dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Compare commits

base: dev:5686aa1a019c30a322681d0ef89142ae35c3db5c
Branches Tags
dev:master dev:fastback-ssh
dev:installer
..
compare: dev:fastback-ssh
Branches Tags
dev:master dev:fastback-ssh
dev:installer

65 Commits
5686aa1a01 ... fastback-s

Author SHA1 Message Date
Jack O'Sullivan
ab25c07f69 An attempt was made 2024-01-09 21:56:10 +00:00
Jack O'Sullivan
aad8adf5da nixos/middleman: Add hack for working Gitea Docker image pull
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 26m52s
Details
2024-01-09 18:50:11 +00:00
Jack O'Sullivan
205a948486 nixos/middleman: Fix HedgeDoc websockets 2024-01-09 17:35:34 +00:00
Jack O'Sullivan
39e7c703ba pkgs: Add modrinth-app
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 34m35s
Details
2024-01-09 17:19:13 +00:00
Jack O'Sullivan
d07ef96d28 envrc: Use watch_file instead of nix_direnv_watch_file 2024-01-09 13:33:00 +00:00
Jack O'Sullivan
1a29a7d589 nixos/simpcraft: Staging server running
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 26m57s
Details
2024-01-09 00:22:17 +00:00
Jack O'Sullivan
ca6fe534dc nixos/git: Use separate nginx 2024-01-08 23:31:06 +00:00
Jack O'Sullivan
e277cce3bc nixos/object: Add HedgeDoc
Some checks failed
CI / Check, build and cache Nix flake (push) Has been cancelled
Details
2024-01-08 21:40:20 +00:00
Jack O'Sullivan
c9ce57e2c5 nixos/middleman: Add public directory
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 24m53s
Details
2024-01-07 03:40:33 +00:00
Jack O'Sullivan
04dfc89f07 nixos/simpcraft: Add ToTheMoonStar to whitelist
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 24m53s
Details
2024-01-06 14:59:57 +00:00
Jack O'Sullivan
cfbbed8285 nixos/simpcraft: Upgrade to 0.1.1 2024-01-05 20:07:48 +00:00
Jack O'Sullivan
066c87d3d6 nixos/simpcraft: Add mods
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 23m39s
Details
2024-01-05 02:13:15 +00:00
Jack O'Sullivan
e24ac05bb2 nixos/home/routing-common: Add vibe DNS
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 23m7s
Details
2024-01-03 03:10:44 +00:00
Jack O'Sullivan
a2b146e8ba nixos: Add librespeed
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 22m56s
Details
2024-01-03 01:07:12 +00:00
Jack O'Sullivan
a03fdbdbdd nixos/simpcraft: Add Eefah98 to whitelist
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 23m44s
Details
2024-01-02 22:13:06 +00:00
Jack O'Sullivan
5915f664cc nixos/simpcraft: Add hynge_ to whitelist 2024-01-02 20:49:08 +00:00
Jack O'Sullivan
42111c530e nixos/colony: Reduce memory for mail VM
Some checks failed
CI / Check, build and cache Nix flake (push) Failing after 35m28s
Details
2024-01-01 21:45:54 +00:00
Jack O'Sullivan
a741e3eea2 nixos/whale2: Minecraft server updates
Some checks failed
CI / Check, build and cache Nix flake (push) Failing after 1h14m44s
Details
2024-01-01 20:32:15 +00:00
Jack O'Sullivan
7a4372dfe7 nixos/whale2: Add Minecraft server
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 25m30s
Details
2024-01-01 16:28:04 +00:00
Jack O'Sullivan
65917bad5c nixos/kelder: Disable minecraft-server 2024-01-01 16:26:45 +00:00
Jack O'Sullivan
16c7fd7659 nixos/kelder: Update Minecraft and Nextcloud
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 23m55s
Details
2023-12-31 20:21:02 +00:00
Jack O'Sullivan
2fffefd22d Update river public IP
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 23m24s
Details
2023-12-31 15:15:22 +00:00
Jack O'Sullivan
c14aebf4a3 nixos/colony: Only start needed LVs in initrd to prevent race
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 23m2s
Details
2023-12-30 21:07:12 +00:00
Jack O'Sullivan
677f3f26ab home-manager/common: Use vi bindings for tmux 2023-12-29 21:04:07 +00:00
Jack O'Sullivan
c55600c5af lib: Make awaitPostgres code early in preStart 2023-12-29 19:05:28 +00:00
Jack O'Sullivan
64c3e2d720 nixos/colony: Give 8GiB more RAM to git
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 53m46s
Details
Installer / Build installer (push) Successful in 4m43s
Details
2023-12-28 18:54:43 +00:00
Jack O'Sullivan
20d5fa29ae nixos/deploy: Minor improvements 2023-12-28 18:33:55 +00:00
Jack O'Sullivan
046937de27 Update inputs and add custom NixOS branding
Some checks failed
CI / Check, build and cache Nix flake (push) Failing after 34m39s
Details
2023-12-28 17:39:14 +00:00
Jack O'Sullivan
bba87ef73b nixos/home/routing-common: Add trusted AS211024 to input chain
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 20m12s
Details
2023-12-23 12:33:10 +00:00
Jack O'Sullivan
4e3ff0a466 nixos/home/routing-common: Add dynamic DNS update script
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 20m48s
Details
2023-12-23 01:22:41 +00:00
Jack O'Sullivan
b1af3dbf18 nixos/tower: Add wireshark and Tailscale shell abbrev 2023-12-23 00:49:24 +00:00
Jack O'Sullivan
f58b71e8d3 nixos/britway: Use internal addresses for DNS 2023-12-23 00:49:02 +00:00
Jack O'Sullivan
0a86a649a6 nixos: Add SFH VM config
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 21m29s
Details
2023-12-22 01:34:28 +00:00
Jack O'Sullivan
85189e74f8 Add missing trusted AS211024 prefixes
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 20m12s
Details
2023-12-20 23:43:04 +00:00
Jack O'Sullivan
e760569b3e Don't blindly trust as211024
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 20m22s
Details
2023-12-20 23:06:27 +00:00
Jack O'Sullivan
0fe863844f nixos/estuary: Don't announce home prefix for now (MTU issues) 2023-12-20 22:51:01 +00:00
Jack O'Sullivan
d44fdcfe6a nixos/home/routing-common: Restrict SSH access 2023-12-20 20:41:19 +00:00
Jack O'Sullivan
b48e7b1c33 nixos: Initial waffletail
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 20m52s
Details
2023-12-20 19:21:31 +00:00
Jack O'Sullivan
d0b155d786 nixos/middleman: Wait for psql before starting nginx 2023-12-20 18:38:22 +00:00
Jack O'Sullivan
01cb95de6d nixos/containers: Fix initial dummy deploy 2023-12-20 18:29:08 +00:00
Jack O'Sullivan
46df9b8aa8 nixos/britway: Setup split DNS
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 19m27s
Details
2023-12-20 16:43:20 +00:00
Jack O'Sullivan
b2342c7a05 nixos/tower: Add tailscale
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 19m54s
Details
2023-12-20 10:16:07 +00:00
Jack O'Sullivan
a572be0708 nixos/britway: Use AS211024 source address for SNAT
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 19m26s
Details
2023-12-20 01:44:24 +00:00
Jack O'Sullivan
68bf705e85 Intra-AS211024 routing
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 19m5s
Details
2023-12-20 01:30:27 +00:00
Jack O'Sullivan
21136e98b2 nixos/britway: Add tailscale
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 19m49s
Details
2023-12-20 00:21:39 +00:00
Jack O'Sullivan
b537524e5a nixos/britway: Add headscale 2023-12-19 23:40:54 +00:00
Jack O'Sullivan
10769a4441 nixos/britway: Export route to Dublin
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 19m2s
Details
2023-12-19 16:59:45 +00:00
Jack O'Sullivan
9b05e7cd8d nixos/britway: Add BGP
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 19m10s
Details
2023-12-19 15:51:16 +00:00
Jack O'Sullivan
eda0cdbe0e nixos: Add initial britway
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 19m34s
Details
2023-12-19 14:30:27 +00:00
Jack O'Sullivan
f321a039f3 nixos/home/routing-common: Send MTU DHCP option
Some checks reported warnings
CI / Check, build and cache Nix flake (push) Has been cancelled
Details
Installer / Build installer (push) Successful in 4m36s
Details
2023-12-17 15:19:14 +00:00
Jack O'Sullivan
fc6c4f461f Add netboot archive (including to installer workflow)
Some checks reported warnings
CI / Check, build and cache Nix flake (push) Has been cancelled
Details
Installer / Build installer (push) Successful in 4m31s
Details
2023-12-17 14:56:39 +00:00
Jack O'Sullivan
22bf75d0a0 deploy-rs: Default to skipping checks and disabling auto / magic rollback 2023-12-17 13:40:25 +00:00
Jack O'Sullivan
318972a086 nixos/home/routing-common: Split DHCP pools 2023-12-17 13:39:55 +00:00
Jack O'Sullivan
9fa8299b71 nixos/home/routing-common: Add missing radvd search domain
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 17m45s
Details
2023-12-16 19:33:53 +00:00
Jack O'Sullivan
490413c24b nixos/routing-common: Working DHCP
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 18m48s
Details
2023-12-16 18:50:51 +00:00
Jack O'Sullivan
9cec5051bf nixos/estuary: Remvoe efero upstream 2023-12-16 16:53:55 +00:00
Jack O'Sullivan
70f49c8438 nixos/home/routing-common: Working IPv6 router 2023-12-16 15:59:33 +00:00
Jack O'Sullivan
8b0db3ac7f nixos/home/routing-common: Add route to other router's public IPv4 2023-12-16 13:00:10 +00:00
Jack O'Sullivan
cc07964fac nixos/palace: Add BindsTo= dependency for river on cellar 2023-12-16 12:54:10 +00:00
Jack O'Sullivan
4624480c8b home-manager/common: Fix Nix cache config for users
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 18m32s
Details
2023-12-13 22:57:54 +00:00
Jack O'Sullivan
3bc8befb7d nixos/cellar: Enable SPDK dynamic scheduler
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 17m37s
Details
2023-12-13 21:53:10 +00:00
Jack O'Sullivan
1b853d405c nixos/palace: Set up virtual IOMMU for cellar
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 17m49s
Details
2023-12-13 11:23:47 +00:00
Jack O'Sullivan
82b24c3c55 nixos/cellar: Move SPDK config to separate module
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 17m56s
Details
2023-12-13 02:19:04 +00:00
Jack O'Sullivan
2f2764a364 Add json2nix util 2023-12-13 00:40:36 +00:00
Jack O'Sullivan
4b48d7e788 nixos/nvme: Add module
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 17m30s
Details
2023-12-12 01:37:14 +00:00
124 changed files with 10215 additions and 1604 deletions
Expand all files Collapse all files

2
.envrc
View File

@@ -1,2 +1,2 @@
nix_direnv_watch_file devshell/{default,commands,install,vm-tasks}.nix watch_file devshell/{default,commands,install,vm-tasks}.nix
use flake use flake

25
.gitea/workflows/installer.yaml
View File

@@ -1,4 +1,4 @@
name: Installer ISO name: Installer
on: on:
push: push:
@@ -6,7 +6,7 @@ on:
jobs: jobs:
installer: installer:
name: Build installer ISO name: Build installer
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@@ -24,20 +24,27 @@ jobs:
extra-substituters = https://nix-cache.nul.ie/main extra-substituters = https://nix-cache.nul.ie/main
extra-trusted-public-keys = main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8= extra-trusted-public-keys = main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8=
- name: Set up attic - name: Set up attic
id: setup
run: | run: |
nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \ nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \
login --set-default colony https://nix-cache.nul.ie "${{ secrets.NIX_CACHE_TOKEN }}" login --set-default colony https://nix-cache.nul.ie "${{ secrets.NIX_CACHE_TOKEN }}"
echo "short_rev=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
- name: Build installer ISO - name: Build installer ISO
id: build
run: | run: |
nix build .#nixosConfigurations.installer.config.my.buildAs.iso nix build .#nixfiles.config.nixos.systems.installer.configuration.config.my.buildAs.iso
short_rev="$(git rev-parse --short HEAD)" ln -s "$(readlink result)"/iso/jackos-installer.iso \
ln -s result/iso/nixos-installer-devplayer0.iso nixos-installer-devplayer0-$short_rev.iso jackos-installer-${{ steps.setup.outputs.short_rev }}.iso
echo "short_rev=$short_rev" >> "$GITHUB_OUTPUT" - name: Build installer netboot archive
- name: Create release for ISO run: |
nix build .#nixfiles.config.nixos.systems.installer.configuration.config.my.buildAs.netbootArchive
ln -s "$(readlink result)" \
jackos-installer-netboot-${{ steps.setup.outputs.short_rev }}.tar
- name: Create release
uses: https://gitea.com/actions/release-action@main uses: https://gitea.com/actions/release-action@main
with: with:
title: Latest installer title: Latest installer
files: | files: |
nixos-installer-devplayer0-${{ steps.build.outputs.short_rev }}.iso jackos-installer-${{ steps.setup.outputs.short_rev }}.iso
jackos-installer-netboot-${{ steps.setup.outputs.short_rev }}.tar

4
deploy-rs.nix
View File

@@ -47,8 +47,8 @@ in
(nodesFor homes) (nodesFor homes)
); );
autoRollback = true; autoRollback = false;
magicRollback = true; magicRollback = false;
}; };
# Filter out null values so deploy merges overriding options correctly # Filter out null values so deploy merges overriding options correctly

18
devshell/commands.nix
View File

@@ -48,6 +48,12 @@ in
help = "Print the ed25519 pubkey for a host"; help = "Print the ed25519 pubkey for a host";
command = "${pkgs.openssh}/bin/ssh-keyscan -t ed25519 \"$1\" 2> /dev/null | awk '{ print $2 \" \" $3 }'"; command = "${pkgs.openssh}/bin/ssh-keyscan -t ed25519 \"$1\" 2> /dev/null | awk '{ print $2 \" \" $3 }'";
} }
{
name = "json2nix";
category = "utilities";
help = "Convert JSON to formatted Nix";
command = "nix eval --impure --expr 'builtins.fromJSON (builtins.readFile /dev/stdin)' | ${pkgs.nixfmt}/bin/nixfmt";
}
{ {
name = "fmt"; name = "fmt";
@@ -91,6 +97,18 @@ in
help = "Build NixOS configuration into an ISO"; help = "Build NixOS configuration into an ISO";
command = ''nix build "''${@:2}" ".#nixfiles.config.nixos.systems.\"$1\".configuration.config.my.buildAs.iso"''; command = ''nix build "''${@:2}" ".#nixfiles.config.nixos.systems.\"$1\".configuration.config.my.buildAs.iso"'';
} }
{
name = "build-kexec";
category = "tasks";
help = "Build NixOS configuration as kexec tree";
command = ''nix build "''${@:2}" ".#nixfiles.config.nixos.systems.\"$1\".configuration.config.my.buildAs.kexecTree"'';
}
{
name = "build-netboot";
category = "tasks";
help = "Build NixOS configuration as netboot archive";
command = ''nix build "''${@:2}" ".#nixfiles.config.nixos.systems.\"$1\".configuration.config.my.buildAs.netbootArchive"'';
}
{ {
name = "build-home"; name = "build-home";
category = "tasks"; category = "tasks";

4
devshell/default.nix
View File

@@ -24,7 +24,9 @@ in
coreutils coreutils
nixVersions.stable nixVersions.stable
rage rage
deploy-rs.deploy-rs (pkgs.writeShellScriptBin "deploy" ''
exec ${deploy-rs.deploy-rs}/bin/deploy --skip-checks "$@"
'')
home-manager home-manager
attic-client attic-client
]; ];

154
flake.lock generated
View File

@@ -35,11 +35,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1698258239, "lastModified": 1702969472,
"narHash": "sha256-qnhoYYIJ0L/P7H/f56lQUEvpzNlXh4sxuHpRERV+B44=", "narHash": "sha256-IJP9sC+/gLUdWhm6TsnWpw6A1zQWUfn53ym63KeLXvU=",
"owner": "zhaofengli", "owner": "zhaofengli",
"repo": "attic", "repo": "attic",
"rev": "e9918bc6be268da6fa97af6ced15193d8a0421c0", "rev": "bdafd64910bb2b861cf90fa15f1fc93318b6fbf6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -95,26 +95,17 @@
}, },
"crane": { "crane": {
"inputs": { "inputs": {
"flake-compat": [
"attic",
"flake-compat"
],
"flake-utils": [
"attic",
"flake-utils"
],
"nixpkgs": [ "nixpkgs": [
"attic", "attic",
"nixpkgs" "nixpkgs"
], ]
"rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1677892403, "lastModified": 1702918879,
"narHash": "sha256-/Wi0L1spSWLFj+UQxN3j0mPYMoc7ZoAujpUF/juFVII=", "narHash": "sha256-tWJqzajIvYcaRWxn+cLUB9L9Pv4dQ3Bfit/YjU5ze3g=",
"owner": "ipetkov", "owner": "ipetkov",
"repo": "crane", "repo": "crane",
"rev": "105e27adb70a9890986b6d543a67761cbc1964a2", "rev": "7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -185,11 +176,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1698921442, "lastModified": 1703087360,
"narHash": "sha256-7KmvhQ7FuXlT/wG4zjTssap6maVqeAMBdtel+VjClSM=", "narHash": "sha256-0VUbWBW8VyiDRuimMuLsEO4elGuUw/nc2WDeuO1eN1M=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "660180bbbeae7d60dad5a92b30858306945fd427", "rev": "b709d63debafce9f5645a5ba550c9e0983b3d1f7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -241,14 +232,14 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs-unstable"
], ],
"systems": "systems_3" "systems": "systems_4"
}, },
"locked": { "locked": {
"lastModified": 1698410321, "lastModified": 1701787589,
"narHash": "sha256-MphuSlgpmKwtJncGMohryHiK55J1n6WzVQ/OAfmfoMc=", "narHash": "sha256-ce+oQR4Zq9VOsLoh9bZT8Ip9PaMLcjjBUHVPzW5d7Cw=",
"owner": "numtide", "owner": "numtide",
"repo": "devshell", "repo": "devshell",
"rev": "1aed986e3c81a4f6698e85a7452cbfcc4b31a36e", "rev": "44ddedcbcfc2d52a76b64fb6122f209881bd3e1e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -276,11 +267,11 @@
"flake-compat_2": { "flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1668681692, "lastModified": 1696426674,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1", "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -418,14 +409,14 @@
}, },
"flake-utils_7": { "flake-utils_7": {
"inputs": { "inputs": {
"systems": "systems_4" "systems": "systems_5"
}, },
"locked": { "locked": {
"lastModified": 1694529238, "lastModified": 1701680307,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384", "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -451,7 +442,7 @@
}, },
"flake-utils_9": { "flake-utils_9": {
"inputs": { "inputs": {
"systems": "systems_5" "systems": "systems_6"
}, },
"locked": { "locked": {
"lastModified": 1681202837, "lastModified": 1681202837,
@@ -474,11 +465,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1700814205, "lastModified": 1703367386,
"narHash": "sha256-lWqDPKHRbQfi+zNIivf031BUeyciVOtwCwTjyrhDB5g=", "narHash": "sha256-FMbm48UGrBfOWGt8+opuS+uLBLQlRfhiYXhHNcYMS5k=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "aeb2232d7a32530d3448318790534d196bf9427a", "rev": "d5824a76bc6bb93d1dce9ebbbcb09a9b6abcc224",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -494,11 +485,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1701433070, "lastModified": 1703754036,
"narHash": "sha256-Gf9JStfENaUQ7YWFz3V7x/srIwr4nlnVteqaAxtwpgM=", "narHash": "sha256-JpJdcj9Tg4lMuYikXDpajA8wOp+rHyn9RD2rKBEM4cQ=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "4a8545f5e737a6338814a4676dc8e18c7f43fc57", "rev": "c24c298562fe41b39909f632c5a7151bbf6b4628",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -508,11 +499,11 @@
}, },
"impermanence": { "impermanence": {
"locked": { "locked": {
"lastModified": 1697303681, "lastModified": 1703656108,
"narHash": "sha256-caJ0rXeagaih+xTgRduYtYKL1rZ9ylh06CIrt1w5B4g=", "narHash": "sha256-hCSUqdFJKHHbER8Cenf5JRzjMlBjIdwdftGQsO0xoJs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "impermanence", "repo": "impermanence",
"rev": "0f317c2e9e56550ce12323eb39302d251618f5b5", "rev": "033643a45a4a920660ef91caa391fbffb14da466",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -531,13 +522,13 @@
"locked": { "locked": {
"lastModified": 1685908677, "lastModified": 1685908677,
"narHash": "sha256-E4zUPEUFyVWjVm45zICaHRpfGepfkE9Z2OECV9HXfA4=", "narHash": "sha256-E4zUPEUFyVWjVm45zICaHRpfGepfkE9Z2OECV9HXfA4=",
"owner": "guibou", "owner": "nix-community",
"repo": "nixGL", "repo": "nixGL",
"rev": "489d6b095ab9d289fe11af0219a9ff00fe87c7c5", "rev": "489d6b095ab9d289fe11af0219a9ff00fe87c7c5",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "guibou", "owner": "nix-community",
"repo": "nixGL", "repo": "nixGL",
"type": "github" "type": "github"
} }
@@ -560,11 +551,11 @@
}, },
"nixpkgs-mine": { "nixpkgs-mine": {
"locked": { "locked": {
"lastModified": 1701607327, "lastModified": 1703756459,
"narHash": "sha256-pHX6S1mrUSFVq6v0HiZuShfXLL01wiWvgivCabX2x+M=", "narHash": "sha256-ztEMyPQZh3Pb+LOoWl5lbIK2LenP59sOUBC86CDmLio=",
"owner": "devplayer0", "owner": "devplayer0",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c8af66cb9046a65cbab33563f804b7bad46173af", "rev": "e80160eb2ac3a7111d07cc43a15c16b9edca01ea",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -576,11 +567,11 @@
}, },
"nixpkgs-mine-stable": { "nixpkgs-mine-stable": {
"locked": { "locked": {
"lastModified": 1701607437, "lastModified": 1703756491,
"narHash": "sha256-ozMDOyJtxr/CznI6lrwtt9JkU32Y2cLr2B4vlW85Tfw=", "narHash": "sha256-9VL34e0gzomwqRnryRn23V2ImYcaZIQdp7CsWg5TmlE=",
"owner": "devplayer0", "owner": "devplayer0",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "67ef05e2dd98d1fd856028eba1bb4edb847f6c6e", "rev": "36611f5f7cfd401f51ad4ca76fd6ee85a714bb74",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -592,11 +583,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1701389149, "lastModified": 1703467016,
"narHash": "sha256-rU1suTIEd5DGCaAXKW6yHoCfR1mnYjOXQFOaH7M23js=", "narHash": "sha256-/5A/dNPhbQx/Oa2d+Get174eNI3LERQ7u6WTWOlR1eQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5de0b32be6e85dc1a9404c75131316e4ffbc634c", "rev": "d02d818f22c777aa4e854efc3242ec451e5d462a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -607,11 +598,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1701253981, "lastModified": 1703438236,
"narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=", "narHash": "sha256-aqVBq1u09yFhL7bj1/xyUeJjzr92fXVvQSSEx6AdB1M=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58", "rev": "5f64a12a728902226210bf01d25ec6cbb9d9265b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -678,7 +669,7 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs-unstable"
], ],
"rust-overlay": "rust-overlay_2" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1682237245, "lastModified": 1682237245,
@@ -715,33 +706,6 @@
} }
}, },
"rust-overlay": { "rust-overlay": {
"inputs": {
"flake-utils": [
"attic",
"crane",
"flake-utils"
],
"nixpkgs": [
"attic",
"crane",
"nixpkgs"
]
},
"locked": {
"lastModified": 1675391458,
"narHash": "sha256-ukDKZw922BnK5ohL9LhwtaDAdCsJL7L6ScNEyF1lO9w=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "383a4acfd11d778d5c2efcf28376cbd845eeaedf",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": { "inputs": {
"flake-utils": [ "flake-utils": [
"ragenix", "ragenix",
@@ -862,13 +826,31 @@
"type": "github" "type": "github"
} }
}, },
"utils": { "systems_6": {
"locked": { "locked": {
"lastModified": 1667395993, "lastModified": 1681028828,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github" "type": "github"
}, },
"original": { "original": {

7
flake.nix
View File

@@ -26,7 +26,7 @@
impermanence.url = "github:nix-community/impermanence"; impermanence.url = "github:nix-community/impermanence";
boardie.url = "github:devplayer0/boardie"; boardie.url = "github:devplayer0/boardie";
boardie.inputs.nixpkgs.follows = "nixpkgs-unstable"; boardie.inputs.nixpkgs.follows = "nixpkgs-unstable";
nixGL.url = "github:guibou/nixGL"; nixGL.url = "github:nix-community/nixGL";
nixGL.inputs.nixpkgs.follows = "nixpkgs-unstable"; nixGL.inputs.nixpkgs.follows = "nixpkgs-unstable";
# Packages not in nixpkgs # Packages not in nixpkgs
@@ -63,7 +63,7 @@
flake = flake-utils.lib; flake = flake-utils.lib;
}; };
pkgsLibOverlay = final: prev: { lib = prev.lib.extend libOverlay; }; pkgsLibOverlay = final: prev: { lib = prev.lib.extend libOverlay; };
myPkgsOverlay = final: prev: import ./pkgs { lib = prev.lib; pkgs = prev; }; myPkgsOverlay = final: prev: import ./pkgs { lib = final.lib; pkgs = prev; };
# Override the flake-level lib since we're going to use it for non-config specific stuff # Override the flake-level lib since we're going to use it for non-config specific stuff
pkgsFlakes = mapAttrs (_: pkgsFlake: pkgsFlake // { lib = pkgsFlake.lib.extend libOverlay; }) { pkgsFlakes = mapAttrs (_: pkgsFlake: pkgsFlake // { lib = pkgsFlake.lib.extend libOverlay; }) {
@@ -118,6 +118,7 @@
nixos/boxes/castle nixos/boxes/castle
nixos/boxes/home/stream.nix nixos/boxes/home/stream.nix
nixos/boxes/home/palace nixos/boxes/home/palace
nixos/boxes/britway
nixos/boxes/kelder nixos/boxes/kelder
# Homes # Homes
@@ -128,7 +129,7 @@
modules = [ modules = [
{ {
_module.args = { _module.args = {
inherit lib pkgsFlakes hmFlakes inputs; inherit lib pkgsFlakes hmFlakes self inputs;
pkgs' = configPkgs'; pkgs' = configPkgs';
}; };

14
home-manager/modules/common.nix
View File

@@ -47,9 +47,14 @@ in
nix = { nix = {
package = mkIf (!(versionAtLeast config.home.stateVersion "22.11")) pkgs.nix; package = mkIf (!(versionAtLeast config.home.stateVersion "22.11")) pkgs.nix;
settings = { settings = with lib.my.c.nix; {
experimental-features = [ "nix-command" "flakes" "ca-derivations" ]; experimental-features = [ "nix-command" "flakes" "ca-derivations" ];
max-jobs = mkDefault "auto"; max-jobs = mkDefault "auto";
extra-substituters = cache.substituters;
extra-trusted-public-keys = cache.keys;
connect-timeout = 5;
fallback = true;
}; };
}; };
@@ -75,6 +80,7 @@ in
tmux = { tmux = {
enable = true; enable = true;
keyMode = "vi";
}; };
bash = { bash = {
@@ -235,12 +241,6 @@ in
exact = true; exact = true;
}; };
}; };
settings = with lib.my.c.nix; {
extra-substituters = cache.substituters;
extra-trusted-public-keys = cache.keys;
connect-timeout = 5;
fallback = true;
};
}; };
}) })
(mkIf config.my.isStandalone { (mkIf config.my.isStandalone {

113
lib/constants.nix
View File

@@ -10,12 +10,14 @@ rec {
gitea-runner = 401; gitea-runner = 401;
jellyseerr = 402; jellyseerr = 402;
atticd = 403; atticd = 403;
kea = 404;
}; };
gids = { gids = {
matrix-syncv3 = 400; matrix-syncv3 = 400;
gitea-runner = 401; gitea-runner = 401;
jellyseerr = 402; jellyseerr = 402;
atticd = 403; atticd = 403;
kea = 404;
}; };
}; };
@@ -24,7 +26,7 @@ rec {
latest = pkgs: pkgs.linuxKernel.packages.linux_6_6; latest = pkgs: pkgs.linuxKernel.packages.linux_6_6;
}; };
nginx = { nginx = rec {
proxyHeaders = '' proxyHeaders = ''
# Setting any proxy_header in a child (e.g. location) will nuke the parents... # Setting any proxy_header in a child (e.g. location) will nuke the parents...
proxy_set_header X-Origin-URI $request_uri; proxy_set_header X-Origin-URI $request_uri;
@@ -38,6 +40,45 @@ rec {
proxy_set_header X-Forwarded-Protocol $scheme; proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Scheme $scheme; proxy_set_header X-Scheme $scheme;
''; '';
baseHttpConfig = ''
# NixOS provides a logrotate config that auto-compresses :)
log_format main
'$remote_addr - $remote_user [$time_local] $scheme "$host" "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log main;
# optimisation
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
# gzip
gzip on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types
application/atom+xml
application/javascript
application/json
application/xml
application/xml+rss
image/svg+xml
text/css
text/javascript
text/plain
text/xml;
gzip_vary on;
# proxying
proxy_buffering off;
proxy_redirect off;
proxy_connect_timeout 60s;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
proxy_http_version 1.1;
${proxyHeaders}
'';
}; };
networkd = { networkd = {
@@ -128,6 +169,18 @@ rec {
port = 8448; port = 8448;
dst = aa.middleman.internal.ipv4.address; dst = aa.middleman.internal.ipv4.address;
} }
{
port = 25565;
dst = aa.simpcraft-oci.internal.ipv4.address;
}
{
port = 25566;
dst = aa.simpcraft-staging-oci.internal.ipv4.address;
}
{
port = 25575;
dst = aa.simpcraft-oci.internal.ipv4.address;
}
{ {
port = 2456; port = 2456;
@@ -139,6 +192,18 @@ rec {
dst = aa.valheim-oci.internal.ipv4.address; dst = aa.valheim-oci.internal.ipv4.address;
proto = "udp"; proto = "udp";
} }
{
port = 41641;
dst = aa.waffletail.internal.ipv4.address;
proto = "udp";
}
{
port = 25565;
dst = aa.simpcraft-oci.internal.ipv4.address;
proto = "udp";
}
]; ];
fstrimConfig = { fstrimConfig = {
@@ -162,7 +227,7 @@ rec {
"stream" "stream"
]; ];
routersPubV4 = [ routersPubV4 = [
"109.255.31.25" "109.255.1.246"
"109.255.252.63" "109.255.252.63"
]; ];
@@ -180,14 +245,17 @@ rec {
hi = { hi = {
v4 = subnet 4 1 all.v4; v4 = subnet 4 1 all.v4;
v6 = subnet 4 1 all.v6; v6 = subnet 4 1 all.v6;
mtu = hiMTU;
}; };
lo = { lo = {
v4 = subnet 3 1 all.v4; v4 = subnet 3 1 all.v4;
v6 = subnet 4 2 all.v6; v6 = subnet 4 2 all.v6;
mtu = 1500;
}; };
untrusted = { untrusted = {
v4 = subnet 6 16 all.v4; v4 = subnet 6 16 all.v4;
v6 = subnet 4 3 all.v6; v6 = subnet 4 3 all.v6;
mtu = 1500;
}; };
inherit (colony.prefixes) as211024; inherit (colony.prefixes) as211024;
}; };
@@ -211,6 +279,47 @@ rec {
}; };
}; };
britway = {
domain = "lon1.int.${pubDomain}";
pubV4 = "45.76.141.188";
prefixes = {
vultr = {
v6 = "2001:19f0:7402:128b::/64";
};
inherit (colony.prefixes) as211024;
};
# Need to use this IP as the source address for BGP
assignedV6 = "2001:19f0:7402:128b:5400:04ff:feac:6e06";
};
tailscale = {
prefix = {
v4 = "100.64.0.0/10";
v6 = "fd7a:115c:a1e0::/48";
};
};
as211024 = rec {
trusted = {
v4 = [
colony.prefixes.as211024.v4
colony.prefixes.all.v4
home.prefixes.all.v4
tailscale.prefix.v4
];
v6 = [
colony.prefixes.as211024.v6
colony.prefixes.all.v6
home.prefixes.all.v6
tailscale.prefix.v6
];
};
nftTrust = ''
iifname as211024 ip saddr { ${concatStringsSep ", " trusted.v4} } accept
iifname as211024 ip6 saddr { ${concatStringsSep ", " trusted.v6} } accept
'';
};
kelder = { kelder = {
groups = { groups = {
storage = 2000; storage = 2000;

24
lib/default.nix
View File

@@ -1,10 +1,11 @@
{ lib }: { lib }:
let let
inherit (builtins) length match elemAt filter replaceStrings; inherit (builtins) length match elemAt filter replaceStrings substring;
inherit (lib) inherit (lib)
genAttrs mapAttrsToList filterAttrsRecursive nameValuePair types genAttrs mapAttrsToList filterAttrsRecursive nameValuePair types
mkOption mkOverride mkForce mkIf mergeEqualOption optional mkOption mkOverride mkForce mkIf mergeEqualOption optional
showWarnings concatStringsSep flatten unique; showWarnings concatStringsSep flatten unique optionalAttrs
mkBefore;
inherit (lib.flake) defaultSystems; inherit (lib.flake) defaultSystems;
in in
rec { rec {
@@ -152,6 +153,9 @@ rec {
LLDP = true; LLDP = true;
EmitLLDP = "customer-bridge"; EmitLLDP = "customer-bridge";
}; };
linkConfig = optionalAttrs (a.mtu != null) {
MTUBytes = toString a.mtu;
};
ipv6AcceptRAConfig = { ipv6AcceptRAConfig = {
Token = mkIf (a.ipv6.iid != null) "static:${a.ipv6.iid}"; Token = mkIf (a.ipv6.iid != null) "static:${a.ipv6.iid}";
UseDNS = true; UseDNS = true;
@@ -163,7 +167,7 @@ rec {
systemdAwaitPostgres = pkg: host: { systemdAwaitPostgres = pkg: host: {
after = [ "systemd-networkd-wait-online.service" ]; after = [ "systemd-networkd-wait-online.service" ];
preStart = '' preStart = mkBefore ''
until ${pkg}/bin/pg_isready -h ${host}; do until ${pkg}/bin/pg_isready -h ${host}; do
sleep 0.5 sleep 0.5
done done
@@ -236,4 +240,18 @@ rec {
filterOpts = filterAttrsRecursive (_: v: v != null); filterOpts = filterAttrsRecursive (_: v: v != null);
}; };
versionOverlay = { self, pkgsFlake }: final: prev:
let
date = substring 0 8 (self.lastModifiedDate or self.lastModified or "19700101");
revCode = flake: flake.shortRev or "dirty";
in
{
trivial = prev.trivial // {
release = "23.12:u-${prev.trivial.release}";
codeName = "Amogus";
revisionWithDefault = default: self.rev or default;
versionSuffix = ".${date}.${revCode self}:u-${revCode pkgsFlake}";
};
};
} }

197
nixos/boxes/britway/bgp.nix Normal file
View File

@@ -0,0 +1,197 @@
{ lib, pkgs, config, assignments, ... }:
let
inherit (lib.my.c.britway) assignedV6;
securebitSpace = "2a0e:97c0:4d0::/44";
intnet6 = "2a0e:97c0:4df::/48";
amsnet6 = "2a0e:97c0:4d2::/48";
homenet6 = "2a0e:97c0:4d0::/48";
in
{
config = {
my = {
secrets.files."britway/bgp-password-vultr.conf" = {
owner = "bird2";
group = "bird2";
};
};
environment.etc."bird/vultr-password.conf".source = config.age.secrets."britway/bgp-password-vultr.conf".path;
systemd = {
services.bird2.after = [ "systemd-networkd-wait-online@veth0.service" ];
network = {
config.networkConfig.ManageForeignRoutes = false;
};
};
services = {
bird2 = {
enable = true;
preCheckConfig = ''
echo '"dummy"' > vultr-password.conf
'';
# TODO: Clean up and modularise
config = ''
define OWNAS = 211024;
define OWNIP4 = ${assignments.vultr.ipv4.address};
define OWNNETSET4 = [ ${assignments.vultr.ipv4.address}/32 ];
define INTNET6 = ${intnet6};
define AMSNET6 = ${amsnet6};
define HOMENET6 = ${homenet6};
define OWNIP6 = ${assignments.vultr.ipv6.address};
define OWNNETSET6 = [ ${intnet6}, ${amsnet6}, ${homenet6} ];
#define TRANSSET6 = [ ::1/128 ];
define DUB1IP6 = ${lib.my.c.home.vips.as211024.v6};
define PREFIXP = 110;
define PREFPEER = 120;
filter bgp_import {
if net !~ OWNNETSET4 && net !~ OWNNETSET6 then accept; else reject;
}
filter bgp_export {
if net ~ OWNNETSET4 || net ~ OWNNETSET6 then accept; else reject;
}
router id from "veth0";
protocol device {}
protocol direct {
interface "veth0";
ipv4;
ipv6;
}
protocol static static4 {
ipv4 {
import all;
export none;
};
}
protocol static static6 {
# Special case: We have to do the routing on behalf of this _internal_ next-hop
route INTNET6 via "as211024";
route HOMENET6 via DUB1IP6;
ipv6 {
import all;
export none;
};
}
protocol kernel kernel4 {
ipv4 {
import none;
export none;
};
}
protocol kernel kernel6 {
ipv6 {
import none;
export filter {
if net = HOMENET6 then accept;
reject;
};
};
}
protocol bgp bgptools {
local as OWNAS;
multihop;
description "bgp.tools monitoring";
neighbor 2a0c:2f07:9459::b11 as 212232;
source address OWNIP6;
ipv4 {
import none;
export all;
add paths tx;
};
ipv6 {
import none;
export all;
add paths tx;
};
}
template bgp base_bgp4 {
local as OWNAS;
direct;
allow local as;
ipv4 {
import keep filtered;
export none;
};
}
template bgp upstream_bgp4 from base_bgp4 {
ipv4 {
#import none;
import filter bgp_import;
};
}
template bgp peer_bgp4 from base_bgp4 {
ipv4 {
import filter bgp_import;
preference PREFPEER;
};
}
template bgp ixp_bgp4 from base_bgp4 {
ipv4 {
import filter bgp_import;
preference PREFIXP;
};
}
template bgp base_bgp6 {
local ${assignedV6} as OWNAS;
direct;
# So we can see routes we announce from other routers
allow local as;
ipv6 {
import keep filtered;
export filter bgp_export;
};
}
template bgp upstream_bgp6 from base_bgp6 {
ipv6 {
#import none;
import filter bgp_import;
};
}
template bgp peer_bgp6 from base_bgp6 {
ipv6 {
import filter bgp_import;
preference PREFPEER;
};
}
template bgp ixp_bgp6 from base_bgp6 {
ipv6 {
import filter bgp_import;
preference PREFIXP;
};
}
protocol bgp upstream4_vultr from upstream_bgp4 {
description "Vultr transit (IPv4)";
neighbor 169.254.169.254 as 64515;
multihop 2;
password
include "vultr-password.conf";;
}
protocol bgp upstream6_vultr from upstream_bgp6 {
description "Vultr transit (IPv6)";
neighbor 2001:19f0:ffff::1 as 64515;
multihop 2;
password
include "vultr-password.conf";;
}
'';
};
};
};
}

174
nixos/boxes/britway/default.nix Normal file
View File

@@ -0,0 +1,174 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.britway) prefixes domain pubV4 assignedV6;
in
{
nixos.systems.britway = {
system = "x86_64-linux";
nixpkgs = "mine";
assignments = {
vultr = {
inherit domain;
ipv4 = {
address = pubV4;
mask = 23;
gateway = "45.76.140.1";
};
ipv6 = {
iid = "::1";
address = "2001:19f0:7402:128b::1";
};
};
as211024 = {
ipv4 = {
address = net.cidr.host 5 prefixes.as211024.v4;
gateway = null;
};
ipv6.address = net.cidr.host ((2*65536*65536*65536) + 1) prefixes.as211024.v6;
};
};
configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
let
inherit (lib) mkMerge mkForce;
inherit (lib.my) networkdAssignment;
in
{
imports = [
"${modulesPath}/profiles/qemu-guest.nix"
./bgp.nix
./nginx.nix
./tailscale.nix
];
config = mkMerge [
{
boot = {
initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "sr_mod" ];
loader = {
systemd-boot.enable = false;
grub = {
enable = true;
device = "/dev/vda";
};
};
};
fileSystems = {
"/boot" = {
device = "/dev/disk/by-partuuid/c557ef12-da44-41d1-84f5-d32a711feefd";
fsType = "ext4";
};
"/nix" = {
device = "/dev/disk/by-partuuid/d42d0853-b054-4104-8afd-6d36287c7ca3";
fsType = "ext4";
};
"/persist" = {
device = "/dev/disk/by-partuuid/f14fbcf4-5242-456b-a4db-ef15d053d62e";
fsType = "ext4";
neededForBoot = true;
};
};
services = {
iperf3 = {
enable = true;
openFirewall = true;
};
};
networking = { inherit domain; };
systemd.network = {
config = {
routeTables.ts-extra = 1337;
};
links = {
"10-veth0" = {
matchConfig.PermanentMACAddress = "56:00:04:ac:6e:06";
linkConfig.Name = "veth0";
};
};
networks = {
"20-veth0" = mkMerge [
(networkdAssignment "veth0" assignments.vultr)
{
address = [ "${assignedV6}/64" ];
}
];
"90-l2mesh-as211024" = mkMerge [
(networkdAssignment "as211024" assignments.as211024)
{
matchConfig.Name = "as211024";
networkConfig.IPv6AcceptRA = mkForce false;
routes = map (r: { routeConfig = r; }) [
{
Destination = lib.my.c.colony.prefixes.all.v4;
Gateway = allAssignments.estuary.as211024.ipv4.address;
}
{
Destination = lib.my.c.home.prefixes.all.v4;
Gateway = lib.my.c.home.vips.as211024.v4;
}
{
# Just when routing traffic from Tailscale nodes, otherwise use WAN
Destination = lib.my.c.colony.prefixes.all.v6;
Gateway = allAssignments.estuary.as211024.ipv6.address;
Table = "ts-extra";
}
];
routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
{
IncomingInterface = "tailscale0";
To = lib.my.c.colony.prefixes.all.v6;
Table = "ts-extra";
}
];
}
];
};
};
my = {
server.enable = true;
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAmXC9egI46Qtaiifhq2I+rv2s1yPyzTlO4BHzUb+3Su";
files = {
"l2mesh/as211024.key" = {};
};
};
vpns = {
l2.pskFiles = {
as211024 = config.age.secrets."l2mesh/as211024.key".path;
};
};
firewall = {
trustedInterfaces = [ "tailscale0" ];
extraRules = ''
table inet filter {
chain forward {
${lib.my.c.as211024.nftTrust}
oifname as211024 accept
}
}
table inet nat {
chain postrouting {
iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address}
iifname tailscale0 oifname veth0 snat ip6 to ${assignments.as211024.ipv6.address}
}
}
'';
};
};
}
];
};
};
}

109
nixos/boxes/britway/nginx.nix Normal file
View File

@@ -0,0 +1,109 @@
{ lib, pkgs, config, ... }:
let
inherit (builtins) mapAttrs;
inherit (lib) mkMerge mkDefault;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.nginx) baseHttpConfig proxyHeaders;
in
{
config = {
my = {
secrets.files = {
"dhparams.pem" = {
owner = "acme";
group = "acme";
mode = "440";
};
"britway/cloudflare-credentials.conf" = {
owner = "acme";
group = "acme";
};
};
firewall = {
tcp.allowed = [ "http" "https" ];
};
};
users = {
users = {
nginx.extraGroups = [ "acme" ];
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "dev@nul.ie";
server = "https://acme-v02.api.letsencrypt.org/directory";
reloadServices = [ "nginx" ];
dnsResolver = "8.8.8.8";
};
certs = {
"${pubDomain}" = {
extraDomainNames = [
"*.${pubDomain}"
];
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."britway/cloudflare-credentials.conf".path;
};
};
};
services = {
nginx = {
enable = true;
enableReload = true;
logError = "stderr info";
recommendedTlsSettings = true;
serverTokens = true;
sslDhparam = config.age.secrets."dhparams.pem".path;
# Based on recommended*Settings, but probably better to be explicit about these
appendHttpConfig = ''
${baseHttpConfig}
# caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=512m;
'';
virtualHosts =
let
hosts = {
"_" = {
default = true;
forceSSL = true;
onlySSL = false;
locations = {
"/".root = "${pkgs.nginx}/html";
};
};
"ts.${pubDomain}" = {
locations."/" = {
proxyPass = "http://localhost:${toString config.services.headscale.port}";
proxyWebsockets = true;
extraConfig = ''
proxy_buffering off;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
'';
};
};
};
defaultsFor = mapAttrs (n: _: {
onlySSL = mkDefault true;
useACMEHost = mkDefault pubDomain;
kTLS = mkDefault true;
http2 = mkDefault true;
});
in
mkMerge [
hosts
(defaultsFor hosts)
];
};
};
};
}

110
nixos/boxes/britway/tailscale.nix Normal file
View File

@@ -0,0 +1,110 @@
{ lib, pkgs, config, assignments, allAssignments, ... }:
let
inherit (lib) concatStringsSep;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.britway) prefixes domain;
# Can't use overrideAttrs because we need to override `vendorHash` within `buildGoModule`
headscale = pkgs.headscale.override {
buildGoModule = args: pkgs.buildGoModule (args // rec {
version = "0.23.0-alpha2";
src = pkgs.fetchFromGitHub {
owner = "juanfont";
repo = "headscale";
rev = "v${version}";
hash = "sha256-sz+uQyyq/5YYDe5I44x5x2nvd48swAhNlInB8KZYvDo=";
};
vendorHash = "sha256-u9AmJguQ5dnJpfhOeLN43apvMHuraOrJhvlEIp9RoIc=";
});
};
advRoutes = concatStringsSep "," [
lib.my.c.home.prefixes.all.v4
lib.my.c.home.prefixes.all.v6
];
pubNameservers = [
"1.1.1.1"
"1.0.0.1"
"2606:4700:4700::1111"
"2606:4700:4700::1001"
];
in
{
config = {
environment.systemPackages = [
# For CLI
config.services.headscale.package
];
services = {
headscale = {
enable = true;
package = headscale;
settings = {
disable_check_updates = true;
unix_socket_permission = "0770";
server_url = "https://ts.${pubDomain}";
db_type = "sqlite3";
db_path = "/var/lib/headscale/db.sqlite3";
noise.private_key_path = "/var/lib/headscale/noise_private.key";
ip_prefixes = with lib.my.c.tailscale.prefix; [ v4 v6 ];
dns_config = {
# Use IPs that will route inside the VPN to prevent interception
# (e.g. DNS rebinding filtering)
restricted_nameservers = {
"${domain}" = pubNameservers;
"${lib.my.c.colony.domain}" = with allAssignments.estuary.base; [
ipv4.address ipv6.address
];
"${lib.my.c.home.domain}" = with allAssignments; [
river.hi.ipv4.address
river.hi.ipv6.address
stream.hi.ipv4.address
stream.hi.ipv6.address
];
};
magic_dns = true;
base_domain = "ts.${pubDomain}";
override_local_dns = false;
};
oidc = {
only_start_if_oidc_is_available = true;
issuer = "https://accounts.google.com";
client_id = "545475967061-l45cln081mp8t4li2c34v7t7b8la6f4f.apps.googleusercontent.com";
client_secret_path = config.age.secrets."britway/oidc-secret.txt".path;
scope = [ "openid" "profile" "email" ];
allowed_users = [ "jackos1998@gmail.com" ];
};
};
};
tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale-auth.key".path;
openFirewall = true;
interfaceName = "tailscale0";
extraUpFlags = [
"--operator=${config.my.user.config.name}"
"--login-server=https://ts.nul.ie"
"--netfilter-mode=off"
"--advertise-exit-node"
"--advertise-routes=${advRoutes}"
"--accept-routes=false"
];
};
};
my = {
secrets = {
files = {
"britway/oidc-secret.txt" = {
owner = "headscale";
group = "headscale";
mode = "440";
};
"tailscale-auth.key" = {};
};
};
};
};
}

33
nixos/boxes/castle/default.nix
View File

@@ -17,13 +17,9 @@ in
mask = 22; mask = 22;
gateway = null; gateway = null;
}; };
}; ipv6 = {
lo = { iid = "::3:1";
inherit domain; address = net.cidr.host (65536*3+1) prefixes.hi.v6;
ipv4 = {
address = net.cidr.host 40 prefixes.lo.v4;
mask = 21;
gateway = null;
}; };
}; };
}; };
@@ -108,7 +104,13 @@ in
blueman.enable = true; blueman.enable = true;
}; };
programs.virt-manager.enable = true; programs = {
virt-manager.enable = true;
wireshark = {
enable = true;
package = pkgs.wireshark-qt;
};
};
virtualisation.libvirtd.enable = true; virtualisation.libvirtd.enable = true;
networking = { networking = {
@@ -147,7 +149,6 @@ in
wait-online.enable = false; wait-online.enable = false;
netdevs = mkMerge [ netdevs = mkMerge [
(mkVLAN "lan-hi" vlans.hi) (mkVLAN "lan-hi" vlans.hi)
(mkVLAN "lan-lo" vlans.lo)
]; ];
links = { links = {
"10-et2.5g" = { "10-et2.5g" = {
@@ -169,28 +170,23 @@ in
networks = { networks = {
"50-lan" = { "50-lan" = {
matchConfig.Name = "et2.5g"; matchConfig.Name = "et2.5g";
DHCP = "yes"; DHCP = "no";
address = [ "10.16.7.1/16" ];
}; };
"50-et100g" = { "50-et100g" = {
matchConfig.Name = "et100g"; matchConfig.Name = "et100g";
vlan = [ "lan-hi" "lan-lo" ]; vlan = [ "lan-hi" ];
networkConfig.IPv6AcceptRA = false; networkConfig.IPv6AcceptRA = false;
}; };
"60-lan-hi" = mkMerge [ "60-lan-hi" = mkMerge [
(networkdAssignment "lan-hi" assignments.hi) (networkdAssignment "lan-hi" assignments.hi)
{ {
DHCP = "yes";
matchConfig.Name = "lan-hi"; matchConfig.Name = "lan-hi";
linkConfig.MTUBytes = "9000"; linkConfig.MTUBytes = "9000";
} }
]; ];
"60-lan-lo" = mkMerge [
(networkdAssignment "lan-lo" assignments.lo)
{
matchConfig.Name = "lan-lo";
linkConfig.MTUBytes = "1500";
}
];
}; };
}; };
}; };
@@ -251,6 +247,7 @@ in
secrets = { secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlVuTzKObeaUuPocCF41IO/8X+443lzUJLuCIclt2vr"; key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlVuTzKObeaUuPocCF41IO/8X+443lzUJLuCIclt2vr";
}; };
nvme.uuid = "2230b066-a674-4f45-a1dc-f7727b3a9e7b";
firewall = { firewall = {
enable = false; enable = false;

30
nixos/boxes/colony/default.nix
View File

@@ -66,10 +66,21 @@ in
}; };
}); });
kernelModules = [ "kvm-amd" ]; kernelModules = [ "kvm-amd" ];
kernelParams = [ "amd_iommu=on" "console=ttyS0,115200n8" "console=ttyS1,115200n8" "console=tty0" ]; kernelParams = [
"amd_iommu=on"
"console=ttyS0,115200n8" "console=ttyS1,115200n8" "console=tty0"
"systemd.setenv=SYSTEMD_SULOGIN_FORCE=1"
];
initrd = { initrd = {
kernelModules = [ "dm-raid" ]; kernelModules = [ "dm-raid" ];
availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ]; availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
systemd = {
enable = true;
# Onlu activate volumes needed for boot to prevent thin check from getting killed while switching root
contents."/etc/lvm/lvm.conf".text = ''
activation/auto_activation_volume_list = [ "main/colony-nix" "main/colony-persist" ]
'';
};
}; };
}; };
@@ -137,6 +148,15 @@ in
services = { services = {
"serial-getty@ttyS0".enable = true; "serial-getty@ttyS0".enable = true;
"serial-getty@ttyS1".enable = true; "serial-getty@ttyS1".enable = true;
lvm-activate-main = {
description = "Activate remaining LVs";
before = [ "local-fs-pre.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.lvm2.bin}/bin/vgchange -aay main";
};
wantedBy = [ "sysinit.target" ];
};
rsync-lvm-meta = { rsync-lvm-meta = {
description = "rsync lvm metadata backups / archives to rsync.net"; description = "rsync lvm metadata backups / archives to rsync.net";
@@ -248,6 +268,14 @@ in
Destination = allAssignments.shill.internal.ipv4.address; Destination = allAssignments.shill.internal.ipv4.address;
Gateway = allAssignments.shill.routing.ipv4.address; Gateway = allAssignments.shill.routing.ipv4.address;
} }
{
Destination = lib.my.c.tailscale.prefix.v4;
Gateway = allAssignments.shill.routing.ipv4.address;
}
{
Destination = lib.my.c.tailscale.prefix.v6;
Gateway = allAssignments.shill.internal.ipv6.address;
}
{ {
Destination = prefixes.oci.v4; Destination = prefixes.oci.v4;

6
nixos/boxes/colony/vms/default.nix
View File

@@ -120,7 +120,7 @@
cpus = 12; cpus = 12;
threads = 2; threads = 2;
}; };
memory = 49152; memory = 40960;
networks.vms.mac = "52:54:00:27:3d:5c"; networks.vms.mac = "52:54:00:27:3d:5c";
cleanShutdown.timeout = 120; cleanShutdown.timeout = 120;
drives = [ ] ++ (optionals (!config.my.build.isDevVM) [ drives = [ ] ++ (optionals (!config.my.build.isDevVM) [
@@ -160,7 +160,7 @@
cpus = 12; cpus = 12;
threads = 2; threads = 2;
}; };
memory = 32768; memory = 40960;
networks.vms.mac = "52:54:00:75:78:a8"; networks.vms.mac = "52:54:00:75:78:a8";
cleanShutdown.timeout = 120; cleanShutdown.timeout = 120;
drives = [ drives = [
@@ -181,7 +181,7 @@
cpus = 3; cpus = 3;
threads = 2; threads = 2;
}; };
memory = 8192; memory = 6144;
networks.public = { networks.public = {
bridge = null; bridge = null;
mac = "52:54:00:a8:d1:03"; mac = "52:54:00:a8:d1:03";

25
nixos/boxes/colony/vms/estuary/bgp.nix
View File

@@ -27,7 +27,9 @@ in
define HOMENET6 = ${homenet6}; define HOMENET6 = ${homenet6};
define OWNIP6 = ${assignments.base.ipv6.address}; define OWNIP6 = ${assignments.base.ipv6.address};
define OWNNETSET6 = [ ${intnet6}, ${amsnet6}, ${homenet6} ]; # we have issues with sending ICMPv6 too big back on the wrong interface right now...
define OWNNETSET6 = [ ${intnet6}, ${amsnet6} ];
define CCNETSET6 = [ ];
#define TRANSSET6 = [ ::1/128 ]; #define TRANSSET6 = [ ::1/128 ];
define DUB1IP6 = ${lib.my.c.home.vips.as211024.v6}; define DUB1IP6 = ${lib.my.c.home.vips.as211024.v6};
@@ -42,7 +44,7 @@ in
if net ~ OWNNETSET4 || net ~ OWNNETSET6 then accept; else reject; if net ~ OWNNETSET4 || net ~ OWNNETSET6 then accept; else reject;
} }
filter bgp_export_cc { filter bgp_export_cc {
if net ~ OWNNETSET4 || net ~ OWNNETSET6 || net ~ CCNETSET4 then accept; else reject; if net ~ OWNNETSET4 || net ~ OWNNETSET6 || net ~ CCNETSET4 || net ~ CCNETSET6 then accept; else reject;
} }
router id from "wan"; router id from "wan";
@@ -188,10 +190,12 @@ in
protocol bgp upstream6_coloclue_eun2 from upstream_bgp6 { protocol bgp upstream6_coloclue_eun2 from upstream_bgp6 {
description "ColoClue euNetworks 2 (IPv6)"; description "ColoClue euNetworks 2 (IPv6)";
neighbor 2a02:898:0:20::e2 as 8283; neighbor 2a02:898:0:20::e2 as 8283;
ipv6 { export filter bgp_export_cc; };
} }
protocol bgp upstream6_coloclue_eun3 from upstream_bgp6 { protocol bgp upstream6_coloclue_eun3 from upstream_bgp6 {
description "ColoClue euNetworks 3 (IPv6)"; description "ColoClue euNetworks 3 (IPv6)";
neighbor 2a02:898:0:20::e1 as 8283; neighbor 2a02:898:0:20::e1 as 8283;
ipv6 { export filter bgp_export_cc; };
} }
protocol bgp upstream6_ifog from upstream_bgp6 { protocol bgp upstream6_ifog from upstream_bgp6 {
@@ -204,14 +208,15 @@ in
neighbor 2001:7f8:10f::1b1b:154 as 6939; neighbor 2001:7f8:10f::1b1b:154 as 6939;
} }
protocol bgp upstream4_fogixp_efero from upstream_bgp4 { # Not working so well lately...
description "efero transit (on FogIXP, IPv4)"; # protocol bgp upstream4_fogixp_efero from upstream_bgp4 {
neighbor 185.1.147.107 as 208431; # description "efero transit (on FogIXP, IPv4)";
} # neighbor 185.1.147.107 as 208431;
protocol bgp upstream6_fogixp_efero from upstream_bgp6 { # }
description "efero transit (on FogIXP, IPv6)"; # protocol bgp upstream6_fogixp_efero from upstream_bgp6 {
neighbor 2001:7f8:ca:1::107 as 208431; # description "efero transit (on FogIXP, IPv6)";
} # neighbor 2001:7f8:ca:1::107 as 208431;
# }
protocol bgp peer4_cc_luje from peer_bgp4 { protocol bgp peer4_cc_luje from peer_bgp4 {
description "LUJE.net (on ColoClue, IPv4)"; description "LUJE.net (on ColoClue, IPv4)";

34
nixos/boxes/colony/vms/estuary/default.nix
View File

@@ -15,6 +15,7 @@ in
estuary.addr = pubV4; estuary.addr = pubV4;
river.addr = elemAt lib.my.c.home.routersPubV4 0; river.addr = elemAt lib.my.c.home.routersPubV4 0;
stream.addr = elemAt lib.my.c.home.routersPubV4 1; stream.addr = elemAt lib.my.c.home.routersPubV4 1;
britway.addr = lib.my.c.britway.pubV4;
}; };
}; };
}; };
@@ -297,6 +298,15 @@ in
Destination = prefixes.cust.v6; Destination = prefixes.cust.v6;
Gateway = allAssignments.colony.internal.ipv6.address; Gateway = allAssignments.colony.internal.ipv6.address;
} }
{
Destination = lib.my.c.tailscale.prefix.v4;
Gateway = allAssignments.colony.routing.ipv4.address;
}
{
Destination = lib.my.c.tailscale.prefix.v6;
Gateway = allAssignments.colony.internal.ipv6.address;
}
] ++ ] ++
(map (pName: [ (map (pName: [
{ {
@@ -316,6 +326,12 @@ in
{ {
matchConfig.Name = "as211024"; matchConfig.Name = "as211024";
networkConfig.IPv6AcceptRA = mkForce false; networkConfig.IPv6AcceptRA = mkForce false;
routes = map (r: { routeConfig = r; }) [
{
Destination = lib.my.c.home.prefixes.all.v4;
Gateway = lib.my.c.home.vips.as211024.v4;
}
];
} }
]; ];
"95-kelder" = { "95-kelder" = {
@@ -350,7 +366,6 @@ in
}; };
}; };
firewall = { firewall = {
trustedInterfaces = [ "as211024" ];
udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ]; udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];
tcp.allowed = [ 5353 "bgp" ]; tcp.allowed = [ 5353 "bgp" ];
nat = { nat = {
@@ -378,12 +393,16 @@ in
# Safe enough to allow all SSH # Safe enough to allow all SSH
tcp dport ssh accept tcp dport ssh accept
${matchInet "tcp dport { http, https, 8448 } accept" "middleman"} ip6 daddr ${aa.middleman.internal.ipv6.address} tcp dport { http, https, 8448 } accept
${matchInet "udp dport { 2456-2457 } accept" "valheim-oci"} ${matchInet "tcp dport { http, https } accept" "git"}
ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} tcp dport { 25565, 25575 } accept
ip6 daddr ${aa.simpcraft-staging-oci.internal.ipv6.address} tcp dport 25565 accept
return return
} }
chain routing-udp { chain routing-udp {
ip6 daddr ${aa.valheim-oci.internal.ipv6.address} udp dport { 2456-2457 } accept
ip6 daddr ${aa.waffletail.internal.ipv6.address} udp dport 41641 accept
ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} udp dport 25565 accept
return return
} }
chain filter-routing { chain filter-routing {
@@ -400,7 +419,8 @@ in
} }
chain forward { chain forward {
iifname { wan, $ixps } oifname base jump filter-routing ${lib.my.c.as211024.nftTrust}
iifname { wan, as211024, $ixps } oifname base jump filter-routing
oifname $ixps jump ixp oifname $ixps jump ixp
iifname base oifname { base, wan, $ixps } accept iifname base oifname { base, wan, $ixps } accept
oifname { as211024, kelder } accept oifname { as211024, kelder } accept
@@ -413,11 +433,9 @@ in
table inet nat { table inet nat {
chain prerouting { chain prerouting {
${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"} ${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"}
ip daddr ${aa.git.internal.ipv4.address} tcp dport { http, https } dnat to ${aa.middleman.internal.ipv4.address}
ip6 daddr ${aa.git.internal.ipv6.address} tcp dport { http, https } dnat to ${aa.middleman.internal.ipv6.address}
} }
chain postrouting { chain postrouting {
ip saddr ${prefixes.all.v4} snat to ${assignments.internal.ipv4.address} ip saddr ${prefixes.all.v4} oifname != as211024 snat to ${assignments.internal.ipv4.address}
} }
} }
''; '';

7
nixos/boxes/colony/vms/estuary/dns.nix
View File

@@ -52,7 +52,7 @@ in
allowFrom = [ allowFrom = [
"127.0.0.0/8" "::1/128" "127.0.0.0/8" "::1/128"
prefixes.all.v4 prefixes.all.v6 prefixes.all.v4 prefixes.all.v6
]; ] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
}; };
settings = { settings = {
@@ -145,9 +145,14 @@ in
http IN A ${assignments.internal.ipv4.address} http IN A ${assignments.internal.ipv4.address}
http IN AAAA ${allAssignments.middleman.internal.ipv6.address} http IN AAAA ${allAssignments.middleman.internal.ipv6.address}
librespeed IN CNAME http.${config.networking.domain}.
valheim IN A ${assignments.internal.ipv4.address} valheim IN A ${assignments.internal.ipv4.address}
valheim IN AAAA ${allAssignments.valheim-oci.internal.ipv6.address} valheim IN AAAA ${allAssignments.valheim-oci.internal.ipv6.address}
simpcraft IN A ${assignments.internal.ipv4.address}
simpcraft IN AAAA ${allAssignments.simpcraft-oci.internal.ipv6.address}
simpcraft-staging IN A ${assignments.internal.ipv4.address}
simpcraft-staging IN AAAA ${allAssignments.simpcraft-staging-oci.internal.ipv6.address}
mail-vm IN A ${net.cidr.host 0 prefixes.mail.v4} mail-vm IN A ${net.cidr.host 0 prefixes.mail.v4}
mail-vm IN AAAA ${net.cidr.host 1 prefixes.mail.v6} mail-vm IN AAAA ${net.cidr.host 1 prefixes.mail.v6}

120
nixos/boxes/colony/vms/git/default.nix
View File

@@ -1,8 +1,11 @@
{ lib, ... }: { lib, ... }:
let let
inherit (builtins) mapAttrs;
inherit (lib) mkMerge mkDefault;
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.c) pubDomain; inherit (lib.my.c) pubDomain;
inherit (lib.my.c.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
inherit (lib.my.c.nginx) baseHttpConfig proxyHeaders;
in in
{ {
nixos.systems.git = { nixos.systems.git = {
@@ -72,9 +75,109 @@ in
}; };
}; };
users = {
users = {
nginx.extraGroups = [ "acme" ];
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "dev@nul.ie";
server = "https://acme-v02.api.letsencrypt.org/directory";
reloadServices = [ "nginx" ];
dnsResolver = "8.8.8.8";
};
certs = {
"${pubDomain}" = {
extraDomainNames = [
"*.${pubDomain}"
];
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
};
};
};
services = { services = {
fstrim = lib.my.c.colony.fstrimConfig; fstrim = lib.my.c.colony.fstrimConfig;
# Hacks for Jsch (Minecraft FastBack) to work
openssh = {
hostKeys = [
{
bits = 4096;
path = "/etc/ssh/ssh_host_rsa_key";
type = "rsa";
}
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
type = "ecdsa-sha2-nistp256";
path = "/etc/ssh/ssh_host_ecdsa_key";
}
];
settings = {
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-256"
];
};
};
netdata.enable = true; netdata.enable = true;
nginx = {
enable = true;
enableReload = true;
logError = "stderr info";
recommendedTlsSettings = true;
clientMaxBodySize = "0";
serverTokens = true;
sslDhparam = config.age.secrets."dhparams.pem".path;
# Based on recommended*Settings, but probably better to be explicit about these
appendHttpConfig = ''
${baseHttpConfig}
# caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=512m;
'';
virtualHosts =
let
hosts = {
"_" = {
default = true;
forceSSL = true;
onlySSL = false;
locations = {
"/".root = "${pkgs.nginx}/html";
};
};
"git.${pubDomain}" = {
locations."/".proxyPass = "http://localhost:3000";
};
};
defaultsFor = mapAttrs (n: _: {
onlySSL = mkDefault true;
useACMEHost = mkDefault pubDomain;
kTLS = mkDefault true;
http2 = mkDefault true;
});
in
mkMerge [
hosts
(defaultsFor hosts)
];
};
}; };
virtualisation = { virtualisation = {
@@ -104,11 +207,24 @@ in
}; };
my = { my = {
secrets.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP+KINpHLMduBuW96JzfSRDLUzkI+XaCBghu5/wHiW5R"; secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP+KINpHLMduBuW96JzfSRDLUzkI+XaCBghu5/wHiW5R";
files = {
"dhparams.pem" = {
owner = "acme";
group = "acme";
mode = "440";
};
"middleman/cloudflare-credentials.conf" = {
owner = "acme";
group = "acme";
};
};
};
server.enable = true; server.enable = true;
firewall = { firewall = {
tcp.allowed = [ 19999 ]; tcp.allowed = [ 19999 "http" "https" ];
extraRules = '' extraRules = ''
table inet filter { table inet filter {
chain forward { chain forward {

27
nixos/boxes/colony/vms/git/gitea.nix
View File

@@ -26,18 +26,6 @@ in
systemd = { systemd = {
services = { services = {
# TODO: Figure out a way to do this properly... redirecting localhost is awkward...
local-http-forward = {
description = "Forward local HTTP connections";
serviceConfig.ExecStart = "${pkgs.socat}/bin/socat tcp-listen:80,fork tcp:${allAssignments.middleman.internal.ipv4.address}:80";
wantedBy = [ "multi-user.target" ];
};
local-https-forward = {
description = "Forward local HTTPS connections";
serviceConfig.ExecStart = "${pkgs.socat}/bin/socat tcp-listen:443,fork tcp:${allAssignments.middleman.internal.ipv4.address}:443";
wantedBy = [ "multi-user.target" ];
};
gitea = mkMerge [ gitea = mkMerge [
(lib.my.systemdAwaitPostgres pkgs.postgresql "colony-psql") (lib.my.systemdAwaitPostgres pkgs.postgresql "colony-psql")
{ {
@@ -141,21 +129,6 @@ in
"gitea/minio.txt" = ownedByGit; "gitea/minio.txt" = ownedByGit;
}; };
}; };
firewall.extraRules = ''
table inet filter {
chain input {
ip saddr ${prefixes.all.v4} tcp dport 3000 accept
ip6 saddr ${prefixes.all.v6} tcp dport 3000 accept
}
}
table inet nat {
chain prerouting {
ip daddr ${assignments.internal.ipv4.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv4.address}
ip6 daddr ${assignments.internal.ipv6.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv6.address}
}
}
'';
}; };
}; };
} }

1
nixos/boxes/colony/vms/shill/containers/default.nix
View File

@@ -7,5 +7,6 @@
./jackflix ./jackflix
./object.nix ./object.nix
./toot.nix ./toot.nix
./waffletail.nix
]; ];
} }

57
nixos/boxes/colony/vms/shill/containers/middleman/default.nix
View File

@@ -2,6 +2,7 @@
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.c) pubDomain; inherit (lib.my.c) pubDomain;
inherit (lib.my.c.nginx) baseHttpConfig;
inherit (lib.my.c.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
@@ -65,6 +66,7 @@ in
owner = "nginx"; owner = "nginx";
group = "nginx"; group = "nginx";
}; };
"librespeed.toml" = { };
}; };
}; };
@@ -121,6 +123,19 @@ in
baseURL = "https://sso.${pubDomain}"; baseURL = "https://sso.${pubDomain}";
}; };
}; };
librespeed = {
frontend.servers = [
{
name = "Amsterdam, Netherlands";
server = "//librespeed.${domain}";
}
];
backend = {
enable = true;
extraSettingsFile = config.age.secrets."librespeed.toml".path;
};
};
}; };
users = { users = {
@@ -131,6 +146,10 @@ in
systemd = { systemd = {
network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal; network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
services = {
# HACK: nginx seems to get stuck not being able to DNS early...
nginx = lib.my.systemdAwaitPostgres pkgs.postgresql "colony-psql";
};
}; };
security = { security = {
@@ -231,43 +250,9 @@ in
# Based on recommended*Settings, but probably better to be explicit about these # Based on recommended*Settings, but probably better to be explicit about these
appendHttpConfig = '' appendHttpConfig = ''
# NixOS provides a logrotate config that auto-compresses :) ${baseHttpConfig}
log_format main
'$remote_addr - $remote_user [$time_local] $scheme "$host" "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log main;
# optimisation resolver_timeout 5s;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
# gzip
gzip on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types
application/atom+xml
application/javascript
application/json
application/xml
application/xml+rss
image/svg+xml
text/css
text/javascript
text/plain
text/xml;
gzip_vary on;
# proxying
proxy_buffering off;
proxy_redirect off;
proxy_connect_timeout 60s;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
proxy_http_version 1.1;
${lib.my.c.nginx.proxyHeaders}
# caching # caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g; proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;

53
nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
View File

@@ -347,9 +347,41 @@ in
}; };
useACMEHost = pubDomain; useACMEHost = pubDomain;
}; };
"public.${pubDomain}" = {
serverAliases = [ "p.${pubDomain}" ];
locations."/" = {
root = "/mnt/media/public";
extraConfig = ''
fancyindex on;
fancyindex_show_dotfiles on;
'';
};
useACMEHost = pubDomain;
};
"git.${pubDomain}" = { "mc-map.${pubDomain}" = {
locations."/".proxyPass = "http://git-vm.${domain}:3000"; locations."/".proxyPass = "http://simpcraft-oci.${domain}:8100";
useACMEHost = pubDomain;
};
"mc-rail.${pubDomain}" = {
locations."/".proxyPass = "http://simpcraft-staging-oci.${domain}:3876";
useACMEHost = pubDomain;
};
"librespeed.${domain}" = {
locations."/".proxyPass = "http://localhost:8989";
};
"speed.${pubDomain}" = {
locations."/".proxyPass = "http://localhost:8989";
useACMEHost = pubDomain;
};
"md.${pubDomain}" = {
locations."/" = {
proxyPass = "http://object-ctr.${domain}:3000";
proxyWebsockets = true;
extraConfig = proxyHeaders;
};
useACMEHost = pubDomain; useACMEHost = pubDomain;
}; };
}; };
@@ -387,7 +419,22 @@ in
"s3.${pubDomain}" = { "s3.${pubDomain}" = {
serverAliases = [ "*.s3.${pubDomain}" ]; serverAliases = [ "*.s3.${pubDomain}" ];
inherit extraConfig; inherit extraConfig;
locations."/".proxyPass = s3Upstream; locations = {
"/".proxyPass = s3Upstream;
"/gitea/packages/" = {
proxyPass = s3Upstream;
# HACK: Docker images need the MIME type to be correct for the manifest but Gitea
# doesn't tell S3... By hiding the header we can use add_header to set Content-Type
# (normally can't be set directly)
extraConfig = ''
proxy_hide_header Content-Type;
add_header Content-Type $upstream_http_content_type always;
if ($args ~ "response-content-disposition=.+filename%3D%22manifest\.json%22") {
add_header Content-Type "application/vnd.docker.distribution.manifest.v2+json";
}
'';
};
};
useACMEHost = pubDomain; useACMEHost = pubDomain;
}; };

28
nixos/boxes/colony/vms/shill/containers/object.nix
View File

@@ -48,11 +48,17 @@ in
group = config.my.user.config.group; group = config.my.user.config.group;
}; };
"object/atticd.env" = {}; "object/atticd.env" = {};
"object/hedgedoc.env" = {};
}; };
}; };
firewall = { firewall = {
tcp.allowed = [ 9000 9001 config.services.sharry.config.bind.port 8069 ]; tcp.allowed = [
9000 9001
config.services.sharry.config.bind.port
8069
config.services.hedgedoc.settings.port
];
}; };
user.homeConfig = { user.homeConfig = {
@@ -194,6 +200,26 @@ in
}; };
}; };
}; };
hedgedoc = {
enable = true;
environmentFile = config.age.secrets."object/hedgedoc.env".path;
settings = {
domain = "md.${pubDomain}";
protocolUseSSL = true;
db = {
dialect = "postgresql";
username = "hedgedoc";
database = "hedgedoc";
host = "colony-psql";
};
host = "::";
allowAnonymous = false;
allowAnonymousEdits = true;
email = true;
allowEmailRegister = false;
};
};
}; };
} }
(mkIf config.my.build.isDevVM { (mkIf config.my.build.isDevVM {

100
nixos/boxes/colony/vms/shill/containers/waffletail.nix Normal file
View File

@@ -0,0 +1,100 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.waffletail = { config, ... }: {
system = "x86_64-linux";
nixpkgs = "mine";
rendered = config.configuration.config.my.asContainer;
assignments = {
internal = {
name = "waffletail-ctr";
inherit domain;
ipv4.address = net.cidr.host 9 prefixes.ctrs.v4;
ipv6 = {
iid = "::9";
address = net.cidr.host 9 prefixes.ctrs.v6;
};
};
tailscale = with lib.my.c.tailscale; {
ipv4 = {
address = net.cidr.host 5 prefix.v4;
mask = 32;
gateway = null;
};
ipv6 = {
address = net.cidr.host 5 prefix.v6;
mask = 128;
};
};
};
configuration = { lib, config, assignments, ... }:
let
inherit (lib) concatStringsSep mkMerge mkIf mkForce;
inherit (lib.my) networkdAssignment;
in
{
config = {
my = {
deploy.enable = false;
server.enable = true;
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZc88lcSQ9zzQzDITdE/T5ty++TxFQUAED7p9YfFBiR";
files = {
"tailscale-auth.key" = {};
};
};
firewall = {
trustedInterfaces = [ "tailscale0" ];
extraRules = ''
table inet filter {
chain forward {
iifname host0 oifname tailscale0 ip saddr ${prefixes.all.v4} accept
iifname host0 oifname tailscale0 ip6 saddr ${prefixes.all.v6} accept
}
}
table inet nat {
chain postrouting {
iifname tailscale0 ip daddr != ${prefixes.all.v4} snat to ${assignments.internal.ipv4.address}
iifname tailscale0 ip6 daddr != ${prefixes.all.v6} snat ip6 to ${assignments.internal.ipv6.address}
}
}
'';
};
};
systemd = {
network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
};
services = {
tailscale =
let
advRoutes = concatStringsSep "," (with prefixes.all; [ v4 v6 ]);
in
{
enable = true;
authKeyFile = config.age.secrets."tailscale-auth.key".path;
port = 41641;
openFirewall = true;
interfaceName = "tailscale0";
extraUpFlags = [
"--operator=${config.my.user.config.name}"
"--login-server=https://ts.nul.ie"
"--netfilter-mode=off"
"--advertise-exit-node"
"--advertise-routes=${advRoutes}"
"--accept-routes=false"
];
};
};
};
};
};
}

11
nixos/boxes/colony/vms/shill/default.nix
View File

@@ -139,6 +139,16 @@ in
ipv6PrefixConfig.Prefix = prefixes.ctrs.v6; ipv6PrefixConfig.Prefix = prefixes.ctrs.v6;
} }
]; ];
routes = map (r: { routeConfig = r; }) [
{
Destination = lib.my.c.tailscale.prefix.v4;
Gateway = allAssignments.waffletail.internal.ipv4.address;
}
{
Destination = lib.my.c.tailscale.prefix.v6;
Gateway = allAssignments.waffletail.internal.ipv6.address;
}
];
} }
]; ];
}; };
@@ -196,6 +206,7 @@ in
}; };
}; };
toot = {}; toot = {};
waffletail = {};
}; };
in in
mkMerge [ mkMerge [

3
nixos/boxes/colony/vms/whale2/default.nix
View File

@@ -50,6 +50,8 @@ in
}; };
}) { }) {
valheim-oci = 2; valheim-oci = 2;
simpcraft-oci = 3;
simpcraft-staging-oci = 4;
}; };
configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }: configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
@@ -63,6 +65,7 @@ in
"${modulesPath}/profiles/qemu-guest.nix" "${modulesPath}/profiles/qemu-guest.nix"
./valheim.nix ./valheim.nix
./minecraft
]; ];
config = mkMerge [ config = mkMerge [

121
nixos/boxes/colony/vms/whale2/minecraft/default.nix Normal file
View File

@@ -0,0 +1,121 @@
{ lib, pkgs, config, allAssignments, ... }:
let
inherit (lib) concatStringsSep;
inherit (lib.my) dockerNetAssignment;
# devplayer0
op = "6d7d971b-ce10-435b-85c5-c99c0d8d288c";
whitelist = concatStringsSep "," [
op
"dcd2ecb9-2b5e-49cb-9d4f-f5a76162df56" # Elderlypug
"fcb26db2-c3ce-41aa-b588-efec79d37a8a" # Jesthral_
"1d366062-12c0-4e29-aba7-6ab5d8c6bb05" # shr3kas0ras
"703b378a-09f9-4c1d-9876-1c9305728c49" # OROURKEIRE
"f105bbe6-eda6-4a13-a8cf-894e77cab77b" # Adzerq
"1fc94979-41fb-497a-81e9-34ae24ca537a" # johnnyscrims
"d53c91df-b6e6-4463-b106-e8427d7a8d01" # BossLonus
"f439f64d-91c9-4c74-9ce5-df4d24cd8e05" # hynge_
"d6ec4c91-5da2-44eb-b89d-71dc8fe017a0" # Eefah98
"096a7348-fabe-4b2d-93fc-fd1fd5608fb0" # ToTheMoonStar
];
fastback = {
gitConfig = pkgs.writeText "git-config" ''
[user]
email = "simpcraft@nul.ie"
name = "Simpcraft bot"
'';
knownHosts = pkgs.writeText "known_hosts" ''
git.nul.ie ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD023ECzYmLeXIpcGVaciPjq6UN/Sjmsys5HP/Nei5GkrUZqPa3OJ2uSXKLUSKGYdeNhxaFTPJe8Yx3TsZxMme8=
'';
};
in
{
config = {
virtualisation.oci-containers.containers = {
simpcraft = {
image = "ghcr.io/itzg/minecraft-server:2023.12.2-java17-alpine";
environment = {
TYPE = "MODRINTH";
EULA = "true";
ENABLE_QUERY = "true";
MOTD = "§4§k----- §9S§ai§bm§cp§dc§er§fa§6f§5t §4§k-----";
ICON = "/ext/icon.png";
EXISTING_WHITELIST_FILE = "SYNCHRONIZE";
WHITELIST = whitelist;
EXISTING_OPS_FILE = "SYNCHRONIZE";
OPS = op;
DIFFICULTY = "normal";
SPAWN_PROTECTION = "0";
VIEW_DISTANCE = "20";
MAX_MEMORY = "6G";
MODRINTH_MODPACK = "https://cdn.modrinth.com/data/CIYf3Hk8/versions/cdj2bSKg/Simpcraft-0.1.2.mrpack";
TZ = "Europe/Dublin";
};
volumes = [
"minecraft_data:/data"
"${./icon.png}:/ext/icon.png:ro"
];
extraOptions = [
''--network=colony:${dockerNetAssignment allAssignments "simpcraft-oci"}''
];
};
simpcraft-staging = {
image = "git.nul.ie/dev/craftblock:2024.1.0-java17-alpine";
environment = {
TYPE = "MODRINTH";
EULA = "true";
ENABLE_QUERY = "true";
ENABLE_RCON = "true";
MOTD = "§4§k----- §9S§ai§bm§cp§dc§er§fa§6f§5t [staging] §4§k-----";
ICON = "/ext/icon.png";
EXISTING_WHITELIST_FILE = "SYNCHRONIZE";
WHITELIST = whitelist;
EXISTING_OPS_FILE = "SYNCHRONIZE";
OPS = op;
DIFFICULTY = "normal";
SPAWN_PROTECTION = "0";
VIEW_DISTANCE = "20";
MAX_MEMORY = "4G";
MODRINTH_MODPACK = "https://cdn.modrinth.com/data/CIYf3Hk8/versions/Ym3sIi6H/Simpcraft-0.2.0.mrpack";
TZ = "Europe/Dublin";
};
environmentFiles = [ config.age.secrets."whale2/simpcraft.env".path ];
volumes = [
"minecraft_staging_data:/data"
"${./icon.png}:/ext/icon.png:ro"
"${fastback.gitConfig}:/data/.config/git/config:ro"
"${fastback.knownHosts}:/data/.ssh/known_hosts:ro"
"${config.age.secrets."whale2/simpcraft-git.key".path}:/data/.ssh/id_rsa"
];
extraOptions = [
''--network=colony:${dockerNetAssignment allAssignments "simpcraft-staging-oci"}''
];
};
};
my = {
secrets.files = {
"whale2/simpcraft.env" = {};
"whale2/simpcraft-git.key" = {
owner = "1000";
};
};
};
};
}

BIN
nixos/boxes/colony/vms/whale2/minecraft/icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.4 KiB

53
nixos/boxes/home/palace/default.nix
View File

@@ -2,7 +2,7 @@
let let
inherit (lib.my) net mkVLAN; inherit (lib.my) net mkVLAN;
inherit (lib.my.c) pubDomain; inherit (lib.my.c) pubDomain;
inherit (lib.my.c.home) domain vlans prefixes vips; inherit (lib.my.c.home) domain vlans prefixes vips hiMTU;
in in
{ {
imports = [ ./vms ]; imports = [ ./vms ];
@@ -15,15 +15,21 @@ in
assignments = { assignments = {
hi = { hi = {
inherit domain; inherit domain;
mtu = hiMTU;
ipv4 = { ipv4 = {
address = net.cidr.host 22 prefixes.hi.v4; address = net.cidr.host 22 prefixes.hi.v4;
mask = 22; mask = 22;
gateway = vips.hi.v4; gateway = vips.hi.v4;
}; };
ipv6 = {
iid = "::2:1";
address = net.cidr.host (65536*2+1) prefixes.hi.v6;
};
}; };
core = { core = {
inherit domain; inherit domain;
name = "palace-core"; name = "palace-core";
mtu = 1500;
ipv4 = { ipv4 = {
address = net.cidr.host 20 prefixes.core.v4; address = net.cidr.host 20 prefixes.core.v4;
gateway = null; gateway = null;
@@ -88,7 +94,7 @@ in
extraOptions = [ "-A /var/log/smartd/" "--interval=600" ]; extraOptions = [ "-A /var/log/smartd/" "--interval=600" ];
}; };
udev.extraRules = '' udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="net", ENV{ID_NET_DRIVER}=="mlx5_core", ENV{ID_PATH}=="pci-0000:44:00.0", ATTR{device/sriov_numvfs}="2" ACTION=="add", SUBSYSTEM=="net", ENV{ID_NET_DRIVER}=="mlx5_core", ENV{ID_PATH}=="pci-0000:44:00.0", ATTR{device/sriov_numvfs}="3"
''; '';
}; };
@@ -104,7 +110,7 @@ in
hwloc hwloc
]; ];
networking.domain = "h.${pubDomain}"; networking = { inherit domain; };
systemd = { systemd = {
tmpfiles.rules = [ tmpfiles.rules = [
@@ -131,13 +137,20 @@ in
}; };
linkConfig = { linkConfig = {
Name = "et100g"; Name = "et100g";
MTUBytes = "9000"; MTUBytes = toString hiMTU;
}; };
}; };
}; };
netdevs = mkMerge [ netdevs = mkMerge [
(mkVLAN "lan-hi" vlans.hi) (mkVLAN "lan-hi" vlans.hi)
(mkVLAN "lan-lo-phy" vlans.lo)
{
"25-lan-lo".netdevConfig = {
Name = "lan-lo";
Kind = "bridge";
};
}
]; ];
networks = { networks = {
@@ -145,6 +158,7 @@ in
(networkdAssignment "lan-core" assignments.core) (networkdAssignment "lan-core" assignments.core)
{ {
matchConfig.Name = "lan-core"; matchConfig.Name = "lan-core";
vlan = [ "lan-lo-phy" ];
networkConfig.IPv6AcceptRA = mkForce false; networkConfig.IPv6AcceptRA = mkForce false;
} }
]; ];
@@ -167,19 +181,28 @@ in
VirtualFunction=1 VirtualFunction=1
LinkState=yes LinkState=yes
MACAddress=52:54:00:8a:8a:f2 MACAddress=52:54:00:8a:8a:f2
# sfh
[SR-IOV]
VirtualFunction=2
VLANId=${toString vlans.hi}
LinkState=yes
MACAddress=52:54:00:ac:15:a9
''; '';
}; };
"60-lan-hi" = mkMerge [ "60-lan-hi" = networkdAssignment "lan-hi" assignments.hi;
(networkdAssignment "lan-hi" assignments.hi)
{ "50-lan-lo-phy" = {
matchConfig.Name = "lan-hi"; matchConfig.Name = "lan-lo-phy";
linkConfig.MTUBytes = "9000"; networkConfig = {
networkConfig.DNS = [ Bridge = "lan-lo";
(allAssignments.stream.hi.ipv4.address) } // networkd.noL3;
# (allAssignments.river.hi.ipv4.address) };
]; "60-lan-lo" = {
} matchConfig.Name = "lan-lo";
]; linkConfig.RequiredForOnline = "no";
networkConfig = networkd.noL3;
};
}; };
}; };
}; };

56
nixos/boxes/home/palace/vms/cellar/default.nix
View File

@@ -2,7 +2,7 @@
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.c) pubDomain; inherit (lib.my.c) pubDomain;
inherit (lib.my.c.home) domain prefixes vips; inherit (lib.my.c.home) domain prefixes vips hiMTU;
in in
{ {
nixos.systems.cellar = { nixos.systems.cellar = {
@@ -12,11 +12,16 @@ in
assignments = { assignments = {
hi = { hi = {
inherit domain; inherit domain;
mtu = hiMTU;
ipv4 = { ipv4 = {
address = net.cidr.host 80 prefixes.hi.v4; address = net.cidr.host 80 prefixes.hi.v4;
mask = 22; mask = 22;
gateway = vips.hi.v4; gateway = vips.hi.v4;
}; };
ipv6 = {
iid = "::4:1";
address = net.cidr.host (65536*4+1) prefixes.hi.v6;
};
}; };
}; };
@@ -24,21 +29,17 @@ in
let let
inherit (lib) mkMerge; inherit (lib) mkMerge;
inherit (lib.my) networkdAssignment; inherit (lib.my) networkdAssignment;
spdk = pkgs.spdk.overrideAttrs (o: {
configureFlags = o.configureFlags ++ [ "--with-rdma" ];
});
in in
{ {
imports = [ imports = [
"${modulesPath}/profiles/qemu-guest.nix" "${modulesPath}/profiles/qemu-guest.nix"
./spdk.nix
]; ];
config = mkMerge [ config = mkMerge [
{ {
boot = { boot = {
kernelParams = [ "console=ttyS0,115200n8" ]; kernelParams = [ "console=ttyS0,115200n8" "intel_iommu=on" ];
blacklistedKernelModules = [ "nvme" ];
}; };
fileSystems = { fileSystems = {
@@ -57,58 +58,27 @@ in
}; };
}; };
networking = { inherit domain; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
pciutils pciutils
spdk partclone
(pkgs.writeShellScriptBin "spdk-rpc" ''
exec ${pkgs.python3}/bin/python3 ${spdk.src}/scripts/rpc.py "$@"
'')
]; ];
services = { services = {
netdata.enable = true; netdata.enable = true;
}; };
systemd.services = {
spdk-nvmf = {
description = "SPDK NVMe-oF target";
path = with pkgs; [
bash
python3
kmod
gawk
util-linux
];
after = [ "systemd-networkd-wait-online@lan-hi.service" ];
preStart = ''
${spdk.src}/scripts/setup.sh
'';
serviceConfig.ExecStart = "${spdk}/bin/spdk_tgt -c ${./spdk_nvmf.json}";
wantedBy = [ "multi-user.target" ];
};
};
systemd.network = { systemd.network = {
links = { links = {
"10-lan-hi" = { "10-lan-hi" = {
matchConfig.PermanentMACAddress = "52:54:00:cc:3e:70"; matchConfig.PermanentMACAddress = "52:54:00:cc:3e:70";
linkConfig = { linkConfig.Name = "lan-hi";
Name = "lan-hi";
MTUBytes = "9000";
};
}; };
}; };
networks = { networks = {
"80-vms" = mkMerge [ "80-lan-hi" = networkdAssignment "lan-hi" assignments.hi;
(networkdAssignment "lan-hi" assignments.hi)
{
networkConfig.DNS = [
(allAssignments.stream.hi.ipv4.address)
# (allAssignments.river.hi.ipv4.address)
];
}
];
}; };
}; };

137
nixos/boxes/home/palace/vms/cellar/spdk.nix Normal file
View File

@@ -0,0 +1,137 @@
{ lib, pkgs, config, assignments, ... }:
let
inherit (lib) mapAttrsToList;
in
{
config = {
boot.blacklistedKernelModules = [ "nvme" ];
systemd.services = {
spdk-tgt.after = [ "systemd-networkd-wait-online@lan-hi.service" ];
};
my = {
spdk = {
enable = true;
extraArgs = "--mem-channels 2 --cpumask 0xffff";
debugCommands = ''
spdk-rpc bdev_nvme_attach_controller -t pcie -a 02:00.0 -b NVMe0
spdk-rpc bdev_nvme_attach_controller -t pcie -a 03:00.0 -b NVMe1
spdk-rpc bdev_nvme_attach_controller -t pcie -a 04:00.0 -b NVMe2
spdk-rpc bdev_raid_create -n NVMeRaid -z 64 -r 0 -b 'NVMe0n1 NVMe1n1 NVMe2n1'
spdk-rpc ublk_create_target
spdk-rpc ublk_start_disk NVMeRaid 1
'';
config.subsystems =
let
nvmeAttaches = mapAttrsToList (name: bdf: {
method = "bdev_nvme_attach_controller";
params = {
hostnqn =
"nqn.2014-08.org.nvmexpress:uuid:2b16606f-b82c-49f8-9b20-a589dac8b775";
trtype = "PCIe";
inherit name;
traddr = bdf;
};
}) {
"NVMe0" = "02:00.0";
"NVMe1" = "03:00.0";
"NVMe2" = "04:00.0";
};
nvmfListener = nqn: {
method = "nvmf_subsystem_add_listener";
params = {
inherit nqn;
listen_address = {
adrfam = "IPv4";
traddr = assignments.hi.ipv4.address;
trsvcid = "4420";
trtype = "RDMA";
};
secure_channel = false;
};
};
nvmfBdev = { nqn, hostnqn, bdev, serial }: [
{
method = "nvmf_create_subsystem";
params = {
inherit nqn;
serial_number = serial;
};
}
(nvmfListener nqn)
{
method = "nvmf_subsystem_add_host";
params = {
inherit nqn;
host = hostnqn;
};
}
{
method = "nvmf_subsystem_add_ns";
params = {
inherit nqn;
namespace = {
bdev_name = bdev;
nsid = 1;
};
};
}
];
in
{
scheduler = [
{
method = "framework_set_scheduler";
params.name = "dynamic";
}
];
bdev = [
{
method = "bdev_set_options";
params.bdev_auto_examine = false;
}
] ++ nvmeAttaches ++ [
{
method = "bdev_raid_create";
params = {
base_bdevs = [ "NVMe0n1" "NVMe1n1" "NVMe2n1" ];
name = "NVMeRaid";
raid_level = "raid0";
strip_size_kb = 64;
};
}
{
method = "bdev_examine";
params.name = "NVMeRaid";
}
{ method = "bdev_wait_for_examine"; }
];
nvmf = [
{
method = "nvmf_create_transport";
params.trtype = "RDMA";
}
(nvmfListener "nqn.2014-08.org.nvmexpress.discovery")
] ++ (nvmfBdev {
bdev = "NVMeRaidp1";
nqn = "nqn.2016-06.io.spdk:river";
hostnqn =
"nqn.2014-08.org.nvmexpress:uuid:12b52d80-ccb6-418d-9b2e-2be34bff3cd9";
serial = "SPDK00000000000001";
}) ++ (nvmfBdev {
bdev = "NVMeRaidp2";
nqn = "nqn.2016-06.io.spdk:castle";
hostnqn =
"nqn.2014-08.org.nvmexpress:uuid:2230b066-a674-4f45-a1dc-f7727b3a9e7b";
serial = "SPDK00000000000002";
});
};
};
};
};
}

375
nixos/boxes/home/palace/vms/cellar/spdk_nvmf.json
View File

@@ -1,375 +0,0 @@
{
"subsystems": [
{
"subsystem": "scheduler",
"config": [
{
"method": "framework_set_scheduler",
"params": {
"name": "static"
}
}
]
},
{
"subsystem": "vmd",
"config": []
},
{
"subsystem": "sock",
"config": [
{
"method": "sock_impl_set_options",
"params": {
"impl_name": "posix",
"recv_buf_size": 2097152,
"send_buf_size": 2097152,
"enable_recv_pipe": true,
"enable_quickack": false,
"enable_placement_id": 0,
"enable_zerocopy_send_server": true,
"enable_zerocopy_send_client": false,
"zerocopy_threshold": 0,
"tls_version": 0,
"enable_ktls": false
}
},
{
"method": "sock_impl_set_options",
"params": {
"impl_name": "ssl",
"recv_buf_size": 4096,
"send_buf_size": 4096,
"enable_recv_pipe": true,
"enable_quickack": false,
"enable_placement_id": 0,
"enable_zerocopy_send_server": true,
"enable_zerocopy_send_client": false,
"zerocopy_threshold": 0,
"tls_version": 0,
"enable_ktls": false
}
}
]
},
{
"subsystem": "iobuf",
"config": [
{
"method": "iobuf_set_options",
"params": {
"small_pool_count": 8192,
"large_pool_count": 1024,
"small_bufsize": 8192,
"large_bufsize": 135168
}
}
]
},
{
"subsystem": "accel",
"config": [
{
"method": "accel_set_options",
"params": {
"small_cache_size": 128,
"large_cache_size": 16,
"task_count": 2048,
"sequence_count": 2048,
"buf_count": 2048
}
}
]
},
{
"subsystem": "bdev",
"config": [
{
"method": "bdev_set_options",
"params": {
"bdev_io_pool_size": 65535,
"bdev_io_cache_size": 256,
"bdev_auto_examine": true
}
},
{
"method": "bdev_nvme_set_options",
"params": {
"action_on_timeout": "none",
"timeout_us": 0,
"timeout_admin_us": 0,
"keep_alive_timeout_ms": 10000,
"transport_retry_count": 4,
"arbitration_burst": 0,
"low_priority_weight": 0,
"medium_priority_weight": 0,
"high_priority_weight": 0,
"nvme_adminq_poll_period_us": 10000,
"nvme_ioq_poll_period_us": 0,
"io_queue_requests": 512,
"delay_cmd_submit": true,
"bdev_retry_count": 3,
"transport_ack_timeout": 0,
"ctrlr_loss_timeout_sec": 0,
"reconnect_delay_sec": 0,
"fast_io_fail_timeout_sec": 0,
"generate_uuids": false,
"transport_tos": 0,
"io_path_stat": false,
"allow_accel_sequence": false
}
},
{
"method": "bdev_nvme_attach_controller",
"params": {
"name": "NVMe0",
"trtype": "PCIe",
"traddr": "02:00.0",
"prchk_reftag": false,
"prchk_guard": false,
"ctrlr_loss_timeout_sec": 0,
"reconnect_delay_sec": 0,
"fast_io_fail_timeout_sec": 0,
"hostnqn": "nqn.2014-08.org.nvmexpress:uuid:2b16606f-b82c-49f8-9b20-a589dac8b775",
"hdgst": false,
"ddgst": false
}
},
{
"method": "bdev_nvme_attach_controller",
"params": {
"name": "NVMe1",
"trtype": "PCIe",
"traddr": "03.00.0",
"prchk_reftag": false,
"prchk_guard": false,
"ctrlr_loss_timeout_sec": 0,
"reconnect_delay_sec": 0,
"fast_io_fail_timeout_sec": 0,
"hostnqn": "nqn.2014-08.org.nvmexpress:uuid:2b16606f-b82c-49f8-9b20-a589dac8b775",
"hdgst": false,
"ddgst": false
}
},
{
"method": "bdev_nvme_attach_controller",
"params": {
"name": "NVMe2",
"trtype": "PCIe",
"traddr": "04.00.0",
"prchk_reftag": false,
"prchk_guard": false,
"ctrlr_loss_timeout_sec": 0,
"reconnect_delay_sec": 0,
"fast_io_fail_timeout_sec": 0,
"hostnqn": "nqn.2014-08.org.nvmexpress:uuid:2b16606f-b82c-49f8-9b20-a589dac8b775",
"hdgst": false,
"ddgst": false
}
},
{
"method": "bdev_nvme_set_hotplug",
"params": {
"period_us": 100000,
"enable": false
}
},
{
"method": "bdev_raid_create",
"params": {
"name": "Raid0",
"strip_size_kb": 64,
"raid_level": "raid0",
"base_bdevs": [
"NVMe0n1",
"NVMe1n1",
"NVMe2n1"
]
}
},
{
"method": "bdev_wait_for_examine"
}
]
},
{
"subsystem": "nvmf",
"config": [
{
"method": "nvmf_set_config",
"params": {
"discovery_filter": "match_any",
"admin_cmd_passthru": {
"identify_ctrlr": false
}
}
},
{
"method": "nvmf_set_max_subsystems",
"params": {
"max_subsystems": 1024
}
},
{
"method": "nvmf_set_crdt",
"params": {
"crdt1": 0,
"crdt2": 0,
"crdt3": 0
}
},
{
"method": "nvmf_create_transport",
"params": {
"trtype": "RDMA",
"max_queue_depth": 128,
"max_io_qpairs_per_ctrlr": 127,
"in_capsule_data_size": 4096,
"max_io_size": 131072,
"io_unit_size": 8192,
"max_aq_depth": 128,
"num_shared_buffers": 4095,
"buf_cache_size": 4294967295,
"dif_insert_or_strip": false,
"zcopy": false,
"max_srq_depth": 4096,
"no_srq": false,
"acceptor_backlog": 100,
"no_wr_batching": false,
"abort_timeout_sec": 1
}
},
{
"method": "nvmf_create_subsystem",
"params": {
"nqn": "nqn.2016-06.io.spdk:river",
"allow_any_host": false,
"serial_number": "SPDK00000000000001",
"model_number": "SPDK bdev Controller",
"max_namespaces": 32,
"min_cntlid": 1,
"max_cntlid": 65519,
"ana_reporting": false
}
},
{
"method": "nvmf_subsystem_add_host",
"params": {
"nqn": "nqn.2016-06.io.spdk:river",
"host": "nqn.2014-08.org.nvmexpress:uuid:12b52d80-ccb6-418d-9b2e-2be34bff3cd9"
}
},
{
"method": "nvmf_subsystem_add_ns",
"params": {
"nqn": "nqn.2016-06.io.spdk:river",
"namespace": {
"nsid": 1,
"bdev_name": "9c545b0b-5b9c-4a32-b1eb-483adf5369fc",
"nguid": "9C545B0B5B9C4A32B1EB483ADF5369FC",
"uuid": "9c545b0b-5b9c-4a32-b1eb-483adf5369fc"
}
}
},
{
"method": "nvmf_subsystem_add_listener",
"params": {
"nqn": "nqn.2016-06.io.spdk:river",
"listen_address": {
"trtype": "RDMA",
"adrfam": "IPv4",
"traddr": "192.168.68.80",
"trsvcid": "4420"
},
"secure_channel": false
}
},
{
"method": "nvmf_create_subsystem",
"params": {
"nqn": "nqn.2016-06.io.spdk:sfh",
"allow_any_host": false,
"serial_number": "SPDK00000000000002",
"model_number": "SPDK bdev Controller",
"max_namespaces": 32,
"min_cntlid": 1,
"max_cntlid": 65519,
"ana_reporting": false
}
},
{
"method": "nvmf_subsystem_add_ns",
"params": {
"nqn": "nqn.2016-06.io.spdk:sfh",
"namespace": {
"nsid": 1,
"bdev_name": "780ddeb9-646d-4331-a0d5-3b0aecd3bf3e",
"nguid": "780DDEB9646D4331A0D53B0AECD3BF3E",
"uuid": "780ddeb9-646d-4331-a0d5-3b0aecd3bf3e"
}
}
},
{
"method": "nvmf_subsystem_add_listener",
"params": {
"nqn": "nqn.2016-06.io.spdk:sfh",
"listen_address": {
"trtype": "RDMA",
"adrfam": "IPv4",
"traddr": "192.168.68.80",
"trsvcid": "4420"
},
"secure_channel": false
}
}
]
},
{
"subsystem": "nbd",
"config": []
},
{
"subsystem": "vhost_blk",
"config": []
},
{
"subsystem": "scsi",
"config": null
},
{
"subsystem": "iscsi",
"config": [
{
"method": "iscsi_set_options",
"params": {
"node_base": "iqn.2016-06.io.spdk",
"max_sessions": 128,
"max_connections_per_session": 2,
"max_queue_depth": 64,
"default_time2wait": 2,
"default_time2retain": 20,
"first_burst_length": 8192,
"immediate_data": true,
"allow_duplicated_isid": false,
"error_recovery_level": 0,
"nop_timeout": 60,
"nop_in_interval": 30,
"disable_chap": false,
"require_chap": false,
"mutual_chap": false,
"chap_group": 0,
"max_large_datain_per_connection": 64,
"max_r2t_per_connection": 4,
"pdu_pool_size": 36864,
"immediate_data_pool_size": 16384,
"data_out_pool_size": 2048
}
}
]
},
{
"subsystem": "vhost_scsi",
"config": []
}
]
}

54
nixos/boxes/home/palace/vms/default.nix
View File

@@ -4,7 +4,7 @@
./river.nix ./river.nix
]; ];
nixos.systems.palace.configuration = { lib, pkgs, config, systems, ... }: nixos.systems.palace.configuration = { lib, pkgs, config, systems, allAssignments, ... }:
let let
inherit (lib) mkMerge; inherit (lib) mkMerge;
inherit (lib.my) vm; inherit (lib.my) vm;
@@ -55,7 +55,19 @@
}; };
}; };
systemd.services = { systemd.services =
let
awaitCellar = {
after = [ "vm@cellar.service" ];
bindsTo = [ "vm@cellar.service" ];
preStart = ''
until ${pkgs.netcat}/bin/nc -w1 -z ${allAssignments.cellar.hi.ipv4.address} 22; do
sleep 1
done
'';
};
in
{
"vm@cellar" = { "vm@cellar" = {
serviceConfig = { serviceConfig = {
CPUAffinity = "numa"; CPUAffinity = "numa";
@@ -63,14 +75,19 @@
NUMAMask = "1"; NUMAMask = "1";
}; };
}; };
"vm@river" = "vm@river" =
let let
vtapUnit = "sys-subsystem-net-devices-vm\\x2det1g0.device"; vtapUnit = "sys-subsystem-net-devices-vm\\x2det1g0.device";
in in
mkMerge [
awaitCellar
{ {
requires = [ vtapUnit ]; requires = [ vtapUnit ];
after = [ vtapUnit ]; after = [ vtapUnit ];
}; }
];
"vm@sfh" = awaitCellar;
}; };
my = { my = {
@@ -83,7 +100,8 @@
cpus = 8; cpus = 8;
threads = 2; threads = 2;
}; };
memory = 32768; memory = 16384;
cleanShutdown.timeout = 120;
drives = [ drives = [
(mkMerge [ (vm.disk "cellar" "esp") { frontendOpts.bootindex = 0; } ]) (mkMerge [ (vm.disk "cellar" "esp") { frontendOpts.bootindex = 0; } ])
(vm.disk "cellar" "nix") (vm.disk "cellar" "nix")
@@ -107,6 +125,10 @@
hostBDF = "43:00.0"; hostBDF = "43:00.0";
}; };
}; };
qemuFlags = [
"machine kernel-irqchip=split"
"device intel-iommu,caching-mode=on,device-iotlb=on,intremap=on"
];
}; };
river = { river = {
@@ -117,6 +139,7 @@
threads = 2; threads = 2;
}; };
memory = 4096; memory = 4096;
cleanShutdown.timeout = 60;
networks = { networks = {
et1g0 = { et1g0 = {
ifname = "vm-et1g0"; ifname = "vm-et1g0";
@@ -138,6 +161,29 @@
}; };
}; };
}; };
sfh = {
uuid = "82ec149d-577c-421a-93e2-a9307c756cd8";
cpu = "host,topoext";
smp = {
cpus = 8;
threads = 2;
};
memory = 32768;
cleanShutdown.timeout = 120;
networks.netboot = {
bridge = "lan-lo";
waitOnline = "carrier";
mac = "52:54:00:a5:7e:93";
extraOptions.bootindex = 1;
};
hostDevices = {
et100g0vf2 = {
index = 0;
hostBDF = "44:00.3";
};
};
};
}; };
}; };
}; };

28
nixos/boxes/home/palace/vms/river.nix
View File

@@ -43,7 +43,6 @@
extraBin = with pkgs; { extraBin = with pkgs; {
dmesg = "${util-linux}/bin/dmesg"; dmesg = "${util-linux}/bin/dmesg";
ip = "${iproute2}/bin/ip"; ip = "${iproute2}/bin/ip";
nvme = "${nvme-cli}/bin/nvme";
}; };
extraConfig = '' extraConfig = ''
DefaultTimeoutStartSec=50 DefaultTimeoutStartSec=50
@@ -65,25 +64,6 @@
"30-lan-hi" = networkdAssignment "lan-hi" assignments.hi; "30-lan-hi" = networkdAssignment "lan-hi" assignments.hi;
}; };
}; };
services.connect-nvme = {
description = "Connect NVMe-oF";
before = [ "initrd-root-device.target" ];
after = [ "systemd-networkd-wait-online.service" ];
requires = [ "systemd-networkd-wait-online.service" ];
serviceConfig = {
Type = "oneshot";
Restart = "on-failure";
RestartSec = 10;
};
script = ''
${pkgs.nvme-cli}/bin/nvme connect -t rdma -a 192.168.68.80 \
-n nqn.2016-06.io.spdk:river -q nqn.2014-08.org.nvmexpress:uuid:12b52d80-ccb6-418d-9b2e-2be34bff3cd9
'';
wantedBy = [ "initrd-root-device.target" ];
};
}; };
}; };
}; };
@@ -146,6 +126,14 @@
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9uFa4z9WPuXRFVA+PClQSitQCSPckhKTxo1Hq585Oa"; key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9uFa4z9WPuXRFVA+PClQSitQCSPckhKTxo1Hq585Oa";
}; };
server.enable = true; server.enable = true;
nvme = {
uuid = "12b52d80-ccb6-418d-9b2e-2be34bff3cd9";
boot = {
nqn = "nqn.2016-06.io.spdk:river";
address = "192.168.68.80";
};
};
deploy.node.hostname = "192.168.68.1"; deploy.node.hostname = "192.168.68.1";
}; };
}; };

131
nixos/boxes/home/routing-common/default.nix
View File

@@ -3,9 +3,10 @@ let
inherit (builtins) elemAt; inherit (builtins) elemAt;
inherit (lib.my) net mkVLAN; inherit (lib.my) net mkVLAN;
inherit (lib.my.c) pubDomain; inherit (lib.my.c) pubDomain;
inherit (lib.my.c.home) domain vlans prefixes routers routersPubV4; inherit (lib.my.c.home) domain vlans prefixes vips routers routersPubV4;
name = elemAt routers index; name = elemAt routers index;
otherIndex = 1 - index;
in in
{ {
nixos.systems."${name}" = { nixos.systems."${name}" = {
@@ -19,14 +20,16 @@ in
core = { core = {
name = "${name}-core"; name = "${name}-core";
inherit domain; inherit domain;
mtu = 1500;
ipv4 = { ipv4 = {
address = net.cidr.host (index + 1) prefixes.core.v4; address = net.cidr.host (index + 1) prefixes.core.v4;
gateway = null; gateway = null;
}; };
}; };
hi = { hi = {
inherit domain;
name = "${name}-hi"; name = "${name}-hi";
inherit domain;
mtu = 9000;
ipv4 = { ipv4 = {
address = net.cidr.host (index + 1) prefixes.hi.v4; address = net.cidr.host (index + 1) prefixes.hi.v4;
mask = 22; mask = 22;
@@ -37,6 +40,7 @@ in
lo = { lo = {
name = "${name}-lo"; name = "${name}-lo";
inherit domain; inherit domain;
mtu = 1500;
ipv4 = { ipv4 = {
address = net.cidr.host (index + 1) prefixes.lo.v4; address = net.cidr.host (index + 1) prefixes.lo.v4;
mask = 21; mask = 21;
@@ -47,6 +51,7 @@ in
untrusted = { untrusted = {
name = "${name}-ut"; name = "${name}-ut";
inherit domain; inherit domain;
mtu = 1500;
ipv4 = { ipv4 = {
address = net.cidr.host (index + 1) prefixes.untrusted.v4; address = net.cidr.host (index + 1) prefixes.untrusted.v4;
mask = 24; mask = 24;
@@ -61,11 +66,38 @@ in
}; };
ipv6 = { ipv6 = {
address = net.cidr.host ((1*65536*65536*65536) + index + 1) prefixes.as211024.v6; address = net.cidr.host ((1*65536*65536*65536) + index + 1) prefixes.as211024.v6;
gateway = net.cidr.host 1 prefixes.as211024.v6; gateway = net.cidr.host ((2*65536*65536*65536) + 1) prefixes.as211024.v6;
}; };
}; };
}; };
extraAssignments = {
router-hi.hi = {
name = "router-hi";
inherit domain;
ipv4 = {
address = vips.hi.v4;
mask = 22;
};
ipv6.address = vips.hi.v6;
};
router-lo.lo = {
name = "router-lo";
inherit domain;
ipv4 = {
address = vips.lo.v4;
mask = 21;
};
ipv6.address = vips.lo.v6;
};
router-ut.untrusted = {
name = "router-ut";
inherit domain;
ipv4.address = vips.untrusted.v4;
ipv6.address = vips.untrusted.v6;
};
};
configuration = { lib, pkgs, config, assignments, allAssignments, ... }: configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
let let
inherit (lib) mkIf mkMerge mkForce; inherit (lib) mkIf mkMerge mkForce;
@@ -76,6 +108,8 @@ in
imports = map (m: import m index) [ imports = map (m: import m index) [
./keepalived.nix ./keepalived.nix
./dns.nix ./dns.nix
./radvd.nix
./kea.nix
]; ];
config = { config = {
@@ -157,7 +191,7 @@ in
networks = networks =
let let
mkVLANConfig = name: mtu: mkVLANConfig = name:
let let
iface = "lan-${name}"; iface = "lan-${name}";
in in
@@ -165,26 +199,9 @@ in
"60-${iface}" = mkMerge [ "60-${iface}" = mkMerge [
(networkdAssignment iface assignments."${name}") (networkdAssignment iface assignments."${name}")
{ {
linkConfig.MTUBytes = toString mtu; dns = [ "127.0.0.1" "::1" ];
domains = [ config.networking.domain ]; domains = [ config.networking.domain ];
networkConfig = { networkConfig.IPv6AcceptRA = mkForce false;
IPv6AcceptRA = mkForce false;
# IPv6SendRA = true;
};
ipv6SendRAConfig = {
DNS = [
(net.cidr.host 1 prefixes."${name}".v4)
(net.cidr.host 2 prefixes."${name}".v4)
(net.cidr.host 1 prefixes."${name}".v6)
(net.cidr.host 2 prefixes."${name}".v6)
];
Domains = [ config.networking.domain ];
};
ipv6Prefixes = [
{
ipv6PrefixConfig.Prefix = prefixes."${name}".v6;
}
];
} }
]; ];
}; };
@@ -212,12 +229,6 @@ in
DHCP = "ipv4"; DHCP = "ipv4";
dns = [ "127.0.0.1" "::1" ]; dns = [ "127.0.0.1" "::1" ];
dhcpV4Config.UseDNS = false; dhcpV4Config.UseDNS = false;
routes = map (r: { routeConfig = r; }) [
# {
# Destination = prefixes.ctrs.v4;
# Gateway = allAssignments.shill.routing.ipv4.address;
# }
];
qdiscConfig = { qdiscConfig = {
Parent = "ingress"; Parent = "ingress";
@@ -251,13 +262,39 @@ in
{ {
matchConfig.Name = "as211024"; matchConfig.Name = "as211024";
networkConfig.IPv6AcceptRA = mkForce false; networkConfig.IPv6AcceptRA = mkForce false;
routes = map (r: { routeConfig = r; }) [
{
Destination = lib.my.c.colony.prefixes.all.v4;
Gateway = allAssignments.estuary.as211024.ipv4.address;
}
{
Destination = lib.my.c.tailscale.prefix.v4;
Gateway = allAssignments.britway.as211024.ipv4.address;
}
{
Destination = lib.my.c.tailscale.prefix.v6;
Gateway = allAssignments.britway.as211024.ipv6.address;
}
];
} }
]; ];
} }
(mkVLANConfig "hi" 9000) (mkVLANConfig "hi")
(mkVLANConfig "lo" 1500) (mkVLANConfig "lo")
(mkVLANConfig "untrusted" 1500) (mkVLANConfig "untrusted")
{
"60-lan-hi" = {
routes = map (r: { routeConfig = r; }) [
{
Destination = elemAt routersPubV4 otherIndex;
Gateway = net.cidr.host (otherIndex + 1) prefixes.hi.v4;
}
];
};
}
]; ];
}; };
@@ -280,24 +317,30 @@ in
nat = { nat = {
enable = true; enable = true;
externalInterface = "wan"; externalInterface = "wan";
# externalIP = assignments.internal.ipv4.address;
forwardPorts = [
# {
# port = "http";
# dst = allAssignments.middleman.internal.ipv4.address;
# }
];
}; };
extraRules = '' extraRules =
let
aa = allAssignments;
in
''
table inet filter { table inet filter {
chain input { chain input {
${lib.my.c.as211024.nftTrust}
iifname base meta l4proto { udp, tcp } th dport domain accept iifname base meta l4proto { udp, tcp } th dport domain accept
iifname lan-core meta l4proto vrrp accept iifname lan-core meta l4proto vrrp accept
} }
chain routing-tcp { chain routing-tcp {
# Safe enough to allow all SSH ip daddr {
tcp dport ssh accept ${aa.castle.hi.ipv4.address},
${aa.cellar.hi.ipv4.address},
${aa.palace.hi.ipv4.address}
} tcp dport ssh accept
ip6 daddr {
${aa.castle.hi.ipv6.address},
${aa.cellar.hi.ipv6.address},
${aa.palace.hi.ipv6.address}
} tcp dport ssh accept
return return
} }
@@ -316,8 +359,10 @@ in
} }
chain forward { chain forward {
${lib.my.c.as211024.nftTrust}
iifname lan-untrusted jump filter-untrusted iifname lan-untrusted jump filter-untrusted
iifname { wan, lan-untrusted } oifname { lan-hi, lan-lo } jump filter-routing iifname { wan, as211024, lan-untrusted } oifname { lan-hi, lan-lo } jump filter-routing
oifname as211024 accept
} }
chain output { } chain output { }
} }

61
nixos/boxes/home/routing-common/dns.nix
View File

@@ -2,6 +2,7 @@ index: { lib, pkgs, config, assignments, allAssignments, ... }:
let let
inherit (builtins) attrNames elemAt; inherit (builtins) attrNames elemAt;
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.home) prefixes vips routers; inherit (lib.my.c.home) prefixes vips routers;
name = elemAt routers index; name = elemAt routers index;
@@ -22,6 +23,7 @@ in
owner = "pdns-recursor"; owner = "pdns-recursor";
group = "pdns-recursor"; group = "pdns-recursor";
}; };
"home/ddclient-cloudflare.key" = {};
}; };
pdns.recursor = { pdns.recursor = {
@@ -42,18 +44,13 @@ in
"127.0.0.0/8" "::1/128" "127.0.0.0/8" "::1/128"
prefixes.hi.v4 prefixes.hi.v6 prefixes.hi.v4 prefixes.hi.v6
prefixes.lo.v4 prefixes.lo.v6 prefixes.lo.v4 prefixes.lo.v6
]; ] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
}; };
settings = { settings = {
query-local-address = [ query-local-address = [
# TODO: IPv6
"0.0.0.0" "0.0.0.0"
"::" "::"
# TODO: Dynamic IPv4 WAN address?
# assignments.internal.ipv4.address
# assignments.internal.ipv6.address
# assignments.hi.ipv6.address
]; ];
forward-zones = map (z: "${z}=127.0.0.1:5353") authZones; forward-zones = map (z: "${z}=127.0.0.1:5353") authZones;
@@ -68,14 +65,42 @@ in
}; };
}; };
systemd.services = { systemd = {
services = {
# Add AF_NETLINK to allow pulling IP from network interfaces # Add AF_NETLINK to allow pulling IP from network interfaces
pdns.serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; pdns.serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
ddns-update = {
description = "DNS update script";
after = [ "network.target" ];
path = [
(pkgs.python3.withPackages (ps: [ ps.cloudflare ]))
pkgs.ldns
];
serviceConfig = {
Type = "oneshot";
ExecStart =
''${./dns_update.py} -k ${config.age.secrets."home/ddclient-cloudflare.key".path} '' +
''${pubDomain} ns${toString (index + 1)}.${config.networking.domain}'';
};
wantedBy = [ "multi-user.target" ];
};
};
timers = {
ddns-update = {
description = "Periodically update DNS";
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "5min";
OnUnitInactiveSec = "5min";
};
};
};
}; };
# For rec_control
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# For rec_control
pdns-recursor pdns-recursor
sqlite
]; ];
my.pdns.auth = { my.pdns.auth = {
@@ -98,11 +123,15 @@ in
webserver = true; webserver = true;
webserver-address = "::"; webserver-address = "::";
webserver-allow-from = [ "127.0.0.1" "::1" ]; webserver-allow-from = [ "127.0.0.1" "::1" ];
dnsupdate = true;
launch = [ "gsqlite3" ];
gsqlite3-database = "/var/lib/pdns/dynamic.sqlite3";
}; };
bind.zones = bind.zones =
let let
names = [ "core" "hi" "lo" ]; names = [ "core" "hi" "lo" "untrusted" ];
i = toString (index + 1); i = toString (index + 1);
in in
{ {
@@ -136,13 +165,27 @@ in
ns1 IN ALIAS ${elemAt routers 0}.${config.networking.domain}. ns1 IN ALIAS ${elemAt routers 0}.${config.networking.domain}.
ns2 IN ALIAS ${elemAt routers 1}.${config.networking.domain}. ns2 IN ALIAS ${elemAt routers 1}.${config.networking.domain}.
dyn IN NS ns1.dyn.h.nul.ie.
dyn IN NS ns2.dyn.h.nul.ie.
ns1.dyn.h.nul.ie. IN ALIAS ${elemAt routers 0}.${config.networking.domain}.
ns2.dyn.h.nul.ie. IN ALIAS ${elemAt routers 1}.${config.networking.domain}.
jim-core IN A ${net.cidr.host 10 prefixes.core.v4} jim-core IN A ${net.cidr.host 10 prefixes.core.v4}
jim IN A ${net.cidr.host 10 prefixes.hi.v4} jim IN A ${net.cidr.host 10 prefixes.hi.v4}
jim IN AAAA ${net.cidr.host (65536+1) prefixes.hi.v6}
jim-lo IN A ${net.cidr.host 10 prefixes.lo.v4} jim-lo IN A ${net.cidr.host 10 prefixes.lo.v4}
jim-lo IN AAAA ${net.cidr.host (65536+1) prefixes.lo.v6}
dave-core IN A ${net.cidr.host 11 prefixes.core.v4} dave-core IN A ${net.cidr.host 11 prefixes.core.v4}
dave IN A ${net.cidr.host 11 prefixes.hi.v4} dave IN A ${net.cidr.host 11 prefixes.hi.v4}
dave IN AAAA ${net.cidr.host (65536+2) prefixes.hi.v6}
dave-lo IN A ${net.cidr.host 11 prefixes.lo.v4} dave-lo IN A ${net.cidr.host 11 prefixes.lo.v4}
dave-lo IN AAAA ${net.cidr.host (65536+2) prefixes.lo.v6}
;ap0 IN A ${net.cidr.host 12 prefixes.hi.v4}
;ap0 IN AAAA ${net.cidr.host (65536+3) prefixes.hi.v6}
vibe IN A ${net.cidr.host 13 prefixes.hi.v4}
vibe IN AAAA ${net.cidr.host (65536+4) prefixes.hi.v6}
ups IN A ${net.cidr.host 20 prefixes.lo.v4} ups IN A ${net.cidr.host 20 prefixes.lo.v4}
palace-kvm IN A ${net.cidr.host 21 prefixes.lo.v4} palace-kvm IN A ${net.cidr.host 21 prefixes.lo.v4}

35
nixos/boxes/home/routing-common/dns_update.py Executable file
View File

@@ -0,0 +1,35 @@
#!/usr/bin/env python3
import argparse
import subprocess
import CloudFlare
def main():
parser = argparse.ArgumentParser(description='Cloudflare DNS update script')
parser.add_argument('-k', '--api-token-file', help='Cloudflare API token file')
parser.add_argument('zone', help='Cloudflare Zone')
parser.add_argument('record', help='Cloudflare record name')
args = parser.parse_args()
address = subprocess.check_output(
['drill', '-Q', '-p5353', '@127.0.0.1', args.record, 'A'],
encoding='utf8').strip()
cf_token = None
if args.api_token_file:
with open(args.api_token_file) as f:
cf_token = f.readline().strip()
cf = CloudFlare.CloudFlare(token=cf_token)
zones = cf.zones.get(params={'name': args.zone})
assert zones, f'Zone {args.zone} not found'
records = cf.zones.dns_records.get(zones[0]['id'], params={'name': args.record})
assert records, f'Record {args.record} not found in zone {args.zone}'
print(f'Updating {args.record} -> {address}')
cf.zones.dns_records.patch(
zones[0]['id'], records[0]['id'],
data={'type': 'A', 'name': args.record, 'content': address})
if __name__ == '__main__':
main()

149
nixos/boxes/home/routing-common/kea.nix Normal file
View File

@@ -0,0 +1,149 @@
index: { lib, pkgs, assignments, ... }:
let
inherit (lib) mkForce;
inherit (lib.my) net;
inherit (lib.my.c.home) domain prefixes vips hiMTU;
dns-servers = [
{
ip-address = net.cidr.host 1 prefixes.core.v4;
port = 5353;
}
{
ip-address = net.cidr.host 2 prefixes.core.v4;
port = 5353;
}
];
in
{
users = with lib.my.c.ids; {
users.kea= {
isSystemUser = true;
uid = uids.kea;
group = "kea";
};
groups.kea.gid = gids.kea;
};
systemd.services = {
kea-dhcp4-server.serviceConfig.DynamicUser = mkForce false;
kea-dhcp-ddns-server.serviceConfig.DynamicUser = mkForce false;
};
services = {
kea = {
dhcp4 = {
enable = true;
settings = {
interfaces-config = {
interfaces = [
"lan-hi/${assignments.hi.ipv4.address}"
"lan-lo/${assignments.lo.ipv4.address}"
"lan-untrusted/${assignments.untrusted.ipv4.address}"
];
};
lease-database = {
type = "memfile";
persist = true;
name = "/var/lib/kea/dhcp.leases";
};
option-data = [
{
name = "domain-name";
data = domain;
}
{
name = "domain-search";
data = "${domain}, dyn.${domain}, ${lib.my.c.colony.domain}, ${lib.my.c.britway.domain}";
always-send = true;
}
];
subnet4 = [
{
id = 1;
subnet = prefixes.hi.v4;
interface = "lan-hi";
option-data = [
{
name = "routers";
data = vips.hi.v4;
}
{
name = "domain-name-servers";
data = "${net.cidr.host 1 prefixes.hi.v4}, ${net.cidr.host 2 prefixes.hi.v4}";
}
{
name = "interface-mtu";
data = toString hiMTU;
}
];
pools = [
{
pool = if index == 0
then "192.168.68.120 - 192.168.69.255"
else "192.168.70.0 - 192.168.71.240";
}
];
reservations = [
{
# castle
hw-address = "24:8a:07:a8:fe:3a";
ip-address = net.cidr.host 40 prefixes.hi.v4;
}
];
}
{
id = 2;
subnet = prefixes.lo.v4;
interface = "lan-lo";
option-data = [
{
name = "routers";
data = vips.lo.v4;
}
{
name = "domain-name-servers";
data = "${net.cidr.host 1 prefixes.lo.v4}, ${net.cidr.host 2 prefixes.lo.v4}";
}
];
pools = [
{
pool = if index == 0
then "192.168.72.120 - 192.168.75.255"
else "192.168.76.0 - 192.168.79.240";
}
];
reservations = [
{
# castle
hw-address = "24:8a:07:a8:fe:3a";
ip-address = net.cidr.host 40 prefixes.lo.v4;
}
];
}
];
ddns-send-updates = true;
ddns-replace-client-name = "when-not-present";
ddns-qualifying-suffix = "dyn.${domain}";
ddns-generated-prefix = "ip";
ddns-update-on-renew = true;
dhcp-ddns.enable-updates = true;
};
};
dhcp-ddns = {
enable = true;
settings = {
forward-ddns.ddns-domains = [
{
name = "dyn.${domain}.";
inherit dns-servers;
}
];
};
};
};
};
}

18
nixos/boxes/home/routing-common/keepalived.nix
View File

@@ -1,20 +1,30 @@
index: { lib, pkgs, ... }: index: { lib, pkgs, config, ... }:
let let
inherit (builtins) attrNames; inherit (builtins) attrNames concatMap;
inherit (lib) optional;
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.c.home) prefixes vips; inherit (lib.my.c.home) prefixes vips;
vlanIface = vlan: if vlan == "as211024" then vlan else "lan-${vlan}"; vlanIface = vlan: if vlan == "as211024" then vlan else "lan-${vlan}";
vrrpIPs = family: map (vlan: { vrrpIPs = family: concatMap (vlan: [
{
addr = "${vips.${vlan}.${family}}/${toString (net.cidr.length prefixes.${vlan}.${family})}"; addr = "${vips.${vlan}.${family}}/${toString (net.cidr.length prefixes.${vlan}.${family})}";
dev = vlanIface vlan; dev = vlanIface vlan;
}) (attrNames vips); }
] ++ (optional (family == "v6") {
addr = "fe80::1/64";
dev = vlanIface vlan;
})) (attrNames vips);
mkVRRP = family: routerId: { mkVRRP = family: routerId: {
state = if index == 0 then "MASTER" else "BACKUP"; state = if index == 0 then "MASTER" else "BACKUP";
interface = "lan-core"; interface = "lan-core";
priority = 255 - index; priority = 255 - index;
virtualRouterId = routerId; virtualRouterId = routerId;
virtualIps = vrrpIPs family; virtualIps = vrrpIPs family;
extraConfig = ''
notify_master "${config.systemd.package}/bin/systemctl start radvd.service"
notify_backup "${config.systemd.package}/bin/systemctl stop radvd.service"
'';
}; };
in in
{ {

28
nixos/boxes/home/routing-common/radvd.nix Normal file
View File

@@ -0,0 +1,28 @@
index: { lib, pkgs, ... }:
let
inherit (lib) mkForce concatMapStringsSep;
inherit (lib.my) net;
inherit (lib.my.c.home) domain prefixes;
mkInterface = name: ''
interface lan-${name} {
AdvSendAdvert on;
AdvRASrcAddress { fe80::1; };
AdvLinkMTU ${toString prefixes."${name}".mtu};
prefix ${prefixes."${name}".v6} {};
RDNSS ${net.cidr.host 1 prefixes."${name}".v6} ${net.cidr.host 2 prefixes."${name}".v6} {};
DNSSL ${domain} dyn.${domain} ${lib.my.c.colony.domain} ${lib.my.c.britway.domain} {};
};
'';
in
{
# To be started by keepalived
systemd.services.radvd.wantedBy = mkForce [ ];
services = {
radvd = {
enable = true;
config = concatMapStringsSep "\n" mkInterface [ "hi" "lo" "untrusted" ];
};
};
}

2
nixos/boxes/kelder/containers/spoder/default.nix
View File

@@ -92,7 +92,7 @@ in
nextcloud = { nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud27; package = pkgs.nextcloud28;
datadir = "/mnt/storage/nextcloud"; datadir = "/mnt/storage/nextcloud";
hostName = "cloud.${domain}"; hostName = "cloud.${domain}";
https = true; https = true;

40
nixos/boxes/kelder/containers/spoder/nginx.nix
View File

@@ -2,7 +2,7 @@
let let
inherit (builtins) mapAttrs; inherit (builtins) mapAttrs;
inherit (lib) mkMerge mkIf mkDefault; inherit (lib) mkMerge mkIf mkDefault;
inherit (lib.my.c.nginx) proxyHeaders; inherit (lib.my.c.nginx) baseHttpConfig proxyHeaders;
inherit (lib.my.c.kelder) domain; inherit (lib.my.c.kelder) domain;
in in
{ {
@@ -39,43 +39,7 @@ in
# Based on recommended*Settings, but probably better to be explicit about these # Based on recommended*Settings, but probably better to be explicit about these
appendHttpConfig = '' appendHttpConfig = ''
# NixOS provides a logrotate config that auto-compresses :) ${baseHttpConfig}
log_format main
'$remote_addr - $remote_user [$time_local] $scheme "$host" "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log main;
# optimisation
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
# gzip
gzip on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types
application/atom+xml
application/javascript
application/json
application/xml
application/xml+rss
image/svg+xml
text/css
text/javascript
text/plain
text/xml;
gzip_vary on;
# proxying
proxy_buffering off;
proxy_redirect off;
proxy_connect_timeout 60s;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
proxy_http_version 1.1;
${proxyHeaders}
# caching # caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g; proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;

6
nixos/boxes/kelder/default.nix
View File

@@ -135,12 +135,14 @@ in
samba-wsdd.enable = true; samba-wsdd.enable = true;
minecraft-server = { minecraft-server = {
enable = true; enable = false;
package = pkgs.minecraftServers.vanilla-1-19; package = pkgs.minecraftServers.vanilla-1-20;
declarative = true; declarative = true;
eula = true; eula = true;
whitelist = { whitelist = {
devplayer0 = "6d7d971b-ce10-435b-85c5-c99c0d8d288c"; devplayer0 = "6d7d971b-ce10-435b-85c5-c99c0d8d288c";
Elderlypug = "dcd2ecb9-2b5e-49cb-9d4f-f5a76162df56";
shr3kas0ras = "1d366062-12c0-4e29-aba7-6ab5d8c6bb05";
}; };
serverProperties = { serverProperties = {
motd = "Simpcraft"; motd = "Simpcraft";

17
nixos/boxes/tower/default.nix
View File

@@ -107,10 +107,19 @@
fprintd.enable = true; fprintd.enable = true;
blueman.enable = true; blueman.enable = true;
tailscale = {
enable = true;
openFirewall = true;
};
}; };
programs = { programs = {
steam.enable = true; steam.enable = true;
wireshark = {
enable = true;
package = pkgs.wireshark-qt;
};
}; };
networking = { networking = {
@@ -166,6 +175,14 @@
packages = with pkgs; [ ]; packages = with pkgs; [ ];
}; };
programs = {
fish = {
shellAbbrs = {
tsup = "doas tailscale up --login-server=https://ts.nul.ie --accept-routes";
};
};
};
services = { services = {
blueman-applet.enable = true; blueman-applet.enable = true;
}; };

15
nixos/default.nix
View File

@@ -1,4 +1,4 @@
{ lib, pkgsFlakes, hmFlakes, inputs, pkgs', config, ... }: { self, lib, pkgsFlakes, hmFlakes, inputs, pkgs', config, ... }:
let let
inherit (builtins) attrValues mapAttrs; inherit (builtins) attrValues mapAttrs;
inherit (lib) inherit (lib)
@@ -25,10 +25,14 @@ let
modules' = [ hmFlakes.${config'.home-manager}.nixosModule ] ++ (attrValues cfg.modules); modules' = [ hmFlakes.${config'.home-manager}.nixosModule ] ++ (attrValues cfg.modules);
in in
pkgsFlake.lib.nixosSystem { # Import eval-config ourselves since the flake now force-sets lib
import "${pkgsFlake}/nixos/lib/eval-config.nix" {
# Gotta override lib here unforunately, eval-config.nix likes to import its own (unextended) lib. We explicitly # Gotta override lib here unforunately, eval-config.nix likes to import its own (unextended) lib. We explicitly
# don't pass pkgs so that it'll be imported with modularly applied config and overlays. # don't pass pkgs so that it'll be imported with modularly applied config and overlays.
lib = pkgs.lib; lib = pkgs.lib.extend (lib.my.versionOverlay { inherit self pkgsFlake; });
# Set to null since we pass modularly
system = null;
# Put the inputs in specialArgs to avoid infinite recursion when modules try to do imports # Put the inputs in specialArgs to avoid infinite recursion when modules try to do imports
specialArgs = { inherit inputs pkgsFlakes pkgsFlake allAssignments; inherit (cfg) systems; }; specialArgs = { inherit inputs pkgsFlakes pkgsFlake allAssignments; inherit (cfg) systems; };
@@ -51,7 +55,7 @@ let
pkgs' = allPkgs; pkgs' = allPkgs;
}; };
system.name = name; system = { inherit name; };
networking = { networking = {
domain = let d = config'.assignments.internal.domain or null; in mkIf (d != null) (mkDefault' d); domain = let d = config'.assignments.internal.domain or null; in mkIf (d != null) (mkDefault' d);
hostName = mkDefault (config'.assignments.internal.name or name); hostName = mkDefault (config'.assignments.internal.name or name);
@@ -86,6 +90,8 @@ let
pkgsPath = toString pkgsFlakes.${config'.hmNixpkgs}; pkgsPath = toString pkgsFlakes.${config'.hmNixpkgs};
pkgs' = allPkgs; pkgs' = allPkgs;
}; };
home.enableNixpkgsReleaseCheck = false;
} }
(homeStateVersion config'.home-manager) (homeStateVersion config'.home-manager)
]; ];
@@ -100,6 +106,7 @@ let
altNames = mkOpt' (listOf str) [ ] "Extra names to assign."; altNames = mkOpt' (listOf str) [ ] "Extra names to assign.";
visible = mkBoolOpt' true "Whether or not this assignment should be visible."; visible = mkBoolOpt' true "Whether or not this assignment should be visible.";
domain = mkOpt' (nullOr str) null "Domain for this assignment."; domain = mkOpt' (nullOr str) null "Domain for this assignment.";
mtu = mkOpt' (nullOr ints.unsigned) null "Interface MTU.";
ipv4 = { ipv4 = {
address = mkOpt' net.types.ipv4 null "IPv4 address."; address = mkOpt' net.types.ipv4 null "IPv4 address.";
mask = mkOpt' ints.u8 24 "Network mask."; mask = mkOpt' ints.u8 24 "Network mask.";

3
nixos/installer.nix
View File

@@ -32,7 +32,8 @@
}; };
isoImage = { isoImage = {
isoBaseName = "nixos-installer-devplayer0"; isoBaseName = "jackos-installer";
volumeID = "jackos-${config.system.nixos.release}-${pkgs.stdenv.hostPlatform.uname.processor}";
edition = "devplayer0"; edition = "devplayer0";
appendToMenuLabel = " /dev/player0 Installer"; appendToMenuLabel = " /dev/player0 Installer";
}; };

3
nixos/modules/_list.nix
View File

@@ -17,5 +17,8 @@
gui = ./gui.nix; gui = ./gui.nix;
l2mesh = ./l2mesh.nix; l2mesh = ./l2mesh.nix;
borgthin = ./borgthin.nix; borgthin = ./borgthin.nix;
nvme = ./nvme;
spdk = ./spdk.nix;
librespeed = ./librespeed;
}; };
} }

12
nixos/modules/build.nix
View File

@@ -43,6 +43,16 @@ let
modules = flatten [ modules = flatten [
"${modulesPath}/installer/netboot/netboot.nix" "${modulesPath}/installer/netboot/netboot.nix"
allHardware allHardware
({ pkgs, config, ... }: {
system.build.netbootArchive = pkgs.runCommand "netboot-${config.system.name}-archive.tar" { } ''
${pkgs.gnutar}/bin/tar -rvC "${config.system.build.kernel}" \
-f "$out" "${config.system.boot.loader.kernelFile}"
${pkgs.gnutar}/bin/tar -rvC "${config.system.build.netbootRamdisk}" \
-f "$out" initrd
${pkgs.gnutar}/bin/tar -rvC "${config.system.build.netbootIpxeScript}" \
-f "$out" netboot.ipxe
'';
})
]; ];
}; };
@@ -82,6 +92,7 @@ in
}; };
isoImage = { isoImage = {
isoBaseName = dummyOption; isoBaseName = dummyOption;
volumeID = dummyOption;
edition = dummyOption; edition = dummyOption;
appendToMenuLabel = dummyOption; appendToMenuLabel = dummyOption;
}; };
@@ -99,6 +110,7 @@ in
iso = config.my.asISO.config.system.build.isoImage; iso = config.my.asISO.config.system.build.isoImage;
container = config.my.asContainer.config.system.build.toplevel; container = config.my.asContainer.config.system.build.toplevel;
kexecTree = config.my.asKexecTree.config.system.build.kexecTree; kexecTree = config.my.asKexecTree.config.system.build.kexecTree;
netbootArchive = config.my.asKexecTree.config.system.build.netbootArchive;
}; };
}; };
}; };

10
nixos/modules/common.nix
View File

@@ -1,7 +1,7 @@
{ lib, pkgs, pkgs', inputs, config, ... }: { lib, pkgs, pkgs', inputs, config, ... }:
let let
inherit (lib) mkIf mkDefault mkMerge; inherit (lib) mkIf mkDefault mkMerge;
inherit (lib.my) mkBoolOpt' dummyOption; inherit (lib.my) mkDefault';
in in
{ {
options = with lib.types; { options = with lib.types; {
@@ -121,11 +121,15 @@ in
services.lvm.enable = mkDefault true; services.lvm.enable = mkDefault true;
}; };
}; };
system = {
nixos = {
distroName = mkDefault' "JackOS";
};
};
environment.systemPackages = with pkgs; mkMerge [ environment.systemPackages = with pkgs; mkMerge [
[ [
bash-completion bash-completion
vim
git git
unzip unzip
] ]
@@ -138,6 +142,7 @@ in
fish.enable = mkDefault true; fish.enable = mkDefault true;
# TODO: This is expecting to look up the channel for the database... # TODO: This is expecting to look up the channel for the database...
command-not-found.enable = mkDefault false; command-not-found.enable = mkDefault false;
vim.defaultEditor = true;
}; };
services = { services = {
@@ -151,6 +156,7 @@ in
font-name=SauceCodePro Nerd Font Mono font-name=SauceCodePro Nerd Font Mono
''; '';
}; };
getty.greetingLine = mkDefault' ''<<< Welcome to ${config.system.nixos.distroName} ${config.system.nixos.label} (\m) - \l >>>'';
openssh = { openssh = {
enable = mkDefault true; enable = mkDefault true;

6
nixos/modules/containers.nix
View File

@@ -209,12 +209,16 @@ in
mkdir -p -m 0755 "$root"/sbin "$root"/etc mkdir -p -m 0755 "$root"/sbin "$root"/etc
touch "$root"/etc/os-release touch "$root"/etc/os-release
if [ -e "${containerSystem}"/prepare-root ]; then ${if system == sysProfile then ''
if [ -e "${sysProfile}"/prepare-root ]; then
initSource="${containerSystem}"/prepare-root initSource="${containerSystem}"/prepare-root
else else
initSource="${containerSystem}"/init initSource="${containerSystem}"/init
fi fi
ln -sf "$initSource" "$root"/sbin/init ln -sf "$initSource" "$root"/sbin/init
'' else ''
ln -sf "${containerSystem}/prepare-root" "$root"/sbin/init
''}
''; '';
postStop = postStop =
'' ''

16
nixos/modules/deploy-rs.nix
View File

@@ -15,16 +15,20 @@ let
# Based on https://github.com/serokell/deploy-rs/blob/master/flake.nix # Based on https://github.com/serokell/deploy-rs/blob/master/flake.nix
nixosActivate = cfg': base: (pkgs.deploy-rs.lib.activate.custom // { nixosActivate = cfg': base: (pkgs.deploy-rs.lib.activate.custom // {
dryActivate = "$PROFILE/bin/switch-to-configuration dry-activate"; dryActivate = "$PROFILE/bin/switch-to-configuration dry-activate";
boot = "$PROFILE/bin/switch-to-configuration boot"; boot = ''
$PROFILE/bin/switch-to-configuration boot
${keepGensSnippet "$PROFILE" cfg'.keepGenerations}
'';
}) base.config.system.build.toplevel '' }) base.config.system.build.toplevel ''
# work around https://github.com/NixOS/nixpkgs/issues/73404 # work around https://github.com/NixOS/nixpkgs/issues/73404
cd /tmp cd /tmp
"$PROFILE"/bin/switch-to-configuration ${cfg'.mode} "$PROFILE"/bin/switch-to-configuration switch
# https://github.com/serokell/deploy-rs/issues/31 # https://github.com/serokell/deploy-rs/issues/31
${with base.config.boot.loader; ${with base.config.boot.loader;
optionalString ((cfg'.mode == "switch" || cfg'.mode == "boot") && systemd-boot.enable) optionalString systemd-boot.enable
"sed -i '/^default /d' ${efi.efiSysMountPoint}/loader/loader.conf"} "sed -i '/^default /d' ${efi.efiSysMountPoint}/loader/loader.conf"}
${keepGensSnippet "$PROFILE" cfg'.keepGenerations} ${keepGensSnippet "$PROFILE" cfg'.keepGenerations}
@@ -59,7 +63,11 @@ let
{ {
name = "container-${n}"; name = "container-${n}";
value = { value = {
path = pkgs.deploy-rs.lib.activate.custom ctrConfig.my.buildAs.container '' path = (pkgs.deploy-rs.lib.activate.custom // {
boot = ''
echo "Next systemd-nspawn@${n}.service restart / reload will load config"
'';
}) ctrConfig.my.buildAs.container ''
source ${systemdUtil}/bin/systemd-util.sh source ${systemdUtil}/bin/systemd-util.sh
${if c.hotReload then '' ${if c.hotReload then ''
if (! systemctl show -p ActiveState systemd-nspawn@${n} | grep -q "ActiveState=active") || \ if (! systemctl show -p ActiveState systemd-nspawn@${n} | grep -q "ActiveState=active") || \

2
nixos/modules/firewall.nix
View File

@@ -222,7 +222,7 @@ in
"iifname ${cfg.nat.externalInterface} jump filter-iif-port-forwards"} "iifname ${cfg.nat.externalInterface} jump filter-iif-port-forwards"}
${optionalString ${optionalString
dipForward dipForward
(concatMapStringsSep "\n " (ip: "${ipK ip} daddr ${ip} jump ${natFilterChain ip}") (attrNames cfg.nat.forwardPorts))} (concatMapStringsSep "\n " (ip: "jump ${natFilterChain ip}") (attrNames cfg.nat.forwardPorts))}
} }
} }

76
nixos/modules/librespeed/default.nix Normal file
View File

@@ -0,0 +1,76 @@
{ lib, pkgs, config, ... }:
let
inherit (builtins) toJSON;
inherit (lib) mkOption mkMerge mkIf mkDefault;
inherit (lib.my) mkOpt' mkBoolOpt';
cfg = config.my.librespeed;
serversConf = map (s: s // {
dlURL = "backend/garbage";
ulURL = "backend/empty";
pingURL = "backend/empty";
getIpURL = "backend/getIP";
}) cfg.frontend.servers;
frontendTree = pkgs.runCommand "librespeed-frontend" {
speedtestServers = toJSON serversConf;
} ''
mkdir "$out"
cp "${pkgs.librespeed-go}"/assets/* "$out"/
substitute ${./index.html} "$out"/index.html --subst-var speedtestServers
'';
backendConf = pkgs.writers.writeTOML "librespeed.toml" cfg.backend.settings;
generateBackendSettings = base: dst: if (cfg.backend.extraSettingsFile != null) then ''
oldUmask="$(umask)"
umask 006
cat "${base}" "${cfg.backend.extraSettingsFile}" > "${dst}"
umask "$oldUmask"
'' else ''
cp "${base}" "${dst}"
'';
in
{
options.my.librespeed = with lib.types; {
frontend = {
servers = mkOpt' (listOf (attrsOf unspecified)) { } "Server configs.";
webroot = mkOption {
description = "Frontend webroot.";
type = package;
readOnly = true;
};
};
backend = {
enable = mkBoolOpt' false "Whether to enable librespeed backend.";
settings = mkOpt' (attrsOf unspecified) { } "Backend settings.";
extraSettingsFile = mkOpt' (nullOr str) null "Extra settings file.";
};
};
config = mkMerge [
(mkIf (cfg.frontend.servers != { }) {
my.librespeed.frontend.webroot = frontendTree;
})
(mkIf cfg.backend.enable {
my.librespeed.backend.settings = {
assets_path = frontendTree;
database_type = mkDefault "bolt";
database_file = mkDefault "/var/lib/librespeed-go/speedtest.db";
};
systemd.services.librespeed = {
description = "LibreSpeed Go backend";
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
preStart = generateBackendSettings backendConf "/run/librespeed-go/settings.toml";
serviceConfig = {
ExecStart = "${pkgs.librespeed-go}/bin/speedtest -c /run/librespeed-go/settings.toml";
RuntimeDirectory = "librespeed-go";
StateDirectory = "librespeed-go";
};
wantedBy = [ "multi-user.target" ];
};
})
];
}

491
nixos/modules/librespeed/index.html Normal file
View File

@@ -0,0 +1,491 @@
<!DOCTYPE html>
<html>
<head>
<link rel="shortcut icon" href="favicon.ico">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no, user-scalable=no" />
<meta charset="UTF-8" />
<script type="text/javascript" src="speedtest.js"></script>
<script type="text/javascript">
function I(i){return document.getElementById(i);}
//LIST OF TEST SERVERS. See documentation for details if needed
var SPEEDTEST_SERVERS=@speedtestServers@;
// var SPEEDTEST_SERVERS=[
// { //this server doesn't actually exist, remove it
// name:"Example Server 1", //user friendly name for the server
// server:"//test1.mydomain.com/", //URL to the server. // at the beginning will be replaced with http:// or https:// automatically
// dlURL:"backend/garbage.php", //path to download test on this server (garbage.php or replacement)
// ulURL:"backend/empty.php", //path to upload test on this server (empty.php or replacement)
// pingURL:"backend/empty.php", //path to ping/jitter test on this server (empty.php or replacement)
// getIpURL:"backend/getIP.php" //path to getIP on this server (getIP.php or replacement)
// },
// { //this server doesn't actually exist, remove it
// name:"Example Server 2", //user friendly name for the server
// server:"//test2.example.com/", //URL to the server. // at the beginning will be replaced with http:// or https:// automatically
// dlURL:"garbage.php", //path to download test on this server (garbage.php or replacement)
// ulURL:"empty.php", //path to upload test on this server (empty.php or replacement)
// pingURL:"empty.php", //path to ping/jitter test on this server (empty.php or replacement)
// getIpURL:"getIP.php" //path to getIP on this server (getIP.php or replacement)
// }
// //add other servers here, comma separated
// ];
//INITIALIZE SPEEDTEST
var s=new Speedtest(); //create speed test object
s.setParameter("telemetry_level","basic"); //enable telemetry
//SERVER AUTO SELECTION
function initServers(){
var noServersAvailable=function(){
I("message").innerHTML="No servers available";
}
var runServerSelect=function(){
s.selectServer(function(server){
if(server!=null){ //at least 1 server is available
I("loading").className="hidden"; //hide loading message
//populate server list for manual selection
for(var i=0;i<SPEEDTEST_SERVERS.length;i++){
if(SPEEDTEST_SERVERS[i].pingT==-1) continue;
var option=document.createElement("option");
option.value=i;
option.textContent=SPEEDTEST_SERVERS[i].name;
if(SPEEDTEST_SERVERS[i]===server) option.selected=true;
I("server").appendChild(option);
}
//show test UI
I("testWrapper").className="visible";
initUI();
}else{ //no servers are available, the test cannot proceed
noServersAvailable();
}
});
}
if(typeof SPEEDTEST_SERVERS === "string"){
//need to fetch list of servers from specified URL
s.loadServerList(SPEEDTEST_SERVERS,function(servers){
if(servers==null){ //failed to load server list
noServersAvailable();
}else{ //server list loaded
SPEEDTEST_SERVERS=servers;
runServerSelect();
}
});
}else{
//hardcoded server list
s.addTestPoints(SPEEDTEST_SERVERS);
runServerSelect();
}
}
var meterBk=/Trident.*rv:(\d+\.\d+)/i.test(navigator.userAgent)?"#EAEAEA":"#80808040";
var dlColor="#6060AA",
ulColor="#616161";
var progColor=meterBk;
//CODE FOR GAUGES
function drawMeter(c,amount,bk,fg,progress,prog){
var ctx=c.getContext("2d");
var dp=window.devicePixelRatio||1;
var cw=c.clientWidth*dp, ch=c.clientHeight*dp;
var sizScale=ch*0.0055;
if(c.width==cw&&c.height==ch){
ctx.clearRect(0,0,cw,ch);
}else{
c.width=cw;
c.height=ch;
}
ctx.beginPath();
ctx.strokeStyle=bk;
ctx.lineWidth=12*sizScale;
ctx.arc(c.width/2,c.height-58*sizScale,c.height/1.8-ctx.lineWidth,-Math.PI*1.1,Math.PI*0.1);
ctx.stroke();
ctx.beginPath();
ctx.strokeStyle=fg;
ctx.lineWidth=12*sizScale;
ctx.arc(c.width/2,c.height-58*sizScale,c.height/1.8-ctx.lineWidth,-Math.PI*1.1,amount*Math.PI*1.2-Math.PI*1.1);
ctx.stroke();
if(typeof progress !== "undefined"){
ctx.fillStyle=prog;
ctx.fillRect(c.width*0.3,c.height-16*sizScale,c.width*0.4*progress,4*sizScale);
}
}
function mbpsToAmount(s){
return 1-(1/(Math.pow(1.3,Math.sqrt(s))));
}
function format(d){
d=Number(d);
if(d<10) return d.toFixed(2);
if(d<100) return d.toFixed(1);
return d.toFixed(0);
}
//UI CODE
var uiData=null;
function startStop(){
if(s.getState()==3){
//speed test is running, abort
s.abort();
data=null;
I("startStopBtn").className="";
I("server").disabled=false;
initUI();
}else{
//test is not running, begin
I("startStopBtn").className="running";
I("shareArea").style.display="none";
I("server").disabled=true;
s.onupdate=function(data){
uiData=data;
};
s.onend=function(aborted){
I("startStopBtn").className="";
I("server").disabled=false;
updateUI(true);
if(!aborted){
//if testId is present, show sharing panel, otherwise do nothing
try{
var testId=uiData.testId;
if(testId!=null){
var shareURL=window.location.href.substring(0,window.location.href.lastIndexOf("/"))+"/results/?id="+testId;
I("resultsImg").src=shareURL;
I("resultsURL").value=shareURL;
I("testId").innerHTML=testId;
I("shareArea").style.display="";
}
}catch(e){}
}
};
s.start();
}
}
//this function reads the data sent back by the test and updates the UI
function updateUI(forced){
if(!forced&&s.getState()!=3) return;
if(uiData==null) return;
var status=uiData.testState;
I("ip").textContent=uiData.clientIp;
I("dlText").textContent=(status==1&&uiData.dlStatus==0)?"...":format(uiData.dlStatus);
drawMeter(I("dlMeter"),mbpsToAmount(Number(uiData.dlStatus*(status==1?oscillate():1))),meterBk,dlColor,Number(uiData.dlProgress),progColor);
I("ulText").textContent=(status==3&&uiData.ulStatus==0)?"...":format(uiData.ulStatus);
drawMeter(I("ulMeter"),mbpsToAmount(Number(uiData.ulStatus*(status==3?oscillate():1))),meterBk,ulColor,Number(uiData.ulProgress),progColor);
I("pingText").textContent=format(uiData.pingStatus);
I("jitText").textContent=format(uiData.jitterStatus);
}
function oscillate(){
return 1+0.02*Math.sin(Date.now()/100);
}
//update the UI every frame
window.requestAnimationFrame=window.requestAnimationFrame||window.webkitRequestAnimationFrame||window.mozRequestAnimationFrame||window.msRequestAnimationFrame||(function(callback,element){setTimeout(callback,1000/60);});
function frame(){
requestAnimationFrame(frame);
updateUI();
}
frame(); //start frame loop
//function to (re)initialize UI
function initUI(){
drawMeter(I("dlMeter"),0,meterBk,dlColor,0);
drawMeter(I("ulMeter"),0,meterBk,ulColor,0);
I("dlText").textContent="";
I("ulText").textContent="";
I("pingText").textContent="";
I("jitText").textContent="";
I("ip").textContent="";
}
</script>
<style type="text/css">
html,body{
border:none; padding:0; margin:0;
background:#FFFFFF;
color:#202020;
}
body{
text-align:center;
font-family:"Roboto",sans-serif;
}
h1{
color:#404040;
}
#loading{
background-color:#FFFFFF;
color:#404040;
text-align:center;
}
span.loadCircle{
display:inline-block;
width:2em;
height:2em;
vertical-align:middle;
background:url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAMAAAD04JH5AAAAP1BMVEUAAAB2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZyFzwnAAAAFHRSTlMAEvRFvX406baecwbf0casimhSHyiwmqgAAADpSURBVHja7dbJbQMxAENRahnN5lkc//5rDRAkDeRgHszXgACJoKiIiIiIiIiIiIiIiIiIiIj4HHspsrpAVhdVVguzrA4OWc10WcEqpwKbnBo0OU1Q5NSpsoJFTgOecrrdEag85DRgktNqfoEdTjnd7hrEHMEJvmRUYJbTYk5Agy6nau6Abp5Cm7mDBtRdPi9gyKdU7w4p1fsLvyqs8hl4z9/w3n/Hmr9WoQ65lAU4d7lMYOz//QboRR5jBZibLMZdAR6O/Vfa1PlxNr3XdS3HzK/HVPRu/KnLs8iAOh993VpRRERERMT/fAN60wwWaVyWwAAAAABJRU5ErkJggg==');
background-size:2em 2em;
margin-right:0.5em;
animation: spin 0.6s linear infinite;
}
@keyframes spin{
0%{transform:rotate(0deg);}
100%{transform:rotate(359deg);}
}
#startStopBtn{
display:inline-block;
margin:0 auto;
color:#6060AA;
background-color:rgba(0,0,0,0);
border:0.15em solid #6060FF;
border-radius:0.3em;
transition:all 0.3s;
box-sizing:border-box;
width:8em; height:3em;
line-height:2.7em;
cursor:pointer;
box-shadow: 0 0 0 rgba(0,0,0,0.1), inset 0 0 0 rgba(0,0,0,0.1);
}
#startStopBtn:hover{
box-shadow: 0 0 2em rgba(0,0,0,0.1), inset 0 0 1em rgba(0,0,0,0.1);
}
#startStopBtn.running{
background-color:#FF3030;
border-color:#FF6060;
color:#FFFFFF;
}
#startStopBtn:before{
content:"Start";
}
#startStopBtn.running:before{
content:"Abort";
}
#serverArea{
margin-top:1em;
}
#server{
font-size:1em;
padding:0.2em;
}
#test{
margin-top:2em;
margin-bottom:12em;
}
div.testArea{
display:inline-block;
width:16em;
height:12.5em;
position:relative;
box-sizing:border-box;
}
div.testArea2{
display:inline-block;
width:14em;
height:7em;
position:relative;
box-sizing:border-box;
text-align:center;
}
div.testArea div.testName{
position:absolute;
top:0.1em; left:0;
width:100%;
font-size:1.4em;
z-index:9;
}
div.testArea2 div.testName{
display:block;
text-align:center;
font-size:1.4em;
}
div.testArea div.meterText{
position:absolute;
bottom:1.55em; left:0;
width:100%;
font-size:2.5em;
z-index:9;
}
div.testArea2 div.meterText{
display:inline-block;
font-size:2.5em;
}
div.meterText:empty:before{
content:"0.00";
}
div.testArea div.unit{
position:absolute;
bottom:2em; left:0;
width:100%;
z-index:9;
}
div.testArea2 div.unit{
display:inline-block;
}
div.testArea canvas{
position:absolute;
top:0; left:0; width:100%; height:100%;
z-index:1;
}
div.testGroup{
display:block;
margin: 0 auto;
}
#shareArea{
width:95%;
max-width:40em;
margin:0 auto;
margin-top:2em;
}
#shareArea > *{
display:block;
width:100%;
height:auto;
margin: 0.25em 0;
}
#privacyPolicy{
position:fixed;
top:2em;
bottom:2em;
left:2em;
right:2em;
overflow-y:auto;
width:auto;
height:auto;
box-shadow:0 0 3em 1em #000000;
z-index:999999;
text-align:left;
background-color:#FFFFFF;
padding:1em;
}
a.privacy{
text-align:center;
font-size:0.8em;
color:#808080;
padding: 0 3em;
}
div.closePrivacyPolicy {
width: 100%;
text-align: center;
}
div.closePrivacyPolicy a.privacy {
padding: 1em 3em;
}
@media all and (max-width:40em){
body{
font-size:0.8em;
}
}
div.visible{
animation: fadeIn 0.4s;
display:block;
}
div.hidden{
animation: fadeOut 0.4s;
display:none;
}
@keyframes fadeIn{
0%{
opacity:0;
}
100%{
opacity:1;
}
}
@keyframes fadeOut{
0%{
display:block;
opacity:1;
}
100%{
display:block;
opacity:0;
}
}
</style>
<title>/dev/player0's speedtest</title>
</head>
<body onload="initServers()">
<h1>/dev/player0's speedtest</h1>
<div id="loading" class="visible">
<p id="message"><span class="loadCircle"></span>Selecting a server...</p>
</div>
<div id="testWrapper" class="hidden">
<div id="startStopBtn" onclick="startStop()"></div><br/>
<a class="privacy" href="#" onclick="I('privacyPolicy').style.display=''">Privacy</a>
<div id="serverArea">
Server: <select id="server" onchange="s.setSelectedServer(SPEEDTEST_SERVERS[this.value])"></select>
</div>
<div id="test">
<div class="testGroup">
<div class="testArea2">
<div class="testName">Ping</div>
<div id="pingText" class="meterText" style="color:#AA6060"></div>
<div class="unit">ms</div>
</div>
<div class="testArea2">
<div class="testName">Jitter</div>
<div id="jitText" class="meterText" style="color:#AA6060"></div>
<div class="unit">ms</div>
</div>
</div>
<div class="testGroup">
<div class="testArea">
<div class="testName">Download</div>
<canvas id="dlMeter" class="meter"></canvas>
<div id="dlText" class="meterText"></div>
<div class="unit">Mbit/s</div>
</div>
<div class="testArea">
<div class="testName">Upload</div>
<canvas id="ulMeter" class="meter"></canvas>
<div id="ulText" class="meterText"></div>
<div class="unit">Mbit/s</div>
</div>
</div>
<div id="ipArea">
<span id="ip"></span>
</div>
<div id="shareArea" style="display:none">
<h3>Share results</h3>
<p>Test ID: <span id="testId"></span></p>
<input type="text" value="" id="resultsURL" readonly="readonly" onclick="this.select();this.focus();this.select();document.execCommand('copy');alert('Link copied')"/>
<img src="" id="resultsImg" />
</div>
</div>
<a href="https://github.com/librespeed/speedtest">Source code</a>
</div>
<div id="privacyPolicy" style="display:none">
<h2>Privacy Policy</h2>
<p>This HTML5 speed test server is configured with telemetry enabled.</p>
<h4>What data we collect</h4>
<p>
At the end of the test, the following data is collected and stored:
<ul>
<li>Test ID</li>
<li>Time of testing</li>
<li>Test results (download and upload speed, ping and jitter)</li>
<li>IP address</li>
<li>ISP information</li>
<li>Approximate location (inferred from IP address, not GPS)</li>
<li>User agent and browser locale</li>
<li>Test log (contains no personal information)</li>
</ul>
</p>
<h4>How we use the data</h4>
<p>
Data collected through this service is used to:
<ul>
<li>Allow sharing of test results (sharable image for forums, etc.)</li>
<li>To improve the service offered to you (for instance, to detect problems on our side)</li>
</ul>
No personal information is disclosed to third parties.
</p>
<h4>Your consent</h4>
<p>
By starting the test, you consent to the terms of this privacy policy.
</p>
<h4>Data removal</h4>
<p>
If you want to have your information deleted, you need to provide either the ID of the test or your IP address. This is the only way to identify your data, without this information we won't be able to comply with your request.<br/><br/>
Contact this email address for all deletion requests: <a href="mailto:dev@nul.ie">dev@nul.ie</a>.
</p>
<br/><br/>
<div class="closePrivacyPolicy">
<a class="privacy" href="#" onclick="I('privacyPolicy').style.display='none'">Close</a>
</div>
<br/>
</div>
</body>
</html>

58
nixos/modules/nvme/default.nix Normal file
View File

@@ -0,0 +1,58 @@
{ lib, pkgs, config, ... }:
let
inherit (lib) mkIf;
inherit (lib.my) mkOpt';
cfg = config.my.nvme;
nvme-cli = pkgs.nvme-cli.override {
libnvme = pkgs.libnvme.overrideAttrs (o: {
patches = o.patches ++ [ ./libnvme-hostconf.patch ];
});
};
hostNQN = "nqn.2014-08.org.nvmexpress:uuid:${cfg.uuid}";
etc = prefix: {
"${prefix}nvme/hostnqn".text = hostNQN;
"${prefix}nvme/hostid".text = cfg.uuid;
};
in
{
options.my.nvme = with lib.types; {
uuid = mkOpt' (nullOr str) null "NVMe host ID";
boot = {
nqn = mkOpt' (nullOr str) null "NQN to connect to on boot";
address = mkOpt' str null "Address of NVMe-oF target.";
};
};
config = mkIf (cfg.uuid != null) {
environment = {
systemPackages = [
nvme-cli
];
etc = etc "";
};
boot.initrd.systemd = mkIf (cfg.boot.nqn != null) {
contents = etc "/etc/";
extraBin.nvme = "${nvme-cli}/bin/nvme";
services.connect-nvme = {
description = "Connect NVMe-oF";
before = [ "initrd-root-device.target" ];
after = [ "systemd-networkd-wait-online.service" ];
requires = [ "systemd-networkd-wait-online.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${nvme-cli}/bin/nvme connect -t rdma -a ${cfg.boot.address} -n ${cfg.boot.nqn}";
Restart = "on-failure";
RestartSec = 10;
};
wantedBy = [ "initrd-root-device.target" ];
};
};
};
}

15
nixos/modules/nvme/libnvme-hostconf.patch Normal file
View File

@@ -0,0 +1,15 @@
diff --git a/src/nvme/fabrics.c b/src/nvme/fabrics.c
index 21fb292..f9090d1 100644
--- a/src/nvme/fabrics.c
+++ b/src/nvme/fabrics.c
@@ -41,8 +41,8 @@
#define NVMF_HOSTID_SIZE 37
-#define NVMF_HOSTNQN_FILE SYSCONFDIR "/nvme/hostnqn"
-#define NVMF_HOSTID_FILE SYSCONFDIR "/nvme/hostid"
+#define NVMF_HOSTNQN_FILE "/etc/nvme/hostnqn"
+#define NVMF_HOSTID_FILE "/etc/nvme/hostid"
const char *nvmf_dev = "/dev/nvme-fabrics";

3
nixos/modules/pdns.nix
View File

@@ -268,6 +268,9 @@ in
# For pdns_control etc # For pdns_control etc
systemPackages = with pkgs; [ systemPackages = with pkgs; [
pdns pdns
(pkgs.writeShellScriptBin "pu" ''
${pdns}/bin/pdnsutil --config-dir /run/pdns "$@"
'')
pdns-file-record pdns-file-record
]; ];

94
nixos/modules/spdk.nix Normal file
View File

@@ -0,0 +1,94 @@
{ lib, pkgs, config, ... }:
let
inherit (builtins) toJSON;
inherit (lib) optional optionalAttrs mapAttrsToList mkIf withFeature;
inherit (lib.my) mkOpt' mkBoolOpt';
rpcOpts = with lib.types; {
options = {
method = mkOpt' str null "RPC method name.";
params = mkOpt' (attrsOf unspecified) { } "RPC params";
};
};
cfg = config.my.spdk;
config' = {
subsystems = mapAttrsToList (subsystem: c: {
inherit subsystem;
config = map (rpc: {
inherit (rpc) method;
} // (optionalAttrs (rpc.params != { }) { inherit (rpc) params; })) c;
}) cfg.config.subsystems;
};
configJSON = pkgs.writeText "spdk-config.json" (toJSON config');
spdk = pkgs.spdk.overrideAttrs (o: {
configureFlags = o.configureFlags ++ (map (withFeature true) [ "rdma" "ublk" ]);
buildInputs = o.buildInputs ++ (with pkgs; [ liburing ]);
});
spdk-rpc = (pkgs.writeShellScriptBin "spdk-rpc" ''
exec ${pkgs.python3}/bin/python3 ${spdk.src}/scripts/rpc.py "$@"
'');
spdk-setup = (pkgs.writeShellScriptBin "spdk-setup" ''
exec ${spdk.src}/scripts/setup.sh "$@"
'');
spdk-debug = pkgs.writeShellApplication {
name = "spdk-debug";
runtimeInputs = [ spdk ];
text = ''
set -m
if [ "$(id -u)" -ne 0 ]; then
echo "I need to be root!"
exit 1
fi
spdk_tgt ${cfg.extraArgs} --wait-for-rpc &
until spdk-rpc spdk_get_version > /dev/null; do
sleep 0.5
done
spdk-rpc bdev_set_options --disable-auto-examine
spdk-rpc framework_start_init
${cfg.debugCommands}
fg %1
'';
};
in
{
options.my.spdk = with lib.types; {
enable = mkBoolOpt' false "Whether to enable SPDK target.";
extraArgs = mkOpt' str "" "Extra arguments to pass to spdk_tgt.";
debugCommands = mkOpt' lines "" "Commands to run with the spdk-debug script.";
config.subsystems = mkOpt' (attrsOf (listOf (submodule rpcOpts))) { } "Subsystem config / RPCs.";
};
config = mkIf cfg.enable {
boot.kernelModules = [ "ublk_drv" ];
environment.systemPackages = [
spdk
spdk-setup
spdk-rpc
] ++ (optional (cfg.debugCommands != "") spdk-debug);
systemd.services = {
spdk-tgt = {
description = "SPDK target";
path = with pkgs; [
bash
python3
kmod
gawk
util-linux
];
serviceConfig = {
ExecStartPre = "${spdk.src}/scripts/setup.sh";
ExecStart = "${spdk}/bin/spdk_tgt ${cfg.extraArgs} -c ${configJSON}";
};
wantedBy = [ "multi-user.target" ];
};
};
};
}

26
nixos/modules/tmproot.nix
View File

@@ -466,6 +466,32 @@ in
(mkIf config.virtualisation.libvirtd.enable { (mkIf config.virtualisation.libvirtd.enable {
my.tmproot.persistence.config.directories = [ "/var/lib/libvirt" ]; my.tmproot.persistence.config.directories = [ "/var/lib/libvirt" ];
}) })
(mkIf (with config.services.kea; (dhcp4.enable || dhcp6.enable || dhcp-ddns.enable)) {
my.tmproot.persistence.config.directories = [
{
directory = "/var/lib/kea";
mode = "0750";
user = "kea";
group = "kea";
}
];
})
(persistSimpleSvc "headscale")
(mkIf config.services.tailscale.enable {
my.tmproot.persistence.config.directories = [ "/var/lib/tailscale" ];
})
(mkIf config.my.librespeed.backend.enable {
my.tmproot.persistence.config.directories = [ "/var/lib/librespeed-go" ];
})
(mkIf config.services.hedgedoc.enable {
my.tmproot.persistence.config.directories = [
{
directory = "/var/lib/hedgedoc";
user = "hedgedoc";
group = "hedgedoc";
}
];
})
])) ]))
]); ]);

4
nixos/modules/user.nix
View File

@@ -37,7 +37,9 @@ in
extraGroups = extraGroups =
[ "wheel" "kvm" "dialout" ] ++ [ "wheel" "kvm" "dialout" ] ++
(optional config.networking.networkmanager.enable "networkmanager") ++ (optional config.networking.networkmanager.enable "networkmanager") ++
(optional config.virtualisation.libvirtd.enable "libvirtd"); (optional config.virtualisation.libvirtd.enable "libvirtd") ++
(optional config.programs.wireshark.enable "wireshark") ++
(with config.services.headscale; (optional enable group));
password = mkIf (cfg.passwordSecret == null) (mkDefault "hunter2"); password = mkIf (cfg.passwordSecret == null) (mkDefault "hunter2");
shell = shell =
let shell = cfg.homeConfig.my.shell; let shell = cfg.homeConfig.my.shell;

17
nixos/modules/vms.nix
View File

@@ -116,7 +116,7 @@ let
}); });
default = { }; default = { };
}; };
drives = mkOpt' (listOf (submodule driveOpts)) { } "Drives to attach to VM."; drives = mkOpt' (listOf (submodule driveOpts)) [ ] "Drives to attach to VM.";
hostDevices = mkOpt' (attrsOf (submodule hostDevOpts)) { } "Host PCI devices to pass to the VM."; hostDevices = mkOpt' (attrsOf (submodule hostDevOpts)) { } "Host PCI devices to pass to the VM.";
}; };
}; };
@@ -126,8 +126,8 @@ let
(map (map
(i: mapAttrsToList (name: c: c // { inherit name; }) i.hostDevices) (i: mapAttrsToList (name: c: c // { inherit name; }) i.hostDevices)
(attrValues cfg.instances)); (attrValues cfg.instances));
anyVfioDevs = any (d: d.bindVFIO) allHostDevs; anyVfioDevs = any (d: d.bindVFIO);
vfioHostDevs = filter (d: d.bindVFIO) allHostDevs; vfioHostDevs = filter (d: d.bindVFIO);
mkQemuScript = n: i: mkQemuScript = n: i:
let let
@@ -204,7 +204,7 @@ in
services.udev = { services.udev = {
packages = packages =
optionals optionals
anyVfioDevs (anyVfioDevs allHostDevs)
[ [
pkgs.vfio-pci-bind pkgs.vfio-pci-bind
(pkgs.writeTextDir (pkgs.writeTextDir
@@ -212,7 +212,7 @@ in
(concatMapStringsSep (concatMapStringsSep
"\n" "\n"
(d: ''ACTION=="add", SUBSYSTEM=="pci", KERNEL=="0000:${d.hostBDF}", TAG="vfio-pci-bind"'') (d: ''ACTION=="add", SUBSYSTEM=="pci", KERNEL=="0000:${d.hostBDF}", TAG="vfio-pci-bind"'')
vfioHostDevs)) (vfioHostDevs allHostDevs)))
]; ];
}; };
@@ -261,12 +261,15 @@ in
}; };
preStart = preStart =
let
hostDevs = attrValues i.hostDevices;
in
'' ''
if [ ! -e "$STATE_DIRECTORY"/ovmf_vars.bin ]; then if [ ! -e "$STATE_DIRECTORY"/ovmf_vars.bin ]; then
cp "${cfg.ovmfPackage.fd}"/FV/OVMF_VARS.fd "$STATE_DIRECTORY"/ovmf_vars.bin cp "${cfg.ovmfPackage.fd}"/FV/OVMF_VARS.fd "$STATE_DIRECTORY"/ovmf_vars.bin
fi fi
${optionalString anyVfioDevs '' ${optionalString (anyVfioDevs hostDevs) ''
iommu_group() { iommu_group() {
g=/sys/bus/pci/devices/0000:$1/iommu_group g=/sys/bus/pci/devices/0000:$1/iommu_group
until [ -e $g ]; do until [ -e $g ]; do
@@ -280,7 +283,7 @@ in
done done
} }
${concatMapStringsSep "\n" (d: "wait_vfio ${d.hostBDF}") vfioHostDevs} ${concatMapStringsSep "\n" (d: "wait_vfio ${d.hostBDF}") (vfioHostDevs hostDevs) }
''} ''}
''; '';
script = mkQemuScript n i; script = mkQemuScript n i;

2
pkgs/default.nix
View File

@@ -6,4 +6,6 @@ in
# yeah turns out this is in nixpkgs now... we'll leave it as a sample i guess lol # yeah turns out this is in nixpkgs now... we'll leave it as a sample i guess lol
monocraft' = callPackage ./monocraft.nix { }; monocraft' = callPackage ./monocraft.nix { };
vfio-pci-bind = callPackage ./vfio-pci-bind.nix { }; vfio-pci-bind = callPackage ./vfio-pci-bind.nix { };
librespeed-go = callPackage ./librespeed-go.nix { };
modrinth-app = callPackage ./modrinth-app { };
} }

26
pkgs/librespeed-go.nix Normal file
View File

@@ -0,0 +1,26 @@
{ lib, fetchFromGitHub, buildGoModule, ... }:
let
webSrc = fetchFromGitHub {
owner = "librespeed";
repo = "speedtest";
rev = "5.3.0";
hash = "sha256-OgKGLQcfWX/sBLzaHI6TcJHxX1Wol6K7obLf0+CHrC8=";
};
in
buildGoModule rec {
pname = "librespeed-go";
version = "1.1.5";
src = fetchFromGitHub {
owner = "librespeed";
repo = "speedtest-go";
rev = "v${version}";
hash = "sha256-ywGrodl/mj/WB25F0TKVvaV0PV4lgc+KEj0x/ix9HT8=";
};
vendorHash = "sha256-ev5TEv8u+tx7xIvNaK8b5iq2XXF6I37Fnrr8mb+N2WM=";
postInstall = ''
mkdir -p "$out"/assets
cp "${webSrc}"/{speedtest.js,speedtest_worker.js,favicon.ico} "$out"/assets/
'';
}

6239
pkgs/modrinth-app/Cargo.lock generated Normal file
View File

File diff suppressed because it is too large Load Diff

97
pkgs/modrinth-app/default.nix Normal file
View File

@@ -0,0 +1,97 @@
{ lib
, fetchFromGitHub
, rustPlatform
, pkg-config
, openssl
, libsoup
, dbus
, glib
, glib-networking
, gtk3
, webkitgtk
, libayatana-appindicator
, librsvg
, wrapGAppsHook
, stdenvNoCC
, jq
, moreutils
, nodePackages
, cacert
}:
rustPlatform.buildRustPackage rec {
pname = "modrinth-app";
version = "0.6.3";
src = fetchFromGitHub {
owner = "modrinth";
repo = "theseus";
rev = "v${version}";
hash = "sha256-gFQXcTqHgSKfne6+v837ENXYYiEYu/Yks9TpnfBCPnA=";
};
cargoLock = {
lockFile = ./Cargo.lock;
outputHashes = {
"tauri-plugin-single-instance-0.0.0" = "sha256-G4h2OXKPpZMmradutdUWxGG5axL9XMz2ACAe8AQ40eg=";
};
};
nativeBuildInputs = [
pkg-config
nodePackages.pnpm
wrapGAppsHook
];
buildInputs = [
openssl
libsoup
dbus
glib
glib-networking
gtk3
webkitgtk
libayatana-appindicator
librsvg
];
pnpm-deps = stdenvNoCC.mkDerivation {
pname = "${pname}-pnpm-deps";
inherit src version;
sourceRoot = "${src.name}/theseus_gui";
nativeBuildInputs = [
jq
moreutils
nodePackages.pnpm
cacert
];
installPhase = ''
export HOME=$(mktemp -d)
pnpm config set store-dir $out
pnpm install --ignore-scripts
# Remove timestamp and sort the json files
rm -rf $out/v3/tmp
for f in $(find $out -name "*.json"); do
sed -i -E -e 's/"checkedAt":[0-9]+,//g' $f
jq --sort-keys . $f | sponge $f
done
'';
dontFixup = true;
outputHashMode = "recursive";
outputHash = "sha256-9HtTdIotG3sNIlWhd76v7Ia6P69ufp/FFqZfINXSkVc=";
};
preBuild = ''
cd theseus_gui
export HOME=$(mktemp -d)
pnpm config set store-dir ${pnpm-deps}
pnpm install --ignore-scripts --offline
chmod -R +w node_modules
pnpm rebuild
pnpm build
cd ..
'';
}

10
secrets/britway/bgp-password-vultr.conf.age Normal file
View File

@@ -0,0 +1,10 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBJYzdr
b1d2aEtVd3lVb3NBamRwVFpTaTRjZFlCczk4MVIwQUoxWklwN0NrCmFFekpPYUlO
YlgvVlQ2WDR6amZDN0ZSY0Q3WWtTME5pUmhQeks1c3dGOVUKLT4gWDI1NTE5IHVK
bUZvUVAvL0NmQzFkY3BuYm1wMjcwbFpLRUNpZjJCaW15SEVDUDV0REkKRXFMQ2d1
NlFBejBvTlJrcUtCYWZxSDBkbmxIdExBNTU0aC8zRW5OVWllVQotPiBDLWdyZWFz
ZSBkeC4oTFUgO0FtJG9+RyB2IF1QXGhxVwpJS213MXBRMWY1cXlHZwotLS0gRUF2
ZkswNlhvcDhTc2tybCs1dldwa2l6SDZZVmNkNUNjNGlkV1ZVa09pOAp88dxHGxVU
vuFQO6JcroY9MF5Te/YV+wMc3hVxksibMnH1TWGh207prwcOWNOEz2iEkZY=
-----END AGE ENCRYPTED FILE-----

15
secrets/britway/cloudflare-credentials.conf.age Normal file
View File

@@ -0,0 +1,15 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBLVlg2
ZUdtUlFUQXBLT3B5YmkycWJnMXJyKzltbyt6K2dJK1RBUm5ydWwwCmRUdjJFSEYz
Wnp4cGtzTXZwc0s0SUJQUjRlOUJlQUoyQ3BETXZmY0ppWG8KLT4gWDI1NTE5IGR5
QUJzeG1DQTRLUmRwNnNSRUJRSFFtUDl5VjB0clVLYUp3R1g4TEVKaTgKb09tVlhF
R0tmcmIxMHVHcG80RGxRTEhBcngvT3MrdnNPbmpCTlRyZW5xQQotPiA6RzEtZ3Jl
YXNlCldSUlN2ejB0MGpyUHYzNS9OQmJTK3MvcXRDakdBVlhuUEt6SFE4QmhnWVN0
V1JMOE1oaEp5QQotLS0gYW1OMTcxNWJrUndmR2h0ZmRDWk5CYnJjc29pSERUMnNk
d2VhTGdpOW4yUQrEeH2E9m0YycuW60QrdlRetO1kNU5FaKXRQt46iA9lACIWD4rC
Cx6WxhCBgz3hvm9x6iuYiiQxZzgJNK7qXcV2MBeQdivazeEbC7blAKVPhwD/dl+b
PzBDXRXG3c3jMjeZFT69fIBGJfZrrLGKpTALVE4dTVXmQmVVQDTp19IC+jUXHBti
Pj6Dpc7452s8zPkzZyRbasO9b4PYTwq8IHT6X7ITwbzZZm8gexDYe2SzRZ5VcPz3
El+yoULZ92WbXPSQIP/Slx4BEZjmsQS+sm0N8AnBRNZkWVbHPF9IZRg3VjDAn2i8
F3un5js=
-----END AGE ENCRYPTED FILE-----

13
secrets/britway/oidc-secret.txt.age Normal file
View File

@@ -0,0 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyAyMWox
cEFDWWUrVzJSM1o2azJqei9HV2xFY25oQXV5SzM3akxEaUJiN1J3CjkrQVhjWHY5
Uk01eGp5Q0RKNVREVXJVZytndTM0SXNZSGIvUVp1TnRiNXMKLT4gWDI1NTE5IFZn
WjAyR1RMajEyMnFSYnNGT2EyekROVWNoakFJQVZxaFc0YThOMHVyanMKWldrdlAv
cVg0OTFHL2loeGJ3RHA0MnlnckN3czF4RUgyc1NjYXVOSXF5cwotPiBvTFQtZ3Jl
YXNlIDRsSDp6eikgT1ojIGEzOFZMIFc3MUZGCkttZ3ZLNGxucnlJc01kRXFZTGpC
eCsvRzl5WnFUMUIyTWNVWGk4SjQyN3V0bXQ4VzFuM1RjSzVMcDJkaW1JYXMKQkE4
YWI1Mmg3MkpjdVpVYWJkczJQMnM1SVMvNkZhOXBDVEZPCi0tLSB3SVIyU3M5RHBE
VFRtMFU4OUFLbkNjbkJmVmhlc2VsYzdsd0pFaFkrUmkwCs+h2KlXoyZ8U++A9wmV
kh4N2YyI/a84yPGDNoFdSlXaU8jxUzolnadImXSXyB4CroqQLvGEbkZZlWqPLVfh
Iav7Ja8=
-----END AGE ENCRYPTED FILE-----

21
secrets/chatterbox/nul.ie.signing.key.age
View File

@@ -1,12 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USBnMUZn YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USB2WFY2
YTE4djNQaktTcDRxZGNPM0RjVUJRTUE4cUhraTRSUUxPUnJ2WXhZCjZ5ajk0K2lS MzFnVFYvb0wzc3grRDBrUi9teW1tNmx5dVBIRVc5OUdlcjdvTDJFCmpJL2tlYXND
eUN1Yk1ydGxaOHErWHVNWUxaUW5hMnBBanppR2owdnRPYWsKLT4gWDI1NTE5IGlM bVJKbzd2S3JkSFVMdG40MS84V0lPTVJSNHVBQlNXSkN1eTAKLT4gWDI1NTE5IFBM
T014WmFiY3BtRzhLV1NFaTJMNnZwTkVVUUpnVjZ6OFBGNzFCUm54azAKTm9uTVow ZGo3L2VlNUZqOEE1UHBuMHdqc1pyYlQ3R29ucE9pajU0bHMzamlXRDAKcG1Qdmw2
b1lVN0RUMkZVS3grYUljRXprdzgrcWExekFiUU1wYnBEdk1tawotPiBOYTMtZ3Jl cUlncDFWNXBOWnpIeDNZSFA3d1E1bjNaVVpKU3lMRjRaSHNtMAotPiB2XUh8eF4t
YXNlCkxEMnBPK1AyTFI5ME0vaUFUVURoTG9ncEFtYWNzdTRlRU1XN04xajd0bUVL Z3JlYXNlICUrO0cxIH4gaTRoIF81SEpTN0Q5CnpWdEZpb1hZa2t5YkE5RnJFMHVZ
dUFpdmg5Yno3R2FVSDdHVnlYYWsKTGJzcEFIZEVZc2JsT0FtNWVzK3FURW80TjNj WkhkQ2o0eWtyOE9ueDJkeGd2aUhmLzRUUGs1aUc1NURIOTYxczZhOEVmT0EKd2xk
Ci0tLSA2VWVtOVhoaFV6R3BDRzgzWW1BOEdXVVpMZ3psRzRzcGVuZ0I5VjRRZE84 TXFHN051d25PQmtNUVZkVEFGUVliZjdmZDF3RWFkaEhNTzd3ZVd5N3dlNzQKLS0t
Cql55Kzze8L84kGF3UKci3jcPIm0iRFAFZOrhEKhGAS5lS4XIQz7dLR2/hCn7GeV IGZDR1Mxd24zOW05bitzQnN5WWVOOGtCNEc5aXIraEF4eXFUQm5CZUdCV2MKd44C
d7DZ/I2gZiHvssWIoTnex+BR1RxaJ2cjXN40FfEWc8EdXyXZwkEySyKxDAo= /Trgg0OEZ89/jqbj56z/Hia1Ka3ZsEv6bXPI/kcRvFDBFTgtvG3KWCgMBtTUHXzY
TKBPoQqrUf7plH7a/mTx3KR+4Y+yF+1i86s7TzYjD8d1xfFH3BsVtg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

56
secrets/chatterbox/synapse.yaml.age
View File

@@ -1,30 +1,30 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USBpZE1S YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USBuQjBY
VDd3aUdWTVIyKzRXMnYxODJyTmlqdTNCdUNSL2o5VHN5cVFFQXd3CnRjZEs3NUNk K1ZTUzR0SmFoYUZLdzUzNUt2M1B4RFdPZzFkcW8rMWJLUjVHOUN3Cjd3ZHdMSzdp
MjZDTEllT0V1VW13TFJCaEl4K0hRNWNCeWlZSXVCVHBLWGcKLT4gWDI1NTE5IExv OWswditVWUhYNjZCdjV6M1d6U3pNak5hUlZjTHNqSkZPSk0KLT4gWDI1NTE5IGNG
Nml0dWRlMDM1d1JudnYwempFaXovZVZMYnQ3QzRFVnBoc3Rocm1hRDgKdlVqTXBB ZytHazJQWTExMjNkZWV2aDUwcnZjUGcwcXRkZWl0M0F2R2JpUVlJekUKWTFlbkEz
RC82cUkvd1ZEU2N0Z3lFV2FyOFRWaWFRNitBd3Z0aG5sdkwzYwotPiA2NzNvTS1n YlN6dkgrMmFFcmlZMjQ0b2oySjlEMC85cUF5QlA4NGF3blBKRQotPiA8M1hbWS1n
cmVhc2UgI0xTdSEhIHFwXT1nICkhbAovWitTSSszVmgzTjMzR01qbEk4Nm1CSFUz cmVhc2UgOmlZJFYmJgo3UExzUHhSVi9lbVRjNW4xTnVaUTVGSGVDNzRUNlJ2TnVu
amUxZkthL1VYM09FQnZDRy9vZmxxVXhpYTJBdlpqSHIyMHRZczBKCmFoaWVaSk5G U0wrWU5kd3dyR2phcUNVUHJCYjdzeWhjNVFOV011CmZMOVN0WDk5eUg3ajhwbStQ
L0dabE5KQWpjanc1MThXVGpFZ1oxd3IybkJlNEpmWnBoWDFNVXM0eFExN0ZHUWNI aHExT0EwblpreTBXVHh6Zk1HRkhzcmFQNnoyVUlaeStMUkgKLS0tIG1aY3Zadko3
VHprZUZ3Ci0tLSBXL1ptR001MjB2NUxGQzYwUFRsTElTZUk1di9UNERKQUFTNExE V3pDMGswSDZCeit4SVhSRCsrZVRVZVkvQkNsQWN1MXFMUGcKcK74YULWqWw9VvkI
cHJWZXdRClEedBLfmm36+AnKXAe/Ll9awAi6q0eS3m5W+8L8Fry9EWybLRkOIyuy NH38VHfDPW5ueSiyHHKn8MI9YosPr/TmkwgKd/DOIMVB74ahPalo1QUeg+eaBVnq
PapzCN03M4oPAVpzbdWqO3HGHYY9lafZSlKx8fpZ4ponbt9fQOeruYqcljtX5Dq0 Uncsbx5ecW3JswthkAhiktWHcdHmioGD6hCcgbWtfA3VvbAYc2gtAF2plfDVH6BD
3yXfrFeDhwB2FXCpFoa9ZQgn9rip6B7GtNGCIxbAXpggVZhKtBpxNFDRE0h7Z3Rs c8veai3B15ZmDmq3b62sgVA9JUgbFaB1eRqcaPXmNgQJR4c8J+CZWXGQ/TKMqtAg
+PAES0QSk1tA/CnZTyuG1EVA73jxKCIJyRK6UfBMOqIJnsJPQ6Arc4DMvY0vQ3Oz chCDuczjLX8IxhMPF1gdCggSt5GtMhY47fpZJRbBUw01l8koqjm63KvEeg2ejFGU
WQBXeZvPt1hyMUzscLaOWQX/n8clrwflmVaVLAghZx/vReXuZqHWhC4nTPxTwEyh +tXonI4jm2JUxlDTqmNSrVpmAgtPoEPszHc+GsnyNjAz4IXMm5UrQAZyDPgxtwQW
yp9+JjmXEjWxKxdxhu1JIjauKo13E9r5wpqhPi5kjzYVFGWZA1g+sBA+oIg9hQFm ZAn0IdOB8rSL/AnRGUpPrecuauINQjONe8CapijjJPQK7g1AHscfxr+OJD1j2eV3
AYPbpJLufiGo/8Q98xOOLljCydWUh7BQVT8A4mDT2TgE6WTCIMiYByZvpOZWtOEF O6TNlz8vKW4t/V7CUf46ykxxExhA0mKJ53ksaXy2+HWoro2+c4nao/bEld5gt08U
j5gNXNYR0BVLgLnxKHFGhJbtxWVQyK6FcGkyKI/45szjWPFymb9561sMHoGQUbYX uCpJtjPKB64X6vdzbY21/l87VRDyxbb3poENfrXlawqS0Z7i2gAbHN5EuiMv+35o
S0iofDcvYYzAh0d20CsrKJYne7IY5SLVPiH0jaLDQbGldyaS+qDwJQVZ2I9hgpLc sBaR0BfcbTn6VagC3i8HEEOO964FrW65pkqmGJcJMgUdcZSl+Y7gHMjWyodqGPOY
i/swzvoTheecWfSpXdQNMIeGbWDnIBmKGOAZnNKu5U7G9eGqMg82u/zTzy5D+9aX evT6xj4iyeM49vXynV2vrJRu5rr02hOS/8rPphV9c9q9ju5n8xbhS6IiybAelPwt
49beIm0B//Z10FbaB0mz4ktOBCIEAWr1Ee7wWsRoPtYwj7MYNGIz6XvjXYMWpIDb sa+xM+w0n+fxVksiXeFj7qD1LDN4+kwqhYP9SlzbA4fT3AkYYrxthTww4IFAweyQ
FaI8ZnMWiFr1onduD/23SzVatVruGVrWIpL2ephh9bKLjtHpXTIakhEiWvCp4zp3 IJkpVL0/IZEIEfRzpr0lWLprAaoyPc64pecl0z/gBJDgz1kSG6iEh6K4qx7ahGde
A7UwizVDCr7crRUNy12CCeAd25f1NSLBf54Aps3vYOF7yYu626GvMpE9sdKETL6m kBBpS2I2ZsdBkvmQxDSM7tYYBzPxcUNZlSFOIeUy3Xl+OGPlKgtMofbnjV8AFqUf
09YDH6C8Oz42wJx7gutX3EgvmNaNzxnpmVOf4vG92RMekPfCpB9qAkKxkaMRZf6b tOpgKpLUEkTgXbGUKBxHLj+8pbw7zOFp4sJ00i48ZzLP5D9jom+jS19wGshRc7cH
Pp9sdXd11VnFOK6swVMIxs2ZOQ6HvQZsMmHN3sh1LP0T0kP3idhrsLZY5S9oy86c dK92CctvrfndQ85yO0vqlyOdMTqjh/z3P2KmhL5SW6P51q5mseTvj7FNM7331DTs
7PHZDcHNKgG6xsyrudeMVF9DdHCjxXAgsTN3OVxyPUJYsX2tPpFW10++FokUknFc rq7XWaBLE61eWWQ/dZKnqh5YbkSlU1+08Rl6H/vCU5hTC8fht3KTQSWPofkrP+5f
jfVrCReyKXCQghRuJHrqNtyINEdCfUfw/cpM7nfukEs24gDdgZkMtKUgjowHCSr7 We/Pe62LyhV/MbLRA0nmU7Sf4IAnpHfa4kLtlYeB3xiqKd0McM//qzjuk5NoIgE4
Q3xgC20nbRss/w1KZ4foiQaDJ6H6Bb+jQgqwt992GEq0vwAh8mhe/WHDYtNXOLtr nL0T8YXdGt8K01w+nt+j5bo5gFoRz5+1/ZZ9BgN2DOo4SClYnJWQ/x80X061yJ33
dvOM0D6UTNrn4083k1g6QPE439K5zTKEWtTwHswx 0SGv4eAC3vFi6xE=
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

27
secrets/chatterbox/syncv3.env.age
View File

@@ -1,15 +1,16 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USByNWdJ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USA3MEFh
RTFFKzd0OTRlV25PSTRWYUx3WjZrdW81aWxlY1lOOWN4WHIreG5rClVvWUUxeWEz YURySHY5RjVQa1c0QmMvTkZtZElNd1BIeDFpR1U1YXZ5dndnclUwClA2M0ZYMk90
OGprT0JYMFpiUERuaExRQjBqZVdscFhYSTM0c0VycDBab1kKLT4gWDI1NTE5IEdk RmlCZHVISkxZQTZXeEhZVUROSVRGRVg4TmZKZytSL05FcTgKLT4gWDI1NTE5IFY2
NStOSTVWV1NPeHlJdWFueDJ4bW5CSWVJd3JaR1dxUGQ2Q21XMEJSQ00KSXFPZVdF V2k3S0VQdGlQZ0hkU2ZoSWdOUG9rQ0p5Ukg3ZHU3MXVvNHlWYVN5VVUKcWtoWDJh
RzhqemJpNS9rOVUraE1WSkk4NUlPUjNlR1ZDUWRYOGZYdkZLawotPiA3T3IyLEEt LzRwcktWUGQ1bnJvRzVBVlpHU3NhdzYwUDBPTmx3MFNrdWNQYwotPiBKQil6Km0t
Z3JlYXNlIEA6YEJZKFg3IF9kCi9tZ3NjcGFWWkJxWVBUcjNjMUhwRXlEMzJyUFFj Z3JlYXNlIFdlRTlUU2cgVlxLIzUgJlVyQiJ8Cng3NzF2b3d6MnlEdURQWHgrSFJv
QXhPOWMwRjFjK0hYc3V5Q0QxTVVRWTVyNnhtQUEKLS0tIGVmZjgwdVJldGNLMUVm Y1BMUkZyelJSdDJvUUUwY1k5R3ZBMnJaa1R4NWxlUll2azNseW5MQlpvVWUKYUdN
VE5aTzZmd2t0dSt5K0YvZmRYQ0YwdlgwVCthTXMKEFtExlrGEJGAFdM6snloZLA6 d1ZscXVxd1dxSGpzMjBYeWhhYyt5ZlNkSjhmV1ZTTDBTCi0tLSBBTG45VUJOSXZv
r9hTjFJDR2bPV1qWEMXt2hFCrESx87KNVwoffF0i1y5704HFmB9fF5IWDVUDLrY3 N3lYNVlyZldMVkpZdUMvS21NdSswVmU3VThZK2M2eis4CjwfWWJVR9Ty5dBXEr5s
1168vGtlxTePkp8NHQdb4k/Eda+35vaONf2bi2YIi70XPVHzKxZIaRV0UGrNAAbO U+QrifXvyMJJvqOKEfMYYomFLpt/VtbDAUwNlqLnFIk1VZ2xPUBisXPtReiCK3gq
a+OL9tjSsA6Nyusp4X+FOLcwMIe7AdVuUaIlTnfAcnEWiUrCXoaZPCVaE5aDdGgA P+i6bUONSmPYvmF82VgiuKDuz/kmWqVGg2iSBPIXAGLNIEojndQwmhnrsN9ex4Xy
PSeRNQQncqVBwp4m9DbGFiD9mExMYeU2H4a3AVE3ba165an5PkSi1EZHIO+urHIy lBHkvVsN8EamUJwZ+FEZe4+PjA5yEnANWpeTELOt2gA92/jwwnNIsr07eVTlkh8X
qU+NiPFUjwgzaQ== UmQ2owGwktXP7it6//NV3C7sAdazs2bX65WSnog2E8WPNAorKWI8RCYs33CshVFt
zzclZ4hRmlAmqMHYqFY=
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

19
secrets/colony/borg-pass.txt.age
View File

@@ -1,12 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGo2N0ZYUSBEUDk0 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGo2N0ZYUSBoYlRq
TFFzYkd0Ni9HVThkWnExNmMyUENaWHZMK2NselpQZjZOL2VaNWpVCmlTVHcyZXlu ckk2c21uMVZSR05SdlJpck5MT0FZeUpLTmpTRVN2WDkxWWxmVTBvCjlHZWtEQ2Jh
enFSTlAvV0piN2xtcWg3Rnk4NWF1cE5kaExobEEyU0R5S0EKLT4gWDI1NTE5IEFI YUdybjJLWkNsZkxabTVIR0JnMno5YlMvVmhodDU1bktrSzgKLT4gWDI1NTE5IFZT
MUFmM0RLb2hSRmdZQXVEa3JpS3ZiY2tQeXdFM2VIQWZVUnhZR3k5Um8KZHg3Zy9y Um9lWXhqRFFLTWdNaTR3Sm1acmY4N0l6WE1FSW54ZEtQcEE5RHBRRHcKcE5KYmp1
Mk52NFZ2QldTY3Q2WHNUMTZmKzdSMTh2YTVza3h0aFRQdlI5bwotPiAldCg0O0kk WVdCVk0wMHZ2SCtUR0xKWU10N0xETXlXZmgxcmZZOFBXYWtBawotPiBlRm1gKGxU
LWdyZWFzZSBEPShYbi1jdQpNTlZKamkrZ0I5em5kVXBKdldST25wdGdZYkpWT29s LWdyZWFzZSAqXF8gOkU8Tm96IGA4IC1TCjY3NUgKLS0tIDhjaTNrbG1iQ05iTWRS
emlweEQ2RTBqU09ocnY5NUxlSjhnYVpOejh5Z2JHZ2N2CjZRCi0tLSB5cklPZmwx UzIvNzA5TmVGS2ozZmYrYjlBY3J4Z1RRUGRNeWcKUTIEhWqr0fOODu86MDll7k3U
b2FGSnUvU1Z5WXFrZkZEWXQ2b2pVY1Q5cWJVL2VDb0NlZUVNCox5BZhbD6neHv9K ThgmS9nlcUY3fMgXzZLtpHIJ/4ZSI+miu8RmLMaeC61qv6xNThGdx+MvU4tMBWKA
usD6g49XWn+1VYO/KDMLGiTzRDYi0EhGAUI7qjR4AoJ/8+2xAAPuohebavELH0EX Hv3XGi2MYL1jdHh2KYg5PgdqchYuHrFuBPS7c/tQow==
dqhddaHLJaSgv/4gPMYMn2K0oo7HX0+59MvttnX98GEP85skMP4=
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

160
secrets/colony/rsync.key.age
View File

@@ -1,82 +1,82 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGo2N0ZYUSBlZmpZ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGo2N0ZYUSBZVkFh
MXNjQVFlaVhrd28ySkc5S0ZIcmpvU0hQUzNXVTl6cjBhYThWWHhvCmZmd0pPWTlh RDNNZCtySlNQTTZFbzJvZmF2TEZKVUM5VjFjQWNSeHlNc1JNZ2hNClVac2pEdWdw
N0o0ay8rZkxrdmxOYy9QMDh6bFhPVXFOYmtRUUNnYkZTMDQKLT4gWDI1NTE5IGtZ OVpOTmhWWklVRDA3UzZWWk9QVG1ySUFmTzRSVlFReVdFVFEKLT4gWDI1NTE5IDVD
RmxYNVBFL3Z1UVltWThwVnhMaHhLdjdOZG4xVzhxYlhXcXFkdzVZbk0KYVVLVDdV eWN2S29aWVNVTTdldXFxZG1vWUNYK2RrajI0OGNGaklzdFByTzlPUkUKTmsvdTE3
bGlVT2hhV1djSmcvdjhJOFR3M21TbDRtS1lhQnp1Y0tab3ZNVQotPiAvVWRsS2ZP ZFBvalZsdENxR0VnV3FVSnFxTitBRlFWR1BzcjJWd1h0U3hpYwotPiAyOkUlJC1n
LWdyZWFzZSA1R2kkfmsgLjEsIHNDMm5TIG1YKgpXN1BDR3dYOXhHV1VKREhBdDRX cmVhc2UgIWFOMiogVDc8IFZETk9BSDVTIHEKQ01rc1ZoNXQxUDdtWGRQUlRCV3k1
cVg2YlhVTjJJbGF4WURoL0drRXd4VkoyaDR6NlJrRm5NUVl4SmowTlZ0dDF2ClFG djNZeEtOaUl6Tkl5TDA1S2ZXWTFQZEFiV2pWMDJpZ2dkYXdBOGhSTVA2ego4UnBz
NzFwT1NTc2hHYmlrcTZoZXN2VmVKbnkweFl6U3hSazdKazl5YVVKdU5pNXY4Qjcr ZGhXcklMd0NVWlhsc0Voem1wUzMyREViUllCRAotLS0gMU5GQjdJaVdlUFJGMG82
QQotLS0gS2ZiQTl4aThCa0RYVXdKNUc4SlEreWNHaW0ycEsxUWJaVFdFZHl1TVpy YnZCUm05ak9qcmVyUVJSS0tHaWRRTld3ZkNPMArRgojrBQvlyjMhChn8jgUNDysj
VQpFH8YP85+5wIgkxKat6/Wq/X6t83nC2Aqcv0b6YkQh5rmtENSltIS0mlHRpsdp 9Nh3BVqf44fiUNMKARTrFTz3wVMlioo6MmKRzJ/yj0fWkZ2h80X68Nq3rQvy+0UK
CJ/pSrNHhkbykyAAC7FsPQbQSjasERdS9I4ycUn72EnBakfJvN11uzbQybEF8T1K 4PNPRbwY5ib0nf7n3itFKjehrYr8HnOjreQps4it52bT5re2TWIC9ogZhNKBLRvB
CjVBmZy+b2MUU/+75RqQFL437Zl2ZYaCTYSH6T033J2ogAK8usT4Xyr6hBI6dtiS qv14HjcF5bGnia8TgSU/8nUZJuIaLwHvS5sc9GOtmV4lDwiSTEJQEtGh716Jzuvs
jaAyV1QfmuzpBF729lAQkPbdxvlG5j4g18fVTkMGd0t/YWG8TID/KscJxNg63NaW XxQLPEVVufAjZUKLp+jWUhXGkvUEeY5bxE2aOLuB8kLfHPC/5p2rl/n2sW3oEDFn
2Ijk6cLI8yi+PK6udYuA2Z4rnfCpbsR/bBccSng5K8r4U9u4KPfYeh0v5YeMHKZ4 Fw+XcNnCHWBzk3DlzKZFXwIaZL6Ocqrt+p8CBpWoNhbssuKyOtEbWQOmJxX3UPMt
0+gG+D4vBPKBRk6nvruxRq8VgQloxB99d18CsGilAcpski1Yq8/VgHs6rvE2lx3k sBFNdKSKFhoBQ4ukqkKDhgcm0i+8wG4eBbNIMIDwzPBxK0QiVriwlPQHl7RS2M/J
N2DohlIIrdO/ZQpF0+jFvMKTeqNZ51Ho9vDJtMIrH2ZdcpkoYiUEidFX2RJrvvS9 LgGeS7qrKC3SgmLu57CdUVUlnogJ4oOg7FPh6x+jQBIIv7gtYCzJb040TUZWZWvi
YFyaF5UAcEAUHvS1/kukd3XgW6rYzbj6dUrODj3lfQS2+PcOpdAXxf7gTRREZ+3R cfKWBBwLqLa+7Y6kEhcosLUgw2c9Et5P4rvNjU598q7qrZq7uK6Mr+PMwD3Pd66O
O1ijz/6R+qudfQMFWuboMNxg2CD0We/76Vs9qPLcKB2T9ChP6qWGUMrACYA6viC8 SQyT4nYhhXBnaIsLXZfima2nRzPocaBmfsuXQwlnLJC8JB6yzqEViK0xYKfl0fIi
3p1i2tBk00Xc1YAWe1IvoMKJ25LEHMfGMWJql2HJOMuZ3xUdr5J9StZ6FA6o/XQO jxuYBw/8Y+MWQhIkF1pP8z+Kw51QdK4CIV33mlLBJnGjlizewsjj04EIgpzQ0+3I
0gwftRdbY7P9a1j2wLo85L5yCQHKVLnF8dxQS1CdQfcbrlmSFgrMwgINlMyhPQoa ZRyee/SzFmGBBk/pMGN0DizA8LS9yZ9DRGrc13rYVUTN6G5xT5AT1eEtFbQ6DH/n
bU6dermKLoDp8JISIQVe7tksez5qlA+Hxa/8VVoaQxWnUpqRHEnKNsr1VRawNy7t q13Tur4QJ8AqJmwv1cnX+faH61dXahfbinveXWqB5S95/HE3OGnZfAiS5bs1jW4U
St9kpnQ0P9gZLROh1LJCMB1UceoyVb0/dEUVd00gofxMu8lUrrCuPM1yW37nSfMV D3BLaBiFMYD+ccPedg5MLXRgEryVaOWlQ5wuXxqmaCG0KS6YLxl8o0bRR3lKXNZP
ClDjFueTR468s+pLcGhwwvTPACgz7xQlvBNAZYzHobCJbwOZXhSGS5Rrz2yGQ5W3 B7Ye0Px69aYtOs58dTOq0Peu039Fi5iNC0beocdKOjig4tZ6p41uz0jPGMUoDebZ
BYMbhWn9NixlXtpdUZeh21eua9HjvEo9Z9W8HFCT7KJBrji8eVwSuSJSSGeg0m7D MYHax+a7Qpi5M6ZVGVpF1ieW2hqnm0lfb18cEYHuXjoI/YlgVhFPCGSzHJpuNiDU
BgNFRymNW74P5zf2xB8M2IouCFVdZHTitrawQjVn3vAsOMzUlyN/X7g9jq2gsII6 qJSfOuD8HUB2iXFeEgAi+V3EKTsyjlS+R1zWxkr2awqAk7Uf3svLGWZNINHNoJRe
Hcv0USJsBQ9P/RJuHQfrCKP+/yJ0dntbLv6dC8qPvAp0WMaqCgTtkNpJAZEypEIu CPPANHzTSHlNPSelQ1CyOhl0W/eMCEJuJ9/6kZsmUC3zvzxEMGofG+Ub9RRBW/+/
cQsga4UkNRJ3evei7tuhb4IZOhI9aaEWTV3Gqsa5pNCxSdkP7qMBBynALpD5Kljf TkrVvMrQv7/Va/4dxMPCqrdOQ+3/LkVzGX7qg6tQR76Su0q7aqh38Ki9qWY47bTm
h0FVPu3oll0BuCGz9+LiuPmBxQy4kR0IqXo7qOVCwEEkPSU8QwjcLBSP0Ccjykj8 lq5I2EcQApt/O1cGQJTFowdXVJXx/qQv436p/jL1mymQ8241iQ6XX3DUjbnqdI33
qWJ3sYb1sFjCpzU4TQhXzt0jIzpMfgjQFSntMRahtKq5lpV82M9eafP4w0wHc6uV 4XcPa/B7naRkgSG1Z55Vv+IIBOzcjzUMzeQVP/WM3SFRNYT79mJnV0SsKvUFtUOM
tr8w4UfQvC16dWF1hULQhi288WwR8UHTYc+x5ecLKx06WI++QnG8EJ5K/sA/cggd 1OxMGEx+ZxfNIZqdp+qo0+uIU00ciokldh4URo9u8EIHjFVcV3Eyb7EbbCxzDiU9
wsR9aWejw3/6dDOBo2El77K6j4EcVPKvyYZp0R9d4zOWABVToftIRN1VJQa+9e65 iwoAAaJjwBlyaRQFWYsKhY2J3NEay142WAyAiHmnNBNhZM9TKkCpjton4ehxeRUC
K959sDtk03b7kc2VI7l8lUVjcMLqkRQVK5BYVqRyYaIntGZVt7iZaH0Ab9wjdCem hoXpzh4J2lMhdcmXXZ675C3MYiLDpajgLS1dwRp+mAUXwjvQG5rmJd7UWdgpbdpJ
20TsKHl8P92lZ7TbHOihHVQAPIZO3FiDI9L+ezpGTBJNEeRDua5g90rse+/uHbPZ K6wABNkl601XgKv3/nV9touE0KQjHg1fzo9vzmf8zVEViTgXxH3NECZHctObwgoo
6z2kUoYEyUxb0d7dqApOIb+udcP7gMecOqcYsBRnV7v0s9T2Cc1ePg3Tg3kM0V9E SlbUOW8vihCi2HU9G3tqH7dwkUsgB2a22JFovgwwW8ePKJQpdvwAV/jyFMLL6jyj
se7vMiWz6/SuJcDEOIGb0RjK8nLHnqARduph1LUkwOs0psoiHq5GvlVHPPK3F7vO 6Tf0Gsc/Iut6Mh5TYiTWJdCzvEBjcybOVnppj2zR32/A/vAXUrJQaq0kwKkCwG+e
jOpLNliRun5kj5uo3rZh1xu8vm8nQfpCnr+pBd2KjDBNzcTO+sU+H2s7Ewsbsrto TL0hAQuA2Su27qTR9Xy2QKpQ5NppRH7V9YxCpjGfcLbcCh7XH7AEZaYfrrX8NoP5
tZNTvXnKEBiTg7fe7cqQ/E5hsHlQHuCg2AWbWpFSLeXoE0MQ4LNNdx3s6WSjWzAV zPalFA+7E1IuDRtT29wFNRVb3lAet9t5q0LUHf3x+Qk23dQ7Mdq2JIf9RIo5xZ6X
5Q9s68CjiHUOlG+4HJDQ4DxCeSnnItpVHau7DzKLE1xCU5vF7TxarxObZ5H4VjGF nsKa9eBQ0O5OAv1VGWVvbrVCMpmyiklYV2rcIT+dbrhrgiTu/BvODSvtmeANIkhC
dqYZWYjJ0qtdvNjQl+juUeZW1QdaEMnqFmI/AL/SfbkMr0nQ1YXf3mTWn3LwvCZF uF112/+QW1UNPCENioYq9OWPcEwby+s9JkQf5nTub2o/0lTFKJxNgXa1QBcKKVyC
VAPZ22HtSmH5kdM9Uh/hyH2rcktJjKBVcdlBUB91/VkahbCSxwM1GD+VFtMYZWpf 9aTCRhcxXsfuR7YzbCXRcK2hUW203iS8+UgAfZBVe5GhskOd0ZR0WSkse+jGzPqI
SR92qGuElKPVTFy6h7uaNb8ca3fYf274dI9fYDso0liFs9KA8wZeNnOHccuuVGH9 tnH5F0yQgLn9emebpL6dNFUVvssjpiMlvkijXFJv1tWSKLb3TxJd2BE/w5Zj7Haz
EM/p7cLFU+G53ls0/uOfs1dORaY1j0vty7ujasbPHvbe+6BOH1hvstwfF6j0RxRx iv7Wz6o5+bY4v2YL2Ev7hGzfSaef+ip7/BYZ9TGuzSoZEHMYa7dNT8kRR18IhfXv
K8W10f5/jPFW/3hpdl48zOdlp8AyXBHKKLCVV7KhBVmGGvP71wVDY2IhiV6Yfqgw Y3wa2xlOhB+WE3AjtYy1oTi2c6Vmd9UKASZy/Eb++j1MSPtxZQLNaj+svCmqqfvO
GOLy31dLqLnA3yQb44l1baeVdpDlOOASaQS05llAcSmIhQr0kzlYF+IUtjrPxDhA /gElVfGlgkomYwc2EfJvR1lt9u9YGepxKrafPsgvjR6bYPwLF7eHKkKyEiqGCYnW
YlKSbm6qIMERKO988DyGCAl8/46HAEx5AkeKlrxvyMpmMVZzOBN5k6BCnuNToA8f mcNJz/B0egxhFjoGd0U17tNuZcYRD/Tsj9ugGF+4/q+IaEV2YzZTdGzupI3lW17o
zpofXdg0Nyws95+W942iH+62DzSVD5q1UlawqAR+8ww2/guk5DE/3BIVx5+ByErk Q4H+EksxkWYDr0WRlYKn7VT1gTThuggEz77JskjNP4jK29EOIEO9IqGMh39tXsud
NS3/OqlvN20/WeJrtHUGj2y+4QRx1brPhHDEQzHh4GF05vE0+KB2hDBajZLTCGBR mhL2Z6XMX6sgxSjSkYxLpFnS1mRZ6uQnSptxHTfnG6jYhq//MTjGX7xmYBj5EoTC
mX+VJad3EOwKKEhUs5JmaI6+O81d7lbEgXOHjqAiDW0h90bLvcopi4W+TSBW64az duHuaCqjRXc3yHWoNm8jepkpbe1PPbwEbL6RDK16G3g0WVREjZopj+66C2xlY8Bq
MHOx8O6spwy95wIWVCYtlbC7eUSBjUbc1VkSVLFFgXohZDsbO3Q1rYwp0FwJ22V8 ZCmHhud22QHs+5r1LLSIynsUlGIOvq30DZ0F2/f9Gm7uayIYbp8gA4z7M7RjmHoZ
T6dOMMb5v7sLfKW4vbLGD4xm90v1DicjmMuON5f9XcLuUNZrX3U5ZaTay1xz+QPK +XHYSPc4kH4a3T9MucQQGzJMl1k/bifBAWLbu9uPcDUe7Cglfz0wHnPemOu8HZXY
NwHUqfV9dq6+eN8FR+Ik+1EQYpzufHuSpD2YdR/7ioCqnldCHPwt0/ybsHbfduPf 6qS1n6PAHyyGlqX/pNWxR2vQrHJRksdTCvjl4g6256PhaMDop3QAHuQj9meYKIqP
YPFCjmBqTBgwKw8lUejqElx6nXmpvSv7/qmyGO0pZMmQM37GMrLStXrsT9lO3mn0 MiZexiuOW3KjPJ30Gx1Q7PnUc+w3SjjsKaZEvRgeWKa37rvj1ICTnBQUPq2HV6y8
vJSwJ0+2844AV46c35L0lxcg9Ew33LE3aQqmRFLF9hCwsTu92RAvIWQWV6heqjK1 zaGnJcfd0ENAmFnRaCIbdU6TRonnIAAuSfE2gtLni/PJbmUpznuq82W//kxvH1tR
zmAbBY5FQ3rprVvMsBx9eKaeLVIM6/PCL7gdtsAjKDjFPRiWzsWbJL1A2/SB9J8g oPx6LuM2+hRncMoyXUTWSUVO1DAUPXgZA+j7fkkwmosi14d/5xe3wO4U3dGZ6wAY
/k+VZyf3+Kz6i1xiFxDN5eKlo7TZCG2qdqcf+Hr39c7aPN17giCCKUAGXShUytWJ D+zlzhq4d/4vIvLIL0NoBcp8yM+xWxPTtvj7HUJ7BOVV06ICnilUlv2wjR+dZLZK
YVMUSKwCQ7Utos639oYfXe14AOEEyeJZLniNvk2YTC7I/bc4bRb4DN+YcVkxmkTg DyjWhMoqk8r2TDZbAQr8MNX+sSlp1JxQEgBijpqBvRdF/ulqraF/GFDFRLcEi7D+
2yzGYugCRL7xc8XGfPeUsDCrg//WCl3dVa8gJxJYREHKPLJFyQdsMvdLWBP9xY9i AkHPg4TrmaNB5ixsj72j0xruFJxgQJGj8fwQtemJGu8QcuJbCvJ74TI3vu0Pac/C
hzadXEaLuu2G1pCoJus8dpl+8A5VTT3hixiWsspDKD6TuXPZgCSnRYd0bBD7d2bo MRov1TAVJB7+iVvVNEgCMlzimJCSCUYh1Zgk5Ci2CDFMFRAEcGoHywIW6v5V8j5o
cjIkir79OU5cYXCVyE//URLTOhPEIAKbg584PqOoG86bN/x6fJfQxQI8YxduAHQ7 v30mJKZCVFc4Yibivjj1aGhQVO72vgiog4L++i7CeXHIu6Fe1Jmlve5iuxrQA2aM
/v8bLAQ4SLpSWshQoSbvQw+kFbYd2+2+s3h1gL3ioCVTgfsIaBsWHRwg8snrV+ar 9vjCbFJIi8k5vQTVcKPRcsto7/qbyxvWvahKBBbHl53XnSb0WtLUyTEaXJ+0l5gy
r0Vjiub6lt/sBQyqdcUU4gnVhYHI8XXR39D3DD3SiE7K1tijep2Si3ET3PVTOqxn Epxfl6ZRNkt+YBYBqCZL9aK6TNpCR+zTC7OhrKcZntqFYCeRB25YEfc1z0lTH4SE
e+/A/irESg0u6uJCktptrRL3EF/pyfGNQV1LQME2eQjja7/WmG0Pi2fDEIycVWoI TPymGSMOeUX8YEIr+XNYG0H/I7ZtEdNGBEXaUrC4YUNrvojpq3PS9bhfLhAf5D11
E4HH9jv/cbLkZBbct3R3EreZWRAsoM/Y7Mnnha8pj8Cj5iQGNKHkWSufhJrTtMNl wmI2tS9cqxAuS2zkaBr9Qo5xNEVsyGNFd1K0q0JJosiMnVZDzOA4wJTYhOw5gwcW
0OlVGDew+ikffcazhYZDsf7GdlnkY7+o+UHhGDP7sKGFYVKZ6oQxKrZlNJNttNyM T1Kh/LDvK4RE0CV0jRqN81YO8V6Jq+/c2kgtwTLzrx1GCcdHRsY2kPhCEWOTLKb8
7Av6S+w1Bq69pba62AxTxJ7jO4gcSQiOxO/6IbsyCtMcTYoSXwbc5KKWrdapRYJT Jn5nyyvOOjMIkAEYYqoRRxl05UbNWNS9SuO2g9HF6JpNJmw0cmzT8erIIjVvaUs5
QBeUDQdMtzYnVQW8wIUfmcE9x8aU7Ertk6cO6v+VMYdXJfw19VS8zuayB5ctMxQv dd0Bd5EgkkLq3RMPNTiidQCyIy8QtoElmxYfM11mbf+JMgxsB3sDcRGN4lauUhho
AingSZIFy367I7Cf3+Dc4z3U4UTWyZwyrq4faeUs58Qeqa83Jf0lwuTYDESa2Mh5 JlayuFUfrQEwtHFwyULiJwUC55faVqOQzyvcQ8C9AJezDXS7//ku1kvEgbzK0nFm
DzOLX5nkQnOPRzjjGm3F65fgHPfSI6lliTTD4cBqXGnzSSVrPUq6ss2UqMQ2N0yo 3bCCiuog7pG9XlldSReYvlJtnqTmp6E5+m9YaP+yB2E+swKBORHkbCfBu1CuX6R+
s4CGueS/jvrPbO6t7sdtUTnlm/XMqFOtkB3XFDj3LDi/S9IdRkUVAsnAMqDzAog0 aryBYIDeLaIiJs5GWJN//37TT0hVUCipY9QISfTiZ5tIy0aNKRu9syjWphcoTJuv
tHACw0Qbwk6peWa9zVLQzlocATqQtuNmPiR58IV1w8o4F1laEKj8b823WiK8KNVD YBaRxKNdZs81ppFTa3sXB824+QXwzRJJPjBndXOtyX/a2U68NK3dqau/A5190VAn
d31mJ9z62VjBM31DwHW8dHfeiYgAUTXTAs6ch9HLh1antavNXAsJo1sCw6dgniS9 bn7jnJ68rhcL9ewwydQRm72qwyxBbRHFXnEXpkJhzYRw6fosglqbOJMxFiy36HWD
UZfUd5vE4YYZRig7rRuDVTRIjdP7KPYFOblnu3UELKALOiQWKtDwS0K62EKDBuPq RkVluvTInw8Em/DhhWgn+UrxLlQN6JnVdpkT9hwrlFWooiM56UKAPO2a1FM2XKXe
G/hZ0wO8Apj9CPblytIhorTnWyNHifOyoYdBivdwklikck/jxY3c5SR1HXQtvIas TqsolY07uWnA+ouiljqIpsaFlVDBcz/sGZWqy4aKKPBTcZlreW88PMsS0c9nixVi
GbGSwJWWA00V9Mg3/hmG7d6YGXboBQcDd4RYBkT8YcWmspP56YxHRQZYEX1rF5Wr nKnmI00HuzeL85zVHGo0IKYfktVVjuZNPzJ6+w18XpKIi8TxHpxELC9M2kVOCnuy
m2EL1BlORe/5reJmd7e3rTCUax+4TYppLGMDB0CbxGsgfDuC8NEbpAav4FGBTrHL uwuntJlRty+GpXVvx2VLi1wBKyLpXUxhyg1tSi2sZyjIdVt4yEOKfajZYOp73JZx
lPwy1u44BWFliV/+LlGcuga6LkM2TvSdGwEuXTuWuUIhQ4BRbvljob96/x/wiSMU IcInD7Cby9olkMsa25YhloljY8YELfW8EWutF13m8tsjGP9c6aOuMIXhrrpwLgYy
za6EavFLbeKkRiKH9BBspJCoLMoVBDwL+jTc7gz14zGSDrBQFU1J4wA9YY3OZSCR E27iFh9tHq0mjCMibwQnHld7Ccd4OqO4AKfPofHDxWoY9+ivArOBAXjsCxhxWWWp
QdE8N0RYlKBkrpa+qsyAVxmbIZHWT0EHAFMBzZheOPagVCD6PsI4SWtjW/9tFIXj aLqLJz+JH+idcsVDlw8jJzFW6pQFbM3VxXObvCg9ou5+P+Pc5XYyALJzIlmoOrN+
8L2L0nimhU5USEHbfGzGyif1mhN8bNbTFgY2rfNa4H02g3g0pn98jCI4mMuLfxLY ns5Z+U/2XKGyySQASUyFXUNml6csSrTd+ejz1QvEX9POU1nLmvS1+aojgnptgdpn
QVAXjJZZOtMpICIxoD4ejxyEkzOUGtAP3oxOdoXogU0iQJkhLerRWZF+dA== sAtksQHMt1Njo1oRug3+/0iC6XWEig==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

60
secrets/dhparams.pem.age
View File

@@ -1,29 +1,35 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGdTeFAwUSBBWUs1 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyB3QTU1
eWQ1TnJucHN5SkZlQkFZRDUwcWJweW5aYWxmZGVTSFFmbWg2YVRZCkdKSFZGN3Fz TEdvbFNaUmE4U1lCNzI1dlloVDBTNXdURjZ2akRMV0R6dm5ST0FNCk9YclRSakhT
WDNUZDlLN0p1ZktWL3VxbTJMdm1FTkNYNk1aeDlVT1B5eWcKLT4gc3NoLWVkMjU1 NlV2UVJwak9Fa3dQNTNBK0xKWGlkNXdwZTBEMm4xZzc3azQKLT4gc3NoLWVkMjU1
MTkgVkZjdzVnIEdaUmd0YVFNWSs2c1BEN3YrQ2h6NUxpcHJWaFFzZ1lqc3MwYlp2 MTkgakk4UkFnIGNBMHNrdG84cUQxd1lqQmJIczlScU1jNk52Y3BtR2tXeDNWdWRX
eC9BRFkKWTlBVFZYMHEzdUx6dFZGbDdlUDFjbzJLRUs5cHFJOFJrTUx2bUFtWERa cEFCR0UKVU5vem5MZUFPbGhoQzJTYnF4OTd3OW9jYTRkazdocVJkZ0pRRGNLek93
NAotPiBYMjU1MTkgYTNMVjlqejJxNytGSFNna2hiZktEZGJCME1GbnhBbW0xSXYw cwotPiBzc2gtZWQyNTUxOSBnU3hQMFEgQ2RUaEUyV1ZGbGRtZnlIUEtTQXk5MUZF
bmQ2SVNpQQo1Y3ZUOHhkcmliU2JWNkpDMDRld0pJWTdCUVd6QTVqWkVFWFJxbVBt djYxZ0hBUThlV2tXTHNvdXpVSQpMdiswMy9QNUtCb1hkbGRqR0Nia3FXTzE1ajZL
N2RFCi0+IDtacWtxa0ItZ3JlYXNlIEooK3xzagpTcDIxMWgzejNxTVNIWmVSUkhq UXljSTZqM2YvbzVuWUFzCi0+IHNzaC1lZDI1NTE5IFZGY3c1ZyBYL1NrRjRaRnFn
TG82SEdvRTNoVVdjUW5EdlBqeUtGZTJrVWdtSDhib3lvbUE5emJ1aldNUlFvCnhz RlNLdWJ3cThteDM3WmNaY210d3RmZzhCYmNpVXBwVGlVCjBkM0IzZC9zNjhmTTZV
TVBsNnA5Ci0tLSBSVlRhWDNHNXJuck9QR3JEOWl3MFhEQWNiUktvbEVlOTByRkQ1 R25ySkVoQWxQQ252WWFlWWZFMlc5dWtUN3VvVTgKLT4gWDI1NTE5IE8yUU1pWGFr
VGpvcUFNCpbxW5nbaK4WcMd1e6ASuETvrP/az98wYN+NjVdOhik/6eO6nWAI6C6D NzUvZVpwalB6aklkWmJGWUQzTnJiRjNzdzY2MUp6MkY5M1UKR1VIWDVyTFpxem5F
ftTgIwQgIFYLagTrhMkQ/NjvDtDufT5Gbvbpjvk4ohFsOALlGj2S5zttIuF+MRwj TmRNWE9zZStLanRTdlU5d0NOSEJKdWhDUjBCdy9vOAotPiBTJCd2NyFYey1ncmVh
j3Nsd0YVjgB4WrG3u+0I8gla3lw0nPAKGpkEf7Ie9EDNxeNFP2//VXjNFjWB4UmJ c2UgfE4mYSBXfms0TC5FPiBiYmx8IGRFV35mciNoCjVZdHRiVUtMMWxEMlJ4b1F1
c1lkHf7CeZSa0o3WQcssPpCLMYNNf0eFucdcX4SPlKrmKdavkYMUQxLb7Ul7n1k5 TGgxY01XTlZpTEtndkg0T0hRVjlqVUJGMUpSaE5tVlZWR3VGenpkUXY2eXJtbmkK
PRGNpSdlA/ps1U6LtGSQ9rG/fF16MzA4mIntu6j4XaGSmqDOw9+IDs6vMmXq/HWo ZCtqRVN4dnZENXdoYkpjNHRWYXkvN2laY1p4YjV0WQotLS0gOHlEVTVOSmlNemNQ
wOMS7pQ9E/+snQjgxV3mxu3OCViihCiZxYiy6vU1xpMLcESTN2nYsNotdwBs4uGe TW5ISk1DeDlEM1RoQ2JtUFlyTXRKQjdnT0hiend2VQqrUFvr+76sKn0ldBmZMlEW
oGo/HaU0LZn0KlW6qNUdwNesNQ7kUC599Fn1GtEkdy8xiuwfjndkMLlbW7Y46lgJ U2k85DLo2KU+/+GtbkZwVXxxIZHMLpoJgghHk9ptdalUgLGcl0X15x9jVaw8aeta
mQRQFOxKh33yK+w4zyybmfKL2Lrvaoz23AOTPVV2dlV85hCalktebo6ZVGa6rAhK hbeOHotRHY7bC3z0S74riTk3xDMR1eT0QGhDMWHjfo8SkCftOYBlFfhTftevdep3
8NRRQscn2RYMLZcAywDKoA0WA9iKKUFxQdkVCdEqZcxN/c5Al4tN2u0sqwt1cLcd pKMZsuQMwH9JzxgUfcxIcWE975cZzrEJ85nfWMGvdSjcg51KNxP/UUPRxDlcbCEf
NqzX/AeMDCpvOAe7X/7ejaP5b6OTboo6Pqnpr2X+6OKvIGPHLJmw64I06L0fPk7N 9XX5apSzNsTI3ibGD1n6Qwq8bdVYDMHmy5pAhw4l8L+SdoU1tGdw7JOA16sMCJbx
ezdzHtJOo/jofYKNC46nvuSPp8eDZaE0tsDL/x6Zk93KweWicu3JOjO3Ox8uaTX4 T4bV0ky/PGRonjJuCyDBj8oe9vMe1ZI1O/ITtktekS+wocxBs6QXlY7pIZMlGUn2
B3JcONGYJgXCriHDE0nQWTmOlmAJBzjxP5bgwO50lEurJTAQX1qdNgj7sSvrPlZs 6m59ZEEaf7R4/MdnmBDNDkQuyXaKc7SaTc6h5sKWzXdYScGUKvgUQ7U/WJ2ItUTC
d+JGid12F4nfCvRnxRHVZh8WGBgLdlVHZ3Fbh8VcBXRVJYD+6mOp1q5B4DyqElwJ N/Xq07GkZZMt5MYBlyEr+/mKWlcy+ylJPGb7EswvQWaHoeM1QF0XLZ1v+W/Xsso0
io5+S3NDDeHpBNzIk+2GZNhoqcTdn8aEpOxPCoBGWeJ3LcFKr8hEFbx59xL02ggN seIoz+geSu9a02kwfsa8WvWXdIAT5X2pNGPClVNzjQ23pfQfQuW8ZQrGmIFR4g5A
Z9A/nDoL8qkpFzKYYhukIINDbOeC+ditBD9QMYySAlIpBjx7le7QDdMPN5+mczAt 58T1K+vGLdShqqVGyJFMVrSuOzqX5FVmZalu7/++1IQfiRGUlrHKoPlKWnCfFEOu
cz2YLbGobs5YLUhJbzomfXIaNr1srIYzGNt1gb6OgbatFkw3/kQDR/eZN6gCq/lL AYjaPeEFX2ByxcqfMK1YVPvUufdISUQeaQOO7mXGE3FqB0oUqmRIUiWZATwhq3Pw
mymcUtzwVJTEofIjiv8Y1fDwfQp2EQ8FqU0iG9p9wgEf0dHbi8tl/g== p5QdcySTnmMpD/w05hvwski77kCdmYuHlMlLZez/kfhTnIGXris+Vwi/V19bsZ8G
zwaZ/Xr6WNC+df5JqSfTGREnXZPFRDkaTt3ri5/eEm6BqliuYjGbuiKsDECi4+JX
bHpH6LBBoKQ6ms7jCAn0Ls4cUKF37PcjGAOuWnzCSBU+REht1EDfHzx4C7hNiP8X
87NjEqJbwE9lORho0hQJRTn8uriQcidlVoB3se2SYKbMy8UA4NNnxN9PTj0TuQjL
OD3LtqHBElqNPbGNyyEAAJmMBmmkUvPPXlGQ0D99b1+jIdHzYSRtOLshBFykqWYQ
LJD61duhGqcQqcLx4+JdQ+oVcfAI2nG7YINnHB0OmS2DOZvvwqQ7ASScSujUWIjA
LNQxu3ruMz+bw/G0tYZBBiE=
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

19
secrets/estuary/kelder-wg.key.age
View File

@@ -1,12 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBaTGhw YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBEcDNm
dHZMZERSU3FPUW1RTHo3VEg1WTlDUEhIdHB4L0lHOExsVk9tcDBFCkoyMDlQaXdq ajc3a0gwYmVSdkowak1aakJ3VWZ1Rk50S1JIS0ExVktVSW9OVWljCjJqbUEySlNK
T0pRSHJFSHFJa1JoTXdQYUlhZS9kQ3pQYXE5UlBFSnNraGMKLT4gWDI1NTE5IHpY a0xyT3NPK1BBMjZzN0RrLzhwVitvS0pzQ25iSnJSc3FmM0EKLT4gWDI1NTE5IHk0
UzRSM1RRSzQra0xpeTV6bXdWRTFlZGJsa2JmYjNGSWJuZFBQZU5NemcKVUY1ekhJ M2pkWHgyMHR1WHc5bE4xWTFDTndKdkhRdTg5bzZIWEU2cm02UDZBQjgKUUY3dS9p
dmV3cDZGd2ptWFNBZm9LVU4zWG1tdDZoVndobEJ6Z1hDYWdZcwotPiA1ajNWXy1n U3h1L1ZvTkFPdURLZ2tSYXJXOGNZZ21KVGdIbXdhSUJrd2puYwotPiAoL0RtO0lH
cmVhc2UgbFprW3NJSiAmUSB9CnhHdDhRQ3pEOEV3NDJJR2RUQmNjbm9FZEwzTDJw OS1ncmVhc2UKVGthN0ZSU0ZFTTg5YW9UOXMwa3RnSzFlMjE2VTN3Ci0tLSBwMEMx
b3prOHFVTGFiTXdUM0tqRlRHYjl0MTR6UHJtTXlrYlBoTHgKNHlraTdiU1g3YjJH Q0tQckd3SzBwUUE4SndMV01kUjVrOTdDWmxlcWs2Zy9TZk5yMzhvCrBXyLBZGuSD
MDFrRUxWUQotLS0gcWMrU1pBcHlOWEQ5TWVZVkZNZk1XcXhqVHE4T0t0NHZNcTVs dJodNI13obTM3UvX6hSgQ8Su+J3fOKr5NibkhQ0Auvlr2tUXhhDm2WOUlHjqVTq+
SUkyTGhRcwpG02jLWWTFQBDFcIIdBSWTot/V0X3ns1+13mBZ1nHQdony0moJGRyG jWLSyhioDlIEyBgk8Zrl7KGeDzBi
OkHKvy3dglXLOndeDuHvvJw0XoKTvBv/WzKnkndIOhrjgbKNxQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

24
secrets/estuary/netdata/powerdns.conf.age
View File

@@ -1,13 +1,15 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyA1SXFN YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBzaEo5
Vy9YRGd0YnRsdVZRSG51QTZ3TWFiM3d2dmM4SmcxeFgyYnBTSzFFCk92U1VIYWkx RzNndHBLMUl3Z2txdVZoOVJBbWsrTVJwY01WeHQ0VTBaSm5VclY0CnJLYStYNEI5
UVVrYVpLR0tieVdsQjQ2QTVFbk5QcDRFTXJURkN0Yis1SUUKLT4gWDI1NTE5IFdT VTN3dEQ0ZjBKaU1PZSt3d0lldkE5VC9wNHdWazNWV2F6WWMKLT4gWDI1NTE5IEJ5
c0d5UlpzajRIWW9zL0VIeUlHUUU5Snp0bnRMZmZCT0RMSTJzcGZmUlkKdWVaL1BC amlzTDhCOFF0TllPd2RsME5Cb1lRQUZPTGNvOEZnL1J2Wlpnb29GblUKT2t1NFZy
Z3NxQ0FtazBoUldWZVQyQktiemJKbnprcXJuVUZaRE9RVkpaTQotPiBgLWdyZWFz blNZSHdxZjlHTlZmaTFYT0laQ1IwOCtDZ21vTjhxM0owdTAvawotPiBLYS1ncmVh
ZSAwW0wwc0ZvIFgkOitncQp1NHRSSm5aSWY5TmpBQlZTb0FVaWtNOXF4RFRvUHcK c2UgRX0nVGtpSCUgNVNDWCVwIDBuPjM3MwplK2cwc2htQ2RLcFhUZ0RSc21uQlFV
LS0tIG0vS0hnSG1CaW4zS0JuL1Zrc1NvTHZEaTIzWkp3a0xIWDFaVXdoNVlBOVkK Y1QwSStOK3lKYmVVQ0J5RXA3Zytaa0JoMWtlWU9qMHBLNktFZWxtbFpDCnJyS0JJ
DJOWDeHFZ7DFi3RkpWZY/JgOfZRzegYbCMosO2RtAickW0LfN0w72pSt5lwEuOVT WEcwbndYbERreFhLZlRyQ3E0czB5NkREancxZk5BTGdWRkR6N2NrZmFrbnhSYlZZ
YlrZwZKFCX/q9KtTek4DM6zHeZ8oweKaMf9hznA/hQ+l0CG9n8uxvWaOdRZVNw/s NElHNEEKLS0tIGVLdXAxU0ZaZVkxaHV4dEZNNUVuc2J4N3VRMzZzTktSMDY3bDVB
YdP2XdxL89L5QDvSttaEN2y5kpKOVqql/d4vmldmpIx2gFUdqq8JIyfOHkJ5lOXZ bWtmUVkKigIZ3J0s23vNzmbzJGjSMGBXK6o6xnsA9HXeQZ13VgKv5Qv+UHu+Z0g2
LdGTGw== TeKdQSrHbDB3ydIxaiXsi2ivULdrIMCyd96rEJFxrkVuVqSZE0ehG5j+o8lKk4OU
PDe70slbZrVYDSu+OOUOCVRSopZreCURlYn2Pc4rjvrMAn5r1r+/AxjZMdkmmQZ0
l0wMBTus5zZzKg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

23
secrets/estuary/netdata/powerdns_recursor.conf.age
View File

@@ -1,12 +1,15 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBhc3NI YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBoZUI4
Zkc2UlB1QndwYXRtYjl3cGZFMDJDbnZnR1pTVGZFRVdFc1AxTXdvCmgvRkpGUjVz bEdWSW1pcDdMYVRJLzdQOWhsdTlZMmlyZjRVeEFwU3Z3NzVFa3lBCkxRZ1FYeU9D
OHpsWDlEaTFmQ3ZJNHViekV4anArTkhXUHJLaXZJbldOTG8KLT4gWDI1NTE5IFg2 L2dramp4WFFlREZ3NTFnWUs3clVEcnBhLzExclVac1M2SG8KLT4gWDI1NTE5IHVZ
aGZrYjJHeWFIdDl1TktFM1FXckEvenB5azlXNXp6RGM0UXUrRTkrU3cKVWNYZmZ0 bk9QYy94Tk50c1dVanNvNzhpYWNqeFMzVVR0eTQ5OXozMmp2VFlad2cKaEdvUnR5
V0d1WTVXajZpenhvbDlOcDB3MzQ5QWVMNzdsa09YRitTZHhCQQotPiAvby1ncmVh ZjhsQ1FRaittQXFkbnRZei85MmtWb3pXRVFsc0RzNzBPMXFMWQotPiAzSXJZb0RE
c2UgIyBAMUQgUmY8QjY2IDlpdQpHdwotLS0gY1g1bERWNmVibTJmWFVRZ3pwUVFE LWdyZWFzZSBudCBGIDklTWIjVnwgM3YvCjRVYUd2TForc0gycnRBR05MbU90QmNu
MUhLREw4TktCTTc0dzY5eDFpbHZFQQp5QPn4Dj0jrXk0YjIWumiMSLweZAYgWMqi dXlmQVB2bnZyME5heXlyMUdGTmR6SVd5SHcrTThrZEJYRlpnUmdmWnkKU1lyNjQ3
704Y84T+R9H6H59LUTrUBQ7LEnyuzrOwLq8YsPxk8iLl0MxiTHOZJJtZ6OlkG1no T0J6b3NPQ1FYZnhxTjFrYmN1UUJzMjEwcDBwSTJkTnlmeHl3WmFFTXB4eUVMWm9i
7hZCYrnyMNpFbgx4iaZaVp2WqdLcyPM/MaCKyFPNhSONMo/4uc52Hd3G/82pqWO8 NExUZzM2SHlLLwpiZjQKLS0tIHdqakpMSUNOdnlBcVA4RGJHR2d5QnJNT2dVclZN
LSmZFCPZqUacBHeO/Kn2nxhpo5hyNRCSX+k0 djd4WXBLSUhORktzZ2sKzMjxqL3UPrtGmXDijdfu0AwxLJooK7ZKauYvXWSuZUrR
vl5i1QPMEEBYEl+NaZIFgxAFqWpAXHQ1VxSijMWxNjKUd1Chq0tbLrpbh9wXJflK
SW19Wyqc9eTb8BnFoOSYWpDvAs2Lbyr2kJkOj2TNrwMv8nDJdOB8XIPlV5drCj1q
Dx/1zWqm6NMYxsep6eZkv4AzxA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

21
secrets/estuary/pdns/auth.conf.age
View File

@@ -1,12 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBLTUJk YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBrd0pM
RllycjhGdERQejN0aVhGRERhUmxnc2cwTlNnb05FOHQ4S3FVbEVrCkZzMXVUMFAz TGw1anJNaGoyQ3lMUis1cHVtRWFPcFFNZk9Cdm9TMEh1QTdKc25ZCm9VNzVQcUxE
dlhIaE9kQkpzZHlvZVJrb0x6TXF5ZmJ6aU9oTE9UTVpzZDgKLT4gWDI1NTE5IGtS Njh2Wi80RWszSU5NczRNcHpVYXpRMzJNcDRsdGxyWVZsUDgKLT4gWDI1NTE5IFpT
VmJZKzJxL2M5K0ZuWnN5L255eUw4a21naXB0ZFlSSEZXRUQ3VUp0QVEKd05yMGdD MEJVUkcycVFJaVFOUURoL29VT3R0MVJCWW04NXVRVEpKY3hlY1lWRkEKcENya1Jx
ZUlYRXlmc2hSNzZxKzJWbWorbjU5T1FYYWNvRDZoVWJ4RGpwOAotPiBTW0gtZ3Jl VnBCMVBrZkc4VDkvMnZoTllCL09vQ0VOZytuMnRvYVQxL2FldwotPiAzLWdyZWFz
YXNlIF5sZUFedQpFdlVIRm1WcGpiZDhzV1lVdDFUN0IxOGQ3RjdzMnU3SDJmdThN ZSBCNX0gIiB7InIsfCAkOT9uM2UKUWpSYTZ1dUo3SHNaUlFibTl0UDhTaFh5Mk1n
NENoOXlLZjFDazhheWtVTURkdVVMcUYKLS0tIGpSY2J2eDM4SHVQd2huWXBMZERI bFp2cjM5RGhqU0s0Qm50Zk1pUVZmT0R6ZjBoUG1EUGlKbHFzVwozQ2t1cWVDVVAv
NHIxYUpvL2ZwRllIN2J5UnRodVBuMGMKrj4hHa5abTUuU+XyvcxvuPYZly5IUUFK Q21QTjF3NW5UdTBZRldnL0RmSlV3QndHcDB0d0lvZ1RHTTByS1ZwNkNVQnU3WmVn
I76KkSLu/ATWrVyFCSqbyfE2tZ0qkbq1cYf3hLvNkOoBMQSJAn/3DLXiJFDVg8Au ZwotLS0gb0Fxb2FsYzgwRjJwSUF3ei9hZVR2Vk1ORDlIMWoyZ2RTd09hUmtvMWpD
LEmh cwrEjdaYfoGZ9i/S97xL9QvA/yii+sJLeuUzzv7a3DE661eQ5ezurV8Qz1tIhxWG
RsOppaaj1podFx3U1x7QQbLO6zQbJA458RMjYgc=
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

22
secrets/estuary/pdns/recursor.conf.age
View File

@@ -1,13 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBrd0dl YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBHNWg0
VktWOGhqdlB4T2Rib1hEekozL3pOYWF3YTJqcGRpYzlXWUp6UUI4Ck9neGxpTWFC WGRGZnlTdEhsRm96T0ZMOWx4UUxkTitJa3hMWDE1dVkreEtEa0RVClpvR2I5NGpz
VVI3UEhRQ2NDbWQvVUFwR3FOQXFaLzUveWNhcXJ4dzBQVTgKLT4gWDI1NTE5IHFn aUF0N1VZU05oWXUzTEI1TVBLYlVVang3Zzgwbi9teDVlQlEKLT4gWDI1NTE5IG4v
WXpHRXNHb1Q1MGVzbTRXbXhVeUlHaE1XekluR2Ivcm16WkxvTTROMDAKWUdrUWN6 OXRIbzhaZEdXc1pjTnRRWHVxc2ZTcmozSlJkY3lyOGtvd1BVeGprVUkKdUNqSW94
amRjSjErQTRxdDlmcHpkTUhhSm92VTRZblErZUFPSzdkdVhNUQotPiBaMSZdZU1o SUIyOWtsNU83cnVOTUxNR1BvWHJPczdzUWc4aGp1MjlpZm5ESQotPiA2KSV2PVx5
LWdyZWFzZSB5e1pUIDg0UmM+IlZPIEQrbz49MyRRIEVBMU13VwprUzlnMVp0ZnJP LWdyZWFzZSBqezVxOHc9biA+aD4tP20mXwpwRCtMUDhmcVhGNXpCZlFmSllpdDVp
VFJrL05iczJlZSszd25YcW5CWCtySkFaNW5JTW0xYWxPbHBIZ1dYN3kraHprMUwx SmFZelNhZnJlR25DS2l2MlQ3ZGFtdGxkZEdEWVNrRlk1VEZBRm9GMHBFCkVlQ1hp
N0RnU0dyCk5KcU1BWWdFWGhNRzViQkdkUQotLS0gRk9ORmhqeUJxcC9NemJZckpU WnhOTGl2R2s5RDRKN0p5TmF6Y0cyN3ZlR2pDZlhMVjQ1c0FJN3hCbFEKLS0tIEFT
OWh6V1RBeVJiWmd0YzZBQ3hCMHJwN2szdwpaTwj65x4L2fWZ4zne18OX+K/qMOCw bjFiRStXMmJueHdsRm1nU084dDRpS0tBT21ENzZFclJXbE11NWJETm8KyMHU+tZY
7pf/F1kBPxAMMJHn7foqchuygESUdGxR7N/e7kFfeoh7zYlRzal1DKbPJCAPKozA QELtZCbXKWnP8QC6V84JIFAxoRslACwsIJZpogcZO/IFIV2RGunGjCJk6QBmhOPV
7KWVyLI= kJXRcGO/ndYjWfuU0U3+9HtPocnO
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

19
secrets/gitea/actions-runner.env.age
View File

@@ -1,12 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGpJOFJBZyA1Y1Bq YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGpJOFJBZyBOZ1RV
WFluTzdIY2d5RmsycTd5ZEhaVzNVYmxINFhqL1hRSTcxbjBtRGx3CngzdEJ2NGhC VVpOZ0Jhd2x4YklMOHdkNkd0MEM4ekZiYXFKMjRIdXlZVDFkOTFZCkRreDZlK3Bo
RDBxMFRCMDVFamZvODJ1NGJCRzJsSm9YdCswQWZ5VlhUR1UKLT4gWDI1NTE5IDRV WmJ1MDBxSU5UYzRuUDMvdnpVc0prNFF4MjM0M1FaZmg4V1EKLT4gWDI1NTE5IEkz
amRveWlWL0xhYVJRdXZjU3F4ZDRtdVRvT2Nma24zRWtGbVBzL1BaamcKNm96c0Vq THNsVDVCbU9KYWpXL010OVRmNjBVVmVyVzhRZW5McVFJcnA3ZWJvZzQKOE1lQnVX
aThXOWF5Vit0V2JvSUt2TUtqMTc3V0RYbzdRS1dQUEgvcE1jdwotPiBxKWN3ay1n Nk1rWVAvS1lpbDEzb2ViUUE4RlB5NnJOZmNoUGdUMGNuMk1iMAotPiBuYVwtZ3Jl
cmVhc2UKcGlEb3BWV3dzL25PWEd4VGY3RmQyQUxuaEcyd2xURGJMaGpPM09kUHhX YXNlIHdYXzh3MSB0TyREIGpdTjheeQpJZ2pYUyt6UC9vVmRNZU1uaDdvR2ZUNG0K
NnJ1eFR4UGVUWFdBSUdtYUh4cXJtYgpCdGhvY1pBYThGRkRjSHowZk00Ci0tLSA2 LS0tIHNCRno2V21tZU9XV1UwR2IvZDdkWEMzZDI4V25Yb0lvdmJadXNEZFV6TEEK
VlA2MnpJM2FMc2pCTDRXVmovam9WOHdUbmwxTno3Tm1JZGFqOVo1U3hVCjPYbm1u 81uT8S3QJNe+mVadi/VpXSPEP0Ygzm0/+1pB5qqYlSQEWTHqS55gCyFCwu+sjaDq
7Da0EUA3BWCbGYa/UPa+EWiV7h/NczMRMW+T1CVopFf57t0sPbLk97JzUfyuJnT6 DpYTSm1JAk5ql9NRj4fJvCS53lJZ4zo+5c0iJKmuRg==
bxKMaWBOd3XTebxBxKOIj7UkbI5ql4tBlEA=
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

19
secrets/gitea/db.txt.age
View File

@@ -1,12 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGpJOFJBZyBoZ08x YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGpJOFJBZyBBOVJi
QnRrS3h3SXJ3MXZnRXpvQ0dTSWZjQ0NLUTl0eUxiV2xnM1pIUVZVCk83OVhGVVAv SXdGVDlXWmVGZUM0OTJPUWFYem5qZzAwZWxhNzhpT2t1VjdZU0ZrCjYxWUE2VW5o
aXJpOTA1d0JlNXdKaWFqS2phNjlMMTRnMFd4K3FKOXlodmcKLT4gWDI1NTE5IDQ5 cGFLZ3g3Y3BpUWlWOUtUYTg4MGZXVHZvdVV3eU9iZW0ybE0KLT4gWDI1NTE5IDIw
SmE1bnVSUnJMbDM4ZUJGUDdjQnM1V1Fha1VRYWFmRk81L2VQTmp3REUKMW5lZWRi QmxaWTY0WjJFZUd6TUxqaHhRelpRQ1hGZVBEcm43d3JYUVhpTWp4aGcKVzhJdFFu
ZEFSekhlTGhpZTZhbWp1T3JEaGRkM0xOTjlGT3Rqcjh2aDFiRQotPiAkeU9kfU5G SEhUUUZVNVk1N2tzekpzUS9RazRCcFBhb2xxbkhRNEwzVys5cwotPiBkeE19PHEm
LWdyZWFzZSAxCnB4UHFLQnN5RVB0M0xHd1F4M254R0NnWHByQWloOWh3Wm5IeDUx LWdyZWFzZQpwR0xsb05JVlFXQTZZQkJSWHY0akNRdjh1eXFnbmFDWUlCM0xLWXBi
WHBIL012RVVhSGFBSE1TY1I2ZXNqMWgxU2YKaWxadkJla2NERERPaXhRMDY2ZTJZ QkVuanloRQotLS0gZTkrT212MXdsZy9Kb1AwMkFHU3VsTElweGNlYkZ2UWVXRzkr
SzRvSzlPRFVUWG90WTQKLS0tIDM2Q00waEwveUlKRENZSWlQeWpCUzhXZXJrRVJ2 dnB0SHRnYwrveLSY6SdUDO+QH7WGniLIOPcECTQ7CiTj9lwD5Hm0rYLdvizolb33
czAvYWorLytUcWdzcVEKDHfSKAadS4AXkF3xsafW77DFS0UElUmmm8oTzhjEb1ww CsGX/kSEI2bD
R1V3R0ItrJoBnSuC0SE29g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

18
secrets/gitea/mail.txt.age
View File

@@ -1,10 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGpJOFJBZyBpV2hu YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGpJOFJBZyBrTW1E
WUFDdXNVVFAvNjNmUkI1emRMYW5nT1dNVk5DZmxlU25IeTJIV1YwCmRWcWtSMi9B ZDFSRXIwbXZXUlNJbHZCVjFzMzRxTmdtbDQ5eWVOWWp3SEdSUERrClVMeFRLOGUx
SW9HRncxNlh2U1JJSVVwczRQeGw0RGYrMGZUOXF5L0w2TUkKLT4gWDI1NTE5IGxG U0dmT2ZUUXlCSGhJdE5ibkZLMmZ2VmZFWU9PQXpGZFRPQkkKLT4gWDI1NTE5IDIw
NDJjbDd3MDdyUnkxYlNZOW9vVzZnNDc3S3RZRG5mbnY5djQvR2RLUTAKNE1sS1Zi VXd5N2EwTVdhdkRYeVF3c201SnV3TmxnUGpOZWY5bFJaQWRWMWxQVmMKR2RNc2pE
cnpNRjNOays3VmtCR1BrNSswaU4yeDhCL0M0Wm9kZ3M1V0o3OAotPiBRK3xdWy1n aUs4ZW1XSGU1RzM4bHZYQks2cHZWUkhZN1hob2d1QnM3cCtlMAotPiB0XENxMSct
cmVhc2UgeEoKNU5OQlNoeDdHZUFzUHpRYXJERE9xcHAxSWJxejZ2blkKLS0tIHFi Z3JlYXNlIC5LIEIoJ1w6Ci93eE5lMUxDQjE3dWI4a05wUE5sV2dWN21ZN2lFRThv
eVNOeVZYRFFacUdadUJ6S1I5WFQzdUVLbHdwUEtQS0tQTjBzRy9DY1UK6+dW6bqH YVJGNXNWaEtmbjVMaXhnemVuTXhOMXFtNkQvbGNuS3oKalZ6bEtGdHcxYnZNb0Zy
sM3s5t3A7D/ethY/paLr9cbbuM6FsjOFD1K1qmoVqt5z61dzRTcrfMtZsg== YnlGTDdoVVdyeTJpYjJjZkc3alUyV2ZGa0taeEFIYTdiRnZmYmRjR3BzNUp2Ci0t
LSBROCtSMzFNR3hTK1p5NVhGcFpqM0U0L0MwbWpzNUNTUWUyNEVXbzFFMGpjCnot
A6mYbp+jhpoyjZidXQfzLVcu6y34WqAfJZsfT6l5SJONVfSvSw+iP7XXW2T5OnE=
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

19
secrets/gitea/minio.txt.age
View File

@@ -1,11 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGpJOFJBZyBiM1l6 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGpJOFJBZyA3dDEx
bVZBQXlIOWRKMEhFR0lJVHZnNVIwS1ZmeldnU1JIRUdCWDlPN2x3CnFKVDN1WWxF SUw4QVh5T3QySHFFemo2N1JWTjNCSGRiS1lmRTkxVEQ3S1NKR2dNClZNM1Vwc3dF
ZXRpeFBocnRLTGFBZ21GUVBKYVZVV20wak0wUXR4SC9Hb0UKLT4gWDI1NTE5ICth elB0Unk1OWpUb1RQMVpSTUpJUDNrZzFMWkhKK0l1dXVBYlkKLT4gWDI1NTE5IGRF
R2dUVlQvcWZkRlJwV2h6T1ZlemZYcDQrYTlNVXcyOUZsaysrVTFwVU0KeGFib0dI TTZlMjdaamlwTUJzYlVkcVIxbmtybkFwakVtK2craXVBNVZraGZ1VlEKN2VvaU5r
TCsvT2RvMlR1WjlWemQ3Z3YxSlNaeVVKdWFaLzFXUGExbXpUVQotPiAkQUZsRS1n VjNRS2I5WE9kVDhES2dWTUV2cEVJaXZxNzRUcFo5blhGTDBaawotPiAxXCJQemxa
cmVhc2UKbms4d1ZlUGI5Vmh1TjNKRkpIY0syMmJGNEk3SXJvMStsWDZPeDM4b2dt dS1ncmVhc2UgcDphKHFVTGUgIUonYydBPgowQnc2Wk5yS0E1bVBCWmpOc25MWWs2
OHJFc25kMjZYYkRNZjR6OHlLVEZmYwpoVENzd3lBCi0tLSBKYWhnTFRicUtmR2Jn UTR1dVlJbnNXYUVJSkx5bWFIcmtpT1lPSVE3b2Zpd0JaTGZWcEtjelFDCitQcy83
cytTL0Fzc3A0VzFETkVybWhBVytrS2ZvUjBkVmVNCp4i4tW5lDIxFhvxvYT3MBfr bEVvM3FNTEhyWVVFS21tS0VQWG5OOHFza28KLS0tIEZZeUZwVGxUdEdtQTZuYk5K
fV52kb1gB+xg0acu4wlmHdiCvTVdbOG2pXdWSsjXV5Y= SHJaUDhHZ0JqbGNFSjJCaVlQTVo0OStkMWcKz/w0SnoHxnw71gr5DbXgMl59Kgjy
SW4tzNGeRcX2j4YdRjr77TP5UAzpQE30tEcrtw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

13
secrets/home/ddclient-cloudflare.key.age Normal file
View File

@@ -0,0 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpOcUlvZyBNalB5
RUZRNE1CTUJsbW1kSkxBSWVIcG1RUnBKd1gvcnRQVkZCUXFOQmhvClJUN2ltbnNk
T1grdVJSTzIyNTBTTGVEckVGQXdYNHdwOU5NbW1md3lGM0kKLT4gc3NoLWVkMjU1
MTkgcytxUmZnIHZ4bFZSS0huWFBDbUhNcTd2MFhvV0lOY1l3d3ZXNU4vT3dwMmlI
emhoV0kKcDF4M0FPK0JpclI5Q3Q5WGxpZWVYbHVWbkNWdTArclZsN09XK3VJSXc1
awotPiBYMjU1MTkgRjRCNVZmcXVnQnJ4KzZoM1ZkdWxYUkJTM1JuK3ZlRWJYdkFR
WXpFSmR4NApTbU5qR3ZuN0ZmbzIvMTFsMkdNSGJXSVlrVmZPdnZvcHFiZW45SW9I
endJCi0+IDEoIjlcJi1ncmVhc2UgJUE4IWl5ODkgfGVdLihEfT4gWCAreSduPS4K
bkI2Wm9LRGJXdW11aDl2VgotLS0gTENqYjZEUUZaWVZEcWQvWW5yTzJEdHRLeDJm
QUl5aytXdDE5QVMwVHZVSQo+aDbaGNOrz+hTSUQ4IAjDC9EfNwrlXDZtBqw8HkRv
1/Rr737scjrM7Bgt9zuKn6CB0zdeHTW5u685V2hCW/3aTy1eppWMWj3r
-----END AGE ENCRYPTED FILE-----

26
secrets/home/pdns/auth.conf.age
View File

@@ -1,14 +1,16 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpOcUlvZyBaejNS YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpOcUlvZyBFb2hL
M01lYlhZMWZOVUFsVjFOcWFzdmNGdWpnL0RwNWJDeThYMTBham5ZCm1lM1lVeHE4 MCt6c0I4Nm5SMFhEaWNZRTRtNkpYeVQvVGFVZzVqd0E3L2dZdzFBCiszUXZSVENo
cmVrVkZZQmxsSks0YUQ3ZnREV2ZSdGt6b3hHUXhvVzNWdEUKLT4gc3NoLWVkMjU1 cmxqdVFwMFA0elpFOGZoM3B6SW80MEhCNlJoRXV0WXpUeG8KLT4gc3NoLWVkMjU1
MTkgcytxUmZnIHM3NThSTEVUWG5ZeFNqMFhDWjNWNlYwK3RQcEhPcTdUOTFmcGlK MTkgcytxUmZnIHQxR2MrakZmRFJMcjhabGFON2xQU2RBSDNvRCtuV3NwNGJ2bjZF
cGM1ZzgKbDhuY1Z3N0twQlNJdTJYM2dpU3IrdThqTHdEWkRBM3ArcmVnNWQzYzNB b2lCQVUKcFNzM3paS1ZnWk8xY1VzVmdTWndMK0JCTU14bUJvM3E2bjR2TmlTY2tF
YwotPiBYMjU1MTkgbW9WVGFUMGRVN2duVjFHTkRqSStEUlpRMk81QXpGQ2Zzb2RJ NAotPiBYMjU1MTkgY1MrT3ZkN1pUd0JVb0JWSDByNUNRd1NUd2ZiNVJrc0JCb0J5
eXVnS2lqWQp5ZzhOQ1ZrazJSME11SXdNNk1ZaFdmY2ZPaHJnTHpEUjNBci9BSVRu NENrU0MySQp0bFpwRXRZcHRVdnN3eitkNHlWc0c0a0NmUjVYSVFXSVNFVHI0b0ZB
YU80Ci0+IDV+Ti1ncmVhc2UgMCZzTHBrM1kgWApGS202Q0NIUTVrUFVWdU1qU0Rx U3kwCi0+IHQmKm9ERFdfLWdyZWFzZSBJIFkvRG5JIC9ZI002bmkgNX1hQHcKc2l4
bjM3bjVieC9FMHVzM29aU3pSdEV2c2c2R2c2R2pkaDNUU3cKLS0tIGZuZy9udTdN S0N4YzgvK2xqZm1YVkl4ZlF1REVOTGRWOVZRQm80R2NnczlsdFlhTEd1RmVoNjZa
d3AyT21EZ00xTEs3cFVhSEZ2NnZUZjc3emtXY2lIQkZrN00Kn069S5Es7Rr8B2P0 KzlkVXNpbGZsNTRybAp4RDlIWmRqR0t3VjF6WVlSeTJ4aGZBd1dDNEpMTUhZenZS
F+JYJKGeqSyt7GzB8nd6DY53Bs1HCjAycYufcB5fx13efxR1oGNWHdZgDSRpp87m WjZCK0FZcXJORkJwc1piS1FvSlkzc3R5T2s3Vk0KLS0tIDFPODlkZ1BSWEhHUHJK
zttLbgw4rAVdRVV3wJjy QjdZOE1KcFNvcUYxYlFkL1FLNVJETTkySVNYRTgKOipmWGTV9SvGE4KVqgQqGw4e
CLP4PYlgdSmOATTIg32G/GVTM8NlvaII3q2GNS0Enx7Y8YwnwS2dGkYKVN3Da3b2
WJwMiBZRu/PC
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

25
secrets/home/pdns/recursor.conf.age
View File

@@ -1,14 +1,15 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpOcUlvZyBvSnpo YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpOcUlvZyBjbUF2
SkI0L1R4WUdQQ1Bqc0YrMUREVEV5YVFkR08xb1ZEMjZYbXZEc1NRCkZVdkhWVFJW VXYyVkRud3JFU0tDQThjQlVMTTFaaW5uTkt3K2dmd1pleTFOQm5jCkNUeEVqSXVX
NWhSekRmNkJFOFg0TG5yOE1KaU5QSnJmQVJDZmduR2tQU2sKLT4gc3NoLWVkMjU1 RGUxcU14Z04zMlRubVIxV0VwazhlZlFtTCtXT2dVS3l4b2MKLT4gc3NoLWVkMjU1
MTkgcytxUmZnIG5nVmZsTTA4NmdLUmhtQ0lLb3JHQURBbVk2MDBzek4wMjlwK2d3 MTkgcytxUmZnIG5SRTFOWWVIMU5yK3VTdkVtc0VYNnFkRXFrdEpiNTJIRHBvVnky
cm5VVTgKS29VeEhTQzU2WkFCN014VHpxMWtaN20rdkdnN3k4M0RvR21JUDJURzBl OHRyWEUKVXVvZlBBR0dsUXFMa2dSZ1FWVWpvZGlwcHJ3YXRscnBoaU1FWlVFYTdt
cwotPiBYMjU1MTkgTXJUM2VaaHFvTGV3Rlp5eWhyd2lESDJYR21RanpMVXl3dHZR dwotPiBYMjU1MTkgMWlBWCtSU0I4Q1I0T0JrZ1ErYzlHRTZsUHhZQkpYQVJGNnFy
VDlsWEkwVQo1b1QwU0Q3V0hMWktFdlozZ0Y3cTAybFZrWVRONHNyOUs3OFB2QnBl U3ZPeU9RTQoxaGZDYnRaNjBRRGQzMGNsTmZwcjhBRXdLeEFqVWxoT3hNNHk5cU9C
ajF3Ci0+ICpzOG5KLWdyZWFzZSBJJXBxIFAKODVtZFNrcFNuTUFNVEdJOHhubTRS Qk00Ci0+ICF8Q0EuPSIhLWdyZWFzZSBKcCp6MgpaTXQwdEllbmhRVDhOQTdpb0RU
YSs5QXdyb3VjUFdlTkkxMUNJNnY1bHVDTG1UOWFJa1VWT3VlbnFCUVl1QgpSeVlF T1VGZmdZK1VEMWdPUXduYWQ2YWx5aDFTQ3ZzRnRWbFRGN0lWUU5iQWdPakpZCnl6
Ci0tLSBmUENxdnd1d3djRkpNTTQxc3UvSEJyQ0NKd0pNNW9qT3VVdExBNUhORy9F MnI0SE5sS0x2MUZibW96SllDQVVOK2grRldPOWo0VSs3SkFUN1dqS3RqTTdPZG1M
CqKljzlqh+iV4+JjxyAVvEgyEBvemzDulwTNgSX0QByuEDuHMg5LrLJ0xxprVkhF eHI0T1BHK1F1cWlINAotLS0gckFnWkoydklhWHZhZHBkSkN5ZmdadVdiMU1QOUZW
VDclljFdxKchzSZUHIHAns2btW6+U1WFvLd6KA== VkJENWlHVWNXcEVsWQqYscIBmSi//ev3IN2ax0Ei7p8Atu4nYQui7yoY/1fiyGQL
DB5+R9Dm4YUNHt3bjrBYclLohDGdLUnOB00BXUqNmlLm4psL4Ey5Go8=
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

20
secrets/jackflix/airvpn-privkey.age
View File

@@ -1,13 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhNYTRudyB5bTla YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhNYTRudyB1N0V0
RmdoZnd3WXRDd0hDK0c2ZHhyKytFM0VPK3BacEw2MjNHcHJoQ0VrClhoellSMGNM UW5ZKzQrSlFUMnR5QUE5N2Mzd0FvK3JCeFM2RVRtUklVQkNkU0dNCnJuUUxjQjcw
VFN5RGlPTHpEZ1NmVllOYkZuM1RLTkRBNmdlOHJqb0JLQXcKLT4gWDI1NTE5IHA0 NURFOFRWRG5WSnBPT1dOVjFNQWZVUjJUSU9WVTExeS9XZkEKLT4gWDI1NTE5IHdq
TThaNlZHNjlNeVZDUys4Zk5NbElFWlpRQjI5TWU5SW1ER1FoZEFhMlEKSm1EaTNa eDhJSTZKN1lQRXNaZzNIWEx4NTZINzZpdFRPZWJGcys5SUV6bmc0Q1EKeGlqTjF6
NW5ZUGZqZWxTRDFrTlJ4U0ZlRjlTYk9vZ2JnUTBxS1BZM3VVYwotPiBPeXtILWdy b3Y3ZWNhcjF4WlpOcXh1OHBucmNCZmp6VTI1MXRjN1FlNlA3VQotPiBtQ01Dey8t
ZWFzZSBFSSAwTFA/ClZDV3V4RUhlSy9JS0liYUc5VlNlZUVrTFp5WVV4aXV5VlZ5 Z3JlYXNlCnFKKys4Y0I3RkE3bzl2NDJ2aDNMeTRTUUU4dFFwelV3SjVReExnCi0t
SzlJWERpNEo5NndiRm5aUEpvdVQzaFFnYXF0WE4KVjh6bUdLMU80ZmlNM25PZzlL LSA1QSthdHR0cVE4bXhiczZqUTNJdzkzdnZ2TEpESWwwQ3BWNnoyNmp4ZXdrCl1g
ZHFoVVgvUU5FVnc0ZjltVGtIWWVrM0VnWlYKLS0tIEh2OU83YVJlQ2ZkdEJxVUlU oNwCvlTrPx5b5l0OUymxMo1HMCV9fsQ9zyaoJoPFN1hv7l4hjjX5oVoj/IdTJbbe
ekthYzVMaklZZmVhUmpvcy9FdWQzK0t0WUEKeNxuqkWlgQB2t+I/qGYtpYCrQpF8 ZMs1yqa7YbR4+HG9GG8nPhU36hchSN2whoz8
Y9yU9W0U2QJywb9uFEzrhVgi+rfqczieoSLAYUzN6miCap+AnrrspK0csCNzAqTD
BtxHihG5BF8=
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

20
secrets/jackflix/airvpn-psk.age
View File

@@ -1,13 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhNYTRudyBOK2F3 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhNYTRudyB6dGZN
N3hYdXhkS0lrRUg5WDJVdzdMd2NpVU5CRm54SGZtQVJ5ZUp5V3pVCmtUcW5GMVBu VDF3ME9IWWJMQUVrbmlKeXhZbzE1THUwVWhBc2ZBQXdUUkpod0FzCkVncGlyTXVv
OTNKdWhBL0I0MVFZTTNKOUZNR0U2M1pDMW83TDBsRy81dU0KLT4gWDI1NTE5IGRG bmxPN0F3ODdvUmw3Sit1cERNTXN6YWZlU2IvYUhoUThER3cKLT4gWDI1NTE5IGQ2
V25jWFczOTh0VGRjTmE0V2lDRzVKSGl3NnZtdFZaZitxSVZvVERLVXcKQlJUbWxr RzdCWUw2N1BHWVhiOGhvNEdzQVlUanR3emdDV3FUTFRXUDB3RDdrMmsKZDkvWWgv
QldlemNHeGExVmE2aVh0aFJhR2wrN3ltSm5GOVEyT1UwenlSZwotPiBVSW43Qy1n MFZhbHZtVDVQSWVEQ2NxQUZrOXFMVmYxbEU0STFJTVBzZm16ZwotPiB+Ty1ncmVh
cmVhc2UgamdvLWAgM2h9bC9iVSArSW4gI35KOiNjewpvdTc0NG0wQStlUFdxTHN0 c2UgMnpCPlV9ClY2TzJGcnBrbUJTU3lyNVlrNDdwYTd3Ci0tLSBHaU9ZVnZoUkx5
b2xYOWFqT1NWeFFpeVMyeEl3MTBOZWNiN1hUeDNQalh1MytLcDZEWGtnZDlYNHpP QnE4UXhMdEg1elE1dDRoQWx4bDhBMHNwS1BlQkRaUm93CspT9YnuzfpKxC9y6SWJ
ClUrSk1OdkZsb1JKRmZyNlhEUXlxSHY3YkdXSUtoaTliTE5TSXlkVDZSSVVyQ2hK JRyT8aFEJTjoDEqN2I/DBwRikSxKyspHi7grCwFaoofylqJzsP/In7Xlf91xbMXz
TXM2N05IVVowYWNzdzdhK0MKCi0tLSAvQkpKSS93N29rSFdGTS8yaUh1dy9KTjM4 njjXbBQQP9PG3Z2c0OHk
TDFEOXdUc0tRUWE0TU9NUmh3CjUGRpG0chZckclsVNpQUDQy7S0Ik2dMHKLzEKjM
Dv8NrzjJs0kWAlOt9pLv+37ider1q+PSp2J+lqEEbswLf2xaQt0rkZXdSr/3bG1Y
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

20
secrets/kelder/acquisition/airvpn-privkey.age
View File

@@ -1,12 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDdXUTlQQSB4VVc2 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDdXUTlQQSBaUm1C
bGZlMmZtanJhN3NHeGpndGdsMVNKdVRsL3plQzF3MjhhWFlaU1VJClpmM1REVUUw WGJDSUNtTUYxbHVnWU44VkRnY3F6cTR0Tm1EUEdDYmltWHBrL1dvCnMzSEFqZTdS
eFA3eHZjWCtLWFdjakhpeXpYZ1dWSHErejNaN05jMWNQQk0KLT4gWDI1NTE5IEMz K25tMkdkNEZ1dGhBMVhSUkR2M21EY0NtbnJjb0R5RVoyTDAKLT4gWDI1NTE5IHhv
eWFMQnovc2pVWFpvNW4rY3BuWmo0emc1RHdOUjdOT2NtenJGYTBmemMKa1d4VFBG RlJOd3dCa3ZaeE5JS0ovV3ZiY0N5QThNSi9LaXQ5d1JIa1UyeVFJekUKd216RGw2
bUQranlrcTkwcXhhWmpvd0t2ekxmSnNQZWovU002d2tMTnNmSQotPiBmLWdyZWFz Szg3VG1PWUVweE9udFpta0gxdWx1NEU5ZmNwK3hMdHdZNlB6SQotPiB3dlxKIXxG
ZSA/R3p7IE8gcTxBI0I+WQpUVE1DWldzd1IrZC9zWitOb3NQZlZ1eFNXZy9SdGt6 LWdyZWFzZSBCLGsgWCU+UWwKWXVYQTBqVkRMKzNsU3JuWmlQdVpzdWJWcVdwVUM5
UXFGeHN1WU1FMWxjeG16WVZjaWdWV2lSZUhBCi0tLSBISjNVQmt6RWYvdFJRWmFw aHpmZFVPbWlidHJEYlN2M3NvUWNqVgotLS0gZHhwUlE3YXJSdHFkdFpkTnh0bC9a
SUp4L2RpeERXK2txTDVvZ3pPUmRlaVJBcU53ChdRO7fcT9vwWgVxO2sDWjM4KPXG TytZcmtxd0pldUg2YUEzMFJ4QjR5dwqaUnjT3oaUunudOqNfh9twKyaRttf4sk9G
aaYzwrV0YuhNI0/OB0wEAWlPRYmGw7xXeVNQUDgyCu84pGUt5OKC6ineOvSKLmb1 uiiKoEa314HbI1vgS4iCNX4vG+468SECiF9llZL9U1w+1MSF1y1BKy7XrDCsp7Xs
gQjpofJQ0aiW HiA2aA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

20
secrets/kelder/acquisition/airvpn-psk.age
View File

@@ -1,11 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDdXUTlQQSB2NGxY YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDdXUTlQQSBIdGI1
NnpHM0VuWmozLzdBSHc4UVMrb1JhWGJaYTVEVndQLzR2ck90M1M0CmR6VzZiRGhs UVl5bVN5TDUvMTRuVFdpdG9lSkRjL2hOTHo3OVFxQ25IMDRlRGdJCm1oOEM5Rzlv
VWxoNk9LZ2RSY1NwTVRadTJLRXlDbmU4TE1qZkpOOWJJd0EKLT4gWDI1NTE5ICt2 cUljejB0aUNCS0x5Qjh1Y1JWQTNmWE9kcjF1ZktJVUxLSUEKLT4gWDI1NTE5IHBN
NUNoTlYzazY3Qm1HY091Zm5samFZQVo5RmJHNGxnWWtpZzFxanY4eTQKWENHcXFp Vm4vbC9GcUdaYjNlWEg0UUVTVVVHWG5VTnVPRFBkUXk1dm8wWlF1QU0KZEU3dXFR
VjlNTUQxaHBLbnFLVUExZW01NkppZXZkNGZtd205UVdTeHVSWQotPiBXKHlSLWdy YU5GalhSakF3OEduSlhuYTN3SVdFU0NrWmJBZThvN1BGU21TUQotPiBdLVQtZ3Jl
ZWFzZSBycSBUUycKcTF6TURtYitTbXVzZnpONFV0aHFUZjRmc08rWE5HcHZYdwot YXNlIElWPzRFcicgYVoldUFzClA3M2JUNFU4T2xSRmpyeStMQjZNa1I0bmxLSUdj
LS0gOHp4U2w4MExDcjVSRUVMeTZ3b0RiM1Zpa25YVW9ndkxlbWFNMFg2RlVKbwrf NGN6NkFvbmJEVWJXSEhCMjhkWjhyZkZPRyt5N2diZDI5SGwKczFsaEZXbDljVGQz
irm/8ZQMmH3U5gwwYXLyBRn1PPntePtHW66Hn9StQaUSJX81+KaazppMBsHXkg1q cnpMcHpPdTBPL0hwb0t3dE1XNURWckVEOFZmQwotLS0gbmQrNm9QQkpxTnYzTTFt
3T/qvw5eyFiWorLYm3IKUqertzUVyO3ajsBCdQ== bHU3WWVDai9BY3VSaTB3NDN5bk1IdUNiMWk4NAqyrvPkq+FP+fSs9mZMgxLTJICD
5l8Ii5h9fl2APzedygOLFGQLq0qW7pjBygfmQWgG4gqsO4iKIwEjUiv30/QCUhKL
CGZJpN8AfZAcow==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

26
secrets/kelder/cloudflare-credentials.conf.age
View File

@@ -1,15 +1,15 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGdTeFAwUSBSUHcx YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGdTeFAwUSBSdmly
NE9VNmRvTllERXltV3AzRmJRTmNiWHpJQlBOdFJYMDZPWGlYUDJRClAvd3lPTWxF aEtUTHh3Uy95ZGhEcno5VktOcmlWYzVqUTE1MUs4NDg4WnZBT0Y4CjY2QndadEF2
bW1nb054Tld0RnBoQW5udjVCNndJMHJjYWdMQnIyblBjYWsKLT4gWDI1NTE5IGZR TzF6TlJxall2cW4zeGltQVNabUJkcWNCUDRwZXpjYXJubVUKLT4gWDI1NTE5IGVL
YmJ3ZHZxLzVsNFYxM3JtQStlNHp6LzV5Mkl3T1E1T2ora0JINEhGbTAKeUpUUURn N3dkVDFuSXdXZTFCVStzSCtCRUJGWUd0bnNGdnBhUlIzMExSNjBqWEEKOUdvZTlK
SnVTUEloSzg1UDB2Uk9IT2xBNWdWelhuL0N1dXkxS2U0MFgyUQotPiBDY21jQXYt dzhyYWUzTmFzbnVxRTZRNHZ1NGFXSkJ3ejM0S0JCTGNpcHVzcwotPiB1dS1ncmVh
Z3JlYXNlCld4aUliNVpHSEs1U0tMYTFCZVBwa0s2THI1VG5ucTVwWkVxZmdsUDRD c2UgY0NxK2VxdyBdRE8vQSV1cSBcIFw/TG8jQwplZk1ZeTAzUnZJUm1qQ0VxUGpU
aVZlRCtIcmV6Zk5PZnVQQ3NnYllXSXQKT2NkbHdEWG9DWkorCi0tLSBNU0QrQVND NU1waVZ6OXF3NXQvS08vblYvRDl6TzF4RUhvdW16anZWcXdORTVnCi0tLSB6ayth
RFgvekM2V2FEK2FTdzlRL3ZKSnM2dStQM3p1ZEVjRWo1NldRChP+Ju3pDMe5N2SO aWRVUGgwazBMSUk0MEdETkhnbURkbEZXUGNCNnN4OUdPMXpkelcwCoil0uw2yDNc
TxQUx5lg5gTtSXD2U43xREso9QEJVAS4BaQmkwCYo3vAFToRHNaR5RZiZ0kyoofC mOUMhVzALll4DgCX/MskwCdYohSBnMpSzqtltAhkW1aqdbuU3PC9LHQElpuHqpl9
f+bH5XnoI9h+CdaCPT4poGVGz9sGWVGo5XOnIWS2Twlg6OGSgbD4lkVTmBoCcx63 leNTu6n5nU5BHQ5qWShedL1G11SRzcblImwUcyg10d6Z0nUoCUjmw3BnGQ2wwvhC
vR8ajFOeY3b8Tjx58LrP38icCO4OF3plp8VMhckqq3e1LCCiX/5V35mUqcxjE8Jc M+GGeb9X1ORRciqprtTq1WXWGG3tYgL9SjTAEtyMhAZ3CFjh3p4BdC9pVhCAJ9TA
t6LTpi30wes3ppXkKp4IPMRHWXa0gWex09YpSxXtRrS0yZ327tJHZtD66OoUr8ve tbRAtqIz8VTzG86G4zPJYzBwtAse8tJDEO40GUqcOsmXhmPPpd7je1k381+GVrMj
KPEXqd6AtCjUk6MaExsYPnjMnB19BxMAMFAkCNPbAw== q2g2gTCUOrMryVRX/7+H2iRxtIxmhqESXIWgY5SIUv9uRA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

19
secrets/kelder/ddclient-cloudflare.key.age
View File

@@ -1,11 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGV5cTNkZyBmV2tP YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGV5cTNkZyB0blBa
RVEyZzNraUVRZ1hyTm8waTA3UVlLeEZPeUFTU2xoZ2N0bk9STkV3Ck5qM1VFeGFp Nlo2VGUzZzdTNW9heXhuUTJWYi9lWkl5WEp2VXcycExWd3FsLzNzCnpoZVVHaUxK
cDFVQ3lhWHZRVVZIZnE4LzIwb0U4LzhRWjBzN3BKaEFVUTAKLT4gWDI1NTE5IHJm aHAxVmxQSkJ6a0JnSFpkdmRzLzl3ZktwYy9yckFSNGxzRWsKLT4gWDI1NTE5IFhl
RDJZRUxIQ0FwQi85Q3g4dW5BSWY5QURDOHJBZWViOHdybHVEM2lGaEEKRjIzVklv RlR5TjJoUVdScjRKN3hDQmg4aDJpSllnd25WNmlVVTU4SzZRZEdnQ28KVGsyVHN6
RllPeTNKRmh6RDBpdE9OUEVaa3NLUFRTWjVjcVB5OFl3bURmdwotPiA4OiotLnEo TmZyV1hSbWZqWUtYNFdEQ0FLMjczRW5HSWVEaHJidHBjZzBZTQotPiA/by1ncmVh
cS1ncmVhc2UgdyBWXzZKZiAsVTV0ei4KUk5KTnlZS0VBMXNYZndFQWlpRzBYQVQ1 c2UKUlJ1V2Y1eW1aNG1CTkx5VjZlREt5VkJjOVZoUno1T3p4WldSUTFpNDBXb21m
MmRzeVc5TDVwSVpsQmJ4YjN3Ci0tLSBUczhhMjRMckV1amhkdFZuY2JCR2dWd3Br Z0l6eGZKaTBqbjRiTTRybnEyagpxQlRIZldEVGdNblRrZkMycFljdkwxSjl4VHcK
ZTBFWWFxai8veVFydUVBV1I0CirnhmVgavdnHIgL5KQTwjJcQ1RVvw/RxXonq9Gp LS0tIDV2Q0NHeGRUblhCc3JUenl2bGhueER0UnFkcUZNWXR1c09QWDI0R2FkdXcK
7gpCvmnaV/iucS0myKREF//irXBz9qZG6DDZpvvIHMDsdliMAaAHWvE9+Dk= 8DfpILM67mlC23bKjt2hWfpI51JvTa2YBEvHwHDuaaZBw8FIU6E8s77iyjTysmsw
vmQwTrdoUPhfLHXspjHH1GGObwOxvdw/Mg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

21
secrets/kelder/estuary-wg.key.age
View File

@@ -1,13 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGV5cTNkZyBqalRY YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGV5cTNkZyAxUzdG
bU9WQWM1dmxOd0ZDWGNaWFpKYTlncnNsWGE0Vnc5OE93ZnRvV1F3Cnh1SEFnQjBT dG9ZNkpPNGlreWxRMFlPQUdFTk9FZ0kvVjNhbUNvMWU4a2krcmcwCnl1Vk1PUS8r
RVRVOWVKQjIvQ2o2b1BEZThFUGZ5d2xvZCtNQXlpa3VSajAKLT4gWDI1NTE5IHY5 S0lveDV3OVphc3d6UDdLKzR4ZjB3RUloRzE2Zis3bjhsL00KLT4gWDI1NTE5IGVx
cFJBMUM2S0tSYXlyVHVUOGhuVStsOU03SDhvWE1pRFVIRTZabWdQQncKQW5OZ3hj TEMzdDRDbFBuT0c0V1Y1d1diSUVYMEw0dmJwcG9WaWQwcUdMMEVtZ3cKZ0x0OExq
bmNjWFc0T1FkVlpGd0pVd3BncEhRSDdyTE1SemFRcTlEMjZtawotPiBmcS1ncmVh REFEdlJPU3o2WTlUQWU3b1NxcnJ1ajRRNkhxR1lxUmNpM1BLZwotPiBrMTREQ0lb
c2UgLSY8fCggNW9PNiJVCmVCcFl3QlRGcnVLZ05jaXE1WlNocTFRcnR1NUtVbFJp LWdyZWFzZSB6TSp5Y0knClQ3V1VFY0dzSy9iNVdkRVZYU09yWjhONXkzck9VZVpC
d3F2L1NBMUdUZVJUeEJ5T3NjNVA2MDFHTXBvRitIV00KQjZ4VG9VemUzZ1p6d1ln THh5amMvTlNLRDN2YUh1Mk1ncFcvZTZJZTRIRUlON1QKUzVDTDJJVk8KLS0tIENE
NFdDT290K3Y2QXQvK2NTMmtySkxPcTNzQQotLS0gQ2lCUEhUVlh1SmVlaWhUOXl1 N0ZzdjNnTER6ejRqZ0Y2WTd6dUJOaHJqTk1HT2U2TlkyUnBPTFc5WmsKYcIKEURp
a1V5NjBTbG91U2ZJUjQ4Mkx5TWNDZTQxTQpBl3ECvYohopb+98O3ahFfh5Qnqsa2 YcoFwU+gxq7BQlXo5LJDIcB73HPeerPnKYpfdyXFlsdm8mv3IXPEabSPwSNHXGIx
6rOdnP3KfsAPXqtbFmbVqKHeLtvlaxt/gUj2YcGHUcpI7jW92J5hbHsB4gJj1jz8 BdinoqfHgAjMwptksMA3iIOWqp1cF6E=
PdogwYfHKQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

22
secrets/kelder/htpasswd.age
View File

@@ -1,14 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGdTeFAwUSBROVVR YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGdTeFAwUSBvRWE1
MXJkMEJJR09udytTU3QvWEZnMjFWb1NsZHVBYXZXUUd2Z0hZaHhnCmVRT1VkSVpR Z1ZpNTFjTnluOUlPMldCQ3BzQzdVaEw4dlZjc2xuMkhGWlNDU1ZZCjVGNk9PNjNS
QUZ6MS96K0QxeUhuNXU1NHBVMWpudnJOSkxlRTRCUjhZT1EKLT4gWDI1NTE5IHhB elNlSzMzYUNOQ0dzYkNFUDlxNlg4S3BGbXNldGN5eWYwZTgKLT4gWDI1NTE5IHp2
MmYxeXAwRVgxcTBpVXdEdElzSU4wQkdMV3UweUxqemVQNjIrTnVmR2sKc2xrQWQw eDFPZ0VadjFVZFdVMXlYd3ZFRXIyeDRQU1dMV3ZEWHJEaGxOSzgxRE0KVVpvVnFQ
TnQyYkVDSmljSWFHOUFQeWR4anpaMEpZOHpNOHZDMjM0RGlhYwotPiBwK0YtZ3Jl WHhpWjN2Mm9TV0EwajlyRTg4TVIvbm0zZGFBVkJqbkJTZEh5RQotPiB6QS1ncmVh
YXNlCis5dm9Oc1NqQ2hlTWR2NEtwNFIreHdVbXNlSnZoWGUvbWREK0VSdk1CYVNs c2UgdycgQmJMCnVhd01JSEpUQ1U1Q3o2Wnh5UQotLS0gSkZwd0tNTGs0NkFiY250
c2paTEMzZ1R6NXh1Vml4ZURBRmQKaVB2TGVieFdjVWtXSndmYi9qcTFld3IrblVE eGR1WXRLTWhzWlZOaHlGaHQvNUh2MjNDUm8yWQpH1cWbszmSTjpqz8Wyrt6g2TNP
bzlZUkhpMno4eklYZUtuQ1p2RkNuVlRhK3VRTnFPdG1nTEtjWgp2YmxSCi0tLSBZ rtCRSnfw7UcoMh2oW3kyYcQrwf/sAFAHLNMh8oOWoxrKG1vtPxpOz251hlnee8JV
NjRPY1YwQWhwMEpRcVVqUjdPOGpjL1hUN1pTWWhWbjVPYWRhNEJBVVdjCiX336fQ dIZ/2Gj/lPXDFTkhmX0TfABAe4wPJlM2wu9pj70UvGnI1osR6avrpYr9mMau3Ypm
uUv/N211zQADOvYuKFaW1VWgHXI8ppxAp7KZFNihgQO33iVQkcRzMQhhpIhWxtAS Ucix6cE=
z5tCW5KKXxVGn22j1kOgDs4g0Z2yieTWHI3tZ0D+LCvaWX/K6XAvu3U3lEPhXGSt
51vW+2NVVXYNBfieqKMtNb8VQg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

19
secrets/kelder/nextcloud-root.txt.age
View File

@@ -1,13 +1,10 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGdTeFAwUSBMaFVZ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGdTeFAwUSArMzRH
ckY5b1dWc3BXWnJSSU1kVWhrUnZBUGs1ZTZvVlBaQzQ5a1ZkQ0NzCm9QNThMSzVs YnRFQUNJd0dRZDBEMGJZeitaS3Zaa214c2FnakxMYVVxOW1xMkh3ClpSeEprOTBW
WDk0SUNLN2pUdzQxOWhuWDZBRkxGZ1R4clZnZFcyVXJTbEEKLT4gWDI1NTE5IHNo dk1tRWhmUXRzeWpLUm13Z05pTnhsV0hCRk1YUjJQMTdDQ28KLT4gWDI1NTE5IGQ4
YXIwU0hqbmxZMk9qT3NGaHhYQzNrQzVKRzBkdEtqejBJUnhxb015Q2sKR0RWZnNl OXBuVkRiS0lRQitweU1TRURzK1VhY0lnWFpZRGQ0aG9yOGhsa1JnUlEKUkU2VUhr
ajRoUWpDbUpjTkVESllmUE14cHJaVHZIQjZQVElDZkIwdlNzYwotPiAiLWdyZWFz MTc5N2tkdFYxd1RUemk3MFEvb3d4eHFaVU9ycEhBWHk3QVRwZwotPiBbXGVcI3J6
ZSA8TzNReV9DKSB3bCNqSiBaUnRHIHBbS31fCmxOY1JpeDg2YW9zc3JNNkNVaGdO LWdyZWFzZQptTGx5SmVNM0FPMHdGY0NQK3AwCi0tLSBwbUxtKzMxYTNpdUlPc3BZ
VDMzMjlPd21UaEhHMS85bU96ZHJSdThhbndWbVBFNkZtZGZIcWFBcGFlbzgKSTZy V1N2cFlyTkZvYThES2wrZTdHTy82cXVoeStJCk0ed1c9gQUw93efGmqJDQ608cwj
N1NaSzk2Yjg2RldOQStNY2Y4UU9LOTdVTDQrcHcxQlZrZjIwbHVzS3NKUQotLS0g PDVTyJ7erVlArctJkTKOx57QMqWzMSEGh7O196SceZEv
aXYzL1ZuUkYxd3VRV0R1c2gvQ3BiQnQ0TjZxWk5nTllpRE10cVBPdlNOVQpp9eCD
uw2Gd47si4im8kx48dqRMLg63xi7aHlwfE6mr9szrZDFl8yUMD2/jKNJrXATJcnI
Yw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

29
secrets/l2mesh/as211024.key.age
View File

@@ -1,15 +1,18 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBlM2tx YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBUUmlu
bVhHc2VYOGVHdkVuQmFFbTdheStJMDBjcXdUVVJCNWdVMkpUaGdrCnBpYTF4MWNo VkJMYVltVTZyUnh0aXdZZzduSEl0ZFAxb2lIb2F2ck4zdlBjdFZNCm51RnV0M0pi
SDZqVHdoUm1HQXNMdGJrdmhrV2ZFWWx1QVVoa3BnUVc4aUkKLT4gc3NoLWVkMjU1 VkVaZVdOMWpKOW43ZjhFODgzZTJ2c1F1eXc5WnJvMHVZUGMKLT4gc3NoLWVkMjU1
MTkgWk5xSW9nIDlFRFhpT3dEVG81Y09zTHlDNmJFNGJLcWtBT1E1MXpJOEtXdEd5 MTkgbjhDcFV3IDdhNjB5U1h3ellMRDRRQWVkQ3hNcVQxUnQrbkQ0V2doR3pFWFRI
NXBOQk0KQ3p1YzNRSk8vL2JXeTIxSnl5Snl1MU9KSWUwdGdGSk53d3h2QndMc2h6 RE9xMDQKTUh2bXV0eTdvRmhmTVVaRllRcEpiRStnSnpMeGFpeGt0eEhvQlZETXhi
bwotPiBzc2gtZWQyNTUxOSBzK3FSZmcgVmhGL2JJNXN2OVRzdzJIcEpmTW9zS2hH awotPiBzc2gtZWQyNTUxOSBaTnFJb2cgUW03aXgrM3FWbURXR3o0ZkZsUE83YVk1
aHNzd1VuY1A2RE80a3N0Q3psVQpnWmtUcTd4NHRyR3k3dnhmVzVaRTlJMjVVOXoy ZzkwZm1JdC81aHI4YVJOdWQzTQpzS1dHRFZYeHV2djVFN1Q3MHdhWVl5WVc5NExy
bTcyMmRVcU5rZFU3TUZrCi0+IFgyNTUxOSBVUjRjNXByVmFYdjdUM3NscFFaaS9W M2xEckFMTjFvTWI1Y3BrCi0+IHNzaC1lZDI1NTE5IHMrcVJmZyAwQ0Z0a1FHU0lV
MzNFb1B5U2lXM0wxcmpreWVSMFc0Cm5ITVJadTFrTDJGTVhvRHZTYk5aa2YyNEJC VEFmMFpsNXF3Z0l3eTkrdzRZQ3lSQUg4MFhPaUNEbGdVCnFuVEhXWDdndnhxdUtV
UktWSGpZUWM4c2dHdFJGWTQKLT4gUz5eXnUtZ3JlYXNlCjlKZURvRDNidWRuc0Rs TkdRZnpFTGpaZDNJalI3b1NHUld2NEV0TlphK2MKLT4gWDI1NTE5IExObHUwOEFT
WG55VmhiCi0tLSBzbnliVkpkVUxRVlJmenFwWGpjdnZ6dzNFdStqaWh2dk4vSTQz bGl4S2F0YVdHaGFnRjdIQ3VDeVFDbjh5SFpkczN3d0ZuQUUKSEFvdTIwSUhvd0dz
N1RHdExRCj2UQ+zo5APubLuTDgV5TY91CZ2cCSWwggEV5T/X05HXg25u8uIZ8Fta dDdBSUxDOHZaNkNLL0x0aDRCS1ZORUsrdWpJS3EwVQotPiApcDQxLWdyZWFzZSA5
yh1exnKcLTUjS+9qFgIyxU8MWlcGcZboV0DpfPjYma6LdokZ ZSA9YD4gbWMgRH18eXd0YnkKbmcKLS0tIElQa3pEcVhtN0N1bW4rSTZ5VnB3N256
bnM0OXpSc1BuNmJwZnBremRIZnMKhN29J3s+Cif3jvx63Xay77CdC6uVhjsojdbF
zhWad9vPolrrbEiNkhcdrutyTRniFBUEwxQVGmAxcEySNTr3lnWnWQFagphu3F27
zLs=
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

13
secrets/librespeed.toml.age Normal file
View File

@@ -0,0 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZGY3c1ZyA4N0Qw
bFd4Q01yb3M3M05Ua1BPZjNsK2cwYlBuSUM3TXRaa2hPU2wxb1hzCnhoTzNMYVNT
bjRUTzFJdjdZVG1IVWJNa29PNjVVQ2NWbFdnNWNjcDk1bk0KLT4gWDI1NTE5IGVu
d2x5N21ZaW5MeHBzWkw5QnV0SUNiZTJBVlhXOFZacUFJVktNQXI4MTgKYmxQYmlC
YXJvYjhKbWVZWGRPWWh0eTlIZTJPSFZTZmt4UHJ1M2thNHRCMAotPiBvPls2N3ct
Z3JlYXNlIGowLGEgUFNKKWljTX4gInUKMkFwNGRiZUJCbUZhN2Z3YnZnZ3Nna0tD
UCtrODlldWZ0Rk5INmxTd0tmTGx1NS8rQUtTdVFwSVROcjVqeUJaWAplNWd3SUR5
MjRzeXlyemtka2EwdVZDTkowTk5NMk1rdUxCdkR5ZUJOCi0tLSA4bWVKMXFTalg4
ODFIN0hsTS9lekdWZVI2VTNKYlE3UzhXNk5nM1ZCMlowCn3ZLml2b8qDs+A2W8Nn
YGCfDV+aes39ef/2wu6EMISradXZQrzhSj8JHn7HqsarqSQmOhYP5juawEFxAuZJ
kUc=
-----END AGE ENCRYPTED FILE-----

Some files were not shown because too many files have changed in this diff Show More