restructure folder organisation

2025-05-24 09:54:40 +02:00 · 2022-12-05 20:32:39 +01:00 · 2022-12-05 20:32:39 +01:00 · 9cf7be677d
commit 9cf7be677d
parent 599d55fa6a
72 changed files with 95 additions and 98 deletions
--- a/machines/newton/boot.nix
+++ b/machines/newton/boot.nix
@ -0,0 +1,10 @@
+{ config, ... }:
+{
+  boot.loader = {
+    timeout = 1;
+    grub = {
+      enable = true;
+      device = "/dev/sda";
+    };
+  };
+}
--- a/machines/newton/configuration.nix
+++ b/machines/newton/configuration.nix
@ -0,0 +1,32 @@
+{ config, ... }:
+{
+  imports = [
+    ./boot.nix
+    ./hardware-configuration.nix
+    ./disks.nix
+    ./network.nix
+    ./syncthing.nix
+    ./services.nix
+    ../../legacy/modules/docker.nix
+    ../../legacy/modules/networkdecrypt.nix
+    ../../legacy/modules/nix.nix
+    ../../legacy/modules/users.nix
+  ];
+
+  networking.hostName = "newton";
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    gnupg.sshKeyPaths = [ ];
+  };
+
+  #environment.noXlibs = true;
+
+  networking.firewall.allowedTCPPorts = [
+  ];
+
+  system = {
+    stateVersion = "22.05";
+    autoUpgrade.enable = true;
+  };
+}
--- a/machines/newton/disks.nix
+++ b/machines/newton/disks.nix
@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.initrd.luks.devices."luks-drive" = {
+    name = "luks-drive";
+    device = "/dev/disk/by-partlabel/Crypt";
+    preLVM = true;
+    allowDiscards = true;
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/newton-root";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/newton-boot";
+    fsType = "vfat";
+  };
+
+  fileSystems."/srv" = {
+    device = "/dev/disk/by-label/newton-srv";
+    fsType = "ext4";
+  };
+
+  swapDevices = [{
+    device = "/dev/disk/by-label/newton-swap";
+  }];
+}
+
--- a/machines/newton/hardware-configuration.nix
+++ b/machines/newton/hardware-configuration.nix
@ -0,0 +1,19 @@
+{ config, pkgs, lib, modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "sd_mod"
+    "uhci_hcd"
+    "virtio_pci"
+    "virtio_scsi"
+  ];
+  boot.initrd.kernelModules = [
+    "dm-snapshot"
+  ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/machines/newton/network.nix
+++ b/machines/newton/network.nix
@ -0,0 +1,64 @@
+{ config, lib, pkgs, ... }:
+
+let
+  ifname = "ens18";
+
+  ip4_addr = "38.242.193.132";
+  ip4_mask = "255.255.240.0";
+  ip4_mask_len = 20;
+
+  ip4_gw = "38.242.192.1";
+  ip4_dns = [
+    "8.8.8.8"
+    "79.143.182.242"
+    "178.238.234.231"
+    "5.189.191.29"
+  ];
+
+  ip6_addr = "2a02:c206:3009:3317::1";
+  ip6_mask_len = 64;
+
+  ip6_gw = "fe80::1";
+  ip6_dns = [
+    "2a02:c205:0:0882::1"
+    "2a02:c205:0:0891::1"
+    "2a02:c207:0:0842::1"
+  ];
+in
+{
+  networking = {
+    #useDHCP = false;
+
+    nameservers = ip4_dns ++ ip6_dns;
+    domain = "buehler.rocks";
+    search = [ "buehler.rocks" ];
+
+    defaultGateway = {
+      address = ip4_gw;
+      interface = ifname;
+    };
+
+    defaultGateway6 = {
+      address = ip6_gw;
+      interface = ifname;
+    };
+
+    interfaces."${ifname}" = {
+      ipv4.addresses = [
+        {
+          address = ip4_addr;
+          prefixLength = ip4_mask_len;
+        }
+      ];
+      ipv6.addresses = [
+        {
+          address = ip6_addr;
+          prefixLength = ip6_mask_len;
+        }
+      ];
+      # Do not use the temporary addresses on this interface
+      # The machine is rather a server
+      tempAddress = "disabled";
+    };
+  };
+}
--- a/machines/newton/secrets.yaml
+++ b/machines/newton/secrets.yaml
@ -0,0 +1,51 @@
+users:
+    felix:
+        password: ENC[AES256_GCM,data:ma+FSUcvVjrtMKS9,iv:3AHwBXdbuSG6ZZnBVL+/Mf8H/GjiXIhmXbuZEnRYIGA=,tag:hlnKF0pLznMl1sbnGENXXQ==,type:str]
+borgbackup:
+    password: ENC[AES256_GCM,data:MCzHfmd5uSIO6NqOLljVEce6O2btQoc=,iv:CGGvivLFcsUSQKT1EkY72uDVM9+No25WlXjL/WryuEU=,tag:wZOV8Clot5Df+mMf71thZA==,type:str]
+    private_ssh_key: ENC[AES256_GCM,data:O6/5WZC+5ef/DjQzR9mwmvgYarIF0OlUAW20cvcNXBeTUIWReB3lnf6eigXJ8t0Y7UPnEAy0L4SXkNtnnqL43pb9GcZ5QxVenqS54bec2AN46282PP3MvO2qKQ1xNhrEDYy8U3dz5Pna6nJIRhpcLuUbQ/ZRc9LQh74LrqUlX3fjvVqAhc4QSXpBwZ1MdqF3M8XjZiB1kpwhYqnLNuGrMw+RftR4x2g763gS9qicnjmNdBL+aaHebRC3JRaGQbm6QNa0NDOANfkG2MtdMKRKot6mMCN4M3nL0ngswr1JolKsTo+YHrYP6YrqMinPEfL0XjIZA6J8AzUsFKN65bScd7mLnMuxF5P11hLEVAFYqS3QsHY0BXmvwWY7mOG7FVU0l6UOlK9xvlLOC8UdDwdx9ipBc/lQ89i7CyBviqcRLrqkzC9OzX0035u+OblcrJlfQ38buZWsojHGZPDPctPRnhcOf2eNZEvoc7SWbvuVnDQfLv4DcRXEp4C2+IV+Boh08zG26QHNRkZMGY3Nmjmb,iv:RCZYSfP2HK5YgRk9V/inFAwu8sQuq05nVe+aBGfsWfo=,tag:AAo7S8M+l2GvEQtqm4TsAw==,type:str]
+syncthing:
+    key: ENC[AES256_GCM,data:r4kihzg6FcZYHqchcu+8k5N27ZwdrXkQXyJ1QM2p0kVSiwTPq5n1jQCI8i7bCXckBkEv5IQmSOc3kf9383EM3XH3Q9zDqw2z4TEHWo6EBI9JalPK/4UC6gRpN5bTJRpwUlZ5gnhM6ifcl+OX6bdU6zSS2MtFqL1ne/CVJdUoGLHV4BKNCF43CBgIcJG+o/iOt0P292/PozrRRL3nCHxB8TCIpfUDjyeQYGAvBuQy1/WDUJoBLFIOKVYmzo5jbGwScVrUIg2hT+KIuv4P4ZVkBBgx0avOi9JlTglOh2kS//+F0+nT7+XQV/Fo/AwSE4Y1MBZCaxtlb+C89DRcrR5oqFbPLA11oynPHrMryPgyikrtRKDnN52/8UNVMaJgK04E,iv:w3ItAGO/LZxqtLNLu9R0nrcUezIBwe9aFqY2kY9gY0s=,tag:shC2Qo9vF4o3I/RXjbTXoA==,type:str]
+    cert: ENC[AES256_GCM,data:k3LEq2gEcoM3x1xEtFzbvbd04LRYvm15z5Cm/t07IG2fVvdtPWy9Dsha5Crx2CEnjB4Xtf7xdCOTaKr/OeZnUf+iK67e/xj6St1Q2n9ua20/+82nUxFtG2ItXH+iu5rkF7IIsXuVxE0WNAXxC8M+xdDt4KUOJP6e/GSv+/8KA1N4fOiW1N5EUpLwuN7sAwaj7YkzUJwHiGrUw3qTYRwXU6j/hWA3vtw8Z8latWW3+goaD9/aDSMHzSE5Pdi2/GQ1Ll/UVc43nRUYgXL7H9grOrXiI3sdPpc42MeFUpNM0AGJp3M6tepUsLIuA9L54wgqaQVrGO0RilBMtMrAb1tUoqLqEB0CM0VqNDBEWyIzDKIfHtQWta/1fIxzo5bKoJcJ6UG2qrZ5ru6sX387sGi8QcC9uN5ko6oZesdOacw9z5tvFDQrk7KvfiCtvHj+AtPxiLrkFj3EPoQK1vXzy4IyanIDJx46WtuAURTHmBZms2KBLPKLMYzWm9qdq8dW4sadbaSofzwquj4HaWuOIugSdjVlSdzBj+KI/nIRde5uWunpnr9AYHrf3lPgl1tkduQpL5RRu3je4RQ5dNa+TNkcqacMTF/3Q34uJXBkp99LpK+8fXx70PKm/PmnHOQgeK7WJnz2kAeSc6kBhX+sh2w1KWBG01ptc0Ixi7xrC/6fgB4pmkKdryMFsZ/PML/VOwLxbkbrzsHyK1Zpw8jV03oGTwz76IaDpELqpfX2rD3GztS58mYXxJn5sqyTIFKjLVX05jB77bjYk5pWLQZasHpdU5wLYg6AHCe2wEIfbu3y3M4XVEfCiB/d+P370T1qLMbxeTYMd1MtD4oq87Bg7brlCy64LWhOwW/Elu0oeBqHmpoXwBc6aoIBH8a+uK4ZWm87N/oJha1zzsh0+0Z3NdinAL4ufjrlKQBGJRZj7NBKdQfnKZXM/ELLEQD2R6UxZUsFnmrXEN2AuAv+KZtoImf1oOOGXiaIDPEJNvGlIT8fZ8cQViYRxzGjtkbO5p3FHpn+/DdcEke+/4ABqNZ0hHw+98U6qRlvcQ==,iv:80pejP5/F/uLoFuAwg1tKjwq5hQjowhpBT6/+ipPW0c=,tag:zccXZgI/KT7+DPbqyZWjOA==,type:str]
+paperless:
+    password: ENC[AES256_GCM,data:GrH2MEFUGSoJEUnFUb5nTxHHnnSIohwEUVU+2Xpa,iv:U9tDsq5PsqFzzl1e1sYUL5XxUqGEmdiZoJtCh96+yEA=,tag:qVu2bulQ9wz+K0lmbMULzQ==,type:str]
+freshrss:
+    password: ENC[AES256_GCM,data:dUOKeRxovwIHIchkwMFxsQYEKrU2muY=,iv:OA1zbIiV3NBWIoJLpxpLBEjR/I6m5vzVKvzMEZYYE7Q=,tag:r4PbEbEkSH3bsJMamDuuFw==,type:str]
+nextcloud:
+    password: ENC[AES256_GCM,data:uE507Ij34zJVYnd2YkNCGj8hpFpEM5w=,iv:x8BNCUaAas0poQ/Lo0izZApF6l52xal8DDrClIzWjvk=,tag:sA08dmcVQbKswX9hF/txag==,type:str]
+sso:
+    auth-key: ENC[AES256_GCM,data:jFDeymziDiJMnoIGjYPMmnxTzKer1bFffGDaoHnbKlpMPslP/Bmtsc5kio2tbDBlxG0TCdf+ePirPPw2,iv:8wGHEp1gB/qgkSvqkqjb9zBnqkkl1+Ezm9tCFS8tL3w=,tag:tHIT9Iw29TUXJm2e7z3Z/A==,type:str]
+    felix:
+        password-hash: ENC[AES256_GCM,data:4yOMOg3/RsijtXC7h73sIk3HDPq83xmSY7AaLeUbtPVZzjjZ/Qp+YiXpgL0fVsio1Pic3HyAzeVlWg0E,iv:23CdJQAhtpgrUZ1jVKiKYfgw5jQNVN6413Ew8ryJH6w=,tag:bds2Yd18gFtVDtgLkxMGkQ==,type:str]
+        totp-secret: ENC[AES256_GCM,data:pXx//6N7XMlmPQoUPziIcEswGWSNQ+oUgjlxAWG1RC/EToTmzwwvbhpaJRr0liKFkHVIeKT7rLU=,iv:hh3F6S2phwP11MhAtqYLMzXw4/9K25fCfiz779XkLj8=,tag:x7BXtPqh6N4LrLJfsEwh4Q==,type:str]
+acme:
+    inwx: ENC[AES256_GCM,data:tu3pdI2fAQPAwQNdIIk10Kkl0xBPBLx592UlYYEXxJX0YGddAhGMwDUqKTh/B5k9WW11cyoLoeTMnZPMzD15V1Qj,iv:UbbauJBjr3O4XnKRL9Pc3PdRGJqAhqO0PDNkvpyXH2o=,tag:YRVtRo8D0KLVCtWukW7GWw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOHlyV1B4SE9maDhmTVhB
+            RWIzbkdhZzhwVjVuUEcxN3pQL2VNTU9Oa0VZCnN5YUhSZUVFTUVMS3dLRDExSFBW
+            SHNNM0pKeDRITG5heXhrNVRFbFJ4WkEKLS0tIHR2a3RXcUNzbjZQNythTnk1T0d1
+            bnlMMmY2NHRncEEvTlNob0JJU3dLdE0Kjo2Ge3OVnClKgAyUHvi//Qx74fqhtxjw
+            7IlsnpkmHbPPbmTWtcXwzS8S8/2tcurMj9mG1wrDou3POr/aHMPs/Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1s9spl75rwhgm3cvvqsr9rze5m0kuxqes2tsxjmq07xg5ycn5j47s2m0dlu
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWmp0dGtsU3ZiMjN3SjU0
+            OFpGdkJ1SitjMlJkSFVhZm5lYjZHUFRjYWh3ClFKM1d1RG9GbFg5V0dWOGs2WmQv
+            OFZpTlU2V0xITUNmSXlyWlkwdHFmbHMKLS0tIHNKb1lSaTB6cnE3RytaRklpbzVx
+            NmNwT3N5UEVabFdLTDhseFRjeVZaWFkKL3HGFqfttU1tXY4OhnIr1ABFsHB0R0CX
+            s6wxb0ilut32ijjtnGXMIIa9y6XsMTpYskTb9FdRP9VnQQGVrMfdew==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-11-13T15:50:14Z"
+    mac: ENC[AES256_GCM,data:RmNsaye+hanRtzO1BNj6Q/LKS4ACRufzs7TGGcQHfVbi8QyrBqltGoox9ukgaN5PqBNR+uz3+Grpzkjj33xtdJuSRoHNk7aa/q2FHFHmJs+qIggf3HRzgfmBPkP0K9kJdFeOYvy0XoZWMdmaZ9H3fC8kqbEkQPMTrwnKEiDOx6M=,iv:ntjiRk8UUbsnPaKW1AxEoa8RRejA9LCKYNGD6s8dKwI=,tag:hKi3HZoMuOwtAcd7oyUZgw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/machines/newton/services.nix
+++ b/machines/newton/services.nix
@ -0,0 +1,88 @@
+# Deployed services
+{ config, lib, ... }:
+let
+  secrets = config.sops.secrets;
+in
+{
+  sops.secrets."acme/inwx" = { };
+  sops.secrets."sso/auth-key" = { };
+  sops.secrets."sso/felix/password-hash" = { };
+  sops.secrets."sso/felix/totp-secret" = { };
+  sops.secrets."paperless/password" = { };
+  sops.secrets."nextcloud/password" = { };
+  sops.secrets."nextcloud/password".owner = config.users.users.nextcloud.name;
+
+  # List services that you want to enable:
+  my.services = {
+    # My own personal homepage
+    homepage = {
+      enable = true;
+    };
+    # Dashboard
+    homer = {
+      enable = true;
+    };
+    # RSS provider for websites that do not provide any feeds
+    rss-bridge = {
+      enable = true;
+    };
+    # voice-chat server
+    mumble-server = {
+      enable = true;
+    };
+    # sandbox video game
+    minecraft-server = {
+      enable = true;
+    };
+    # music streaming server
+    navidrome = {
+      enable = true;
+      musicFolder = "/srv/data/music";
+    };
+    # self-hosted cloud
+    nextcloud = {
+      enable = true;
+      passwordFile = secrets."nextcloud/password".path;
+    };
+    # document management system
+    paperless = {
+      enable = true;
+      passwordFile = secrets."paperless/password".path;
+      extraConfig.PAPERLESS_ADMIN_USER = "felix";
+    };
+    # self-hosted git service
+    gitea = {
+      enable = true;
+    };
+    # collaborative markdown editor
+    hedgedoc = {
+      enable = true;
+    };
+    # a password-generator using the marokov model
+    passworts = {
+      enable = true;
+    };
+    ssh-server = {
+      enable = true;
+    };
+    # Webserver
+    nginx = {
+      enable = true;
+      acme = {
+        credentialsFile = secrets."acme/inwx".path;
+      };
+      sso = {
+        authKeyFile = secrets."sso/auth-key".path;
+        users = {
+          felix = {
+            passwordHashFile = secrets."sso/felix/password-hash".path;
+            totpSecretFile = secrets."sso/felix/totp-secret".path;
+          };
+        };
+        groups = {
+          root = [ "felix" ];
+        };
+      };
+    };
+  };
+}
--- a/machines/newton/syncthing.nix
+++ b/machines/newton/syncthing.nix
@ -0,0 +1,66 @@
+{ config, ... }:
+{
+  sops.secrets."syncthing/key" = { };
+  sops.secrets."syncthing/cert" = { };
+
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = true;
+    dataDir = "/srv/data";
+    key = config.sops.secrets."syncthing/key".path;
+    cert = config.sops.secrets."syncthing/cert".path;
+    extraOptions = {
+      options = {
+        localAnnounceEnabled = false;
+      };
+    };
+    devices = {
+      "thinkman" = {
+        id = "KXSCPX3-JCCFZM4-S2LQZZL-3AM6WRL-IPNWVG2-IB5FEDJ-YYFUIRR-VMDO3AL";
+      };
+      "birdman" = {
+        id = "34Z4J7W-MJIODUD-J6LDJY6-QILQLLB-CJ4GR7K-7TJM2K3-R7SIPRV-XQO5TAI";
+      };
+      "serverle" = {
+        id = "PVPEIN7-PI226LR-ULSBYKT-JGRQ3PS-WSPLGBP-TKYRJVP-OTWE7IV-NLKTBA3";
+      };
+    };
+    folders = {
+      "Computer" = {
+        id = "djdxo-1akub";
+        path = "/srv/data/computer";
+        devices = [
+          "thinkman"
+          "birdman"
+          "serverle"
+        ];
+      };
+      "Phone" = {
+        id = "4hds7-gpypp";
+        path = "/srv/data/phone";
+        devices = [
+          "thinkman"
+          "birdman"
+          "serverle"
+        ];
+      };
+      "Music" = {
+        id = "mphdq-n6q7y";
+        path = "/srv/data/music";
+        devices = [
+          "thinkman"
+          "birdman"
+          "serverle"
+        ];
+      };
+      "Pictures" = {
+        id = "cujyo-yiabu";
+        path = "/srv/data/photos";
+        devices = [
+          "thinkman"
+          "serverle"
+        ];
+      };
+    };
+  };
+}