malobeo/infrastructure
2
1
Fork 1
Code Issues 40 Pull Requests 3 Actions Projects 3 Releases Wiki Activity

Compare commits

base: malobeo:dns
Branches Tags
malobeo:master malobeo:nixpkgs_bump_20260409 malobeo:debug_mode malobeo:dns malobeo:vaultwarden malobeo:nextcloud_deck_derivation malobeo:staging malobeo:script malobeo:zineshop malobeo:nextcloud_upgrade_31 malobeo:printer-module malobeo:microvm-dirs malobeo:sanoid malobeo:issue77 malobeo:reproducible-deployments malobeo:reproducible-deployments-filestructure malobeo:issue31 malobeo:microvm-module malobeo:issue47 malobeo:hostbuilder malobeo:better-workflows malobeo:issue51 malobeo:local-testing-v2 malobeo:gitea malobeo:fileserver
..
compare: malobeo:7bee418e79eadc3fb383ac06ee80a06ebf541c9e
Branches Tags
malobeo:master malobeo:nixpkgs_bump_20260409 malobeo:debug_mode malobeo:dns malobeo:vaultwarden malobeo:nextcloud_deck_derivation malobeo:staging malobeo:script malobeo:zineshop malobeo:nextcloud_upgrade_31 malobeo:printer-module malobeo:microvm-dirs malobeo:sanoid malobeo:issue77 malobeo:reproducible-deployments malobeo:reproducible-deployments-filestructure malobeo:issue31 malobeo:microvm-module malobeo:issue47 malobeo:hostbuilder malobeo:better-workflows malobeo:issue51 malobeo:local-testing-v2 malobeo:gitea malobeo:fileserver

1 Commits
dns ... 7bee418e79

Author SHA1 Message Date
kalipso
7bee418e79 [nixpkgs] update
All checks were successful
Check flake syntax / flake-check (push) Successful in 7m9s
Details
2025-08-14 14:08:54 +02:00
32 changed files with 231 additions and 673 deletions
Expand all files Collapse all files

1
doc/src/SUMMARY.md
View File

@@ -21,4 +21,3 @@
- [Updates](./anleitung/updates.md)
- [Rollbacks](./anleitung/rollback.md)
- [MicroVM](./anleitung/microvm.md)
- [Update Nextcloud](./anleitung/update_nextcloud.md)

16
doc/src/anleitung/update_nextcloud.md
View File

@@ -1,16 +0,0 @@
### Updating nextcloud
## Updating the draggable patch
The draggable patch is a one line patch found in the deck repo under `src/components/cards/CardItem.vue`
Direct link: https://git.dynamicdiscord.de/ahtlon/deck/commit/77cbcf42ca80dd32e450839f02faca2e5fed3761
The easiest way to apply is
1. Sync the repo with remote https://github.com/nextcloud/deck/tree/main
2. Checkout the stable branch for the nextcloud version you need
- example `git checkout stable31`
3. Apply the patch using `git cherry-pick bac32ace61e7e1e01168f9220cee1d24ce576d5e`
4. Start a nix-shell with `nix-shell -p gnumake krankerl php84Packages.composer php nodejs_24`
5. run `krankerl package`
6. upload the archive at "./build/artifacts/deck.tar.gz" to a file storage (ask Ahtlon for access to the storj s3 or use own)
7. Change url and sha in the nextcloud configuration.nix `deck = pkgs.fetchNextcloudApp {};`

107
flake.lock generated
View File

@@ -21,27 +21,6 @@
"type": "github"
}
},
"dns": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1768143854,
"narHash": "sha256-E5/kyPz4zAZn/lZdvqlF83jMgCWNxmqYjjWuadngCbk=",
"owner": "kirelagin",
"repo": "dns.nix",
"rev": "a97cf4156e9f044fe4bed5be531061000dfabb07",
"type": "github"
},
"original": {
"owner": "kirelagin",
"repo": "dns.nix",
"type": "github"
}
},
"ep3-bs": {
"inputs": {
"nixpkgs": [
@@ -64,21 +43,6 @@
}
},
"flake-utils": {
"locked": {
"lastModified": 1614513358,
"narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
},
@@ -103,11 +67,11 @@
]
},
"locked": {
"lastModified": 1763992789,
"narHash": "sha256-WHkdBlw6oyxXIra/vQPYLtqY+3G8dUVZM8bEXk0t8x4=",
"lastModified": 1753592768,
"narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "44831a7eaba4360fb81f2acc5ea6de5fde90aaa3",
"rev": "fc3add429f21450359369af74c2375cb34a2d204",
"type": "github"
},
"original": {
@@ -138,18 +102,18 @@
},
"microvm": {
"inputs": {
"flake-utils": "flake-utils_2",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1764549796,
"narHash": "sha256-Mswg665P92EoHkBwCwPr/7bdnj04g2Qfb+t02ZEYTHA=",
"lastModified": 1755102374,
"narHash": "sha256-v6xhTSgnGQoF1a51BB6OQWN8HXiYbZtVL+54TRuk9zk=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "030d055e877cc13d7525b39f434150226d5e4482",
"rev": "0a5cda80e48191959cf5a9c0552532599ef2cee4",
"type": "github"
},
"original": {
@@ -181,11 +145,11 @@
]
},
"locked": {
"lastModified": 1764234087,
"narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=",
"lastModified": 1751903740,
"narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "032a1878682fafe829edfcf5fdfad635a2efe748",
"rev": "032decf9db65efed428afd2fa39d80f7089085eb",
"type": "github"
},
"original": {
@@ -196,11 +160,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1764440730,
"narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
"lastModified": 1754564048,
"narHash": "sha256-dz303vGuzWjzOPOaYkS9xSW+B93PSAJxvBd6CambXVA=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
"rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113",
"type": "github"
},
"original": {
@@ -228,11 +192,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1764517877,
"narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=",
"lastModified": 1755027561,
"narHash": "sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV+3/aO28gXpGtMXI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c",
"rev": "005433b926e16227259a1843015b5b2b7f7d1fc3",
"type": "github"
},
"original": {
@@ -244,16 +208,16 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1764522689,
"narHash": "sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD+/cTUzzgVFoaHrkqY=",
"lastModified": 1754937576,
"narHash": "sha256-3sWA5WJybUE16kIMZ3+uxcxKZY/JRR4DFBqLdSLBo7w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f",
"rev": "ddae11e58c0c345bf66efbddbf2192ed0e58f896",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
@@ -261,7 +225,6 @@
"root": {
"inputs": {
"disko": "disko",
"dns": "dns",
"ep3-bs": "ep3-bs",
"home-manager": "home-manager",
"mfsync": "mfsync",
@@ -283,11 +246,11 @@
]
},
"locked": {
"lastModified": 1764483358,
"narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
"lastModified": 1754988908,
"narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "5aca6ff67264321d47856a2ed183729271107c9c",
"rev": "3223c7a92724b5d804e9988c6b447a0d09017d48",
"type": "github"
},
"original": {
@@ -299,11 +262,11 @@
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1759482047,
"narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=",
"lastModified": 1754675037,
"narHash": "sha256-afS08F7lfMUBR4qrBxinN1kuxu+DoHQ5TPNVp9VS/OA=",
"ref": "refs/heads/main",
"rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9",
"revCount": 996,
"rev": "586577f3015397afacd83bc185454f4cc3c8028f",
"revCount": 955,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
@@ -394,11 +357,11 @@
]
},
"locked": {
"lastModified": 1760981884,
"narHash": "sha256-ASFWbOhuB6i3AKze5sHCvTM+nqHIuUEZy9MGiTcdZxA=",
"lastModified": 1743458889,
"narHash": "sha256-eVTtsCPio3Wj/g/gvKTsyjh90vrNsmgjzXK9jMfcboM=",
"ref": "refs/heads/master",
"rev": "b67eb2d778a34c0dceb91a236b390fe493aa3465",
"revCount": 32,
"rev": "b61466549e2687628516aa1f9ba73f251935773a",
"revCount": 30,
"type": "git",
"url": "https://git.dynamicdiscord.de/kalipso/tasklist"
},
@@ -487,11 +450,11 @@
"utils": "utils_4"
},
"locked": {
"lastModified": 1764942243,
"narHash": "sha256-P02Zm0VAON9SqRxqe6h5vfxgpCBYeiz5JPWGIn6KFFg=",
"lastModified": 1751462005,
"narHash": "sha256-vhr2GORiXij3mL+QIfnL0sKSbbBIglw1wnHWNmFejiA=",
"ref": "refs/heads/master",
"rev": "f56b7eb6887b7e0fecae4a1f4c1311392eebad8d",
"revCount": 156,
"rev": "f505fb17bf1882cc3683e1e252ce44583cbe58ce",
"revCount": 155,
"type": "git",
"url": "https://git.dynamicdiscord.de/kalipso/zineshop"
},

7
flake.nix
View File

@@ -3,7 +3,7 @@
inputs = {
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -13,11 +13,6 @@
disko.url = "github:nix-community/disko/latest";
disko.inputs.nixpkgs.follows = "nixpkgs";
dns = {
url = "github:kirelagin/dns.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
utils = {
url = "github:numtide/flake-utils";
};

2
machines/bakunin/configuration.nix
View File

@@ -48,7 +48,7 @@ in
firefox
thunderbird
telegram-desktop
tor-browser
tor-browser-bundle-bin
keepassxc
libreoffice
gimp

1
machines/durruti/configuration.nix
View File

@@ -29,6 +29,7 @@ with lib;
enable = true;
enablePromtail = true;
logNginx = true;
lokiHost = "10.0.0.14";
};
services.malobeo-tasklist.enable = true;

27
machines/durruti/host_config.nix
View File

@@ -43,6 +43,16 @@ in
};
};
services.nginx.virtualHosts."cloud.malobeo.org" = {
forceSSL = true;
enableACME= true;
locations."/" = {
proxyPass = "http://10.0.0.10";
extraConfig = ''
'';
};
};
services.nginx.virtualHosts."grafana.malobeo.org" = {
forceSSL = true;
enableACME= true;
@@ -64,6 +74,23 @@ in
};
services.nginx.virtualHosts."zines.malobeo.org" = {
forceSSL = true;
enableACME= true;
locations."/" = {
proxyPass = "http://10.0.0.10";
extraConfig = ''
client_body_in_file_only clean;
client_body_buffer_size 32K;
client_max_body_size 50M;
sendfile on;
send_timeout 300s;
'';
};
};
services.nginx.virtualHosts."status.malobeo.org" = {
forceSSL = true;
enableACME= true;

114
machines/fanny/configuration.nix
View File

@@ -1,14 +1,11 @@
{ inputs, config, ... }:
let
sshKeys = import ../ssh_keys.nix;
peers = import ../modules/malobeo/peers.nix;
hosts = import ../hosts.nix {};
in
{
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets.wg_private = {};
sops.secrets.shop_auth = {};
sops.secrets.njala_api_key = {};
imports =
[ # Include the results of the hardware scan.
@@ -36,7 +33,7 @@ in
enable = true;
enablePromtail = true;
logNginx = true;
lokiHost = hosts.malobeo.hosts.overwatch.network.address;
lokiHost = "10.0.0.14";
};
malobeo.autoUpdate = {
@@ -88,54 +85,15 @@ in
enable = true;
authorizedKeys = sshKeys.admins;
ethernetDrivers = ["r8169"];
zfsExtraPools = [ "storage" ];
};
boot.initrd = {
availableKernelModules = [ "wireguard" ];
# postMountCommands = ''
# ip address flush dev wg-initrd
# ip link set dev wg-initrd down
# '';
systemd = {
enable = true;
network = {
enable = true;
netdevs."30-wg-initrd" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-initrd";
};
wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
wireguardPeers = [{
AllowedIPs = peers.vpn.allowedIPs;
PublicKey = peers.vpn.publicKey;
Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
PersistentKeepalive = 25;
}];
};
networks."30-wg-initrd" = {
name = "wg-initrd";
addresses = [{ Address = "${peers.fanny-initrd.address}/24"; }];
};
};
};
};
boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/wg.private";
services.malobeo.vpn = {
enable = true;
name = "fanny";
privateKeyFile = config.sops.secrets.wg_private.path;
};
services.malobeo.microvm = {
enableHostBridge = true;
interface = "enp1s0";
gateway = "192.168.1.1";
address = "192.168.1.2/24";
};
services.malobeo.microvm.enableHostBridge = true;
services.malobeo.microvm.deployHosts = [
"overwatch"
"infradocs"
@@ -156,61 +114,30 @@ in
};
};
security.acme = {
acceptTerms = true;
defaults.email = "malobeo@systemli.org";
defaults = {
dnsProvider = "njalla";
credentialsFile = config.sops.secrets.njala_api_key.path;
dnsPropagationCheck = false;
};
};
services.nginx = {
enable = true;
virtualHosts."docs.malobeo.org" = {
locations."/" = {
proxyPass = "http://${hosts.malobeo.hosts.infradocs.network.address}:9000";
proxyPass = "http://10.0.0.11:9000";
extraConfig = ''
proxy_set_header Host $host;
'';
};
};
virtualHosts."cloud.hq.malobeo.org" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyPass = "http://${hosts.malobeo.hosts.nextcloud.network.address}";
extraConfig = ''
proxy_set_header Host $host;
client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize};
client_body_timeout 3600s;
send_timeout 3600s;
fastcgi_buffers 64 4K;
'';
};
};
virtualHosts."cloud.malobeo.org" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${hosts.malobeo.hosts.nextcloud.network.address}";
proxyPass = "http://10.0.0.13";
extraConfig = ''
proxy_set_header Host $host;
client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize};
client_body_timeout 3600s;
send_timeout 3600s;
fastcgi_buffers 64 4K;
client_max_body_size 10G;
'';
};
};
virtualHosts."grafana.malobeo.org" = {
locations."/" = {
proxyPass = "http://${hosts.malobeo.hosts.overwatch.network.address}";
proxyPass = "http://10.0.0.14";
extraConfig = ''
proxy_set_header Host $host;
'';
@@ -219,38 +146,19 @@ in
virtualHosts."tasklist.malobeo.org" = {
locations."/" = {
proxyPass = "http://${hosts.malobeo.hosts.durruti.network.address}:8080";
proxyPass = "http://10.0.0.5:8080";
extraConfig = ''
proxy_set_header Host $host;
'';
};
};
virtualHosts."zines.hq.malobeo.org" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyPass = "http://${hosts.malobeo.hosts.zineshop.network.address}:8080";
extraConfig = ''
proxy_set_header Host $host;
client_body_in_file_only clean;
client_body_buffer_size 32K;
client_max_body_size 50M;
sendfile on;
send_timeout 300s;
'';
};
};
virtualHosts."zines.malobeo.org" = {
forceSSL = true;
enableACME = true;
# created with: nix-shell --packages apacheHttpd --run 'htpasswd -B -c foo.txt malobeo'
# then content of foo.txt put into sops
# basicAuthFile = config.sops.secrets.shop_auth.path;
locations."/" = {
proxyPass = "http://${hosts.malobeo.hosts.zineshop.network.address}:8080";
proxyPass = "http://10.0.0.15:8080";
extraConfig = ''
proxy_set_header Host $host;

11
machines/fanny/dummy.yaml
View File

@@ -1,6 +1,9 @@
wg_private: ENC[AES256_GCM,data:YEmIfgtyHE9msYijva0Ye2w7shVmYBPZ3mcKRF7Cy20xa6yHEUQ0kC2OWnM=,iv:ouK6fHcrxrEtsmiPmtCz9Ca8Ec1algOifrgZSBNHi74=,tag:524e/SQt++hwVyeWruCsLg==,type:str]
njala_api_key: ENC[AES256_GCM,data:uEzx7KeI7ZZP63Igu5vHmuvASVxJai8bezM40UZVobQMr7r6opjnVTc0BPyIGfnG2mx/6Bo=,iv:lch04oGn6bkqtBGVzYlz6B97FGXlGOoxkiT1IplSxm4=,tag:bzXx2jSqFBv1hgJO1r5i+w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
enc: |
@@ -20,8 +23,8 @@ sops:
NjJ5cFdTVS9NZmVWMjcrcHo2WDZEZDgKiDwkuUn90cDmidwYGZBb5qp+4R1HafV0
vMQfjT9GrwB5K/O1GumOmvbzLNhvO2vRZJhfVHzyHLzQK64abQgF5Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-20T18:33:50Z"
mac: ENC[AES256_GCM,data:YlsQVjfgtlcSObjLiZif/sOJNx2PqH9q0kguPgBSwAoNiX2/eJhNH2WwtQ8uXQfdPiX7kwfFrl2E0xevqwLv+4AICr+9v6oCfcUHJYPRdkLfCs0jXyvnZr52LzfyV3GOPah/j8Uye9d9sspUMqqaXewoeWtrXHgo277pQVdrKxM=,iv:Xb5ckc/cvpGqkZoViTrw8rUniO2OWy0/rNfhF+Qb/iM=,tag:ZhI4jS2Iyig9juVGAeii+w==,type:str]
lastmodified: "2025-01-19T22:46:09Z"
mac: ENC[AES256_GCM,data:eU3SIqAGrgbO2tz4zH1tgYcif7oe5j+/wmdYl2xXXI+D6IhiKrTJGvzE3rd3ElEpb+Bg0UQId952U2Ut0yPTfxGLtdlbJA66CmhLAksByoJ8lOXUcp/qDyA4yMRSuwYG2v7uF2crvue9fyRfZ7hl7abE/Q7Z2UjOKqhSZC5cO3U=,iv:NmCVvtBWZRzhpr5nMLy+98VuQZWoUms7xFSxq8PMvBA=,tag:UWjA7oqoNWh4wb0myNg7FA==,type:str]
pgp:
- created_at: "2025-01-19T22:45:26Z"
enc: |-
@@ -62,4 +65,4 @@ sops:
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.11.0
version: 3.9.2

11
machines/fanny/secrets.yaml
View File

@@ -1,8 +1,11 @@
wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str]
shop_cleartext: ENC[AES256_GCM,data:sifpX/R6JCcNKgwN2M4Dbflgnfs5CqB8ez5fULPohuFS6k36BLemWzEk,iv:1lRYausj7V/53sfSO9UnJ2OC/Si94JXgIo81Ld74BE8=,tag:5osQU/67bvFeUGA90BSiIA==,type:str]
shop_auth: ENC[AES256_GCM,data:0NDIRjmGwlSFls12sCb5OlgyGTCHpPQIjycEJGhYlZsWKhEYXV2u3g1RHMkF8Ny913jarjf0BgwSq5pBD9rgPL9t8X8=,iv:3jgCv/Gg93Mhdm4eYzwF9QrK14QL2bcC4wwSajCA88o=,tag:h8dhMK46hABv9gYW4johkA==,type:str]
njala_api_key: ENC[AES256_GCM,data:T9cZas/3ju54h22SaDnx/dx4lhJiMi6foRilxSDxQ+e0bw2A8szkFPdxqK6XSuRckCUg3YI=,iv:HonCrH0H2rfUC7VMk8jRV/12NJBXh8uICos0OAHfETI=,tag:aGoiGzljuoX2RoPDlOKgOA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk
enc: |
@@ -22,8 +25,8 @@ sops:
QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP
SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-20T18:33:24Z"
mac: ENC[AES256_GCM,data:JpZRz3fUMkGbIVVtP1TerhQ+BY3nOsgJsTxb7Uqw9RL7JxvurbWeYK9GTAUzJeGi5O7XQia6/M2MI+K1xxGF4AM7NeSLiZEfGeGC4zmV7inIFgNJy/1lUdnsnZkw8NeOKx16t1b+GqY4xGhDcpVU12RaU4D7/Z0BBM+soc9O6hg=,iv:Um49dRgm5i0I0BrWqsEwn4zjm8eOdnl6SQgG9gScCXU=,tag:0JaSpb8V4WoismawGEYTlg==,type:str]
lastmodified: "2025-04-14T10:34:55Z"
mac: ENC[AES256_GCM,data:vcDXtTi0bpqhHnL6XanJo+6a8f5LAE628HazDVaNO34Ll3eRyhi95eYGXQDDkVk2WUn9NJ5oCMPltnU82bpLtskzTfQDuXHaPZJq5gtOuMH/bAKrY0dfShrdyx71LkA4AFlcI1P5hchpbyY1FK3iqe4D0miBv+Q8lCMgQMVrfxI=,iv:1lMzH899K0CnEtm16nyq8FL/aCkSYJVoj7HSKCyUnPg=,tag:mEbkmFNg5VZtSKqq80NrCw==,type:str]
pgp:
- created_at: "2025-02-11T18:32:49Z"
enc: |-
@@ -64,4 +67,4 @@ sops:
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.11.0
version: 3.9.4

100
machines/hosts.nix
View File

@@ -1,102 +1,82 @@
{ ... }:
let
createMaloNet = hostId: mac: {
local = true;
hostId = hostId;
address = "192.168.1.${hostId}";
gateway = "192.168.1.1";
nameservers = [ "192.168.1.17" "1.1.1.1" ]; #setting ns1 as nameserver
mac = mac;
};
createOffsiteNet = hostId: mac: {
local = false;
hostId = hostId;
address = "10.0.0.${hostId}";
gateway = "10.0.0.1";
nameservers = [ "1.1.1.1" ];
mac = mac;
};
in
{
#TODO: fix local 192.168.1.0/24 addresses they are just palceholders!
malobeo = {
hosts = {
louise = {
type = "host";
network = {
local = true;
hostId = "11";
address = "192.168.1.101";
};
};
bakunin = {
type = "host";
network = {
local = true;
hostId = "12";
address = "192.168.1.12";
};
};
fanny = {
type = "host";
network = {
local = true;
hostId = "13";
address = "192.168.1.13";
};
};
lucia = {
type = "rpi";
network = {
local = true;
hostId = "15";
address = "192.168.1.15";
};
};
durruti = {
type = "microvm";
network = createMaloNet "5" "52:DA:0D:F9:EF:F9";
network = {
address = "10.0.0.5";
mac = "52:DA:0D:F9:EF:F9";
};
};
vpn = {
type = "microvm";
network = createOffsiteNet "10" "52:DA:0D:F9:EF:E6";
network = {
address = "10.0.0.10";
mac = "D0:E5:CA:F0:D7:E6";
};
};
infradocs = {
type = "microvm";
network = createMaloNet "11" "52:DA:0D:F9:EF:E7";
network = {
address = "10.0.0.11";
mac = "D0:E5:CA:F0:D7:E7";
};
};
uptimekuma = {
type = "microvm";
network = createOffsiteNet "12" "52:DA:0D:F9:EF:E8";
network = {
address = "10.0.0.12";
mac = "D0:E5:CA:F0:D7:E8";
};
};
nextcloud = {
type = "microvm";
network = createMaloNet "13" "52:DA:0D:F9:EF:E9";
network = {
address = "10.0.0.13";
mac = "D0:E5:CA:F0:D7:E9";
};
};
overwatch = {
type = "microvm";
network = createMaloNet "14" "52:DA:0D:F9:EF:E0";
network = {
address = "10.0.0.14";
mac = "D0:E5:CA:F0:D7:E0";
};
};
zineshop = {
type = "microvm";
network = createMaloNet "15" "52:DA:0D:F9:EF:F1";
network = {
address = "10.0.0.15";
mac = "D0:E5:CA:F0:D7:F1";
};
};
ns1 = {
type = "microvm";
network = createMaloNet "17" "52:DA:0D:F9:EF:F3";
testvm = {
type = "host";
};
};
};

1
machines/infradocs/configuration.nix
View File

@@ -19,6 +19,7 @@ with lib;
enable = true;
enablePromtail = true;
logNginx = true;
lokiHost = "10.0.0.14";
};
system.stateVersion = "22.11"; # Did you read the comment?

2
machines/louise/configuration.nix
View File

@@ -31,7 +31,7 @@
firefox
thunderbird
telegram-desktop
tor-browser
tor-browser-bundle-bin
keepassxc
libreoffice
gimp

25
machines/modules/host_builder.nix
View File

@@ -43,7 +43,7 @@ rec {
];
defaultModules = baseModules;
makeMicroVM = hostName: network: modules: [
makeMicroVM = hostName: ipv4Addr: macAddr: modules: [
{
microvm = {
hypervisor = "cloud-hypervisor";
@@ -83,7 +83,7 @@ rec {
{
type = "tap";
id = "vm-${hostName}";
mac = "${network.mac}";
mac = "${macAddr}";
}
];
};
@@ -93,9 +93,9 @@ rec {
systemd.network.networks."20-lan" = {
matchConfig.Type = "ether";
networkConfig = {
Address = [ "${network.address}/24" ];
Gateway = "${network.gateway}";
DNS = network.nameservers;
Address = [ "${ipv4Addr}/24" ];
Gateway = "10.0.0.1";
DNS = ["1.1.1.1"];
DHCP = "no";
};
};
@@ -165,16 +165,6 @@ rec {
});
};
systemd.network.networks."20-lan" = pkgs.lib.mkForce {
matchConfig.Type = "ether";
networkConfig = {
Address = [ "10.0.0.${hosts.malobeo.hosts.${hostname}.network.hostId}/24" ];
Gateway = "10.0.0.1";
DNS = [ "1.1.1.1" ];
DHCP = "no";
};
};
boot.isContainer = pkgs.lib.mkForce false;
services.timesyncd.enable = false;
users.users.root.password = "";
@@ -220,7 +210,8 @@ rec {
specialArgs.self = self;
config = {
imports = (makeMicroVM "${name}"
hosts.malobeo.hosts.${name}.network [
"${hosts.malobeo.hosts.${name}.network.address}"
"${hosts.malobeo.hosts.${name}.network.mac}" [
../${name}/configuration.nix
(vmMicroVMOverwrites name {
withNetworking = true;
@@ -259,7 +250,7 @@ rec {
modules = (if (settings.type != "microvm") then
defaultModules ++ [ ../${host}/configuration.nix ]
else
makeMicroVM "${host}" settings.network [
makeMicroVM "${host}" "${settings.network.address}" "${settings.network.mac}" [
inputs.microvm.nixosModules.microvm
../${host}/configuration.nix
]);

47
machines/modules/malobeo/initssh.nix
View File

@@ -22,11 +22,6 @@ in
description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
example = "r8169";
};
zfsExtraPools = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "Name or GUID of extra ZFS pools that you wish to import during boot.";
};
};
config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
@@ -37,43 +32,35 @@ in
zfs = {
forceImportAll = true;
requestEncryptionCredentials = true;
extraPools = cfg.zfsExtraPools;
};
initrd = {
availableKernelModules = cfg.ethernetDrivers;
systemd = {
initrdBin = [ pkgs.busybox pkgs.wireguard-tools pkgs.iproute2 ];
enable = true;
network.enable = true;
services."stopInitVpn" = {
description = "stop init vpn";
wantedBy = [
"initrd.target"
];
after = [
"zfs.target"
];
serviceConfig.StandardOutput = "journal+console";
script = ''
networkctl down wg-initrd
'';
serviceConfig.Type = "oneshot";
};
};
network = {
flushBeforeStage2 = true;
ssh = {
enable = true;
port = 222;
authorizedKeys = cfg.authorizedKeys;
hostKeys = [ "/etc/ssh/initrd" ];
};
network.ssh = {
enable = true;
port = 222;
authorizedKeys = cfg.authorizedKeys;
hostKeys = [ "/etc/ssh/initrd" ];
};
secrets = {
"/etc/ssh/initrd" = "/etc/ssh/initrd";
};
systemd.services.zfs-remote-unlock = {
description = "Prepare for ZFS remote unlock";
wantedBy = ["initrd.target"];
after = ["systemd-networkd.service"];
path = with pkgs; [ zfs ];
serviceConfig.Type = "oneshot";
script = ''
echo "systemctl default" >> /var/empty/.profile
'';
};
};
kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
};
};
}
}

3
machines/modules/malobeo/metrics.nix
View File

@@ -1,7 +1,6 @@
{ config, lib, pkgs, ... }:
let
cfg = config.malobeo.metrics;
hosts = import ../../hosts.nix {};
in
{
options.malobeo.metrics = {
@@ -22,7 +21,7 @@ in
};
lokiHost = lib.mkOption {
type = lib.types.str;
default = hosts.malobeo.hosts.overwatch.network.address;
default = "10.0.0.14";
description = "Address of loki host";
};
};

60
machines/modules/malobeo/microvm_host.nix
View File

@@ -14,26 +14,6 @@ in
description = lib.mdDoc "Setup bridge device for microvms.";
};
interface = mkOption {
default = "eno1";
type = types.str;
};
gateway = mkOption {
default = "10.0.0.1";
type = types.str;
};
address = mkOption {
default = "10.0.0.1/24";
type = types.str;
};
dns = mkOption {
default = [ "1.1.1.1" ];
type = types.listOf types.str;
};
enableHostBridgeUnstable = mkOption {
default = false;
type = types.bool;
@@ -67,29 +47,29 @@ in
systemd.network = mkIf (cfg.enableHostBridge || cfg.enableHostBridgeUnstable) {
enable = true;
networks."10-lan" = {
matchConfig.Name = [ "${cfg.interface}" "vm-*"];
networkConfig = {
Bridge = "malobeo0";
};
# create a bride device that all the microvms will be connected to
netdevs."10-microvm".netdevConfig = {
Kind = "bridge";
Name = "microvm";
};
netdevs."malobeo0" = {
netdevConfig = {
Name = "malobeo0";
Kind = "bridge";
};
};
networks."10-lan-bridge" = {
matchConfig.Name = "malobeo0";
networks."10-microvm" = {
matchConfig.Name = "microvm";
networkConfig = {
Address = [ "${cfg.address}" ];
Gateway = "${cfg.gateway}";
DNS = cfg.dns;
IPv6AcceptRA = true;
DHCPServer = true;
IPv6SendRA = true;
};
linkConfig.RequiredForOnline = "routable";
addresses = if cfg.enableHostBridgeUnstable then [
{ Address = "10.0.0.1/24"; }
] else [
{ Address = "10.0.0.1/24"; }
];
};
# connect the vms to the bridge
networks."11-microvm" = {
matchConfig.Name = "vm-*";
networkConfig.Bridge = "microvm";
};
};

8
machines/modules/malobeo/peers.nix
View File

@@ -44,14 +44,6 @@
publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
};
"fanny-initrd" = {
role = "client";
address = "10.100.0.102";
allowedIPs = [ "10.100.0.102/32" ];
#TODO: UPDATE
publicKey = "h1A2yt7OQ5EJIilC8tQg203u27o6J6/c+Kd/pZ4UWAY=";
};
"backup0" = {
role = "client";
address = "10.100.0.20";

41
machines/modules/malobeo/zones.nix
View File

@@ -1,41 +0,0 @@
{ inputs }:
let
vpnNS = "vpn";
localNS = "hq";
peers = import ./peers.nix;
hosts = ((import ../../hosts.nix ) {}).malobeo.hosts;
in
{
SOA = {
nameServer = "ns1";
adminEmail = "admin@malobeo.org";
serial = 2019030801;
};
useOrigin = false;
NS = [
"ns1.malobeo.org."
];
subdomains = {
ns1 = {
A = [ hosts.ns1.network.address ];
};
${localNS} = {
A = [ hosts.fanny.network.address ];
subdomains = builtins.mapAttrs (name: value: if value.network.local == true then {
A = [ value.network.address ];
} else {}) hosts;
};
${vpnNS} = {
A = [ peers.vpn.address ];
subdomains = builtins.mapAttrs (name: value: if value.role != "server" then {
A = [ value.address ];
} else {}) peers;
};
};
}

22
machines/nextcloud/configuration.nix
View File

@@ -2,9 +2,6 @@
with lib;
let
hosts = import ../hosts.nix {};
in
{
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
@@ -31,15 +28,12 @@ in
enable = true;
enablePromtail = true;
logNginx = true;
};
services.postgresqlBackup = {
enable = true;
lokiHost = "10.0.0.14";
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud32;
package = pkgs.nextcloud31;
hostName = "cloud.malobeo.org";
config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
maxUploadSize = "10G";
@@ -53,16 +47,16 @@ in
};
extraAppsEnable = true;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) contacts calendar polls registration collectives forms;
deck = pkgs.fetchNextcloudApp {
sha256 = "sha256-epjwIANb6vTNx9KqaG6jZc14YPoFMBTCj+/c9JHcWkA=";
url = "https://link.storjshare.io/raw/jvrl62dakd6htpyxohjkiiqiw5ma/mal/deck32.tar.gz";
inherit (config.services.nextcloud.package.packages.apps) contacts calendar deck polls registration collectives forms;
appointments = pkgs.fetchNextcloudApp {
sha256 = "sha256-ls1rLnsX7U9wo2WkEtzhrvliTcWUl6LWXolE/9etJ78=";
url = "https://github.com/SergeyMosin/Appointments/raw/refs/tags/v2.4.3/build/artifacts/appstore/appointments.tar.gz";
license = "agpl3Plus";
};
};
settings = {
trusted_domains = [ "cloud.malobeo.org" ];
trusted_proxies = [ hosts.malobeo.hosts.fanny.network.address ];
trusted_domains = ["10.0.0.13"];
trusted_proxies = [ "10.0.0.1" ];
"maintenance_window_start" = "1";
"default_phone_region" = "DE";
};

52
machines/ns1/configuration.nix
View File

@@ -1,52 +0,0 @@
{ config, self, lib, inputs, pkgs, ... }:
with lib;
with inputs;
let
dns = inputs.dns;
in
{
networking = {
hostName = mkDefault "ns1";
useDHCP = false;
};
imports = [
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
../modules/autoupdate.nix
];
networking.firewall = {
enable = true;
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
services.bind = {
enable = true;
forwarders = [
"1.1.1.1"
"1.0.0.1"
];
cacheNetworks = [
"127.0.0.0/24"
"10.0.0.0/24"
"192.168.1.0/24"
"10.100.0.0/24"
];
zones = {
"malobeo.org" = {
master = true;
file = pkgs.writeText "zone-malobeo.org" (dns.lib.toString "malobeo.org" (import ../modules/malobeo/zones.nix { inherit inputs; }));
};
};
};
system.stateVersion = "22.11"; # Did you read the comment?
}

23
machines/overwatch/configuration.nix
View File

@@ -2,9 +2,6 @@
with lib;
let
hosts = import ../hosts.nix {};
in
{
networking = {
hostName = mkDefault "overwatch";
@@ -15,7 +12,6 @@ in
self.nixosModules.malobeo.metrics
../modules/malobeo_user.nix
../modules/sshd.nix
./printer_module.nix
];
networking.firewall.allowedTCPPorts = [ 80 3100 ];
@@ -24,6 +20,7 @@ in
enable = true;
enablePromtail = true;
logNginx = false;
lokiHost = "10.0.0.14";
};
services.grafana = {
@@ -80,8 +77,6 @@ in
};
};
};
printer_scraping.enable = true;
services.prometheus = {
enable = true;
@@ -94,40 +89,34 @@ in
targets = [ "127.0.0.1:9002" ];
}];
}
{
job_name = "printer";
static_configs = [{
targets = [ "127.0.0.1:9091" ];
}];
}
{
job_name = "durruti";
static_configs = [{
targets = [ "${hosts.malobeo.hosts.durruti.network.address}:9002" ];
targets = [ "10.0.0.5:9002" ];
}];
}
{
job_name = "infradocs";
static_configs = [{
targets = [ "${hosts.malobeo.hosts.infradocs.network.address}:9002" ];
targets = [ "10.0.0.11:9002" ];
}];
}
{
job_name = "nextcloud";
static_configs = [{
targets = [ "${hosts.malobeo.hosts.nextcloud.network.address}:9002" ];
targets = [ "10.0.0.13:9002" ];
}];
}
{
job_name = "zineshop";
static_configs = [{
targets = [ "${hosts.malobeo.hosts.zineshop.network.address}:9002" ];
targets = [ "10.0.0.15:9002" ];
}];
}
{
job_name = "fanny";
static_configs = [{
targets = [ "${hosts.malobeo.hosts.fanny.network.address}:9002" ];
targets = [ "10.0.0.1:9002" ];
}];
}
# add vpn - check how to reach it first. most probably 10.100.0.1

4
machines/overwatch/dashboards/node_full.json
View File

@@ -23750,8 +23750,8 @@
},
{
"current": {
"text": "192.168.1.13:9002",
"value": "192.168.1.13:9002"
"text": "10.0.0.13:9002",
"value": "10.0.0.13:9002"
},
"datasource": {
"type": "prometheus",

33
machines/overwatch/printer_module.nix
View File

@@ -1,33 +0,0 @@
{config, lib, pkgs, ...}:
{
options.printer_scraping = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable the script to pull data from the printer";
};
timer = lib.mkOption {
type = lib.types.str;
default = "1m";
description = "systemd timer for script execution";
};
};
config = lib.mkIf config.printer_scraping.enable {
systemd.services."printer-scraping" = {
description = "Pull printer stats and upload to influxdb";
serviceConfig.Type = "oneshot";
path = with pkgs; [yq jq curl bash];
script = "bash ${./pull_info.sh}";
};
systemd.timers."printer-scraping" = {
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "5s";
OnUnitActiveSec = config.printer_scraping.timer;
Unit = "printer-scraping.service";
};
};
services.prometheus.pushgateway.enable = true; #Im not dealing with influx
};
}

2
machines/overwatch/promtail.yaml
View File

@@ -6,7 +6,7 @@ positions:
filename: /tmp/positions.yaml
clients:
- url: http://192.168.1.13:3100/loki/api/v1/push
- url: http://10.0.0.13:3100/loki/api/v1/push
scrape_configs:

133
machines/overwatch/pull_info.sh
View File

@@ -1,133 +0,0 @@
#!/usr/bin/env bash
set -eo pipefail
for command in "jq" "xq" "grep" "curl" "sed"
do
if ! command -v $command >/dev/null 2>&1
then
echo "$command could not be found"
exit 1
fi
done
#Functions---------------
get_cookie () {
if [[ $1 == "-d" ]]; then
cookie=$(cat request_example_1.txt)
else
cookie=$(curl -s -D - -X GET http://192.168.1.42/wcd/index.html)
fi
exitCode="$?"
if [[ $exitCode == "7" ]];
then
echo "Server offline"
exit 0
elif [[ $exitCode != "0" ]];
then
echo "Something went wrong"
exit 1
fi
cookie=$(echo "$cookie" | grep Set-Cookie | grep -oP "ID=\K[^.]+" )
if [[ $cookie == "" ]]
then
echo "No cookie got!"
exit 1
fi
}
get_values () {
local path="$1"
local -n keys=$2
local name="$3"
local_system_counter_data=$(echo "$system_counter_data" | jq "$path | .[]")
for key in "${keys[@]}";
do
value=$(echo "$local_system_counter_data" |
jq "select(.Type==\"$key\") | .Count" |
sed 's/"//g'
)
valueStore=$(echo "$valueStore"; echo "$name"_"$key" "$value")
done
}
get_values_DeviceStatus () {
local -n keys=$1
local name="$2"
local_system_counter_data=$(echo "$system_counter_data" | jq ".MFP.Common.DeviceStatus")
for key in "${keys[@]}";
do
value=$(echo "$local_system_counter_data" |
jq ".$key" |
sed 's/"//g'
)
valueStore=$(echo "$valueStore"; echo "$name"_"$key" "$value")
done
}
get_values_consumables () {
local -n keys=$1
local name="$2"
local_system_consumables_data=$(echo "$system_consumables_data" | jq ".[] |.DeviceInfo.ConsumableList.Consumable | .[]")
for key in "${keys[@]}";
do
value=$(
echo "$local_system_consumables_data" |
jq "select(.Name==\"$key\") | .CurrentLevel.LevelPer" |
sed 's/"//g'
)
valueStore=$(echo "$valueStore"; echo "$name"_"${key//[^a-zA-Z_-]/_}" "$value")
done
}
#End Functions----------
#Variables-----------------------
system_counter_DeviceStatus_keys=("ScanStatus" "PrintStatus" "Processing" "NetworkErrorStatus" "KmSaasgw" "HddMirroringErrorStatus")
system_counter_TotalCounter_keys=("Total" "DuplexTotal" "Document" "Paper" "TotalLarge" "PrintPageTotal" "PaperSizeA3" "PaperSizeA4" "PaperSizeB4" "PaperSizeB5" "PaperSizeOther" "Nin12in1" "PaperTypeNormal" "PaperTypeOther")
system_counter_FullColorCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
system_counter_BlackCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
system_counter_DoubleColorCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
system_counter_CopyCounter_keys=("BwTotal" "FullColorTotal" "Total" "BwLarge" "FullColorLarge" "BiColorLarge")
system_counter_PrintCounter_keys=("BwTotal" "FullColorTotal" "BiColorTotal" "Total" "BwLarge" "FullColorLarge" "BiColorLarge")
system_counter_ScanFaxCounter_keys=("DocumentReadTotal" "DocumentReadLarge" "FaxReceive" "FaxSend")
system_consumables_base_keys=("Toner (Yellow)" "Toner (Magenta)" "Toner (Cyan)" "Toner (Black)" "Drum Cartridge (Cyan)" "Developer Cartridge (Cyan)" "Drum Cartridge (Magenta)" "Developer Cartridge (Magenta)" "Drum Cartridge (Yellow)" "Developer Cartridge (Yellow)" "Drum Cartridge (Black)" "Developer Cartridge (Black)" "Fusing Unit" "Image Transfer Belt Unit" "Transfer Roller Unit")
#End Variables-------------
echo "Getting cookie"
get_cookie "$@"
echo "Start extracting info from system_counter"
if [[ $1 == "-d" ]]; then
system_counter_data=$(cat system_counter.xml |xq)
else
system_counter_data=$(curl -s -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=$cookie" |xq)
fi
get_values ".MFP.Count.UserCounterInfo.TotalCounterList.TotalCounter" system_counter_TotalCounter_keys TotalCounter
get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.FullColorCounterList.FullColorCounter" system_counter_FullColorCounter_keys FullColorCounter
get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.BlackCounterList.BlackCounter" system_counter_BlackCounter_keys BlackCounter
get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.DoubleColorCounterList.DoubleColorCounter" system_counter_DoubleColorCounter_keys DoubleColorCounter
get_values ".MFP.Count.UserCounterInfo.CopyCounterList.CopyCounter" system_counter_CopyCounter_keys CopyCounter
get_values ".MFP.Count.UserCounterInfo.ScanFaxCounterList.ScanFaxCounter" system_counter_ScanFaxCounter_keys ScanFaxCounter
get_values_DeviceStatus system_counter_DeviceStatus_keys DeviceStatus
echo "Start extracting info from system_consumables"
if [[ $1 == "-d" ]]; then
system_consumables_data=$(cat system_consumables.xml |xq)
else
system_consumables_data=$(curl -s -X GET http://192.168.1.42/wcd/system_consumable.xml -H "Cookie: ID=$cookie" |xq)
fi
get_values_consumables system_consumables_base_keys Consumables
echo "Sending data to prometheus-pushgateway..."
echo "$valueStore" | curl -s --data-binary @- http://localhost:9091/metrics/job/printer
echo "Success!"
exit 0

2
machines/ssh_keys.nix
View File

@@ -7,6 +7,6 @@
];
backup = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIGryhnXdmbGObONG88K+c9zeduMrwtoLHwzMDZg3UXB+Cnq2FXWOrlLZxA+95VUgHpyGZiykJmzeWrKhldDlDeGGd8QCCLeuliiOgXADTYjWaVfhd+6arPZrK2VtqqsguvH40gW1xfoGAOmAT4WFnxWxIaEip0V2u6NOoKTiH9I3bz2Qe4lfJvPXig+XwCXcukXd6XUkDFYDpiw8XNV3X7pqTus5d2RYR97bAhIYZZQ6h50ZpTY8N0lFh4RY5yfx8BhxJW3tfoi9uZvVuPx7dGPsZsSniENFPMNz3UwHGitTJMr4088cJrAGgd5lyFuLouiHiM2JMGA0wx9wWTbWJEwTLaTVQK9gSJf857ndV2zCh9vKlfko4w9bQgqxKg4U/mY8dXX1E7D51nD2ci8Ed+ZG+NEneFLyZhLsD82GkBY+YovA+4xm/pcx+hBhlyqGNxI8v+Jh+JhEyD/ZLgJfq3ZMbGIGsTiDwZ2flLLxImHHEoDoT6PHU6hDhPDJu560="
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPP4s6qNKwtu2l5DRKU/Xo6lMRztqNw/MOVsKx58kUE8 root@silizium"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJKl5FWPskhlnzJs1+mMYrVTMNnRG92uFKUgGlteTPhL"
];
}

31
machines/vpn/configuration.nix
View File

@@ -40,6 +40,15 @@ with lib;
};
};
virtualHosts."cloud.malobeo.org" = {
locations."/" = {
proxyPass = "http://10.100.0.101";
extraConfig = ''
proxy_set_header Host $host;
'';
};
};
virtualHosts."grafana.malobeo.org" = {
locations."/" = {
proxyPass = "http://10.100.0.101";
@@ -57,6 +66,28 @@ with lib;
'';
};
};
virtualHosts."zines.malobeo.org" = {
locations."/" = {
proxyPass = "http://10.100.0.101";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Authorization $http_authorization; # Pass the Authorization header
proxy_pass_header Authorization;
client_body_in_file_only clean;
client_body_buffer_size 32K;
client_max_body_size 50M;
sendfile on;
send_timeout 300s;
'';
};
};
};
system.stateVersion = "22.11"; # Did you read the comment?

1
machines/zineshop/configuration.nix
View File

@@ -20,6 +20,7 @@ with lib;
enable = true;
enablePromtail = true;
logNginx = true;
lokiHost = "10.0.0.14";
};
services.printing.enable = true;

6
scripts/add_new_host_keys.sh
View File

@@ -31,13 +31,10 @@ cd "$pwpath"
# Generate SSH keys
ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
wg genkey > wg.private
publickey=$(cat wg.private | wg pubkey)
#encrypt the private keys
sops -e -i ./$hostkey
sops -e -i ./$initrdkey
sops -e -i ./wg.private
#generate encryption key
tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
@@ -48,9 +45,6 @@ echo
echo "Hier ist der age public key für sops etc:"
echo "$(ssh-to-age -i ./"$hostkey".pub)"
echo
echo "Hier ist der wireguard pubkey für das gerät"
echo "$publickey"
echo
echo "Hier ist eine reproduzierbare mac-addresse:"
echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'

3
scripts/remote-install-encrypt.sh
View File

@@ -40,9 +40,7 @@ trap cleanup EXIT
# Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/etc/ssh/"
install -d -m755 "$temp/etc/wireguard/"
##TODO:: wg genkey + pubkey --> /etc/wireguard/wg.private
diskKey=$(sops -d $pwpath/disk.key)
echo "$diskKey" > /tmp/secret.key
@@ -50,7 +48,6 @@ sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
sops -d "$pwpath/wg.private" > "$temp/etc/wireguard/wg.private"
# # Set the correct permissions so sshd will accept the key
chmod 600 "$temp/etc/ssh/$hostname"
chmod 600 "$temp/etc/ssh/initrd"

8
scripts/unlock-boot.sh
View File

@@ -24,16 +24,14 @@ diskkey=$(sops -d machines/$hostname/secrets/disk.key)
echo
if [ $# = 1 ]
then
ssh $sshoptions root@$hostname-initrd "zpool import -a"
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "zfs load-key storage/encrypted" #root
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data
elif [ $# = 2 ]
then
ip=$2
ssh $sshoptions root@$ip "zpool import -a"
echo "$diskkey" | ssh $sshoptions root@$ip "zfs load-key storage/encrypted"
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent"
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #data
else
echo