkk-nix-1/services/gitea.nix
@@ -0,0 +1,16 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.gitea = {
+ enable = true;
+ settings.server.ROOT_URL = "https://code.lanakk.com";
+ lfs.enable = true;
+ dump = {
+ enable = true;
+ interval = "03:30:00";
+ backupDir = "/var/backup/gitea";
+ };
+ };
+}
diff --git a/hosts/lkk-nix-1/services/mariadb.nix b/hosts/lkk-nix-1/services/mariadb.nix
new file mode 100644
index 0000000..c9cbaae
--- /dev/null
+++ b/hosts/lkk-nix-1/services/mariadb.nix
@@ -0,0 +1,11 @@
+{ pkgs, config, ... }: {
+ services.mysql = {
+ enable = true;
+ package = pkgs.mariadb;
+ };
+ services.mysqlBackup = {
+ enable = true;
+ calendar = "03:00:00";
+ databases = [ "lanakk_blog" "matomo" "mautic" ];
+ };
+}
diff --git a/hosts/lkk-nix-1/services/metabase.nix b/hosts/lkk-nix-1/services/metabase.nix
new file mode 100644
index 0000000..34c5402
--- /dev/null
+++ b/hosts/lkk-nix-1/services/metabase.nix
@@ -0,0 +1,13 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.metabase = {
+ enable = true;
+ listen.port = 3013;
+ };
+ systemd.services.metabase.serviceConfig = {
+ EnvironmentFile = "${config.age.secrets.metabase-env.path}";
+ };
+}
diff --git a/hosts/lkk-nix-1/services/postgres.nix b/hosts/lkk-nix-1/services/postgres.nix
new file mode 100644
index 0000000..f2f83eb
--- /dev/null
+++ b/hosts/lkk-nix-1/services/postgres.nix
@@ -0,0 +1,29 @@
+{ pkgs, config, ... }: {
+ services.postgresql = {
+ enable = true;
+ enableTCPIP = true;
+ package = pkgs.postgresql_15;
+ authentication = pkgs.lib.mkOverride 10 ''
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ host all all 10.88.0.1/16 trust
+ '';
+ initialScript = pkgs.writeText "backend-initScript" ''
+ CREATE USER baserow WITH ENCRYPTED PASSWORD 'baserow';
+ CREATE DATABASE baserow;
+ GRANT ALL PRIVILEGES ON DATABASE baserow TO baserow;
+ ALTER DATABASE baserow OWNER to baserow;
+ '';
+ };
+ services.postgresqlBackup = {
+ enable = true;
+ startAt = "03:10:00";
+ databases = [ "baserow" "metabase" "postgres" "lanakk_data_warehouse" ];
+ };
+ services.pgadmin = {
+ enable = true;
+ initialPasswordFile = "${config.age.secrets.pgadmin.path}";
+ initialEmail = "sascha@lanakk.com";
+ };
+}
diff --git a/hosts/lkk-nix-1/services/syncthing.nix b/hosts/lkk-nix-1/services/syncthing.nix
new file mode 100644
index 0000000..c49d16e
--- /dev/null
+++ b/hosts/lkk-nix-1/services/syncthing.nix
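Review bot: `host all all 10.88.0.1/16 trust` lets every container on the podman bridge log in as any PostgreSQL role, including the `postgres` superuser, without a password, and `local all all trust` does the same for every local account; one compromised web container (several are published on non-loopback ports in this commit) therefore yields the whole database server, and the `mkOverride 10` also discards the module's default rules. Switch the network lines to `scram-sha-256` and narrow them to the static container addresses the commit already assigns, e.g. `host baserow baserow 10.88.0.11/32 scram-sha-256`, keeping `trust` only where a local service provably needs it. The `initialScript` additionally embeds `PASSWORD 'baserow'` in a store path; the baserow container already takes its credentials from an age secret, so the role password should come from that same secret (or be set out-of-band) rather than from Nix code.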
@@ -0,0 +1,26 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.syncthing = {
+ enable = true;
+ openDefaultPorts = true;
+ guiAddress = "0.0.0.0:8384";
+ overrideDevices = true;
+ overrideFolders = true;
+ settings = {
+ devices = {
+ "LK-DATA" = {
+ id = "BI7CMZF-2SGQMXW-RG47HRG-FEH454J-ZTCE544-BXNSCSJ-PXCE7A7-R4CX2Q3";
+ };
+ };
+ folders = {
+ "Bildvorschauen" = {
+ path = "/opt/service-data/http-images";
+ devices = ["LK-DATA"];
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/lkk-nix-1/services/tailscale.nix b/hosts/lkk-nix-1/services/tailscale.nix
new file mode 100644
index 0000000..cbb3cee
--- /dev/null
+++ b/hosts/lkk-nix-1/services/tailscale.nix
@@ -0,0 +1,42 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ };
+ networking.firewall = {
+ trustedInterfaces = ["tailscale0"];
+ };
+ systemd.services.tailscale-autoconnect = {
+ description = "Automatic connection to Tailscale";
+
+ # make sure tailscale is running before trying to connect to tailscale
+ after = ["network-pre.target" "tailscale.service"];
+ wants = ["network-pre.target" "tailscale.service"];
+ wantedBy = ["multi-user.target"];
+
+ # set this service as a oneshot job
+ serviceConfig = {
+ Type = "oneshot";
+ EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
+ };
+
+ # have the job run this shell script
+ script = with pkgs; ''
+ # wait for tailscaled to settle
+ sleep 2
+
+ # check if we are already authenticated to tailscale
+ status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+ if [ $status = "Running" ]; then # if so, then do nothing
+ exit 0
+ fi
+
+ # otherwise authenticate with tailscale
+ ${tailscale}/bin/tailscale up --advertise-exit-node --authkey $TAILSCALE_KEY
+ '';
+ };
+}
diff --git a/hosts/lkk-nix-1/services/traefik.nix b/hosts/lkk-nix-1/services/traefik.nix
new file mode 100644
index 0000000..51a76c5
--- /dev/null
+++ b/hosts/lkk-nix-1/services/traefik.nix
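Review bot: `guiAddress = "0.0.0.0:8384"` binds the Syncthing admin UI on every interface with no GUI user or password configured in `settings`, even though Traefik already fronts it via `http://localhost:8384/` on sync.lanakk.com; with `trustedInterfaces = ["tailscale0"]` in tailscale.nix the unauthenticated UI is also reachable from every tailnet node. Bind it to loopback, `guiAddress = "127.0.0.1:8384";`, and either set GUI credentials under `settings.gui` or attach the existing Traefik `auth` middleware to the `syncthing` router so the admin interface is never served without authentication. The device ID in `settings.devices` is public information, so that part is fine to commit.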
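Review bot: `--authkey $TAILSCALE_KEY` passes the node auth key on the command line, where it is visible to any local user in the process list while `tailscale up` runs and may be captured by process accounting; recent tailscale releases accept `--auth-key file:/path`, so `--auth-key file:${config.age.secrets.tailscale-key.path}` (with the secret holding the bare key) keeps it out of argv. The ordering is also fragile: the NixOS module names its daemon unit `tailscaled.service` as far as I recall, so `after`/`wants` on `tailscale.service` reference nothing and the fixed `sleep 2` is doing the real work; the unquoted `[ $status = "Running" ]` then fails with a shell error if `tailscale status` returns nothing. Quote it as `"$status"` and order on the daemon unit instead. lkk-prod-1 and lkk-prod-2 carry a verbatim copy of this unit and need the same changes.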
@@ -0,0 +1,241 @@ +{ config, ... }: { + services.traefik = { + enable = true; + staticConfigOptions = { + log = { level = "WARN"; }; + certificatesResolvers = { + godaddy = { + acme = { + email = "dev@lanakk.com"; + storage = "/var/lib/traefik/acme.json"; + dnsChallenge = { provider = "godaddy"; }; + }; + }; + lets-encrypt = { + acme = { + email = "dev@lanakk.com"; + storage = "/var/lib/traefik/acme.json"; + tlsChallenge = { }; + }; + }; + }; + api = { }; + entryPoints = { + web = { + address = ":80"; + http.redirections.entryPoint = { + to = "websecure"; + scheme = "https"; + }; + }; + websecure = { address = ":443"; }; + }; + }; + dynamicConfigOptions = { + http = { + middlewares = { + auth = { + basicAuth = { + users = [ "m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh." ]; + }; + }; + nextcloud_redirectregex = { + redirectRegex = { + permanent = true; + regex = "https://(.*)/.well-known/(?:card|cal)dav"; + replacement = "https://\${1}/remote.php/dav"; + }; + }; + nextcloud_headers = { + headers = { + referrerPolicy = "no-referrer"; + stsSeconds = "31536000"; + forceSTSHeader = true; + stsPreload = true; + stsIncludeSubdomains = true; + }; + }; + }; + services = { + baserow.loadBalancer.servers = [{ url = "http://localhost:3001/"; }]; + gitea.loadBalancer.servers = [{ url = "http://localhost:3000/"; }]; + n8n.loadBalancer.servers = [{ url = "http://localhost:5678/"; }]; + lanakk_blog.loadBalancer.servers = + [{ url = "http://localhost:3002/"; }]; + matomo.loadBalancer.servers = [{ url = "http://localhost:3003/"; }]; + ordercollector.loadBalancer.servers = + [{ url = "http://localhost:3004/"; }]; + nextcloud.loadBalancer.servers = + [{ url = "http://localhost:3005/"; }]; + mautic.loadBalancer.servers = [{ url = "http://localhost:3008/"; }]; + littlelink-lanakk.loadBalancer.servers = + [{ url = "http://localhost:3010/"; }]; + http-images.loadBalancer.servers = + [{ url = "http://localhost:3012/"; }]; + syncthing.loadBalancer.servers = + [{ url = 
"http://localhost:8384/"; }]; + metabase.loadBalancer.servers = [{ url = "http://localhost:3013/"; }]; + pgadmin.loadBalancer.servers = [{ url = "http://localhost:5050/"; }]; + vaultwarden.loadBalancer.servers = + [{ url = "http://localhost:3014/"; }]; + kk_blog.loadBalancer.servers = [{ url = "http://localhost:3015/"; }]; + }; + routers = { + api = { + rule = "Host(`r.lanakk.com`)"; + tls = { certResolver = "lets-encrypt"; }; + service = "api@internal"; + middlewares = "auth"; + entrypoints = "websecure"; + }; + baserow = { + rule = "Host(`db.lanakk.com`)"; + tls = { certResolver = "lets-encrypt"; }; + service = "baserow"; + entrypoints = "websecure"; + }; + gitea = { + rule = "Host(`code.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "code.lanakk.com"; + }; + service = "gitea"; + entrypoints = "websecure"; + }; + n8n = { + rule = "Host(`wf.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "wf.lanakk.com"; + }; + service = "n8n"; + entrypoints = "websecure"; + }; + ordercollector = { + rule = "Host(`api.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "api.lanakk.com"; + }; + service = "ordercollector"; + entrypoints = "websecure"; + }; + lanakk_blog = { + rule = "Host(`www.weltkarte-pinnwand.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "www.weltkarte-pinnwand.com"; + }; + service = "lanakk_blog"; + entrypoints = "websecure"; + }; + kk_blog = { + rule = "Host(`kk.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "kk.lanakk.com"; + }; + service = "kk_blog"; + entrypoints = "websecure"; + }; + matomo = { + rule = "Host(`stats.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "stats.lanakk.com"; + }; + service = "matomo"; + entrypoints = "websecure"; + }; + matomo-weltkarte-pinnwand = { + rule = "Host(`stats.weltkarte-pinnwand.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "stats.weltkarte-pinnwand.com"; + }; + service = "matomo"; 
+ entrypoints = "websecure"; + }; + pgadmin = { + rule = "Host(`pg.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "pg.lanakk.com"; + }; + service = "pgadmin"; + entrypoints = "websecure"; + }; + nextcloud = { + rule = "Host(`cloud.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "cloud.lanakk.com"; + }; + service = "nextcloud"; + entrypoints = "websecure"; + middlewares = "nextcloud_redirectregex,nextcloud_headers"; + }; + mautic = { + rule = "Host(`ma.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "ma.lanakk.com"; + }; + service = "mautic"; + entrypoints = "websecure"; + }; + littlelink-lanakk = { + rule = "Host(`links.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "links.lanakk.com"; + }; + service = "littlelink-lanakk"; + entrypoints = "websecure"; + }; + http-images = { + rule = "Host(`media.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "media.lanakk.com"; + }; + service = "http-images"; + entrypoints = "websecure"; + }; + syncthing = { + rule = "Host(`sync.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "sync.lanakk.com"; + }; + service = "syncthing"; + entrypoints = "websecure"; + }; + metabase = { + rule = "Host(`kpi.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "kpi.lanakk.com"; + }; + service = "metabase"; + entrypoints = "websecure"; + }; + vaultwarden = { + rule = "Host(`vw.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "vw.lanakk.com"; + }; + service = "vaultwarden"; + entrypoints = "websecure"; + }; + }; + }; + }; + }; + + systemd.services.traefik.serviceConfig = { + EnvironmentFile = [ "${config.age.secrets.traefik-env.path}" ]; + }; +} diff --git a/hosts/lkk-nix-1/services/vaultwarden.nix b/hosts/lkk-nix-1/services/vaultwarden.nix new file mode 100644 index 0000000..7c42524 --- /dev/null +++ b/hosts/lkk-nix-1/services/vaultwarden.nix 
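Review bot: The `auth` middleware commits an `$apr1$` (MD5-based htpasswd) hash for the dashboard user to the repository, which is both a weak hash format and a secret in git history; Traefik's basicAuth accepts bcrypt hashes and a `usersFile`, so regenerate the entry with bcrypt and deliver it through agenix — the `traefik-env` secret already exists for this service, so the same mechanism applies. The `godaddy` and `lets-encrypt` resolvers both use `storage = "/var/lib/traefik/acme.json"`; as far as I recall Traefik's documentation expects a separate storage file per resolver, and sharing one can cause the resolvers to overwrite each other's certificates, so give the `godaddy` resolver its own file (e.g. `acme-godaddy.json`). The router definitions begin earlier in this hunk; the `syncthing` router in particular proxies an admin UI with no middleware, which is worth pairing with `auth` as the `api` router does.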
@@ -0,0 +1,15 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.vaultwarden = {
+ enable = true;
+ backupDir = "/var/backup/vaultwarden";
+ config = {
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 3014;
+ };
+ environmentFile = "${config.age.secrets.vaultwarden-env.path}";
+ };
+}
diff --git a/hosts/lkk-prod-1/default.nix b/hosts/lkk-prod-1/default.nix
new file mode 100644
index 0000000..4947b54
--- /dev/null
+++ b/hosts/lkk-prod-1/default.nix
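Review bot: `backupDir = "/var/backup/vaultwarden"` places the Vaultwarden database — user records, admin tokens and the encrypted vault blobs — under `/var/backup`, which hardware-configuration.nix in this same commit mounts as an NFS export from a public address (`46.38.248.210:/voln527829a1`) with no mount options; unless that path is a private network, the backups (and the gitea dump written to `/var/backup/gitea`) cross the network unencrypted and are guarded only by NFS host-based export rules. Encrypt the dump before it leaves the host, or route the mount over the Tailscale link this host already has. Also confirm that the `vaultwarden-env` secret sets `SIGNUPS_ALLOWED=false` and an `ADMIN_TOKEN`, since the `config` block here leaves Vaultwarden's default open-registration behaviour in place.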
@@ -0,0 +1,176 @@ +{ + config, + pkgs, + outputs, + ... +}: { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ../common/users/produktion + ../common/base + ]; + + # Bootloader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.loader.efi.efiSysMountPoint = "/boot/efi"; + + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + networking = { + hostName = "lkk-prod-1"; + networkmanager.enable = true; + firewall.enable = true; + }; + programs.fish.enable = true; + age = { + secrets = {tailscale-key.file = ../../secrets/tailscale-key.age;}; + identityPaths = ["/root/.ssh/lkk-nix-1"]; + }; + services.openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + }; + services.avahi.nssmdns4 = { + enable = true; + nssmdns = true; + }; + + services.tailscale = { + enable = true; + useRoutingFeatures = "client"; + }; + systemd.services.tailscale-autoconnect = { + description = "Automatic connection to Tailscale"; + + # make sure tailscale is running before trying to connect to tailscale + after = ["network-pre.target" "tailscale.service"]; + wants = ["network-pre.target" "tailscale.service"]; + wantedBy = ["multi-user.target"]; + + # set this service as a oneshot job + serviceConfig = { + Type = "oneshot"; + EnvironmentFile = "${config.age.secrets.tailscale-key.path}"; + }; + + # have the job run this shell script + script = with pkgs; '' + # wait for tailscaled to settle + sleep 2 + + # check if we are already authenticated to tailscale + status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi + + # otherwise authenticate with tailscale + ${tailscale}/bin/tailscale up --authkey $TAILSCALE_KEY + ''; + }; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = 
"127.0.0.1,localhost,internal.domain"; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # Select internationalisation properties. + i18n.defaultLocale = "de_DE.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "de_DE.UTF-8"; + LC_IDENTIFICATION = "de_DE.UTF-8"; + LC_MEASUREMENT = "de_DE.UTF-8"; + LC_MONETARY = "de_DE.UTF-8"; + LC_NAME = "de_DE.UTF-8"; + LC_NUMERIC = "de_DE.UTF-8"; + LC_PAPER = "de_DE.UTF-8"; + LC_TELEPHONE = "de_DE.UTF-8"; + LC_TIME = "de_DE.UTF-8"; + }; + + # Enable the X11 windowing system. + services.xserver.enable = true; + + # Enable the KDE Plasma Desktop Environment. + services.xserver.displayManager.sddm.enable = true; + services.xserver.desktopManager.plasma5.enable = true; + + # Configure keymap in X11 + services.xserver = {xkb.layout = "de";}; + + # Configure console keymap + console.keyMap = "de"; + + # Enable CUPS to print documents. + services.printing.enable = true; + + # Enable sound with pipewire. + sound.enable = true; + hardware.pulseaudio.enable = false; + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + + # use the example session manager (no others are packaged yet so this is enabled by default, + # no need to redefine it in your config for now) + #media-session.enable = true; + }; + + # Enable touchpad support (enabled default in most desktopManager). + # services.xserver.libinput.enable = true; + + nixpkgs = { + overlays = [ + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.stable-packages + ]; + config = {allowUnfree = true;}; + }; + + # List packages installed in system profile. 
To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [neovim]; + nix = { + gc = { + automatic = true; + options = "--delete-older-than 30d"; + }; + optimise.automatic = true; + }; + + system.stateVersion = "24.05"; # Did you read the comment? + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + # services.openssh.enable = true; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). +} diff --git a/hosts/lkk-prod-1/hardware-configuration.nix b/hosts/lkk-prod-1/hardware-configuration.nix new file mode 100644 index 0000000..44425dd --- /dev/null +++ b/hosts/lkk-prod-1/hardware-configuration.nix 
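Review bot: `services.openssh.settings.PermitRootLogin = "yes"` enables direct root login over SSH on a production workstation, and unlike lkk-nix-1 this host does not set `PasswordAuthentication = false`, so root is reachable with a password from the local network; lkk-prod-2 has the identical setting. Use `settings.PermitRootLogin = "no";` (or `"prohibit-password"` if root key login is genuinely needed) together with `settings.PasswordAuthentication = false;` — the `produktion` user already has an authorised key. Separately, `services.avahi.nssmdns4 = { enable = true; nssmdns = true; };` looks like a misplaced attribute: `nssmdns4` is a boolean option, so this should read `services.avahi = { enable = true; nssmdns4 = true; };` (same in lkk-prod-2). The enclosing module starts on L54, outside this hunk's last physical line.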
@@ -0,0 +1,43 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/hardware/network/broadcom-43xx.nix") + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/88887b78-5a75-49cf-991d-7a3c8f813799"; + fsType = "ext4"; + }; + + fileSystems."/boot/efi" = { + device = "/dev/disk/by-uuid/67E3-17ED"; + fsType = "vfat"; + }; + + swapDevices = []; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/lkk-prod-2/default.nix b/hosts/lkk-prod-2/default.nix new file mode 100644 index 0000000..59ec80c --- /dev/null +++ b/hosts/lkk-prod-2/default.nix 
@@ -0,0 +1,176 @@ +{ + config, + pkgs, + outputs, + ... +}: { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ../common/users/produktion + ../common/base + ]; + + # Bootloader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.loader.efi.efiSysMountPoint = "/boot/efi"; + + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + networking = { + hostName = "lkk-prod-2"; + networkmanager.enable = true; + firewall.enable = true; + }; + programs.fish.enable = true; + age = { + secrets = {tailscale-key.file = ../../secrets/tailscale-key.age;}; + identityPaths = ["/root/.ssh/lkk-nix-1"]; + }; + services.openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + }; + services.avahi.nssmdns4 = { + enable = true; + nssmdns = true; + }; + services.tailscale = { + enable = true; + useRoutingFeatures = "client"; + }; + systemd.services.tailscale-autoconnect = { + description = "Automatic connection to Tailscale"; + + # make sure tailscale is running before trying to connect to tailscale + after = ["network-pre.target" "tailscale.service"]; + wants = ["network-pre.target" "tailscale.service"]; + wantedBy = ["multi-user.target"]; + + # set this service as a oneshot job + serviceConfig = { + Type = "oneshot"; + EnvironmentFile = "${config.age.secrets.tailscale-key.path}"; + }; + + # have the job run this shell script + script = with pkgs; '' + # wait for tailscaled to settle + sleep 2 + + # check if we are already authenticated to tailscale + status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi + + # otherwise authenticate with tailscale + ${tailscale}/bin/tailscale up --authkey $TAILSCALE_KEY + ''; + }; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = 
"127.0.0.1,localhost,internal.domain"; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # Select internationalisation properties. + i18n.defaultLocale = "de_DE.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "de_DE.UTF-8"; + LC_IDENTIFICATION = "de_DE.UTF-8"; + LC_MEASUREMENT = "de_DE.UTF-8"; + LC_MONETARY = "de_DE.UTF-8"; + LC_NAME = "de_DE.UTF-8"; + LC_NUMERIC = "de_DE.UTF-8"; + LC_PAPER = "de_DE.UTF-8"; + LC_TELEPHONE = "de_DE.UTF-8"; + LC_TIME = "de_DE.UTF-8"; + }; + + # Enable the X11 windowing system. + services.xserver.enable = true; + + # Enable the KDE Plasma Desktop Environment. + services.xserver.displayManager.sddm.enable = true; + services.xserver.desktopManager.plasma5.enable = true; + + # Configure keymap in X11 + services.xserver = {xkb.layout = "de";}; + + # Configure console keymap + console.keyMap = "de"; + + # Enable CUPS to print documents. + services.printing.enable = true; + + # Enable sound with pipewire. + sound.enable = true; + hardware.pulseaudio.enable = false; + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + + # use the example session manager (no others are packaged yet so this is enabled by default, + # no need to redefine it in your config for now) + #media-session.enable = true; + }; + + # Enable touchpad support (enabled default in most desktopManager). + # services.xserver.libinput.enable = true; + + nixpkgs = { + overlays = [ + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.stable-packages + ]; + config = {allowUnfree = true;}; + }; + + # List packages installed in system profile. 
To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [neovim]; + + nix = { + gc = { + automatic = true; + options = "--delete-older-than 30d"; + }; + optimise.automatic = true; + }; + + system.stateVersion = "22.11"; # Did you read the comment? + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + # services.openssh.enable = true; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). +} diff --git a/hosts/lkk-prod-2/hardware-configuration.nix b/hosts/lkk-prod-2/hardware-configuration.nix new file mode 100644 index 0000000..a3edf65 --- /dev/null +++ b/hosts/lkk-prod-2/hardware-configuration.nix 
@@ -0,0 +1,43 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/hardware/network/broadcom-43xx.nix") + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/73092ab4-3dcb-4b39-8fa2-44c0341c44c0"; + fsType = "ext4"; + }; + + fileSystems."/boot/efi" = { + device = "/dev/disk/by-uuid/67E3-17ED"; + fsType = "vfat"; + }; + + swapDevices = []; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/m3-nix/default.nix b/hosts/m3-nix/default.nix new file mode 100644 index 0000000..1335169 --- /dev/null +++ b/hosts/m3-nix/default.nix 
@@ -0,0 +1,148 @@ +{ config, inputs, outputs, pkgs, lib, ... }: +with pkgs; { + imports = [ + ./hardware.nix + ./hardware-configuration.nix # Include the results of the hardware scan. + ../common/users/m3tam3re + ../common/base + ./services + ]; + + specialisation = { + "NVIDIA".configuration = { + boot.kernelParams = [ "nvidia.NVreg_PreserveVideoMemoryAllocations=1" ]; + system.nixos.tags = [ "NVIDIA" ]; + services.xserver.videoDrivers = [ "nvidia" ]; + }; + }; + # Bootloader. + boot.loader.systemd-boot.enable = true; + boot.loader.systemd-boot.memtest86.enable = true; + + boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; + boot.kernelModules = [ "v4l2loopback" ]; + + boot.extraModprobeConfig = '' + options kvm_intel nested=1 + options kvm_intel emulate_invalid_guest_state=0 + options kvm ignore_msrs=1 + options v4l2loopback exclusive_caps=1 max_buffers=2 + ''; + + networking = { + hostName = "m3-nix"; + firewall.extraCommands = + "iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns"; + networkmanager.enable = true; + }; + + services.openssh = { + enable = true; + settings.PermitRootLogin = "no"; + allowSFTP = true; + }; + + services.avahi = { + enable = true; + nssmdns4 = true; + publish = { + addresses = true; + workstation = true; + userServices = true; + }; + }; + + programs.nix-ld.enable = true; + programs.nix-ld.libraries = with pkgs; + [ + # Add any missing dynamic libraries for unpackaged programs + # here, NOT in environment.systemPackages + ]; + programs.hyprland = { + enable = true; + xwayland.enable = true; + }; + programs.steam = { + enable = true; + remotePlay.openFirewall = true; + dedicatedServer.openFirewall = true; + }; + programs.fish.enable = true; + programs.thunar = { + enable = true; + plugins = with pkgs.xfce; [ thunar-archive-plugin thunar-volman ]; + }; + age = { + secrets = { + tailscale-key.file = ../../secrets/tailscale-key.age; + wg-key.file = ../../secrets/wg-key.age; + 
m3tam3re-secrets = { + file = ../../secrets/m3tam3re-secrets.age; + owner = "m3tam3re"; + }; + }; + identityPaths = [ "/root/.ssh/lkk-nix-1" ]; + }; + + time.timeZone = "Europe/Berlin"; + i18n.defaultLocale = "de_DE.utf8"; + console.keyMap = "de"; + + # NOTE: NIX related config + + programs.nh = { + enable = true; + clean.enable = true; + clean.extraArgs = "--keep-since 4d --keep 3"; + flake = "/home/m3tam3re/projects/nix-configurations"; + }; + nix.extraOptions = '' + experimental-features = nix-command + keep-outputs = true + keep-derivations = true + ''; + nix = { + settings = { + experimental-features = "nix-command flakes"; + trusted-users = [ "root" "m3tam3re" ]; + }; + gc = { + automatic = true; + options = "--delete-older-than 30d"; + }; + optimise.automatic = true; + registry = (lib.mapAttrs (_: flake: { inherit flake; })) + ((lib.filterAttrs (_: lib.isType "flake")) inputs); + nixPath = [ "/etc/nix/path" ]; + }; + + environment.etc = lib.mapAttrs' (name: value: { + name = "nix/path/${name}"; + value.source = value.flake; + }) config.nix.registry; + environment.systemPackages = + [ neovim nvd nix-output-monitor wally-cli nfs-utils restic sshfs ]; + + systemd.extraConfig = '' + DefaultTimeoutStopSec=10s + ''; + nixpkgs = { + overlays = [ + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.stable-packages + ]; + config = { + allowUnfree = true; + nvidia.acceptLicense = true; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leavecatenate(variables, "bootdev", bootdev) + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "24.05"; # Did you read the comment? +} 
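Review bot: `trusted-users = [ "root" "m3tam3re" ]` makes the interactive user root-equivalent through the Nix daemon (trusted users may override sandbox and substituter settings), so it deserves a comment stating why it is needed, e.g. `# trusted-users are root-equivalent via nix-daemon`. The same setting recurs in hosts/m3-r1/default.nix in this commit. `experimental-features` is set both in `nix.extraOptions` (`nix-command`) and in `nix.settings` (`nix-command flakes`), which lands as two lines in nix.conf; dropping the `extraOptions` line removes the conflict. `identityPaths = [ "/root/.ssh/lkk-nix-1" ]` is also the decryption key on m3-r1, so one key unlocks the age secrets of every host — worth confirming that is intended. The stateVersion comment contains stray text (`leavecatenate(variables, "bootdev", bootdev)`) that should be trimmed.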
diff --git a/hosts/m3-nix/hardware-configuration.nix b/hosts/m3-nix/hardware-configuration.nix new file mode 100644 index 0000000..4d6ac18 --- /dev/null +++ b/hosts/m3-nix/hardware-configuration.nix 
@@ -0,0 +1,67 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [(modulesPath + "/installer/scan/not-detected.nix")]; + + boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "ahci" "nvme" "usb_storage" "sd_mod"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/3a50bf0a-024b-488b-aa11-56b32f2fb54d"; + fsType = "btrfs"; + options = ["subvol=root" "compress=zstd"]; + }; + + fileSystems."/home" = { + device = "/dev/disk/by-uuid/3a50bf0a-024b-488b-aa11-56b32f2fb54d"; + fsType = "btrfs"; + options = ["subvol=home" "compress=zstd"]; + }; + + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/3a50bf0a-024b-488b-aa11-56b32f2fb54d"; + fsType = "btrfs"; + options = ["subvol=home" "compress=zstd" "noatime"]; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/4811-EA6E"; + fsType = "vfat"; + }; + + fileSystems."/opt" = { + device = "/dev/disk/by-uuid/3574df3a-2a90-4b54-9c21-128f1d01ff8f"; + fsType = "btrfs"; + options = ["noatime" "compress=zstd"]; + }; + + fileSystems."/mnt/skynet-bkg" = { + device = "100.94.135.99:/volume3/bkg"; + fsType = "nfs"; + options = ["noauto" "x-systemd.automount"]; + }; + + swapDevices = []; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
+ networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp46s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlo1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware.cpu.intel.updateMicrocode = + lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/m3-nix/hardware.nix b/hosts/m3-nix/hardware.nix new file mode 100644 index 0000000..8a7787e --- /dev/null +++ b/hosts/m3-nix/hardware.nix 
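Review bot: `fileSystems."/nix"` mounts `subvol=home` rather than a `nix` subvolume, so /nix and /home would be the same btrfs subvolume; unless the store really lives in the home subvolume this looks like a copy-paste slip and, by analogy with hosts/m3-r1, the line should be `options = ["subvol=nix" "compress=zstd" "noatime"];`. The header says the file is generated, but the NFS automount for /mnt/skynet-bkg suggests it is maintained by hand, so a fix here would not be overwritten.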
@@ -0,0 +1,54 @@ +{ config, pkgs, ... }: { + hardware.nvidia = { + package = let + rcu_patch = pkgs.fetchpatch { + url = + "https://github.com/gentoo/gentoo/raw/c64caf53/x11-drivers/nvidia-drivers/files/nvidia-drivers-470.223.02-gpl-pfn_valid.patch"; + hash = "sha256-eZiQQp2S/asE7MfGvfe6dA/kdCvek9SYa/FFGp24dVg="; + }; + in config.boot.kernelPackages.nvidiaPackages.mkDriver { + version = "535.154.05"; + sha256_64bit = "sha256-fpUGXKprgt6SYRDxSCemGXLrEsIA6GOinp+0eGbqqJg="; + sha256_aarch64 = "sha256-G0/GiObf/BZMkzzET8HQjdIcvCSqB1uhsinro2HLK9k="; + openSha256 = "sha256-wvRdHguGLxS0mR06P5Qi++pDJBCF8pJ8hr4T8O6TJIo="; + settingsSha256 = "sha256-9wqoDEWY4I7weWW05F4igj1Gj9wjHsREFMztfEmqm10="; + persistencedSha256 = + "sha256-d0Q3Lk80JqkS1B54Mahu2yY/WocOqFFbZVBh+ToGhaE="; + + #version = "550.40.07"; + #sha256_64bit = "sha256-KYk2xye37v7ZW7h+uNJM/u8fNf7KyGTZjiaU03dJpK0="; + #sha256_aarch64 = "sha256-AV7KgRXYaQGBFl7zuRcfnTGr8rS5n13nGUIe3mJTXb4="; + #openSha256 = "sha256-mRUTEWVsbjq+psVe+kAT6MjyZuLkG2yRDxCMvDJRL1I="; + #settingsSha256 = "sha256-c30AQa4g4a1EHmaEu1yc05oqY01y+IusbBuq+P6rMCs="; + #persistencedSha256 = "sha256-11tLSY8uUIl4X/roNnxf5yS2PQvHvoNjnd2CB67e870="; + + patches = [ rcu_patch ]; + }; + prime = { + offload.enable = false; + + # Bus ID of the Intel GPU. You can find it using lspci, either under 3D or VGA + intelBusId = "PCI:0:2:0"; + + # Bus ID of the NVIDIA GPU. 
You can find it using lspci, either under 3D or VGA + nvidiaBusId = "PCI:1:0:0"; + }; + modesetting.enable = true; + powerManagement.finegrained = false; + powerManagement.enable = true; + open = false; + dynamicBoost.enable = true; + nvidiaSettings = true; + }; + hardware.opengl.enable = true; + hardware.opengl.driSupport32Bit = true; + services.hardware.bolt.enable = true; + services.auto-cpufreq.enable = true; + services.tlp.enable = true; + services.fstrim.enable = true; + hardware.bluetooth.enable = true; + hardware.keyboard.zsa.enable = true; + hardware.tuxedo-rs.enable = true; + hardware.tuxedo-rs.tailor-gui.enable = true; + hardware.tuxedo-keyboard.enable = true; +} diff --git a/hosts/m3-nix/services/cron.nix b/hosts/m3-nix/services/cron.nix new file mode 100644 index 0000000..0820c0d --- /dev/null +++ b/hosts/m3-nix/services/cron.nix @@ -0,0 +1,6 @@ +{ + services.cron = { + enable = true; + systemCronJobs = [""]; + }; +} diff --git a/hosts/m3-nix/services/default.nix b/hosts/m3-nix/services/default.nix new file mode 100644 index 0000000..a14cb15 --- /dev/null +++ b/hosts/m3-nix/services/default.nix @@ -0,0 +1,32 @@ +{pkgs, ...}: { + imports = [ + ./cron.nix + ./flatpak.nix + ./prometheus-node.nix + ./ollama.nix + ./sound.nix + ./udev.nix + ./restic.nix + ./tailscale.nix + ./virtualization.nix + ./wireguard.nix + #./xserver.nix + ]; + + # services.gvfs = { + # enable = true; + # package = pkgs.gnome3.gvfs; + # }; + # services.kubo = { enable = true; }; # IPFS + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + pinentryPackage = pkgs.pinentry-gnome3; + }; + services.printing.enable = true; + services.sabnzbd.enable = true; + services.i2p.enable = true; + services.gvfs.enable = true; + services.trezord.enable = true; + services.logind.lidSwitchExternalPower = "ignore"; +} diff --git a/hosts/m3-nix/services/flatpak.nix b/hosts/m3-nix/services/flatpak.nix new file mode 100644 index 0000000..eb6ea2e --- /dev/null 
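Review bot: `systemCronJobs = [""]` in cron.nix enables cron with a single empty job line, which adds nothing to the system; either remove the empty entry (`systemCronJobs = [];`) or leave `services.cron` disabled until a job exists. cron.nix is imported by hosts/m3-nix/services/default.nix in the same commit.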
+++ b/hosts/m3-nix/services/flatpak.nix @@ -0,0 +1,8 @@ +{pkgs, ...}: { + services.flatpak.enable = true; + xdg.portal = { + # xdg desktop intergration (required for flatpak) + enable = true; + extraPortals = [pkgs.xdg-desktop-portal-gtk]; + }; +} diff --git a/hosts/m3-nix/services/ollama.nix b/hosts/m3-nix/services/ollama.nix new file mode 100644 index 0000000..7b28157 --- /dev/null +++ b/hosts/m3-nix/services/ollama.nix @@ -0,0 +1,7 @@ +{ + config, + pkgs, + ... +}: { + services.ollama = {enable = true;}; +} diff --git a/hosts/m3-nix/services/prometheus-node.nix b/hosts/m3-nix/services/prometheus-node.nix new file mode 100644 index 0000000..30aa66a --- /dev/null +++ b/hosts/m3-nix/services/prometheus-node.nix @@ -0,0 +1,10 @@ +{ + services.prometheus.exporters.node = { + enable = true; + port = 8081; + enabledCollectors = ["logind" "systemd"]; + disabledCollectors = ["textfile"]; + openFirewall = true; + firewallFilter = "-i br0 -p tcp -m tcp --dport 8081"; + }; +} diff --git a/hosts/m3-nix/services/restic.nix b/hosts/m3-nix/services/restic.nix new file mode 100644 index 0000000..3111a3a --- /dev/null +++ b/hosts/m3-nix/services/restic.nix @@ -0,0 +1,25 @@ +{ + services.restic.backups = { + skynet = { + repository = "/mnt/skynet-bkg/m3-nix"; + passwordFile = "/etc/nixos/restic-pass"; + initialize = true; + paths = ["/home/m3tam3re"]; + exclude = [ + "/home/m3tam3re/.cache" + "/home/m3tam3re/Bilder/" + "/home/m3tam3re/Videos/" + "/home/m3tam3re/Downloads" + "/home/m3tam3re/Library" + "/home/m3tam3re/Projekte" + "/home/m3tam3re/Sync" + "/home/m3tam3re/.local/share/Trash" + ]; + timerConfig = { + OnCalendar = "09:30"; + RandomizedDelaySec = "2h"; + Persistent = true; + }; + }; + }; +} diff --git a/hosts/m3-nix/services/sound.nix b/hosts/m3-nix/services/sound.nix new file mode 100644 index 0000000..207fe01 --- /dev/null +++ b/hosts/m3-nix/services/sound.nix 
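Review bot: `openFirewall = true` together with `firewallFilter = "-i br0 -p tcp -m tcp --dport 8081"` only admits scrapes arriving on an interface named `br0`, and nothing in this commit's m3-nix configuration declares such a bridge (the host uses NetworkManager), so the exporter is probably unreachable as configured and, if the filter is later loosened, would be open on every interface. Confirm the interface the scraper actually uses; if it comes over the tailnet, `firewallFilter = "-i tailscale0 -p tcp -m tcp --dport 8081";` keeps the listener off the public side.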
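Review bot: `passwordFile = "/etc/nixos/restic-pass"` points at a plaintext file managed outside the repository, while every other secret on this host goes through `age.secrets`; a missing or mis-permissioned file silently breaks the nightly backup. Declare the password as an age secret and reference it as `passwordFile = config.age.secrets.<restic-secret>.path;` (placeholder name; the file currently takes no `config` argument, so the header needs `{config, ...}:`). With the repository on the `noauto`/`x-systemd.automount` NFS mount, `initialize = true` could also create a fresh repository on the local disk if the automount fails, so the backup unit should be ordered after the mount.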
@@ -0,0 +1,14 @@
+{ pkgs, ... }: {
+ sound.enable = true;
+ sound.mediaKeys.enable = true;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ jack.enable = false;
+ wireplumber.enable = true;
+ wireplumber.package = pkgs.stable.wireplumber;
+ };
+}
diff --git a/hosts/m3-nix/services/tailscale.nix b/hosts/m3-nix/services/tailscale.nix
new file mode 100644
index 0000000..7910806
--- /dev/null
+++ b/hosts/m3-nix/services/tailscale.nix
@@ -0,0 +1,40 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "client";
+ };
+
+ systemd.services.tailscale-autoconnect = {
+ description = "Automatic connection to Tailscale";
+
+ # make sure tailscale is running before trying to connect to tailscale
+ after = ["network-pre.target" "tailscale.service"];
+ wants = ["network-pre.target" "tailscale.service"];
+ wantedBy = ["multi-user.target"];
+
+ # set this service as a oneshot job
+ serviceConfig = {
+ Type = "oneshot";
+ EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
+ };
+
+ # have the job run this shell script
+ script = with pkgs; ''
+ # wait for tailscaled to settle
+ sleep 2
+
+ # check if we are already authenticated to tailscale
+ status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+ if [ $status = "Running" ]; then # if so, then do nothing
+ exit 0
+ fi
+
+ # otherwise authenticate with tailscale
+ ${tailscale}/bin/tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY
+ '';
+ };
+}
diff --git a/hosts/m3-nix/services/udev.nix b/hosts/m3-nix/services/udev.nix
new file mode 100644
index 0000000..13a692d
--- /dev/null
+++ b/hosts/m3-nix/services/udev.nix
@@ -0,0 +1,5 @@
+{pkgs, ...}: {
+ services.udev.extraRules = ''
+ SUBSYSTEM=="usb", MODE="0666
+ '';
+}
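Review bot: `if [ $status = "Running" ]` leaves `$status` unquoted, so when `tailscale status` fails or returns an empty BackendState the test degenerates to `[ = "Running" ]`, the script errors and the unit fails instead of falling through to `tailscale up`; write `if [ "$status" = "Running" ]; then`. The same line appears in hosts/m3-r1/services/tailscale.nix. The fixed `sleep 2` is a race against tailscaled; since the unit already orders `after = ["network-pre.target" "tailscale.service"]`, a short retry loop around `tailscale status` would be more robust than a timer.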
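Review bot: the udev rule `SUBSYSTEM=="usb", MODE="0666` is missing its closing quote, so udev will reject the line, and once the quote is added it makes every USB device node readable and writable by every local user. Scope the rule to the devices that actually need unprivileged access (match on `ATTR{idVendor}`/`ATTR{idProduct}`) and grant access to the logged-in user with `TAG+="uaccess"` instead of a global `MODE="0666"`. hardware.nix in this commit already enables `hardware.keyboard.zsa`, which ships its own udev rules, so this blanket rule may not be needed at all.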
diff --git a/hosts/m3-nix/services/virtualization.nix b/hosts/m3-nix/services/virtualization.nix new file mode 100644 index 0000000..7e7661b --- /dev/null +++ b/hosts/m3-nix/services/virtualization.nix @@ -0,0 +1,19 @@ +{pkgs, ...}: { + virtualisation = { + libvirtd = { + enable = true; + qemu = { + swtpm.enable = true; + ovmf = { + enable = true; + packages = [pkgs.OVMFFull]; + }; + }; + }; + containers.cdi.dynamic.nvidia.enable = true; + podman = { + enable = true; + defaultNetwork.settings.dns_enabled = true; + }; + }; +} diff --git a/hosts/m3-nix/services/wireguard.nix b/hosts/m3-nix/services/wireguard.nix new file mode 100644 index 0000000..f3a0603 --- /dev/null +++ b/hosts/m3-nix/services/wireguard.nix @@ -0,0 +1,8 @@ +{config, ...}: { + networking.wg-quick.interfaces = { + wg0 = { + configFile = config.age.secrets.wg-key.path; + autostart = false; + }; + }; +} diff --git a/hosts/m3-nix/services/xserver.nix b/hosts/m3-nix/services/xserver.nix new file mode 100644 index 0000000..17bff04 --- /dev/null +++ b/hosts/m3-nix/services/xserver.nix @@ -0,0 +1,19 @@ +{pkgs, ...}: { + services.xserver.videoDrivers = ["nvidia"]; + # services.xserver = { + # enable = true; + # videoDrivers = [ "nvidia" ]; + # displayManager = { + # defaultSession = "hyprland"; + # sddm = { enable = true; }; + # }; + # libinput.enable = true; # touchpad support + # layout = "de"; + # xkbOptions = "ctrl:nocaps"; + # }; + # services.xserver.screenSection = '' + # Option "metamodes" "nvidia-auto-select +0+0 {ForceFullCompositionPipeline=On}" + # Option "AllowIndirectGLXProtocol" "off" + # Option "TripleBuffer" "on" + # ''; +} diff --git a/hosts/m3-nix/vfio.nix b/hosts/m3-nix/vfio.nix new file mode 100644 index 0000000..34b14c9 --- /dev/null +++ b/hosts/m3-nix/vfio.nix 
@@ -0,0 +1,40 @@ +let + gpuIDs = [ + "10de:249d" # Graphics + "10de:228b" # Audio + ]; +in + { + pkgs, + lib, + config, + ... + }: { + options.vfio.enable = with lib; + mkEnableOption "Configure the machine for VFIO"; + + config = let + cfg = config.vfio; + in { + boot = { + initrd.kernelModules = [ + "vfio_pci" + "vfio" + "vfio_iommu_type1" + "vfio_virqfd" + ]; + + kernelParams = + [ + # enable IOMMU + "intel_iommu=on" + ] + ++ lib.optional cfg.enable + # isolate the GPU + ("vfio-pci.ids=" + lib.concatStringsSep "," gpuIDs); + }; + + hardware.opengl.enable = true; + virtualisation.spiceUSBRedirection.enable = true; + }; + } diff --git a/hosts/m3-r1/default.nix b/hosts/m3-r1/default.nix new file mode 100644 index 0000000..b1d5a98 --- /dev/null +++ b/hosts/m3-r1/default.nix 
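Review bot: `boot.initrd.kernelModules` loads the four vfio modules unconditionally while `kernelParams` only isolates the GPU when `cfg.enable` is set, so the `vfio.enable` option gates only half of the feature; wrap the module list in `lib.optionals cfg.enable [ ... ]` to match. On recent kernels `vfio_virqfd` is no longer a separate module, so the list should be checked against the kernel this host actually boots. vfio.nix is not imported anywhere in this commit, so the issue is latent.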
@@ -0,0 +1,104 @@ +{ inputs, outputs, lib, config, pkgs, ... }: { + imports = [ + ./hardware-configuration.nix + ../common/users/m3tam3re + ../common/base + ./services + ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + services.openssh.enable = true; + services.openssh.settings.PasswordAuthentication = false; + networking = { + hostName = "m3-r1"; + firewall.enable = true; + firewall.allowedTCPPortRanges = [{ + from = 3000; + to = 3100; + }]; + firewall.allowedTCPPorts = [ 53 80 443 5432 3306 3478 ]; + firewall.allowedUDPPorts = [ 53 51820 41641 ]; + firewall.allowedUDPPortRanges = [{ + from = 3478; + to = 3481; + }]; + }; + programs.fish.enable = true; + age = { + secrets = { + mj-smtp-user.file = ../../secrets/mj-smtp-user.age; + mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age; + openai.file = ../../secrets/openai.age; + tailscale-key.file = ../../secrets/tailscale-key.age; + + vaultwarden-env = { + file = ../../secrets/vaultwarden-env.age; + mode = "770"; + }; + n8n-env = { + file = ../../secrets/n8n-m3r1.age; + mode = "770"; + }; + + traefik-env = { + file = ../../secrets/traefik-env.age; + mode = "770"; + owner = "traefik"; + }; + + searx-environmentFile = { + file = ../../secrets/searx-environmentFile.age; + mode = "770"; + owner = "searx"; + }; + + littlelink-m3tam3re-env = { + file = ../../secrets/littlelink-m3tam3re-env.age; + mode = "770"; + }; + }; + identityPaths = [ "/root/.ssh/lkk-nix-1" ]; + }; + + nix = { + extraOptions = '' + experimental-features = nix-command + keep-outputs = true + keep-derivations = true + ''; + + settings = { + experimental-features = "nix-command flakes"; + trusted-users = [ "root" "m3tam3re" ]; + }; + gc = { + automatic = true; + options = "--delete-older-than 30d"; + }; + optimise.automatic = true; + registry = (lib.mapAttrs (_: flake: { inherit flake; })) + ((lib.filterAttrs (_: lib.isType "flake")) inputs); + nixPath = [ "/etc/nix/path" ]; + }; + + environment.etc = 
lib.mapAttrs' (name: value: { + name = "nix/path/${name}"; + value.source = value.flake; + }) config.nix.registry; + + systemd.extraConfig = '' + DefaultTimeoutStopSec=10s + ''; + nixpkgs = { + overlays = [ + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.stable-packages + ]; + config = { allowUnfree = true; }; + }; + + system.stateVersion = "23.05"; # Did you read the comment? +} diff --git a/hosts/m3-r1/hardware-configuration.nix b/hosts/m3-r1/hardware-configuration.nix new file mode 100644 index 0000000..2d69ed8 --- /dev/null +++ b/hosts/m3-r1/hardware-configuration.nix 
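Review bot: `firewall.allowedTCPPorts = [ 53 80 443 5432 3306 3478 ]` opens PostgreSQL (5432) and MariaDB (3306) on every interface, and `allowedTCPPortRanges` 3000–3100 explicitly admits the container ports that traefik is meant to front; with postgres.nix using `trust` authentication and the containers publishing on 0.0.0.0, this sidesteps the TLS/auth layer. Drop 5432, 3306 and the 3000–3100 range (traefik reaches the services on localhost) and bind the container ports to 127.0.0.1 as mautic.nix already does. Separately, `mode = "770"` on the age secrets grants group write and execute; `mode = "440"` with the matching `owner`/`group` is the usual shape, and `trusted-users` here carries the same root-equivalence caveat as on m3-nix.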
@@ -0,0 +1,53 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; + boot.initrd.kernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/5e3a0875-005c-49c4-9dbf-86e471e7e881"; + fsType = "btrfs"; + options = ["subvol=root" "compress=zstd"]; + }; + + fileSystems."/home" = { + device = "/dev/disk/by-uuid/5e3a0875-005c-49c4-9dbf-86e471e7e881"; + fsType = "btrfs"; + options = ["subvol=home" "compress=zstd"]; + }; + + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/5e3a0875-005c-49c4-9dbf-86e471e7e881"; + fsType = "btrfs"; + options = ["subvol=nix" "compress=zstd"]; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/A79C-4B9F"; + fsType = "vfat"; + }; + + swapDevices = []; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/m3-r1/services/container.nix b/hosts/m3-r1/services/container.nix new file mode 100644 index 0000000..3790e64 --- /dev/null +++ b/hosts/m3-r1/services/container.nix 
@@ -0,0 +1,13 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [./containers];
+
+ virtualisation.podman = {
+ enable = true;
+ defaultNetwork.settings = {dns_enabled = true;};
+ };
+ virtualisation.oci-containers.backend = "podman";
+}
diff --git a/hosts/m3-r1/services/containers/baserow.nix b/hosts/m3-r1/services/containers/baserow.nix
new file mode 100644
index 0000000..1659668
--- /dev/null
+++ b/hosts/m3-r1/services/containers/baserow.nix
@@ -0,0 +1,25 @@
+{ config, outputs, ... }: {
+ virtualisation.oci-containers.containers."baserow" = {
+ image = "docker.io/baserow/baserow:1.24.2";
+ environment = {
+ BASEROW_PUBLIC_URL = "https://br.m3tam3re.com";
+
+ POSTGRES_USER = "baserow";
+ POSTGRES_PASSWORD = "baserow";
+ POSTGRES_DB = "baserow";
+ DATABASE_HOST = "postgres";
+ DATABASE_NAME = "baserow";
+ DATABASE_USER = "baserow";
+ DATABASE_PASSWORD = "baserow";
+
+ EMAIL_SMTP = "in-v3.mailjet.com";
+ EMAIL_SMTP_HOST = "in-v3.mailjet.com";
+ EMAIL_SMTP_PORT = "587";
+ EMAIL_SMTP_USER = config.age.secrets.mj-smtp-user.path;
+ EMAIL_SMTP_PASSWORD = config.age.secrets.mj-smtp-pass.path;
+ };
+ ports = [ "3001:80" ];
+ volumes = [ "baserow_data:/baserow/data" ];
+ extraOptions = [ "--add-host=postgres:10.88.0.1" "--ip=10.88.0.11" ];
+ };
+}
diff --git a/hosts/m3-r1/services/containers/briefkasten.nix b/hosts/m3-r1/services/containers/briefkasten.nix
new file mode 100644
index 0000000..2671ab9
--- /dev/null
+++ b/hosts/m3-r1/services/containers/briefkasten.nix
@@ -0,0 +1,12 @@
+{
+ config,
+ outputs,
+ ...
+}: {
+ virtualisation.oci-containers.containers."briefkasten" = {
+ image = "docker.io/ndom91/briefkasten";
+ environmentFiles = [config.age.secrets.briefkasten-env.path];
+ ports = ["3009:3000"];
+ extraOptions = ["--add-host=postgres:10.88.0.1" "--ip=10.88.0.19"];
+ };
+}
diff --git a/hosts/m3-r1/services/containers/default.nix b/hosts/m3-r1/services/containers/default.nix
new file mode 100644
index 0000000..76edb8c
--- /dev/null
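Review bot: `EMAIL_SMTP_USER = config.age.secrets.mj-smtp-user.path` (and `EMAIL_SMTP_PASSWORD`) hands the container the host-side path of the decrypted secret rather than its contents, and that path is not mounted into the container, so SMTP authentication cannot work; put `EMAIL_SMTP_USER=…`/`EMAIL_SMTP_PASSWORD=…` lines into an age-encrypted env file and load it via `environmentFiles`, as briefkasten.nix and little-link.nix already do. In the same block `POSTGRES_PASSWORD`/`DATABASE_PASSWORD = "baserow"` end up in the world-readable Nix store; matomo.nix, mautic.nix and wordpress.nix have the same pattern, as does the `CREATE USER … PASSWORD` in postgres.nix. `ports = [ "3001:80" ]` also publishes on all interfaces although traefik proxies to localhost; `"127.0.0.1:3001:80"` (the form mautic.nix uses) keeps it off the public side, and the same applies to little-link.nix, matomo.nix, nginx.nix, nextcloud.nix, wordpress.nix and the wg-easy UI port in containers/wireguard.nix.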
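Review bot: `config.age.secrets.briefkasten-env.path` refers to a secret that hosts/m3-r1/default.nix does not declare (it declares vaultwarden-env, n8n-env, traefik-env, searx-environmentFile and littlelink-m3tam3re-env), so evaluation will fail as soon as the `# ./briefkasten.nix` import in containers/default.nix is re-enabled. Either add `briefkasten-env.file = ../../secrets/briefkasten-env.age;` to the host's `age.secrets` or drop the file until it is needed.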
+++ b/hosts/m3-r1/services/containers/default.nix @@ -0,0 +1,12 @@ +{ + imports = [ + ./baserow.nix + # ./briefkasten.nix + ./little-link.nix + ./matomo.nix + ./mautic.nix + # ./nextcloud.nix + ./nginx.nix + # ./wordpress.nix + ]; +} diff --git a/hosts/m3-r1/services/containers/little-link.nix b/hosts/m3-r1/services/containers/little-link.nix new file mode 100644 index 0000000..126c3b6 --- /dev/null +++ b/hosts/m3-r1/services/containers/little-link.nix @@ -0,0 +1,12 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."littlelink_m3tam3re" = { + image = "ghcr.io/techno-tim/littlelink-server"; + environmentFiles = [config.age.secrets.littlelink-m3tam3re-env.path]; + ports = ["3011:3000"]; + extraOptions = ["--ip=10.88.0.21"]; + }; +} diff --git a/hosts/m3-r1/services/containers/matomo.nix b/hosts/m3-r1/services/containers/matomo.nix new file mode 100644 index 0000000..326ee12 --- /dev/null +++ b/hosts/m3-r1/services/containers/matomo.nix @@ -0,0 +1,19 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."matomo" = { + image = "docker.io/matomo"; + environment = { + MATOMO_DATABASE_HOST = "mysql"; + MATOMO_DATABASE_USERNAME = "matomo"; + MATOMO_DATABASE_PASSWORD = "matomo"; + MATOMO_DATABASE_DBNAME = "matomo"; + PHP_MEMORY_LIMIT = "2048M"; + }; + ports = ["3003:80"]; + volumes = ["matomo_data:/var/www/html"]; + extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.13"]; + }; +} diff --git a/hosts/m3-r1/services/containers/mautic.nix b/hosts/m3-r1/services/containers/mautic.nix new file mode 100644 index 0000000..73b9639 --- /dev/null +++ b/hosts/m3-r1/services/containers/mautic.nix 
@@ -0,0 +1,20 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."mautic" = { + image = "docker.io/mautic/mautic:v4-apache"; + environment = { + MAUTIC_DB_HOST = "mysql"; + MAUTIC_DB_USER = "mautic"; + MAUTIC_DB_PASSWORD = "mautic"; + MAUTIC_DB_DBNAME = "mautic"; + PHP_MEMORY_LIMIT = "2048M"; + MAUTIC_RUN_CRON_JOBS = "true"; + }; + ports = ["127.0.0.1:3008:80"]; + volumes = ["mautic_data:/var/www/html"]; + extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.23"]; + }; +} diff --git a/hosts/m3-r1/services/containers/nextcloud.nix b/hosts/m3-r1/services/containers/nextcloud.nix new file mode 100644 index 0000000..e61191c --- /dev/null +++ b/hosts/m3-r1/services/containers/nextcloud.nix @@ -0,0 +1,18 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."nextcloud" = { + image = "docker.io/nextcloud"; + environment = { + TRUSTED_PROXIES = "10.88.0.1/16"; + OVERWRITEPROTOCOL = "https"; + OVERWRITECLIURL = "https://cloud.lanakk.com"; + OVERWRITEHOST = "cloud.lanakk.com"; + }; + ports = ["3005:80"]; + volumes = ["nextcloud_data:/var/www/html"]; + extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.15"]; + }; +} diff --git a/hosts/m3-r1/services/containers/nginx.nix b/hosts/m3-r1/services/containers/nginx.nix new file mode 100644 index 0000000..c2da3d3 --- /dev/null +++ b/hosts/m3-r1/services/containers/nginx.nix @@ -0,0 +1,8 @@ +{ config, outputs, ... }: { + virtualisation.oci-containers.containers."http-images" = { + image = "docker.io/nginx:alpine"; + ports = [ "3012:80" ]; + volumes = [ "/var/www/m3tam3re.com/www:/usr/share/nginx/html" ]; + extraOptions = [ "--ip=10.88.0.22" ]; + }; +} diff --git a/hosts/m3-r1/services/containers/wireguard.nix b/hosts/m3-r1/services/containers/wireguard.nix new file mode 100644 index 0000000..29d5b8b --- /dev/null +++ b/hosts/m3-r1/services/containers/wireguard.nix 
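Review bot: `TRUSTED_PROXIES = "10.88.0.1/16"` trusts the whole podman subnet, so any container on the bridge can forge `X-Forwarded-*` headers toward Nextcloud; the reverse proxy is traefik on the host, which reaches the container from the bridge gateway, so `10.88.0.1/32` is the tighter value, and a host address with a /16 mask reads as a typo for `10.88.0.0/16` in any case. nextcloud.nix is still commented out in containers/default.nix, so this is latent.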
@@ -0,0 +1,22 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."wireguard" = { + image = "docker.io/weejewel/wg-easy"; + environment = { + WG_HOST = "wg.lanakk.com"; + WG_DEFAULT_DNS = "10.88.0.1:5353"; + }; + ports = ["3007:51821/tcp" "51820:51820/udp"]; + volumes = ["wireguard_data:/etc/wireguard"]; + extraOptions = [ + "--cap-add=NET_ADMIN" + "--cap-add=SYS_MODULE" + "--sysctl=net.ipv4.conf.all.src_valid_mark=1" + "--sysctl=net.ipv4.ip_forward=1" + "--ip=10.88.0.17" + ]; + }; +} diff --git a/hosts/m3-r1/services/containers/wordpress.nix b/hosts/m3-r1/services/containers/wordpress.nix new file mode 100644 index 0000000..45bcdd1 --- /dev/null +++ b/hosts/m3-r1/services/containers/wordpress.nix @@ -0,0 +1,18 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."lanakk_blog" = { + image = "docker.io/wordpress"; + environment = { + WORDPRESS_DB_HOST = "mysql"; + WORDPRESS_DB_USER = "wp"; + WORDPRESS_DB_PASSWORD = "wp"; + WORDPRESS_DB_NAME = "lanakk_blog"; + }; + ports = ["3002:80"]; + volumes = ["lanakk_blog_data:/var/www/html"]; + extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.12"]; + }; +} diff --git a/hosts/m3-r1/services/default.nix b/hosts/m3-r1/services/default.nix new file mode 100644 index 0000000..bad37e3 --- /dev/null +++ b/hosts/m3-r1/services/default.nix @@ -0,0 +1,14 @@ +{ + imports = [ + ./container.nix + ./gitea.nix + ./mariadb.nix + # ./n8n.nix + ./postgres.nix + ./searx.nix + ./syncthing.nix + # ./tailscale.nix + ./traefik.nix + # ./vaultwarden.nix + ]; +} diff --git a/hosts/m3-r1/services/gitea.nix b/hosts/m3-r1/services/gitea.nix new file mode 100644 index 0000000..47fdd45 --- /dev/null +++ b/hosts/m3-r1/services/gitea.nix 
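Review bot: `--cap-add=SYS_MODULE` lets the wg-easy container load arbitrary kernel modules on the host, which is equivalent to host root; the capability is only needed where the host kernel lacks the wireguard module, which is not the case on a current NixOS kernel, so keep only `--cap-add=NET_ADMIN` and the two sysctls and verify the tunnel still comes up. If module loading really is required, `boot.kernelModules = ["wireguard"];` on the host is the safer place for it. The admin UI on 3007/tcp falls inside the 3000–3100 range opened in hosts/m3-r1/default.nix and the visible part of traefik.nix has no router for it, so it should be bound to 127.0.0.1 and reached through traefik.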
@@ -0,0 +1,16 @@ +{ + config, + pkgs, + ... +}: { + services.gitea = { + enable = true; + settings.server.ROOT_URL = "https://code.m3tam3re.com"; + lfs.enable = true; + dump = { + enable = true; + interval = "03:30:00"; + backupDir = "/var/backup/gitea"; + }; + }; +} diff --git a/hosts/m3-r1/services/mariadb.nix b/hosts/m3-r1/services/mariadb.nix new file mode 100644 index 0000000..2930f5e --- /dev/null +++ b/hosts/m3-r1/services/mariadb.nix @@ -0,0 +1,15 @@ +{ + pkgs, + config, + ... +}: { + services.mysql = { + enable = true; + package = pkgs.mariadb; + }; + services.mysqlBackup = { + enable = true; + calendar = "03:00:00"; + databases = ["matomo"]; + }; +} diff --git a/hosts/m3-r1/services/n8n.nix b/hosts/m3-r1/services/n8n.nix new file mode 100644 index 0000000..46e76c3 --- /dev/null +++ b/hosts/m3-r1/services/n8n.nix @@ -0,0 +1,18 @@ +{ + config, + pkgs, + ... +}: { + services.n8n = { + enable = true; + openFirewall = true; + settings = { + host = "wf.lanakk.com"; + protocol = "https"; + editorBaseUrl = "https://wf.lanakk.com"; + }; + }; + systemd.services.n8n.serviceConfig = { + EnvironmentFile = "${config.age.secrets.n8n-env.path}"; + }; +} diff --git a/hosts/m3-r1/services/postgres.nix b/hosts/m3-r1/services/postgres.nix new file mode 100644 index 0000000..1a5c584 --- /dev/null +++ b/hosts/m3-r1/services/postgres.nix 
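Review bot: `openFirewall = true` in n8n.nix opens n8n's listener on every interface while traefik.nix proxies `n8n` to `http://localhost:5678/` behind TLS, so the direct listener duplicates the path the reverse proxy is meant to guard; drop `openFirewall` (or set it to `false`) and let traefik be the only entry point. n8n.nix is currently commented out in services/default.nix, so this is latent.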
@@ -0,0 +1,28 @@
+{
+ pkgs,
+ config,
+ ...
+}: {
+ services.postgresql = {
+ enable = true;
+ enableTCPIP = true;
+ package = pkgs.postgresql_15;
+ authentication = pkgs.lib.mkOverride 10 ''
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ host all all 10.88.0.1/16 trust
+ '';
+ initialScript = pkgs.writeText "backend-initScript" ''
+ CREATE USER baserow WITH ENCRYPTED PASSWORD 'baserow';
+ CREATE DATABASE baserow;
+ GRANT ALL PRIVILEGES ON DATABASE baserow TO baserow;
+ ALTER DATABASE baserow OWNER to baserow;
+ '';
+ };
+ services.postgresqlBackup = {
+ enable = true;
+ startAt = "03:10:00";
+ databases = ["baserow"];
+ };
+}
diff --git a/hosts/m3-r1/services/searx.nix b/hosts/m3-r1/services/searx.nix
new file mode 100644
index 0000000..00795f0
--- /dev/null
+++ b/hosts/m3-r1/services/searx.nix
@@ -0,0 +1,10 @@
+{pkgs, ...}: {
+ services.searx = {
+ enable = true;
+ package = pkgs.searxng;
+ settings = {
+ server.port = 3004;
+ server.secret_key = "@SEARX_SECRET_KEY@";
+ };
+ };
+}
diff --git a/hosts/m3-r1/services/syncthing.nix b/hosts/m3-r1/services/syncthing.nix
new file mode 100644
index 0000000..c49d16e
--- /dev/null
+++ b/hosts/m3-r1/services/syncthing.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.syncthing = {
+ enable = true;
+ openDefaultPorts = true;
+ guiAddress = "0.0.0.0:8384";
+ overrideDevices = true;
+ overrideFolders = true;
+ settings = {
+ devices = {
+ "LK-DATA" = {
+ id = "BI7CMZF-2SGQMXW-RG47HRG-FEH454J-ZTCE544-BXNSCSJ-PXCE7A7-R4CX2Q3";
+ };
+ };
+ folders = {
+ "Bildvorschauen" = {
+ path = "/opt/service-data/http-images";
+ devices = ["LK-DATA"];
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/m3-r1/services/tailscale.nix b/hosts/m3-r1/services/tailscale.nix
new file mode 100644
index 0000000..cbb3cee
--- /dev/null
+++ b/hosts/m3-r1/services/tailscale.nix
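Review bot: `host all all 10.88.0.1/16 trust` together with `enableTCPIP = true` lets any client on the podman subnet log in as any role, including the `postgres` superuser, without a password, so one compromised container owns every database; use `host all all 10.88.0.0/16 scram-sha-256` and give each service its own role and database. `local all all trust` similarly makes every local Unix user a superuser; `peer` is the conventional value there. The `initialScript` embeds `PASSWORD 'baserow'` in the Nix store, so the password should be set from a secret file out of band, and 5432 should not also be in the host firewall list in hosts/m3-r1/default.nix.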
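Review bot: `server.secret_key = "@SEARX_SECRET_KEY@"` is the placeholder the NixOS searx module substitutes from `services.searx.environmentFile`, but this file never sets `environmentFile`, so unless it is set elsewhere the literal placeholder becomes the session secret. The host already declares a `searx-environmentFile` age secret owned by `searx`; wire it up with `environmentFile = config.age.secrets.searx-environmentFile.path;` and add `config` to the function arguments.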
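Review bot: `guiAddress = "0.0.0.0:8384"` exposes the Syncthing GUI and REST API on every interface, including `tailscale0`, which tailscale.nix in this commit fully trusts, while traefik only needs `http://localhost:8384/`; use `guiAddress = "127.0.0.1:8384";`. No `settings.gui.user`/`password` is set in this hunk, so whether the GUI is authenticated depends on the traefik `syncthing` router's middleware, which lies outside the visible part of traefik.nix and is worth confirming.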
@@ -0,0 +1,42 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ };
+ networking.firewall = {
+ trustedInterfaces = ["tailscale0"];
+ };
+ systemd.services.tailscale-autoconnect = {
+ description = "Automatic connection to Tailscale";
+
+ # make sure tailscale is running before trying to connect to tailscale
+ after = ["network-pre.target" "tailscale.service"];
+ wants = ["network-pre.target" "tailscale.service"];
+ wantedBy = ["multi-user.target"];
+
+ # set this service as a oneshot job
+ serviceConfig = {
+ Type = "oneshot";
+ EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
+ };
+
+ # have the job run this shell script
+ script = with pkgs; ''
+ # wait for tailscaled to settle
+ sleep 2
+
+ # check if we are already authenticated to tailscale
+ status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+ if [ $status = "Running" ]; then # if so, then do nothing
+ exit 0
+ fi
+
+ # otherwise authenticate with tailscale
+ ${tailscale}/bin/tailscale up --advertise-exit-node --authkey $TAILSCALE_KEY
+ '';
+ };
+}
diff --git a/hosts/m3-r1/services/traefik.nix b/hosts/m3-r1/services/traefik.nix
new file mode 100644
index 0000000..a10085c
--- /dev/null
+++ b/hosts/m3-r1/services/traefik.nix
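Review bot: `if [ $status = "Running" ]` and `--authkey $TAILSCALE_KEY` use unquoted expansions: when `tailscale status -json` fails, `$status` is empty and the test becomes a shell syntax error that falls through to `tailscale up`, and an unset `TAILSCALE_KEY` is passed as no argument at all. Quote both — `if [ "$status" = "Running" ]; then` and `--authkey "$TAILSCALE_KEY"` — and since NixOS runs `script` with `-e`, a `set -o pipefail` at the top stops the `jq` stage from masking a failed status query. `--advertise-exit-node` together with `useRoutingFeatures = "both"` turns this host into an exit node for the tailnet; a comment stating that this is intended would save the next reader from wondering whether it was copied from the wiki example.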
@@ -0,0 +1,171 @@
+{ config, ... }: {
+ services.traefik = {
+ enable = true;
+ staticConfigOptions = {
+ log = { level = "WARN"; };
+ certificatesResolvers = {
+ lets-encrypt = {
+ acme = {
+ email = "acc@m3tam3re.com";
+ storage = "/var/lib/traefik/acme.json";
+ tlsChallenge = { };
+ };
+ };
+ };
+ api = { };
+ entryPoints = {
+ web = {
+ address = ":80";
+ http.redirections.entryPoint = {
+ to = "websecure";
+ scheme = "https";
+ };
+ };
+ websecure = { address = ":443"; };
+ };
+ };
+ dynamicConfigOptions = {
+ http = {
+ middlewares = {
+ auth = {
+ basicAuth = {
+ users = [ "m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh." ];
+ };
+ };
+ nextcloud_redirectregex = {
+ redirectRegex = {
+ permanent = true;
+ regex = "https://(.*)/.well-known/(?:card|cal)dav";
+ replacement = "https://\${1}/remote.php/dav";
+ };
+ };
+ nextcloud_headers = {
+ headers = {
+ referrerPolicy = "no-referrer";
+ stsSeconds = "31536000";
+ forceSTSHeader = true;
+ stsPreload = true;
+ stsIncludeSubdomains = true;
+ };
+ };
+ };
+ services = {
+ baserow.loadBalancer.servers = [{ url = "http://localhost:3001/"; }];
+ gitea.loadBalancer.servers = [{ url = "http://localhost:3000/"; }];
+ n8n.loadBalancer.servers = [{ url = "http://localhost:5678/"; }];
+ littlelink-m3tam3re.loadBalancer.servers =
+ [{ url = "http://localhost:3011/"; }];
+ matomo.loadBalancer.servers = [{ url = "http://localhost:3003/"; }];
+ searx.loadBalancer.servers = [{ url = "http://localhost:3004/"; }];
+ mautic.loadBalancer.servers = [{ url = "http://localhost:3008/"; }];
+ m3tam3re.loadBalancer.servers = [{ url = "http://localhost:3012/"; }];
+ syncthing.loadBalancer.servers =
+ [{ url = "http://localhost:8384/"; }];
+ vaultwarden.loadBalancer.servers =
+ [{ url = "http://localhost:3014/"; }];
+ };
+ routers = {
+ api = {
+ rule = "Host(`r.m3tam3re.com`)";
+ tls = { certResolver = "lets-encrypt"; };
+ service = "api@internal";
+ middlewares = "auth";
+ entrypoints = "websecure";
+ };
+ baserow = {
+ rule = 
"Host(`br.m3tam3re.com`)"; + tls = { certResolver = "lets-encrypt"; }; + service = "baserow"; + entrypoints = "websecure"; + }; + gitea = { + rule = "Host(`code.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "code.m3tam3re.com"; + }; + service = "gitea"; + entrypoints = "websecure"; + }; + littlelink-m3tm3re = { + rule = "Host(`links.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "links.m3tam3re.com"; + }; + service = "littlelink-m3tam3re"; + entrypoints = "websecure"; + }; + n8n = { + rule = "Host(`io.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "io.m3tam3re.com"; + }; + service = "n8n"; + entrypoints = "websecure"; + }; + m3tam3re = { + rule = "Host(`www.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "www.m3tam3re.com"; + }; + service = "m3tam3re"; + entrypoints = "websecure"; + }; + matomo-m3tam3re = { + rule = "Host(`stats.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "stats.m3tam3re.com"; + }; + service = "matomo"; + entrypoints = "websecure"; + }; + searx = { + rule = "Host(`search.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "search.m3tam3re.com"; + }; + service = "searx"; + entrypoints = "websecure"; + }; + mautic = { + rule = "Host(`ma.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "ma.m3tam3re.com"; + }; + service = "mautic"; + entrypoints = "websecure"; + }; + syncthing = { + rule = "Host(`sync.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "sync.m3tam3re.com"; + }; + service = "syncthing"; + entrypoints = "websecure"; + }; + vaultwarden = { + rule = "Host(`vw.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "vw.m3tam3re.com"; + }; + service = "vaultwarden"; + middlewares = "auth"; + entrypoints = "websecure"; + }; + }; + }; + }; + }; + + systemd.services.traefik.serviceConfig = { + EnvironmentFile = [ 
"${config.age.secrets.traefik-env.path}" ]; + }; +} diff --git a/hosts/m3-r1/services/vaultwarden.nix b/hosts/m3-r1/services/vaultwarden.nix new file mode 100644 index 0000000..8f0ef03 --- /dev/null +++ b/hosts/m3-r1/services/vaultwarden.nix @@ -0,0 +1,11 @@ +{ + config, + pkgs, + ... +}: { + services.vaultwarden = { + enable = true; + backupDir = "/var/backup/vaultwarden"; + environmentFile = "${config.age.secrets.vaultwarden-env.path}"; + }; +} diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix new file mode 100644 index 0000000..ab08ee4 --- /dev/null +++ b/modules/nixos/default.nix @@ -0,0 +1 @@ +{ordercollect = import ./ordercollect.nix;} diff --git a/modules/nixos/ordercollect.nix b/modules/nixos/ordercollect.nix new file mode 100644 index 0000000..cc7c72a --- /dev/null +++ b/modules/nixos/ordercollect.nix @@ -0,0 +1,32 @@ +{ + config, + lib, + ... +}: +with lib; let + cfg = config.services.ordercollect; +in { + options.services.ordercollect = { + enable = mkEnableOption "Enable Ordercollect"; + port = mkOption { + type = types.str; + description = "The http port to run on"; + default = ""; + }; + package = mkOption { + type = types.package; + default = pkgs.ordercollect; + description = '' + The package for ordercollect + ''; + }; + }; + config = mkIf cfg.enable { + environment.systemPackages = [cfg.package]; + + systemd.services.ordercollect = { + ExecStart = "${cfg.package}/bin/ordercollect --port ${cfg.port}"; + Restart = "on-failure"; + }; + }; +} diff --git a/overlays/default.nix b/overlays/default.nix new file mode 100644 index 0000000..afe22df --- /dev/null +++ b/overlays/default.nix 
@@ -0,0 +1,20 @@
+{inputs, ...}: {
+ # This one brings our custom packages from the 'pkgs' directory
+ additions = final: _prev: import ../pkgs {pkgs = final;};
+
+ # This one contains whatever you want to overlay
+ # You can change versions, add patches, set compilation flags, anything really.
+ # https://nixos.wiki/wiki/Overlays
+ modifications = final: prev: {
+ # example = prev.example.overrideAttrs (oldAttrs: rec {
+ # ...
+ # });
+ };
+
+ stable-packages = final: _prev: {
+ stable = import inputs.nixpkgs-stable {
+ system = final.system;
+ config.allowUnfree = true;
+ };
+ };
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
new file mode 100644
index 0000000..08af3e7
--- /dev/null
+++ b/pkgs/default.nix
@@ -0,0 +1,5 @@
+{pkgs, ...}: {
+ wofi-pass = pkgs.callPackage ./wofi-pass {};
+ ordercollect = pkgs.callPackage ./ordercollect {};
+ zellij-ps = pkgs.callPackage ./zellij-ps {};
+}
diff --git a/pkgs/ordercollect/default.nix b/pkgs/ordercollect/default.nix
new file mode 100644
index 0000000..4517eb9
--- /dev/null
+++ b/pkgs/ordercollect/default.nix
@@ -0,0 +1,26 @@
+{
+ buildGoModule,
+ fetchFromGitea,
+ lib,
+}:
+buildGoModule rec {
+ pname = "ordercollect";
+ version = "0.1.0";
+
+ src = fetchFromGitea {
+ domain = "code.lanakk.com";
+ owner = "LANAKK";
+ repo = "ordercollect";
+ rev = "9ecbfa46f6758214aa2fcee7ad96aa7730301a06";
+ hash = "sha256-n4njl7LwG6GuoTj7x3rWOjErZ/a1Fog0qAymYxvsR2w=";
+ };
+
+ vendorHash = "sha256-G6k331XRuVN/cM4sNcdUV9/BzdISQI7Ljc4tesJnmH0=";
+
+ meta = with lib; {
+ description = "A simple Api for creating orders, written in Go";
+ homepage = "https://code.lanakk.com/LANAKK/ordercollect";
+ license = licenses.mit;
+ maintainers = with maintainers; [m3tam3re];
+ };
+}
diff --git a/pkgs/wofi-pass/default.nix b/pkgs/wofi-pass/default.nix
new file mode 100644
index 0000000..ab77c5b
--- /dev/null
+++ b/pkgs/wofi-pass/default.nix
@@ -0,0 +1,29 @@
+{
+ stdenv,
+ lib,
+ fetchFromGitHub,
+ bash,
+ pkgs,
+ makeWrapper,
+}:
+with lib;
+with pkgs;
+ stdenv.mkDerivation {
+ pname = "wofi-pass";
+ version = "0.1";
+ src = fetchFromGitHub {
+ owner = "TinfoilSubmarine";
+ repo = "wofi-pass";
+ rev = "869c545";
+ sha256 = "gcfW8E/3/dqv0P3S4z9fDv8k4R7czcIKwpo/OHFFWj0=";
+ };
+ buildInputs = [bash coreutils wl-clipboard wofi wtype];
+
+ nativeBuildInputs = [makeWrapper];
+ installPhase = ''
+ mkdir -p $out/bin
+ cp wofi-pass $out/bin/wofi-pass
+ wrapProgram $out/bin/wofi-pass \
+ --prefix PATH : ${makeBinPath [bash coreutils wl-clipboard wofi wtype]}
+ '';
+ }
diff --git a/pkgs/zellij-ps/default.nix b/pkgs/zellij-ps/default.nix
new file mode 100644
index 0000000..2918fe6
--- /dev/null
+++ b/pkgs/zellij-ps/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchFromGitea, fish, fd, fzf, pkgs, zellij, }:
+with lib;
+with pkgs;
+stdenv.mkDerivation rec {
+ pname = "zellij-ps";
+ version = "0.1.0";
+
+ src = fetchFromGitea {
+ domain = "code.m3tam3re.com";
+ owner = "m3tam3re";
+ repo = "helper-scripts";
+ rev = "25cd4f662c2a7d1a5091ad30810c458627fdba5a";
+ sha256 = "0lw1qmn18i1s21ljmsdy2x034x19gad8krml9iggksn3c31haz9m";
+ };
+
+ buildInputs = [ fish fd fzf zellij ];
+
+ nativeBuildInputs = [ makeWrapper ];
+ installPhase = ''
+ mkdir -p $out/bin
+ cp zellij-ps.fish $out/bin/zellij-ps
+ wrapProgram $out/bin/zellij-ps \
+ --prefix PATH : ${lib.makeBinPath [ fish fd fzf zellij ]}
+ '';
+
+ meta = with lib; {
+ description = "A small project script for zellij";
+ homepage = "https://code.m3tam3re.com/m3tam3re/helper-scripts";
+ license = licenses.mit;
+ maintainers = with maintainers; [ m3tam3re ];
+ platforms = platforms.unix;
+ };
+}
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..d7c9327
--- /dev/null
+++ b/secrets.nix
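Review bot: `rev = "869c545"` pins the upstream source by an abbreviated 7-character commit id; `sha256` still guarantees the fetched content, but abbreviated ids are not guaranteed unique as the upstream repository grows and a later fetch can fail to resolve — use the full 40-character commit hash, as `pkgs/zellij-ps` in this commit already does. The derivation also takes `pkgs` as an argument and relies on `with pkgs;` for `coreutils`, `wl-clipboard`, `wofi` and `wtype`; naming them in the argument set like `bash` and `makeWrapper` keeps the dependency list explicit for `callPackage`. The indented `stdenv.mkDerivation {` following `with pkgs;` looks like a formatter slip rather than intent.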
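Review bot: `nativeBuildInputs = [ makeWrapper ]` depends on `makeWrapper` arriving through `with pkgs;` because it is missing from the function's argument set, while every other build dependency is declared there; add `makeWrapper` to the arguments and drop the `pkgs`/`with pkgs;` indirection so `callPackage` injects every dependency explicitly. `rec` on `stdenv.mkDerivation` is unused here, since no attribute refers back to `pname` or `version`.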
@@ -0,0 +1,39 @@
+let
+ system =
+ "ssh-rsa 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";
+in {
+ "secrets/mj-smtp-user.age".publicKeys = [ system ];
+ "secrets/mj-smtp-pass.age".publicKeys = [ system ];
+
+ "secrets/n8n-env.age".publicKeys = [ system ];
+ "secrets/n8n-m3r1.age".publicKeys = [ system ];
+
+ "secrets/godaddy-api-key.age".publicKeys = [ system ];
+ "secrets/godaddy-api-secret.age".publicKeys = [ system ];
+
+ "secrets/searx-environmentFile.age".publicKeys = [ system ];
+
+ "secrets/tailscale-key.age".publicKeys = [ system ];
+ "secrets/wg-key.age".publicKeys = [ system ];
+
+ "secrets/briefkasten-env.age".publicKeys = [ system ];
+
+ "secrets/littlelink-lanakk-env.age".publicKeys = [ system ];
+ "secrets/littlelink-m3tam3re-env.age".publicKeys = [ system ];
+
+ "secrets/m3tam3re-secrets.age".publicKeys = [ system ];
+
+ "secrets/traefik-env.age".publicKeys = [ system ];
+
+ "secrets/metabase-env.age".publicKeys = [ system ];
+ "secrets/ordercollector-env.age".publicKeys = [ system ];
+
+ "secrets/baserow-env.age".publicKeys = [ system ];
+
+ "secrets/pgadmin.age".publicKeys = [ system ];
+
+ "secrets/minio-system-cred.age".publicKeys = [ system ];
+ "secrets/openai.age".publicKeys = [ system ];
+
+ "secrets/vaultwarden-env.age".publicKeys = [ system ];
+}
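Review bot: The rules file names `secrets/minio-system-cred.age`, but the file this commit adds is `secrets/minio-root-cred.age`, so that secret has no rule and the listed name has no file; several other listed names (`ordercollector-env`, `godaddy-*`, `wg-key`, `littlelink-lanakk-env`) have no corresponding file in the part of the diff visible here, which may be the same kind of drift. Every secret is encrypted to the single `system` host key and no operator key is listed, which means editing or re-keying any secret requires that host's private key; adding an administrator key to each `publicKeys` list is the usual arrangement for agenix rules. A header comment naming which host the `system` key belongs to would help, since the key material itself is the only identifier.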
diff --git a/secrets/baserow-env.age b/secrets/baserow-env.age new file mode 100644 index 0000000000000000000000000000000000000000..be441e47d07f76bb3920392fc39410087ab5046e GIT binary patch literal 1177 zcmWmC`;XHE003YxfKcuXZ@dV&z~O}}W9zzh+j$&p*S)vyy{^p#uie@`+O=J`b?ZWo zaPR}32|+{xNDPO9JmTYc>0v@LK;S%LBoIQt!~lARgaASW0VT%oZ}{jet7pZuqRExK zB(9Q_tU-kUeUGkO&gqpht-~UM(^3Oc8o|RL=xNx*Ml9<}D;Q<+^PrhQd57lorA;&g zqqSf>l=1kBl;2&H9XMoEct&PSNvoCuN`a6KBgsn6ig0i&m1W&!#)>=Td?=jC;bo$b zNEB=VT8btW*u=^-XD~^59%A5f(3Ol?s{kZX4W&HS7S_;EpSFG z!zu;XkSs7suisg&L?yYanzyZ z;4ETb(t$c2MMW*nfz~uFV#S0Tv{k)Sfup?uvR1o=Ch-`CQ==U}Z2hE9Dq8U7({z4uLD2{Vc}fM;Y7=X4IL3fh;QtyieO6)VGOHu|-THMLsKar) z6zr?+gI6Ukp1o{MyvT3z=(upD^z?)!Hv3E%i1Q|2z}+9%!~`=-Ayz2M-3 z(&TkSZ@>Jx{pzM2cVw;V9US|0X!aMkw@r67U)&fQ!JZwQ1a0pj)s@5c%iGtC+@AB} zJ3qgCJhFV_$L|eZIaK=LYv$<@_e*uXedDv!A9_Z=x-&Qt8JLo4J#zkVyv5uxx#f-S znIqSy3cGHN2Z88<1J66JkdsS$K6`k!&-OT&jrB7Z+ai%0H|O8~Qg9HXQuD9ft)tzm zTj!mO`|A zdv*D>Df|8n=@wsjki4{Y#ondO%?mr0ZMoL=+PS0H+C4je+x*?Wsm|C$ed&&AgJ)J# zEuD*JUB7#3!S{XOKSO=UEvx4o-*tJHqh++~$@V{k$J*OwH1EeQqO+w~Pe)UEoZ21h z#dogieSVDpX#Caju4&Jf__zM_`!DV6tKoqD;L5kZeLB2o#a`jn@QeNFjZ4xCcb*=f PXkHrlWd5!t8_xU(NYBJd literal 0 HcmV?d00001 
diff --git a/secrets/briefkasten-env.age b/secrets/briefkasten-env.age new file mode 100644 index 0000000000000000000000000000000000000000..d43467276d2939587ab3543364e6eaa121a5c562 GIT binary patch literal 1023 zcmWmCZEq6=003Z_2y!7Tum#zKrDmCKsonK%y|(8fv+ecTYp?C~*6Vtw%(QpcyI!w% zz4qE`tB4B$m1HbvgqbP6u_)-w;$n=zGzN{4=y>r1L^0VwV+Z3SvCv0HmFx5unqx^owjOKc2ufa8u}|Vv!;HD1*if zR-@!>%+1FMd(H{PsuV_&R*07*d&Hlqv9wGTDrgjd6e<%G>0&U;W%y9d$}5&tRpm-O zX-asjs<0;0V#6H5qukJ#Csa(u$GpW{fa7%65NbvVz^4}=IU4klC=1ariZhK&yyY+s%jB6z}YBMF-~m3MbVS6i_J8LImdz- z3{MZ?go&gLDN!$&2Co{y0B8tR9RraV%$VLlqUqr^w^}zb%}`5V1J{B7YxFw@{P{kIR1vdP(WWZl z-I0K3>m5(UNZSLXtF+7Z$ZoSiHi0CFE2Wy1z%53jgSl3bs0WhuFp9-_z~OM%V6!0` zkOpV)q8R{Hh6o^L3n`67>6C>fVxpO-8cN0MOged>eMatNk-(-IPw#AL$I7-hwve;v zj=yH-9b4!@v(`*nNwy5}#AoHp(U3`@LuQGo$19#EB2LKfbzm`h0);RTS>*yEWdk_0EQT zu;=X&Hl$g{u9L)QlLuVRbC?;QWNR@wOEmpAG4sk_RZllOWj_IVD}Z_!7u zz~2u{?VEq}{M`Jo^wm^x!~Ul>FSqSK3v_jLJY+v`lR0)sa@J0M`cwD9g|}Be-um3Y z+DI32TkSsc$w6Zy^YZGhfz`!Jf56{qdVxNIySkQMyVf>+W6zDfBFtXN;bwfd6SV41I zVrpekPFGEQ(;7Ea#cxgV^nx(VKib< za%)p}dPzrcNJwr^Z#gq!ct>+XVnkPNdRA_7Z%0p7LkcfKHdJt8bzxafNOp2_M00jS zNmVd(M{;&qWll;|OjdGlMrU(LQY%7EFm8EaM{!eYc6xa;azbe<~ zSTJ`vXm@8zHcDbLLOCmBaAG!ZHCit-RAOUAdNXuVWpz+UR#`B4Xf#`Ddtk*Ej}Py zCt5rrPHa^zXL4m>b7dexI5S>9AUt+2c5NVPdUI+rL@p{IVrMX53TZWVW_3 zWob!6dT3L4Xi{b{O>$OqGea+GcTqEPOj2=ALqRKOcvCrcIZtUc3N0-yAVOs~M{Ra5 zZf|O1IC4!^cQ$1>OQZZHY7y(GN>7_uXtNO`9NhY$a&N7W>| zla{DFYjOhlgoD3QlD0Scu}-egfmTZ-H^B)O!n}N~Hw3IqL-SXqb8QdXBPV17xE7Ii8!pl~!nBq}nr=5mA z9Lgtdf|1{c!e4zb#&k)6+3!5;Av2lbMWnYPCRExk4}LU48*ohIft%a!TtsBl z$$KIgykUhvpD>#R*5}V2($)O+^=QdZSiukwK~)%F;9;e!|NF`2t#lnyX9#rly?r^% z866^?-~Dy0&P{YzV`>UxwkwSNk(r{!c0=|d+q5LQjnO-(Fpd=l5X%w)P zDMGR|&k4x|KP{DixOLj-MX#SKE^^`afI3)HlC8EsEo%V{Zg*lTtR;7;NTDC-&I@E9 zCL!G6Z(>%m9h5d<4x^qB{BDue7R_pm$KvQVHgIoxUkMA5s(hwC0!FsB^tbU`Q~Pd1 zya)3ULvn;+j~3MCKQaOon+PvraxWX66EKep!i~q*5G(|{7;x7*6Y@Qc^<)bdv>Ji9GOLcx8S>Thy)ls7o<+qRuleI2M0A^mq`xh`So$dEcduI4}_

J#TH7Bd@0PaQ#TYxhj?w08p=}TgnWZ*i+Pe1 z7!MWSvV-buoXRs(_4fTHj-dyU4{50ww8k}bB>b#BY!AV2YcBLd@CGDvsO*-OxiTH# znxNW>)AoI^$ik(x3HB@`W$gmo3X92eLIZr_SGILYNO|*goI}81u{;j~I-?8o$(!%7r%bahyR}`9M|d^LDIc4?PUj))BVQZZDAi z)x1Uk`uM>1H?)13GuEtfQOvs4-65HPuFDq?OE%RXB0x=;1{ z_(ctPQd?a@X`~ZRg;-tm!JmfGqyudEb6c3J*Q=_kJH(+6{W}6R56IT$%m$G-mU-kj z?W&4(##(_iFr z#@Qp2TMYFWt_!Hsl|S5IB=T{u)?s@c_eh>4xO@WP?k8A;Xl#e%ui&Bi`hV7hB3|bL zrcnr{|77*G^UR`hnEQG6z*|_7j3z+{SJoaOW8TjwOfJ?M%k*ZeS4W~*;bV5n)!?zt zT-=qdYQp7L7yjA+{DL#Xs7u3CFaP>P9VaY=)5u*2pMh2W=|rXGHE0Zb57Afd1B;!LXUabH zPm}Z3Vh59o8D|GA*etk|ZmH=q4hZ>ndh0u#q5jyI{LSANfx%3oLKC1Ycoyg{qqWss z`ZR~ePbX~Ky+Zji{|93$=$<5E{zc0CA|MDcu{MWv5jqOwf!lh2U9fbbOH8m9`hXdfzu zV64Nqc^)Q9RIxoX$UjLK-O6>+Ojo`QcH4WI+?kN}dth&u20Mx<0slAXbR~Fa<$EW` zptG8pX1D6L@%iSzXtJ8ju=EQcfuginpGn2CyU;;sXCfpWG0xT}#Kw6aQyOWWyz=2% zt2;*SY>71?VlMa##w^$=!DPGYWWNW{PoeyJ-T&Hgd=9Pb@d~3_5D}CkR)El;)RNo5 zDEeuL-`upZ@51S@T!<316kP40W_XKGuv#tf>mD(wqhw>(>e*izV)5j8vnWC$veR1t zPlYb_9I2n0M+^PJq)tC@n-*Qy^o{JuALCvRdp<`HE~7g#+Zz5Z_=`7fbcHW^TQfk2 z>BJm0Dk*2y-|||By+04bUXhPR_j^a}4=QQ$Rgd87H0#nz zc$xsmPHitleOG>3nV+4&*>}odE%gw{;O3wQX0SK6{}no7Ct-Go zizw${ATgzi$u*7xdl9J4=z-piQGhc zAf{ezUT~)L1|jjKl9zM)=VZ^B{_dDlBDSl_uJa9K7y+-Pz84P*(KZVJ zsT_keq~TdKgvG7YL^PAyKba276kycWhp$J9W(6ey%4$U^=&w~*j8r&Kz=i61mjOve zwHM=m?tNya(S%5rQr+k~W@&|(nQSA2;E^y`)O(;`QAO$5=8nikPeNmNg&3SaQXK-6 z-r%UGP5tyT0W30z=Fat|d2R+a>`c;+cn|+=rNNB7tQKe-BE0A@N%I?t*VRSdCr6iS zV78zb%JLVc9FUkn>FeY#PlRzTI?kv{jNH2>LKh)bsYkjb>F+?CnXSq9?II80F_ILo zov0=0#m^|eR%;FUrdyIxWq*J2Oe`&kz`xjeDQ>aZOGSNQ4im8pw^l=HIrx}T6kV>U3S#aK zJi}2Wv<7ex+ckj!gY;yNjy4vJBxZOnF(-Hr1|vm9(b1B;B>Xa4Bq2GU{}J8jFBCR( za2RD&W*f2H*0{9$HNuqGOCCAD-{}~X7=R3$Gh5rXdC^E2lW8=T83{7XC{4QeV(_ol z3jdK5tAk)*lKwhY!rjczOmSnraB?9>RXL{o)qN)i8_ofcrRDy62@vF&>Ii0HCmWqJ@qBU3Mpv zUM*_(lgFF+8en8MW-eOeT4}DnK%X+++Y33LzdcfX+3t0OK zcAqG2@DAjWf}a!a_y}8(Z&un?L4+!GDkTc$p74e2tMyiAE3~x`cGqN=EwfRDim5=C Ai~s-t literal 0 HcmV?d00001 
diff --git a/secrets/littlelink-m3tam3re-env.age b/secrets/littlelink-m3tam3re-env.age new file mode 100644 index 0000000000000000000000000000000000000000..17fba3c2eb60367733e43c1125d91a14dddb3a05 GIT binary patch literal 3373 zcmV+|4bt*qXJsvAZewzJaCB*JZZ23 zX*5|*YGE;PR%uE{c|}=jVlP!#3PDFrZb4#CT5nD>Xi0KWN^yC3K`}XRRY+oRIXF*7 zbXj$9GBs0iSyfdpGc#jQT4!!iGeTobYE)HCbZu#ORtjQjL3vtBXJRo;GfR1NS8+&J zWmtM@X-j!FXDe=FVs}<=dND6*Ms{muFilK1cvwzkWN>p+b$CcnOJrCuGBpZmQc+q- zOG8O_VRmS7Wi(+jYj;U=I7DPGO+-y&O;1NeXG~f$Xi#}DdTmrtGFM@7NHs-SRW(6y zazjmHPfl_QRbxy^Qei82IXP8CQBqM$FEBP)ay3wMd3Q2Pcuh)Wb#8QTHEl^+He*9; zOG|WgX=+1MH*a!LVJkI7Nkd{r3U6mPHA+oNIcYRcGFf9$Pe*1oIWjnBZcutfax_Lq zSZ*^%S!rciF?dZqy}PE~bJV={3}Sus#&QVMx#cTF>RRYz@8PcLCfO)*7J zYIJvJayescMNnB%Vr*?wOEN1b7df1Od>^KRW2ZGdpaN^TS*}xF$#8JGzu*(Eg(>DLUU|2FnLaJ zb!ld1RC#SRSxb3AY;k8%HZo2&Qc6uiR$@;zGE+@yI0`9Z{m%UawX$L-hgl*kTGFeA zn*XtP#V$B@!(a9)iRQTqUmYV0?zS7<4zj++3c`dy2*HSHl2k916tJqajhJ585Q`!H z7f*ls)<-Y00C%{EWneuMd_89l6%E>3Q~DDbIAkp#o?Ia)V;7XlwQ2G0Ln4eI;wnK$ z4{9CIN*Ef0ZeLyQi{qMBDO3-`tec@yDq5PBk^wwFwo4y!X68XdI7H!*$t4&j69 zBi+K@kaL~)`fSoRwlS_>{tne%Ato?M3+&z?B%ip|F%6N#WNmZi0d^m7-~vA4WqMV? 
zlwZn!E-FabM}OLtJm}lP{-Xsssh3$QT*-kAy*$%d=aIbAyC~v&uYE zz?~FJW6~FlkI7yElwz_y68KuloPgIhAE5EI*iFmJ9iEKMLRgSYp1Lo(GJB5nu~|a{ zqkP>8e)W3uvq|QS%Q9LYRQN7*Q7&Q?yKH-Nqw zYViQo{sa&A`hM~Ij7Q_9*FJ>Ej{NWmnE-0sfTJlohOFHMWUXvS0`3uJqfHSgAZDF9 z2bc${A0)hyLih|mNVoC4e8$S-f&8l;VwPzilMeexX;%+-Y~XuUl|+_32)U_udIi5# z+7JO(7IAjeTilqsNUgV>aWyAj!8pd<&p{usJ@NB5%AdxSK8E9?rji5uybKv20piUp zk3#Vt$T35VU1HJt5Kt~inzE)e2eZe$ct;m9=&M_}q6!e7+q$PzFX{y5ouKTpX0f2o z%xPSM2_QG>z*Th*=p#67){Z0-x7*3*Hl#r^Nze$k<^&5KI1)}V(QCgS&yeD!YOc^h z940FRg79|YHaq)!h?U&C^`}4>jUOUgewro%uocB6aL9W2OaKVvY0c0tsj=?gyg^q1 zsrA;?)R;rT4)P#9{2_!XNRE&71K&$jbnN8a&Ur~i3zAHmNNZH|@TAq^9qU}t-l7Wj zz2IS~NwTagqz{AgbpR2Y5v61{P1~yApL1<_Giz|dzGP|S9>PmX_&JdH#=z3=i`jH1 z6KhWUk`&Qizk~$8r+n`P2^<%*SyIrss5%{#_&a(c-uLLWwi#M~E#fq&yC{nW@ESc_ z*irjK1T-(BLjqACiXnp#5OWyCo-X1e>EO9gJ~*)>>0uWDp0w^-)soWR3ED|bibQ(e zJi5Fvvu{RfRg<=ZMTHOHyQ70TAQb4X6(tQ4#=r&Pqfm5{w-Q^Nuu6;t4)^@^&SS0XOq>GYh93jYB){rYUY9J@fwKRyERfg6!MBJ;nt86gFX; z?FPax-$;a54f~Go3oXQ6IX}|9xiIu>Tn^2WE2DaFE$3;n@qRYED#1C`dBgkq0tEU7 zlQxre{4Q0u)wgNQ!0;IIE@eCns_i8mp)%mnkAUH*h`gurWnp?&>rNO>DNii?dtrKs zvJ;P@gYD*B>%9m+T^!8|Qn%~TXw37-Db#0Cg(cw$m#j};SsxMUuR6zZw3 zQ18)`h;YLTv>y=QRuS}m(}X#V7rn6ue?5IKFA^GDPKo?o9NF>5J=j0DA`u*ORtk&l zb11M+$%ZJWCf;X5p8%QmwymmmcYs&a8PBs>C= z!pQ!hnyWI=w9U=Dr{rJfPewUXccMmwslCa@&VEn58+dszMs{be*93<+!ZmaK@E{4z zB!{m0h)8jr3A_ey?Py|@EWz1j8*&V^O z{*xHyxoZQKOX}aT@@BB;hx-ew>D|@H%8?&gYes( z+I2qk4;rb0yh5KiNj(S{S*N7})>CgGU8V6qS4o~0zaD3Q1N=H|-7-0Y1PGI=P1raLg<;0y4L!Xm4|bXb z@7jL;5riJAd+Yju>npqawwQB7m+6kxR*mL-PVLIyWez!`d5m(2z3_D^KU711+2PT7 zMUr22mY=9GOAdX~|GB}+RU&f8JE6jAlkQV|o|5ez9dIk3k+O*vDS zlaKf7KZW|?u|x&KtTDo9B_7sQEXqO3%^B^L>Xvgk4qO z_}(}R)B=~0VX!b8q6fdoKo>L9kWMWV{h|4`XUl?e{uT5j{k>6auMH)E<|%tWBrB3@ zs5VLqPBW+#%TMf*FA<0&*wt1n^+kbQepC{akO^-)sp6zWs38A%4th#heK zGf&+AxGIG9!1-D!*|9m*<@>~#`@epG2B%Gof967@Qmc$A`OcVGn|=rC^0;baJJDo- zWzwW(XmUUI^BLH7FbT&q3@_n5Gh`dG589=WB#d#s8t0yKx zJylzw+bNVZydl%+PJwgY`zY-Gd>`tde!;d26Y3h8yP>?>lArVZYT-@2(E^?8Ce1;E 
zLWd)@%G?>G>?bCaVR5L6eP3xIb~Rg9_d{KS@)z`BG<_tV1jDz3-EDpd?8I0Z9tu2o zYD~J&U7BK~A9c3MU28t=BO4?nOfuot+Xm@lSZ!>>33+2F!>g zGFR=aDkOlE);D^H3pxvB&SO0(0GhZrv?}fC8PAcK|LWDvW6@FuW_!u|nQP;12lTsm zEdZ2EkV6W;42~Zj%Dn$ScDEKcyrFy{!_XH+B*N!AJHu$qd&wA8j>OVVoD7#GCf8uF DqGTH~ literal 0 HcmV?d00001 diff --git a/secrets/m3tam3re-secrets.age b/secrets/m3tam3re-secrets.age new file mode 100644 index 0000000..8363307 --- /dev/null +++ b/secrets/m3tam3re-secrets.age @@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-rsa DQlE7w +XeGCNzawMOA9QxMCDine7KduqAmw+m9YGVDmMVKeOhFfsOU2ErbXbA3bt1F/shel +b7HNIDtH+H0u4nI6FjhGj2J/vhacIJfx8mcLms8dIsw+iBRxQyypjxPIaxmfpk5p +Pe6UqTopAinGF46DtsEpEYYEhQ0ELvVyfUZh6s5lA8mpqOYSpF7VkeyJNRxiy1Gy +DD0gA98EqPU4/mFWt/eAbu+KV7TNftiEfGNNEo8GQ9nTQC7VWPh32kE3Ld7JnhFf +xJx1HuO0mQ5U1g2T0FlRlU15vOLLbsUgumIPgw4h5jcj9/6igLU/EVvtE8ron6N2 +OTUos8ESqIMcNPWl8XZgVhQIa9yYXazbVbgo9xF+thxWGHphRznRGQsjA7HO28hL +CLgnCJoCyfWEmxynZL1tTA1atYkq6BTI5s6ratXniiRBglxWbnrfppooXgzA+zKe +vRQY3XDBhJbkyzkDw7yN2qI/K7Vwv47rlpVvf4qyRJ0orVUHhlkOmmywBjf8xIkw + +-> x?FdO-grease zSG1. =L Fe 7<"E +cBm3uuWGs/XbW+x2KSUl1GVJEAVSbf8Pb2NN9pud+LCIbkZ8Ps/oCZ3ZeUfd18K0 +hcpIRNX0SumXA7gM130ih7knGLyWeskqen5860EdbbM7qOkOGqDX4w +--- lG2ygn11D1m/YFNdEhigTXb887C9LFJr3ekMM44g29Q +[®àŸ+~¢Ÿ±1ååäêẍ“63:4„–rK”h÷J«ª ìM‘½oö+ «v]RSÁ?ªú\4íœ#åö‚÷€W3«lAÉÖ/øg†ØjlŠ¾;|%@öw@¡ù \ No newline at end of file 
diff --git a/secrets/metabase-env.age b/secrets/metabase-env.age new file mode 100644 index 0000000000000000000000000000000000000000..cf227f2d6c361248910e97d9e4ccd027208dfda5 GIT binary patch literal 840 zcmWmC%j?^8003~EV~2o;ABqmy;V0r@mfF19BqD<}Nz+%FXY;7Tk*4W4X`1BQJlZtU zlSc(XhHjt^@gg3avV#xsu%m2>Lw4}2j0qdEgUlhQ`1u}Rxo1=S2$Q0A<3my z=IoMa-dVIbyf0-dq-D}OEzmK~n-*9nFv<{c8XW;5$T~IduUAN@~HW$MXmiJjrMWK&c;h(3Y31Y-in;; z${}88ZB7A*q+6SAw6BaXlvb!9$+My>HDWWYzyP{Y4i|o#lnOfzylLJKJqr?ADp<2U zHI!7LAs`AD3Br6n##rCfY&akTQ>$?4q#eCJ(4LdQr7&k9tdqJ zDv|$d%$w&$JTT8TLFT);f81lYx?;bG^rnr`gqas%*M_Y)NHmodab2i;8$HV@4%8;`wx`$sr^^wL{DTzdA_b6-3IpZewK zuSchkJo)q4;hjr&Kl=XZho7DN{oaEM^ut>}p9p`#u3qQQ7=J!ERIl9p?c?#`^u_PK zY~PQ~i#NVvzP{4GeCLhVy~Dfgo9Eo>6H&eY&+S(~JazVi=SSBj(a{saYgfD%?md3S I)30Cs54RdFc>n+a literal 0 HcmV?d00001 diff --git a/secrets/minio-root-cred.age b/secrets/minio-root-cred.age new file mode 100644 index 0000000000000000000000000000000000000000..db79f2824b5f908a60821053992f7e74f090846a GIT binary patch literal 826 zcmWmCyQ}MT003a+I!LYvir^#^Codr}4oOa)&HLE|^lqZF zf+80b6+{IGmpjNEe1U_DgOd+%6DJpkGl=5%H+**BAztQIL(xQec9mBF+TjrL!lbT4 zq^j-7LQ4d?heSD}EPdXHOEP4QG8Q(Ws;a!WH+-C(kAme8p<$s#?^bpV!+A?22}l^c z3%UMC4 zlFVBL+Tx*nBsa`>Ho>6cLDSPt;s{NadWR`6&80%m6ECu|fF2~1%xB7$S@UZ@EzID0 z&C8IuVc}+U@P2j8a`Nh|pIW-y@UUQ)hyxh&&ROLIxQ$xjv`udWCQ=GI>Oc}qJoRI%hufyZLnC6RJlagl1h3&3{na@ z;U-PwzBwwpY8qjbVQ6w_S(uy`z$OKb8gx!}<63aYshRb*9x5vd3r304FSrL^L+m_W zp_f+W*R8t3w1)8p)`Lwa&S+LS6J5Vg4LGvVhH~u#Z}6ob2^O9fs5j>toi?CFF?6Aq zf_^8*d<$!*qAKZAg!`E2!Xh&UQZpz89^!Tuhg`sRBF*)f!|^j+EoMs^`oBgM=n~?- zf*?WV*|j&hnw)|cC)gB@?o2EQV9fzXVV|6e8<*)$EWaPz^r)jC5+SKD+tgk+1g;?mc$}=JDpc zhyVKIA>MxXoqvB&-~V;;{l}}HcOQLz!+-ns-@os_c+~mv={KLGUV7v4e?Hug559Wr ckMylO=Ii(We8TE}dG(p6zPWqv)@#rH2lRU!CjbBd literal 0 HcmV?d00001 diff --git a/secrets/mj-smtp-pass.age b/secrets/mj-smtp-pass.age new file mode 100644 index 0000000..cbe88db --- /dev/null +++ b/secrets/mj-smtp-pass.age 
@@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-rsa DQlE7w +TVcGTRFtB2aJ3Tq3S5k8jSSsF5DUq20hRlXFzi/SY2UczJjzPIO+Qax/7gBmPxGM +i9sp89CHAz1owTEzFkxsdj7AMoz6SMlvPL9Ixc3zrwKthhz2puv/JiKsmzycNQd1 +XvSzOKkJgZMG25Y7lBWjIy+SGTBDVUSaN1UUs2VRGhEBh0LW76+8dgJMdtzaFy4n +E2Yf3jj8MCjfBa6iX+G+ZTlWAl0ZhgBsJVmy9sN77AHQoUJVZ5FUllpy+sayV3iW +btwSlZMWlA4btbdZbV6PffGgHAMPCLu8OseIFDkLky12wt9ChK9A4OOZcFw4+bMb +YvDUOaQqtjqbZ8XSmokQVBNns9TxUcNcJ68cMz0qbm9Pj+gcY0k3zbsDfrpPNbpX +X3ZUWJVK594Uv2V9mKR6VVcYOrzvucD5iGqfO7SUTWJppldrB0/YGe3eGxmtG0D2 +4K0JntFoDRThSyyGx1/YvPxAJqKBWT7SARUxGjMaqnWM3OWppKDBYLGl/jRQQAqf + +-> VGV-grease OQ :S.YU\ +M4HB0MfSl0giX1GydEobdPW85+T6loiGtSWgzhWESbY28rwZulR83bUX8ftEzemT +LF9AKGIr50etdijB9uypYf9sQarujWXPsMyNQG/Xyfo +--- Ns60O8WsNVrAkDvDfoI/opMnBjlKrRiFehRcUDCPAXg +ZÞÞwŠÁÅTJ;´ÞÊ=k7·_U55ˆYFçàÂë&¦?÷‘Ã.øÛ…U¨çü"Ü ¹>ç D~Ïž qyÖÝD \ No newline at end of file diff --git a/secrets/mj-smtp-user.age b/secrets/mj-smtp-user.age new file mode 100644 index 0000000..7ddd890 --- /dev/null +++ b/secrets/mj-smtp-user.age @@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-rsa DQlE7w +GZ5/RD7yNwlvFjNwv/rxjsl2GVF8lRm0qlXfOeQcYctyDo4xHFsIbhLpwV508rJf +zeLJpoQYFaqumEtgxBeZrQS+qYiOG3Ne2pO36MN3qq/wVVBPuWiupNBrZTUeHn2n +1BTENMzmPfqhuZL2D62NXKcIsbOiGADtdt/4h3Xk4CyroBuEfNFx0U9WTMGHx5mg +kUVC2jRzo0KbnFwFTeGYmUc90dgy/rciAqhkBOfbPpcYdUy6LTVrGbz0jxwutIq1 +SmkMW7pj/KSPAgVnX6p38gWobVxyRIFmC0wrFZ/NCy2Hq4ae0QdkX/I0TabEBtbj +vcacZDlfXEsV+n3gvl8qzOVJO1inc3ZV8QUgnK5QEaV6JF37XONeczi8/qFT7e9K +fCUw0gG5N7r6Ma3JcNctEtB5NsgBXJXe3Fy3j6yT5sQQayPW4eS2yYuClUcYaaIe +xwDLpuRESYx0oh9DJZqvmoSZriLpejsJ54ZUVDJ57NAd+Vl1iCFKKOyMr/aUDNSM + +-> r\&\-grease cT"t7WhI IM +LjM4kAZQbwNT8isi73f1V0PVVsJxWvjkSCLTaS8aD03LgYLYY9uCs6k/hyb3GdWw +1a/9BC907cyNGQ +--- ulEvcwLfcMfh78M+U9KeF1l39rdLG1NpVE9FLPCHOgI + ]ƒSþ³KÖˆÓUèä;NÊL[6á(î e+ WU øÍL ±ô57ºÀ£9L†Vy\ GhÆø±Ž "(´× \ No newline at end of file 
diff --git a/secrets/n8n-env.age b/secrets/n8n-env.age new file mode 100644 index 0000000000000000000000000000000000000000..7819a2c68f63aa2998be00a8fa090da3f3b6e8a5 GIT binary patch literal 1200 zcmWmC3y;$T003YD37R3w!wUp?93UVZW8I_craW%#x_0Z7<7>Cpd@1g7(}D03gcy^LXqJz*|4aT?ltQ+I+#%fB<~SaE*-bgNn9+{5Ddtq zUG-|4z@{5@SJB8Av6MZpm{iWu%%E5(q{elN4=ZD|sVS@|RhpRQZe~CvuZQ)vT7rxu z?SikA4Df!JS7+TkQ*frMJ|T<1b%k}=3KdMnETRXf#p*F5BM}OdtFcbm%?22X(#mGc zp@0(GQH)BdVn+>xVv^Vdq!Jy;DfNyrZI7aKNV9NudqL(o7evDXWpq>vN{P%lbAHud zEE51wW#M2LgG>(&(;gN>SwJCt$s|-kok@-%lA`7R8uR^hinhuXk<&#>Ld?K24MkF@ znrPUgO-^mAa5#2S6VQQL?dJP3&Fb4<_95*)oN`Okhta~vPm#pQzK^G zPUx{xk&|+5UXCPO0ieWW&1?hW0S2|GYrY8YSttd-xlcYgxo`dWA4j6TNn2MHr)!TF zyWi|-W%bE3XT9?Il-d6N@M1Ok)T_0vUA;$^wfy_U$y<|0j-1^2OXkYCPfmzGPl)__ z^V+>(sB>M*-lN|Fr{bah7v-TX!07f<*N-*uMH|50JHnp_emM3*Pt4VP^x@E^yX!vg zU-R17zn3lxrI6;f_g7C5&+Kqj?LEEySGK$}U0v;3xaqI2Iv>78jd|cM6sKC)cn2~V|GoO5qad?NLTvl?X&0Y zBd09cIb!WzyJh31z1v5Pe#W)p;+Kmjifr}7Pa8<>;P}4ZzU!U8_Stb$FP;5IaO_Ek z2G5?^JlD7Rn*QOi(Y|A&*tNcIn_RiE@+IfmX)qI7KCt&;x%c}|kGBrGI(x>|BZD0S i`+Za2yPvyr<8~;AUb@|gdG7jJ<{nsfchT-)y5&E|F3ukS literal 0 HcmV?d00001 
diff --git a/secrets/n8n-m3r1.age b/secrets/n8n-m3r1.age new file mode 100644 index 0000000000000000000000000000000000000000..29a776bf4d19f4639d34d7926f6e764803c85067 GIT binary patch literal 1055 zcmWmCYitt*0Kjp-n8_)F!2~BG8*HMpcGveqH>K@e+iQ1iuh$1Xm2uZzukH15k6wFM z5G4y{j0_B-CKyP-ML)otE}5E$Xd-M0PKk473meIp3vN8J4aPLS@%ul&Pk)l3)pR~C zC|ogJ$hQ^*1}td-^^1+7m{JQO*$81-*jxr&Mz0JI|GkTA$Z%%j=91 z>&VCWV$2!V+7Qr|ii0^s$QJEZDy#`IFkwMykx->%K?JM{$r~aOTh4){jp3k@i?Vi& zDC-!}UbHZI#7WE6EEG_5A{t^iKI=&G!HCIcbXS-N0r3d{CWB_kVUSZ{tdvS}M8;*M zSijz>k0}m}3yKIBQ^5ik#aN9tl#&giUNS2xR8%~Q4|U`-0On&tnPmDwgGUHFuF7PJ zjHn3*VL~#S-7FM0pVh1JPtGB@r4xtyVXJ`GmpjWz&#T21QtlL*=kU+ao0+nahL{(SXHKjAt}f z0Zn4S8^(>trblNQCht+lX=>dd;Z0tz#V@}4Yx+(a2<{~H*P80)1AA8k-COK0k1e-r zR$jP#I^ysD_xI|(w-!gMzR&>ILvb{_dz<6AO?>m6J?}&Q&$i>Yj-G{1ywp>7m7NNw zMB|mi?_Tb-H#dUgN9va>RcmiQv-)(Z{qN+^%(UDboqBdd-Q1Sa;6w4_V<&+AQ#SX{ zA{h;@3h@~<+mLa{P@J9#|Ah37}(HR-EjZN_Fmnaruy4V;_&SG10&v+t+h>4 zcQ36}e4}EyD zYyau;(6!m~P0n@Y;qk9}hEc|}#MOLbYCT8Zth}{5+hV%-)ALJ1Z`c2@a$u%=m|k2a zf0^G8|9M7U=v+`uf8CVn9vgUKGWgd-+j{f*ee)vrnE$DNPWEi9oKXuOdCp3@KK;bE Juiuzs{{uWtp2GkD literal 0 HcmV?d00001 
diff --git a/secrets/openai.age b/secrets/openai.age new file mode 100644 index 0000000000000000000000000000000000000000..eab6f283d9b54741447d073d2feade301f48ab29 GIT binary patch literal 772 zcmV~$OUT=F008g_9!3s+2qNMX%J5`Y(>$7g0y4fdujbJ-ZJMU(5KWUNZS!iHw0YoT z-?!KEB<(`TN=aqP2*fZMDf)N&Hl@_2E4N zwJtWYY}wjoc7q*;94H_Ki4C)05nbgj&? zT;?cgNNaqmI+%NSA&Vjj+2UV*16=m zS(Nq($H6DWXbr8EO+|);W9+$t)I`)Ew%dx7)6lEEXy6Bv7(`=jLZX9Zz8I3uykvZY zO?#eIuDiNYLpq3w$n>pQ?5b9%_e&lgd$7*2UCb($nYHF+Fk`eWECe*@xNvUA%}V6W zT~22D%Zw_O56YlJg+j11GUKqO8Ig8{On<;dFAoPq~a1q5Oi%U$~49LH8$_f4ZWvrFwK;vNI#wf zahH40CKclWHe$-C(q-0(7~7`HoMx`;dFroTdIx@<_22pSnEi?T5Zr(A!Oz88)Dvf4qVGLh>^{FhKJxGN;_5T6rI*Z` z`IEn#etDh@>Knh+N7diw-njGni}c+SNxgNAdGjIc_oLg#FF$&UY<|3acKG%5yTjA( z{`cos$49+iAAa9&Am^{Y`q^LVDn0kN~4G|x=?yk>k!EEWfy=$)z`nXLpc5ScMUe|l{+Pk)c z48d)HIwvZ|Aq>Jp5i}z~qdchC zW2?Cg4M|EsQBxs`2}MRED=fYyD1iwz=jAN2Q5J#ohiy7k`l>~;54T6 zIzuwq6bj0?&c(|`j3+Y~=Lzct)a6A{ARtQqbS5n^30TDlK2BJdLnw~UMc6n}4B+`F z>IV^n8HRbal;$|nXNg8ALWSG(es73VMF9k-y%D`8U(owgf*OI`6sL6HN{R=a5h6uk zDiNXFbk0TQj5veSAp;>GK8>L+jt66GSnmhyI)sNImta(adUcL)+hT~w7uaZ?usd^@ z)n#@&2{+5+5ocVo>vAzhllCTf51R02KxZ$x?(nMOco$4AaRifgldul8W^yEG%~M+3%Mg$^T=Y>&RZa%fR=vrM`8dK8f|?lCnz0!k z6IriQ%WM-V8nwp9T|J5At!mzbI6%(g6A_<>j^-pwy+_XhfI^|Dfa>h^$s(){xm0$S zR1XQZh*_m8YIJnmZ?J`ts5fP{7`&8haRQai3(SYSl_OVAtSW8#aQD`!#*P@Tz{*F98`F0mj2-xR*Pbxo{&K~Z0VZ|o=PGA-?f)?gC$YoV`H?8gP*V@tHiK@Dt)PECy z_uX4|8Mt(D&iNz!+j2^N`FV58?)U$hUv6uEcqY*KZ)?lO*@HbddJMM*4|m@DeCO#u z`gctl*J*>j_Q;X@8#`1u-@m3kyrUsnPP{0q_MZUIYzENVKd zyPMJ5re$T#obX|C*h_Nl5X$2OEaaerUePYfu0ZDPb%$PJGc ztkslGiKBfDa{G~2-`ZX?Z>aH6ZF-(%`Q(jrzkai4_KxKPZTpW2Gr?2&gB?##ezv;2 ztaD8sx!5)8SXgm%){Yh{YG+cT1o$$T% zxzd?!*#YsFYf?$u+;3m%K6PpA$D8t}E0|koW((SX{?ESx$!ZMQ`PE&Z7K5~`u6!6R ISu3;u1MS7PF#rGn literal 0 HcmV?d00001 
diff --git a/secrets/pgadmin.age b/secrets/pgadmin.age new file mode 100644 index 0000000000000000000000000000000000000000..60a5df78d11748096d29182ec584fddab95d71b1 GIT binary patch literal 689 zcmWmCy{?l`003Y&6E+hc;4V(2(jE#FlWPLyzfgYKQs`oU!U0Nw0zH(zz)hTdf$N}) zgVEIoaWzq+gD>D>VvOH2d;yF{aTzs3-DOqzv}z!MCfMltP1~lUrVVZcyAYWkgCZI8 zy+g@0lV!FJx1KT1*pf!F1}Mo(SdAWHW*M$XZwEt&YSl-ZooV`;#VLal!g?QsSx)kr zSqr#znyJFHDL@bTG1=tTRC9?H6NHgcq3EbP`=h?lNo7yfQ8}LYMYO?!JU2k%Mfnni z@_0(Pl+Vm#zo-GPii0a=>-4Z+Ue4tVU!#I+#s@OmG50<$3RTt>+W`>B#?MOx=h6=rT00Y%4lbZDiE794mXpO~Jj7BUlfAxfB2 zo4P%tm9~B=lZl;P_dBtQIo-vhu`Nw;$x{ln#QxW~wMMXsgEq$IrjRmVW>&2Y`c<~} z_$f9Tjc#gmJ%XqvvmUo*<1EaUHfJfO%7Y+_dSk$B@ORv#!e)Z5Pb= zLn%-LqA+j+N20p$)!M*AsHCvpGPYMz3c0>F(#q)fhY62bKeEX2&b3H2 zhwF_m5#ziR)LT+#_Yp@A?9ex2883s0J+O@Caw`{jLr)*_P?Pr%Mo!72Of6b8vOgXr zkefN!>b0+}^iyTX?&vXV%M#Fz1nQ1t%p2RM$wjE9Q533ds}4(x@k7R+k^;eZ-7pju zT%DUe*IA$v=J++Tcf%Cz!Qd4BC=Qwy?;ryLpc*nB$3!s4CX3fdoxW0tZk-YrZ|St& zdn_E3(yg~BHnnn0_A)86kb+m@tnumLK90O)@P3;d)|QC{U1rL(g6Ps|U?xE>c8%VV zGMBb2>rFI2-}xskaN<7C6ulG4EV*B&f}mSF^^e$UEdWa?pco_n*FdvJ$+Sq@IOyV8 z1)h94d$gBwWJjt=iW5?xeLr>GObl_drYRNL;)wjMa% z%ELmkc(YE=IyN$;lF39zpi#8)Y|2dh(4$QPrPvzU&cTQ-+nOh$qtPaVD))8RAdAIf zHqQbn#|uVjq+w|?6LmMkYk+d5qy&C_rkNvSI5PFd7)3t&=Lzy4`9 zJN?f;p8Wjs`HQ#gU;lme;D?tVw!bap?>~R`_p7I-_1y>WzkdAHyI;TadiKjVKfd?y G_x}Ld%@f`L literal 0 HcmV?d00001 diff --git a/secrets/tailscale-key.age b/secrets/tailscale-key.age new file mode 100644 index 0000000..f1ab609 --- /dev/null +++ b/secrets/tailscale-key.age 
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-rsa DQlE7w
+b4/YbeFqzbMhKh0R1V5Kth0a6O9OMIGXZJWHeV4sYXAonybyc5yWFz05Mrm2Qo9E
+xOEH7s8XpTPmyOPoUfFdzEJSQ/QFUOganfsO1YiTOTVOf7ARHI1WjPSiYH/pXaef
+cksXjxLjGuiMZWGbIeU+xaxVsrbUPFtTb0nTvUrAdVMXPMM7TvLva7JO3DZa/7RA
+tikR4fV2kMiD6yhoNedzDoRRWtuMLmHvtoJlKnAnhxAkRz8Poo77ZNVdrw+w5KuM
+bDDVxvNJ76peGI7hx+LYlKQHf849iAjsa/e0C2zkOJROEMzhW9CgaJxNA829GqRM
+96lluaJLtGvtxQuQSJcnTRWZQBg8513+LJGcIUT7gynCa8qChlDoxuwmhhGIDAQ5
+9QtO9scI39dMsgQeM+TJcpMYlgJCw2JLQ1j7en6xUXfUrV8hahV7Ul/rVFe5oU81
+KUBSBFJoli2R0P4PeoykNNLY897kfXWyjIyW1RZ4Z0g+9DwG8VMuYrxe3BbLSWBE
+
+-> V~^hk-grease :Y
+1ROczYKXhky797kakoYTfMjB1YSjiEc0cMKI5wvb8PUwepSvv+IJ+H941XTr7qv9
+CD7hGgQO/gtHp9nI4/bguBaxZrGGg1p2o3Sb7j3ENz1Gyw
+--- uyM+nfRla6Evb8kfnwNNWF1FvkPeQ333kOMCo0oCh+8
+AIŒÇQ4ˆÕåþž¯¹§SŒ¸ÿýç,Š¢+‘T$ÙÑ1Óôÿt_·ìí§øE%’Zï]€ößõ`rŒa£/GüýŸ·<“™'‹my#­Fˆ¯#èw"äÀDi„Ïkñj
\ No newline at end of file
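Review bot: The age header in this hunk carries exactly one recipient stanza, `+-> ssh-rsa DQlE7w`, so `secrets/tailscale-key.age` can only be decrypted by that single key and must be recreated from the plaintext if that key is rotated or lost. It would be safer to encrypt to at least two recipients (for example the target host key plus an admin key) in the rule that produced this file, and to document which key the `DQlE7w` fingerprint tag refers to, since the tag alone does not identify it. The other secrets added by this commit (`openai.age`, `pgadmin.age`, `traefik-env.age`, `wg-key.age`) arrive as git binary patches, so their recipient lists cannot be checked from the diff; the same question presumably applies to them.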
diff --git a/secrets/traefik-env.age b/secrets/traefik-env.age new file mode 100644 index 0000000000000000000000000000000000000000..4f4a03bdf1031cc08123ffd84d96bcb4c576e015 GIT binary patch literal 912 zcmWmCNvqrh003a|*-H*ZPl5-Tf_g9=vnMm9^pSn?vS*UntY9)(XOdZxylj2gD%k#j zqG%~7C@7+bCkVm=LG&P16fFhuRz0dGPo7+U!Uvxl1^r;N%-da=Y&S1#^9ZUCpns)T z6mdT<+#YA9JXHe)+>U(8^;fP`NgD4&!QMxdT^Ee6ackQS{}jcuVoWEyl^g{q2qC7C&N zokM7A00uc2&X3Y0S?8?NdUe8CzR)5=ab6hWl=i8SH|2Cn2;*uwVFQ(+$Mp=PmunDT z`Qsc01dsO!dzrFHt|MK!-Qw%W7&E$tWLxM)9pL{O zk@I}`%%&gZfm;MUW-`BYcB#@cBuPr;tNwjHG~Jamg^5>+pDi zii>n6l6a#@Q#tb;Y8ogIjMj|G`8bH%14*_)8Y(ADfsq}4Z08`k1X`|3;c9D*Lqg3f zXOEG3ik7=L&t0gNG{MtL+qYqDfke%eB)dA)5l2l$T<#R0-|zP_JSzr)#?ZPm|0-uUa6_RM&Fef9Q*SAM+m+v&ZhdiTG6 zS@`Gnh1YJ(9@f{tkOJW-DlIMK*I`T4^~; zXm~SmN?~VMbw_SEIdVridU;1;3REjgF>XX~FLG5=S7C26W;HQFT1{_5axriSz%ByZc;0GQ)X{VR4a8?W(qPd17}mHFj`Dc2`+q zVKZ$~YB^6iY&T{>NOVwPVoyt0L`Z5)ZdPhqL0L{?Wq5c>Of^z&G%_?-Xmtu&VOCXi zZ(2=7X-ij8LTE}>Sx9d&aYAEdYi>eXGdE-}Wn^JzaaK!oGf+r1T4!TJG-@<%M@L#o zVKX#UaaU3bY-3quOm1U(dTUc|V`N!2Wq4&#LS$HNO=fvZLV8ehGDS~Uc{gioH&$3Q zRckhDP){^>b53SAOHFQMZ)`7X3P?*bQbj~HL{>{;Rdq`?Ia72{F*8MTcTzcWYeGj- zdT(WNa&b0sRy8%SXpjCT3R-FR(WG(dTe5BGYVyBWMx(_H)S+0N<&q1MtD?a zVP#HEF-})*N<%n$S~gTtcSvz)G&pQ%PgzxEL2Y(2XEtszF>7Nmkwc{yxpMhZ%3MR#E@V@owcZAy4EXKXlm za9MeJG(#(A3N0-yAWt-GMQ~b7FG)6VZB}DfdNyS+S2F{kjPC$VT$y`?ZFHIN%B|JXY}PJP*sK# zjlsGQ%YjoK7Zr$02bl#iu|u6FRyi;w78$Oo=Xe=llugx68}hd)z&AlAvUb9ebtm|1 zkb+9_xy{UjDq4Qh9B{);@^*70G?W<@uH`q^zV6k0JbIvdLlM?IY~qpVds-e^970ti zVj)q!FV|;Z4M*0GM!qrY)C1+?8En4o_#|v%*WxxIR2r_al-Ri!cELdGz!Uo*gf;pY zszrV{cX(UXMHz6WHE~-8RX6gZOlxo(obQlnas z5a{&lF3FI|of7RGJNN}>%I;Ac5km($($zp)g1zObk>iQFI@;F~{uPSCttRDu5Z+WU zi2136n-Y*5$#*LuSm}My>fwMn2LZ{&bHzvxNkHxxw>ul*{fg&@UDk~o#tcuO+9l4! 
zK?Gi5g9TLtFx>S(nyU%NV@0~?a^-(aY$*BIjjrwr1$zSK&P^aXqF`Ty5%yrEamIXY zm-^#xYvKiTGq&?i0q{YY=N^v5 z=~*0a)WP@bhdn_;QOy(-D4rPXnwKabWJ0w7l&TJC$UCWB?zG!lb(sA)wh=tk5e`*3 zlEG9&m_RoFTeq57A6J^4^$OnA@wov|EjnD1W*8Y(8||oSc59=BO)1ft0dG8B3v#$e z4WRs^=u9StY$euRE^fV7KJg7n`c=AsZuTKN!M=G}$(*Si5326%8~Uf5l;oD@V4<(_ z*2fy%D&}`wGqZ1qDthaCCFj}^n>c+j zm9jpu4JIOGX9ivg4}gLUa~>qjv>nbh%l{6XJuLYyY}1tkx( zV<~ac#_PYqUzrZKjK=TDH_?o~^@{N~KQa|pUo3{r_-!y}$=-ncOb+H;AT{8Q zYJQepjQ*fR3xEm}D%IUCj@T&jLHP=8&N*b`$y$we7YRzby>&t_5O{rZFyg#STN?j9 zCkR4y@Z#iJ^*SzW-PRI3dNO<56i+O=bn=QJ-s+aJM=Ds?!eAwMg6xc@j!&$Jmd)!k zcbHgAqP&(QR1C{E8CAq5kUg5|y}{EO4>qt84s}!7z%{qPw+t+8<%MX_)wH}_suxr+ zR1Fo!VOEE0d83XpYaE`g8AmkEkqaoFiesQc%nT}UrljHtB>_kl_9DsVOAn^BqMOCq z0Q79%wM9wisKte_Vp{YjgO>EvJUUKe$pb;FTp=U>asfBmDUF={^9;fyO2#)VdP3`a z6W8~==uTO0I25G?gitJ`kywEU-2M&Xl699k9xa3CXB54E2v|EIal$3lIjok66ius$ z?O?7sYSIO$y6;l;KEpH;?twaYM_~jODi&1yz;5zAvx4EopuDoWw-31UD_xOf1wGUf z^UKJHIVB@I_PeAXI-j?Debbo$= zRo0_dNf=_O`iMP@O2A=#njI(55AN8@g7yB}a)31b0yxDYvPsUh>+tS;b(M^Pq?Ol2 zNxzCuYj8DvgBG~=_baqPvMtD|x1WFo4Zo=X5XH;kC~EG{OuRBwD);EF%+k0QS4p2s zo2fbQ^S})6IMsVgT!^8l24V|)wm-*7Q3OFv*ja|i)$r2<$XY_!;e-|Y8!g$lk_XL$ z_%i^OEv2bpeS6`4T!W{lMc!iLg<|qCC7ikU#N3N8v7$68ao)&Sb=oJ8Qbu<6DxOsDp|Q3 z;z`udbh&_!@|nfMHYYDzJaoapPcL&Lupoy7^w`R~grs!uE)p{Bg6Ue^VUw-IbnnF} zH2-#9`P|a=Px>LgIeRIG%q>GM`vXdxx6e@kmQ?jDn~3D@g!nq({WhPJ`m<2O12b|O;TqcI+D8)`@V$3-DBxJF)5tiVl zmtvF)6w!{hN;0&-!W8800TLIRbcgwW8~jxfoP4%hI50m6=ZYVxznY`BPP*( zwRq_KOZnIRU-JGbfhR$3xHXVdgMrWc^Xgm!+D)CF7oHgzcCR>rVacPH2tSU9UQGhSt;n#%nbRf3e;1}x zp>JRciqJ%{#wG|Up)YyXvOuznP(~S|^HD#;roqjwVd=BV#p1zR{{s@RpTi81^YVid zroXG&^`}8eui7Lt^$lm2V(fBcE8i^k;%pEL4h`I6ysG+d{H8OPz}9&*c%MlHb%KXy zI$*r1hy(*HbYs*b#|Qb3@NsO*;(H$IG04=G`JX3@o#Hto{j?0ly2bd2-VGqi=Ws zWCA|Bby)PzYjfC4^u_?V74qS+aSLRdo%y<7nVfFcU{#WSVyBjWk^H(K~r4;b7XT_!#qgaH1kj{RBu?U$@K zjSq^|PmOrDxTb`jAI-%FXlS}fl(k_t!G`H;6*F+Md7&t}pppQBMZ6M>bjX_#Lyk?H zeeUvN)S3$46MK)`3L@+Bmw;%E;1P9t`tH;1`Q>-ACAc2=ZL0G({egCdZk2GPmYvu8 z~;FR^;=-6hTRrc?${x(FZ||EM0RADcoTpDh{^Y-`k5OdNg%}#H-@ECz-DQL 
z3Z)7s^GvY5*jrn6SY~I3J*h2Y!)-~GgNE@a z!EW%|2I)r39<_LdN^9Sh7KV`vJX%$7h~2k%9wIaMsl_KE~JuLYl= zx{RtpAr~es@uNeYXCO(|4r;g9oamJCYpIQTvV~zqYjCI&5Xt%W<4Q+2omz0~qZK4F zHWBgG9k(;k)7sFQc(Di2%#Nh{2#LNMX=k`HU`TK?4-obaUJdzlsF9mOJY9=5doJ~C ztFgOu{m@Kp2ug(ia7>ysw@H1RFtubJGi186fO>;OBXuWofI4i(V|(k%>46pn6%oXn*v;^@-7$jlf|WFA&$a^bfMRS1o77x z3o9^6$n_%-f!5Og3zH45)Vu*e9eB|T9sNT&<)SmYk@0jKFoVMzM?zOgSvlE~P}5gQ zuU)I2to0==G+nWlr6F?8nWCHb7Z%?cgk4%4AZC(aWiL~irnfIJNh)R87=nZSU~uR%5-rMl-i>>`ud%kFQ)&>K;3gQy%M?~ zjv)r!lXQTg>yH;ZvCj2LUxsJ?Q3^Dmpu*N|2l|d_n}s6=ocq8iq2?aXu6iv>clT%P zRwh;N`Jln;YQ!C}E*(?$jYu0n(8^F@0K+KSK52?d>wt$bN5dK9WUecowl0lS#71*5 zih|t5=);gJLOU{Kw<9}qCP$8wNDIh(0Ia@pOllV(ryY4^gQL#ZAuDr`2$Bo0s~brH zewfp+jnB4{GfzpxzRYXx`~cFRf&Qs1vCM<=EPCGb6@?(np80G1drDmL*rDVcM_J7IKTG0G#QDXlX3E2&-5OeRRe zg4$HjXw%|vH%RD-M*;fvA_r075s7Z%YOdYA>&lZYZtGQQ3*e4TGQ;#EQ>`h|# z`?k~0*a7V_kzKfLr3GfMh1gDTJCD&?ffI(43N;k!r4$w`B7ff#*9B7gO)snD3aL7o zxwBazCR-V}Mj>c?oSMgZ+^CvWmGL{XTBVK&tjKd=*~TWG8&;UcLoUhBRY@@xnM>U~ zZzD<)`BQWz7=OW9K4Kh zbDKTMZ(HIEseV8hG&AGyBxql-k-%)Z#dva?L@9kN+8nMP&jb(R#f>4NboCQ!K}zww+&bnsD!)FCUwfR=WDTz2~m^^Qrj zbdhTB6~3NO`P9MvYq=6O>D+ot*U03j`Ct*06R=4dESU&Frlg%tZ=GjA0yyrsJP~?k z2ma?WJZxm|B_)DGvX10XWxbrwaxGWX++>TB2!YT==O-m9b}7`mYDnRW&y-~Mf=QP- zrLb4@t@Zy4JQ!*Ebt0V|_+f6#zOw`6nGqtSeM16Endwsuu0T(+fnh^xhqVv4+j`-7 z(qyjC=~GcZ;Q^w-bx2AkY|=9a9nO~1vG(TYHMPk^t)f3$8tO~YKT2`-5GOv`%0r;b zqN<^q)O#Xf1l4@Ko5eCdA`me`m7D?>PD%onR^U4_N7IcVxnEP3&UnxhH}^GTi~>KL_4RVG5l^=EnMkB=2_2GG)x5Eyvm{8Dj`aUk71_TZ?pauLzXA9#0s>6^8o?#=3juBY3G>4c~r#-#Loe^VLuKwnaeB zAzlnX8m>RqPK!0>?%UMHA zes^Q_D<-#kM)fDJONb-BTUP(oza!H6o`b4Db4>@<5#mUstz6kG%}H%`1V?p7&rq#O zYXMn9iAw~up$h|W%738b8?l?W1BGAdS=ALwmv+f!wqAcm5ddZ^y*k&if35LbmTIB- zipu0GvHm6*D8ZmMFMe9n&*Lbn08usyOVbZi}5k6qE zl}DC4;p$P(@IoQyxI$=EFXW63?Jz||EK*v<;qv&!cy`$&x&X*O0t^a|=X7|P#7w2M zxAWopU2pc_bHfCfRENiN#z2C+IN`;wDIO(q9ArOjPrx6bddqkX&M%>l9aQk<{WU!NXx}hs4}i!2jtKmAwxn2M zaAAAk#EKXU0u$U(Ky3wyX~pg6sCetLFn00?-RK^yz>IL1a(ZwFYQ=#ghi7DT;g;5( zf%C&VFhjLwmtV48OSLoHSSZAWAs0+^-kt=69?p1aTXpy85h9_Rj-^v-^@asA=7#dW 
zPaI`^cwZWpW++aIcufs_5cXCc^M6n;kNJ*v3%@gbWZY>pe|?teb$rB)ZdrDx&N*qA6uP$S)OMjUa#2pg}HhG zUnN@**Q!!eTNmLY(DI1RtniYHh(>k`eksJ1U1`PagDxFDV9IDh5jvNlBox|S6Cs|g z@!sU6KpG_Q&I=g8kK(h8uVHtDG}F>l+i+3|e~oWnL#UR9=$=3iL-X8@WiMsa;|=%D z(J31l+gLtcFY+IK>#Q|UbQ(vD=pOFV{S@fKOZ*uSI&O0{wU2liW9 zUF#@{9PL7CZd6$>c8m)xMW6LyPX?i zd)pRUTeUnrdw_*c>Rob3?4y%I!-Kg)L4zeZDV0cG9t!yOmb9t ztNuDL$^!98EGhaOj2cFKh9Dtt|F*Gg)JHjt1murY!XZa8xmiV^&A0FJ>%JS!~sZYrJi(!zcKf`eXK4dM)xH^s*+?i#bL7r58nkv+f z4GBFTZ==sb)rG62{?L;@CLv+rs@jt4maP$fdRsRUM0EZAf4+M@e^Bz>+BE5@V7?@8 z2EU#^LviG%Y`UYq?Z^sj`aKq9SyLCtf-EXLlGxho9Ks?$D^gw7$$EKgS}CFT)AO7>=&65udhY$970#h@_=`MRo((>rj#!?y;ZmDpP3T|_&YGgEQ#Mq zu{9~uzXY(kkR`x!*7n6&W{8qsBEcluW)OE{Ptp+W$uF0DuIkOUvvFU0T|LWBj zx9|OdgS8Tyr!|7nAj+xF;yns!_(aW+vJwW)a*X*uVYAkddL3n!Yv@Wl%pH0FCFi}1 za*;~oDrwg|^ufoH!RK568x#t`;*VT<)B=;TI!y6u zdSu0#8_@0EC0~u^?tz&AkB2CeVE0SkrJP^eYVgz(bH)_%R zi|z_uV{}Dvw%JOMtW8W*{Ic{X5gU1H)+27n8cppb<^d_@Oc5!najKs*hBbDnaaZDt za4-JN4y7tzi5?nk0f{$a3qTH>&fikC05|@L3V%5dK!b()XB{JM0*Fqsw(4n>a__K^GaxVD zY}N#`vdAd`#3a%FT7i!Hw~Rfiik+`-)KY3x4$)B1T^F(cr`A(qofkw>WQvCmYbeM zO6rS+W(HT1F{jRK_+nbzdG)Ywqb{Q?QW475(kx{>A<9k-fBZWY{%gymPe3*coSRDi z1NTwwM|zOIoKRpFB)7q(&V6UfwIzXy2`UDm8WLk4d-kjLaU7eC+!cm?Pt=g*o5 zUu5329TnZ!+}gLcW5lT^?Ks)!;Lag4yr!HuMT=bI47~FI33|%rHneQn>S*bfn|dCRyG^g zRTK78zsWDA5P@9z!my7C4#mv5HBHMUm^bZ;aVV`)?5WqRE?&dap|)b}z+r^|^mu!F z2D50RG*9mC{I4vbfv#~XX`&MEV4kD2!97MX$=Ay@ZDU{S<#utiMZ#-p2*f9)==(SOoIt38Y1CXs@u|+!Ss7*x%+f#iIgbFV_uz#-lC%eOh;IM5Dg`?LS%=G?;n{ujMV;|0(unW)luR|1tt0PD zq+2r?`E&1|Es+RSGL0_MeuO+()qWy+UX<#{0Rco>QG)*4lig?z{h4UPqhvOSF8U-O z|4Ra`qFdOEbcL2&G5>{6Rom`;++q5Z`__&rI=sRDzObbT+1x~}1NusIThWwmDRx?- z#MjQY`#zsH#>f%Kb$!VAYkd8y!*H8|_)dY4-PZsWH#b98L2bkMhsBYFju?astp&4@ z4MZ(wR_I1NjigpKu<c1)WnwGR3YKs! 
z=1uQKOc|4-Ag->&t@9I2Kb-8Q1v%IXN8c6v;ny33ZUwhI2A)0Ocl+WS&V%U zej?XNQ_#Dzt5U&8Xgia)?Ir&kX4eBBfMigQ8pzO=p8ig!$~zbN6{mnc zUZt1a{tv=xFQ)yQtZqZ6M3qpjR0~kGxsA3HK~D{SngPn6DEtzwcO)rR-I7dP*RW;O zD&i;jUP1Pm>!^6yBl~*Zryg3G%au?|tk%Y=eIlxm6(D6!kYE|L91KPVH#L{OZTceC z>-;R7fNX{XN-CP&!4W^5QL-AtoPc$5{3KN6j;d54d+f|Vm6O#26&6(CDQQ>Z>9V^< z+|%2~T8$uJTUDF%%)Y}=IOv$bC*htr0)!vF+HMb>h%nJ}lS~}_$H_io2i+Krs~lE6 z!G!>AH~ab!SYsC#o$_=WV;-7#xa8%uH4Q@7c7orXBYaIdSwZgp%#~!!WfF!!9{4=z zH-EGo@_1L8>NV!=nmFsyqjL|ZH%IaKyPbr0?rt1r@2w9%YU-ZXDQHE;iq@v9%liMP>fS zjTb|GLWTvlj+(0(BrhciHkb=g=X67|1|4=E1D}9gRnN~nPuT$Yj@MJ42G}7o&{GaT z_&q^rZdtbyM#*S{3pi|{zM}j@V_B?Ycd_TjvkONNNf7yLXC@ZX3k=ec8)+1x%9`h! z85QO%&zQIod_Q()%Z;1 zUh=a{Z|OwZ}rOA zE^r64zvtD{Y6SU?e^Ix`r>|A6%~tfVzNA$8{us@;+Q9ox0E#Vi@^zL!dr-t-9Ym7p z^Q`JEog4^QC8ClDU9EjAo!%a$;mk-l)ylD#9S5~ z{NPt&6Fl*8yGI6Qy+0yWc@z{Viin9OFEuGHvI_@;lFgN&b)e}PgsYPJ1I9Q_=E&WZ zjc|sl0(j&AyqL$UI#9L21z=0uE*eL9j1{;v^y*@-VE932dL|x}e{NaXkVVqnz$XIz zPmm6~i>l9&TK%FqfOQQXm9!}wJL}U5+d>V3E5*e9+P>xxryWkf$$sX}t6TkC0`Q0y z!&0Y{r4GFCejsa(g}i3JqYrEQkojjMm7YNFE)Dd|cJG|b7k~8{vD;PB%c;k;6u44PJKeH(KaX zcBQpEAdq7<+}_Ms>Y`ndE?qqM1hCL^Jw#1c*u^>{pN&FVT)KQb(&yhD(A~0Z+C1~r zs!#ep%d~$NqRT@$Db4wIYSQG~Dq8hZ?$rqwMy4%cw4w)KJ`JC?ZghdXkh#Jn+6MQmixe7^j+ zdiXmg#ID69Hs}}TJ-iV76CTZg;t2Q8+z2oeo~`-6dS&D;&6`0i2NSxPFfpc79}uls zLah_$XA$JKY8aS*9Gphn4)Zr-+6~Q!K`t~dbNuEAEgwAqE=bRkE#?U>Z86xi;cVjUAH--9T_*}{o zsF6oa!gOYv#VtCX<*eU$U-qc|;zw$esCP~A(;<4jyjxyQ za(b&RHFW;u6NF-sbQJ(^BcQYcVgveXa-G+?vzc=Rx`Sm=>{f8>)J86FZ}eub&?gan zbU5G%NfeM7DRz^&x1eAfa7LS3JUH~finsmVUll5)03<|rBJ$k_)d+~OE0V{Fh>eu1 z8o2pWw^GEB6K3?JYW|8zYWC-xGH+b&vjuQV@_y9V^~ayEG*ah3lma_|;Th8|qk1eQ zm`ykZlfaaqGLf&M%fV+G0s2^VUN^V;0_o4r3K3m3iVJ4zAJqLNJY^lej75Y!u%&^Pf5D4gYF;WMPGfoOQT{qp|!a1@3t5IQx5 zar%Fa+QS{rpVn%zaVG}M$CmFo>bj=|G)LZnx}HY>uUtXZmqGHo23ow*>5DSVP2r1r zGj!wm>ICLrmL{hZi)b>7obH%44 z9^;i?H%SuThWVGtuoufP8KE)|hX`qNLf`a~X8i&Nv3G;g{1(6~i4sDs4hpvET==OJ2i z#~Ixo&F-SE4u^y6QE5%Lg>q_dSSbcv+fcQhV#h8zwcKB$@WIRu$J^B`0rAGI4fG?d 
zGAryc?CqEcWa0+DJ8l{q$fl`$ATp+#aeCA{2sp72R#5EHpIWYt_1<3mMr_w zJTvn+lZI=eY>(N{lYRl5od)jubo|e3T6R?0CF@=J z-p>tLHTJA{vOuy`oO<3%4w01bA$byTxVDJDID>aY*n#Oq1C#EHjJ-&Bdi~kq_J8=P z&*4!ny%GILNK9h{%O-?P*nc?W{QUE-yHzv6NFHyRLC{BvYfv;0iNnj|9$-k$JoJd0 z{!?t|1^Fe5m`sKGTP3gU5dz0{vG(gLH_q47v~K$(BL`U9MsTHS+}~s2TP?{E&0($n zfe3>SooY;s5reI5jQZ1 z=^euf1IQ!w)?H3$&)<6^`9b3Tw+CtRU(A23ZVFjSZYHqY=KA(FHRfo~SKviVxIYg` zC;!W>T1%X|zy37kt}^kGfr~#>e zXpDHMAZR#3iJ>qeHy7-uc6Pt(@Y5fdzrtwoWYLU3!H#Rv%?&yp&aU^`#|h^A(FIR1W5}8`9Xb9b^1p2MUxx9ue_3s`$yC zbG60CXZd|GJ2-&pu%C3pnvJiX!}HO&7zV*Ur>7-76Dw9jtLX6acl3^bg!4@XsSx2$ zRB|%cXO50qk3TUHM_j#rMSY5tl}~h%&0e|ZhJ!Jt%VJyd-Td_RcMTa!O2X{``j$wT zr3U3Xr@~zskn)?rR+q!jKe!XW9g#JMNpN^0cji4+Ydu%u_->S51$h@fzP0(7gRThFvo%0)&ZY>{}h%64|7uw?%I zwu>NH+jYLrsMJ@W?#H{yB-%@GMi0nTdlWk$G;Xy~3gzQhpiUjpm2!CtHh zQ!MjU#*L=~>%2vJy#_8A2tSg`s$udeq?#xpojnndIR#q6g@6OT8yK30 zC}LIwIS*LdC{qo+O#lF~Ey%2(B|4e>QhV^kKu~DqZoqC(^%H9V=x!nL6>e%%PGMd` z#r$%#wwV7#tVE657|Kle#Dr9jj`bCkZew0*?sm}@aRtOb2mf{y;>>TGdWS_!?pf`> ziL|hDJW)l1y&12uT5sv58ug8sFazV=D~9@cCIyK*cYv&jGox{LcW)qyVzCT+eS2prE zI8B>o{&9qznB1-bl)X@B`^4GwSeQSbfO&{22>Y!*ot#)P^VQd6K5ti;G*R#OG;Wf&yiWcG9lsoz}dh+3hQH z_Tg$nJgIhCFH)hUvjT^Dt+PgW4j0E2mfjdu3!WnXEOXq~4`OTNZy#IkwN|P>O{8=+ zXFvK7Wgp&c^4G134mCL5{U?e;unGZEhxbAA z-2JZENy^IUJB0i-N4l^Y?d|KyNW#Toe1KFI9ao&64B*GT$icr1Xq*fwts-FqEslA6 zb%_GER?^LQUHO{#$2}Iug@TP#!32E%_`(8frcRcri3weQ3<_+h`U|9~n*$N zoYV?q!Dhenf`7yC&&dP0;L((R7 zG=gaG-QcJrt>S82I7uH9{{VA+cMZ^ZrMeng;6?ujMs0%GGK&viL7p_zT|&xibny|P z^$ESN)*A^@5u7bM)V*<<9Gwm+T88Vcv0&xO89|mQ0lF0yWWwBBW%Ycz0KVPii*!+d z6!Y(_l5oC&O26vpBcS~i$&s2s{-L2CkV=-zMFn-+5{mQ>A(Z^wCR4MYOgb=LY38zm zy>re^#$8TV)jZe69^* zz$!GnjdsIY28taC9q|%cBb*;uEu`g91HbYa;insEBE7HU18D)l>vX@4Q*w$$ENfaG zCW=mP;gFGRy!E|G2m&ni>>3iD-)kl1M=m&OO|px^)WlgotIHSH59;6ip2Cklv0QX% zM<1wAC8obcdLS<+SLvJToaWcAtSXmx;WYKF3N8KZCTZMUzG4Z=@(JohMFDA|lEqzK zL=E)G?PD5gEXv@%UjQ9w)CapVyq(P4Y(a~Voj6zi(+XlpY+Q-KIS%{!9Bc)jC3A?C zL=hv`RI=xsh@}p|X8{r_jwv*&Yr>(ym-K$LqcV6VC_3iIprta?+) 
zccbux8|U5ZLkW$}Ute$BSShPzclIINk#@(C!2N=QO2xF)m4vPpIzZcCtL)5nRF!_1%7dHygh)S{3*=D>1&%KZ}FxrteI@mT= zPC3v7b)Ekmn%duj+}vKQQ?aB{<&XzA`J--;5~V9V)9*pN@?5-OiE<%g`(x!Om6hsb zPiOQ~z1%diIiaOUEYl(_i9hs@v*L-=vv&IJWuRmkx`9J<`9jR(7KeHGU|sgn&oP&> zp~e}ywVL)s34wDyo?}aH%Z3&^@1~eE-NlGuT^kNPoKQo6kG~2pwX^?@iNd2ov4$Zd z?F#LCE{8p0UmN7B!WVyMOf= zwPo=n>F8>i;nXpz`YvV)KWz|GAC>zADc|U;>L$v=yFo;+kJbt3%nMb5e3EB< z-EnHQS$Dd<2dip5|K3(WIrrbNmX_T#n+_1iJLqIbn$X8* z_x^Dx(1uvtD=|JW|Fv23;>!>(cp zTc}nGHWF-e9*c?pwJmg%93en2vn9V$TI{L7fip>n*Jo_oYf^Xhcrkr30W8U&Z_>zD z7WJF(r=(yA(u$moqsN-ResT>D#%0kluX=mqtq+qX+5DQ5TZwag;;PE|oCw7<*;$Z}Vn#zWP2g#3S% zNb_;cV>Yg;(vc9#;Pg_pvoN(@#%|+xspQ3zZz9M0Z07l1wiwp!smW7Lr-Z^>Z_-9B z(sH0tUX9=S{|xYQBqz&A&|!$^bb1xtmkHLmeAwaIrBL;gI1U<4T9P_LpFa@A?$Avy zPKsQOiXx>@I{It0DiInI-kuvb4A|Klr^A*)kbLCuD}#lkx{!n_ep+GPRf|K}6K?TT zA~#r@4=HNJdhp7BSrJ()Mwz_@DMZuk#=Uor|?;B;>7OGsR$u-;{#VmXGI7Dz9P z|1m-&$OakW`=Oy!>iNiY0Coj>K_`{$OIkvvm^DGSPv%0S4v8$iBaF7Ms~eY|b5-9O z>vW`ji}7d)f^y#4AtO}At3vSp9G=&PV#u@ZWXF?aJKY`;_PYBnQ{93HFH(C_F05ftw0UZ@6LDjvY3FlKWEd2YF+ z*g1yQlU3=IUXw6n3OcO-@)Q;^Vb$MBH{+!6Aa^yp~4(6ssW{>JCe*cP2 zBq)$btm*X|_QDrVQVv%*2Bb@)hB_BBsw}LouLG@DDZia1@VYZWjG_L!osNA67=3QP&wE$HpS!%9uef| zd4$T#85CGEl$B&G4tb;tcQHCENu)zba@XJPGhoT4{=#$~NS@CtW~+cx4#6-m?@U3J z9PJc@zVy6%JM2rF8Atpuw1#hv9cOVH11n7`)p$+`HCIM6fiG&W;z^`!-fb@S>l8~= zKtB|q7DlP_qtJ<=Gq6LdHBj9Rv!fG{az0s|_pt@L4|l?CA4QG$OQ2EF4ZU z%FO7F=Z8Po%Ark90A!i}M$?OZ>PM0h-}0`RS=>n59c~f^W%-V_W=6!D%!i>sgyyEX zdXkU@^O2k5s*eBNI29AD2s^XLs@$m${z$QhBYt}&e0B{5u1zz`4(T+$8@u42x`-)w z1QcDPzn>3-2R9<&e3Hf3TrmxO7oxx!@MpqZ@7mZmv`W5s7vhL<`s%Aftk+f76X3i| zD&`=))N-e@{#t4dS%OpYB6X<29hNeq^^>o(S3m?N-nD%)T~_FuV*Hw&haH>P2Y*nt zRSysIrG45wT@6`zG&UZ+wJnAO69$sx4Pd>v0S}a&tvnv0SX3M4JFrBMh4+7F+ zx?{-uB{>VuI+y>Pn@lAm7K8*?d>=2dma*J(w;CJDrKG7E%YB6fko}+`;(L<8gSsR8GwavX{ON(KPvkzvWqU$-2YNj!> z$Rp^?cQh`LNBoXjrm9{SFJadM;J+|1;$-dO5{R2>D*o{{H=*O73z6@|?P5cHi~f9uW6F|h zK3OXi<>XQ)?jT561qEJwgi8}a z2?)DWdBT9FY}$^jSVSjhrnm?dxDlsFXWW7<^8Bg5yBSSEh0Q{7BZ#Kh#Y14d{NlTY 
zwU6bfH28juKrnJ5ijqU`WJwG^QW)K(dv>5-fPWIC+dlDFt3M~B1d3M@>d(mC%^(gY z_8oQo@GH$TAgCV74?*2|7M5k&fIBS_8;usoOkeLypeLR)fpILWEn9TaFXiwc6hOtB zEj7b!gbGWT3+%N2AZ{4LfeSFvhb?wwf#PLc3s!Rv$Y&btsrNz%KvAvL%Yu3|9QPh& zYAjC)r7?&U(0>!toQO|$eYqjP`DQ%6yZoLnyMwcFi6$4nqvF#OgZg-=lj!P7p z^*`l|V=u;$4tN-I*)uiX$`VWrl^r(XCgnn*SCn6?F6T4Rc*={Z#q53It@m(YA=PN^)tWXs`Zm7fe@u0{MY%Dn7X&&hME!|H|wHmR?oi zPgdR!@dS(#3RD_b$1yO+_IET-_vESss&SAhJ7mbLy^tx$P?mF>mSvKK-*!a9={yWD zA)WABWI_hvnbevs40RpHu}O2ly*ISA=l_=>=^dx!eZ@NRl8afxM5Uuu{UfAYFcrp~ zafg6y0II4`^Y{hfX4CQTP0+29)agtYDO3{Imt7&Qs0gF7226ovv~ZT=A|)Sd@)c1(jRGM^4B}tfi-Hcqke|#`1zgM za35;tTd-d8PaQWtjXpK_%<6KNDp|*!ik3a`8ubgfVVuZNWmN;C^l(iQ3{rdNx5EiK z5OI*E+fHGc5tIC!hP~5hz0{w1@-y>3d4b9e!J9wzEDRBVXsLnZbIQ&Pq!al;+_`3N z-C}k_R8k7WDHRcwB^E(N0KAO@9vg=A4spJ5gFqX#-H|nX}#kJ+`B}b zVoh8W4PoKR$bqQG#&0_nkeLk<04EyouAj;?jhwVKOn4jO z?KrjF;I}eet$P#&=VNbu&w|(Xv=k6BTq57ekfng{OszGu1KA}L#L$D-vr0Nm-qS1WtVI(W#W z^FhS@`%zy~$M#NX!8IW}v*(_cF`=LQ!pWjAs&&OTJPMHG2f&lgYT5Z5=6ure5^jiBR1up-B8UFZ7)4y}{c`zi@`c{GKKIg^Xfj2 z38;EyOhg^F=X(1*7W7{QQBq!p=X&6Oigd`uQ*pO@1>t~}CoWdITBEKKAUUS$v}w?| z!RhfAMc?LdjW8#1w<@OiN&exRS$JmY^|5bgLTZS`MK z(-bO67xF$c`>FeMRf?q!Og3hP#S|VV!`g!Zpy)g!epZVMC}fBuK;~#ykS}Ak>5)d$R6mn(v2>J4i$!IyauEAXHu^`zj-G3M8SvCZA*r7h6TyyFeND6F& z94$o&5?3}^WoUhe5$f=T#nTJCFk!lYk%T*LM?04EOEEIbE+HpQ`s2jJ0>n18B_+%q zJ9`=8*TgXn2*;LNTEwvg1RsA(N6^O~@l6HQC=!VWG*I>3eXM#42sY`1>_tgm9(uSqFtrn2s1{mWg!~My2rx9ing^8B1_Rh<-y12<6)yW{cOW=bj2M$39 zZ4qzd0$N)9e-*yjWqw`!b{^`3A7+JiN_d_ZwI3Zyci;Boy<)5Tk$HZ8JgS*R9y#0_RbGJXcmk1NrLg#xc5MqZ?$#$kgYH%nbIl7M^qgh{SWhSs={boX)ssC zsR%*81kM4NFoM^3>I#N6T+_-tV~Gws@EPx7Nco@))gY+l*8`$tp$@M32P<=Jyqaoe zc2H(2-B2}|G!F`z5xq-&?BMpxJD~cmVN#uFxh~Y9m9czdzgj1woPx)*spA<+6_P7N zd)_&Rl-*AlsIv~gk`_RKGJgirB;|tAF4@g)(zM-%u77iXoQRq4)rNoC#gEW+ zC6j$#e}hlb^NF8ub!#!fDoFmaMx1sfsjYOUfaN9xN=I*XCg{q$y266~g4s2BO>9(J z4&!pgoIu`2OsD%5%VRB?jz|1D)L79DsvssWzifuj?U&|8&+pMhLfn0{@@7@u#c7<Y8cjg|mmK zcys#*L=`os5{4jeK_EuchVli?w?Rx&ftQh<+2)2evHJX_NqMdq z z5U@_m*uWCPJ=U{&_`?~wf#b24Wpo7=EEL@cg#e|wPdmy!3@VpzZ0T|FP8U$9S~AL= 
zu*YoDLUf$6ZoMi3w65y77S@4e67i@4pL@n>QBPDGFL`mHS;V8BqxmyECdTE`Wo)AK zCmTRiM-sw#iH5MCx7=D$MustA!@p~b&lNy&k*-0ksm32InJJqfbScxBT!Dm`NF>_P z;cw|e72QP?jzq+~^Pd7TRlq-nu`UPhCQFYQv0WPeDZ<-rdY6W7uywAyes+tq*klxp z>Dwjwf1)1=8s_^baJl|m+mHXLPfO3_eMrE|`u5+rfW@XK!Q7;aa47uA8p1|Ga4PzT zqDVDo z*#itVIm@PRGpPnT`|h+{K6xe>V;Qc4e%`5x>;xl^g!{#1i)$#iPpdY~ z-EGJOfJD}`>AjvSpY7nq9lTpq@;J)J7X5O$hWkbXp4Y2FV66?5JQVcd4$j`xbza-*XY|ywH59XFClA96yqyD;G-}uh$Qi3PvsPz%lHPNQyb>&^H zeE{=JN<#^}XsC*hIeN`7ib5y;WJ7zT|1uDQW<6BO>I!0W8+oA1I9j8tB)jH+9jNqi z*cW@Wj{+G;BC>_2|F@76uS~BB^qsehC?#vhZ8Q>^{Nt1qsokY<+brE7Tk_(Mdh7&k zA}do|iuy9FTRRKFj8S38+-!hUDe2q=B;lpdsspo)@2@5)x*}GBA!Aeh_+3Og zqyU_JE(XNiti~*@Ew9zNl|k)PAjd_g_P1SLE4FET#Fm!2muWwxlH$-w0hNE;vbxj2 zmXSrgB^^-GdwnS9FtI2(OP)9-zog+1LAL-?EVS&B4#0nhpZtT*Y-2VvB??ziNj&uy zO9AV($j*N~oW#PnX-Ny-+EbhcJ9Uw#(z{Hm3vmk!W)#hOcmY}MPUv^y@~(ZvUPq!8 zbK4xHkY+%zPqI1;?xDdCEqvV<;56yIFja0qMpt8y?DMT;tpMApQaZbmkLR0{(Hf9H c3salIYvL5XM(K4p1+nmhLQ2+n{ literal 0 HcmV?d00001 diff --git a/secrets/wg-key.age b/secrets/wg-key.age new file mode 100644 index 0000000000000000000000000000000000000000..368419a491ac31d5e25dd3c1a90b0adc22812dc8 GIT binary patch literal 1083 zcmWmC>yOg}003}JcxZ+2L6E0%5Kh!N)^%Om5xjU?+g;bK>(;I76(6i!Z{6Cp+q%9+ zKo5+(LZU_yNR*2r@h%z>{h)yy8Vx2qg2+WQ5EX)Aj1suhC=o>c7k>Gbt4dHYv80e->QSEf#sBJJ(TG3@jOcFOfwlq z6)zEx4T>zXe3f@hA?->LK_D6dg>(@GXsJjEHjxtUA$kr@5vm<MELX4R6GP>EE?G-gip3h@mJOQ@Yk+SUQU=Kk2Dld7aG^X^9BLH?;ab+IR)!Q8 zcUxStQ|<6bkx7yS|9*D9nxSZLPB9R*^nd%ZKV=y7PM%w9}Z(? zgz4n4idW7-$$B7b8TqaO`BAZ}#{`z^FEJ6I(@r6HO;=?&PJvaaMVHu$AB(05f#^4h z2us@;0itNhEP^KJFec-J*+#d^bQ&$$&P8#c4L6HqCIN{QMG;J$VQJkVaG1%&IkG?% z22yf~j-(PvHP! zYGTKUN!*|W8k)_72t2J-d4j?96mMu@svAP;QBP1!%Jv|}`%kU}$+8*~#d@GwvH`i2 z77=@>UThkJCCuybZ0XCsa>%M&pv7Xrc)O)3K((GAR(SiG8!>`=C{q)Ao zNA~`C`HnlYcl)pRrM{@08IJyf9iD`PPw)F6Fn8aD^5Wz-iY<_eTz4=Z9n8?`Ix)^VXU-)=k3m|N2V!dC9BCC)eWgZ2F@a_U3;k zmdPuavpbHDJ$KK-H6x1`ojJAs{Ew#}y1BG9xw!A)EwR1%{77*6)Xj-u?)tR3)6eF! z?@Zi+#mwUyf1Ur#&R(%_