shelvacu/nix-stuff
1
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: shelvacu:restricted-inputs
Branches Tags
shelvacu:master shelvacu:doofnet shelvacu:feat-nice shelvacu:repos shelvacu:wip-2024-09-doof shelvacu:fw-experiment shelvacu:wip-2024-09-verify-system shelvacu:restricted-inputs shelvacu:liam-relay shelvacu:add-mar shelvacu:wip-commands2 shelvacu:wip-commands shelvacu:wip-devver shelvacu:wip-nod
..
compare: shelvacu:wip-commands
Branches Tags
shelvacu:master shelvacu:doofnet shelvacu:feat-nice shelvacu:repos shelvacu:wip-2024-09-doof shelvacu:fw-experiment shelvacu:wip-2024-09-verify-system shelvacu:restricted-inputs shelvacu:liam-relay shelvacu:add-mar shelvacu:wip-commands2 shelvacu:wip-commands shelvacu:wip-devver shelvacu:wip-nod

4 Commits
restricted ... wip-comman

Author SHA1 Message Date
Shelvacu
3d478c8d37 wip commands 2024-06-22 17:03:25 -07:00
Shelvacu
e052a165ec wip commands 2024-06-22 17:00:44 -07:00
Shelvacu
5a9e975723 Merge branch 'master' of git.uninsane.org:shelvacu/nix-stuff 2024-06-22 16:50:31 -07:00
Shelvacu
91d9098ae2 remove (unnecssary) common-packages 2024-06-22 16:49:44 -07:00
48 changed files with 417 additions and 2389 deletions
Expand all files Collapse all files

30
.sops.yaml
View File

@@ -1,15 +1,8 @@
shel_keys: &shel_keys
- &a age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
- &b age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
- &c age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
- &d age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
- &e age197a33mlf5294amjx59hycctu6wm4l3cu3w7n9rv3fs9340ql64rqjzpr7s
- &f age1sqj8z3feqm2dk3gj8mxpfn5dpqnsmus862e8ayd0d4cdresqffdswcf9ru
- &g age1rz75dqzfd6gulwh270ukmt5amcau6j8dpxgzx8fm6u8sjkyx9usq69y4s2
- &h age148huz6rc3q9xx5t873ncx75sja2sazlescwspxl7lsmxsqkz0apsy8cldp
- &i age1ck6lhd8thjcrdcnkn2epc8npztg0sfswahunjkwcf57rr0xaevys8fh0x6
- &j age13j6l33g0ghk4vezn0qwfal2qmcgqwkv89ejwezpe3n47mw8yxyuslj6y7d
- &k age13x0f3glnz4jvqty2v92cxrrnjcna6ed4qegrhulw9jjy08zuy3aqzvrfc6
- &pixel-termux age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
- &t460s age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
- &pixel-nix age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
- &compute-deck-user age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
machine_host_keys:
- &trip age10lv32k2guszr5y69sez3z5xj92wzmdxvfejd6hm8xr0pmclw2cvq0hk6pe
- &compute-deck-host age1hcqem868xhjdj3lzsvgf0duylwrdp9nqs06a9d0043cpsuhms4as7cqnv4
@@ -22,17 +15,10 @@ creation_rules:
- path_regex: ^secrets/liam/
key_groups:
- age:
- *a
- *b
- *c
- *d
- *e
- *f
- *g
- *h
- *i
- *j
- *k
- *pixel-termux
- *t460s
- *pixel-nix
- *compute-deck-user
- *liam
- path_regex: ^tests/test_secrets/
key_groups:

86
common/commands.nix
View File

@@ -1,86 +0,0 @@
{ config, lib, pkgs, ... }: let
inherit (lib) mkOption types;
cfg = builtins.attrValues config.vacu.shell.functions;
enabled = builtins.filter (o: o.enable) cfg;
writeShellFunction = name: text: pkgs.writeTextFile {
inherit name;
executable = false;
destination = "/share/vacufuncs/${name}";
text = ''
${text}
'';
checkPhase = ''
${pkgs.stdenv.shellDryRun} "$target"
'';
};
in {
options = {
vacu.shell.functionsDir = mkOption {
type = types.path;
};
vacu.shell.interactiveLines = mkOption {
type = types.lines;
default = "";
};
vacu.shell.functions = mkOption {
default = {};
type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
options = {
name = mkOption {
type = types.str;
default = name;
readonly = true;
};
content = mkOption {
type = types.str;
default = "";
};
enable = mkOption {
type = types.bool;
default = config.content != "";
defaultText = ''${name}.content != ""'';
};
};
}));
};
};
config = {
_module.args.vaculib.writeShellFunction = writeShellFunction;
vacu.shell.interactiveLines = ''
if [[ $- == *i* ]] && [[ -f ${config.vacu.shell.functionsDir}/vacureload ]]; then
function __vacushell_load() { eval "$(cat ${config.vacu.shell.functionsDir}/vacureload)"; }
__vacushell_load
unset __vacushell_load
fi
'';
vacu.packages.vacureload.enable = true;
vacu.packages.vacureload.package = let
inherit (config.vacu.shell) functionsDir;
in writeShellFunction "vacureload" ''
declare -gA vacuShellFunctionsLoaded
if ! [[ -f ${functionsDir}/vacureload ]]; then
echo "vacureload: I think that's my cue to leave (${functionsDir}/vacureload not found, assuming vacureload-less config has been loaded and unloading myself)" 1>&2
for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
unset -f $funcname
done
return
fi
for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
if ! [[ -f ${functionsDir}/$funcname ]]; then
unset -f $funcname
fi
done
for fullPath in ${functionsDir}/*; do
local funcname="$(basename "$fullPath")"
local followedPath="$(readlink -f "$fullPath")"
if [[ "''${vacuShellFunctionsLoaded[$funcname]}" != "$followedPath" ]]; then
unset -f $funcname
eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(cat '$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
vacuShellFunctionsLoaded[$funcname]=$followedPath
fi
unset followedPath
unset funcname
done
'';
};
}

9
common/common-but-not.nix
View File

@@ -1,9 +0,0 @@
# todo: rename this module
# stuff that does actual configuring (so can't be in ./module.nix) but works in nixos module, home-manager modules, and nix-on-droid modules
{ inputs, ... }:
{
nix.registry.vacu.to = {
type = "path";
path = inputs.self.outPath;
};
}

5
common/home.nix
View File

@@ -1,5 +0,0 @@
{ ... }: let
in {
imports = [ ./common-but-not.nix ];
}

228
common/module.nix
View File

@@ -1,228 +0,0 @@
{ config, pkgs, lib, inputs, ... }: let
inherit (lib) mkOption types;
inherit (inputs) self;
in {
imports = [ ./package-set.nix ./not-aliases.nix ./ssh.nix ];
options = {
vacu.nix.extraSubstituters = mkOption { type = types.listOf types.str; };
vacu.nix.extraTrustedKeys = mkOption { type = types.listOf types.str; };
vacu.rootCAs = mkOption { type = types.listOf types.str; };
vacu.versionId = mkOption { type = types.str; readOnly = true; };
vacu.versionInfo = mkOption { readOnly = true; };
};
config = {
vacu.packages = with pkgs; [
home-manager
nixos-rebuild
which
nano
vim
wget
screen
tmux
lsof
htop
mosh
dnsutils
iperf3
nmap
rsync
ethtool
sshfs
ddrescue
pciutils
ncdu
nix-index
git
pv
unzip
file
ripgrep
jq
units
tree
rclone
iputils
ssh-to-age
sops
inetutils
neovim
diffutils
findutils
utillinux
tzdata
hostname
man
gnugrep
gnused
gnutar
bzip2
gzip
xz
zip
unzip
openssh
dig
bash
termscp
usbutils
ruby
psutils
killall
git
inputs.nix-search-cli.packages.${pkgs.system}.default
inputs.nix-inspect.packages.${pkgs.system}.default
];
vacu.versionId = toString (self.shortRev or self.dirtyShortRev);
vacu.versionInfo = {
id = config.vacu.versionId;
flakePath = self.outPath;
};
vacu.nix.extraSubstituters = [
"https://nixcache.shelvacu.com/"
"https://nix-community.cachix.org/"
"https://nix-on-droid.cachix.org/"
];
vacu.nix.extraTrustedKeys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM="
"nix-on-droid.cachix.org-1:56snoMJTXmDRC1Ei24CmKoUqvHJ9XCp+nidK7qkMQrU="
];
vacu.rootCAs = [
''
-----BEGIN CERTIFICATE-----
MIIBnjCCAUWgAwIBAgIBBTAKBggqhkjOPQQDAjAgMQswCQYDVQQGEwJVUzERMA8G
A1UEAxMIdm5vcG4gQ0EwHhcNMjQwODEyMjExNTQwWhcNMzQwODEwMjExNTQwWjAg
MQswCQYDVQQGEwJVUzERMA8GA1UEAxMIdm5vcG4gQ0EwWTATBgcqhkjOPQIBBggq
hkjOPQMBBwNCAARqRbSeq00FfYUGeCHVkzwrjrydI56T12xy+iut0c4PemSuhyxC
AgfdKYtDqMNZmSqMaLihzkBenD0bN5i0ndjho3AwbjAPBgNVHRMBAf8EBTADAQH/
MCwGA1UdHgEB/wQiMCCgGDAKhwgKTkwA///8ADAKgggudDJkLmxhbqEEMAKBADAO
BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFAjSkbJQCQc1WP6nIP5iLDIKGFrdMAoG
CCqGSM49BAMCA0cAMEQCIFtyawkZqFhvzgmqG/mYNNO6DdsQTPQ46x/08yrEiiF4
AiA+FwAPqX+CBkaSdIhuhv1kIecmvacnDL5kpyB+9nDodw==
-----END CERTIFICATE-----
''
];
vacu.ssh.authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86" # Termux on pixel6pro
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp" # t460s windows
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W" # pixel6pro nix-on-droid
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug" # compute-deck
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g" # triple-dezert
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8" # triple-dezert (root)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I" # compute-deck (root)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX" # pro1x nix-on-droid
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExSObd1lZprdqAFLqFhtxDEckV0q/vZZIYqrYFKfkoC" # devver
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m" # fw (root)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C" # fw
];
vacu.ssh.config = ''
Host deckvacu
User deck
Host rsb
User user
HostName finaltask.xyz
Port 2222
Host awoo
HostName 45.142.157.71
Host trip
HostName trip.shelvacu.com
Port 6922
Host liam
HostName 178.128.79.152
Host pluto
HostName pluto.somevideogam.es
Host *
User shelvacu
GlobalKnownHostsFile ${pkgs.writeText "known_hosts" config.vacu.ssh.knownHostsText}
'';
vacu.ssh.knownHosts = {
#public hosts
"github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
"gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
"git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
#colin's stuff
"uninsane.org" = {
extraHostNames = [ "git.uninsane.org" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
};
"desko" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
};
#daymocker's stuff
"pluto" = {
extraHostNames = [ "74.208.184.137" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
};
#powerhouse hosts
"ostiary" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSYyd1DGPXGaV4mD34tUbXvbtIi/Uv2otoMUsCkxRse";
};
"habitat" = { # previously known as zigbee-hub
extraHostNames = [ "10.78.79.114" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN";
};
"vnopn" = {
extraHostNames = [ "10.78.79.1" "vnopn.t2d.lan" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMgJE8shlTYF3nxKR/aILd1SzwDwhtCrjz9yHL7lgSZ";
};
#work laptop
"tebbs-MBP" = {
extraHostNames = [ "10.244.10.3" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKO/ks07zSByDH/qmDrghtBSFwWnze2s62zEmtXwaMJe";
};
#personal hosts
trip = {
extraHostNames = [ "triple-dezert" "trip.shelvacu.com" "[trip.shelvacu.com]:6922" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
};
servacu = {
extraHostNames = [ "mail.dis8.net" "servacu.shelvacu.com" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
};
finaltask = {
extraHostNames = [ "rsb" "finaltask.xyz" "[finaltask.xyz]:2222" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
};
compute-deck = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
};
"2esrever" = {
extraHostNames = [ "10.4.5.218" "10.244.46.71" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
};
awoo = {
extraHostNames = [ "45.142.157.71" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
};
deckvacu = {
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
};
liam = {
extraHostNames = [ "liam.dis8.net" "178.128.79.152" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
};
devver = {
extraHostNames = [ "devver.t2d.lan" "10.78.79.10" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeFaH2tzWIiCPdKNmxl3NqCnPTdmVIOBinauUAEl+UU";
};
fw = {
extraHostNames = [ "fw.t2d.lan" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
};
};
};
}

16
common/nix-on-droid.nix
View File

@@ -1,16 +0,0 @@
{ config, ... }:
{
imports = [
./module.nix
./commands.nix
./common-but-not.nix
];
environment.packages = config.vacu.packageList;
environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
nix.substituters = config.vacu.nix.extraSubstituters;
nix.trustedPublicKeys = config.vacu.nix.extraTrustedKeys;
vacu.shell.functionsDir = "${config.user.home}/.nix-profile/share/vacufuncs";
environment.etc.bashrc.text = config.vacu.shell.interactiveLines;
environment.etc.profile.text = config.vacu.shell.interactiveLines;
environment.etc."vacu.json".text = builtins.toJSON config.vacu.versionInfo;
}

99
common/nixos.nix
View File

@@ -1,99 +0,0 @@
{ lib, pkgs, config, inputs, utils, ... }:
{
imports = [ ./module.nix ./commands.nix ./common-but-not.nix ];
options.vacu.underTest = lib.mkOption {
default = false;
type = lib.types.bool;
};
options.vacu.acmeCertDependencies = lib.mkOption {
default = {};
example = ''
vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
'';
type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
};
config = let
for-systemd-services = lib.concatMapAttrs
(cert: units:
{
"acme-selfsigned-${cert}" = {
wantedBy = units;
before = units;
};
}
)
config.vacu.acmeCertDependencies;
for-security-acme-certs = lib.concatMapAttrs
(cert: units:
{
${cert}.reloadServices = units;
}
)
config.vacu.acmeCertDependencies;
in {
console = {
keyMap = lib.mkDefault "us";
};
vacu.packages."xorg-xev" = {
enable = config.services.xserver.enable;
package = pkgs.xorg.xev;
};
environment.systemPackages = config.vacu.packageList;
programs.git = {
enable = true;
lfs.enable = true;
};
system.nixos.tags = [ "vacu${config.vacu.versionId}" ];
environment.etc."vacu.json".text = builtins.toJSON config.vacu.versionInfo;
i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
time.timeZone = "America/Los_Angeles";
users.users.shelvacu = {
openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
isNormalUser = true;
extraGroups = [ "wheel" ];
};
systemd.services = for-systemd-services;
security.acme.certs = for-security-acme-certs;
services.openssh = {
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "prohibit-password";
};
nix.settings.trusted-users = [ "shelvacu" ];
security.sudo.wheelNeedsPassword = lib.mkDefault false;
programs.screen = {
screenrc = ''
defscrollback 10000
termcapinfo xterm* ti@:te@
maptimeout 5
'';
} // (if config.system.nixos.release == "23.11" then {} else { enable = true; });
programs.tmux.enable = true;
programs.tmux.extraConfig = "setw mouse";
programs.tmux.clock24 = true;
nix.settings = {
experimental-features = [ "nix-command" "flakes" ];
substituters = config.vacu.nix.extraSubstituters;
trusted-public-keys = config.vacu.nix.extraTrustedKeys;
};
nixpkgs.config.allowUnfree = lib.mkDefault true;
programs.mosh.enable = lib.mkDefault true;
programs.ssh.extraConfig = config.vacu.ssh.config;
security.pki.certificates = config.vacu.rootCAs;
# commands.nix
environment.pathsToLink = [ "/share/vacufuncs" ];
vacu.shell.functionsDir = "/run/current-system/sw/share/vacufuncs";
programs.bash.interactiveShellInit = config.vacu.shell.interactiveLines;
};
}

34
common/not-aliases.nix
View File

@@ -1,34 +0,0 @@
# These are the things that might in a simpler time go in ~/.bashrc as aliases. But they're not aliases, cuz aliases are bad
{ pkgs, vaculib, ... }: let
inherit (pkgs) writeScriptBin;
inherit (vaculib) writeShellFunction;
in {
vacu.packages = [
(writeScriptBin "ms" ''
set -e
if [[ $# != 1 ]]; then
echo "wrong number of args" 1>&2
exit 1
fi
set -x
mosh -- $1 sudo screen -Rd
'')
(writeScriptBin "rmln" ''
set -eo pipefail
for arg in "$@"; do
if [[ "$arg" != "-*" ]] && [[ ! -L "$arg" ]]; then
echo "$0: $arg is not a symlink" 1>&2
exit 1
fi
done
rm $@
'')
(writeShellFunction "nd" ''
declare -a args
args=("$@")
mkdir "''${args[@]}" && cd "''${args[-1]}"
'')
(writeShellFunction "td" ''pushd $(mktemp "$@")'')
];
}

40
common/package-set.nix
View File

@@ -1,40 +0,0 @@
{ config, pkgs, lib, ... }: let
inherit (lib) mkOption types;
pkgOptions = builtins.attrValues config.vacu.packages;
enabledOptions = builtins.filter (o: o.enable) pkgOptions;
enabledPkgs = builtins.map (o: o.package) enabledOptions;
packagesSetType = types.attrsOf (types.submodule ({ name, config, options, ... }: {
options = {
enable = mkOption {
type = types.bool;
description = "Will this package be installed (included in environment.systemPackages)";
};
package = mkOption {
type = types.package;
default = pkgs.${name};
defaultText = "pkgs.${name}";
};
};
}));
packageListToSet = (from: let
keyvals = map (val:
if builtins.isString val then
{ name = val; value = { package = pkgs."${val}"; enable = lib.mkDefault true; }; }
else
{ name = val.name; value = { package = val; enable = lib.mkDefault true; }; }
) from;
in builtins.listToAttrs keyvals);
in {
options = {
vacu.packages = mkOption {
default = {};
type = types.coercedTo (types.listOf (types.either types.str types.package)) packageListToSet packagesSetType;
};
vacu.packageList = mkOption {
type = types.listOf types.package;
readOnly = true;
};
};
config.vacu.packageList = enabledPkgs;
}

116
common/ssh.nix
View File

@@ -1,116 +0,0 @@
{ pkgs, lib, config, ... }: let
inherit (lib) mkOption types flip concatMapStringsSep optionalString concatStringsSep readFile mapAttrsToList literalExpression;
inherit (builtins) attrValues;
cfg = config.vacu;
knownHosts = attrValues cfg.ssh.knownHosts;
knownHostsText = (flip (concatMapStringsSep "\n") knownHosts
(h: assert h.hostNames != [];
optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " "
+ (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
)) + "\n";
in {
options = {
vacu.ssh.knownHostsText = mkOption {
type = types.str;
readOnly = true;
default = knownHostsText;
};
vacu.ssh.authorizedKeys = mkOption {
type = types.listOf types.str;
};
vacu.ssh.config = mkOption {
type = types.lines;
};
# Straight copied from nixpkgs
# https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
vacu.ssh.knownHosts = mkOption {
default = {};
type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
options = {
certAuthority = mkOption {
type = types.bool;
default = false;
description = ''
This public key is an SSH certificate authority, rather than an
individual host's key.
'';
};
hostNames = mkOption {
type = types.listOf types.str;
default = [ name ] ++ config.extraHostNames;
defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
description = ''
A list of host names and/or IP numbers used for accessing
the host's ssh service. This list includes the name of the
containing `knownHosts` attribute by default
for convenience. If you wish to configure multiple host keys
for the same host use multiple `knownHosts`
entries with different attribute names and the same
`hostNames` list.
'';
};
extraHostNames = mkOption {
type = types.listOf types.str;
default = [];
description = ''
A list of additional host names and/or IP numbers used for
accessing the host's ssh service. This list is ignored if
`hostNames` is set explicitly.
'';
};
publicKey = mkOption {
default = null;
type = types.nullOr types.str;
example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
description = ''
The public key data for the host. You can fetch a public key
from a running SSH server with the {command}`ssh-keyscan`
command. The public key should not include any host names, only
the key type and the key itself.
'';
};
publicKeyFile = mkOption {
default = null;
type = types.nullOr types.path;
description = ''
The path to the public key file for the host. The public
key file is read at build time and saved in the Nix store.
You can fetch a public key file from a running SSH server
with the {command}`ssh-keyscan` command. The content
of the file should follow the same format as described for
the `publicKey` option. Only a single key
is supported. If a host has multiple keys, use
{option}`programs.ssh.knownHostsFiles` instead.
'';
};
};
}));
description = ''
The set of system-wide known SSH hosts. To make simple setups more
convenient the name of an attribute in this set is used as a host name
for the entry. This behaviour can be disabled by setting
`hostNames` explicitly. You can use
`extraHostNames` to add additional host names without
disabling this default.
'';
example = literalExpression ''
{
myhost = {
extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
};
"myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
"myhost2.net/dsa" = {
hostNames = [ "myhost2.net" ];
publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
};
}
'';
};
config.assertions = lib.flip lib.mapAttrsToList config.vacu.ssh.knownHosts (name: data: {
assertion = (data.publicKey == null && data.publicKeyFile != null) ||
(data.publicKey != null && data.publicKeyFile == null);
message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
});
};
}

44
compute-deck/default.nix
View File

@@ -3,14 +3,14 @@
{
imports = [
inputs.jovian.nixosModules.jovian
# inputs.disko.nixosModules.default
inputs.home-manager.nixosModules.default
inputs.disko.nixosModules.default
inputs.homeManager.nixosModules.default
./hardware.nix
./partitioning.nix
./home.nix
./bluetooth.nix
./partitioning.nix
./padtype.nix
../common/nixos.nix
../common-nixos-config.nix
];
system.nixos.tags = [ "host-${config.networking.hostName}" ];
@@ -55,22 +55,22 @@
rustup
];
# boot.kernelPatches = [
# {
# name = "gadget";
# patch = null;
# extraStructuredConfig = with lib.kernel; {
# USB_ETH=module;
# USB_GADGET=yes;
# USB_LIBCOMPOSITE=yes;
# USB_CONFIGFS=yes;
# USB_DWC3=module;
# USB_DWC3_PCI=module;
# USB_DWC3_DUAL_ROLE=yes;
# USB_DWC3_HOST=no;
# USB_DWC3_GADGET=no;
# USB_ROLE_SWITCH=yes;
# };
# }
# ];
boot.kernelPatches = [
{
name = "gadget";
patch = null;
extraStructuredConfig = with lib.kernel; {
USB_ETH=module;
USB_GADGET=yes;
USB_LIBCOMPOSITE=yes;
USB_CONFIGFS=yes;
USB_DWC3=module;
USB_DWC3_PCI=module;
USB_DWC3_DUAL_ROLE=yes;
USB_DWC3_HOST=no;
USB_DWC3_GADGET=no;
USB_ROLE_SWITCH=yes;
};
}
];
}

2
compute-deck/hardware.nix
View File

@@ -5,7 +5,7 @@
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "sdhci_pci" "dwc3_pci" ];
boot.initrd.availableKernelModules = [ "nvme" "usbhid" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];

3
compute-deck/partitioning.nix
View File

@@ -1,6 +1,5 @@
{ inputs, ... }:
{ ... }:
{
imports = [ inputs.disko.nixosModules.default ];
disko.devices.disk.blarg = {
device = "/dev/disk/by-id/nvme-Micron_2400_MTFDKBK2T0QFM_230341951668_1-part11";
content = {

55
deterministic-certs.nix
View File

@@ -1,55 +0,0 @@
{ nixpkgs ? import <nixpkgs> }: let
pkgs = nixpkgs;
lib = nixpkgs.lib;
defaultCertTemplate = {
serial = 1;
activation_date = "1970-01-01 00:00:00 UTC";
expiration_date = "2500-01-01 00:00:00 UTC";
};
keyValToConfigLines = (key: value:
if (builtins.isString value) || (builtins.isPath value) then "${key} = \"${value}\"" else
if builtins.isInt value then "${key} = ${builtins.toString value}" else
if builtins.isList value then map (innerValue: keyValToConfigLines key innerValue) else
if builtins.isBool value then (if value then "${key}" else "# no ${key}") else
throw "don't know how to handle ${builtins.typeOf value}"
);
mkTemplateConfig = config: lib.concatStringsSep "\n" (lib.lists.flatten (lib.attrsets.mapAttrsToList keyValToConfigLines config));
certCfg = pkgs.writeText "deterministic-cert.cfg" ''
serial = 1
activation_date = "1970-01-01 00:00:00 UTC"
expiration_date = "2500-01-01 00:00:00 UTC"
'';
privKeyFile = name: let
keySizeBits = 256;
keySizeHex = builtins.toString (keySizeBits / 4);
in pkgs.runCommand "deterministic-privkey-${name}.pem" {} ''
seed=$(echo ${lib.escapeShellArg (builtins.toJSON name)} | ${pkgs.ruby_3_2}/bin/ruby -rjson -e 'name = JSON.parse(STDIN.gets); print name.unpack("H*")[0].ljust(${keySizeHex}, "0")')
${pkgs.gnutls}/bin/certtool --generate-privkey --outfile=$out --key-type=rsa --sec-param=high --seed=$seed
'';
generateCert = { name, config, args, preCommands ? "" }: let
deriv = pkgs.runCommand "deterministic-cert-${name}" {} ''
mkdir -p $out
cd $out
ln -s ${privKeyFile name} privkey.pem
ln -s ${pkgs.writeText "${name}-template.cfg" (mkTemplateConfig (defaultCertTemplate // config))} template.cfg
${preCommands}
${pkgs.gnutls}/bin/certtool ${lib.escapeShellArgs args} --load-privkey=privkey.pem --outfile=cert.pem --template=template.cfg
'';
in deriv // { privateKeyPath = "${deriv}/privkey.pem"; certificatePath = "${deriv}/cert.pem"; };
in {
inherit privKeyFile;
selfSigned = name: config: generateCert { inherit name config; args = [ "--generate-self-signed" ]; };
caSigned = name: ca: config: generateCert {
inherit name config;
preCommands = ''
ln -s ${ca.privateKeyPath} ca-privkey.pem
ln -s ${ca.certificatePath} ca-cert.pem
'';
args = [
"--generate-certificate"
"--load-ca-certificate=ca-cert.pem"
"--load-ca-privkey=ca-privkey.pem"
];
};
}

4
devver/default.nix
View File

@@ -2,8 +2,8 @@
{
imports = [
inputs.home-manager.nixosModules.default
../common/nixos.nix
inputs.homeManager.nixosModules.default
../common-nixos-config.nix
(modulesPath + "/profiles/qemu-guest.nix")
];

775
flake.lock generated
View File

File diff suppressed because it is too large Load Diff

159
flake.nix
View File

@@ -2,55 +2,40 @@
description = "Config for triple-dezert server";
inputs = {
nixpkgs.url = "nixpkgs/nixos-24.05-small";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; #todo: put this back to -small once jovian-nixos is fixed
nixpkgs.url = "nixpkgs/nixos-23.11-small";
nixpkgs2405.url = "nixpkgs/nixos-24.05-small";
nix-inspect = {
url = "github:bluskript/nix-inspect";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-inspect-unstable = {
url = "github:bluskript/nix-inspect";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
vscode-server-unstable = {
url = "github:nix-community/nixos-vscode-server";
inputs.nixpkgs.follows = "nixpkgs-unstable";
#inputs.nixpkgs.follows = "nixpkgs";
};
vscode-server = {
url = "github:nix-community/nixos-vscode-server";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-on-droid = {
url = "github:nix-community/nix-on-droid";
url = "github:nix-community/nix-on-droid/release-23.05";
inputs.nixpkgs.follows = "nixpkgs";
};
jovian-unstable = { # there is no stable jovian :cry:
jovian = {
url = "github:Jovian-Experiments/Jovian-NixOS";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
disko-unstable = {
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
home-manager = {
url = "github:nix-community/home-manager/release-24.05";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager-unstable = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
nix-search-cli-unstable = {
url = "github:peterldowns/nix-search-cli";
homeManager = {
url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
nix-search-cli = {
url = "github:peterldowns/nix-search-cli";
inputs.nixpkgs.follows = "nixpkgs";
};
padtype-unstable = {
padtype = {
url = "gitlab:shelvacu/padtype";
inputs.nixpkgs.follows = "nixpkgs-unstable";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix = {
url = "github:Mic92/sops-nix";
@@ -60,82 +45,58 @@
url = "github:astro/microvm.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-hardware.url = "github:nixos/nixos-hardware";
most-winningest = {
url = "github:captain-jean-luc/most-winningest";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, nix-on-droid, home-manager, ... }@inputs: let
defaultInputs = { inherit (inputs) self nix-search-cli nix-inspect; };
defaultArgs = { inputs = defaultInputs; };
in {
outputs = { self, nixpkgs, nix-on-droid, ... }@inputs: {
debug.isoDeriv = (import "${inputs.nixpkgs}/nixos/release-small.nix" { nixpkgs = ({ revCount = 0; } // inputs.nixpkgs); });
nixosConfigurations.triple-dezert = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./triple-dezert ];
specialArgs = { inputs = defaultInputs // { inherit (inputs) most-winningest; }; };
specialArgs = { inherit inputs; };
};
nixosConfigurations.compute-deck = inputs.nixpkgs-unstable.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./compute-deck ];
specialArgs = { inputs = {
jovian = inputs.jovian-unstable;
home-manager = inputs.home-manager-unstable;
vscode-server = inputs.vscode-server-unstable;
disko = inputs.disko-unstable;
padtype = inputs.padtype-unstable;
nix-search-cli = inputs.nix-search-cli-unstable;
nix-inspect = inputs.nix-inspect-unstable;
self = inputs.self;
}; };
specialArgs = { inherit inputs; };
};
nixosConfigurations.liam = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./liam ];
specialArgs = { inputs = defaultInputs // { inherit (inputs) sops-nix; }; };
specialArgs = { inherit inputs; };
};
nixosConfigurations.lp0 = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./lp0 ];
specialArgs = defaultArgs;
specialArgs = { inherit inputs; };
};
nixosConfigurations.shel-installer = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./installer.nix ];
specialArgs = defaultArgs;
specialArgs = { inherit inputs; };
};
nixosConfigurations.devver = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./devver ];
specialArgs = { inputs = defaultInputs // { inherit (inputs) home-manager; }; };
specialArgs = { inherit inputs; };
};
nixosConfigurations.fw = nixpkgs.lib.nixosSystem {
nixosConfigurations.fw = inputs.nixpkgs2405.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./fw ];
specialArgs = { inputs = defaultInputs // { inherit (inputs) nixos-hardware; }; };
specialArgs = { inherit inputs; };
};
nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
modules = [ ./nix-on-droid ];
extraSpecialArgs = defaultArgs;
pkgs = import nixpkgs { system = "aarch64-linux"; };
modules = [ ./nix-on-droid.nix ];
extraSpecialArgs = { inherit inputs; };
};
homeConfigurations."nix-on-droid" = home-manager.lib.homeManagerConfiguration {
modules = [
./home/nix-on-droid.nix
{ _module.args.inputs = defaultInputs; }
];
pkgs = import nixpkgs { system = "aarch64-linux"; };
};
diskoConfigurations.compute-deck = import ./compute-deck/partitioning.nix;
checks = nixpkgs.lib.genAttrs [ "x86_64-linux" ] (system:
let
@@ -144,73 +105,37 @@
node.pkgs = pkgs;
node.pkgsReadOnly = false;
node.specialArgs.selfPackages = self.packages.${system};
#node.specialArgs.inputs = defaultInputs;
node.specialArgs.inputs = inputs;
};
in
{
liam = nixpkgs.lib.nixos.runTest {
hostPkgs = pkgs;
imports = [ config ./tests/liam.nix { node.specialArgs.inputs = self.nixosConfigurations.liam._module.specialArgs.inputs; } ];
imports = [ config ./tests/liam.nix ];
};
trip = nixpkgs.lib.nixos.runTest {
hostPkgs = pkgs;
imports = [ config ./tests/triple-dezert.nix { node.specialArgs.inputs = self.nixosConfigurations.triple-dezert._module.specialArgs.inputs; } ];
imports = [ config ./tests/triple-dezert.nix ];
};
# trip_haproxy_config = let
# hacfg = self.nixosConfigurations.triple-dezert.config.containers.frontproxy.config.services.haproxy;
# in pkgs.stdenvNoCC.mkDerivation {
# name = "trip-haproxy-config-check";
# script = ''
# mkdir -p certs/shelvacu.com/
# touch certs/shelvacu.com/full.pem
# ${hacfg.package}/bin/haproxy \
# -f ${pkgs.writeText "haproxy-config" hacfg.config} \
# -c \
# -dW \
# -dD \
# -C $PWD
# '';
# };
}
);
nixosModules.common = import ./common/module.nix;
packages.x86_64-linux.snmpb = nixpkgs.legacyPackages.x86_64-linux.libsForQt5.callPackage ./packages/snmpb/package.nix {};
packages.x86_64-linux.snmp-mibs-downloader = nixpkgs.legacyPackages.x86_64-linux.callPackage ./packages/snmp-mibs-downloader.nix {};
nixosModules.common = import ./common-config.nix;
packages.x86_64-linux.digitalOceanImage = import ./generic-digitalocean-nixos.nix { inherit inputs; };
packages.x86_64-linux.authorizedKeys = let
pkgs = nixpkgs.legacyPackages.x86_64-linux;
in pkgs.writeText "authorizedKeys" (pkgs.lib.concatStringsSep "\n" self.nixosConfigurations.fw.config.vacu.ssh.authorizedKeys);
packages.aarch64-linux.authorizedKeys = let
pkgs = nixpkgs.legacyPackages.aarch64-linux;
in pkgs.writeText "authorizedKeys" (pkgs.lib.concatStringsSep "\n" self.nixOnDroidConfigurations.default.config.vacu.ssh.authorizedKeys);
qb = /* qb is "quick build" */ let
toplevelOf = name: self.nixosConfigurations.${name}.config.system.build.toplevel;
deterministicCerts = import ./deterministic-certs.nix { nixpkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; };
pkgs = nixpkgs.legacyPackages.x86_64-linux;
in rec {
# nix-on-droid is impure >:(
# nod = self.nixOnDroidConfigurations.default.activationPackage;
fw = toplevelOf "fw";
triple-dezert = toplevelOf "triple-dezert";
trip = triple-dezert;
compute-deck = toplevelOf "compute-deck";
cd = compute-deck;
liam = toplevelOf "liam";
lp0 = toplevelOf "lp0";
devver = toplevelOf "devver";
shel-installer = toplevelOf "shel-installer";
iso = self.nixosConfigurations.shel-installer.config.system.build.isoImage;
do = self.packages.x86_64-linux.digitalOceanImage;
snmpb = self.packages.x86_64-linux.snmpb;
check-triple-dezert = self.checks.x86_64-linux.trip.driver;
check-trip = check-triple-dezert;
check-liam = self.checks.x86_64-linux.liam.driver;
authorizedKeys = self.packages.x86_64-linux.authorizedKeys;
authorizedKeysAarch = self.packages.aarch64-linux.authorizedKeys;
ak = authorizedKeys;
dc-priv = deterministicCerts.privKeyFile "test";
dc-cert = deterministicCerts.selfSigned "test" {};
};
all = let
pkgs = nixpkgs.legacyPackages.x86_64-linux;
symlinkCommands = pkgs.lib.mapAttrsToList (name: pkg: "ln -s ${pkg} ${name}") self.qb;
in pkgs.runCommand "nix-stuff-all" {} ''
mkdir $out
cd $out
${pkgs.lib.concatStringsSep "\n" symlinkCommands}
'';
allWithBuildDeps = nixpkgs.legacyPackages.x86_64-linux.closureInfo { rootPaths = [ self.all.drvPath ]; };
};
}

4
fw/android.nix
View File

@@ -1,4 +0,0 @@
{ pkgs, ... }: {
vacu.packages = pkgs.androidStudioPackages.stable.all;
users.users.shelvacu.extraGroups = [ "kvm" ];
}

59
fw/apex.nix
View File

@@ -1,59 +0,0 @@
# everything to interact with my apex flex, pcsc stuff, fido2 stuff, etc
{ pkgs, ... }: {
# apparently this is already enabled??
# nixpkgs.overlays = [ ( final: prev: {
# libfido2 = prev.libfido2.override { withPcsclite = true; };
# } ) ];
vacu.packages = with pkgs; [
libfido2
pcsclite
pcsc-tools
scmccid
opensc
];
services.pcscd.enable = true;
# conflicts with pcscd, see https://stackoverflow.com/questions/55144458/unable-to-claim-usb-interface-device-or-resource-busy-stuck
boot.blacklistedKernelModules = [ "pn533_usb" "pn533" "nfc" ];
# bunch of stuff from https://wiki.nixos.org/wiki/Web_eID
# Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots
# (PIN1 for authentication/decryption, PIN2 for signing).
# environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
# module: ${pkgs.opensc}/lib/opensc-pkcs11.so
# '';
# environment.etc."opensc.conf".text = ''
# app default {
# reader_driver pcsc {
# enable_pinpad = false;
# }
# }
# '';
environment.systemPackages = [
# Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load
# security devices, so they can be used for TLS client auth.
# Each user needs to run this themselves, it does not work on a system level
# due to a bug in Chromium:
#
# https://bugs.chromium.org/p/chromium/issues/detail?id=16387
(pkgs.writeShellScriptBin "setup-browser-eid" ''
NSSDB="''${HOME}/.pki/nssdb"
mkdir -p ''${NSSDB}
${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \
-libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so
'')
];
programs.firefox.enable = true;
#programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
# trying CTAP-bridge
services.udev.extraRules = ''
KERNEL=="hidg[0-9]", SUBSYSTEM=="hidg", SYMLINK+="ctaphid", MODE+="0666", TAG+="uaccess"
KERNEL=="ccidg[0-9]", SUBSYSTEM=="ccidg", SYMLINK+="ccidsc", MODE+="0666", TAG+="uaccess"
'';
}

60
fw/default.nix
View File

@@ -1,52 +1,24 @@
{ config, inputs, pkgs, lib, ... }: {
imports = [
../common/nixos.nix
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
./apex.nix
./android.nix
../common-nixos-config.nix
];
#boot.loader.grub.configurationLimit = 5;
system.nixos.tags = [ "host-${config.networking.hostName}" ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.networkmanager.enable = true;
# boot.kernelParams = [ "nvme.noacpi=1" ]; # DONT DO IT: breaks shit even more
services.fprintd.enable = false; #kinda broken
vacu.packages = with pkgs; [
bitwarden-desktop
nheko
librewolf
brave
thunderbird
wl-clipboard
nextcloud-client
signal-desktop
fw-ectool
framework-tool
iio-sensor-proxy
power-profiles-daemon
acpi
jellyfin-media-player
vlc
dmidecode
prismlauncher
ffmpeg_7-full
wireshark
obsidian
dino
aircrack-ng
libreoffice-qt6-fresh
# null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
(inkscape-with-extensions.override { inkscapeExtensions = null; })
libsmi
net-snmp
];
services.fwupd.enable = true;
#fwupd gets confused by the multiple EFI partitions, I think I just have to pick one
#update: it didn't work, I dunno why. Leaving this here anyways
services.fwupd.daemonSettings.EspLocation = lib.mkForce "/boot0";
vacu.packages.bitwarden-desktop.enable = true;
vacu.packages.nheko.enable = true;
vacu.packages.librewolf.enable = true;
vacu.packages.brave.enable = true;
vacu.packages.thunderbird.enable = true;
vacu.packages.wl-clipboard.enable = true;
vacu.packages.nextcloud-client.enable = true;
vacu.packages.signal-desktop.enable = true;
vacu.packages.fw-ectool.enable = true;
vacu.packages.framework-tool.enable = true;
vacu.packages.iio-sensor-proxy.enable = true;
vacu.packages.power-profiles-daemon.enable = true;
vacu.packages.acpi.enable = true;
services.xserver.enable = true;
services.displayManager.sddm.enable = true;
@@ -103,7 +75,6 @@
hardware.opengl = {
driSupport = true;
driSupport32Bit = true;
extraPackages = [ pkgs.rocmPackages.clr.icd pkgs.amdvlk ];
};
programs.nix-ld.enable = true;
programs.steam = {
@@ -120,7 +91,4 @@
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
services.blueman.enable = true;
services.postgresql.enable = true; #for development
}

7
home/nix-on-droid.nix
View File

@@ -1,7 +0,0 @@
{ ... }:
{
imports = [ ../common/home.nix ];
home.stateVersion = "24.05";
home.homeDirectory = "/data/data/com.termux.nix/files/home";
home.username = "nix-on-droid";
}

2
installer.nix
View File

@@ -1,7 +1,7 @@
{ config, inputs, modulesPath, lib, ... }: {
imports = [
"${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
./common/nixos.nix
./common-nixos-config.nix
];
# this is an installer image, created anew every time. There's no state we need to worry about messing up
system.stateVersion = config.system.nixos.version;

15
liam/default.nix
View File

@@ -2,14 +2,13 @@
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
(modulesPath + "/virtualisation/digital-ocean-config.nix")
../common/nixos.nix
../common-nixos-config.nix
./nginx.nix
./sops.nix
./dovecot.nix
./mail.nix
./dkim.nix
./sieve.nix
./network.nix
];
options = let
@@ -30,11 +29,6 @@
"shop.theviolincase.com"
];
domains = mkReadOnly (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
relayhost = lib.options.mkOption {
type = lib.types.str;
# mailhop is duocircle
default = "[outbound.mailhop.org]:587 [relay.dynu.com]:587";
};
reservedIpLocal = mkReadOnly "10.46.0.7";
};
};
@@ -45,6 +39,13 @@
networking.domain = "dis8.net";
# networking.interfaces."ens3".useDHCP = false;
# from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
# {
# "ip_address": "10.46.0.7",
# "netmask": "255.255.0.0",
# "gateway": "10.46.0.1"
# }
services.openssh.enable = true;
virtualisation.digitalOcean.setSshKeys = false;

4
liam/dovecot.nix
View File

@@ -75,13 +75,13 @@
userdb {
driver = passwd-file
args = username_format=%n ${config.sops.secrets."dovecot-passwd".path}
args = username_format=%n /run/secrets/dovecot-passwd
override_fields = uid=${config.services.dovecot2.mailUser} gid=${config.services.dovecot2.mailGroup} user=%n
}
passdb {
driver = passwd-file
args = username_format=%n ${config.sops.secrets."dovecot-passwd".path}
args = username_format=%n /run/secrets/dovecot-passwd
override_fields = user=%n
}

33
liam/mail.nix
View File

@@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }: let
inherit (config.vacu.liam) shel_domains julie_domains domains relayhost;
debug = false;
{ config, lib, pkgs, ... }:
let
inherit (config.vacu.liam) shel_domains julie_domains domains;
fqdn = config.networking.fqdn;
dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
in {
@@ -37,23 +37,15 @@ in {
mapFiles.sender_access = pkgs.writeText "sender-access" (lib.concatMapStringsSep "\n" (d: "${d} REJECT") domains);
# hack to get postfix to add a X-Original-To header
mapFiles.add_envelope_to = pkgs.writeText "addenvelopeto" "/(.+)/ PREPEND X-Envelope-To: $1";
mapFiles.sender_transport = pkgs.writeText "sender-transport" "@shelvacu.com relayservice";
mapFiles.sender_relay = pkgs.writeText "sender-relay" "@shelvacu.com ${relayhost}";
# verbatim appended to main.cf
extraConfig = ''
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
inet_protocols = ipv4
virtual_alias_domains =
${lib.concatStringsSep ",\n " domains}
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
header_checks = pcre:/etc/postfix/header_checks
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/add_envelope_to
recipient_delimiter = +
#we should never use these transport methods unless thru transport map
# RFC3463:
@@ -74,30 +66,13 @@ in {
smtpd_tls_dh1024_param_file = ${lib.optionalString config.services.dovecot2.enableDHE config.security.dhparams.params.dovecot2.path}
# smtp_bind_address = 10.46.0.7
# inet_interfaces = all
# inet_protocols = ipv4
${lib.optionalString config.services.opendkim.enable (assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock"); ''
smtpd_milters = unix:/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/run/opendkim/opendkim.sock
'')}
'';
masterConfig."relayservice" = {
command = "smtp";
type = "unix";
args = [
"-o" "smtp_sasl_auth_enable=yes"
"-o" "smtp_sasl_security_options=noanonymous"
"-o" "smtp_tls_security_level=secure"
"-o" "smtp_sasl_password_maps=texthash:${config.sops.secrets.relay_creds.path}"
"-o" "smtp_tls_wrappermode=no"
#"-o" "relayhost=${relayhost}"
] ++ (if debug then ["-v"] else []);
};
masterConfig.qmgr = lib.mkIf debug { args = ["-v"]; };
masterConfig.cleanup = lib.mkIf debug { args = ["-v"]; };
masterConfig.smtpd = lib.mkIf debug { args = ["-v"]; };
submissionsOptions = {
smtpd_tls_key_file = config.security.acme.certs."liam.dis8.net".directory + "/key.pem";
smtpd_tls_cert_file = config.security.acme.certs."liam.dis8.net".directory + "/full.pem";

26
liam/network.nix
View File

@@ -1,26 +0,0 @@
{ lib, config, ... }: let
# from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
# {
# "ip_address": "10.46.0.7",
# "netmask": "255.255.0.0",
# "gateway": "10.46.0.1"
# }
interface_conf = {
useDHCP = true;
ipv4.addresses = [{
address = "10.46.0.7";
prefixLength = 24;
}];
ipv4.routes = [{
address = "0.0.0.0";
prefixLength = 0;
via = "10.46.0.1";
options.scope = "global";
options.src = "10.46.0.7";
options.metric = "1200";
}];
};
in {
networking.interfaces."ens3" = lib.mkIf (!config.vacu.underTest) interface_conf;
networking.interfaces."eth0" = lib.mkIf ( config.vacu.underTest) interface_conf;
}

5
liam/sieve.nix
View File

@@ -59,7 +59,6 @@
sieve_text = ''
require ["fileinto", "mailbox"];
if header :is "Delivered-To" "shelvacu@liam.dis8.net" {
if header :is "X-Envelope-To" "brandcrowd@shelvacu.com" {
discard;
}
@@ -68,9 +67,7 @@
}
${concatStrings email_filters}
${concatStrings domain_filters}
}
'';
in {
services.dovecot2.sieve.extensions = [ "fileinto" "mailbox" ];
services.dovecot2.sieve.scripts.before = pkgs.writeText "blargsieve" sieve_text;
services.dovecot2.sieveScripts.before = pkgs.writeText "blargsieve" sieve_text;
}

4
liam/sops.nix
View File

@@ -20,9 +20,5 @@
restartUnits = [ "opendkim.service" ];
owner = config.services.opendkim.user;
};
sops.secrets.relay_creds = {
restartUnits = [ "postfix.service" ];
owner = config.services.postfix.user;
};
};
}

2
lp0/default.nix
View File

@@ -1,7 +1,7 @@
{ config, pkgs, ... }:
{
imports = [
../common/nixos.nix
../common-nixos-config.nix
./hardware-config.nix
];

12
nix-on-droid/default.nix → nix-on-droid.nix
View File

@@ -1,19 +1,19 @@
{ config, lib, pkgs, inputs, ... }:
{
imports = [
../common/nix-on-droid.nix
./flake-registry.nix
];
imports = [ ./common-config.nix ];
environment.packages = config.vacu.packageList;
environment.etc."resolv.conf".text = lib.mkForce ''
# nameserver 10.78.79.1
nameserver 10.78.79.1
nameserver 9.9.9.10
nameserver 149.112.112.10
options timeout:1 attempts:5
'';
environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
# Backup etc files instead of failing to activate generation if a file already exists in /etc
environment.etcBackupExtension = ".bak";
@@ -24,6 +24,8 @@
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
nix.substituters = config.vacu.nix.extraSubstituters;
nix.trustedPublicKeys = config.vacu.nix.extraTrustedKeys;
environment.sessionVariables."PS1" = "\\w $ ";

9
nix-on-droid/flake-registry.nix
View File

@@ -1,9 +0,0 @@
# To make `nix run nixpkgs#hello` and such use the same nixpkgs used to build this, so that it doesn't take forever
{ inputs, ... }:
{
nix.registry.nixpkgs.to = {
type = "path";
path = inputs.nixpkgs.outPath;
};
nix.nixPath = [ "nxipkgs=flake:nixpkgs" ];
}

32
package-set.nix Normal file
View File

@@ -0,0 +1,32 @@
{ config, pkgs, lib, ... }: let
inherit (lib) mkOption types;
pkgOptions = builtins.attrValues config.vacu.packages;
enabledOptions = builtins.filter (o: o.enable) pkgOptions;
enabledPkgs = builtins.map (o: o.package) enabledOptions;
in {
options = {
vacu.packages = mkOption {
default = {};
type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
options = {
enable = mkOption {
type = types.bool;
default = true;
description = "Will this package be installed (included in environment.systemPackages)";
};
package = mkOption {
type = types.package;
default = pkgs.${name};
defaultText = "pkgs.${name}";
};
};
}));
};
vacu.packageList = mkOption {
type = types.listOf types.package;
readOnly = true;
};
};
config.vacu.packageList = enabledPkgs;
}

104
packages/snmp-mibs-downloader.nix
View File

@@ -1,104 +0,0 @@
{
bash,
coreutils,
gzip,
gnutar,
unzip,
wget,
gnupatch,
fetchFromGitLab,
fetchurl,
#libsmi,
#resholve,
stdenv,
writeText,
lib,
}@args:
stdenv.mkDerivation (self: let
# this script depends on an old version of libsmi's smistrip
libsmi = stdenv.mkDerivation rec {
pname = "libsmi";
version = "0.4.8";
src = fetchurl {
url = "https://www.ibr.cs.tu-bs.de/projects/libsmi/download/${pname}-${version}.tar.gz";
hash = "sha256-8EilJw9BvIiww7Co/nDKTXFqRrUxoOyqqHxGL0nXSEk=";
};
env.NIX_CFLAGS_COMPILE = "-std=gnu90";
#env.CFLAGS="-Wno-error";
#env.NIX_DEBUG="7";
hardeningDisable = [ "format" ];
meta = with lib; {
description = "A Library to Access SMI MIB Information";
homepage = "https://www.ibr.cs.tu-bs.de/projects/libsmi/index.html";
license = licenses.free;
platforms = lib.platforms.linux ++ lib.platforms.darwin;
};
};
in rec {
pname = "snmp-mibs-downloader";
version = "1.6";
src = fetchFromGitLab {
domain = "salsa.debian.org";
owner = "debian";
repo = "${pname}";
rev = "debian/${version}";
hash = "sha256-W2VW3EJWmHwlqMoL12dFcfkYmAADLOtUWCydcL5qUKc=";
};
# installPhase = ''
# install -Dm755 download-mibs $out/bin
# install -Dm644 *.conf *list $out/etc/snmp-mips-downloader
# cp mibrfcs/* $out/share/snmp/mibs-downloader/mibrfcs
# cp mibiana/* $out/share/snmp/mibs-downloader/mibiana
# gzip -9 $out/share/snmp/mibs-downloader/*/*
# '';
postPatch = ''
substituteInPlace download-mibs \
--replace-fail SMISTRIP=/usr/bin/smistrip "" \
--replace-fail CONFDIR=/etc/snmp-mibs-downloader "BASEDIR=/var/lib/mibs; AUTOLOAD='rfc ianarfc iana'" \
--replace-fail '. $CONFDIR/snmp-mibs-downloader.conf' ""
'';
preInstall = ''
mkdir -p $out/usr/bin $out/etc/snmp-mibs-downloader $out/usr/share/snmp/mibs-downloader/mib{rfcs,iana} $out/usr/share/snmp/mibs
'';
installFlags = [ "INSTALL=install" "DESTDIR=$(out)" ];
postInstall = ''
mv $out/usr/* $out
rmdir $out/usr
substituteInPlace $out/etc/snmp-mibs-downloader/* \
--replace-quiet 'DIR=/usr/share/snmp/mibs-downloader' 'DIR='$out'/share/snmp/mibs-downloader'
mv $out/bin/download-mibs $out/bin/.download-mibs-unwrapped
cat <<EOF > $out/bin/download-mibs
#!${bash}/bin/bash
PATH=${lib.escapeShellArg (lib.concatStringsSep ":" (lib.flip map [ coreutils gzip gnutar unzip wget gnupatch ] (p: "${p}/bin")))}
SMISTRIP=${libsmi}/bin/smistrip
CONFDIR=$out/etc/snmp-mibs-downloader
source $out/bin/.download-mibs-unwrapped
EOF
chmod u+x $out/bin/download-mibs
'';
env.NIX_DEBUG="7";
# solutions.default = {
# scripts = [ "bin/download-mibs" ];
# interpreter = "${bash}/bin/bash";
# inputs = [ coreutils gzip gnutar unzip wget gnupatch ];
# keep = {
# "$archive_fetcher" = true;
# source = [ "$CONFDIR/$i.conf" ];
# "${wget}/bin/wget" = true;
# };
# fix = { "$SMISTRIP" = [ "${libsmi}/bin/smistrip" ]; };
# };
meta = {
mainProgram = "download-mibs";
};
})

124
packages/snmpb/package.nix
View File

@@ -1,124 +0,0 @@
{
fetchgit,
lib,
libsmi,
libtomcrypt,
qmake,
qtbase,
qwt,
stdenv,
wrapQtAppsHook,
breakpointHook,
}@args:
stdenv.mkDerivation (finalAttrs: let
# ./configure --disable-shared --disable-yang --with-pathseparator=';' --with-dirseparator='/' --with-smipath=${INSTALL_PREFIX}'/${SHARE}/snmpb/mibs;'${INSTALL_PREFIX}'/${SHARE}/snmpb/pibs'
libsmi = finalAttrs.passthru.libsmi;
# $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/mibs/iana/* ${INSTALL_PREFIX}/${SHARE}/snmpb/mibs
# $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/mibs/ietf/* ${INSTALL_PREFIX}/${SHARE}/snmpb/mibs
# $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/mibs/tubs/* ${INSTALL_PREFIX}/${SHARE}/snmpb/mibs
# $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/pibs/ietf/* ${INSTALL_PREFIX}/${SHARE}/snmpb/pibs
# $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/pibs/tubs/* ${INSTALL_PREFIX}/${SHARE}/snmpb/pibs
in {
pname = "snmpb";
version = "0.9pre1";
# __structuredAttrs = true;
passthru = {
proFile = "${finalAttrs.pname}.pro";
makeFile = "makefile.${finalAttrs.pname}";
smipath = "${finalAttrs.passthru.libsmi-data}/share/snmpb/mibs;${finalAttrs.passthru.libsmi-data}/share/snmpb/pibs";
libsmi = args.libsmi.overrideAttrs (final: prev: {
#preConfigure = (prev.preConfigure or "") + "\n" + ''
# appendToVar configureFlags --prefix=$out/ --disable-yang --with-pathseparator=';' --with-dirseparator='/'
#'';
configureFlags = (prev.configureFlags or []) ++ ["--with-pathseparator=;" "--with-smipath=${finalAttrs.passthru.smipath}"];
env.NIX_DEBUG="2";
pname = prev.pname + "-for-snmpb";
});
libsmi-data = stdenv.mkDerivation {
name = "libsmi-snmpb-data";
phases = "unpackPhase installPhase";
src = libsmi.src;
installPhase = ''
mkdir -p $out/share/snmpb/{mibs,pibs}
shopt -s globstar
for foo in mibs pibs; do
for node in $foo/**/*; do
[[ -f $node ]] && install -m444 $node $out/share/snmpb/$foo/
done
done
rm $out/share/snmpb/*/Makefile*
'';
};
};
src = fetchgit {
url = "https://git.code.sf.net/p/snmpb/code";
rev = "a092855bfd201778f87be578b91aeb062726e329";
hash = "sha256-nlS1pqv2ERZGkk0SJ8ByXqBHHho1GTSq/oxrXL2tytM=";
};
patches = [ ./unvendor.patch ];
buildInputs = [
qwt
qtbase
libtomcrypt
libsmi
];
nativeBuildInputs = [
wrapQtAppsHook
qmake
breakpointHook
];
#setSourceRoot = "sourceRoot=$(echo */app)";
#NIX_DEBUG="7";
#installFlags = "INSTALL_PREFIX=$(out) NO_ROOT=1";
installPhase = ''
popd
install -Dm 555 -s app/snmpb $out/bin/snmpb
#mkdir -p $out/share/snmpb/{mibs,pibs}
#for foo in mibs pibs; do
# for file in ${libsmi}/share/$foo/*; do
# ln -s $file $out/share/snmpb/$foo/
# done
#done
install -Dm 444 app/snmpb.desktop $out/share/applications
install -Dm 444 app/snmpb.xml $out/share/mime/packages
install -Dm 444 app/images/snmpb.png $out/share/icons/hicolor/128x128/apps
install -Dm 444 app/images/snmpb.png $out/share/pixmaps
install -Dm 444 app/images/snmpb.svg $out/share/icons/hicolor/scalable/apps
'';
postPatch = ''
rm -rf libsmi libtomcrypt qwt #ensures un-vendoring worked correctly
#smipath_parts=(${libsmi}/share/{mibs,pibs}/*)
#smipath=$(IFS=";" ; echo "''${smipath_parts[*]}")
substituteInPlace app/preferences.cpp --subst-var smipath
substituteInPlace app/*.pro \
--subst-var libs \
--subst-var include
pushd app
'';
env = {
include = "${qwt.dev}/include ${libsmi}/include ${libtomcrypt}/include";
libs = "${qwt}/lib/libqwt.so ${libsmi}/lib/libsmi.so ${libtomcrypt}/lib/libtomcrypt.so -lqwt -lsmi -ltomcrypt";
inherit (finalAttrs.passthru) smipath;
};
preConfigure = ''
qmakeFlags+=( "${finalAttrs.passthru.proFile}" "-o" "${finalAttrs.passthru.makeFile}" )
'';
makefile = finalAttrs.passthru.makeFile;
meta = {
description = "GUI SNMP browser and MIB editor wrtten with Qt";
};
})

61
packages/snmpb/unvendor.patch
View File

@@ -1,61 +0,0 @@
diff --git a/app/preferences.cpp b/app/preferences.cpp
index 29fa8c8..98e842f 100644
--- a/app/preferences.cpp
+++ b/app/preferences.cpp
@@ -22,13 +22,6 @@
#include <qfileinfo.h>
#include <qtextstream.h>
-// For DEFAULT_SMIPATH
-#ifdef WIN32
-#include "../libsmi/win/config.h"
-#else
-#include "../libsmi/config.h"
-#endif
-
#include "mibmodule.h"
#include "preferences.h"
@@ -288,7 +281,7 @@ void Preferences::MibPathRefresh()
void Preferences::MibPathReset()
{
// "Reset to default" for MIB paths
- QStringList defaultpaths = QString(DEFAULT_SMIPATH).split(SMI_PATH_SEPARATOR);
+ QStringList defaultpaths = QString("@smipath@").split(SMI_PATH_SEPARATOR);
QSettings settings;
settings.beginWriteArray("mibpaths");
diff --git a/app/snmpb.h b/app/snmpb.h
index 63f0d6e..c1da1b8 100644
--- a/app/snmpb.h
+++ b/app/snmpb.h
@@ -20,6 +20,7 @@
#ifndef SNMPB_H
#define SNMPB_H
+#include <qwt_text.h>
#include "ui_mainw.h"
#define SNMPB_VERSION_STRING "1.0"
diff --git a/app/snmpb.pro b/app/snmpb.pro
index b6ee631..a5ff14a 100644
--- a/app/snmpb.pro
+++ b/app/snmpb.pro
@@ -83,14 +83,9 @@ FORMS += \
INCLUDEPATH += \
../snmp++/include \
../snmp++/ \
- ../libtomcrypt/src/headers \
- ../libsmi/lib \
- ../qwt/src
-LIBS += \
- -L../libtomcrypt \
- -L../libsmi/lib/.libs \
- -L../qwt/lib \
- -lsmi -ltomcrypt -lqwt
+ @include@
+
+LIBS += @libs@
RESOURCES = snmpb.qrc

120
secrets/liam/main.yaml
View File

@@ -1,7 +1,6 @@
dovecot-passwd: ENC[AES256_GCM,data:pcj7T1AKqZfMBGiHiihW0WxVKzAiy6xsGGlOhOV4IeHPEn+SXNoQjTQQVhZoNxYsENptH54SgWwlMETCcQrQzq6prrktlT3iZCnwlwvzaNRXrMe1mk/WT+OiTpaQ0PWGfrhVkQXj4bxWKCRc2i3NJxm1AtYfE0nNL/1dUk9rzwYTH6zjiQFYmZHbwzjtxiE3YbZCwYnpNR3Ql08S4kNf5TtsecFtTY1VOPFRycjEfIIIUbVLUM06DZ5savKVNRdgaVMUuXyPoOxy65YbkwZ9vkoBleRShY0v6FOgG1YLmQmr7f8QtiHlFbA0NJ0vUkg8bgSTsw27jC/JQU0qTSNVrMHgzfApw6GUQgGTYZK24tFCVNBJ3sxvTbuVOcShy01yJA==,iv:5gTo8ySgq//ZaY88F7AcAa2CEe2hXR415EqqSsYIbF8=,tag:DOf4yEXW5kzYAL89KQOAdQ==,type:str]
dovecot-passwd: ENC[AES256_GCM,data:cZt43pgPNbORpqX6KyXvzVt1Q8tNz1cMF9YVUyL7saZyFqA5XA+uywU5yVerjdsTXfx4QeoYbA+bDE7qwdjTQBpEoEMm99WBb77rac652VGXXCas4nrbwMmZbUY2Z57PKd4GPN/i57VAD6eHiTV8HCd5OwiX7AlpmHXImgL9jr4P9skyTPIEnLF3NUVxktmAjn+X7IwmBH1mtn5Gesc5Q+6hoTQMwLn7ilYWfcOvaf5UOsHS6zvuTlGPuISaLPEvx2CLBccu7I38kKafCLTc1FOhdrFRu2n9/6gD1yIxUnbCkDWpcIV1e/3FlU5aQM7c7duQFVuIW9KpY2U0R2Y5Miv0ciU2D1GaJWMud7S/HCxPrQo=,iv:Arppozvg9+bjNCIJl7kRwbwGm2fuf7CjBfEfDT45+MQ=,tag:+PeAznYRW9S0Ok5uEn/qpQ==,type:str]
dkim_key: ENC[AES256_GCM,data:CZC/1U1cJUIyNhXAWp+YFJd0pZZKvZClJxOh3uZ3YyfEQBiK9nEQryAJHirpFXAmZTcGhsuotkAuJvVQtoh/pM9YGkrncCKlw+P96hiafHGoSOnqd77DazcVERwGEGYBPK7fIZfhpAaYiIvjwq6FbMzkkZ4vLcYRNRj+LCtrXu4K5cy5ZJaRFkLCiaIVHhrOfjyhDFCkFBd3pZ/oCGH57teisjFl+LWFqGOQFyGs3Vkv0bY1fUTUtFvpYcTdrRe6A7yI3OGveX3Q9JnDKD+PBqHhd/a/OjBF0Xme6BeipRnv6/Md2F5LNDfUWugOtDy0xigtWAp/mbVel8GYgTXEQYv+sxVu0kFM7bX8fa/A/BHNx98HFoScwLCt8VmCc26asfGvGFfADrJMBIk2IbmqjQ2NV7/ejB6Zym7tjLLpYI24LBAyZDH/Rtw7CqGPmpHXCQ9xILFxLMdqMSmgPPJtF/75qFICCQH2p3CHj7b/TmTpu8RLIVu2pxG48u4VnUgJE1zPBeaY5EY1uS7L5sF37CI+vMy1mY/3m5ZsWeOu9YigZouYy/Y6OrdtOzaEVaipQ2cYirD00MOYqO57izmjuUdw47OJ5zK7XInR4MHoLX0PfdJiw5Oq8OVir6KJf9UWPSXBbSZlj6PMkqbvQ+7VWJmDT0jKTbRg2M1eZCbcRrJAnE/YenMqYFXiVY1dOGjcrrxUn0zcnJ51UJmfDU2+UQc7urBVtqm7jfegudQ+Em735ynclMfYRWvRXQGQUm2YCUFXTwd6RhY4hHb32j6x00hi6iLjt1gjlMx8pHAcVbqcOdHFoLvNe1DlBsl/7jmL7otyY5m1VF3+H0tksDTSYfil5oudMEECTPypsZfp8iLU4xgjuh/+fXjZf4hQJMiA6OaGMw7R2cwvfiuSaHL/iz57ZtlHFW6TMWK77UBU2xZACVfylnqEaaIgzhYX0/wAsVQI+gqt03EsUx/AqlCFOCrOSwjov06k2bTDzSDcITayLkf9UjwOo/lmRz+7fCfvCaw26wZCEsEtRBfLrZc+Ibwq9uvNDsrV1hthi0qh1ngZonQOA1Y2NURDom3VMKkfu++nFIV+CGrAI5n0CVlVLkJn4RbPCDcmNGd9Kr8pYv7rU4MnMmD2n2M1OzAJbScrbb+f4Z8hEOIUk0dMVxOr/clrg+7F3vqceZC8VTzBbBAH4QuBAf67VwmZTpDB5bobFv/UwEC8pJ4HWmKcBN+s1QihtD7x+WYz+8pSNucr+oN56fiY8xAyvFFyTE7/zNWlXVi94E0is30q3/ZB/Gog5eOQT21tOI4Ak0N4y+ElfNIXSqtEUGhck2DIjfegygpvwiuu8ktEZwje9Q4SAYK8/0THT8ANyzDunwSocMdztL1zF6/ZhDub8hmOuaRJWotXzmL/zCXSGR0nEPXVSmyXKwHt/4MMGkasXOXetrENKIwDqYdm1eZBMCl8EGnyAbAo21LAfVTI0GLrNoFWNTPkpBIo3dKoBofmdRei/jHtQmBtvaILUv6UsIAyjJ+x2cpARW+yMIrv/0g8MnDMj4cCiIFk+AIXI279BvMrkVP1cOA7ESJkLe1hsL6+b7lmrhAWK1cpDnIWTXJG+v9aKlc0jz9D47gr7kD/ePC8sMaI95aQBbA93ftzYhKzsU9hINsU/IKGmT0rXS4j/BPZ0o8uC1HRaMjdE5Z0KHsebS9tn8lXfHFgX5wTDMaES9h+usUJrjc6F1lj2zYP5oTOjM8YmN6YQedo3wmi/PnA/8YMXz0tRFAZvg8VAYYtsfdV/2GLtjfD2YRK3iHsg5+GSEwqFafmWGgr+uhsl4JmKiASWJvx0Ron8RwdEzK2MC6WD1JERLU4UojOfx2xy5v15eveNnEufb7o1MJSAbjuRbVYiABqNFjIwe9hquIyTYVsiqiXi6fLeIV4fsTtiI5LLKx/6dOw31nFg/WfFWzvzLiLJ6b0NZowECP+Rsvzl3U0Qo/LbePyY/o8UYOo7u1zLpzxIOPyTqdKh64WqGYnqXmWy1ga57vnyl9mWhzr9ZlEuhM+0U8bVelIXmLTZp1Nredrs8E5ERdVnKmThbrLr8GvJAl4B7g5BIrGhSBB841wMm9h/SheKdq8SN9gUDRNgW0QNFkflBhX5ZsAHlPiJxddePbbAxfChv+ClG0oDuFDoSwSElCRR9GRayLRiws6CCDhviU8ub5JApSPTI9p/UjSJePSj+GqyqljTge0J/wgxRL2pAHk1HDQyOnv4kFZ5UhMFjU6GvbuPl2W2lqICJOcK9UuKdvivGsYkSSrOfke3mZMh52/f+03ciZ4xlwjDGV91kGONq5GME8dFEPD093xg0KbScfWanRWSoV3fOxitPWpcJ+xuNnDDOHjzLOYgt07u1QQs62rg/6BII+1XKBowLwG9Z5aWexZ3yCzrOR70pLRWPbOJNCAggEIaTkIa0ukOlaPbGzSZ6LuIyup7ex0Uabd2cOuvmAdMqGwnIB7fhtkdR7G4iDbnUqu7hbFurJn/3IZalJvbyZUuvC5X4oGU/CTWzDtdSgv5jQQ9qnr9ehCNCWjdg9T05v65XsW/OwHnRUN8A+1vxBIZ884lvFoOhJYeKXMufdAg4bCzUE/kdctRPwAVt3OjLnykXYcJV/3Ch+YIwv2vNA4pXqsMw8wgxX7DCvrCrVpkZAC1JIE32aKCXrN4tRUMrc0mnqUXa9M1rc6HCGa/vFCMj5ZW8xP9mOG+HEJFiJaV6ydxvhI7NMyXW2YDSxVh5RMMjXHUBq/bKMHPrLN57qmzvtcKUNcmS+VTvjS64wZlUsA1PEVwaJ/EQVAaY6ZeZi0CJ2A3YpklXYJpNqYhv8ICtFK2Uf6STfNYGaLTW2bgfZpWhic1y/V4wAWKa5A/XALXec+ioFr0foQR2ADiUycQYhMLZPSKPnWhcmwUPY+KPrjP11raVSM4ehtKdDlrbL3vmw6SlwowveyC3aqiceYzISWAw9o+ccvLs/bedEBeC2af2V53/vIuN4XYWjtZArRyqpzeeqlnTOb7vhpI84plXJdGHlmw0bml0yV3r3ucgB50wbAMRvQtJQ6ePPfOLOYLpDYFLPZJci8Vc3vRInskPOF39m9tSTT1noUSRZ3IxGi4LiUT76nAgI8BeTp3bqNuA6Of6I4yYS4Jmmby5C5eel0Ozl3gkMk1xuM5UTwcE7EDkr9rnzxs6rbx3CpQB3y6QB3tAe00zPpMm5YKJq1AKqvSzPco58g1vVu06e3l+tcGyt85t5wQTco3OX2kgBBxsiA629yAWcSIqKFZ+o7nTpA+zZmQrjVganWflbOhVNkvRSkLpThkYVlnkqBU9ixzQa79xVOF3WmNYBhdWfnO9VxFwE4MqgpOyL7sz0PsV5/ZsOy8m7DadM3GCS2mFtWZiM1RnGCayZvyY2KFNj3I8qM1HGMMfeF+3KXjyCBSyBkD25in85M0QaPlMzBxFZupSoleJLLwqd4BfsLk+POiZjLQQseSDVSqrjqWyE6d+baiy+m6d+z6sx4ojRf+q9wlMjZ2oRa+wsLnhbCrdHsZi6Q9eZawU6Vlsy3/KjarJABnapJsMbHYTlwPHlPYU6Du9T3lO2aJuTewOzA42Aoqm2Tlm4xh0GRV6Rx7najkMjc3cex1DAu0PNaFzWVBD7yPuv9FS+DzdEneEj9Tx81v245I9U8Oc6yacu72Ry2CG03ONld70oEU2BHrIgswoyMNg72hnhot9jfDutjJrB10b65pP5WZOAUGtwDh2a2KrdnYG/TGId+ehnkkwS2Sd87/CM4aaSYlsVneId6bXYpUcxSLroXUAHsigA3rjMpNpvR8XRiQZUfLWRQ+d8gyL5PVLp1H7R6LEDO4sZP8IuDJfxDzlP0Rh6GOQgu+dlkcxWGVHQxcexBThMURJYVMhTDoYopEfUqo3j+q7Fla4Q3HdypKg17VyVfEA/J7Nie+eDZvTEuvX0jWQmGAFdC9GbkVuT7hlzYx4kZ6/B81kVyQi8e3L3ZBAYHQXbHeK4GhSWQDwHG6ZBU16KrD6dhjIvn4HlXaGYaPMvv0Rp+yjeiur/n0NOWyvx0R1RrksbsyeaLIEDhOS19wXP4kiDrTR2qJN4LHcWu3m/hYuB4Fj72qyr2K7osXvbC/up2bSpY0IOcei8Nc/hIhqoe7uM4Jg3cpXt0hTpcDZ74HNIsd/6f592BqpoXIy5Cr1ZOxmnpkHdgZIyJ3KqwZEhYa7pSkOIIEAY9EnTPm3ViBHQdqjUpghYNzntO8EomNNw0sXUFFrwlGAY+ntLYUty0kREWt4l8Iot+XblCc8FX1gKYSqhnJOGjHHjOHO22Cr6NPJdcHfgkIBCknwwFWWMRPwZOomE=,iv:7LF3l52m6YRKGd/8rxDady3AbSEcXuVRsIaLlgNfKOs=,tag:UCjMRgFZFHQyXY5NfbZRcg==,type:str]
dkim_pub: ENC[AES256_GCM,data:XLYRTAviK+r6DnRU4+lc58elI3FJ+FPsB1A5sQOk+pb+fNu7zFCiZdz/MwTVkE9izDP1Onv+VhV8sRgmxacTv4nW5GcukCrm3FmCp2jm6QF1/40/WRv6Lkbek0tV1bMOQPy9Zj8wdO9M05XCXUVXk4x17rj+lw8ApwJS2pJMoultMFx34tx2pNEnmO3MFtuBOxzeU2yP+NhF2sJNA62to78AiH5EblkoF0a6sUYk553U+sv3Ob0lo1nSv6c8zwl7y1WSNQnLK+/3WxSVGfePHVsVM8Zze1KFTVLQQggIzWTdcr7AgcTGbk3kaYCeucfQ60pVlqOyPnkJoUJ8HR1RSajFk6Ylzw0xBpY85qAXNT2YIRiq0HTUc1s5lD0luXLQEP+g+XUwZfzFRZgt1nWBlPmpbj2Ylj1FfrA7EXsIK9nyo+rf0qRn/4HusJATr9ddYmZdxwazl1FXkOKLHPyu1NlzwoTNSQQgMHlzxzUvrrv7+mI2nQvXRx82TSRytqrMvoBTF1NFX+pRjhNg9fcq0oPJ2ORqOVQsxzhLhB+tw7Cg+UHGWlnKnkqaKH1JDmOFyJDB96aPUnSQT2J8qkyb+hMBXz9mme8rZopkHrA4WyDXv3zpEi0P5Sj0DDwdRxKMdDdZ4hw79YQIrd63cIorN8XG6Icevb25LfekLEq/C2FS8+kADagyOM0uzCw2p/qacNz37ZNGqPK6gYkjnyoAfSm14zbgoLX/5dnf7eCuMatevTm4AcE53RawQfzz0YNJuEv5uqD/WUy+UIKHIwxPYY9FWBBPmH+8eaPC1mMPh54I444b39FwpnPU8GwxEPsjRg8TSnohawNmmhEWEpmlawEKw+C+BE6A2DmVJzyeBvVRwe/W6CPgyYxgSGWUuvfZFm1GrzwZDjCOEMRn7qMwMBxh1nr2BOAiNxA38UtsymaZO5ZOknClWlKIkIFl8NJdVITNNsI48KMuSY20o1puzkxMaAUH3OrGEhtoHrEOeIq+KCFzH2gZo6L5hbv9CHM7QgCYsbtVIMwL+cRZZaSNubS3K48OmWJnHNuqkcrSI4lqfjLhz1DbnQ==,iv:/cNMmlpq9LSOk0MwVq8NaWvp47q68lKWTx4s5nkwF5c=,tag:ZNX+yZsSxdhFsavDpX380g==,type:str]
relay_creds: ENC[AES256_GCM,data:yWG53NaiA2s5aUudZWecDS1+fOURTHd0D0rNxZ9Tud9TsTO2F/6+5i3vRz/4qP4FoBexEVoW5Xhkqo8o8OaGOpZHh/Nla7TJTnaSCgJw9QPfFoRNiE9f46LytXYThiCGBdy3Z3gtNmSX5BQk1zNI1TiHBFG4IYfauq7e6jJ4Bp/9z3LRknDITdlLjzAPjIO5kUG95IrQQCl3SeAjS+LwxPFRuV1+zWNdOXJLmSeWv1JcAcyhkwutMhQYRGMaS09bbXp29N8DX3lsAK9pYZLr5F3gXwOrZN7nG4+K0KOqfMI4UcLpIOlCPdj9XjgAYcWC+LL5bA0W53e7je3IDVebevDheKPowKK/A6le2TfqXKfhOVi4qXaEsjOBIJzLylOqXoAb1ZCM3nTHCC3M/r3/il+6RnFgISOCHezTiEYM,iv:0kAJzoV/HEIRuEAxzWAaQqwlzWlBSwklipWquF9WeoY=,tag:SCQOQCXm6kmLSYhkT6dubQ==,type:str]
sops:
kms: []
gcp_kms: []
@@ -11,113 +10,50 @@ sops:
- recipient: age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZREpDaXVwSjBPZEtaUFU1
d1FTYnV1STlUdW5oeis4RStVckcvUFhPcndRCnNUdndTenhxN1M1STNlZmtqcWtI
amkxZitGZ2p1ZlNTRFVaYkNvWWdnRkUKLS0tIExLYm5PYVI4aFViaER2L1dUOGMy
d05BTDlqanFMQ1hjazRLUUVlaXpHL2cK+kXvv9khiwYlBK+lmqgYmHNNjMXHU5FZ
x5dpXndIiTRJ0cGtEgK78efbQmVNsHAae2X0E0IxbvrSe26S5PIbMQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3S0FqZWxDYmxHYU5FZVQz
V2FZMFFSVXJubVRaNDZORDJPSXhHMnludmpRCjJrendscEdqU0p6K1R6eE9FUGtj
RVB4Z3dlNHlBSHRhZ0ZMODdDRkN6ZFEKLS0tIFlzUStVWmhlYWExV1JscHE0KzhG
Vm1uUmhQRzAvL1YzTWVVbllRUlE2Z0EKwg6SBat+CG8E7/j7K0sakqGSyJYNzXqt
b0DMsGq9GnHE1Ph6gGVVWO+pos/FGuunSDyL0lcXk9xJE02FErnw+w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBONXlpMm5KTmZuKysybU0z
OUJCMmdrZ0V4amI4NTNtOEFqSXVtbW92cjFVCmlCZGF4bXMycXhJS3h6OWVpV000
SjZuQUFxelVpT3BXOVh5eU1vYnNKMjAKLS0tIG1KYjZJU1dMd1Y3bmxWaDhOSEJn
SUp1akQ2bUU0VmQvVkhheXZ4Zk5jWVkKqJ12/g0H8l6WwpiHxA0K3g3Ry4dpPb/h
2m84IYzpQA28BRCSHeIEeH1hQ1jU33/625XlNE1iJncPqu9YH5mXug==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNVl3ZTNGWGdMT280MnhQ
R2RHTGRWVFpjMWltMDVIWk1YSUc2eEhjbWwwCnNiTjA4dUZuOU1tNTZtd240VXpU
c0FKY3VoR1dYUVo1MDZjMEJ5MmhjeEEKLS0tIGhuT3k2VlFpTWpJdFJYM0JhZWtS
dzNFb0FDcERGTFVUOTgxN3czTmRUME0KihoqiXkph3sNWTwn6tFi29z9jnht6JRT
zOMNiaWjMHQ7GiR+Yv1JMWrEvKRrEjNaFXt89z0Ebx4llTtyH8W2fw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLM3NCcGVPTS9hWHQvMCsv
RlJ5M0tVQWZIUm1tWSt2NlFVRGtHaTN1Rmd3CndVUHpEcU15S2lmbHpIY0h6WW1B
aEpRZVgzN0puRmlMNWNQNW94TXh6UUkKLS0tIEVXSVVVL2JaMGRFcldoVnZ1TFZz
bzJ3UGl1aGpsa0FGSVkzeGRHZDJWdmMKZgg4UtokzNDBuVZYoyYirTI1NEC3QGmm
ilOukMvpTZFYtKbwWVOuB8kyeudlkupavzlnHYAGBbpMVccpPeZHAw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWE91QUFmTzdEUjJ3TTFX
Y2o0Yy9BZjdkc2VVcis4a3FlcDVScDF5eGwwCkZocDFIN3B5dHdNTDNaVXI2WHBF
dDVXMDdvOXVBM3V1NW01YngzclJ1RXMKLS0tIDV5M2JURHkvWWFlbGtUNEhxZ2ZE
RVlDMDgvNVFOamlFR1BZMUtrMzJ4N1UK6r7QbX3nEBu+S8e7oqCk3ys6hqXHkyW4
z4hWz1rr/23JpGR2ENRS+DpHRCRo4KKRhUx2hLc6C2XijNgD4YsUCA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOZ0tyczJoVzZxUmhIZG14
WDZjSlM0Q2F6VE9Yb1hRV0d5dGVoVmErVkJFCi9HbXdxZE9NZ0pLaFo1Nlk5QjRV
TSsrMlFqV2Z0OVlWVjRnYXpyTlNWdUUKLS0tIGZ5M2ZEWFR0NDNQUFQxMW1tTXlP
dDRaYnFZajR2S3ZoZ1FFWURYVFVpSFkK8YuczSfs+j3dL1OT4sr2/kfdAxPRstJj
SeDlvg4C0e2wKrqj0QwjN5oz8t21ELerXska7yZ3cod5gaQcFxB44w==
-----END AGE ENCRYPTED FILE-----
- recipient: age197a33mlf5294amjx59hycctu6wm4l3cu3w7n9rv3fs9340ql64rqjzpr7s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBNWlKeHh6UjNIRTAycEJ1
UVhJMi9CUVBsVld3YlBEYjVwaWE0T2V0cFJzCnpEb2ZxNkNwMDBDQ3JsQXVjY1lS
eFhqSkcvenkvOHNOclI3dkc5NytmQjAKLS0tIHkrc3ZEQjhJVVZlZWVJMVE0b0x5
QkxVMkhOK2hUS0lQVGlXYXUrVm1LVFkKyFIvkGHeykZBib8gNln1mEHtU5+Xr9rC
RpphkvAU9AA4J5/LXQs3To/WzTg9gt2fSxtrwk9TLheheRfUcHDuRQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqj8z3feqm2dk3gj8mxpfn5dpqnsmus862e8ayd0d4cdresqffdswcf9ru
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aENxNUpXUUxTcEZobkpW
SFo1UWlUSXRWbzF2bWp6WU9Idi93OWQvdGl3Ck1rdlNYZFR5dThKa3NaVFU4NWY4
dTdUNUdEQ1hkWkRsT0dNbVVqMytnTXcKLS0tIExXZlgydnhXTktyeDNrZmg0RFlt
QXAzNGk3MmRCSng2SlN5bGdiSTlJRTQKXy5hTxS47WVjw1ILaaNfMaW7YMIS3FGP
hvYeGGL2WHstUapyYb/Rgn46KJgk1gfDchYyHq+06SkpZRaUzCBDUw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1rz75dqzfd6gulwh270ukmt5amcau6j8dpxgzx8fm6u8sjkyx9usq69y4s2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUYWl1NUQzMElhbFBrbVBu
eURzOGFJSW85dFMzLzR4M3UvOVhQUGYvS0ZRCm1qYXJTUnpUcUVWUTFtRWQ2OHBO
UVg2UC9OSDJkL21vV3VNV0l1Z3ZHcHcKLS0tIDhVaGpFZ1djSnFaRnVKckxtQU0z
YlAyNGxsYno2U1NIMDVtVXJwcFA0ZWsKdNW5iANSWOGdSRYeBf/+/gtk7b+IN/ir
lo1HtaIT1a5tA28JfAo6ixIKdF5nnSIunM6Z0JlF9zKuJbBOmdVbHw==
-----END AGE ENCRYPTED FILE-----
- recipient: age148huz6rc3q9xx5t873ncx75sja2sazlescwspxl7lsmxsqkz0apsy8cldp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWDd5Yk1pNGZ0UHRrc3lu
WWlPZTd5bFIvNVBqTWplR3NzdS8rQ0gyZVdVCkUvMEg5eWxCWHNyYTcvMFd6ek9y
Z0RudTRHanlTTVhYZDBuMkpsYTcwWjAKLS0tIGtDemJabDRVakJxMUdVUWQ2VjIv
NTBabFVLNENzWlNoUmZSUXU2eEJtdEEKuOXBlsIBsgjQvRZ4fKdoLfs1gqZYa4og
9o/mo+ciXYU3xPPOhnd/OTar/8pBpCBBCO0Ag+1Me/dVYbA0s8Jvvw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ck6lhd8thjcrdcnkn2epc8npztg0sfswahunjkwcf57rr0xaevys8fh0x6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUnNZSEtpb0JVOTVjazFB
NHdXSnVxRm4vaXN6VE5leGU1Z1JGOHFEUUNVCnNwdUxweTVlanR2ODdvTzlDWkZR
NWVsY0k3WmFOWktsUVJGT1p6QUlKbGsKLS0tIEtnRVdxeWVYd29XZHVQWmZCNnhE
OElkbHNtUG1ncXdQWEpOcDNMeUg1d0EKF9OjITJDrkfZA2wI6Gm+0+MTDw4OPkQt
SDbNe5Gllo8BC1jTRM3H+uxsQ5L0TRrwnrSxNYjNdDIRHMrIxi3qcg==
-----END AGE ENCRYPTED FILE-----
- recipient: age13j6l33g0ghk4vezn0qwfal2qmcgqwkv89ejwezpe3n47mw8yxyuslj6y7d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVk12WUxKdWdDVWRCU1dk
VkhNZWhNeWJ6OWJJaWdXNFZwRlZMT0lOTFdJClRyYkQvank0cGlZSzJGaE1LVVpO
VURjMnBIY3VvMkVnbzlJVGF0dU1FR2MKLS0tIHZlV0U4azN4aEVRU1YzWDN6U3Nz
YlIzbFBDd1pqMTVQa0diYnZjRmRRa2MKcPAvAB0B/zNj+mcavMkJdksWl8o1j8oQ
gGG8xdIEPT9wjfbL75IvHOy/7TKJR0uVomD8IB4QuVi1MxJh6jNJQw==
-----END AGE ENCRYPTED FILE-----
- recipient: age13x0f3glnz4jvqty2v92cxrrnjcna6ed4qegrhulw9jjy08zuy3aqzvrfc6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbmxpNlZvV2JWYmRJS3lq
Um5GVDQ0ampMTDdzZHB1RFFqZ012bFZMd3g4CjdoMzdOUXhtSEF4Tjk1UTJlNGNG
TzAwSDAvK3VCL3ZheW1HOHFCclU0OEkKLS0tIDY5anhYeTQ5RGxNUlZNRXg5Rm1o
QVk5dm5RaWpocUZrWk02Slg3N2lONjAKxWKAmAHt9x2T/9bh2mnQIF03ufffO9wF
79jffMh/3GyX5Pk0IbjMWwOn7ahQWOEgD58C1Lja2wpixLdwb0wgfA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqelVSdDFFcVZxODBiVkEv
QUhYUzM5SDZLVWQ4YlB2UGorZWlidUhIa1N3Ck96TXFGTXBtSVFLdFY1b3BKK3g5
ejZFTkZOTDdqdHFsWmRKNEcyaUZZWW8KLS0tIDJtL2JaRE5XaHNvYW9HMFYrbTFP
NUFlUTVvQVdiTlBZOVZqSjA1ODNhUHcK8hnqUuHjUgjF8nbZgY4BTkk58BbRCYWV
NOPw/jUdEZBRoTJqoEdOLAtW/x1h7Xo+mpVuDW0K7h07LiaU7FL8xQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hkve3khk7fthyrwxjqdf4r37lrqpmnkz6mke7psuphvu2ykynqaq9g6ja5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhcUJUTFRrZmxiN1MrZkZB
V2FjSlM5ZUxyUFZMKzRoYzY1M0plcmhjckJ3CjBhY0VRT2VMRUR2N01YZWZVRkJk
VEdqSTNvLzNBOElZVVUxZ0VBekx6RnMKLS0tIHNtVlA4V1R2bkFBaVJMYkk3eUNm
TjhQY0VoNU91Zi96VzZGaitsWHptT0UKZ3Vx/iqilkHrFkAbaSeJZNmSOzXvMDX6
HhcXrrq+sVjnq0XhOqWVY72h8Hp3d0JWA9VOxNQRyM9hdVENXur8YA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UDNVSG9Fb01YSWJTdXRD
UFB1dWhpRUFhWmMwTzdHeTNRdlg2YXd1ZnlnCndBRXBpMTJWdFRsMVNYeDBBY2g2
ZEZKTEw4dHpHSlFNT1BsSXQvaCs4MDQKLS0tIDg3YUlJYU1nUjRTTGtIeTJBVEhR
SjZLWG4xNmxoSmtaTFZweEd3TDJ2QUkKcI4MdgglGFJT58ugHebiE6YQUehEomnH
qPZdH0SZAtJxBPqt78wJqvndR5INt5HBmLtXMDLLEk8o43lqfIkK5Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-10T20:44:49Z"
mac: ENC[AES256_GCM,data:tSTKCP7HUUCSCrbeiLutPghjfbL9TsxuCmbARUqwQBH8pyeOsyFHyPCqmqjCDSu2ha0QTldNGM9baiIQa/05DV5KNmFfVuoWy6dd4/3L5yNd3FPkzR2SvBua1g09YZpC1G2IaGrOcqBEOY9baILeBGgXfxRtcpMVAR2C3bOqJyQ=,iv:4phBdZ/4u5DAbUn4Z7pdrJym+iG9oxZSsIPZqoDEqco=,tag:RJn0416yl+0FV9bTu5tA5w==,type:str]
lastmodified: "2024-03-21T22:00:22Z"
mac: ENC[AES256_GCM,data:wnRif4PVGh1P29ZXv1XPF4GdFFhrsRkYmdlun4WsLDFs0Y3xIjPQRScAbDzPnhY6vaiGKZfx0+RZHHMMFyVCz4bmo85MzGuF9H2QECBfWBNgCNCKXqz7pLQHA4c0u9jiatuc9PVc42RokJ+rITn1cWV9tLGot98ealpYkJbN91w=,iv:EL2Y5WZtWB6IRwnrGmWV5QO3XiPOB8IJkATbZTY1/oY=,tag:/z3ULuFshOw/ed+G3W8OmQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

122
tests/liam.nix
View File

@@ -1,52 +1,4 @@
{ pkgs, nodes, lib, ... }: let
certs = import ../deterministic-certs.nix { nixpkgs = pkgs; };
relayDomain = "relay.test.example.com";
rootCA = certs.selfSigned "liam-test" { ca = true; cert_signing_key = true; cn = "Liam test CA"; };
relayCert = certs.caSigned "liam-relay" rootCA {
ca = false;
signing_key = true;
encryption_key = true;
data_encipherment = true;
tls_www_client = true;
tls_www_server = true;
cn = relayDomain;
dns_name = relayDomain;
};
relayUser = "foobar@shelvacu.com";
relayPass = "asdfghjkl";
relayPassFile = pkgs.writeText "relay-password-file" "${relayUser}:${relayPass}";
testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
testAgeSecretFile = pkgs.writeText "test-age-key" testAgeSecret;
sopsTestSecrets = {
"dovecot-passwd" = (lib.concatStringsSep "\n" (map (name: "${name}:{plain}${name}::::::") [ "shelvacu" "julie" ])) + "\nbackup:::::::";
dkim_key = ''
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANn62hMdcFw4znAB
CKth6N4JD8XrNezCYbvyrUcVpGkkMX3TC9sEyZgGV6Y2Cs/J2Q6jKakC47nXebzV
Edk/kWsApj4J7PQl4t/G3vf1rdfICQx1pIspsmqQKsYugUG18EugEZzelai3+n4U
wqsed4551aRtwaws8dJQePOEEq1BAgMBAAECgYEAummKgXpVkqiJ8sMPlPEgYnHB
aXLjJNx/FGpOwVHCzp/DK2WG6ADKHhaecmgZCuYFmDz07bKo6U9arqBQqUdxpUor
JT2SS9RFP5MTsTB6R+eRqX8oMRQhcXB/+MczoSV/087vIZsL3L//6XoGyvjuHKW/
bvUR/F8PhB84uPU6RLkCQQDzXXj80iRhY6jHDwqoGf3BXd4O4cIAzPbBXN0W41fV
L5ZBm0K0KAgLnyjVygbsSn6lXsZXzAa/wAbSstMeCn7PAkEA5Uv88nfZSLU99XvF
WB9GD7lKXsAnWlf09F8hH4a1TH/zfGUCxrDdYNmdBdG6t0XuIVjay3TZcpW68Z2Q
lLeW7wJACj7KJCKYo3z1kwPAGBmYBDb2bTv11eDLFpLZP+hsPy5UrghiQ4FX7V1S
88Ugi3wLXtzhjrqpIhNsdhxPJPmeIwJAVpx8YE4a+hbT340v/thZS4ku6Vllw/9j
XIcuaM0mYE4Yd81j3g9in7mzUUZmY+H7UAdTJfTuShT6t1dQDIzIawJBAIJ+azsj
H5M2KsE3Nuxe3RODM/D4I5M5dngTkgNZQvUAywAyj9U39ZeFPEyXJyGkKNoR2CXB
hCvgabgr0wsi1y0=
-----END PRIVATE KEY-----
'';
relay_creds = "[${relayDomain}]:587 ${relayUser}:${relayPass}";
};
sopsTestSecretsYaml = pkgs.writeText "test-secrets-plain.json.yaml" (builtins.toJSON sopsTestSecrets);
sopsTestSecretsFolder = pkgs.runCommand "test-secrets-encrypted" {} ''
mkdir -p $out/liam
SOPS_AGE_KEY="${testAgeSecret}" ${pkgs.sops}/bin/sops --verbose -e --age "$(echo "${testAgeSecret}" | ${pkgs.age}/bin/age-keygen -y)" ${sopsTestSecretsYaml} --output-type yaml > $out/liam/main.yaml
'';
in {
{ pkgs, nodes, ... }: {
name = "liam-receives-mail";
nodes.ns = { lib, nodes, ... }: let
@@ -60,9 +12,8 @@ in {
master = true;
file = pkgs.writeText "root.zone" ''
$TTL 3600
. IN SOA ns. fake-hostmaster.example.com. ( 1 1 1 1 1 )
. IN SOA ns. ns. ( 1 8 2 4 1 )
. IN NS ns.
${relayDomain}. IN A ${nodes.relay.networking.primaryIPAddress}
${lib.concatMapStringsSep "\n"
(node: "${node.networking.hostName}. IN A ${node.networking.primaryIPAddress}")
(builtins.attrValues nodes)
@@ -70,61 +21,26 @@ in {
${lib.concatMapStringsSep "\n"
(d: ''
${d}. IN A ${nodes.liam.networking.primaryIPAddress}
${d}. IN MX 0 ${d}.
${d}. IN MX ${nodes.liam.networking.primaryIPAddress} 0
${d}. IN TXT ( "v=spf1 mx -all" ) ;
${liam_config.services.opendkim.selector}._domainkey.${d}. IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZ+toTHXBcOM5wAQirYejeCQ/F6zXswmG78q1HFaRpJDF90wvbBMmYBlemNgrPydkOoympAuO513m81RHZP5FrAKY+Cez0JeLfxt739a3XyAkMdaSLKbJqkCrGLoFBtfBLoBGc3pWot/p+FMKrHneOedWkbcGsLPHSUHjzhBKtQQIDAQAB" )
'')
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZ+toTHXBcOM5wAQirYejeCQ/F6zXswmG78q1HFaRpJDF90wvbBMmYBlemNgrPydkOoympAuO513m81RHZP5FrAKY+Cez
0JeLfxt739a3XyAkMdaSLKbJqkCrGLoFBtfBLoBGc3pWot/p+FMKrHneOedWkbcGsLPHSUHjzhBKtQQIDAQAB" ) '')
liam_config.vacu.liam.domains
}
'';
}];
};
nodes.relay = { lib, pkgs, config, ... }: let
mailpit = pkgs.mailpit;
dir = "/var/lib/mailpit";
in {
networking.firewall.enable = false;
users.groups.mailpit = {};
users.users.mailpit = {
isSystemUser = true;
home = dir;
createHome = true;
group = config.users.groups.mailpit.name;
};
systemd.services.mailpit = {
environment = {
MP_DATABASE = "${dir}/mailpit.db";
MP_SMTP_TLS_CERT = relayCert.certificatePath;
MP_SMTP_TLS_KEY = relayCert.privateKeyPath;
MP_SMTP_REQUIRE_STARTTLS = "true";
MP_SMTP_BIND_ADDR = "0.0.0.0:587";
MP_SMTP_AUTH_FILE = "${relayPassFile}";
MP_UI_BIND_ADDR = "0.0.0.0:8025";
};
serviceConfig.ExecStart = "${mailpit}/bin/mailpit";
# serviceConfig.Restart = "always";
serviceConfig.User = config.users.users.mailpit.name;
serviceConfig.Group = config.users.groups.mailpit.name;
serviceConfig.AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
wantedBy = [ "multi-user.target" ];
};
};
nodes.liam = { lib, ... }: {
imports = [ ../liam ];
vacu.underTest = true;
#systemd.tmpfiles.settings."69-whatever"."/run/secretKey".L.argument = "${testAgeSecretFile}";
systemd.services."acme-liam.dis8.net".enable = lib.mkForce false;
systemd.timers."acme-liam.dis8.net".enable = lib.mkForce false;
systemd.services."acme-selfsigned-liam.dis8.net".wantedBy = [ "postfix.service" "dovecot2.service" ];
systemd.services."acme-selfsigned-liam.dis8.net".before = [ "postfix.service" "dovecot2.service" ];
vacu.secretsFolder = "${sopsTestSecretsFolder}";
vacu.liam.relayhost = "[badhost.blarg]:587 [${relayDomain}]:587";
system.activationScripts.sopsHack.text = "ln -s ${testAgeSecretFile} /run/secretKey";
system.activationScripts.setupSecrets.deps = [ "sopsHack" ];
sops.age.keyFile = "/run/secretKey";
# sops = lib.mkForce {};
vacu.secretsFolder = ./test_secrets;
sops.age.sshKeyPaths = [ ./test_key ];
services.do-agent.enable = false;
virtualisation.digitalOcean = {
seedEntropy = false;
@@ -136,8 +52,7 @@ in {
services.dovecot2.enableDHE = lib.mkForce false;
security.acme.defaults.email = lib.mkForce "me@example.org";
security.acme.defaults.server = lib.mkForce "https://example.com"; # self-signed only
networking.nameservers = lib.mkForce [ nodes.ns.networking.primaryIPAddress ];
security.pki.certificateFiles = [ rootCA.certificatePath ];
networking.nameservers = lib.mkForce (lib.singleton nodes.ns.networking.primaryIPAddress);
};
nodes.checker = { pkgs, lib, ... }: {
@@ -145,14 +60,11 @@ in {
pkgs.wget
pkgs.python311Packages.imap-tools
pkgs.python311
(pkgs.writers.writePython3Bin "mailtest" { libraries = with pkgs.python3Packages; [ imap-tools requests ]; } ''
# flake8: noqa
# #!${pkgs.python311}/bin/python
(pkgs.writeScriptBin "mailtest" ''
#!${pkgs.python311}/bin/python
import sys
sys.argv.insert(1, "${nodes.liam.networking.primaryIPAddress}")
#sys.path.append("${pkgs.python311Packages.imap-tools}/lib/python3.11/site-packages")
#sys.path.append("${pkgs.python311Packages.urllib3}/lib/python3.11/site-packages")
#sys.path.append("${pkgs.python311Packages.requests}/lib/python3.11/site-packages")
sys.path.append("${pkgs.python311Packages.imap-tools}/lib/python3.11/site-packages")
${builtins.readFile ./mailtest.py}
'')
];
@@ -171,16 +83,8 @@ in {
liam.wait_for_unit("postfix.service")
liam.wait_for_unit("dovecot2.service")
relay.wait_for_unit("mailpit.service")
checks = """
--submission --mailfrom me@shelvacu.com --rcptto foo@example.com --username shelvacu --expect-mailpit-received --mailpit-url http://${nodes.relay.networking.primaryIPAddress}:8025
--submission --mailfrom me@dis8.net --rcptto foo@example.com --username shelvacu --expect-mailpit-not-received --mailpit-url http://${nodes.relay.networking.primaryIPAddress}:8025
# julie's emails should NOT get sieve'd like mine
--rcptto julie@shelvacu.com --username julie --imap-dir INBOX
--rcptto julie+stuff@shelvacu.com --username julie --imap-dir INBOX
# test the sieve script is working
--mailfrom whoever@example.com --rcptto sievetest@shelvacu.com --username shelvacu --imap-dir com.shelvacu
@@ -198,7 +102,6 @@ in {
--mailfrom julie@shelvacu.com --expect-recipient-refused
--mailfrom @vacu.store --expect-recipient-refused
--submission --expect-recipient-refused --mailfrom julie@shelvacu.com --username shelvacu
--submission --expect-recipient-refused --mailfrom fubar@theviolincase.com --username shelvacu
--submission --expect-recipient-refused --mailfrom fubar@vacu.store --username julie
@@ -209,7 +112,6 @@ in {
--submission --mailfrom foo@vacu.store --rcptto foo@example.com --username shelvacu@shelvacu.com --password shelvacu --expect-sent
--submission --mailfrom foo@violingifts.com --rcptto foo@example.com --username julie --password julie --expect-sent
--submission --mailfrom foo@violingifts.com --rcptto foo@example.com --username julie@shelvacu.com --password julie --expect-sent
"""
for check in checks.split("\n"):
check = check.strip()

20
tests/mailtest.py
View File

@@ -5,7 +5,6 @@ import time
import ssl
import argparse
import uuid
import requests
parser = argparse.ArgumentParser()
parser.add_argument('host', type = str)
@@ -25,9 +24,6 @@ parser.add_argument('--expect-recipient-refused',
)
parser.add_argument('--expect-sent', dest = 'expect', action = 'store_const', const = 'sent')
parser.add_argument('--expect-imap-error', dest = 'expect', action = 'store_const', const = 'imap_error')
parser.add_argument('--expect-mailpit-received', dest = 'expect', action = 'store_const', const = 'mailpit_received')
parser.add_argument('--expect-mailpit-not-received', dest = 'expect', action = 'store_const', const = 'mailpit_not_received')
parser.add_argument('--mailpit-url')
args = parser.parse_args()
@@ -45,9 +41,6 @@ if password is None:
if (username is None or password is None) and (args.submission or args.expect == 'received'):
assert False, "Bad args"
if args.expect.startswith("mailpit_") and args.mailpit_url is None:
assert False, "Bad args"
msg_magic = str(uuid.uuid4())
def mk_ctx():
@@ -75,19 +68,6 @@ except smtplib.SMTPRecipientsRefused:
else:
assert (not args.expect == 'recipient_refused'), "Server was supposed to reject this message, but it didn't"
if args.mailpit_url is not None:
time.sleep(3)
mails = requests.get(args.mailpit_url + "/api/v1/messages").json()
found_message = False
for message_data in mails["messages"]:
if msg_magic in message_data["Snippet"]:
found_message = True
break
if args.expect == 'mailpit_received':
assert found_message, "Message not received by mailpit server"
else:
assert not found_message, "Message was received by the mailpit server when it wasn't supposed to be"
if args.expect == 'received' or args.expect == 'imap_error':
time.sleep(3)
try:

6
tests/test_secrets/liam/main.yaml
View File

@@ -1,4 +1,4 @@
dovecot-passwd: ENC[AES256_GCM,data:Ji41+n/7D90/O/LVM+3FDNACZ6jJPT6QYVIGWLujCheIY8m6vaRmMXzPCTgbK+njDOfIv7O2Sko15U4CYqWXAi3P43Np8GKRcv5+4NE=,iv:o6+tYBHSB3reRIqvFGB39wHk3G1L5VKmkj9Fiinnvnw=,tag:wggoNMvAYyJzkh73C3bMHw==,type:str]
dovecot-passwd: ENC[AES256_GCM,data:OPlQGFnkklEQvFpQM3jrdHB1p1zM+n76TCCaLmM/DOYlJ6W3+8bGt4i1JJq+FbA05RiX0Yhpv5s=,iv:R47TNT306RVrAPSRpK5TjUoWJF4nXnBvpDpIhwpdxWg=,tag:iKTUIoano0Bcxjkb2VQeuA==,type:str]
dkim_key: ENC[AES256_GCM,data:nzujLrGttOL38d8mxglUcAQ9EO+sL2Gh75E4Wyt6siviFEpx5ZIpXkaC9XXmD2f6Ax4BHF8FTOB1cX0dLrRYp9gNOV007CsVUWpYf34H/J5bOUo1j+urYtbtA5Idu8FoUC3ENg5Ap4CId7jTtxQ9PlS9vTKQ2T2tIqmvXGE0t0aowUdJJdPfJLN1lMENY+/m9NxwArF06K/75BAX9LaxhNDzUHNwV9PK+htD9M1g0r7McbLtZpPut8tdkzOWGiUHIisPpXSTUk8LjrFY36DNngcXAyiRZtp6WrhINVABRKMVf92dYUQixpf6r7BkCkyRT60rAHz5UbWHI/saYHgXlH2OGK5hyZZ4JueAHU2Y7Hpvbw3UIG9jumdDcRda5W0WycJyGS4a5YZST907eDP4PuZayHOmp288Cuyc+kXOxvuCGjqiuZswokj4Ba4hIUUNJU1Ys4THYrf+j+iX0nKclGS+LXvqQI1cKUE3gBecxE2SW3BNzIOGh/ywO1kg2uZlUPpfGBr+Aupke/nULcGi2HVwX5EV47jpDyoqIEiVCy3OYSeQ2gkocIQ/y74fNMoud4kWmye8bAhprxVUHHes2TBjBb6QxQdmazjhAiCvgSI3p43QlSG2fqtQMcXMiANra1heRHHsOS8GKWk/ti9/k3/0YWycXcawYE8lpg/efpBPWkgWQ+NDUxcJBbWCKbkvA2DEfoSluwcGuxUjWGa27SKaCVX/LNAUDvXcw82F61XsTpoK2i0pme7pIZeF1bfbKyPxDnpWKoLoL2i2HchD1B5AEemr+eKh3kPGqpY3SNfqPFyUYN34Fea/gg/eM1Jw/ORWGNxMwg882a/NQLRzjjseQsPEI0r0o8Xba1KqGP1mMhursrOFVRz9xXG7l5oXhx0+GsscKDnP40CXJBMf6r2tEZobrR8NagV4/Mh4r2+zYw12KwwYZ5drmS1b0ftrLZLSugJopgLaQqYC3OAnmdW1MOkNoQSWv9Y5NaPERpMQ9BJcPcGM3W3+AyEz3zRSlFQFnjZO6kk37dFz1KVbbXkrFTXhDpGw/Z/RCMdzv6eyhPqcSSccisaOxDtlLQXy95G6tOcpJV7u7qu1LzQDehyZnBjasqMQVpCJw1Q9GRxnSBjpVKzN07dEkzXqcZHh67kPR/aoH8jzbfNq5YDQ6nxK0INcSyCzJe4w18JbY5Wq0F5U0OeYwYAwHoIV/nbMdptyyw==,iv:ol3dz4SomkwyN2s4tPWDCJEYdnMuZTvHppUA95Nz3+8=,tag:IlZBYvM8e3COjxZ/dxJT7Q==,type:str]
dkim_pub: ENC[AES256_GCM,data:tigMKTZ5XiDViSez2WKfUPBkw9OtLKrEBrbp/I3tUk+mu7RR2YIaQEWfTH0EOzPMpDEIJ32pwlqicGQZdTf7WdpELcJZgbxKpWPWgTzjwHasgs38aJh2JIIoIuFwa1YgEuRGtSl7YT47WDhTTGbFFdvaKBlIe7vipgkFSxNX1NKGNgdkkcVczvlVgWKqbp05zzUlav1XEwBhd+3eTgPQFptYyvQbIFasiunrHBT8cbm+CQ/O8q90lUkoVrmQUu3XG6njDMa4pNULUJqsUogCyYgm/aDMdx7AN29daCbgj99g/hjnQrBFajJCzNyG36XrzQdZJGiG0AgG1oWAq98boNFxC5ux4eBDmT946FyxXFNwyZpu1p2naHkBlE01duCBS4PUuQFlw9tsCYOuL+xGR3paBafTcL6X67w=,iv:lXFMxiePwivoyQxuQu+hEHeuU0z85fJk9y7296oJNl8=,tag:0QknKaFPpNHo2v0feR+jAQ==,type:str]
sops:
@@ -16,8 +16,8 @@ sops:
T3dqdEJxRmkvSStuK1NmRWJkN1psWWsKuNdc6DHXXEcn63CZv/5lE30MAagPfHO0
GDOLTLCLDzNvKmd5i9dNuYBrD1JeyotNId6E4w/3oYxCFJ56SsH32Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-28T22:08:15Z"
mac: ENC[AES256_GCM,data:G7ceHgkxOv1xinx2Oc5kWCDs5njnf/uUyHlOddzM8RBZTcBp4RVB6NJb3ERFpHlEBXtO5EXnXm2ggK9cfxH9BKL/4tZeFQDqT9QcwFvtynQbCcOmBi3ffrkt4uXKwOIpVZyT8bz8GYueLq/fu2fIHwjZ7Ll43Gn2Sp6gQuvFSuo=,iv:wg88Qpn5cIIr9tXUkc/WxfMDt/SHbA09CRCCv/FwUVU=,tag:QiG5ERsym5kl2g11LK0onw==,type:str]
lastmodified: "2024-03-21T22:00:58Z"
mac: ENC[AES256_GCM,data:147XZroz5psp5Q5zGz19FZNPFr01wPGM0ivxbNVu9IcuUPw5dhnSaFQTvdYKfZPLSW2dwMJ2sPA5NAxxW0zQTh3d4vjirJ7GVj07Fn+ipL/X+wZKM42HjNSEw9IdAD5OIArZ8XjZcC+AGu7C4wHHf43uOEu7ZbWYx9Kbq+cJGbk=,iv:V9GHCN0NPWaRZOmoWhKA5fHwfKfrdays3ODfiTBrbo8=,tag:JwiHjHEjTDc6XRqtn0Aqwg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

1
tests/triple-dezert.nix
View File

@@ -28,7 +28,6 @@
);
in {
imports = [ ../triple-dezert ];
vacu.underTest = true;
systemd.services = disableAcmes // reEnableSelfsigned;
systemd.units = disableUnits;
#vacu.secretsFolder = ./test_secrets;

4
triple-dezert/database.nix
View File

@@ -53,10 +53,10 @@ in
services.postgresql = rec {
enable = true;
package = pkgs.postgresql_16;
dataDir = "/var/postgres/data/${package.psqlSchema}";
dataDir = "/trip/pg/data/${package.psqlSchema}";
enableJIT = true;
initdbArgs = [
"--waldir=/var/postgres/wal/${package.psqlSchema}"
"--waldir=/trip/pg/wal/${package.psqlSchema}"
];
ensureUsers = [
{

19
triple-dezert/default.nix
View File

@@ -1,7 +1,7 @@
{ config, pkgs, inputs, lib, ... }: {
imports =
[
../common/nixos.nix
../common-nixos-config.nix
./hardware-configuration.nix
./awootrip.nix
./frontproxy.nix
@@ -15,16 +15,12 @@
#./vms.nix
./networking.nix
./devver-host.nix
./emily.nix
./jellyfin.nix
];
system.nixos.tags = [ "host-${config.networking.hostName}" ];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
#todo: increase boot partition size
boot.loader.systemd-boot.configurationLimit = 10;
# The first thing to complain was redis in the vacustore container:
#
# WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
@@ -38,23 +34,14 @@
services.xserver.enable = false;
vacu.packages = with pkgs; [
environment.systemPackages = with pkgs; [
zfs
smartmontools
openvpn
nvme-cli
tshark
config.services.postgresql.package
(pkgs.writeScriptBin "into-nix-cache" ''
if [[ $UID -ne 0 ]]; then exec sudo $0 "$@";fi
${pkgs.nix}/bin/nix copy \
--no-update-lock-file \
--no-write-lock-file \
--to 'file:///trip/nix-binary-cache?parallel-compression=true&secret-key=/root/cache-priv-key.pem&want-mass-query=true&write-nar-listing=true' \
"$@"
'')
postgresql_16
];
hardware.opengl.extraPackages = [ pkgs.intel-compute-runtime pkgs.ocl-icd ];
services.openssh = {
enable = true;

43
triple-dezert/emily.nix
View File

@@ -1,43 +0,0 @@
{ config, ... }: let
sshPort = 32767;
container = config.containers.emily;
in {
networking.firewall.allowedTCPPorts = [ sshPort ];
networking.nat.forwardPorts = [{
destination = container.localAddress;
proto = "tcp";
sourcePort = sshPort;
}];
containers.emily = {
privateNetwork = true;
hostAddress = "192.168.100.20";
localAddress = "192.168.100.21";
autoStart = true;
ephemeral = false;
bindMounts."/emdata" = {
hostPath = "/trip/ncdata/data/melamona/files";
isReadOnly = false;
};
config = { config, ... }: {
system.stateVersion = "24.05";
services.openssh.enable = true;
services.openssh.ports = [ sshPort ];
services.openssh.openFirewall = true;
users.groups.emily.gid = 999;
users.users.emily = {
isNormalUser = true;
isSystemUser = false;
hashedPassword = "$y$j9T$gP2phgJ9iSH.tWROn/T2C1$dwifP4R4SY4Fyd6W4vZ7tMDFhZB7Cfji9QvporeKUXB";
group = "emily";
};
users.mutableUsers = false;
users.allowNoPasswordLogin = true;
};
};
}

2
triple-dezert/frontproxy.nix
View File

@@ -10,7 +10,6 @@ let
"vacu.store"
"jean-luc.org"
"pwrhs.win"
"jf.finaltask.xyz"
];
in {
security.acme.acceptTerms = true;
@@ -72,7 +71,6 @@ in {
"${outer_config.containers.nix-cache-nginx.localAddress}" = [ "nix-cache" ];
"${outer_config.containers.jl-stats.localAddress}" = [ "jl_stats" ];
"${outer_config.containers.static-stuff.localAddress}" = [ "static_stuff" ];
"${outer_config.containers.jellyfin.localAddress}" = [ "jellyfin" ];
};
};
};

16
triple-dezert/haproxy-config.cfg
View File

@@ -13,8 +13,8 @@ global
defaults
# https://world.hey.com/goekesmi/haproxy-chrome-tcp-preconnect-and-error-408-a-post-preserved-from-the-past-2497d1f7
timeout server 3s
timeout client 3s
timeout server 302s
timeout client 302s
timeout connect 10s
option http-ignore-probes
@@ -25,7 +25,7 @@ defaults
frontend main
bind :80
bind :443 ssl crt /certs/shelvacu.com/full.pem crt /certs/vacu.store/full.pem crt /certs/jean-luc.org/full.pem crt /certs/pwrhs.win/full.pem crt /certs/jf.finaltask.xyz/full.pem
bind :443 ssl crt /certs/shelvacu.com/full.pem crt /certs/vacu.store/full.pem crt /certs/jean-luc.org/full.pem crt /certs/pwrhs.win/full.pem
mode http
@@ -36,13 +36,12 @@ frontend main
# Check whether the client is attempting domain fronting.
acl ssl_sni_http_host_match ssl_fc_sni,strcmp(req.host) eq 0
# acl host_auth var(req.host) -m str "auth.shelvacu.com"
acl host_vacustore var(req.host) -m str "vacu.store"
# acl host_auth var(req.host) -m str "auth.shelvacu.com"
acl host_cache var(req.host) -m str "nixcache.shelvacu.com"
acl host_stats_jl var(req.host) -m str "stats.jean-luc.org"
acl host_tulpaudcast_jl var(req.host) -m str "tulpaudcast.jean-luc.org"
acl host_habitat_pwrhs var(req.host) -m str "habitat.pwrhs.win"
acl host_jellyfin var(req.host) -m str "jf.finaltask.xyz"
http-after-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" if { ssl_fc }
@@ -65,7 +64,6 @@ frontend main
http-request allow if host_stats_jl
http-request allow if host_tulpaudcast_jl
http-request allow if host_habitat_pwrhs
http-request allow if host_jellyfin
http-request return status 404 string "not found" content-type text/plain
use_backend vacustore if host_vacustore
@@ -74,7 +72,6 @@ frontend main
use_backend jl_stats if host_stats_jl
use_backend static_stuff if host_tulpaudcast_jl
use_backend habitat if host_habitat_pwrhs
use_backend jellyfin if host_jellyfin
backend vacustore
mode http
@@ -86,11 +83,6 @@ backend kani
option forwardfor
server main kani:8443 check maxconn 500 ssl verify none ssl-reuse
backend jellyfin
mode http
option forwardfor
server main jellyfin:8096 check maxconn 100 proto h1
# backend keycloak
# mode http
# option forwardfor

42
triple-dezert/jellyfin.nix
View File

@@ -1,42 +0,0 @@
{ config, pkgs, ... }: let
name = "jellyfin";
contain = config.containers.${name};
in {
systemd.tmpfiles.settings.${name}."/trip/${name}".d = {
mode = "0755";
};
containers.${name} = {
privateNetwork = true;
hostAddress = "192.168.100.22";
localAddress = "192.168.100.23";
autoStart = true;
ephemeral = true;
restartIfChanged = true;
bindMounts."/${name}" = {
hostPath = "/trip/${name}";
isReadOnly = false;
};
config = { pkgs, ... }: {
system.stateVersion = "24.05";
networking.useHostResolvConf = false;
networking.nameservers = [ "10.78.79.1" ];
networking.firewall.enable = false;
services.jellyfin = {
enable = true;
dataDir = "/${name}";
};
environment.systemPackages = with pkgs; [
jellyfin
jellyfin-web
jellyfin-ffmpeg
];
};
};
}

29
triple-dezert/jl-stats.nix
View File

@@ -2,8 +2,29 @@
let
name = "jl-stats";
contain = config.containers.${name};
pg = config.services.postgresql.package;
most-winningest = inputs.most-winningest.packages."${config.nixpkgs.system}".default.override { postgresql = pg; };
most-winningest = pkgs.callPackage ({
rustPlatform,
fetchFromGitHub,
pkg-config,
openssl,
postgresql,
}: rustPlatform.buildRustPackage rec {
pname = "most-winningest";
version = "69.420";
nativeBuildInputs = [ pkg-config ];
buildInputs = [ openssl postgresql ];
src = fetchFromGitHub {
owner = "captain-jean-luc";
repo = pname;
rev = "d203ae1b8dd450b281bc1b4bb2ae7518a5665352";
hash = "sha256-RDVIu4zU4BvsJ1Ek7SwlpvA7H48TlPTzTCvUk+9hZ74=";
};
cargoHash = "sha256-5Wbx/RBqtDmJUKdLXttryMuJfpkUJwRGTFYP3UFEPT0=";
}) {};
in {
vacu.databases.${name}.authByIp = contain.localAddress;
@@ -65,10 +86,6 @@ in {
timerConfig.OnBootSec = "5m";
timerConfig.OnUnitInactiveSec = "1h";
};
environment.systemPackages = [
pg #provides psql binary, helpful for debugging
];
};
};
}

60
triple-dezert/vacustore.nix
View File

@@ -31,6 +31,8 @@
networking.useHostResolvConf = lib.mkForce false;
services.resolved.enable = true;
systemd.services.nextcloud-setup.after = [ "network-online.target" ];
services.nginx.virtualHosts."vacu.store".extraConfig = ''
client_body_timeout 5m;
'';
@@ -39,69 +41,69 @@
services.nextcloud = {
enable = true;
package = pkgs.nextcloud29;
package = pkgs.nextcloud28;
configureRedis = true;
hostName = "vacu.store";
datadir = "/ncdata";
logLevel = 1;
https = true;
maxUploadSize = "1000G";
database.createLocally = false;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) calendar notes tasks contacts;
# appointments = pkgs.fetchNextcloudApp {
# appName = "appointments";
# url = "https://github.com/SergeyMosin/Appointments/raw/v2.1.4/build/artifacts/appstore/appointments.tar.gz";
# sha256 = "sha256-LKxTF6yF7n6t34KzRRRqsf1doqS7DaKPmqscmNmtzAg=";
# appVersion = "2.1.4";
# license = "gpl3";
# };
appointments = pkgs.fetchNextcloudApp {
appName = "appointments";
url = "https://github.com/SergeyMosin/Appointments/raw/v2.1.4/build/artifacts/appstore/appointments.tar.gz";
sha256 = "sha256-LKxTF6yF7n6t34KzRRRqsf1doqS7DaKPmqscmNmtzAg=";
appVersion = "2.1.4";
license = "agpl3";
};
gpoddersync = pkgs.fetchNextcloudApp {
appName = "gpoddersync";
url = "https://github.com/thrillfall/nextcloud-gpodder/releases/download/3.9.0/gpoddersync.tar.gz";
sha256 = "sha256-wLiM8kv+HinOoAebarQ9MwuxqUpVeF0zS2RVYpAoYMI=";
appVersion = "3.9.0";
license = "gpl3";
url = "https://github.com/thrillfall/nextcloud-gpodder/releases/download/3.8.2/gpoddersync.tar.gz";
sha256 = "sha256-eeBvRZUDVIaym0ngfPD2d7aY3SI/7lPWkrYPnqSh5Kw=";
appVersion = "3.8.2";
license = "agpl3";
};
webapppassword = pkgs.fetchNextcloudApp {
appName = "webapppassword";
url = "https://github.com/digital-blueprint/webapppassword/releases/download/v24.6.0/webapppassword.tar.gz";
sha256 = "sha256-x9uARo/VtkFLabif2/GZhs4cG6qmhAJs93dzhFFmhB0=";
appVersion = "24.6.0";
license = "gpl3";
url = "https://github.com/digital-blueprint/webapppassword/releases/download/v23.12.0/webapppassword.tar.gz";
sha256 = "sha256-nQUHEm+cvTmRS2ECZK4lk7YAd+2gUYTFcu44A967kY4=";
appVersion = "23.12.0";
license = "agpl3";
};
# oidc_login = pkgs.fetchNextcloudApp {
# appName = "oidc_login";
# url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.0.2/oidc_login.tar.gz";
# sha256 = "sha256-cN5azlThKPKRVip14yfUNR85of5z+N6NVI7sg6pSGQI=";
# appVersion = "3.0.2";
# license = "gpl3";
# };
# sociallogin = pkgs.fetchNextcloudApp {
# appName = "sociallogin";
# url = "https://github.com/zorn-v/nextcloud-social-login/releases/download/v5.6.3/release.tar.gz";
# sha256 = "sha256-XHHD87InU9P5uq9zCJnFliHhWh5tpSpSnMMOfNgJKRw=";
# appVersion = "5.6.3";
# license = "gpl3";
# license = "agpl3";
# };
sociallogin = pkgs.fetchNextcloudApp {
appName = "sociallogin";
url = "https://github.com/zorn-v/nextcloud-social-login/releases/download/v5.6.3/release.tar.gz";
sha256 = "sha256-XHHD87InU9P5uq9zCJnFliHhWh5tpSpSnMMOfNgJKRw=";
appVersion = "5.6.3";
license = "agpl3";
};
};
phpOptions."opcache.interned_strings_buffer" = "32";
config = {
trustedProxies = [ outer_config.containers.vacustore.hostAddress ];
adminpassFile = "/etc/admin_password";
dbtype = "pgsql";
dbuser = "ncadmin";
dbhost = outer_config.containers.vacustore.hostAddress;
dbname = "nextcloud";
dbtableprefix = "oc_";
overwriteProtocol = "https";
defaultPhoneRegion = "US";
};
settings = {
loglevel = 1;
default_phone_region = "US";
overwriteprotocol = "https";
trusted_proxies = [ outer_config.containers.vacustore.hostAddress ];
extraOptions = {
allow_user_to_change_display_name = false;
lost_password_link = "disabled";
oidc_login_provider_url = "https://id.shelvacu.com/oauth2/openid/vacustore/";