20 Commits
d31c49ed15
...
60d0753c11
Author | SHA1 | Date | |
---|---|---|---|
60d0753c11 | |||
cbed702076 | |||
1929e0492b | |||
4f103c910e | |||
a75bd96aeb | |||
3424713a41 | |||
d03150dd46 | |||
d68ad26d73 | |||
322a59a73c | |||
0eb77e14bd | |||
6f259985b9 | |||
c78957cf3c | |||
3c58508f64 | |||
77dde1a4ad | |||
561eaeedfb | |||
2aeea208ad | |||
6d74befec3 | |||
d05b5fe0c6 | |||
27ed87e300 | |||
237a8e9ded |
3
TODO.md
3
TODO.md
@ -1,10 +1,9 @@
|
||||
# TODO
|
||||
|
||||
* grafana for all services
|
||||
* move some profiles to modules (like vpn.nix)
|
||||
* use sops for all occurrences of hashedPassword
|
||||
* auto-import gpg keys
|
||||
* wait headscale start until authentik
|
||||
* auto-login to tailscale for hypervisor
|
||||
* config qbittorrent
|
||||
* fix waybar config
|
||||
* change writeShellScript and writeShellScriptBin to writeShellApplication
|
||||
|
256
flake.lock
256
flake.lock
@ -6,11 +6,11 @@
|
||||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703351934,
|
||||
"narHash": "sha256-HoMdwXPYzvXd07JxqIMwR/rRe7hdRKUV5HLPbiM2CA0=",
|
||||
"lastModified": 1706099209,
|
||||
"narHash": "sha256-eg4irTtkkjNcqrB6sVmYoxOB0WdPo0a3mqoKjjBH99o=",
|
||||
"owner": "ezKEa",
|
||||
"repo": "aagl-gtk-on-nix",
|
||||
"rev": "6afc4cff9fcd9016d6270c95e0d67023cdafd6dd",
|
||||
"rev": "4aa68a34807599b830decaa6e76b3bccb9510b32",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -44,11 +44,11 @@
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1702969472,
|
||||
"narHash": "sha256-IJP9sC+/gLUdWhm6TsnWpw6A1zQWUfn53ym63KeLXvU=",
|
||||
"lastModified": 1705617092,
|
||||
"narHash": "sha256-n9PK4O4X4S1JkwpkMuYm1wHZYJzRqif8g3RuVIPD+rY=",
|
||||
"owner": "zhaofengli",
|
||||
"repo": "attic",
|
||||
"rev": "bdafd64910bb2b861cf90fa15f1fc93318b6fbf6",
|
||||
"rev": "fbe252a5c21febbe920c025560cbd63b20e24f3b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -156,11 +156,11 @@
|
||||
"utils": "utils"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703087360,
|
||||
"narHash": "sha256-0VUbWBW8VyiDRuimMuLsEO4elGuUw/nc2WDeuO1eN1M=",
|
||||
"lastModified": 1704875591,
|
||||
"narHash": "sha256-eWRLbqRcrILgztU/m/k7CYLzETKNbv0OsT2GjkaNm8A=",
|
||||
"owner": "serokell",
|
||||
"repo": "deploy-rs",
|
||||
"rev": "b709d63debafce9f5645a5ba550c9e0983b3d1f7",
|
||||
"rev": "1776009f1f3fb2b5d236b84d9815f2edee463a9b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -177,11 +177,11 @@
|
||||
"pre-commit-hooks": "pre-commit-hooks"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703066966,
|
||||
"narHash": "sha256-MbX0XYOEvAuXwi80emHKJsjo1IGQZhoKKnEp2uzgNx4=",
|
||||
"lastModified": 1706018268,
|
||||
"narHash": "sha256-d24+re0t8b6HYGzAPZCIJed85n23RUFXQa2yuHoW0uQ=",
|
||||
"owner": "cachix",
|
||||
"repo": "devenv",
|
||||
"rev": "405a4c6a3fecfd2a7fb37cc13f4e760658e522e6",
|
||||
"rev": "ad0ae333b210e31237e1fc4a7ddab71a01785add",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -197,11 +197,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703532766,
|
||||
"narHash": "sha256-ojjW3cuNmqL5uqDWohwLoO8dYpheM5+AfgsNmGIMwG8=",
|
||||
"lastModified": 1706145859,
|
||||
"narHash": "sha256-+iGHKwzKVW6aGAWfUmUSJW1KiE6WLYhKyTyWZMTw/cg=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "1b191113874dee97796749bb21eac3d84735c70a",
|
||||
"rev": "5a2dc95464080764b9ca1b82b5d6d981157522be",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -361,11 +361,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1701473968,
|
||||
"narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=",
|
||||
"lastModified": 1704982712,
|
||||
"narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5",
|
||||
"rev": "07f6395285469419cf9d078f59b5b49993198c00",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -394,14 +394,17 @@
|
||||
},
|
||||
"flake-parts_3": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": "nixpkgs-lib_2"
|
||||
"nixpkgs-lib": [
|
||||
"prismlauncher",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1701473968,
|
||||
"narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=",
|
||||
"lastModified": 1704982712,
|
||||
"narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5",
|
||||
"rev": "07f6395285469419cf9d078f59b5b49993198c00",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -413,11 +416,11 @@
|
||||
"flake-registry": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1692779116,
|
||||
"narHash": "sha256-erTXdDToRA8whxURoEgBGWj550vcUirO6adEFIjQ0M0=",
|
||||
"lastModified": 1705308826,
|
||||
"narHash": "sha256-Z3xTYZ9EcRIqZAufZbci912MUKB0sD+qxi/KTGMFVwY=",
|
||||
"owner": "nixos",
|
||||
"repo": "flake-registry",
|
||||
"rev": "3f641cbae15d3c74370aa9b97fd0ac478a114305",
|
||||
"rev": "9c69f7bd2363e71fe5cd7f608113290c7614dcdd",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -667,11 +670,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703527373,
|
||||
"narHash": "sha256-AjypRssRtS6F3xkf7rE3/bXkIF2WJOZLbTIspjcE1zM=",
|
||||
"lastModified": 1706134977,
|
||||
"narHash": "sha256-KwNb1Li3K6vuVwZ77tFjZ89AWBo7AiCs9t0Cens4BsM=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "80679ea5074ab7190c4cce478c600057cfb5edae",
|
||||
"rev": "6359d40f6ec0b72a38e02b333f343c3d4929ec10",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -691,11 +694,11 @@
|
||||
"xdph": "xdph"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703616278,
|
||||
"narHash": "sha256-xipHN28RIfB36qNoqesh4NnE/M6YZbEiYhkPHS3BFhI=",
|
||||
"lastModified": 1706104398,
|
||||
"narHash": "sha256-0kRaHegXXWJwnd+Yq0ZL9r/1JssYSyZiEkOmj7HoSvw=",
|
||||
"owner": "hyprwm",
|
||||
"repo": "Hyprland",
|
||||
"rev": "9fb50252d3a128466e80bfc2fb67b45dc923ad41",
|
||||
"rev": "754eaf5b8b65c9764abe67ec2d599036cd51e381",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -729,6 +732,28 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"hyprlang": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"hyprland",
|
||||
"xdph",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1704287638,
|
||||
"narHash": "sha256-TuRXJGwtK440AXQNl5eiqmQqY4LZ/9+z/R7xC0ie3iA=",
|
||||
"owner": "hyprwm",
|
||||
"repo": "hyprlang",
|
||||
"rev": "6624f2bb66d4d27975766e81f77174adbe58ec97",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "hyprwm",
|
||||
"repo": "hyprlang",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"hyprpaper": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
@ -752,11 +777,11 @@
|
||||
},
|
||||
"impermanence": {
|
||||
"locked": {
|
||||
"lastModified": 1703606475,
|
||||
"narHash": "sha256-ztFe33E2f+XmrvOFOy9NDvQCkvfQUE6K/BBV+ZtCZLs=",
|
||||
"lastModified": 1703656108,
|
||||
"narHash": "sha256-hCSUqdFJKHHbER8Cenf5JRzjMlBjIdwdftGQsO0xoJs=",
|
||||
"owner": "nix-community",
|
||||
"repo": "impermanence",
|
||||
"rev": "3d599bd65eb383bc36191ba39ed6084674b0d7b2",
|
||||
"rev": "033643a45a4a920660ef91caa391fbffb14da466",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -890,11 +915,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1702639936,
|
||||
"narHash": "sha256-Fz5KsFVXB1xu2J4Hmr514vK3eir16/z1Mrv60HjzFtA=",
|
||||
"lastModified": 1705306460,
|
||||
"narHash": "sha256-tV42EZ0GAYDKUu8IUaeZgSsOBtp/1IO9jEkHpOj5K94=",
|
||||
"owner": "thiagokokada",
|
||||
"repo": "nix-alien",
|
||||
"rev": "7d36757ddef3c2fb1805126e0da9abc9d88060f8",
|
||||
"rev": "f43ce845467ad2b90df34323dbed3de9f17471d7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -910,11 +935,11 @@
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703153680,
|
||||
"narHash": "sha256-B5w8UABj9i18mhd67pCu+rY+wYPIXXDU5IU8f1K8ov0=",
|
||||
"lastModified": 1706125328,
|
||||
"narHash": "sha256-YPkz7Pdsz2FqRTvJbw7Tz4Dtvmgnyk71OdePTe9ZuKQ=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nix-direnv",
|
||||
"rev": "c5b7db30bec53b441d94fce933514b8cdb17285b",
|
||||
"rev": "ae3b757eb9e88df23d81b8185245433d632e8ceb",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -980,15 +1005,15 @@
|
||||
"nixpkgs": "nixpkgs_8"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1702291765,
|
||||
"narHash": "sha256-kfxavgLKPIZdYVPUPcoDZyr5lleymrqbr5G9PVfQ2NY=",
|
||||
"owner": "Mic92",
|
||||
"lastModified": 1705282324,
|
||||
"narHash": "sha256-LnURMA7yCM5t7et9O2+2YfGQh0FKAfE5GyahNDDzJVM=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nix-index-database",
|
||||
"rev": "45d82e0a8b9dd6c5dd9da835ac0c072239af7785",
|
||||
"rev": "49aaeecf41ae0a0944e2c627cb515bcde428a1d1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"owner": "nix-community",
|
||||
"repo": "nix-index-database",
|
||||
"type": "github"
|
||||
}
|
||||
@ -1002,11 +1027,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703553395,
|
||||
"narHash": "sha256-lbioI+/sipflPD0XmJOjYfCioPIg/3cRo87l4hp6i7s=",
|
||||
"lastModified": 1706145905,
|
||||
"narHash": "sha256-zABEBEl2Nn7Ea0CyqNvc+gOboN8M9RXNOI2Qeamx0WY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nix-vscode-extensions",
|
||||
"rev": "904561c550a38470b6093e431b961666838bc07e",
|
||||
"rev": "272df61ec787306e2c5c777ff84fbe5ed2a3eb10",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1058,11 +1083,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1701689616,
|
||||
"narHash": "sha256-ewnfgvRy73HoP5KnYmy1Rcr4m4yShvsb6TCCaKoW8pc=",
|
||||
"lastModified": 1706085261,
|
||||
"narHash": "sha256-7PgpHRHyShINcqgevPP1fJ6N8kM5ZSOJnk3QZBrOCQ0=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixos-generators",
|
||||
"rev": "246219bc21b943c6f6812bb7744218ba0df08600",
|
||||
"rev": "896f6589db5b25023b812bbb6c1f5d3a499b1132",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1073,11 +1098,11 @@
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1703068421,
|
||||
"narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=",
|
||||
"lastModified": 1703992652,
|
||||
"narHash": "sha256-C0o8AUyu8xYgJ36kOxJfXIroy9if/G6aJbNOpA5W0+M=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f",
|
||||
"rev": "32f63574c85fbc80e4ba1fbb932cde9619bad25e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1135,31 +1160,13 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-lib_2": {
|
||||
"locked": {
|
||||
"dir": "lib",
|
||||
"lastModified": 1701253981,
|
||||
"narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"dir": "lib",
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-master": {
|
||||
"locked": {
|
||||
"lastModified": 1703618775,
|
||||
"narHash": "sha256-bEoiRFhgaPx3UBw8629yysGEZaUEJWyYnkx8EVjPz+0=",
|
||||
"lastModified": 1706205041,
|
||||
"narHash": "sha256-WXvr++aH3Q7IGqGLcaDhsrVj8zmjVGZoHRpqG9GgJ2o=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "d1fcabefe1617c4dd295774692140b2018b9f9fc",
|
||||
"rev": "3401c58f049fc9c72b578f99c0440092c2c49736",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1251,11 +1258,11 @@
|
||||
},
|
||||
"nixpkgs-stable_3": {
|
||||
"locked": {
|
||||
"lastModified": 1704420045,
|
||||
"narHash": "sha256-C36QmoJd5tdQ5R9MC1jM7fBkZW9zBUqbUCsgwS6j4QU=",
|
||||
"lastModified": 1706098335,
|
||||
"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c1be43e8e837b8dbee2b3665a007e761680f0c3d",
|
||||
"rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1267,11 +1274,11 @@
|
||||
},
|
||||
"nixpkgs-stable_4": {
|
||||
"locked": {
|
||||
"lastModified": 1703351344,
|
||||
"narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=",
|
||||
"lastModified": 1705033721,
|
||||
"narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "7790e078f8979a9fcd543f9a47427eeaba38f268",
|
||||
"rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1283,11 +1290,11 @@
|
||||
},
|
||||
"nixpkgs_10": {
|
||||
"locked": {
|
||||
"lastModified": 1703255338,
|
||||
"narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=",
|
||||
"lastModified": 1705856552,
|
||||
"narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "6df37dc6a77654682fe9f071c62b4242b5342e04",
|
||||
"rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1299,11 +1306,11 @@
|
||||
},
|
||||
"nixpkgs_11": {
|
||||
"locked": {
|
||||
"lastModified": 1702539185,
|
||||
"narHash": "sha256-KnIRG5NMdLIpEkZTnN5zovNYc0hhXjAgv6pfd5Z4c7U=",
|
||||
"lastModified": 1704842529,
|
||||
"narHash": "sha256-OTeQA+F8d/Evad33JMfuXC89VMetQbsU4qcaePchGr4=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "aa9d4729cbc99dabacb50e3994dcefb3ea0f7447",
|
||||
"rev": "eabe8d3eface69f5bb16c18f8662a702f50c20d5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1411,11 +1418,11 @@
|
||||
},
|
||||
"nixpkgs_8": {
|
||||
"locked": {
|
||||
"lastModified": 1701718080,
|
||||
"narHash": "sha256-6ovz0pG76dE0P170pmmZex1wWcQoeiomUZGggfH9XPs=",
|
||||
"lastModified": 1704722960,
|
||||
"narHash": "sha256-mKGJ3sPsT6//s+Knglai5YflJUF2DGj7Ai6Ynopz0kI=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "2c7f3c0fb7c08a0814627611d9d7d45ab6d75335",
|
||||
"rev": "317484b1ead87b9c1b8ac5261a8d2dd748a0492d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1427,11 +1434,11 @@
|
||||
},
|
||||
"nixpkgs_9": {
|
||||
"locked": {
|
||||
"lastModified": 1702539185,
|
||||
"narHash": "sha256-KnIRG5NMdLIpEkZTnN5zovNYc0hhXjAgv6pfd5Z4c7U=",
|
||||
"lastModified": 1705697961,
|
||||
"narHash": "sha256-XepT3WS516evSFYkme3GrcI3+7uwXHqtHbip+t24J7E=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "aa9d4729cbc99dabacb50e3994dcefb3ea0f7447",
|
||||
"rev": "e5d1c87f5813afde2dda384ac807c57a105721cc",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1443,11 +1450,11 @@
|
||||
},
|
||||
"nur": {
|
||||
"locked": {
|
||||
"lastModified": 1705685864,
|
||||
"narHash": "sha256-kUrIeXJr1TBzcHi3GI9Aos9kIwzS6N9gM7O3e7LZdd0=",
|
||||
"lastModified": 1706357136,
|
||||
"narHash": "sha256-+mFuIEZlQKvI8TzKjQ1E4vPVWZIuXxWXoRvgnpX/ff8=",
|
||||
"owner": "nix-community",
|
||||
"repo": "NUR",
|
||||
"rev": "9270a293f01ae7748ec42b903c7b92123cb24ec0",
|
||||
"rev": "63467f6aa6726390d7901ba8d84c5bdf3305d02b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1471,11 +1478,11 @@
|
||||
"nixpkgs-stable": "nixpkgs-stable_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1688056373,
|
||||
"narHash": "sha256-2+SDlNRTKsgo3LBRiMUcoEUb6sDViRNQhzJquZ4koOI=",
|
||||
"lastModified": 1704725188,
|
||||
"narHash": "sha256-qq8NbkhRZF1vVYQFt1s8Mbgo8knj+83+QlL5LBnYGpI=",
|
||||
"owner": "cachix",
|
||||
"repo": "pre-commit-hooks.nix",
|
||||
"rev": "5843cf069272d92b60c3ed9e55b7a8989c01d4c7",
|
||||
"rev": "ea96f0c05924341c551a797aaba8126334c505d2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1502,11 +1509,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1702456155,
|
||||
"narHash": "sha256-I2XhXGAecdGlqi6hPWYT83AQtMgL+aa3ulA85RAEgOk=",
|
||||
"lastModified": 1705072518,
|
||||
"narHash": "sha256-90dERRuG781f0EWjn2AOtScZqsTcpIFLpY8TN2VbkL8=",
|
||||
"owner": "cachix",
|
||||
"repo": "pre-commit-hooks.nix",
|
||||
"rev": "007a45d064c1c32d04e1b8a0de5ef00984c419bc",
|
||||
"rev": "274ae3979a0eacae422e1bbcf63b8b7a335e1114",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1525,11 +1532,11 @@
|
||||
"pre-commit-hooks": "pre-commit-hooks_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703322210,
|
||||
"narHash": "sha256-/oemKTm9nHLFHRdVhoZ0/Mm0SEOcHO8M12DhkosG9UU=",
|
||||
"lastModified": 1705720243,
|
||||
"narHash": "sha256-y71UC+zWjj1bQOiXBUJuNat60LB1TYxTlkk8k7QLhwQ=",
|
||||
"owner": "AtaraxiaSjel",
|
||||
"repo": "PrismLauncher",
|
||||
"rev": "30bb9a1f1a8f8dc1a38fa1c4c36dc17aba842aa4",
|
||||
"rev": "5277f00b2cdb2f381be3ea8d5fb0470b9a7f6db9",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1600,11 +1607,11 @@
|
||||
"rycee": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1703515744,
|
||||
"narHash": "sha256-x/Oz43zeFewMyDglI4AGfyv7xgJZCL75/RL+kGwahto=",
|
||||
"lastModified": 1706155439,
|
||||
"narHash": "sha256-Bcj9CwE1giS1tw3g2aMQiPwo6d7JQKHlnf/wsqxXalc=",
|
||||
"owner": "rycee",
|
||||
"repo": "nur-expressions",
|
||||
"rev": "3776272394cb8b1caf3db29bc6dc853f11208b46",
|
||||
"rev": "7915e98a24618949530ed1bb2181b0d38d7bc193",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
@ -1625,11 +1632,11 @@
|
||||
"utils": "utils_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1700085753,
|
||||
"narHash": "sha256-qtib7f3eRwfaUF+VziJXiBcZFqpHCAXS4HlrFsnzzl4=",
|
||||
"lastModified": 1703666786,
|
||||
"narHash": "sha256-SLPNpM/rI8XPyVJAxMYAe+n6NiYSpuXvdwPILHP4yZI=",
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "nixos-mailserver",
|
||||
"rev": "008d78cc21959e33d0d31f375b88353a7d7121ae",
|
||||
"rev": "b5023b36a1f6628865cb42b4353bd2ddde0ea9f4",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
@ -1646,11 +1653,11 @@
|
||||
"nixpkgs-stable": "nixpkgs-stable_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703387502,
|
||||
"narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=",
|
||||
"lastModified": 1706130372,
|
||||
"narHash": "sha256-fHZxKH1DhsXPP36a2vJ91Zy6S+q6+QRIFlpLr9fZHU8=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3",
|
||||
"rev": "4606d9b1595e42ffd9b75b9e69667708c70b1d68",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1787,11 +1794,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1702461037,
|
||||
"narHash": "sha256-ssyGxfGHRuuLHuMex+vV6RMOt7nAo07nwufg9L5GkLg=",
|
||||
"lastModified": 1705659004,
|
||||
"narHash": "sha256-XQsZudrb9u5Pw631U0tFYZkjq49CcwF24XT01vz2jPk=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "d06b70e5163a903f19009c3f97770014787a080f",
|
||||
"rev": "8cd95da6c30852adb2a06c4b6bdacfe8b64a0a35",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1894,18 +1901,18 @@
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"host": "gitlab.freedesktop.org",
|
||||
"lastModified": 1701368958,
|
||||
"narHash": "sha256-7kvyoA91etzVEl9mkA/EJfB6z/PltxX7Xc4gcr7/xlo=",
|
||||
"lastModified": 1703963193,
|
||||
"narHash": "sha256-ke8drv6PTrdQDruWbajrRJffP9A9PU6FRyjJGNZRTs4=",
|
||||
"owner": "wlroots",
|
||||
"repo": "wlroots",
|
||||
"rev": "5d639394f3e83b01596dcd166a44a9a1a2583350",
|
||||
"rev": "f81c3d93cd6f61b20ae784297679283438def8df",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"host": "gitlab.freedesktop.org",
|
||||
"owner": "wlroots",
|
||||
"repo": "wlroots",
|
||||
"rev": "5d639394f3e83b01596dcd166a44a9a1a2583350",
|
||||
"rev": "f81c3d93cd6f61b20ae784297679283438def8df",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
@ -1915,6 +1922,7 @@
|
||||
"hyprland",
|
||||
"hyprland-protocols"
|
||||
],
|
||||
"hyprlang": "hyprlang",
|
||||
"nixpkgs": [
|
||||
"hyprland",
|
||||
"nixpkgs"
|
||||
@ -1925,11 +1933,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703514399,
|
||||
"narHash": "sha256-VRr5Xc4S/VPr/gU3fiOD3vSIL2+GJ+LUrmFTWTwnTz4=",
|
||||
"lastModified": 1704659450,
|
||||
"narHash": "sha256-3lyoUVtUWz1LuxbltAtkJSK2IlVXmKhxCRU2/0PYCms=",
|
||||
"owner": "hyprwm",
|
||||
"repo": "xdg-desktop-portal-hyprland",
|
||||
"rev": "0a318a7a217a6402b0b705837cd5b50b0e94b31b",
|
||||
"rev": "6a5de92769d5b7038134044053f90e7458f6a197",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -122,17 +122,18 @@
|
||||
secretsDir = ./secrets;
|
||||
|
||||
sharedPatches = patchesPath [
|
||||
"authentik-271885.patch"
|
||||
"vaultwarden.patch"
|
||||
"webhooks.patch"
|
||||
];
|
||||
sharedOverlays = [ flake-utils-plus.overlay inputs.sops-nix.overlays.default ];
|
||||
channelsConfig = { allowUnfree = true; android_sdk.accept_license = true; };
|
||||
channels.unstable.input = nixpkgs;
|
||||
channels.unstable.patches = patchesPath [ "zen-kernels.patch" "ydotoold.patch" "tor-bridge.patch" ] ++ sharedPatches;
|
||||
channels.unstable.patches = patchesPath [ "zen-kernels.patch" "ydotoold.patch" ] ++ sharedPatches;
|
||||
channels.stable.input = inputs.nixpkgs-stable;
|
||||
channels.stable.patches = sharedPatches;
|
||||
channels.server.input = inputs.nixpkgs-pinned;
|
||||
channels.server.patches = patchesPath [ "zen-kernels.patch" "ydotoold.patch" "tor-bridge.patch" ] ++ sharedPatches;
|
||||
channels.server.patches = patchesPath [ "zen-kernels.patch" "ydotoold.patch" ] ++ sharedPatches;
|
||||
channels.vps.input = inputs.nixpkgs;
|
||||
|
||||
hostDefaults.system = "x86_64-linux";
|
||||
|
@ -1,6 +1,6 @@
|
||||
{ config, inputs, ... }: {
|
||||
sops.secrets.rustic-nas-pass.sopsFile = inputs.self.secretsDir + /backup-conf.yaml;
|
||||
sops.secrets.rclone-rustic-backups.sopsFile = inputs.self.secretsDir + /backup-conf.yaml;
|
||||
sops.secrets.rustic-nas-pass.sopsFile = inputs.self.secretsDir + /rustic.yaml;
|
||||
sops.secrets.rclone-rustic-backups.sopsFile = inputs.self.secretsDir + /rustic.yaml;
|
||||
services.rustic.backups = rec {
|
||||
nas-backup = {
|
||||
backup = true;
|
||||
|
@ -31,6 +31,7 @@ in {
|
||||
customProfiles.radicale
|
||||
customProfiles.spdf
|
||||
customProfiles.tinyproxy
|
||||
customProfiles.vault
|
||||
customProfiles.vaultwarden
|
||||
customProfiles.vscode-server
|
||||
customProfiles.webhooks
|
||||
@ -43,7 +44,7 @@ in {
|
||||
})
|
||||
|
||||
(import customProfiles.headscale {
|
||||
inherit config pkgs inputs;
|
||||
inherit config pkgs lib inputs;
|
||||
inherit (import ./dns-mapping.nix) headscale-list;
|
||||
})
|
||||
];
|
||||
@ -55,9 +56,23 @@ in {
|
||||
ram = 12;
|
||||
fileSystem = "zfs";
|
||||
};
|
||||
deviceSpecific.isServer = true;
|
||||
deviceSpecific.enableVirtualisation = true;
|
||||
deviceSpecific.vpn.tailscale.enable = true;
|
||||
deviceSpecific.isServer = true;
|
||||
# Tailscale auto-login
|
||||
services.headscale-auth.home-hypervisor = {
|
||||
outPath = "/tmp/hypervisor-authkey";
|
||||
before = [ "tailscaled-autoconnect.service" ];
|
||||
};
|
||||
services.tailscale = {
|
||||
authKeyFile = "/tmp/hypervisor-authkey";
|
||||
extraUpFlags = [
|
||||
"--login-server=https://wg.ataraxiadev.com"
|
||||
"--accept-dns=false"
|
||||
"--advertise-exit-node=false"
|
||||
"--operator=${config.mainuser}"
|
||||
];
|
||||
};
|
||||
|
||||
zramSwap = {
|
||||
enable = true;
|
||||
@ -132,6 +147,8 @@ in {
|
||||
127.0.0.1 code.ataraxiadev.com
|
||||
127.0.0.1 cache.ataraxiadev.com
|
||||
127.0.0.1 s3.ataraxiadev.com
|
||||
127.0.0.1 wg.ataraxiadev.com
|
||||
127.0.0.1 vault.ataraxiadev.com
|
||||
'';
|
||||
|
||||
nix.optimise.automatic = false;
|
||||
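Review bot: The Tailscale pre-auth key is handed off through a fixed, predictable path in the shared temp directory (`outPath = "/tmp/hypervisor-authkey";` and `authKeyFile = "/tmp/hypervisor-authkey";`), so any local user can pre-create that name or a symlink before `headscale-auth` runs, and whether the key ends up readable by others depends on a file mode this hunk does not show. A path only root-owned services can reach is safer, e.g. `outPath = "/run/headscale-auth/hypervisor-authkey";` and `authKeyFile = "/run/headscale-auth/hypervisor-authkey";`, with the directory created 0700 and the key file 0600; also confirm that `tailscaled` is not sandboxed with `PrivateTmp`, since it would then never see a key placed in `/tmp` and the node would silently stay unauthenticated. Presumably the key is a single-use or ephemeral headscale pre-auth key; if it is reusable, a leak lets anyone register a device on the tailnet, so that property deserves a comment next to `services.headscale-auth.home-hypervisor`. The `--operator=${config.mainuser}` flag hands the unprivileged main user control of the daemon, which looks intentional but is worth stating in a comment too. The enclosing host module starts and ends outside this hunk.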
|
@ -28,6 +28,7 @@
|
||||
{ name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
|
||||
{ name = "tools.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
|
||||
{ name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
|
||||
{ name = "vault.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
|
||||
{ name = "vw.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
|
||||
{ name = "wiki.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
|
||||
|
||||
@ -59,10 +60,17 @@
|
||||
{ name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
|
||||
{ name = "tools.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
|
||||
{ name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
|
||||
{ name = "vault.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
|
||||
{ name = "vw.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
|
||||
{ name = "wiki.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
|
||||
];
|
||||
dnsmasq-list = [
|
||||
# TODO: Fix dns resolution in blocky for unmapped subdomains of ataraxiadev.com
|
||||
"/element.ataraxiadev.com/83.138.55.118"
|
||||
"/matrix.ataraxiadev.com/83.138.55.118"
|
||||
"/stats.ataraxiadev.com/83.138.55.118"
|
||||
"/turn.ataraxiadev.com/83.138.55.118"
|
||||
|
||||
"/api.ataraxiadev.com/192.168.0.10"
|
||||
"/auth.ataraxiadev.com/192.168.0.10"
|
||||
"/cache.ataraxiadev.com/192.168.0.10"
|
||||
@ -86,6 +94,7 @@
|
||||
"/s3.ataraxiadev.com/192.168.0.10"
|
||||
"/sonarr.ataraxiadev.com/192.168.0.10"
|
||||
"/tools.ataraxiadev.com/192.168.0.10"
|
||||
"/vault.ataraxiadev.com/192.168.0.10"
|
||||
"/vw.ataraxiadev.com/192.168.0.10"
|
||||
"/wiki.ataraxiadev.com/192.168.0.10"
|
||||
];
|
||||
|
@ -1,6 +1,6 @@
|
||||
{ config, inputs, ... }: {
|
||||
sops.secrets.rustic-vps-pass.sopsFile = inputs.self.secretsDir + /backup-conf.yaml;
|
||||
sops.secrets.rclone-rustic-backups.sopsFile = inputs.self.secretsDir + /backup-conf.yaml;
|
||||
sops.secrets.rustic-vps-pass.sopsFile = inputs.self.secretsDir + /rustic.yaml;
|
||||
sops.secrets.rclone-rustic-backups.sopsFile = inputs.self.secretsDir + /rustic.yaml;
|
||||
services.rustic.backups = rec {
|
||||
vps-backup = {
|
||||
backup = true;
|
||||
|
320
modules/authentik.nix
320
modules/authentik.nix
@ -0,0 +1,320 @@
|
||||
# Thanks for original module, anpin! https://gist.github.com/anpin/ecbdb6625400908856ef9482eca3380c
|
||||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
cfg = config.services.authentik;
|
||||
databaseActuallyCreateLocally = cfg.database.createLocally
|
||||
&& cfg.database.host == "/run/postgresql";
|
||||
|
||||
inherit (lib)
|
||||
mkIf mkEnableOption mkOption types mdDoc literalExpression optional attrsets;
|
||||
inherit (attrsets) optionalAttrs;
|
||||
inherit (types) str bool port submodule package nullOr path enum;
|
||||
|
||||
hostWithPort = h: p: "${h}:${toString p}";
|
||||
|
||||
authentikBaseService = {
|
||||
after = [ "network.target" ]
|
||||
++ optional databaseActuallyCreateLocally "postgresql.service";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = [ cfg.package ];
|
||||
environment = let
|
||||
listenAddress = hostWithPort cfg.listen.address;
|
||||
in {
|
||||
AUTHENTIK_REDIS__HOST = cfg.redis.host;
|
||||
AUTHENTIK_REDIS__PORT = toString cfg.redis.port;
|
||||
|
||||
AUTHENTIK_POSTGRESQL__HOST = cfg.database.host;
|
||||
AUTHENTIK_POSTGRESQL__PORT = mkIf (cfg.database.port != null) "${toString cfg.database.port}";
|
||||
AUTHENTIK_POSTGRESQL__USER = cfg.database.user;
|
||||
AUTHENTIK_POSTGRESQL__NAME = cfg.database.name;
|
||||
|
||||
AUTHENTIK_LISTEN__HTTP = listenAddress cfg.listen.http;
|
||||
AUTHENTIK_LISTEN__HTTPS = listenAddress cfg.listen.https;
|
||||
|
||||
# initial password for admin user
|
||||
AUTHENTIK_BOOTSTRAP_PASSWORD = cfg.defaultPassword;
|
||||
|
||||
# disable outbound connections
|
||||
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
|
||||
AUTHENTIK_ERROR_REPORTING__ENABLED = "false";
|
||||
AUTHENTIK_DISABLE_STARTUP_ANALYTICS = "true";
|
||||
AUTHENTIK_AVATARS = "initials";
|
||||
|
||||
AUTHENTIK_LOG_LEVEL = cfg.logLevel;
|
||||
};
|
||||
serviceConfig = {
|
||||
User = "authentik";
|
||||
Group = "authentik";
|
||||
EnvironmentFile = cfg.environmentFile;
|
||||
WorkingDirectory = cfg.package;
|
||||
DynamicUser = true;
|
||||
RuntimeDirectory = "authentik";
|
||||
NoNewPrivileges = true;
|
||||
PrivateTmp = true;
|
||||
ProtectHome = true;
|
||||
ProtectSystem = "strict";
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectControlGroups = true;
|
||||
SystemCallFilter= "~@cpu-emulation @keyring @module @obsolete @raw-io @reboot @swap @sync";
|
||||
ConfigurationDirectory = "authentik";
|
||||
StateDirectoryMode = "0750";
|
||||
};
|
||||
};
|
||||
in {
|
||||
options.services.authentik = {
|
||||
enable = mkEnableOption "Enables Authentik service";
|
||||
|
||||
package = mkOption {
|
||||
type = package;
|
||||
default = pkgs.authentik;
|
||||
defaultText = literalExpression "pkgs.authentik";
|
||||
description = mdDoc "Authentik package to use.";
|
||||
};
|
||||
|
||||
defaultPassword = mkOption {
|
||||
description = mdDoc "Default admin password. Only read on first startup.";
|
||||
type = str;
|
||||
default = "change-me";
|
||||
};
|
||||
|
||||
logLevel = mkOption {
|
||||
description = mdDoc
|
||||
"Log level for the server and worker containers. Setting the log level to trace will include sensitive details in logs, so it shouldn't be used in most cases.";
|
||||
type = enum [ "trace" "debug" "info" "warning" "error" ];
|
||||
default = "info";
|
||||
};
|
||||
|
||||
listen = mkOption {
|
||||
description = mdDoc "Listen ports";
|
||||
default = { };
|
||||
type = submodule {
|
||||
options = {
|
||||
http = mkOption {
|
||||
description = mdDoc "HTTP port.";
|
||||
type = port;
|
||||
default = 9000;
|
||||
};
|
||||
https = mkOption {
|
||||
description = mdDoc "HTTPS port.";
|
||||
type = port;
|
||||
default = 9443;
|
||||
};
|
||||
address = mkOption {
|
||||
description = mdDoc "Address to listen on.";
|
||||
type = str;
|
||||
default = "0.0.0.0";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
redis = {
|
||||
createLocally = mkOption {
|
||||
description = mdDoc "Configure local Redis server for Authentik.";
|
||||
type = bool;
|
||||
default = true;
|
||||
};
|
||||
|
||||
host = mkOption {
|
||||
description = mdDoc "Redis host.";
|
||||
type = str;
|
||||
default = "127.0.0.1";
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
description = mdDoc "Redis port.";
|
||||
type = port;
|
||||
default = 31637;
|
||||
};
|
||||
};
|
||||
ssl = {
|
||||
cert = mkOption {
|
||||
type = nullOr path;
|
||||
default = null;
|
||||
};
|
||||
|
||||
key = mkOption {
|
||||
type = nullOr path;
|
||||
default = null;
|
||||
};
|
||||
|
||||
name = mkOption {
|
||||
type = str;
|
||||
default = "SSL from NIXOS";
|
||||
};
|
||||
};
|
||||
|
||||
environmentFile = mkOption {
|
||||
type = nullOr path;
|
||||
default = null;
|
||||
example = "/var/lib/authentik/secrets/db-password";
|
||||
description = mdDoc ''
|
||||
Environment variables including :
|
||||
- Secret key used for cookie signing and unique user IDs, don't change this after the first install.
|
||||
'';
|
||||
};
|
||||
|
||||
database = {
|
||||
createLocally = mkOption {
|
||||
description =
|
||||
mdDoc "Configure local PostgreSQL database server for authentik.";
|
||||
type = bool;
|
||||
default = true;
|
||||
};
|
||||
|
||||
host = mkOption {
|
||||
type = str;
|
||||
default = "/run/postgresql";
|
||||
example = "192.168.23.42";
|
||||
description = mdDoc "Database host address or unix socket.";
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
type = nullOr port;
|
||||
default = if cfg.database.createLocally then null else 5432;
|
||||
defaultText = literalExpression ''
|
||||
if config.database.createLocally then null else 5432
|
||||
'';
|
||||
description = mdDoc "Database host port.";
|
||||
};
|
||||
|
||||
name = mkOption {
|
||||
type = str;
|
||||
default = "authentik";
|
||||
description = mdDoc "Database name.";
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
type = str;
|
||||
default = "authentik";
|
||||
description = mdDoc "Database user.";
|
||||
};
|
||||
};
|
||||
|
||||
outposts = mkOption {
|
||||
type = submodule {
|
||||
options = {
|
||||
ldap = mkOption {
|
||||
type = submodule {
|
||||
options = {
|
||||
enable =
|
||||
mkEnableOption (lib.mdDoc "the authentik ldap outpost");
|
||||
package = mkOption {
|
||||
type = path;
|
||||
default = pkgs.authentik-outposts.ldap;
|
||||
};
|
||||
host = mkOption {
|
||||
type = str;
|
||||
default = if cfg.outposts.ldap.insecure then
|
||||
"http://127.0.0.1:${toString cfg.listen.http}"
|
||||
else
|
||||
"https://127.0.0.1:${toString cfg.listen.https}";
|
||||
};
|
||||
insecure = mkOption {
|
||||
type = bool;
|
||||
default = false;
|
||||
};
|
||||
environmentFile = mkOption {
|
||||
type = nullOr path;
|
||||
default = null;
|
||||
example = "/var/lib/authentik-ldap/secrets/env";
|
||||
description = mdDoc ''
|
||||
Environment variables including :
|
||||
- API TOKEN
|
||||
'';
|
||||
};
|
||||
listen = mkOption {
|
||||
description = mdDoc "Listen ports";
|
||||
default = { };
|
||||
type = submodule {
|
||||
options = {
|
||||
ldap = mkOption {
|
||||
description = mdDoc "LDAP port.";
|
||||
type = port;
|
||||
default = 3389;
|
||||
};
|
||||
ldaps = mkOption {
|
||||
description = mdDoc "LDAPS port.";
|
||||
type = port;
|
||||
default = 6636;
|
||||
};
|
||||
address = mkOption {
|
||||
description = mdDoc "Address to listen on.";
|
||||
type = str;
|
||||
default = "0.0.0.0";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
default = { ldap = { enable = false; }; };
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
users.users.authentik = {
|
||||
isSystemUser = true;
|
||||
home = cfg.package;
|
||||
group = "authentik";
|
||||
};
|
||||
users.groups.authentik = { };
|
||||
|
||||
services.postgresql = mkIf databaseActuallyCreateLocally {
|
||||
enable = true;
|
||||
ensureUsers = [{
|
||||
name = cfg.database.name;
|
||||
ensureDBOwnership = true;
|
||||
}];
|
||||
ensureDatabases = [ cfg.database.name ];
|
||||
};
|
||||
|
||||
services.redis.servers.authentik =
|
||||
mkIf (cfg.redis.createLocally && cfg.redis.host == "127.0.0.1") {
|
||||
enable = true;
|
||||
port = cfg.redis.port;
|
||||
bind = "127.0.0.1";
|
||||
};
|
||||
|
||||
systemd.services.authentik-server = authentikBaseService // {
|
||||
serviceConfig = authentikBaseService.serviceConfig // {
|
||||
ExecStart = "${cfg.package}/bin/ak server";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.authentik-worker = authentikBaseService // {
|
||||
serviceConfig = authentikBaseService.serviceConfig // {
|
||||
ExecStart = "${cfg.package}/bin/ak worker";
|
||||
};
|
||||
};
|
||||
|
||||
# systemd.services.authentik-ssl-import = authentikBaseService // {
|
||||
# before = [ "authentik-server.service" ];
|
||||
# serviceConfig = authentikBaseService.serviceConfig // {
|
||||
# Type = "oneshot";
|
||||
# RemainAfterExit = true;
|
||||
# ExecStart = ''
|
||||
# ${cfg.package}/bin/ak import_certificate --name "${cfg.ssl.name}" --certificate "${cfg.ssl.cert}" --private-key "${cfg.ssl.key}"'';
|
||||
# };
|
||||
# };
|
||||
|
||||
systemd.services.authentik-ldap-outpost = let
|
||||
ldapCfg = cfg.outposts.ldap;
|
||||
in mkIf ldapCfg.enable (authentikBaseService // {
|
||||
description = "authentik ldap outpost";
|
||||
environment = let listenAddress = hostWithPort ldapCfg.listen.address;
|
||||
in {
|
||||
AUTHENTIK_HOST = ldapCfg.host;
|
||||
AUTHENTIK_LISTEN__LDAP = listenAddress ldapCfg.listen.ldap;
|
||||
AUTHENTIK_LISTEN__LDAPS = listenAddress ldapCfg.listen.ldaps;
|
||||
} // optionalAttrs ldapCfg.insecure { AUTHENTIK_INSECURE = "true"; };
|
||||
serviceConfig = authentikBaseService.serviceConfig // {
|
||||
ExecStart = "${cfg.outposts.ldap.package}/bin/ldap";
|
||||
EnvironmentFile = ldapCfg.environmentFile;
|
||||
};
|
||||
});
|
||||
};
|
||||
}
|
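--- /dev/null
+++ b/modules/headscale-auth.nix
@@ -0,0 +1,76 @@
+{ config, lib, pkgs, inputs, ... }:
+with lib;
+{
+options.services.headscale-auth = mkOption {
+description = mdDoc ''
+Request headscale auth key.
+'';
+type = types.attrsOf (types.submodule ({ cfg, name, ... }: {
+options = {
+autoStart = mkOption {
+type = types.bool;
+default = false;
+description = mdDoc "Request auth key on startup.";
+};
+ephemeral = mkOption {
+type = types.bool;
+default = false;
+description = mdDoc "Request ephemeral auth key.";
+};
+expire = mkOption {
+type = types.str;
+default = "1h";
+description = mdDoc "Auth key expiration time.";
+};
+user = mkOption {
+type = types.str;
+default = "ataraxiadev";
+description = mdDoc "Auth key user.";
+};
+outPath = mkOption {
+type = types.str;
+default = "/tmp/auth-key";
+description = mdDoc "Where to write down the auth key.";
+};
+before = mkOption {
+type = with types; listOf str;
+default = [ ];
+description = mdDoc "Start service before this services.";
+};
+};
+}));
+default = { };
+};
+config = mkIf (config.services.headscale-auth != { }) {
+sops.secrets.headscale-api-env.sopsFile = inputs.self.secretsDir + /misc.yaml;
+
+systemd.services =
+mapAttrs'
+(name: cfg: nameValuePair "headscale-auth-${name}" ({
+path = [ pkgs.headscale pkgs.jq ];
+restartIfChanged = false;
+requiredBy = cfg.before;
+before = cfg.before;
+wants = [ "network-online.target" ];
+after = [ "network-online.target" ];
+wantedBy = mkIf cfg.autoStart [ "multi-user.target" ];
+environment = {
+HEADSCALE_CLI_ADDRESS = "wg.ataraxiadev.com:443";
+};
+script = ''
+auth_key=$(headscale preauthkeys create -e ${cfg.expire} -u ${cfg.user} -o json ${optionalString cfg.ephemeral "--ephemeral"} | jq -r .key)
+if [ "$auth_key" = "null" ]; then
+echo "Cannot retrieve auth key." >&2
+exit 1
+else
+echo $auth_key > "${cfg.outPath}"
+fi
+'';
+serviceConfig = {
+EnvironmentFile = config.sops.secrets.headscale-api-env.path;
+Type = "oneshot";
+};
+})
+) config.services.headscale-auth;
+};
+}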
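Review bot: The pre-auth key is written to `/tmp/auth-key` with the service's default umask, so it lands world-readable in a shared directory and any local user can read it and enroll a node as `user`; a headscale pre-auth key is a credential, not a log line, so the default path should leave `/tmp` and the file should be created `0600`. The `"null"` test also misses the case where `headscale` itself fails: `jq -r .key` on empty input prints nothing, the `$(...)` assignment still exits 0 because only jq's status counts, and an empty key file is written that the dependent unit in `before` will then try to use; test for an empty string as well and turn on `pipefail`. Rewritten script body:

```nix
script = ''
  set -o pipefail
  auth_key=$(headscale preauthkeys create -e ${cfg.expire} -u ${cfg.user} -o json ${optionalString cfg.ephemeral "--ephemeral"} | jq -r .key)
  if [ -z "$auth_key" ] || [ "$auth_key" = "null" ]; then
    echo "Cannot retrieve auth key." >&2
    exit 1
  fi
  (umask 077; printf '%s\n' "$auth_key" > "${cfg.outPath}")
'';
```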
|
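--- /dev/null
+++ b/modules/minio-kes.nix
@@ -0,0 +1,80 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+cfg = config.services.kes;
+format = pkgs.formats.yaml { };
+configFile = format.generate "config.yaml" cfg.settings;
+port = strings.toInt (lists.last (strings.splitString ":" cfg.settings.address));
+in
+{
+options.services.kes = {
+enable = mkEnableOption (mdDoc "Minio's Key Managament Server");
+package = mkOption {
+type = types.package;
+description = mdDoc "Which package to use for the kes instance.";
+default = pkgs.minio-kes;
+};
+environmentFile = mkOption {
+type = with types; nullOr str;
+default = null;
+description = lib.mdDoc ''
+File in the format of an EnvironmentFile as described by systemd.exec(5).
+'';
+};
+settings = mkOption {
+type = format.type;
+default = { address = "0.0.0.0:7373"; };
+example = literalExpression ''
+{
+address = "0.0.0.0:7373";
+cache = {
+expiry = {
+any = "5m0s";
+unused = "20s";
+};
+};
+}
+'';
+description = mdDoc ''
+KES Configuration.
+Refer to <https://github.com/minio/kes/blob/master/server-config.yaml>
+for details on supported values.
+'';
+};
+};
+config = mkIf cfg.enable {
+systemd.services.kes = {
+description = "KES";
+wantedBy = [ "multi-user.target" ];
+wants = [ "network-online.target" ];
+after = [ "network-online.target" ];
+path = [ cfg.package ];
+serviceConfig = {
+Type = "simple";
+Restart = "always";
+ExecStart = "${cfg.package}/bin/kes server --config ${configFile}";
+User = "kes";
+Group = "kes";
+# WorkingDirectory = "/etc/kes";
+
+AmbientCapabilities = mkIf (port < 1024) ["CAP_NET_BIND_SERVICE"];
+LimitNOFILE = 65536;
+ProtectProc = "invisible";
+SendSIGKILL = "no";
+TasksMax = "infinity";
+TimeoutStopSec = "infinity";
+} // optionalAttrs (cfg.environmentFile != null) {
+EnvironmentFile = cfg.environmentFile;
+};
+};
+
+environment.systemPackages = [ cfg.package ];
+
+users.groups.kes = { };
+users.users.kes = {
+description = "KES user";
+group = "kes";
+isSystemUser = true;
+};
+};
+}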
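Review bot: `settings` defaults to `address = "0.0.0.0:7373"`, so a key-management server that hands out encryption keys is reachable on every interface the moment `enable = true` is set; for a KMS I would default to `127.0.0.1:7373` or at least say in the option description that operators must set `address`, TLS and the identity policy before enabling. The unit also runs with almost no sandboxing for a secrets-handling daemon (`ProtectProc` is the only hardening directive), so add at minimum `NoNewPrivileges = true; ProtectSystem = "strict"; PrivateTmp = true;` next to it, with a `ReadWritePaths` entry for the keystore directory if a filesystem keystore is used. Unless I misread how option defaults merge, `port` is computed from `cfg.settings.address` in the `let`, so a user-supplied `settings` that omits `address` fails evaluation at the `AmbientCapabilities` line with an attribute-missing error rather than a readable assertion; an `assertions` entry or a `cfg.settings.address or "0.0.0.0:7373"` fallback would make that clearer.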
|
@ -48,7 +48,7 @@ in
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
description = lib.mdDoc ''
|
||||
file in the format of an EnvironmentFile as described by systemd.exec(5).
|
||||
File in the format of an EnvironmentFile as described by systemd.exec(5).
|
||||
'';
|
||||
};
|
||||
adminpassFile = mkOption {
|
||||
|
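--- /dev/null
+++ b/modules/rustic-postgresql.nix
@@ -0,0 +1,71 @@
+{ config, lib, pkgs, inputs, ... }:
+with lib;
+{
+options.backups.postgresql = mkOption {
+description = mdDoc ''
+Periodic backups of postgresql database to create with Rustic.
+'';
+type = types.attrsOf (types.submodule ({ config, name, ... }: {
+options = {
+dbName = mkOption {
+type = types.str;
+default = name;
+};
+proxyAddress = mkOption {
+type = with types; nullOr str;
+default = "http://192.168.0.6:8888";
+};
+};
+}));
+default = { };
+};
+config = mkIf (config.backups.postgresql != { }) {
+sops.secrets.rclone-postgresql-backups.sopsFile = inputs.self.secretsDir + /rustic.yaml;
+sops.secrets.rustic-postgresql-pass.sopsFile = inputs.self.secretsDir + /rustic.yaml;
+sops.secrets.rclone-postgresql-backups.owner = "postgres";
+sops.secrets.rustic-postgresql-pass.owner = "postgres";
+
+services.rustic.backups =
+mapAttrs'
+(name: backup: nameValuePair "postgresql-${name}" ({
+backup = true;
+prune = true;
+initialize = true;
+user = "postgres";
+extraEnvironment.https_proxy = mkIf (backup.proxyAddress != null) backup.proxyAddress;
+rcloneConfigFile = config.sops.secrets.rclone-postgresql-backups.path;
+rcloneOptions = { fast-list = true; };
+pruneOpts = [ "--repack-cacheable-only=false" ];
+timerConfig = {
+OnCalendar = "daily";
+Persistent = true;
+};
+# Backup postgresql db and pass it to rustic through stdin
+backupCommandPrefix = "${config.services.postgresql.package}/bin/pg_dump ${backup.dbName} | ${pkgs.zstd}/bin/zstd --rsyncable --stdout - |";
+extraBackupArgs = [ "-" ];
+# Rustic profile yaml
+settings = {
+repository = {
+repository = "rclone:postgresql-backups:postgresql-backups/${backup.dbName}";
+password-file = config.sops.secrets.rustic-postgresql-pass.path;
+};
+backup = {
+host = config.device;
+label = backup.dbName;
+ignore-devid = true;
+group-by = "label";
+stdin-filename = "${backup.dbName}.dump.zst";
+};
+forget = {
+filter-label = [ backup.dbName ];
+group-by = "label";
+prune = true;
+keep-daily = 4;
+keep-weekly = 2;
+keep-monthly = 1;
+};
+};
+})
+) config.backups.postgresql;
+};
+}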
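Review bot: `proxyAddress` defaults to a site-specific `http://192.168.0.6:8888` inside a reusable module, so every host that imports it silently routes its backup upload through that proxy unless the option is explicitly set to `null`; default it to `null` and set the address in the host profile that needs it. The dump pipeline in `backupCommandPrefix` carries no error signal of its own: if `pg_dump` dies mid-stream, `zstd` still exits 0 and rustic happily stores a truncated dump, and the same run then executes `forget --prune` with `keep-daily = 4`, so a few consecutive broken dumps evict the last good snapshot — worth a `backupPrepareCommand` that checks the database is reachable, or a `check` that reads the data back. `dbName` is also interpolated into the shell line unquoted; fine for the default `name`, but write `pg_dump '${backup.dbName}'` so an attribute name with unusual characters cannot split the command.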
|
@ -176,6 +176,21 @@ in
|
||||
];
|
||||
};
|
||||
|
||||
backupCommandPrefix = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description = lib.mdDoc ''
|
||||
Prefix for backup command.
|
||||
'';
|
||||
};
|
||||
|
||||
backupCommandSuffix = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description = lib.mdDoc ''
|
||||
Suffix for backup command.
|
||||
'';
|
||||
};
|
||||
|
||||
backupPrepareCommand = mkOption {
|
||||
type = with types; nullOr str;
|
||||
@ -224,10 +239,6 @@ in
|
||||
profile = settingsFormat.generate "${name}.toml" backup.settings;
|
||||
extraOptions = concatMapStrings (arg: " -o ${arg}") backup.extraOptions;
|
||||
rusticCmd = "${backup.package}/bin/rustic -P ${lib.strings.removeSuffix ".toml" profile}${extraOptions}";
|
||||
pruneCmd = optionals (backup.prune) [
|
||||
(rusticCmd + " forget --prune " + (concatStringsSep " " backup.pruneOpts))
|
||||
(rusticCmd + " check " + (concatStringsSep " " backup.checkOpts))
|
||||
];
|
||||
# Helper functions for rclone remotes
|
||||
rcloneAttrToOpt = v: "RCLONE_" + toUpper (builtins.replaceStrings [ "-" ] [ "_" ] v);
|
||||
toRcloneVal = v: if lib.isBool v then lib.boolToString v else v;
|
||||
@ -247,10 +258,17 @@ in
|
||||
restartIfChanged = false;
|
||||
wants = [ "network-online.target" ];
|
||||
after = [ "network-online.target" ];
|
||||
script = ''
|
||||
${optionalString (backup.backup) ''
|
||||
${backup.backupCommandPrefix} ${rusticCmd} backup ${concatStringsSep " " backup.extraBackupArgs} ${backup.backupCommandSuffix}
|
||||
''}
|
||||
${optionalString (backup.prune) ''
|
||||
${rusticCmd} forget --prune ${concatStringsSep " " backup.pruneOpts}
|
||||
${rusticCmd} check ${concatStringsSep " " backup.checkOpts}
|
||||
''}
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
ExecStart = (optionals backup.backup [ "${rusticCmd} backup ${concatStringsSep " " backup.extraBackupArgs}" ])
|
||||
++ pruneCmd;
|
||||
User = backup.user;
|
||||
RuntimeDirectory = "rustic-backups-${name}";
|
||||
CacheDirectory = "rustic-backups-${name}";
|
||||
@ -265,7 +283,7 @@ in
|
||||
${pkgs.writeScript "backupPrepareCommand" backup.backupPrepareCommand}
|
||||
''}
|
||||
${optionalString (backup.initialize) ''
|
||||
${rusticCmd} snapshots || ${rusticCmd} init ${concatStringsSep " " backup.initializeOpts}
|
||||
${rusticCmd} init ${concatStringsSep " " backup.initializeOpts} || true
|
||||
''}
|
||||
'';
|
||||
} // optionalAttrs (backup.backupCleanupCommand != null) {
|
||||
|
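Review bot: The new `script` runs the backup as a shell pipeline (`${backup.backupCommandPrefix} ${rusticCmd} backup …`) but never enables `pipefail`, and NixOS runs `script` with `-e` only, so a failing producer in the prefix (the postgresql profile's `pg_dump`) is masked by the exit status of `rustic backup`: rustic stores whatever truncated stream it received, exits 0, and the `forget --prune` that follows in the same script then evicts older good snapshots. Add `set -o pipefail` as the first line of `script` so the unit fails before pruning. The `initialize` change to `${rusticCmd} init … || true` also swallows real failures (wrong `password-file`, unreachable repository) that the previous `snapshots || init` form surfaced; they now appear only at the backup step with a less specific error, so consider keeping the probe and only ignoring the "already initialized" case. The enclosing service definition and its `let` block begin outside the hunk.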
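--- /dev/null
+++ b/modules/s3-sync.nix
@@ -0,0 +1,101 @@
+{ config, lib, pkgs, utils, ... }:
+with lib;
+let
+inherit (utils.systemdUtils.unitOptions) unitOption;
+in {
+options.backups.rclone-sync = mkOption {
+description = mdDoc ''
+Sync buckets beetween two storages.
+'';
+type = types.attrsOf (types.submodule ({ config, name, ... }: {
+options = {
+rcloneConfigFile = mkOption {
+type = with types; nullOr path;
+default = null;
+description = mdDoc ''
+Path to the file containing rclone configuration. This file
+must contain configuration for the remotes specified in this backup
+set and also must be readable by root.
+'';
+};
+syncOpts = mkOption {
+type = with types; listOf str;
+default = [ "--checksum" "--fast-list" ];
+description = mdDoc ''
+A list of options for 'rclone sync'.
+'';
+};
+syncTargets = mkOption {
+type = with types; listOf (submodule {
+options = {
+source = mkOption {
+type = types.str;
+default = "";
+description = mdDoc "Source to sync.";
+};
+target = mkOption {
+type = types.str;
+default = "";
+description = mdDoc "Target to sync.";
+};
+};
+});
+default = { };
+description = mdDoc ''
+List of sync targets.
+'';
+};
+timerConfig = mkOption {
+type = types.attrsOf unitOption;
+default = {
+OnCalendar = "06:15";
+RandomizedDelaySec = "15m";
+Persistent = true;
+};
+description = lib.mdDoc ''
+When to run the backup. See {manpage}`systemd.timer(5)` for details.
+'';
+};
+proxyAddress = mkOption {
+type = with types; nullOr str;
+default = "http://192.168.0.6:8888";
+};
+};
+}));
+default = { };
+};
+config = mkIf (config.backups.rclone-sync != { }) {
+systemd.services =
+mapAttrs'
+(name: backup: nameValuePair "rclone-sync-${name}" ({
+path = [ pkgs.rclone ];
+restartIfChanged = false;
+wants = [ "network-online.target" ];
+after = [ "network-online.target" ];
+environment = {
+RCLONE_CONFIG = backup.rcloneConfigFile;
+https_proxy = mkIf (backup.proxyAddress != null) backup.proxyAddress;
+};
+script = lib.pipe backup.syncTargets [
+(map (v: "rclone sync ${concatStringsSep " " backup.syncOpts} ${v.source} ${v.target}"))
+(lib.concatStringsSep "\n")
+];
+serviceConfig = {
+Type = "oneshot";
+RuntimeDirectory = "rclone-sync-${name}";
+CacheDirectory = "rclone-sync-${name}";
+CacheDirectoryMode = "0700";
+PrivateTmp = true;
+};
+})
+) config.backups.rclone-sync;
+
+systemd.timers =
+mapAttrs'
+(name: backup: nameValuePair "rclone-sync-${name}" {
+wantedBy = [ "timers.target" ];
+timerConfig = backup.timerConfig;
+})
+config.backups.rclone-sync;
+};
+}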
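Review bot: `syncTargets` is typed `listOf (submodule …)` but its default is `{ }`, so any sync set that leaves it unset fails the module type check at evaluation time; the default should be `[ ]`. `source` and `target` are interpolated into the shell line unquoted, so a remote path containing a space splits into extra arguments — write `rclone sync ${concatStringsSep " " backup.syncOpts} ${escapeShellArg v.source} ${escapeShellArg v.target}`. Note also that `rclone sync` mirrors deletions: whatever is removed from, or encrypted in place at, the source is removed from the target on the next 06:15 run, so if the target is meant as a backup copy add `--backup-dir` (or rely on bucket versioning) so overwritten and deleted objects survive, and be aware the unit runs as root with `PrivateTmp` as its only sandboxing while holding the rclone credentials.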
|
314
patches/authentik-271885.patch
Normal file
314
patches/authentik-271885.patch
Normal file
@ -0,0 +1,314 @@
|
||||
diff --git a/pkgs/by-name/au/authentik/ldap.nix b/pkgs/by-name/au/authentik/ldap.nix
|
||||
new file mode 100644
|
||||
index 000000000000..7945c3021dfd
|
||||
--- /dev/null
|
||||
+++ b/pkgs/by-name/au/authentik/ldap.nix
|
||||
@@ -0,0 +1,18 @@
|
||||
+{ lib, buildGoModule, authentik }:
|
||||
+
|
||||
+buildGoModule {
|
||||
+ pname = "authentik-ldap-outpost";
|
||||
+ inherit (authentik) version src;
|
||||
+
|
||||
+ vendorHash = "sha256-8F9emmQmbe7R+xtGrjV5ht0adGasU6WAvLa8Wxr+j8M=";
|
||||
+
|
||||
+ CGO_ENABLED = 0;
|
||||
+
|
||||
+ subPackages = [ "cmd/ldap" ];
|
||||
+
|
||||
+ meta = authentik.meta // {
|
||||
+ description = "The authentik ldap outpost. Needed for the extendal ldap API.";
|
||||
+ homepage = "https://goauthentik.io/docs/providers/ldap/";
|
||||
+ mainProgram = "ldap";
|
||||
+ };
|
||||
+}
|
||||
diff --git a/pkgs/by-name/au/authentik/outposts.nix b/pkgs/by-name/au/authentik/outposts.nix
|
||||
new file mode 100644
|
||||
index 000000000000..05649628b3e8
|
||||
--- /dev/null
|
||||
+++ b/pkgs/by-name/au/authentik/outposts.nix
|
||||
@@ -0,0 +1,5 @@
|
||||
+{ callPackage }:
|
||||
+
|
||||
+{
|
||||
+ ldap = callPackage ./ldap.nix { };
|
||||
+}
|
||||
diff --git a/pkgs/by-name/au/authentik/package.nix b/pkgs/by-name/au/authentik/package.nix
|
||||
new file mode 100644
|
||||
index 000000000000..8fca47e7ec28
|
||||
--- /dev/null
|
||||
+++ b/pkgs/by-name/au/authentik/package.nix
|
||||
@@ -0,0 +1,248 @@
|
||||
+{ lib
|
||||
+, stdenvNoCC
|
||||
+, fetchFromGitHub
|
||||
+, buildNpmPackage
|
||||
+, buildGoModule
|
||||
+, runCommand
|
||||
+, openapi-generator-cli
|
||||
+, nodejs
|
||||
+, python3
|
||||
+, codespell
|
||||
+, makeWrapper }:
|
||||
+
|
||||
+let
|
||||
+ version = "2023.10.6";
|
||||
+
|
||||
+ src = fetchFromGitHub {
|
||||
+ owner = "goauthentik";
|
||||
+ repo = "authentik";
|
||||
+ rev = "version/${version}";
|
||||
+ hash = "sha256-N6FeNUlenbBQPAAUSqC+2GWFfte3G+Zfu5KGVJOqNZQ=";
|
||||
+ };
|
||||
+
|
||||
+ website = buildNpmPackage {
|
||||
+ pname = "authentik-website";
|
||||
+ inherit version src;
|
||||
+ npmDepsHash = "sha256-4dgFxEvMnp+35nSQNsEchtN1qoS5X2KzEbLPvMnyR+k=";
|
||||
+
|
||||
+ NODE_ENV = "production";
|
||||
+ NODE_OPTIONS = "--openssl-legacy-provider";
|
||||
+
|
||||
+ postPatch = ''
|
||||
+ cd website
|
||||
+ '';
|
||||
+
|
||||
+ installPhase = ''
|
||||
+ cp -r help $out
|
||||
+ '';
|
||||
+
|
||||
+ npmInstallFlags = [ "--include=dev" ];
|
||||
+ npmBuildScript = "build-docs-only";
|
||||
+ };
|
||||
+
|
||||
+ clientapi = stdenvNoCC.mkDerivation {
|
||||
+ pname = "authentik-client-api";
|
||||
+ inherit version src;
|
||||
+
|
||||
+ postPatch = ''
|
||||
+ rm Makefile
|
||||
+
|
||||
+ substituteInPlace ./scripts/api-ts-config.yaml \
|
||||
+ --replace '/local' "$(pwd)/"
|
||||
+ '';
|
||||
+
|
||||
+ nativeBuildInputs = [ openapi-generator-cli ];
|
||||
+ buildPhase = ''
|
||||
+ runHook preBuild
|
||||
+ openapi-generator-cli generate -i ./schema.yml \
|
||||
+ -g typescript-fetch -o $out \
|
||||
+ -c ./scripts/api-ts-config.yaml \
|
||||
+ --additional-properties=npmVersion=${nodejs.pkgs.npm.version} \
|
||||
+ --git-repo-id authentik --git-user-id goauthentik
|
||||
+ runHook postBuild
|
||||
+ '';
|
||||
+ };
|
||||
+
|
||||
+ webui = buildNpmPackage {
|
||||
+ pname = "authentik-webui";
|
||||
+ inherit version;
|
||||
+
|
||||
+ src = runCommand "authentik-webui-source" {} ''
|
||||
+ mkdir -p $out/web/node_modules/@goauthentik/
|
||||
+ cp -r ${src}/web $out/
|
||||
+ ln -s ${src}/website $out/
|
||||
+ ln -s ${clientapi} $out/web/node_modules/@goauthentik/api
|
||||
+ '';
|
||||
+ npmDepsHash = "sha256-5aCKlArtoEijGqeYiY3zoV0Qo7/Xt5hSXbmy2uYZpok=";
|
||||
+
|
||||
+ postPatch = ''
|
||||
+ cd web
|
||||
+ '';
|
||||
+
|
||||
+ installPhase = ''
|
||||
+ runHook preInstall
|
||||
+ mkdir $out
|
||||
+ cp -r dist $out/dist
|
||||
+ cp -r authentik $out/authentik
|
||||
+ runHook postInstall
|
||||
+ '';
|
||||
+
|
||||
+ NODE_ENV = "production";
|
||||
+ NODE_OPTIONS = "--openssl-legacy-provider";
|
||||
+
|
||||
+ npmInstallFlags = [ "--include=dev" ];
|
||||
+ };
|
||||
+
|
||||
+ python = python3.override {
|
||||
+ self = python;
|
||||
+ packageOverrides = final: prev: {
|
||||
+ authentik-django = prev.buildPythonPackage {
|
||||
+ pname = "authentik-django";
|
||||
+ inherit version src;
|
||||
+ pyproject = true;
|
||||
+
|
||||
+ postPatch = ''
|
||||
+ substituteInPlace authentik/root/settings.py \
|
||||
+ --replace 'Path(__file__).absolute().parent.parent.parent' "\"$out\""
|
||||
+ substituteInPlace authentik/lib/default.yml \
|
||||
+ --replace '/blueprints' "$out/blueprints"
|
||||
+ sed -i '/dumb-init/d' pyproject.toml
|
||||
+ sed -i '/djangorestframework-guardian/d' pyproject.toml
|
||||
+ '';
|
||||
+
|
||||
+ nativeBuildInputs = [ prev.poetry-core ];
|
||||
+ propagatedBuildInputs = with prev; [
|
||||
+ argon2-cffi
|
||||
+ celery
|
||||
+ channels
|
||||
+ channels-redis
|
||||
+ colorama
|
||||
+ dacite
|
||||
+ daphne
|
||||
+ deepmerge
|
||||
+ defusedxml
|
||||
+ django
|
||||
+ django-filter
|
||||
+ django-guardian
|
||||
+ django-model-utils
|
||||
+ django-prometheus
|
||||
+ django-redis
|
||||
+ djangorestframework
|
||||
+ djangorestframework-guardian2
|
||||
+ docker
|
||||
+ drf-spectacular
|
||||
+ duo-client
|
||||
+ facebook-sdk
|
||||
+ flower
|
||||
+ geoip2
|
||||
+ gunicorn
|
||||
+ httptools
|
||||
+ kubernetes
|
||||
+ ldap3
|
||||
+ lxml
|
||||
+ opencontainers
|
||||
+ packaging
|
||||
+ paramiko
|
||||
+ psycopg
|
||||
+ pycryptodome
|
||||
+ pydantic
|
||||
+ pydantic-scim
|
||||
+ pyjwt
|
||||
+ pyyaml
|
||||
+ requests-oauthlib
|
||||
+ sentry-sdk
|
||||
+ structlog
|
||||
+ swagger-spec-validator
|
||||
+ twilio
|
||||
+ twisted
|
||||
+ ua-parser
|
||||
+ urllib3
|
||||
+ uvicorn
|
||||
+ uvloop
|
||||
+ watchdog
|
||||
+ webauthn
|
||||
+ websockets
|
||||
+ wsproto
|
||||
+ xmlsec
|
||||
+ zxcvbn
|
||||
+ jsonpatch
|
||||
+ ] ++ [
|
||||
+ codespell
|
||||
+ ];
|
||||
+
|
||||
+ postInstall = ''
|
||||
+ mkdir -p $out/web $out/website
|
||||
+ cp -r lifecycle manage.py $out/${prev.python.sitePackages}/
|
||||
+ cp -r blueprints $out/
|
||||
+ cp -r ${webui}/dist ${webui}/authentik $out/web/
|
||||
+ cp -r ${website} $out/website/help
|
||||
+ ln -s $out/${prev.python.sitePackages}/lifecycle $out/lifecycle
|
||||
+ '';
|
||||
+ };
|
||||
+ };
|
||||
+ };
|
||||
+
|
||||
+ inherit (python.pkgs) authentik-django;
|
||||
+
|
||||
+ proxy = buildGoModule {
|
||||
+ pname = "authentik-proxy";
|
||||
+ inherit version src;
|
||||
+
|
||||
+ postPatch = ''
|
||||
+ substituteInPlace internal/gounicorn/gounicorn.go \
|
||||
+ --replace './lifecycle' "${authentik-django}/lifecycle"
|
||||
+ substituteInPlace web/static.go \
|
||||
+ --replace './web' "${authentik-django}/web"
|
||||
+ substituteInPlace internal/web/static.go \
|
||||
+ --replace './web' "${authentik-django}/web"
|
||||
+ '';
|
||||
+
|
||||
+ CGO_ENABLED = 0;
|
||||
+
|
||||
+ vendorHash = "sha256-8F9emmQmbe7R+xtGrjV5ht0adGasU6WAvLa8Wxr+j8M=";
|
||||
+
|
||||
+ postInstall = ''
|
||||
+ mv $out/bin/server $out/bin/authentik
|
||||
+ '';
|
||||
+
|
||||
+ subPackages = [ "cmd/server" ];
|
||||
+ };
|
||||
+
|
||||
+in stdenvNoCC.mkDerivation {
|
||||
+ pname = "authentik";
|
||||
+ inherit src version;
|
||||
+
|
||||
+ postPatch = ''
|
||||
+ rm Makefile
|
||||
+ patchShebangs lifecycle/ak
|
||||
+
|
||||
+ # This causes issues in systemd services
|
||||
+ substituteInPlace lifecycle/ak \
|
||||
+ --replace 'printf' '>&2 printf' \
|
||||
+ --replace '> /dev/stderr' ""
|
||||
+ '';
|
||||
+
|
||||
+ installPhase = ''
|
||||
+ runHook preInstall
|
||||
+ mkdir -p $out/bin
|
||||
+ cp -r lifecycle/ak $out/bin/
|
||||
+
|
||||
+ wrapProgram $out/bin/ak \
|
||||
+ --prefix PATH : ${lib.makeBinPath [ (python.withPackages (ps: [ps.authentik-django])) proxy ]} \
|
||||
+ --set TMPDIR /dev/shm \
|
||||
+ --set PYTHONDONTWRITEBYTECODE 1 \
|
||||
+ --set PYTHONUNBUFFERED 1
|
||||
+ runHook postInstall
|
||||
+ '';
|
||||
+
|
||||
+ nativeBuildInputs = [ makeWrapper ];
|
||||
+
|
||||
+ meta = with lib; {
|
||||
+ description = "The authentication glue you need";
|
||||
+ changelog = "https://github.com/goauthentik/authentik/releases/tag/version%2F${version}";
|
||||
+ homepage = "https://goauthentik.io/";
|
||||
+ license = licenses.mit;
|
||||
+ maintainers = with maintainers; [ jvanbruegge ];
|
||||
+ mainProgram = "ak";
|
||||
+ };
|
||||
+}
|
||||
diff --git a/pkgs/tools/networking/openapi-generator-cli/default.nix b/pkgs/tools/networking/openapi-generator-cli/default.nix
|
||||
index 2edba9a26eb6..fed141f9c1e1 100644
|
||||
--- a/pkgs/tools/networking/openapi-generator-cli/default.nix
|
||||
+++ b/pkgs/tools/networking/openapi-generator-cli/default.nix
|
||||
@@ -33,6 +33,7 @@ let this = stdenv.mkDerivation rec {
|
||||
homepage = "https://github.com/OpenAPITools/openapi-generator";
|
||||
changelog = "https://github.com/OpenAPITools/openapi-generator/releases/tag/v${version}";
|
||||
sourceProvenance = with sourceTypes; [ binaryBytecode ];
|
||||
+ mainProgram = "openapi-generator-cli";
|
||||
license = licenses.asl20;
|
||||
maintainers = with maintainers; [ shou ];
|
||||
};
|
||||
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
|
||||
index e0ca2d741d53..20687cbb509a 100644
|
||||
--- a/pkgs/top-level/all-packages.nix
|
||||
+++ b/pkgs/top-level/all-packages.nix
|
||||
@@ -3374,6 +3374,8 @@ with pkgs;
|
||||
|
||||
authelia = callPackage ../servers/authelia { };
|
||||
|
||||
+ authentik-outposts = recurseIntoAttrs (callPackages ../by-name/au/authentik/outposts.nix { });
|
||||
+
|
||||
autoflake = with python3.pkgs; toPythonApplication autoflake;
|
||||
|
||||
autospotting = callPackage ../applications/misc/autospotting { };
|
@ -5,7 +5,6 @@ let
|
||||
fonts = config.lib.base16.theme.fonts;
|
||||
profileName = config.mainuser;
|
||||
homeDir = config.home-manager.users.${profileName}.home.homeDirectory;
|
||||
profilePath = ".mozilla/firefox/${profileName}";
|
||||
mkUserJs = { prefs ? {}, extraPrefs ? "" }: ''
|
||||
${extraPrefs}
|
||||
|
||||
@ -14,9 +13,7 @@ let
|
||||
'') prefs)}
|
||||
'';
|
||||
|
||||
firefox-kpoxa = pkgs.writeShellScriptBin "firefox-kpoxa" ''
|
||||
${pkgs.firefox}/bin/firefox -profile ${homeDir}/.mozilla/firefox/kpoxa
|
||||
'';
|
||||
|
||||
in {
|
||||
services.dbus.packages = [ pkgs.firefox-wayland ];
|
||||
|
||||
@ -24,29 +21,35 @@ in {
|
||||
MOZ_USE_XINPUT2 = "1";
|
||||
MOZ_DBUS_REMOTE = "1";
|
||||
};
|
||||
# programs.browserpass.enable = true;
|
||||
|
||||
defaultApplications.browser = {
|
||||
cmd = "${pkgs.firefox}/bin/firefox";
|
||||
desktop = "firefox";
|
||||
};
|
||||
|
||||
home-manager.users.${config.mainuser} = {
|
||||
home.packages = [ firefox-kpoxa ];
|
||||
# Mailvelope GnuPG integration
|
||||
home.file.".mozilla/native-messaging-hosts/gpgmejson.json".text = ''
|
||||
{
|
||||
"name": "gpgmejson",
|
||||
"description": "JavaScript binding for GnuPG",
|
||||
"path": "${pkgs.gpgme.dev}/bin/gpgme-json",
|
||||
"type": "stdio",
|
||||
"allowed_extensions": ["jid1-AQqSMBYb0a8ADg@jetpack"]
|
||||
}
|
||||
home-manager.users.${config.mainuser} = let
|
||||
firefoxFinal = config.home-manager.users.${config.mainuser}.programs.firefox.finalPackage;
|
||||
firefox-kpoxa = pkgs.writeShellScriptBin "firefox-kpoxa" ''
|
||||
${firefoxFinal}/bin/firefox -profile ${homeDir}/.mozilla/firefox/kpoxa
|
||||
'';
|
||||
|
||||
in {
|
||||
home.packages = [ firefox-kpoxa ];
|
||||
programs.firefox = {
|
||||
enable = true;
|
||||
package = pkgs.firefox;
|
||||
package = pkgs.firefox.override {
|
||||
# Mailvelope GnuPG integration
|
||||
nativeMessagingHosts = [
|
||||
(pkgs.writeTextDir "lib/mozilla/native-messaging-hosts/gpgmejson.json" ''
|
||||
{
|
||||
"name": "gpgmejson",
|
||||
"description": "JavaScript binding for GnuPG",
|
||||
"path": "${pkgs.gpgme.dev}/bin/gpgme-json",
|
||||
"type": "stdio",
|
||||
"allowed_extensions": ["jid1-AQqSMBYb0a8ADg@jetpack"]
|
||||
}
|
||||
'')
|
||||
];
|
||||
};
|
||||
profiles = {
|
||||
${config.mainuser} = {
|
||||
id = 0;
|
||||
@ -99,7 +102,6 @@ in {
|
||||
"network.allow-experiments" = false;
|
||||
|
||||
"network.protocol-handler.external.element" = false;
|
||||
# "identity.sync.tokenserver.uri" = "https://fsync.ataraxiadev.com/1.0/sync/1.5";
|
||||
};
|
||||
extraPrefs = "${fileContents "${pkgs.arkenfox-userjs}/share/user.js/user.js"}";
|
||||
};
|
||||
|
@ -72,14 +72,11 @@ in
|
||||
vscode.monosans.djlint
|
||||
vscode.ms-python.isort
|
||||
vscode.ms-python.vscode-pylance
|
||||
vscode.thebarkman.vscode-djaneiro
|
||||
# Latex
|
||||
vscode.james-yu.latex-workshop
|
||||
# Rust
|
||||
vscode.gruntfuggly.todo-tree
|
||||
vscode.jscearcy.rust-doc-viewer
|
||||
vscode.polypus74.trusty-rusty-snippets
|
||||
vscode.rust-lang.rust-analyzer
|
||||
nixpkgs.rust-lang.rust-analyzer
|
||||
vscode.serayuzgur.crates
|
||||
vscode.tamasfe.even-better-toml
|
||||
vscode.usernamehw.errorlens
|
||||
|
@ -63,7 +63,7 @@ try:
|
||||
if temp is not None:
|
||||
print_page(temp)
|
||||
raise SystemExit(0)
|
||||
api_key = read_key('/tmp/narodmon-key')
|
||||
api_key = read_key('/run/secrets/narodmon-key')
|
||||
data['api_key'] = api_key
|
||||
response = requests.post(
|
||||
'http://narodmon.com/api',
|
||||
|
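Review bot: Moving the key to `/run/secrets/narodmon-key` takes it out of world-readable `/tmp`, but the very next statement still posts `data['api_key']` to `'http://narodmon.com/api'`, so the same key crosses the network in plaintext on every call and any on-path observer can replay it; if the service supports it, change the URL to `'https://narodmon.com/api'`. The enclosing `try:` begins outside the hunk, so I cannot see whether a missing or unreadable secret file surfaces as a clear error there or is swallowed.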
@ -31,7 +31,6 @@
|
||||
users.users.atticd = {
|
||||
isSystemUser = true;
|
||||
group = "atticd";
|
||||
hashedPassword = "$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";
|
||||
};
|
||||
|
||||
systemd.services.atticd = {
|
||||
@ -47,5 +46,7 @@
|
||||
ensureDatabases = [ "atticd" ];
|
||||
};
|
||||
|
||||
backups.postgresql.atticd = {};
|
||||
|
||||
persist.state.directories = [ "/var/lib/atticd" ];
|
||||
}
|
@ -1,122 +1,27 @@
|
||||
{ config, lib, pkgs, inputs, ... }:
|
||||
let
|
||||
backend = config.virtualisation.oci-containers.backend;
|
||||
data-dir = "/srv/authentik";
|
||||
pod-name = "authentik-pod";
|
||||
pod-dns = "192.168.0.1";
|
||||
open-ports = [
|
||||
# authentik
|
||||
"127.0.0.1:9000:9000/tcp" "127.0.0.1:9443:9443/tcp"
|
||||
# ldap
|
||||
"127.0.0.1:389:3389/tcp" "127.0.0.1:636:6636/tcp"
|
||||
];
|
||||
owner = "1000";
|
||||
authentik-version = "2023.10.6";
|
||||
in {
|
||||
{ config, inputs, ... }: {
|
||||
sops.secrets.authentik-env.sopsFile = inputs.self.secretsDir + /home-hypervisor/authentik.yaml;
|
||||
sops.secrets.authentik-ldap.sopsFile = inputs.self.secretsDir + /home-hypervisor/authentik.yaml;
|
||||
sops.secrets.authentik-env.restartUnits = [ "${backend}-authentik-server.service" ];
|
||||
sops.secrets.authentik-ldap.restartUnits = [ "${backend}-authentik-ldap.service" ];
|
||||
sops.secrets.authentik-env.restartUnits = [ "authentik-server.service" "authentik-worker.service" ];
|
||||
sops.secrets.authentik-ldap.restartUnits = [ "authentik-ldap-outpost.service" ];
|
||||
|
||||
virtualisation.oci-containers.containers = {
|
||||
authentik-postgresql = {
|
||||
autoStart = true;
|
||||
image = "docker.io/library/postgres:12-alpine";
|
||||
extraOptions = [ "--pod=${pod-name}" ];
|
||||
environmentFiles = [ config.sops.secrets.authentik-env.path ];
|
||||
volumes = [
|
||||
"${data-dir}/db:/var/lib/postgresql/data"
|
||||
];
|
||||
};
|
||||
authentik-redis = {
|
||||
autoStart = true;
|
||||
image = "docker.io/library/redis:alpine";
|
||||
cmd = [ "--save" "60" "1" "--loglevel" "warning" ];
|
||||
extraOptions = [ "--pod=${pod-name}" ];
|
||||
volumes = [
|
||||
"${data-dir}/redis:/data"
|
||||
];
|
||||
};
|
||||
authentik-server = {
|
||||
autoStart = true;
|
||||
dependsOn = [ "authentik-postgresql" "authentik-redis" ];
|
||||
image = "ghcr.io/goauthentik/server:${authentik-version}";
|
||||
cmd = [ "server" ];
|
||||
extraOptions = [ "--pod=${pod-name}" ];
|
||||
environment = {
|
||||
AUTHENTIK_REDIS__HOST = "authentik-redis";
|
||||
AUTHENTIK_POSTGRESQL__HOST = "authentik-postgresql";
|
||||
};
|
||||
environmentFiles = [ config.sops.secrets.authentik-env.path ];
|
||||
volumes = [
|
||||
"${data-dir}/media:/media"
|
||||
"${data-dir}/custom-templates:/templates"
|
||||
];
|
||||
};
|
||||
authentik-worker = {
|
||||
autoStart = true;
|
||||
dependsOn = [ "authentik-server" ];
|
||||
image = "ghcr.io/goauthentik/server:${authentik-version}";
|
||||
cmd = [ "worker" ];
|
||||
extraOptions = [ "--pod=${pod-name}" ];
|
||||
environment = {
|
||||
AUTHENTIK_REDIS__HOST = "authentik-redis";
|
||||
AUTHENTIK_POSTGRESQL__HOST = "authentik-postgresql";
|
||||
};
|
||||
environmentFiles = [ config.sops.secrets.authentik-env.path ];
|
||||
# user = "root";
|
||||
volumes = [
|
||||
# "/var/run/${backend}/${backend}.sock"
|
||||
"${data-dir}/media:/media"
|
||||
"${data-dir}/certs:/certs"
|
||||
"${data-dir}/custom-templates:/templates"
|
||||
];
|
||||
};
|
||||
authentik-ldap = {
|
||||
autoStart = true;
|
||||
dependsOn = [ "authentik-server" ];
|
||||
image = "ghcr.io/goauthentik/ldap:${authentik-version}";
|
||||
extraOptions = [ "--pod=${pod-name}" ];
|
||||
environment = {
|
||||
AUTHENTIK_HOST = "https://auth.ataraxiadev.com";
|
||||
AUTHENTIK_INSECURE = "false";
|
||||
};
|
||||
environmentFiles = [ config.sops.secrets.authentik-ldap.path ];
|
||||
backups.postgresql.authentik = {};
|
||||
|
||||
services.authentik = {
|
||||
enable = true;
|
||||
logLevel = "info";
|
||||
listen.address = "127.0.0.1";
|
||||
listen.http = 9000;
|
||||
listen.https = 9443;
|
||||
environmentFile = config.sops.secrets.authentik-env.path;
|
||||
outposts.ldap = {
|
||||
enable = true;
|
||||
host = "https://auth.ataraxiadev.com";
|
||||
environmentFile = config.sops.secrets.authentik-ldap.path;
|
||||
listen.address = "127.0.0.1";
|
||||
listen.ldap = 3389;
|
||||
listen.ldaps = 6636;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d ${data-dir}/db 0700 70 root -"
|
||||
"d ${data-dir}/redis 0755 999 root -"
|
||||
"d ${data-dir}/media 0755 ${owner} ${owner} -"
|
||||
"d ${data-dir}/certs 0755 ${owner} ${owner} -"
|
||||
"d ${data-dir}/custom-templates 0755 ${owner} ${owner} -"
|
||||
];
|
||||
|
||||
systemd.services."podman-create-${pod-name}" = let
|
||||
portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports;
|
||||
start = pkgs.writeShellScript "create-pod-${pod-name}" ''
|
||||
podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping} --dns ${pod-dns}
|
||||
'';
|
||||
stop = "podman pod rm -i -f ${pod-name}";
|
||||
in rec {
|
||||
path = [ pkgs.coreutils config.virtualisation.podman.package ];
|
||||
before = [
|
||||
"${backend}-authentik-postgresql.service"
|
||||
"${backend}-authentik-redis.service"
|
||||
"${backend}-authentik-server.service"
|
||||
"${backend}-authentik-worker.service"
|
||||
"${backend}-authentik-ldap.service"
|
||||
];
|
||||
requiredBy = before;
|
||||
partOf = before;
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = "yes";
|
||||
ExecStart = start;
|
||||
ExecStop = stop;
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 389 ];
|
||||
# networking.firewall.allowedTCPPorts = [ 389 ];
|
||||
}
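Review bot: The LDAP outpost now listens on `127.0.0.1:3389` (plain LDAP) next to ldaps on 6636, and the old `networking.firewall.allowedTCPPorts = [ 389 ];` is commented out rather than removed, so any consumer that reached LDAP over the host's LAN address loses access and the commented line does not say whether that is intended. Suggest replacing the comment with `# LDAP is loopback-only now; consumers must use ldaps on 127.0.0.1:6636` (or deleting it) and noting which clients, if any, still need the unencrypted `listen.ldap` port. The unit names in `restartUnits` (`authentik-server.service`, `authentik-worker.service`, `authentik-ldap-outpost.service`) are hard-coded here and repeated in the headscale, minio, ocis and outline hunks; confirm they match what the `services.authentik` module (defined outside this page) actually creates, otherwise a secret change will not restart the units.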
|
@ -3,14 +3,10 @@ let
|
||||
nodeAddress = "192.168.0.5";
|
||||
upstream-dns = "100.64.0.1";
|
||||
in {
|
||||
systemd.services.gen-headscale-key = {
|
||||
services.headscale-auth.blocky = {
|
||||
ephemeral = true;
|
||||
outPath = "/tmp/blocky-authkey";
|
||||
before = [ "container@blocky.service" ];
|
||||
requiredBy = [ "container@blocky.service" ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
path = [ pkgs.headscale ];
|
||||
script = ''
|
||||
headscale preauthkeys create --ephemeral -e 1h -u ataraxiadev | tee /tmp/blocky-authkey
|
||||
'';
|
||||
};
|
||||
containers.blocky = {
|
||||
autoStart = true;
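Review bot: `outPath = "/tmp/blocky-authkey"` writes a headscale pre-auth key into the shared /tmp directory; whether that is safe depends on the file mode the `services.headscale-auth` module (not on this page) applies and on /tmp not being cleaned before `container@blocky.service` reads it. Prefer a private runtime path such as `outPath = "/run/headscale-auth/blocky-authkey";` with a restrictive mode, or confirm the module already creates the file 0600 for its reader. The key is ephemeral (`ephemeral = true`), which limits the exposure, but the old `tee /tmp/blocky-authkey` had the same weakness and the new option keeps it.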
|
||||
|
@ -28,6 +28,8 @@ in {
|
||||
{ directory = "/srv/gitea"; user = gitea-user; group = gitea-group; }
|
||||
];
|
||||
|
||||
backups.postgresql.gitea = {};
|
||||
|
||||
# TODO: backups! gitea.dump setting
|
||||
services.gitea = {
|
||||
enable = true;
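Review bot: The comment `# TODO: backups! gitea.dump setting` now sits directly under the added `backups.postgresql.gitea = {};` and reads as if nothing is backed up; narrow it so the next reader knows what is still open, e.g. `# TODO: DB is dumped via backups.postgresql; repositories/attachments under /srv/gitea still need a backup (gitea dump)`. The `/srv/gitea` directory only appears in the directory list above (persistence, presumably), which is not a backup.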
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ config, pkgs, inputs, headscale-list ? {}, ... }:
|
||||
{ config, lib, pkgs, inputs, headscale-list ? {}, ... }:
|
||||
let
|
||||
domain = "wg.ataraxiadev.com";
|
||||
in {
|
||||
@ -9,12 +9,12 @@ in {
|
||||
address = "0.0.0.0";
|
||||
port = 8005;
|
||||
settings = {
|
||||
logtail.enabled = false;
|
||||
server_url = "https://${domain}";
|
||||
ip_prefixes = [
|
||||
"fd7a:115c:a1e0::/64" "100.64.0.0/16"
|
||||
];
|
||||
dns_config = {
|
||||
override_local_dns = true;
|
||||
base_domain = domain;
|
||||
nameservers = [ "127.0.0.1" ];
|
||||
extra_records = headscale-list;
|
||||
@ -23,10 +23,15 @@ in {
|
||||
only_start_if_oidc_is_available = true;
|
||||
issuer = "https://auth.ataraxiadev.com/application/o/headscale/";
|
||||
client_id = "n6UBhK8PahexLPb7GkU1xzoFLcYxQX0HWDytpUoi";
|
||||
client_secret_path = config.sops.secrets.headscale-oidc.path;
|
||||
scope = [ "openid" "profile" "email" "groups" ];
|
||||
allowed_groups = [ "headscale" ];
|
||||
strip_email_domain = true;
|
||||
};
|
||||
grpc_listen_addr = "127.0.0.1:50443";
|
||||
grpc_allow_insecure = true;
|
||||
disable_check_updates = true;
|
||||
ephemeral_node_inactivity_timeout = "4h";
|
||||
};
|
||||
};
|
||||
|
||||
@ -35,14 +40,11 @@ in {
|
||||
owner = "headscale";
|
||||
restartUnits = [ "headscale.service" ];
|
||||
};
|
||||
systemd.services.headscale = {
|
||||
serviceConfig.TimeoutStopSec = 10;
|
||||
serviceConfig.TimeoutStartSec = 300;
|
||||
serviceConfig.EnvironmentFile = config.sops.secrets.headscale-oidc.path;
|
||||
serviceConfig.ExecStartPre = (pkgs.writeShellScript "wait-dns.sh" ''
|
||||
until ${pkgs.host}/bin/host auth.ataraxiadev.com > /dev/null; do sleep 1; done
|
||||
'');
|
||||
};
|
||||
systemd.services.headscale.after = lib.mkIf config.services.authentik.enable [
|
||||
"authentik-server.service"
|
||||
"authentik-worker.service"
|
||||
"nginx.service"
|
||||
];
|
||||
|
||||
persist.state.directories = [ "/var/lib/headscale" ];
|
||||
}
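Review bot: Replacing the `wait-dns.sh` ExecStartPre with `after = lib.mkIf config.services.authentik.enable [...]` only orders headscale after those units have started, not after Authentik is answering OIDC discovery, and `only_start_if_oidc_is_available = true` earlier in this file makes headscale exit if the issuer is not reachable at that moment. Either keep a readiness probe in ExecStartPre (a loop that curls the issuer's `.well-known/openid-configuration`) or add `serviceConfig.Restart = "on-failure"; serviceConfig.RestartSec = 10;` so a first-boot race self-heals. From the header counts the old `TimeoutStopSec = 10` and `TimeoutStartSec = 300` appear to go away with this hunk too; say so in the commit if that is intentional. The same `after`-only pattern is added for minio, ocis-server and outline in their hunks and the same caveat applies — `after` on `nginx.service` is likewise ordering only, not a dependency.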
|
@ -38,7 +38,7 @@ let
|
||||
in {
|
||||
virtualisation.oci-containers.containers.media-caddy = {
|
||||
autoStart = true;
|
||||
image = "cr.hotio.dev/hotio/caddy:release-2.7.4";
|
||||
image = "ghcr.io/hotio/caddy:release-2.7.4";
|
||||
environment = {
|
||||
PUID = "1000";
|
||||
PGID = "100";
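Review bot: Switching the registry from `cr.hotio.dev` to `ghcr.io` while keeping a mutable tag (`release-2.7.4`) means the pull now trusts a different host to serve the same content, with nothing pinning what actually runs; pin by digest alongside the tag, e.g. `image = "ghcr.io/hotio/caddy:release-2.7.4@sha256:<digest-from-ghcr>";`, so a retag or registry compromise cannot silently change the image. The jackett, qbittorrent, radarr and sonarr hunks make the identical registry switch and need the same pinning. Their `release-*`/`nightly-*` tags are already exact versions, so the digest is the only missing piece.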
|
||||
|
@ -12,7 +12,7 @@ in {
|
||||
TZ = "Europe/Moscow";
|
||||
};
|
||||
extraOptions = [ "--pod=media-stack" ];
|
||||
image = "cr.hotio.dev/hotio/jackett:release-0.21.946";
|
||||
image = "ghcr.io/hotio/jackett:release-0.21.946";
|
||||
volumes = [
|
||||
"${nas-path}/configs/jackett:/config"
|
||||
];
|
||||
|
@ -5,7 +5,7 @@ let
|
||||
in {
|
||||
virtualisation.oci-containers.containers.qbittorrent = {
|
||||
autoStart = true;
|
||||
image = "cr.hotio.dev/hotio/qbittorrent:release-4.5.5";
|
||||
image = "ghcr.io/hotio/qbittorrent:release-4.5.5";
|
||||
environment = {
|
||||
PUID = "1000";
|
||||
PGID = "100";
|
||||
|
@ -14,7 +14,7 @@ in {
|
||||
HTTPS_PROXY = "http://192.168.0.6:8888";
|
||||
};
|
||||
extraOptions = [ "--pod=media-stack" ];
|
||||
image = "cr.hotio.dev/hotio/radarr:release-4.7.5.7809";
|
||||
image = "ghcr.io/hotio/radarr:release-4.7.5.7809";
|
||||
volumes = [
|
||||
"${nas-path}/configs/radarr:/config"
|
||||
"${nas-path}:/data"
|
||||
|
@ -12,7 +12,7 @@ in {
|
||||
TZ = "Europe/Moscow";
|
||||
};
|
||||
extraOptions = [ "--pod=media-stack" ];
|
||||
image = "cr.hotio.dev/hotio/sonarr:nightly-4.0.0.688";
|
||||
image = "ghcr.io/hotio/sonarr:nightly-4.0.0.688";
|
||||
volumes = [
|
||||
"${nas-path}/configs/sonarr:/config"
|
||||
"${nas-path}:/data"
|
||||
|
@ -1,10 +1,26 @@
|
||||
{ config, lib, pkgs, inputs, ... }: {
|
||||
sops.secrets.minio-credentials = {
|
||||
{ config, lib, inputs, ... }:
|
||||
let
|
||||
minio-secret = {
|
||||
owner = "minio";
|
||||
mode = "0400";
|
||||
sopsFile = inputs.self.secretsDir + /home-hypervisor/minio.yaml;
|
||||
restartUnits = [ "minio.service" ];
|
||||
};
|
||||
kes-secret = {
|
||||
owner = "kes";
|
||||
mode = "0400";
|
||||
sopsFile = inputs.self.secretsDir + /home-hypervisor/minio.yaml;
|
||||
restartUnits = [ "kes.service" ];
|
||||
};
|
||||
in {
|
||||
sops.secrets.minio-credentials = minio-secret;
|
||||
sops.secrets.kes-vault-env = kes-secret;
|
||||
sops.secrets.kes-key = kes-secret;
|
||||
sops.secrets.kes-cert = kes-secret // {
|
||||
group = "minio";
|
||||
mode = "0440";
|
||||
restartUnits = [ "kes.service" "minio.service" ];
|
||||
};
|
||||
|
||||
services.minio = {
|
||||
enable = true;
|
||||
@ -20,14 +36,79 @@
|
||||
environment = lib.mkAfter {
|
||||
MINIO_SERVER_URL = "https://s3.ataraxiadev.com";
|
||||
MINIO_BROWSER_REDIRECT_URL = "https://s3.ataraxiadev.com/ui";
|
||||
MINIO_IDENTITY_OPENID_COMMENT="Authentik";
|
||||
MINIO_IDENTITY_OPENID_CONFIG_URL = "https://auth.ataraxiadev.com/application/o/minio/.well-known/openid-configuration";
|
||||
MINIO_IDENTITY_OPENID_REDIRECT_URI = "https://s3.ataraxiadev.com/ui/oauth_callback";
|
||||
MINIO_IDENTITY_OPENID_COMMENT = "Authentik";
|
||||
MINIO_IDENTITY_OPENID_CONFIG_URL =
|
||||
"https://auth.ataraxiadev.com/application/o/minio/.well-known/openid-configuration";
|
||||
MINIO_IDENTITY_OPENID_REDIRECT_URI =
|
||||
"https://s3.ataraxiadev.com/ui/oauth_callback";
|
||||
MINIO_IDENTITY_OPENID_SCOPES = "openid,profile,email,minio";
|
||||
# KMS
|
||||
MINIO_KMS_KES_ENDPOINT = "https://${config.services.kes.settings.address}";
|
||||
MINIO_KMS_KES_CAPATH = config.sops.secrets.kes-cert.path;
|
||||
MINIO_KMS_KES_KEY_NAME = "minio-default-key";
|
||||
MINIO_KMS_KES_ENCLAVE = "minio-hypervisor";
|
||||
};
|
||||
};
|
||||
systemd.services.minio.after =
|
||||
lib.mkIf config.services.authentik.enable [
|
||||
"authentik-server.service"
|
||||
"authentik-worker.service"
|
||||
"nginx.service"
|
||||
"kes.service"
|
||||
];
|
||||
|
||||
# persist.state.directories = config.services.minio.dataDir ++ [
|
||||
# config.services.minio.configDir
|
||||
# ];
|
||||
}
|
||||
services.kes = {
|
||||
enable = true;
|
||||
environmentFile = config.sops.secrets.kes-vault-env.path;
|
||||
settings = {
|
||||
address = "127.0.0.1:7373";
|
||||
admin.identity = "disabled";
|
||||
tls = {
|
||||
key = config.sops.secrets.kes-key.path;
|
||||
cert = config.sops.secrets.kes-cert.path;
|
||||
};
|
||||
policy.minio = {
|
||||
allow = [
|
||||
"/v1/key/create/minio-*"
|
||||
"/v1/key/generate/minio-*"
|
||||
"/v1/key/decrypt/minio-*"
|
||||
"/v1/key/bulk/decrypt"
|
||||
"/v1/key/list/*"
|
||||
"/v1/status"
|
||||
"/v1/metrics"
|
||||
"/v1/log/audit"
|
||||
"/v1/log/errot"
|
||||
];
|
||||
identities = [
|
||||
"d76b126754bd382de969e18ab71c3ba3fe1fdf9bb89927b3f16e08ebae07d242"
|
||||
];
|
||||
};
|
||||
keystore.vault = {
|
||||
endpoint = "http://${config.services.vault.address}";
|
||||
engine = "kv/";
|
||||
version = "v1";
|
||||
approle = {
|
||||
id = ''''${KES_APPROLE_ID}'';
|
||||
secret = ''''${KES_APPROLE_SECRET}'';
|
||||
retry = "15s";
|
||||
};
|
||||
status.ping = "10s";
|
||||
};
|
||||
};
|
||||
};
|
||||
systemd.services.kes.after = [ "vault.service" "vault-unseal.service" ];
|
||||
|
||||
# Sync local minio buckets to remote s3 storage
|
||||
sops.secrets.rclone-s3-sync.sopsFile = inputs.self.secretsDir + /rustic.yaml;
|
||||
backups.rclone-sync.minio = {
|
||||
rcloneConfigFile = config.sops.secrets.rclone-s3-sync.path;
|
||||
syncTargets =
|
||||
let buckets = [
|
||||
"authentik-media" "ocis" "outline"
|
||||
"obsidian-ataraxia" "obsidian-doste" "obsidian-kpoxa"
|
||||
]; in map (bucket: {
|
||||
source = "minio:${bucket}";
|
||||
target = "idrive:minio-${bucket}";
|
||||
}) buckets;
|
||||
};
|
||||
}
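Review bot: `"/v1/log/errot"` in `policy.minio.allow` is a typo for `"/v1/log/error"`, so the policy never grants MinIO the error-log endpoint it was meant to have (KES matches these patterns literally). The policy is otherwise appropriately narrow — `minio-*` key prefixes and a single pinned identity — though `"/v1/key/list/*"` reveals the names of every key in the enclave, not only `minio-*`, if that matters. `keystore.vault.endpoint = "http://${config.services.vault.address}"` talks to Vault in plaintext; that is loopback per the vault profile on this page, so acceptable, but a one-line comment (`# loopback only; Vault listens on 127.0.0.1:8200`) would spare the next reader the cross-check.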
|
||||
|
@ -88,6 +88,7 @@ in {
|
||||
"sonarr.ataraxiadev.com"
|
||||
# "startpage.ataraxiadev.com"
|
||||
"tools.ataraxiadev.com"
|
||||
"vault.ataraxiadev.com"
|
||||
"vw.ataraxiadev.com"
|
||||
"wg.ataraxiadev.com"
|
||||
"wiki.ataraxiadev.com"
|
||||
@ -150,7 +151,7 @@ in {
|
||||
};
|
||||
} // default;
|
||||
"api.ataraxiadev.com" = {
|
||||
locations."~ (\\.py|\\.sh)$" = with config.services; {
|
||||
locations."~ (\\.py)$" = with config.services; {
|
||||
alias = "/srv/http/api.ataraxiadev.com";
|
||||
extraConfig = ''
|
||||
gzip off;
|
||||
@ -297,6 +298,12 @@ in {
|
||||
"tools.ataraxiadev.com" = default // authentik {
|
||||
proxyPass = "http://127.0.0.1:8070";
|
||||
};
|
||||
"vault.ataraxiadev.com" = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:8200";
|
||||
extraConfig = proxySettings;
|
||||
};
|
||||
} // default;
|
||||
"vw.ataraxiadev.com" = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:8812";
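Review bot: The new `"vault.ataraxiadev.com"` vhost proxies `/` straight to Vault on `127.0.0.1:8200` with no access restriction, which publishes the Vault UI and API to anyone who can reach nginx; the `/metrics` location on the wg vhost below already shows the intended pattern (`allow 100.64.0.0/16; allow 192.168.0.0/24; deny all;`). Apply the same allow/deny block in this vhost's `extraConfig`, or front it with the `authentik { … }` wrapper used for tools and wiki, unless Vault is deliberately meant to be internet-reachable. KES on this page reaches Vault over loopback, so it does not depend on the public route.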
|
||||
@ -313,21 +320,30 @@ in {
|
||||
};
|
||||
} // default;
|
||||
"wg.ataraxiadev.com" = {
|
||||
locations."/headscale." = {
|
||||
extraConfig = ''
|
||||
grpc_pass grpc://${config.services.headscale.settings.grpc_listen_addr};
|
||||
'';
|
||||
priority = 1;
|
||||
};
|
||||
locations."/metrics" = {
|
||||
proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
|
||||
extraConfig = ''
|
||||
allow 100.64.0.0/16;
|
||||
allow 192.168.0.0/24;
|
||||
deny all;
|
||||
'';
|
||||
priority = 2;
|
||||
};
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
|
||||
proxyWebsockets = true;
|
||||
priority = 3;
|
||||
};
|
||||
} // default;
|
||||
"wiki.ataraxiadev.com" = default // authentik {
|
||||
proxyPass = "http://127.0.0.1:8190";
|
||||
};
|
||||
# "cocalc.ataraxiadev.com" = {
|
||||
# locations."/" = {
|
||||
# proxyPass = "https://127.0.0.1:9599";
|
||||
# proxyWebsockets = true;
|
||||
# extraConfig = proxySettings;
|
||||
# };
|
||||
# } // default;
|
||||
};
|
||||
};
|
||||
|
||||
@ -339,7 +355,17 @@ in {
|
||||
|
||||
sops.secrets.narodmon-key.sopsFile = inputs.self.secretsDir + /home-hypervisor/api.yaml;
|
||||
sops.secrets.narodmon-key.owner = config.services.nginx.user;
|
||||
sops.secrets.narodmon-key.path = "/tmp/narodmon-key";
|
||||
# Avoid api key revoke
|
||||
systemd.services.narodmon-api = {
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = config.services.nginx.user;
|
||||
ExecStart = "${pkgs.narodmon-py}/bin/temp.py";
|
||||
};
|
||||
startAt = "daily";
|
||||
after = [ "network-online.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
};
|
||||
|
||||
system.activationScripts.linkPyScripts.text = ''
|
||||
[ ! -d "/srv/http/api.ataraxiadev.com" ] && mkdir -p /srv/http/api.ataraxiadev.com
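Review bot: The comment `# Avoid api key revoke` above the new `narodmon-api` unit does not tell the reader what is avoided or why a daily run achieves it; suggest `# Run temp.py once a day so the narodmon API key stays in use — idle keys get revoked (TODO: confirm the inactivity window)`. The unit runs as `config.services.nginx.user`, which is also the owner given to the secret, so the read of `/run/secrets/narodmon-key` works; a short comment on the owner line tying the two together would help. The removed `sops.secrets.narodmon-key.path = "/tmp/narodmon-key";` (inferred from the header counts to be this hunk's one deletion) is the right fix, and the python hunk updates the reader to match.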
|
||||
|
@ -36,4 +36,11 @@
|
||||
STORAGE_USERS_S3NG_REGION = "us-east-1";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
systemd.services.ocis-server.after =
|
||||
lib.mkIf config.services.authentik.enable [
|
||||
"authentik-server.service"
|
||||
"authentik-worker.service"
|
||||
"nginx.service"
|
||||
];
|
||||
}
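Review bot: The added `lib.mkIf` needs `lib` in this module's argument set, and the hunk starts at line 36 so the header is not visible; the outline and headscale hunks on this page add `lib` to their `{ config, lib, ... }:` line explicitly, while no such change appears for ocis. If the ocis header does not already bind `lib`, evaluation fails with an undefined-variable error; otherwise ignore this. The ordering caveat raised on the headscale hunk applies here as well.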
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ config, inputs, ... }: {
|
||||
{ config, lib, inputs, ... }: {
|
||||
sops.secrets = let
|
||||
default = {
|
||||
sopsFile = inputs.self.secretsDir + /home-hypervisor/outline.yaml;
|
||||
@ -52,6 +52,15 @@
|
||||
utilsSecretFile = config.sops.secrets.outline-utils.path;
|
||||
};
|
||||
|
||||
systemd.services.outline.after =
|
||||
lib.mkIf config.services.authentik.enable [
|
||||
"authentik-server.service"
|
||||
"authentik-worker.service"
|
||||
"nginx.service"
|
||||
];
|
||||
|
||||
backups.postgresql.outline = {};
|
||||
|
||||
persist.state.directories = [
|
||||
"/var/lib/redis-outline"
|
||||
];
|
||||
|
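--- /dev/null
+++ b/profiles/servers/vault.nix
@@ -0,0 +1,39 @@
+{ config, pkgs, inputs, ... }:
+let
+api-addr = "http://127.0.0.1:8200";
+in {
+environment.systemPackages = [ config.services.vault.package ];
+services.vault = {
+enable = true;
+package = pkgs.vault-bin;
+address = "127.0.0.1:8200";
+storageBackend = "raft";
+storageConfig = ''
+node_id = "main_node"
+'';
+extraConfig = ''
+disable_cache = true
+api_addr = "${api-addr}"
+cluster_addr = "https://127.0.0.1:8201"
+ui = true
+'';
+};
+
+sops.secrets.vault-keys-env.sopsFile = inputs.self.secretsDir + /home-hypervisor/vault.yaml;
+systemd.services.vault-unseal = {
+wantedBy = [ "multi-user.target" ];
+partOf = [ "vault.service" ];
+after = [ "vault.service" ];
+path = [ pkgs.curl ];
+script = ''
+set -aeuo pipefail
+source ${config.sops.secrets.vault-keys-env.path}
+curl -H "Content-Type: application/json" --data "{\"key\":\"$VAULT_KEY1\"}" ${api-addr}/v1/sys/unseal >/dev/null 2>&1
+curl -H "Content-Type: application/json" --data "{\"key\":\"$VAULT_KEY2\"}" ${api-addr}/v1/sys/unseal >/dev/null 2>&1
+curl -H "Content-Type: application/json" --data "{\"key\":\"$VAULT_KEY3\"}" ${api-addr}/v1/sys/unseal >/dev/null 2>&1
+'';
+serviceConfig.Type = "oneshot";
+};
+
+persist.state.directories = [ config.services.vault.storagePath ];
+}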
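Review bot: The unseal script hides every curl failure — no `--fail`, stdout and stderr both sent to /dev/null — so a wrong share or an API that is not yet listening leaves `vault-unseal.service` reporting success while `kes.service` (ordered `after` it elsewhere on this page) starts against a sealed Vault. Use `curl --fail --silent --show-error` without redirecting stderr and loop over the shares so the three near-identical lines collapse; the key values still never reach the journal. Separately, keeping three of the five shares plus `vault-root-token` in `secrets/home-hypervisor/vault.yaml` on the same host as the raft data means a disk-level compromise is a full unseal; that may be an accepted trade-off for a home lab, but it deserves a comment at the `sops.secrets.vault-keys-env` line, and the initial root token should be revoked once the AppRole used by KES is the working auth path.
```nix
script = ''
  set -aeuo pipefail
  source ${config.sops.secrets.vault-keys-env.path}
  # --fail turns an HTTP error into a non-zero exit, so a failed unseal fails the unit
  for key in "$VAULT_KEY1" "$VAULT_KEY2" "$VAULT_KEY3"; do
    curl --fail --silent --show-error -H "Content-Type: application/json" \
      --data "{\"key\":\"$key\"}" ${api-addr}/v1/sys/unseal >/dev/null
  done
'';
# … unchanged: serviceConfig.Type = "oneshot"; …
```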
@ -126,6 +126,19 @@
|
||||
file="''${file%.*}"
|
||||
ffmpeg -i "$1" -c:v libvpx-vp9 -b:v 0 -crf 30 -an "$dir/$file.webm"
|
||||
}
|
||||
gh_delete_runs() {
|
||||
org="$1"
|
||||
repo="$2"
|
||||
set -a
|
||||
source /run/secrets/github-token
|
||||
set +a
|
||||
run_ids=($(${pkgs.gh}/bin/gh api repos/$org/$repo/actions/runs --paginate --jq '.workflow_runs[] | .id'))
|
||||
for run_id in "''${run_ids[@]}"
|
||||
do
|
||||
echo "Deleting Run ID $run_id"
|
||||
${pkgs.gh}/bin/gh api repos/$org/$repo/actions/runs/$run_id --method DELETE >/dev/null &
|
||||
done
|
||||
}
|
||||
|
||||
XDG_DATA_DIRS=$XDG_DATA_DIRS:$GSETTINGS_SCHEMAS_PATH
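Review bot: `gh_delete_runs` runs `set -a; source /run/secrets/github-token; set +a` in the calling shell, so the token stays exported in the interactive session — and is inherited by every process started afterwards — long after the function returns; running the body in a subshell scopes it to the call: change `gh_delete_runs() {` to `gh_delete_runs() (` and the closing `}` to `)`. The loop also backgrounds each DELETE with `&` and never waits, so the function returns before the deletions finish and any failures are lost — add `wait` before the closing bracket. Quoting the `repos/$org/$repo/...` arguments is cheap hardening on top.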
|
||||
|
||||
|
@ -1,12 +1,12 @@
|
||||
narodmon-key: ENC[AES256_GCM,data:sNzfMEF5W6aaRAukJw==,iv:WUHbk+SYoU5J2L5eL16EnuH3jMIlv020oO+quWljCR0=,tag:EJ2LguJOT7HZgFjyn5eU5g==,type:str]
|
||||
narodmon-key: ENC[AES256_GCM,data:8LJRYete2kojvn7sDA==,iv:KkUFWz2Dhs0FCQOutALhNHg8UKdQmrOog5Fw3GP/4Hk=,tag:rKoRfq0e4cytC0RFjwdLww==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2024-01-21T19:48:53Z"
|
||||
mac: ENC[AES256_GCM,data:htIZ35knmE7lscDrAHv/FnhiuwWxudr8W63wv39k97FfvmlM35MAJD7hKj2aYj5fk6dHz7XqinX+ibb6q5CYhCSi2gqGp6jzoUIj3Dowo/aBci39GTbnjXHhjCUYFWSJLoJHQDa6YxhHn5LGjbVmcGUqhx2GtfF6ZYkZNboJrgY=,iv:ptcGa8QbPaFz9Ln24QHdd/lMib1c1mVCbZ7YotSqqMA=,tag:GK0RGoQpuYJuQWOW+xSKDw==,type:str]
|
||||
lastmodified: "2024-01-27T14:51:05Z"
|
||||
mac: ENC[AES256_GCM,data:1OnZT0kcK1t8wCW80YGQ+sMnfOR6EKqRYlrvFG81vZEPLwOeZVi5ByzydBYBCcrVQ6I5fxDULf1AVpQeWB0GmXaG9ZxehAzSkD4LA09l3/4RtKXKgSFNdiCkudeVwUguxyzWaLJd4Saq82ltxpW5Am4VWtzp+z0wJe81ImSz0cI=,iv:jqES/410Z02Z39z5mg6mn2nNeQqPzvxHQlstZJw7iJY=,tag:y7EurbA3YQmLtawgYWeJjg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-01-21T19:48:32Z"
|
||||
enc: |-
|
||||
|
@ -1,4 +1,6 @@
|
||||
authentik-env: ENC[AES256_GCM,data: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,iv:QMfMecO5xgnHakjTQOJlMyh9am12n23pHIL+CndhVDI=,tag:k2+Yx6hpjjgPskBPiq+hSw==,type:str]
|
||||
authentik-docker-env: ENC[AES256_GCM,data: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,iv:RoNU+sz4ibBnCZEwhrZOCZ8L2f4AKlA2HDkjGOd75HU=,tag:GmXqPgen7ZJ/hVqQhO+DbQ==,type:str]
|
||||
authentik-docker-ldap: ENC[AES256_GCM,data:Ex6g0F9krdKj1Zn4V6oafV7PXrkdIHYsh6z287yEDkJdUUsz73QXKYjMIyF6AhoDFtOCPqmEB7J6qFxCzQjJsHYDbDT/pDHjJMpmnA==,iv:DrifVWgEak8Pd7V50UOnEs6lVH3+LhSNDmZ6z4QMS14=,tag:snAy/ebpo1yyHGmy9l12Ww==,type:str]
|
||||
authentik-env: ENC[AES256_GCM,data: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,iv:/fR2FJan/QRCKLKBaPdagcfMD4xsaezZAXHIYmwZ484=,tag:1u/EXA+4KdsVrchKUMY41A==,type:str]
|
||||
authentik-ldap: ENC[AES256_GCM,data:trkAbd1/delgSdV2nvPjbDV4fK0Eeu0X3c8xGYFIotHhPrYqZeBlgh9m6W1dEBeH/DOqPDlc6hqwGCE7D39Ael/WV5dgQepzB+7eYQ==,iv:dNGa2YW2nm21lLuX0efxYO8TLyi6Or4IOID0Zvl3neQ=,tag:wBDWNxeuahiNw+vupGNPqw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
@ -6,8 +8,8 @@ sops:
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2024-01-21T19:05:38Z"
|
||||
mac: ENC[AES256_GCM,data:7OiHNkvt6RqCSHtwHSlU8Fu3Lz02J4hKZTmIUNfRiisECa35nFTsDPHT5Tk9C8jKCyaScjiJLR4hGRBkBhKrjsJj0gDZSDKmWErIq26RBdDSjGWLzG71i4TD1PsYYSOfeftwuoRaC3boDsQ5EzTzZCF99rCEkf33YkeUFCWFjg0=,iv:ou900k1mW/SXnw2Bl2pSvazbcjsZia+55acE3narTBw=,tag:IlBmeN2cTVbxxBJbfQrmAQ==,type:str]
|
||||
lastmodified: "2024-01-24T16:13:04Z"
|
||||
mac: ENC[AES256_GCM,data:OKANPvWhQCG/iFwc2zWVnaQ2799ai8l40styj60kpWB1Id7ccLomPCvzMMtZS/tCrp9HxrbYkN/9GgRnMrMoNvp2QtL19c4pmN2V9VKrEklm77UMeN5KEOemk5Iiqnjk6LF3mPuRa5nFTSwoLSsYPZ1v+vX7oob7WlhR57WAb+g=,iv:2waLQWzcqXT/9NN1rkaoc1Ym2qziGVOgRhc2nvDtMCI=,tag:ayzPdyGxts/02kIyayDPpQ==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-01-21T19:04:47Z"
|
||||
enc: |-
|
||||
|
@ -1,12 +1,13 @@
|
||||
headscale-oidc: ENC[AES256_GCM,data:IQaE/1zXfc72iivZBDH3LmQmaljWIyxIeyMGLRetphJ7UWB//MeQbR4eM3gt7pXaFKudXYxuEkSCjJ/CgrxgTrlLoBFlTNwibr5tsDEYLgLdodCQj/Oih7ru1fSAAJR2XBtM/T4CZHWlTHnbGxRZUrUXRUgMog9GsY9Q+ybbzvI81urZTvaRzKUfHJ2YQKOW/k1Ug5fT1yZUdMyU2A==,iv:Fk4UFEnHsHjgMHbny6L7MEULQFELB5dtR1OtEm2A/Zk=,tag:shKxkfdXqpAppiPX06HMYw==,type:str]
|
||||
headscale-oidc: ENC[AES256_GCM,data:lu1c/XSD7/fV1MuwAETDV1PCn3C7zr0UKK0u4/5Z2AoQXHLsUES3Yvu7B9kStFd3M+GoOq6Y0xYVGLS9x5TcEVFDKSsdRRgGYlu2C/x+NUOlP0cEKKq222NYIZ6iA9emP6A2ZVy1ZpM1UE65vJHk1NHHbS4zYiiJMskOacwW1bs=,iv:o9/TG+9/MU6mchYtj6navG97eJhP/4kUlWcx/xjhvK0=,tag:l2xQhGn1vkcBZvBZevpTOg==,type:str]
|
||||
headscale-oidc-env: ENC[AES256_GCM,data:LX26VJfqImj5hHGSczey4okdPsNdxsIQ4OD3kRhwRt4P2MAdlVWiBQl47Jj5lk1Nm/yZejf4GXARLoQf3TK1ie4aDaWJx8Yhl8aSpy1s3h/1lcM7OCNb9WhUB+ZmikXaA6sOui4sQfGEtf0ydeIE0CwH04WL+Qomu+WxFzUVSzPW3baR2AKSqKiLGLGB0mZrRmdbhSdxCJN85j2i/Q==,iv:9b4pMMLj9huMg2RnrU10xqjRoA3NCWUKn4rc956Gm+s=,tag:+XN0KzJqWvTS/8ufGooNfg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2024-01-21T19:12:33Z"
|
||||
mac: ENC[AES256_GCM,data:EpMvPZNJ0JCDMZ+btkQQskZ5TGSftq/S+N/aGwx54lH1w7qNqpuyxD9XsadeIb8wTP5yIuXKkBegcRmMmKHfl3/tMfwbJ779yuJpMDRMYGoaFfYiR3r+14gBYtBONFKv+OtI6+4oWYN7xrVIncMYbs3SptD/Q80SUQ5ZgtF7I9Q=,iv:O2IzGK0YJZ7YuR8g/EiNKlAaY3D4xkwjFgftuFk7Oys=,tag:8uUMxgkF24BGesa7vahP7Q==,type:str]
|
||||
lastmodified: "2024-01-24T20:09:29Z"
|
||||
mac: ENC[AES256_GCM,data:akcHfxJrGSPINI28sQdxcz4s6P9Va+GAvF0TC7adgf2mgVtqkZdaZPJZ/BaVlxccWf3tFgBMKwLVHcfmxMi93KnxFxOuA3DWYnjmBfHzxHFq+jWke7BHzRhPvVsKOKKHdfkXPCZnqyHLwRPp0jUyrANw9m9Ub2JTomfHy3j2+FA=,iv:784bnpb7v0z3KewsnH+RXYkdml+o2sj/qvR7qqn/om0=,tag:L1c/p8GcUlT+4sLyr0T5fA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-01-21T19:12:17Z"
|
||||
enc: |-
|
||||
|
@ -1,12 +1,21 @@
|
||||
minio-credentials: ENC[AES256_GCM,data:yK/skw8GkY6rlhfIYHKoHV4+pBMHkLtXtwG8hQMVit6SQtcC74T7tQOnwe/AU79xKZAL9Bpvn1vBurBAVmsBiyPWNZVvkuWWT1033LkE9lApwwb6HaF4PAqPgiCvXwc0svPKPaFp+Kfyc07+I6KhKuL2tQLKWtZLIVhwEltSsQME/X1f2pAfJMxd/JfiZYd9kpv2JNN5PGPtDNCddsqHg8x5xJfVS3rCDe3LCiIZliKHOHD0D+EpFpnCrdR5GLH67LCwNT/1ZHjOntWoTVHDFMzWYW+bahE+HQp/C+462NmDTFFqT3cfh+c+hArADVAwIrgPNo5jbPkbkSFYhhC9kyWmCwasgtb1Pw+/66wNJWIrZ2lQWIFsV73NmNPv3qsuXJ/Iw4fRXzy8x0FY8fXhdIUOlpBmZINiGmwPEVGLRv+Fym6RGOsKWSqx3q9vgT3hA0AU6bh1,iv:PBXOkdagtbApkWY/dM4cH61lfJtsk+PbVeeGmSvnNzs=,tag:CqhqHbNxGNItLfQTrXEc4w==,type:str]
|
||||
minio-credentials: ENC[AES256_GCM,data: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,iv:RVvj6dBIc/Oe2qjuF7iIKsUvAqYyx9WbLOBvny5Uqac=,tag:fhQG+CAWw43BKzrbff6b+A==,type:str]
|
||||
kes-vault-env: ENC[AES256_GCM,data:PiHL6k29G7Ci7bWQfPQZW8E8lPP3RU8eXFYc6JM1uLPj7rhO9qdz1Q/EdxxFpkPBwzXKGJtcNW1jNM4oiGO29ONOIsk4GNIMqbvmv4TU9/jPaXhR3UPdEChw9xvaLmTnHinRVWtHHHVZ1X0=,iv:eLV1Wxh8pDJzvHylkpEkNQJD5uoDNNbJQGdTFT6m2zs=,tag:i/f+ZlItVPUimfWJKmhEBQ==,type:str]
|
||||
kes-vault-approle-id: ENC[AES256_GCM,data:bKjEKJDT+i/SZh8q9CpW/5N63gvMPAK884FD2ZcDB/IHSbkV,iv:sKFMub4+4JGHodb518y1ysaevCiSE+UQTMahUQAJo+I=,tag:cH7jlkt6GsUhy1yXoKE0GA==,type:str]
|
||||
kes-vault-approle-secret: ENC[AES256_GCM,data:9idFvJnsTSAvUEbsyelqv7bRev8p+veFDe7LEI/4wHbDE+F2,iv:6JABa/k0zaLUkRhI/Ag690CIcYqalXjeGUWFXBEaTao=,tag:iXIpWQRHJt5oAGcUF3MlmQ==,type:str]
|
||||
minio-kes-api-key: ENC[AES256_GCM,data:lSZdYv/MYMVgNE4Pe+fftTQg06lgczKSXj8DJpWfbHHQCDoDtuzBdTnau87QN59xqRXG,iv:0X4CC3dBbBPyq/kQpFlveaqZYQfSbVlxvGavHStwCB4=,tag:m8jWGL5wfcOP91gu4SIgsg==,type:str]
|
||||
kes-api-key: ENC[AES256_GCM,data:RSj/mTGjPe3di/xqZvko4CTynB66AyUhdGzHm/sacgl0+2kHejd1NvGEd+G7UehqUvcq,iv:UQvlGP9dwEK5r82anaTzSJW12+BD8bmKBy3XhJP2JaU=,tag:ipKsmtQhIYZy2K0WBgpyWw==,type:str]
|
||||
minio-kes-cert: ENC[AES256_GCM,data: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,iv:FelsEzmNCaYplIhk78FoPXduC5UW5kRNlFlStEEH06o=,tag:aEfdYmjAD0cvOteQlk/I3w==,type:str]
|
||||
minio-kes-key: ENC[AES256_GCM,data:1h4AdQ4L9bOfkAfKQz4qfO8M6qe5vXOpZnBzpCYUfNJQefCM3dDJwbYmE87jh8UWqX6iM0hdE7YuBll21oflu7d5HAWMRWEuYp1ApiAcWaRYZ6/MsonPv51bboiJFplPcPmLen48kpQ5AcbQddhgzrD99WX9Pg==,iv:7kZrAD2ty0v7Iq9bKtIkHViDz1f35Qvji5cI6ow8FVQ=,tag:lqEMjq2qIBHDLT7LSpdwcA==,type:str]
|
||||
kes-cert: ENC[AES256_GCM,data:jUNtsajgp8wSJ6JeqxJNR0jplRpewew4H74SUx+Ib5S5hxSLz3uxTDSJvEeWj2D0FngmKH4GDhltGl2as3DBRiELC4mApSc/7K+aXwi1+lE2HLTG1ESLMBLG3d0iuNvuCM4qX5rEvH3ZKFTyMIhXZMt0wOMiGn9fyFqxNiGr4ipx8aVXWzJ3jRMHWKVaW4HlSSWRGkmf2U7Dc9WeYtc5T/ziissIjHqBfPRfDp8X7P2goWLjCI4LBkGzjOwgw+J8/2B65cvde/gMAwWX8Q6VRNAhVkNlfc2633YwQQF9GzyFgvuEFQrTvzrR/L6JJnDvW40ldlW04I3AtEHFQTJGk+caXdj2xil5Be3949VcGWPVMD9nfMTFnl1LS7rzUj3eT1eoKoQHmfV/Z+32MOxiLtTVh+TRSLIDiu3JfyDSL1khLHKGY6kvTibN6KHgTHAM1fopaNdks23pgn+G9ONkRuTWIKnNldNeKBWt2XfB4dQv/ITd6bio8tJHfmJenBUKUuUlocQlzgzqpghLoLuX3hcitVMZfBn3xHDEDXpl6ou6eTp9BmRtjaYN/oFaEJNiZGCCYxgi+m6FEpp4deK2us8va+XoeYGIN3uQOFVcI7D///nmvtOyqc3lN2xKKNJgVNyv4U3Z4dLu3Zk93bMtug==,iv:CwacuLmfX/cj7wC6AaAj7sny3Ywrx+RVkKqDZv6OheM=,tag:iIh1StrhkveyX0Ccjuh14g==,type:str]
|
||||
kes-key: ENC[AES256_GCM,data:D4I0gPI1e4cDS+E3xvIoBbk5HXvkqh7t6pIRztOPptkUuu9WG9R3HjOJb4qqUtAQGwX2oNs0lxwnopBWps48SFh3bIwPVlPJ9JrMhWrTs7q7GNYaUTxsH7rFU7j/GKvsd52YL9UHee9GPSo4JdmdvfGm2EJLSg==,iv:lCNaOi1uEFzYnDD+w8SKGVUGUsiOhRUjUGQ5R2Aw+W0=,tag:rNeHNUV14sCeYOvClzng3A==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2024-01-20T18:53:33Z"
|
||||
mac: ENC[AES256_GCM,data:KnuQeJpvts2n53WRRsPOeSJLVPu5D/aTiqcbmB+zzWGxAmRRJz+Nx2iPPAy3Soz1Plg9LlcAW0P42wQ392qlxwq0SYPceJ6wxllnqOURoPF4hHTfvkPmJoQjgt782tunDvzKP8EsBb3GQwpwG7yPkFSCU4NpZc1hQsuFlWxjfJw=,iv:YVJLsTMBRmmuSXV5IHLxNysKIQqwN5P4D5qINrQwieY=,tag:+Z1Rj5JJilHqkR6M0i7aGQ==,type:str]
|
||||
lastmodified: "2024-01-27T13:31:03Z"
|
||||
mac: ENC[AES256_GCM,data:jOoYhT0lGWkfv8KaV1sTVLDa//v7fhGX6U8TZbl1fBwsqjAds2wgac0XlrsHTtXvI4IbdzQCt3+czfUP4n6xHssRZCAP/Hjqp6NjXcHKY1P3/k/CPnRElb8DizjGJyhuDDRW7gokrxK6XEEvE/y4muI+tBy4/DP2dz6wflgC16g=,iv:StiAgxMmAHb5V6gb24Lz6f+DIhxSozWxmP8RD9wgoNg=,tag:On+Tu3KFxuTLBcdGQCyFDg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-01-20T17:06:10Z"
|
||||
enc: |-
|
||||
|
53
secrets/home-hypervisor/vault.yaml
Normal file
@ -0,0 +1,53 @@
|
||||
vault-root-token: ENC[AES256_GCM,data:xJa+HRfScyRw+mSWbJcNjxYKkF46CUUzDn+UCw==,iv:JRZMKgJlPFhINy+BXaFemM9Reju6zi/Ca4r7LXRfqR8=,tag:5pQ1YuJW2qc5K1ShK8zoIw==,type:str]
|
||||
vault-key1: ENC[AES256_GCM,data:aKTeYtHrDY2cIq6YvD7+d6hpRsGEt1EeBYql/vISESdFmoHwXfgBo8WrD94=,iv:Cw3UbYee9P1mXWUThZuxjB2+ZukBBA0hrUH+3ZwhQr4=,tag:SkDegygx5EGoVDtwpyTpkg==,type:str]
|
||||
vault-key2: ENC[AES256_GCM,data:aYXhjVBfDKKXGHxtxhX2N8rgPJcImhdPun9a905abeJ6YwnX8jHUZ5mo7d4=,iv:vtrtk2AM7cXDId0W3vRKiVR1evMkqh7ui0svOUtlAoo=,tag:GbpEXXX35JTUpdBFb6bPrg==,type:str]
|
||||
vault-key3: ENC[AES256_GCM,data:iwWfxfjP+A6XQzzEHCel8NoTKMEAysDXeDeTouQ4qvZMzizUkN+Vhtf9DkM=,iv:yGs2h6GzQBzSAdFzGJTMCtHpYltsHtpox8kgrjo4r2s=,tag:m/mJrFhWKclVp20oPlNnOg==,type:str]
|
||||
vault-key4: ENC[AES256_GCM,data:ONdi4oTOaxzcjcgJFhF05CHKMF4U1vBfYbdinB8yjc+7DDpllj/qKVhl9+c=,iv:xHG3kgLzsQvfWsU/Wk+G+ktm/6HamyLcBztPlCHVH7o=,tag:hx9giqs2/VYFNXZLEGjMnA==,type:str]
|
||||
vault-key5: ENC[AES256_GCM,data:sKABkAuvMhfsWSJNMvA5A0Up3z9vTf+uu9Aa4U+wftNYwWU9cHAr5N5WQLE=,iv:jQXhCLNrKhy369YSp9SaCOULB077tGLxBBJZ4917+nA=,tag:VW68/IwNZzE5+WmLVdXoPw==,type:str]
|
||||
vault-keys-env: ENC[AES256_GCM,data:EtIRzlCGjULEjxMU1W3ca8vrM+6Z4PNGspg1qCOCUgTVELPFHnqPfBpIC1zClSuqCErwtZiBBI7OCpYF4wdEMeaAOPNMSqOvF56H/MEEYbZHEaA7D9uBGqWDEm7HHhr86dwPPjEisuOj44ju3VgGa//SjyOz6WfHwV89DojDkxSnY+egiJzrZhWbj+VIQsoZ8lLCTFjhFJVXdc9grgznoC0mUAAgNvWSdr1P/NT5Q8QMYfGieCSSIeAq+/p1WXzd2YVGNUMD9Ym+Obj21r6Ag1UWaIx9LZvVlZ+BDuz50fFsGsnCFqUzK9sK+tjhlG4rHUdQMGCuGkgqCJPovxmioiqgninbza7L8wjbbbkIjx628K7YxGfM,iv:URbdJQfbNvNH7Awt703lcJoFJcMs4JyGwuL8f1w8tT0=,tag:PWlFaPNPWwF47+66KcTUhQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2024-01-27T13:13:42Z"
|
||||
mac: ENC[AES256_GCM,data:fjxLdFVIO2AEe2zr6Eu/b7DW0+8RT9MsF7sa1Fh3dBfSzA4JyKB7vtk0KWsPks8lAAfZXDV8A9ICPcQtPzjyASx6Ck8AgaBFZL2kzG9LVpwIzvM5TMKs182qCcMQ1v8SSpmG7+mnyacJk71XL1l0Y8eK2ddI+neCjD8skML/eZM=,iv:QDPmNbNooFMFhvLc5XTKLnspHCOKDIKRaPvEx2hMjAU=,tag:GmLSi036UDVI12qi5MEFww==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-01-25T12:11:53Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQEMAwcagTG/Fm6AAQf/Wma1t/7viv8+ghjH9TE3YUcZXHtJaan4T0gHXvkCEGT4
|
||||
HEIyNnxGNXjMbSfVyQvBeXuHF1DamYZgocOqPa5QegdcI9eQb9ynLYU3anDlcJDn
|
||||
Edw5b3u0LL+L8f78p1ydV0lJA0jxLP7rgv05rkmTjWfheajuFFotXY4+GfxnDX25
|
||||
WGJBnSZSIBUriNcSN27m/w3lJarkcc1f6xlIigd6rfhLLVunXaI3UxXzuiKGKt/e
|
||||
gioUN1R8TENiw7kXAyS4vUp2+WA1qkslZHpwoeOOtMqpL0QBwsVapY/gBvzyTIcl
|
||||
buooeN41eL+sEU7Lq80MTrKSLTDKdt1Y7eDIHh+Y69JYAVXd+G6EgCsgVbDwqw+n
|
||||
G+1xXbCzpRCAR9J5BOJEK3oIykGfs4pCVVQiYi38XF//6KkmE7oi6EQDDmDFMsl6
|
||||
Va8+aG3HscTU17rK1PD5yjBLLmtb2kOn4g==
|
||||
=2uEF
|
||||
-----END PGP MESSAGE-----
|
||||
fp: ad382d058c964607b7bbf01b071a8131bf166e80
|
||||
- created_at: "2024-01-25T12:11:53Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA187ia82lSDGAQ/+NmiXHMKjuN3rVLKhttuYUo55voVcR/HyPDlwuV4NQjms
|
||||
91axlTq67cOKdlR31prwpthEF2OqpDlO2vIXK+040Vz0qISDcB+LSolsixj2RWml
|
||||
v+3liQIFcbDkIrCulMPcnYmLAo09yI2648w98LEJwuX8n8OsnLPdKcgw0emj97CX
|
||||
FDydoFCz+ETLBaLAyeYJfFV/uDsj96rt4ZRhdCqWfNTs+ivEDdBHIUjKH6/5+Xjw
|
||||
9GtBw7oZN/pB1iSBrKDCbiDOcLBXgSh4gGoL+p8g3qPGDTN2M8GDicvV5SAgK9UH
|
||||
1OZphbSxVVh5GGcuFQWnfFVW80p+dYwQLYhwo9euDEUtKaYy6M9JswjV4P625hcQ
|
||||
umg9vZ/z0amN2NLV4YVq0LiPor0vk2PhPiTiSR3YcgqdYJONaFrE8LzGTkbSRPvE
|
||||
mWbFNfGQcZ6Xk6BHK3P0EEpp8hiO/fmL9+8CaA5t9Jr+8q1xl/nMcjNpmB0boZZn
|
||||
i9/If9WT+HgrrGR1EhKZUs4VckqvCNTticIBt1M9cmQ9grjEw4MMAfcgLoZhDewe
|
||||
5LY3rMhzSeuVs+ZdyCio53DICxMwdLLn+24iESneWKDYCCkrlQUwsF3XTjpdtabI
|
||||
cDufLlFeV6enm7Q/VNIr7iQTeWLcvvhwMehO+hdDCtRYoDH55QywWT9yscKShwbS
|
||||
WAG+2G8B4LDHtD/SdLR5oQkZDc0IXFR3y1f9SHAddUcp2UFS6WanSbEc1Y+s6Ohu
|
||||
Ki8t+C8UsKByaDLlglUv2MUjRSF1Gl5u1T7zCufJl27gbRKbEFYJcF4=
|
||||
=dsp4
|
||||
-----END PGP MESSAGE-----
|
||||
fp: a32018133c7afbfd05d5b2795f3b89af369520c6
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
@ -1,12 +1,14 @@
|
||||
attic-token: ENC[AES256_GCM,data:mO5g45uO9fMh9EakmjmdClVkhquKurjXmwnc3Qenj0Wq4QCUvQrOUa9xNcOpQPJsnGnVFH9qFF1X26kGqgUtX3vy4pibvgyoEi5EWVMw8d6tZ/OOKqm4UHlnbG1uEHq5VN5o+IRkk5P0pxXSXiWHNh1aUmW2NrQ8+Wcx7izH01rG5rAZ0hrPZAm/a66W882p6fRdGGvVo4KJBUx8T5n4MD8UNPlafGRKPiloZbXbNAb4NFPnvDLvSPn3VNM659AvDkweMUIQuLvsV0dXB2tOc9ZTkoYHqdYqVMDN/vy+sN+QpKJx0vL5x7e4bSbSCQ7ZP1tJHknuod0DKZqMjg==,iv:Fj35Z4G6jscv8hpcASmoTGc6TUWl/wbebMkQeYoEDeQ=,tag:Y0L5NrA0MKFE+/Fa+eL8oA==,type:str]
|
||||
headscale-api: ENC[AES256_GCM,data:oTVPF4ZwvXEle6R7WyNFTkOgbEEaCVumC2fXtWwSCOpWezCYPNpN1Jwtu+JHDiSCgn8zKu9H,iv:iSkHmcCLBHzeWc3r2GPEM2y+nxPCSDK2rVdcatkEtao=,tag:XBCLGwwbYR3YpLDR957hqg==,type:str]
|
||||
headscale-api-env: ENC[AES256_GCM,data:YdXBG+jYWOMpzMQvga+LOI7C/plmsxhDdhwkCSUzQGkv383KSPFM/KK+tVaEL2/9r4HaO8flnjGKYGPPC9IaPrrJbiNolcjzyBbIYA==,iv:61h8KDlhEUtOCyS+5FKmFdCuXYe3BQ+nNjpPKEgkenw=,tag:V27Dg0jQQSgrLYXORLzxrQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2024-01-21T19:02:30Z"
|
||||
mac: ENC[AES256_GCM,data:yia77K9TZeufHwH6CAQDZprV8cldqvGnOYVBYhh6vywKMudNOi17oQBT2M5hAbxa/GRan/mO5qbyxZnqOGed7Ki9dJvcnv6qJ6xQVuNYWj+U6o5IL0JP5kpoPkglz1ShubArn7En39Vnd3lOdDTCEFwSv43llQ35krAeCK5etV4=,iv:b5EAv7ufDPRR6HSbyHg5IohqCu/8BO1ORR012rqgiD8=,tag:iebh6Q9RpqitDuO8AkL3fQ==,type:str]
|
||||
lastmodified: "2024-01-24T19:58:00Z"
|
||||
mac: ENC[AES256_GCM,data:FU1kS+eGnUZoesvkvtPO0wOJiUz8MJBCgXI1AW3ImU1j8gAJLyZEZO8kT+7VAGcq2iMgjMYteZRyk2A3bl9CTb5LPONlwicMcRzG/TzjCBmx41QJeNlwqg/FINNvp6fvFP6ZBwwwqGIMQZmdLjdE7a4v1S53r5+sVNRKVnlzg0E=,iv:SWhgN8Pc0RnZsrzmY0xn0K6i9R6CcKDwlLvRjx5eOFw=,tag:4KXTnDJDtRn9jLMsLxnNmw==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-01-22T10:23:43Z"
|
||||
enc: |-
|
||||
|
@ -1,14 +1,18 @@
|
||||
rclone-rustic-backups: ENC[AES256_GCM,data:78Ch7VVk/9rPy8pTQCTmuSSXWVKlNwlaTxnrM4yBi8/AQ6B4QJYQr1ibtxbgFs4aGHMddJbARLILT9afzXVF3dwyZ5490v8b+6NmGQ/ECdLpQ3LUGWzQHSkTQRib8s2ks2v3XC7AAzUr4hNdXHxL4/11WrKIL5wJyn2YP/KngQoIjijkpzoAoKZgr9cTZDSQ3FsnDv6WlQ4lTneRSkssFmHrytgFWEj/EXTqeZo5/2E7GrqFC161iO/p6+ZM9dNFoSsLxj4SI5gF2HsUChZbDfMyMdzYCHTt,iv:a1Vgs89rKIDJ//CCN94F3rzUSBtbrBB9fB8nZpFacTg=,tag:Y4QA6YKOUAWN5uhnG2C95Q==,type:str]
|
||||
rclone-postgresql-backups: ENC[AES256_GCM,data:rEINBfZezX3YSfQQhYm9JsgHOZE4c4us3dl5FvgZv2L+uIsoVVSNt0gr6My/nk19hL7IGY1I7ab2YgEwKE3w4rV3wpZ6+lCAucNM2YvGXWoqpvOvhH0YGfASA7yOSDaLZ69zL07UGX0WK2Z2dDrLOEz8NJsPbOn55XvDXVwjtR1o3R7j7bLKUHgcm8S/JGF0IQXvJWBN/WQzF66rFjNf0SxReEfa/mYLr3w+qdBpRVsZ3yiXQrvFUWj9GNS3FYfG6wro5SLGLuX7hDkGE+KiKv7j0cuMkphlQu0IyQ==,iv:NodSsCEPz6dMfSbHKE3sIfehaZ7cD3tq3gVtTceHmrg=,tag:lBDzO4QmOGyUBX5aAm2TYA==,type:str]
|
||||
rustic-nas-pass: ENC[AES256_GCM,data:uDiQQRxlpBfbwihXDR32aGjP41iZ,iv:qx6FJEllahkP9BPYFFfv9LHnnVTOl6B7Jv9OSfNkPok=,tag:MBUT77ccG/acr/U/X2zrCA==,type:str]
|
||||
rustic-vps-pass: ENC[AES256_GCM,data:LMdVK6j/TV9JLAxwWUtIfF//nf6r,iv:PjOYcNeLjlRx6uoZo+jr0oA9N60NJNNPloc9fc44raw=,tag:AjOzsfVIhDCb5a5D3yIdUA==,type:str]
|
||||
rustic-postgresql-pass: ENC[AES256_GCM,data:oUHakvIPSwkNy1lkQ4k14+CWIofO,iv:v3EFeZCkFyeY/ADK8vqYvAD0XDmnQFIq6XGd9B8jvXY=,tag:6+kGWMq+9iVLSf5p/TIp8g==,type:str]
|
||||
rustic-minio-secret-key: ENC[AES256_GCM,data:Jkn0mHcLFWS/euPCYtEF3hXN4Jx8PHZHA3RtZiMshuZdZTv0Y+tHteZB2i27Ka+u,iv:R2FEEhe+EoqFDQYbLJ3hrb+ENVvsP2c++WA0z3QQrxA=,tag:bifjyNyNouUhFGV6SpAg7Q==,type:str]
|
||||
rclone-s3-sync: ENC[AES256_GCM,data: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,iv:2pXnmuz+Lrv/7p6CsqAElRovFdERV03VMA+X7vQF+Gw=,tag:mZbTfZRih4inCGrHdeH6EQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2024-01-19T11:27:22Z"
|
||||
mac: ENC[AES256_GCM,data:EskxLpbdlrpB5yvUsyzgjoozqwPgDnqPLSkA8WcHmreqR+v1mEM/xY2GAije2TA4Bg7WGSKEBonuapk5hMHtehXy7+9iytdloDNQtXJWAoOy2PLd55E7shUdBVilEAa2mCUz5VDBz9jXMtlW0jv13W4iwXQ9ixKmzaUr/JSpnCk=,iv:t2MBxAtKrMOG/BoBOszkTu+o4bELfmU2cVLbvZK+BZw=,tag:u6E7DZDrC58zbpYf9tqDYA==,type:str]
|
||||
lastmodified: "2024-01-23T15:17:00Z"
|
||||
mac: ENC[AES256_GCM,data:Ws5QPNDrb/xHj9/F6d14l2juemaVzLecYs4SeN/Fwo0DSztJsZhSK9JV2gx+iZk1R5i5WKJumr+2SPeEbFzfQkIuemj32ECHGBPKI0UB1O48hEMWOxIMN03zXf56MujWWXoIeVK+bzVNPot9+qtU0mZQ/VvLlVpWF35vb8tkORE=,iv:nJKM7qFqK1ezTiMe8sXAOz+Bpg+BnKCZOGDKCgUEEHE=,tag:01+MqoF0jfGjauVeaVatyQ==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-01-22T10:23:32Z"
|
||||
enc: |-
|