diff --git a/modules/config/default.nix b/modules/config/default.nix index a266aad..dd293f8 100755 --- a/modules/config/default.nix +++ b/modules/config/default.nix @@ -54,41 +54,43 @@ let }; }; - instanceSubmodule = lib.types.submodule { - options = { - subdomain = stringType; - label = stringType; - name = stringType; - short = stringType; - hostname = stringType; - tags = listType; - records = genOptions stringType "record"; - domains = genOptions stringType "url"; - dns = genOptions stringType "provider"; - localhost = genOptions stringType "address"; - wireguard = genOptions stringType "interface"; - remotehost = genOptions stringType "address"; - email = genOptions stringType "address"; - sops = genOptions stringType "path"; - paths = genOptions stringType "path"; - varPaths = genOptions stringType "path"; + interfaceConfig = { + domain = stringType; + email = stringType; + ip = stringType; + subdomain = stringType; + wireguard = stringType; + microvm = { + gate = stringType; + id = stringType; + idUser = stringType; + mac = stringType; + macUser = stringType; + num = intType; + ssh = intType; + }; + ssl = { + cert = stringType; + key = stringType; + path = stringType; + }; + paths = { mntPaths = genOptions stringType "path"; secretPaths = genOptions stringType "path"; + varPaths = genOptions stringType "path"; + }; + }; + + instanceSubmodule = lib.types.submodule { + options = { + name = stringType; + label = stringType; + short = stringType; + tags = listType; + dns = genOptions stringType "provider"; ports = genOptions intType "port"; - interface = { - id = stringType; - mac = stringType; - idUser = stringType; - macUser = stringType; - ip = stringType; - gate = stringType; - ssh = intType; - }; - ssl = { - cert = stringType; - key = stringType; - path = stringType; - }; + addresses = genOptions stringType "address"; + interfaces = genOptions interfaceConfig "interface"; }; }; 
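Review bot: `interfaceConfig` declares `ip` at the interface level, but every instance file updated in this commit sets `ip` inside `microvm`, and minecraft.nix also sets `microvm.port`, which is not declared here at all. If the submodule rejects undeclared attributes (its remaining settings are outside this hunk), those definitions will fail evaluation or not be found where consumers look for them. I would move `ip = stringType;` into the `microvm` set and add `port = intType;` there, or change the instance files to match the schema. `microvm.num` and `wireguard` are declared but no instance in this commit sets them, so a one-line comment on their purpose would help.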
@@ -284,10 +286,8 @@ in emailNoReply = "noreply"; servicePath = "/mnt/media/NAS1"; mntPath = "/mnt/storage"; - varLib = var; varPath = var; sslPath = "${var}/acme"; - sopsPath = "${var}/secrets"; secretPath = "/run/secrets"; cachePath = "/var/cache"; dummy = ""; diff --git a/modules/config/instances/config/firefly-iii.nix b/modules/config/instances/config/firefly-iii.nix index 2b0cc44..5c59318 100755 --- a/modules/config/instances/config/firefly-iii.nix +++ b/modules/config/instances/config/firefly-iii.nix 
@@ -10,53 +10,59 @@ let ; label = "Firefly-III"; name = "firefly-iii"; - subdomain = "finances"; - domain = "${subdomain}.${domain0}"; - secrets = "${secretPath}/${name}"; - ssl = "${sslPath}/${domain}"; in { label = label; name = name; short = label; - email = { - address0 = "noreply@${domain0}"; - }; - domains = { - url0 = domain; - }; tags = [ "firefly-iii" "finances" "money" ]; - subdomain = subdomain; ports = { port0 = 8084; port1 = 8081; }; - interface = { - id = "vm-${name}"; - mac = "02:00:00:00:54:04"; - idUser = "vmuser-firefly"; - macUser = "02:00:00:00:00:04"; - ip = "192.168.50.114"; - gate = "192.168.50.1"; - ssh = 2204; - }; - ssl = { - path = ssl; - cert = "${ssl}/fullchain.pem"; - key = "${ssl}/key.pem"; - }; - varPaths = { - path0 = "${varPath}/${name}"; - path1 = "${cachePath}/${name}"; - }; - mntPaths = { - path0 = "${mntPath}/${name}"; - }; - secretPaths = { - path0 = secrets; + interfaces = { + interface0 = + let + subdomain = "finances"; + domain = "${subdomain}.${domain0}"; + secrets = "${secretPath}/${name}"; + ssl = "${sslPath}/${domain}"; + in + { + microvm = { + id = "vm-${name}"; + mac = "02:00:00:00:54:04"; + idUser = "vmuser-firefly"; + macUser = "02:00:00:00:00:04"; + ip = "192.168.50.114"; + gate = "192.168.50.1"; + ssh = 2204; + }; + email = "noreply@${domain0}"; + domain = domain; + subdomain = subdomain; + ssl = { + path = ssl; + cert = "${ssl}/fullchain.pem"; + key = "${ssl}/key.pem"; + }; + paths = { + varPaths = { + path0 = "${varPath}/${name}"; + path1 = "${cachePath}/${name}"; + }; + mntPaths = { + path0 = "${mntPath}/${name}"; + }; + secretPaths = { + path0 = secrets; + }; + + }; + }; }; } diff --git a/modules/config/instances/config/forgejo.nix b/modules/config/instances/config/forgejo.nix index ef11631..2df65ef 100755 --- a/modules/config/instances/config/forgejo.nix +++ b/modules/config/instances/config/forgejo.nix 
@@ -11,22 +11,11 @@ let name = "forgejo"; label = "Forgejo"; - subdomain = "source"; - domain = "${subdomain}.${domain1}"; - secrets = "${secretPath}/${name}"; - ssl = "${sslPath}/${domain}"; in { name = name; label = label; short = label; - email = { - address0 = "${emailNoReply}@${domain1}"; - }; - domains = { - url0 = domain; - }; - subdomain = subdomain; tags = [ name "forge" @@ -35,28 +24,43 @@ in ports = { port0 = 3033; }; - interface = { - id = "vm-${name}"; - mac = "02:00:00:00:53:03"; - idUser = "vmuser-${name}"; - macUser = "02:00:00:00:00:03"; - ip = "192.168.50.113"; - gate = "192.168.50.1"; - ssh = 2203; - }; - - ssl = { - path = ssl; - cert = "${ssl}/fullchain.pem"; - key = "${ssl}/key.pem"; - }; - varPaths = { - path0 = "${varPath}/${name}"; - }; - mntPaths = { - path0 = "${mntPath}/${name}"; - }; - secretPaths = { - path0 = secrets; + interfaces = { + interface0 = + let + subdomain = "source"; + domain = "${subdomain}.${domain1}"; + secrets = "${secretPath}/${name}"; + ssl = "${sslPath}/${domain}"; + in + { + domains = domain; + subdomain = subdomain; + email = "${emailNoReply}@${domain1}"; + microvm = { + id = "vm-${name}"; + mac = "02:00:00:00:53:03"; + idUser = "vmuser-${name}"; + macUser = "02:00:00:00:00:03"; + ip = "192.168.50.113"; + gate = "192.168.50.1"; + ssh = 2203; + }; + ssl = { + path = ssl; + cert = "${ssl}/fullchain.pem"; + key = "${ssl}/key.pem"; + }; + paths = { + varPaths = { + path0 = "${varPath}/${name}"; + }; + mntPaths = { + path0 = "${mntPath}/${name}"; + }; + secretPaths = { + path0 = secrets; + }; + }; + }; }; } diff --git a/modules/config/instances/config/jellyfin.nix b/modules/config/instances/config/jellyfin.nix index 09e6462..ca64071 100755 --- a/modules/config/instances/config/jellyfin.nix +++ b/modules/config/instances/config/jellyfin.nix 
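Review bot: In the new `interface0` block the domain is assigned as `domains = domain;`, but the schema added in modules/config/default.nix names the field `domain`, and firefly-iii.nix and jellyfin.nix use `domain = domain;`. The same spelling is in mastodon.nix. As written the value ends up under an attribute that consumers presumably do not read, so the hostname and anything derived from it may be left unset; change both files to `domain = domain;`.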
@@ -9,19 +9,11 @@ let ; label = "Jellyfin"; name = "jellyfin"; - domain = "${name}.${domain0}"; - ssl = "${sslPath}/${name}.${domain0}"; in { label = label; name = name; short = "Jelly"; - email = { - address0 = "noreply@${domain0}"; - }; - domains = { - url0 = domain; - }; tags = [ "jelly" "video" @@ -30,32 +22,42 @@ in "shows" "music" ]; - subdomain = name; ports = { port0 = 8096; # Jellyfin HTTP port1 = 5055; # Jellyseer port2 = 8920; # Jellyfin HTTPS }; - interface = { - id = "vm-${name}"; - mac = "02:00:00:00:52:02"; - idUser = "vmuser-${name}"; - macUser = "02:00:00:00:00:02"; - ip = "192.168.50.112"; - gate = "192.168.50.1"; - ssh = 2202; - }; - ssl = { - path = ssl; - cert = "${ssl}/fullchain.pem"; - key = "${ssl}/key.pem"; - }; - varPaths = { - path0 = "${varPath}/${name}"; - path1 = "${cachePath}/${name}"; - path2 = "${varPath}/${name}-media"; - }; - mntPaths = { - path0 = "${mntPath}/${name}"; + interfaces = { + interface0 = + let + domain = "${name}.${domain0}"; + ssl = "${sslPath}/${name}.${domain0}"; + in + { + domain = domain; + subdomain = name; + email = "noreply@${domain0}"; + microvm = { + id = "vm-${name}"; + mac = "02:00:00:00:52:02"; + idUser = "vmuser-${name}"; + macUser = "02:00:00:00:00:02"; + ip = "192.168.50.112"; + gate = "192.168.50.1"; + ssh = 2202; + }; + paths = { + varPaths = { + }; + mntPaths = { + path0 = "${mntPath}/${name}"; + }; + }; + ssl = { + path = ssl; + cert = "${ssl}/fullchain.pem"; + key = "${ssl}/key.pem"; + }; + }; }; } diff --git a/modules/config/instances/config/mastodon.nix b/modules/config/instances/config/mastodon.nix index 8aa4d3b..b908ab9 100755 --- a/modules/config/instances/config/mastodon.nix +++ b/modules/config/instances/config/mastodon.nix 
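Review bot: `paths.varPaths` is left as an empty set in the new `interface0`, while the removed code defined `path0`, `path1` and `path2` (`${varPath}/${name}`, `${cachePath}/${name}`, `${varPath}/${name}-media`). If the guest module still reads those keys (it is not part of this hunk), evaluation will fail or the state directories will no longer be provisioned. Either restore the three entries under `paths.varPaths` or add a comment such as `# intentionally empty: state now lives under mntPaths` so the omission is clearly deliberate.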
@@ -10,22 +10,11 @@ let ; label = "Mastodon"; name = "mastodon"; - subdomain = "social"; - domain = "${subdomain}.${domain1}"; - secrets = "${secretPath}/${name}"; - ssl = "${sslPath}/${domain}"; in { label = label; name = name; short = "Mast"; - email = { - address0 = "noreply@${domain1}"; - }; - domains = { - url0 = domain; - }; - subdomain = subdomain; tags = [ name "mast" @@ -35,27 +24,43 @@ in port0 = 80; }; interface = { - id = "vm-${name}"; - mac = "02:00:00:00:55:05"; - idUser = "vmuser-mastodon"; - macUser = "02:00:00:00:00:05"; - ip = "192.168.50.115"; - gate = "192.168.50.1"; - ssh = 2205; - }; - ssl = { - path = ssl; - cert = "${ssl}/fullchain.pem"; - key = "${ssl}/key.pem"; - }; - varPaths = { - path0 = "${varPath}/${name}"; - path1 = "${cachePath}/${name}"; - }; - mntPaths = { - path0 = "${mntPath}/${name}"; - }; - secretPaths = { - path0 = secrets; + interface0 = + let + subdomain = "social"; + domain = "${subdomain}.${domain1}"; + secrets = "${secretPath}/${name}"; + ssl = "${sslPath}/${domain}"; + in + { + domains = domain; + subdomain = subdomain; + email = "noreply@${domain1}"; + microvm = { + id = "vm-${name}"; + mac = "02:00:00:00:55:05"; + idUser = "vmuser-mastodon"; + macUser = "02:00:00:00:00:05"; + ip = "192.168.50.115"; + gate = "192.168.50.1"; + ssh = 2205; + }; + ssl = { + path = ssl; + cert = "${ssl}/fullchain.pem"; + key = "${ssl}/key.pem"; + }; + paths = { + varPaths = { + path0 = "${varPath}/${name}"; + path1 = "${cachePath}/${name}"; + }; + mntPaths = { + path0 = "${mntPath}/${name}"; + }; + secretPaths = { + path0 = secrets; + }; + }; + }; }; } diff --git a/modules/config/instances/config/minecraft.nix b/modules/config/instances/config/minecraft.nix new file mode 100755 index 0000000..67e0d09 --- /dev/null +++ b/modules/config/instances/config/minecraft.nix 
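Review bot: The attribute that now holds `interface0` is still spelled `interface` here, but the schema change in modules/config/default.nix removes the `interface` option and adds `interfaces`; firefly-iii, forgejo, jellyfin and syncthing were renamed, this file was not. The same leftover is in ollama.nix, opencloud.nix, photoprism.nix, qbittorrent.nix, vaultwarden.nix, website.nix and zookeeper.nix. Rename each to `interfaces = {` so the microVM identity, TLS paths and secret paths are defined under the declared option.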
@@ -0,0 +1,73 @@
+{ moduleFunctions }:
+let
+ inherit (moduleFunctions.instancesFunctions)
+ varPath
+ mntPath
+ secretPath
+ ;
+ label = "Minecraft";
+ name = "minecraft";
+in
+{
+ label = label;
+ name = name;
+ ports = {
+ };
+ interfaces = {
+ interface0 =
+ let
+ world = "world0";
+ in
+ {
+ microvm = {
+ id = "vm-${world}";
+ mac = "02:00:00:00:51:41";
+ idUser = "vmuser-${world}";
+ macUser = "02:00:00:00:00:41";
+ ip = "192.168.50.141";
+ gate = "192.168.50.1";
+ ssh = 2401;
+ port = 43000;
+ };
+ paths = {
+ varPaths = {
+ path0 = "${varPath}/${name}";
+ };
+ mntPaths = {
+ path0 = "${mntPath}/${name}/${world}";
+ };
+ secretPaths = {
+ path0 = "${secretPath}/${name}";
+ };
+ };
+ };
+ interface1 =
+ let
+ world = "world1";
+ in
+ {
+ microvm = {
+ id = "vm-${world}";
+ mac = "02:00:00:00:51:42";
+ idUser = "vmuser-${world}";
+ macUser = "02:00:00:00:00:42";
+ ip = "192.168.50.142";
+ gate = "192.168.50.1";
+ ssh = 2402;
+ port = 43001;
+ };
+ paths = {
+ varPaths = {
+ path0 = "${varPath}/${name}";
+ };
+ mntPaths = {
+ path1 = "${mntPath}/${name}/${world}";
+ };
+ secretPaths = {
+ path0 = "${secretPath}/${name}";
+ };
+
+ };
+ };
+ };
+}
diff --git a/modules/config/instances/config/minecraft0.nix b/modules/config/instances/config/minecraft0.nix
deleted file mode 100755
index 7e43839..0000000
--- a/modules/config/instances/config/minecraft0.nix
+++ /dev/null
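Review bot: `interface1` declares its mount as `mntPaths.path1` while `interface0` uses `path0`, so code that reads `paths.mntPaths.path0` for each interface will not find the world1 mount; use `path0 = "${mntPath}/${name}/${world}";`. The listening ports moved from `ports.port0` into `microvm.port`, which `interfaceConfig` does not declare, and `ports` is now empty. Both guests also point `secretPaths.path0` at the same `${secretPath}/${name}` directory (as the deleted files did), so presumably each world's VM is given the other's secrets; a per-world path such as `"${secretPath}/${name}/${world}"` would keep them apart if the secrets differ.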
@@ -1,36 +0,0 @@
-{ moduleFunctions }:
-let
- inherit (moduleFunctions.instancesFunctions)
- varPath
- mntPath
- secretPath
- ;
- label = "Minecraft";
- name = "minecraft";
- world = "world0";
-in
-{
- label = label;
- name = name;
- ports = {
- port0 = 43000;
- };
- interface = {
- id = "vm-${world}";
- mac = "02:00:00:00:51:41";
- idUser = "vmuser-${world}";
- macUser = "02:00:00:00:00:41";
- ip = "192.168.50.141";
- gate = "192.168.50.1";
- ssh = 2401;
- };
- varPaths = {
- path0 = "${varPath}/${name}";
- };
- mntPaths = {
- path0 = "${mntPath}/${name}/${world}";
- };
- secretPaths = {
- path0 = "${secretPath}/${name}";
- };
-}
diff --git a/modules/config/instances/config/minecraft1.nix b/modules/config/instances/config/minecraft1.nix
deleted file mode 100755
index c8759f0..0000000
--- a/modules/config/instances/config/minecraft1.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ moduleFunctions }:
-let
- inherit (moduleFunctions.instancesFunctions)
- varPath
- mntPath
- secretPath
- ;
- label = "Minecraft";
- name = "minecraft";
- world = "world1";
-in
-{
- label = label;
- name = name;
- ports = {
- port0 = 43001;
- };
- interface = {
- id = "vm-${world}";
- mac = "02:00:00:00:51:42";
- idUser = "vmuser-${world}";
- macUser = "02:00:00:00:00:42";
- ip = "192.168.50.142";
- gate = "192.168.50.1";
- ssh = 2402;
- };
- varPaths = {
- path0 = "${varPath}/${name}";
- };
- mntPaths = {
- path0 = "${mntPath}/${name}/${world}";
- };
- secretPaths = {
- path0 = "${secretPath}/${name}";
- };
-}
diff --git a/modules/config/instances/config/nginx.nix b/modules/config/instances/config/nginx.nix
deleted file mode 100755
index bd5611a..0000000
--- a/modules/config/instances/config/nginx.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ moduleFunctions }:
-let
- inherit (moduleFunctions.instancesFunctions)
- sopsPath
- ;
-
- label = "Nginx";
- name = "nginx";
-in
-{
- label = label;
- name = name;
- sops = {
- path0 = "${sopsPath}/${name}";
- };
- ports = {
- port0 = 8080;
- };
-}
diff --git a/modules/config/instances/config/ollama.nix b/modules/config/instances/config/ollama.nix index 8498166..7715afa 100755 --- a/modules/config/instances/config/ollama.nix +++ b/modules/config/instances/config/ollama.nix @@ -9,18 +9,11 @@ let ; label = "Ollama"; name = "ollama"; - domain = "${name}.${domain0}"; - secrets = "${secretPath}/${name}"; - ssl = "${sslPath}/${domain}"; in { label = label; name = name; short = label; - domains = { - url0 = domain; - }; - subdomain = name; tags = [ name "chat" @@ -31,26 +24,40 @@ in port1 = 11434; # Ollama API }; interface = { - id = "vm-${name}"; - mac = "02:00:00:00:56:08"; - idUser = "vmuser-${name}"; - macUser = "02:00:00:00:00:08"; - ip = "192.168.50.118"; - gate = "192.168.50.1"; - ssh = 2208; - }; - ssl = { - path = ssl; - cert = "${ssl}/fullchain.pem"; - key = "${ssl}/key.pem"; - }; - varPaths = { - path0 = "${varPath}/${name}"; - }; - mntPaths = { - path0 = "${mntPath}/${name}"; - }; - secretPaths = { - path0 = secrets; + interface0 = + let + domain = "${name}.${domain0}"; + secrets = "${secretPath}/${name}"; + ssl = "${sslPath}/${domain}"; + in + { + domain = domain; + subdomain = name; + microvm = { + id = "vm-${name}"; + mac = "02:00:00:00:56:08"; + idUser = "vmuser-${name}"; + macUser = "02:00:00:00:00:08"; + ip = "192.168.50.118"; + gate = "192.168.50.1"; + ssh = 2208; + }; + ssl = { + path = ssl; + cert = "${ssl}/fullchain.pem"; + key = "${ssl}/key.pem"; + }; + paths = { + varPaths = { + path0 = "${varPath}/${name}"; + }; + mntPaths = { + path0 = "${mntPath}/${name}"; + }; + secretPaths = { + path0 = secrets; + }; + }; + }; }; } diff --git a/modules/config/instances/config/opencloud.nix b/modules/config/instances/config/opencloud.nix new file mode 100755 index 0000000..f4b5db0 --- /dev/null +++ b/modules/config/instances/config/opencloud.nix 
@@ -0,0 +1,98 @@
+{ moduleFunctions }:
+let
+ inherit (moduleFunctions.instancesFunctions)
+ domain0
+ sslPath
+ varPath
+ mntPath
+ secretPath
+ ;
+ label = "OpenCloud";
+ name = "opencloud";
+ short = "cloud";
+in
+{
+ label = label;
+ name = name;
+ short = "Cloud";
+ tags = [
+ name
+ "opencloud"
+ "cloud"
+ ];
+ ports = {
+ port0 = 9200;
+ };
+ interface = {
+ interface0 =
+ let
+ domain = "${short}.${domain0}";
+ secrets = "${secretPath}/${name}";
+ ssl = "${sslPath}/${domain}";
+ in
+ {
+ domain = domain;
+ subdomain = short;
+ microvm = {
+ id = "vm-${short}";
+ mac = "02:00:00:00:56:09";
+ idUser = "vmuser-${short}";
+ macUser = "02:00:00:00:00:09";
+ ip = "192.168.50.119";
+ gate = "192.168.50.1";
+ ssh = 2209;
+ };
+ ssl = {
+ path = ssl;
+ cert = "${ssl}/fullchain.pem";
+ key = "${ssl}/key.pem";
+ };
+ paths = {
+ varPaths = {
+ path0 = "${varPath}/${name}";
+ };
+ mntPaths = {
+ path0 = "${mntPath}/${name}";
+ };
+ secretPaths = {
+ path0 = secrets;
+ };
+ };
+ };
+ interface1 =
+ let
+ domain = "${short}.${domain0}";
+ secrets = "${secretPath}/${name}";
+ ssl = "${sslPath}/${name}.${domain0}";
+ in
+ {
+ domain = domain;
+ subdomain = short;
+ microvm = {
+ id = "vm-${short}";
+ mac = "02:00:00:00:56:06";
+ idUser = "vmuser-${short}";
+ macUser = "02:00:00:00:00:06";
+ ip = "192.168.50.116";
+ gate = "192.168.50.1";
+ ssh = 2206;
+ };
+ ssl = {
+ path = ssl;
+ cert = "${ssl}/fullchain.pem";
+ key = "${ssl}/key.pem";
+ };
+ paths = {
+ varPaths = {
+ path0 = "${varPath}/${name}";
+ };
+ mntPaths = {
+ path0 = "${mntPath}/${name}";
+ };
+ secretPaths = {
+ path0 = secrets;
+ };
+ };
+ };
+ };
+}
diff --git a/modules/config/instances/config/opencloud0.nix b/modules/config/instances/config/opencloud0.nix
deleted file mode 100755
index 1667681..0000000
--- a/modules/config/instances/config/opencloud0.nix
+++ /dev/null
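Review bot: `interface0` and `interface1` both evaluate `microvm.id` to `vm-cloud` and `idUser` to `vmuser-cloud`, and both claim the domain `cloud.${domain0}`, now inside a single instance. If these ids name the VM or its tap devices (the consumer is not visible here), the two guests will collide, so the second one needs a distinct id. In `interface1` the TLS directory is built from `${name}` (`"${sslPath}/${name}.${domain0}"`, carried over from the deleted opencloud1.nix) while the served domain is built from `${short}`, so the certificate path does not correspond to the domain; `ssl = "${sslPath}/${domain}";` as in `interface0` looks intended.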
@@ -1,56 +0,0 @@
-{ moduleFunctions }:
-let
- inherit (moduleFunctions.instancesFunctions)
- domain0
- sslPath
- varPath
- mntPath
- secretPath
- ;
- label = "OpenCloud";
- name = "opencloud";
- short = "cloud";
- domain = "${short}.${domain0}";
- secrets = "${secretPath}/${name}";
- ssl = "${sslPath}/${domain}";
-in
-{
- label = label;
- name = name;
- short = "Cloud";
- domains = {
- url0 = domain;
- };
- subdomain = short;
- tags = [
- name
- "opencloud"
- "cloud"
- ];
- ports = {
- port0 = 9200;
- };
- interface = {
- id = "vm-${short}";
- mac = "02:00:00:00:56:09";
- idUser = "vmuser-${short}";
- macUser = "02:00:00:00:00:09";
- ip = "192.168.50.119";
- gate = "192.168.50.1";
- ssh = 2209;
- };
- ssl = {
- path = ssl;
- cert = "${ssl}/fullchain.pem";
- key = "${ssl}/key.pem";
- };
- varPaths = {
- path0 = "${varPath}/${name}";
- };
- mntPaths = {
- path0 = "${mntPath}/${name}";
- };
- secretPaths = {
- path0 = secrets;
- };
-}
diff --git a/modules/config/instances/config/opencloud1.nix b/modules/config/instances/config/opencloud1.nix
deleted file mode 100755
index b98bf6b..0000000
--- a/modules/config/instances/config/opencloud1.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{ moduleFunctions }:
-let
- inherit (moduleFunctions.instancesFunctions)
- domain0
- sslPath
- varPath
- mntPath
- secretPath
- ;
- label = "OpenCloud";
- name = "opencloud";
- short = "cloud";
- domain = "${short}.${domain0}";
- secrets = "${secretPath}/${name}";
- ssl = "${sslPath}/${name}.${domain0}";
-in
-{
- label = label;
- name = name;
- short = "Cloud";
- domains = {
- url0 = domain;
- };
- subdomain = short;
- tags = [
- name
- "opencloud"
- "cloud"
- ];
- ports = {
- port0 = 9200;
- };
- interface = {
- id = "vm-${short}";
- mac = "02:00:00:00:56:06";
- idUser = "vmuser-${short}";
- macUser = "02:00:00:00:00:06";
- ip = "192.168.50.116";
- gate = "192.168.50.1";
- ssh = 2206;
- };
- ssl = {
- path = ssl;
- cert = "${ssl}/fullchain.pem";
- key = "${ssl}/key.pem";
- };
- varPaths = {
- path0 = "${varPath}/${name}";
- };
- mntPaths = {
- path0 = "${mntPath}/${name}";
- };
- secretPaths = {
- path0 = secrets;
- };
-}
diff --git a/modules/config/instances/config/photoprism.nix b/modules/config/instances/config/photoprism.nix
new file mode 100644
index 0000000..11ac3af
--- /dev/null
+++ b/modules/config/instances/config/photoprism.nix
@@ -0,0 +1,63 @@
+{ moduleFunctions }:
+let
+ inherit (moduleFunctions.instancesFunctions)
+ domain0
+ sslPath
+ varPath
+ mntPath
+ secretPath
+ ;
+ label = "Photoprism";
+ name = "photoprism";
+ short = "prism";
+in
+{
+ label = label;
+ name = name;
+ short = label;
+ tags = [
+ name
+ "photo"
+ "images"
+ ];
+ ports = {
+ port0 = 3030;
+ };
+ interface = {
+ interface0 =
+ let
+ domain = "${short}.${domain0}";
+ secrets = "${secretPath}/${name}";
+ ssl = "${sslPath}/${domain}";
+ in
+ {
+ domain = domain;
+ subdomain = short;
+ microvm = {
+ id = "vm-${short}";
+ mac = "02:00:00:00:56:11";
+ idUser = "vmuser-${short}";
+ macUser = "02:00:00:00:00:11";
+ ip = "192.168.50.121";
+ gate = "192.168.50.1";
+ ssh = 2211;
+ };
+ ssl = {
+ path = ssl;
+ cert = "${ssl}/fullchain.pem";
+ key = "${ssl}/key.pem";
+ };
+ paths = {
+ varPaths = {
+ path0 = "${varPath}/${label}";
+ };
+ mntPaths = {
+ path0 = "${mntPath}/${name}";
+ };
+ secretPaths = {
+ path0 = secrets;
+ };
+ };
+ };
+ };
+}
diff --git a/modules/config/instances/config/postgresql.nix b/modules/config/instances/config/postgresql.nix
deleted file mode 100755
index a415d27..0000000
--- a/modules/config/instances/config/postgresql.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ moduleFunctions }:
-let
- inherit (moduleFunctions.instancesFunctions)
- servicePath
- sopsPath
- ;
-
- label = "PostgreSQL";
- name = "postgres";
-in
-{
- label = label;
- name = name;
- sops = {
- path0 = "${sopsPath}/${name}";
- };
- paths = {
- path0 = "${servicePath}/${label}";
- };
- ports = {
- port0 = 5432;
- };
-}
diff --git a/modules/config/instances/config/projectSite.nix b/modules/config/instances/config/projectSite.nix
index 1697b59..485a104 100755
--- a/modules/config/instances/config/projectSite.nix
+++ b/modules/config/instances/config/projectSite.nix
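Review bot: In photoprism.nix `ports.port0 = 3030` is the same value qbittorrent.nix already uses for its `port0`, so if both services are published through the same host or reverse proxy one of them will be unreachable or routed to the wrong backend; pick an unused port. `varPaths.path0` is built from `${label}` (`Photoprism`) while the mount and secret paths use `${name}`, which looks copied from qbittorrent.nix; `path0 = "${varPath}/${name}";` would be consistent with the other instances.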
@@ -7,40 +7,38 @@ let ; label = "ProjectSite"; name = "projectsite"; - domain = "${name}.${domain0}"; in { label = label; name = name; short = "Project"; - email = { - address0 = "noreply@${domain0}"; - }; - domains = { - url0 = domain; - }; tags = [ "project" ]; - subdomain = name; ports = { port0 = 1334; }; - interface = { - id = "vm-project"; - mac = "02:00:00:00:52:22"; - idUser = "vmuser-project"; - macUser = "02:00:00:00:00:22"; - ip = "192.168.50.212"; - gate = "192.168.50.1"; - ssh = 2299; - }; - varPaths = { - path0 = "${varPath}/${name}"; - path1 = "${varPath}/${name}/dist"; - - }; - mntPaths = { - path0 = "${mntPath}/${name}"; + interfaces = { + interface0 = { + email = "noreply@${domain0}"; + microvm = { + id = "vm-project"; + mac = "02:00:00:00:52:22"; + idUser = "vmuser-project"; + macUser = "02:00:00:00:00:22"; + ip = "192.168.50.212"; + gate = "192.168.50.1"; + ssh = 2299; + }; + paths = { + varPaths = { + path0 = "${varPath}/${name}"; + path1 = "${varPath}/${name}/dist"; + }; + mntPaths = { + path0 = "${mntPath}/${name}"; + }; + }; + }; }; } diff --git a/modules/config/instances/config/prompter.nix b/modules/config/instances/config/prompter.nix deleted file mode 100755 index a58be9e..0000000 --- a/modules/config/instances/config/prompter.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ moduleFunctions }: -let - inherit (moduleFunctions.instancesFunctions) - domain0 - sslPath - sopsPath - ; - - label = "Prompter"; - name = "prompter"; - subdomain = "prompter"; - domain = "${subdomain}.${domain0}"; -in -{ - label = label; - name = name; - short = "upRoot"; - sops = { - path0 = "${sopsPath}/${name}"; - }; - domains = { - url0 = domain; - }; - subdomain = subdomain; - tags = [ - name - "blog" - ]; - paths = { - path0 = "/var/lib/${name}/dist"; - path1 = ""; - path2 = ""; - }; - ports = { - port0 = 1234; - }; - ssl = { - cert = "${sslPath}/${domain0}/fullchain.pem"; - key = "${sslPath}/${domain0}/key.pem"; - }; -} 
diff --git a/modules/config/instances/config/qbittorrent.nix b/modules/config/instances/config/qbittorrent.nix index 61ff528..a56dc5c 100755 --- a/modules/config/instances/config/qbittorrent.nix +++ b/modules/config/instances/config/qbittorrent.nix @@ -10,18 +10,11 @@ let label = "qBittorrent"; name = "qbittorrent"; short = "share"; - domain = "${short}.${domain0}"; - secrets = "${secretPath}/${name}"; - ssl = "${sslPath}/${domain}"; in { label = label; name = name; short = label; - domains = { - url0 = domain; - }; - subdomain = short; tags = [ name "torrent" @@ -31,26 +24,40 @@ in port0 = 3030; }; interface = { - id = "vm-${short}"; - mac = "02:00:00:00:56:07"; - idUser = "vmuser-${short}"; - macUser = "02:00:00:00:00:07"; - ip = "192.168.50.117"; - gate = "192.168.50.1"; - ssh = 2207; - }; - ssl = { - path = ssl; - cert = "${ssl}/fullchain.pem"; - key = "${ssl}/key.pem"; - }; - varPaths = { - path0 = "${varPath}/${label}"; - }; - mntPaths = { - path0 = "${mntPath}/${name}"; - }; - secretPaths = { - path0 = secrets; + interface0 = + let + domain = "${short}.${domain0}"; + secrets = "${secretPath}/${name}"; + ssl = "${sslPath}/${domain}"; + in + { + domain = domain; + subdomain = short; + microvm = { + id = "vm-${short}"; + mac = "02:00:00:00:56:07"; + idUser = "vmuser-${short}"; + macUser = "02:00:00:00:00:07"; + ip = "192.168.50.117"; + gate = "192.168.50.1"; + ssh = 2207; + }; + ssl = { + path = ssl; + cert = "${ssl}/fullchain.pem"; + key = "${ssl}/key.pem"; + }; + paths = { + varPaths = { + path0 = "${varPath}/${label}"; + }; + mntPaths = { + path0 = "${mntPath}/${name}"; + }; + secretPaths = { + path0 = secrets; + }; + }; + }; }; } diff --git a/modules/config/instances/config/samba.nix b/modules/config/instances/config/samba.nix deleted file mode 100755 index 52ff70f..0000000 --- a/modules/config/instances/config/samba.nix +++ /dev/null 
@@ -1,21 +0,0 @@ -{ moduleFunctions }: -let - inherit (moduleFunctions.instancesFunctions) - sopsPath - ; - - label = "Samba"; - name = "samba"; -in -{ - label = label; - name = name; - sops = { - path0 = "${sopsPath}/${name}"; - }; - paths = { - }; - ports = { - port0 = 445; # Samba - }; -} diff --git a/modules/config/instances/config/smtp.nix b/modules/config/instances/config/smtp.nix index 53707cd..ea105d3 100755 --- a/modules/config/instances/config/smtp.nix +++ b/modules/config/instances/config/smtp.nix @@ -6,20 +6,22 @@ let ; name = "smtp"; + domain = "smtp.migadu.com"; in { - hostname = "smtp.migadu.com"; name = name; ports = { port0 = 465; # TLS port1 = 587; # StartTLS }; - email = { - address0 = "noreply@${domain0}"; - address1 = "noreply@${domain1}"; - }; - records = { - record0 = "tls"; - record1 = "starttls"; + interfaces = { + interface0 = { + domain = domain; + email = "noreply@${domain0}"; + }; + interface1 = { + domain = domain; + email = "noreply@${domain1}"; + }; }; } diff --git a/modules/config/instances/config/syncthing.nix b/modules/config/instances/config/syncthing.nix index 8ba84fb..105a86c 100755 --- a/modules/config/instances/config/syncthing.nix +++ b/modules/config/instances/config/syncthing.nix @@ -2,30 +2,19 @@ let inherit (moduleFunctions.instancesFunctions) domain0 - varLib + varPath + mntPath sslPath - sopsPath + secretPath ; label = "Syncthing"; name = "syncthing"; - domain = "${name}.${domain0}"; in { label = label; name = name; short = "Sync"; - sops = { - path0 = "${sopsPath}/${name}"; - }; - paths = { - path0 = "${varLib}/${name}"; - path1 = "${varLib}/${name}/backups"; - }; - domains = { - url0 = domain; - }; - subdomain = name; tags = [ name "sync" 
@@ -36,8 +25,43 @@ in port1 = 21027; # Syncthing (Discovery) port2 = 22000; # Syncthing (Transfer) }; - ssl = { - cert = "${sslPath}/${name}.${domain0}/fullchain.pem"; - key = "${sslPath}/${name}.${domain0}/key.pem"; + interfaces = { + interface0 = + let + domain = "${name}.${domain0}"; + ssl = "${sslPath}/${domain}"; + id = "sync"; + secrets = "${secretPath}/${name}"; + in + { + domain = domain; + subdomain = name; + microvm = { + id = "vm-${id}"; + mac = "02:00:00:00:56:10"; + idUser = "vmuser-${id}"; + macUser = "02:00:00:00:00:10"; + ip = "192.168.50.120"; + gate = "192.168.50.1"; + ssh = 2210; + }; + ssl = { + cert = "${ssl}/fullchain.pem"; + key = "${ssl}/key.pem"; + path = ssl; + }; + paths = { + varPaths = { + path0 = "${varPath}/${name}"; + path1 = "${varPath}/${name}/backups"; + }; + mntPaths = { + path0 = "${mntPath}/${name}"; + }; + secretPaths = { + path0 = secrets; + }; + }; + }; }; } diff --git a/modules/config/instances/config/upRootNutrition.nix b/modules/config/instances/config/upRootNutrition.nix deleted file mode 100755 index e6e9004..0000000 --- a/modules/config/instances/config/upRootNutrition.nix +++ /dev/null @@ -1,50 +0,0 @@ -{ moduleFunctions }: -let - inherit (moduleFunctions.instancesFunctions) - domain1 - varPath - mntPath - sslPath - ; - label = "upRootNutrition"; - name = "uprootnutrition"; - ssl = "${sslPath}/${domain1}"; -in - -{ - label = label; - name = name; - short = "upRoot"; - email = { - address0 = "nick@${domain1}"; - }; - domains = { - url0 = domain1; - }; - tags = [ - name - "blog" - ]; - interface = { - id = "vm-uproot"; - mac = "02:00:00:00:52:21"; - idUser = "vmuser-uproot"; - macUser = "02:00:00:00:00:21"; - ip = "192.168.50.211"; - gate = "192.168.50.1"; - ssh = 2300; - }; - ssl = { - path = ssl; - cert = "${ssl}/fullchain.pem"; - key = "${ssl}/key.pem"; - }; - - varPaths = { - path0 = "${varPath}/${name}"; - }; - mntPaths = { - path0 = "${mntPath}/${name}"; - }; - -} 
diff --git a/modules/config/instances/config/vaultwarden.nix b/modules/config/instances/config/vaultwarden.nix index dda77af..6693809 100755 --- a/modules/config/instances/config/vaultwarden.nix +++ b/modules/config/instances/config/vaultwarden.nix @@ -9,21 +9,11 @@ let ; label = "Vaultwarden"; name = "vaultwarden"; - domain = "${name}.${domain0}"; - secrets = "${secretPath}/${name}"; - ssl = "${sslPath}/${name}.${domain0}"; in { label = label; name = name; short = "Vault"; - email = { - address0 = "noreply@${domain0}"; - }; - domains = { - url0 = domain; - }; - subdomain = name; tags = [ name "bitwarden" @@ -35,26 +25,41 @@ in port0 = 8085; }; interface = { - id = "vm-${name}"; - mac = "02:00:00:00:51:01"; - idUser = "vmuser-vault"; - macUser = "02:00:00:00:00:01"; - ip = "192.168.50.111"; - gate = "192.168.50.1"; - ssh = 2201; - }; - ssl = { - path = ssl; - cert = "${ssl}/fullchain.pem"; - key = "${ssl}/key.pem"; - }; - varPaths = { - path0 = "${varPath}/${name}"; - }; - mntPaths = { - path0 = "${mntPath}/${name}"; - }; - secretPaths = { - path0 = secrets; + interface0 = + let + domain = "${name}.${domain0}"; + secrets = "${secretPath}/${name}"; + ssl = "${sslPath}/${name}.${domain0}"; + in + { + domain = domain; + subdomain = name; + email = "noreply@${domain0}"; + microvm = { + id = "vm-${name}"; + mac = "02:00:00:00:51:01"; + idUser = "vmuser-vault"; + macUser = "02:00:00:00:00:01"; + ip = "192.168.50.111"; + gate = "192.168.50.1"; + ssh = 2201; + }; + ssl = { + path = ssl; + cert = "${ssl}/fullchain.pem"; + key = "${ssl}/key.pem"; + }; + paths = { + varPaths = { + path0 = "${varPath}/${name}"; + }; + mntPaths = { + path0 = "${mntPath}/${name}"; + }; + secretPaths = { + path0 = secrets; + }; + }; + }; }; } diff --git a/modules/config/instances/config/web.nix b/modules/config/instances/config/web.nix index 346aa82..0f888d9 100755 --- a/modules/config/instances/config/web.nix +++ b/modules/config/instances/config/web.nix 
@@ -1,19 +1,14 @@ { moduleFunctions }: let inherit (moduleFunctions.instancesFunctions) - domain0 - domain1 + dummy ; label = "Router"; in { label = label; name = "router"; - short = label; - domains = { - url0 = domain0; - url1 = domain1; - }; + short = dummy; dns = { provider0 = "namecheap"; provider1 = "cloudflare"; @@ -22,17 +17,11 @@ in "router" "asus" ]; - localhost = { + addresses = { address0 = "127.0.0.1"; # Local address1 = "0.0.0.0"; # All address2 = "192.168.50.1"; # Router address3 = "192.168.50.0"; # Router address4 = "192.168.1.0"; # Router }; - remotehost = { - address0 = "24.76.173.0"; - }; - wireguard = { - interface0 = "10.100.0.1"; - }; } diff --git a/modules/config/instances/config/website.nix b/modules/config/instances/config/website.nix new file mode 100755 index 0000000..6b1100c --- /dev/null +++ b/modules/config/instances/config/website.nix @@ -0,0 +1,54 @@ +{ moduleFunctions }: +let + inherit (moduleFunctions.instancesFunctions) + domain1 + varPath + sslPath + ; + label = "upRootNutrition"; + name = "uprootnutrition"; +in +{ + label = label; + name = name; + short = "upRoot"; + tags = [ + name + "blog" + ]; + interface = { + interface0 = + let + ssl = "${sslPath}/${domain1}"; + in + { + domain = domain1; + email = "nick@${domain1}"; + microvm = { + id = "vm-uproot"; + mac = "02:00:00:00:52:21"; + idUser = "vmuser-uproot"; + macUser = "02:00:00:00:00:21"; + ip = "192.168.50.211"; + gate = "192.168.50.1"; + ssh = 2300; + }; + ssl = { + path = ssl; + cert = "${ssl}/fullchain.pem"; + key = "${ssl}/key.pem"; + }; + }; + interface1 = { + microvm = { + id = "vm-project"; + mac = "02:00:00:00:52:22"; + idUser = "vmuser-project"; + macUser = "02:00:00:00:00:22"; + ip = "192.168.50.212"; + gate = "192.168.50.1"; + ssh = 2299; + }; + }; + }; +} diff --git a/modules/config/instances/config/wireGuard.nix b/modules/config/instances/config/wireGuard.nix index d8b6be0..2b274d0 100755 --- a/modules/config/instances/config/wireGuard.nix 
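Review bot: The new website.nix inherits `varPath` but never uses it, and neither interface has a `paths` block, whereas the deleted upRootNutrition.nix it replaces declared `varPaths.path0 = "${varPath}/${name}"` and `mntPaths.path0 = "${mntPath}/${name}"`. If a guest module still reads those paths they are now missing; either add `paths = { varPaths.path0 = "${varPath}/${name}"; };` to `interface0` (plus the mount path, with `mntPath` inherited again), or drop `varPath` from the `inherit` list if the paths are intentionally gone. `interface1` would also benefit from a one-line comment saying what `vm-project` is for, since it has no domain, TLS or paths of its own.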
+++ b/modules/config/instances/config/wireGuard.nix @@ -1,9 +1,8 @@ { moduleFunctions }: let inherit (moduleFunctions.instancesFunctions) - sopsPath + secretPath ; - label = "WireGuard"; name = "wireguard"; in @@ -11,10 +10,21 @@ in label = label; name = name; sops = { - path0 = "${sopsPath}/${name}"; }; ports = { port0 = 53; port1 = 51821; }; + addresses = { + address0 = "10.100.0.1"; + }; + interfaces = { + interface0 = { + paths = { + secretPaths = { + path0 = "${secretPath}/${name}"; + }; + }; + }; + }; } diff --git a/modules/config/instances/config/zookeeper.nix b/modules/config/instances/config/zookeeper.nix index 0aa5985..8231527 100755 --- a/modules/config/instances/config/zookeeper.nix +++ b/modules/config/instances/config/zookeeper.nix @@ -12,19 +12,24 @@ in label = label; name = name; interface = { - id = "vm-boonbot"; - mac = "02:00:00:00:53:23"; - idUser = "vmuser-boonbot"; - macUser = "02:00:00:00:00:23"; - ip = "192.168.50.213"; - gate = "192.168.50.1"; - ssh = 2303; + interface0 = { + microvm = { + id = "vm-boonbot"; + mac = "02:00:00:00:53:23"; + idUser = "vmuser-boonbot"; + macUser = "02:00:00:00:00:23"; + ip = "192.168.50.213"; + gate = "192.168.50.1"; + ssh = 2303; + }; + paths = { + varPaths = { + path0 = "${varPath}/${name}"; + }; + mntPaths = { + path0 = "${mntPath}/${name}"; + }; + }; + }; }; - varPaths = { - path0 = "${varPath}/${name}"; - }; - mntPaths = { - path0 = "${mntPath}/${name}"; - }; - } diff --git a/modules/nixos/guests/firefly-iii/default.nix b/modules/nixos/guests/firefly-iii/default.nix deleted file mode 100755 index 7c518be..0000000 --- a/modules/nixos/guests/firefly-iii/default.nix +++ /dev/null 
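Review bot: After the `path0` removal in the second wireGuard.nix hunk, the context lines `sops = {` and `};` remain, leaving an empty `sops = { };` in the instance even though this commit removes the `sops` option from `instanceSubmodule` in modules/config/default.nix. Unless the submodule accepts undeclared attributes, that leftover is an evaluation error; delete both lines. The secret location itself moves to `paths.secretPaths.path0 = "${secretPath}/${name}"`, so any consumer that read `sops.path0` has to follow it.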
@@ -1,257 +0,0 @@ -{ - flake, - config, - pkgs, - ... -}: -let - - inherit (flake.config.people) user0; - inherit (flake.config.people.users.${user0}) email; - inherit (flake.config.services) instances; - serviceCfg = instances.firefly-iii; - smtpCfg = instances.smtp; - hostCfg = instances.web; - host = serviceCfg.domains.url0; - dns = instances.web.dns.provider0; - dnsPath = "dns/${dns}"; -in -{ - microvm.vms = { - ${serviceCfg.name} = { - autostart = true; - restartIfChanged = true; - config = { - system.stateVersion = "24.05"; - time.timeZone = "America/Winnipeg"; - users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - services = { - firefly-iii = { - enable = true; - enableNginx = false; - poolConfig = { - "listen.owner" = config.services.caddy.user; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 4; - "pm.max_requests" = 500; - }; - settings = { - APP_URL = "https://${host}"; - APP_KEY_FILE = "/etc/firefly-secrets/${user0}-pass"; - DB_PASSWORD_FILE = "/etc/firefly-secrets/${user0}-data"; - DB_CONNECTION = "pgsql"; - DB_HOST = "/run/postgresql"; - DB_DATABASE = "firefly-iii"; - DB_USERNAME = "firefly-iii"; - MAIL_MAILER = smtpCfg.name; - MAIL_HOST = smtpCfg.hostname; - MAIL_PORT = smtpCfg.ports.port0; - MAIL_FROM = smtpCfg.email.address0; - MAIL_USERNAME = smtpCfg.email.address0; - MAIL_PASSWORD_FILE = "/etc/firefly-secrets/${user0}-smtp"; - MAIL_ENCRYPTION = "tls"; - SITE_OWNER = email.address2; - }; - }; - phpfpm.pools.firefly-iii.phpEnv = { - TRUSTED_PROXIES = "*"; - APP_URL = "https://${host}"; - }; - firefly-iii-data-importer = { - enable = true; - }; - caddy = { - enable = true; - virtualHosts.":80" = { - extraConfig = '' - root * ${config.services.firefly-iii.package}/public - file_server - encode gzip - php_fastcgi unix//run/phpfpm/firefly-iii.sock { - env HTTPS {http.request.header.X-Forwarded-Proto} - env HTTP_X_FORWARDED_PROTO 
{http.request.header.X-Forwarded-Proto} - } - ''; - }; - }; - postgresql = { - enable = true; - ensureDatabases = [ "firefly-iii" ]; - ensureUsers = [ - { - name = "firefly-iii"; - ensureDBOwnership = true; - } - ]; - }; - openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "prohibit-password"; - }; - }; - }; - users.users.caddy = { - extraGroups = [ "firefly-iii" ]; - }; - networking.firewall.allowedTCPPorts = [ - 22 - 80 - serviceCfg.ports.port0 - serviceCfg.ports.port1 - ]; - systemd = { - services = { - caddy = { - after = [ "phpfpm-firefly-iii.service" ]; - requires = [ "phpfpm-firefly-iii.service" ]; - }; - fix-secrets-permissions = { - description = "Fix secrets permissions for firefly-iii"; - wantedBy = [ "multi-user.target" ]; - before = [ - "firefly-iii-setup.service" - "phpfpm-firefly-iii.service" - ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - mkdir -p /etc/firefly-secrets - cp /run/secrets/${user0}-pass /etc/firefly-secrets/${user0}-pass - cp /run/secrets/${user0}-data /etc/firefly-secrets/${user0}-data - cp /run/secrets/${user0}-smtp /etc/firefly-secrets/${user0}-smtp - chmod 755 /etc/firefly-secrets - chmod 644 /etc/firefly-secrets/* - ''; - }; - systemd-networkd.wantedBy = [ "multi-user.target" ]; - }; - network = { - enable = true; - networks."20-lan" = { - matchConfig.Name = "enp0s6"; - addresses = [ - { Address = "${serviceCfg.interface.ip}/24"; } - ]; - routes = [ - { - Destination = "${hostCfg.localhost.address1}/0"; - Gateway = serviceCfg.interface.gate; - } - ]; - dns = [ - "1.1.1.1" - "8.8.8.8" - ]; - }; - }; - tmpfiles.rules = [ - "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" - ]; - }; - microvm = { - vcpu = 1; - mem = 512; - hypervisor = "qemu"; - interfaces = [ - { - type = "tap"; - id = serviceCfg.interface.id; - mac = serviceCfg.interface.mac; - } - { - type = "user"; - id = serviceCfg.interface.idUser; - mac = 
serviceCfg.interface.macUser; - } - ]; - forwardPorts = [ - { - from = "host"; - host.port = serviceCfg.interface.ssh; - guest.port = 22; - } - ]; - shares = [ - { - mountPoint = "/nix/.ro-store"; - proto = "virtiofs"; - source = "/nix/store"; - tag = "read_only_nix_store"; - } - { - mountPoint = "/var/lib/${serviceCfg.name}"; - proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}/data"; - tag = "${serviceCfg.name}_data"; - } - { - mountPoint = "/var/lib/postgresql"; - proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}/database"; - tag = "${serviceCfg.name}_database"; - } - { - mountPoint = "/run/secrets"; - proto = "virtiofs"; - source = "/run/secrets/${serviceCfg.name}"; - tag = "host_secrets"; - } - ]; - }; - }; - }; - }; - - systemd.tmpfiles.rules = [ - "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" - "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -" - "d ${serviceCfg.mntPaths.path0}/database 0751 microvm wheel - -" - ]; - - sops = { - secrets = builtins.listToAttrs ( - map - (secret: { - name = "${serviceCfg.name}/${user0}-${secret}"; - value = { - owner = "root"; - group = "root"; - mode = "0644"; - }; - }) - [ - "pass" - "data" - "smtp" - ] - ); - }; - - users.users.caddy.extraGroups = [ "acme" ]; - - security.acme.certs."${host}" = { - dnsProvider = dns; - environmentFile = config.sops.secrets.${dnsPath}.path; - group = "caddy"; - }; - - services.caddy.virtualHosts."${host}" = { - extraConfig = '' - reverse_proxy http://${serviceCfg.interface.ip}:80 { - header_up X-Forwarded-Proto https - header_up X-Forwarded-Host {host} - } - - tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} - - encode zstd gzip - ''; - }; -} diff --git a/modules/nixos/guests/forgejo/default.nix b/modules/nixos/guests/forgejo/default.nix deleted file mode 100755 index 92d47d9..0000000 --- a/modules/nixos/guests/forgejo/default.nix +++ /dev/null 
@@ -1,178 +0,0 @@ -{ - config, - flake, - ... -}: -let - inherit (flake.config.people) user0; - inherit (flake.config.services) instances; - serviceCfg = flake.config.services.instances.forgejo; - smtpCfg = flake.config.services.instances.smtp; - hostCfg = flake.config.services.instances.web; - host = serviceCfg.domains.url0; - dns0 = instances.web.dns.provider0; - dns0Path = "dns/${dns0}"; -in -{ - users.users.caddy.extraGroups = [ "acme" ]; - security.acme.certs."${host}" = { - dnsProvider = dns0; - environmentFile = config.sops.secrets.${dns0Path}.path; - group = "caddy"; - }; - microvm.vms = { - ${serviceCfg.name} = { - autostart = true; - restartIfChanged = true; - config = { - system.stateVersion = "24.05"; - time.timeZone = "America/Winnipeg"; - users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - services = { - ${serviceCfg.name} = { - enable = true; - lfs.enable = true; - secrets = { - mailer.PASSWD = "/run/secrets/smtp"; - }; - settings = { - server = { - DOMAIN = host; - ROOT_URL = "https://${host}/"; - HTTP_PORT = serviceCfg.ports.port0; - }; - # If you need to start from scratch, don't forget to turn this off again - service.DISABLE_REGISTRATION = true; - actions = { - ENABLED = true; - DEFAULT_ACTIONS_URL = "github"; - }; - mirror = { - ENABLED = true; - }; - mailer = { - ENABLED = true; - SMTP_ADDR = smtpCfg.hostname; - FROM = smtpCfg.email.address1; - USER = smtpCfg.email.address1; - PROTOCOL = "${smtpCfg.name}+${smtpCfg.records.record1}"; - SMTP_PORT = smtpCfg.ports.port1; - SEND_AS_PLAIN_TEXT = true; - USE_CLIENT_CERT = false; - }; - }; - }; - openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "prohibit-password"; - }; - }; - }; - networking.firewall.allowedTCPPorts = [ - 22 # SSH - 25 # SMTP - 139 # SMTP - 587 # SMTP - 2525 # SMTP - serviceCfg.ports.port0 - ]; - fileSystems."/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = [ - "size=4G" - 
"mode=1777" - ]; - }; - systemd = { - network = { - enable = true; - networks."20-lan" = { - matchConfig.Name = "enp0s5"; - addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ]; - routes = [ - { - Destination = "${hostCfg.localhost.address1}/0"; - Gateway = serviceCfg.interface.gate; - } - ]; - dns = [ - "1.1.1.1" - "8.8.8.8" - ]; - }; - }; - tmpfiles.rules = [ - "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" - # "Z /var/lib/postgresql 0755 postgres postgres -" - ]; - }; - systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; - microvm = { - vcpu = 1; - mem = 1024; - hypervisor = "qemu"; - interfaces = [ - { - type = "tap"; - id = serviceCfg.interface.id; - mac = serviceCfg.interface.mac; - } - { - type = "user"; - id = serviceCfg.interface.idUser; - mac = serviceCfg.interface.macUser; - } - ]; - forwardPorts = [ - { - from = "host"; - host.port = serviceCfg.interface.ssh; - guest.port = 22; - } - ]; - shares = [ - { - mountPoint = "/nix/.ro-store"; - proto = "virtiofs"; - source = "/nix/store"; - tag = "read_only_nix_store"; - } - { - mountPoint = "/var/lib/${serviceCfg.name}"; - proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}"; - tag = "${serviceCfg.name}_data"; - } - { - mountPoint = "/run/secrets"; - proto = "virtiofs"; - source = "/run/secrets/${serviceCfg.name}"; - tag = "host_secrets"; - } - ]; - }; - }; - }; - }; - systemd.tmpfiles.rules = [ - "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" - ]; - services.caddy.virtualHosts."${host}" = { - extraConfig = '' - reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} { - header_up X-Real-IP {remote_host} - } - tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} - encode zstd gzip - ''; - }; - sops.secrets = { - "${serviceCfg.name}/smtp" = { - owner = "root"; - mode = "0600"; - }; - }; -} 
diff --git a/modules/nixos/guests/jellyfin/default.nix b/modules/nixos/guests/jellyfin/default.nix
deleted file mode 100755
index 542fd63..0000000
--- a/modules/nixos/guests/jellyfin/default.nix
+++ /dev/null
@@ -1,181 +0,0 @@ -{ - config, - flake, - pkgs, - ... -}: -let - inherit (flake.config.people) user0; - inherit (flake.config.services) instances; - serviceCfg = instances.jellyfin; - hostCfg = instances.web; - dns0 = instances.web.dns.provider0; - host = serviceCfg.domains.url0; - dns0Path = "dns/${dns0}"; - id = 993; -in -{ - microvm.vms = { - ${serviceCfg.name} = { - autostart = true; - restartIfChanged = true; - config = { - system.stateVersion = "25.05"; - time.timeZone = "America/Winnipeg"; - users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - services = { - jellyfin = { - enable = true; - openFirewall = true; - }; - openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "prohibit-password"; - }; - }; - }; - users.users.jellyfin = { - isSystemUser = true; - group = serviceCfg.name; - uid = id; - }; - users.groups.jellyfin = { - gid = id; - }; - networking.firewall.allowedTCPPorts = [ - 22 - serviceCfg.ports.port0 - serviceCfg.ports.port1 - serviceCfg.ports.port2 - ]; - fileSystems."/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = [ - "size=6G" - "mode=1777" - ]; - }; - systemd = { - network = { - enable = true; - networks."20-lan" = { - matchConfig.Name = "enp0s6"; - addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ]; - routes = [ - { - Destination = "${hostCfg.localhost.address1}/0"; - Gateway = serviceCfg.interface.gate; - } - ]; - dns = [ - "1.1.1.1" - "8.8.8.8" - ]; - }; - }; - tmpfiles.rules = [ - "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" - "Z ${serviceCfg.varPaths.path2} 0755 ${serviceCfg.name} ${serviceCfg.name} -" - "d ${serviceCfg.varPaths.path1} 0755 ${serviceCfg.name} ${serviceCfg.name} -" - "Z ${serviceCfg.varPaths.path2} 0775 ${serviceCfg.name} ${serviceCfg.name} -" - ]; - }; - systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; - microvm = { - vcpu = 4; - mem = 1024 * 3; - hypervisor = 
"qemu"; - interfaces = [ - { - type = "tap"; - id = serviceCfg.interface.id; - mac = serviceCfg.interface.mac; - } - { - type = "user"; - id = serviceCfg.interface.idUser; - mac = serviceCfg.interface.macUser; - } - ]; - forwardPorts = [ - { - from = "host"; - host.port = serviceCfg.interface.ssh; - guest.port = 22; - } - ]; - shares = [ - { - mountPoint = "/nix/.ro-store"; - proto = "virtiofs"; - source = "/nix/store"; - tag = "read_only_nix_store"; - } - { - mountPoint = serviceCfg.varPaths.path0; - proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}/data"; - tag = "${serviceCfg.name}_data"; - } - { - mountPoint = serviceCfg.varPaths.path1; - proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}/cache"; - tag = "${serviceCfg.name}_cache"; - } - { - mountPoint = serviceCfg.varPaths.path2; - proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}/media"; - tag = "${serviceCfg.name}_media"; - } - ]; - }; - }; - }; - }; - security.acme.certs."${host}" = { - dnsProvider = dns0; - environmentFile = config.sops.secrets.${dns0Path}.path; - group = "caddy"; - }; - services = { - caddy = { - virtualHosts = { - "${host}" = { - extraConfig = '' - reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} { - header_up X-Real-IP {remote_host} - } - - tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} - encode zstd gzip - ''; - }; - }; - }; - }; - users = { - groups.jellyfin = { - gid = id; - members = [ user0 ]; - }; - users = { - jellyfin = { - isSystemUser = true; - group = serviceCfg.name; - uid = id; - }; - caddy.extraGroups = [ "acme" ]; - }; - }; - systemd.tmpfiles.rules = [ - "d ${serviceCfg.mntPaths.path0} 0755 microvm wheel - -" - "d ${serviceCfg.mntPaths.path0}/data 0755 microvm wheel - -" - "d ${serviceCfg.mntPaths.path0}/cache 0755 microvm wheel - -" - "d ${serviceCfg.mntPaths.path0}/media 0775 microvm wheel - -" - ]; -} 
diff --git a/modules/nixos/guests/mastodon/default.nix b/modules/nixos/guests/mastodon/default.nix
deleted file mode 100755
index 0a49d07..0000000
--- a/modules/nixos/guests/mastodon/default.nix
+++ /dev/null
@@ -1,511 +0,0 @@ -{ - flake, - config, - pkgs, - lib, - ... -}: -let - inherit (flake.config.people) user0; - inherit (flake.config.services) instances; - serviceCfg = flake.config.services.instances.mastodon; - smtpCfg = flake.config.services.instances.smtp; - hostCfg = flake.config.services.instances.web; - host = serviceCfg.domains.url0; - dns0 = instances.web.dns.provider0; - dns0Path = "dns/${dns0}"; - - fedifetcherConfig = pkgs.writeText "fedifetcher-config.json" ( - builtins.toJSON { - server = "https://${host}"; - home-timeline-length = 200; - max-followings = 80; - from-notifications = 1; - max-bookmarks = 80; - max-favourites = 40; - backfill-with-context = 1; - backfill-mentioned-users = 1; - remember-users-for-hours = 168; - remember-hosts-for-days = 30; - http-timeout = 5; - lock-hours = 24; - log-level = "INFO"; - } - ); -in -{ - # If you need to start fresh for some reason, run these to create the new Admin account: - # sudo -u mastodon mastodon-tootctl accounts create nick --email=nick@localhost --confirmed --role=Owner - # sudo -u mastodon mastodon-tootctl accounts approve nick - # If you fuck up and lose the password, use this: - # sudo mastodon-tootctl accounts modify --reset-password nick - # If you really fuck up and name yourself wrong, use this shit - # sudo mastodon-tootctl accounts modify username --remove-role - - nixpkgs.overlays = [ - (final: prev: { - mastodon = prev.mastodon.overrideAttrs (oldAttrs: { - patches = (oldAttrs.patches or [ ]) ++ [ - ./config/chars.patch - ]; - }); - }) - ]; - - microvm.vms = { - ${serviceCfg.name} = { - autostart = true; - restartIfChanged = true; - config = { - system.stateVersion = "24.05"; - time.timeZone = "America/Winnipeg"; - users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - - services = { - ${serviceCfg.name} = { - enable = true; - localDomain = host; - secretKeyBaseFile = "/etc/mastodon-secrets/pass"; - streamingProcesses = 7; - trustedProxy = 
hostCfg.localhost.address0; - automaticMigrations = true; - database = { - createLocally = true; - name = serviceCfg.name; - host = "/run/postgresql"; - user = serviceCfg.name; - passwordFile = "/etc/mastodon-secrets/database"; - }; - extraConfig = { - SINGLE_USER_MODE = "false"; - SMTP_AUTH_METHOD = "plain"; - SMTP_DELIVERY_METHOD = "smtp"; - SMTP_ENABLE_STARTTLS_AUTO = "true"; - SMTP_SSL = "false"; - }; - - # if you're starting from scratch, you gotta cd into /var/lib/mastodon and run: - # sudo -u mastodon mastodon-tootctl search deploy - - elasticsearch = { - preset = "single_node_cluster"; - host = hostCfg.localhost.address0; - port = 9200; - }; - mediaAutoRemove = { - enable = true; - olderThanDays = 14; - }; - redis = { - createLocally = true; - enableUnixSocket = true; - }; - sidekiqThreads = 25; - sidekiqProcesses = { - all = { - jobClasses = [ ]; - threads = null; - }; - default = { - jobClasses = [ "default" ]; - threads = 5; - }; - ingress = { - jobClasses = [ "ingress" ]; - threads = 5; - }; - push-pull = { - jobClasses = [ - "push" - "pull" - ]; - threads = 5; - }; - mailers = { - jobClasses = [ "mailers" ]; - threads = 5; - }; - }; - smtp = { - authenticate = true; - createLocally = false; - fromAddress = "upRootNutrition <${smtpCfg.email.address1}>"; - host = smtpCfg.hostname; - passwordFile = "/etc/mastodon-secrets/smtp"; - port = smtpCfg.ports.port1; - user = smtpCfg.email.address1; - }; - }; - opensearch.enable = true; - caddy = { - enable = true; - virtualHosts = { - ":80" = { - extraConfig = '' - handle_path /system/* { - file_server * { - root /var/lib/mastodon/public-system - } - } - - handle /api/v1/streaming/* { - reverse_proxy unix//run/mastodon-streaming/streaming.socket { - header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto} - header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host} - } - } - - route * { - file_server * { - root ${pkgs.mastodon}/public - pass_thru - } - reverse_proxy * 
unix//run/mastodon-web/web.socket { - header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto} - header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host} - } - } - - handle_errors { - root * ${pkgs.mastodon}/public - rewrite 500.html - file_server - } - - encode gzip - - header /* { - Strict-Transport-Security "max-age=31536000;" - } - - header /emoji/* Cache-Control "public, max-age=31536000, immutable" - header /packs/* Cache-Control "public, max-age=31536000, immutable" - header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable" - header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable" - ''; - }; - }; - }; - - postgresql = { - enable = true; - }; - - openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "prohibit-password"; - }; - }; - }; - - users.users = { - ${serviceCfg.name}.extraGroups = [ "postgres" ]; - caddy.extraGroups = [ serviceCfg.name ]; - fedifetcher = { - isSystemUser = true; - group = "fedifetcher"; - home = "/var/lib/fedifetcher"; - createHome = true; - }; - }; - - users.groups.fedifetcher = { }; - - networking.firewall.allowedTCPPorts = [ - 22 # SSH - 80 # Caddy - 25 # SMTP - 139 # SMTP - 587 # SMTP - 2525 # SMTP - 5432 # Postgres - ]; - - systemd = { - services = { - mastodon-init-dirs.serviceConfig.PrivateMounts = lib.mkForce false; - mastodon-web.serviceConfig.PrivateMounts = lib.mkForce false; - mastodon-streaming-1.serviceConfig.PrivateMounts = lib.mkForce false; - mastodon-streaming-2.serviceConfig.PrivateMounts = lib.mkForce false; - mastodon-streaming-3.serviceConfig.PrivateMounts = lib.mkForce false; - mastodon-streaming-4.serviceConfig.PrivateMounts = lib.mkForce false; - mastodon-streaming-5.serviceConfig.PrivateMounts = lib.mkForce false; - mastodon-streaming-6.serviceConfig.PrivateMounts = lib.mkForce false; - mastodon-streaming-7.serviceConfig.PrivateMounts = lib.mkForce false; - 
mastodon-sidekiq-all.serviceConfig.PrivateMounts = lib.mkForce false; - mastodon-sidekiq-default.serviceConfig.PrivateMounts = lib.mkForce false; - mastodon-sidekiq-ingress.serviceConfig.PrivateMounts = lib.mkForce false; - mastodon-sidekiq-mailers.serviceConfig.PrivateMounts = lib.mkForce false; - mastodon-sidekiq-push-pull.serviceConfig.PrivateMounts = lib.mkForce false; - - mastodon-elastic-search = { - description = "Recache elastic search"; - after = [ - "network-online.target" - "mastodon-web.service" - ]; - wants = [ "network-online.target" ]; - serviceConfig = { - WorkingDirectory = "/var/lib/${serviceCfg.name}"; - Type = "oneshot"; - }; - script = '' - /run/current-system/sw/bin/mastodon-tootctl search deploy --only=instances accounts tags statuses public_statuses - ''; - }; - - mastodon-copy-secrets = { - description = "Copy secrets from virtiofs to local filesystem"; - before = [ "mastodon-init-dirs.service" ]; - requiredBy = [ "mastodon-init-dirs.service" ]; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - - script = '' - mkdir -p /etc/mastodon-secrets - cp /run/secrets/pass /etc/mastodon-secrets/pass - cp /run/secrets/database /etc/mastodon-secrets/database - cp /run/secrets/redis /etc/mastodon-secrets/redis - cp /run/secrets/smtp /etc/mastodon-secrets/smtp - cp /run/secrets/fedifetcher-token /etc/mastodon-secrets/fedifetcher-token - chmod 755 /etc/mastodon-secrets - chmod 644 /etc/mastodon-secrets/* - ''; - }; - - fedifetcher = { - description = "FediFetcher - Fetch missing posts for Mastodon"; - after = [ - "network-online.target" - "mastodon-web.service" - ]; - wants = [ "network-online.target" ]; - - serviceConfig = { - Type = "oneshot"; - User = "fedifetcher"; - Group = "fedifetcher"; - WorkingDirectory = "/var/lib/fedifetcher"; - TimeoutStartSec = "300"; - PrivateTmp = true; - NoNewPrivileges = true; - ProtectSystem = "strict"; - ProtectHome = true; - ReadWritePaths = "/var/lib/fedifetcher"; - ExecStart = - let - script 
= pkgs.writeShellScript "fedifetcher-run" '' - set -e - - # Wait for Mastodon to be fully ready - for i in {1..30}; do - if ${pkgs.curl}/bin/curl -sf http://localhost:80/health >/dev/null 2>&1; then - echo "Mastodon is ready" - break - fi - echo "Waiting for Mastodon to be ready... ($i/30)" - sleep 2 - done - - export ACCESS_TOKEN=$(cat /etc/mastodon-secrets/fedifetcher-token) - ${pkgs.fedifetcher}/bin/fedifetcher \ - -c=${fedifetcherConfig} \ - --access-token="$ACCESS_TOKEN" - ''; - in - "${script}"; - }; - }; - - mastodon-init-db.serviceConfig.EnvironmentFile = "/var/lib/mastodon/.secrets_env"; - - systemd-tmpfiles-setup.after = [ "var-lib-mastodon.mount" ]; - - opensearch-install-plugins = { - description = "Install OpenSearch plugins"; - before = [ "opensearch.service" ]; - requiredBy = [ "opensearch.service" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - PLUGIN_DIR="/var/lib/opensearch/plugins/analysis-icu" - if [ ! -d "$PLUGIN_DIR" ]; then - # Create the plugins directory if it doesn't exist - mkdir -p /var/lib/opensearch/plugins - - # Install using the proper OpenSearch plugin command - export OPENSEARCH_JAVA_HOME="${pkgs.jdk17}/lib/openjdk" - ${pkgs.opensearch}/bin/opensearch-plugin install --batch analysis-icu || { - echo "Plugin installation failed, but continuing anyway" - exit 0 - } - fi - ''; - }; - }; - timers = { - mastodon-elastic-search = { - description = "Timer for Mastodon elastic search recaching"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "10min"; - OnUnitActiveSec = "60min"; - Unit = "mastodon-elastic-search.service"; - }; - }; - - fedifetcher = { - description = "Timer for FediFetcher"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "10min"; - OnUnitActiveSec = "15min"; - Unit = "fedifetcher.service"; - Persistent = true; - AccuracySec = "1min"; - }; - }; - }; - - network = { - enable = true; - networks."20-lan" = { - matchConfig.Name = "enp0s6"; - 
addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ]; - routes = [ - { - Destination = "${hostCfg.localhost.address1}/0"; - Gateway = serviceCfg.interface.gate; - } - ]; - dns = [ - "1.1.1.1" - "8.8.8.8" - ]; - }; - }; - - tmpfiles.rules = [ - "d /var/lib/mastodon 0755 mastodon mastodon -" - "Z /var/lib/mastodon 0755 mastodon mastodon -" - "Z /var/lib/postgresql 0755 postgres postgres -" - "d /var/cache/mastodon/precompile 0755 mastodon mastodon -" - "d /var/lib/mastodon/public-system 0755 mastodon mastodon -" - "d /var/lib/mastodon/public-system/accounts 0755 mastodon mastodon -" - "d /var/lib/mastodon/public-system/media_attachments 0755 mastodon mastodon -" - "d /var/lib/mastodon/public-system/media_attachments/files 0755 mastodon mastodon -" - "d /var/lib/mastodon/public-system/site_uploads 0755 mastodon mastodon -" - "d /var/lib/fedifetcher 0755 fedifetcher fedifetcher -" - ]; - }; - - microvm = { - vcpu = 2; - mem = 1024 * 6; - hypervisor = "qemu"; - interfaces = [ - { - type = "tap"; - id = serviceCfg.interface.id; - mac = serviceCfg.interface.mac; - } - { - type = "user"; - id = serviceCfg.interface.idUser; - mac = serviceCfg.interface.macUser; - } - ]; - forwardPorts = [ - { - from = "host"; - host.port = serviceCfg.interface.ssh; - guest.port = 22; - } - ]; - shares = [ - { - mountPoint = "/nix/.ro-store"; - proto = "virtiofs"; - source = "/nix/store"; - tag = "read_only_nix_store"; - } - { - mountPoint = "/var/lib/${serviceCfg.name}"; - proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}/data"; - tag = "${serviceCfg.name}_data"; - } - { - mountPoint = "/var/lib/postgresql"; - proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}/database"; - tag = "${serviceCfg.name}_database"; - } - { - mountPoint = "/run/secrets"; - proto = "virtiofs"; - source = "/run/secrets/${serviceCfg.name}"; - tag = "host_secrets"; - } - ]; - }; - }; - }; - }; - - sops = { - secrets = builtins.listToAttrs ( - map - (secret: { - name = 
"${serviceCfg.name}/${secret}"; - value = { - owner = "root"; - group = "root"; - mode = "0644"; - }; - }) - [ - "smtp" - "database" - "redis" - "pass" - "fedifetcher-token" - ] - ); - }; - - systemd.tmpfiles.rules = [ - "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" - "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -" - "d ${serviceCfg.mntPaths.path0}/database 0751 microvm wheel - -" - ]; - - services.caddy.virtualHosts."${host}" = { - extraConfig = '' - reverse_proxy http://${serviceCfg.interface.ip}:80 { - header_up X-Forwarded-Proto {scheme} - header_up X-Real-IP {remote_host} - header_up X-Forwarded-For {remote_host} - } - - tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} - - encode zstd gzip - ''; - }; - - users.users.caddy.extraGroups = [ "acme" ]; - - security.acme.certs."${host}" = { - dnsProvider = dns0; - environmentFile = config.sops.secrets.${dns0Path}.path; - group = "caddy"; - }; -} diff --git a/modules/nixos/guests/minecraft/world0/default.nix b/modules/nixos/guests/minecraft/world0/default.nix deleted file mode 100755 index ad6a2a5..0000000 --- a/modules/nixos/guests/minecraft/world0/default.nix +++ /dev/null 
@@ -1,190 +0,0 @@ -{ - flake, - pkgs, - ... -}: -let - inherit (flake.config.people) user0; - inherit (flake.config.services) instances; - serviceCfg = instances.minecraft0; - hostCfg = instances.web; - world = "world0"; -in -{ - microvm.vms = { - "${serviceCfg.name}-${world}" = { - autostart = true; - restartIfChanged = true; - config = { - system.stateVersion = "24.05"; - time.timeZone = "America/Winnipeg"; - users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - services = { - minecraft-server = { - enable = true; - eula = true; - openFirewall = true; - declarative = true; - serverProperties = { - "rcon.password" = "/etc/${serviceCfg.name}-secrets/${world}"; - allow-flight = false; - allow-nether = true; - difficulty = 2; - enable-command-block = false; - enable-rcon = true; - enable-status = true; - force-gamemode = true; - gamemode = 0; - generate-structures = true; - hardcore = false; - hide-online-players = false; - level-name = "Brix on Nix"; - level-seed = "9064150133272194"; - max-players = 10; - max-world-size = 64000000; - motd = "A cool Minecraft server powered by NixOS"; - online-mode = true; - pvp = true; - server-ip = hostCfg.localhost.address1; - server-port = serviceCfg.ports.port0; - spawn-animals = true; - spawn-monsters = true; - spawn-npcs = true; - spawn-protection = 16; - view-distance = 32; - white-list = true; - }; - whitelist = { - Hefty_Chungus = "b75a9816-d408-4c54-b226-385b59ea1cb3"; - Hefty_Chungus_Jr = "c3bf8cac-e953-4ea4-ae5f-7acb92a51a85"; - EclipseMoon01 = "adef4af7-d8c6-4627-b492-e990ea1bb993"; - Fallaryn = "d8baa117-ab58-4b07-92a5-48fb1978eb49"; - }; - }; - - openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "prohibit-password"; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ - 22 # SSH - serviceCfg.ports.port0 - ]; - - systemd = { - services = { - "${serviceCfg.name}-copy-secrets" = { - description = "Copy secrets from virtiofs to 
local filesystem"; - before = [ "minecraft-server.service" ]; - requiredBy = [ "minecraft-server.service" ]; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - mkdir -p /etc/${serviceCfg.name}-secrets - cp /run/secrets/${world} /etc/${serviceCfg.name}-secrets/${world} - chmod 755 /etc/${serviceCfg.name}-secrets - chmod 644 /etc/${serviceCfg.name}-secrets/* - ''; - }; - - }; - network = { - enable = true; - networks."20-lan" = { - matchConfig.Name = "enp0s5"; - addresses = [ - { Address = "${serviceCfg.interface.ip}/24"; } - ]; - routes = [ - { - Destination = "${hostCfg.localhost.address1}/0"; - Gateway = serviceCfg.interface.gate; - } - ]; - dns = [ - "1.1.1.1" - "8.8.8.8" - ]; - }; - }; - - tmpfiles.rules = [ - "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" - ]; - - }; - - systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; - - microvm = { - vcpu = 4; - mem = 1024 * 4; - hypervisor = "qemu"; - interfaces = [ - { - type = "tap"; - id = serviceCfg.interface.id; - mac = serviceCfg.interface.mac; - } - { - type = "user"; - id = serviceCfg.interface.idUser; - mac = serviceCfg.interface.macUser; - } - ]; - forwardPorts = [ - { - from = "host"; - host.port = serviceCfg.interface.ssh; - guest.port = 22; - } - ]; - shares = [ - { - mountPoint = "/nix/.ro-store"; - proto = "virtiofs"; - source = "/nix/store"; - tag = "read_only_nix_store"; - } - { - mountPoint = serviceCfg.varPaths.path0; - proto = "virtiofs"; - source = serviceCfg.mntPaths.path0; - tag = "${serviceCfg.name}-${world}_data"; - } - { - mountPoint = "/run/secrets"; - proto = "virtiofs"; - source = serviceCfg.secretPaths.path0; - tag = "host_secrets"; - } - ]; - }; - }; - }; - }; - - sops.secrets = { - "${serviceCfg.name}/${world}" = { - owner = "root"; - mode = "0600"; - }; - }; - - networking.firewall.allowedTCPPorts = [ serviceCfg.ports.port0 ]; - - systemd = { - tmpfiles.rules = [ - "d ${serviceCfg.mntPaths.path0} 0751 
microvm wheel - -" - ]; - }; - -} diff --git a/modules/nixos/guests/minecraft/world1/default.nix b/modules/nixos/guests/minecraft/world1/default.nix deleted file mode 100755 index a57266b..0000000 --- a/modules/nixos/guests/minecraft/world1/default.nix +++ /dev/null 
@@ -1,188 +0,0 @@ -{ - flake, - pkgs, - ... -}: -let - inherit (flake.config.people) user0; - inherit (flake.config.services) instances; - serviceCfg = instances.minecraft1; - hostCfg = instances.web; - world = "world1"; -in -{ - microvm.vms = { - "${serviceCfg.name}-${world}" = { - autostart = true; - restartIfChanged = true; - config = { - system.stateVersion = "24.05"; - time.timeZone = "America/Winnipeg"; - users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - services = { - minecraft-server = { - enable = true; - eula = true; - openFirewall = true; - declarative = true; - serverProperties = { - "rcon.password" = "/etc/${serviceCfg.name}-secrets/${world}"; - allow-flight = false; - allow-nether = true; - difficulty = 2; - enable-command-block = false; - enable-rcon = true; - enable-status = true; - force-gamemode = true; - gamemode = 0; - generate-structures = true; - hardcore = false; - hide-online-players = false; - level-name = "Cuddle Cubes"; - level-seed = "-2332803749585407299"; - max-players = 10; - max-world-size = 64000000; - motd = "A cool Minecraft server powered by NixOS"; - online-mode = true; - pvp = true; - server-ip = hostCfg.localhost.address1; - server-port = serviceCfg.ports.port0; - spawn-animals = true; - spawn-monsters = true; - spawn-npcs = true; - spawn-protection = 16; - view-distance = 32; - white-list = true; - }; - whitelist = { - Hefty_Chungus = "b75a9816-d408-4c54-b226-385b59ea1cb3"; - Fallaryn = "d8baa117-ab58-4b07-92a5-48fb1978eb49"; - }; - }; - - openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "prohibit-password"; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ - 22 # SSH - serviceCfg.ports.port0 - ]; - - systemd = { - services = { - "${serviceCfg.name}-copy-secrets" = { - description = "Copy secrets from virtiofs to local filesystem"; - before = [ "minecraft-server.service" ]; - requiredBy = [ "minecraft-server.service" ]; - - 
serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - mkdir -p /etc/${serviceCfg.name}-secrets - cp /run/secrets/${world} /etc/${serviceCfg.name}-secrets/${world} - chmod 755 /etc/${serviceCfg.name}-secrets - chmod 644 /etc/${serviceCfg.name}-secrets/* - ''; - }; - - }; - network = { - enable = true; - networks."20-lan" = { - matchConfig.Name = "enp0s5"; - addresses = [ - { Address = "${serviceCfg.interface.ip}/24"; } - ]; - routes = [ - { - Destination = "${hostCfg.localhost.address1}/0"; - Gateway = serviceCfg.interface.gate; - } - ]; - dns = [ - "1.1.1.1" - "8.8.8.8" - ]; - }; - }; - - tmpfiles.rules = [ - "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" - ]; - - }; - - systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; - - microvm = { - vcpu = 4; - mem = 1024 * 4; - hypervisor = "qemu"; - interfaces = [ - { - type = "tap"; - id = serviceCfg.interface.id; - mac = serviceCfg.interface.mac; - } - { - type = "user"; - id = serviceCfg.interface.idUser; - mac = serviceCfg.interface.macUser; - } - ]; - forwardPorts = [ - { - from = "host"; - host.port = serviceCfg.interface.ssh; - guest.port = 22; - } - ]; - shares = [ - { - mountPoint = "/nix/.ro-store"; - proto = "virtiofs"; - source = "/nix/store"; - tag = "read_only_nix_store"; - } - { - mountPoint = serviceCfg.varPaths.path0; - proto = "virtiofs"; - source = serviceCfg.mntPaths.path0; - tag = "${serviceCfg.name}-${world}_data"; - } - { - mountPoint = "/run/secrets"; - proto = "virtiofs"; - source = serviceCfg.secretPaths.path0; - tag = "host_secrets"; - } - ]; - }; - }; - }; - }; - - sops.secrets = { - "${serviceCfg.name}/${world}" = { - owner = "root"; - mode = "0600"; - }; - }; - - networking.firewall.allowedTCPPorts = [ serviceCfg.ports.port0 ]; - - systemd = { - tmpfiles.rules = [ - "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" - ]; - }; - -} 
diff --git a/modules/nixos/guests/ollama/default.nix b/modules/nixos/guests/ollama/default.nix
deleted file mode 100755
index 967cc87..0000000
--- a/modules/nixos/guests/ollama/default.nix
+++ /dev/null
@@ -1,162 +0,0 @@
-{
- config,
- flake,
- pkgs,
- ...
-}:
-let
- inherit (flake.config.people) user0;
- inherit (flake.config.services) instances;
- serviceCfg = instances.ollama;
- hostCfg = instances.web;
- dns0 = instances.web.dns.provider0;
- host = serviceCfg.domains.url0;
- localhost = instances.web.localhost.address1;
- dns0Path = "dns/${dns0}";
-in
-{
- microvm.vms = {
- ${serviceCfg.name} = {
- autostart = true;
- restartIfChanged = true;
- config = {
- system.stateVersion = "24.05";
- time.timeZone = "America/Winnipeg";
- users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
- services = {
- ollama = {
- enable = true;
- group = serviceCfg.name;
- host = "http://${localhost}";
- user = serviceCfg.name;
- port = serviceCfg.ports.port1;
- acceleration = "cuda";
- models = serviceCfg.varPaths.path0;
- };
- open-webui = {
- enable = true;
- host = localhost;
- port = serviceCfg.ports.port0;
- environment = {
- ENABLE_OLLAMA_API = "True";
- ANONYMIZED_TELEMETRY = "False";
- DO_NOT_TRACK = "True";
- SCARF_NO_ANALYTICS = "True";
- OLLAMA_BASE_URL = "http://${localhost}:${toString serviceCfg.ports.port1}";
- WEBUI_AUTH = "True";
- };
- };
- openssh = {
- enable = true;
- settings = {
- PasswordAuthentication = false;
- PermitRootLogin = "prohibit-password";
- };
- };
- };
- networking.firewall.allowedTCPPorts = [
- 22 # SSH
- serviceCfg.ports.port0
- ];
- systemd = {
- network = {
- enable = true;
- networks."20-lan" = {
- matchConfig.Name = "enp0s5";
- addresses = [
- { Address = "${serviceCfg.interface.ip}/24"; }
- ];
- routes = [
- {
- Destination = "${hostCfg.localhost.address1}/0";
- Gateway = serviceCfg.interface.gate;
- }
- ];
- dns = [
- "1.1.1.1"
- "8.8.8.8"
- ];
- };
- };
- tmpfiles.rules = [
- "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
- ];
- };
- systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];
- microvm = {
- vcpu = 1;
- mem = 1024 * 3;
- hypervisor = "qemu";
- interfaces = [
- {
- type = "tap";
- id = serviceCfg.interface.id;
- mac = serviceCfg.interface.mac;
- }
- {
- type = "user";
- id = serviceCfg.interface.idUser;
- mac = serviceCfg.interface.macUser;
- }
- ];
- forwardPorts = [
- {
- from = "host";
- host.port = serviceCfg.interface.ssh;
- guest.port = 22;
- }
- ];
- shares = [
- {
- mountPoint = "/nix/.ro-store";
- proto = "virtiofs";
- source = "/nix/store";
- tag = "read_only_nix_store";
- }
- {
- mountPoint = "/var/lib/private/${serviceCfg.name}";
- proto = "virtiofs";
- source = "${serviceCfg.mntPaths.path0}/data";
- tag = "${serviceCfg.name}_data";
- }
- {
- mountPoint = "/var/lib/private/open-webui";
- proto = "virtiofs";
- source = "${serviceCfg.mntPaths.path0}/config";
- tag = "${serviceCfg.name}_config";
- }
- ];
- };
- environment.systemPackages = builtins.attrValues {
- inherit (pkgs)
- yazi
- bottom
- ffmpeg
- ;
- };
- };
- };
- };
- security.acme.certs."${host}" = {
- dnsProvider = dns0;
- environmentFile = config.sops.secrets.${dns0Path}.path;
- group = "caddy";
- };
- services.caddy.virtualHosts = {
- "${host}" = {
- extraConfig = ''
- reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} {
- header_up X-Real-IP {remote_host}
- }
- tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
- encode zstd gzip
- '';
- };
- };
- users.users.caddy.extraGroups = [ "acme" ];
- systemd.tmpfiles.rules = [
- "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
- "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -"
- "d ${serviceCfg.mntPaths.path0}/config 0751 microvm wheel - -"
- ];
-}
diff --git a/modules/nixos/guests/opencloud/opencloud0/default.nix b/modules/nixos/guests/opencloud/opencloud0/default.nix
deleted file mode 100755
index 9465649..0000000
--- a/modules/nixos/guests/opencloud/opencloud0/default.nix
+++ /dev/null
@@ -1,180 +0,0 @@ -{ - flake, - pkgs, - ... -}: -let - inherit (flake.config.people) user0; - inherit (flake.config.services) instances; - serviceCfg = instances.opencloud0; - hostCfg = instances.web; - localhost = instances.web.localhost.address1; - host = serviceCfg.domains.url0; -in -{ - microvm.vms = { - opencloud = { - autostart = true; - restartIfChanged = true; - config = { - system.stateVersion = "24.05"; - time.timeZone = "America/Winnipeg"; - users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - services = { - opencloud = { - enable = true; - url = "https://${host}"; - port = serviceCfg.ports.port0; - address = localhost; - stateDir = "/var/lib/${serviceCfg.name}"; - environmentFile = "/run/secrets/env"; - }; - openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "prohibit-password"; - }; - }; - }; - networking.firewall.allowedTCPPorts = [ - 22 # SSH - 587 # SMTP - serviceCfg.ports.port0 - ]; - systemd = { - services = { - systemd-networkd.wantedBy = [ "multi-user.target" ]; - opencloud = { - path = [ pkgs.inotify-tools ]; - }; - opencloud-fix-permissions = { - description = "Fix OpenCloud storage permissions"; - after = [ "opencloud.service" ]; - serviceConfig = { - Type = "oneshot"; - ExecStart = pkgs.writeShellScript "fix-perms" '' - echo "Starting permission fix..." - OPENCLOUD_UID=$(id -u opencloud) - echo "OpenCloud UID: $OPENCLOUD_UID" - find /var/lib/opencloud/storage/users -type f ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r file; do - echo "Fixing file: $file" - chown opencloud:opencloud "$file" 2>/dev/null || true - done - find /var/lib/opencloud/storage/users -type d ! 
-uid "$OPENCLOUD_UID" 2>/dev/null | while read -r dir; do - echo "Fixing dir: $dir" - chown opencloud:opencloud "$dir" 2>/dev/null || true - done - echo "Permission fix complete" - ''; - User = "root"; - }; - }; - }; - timers.opencloud-fix-permissions = { - description = "Periodically fix OpenCloud storage permissions"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "30s"; - OnUnitActiveSec = "1min"; - Unit = "opencloud-fix-permissions.service"; - }; - }; - network = { - enable = true; - networks."20-lan" = { - matchConfig.Name = "enp0s6"; - addresses = [ - { Address = "${serviceCfg.interface.ip}/24"; } - ]; - routes = [ - { - Destination = "${hostCfg.localhost.address1}/0"; - Gateway = serviceCfg.interface.gate; - } - ]; - dns = [ - "1.1.1.1" - "8.8.8.8" - ]; - }; - }; - - tmpfiles.rules = [ - "d ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" - "z /etc/opencloud 0700 ${serviceCfg.name} ${serviceCfg.name} -" - ]; - }; - microvm = { - vcpu = 1; - mem = 1024 * 1; - hypervisor = "qemu"; - interfaces = [ - { - type = "tap"; - id = serviceCfg.interface.id; - mac = serviceCfg.interface.mac; - } - { - type = "user"; - id = serviceCfg.interface.idUser; - mac = serviceCfg.interface.macUser; - } - ]; - forwardPorts = [ - { - from = "host"; - host.port = serviceCfg.interface.ssh; - guest.port = 22; - } - ]; - shares = [ - { - mountPoint = "/nix/.ro-store"; - proto = "virtiofs"; - source = "/nix/store"; - tag = "read_only_nix_store"; - } - { - mountPoint = "/var/lib/${serviceCfg.name}"; - proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}/data"; - tag = "${serviceCfg.name}_data"; - } - { - mountPoint = "/etc/opencloud"; - proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}/config"; - tag = "${serviceCfg.name}_config"; - } - { - mountPoint = "/run/secrets"; - proto = "virtiofs"; - source = "/run/secrets/${serviceCfg.name}"; - tag = "host_secrets"; - } - ]; - }; - environment.systemPackages = builtins.attrValues { 
- inherit (pkgs) - inotify-tools - opencloud - ; - }; - }; - }; - }; - systemd = { - tmpfiles.rules = [ - "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" - "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -" - "d ${serviceCfg.mntPaths.path0}/config 0751 microvm wheel - -" - ]; - }; - sops.secrets = { - "${serviceCfg.name}/env" = { - owner = "root"; - mode = "0600"; - }; - }; -} diff --git a/modules/nixos/guests/opencloud/opencloud1/default.nix b/modules/nixos/guests/opencloud/opencloud1/default.nix deleted file mode 100755 index c3a5909..0000000 --- a/modules/nixos/guests/opencloud/opencloud1/default.nix +++ /dev/null 
@@ -1,210 +0,0 @@ -{ - config, - flake, - pkgs, - ... -}: -let - inherit (flake.config.people) user0; - inherit (flake.config.services) instances; - serviceCfg = instances.opencloud1; - hostCfg = instances.web; - dns = instances.web.dns.provider1; - localhost = instances.web.localhost.address1; - host = "${serviceCfg.subdomain}.${flake.inputs.linkpage.secrets.domains.projectsite}"; - dnsPath = "dns/${dns}"; -in -{ - microvm.vms = { - projectcloud = { - autostart = true; - restartIfChanged = true; - config = { - system.stateVersion = "24.05"; - time.timeZone = "America/Winnipeg"; - users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - services = { - opencloud = { - enable = true; - url = "https://${host}"; - port = serviceCfg.ports.port0; - address = localhost; - stateDir = "/var/lib/${serviceCfg.name}"; - environmentFile = "/run/secrets/projectenv"; - }; - openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "prohibit-password"; - }; - }; - }; - networking.firewall.allowedTCPPorts = [ - 22 # SSH - 587 # SMTP - serviceCfg.ports.port0 - ]; - systemd = { - services = { - systemd-networkd.wantedBy = [ "multi-user.target" ]; - opencloud = { - path = [ pkgs.inotify-tools ]; - }; - opencloud-fix-permissions = { - description = "Fix OpenCloud storage permissions"; - after = [ "opencloud.service" ]; - serviceConfig = { - Type = "oneshot"; - ExecStart = pkgs.writeShellScript "fix-perms" '' - echo "Starting permission fix..." - - OPENCLOUD_UID=$(id -u opencloud) - echo "OpenCloud UID: $OPENCLOUD_UID" - - find /var/lib/opencloud/storage/users -type f ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r file; do - echo "Fixing file: $file" - chown opencloud:opencloud "$file" 2>/dev/null || true - done - - find /var/lib/opencloud/storage/users -type d ! 
-uid "$OPENCLOUD_UID" 2>/dev/null | while read -r dir; do - echo "Fixing dir: $dir" - chown opencloud:opencloud "$dir" 2>/dev/null || true - done - - echo "Permission fix complete" - ''; - User = "root"; - }; - }; - }; - timers.opencloud-fix-permissions = { - description = "Periodically fix OpenCloud storage permissions"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "30s"; - OnUnitActiveSec = "1min"; - Unit = "opencloud-fix-permissions.service"; - }; - }; - network = { - enable = true; - networks."20-lan" = { - matchConfig.Name = "enp0s6"; - addresses = [ - { Address = "${serviceCfg.interface.ip}/24"; } - ]; - routes = [ - { - Destination = "${hostCfg.localhost.address1}/0"; - Gateway = serviceCfg.interface.gate; - } - ]; - dns = [ - "1.1.1.1" - "8.8.8.8" - ]; - }; - }; - tmpfiles.rules = [ - "d ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" - "z /etc/opencloud 0700 ${serviceCfg.name} ${serviceCfg.name} -" - ]; - }; - microvm = { - vcpu = 1; - mem = 1024 * 1; - hypervisor = "qemu"; - interfaces = [ - { - type = "tap"; - id = serviceCfg.interface.id; - mac = serviceCfg.interface.mac; - } - { - type = "user"; - id = serviceCfg.interface.idUser; - mac = serviceCfg.interface.macUser; - } - ]; - forwardPorts = [ - { - from = "host"; - host.port = serviceCfg.interface.ssh; - guest.port = 22; - } - ]; - shares = [ - { - mountPoint = "/nix/.ro-store"; - proto = "virtiofs"; - source = "/nix/store"; - tag = "read_only_nix_store"; - } - { - mountPoint = "/var/lib/${serviceCfg.name}"; - proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}/data"; - tag = "${serviceCfg.name}_data"; - } - { - mountPoint = "/etc/opencloud"; - proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}/config"; - tag = "${serviceCfg.name}_config"; - } - { - mountPoint = "/run/secrets"; - proto = "virtiofs"; - source = "/run/secrets/${serviceCfg.name}"; - tag = "host_secrets"; - } - ]; - }; - environment.systemPackages = builtins.attrValues { 
- inherit (pkgs) - inotify-tools - opencloud - ; - }; - }; - }; - }; - security.acme.certs."${host}" = { - dnsProvider = dns; - environmentFile = config.sops.secrets.${dnsPath}.path; - group = "caddy"; - }; - services.caddy.virtualHosts = { - "${host}" = { - extraConfig = - let - credPath = "/var/lib/acme/${host}"; - in - '' - reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} { - header_up X-Real-IP {remote_host} - } - - redir /.well-known/carddav /remote.php/dav/ 301 - redir /.well-known/caldav /remote.php/dav/ 301 - - tls ${credPath}/fullchain.pem ${credPath}/key.pem - ''; - }; - }; - users.users.caddy.extraGroups = [ "acme" ]; - systemd = { - tmpfiles.rules = [ - "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" - "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -" - "d ${serviceCfg.mntPaths.path0}/config 0751 microvm wheel - -" - ]; - }; - sops.secrets = { - "${serviceCfg.name}/projectenv" = { - owner = "root"; - mode = "0600"; - }; - }; -} diff --git a/modules/nixos/guests/projectSite/default.nix b/modules/nixos/guests/projectSite/default.nix deleted file mode 100755 index b9bb425..0000000 --- a/modules/nixos/guests/projectSite/default.nix +++ /dev/null 
@@ -1,83 +0,0 @@
-{
- config,
- flake,
- pkgs,
- ...
-}:
-let
- inherit (flake.config.people) user0;
- inherit (flake.config.services) instances;
- serviceCfg = instances.projectSite;
- host = flake.inputs.linkpage.secrets.domains.projectsite;
- websitePkg = flake.inputs.linkpage.packages.${pkgs.stdenv.hostPlatform.system}.websiteFrontend;
-in
-{
- systemd.tmpfiles.rules = [
- "d ${serviceCfg.mntPaths.path0} 0755 microvm wheel - -"
- ];
- microvm.vms.${serviceCfg.name} = {
- autostart = true;
- config = {
- system.stateVersion = "25.05";
- networking.firewall.allowedTCPPorts = [
- 22
- 80
- ];
- services.openssh = {
- enable = true;
- settings.PasswordAuthentication = false;
- };
- environment.etc."website".source = websitePkg;
- users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
- systemd = {
- network = {
- enable = true;
- networks."10-enp" = {
- matchConfig.Name = "enp0s3";
- addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ];
- gateway = [ serviceCfg.interface.gate ];
- };
- };
- };
- services.caddy = {
- enable = true;
- virtualHosts.":80".extraConfig = ''
- root * /etc/website
- file_server
- try_files {path} /index.html
- '';
- };
- microvm = {
- vcpu = 1;
- mem = 512;
- hypervisor = "qemu";
- interfaces = [
- {
- type = "tap";
- id = serviceCfg.interface.id;
- mac = serviceCfg.interface.mac;
- }
- ];
- shares = [
- {
- source = "/nix/store";
- mountPoint = "/nix/.ro-store";
- tag = "ro-store";
- proto = "virtiofs";
- }
- ];
- };
- };
- };
- services.caddy = {
- enable = true;
- virtualHosts.${host}.extraConfig = ''
- reverse_proxy ${serviceCfg.interface.ip}:80
- tls /var/lib/acme/${host}/fullchain.pem /var/lib/acme/${host}/key.pem
- '';
- };
- security.acme.certs.${host} = {
- dnsProvider = instances.web.dns.provider1;
- environmentFile = config.sops.secrets."dns/${instances.web.dns.provider1}".path;
- };
-}
diff --git a/modules/nixos/guests/qbittorrent/default.nix b/modules/nixos/guests/qbittorrent/default.nix
deleted file mode 100755
index b3e49f9..0000000
--- a/modules/nixos/guests/qbittorrent/default.nix
+++ /dev/null
@@ -1,446 +0,0 @@ -{ - config, - flake, - pkgs, - ... -}: -let - inherit (flake.config.people) user0; - inherit (flake.config.services) instances; - serviceCfg = instances.qbittorrent; - host = instances.qbittorrent.domains.url0; - dns0 = instances.web.dns.provider0; - dns0Path = "dns/${dns0}"; - torrentPort = 51820; - vpnEndpoint = "185.111.110.1"; - localNet = "192.168.50.0/24"; -in -{ - microvm.vms.${serviceCfg.name} = { - autostart = true; - config = { - system.stateVersion = "25.05"; - - # VPN Killswitch - configured BEFORE networking starts - boot.kernel.sysctl = { - "net.ipv4.ip_forward" = 1; - }; - - networking = { - # Disable default firewall - we're doing it manually - firewall.enable = false; - - wg-quick.interfaces = { - wg0 = { - address = [ "10.2.0.2/32" ]; - dns = [ "10.2.0.1" ]; - privateKeyFile = "/run/secrets/wireguard-pass"; - - peers = [ - { - publicKey = "QPfiwJQmt5VLEOh1ufLbi1lj6LUnwQY0tgDSh3pWx1k="; - endpoint = "${vpnEndpoint}:${toString torrentPort}"; - allowedIPs = [ - "0.0.0.0/0" - "::/0" - ]; - persistentKeepalive = 25; - } - ]; - - # Now we can safely open the VPN tunnel for all traffic - postUp = '' - echo "VPN UP: Opening network for VPN and local traffic" - - # Allow ALL traffic through VPN interface - ${pkgs.iptables}/bin/iptables -A INPUT -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -A OUTPUT -o wg0 -j ACCEPT - - # Allow local network traffic (WebUI, management) - ${pkgs.iptables}/bin/iptables -A INPUT -i enp0s5 -s ${localNet} -j ACCEPT - ${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -d ${localNet} -j ACCEPT - - # NAT for VPN - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE - - # Allow forwarding through VPN (for port forwarding) - ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -A FORWARD -i enp0s5 -o wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -A FORWARD -o enp0s5 -i wg0 -m conntrack --ctstate 
RELATED,ESTABLISHED -j ACCEPT - - echo "VPN UP: Network opened for VPN and local traffic" - ''; - - preDown = '' - echo "VPN DOWN: Removing VPN rules, killswitch remains active" - ${pkgs.iptables}/bin/iptables -D INPUT -i wg0 -j ACCEPT 2>/dev/null || true - ${pkgs.iptables}/bin/iptables -D OUTPUT -o wg0 -j ACCEPT 2>/dev/null || true - - ${pkgs.iptables}/bin/iptables -D INPUT -i enp0s5 -s ${localNet} -j ACCEPT 2>/dev/null || true - ${pkgs.iptables}/bin/iptables -D OUTPUT -o enp0s5 -d ${localNet} -j ACCEPT 2>/dev/null || true - - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE 2>/dev/null || true - - ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT 2>/dev/null || true - ${pkgs.iptables}/bin/iptables -D FORWARD -o wg0 -j ACCEPT 2>/dev/null || true - ${pkgs.iptables}/bin/iptables -D FORWARD -i enp0s5 -o wg0 -j ACCEPT 2>/dev/null || true - ${pkgs.iptables}/bin/iptables -D FORWARD -o enp0s5 -i wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true - - echo "VPN DOWN: Killswitch rules remain - no internet access" - ''; - }; - }; - - dhcpcd.enable = false; - useNetworkd = true; - }; - - services = { - qbittorrent = { - enable = true; - webuiPort = serviceCfg.ports.port0; - torrentingPort = torrentPort; - openFirewall = false; # We're managing firewall manually - - serverConfig = { - LegalNotice.Accepted = true; - - BitTorrent = { - Session = { - Interface = "wg0"; - InterfaceName = "wg0"; - Port = torrentPort; - MaxConnections = -1; - MaxConnectionsPerTorrent = -1; - MaxUploads = -1; - MaxUploadsPerTorrent = -1; - QueueingSystemEnabled = false; - uTPRateLimited = false; - uTPEnabled = true; - AlternativeGlobalDLSpeedLimit = 0; - AlternativeGlobalUPSpeedLimit = 0; - GlobalMaxInactiveSeedingMinutes = 10224; - GlobalMaxRatio = -1; - }; - }; - - Preferences = { - WebUI = { - Username = "user"; - Password_PBKDF2 = 
"@ByteArray(1bJKXLVSLU6kgCHbCS2lDg==:BmyrMaod6dbJqEe7Ud/JgKAxRMqzsAuEjHcTvLzIBgc5rc5Z7J2X9mbH0cDEAhXqc+O3gQxrckt8S2Gf+zlO9w==)"; - }; - - General = { - Locale = "en"; - }; - - Downloads = { - SavePath = "${serviceCfg.varPaths.path0}/downloads"; - TempPathEnabled = false; - PreAllocation = false; - }; - }; - }; - }; - - openssh = { - enable = true; - settings.PasswordAuthentication = false; - }; - }; - - users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - - systemd = { - network = { - enable = true; - networks."10-enp" = { - matchConfig.Name = "enp0s5"; - addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ]; - gateway = [ serviceCfg.interface.gate ]; - }; - }; - - tmpfiles.rules = [ - "d ${serviceCfg.varPaths.path0} 755 ${serviceCfg.name} ${serviceCfg.name} -" - "d ${serviceCfg.varPaths.path0}/downloads 755 ${serviceCfg.name} ${serviceCfg.name} -" - ]; - - services = { - # Ensure qBittorrent ONLY starts after VPN is up - qbittorrent = { - after = [ - "wg-quick-wg0.service" - "network-online.target" - ]; - requires = [ "wg-quick-wg0.service" ]; - wants = [ "network-online.target" ]; - bindsTo = [ "wg-quick-wg0.service" ]; # Stop if VPN stops - - serviceConfig = { - Restart = "on-failure"; - RestartSec = "10s"; - }; - }; - - natpmp-portforward = { - description = "NAT-PMP Port Forwarding for VPN"; - after = [ - "wg-quick-wg0.service" - "qbittorrent.service" - ]; - requires = [ - "wg-quick-wg0.service" - "qbittorrent.service" - ]; - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - Type = "simple"; - Restart = "always"; - RestartSec = "10s"; - }; - - script = '' - PASSWORD=$(cat /run/secrets/qbittorrent-pass) - echo "Waiting for qBittorrent to start..." - sleep 10 - - while true; do - echo "Requesting port forwarding from VPN..." 
- - UDP_OUTPUT=$(${pkgs.libnatpmp}/bin/natpmpc -a 1 0 udp 60 -g 10.2.0.1 2>&1) - UDP_PORT=$(echo "$UDP_OUTPUT" | ${pkgs.gnugrep}/bin/grep "Mapped public port" | ${pkgs.gawk}/bin/awk '{print $4}' | head -1) - - TCP_OUTPUT=$(${pkgs.libnatpmp}/bin/natpmpc -a 1 0 tcp 60 -g 10.2.0.1 2>&1) - TCP_PORT=$(echo "$TCP_OUTPUT" | ${pkgs.gnugrep}/bin/grep "Mapped public port" | ${pkgs.gawk}/bin/awk '{print $4}' | head -1) - - if [ -n "$UDP_PORT" ] && [ -n "$TCP_PORT" ]; then - echo "Port forwarding successful: UDP=$UDP_PORT, TCP=$TCP_PORT" - - # Clean up old dynamic rules - ${pkgs.iptables}/bin/iptables -t nat -D PREROUTING -i enp0s5 -s ${localNet} -p tcp -j DNAT 2>/dev/null || true - ${pkgs.iptables}/bin/iptables -t nat -D PREROUTING -i enp0s5 -s ${localNet} -p udp -j DNAT 2>/dev/null || true - ${pkgs.iptables}/bin/iptables -D FORWARD -i enp0s5 -o wg0 -p tcp -j ACCEPT 2>/dev/null || true - ${pkgs.iptables}/bin/iptables -D FORWARD -i enp0s5 -o wg0 -p udp -j ACCEPT 2>/dev/null || true - ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -o enp0s5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true - - # DNAT: Forward LAN traffic to qBittorrent on WireGuard interface - ${pkgs.iptables}/bin/iptables -t nat -A PREROUTING -i enp0s5 -s ${localNet} -p tcp --dport "$TCP_PORT" -j DNAT --to-destination 10.2.0.2:"$TCP_PORT" - ${pkgs.iptables}/bin/iptables -t nat -A PREROUTING -i enp0s5 -s ${localNet} -p udp --dport "$UDP_PORT" -j DNAT --to-destination 10.2.0.2:"$UDP_PORT" - - # Allow forwarding for these specific ports - ${pkgs.iptables}/bin/iptables -A FORWARD -i enp0s5 -o wg0 -d 10.2.0.2 -p tcp --dport "$TCP_PORT" -j ACCEPT - ${pkgs.iptables}/bin/iptables -A FORWARD -i enp0s5 -o wg0 -d 10.2.0.2 -p udp --dport "$UDP_PORT" -j ACCEPT - ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -o enp0s5 -s 10.2.0.2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - echo "Firewall forwarding rules updated for ports: UDP=$UDP_PORT, TCP=$TCP_PORT" - - # Update qBittorrent 
listening port via API - echo "Logging into qBittorrent API..." - COOKIE=$(${pkgs.curl}/bin/curl -s -i \ - --header "Referer: http://localhost:${toString serviceCfg.ports.port0}" \ - --data "username=user&password=$PASSWORD" \ - "http://localhost:${toString serviceCfg.ports.port0}/api/v2/auth/login" | \ - ${pkgs.gnugrep}/bin/grep -i "set-cookie" | ${pkgs.gawk}/bin/awk -F'SID=|;' '{print $2}') - - if [ -n "$COOKIE" ]; then - echo "Authentication successful, updating port..." - ${pkgs.curl}/bin/curl -s \ - --cookie "SID=$COOKIE" \ - --data "json={\"listen_port\":$UDP_PORT}" \ - "http://localhost:${toString serviceCfg.ports.port0}/api/v2/app/setPreferences" - - echo "Updated qBittorrent listening port to $UDP_PORT" - else - echo "WARNING: Failed to authenticate with qBittorrent API" - fi - else - echo "ERROR: Failed to get forwarded ports" - echo "UDP output: $UDP_OUTPUT" - echo "TCP output: $TCP_OUTPUT" - fi - - sleep 45 - done - ''; - }; - killswitch-init = { - description = "Initialize VPN Killswitch Before Network"; - wantedBy = [ "network-pre.target" ]; - before = [ - "network-pre.target" - "network.target" - ]; - after = [ "systemd-modules-load.service" ]; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - - script = '' - echo "KILLSWITCH: Setting up firewall rules BEFORE network services" - - # Default DROP everything - ${pkgs.iptables}/bin/iptables -P INPUT DROP - ${pkgs.iptables}/bin/iptables -P OUTPUT DROP - ${pkgs.iptables}/bin/iptables -P FORWARD DROP - - ${pkgs.iptables}/bin/iptables -F - ${pkgs.iptables}/bin/iptables -t nat -F - ${pkgs.iptables}/bin/iptables -X - - # Allow loopback - ${pkgs.iptables}/bin/iptables -A INPUT -i lo -j ACCEPT - ${pkgs.iptables}/bin/iptables -A OUTPUT -o lo -j ACCEPT - - # CRITICAL: Only allow WireGuard endpoint traffic before VPN is up - ${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -p udp --dport ${toString torrentPort} -d ${vpnEndpoint} -j ACCEPT - ${pkgs.iptables}/bin/iptables -A INPUT -i enp0s5 
-p udp --sport ${toString torrentPort} -s ${vpnEndpoint} -j ACCEPT - - # Allow SSH from local network (for management) - ${pkgs.iptables}/bin/iptables -A INPUT -i enp0s5 -s ${localNet} -p tcp --dport 22 -j ACCEPT - ${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -d ${localNet} -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT - - # Block IPv6 completely - ${pkgs.iptables}/bin/ip6tables -P INPUT DROP 2>/dev/null || true - ${pkgs.iptables}/bin/ip6tables -P OUTPUT DROP 2>/dev/null || true - ${pkgs.iptables}/bin/ip6tables -P FORWARD DROP 2>/dev/null || true - - echo "KILLSWITCH: Initialized - Network locked down" - ''; - }; - }; - }; - - microvm = { - vcpu = 1; - mem = 1024 * 1; - hypervisor = "qemu"; - - interfaces = [ - { - type = "tap"; - id = serviceCfg.interface.id; - mac = serviceCfg.interface.mac; - } - { - type = "user"; - id = serviceCfg.interface.idUser; - mac = serviceCfg.interface.macUser; - } - ]; - - forwardPorts = [ - { - from = "host"; - host.port = serviceCfg.interface.ssh; - guest.port = 22; - } - ]; - - shares = [ - { - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - tag = "ro-store"; - proto = "virtiofs"; - } - { - mountPoint = serviceCfg.varPaths.path0; - proto = "virtiofs"; - source = serviceCfg.mntPaths.path0; - tag = "${serviceCfg.name}_data"; - } - { - mountPoint = "/run/secrets"; - proto = "virtiofs"; - source = "/run/secrets/torrent"; - tag = "host_secrets"; - } - ]; - }; - environment.systemPackages = builtins.attrValues { - inherit (pkgs) - conntrack-tools - gawk - iptables - libnatpmp - speedtest-go - wireguard-tools - ; - }; - }; - }; - - # Host configuration remains the same - services = { - caddy = { - virtualHosts = { - "${host}" = { - extraConfig = '' - basic_auth { - {$CADDY_AUTH_USER} {$CADDY_AUTH_PASSWORD_HASH} - } - reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} - - tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} - - encode zstd gzip - ''; - }; - }; - }; - }; - - 
sops.secrets = { - "caddy/share-auth" = { - owner = "caddy"; - group = "caddy"; - mode = "0400"; - }; - "torrent/wireguard-pass" = { - owner = "root"; - mode = "0400"; - }; - "torrent/qbittorrent-pass" = { - owner = "root"; - mode = "0400"; - }; - }; - - security.acme.certs."${host}" = { - dnsProvider = dns0; - environmentFile = config.sops.secrets.${dns0Path}.path; - group = "caddy"; - }; - - users.users.caddy.extraGroups = [ "acme" ]; - - systemd = { - services.caddy = { - serviceConfig = { - EnvironmentFile = config.sops.secrets."caddy/share-auth".path; - }; - }; - - tmpfiles.rules = [ - "d ${serviceCfg.mntPaths.path0} 0755 microvm wheel - -" - "d ${serviceCfg.secretPaths.path0}/caddy 755 caddy caddy -" - "d /var/log/caddy 755 caddy caddy -" - ]; - }; - - networking.firewall = { - allowedTCPPorts = [ - 38834 - torrentPort - ]; - allowedUDPPorts = [ - 38834 - torrentPort - ]; - }; -} diff --git a/modules/nixos/guests/qbittorrent/rqbit.nix b/modules/nixos/guests/qbittorrent/rqbit.nix deleted file mode 100755 index 897e8bb..0000000 --- a/modules/nixos/guests/qbittorrent/rqbit.nix +++ /dev/null 
@@ -1,359 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; -let - cfg = config.services.rqbit; -in -{ - options.services.rqbit = { - enable = mkEnableOption "rqbit BitTorrent client"; - - package = mkOption { - type = types.package; - default = pkgs.rqbit; - defaultText = literalExpression "pkgs.rqbit"; - description = "The rqbit package to use."; - }; - - dataDir = mkOption { - type = types.path; - default = "/var/lib/rqbit"; - description = "Directory to store downloaded torrents."; - }; - - # HTTP API Configuration - httpApi = { - listenAddress = mkOption { - type = types.str; - default = "127.0.0.1"; - description = "IP address to listen on for the web UI and API."; - }; - - listenPort = mkOption { - type = types.port; - default = 3030; - description = "Port for the web UI and API."; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = "Open the firewall for the web UI port."; - }; - }; - - # BitTorrent TCP Configuration - tcp = { - minPort = mkOption { - type = types.port; - default = 4240; - description = "Minimum port for incoming BitTorrent connections."; - }; - - maxPort = mkOption { - type = types.port; - default = 4260; - description = "Maximum port for incoming BitTorrent connections."; - }; - - disable = mkOption { - type = types.bool; - default = false; - description = "Disable listening for incoming TCP connections."; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = "Open firewall ports for incoming BitTorrent connections."; - }; - }; - - # DHT Configuration - dht = { - disable = mkOption { - type = types.bool; - default = false; - description = "Disable DHT (Distributed Hash Table) for peer discovery."; - }; - - disablePersistence = mkOption { - type = types.bool; - default = false; - description = "Disable DHT state persistence (useful for multiple instances)."; - }; - }; - - # UPnP Configuration - upnp = { - disablePortForward = mkOption { - type = types.bool; 
- default = false; - description = "Disable UPnP port forwarding."; - }; - - enableServer = mkOption { - type = types.bool; - default = false; - description = "Enable UPnP Media Server to stream torrents."; - }; - - serverFriendlyName = mkOption { - type = types.nullOr types.str; - default = null; - description = "Friendly name for the UPnP server."; - example = "rqbit Media Server"; - }; - }; - - # Rate Limiting - rateLimit = { - download = mkOption { - type = types.nullOr types.int; - default = null; - description = "Download rate limit in bytes per second."; - example = 1048576; # 1 MB/s - }; - - upload = mkOption { - type = types.nullOr types.int; - default = null; - description = "Upload rate limit in bytes per second."; - example = 524288; # 512 KB/s - }; - }; - - # Logging Configuration - logging = { - level = mkOption { - type = types.nullOr ( - types.enum [ - "trace" - "debug" - "info" - "warn" - "error" - ] - ); - default = null; - description = "Console log level."; - }; - - file = mkOption { - type = types.nullOr types.path; - default = null; - description = "Log file path (in addition to console logging)."; - example = "/var/log/rqbit/rqbit.log"; - }; - - fileRustLog = mkOption { - type = types.str; - default = "librqbit=debug,info"; - description = "RUST_LOG value for the log file."; - }; - }; - - # Performance Configuration - performance = { - workerThreads = mkOption { - type = types.nullOr types.ints.positive; - default = null; - description = "Number of worker threads for the executor."; - }; - - maxBlockingThreads = mkOption { - type = types.ints.positive; - default = 8; - description = "Maximum blocking threads for disk I/O operations."; - }; - - singleThreadRuntime = mkOption { - type = types.bool; - default = false; - description = "Use tokio's single-threaded runtime (for debugging)."; - }; - - concurrentInitLimit = mkOption { - type = types.ints.positive; - default = 5; - description = "Maximum number of torrents that can initialize 
simultaneously."; - }; - }; - - # Peer Configuration - peer = { - connectTimeout = mkOption { - type = types.str; - default = "2s"; - description = "Peer connection timeout."; - example = "1.5s"; - }; - - readWriteTimeout = mkOption { - type = types.str; - default = "10s"; - description = "Peer read/write timeout."; - example = "5s"; - }; - }; - - # Tracker Configuration - tracker = { - refreshInterval = mkOption { - type = types.nullOr types.str; - default = null; - description = "Force a specific tracker refresh interval."; - example = "30s"; - }; - - trackersFile = mkOption { - type = types.nullOr types.path; - default = null; - description = "File with tracker URLs to use for all torrents."; - }; - }; - - # Advanced Options - socksProxy = mkOption { - type = types.nullOr types.str; - default = null; - description = "SOCKS5 proxy URL."; - example = "socks5://user:pass@localhost:1080"; - }; - - blocklistUrl = mkOption { - type = types.nullOr types.str; - default = null; - description = "URL to download a P2P blocklist from."; - example = "https://example.com/blocklist.txt"; - }; - - umask = mkOption { - type = types.nullOr types.str; - default = null; - description = "Set the process umask for file creation permissions."; - example = "022"; - }; - - # User/Group Configuration - user = mkOption { - type = types.str; - default = "rqbit"; - description = "User account under which rqbit runs."; - }; - - group = mkOption { - type = types.str; - default = "rqbit"; - description = "Group under which rqbit runs."; - }; - - extraArgs = mkOption { - type = types.listOf types.str; - default = [ ]; - description = "Extra command-line arguments to pass to rqbit."; - example = literalExpression ''[ "--experimental-mmap-storage" ]''; - }; - }; - - config = mkIf cfg.enable { - systemd.services.rqbit = { - description = "rqbit BitTorrent Client"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - preStart = mkIf (cfg.logging.file != null) '' - mkdir -p 
$(dirname ${cfg.logging.file}) - chown ${cfg.user}:${cfg.group} $(dirname ${cfg.logging.file}) - ''; - - serviceConfig = { - Type = "simple"; - User = cfg.user; - Group = cfg.group; - Environment = [ - "XDG_CACHE_HOME=${cfg.dataDir}/.cache" - "XDG_DATA_HOME=${cfg.dataDir}/.local/share" - ]; - ExecStart = - let - args = [ - "${cfg.package}/bin/rqbit" - "--http-api-listen-addr ${cfg.httpApi.listenAddress}:${toString cfg.httpApi.listenPort}" - ] - ++ optional (cfg.logging.level != null) "-v ${cfg.logging.level}" - ++ optional (cfg.logging.file != null) "--log-file ${cfg.logging.file}" - ++ optional (cfg.logging.file != null) "--log-file-rust-log ${cfg.logging.fileRustLog}" - ++ optional (cfg.tracker.refreshInterval != null) "-i ${cfg.tracker.refreshInterval}" - ++ optional cfg.performance.singleThreadRuntime "-s" - ++ optional cfg.dht.disable "--disable-dht" - ++ optional cfg.dht.disablePersistence "--disable-dht-persistence" - ++ optional (cfg.peer.connectTimeout != "2s") "--peer-connect-timeout ${cfg.peer.connectTimeout}" - ++ optional ( - cfg.peer.readWriteTimeout != "10s" - ) "--peer-read-write-timeout ${cfg.peer.readWriteTimeout}" - ++ optional (cfg.performance.workerThreads != null) "-t ${toString cfg.performance.workerThreads}" - ++ optional cfg.tcp.disable "--disable-tcp-listen" - ++ optional (cfg.tcp.minPort != 4240) "--tcp-min-port ${toString cfg.tcp.minPort}" - ++ optional (cfg.tcp.maxPort != 4260) "--tcp-max-port ${toString cfg.tcp.maxPort}" - ++ optional cfg.upnp.disablePortForward "--disable-upnp-port-forward" - ++ optional cfg.upnp.enableServer "--enable-upnp-server" - ++ optional ( - cfg.upnp.serverFriendlyName != null - ) "--upnp-server-friendly-name '${cfg.upnp.serverFriendlyName}'" - ++ optional ( - cfg.performance.maxBlockingThreads != 8 - ) "--max-blocking-threads ${toString cfg.performance.maxBlockingThreads}" - ++ optional (cfg.socksProxy != null) "--socks-url ${cfg.socksProxy}" - ++ optional ( - cfg.performance.concurrentInitLimit != 5 - ) 
"--concurrent-init-limit ${toString cfg.performance.concurrentInitLimit}" - ++ optional (cfg.umask != null) "--umask ${cfg.umask}" - ++ optional ( - cfg.rateLimit.download != null - ) "--ratelimit-download ${toString cfg.rateLimit.download}" - ++ optional (cfg.rateLimit.upload != null) "--ratelimit-upload ${toString cfg.rateLimit.upload}" - ++ optional (cfg.blocklistUrl != null) "--blocklist-url ${cfg.blocklistUrl}" - ++ optional (cfg.tracker.trackersFile != null) "--trackers-filename ${cfg.tracker.trackersFile}" - ++ cfg.extraArgs - ++ [ - "server" - "start" - cfg.dataDir - ]; - in - concatStringsSep " " args; - Restart = "on-failure"; - StateDirectory = "rqbit"; - NoNewPrivileges = true; - PrivateTmp = true; - ProtectSystem = "strict"; - ReadWritePaths = [ cfg.dataDir ] ++ optional (cfg.logging.file != null) (dirOf cfg.logging.file); - }; - }; - - users.users = mkIf (cfg.user == "rqbit") { - rqbit = { - isSystemUser = true; - group = cfg.group; - description = "rqbit BitTorrent client user"; - }; - }; - - users.groups = mkIf (cfg.group == "rqbit") { - rqbit = { }; - }; - - networking.firewall = mkIf (cfg.httpApi.openFirewall || cfg.tcp.openFirewall) { - allowedTCPPorts = optional cfg.httpApi.openFirewall cfg.httpApi.listenPort; - allowedTCPPortRanges = optional cfg.tcp.openFirewall { - from = cfg.tcp.minPort; - to = cfg.tcp.maxPort; - }; - }; - }; -} diff --git a/modules/nixos/guests/vaultwarden/default.nix b/modules/nixos/guests/vaultwarden/default.nix deleted file mode 100755 index 854bf89..0000000 --- a/modules/nixos/guests/vaultwarden/default.nix +++ /dev/null 
@@ -1,193 +0,0 @@ -{ - config, - flake, - pkgs, - ... -}: -let - inherit (flake.config.people) user0; - inherit (flake.config.services) instances; - serviceCfg = instances.vaultwarden; - smtpCfg = instances.smtp; - hostCfg = instances.web; - dns0 = instances.web.dns.provider0; - host = serviceCfg.domains.url0; - dns0Path = "dns/${dns0}"; -in -{ - microvm.vms = { - vaultwarden = { - autostart = true; - restartIfChanged = true; - config = { - system.stateVersion = "24.05"; - time.timeZone = "America/Winnipeg"; - users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - services = { - vaultwarden = { - enable = true; - dbBackend = "sqlite"; - config = { - # Domain Configuration - DOMAIN = "https://${host}"; - - # Email Configuration - SMTP_AUTH_MECHANISM = "Plain"; - SMTP_EMBED_IMAGES = true; - SMTP_FROM = serviceCfg.email.address0; - SMTP_FROM_NAME = serviceCfg.label; - SMTP_HOST = smtpCfg.hostname; - SMTP_PORT = smtpCfg.ports.port1; - SMTP_SECURITY = smtpCfg.records.record1; - SMTP_USERNAME = smtpCfg.email.address0; - - # Security Configuration - DISABLE_ADMIN_TOKEN = false; - - # Event and Backup Management - EVENTS_DAYS_RETAIN = 90; - - # User Features - SENDS_ALLOWED = true; - SIGNUPS_VERIFY = true; - WEB_VAULT_ENABLED = true; - - # Rocket (Web Server) Settings - ROCKET_ADDRESS = "0.0.0.0"; - ROCKET_PORT = serviceCfg.ports.port0; - }; - - # Environment file with secrets (mounted from host) - environmentFile = "/run/secrets/${user0}-env"; - }; - openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "prohibit-password"; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ - 22 # SSH - 25 # SMTP - 139 # SMTP - 587 # SMTP - 2525 # SMTP - serviceCfg.ports.port0 - ]; - - systemd = { - network = { - enable = true; - networks."20-lan" = { - matchConfig.Name = "enp0s5"; - addresses = [ - { Address = "${serviceCfg.interface.ip}/24"; } - ]; - routes = [ - { - Destination = 
"${hostCfg.localhost.address1}/0"; - Gateway = serviceCfg.interface.gate; - } - ]; - dns = [ - "1.1.1.1" - "8.8.8.8" - ]; - }; - }; - - tmpfiles.rules = [ - "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" - # "Z ${serviceCfg.secretPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" - ]; - - }; - - systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; - - microvm = { - vcpu = 1; - mem = 512; - hypervisor = "qemu"; - interfaces = [ - { - type = "tap"; - id = serviceCfg.interface.id; - mac = serviceCfg.interface.mac; - } - { - type = "user"; - id = serviceCfg.interface.idUser; - mac = serviceCfg.interface.macUser; - } - ]; - - forwardPorts = [ - { - from = "host"; - host.port = serviceCfg.interface.ssh; - guest.port = 22; - } - ]; - - shares = [ - { - mountPoint = "/nix/.ro-store"; - proto = "virtiofs"; - source = "/nix/store"; - tag = "read_only_nix_store"; - } - { - mountPoint = "/var/lib/bitwarden_rs"; - proto = "virtiofs"; - source = serviceCfg.mntPaths.path0; - tag = "${serviceCfg.name}_data"; - } - { - mountPoint = "/run/secrets"; - proto = "virtiofs"; - source = "/run/secrets/${serviceCfg.name}"; - tag = "host_secrets"; - } - ]; - }; - }; - }; - }; - - security.acme.certs."${host}" = { - dnsProvider = dns0; - environmentFile = config.sops.secrets.${dns0Path}.path; - group = "caddy"; - }; - - services.caddy.virtualHosts = { - "${host}" = { - extraConfig = '' - reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} { - header_up X-Real-IP {remote_host} - } - - tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} - - encode zstd gzip - ''; - }; - }; - - users.users.caddy.extraGroups = [ "acme" ]; - - systemd.tmpfiles.rules = [ - "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" - ]; - - sops.secrets = { - "${serviceCfg.name}/${user0}-env" = { - owner = "root"; - mode = "0600"; - }; - }; -} 
diff --git a/modules/nixos/guests/website/default.nix b/modules/nixos/guests/website/default.nix deleted file mode 100755 index 4ee6520..0000000 --- a/modules/nixos/guests/website/default.nix +++ /dev/null @@ -1,85 +0,0 @@ -{ - config, - flake, - pkgs, - lib, - ... -}: -let - inherit (flake.config.people) user0; - inherit (flake.config.services) instances; - serviceCfg = instances.upRootNutrition; - host = serviceCfg.domains.url0; - websitePkg = flake.self.packages.${pkgs.system}.website; -in -{ - microvm.vms.${serviceCfg.name} = { - autostart = true; - config = { - system.stateVersion = "25.05"; - networking.firewall.allowedTCPPorts = [ - 22 - 80 - ]; - services.openssh = { - enable = true; - settings.PasswordAuthentication = false; - }; - - environment.etc."website".source = websitePkg; - - users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - - systemd = { - network = { - enable = true; - networks."10-enp" = { - matchConfig.Name = "enp0s3"; - addresses = [ - { Address = "${serviceCfg.interface.ip}/24"; } - ]; - gateway = [ serviceCfg.interface.gate ]; - }; - }; - }; - services.caddy = { - enable = true; - virtualHosts.":80".extraConfig = '' - root * /etc/website - file_server - try_files {path} /index.html - ''; - }; - microvm = { - vcpu = 1; - mem = 512; - hypervisor = "qemu"; - interfaces = [ - { - type = "tap"; - id = serviceCfg.interface.id; - mac = serviceCfg.interface.mac; - } - ]; - shares = [ - { - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - tag = "ro-store"; - proto = "virtiofs"; - } - ]; - }; - }; - }; - services.caddy = { - virtualHosts.${host}.extraConfig = '' - reverse_proxy ${serviceCfg.interface.ip}:80 - tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} - ''; - }; - security.acme.certs.${host} = { - dnsProvider = instances.web.dns.provider0; - environmentFile = config.sops.secrets."dns/${instances.web.dns.provider0}".path; - }; -} 
diff --git a/modules/nixos/guests/zookeeper/default.nix b/modules/nixos/guests/zookeeper/default.nix deleted file mode 100755 index db7b3a6..0000000 --- a/modules/nixos/guests/zookeeper/default.nix +++ /dev/null 
@@ -1,93 +0,0 @@ -{ - flake, - pkgs, - lib, - ... -}: -let - inherit (flake.config.people) user0; - inherit (flake.config.services) instances; - serviceCfg = instances.zookeeper; - hostCfg = instances.web; -in -{ - microvm.vms = { - zookeeper = { - autostart = true; - restartIfChanged = true; - config = { - system.stateVersion = "24.05"; - time.timeZone = "America/Winnipeg"; - users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - services.openssh = { - enable = true; - settings.PasswordAuthentication = false; - }; - networking.firewall.allowedTCPPorts = [ 22 ]; - systemd = { - services = { - zookeeper = { - serviceConfig = { - ExecStart = lib.getExe flake.self.packages.${pkgs.system}.zookeeper; - Restart = "always"; - RestartSec = 2; - EnvironmentFile = "/run/secrets/env"; - }; - wantedBy = [ "multi-user.target" ]; - }; - systemd-networkd.wantedBy = [ "multi-user.target" ]; - }; - network = { - enable = true; - networks."20-lan" = { - matchConfig.Name = "enp0s3"; - addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ]; - routes = [ - { - Destination = "${hostCfg.localhost.address1}/0"; - Gateway = serviceCfg.interface.gate; - } - ]; - dns = [ - "1.1.1.1" - "8.8.8.8" - ]; - }; - }; - }; - microvm = { - vcpu = 1; - mem = 512; - hypervisor = "qemu"; - interfaces = [ - { - type = "tap"; - id = serviceCfg.interface.id; - mac = serviceCfg.interface.mac; - } - ]; - shares = [ - { - mountPoint = "/nix/.ro-store"; - proto = "virtiofs"; - source = "/nix/store"; - tag = "read_only_nix_store"; - } - { - mountPoint = "/run/secrets"; - proto = "virtiofs"; - source = "/run/secrets/${serviceCfg.name}"; - tag = "host_secrets"; - } - ]; - }; - }; - }; - }; - sops.secrets = { - "${serviceCfg.name}/env" = { - owner = "root"; - mode = "0600"; - }; - }; -} 
diff --git a/modules/nixos/services/acme/default.nix b/modules/nixos/homelab/acme/default.nix
similarity index 100%
rename from modules/nixos/services/acme/default.nix
rename to modules/nixos/homelab/acme/default.nix
diff --git a/modules/nixos/homelab/caddy/config/firefly-iii/default.nix b/modules/nixos/homelab/caddy/config/firefly-iii/default.nix
new file mode 100755
index 0000000..f44f223
--- /dev/null
+++ b/modules/nixos/homelab/caddy/config/firefly-iii/default.nix
@@ -0,0 +1,34 @@
+{
+ flake,
+ config,
+ ...
+}:
+let
+
+ inherit (flake.config.services) instances;
+ serviceCfg = instances.firefly-iii;
+ interfaceCfg = serviceCfg.intefaces.interface0;
+ host = interfaceCfg.domain;
+ dns0 = instances.web.dns.provider0;
+ dns0Path = "dns/${dns0}";
+in
+{
+ security.acme.certs."${host}" = {
+ dnsProvider = dns0;
+ environmentFile = config.sops.secrets.${dns0Path}.path;
+ group = "caddy";
+ };
+
+ services.caddy.virtualHosts."${host}" = {
+ extraConfig = ''
+ reverse_proxy http://${interfaceCfg.microvm.ip}:80 {
+ header_up X-Forwarded-Proto https
+ header_up X-Forwarded-Host {host}
+ }
+
+ tls ${interfaceCfg.ssl.cert} ${interfaceCfg.ssl.key}
+
+ encode zstd gzip
+ '';
+ };
+}
diff --git a/modules/nixos/homelab/caddy/config/forgejo/default.nix b/modules/nixos/homelab/caddy/config/forgejo/default.nix
new file mode 100644
index 0000000..007f7ab
--- /dev/null
+++ b/modules/nixos/homelab/caddy/config/forgejo/default.nix
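Review bot: `serviceCfg.intefaces.interface0` in the firefly-iii let-block is misspelled; every other Caddy file added in this commit reads `serviceCfg.interfaces.interface0`, so this module should fail to evaluate with a missing-attribute error. The line should read `interfaceCfg = serviceCfg.interfaces.interface0;`. Separately, the upstream address is spelled two ways across these new files: `….microvm.ip` here and in forgejo, mastodon, opencloud, photoprism, qbittorrent, vaultwarden and website, but `interface0Cfg.interface.ip` in jellyfin and syncthing. Presumably only one of those paths exists on the interface option, so both spellings are worth checking against its declaration before merge.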
@@ -0,0 +1,26 @@
+{ flake, config, ... }:
+let
+ inherit (flake.config.services) instances;
+ serviceCfg = instances.forgejo;
+ dns0 = instances.web.dns.provider0;
+ dns0Path = "dns/${dns0}";
+ interface0Cfg = serviceCfg.interfaces.interface0;
+ host0 = interface0Cfg.domain;
+in
+{
+ security.acme.certs."${host0}" = {
+ dnsProvider = dns0;
+ environmentFile = config.sops.secrets.${dns0Path}.path;
+ group = "caddy";
+ };
+
+ services.caddy.virtualHosts."${host0}" = {
+ extraConfig = ''
+ reverse_proxy ${interface0Cfg.microvm.ip}:${toString serviceCfg.ports.port0} {
+ header_up X-Real-IP {remote_host}
+ }
+ tls ${interface0Cfg.ssl.cert} ${interface0Cfg.ssl.key}
+ encode zstd gzip
+ '';
+ };
+}
diff --git a/modules/nixos/homelab/caddy/config/jellyfin/default.nix b/modules/nixos/homelab/caddy/config/jellyfin/default.nix
new file mode 100644
index 0000000..a99140c
--- /dev/null
+++ b/modules/nixos/homelab/caddy/config/jellyfin/default.nix
@@ -0,0 +1,37 @@
+{
+ config,
+ flake,
+ ...
+}:
+let
+ inherit (flake.config.services) instances;
+ serviceCfg = instances.jellyfin;
+ interface0Cfg = serviceCfg.interfaces.interface0;
+ host0 = interface0Cfg.domain;
+ dns0 = instances.web.dns.provider0;
+ dns0Path = "dns/${dns0}";
+
+in
+{
+ security.acme.certs."${host0}" = {
+ dnsProvider = dns0;
+ environmentFile = config.sops.secrets.${dns0Path}.path;
+ group = "caddy";
+ };
+
+ services = {
+ caddy = {
+ virtualHosts = {
+ "${host0}" = {
+ extraConfig = ''
+ reverse_proxy ${interface0Cfg.interface.ip}:${toString serviceCfg.ports.port0} {
+ header_up X-Real-IP {remote_host}
+ }
+ tls ${interface0Cfg.ssl.cert} ${interface0Cfg.ssl.key}
+ encode zstd gzip
+ '';
+ };
+ };
+ };
+ };
+}
diff --git a/modules/nixos/homelab/caddy/config/mastodon/default.nix b/modules/nixos/homelab/caddy/config/mastodon/default.nix
new file mode 100644
index 0000000..88860b2
--- /dev/null
+++ b/modules/nixos/homelab/caddy/config/mastodon/default.nix
@@ -0,0 +1,31 @@
+{ flake, config, ... }:
+let
+ inherit (flake.config.services) instances;
+ serviceCfg = instances.mastodon;
+ interface0Cfg = serviceCfg.interfaces.interface0;
+ host0 = interface0Cfg.domain;
+ dns0 = instances.web.dns.provider0;
+ dns0Path = "dns/${dns0}";
+in
+{
+ security.acme.certs."${host0}" = {
+ dnsProvider = dns0;
+ environmentFile = config.sops.secrets.${dns0Path}.path;
+ group = "caddy";
+ };
+
+ services.caddy.virtualHosts."${host0}" = {
+ extraConfig = ''
+ reverse_proxy http://${interface0Cfg.microvm.ip}:80 {
+ header_up X-Forwarded-Proto {scheme}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ }
+
+ tls ${interface0Cfg.ssl.cert} ${interface0Cfg.ssl.key}
+
+ encode zstd gzip
+ '';
+ };
+
+}
diff --git a/modules/nixos/homelab/caddy/config/opencloud/default.nix b/modules/nixos/homelab/caddy/config/opencloud/default.nix
new file mode 100755
index 0000000..ffba5f2
--- /dev/null
+++ b/modules/nixos/homelab/caddy/config/opencloud/default.nix
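Review bot: The `header_up X-Forwarded-Proto {scheme}` and `header_up X-Forwarded-For {remote_host}` lines in the mastodon `reverse_proxy` block restate what current Caddy releases already send upstream on their own, so only `header_up X-Real-IP {remote_host}` adds information. If the X-Forwarded-For override is deliberate (replacing any chain with the single peer address because Caddy is the only trusted hop), a Caddyfile comment such as `# overwrite XFF: this proxy is the only trusted hop` would record that intent. Otherwise the two lines can be dropped. The photoprism file added later in this commit carries the same three lines, and the firefly-iii file hard-codes `X-Forwarded-Proto https` instead, so the files would read more consistently with one convention.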
@@ -0,0 +1,54 @@
+{
+ config,
+ flake,
+ ...
+}:
+let
+ inherit (flake.config.services) instances;
+
+ serviceCfg = instances.opencloud;
+ interface0Cfg = serviceCfg.interfaces.interface0;
+ interface1Cfg = serviceCfg.interfaces.interface1;
+ dns0 = instances.web.dns.provider0;
+ dns1 = instances.web.dns.provider1;
+ host0 = interface1Cfg.domain;
+ host1 = "${interface0Cfg.subdomain}.${flake.inputs.linkpage.secrets.domains.projectsite}";
+ credPath = "/var/lib/acme/${host0}";
+in
+{
+ security.acme.certs = {
+ "${host0}" = {
+ dnsProvider = dns0;
+ environmentFile = config.sops.secrets."dns/${dns0}".path;
+ group = "caddy";
+ };
+ "${host1}" = {
+ dnsProvider = dns1;
+ environmentFile = config.sops.secrets."dns/${dns1}".path;
+ group = "caddy";
+ };
+ };
+
+ services.caddy.virtualHosts = {
+ "${host0}" = {
+ extraConfig = ''
+ reverse_proxy ${interface0Cfg.microvm.ip}:${toString serviceCfg.ports.port0} {
+ header_up X-Real-IP {remote_host}
+ }
+ redir /.well-known/carddav /remote.php/dav/ 301
+ redir /.well-known/caldav /remote.php/dav/ 301
+ tls ${interface0Cfg.ssl.cert} ${interface0Cfg.ssl.key}
+ '';
+ };
+ "${host1}" = {
+ extraConfig = ''
+ reverse_proxy ${interface1Cfg.microvm.ip}:${toString serviceCfg.ports.port0} {
+ header_up X-Real-IP {remote_host}
+ }
+ redir /.well-known/carddav /remote.php/dav/ 301
+ redir /.well-known/caldav /remote.php/dav/ 301
+ tls ${credPath}/fullchain.pem ${credPath}/key.pem
+ '';
+ };
+ };
+}
diff --git a/modules/nixos/homelab/caddy/config/photoprism/default.nix b/modules/nixos/homelab/caddy/config/photoprism/default.nix
new file mode 100644
index 0000000..9b9c822
--- /dev/null
+++ b/modules/nixos/homelab/caddy/config/photoprism/default.nix
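Review bot: `credPath` is built from `host0` but is used only in the `"${host1}"` virtual host's `tls` line, so that site would present the certificate issued for `host0` and clients would see a hostname mismatch. The website module added in this commit uses `/var/lib/acme/${host1}/…` for the equivalent second host, which suggests the intended line is `credPath = "/var/lib/acme/${host1}";`. The interface indices also look crossed: `host0` is named from `interface1Cfg.domain` yet proxies to `interface0Cfg.microvm.ip` with `interface0Cfg.ssl`, while `host1` is named from `interface0Cfg.subdomain` and proxies to `interface1Cfg.microvm.ip`. It is worth confirming which interface belongs to which hostname, since a swap here would route one public name to the other backend.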
@@ -0,0 +1,31 @@
+{ flake, config, ... }:
+let
+ inherit (flake.config.services) instances;
+ serviceCfg = instances.photoprism;
+ interface0Cfg = serviceCfg.interfaces.interface0;
+ host0 = interface0Cfg.domain;
+ dns0 = instances.web.dns.provider0;
+ dns0Path = "dns/${dns0}";
+in
+{
+ security.acme.certs."${host0}" = {
+ dnsProvider = dns0;
+ environmentFile = config.sops.secrets.${dns0Path}.path;
+ group = "caddy";
+ };
+
+ services.caddy.virtualHosts."${host0}" = {
+ extraConfig = ''
+ reverse_proxy http://${interface0Cfg.microvm.ip}:80 {
+ header_up X-Forwarded-Proto {scheme}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ }
+
+ tls ${interface0Cfg.ssl.cert} ${interface0Cfg.ssl.key}
+
+ encode zstd gzip
+ '';
+ };
+
+}
diff --git a/modules/nixos/homelab/caddy/config/qbittorrent/default.nix b/modules/nixos/homelab/caddy/config/qbittorrent/default.nix
new file mode 100644
index 0000000..d49fb64
--- /dev/null
+++ b/modules/nixos/homelab/caddy/config/qbittorrent/default.nix
@@ -0,0 +1,39 @@
+{ flake, config, ... }:
+let
+ inherit (flake.config.services) instances;
+ serviceCfg = instances.qbittorrent;
+ interface0Cfg = serviceCfg.interfaces.interface0;
+ host0 = interface0Cfg.domain;
+ dns0 = instances.web.dns.provider0;
+ dns0Path = "dns/${dns0}";
+in
+{
+ security.acme.certs."${host0}" = {
+ dnsProvider = dns0;
+ environmentFile = config.sops.secrets.${dns0Path}.path;
+ group = "caddy";
+ };
+ services = {
+ caddy = {
+ virtualHosts = {
+ "${host0}" = {
+ extraConfig = ''
+ basic_auth {
+ {$CADDY_AUTH_USER} {$CADDY_AUTH_PASSWORD_HASH}
+ }
+ reverse_proxy ${interface0Cfg.microvm.ip}:${toString serviceCfg.ports.port0}
+ tls ${interface0Cfg.ssl.cert} ${interface0Cfg.ssl.key}
+ encode zstd gzip
+ '';
+ };
+ };
+ };
+ };
+ sops.secrets = {
+ "caddy/share-auth" = {
+ owner = "caddy";
+ group = "caddy";
+ mode = "0400";
+ };
+ };
+}
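Review bot: The qbittorrent `basic_auth` block depends on `{$CADDY_AUTH_USER}` and `{$CADDY_AUTH_PASSWORD_HASH}`, and this file declares the `caddy/share-auth` secret, but nothing in the hunk passes that secret to the Caddy process. The guest module deleted in this commit did so with `systemd.services.caddy.serviceConfig.EnvironmentFile = config.sops.secrets."caddy/share-auth".path;`. Unless that assignment now lives in a file not shown here, the placeholders expand to nothing and the credential line guarding the qBittorrent web UI is empty. Adding the assignment to this file keeps the authentication requirement and the source of its credentials in one place.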
diff --git a/modules/nixos/homelab/caddy/config/syncthing/default.nix b/modules/nixos/homelab/caddy/config/syncthing/default.nix
new file mode 100644
index 0000000..4a2f32a
--- /dev/null
+++ b/modules/nixos/homelab/caddy/config/syncthing/default.nix
@@ -0,0 +1,35 @@
+{
+ config,
+ flake,
+ ...
+}:
+let
+ inherit (flake.config.services) instances;
+ serviceCfg = instances.syncthing;
+ interface0Cfg = serviceCfg.interfaces.interface0;
+ host0 = interface0Cfg.domain;
+ dns0 = instances.web.dns.provider0;
+ dns0Path = "dns/${dns0}";
+in
+{
+ security.acme.certs."${host0}" = {
+ dnsProvider = dns0;
+ environmentFile = config.sops.secrets.${dns0Path}.path;
+ group = "caddy";
+ };
+ services = {
+ caddy = {
+ virtualHosts = {
+ "${host0}" = {
+ extraConfig = ''
+ reverse_proxy ${interface0Cfg.interface.ip}:${toString serviceCfg.ports.port0} {
+ header_up X-Real-IP {remote_host}
+ }
+ tls ${interface0Cfg.ssl.cert} ${interface0Cfg.ssl.key}
+ encode zstd gzip
+ '';
+ };
+ };
+ };
+ };
+}
diff --git a/modules/nixos/homelab/caddy/config/vaultwarden/default.nix b/modules/nixos/homelab/caddy/config/vaultwarden/default.nix
new file mode 100755
index 0000000..b78062b
--- /dev/null
+++ b/modules/nixos/homelab/caddy/config/vaultwarden/default.nix
@@ -0,0 +1,34 @@
+{
+ config,
+ flake,
+ ...
+}:
+let
+ inherit (flake.config.services) instances;
+ serviceCfg = instances.vaultwarden;
+ interfaceCfg = serviceCfg.interfaces.interface0;
+ dns0 = instances.web.dns.provider0;
+ host = interfaceCfg.domain;
+ dns0Path = "dns/${dns0}";
+in
+{
+ security.acme.certs."${host}" = {
+ dnsProvider = dns0;
+ environmentFile = config.sops.secrets.${dns0Path}.path;
+ group = "caddy";
+ };
+
+ services.caddy.virtualHosts = {
+ "${host}" = {
+ extraConfig = ''
+ reverse_proxy ${interfaceCfg.microvm.ip}:${toString serviceCfg.ports.port0} {
+ header_up X-Real-IP {remote_host}
+ }
+
+ tls ${interfaceCfg.ssl.cert} ${interfaceCfg.ssl.key}
+
+ encode zstd gzip
+ '';
+ };
+ };
+}
diff --git a/modules/nixos/homelab/caddy/config/website/default.nix b/modules/nixos/homelab/caddy/config/website/default.nix
new file mode 100644
index 0000000..724023c
--- /dev/null
+++ b/modules/nixos/homelab/caddy/config/website/default.nix
@@ -0,0 +1,38 @@
+{ flake, config, ... }:
+let
+ inherit (flake.config.services) instances;
+ serviceCfg = instances.website;
+ interface0Cfg = serviceCfg.interfaces.interface0;
+ interface1Cfg = serviceCfg.interfaces.interface1;
+ host0 = interface0Cfg.domain;
+ host1 = flake.inputs.linkpage.secrets.domains.projectsite;
+ dns0 = instances.web.dns.provider0;
+ dns1 = instances.web.dns.provider1;
+ dns0Path = "dns/${dns0}";
+ dns1Path = "dns/${dns1}";
+in
+
+{
+ services.caddy = {
+ virtualHosts = {
+ ${host0}.extraConfig = ''
+ reverse_proxy ${interface0Cfg.microvm.ip}:80
+ tls ${interface0Cfg.ssl.cert} ${interface0Cfg.ssl.key}
+ '';
+ ${host1}.extraConfig = ''
+ reverse_proxy ${interface1Cfg.microvm.ip}:80
+ tls /var/lib/acme/${host1}/fullchain.pem /var/lib/acme/${host1}/key.pem
+ '';
+ };
+ };
+ security.acme.certs = {
+ ${host0} = {
+ dnsProvider = dns0;
+ environmentFile = config.sops.secrets."${dns0Path}".path;
+ };
+ ${host1} = {
+ dnsProvider = dns1;
+ environmentFile = config.sops.secrets."${dns1Path}".path;
+ };
+ };
+}
diff --git a/modules/nixos/homelab/caddy/default.nix b/modules/nixos/homelab/caddy/default.nix
new file mode 100755
index 0000000..82e08c6
--- /dev/null
+++ b/modules/nixos/homelab/caddy/default.nix
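Review bot: Both `security.acme.certs` entries in the website file omit `group = "caddy";`, which every other virtual-host file added in this commit sets. The two `tls` lines point Caddy directly at these key files, so Caddy can read them only if its user reaches the certificate group some other way. The removed guest modules did that with `users.users.caddy.extraGroups = [ "acme" ];`, which does not appear in any new file shown here. Adding `group = "caddy";` to both entries would match the sibling files and avoid relying on a group membership defined elsewhere.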
@@ -0,0 +1,34 @@ +{ flake, ... }: +let + inherit (flake.config.services) instances; + service = instances.caddy; + + importList = + let + content = builtins.readDir ./.; + dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content); + in + map (name: ./. + "/${name}") dirContent; + +in +{ + imports = importList; + + services.caddy = { + enable = true; + }; + + tmpfiles.rules = [ + "d /run/secrets/caddy 755 caddy caddy -" + "d /var/log/caddy 755 caddy caddy -" + ]; + + networking = { + firewall = { + allowedTCPPorts = [ + service.ports.port0 # 80 + service.ports.port1 # 443 + ]; + }; + }; +} diff --git a/modules/nixos/guests/default.nix b/modules/nixos/homelab/default.nix similarity index 100% rename from modules/nixos/guests/default.nix rename to modules/nixos/homelab/default.nix diff --git a/modules/nixos/guests/minecraft/default.nix b/modules/nixos/homelab/guests/default.nix similarity index 56% rename from modules/nixos/guests/minecraft/default.nix rename to modules/nixos/homelab/guests/default.nix index da27578..7c41a45 100755 --- a/modules/nixos/guests/minecraft/default.nix +++ b/modules/nixos/homelab/guests/default.nix @@ -1,18 +1,12 @@ let + inherit (import ./helpers.nix) labHelpers; importList = let content = builtins.readDir ./.; dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content); in - map (name: ./. + "/${name}") dirContent; + map (name: ./. + "/${name}" { inherit labHelpers; }) dirContent; in { - - systemd = { - tmpfiles.rules = [ - "d /mnt/storage/minecraft 0751 microvm wheel - -" - ]; - }; - imports = importList; } diff --git a/modules/nixos/nas/guests/firefly-iii/config/default.nix b/modules/nixos/homelab/guests/firefly-iii/config/default.nix old mode 100644 new mode 100755 similarity index 90% rename from modules/nixos/nas/guests/firefly-iii/config/default.nix rename to modules/nixos/homelab/guests/firefly-iii/config/default.nix index acdf1a5..e983b0b 
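Review bot: The rule `"d /run/secrets/caddy 755 caddy caddy -"` creates a directory meant for secrets that every local user can list and enter; I would tighten it to `"d /run/secrets/caddy 0750 caddy caddy -"`. The rules are also declared under a top-level `tmpfiles.rules`, whereas the guest modules in this commit use `systemd.tmpfiles.rules`; as written this looks like an undefined option, so the directories may never be created. A one-line comment on `importList` saying that every subdirectory of this folder is imported as a module would help the next reader.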
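Review bot: In guests/default.nix, `map (name: ./. + "/${name}" { inherit labHelpers; }) dirContent` applies the string `"/${name}"` to the attribute set, because function application binds tighter than `+`, so evaluation fails before any guest module is imported. Adding parentheses alone would still hand `imports` the result of calling a path, and a call with only `labHelpers` would drop `flake`, `pkgs` and `config`. Keeping `map (name: ./. + "/${name}") dirContent` and exposing the helper with `_module.args.labHelpers = labHelpers;` is the simpler route.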
--- a/modules/nixos/nas/guests/firefly-iii/config/default.nix +++ b/modules/nixos/homelab/guests/firefly-iii/config/default.nix @@ -6,11 +6,8 @@ let inherit (flake.config.people) user0; inherit (flake.config.services) instances; - serviceCfg = { - name = "firefly-iii"; - }; + serviceCfg = instances.firefly-iii; smtpCfg = instances.smtp; - in { fireflyVM = @@ -48,18 +45,18 @@ in }; settings = { APP_URL = "https://${host}"; - APP_KEY_FILE = "/etc/firefly-secrets/pass"; - DB_PASSWORD_FILE = "/etc/firefly-secrets/data"; + APP_KEY_FILE = "/etc/firefly-secrets/${user}-pass"; + DB_PASSWORD_FILE = "/etc/firefly-secrets/${user}-data"; DB_CONNECTION = "pgsql"; DB_HOST = "/run/postgresql"; - DB_DATABASE = "firefly-iii"; - DB_USERNAME = "firefly-iii"; + DB_DATABASE = serviceCfg.name; + DB_USERNAME = serviceCfg.name; MAIL_MAILER = smtpCfg.name; - MAIL_HOST = smtpCfg.hostname; + MAIL_HOST = smtpCfg.interfaces.interface0.domain; MAIL_PORT = smtpCfg.ports.port0; - MAIL_FROM = smtpCfg.email.address0; - MAIL_USERNAME = smtpCfg.email.address0; - MAIL_PASSWORD_FILE = "/etc/firefly-secrets/smtp"; + MAIL_FROM = smtpCfg.interfaces.interface0.email; + MAIL_USERNAME = smtpCfg.interfaces.interface0.email; + MAIL_PASSWORD_FILE = "/etc/firefly-secrets/${user}-smtp"; MAIL_ENCRYPTION = "tls"; SITE_OWNER = owner; }; @@ -106,9 +103,9 @@ in }; networking.firewall.allowedTCPPorts = [ 22 - 587 - 8084 - 8081 + smtpCfg.ports.port1 + serviceCfg.ports.port0 + serviceCfg.ports.port1 ]; systemd = { services = { @@ -194,7 +191,7 @@ in { mountPoint = "/var/lib/${serviceCfg.name}"; proto = "virtiofs"; - source = "${mnt}/${serviceCfg.name}/config"; + source = "${mnt}/${serviceCfg.name}config"; tag = "${serviceCfg.name}_${user}_config"; } { 
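Review bot: The last hunk changes the share source to `"${mnt}/${serviceCfg.name}config"`, dropping the `/` the old line had, so the guest's `/var/lib/${serviceCfg.name}` would be backed by a host directory whose name ends in `config` rather than by the `config` subdirectory; I would restore `source = "${mnt}/${serviceCfg.name}/config";`. In the firewall hunk, `smtpCfg.ports.port1` keeps a mail port open inbound on a guest that, from the settings shown, only sends mail, so that entry can probably be dropped. Both enclosing blocks continue outside their hunks.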
diff --git a/modules/nixos/nas/guests/firefly-iii/default.nix b/modules/nixos/homelab/guests/firefly-iii/default.nix old mode 100644 new mode 100755 similarity index 67% rename from modules/nixos/nas/guests/firefly-iii/default.nix rename to modules/nixos/homelab/guests/firefly-iii/default.nix index ca03f07..1fc5d4c --- a/modules/nixos/nas/guests/firefly-iii/default.nix +++ b/modules/nixos/homelab/guests/firefly-iii/default.nix @@ -2,27 +2,24 @@ config, flake, pkgs, - nasHelpers, + labHelpers, ... }: let inherit (import ./config { inherit config flake pkgs; }) fireflyVM; - inherit (nasHelpers) ipAddress guestPath firefly; inherit (flake.config.people) user0; inherit (flake.config.people.users.${user0}) email; - inherit (flake.config.services) instances; - id0 = builtins.toString firefly.id0; - id1 = builtins.toString firefly.id1; - id2 = builtins.toString firefly.id2; + inherit (flake.config.services.instances) firefly-iii; + interface0Cfg = firefly-iii.interfaces.interface0; fireflyNick = fireflyVM { user = user0; - ip = ipAddress id0; - mac = "02:00:00:00:${id0}:${id0}"; - userMac = "02:00:00:00:00:${id0}"; - ssh = firefly.ssh0; - host = instances.firefly-iii.domains.url0; - mnt = guestPath user0; + ip = interface0Cfg.microvm.ip; + mac = interface0Cfg.microvm.mac; + userMac = interface0Cfg.microvm.macUser; + ssh = interface0Cfg.microvm.ssh0; + host = interface0Cfg.domain; + mnt = ""; owner = email.address2; }; diff --git a/modules/nixos/homelab/guests/forgejo/config/default.nix b/modules/nixos/homelab/guests/forgejo/config/default.nix new file mode 100755 index 0000000..a83e37e --- /dev/null +++ b/modules/nixos/homelab/guests/forgejo/config/default.nix 
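Review bot: `ssh = interface0Cfg.microvm.ssh0;` reads an attribute that the `interfaceConfig` schema does not declare (it has `microvm.ssh`), and every other guest in this commit uses `.microvm.ssh`; this looks like a leftover from `firefly.ssh0` and should be `ssh = interface0Cfg.microvm.ssh;`. Separately, `mnt = ""` replaces `guestPath user0`, so the `${mnt}/…` virtiofs sources and host tmpfiles rules resolve to directories at the filesystem root; the forgejo, jellyfin, mastodon, minecraft, opencloud and photoprism `default.nix` files do the same. `labHelpers` is accepted but never used, and `mnt = labHelpers.guestPath user0;` would restore the per-user location.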
@@ -0,0 +1,170 @@ +{ + flake, + ... +}: +let + inherit (flake.config.people) user0; + inherit (flake.config.services) instances; + serviceCfg = instances.forgejo; + smtpCfg = instances.smtp; +in +{ + forgejoVM = + { + user, + ip, + mac, + userMac, + ssh, + mnt, + host, + }: + { + microvm.vms = { + "${serviceCfg.name}-${user}" = { + autostart = true; + restartIfChanged = true; + config = { + system.stateVersion = "24.05"; + time.timeZone = "America/Winnipeg"; + users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; + services = { + ${serviceCfg.name} = { + enable = true; + lfs.enable = true; + secrets = { + mailer.PASSWD = "/run/secrets/${user}-smtp"; + }; + settings = { + server = { + DOMAIN = host; + ROOT_URL = "https://${host}/"; + HTTP_PORT = serviceCfg.ports.port0; + }; + # If you need to start from scratch, don't forget to turn this off again + service.DISABLE_REGISTRATION = true; + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "github"; + }; + mirror = { + ENABLED = true; + }; + mailer = { + ENABLED = true; + SMTP_ADDR = smtpCfg.interface.interface1.domain; + FROM = smtpCfg.interfaces.interface1.email; + USER = smtpCfg.interfaces.interface1.email; + PROTOCOL = "smtp+starttls"; + SMTP_PORT = smtpCfg.ports.port1; + SEND_AS_PLAIN_TEXT = true; + USE_CLIENT_CERT = false; + }; + }; + }; + openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "prohibit-password"; + }; + }; + }; + networking.firewall.allowedTCPPorts = [ + 22 # SSH + 25 # SMTP + 139 # SMTP + 2525 # SMTP + smtpCfg.ports.port0 + serviceCfg.ports.port0 + ]; + fileSystems."/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = [ + "size=4G" + "mode=1777" + ]; + }; + systemd = { + network = { + enable = true; + networks."20-lan" = { + matchConfig.Name = "enp0s5"; + addresses = [ { Address = "${ip}/24"; } ]; + routes = [ + { + Destination = "0.0.0.0/0"; + Gateway = "192.168.50.1"; + } + ]; + dns = [ + "1.1.1.1" + 
"8.8.8.8" + ]; + }; + }; + tmpfiles.rules = [ + "d /var/lib/${serviceCfg.name} 0755 ${serviceCfg.name} ${serviceCfg.name} -" + ]; + }; + systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; + microvm = { + vcpu = 1; + mem = 1024; + hypervisor = "qemu"; + interfaces = [ + { + type = "tap"; + id = "vm-fg-${user}"; + mac = mac; + } + { + type = "user"; + id = "vmuser-cloud"; + mac = userMac; + } + ]; + forwardPorts = [ + { + from = "host"; + host.port = ssh; + guest.port = 22; + } + ]; + shares = [ + { + mountPoint = "/nix/.ro-store"; + proto = "virtiofs"; + source = "/nix/store"; + tag = "read_only_nix_store"; + } + { + mountPoint = "/var/lib/${serviceCfg.name}"; + proto = "virtiofs"; + source = "${mnt}/${serviceCfg.name}"; + tag = "${serviceCfg.name}_${user}_data"; + } + { + mountPoint = "/run/secrets"; + proto = "virtiofs"; + source = "/run/secrets/${serviceCfg.name}"; + tag = "host_secrets"; + } + ]; + }; + }; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${mnt}/${serviceCfg.name} 0751 microvm wheel - -" + ]; + sops.secrets = { + "${serviceCfg.name}/${user}-smtp" = { + owner = "root"; + mode = "0600"; + }; + }; + }; +} diff --git a/modules/nixos/homelab/guests/forgejo/default.nix b/modules/nixos/homelab/guests/forgejo/default.nix new file mode 100644 index 0000000..9d92aaf --- /dev/null +++ b/modules/nixos/homelab/guests/forgejo/default.nix @@ -0,0 +1,25 @@ +{ + flake, + pkgs, + labHelpers, + ... +}: +let + inherit (import ./config { inherit flake pkgs; }) forgejoVM; + inherit (flake.config.people) user0; + inherit (flake.config.services) instances; + + interface0Cfg = instances.forgejo.interfaces.interface0; + + forgejoNick = forgejoVM { + user = user0; + ip = interface0Cfg.microvm.ip; + mac = interface0Cfg.microvm.mac; + userMac = interface0Cfg.microvm.macUser; + ssh = interface0Cfg.microvm.ssh; + mnt = ""; + host = interface0Cfg.domain; + }; +in +forgejoNick +# // forgejoStacie // forgejoGarnet 
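Review bot: The forgejo guest firewall opens 25, 139 and 2525 inbound, all commented `# SMTP`, plus `smtpCfg.ports.port0`; port 139 is the NetBIOS session service rather than SMTP, and nothing in this VM configuration listens for mail, since Forgejo only sends through `smtp+starttls`. I would reduce the list to `22` and `serviceCfg.ports.port0`. `SMTP_ADDR = smtpCfg.interface.interface1.domain;` reads `interface` where the neighbouring lines read `interfaces`, which would fail evaluation; it should be `smtpCfg.interfaces.interface1.domain`. The sops secret is `owner = "root"` with `mode = "0600"` and reaches the guest through the `/run/secrets` virtiofs share, so it is worth confirming that whatever reads `mailer.PASSWD` inside the guest can open it.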
diff --git a/modules/nixos/homelab/guests/helpers.nix b/modules/nixos/homelab/guests/helpers.nix
new file mode 100644
index 0000000..34b14d3
--- /dev/null
+++ b/modules/nixos/homelab/guests/helpers.nix
@@ -0,0 +1,8 @@
+{
+ labHelpers = {
+ guestPath = user: "/mnt/storage/users/${user}/guests";
+ docsPath = user: "/mnt/storage/users/${user}/home/docs";
+ mediaPath = user: "/mnt/storage/users/${user}/home/media";
+ miscPath = user: "/mnt/storage/users/${user}/home/misc";
+ };
+}
diff --git a/modules/nixos/homelab/guests/jellyfin/config/default.nix b/modules/nixos/homelab/guests/jellyfin/config/default.nix
new file mode 100755
index 0000000..c44391a
--- /dev/null
+++ b/modules/nixos/homelab/guests/jellyfin/config/default.nix
@@ -0,0 +1,169 @@ +{ + config, + flake, + ... +}: +let + inherit (flake.config.people) user0; + inherit (flake.config.services) instances; + serviceCfg = instances.jellyfin; + id = 993; +in +{ + forgejoVM = + { + user, + ip, + mac, + userMac, + ssh, + mnt, + host, + }: + + { + microvm.vms = { + "${serviceCfg.name}-${user}" = { + autostart = true; + restartIfChanged = true; + config = { + system.stateVersion = "25.05"; + time.timeZone = "America/Winnipeg"; + users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; + services = { + jellyfin = { + enable = true; + openFirewall = true; + }; + openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "prohibit-password"; + }; + }; + }; + users.users.jellyfin = { + isSystemUser = true; + group = serviceCfg.name; + uid = id; + }; + users.groups.jellyfin = { + gid = id; + }; + networking.firewall.allowedTCPPorts = [ + 22 + serviceCfg.ports.port0 + serviceCfg.ports.port1 + serviceCfg.ports.port2 + ]; + fileSystems."/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = [ + "size=6G" + "mode=1777" + ]; + }; + systemd = { + network = { + enable = true; + networks."20-lan" = { + matchConfig.Name = "enp0s6"; + addresses = [ { Address = "${ip}/24"; } ]; + routes = [ + { + Destination = "0.0.0.0/0"; + Gateway = "192.168.50.1"; + } + ]; + dns = [ + "1.1.1.1" + "8.8.8.8" + ]; + }; + }; + tmpfiles.rules = [ + "d /var/cache/${serviceCfg.name} 0755 ${serviceCfg.name} ${serviceCfg.name} -" + "d /var/lib/${serviceCfg.name} 0755 ${serviceCfg.name} ${serviceCfg.name} -" + "d /var/lib/${serviceCfg.name}-media 0755 ${serviceCfg.name} ${serviceCfg.name} -" + ]; + }; + systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; + microvm = { + vcpu = 4; + mem = 1024 * 3; + hypervisor = "qemu"; + interfaces = [ + { + type = "tap"; + id = "vm-jf-${user}"; + mac = mac; + } + { + type = "user"; + id = "vmuser-cloud"; + mac = user; + } + ]; + forwardPorts = 
[ + { + from = "host"; + host.port = ssh; + guest.port = 22; + } + ]; + shares = [ + { + mountPoint = "/nix/.ro-store"; + proto = "virtiofs"; + source = "/nix/store"; + tag = "read_only_nix_store"; + } + { + mountPoint = "/var/lib/${serviceCfg.name}"; + proto = "virtiofs"; + source = "${mnt}/${serviceCfg.name}/data"; + tag = "${serviceCfg.name}_${user}_data"; + } + { + mountPoint = "/var/cache/${serviceCfg.name}"; + proto = "virtiofs"; + source = "${mnt}/${serviceCfg.name}/cache"; + tag = "${serviceCfg.name}_${user}_cache"; + } + { + mountPoint = "/var/lib/${serviceCfg.name}-media"; + proto = "virtiofs"; + source = "${mnt}/${serviceCfg.name}/media"; + tag = "${serviceCfg.name}_${user}_media"; + } + ]; + }; + }; + }; + }; + + users = { + groups.jellyfin = { + gid = id; + members = [ user0 ]; + }; + users = { + jellyfin = { + isSystemUser = true; + group = serviceCfg.name; + uid = id; + }; + caddy.extraGroups = [ "acme" ]; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${mnt}/${serviceCfg.name} 0755 microvm wheel - -" + "d ${mnt}/${serviceCfg.name}/data 0755 microvm wheel - -" + "d ${mnt}/${serviceCfg.name}/cache 0755 microvm wheel - -" + "d ${mnt}/${serviceCfg.name}/media 0775 microvm wheel - -" + ]; + }; +} diff --git a/modules/nixos/homelab/guests/jellyfin/default.nix b/modules/nixos/homelab/guests/jellyfin/default.nix new file mode 100644 index 0000000..8ce516f --- /dev/null +++ b/modules/nixos/homelab/guests/jellyfin/default.nix 
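Review bot: The jellyfin config file exports its VM builder as `forgejoVM`, but jellyfin/default.nix does `inherit (import ./config …) jellyfinVM`, so the attribute lookup fails; the binding should be `jellyfinVM =`. The user-mode interface is given `mac = user;`, which is the account name, where the other guests pass `mac = userMac;`, and `userMac` is left unused. `caddy.extraGroups = [ "acme" ]` adds the host's Caddy user to the `acme` group from inside the jellyfin guest module; that grant would be easier to audit next to the Caddy configuration.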
@@ -0,0 +1,25 @@
+{
+ flake,
+ pkgs,
+ labHelpers,
+ ...
+}:
+let
+ inherit (import ./config { inherit flake pkgs; }) jellyfinVM;
+ inherit (flake.config.people) user0;
+ inherit (flake.config.services) instances;
+
+ interface0Cfg = instances.jellyfin.interfaces.interface0;
+
+ jellyfinNick = jellyfinVM {
+ user = user0;
+ ip = interface0Cfg.microvm.ip;
+ mac = interface0Cfg.microvm.mac;
+ userMac = interface0Cfg.microvm.macUser;
+ ssh = interface0Cfg.microvm.ssh;
+ mnt = "";
+ host = interface0Cfg.domain;
+ };
+in
+jellyfinNick
+# // forgejoStacie // forgejoGarnet
diff --git a/modules/nixos/guests/mastodon/config/chars.patch b/modules/nixos/homelab/guests/mastodon/config/config/chars.patch
similarity index 100%
rename from modules/nixos/guests/mastodon/config/chars.patch
rename to modules/nixos/homelab/guests/mastodon/config/config/chars.patch
diff --git a/modules/nixos/guests/mastodon/config/twitter.txt b/modules/nixos/homelab/guests/mastodon/config/config/twitter.txt
similarity index 100%
rename from modules/nixos/guests/mastodon/config/twitter.txt
rename to modules/nixos/homelab/guests/mastodon/config/config/twitter.txt
diff --git a/modules/nixos/homelab/guests/mastodon/config/default.nix b/modules/nixos/homelab/guests/mastodon/config/default.nix
new file mode 100755
index 0000000..3a181e1
--- /dev/null
+++ b/modules/nixos/homelab/guests/mastodon/config/default.nix
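Review bot: `import ./config { inherit flake pkgs; }` omits `config`, which jellyfin/config/default.nix names as a required argument (`{ config, flake, ... }`), so the call fails with a missing-argument error; mastodon/default.nix has the same problem with `config` and `lib`. Either add `config` to this module's arguments and pass it, `import ./config { inherit config flake pkgs; }`, or drop the argument from the callee, which does not appear to use it. The trailing `# // forgejoStacie // forgejoGarnet` comment is copied from the forgejo module and should name jellyfin or be removed.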
@@ -0,0 +1,499 @@ +{ + flake, + config, + pkgs, + lib, + ... +}: +let + inherit (flake.config.people) user0; + inherit (flake.config.services) instances; + serviceCfg = instances.mastodon; + smtpCfg = instances.smtp; + +in +{ + mastodonVM = + { + user, + ip, + mac, + userMac, + ssh, + mnt, + host, + }: + { + # If you need to start fresh for some reason, run these to create the new Admin account: + # sudo -u mastodon mastodon-tootctl accounts create nick --email=nick@localhost --confirmed --role=Owner + # sudo -u mastodon mastodon-tootctl accounts approve nick + # If you fuck up and lose the password, use this: + # sudo mastodon-tootctl accounts modify --reset-password nick + # If you really fuck up and name yourself wrong, use this shit + # sudo mastodon-tootctl accounts modify username --remove-role + + nixpkgs.overlays = [ + (final: prev: { + mastodon = prev.mastodon.overrideAttrs (oldAttrs: { + patches = (oldAttrs.patches or [ ]) ++ [ + ./config/chars.patch + ]; + }); + }) + ]; + + microvm.vms = { + "${serviceCfg.name}-${user}" = { + autostart = true; + restartIfChanged = true; + config = { + system.stateVersion = "24.05"; + time.timeZone = "America/Winnipeg"; + users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; + + services = { + ${serviceCfg.name} = { + enable = true; + localDomain = host; + secretKeyBaseFile = "/etc/mastodon-secrets/${user}-pass"; + streamingProcesses = 7; + trustedProxy = "127.0.0.1"; + automaticMigrations = true; + database = { + createLocally = true; + name = serviceCfg.name; + host = "/run/postgresql"; + user = serviceCfg.name; + passwordFile = "/etc/mastodon-secrets/${user}-database"; + }; + extraConfig = { + SINGLE_USER_MODE = "false"; + SMTP_AUTH_METHOD = "plain"; + SMTP_DELIVERY_METHOD = "smtp"; + SMTP_ENABLE_STARTTLS_AUTO = "true"; + SMTP_SSL = "false"; + }; + + # if you're starting from scratch, you gotta cd into /var/lib/mastodon and run: + # sudo -u mastodon mastodon-tootctl search deploy + 
+ elasticsearch = { + preset = "single_node_cluster"; + host = "127.0.0.1"; + port = 9200; + }; + mediaAutoRemove = { + enable = true; + olderThanDays = 14; + }; + redis = { + createLocally = true; + enableUnixSocket = true; + }; + sidekiqThreads = 25; + sidekiqProcesses = { + all = { + jobClasses = [ ]; + threads = null; + }; + default = { + jobClasses = [ "default" ]; + threads = 5; + }; + ingress = { + jobClasses = [ "ingress" ]; + threads = 5; + }; + push-pull = { + jobClasses = [ + "push" + "pull" + ]; + threads = 5; + }; + mailers = { + jobClasses = [ "mailers" ]; + threads = 5; + }; + }; + smtp = { + authenticate = true; + createLocally = false; + fromAddress = "upRootNutrition <${smtpCfg.interfaces.interface1.email}>"; + host = smtpCfg.interfaces.interface1.domain; + passwordFile = "/etc/mastodon-secrets/${user}-smtp"; + port = smtpCfg.ports.port1; + user = smtpCfg.interfaces.interface1.email; + }; + }; + opensearch.enable = true; + caddy = { + enable = true; + virtualHosts = { + ":80" = { + extraConfig = '' + handle_path /system/* { + file_server * { + root /var/lib/mastodon/public-system + } + } + + handle /api/v1/streaming/* { + reverse_proxy unix//run/mastodon-streaming/streaming.socket { + header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto} + header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host} + } + } + + route * { + file_server * { + root ${pkgs.mastodon}/public + pass_thru + } + reverse_proxy * unix//run/mastodon-web/web.socket { + header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto} + header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host} + } + } + + handle_errors { + root * ${pkgs.mastodon}/public + rewrite 500.html + file_server + } + + encode gzip + + header /* { + Strict-Transport-Security "max-age=31536000;" + } + + header /emoji/* Cache-Control "public, max-age=31536000, immutable" + header /packs/* Cache-Control "public, max-age=31536000, immutable" + header /system/accounts/avatars/* 
Cache-Control "public, max-age=31536000, immutable" + header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable" + ''; + }; + }; + }; + + postgresql = { + enable = true; + }; + + openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "prohibit-password"; + }; + }; + }; + + users.users = { + ${serviceCfg.name}.extraGroups = [ "postgres" ]; + caddy.extraGroups = [ serviceCfg.name ]; + fedifetcher = { + isSystemUser = true; + group = "fedifetcher"; + home = "/var/lib/fedifetcher"; + createHome = true; + }; + }; + + users.groups.fedifetcher = { }; + + networking.firewall.allowedTCPPorts = [ + 22 # SSH + 80 # Caddy + 25 # SMTP + 139 # SMTP + 587 # SMTP + 2525 # SMTP + 5432 # Postgres + ]; + + systemd = { + services = { + mastodon-init-dirs.serviceConfig.PrivateMounts = lib.mkForce false; + mastodon-web.serviceConfig.PrivateMounts = lib.mkForce false; + mastodon-streaming-1.serviceConfig.PrivateMounts = lib.mkForce false; + mastodon-streaming-2.serviceConfig.PrivateMounts = lib.mkForce false; + mastodon-streaming-3.serviceConfig.PrivateMounts = lib.mkForce false; + mastodon-streaming-4.serviceConfig.PrivateMounts = lib.mkForce false; + mastodon-streaming-5.serviceConfig.PrivateMounts = lib.mkForce false; + mastodon-streaming-6.serviceConfig.PrivateMounts = lib.mkForce false; + mastodon-streaming-7.serviceConfig.PrivateMounts = lib.mkForce false; + mastodon-sidekiq-all.serviceConfig.PrivateMounts = lib.mkForce false; + mastodon-sidekiq-default.serviceConfig.PrivateMounts = lib.mkForce false; + mastodon-sidekiq-ingress.serviceConfig.PrivateMounts = lib.mkForce false; + mastodon-sidekiq-mailers.serviceConfig.PrivateMounts = lib.mkForce false; + mastodon-sidekiq-push-pull.serviceConfig.PrivateMounts = lib.mkForce false; + + mastodon-elastic-search = { + description = "Recache elastic search"; + after = [ + "network-online.target" + "mastodon-web.service" + ]; + wants = [ "network-online.target" ]; + 
serviceConfig = { + WorkingDirectory = "/var/lib/${serviceCfg.name}"; + Type = "oneshot"; + }; + script = '' + /run/current-system/sw/bin/mastodon-tootctl search deploy --only=instances accounts tags statuses public_statuses + ''; + }; + + mastodon-copy-secrets = { + description = "Copy secrets from virtiofs to local filesystem"; + before = [ "mastodon-init-dirs.service" ]; + requiredBy = [ "mastodon-init-dirs.service" ]; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + + script = '' + mkdir -p /etc/mastodon-secrets + cp /run/secrets/${user}-pass /etc/mastodon-secrets/${user}-pass + cp /run/secrets/${user}-database /etc/mastodon-secrets/${user}-database + cp /run/secrets/${user}-redis /etc/mastodon-secrets/${user}-redis + cp /run/secrets/${user}-smtp /etc/mastodon-secrets/${user}-smtp + cp /run/secrets/${user}-fedifetcher-token /etc/mastodon-secrets/${user}-fedifetcher + chmod 755 /etc/mastodon-secrets + chmod 644 /etc/mastodon-secrets/* + ''; + }; + + fedifetcher = { + description = "FediFetcher - Fetch missing posts for Mastodon"; + after = [ + "network-online.target" + "mastodon-web.service" + ]; + wants = [ "network-online.target" ]; + + serviceConfig = + let + fedifetcherConfig = pkgs.writeText "fedifetcher-config.json" ( + builtins.toJSON { + server = "https://${host}"; + home-timeline-length = 200; + max-followings = 80; + from-notifications = 1; + max-bookmarks = 80; + max-favourites = 40; + backfill-with-context = 1; + backfill-mentioned-users = 1; + remember-users-for-hours = 168; + remember-hosts-for-days = 30; + http-timeout = 5; + lock-hours = 24; + log-level = "INFO"; + } + ); + in + { + Type = "oneshot"; + User = "fedifetcher"; + Group = "fedifetcher"; + WorkingDirectory = "/var/lib/fedifetcher"; + TimeoutStartSec = "300"; + PrivateTmp = true; + NoNewPrivileges = true; + ProtectSystem = "strict"; + ProtectHome = true; + ReadWritePaths = "/var/lib/fedifetcher"; + ExecStart = + let + script = pkgs.writeShellScript 
"fedifetcher-run" '' + set -e + + # Wait for Mastodon to be fully ready + for i in {1..30}; do + if ${pkgs.curl}/bin/curl -sf http://localhost:80/health >/dev/null 2>&1; then + echo "Mastodon is ready" + break + fi + echo "Waiting for Mastodon to be ready... ($i/30)" + sleep 2 + done + + export ACCESS_TOKEN=$(cat /etc/mastodon-secrets/${user}-fedifetcher) + ${pkgs.fedifetcher}/bin/fedifetcher \ + -c=${fedifetcherConfig} \ + --access-token="$ACCESS_TOKEN" + ''; + in + "${script}"; + }; + }; + + mastodon-init-db.serviceConfig.EnvironmentFile = "/var/lib/mastodon/.secrets_env"; + + systemd-tmpfiles-setup.after = [ "var-lib-mastodon.mount" ]; + + opensearch-install-plugins = { + description = "Install OpenSearch plugins"; + before = [ "opensearch.service" ]; + requiredBy = [ "opensearch.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + PLUGIN_DIR="/var/lib/opensearch/plugins/analysis-icu" + if [ ! -d "$PLUGIN_DIR" ]; then + # Create the plugins directory if it doesn't exist + mkdir -p /var/lib/opensearch/plugins + + # Install using the proper OpenSearch plugin command + export OPENSEARCH_JAVA_HOME="${pkgs.jdk17}/lib/openjdk" + ${pkgs.opensearch}/bin/opensearch-plugin install --batch analysis-icu || { + echo "Plugin installation failed, but continuing anyway" + exit 0 + } + fi + ''; + }; + }; + timers = { + mastodon-elastic-search = { + description = "Timer for Mastodon elastic search recaching"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "10min"; + OnUnitActiveSec = "60min"; + Unit = "mastodon-elastic-search.service"; + }; + }; + + fedifetcher = { + description = "Timer for FediFetcher"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "10min"; + OnUnitActiveSec = "15min"; + Unit = "fedifetcher.service"; + Persistent = true; + AccuracySec = "1min"; + }; + }; + }; + + network = { + enable = true; + networks."20-lan" = { + matchConfig.Name = "enp0s6"; + addresses = [ { Address = 
"${ip}/24"; } ]; + routes = [ + { + Destination = "0.0.0.0/0"; + Gateway = "192.168.50.1"; + } + ]; + dns = [ + "1.1.1.1" + "8.8.8.8" + ]; + }; + }; + + tmpfiles.rules = [ + "d /var/lib/mastodon 0755 mastodon mastodon -" + "Z /var/lib/mastodon 0755 mastodon mastodon -" + "Z /var/lib/postgresql 0755 postgres postgres -" + "d /var/cache/mastodon/precompile 0755 mastodon mastodon -" + "d /var/lib/mastodon/public-system 0755 mastodon mastodon -" + "d /var/lib/mastodon/public-system/accounts 0755 mastodon mastodon -" + "d /var/lib/mastodon/public-system/media_attachments 0755 mastodon mastodon -" + "d /var/lib/mastodon/public-system/media_attachments/files 0755 mastodon mastodon -" + "d /var/lib/mastodon/public-system/site_uploads 0755 mastodon mastodon -" + "d /var/lib/fedifetcher 0755 fedifetcher fedifetcher -" + ]; + }; + + microvm = { + vcpu = 2; + mem = 1024 * 6; + hypervisor = "qemu"; + interfaces = [ + { + type = "tap"; + id = "vm-md-${user}"; + mac = mac; + } + { + type = "user"; + id = "vmuser-cloud"; + mac = userMac; + } + ]; + forwardPorts = [ + { + from = "host"; + host.port = ssh; + guest.port = 22; + } + ]; + shares = [ + { + mountPoint = "/nix/.ro-store"; + proto = "virtiofs"; + source = "/nix/store"; + tag = "read_only_nix_store"; + } + { + mountPoint = "/var/lib/${serviceCfg.name}"; + proto = "virtiofs"; + source = "${mnt}/${serviceCfg.name}/data"; + tag = "${serviceCfg.name}_data"; + } + { + mountPoint = "/var/lib/postgresql"; + proto = "virtiofs"; + source = "${mnt}/${serviceCfg.name}/database"; + tag = "${serviceCfg.name}_${user}_database"; + } + { + mountPoint = "/run/secrets"; + proto = "virtiofs"; + source = "/run/secrets/${serviceCfg.name}"; + tag = "host_secrets"; + } + ]; + }; + }; + }; + }; + + sops = { + secrets = builtins.listToAttrs ( + map + (secret: { + name = "${serviceCfg.name}/${user}-${secret}"; + value = { + owner = "root"; + group = "root"; + mode = "0644"; + }; + }) + [ + "smtp" + "database" + "redis" + "pass" + "fedifetcher" + ] + 
); + }; + systemd.tmpfiles.rules = [ + "d ${mnt}/${serviceCfg.name} 0751 microvm wheel - -" + "d ${mnt}/${serviceCfg.name}/data 0751 microvm wheel - -" + "d ${mnt}/${serviceCfg.name}/database 0751 microvm wheel - -" + ]; + }; +} diff --git a/modules/nixos/homelab/guests/mastodon/default.nix b/modules/nixos/homelab/guests/mastodon/default.nix new file mode 100644 index 0000000..215307f --- /dev/null +++ b/modules/nixos/homelab/guests/mastodon/default.nix @@ -0,0 +1,25 @@ +{ + flake, + pkgs, + labHelpers, + ... +}: +let + inherit (import ./config { inherit flake pkgs; }) mastodonVM; + inherit (flake.config.people) user0; + inherit (flake.config.services) instances; + + interface0Cfg = instances.mastodon.interfaces.interface0; + + mastodonNick = mastodonVM { + user = user0; + ip = interface0Cfg.microvm.ip; + mac = interface0Cfg.microvm.mac; + userMac = interface0Cfg.microvm.macUser; + ssh = interface0Cfg.microvm.ssh; + mnt = ""; + host = interface0Cfg.domain; + }; +in +mastodonNick +# // mastodonStacie // mastodonGarnet diff --git a/modules/nixos/nas/guests/minecraft/config/default.nix b/modules/nixos/homelab/guests/minecraft/config/default.nix old mode 100644 new mode 100755 similarity index 99% rename from modules/nixos/nas/guests/minecraft/config/default.nix rename to modules/nixos/homelab/guests/minecraft/config/default.nix index 2ee33ea..8607b37 --- a/modules/nixos/nas/guests/minecraft/config/default.nix +++ b/modules/nixos/homelab/guests/minecraft/config/default.nix @@ -38,7 +38,7 @@ in openFirewall = true; declarative = true; serverProperties = { - "rcon.password" = "/etc/${serviceCfg.name}-secrets/world${worldNumber}"; + "rcon.password" = "/etc/${serviceCfg.name}-secrets/${user}-world${worldNumber}"; server-port = port; } // config; diff --git a/modules/nixos/homelab/guests/minecraft/default.nix b/modules/nixos/homelab/guests/minecraft/default.nix new file mode 100755 index 0000000..e685b92 --- /dev/null +++ b/modules/nixos/homelab/guests/minecraft/default.nix 
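Review bot: Every Mastodon secret ends up world-readable: the sops entries at the end of the config hunk use `mode = "0644"`, and `mastodon-copy-secrets` finishes with `chmod 755 /etc/mastodon-secrets` and `chmod 644 /etc/mastodon-secrets/*`, so any account on the host or in the guest can read the secret key base and the database and SMTP passwords. On the host I would use `mode = "0600";` as the forgejo module does, and in the guest copy each file with an explicit owner and mode as in the fence below (the reading users are assumed from the unit definitions and should be confirmed). The same script copies `${user}-fedifetcher-token` although the sops list declares `fedifetcher`, and the fedifetcher unit passes `--access-token="$ACCESS_TOKEN"` on the command line, where other local users can see it in the process list. The firewall also opens 25, 139, 587, 2525 and 5432 inbound even though PostgreSQL is reached over `/run/postgresql` and mail is only sent; `22` and `80` look sufficient.

```nix
mastodon-copy-secrets = {
  # … unchanged: description, before, requiredBy, serviceConfig …
  script = ''
    install -d -m 0711 /etc/mastodon-secrets
    for name in pass database redis smtp; do
      install -m 0400 -o mastodon -g mastodon \
        /run/secrets/${user}-$name /etc/mastodon-secrets/${user}-$name
    done
    # Source name follows the sops list ("fedifetcher"); adjust if the token
    # is really published as "fedifetcher-token".
    install -m 0400 -o fedifetcher -g fedifetcher \
      /run/secrets/${user}-fedifetcher /etc/mastodon-secrets/${user}-fedifetcher
  '';
};
```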
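Review bot: In the minecraft config hunk, `"rcon.password"` is set to the string `/etc/${serviceCfg.name}-secrets/${user}-world${worldNumber}`, and `server.properties` takes that value literally rather than reading a file, so unless something outside the hunk substitutes it, the RCON password is this predictable path. With `declarative = true` the properties are typically rendered into the world-readable Nix store as well. Since the worlds in minecraft/default.nix set `enable-rcon = true`, I would either set `enable-rcon = false` or write the real password into the properties file at service start from the secret file. The enclosing `serverProperties` block starts outside the hunk.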
@@ -0,0 +1,105 @@ +{ + flake, + pkgs, + labHelpers, + ... +}: +let + inherit (import ./config { inherit flake pkgs; }) minecraftVM; + inherit (flake.config.services) instances; + inherit (flake.config.people) user0; + + minecraftNick01 = + let + interfaceCfg = instances.minecraft.interfaces.interface0; + in + minecraftVM { + user = user0; + ip = interfaceCfg.microvm.ip; + mac = interfaceCfg.microvm.mac; + userMac = interfaceCfg.microvm.macUser; + ssh = interfaceCfg.microvm.ssh; + port = interfaceCfg.microvm.port; + mnt = ""; + worldNumber = "01"; + config = { + allow-flight = false; + allow-nether = true; + difficulty = 2; + enable-command-block = false; + enable-rcon = true; + enable-status = true; + force-gamemode = true; + gamemode = 0; + generate-structures = true; + hardcore = false; + hide-online-players = false; + level-name = "Brix on Nix"; + level-seed = "9064150133272194"; + max-players = 10; + max-world-size = 64000000; + motd = "A cool Minecraft server powered by NixOS"; + online-mode = true; + pvp = true; + spawn-animals = true; + spawn-monsters = true; + spawn-npcs = true; + spawn-protection = 16; + view-distance = 32; + white-list = true; + }; + whitelist = { + Hefty_Chungus = "b75a9816-d408-4c54-b226-385b59ea1cb3"; + Hefty_Chungus_Jr = "c3bf8cac-e953-4ea4-ae5f-7acb92a51a85"; + EclipseMoon01 = "adef4af7-d8c6-4627-b492-e990ea1bb993"; + Fallaryn = "d8baa117-ab58-4b07-92a5-48fb1978eb49"; + }; + }; + + minecraftNick02 = + let + interfaceCfg = instances.minecraft.interfaces.interface1; + in + minecraftVM { + user = user0; + ip = interfaceCfg.microvm.ip; + mac = interfaceCfg.microvm.mac; + userMac = interfaceCfg.microvm.macUser; + ssh = interfaceCfg.microvm.ssh; + port = interfaceCfg.microvm.port; + mnt = ""; + worldNumber = "02"; + config = { + allow-flight = false; + allow-nether = true; + difficulty = 2; + enable-command-block = false; + enable-rcon = true; + enable-status = true; + force-gamemode = true; + gamemode = 0; + generate-structures = true; + 
hardcore = false; + hide-online-players = false; + level-name = "Cuddle Cubes"; + level-seed = "-2332803749585407299"; + max-players = 10; + max-world-size = 64000000; + motd = "A cool Minecraft server powered by NixOS"; + online-mode = true; + pvp = true; + spawn-animals = true; + spawn-monsters = true; + spawn-npcs = true; + spawn-protection = 16; + view-distance = 32; + white-list = true; + }; + whitelist = { + Hefty_Chungus = "b75a9816-d408-4c54-b226-385b59ea1cb3"; + Fallaryn = "d8baa117-ab58-4b07-92a5-48fb1978eb49"; + }; + }; + +in +minecraftNick01 // minecraftNick02 diff --git a/modules/nixos/nas/guests/onlyoffice/config/default.nix b/modules/nixos/homelab/guests/onlyoffice/config/default.nix old mode 100644 new mode 100755 similarity index 100% rename from modules/nixos/nas/guests/onlyoffice/config/default.nix rename to modules/nixos/homelab/guests/onlyoffice/config/default.nix diff --git a/modules/nixos/nas/guests/onlyoffice/default.nix b/modules/nixos/homelab/guests/onlyoffice/default.nix old mode 100644 new mode 100755 similarity index 100% rename from modules/nixos/nas/guests/onlyoffice/default.nix rename to modules/nixos/homelab/guests/onlyoffice/default.nix diff --git a/modules/nixos/nas/guests/opencloud/config/default.nix b/modules/nixos/homelab/guests/opencloud/config/default.nix old mode 100644 new mode 100755 similarity index 98% rename from modules/nixos/nas/guests/opencloud/config/default.nix rename to modules/nixos/homelab/guests/opencloud/config/default.nix index 910bee7..05dca37 --- a/modules/nixos/nas/guests/opencloud/config/default.nix +++ b/modules/nixos/homelab/guests/opencloud/config/default.nix @@ -5,9 +5,8 @@ }: let inherit (flake.config.people) user0; - serviceCfg = { - name = "opencloud"; - }; + inherit (flake.config.services.instances) opencloud; + serviceCfg = opencloud; in { opencloudVM = 
diff --git a/modules/nixos/nas/guests/opencloud/default.nix b/modules/nixos/homelab/guests/opencloud/default.nix old mode 100644 new mode 100755 similarity index 63% rename from modules/nixos/nas/guests/opencloud/default.nix rename to modules/nixos/homelab/guests/opencloud/default.nix index 25ba71b..3d58e20 --- a/modules/nixos/nas/guests/opencloud/default.nix +++ b/modules/nixos/homelab/guests/opencloud/default.nix @@ -1,26 +1,24 @@ { flake, pkgs, - nasHelpers, + labHelpers, ... }: let inherit (import ./config { inherit flake pkgs; }) opencloudVM; inherit (flake.config.people) user0; - inherit (flake.config.services) instances; - inherit (nasHelpers) ipAddress guestPath opencloud; - id0 = builtins.toString opencloud.id0; - id1 = builtins.toString opencloud.id1; - id2 = builtins.toString opencloud.id2; + inherit (flake.config.services.instances) opencloud; + + interface0Cfg = opencloud.interfaces.interface0; opencloudNick = opencloudVM { user = user0; - ip = ipAddress id0; - mac = "02:00:00:00:${id0}:${id0}"; - userMac = "02:00:00:00:00:${id0}"; - ssh = opencloud.ssh0; - mnt = guestPath user0; - host = instances.opencloud0.domains.url0; + ip = interface0Cfg.microvm.ip; + mac = interface0Cfg.microvm.mac; + userMac = interface0Cfg.microvm.macUser; + ssh = interface0Cfg.microvm.ssh; + mnt = ""; + host = interface0Cfg.domain; }; # opencloudStacie = opencloudVM { diff --git a/modules/nixos/nas/guests/photoprism/config/default.nix b/modules/nixos/homelab/guests/photoprism/config/default.nix old mode 100644 new mode 100755 similarity index 98% rename from modules/nixos/nas/guests/photoprism/config/default.nix rename to modules/nixos/homelab/guests/photoprism/config/default.nix index 327b885..90b349c --- a/modules/nixos/nas/guests/photoprism/config/default.nix +++ b/modules/nixos/homelab/guests/photoprism/config/default.nix 
@@ -5,9 +5,8 @@ }: let inherit (flake.config.people) user0; - serviceCfg = { - name = "photoprism"; - }; + inherit (flake.config.services.instances) photoprism; + serviceCfg = photoprism; in { photoprismVM = diff --git a/modules/nixos/nas/guests/photoprism/default.nix b/modules/nixos/homelab/guests/photoprism/default.nix old mode 100644 new mode 100755 similarity index 66% rename from modules/nixos/nas/guests/photoprism/default.nix rename to modules/nixos/homelab/guests/photoprism/default.nix index 0f1c470..6eed982 --- a/modules/nixos/nas/guests/photoprism/default.nix +++ b/modules/nixos/homelab/guests/photoprism/default.nix @@ -1,30 +1,24 @@ { flake, lib, - nasHelpers, + labHelpers, ... }: let inherit (import ./config { inherit flake lib; }) photoprismVM; - inherit (nasHelpers) - ipAddress - guestPath - mediaPath - photoprism - ; + inherit (flake.config.services.instances) photoprism; inherit (flake.config.people) user0; - id0 = builtins.toString photoprism.id0; - id1 = builtins.toString photoprism.id1; - id2 = builtins.toString photoprism.id2; + interface0Cfg = photoprism.interfaces.interface0; photoprismNick = photoprismVM { user = user0; - ip = ipAddress id0; - mac = "02:00:00:00:${id0}:${id0}"; - userMac = "02:00:00:00:00:${id0}"; - ssh = photoprism.ssh0; - mnt = guestPath user0; - data = mediaPath user0; + ip = interface0Cfg.microvm.ip; + mac = interface0Cfg.microvm.mac; + userMac = interface0Cfg.microvm.macUser; + ssh = interface0Cfg.microvm.ssh; + mnt = ""; + data = ""; + host = interface0Cfg.domain; }; # photoprismStacie = photoprismVM { diff --git a/modules/nixos/homelab/guests/qbittorrent/config/default.nix b/modules/nixos/homelab/guests/qbittorrent/config/default.nix new file mode 100755 index 0000000..73aa462 --- /dev/null +++ b/modules/nixos/homelab/guests/qbittorrent/config/default.nix 
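Review bot: `mnt = "";` and `data = "";` replace `guestPath user0` and `mediaPath user0` with empty strings, so any path the VM builder derives from them would resolve to a directory at the filesystem root rather than under the storage mount (the qbittorrent builder in this commit uses `"${mnt}/${serviceCfg.name}"` for a tmpfiles rule and a virtiofs share source). photoprismVM's body is outside this hunk, so how it uses the two values cannot be confirmed here. If these are placeholders, a comment such as `# TODO: restore guest/media paths before enabling this guest` would keep the gap visible; the same `mnt = ""` appears in the opencloud, qbittorrent, syncthing and vaultwarden hunks, and syncthing additionally sets three virtiofs `source = ""` values.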
@@ -0,0 +1,430 @@ +{ + config, + flake, + pkgs, + ... +}: +let + inherit (flake.config.people) user0; + inherit (flake.config.services) instances; + serviceCfg = instances.qbittorrent; + dns0 = instances.web.dns.provider0; + dns0Path = "dns/${dns0}"; +in +{ + qbittorrentVM = + { + user, + ip, + mac, + userMac, + ssh, + mnt, + host, + port, + endpoint, + address, + dns, + key, + }: + { + microvm.vms = + let + torrentPort = port; + vpnEndpoint = endpoint; + localNet = "192.168.50.0/24"; + in + { + "${serviceCfg.name}-${user}" = { + autostart = true; + config = { + system.stateVersion = "25.05"; + + # VPN Killswitch - configured BEFORE networking starts + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + }; + + networking = { + # Disable default firewall - we're doing it manually + firewall.enable = false; + + wg-quick.interfaces = { + wg0 = { + address = address; + dns = dns; + privateKeyFile = "/run/secrets/${user}-wireguard-pass"; + + peers = [ + { + publicKey = key; + endpoint = "${vpnEndpoint}:${toString torrentPort}"; + allowedIPs = [ + "0.0.0.0/0" + "::/0" + ]; + persistentKeepalive = 25; + } + ]; + + # Now we can safely open the VPN tunnel for all traffic + postUp = '' + echo "VPN UP: Opening network for VPN and local traffic" + + # Allow ALL traffic through VPN interface + ${pkgs.iptables}/bin/iptables -A INPUT -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -A OUTPUT -o wg0 -j ACCEPT + + # Allow local network traffic (WebUI, management) + ${pkgs.iptables}/bin/iptables -A INPUT -i enp0s5 -s ${localNet} -j ACCEPT + ${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -d ${localNet} -j ACCEPT + + # NAT for VPN + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE + + # Allow forwarding through VPN (for port forwarding) + ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -A FORWARD -i enp0s5 -o wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables 
-A FORWARD -o enp0s5 -i wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + echo "VPN UP: Network opened for VPN and local traffic" + ''; + + preDown = '' + echo "VPN DOWN: Removing VPN rules, killswitch remains active" + ${pkgs.iptables}/bin/iptables -D INPUT -i wg0 -j ACCEPT 2>/dev/null || true + ${pkgs.iptables}/bin/iptables -D OUTPUT -o wg0 -j ACCEPT 2>/dev/null || true + + ${pkgs.iptables}/bin/iptables -D INPUT -i enp0s5 -s ${localNet} -j ACCEPT 2>/dev/null || true + ${pkgs.iptables}/bin/iptables -D OUTPUT -o enp0s5 -d ${localNet} -j ACCEPT 2>/dev/null || true + + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE 2>/dev/null || true + + ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT 2>/dev/null || true + ${pkgs.iptables}/bin/iptables -D FORWARD -o wg0 -j ACCEPT 2>/dev/null || true + ${pkgs.iptables}/bin/iptables -D FORWARD -i enp0s5 -o wg0 -j ACCEPT 2>/dev/null || true + ${pkgs.iptables}/bin/iptables -D FORWARD -o enp0s5 -i wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true + + echo "VPN DOWN: Killswitch rules remain - no internet access" + ''; + }; + }; + + dhcpcd.enable = false; + useNetworkd = true; + }; + + services = { + qbittorrent = { + enable = true; + webuiPort = serviceCfg.ports.port0; + torrentingPort = torrentPort; + openFirewall = false; # We're managing firewall manually + + serverConfig = { + LegalNotice.Accepted = true; + + BitTorrent = { + Session = { + Interface = "wg0"; + InterfaceName = "wg0"; + Port = torrentPort; + MaxConnections = -1; + MaxConnectionsPerTorrent = -1; + MaxUploads = -1; + MaxUploadsPerTorrent = -1; + QueueingSystemEnabled = false; + uTPRateLimited = false; + uTPEnabled = true; + AlternativeGlobalDLSpeedLimit = 0; + AlternativeGlobalUPSpeedLimit = 0; + GlobalMaxInactiveSeedingMinutes = 10224; + GlobalMaxRatio = -1; + }; + }; + + Preferences = { + WebUI = { + Username = "user"; + Password_PBKDF2 = 
"@ByteArray(1bJKXLVSLU6kgCHbCS2lDg==:BmyrMaod6dbJqEe7Ud/JgKAxRMqzsAuEjHcTvLzIBgc5rc5Z7J2X9mbH0cDEAhXqc+O3gQxrckt8S2Gf+zlO9w==)"; + }; + + General = { + Locale = "en"; + }; + + Downloads = { + SavePath = "${mnt}/${serviceCfg.name}/downloads"; + TempPathEnabled = false; + PreAllocation = false; + }; + }; + }; + }; + + openssh = { + enable = true; + settings.PasswordAuthentication = false; + }; + }; + + users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; + + systemd = { + network = { + enable = true; + networks."10-enp" = { + matchConfig.Name = "enp0s5"; + addresses = [ { Address = "${ip}/24"; } ]; + gateway = [ "192.168.50.1" ]; + }; + }; + + tmpfiles.rules = [ + "d ${mnt}/${serviceCfg.name} 755 ${serviceCfg.name} ${serviceCfg.name} -" + "d ${mnt}/${serviceCfg.name}/downloads 755 ${serviceCfg.name} ${serviceCfg.name} -" + ]; + + services = { + # Ensure qBittorrent ONLY starts after VPN is up + qbittorrent = { + after = [ + "wg-quick-wg0.service" + "network-online.target" + ]; + requires = [ "wg-quick-wg0.service" ]; + wants = [ "network-online.target" ]; + bindsTo = [ "wg-quick-wg0.service" ]; # Stop if VPN stops + + serviceConfig = { + Restart = "on-failure"; + RestartSec = "10s"; + }; + }; + + natpmp-portforward = { + description = "NAT-PMP Port Forwarding for VPN"; + after = [ + "wg-quick-wg0.service" + "qbittorrent.service" + ]; + requires = [ + "wg-quick-wg0.service" + "qbittorrent.service" + ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "simple"; + Restart = "always"; + RestartSec = "10s"; + }; + + script = '' + PASSWORD=$(cat /run/secrets/${user}-qbittorrent-pass) + echo "Waiting for qBittorrent to start..." + sleep 10 + + while true; do + echo "Requesting port forwarding from VPN..." 
+ + UDP_OUTPUT=$(${pkgs.libnatpmp}/bin/natpmpc -a 1 0 udp 60 -g 10.2.0.1 2>&1) + UDP_PORT=$(echo "$UDP_OUTPUT" | ${pkgs.gnugrep}/bin/grep "Mapped public port" | ${pkgs.gawk}/bin/awk '{print $4}' | head -1) + + TCP_OUTPUT=$(${pkgs.libnatpmp}/bin/natpmpc -a 1 0 tcp 60 -g 10.2.0.1 2>&1) + TCP_PORT=$(echo "$TCP_OUTPUT" | ${pkgs.gnugrep}/bin/grep "Mapped public port" | ${pkgs.gawk}/bin/awk '{print $4}' | head -1) + + if [ -n "$UDP_PORT" ] && [ -n "$TCP_PORT" ]; then + echo "Port forwarding successful: UDP=$UDP_PORT, TCP=$TCP_PORT" + + # Clean up old dynamic rules + ${pkgs.iptables}/bin/iptables -t nat -D PREROUTING -i enp0s5 -s ${localNet} -p tcp -j DNAT 2>/dev/null || true + ${pkgs.iptables}/bin/iptables -t nat -D PREROUTING -i enp0s5 -s ${localNet} -p udp -j DNAT 2>/dev/null || true + ${pkgs.iptables}/bin/iptables -D FORWARD -i enp0s5 -o wg0 -p tcp -j ACCEPT 2>/dev/null || true + ${pkgs.iptables}/bin/iptables -D FORWARD -i enp0s5 -o wg0 -p udp -j ACCEPT 2>/dev/null || true + ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -o enp0s5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true + + # DNAT: Forward LAN traffic to qBittorrent on WireGuard interface + ${pkgs.iptables}/bin/iptables -t nat -A PREROUTING -i enp0s5 -s ${localNet} -p tcp --dport "$TCP_PORT" -j DNAT --to-destination 10.2.0.2:"$TCP_PORT" + ${pkgs.iptables}/bin/iptables -t nat -A PREROUTING -i enp0s5 -s ${localNet} -p udp --dport "$UDP_PORT" -j DNAT --to-destination 10.2.0.2:"$UDP_PORT" + + # Allow forwarding for these specific ports + ${pkgs.iptables}/bin/iptables -A FORWARD -i enp0s5 -o wg0 -d 10.2.0.2 -p tcp --dport "$TCP_PORT" -j ACCEPT + ${pkgs.iptables}/bin/iptables -A FORWARD -i enp0s5 -o wg0 -d 10.2.0.2 -p udp --dport "$UDP_PORT" -j ACCEPT + ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -o enp0s5 -s 10.2.0.2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + echo "Firewall forwarding rules updated for ports: UDP=$UDP_PORT, TCP=$TCP_PORT" + + # Update qBittorrent 
listening port via API + echo "Logging into qBittorrent API..." + COOKIE=$(${pkgs.curl}/bin/curl -s -i \ + --header "Referer: http://localhost:${toString serviceCfg.ports.port0}" \ + --data "username=user&password=$PASSWORD" \ + "http://localhost:${toString serviceCfg.ports.port0}/api/v2/auth/login" | \ + ${pkgs.gnugrep}/bin/grep -i "set-cookie" | ${pkgs.gawk}/bin/awk -F'SID=|;' '{print $2}') + + if [ -n "$COOKIE" ]; then + echo "Authentication successful, updating port..." + ${pkgs.curl}/bin/curl -s \ + --cookie "SID=$COOKIE" \ + --data "json={\"listen_port\":$UDP_PORT}" \ + "http://localhost:${toString serviceCfg.ports.port0}/api/v2/app/setPreferences" + + echo "Updated qBittorrent listening port to $UDP_PORT" + else + echo "WARNING: Failed to authenticate with qBittorrent API" + fi + else + echo "ERROR: Failed to get forwarded ports" + echo "UDP output: $UDP_OUTPUT" + echo "TCP output: $TCP_OUTPUT" + fi + + sleep 45 + done + ''; + }; + killswitch-init = { + description = "Initialize VPN Killswitch Before Network"; + wantedBy = [ "network-pre.target" ]; + before = [ + "network-pre.target" + "network.target" + ]; + after = [ "systemd-modules-load.service" ]; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + + script = '' + echo "KILLSWITCH: Setting up firewall rules BEFORE network services" + + # Default DROP everything + ${pkgs.iptables}/bin/iptables -P INPUT DROP + ${pkgs.iptables}/bin/iptables -P OUTPUT DROP + ${pkgs.iptables}/bin/iptables -P FORWARD DROP + + ${pkgs.iptables}/bin/iptables -F + ${pkgs.iptables}/bin/iptables -t nat -F + ${pkgs.iptables}/bin/iptables -X + + # Allow loopback + ${pkgs.iptables}/bin/iptables -A INPUT -i lo -j ACCEPT + ${pkgs.iptables}/bin/iptables -A OUTPUT -o lo -j ACCEPT + + # CRITICAL: Only allow WireGuard endpoint traffic before VPN is up + ${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -p udp --dport ${toString torrentPort} -d ${vpnEndpoint} -j ACCEPT + ${pkgs.iptables}/bin/iptables -A INPUT -i enp0s5 
-p udp --sport ${toString torrentPort} -s ${vpnEndpoint} -j ACCEPT + + # Allow SSH from local network (for management) + ${pkgs.iptables}/bin/iptables -A INPUT -i enp0s5 -s ${localNet} -p tcp --dport 22 -j ACCEPT + ${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -d ${localNet} -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + + # Block IPv6 completely + ${pkgs.iptables}/bin/ip6tables -P INPUT DROP 2>/dev/null || true + ${pkgs.iptables}/bin/ip6tables -P OUTPUT DROP 2>/dev/null || true + ${pkgs.iptables}/bin/ip6tables -P FORWARD DROP 2>/dev/null || true + + echo "KILLSWITCH: Initialized - Network locked down" + ''; + }; + }; + }; + + microvm = { + vcpu = 1; + mem = 1024 * 1; + hypervisor = "qemu"; + + interfaces = [ + { + type = "tap"; + id = "vm-qb-${user}"; + mac = mac; + } + { + type = "user"; + id = "vmuser-share"; + mac = userMac; + } + ]; + forwardPorts = [ + { + from = "host"; + host.port = ssh; + guest.port = 22; + } + ]; + shares = [ + { + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + tag = "ro-store"; + proto = "virtiofs"; + } + { + mountPoint = "/var/lib/${serviceCfg.name}"; + proto = "virtiofs"; + source = "${mnt}/${serviceCfg.name}"; + tag = "${serviceCfg.name}_data"; + } + { + mountPoint = "/run/secrets"; + proto = "virtiofs"; + source = "/run/secrets/torrent"; + tag = "host_secrets"; + } + ]; + }; + environment.systemPackages = builtins.attrValues { + inherit (pkgs) + conntrack-tools + gawk + iptables + libnatpmp + speedtest-go + wireguard-tools + ; + }; + }; + }; + + sops.secrets = { + "torrent/${user}-wireguard-pass" = { + owner = "root"; + mode = "0400"; + }; + "torrent/${user}-qbittorrent-pass" = { + owner = "root"; + mode = "0400"; + }; + }; + + systemd = { + services.caddy = { + serviceConfig = { + EnvironmentFile = config.sops.secrets."caddy/share-auth".path; + }; + }; + + tmpfiles.rules = [ + "d ${mnt}/${serviceCfg.name} 0755 microvm wheel - -" + ]; + }; + + networking.firewall = { + allowedTCPPorts = [ + 
38834 + torrentPort + ]; + allowedUDPPorts = [ + 38834 + torrentPort + ]; + }; + }; + }; +} diff --git a/modules/nixos/homelab/guests/qbittorrent/default.nix b/modules/nixos/homelab/guests/qbittorrent/default.nix new file mode 100644 index 0000000..5b8725a --- /dev/null +++ b/modules/nixos/homelab/guests/qbittorrent/default.nix @@ -0,0 +1,30 @@ +{ + flake, + pkgs, + labHelpers, + ... +}: +let + inherit (import ./config { inherit flake pkgs; }) qbittorrentVM; + inherit (flake.config.people) user0; + inherit (flake.config.services) instances; + + interface0Cfg = instances.qbittorrent.interfaces.interface0; + + qbittorrentNick = qbittorrentVM { + user = user0; + ip = interface0Cfg.microvm.ip; + mac = interface0Cfg.microvm.mac; + userMac = interface0Cfg.microvm.macUser; + ssh = interface0Cfg.microvm.ssh; + mnt = ""; + host = interface0Cfg.domain; + port = 51820; + endpoint = "185.111.110.1"; + address = [ "10.2.0.2/32" ]; + dns = [ "10.2.0.1" ]; + key = "QPfiwJQmt5VLEOh1ufLbi1lj6LUnwQY0tgDSh3pWx1k="; + }; +in +qbittorrentNick +# // qbittorrentStacie // qbittorrentGarnet diff --git a/modules/nixos/nas/guests/syncthing/config/default.nix b/modules/nixos/homelab/guests/syncthing/config/default.nix old mode 100644 new mode 100755 similarity index 97% rename from modules/nixos/nas/guests/syncthing/config/default.nix rename to modules/nixos/homelab/guests/syncthing/config/default.nix index 5048be1..eb703e5 --- a/modules/nixos/nas/guests/syncthing/config/default.nix +++ b/modules/nixos/homelab/guests/syncthing/config/default.nix @@ -4,8 +4,8 @@ }: let inherit (flake.config.people) user0; - inherit (flake.config.services) instances; - serviceCfg = instances.syncthing; + inherit (flake.config.services.instances) syncthing; + serviceCfg = syncthing; in { syncthingVM = 
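Review bot: The kill switch in `killswitch-init` can fail open for IPv6: the three `ip6tables -P ... DROP` lines end in `2>/dev/null || true`, so a failing ip6tables leaves IPv6 unfiltered while the unit still reports success. Dropping the `|| true` there (for example `${pkgs.iptables}/bin/ip6tables -P OUTPUT DROP`) makes that failure visible, and adding `killswitch-init.service` to the `requires` and `after` lists of the `qbittorrent` unit keeps the client from starting without the lockdown. In `postUp`, `iptables -A INPUT -i wg0 -j ACCEPT` admits every tunnel-side connection, including to sshd and the WebUI port; accepting only `--ctstate RELATED,ESTABLISHED` plus the forwarded torrent port on wg0 would keep management off the VPN side. The natpmp script puts `password=$PASSWORD` on curl's command line without URL-encoding, where `--data-urlencode "password=$PASSWORD"` at least handles special characters, and the committed `Password_PBKDF2` value presumably ends up in the world-readable Nix store, where it is open to offline guessing. The header `# VPN Killswitch - configured BEFORE networking starts` sits above `"net.ipv4.ip_forward" = 1`, which enables routing rather than blocking anything, so that comment belongs on `killswitch-init`.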
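Review bot: `import ./config { inherit flake pkgs; }` omits `config`, which the function in config/default.nix declares as a required argument (`{ config, flake, pkgs, ... }:`) and uses for `config.sops.secrets."caddy/share-auth".path`, so the call fails at evaluation; take `config` in this file's argument set and pass it on with `import ./config { inherit config flake pkgs; }`. The website guest has the same mismatch, and zookeeper's import omits the `lib` its builder requires. Also, `port = 51820` is used by the builder for three things at once (the WireGuard endpoint port, qBittorrent's `torrentingPort`, and the host `allowedTCPPorts`/`allowedUDPPorts`), which opens a host port that nothing in the visible lines listens on; separate arguments for the VPN port and the torrent port would avoid that. `key` feeds `publicKey`, so committing it is fine, but a short comment such as `# peer public key, not a secret` would save the next reader a check.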
diff --git a/modules/nixos/nas/guests/syncthing/default.nix b/modules/nixos/homelab/guests/syncthing/default.nix similarity index 83% rename from modules/nixos/nas/guests/syncthing/default.nix rename to modules/nixos/homelab/guests/syncthing/default.nix index 1c28dc7..4bb78b6 100755 --- a/modules/nixos/nas/guests/syncthing/default.nix +++ b/modules/nixos/homelab/guests/syncthing/default.nix @@ -1,20 +1,14 @@ -{ flake, nasHelpers, ... }: +{ + flake, + labHelpers, + ... +}: let inherit (import ./config { inherit flake; }) syncthingVM; inherit (flake.config.services) instances; inherit (flake.config.people) user0; - inherit (nasHelpers) - ipAddress - guestPath - docsPath - mediaPath - miscPath - syncthing - ; serviceCfg = instances.syncthing; - id0 = builtins.toString syncthing.id0; - id1 = builtins.toString syncthing.id1; - id2 = builtins.toString syncthing.id2; + interface0Cfg = serviceCfg.interfaces.interface0; foldersHelper = user: { docs = { @@ -58,19 +52,19 @@ let { mountPoint = "/var/lib/${serviceCfg.name}/docs"; proto = "virtiofs"; - source = docsPath user; + source = ""; tag = "${serviceCfg.name}_${user}_docs"; } { mountPoint = "/var/lib/${serviceCfg.name}/media"; proto = "virtiofs"; - source = mediaPath user; + source = ""; tag = "${serviceCfg.name}_${user}_media"; } { mountPoint = "/var/lib/${serviceCfg.name}/misc"; proto = "virtiofs"; - source = miscPath user; + source = ""; tag = "${serviceCfg.name}_${user}_misc"; } ]; @@ -87,11 +81,12 @@ let in syncthingVM { user = user0; - ip = ipAddress id0; - mac = "02:00:00:00:${id0}:${id0}"; - userMac = "02:00:00:00:00:${id0}"; - ssh = syncthing.ssh0; - mnt = guestPath user0; + ip = interface0Cfg.microvm.ip; + mac = interface0Cfg.microvm.mac; + userMac = interface0Cfg.microvm.macUser; + ssh = interface0Cfg.microvm.ssh; + mnt = ""; + host = interface0Cfg.domain; folders = foldersHelper user0; devices = devicesHelper user0 phoneID "Phone" "192.168.50.8"; tmp = tmpRules; 
diff --git a/modules/nixos/nas/guests/vaultwarden/config/default.nix b/modules/nixos/homelab/guests/vaultwarden/config/default.nix old mode 100644 new mode 100755 similarity index 95% rename from modules/nixos/nas/guests/vaultwarden/config/default.nix rename to modules/nixos/homelab/guests/vaultwarden/config/default.nix index 2f28915..5601873 --- a/modules/nixos/nas/guests/vaultwarden/config/default.nix +++ b/modules/nixos/homelab/guests/vaultwarden/config/default.nix @@ -7,7 +7,6 @@ let inherit (flake.config.services) instances; serviceCfg = instances.vaultwarden; smtpCfg = instances.smtp; - in { vaultwardenVM = @@ -40,11 +39,11 @@ in # Email Configuration SMTP_AUTH_MECHANISM = "Plain"; SMTP_EMBED_IMAGES = true; - SMTP_FROM = serviceCfg.email.address0; + SMTP_FROM = smtpCfg.interfaces.interface0.email; SMTP_FROM_NAME = serviceCfg.label; - SMTP_HOST = smtpCfg.hostname; + SMTP_HOST = smtpCfg.interfaces.interface0.domain; SMTP_PORT = smtpCfg.ports.port0; - SMTP_USERNAME = smtpCfg.email.address0; + SMTP_USERNAME = smtpCfg.interfaces.interface0.email; SMTP_SECURITY = "starttls"; # Security Configuration diff --git a/modules/nixos/nas/guests/vaultwarden/default.nix b/modules/nixos/homelab/guests/vaultwarden/default.nix old mode 100644 new mode 100755 similarity index 65% rename from modules/nixos/nas/guests/vaultwarden/default.nix rename to modules/nixos/homelab/guests/vaultwarden/default.nix index d58c522..56b02db --- a/modules/nixos/nas/guests/vaultwarden/default.nix +++ b/modules/nixos/homelab/guests/vaultwarden/default.nix 
@@ -1,20 +1,23 @@ -{ flake, nasHelpers, ... }: +{ + flake, + labHelpers, + ... +}: let inherit (import ./config { inherit flake; }) vaultwardenVM; inherit (flake.config.people) user0; - inherit (nasHelpers) ipAddress guestPath vaultwarden; - id0 = builtins.toString vaultwarden.id0; - id1 = builtins.toString vaultwarden.id1; - id2 = builtins.toString vaultwarden.id2; + inherit (flake.config.services.instances) vaultwarden; + + interface0Cfg = vaultwarden.interfaces.interface0; vaultwardenNick = vaultwardenVM { user = user0; - ip = ipAddress id0; - mac = "02:00:00:00:${id0}:${id0}"; - userMac = "02:00:00:00:00:${id0}"; - ssh = vaultwarden.ssh0; - mnt = guestPath user0; - host = ""; + ip = interface0Cfg.microvm.ip; + mac = interface0Cfg.microvm.mac; + userMac = interface0Cfg.microvm.macUser; + ssh = interface0Cfg.microvm.ssh; + mnt = ""; + host = interface0Cfg.domain; }; # vaultwardenStacie = vaultwardenVM { diff --git a/modules/nixos/homelab/guests/website/config/default.nix b/modules/nixos/homelab/guests/website/config/default.nix new file mode 100755 index 0000000..d057802 --- /dev/null +++ b/modules/nixos/homelab/guests/website/config/default.nix 
@@ -0,0 +1,82 @@
+{
+ config,
+ flake,
+ pkgs,
+ ...
+}:
+let
+ inherit (flake.config.people) user0;
+ inherit (flake.config.services) instances;
+ serviceCfg = instances.website;
+in
+{
+ websiteVM =
+ {
+ user,
+ ip,
+ mac,
+ userMac,
+ package,
+ }:
+ {
+ microvm.vms.${serviceCfg.name} = {
+ autostart = true;
+ config = {
+ system.stateVersion = "25.05";
+ networking.firewall.allowedTCPPorts = [
+ 22
+ 80
+ ];
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ environment.etc."website".source = package;
+
+ users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
+
+ systemd = {
+ network = {
+ enable = true;
+ networks."10-enp" = {
+ matchConfig.Name = "enp0s3";
+ addresses = [
+ { Address = "${ip}/24"; }
+ ];
+ gateway = [ "192.168.50.1" ];
+ };
+ };
+ };
+ services.caddy = {
+ enable = true;
+ virtualHosts.":80".extraConfig = ''
+ root * /etc/website
+ file_server
+ try_files {path} /index.html
+ '';
+ };
+ microvm = {
+ vcpu = 1;
+ mem = 512;
+ hypervisor = "qemu";
+ interfaces = [
+ {
+ type = "tap";
+ id = "vm-ws-${user}";
+ mac = mac;
+ }
+ ];
+ shares = [
+ {
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ tag = "ro-store";
+ proto = "virtiofs";
+ }
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/modules/nixos/homelab/guests/website/default.nix b/modules/nixos/homelab/guests/website/default.nix
new file mode 100644
index 0000000..3a7076f
--- /dev/null
+++ b/modules/nixos/homelab/guests/website/default.nix
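Review bot: `microvm.vms.${serviceCfg.name}` keys the VM by service name only, so the two instances built in website/default.nix (`user = "uproot"` and `user = "project"`) define the same attribute and cannot coexist; the qbittorrent and zookeeper builders in this commit use `"${serviceCfg.name}-${user}"`, and doing the same here keeps them distinct. `userMac` is accepted but never used, and `config` is required by the signature but not referenced, which forces every caller to supply it. The guest serves plain HTTP on `:80`; if TLS is terminated elsewhere, a one-line comment such as `# TLS terminates at the front proxy; LAN-only HTTP` would document that assumption.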
@@ -0,0 +1,38 @@
+{
+ flake,
+ pkgs,
+ labHelpers,
+ ...
+}:
+let
+ inherit (import ./config { inherit flake pkgs; }) websiteVM;
+ inherit (flake.config.services) instances;
+
+ websiteNick =
+ let
+ websitePkg = flake.self.packages.${pkgs.system}.website;
+ interfaceCfg = instances.website.interfaces.interface0;
+ in
+ websiteVM {
+ user = "uproot";
+ ip = interfaceCfg.microvm.ip;
+ mac = interfaceCfg.microvm.mac;
+ userMac = interfaceCfg.microvm.macUser;
+ package = websitePkg;
+ };
+
+ websiteProject =
+ let
+ websitePkg = flake.inputs.linkpage.packages.${pkgs.stdenv.hostPlatform.system}.websiteFrontend;
+ interfaceCfg = instances.website.interfaces.interface1;
+ in
+ websiteVM {
+ user = "project";
+ ip = interfaceCfg.microvm.ip;
+ mac = interfaceCfg.microvm.mac;
+ userMac = interfaceCfg.microvm.macUser;
+ package = websitePkg;
+ };
+
+in
+websiteNick // websiteProject
diff --git a/modules/nixos/homelab/guests/zookeeper/config/default.nix b/modules/nixos/homelab/guests/zookeeper/config/default.nix
new file mode 100755
index 0000000..6c34dbd
--- /dev/null
+++ b/modules/nixos/homelab/guests/zookeeper/config/default.nix
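Review bot: `websiteNick // websiteProject` is a shallow merge, and both operands are attribute sets whose only top-level key is `microvm`, so the right-hand side replaces the left and only the `project` VM ends up defined. `pkgs.lib.recursiveUpdate websiteNick websiteProject` keeps both, provided the builder also gives each VM its own name. The minecraft guest earlier in this diff ends with `minecraftNick01 // minecraftNick02` and may have the same problem, though its operands are not visible here. The two blocks also spell the platform differently, `pkgs.system` versus `pkgs.stdenv.hostPlatform.system`; using the latter in both would be consistent.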
@@ -0,0 +1,103 @@
+{
+ flake,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ inherit (flake.config.people) user0;
+ inherit (flake.config.services) instances;
+ serviceCfg = instances.zookeeper;
+in
+{
+ websiteVM =
+ {
+ user,
+ ip,
+ mac,
+ userMac,
+ package,
+ }:
+ {
+
+ microvm.vms = {
+ "${serviceCfg.name}-${user}" = {
+ autostart = true;
+ restartIfChanged = true;
+ config = {
+ system.stateVersion = "24.05";
+ time.timeZone = "America/Winnipeg";
+ users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+ networking.firewall.allowedTCPPorts = [ 22 ];
+ systemd = {
+ services = {
+ zookeeper = {
+ serviceConfig = {
+ ExecStart = lib.getExe package;
+ Restart = "always";
+ RestartSec = 2;
+ EnvironmentFile = "/run/secrets/${user}-env";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ systemd-networkd.wantedBy = [ "multi-user.target" ];
+ };
+ network = {
+ enable = true;
+ networks."20-lan" = {
+ matchConfig.Name = "enp0s3";
+ addresses = [ { Address = "${ip}/24"; } ];
+ routes = [
+ {
+ Destination = "0.0.0.0/0";
+ Gateway = "192.168.50.1";
+ }
+ ];
+ dns = [
+ "1.1.1.1"
+ "8.8.8.8"
+ ];
+ };
+ };
+ };
+ microvm = {
+ vcpu = 1;
+ mem = 512;
+ hypervisor = "qemu";
+ interfaces = [
+ {
+ type = "tap";
+ id = "vm-qb-${user}";
+ mac = mac;
+ }
+ ];
+ shares = [
+ {
+ mountPoint = "/nix/.ro-store";
+ proto = "virtiofs";
+ source = "/nix/store";
+ tag = "read_only_nix_store";
+ }
+ {
+ mountPoint = "/run/secrets";
+ proto = "virtiofs";
+ source = "/run/secrets/${serviceCfg.name}";
+ tag = "host_secrets";
+ }
+ ];
+ };
+ };
+ };
+ };
+ sops.secrets = {
+ "${serviceCfg.name}/${user}-env" = {
+ owner = "root";
+ mode = "0600";
+ };
+ };
+ };
+}
diff --git a/modules/nixos/homelab/guests/zookeeper/default.nix b/modules/nixos/homelab/guests/zookeeper/default.nix
new file mode 100644
index 0000000..c26ccfe
--- /dev/null
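Review bot: The builder is exported as `websiteVM`, but zookeeper/default.nix inherits `zookeeperVM` from this file, so evaluation fails on the missing attribute; rename the attribute to `zookeeperVM =`. The `zookeeper` unit sets no `User`, so the app runs as root in the guest with the `EnvironmentFile` secrets in its environment; adding `DynamicUser = true;` to `serviceConfig` would drop that privilege, since systemd reads the environment file itself before switching user (worth confirming the package needs no writable state). The tap id `"vm-qb-${user}"` reuses qbittorrent's prefix, where something like `"vm-zk-${user}"` would avoid confusion and a clash if both guests ever share a user name.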
+++ b/modules/nixos/homelab/guests/zookeeper/default.nix
@@ -0,0 +1,25 @@
+{
+ flake,
+ pkgs,
+ labHelpers,
+ ...
+}:
+let
+ inherit (import ./config { inherit flake pkgs; }) zookeeperVM;
+ inherit (flake.config.services) instances;
+ interfaceCfg = instances.zookeeper.interfaces.interface0;
+
+ zookeeperNick =
+ let
+ appPackage = flake.self.packages.${pkgs.system}.zookeeper;
+ in
+ zookeeperVM {
+ user = "boon";
+ ip = interfaceCfg.microvm.ip;
+ mac = interfaceCfg.microvm.mac;
+ userMac = interfaceCfg.microvm.macUser;
+ package = appPackage;
+ };
+
+in
+zookeeperNick
diff --git a/modules/nixos/guests/comfyui/default.nix b/modules/nixos/homelab/orphans/comfyui/default.nix
similarity index 100%
rename from modules/nixos/guests/comfyui/default.nix
rename to modules/nixos/homelab/orphans/comfyui/default.nix
diff --git a/modules/nixos/guests/opencloud/default.nix b/modules/nixos/homelab/orphans/default.nix
similarity index 100%
rename from modules/nixos/guests/opencloud/default.nix
rename to modules/nixos/homelab/orphans/default.nix
diff --git a/modules/nixos/guests/defenseio/default.nix b/modules/nixos/homelab/orphans/defenseio/default.nix
similarity index 100%
rename from modules/nixos/guests/defenseio/default.nix
rename to modules/nixos/homelab/orphans/defenseio/default.nix
diff --git a/modules/nixos/guests/defenseioGpu/config/default.nix b/modules/nixos/homelab/orphans/defenseioGpu/config/default.nix
similarity index 100%
rename from modules/nixos/guests/defenseioGpu/config/default.nix
rename to modules/nixos/homelab/orphans/defenseioGpu/config/default.nix
diff --git a/modules/nixos/guests/defenseioGpu/default.nix b/modules/nixos/homelab/orphans/defenseioGpu/default.nix
similarity index 100%
rename from modules/nixos/guests/defenseioGpu/default.nix
rename to modules/nixos/homelab/orphans/defenseioGpu/default.nix
diff --git a/modules/nixos/services/glance/assets/logo.png b/modules/nixos/homelab/orphans/glance/assets/logo.png similarity index 100% rename from modules/nixos/services/glance/assets/logo.png rename to modules/nixos/homelab/orphans/glance/assets/logo.png diff --git a/modules/nixos/services/glance/config/branding.nix b/modules/nixos/homelab/orphans/glance/config/branding.nix similarity index 100% rename from modules/nixos/services/glance/config/branding.nix rename to modules/nixos/homelab/orphans/glance/config/branding.nix diff --git a/modules/nixos/services/glance/config/pages.nix b/modules/nixos/homelab/orphans/glance/config/pages.nix similarity index 100% rename from modules/nixos/services/glance/config/pages.nix rename to modules/nixos/homelab/orphans/glance/config/pages.nix diff --git a/modules/nixos/services/glance/config/server.nix b/modules/nixos/homelab/orphans/glance/config/server.nix similarity index 100% rename from modules/nixos/services/glance/config/server.nix rename to modules/nixos/homelab/orphans/glance/config/server.nix diff --git a/modules/nixos/services/glance/config/theme.nix b/modules/nixos/homelab/orphans/glance/config/theme.nix similarity index 100% rename from modules/nixos/services/glance/config/theme.nix rename to modules/nixos/homelab/orphans/glance/config/theme.nix diff --git a/modules/nixos/services/glance/config/widgets/calendar.nix b/modules/nixos/homelab/orphans/glance/config/widgets/calendar.nix similarity index 100% rename from modules/nixos/services/glance/config/widgets/calendar.nix rename to modules/nixos/homelab/orphans/glance/config/widgets/calendar.nix diff --git a/modules/nixos/services/glance/config/widgets/clock.nix b/modules/nixos/homelab/orphans/glance/config/widgets/clock.nix similarity index 100% rename from modules/nixos/services/glance/config/widgets/clock.nix rename to modules/nixos/homelab/orphans/glance/config/widgets/clock.nix 
diff --git a/modules/nixos/services/glance/config/widgets/jelly/config/default.nix b/modules/nixos/homelab/orphans/glance/config/widgets/jelly/config/default.nix similarity index 100% rename from modules/nixos/services/glance/config/widgets/jelly/config/default.nix rename to modules/nixos/homelab/orphans/glance/config/widgets/jelly/config/default.nix diff --git a/modules/nixos/services/glance/config/widgets/jelly/default.nix b/modules/nixos/homelab/orphans/glance/config/widgets/jelly/default.nix similarity index 100% rename from modules/nixos/services/glance/config/widgets/jelly/default.nix rename to modules/nixos/homelab/orphans/glance/config/widgets/jelly/default.nix diff --git a/modules/nixos/services/glance/config/widgets/monitor.nix b/modules/nixos/homelab/orphans/glance/config/widgets/monitor.nix similarity index 100% rename from modules/nixos/services/glance/config/widgets/monitor.nix rename to modules/nixos/homelab/orphans/glance/config/widgets/monitor.nix diff --git a/modules/nixos/services/glance/config/widgets/podcasts.nix b/modules/nixos/homelab/orphans/glance/config/widgets/podcasts.nix similarity index 100% rename from modules/nixos/services/glance/config/widgets/podcasts.nix rename to modules/nixos/homelab/orphans/glance/config/widgets/podcasts.nix diff --git a/modules/nixos/services/glance/config/widgets/reddit.nix b/modules/nixos/homelab/orphans/glance/config/widgets/reddit.nix similarity index 100% rename from modules/nixos/services/glance/config/widgets/reddit.nix rename to modules/nixos/homelab/orphans/glance/config/widgets/reddit.nix diff --git a/modules/nixos/services/glance/config/widgets/repos.nix b/modules/nixos/homelab/orphans/glance/config/widgets/repos.nix similarity index 100% rename from modules/nixos/services/glance/config/widgets/repos.nix rename to modules/nixos/homelab/orphans/glance/config/widgets/repos.nix 
diff --git a/modules/nixos/services/glance/config/widgets/steam/config/default.nix b/modules/nixos/homelab/orphans/glance/config/widgets/steam/config/default.nix similarity index 100% rename from modules/nixos/services/glance/config/widgets/steam/config/default.nix rename to modules/nixos/homelab/orphans/glance/config/widgets/steam/config/default.nix diff --git a/modules/nixos/services/glance/config/widgets/steam/default.nix b/modules/nixos/homelab/orphans/glance/config/widgets/steam/default.nix similarity index 100% rename from modules/nixos/services/glance/config/widgets/steam/default.nix rename to modules/nixos/homelab/orphans/glance/config/widgets/steam/default.nix diff --git a/modules/nixos/services/glance/config/widgets/videos.nix b/modules/nixos/homelab/orphans/glance/config/widgets/videos.nix similarity index 100% rename from modules/nixos/services/glance/config/widgets/videos.nix rename to modules/nixos/homelab/orphans/glance/config/widgets/videos.nix diff --git a/modules/nixos/services/glance/config/widgets/weather.nix b/modules/nixos/homelab/orphans/glance/config/widgets/weather.nix similarity index 100% rename from modules/nixos/services/glance/config/widgets/weather.nix rename to modules/nixos/homelab/orphans/glance/config/widgets/weather.nix diff --git a/modules/nixos/services/glance/default.nix b/modules/nixos/homelab/orphans/glance/default.nix similarity index 100% rename from modules/nixos/services/glance/default.nix rename to modules/nixos/homelab/orphans/glance/default.nix diff --git a/modules/nixos/guests/midnight/default.nix b/modules/nixos/homelab/orphans/midnight/default.nix similarity index 100% rename from modules/nixos/guests/midnight/default.nix rename to modules/nixos/homelab/orphans/midnight/default.nix 
diff --git a/modules/nixos/services/ollama/default.nix b/modules/nixos/homelab/orphans/ollama/default.nix
similarity index 100%
rename from modules/nixos/services/ollama/default.nix
rename to modules/nixos/homelab/orphans/ollama/default.nix
diff --git a/modules/nixos/services/ollama/ollamaCeres/default.nix b/modules/nixos/homelab/orphans/ollama/ollamaCeres/default.nix
similarity index 100%
rename from modules/nixos/services/ollama/ollamaCeres/default.nix
rename to modules/nixos/homelab/orphans/ollama/ollamaCeres/default.nix
diff --git a/modules/nixos/services/ollama/ollamaMars/default.nix b/modules/nixos/homelab/orphans/ollama/ollamaMars/default.nix
similarity index 100%
rename from modules/nixos/services/ollama/ollamaMars/default.nix
rename to modules/nixos/homelab/orphans/ollama/ollamaMars/default.nix
diff --git a/modules/nixos/services/peertube/default.nix b/modules/nixos/homelab/orphans/peertube/default.nix
similarity index 100%
rename from modules/nixos/services/peertube/default.nix
rename to modules/nixos/homelab/orphans/peertube/default.nix
diff --git a/modules/nixos/services/searx/config/engines.nix b/modules/nixos/homelab/orphans/searx/config/engines.nix
similarity index 100%
rename from modules/nixos/services/searx/config/engines.nix
rename to modules/nixos/homelab/orphans/searx/config/engines.nix
diff --git a/modules/nixos/services/searx/config/general.nix b/modules/nixos/homelab/orphans/searx/config/general.nix
similarity index 100%
rename from modules/nixos/services/searx/config/general.nix
rename to modules/nixos/homelab/orphans/searx/config/general.nix
diff --git a/modules/nixos/services/searx/config/outgoing.nix b/modules/nixos/homelab/orphans/searx/config/outgoing.nix
similarity index 100%
rename from modules/nixos/services/searx/config/outgoing.nix
rename to modules/nixos/homelab/orphans/searx/config/outgoing.nix
diff --git a/modules/nixos/services/searx/config/plugins.nix b/modules/nixos/homelab/orphans/searx/config/plugins.nix
similarity index 100%
rename from modules/nixos/services/searx/config/plugins.nix
rename to modules/nixos/homelab/orphans/searx/config/plugins.nix
diff --git a/modules/nixos/services/searx/config/search.nix b/modules/nixos/homelab/orphans/searx/config/search.nix
similarity index 100%
rename from modules/nixos/services/searx/config/search.nix
rename to modules/nixos/homelab/orphans/searx/config/search.nix
diff --git a/modules/nixos/services/searx/config/server.nix b/modules/nixos/homelab/orphans/searx/config/server.nix
similarity index 100%
rename from modules/nixos/services/searx/config/server.nix
rename to modules/nixos/homelab/orphans/searx/config/server.nix
diff --git a/modules/nixos/services/searx/config/ui.nix b/modules/nixos/homelab/orphans/searx/config/ui.nix
similarity index 100%
rename from modules/nixos/services/searx/config/ui.nix
rename to modules/nixos/homelab/orphans/searx/config/ui.nix
diff --git a/modules/nixos/services/searx/default.nix b/modules/nixos/homelab/orphans/searx/default.nix
similarity index 100%
rename from modules/nixos/services/searx/default.nix
rename to modules/nixos/homelab/orphans/searx/default.nix
diff --git a/modules/nixos/services/restic/default.nix b/modules/nixos/homelab/restic/default.nix
similarity index 100%
rename from modules/nixos/services/restic/default.nix
rename to modules/nixos/homelab/restic/default.nix
diff --git a/modules/nixos/services/samba/default.nix b/modules/nixos/homelab/samba/default.nix
similarity index 100%
rename from modules/nixos/services/samba/default.nix
rename to modules/nixos/homelab/samba/default.nix
diff --git a/modules/nixos/services/samba/sambaCeres/default.nix b/modules/nixos/homelab/samba/sambaCeres/default.nix
similarity index 100%
rename from modules/nixos/services/samba/sambaCeres/default.nix
rename to modules/nixos/homelab/samba/sambaCeres/default.nix
diff --git a/modules/nixos/services/samba/sambaEris/default.nix b/modules/nixos/homelab/samba/sambaEris/default.nix
similarity index 100%
rename from modules/nixos/services/samba/sambaEris/default.nix
rename to modules/nixos/homelab/samba/sambaEris/default.nix
diff --git a/modules/nixos/nas/default.nix b/modules/nixos/nas/default.nix
deleted file mode 100644
index 106292c..0000000
--- a/modules/nixos/nas/default.nix
+++ /dev/null
@@ -1,100 +0,0 @@
-{
- flake,
- config,
- pkgs,
- lib,
- ...
-}:
-let
- inherit (flake.config.people) user0;
-
- nasHelpers = {
- ipAddress = ip: "192.168.50.${ip}";
- guestPath = user: "/mnt/storage/users/${user}/guests";
- docsPath = user: "/mnt/storage/users/${user}/home/docs";
- mediaPath = user: "/mnt/storage/users/${user}/home/media";
- miscPath = user: "/mnt/storage/users/${user}/home/misc";
- firefly = {
- id0 = 70;
- id1 = 71;
- id2 = 72;
- ssh0 = 2570;
- ssh1 = 2571;
- ssh2 = 2572;
- };
- onlyoffice = {
- id0 = 73;
- id1 = 74;
- id2 = 75;
- ssh0 = 2573;
- ssh1 = 2574;
- ssh2 = 2575;
- };
- opencloud = {
- id0 = 76;
- id1 = 77;
- id2 = 78;
- ssh0 = 2576;
- ssh1 = 2577;
- ssh2 = 2578;
- };
- photoprism = {
- id0 = 79;
- id1 = 80;
- id2 = 81;
- ssh0 = 2579;
- ssh1 = 2580;
- ssh2 = 2581;
- };
- syncthing = {
- id0 = 82;
- id1 = 83;
- id2 = 84;
- ssh0 = 2582;
- ssh1 = 2583;
- ssh2 = 2584;
- };
- vaultwarden = {
- id0 = 85;
- id1 = 86;
- id2 = 87;
- ssh0 = 2585;
- ssh1 = 2586;
- ssh2 = 2587;
- };
- };
-
- firefly-iii = import ./guests/firefly-iii {
- inherit
- nasHelpers
- config
- flake
- pkgs
- ;
- };
-
- opencloud = import ./guests/opencloud { inherit nasHelpers flake pkgs; };
- photoprism = import ./guests/photoprism { inherit nasHelpers flake lib; };
- syncthing = import ./guests/syncthing { inherit nasHelpers flake; };
- vaultwarden = import ./guests/vaultwarden { inherit nasHelpers flake; };
-in
-{
- imports = [
- firefly-iii
- opencloud
- photoprism
- syncthing
- vaultwarden
- ];
- systemd.tmpfiles.rules =
- let
- inherit (nasHelpers) docsPath mediaPath miscPath;
- homePaths = user: [
- "d ${docsPath user} 0751 microvm wheel - -"
- "d ${mediaPath user} 0751 microvm wheel - -"
- "d ${miscPath user} 0751 microvm wheel - -"
- ];
- in
- homePaths user0;
-
-}
diff --git a/modules/nixos/nas/guests/minecraft/default.nix b/modules/nixos/nas/guests/minecraft/default.nix
deleted file mode 100644
index 2283125..0000000
--- a/modules/nixos/nas/guests/minecraft/default.nix
+++ /dev/null
@@ -1,96 +0,0 @@
-{ flake, pkgs, ... }:
-let
- inherit (import ./config { inherit flake pkgs; }) minecraftVM;
- inherit (import ../../lib.generalHelpers) ipAddress;
- inherit (import ../../lib.ceresHelpers) mntPath minecraft;
- inherit (flake.config.people) user0;
- id0 = builtins.toString minecraft.id0;
- id1 = builtins.toString minecraft.id1;
- id2 = builtins.toString minecraft.id2;
-
- minecraftNick01 = minecraftVM {
- user = user0;
- ip = ipAddress id0;
- mac = "02:00:00:00:${id0}:${id0}";
- userMac = "02:00:00:00:00:${id0}";
- ssh = minecraft.ssh0;
- port = 43000;
- mnt = mntPath user0;
- worldNumber = "01";
- config = {
- allow-flight = false;
- allow-nether = true;
- difficulty = 2;
- enable-command-block = false;
- enable-rcon = true;
- enable-status = true;
- force-gamemode = true;
- gamemode = 0;
- generate-structures = true;
- hardcore = false;
- hide-online-players = false;
- level-name = "Brix on Nix";
- level-seed = "9064150133272194";
- max-players = 10;
- max-world-size = 64000000;
- motd = "A cool Minecraft server powered by NixOS";
- online-mode = true;
- pvp = true;
- spawn-animals = true;
- spawn-monsters = true;
- spawn-npcs = true;
- spawn-protection = 16;
- view-distance = 32;
- white-list = true;
- };
- whitelist = {
- Hefty_Chungus = "b75a9816-d408-4c54-b226-385b59ea1cb3";
- Hefty_Chungus_Jr = "c3bf8cac-e953-4ea4-ae5f-7acb92a51a85";
- EclipseMoon01 = "adef4af7-d8c6-4627-b492-e990ea1bb993";
- Fallaryn = "d8baa117-ab58-4b07-92a5-48fb1978eb49";
- };
- };
-
- minecraftNick02 = minecraftVM {
- user = user0;
- ip = ipAddress id1;
- mac = "02:00:00:00:${id1}:${id1}";
- userMac = "02:00:00:00:00:${id1}";
- ssh = minecraft.ssh1;
- port = 43001;
- mnt = mntPath user0;
- worldNumber = "02";
- config = {
- allow-flight = false;
- allow-nether = true;
- difficulty = 2;
- enable-command-block = false;
- enable-rcon = true;
- enable-status = true;
- force-gamemode = true;
- gamemode = 0;
- generate-structures = true;
- hardcore = false;
- hide-online-players = false;
- level-name = "Cuddle Cubes";
- level-seed = "-2332803749585407299";
- max-players = 10;
- max-world-size = 64000000;
- motd = "A cool Minecraft server powered by NixOS";
- online-mode = true;
- pvp = true;
- spawn-animals = true;
- spawn-monsters = true;
- spawn-npcs = true;
- spawn-protection = 16;
- view-distance = 32;
- white-list = true;
- };
- whitelist = {
- Hefty_Chungus = "b75a9816-d408-4c54-b226-385b59ea1cb3";
- Fallaryn = "d8baa117-ab58-4b07-92a5-48fb1978eb49";
- };
- };
-
-in
-minecraftNick01 // minecraftNick02
diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix
new file mode 100755
index 0000000..a779bca
--- /dev/null
+++ b/modules/nixos/server/default.nix
@@ -0,0 +1,29 @@
+{
+ flake,
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ serverHelpers = {
+ ipAddress = ip: "192.168.50.${ip}";
+ mntPath = "/mnt/storage";
+ minecraft = {
+ id0 = 40;
+ id1 = 41;
+ id2 = 42;
+ ssh0 = 2440;
+ ssh1 = 2441;
+ ssh2 = 2442;
+ };
+ };
+
+ minecraft = import ./guests/firefly-iii { inherit serverHelpers; };
+
+in
+{
+ imports = [
+ minecraft
+ ];
+}
diff --git a/modules/nixos/services/caddy/default.nix b/modules/nixos/services/caddy/default.nix
deleted file mode 100755
index 712472e..0000000
--- a/modules/nixos/services/caddy/default.nix
+++ /dev/null
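Review bot: In the new `modules/nixos/server/default.nix`, the binding named `minecraft` imports `./guests/firefly-iii`, while `serverHelpers` defines only `minecraft` ids and SSH ports, so the import path looks like a leftover from the deleted `nas/default.nix`. If the Minecraft guest is what is meant, and a matching module exists under `server/guests/` (not visible in this diff), the line should read `minecraft = import ./guests/minecraft { inherit serverHelpers; };`. The deleted NAS module passed `nasHelpers config flake pkgs` to the firefly-iii import and the deleted minecraft guest took `{ flake, pkgs, ... }`, so passing only `serverHelpers` will probably fail evaluation unless the imported guest was rewritten to need nothing else. `flake`, `config`, `pkgs` and `lib` are bound in the argument set but never used in this file, and the file is created with mode 100755 although a Nix module does not need the executable bit.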
@@ -1,42 +0,0 @@
-{ flake, config, ... }:
-let
- inherit (flake.config.services) instances;
- inherit (flake.config.machines.devices) eris;
- opencloud = instances.opencloud0;
- dns = instances.web.dns.provider0;
- opencloudHost = opencloud.domains.url0;
- dnsPath = "dns/${dns}";
- service = instances.caddy;
-in
-{
- services.caddy = {
- enable = true;
- virtualHosts = {
- "${opencloud.domains.url0}" = {
- extraConfig = ''
- reverse_proxy ${opencloud.interface.ip}:${toString opencloud.ports.port0} {
- header_up X-Real-IP {remote_host}
- }
-
- redir /.well-known/carddav /remote.php/dav/ 301
- redir /.well-known/caldav /remote.php/dav/ 301
-
- tls ${opencloud.ssl.cert} ${opencloud.ssl.key}
- '';
- };
- };
- };
- security.acme.certs."${opencloudHost}" = {
- dnsProvider = dns;
- environmentFile = config.sops.secrets.${dnsPath}.path;
- group = "caddy";
- };
- networking = {
- firewall = {
- allowedTCPPorts = [
- service.ports.port0 # 80
- service.ports.port1 # 443
- ];
- };
- };
-}
diff --git a/packages/website/frontend/static/arguments/abortion.jpg b/packages/website/frontend/static/arguments/abortion.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/arguments/agnostic.jpg b/packages/website/frontend/static/arguments/agnostic.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/arguments/anabolicketo.jpg b/packages/website/frontend/static/arguments/anabolicketo.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/arguments/animalrights.jpg b/packages/website/frontend/static/arguments/animalrights.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/arguments/antagonisticpleiotropy.jpg b/packages/website/frontend/static/arguments/antagonisticpleiotropy.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/arguments/antivandalism.jpg b/packages/website/frontend/static/arguments/antivandalism.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/arguments/carbobesity.jpg b/packages/website/frontend/static/arguments/carbobesity.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/cateupfreductio.jpg b/packages/website/frontend/static/arguments/cateupfreductio.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/chocolate.jpg b/packages/website/frontend/static/arguments/chocolate.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/coconutoil.jpg b/packages/website/frontend/static/arguments/coconutoil.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/colonizingnature.jpg b/packages/website/frontend/static/arguments/colonizingnature.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/cowrape.jpg b/packages/website/frontend/static/arguments/cowrape.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/cropdeaths.jpg b/packages/website/frontend/static/arguments/cropdeaths.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/dairy.jpg b/packages/website/frontend/static/arguments/dairy.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/dietarycholesterol.jpg b/packages/website/frontend/static/arguments/dietarycholesterol.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/efilism.jpg b/packages/website/frontend/static/arguments/efilism.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/epidemiologycausality.jpg b/packages/website/frontend/static/arguments/epidemiologycausality.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/ethicalslurs.jpg b/packages/website/frontend/static/arguments/ethicalslurs.jpg old mode 100644 new mode 100755 
diff --git a/packages/website/frontend/static/arguments/fattyfish.jpg b/packages/website/frontend/static/arguments/fattyfish.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/fibre.jpg b/packages/website/frontend/static/arguments/fibre.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/finetuning.jpg b/packages/website/frontend/static/arguments/finetuning.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/flatearth.jpg b/packages/website/frontend/static/arguments/flatearth.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/foodsubstitution.jpg b/packages/website/frontend/static/arguments/foodsubstitution.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/fructosenafld.jpg b/packages/website/frontend/static/arguments/fructosenafld.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/healthfoods.jpg b/packages/website/frontend/static/arguments/healthfoods.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/healthseeker.jpg b/packages/website/frontend/static/arguments/healthseeker.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/immortality.jpg b/packages/website/frontend/static/arguments/immortality.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/lipoprotein.jpg b/packages/website/frontend/static/arguments/lipoprotein.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/luigiterrorist.jpg b/packages/website/frontend/static/arguments/luigiterrorist.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/mda.jpg b/packages/website/frontend/static/arguments/mda.jpg old mode 100644 new mode 100755 
diff --git a/packages/website/frontend/static/arguments/oddorderpredators.jpg b/packages/website/frontend/static/arguments/oddorderpredators.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/omega6omega3ratio.jpg b/packages/website/frontend/static/arguments/omega6omega3ratio.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/ostroveganism.jpg b/packages/website/frontend/static/arguments/ostroveganism.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/pagers.jpg b/packages/website/frontend/static/arguments/pagers.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/plantbasedcvd.jpg b/packages/website/frontend/static/arguments/plantbasedcvd.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/plantfoods.jpg b/packages/website/frontend/static/arguments/plantfoods.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/pollinationreductio.jpg b/packages/website/frontend/static/arguments/pollinationreductio.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/polyphenolreductio.jpg b/packages/website/frontend/static/arguments/polyphenolreductio.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/predatoragriculture.jpg b/packages/website/frontend/static/arguments/predatoragriculture.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/processedmeat.jpg b/packages/website/frontend/static/arguments/processedmeat.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/redmeat.jpg b/packages/website/frontend/static/arguments/redmeat.jpg old mode 100644 new mode 100755 
diff --git a/packages/website/frontend/static/arguments/rewilding.jpg b/packages/website/frontend/static/arguments/rewilding.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/saturatedfat.jpg b/packages/website/frontend/static/arguments/saturatedfat.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/seedoils.jpg b/packages/website/frontend/static/arguments/seedoils.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/sodiumcvd.jpg b/packages/website/frontend/static/arguments/sodiumcvd.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/soyproducts.jpg b/packages/website/frontend/static/arguments/soyproducts.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/tattooscratchers.jpg b/packages/website/frontend/static/arguments/tattooscratchers.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/tmaocausality.jpg b/packages/website/frontend/static/arguments/tmaocausality.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/transpeople.jpg b/packages/website/frontend/static/arguments/transpeople.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/truncatedmetas.jpg b/packages/website/frontend/static/arguments/truncatedmetas.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/arguments/vegansociety.jpg b/packages/website/frontend/static/arguments/vegansociety.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/bigfatsurprise.jpg b/packages/website/frontend/static/blog/bigfatsurprise.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/bigfatsurprise/image1.jpg b/packages/website/frontend/static/blog/bigfatsurprise/image1.jpg old mode 100644 new mode 100755 
diff --git a/packages/website/frontend/static/blog/bigfatsurprise/image10.jpg b/packages/website/frontend/static/blog/bigfatsurprise/image10.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/bigfatsurprise/image11.jpg b/packages/website/frontend/static/blog/bigfatsurprise/image11.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/bigfatsurprise/image12.jpg b/packages/website/frontend/static/blog/bigfatsurprise/image12.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/bigfatsurprise/image2.jpg b/packages/website/frontend/static/blog/bigfatsurprise/image2.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/bigfatsurprise/image3.jpg b/packages/website/frontend/static/blog/bigfatsurprise/image3.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/bigfatsurprise/image4.jpg b/packages/website/frontend/static/blog/bigfatsurprise/image4.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/bigfatsurprise/image5.jpg b/packages/website/frontend/static/blog/bigfatsurprise/image5.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/bigfatsurprise/image6.jpg b/packages/website/frontend/static/blog/bigfatsurprise/image6.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/bigfatsurprise/image7.jpg b/packages/website/frontend/static/blog/bigfatsurprise/image7.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/bigfatsurprise/image8.jpg b/packages/website/frontend/static/blog/bigfatsurprise/image8.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/bigfatsurprise/image9.jpg b/packages/website/frontend/static/blog/bigfatsurprise/image9.jpg old mode 100644 new mode 100755 
diff --git a/packages/website/frontend/static/blog/everettvegans.jpg b/packages/website/frontend/static/blog/everettvegans.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/argument1.jpg b/packages/website/frontend/static/blog/everettvegans/argument1.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/argument2.jpg b/packages/website/frontend/static/blog/everettvegans/argument2.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image1.jpg b/packages/website/frontend/static/blog/everettvegans/image1.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image10.jpg b/packages/website/frontend/static/blog/everettvegans/image10.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image11.jpg b/packages/website/frontend/static/blog/everettvegans/image11.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image12.jpg b/packages/website/frontend/static/blog/everettvegans/image12.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image13.jpg b/packages/website/frontend/static/blog/everettvegans/image13.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image14.jpg b/packages/website/frontend/static/blog/everettvegans/image14.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image15.jpg b/packages/website/frontend/static/blog/everettvegans/image15.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image16.jpg b/packages/website/frontend/static/blog/everettvegans/image16.jpg old mode 100644 new mode 100755 
diff --git a/packages/website/frontend/static/blog/everettvegans/image17.jpg b/packages/website/frontend/static/blog/everettvegans/image17.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image18.jpg b/packages/website/frontend/static/blog/everettvegans/image18.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image19.jpg b/packages/website/frontend/static/blog/everettvegans/image19.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image2.jpg b/packages/website/frontend/static/blog/everettvegans/image2.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image20.jpg b/packages/website/frontend/static/blog/everettvegans/image20.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image21.jpg b/packages/website/frontend/static/blog/everettvegans/image21.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image22.jpg b/packages/website/frontend/static/blog/everettvegans/image22.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image23.jpg b/packages/website/frontend/static/blog/everettvegans/image23.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image24.jpg b/packages/website/frontend/static/blog/everettvegans/image24.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image25.jpg b/packages/website/frontend/static/blog/everettvegans/image25.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image26.jpg b/packages/website/frontend/static/blog/everettvegans/image26.jpg old mode 100644 new mode 100755 
diff --git a/packages/website/frontend/static/blog/everettvegans/image27.jpg b/packages/website/frontend/static/blog/everettvegans/image27.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image28.jpg b/packages/website/frontend/static/blog/everettvegans/image28.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image29.jpg b/packages/website/frontend/static/blog/everettvegans/image29.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image3.jpg b/packages/website/frontend/static/blog/everettvegans/image3.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image4.jpg b/packages/website/frontend/static/blog/everettvegans/image4.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image5.jpg b/packages/website/frontend/static/blog/everettvegans/image5.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image6.jpg b/packages/website/frontend/static/blog/everettvegans/image6.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image7.jpg b/packages/website/frontend/static/blog/everettvegans/image7.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image8.jpg b/packages/website/frontend/static/blog/everettvegans/image8.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/everettvegans/image9.jpg b/packages/website/frontend/static/blog/everettvegans/image9.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/huntergatherers.jpg b/packages/website/frontend/static/blog/huntergatherers.jpg old mode 100644 new mode 100755 
diff --git a/packages/website/frontend/static/blog/huntergatherers/argument1.jpg b/packages/website/frontend/static/blog/huntergatherers/argument1.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/huntergatherers/argument2.jpg b/packages/website/frontend/static/blog/huntergatherers/argument2.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/huntergatherers/image1.jpg b/packages/website/frontend/static/blog/huntergatherers/image1.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/huntergatherers/image2.jpg b/packages/website/frontend/static/blog/huntergatherers/image2.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/huntergatherers/image3.jpg b/packages/website/frontend/static/blog/huntergatherers/image3.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/huntergatherers/image4.jpg b/packages/website/frontend/static/blog/huntergatherers/image4.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/huntergatherers/image5.jpg b/packages/website/frontend/static/blog/huntergatherers/image5.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/huntergatherers/image6.jpg b/packages/website/frontend/static/blog/huntergatherers/image6.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/huntergatherers/image7.jpg b/packages/website/frontend/static/blog/huntergatherers/image7.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/meatapologetics.jpg b/packages/website/frontend/static/blog/meatapologetics.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/meatapologetics/argument1.jpg b/packages/website/frontend/static/blog/meatapologetics/argument1.jpg old mode 100644 new mode 100755 
diff --git a/packages/website/frontend/static/blog/meatapologetics/argument2.jpg b/packages/website/frontend/static/blog/meatapologetics/argument2.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/meatapologetics/argument3.jpg b/packages/website/frontend/static/blog/meatapologetics/argument3.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/meatapologetics/argument4.jpg b/packages/website/frontend/static/blog/meatapologetics/argument4.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/meatapologetics/argument5.jpg b/packages/website/frontend/static/blog/meatapologetics/argument5.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/meatapologetics/image1.jpg b/packages/website/frontend/static/blog/meatapologetics/image1.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/meatapologetics/image2.jpg b/packages/website/frontend/static/blog/meatapologetics/image2.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/meatapologetics/image3.jpg b/packages/website/frontend/static/blog/meatapologetics/image3.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/meatapologetics/image4.jpg b/packages/website/frontend/static/blog/meatapologetics/image4.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/meatapologetics/image5.jpg b/packages/website/frontend/static/blog/meatapologetics/image5.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/nagragoodrich.jpg b/packages/website/frontend/static/blog/nagragoodrich.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/nagragoodrich/argument1.jpg b/packages/website/frontend/static/blog/nagragoodrich/argument1.jpg old mode 100644 new mode 100755 
diff --git a/packages/website/frontend/static/blog/nagragoodrich/argument2.jpg b/packages/website/frontend/static/blog/nagragoodrich/argument2.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/nagragoodrich/argument3.jpg b/packages/website/frontend/static/blog/nagragoodrich/argument3.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/nagragoodrich/argument4.jpg b/packages/website/frontend/static/blog/nagragoodrich/argument4.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/nagragoodrich/argument5.jpg b/packages/website/frontend/static/blog/nagragoodrich/argument5.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/nagragoodrich/argument6.jpg b/packages/website/frontend/static/blog/nagragoodrich/argument6.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/nagragoodrich/argument7.jpg b/packages/website/frontend/static/blog/nagragoodrich/argument7.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/nagragoodrich/argument8.jpg b/packages/website/frontend/static/blog/nagragoodrich/argument8.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/nagragoodrich/argument9.jpg b/packages/website/frontend/static/blog/nagragoodrich/argument9.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/plantbasedmeta.jpg b/packages/website/frontend/static/blog/plantbasedmeta.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image10.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image10.jpg old mode 100644 new mode 100755 diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image100.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image100.jpg old mode 100644 new mode 100755 
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image101.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image101.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image102.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image102.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image103.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image103.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image104.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image104.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image105.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image105.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image106.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image106.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image107.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image107.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image108.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image108.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image109.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image109.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image11.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image11.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image110.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image110.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image111.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image111.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image112.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image112.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image113.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image113.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image114.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image114.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image115.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image115.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image116.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image116.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image117.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image117.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image118.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image118.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image119.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image119.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image12.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image12.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image120.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image120.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image121.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image121.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image122.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image122.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image123.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image123.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image124.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image124.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image125.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image125.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image126.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image126.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image127.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image127.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image128.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image128.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image129.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image129.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image13.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image13.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image130.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image130.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image131.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image131.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image132.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image132.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image133.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image133.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image134.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image134.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image135.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image135.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image136.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image136.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image137.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image137.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image138.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image138.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image139.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image139.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image14.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image14.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image140.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image140.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image141.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image141.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image142.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image142.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image143.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image143.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image144.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image144.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image145.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image145.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image146.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image146.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image147.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image147.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image148.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image148.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image149.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image149.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image15.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image15.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image150.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image150.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image151.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image151.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image152.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image152.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image153.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image153.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image154.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image154.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image155.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image155.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image156.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image156.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image157.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image157.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image158.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image158.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image159.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image159.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image16.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image16.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image160.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image160.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image161.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image161.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image162.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image162.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image163.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image163.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image164.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image164.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image165.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image165.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image166.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image166.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image167.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image167.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image168.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image168.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image169.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image169.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image17.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image17.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image170.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image170.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image171.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image171.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image172.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image172.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image173.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image173.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image174.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image174.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image175.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image175.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image176.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image176.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image177.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image177.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image178.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image178.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image179.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image179.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image18.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image18.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image180.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image180.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image181.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image181.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image182.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image182.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image183.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image183.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image184.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image184.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image185.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image185.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image186.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image186.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image19.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image19.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image20.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image20.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image21.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image21.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image22.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image22.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image23.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image23.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image24.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image24.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image25.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image25.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image26.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image26.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image27.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image27.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image28.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image28.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image29.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image29.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image30.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image30.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image31.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image31.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image32.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image32.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image33.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image33.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image34.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image34.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image35.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image35.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image36.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image36.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image37.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image37.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image38.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image38.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image39.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image39.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image40.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image40.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image41.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image41.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image42.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image42.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image43.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image43.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image44.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image44.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image45.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image45.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image46.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image46.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image47.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image47.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image48.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image48.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image49.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image49.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image5.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image5.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image50.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image50.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image51.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image51.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image52.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image52.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image53.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image53.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image54.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image54.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image55.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image55.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image56.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image56.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image57.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image57.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image58.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image58.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image59.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image59.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image6.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image6.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image60.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image60.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image61.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image61.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image62.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image62.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image63.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image63.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image64.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image64.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image65.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image65.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image66.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image66.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image67.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image67.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image68.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image68.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image69.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image69.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image7.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image7.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image70.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image70.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image71.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image71.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image72.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image72.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image73.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image73.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image74.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image74.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image75.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image75.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image76.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image76.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image77.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image77.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image78.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image78.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image79.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image79.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image8.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image8.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image80.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image80.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image81.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image81.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image82.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image82.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image83.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image83.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image84.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image84.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image85.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image85.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image86.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image86.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image87.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image87.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image88.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image88.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image89.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image89.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image9.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image9.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image90.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image90.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image91.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image91.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image92.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image92.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image93.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image93.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image94.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image94.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image95.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image95.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image96.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image96.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image97.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image97.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image98.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image98.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/plantbasedmeta/image99.jpg b/packages/website/frontend/static/blog/plantbasedmeta/image99.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/quacksmashing.jpg b/packages/website/frontend/static/blog/quacksmashing.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet.jpg b/packages/website/frontend/static/blog/sapiendiet.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/argument1.jpg b/packages/website/frontend/static/blog/sapiendiet/argument1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image1.jpg b/packages/website/frontend/static/blog/sapiendiet/image1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image10.jpg b/packages/website/frontend/static/blog/sapiendiet/image10.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image11.jpg b/packages/website/frontend/static/blog/sapiendiet/image11.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image12.jpg b/packages/website/frontend/static/blog/sapiendiet/image12.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image13.jpg b/packages/website/frontend/static/blog/sapiendiet/image13.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image14.jpg b/packages/website/frontend/static/blog/sapiendiet/image14.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image15.jpg b/packages/website/frontend/static/blog/sapiendiet/image15.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image16.jpg b/packages/website/frontend/static/blog/sapiendiet/image16.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image17.jpg b/packages/website/frontend/static/blog/sapiendiet/image17.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image18.jpg b/packages/website/frontend/static/blog/sapiendiet/image18.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image19.jpg b/packages/website/frontend/static/blog/sapiendiet/image19.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image2.jpg b/packages/website/frontend/static/blog/sapiendiet/image2.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image20.jpg b/packages/website/frontend/static/blog/sapiendiet/image20.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image21.jpg b/packages/website/frontend/static/blog/sapiendiet/image21.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image22.jpg b/packages/website/frontend/static/blog/sapiendiet/image22.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image23.jpg b/packages/website/frontend/static/blog/sapiendiet/image23.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image24.jpg b/packages/website/frontend/static/blog/sapiendiet/image24.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image25.jpg b/packages/website/frontend/static/blog/sapiendiet/image25.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image3.jpg b/packages/website/frontend/static/blog/sapiendiet/image3.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image4.jpg b/packages/website/frontend/static/blog/sapiendiet/image4.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image5.jpg b/packages/website/frontend/static/blog/sapiendiet/image5.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image6.jpg b/packages/website/frontend/static/blog/sapiendiet/image6.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image7.jpg b/packages/website/frontend/static/blog/sapiendiet/image7.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image8.jpg b/packages/website/frontend/static/blog/sapiendiet/image8.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sapiendiet/image9.jpg b/packages/website/frontend/static/blog/sapiendiet/image9.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils.jpg b/packages/website/frontend/static/blog/seedoils.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image1.jpg b/packages/website/frontend/static/blog/seedoils/image1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image10.jpg b/packages/website/frontend/static/blog/seedoils/image10.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image11.jpg b/packages/website/frontend/static/blog/seedoils/image11.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image12.jpg b/packages/website/frontend/static/blog/seedoils/image12.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image13.jpg b/packages/website/frontend/static/blog/seedoils/image13.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image14.jpg b/packages/website/frontend/static/blog/seedoils/image14.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image15.jpg b/packages/website/frontend/static/blog/seedoils/image15.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image16.jpg b/packages/website/frontend/static/blog/seedoils/image16.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image17.jpg b/packages/website/frontend/static/blog/seedoils/image17.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image18.jpg b/packages/website/frontend/static/blog/seedoils/image18.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image19.jpg b/packages/website/frontend/static/blog/seedoils/image19.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image2.jpg b/packages/website/frontend/static/blog/seedoils/image2.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image20.jpg b/packages/website/frontend/static/blog/seedoils/image20.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image21.jpg b/packages/website/frontend/static/blog/seedoils/image21.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image22.jpg b/packages/website/frontend/static/blog/seedoils/image22.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image23.jpg b/packages/website/frontend/static/blog/seedoils/image23.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image24.jpg b/packages/website/frontend/static/blog/seedoils/image24.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image25.jpg b/packages/website/frontend/static/blog/seedoils/image25.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image26.jpg b/packages/website/frontend/static/blog/seedoils/image26.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image27.jpg b/packages/website/frontend/static/blog/seedoils/image27.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image28.jpg b/packages/website/frontend/static/blog/seedoils/image28.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image29.jpg b/packages/website/frontend/static/blog/seedoils/image29.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image3.jpg b/packages/website/frontend/static/blog/seedoils/image3.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image30.jpg b/packages/website/frontend/static/blog/seedoils/image30.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image31.jpg b/packages/website/frontend/static/blog/seedoils/image31.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image32.jpg b/packages/website/frontend/static/blog/seedoils/image32.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image33.jpg b/packages/website/frontend/static/blog/seedoils/image33.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image34.jpg b/packages/website/frontend/static/blog/seedoils/image34.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image35.jpg b/packages/website/frontend/static/blog/seedoils/image35.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image36.jpg b/packages/website/frontend/static/blog/seedoils/image36.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image37.jpg b/packages/website/frontend/static/blog/seedoils/image37.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image38.jpg b/packages/website/frontend/static/blog/seedoils/image38.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image39.jpg b/packages/website/frontend/static/blog/seedoils/image39.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image4.jpg b/packages/website/frontend/static/blog/seedoils/image4.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image40.jpg b/packages/website/frontend/static/blog/seedoils/image40.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image42.jpg b/packages/website/frontend/static/blog/seedoils/image42.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image43.jpg b/packages/website/frontend/static/blog/seedoils/image43.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image44.jpg b/packages/website/frontend/static/blog/seedoils/image44.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image45.jpg b/packages/website/frontend/static/blog/seedoils/image45.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image46.jpg b/packages/website/frontend/static/blog/seedoils/image46.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image47.jpg b/packages/website/frontend/static/blog/seedoils/image47.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image48.jpg b/packages/website/frontend/static/blog/seedoils/image48.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image49.jpg b/packages/website/frontend/static/blog/seedoils/image49.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image5.jpg b/packages/website/frontend/static/blog/seedoils/image5.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image50.jpg b/packages/website/frontend/static/blog/seedoils/image50.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image51.jpg b/packages/website/frontend/static/blog/seedoils/image51.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image52.jpg b/packages/website/frontend/static/blog/seedoils/image52.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image53.jpg b/packages/website/frontend/static/blog/seedoils/image53.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image54.jpg b/packages/website/frontend/static/blog/seedoils/image54.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image55.jpg b/packages/website/frontend/static/blog/seedoils/image55.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image56.jpg b/packages/website/frontend/static/blog/seedoils/image56.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image57.jpg b/packages/website/frontend/static/blog/seedoils/image57.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image58.jpg b/packages/website/frontend/static/blog/seedoils/image58.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image59.jpg b/packages/website/frontend/static/blog/seedoils/image59.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image6.jpg b/packages/website/frontend/static/blog/seedoils/image6.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image60.jpg b/packages/website/frontend/static/blog/seedoils/image60.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image61.jpg b/packages/website/frontend/static/blog/seedoils/image61.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image62.jpg b/packages/website/frontend/static/blog/seedoils/image62.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image63.jpg b/packages/website/frontend/static/blog/seedoils/image63.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image64.jpg b/packages/website/frontend/static/blog/seedoils/image64.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image65.jpg b/packages/website/frontend/static/blog/seedoils/image65.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image66.jpg b/packages/website/frontend/static/blog/seedoils/image66.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image67.jpg b/packages/website/frontend/static/blog/seedoils/image67.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image68.jpg b/packages/website/frontend/static/blog/seedoils/image68.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image69.jpg b/packages/website/frontend/static/blog/seedoils/image69.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image7.jpg b/packages/website/frontend/static/blog/seedoils/image7.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image70.jpg b/packages/website/frontend/static/blog/seedoils/image70.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image71.jpg b/packages/website/frontend/static/blog/seedoils/image71.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image72.jpg b/packages/website/frontend/static/blog/seedoils/image72.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image73.jpg b/packages/website/frontend/static/blog/seedoils/image73.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image74.jpg b/packages/website/frontend/static/blog/seedoils/image74.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image75.jpg b/packages/website/frontend/static/blog/seedoils/image75.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image76.jpg b/packages/website/frontend/static/blog/seedoils/image76.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image77.jpg b/packages/website/frontend/static/blog/seedoils/image77.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image78.jpg b/packages/website/frontend/static/blog/seedoils/image78.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image79.jpg b/packages/website/frontend/static/blog/seedoils/image79.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image8.jpg b/packages/website/frontend/static/blog/seedoils/image8.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image80.jpg b/packages/website/frontend/static/blog/seedoils/image80.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image81.jpg b/packages/website/frontend/static/blog/seedoils/image81.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image82.jpg b/packages/website/frontend/static/blog/seedoils/image82.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image83.jpg b/packages/website/frontend/static/blog/seedoils/image83.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image84.jpg b/packages/website/frontend/static/blog/seedoils/image84.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image85.jpg b/packages/website/frontend/static/blog/seedoils/image85.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image86.jpg b/packages/website/frontend/static/blog/seedoils/image86.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image87.jpg b/packages/website/frontend/static/blog/seedoils/image87.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image88.jpg b/packages/website/frontend/static/blog/seedoils/image88.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image89.jpg b/packages/website/frontend/static/blog/seedoils/image89.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image9.jpg b/packages/website/frontend/static/blog/seedoils/image9.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image90.jpg b/packages/website/frontend/static/blog/seedoils/image90.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image91.jpg b/packages/website/frontend/static/blog/seedoils/image91.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image92.jpg b/packages/website/frontend/static/blog/seedoils/image92.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image93.jpg b/packages/website/frontend/static/blog/seedoils/image93.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image94.jpg b/packages/website/frontend/static/blog/seedoils/image94.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image95.jpg b/packages/website/frontend/static/blog/seedoils/image95.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image96.jpg b/packages/website/frontend/static/blog/seedoils/image96.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image97.jpg b/packages/website/frontend/static/blog/seedoils/image97.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/seedoils/image98.jpg b/packages/website/frontend/static/blog/seedoils/image98.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/shenanigans.jpg b/packages/website/frontend/static/blog/shenanigans.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sweetdeception.jpg b/packages/website/frontend/static/blog/sweetdeception.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sweetdeception/image1.jpg b/packages/website/frontend/static/blog/sweetdeception/image1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sweetdeception/image10.jpg b/packages/website/frontend/static/blog/sweetdeception/image10.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sweetdeception/image11.jpg b/packages/website/frontend/static/blog/sweetdeception/image11.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sweetdeception/image12.jpg b/packages/website/frontend/static/blog/sweetdeception/image12.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sweetdeception/image13.jpg b/packages/website/frontend/static/blog/sweetdeception/image13.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sweetdeception/image14.jpg b/packages/website/frontend/static/blog/sweetdeception/image14.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sweetdeception/image2.jpg b/packages/website/frontend/static/blog/sweetdeception/image2.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sweetdeception/image3.jpg b/packages/website/frontend/static/blog/sweetdeception/image3.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sweetdeception/image4.jpg b/packages/website/frontend/static/blog/sweetdeception/image4.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sweetdeception/image5.jpg b/packages/website/frontend/static/blog/sweetdeception/image5.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sweetdeception/image6.jpg b/packages/website/frontend/static/blog/sweetdeception/image6.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sweetdeception/image7.jpg b/packages/website/frontend/static/blog/sweetdeception/image7.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sweetdeception/image8.jpg b/packages/website/frontend/static/blog/sweetdeception/image8.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sweetdeception/image9.jpg b/packages/website/frontend/static/blog/sweetdeception/image9.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/sweetdeception/shenanigans.jpg b/packages/website/frontend/static/blog/sweetdeception/shenanigans.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/thumbs/bigfatsurprise.jpg b/packages/website/frontend/static/blog/thumbs/bigfatsurprise.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/thumbs/everettvegans.jpg b/packages/website/frontend/static/blog/thumbs/everettvegans.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/thumbs/huntergatherers.jpg b/packages/website/frontend/static/blog/thumbs/huntergatherers.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/thumbs/meatapologetics.jpg b/packages/website/frontend/static/blog/thumbs/meatapologetics.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/thumbs/nagragoodrich.jpg b/packages/website/frontend/static/blog/thumbs/nagragoodrich.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/thumbs/plantbasedmeta.jpg b/packages/website/frontend/static/blog/thumbs/plantbasedmeta.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/thumbs/quacksmashing.jpg b/packages/website/frontend/static/blog/thumbs/quacksmashing.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/thumbs/sapiendiet.jpg b/packages/website/frontend/static/blog/thumbs/sapiendiet.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/thumbs/seedoils.jpg b/packages/website/frontend/static/blog/thumbs/seedoils.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/thumbs/shenanigans.jpg b/packages/website/frontend/static/blog/thumbs/shenanigans.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/blog/thumbs/sweetdeception.jpg b/packages/website/frontend/static/blog/thumbs/sweetdeception.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/contact/discord.jpg b/packages/website/frontend/static/contact/discord.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/contact/email.jpg b/packages/website/frontend/static/contact/email.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/adamsinger/adamsinger.jpg b/packages/website/frontend/static/cucks/adamsinger/adamsinger.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/adamsinger/receipt1.jpg b/packages/website/frontend/static/cucks/adamsinger/receipt1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/adamsinger/receipt2.jpg b/packages/website/frontend/static/cucks/adamsinger/receipt2.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/allengreen/allengreen.jpg b/packages/website/frontend/static/cucks/allengreen/allengreen.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/amberohearn/amberohearn.jpg b/packages/website/frontend/static/cucks/amberohearn/amberohearn.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/amberohearn/receipt1.jpg b/packages/website/frontend/static/cucks/amberohearn/receipt1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/annchilders/annchilders.jpg b/packages/website/frontend/static/cucks/annchilders/annchilders.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/annchilders/receipt1.jpg b/packages/website/frontend/static/cucks/annchilders/receipt1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/anthonygustin/anthonygustin.jpg b/packages/website/frontend/static/cucks/anthonygustin/anthonygustin.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/anthonygustin/receipt1.jpg b/packages/website/frontend/static/cucks/anthonygustin/receipt1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/ashwanigarg/ashwanigarg.jpg b/packages/website/frontend/static/cucks/ashwanigarg/ashwanigarg.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/ashwanigarg/receipt1.jpg b/packages/website/frontend/static/cucks/ashwanigarg/receipt1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/austinherbert/austinherbert.jpg b/packages/website/frontend/static/cucks/austinherbert/austinherbert.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/austinherbert/receipt1.jpg b/packages/website/frontend/static/cucks/austinherbert/receipt1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/austinhiggs/austinhiggs.jpg b/packages/website/frontend/static/cucks/austinhiggs/austinhiggs.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/bartkay/bartkay.jpg b/packages/website/frontend/static/cucks/bartkay/bartkay.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/bartkay/receipt1.jpg b/packages/website/frontend/static/cucks/bartkay/receipt1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/benbikman/benbikman.jpg b/packages/website/frontend/static/cucks/benbikman/benbikman.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/benbikman/receipt1.jpg b/packages/website/frontend/static/cucks/benbikman/receipt1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/bennymalone/bennymalone.jpg b/packages/website/frontend/static/cucks/bennymalone/bennymalone.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/bennymalone/receipt1.jpg b/packages/website/frontend/static/cucks/bennymalone/receipt1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/bowtiedox/bowtiedox.jpg b/packages/website/frontend/static/cucks/bowtiedox/bowtiedox.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/bradcampbell/bradcampbell.jpg b/packages/website/frontend/static/cucks/bradcampbell/bradcampbell.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/bradcampbell/receipt1.jpg b/packages/website/frontend/static/cucks/bradcampbell/receipt1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/bradcohn/bradcohn.jpg b/packages/website/frontend/static/cucks/bradcohn/bradcohn.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/bradcohn/receipt1.jpg b/packages/website/frontend/static/cucks/bradcohn/receipt1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/bradmarshall/bradmarshall.jpg b/packages/website/frontend/static/cucks/bradmarshall/bradmarshall.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/bradmarshall/receipt1.jpg b/packages/website/frontend/static/cucks/bradmarshall/receipt1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/bretscher/bretscher.jpg b/packages/website/frontend/static/cucks/bretscher/bretscher.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/bretweinstein/bretweinstein.jpg b/packages/website/frontend/static/cucks/bretweinstein/bretweinstein.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/bretweinstein/receipt1.jpg b/packages/website/frontend/static/cucks/bretweinstein/receipt1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/bretweinstein/receipt2.jpg b/packages/website/frontend/static/cucks/bretweinstein/receipt2.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/bretweinstein/receipt3.jpg b/packages/website/frontend/static/cucks/bretweinstein/receipt3.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/briankateman/briankateman.jpg b/packages/website/frontend/static/cucks/briankateman/briankateman.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/briankerley/briankerley.jpg b/packages/website/frontend/static/cucks/briankerley/briankerley.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/cameronruggles/cameronruggles.jpg b/packages/website/frontend/static/cucks/cameronruggles/cameronruggles.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/carnivoreaurelius/carnivoreaurelius.jpg b/packages/website/frontend/static/cucks/carnivoreaurelius/carnivoreaurelius.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/carykelly/carykelly.jpg b/packages/website/frontend/static/cucks/carykelly/carykelly.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/cateshanahan/cateshanahan.jpg b/packages/website/frontend/static/cucks/cateshanahan/cateshanahan.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/chrisboettcher/chrisboettcher.jpg b/packages/website/frontend/static/cucks/chrisboettcher/chrisboettcher.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/claraaboel/claraaboel.jpg b/packages/website/frontend/static/cucks/claraaboel/claraaboel.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/cliffharvey/cliffharvey.jpg b/packages/website/frontend/static/cucks/cliffharvey/cliffharvey.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/daltongraham/daltongraham.jpg b/packages/website/frontend/static/cucks/daltongraham/daltongraham.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/davecali/davecali.jpg b/packages/website/frontend/static/cucks/davecali/davecali.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/davefeldman/davefeldman.jpg b/packages/website/frontend/static/cucks/davefeldman/davefeldman.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/davidberuh/davidberuh.jpg b/packages/website/frontend/static/cucks/davidberuh/davidberuh.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/daviddiamond/daviddiamond.jpg b/packages/website/frontend/static/cucks/daviddiamond/daviddiamond.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/davidgornoski/davidgornoski.jpg b/packages/website/frontend/static/cucks/davidgornoski/davidgornoski.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/davidzarkov/davidzarkov.jpg b/packages/website/frontend/static/cucks/davidzarkov/davidzarkov.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/devanandprabhu/devanandprabhu.jpg b/packages/website/frontend/static/cucks/devanandprabhu/devanandprabhu.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/dianarodgers/dianarodgers.jpg b/packages/website/frontend/static/cucks/dianarodgers/dianarodgers.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/edserrano/edserrano.jpg b/packages/website/frontend/static/cucks/edserrano/edserrano.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/edwardgoeke/edwardgoeke.jpg b/packages/website/frontend/static/cucks/edwardgoeke/edwardgoeke.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/eliejarrouge/eliejarrouge.jpg b/packages/website/frontend/static/cucks/eliejarrouge/eliejarrouge.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/ericsartori/ericsartori.jpg b/packages/website/frontend/static/cucks/ericsartori/ericsartori.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/garrylee/garrylee.jpg b/packages/website/frontend/static/cucks/garrylee/garrylee.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/garybrecka/garybrecka.jpg b/packages/website/frontend/static/cucks/garybrecka/garybrecka.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/garyfettke/garyfettke.jpg b/packages/website/frontend/static/cucks/garyfettke/garyfettke.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/garytaubes/garytaubes.jpg b/packages/website/frontend/static/cucks/garytaubes/garytaubes.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/georgemartin/georgemartin.jpg b/packages/website/frontend/static/cucks/georgemartin/georgemartin.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/guyaustin/guyaustin.jpg b/packages/website/frontend/static/cucks/guyaustin/guyaustin.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/ivorcummins/ivorcummins.jpg b/packages/website/frontend/static/cucks/ivorcummins/ivorcummins.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/jaimiedrew/jaimiedrew.jpg b/packages/website/frontend/static/cucks/jaimiedrew/jaimiedrew.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/jakemey/jakemey.jpg b/packages/website/frontend/static/cucks/jakemey/jakemey.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/jamesdinicolantonio/jamesdinicolantonio.jpg b/packages/website/frontend/static/cucks/jamesdinicolantonio/jamesdinicolantonio.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/josepheverett/josepheverett.jpg b/packages/website/frontend/static/cucks/josepheverett/josepheverett.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/justinmares/justinmares.jpg b/packages/website/frontend/static/cucks/justinmares/justinmares.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/kaitmalthaner/kaitmalthaner.jpg b/packages/website/frontend/static/cucks/kaitmalthaner/kaitmalthaner.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/kemminnick/kemminnick.jpg b/packages/website/frontend/static/cucks/kemminnick/kemminnick.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/kenberry/kenberry.jpg b/packages/website/frontend/static/cucks/kenberry/kenberry.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/kevinstock/kevinstock.jpg b/packages/website/frontend/static/cucks/kevinstock/kevinstock.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/kylemamounis/kylemamounis.jpg b/packages/website/frontend/static/cucks/kylemamounis/kylemamounis.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/lewiswhitfield.jpg b/packages/website/frontend/static/cucks/lewiswhitfield.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/lewiswhitfield/lewiswhitfield.jpg b/packages/website/frontend/static/cucks/lewiswhitfield/lewiswhitfield.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/macrofour/macrofour.jpg b/packages/website/frontend/static/cucks/macrofour/macrofour.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/marionholman/marionholman.jpg b/packages/website/frontend/static/cucks/marionholman/marionholman.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/markbski/markbski.jpg b/packages/website/frontend/static/cucks/markbski/markbski.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/marksisson/marksisson.jpg b/packages/website/frontend/static/cucks/marksisson/marksisson.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/martykendall/martykendall.jpg b/packages/website/frontend/static/cucks/martykendall/martykendall.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/maxlugavere/maxlugavere.jpg b/packages/website/frontend/static/cucks/maxlugavere/maxlugavere.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/michaelkummer/michaelkummer.jpg b/packages/website/frontend/static/cucks/michaelkummer/michaelkummer.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/michaelmanderville/michaelmanderville.jpg b/packages/website/frontend/static/cucks/michaelmanderville/michaelmanderville.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/miguelespejel/miguelespejel.jpg b/packages/website/frontend/static/cucks/miguelespejel/miguelespejel.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/mikemutzel/mikemutzel.jpg b/packages/website/frontend/static/cucks/mikemutzel/mikemutzel.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/mikesweeney/mikesweeney.jpg b/packages/website/frontend/static/cucks/mikesweeney/mikesweeney.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/nickeggleton/nickeggleton.jpg b/packages/website/frontend/static/cucks/nickeggleton/nickeggleton.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/ninateicholz/ninateicholz.jpg b/packages/website/frontend/static/cucks/ninateicholz/ninateicholz.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/ninateicholz/ninateicholz1.jpg b/packages/website/frontend/static/cucks/ninateicholz/ninateicholz1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/nocarbsnation/nocarbsnation.jpg b/packages/website/frontend/static/cucks/nocarbsnation/nocarbsnation.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/norstrongchris/norstrongchris.jpg b/packages/website/frontend/static/cucks/norstrongchris/norstrongchris.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/paulmason/paulmason.jpg b/packages/website/frontend/static/cucks/paulmason/paulmason.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/paulsaladino/paulsaladino.jpg b/packages/website/frontend/static/cucks/paulsaladino/paulsaladino.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/peterfaber/peterfaber.jpg b/packages/website/frontend/static/cucks/peterfaber/peterfaber.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/philipovadia/philipovadia.jpg b/packages/website/frontend/static/cucks/philipovadia/philipovadia.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/philippestephenson/philippestephenson.jpg b/packages/website/frontend/static/cucks/philippestephenson/philippestephenson.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/ralphnapolitano/ralphnapolitano.jpg b/packages/website/frontend/static/cucks/ralphnapolitano/ralphnapolitano.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/raphaelsirtoli/raphaelsirtoli.jpg b/packages/website/frontend/static/cucks/raphaelsirtoli/raphaelsirtoli.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/robbwolf/robbwolf.jpg b/packages/website/frontend/static/cucks/robbwolf/robbwolf.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/robmeijer/robmeijer.jpg b/packages/website/frontend/static/cucks/robmeijer/robmeijer.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/samtsimikas/samtsimikas.jpg b/packages/website/frontend/static/cucks/samtsimikas/samtsimikas.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/scottpsysher/scottpsysher.jpg b/packages/website/frontend/static/cucks/scottpsysher/scottpsysher.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/sebastianramirez/sebastianramirez.jpg b/packages/website/frontend/static/cucks/sebastianramirez/sebastianramirez.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/shawnbaker/shawnbaker.jpg b/packages/website/frontend/static/cucks/shawnbaker/shawnbaker.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/simongoddek/simongoddek.jpg b/packages/website/frontend/static/cucks/simongoddek/simongoddek.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/stevenarena/stevenarena.jpg b/packages/website/frontend/static/cucks/stevenarena/stevenarena.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/stevenbelknap/stevenbelknap.jpg b/packages/website/frontend/static/cucks/stevenbelknap/stevenbelknap.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/therealtruther/therealtruther.jpg b/packages/website/frontend/static/cucks/therealtruther/therealtruther.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/thomasdayspring/thomasdayspring.jpg b/packages/website/frontend/static/cucks/thomasdayspring/thomasdayspring.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/travisstatham/travisstatham.jpg b/packages/website/frontend/static/cucks/travisstatham/travisstatham.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/tristanhaggard/tristanhaggard.jpg b/packages/website/frontend/static/cucks/tristanhaggard/tristanhaggard.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/trokalayjian/trokalayjian.jpg b/packages/website/frontend/static/cucks/trokalayjian/trokalayjian.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/tuckergoodrich/tuckergoodrich.jpg b/packages/website/frontend/static/cucks/tuckergoodrich/tuckergoodrich.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/zoeharcombe/zoeharcombe.jpg b/packages/website/frontend/static/cucks/zoeharcombe/zoeharcombe.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/cucks/zsófiaclemens/zsófiaclemens.jpg b/packages/website/frontend/static/cucks/zsófiaclemens/zsófiaclemens.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/debate/arguments.jpg b/packages/website/frontend/static/debate/arguments.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/debate/cucklist.jpg b/packages/website/frontend/static/debate/cucklist.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/debate/cucklist1.jpg b/packages/website/frontend/static/debate/cucklist1.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/debate/gibberish.jpg b/packages/website/frontend/static/debate/gibberish.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/donate/cardano.jpg b/packages/website/frontend/static/donate/cardano.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/donate/checkmark.jpg b/packages/website/frontend/static/donate/checkmark.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/donate/ex.jpg b/packages/website/frontend/static/donate/ex.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/donate/kofi.jpg b/packages/website/frontend/static/donate/kofi.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/donate/liberapay.jpg b/packages/website/frontend/static/donate/liberapay.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/donate/merchandise.jpg b/packages/website/frontend/static/donate/merchandise.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/donate/patreon.jpg b/packages/website/frontend/static/donate/patreon.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/donate/paypal.jpg b/packages/website/frontend/static/donate/paypal.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/donate/question.jpg b/packages/website/frontend/static/donate/question.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/donate/stripe.jpg b/packages/website/frontend/static/donate/stripe.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/donate/youtube.jpg b/packages/website/frontend/static/donate/youtube.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/gibberish/epistemology.jpg b/packages/website/frontend/static/gibberish/epistemology.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/gibberish/gibberish.jpg b/packages/website/frontend/static/gibberish/gibberish.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/gibberish/metaphysics.jpg b/packages/website/frontend/static/gibberish/metaphysics.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/gibberish/normativity.jpg b/packages/website/frontend/static/gibberish/normativity.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/gibberish/ontology.jpg b/packages/website/frontend/static/gibberish/ontology.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/gibberish/philosophyoflanguage.jpg b/packages/website/frontend/static/gibberish/philosophyoflanguage.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/gibberish/philosophyofmind.jpg b/packages/website/frontend/static/gibberish/philosophyofmind.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/gibberish/theology.jpg b/packages/website/frontend/static/gibberish/theology.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/interviews/drshawnbakerpodcast.jpg b/packages/website/frontend/static/interviews/drshawnbakerpodcast.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/interviews/fitandfurious.jpg b/packages/website/frontend/static/interviews/fitandfurious.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/interviews/foolproofmastery.jpg b/packages/website/frontend/static/interviews/foolproofmastery.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/interviews/ketogeekspodcast.jpg b/packages/website/frontend/static/interviews/ketogeekspodcast.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/interviews/legendarylifepodcast.jpg b/packages/website/frontend/static/interviews/legendarylifepodcast.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/interviews/markbellspowerproject.jpg b/packages/website/frontend/static/interviews/markbellspowerproject.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/interviews/musclememoirspodcast.jpg b/packages/website/frontend/static/interviews/musclememoirspodcast.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/interviews/sigmanutritionradio.jpg b/packages/website/frontend/static/interviews/sigmanutritionradio.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/interviews/strenuouslifepodcast.jpg b/packages/website/frontend/static/interviews/strenuouslifepodcast.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/services/customelmsites.jpg b/packages/website/frontend/static/services/customelmsites.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/services/customnixconfigs.jpg b/packages/website/frontend/static/services/customnixconfigs.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/services/debateanalysis.jpg b/packages/website/frontend/static/services/debateanalysis.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/services/debatecoaching.jpg b/packages/website/frontend/static/services/debatecoaching.jpg
old mode 100644
new mode 100755
diff --git a/packages/website/frontend/static/services/nutritionscience.jpg b/packages/website/frontend/static/services/nutritionscience.jpg
old mode 100644
new mode 100755
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index ededd40..89763f8 100755
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -7,11 +7,11 @@ network: fallaryn: ENC[AES256_GCM,data:O77hH3STB6zpl0b9iXsVu9OOrlLKUwfs2qI9hdqX4kMuBs3XgT/xsQ==,iv:RDKsuJoy+LIyADMc3bgOEmLKdXtu6kad2aeVetuZdJI=,tag:MrpCZ+iJUnGIjeHMgcYG6Q==,type:str] garnet: ENC[AES256_GCM,data:N8sAdjTAiubQihKrtdCkaJQBKkz6/kNdeATiaZXRhlP/HLg7zg==,iv:8QP1HnGSUGHpkwBwQY2Z0gZ6tYaK7XzMuxXexY6QQaU=,tag:fHzPh9lvqB2BmuSkVH5Ojg==,type:str] mastodon: - smtp: ENC[AES256_GCM,data:ey1fq4e/V2rmY/PRvopbFkBFt2SNb0UERCu4pUf0iOpW,iv:dNl+cm2zkas48I9lUyYss5lMWBi9EEiqaeefuE49V7w=,tag:zucvfmY84B25SGS4vYr91Q==,type:str] - database: ENC[AES256_GCM,data:dYdLk9s4xZjHaIZCiKvLf/7HbcHVdMOk69JzYmXkX4lf,iv:IJKSR47LR08OuzPJZmfQnVUyOSjtUEmv0c/sGT9eIws=,tag:KUtW8ZKoZHBKvixVLYkNrQ==,type:str] - redis: ENC[AES256_GCM,data:lrbTQAuay170fXNUGooG7bJg5lROItwUrnlKYBalo7Zp,iv:osaPJhqOpT5fm4ZYP7rbn0y/jzCfOu8+iPwO8KhRkuM=,tag:ByQjwCT7MtJjgpGWNAoffA==,type:str] - pass: ENC[AES256_GCM,data:VlWIQQK89E4FaIUNXu1+sPuEbSQIVdYeGVWt8eztCMpikVsmeFd+G3XxS1Zm76m0tNFZjF7oHILpCudHU4M8k810ePwadcUOiglCP4P2Dkn1vrrB384T5Ed9gn8NHo3S1HlXczsNKmy6j8fP2CNKSb8Mar5VQBbajqryA73bB9pI,iv:EvlNrU4ImdYe5/HQytXCxqDui3Df3oIcC1vLkor7be4=,tag:lnkyjWHyEUTWPVqjwYx+cg==,type:str] - fedifetcher-token: ENC[AES256_GCM,data:dKAzD+hDQgbhNosvR7xo8UWe8g8LtaTAvF4oHY9hw5ThXJKN/LplmfoDGSY=,iv:yXaRQGHiJDk+1kco9jTjzD/ava0k6YqcIefm2X/ouYA=,tag:ouqufvNfHA50Sg+IkSgSXw==,type:str] + nick-smtp: ENC[AES256_GCM,data:7ChneqVz3G2diH33fY63FJSTZD136HjcIiu/X4CXOf+d,iv:G4ee7tg5+IwPwRgvX+ZB3fVVGb9ARo9Ds4lbQbscz4E=,tag:uYP97ieghFow3vQc5n6ldQ==,type:str] + nick-database: ENC[AES256_GCM,data:bBIjIrO0mkbg1yuLK3fP5lG/DWwwMUhqrGNTta2ejUNy,iv:HNnHryfXR+wB1f2AdY3FyDlHWDk7JPgWBRz170FKQU4=,tag:WlZdefcoWHzyPpv0bxCZ8A==,type:str] + nick-redis: ENC[AES256_GCM,data:EqI1Iyy8Z00b0QzqjXsMl21zI7Bi7U8fOM+BZOiEazAE,iv:YLiiT2KLcLgS3kBKtpD/IbnEsKAuPs5XlLNH8YCEhYc=,tag:Z56WCabmtxrg4j+3eXesdQ==,type:str] + nick-pass: 
ENC[AES256_GCM,data:WHV+iRST1H2k7muAJfp3mT0ol7l1fVDs8pG1OgBV4lKcLrMKy43wbNJ9YvK1R+CRYOh3JTbOurLAyqA50t7SvmzYKjtjXgANNx7u/mf4jgmO0TlaLxTp6Tc/YqZokUg7wgOkPRpb2+kukHIDrWPOdN0g5BFZSEvanE6ckkG0keRP,iv:XANdKTeCT4R0v7gCbuOTuXqHBN7GaiR3osW+vOt8SQ0=,tag:Ae71I4h5QweRlxoVWyJs+w==,type:str] + nick-fedifetcher-token: ENC[AES256_GCM,data:aqUQ1K2zCb1aicqiUwhJ9cniB6LCzGxkj26ZRT4NlZwki38Ktorf4Ntor7k=,iv:tSthNg5ubEXOUfqA4xCfaDx1LTheqiiV48XqtPEm0HQ=,tag:lxXt1G9ll5iVC/phSyO/BQ==,type:str] peertube: smtp: ENC[AES256_GCM,data:yrx7Ovy3zmApaODk+V3k26XJDUj5sGr0YAQ168V/o0dY,iv:s2P2Rf5/QnjBeNgFTXpXKPI+y8P97RJqaXRK4b19V/w=,tag:4X830RBQFzx1Mirwd5smeA==,type:str] database: ENC[AES256_GCM,data:T7cd/jrmpzdKuE7nZ6/Zh4DI8E35J26Jn/wt3yZEf+ce,iv:wfeoQljDlp0/isxsbH04ZRG31KTY0d0mBsShjy89ddo=,tag:XrtzpyRr6wvkArg2pGObBQ==,type:str] 
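Review bot: The `nick-` prefix is applied to the `mastodon` keys here, and to `forgejo`, `zookeeper`, `minecraft` and `torrent` in the later hunks, but the `peertube` keys visible as context (`smtp`, `database`, `root`, `secret`) and the `backblaze` keys (`env`, `repo`) keep their old names. If the module now derives the secret path as `<service>/<owner>-<name>`, which this diff section does not show, those entries will fail to resolve at activation; either rename them in the same commit or record why they are exempt. Every secret declaration that still references `mastodon/smtp`, `mastodon/database`, `mastodon/redis`, `mastodon/pass` or `mastodon/fedifetcher-token` has to change together with this hunk, so it is worth grepping the modules for the old paths before merging. SOPS leaves key names in cleartext, so the new names also tell anyone who can read the repository which account owns each credential.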
@@ -19,13 +19,13 @@ peertube: root: ENC[AES256_GCM,data:cMHXjWtZzeCwuzsw7hhTZI+g9inXV9X0/ez4X8APXria5DuZ+fyqTZu7MMCFceKuQzD3Gp2pyVsIQQ==,iv:S9017GWX6tC6Y0pG/H4SMNhKGE8xModDp7Rpdlehblg=,tag:oRaxoBze+z7DPvtXIQ/ofw==,type:str] secret: ENC[AES256_GCM,data:I+/FLyqsnt+PFsb0tidton95pwU/kMCL+ajsBrBpa8YdTdosgAK8QQOcJHbbMYKRIoWbsjWjzIqff6jgQ4B7Q/s=,iv:x+VD3KHLeNjvNvfsQqVQk7IJzUyGvSI2MPKCEdUpGks=,tag:1Kz/P9ffIAL4yx7nhVQIow==,type:str] forgejo: - database: ENC[AES256_GCM,data:KhwJNJdICaZpnouDecDQM/ShL60nzqzPuyTCO7reilJc,iv:LQord5Bkfhuq/13DqEk51EB+qtunWpJ+g5fFXbhXV90=,tag:TG/fsyXerdy+MEnsjBbuBg==,type:str] - smtp: ENC[AES256_GCM,data:rL1loo/yKrIPmZVpa6S8ka9lX2bwkgCNYRCZ1Np07ANp,iv:Si2sqBNlVQzi8rlfp8WQFUoyu4xJGfPYc9N6V6jrry4=,tag:SdPIRaiiIaHe1DnOxp1Y0Q==,type:str] + nick-database: ENC[AES256_GCM,data:Hzojzr1TvFFfnQO2Dm8c3+QMVejqWPqsMTR+hMCaddtu,iv:4gs+yuoqjkJWrsGKhhaeXXWE3PKOZgEcbOprbUUmP/w=,tag:ul7XkzbVLGbRfwBGvhGQbQ==,type:str] + nick-smtp: ENC[AES256_GCM,data:wJ3Q86tVNS1V+lzOrV4IbnoR1FzJg4CoTPvjfKvN/me+,iv:yF4nZw4c6L1MoD9maXaZBNr9EgLHM0ij5468P/wzHxI=,tag:yz01ukHdwKWc+Ph6QSaiNg==,type:str] zookeeper: - env: ENC[AES256_GCM,data:CEEUmzRxvyeXSQfwUkmZq46HQNkv3I+wMzkBoUpAlh3D5O3L5kCeoDksDWuQrVTeQfIwKj18LDeeG+2Bz5XOVPTyXm/Ap+m2Jw==,iv:6eX7ocY5PiQaJ0KBDiKxhx0UguuQWcIbiZSYHY2hHjU=,tag:6vXg2fzRyfuJd5G3yNeUNA==,type:str] + nick-env: ENC[AES256_GCM,data:Uhnk1fbHAOOpS7od9cd88JotcCqK0dWKVVV0I56/D90+pDKJ5qLKO0AnrF8ebNd8HgKMc7bkO/fO0AHRtKcei4jk5hg5vsM4EA==,iv:WR4wnxmA0XWjSwgAnFJcTUy63WJzfWiC5/ogPStR0r4=,tag:rDE3OktnQN5xJW5WXVcOlA==,type:str] minecraft: - world0: ENC[AES256_GCM,data:pz7P5g9jRL8KaARfSs2ddmN76ioKSuSv7A==,iv:ZFIhS15BPxHzTW4aPpT7A8R4rxuyNNGjPJXqJXYoBpk=,tag:aymiUs87YR519eZN8Aopyw==,type:str] - world1: ENC[AES256_GCM,data:vvMvvGlyrrufdoeiTWYUcKoYSyMtuOyQ2A2xPB0V81IM,iv:gQWuyxqcSTvrgKbhKlu8dZbBj0zqGImyB+W2ZufRyJc=,tag:ykPgGmRAEZl3M3HrEdE5Aw==,type:str] + nick-world0: 
ENC[AES256_GCM,data:r3cBMW662UaoRBy6dzIqWRlaFHopfN/t5g==,iv:Nr+lvEQTT+PDP8OMH6mUyWKo92ejRfO4fXAERMxg8sQ=,tag:2WevPfTYN4/NJNea/JwPqg==,type:str] + nick-world1: ENC[AES256_GCM,data:/npb82dKLypMDkq01F1eyb+aPiqzcgL9wUX3bMLgEYk5,iv:9JWvq9E5+Gs3T9y9YqrkXbF9kl0lAWPseVK+OBrQR/w=,tag:XziFN0BMs+Nk+54vkc4+ig==,type:str] vaultwarden: nick-env: ENC[AES256_GCM,data:lG7pqpLJ7OsFZhWCJcPnvDxkR4Ob78buazUeLWlRSAPYEv8KarymYduecJNWCZUjUlysoU5YrHaat8tny+Vl2rYdef8oPfqlf7fITofsdmjHhAGUBJEEVQWLyEXqrEebEyeNKZwI+u8=,iv:SNptt0CPcSCTs6AAWLcC+U0/94oQapqmT1K8ZN/bIfM=,tag:2/1A+DwuWOIr0eoJmZTnwA==,type:str] dns: 
@@ -50,7 +50,7 @@ opencloud: nick-env: ENC[AES256_GCM,data:bgrc1zzU3ByzTt7oVZVOLgm7zBAwHHq+rZMJQTmDUeQoUbvdPi6Y3Q9dI+cyBdzgKEIQjsDAkLw298a57qUvfOHS/341Myqy4QVEjpTXvvHqBS3yG64oOqg76nwyTl5B76w45lat4FCTvQ2RnVKgKhsUEwWhe6Jaf9qTd8c+18do4PHmnBfUUfy05dpI/lPnHhIIhPbNWhPzGhyq3oMjYBpnMK7z+pw8mMGveEdo9o8Kc69XtYP+rrkX03hXntVnBz2qwH/lVibIZfD2E+IsQGvQO3u5SSDXpI0BLfi0Au7kSdTnGwO5b8138LIC054hQkW9MdCzo6qZW231+6yhrixsosgz0x4T3vp4+38MgodrZHnrXCqpRHPqR9Lwbt07P3CgyTC47DNWo4ykwyfx7P4FbGrZ0lXWX8CT5E1yDjwaT9n4+1Zwsg+W7S6HIctQPlDNVLWc9L64ekdiw5Z2n4bfFvsph+/JoUe/hFuKmUzuw/fvPgBDOpuTMqDlIa4/fhZNVQJChnd0j52/QQ+NqdWmd3c2kgEIa1vbNRNvwYDN3UQmBCUGvohv1YbAENyaFsoYGj7LAnRGfrWcevvZIn4XFXCiYBZPm1Jnf9KxALnw6utt6s8mckzUtD36o1VqCgPV06cHZs4X2nRKxY+b1pdSxy2m5vQ=,iv:MrYZkzv5Y8xzzkHiRL4oRHPZ0fr+16iRQhyEcrBLKTY=,tag:SbagQ7zR+C8heOqwsmrbUA==,type:str] stacie-env: ENC[AES256_GCM,data:un2iedgo0Uy1MFMDefeM8qgsJV9PgYJH+n6iKtokp9uPzd30wFmfbRHar1wjqjG2QLZ60RYzWfeQwgs+XVVh7Jwqflyo60hpOrY71jn5C3QvAlMxD4bGW9tCiiq2+bMPBbPlxfTrpnvjGXxFD2g0Do71IFsfTNiMWa9ebSDooRUYOLpumPWz2OXFsPfJdr8KaH7hrCEWOXfXE4HUFdluyQoWPT/YqxCJmb8=,iv:26EoscOH/ZuiI3nEr+JlwHLVp2OqKA7yG1jFbdtQfOE=,tag:zYC1sW1C3muLQ/P4XQDIdA==,type:str] garnet-env: ENC[AES256_GCM,data:Vnf3KU6jzSKtvel1rEi5MqC/hyBJ7OS95sVIlchm82dVFyNSaQcmd1qeCNjNktxwvX5PboLVXpvpV5pQFp0LJiMMVV+b27CDdEDNIPpf1QcHgcmMOMcaVijavywXe2t+Q4q1n8qw/NsC8qdvmVe3pHK3IMtvA3/Rez/nHaM1tvayzdJ35DGibr+tI9MlzVAIW1Iu8Wm4MxSQlEQh/yp6ZfgRqosiTxe8NGQ=,iv:rID8YKduNcUG15WN6nwIcAKRu5MbnI0be2oVPJxVXwE=,tag:tS3C6OZ4p2EPwALbDndusA==,type:str] - projectenv: ENC[AES256_GCM,data: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,iv:YQR0CDFNDgeRwm+Q8xN7SYQ4Jo3PfneciGtIOhRDJOY=,tag:OArVLjnc3ZT2EAqP9QpzQQ==,type:str] + project-env: ENC[AES256_GCM,data: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,iv:sdxcfdzE5Jz2gFq51popoQyMmuND+a2UPV3cCYLHvE0=,tag:U4vgdxPhPUuUx9ravFCJEg==,type:str] caddy: share-auth: 
ENC[AES256_GCM,data:3jY2B2GOdz5EPJeAyVsk4XCs5NMft3VquIBep7SxYtEZ9H7IDroq1U1Sch6YVQ7VcL85L4Ix/OVPm4jVDEA0sZiGkltbYXRXZ8CR34ifsHtHR35lgjXyj8ZhJLydw7LgmZCEztWO8GjLdvSY,iv:MT5sA32Djx81HGc36rqV2xS5KUHLAeTyZiOdSu8oqQY=,tag:V1dv4yS2RXf4Xqrl5+tEuA==,type:str] comfyui-auth: ENC[AES256_GCM,data:7VTXoRxnD0NyVCFRAjHaZswEUsFuQd/ZIwVfqGPmNNV87hn6CBYWvxvcPPFwe+uw7BmKMt+I66DyKx5ydYENTWxPocyT/rFdgdtWwNoenj+JwsUzegmMbEiH2HCZdiwKj0h1lo142mtA6zkc,iv:xT5XHCj8D4dyvglstE2oqo92fLdscCkaNMux43hJ7nQ=,tag:HgU9wAmjPvfoDXgnorB5yA==,type:str] 
@@ -61,8 +61,8 @@ firefly-iii: nick-data: ENC[AES256_GCM,data:K6nUu11WInVUE6KIb/PGGbPTX3g/d2VWM2dWxMjWMMCZ,iv:ZqjLh5kKgOed5KAJ9qcrqQnCTH8obc4wflb4EE7rGHc=,tag:A+1W4Y9eTFe+ukFJqgQ79A==,type:str] nick-smtp: ENC[AES256_GCM,data:oWBPlGwjUZt1/7O+X4PKh1uaAF4nzOhvXJqmdmiIntpi,iv:5LVy5S+46fjX0E3JrZFwuXOpyPycT7iKMVe31zEZL88=,tag:CcFDOpbJTyNCPcOtyX8FMQ==,type:str] torrent: - wireguard-pass: ENC[AES256_GCM,data:fNNHuOvaRRpiS7c9n/l6lB0A1J4VboJxIh+hrMrTfjFS2grpgRATLHhjZ/wo,iv:CVZIG3Gq+O1/qPqu0XBH/5XsTpAe9xe52/CtBHaIOPI=,tag:8RfoFjz0Ecmx8O7Bt/90ig==,type:str] - qbittorrent-pass: ENC[AES256_GCM,data:W1p7cYWbBNeAtEEL7Tb0pG27TSniqTrNMN6gxFFlli27,iv:seiWOr6V8pyjioBkKKEtCXC17RctDScA37E7uFbnmzk=,tag:KYz92O6XUvJob74LnGlYNg==,type:str] + nick-wireguard-pass: ENC[AES256_GCM,data:9vvKbANYt/zuPgIQmYFFhBdN59p6aa8hgErYBv325ByPkeGNrxZYhpzv8d8Y,iv:rJbMKsFRBaRyyCE3fI+2XsmVCxSgGdn7glrF/8QThSU=,tag:cg/JFl1iahoqelvrB/T0nA==,type:str] + nick-qbittorrent-pass: ENC[AES256_GCM,data:KT1L8pFz0sczfftnpGxA8Od0jY3dHzzDWpMf1fSyHsM9,iv:uzLkGIlWhA3+DsQxjdLd+bF4zCgsoKYDIs2W2LHtK2M=,tag:goIJ1uuqyPGHzqJMYq2wQg==,type:str] backblaze: env: ENC[AES256_GCM,data:cdOYt77KocuGB3aqYz13oBokoLkEIgI1AW+cYC5uutgZYujG3PqoLEh6Gvbpzn3O+0OWg1/4UAYr4f2v7oCsgwFzPWS3HrhqC5+kIBjrPCyAnxDxlu2xaQ9hR+ogFh5UTDo=,iv:6+jx4Dj5CNV72DAss6NNYm44f9gSHco/EUBvL2o2CNI=,tag:6/cx84MgTDqQJxu/zINEeA==,type:str] repo: ENC[AES256_GCM,data:sRae9XELIfkWPaXelCdgEXIDbLTHVqGcRO0o+WA9aBfB8MUw92JjRCYgMgGXT0Apy38eszyuEHFB3XPpRmtQ7g==,iv:EilVA9zdHm6B9pTIhNxyj6Th1248nXvh0kpnEqZJ5HI=,tag:q9ASAgx5vgY0IePws4rT5Q==,type:str] 
@@ -86,7 +86,7 @@ sops: bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-08T08:47:33Z" - mac: ENC[AES256_GCM,data:1fQ7q87c3hMVIiHbW8YnCPUxvPtv647MRf//gVX/VKcxHNpO3FGX9jCvXpAh+Y2I0LiNUjZw2Ws9FIraytPMh+3uB7NAnLfCqkR9flL5rBfMLNrujaomFL/bBKCaKc5ruNTHGxF6MQ/s0a5m+lfa1hs9KPqtJnYFLBpyN/RvTQ4=,iv:J9JZlBPqsrspuQ8mgAJ2b8ih+1PATvHDvpI77oTi+yk=,tag:K75aDHyj3ohg+BugfmGqqw==,type:str] + lastmodified: "2025-12-09T03:06:03Z" + mac: ENC[AES256_GCM,data:DaIgPYNrO+owd4978mmvFcLvEoyeAiAo25II2uNmElFCsdcV+1x7N60Vpv6V7eMWYzxdeP2oQllz4GMsJcio8dQtQFEMK9m0uzk+LGftpZSraMMMf1UEounTD6NUS6YfaClvihUCnYIjD9DjF36TIL1mYjPtUNM2RXuksBeib8I=,iv:FdznQqiVBnYqojlj5/sgHshldNhcMWjyUZm5HuT6EMU=,tag:pVigh+nYjqOYE6OxS86qig==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0