Compare commits
16 Commits
f6bbbdec3e
...
staging
| Author | SHA1 | Date | |
|---|---|---|---|
| 03846d5e7f | |||
add299c242
|
|||
| e8f929a35a | |||
| 42f2c91b8e | |||
| b94574c640 | |||
| a97de389e5 | |||
| 845379ac86 | |||
| e91481c405 | |||
| d3312c870a | |||
| eee561b650 | |||
| a612221e2a | |||
| 73c482ece0 | |||
| 4d4e9d980b | |||
| beb3839a6b | |||
| 0df32bf47c | |||
| 7bee418e79 |
60
flake.lock
generated
60
flake.lock
generated
@@ -67,11 +67,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1748226808,
|
||||
"narHash": "sha256-GaBRgxjWO1bAQa8P2+FDxG4ANBVhjnSjBms096qQdxo=",
|
||||
"lastModified": 1763992789,
|
||||
"narHash": "sha256-WHkdBlw6oyxXIra/vQPYLtqY+3G8dUVZM8bEXk0t8x4=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "83665c39fa688bd6a1f7c43cf7997a70f6a109f9",
|
||||
"rev": "44831a7eaba4360fb81f2acc5ea6de5fde90aaa3",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -109,11 +109,11 @@
|
||||
"spectrum": "spectrum"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1748260747,
|
||||
"narHash": "sha256-V3ONd70wm55JxcUa1rE0JU3zD+Cz7KK/iSVhRD7lq68=",
|
||||
"lastModified": 1764549796,
|
||||
"narHash": "sha256-Mswg665P92EoHkBwCwPr/7bdnj04g2Qfb+t02ZEYTHA=",
|
||||
"owner": "astro",
|
||||
"repo": "microvm.nix",
|
||||
"rev": "b6c5dfc2a1c7614c94fd2c5d2e8578fd52396f3b",
|
||||
"rev": "030d055e877cc13d7525b39f434150226d5e4482",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -145,11 +145,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1747663185,
|
||||
"narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
|
||||
"lastModified": 1764234087,
|
||||
"narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixos-generators",
|
||||
"rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
|
||||
"rev": "032a1878682fafe829edfcf5fdfad635a2efe748",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -160,11 +160,11 @@
|
||||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1747900541,
|
||||
"narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=",
|
||||
"lastModified": 1764440730,
|
||||
"narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06",
|
||||
"rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -192,11 +192,11 @@
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1748190013,
|
||||
"narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=",
|
||||
"lastModified": 1764517877,
|
||||
"narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "62b852f6c6742134ade1abdd2a21685fd617a291",
|
||||
"rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -208,16 +208,16 @@
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1748162331,
|
||||
"narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
|
||||
"lastModified": 1764522689,
|
||||
"narHash": "sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD+/cTUzzgVFoaHrkqY=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
|
||||
"rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-25.05",
|
||||
"ref": "nixos-25.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
@@ -246,11 +246,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1747603214,
|
||||
"narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
|
||||
"lastModified": 1764483358,
|
||||
"narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
|
||||
"rev": "5aca6ff67264321d47856a2ed183729271107c9c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -262,11 +262,11 @@
|
||||
"spectrum": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1746869549,
|
||||
"narHash": "sha256-BKZ/yZO/qeLKh9YqVkKB6wJiDQJAZNN5rk5NsMImsWs=",
|
||||
"lastModified": 1759482047,
|
||||
"narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "d927e78530892ec8ed389e8fae5f38abee00ad87",
|
||||
"revCount": 862,
|
||||
"rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9",
|
||||
"revCount": 996,
|
||||
"type": "git",
|
||||
"url": "https://spectrum-os.org/git/spectrum"
|
||||
},
|
||||
@@ -450,11 +450,11 @@
|
||||
"utils": "utils_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1751462005,
|
||||
"narHash": "sha256-vhr2GORiXij3mL+QIfnL0sKSbbBIglw1wnHWNmFejiA=",
|
||||
"lastModified": 1764942243,
|
||||
"narHash": "sha256-P02Zm0VAON9SqRxqe6h5vfxgpCBYeiz5JPWGIn6KFFg=",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "f505fb17bf1882cc3683e1e252ce44583cbe58ce",
|
||||
"revCount": 155,
|
||||
"rev": "f56b7eb6887b7e0fecae4a1f4c1311392eebad8d",
|
||||
"revCount": 156,
|
||||
"type": "git",
|
||||
"url": "https://git.dynamicdiscord.de/kalipso/zineshop"
|
||||
},
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
|
||||
inputs = {
|
||||
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
|
||||
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||
sops-nix.url = "github:Mic92/sops-nix";
|
||||
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
@@ -48,7 +48,7 @@ in
|
||||
firefox
|
||||
thunderbird
|
||||
telegram-desktop
|
||||
tor-browser-bundle-bin
|
||||
tor-browser
|
||||
keepassxc
|
||||
libreoffice
|
||||
gimp
|
||||
|
||||
@@ -91,6 +91,10 @@ in
|
||||
|
||||
boot.initrd = {
|
||||
availableKernelModules = [ "wireguard" ];
|
||||
# postMountCommands = ''
|
||||
# ip address flush dev wg-initrd
|
||||
# ip link set dev wg-initrd down
|
||||
# '';
|
||||
systemd = {
|
||||
enable = true;
|
||||
network = {
|
||||
@@ -102,15 +106,15 @@ in
|
||||
};
|
||||
wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
|
||||
wireguardPeers = [{
|
||||
AllowedIPs = peers.fanny-initrd.allowedIPs;
|
||||
PublicKey = peers.fanny-initrd.publicKey;
|
||||
AllowedIPs = peers.vpn.allowedIPs;
|
||||
PublicKey = peers.vpn.publicKey;
|
||||
Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
|
||||
PersistentKeepalive = 25;
|
||||
}];
|
||||
};
|
||||
networks."30-wg-initrd" = {
|
||||
name = "wg-initrd";
|
||||
addresses = [{ Address = peers.fanny-initrd.address; }];
|
||||
addresses = [{ Address = "${peers.fanny-initrd.address}/24"; }];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -31,7 +31,7 @@
|
||||
firefox
|
||||
thunderbird
|
||||
telegram-desktop
|
||||
tor-browser-bundle-bin
|
||||
tor-browser
|
||||
keepassxc
|
||||
libreoffice
|
||||
gimp
|
||||
|
||||
@@ -42,30 +42,36 @@ in
|
||||
initrd = {
|
||||
availableKernelModules = cfg.ethernetDrivers;
|
||||
systemd = {
|
||||
packages = [ pkgs.busybox ];
|
||||
initrdBin = [ pkgs.busybox pkgs.wireguard-tools pkgs.iproute2 ];
|
||||
enable = true;
|
||||
network.enable = true;
|
||||
services."stopInitVpn" = {
|
||||
description = "stop init vpn";
|
||||
wantedBy = [
|
||||
"initrd.target"
|
||||
];
|
||||
after = [
|
||||
"zfs.target"
|
||||
];
|
||||
serviceConfig.StandardOutput = "journal+console";
|
||||
script = ''
|
||||
networkctl down wg-initrd
|
||||
'';
|
||||
serviceConfig.Type = "oneshot";
|
||||
};
|
||||
};
|
||||
network.ssh = {
|
||||
enable = true;
|
||||
port = 222;
|
||||
authorizedKeys = cfg.authorizedKeys;
|
||||
hostKeys = [ "/etc/ssh/initrd" ];
|
||||
network = {
|
||||
flushBeforeStage2 = true;
|
||||
ssh = {
|
||||
enable = true;
|
||||
port = 222;
|
||||
authorizedKeys = cfg.authorizedKeys;
|
||||
hostKeys = [ "/etc/ssh/initrd" ];
|
||||
};
|
||||
};
|
||||
secrets = {
|
||||
"/etc/ssh/initrd" = "/etc/ssh/initrd";
|
||||
};
|
||||
systemd.services.zfs-remote-unlock = {
|
||||
description = "Prepare for ZFS remote unlock";
|
||||
wantedBy = ["initrd.target"];
|
||||
after = ["systemd-networkd.service"];
|
||||
path = with pkgs; [ zfs ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = ''
|
||||
zpool import storage
|
||||
echo "zfs load-key -a; killall zfs; systemctl default" >> /var/empty/.profile
|
||||
'';
|
||||
};
|
||||
};
|
||||
kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
|
||||
};
|
||||
|
||||
@@ -33,7 +33,7 @@ with lib;
|
||||
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
package = pkgs.nextcloud31;
|
||||
package = pkgs.nextcloud32;
|
||||
hostName = "cloud.malobeo.org";
|
||||
config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
|
||||
maxUploadSize = "10G";
|
||||
@@ -48,14 +48,9 @@ with lib;
|
||||
extraAppsEnable = true;
|
||||
extraApps = {
|
||||
inherit (config.services.nextcloud.package.packages.apps) contacts calendar polls registration collectives forms;
|
||||
appointments = pkgs.fetchNextcloudApp {
|
||||
sha256 = "sha256-ls1rLnsX7U9wo2WkEtzhrvliTcWUl6LWXolE/9etJ78=";
|
||||
url = "https://github.com/SergeyMosin/Appointments/raw/refs/tags/v2.4.3/build/artifacts/appstore/appointments.tar.gz";
|
||||
license = "agpl3Plus";
|
||||
};
|
||||
deck = pkgs.fetchNextcloudApp {
|
||||
sha256 = "sha256-1sqDmJpM9SffMY2aaxwzqntdjdcUaRySyaUDv9VHuiE=";
|
||||
url = "https://link.storjshare.io/raw/jw7pf6gct34j3pcqvlq6ddasvdwq/mal/deck.tar.gz";
|
||||
url = "https://link.storjshare.io/raw/jvrl62dakd6htpyxohjkiiqiw5ma/mal/deck32.tar.gz";
|
||||
license = "agpl3Plus";
|
||||
};
|
||||
};
|
||||
|
||||
@@ -24,14 +24,16 @@ diskkey=$(sops -d machines/$hostname/secrets/disk.key)
|
||||
echo
|
||||
if [ $# = 1 ]
|
||||
then
|
||||
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
|
||||
ssh $sshoptions root@$hostname-initrd "zpool import -a"
|
||||
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "zfs load-key storage/encrypted" #root
|
||||
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data
|
||||
|
||||
elif [ $# = 2 ]
|
||||
then
|
||||
ip=$2
|
||||
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
|
||||
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #data
|
||||
ssh $sshoptions root@$ip "zpool import -a"
|
||||
echo "$diskkey" | ssh $sshoptions root@$ip "zfs load-key storage/encrypted"
|
||||
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent"
|
||||
|
||||
else
|
||||
echo
|
||||
|
||||
Reference in New Issue
Block a user