kalipso/infrastructure
1
1
Fork 1
Code Issues 42 Pull Requests 2 Actions Projects 2 Releases Wiki Activity

Compare commits

base: kalipso:vaultwarden
Branches Tags
kalipso:master kalipso:vaultwarden kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver
..
compare: kalipso:e4f6cf2595ff7adb2f4d2ba63bcb95b13ddc688d
Branches Tags
kalipso:vaultwarden kalipso:master kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver

1 Commits
vaultwarde ... e4f6cf2595

Author SHA1 Message Date
ahtlon
e4f6cf2595 [user module] add backup usr
All checks were successful
Check flake syntax / flake-check (push) Successful in 5m49s
Details
2025-03-11 18:19:26 +01:00
37 changed files with 150 additions and 5759 deletions
Expand all files Collapse all files

1
doc/src/SUMMARY.md
View File

@@ -21,4 +21,3 @@
- [Updates](./anleitung/updates.md)
- [Rollbacks](./anleitung/rollback.md)
- [MicroVM](./anleitung/microvm.md)
- [Update Nextcloud](./anleitung/update_nextcloud.md)

69
doc/src/anleitung/create.md
View File

@@ -1,19 +1,47 @@
# Create host with nixos-anywhere
We use a nixos-anywhere wrapper script to deploy new hosts.
The wrapper script takes care of copying persistent host keys before calling nixos-anywhere.
To accomplish that boot the host from a nixos image and setup a root password.
# Create host with disko-install
How to use disko-install is described here: https://github.com/nix-community/disko/blob/master/docs/disko-install.md
---
Here are the exact steps to get bakunin running:
First create machines/hostname/configuration.nix
Add hosts nixosConfiguration in machines/configurations.nix
Boot nixos installer on the Machine.
``` bash
sudo su
passwd
```
# establish network connection
wpa_passphrase "network" "password" > wpa.conf
wpa_supplicant -B -i wlp3s0 -c wpa.conf
ping 8.8.8.8
# if that works continue
After that get the hosts ip using `ip a` and start deployment from your own machine:
# generate a base hardware config
nixos-generate-config --root /tmp/config --no-filesystems
``` bash
# from infrastrucutre repository root dir:
nix develop .#
remote-install hostname 10.0.42.23
# get the infra repo
nix-shell -p git
git clone https://git.dynamicdiscord.de/kalipso/infrastructure
cd infrastructure
# add the new generated hardware config (and import in hosts configuration.nix)
cp /tmp/config/etc/nixos/hardware-configuration.nix machines/bakunin/
# check which harddrive we want to install the system on
lsblk #choose harddrive, in this case /dev/sda
# run nixos-install on that harddrive
sudo nix --extra-experimental-features flakes --extra-experimental-features nix-command run 'github:nix-community/disko/latest#disko-install' -- --flake .#bakunin --disk main /dev/sda
# this failed with out of memory
# running again showed: no disk left on device
# it seems the usb stick i used for flashing is way to small
# it is only
# with a bigger one (more than 8 gig i guess) it should work
# instead the disko-install tool i try the old method - first partitioning using disko and then installing the system
# for that i needed to adjust ./machines/modules/disko/btrfs-laptop.nix and set the disk to "/dev/sda"
sudo nix --extra-experimental-features "flakes nix-command" run 'github:nix-community/disko/latest' -- --mode format --flake .#bakunin
# failed with no space left on device.
# problem is lots of data is written to the local /nix/store which is mounted on tmpfs in ram
# it seems that a workaround could be modifying the bootable stick to contain a swap partition to extend tmpfs storage
```
# Testing Disko
@@ -21,3 +49,18 @@ Testing disko partitioning is working quite well. Just run the following and che
```bash
nix run -L .\#nixosConfigurations.fanny.config.system.build.vmWithDisko
```
Only problem is that encryption is not working, so it needs to be commented out. For testing host fanny the following parts in ```./machines/modules/disko/fanny.nix``` need to be commented out(for both pools!):
```nix
datasets = {
encrypted = {
options = {
encryption = "aes-256-gcm"; #THIS ONE
keyformat = "passphrase"; #THIS ONE
keylocation = "file:///tmp/root.key"; #THIS ONE
};
# use this to read the key during boot
postCreateHook = '' #THIS ONE
zfs set keylocation="prompt" "zroot/$name"; #THIS ONE
''; #THIS ONE
```

16
doc/src/anleitung/update_nextcloud.md
View File

@@ -1,16 +0,0 @@
### Updating nextcloud
## Updating the draggable patch
The draggable patch is a one line patch found in the deck repo under `src/components/cards/CardItem.vue`
Direct link: https://git.dynamicdiscord.de/ahtlon/deck/commit/77cbcf42ca80dd32e450839f02faca2e5fed3761
The easiest way to apply is
1. Sync the repo with remote https://github.com/nextcloud/deck/tree/main
2. Checkout the stable branch for the nextcloud version you need
- example `git checkout stable31`
3. Apply the patch using `git cherry-pick bac32ace61e7e1e01168f9220cee1d24ce576d5e`
4. Start a nix-shell with `nix-shell -p gnumake krankerl php84Packages.composer php nodejs_24`
5. run `krankerl package`
6. upload the archive at "./build/artifacts/deck.tar.gz" to a file storage (ask Ahtlon for access to the storj s3 or use own)
7. Change url and sha in the nextcloud configuration.nix `deck = pkgs.fetchNextcloudApp {};`

10
doc/src/anleitung/updates.md
View File

@@ -1,11 +1 @@
# Updates
## Nextcloud
Update nextcloud to a new major version:
- create state directories: `mkdir /tmp/var /tmp/data`
- run vm state dirs to initialize state `sudo run-vm nextcloud --dummy-secrets --networking --var /tmp/var --data /tmp/data`
- Update lock file `nix flake update --commit-lock-file`
- Change services.nextcloud.package to the next version (do not skip major version upgrades)
- change custom `extraApps` to the new version
- TEST!
- run vm again, it should successfully upgrade nextcloud from old to new version
- run vm state dirs to initialize state `sudo run-vm nextcloud --dummy-secrets --networking --var /tmp/var --data /tmp/data`

125
flake.lock generated
View File

@@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1746728054,
"narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
"lastModified": 1736864502,
"narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
"owner": "nix-community",
"repo": "disko",
"rev": "ff442f5d1425feb86344c028298548024f21256d",
"rev": "0141aabed359f063de7413f80d906e1d98c0c123",
"type": "github"
},
"original": {
@@ -67,16 +67,16 @@
]
},
"locked": {
"lastModified": 1763992789,
"narHash": "sha256-WHkdBlw6oyxXIra/vQPYLtqY+3G8dUVZM8bEXk0t8x4=",
"lastModified": 1736373539,
"narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "44831a7eaba4360fb81f2acc5ea6de5fde90aaa3",
"rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-25.05",
"ref": "release-24.11",
"repo": "home-manager",
"type": "github"
}
@@ -109,11 +109,11 @@
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1764549796,
"narHash": "sha256-Mswg665P92EoHkBwCwPr/7bdnj04g2Qfb+t02ZEYTHA=",
"lastModified": 1739104176,
"narHash": "sha256-bNvtud2PUcbYM0i5Uq1v01Dcgq7RuhVKfjaSKkW2KRI=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "030d055e877cc13d7525b39f434150226d5e4482",
"rev": "d3a9b7504d420a1ffd7c83c1bb8fe57deaf939d2",
"type": "github"
},
"original": {
@@ -145,11 +145,11 @@
]
},
"locked": {
"lastModified": 1764234087,
"narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=",
"lastModified": 1737057290,
"narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "032a1878682fafe829edfcf5fdfad635a2efe748",
"rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
"type": "github"
},
"original": {
@@ -160,11 +160,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1764440730,
"narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
"lastModified": 1738816619,
"narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
"rev": "2eccff41bab80839b1d25b303b53d339fbb07087",
"type": "github"
},
"original": {
@@ -192,11 +192,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1764517877,
"narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=",
"lastModified": 1739020877,
"narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c",
"rev": "a79cfe0ebd24952b580b1cf08cd906354996d547",
"type": "github"
},
"original": {
@@ -208,16 +208,16 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1764522689,
"narHash": "sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD+/cTUzzgVFoaHrkqY=",
"lastModified": 1739206421,
"narHash": "sha256-PwQASeL2cGVmrtQYlrBur0U20Xy07uSWVnFup2PHnDs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f",
"rev": "44534bc021b85c8d78e465021e21f33b856e2540",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
@@ -235,8 +235,7 @@
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix",
"tasklist": "tasklist",
"utils": "utils_3",
"zineshop": "zineshop"
"utils": "utils_3"
}
},
"sops-nix": {
@@ -246,11 +245,11 @@
]
},
"locked": {
"lastModified": 1764483358,
"narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
"lastModified": 1739262228,
"narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "5aca6ff67264321d47856a2ed183729271107c9c",
"rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
"type": "github"
},
"original": {
@@ -262,11 +261,11 @@
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1759482047,
"narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=",
"lastModified": 1733308308,
"narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
"ref": "refs/heads/main",
"rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9",
"revCount": 996,
"rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
"revCount": 792,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
@@ -335,21 +334,6 @@
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tasklist": {
"inputs": {
"nixpkgs": [
@@ -357,11 +341,11 @@
]
},
"locked": {
"lastModified": 1760981884,
"narHash": "sha256-ASFWbOhuB6i3AKze5sHCvTM+nqHIuUEZy9MGiTcdZxA=",
"lastModified": 1737548421,
"narHash": "sha256-gmlqJdC+v86vXc2yMhiza1mvsqh3vMfrEsiw+tV5MXg=",
"ref": "refs/heads/master",
"rev": "b67eb2d778a34c0dceb91a236b390fe493aa3465",
"revCount": 32,
"rev": "c5fff78c83959841ac724980a13597dcfa6dc26d",
"revCount": 29,
"type": "git",
"url": "https://git.dynamicdiscord.de/kalipso/tasklist"
},
@@ -423,45 +407,6 @@
"repo": "flake-utils",
"type": "github"
}
},
"utils_4": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"zineshop": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"utils": "utils_4"
},
"locked": {
"lastModified": 1764942243,
"narHash": "sha256-P02Zm0VAON9SqRxqe6h5vfxgpCBYeiz5JPWGIn6KFFg=",
"ref": "refs/heads/master",
"rev": "f56b7eb6887b7e0fecae4a1f4c1311392eebad8d",
"revCount": 156,
"type": "git",
"url": "https://git.dynamicdiscord.de/kalipso/zineshop"
},
"original": {
"type": "git",
"url": "https://git.dynamicdiscord.de/kalipso/zineshop"
}
}
},
"root": "root",

9
flake.nix
View File

@@ -3,7 +3,7 @@
inputs = {
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -22,11 +22,6 @@
inputs.nixpkgs.follows = "nixpkgs";
};
zineshop = {
url = "git+https://git.dynamicdiscord.de/kalipso/zineshop";
inputs.nixpkgs.follows = "nixpkgs";
};
ep3-bs = {
url = "git+https://git.dynamicdiscord.de/kalipso/ep3-bs.nix";
inputs.nixpkgs.follows = "nixpkgs";
@@ -38,7 +33,7 @@
};
home-manager= {
url = "github:nix-community/home-manager/release-25.05";
url = "github:nix-community/home-manager/release-24.11";
inputs = {
nixpkgs.follows = "nixpkgs";
};

7
machines/.sops.yaml
View File

@@ -95,13 +95,6 @@ creation_rules:
- *admin_kalipso_dsktp
age:
- *admin_atlan
- path_regex: vaultwarden/secrets.yaml$
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *admin_atlan
- path_regex: .*/secrets/.*
key_groups:
- pgp:

4
machines/bakunin/configuration.nix
View File

@@ -48,12 +48,12 @@ in
firefox
thunderbird
telegram-desktop
tor-browser
tor-browser-bundle-bin
keepassxc
libreoffice
gimp
inkscape
kdePackages.okular
okular
element-desktop
chromium
mpv

22
machines/durruti/host_config.nix
View File

@@ -49,10 +49,6 @@ in
locations."/" = {
proxyPass = "http://10.0.0.10";
extraConfig = ''
client_max_body_size 10G;
client_body_timeout 3600s;
send_timeout 3600s;
fastcgi_buffers 64 4K;
'';
};
};
@@ -77,24 +73,6 @@ in
};
};
services.nginx.virtualHosts."zines.malobeo.org" = {
forceSSL = true;
enableACME= true;
locations."/" = {
proxyPass = "http://10.0.0.10";
extraConfig = ''
client_body_in_file_only clean;
client_body_buffer_size 32K;
client_max_body_size 50M;
sendfile on;
send_timeout 300s;
'';
};
};
services.nginx.virtualHosts."status.malobeo.org" = {
forceSSL = true;
enableACME= true;

80
machines/fanny/configuration.nix
View File

@@ -1,12 +1,10 @@
{ inputs, config, ... }:
let
sshKeys = import ../ssh_keys.nix;
peers = import ../modules/malobeo/peers.nix;
in
{
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets.wg_private = {};
sops.secrets.shop_auth = {};
imports =
[ # Include the results of the hardware scan.
@@ -20,7 +18,6 @@ in
inputs.self.nixosModules.malobeo.microvm
inputs.self.nixosModules.malobeo.metrics
inputs.self.nixosModules.malobeo.users
inputs.self.nixosModules.malobeo.backup
];
virtualisation.vmVariantWithDisko = {
@@ -45,11 +42,6 @@ in
cacheurl = "https://cache.dynamicdiscord.de";
};
malobeo.backup = {
enable = true;
snapshots = [ "storage/encrypted" "zroot/encrypted/var" ];
};
nix = {
settings.experimental-features = [ "nix-command" "flakes" ];
#always update microvms
@@ -61,7 +53,6 @@ in
malobeo.users = {
malobeo = true;
admin = true;
backup = true;
};
malobeo.disks = {
@@ -86,42 +77,8 @@ in
enable = true;
authorizedKeys = sshKeys.admins;
ethernetDrivers = ["r8169"];
zfsExtraPools = [ "storage" ];
};
boot.initrd = {
availableKernelModules = [ "wireguard" ];
# postMountCommands = ''
# ip address flush dev wg-initrd
# ip link set dev wg-initrd down
# '';
systemd = {
enable = true;
network = {
enable = true;
netdevs."30-wg-initrd" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-initrd";
};
wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
wireguardPeers = [{
AllowedIPs = peers.vpn.allowedIPs;
PublicKey = peers.vpn.publicKey;
Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
PersistentKeepalive = 25;
}];
};
networks."30-wg-initrd" = {
name = "wg-initrd";
addresses = [{ Address = "${peers.fanny-initrd.address}/24"; }];
};
};
};
};
boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/wg.private";
services.malobeo.vpn = {
enable = true;
name = "fanny";
@@ -129,13 +86,7 @@ in
};
services.malobeo.microvm.enableHostBridge = true;
services.malobeo.microvm.deployHosts = [
"overwatch"
"infradocs"
"nextcloud"
"durruti"
"zineshop"
];
services.malobeo.microvm.deployHosts = [ "overwatch" "infradocs" "nextcloud" "durruti" ];
networking = {
nat = {
@@ -165,10 +116,6 @@ in
proxyPass = "http://10.0.0.13";
extraConfig = ''
proxy_set_header Host $host;
client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize};
client_body_timeout 3600s;
send_timeout 3600s;
fastcgi_buffers 64 4K;
'';
};
};
@@ -190,26 +137,6 @@ in
'';
};
};
virtualHosts."zines.malobeo.org" = {
# created with: nix-shell --packages apacheHttpd --run 'htpasswd -B -c foo.txt malobeo'
# then content of foo.txt put into sops
# basicAuthFile = config.sops.secrets.shop_auth.path;
locations."/" = {
proxyPass = "http://10.0.0.15:8080";
extraConfig = ''
proxy_set_header Host $host;
client_body_in_file_only clean;
client_body_buffer_size 32K;
client_max_body_size 50M;
sendfile on;
send_timeout 300s;
'';
};
};
};
services.tor = {
@@ -229,10 +156,5 @@ in
time.timeZone = "Europe/Berlin";
system.stateVersion = "23.05"; # Do.. Not.. Change..
sops.secrets.shop_auth = {
owner = config.services.nginx.user;
group = config.services.nginx.group;
};
}

8
machines/fanny/secrets.yaml
View File

@@ -1,6 +1,4 @@
wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str]
shop_cleartext: ENC[AES256_GCM,data:sifpX/R6JCcNKgwN2M4Dbflgnfs5CqB8ez5fULPohuFS6k36BLemWzEk,iv:1lRYausj7V/53sfSO9UnJ2OC/Si94JXgIo81Ld74BE8=,tag:5osQU/67bvFeUGA90BSiIA==,type:str]
shop_auth: ENC[AES256_GCM,data:0NDIRjmGwlSFls12sCb5OlgyGTCHpPQIjycEJGhYlZsWKhEYXV2u3g1RHMkF8Ny913jarjf0BgwSq5pBD9rgPL9t8X8=,iv:3jgCv/Gg93Mhdm4eYzwF9QrK14QL2bcC4wwSajCA88o=,tag:h8dhMK46hABv9gYW4johkA==,type:str]
sops:
kms: []
gcp_kms: []
@@ -25,8 +23,8 @@ sops:
QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP
SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-14T10:34:55Z"
mac: ENC[AES256_GCM,data:vcDXtTi0bpqhHnL6XanJo+6a8f5LAE628HazDVaNO34Ll3eRyhi95eYGXQDDkVk2WUn9NJ5oCMPltnU82bpLtskzTfQDuXHaPZJq5gtOuMH/bAKrY0dfShrdyx71LkA4AFlcI1P5hchpbyY1FK3iqe4D0miBv+Q8lCMgQMVrfxI=,iv:1lMzH899K0CnEtm16nyq8FL/aCkSYJVoj7HSKCyUnPg=,tag:mEbkmFNg5VZtSKqq80NrCw==,type:str]
lastmodified: "2025-01-14T12:41:07Z"
mac: ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str]
pgp:
- created_at: "2025-02-11T18:32:49Z"
enc: |-
@@ -67,4 +65,4 @@ sops:
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.9.4
version: 3.9.2

8
machines/hosts.nix
View File

@@ -67,14 +67,6 @@
};
};
zineshop = {
type = "microvm";
network = {
address = "10.0.0.15";
mac = "D0:E5:CA:F0:D7:F1";
};
};
testvm = {
type = "host";
};

9
machines/louise/configuration.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, inputs, ... }:
{ config, pkgs, ... }:
{
imports =
@@ -9,7 +9,6 @@
../modules/sshd.nix
../modules/minimal_tools.nix
../modules/autoupdate.nix
inputs.self.nixosModules.malobeo.printing
];
malobeo.autoUpdate = {
@@ -31,12 +30,12 @@
firefox
thunderbird
telegram-desktop
tor-browser
tor-browser-bundle-bin
keepassxc
libreoffice
gimp
inkscape
kdePackages.okular
okular
element-desktop
chromium
mpv
@@ -51,8 +50,6 @@
};
services.printing.enable = true;
services.malobeo.printing.enable = true;
services.printing.drivers = [
(pkgs.writeTextDir "share/cups/model/brother5350.ppd" (builtins.readFile ../modules/BR5350_2_GPL.ppd))
pkgs.gutenprint

3
machines/lucia/configuration.nix
View File

@@ -35,7 +35,8 @@ in
services = {
dokuwiki.sites."wiki.malobeo.org" = {
#acl = "* @ALL 8"; # everyone can edit using this config
enable = true;
#acl = "* @ALL 8"; # everyone can edit using this config
# note there is a users file at
# /var/lib/dokuwiki/<wiki-name>/users.auth.php
# makes sense to edit it by hand

4777
machines/modules/KOC658UX.ppd
View File

File diff suppressed because it is too large Load Diff

16
machines/modules/host_builder.nix
View File

@@ -133,13 +133,6 @@ rec {
mountPoint = "/var";
tag = "var";
}
] ++ pkgs.lib.optionals (options.dataPath != "") [
{
source = "${options.dataPath}";
securityModel = "mapped";
mountPoint = "/data";
tag = "data";
}
]);
interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{
@@ -202,7 +195,8 @@ rec {
vmNestedMicroVMOverwrites = host: sopsDummy: {
microvm.vms = pkgs.lib.mkForce (
services.malobeo.microvm.deployHosts = pkgs.lib.mkForce [];
microvm.vms =
let
# Map the values to each hostname to then generate an Attrset using listToAttrs
mapperFunc = name: { inherit name; value = {
@@ -216,22 +210,20 @@ rec {
(vmMicroVMOverwrites name {
withNetworking = true;
varPath = "";
dataPath = "";
writableStore = false; })
(if sopsDummy then (vmSopsOverwrites name) else {})
]);
};
}; };
in
builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts));
builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts);
};
buildVM = host: networking: sopsDummy: disableDisko: varPath: dataPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
modules = [
(vmMicroVMOverwrites host {
withNetworking = networking;
varPath = "${varPath}";
dataPath = "${dataPath}";
writableStore = writableStore;
fwdPort = fwdPort; })
(if sopsDummy then (vmSopsOverwrites host) else {})

102
machines/modules/malobeo/backup.nix
View File

@@ -1,102 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.malobeo.backup;
hostToCommand = (hostname: datasetNames:
(map (dataset: {
name = "${hostname}_${dataset.sourceDataset}";
value = {
inherit hostname;
inherit (dataset) sourceDataset targetDataset;
};
} ) datasetNames));
peers = import ./peers.nix;
enableSnapshots = cfg.snapshots != null;
enableBackups = cfg.hosts != null;
in
{
options.malobeo.backup = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable sanoid/syncoid based backup functionality";
};
snapshots = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
description = "Automatic snapshots will be created for the given datasets";
};
hosts = mkOption {
default = null;
type = types.nullOr (types.attrsOf (types.listOf (types.submodule {
options = {
sourceDataset = mkOption {
type = types.str;
description = "The source that needs to be backed up";
};
targetDataset = mkOption {
type = types.str;
description = "The target dataset where the backup should be stored";
};
};
})));
description = ''
Hostname with list of datasets to backup. This option should be defined on hosts that will store backups.
It is necessary to add the machines that get backed up to known hosts.
This can be done for example systemwide using
programs.ssh.knownHosts."10.100.0.101" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqp2/YiiIhai7wyScGZJ20gtrzY+lp4N/8unyRs4qhc";
Or set it for the syncoid user directly.
'';
};
sshKey = mkOption {
default = null;
type = types.nullOr types.str;
description = "Set path to ssh key used for pull backups. Otherwise default key is used";
};
};
config = mkIf (cfg.enable) {
services.sanoid = mkIf (enableSnapshots) {
enable = true;
templates."default" = {
hourly = 24;
daily = 30; #keep 30 daily snapshots
monthly = 6; #keep 6 monthly backups
yearly = 0;
autosnap = true; #take snapshots automatically
autoprune = true; #delete old snapshots
};
datasets = builtins.listToAttrs (map (name: { inherit name; value = {
useTemplate = [ "default" ];
recursive = true;
}; }) cfg.snapshots);
};
services.syncoid = mkIf (enableBackups) {
enable = true;
sshKey = cfg.sshKey;
commonArgs = [
"--no-sync-snap"
];
interval = "*-*-* 04:15:00";
commands = builtins.mapAttrs (name: value: {
source = "backup@${peers.${value.hostname}.address}:${value.sourceDataset}";
target = "${value.targetDataset}";
sendOptions = "w";
recvOptions = "\"\"";
recursive = true;
})(builtins.listToAttrs (builtins.concatLists (builtins.attrValues (builtins.mapAttrs hostToCommand cfg.hosts))));
};
};
}

47
machines/modules/malobeo/initssh.nix
View File

@@ -22,11 +22,6 @@ in
description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
example = "r8169";
};
zfsExtraPools = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "Name or GUID of extra ZFS pools that you wish to import during boot.";
};
};
config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
@@ -37,43 +32,35 @@ in
zfs = {
forceImportAll = true;
requestEncryptionCredentials = true;
extraPools = cfg.zfsExtraPools;
};
initrd = {
availableKernelModules = cfg.ethernetDrivers;
systemd = {
initrdBin = [ pkgs.busybox pkgs.wireguard-tools pkgs.iproute2 ];
enable = true;
network.enable = true;
services."stopInitVpn" = {
description = "stop init vpn";
wantedBy = [
"initrd.target"
];
after = [
"zfs.target"
];
serviceConfig.StandardOutput = "journal+console";
script = ''
networkctl down wg-initrd
'';
serviceConfig.Type = "oneshot";
};
};
network = {
flushBeforeStage2 = true;
ssh = {
enable = true;
port = 222;
authorizedKeys = cfg.authorizedKeys;
hostKeys = [ "/etc/ssh/initrd" ];
};
network.ssh = {
enable = true;
port = 222;
authorizedKeys = cfg.authorizedKeys;
hostKeys = [ "/etc/ssh/initrd" ];
};
secrets = {
"/etc/ssh/initrd" = "/etc/ssh/initrd";
};
systemd.services.zfs-remote-unlock = {
description = "Prepare for ZFS remote unlock";
wantedBy = ["initrd.target"];
after = ["systemd-networkd.service"];
path = with pkgs; [ zfs ];
serviceConfig.Type = "oneshot";
script = ''
echo "systemctl default" >> /var/empty/.profile
'';
};
};
kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
};
};
}
}

18
machines/modules/malobeo/microvm_host.nix
View File

@@ -62,7 +62,7 @@ in
addresses = if cfg.enableHostBridgeUnstable then [
{ Address = "10.0.0.1/24"; }
] else [
{ Address = "10.0.0.1/24"; }
{ addressConfig.Address = "10.0.0.1/24"; }
];
};
@@ -102,22 +102,6 @@ in
/run/current-system/sw/bin/microvm -Ru ${name}
'';
};
"microvm-init-dirs@${name}" = {
description = "Initialize microvm directories";
after = [ "zfs-mount.service" ];
wantedBy = [ "microvm@${name}.service" ];
unitConfig.ConditionPathExists = "!/var/lib/microvms/${name}/.is_initialized";
serviceConfig = {
Type = "oneshot";
};
script = ''
mkdir -p /var/lib/microvms/${name}/var
mkdir -p /var/lib/microvms/${name}/etc
mkdir -p /var/lib/microvms/data/${name}
touch /var/lib/microvms/${name}/.is_initialized
'';
};
}) {} (cfg.deployHosts);
systemd.timers = builtins.foldl' (timers: name: timers // {

27
machines/modules/malobeo/peers.nix
View File

@@ -2,7 +2,7 @@
"vpn" = {
role = "server";
publicIp = "5.9.153.217";
address = "10.100.0.1";
address = [ "10.100.0.1/24" ];
allowedIPs = [ "10.100.0.0/24" ];
listenPort = 51821;
publicKey = "hF9H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
@@ -11,51 +11,36 @@
"celine" = {
role = "client";
address = "10.100.0.2";
address = [ "10.100.0.2/24" ];
allowedIPs = [ "10.100.0.2/32" ];
publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
};
"desktop" = {
role = "client";
address = "10.100.0.3";
address = [ "10.100.0.3/24" ];
allowedIPs = [ "10.100.0.3/32" ];
publicKey = "FtY2lcdWcw+nvtydOOUDyaeh/xkaqHA8y9GXzqU0Am0=";
};
"atlan-pc" = {
role = "client";
address = "10.100.0.5";
address = [ "10.100.0.5/24" ];
allowedIPs = [ "10.100.0.5/32" ];
publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
};
"hetzner" = {
role = "client";
address = "10.100.0.6";
address = [ "10.100.0.6/24" ];
allowedIPs = [ "10.100.0.6/32" ];
publicKey = "csRzgwtnzmSLeLkSwTwEOrdKq55UOxZacR5D3GopCTQ=";
};
"fanny" = {
role = "client";
address = "10.100.0.101";
address = [ "10.100.0.101/24" ];
allowedIPs = [ "10.100.0.101/32" ];
publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
};
"fanny-initrd" = {
role = "client";
address = "10.100.0.102";
allowedIPs = [ "10.100.0.102/32" ];
#TODO: UPDATE
publicKey = "h1A2yt7OQ5EJIilC8tQg203u27o6J6/c+Kd/pZ4UWAY=";
};
"backup0" = {
role = "client";
address = "10.100.0.20";
allowedIPs = [ "10.100.0.20/32" ];
publicKey = "Pp55Jg//jREzHdbbIqTXc9N7rnLZIFw904qh6NLrACE=";
};
}

122
machines/modules/malobeo/printing.nix
View File

@@ -1,122 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.malobeo.printing;
driverFile = pkgs.writeTextDir "share/cups/model/konicaminoltac258.ppd" (builtins.readFile ../KOC658UX.ppd);
defaultPpdOptions = {
PageSize = "A4";
SelectColor = "Grayscale";
Finisher = "FS534";
SaddleUnit = "SD511";
Model = "C258";
InputSlot = "Tray1";
TextPureBlack = "On";
PhotoPureBlack = "On";
GraphicPureBlack = "On";
};
in
{
options.services.malobeo.printing = {
enable = mkOption {
type = types.bool;
default = false;
description = "Setup malobeo printers";
};
};
config = mkIf (cfg.enable) {
services.printing.enable = true;
services.printing.drivers = [
driverFile
];
hardware.printers.ensurePrinters = [
{
name = "KonicaDefault";
model = "konicaminoltac258.ppd";
location = "Zine Workshop";
deviceUri = "ipp://192.168.1.42/ipp";
ppdOptions = defaultPpdOptions;
}
{
name = "KonicaBooklet";
model = "konicaminoltac258.ppd";
location = "Zine Workshop";
deviceUri = "ipp://192.168.1.42/ipp";
ppdOptions = defaultPpdOptions // {
Fold = "Stitch";
Staple = "None";
};
}
{
name = "KonicaPostcard";
model = "konicaminoltac258.ppd";
location = "Zine Workshop";
deviceUri = "ipp://192.168.1.42/ipp";
ppdOptions = defaultPpdOptions // {
Fold = "None";
Staple = "None";
InputSlot = "BypassTray";
MediaType = "Thick4";
KMDuplex = "1Sided";
};
}
];
};
}
/*
ALL AVAILABE OPTIONS:
PaperSources/Paper Source Unit: *None LU207 LU302 PC110 PC114 PC115 PC110+LU302 PC115+LU207 PC115+LU302 PC210 PC214 PC215 PC210+LU302 PC215+LU207 PC215+LU302 PC410 PC414 PC415 PC410+LU302 PC415+LU207 PC415+LU302
Finisher/Finisher: None FS533 *FS534 JS506 FS536 FS537 FS537+JS602
KOPunch/Punch Unit: *None PK519 PK519-3 PK519-4 PK519-SWE4 PK520 PK520-3 PK520-4 PK520-SWE4 PK523 PK523-3 PK523-4 PK523-SWE4
ZFoldPunch/Z-Fold Unit: *None ZU609
CoverSheetFeeder/Post Inserter: *None PI507
SaddleUnit/Saddle Kit: None *SD511 SD512
PrinterHDD/Hard Disk: None *HDD
AdvancedFunctionCover/Advanced Function(Cover Mode): *Disable Enable
Model/Model: C658 C558 C458 C368 C308 *C258 C287 C227 C266 C226
Collate/Collate: False *True
InputSlot/Paper Tray: AutoSelect *Tray1 Tray2 Tray3 Tray4 LCT ManualFeed
MediaType/Paper Type: *Plain Plain(2nd) Thick1 Thick1(2nd) Thick1Plus Thick1Plus(2nd) Thick2 Thick2(2nd) Thick3 Thick3(2nd) Thick4 Thick4(2nd) Thin Envelope Transparency Color SingleSidedOnly TAB Letterhead Special Recycled Recycled(2nd) User1 User1(2nd) User2 User2(2nd) User3 User3(2nd) User4 User4(2nd) User5 User5(2nd) User6 User6(2nd) PrinterDefault UserCustomType1 UserCustomType1(2nd) UserCustomType2 UserCustomType2(2nd) UserCustomType3 UserCustomType3(2nd) UserCustomType4 UserCustomType4(2nd) UserCustomType5 UserCustomType5(2nd) UserCustomType6 UserCustomType6(2nd) UserCustomType7 UserCustomType7(2nd) UserCustomType8 UserCustomType8(2nd) UserCustomType9 UserCustomType9(2nd) UserCustomType10 UserCustomType10(2nd) UserCustomType11 UserCustomType11(2nd) UserCustomType12 UserCustomType12(2nd) UserCustomType13 UserCustomType13(2nd) UserCustomType14 UserCustomType14(2nd) UserCustomType15 UserCustomType15(2nd) UserCustomType16 UserCustomType16(2nd) UserCustomType17 UserCustomType17(2nd) UserCustomType18 UserCustomType18(2nd) UserCustomType19 UserCustomType19(2nd)
PageSize/Paper Size: A3 *A4 A5 A6 B4 B5 B6 SRA3 220mmx330mm 12x18 Tabloid Legal Letter Statement 8x13 8.5x13 8.5x13.5 8.25x13 8.125x13.25 Executive 8K 16K EnvISOB5 EnvC4 EnvC5 EnvC6 EnvChou3 EnvChou4 EnvYou3 EnvYou4 EnvKaku1 EnvKaku2 EnvKaku3 EnvDL EnvMonarch Env10 JapanesePostCard 4x6_PostCard A3Extra A4Extra A5Extra B4Extra B5Extra TabloidExtra LetterExtra StatementExtra LetterTab-F A4Tab-F
Offset/Offset: *False True
OutputBin/Output Tray: *Default Tray1 Tray2 Tray3 Tray4
Binding/Binding Position: *LeftBinding TopBinding RightBinding
KMDuplex/Print Type: 1Sided *2Sided
Combination/Combination: *None Booklet
Staple/Staple: *None 1StapleAuto(Left) 1StapleZeroLeft 1Staple(Right) 2Staples
Punch/Punch: *None 2holes 3holes 4holes
Fold/Fold: None *Stitch HalfFold TriFold ZFold1 ZFold2
FrontCoverPage/Front Cover: None *Printed Blank
FrontCoverTray/Front Cover Tray: None Tray1 Tray2 Tray3 Tray4 LCT *BypassTray
BackCoverPage/Back Cover: *None Printed Blank
BackCoverTray/Back Cover Tray: *None Tray1 Tray2 Tray3 Tray4 LCT BypassTray
PIFrontCover/Front Cover from Post Inserter: *None PITray1 PITray2
PIBackCover/Back Cover from Post Inserter: *None PITray1 PITray2
TransparencyInterleave/Transparency Interleave: *None Blank
OHPOpTray/Interleave Tray: *None Tray1 Tray2 Tray3 Tray4 LCT
WaitMode/Output Method: *None ProofMode
SelectColor/Select Color: Auto Color *Grayscale
GlossyMode/Glossy Mode: *False True
OriginalImageType/Color Settings: *Document Photo DTP Web CAD
AutoTrapping/Auto Trapping: *False True
BlackOverPrint/Black Over Print: *Off Text TextGraphic
TextColorMatching/Color Matching (Text): *Auto Vivid Photo Colorimetric
TextPureBlack/Pure Black (Text): *Auto Off On
TextScreen/Screen (Text): *Auto Gradation Resolution HighResolution
PhotoColorMatching/Color Matching (Photo): *Auto Vivid Photo Colorimetric
PhotoPureBlack/Pure Black (Photo): *Auto Off On
PhotoScreen/Screen (Photo): *Auto Gradation Resolution HighResolution
PhotoSmoothing/Smoothing (Photo): *Auto None Dark Medium Light
GraphicColorMatching/Color Matching (Graphic): *Auto Vivid Photo Colorimetric
GraphicPureBlack/Pure Black (Graphic): *Auto Off On
GraphicScreen/Screen (Graphic): *Auto Gradation Resolution HighResolution
GraphicSmoothing/Smoothing (Graphic): *Auto None Dark Medium Light
TonerSave/Toner Save: *False True
String4Pt/Edge Enhancement: *False True
*/

8
machines/modules/malobeo/users.nix
View File

@@ -68,11 +68,7 @@ in
users = [ "backup" ];
commands = [
{
command = "/run/current-system/sw/bin/zfs";
options = [ "NOPASSWD" ];
}
{
command = "/run/current-system/sw/bin/zpool";
command = "${pkgs.zfs-user}/bin/zfs";
options = [ "NOPASSWD" ];
}
];
@@ -98,4 +94,4 @@ in
];
}
];
}
}

2
machines/modules/malobeo/wireguard.nix
View File

@@ -70,7 +70,7 @@ in
interfaces = {
malovpn = {
mtu = 1340; #seems to be necessary to proxypass nginx traffic through vpn
address = [ "${myPeer.address}/24" ];
address = myPeer.address;
autostart = cfg.autostart;
listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;

19
machines/nextcloud/configuration.nix
View File

@@ -31,16 +31,12 @@ with lib;
lokiHost = "10.0.0.14";
};
services.postgresqlBackup = {
enable = true;
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud32;
package = pkgs.nextcloud30;
hostName = "cloud.malobeo.org";
config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
maxUploadSize = "10G";
#https = true; #disable for testing
datadir = "/data/services/nextcloud/";
database.createLocally = true;
config.dbtype = "pgsql";
@@ -51,22 +47,21 @@ with lib;
};
extraAppsEnable = true;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) contacts calendar polls registration collectives forms;
deck = pkgs.fetchNextcloudApp {
sha256 = "sha256-epjwIANb6vTNx9KqaG6jZc14YPoFMBTCj+/c9JHcWkA=";
url = "https://link.storjshare.io/raw/jvrl62dakd6htpyxohjkiiqiw5ma/mal/deck32.tar.gz";
inherit (config.services.nextcloud.package.packages.apps) contacts calendar deck polls;
collectives = pkgs.fetchNextcloudApp {
sha256 = "sha256-cj/8FhzxOACJaUEu0eG9r7iAQmnOG62yFHeyUICalFY=";
url = "https://github.com/nextcloud/collectives/releases/download/v2.15.2/collectives-2.15.2.tar.gz";
license = "agpl3Plus";
};
};
settings = {
trusted_domains = ["10.0.0.13"];
trusted_proxies = [ "10.0.0.1" ];
"maintenance_window_start" = "1";
"default_phone_region" = "DE";
};
phpOptions = {
"realpath_cache_size" = "0";
"opcache.interned_strings_buffer" = "32";
"opcache.interned_strings_buffer" = "23";
};
};

19
machines/overwatch/configuration.nix
View File

@@ -12,7 +12,6 @@ with lib;
self.nixosModules.malobeo.metrics
../modules/malobeo_user.nix
../modules/sshd.nix
./printer_module.nix
];
networking.firewall.allowedTCPPorts = [ 80 3100 ];
@@ -67,9 +66,9 @@ with lib;
services.nginx = {
enable = true;
virtualHosts.${config.services.grafana.settings.server.domain} = {
virtualHosts.${config.services.grafana.domain} = {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
proxyWebsockets = true;
extraConfig = ''
@@ -78,8 +77,6 @@ with lib;
};
};
};
printer_scraping.enable = true;
services.prometheus = {
enable = true;
@@ -92,12 +89,6 @@ with lib;
targets = [ "127.0.0.1:9002" ];
}];
}
{
job_name = "printer";
static_configs = [{
targets = [ "127.0.0.1:9091" ];
}];
}
{
job_name = "durruti";
static_configs = [{
@@ -116,12 +107,6 @@ with lib;
targets = [ "10.0.0.13:9002" ];
}];
}
{
job_name = "zineshop";
static_configs = [{
targets = [ "10.0.0.15:9002" ];
}];
}
{
job_name = "fanny";
static_configs = [{

33
machines/overwatch/printer_module.nix
View File

@@ -1,33 +0,0 @@
{config, lib, pkgs, ...}:
{
options.printer_scraping = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable the script to pull data from the printer";
};
timer = lib.mkOption {
type = lib.types.str;
default = "1m";
description = "systemd timer for script execution";
};
};
config = lib.mkIf config.printer_scraping.enable {
systemd.services."printer-scraping" = {
description = "Pull printer stats and upload to influxdb";
serviceConfig.Type = "oneshot";
path = with pkgs; [yq jq curl bash];
script = "bash ${./pull_info.sh}";
};
systemd.timers."printer-scraping" = {
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "5s";
OnUnitActiveSec = config.printer_scraping.timer;
Unit = "printer-scraping.service";
};
};
services.prometheus.pushgateway.enable = true; #Im not dealing with influx
};
}

133
machines/overwatch/pull_info.sh
View File

@@ -1,133 +0,0 @@
#!/usr/bin/env bash
set -eo pipefail
for command in "jq" "xq" "grep" "curl" "sed"
do
if ! command -v $command >/dev/null 2>&1
then
echo "$command could not be found"
exit 1
fi
done
#Functions---------------
get_cookie () {
if [[ $1 == "-d" ]]; then
cookie=$(cat request_example_1.txt)
else
cookie=$(curl -s -D - -X GET http://192.168.1.42/wcd/index.html)
fi
exitCode="$?"
if [[ $exitCode == "7" ]];
then
echo "Server offline"
exit 0
elif [[ $exitCode != "0" ]];
then
echo "Something went wrong"
exit 1
fi
cookie=$(echo "$cookie" | grep Set-Cookie | grep -oP "ID=\K[^.]+" )
if [[ $cookie == "" ]]
then
echo "No cookie got!"
exit 1
fi
}
get_values () {
local path="$1"
local -n keys=$2
local name="$3"
local_system_counter_data=$(echo "$system_counter_data" | jq "$path | .[]")
for key in "${keys[@]}";
do
value=$(echo "$local_system_counter_data" |
jq "select(.Type==\"$key\") | .Count" |
sed 's/"//g'
)
valueStore=$(echo "$valueStore"; echo "$name"_"$key" "$value")
done
}
get_values_DeviceStatus () {
local -n keys=$1
local name="$2"
local_system_counter_data=$(echo "$system_counter_data" | jq ".MFP.Common.DeviceStatus")
for key in "${keys[@]}";
do
value=$(echo "$local_system_counter_data" |
jq ".$key" |
sed 's/"//g'
)
valueStore=$(echo "$valueStore"; echo "$name"_"$key" "$value")
done
}
get_values_consumables () {
local -n keys=$1
local name="$2"
local_system_consumables_data=$(echo "$system_consumables_data" | jq ".[] |.DeviceInfo.ConsumableList.Consumable | .[]")
for key in "${keys[@]}";
do
value=$(
echo "$local_system_consumables_data" |
jq "select(.Name==\"$key\") | .CurrentLevel.LevelPer" |
sed 's/"//g'
)
valueStore=$(echo "$valueStore"; echo "$name"_"${key//[^a-zA-Z_-]/_}" "$value")
done
}
#End Functions----------
#Variables-----------------------
system_counter_DeviceStatus_keys=("ScanStatus" "PrintStatus" "Processing" "NetworkErrorStatus" "KmSaasgw" "HddMirroringErrorStatus")
system_counter_TotalCounter_keys=("Total" "DuplexTotal" "Document" "Paper" "TotalLarge" "PrintPageTotal" "PaperSizeA3" "PaperSizeA4" "PaperSizeB4" "PaperSizeB5" "PaperSizeOther" "Nin12in1" "PaperTypeNormal" "PaperTypeOther")
system_counter_FullColorCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
system_counter_BlackCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
system_counter_DoubleColorCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
system_counter_CopyCounter_keys=("BwTotal" "FullColorTotal" "Total" "BwLarge" "FullColorLarge" "BiColorLarge")
system_counter_PrintCounter_keys=("BwTotal" "FullColorTotal" "BiColorTotal" "Total" "BwLarge" "FullColorLarge" "BiColorLarge")
system_counter_ScanFaxCounter_keys=("DocumentReadTotal" "DocumentReadLarge" "FaxReceive" "FaxSend")
system_consumables_base_keys=("Toner (Yellow)" "Toner (Magenta)" "Toner (Cyan)" "Toner (Black)" "Drum Cartridge (Cyan)" "Developer Cartridge (Cyan)" "Drum Cartridge (Magenta)" "Developer Cartridge (Magenta)" "Drum Cartridge (Yellow)" "Developer Cartridge (Yellow)" "Drum Cartridge (Black)" "Developer Cartridge (Black)" "Fusing Unit" "Image Transfer Belt Unit" "Transfer Roller Unit")
#End Variables-------------
echo "Getting cookie"
get_cookie "$@"
echo "Start extracting info from system_counter"
if [[ $1 == "-d" ]]; then
system_counter_data=$(cat system_counter.xml |xq)
else
system_counter_data=$(curl -s -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=$cookie" |xq)
fi
get_values ".MFP.Count.UserCounterInfo.TotalCounterList.TotalCounter" system_counter_TotalCounter_keys TotalCounter
get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.FullColorCounterList.FullColorCounter" system_counter_FullColorCounter_keys FullColorCounter
get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.BlackCounterList.BlackCounter" system_counter_BlackCounter_keys BlackCounter
get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.DoubleColorCounterList.DoubleColorCounter" system_counter_DoubleColorCounter_keys DoubleColorCounter
get_values ".MFP.Count.UserCounterInfo.CopyCounterList.CopyCounter" system_counter_CopyCounter_keys CopyCounter
get_values ".MFP.Count.UserCounterInfo.ScanFaxCounterList.ScanFaxCounter" system_counter_ScanFaxCounter_keys ScanFaxCounter
get_values_DeviceStatus system_counter_DeviceStatus_keys DeviceStatus
echo "Start extracting info from system_consumables"
if [[ $1 == "-d" ]]; then
system_consumables_data=$(cat system_consumables.xml |xq)
else
system_consumables_data=$(curl -s -X GET http://192.168.1.42/wcd/system_consumable.xml -H "Cookie: ID=$cookie" |xq)
fi
get_values_consumables system_consumables_base_keys Consumables
echo "Sending data to prometheus-pushgateway..."
echo "$valueStore" | curl -s --data-binary @- http://localhost:9091/metrics/job/printer
echo "Success!"
exit 0

2
machines/ssh_keys.nix
View File

@@ -7,6 +7,6 @@
];
backup = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIGryhnXdmbGObONG88K+c9zeduMrwtoLHwzMDZg3UXB+Cnq2FXWOrlLZxA+95VUgHpyGZiykJmzeWrKhldDlDeGGd8QCCLeuliiOgXADTYjWaVfhd+6arPZrK2VtqqsguvH40gW1xfoGAOmAT4WFnxWxIaEip0V2u6NOoKTiH9I3bz2Qe4lfJvPXig+XwCXcukXd6XUkDFYDpiw8XNV3X7pqTus5d2RYR97bAhIYZZQ6h50ZpTY8N0lFh4RY5yfx8BhxJW3tfoi9uZvVuPx7dGPsZsSniENFPMNz3UwHGitTJMr4088cJrAGgd5lyFuLouiHiM2JMGA0wx9wWTbWJEwTLaTVQK9gSJf857ndV2zCh9vKlfko4w9bQgqxKg4U/mY8dXX1E7D51nD2ci8Ed+ZG+NEneFLyZhLsD82GkBY+YovA+4xm/pcx+hBhlyqGNxI8v+Jh+JhEyD/ZLgJfq3ZMbGIGsTiDwZ2flLLxImHHEoDoT6PHU6hDhPDJu560="
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPP4s6qNKwtu2l5DRKU/Xo6lMRztqNw/MOVsKx58kUE8 root@silizium"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJKl5FWPskhlnzJs1+mMYrVTMNnRG92uFKUgGlteTPhL"
];
}

60
machines/vaultwarden/configuration.nix
View File

@@ -1,60 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
with lib;
{
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
vaultUser = {};
vaultPass = {};
};
networking = {
hostName = mkDefault "uptimekuma";
useDHCP = false;
};
imports = [
../modules/malobeo_user.nix
../modules/sshd.nix
];
networking.firewall.allowedTCPPorts = [ 80 ];
services.nginx = {
enable = true;
virtualHosts."status.malobeo.org" = {
locations."/" = {
proxyPass = "http://127.0.0.1:3001";
extraConfig = ''
'';
};
};
};
services.vaultwarden = {
enable = true;
backupDir = "";
enviromentDile = sops.nochewas.file ;
config = {
DOMAIN = "keys.malobeo.org"; #maybe vault.malobeo.org
SIGNUPS_ALLOWED = true;
#WEBSERVER
ROCKET_ADDRESS = "::1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
#EMAIL
SMTP_HOST = "mail.systemli.org";
SMTP_PORT = 465;
SMTP_SECURITY = "force_tls";
SMTP_USERNAME = sops.smtpUser;
SMTP_PASSWORD = sops.smtpPass;
SMTP_FROM = "malobot@systemli.org";
SMTP_FROM_NAME = "Malobeo Vaultwarden Server";
};
};
system.stateVersion = "22.11"; # Did you read the comment?
}

55
machines/vaultwarden/secrets.yaml
View File

@@ -1,55 +0,0 @@
smtpUser: ENC[AES256_GCM,data:BsHFhpQtQ2Jhi3nuhJXjReJvbzU=,iv:jdSLeAgYj8JFSsLU3ZiVCG2ox8ZBo/HV6szCQUU5YWQ=,tag:XjS12SnmC6NNhWcTUvEhlA==,type:str]
sops:
age:
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYRnd3NGpkWjZVZjYxZ2VP
QUpTMjNwTml3NW8zL2o2c2R0TE53aEtlK0JNCi9jTjhZVXNMZ29oNDIrbFJBenkz
UkVBKzBQVUlYREc3bkxRb1R6RE5MaUUKLS0tIDJmdmlidmZCOXU5dDdFRmY2Q2pu
bWhRZS9oamtQYnRZVnI1clVGNytHWlkKb1hYwkqfSiMCVFOWraCiWoAU1Ua/U0Kc
2UnXRByOST5hfKkTnpJ0765UATUny0K53H/ieMR0cyQxE3aCbk5AfA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-18T17:56:54Z"
mac: ENC[AES256_GCM,data:/TofX/71rLHMpin9hhKcXQRTuCb+CXkTkHtZozuqSL0SHR0hTacLNZrmkPlzYlxmvzYsJekBOWTfrhxOD5cOhdOhfsZ/zhXi0e3RVDBPDE//faARYvbQ9IJGsDOGQzaZopwXx098MVNGj3NP6XqDgCI5aDXfL8Uklg0ORTXfPwE=,iv:Th7+EY9BdV8nmMi7rYQjgLN8nxDOwNSiWy3movkyIAw=,tag:caMd5aeQbaVAWbYJYe5K+A==,type:str]
pgp:
- created_at: "2025-12-18T17:32:21Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQv/X02f2/84Twa9Sgj7husyP8ZOva1gsUnakZRd670K1Vxe
Z7eY4THMkP59qtbzCDkop0GulM1WNXd3jocT169WKYA5+myjNl131Ppn/DfAHMCk
QqguILH7K8X7zQkDU6Y4LE2sLuxYeoYz7aptdwoZpWZRKJjX6Q0pFrbFLZP54CJD
BXqcRAGHXSmr8lMJVmaQolzyn9B08Vv/D1LTfgI9qA+K+sxjKQopOjvv03NFSM67
PbNNqjQpToM2LaFJTfxXrwljRUkt1BN98wxKlFRIKVbb4spezYHFU+zf5XqM8+sg
V9mIGw/5lhYPfSB9EN/2mcqabaWFEqmhBRKRHVirXWBrUmvb5+cKTRQ93zM7Lipr
prz7MK+1DRxB5BgKxOiLTz+q/1JlmwpulxBBSSd8o3nHhpjEyaMBoa30TYuUWAVl
lW8zCC9H0H8vnqam2OXalu6tu8jvQ6AIquQGOKb3NtWf6pCTQNv0F7t0AWK2zkUL
WjrkEiG3lv3vGJeVGq9U0lgBj8HtXnnHsDMJkhPGClQeJcWiv7Tj8f79+Mni8QhM
dVWXVesg+dsUazptP35n2S2XlLY8Jk3tyD1KTLrt5R/MMGhAZOmgPS4I4q+zrZSj
S0Dj9iTJcJ/F
=YEYS
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2025-12-18T17:32:21Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUAQ/+LMZHO0oxmlivnL1qKaDz5JKAL718pHmjshxc53gUo4aN
x9WC4USniK8IMV4MTZUxti/ekJ5Bxd+myMMIORHE4R1q1FNO1tWx9n8PXAVhIrDx
XF/2NZKzUzCHd3OE3GvS+LSTITLnJdtSuAOPA9MjOeC2TU52r3CkNxUfYMjLYIuk
soZi8HfTWVfXKyEq300CLdEqoiaN6lqaxY+e0LoiQjPTpZSs0KhpcjvvmKBpZI0x
temAZ+VbEU93DuCVxsXQAQria5GUYs66237goctBjto6G0uOyzJ3lOE17ThDkL8J
PpbmoR+CkT++lJnSeeRuhF5FYaVWPl0LDGVLAQrkeblGUjhLtzSrN/ZNyjhGaYdk
zlUOFUNVlaok1fcC+8PNsfcna7keLW+N4YPTeZQljjH1uWvdzIZaJto1TaDYrSyu
EVF4J0FDThMCu7fyf0TrbqE8n7xs/1F7BBfhUC0wWztX4sNo9mNBZK1d96ihFlzB
FRBjrAKCGSD4eZcwaJZB/4NoipFDUh9kmQemmSalDNaHjvdXsT4euY4JNqwKw2iK
76EYBym1fvEaOeYvoOotLU3vrW6dH0YNEf0+Zvtl8XiUHlDCnxeLaBoVybA7p+Rt
0J/S3wPMubikTuq3mSsJcUM8c25sRBD90LjZsAcwKbmfDZntkTNGUr3AEaBdEyTS
WAGKfeJiKoH24BQrslUV8V4i4Fcz6xh1tb11Dmg9XcEiZm4+IF/P+UvjHgXanVdu
GvEauo1dOpGu+L8xc68fSFfMNQcWDJ1UmZIyJ3FLDbaxI/66H041peA=
=YUFg
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.11.0

26
machines/vpn/configuration.nix
View File

@@ -45,10 +45,6 @@ with lib;
proxyPass = "http://10.100.0.101";
extraConfig = ''
proxy_set_header Host $host;
client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize};
client_body_timeout 3600s;
send_timeout 3600s;
fastcgi_buffers 64 4K;
'';
};
};
@@ -70,28 +66,6 @@ with lib;
'';
};
};
virtualHosts."zines.malobeo.org" = {
locations."/" = {
proxyPass = "http://10.100.0.101";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Authorization $http_authorization; # Pass the Authorization header
proxy_pass_header Authorization;
client_body_in_file_only clean;
client_body_buffer_size 32K;
client_max_body_size 50M;
sendfile on;
send_timeout 300s;
'';
};
};
};
system.stateVersion = "22.11"; # Did you read the comment?

34
machines/zineshop/configuration.nix
View File

@@ -1,34 +0,0 @@
{ self, config, lib, pkgs, inputs, ... }:
with lib;
{
networking = {
hostName = mkDefault "zineshop";
useDHCP = false;
};
imports = [
inputs.malobeo.nixosModules.malobeo.metrics
inputs.malobeo.nixosModules.malobeo.printing
inputs.zineshop.nixosModules.zineshop
../modules/malobeo_user.nix
../modules/sshd.nix
];
malobeo.metrics = {
enable = true;
enablePromtail = true;
logNginx = true;
lokiHost = "10.0.0.14";
};
services.printing.enable = true;
services.malobeo.printing.enable = true;
services.zineshop.enable = true;
networking.firewall.allowedTCPPorts = [ 8080 ];
system.stateVersion = "22.11"; # Did you read the comment?
}

4
outputs.nix
View File

@@ -37,7 +37,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
sops.sops-init-gpg-key
pkgs.sops
pkgs.age
pkgs.python313Packages.grip
pkgs.python310Packages.grip
pkgs.mdbook
pkgs.ssh-to-age
microvmpkg.microvm
@@ -116,8 +116,6 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
metrics.imports = [ ./machines/modules/malobeo/metrics.nix ];
disko.imports = [ ./machines/modules/disko ];
users.imports = [ ./machines/modules/malobeo/users.nix ];
backup.imports = [ ./machines/modules/malobeo/backup.nix ];
printing.imports = [ ./machines/modules/malobeo/printing.nix ];
};
hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (

6
scripts/add_new_host_keys.sh
View File

@@ -31,13 +31,10 @@ cd "$pwpath"
# Generate SSH keys
ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
wg genkey > wg.private
publickey=$(cat wg.private | wg pubkey)
#encrypt the private keys
sops -e -i ./$hostkey
sops -e -i ./$initrdkey
sops -e -i ./wg.private
#generate encryption key
tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
@@ -48,9 +45,6 @@ echo
echo "Hier ist der age public key für sops etc:"
echo "$(ssh-to-age -i ./"$hostkey".pub)"
echo
echo "Hier ist der wireguard pubkey für das gerät"
echo "$publickey"
echo
echo "Hier ist eine reproduzierbare mac-addresse:"
echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'

3
scripts/remote-install-encrypt.sh
View File

@@ -40,9 +40,7 @@ trap cleanup EXIT
# Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/etc/ssh/"
install -d -m755 "$temp/etc/wireguard/"
##TODO:: wg genkey + pubkey --> /etc/wireguard/wg.private
diskKey=$(sops -d $pwpath/disk.key)
echo "$diskKey" > /tmp/secret.key
@@ -50,7 +48,6 @@ sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
sops -d "$pwpath/wg.private" > "$temp/etc/wireguard/wg.private"
# # Set the correct permissions so sshd will accept the key
chmod 600 "$temp/etc/ssh/$hostname"
chmod 600 "$temp/etc/ssh/initrd"

17
scripts/run-vm.sh
View File

@@ -6,7 +6,6 @@ usage() {
echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny"
echo "--writable-store enables writable store. necessary for host with nested imperative microvms like fanny"
echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
echo "--data path to directory that should be shared as /data"
echo "--fwd-port forwards the given port to port 80 on vm"
exit 1
}
@@ -24,7 +23,6 @@ DUMMY_SECRETS=false
NO_DISKO=false
RW_STORE=false
VAR_PATH=""
DATA_PATH=""
FWD_PORT=0
# check argws
@@ -44,15 +42,6 @@ while [[ "$#" -gt 0 ]]; do
usage
fi
;;
--data)
if [[ -n "$2" && ! "$2" =~ ^- ]]; then
DATA_PATH="$2"
shift
else
echo "Error: --data requires a non-empty string argument."
usage
fi
;;
--fwd-port)
if [[ -n "$2" && ! "$2" =~ ^- ]]; then
FWD_PORT="$2"
@@ -75,8 +64,4 @@ if [ -n "$VAR_PATH" ]; then
echo "sharing var directory: $VAR_PATH"
fi
if [ -n "$DATA_PATH" ]; then
echo "sharing data directory: $DATA_PATH"
fi
nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" \"$DATA_PATH\" $RW_STORE $FWD_PORT).config.microvm.declaredRunner"
nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" $RW_STORE $FWD_PORT).config.microvm.declaredRunner"

8
scripts/unlock-boot.sh
View File

@@ -24,16 +24,14 @@ diskkey=$(sops -d machines/$hostname/secrets/disk.key)
echo
if [ $# = 1 ]
then
ssh $sshoptions root@$hostname-initrd "zpool import -a"
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "zfs load-key storage/encrypted" #root
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data
elif [ $# = 2 ]
then
ip=$2
ssh $sshoptions root@$ip "zpool import -a"
echo "$diskkey" | ssh $sshoptions root@$ip "zfs load-key storage/encrypted"
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent"
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #data
else
echo