upRootNutrition/dotfiles
upRootNutrition/dotfiles
1
0
Fork 0
mirror of https://gitlab.com/upRootNutrition/dotfiles.git synced 2025-12-07 21:42:16 -06:00
Code Issues Projects 1 Releases Packages Wiki Activity Actions

Compare commits

base: upRootNutrition:9ab5ebd35f9334b3abe642e8f983c284f70007e6
Branches Tags
upRootNutrition:main
..
compare: upRootNutrition:4b520563d4db72cef83b47f3257d548bf8fca48d
Branches Tags
upRootNutrition:main

No commits in common. "9ab5ebd35f9334b3abe642e8f983c284f70007e6" and "4b520563d4db72cef83b47f3257d548bf8fca48d" have entirely different histories.
9ab5ebd35f ... 4b520563d4

15 changed files with 87 additions and 229 deletions
Download patch file Download diff file Expand all files Collapse all files

4
modules/config/instances/config/caddy.nix
View file

@ -16,7 +16,7 @@ in
ports = { ports = {
port0 = 80; port0 = 80;
port1 = 443; port1 = 443;
port2 = 8080; port2 = 8443;
port3 = 8443; port3 = 8445; # Opencloud
}; };
} }

2
modules/config/instances/config/firefly-iii.nix
View file

@ -32,7 +32,7 @@ in
]; ];
subdomain = subdomain; subdomain = subdomain;
ports = { ports = {
port0 = 8084; port0 = 8080;
port1 = 8081; port1 = 8081;
}; };
interface = { interface = {

0
modules/config/instances/config/opencloud1.nix → modules/config/instances/config/opencloud.nix
View file

56
modules/config/instances/config/opencloud0.nix
View file

@ -1,56 +0,0 @@
{ moduleFunctions }:
let
inherit (moduleFunctions.instancesFunctions)
domain0
sslPath
varPath
mntPath
secretPath
;
label = "OpenCloud";
name = "opencloud";
short = "cloud";
domain = "${short}.${domain0}";
secrets = "${secretPath}/${name}";
ssl = "${sslPath}/${domain}";
in
{
label = label;
name = name;
short = "Cloud";
domains = {
url0 = domain;
};
subdomain = short;
tags = [
name
"opencloud"
"cloud"
];
ports = {
port0 = 9200;
};
interface = {
id = "vm-${short}";
mac = "02:00:00:00:56:09";
idUser = "vmuser-${short}";
macUser = "02:00:00:00:00:09";
ip = "192.168.50.119";
gate = "192.168.50.1";
ssh = 2209;
};
ssl = {
path = ssl;
cert = "${ssl}/fullchain.pem";
key = "${ssl}/key.pem";
};
varPaths = {
path0 = "${varPath}/${name}";
};
mntPaths = {
path0 = "${mntPath}/${name}";
};
secretPaths = {
path0 = secrets;
};
}

5
modules/nixos/default.nix
View file

@ -46,6 +46,7 @@ in
inherit (modules) inherit (modules)
acme acme
caddy caddy
ceresOpenCloud
comfyui comfyui
firefly-iii firefly-iii
forgejo forgejo
@ -55,7 +56,6 @@ in
microvm microvm
minecraft minecraft
ollama ollama
opencloud1
projectSite projectSite
qbittorrent qbittorrent
restic restic
@ -70,9 +70,10 @@ in
eris = { eris = {
imports = builtins.attrValues { imports = builtins.attrValues {
inherit (modules) inherit (modules)
acme
caddy
impermanence impermanence
microvm microvm
opencloud0
sambaEris sambaEris
; ;
}; };

42
modules/nixos/guests/opencloud/opencloud1/default.nix → modules/nixos/guests/opencloud/ceresOpenCloud/default.nix
View file

@ -7,7 +7,7 @@
let let
inherit (flake.config.people) user0; inherit (flake.config.people) user0;
inherit (flake.config.services) instances; inherit (flake.config.services) instances;
serviceCfg = instances.opencloud1; serviceCfg = instances.opencloud;
hostCfg = instances.web; hostCfg = instances.web;
dns = instances.web.dns.provider1; dns = instances.web.dns.provider1;
localhost = instances.web.localhost.address1; localhost = instances.web.localhost.address1;
@ -32,6 +32,7 @@ in
stateDir = "/var/lib/${serviceCfg.name}"; stateDir = "/var/lib/${serviceCfg.name}";
environmentFile = "/run/secrets/projectenv"; environmentFile = "/run/secrets/projectenv";
}; };
openssh = { openssh = {
enable = true; enable = true;
settings = { settings = {
@ -40,11 +41,13 @@ in
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
22 # SSH 22 # SSH
587 # SMTP 587 # SMTP
serviceCfg.ports.port0 serviceCfg.ports.port0
]; ];
systemd = { systemd = {
services = { services = {
systemd-networkd.wantedBy = [ "multi-user.target" ]; systemd-networkd.wantedBy = [ "multi-user.target" ];
@ -52,28 +55,17 @@ in
path = [ pkgs.inotify-tools ]; path = [ pkgs.inotify-tools ];
}; };
opencloud-fix-permissions = { opencloud-fix-permissions = {
description = "Fix OpenCloud storage permissions"; description = "Fix OpenCloud storage permissions on file changes";
after = [ "opencloud.service" ]; after = [ "opencloud.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "simple";
ExecStart = pkgs.writeShellScript "fix-perms" '' ExecStart = pkgs.writeShellScript "fix-perms-on-change" ''
echo "Starting permission fix..." ${pkgs.inotify-tools}/bin/inotifywait -m -r -e create,moved_to /var/lib/opencloud/storage --format '%w%f' | while read filepath; do
${pkgs.coreutils}/bin/chown opencloud:opencloud "$filepath"
OPENCLOUD_UID=$(id -u opencloud)
echo "OpenCloud UID: $OPENCLOUD_UID"
find /var/lib/opencloud/storage/users -type f ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r file; do
echo "Fixing file: $file"
chown opencloud:opencloud "$file" 2>/dev/null || true
done done
find /var/lib/opencloud/storage/users -type d ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r dir; do
echo "Fixing dir: $dir"
chown opencloud:opencloud "$dir" 2>/dev/null || true
done
echo "Permission fix complete"
''; '';
Restart = "always";
User = "root"; User = "root";
}; };
}; };
@ -82,7 +74,7 @@ in
description = "Periodically fix OpenCloud storage permissions"; description = "Periodically fix OpenCloud storage permissions";
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
timerConfig = { timerConfig = {
OnBootSec = "30s"; OnBootSec = "1min";
OnUnitActiveSec = "1min"; OnUnitActiveSec = "1min";
Unit = "opencloud-fix-permissions.service"; Unit = "opencloud-fix-permissions.service";
}; };
@ -106,11 +98,14 @@ in
]; ];
}; };
}; };
tmpfiles.rules = [ tmpfiles.rules = [
"d ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" "d ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
"z /etc/opencloud 0700 ${serviceCfg.name} ${serviceCfg.name} -" "z /etc/opencloud 0700 ${serviceCfg.name} ${serviceCfg.name} -"
]; ];
}; };
microvm = { microvm = {
vcpu = 1; vcpu = 1;
mem = 1024 * 1; mem = 1024 * 1;
@ -163,18 +158,19 @@ in
}; };
environment.systemPackages = builtins.attrValues { environment.systemPackages = builtins.attrValues {
inherit (pkgs) inherit (pkgs)
inotifywait
opencloud opencloud
; ;
}; };
}; };
}; };
}; };
security.acme.certs."${host}" = { security.acme.certs."${host}" = {
dnsProvider = dns; dnsProvider = dns;
environmentFile = config.sops.secrets.${dnsPath}.path; environmentFile = config.sops.secrets.${dnsPath}.path;
group = "caddy"; group = "caddy";
}; };
services.caddy.virtualHosts = { services.caddy.virtualHosts = {
"${host}" = { "${host}" = {
extraConfig = extraConfig =
@ -193,7 +189,9 @@ in
''; '';
}; };
}; };
users.users.caddy.extraGroups = [ "acme" ]; users.users.caddy.extraGroups = [ "acme" ];
systemd = { systemd = {
tmpfiles.rules = [ tmpfiles.rules = [
"d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
@ -201,10 +199,12 @@ in
"d ${serviceCfg.mntPaths.path0}/config 0751 microvm wheel - -" "d ${serviceCfg.mntPaths.path0}/config 0751 microvm wheel - -"
]; ];
}; };
sops.secrets = { sops.secrets = {
"${serviceCfg.name}/projectenv" = { "${serviceCfg.name}/projectenv" = {
owner = "root"; owner = "root";
mode = "0600"; mode = "0600";
}; };
}; };
} }

111
modules/nixos/guests/opencloud/opencloud0/default.nix → modules/nixos/guests/opencloud/erisOpenCloud/default.nix
View file

@ -1,4 +1,5 @@
{ {
config,
flake, flake,
pkgs, pkgs,
... ...
@ -6,17 +7,22 @@
let let
inherit (flake.config.people) user0; inherit (flake.config.people) user0;
inherit (flake.config.services) instances; inherit (flake.config.services) instances;
serviceCfg = instances.opencloud0; serviceCfg = instances.vaultwarden;
hostCfg = instances.web; hostCfg = instances.web;
dns = instances.web.dns.provider1;
localhost = instances.web.localhost.address1; localhost = instances.web.localhost.address1;
host = serviceCfg.domains.url0; host = "${serviceCfg.subdomain}.${flake.inputs.linkpage.secrets.domains.projectsite}";
dnsPath = "dns/${dns}";
in in
{ {
microvm.vms = { microvm.vms = {
opencloud = { projectcloud = {
autostart = true; autostart = true;
restartIfChanged = true; restartIfChanged = true;
config = { config = {
environment.systemPackages = with pkgs; [
inotify-tools
];
system.stateVersion = "24.05"; system.stateVersion = "24.05";
time.timeZone = "America/Winnipeg"; time.timeZone = "America/Winnipeg";
users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
@ -27,7 +33,7 @@ in
port = serviceCfg.ports.port0; port = serviceCfg.ports.port0;
address = localhost; address = localhost;
stateDir = "/var/lib/${serviceCfg.name}"; stateDir = "/var/lib/${serviceCfg.name}";
environmentFile = "/run/secrets/env"; environmentFile = "/run/secrets/projectenv";
}; };
openssh = { openssh = {
@ -46,51 +52,10 @@ in
]; ];
systemd = { systemd = {
services = {
systemd-networkd.wantedBy = [ "multi-user.target" ];
opencloud = {
path = [ pkgs.inotify-tools ];
};
opencloud-fix-permissions = {
description = "Fix OpenCloud storage permissions";
after = [ "opencloud.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.writeShellScript "fix-perms" ''
echo "Starting permission fix..."
OPENCLOUD_UID=$(id -u opencloud)
echo "OpenCloud UID: $OPENCLOUD_UID"
find /var/lib/opencloud/storage/users -type f ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r file; do
echo "Fixing file: $file"
chown opencloud:opencloud "$file" 2>/dev/null || true
done
find /var/lib/opencloud/storage/users -type d ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r dir; do
echo "Fixing dir: $dir"
chown opencloud:opencloud "$dir" 2>/dev/null || true
done
echo "Permission fix complete"
'';
User = "root";
};
};
};
timers.opencloud-fix-permissions = {
description = "Periodically fix OpenCloud storage permissions";
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "30s";
OnUnitActiveSec = "1min";
Unit = "opencloud-fix-permissions.service";
};
};
network = { network = {
enable = true; enable = true;
networks."20-lan" = { networks."20-lan" = {
matchConfig.Name = "enp0s6"; matchConfig.Name = "enp0s5";
addresses = [ addresses = [
{ Address = "${serviceCfg.interface.ip}/24"; } { Address = "${serviceCfg.interface.ip}/24"; }
]; ];
@ -108,15 +73,16 @@ in
}; };
tmpfiles.rules = [ tmpfiles.rules = [
"d ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
"z /etc/opencloud 0700 ${serviceCfg.name} ${serviceCfg.name} -"
]; ];
}; };
systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];
microvm = { microvm = {
vcpu = 1; vcpu = 4;
mem = 1024 * 1; mem = 4096;
hypervisor = "qemu"; hypervisor = "qemu";
interfaces = [ interfaces = [
{ {
@ -147,15 +113,9 @@ in
{ {
mountPoint = "/var/lib/${serviceCfg.name}"; mountPoint = "/var/lib/${serviceCfg.name}";
proto = "virtiofs"; proto = "virtiofs";
source = "${serviceCfg.mntPaths.path0}/data"; source = serviceCfg.mntPaths.path0;
tag = "${serviceCfg.name}_data"; tag = "${serviceCfg.name}_data";
} }
{
mountPoint = "/etc/opencloud";
proto = "virtiofs";
source = "${serviceCfg.mntPaths.path0}/config";
tag = "${serviceCfg.name}_config";
}
{ {
mountPoint = "/run/secrets"; mountPoint = "/run/secrets";
proto = "virtiofs"; proto = "virtiofs";
@ -164,26 +124,37 @@ in
} }
]; ];
}; };
environment.systemPackages = builtins.attrValues {
inherit (pkgs)
inotify-tools
opencloud
;
};
}; };
}; };
}; };
systemd = { security.acme.certs."${host}" = {
tmpfiles.rules = [ dnsProvider = dns;
"d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" environmentFile = config.sops.secrets.${dnsPath}.path;
"d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -" group = "caddy";
"d ${serviceCfg.mntPaths.path0}/config 0751 microvm wheel - -"
];
}; };
services.caddy.virtualHosts = {
"${host}" = {
extraConfig = ''
reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} {
redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301
tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
'';
};
};
users.users.caddy.extraGroups = [ "acme" ];
systemd.tmpfiles.rules = [
"d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
];
sops.secrets = { sops.secrets = {
"${serviceCfg.name}/env" = { "${serviceCfg.name}/projectenv" = {
owner = "root"; owner = "root";
mode = "0600"; mode = "0600";
}; };

32
modules/nixos/services/caddy/default.nix
View file

@ -1,41 +1,19 @@
{ flake, config, ... }: { flake, ... }:
let let
inherit (flake.config.services) instances; inherit (flake.config.services) instances;
inherit (flake.config.machines.devices) eris;
opencloud = instances.opencloud0;
dns = instances.web.dns.provider0;
opencloudHost = opencloud.domains.url0;
dnsPath = "dns/${dns}";
service = instances.caddy; service = instances.caddy;
in in
{ {
services.caddy = { services.caddy = {
enable = true; enable = true;
virtualHosts = {
"${opencloud.domains.url0}" = {
extraConfig = ''
reverse_proxy ${opencloud.interface.ip}:${toString opencloud.ports.port0} {
header_up X-Real-IP {remote_host}
}
redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301
tls ${opencloud.ssl.cert} ${opencloud.ssl.key}
'';
};
};
};
security.acme.certs."${opencloudHost}" = {
dnsProvider = dns;
environmentFile = config.sops.secrets.${dnsPath}.path;
group = "caddy";
}; };
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
service.ports.port0 # 80 service.ports.port0
service.ports.port1 # 443 service.ports.port1
]; ];
}; };
}; };

2
modules/nixos/services/restic/default.nix
View file

@ -31,7 +31,7 @@ in
(inst "firefly-iii") (inst "firefly-iii")
(inst "forgejo") (inst "forgejo")
(inst "mastodon") (inst "mastodon")
(inst "opencloud1") (inst "opencloud")
(inst "minecraft0") (inst "minecraft0")
(inst "minecraft1") (inst "minecraft1")
(inst "vaultwarden") (inst "vaultwarden")

3
modules/nixos/services/samba/sambaEris/default.nix
View file

@ -12,10 +12,11 @@ in
# sudo smbpasswd -a username # sudo smbpasswd -a username
services = { services = {
samba = { samba = {
# package = pkgs.samba4Full;
enable = true; enable = true;
openFirewall = true; openFirewall = true;
settings = { settings = {
"storage" = { "raid0" = {
path = "/mnt/storage"; path = "/mnt/storage";
writable = "yes"; writable = "yes";
"valid users" = user0; "valid users" = user0;

2
profiles/user0/default.nix
View file

@ -67,8 +67,6 @@ in
file = file =
if hostname == devices.ceres.name then if hostname == devices.ceres.name then
{ } { }
else if hostname == devices.eris.name then
{ }
else else
{ {
"./justfile" = import ./files/misc/justfile.nix { inherit flake config lib; }; "./justfile" = import ./files/misc/justfile.nix { inherit flake config lib; };

7
secrets/secrets.yaml
View file

@ -1,7 +1,7 @@
ssh: ssh:
private: ENC[AES256_GCM,data:XJk/gjPkFeSZtPkKYS2vRHqMY/X5zRaDlS4UwzUvjm9MvTgdhoXUlqvFC0Dl5SZhRlY+XXAuG7gIIUESzCFWQKdOoUcto3r0WSuIm9EwLKXnnaHemeFVHYgZU9Rz45PK6yFWUC06+n56b2A1dFXftjeXcCqaQrT/jk3RDSHmhW9u7QgDmhhaybxXOrzkup2U8kjhrMmRBcf4xP//nihuzHcyYX75ONr56bgkjl6gpZTfZrn2ad8b+4iGn+rElzf7RHAG0mwTeEX2kYRyafaanGuc2xTnZubBAYDnc1eM6T99PXC0iWh/lUKc1zG1l18UchWzgvl3sPK0Cb2/5aaFMUk2ET6kVOlpKyGc94MRpyv3iUi8soFjh34sWH3mFtec2OWfIxDhoVfZoc2hmP2Hflfjp7acwaMskFBHaCSO2DGtNmN3hSUhAAeLx8OZupSIJmDVpq00qKUbN+5z4K78AdGuUOP07cE889evNniCHLP6yPav7tIulnBS9lD2U+CbqF7vMtdZx/eYFwJjmMtE,iv:JxSytvXKWLHDedlE0Wq5YpPUnfb0HoQgKJ2bt1Z8yqk=,tag:MjOoUSWsHWHgxp0yu9YQFA==,type:str] private: ENC[AES256_GCM,data:XJk/gjPkFeSZtPkKYS2vRHqMY/X5zRaDlS4UwzUvjm9MvTgdhoXUlqvFC0Dl5SZhRlY+XXAuG7gIIUESzCFWQKdOoUcto3r0WSuIm9EwLKXnnaHemeFVHYgZU9Rz45PK6yFWUC06+n56b2A1dFXftjeXcCqaQrT/jk3RDSHmhW9u7QgDmhhaybxXOrzkup2U8kjhrMmRBcf4xP//nihuzHcyYX75ONr56bgkjl6gpZTfZrn2ad8b+4iGn+rElzf7RHAG0mwTeEX2kYRyafaanGuc2xTnZubBAYDnc1eM6T99PXC0iWh/lUKc1zG1l18UchWzgvl3sPK0Cb2/5aaFMUk2ET6kVOlpKyGc94MRpyv3iUi8soFjh34sWH3mFtec2OWfIxDhoVfZoc2hmP2Hflfjp7acwaMskFBHaCSO2DGtNmN3hSUhAAeLx8OZupSIJmDVpq00qKUbN+5z4K78AdGuUOP07cE889evNniCHLP6yPav7tIulnBS9lD2U+CbqF7vMtdZx/eYFwJjmMtE,iv:JxSytvXKWLHDedlE0Wq5YpPUnfb0HoQgKJ2bt1Z8yqk=,tag:MjOoUSWsHWHgxp0yu9YQFA==,type:str]
public: ENC[AES256_GCM,data:Cn4hutHHeptbefHOKK7zv5TmveGOqfHAwGHogDq9sRmeb+b1lzHwj7qvg8lcnlJtIo4qS+TrKtSj5ZCsPNXOhWG1rkk97gTfPMbcxj5f1O3WJigL2wsrB2cQgc5UsA==,iv:ID4zRdr/efClOAHbXzxG1bNuJR0A2qbydzGlMhvEcRE=,tag:qbIoaGb+RXxRRkkQtuX7/A==,type:str] public: ENC[AES256_GCM,data:Cn4hutHHeptbefHOKK7zv5TmveGOqfHAwGHogDq9sRmeb+b1lzHwj7qvg8lcnlJtIo4qS+TrKtSj5ZCsPNXOhWG1rkk97gTfPMbcxj5f1O3WJigL2wsrB2cQgc5UsA==,iv:ID4zRdr/efClOAHbXzxG1bNuJR0A2qbydzGlMhvEcRE=,tag:qbIoaGb+RXxRRkkQtuX7/A==,type:str]
hosts: ENC[AES256_GCM,data:dfvIxDI75SnfEVeHQPfNWTfNBC8payffDCgLUyrf2U9xBFEXCE+LqaIlmiXOaFoZK6GyEwgqWyR1fPeYF+Txwe7oF1YPRF7Fg4+OYSZ/IWzUwlk8xblKvqDhF6ZBeYICFaEJ+pc6Cc3XnfLOk4M1rJqUSjhWoomKF3XNbyEbl2OfU3Yptn4dZmc9W9KQEZyduwakSz1K3nD+8EWx/qCU2O1Ga0DXol1BM+p++HKG7L5m7+B1r29mo96c08P5Rhi+s+lKgz0HsSRBzXRlA+wsueDJ8pKdNWp5QOf2TWoQ7eVmVyltlJsw7yFAzTYu/h9tisU0UWtEiHw5J7yGzTznY/4OKIObD//bD7+SANIrdXV1Wr9e3mzT81FRhMCtVZJK7u5nT1o2/vXg+tMl/t0kgus2BWZ2KFo5UOjppoS4BCEnHF16tw0jBwiUVlF5lxs+czOML9wWo/GkEkcJ2SaynXzu1qXEewzueLHl7Ghz4qWesimu9vPhe5d2PxvZsT8Ell3raryylLaawyN/W2Ea57Fn0I9UVW839PFYwn+XGhoh8SfufmY4hZj1WIg4L8tdCyfcoB0gOo8aKsNmQht2BAUb01eMeSNHdPduFjcNC5MZLJqz5pBY1a192R2mAzbpa70yBetDewOYfGkSAdSgo7DZMNYd/0Krf0Fh2QsE0NkQee6dQi70XoQ7gJaBpFED3GEvOg8oRTyZPHoNEbGFU/g/A0YaHj/S5RbmIaF9xUd1UcQjUnQ2+OzrPDnT3zYIFks8PostlDvTBS4399yDydzIV9Khk3U3qZqCtWxBO8Ny/1v1dESBtWZsZdC4yvhIvhkMx0roHcHxw0W4Kkp1cfGOTMuTSHMsApURJVNHfBLlKjBV+sHIQhYwRmYSiCKyM/HwvVyZERU5R/zubHIDxfPaYN7vs4aPmtF1gKAD83TP5bwEIT48OQdIZwycNhFQQZWZTBRT8f79W6d5/Q2bjY3j60xA/q4K96rFfa8lK2OSl3HGB1e8rBovG91VNuf8DOdiLB/6CQzXXAaGCNgDD6fxW38MooOhmr+gfdJOLyIKoWULBRIPGIBESp3iRt4mlQrwnQTcHI7RXFOo6S4tt/k4sbBjMp4ZgPA/cqpIyzc9GHVV6R6xaqY2A6o4rEmvlzIAoXkEfO+Jn+ZClonuQ5jK3VnnHoGydldW7VMPfM/hDzQO9dsSFkiWHvIhAMuAOKUuWsCyHHzY4ReG4evvTLgbf7/wpdbpAFelMaNjlxrRisXyPmvw+nxNC7y+XwkroEfBPVULivocLVyTZx+6xRRQ/2p0lF20Qv4Dp21C6nOWwuooMbQPGgpm1Yt35W2B2DbZyAq1akF/j7cmkfmIwSs87/fr2z1b738BEZsgETjWN3L3DZdikSH1cTlSxAuJn7fSlVhp//mA+ha+plmNGrqAUhwv5jilGqS2/aWE03lnLRSAD82dHEHflvAafa9p5/qII2X+tDoJHQNEERvbAjec4pekE++s777ZOMHMj5QzoZYB1sIeoWQMLT1y4xXXXyVvUubtA3mKUqLTh1ppS3IUizu9841j2yWkRUBJ1OrdiEFrkAC9qyKJkh0LV6XxwZnVa7yD1+kAWwCg+P7RZ+Pqqj2gifg7N8QsZo9O8ugFmgK58neH5Xe1moZXAP0n9A==,iv:N+l6jqTz8AA2uWb6txur85ZelwBae9ZXfOWgjUz9BJE=,tag:UYUMeHnid7MaWYcemwJSdQ==,type:str] hosts: ENC[AES256_GCM,data:paJLnlvk5GWjQeaiLkjThyyBzUNW0q6bBNs7+yykpgQFw9U1yyIJxObVgSgK3uQXZKGMMoZhbLKvYTSaxsvHNkGbtTpOD39uK2tT8Jx1ZFfSDe42KT1UHdksecmFFIxIcbtjx6+JhEs8dN1DoLESUQK35nvuT4m4GcnmzONGxIzScP199GApOUKHK2S88D+EbmVUawGjb6a6Y1yFuim/C2n6HCWvk9w9rK3tq1G+E0qZlrHqp/7O8SMYezEcE5YhH4ccQwtvhVeuj8CaSstDBhiW6RZT9fPCgb3IYLXmCiCQaYChpbP8alCazQQ4QzTtfSuDfzhPfde7YJL5/we9k3Xt9TWB0anqdBvyM0duXj7DFDpACz0vcE4360ZgIE+YAv3ABUxHpnh+j7hKEr69Wrhs0vtoiMG/BvjqlP8G3ZXwzVRaxhnk07mlQAqIrxOEyR+/YETg8P6YKrXN9bVhCwpn5TlOw2tUg+ZdPVWZhvH3XZbdgbOn0DSzvKT/7p+ouhH+w9fJvjmV1Oepu27fuhhbx5cimlouwLzVOCiy1MMm5zyV3f3h34oT8LVwEp8S11gRaZBPRP2YtgWSovXEEuimYtvXqH0cCoMfsxCS2u1ZxHdr0a6LhLP9yckFndRNutjeP9Ve5H7Ml3amMt7I6GDJCXOX6oMJ9LrCntsAWuSPtk3Yvw59aAUO7f1OAV6H18vhcGo+vDrE9OwYY9HcbQWtTrCUSZSUzeCkplbfYqsOmkfjFd63ZoRomar66/i/4L+D6XRcJHwxxmnBSovRLTbSSVJtW5JwRPH/LZMKctjB2p4EUWHIG9C17oXRF8nRAQLNoqfnp5jIewLqQzHN9/ONQzINWGfzhtJRXmK3RIi/L4lS5i3UKp8vKLI9QuY1a93B1/Cc+IqpR3rTx6wIFl9t375ECZSDUzbULlqzWnyAgAUKuyzUZ9+dTJVG8BCeNmF2+inNN0GOpPLow8OdDZK0R0Aj9YY+9vj1CljCkrB3377BSgEM7RZM8CpZW5m+NuwdF+wSPcTBzc0JXUTUFC8GasHJ5WaOQP68ETeAAqU+2Di/5pLPLPxKFDsAUprNY7bVrZq2b/GGqXtpiB8lVjuKiK1Tm43/ErAQmMt8RDOz1f5sQ2ewJmhUkKigeUxQPyjhAD818K7kBtvJCEaLSMqCC74BUNStp7f36OP6cwQvz/1bIjHb2Cg8YuiDy9DY46FgNEBtLMt3iFhSfMsV+JaKASsrx2w45JtJbr08vmq0/aLFWBwkGShxBDWbJvcSys1y6yMdSNV59v7xNjub7OY79VGSA9wS86Tf/TKFTSzSLMUdpCzeSTmkOWEMY+QxM/CGMuVoBmmxGkMboB+WU6AsVwr/3lxFsGhaupp6TgTMlXwmdWsNYB3E6YaFiTExB0BpJEA/qLOC1K0JBp+uTp9EnC/TmJAofNgaNA3AHWCVtNegXrpxlvACE3qG7ap7T1qlZNzcEyaTIpEivWrI/WT73a2TMlj6/nXd4NCGzkXbH8qv4oOT+urodglq05JjcM8PYLtFHcEFp1nue8HqAJXw2IvHf77ZPUbhvawwWABll/gBEl4Yb18OjWazaOcm8HaJQhiOQgde1Y4kvpP3NqsLi1atzZvbKgQHFIGeI9WUmPoLyMzd7FndvoQOT2dukSIRcz+kuXQqEbNs,iv:2aNCRzV0knKNrZGYNXahGS5WQkYzzqzu4aul1w0twPM=,tag:PXBdIdUL/5TqVaZAyF6Rpg==,type:str]
network: network:
server: ENC[AES256_GCM,data:EFsmXNkuf5OAMh8hjfZTixmmdjqBNIME9JjQC8azeCwcMVInm8bWdxE4OqFmxOk9MAU=,iv:pI6WeM2aQC+7vx1Xmp5O2rikqNLgzuEOg+Lo7TqFQxU=,tag:ElcA8mn9dx+IjIf38nKT5A==,type:str] server: ENC[AES256_GCM,data:EFsmXNkuf5OAMh8hjfZTixmmdjqBNIME9JjQC8azeCwcMVInm8bWdxE4OqFmxOk9MAU=,iv:pI6WeM2aQC+7vx1Xmp5O2rikqNLgzuEOg+Lo7TqFQxU=,tag:ElcA8mn9dx+IjIf38nKT5A==,type:str]
fallaryn: ENC[AES256_GCM,data:O77hH3STB6zpl0b9iXsVu9OOrlLKUwfs2qI9hdqX4kMuBs3XgT/xsQ==,iv:RDKsuJoy+LIyADMc3bgOEmLKdXtu6kad2aeVetuZdJI=,tag:MrpCZ+iJUnGIjeHMgcYG6Q==,type:str] fallaryn: ENC[AES256_GCM,data:O77hH3STB6zpl0b9iXsVu9OOrlLKUwfs2qI9hdqX4kMuBs3XgT/xsQ==,iv:RDKsuJoy+LIyADMc3bgOEmLKdXtu6kad2aeVetuZdJI=,tag:MrpCZ+iJUnGIjeHMgcYG6Q==,type:str]
@ -47,7 +47,6 @@ wireguard:
glance: glance:
jellyfin: ENC[AES256_GCM,data:Ddpv23kdMGTWvlemn7o5M2ARQ+NuzUfgO9eLuMnRh/kt,iv:RiMRQPoyHtQqqc3wx48g1+Ip3meuCKSOniLZq2iJ3i4=,tag:B2sZT8R4ZnLIKiUMaU3L+w==,type:str] jellyfin: ENC[AES256_GCM,data:Ddpv23kdMGTWvlemn7o5M2ARQ+NuzUfgO9eLuMnRh/kt,iv:RiMRQPoyHtQqqc3wx48g1+Ip3meuCKSOniLZq2iJ3i4=,tag:B2sZT8R4ZnLIKiUMaU3L+w==,type:str]
opencloud: opencloud:
env: ENC[AES256_GCM,data:/bzPV7JRZncxMPOI7559IP5SZFBYA6n2WOZRPifBU/TRO67aM5N3cIwNfmpT3OEBs55RxujodAIDVGTQECnbWsh6RpbxfXb7DWnqQHiatBju70oeWZpa/cX1CiZsg9ma19O55PRmHD9kZYvIwPAnWo6FDRZJ/iwUz4qZpgPR1RuMBoxRZfZ9zDaf5yTwFbAuGEyY8cZghMC24uOXGTOoYsN2wGhog/EYFA2/Kw73xC6xMK+/GtwRJDJq7NEfWiwReM2Lxb/mc3EAtlzX9fWP/xE5o5FsnC7VZGc5HWV832wLpUjt+Fcw3d+Mb2aB2qRHTcXV891j8qnESnSYoZsTiJz1EPiIeebWFdNmfDqAAn5Kz/IVUaiPlDew26tq6aFr5JFVVxdmIgqtOgZyWmEPkr6K7joTl5kbEK1vT6ulaBA8UroY6tu529m9DXF2y6dWbNRqaQ18nq6GEZOL1WIAJ3PIGEh1x0f18jXTfPmEKMuUcWQ983B+sMyZFBU/Z5LDojsuwrEVvj/28MX7XM9TbvFmgW3J9x2LgN32B0Q01pZfvhHBh4VJc0E0hYX9b9r+MHTTxaH7/iyNWLAuwFkGL/+zcYyanwIOYmvO85r4affkWcvpltAIIJECrKJO8qf4uSw1K409QDKAtF0IVf5mjw8zddAThuo=,iv:xGkn4l8LxBZeAyLvOIgEMoxP91yzCvnGTHH7BfqW4ys=,tag:w7IlZdW5/BIAv9dbfqNfQg==,type:str]
projectenv: ENC[AES256_GCM,data:NQuJeomWD+uaq+g5uGft/ecsWTNEpWkOi+vWQ9nXV3KRHDAeB9mCJuvxoj+642Q+hnq3zAH2fZ7KTa3W3UcizPbFIltoJMzh5E2vDteuEEYNXX2cJJLJir9b421Gsb9sB/5d8Mz+K0BhDPTG+fByR+O1XqoaSLbnqEGrdzje/6t/e2Eyse4+qE3oUvZkzJsGTHM+rkM+EE9NXXMd5dCvfZAzmnRnsLRWL/Axnv93s0lfTM2pDs0/+E4wAcRI2KLH08pQyRRAWJ7A0VB2d4hH6hYOerqAPVAtTBR5j7yDHeR3IyHMk4xzh35zz5MMfi2zSABBfzv6PXOaiYmuUPaZ7WH1ZJjfVdR+AIzMma3SFRn8n2fNdR11gX/ZBfaI0YLHg7rHZJ9JJM88poh1D3dByrkGVPRDRQMZpSUQPay8lymrjMAsjAlpWjUvVpELR99BTMpto3IB2D5aY7btHuUskBhIBl7nWTRKfGg8ScDaPgJeARNd78bfvXY5mtnUdT8m38m4AH7DTWpQ3rajHBJITbiLZaUDx7NxcYCVAJAjcQgJoV6fC/PCsMbUxwxlfjgnrirIRjGrA29+l784oMlNJuHQyAmFq9Ffe6GJUJP1WA5DIvxypBcGC3w4nUE6u/HyzFz7AcIpx2GCDIeC2UjsQgnr0ujzGb38/nM88+x8IWra,iv:YQR0CDFNDgeRwm+Q8xN7SYQ4Jo3PfneciGtIOhRDJOY=,tag:OArVLjnc3ZT2EAqP9QpzQQ==,type:str] projectenv: ENC[AES256_GCM,data:NQuJeomWD+uaq+g5uGft/ecsWTNEpWkOi+vWQ9nXV3KRHDAeB9mCJuvxoj+642Q+hnq3zAH2fZ7KTa3W3UcizPbFIltoJMzh5E2vDteuEEYNXX2cJJLJir9b421Gsb9sB/5d8Mz+K0BhDPTG+fByR+O1XqoaSLbnqEGrdzje/6t/e2Eyse4+qE3oUvZkzJsGTHM+rkM+EE9NXXMd5dCvfZAzmnRnsLRWL/Axnv93s0lfTM2pDs0/+E4wAcRI2KLH08pQyRRAWJ7A0VB2d4hH6hYOerqAPVAtTBR5j7yDHeR3IyHMk4xzh35zz5MMfi2zSABBfzv6PXOaiYmuUPaZ7WH1ZJjfVdR+AIzMma3SFRn8n2fNdR11gX/ZBfaI0YLHg7rHZJ9JJM88poh1D3dByrkGVPRDRQMZpSUQPay8lymrjMAsjAlpWjUvVpELR99BTMpto3IB2D5aY7btHuUskBhIBl7nWTRKfGg8ScDaPgJeARNd78bfvXY5mtnUdT8m38m4AH7DTWpQ3rajHBJITbiLZaUDx7NxcYCVAJAjcQgJoV6fC/PCsMbUxwxlfjgnrirIRjGrA29+l784oMlNJuHQyAmFq9Ffe6GJUJP1WA5DIvxypBcGC3w4nUE6u/HyzFz7AcIpx2GCDIeC2UjsQgnr0ujzGb38/nM88+x8IWra,iv:YQR0CDFNDgeRwm+Q8xN7SYQ4Jo3PfneciGtIOhRDJOY=,tag:OArVLjnc3ZT2EAqP9QpzQQ==,type:str]
caddy: caddy:
share-auth: ENC[AES256_GCM,data:3jY2B2GOdz5EPJeAyVsk4XCs5NMft3VquIBep7SxYtEZ9H7IDroq1U1Sch6YVQ7VcL85L4Ix/OVPm4jVDEA0sZiGkltbYXRXZ8CR34ifsHtHR35lgjXyj8ZhJLydw7LgmZCEztWO8GjLdvSY,iv:MT5sA32Djx81HGc36rqV2xS5KUHLAeTyZiOdSu8oqQY=,tag:V1dv4yS2RXf4Xqrl5+tEuA==,type:str] share-auth: ENC[AES256_GCM,data:3jY2B2GOdz5EPJeAyVsk4XCs5NMft3VquIBep7SxYtEZ9H7IDroq1U1Sch6YVQ7VcL85L4Ix/OVPm4jVDEA0sZiGkltbYXRXZ8CR34ifsHtHR35lgjXyj8ZhJLydw7LgmZCEztWO8GjLdvSY,iv:MT5sA32Djx81HGc36rqV2xS5KUHLAeTyZiOdSu8oqQY=,tag:V1dv4yS2RXf4Xqrl5+tEuA==,type:str]
@ -79,7 +78,7 @@ sops:
bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-05T02:46:10Z" lastmodified: "2025-12-01T00:55:01Z"
mac: ENC[AES256_GCM,data:O0NMjjNBFbpD7dIEWuiezkrnr5Y+3meL322kLoSr5JFaOkGPKjpOSXdxRrf0cItdRWN06jFJGv53qd2N7lGN3afo+QzUzkepnxhlwlvE7/CwXpMrfHLAERa50lto0VHcHht1MgPnPa7/694mvoWQ9sG/kwEtTDix91YgeRH5eis=,iv:ng4l1IH7xO9+ewe5nRHydjxw0eyXtoiIvekIiUYtAbQ=,tag:8yNt5yA2D/FBWjYli7I8ag==,type:str] mac: ENC[AES256_GCM,data:TlAyw4R25haTPzkDndYQI2TK9Uwc88Lwa/r40u0utMfflAz6v8HAbC8fm7jVqw+YzahbL+rRRCIjRHNbFPReflMeY3vxgPRgOHDb3FOL23sxuRDHcAx8m3R+/udY98PIMT9d40QxHGwBK76z0yMKSoDHgQFKF/5hhrQgwLHQx5Q=,iv:ev4chBe52ZAgzRTY0rDe92w+X0xGIibhp36NtaY1kes=,tag:r3OaebNEZtuQTV3D8g4UyQ==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.11.0

10
systems/eris/config/filesystem.nix
View file

@ -104,12 +104,10 @@ in
btrfs subvolume create /btrfs_tmp/root btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp umount /btrfs_tmp
''; '';
swraid = { swraid.enable = true;
enable = true; # mdadmConf = ''
mdadmConf = '' # ARRAY /dev/md0 metadata=1.2 name=eris:storage UUID=64659038:a939a18d:8cdc0f3f:97171a50
ARRAY /dev/md0 metadata=1.2 name=eris:storage UUID=64659038:a939a18d:8cdc0f3f:97171a50 # '';
'';
};
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"Z ${config.home-manager.users.${user0}.home.homeDirectory} 0755 ${user0} users -" "Z ${config.home-manager.users.${user0}.home.homeDirectory} 0755 ${user0} users -"

38
systems/eris/config/networking.nix
View file

@ -1,4 +1,5 @@
{ {
lib,
flake, flake,
... ...
}: }:
@ -6,44 +7,11 @@ let
inherit (flake.config.machines.devices) eris; inherit (flake.config.machines.devices) eris;
in in
{ {
microvm.host.enable = true;
systemd.network = {
enable = true;
netdevs."10-br-vms" = {
netdevConfig = {
Name = "br-vms";
Kind = "bridge";
};
};
networks = {
"20-enp3s0" = {
matchConfig.Name = "enp3s0";
networkConfig = {
Bridge = "br-vms";
};
};
"20-vm" = {
matchConfig.Name = "vm-*";
networkConfig = {
Bridge = "br-vms";
};
};
"30-br-vms" = {
matchConfig.Name = "br-vms";
networkConfig = {
Address = "192.168.50.245/24";
Gateway = "192.168.50.1";
DNS = [ "192.168.50.1" ];
};
linkConfig.RequiredForOnline = "routable";
};
};
};
networking = { networking = {
hostName = eris.name; hostName = eris.name;
networkmanager.enable = false; networkmanager.enable = true;
nftables.enable = true; nftables.enable = true;
useDHCP = false; useDHCP = lib.mkDefault true;
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [

2
systems/mars/config/filesystem.nix
View file

@ -19,7 +19,7 @@ in
"samba0" "samba0"
]; ];
erisFolders = [ erisFolders = [
"storage" "raid0"
]; ];
ceresDrives = [ ceresDrives = [
"samba0" "samba0"