diff --git a/.sops.yaml b/.sops.yaml index 10a2a063..da533b8f 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -6,6 +6,7 @@ keys: - &nas age1c7y687sxh428wk34s8ws6kemu62mggafpt40rmanevgkuj5xa59q6f7tlc - &instance-20221213-1915 age1elra3uklw8rmwkevqms2l4tsd06d5utqda9d2w4qvqpz898uzuesugxkhc - &vf2 age1gtezxkkfhpkv788x9dek6s6s342n9tkl40zvsa48m9a7yqn25fnsmd3wy0 + - &rainbow-resort age12ermm5afdu7a3humlf5wlun5rjm33u6tvzu06l7s8u59h0qd0yxs5mgjuh creation_rules: - path_regex: secrets/shared\.yaml$ key_groups: @@ -16,6 +17,7 @@ creation_rules: - *nas - *instance-20221213-1915 - *vf2 + - *rainbow-resort pgp: - *lotte - path_regex: secrets/nixos-8gb-fsn1-1\.yaml$ @@ -51,6 +53,7 @@ creation_rules: - age: - *nutty-noon - *thinkrac + - *rainbow-resort pgp: - *lotte - path_regex: secrets/instance-20221213-1915\.yaml$ @@ -65,3 +68,9 @@ creation_rules: - *vf2 pgp: - *lotte + - path_regex: secrets/rainbow-resort\.yaml$ + key_groups: + - age: + - *rainbow-resort + pgp: + - *lotte diff --git a/config/default.nix b/config/default.nix index 79c2c147..404eb89a 100644 --- a/config/default.nix +++ b/config/default.nix @@ -10,7 +10,6 @@ ./users/root.nix ./nix.nix ./sops.nix - ./wireguard ./home.nix ./services/restic.nix ./specialization.nix @@ -48,7 +47,6 @@ ]; listenAddress = "0.0.0.0"; }; - networking.firewall.interfaces."wg0".allowedTCPPorts = [config.services.prometheus.exporters.node.port]; environment.pathsToLink = ["/share/zsh"]; @@ -80,7 +78,6 @@ key = "ssh/builder_id_ed25519"; path = "/home/darkkirb/.ssh/builder_id_ed25519"; }; - networking.nameservers = ["fd0d:a262:1fa6:e621:b4e1:08ff:e658:6f49" "fd0d:a262:1fa6:e621:746d:4523:5c04:1453"]; programs.ssh.knownHosts = { "nas.int.chir.rs".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhao1I1Kd1gK5bERUdjMxP9yHDrSHYZsTN2TcSk0K/U"; diff --git a/config/installer.nix b/config/installer.nix index 1a92f39c..409ca7c6 100644 --- a/config/installer.nix +++ b/config/installer.nix 
@@ -2,8 +2,5 @@ imports = [ "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix" ]; - networking.wireguard.interfaces."wg0".ips = [ - "fd0d:a262:1fa6:e621:6ec2:1e4e:ce7f:d2af/64" - ]; networking.hostId = "8425e349"; } diff --git a/config/instance-20221213-1915.nix b/config/instance-20221213-1915.nix index ff49a155..3508deba 100644 --- a/config/instance-20221213-1915.nix +++ b/config/instance-20221213-1915.nix @@ -27,6 +27,7 @@ ./services/heisenbridge.nix ./services/uptime-kuma.nix ./services/matrix-sliding-sync.nix + ./wireguard ]; boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"]; diff --git a/config/nas.nix b/config/nas.nix index af959307..6345a195 100644 --- a/config/nas.nix +++ b/config/nas.nix @@ -71,7 +71,6 @@ fsType = "vfat"; }; - networking.wireguard.interfaces."wg0".ips = ["fd0d:a262:1fa6:e621:bc9b:6a33:86e4:873b/64"]; environment.etc."sysconfig/lm_sensors".text = '' # Generated by sensors-detect on Sun Apr 24 08:31:51 2022 # This file is sourced by /etc/init.d/lm_sensors and defines the modules to @@ -111,15 +110,6 @@ ]; nix.daemonCPUSchedPolicy = "idle"; nix.daemonIOSchedClass = "idle"; - networking.wireguard.interfaces.wg0.peers = [ - # nutty-noon - { - publicKey = "YYQmSJwipRkZJUsPV5DxhfyRBMdj/O1XzN+cGYtUi1s="; - allowedIPs = [ - "fd0d:a262:1fa6:e621:47e6:24d4:2acb:9437/128" - ]; - } - ]; system.stateVersion = "22.05"; home-manager.users.darkkirb = import ./home-manager/darkkirb.nix { diff --git a/config/nix.nix b/config/nix.nix index 71955519..e12bbc80 100644 --- a/config/nix.nix +++ b/config/nix.nix 
@@ -102,6 +102,32 @@ ]; } ]) + (mkIf (config.networking.hostName != "rainbow-resort") [ + { + hostName = "build-rainbow-resort"; + systems = [ + "armv7l-linux" + "powerpc-linux" + "powerpc64-linux" + "powerpc64le-linux" + "wasm32-wasi" + "riscv32-linux" + "riscv64-linux" + ]; + maxJobs = 16; + speedFactor = 1; + supportedFeatures = [ + "kvm" + "nixos-test" + "big-parallel" + "benchmark" + "gccarch-znver2" + "gccarch-znver1" + "gccarch-skylake" + "ca-derivations" + ]; + } + ]) (mkIf (config.networking.hostName != "vf2") [ { hostName = "build-riscv"; diff --git a/config/nixos-8gb-fsn1-1.nix b/config/nixos-8gb-fsn1-1.nix index 02953c3a..8c373efd 100644 --- a/config/nixos-8gb-fsn1-1.nix +++ b/config/nixos-8gb-fsn1-1.nix @@ -33,6 +33,7 @@ ./services/shitalloverme.nix ./services/wordpress.nix ./services/initrd-ssh.nix + ./wireguard ]; boot.initrd.availableKernelModules = ["ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod"]; diff --git a/config/nutty-noon.nix b/config/nutty-noon.nix index b5adfd8c..3a0b177a 100644 --- a/config/nutty-noon.nix +++ b/config/nutty-noon.nix @@ -85,8 +85,6 @@ system.stateVersion = "21.11"; - networking.wireguard.interfaces."wg0".ips = ["fd0d:a262:1fa6:e621:47e6:24d4:2acb:9437/64"]; - services.xserver.videoDrivers = ["amdgpu"]; environment.etc."sysconfig/lm_sensors".text = '' @@ -114,17 +112,7 @@ hardware.enableRedistributableFirmware = true; nix.daemonCPUSchedPolicy = "idle"; nix.daemonIOSchedClass = "idle"; - networking.wireguard.interfaces.wg0.peers = [ - # nas - { - publicKey = "RuQImASPojufJMoJ+zZ4FceC+mMN5vhxNR+i+m7g9Bc="; - allowedIPs = [ - "fd0d:a262:1fa6:e621:bc9b:6a33:86e4:873b/128" - ]; - endpoint = "192.168.2.1:51820"; - } - ]; - + nix.settings.system-features = [ "kvm" "nixos-test" diff --git a/config/programs/builders.nix b/config/programs/builders.nix index f19f12c2..c6565afb 100644 --- a/config/programs/builders.nix +++ b/config/programs/builders.nix 
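Review bot: The `supportedFeatures` list of the new `build-rainbow-resort` entry stops at `gccarch-znver2`, `gccarch-znver1` and `gccarch-skylake`, while the host's own `nix.settings.system-features` in config/rainbow-resort.nix and the machines line in config/services/hydra.nix also advertise `gccarch-znver4`, `gccarch-znver3` and `gccarch-skylake-avx512`. Clients using this entry would presumably never offload derivations that require those features. The `systems` list also omits `x86_64-linux` and `i686-linux`, which the hydra line includes; if that is deliberate, a comment such as `# native x86 builds are not offloaded from here, only the emulated systems` would record it. Defining the systems and feature lists once and referencing them from all three places would stop them drifting apart. The enclosing list starts and ends outside the hunk.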
@@ -16,6 +16,13 @@ port = 22; user = "remote-build"; }; + "build-rainbow-resort" = { + hostname = "rainbow-resort.int.chir.rs"; + identitiesOnly = true; + identityFile = "${config.home.homeDirectory}/.ssh/builder_id_ed25519"; + port = 22; + user = "remote-build"; + }; "build-aarch64" = { hostname = "instance-20221213-1915.int.chir.rs"; identitiesOnly = true; diff --git a/config/rainbow-resort.nix b/config/rainbow-resort.nix new file mode 100644 index 00000000..8fcf5aa9 --- /dev/null +++ b/config/rainbow-resort.nix 
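Review bot: No host key is pinned for `rainbow-resort.int.chir.rs` anywhere in this commit, although the `programs.ssh.knownHosts` block visible as context in config/default.nix pins keys for other hosts such as `nas.int.chir.rs`. Unless an entry exists outside the visible hunks, the first connection to `build-rainbow-resort` either fails host-key verification or falls back to trust-on-first-use for a machine that will run builds. Add the key next to the existing ones, e.g. `"rainbow-resort.int.chir.rs".publicKey = "ssh-ed25519 <HOST_PUBLIC_KEY>";` (placeholder, to be taken from the machine itself). The machines line in config/services/hydra.nix also leaves its optional host-key field unset, so it relies on the same known-hosts data. The attribute set this entry belongs to starts and ends outside the hunk.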
@@ -0,0 +1,104 @@ +{ + config, + pkgs, + modulesPath, + lib, + nixos-hardware, + ... +}: { + networking.hostName = "rainbow-resort"; + networking.hostId = "776736c6"; + + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ./systemd-boot.nix + ./desktop.nix + ./services/tpm2.nix + nixos-hardware.nixosModules.common-cpu-amd + nixos-hardware.nixosModules.common-gpu-amd + nixos-hardware.nixosModules.common-pc-ssd + ./users/remote-build.nix + ]; + hardware.cpu.amd.updateMicrocode = true; + boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "k10temp"]; + boot.initrd.kernelModules = ["amdgpu"]; + boot.kernelModules = ["kvm-amd" "i2c-dev" "i2c-piix4"]; + boot.extraModulePackages = [ + config.boot.kernelPackages.zenpower + ]; + services.hardware.openrgb = { + enable = true; + package = pkgs.openrgb-with-all-plugins; + motherboard = "amd"; + }; + + boot.kernelPackages = lib.mkForce (pkgs.linuxPackagesFor pkgs.linux_xanmod_latest); + + fileSystems."/" = { + device = "/dev/disk/by-uuid/23690ff2-7a65-431e-a6ee-fea0878e0bb1"; + fsType = "btrfs"; + options = ["compress=zstd"]; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/B6BA-BE40"; + fsType = "vfat"; + }; + + services.btrfs.autoScrub = { + enable = true; + fileSystems = ["/"]; + }; + services.snapper.configs.main = { + SUBVOLUME = "/"; + TIMELINE_LIMIT_HOURLY = "5"; + TIMELINE_LIMIT_DAILY = "7"; + TIMELINE_LIMIT_WEEKLY = "4"; + TIMELINE_LIMIT_MONTHLY = "12"; + TIMELINE_LIMIT_YEARLY = "0"; + }; + services.beesd.filesystems.root = { + spec = "/"; + hashTableSizeMB = 2048; + verbosity = "crit"; + extraOptions = ["--loadavg-target" "5.0"]; + }; + + networking.interfaces.enp13s0.useDHCP = true; + + system.stateVersion = "23.11"; + + services.xserver.videoDrivers = ["amdgpu"]; + + nix.settings.cores = 16; + boot.binfmt.emulatedSystems = [ + "armv7l-linux" + "powerpc-linux" + "powerpc64-linux" + "powerpc64le-linux" + "wasm32-wasi" + "riscv32-linux" + 
"riscv64-linux" + ]; + hardware.enableRedistributableFirmware = true; + nix.daemonCPUSchedPolicy = "idle"; + nix.daemonIOSchedClass = "idle"; + + nix.settings.system-features = [ + "kvm" + "nixos-test" + "big-parallel" + "benchmark" + "gccarch-znver4" + "gccarch-znver3" + "gccarch-znver2" + "gccarch-znver1" + "gccarch-skylake" + "gccarch-skylake-avx512" + "ca-derivations" + ]; + + services.tailscale.useRoutingFeatures = "client"; + home-manager.users.darkkirb._module.args.withNSFW = lib.mkForce true; + system.autoUpgrade.allowReboot = true; +} diff --git a/config/rpi2.nix b/config/rpi2.nix index 3ef67a72..a1088eee 100644 --- a/config/rpi2.nix +++ b/config/rpi2.nix @@ -12,7 +12,4 @@ _: { system.stateVersion = "21.11"; home-manager.users.darkkirb = import ./home-manager/darkkirb.nix false; nix.settings.cores = 4; - networking.wireguard.interfaces."wg0".ips = [ - "fd0d:a262:1fa6:e621:6a74:93b8:e164:cd7c/64" - ]; } diff --git a/config/services/cups.nix b/config/services/cups.nix index 48d7850d..8fe06596 100644 --- a/config/services/cups.nix +++ b/config/services/cups.nix @@ -22,8 +22,6 @@ publish.enable = true; publish.userServices = true; }; - networking.firewall.interfaces.wg0.allowedUDPPorts = [631]; - networking.firewall.interfaces.wg0.allowedTCPPorts = [631]; #imports = ["${nixpkgs}/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix"]; hardware.sane.enable = true; diff --git a/config/services/hydra.nix b/config/services/hydra.nix index 48b0e66d..b3fb50eb 100644 --- a/config/services/hydra.nix +++ b/config/services/hydra.nix 
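Review bot: `system.autoUpgrade.allowReboot = true;` at the end of the new file lets an unattended upgrade reboot this machine at any time, yet the same file makes it a desktop (`./desktop.nix`) and a remote builder (`./users/remote-build.nix`, plus the hydra machines entry elsewhere in this commit). A reboot in the middle of a session or a long build discards that work. Bounding it with `system.autoUpgrade.rebootWindow = { lower = "02:00"; upper = "05:00"; };` (example times) keeps automatic patching while making the interruption predictable. Whether `system.autoUpgrade.enable` is set is not visible in this diff, so this matters only if a shared module turns it on.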
@@ -93,7 +93,6 @@ in { "/run/hydra-machines" ]; }; - networking.firewall.interfaces."wg0".allowedTCPPorts = [9199]; nix.settings.allowed-uris = ["https://github.com/" "https://git.chir.rs/" "https://darkkirb.de/" "https://git.neo-layout.org/" "https://static.darkkirb.de/" "https://gist.github.com/" "https://git.kescher.at/" "https://akkoma.dev/" "https://gitlab.com/" "https://api.github.com/" "https://git.sr.ht/"]; sops.secrets."services/hydra/gitea_token" = {}; sops.secrets."services/hydra/github_token" = {}; @@ -123,8 +122,8 @@ in { Type = "oneshot"; }; script = '' - if ${pkgs.iputils}/bin/ping -c 1 nutty-noon.int.chir.rs; then - echo "build-pc armv7l-linux,powerpc-linux,powerpc64-linux,powerpc64le-linux,wasm32-wasi,x86_64-linux,i686-linux,riscv32-linux,riscv64-linux - 16 1 kvm,nixos-test,big-parallel,benchmark,gccarch-znver2,gccarch-znver1,gccarch-skylake,ca-derivations -" > /run/hydra-machines + if ${pkgs.iputils}/bin/ping -c 1 rainbow-resort.int.chir.rs; then + echo "build-rainbow-resort armv7l-linux,powerpc-linux,powerpc64-linux,powerpc64le-linux,wasm32-wasi,x86_64-linux,i686-linux,riscv32-linux,riscv64-linux - 16 1 kvm,nixos-test,big-parallel,benchmark,gccarch-znver4,gccarch-znver3,gccarch-znver2,gccarch-znver1,gccarch-skylake,gccarch-skylake-avx512,ca-derivations -" > /run/hydra-machines else rm -f /run/hydra-machines fi diff --git a/config/services/loki.nix b/config/services/loki.nix index d3f75405..6e58332e 100644 --- a/config/services/loki.nix +++ b/config/services/loki.nix @@ -3,5 +3,4 @@ _: { enable = true; configFile = ./loki.yaml; }; - networking.firewall.interfaces."wg0".allowedTCPPorts = [3100]; } diff --git a/config/services/matrix-media-repo.nix b/config/services/matrix-media-repo.nix index 9dc8cbeb..a4968e8e 100644 --- a/config/services/matrix-media-repo.nix +++ b/config/services/matrix-media-repo.nix 
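Review bot: The machines line written to `/run/hydra-machines` in the second hunk is positional and undocumented, so the meaning of `- 16 1` and the trailing `-` has to be looked up every time the line is edited. A Nix comment above `script`, e.g. `# machines file fields: uri systems sshKey maxJobs speedFactor supportedFeatures mandatoryFeatures`, would make changes like this one easier to check against the `maxJobs`, `speedFactor` and `supportedFeatures` values in config/nix.nix. The surrounding service definition starts and ends outside the hunk.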
@@ -102,7 +102,6 @@ }; }); in { - networking.firewall.interfaces."wg0".allowedTCPPorts = [9000]; systemd.services.matrix-media-repo = { description = "Matrix Media Repo"; after = ["network.target"]; diff --git a/config/services/postgres.nix b/config/services/postgres.nix index ecad88d4..ec5d0f7a 100644 --- a/config/services/postgres.nix +++ b/config/services/postgres.nix @@ -21,5 +21,4 @@ user = "postgres"; listenAddress = "0.0.0.0"; }; - networking.firewall.interfaces."wg0".allowedTCPPorts = [9187 5432]; } diff --git a/config/services/rspamd.nix b/config/services/rspamd.nix index 29b3d2d2..440f1e44 100644 --- a/config/services/rspamd.nix +++ b/config/services/rspamd.nix @@ -194,11 +194,5 @@ sops.secrets."services/rspamd/dkim/darkkirb.de" = {owner = "rspamd";}; sops.secrets."services/rspamd/dkim/miifox.net" = {owner = "rspamd";}; sops.secrets."services/rspamd/dkim/chir.rs" = {owner = "rspamd";}; - networking.firewall.interfaces."wg0".allowedTCPPorts = [ - 11332 - 11333 - 11334 - 7980 - ]; services.prometheus.exporters.rspamd.enable = true; } diff --git a/config/services/syncthing.nix b/config/services/syncthing.nix index 2fba6aea..e801f0bb 100644 --- a/config/services/syncthing.nix +++ b/config/services/syncthing.nix @@ -3,7 +3,6 @@ _: { enable = true; guiAddress = "[::]:8384"; }; - networking.firewall.interfaces."wg0".allowedTCPPorts = [8384]; networking.firewall.allowedTCPPorts = [22000]; networking.firewall.allowedUDPPorts = [22000]; } diff --git a/config/thinkrac.nix b/config/thinkrac.nix index 0abd851a..270f2fe5 100644 --- a/config/thinkrac.nix +++ b/config/thinkrac.nix @@ -66,9 +66,6 @@ networking.interfaces.enp0s31f6.useDHCP = true; system.stateVersion = "23.11"; - networking.wireguard.interfaces."wg0".ips = [ - "fd0d:a262:1fa6:e621:f45a:db9f:eb7c:1a3f/64" - ]; services.xserver.videoDrivers = ["modesetting"]; nix.settings.cores = 4; diff --git a/flake.nix b/flake.nix index 5ee79d24..fd925393 100644 --- a/flake.nix +++ b/flake.nix 
@@ -141,6 +141,10 @@ rec { name = "vf2"; # VisionFive 2 system = "riscv64-linux"; } + { + name = "rainbow-resort"; # PC + system = "x86_64-linux"; + } ]; in rec { nixosConfigurations = builtins.listToAttrs (map diff --git a/secrets/desktop.yaml b/secrets/desktop.yaml index 43c5ad33..52964627 100644 --- a/secrets/desktop.yaml +++ b/secrets/desktop.yaml 
@@ -12,33 +12,42 @@ sops: - recipient: age1c96dd2hj7qg7sl8wq277q7a4na36krd4dmu50jz5mvw4ls9grcps28zhdl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqS3o2NHF2Y21Tb1N2YTQ0 - UzEwa0FGSXdtbjVBcWppcHZhd2VJRkJrUHlBCmR0bm9xSmVDa1NOQWpaR0JBR3Ev - ZjV2L3RSamYrbGxQejdUREpkYllqR3cKLS0tIGxtMGx6ZVh1N1hUa2thTVZPUyt5 - Q3pwaklpQVlFcHpkM3lVK3V3RUhPYU0KLC4ORcsWbnxYNvkYU8WgAmobQpvli/yE - MaMpi/+NCMUSl+XmMZtZaymd/Q0PjUpgk1yYU+8xsF4QUIoAMqW+xQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNQldpaEVWdVRraGQvdTVU + NmN4Mm9QVjR5SHR3QWh1OThORDF3cEJIc2xrCjBMU2NDZmpmMnFjYlNVYVRSRGlx + U3dOdWJydTJQRzJLWUVHd00wSUJBVzgKLS0tIEd1OGVkTFhYRHUrYkFKWEp4ek9J + ZzJTMU5xaEd3Yiszd3NVTE1lYm9vMGcKF10r02Mw4oL1s5u265w1x+cXR2fLK4fD + facGJ8oC8o/RmOeyMOfhhAitPhsumZ871i51A1ZCm3Em8gjotQ/ZFA== -----END AGE ENCRYPTED FILE----- - recipient: age1p400545a482fma40yfgytu40p6wr5a75v4f8yeudvgf7eh5erufqxhgynr enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0c1ZYR3ZGSlR2NzZPSmhS - YTI1RzZyOTdpK1NBU1JnbUFiMTBaM0kvaWtJCmV5TTFRQ1Jiay9RWDBDU2x1SFVt - ZmJCVy9aQS9PZnd5Wi96b29LdVhjL0EKLS0tIFRibjFJb0IwbUtJdGVKdkhieUhm - MUUrUGxLT3R6SXAzam5xU1o0OXl2b0kKa2ehWbXLaQFTSDrtR7WXhLccInrwfLLn - SLgCulAbTe9NKnbyhIQ+WRr8v1jC+XOTi+1k/6I+H7v6s4W8ZA7dOg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4SmxrMm1Lc0FWTHl6SGdt + aVZ0RCt1NHlxN2ErWnVmV3FncUFUV2ZnRWpRCjBUL1RiMVZ5MlJxZGJyNXpBM0Jh + K21CRWN4blZCaHpVbThTK1VZWVBrS2cKLS0tIGVDSCtDVnNQZE05U2VKVjJnNXQy + c1BpSVZicTVxcVVCZE12M2NhQmRzdlUKf4waPVRIV8Zuh4QuzmcPOJ1psHVuHGzX + 20L6UQqs4wOlKvB5NFTEfIoGOnABwLdzyVpF1OLNKdRzlK2I8V6keA== + -----END AGE ENCRYPTED FILE----- + - recipient: age12ermm5afdu7a3humlf5wlun5rjm33u6tvzu06l7s8u59h0qd0yxs5mgjuh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnY0g4QXFSWmppc285ZEVL + eEF4NDVaYVJvdlNNeUNhYlBBTUpnb05NTGtjClg4c0FDOU1yOFNwME01RFVvYWpK + andBOTRFN3JGSmFxSFRCWG4zcFlVYmMKLS0tIE05N0ZZaG0xenNzbHJlTnBtSnNk + 
bEZTbC8vVnhNL1BQWEZWYXRrTm9UMzAKSfgQ1ArK/ryEeD4qLI9nLN77V7UHEpio + IqtZUluSwQJuH6C8OKzrZOGOTCYo3RrhTItDTzqU5b/SAAoSJkGJnQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-01T11:21:31Z" mac: ENC[AES256_GCM,data:yanyvQWXf3Yj78uyhiEjdsAJdWx56/6YwnSR9knSIcQAWZ4guKEtl86wTcJZHyt7P7lsMI+z2rsGdQ/pGRIJeUoPzW0ImrGGm3rlXn75aH0jDeSk1qlxLc4dDDxwPDeSI0/QsTsENRW/Vf3/z8xiSHPUwBfDmRqTqwZ0b2vOwZc=,iv:idWdv2m7nUUZDmrNhL97BJn9Tm+fX7y2hG4RJBXffGU=,tag:ns1OrwzupAd6608pGovkrg==,type:str] pgp: - - created_at: "2023-11-29T14:41:45Z" + - created_at: "2023-12-06T12:54:16Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DAAAAAAAAAAASAQdAb/lR5TvzggwycCA16xc7tLycuOwCKmlInHp9MHfHTmkw - GiwTHbOOCqP4pV2Qo76hWNMzO961XZT5PxuFhM0U7cC6z3WaejQAAep39JUzds1P - 0lwBQhceDlbVdA3XJ+6RuzovhhiIPG9U/h1NcEbSgNRV4t0IAaOJY/98GI1unZf4 - vVUzes9Q08dbkT40RSGxi4m3EdSOXTRadffvRBRo2bq3AJIdFMVsQUZ3sE5h0w== - =eY/P + hF4DAAAAAAAAAAASAQdACsbftZkLgxiWbSGQPwgSO/JJqeQyG803rkkGUvnTbQAw + 27+8v2JsGsSk4LEm8ZMKX0UIE9EeXgRicjZ+BeJvHYT1EvESubyhH4Y/9MrH3aCw + 0lwBntz8MNeIE7MjweHgM7BKz9C6jBA87SXXFcb6uwH9MMUlqs7NFteDcFe71Uwm + 4Ds+SwFg57K8RImA/qmU5ACw4NigrinRaPSqLy8zEPZNrUCLeKYgvAgeVeCLoQ== + =3hgf -----END PGP MESSAGE----- fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD unencrypted_suffix: _unencrypted diff --git a/secrets/rainbow-resort.yaml b/secrets/rainbow-resort.yaml new file mode 100644 index 00000000..c2f79ee0 --- /dev/null +++ b/secrets/rainbow-resort.yaml 
@@ -0,0 +1,40 @@ +security: + restic: + password: ENC[AES256_GCM,data:hjOOc6TZR1U8Nv9UdKDABnz4Iqg=,iv:95CAyDS2hSEsZysvhzY32pVmKtBZ3rMTRJLed7KIHZw=,tag:hdFqZdUkcQ+R0PcCkqF1jg==,type:str] +email: + lotte@chir.rs: ENC[AES256_GCM,data:5mwX4V/e1A12VCaYhTpmYs2f+Q==,iv:AhCmjzZDDB3n9H2PKxnyLJU8nu1zmDLWne3nedYNgkQ=,tag:L9nBbJqj0G5Lm5wYgNw5pA==,type:str] + mdelenk@hs-mittweida.de: ENC[AES256_GCM,data:q/ay3nCIiobmyoZf9gyV1lEm/YAjJLWkw9yeesCxVHRJ6/isBHIBpBj5Y+Z6qQ32zDVCO4EYa2oPNWSiessOsQ==,iv:Hux4GbI0DLuo5tKg5o47ob+zlLjJwsPe0N5MpD85kqc=,tag:olARO7mLklXHqtxdetXwUg==,type:str] +password: + root: ENC[AES256_GCM,data:NLyFpKA2YgH/lfX7rdxjV7JckSaQ9vUutf7BcTXBskMRoi3oDGoMHnaLT9hhSfrp0xM3qDZWKyuVRq2bYf1JKrFnQe2btoZQj3NPxgIojNF9Eys5BFTp78eBxsB+AqqUg1LLzhIi47EDow==,iv:xtj6j7SyguvUqKhqvqFTyTQ6XpcLVpIGOJBt6N4CrL8=,tag:7A0DTcGZim4+IjIW5XO3Mg==,type:str] + darkkirb: ENC[AES256_GCM,data:d82Q/Ew17WJK/qafVt8R1517ECOuGf1XaVzH7IqmyivZSVyXSTi2Wr43kV0P66FaponFN/ZvUL8YsghiepKxNVen/vqqJuI2R7aYApHH3RkbawCVperoj4rQlPeiHThuQEXTQDUX9W0ZlA==,iv:XuRk2NPyBEMZ9vaudLI6kQum0GM2PkVjWWovoabAnaw=,tag:F5iM9TeqV8/qlyMTkeJgfQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age12ermm5afdu7a3humlf5wlun5rjm33u6tvzu06l7s8u59h0qd0yxs5mgjuh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dDlwckJVbkU5QVZPbXJm + c1lpSTFDRmNWaVRqZkZyWk53TWJ3WVBBVFRrCkVWcnlXV0pkNXlvaDRIYUs4NUVl + QktiSnVlSWQ3a3VGeDNoZHdMOGdxY0UKLS0tIGxSSSt6OXRpdUJidlBlM1NCdW1Y + RGFCVVBLc3hwS1JnZWhVZ01HMEUxQ2cKz0bEhJuK0pTginAQLAG/Qzr3MxplHtsx + tQbqJwbmIGanbWMxO2Mfe81qwgAzKuFt/JYT/Dp0VxIokyk7KEueMQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-06T12:55:55Z" + mac: ENC[AES256_GCM,data:DpdvYGNexaRCcy2Vdvj5u4EpYdbMJXzZW6qOx4bgMnhJyH9pkU5ZtbKH4DMDAiY+4uI8mx2TcW8t40+pW43Pag7IXGeX0en00aeygnLYLHtTsSgEn1/26nrCu0o/sLqLYP5mrj7OUYUoaYBUaqjXn0MVpBuN9L5weiZvqruMjFg=,iv:i7U+Pia6QLVccv6SupYfssDHl51k1o4tHCsYohfUR34=,tag:/MZDc8WRRLmid2yd7Js3tw==,type:str] + pgp: + - 
created_at: "2023-12-06T12:55:39Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DAAAAAAAAAAASAQdASM6Ctv5DiKZC2o9BoyjLHPp4C/XZTRTLVZ77hcPV1wEw + 2egg59Gu4iU3v33LqyMdo8imytfADHT3FvbU8+Cx96CHBhsZ2MJF6SN0rhrXcJNo + 0lwBe7Xb4k/IBN/XAixZVa0fTkYTXq40blAWIHDGq+UYkHFosleqtDbSB4B3db2S + TGPP4nryvaoeG3y+50M+qGkOYf+VWR4clmSJOnSYZyHXzsnhBS0KHgLRN4Z+nQ== + =uNYU + -----END PGP MESSAGE----- + fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/shared.yaml b/secrets/shared.yaml index ac9481d0..48b96862 100644 --- a/secrets/shared.yaml +++ b/secrets/shared.yaml 
@@ -12,69 +12,78 @@ sops: - recipient: age1273ps5thcy70ckdt0270s2nysqgu48t38pq3wq975v3y7mf4eavsw38wsl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZVVOV1BhR3pFL1FPVHVq - K3JGUXlBTVpoa2VwVWhDdGpMWDVsTmI4OXc4ClN0L2J2Q2xDZW1EYWhxM29JSHpD - YkRpR0NqdmtyY2JqbmdJODBiZlludHMKLS0tIEFxd0Q3K0t3eHVFVnllWlRVRG8w - Y3hhZFIvZndpdVNzU2R4aDZ0Y1hnWm8Klzq4jsXemJ3jsKJ5n2wNOaq1a3n0D50/ - C8ExEjn7Z3Hf57pRXxU+hJMTR3bLX8L02xXQ2eBt7vwtPKFg5gzvZQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQzBRSWdKUDBRZVBrS01r + SUVBbmFaUWtwNkVnRnBTcHltTEUrQU5jT1NzCm8xRERUNmdKNVdWc0RDL09RMkl0 + Znp1S21IbEcxZEFPSkprd1VWSXZyUFkKLS0tIE9oSmp1ZHJkeWpQL0hPVXRDOU0z + T1pNRHRpaFF2dGE5M3FMU2hkeFhmbFEK+SK14kw5i9d+S0XHzlgfS3ubN/PDMbh/ + IqAd+1p7iOJkCRKecGxSUL9CX71t21fcbXoo0hVlYjgxzvzAK231Eg== -----END AGE ENCRYPTED FILE----- - recipient: age1c96dd2hj7qg7sl8wq277q7a4na36krd4dmu50jz5mvw4ls9grcps28zhdl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzV0thMVQyb0lJSnZydml0 - UlVLSVVLbTZXbXFMVS9ScDRRVkg5bDBJUUJvCmxEcEJITGVHbUF4NkZJVUxNMWhL - U2tISC82a1NtZ2pjZUtrbi8zaE5Mc2sKLS0tIE9rRUwyS3ROaE9JSnFJaTd1NWR5 - TVhLT1lOM0didUxoNlo0SHZid3VGUDgKWIXEadsYqKqW18I9RErey/hfBypwB8yf - DLt9T4jdBb2rykwocJmA+L2DVwPE+KQkaov4wR5gwN07f7NSRCyu9g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLWkVDSmNGNkJyeEJOdHQ5 + QkNja2Z2VGxwSWcwSWJ3NlZYOE9NK0VvWkJJCm8xYWc5MWM4MmxUMmNZT2xuRXd1 + WmV1RW1Dd2puaUkzZG9XcFNXT0EvRVUKLS0tIGpEam96WU9tMzRPT3NucitESlJo + UDczaDdVVnA3MnFscVJFd2RqZlUyUVEK7rBeElH5BaqqoHLTao4o/iTLsB7TLVwO + quAtMJ9i7q1l8cmHkmMIOSZtcA6ZUSIEygk9nUJOPdFMLSTdRD7NBg== -----END AGE ENCRYPTED FILE----- - recipient: age1p400545a482fma40yfgytu40p6wr5a75v4f8yeudvgf7eh5erufqxhgynr enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUEZtL1lkRkg3VGFnbnQ0 - ZmxJV3gzZkI3YStYWmxjUW9lZ3NRakZyRkhFCmhJZUE4K2FaaUNWQzhKczRHZGww - S2ZZYU5oVThpeXlzRS9tbW9YSm9XUFUKLS0tICtUL3RTeHh4V0d0ZS9hK3FESnNk - 
MWY3N1ZySTlCUS9nTnlOS2hYTVNlSTQKIlaTOyVKR9QTQRfVWRrp3Zkqhm1JAwCx - tGHt1RGJDHeSxXwwsasm4xQWgSSQ9XJXLh+7582WYEssLB1FgcURxg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOGYyT1pDcVdPOWtMOUIw + eCtWZFRlZndwWmxTdjY0UkdyYW9ObFUvTWxFCmdJSHRSYVV4YXRRVGliWm9SUHVW + b042a3JEcjRiQVViUmw2T1plRXJtdHcKLS0tIG5LbSt3YndkaHcrUkVoOGZORmY3 + NlVad3ZYRFcrdjV0RW95eW1NTG1FRDQKPiq+H7jcjMztetSll+TwSi22fuqIERDs + 50XHR+GMkELSsDbUHKZ5Zw6bLLm5TCeB7uUTt6ntEbejk5Bl+aXxqA== -----END AGE ENCRYPTED FILE----- - recipient: age1c7y687sxh428wk34s8ws6kemu62mggafpt40rmanevgkuj5xa59q6f7tlc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUHhSWGpvUk8wQXlrRVB0 - VTVIV2NGa1d3bURZYko0N1BlQUpPeXloSHlNCnpHd2dPOWZqRkZrUW1Ed2NBZ09p - eHNVQUVrUUQwTjcvMU5ocTN5N2VWZjQKLS0tIGVEbDBIQjR2Z2cwaXkvU2ZRbDZI - YkFzL0pXcGxVcE5zcjF4TEpxQzBwYTQKbe5IUV1JXdjzAfrUrx4+gGtCdCXSlcAm - Qb/UL7asdHAjuPVttM7e3UiW/d49LwsWKb8WHJRX0rmt26lvB+Y0Kg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZUNmbklSRm80MjVjWDNt + WFI0V25GZUwrQVVkTGVyUFN3SzJuN2V4NGc0ClN5aDBFaUFQN3FvcG1uUDRkYmxw + a29YSjROcG9KRVc4bUlBMmF1blRITUUKLS0tIDRoWWM2V0lmUmtuYjdlQ3Y3V0Vj + UGJGdEE4cy9NaTVaRTVYL1FTS3ZONWMKdRy0fGqKWIrOkjn9riUJJ64hm5SOv8B8 + W7z6p6y6eFWYmDe7DUoRnJfOml0OQrgymI4+P2JyaTSfNqwSMatn+g== -----END AGE ENCRYPTED FILE----- - recipient: age1elra3uklw8rmwkevqms2l4tsd06d5utqda9d2w4qvqpz898uzuesugxkhc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAydjZQNlFtQnY4RHhRZVVh - VFBKd2YyaWxIb3crL0xpZ1pqZlhPVkFUV3d3CjdsaFJDaUlxTWE4OG5mUzBOdzI2 - RFd1cTRjeTZKMEp4bk1UUHE0VjgzdGcKLS0tIHk4Vmw3V2RDU2F2OTlON3NLS3gr - OFpBME8vY0hQV0Z5S3NpR0pySkx4K3cKxGI/3Qrw1OTQNdphEqGNLwd1U8oFlltp - U/hxnt51hQbc0EgemxZYU4Feh6sbjD3RXUeiS2sN2NRHgnNoyVfRiw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTWnJQNnhpck1SOTh6OHQ4 + azR0RHJWVUdaMXIyQ2VFbjFvZ2plZHBSM0NVCnFDMkh5dlBWdExmUzB2YzdmVmVJ + aFdXTmV6aHFLNHg0OTFlWkNteDFYRkUKLS0tIE1VUytzMEpwZmtLbDM0a0JBRWpI + 
QTFEWk1FZU5ENDF3dFQ3VWpubGpRNkEK901SZzfkueJG99+gVqcfeU6ZaErtEXUj + HfGWzLliI3LmIxoTNBZwF3bhG5MM9mGy7zKburoSAtHLVyOu1xAexg== -----END AGE ENCRYPTED FILE----- - recipient: age1gtezxkkfhpkv788x9dek6s6s342n9tkl40zvsa48m9a7yqn25fnsmd3wy0 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvaVNMTkkvWTBqWnlReTkv - dFJpMWh1UnZWZ0dHUVJERFZPSGIwRUMxbkZFCi8zWDFVM3hnV0JUVTZtYlkvaFNh - UU91SlU0M0FTeEJBTXJOSU1Va3Z6QUUKLS0tIDhjSkRNM24yTmk5Wllrem50cFZZ - clhPNmVLVGtFWCtiRWZUMU4xVUV0emcKBHSrJLwboPrDBGU3jmQ0VSgkerVkqdbn - RdyW44G7nH1GenJ7vZePeSigppsGkUkw5yzFDz0UXfH2gaP7nzoYnw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPakJPcXR3amE5SE50VUxa + WDNzWGd4R2NQQ1BUOUZMenRlNWtlYnFwSUJBCnZHUjRVR1hkcGlROTJNY2xGc1hI + Q1lLL0FucHJUeGVBOWh0RlY0L0hMUUEKLS0tIDVoMmltVXhBeW9CK3FBNEZPaEJv + bXRnMGVVTXZpTGVmcElIaFRpM0oyRW8KIExU6g3zrDxc8wl5pBuo1T2ygK7XOrd5 + lJsjCdFo5gAyIPUeR3q78KtZ146OhhFeZxk1zgf5NeDOBSZB2zWvRw== + -----END AGE ENCRYPTED FILE----- + - recipient: age12ermm5afdu7a3humlf5wlun5rjm33u6tvzu06l7s8u59h0qd0yxs5mgjuh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4aXRlWDRraWk2WWVCdXIy + N3A0Y21BRXphQmVZcklHQnpOd3ljQysvT0VRCnBDVXNGeWZMTjZ6Wm9rUkVXaDl5 + czJTdEtCWmE4Q2ozZkt5VFduQ3JlbncKLS0tIEpKTHJxUWdWQis0TlFsMi9HbkhO + MS94TGU2MHRFN3didk15SXBodkEvK0EKkeehekFssls4ZX+n41auDjRL0imXYaCH + z0Qtc5QCbXh8BOU+OOZx3BoguIImRpgMp/AQ5MMUgvLok78Qw5Oy9Q== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-06T09:11:09Z" mac: ENC[AES256_GCM,data:XujFjvx73/z+hmk4f4tRRvwl/ML25YOZw6etr0P9lhcXlYPelIrqvVLO1vmobt8TYDzngAHdHSNNlhInw00KO73luOLcQhL/1DVMqTgeMSC11ReUhd5KOZLVXOSP0+8ADLXgbGGGY8DyPnZtr1ZWa3dDIBFPt5ZD7RzWz1qKnJ4=,iv:kYPLpSrLEu9pkWw0iwqKmH6Mm8sFjAstr06mcAWnUEU=,tag:NQjXV8sHUrjU//AQJ+4E+Q==,type:str] pgp: - - created_at: "2023-11-29T14:42:03Z" + - created_at: "2023-12-06T12:54:02Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DAAAAAAAAAAASAQdAbeKleeLCw1QqnCuhwl1mOoFFTDNQYb6iGueYoOEwwlcw - 
BRZDEqKWSfgak1TGE32w7SMZUOhGb4RqskgeQozK7E8eyGEmT3YV06B9uiN9GV4B - 0l4BDWVHexK6hoAjQZgOH60Ao/DK/I90TBPnJmfPwfwqRVfSfqt0rAah+W31N9x2 - 2F/t6cwXafzglhAo7r+Esp1CzRgPDWfcIxJ+eE5fvEpinsZ0E8+D18NeGaJeWCkf - =4O3x + hF4DAAAAAAAAAAASAQdAWK9o2S/9tr0iwwu3nntRyob1qNOEzwv5IW/n8hlonxww + rn3js0kRalvmUBnJLDMfmN6qKMN9jJGkLpsUwQ3dCPNI+ksGeHSmTyhhQLFpAvTN + 0l4B2pRmouH+fvvud86etK1uar5h5LUJ3lnGb+h84/cUEaUKeQ5LCo0dpLmevduM + 8CFHrQoyovCMwv8C/wTs6UJROHxaFw2hyCvMUagrGlAkDagWekN9O59UOwXQawgF + =Ituw -----END PGP MESSAGE----- fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD unencrypted_suffix: _unencrypted diff --git a/zones/int.chir.rs.nix b/zones/int.chir.rs.nix index 9f8b134b..dbd62dc4 100644 --- a/zones/int.chir.rs.nix +++ b/zones/int.chir.rs.nix @@ -15,7 +15,7 @@ in { SOA = { nameServer = "ns1.chir.rs."; adminEmail = "lotte@chir.rs"; - serial = 26; + serial = 27; }; NS = [ "ns1.chir.rs." @@ -283,6 +283,12 @@ in { (ttl zoneTTL (aaaa "fd7a:115c:a1e0:ab12:4843:cd96:625a:5784")) ]; }; + rainbow-resort = { + A = [(ttl zoneTTL (a "100.108.224.109"))]; + AAAA = [ + (ttl zoneTTL (aaaa "fd7a:115c:a1e0::d8ac:e06d")) + ]; + }; grafana.CNAME = [(ttl zoneTTL (cname "nixos-8gb-fsn1-1"))]; minio.CNAME = [(ttl zoneTTL (cname "nixos-8gb-fsn1-1"))];