lukas/puter
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

pluh 🗣

Browse source
This commit is contained in:
Lukas Wurzinger 2025-03-01 22:21:00 +01:00
parent 3ad9944baa
commit 668140531b
No known key found for this signature in database
59 changed files with 985 additions and 219 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
README.md
View file

@ -1,3 +1,11 @@
# :snowflake: puter # :snowflake: puter
This is my cobbled together NixOS configuration. There are many like it, but this one is mine. Copy at your own risk. This is my cobbled together NixOS configuration. There are many like it, but this one is mine. Copy at your own risk.
## TODO
- [ ] lanzaboote
- [ ] monitoring (prometheus)
- [ ] logging (loki)
- [ ] kiosk
- [ ] tailscale and headscale

15
classes/headful/cosmic.nix Normal file
View file

@ -0,0 +1,15 @@
{inputs, ...}: {
imports = [
inputs.nixos-cosmic.nixosModules.default
];
nix.settings = {
substituters = ["https://cosmic.cachix.org/"];
trusted-public-keys = ["cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="];
};
services = {
desktopManager.cosmic.enable = true;
displayManager.cosmic-greeter.enable = true;
};
}

15
classes/headful/fs.nix
View file

@ -1,15 +0,0 @@
{
boot.initrd.luks.devices.main.device = "/dev/disk/by-label/cryptmain";
fileSystems = {
"/" = {
fsType = "ext4";
device = "/dev/mapper/main";
options = ["noatime"];
};
"/boot" = {
label = "BOOT";
fsType = "vfat";
};
};
}

5
classes/headful/gtk.nix Normal file
View file

@ -0,0 +1,5 @@
{
xdg.portal.extraPortals = [pkgs.xdg-desktop-portal-gtk];
programs.dconf.enable = true;
}

5
classes/headful/hardware.nix
View file

@ -7,15 +7,10 @@
opentabletdriver.enable = true; opentabletdriver.enable = true;
graphics = { graphics = {
enable = true; enable = true;
enable32Bit = true;
extraPackages = [ extraPackages = [
pkgs.libvdpau-va-gl pkgs.libvdpau-va-gl
pkgs.vaapiVdpau pkgs.vaapiVdpau
]; ];
extraPackages32 = [
pkgs.pkgsi686Linux.libvdpau-va-gl
pkgs.pkgsi686Linux.vaapiVdpau
];
}; };
}; };
} }

27
classes/headful/plasma.nix
View file

@ -1,27 +0,0 @@
{pkgs, ...}: {
services = {
desktopManager.plasma6.enable = true;
displayManager.sddm = {
enable = true;
wayland.enable = true;
};
};
environment.systemPackages = [
pkgs.kdePackages.sddm-kcm
pkgs.kdePackages.discover
pkgs.kdePackages.kate
];
programs = {
kdeconnect.enable = true;
partition-manager.enable = true;
};
xdg.portal = {
xdgOpenUsePortal = true;
extraPortals = [pkgs.xdg-desktop-portal-gtk];
};
programs.dconf.enable = true;
}

43
classes/headless/grafana.nix Normal file
View file

@ -0,0 +1,43 @@
{
services.grafana = {
enable = true;
domain = "grafana.pele";
port = 9010;
addr = "127.0.0.1";
# WARNING: this should match nginx setup!
# prevents "Request origin is not authorized"
rootUrl = "http://192.168.1.10:8010"; # helps with nginx / ws / live
protocol = "http";
analytics.reporting.enable = false;
provision = {
enable = true;
datasources = [
{
name = "Prometheus";
type = "prometheus";
access = "proxy";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
}
{
name = "Loki";
type = "loki";
access = "proxy";
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
}
];
};
};
services.nginx.virtualHosts.${config.services.grafana.domain} = {
locations."/" = {
proxyPass = "http://${lib.formatHostPort {
host = config.services.grafana.addr;
inherit (config.services.grafana) port;
}}";
proxyWebsockets = true;
};
};
}

79
classes/headless/loki.nix Normal file
View file

@ -0,0 +1,79 @@
{
services.loki = {
enable = true;
configuration = {
server.http_listen_port = 3030;
auth_enabled = false;
ingester = {
lifecycler = {
address = "127.0.0.1";
ring = {
kvstore = {
store = "inmemory";
};
replication_factor = 1;
};
};
chunk_idle_period = "1h";
max_chunk_age = "1h";
chunk_target_size = 999999;
chunk_retain_period = "30s";
max_transfer_retries = 0;
};
schema_config = {
configs = [
{
from = "2022-06-06";
store = "boltdb-shipper";
object_store = "filesystem";
schema = "v12";
index = {
prefix = "index_";
period = "24h";
};
}
];
};
storage_config = {
boltdb_shipper = {
active_index_directory = "/var/lib/loki/boltdb-shipper-active";
cache_location = "/var/lib/loki/boltdb-shipper-cache";
cache_ttl = "24h";
shared_store = "filesystem";
};
filesystem = {
directory = "/var/lib/loki/chunks";
};
};
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h";
};
chunk_store_config = {
max_look_back_period = "0s";
};
table_manager = {
retention_deletes_enabled = false;
retention_period = "0s";
};
compactor = {
working_directory = "/var/lib/loki";
shared_store = "filesystem";
compactor_ring = {
kvstore = {
store = "inmemory";
};
};
};
};
# user, group, dataDir, extraFlags, (configFile)
};
}

34
classes/headless/prometheus.nix Normal file
View file

@ -0,0 +1,34 @@
{
config,
lib,
...
}: {
services.prometheus = {
enable = true;
port = 3020;
exporters = {
node = {
enable = true;
port = 3021;
enabledCollectors = ["systemd"];
};
};
scrapeConfigs = [
{
job_name = "nodes";
static_configs = [
{
targets = let
target = lib.formatHostPort {
host = config.services.prometheus.exporters.node.listenAddr;
inherit (config.services.prometheus.exporters.node) port;
};
in [target];
}
];
}
];
};
}

42
classes/headless/promtail.nix Normal file
View file

@ -0,0 +1,42 @@
{config, ...}: {
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3031;
grpc_listen_port = 0;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [
{
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = "pihole";
};
};
relabel_configs = [
{
source_labels = ["__journal__systemd_unit"];
target_label = "unit";
}
];
}
];
};
# extraFlags
};
}

31
classes/kiosk/cosmic.nix Normal file
View file

@ -0,0 +1,31 @@
{
config,
inputs,
pkgs,
...
}: {
imports = [
inputs.nixos-cosmic.nixosModules.default
];
nix.settings = {
substituters = ["https://cosmic.cachix.org/"];
trusted-public-keys = ["cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="];
};
services = {
desktopManager.cosmic.enable = true;
displayManager.cosmic-greeter.enable = true;
greetd.settings.initial_session = {
user = config.users.mainUser;
command = ''
${lib.getExe' pkgs.coreutils "env"} XCURSOR_THEME="''${XCURSOR_THEME:-Pop}" systemd-cat --identifier start-cosmic ${lib.getExe' pkgs.cosmic-session "start-cosmic"}
'';
};
};
environment.cosmic.excludePackages = [
pkgs.cosmic-store
];
}

14
classes/kiosk/flatpak.nix Normal file
View file

@ -0,0 +1,14 @@
{inputs, ...}: {
imports = [
inputs.flatpak.nixosModules.nix-flatpak
];
services.flatpak = {
enable = true;
update.auto = {
enable = true;
onCalendar = "weekly";
};
};
}

26
classes/kiosk/fonts.nix Normal file
View file

@ -0,0 +1,26 @@
{pkgs, ...}: {
fonts = {
enableDefaultPackages = true;
packages = [
pkgs.noto-fonts
pkgs.noto-fonts-extra
pkgs.noto-fonts-cjk-sans
pkgs.noto-fonts-cjk-serif
pkgs.noto-fonts-monochrome-emoji
pkgs.noto-fonts-color-emoji
];
fontconfig = {
enable = true;
defaultFonts = {
monospace = ["Noto Sans Mono"];
sansSerif = ["Noto Sans"];
serif = ["Noto Serif"];
emoji = ["Noto Color Emoji" "Noto Emoji"];
};
};
fontDir.enable = true;
};
}

5
classes/kiosk/gtk.nix Normal file
View file

@ -0,0 +1,5 @@
{
xdg.portal.extraPortals = [pkgs.xdg-desktop-portal-gtk];
programs.dconf.enable = true;
}

16
classes/kiosk/hardware.nix Normal file
View file

@ -0,0 +1,16 @@
{pkgs, ...}: {
hardware = {
bluetooth.enable = true;
steam-hardware.enable = true;
xone.enable = true;
xpadneo.enable = true;
opentabletdriver.enable = true;
graphics = {
enable = true;
extraPackages = [
pkgs.libvdpau-va-gl
pkgs.vaapiVdpau
];
};
};
}

3
classes/kiosk/location.nix Normal file
View file

@ -0,0 +1,3 @@
{
location.provider = "geoclue2";
}

6
classes/kiosk/mullvad.nix Normal file
View file

@ -0,0 +1,6 @@
{pkgs, ...}: {
services.mullvad-vpn = {
enable = true;
package = pkgs.mullvad-vpn;
};
}

10
classes/kiosk/networking.nix Normal file
View file

@ -0,0 +1,10 @@
{config, ...}: {
services.resolved.enable = true;
networking.networkmanager = {
enable = true;
dns = "systemd-resolved";
};
users.groups.networkmanager.members = config.users.normalUsers;
}

11
classes/kiosk/pipewire.nix Normal file
View file

@ -0,0 +1,11 @@
{
security.rtkit.enable = true;
services.pipewire = {
enable = true;
wireplumber.enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
}

6
classes/kiosk/wayland.nix Normal file
View file

@ -0,0 +1,6 @@
{
environment.sessionVariables = {
NIXOS_OZONE_WL = "1";
SDL_VIDEODRIVER = "wayland";
};
}

3
classes/kiosk/xdg.nix Normal file
View file

@ -0,0 +1,3 @@
{
xdg.portal.xdgOpenUsePortal = true;
}

5
common/boot.nix
View file

@ -1,4 +1,9 @@
{ {
fileSystems."/boot" = {
label = "BOOT";
fsType = "vfat";
};
boot = { boot = {
loader = { loader = {
systemd-boot = { systemd-boot = {

9
common/nix.nix
View file

@ -9,9 +9,14 @@
nixPath = lib.mapAttrsToList (key: _: "${key}=flake:${key}") config.nix.registry; nixPath = lib.mapAttrsToList (key: _: "${key}=flake:${key}") config.nix.registry;
optimise.automatic = true;
settings = { settings = {
trusted-users = config.users.normalUsers; trusted-users = ["root"] ++ config.users.normalUsers;
experimental-features = "nix-command flakes"; experimental-features = [
"nix-command"
"flakes"
];
auto-optimise-store = true; auto-optimise-store = true;
}; };
}; };

5
common/puter.nix
View file

@ -3,7 +3,10 @@
self, self,
... ...
}: { }: {
environment.systemPackages = [ environment = {
systemPackages = [
self.packages.${pkgs.system}.puter self.packages.${pkgs.system}.puter
]; ];
sessionVariables.PUTER_FLAKEREF = "git+https://forgejo@tea.wrz.one/lukas/puter.git";
};
} }

3
common/users.nix
View file

@ -15,7 +15,8 @@ in {
users = { users = {
root = { root = {
hashedPassword = "!"; hashedPassword = "!";
openssh.authorizedKeys.keys = builtins.attrValues config.pubkeys.hosts; # TODO define this more granularly
openssh.authorizedKeys.keys = [];
}; };
${mainUser} = { ${mainUser} = {
description = "Lukas Wurzinger"; description = "Lukas Wurzinger";

280
flake.lock
View file

@ -35,11 +35,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1728672398, "lastModified": 1737621947,
"narHash": "sha256-KxuGSoVUFnQLB2ZcYODW7AVPAh9JqRlD5BrfsC/Q4qs=", "narHash": "sha256-8HFvG7fvIFbgtaYAY2628Tb89fA55nPm2jSiNs0/Cws=",
"owner": "cachix", "owner": "cachix",
"repo": "cachix", "repo": "cachix",
"rev": "aac51f698309fd0f381149214b7eee213c66ef0a", "rev": "f65a3cd5e339c223471e64c051434616e18cc4f5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -49,6 +49,21 @@
"type": "github" "type": "github"
} }
}, },
"crane": {
"locked": {
"lastModified": 1731098351,
"narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": { "darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -80,11 +95,11 @@
"nixpkgs": "nixpkgs_4" "nixpkgs": "nixpkgs_4"
}, },
"locked": { "locked": {
"lastModified": 1737973553, "lastModified": 1740678151,
"narHash": "sha256-mHi+KLwCPEgGg2x4WVvvNU4BvBSq6HJUkilzrQUShsg=", "narHash": "sha256-q0tKL+Yny0wkLCHRBHQ97YhjorNLnbnyjc+FnQZyKkM=",
"owner": "cachix", "owner": "cachix",
"repo": "devenv", "repo": "devenv",
"rev": "252cfc8ca213dd3627100339d3fcc829fb2d960a", "rev": "af151da5e3d7391fe778050da00d8e7cefa2d087",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -106,6 +121,22 @@
} }
}, },
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1696426674,
@ -121,7 +152,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": { "flake-compat_3": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1733328505, "lastModified": 1733328505,
@ -164,11 +195,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1736143030, "lastModified": 1738453229,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -177,6 +208,43 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flatpak": {
"locked": {
"lastModified": 1739444422,
"narHash": "sha256-iAVVHi7X3kWORftY+LVbRiStRnQEob2TULWyjMS6dWg=",
"owner": "gmodena",
"repo": "nix-flatpak",
"rev": "5e54c3ca05a7c7d968ae1ddeabe01d2a9bc1e177",
"type": "github"
},
"original": {
"owner": "gmodena",
"ref": "latest",
"repo": "nix-flatpak",
"type": "github"
}
},
"git-hooks": { "git-hooks": {
"inputs": { "inputs": {
"flake-compat": [ "flake-compat": [
@ -189,11 +257,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1737301351, "lastModified": 1737465171,
"narHash": "sha256-2UNmLCKORvdBRhPGI8Vx0b6l7M8/QBey/nHLIxOl4jE=", "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "15a87cedeb67e3dbc8d2f7b9831990dffcf4e69f", "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -224,13 +292,35 @@
"type": "github" "type": "github"
} }
}, },
"gitignore_2": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"hardware": { "hardware": {
"locked": { "locked": {
"lastModified": 1737751639, "lastModified": 1740646007,
"narHash": "sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4=", "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "dfad538f751a5aa5d4436d9781ab27a6128ec9d4", "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -260,6 +350,30 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_3",
"nixpkgs": "nixpkgs_5",
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1737639419,
"narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.4.2",
"repo": "lanzaboote",
"type": "github"
}
},
"libgit2": { "libgit2": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -295,11 +409,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1727438425, "lastModified": 1734114420,
"narHash": "sha256-X8ES7I1cfNhR9oKp06F6ir4Np70WGZU5sfCOuNBEwMg=", "narHash": "sha256-n52PUzub5jZWc8nI/sR7UICOheU8rNA+YZ73YaHeCBg=",
"owner": "domenkozar", "owner": "domenkozar",
"repo": "nix", "repo": "nix",
"rev": "f6c5ae4c1b2e411e6b1e6a8181cc84363d6a7546", "rev": "bde6a1a0d1f2af86caa4d20d23eca019f3d57eee",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -327,23 +441,39 @@
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1735774519, "lastModified": 1738452942,
"narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=", "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1730531603, "lastModified": 1733212471,
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -371,11 +501,11 @@
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1716977621, "lastModified": 1733477122,
"narHash": "sha256-Q1UQzYcMJH4RscmpTkjlgqQDX5yi1tZL0O345Ri6vXQ=", "narHash": "sha256-qamMCz5mNpQmgBwc8SB5tVMlD5sbwVIToVZtSxMph9s=",
"owner": "cachix", "owner": "cachix",
"repo": "devenv-nixpkgs", "repo": "devenv-nixpkgs",
"rev": "4267e705586473d3e5c8d50299e71503f16a6fb6", "rev": "7bd9e84d0452f6d2e63b6e6da29fe73fac951857",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -387,11 +517,27 @@
}, },
"nixpkgs_5": { "nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1737885589, "lastModified": 1731919951,
"narHash": "sha256-Zf0hSrtzaM1DEz8//+Xs51k/wdSajticVrATqDrfQjg=", "narHash": "sha256-vOM6ETpl1yu9KLi/icTmLJIPbbdJCdAVYUXZceO/Ce4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "852ff1d9e153d8875a83602e03fdef8a63f0ecf8", "rev": "04386ac325a813047fc314d4b4d838a5b1e3c7fe",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_6": {
"locked": {
"lastModified": 1740695751,
"narHash": "sha256-D+R+kFxy1KsheiIzkkx/6L63wEHBYX21OIwlFV8JvDs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6313551cd05425cd5b3e63fe47dbc324eabb15e4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -401,13 +547,13 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_6": { "nixpkgs_7": {
"locked": { "locked": {
"lastModified": 1737525964, "lastModified": 1740019556,
"narHash": "sha256-3wFonKmNRWKq1himW9N3TllbeGIHFACI5vmLpk6moF8=", "narHash": "sha256-vn285HxnnlHLWnv59Og7muqECNMS33mWLM14soFIv2g=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5757bbb8bd7c0630a0cc4bb19c47e588db30b97c", "rev": "dad564433178067be1fbdfcce23b546254b6d641",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -419,16 +565,16 @@
}, },
"phps": { "phps": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_3",
"nixpkgs": "nixpkgs_6", "nixpkgs": "nixpkgs_7",
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1737949449, "lastModified": 1740296995,
"narHash": "sha256-7yVWKcXYlpvuj1roseMDRSSMMWw+m3PDnwPSwu5BO3A=", "narHash": "sha256-M0bsnyYP5DqO7EKL9ujwXCWKwwlg9F2xUklpMvbd/0s=",
"owner": "fossar", "owner": "fossar",
"repo": "nix-phps", "repo": "nix-phps",
"rev": "f2c3381b4ee144cb650f47e56548490c805decbe", "rev": "6a6be7dd7f86f305deab7799a17af50aff0e3218",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -437,17 +583,67 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore_2",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1731363552,
"narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"devenv": "devenv", "devenv": "devenv",
"devenv-root": "devenv-root", "devenv-root": "devenv-root",
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts_2",
"flatpak": "flatpak",
"hardware": "hardware", "hardware": "hardware",
"nixpkgs": "nixpkgs_5", "lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs_6",
"phps": "phps" "phps": "phps"
} }
}, },
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731897198,
"narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,

2
flake.nix
View file

@ -12,6 +12,8 @@
}; };
devenv.url = "github:cachix/devenv"; devenv.url = "github:cachix/devenv";
phps.url = "github:fossar/nix-phps"; phps.url = "github:fossar/nix-phps";
lanzaboote.url = "github:nix-community/lanzaboote/v0.4.2";
flatpak.url = "github:gmodena/nix-flatpak?ref=latest";
}; };
outputs = { outputs = {

9
hosts/headful/flamingo/filesystems.nix Normal file
View file

@ -0,0 +1,9 @@
{
boot.initrd.luks.devices.main.device = "/dev/disk/by-label/cryptmain";
fileSystems."/" = {
fsType = "ext4";
device = "/dev/mapper/main";
options = ["noatime"];
};
}

9
hosts/headful/glacier/filesystems.nix Normal file
View file

@ -0,0 +1,9 @@
{
boot.initrd.luks.devices.main.device = "/dev/disk/by-label/cryptmain";
fileSystems."/" = {
fsType = "ext4";
device = "/dev/mapper/main";
options = ["noatime"];
};
}

3
hosts/headful/glacier/lanzaboote.nix Normal file
View file

@ -0,0 +1,3 @@
{
setups.secureBoot.enable = true;
}

9
hosts/headful/work/filesystems.nix Normal file
View file

@ -0,0 +1,9 @@
{
boot.initrd.luks.devices.main.device = "/dev/disk/by-label/cryptmain";
fileSystems."/" = {
fsType = "ext4";
device = "/dev/mapper/main";
options = ["noatime"];
};
}

5
hosts/headless/abacus/authorized-keys.nix Normal file
View file

@ -0,0 +1,5 @@
{config, ...}: {
users.users.root.openssh.authorizedKeys.keys = [
config.pubkeys.hosts.vessel
];
}

14
hosts/headless/abacus/filesystems.nix Normal file
View file

@ -0,0 +1,14 @@
{config, ...}: {
fileSystems = {
"/" = {
fsType = "ext4";
label = "main";
options = ["noatime"];
};
${config.services.navidrome.settings.MusicFolder} = {
label = "music";
fsType = "ext4";
options = ["noatime"];
};
};
}

7
hosts/headless/abacus/fs.nix
View file

@ -1,7 +0,0 @@
{config, ...}: {
fileSystems.${config.services.navidrome.settings.MusicFolder} = {
label = "music";
fsType = "ext4";
options = ["noatime"];
};
}

4
hosts/headless/abacus/hardware.nix
View file

@ -1,5 +1,7 @@
{modulesPath, ...}: { {modulesPath, ...}: {
imports = ["${modulesPath}/profiles/qemu-guest.nix"]; imports = [
"${modulesPath}/profiles/qemu-guest.nix"
];
nixpkgs.hostPlatform = "aarch64-linux"; nixpkgs.hostPlatform = "aarch64-linux";

7
classes/headless/fs.nix → hosts/headless/vessel/filesystems.nix
View file

@ -5,9 +5,10 @@
label = "main"; label = "main";
options = ["noatime"]; options = ["noatime"];
}; };
"/boot" = { "/srv/backup" = {
label = "BOOT"; label = "backup";
fsType = "vfat"; fsType = "ext4";
options = ["noatime"];
}; };
}; };
} }

5
hosts/kiosk/insomniac/dolphin.nix Normal file
View file

@ -0,0 +1,5 @@
{
services.flatpak.packages = [
"org.DolphinEmu.dolphin-emu"
];
}

4
hosts/headless/vessel/fs.nix → hosts/kiosk/insomniac/filesystems.nix
View file

@ -1,7 +1,7 @@
{ {
fileSystems."/srv/backup" = { fileSystems."/" = {
label = "backup";
fsType = "ext4"; fsType = "ext4";
label = "main";
options = ["noatime"]; options = ["noatime"];
}; };
} }

5
hosts/kiosk/insomniac/firefox.nix Normal file
View file

@ -0,0 +1,5 @@
{
services.flatpak.packages = [
"org.mozilla.firefox"
];
}

5
hosts/kiosk/insomniac/freetube.nix Normal file
View file

@ -0,0 +1,5 @@
{
services.flatpak.packages = [
"io.freetubeapp.FreeTube"
];
}

25
hosts/kiosk/insomniac/hardware.nix Normal file
View file

@ -0,0 +1,25 @@
{
inputs,
modulesPath,
...
}: {
imports = [
"${modulesPath}/installer/scan/not-detected.nix"
inputs.hardware.nixosModules.common-cpu-amd
inputs.hardware.nixosModules.common-gpu-amd
inputs.hardware.nixosModules.common-pc-ssd
];
nixpkgs.hostPlatform = "x86_64-linux";
boot = {
initrd = {
availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "sd_mod"];
kernelModules = ["amdgpu"];
};
kernelModules = ["kvm-amd"];
};
powerManagement.cpuFreqGovernor = "performance";
}

5
hosts/kiosk/insomniac/rmg.nix Normal file
View file

@ -0,0 +1,5 @@
{
services.flatpak.packages = [
"com.github.Rosalie241.RMG"
];
}

5
hosts/kiosk/insomniac/steam.nix Normal file
View file

@ -0,0 +1,5 @@
{
services.flatpak.packages = [
"com.valvesoftware.Steam"
];
}

3
hosts/kiosk/insomniac/system.nix Normal file
View file

@ -0,0 +1,3 @@
{
system.stateVersion = "24.11";
}

12
hosts/kiosk/insomniac/users.nix Normal file
View file

@ -0,0 +1,12 @@
{
config,
lib,
...
}: let
inherit (config.users) mainUser;
in {
users = {
mainUser = lib.mkForce "user";
users.${mainUser}.description = lib.mkForce "User";
};
}

6
lib.nix
View file

@ -9,6 +9,12 @@ lib: _: {
]) ])
paths; paths;
mkIfElse = condition: trueContent: falseContent:
lib.mkMerge [
(lib.mkIf condition trueContent)
(lib.mkIf (!condition) falseContent)
];
formatHostPort = { formatHostPort = {
host, host,
port, port,

28
modules/secure-boot.nix Normal file
View file

@ -0,0 +1,28 @@
{
config,
lib,
inputs,
pkgs,
...
}: let
cfg = config.setups.secureBoot;
in {
imports = [
inputs.lanzaboote.nixosModules.lanzaboote
];
options.setups.secureBoot.enable = lib.mkEnableOption "Secure Boot";
config = lib.mkIf cfg.enable {
environment.systemPackages = [
pkgs.sbctl
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = lib.mkForce true;
pkiBundle = lib.mkDefault "/var/lib/sbctl";
};
};
}

129
packages/disk/disk.bash
View file

@ -19,49 +19,97 @@ error() {
exit 1 exit 1
} }
args=$(getopt --options r:m:b:l:c: --longoptions=root:,mapping:,boot-label:,main-label:,cryptmain-label: --name "$progname" -- "$@") skip() {
if (($# < 1)); then
error 'name of value to be skipped is required'
fi
if (($# > 1)); then
error 'too many arguments'
fi
local skip=$1
for s in "${skips[@]}"; do
if [[ $s == "$skip" ]]; then
return 1
fi
done
return 0
}
args=$(
getopt \
--options r:b:l:c:m:B:M:v \
--longoptions root:,boot-label:,main-label:,cryptmain-label:,mapping:,boot-options:,main-options:,verbose \
--name "$progname" \
-- "$@"
)
eval set -- "$args" eval set -- "$args"
root=/mnt root=/mnt
mapping=main
bootlbl=BOOT bootlbl=BOOT
mainlbl=main mainlbl=main
cryptmainlbl=cryptmain cryptmainlbl=cryptmain
mapping=main
bootflags=
mainflags=
fatflags=()
ext4flags=()
skips=()
while true; do while true; do
case "$1" in case "$1" in
(-r | --root) -r | --root)
root=$2 root=$2
shift 2 shift 2
;; ;;
(-m | --mapping) -b | --boot-label)
mapping=$2 skips+=(bootlbl)
shift 2
;;
(-b | --boot-label)
bootlbl=${2^^} bootlbl=${2^^}
shift 2 shift 2
;; ;;
(-l | --main-label) -l | --main-label)
skips+=(mainlbl)
mainlbl=$2 mainlbl=$2
shift 2 shift 2
;; ;;
(-c | --cryptmain-label) -c | --cryptmain-label)
skips+=(cryptmainlbl)
cryptmainlbl=$2 cryptmainlbl=$2
shift 2 shift 2
;; ;;
(--) -m | --mapping)
skips+=(mapping)
mapping=$2
shift 2
;;
-B | --boot-options)
bootflags+=(--options "$2")
shift 2
;;
-M | --main-options)
mainflags+=(--options "$2")
shift 2
;;
-v | --verbose)
fatflags+=(-v)
ext4flags+=(-v)
shift
;;
--)
shift shift
break break
;; ;;
esac esac
done done
if (( $# < 1 )); then if (($# < 1)); then
error 'an argument specifying the block device is required' error 'an argument specifying the block device is required'
fi fi
if (( $# > 1 )); then if (($# > 1)); then
error 'too many arguments' error 'too many arguments'
fi fi
@ -81,39 +129,68 @@ done < <(jq '.partitiontable.partitions | keys[]' <<<"$json")
bootfs="${parts[0]}" bootfs="${parts[0]}"
mainblkdev="${parts[1]}" mainblkdev="${parts[1]}"
mkfs.vfat -F 32 -n "$bootlbl" -- "$bootfs" >/dev/null if ! skip bootlbl; then
read -rep "Which label should the boot file system have? [$bootlbl] " input
if [[ -n $input ]]; then
bootlbl=$input
fi
fi
mkfs.fat -F 32 -n "$bootlbl" "${fatflags[@]}" -- "$bootfs" >/dev/null
while true; do while true; do
read -r -p 'Do you want your main partition to be encrypted [y/N]? ' luks read -rep 'Do you want your main partition to be encrypted? [y/N] ' input
case "$luks" in case "$input" in
([Yy]*) [Yy]*)
while true; do while true; do
read -r -s -p 'Enter password: ' password read -rsp 'Enter password: ' password
warn '' warn ''
read -r -s -p 'Re-enter password: ' repassword read -rsp 'Re-enter password: ' repassword
warn '' warn ''
if [[ $password == "$repassword" ]]; then if [[ $password == "$repassword" ]]; then
break break
fi fi
done done
cryptsetup luksFormat --batch-mode --label "$cryptmainlbl" "$mainblkdev" <<<"$password" if ! skip cryptmainlbl; then
cryptsetup open "$mainblkdev" "$mapping" <<<"$password" read -rep "Which label should the main LUKS partition have? [$cryptmainlbl] " input
if [[ -n $input ]]; then
cryptmainlbl=$input
fi
fi
cryptsetup luksFormat --batch-mode --label "$cryptmainlbl" -- "$mainblkdev" <<<"$password"
if ! skip mapping; then
read -rep "Which name should the main LUKS mapping have? [$mapping] " input
if [[ -n $input ]]; then
mapping=$input
fi
fi
cryptsetup open -- "$mainblkdev" "$mapping" <<<"$password"
mainfs=/dev/mapper/$mapping mainfs=/dev/mapper/$mapping
break break
;; ;;
('' | [Nn]*) '' | [Nn]*)
mainfs=$mainblkdev mainfs=$mainblkdev
break break
;; ;;
(*) warn 'Please answer with yes or no' ;; *) warn 'Please answer with yes or no' ;;
esac esac
done done
mkfs.ext4 -q -F -L "$mainlbl" -- "$mainfs" if ! skip mainlbl; then
read -rep "Which label should the main file system have? [$mainlbl] " input
if [[ -n $input ]]; then
mainlbl=$input
fi
fi
mkfs.ext4 -qFL "$mainlbl" "${ext4flags[@]}" -- "$mainfs"
mkdir --parents -- "$root" mkdir --parents -- "$root"
mount --options noatime -- "$mainfs" "$root" mount "${mainflags[@]}" -- "$mainfs" "$root"
mkdir -- "$root/boot" mkdir -- "$root/boot"
mount -- "$bootfs" "$root/boot" mount "${bootflags[@]}" -- "$bootfs" "$root/boot"

48
packages/puter/puter.bash
View file

@ -19,10 +19,19 @@ error() {
exit 1 exit 1
} }
args=$(getopt --options f:o:t:v --longoptions=flake:,on:,to:,verbose --name "$progname" -- "$@") args=$(
getopt \
--options F:f:o:t:v \
--longoptions flakeref:,flake:,on:,to:,verbose \
--name "$progname" \
-- "$@"
)
eval set -- "$args" eval set -- "$args"
if [[ -n $PUTER_FLAKEREF ]]; then
flakeref=$PUTER_FLAKEREF
fi
flags=( flags=(
--refresh --refresh
--use-remote-sudo --use-remote-sudo
@ -31,25 +40,29 @@ flags=(
verbose=false verbose=false
while true; do while true; do
case $1 in case $1 in
(-f | --flake) -F | --flakeref)
flakeref=$2
shift 2
;;
-f | --flake)
flake=$2 flake=$2
shift 2 shift 2
;; ;;
(-o | --on) -o | --on)
flags+=(--build-host "$2") flags+=(--build-host "$2")
shift 2 shift 2
;; ;;
(-t | --to) -t | --to)
host=$2 host=$2
flags+=(--target-host "$host") flags+=(--target-host "$host")
shift 2 shift 2
;; ;;
(-v | --verbose) -v | --verbose)
flags+=(--verbose) flags+=(--verbose)
verbose=true verbose=true
shift shift
;; ;;
(--) --)
shift shift
break break
;; ;;
@ -57,17 +70,26 @@ while true; do
done done
if [[ ! -v flake ]]; then if [[ ! -v flake ]]; then
if [[ -v flakeref ]]; then
warn "using flake reference $flakeref"
if [[ -v host ]]; then if [[ -v host ]]; then
hostname=$(ssh -- "$host" hostname) hostname=$(ssh -- "$host" hostname)
else else
hostname=$(hostname) hostname=$(hostname)
fi fi
flake=git+https://forgejo@tea.wrz.one/lukas/puter.git#$hostname if [[ -z $hostname ]]; then
error 'hostname could not be resolved and no flake specified'
fi
flake=$flakeref#$hostname
warn "resolved to $flake"
else
error 'no flake or flake reference specified'
fi
fi fi
flags+=(--flake "$flake") flags+=(--flake "$flake")
if (( $# == 0 )); then if (($# == 0)); then
error 'a subcommand is required' error 'a subcommand is required'
fi fi
@ -84,25 +106,25 @@ run() {
sub=$1 sub=$1
case $sub in case $sub in
(s | switch) s | switch)
shift shift
if (( $# > 0 )); then if (($# > 0)); then
error 'too many arguments' error 'too many arguments'
fi fi
run switch run switch
;; ;;
(b | boot) b | boot)
shift shift
if (( $# > 0 )); then if (($# > 0)); then
error 'too many arguments' error 'too many arguments'
fi fi
run boot run boot
;; ;;
(*) *)
error 'invalid subcommand' error 'invalid subcommand'
;; ;;
esac esac

1
pubkeys.nix
View file

@ -11,5 +11,6 @@
glacier = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrKpoDV/ImivtTZVbSsQ59IbGYVvSsKls4av2Zc9Nk8"; glacier = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrKpoDV/ImivtTZVbSsQ59IbGYVvSsKls4av2Zc9Nk8";
vessel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkYcOb1JPNLTJtob1TcuC08cH9P2APAhLR26RYd573d"; vessel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkYcOb1JPNLTJtob1TcuC08cH9P2APAhLR26RYd573d";
work = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHw8sMeiUSUDQu/yyIuZ2Oc6lmYace47HEYdo3nmUWSR"; work = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHw8sMeiUSUDQu/yyIuZ2Oc6lmYace47HEYdo3nmUWSR";
insomniac = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHw8sMeiUSUDQu/yyIuZ2Oc6lmYace47HEYdo3nmUWSR";
}; };
} }

BIN
secrets/forgejo-admin.age
View file

Binary file not shown.

BIN
secrets/forgejo-mailer.age
View file

Binary file not shown.

BIN
secrets/microbin.age
View file

Binary file not shown.

BIN
secrets/miniflux.age
View file

Binary file not shown.

21
secrets/restic-abacus.age
View file

@ -1,12 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 SFHVrw U+aZt7fWa449Gl55hXRDD38PUijyhzp28XAMPmRPYm0 -> ssh-ed25519 SFHVrw /OTVcIQd3fJVTG7aEwQCY/x6lfTd+EZpn7Jc4MeEcE4
CNCHCTxDX1OCedqbmT93DertJVC6X2eBQHSti9UpD3U 31r1WrTF9ZnrL5za6p57fafVJfQAj5iyY6lLQriIwaY
-> ssh-ed25519 S+dwQQ tga1gW8cAcAe2nmUpKGZDfPBMNWYCz8F9t6y5Z3nSUs -> ssh-ed25519 S+dwQQ TmWs92CYRNXJVaJCCsfQc7wWek38gofuVzaZiTchcRA
RNjnzz1D8IyIs5Yy1anjvPNUMU73WXNx/xN52tBsiCw +zEDzASCzZbWn6weWXoBrCfDRLsOzKncFLLuXOTD/bc
-> ssh-ed25519 bPbvlw S6OGsxSDtWeGnDkS/Pg/aM8xU3Z9ZMrLcC9QkmxsKzU -> ssh-ed25519 bPbvlw UuI6fU6RpT5aZBUZjgypR/q7N24usjkTxdu+hemcH2Q
1Z0Gx7pq0q01WhSg3+20Dap7ekkzXKSGGdrXRvbmv7I AaqzU+V02ezyLuBLFpjiobv0qL87JaAI+CVur0nyuZ4
-> ssh-ed25519 ffmsLw daLmGw0eJTSfFZMBw9aPqooDYXGFP0l7k1PrMQk2iEM -> ssh-ed25519 ffmsLw 41XX4wfkbdkgcOGV/QobtwxXjfyYEkpYrUSGjhg1wBw
BRZE2oQXWytOVU5+R0buTov74Acj1DKogJPt7TbGY44 YZFSenGSwenFCuVxlmFQSLUACP1XUewZlKtRGYTuzRE
--- 3ArhjIM9AlDiJjmn2BFe1ql/TUiveu+COhFVqN+5jsY --- FwFDJ/HQQyHH1Ik5HdCF4ZHihlNCvD9BYGxgM4KOims
F=Δ\*—%]8³×l»Tp•$Ó–š4mõ>;y¿Ï9ð½µâÀ<C3A2>gvÍ!
:0U=Ô5@<40>V½€0Ëe_í·ö"¶r ^™½“âꞘ{<7B> =»‡÷ULoUÇ %

20
secrets/restic-vessel.age
View file

@ -1,11 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 SFHVrw ijulBUOGDExmjRrr0Pyf7QpMELMNAY5gh77yM9VpnQ4 -> ssh-ed25519 SFHVrw fMNDH0URM0/+vDXt7G1XjLmdD3YkQMHJjfcF3g6Tty4
JCSSURYLwaOs/ga3dcQUcfMaWWxJugDZP5fbQhyPQ6s k+Gc9ZrRrSkqor8Mm6k+bE18H+Tx6fDNiKaTNA+f5qA
-> ssh-ed25519 S+dwQQ 6Jkn/HoEbeXAcIZ5BQrpJFjBlH4VqpDFmTlWAk98SQg -> ssh-ed25519 S+dwQQ jt/dEEBISxmpaUx6rjdamirV2MNzsIK9t9Eh79yA5UE
fOF3+MH/4IzHQ44SKQaLo7VrILZdu+hDHIIXGv4asLs Nq4Bw8eH1vWHqCiQvfRsuYtw6fETWHR865gM5IDHPng
-> ssh-ed25519 bPbvlw yvH9ggLK9QSrNoCIGkNQlpOS3UCegRz86f8LmZFUTEg -> ssh-ed25519 bPbvlw pEfHE2mBNPsUCs2AFl3xBrhH935Ik6EJLpACTXmOwU8
bOvwgPx3EAC4kXEV7Io6NHoPtuYLwqffjqx/cSWXeU0 ctFSiMorm+7by4tzDEySBfAjvjuskEQjpWIyC5BK9cg
-> ssh-ed25519 Sm0lOA T+w+u5UZlTnilbbTQy/Z6IFjp7/KaKg0MY2zhuSnOBI -> ssh-ed25519 Sm0lOA /pofcFqGH/aJo7JsrmaYBD7+/Eo0WyO7L1RCbU+LfAU
pbqYRhd83jjTHqfQbY3Xpz5p3Znt9yr1lBc+UEa2ESo ZjILSFZeV68fSTDUuXlTFfdTqda7fe6k2FdXjcK1wb8
--- xqFypHpvC9f/EaloV7W0PCvicGa/g/Igi69Rt5E9Pi4 --- SgzDlMCI5YwR8NLsV7DpKR48NAmTMGFS8vzyxMI/DF0
ËæýDÜOˆÿÏ=Œ‚î$ÎÆÚÍÓ“¸ô$ÖôùÿTö;ÆHi³Ôò IÃð~Ã1Ü­\3„7<17>:;V M~kë Š|<š»¨o'9óžj‡0t\M

3
secrets/secrets.nix
View file

@ -1,5 +1,6 @@
with import ../pubkeys.nix; { with import ../pubkeys.nix; {
"user-lukas.age".publicKeys = (builtins.attrValues users) ++ (builtins.attrValues hosts); "user-lukas.age".publicKeys = (builtins.attrValues users) ++ (builtins.attrValues (builtins.removeAttrs hosts ["insomniac"]));
"user-user.age".publicKeys = (builtins.attrValues users) ++ [hosts.insomniac];
"microbin.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus]; "microbin.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];

BIN
secrets/user-lukas.age
View file

Binary file not shown.

BIN
secrets/vaultwarden.age
View file

Binary file not shown.