diff --git a/flake.lock b/flake.lock index af034e9..83e4427 100644 --- a/flake.lock +++ b/flake.lock @@ -28,11 +28,11 @@ ] }, "locked": { - "lastModified": 1724031427, - "narHash": "sha256-o1HdAf+7IGv9M13R3c+zc/sJ0QgeEnhsvHBcodI4UpM=", + "lastModified": 1726524467, + "narHash": "sha256-xkPPPvfHhHK7BNX5ZrQ9N6AIEixCmFzRZHduDf0zv30=", "owner": "nix-community", "repo": "disko", - "rev": "4e719b38fa7c85f4f65d0308ca7084c91e7bdd6d", + "rev": "22ee467a54a3ab7fa9d637ccad5330c6c087e9dc", "type": "github" }, "original": { @@ -99,11 +99,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "type": "github" }, "original": { @@ -183,11 +183,11 @@ ] }, "locked": { - "lastModified": 1722589758, - "narHash": "sha256-sbbA8b6Q2vB/t/r1znHawoXLysCyD4L/6n6/RykiSnA=", + "lastModified": 1725515722, + "narHash": "sha256-+gljgHaflZhQXtr3WjJrGn8NXv7MruVPAORSufuCFnw=", "owner": "nix-community", "repo": "gomod2nix", - "rev": "4e08ca09253ef996bd4c03afa383b23e35fe28a1", + "rev": "1c6fd4e862bf2f249c9114ad625c64c6c29a8a08", "type": "github" }, "original": { @@ -203,11 +203,11 @@ ] }, "locked": { - "lastModified": 1720042825, - "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=", + "lastModified": 1725703823, + "narHash": "sha256-tDgM4d8mLK0Hd6YMB2w1BqMto1XBXADOzPEaLl10VI4=", "owner": "nix-community", "repo": "home-manager", - "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073", + "rev": "208df2e558b73b6a1f0faec98493cb59a25f62ba", "type": "github" }, "original": { 
@@ -298,11 +298,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1723803910, - "narHash": "sha256-yezvUuFiEnCFbGuwj/bQcqg7RykIEqudOy/RBrId0pc=", + "lastModified": 1725513492, + "narHash": "sha256-tyMUA6NgJSvvQuzB7A1Sf8+0XCHyfSPRx/b00o6K0uo=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "bfef0ada09e2c8ac55bbcd0831bd0c9d42e651ba", + "rev": "7570de7b9b504cfe92025dd1be797bf546f66528", "type": "github" }, "original": { @@ -314,11 +314,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1724067415, - "narHash": "sha256-WJBAEFXAtA41RMpK8mvw0cQ62CJkNMBtzcEeNIJV7b0=", + "lastModified": 1726489388, + "narHash": "sha256-JBHtN+n1HzKawpnOQAz6jdgvrtYV9c/kyzgoIdguQGo=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "b09c46430ffcf18d575acf5c339b38ac4e1db5d2", + "rev": "dc8b0296f68f72f3fe77469c549a6f098555c2e9", "type": "github" }, "original": { @@ -330,11 +330,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1723938990, - "narHash": "sha256-9tUadhnZQbWIiYVXH8ncfGXGvkNq3Hag4RCBEMUk7MI=", + "lastModified": 1726320982, + "narHash": "sha256-RuVXUwcYwaUeks6h3OLrEmg14z9aFXdWppTWPMTwdQw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c42fcfbdfeae23e68fc520f9182dde9f38ad1890", + "rev": "8f7492cce28977fbf8bd12c72af08b1f6c7c3e49", "type": "github" }, "original": { @@ -378,11 +378,11 @@ }, "nixpkgs-stable_3": { "locked": { - "lastModified": 1721524707, - "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", + "lastModified": 1725762081, + "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", + "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05", "type": "github" }, "original": { 
@@ -394,11 +394,11 @@ }, "nixpkgsMaster": { "locked": { - "lastModified": 1724145953, - "narHash": "sha256-WamuitHHkmPp/fzwAdZxprYR7BOhtNytGmDuCp0UoHg=", + "lastModified": 1726573629, + "narHash": "sha256-O4fWqykLSQrGcNmx7HCElAmrYC6riGbhdCzk1dmj4qs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1bc1437a085748a3b24c8f25047eb2eac4068318", + "rev": "06e78ca76feaa97082b905d330265d495eefc9f7", "type": "github" }, "original": { @@ -410,11 +410,11 @@ }, "nur": { "locked": { - "lastModified": 1724135985, - "narHash": "sha256-yImm/xJDDBganXyJawdIbwG1hCFYbeaLEwDLMSCdUvg=", + "lastModified": 1726569072, + "narHash": "sha256-x33fIaVSJGc/kLiXh+a8x97GrMN1DtnRd8Ar50sDaNs=", "owner": "nix-community", "repo": "NUR", - "rev": "0ba1aacb815bd8574f6bd25032fdb4fd77d6e630", + "rev": "48b58426a0fb447bad367813e742247dc860bed6", "type": "github" }, "original": { @@ -436,11 +436,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1724134185, - "narHash": "sha256-nDqpGjz7cq3ThdC98BPe1ANCNlsJds/LLZ3/MdIXjA0=", + "lastModified": 1726394406, + "narHash": "sha256-RUzT5OUT+sCNl/fA4u6u/SPc1Bye7MU96Vtu6jksfxs=", "owner": "nix-community", "repo": "poetry2nix", - "rev": "5ee730a8752264e463c0eaf06cc060fd07f6dae9", + "rev": "a0cbe913ce184bef7cd739f75ba5d123e1f41ef2", "type": "github" }, "original": { @@ -526,11 +526,11 @@ "nixpkgs-stable": "nixpkgs-stable_3" }, "locked": { - "lastModified": 1723501126, - "narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=", + "lastModified": 1726524647, + "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "be0eec2d27563590194a9206f551a6f73d52fa34", + "rev": "e2d404a7ea599a013189aa42947f66cede0645c8", "type": "github" }, "original": { diff --git a/hosts/iron/configuration.nix b/hosts/iron/configuration.nix index 31d5069..d2a78b8 100644 --- a/hosts/iron/configuration.nix +++ b/hosts/iron/configuration.nix 
@@ -1,5 +1,6 @@ { inputs, config, pkgs, lib, ... }: let + interfaces = import ./interfaces.nix; zfsKernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; disks = [ "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103837K" @@ -46,14 +47,19 @@ with lib; { useDHCP = false; networkmanager.enable = false; + bridges = { + "${interfaces.lan}" = { + interfaces = [ "enp2s4" "enp3s5" ]; + }; + }; vlans = { iot = { id = 20; - interface = "enp2s4"; + interface = interfaces.lan; }; }; interfaces = { - enp2s4.ipv4.addresses = [{ + "${interfaces.lan}".ipv4.addresses = [{ address = "192.168.42.1"; prefixLength = 24; }]; @@ -61,28 +67,36 @@ with lib; { address = "10.20.0.1"; prefixLength = 20; }]; - enp3s5 = { + "${interfaces.wan}" = { useDHCP = true; }; }; nat = { enable = true; - externalInterface = "enp3s5"; + externalInterface = interfaces.wan; internalInterfaces = [ - "enp2s4" + interfaces.lan + "virbr0" ]; }; - firewall.extraForwardRules = '' - tcp flags syn tcp option maxseg size set rt mtu - ''; + firewall = { + allowedTCPPorts = [ 5201 ]; + extraForwardRules = '' + tcp flags syn tcp option maxseg size set rt mtu + ''; + interfaces.virbr0 = { + allowedTCPPorts = [ 53 ]; + allowedUDPPorts = [ 53 67 ]; + }; + }; }; services.radvd = { enable = true; config = '' - interface enp2s4 { + interface ${interfaces.lan} { AdvSendAdvert on; prefix ::/64 { AdvOnLink on; @@ -97,10 +111,10 @@ with lib; { noipv6rs waitip 6 - interface enp3s5 + interface ${interfaces.wan} ipv6rs ia_na 1 - ia_pd 1/::/64 enp2s4/0/64 + ia_pd 1/::/64 ${interfaces.lan}/0/64 ''; boot = { @@ -219,5 +233,8 @@ with lib; { memoryPercent = 60; priority = 1; }; + + + jalr.libvirt.enable = true; }; } diff --git a/hosts/iron/interfaces.nix b/hosts/iron/interfaces.nix new file mode 100644 index 0000000..dec89ae --- /dev/null +++ b/hosts/iron/interfaces.nix @@ -0,0 +1,4 @@ +{ + lan = "br0"; + wan = "enp0s25"; +} diff --git a/hosts/iron/ports.nix b/hosts/iron/ports.nix index 6b38336..b5d9466 100644 
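Review bot: The new bridge `"${interfaces.lan}"` enslaves `enp3s5`, which until this commit was the NAT `externalInterface`, while the WAN role moves to `enp0s25` via the new hosts/iron/interfaces.nix. If the uplink is still cabled to enp3s5, that port is now inside the LAN bridge and outside the NAT/firewall boundary, so the recabling this presumes should be confirmed and recorded next to the list, e.g. `interfaces = [ "enp2s4" "enp3s5" ]; # both are LAN-side ports; the WAN uplink is enp0s25 (interfaces.nix)`. The enclosing `networking` set starts outside this hunk.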
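Review bot: `allowedTCPPorts = [ 5201 ];` in the new `firewall` block is not scoped to an interface, so on NixOS it opens TCP 5201 on every interface including `${interfaces.wan}`, whereas the DNS/DHCP ports a few lines below are correctly limited to `virbr0`. If 5201 is only needed from the LAN (it is the customary iperf3 port, so that seems likely), scope it the same way: `interfaces."${interfaces.lan}".allowedTCPPorts = [ 5201 ]; # iperf3`. A comment naming the service is worth adding either way, since a bare port number on a router's global allow-list is the first thing a later reader will question. The enclosing `networking` set starts outside this hunk.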
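Review bot: Two blank lines are inserted before the new `jalr.libvirt.enable = true;`, where the rest of the file separates attributes with at most one. Since the NAT `internalInterfaces` entry and the `firewall.interfaces.virbr0` rules in the networking block only make sense once libvirt is on, a comment such as `jalr.libvirt.enable = true; # presumably provides virbr0, referenced by networking.nat and the firewall` would tie the two together for the next reader.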
--- a/hosts/iron/ports.nix +++ b/hosts/iron/ports.nix @@ -7,13 +7,14 @@ custom-utils.validatePortAttrset { home-assistant.tcp = 8123; jellyfin.tcp = 8096; matrix-synapse.tcp = 8008; + matrix-sliding-sync.tcp = 8009; mautrix-signal.tcp = 29319; mautrix-whatsapp.tcp = 29318; navidrome.tcp = 4533; nginx-http.tcp = 80; nginx-https.tcp = 443; postfix-relay.tcp = 25; - postfix-submission.tcp = [ 465 587 ]; + postfix-submission.tcp = [ 465 ]; qbittorrent-torrent.tcp = 59832; qbittorrent-webui.tcp = 8099; radicale.tcp = 5232; diff --git a/hosts/iron/secrets.yaml b/hosts/iron/secrets.yaml index 33595e2..4e19154 100644 --- a/hosts/iron/secrets.yaml +++ b/hosts/iron/secrets.yaml @@ -8,6 +8,7 @@ rspamd-worker-controller: ENC[AES256_GCM,data:7tS8bEr9i5F+YZoj3uPQa6Xd2SCsuC+jE5 dkim-keys: jalr.de.default: ENC[AES256_GCM,data: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,iv:2NBiTTW9slOH9BvM+kVbMB/+8EiS/Dc/eaqrtiwn4HY=,tag:0rc2+ZWy9XZYE7RK/oSo3g==,type:str] synapse-turn-shared-secret: ENC[AES256_GCM,data:Q1XRds3Zud1kYkvD6s9WUzP+kNDNsxB5SHd6oCAaLCHhHhYENSAYTZOF+rGjCPNyKFL0e/A=,iv:zScRQrz+pXHNUh/BGOaV+TVnDR3wu1Z/UO1zXarKwtA=,tag:ckpVziE+yb0FjctcT7tAkg==,type:str] +matrix-sliding-sync: ENC[AES256_GCM,data:CmR8Q5NL1m+eixenK4u1n3MfVh49/Q3ZIRmWfSbuFMr3u79rIGrtFf2EjaThCwBHQyXdYw1wyTouxhGZql1Fcp/HYma8u4w5nJOaJa1TXg==,iv:/kFqA/+kpCkhHZKJdhadjH11pZwh4MFiQPjY96t8M5k=,tag:aZkDCcbtonHMTv4TdBv1sQ==,type:str] rmfakecloud: ENC[AES256_GCM,data:ktKBKb6cRv1VF8tRvXIpxIy9hPinVPKK05mgvYzz18PEdcrCLpldm5xf7ffHtY5XzDOAMXDCiz6x4xyv7071frrF0spOEPnIzVhxwG8H2Ck=,iv:qJdHjv0RziAs4G9UGeRwGQ4GE5kaObJWpIYWpRKhr9c=,tag:PXgvU1hZK/gvWGyFJaHekg==,type:str] esphome: ENC[AES256_GCM,data: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,iv:jSR/M4KS+cZMQgtTZWtPcpmKFD5QNr7s8ClAbXzpR2s=,tag:sp3BnZi+b9WuIiCPapG6Bw==,type:str] home-assistant: ENC[AES256_GCM,data:wcFMxDdRCHf/shO9v2WaGgrsa9J2WP62xFs=,iv:9ckeIO62cFZUo8fPyQj445CrJVTooNlwLapM/oTsrkk=,tag:mlfxtXDPsB3T79P9BX9oJQ==,type:str] 
@@ -26,8 +27,8 @@ sops: SU1USkxFUUY2NVhmUHBhZkdrNDR1Q0kKiXIicInELRjDR3tuyA+lnXeCcd9lYvbV GnBRGPM7BNO/6AA7HhAei48Kt+XE6+jQX66yTXyviKhK7Lpjrlb2YQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-06T15:25:14Z" - mac: ENC[AES256_GCM,data:JfgVZ7I/S22cN4yiXqE5nJY0KBq+ZLJABlMTi58VUw5jGf1vUmyTDkzm67QmZtVVL3R/xodrSMJw5CodF7wgVvJFilSvez/ygr1P8KKo7CDMxzl5VTO5uHq5aszOmRFF5N9ZGfUFZxjl3iuCwQofckcMKgeyG/1wOIf37H4Gstw=,iv:oLS4yQdl0LE363gVIkRUieFJ5M2N8Fc4Rge7SuTN85k=,tag:N4uxXbKIHfZonkiV1GxckQ==,type:str] + lastmodified: "2024-09-11T16:10:31Z" + mac: ENC[AES256_GCM,data:7STJaln+9X6xZFAyLSoMCw2PKNiRr4GNhxGbZRPRf+nKfkFh7wJRS3YWVrxd9iOonSPsuHfPnBrAPiq7ILXqwfjNcyf2HtOIPxHz0utE6b0X7KvEwmLSRMOQG9rpsETE5UBQ+DgtU9IwZzTXgh9CGZpHWQAPeOI+lK4OKLlXvkk=,iv:E++ECn4SJy43lW5RWxjSDc7dj0LWDXIuO+5fVFE3+zU=,tag:QFvao9PWSllzXXhGwFQgrw==,type:str] pgp: - created_at: "2024-01-31T01:20:30Z" enc: |- diff --git a/hosts/iron/secrets/mail-users.nix b/hosts/iron/secrets/mail-users.nix index 4caac02..0046b88 100644 Binary files a/hosts/iron/secrets/mail-users.nix and b/hosts/iron/secrets/mail-users.nix differ diff --git a/hosts/iron/services/dnsmasq.nix b/hosts/iron/services/dnsmasq.nix index 8e7ca67..b277cf4 100644 --- a/hosts/iron/services/dnsmasq.nix +++ b/hosts/iron/services/dnsmasq.nix @@ -1,12 +1,14 @@ { lib, pkgs, ... }: let + interfaces = import ../interfaces.nix; stateDir = "/var/lib/dnsmasq"; in { services.dnsmasq = { enable = true; settings = { + bind-interfaces = true; listen-address = [ "192.168.42.1" "10.20.0.1" @@ -41,7 +43,7 @@ in }; networking.firewall.interfaces = lib.attrsets.genAttrs [ - "enp2s4" + interfaces.lan "iot" ] ( diff --git a/hosts/iron/services/dyndns.nix b/hosts/iron/services/dyndns.nix index 9b4aebf..710aceb 100644 --- a/hosts/iron/services/dyndns.nix +++ b/hosts/iron/services/dyndns.nix @@ -1,4 +1,7 @@ { config, ... }: +let + interfaces = import ../interfaces.nix; +in { sops.secrets.duckdns-secret = { sopsFile = ../secrets.yaml; 
@@ -11,7 +14,7 @@ username = "nouser"; passwordFile = config.sops.secrets.duckdns-secret.path; domains = [ "jalr-bw" ]; - use = "if, if=enp3s5"; + use = "if, if=${interfaces.wan}"; #usev6=ifv6, ifv6=enp3s4 }; } diff --git a/hosts/iron/services/home-assistant.nix b/hosts/iron/services/home-assistant.nix index acbb59d..c7f304a 100644 --- a/hosts/iron/services/home-assistant.nix +++ b/hosts/iron/services/home-assistant.nix @@ -135,7 +135,7 @@ in platform = "bluetooth_le_tracker"; } ]; - script = [ + "script nix" = [ { lights_off_except = { icon = "mdi:home-lightbulb"; @@ -159,6 +159,7 @@ in }; } ]; + "script ui" = "!include scripts.yaml"; calendar = [ { platform = "caldav"; diff --git a/hosts/iron/services/matrix.nix b/hosts/iron/services/matrix.nix index 7214d0d..79a184d 100644 --- a/hosts/iron/services/matrix.nix +++ b/hosts/iron/services/matrix.nix @@ -2,6 +2,8 @@ args@{ config, pkgs, custom-utils, ... }: let ports = import ../ports.nix args; + signalPhoneNumber = "+4915566437153"; + signalUser = "jalr"; in { sops.secrets = { @@ -9,12 +11,19 @@ in owner = "matrix-synapse"; sopsFile = ../secrets.yaml; }; + matrix-sliding-sync = { + sopsFile = ../secrets.yaml; + }; }; jalr.matrix = { enable = true; fqdn = "matrix.jalr.de"; domain = "jalr.de"; synapse.port = ports.matrix-synapse.tcp; + sliding-sync = { + port = ports.matrix-sliding-sync.tcp; + secretFile = config.sops.secrets.matrix-sliding-sync.path; + }; turn = { host = "turn.jalr.de"; sharedSecretFile = config.sops.secrets.synapse-turn-shared-secret.path; @@ -31,7 +40,7 @@ in }; }; mautrix-signal = { - enable = false; + enable = true; port = ports.mautrix-signal.tcp; settings.bridge = { permissions = { 
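Review bot: The commented-out `#usev6=ifv6, ifv6=enp3s4` next to the changed `use` line still hardcodes an interface name, and `enp3s4` matches neither the old `enp3s5` nor the new `enp0s25`, so it will mislead whoever re-enables IPv6 updates later. Either drop the stale comment or rewrite it in terms of the shared binding, e.g. `# usev6=ifv6, ifv6=<interfaces.wan> (currently enp0s25)`, so it follows the same source of truth as the live line.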
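Review bot: `signalPhoneNumber` is bound to a personal phone number in clear text in the Nix source, while the same file routes the other sensitive values (`matrix-sliding-sync`, the TURN shared secret) through sops. A phone number is not a credential, but if this repository is published it is PII that cannot be rotated, so it deserves the same treatment: read it from a sops secret or a file outside the repo, or add a comment acknowledging the deliberate choice. The `signalUser` binding beside it is fine as is.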
@@ -43,4 +52,27 @@ in }; }; }; + + systemd.services.signal-cli-receive = { + description = "Run signal-cli to receive messages"; + serviceConfig = { + Type = "oneshot"; + User = signalUser; + CapabilityBoundingSet = null; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + SystemCallFilter = "@system-service"; + }; + script = "${pkgs.signal-cli}/bin/signal-cli -u ${signalPhoneNumber} receive"; + }; + systemd.timers.signal-cli-receive = { + description = "Run signal-cli to receive messages"; + after = [ "network.target" ]; + wantedBy = [ "timers.target" ]; + timerConfig = { + Persistent = true; + OnCalendar = "*-*-* *:00:00"; + Unit = config.systemd.services.signal-cli-receive.name; + }; + }; } diff --git a/hosts/iron/services/unifi-controller.nix b/hosts/iron/services/unifi-controller.nix index bb5417f..6eeed31 100644 --- a/hosts/iron/services/unifi-controller.nix +++ b/hosts/iron/services/unifi-controller.nix @@ -2,13 +2,14 @@ args@{ pkgs, custom-utils, ... }: let ports = import ../ports.nix args; + interfaces = import ../interfaces.nix; in { services.unifi = { enable = true; unifiPackage = pkgs.unifi8; }; - networking.firewall.interfaces.enp2s4.allowedTCPPorts = [ + networking.firewall.interfaces."${interfaces.lan}".allowedTCPPorts = [ ports.unifi-http.tcp ports.unifi-https.tcp ]; diff --git a/hosts/magnesium/ports.nix b/hosts/magnesium/ports.nix index b35165c..0fa666e 100644 --- a/hosts/magnesium/ports.nix +++ b/hosts/magnesium/ports.nix @@ -1,4 +1,4 @@ -{ lib, custom-utils, ... }: +{ custom-utils, ... }: custom-utils.validatePortAttrset { coturn-cli.tcp = 5766; @@ -9,4 +9,5 @@ custom-utils.validatePortAttrset { nginx-http.tcp = 80; nginx-https.tcp = 443; wireguard-public-ip-tunnel.udp = 51000; + forgejo-ssh.tcp = 2022; } diff --git a/hosts/magnesium/secrets.yaml b/hosts/magnesium/secrets.yaml index cd7f526..f7c505b 100644 --- a/hosts/magnesium/secrets.yaml +++ b/hosts/magnesium/secrets.yaml 
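Review bot: `signal-cli-receive` runs as the interactive account `signalUser` (`User = signalUser;`), so the sandboxing added here (`RestrictAddressFamilies`, `RestrictNamespaces`, `SystemCallFilter`) still leaves the unit with full read/write access to that user's home directory and everything else the user owns. Presumably the signal-cli account state lives under that home, which is why the user was chosen; a dedicated system user with its own `StateDirectory`, or at least `ProtectSystem = "strict";` plus `ReadWritePaths` for the signal-cli data directory, would confine it to what it needs. `CapabilityBoundingSet = null;` is also unusual: if the intent is to drop every capability, the conventional spelling is `CapabilityBoundingSet = "";`, and a short comment stating that intent would spare the next reader from checking how `null` is rendered. The timer's `after = [ "network.target" ]` orders the timer, not the service; if the receive run needs the network up, the ordering belongs on the service unit.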
@@ -1,6 +1,7 @@ wireguard_key_hetzner-ha: ENC[AES256_GCM,data:HEW+EalHg6/mq7pRKZkasGz0nqbkSppkf0H/uV5QMJnWwKw9a9W21Y77OSw=,iv:OA6yml1T5kVafX0RYd0Es7DHcGjJazUxP2M6a5Pwkag=,tag:lX5UPIseIQ136HLrHbzZyw==,type:str] turn-static-auth-secret: ENC[AES256_GCM,data:rzhixUemFPwKj1BcVPZd7KtUO9OA6A2R4qEQ1BZGVG0=,iv:uYHYe4Cywxovt3b/Ho1tQVHrpgVic+AKh9AjYMYSZcM=,tag:rr8RW/if06t38GpZCYQB4w==,type:str] gitlab-runner_fablab-nea-hcloud-labsync: ENC[AES256_GCM,data:+znVO8cQxjDdhch7oUALZvt84iJmWnAx6lTM0+WGkGtaRWTCTPjgnst5waSJpw/Oysrd1PkXZKmLHyHuU7K/CHQij7sWH50G3ZcUum58klJc3dCPztlrLpDVHeSwyYiLpsqkQTfjqLPfrMkxuxBgTEVXlq2ZnFuyOGbFx9hubPxLeyQKakiW3qZWGjbFXYAps7Gl61AVdKJj3y1otX2JbCjG9x2i6FHZpl5ywwQCjKNM,iv:7v+I/oJtWDap6PNIJ4Qm3Si9dGs7a79SaMhnr/tbe1A=,tag:7jgoLtdWAEKMkWoXZ10owA==,type:str] +forgejo-mail: ENC[AES256_GCM,data:eZv9dM0a06wFJaDUZjo=,iv:L32ab5k/AX8HqSACJA5w+WbzLlBijA5++Gcr2SrnYIU=,tag:ddyTXikWTMnxq86IijgyYg==,type:str] sops: kms: [] gcp_kms: [] @@ -16,8 +17,8 @@ sops: QTBqZDZLeDFLK0k2MHF4Uk1mQTIxRHcKeLHz+lSnHLyTgw2Aq+IVGpIi9X8SQx+Q bCSPPMPIZsL4VLInuZmcd2n/kEr80fQM2P3/ktW8RnViQjTU+kKbMg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-10-13T18:27:53Z" - mac: ENC[AES256_GCM,data:8DPq0aGtoiMOdFyD+0NKGZ9OrDi1VXXS/6y3tH4DwlkLDpDqb2QsxunTDwoHlILQBu300nB2lUeGuGlp4/0FimFdiddlu2Ljq8vLh3wt+sz660RgfeaIcgWLSHtulyNIIQJ91wzzgbRADafFRCavVFvJALnIgeE+QDQa4ybLus0=,iv:T3xwELbHbqDszIkGs8BeJn9WV0LjagF1T+HLxCR/Aeo=,tag:NAIBPTRcnRtkGKhpWpe5Pw==,type:str] + lastmodified: "2024-09-17T12:35:12Z" + mac: ENC[AES256_GCM,data:ji+KDLN/7nQG448ZMxOFCuCTrzwnn00xbey84itd2cHpGP3oWYCFDWqdMg18C7koZ8eVtudgi3v6++bYLunAMONcvVwqconiEgEy17GKMzaladkEVDzSTRLipbcby/k4VYzS+iBP02eEn1gHYaNWTeIN/8X+42kIdhq3Itx44fU=,iv:X72KO/yNE1RI8lSPEc5llmCUuO0bZrtD4kizHf4dnzA=,tag:jZOIX1hhF1yfy7U8f47/VA==,type:str] pgp: - created_at: "2024-01-31T01:20:03Z" enc: |- @@ -31,4 +32,4 @@ sops: -----END PGP MESSAGE----- fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9 unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.1 
diff --git a/hosts/magnesium/services/default.nix b/hosts/magnesium/services/default.nix index 0fd2a7f..9737c6c 100644 --- a/hosts/magnesium/services/default.nix +++ b/hosts/magnesium/services/default.nix @@ -1,6 +1,7 @@ { imports = [ ./coturn.nix + ./forgejo.nix ./gitlab-runner.nix ./mosquitto.nix ./public-ip-tunnel.nix diff --git a/hosts/magnesium/services/forgejo.nix b/hosts/magnesium/services/forgejo.nix new file mode 100644 index 0000000..98042a7 --- /dev/null +++ b/hosts/magnesium/services/forgejo.nix 
@@ -0,0 +1,68 @@ +args@{ config, custom-utils, ... }: +let + domain = "git.jalr.de"; + cfg = config.services.forgejo; + ports = import ../ports.nix args; +in +{ + sops.secrets.forgejo-mail = { + owner = cfg.user; + sopsFile = ../secrets.yaml; + }; + services.forgejo = { + enable = true; + lfs.enable = true; + mailerPasswordFile = config.sops.secrets.forgejo-mail.path; + settings = { + DEFAULT.APP_NAME = "jalr's git"; + avatar.DISABLE_GRAVATAR = true; + mailer = { + ENABLED = true; + PROTOCOL = "smtps"; + SMTP_ADDR = "hha.jalr.de"; + FROM = "git@jalr.de"; + USER = "git@jalr.de"; + }; + server = { + DOMAIN = domain; + PROTOCOL = "http+unix"; + ROOT_URL = "https://${domain}/"; + + DISABLE_ROUTER_LOG = true; + OFFLINE_MODE = true; + + BUILTIN_SSH_SERVER_USER = "git"; + START_SSH_SERVER = true; + SSH_PORT = ports.forgejo-ssh.tcp; + SSH_SERVER_HOST_KEYS = "ssh/forgejo.ed25519"; + }; + service = { + DEFAULT_ALLOW_CREATE_ORGANIZATION = false; + DEFAULT_KEEP_EMAIL_PRIVATE = true; + ENABLE_NOTIFY_MAIL = false; + REGISTER_MANUAL_CONFIRM = true; + DISABLE_REGISTRATION = true; + }; + session = { + PROVIDER = "file"; + COOKIE_SECURE = true; + }; + log.level = "Warn"; + }; + }; + + networking.firewall.allowedTCPPorts = [ cfg.settings.server.SSH_PORT ]; + + services.nginx.virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://unix:/run/forgejo/forgejo.sock"; + }; + + extraConfig = '' + client_max_body_size 1G; + ''; + }; +} diff --git a/hosts/magnesium/services/webserver.nix b/hosts/magnesium/services/webserver.nix index 9c55514..8ab2c50 100644 --- a/hosts/magnesium/services/webserver.nix +++ b/hosts/magnesium/services/webserver.nix @@ -44,7 +44,7 @@ in add_header Content-Type application/json; return 200 '${builtins.toJSON { "m.server" = "${matrixDomain}:443"; - }}'; + }}'; ''; "=/.well-known/matrix/client".extraConfig = '' ${parentHeaders} 
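Review bot: `networking.firewall.allowedTCPPorts = [ cfg.settings.server.SSH_PORT ];` exposes Forgejo's built-in SSH server on every interface, while `DISABLE_ROUTER_LOG = true` together with `log.level = "Warn"` leaves Forgejo itself with little record of who connected or failed to authenticate. That is a defensible trade-off for a single-user instance, but it should be deliberate: confirm nginx access logging stays enabled for the HTTPS side, and consider keeping the router log or pairing the SSH port with a `services.fail2ban` jail, since the built-in server has no OpenSSH-style brute-force protection in front of it. A comment on the firewall line, e.g. `# git-over-SSH on the built-in server; intentionally reachable from the internet`, would save the next reader a lookup. `REGISTER_MANUAL_CONFIRM = true` is moot while `DISABLE_REGISTRATION = true`; drop it or comment that it is a safety net for when registration is re-enabled.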
@@ -52,6 +52,7 @@ in add_header Access-Control-Allow-Origin *; return 200 '${builtins.toJSON { "m.homeserver"."base_url" = "https://${matrixDomain}"; + "org.matrix.msc3575.proxy"."url" = "https://${matrixDomain}"; }}'; ''; }; diff --git a/hosts/weinturm-pretix-prod/ports.nix b/hosts/weinturm-pretix-prod/ports.nix index 9c3e0e7..5de5641 100644 --- a/hosts/weinturm-pretix-prod/ports.nix +++ b/hosts/weinturm-pretix-prod/ports.nix @@ -4,5 +4,5 @@ custom-utils.validatePortAttrset { nginx-http.tcp = 80; nginx-https.tcp = 443; ports.postfix-relay.tcp = 25; - ports.postfix-submission.tcp = [ 465 587 ]; + ports.postfix-submission.tcp = [ 465 ]; } diff --git a/modules/default.nix b/modules/default.nix index bd73bc6..ae19e75 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -67,6 +67,8 @@ ]; }; + programs.nano.enable = false; + security.acme = { acceptTerms = true; defaults = { diff --git a/modules/dji-goggles.nix b/modules/dji-goggles.nix index 00a735b..951482a 100644 --- a/modules/dji-goggles.nix +++ b/modules/dji-goggles.nix @@ -1,6 +1,6 @@ { services.udev.extraRules = '' # DJI Goggles - SUBSYSTEM=="usb", ATTRS{idVendor}=="2ca3", ATTRS{idProduct}=="001f", GROUP="video", MODE="0660" + SUBSYSTEM=="usb", ATTR{idVendor}=="2ca3", ATTR{idProduct}=="001f", MODE="0660", GROUP="plugdev" ''; } diff --git a/modules/mailserver/postfix.nix b/modules/mailserver/postfix.nix index e09a48a..62b7eaa 100644 --- a/modules/mailserver/postfix.nix +++ b/modules/mailserver/postfix.nix @@ -41,7 +41,7 @@ lib.mkIf cfg.enable { relayPort = cfg.relayPort; - enableSubmission = true; # plain/STARTTLS (latter is forced in submissionOptions) + enableSubmission = false; # plain/STARTTLS (latter is forced in submissionOptions) enableSubmissions = true; # submission with implicit TLS (TCP/465) hostname = cfg.fqdn; @@ -147,7 +147,7 @@ lib.mkIf cfg.enable { networking.firewall.allowedTCPPorts = [ 25 # SMTP - 587 # SMTP submission + 465 # SMTPS (implicit TLS) ]; systemd.services.postfix = { 
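Review bot: The touched line `ports.postfix-submission.tcp = [ 465 ];` keeps a `ports.` prefix inside the `validatePortAttrset` argument, unlike hosts/iron/ports.nix where the same key is `postfix-submission.tcp`; a consumer doing `ports.postfix-submission.tcp` would resolve differently on the two hosts. The inconsistency predates this commit (the `ports.postfix-relay.tcp = 25;` context line has it too), but since the line is being edited this is a cheap moment to align it, or to add a comment explaining why this host's keys are nested.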
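Review bot: The udev rule now hands the device to `GROUP="plugdev"` and users/jalr/default.nix adds `jalr` to `plugdev`, but nothing in this diff declares `users.groups.plugdev`, and NixOS does not create that group by default. If no other module defines it, udev cannot resolve the group name at device insertion and the `extraGroups` entry refers to a missing group; declaring `users.groups.plugdev = {};` in this module, which introduces the dependency, would make it self-contained. The switch from `ATTRS{…}` to `ATTR{…}` restricts the match to the USB device node itself rather than any parent, which is fine for a `SUBSYSTEM=="usb"` rule, but a one-line comment would help since the two spellings are easy to confuse.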
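Review bot: The comment on `enableSubmission = false;` still reads `# plain/STARTTLS (latter is forced in submissionOptions)`, which described the option when it was enabled; now it documents a switched-off path and implies STARTTLS submission is still offered. Suggest `enableSubmission = false; # STARTTLS submission (TCP/587) intentionally disabled; clients use implicit TLS on 465 (enableSubmissions)`. The firewall hunk at `@@ -147,7 +147,7 @@`, both hosts' ports.nix files and the users/jalr mail accounts were moved to 465 consistently; only this comment lags.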
diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix index d237ca5..48dae11 100644 --- a/modules/matrix/default.nix +++ b/modules/matrix/default.nix @@ -21,6 +21,16 @@ in }; }; }; + sliding-sync = { + port = mkOption { + description = "TCP port for synapse service."; + type = port; + }; + secretFile = mkOption { + type = path; + description = "Location of the file to set secret environment variables."; + }; + }; fqdn = mkOption { type = str; description = '' @@ -82,6 +92,7 @@ in imports = [ ./mautrix-signal.nix ./mautrix-whatsapp.nix + ./sliding-sync.nix ./synapse.nix ]; } diff --git a/modules/matrix/sliding-sync.nix b/modules/matrix/sliding-sync.nix new file mode 100644 index 0000000..9ab2cba --- /dev/null +++ b/modules/matrix/sliding-sync.nix @@ -0,0 +1,18 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.jalr.matrix; +in +lib.mkIf cfg.enable { + services.matrix-sliding-sync = { + enable = true; + settings = { + SYNCV3_SERVER = "https://${cfg.fqdn}"; + SYNCV3_BINDADDR = "127.0.0.1:${toString cfg.sliding-sync.port}"; + }; + environmentFile = cfg.sliding-sync.secretFile; + }; + services.nginx.virtualHosts."${cfg.fqdn}".locations."/_matrix/client/unstable/org.matrix.msc3575/sync" = { + proxyPass = "http://127.0.0.1:${toString cfg.sliding-sync.port}"; + }; +} diff --git a/users/jalr/default.nix b/users/jalr/default.nix index 09de610..9d83727 100644 --- a/users/jalr/default.nix +++ b/users/jalr/default.nix @@ -16,6 +16,7 @@ in "libvirtd" "lp" "networkmanager" + "plugdev" "scanner" "video" "wheel" @@ -56,6 +57,14 @@ in pwgen ]; + xdg.mimeApps = { + enable = true; + defaultApplications = { + "application/pdf" = "org.gnome.Evince.desktop"; + "image/svg+xml" = "org.inkscape.Inkscape.desktop"; + }; + }; + accounts.email.accounts = { "jalr" = { primary = true; @@ -72,10 +81,10 @@ in }; smtp = { host = "hha.jalr.de"; - port = 587; + port = 465; tls = { enable = true; - useStartTls = true; + useStartTls = false; }; }; thunderbird = { 
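Review bot: The new `sliding-sync.port` option is described as `"TCP port for synapse service."`, copied from the synapse option above, which will mislead anyone reading the option documentation. Suggest `description = "TCP port the sliding-sync proxy listens on (bound to 127.0.0.1 by modules/matrix/sliding-sync.nix).";`. The `secretFile` description could likewise say what the environment file is expected to carry, presumably the proxy's `SYNCV3_SECRET`, so operators know what to put in the sops secret.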
@@ -97,10 +106,10 @@ in }; smtp = { host = "mail.agenturserver.de"; - port = 587; + port = 465; tls = { enable = true; - useStartTls = true; + useStartTls = false; }; }; thunderbird = { @@ -147,10 +156,10 @@ in }; smtp = { host = "hha.jalr.de"; - port = 587; + port = 465; tls = { enable = true; - useStartTls = true; + useStartTls = false; }; }; thunderbird = { diff --git a/users/jalr/modules/neovim.nix b/users/jalr/modules/neovim.nix index deb6fe2..ee25579 100644 --- a/users/jalr/modules/neovim.nix +++ b/users/jalr/modules/neovim.nix @@ -84,6 +84,7 @@ in NeoSolarized deoplete-nvim editorconfig-vim + jinja-vim nvim-lspconfig { plugin = telescope-nvim;