felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-05-13 01:51:14 +02:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: felixalb:userweb-sendmail-proxy
Branches Tags
felixalb:main felixalb:userweb-sendmail-proxy felixalb:bicep-garage-test-deployment felixalb:bicep-revival felixalb:drumknotty felixalb:fmt felixalb:errorpages felixalb:PVVtheme2026 felixalb:dagali-heimdal-openldap-sasl-stack felixalb:skrot-new-thing felixalb:loginpage felixalb:temmie-userweb felixalb:gitea-robots-txt felixalb:kommode-disko felixalb:skrott-cross-compile felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim
..
compare: felixalb:bicep-garage-test-deployment
Branches Tags
felixalb:main felixalb:userweb-sendmail-proxy felixalb:bicep-garage-test-deployment felixalb:bicep-revival felixalb:drumknotty felixalb:fmt felixalb:errorpages felixalb:PVVtheme2026 felixalb:dagali-heimdal-openldap-sasl-stack felixalb:skrot-new-thing felixalb:loginpage felixalb:temmie-userweb felixalb:gitea-robots-txt felixalb:kommode-disko felixalb:skrott-cross-compile felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim

1 Commits
userweb-se ... bicep-gara

Author SHA1 Message Date
h7x4
d83c64f246 WIP 2026-04-29 14:31:44 +02:00
32 changed files with 897 additions and 284 deletions
Expand all files Collapse all files

7
.gitea/workflows/build-topology-graph.yml
View File

@@ -13,6 +13,13 @@ jobs:
- uses: actions/checkout@v6
- uses: https://github.com/cachix/install-nix-action@v31
with:
extra_nix_config: |
show-trace = true
max-jobs = auto
trusted-users = root
experimental-features = nix-command flakes
build-users-group =
- name: Build topology graph
run: nix build .#topology -L

7
.gitea/workflows/eval.yml
View File

@@ -12,5 +12,12 @@ jobs:
- uses: actions/checkout@v6
- uses: https://github.com/cachix/install-nix-action@v31
with:
extra_nix_config: |
show-trace = true
max-jobs = auto
trusted-users = root
experimental-features = nix-command flakes
build-users-group =
- run: nix flake check

27
.sops.yaml
View File

@@ -10,6 +10,7 @@ keys:
- &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
# Hosts
- &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
- &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
@@ -19,6 +20,7 @@ keys:
- &host_lupine-3 age1wmrrhd5deatmgflkas636u3rzuk46u9knl02v4t39ncs37xqquhq9vwzye
- &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l
- &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn
- &host_skrott age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
- &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
@@ -121,6 +123,31 @@ creation_rules:
pgp:
- *user_oysteikt
- path_regex: secrets/bakke/[^/]+\.yaml$
key_groups:
- age:
- *host_bakke
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
- path_regex: secrets/skrott/[^/]+\.yaml$
key_groups:
- age:
- *host_skrott
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
- path_regex: secrets/skrot/[^/]+\.yaml$
key_groups:
- age:

4
README.md
View File

@@ -43,7 +43,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
| [kommode][kom] | Virtual | Gitea + Gitea pages |
| [lupine][lup] | Physical | Gitea CI/CD runners |
| shark | Virtual | Test host for authentication, absolutely horrendous |
| [skrot][skr] | Physical | Kiosk, snacks and soda |
| [skrot/skrott][skr] | Physical | Kiosk, snacks and soda |
| [wenche][wen] | Virtual | Nix-builders, general purpose compute |
## Documentation
@@ -60,5 +60,5 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
[ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
[kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
[lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrot
[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott
[wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche

5
base/default.nix
View File

@@ -10,10 +10,7 @@
(fp /users)
(fp /modules/snakeoil-certs.nix)
./mitigations.nix
./flake-input-exporter.nix
./hardening.nix
./networking.nix
./nix.nix
./programs.nix
@@ -71,6 +68,8 @@
fi
'';
# security.lockKernelModules = true;
security.protectKernelImage = true;
security.sudo.execWheelOnly = true;
security.sudo.extraConfig = ''
Defaults lecture = never

64
base/hardening.nix
View File

@@ -1,64 +0,0 @@
{ ... }:
{
boot.blacklistedKernelModules = [
# Obscure network protocols
"appletalk"
"atm"
"ax25"
"batman-adv"
"can"
"netrom"
"psnap"
"rds"
"rose"
"sctp"
"tipc"
# Filesystems we don't use
"adfs"
"affs"
"befs"
"bfs"
"cifs"
"cramfs"
"efs"
"exofs"
"orangefs"
"freevxfs"
"gfs2"
"hfs"
"hfsplus"
"hpfs"
"jffs2"
"jfs"
"minix"
"nilfs2"
"ntfs"
"omfs"
"qnx4"
"qnx6"
"sysv"
"ubifs"
"ufs"
# Legacy hardware
"pcspkr"
"floppy"
"parport"
"ppdev"
# Other stuff we don't use
"firewire-core"
"firewire-ohci"
"ksmbd"
"ib_core"
"l2tp_eth"
"l2tp_netlink"
"l2tp_ppp"
"nfc"
"soundwire"
];
# security.lockKernelModules = true;
security.protectKernelImage = true;
}

17
base/mitigations.nix
View File

@@ -1,17 +0,0 @@
{ ... }:
{
boot.blacklistedKernelModules = [
"rxrpc" # dirtyfrag
"esp6" # dirtyfrag
"esp4" # dirtyfrag
];
boot.extraModprobeConfig = ''
# dirtyfrag
install esp4 /bin/false
# dirtyfrag
install esp6 /bin/false
# dirtyfrag
install rxrpc /bin/false
'';
}

29
flake.lock generated
View File

@@ -232,11 +232,11 @@
]
},
"locked": {
"lastModified": 1777808420,
"narHash": "sha256-hh9XBz0K1ypZ+neezgIPCSsnWFKEq8VfV/1aUSPu3OA=",
"lastModified": 1774824790,
"narHash": "sha256-3R2aoykbutdJ7YQaZiU7uO8w4O8b6RjztTPNo8isLTI=",
"owner": "oddlama",
"repo": "nix-topology",
"rev": "28e9dc901ff38a8fa2d24bccd5f89511d6d8324e",
"rev": "5765ce41be8a4fb5471a57671c2b740a350c5da0",
"type": "github"
},
"original": {
@@ -248,11 +248,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1778125667,
"narHash": "sha256-swcxqlW+XrZFBqjcV3AV8AR64/eI234AZRFKs6q4DFo=",
"rev": "75636a69ad3115ff64d4cb3090e66c8275dda9c2",
"lastModified": 1775064210,
"narHash": "sha256-bEqbUNAnoyNZzd8rrhS8QETdDWr+vYzZeaggBLmFLIA=",
"rev": "9d1c3efdc713c1ed9679796c08a1a8a193e4704e",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.10534.75636a69ad31/nixexprs.tar.xz"
"url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.8497.9d1c3efdc713/nixexprs.tar.xz"
},
"original": {
"type": "tarball",
@@ -276,11 +276,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1778157832,
"narHash": "sha256-lSl05j1UzI5MioSJWUa7oUp5a88zzv3sXMwWC4d1N70=",
"rev": "ec299c6a33eee9baf5b4d72881ca2f15c06b4f01",
"lastModified": 1777014002,
"narHash": "sha256-urhq48kYlNYbkGXQ/f3NjzJTGfMdG8GmJQbgFLcrcV0=",
"rev": "15ebe06759175c2e98dba23c0b125913589094e7",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre993859.ec299c6a33ee/nixexprs.tar.xz"
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre986338.15ebe0675917/nixexprs.tar.xz"
},
"original": {
"type": "tarball",
@@ -390,7 +390,6 @@
},
"original": {
"ref": "main",
"rev": "16b2bc5c2759e20ecb952374509f1e1f9d6c06e7",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
}
@@ -465,11 +464,11 @@
]
},
"locked": {
"lastModified": 1777944972,
"narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
"lastModified": 1774910634,
"narHash": "sha256-B+rZDPyktGEjOMt8PcHKYmgmKoF+GaNAFJhguktXAo0=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
"rev": "19bf3d8678fbbfbc173beaa0b5b37d37938db301",
"type": "github"
},
"original": {

53
flake.nix
View File

@@ -32,7 +32,7 @@
minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main&rev=16b2bc5c2759e20ecb952374509f1e1f9d6c06e7";
roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main";
roowho2.inputs.nixpkgs.follows = "nixpkgs";
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
@@ -62,11 +62,9 @@
importantMachines = [
"bekkalokk"
"bicep"
"brzeczyszczykiewicz"
"georg"
"ildkule"
"kommode"
"lupine-1"
"skrot"
];
in {
inputs = lib.mapAttrs (_: src: src.outPath) inputs;
@@ -149,6 +147,11 @@
stableNixosConfig = name: extraArgs:
nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
in {
bakke = stableNixosConfig "bakke" {
modules = [
inputs.disko.nixosModules.disko
];
};
bicep = stableNixosConfig "bicep" {
modules = [
inputs.matrix-next.nixosModules.default
@@ -235,6 +238,38 @@
};
}
//
(let
skrottConfig = {
modules = [
(nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
inputs.dibbler.nixosModules.default
];
overlays = [
inputs.dibbler.overlays.default
(final: prev: {
# NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
atool = prev.emptyDirectory;
micro = prev.emptyDirectory;
ncdu = prev.emptyDirectory;
})
];
};
in {
skrott = self.nixosConfigurations.skrott-native;
skrott-native = stableNixosConfig "skrott" (skrottConfig // {
localSystem = "aarch64-linux";
crossSystem = "aarch64-linux";
});
skrott-cross = stableNixosConfig "skrott" (skrottConfig // {
localSystem = "x86_64-linux";
crossSystem = "aarch64-linux";
});
skrott-x86_64 = stableNixosConfig "skrott" (skrottConfig // {
localSystem = "x86_64-linux";
crossSystem = "x86_64-linux";
});
})
//
(let
machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
stableLupineNixosConfig = name: extraArgs:
@@ -305,6 +340,16 @@
lib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
//
# Skrott is exception
{
skrott = self.packages.${system}.skrott-native-sd;
skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
}
//
# Nix-topology
(let
topology' = import inputs.nix-topology {

18
hosts/bakke/configuration.nix Normal file
View File

@@ -0,0 +1,18 @@
{ config, pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base
./filesystems.nix
];
networking.hostId = "99609ffc";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0";
address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "24.05";
}

83
hosts/bakke/disks.nix Normal file
View File

@@ -0,0 +1,83 @@
{
# https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
# Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
disko.devices = {
disk = {
one = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
type = "EF00";
content = {
type = "mdraid";
name = "boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
two = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
type = "EF00";
content = {
type = "mdraid";
name = "boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
};
mdadm = {
boot = {
type = "mdadm";
level = 1;
metadata = "1.0";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
raid1 = {
type = "mdadm";
level = 1;
content = {
type = "gpt";
partitions.primary = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
}

26
hosts/bakke/filesystems.nix Normal file
View File

@@ -0,0 +1,26 @@
{ pkgs,... }:
{
# Boot drives:
boot.swraid.enable = true;
# ZFS Data pool:
boot = {
zfs = {
extraPools = [ "tank" ];
requestEncryptionCredentials = false;
};
supportedFilesystems.zfs = true;
# Use stable linux packages, these work with zfs
kernelPackages = pkgs.linuxPackages;
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
# NFS Exports:
#TODO
# NFS Import mounts:
#TODO
}

52
hosts/bakke/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,52 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=nix" "noatime" ];
};
fileSystems."/boot" =
{ device = "/dev/sdc2";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

10
hosts/bekkalokk/services/website/fetch-gallery.nix
View File

@@ -47,8 +47,8 @@ in {
}}
# Delete files and directories that exists in the gallery that don't exist in the tarball
filesToRemove=$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))
while IFS= read -r fname; do
filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
while IFS= read fname; do
rm -f "$fname" ||:
rm -f ".thumbnails/$fname.png" ||:
done <<< "$filesToRemove"
@@ -56,9 +56,9 @@ in {
find . -type d -empty -delete
mkdir -p .thumbnails
images=$(find . -type f -not -path './.thumbnails*')
images=$(find . -type f -not -path "./.thumbnails*")
while IFS= read -r fname; do
while IFS= read fname; do
# Skip this file if an up-to-date thumbnail already exists
if [ -f ".thumbnails/$fname.png" ] && \
[ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
@@ -67,7 +67,7 @@ in {
fi
echo "Creating thumbnail for $fname"
mkdir -p "$(dirname ".thumbnails/$fname")"
mkdir -p $(dirname ".thumbnails/$fname")
magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
done <<< "$images"

1
hosts/bicep/configuration.nix
View File

@@ -7,6 +7,7 @@
./services/nginx
./services/calendar-bot.nix
./services/garage.nix
#./services/git-mirrors
./services/minecraft-heatmap.nix
./services/mysql

143
hosts/bicep/services/garage.nix Normal file
View File

@@ -0,0 +1,143 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.garage;
in
{
sops.secrets = lib.mkIf cfg.enable {
"garage/rpc-secret" = {
owner = "garage";
group = "garage";
restartUnits = [ "garage.service" ];
};
"garage/admin-token" = {
owner = "garage";
group = "garage";
restartUnits = [ "garage.service" ];
};
"garage/metrics-token" = {
owner = "garage";
group = "garage";
restartUnits = [ "garage.service" ];
};
};
services.garage = {
enable = true;
package = pkgs.garage_2;
settings = {
data_dir = [
{
capacity = "50G";
path = "/var/lib/garage/data";
}
];
metadata_dir = "/var/lib/garage/meta";
db_engine = "lmdb";
replication_factor = 1;
rpc_bind_addr = "[::]:3901";
rpc_secret_file = config.sops.secrets."garage/rpc-secret".path;
s3_api = {
s3_region = "eu-central";
api_bind_addr = "[::]:3900";
root_domain = ".garage.pvv.ntnu.no";
};
# s3_web = {
# bind_addr = "[::]:3902";
# root_domain = ".garage-web.pvv.ntnu.no";
# index = "index.html";
# };
admin = {
# api_bind_addr = "[::]:3903";
admin_token_file = config.sops.secrets."garage/admin-token".path;
metrics_token_file = config.sops.secrets."garage/metrics-token".path;
};
};
};
users = lib.mkIf cfg.enable {
users.garage = {
isSystemUser = true;
group = "garage";
};
groups.garage = { };
};
systemd.tmpfiles.settings."10-garage" = lib.mkIf cfg.enable {
"/data/garage/data".d = {
user = "garage";
group = "garage";
mode = "0770";
};
"/data/garage/meta".d = {
user = "garage";
group = "garage";
mode = "0770";
};
};
systemd.services.garage = lib.mkIf cfg.enable {
serviceConfig = {
DynamicUser = false;
User = "garage";
Group = "garage";
BindReadWritePaths = [
"/data/garage/data:/var/lib/garage/data"
"/data/garage/meta:/var/lib/garage/meta"
];
LoadCredential = [
"rpc_secret_path:${config.sops.secrets."garage/rpc-secret".path}"
"admin_token_path:${config.sops.secrets."garage/admin-token".path}"
"metrics_token_path:${config.sops.secrets."garage/metrics-token".path}"
];
Environment = [
"GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
"GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
"GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
"GARAGE_METRICS_TOKEN_FILE=%d/metrics_token_path"
];
};
};
services.nginx = lib.mkIf cfg.enable {
upstreams.s3_backend.servers = {
"[::1]:3900" = { };
};
# upstreams.web_backend.servers = {
# "[::1]:3902" = { };
# };
virtualHosts."garage.pvv.ntnu.no" = {
serverAliases = [ "*.garage.pvv.ntnu.no" ];
enableACME = true;
# useACMEHost = "garage.pvv.ntnu.no";
forceSSL = true;
locations."/" = {
proxyPass = "http://s3_backend";
extraConfig = ''
client_max_body_size 64m;
proxy_max_temp_file_size 0;
'';
};
};
# virtualHosts."garage-web.pvv.ntnu.no" = {
# serverAliases = [ "*.garage-web.pvv.ntnu.no" ];
# useACMEHost = "garage-web.pvv.ntnu.no";
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://web_backend";
# };
# };
};
}

2
hosts/bicep/services/mysql/backup.nix
View File

@@ -57,7 +57,7 @@ in
rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done
'';

2
hosts/bicep/services/postgresql/backup.nix
View File

@@ -58,7 +58,7 @@ in
rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done
'';

2
hosts/ildkule/services/monitoring/prometheus/machines.nix
View File

@@ -30,6 +30,8 @@ in {
(mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "skrott" [ defaultNodeExporterPort defaultSystemdExporterPort ])
(mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])

24
hosts/kommode/services/gitea/customization/default.nix
View File

@@ -99,23 +99,23 @@ in
];
} ''
# Bigger icons
install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl"
install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
'';
in ''
install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'
install -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'
install -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'
install -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'
install -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'
install -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
install -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'
install -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'
install -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'
install -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'
install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
'${lib.getExe pkgs.rsync}' -a '${customTemplates}/' '${cfg.customDir}/templates/'
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
'';
};
}

112
hosts/skrott/configuration.nix Normal file
View File

@@ -0,0 +1,112 @@
{ config, pkgs, lib, modulesPath, fp, values, ... }: {
imports = [
(modulesPath + "/profiles/perlless.nix")
(fp /base)
];
# Disable import of a bunch of tools we don't need from nixpkgs.
disabledModules = [ "profiles/base.nix" ];
sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
boot = {
consoleLogLevel = 0;
enableContainers = false;
loader.grub.enable = false;
loader.systemd-boot.enable = false;
kernelPackages = pkgs.linuxPackages;
};
hardware = {
enableAllHardware = lib.mkForce false;
firmware = [ pkgs.raspberrypiWirelessFirmware ];
};
# Now turn off a bunch of stuff lol
# TODO: can we reduce further?
# See also https://nixcademy.com/posts/minimizing-nixos-images/
system.autoUpgrade.enable = lib.mkForce false;
services.irqbalance.enable = lib.mkForce false;
services.logrotate.enable = lib.mkForce false;
services.nginx.enable = lib.mkForce false;
services.postfix.enable = lib.mkForce false;
services.smartd.enable = lib.mkForce false;
services.udisks2.enable = lib.mkForce false;
services.thermald.enable = lib.mkForce false;
services.promtail.enable = lib.mkForce false;
# There aren't really that many firmware updates for rbpi3 anyway
services.fwupd.enable = lib.mkForce false;
documentation.enable = lib.mkForce false;
environment.enableAllTerminfo = lib.mkForce false;
programs.neovim.enable = lib.mkForce false;
programs.zsh.enable = lib.mkForce false;
programs.git.package = pkgs.gitMinimal;
nix.registry = lib.mkForce { };
nix.nixPath = lib.mkForce [ ];
sops.secrets = {
"dibbler/postgresql/password" = {
owner = "dibbler";
group = "dibbler";
};
};
# zramSwap.enable = true;
networking = {
hostName = "skrott";
defaultGateway = values.hosts.gateway;
defaultGateway6 = values.hosts.gateway6;
interfaces.eth0 = {
useDHCP = false;
ipv4.addresses = [{
address = values.hosts.skrott.ipv4;
prefixLength = 25;
}];
ipv6.addresses = [{
address = values.hosts.skrott.ipv6;
prefixLength = 25;
}];
};
};
services.dibbler = {
enable = true;
kioskMode = true;
limitScreenWidth = 80;
limitScreenHeight = 42;
settings = {
general.quit_allowed = false;
database = {
type = "postgresql";
postgresql = {
username = "pvv_vv";
dbname = "pvv_vv";
host = "postgres.pvv.ntnu.no";
password_file = config.sops.secrets."dibbler/postgresql/password".path;
};
};
};
};
# https://github.com/NixOS/nixpkgs/issues/84105
boot.kernelParams = lib.mkIf (!config.virtualisation.isVmVariant) [
"console=ttyUSB0,9600"
# "console=tty1" # Already part of the module
];
systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
enable = true;
wantedBy = [ "getty.target" ]; # to start at boot
serviceConfig.Restart = "always"; # restart when session is closed
};
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11";
}

2
hosts/temmie/configuration.nix
View File

@@ -6,7 +6,7 @@
(fp /base)
./services/nfs-mounts.nix
./services/userweb
./services/userweb.nix
];
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {

187
hosts/temmie/services/userweb/default.nix → hosts/temmie/services/userweb.nix
View File

@@ -7,26 +7,9 @@ let
# https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
phpEnv = pkgs.php.buildEnv {
extensions = { all, ... }: with all; [
bz2
curl
decimal
gd
imagick
mysqli
mysqlnd
pgsql
posix
protobuf sqlite3
uuid
xml
xsl
zlib
zstd
pdo
pdo_mysql
pdo_pgsql
pdo_sqlite
opcache
protobuf
];
extraConfig = ''
@@ -42,15 +25,38 @@ let
pkgs.irssi
pkgs.nix.libs.nix-perl-bindings
AlgorithmDiff
AnyEvent
AnyEventI3
ArchiveZip
CGI
CPAN
CPANPLUS
DBDPg
DBDSQLite
DBDmysql
DBI
EmailAddress
EmailSimple
Env
Git
HTMLMason
HTMLParser
HTMLTagset
HTTPDAV
HTTPDaemon
ImageMagick
JSON
TemplateToolkit
LWP
MozillaCA
PathTiny
Switch
SysSyslog
TestPostgreSQL
TextPDF
TieFile
Tk
URI
XMLLibXML
]);
# https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
@@ -64,88 +70,102 @@ let
ignoreCollisions = true;
};
sendmailWrapper = pkgs.writeShellApplication {
name = "sendmail";
runtimeInputs = [ ];
text = ''
args=("$@")
if [[ "''${PWD:-}" =~ ^/home/pvv/[^/]+/([^/]+) ]] && [[ "''${BASH_REMATCH[1]}" != "pvv" ]]; then
# Prepend -fusername to the argument list, so bounces go to the user
args=("-f''${BASH_REMATCH[1]}" "''${args[@]}")
fi
exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
'';
};
# https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
fhsEnv = pkgs.buildEnv {
name = "userweb-env";
ignoreCollisions = true;
paths = with pkgs; [
bash
sendmailWrapper
perlEnv
pythonEnv
phpEnv
]
++ (with phpEnv.packages; [
# composer
])
++ [
# Useful packages for homepages
exiftool
gnuplot
ikiwiki-full
imagemagick
jhead
ruby
sbcl
sourceHighlight
# Missing packages from tom
# blosxom
# pyblosxom
# mediawiki (TODO: do people host their own mediawikis in userweb?)
# nanoblogger
# Version control
cvs
rcs
git
# Compression/Archival
bzip2
gnutar
gzip
lz4
unzip
xz
zip
zstd
# Other tools you might expect to find on a normal system
acl
aspell
autoconf
autotrash
bazel
bintools
bison
bsd-finger
catdoc
ccache
clang
cmake
coreutils-full
curl
devcontainer
diffutils
emacs
# exiftags
exiftool
ffmpeg
file
findutils
gawk
gcc
glibc
gnugrep
gnumake
gnupg
gnuplot
gnused
gnutar
gzip
html-tidy
imagemagick
inetutils
iproute2
jhead
less
man
libgcc
lndir
mailutils
man # TODO: does this one want a mandb instance?
meson
more
mpc
mpi
mplayer
ninja
nix
openssh
openssl
patchelf
pkg-config
ppp
procmail
procps
qemu
rc
rhash
rsync
ruby # TODO: does this one want systemwide packages?
salt
sccache
sourceHighlight
spamassassin
strace
subversion
system-sendmail
systemdMinimal
texliveMedium
tmux
unzip
util-linux
valgrind
vim
wget
which
wine
xdg-utils
zip
zstd
];
extraOutputsToInstall = [
@@ -155,10 +175,6 @@ let
};
in
{
imports = [
./mail.nix
];
services.httpd = {
enable = true;
adminAddr = "drift@pvv.ntnu.no";
@@ -215,25 +231,6 @@ in
AllowOverride All
Require all granted
</Directory>
<DirectoryMatch "^/home/pvv/.*/web-docs/(${lib.concatStringsSep "|" [
"\\.git"
"\\.hg"
"\\.svn"
"\\.ssh"
"\\.env"
"\\.envrc"
"\\.bzr"
"\\.venv"
"CVS"
"RCS"
".*\\.swp"
".*\\.bak"
".*~"
]})(/|$)">
AllowOverride All
Require all denied
</DirectoryMatch>
'';
};
};

34
hosts/temmie/services/userweb/mail.nix
View File

@@ -1,34 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.postfix.enable = lib.mkForce false;
services.nullmailer = {
enable = true;
config = {
me = config.networking.fqdn;
remotes = "mail.pvv.ntnu.no smtp --port=25";
};
};
systemd.sockets.userweb-sendmail-sandbox-proxy = {
wantedBy = [ "sockets.target" ];
listenStreams = [ "/run/userweb-sendmail-sandbox-proxy.sock" ];
socketConfig = {
# Accept = true;
SocketUser = "httpd";
SocketGroup = "httpd"; # TODO: is wwwrun(54) in this group?
SocketMode = "0660";
};
};
systemd.services.userweb-sendmail-sandbox-proxy = {
serviceConfig = {
User = "root";
Group = "root";
Sockets = [
"userweb-sendmail-sandbox-proxy.socket"
];
ExecStart = "${lib.getExe pkgs.hello}";
};
};
}

30
modules/matrix-ooye.nix
View File

@@ -77,29 +77,29 @@ in
id
echo "Before if statement"
stat "''${REGISTRATION_FILE}"
stat ''${REGISTRATION_FILE}
if [[ ! -f "''${REGISTRATION_FILE}" ]]; then
if [[ ! -f ''${REGISTRATION_FILE} ]]; then
echo "No registration file found at '$REGISTRATION_FILE'"
cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}"
cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
fi
echo "After if statement"
stat "''${REGISTRATION_FILE}"
stat ''${REGISTRATION_FILE}
AS_TOKEN="$('${lib.getExe pkgs.jq}' -r .as_token "''${REGISTRATION_FILE}")"
HS_TOKEN="$('${lib.getExe pkgs.jq}' -r .hs_token "''${REGISTRATION_FILE}")"
DISCORD_TOKEN="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)"
DISCORD_CLIENT_SECRET="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)"
AS_TOKEN=$(${lib.getExe pkgs.jq} -r .as_token ''${REGISTRATION_FILE})
HS_TOKEN=$(${lib.getExe pkgs.jq} -r .hs_token ''${REGISTRATION_FILE})
DISCORD_TOKEN=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)
DISCORD_CLIENT_SECRET=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)
# Check if we have all required tokens
if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then
AS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)"
AS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
echo "Generated new AS token: ''${AS_TOKEN}"
fi
if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then
HS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)"
HS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
echo "Generated new HS token: ''${HS_TOKEN}"
fi
@@ -115,13 +115,13 @@ in
exit 1
fi
shred -u "''${REGISTRATION_FILE}"
cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}"
shred -u ''${REGISTRATION_FILE}
cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
'${lib.getExe pkgs.jq}' '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' "''${REGISTRATION_FILE}" > "''${REGISTRATION_FILE}.tmp"
${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp
shred -u "''${REGISTRATION_FILE}"
mv "''${REGISTRATION_FILE}.tmp" "''${REGISTRATION_FILE}"
shred -u ''${REGISTRATION_FILE}
mv ''${REGISTRATION_FILE}.tmp ''${REGISTRATION_FILE}
'';
in

20
modules/snakeoil-certs.nix
View File

@@ -51,24 +51,24 @@ in
script = let
openssl = lib.getExe pkgs.openssl;
in lib.concatMapStringsSep "\n" ({ name, value }: ''
mkdir -p "$(dirname '${value.certificate}')" "$(dirname '${value.certificateKey}')"
if ! ${openssl} x509 -checkend 86400 -noout -in '${value.certificate}'
mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
then
echo "Regenerating '${value.certificate}'"
${openssl} req \
-newkey rsa:4096 \
-new -x509 \
-days '${toString value.daysValid}' \
-days "${toString value.daysValid}" \
-nodes \
-subj '${value.subject}' \
-out '${value.certificate}' \
-keyout '${value.certificateKey}' \
-subj "${value.subject}" \
-out "${value.certificate}" \
-keyout "${value.certificateKey}" \
${lib.escapeShellArgs value.extraOpenSSLArgs}
fi
chown '${value.owner}:${value.group}' '${value.certificate}'
chown '${value.owner}:${value.group}' '${value.certificateKey}'
chmod '${value.mode}' '${value.certificate}'
chmod '${value.mode}' '${value.certificateKey}'
chown "${value.owner}:${value.group}" "${value.certificate}"
chown "${value.owner}:${value.group}" "${value.certificateKey}"
chmod "${value.mode}" "${value.certificate}"
chmod "${value.mode}" "${value.certificateKey}"
echo "\n-----------------\n"
'') (lib.attrsToList cfg);

2
packages/mediawiki-extensions/update-mediawiki-extensions.py
View File

@@ -83,7 +83,7 @@ def get_newest_commit(project_name: str, tracking_branch: str) -> str:
content = requests.get(f"{BASE_WEB_URL}/{project_name}/+log/refs/heads/{tracking_branch}/").text
soup = bs4.BeautifulSoup(content, features="html.parser")
try:
a = soup.find('li').find('a')
a = soup.find('li').findChild('a')
commit_sha = a['href'].split('/')[-1]
except AttributeError:
print(f"ERROR: Could not parse page for {project_name}:")

99
secrets/bakke/bakke.yaml Normal file
View File

@@ -0,0 +1,99 @@
hello: ENC[AES256_GCM,data:+GWORSIf9TxmJLw1ytZwPbve2yz5H9ewVE5sOpQzkrRpct6Wes+vTE19Ij8W1g==,iv:C/WhXNBBM/bidC9xynZzk34nYXF3mUjAd4nPXpUlYHs=,tag:OJXSwuI8aNDnHFFTkwyGBQ==,type:str]
example_key: ENC[AES256_GCM,data:ojSsrFYo5YD0YtiqcA==,iv:nvNtG6c0OqnQovzWQLMjcn9vbQ4PPYSv2B43Y8z0h5s=,tag:+h7YUNRA2MTvwGJq1VZW8g==,type:str]
#ENC[AES256_GCM,data:6EvhlBtrl5wqyf6UAGwY8Q==,iv:fzLUjBzyuT17FcP8jlmLrsKW46pu6/lAvAVLHBxje6k=,tag:n+qR1NUqa91uFRIpALKlmw==,type:comment]
example_array:
- ENC[AES256_GCM,data:A38KXABxJzMoKitKpHo=,iv:OlRap3R//9tvKdPLz7uP+lvBa/fD0W8xFzdxIKKFi4E=,tag:QKizPN1fYOv5zZlMVgTIOQ==,type:str]
- ENC[AES256_GCM,data:8X2iVkHQtQMReopWdgM=,iv:2Wq3QOadwd3G3ROXNe7JQD4AL/5H/WV19TBEbxijG/8=,tag:tikKT9Wvzm4Vz5aoy6w9WQ==,type:str]
example_number: ENC[AES256_GCM,data:0K05hiSPh2Ok1A==,iv:IVRo61xkKugv4OiPm0vt9ODm5DC1DzJFdlgQJb1TfTg=,tag:o3xXygVEUD4jaGSJr0Nxtw==,type:float]
example_booleans:
- ENC[AES256_GCM,data:zoykmQ==,iv:1JGy1Cg5GdAiod9qPSzW+wsG6rUgUJyYMEE4k576Tlk=,tag:RUCbytPpo78bqlAVEUsbLg==,type:bool]
sops:
age:
- recipient: age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOE50MkkxV1p0UlVUT0dE
WCtLMEk0ZSttY25UMjNHSHB1QzJ4N2l5WnpFCkNpdmlCY1VxWVo0ZStVclZ0amo4
dGhSRWY1SElRZXZzdWo5UDNjUHMzUjAKLS0tIDI3elNXSXJHQU5qb3hCSHYwWnoy
N3BhNmJQZjIrbWlVRytxZ3dFMjBtL1kKn7/DTPfJtdBomSplnBomYhsxJbX7kJQa
1Qsr+bmugWxHFIPhoDwPIBpChQkLvAo8exQpduos18FsXgvMmB0guQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXdnNSSEJoaUQwdTNTMDY4
QUxuLzRIWVNkM25QNTZ5VTBwQlYvT2p3SURzCnJmd2g1YUY0cmdLL3FkQTQ4NURL
YncyY3VROTFUeDc5ZlB1aWdXVGNNdjgKLS0tIEtXeDdRLzl4RXhpS2o5ZUE4YkpI
RjBObVhlWncrRnVidEtGN2N0ZitzNlUK/ooEeWCY5nDgny43q45wvl/e6qq/X4B/
7Q/DPj13BcrWRgoCYeHlq6VlIerz5ERNgxyR/qKuVSGAVroSVY6spA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRy9CaHY1WEEzOXdUSjd2
aFlGU3NGcW5MeHg3U2d0UEk0SXJIcmg4RVFzCkpwODhBWld6T1VNS2haSkpxL0hn
b0VRWVNFcTE5c0t3VkFZQ1R1d2dnbmMKLS0tIDdNMHBrU0RRSmlBZUJobXQxZUt2
MzZSYlM5bjYzUlRYNXkzNzZlWmx3L0UKkH6WOXHFRRbCprSjxcONSVUN/9NEQvtS
Jg+dJSMviq6GvUfUNmNvPJHfyy+CYT6a2Zd+4NdYCetRLsRJPc6p3A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUckpiMzYrU1NnNFJ4MGps
OEt0c0o3Ty9QejhEM29wZFMrNTNyMHlHWlRBCnBHUUdvcmxoL0FqVEtBSHlma25P
c2tITUtZTGVzOGdidC84OUYvRlpxSjAKLS0tIFNMVmdiWmJNZUdLS1g3T3ZINUh6
Mjg5RHdKYnV3Z2V0L3E3ZlA2WDB0WlkKJr4Vg6rnKqGpL6N143QYfLqS4lQIED/J
SYQds8mCiyCNGvV6ON4k096jXcuMAZ1w+0bA16AHlTXnqgIgfaHpKA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHL1QvSUlWUTN4OTBKOURa
VkVVb29McWgxa3gwb2lkVTdSZmUrVVZpSERjCm9oTTFRckg3SUM1a0tJRVlaU3RL
dUtsU0FpY1JyNkx6K1U1MWcrSjNYbUUKLS0tICtvTjJVdG1PSXF4TVltZ204SnVu
VE9aT3l2dGgxMWNHUXQ0bDN2RjVOek0KwOa/vczHZa+SRr8j6KvkfZZ0kajxXOq0
5AoDz2Mtcs+qBctTuogdLCZoL2ZpRVV7v1dGI+Fm1cVLoutV19IvTQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWVFp0ZlRhU29DNUhMSmRy
Y3VVV2pmajJmaU9qN0tHR1E3ekFMS3o0K2pRClIwek5GYzNNZEliK2ZTT1NVZklQ
YWpqY3poN0E1ZTVOTVRhL3FQSVZmZW8KLS0tIHpuWktoa1EwcXc1bEJJYk5VbEw3
blE2VXBuTDdlbHJTVjRzOWdyem1UWTQKg5uZRhcLpmiVcadqdJoscqsBD2u6UGx+
qT0IoSVOzsBlJw2t9rH1zR7WfRSlCXT1NYzu9aTWGqQaB8qvEtyk4g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdjhMM1ZpM2xFVXlvOXZK
MlRZT2U5YzhMUVR1L0FqVVdiSTFTYUpyN25rCjB6ajMwTnNTaWk5d21vM0Zza243
dHhSOHM0c3cwS1c5dGxhbzBNVm9DeFEKLS0tIEpOY1lWVE04UkNYNDdCcUdnTUhI
NC9xOENWZUNyay9SeXRjSUdkMlE4UXcKiygSIWelRUZQPbiK2ASQya7poe1KCXmo
XIlgOaUe1+lvY8s2bjdud0+7QlPOKeyciCSFNNqIxzHMYSEKwNCbpg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-15T21:42:17Z"
mac: ENC[AES256_GCM,data:2gH/ZaxSA6ShRu53dxj7V3jk7FsVdYS+PSHQyFT8qMvKM1hsQ/nWrKt00PUl9I7Gb4uomP9Ga3SyphYOXRBzKoV+x52oEWOJE3Q4iPrwdCkyHlxEezhTd/ZRQVatG6dvHpLuDNS9Dyph4f7Mw5USI+m4WeVdgCvHTydw+4KIfP4=,iv:yimfq96WVsagvKr8HTg1RdZBSrVGcCWPvv8XOXkOfcg=,tag:zHzdrE0PX5+AeD2lpqeJVQ==,type:str]
pgp:
- created_at: "2026-01-16T06:34:38Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ/+O1tft/OfS52K8cmcQE7I7aFb85P2L+7u1TdmTjHwNFkC
3jhvzPkNDQDkMIc5EPZKX5WLUS8F1UaqCw4b8zZtqoTqKDpu0S92KL500iXwBxft
D3cRMFFb6GBoSlPJVBt6LMRJjGLWCkBihlYL1AknoVV7VERj8m1cvcstdp3qbEd7
c+X6t5B+7N0/QPdh2KyrHWXyCzFc/6emVjNGy2EoXRt7idFF2yTbafobCs/hZ8LZ
RJyhpGyR9QPtAwFP9Und62tCd4ZwG5FazZBLevRrmD7AOW1WnQhyYvxBvqQp/Oz+
lFmhcirLw5CaC1AbF2k3uNoAHXVWyexaQeu2gsNYXq+lpsdCWT8WtrAtNCyC2StI
PtdrdQ9oikJptmoWQ0zEBXKXdV8AhukLSX0wtis74KbmcS+2YyNKvQksGF2ZfHBh
U9ycfJr1kwm7TAg5Lg6XOmKrdOJkPoIcUCk2QW7MfS3nwwMLt3BjhhpRVUfeUmjB
Jjjs+jUXEusnmwmvGGgEU2pT944FLuFClSI8JTnIZ61YkjF7zAtrURvsNKlqu/UG
JLrWR+dnnh1YK0qQEcqt6giNSX2IWrw5SpJ8Jekt0TWfB1HDHybQUyFC/n/je/XK
0ouAeDL9oqh0eRU3ng4KKhOXNn+WO3/HrnG//KFwokc//BNNvP8qM0CTtPQbQ1HS
XgFjhTfzV0T4LyUryuict4rLVI+DDbzWGRp0umdobvQE1CGLhKCanrd2/Ng6fAny
9G09vYF5zK95uzqFBCTh1zFr6+rhfbMI501TwBu1KxOaJdYs3vzLiTGWoyI48JM=
=5fyo
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.8.1

10
secrets/bicep/bicep.yaml
View File

@@ -10,6 +10,10 @@ minecraft-heatmap:
ssh-key:
private: ENC[AES256_GCM,data:h9OtD6hxrxyokFDe9bveAkMICrs3YrsAEqg0RVHV+xCkgkNAdoh85wb1QI8FJ0tga4Bfq8ZxZTdMnexQvbYWL8m/N/P6gWoPPJd7dwGuxaUZu5lqngVuHIhH0yWFWtPXjQ0Zyl5Q1aBKyjzJMvJc/H2iprgVH4YFs/fWf/KDEp17Plvvz0AoPGPrOZErDmne4MtLbW3pUm1r5ACo/41OyXYwjHk1Ywgsoz1CMxe/DrmkADnf7jSDWL6Q0mz8hIIYi8GbToJS4BIJ2plttraxV9sqpIPzS/1jMERNchItlkCppSYIy/eohVmskP8dAySm5Z7HNGGtzWSSGLxq15xKc7OVFYPMI+B35nPnp1LVOUWqBHAqVo7dwxc3VXOlVat7AMknUZnr67d4TIIl5BOdy/rvAxzXS/fDV0zntIs5o3phKStVvq07eZFaOVva45B7Pyyn0PdBhHBt2JcBtm+Xtg9i3xvZdwQgbeeJRhnYgDqK6BVhmtTuirwp1GOyslqaFCjg0MJj+W+d8R9gbbfyFR6YrZQAkcd/o/yZGg86z7Phe18=,iv:nt/+qPBwPZKQt43VJ9FbKjLYioFwCxD7VK9WNCJCmpQ=,tag:MuDfnTiro3VVJq9x5rkEQg==,type:str]
public: ENC[AES256_GCM,data:+fiCO8VRSmV7tmyweYSpZJMOuMORLHkWetYbr20aTQ1vRYr927nYGes4E464t+Dv9OyJPCLmHBdgt7UvxJWuC3pZE8iStnBYnej3D4ebMzi2SMfOkJjGuQSplXtl8QeAYe1YvROmtQ==,iv:thgGQUyWdXfwUt1E/vudoNjl8JjnksFd1rb/asTry+g=,tag:t1iQPocvfI+JafuJycaLuw==,type:str]
garage:
rpc-secret: ENC[AES256_GCM,data:GzLWSrVcjCiZKNC78BCjf1CFDdUxU43w5cjUCxlV2zUv4RLJ9m4rJiw749du+JW/w7CvyVgBHSM7D4ixeunvJA==,iv:VwrmBtbNX0AumaBmMNYwMd+zMHfYwXzvMd5D2uQrIis=,tag:ShHXGuYx4lrg+ORf+JXISw==,type:str]
admin-token: ENC[AES256_GCM,data:UFyn0s0t44oEDdV36kkeUyomvP0X+Sw4ed1g6n29Fh6PLYl53gvDnyg0OSI=,iv:w9IMARTfTcfvu/Qdh60JVH7S9W1GkV+/e3YL08WZKh8=,tag:kOx9BZ8OPBNRpvkLgmW3Zw==,type:str]
metrics-token: ENC[AES256_GCM,data:/dCSR1OgpEsOsRRzCeiY6OSyGvl8feKovb/Kfqg6QCQ4tb8bAkkR8xLtTxQ=,iv:4wHwBgoiJFTZETtNs9t6dshgG3f84T7HHiEi86LkOmU=,tag:3usDN18uB2ZPo8fDJZEDag==,type:str]
sops:
age:
- recipient: age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
@@ -75,8 +79,8 @@ sops:
U3IrZTB3YUJiREZDQkgzUFMvb3VxU1kKJhYYVcCT8hNJkEK1nD3GBekVGDOI3Nin
iBat3LwB4Ijzx1jA+jKJ1Ilf4MgdoL2ox6l/uWft27vvsRaQ501VvA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-25T12:27:53Z"
mac: ENC[AES256_GCM,data:GoJ2en7e+D4wjyPJqq7i1s8JPdgFO3wcxrtXOgSKTxi6HTibuIcP4KQcKrCMRAZmXOEL1vpnWFA2uk7S00Av7/QOnzP0Zrk3aPBM6lbB+p9XSabN0sOe1UpZDtAM3bzvS9JZzyztT5nHKvO/eV2rP71y/tYbsT6yvj7Y9zxpvKg=,iv:tQiCr7zpo7g5jZpt2VD9jtFKo32XUWs94Jay+T4XWys=,tag:npBqmlbUUfN+ztttajva3w==,type:str]
lastmodified: "2026-04-29T12:18:46Z"
mac: ENC[AES256_GCM,data:blfYRh75xbA+jeGCCxuZADBVAa4Nih+b5hcXEp8mdzOBrbdOWfL4TfuyYB0Cj/rMDsklIprczmBJ/a/cSTdKSaak/LfAzy7swR6u5R5V3+xLP6CopOhO59RaXc2inoMPEc73XAmP33jynm/kSznRM1PGA+X9oaK6PrWcTgHiM7M=,iv:SwXRz/XpyOVOQzvRjViqK41NOdHXGdTshQ3a/Qi1350=,tag:v6p6QW6qnv1T14PBBB88NQ==,type:str]
pgp:
- created_at: "2026-01-16T06:34:45Z"
enc: |-
@@ -99,4 +103,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.10.2
version: 3.12.2

93
secrets/skrott/skrott.yaml Normal file
View File

@@ -0,0 +1,93 @@
dibbler:
postgresql:
password: ENC[AES256_GCM,data:2n85TO709GJc7/qoYp2RXO8Ttfo=,iv:5ZCZPEQQXPGYfDd1qPhDwDfm1Gds1M8PEX9IiCsHcrw=,tag:PAseyFBAe56pLj5Uv8Jd7A==,type:str]
sops:
age:
- recipient: age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNdjk1L1N4QU5SK3pjTit6
V0hIZHhyOW9Rc2xWdE9yN0tmMG93V0IzZzA4Ck5OSUlRTE5mVGZtMTl3NDh1QzA2
Uk9RVnRENmVnQUZuQUVSeGxBS0VaK2sKLS0tIHRHbUUzcmlQbW0weXU0eWJKVmVT
ZUxJKzV3UDVVSW11SHRrWGxOSmgrZk0KyWxjEmCvNhiZfgXfObQfQ5riscy0mLFn
3pslIN7fbxgxnEVyAhl9FOUS65GrmWrrhvN0pkIpgMw1cqtCrZHxyw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoVFh2WC9iVHpURDBzckdB
UjVGcHkyR3V6VHVMbXc4c21ob1lSMDRWeW44ClgzRXhLY2RYN2hleDNLWHoyeXVm
T2xJMlNZMml2NGZDNmlQWGp6RXJRQ1EKLS0tIGNmK0lGdjRLM3l4S3JVazZ0MkFU
SzZOMFNvcGZRcjJsU242cnZ4NU9OZmcKxlRdhZlXP4KQBHFLFt195H5R33hLuQ0O
bVHtQk00IZmMPq4R4aOc0WMkuJxcFaLi0YDQigcFtReSvWDhTHns7A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBua0cvc21qeFp4d1NZZ0Vw
aWhldXVjUm1wSmJPdnpZV1JvTVowSWw4RVU0CngzUWkrcXA1TkpZN1M4QVBCS0pX
Z0w5aURoQU9Xck1RckNsRTlGeWk2N2cKLS0tIFlSdG05V2l6eStURDJVTXEzc0Zh
U2tFemF1djFGeVFQYWg5NjFhdW13Vm8K/QztsuBUcmJNBta3R7uYHGzqKOCRus3s
bFd2AOC0PNqvAe8e5q2XYf87MUt/U6AaFjroaDpoC3IUI2+qLJDXDA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkcUVib2tsd3lNS0VmOGNS
WWR6NDE5RWw3bStqVjRtdWFSM1E2QUp2cEg0Cm0zdjE3eVpUS3M1L241akM3cyta
WGVFVGtQVnQ1d2U1QVRSYXE1YUYrTU0KLS0tIGRTK29EdzVka3hmaFIrSnVUQ1c5
c0YxcWZIRHRxZEVjVk9MckJMVisyS28KGH6+9IXIBeXrrZ3AoL3zU1v6EA5TNwN5
8DgPO9+yfVesZiEJ0MNhs6tXAA4ODInpU1CUdsjKWRA6/QXBbmEUQw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLS0RnMDNOZzBIZzF4VG1R
T083bXFOdE1JSzl0SE1SUGlxdnFFQVluWVgwCnRLMThOSU45RTRFMVZybm9YV01n
K1pCMThGUFhMMzZhUEszRlZlK2FoQXcKLS0tIHdJRGw4aEU5UkgrU3ZEZXl4bDhi
dCtIVkdSWmg1dGNzNmhjZDBiWUJVWkEKSZySabmhM3HDXdduzFGAbOPR6m1CjwWb
ttMA9hTvl+T/UqYjxSHj8hmsyTfDY7a4sfHaFcMBJMJrjuEllm/L9g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYmF6cm5xUHVKMWw3MHJD
cWsvZTNWUjRZNDQxbFdDWGh5dUpCc2lGTTNjCm1uV0FCVEgxOG5WbXJUdXlkYTZW
KzFzaDNma3RJWEtlUmFHNGxNVUFKN28KLS0tIFFCSi82Q3EvV01UeHg4bG96K1Jm
S2JrZlcwcGsrTzdFTDlHcktJd0hmUVUKt0W/8r+L1m25kHKbh5RcweKbl4JB5xqX
DYUhUW1Rh1EI63CgVzriz4HZjuNGiuqG9cFv72wIg9Hl2lBPpkC4LQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQYUtHY1djWno1MG1zQTRB
ZHNjbitQbTUwVjFkZWtHU0gwUFFMTTIrQUVZCkUwd3UrbmpyMndXcVl6MEFsSktX
L1ZBM2ZPbGMycXd0MDRyWGI1SHh2NVkKLS0tIHFKcS82cUJYZ2V6dHJ6djJSajFy
RkIzYUI3dUZjenpxRnplOTZKZmhoS0kKDw9Zuf57k+MAINMReYcCN1DoTtFMgKGJ
CWwkNN59Ojgz757xS+2cmK6oxAkDRcN+KZc3sANdj0LY//rXq/UJgw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-25T14:03:57Z"
mac: ENC[AES256_GCM,data:RBf3LjVNSclsPN7I4QPaDUjWbKlaccjk3rzsRNdRe3+OvJSd7MsS9RfpUFCqUtO7ZkkocXHmkHA8z8LNxs6vejT9czMsLLQD14qHZS6fFdTnToOx3Kt5UuviPO/2UryVI+6HWORkH1aqFJhzkSMop2TO5mzuOTfbCEBLYUUuS6s=,iv:NQs8O1hIbjzGBTZo+gCuisj3edraFGk/Y146HmfPmQY=,tag:4g9IXw2UFC5V9EIHuWJqdA==,type:str]
pgp:
- created_at: "2026-02-07T21:15:24Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYARAAsIJXQn91VrFoSuu0ppgC79T2juR6mA7H5Z2NSGypbild
BsNPlWy+q8rpctGkria2Jm37Wz8Qu+sUNQ8Y2w6Z8Bv+M5tks62wc7qBjJkcZKmw
IjumrbsEmKQsZKS2YzGFcTjuwpBTGnACAMjUTz1rqnRcaq4U8Wqfi+mmf81yRSnR
F0emN015EmGCAUQYD6YRFMAw0PGbP3HiQrXQxdmv8zObbCg9d3+ZozurqFO2RmB4
SeZIUEtxgVDuMsr87AmHgbCr8Ux9eZmHU0qv+ejgbnXE7/MaUbppa1gy3RdcwHqG
DaETVa6YLUQqP9GOuTVy4gVr3AHtaGwMYRz30gjgQuoGUlQOG1U38PRtqe/94iHF
1lo14e31BSfHTnv66vupvWdfDXZme/1rOBJw0lM8Q+wHHJrr3mKmiLus85bJsMD7
M4Cn+5n3lE4kSrup8Y5fOsYSwq1WM9GYUfkVR+x2eHNmNdXLVHS0No6kA2TpKeqg
zbTyL59i+VBPfANCPehVYxFv7JM9pTFYQXDzMEAJcFerWBmB70HUoYXPZxeDEpiC
6seUT9lXM733QGbxwZLXRhXX4sDhJ7rMQJOvrxSvVDhiJx+Arqhz5srM8FlQHdjG
kfC507phCarRqXoef55G4trYjrr3zf+sWHRnPuh1IdFch3U+2CMrBUZIRU+C1nXS
XgHnubHvfLECTWfeEZUQvZaTtio1K3NSWqv/KBivBBRMfNI20A5erQXnocCYXB7o
RYisThHMQomNI7bT8vbf5/N/xlqEra5par0SDX16jl4FuU6dgKRuQ3SrpzFjQTA=
=ySHN
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.11.0

8
topology/default.nix
View File

@@ -228,7 +228,7 @@ in {
(mkConnection "demiurgen" "eno1")
(mkConnection "sanctuary" "ethernet_0")
(mkConnection "torskas" "eth0")
(mkConnection "skrot" "enp2s0")
(mkConnection "skrott" "eth0")
(mkConnection "homeassistant" "eth0")
(mkConnection "orchid" "eth0")
(mkConnection "principal" "em0")
@@ -270,4 +270,10 @@ in {
interfaces.ens18.network = "pvv";
};
nodes.bakke = {
guestType = "openstack";
parent = config.nodes.stackit.id;
interfaces.enp2s0.network = "pvv";
};
}

8
values.nix
View File

@@ -32,6 +32,10 @@ in rec {
gateway = pvv-ipv4 129;
gateway6 = pvv-ipv6 1;
bakke = {
ipv4 = pvv-ipv4 173;
ipv6 = pvv-ipv6 173;
};
bekkalokk = {
ipv4 = pvv-ipv4 168;
ipv6 = pvv-ipv6 168;
@@ -77,6 +81,10 @@ in rec {
ipv4 = pvv-ipv4 234;
ipv6 = pvv-ipv6 234;
};
skrott = {
ipv4 = pvv-ipv4 235;
ipv6 = pvv-ipv6 235;
};
skrot = {
ipv4 = pvv-ipv4 237;
ipv6 = pvv-ipv6 237;