Compare commits


4 commits

b77f846a33
Merge remote-tracking branch 'origin/#76-Nuked-Backup' into #76-Nuked-Backup
# Conflicts:
#	secrets/backup/nuked.age
2024-06-07 19:44:51 +01:00
097fa21af8
admin: add eliza and esy as admins to the secrets
Actually add the keys this time....
2024-06-07 19:20:52 +01:00
3e10c14a4b
feat: Gonna use the space left behind Optimus to test this out
Relates to 
2024-06-07 19:19:55 +01:00
223fcb4202
feat: Gonna use the space left behind Optimus to test this out
Relates to 
2024-06-06 23:36:50 +01:00
100 changed files with 1854 additions and 3233 deletions


@ -1,59 +0,0 @@
name: Build_Deploy
on:
workflow_run:
workflows: [ "Update_Flake" ]
types:
- completed
push:
branches:
- 'main'
paths:
- applications/**/*
- machines/**/*
- secrets/**/*
- flake.*
- config/**/*
- .forgejo/**/*
jobs:
linter:
runs-on: nix
steps:
- uses: actions/checkout@v4
- run: nix fmt -- --check .
- run: nix --version
#if: github.repository == 'Skynet/nixos'
build:
runs-on: nix
steps:
- uses: actions/checkout@v4
- run: nix develop -v
# - name: Archive Test Results
# if: always()
# run: sleep 100m
# - run: colmena build -v --on @active-dns
# - run: colmena build -v --on @active-core
# - run: colmena build -v --on @active
# - run: colmena build -v --on @active-ext
# - run: colmena build -v --on @active-git
deploy_dns:
runs-on: nix
needs: [ linter, build ]
steps:
- uses: actions/checkout@v4
- run: colmena apply -v --on @active-dns --show-trace
shell: bash
deploy_active:
strategy:
matrix:
batch: [ active-core, active, active-ext ]
runs-on: nix
needs: [ deploy_dns ]
steps:
- uses: actions/checkout@v4
- run: colmena apply -v --on @${{ matrix.batch }} --show-trace
shell: bash


@ -1,12 +0,0 @@
name: Update_Forgejo
on:
workflow_dispatch:
jobs:
deploy:
runs-on: nix
steps:
- uses: actions/checkout@v4
- run: colmena apply -v --on @active-git --show-trace
shell: bash


@ -1,31 +0,0 @@
name: Update_Flake
run-name: "[Update Flake] ${{ inputs.input_to_update }}"
on:
workflow_dispatch:
inputs:
input_to_update:
description: 'Flake input to update'
required: false
type: string
jobs:
update:
runs-on: nix
permissions:
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository.
contents: write
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.PIPELINE_TOKEN }}
- run: nix flake update ${{ inputs.input_to_update }}
shell: bash
- uses: https://github.com/stefanzweifel/git-auto-commit-action@v5
with:
commit_message: "Updated flake for ${{ inputs.input_to_update }}"


@ -1,41 +0,0 @@
# The websites can sometimes cause issues when being built and deployed
# This pipeline is to update the inputs from the server
name: Update_Flake_Websites
run-name: "[Update Flake Websites]"
on:
workflow_dispatch:
jobs:
update:
runs-on: nix
permissions:
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository.
contents: write
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.PIPELINE_TOKEN }}
- run: nix flake update skynet_website_2003
shell: bash
- run: nix flake update skynet_website_2006
shell: bash
- run: nix flake update skynet_website_2016
shell: bash
- run: nix flake update skynet_website_2021
shell: bash
- run: nix flake update skynet_website_2023
shell: bash
- run: nix flake update skynet_website_2024
shell: bash
- run: nix flake update skynet_website
shell: bash
- uses: https://github.com/stefanzweifel/git-auto-commit-action@v5
with:
commit_message: "Updated flake for Websites"

3
.gitignore vendored

@ -6,9 +6,6 @@
*.tmp
tmp
# open office tmp lockfiles
.~lock.*
# Test files
test.*
*.test.*


@ -30,7 +30,7 @@ update:
# the part that updates the flake
- nix --experimental-features 'nix-command flakes' flake lock --update-input $PACKAGE_NAME
- git add flake.lock
- git commit -m "Updated flake for $PACKAGE_NAME" || echo "No changes, nothing to commit"
- git commit -m "[skip ci] Updated flake for $PACKAGE_NAME" || echo "No changes, nothing to commit"
# we have a custom domain
- git remote rm origin && git remote add origin ssh://git@gitlab.skynet.ie:2222/compsoc1/skynet/nixos.git
- git push origin HEAD:$CI_COMMIT_REF_NAME
@ -48,14 +48,13 @@ sync_repos:
- chmod +x ./sync.sh
- ./sync.sh
rules:
- if: $UPDATE_FLAKE == "yes"
when: never
- if: '$CI_PROJECT_NAMESPACE == "compsoc1/skynet" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
changes:
- sync/repos.csv
.scripts_base: &scripts_base
# load nix environment
- git pull origin $CI_COMMIT_REF_NAME
- . "$HOME/.nix-profile/etc/profile.d/nix.sh"
- nix --extra-experimental-features 'nix-command flakes' profile install nixpkgs#colmena
@ -70,8 +69,6 @@ sync_repos:
- nix --extra-experimental-features 'nix-command flakes' profile install nixpkgs#attic-client
- attic login skynet https://nix-cache.skynet.ie/ $CACHE_KEY
- attic use skynet-cache
# add any new items to the cache
- attic watch-store skynet-cache &
# every commit on main will build and deploy
.build_template: &builder
@ -81,8 +78,6 @@ sync_repos:
- *scripts_base
- *scripts_cache
rules:
- if: $UPDATE_FLAKE == "yes"
when: never
- changes:
- applications/**/*
- machines/**/*
@ -98,8 +93,6 @@ sync_repos:
- *scripts_base
- *scripts_cache
rules:
- if: $UPDATE_FLAKE == "yes"
when: never
- if: '$CI_PROJECT_NAMESPACE == "compsoc1/skynet" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
changes:
- flake.nix
@ -119,12 +112,12 @@ build:
<<: *builder
stage: test
script:
- nix --extra-experimental-features 'nix-command flakes' develop
- attic watch-store skynet-cache &
- colmena build -v --on @active-dns
- colmena build -v --on @active-core
- colmena build -v --on @active
- colmena build -v --on @active-ext
- colmena build -v --on @active-git
- colmena build -v --on @active-gitlab
# dns always has to be deployed first
deploy_dns:
@ -161,11 +154,12 @@ deploy_ext:
- deploy_dns
script:
- colmena apply -v --on @active-ext
allow_failure: true
deploy_gitlab:
<<: *builder
<<: *deployment
stage: deploy_gitlab
script:
- colmena apply -v --on @active-git
- colmena apply -v --on @active-gitlab
when: manual
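Review bot: `.scripts_base` now runs `git pull origin $CI_COMMIT_REF_NAME` before the nix profile is loaded, so every job that expands `*scripts_base` (the deploy stages included) works on whatever the branch head is when the job starts, not on the commit the pipeline was created for; a manually started `deploy_gitlab` job can therefore apply a revision that no pipeline has linted or built. If the intent is only to pick up the `[skip ci]` flake-lock commit pushed by `update`, `- git pull --ff-only origin $CI_COMMIT_REF_NAME` followed by `- git rev-parse HEAD` at least refuses a diverged branch and records which revision was deployed. The same change removes the `$UPDATE_FLAKE == "yes"` / `when: never` rules, so the guard against a commit-and-redeploy loop now rests entirely on the `[skip ci]` string in the commit message; a comment above that `git commit` line stating this would help the next reader. The job definitions extend beyond the hunks shown here.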


@ -1,48 +0,0 @@
Rule,Action,Ticket,Status,Source_IP,Source_Server,Destination_IP,Destination_Server,Port_TCP,Port_UDP,Notes
SKYNET_FIREWALL_00000,Add,,Complete,VPN,-,93.1.99.71 - 193.1.99.126,All,22,-,sftp/ssh required from vpn to servers for admins
SKYNET_FIREWALL_00001,Add,,Complete,All,-,193.1.99.109,SKYNET00004,-,53,Nameserver for skynet.ie
SKYNET_FIREWALL_00002,Add,,Complete,All,-,193.1.99.111,SKYNET00005,"80, 443, 8000",-,"ULFM, http(s) for internet streaming, 8000 for connecting to the server."
SKYNET_FIREWALL_00003,Add,,Complete,All,-,193.1.99.112,SKYNET00006,"80, 443, 25565",-,"Games host, Minecraft uses 25565 (will have more ports in the future)"
SKYNET_FIREWALL_00004,Add,,Complete,All,-,193.1.99.120,SKYNET00002,-,53,Nameserver for skynet.ie
SKYNET_FIREWALL_00005,Add,i23-01-19_681,Complete,193.1.99.72,SKYNET00001,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00006,Add,i23-01-19_681,Complete,193.1.99.75,SKYNET00008,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00007,Add,i23-01-19_681,Complete,193.1.99.109,SKYNET00004,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00008,Add,i23-01-19_681,Complete,193.1.99.111,SKYNET00005,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00009,Add,i23-01-19_681,Complete,193.1.99.112,SKYNET00006,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00010,Add,i23-01-19_681,Complete,193.1.99.120,SKYNET00002,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00011,Add,i23-05-18_249,Complete,All,-,193.1.99.75,SKYNET00008,"80, 443",-,For gitlab Access
SKYNET_FIREWALL_00012,Add,i23-05-18_249,Complete,193.1.99.72 - 193.1.99.126,-,All,-,-,-,"I would also like to extend the outbound access to cover our entire range (193.1.99.72 to 193.1.99.126) to allow for setup for more servers on those ip's (need to download updates and packages).
I have a few servers I plan to setup over the next two weeks, one after another as the later ones depend on earlier ones.
In such a case asking for permission for each individual IP would induce several tickets and a few weeks of paperwork going through change control.
Only a few of these sevices will need inbound ports opened on ITD's firewall, which can be requested when the systems are up, running and secured."
SKYNET_FIREWALL_00013,Add,i23-05-18_249,Complete,All,-,193.1.99.76,SKYNET00009,"143, 993, 587, 465",-,Email Server
SKYNET_FIREWALL_00014,Add,i23-06-19_525,Complete,All,-,193.1.99.76,SKYNET00009,"80, 443, 25",-,"Mailserver here, SPF, DKIM and DMARC are all set up"
SKYNET_FIREWALL_00015,Add,i23-06-19_525,Complete,All,-,193.1.99.79,SKYNET00011,"80, 443",-,Main Skynet webserver
SKYNET_FIREWALL_00016,Add,i23-06-30_024,Complete,All,-,193.1.96.165,SKYNET00012,22,-,"Skynet user's server
Outlet is 131 or 132"
SKYNET_FIREWALL_00017,Add,i23-06-30_024,Complete,193.1.96.165,SKYNET00012,193.1.99.120,SKYNET00002,-,53,Allow Skynet server to use our own internal DNS
SKYNET_FIREWALL_00018,Add,i23-06-30_024,Complete,193.1.96.165,SKYNET00012,193.1.99.74,SKYNET00007,389/636,-,Allow Skynet server to access LDAP
,Add,i23-07-28_010,Denied,All,-,193.1.99.74,SKYNET00007,"80, 443",-,Self Service site for Skynet accounts Only 443 on account modification pages
SKYNET_FIREWALL_00019,Add,i23-07-28_010,Complete,All,-,193.1.99.74,SKYNET00007,443,-,Self Service site for Skynet accounts
SKYNET_FIREWALL_00020,Add,i23-09-05_639,Complete,All,-,193.1.96.165,SKYNET00012,"80, 443",-,Web hosting for user sites
SKYNET_FIREWALL_00021,Add,i23-10-27_014,Complete,All,-,193.1.99.77,SKYNET00014,"80, 443",-,"Nextcloud, selfhosted google services, filestorage and documents"
SKYNET_FIREWALL_00022,Add,i24-02-01_102,Complete,193.1.96.165,SKYNET00012,103.1.99.109,SKYNET00004,-,53,Give the Skynet server access to ur secondary DNS
SKYNET_FIREWALL_00023,Add,i24-02-01_102,Complete,193.1.99.78,SKYNET00010,193.1.96.165,SKYNET00012,22,-,Allow our gitlab runner to access and deploy to teh external server
SKYNET_FIREWALL_00024,Add,i24-02-16_065,Complete,All,-,193.1.99.90,SKYNET00016,"80, 443",-,Games Server Administrative panel
SKYNET_FIREWALL_00025,Add,i24-02-16_065,Complete,All,-,193.1.99.91,SKYNET00017,25518-25525,"19132, 24418-24425",Minecraft Games server
SKYNET_FIREWALL_00026,Add,i24-06-04_017,Complete,All,-,193.1.99.76,SKYNET00009,4190,-,"Email sieve to allow members to add email filters to their
skynet mail."
SKYNET_FIREWALL_00027,Add,i24-06-04_017,Complete,All,-,193.1.99.82,SKYNET00018,80/443,-,"Public services such as a binary cache, open governance and keyserver"
,Add,i24-06-04_017,Denied,All,-,193.1.99.90,SKYNET00016,8080,-,"Websocket for admin panel on games management server
Denied because more information on wat it was for was requested"
,Add,i24-06-04_017,Denied,193.1.99.74,SKYNET00007,193.1.96.165,SKYNET00012,9000-9020,-,"Metrics collection, not done because not enough info provided"
SKYNET_FIREWALL_00028,Remove,i24-06-04_017,Complete,-,-,193.1.99.112,SKYNET00019,25565,-,No longer the minecraft game host
SKYNET_FIREWALL_00029,Add,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8080,-,Websocket for admin panel on games management server
SKYNET_FIREWALL_00030,Add,i24-06-04_017,Complete,193.1.99.83,SKYNET00020,193.1.96.165,SKYNET00012,9000-9010,-,Metrics Collection
SKYNET_FIREWALL_00031,Add,i24-06-04_017,Complete,All,-,193.1.99.83,SKYNET00020,"80, 443",-,Web interface for Metrics server
SKYNET_FIREWALL_00032,Remove,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8080,-,Had incorrectly opened 8080 on the main panel
SKYNET_FIREWALL_00033,Add,i24-06-04_017,Complete,All,-,193.1.99.91,SKYNET00017,8080,-,Websocket for admin panel on games management server
,Add,i24-07-15_112,Denied,193.1.99.75,-,-,-,22,-,Response from ITD - 'Our IT Security team have advised that port 22 and port 2222 are only to be allowed through the VPN and will not be opened to allow inbound ssh connections directly from the internet'
SKYNET_FIREWALL_00034,Add,i25-01-26_075,Complete,All,-,193.1.99.91,SKYNET00017,-,23318-23325,Ports for Minecraft Bedrock on the main games server.
SKYNET_FIREWALL_00035,Add,i25-02-14_114,Complete,193.1.99.75,SKYNET00008,193.1.96.165,SKYNET00012,22,-,Allow our forgejo runner to access and deploy to teh external server
SKYNET_FIREWALL_00036,Add,i25-03-11_125,Complete,All,-,193.1.99.86,SKYNET00027,25,-,Email Filter
1 Rule Action Ticket Status Source_IP Source_Server Destination_IP Destination_Server Port_TCP Port_UDP Notes
2 SKYNET_FIREWALL_00000 Add Complete VPN - 93.1.99.71 - 193.1.99.126 All 22 - sftp/ssh required from vpn to servers for admins
3 SKYNET_FIREWALL_00001 Add Complete All - 193.1.99.109 SKYNET00004 - 53 Nameserver for skynet.ie
4 SKYNET_FIREWALL_00002 Add Complete All - 193.1.99.111 SKYNET00005 80, 443, 8000 - ULFM, http(s) for internet streaming, 8000 for connecting to the server.
5 SKYNET_FIREWALL_00003 Add Complete All - 193.1.99.112 SKYNET00006 80, 443, 25565 - Games host, Minecraft uses 25565 (will have more ports in the future)
6 SKYNET_FIREWALL_00004 Add Complete All - 193.1.99.120 SKYNET00002 - 53 Nameserver for skynet.ie
7 SKYNET_FIREWALL_00005 Add i23-01-19_681 Complete 193.1.99.72 SKYNET00001 All - - - Allow outbound access
8 SKYNET_FIREWALL_00006 Add i23-01-19_681 Complete 193.1.99.75 SKYNET00008 All - - - Allow outbound access
9 SKYNET_FIREWALL_00007 Add i23-01-19_681 Complete 193.1.99.109 SKYNET00004 All - - - Allow outbound access
10 SKYNET_FIREWALL_00008 Add i23-01-19_681 Complete 193.1.99.111 SKYNET00005 All - - - Allow outbound access
11 SKYNET_FIREWALL_00009 Add i23-01-19_681 Complete 193.1.99.112 SKYNET00006 All - - - Allow outbound access
12 SKYNET_FIREWALL_00010 Add i23-01-19_681 Complete 193.1.99.120 SKYNET00002 All - - - Allow outbound access
13 SKYNET_FIREWALL_00011 Add i23-05-18_249 Complete All - 193.1.99.75 SKYNET00008 80, 443 - For gitlab Access
14 SKYNET_FIREWALL_00012 Add i23-05-18_249 Complete 193.1.99.72 - 193.1.99.126 - All - - - I would also like to extend the outbound access to cover our entire range (193.1.99.72 to 193.1.99.126) to allow for setup for more servers on those ip's (need to download updates and packages). I have a few servers I plan to setup over the next two weeks, one after another as the later ones depend on earlier ones. In such a case asking for permission for each individual IP would induce several tickets and a few weeks of paperwork going through change control. Only a few of these sevices will need inbound ports opened on ITD's firewall, which can be requested when the systems are up, running and secured.
15 SKYNET_FIREWALL_00013 Add i23-05-18_249 Complete All - 193.1.99.76 SKYNET00009 143, 993, 587, 465 - Email Server
16 SKYNET_FIREWALL_00014 Add i23-06-19_525 Complete All - 193.1.99.76 SKYNET00009 80, 443, 25 - Mailserver here, SPF, DKIM and DMARC are all set up
17 SKYNET_FIREWALL_00015 Add i23-06-19_525 Complete All - 193.1.99.79 SKYNET00011 80, 443 - Main Skynet webserver
18 SKYNET_FIREWALL_00016 Add i23-06-30_024 Complete All - 193.1.96.165 SKYNET00012 22 - Skynet user's server Outlet is 131 or 132
19 SKYNET_FIREWALL_00017 Add i23-06-30_024 Complete 193.1.96.165 SKYNET00012 193.1.99.120 SKYNET00002 - 53 Allow Skynet server to use our own internal DNS
20 SKYNET_FIREWALL_00018 Add i23-06-30_024 Complete 193.1.96.165 SKYNET00012 193.1.99.74 SKYNET00007 389/636 - Allow Skynet server to access LDAP
21 Add i23-07-28_010 Denied All - 193.1.99.74 SKYNET00007 80, 443 - Self Service site for Skynet accounts – Only 443 on account modification pages
22 SKYNET_FIREWALL_00019 Add i23-07-28_010 Complete All - 193.1.99.74 SKYNET00007 443 - Self Service site for Skynet accounts
23 SKYNET_FIREWALL_00020 Add i23-09-05_639 Complete All - 193.1.96.165 SKYNET00012 80, 443 - Web hosting for user sites
24 SKYNET_FIREWALL_00021 Add i23-10-27_014 Complete All - 193.1.99.77 SKYNET00014 80, 443 - Nextcloud, selfhosted google services, filestorage and documents
25 SKYNET_FIREWALL_00022 Add i24-02-01_102 Complete 193.1.96.165 SKYNET00012 103.1.99.109 SKYNET00004 - 53 Give the Skynet server access to ur secondary DNS
26 SKYNET_FIREWALL_00023 Add i24-02-01_102 Complete 193.1.99.78 SKYNET00010 193.1.96.165 SKYNET00012 22 - Allow our gitlab runner to access and deploy to teh external server
27 SKYNET_FIREWALL_00024 Add i24-02-16_065 Complete All - 193.1.99.90 SKYNET00016 80, 443 - Games Server Administrative panel
28 SKYNET_FIREWALL_00025 Add i24-02-16_065 Complete All - 193.1.99.91 SKYNET00017 25518-25525 19132, 24418-24425 Minecraft Games server
29 SKYNET_FIREWALL_00026 Add i24-06-04_017 Complete All - 193.1.99.76 SKYNET00009 4190 - Email sieve to allow members to add email filters to their skynet mail.
30 SKYNET_FIREWALL_00027 Add i24-06-04_017 Complete All - 193.1.99.82 SKYNET00018 80/443 - Public services such as a binary cache, open governance and keyserver
31 Add i24-06-04_017 Denied All - 193.1.99.90 SKYNET00016 8080 - Websocket for admin panel on games management server Denied because more information on wat it was for was requested
32 Add i24-06-04_017 Denied 193.1.99.74 SKYNET00007 193.1.96.165 SKYNET00012 9000-9020 - Metrics collection, not done because not enough info provided
33 SKYNET_FIREWALL_00028 Remove i24-06-04_017 Complete - - 193.1.99.112 SKYNET00019 25565 - No longer the minecraft game host
34 SKYNET_FIREWALL_00029 Add i24-06-04_017 Complete All - 193.1.99.90 SKYNET00016 8080 - Websocket for admin panel on games management server
35 SKYNET_FIREWALL_00030 Add i24-06-04_017 Complete 193.1.99.83 SKYNET00020 193.1.96.165 SKYNET00012 9000-9010 - Metrics Collection
36 SKYNET_FIREWALL_00031 Add i24-06-04_017 Complete All - 193.1.99.83 SKYNET00020 80, 443 - Web interface for Metrics server
37 SKYNET_FIREWALL_00032 Remove i24-06-04_017 Complete All - 193.1.99.90 SKYNET00016 8080 - Had incorrectly opened 8080 on the main panel
38 SKYNET_FIREWALL_00033 Add i24-06-04_017 Complete All - 193.1.99.91 SKYNET00017 8080 - Websocket for admin panel on games management server
39 Add i24-07-15_112 Denied 193.1.99.75 - - - 22 - Response from ITD - 'Our IT Security team have advised that port 22 and port 2222 are only to be allowed through the VPN and will not be opened to allow inbound ssh connections directly from the internet'
40 SKYNET_FIREWALL_00034 Add i25-01-26_075 Complete All - 193.1.99.91 SKYNET00017 - 23318-23325 Ports for Minecraft Bedrock on the main games server.
41 SKYNET_FIREWALL_00035 Add i25-02-14_114 Complete 193.1.99.75 SKYNET00008 193.1.96.165 SKYNET00012 22 - Allow our forgejo runner to access and deploy to teh external server
42 SKYNET_FIREWALL_00036 Add i25-03-11_125 Complete All - 193.1.99.86 SKYNET00027 25 - Email Filter


@ -1,28 +0,0 @@
Index,Name,Status,IP_Address,OS,Description
SKYNET00001,agentjones,Active,193.1.99.072,Nixos-24.05,Firewall (currently not active)
SKYNET00002,vendetta,Active,193.1.99.120,Nixos-24.05,DNS Nameserver 1
SKYNET00003,jarvis,Active,193.1.99.073,Proxmox,VM Host
SKYNET00004,vigil,Active,193.1.99.109,Nixos-24.05,DNS Nameserver 2
SKYNET00005,galatea,Active,193.1.99.111,Nixos-24.05,ULFM Radio
SKYNET00006,optimus,Retired,193.1.99.112,Nixos-24.05,Retired Games server
SKYNET00007,kitt,Active,193.1.99.074,Nixos-24.05,"LDAP and Self-Service Password/Account management, also hosts our Discord bot"
SKYNET00008,glados,Active,193.1.99.075,Nixos-24.05,Gitlab server
SKYNET00009,gir,Active,193.1.99.076,Nixos-24.05,Email and Webmail
SKYNET00010,wheatly,Active,193.1.99.078,Nixos-24.05,Gitlab Runner
SKYNET00011,earth,Active,193.1.99.079,Nixos-24.05,Offical website host
SKYNET00012,skynet,Active,193.1.96.165,Nixos-24.05,Skynet server. (DMZ)
SKYNET00013,neuromancer,Active,193.1.99.080,Nixos-24.05,Local Backup Server
SKYNET00014,cadie,Active,193.1.99.077,Nixos-24.05,"Services VM, has nextcloud to start with"
SKYNET00015,marvin,Active,193.1.99.081,Nixos-24.05,Trainee testing server
SKYNET00016,optimus,Retired,193.1.99.090,Debian-12,Games server manager (replacing SKYNET00006 soon)
SKYNET00017,bumblebee,Retired,193.1.99.091,Debian-12,Game server - Minecraft
SKYNET00018,calculon,Active,193.1.99.082,Nixos-24.05,"Public Services such as binary cache, Open Governance and Keyserver"
SKYNET00019,deepthought,Active,193.1.99.112,Nixos-24.05,Backup Test Server using restic
SKYNET00020,ariia,Active,193.1.99.083,Nixos-24.05,"Metrics, Grafana and Prometheus"
SKYNET00021,ash,Active,193.1.99.114,NA,Server Room Network access
SKYNET00022,ultron,Active,193.1.99.084,Proxmox,VM Host
SKYNET00023,optimus-test,Retired,193.1.99.085,Nixos,Testing flake for Pelecian
SKYNET00024,optimus,Active,193.1.99.090,Nixos,Games server manager (replaced SKYNET00016)
SKYNET00025,bumblebee,Active,193.1.99.091,Nixos,Game server - Minecraft (replaced SKYNET00017)
SKYNET00026,vision,Active,193.1.99.085,Raspbian,Proxmox Qurom server
SKYNET00027,mimi,Active,193.1.99.086,Proxmox-Mail-Gateway,Proxmox Mail Gateway
1 Index Name Status IP_Address OS Description
2 SKYNET00001 agentjones Active 193.1.99.072 Nixos-24.05 Firewall (currently not active)
3 SKYNET00002 vendetta Active 193.1.99.120 Nixos-24.05 DNS Nameserver 1
4 SKYNET00003 jarvis Active 193.1.99.073 Proxmox VM Host
5 SKYNET00004 vigil Active 193.1.99.109 Nixos-24.05 DNS Nameserver 2
6 SKYNET00005 galatea Active 193.1.99.111 Nixos-24.05 ULFM Radio
7 SKYNET00006 optimus Retired 193.1.99.112 Nixos-24.05 Retired Games server
8 SKYNET00007 kitt Active 193.1.99.074 Nixos-24.05 LDAP and Self-Service Password/Account management, also hosts our Discord bot
9 SKYNET00008 glados Active 193.1.99.075 Nixos-24.05 Gitlab server
10 SKYNET00009 gir Active 193.1.99.076 Nixos-24.05 Email and Webmail
11 SKYNET00010 wheatly Active 193.1.99.078 Nixos-24.05 Gitlab Runner
12 SKYNET00011 earth Active 193.1.99.079 Nixos-24.05 Offical website host
13 SKYNET00012 skynet Active 193.1.96.165 Nixos-24.05 Skynet server. (DMZ)
14 SKYNET00013 neuromancer Active 193.1.99.080 Nixos-24.05 Local Backup Server
15 SKYNET00014 cadie Active 193.1.99.077 Nixos-24.05 Services VM, has nextcloud to start with
16 SKYNET00015 marvin Active 193.1.99.081 Nixos-24.05 Trainee testing server
17 SKYNET00016 optimus Retired 193.1.99.090 Debian-12 Games server manager (replacing SKYNET00006 soon)
18 SKYNET00017 bumblebee Retired 193.1.99.091 Debian-12 Game server - Minecraft
19 SKYNET00018 calculon Active 193.1.99.082 Nixos-24.05 Public Services such as binary cache, Open Governance and Keyserver
20 SKYNET00019 deepthought Active 193.1.99.112 Nixos-24.05 Backup Test Server using restic
21 SKYNET00020 ariia Active 193.1.99.083 Nixos-24.05 Metrics, Grafana and Prometheus
22 SKYNET00021 ash Active 193.1.99.114 NA Server Room Network access
23 SKYNET00022 ultron Active 193.1.99.084 Proxmox VM Host
24 SKYNET00023 optimus-test Retired 193.1.99.085 Nixos Testing flake for Pelecian
25 SKYNET00024 optimus Active 193.1.99.090 Nixos Games server manager (replaced SKYNET00016)
26 SKYNET00025 bumblebee Active 193.1.99.091 Nixos Game server - Minecraft (replaced SKYNET00017)
27 SKYNET00026 vision Active 193.1.99.085 Raspbian Proxmox Qurom server
28 SKYNET00027 mimi Active 193.1.99.086 Proxmox-Mail-Gateway Proxmox Mail Gateway


@ -1,6 +0,0 @@
Index,First Name,Surname,UL Student Email
SKYNET_VPN_ADM_001,Brendan,Golden,12136891@studentmail.ul.ie
SKYNET_VPN_ADM_002,Evan,Cassidy,External
SKYNET_VPN_ADM_003,Eoghan,Conlon,21310262@studentmail.ul.ie
SKYNET_VPN_ADM_004,Eliza,Macovei,23382619@studentmail.ul.ie
SKYNET_VPN_ADM_005,Daragh,Downes,22351159@studentmail.ul.ie
1 Index First Name Surname UL Student Email
2 SKYNET_VPN_ADM_001 Brendan Golden 12136891@studentmail.ul.ie
3 SKYNET_VPN_ADM_002 Evan Cassidy External
4 SKYNET_VPN_ADM_003 Eoghan Conlon 21310262@studentmail.ul.ie
5 SKYNET_VPN_ADM_004 Eliza Macovei 23382619@studentmail.ul.ie
6 SKYNET_VPN_ADM_005 Daragh Downes 22351159@studentmail.ul.ie


@ -1,7 +0,0 @@
Date,Date Modified,Action,Ticket,ID
SKYNET_VPN_ADM_CHANGE_001,2023/04/04,Added,,SKYNET_VPN_ADM_001
SKYNET_VPN_ADM_CHANGE_002,2023/04/04,Added,,SKYNET_VPN_ADM_002
SKYNET_VPN_ADM_CHANGE_003,2023/04/04,Added,,SKYNET_VPN_ADM_003
SKYNET_VPN_ADM_CHANGE_003,2024/07/21,Removed,i24-07-22_760,SKYNET_VPN_ADM_003
SKYNET_VPN_ADM_CHANGE_004,2024/07/21,Added,i24-07-22_760,SKYNET_VPN_ADM_004
SKYNET_VPN_ADM_CHANGE_005,2024/07/21,Added,i24-07-22_760,SKYNET_VPN_ADM_005
1 Date Date Modified Action Ticket ID
2 SKYNET_VPN_ADM_CHANGE_001 2023/04/04 Added SKYNET_VPN_ADM_001
3 SKYNET_VPN_ADM_CHANGE_002 2023/04/04 Added SKYNET_VPN_ADM_002
4 SKYNET_VPN_ADM_CHANGE_003 2023/04/04 Added SKYNET_VPN_ADM_003
5 SKYNET_VPN_ADM_CHANGE_003 2024/07/21 Removed i24-07-22_760 SKYNET_VPN_ADM_003
6 SKYNET_VPN_ADM_CHANGE_004 2024/07/21 Added i24-07-22_760 SKYNET_VPN_ADM_004
7 SKYNET_VPN_ADM_CHANGE_005 2024/07/21 Added i24-07-22_760 SKYNET_VPN_ADM_005

19
ITD_Firewall.csv Normal file

@ -0,0 +1,19 @@
Index,Status,Name,IP_Address,DNS_Name,Ports TCP,Ports UDP,Tunnel,Ports_Requested,Related_Tickets,Description
SKYNET00001,Active,agentjones,193.1.99.72,agentjones,,,,,,Firewall (currently not active)
SKYNET00002,Active,vendetta,193.1.99.120,vendetta/ns1,,53,,,,DNS Nameserver 1
SKYNET00003,Active,jarvis,193.1.99.73,jarvis,,,,,,VM Host
SKYNET00004,Active,vigil,193.1.99.109,vigil/ns2,,53,,,,DNS Nameserver 2
SKYNET00005,Active,galatea,193.1.99.111,galatea/stream,80/443 8000,,,,,ULFM Radio
SKYNET00006,Retired,optimus,193.1.99.112,optimus/games/*.games,80/443 25565,,,,,Retired Games server
SKYNET00007,Active,kitt,193.1.99.74,kitt/account/api.account,443,,,-> skynet:9000-9020,i23-07-28_010,"LDAP and Self-Service Password/Account management, also hosts our Discord bot"
SKYNET00008,Active,glados,193.1.99.75,glados/gitlab/*.pages.gitlab,80/443,,,,i23-05-18_249,Gitlab server
SKYNET00009,Active,gir,193.1.99.76,gir/mail/imap/pop3/smtp,80/443 25/143/993/587/465,,,4190,i23-06-19_525/i23-06-19_525,Email and Webmail
SKYNET00010,Active,wheatly,193.1.99.78,wheatly,,,-> skynet:22,,,Gitlab Runner
SKYNET00011,Active,earth,193.1.99.79,earth,80/443,,,,i23-06-19_525,Offical website host
SKYNET00012,Active,skynet,193.1.96.165,skynet/*.users,22 80/443,,,,i23-06-30_024,Skynet server. (DMZ)
SKYNET00013,Active,neuromancer,193.1.99.80,neuromancer,,,,,,Local Backup Server
SKYNET00014,Active,cadie,193.1.99.77,cadie/nextcloud/onlyoffice.nextcloud,80/443,,,,i23-10-27_014,"Services VM, has nextcloud to start with"
SKYNET00015,Active,marvin,193.1.99.81,marvin,,,,,,Trainee testing server
SKYNET00016,Active,optimus,193.1.99.90,,80/443,,,8080,i24-02-16_065,Games server manager (replacing SKYNET00006 soon)
SKYNET00017,Active,bumblebee,193.1.99.91,,25518-25525,19132 24418-24425,,,i24-02-16_065,Game server - Minecraft
SKYNET00018,Active,calculon,193.1.99.82,,,,,80/443,,"Public Services such as binary cache, Open Governance and Keyserver"
1 Index Status Name IP_Address DNS_Name Ports TCP Ports UDP Tunnel Ports_Requested Related_Tickets Description
2 SKYNET00001 Active agentjones 193.1.99.72 agentjones Firewall (currently not active)
3 SKYNET00002 Active vendetta 193.1.99.120 vendetta/ns1 53 DNS Nameserver 1
4 SKYNET00003 Active jarvis 193.1.99.73 jarvis VM Host
5 SKYNET00004 Active vigil 193.1.99.109 vigil/ns2 53 DNS Nameserver 2
6 SKYNET00005 Active galatea 193.1.99.111 galatea/stream 80/443 8000 ULFM Radio
7 SKYNET00006 Retired optimus 193.1.99.112 optimus/games/*.games 80/443 25565 Retired Games server
8 SKYNET00007 Active kitt 193.1.99.74 kitt/account/api.account 443 -> skynet:9000-9020 i23-07-28_010 LDAP and Self-Service Password/Account management, also hosts our Discord bot
9 SKYNET00008 Active glados 193.1.99.75 glados/gitlab/*.pages.gitlab 80/443 i23-05-18_249 Gitlab server
10 SKYNET00009 Active gir 193.1.99.76 gir/mail/imap/pop3/smtp 80/443 25/143/993/587/465 4190 i23-06-19_525/i23-06-19_525 Email and Webmail
11 SKYNET00010 Active wheatly 193.1.99.78 wheatly -> skynet:22 Gitlab Runner
12 SKYNET00011 Active earth 193.1.99.79 earth 80/443 i23-06-19_525 Offical website host
13 SKYNET00012 Active skynet 193.1.96.165 skynet/*.users 22 80/443 i23-06-30_024 Skynet server. (DMZ)
14 SKYNET00013 Active neuromancer 193.1.99.80 neuromancer Local Backup Server
15 SKYNET00014 Active cadie 193.1.99.77 cadie/nextcloud/onlyoffice.nextcloud 80/443 i23-10-27_014 Services VM, has nextcloud to start with
16 SKYNET00015 Active marvin 193.1.99.81 marvin Trainee testing server
17 SKYNET00016 Active optimus 193.1.99.90 80/443 8080 i24-02-16_065 Games server manager (replacing SKYNET00006 soon)
18 SKYNET00017 Active bumblebee 193.1.99.91 25518-25525 19132 24418-24425 i24-02-16_065 Game server - Minecraft
19 SKYNET00018 Active calculon 193.1.99.82 80/443 Public Services such as binary cache, Open Governance and Keyserver
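Review bot: The SKYNET00006 row is marked `Retired` yet still lists `80/443 25565` under Ports TCP, while the firewall log deleted in this same compare records `SKYNET_FIREWALL_00028` as removing 25565 from 193.1.99.112, so the new table reads as if that port were still open. The `Related_Tickets` cell for SKYNET00009 repeats `i23-06-19_525/i23-06-19_525`; the deleted log attributes the mail ports to `i23-05-18_249` and `i23-06-19_525`, which is presumably what was meant. The new table also carries no per-rule status (Add/Remove/Denied) and stops at SKYNET00018, so if it is intended to replace the deleted firewall and server tables, the Denied requests and the later hosts are no longer recorded anywhere in the repository and should be carried over, ideally with a column for the rule's own status rather than the host's.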


@ -1,9 +0,0 @@
MIT License
Copyright (c) 2024 Skynet
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


@ -1,6 +1,5 @@
https://web.archive.org/web/20180815150202/https://wiki.skynet.ie/Admin/SkynetMachines
https://en.m.wikipedia.org/wiki/Category:Fictional_artificial_intelligences
https://en.wikipedia.org/wiki/List_of_artificial_intelligence_films
* agentsmith
* skynet


@ -43,7 +43,7 @@ colmena build --on @active-dns
Deploying is putting (apply-ing) the config tat was built onto the server, there is no need to build first, it will automatically do so.
While the ***recommended way of deploying is using the CI/CD process*** there are times when you will have to manually deploy the config.
One such case is the ``@active-git`` group if either Gitlab or Gitlab-runner got updated.
One such case is the ``@active-gitlab`` group if either Gitlab or Gitlab-runner got updated.
Another is if ye have fecked up DNS.
Your ``~/.ssh/config`` should be set up as follows and you should be a member of ``skynet-admins-linux``
@ -60,10 +60,10 @@ Then you can run the following commands like so:
```shell
colmena apply
colmena apply --on @active-dns
colmena apply --on @active-git
colmena apply --on @active-gitlab
```
The CI/CD pipeline has a manual job that can be triggered to update ``@active-git`` if you know it wont cause issues.
The CI/CD pipeline has a manual job that can be triggered to update ``@active-gitlab`` if you know it wont cause issues.
### Agenix


@ -9,24 +9,9 @@ with lib; let
cfg = config.services.skynet;
in {
imports = [
# every server needs to have a dns record
./dns/dns.nix
# every server should have proper certs
./acme.nix
./dns.nix
./nginx.nix
# every server may need the firewall config stuff
./firewall.nix
# every server needs teh ldap client for admins
./ldap/client.nix
# every server will need the config to backup to
./restic.nix
# every server will be monitored for grafana
./prometheus.nix
];
options.services.skynet = {
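Review bot: The new side of the imports list appears to drop `./firewall.nix`, `./ldap/client.nix`, `./restic.nix` and `./prometheus.nix` (along with `./acme.nix` and `./dns/dns.nix`) in favour of `./dns.nix` and `./nginx.nix`; the rendered hunk makes the exact new side hard to confirm. If those modules are no longer imported here and are not imported per host elsewhere, every machine built from this module silently loses the shared firewall rules, admin LDAP login, restic backups and Prometheus exporter, with no evaluation error to flag it. Please confirm by evaluating one host configuration (for example that `networking.firewall` and `services.restic.backups` are still populated) and, if the removal is intentional, leave a comment such as `# firewall/ldap/restic/prometheus are imported per host under machines/` so the next reader does not re-add them. The enclosing module continues past the hunk.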


@ -10,6 +10,7 @@ with lib; let
cfg = config.services.skynet."${name}";
in {
imports = [
./dns.nix
./nginx.nix
./games/minecraft.nix
];


@ -13,6 +13,10 @@ with lib; let
short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
in {
imports = [
../acme.nix
../dns.nix
../firewall.nix
../nginx.nix
inputs.arion.nixosModules.arion
];


@ -32,15 +32,15 @@ in {
defaults = {
email = "admin_acme@skynet.ie";
credentialsFile = config.age.secrets.acme.path;
# we use our own dns authorative server for verifying we own the domain.
dnsProvider = "rfc2136";
credentialsFile = config.age.secrets.acme.path;
};
certs = {
"skynet" = {
domain = "skynet.ie";
extraDomainNames = lists.naturalSort cfg.domains;
extraDomainNames = cfg.domains;
};
};
};
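Review bot: `extraDomainNames = cfg.domains;` passes the SAN list to ACME in whatever order the contributing modules happened to be merged, whereas the other copy of that line sorts it with `lists.naturalSort`; if the unsorted form is the one that lands (print order suggests it is, but that is an inference), a change in module merge order reorders the list, which the NixOS acme module is likely to treat as a changed certificate definition and reissue, spending the CA's rate limit for no change in the names requested. Keeping `extraDomainNames = lists.naturalSort cfg.domains;` makes the SAN set order-independent. The `credentialsFile = config.age.secrets.acme.path;` move is only a reordering within `defaults`; the rfc2136 key it points at stays outside the store as the module expects. The enclosing `security.acme` attribute set starts outside the hunk.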


@ -0,0 +1,324 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.bitwarden-directory-connector-cli;
in {
disabledModules = ["services/security/bitwarden-directory-connector-cli.nix"];
options.services.bitwarden-directory-connector-cli = {
enable = mkEnableOption "Bitwarden Directory Connector";
package = mkPackageOption pkgs "bitwarden-directory-connector-cli" {};
domain = mkOption {
type = types.str;
description = lib.mdDoc "The domain the Bitwarden/Vaultwarden is accessible on.";
example = "https://vaultwarden.example.com";
};
user = mkOption {
type = types.str;
description = lib.mdDoc "User to run the program.";
default = "bwdc";
};
interval = mkOption {
type = types.str;
default = "*:0,15,30,45";
description = lib.mdDoc "The interval when to run the connector. This uses systemd's OnCalendar syntax.";
};
ldap = mkOption {
description = lib.mdDoc ''
Options to configure the LDAP connection.
If you used the desktop application to test the configuration you can find the settings by searching for `ldap` in `~/.config/Bitwarden\ Directory\ Connector/data.json`.
'';
default = {};
type = types.submodule ({
config,
options,
...
}: {
freeformType = types.attrsOf (pkgs.formats.json {}).type;
config.finalJSON = builtins.toJSON (removeAttrs config (filter (x: x == "finalJSON" || ! options.${x}.isDefined or false) (attrNames options)));
options = {
finalJSON = mkOption {
type = (pkgs.formats.json {}).type;
internal = true;
readOnly = true;
visible = false;
};
ssl = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether to use TLS.";
};
startTls = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether to use STARTTLS.";
};
hostname = mkOption {
type = types.str;
description = lib.mdDoc "The host the LDAP is accessible on.";
example = "ldap.example.com";
};
port = mkOption {
type = types.port;
default = 389;
description = lib.mdDoc "Port LDAP is accessible on.";
};
ad = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether the LDAP Server is an Active Directory.";
};
pagedSearch = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether the LDAP server paginates search results.";
};
rootPath = mkOption {
type = types.str;
description = lib.mdDoc "Root path for LDAP.";
example = "dc=example,dc=com";
};
username = mkOption {
type = types.str;
description = lib.mdDoc "The user to authenticate as.";
example = "cn=admin,dc=example,dc=com";
};
};
});
};
sync = mkOption {
description = lib.mdDoc ''
Options to configure what gets synced.
If you used the desktop application to test the configuration you can find the settings by searching for `sync` in `~/.config/Bitwarden\ Directory\ Connector/data.json`.
'';
default = {};
type = types.submodule ({
config,
options,
...
}: {
freeformType = types.attrsOf (pkgs.formats.json {}).type;
config.finalJSON = builtins.toJSON (removeAttrs config (filter (x: x == "finalJSON" || ! options.${x}.isDefined or false) (attrNames options)));
options = {
finalJSON = mkOption {
type = (pkgs.formats.json {}).type;
internal = true;
readOnly = true;
visible = false;
};
removeDisabled = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc "Remove users from bitwarden groups if no longer in the ldap group.";
};
overwriteExisting = mkOption {
type = types.bool;
default = false;
description =
lib.mdDoc "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.";
};
largeImport = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Enable if you are syncing more than 2000 users/groups.";
};
memberAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute that lists members in a LDAP group.";
example = "uniqueMember";
};
creationDateAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute that lists a user's creation date.";
example = "whenCreated";
};
useEmailPrefixSuffix = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "If a user has no email address, combine a username prefix with a suffix value to form an email.";
};
emailPrefixAttribute = mkOption {
type = types.str;
description = lib.mdDoc "The attribute that contains the users username.";
example = "accountName";
};
emailSuffix = mkOption {
type = types.str;
description = lib.mdDoc "Suffix for the email, normally @example.com.";
example = "@example.com";
};
users = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Sync users.";
};
userPath = mkOption {
type = types.str;
description = lib.mdDoc "User directory, relative to root.";
default = "ou=users";
};
userObjectClass = mkOption {
type = types.str;
description = lib.mdDoc "Class that users must have.";
default = "inetOrgPerson";
};
userEmailAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute for a users email.";
default = "mail";
};
userFilter = mkOption {
type = types.str;
description = lib.mdDoc "LDAP filter for users.";
example = "(memberOf=cn=sales,ou=groups,dc=example,dc=com)";
default = "";
};
groups = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether to sync ldap groups into BitWarden.";
};
groupPath = mkOption {
type = types.str;
description = lib.mdDoc "Group directory, relative to root.";
default = "ou=groups";
};
groupObjectClass = mkOption {
type = types.str;
description = lib.mdDoc "A class that groups will have.";
default = "groupOfNames";
};
groupNameAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute for a name of group.";
default = "cn";
};
groupFilter = mkOption {
type = types.str;
description = lib.mdDoc "LDAP filter for groups.";
example = "(cn=sales)";
default = "";
};
};
});
};
secrets = {
ldap = mkOption {
type = types.str;
description = "Path to file that contains LDAP password for user in {option}`ldap.username";
};
bitwarden = {
client_path_id = mkOption {
type = types.str;
description = "Path to file that contains Client ID.";
};
client_path_secret = mkOption {
type = types.str;
description = "Path to file that contains Client Secret.";
};
};
};
};
config = mkIf cfg.enable {
users.groups."${cfg.user}" = {};
users.users."${cfg.user}" = {
isSystemUser = true;
group = cfg.user;
};
systemd = {
timers.bitwarden-directory-connector-cli = {
description = "Sync timer for Bitwarden Directory Connector";
wantedBy = ["timers.target"];
after = ["network-online.target"];
timerConfig = {
OnCalendar = cfg.interval;
Unit = "bitwarden-directory-connector-cli.service";
Persistent = true;
};
};
services.bitwarden-directory-connector-cli = {
description = "Main process for Bitwarden Directory Connector";
environment = {
BITWARDENCLI_CONNECTOR_APPDATA_DIR = "/tmp";
BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS = "true";
};
serviceConfig = {
Type = "oneshot";
User = "${cfg.user}";
PrivateTmp = true;
ExecStartPre = pkgs.writeShellScript "bitwarden_directory_connector-config" ''
set -eo pipefail
# create the config file
${lib.getExe cfg.package} data-file
touch /tmp/data.json.tmp
chmod 600 /tmp/data.json{,.tmp}
${lib.getExe cfg.package} config server ${cfg.domain}
# now login to set credentials
export BW_CLIENTID="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_id})"
export BW_CLIENTSECRET="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_secret})"
${lib.getExe cfg.package} login
${lib.getExe pkgs.jq} '.authenticatedAccounts[0] as $account
| .[$account].directoryConfigurations.ldap |= $ldap_data
| .[$account].directorySettings.organizationId |= $orgID
| .[$account].directorySettings.sync |= $sync_data' \
--argjson ldap_data ${escapeShellArg cfg.ldap.finalJSON} \
--arg orgID "''${BW_CLIENTID//organization.}" \
--argjson sync_data ${escapeShellArg cfg.sync.finalJSON} \
/tmp/data.json \
> /tmp/data.json.tmp
mv -f /tmp/data.json.tmp /tmp/data.json
# final config
${lib.getExe cfg.package} config directory 0
${lib.getExe cfg.package} config ldap.password --secretfile ${cfg.secrets.ldap}
'';
ExecStart = "${lib.getExe cfg.package} sync";
};
};
};
};
meta.maintainers = with maintainers; [Silver-Golden];
}
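Review bot: `${cfg.secrets.ldap}` on the `config ldap.password --secretfile` line is interpolated into the shell script unquoted, while the two Bitwarden secret paths a few lines above go through `escapeShellArg`, and `${cfg.domain}` on the `config server` line has the same inconsistency; `--secretfile ${escapeShellArg cfg.secrets.ldap}` and `config server ${escapeShellArg cfg.domain}` would make all four values behave the same way. The module never sets ownership on the three secret files but runs the service as `cfg.user` (`bwdc` by default), so the `secrets.*` descriptions should state that each file must be readable by that user (for an age secret that means `owner = cfg.user`). The `secrets.ldap` description has an unclosed backtick after `{option}`; it should close after `ldap.username`. Finally, `ldap.ssl` and `ldap.startTls` both default to `false`, so the bind password read from `secrets.ldap` crosses the network in cleartext unless one of them is enabled; a sentence on the `ssl` description saying so would help whoever deploys this against a non-local directory.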


@ -6,7 +6,9 @@
}: let
user = "bwdc";
in {
imports = [];
imports = [
./bitwarden-directory-connector-cli.nix
];
options = {};


@ -13,6 +13,9 @@ with lib; let
domain = "${domain_sub}.skynet.ie";
in {
imports = [
../acme.nix
../dns.nix
../nginx.nix
];
options.services.skynet."${name}" = {


@ -21,6 +21,7 @@ in {
#backups = [ "/etc/silver_ul_ical/database.db" ];
age.secrets.discord_token.file = ../secrets/discord/token.age;
age.secrets.discord_ldap.file = ../secrets/discord/ldap.age;
age.secrets.discord_mail.file = ../secrets/email/details.age;
age.secrets.discord_wolves.file = ../secrets/wolves/details.age;
@ -30,9 +31,12 @@ in {
env = {
discord = config.age.secrets.discord_token.path;
ldap = config.age.secrets.discord_ldap.path;
mail = config.age.secrets.discord_mail.path;
wolves = config.age.secrets.discord_wolves.path;
};
discord.server = "689189992417067052";
};
};
}


@ -3,42 +3,19 @@
pkgs,
config,
nodes,
self,
...
}: let
name = "dns";
cfg = config.services.skynet."${name}";
# reads that date to a string (will need to be fixed in 2038)
current_date = self.lastModified;
# this gets a list of all domains we have records for
domains = lib.lists.naturalSort (lib.lists.unique (
lib.lists.forEach records (x: x.domain)
));
# get the ip's of our servers
servers = lib.lists.naturalSort (lib.lists.unique (
lib.lists.forEach (sort_records_a_server records) (x: x.value)
));
domains_owned = [
# for historic reasons we own this
"csn.ul.ie"
# the main one we use now
"skynet.ie"
# a backup
"ulcompsoc.ie"
];
current_date = lib.readFile "${pkgs.runCommand "timestamp" {} "echo -n `date +%s` > $out"}";
# gets a list of records that match this type
filter_records_type = records: r_type: builtins.filter (x: x.r_type == r_type) records;
# Get all the A records that are for servers (base record for them)
filter_records_a_server = records: builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type records "A");
# Every other A record
filter_records_a = records: builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type records "A");
filter_records_type = r_type: builtins.filter (x: x.r_type == r_type) records;
filter_records_server = builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type "A");
filter_records_a = builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type "A");
# These functions are to get the final 3 digits of an IP address so we can use them for reverse pointer
process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x);
process_ptr_sub = record: {
record = builtins.substring 9 3 record.record;
@ -47,100 +24,87 @@
};
ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip);
# filter and sort records so we cna group them in the right place later
sort_records_a_server = records: builtins.sort (a: b: a.record < b.record) (filter_records_a_server records);
sort_records_a = records: builtins.sort (a: b: (ip_ptr_to_int a.value) < (ip_ptr_to_int b.value)) (filter_records_a records);
sort_records_cname = records: builtins.sort (a: b: a.value < b.value) (filter_records_type records "CNAME");
sort_records_ptr = records: builtins.sort (a: b: (lib.strings.toInt a.record) < (lib.strings.toInt b.record)) (process_ptr (filter_records_type records "PTR"));
sort_records_srv = records: builtins.sort (a: b: a.record < b.record) (filter_records_type records "SRV");
sort_records_server = builtins.sort (a: b: a.record < b.record) filter_records_server;
sort_records_a = builtins.sort (a: b: (ip_ptr_to_int a.value) < (ip_ptr_to_int b.value)) filter_records_a;
sort_records_cname = builtins.sort (a: b: a.value < b.value) (filter_records_type "CNAME");
sort_records_ptr = builtins.sort (a: b: (lib.strings.toInt a.record) < (lib.strings.toInt b.record)) (process_ptr (filter_records_type "PTR"));
sort_records_srv = builtins.sort (a: b: a.record < b.record) (filter_records_type "SRV");
# a tad overkill but type guarding is useful
max = x: y:
assert builtins.isInt x;
assert builtins.isInt y;
if x < y
then y
else x;
format_records = records: offset: lib.strings.concatMapStrings (x: "${padString x.record offset} IN ${padString x.r_type 5} ${x.value}\n") records;
# get teh max length of a list of strings
max_len = records: lib.lists.foldr (a: b: (max a b)) 0 (lib.lists.forEach records (record: lib.strings.stringLength record.record));
# Now that we can get teh max lenth of a list of strings
# we can pad it out to the max len +1
# this is so that teh generated file is easier for a human to read
format_records = records: let
offset = (max_len records) + 1;
in
lib.strings.concatMapStrings (x: "${padString x.record offset} IN ${padString x.r_type 5} ${x.value}\n") records;
# small function to add spaces until it reaches teh required length
# small function to trim it down a tad
padString = text: length: fixedWidthString_post length " " text;
# like lib.strings.fixedWidthString but postfix
# recursive function to extend a string up to a limit
fixedWidthString_post = width: filler: str: let
strw = lib.stringLength str;
reqWidth = width - (lib.stringLength filler);
in
# this is here because we were manually setting teh length, now max_len does that for us
assert lib.assertMsg (strw <= width) "fixedWidthString_post: requested string length (${toString width}) must not be shorter than actual length (${toString strw})";
if strw == width
then str
else (fixedWidthString_post reqWidth filler str) + filler;
# base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie)
# ";" are comments in this file
get_config_file = (
domain: records: ''
domain: ''
$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
; hostmaster@${domain} is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.${domain}. hostmaster.${domain}. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
${toString current_date}
${current_date}
600 ; Refresh (10 minutes)
300 ; Retry (5 minutes)
604800 ; Expire (1 week)
3600 ; Minimum (1 hour)
)
; @ stands for teh root domain so teh A record below is where ${domain} points to
@ NS ns1.skynet.ie.
@ NS ns2.skynet.ie.
@ NS ns1.${domain}.
@ NS ns2.${domain}.
; @ stands for teh root domain so teh A record below is where ${domain} points to
;@ A 193.1.99.76
;@ MX 5 ${domain}.
; can have multiple mailserves
@ MX 10 mail.${domain}.
; ------------------------------------------
; Server Names (A Records)
; ------------------------------------------
${format_records (sort_records_a_server records)}
${format_records sort_records_server 31}
; ------------------------------------------
; A (non server names
; ------------------------------------------
${format_records (sort_records_a records)}
${format_records sort_records_a 31}
; ------------------------------------------
; CNAMES
; ------------------------------------------
${format_records (sort_records_cname records)}
${format_records sort_records_cname 31}
; ------------------------------------------
; TXT
; ------------------------------------------
${format_records (filter_records_type records "TXT")}
${format_records (filter_records_type "TXT") 31}
; ------------------------------------------
; MX
; ------------------------------------------
${format_records (filter_records_type records "MX")}
${format_records (filter_records_type "MX") 31}
; ------------------------------------------
; SRV
; ------------------------------------------
${format_records (sort_records_srv records)}
${format_records sort_records_srv 65}
''
);
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse
# config for our reverse dns pointers (not properly working)
# config for our reverse dnspointers (not properly working)
get_config_file_rev = (
domain: ''
$ORIGIN 64-64.99.1.193.in-addr.arpa.
@ -148,7 +112,7 @@
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
${toString current_date}
${current_date}
600 ; Refresh (10 minutes)
300 ; Retry (5 minutes)
604800 ; Expire (1 week)
@ -161,37 +125,55 @@
; ------------------------------------------
; PTR
; ------------------------------------------
${format_records (sort_records_ptr records)}
${format_records sort_records_ptr 3}
''
);
# arrays of teh two nameservers
nameserver_1 = ["193.1.99.109"];
nameserver_2 = ["193.1.99.120"];
# domains we dont have proper ownship over, only here to ensure the logs dont get cluttered.
get_config_file_old_domains = (
domain: ''
$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
${current_date}
600 ; Refresh (10 minutes)
300 ; Retry (5 minutes)
604800 ; Expire (1 week)
3600 ; Minimum (1 hour)
)
@ NS ns1.skynet.ie.
@ NS ns2.skynet.ie.
''
);
# arrys of teh two nameservers
tmp1 = ["193.1.99.109"];
tmp2 = ["193.1.99.120"];
primaries = (
if cfg.server.primary
then
# primary servers have no primaries (ones they listen to)
[]
else if builtins.elem cfg.server.ip nameserver_1
then nameserver_2
else nameserver_1
else if builtins.elem cfg.server.ip tmp1
then tmp2
else tmp1
);
secondaries = (
if cfg.server.primary
then
if builtins.elem cfg.server.ip nameserver_1
then nameserver_2
else nameserver_1
if builtins.elem cfg.server.ip tmp1
then tmp2
else tmp1
else []
);
# small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router
# now limited explicitly to servers that we are administering
# See i24-09-30_050 for more information
create_cache_networks = map (x: "${toString x}/32") servers;
create_cache_networks = map (x: "193.1.99.${toString x}/32") (lib.lists.range 71 126);
# standard function to create the etc file, pass in the text and domain and it makes it
create_entry_etc_sub = domain: text: {
@ -203,38 +185,27 @@
# The UNIX file mode bits
mode = "0664";
# content of the file
text = text;
};
};
# (text.owned "csn.ul.ie")
# standard function to create the etc file, pass in the text and domain and it makes it
create_entry_etc = domain: type: let
domain_records = lib.lists.filter (x: x.domain == domain) records;
in
# this is the main type of record that most folks are used to
create_entry_etc = domain: type:
if type == "owned"
then create_entry_etc_sub domain (get_config_file domain domain_records)
# reverse lookups allow for using an IP to find domains pointing to it
then create_entry_etc_sub domain (text.owned domain)
else if type == "reverse"
then create_entry_etc_sub domain (get_config_file_rev domain)
then create_entry_etc_sub domain (text.reverse domain)
else if type == "old"
then create_entry_etc_sub domain (text.old domain)
else {};
create_entry_zone = domain: let
if_primary_and_owned =
if cfg.server.primary && (lib.lists.any (item: item == domain) domains_owned)
then ''
allow-update { key rfc2136key.skynet.ie.; };
dnssec-policy default;
inline-signing yes;
''
else "";
in {
create_entry_zone = domain: extraConfig: {
"${domain}" = {
extraConfig = ''
${if_primary_and_owned}
${extraConfig}
// for bumping the config
// ${toString current_date}
// ${current_date}
'';
# really wish teh nixos config didnt use master/slave
master = cfg.server.primary;
@ -247,16 +218,69 @@
};
};
text = {
owned = domain: get_config_file domain;
reverse = domain: get_config_file_rev domain;
old = domain: get_config_file_old_domains domain;
};
extraConfig = {
owned =
if cfg.server.primary
then ''
allow-update { key rfc2136key.skynet.ie.; };
dnssec-policy default;
inline-signing yes;
''
else "";
# no extra config for reverse
reverse = "";
old = "";
};
records =
config.skynet.records
/*
Need to "manually" grab it from each server.
Nix is laxy evalusted so if it does not need to open a file it wont.
This is to iterate through each server (node) and evaluate the dns records for that server.
*/
++ builtins.concatLists (
lib.attrsets.mapAttrsToList (
key: value: value.config.services.skynet.dns.records
key: value: let
details_server = value.config.services.skynet."${name}".server;
details_records = value.config.services.skynet."${name}".records;
in
if builtins.hasAttr "dns" value.config.services.skynet
then
(
# got to handle habing a dns record for the dns serves themselves.
if details_server.enable
then
(
if details_server.primary
then
details_records
++ [
{
record = "ns1";
r_type = "A";
value = details_server.ip;
server = false;
}
]
else
details_records
++ [
{
record = "ns2";
r_type = "A";
value = details_server.ip;
server = false;
}
]
)
else details_records
)
else []
)
nodes
);
@ -267,7 +291,8 @@
else "ns2";
in {
imports = [
../../config/dns.nix
./firewall.nix
../config/dns.nix
];
options.services.skynet."${name}" = {
@ -291,11 +316,28 @@ in {
};
};
# mirrorred in ../config/dns.nix
records = lib.mkOption {
description = "Records, sorted based on therir type";
type = lib.types.listOf (lib.types.submodule (import ./options-records.nix {
inherit lib;
}));
type = with lib.types;
listOf (submodule {
options = {
record = lib.mkOption {
type = str;
};
r_type = lib.mkOption {
type = enum ["A" "CNAME" "TXT" "PTR" "SRV" "MX"];
};
value = lib.mkOption {
type = str;
};
server = lib.mkOption {
description = "Core record for a server";
type = bool;
default = false;
};
};
});
};
};
@ -314,40 +356,29 @@ in {
"ip daddr ${cfg.server.ip} udp dport 53 counter packets 0 bytes 0 accept"
];
services.skynet.dns.records = [
{
record = nameserver;
r_type = "A";
value = config.services.skynet.host.ip;
}
];
services.bind.zones =
(create_entry_zone "csn.ul.ie" extraConfig.owned)
// (create_entry_zone "skynet.ie" extraConfig.owned)
// (create_entry_zone "ulcompsoc.ie" extraConfig.owned)
// (create_entry_zone "64-64.99.1.193.in-addr.arpa" extraConfig.reverse)
// (create_entry_zone "conradcollins.net" extraConfig.old)
// (create_entry_zone "edelharty.net" extraConfig.old);
services.bind.zones = lib.attrsets.mergeAttrsList (
# uses teh domains lsited in teh records
(lib.lists.forEach domains (domain: (create_entry_zone domain)))
# we have to do a reverse dns
++ [
(create_entry_zone "64-64.99.1.193.in-addr.arpa")
]
);
environment.etc = lib.attrsets.mergeAttrsList (
# uses teh domains lsited in teh records
(lib.lists.forEach domains (domain: (create_entry_etc domain "owned")))
# we have to do a reverse dns
++ [
(create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse")
]
);
environment.etc =
(create_entry_etc "csn.ul.ie" "owned")
// (create_entry_etc "skynet.ie" "owned")
// (create_entry_etc "ulcompsoc.ie" "owned")
// (create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse")
// (create_entry_etc "conradcollins.net" "old")
// (create_entry_etc "edelharty.net" "old");
# secrets required
age.secrets.dns_dnskeys = {
file = ../../secrets/dns_dnskeys.conf.age;
file = ../secrets/dns_dnskeys.conf.age;
owner = "named";
group = "named";
};
# basic but ensure teh dns ports are open
networking.firewall = {
allowedTCPPorts = [53];
allowedUDPPorts = [53];
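Review bot: The `current_date` built from `pkgs.runCommand "timestamp" {}` in the first hunk (`@ -3,42 +3,19 @@`) is a derivation with constant inputs, so once it has been built the store serves the same output forever and the SOA serial stops changing, leaving secondaries with no signal that a zone was updated; the other copy of that line, `current_date = self.lastModified;`, moves with every commit and avoids the import-from-derivation `lib.readFile` implies (which copy lands is inferred from print order and line counts). In the `@ -161,37 +125,55 @@` hunk, `create_cache_networks = map (x: "193.1.99.${toString x}/32") (lib.lists.range 71 126);` admits every address from .71 to .126 to the resolver's cache rather than only the hosts in `servers`, and the neighbouring comment ties the narrower list to incident i24-09-30_050, so if the wider range is what lands it undoes that restriction and should at least say why. The fixed column widths in `${format_records sort_records_server 31}` and its siblings meet the `strw <= width` assertion in `fixedWidthString_post`, so one record name longer than 31 characters aborts the whole evaluation; the `max_len` variant in the other copy sizes the column from the data instead. The let-bound function bodies in these hunks continue past what the hunks show.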


@ -1,31 +0,0 @@
/*
Define the options for dns records here.
They are imported into anything that needs to use them
*/
{lib, ...}:
with lib; {
options = {
domain = lib.mkOption {
description = "Domain this record is for";
type = lib.types.str;
default = "skynet.ie";
};
record = lib.mkOption {
description = "What you want to name the subdomain.";
type = lib.types.str;
};
r_type = lib.mkOption {
description = "Type of record that this is.";
type = lib.types.enum ["A" "CNAME" "TXT" "PTR" "SRV" "MX"];
};
value = lib.mkOption {
description = "What the record points to, normally ip or another record.";
type = lib.types.str;
};
server = lib.mkOption {
description = "Core record for a server";
type = lib.types.bool;
default = false;
};
};
}


@ -50,10 +50,6 @@ with lib; let
account = "contact";
members = ["committee"];
}
{
account = "committee";
members = ["committee"];
}
{
account = "dbadmin";
members = ["admin"];
@ -96,7 +92,7 @@ with lib; let
}
];
sieveConfigFile =
configFile =
# https://doc.dovecot.org/configuration_manual/sieve/examples/#plus-addressed-mail-filtering
pkgs.writeText "basic_sieve"
''
@ -109,36 +105,24 @@ with lib; let
# this should be close to teh last step
if allof (
address :localpart ["To", "Cc"] ["${toString create_config_to}"],
address :domain ["To", "Cc"] "skynet.ie"
){
if address :matches ["To", "Cc"] "*@skynet.ie" {
if header :is "X-Spam" "Yes" {
fileinto :create "''${1}.Junk";
stop;
} else {
fileinto :create "''${1}";
stop;
address :localpart ["To"] ["${toString create_config_to}"],
address :domain ["To"] "skynet.ie"
){
if address :matches ["To"] "*@skynet.ie" {
if header :is "X-Spam" "Yes" {
fileinto :create "''${1}.Junk";
stop;
} else {
fileinto :create "''${1}";
}
}
}
}
if allof (
address :localpart ["From"] ["${toString create_config_to}"],
address :domain ["From"] "skynet.ie"
){
if address :matches ["From"] "*@skynet.ie" {
if header :is "X-Spam" "Yes" {
fileinto :create "''${1}.Junk";
stop;
} else {
fileinto :create "''${1}";
stop;
}
}
}
'';
in {
imports = [
./dns.nix
./acme.nix
./nginx.nix
inputs.simple-nixos-mailserver.nixosModule
# for teh config
@ -206,7 +190,7 @@ in {
config = mkIf cfg.enable {
services.skynet.backup.normal.backups = [
#"/var/vmail"
"/var/vmail"
"/var/dkim"
];
@ -286,128 +270,95 @@ in {
};
# set up dns record for it
services.skynet.dns.records =
[
{
# This is the mail gateway, try to send all mail to it first
# Lower number = higher priority
record = "@";
r_type = "MX";
# the number is the priority in teh case of multiple mailservers
value = "5 mimi.${cfg.domain}.";
}
{
# this is the main email server
record = "@";
r_type = "MX";
# the number is the priority in teh case of multiple mailservers
value = "10 mail.${cfg.domain}.";
}
{
record = "@";
r_type = "MX";
# the number is the priority in teh case of multiple mailservers
value = "10 lists.${cfg.domain}.";
}
services.skynet.dns.records = [
# basic one
{
record = "mail";
r_type = "A";
value = config.services.skynet.host.ip;
}
#DNS config for K-9 Mail
{
record = "imap";
r_type = "CNAME";
value = "mail";
}
{
record = "pop3";
r_type = "CNAME";
value = "mail";
}
{
record = "smtp";
r_type = "CNAME";
value = "mail";
}
# basic one
{
record = "mail";
r_type = "A";
value = config.services.skynet.host.ip;
}
{
record = "lists";
r_type = "A";
value = config.services.skynet.host.ip;
}
#DNS config for K-9 Mail
{
record = "imap";
r_type = "CNAME";
value = "mail";
}
{
record = "pop3";
r_type = "CNAME";
value = "mail";
}
{
record = "smtp";
r_type = "CNAME";
value = "mail";
}
# TXT records, all tehse are inside escaped strings to allow using ""
# reverse pointer
{
record = config.services.skynet.host.ip;
r_type = "PTR";
value = "${cfg.sub}.${cfg.domain}.";
}
# SRV records to help gmail on android etc find the correct mail.skynet.ie domain for config rather than just defaulting to skynet.ie
# https://serverfault.com/questions/935192/how-to-setup-auto-configure-email-for-android-mail-app-on-your-server/1018406#1018406
# response should be:
# _imap._tcp SRV 0 1 143 imap.example.com.
{
record = "_imaps._tcp";
r_type = "SRV";
value = "0 1 993 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_imap._tcp";
r_type = "SRV";
value = "0 1 143 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_submissions._tcp";
r_type = "SRV";
value = "0 1 465 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_submission._tcp";
r_type = "SRV";
value = "0 1 587 ${cfg.sub}.${cfg.domain}.";
}
]
# TXT records, all tehse are inside escaped strings to allow using ""
# SPF record
++ [
{
record = "${cfg.domain}.";
r_type = "TXT";
value = ''"v=spf1 a:${cfg.sub}.${cfg.domain} ip4:${config.services.skynet.host.ip} -all"'';
}
]
{
record = "${cfg.domain}.";
r_type = "TXT";
value = ''"v=spf1 a:${cfg.sub}.${cfg.domain} -all"'';
}
# DKIM keys
++ [
{
record = "mail._domainkey.skynet.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';
}
{
domain = "ulcompsoc.ie";
record = "mail._domainkey.ulcompsoc.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';
}
]
{
record = "mail._domainkey.skynet.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';
}
{
record = "mail._domainkey.ulcompsoc.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';
}
# DMARC
++ [
{
record = "_dmarc.${cfg.domain}.";
r_type = "TXT";
# p : quarantine => sends to spam, reject => never sent
# rua : mail that receives reports about DMARC activity
# pct : percentage of unathenticated messages that DMARC stops
# adkim : alignment policy for DKIM, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
# aspf : alignment policy for SPF, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
# sp : DMARC policy for subdomains, none => no action, reports to rua, quarantine => spam, reject => never sent
value = ''"v=DMARC1; p=quarantine; rua=mailto:mailman@skynet.ie; pct=100; adkim=s; aspf=s; sp=quarantine"'';
}
];
{
record = "_dmarc.${cfg.domain}.";
r_type = "TXT";
# p : quarantine => sends to spam, reject => never sent
# rua : mail that receives reports about DMARC activity
# pct : percentage of unathenticated messages that DMARC stops
# adkim : alignment policy for DKIM, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
# aspf : alignment policy for SPF, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
# sp : DMARC policy for subdomains, none => no action, reports to rua, quarantine => spam, reject => never sent
value = ''"v=DMARC1; p=quarantine; rua=mailto:mailman@skynet.ie; pct=100; adkim=s; aspf=s; sp=none"'';
}
# reverse pointer
{
record = config.services.skynet.host.ip;
r_type = "PTR";
value = "${cfg.sub}.${cfg.domain}.";
}
# SRV records to help gmail on android etc find the correct mail.skynet.ie domain for config rather than just defaulting to skynet.ie
# https://serverfault.com/questions/935192/how-to-setup-auto-configure-email-for-android-mail-app-on-your-server/1018406#1018406
# response should be:
# _imap._tcp SRV 0 1 143 imap.example.com.
{
record = "_imaps._tcp";
r_type = "SRV";
value = "0 1 993 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_imap._tcp";
r_type = "SRV";
value = "0 1 143 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_submissions._tcp";
r_type = "SRV";
value = "0 1 465 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_submission._tcp";
r_type = "SRV";
value = "0 1 587 ${cfg.sub}.${cfg.domain}.";
}
];
#https://nixos-mailserver.readthedocs.io/en/latest/add-roundcube.html
users.groups.nginx = {};
@ -452,7 +403,6 @@ in {
fqdn = "${cfg.sub}.${cfg.domain}";
domains = [
cfg.domain
"lists.skynet.ie"
];
enableManageSieve = true;
@ -501,40 +451,7 @@ in {
};
services.dovecot2.sieve.scripts = {
before = sieveConfigFile;
};
# This is to add a bcc to outgoing mail
# this then interacts with teh filters to put it in the right folder
# we can directly add to the postfix service here
services.postfix = let
# mostly copied from the upstream mailserver config/functions
mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
sender_bcc_maps_file = let
content = lookupTableToString create_skynet_service_bcc;
in
builtins.toFile "sender_bcc_maps" content;
lookupTableToString = attrs: let
valueToString = value: lib.concatStringsSep ", " value;
in
lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "${name} ${valueToString value}") attrs);
# convert the mailboxes config to something that can be used here
create_skynet_email_bcc = mailbox: {
name = "${mailbox}@skynet.ie";
value = ["${mailbox}@skynet.ie"];
};
create_skynet_service_bcc = builtins.listToAttrs (map (mailbox: (create_skynet_email_bcc mailbox.account)) service_mailboxes);
in {
mapFiles."sender_bcc_maps" = sender_bcc_maps_file;
config = {
sender_bcc_maps = [
(mappedFile "sender_bcc_maps")
];
};
before = configFile;
};
# tune the spam filter


@ -1,60 +0,0 @@
{
config,
pkgs,
lib,
inputs,
...
}: let
# function to create the cname record for eachs erver
create_cname = configs:
lib.lists.forEach configs (
c: {
record = "${c.address}.games";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
);
# function to create the srv record
# this allows us to change the port without impacting (java) users
create_srv = configs:
lib.lists.forEach configs (c: {
record = "_minecraft._tcp.${c.address}.games.skynet.ie.";
r_type = "SRV";
value = "0 10 ${c.port} ${config.services.skynet.host.name}.skynet.ie.";
});
servers = [
{
address = "minecraft.compsoc";
port = "25518";
}
{
address = "minecraft-classic.compsoc";
port = "25518";
}
{
address = "minecraft-aged.compsoc";
port = "25519";
}
{
address = "minecraft.gsoc";
port = "25521";
}
{
address = "minecraft.phildeb";
port = "25522";
}
{
address = "minecraft.anime";
port = "25523";
}
];
in {
imports = [
];
config = {
services.skynet.dns.records = (create_cname servers) ++ (create_srv servers);
};
}


@ -1,135 +0,0 @@
{
config,
pkgs,
lib,
...
}:
with lib; let
name = "forgejo";
cfg = config.services.skynet."${name}";
domain_base = "${cfg.domain.base}.${cfg.domain.tld}";
domain_full = "${cfg.domain.sub}.${domain_base}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Forgejo";
domain = {
tld = mkOption {
type = types.str;
default = "ie";
};
base = mkOption {
type = types.str;
default = "skynet";
};
sub = mkOption {
type = types.str;
default = name;
};
};
forgejo = {
port = mkOption {
type = types.port;
default = 3000;
};
};
};
config = mkIf cfg.enable {
# age.secrets.forgejo-mailer-password = {
# file = ../../secrets/forgejo/mailer-password.age;
# mode = "400";
# owner = "forgejo";
# };
services.skynet.acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
];
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
services.skynet.dns.records = [
{
record = cfg.domain.sub;
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.nginx.virtualHosts = {
# main site
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "http://localhost:${toString cfg.forgejo.port}";
extraConfig = ''
add_header Content-Security-Policy "frame-ancestors 'self' https://silver.users.skynet.ie";
client_max_body_size 1000M;
'';
};
};
};
# for signing reasons
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
services.forgejo = {
enable = true;
package = pkgs.forgejo;
database.type = "sqlite3";
# Enable support for Git Large File Storage
lfs.enable = true;
settings = {
server = {
DOMAIN = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
# You need to specify this to remove the port from URLs in the web UI.
ROOT_URL = "https://${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}/";
HTTP_PORT = cfg.forgejo.port;
};
# You can temporarily allow registration to create an admin user.
service.DISABLE_REGISTRATION = true;
# Add support for actions, based on act: https://github.com/nektos/act
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
indexer = {
# Will consume more disk space, but we have plenty of that
REPO_INDEXER_ENABLED = true;
};
# Allow for signing off merge requests
# "repository.signing" = {
# SIGNING_KEY = "5B2DED0FE9F8627A";
# SIGNING_NAME = "Skynet";
# SIGNING_EMAIL = "forgejo@glados.skynet.ie";
# MERGES = "always";
# };
# Sending emails is completely optional
# You can send a test email from the web UI at:
# Profile Picture > Site Administration > Configuration > Mailer Configuration
# mailer = {
# ENABLED = true;
# SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}";
# FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
# USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
# };
};
# mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
};
};
}


@ -1,161 +0,0 @@
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
name = "forgejo_runner";
cfg = config.services.skynet."${name}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet ForgeJo Runner";
name = mkOption {
type = types.str;
default = config.networking.hostName;
};
website = mkOption {
default = "https://forgejo.skynet.ie";
type = types.str;
};
user = mkOption {
default = "gitea-runner";
type = types.str;
};
secret = mkOption {
type = types.path;
};
};
config = mkIf cfg.enable {
# https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
environment.systemPackages = with pkgs; [
forgejo-actions-runner
];
age.secrets.forgejo_runner_token = {
file = cfg.secret;
owner = cfg.user;
group = cfg.user;
};
# make sure the ssh config stuff is in teh right palce
systemd.tmpfiles.rules = [
#"d /home/${cfg.user} 0755 ${cfg.user} ${cfg.user}"
"L+ /home/${cfg.user}/.ssh/config 0755 ${cfg.user} ${cfg.user} - ${./ssh_config}"
];
age.secrets.forgejo_runner_ssh = {
file = ../../secrets/forgejo/runners/ssh.age;
mode = "600";
owner = "${cfg.user}";
group = "${cfg.user}";
symlink = false;
path = "/home/${cfg.user}/.ssh/skynet/root";
};
nix = {
settings = {
trusted-users = [
# allow the runner to build nix stuff and to use the cache
"gitea-runner"
];
trusted-public-keys = [
"skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
substituters = [
"https://nix-cache.skynet.ie/skynet-cache/"
"https://cache.nixos.org/"
];
trusted-substituters = [
"https://nix-cache.skynet.ie/skynet-cache/"
"https://cache.nixos.org/"
];
};
};
# very basic setup to always be watching for changes in teh cache
systemd.services.attic-uploader = {
enable = true;
serviceConfig = {
ExecStart = "${pkgs.attic-client}/bin/attic watch-store skynet-cache";
User = "root";
Restart = "always";
RestartSec = 1;
};
};
# give teh runner user a home to store teh ssh config stuff
systemd.services.gitea-runner-default.serviceConfig = {
DynamicUser = lib.mkForce false;
User = lib.mkForce cfg.user;
};
users = {
groups."${cfg.user}" = {};
users."${cfg.user}" = {
#isSystemUser = true;
isNormalUser = true;
group = cfg.user;
createHome = true;
shell = pkgs.bash;
};
};
boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
virtualisation.docker.enable = true;
# taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128
virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"];
# the actual runner
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.default = {
enable = true;
name = cfg.name;
url = cfg.website;
tokenFile = config.age.secrets.forgejo_runner_token.path;
labels = [
## optionally provide native execution on the host:
"nix:host"
"docker:docker://node:22-bookworm"
"ubuntu-latest:docker://node:22-bookworm"
];
hostPackages = with pkgs; [
# default ones
bash
coreutils
curl
gawk
git
gnused
nodejs
wget
# useful to have in path
jq
which
dpkg
zip
git-lfs
# used in deployments
inputs.colmena.defaultPackage."x86_64-linux"
attic-client
lix
openssh
sudo
];
};
};
};
}


@ -1,5 +0,0 @@
Host *.skynet.ie 193.1.99.* 193.1.96.165
User root
IdentityFile ~/.ssh/skynet/root
IdentitiesOnly yes


@ -12,6 +12,10 @@ with lib; let
domain_full = "${cfg.domain.sub}.${domain_base}";
in {
imports = [
./acme.nix
./dns.nix
./firewall.nix
./nginx.nix
];
options.services.skynet."${name}" = {
@ -56,32 +60,32 @@ in {
# grep -r --exclude-dir={docker,containers,log,sys,nix,proc} gitlab /
age.secrets.gitlab_pw = {
file = ../../secrets/gitlab/pw.age;
file = ../secrets/gitlab/pw.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_secrets_db = {
file = ../../secrets/gitlab/secrets_db.age;
file = ../secrets/gitlab/secrets_db.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_secrets_secret = {
file = ../../secrets/gitlab/secrets_secret.age;
file = ../secrets/gitlab/secrets_secret.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_secrets_otp = {
file = ../../secrets/gitlab/secrets_otp.age;
file = ../secrets/gitlab/secrets_otp.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_secrets_jws = {
file = ../../secrets/gitlab/secrets_jws.age;
file = ../secrets/gitlab/secrets_jws.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_db_pw = {
file = ../../secrets/gitlab/db_pw.age;
file = ../secrets/gitlab/db_pw.age;
owner = cfg.user;
group = cfg.user;
};


@ -0,0 +1,122 @@
{
config,
pkgs,
lib,
...
}:
with lib; let
name = "gitlab_runner";
cfg = config.services.skynet."${name}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Gitlab Runner";
runner = {
name = mkOption {
type = types.str;
};
gitlab = mkOption {
default = "https://gitlab.skynet.ie";
type = types.str;
};
description = mkOption {
default = cfg.runner.name;
type = types.str;
};
docker = {
image = mkOption {
default = "alpine:3.18.4";
type = types.str;
};
cleanup_dates = mkOption {
# https://man.archlinux.org/man/systemd.time.7#CALENDAR_EVENTS
# it will use a lot of storage so clear it daily, may change to hourly if required
default = "daily";
type = types.str;
};
};
};
};
config = mkIf cfg.enable {
# https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
environment.systemPackages = [
pkgs.gitlab-runner
];
age.secrets.runner_01_nix.file = ../secrets/gitlab/runners/runner01.age;
age.secrets.runner_02_general.file = ../secrets/gitlab/runners/runner02.age;
boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
virtualisation.docker.enable = true;
# taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128
virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"];
services.gitlab-runner = {
enable = true;
# clear-docker-cache = {
# enable = true;
# dates = cfg.runner.docker.cleanup_dates;
# };
services = {
# might make a function later to have multiple runners, might never need it though
runner_nix = {
cloneUrl = cfg.runner.gitlab;
description = "For Nix only";
registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"];
registrationConfigFile = config.age.secrets.runner_01_nix.path;
dockerImage = cfg.runner.docker.image;
# from https://nixos.wiki/wiki/Gitlab_runner
dockerVolumes = [
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
];
dockerDisableCache = true;
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs
mkdir -p -m 0755 /nix/var/nix/gcroots
mkdir -p -m 0755 /nix/var/nix/profiles
mkdir -p -m 0755 /nix/var/nix/temproots
mkdir -p -m 0755 /nix/var/nix/userpool
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
mkdir -p -m 0700 "$HOME/.nix-defexpr"
. ${pkgs.nix}/etc/profile.d/nix-daemon.sh
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-unstable nixpkgs # 3
${pkgs.nix}/bin/nix-channel --update nixpkgs
${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [nix cacert git openssh])}
'';
environmentVariables = {
ENV = "/etc/profile";
USER = "root";
NIX_REMOTE = "daemon";
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
};
tagList = ["nix"];
};
runner_general = {
cloneUrl = cfg.runner.gitlab;
description = "General Runner";
registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"];
registrationConfigFile = config.age.secrets.runner_02_general.path;
dockerImage = cfg.runner.docker.image;
};
};
};
};
}
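Review bot: The Docker daemon is published on `127.0.0.1:2375` without TLS (`virtualisation.docker.listenOptions`) so the two runners can reach it through `--docker-host tcp://127.0.0.1:2375`; that listener is unauthenticated, root-equivalent control of the host for any local user and for any job container that runs with host networking. If the motivation is that the NixOS gitlab-runner unit runs as a DynamicUser without access to the socket, `systemd.services.gitlab-runner.serviceConfig.SupplementaryGroups = ["docker"];` together with `"--docker-host" "unix:///run/docker.sock"` avoids the TCP endpoint altogether. The `preBuildScript` of `runner_nix` also adds and updates the unpinned `nixos-unstable` channel on every job even though the packages it then installs are given as flake-pinned store paths (`${pkgs.nix}` etc.), so the channel step appears unnecessary and makes the build container depend on whatever that channel points to at run time; dropping the two `nix-channel` lines keeps the job reproducible.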


@ -9,6 +9,8 @@ with lib; let
port = 4444;
in {
imports = [
./acme.nix
./dns.nix
];
options.services.skynet."${name}" = {
@ -49,8 +51,6 @@ in {
domain = "${name}.skynet.ie";
port = port;
settings.server.root_url = "https://${name}.skynet.ie";
settings.security.admin_password = "$__file{${config.age.secrets.grafana_pw.path}}";
provision = {
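Review bot: With the `settings.security.admin_password = "$__file{${config.age.secrets.grafana_pw.path}}"` line gone from the new side, Grafana starts with its built-in default admin credentials (`admin`/`admin`) unless the password is set some other way, and `settings.server.root_url` shows the instance is reachable at `https://grafana.skynet.ie`. The rendered view cannot tell which two of the old lines were dropped, so please confirm; if the removal is deliberate, keep the agenix-backed password in effect with `settings.security.admin_password = "$__file{${config.age.secrets.grafana_pw.path}}";` or an equivalent `GF_SECURITY_ADMIN_PASSWORD__FILE`. The enclosing `services.grafana` block continues past the hunk.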


@ -11,6 +11,9 @@ with lib; let
port_backend = "8087";
in {
imports = [
../acme.nix
../dns.nix
../nginx.nix
inputs.skynet_ldap_backend.nixosModule."x86_64-linux"
../../config/users.nix
];
@ -40,6 +43,7 @@ in {
#backups = [ "/etc/silver_ul_ical/database.db" ];
age.secrets.ldap_details.file = ../../secrets/ldap/details.age;
age.secrets.ldap_discord.file = ../../secrets/discord/ldap.age;
age.secrets.ldap_mail.file = ../../secrets/email/details.age;
age.secrets.ldap_wolves.file = ../../secrets/wolves/details.age;
@ -68,6 +72,7 @@ in {
# contains teh password in env form
env = {
ldap = config.age.secrets.ldap_details.path;
discord = config.age.secrets.ldap_discord.path;
mail = config.age.secrets.ldap_mail.path;
wolves = config.age.secrets.ldap_wolves.path;
};


@ -15,6 +15,9 @@ with lib; let
in {
# these are needed for teh program in question
imports = [
../acme.nix
../dns.nix
../nginx.nix
];
options.services.skynet."${name}" = {


@ -10,6 +10,9 @@ with lib; let
domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
in {
imports = [
./acme.nix
./dns.nix
./nginx.nix
];
options.services.skynet."${name}" = {
@ -45,7 +48,6 @@ in {
services.skynet.acme.domains = [
domain
"onlyoffice.${domain}"
"whiteboard.${domain}"
];
services.skynet.dns.records = [
@ -59,18 +61,13 @@ in {
r_type = "CNAME";
value = config.services.skynet.host.name;
}
{
record = "whiteboard.${cfg.domain.sub}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
# /var/lib/nextcloud/data
services.nextcloud = {
enable = true;
package = pkgs.nextcloud30;
package = pkgs.nextcloud28;
hostName = domain;
https = true;
@ -84,10 +81,9 @@ in {
appstoreEnable = true;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) richdocuments;
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit forms groupfolders maps notes onlyoffice polls;
};
extraAppsEnable = true;
settings = {
trusted_proxies = ["193.1.99.65"];
@ -97,21 +93,10 @@ in {
};
};
environment.etc."nextcloud-whiteboard-secret".text = ''
JWT_SECRET_KEY=test123
'';
services.nextcloud-whiteboard-server = {
enable = true;
settings.NEXTCLOUD_URL = "https://nextcloud.skynet.ie";
secrets = ["/etc/nextcloud-whiteboard-secret"];
};
nixpkgs.config.allowUnfree = true;
# impacted by https://github.com/NixOS /nixpkgs/issues/352443
# services.onlyoffice = {
# enable = true;
# };
services.onlyoffice = {
enable = true;
};
services.nginx.virtualHosts = {
${domain} = {
@ -123,14 +108,6 @@ in {
useACMEHost = "skynet";
locations."/".proxyPass = "http://127.0.0.1:8000";
};
"whiteboard.${domain}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "http://localhost:3002";
proxyWebsockets = true;
};
};
};
};
}
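Review bot: `services.onlyoffice = { enable = true; }` brings up the document server with no `jwtSecretFile`; if the module's default leaves JWT validation off (check `services.onlyoffice.jwtSecretFile` in the pinned nixpkgs), the server proxied at `onlyoffice.${domain}` accepts document-open and conversion requests from anyone on the Internet rather than only from this Nextcloud. Wire it to an agenix secret like the other credentials in this repository, e.g. `services.onlyoffice.jwtSecretFile = config.age.secrets.onlyoffice_jwt.path;`, and configure the same secret in the Nextcloud OnlyOffice app. Pinning `package = pkgs.nextcloud28` also selects a major version that nixpkgs may have dropped or stopped patching by the time the pinned input moves — worth confirming it still evaluates and receives security updates.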


@ -9,6 +9,8 @@
recommendedGzipSettings = true;
recommendedProxySettings = true;
statusPage = true;
# give Nginx access to our certs
group = "acme";
};


@ -15,6 +15,7 @@ https://docs.attic.rs/introduction.html
lib,
config,
pkgs,
inputs,
...
}:
with lib; let
@ -22,6 +23,9 @@ with lib; let
cfg = config.services.skynet."${name}";
in {
imports = [
inputs.attic.nixosModules.atticd
../acme.nix
../dns.nix
];
options.services.skynet."${name}" = {
@ -51,7 +55,7 @@ in {
enable = true;
# Replace with absolute path to your credentials file
environmentFile = "/etc/atticd.env";
credentialsFile = "/etc/atticd.env";
settings = {
listen = "127.0.0.1:8080";
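Review bot: `credentialsFile = "/etc/atticd.env"` points the cache server's token-signing secret and database credentials at a hand-placed file in `/etc` that nothing in this module creates, owns or permission-checks, while every other credential in these modules is delivered through `age.secrets.*`. Consider an agenix entry such as `age.secrets.atticd_env = { file = <a .age file under secrets/>; owner = <the user atticd runs as>; mode = "0400"; };` and `credentialsFile = config.age.secrets.atticd_env.path;` so the secret is deployed with the rest of the configuration and cannot end up world-readable by accident. The `services.atticd.settings` block continues past the hunk.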


@ -13,6 +13,8 @@ with lib; let
port = 11371;
in {
imports = [
../acme.nix
../dns.nix
];
options.services.skynet."${name}" = {


@ -15,6 +15,8 @@ with lib; let
folder = "/var/skynet/${name}";
in {
imports = [
../acme.nix
../dns.nix
];
options.services.skynet."${name}" = {


@ -1,6 +0,0 @@
# Notes on Pelican
## Panel
* ``pelican-install`` is in env that can be used to isntall
* then go to ``panel-address.skynet.ie/installer`` to finish the setup


@ -1,30 +0,0 @@
{
pkgs,
dir,
}:
pkgs.writeShellScriptBin "pelican-install" ''
DIR=${dir}
echo "Installing Pelican panel to $DIR ..."
if [ -d $DIR ]; then
echo "Directory $DIR already exists, exiting"
exit 1
fi
echo "Creating directory ..."
mkdir -p $DIR
cd $DIR
echo "Downloading Pelican panel ..."
curl -L https://github.com/pelican-dev/panel/releases/latest/download/panel.tar.gz | tar -xzv
echo "Installing Pelican panel using composer ..."
yes | composer install --no-dev --optimize-autoloader
echo "Setting up the environment ..."
yes "" | php artisan p:environment:setup
echo "Setting permissions ..."
chmod -R 755 storage/* bootstrap/cache/
chown -R nginx:acme $DIR
echo "Pelican panel installed successfully"
''


@ -1,48 +0,0 @@
{
pkgs,
dir,
}:
pkgs.writeShellScriptBin "pelican-update" ''
DIR=${dir}
echo "Updateing Pelican panel in $DIR ..."
if [ -d $DIR ]; then
echo "Directory $DIR found, entering maintenance mode ..."
else
echo "Directory $DIR does not exist, exiting"
exit 1
fi
cd $DIR
php artisan down
echo "Downloading Pelican panel update ..."
curl -L https://github.com/pelican-dev/panel/releases/latest/download/panel.tar.gz | tar -xzv
echo "Setting permissions ..."
chmod -R 755 storage/* bootstrap/cache
echo "Updating Pelican panel using composer ..."
yes | composer install --no-dev --optimize-autoloader
echo "Clearing compiled template cache ..."
php artisan view:clear
php artisan config:clear
echo "Optimizing Pelican panel ..."
php artisan filament:optimize
echo "Updating the database ..."
php artisan migrate --seed --force
echo "Setting permissions ..."
chown -R nginx:acme $DIR
echo "Restart Pelican queue service ..."
systemctl restart pelican-queue.service
echo "Exiting maintenance mode ..."
php artisan up
echo "Pelican panel updated successfully"
''


@ -1,24 +0,0 @@
{
stdenv,
lib,
fetchurl,
docker,
gnutar,
}:
stdenv.mkDerivation rec {
pname = "pelican-wings";
version = "v1.0.0-beta9";
src = fetchurl {
url = "https://github.com/pelican-dev/wings/releases/download/${version}/wings_linux_amd64";
hash = "sha256-YaS1bthNSeWXH5drc2yensRqsRAOa2VXvivJOaPybqc=";
};
buildInputs = [docker gnutar];
phases = ["installPhase"];
installPhase = ''
install -D $src $out/bin/wings
'';
}


@ -1,323 +0,0 @@
{
inputs,
pkgs,
lib,
config,
...
}:
with lib; let
name = "pelican";
cfg = config.services.skynet."${name}";
php_pool = name;
domain_panel = "${cfg.panel.domain.sub}.${cfg.panel.domain.base}.${cfg.panel.domain.tld}";
packages = let
dir = cfg.panel.dir;
in [
pkgs.curl
pkgs.gnutar
pkgs.unzip
pkgs.gzip
pkgs.php83
pkgs.php83Packages.composer
pkgs.php83Extensions.gd
pkgs.php83Extensions.mysqli
pkgs.php83Extensions.mbstring
pkgs.php83Extensions.bcmath
pkgs.php83Extensions.xml
pkgs.php83Extensions.curl
pkgs.php83Extensions.zip
pkgs.php83Extensions.intl
pkgs.php83Extensions.sqlite3
(import ./pelican-panel-update.nix {
inherit pkgs;
inherit dir;
})
];
in {
imports = [
];
options.services.skynet."${name}" = {
panel = {
enable = mkEnableOption "Pelican Panel";
dir = mkOption {
type = types.str;
default = "/var/lib/pelican_panel";
};
domain = {
tld = mkOption {
type = types.str;
default = "ie";
};
base = mkOption {
type = types.str;
default = "skynet";
};
sub = mkOption {
type = types.str;
#default = name;
default = "panel.games";
};
};
};
wing = {
enable = mkEnableOption "Pelican Wing";
node_name = mkOption {
type = types.str;
};
};
};
config = mkMerge [
(mkIf cfg.panel.enable {
services.skynet.acme.domains = [
domain_panel
];
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
services.skynet.dns.records = [
{
record = cfg.panel.domain.sub;
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
environment.systemPackages = packages;
systemd.timers."pelican-cron" = {
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "5m";
OnUnitActiveSec = "1m";
Unit = "pelican-cron.service";
};
};
systemd.services."pelican-cron" = {
script = ''
${pkgs.php83}/bin/php ${cfg.panel.dir}/artisan schedule:run >> /dev/null 2>&1
'';
serviceConfig = {
Type = "oneshot";
};
};
systemd.services.pelican-queue = {
wantedBy = ["multi-user.target"];
serviceConfig = {
User = config.services.nginx.user;
Group = config.services.nginx.group;
Restart = "always";
ExecStart = "${pkgs.php83}/bin/php -q ${cfg.panel.dir}/artisan queue:work --tries=3";
startLimitInterval = 180;
startLimitBurst = 30;
RestartSec = "5";
};
};
systemd.services.pelican-panel-setup = {
wantedBy = ["pelican-queue.target" "pelican-cron.target"];
partOf = [];
path = packages;
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
TimeoutSec = "infinity";
Restart = "on-failure";
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "pelican-panel-install" ''
DIR=${cfg.panel.dir}
echo "Installing Pelican panel to $DIR ..."
if [ -d $DIR ]; then
echo "Directory $DIR already exists, exiting"
exit 1
fi
echo "Creating directory ..."
mkdir -p $DIR
cd $DIR
echo "Downloading Pelican panel ..."
curl -L https://github.com/pelican-dev/panel/releases/latest/download/panel.tar.gz | tar -xzv
echo "Installing Pelican panel using composer ..."
yes | composer install --no-dev --optimize-autoloader
echo "Setting up the environment ..."
yes "" | php artisan p:environment:setup
echo "Setting permissions ..."
chmod -R 755 storage/* bootstrap/cache/
chown -R ${config.services.nginx.user}:${config.services.nginx.group} $DIR
echo "Pelican panel installed successfully"
'';
};
};
services.phpfpm.pools.${php_pool} = {
user = config.services.nginx.user;
group = config.services.nginx.group;
settings = {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
"listen.mode" = "0600";
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 10;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 500;
"catch_workers_output" = 1;
};
};
services.nginx.virtualHosts."${domain_panel}" = {
root = "${cfg.panel.dir}/public";
forceSSL = true;
useACMEHost = "skynet";
extraConfig = ''
index index.html index.htm index.php;
charset utf-8;
access_log off;
error_log /var/log/nginx/pelican.app-error.log error;
client_max_body_size 100m;
client_body_timeout 120s;
sendfile off;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers on;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header Content-Security-Policy "frame-ancestors 'self'";
add_header X-Frame-Options DENY;
add_header Referrer-Policy same-origin;
'';
locations = {
"/" = {
extraConfig = ''
try_files $uri $uri/ /index.php?$query_string;
'';
};
"/favicon.ico".extraConfig = ''
access_log off;
log_not_found off;
'';
"/robots.txt".extraConfig = ''
access_log off;
log_not_found off;
'';
"~ \\.php$" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.${php_pool}.socket};
fastcgi_index index.php;
include ${config.services.nginx.package}/conf/fastcgi_params;
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_PROXY "";
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
'';
};
"~ /\\.ht".extraConfig = ''
deny all;
'';
};
};
})
(mkIf cfg.wing.enable {
services.skynet.acme.domains = [
"${cfg.wing.node_name}.${domain_panel}"
];
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
services.skynet.dns.records = [
{
record = "${cfg.wing.node_name}.${cfg.panel.domain.sub}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.nginx.virtualHosts = {
"${cfg.wing.node_name}.${domain_panel}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".proxyPass = "http://127.0.0.1:8080";
};
};
networking.firewall.allowedTCPPorts = [8080 8443];
virtualisation.docker.enable = true;
environment.systemPackages = [
(pkgs.callPackage ./pelican-wing-package.nix {})
];
users.groups.pelican = {};
users.users.pelican = {
#createHome = true;
isSystemUser = true;
#home = "/etc/pelican";
group = "pelican";
extraGroups = ["docker" "acme"];
# X11 is to ensure the directory can be traversed
#homeMode = "711";
};
systemd.services.pelican-wings = {
description = "Wings Daemon";
after = ["docker.service"];
requires = ["docker.service"];
partOf = ["docker.service"];
serviceConfig = {
User = "root";
WorkingDirectory = "/etc/pelican";
LimitNOFILE = 4096;
PIDFile = "/var/run/wings/daemon.pid";
ExecStart = "/run/current-system/sw/bin/wings";
Restart = "on-failure";
startLimitInterval = 180;
startLimitBurst = 30;
RestartSec = "5";
};
wantedBy = ["multi-user.target"];
};
systemd.tmpfiles.rules = [
"L+ /etc/letsencrypt/live/${cfg.wing.node_name}.${domain_panel}/fullchain.pem - pelican acme - /var/lib/acme/skynet/fullchain.pem"
"L+ /etc/letsencrypt/live/${cfg.wing.node_name}.${domain_panel}/privkey.pem - pelican acme - /var/lib/acme/skynet/key.pem"
];
})
];
}


@ -21,7 +21,7 @@ with lib; let
)
nodes
);
node = lib.attrsets.mapAttrsToList (key: value: "${value.config.deployment.targetHost}:${toString value.config.services.prometheus.exporters.node.port}") nodes;
node = lib.attrsets.mapAttrsToList (key: value: "${value.config.deployment.targetHost}:${toString config.services.prometheus.exporters.node.port}") nodes;
};
# clears any invalid entries
@ -37,10 +37,8 @@ in {
type = types.port;
default = 9001;
};
};
external = {
node = mkOption {
external.node = mkOption {
type = types.listOf types.str;
default = [];
description = ''
@ -48,20 +46,12 @@ in {
'';
};
};
ports = {
node = mkOption {
type = types.port;
default = 9100;
};
};
};
config = mkMerge [
{
services.prometheus.exporters.node = {
enable = true;
port = cfg.ports.node;
openFirewall = true;
# most collectors are on by default see https://github.com/prometheus/node_exporter for more options
enabledCollectors = ["systemd" "processes"];
@ -76,7 +66,7 @@ in {
job_name = "node_exporter";
static_configs = [
{
targets = filter_empty (exporters.node ++ cfg.external.node);
targets = filter_empty (exporters.node ++ cfg.server.external.node);
}
];
}
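Review bot: The `node` target list in the `exporters` binding now builds every remote target from this host's own `config.services.prometheus.exporters.node.port` instead of the targeted node's `value.config…`, so a node whose exporter listens elsewhere is silently scraped on the wrong port; with the per-node `ports.node` option removed in the same hunk the values coincide today, but `"${value.config.deployment.targetHost}:${toString value.config.services.prometheus.exporters.node.port}"` keeps each target tied to its own node and reads less ambiguously. Separately, `openFirewall = true` on the node exporter is unchanged context, but on hosts with public addresses it publishes host metrics to anyone who connects; limiting the port to the Prometheus server's address in `networking.firewall.extraCommands`, or binding the exporter to a private interface, would be a worthwhile follow-up. The `exporters` binding starts before the hunk.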


@ -12,19 +12,19 @@ with lib; {
enable = mkOption {
default = true;
type = types.bool;
description = lib.mdDoc "Whether to enable the Proxmox VE LXC module.";
description = lib.mdDoc "Whether to enable the ProxmoxLXC.";
};
privileged = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Whether to enable privileged mounts
'';
};
manageNetwork = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Whether to manage network interfaces through nix options
When false, systemd-networkd is enabled to accept network
configuration from proxmox.
@ -33,7 +33,7 @@ with lib; {
manageHostName = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Whether to manage hostname through nix options
When false, the hostname is picked up from /etc/hostname
populated by proxmox.
@ -68,8 +68,6 @@ with lib; {
loader.initScript.enable = true;
};
console.enable = true;
networking = mkIf (!cfg.manageNetwork) {
useDHCP = false;
useHostResolvConf = false;
@ -83,14 +81,13 @@ with lib; {
startWhenNeeded = mkDefault true;
};
systemd = {
mounts = mkIf (!cfg.privileged) [
systemd.mounts =
mkIf (!cfg.privileged)
[
{
enable = false;
where = "/sys/kernel/debug";
enable = false;
}
];
services."getty@".unitConfig.ConditionPathExists = ["" "/dev/%I"];
};
};
}
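Review bot: `lib.mdDoc` is reintroduced on the `privileged`, `manageNetwork` and `manageHostName` descriptions; in recent nixpkgs option descriptions are Markdown by default and `lib.mdDoc` is deprecated (and, as far as I know, since removed), so the plain `description = ''…''` form is the one that keeps evaluating as the pinned nixpkgs moves. The `console.enable = true;` removal and the `systemd.mounts` restructuring are otherwise behaviour-neutral as far as the hunk shows, but please confirm the `services."getty@".unitConfig.ConditionPathExists` line survives on the new side, since without it the getty units may fail inside the container.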


@ -83,6 +83,9 @@ with lib; let
));
in {
imports = [
./dns.nix
./nginx.nix
./acme.nix
];
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
@ -142,6 +145,20 @@ in {
default = false;
};
};
nuked = {
enable = mkEnableOption "Nuked Backup server";
port = mkOption {
type = types.port;
default = 8765;
};
appendOnly = mkOption {
type = types.bool;
default = false;
};
};
};
config = mkMerge [
@ -195,5 +212,58 @@ in {
}
];
})
# restic -r rest:https://skynet:testing@nuked.skynet.ie/ init
(mkIf cfg.nuked.enable {
assertions = [
{
assertion = !cfg.server.enable;
message = "Our backup and Nuked backup cannot co-exist";
}
];
services.skynet.acme.domains = [
"nuked.skynet.ie"
];
services.skynet.dns.records = [
{
record = "nuked";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.nginx.virtualHosts = {
"nuked.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "http://${config.services.restic.server.listenAddress}";
proxyWebsockets = true;
};
};
};
networking.firewall.allowedTCPPorts = [
cfg.nuked.port
];
age.secrets.restic_pw = {
file = ../secrets/backup/nuked.age;
path = "${config.services.restic.server.dataDir}/.htpasswd";
symlink = false;
mode = "770";
owner = "restic";
group = "restic";
};
services.restic.server = {
enable = true;
listenAddress = "${config.services.skynet.host.ip}:${toString cfg.server.port}";
appendOnly = cfg.nuked.appendOnly;
privateRepos = true;
};
})
];
}
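Review bot: The firewall opens `cfg.nuked.port` (default 8765) while the REST server binds `listenAddress = "${config.services.skynet.host.ip}:${toString cfg.server.port}"`, i.e. `cfg.server.port`, so the rule either opens the wrong port or, whenever the two happen to match, exposes the plain-HTTP restic endpoint with htpasswd basic-auth on the public address beside the TLS proxy at `nuked.skynet.ie`. Because nginx already proxies to the listen address, binding to loopback and dropping the `allowedTCPPorts` entry closes that path: `listenAddress = "127.0.0.1:${toString cfg.nuked.port}";`. The `.htpasswd` deployed through `age.secrets.restic_pw` is given `mode = "770"`, which leaves a credentials file executable and group-writable; `mode = "0440";` is sufficient for the restic user. `appendOnly` defaulting to `false` means any client that holds a repository password can also prune or delete its own history, which is exactly what an off-host backup is supposed to survive, so `default = true;` with an explicit opt-out would be the safer default. The example in the comment, `rest:https://skynet:testing@nuked.skynet.ie/`, should not be a live credential; if it is, rotate it.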


@ -10,15 +10,8 @@ with lib; let
cfg = config.services.skynet."${name}";
in {
imports = [
# import in past website versions, available at $year.skynet.ie
# at teh end of teh year add it here
(import ./old_site.nix {year = "2024";})
(import ./old_site.nix {year = "2023";})
(import ./old_site.nix {year = "2022";})
(import ./old_site.nix {year = "2016";})
(import ./old_site.nix {year = "2006";})
(import ./old_site.nix {year = "2003";})
(import ./old_site.nix {year = "1996";})
./acme.nix
./dns.nix
];
options.services.skynet."${name}" = {
@ -27,8 +20,11 @@ in {
config = mkIf cfg.enable {
services.skynet.acme.domains = [
"*.skynet.ie"
"*.discord.skynet.ie"
# the root one is already covered by teh certificate
"2016.skynet.ie"
"discord.skynet.ie"
"public.skynet.ie"
"renew.skynet.ie"
];
services.skynet.dns.records = [
@ -39,7 +35,7 @@ in {
value = config.services.skynet.host.ip;
}
{
record = "www";
record = "2016";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
@ -54,19 +50,22 @@ in {
value = config.services.skynet.host.name;
}
{
record = "*.discord";
record = "renew";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.nginx = {
virtualHosts = let
main_site = {
virtualHosts = {
# main site
"skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations = {
"/".root = "${inputs.skynet_website.defaultPackage."x86_64-linux"}";
"/" = {
root = "${inputs.skynet_website.defaultPackage."x86_64-linux"}";
};
# this redirects old links to new format
"~* ~(?<username>[a-z_0-9]*)(?<files>\\S*)$" = {
@ -75,10 +74,13 @@ in {
};
};
};
in {
# main site
"www.skynet.ie" = main_site;
"skynet.ie" = main_site;
# archive of teh site as it was ~2012 to 2016
"2016.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs.skynet_website_2016.defaultPackage."x86_64-linux"}";
};
# a custom discord url, because we are too cheap otehrwise
"discord.skynet.ie" = {
@ -86,16 +88,6 @@ in {
useACMEHost = "skynet";
locations."/".return = "307 https://discord.gg/mkuKJkCuyM";
};
"compsoc.discord.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://discord.gg/mkuKJkCuyM";
};
"committee.discord.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://discord.gg/D6mbASJKxU";
};
"public.skynet.ie" = {
forceSSL = true;
@ -103,20 +95,13 @@ in {
root = "${inputs.compsoc_public.packages.x86_64-linux.default}";
locations."/".extraConfig = "autoindex on;";
};
};
};
# Some old sites need a php pool running
services.phpfpm.pools.old_sites = {
user = "nobody";
settings = {
"pm" = "dynamic";
"listen.owner" = config.services.nginx.user;
"pm.max_children" = 5;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
# for alumni members to renew their account
"renew.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs.skynet_website_renew.defaultPackage."x86_64-linux"}";
};
};
};
};
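Review bot: The new side of the `@ -39,7 +35,7 @@` and `@ -75,10 +74,13 @@` hunks appears to drop the `www` DNS record and the `"www.skynet.ie"` virtual host, leaving only `"skynet.ie"` defined while `"*.skynet.ie"` stays in `services.skynet.acme.domains`; if that reading is right, requests for www.skynet.ie fall through to nginx's default server instead of the site. If www is still meant to work, add the `www` CNAME back and a redirect host, e.g. `"www.skynet.ie" = { forceSSL = true; useACMEHost = "skynet"; locations."/".return = "301 https://skynet.ie$request_uri"; };`. The `config = mkIf cfg.enable { … }` block these hunks edit starts and ends outside the visible lines.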


@ -1,52 +0,0 @@
{year}: {
config,
pkgs,
lib,
inputs,
...
}:
with lib; {
imports = [];
config = {
services.skynet.dns.records = [
{
record = year;
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.nginx = {
virtualHosts = {
"${year}.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs."skynet_website_${year}".defaultPackage."x86_64-linux"}";
# Handle any of the old php sites
# https://stackoverflow.com/a/21911610
locations = {
"/" = {
index = "index.html index.htm index.php";
tryFiles = "$uri $uri.html $uri/ @extensionless-php";
};
"~ \\.php$" = {
extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools.old_sites.socket};
fastcgi_index index.php;
'';
tryFiles = "$uri =404";
};
"@extensionless-php" = {
extraConfig = ''
rewrite ^(.*)$ $1.php last;
'';
};
};
};
};
};
};
}


@ -1,59 +0,0 @@
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
name = "wiki";
cfg = config.services.skynet."${name}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Wiki";
};
config = mkIf cfg.enable {
services.skynet.dns.records = [
{
record = "renew";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
{
record = "wiki";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.nginx = {
virtualHosts = {
"wiki.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs.skynet_website_wiki.defaultPackage."x86_64-linux"}";
# https://stackoverflow.com/a/38238001/11964934
extraConfig = ''
location / {
if ($request_uri ~ ^/(.*)\.html) {
return 302 /$1;
}
try_files $uri $uri.html $uri/ =404;
}
'';
};
# redirect old links to the new wiki
"renew.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://wiki.skynet.ie";
};
};
};
};
}


@ -11,6 +11,9 @@ with lib; let
php_pool = name;
in {
imports = [
./acme.nix
./dns.nix
./nginx.nix
];
options.services.skynet."${name}" = {
@ -18,10 +21,7 @@ in {
};
config = {
# we havea more limited ports range on the skynet server
services.skynet.prometheus.ports = {
node = 9000;
};
# ssh access
# allow more than admins access
services.skynet.ldap_client = {
@ -85,20 +85,6 @@ in {
};
services.nginx.virtualHosts = {
"outinul.ie" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
alias = "/home/outinul/public_html/";
index = "index.html";
extraConfig = ''
autoindex on;
'';
tryFiles = "$uri$args $uri$args/ /index.html";
};
};
};
# main site
"*.users.skynet.ie" = {
forceSSL = true;


@ -1,77 +0,0 @@
{
lib,
config,
...
}:
with lib; let
name = "sso";
cfg = config.services.skynet."${name}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Keycloak server";
datasource = {
name = mkOption {
type = types.str;
};
url = mkOption {
type = types.str;
};
};
};
config = mkIf cfg.enable {
services.skynet.dns.records = [
{
record = "${name}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.skynet.acme.domains = [
"${name}.skynet.ie"
];
age.secrets.keycloak_pw.file = ../secrets/keycloak/pw.age;
services.nginx.virtualHosts = {
"${name}.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations = {
"/" = {
proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}/";
};
};
};
};
services.postgresql.enable = true;
services.keycloak = {
enable = true;
initialAdminPassword = "sharky_loves_sso";
database = {
type = "postgresql";
createLocally = true;
username = "keycloak";
passwordFile = config.age.secrets.keycloak_pw.path;
};
settings = {
hostname = "${name}.skynet.ie";
http-port = 38080;
proxy-headers = "xforwarded";
http-enabled = true;
};
};
};
}


@ -9,6 +9,10 @@ with lib; let
cfg = config.services.skynet."${name}";
in {
imports = [
./acme.nix
./dns.nix
./firewall.nix
./nginx.nix
];
options.services.skynet."${name}" = {


@ -1,70 +1,92 @@
{lib, ...}: {
imports = [
# Paths to other modules.
# Compose this module out of smaller ones.
];
# this needs to mirror ../applications/dns.nix
options.skynet.records = lib.mkOption {
description = "Records, sorted based on therir type";
type = lib.types.listOf (lib.types.submodule (import ../applications/dns/options-records.nix {
inherit lib;
}));
type = with lib.types;
listOf (submodule {
options = {
record = lib.mkOption {
type = str;
};
r_type = lib.mkOption {
type = enum ["A" "CNAME" "TXT" "PTR" "SRV" "MX"];
};
value = lib.mkOption {
type = str;
};
server = lib.mkOption {
description = "Core record for a server";
type = bool;
default = false;
};
};
});
};
config = {
skynet.records =
[
# Proxmox hosts
{
record = "jarvis";
r_type = "A";
value = "193.1.99.73";
server = true;
}
{
record = "ultron";
r_type = "A";
value = "193.1.99.84";
server = true;
}
# wifi in server room
{
record = "ash";
r_type = "A";
value = "193.1.99.114";
server = true;
}
{
record = "mimi";
r_type = "A";
value = "193.1.99.86";
server = true;
}
{
record = "nuked";
r_type = "CNAME";
value = "neuromancer.skynet.ie.";
}
]
# non skynet domains
++ [
{
domain = "conradcollins.net";
record = "www";
r_type = "CNAME";
value = "skynet.skynet.ie.";
}
{
domain = "edelharty.net";
record = "www";
r_type = "CNAME";
value = "skynet.skynet.ie.";
}
{
domain = "damienconroy.com";
record = "www";
r_type = "CNAME";
value = "skynet.skynet.ie.";
}
];
skynet.records = [
{
record = "optimus";
r_type = "A";
value = "193.1.99.90";
server = true;
}
{
record = "panel.games";
r_type = "CNAME";
value = "optimus";
}
{
record = "bumblebee";
r_type = "A";
value = "193.1.99.91";
server = true;
}
{
record = "minecraft.compsoc.games";
r_type = "CNAME";
value = "bumblebee";
}
{
record = "_minecraft._tcp.minecraft.compsoc.games.skynet.ie.";
r_type = "SRV";
value = "0 10 25518 minecraft.compsoc.games.skynet.ie.";
}
{
record = "minecraft-classic.compsoc.games";
r_type = "CNAME";
value = "bumblebee";
}
{
record = "_minecraft._tcp.minecraft-classic.compsoc.games.skynet.ie.";
r_type = "SRV";
value = "0 10 25520 minecraft-classic.compsoc.games.skynet.ie.";
}
{
record = "minecraft.gsoc.games";
r_type = "CNAME";
value = "bumblebee";
}
{
record = "_minecraft._tcp.minecraft.gsoc.games.skynet.ie.";
r_type = "SRV";
value = "0 10 25521 minecraft.gsoc.games.skynet.ie.";
}
{
record = "minecraft.phildeb.games";
r_type = "CNAME";
value = "bumblebee";
}
{
record = "_minecraft._tcp.minecraft.phildeb.games.skynet.ie.";
r_type = "SRV";
value = "0 10 25522 minecraft.phildeb.games.skynet.ie.";
}
];
};
}
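Review bot: The inline `submodule` at the top of the hunk re-declares the record schema that the comment above it says must mirror `../applications/dns.nix`, in place of the shared `../applications/dns/options-records.nix` import, so the two copies can now drift silently — a field accepted by one (such as the `domain` attribute on the records this hunk removes) would be rejected as an undeclared option by the other. If the copy is deliberate, say so on the line, e.g. `# duplicated from ../applications/dns/options-records.nix: keep the field list in sync`. Separately, the new SRV entries use fully qualified names with a trailing dot (`_minecraft._tcp.minecraft.compsoc.games.skynet.ie.`) while every other record is zone-relative; whether the consumer treats both forms correctly is not visible here, so confirm against the zone it generates.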


@ -1,11 +1,6 @@
{
lib,
config,
...
}:
{lib, ...}:
with lib; let
port_backend = "8087";
cfg = config.skynet.users;
in {
options.skynet = {
users = {
@ -49,39 +44,29 @@ in {
config.skynet = {
users = {
committee = lib.lists.unique (
# Committee - Core
[
"silver"
"eoghanconlon73"
"nanda"
"skyapples"
"generically"
]
# Committee - OCM
++ [
"eliza"
"amymucko"
"archiedms"
"kaiden"
]
# Committee - SISTEM
++ [
"peace"
"milan"
]
# Admins are part of Committee as well
++ cfg.admin
);
committee = [
"silver"
"eoghanconlon73"
"sidhiel"
"maksimsger1"
"kaiden"
"pine"
"nanda"
"sourabh1805"
"kronsy"
"skyapples"
];
admin = [
"silver"
"evanc"
"eoghanconlon73"
"eliza"
"esy"
# for temp reasons
"peace"
];
trainee = [];
trainee = [
"milan"
"kronsy"
];
lifetime = [];
banned = [];
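Review bot: The admin entry `"peace"` is annotated only `# for temp reasons`, which gives no way to tell when the elevated access should be revoked; record the trigger on the comment, e.g. `# temporary admin access, remove after <date or issue ref>`. The new static `committee` list does not merge `admin` in (the removed `lib.lists.unique (… ++ cfg.admin)` form did), so admins such as `"evanc"`, `"eliza"` and `"esy"` are not committee members unless that is intended. `"kronsy"` appears in both `committee` and `trainee`; if a user is expected to hold one role, one of the two entries looks stale. The `config.skynet` attribute set this hunk edits continues past the visible lines.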

flake.lock generated


flake.nix

@ -7,60 +7,76 @@
# Return to using unstable once the current master is merged in
# nixpkgs.url = "nixpkgs/nixos-unstable";
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
};
# utility stuff
flake-utils.url = "github:numtide/flake-utils";
agenix.url = "github:ryantm/agenix";
arion.url = "github:hercules-ci/arion";
alejandra = {
url = "github:kamadorueda/alejandra";
url = "github:kamadorueda/alejandra/3.0.0";
inputs.nixpkgs.follows = "nixpkgs";
};
colmena.url = "github:zhaofengli/colmena";
attic.url = github:zhaofengli/attic;
# we host our own
# email
# simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
simple-nixos-mailserver = {
inputs.nixpkgs.follows = "nixpkgs";
url = "git+https://forgejo.skynet.ie/Skynet/misc_nixos-mailserver";
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "misc%2Fnixos-mailserver";
};
######################
### skynet backend ###
######################
skynet_ldap_backend.url = "git+https://forgejo.skynet.ie/Skynet/ldap_backend";
# skynet_ldap_backend.url = "git+file:/_college/CompSoc/Skynet/ldap_backend?shallow=1";
skynet_ldap_frontend.url = "git+https://forgejo.skynet.ie/Skynet/ldap_frontend";
skynet_website_wiki.url = "git+https://forgejo.skynet.ie/Skynet/wiki";
skynet_website_games.url = "git+https://forgejo.skynet.ie/Skynet/website_games";
skynet_discord_bot.url = "git+https://forgejo.skynet.ie/Skynet/discord-bot";
# for testing a local build
# skynet_discord_bot.url = "git+file:/_college/CompSoc/Skynet/discord_bot?shallow=1";
#####################
### compsoc stuff ###
#####################
compsoc_public.url = "git+https://forgejo.skynet.ie/Computer_Society/presentations_compsoc";
#################
### skynet.ie ###
#################
# this should always point to teh current website
skynet_website.url = "git+https://forgejo.skynet.ie/Skynet/website_2023";
# past versions of the current website
skynet_website_2024.url = "git+https://forgejo.skynet.ie/Skynet/website_2023?ref=main&rev=8987e33cb709e7f2c30017e77edf9161b87d9885";
skynet_website_2023.url = "git+https://forgejo.skynet.ie/Skynet/website_2023?ref=main&rev=c4d61c753292bf73ed41b47b1607cfc92a82a191";
skynet_website_2022.url = "git+https://forgejo.skynet.ie/Skynet/website_2023?ref=2022&rev=687a0b1811987cfc27c2e6f5a625c4d59ef577c2";
skynet_website_2016.url = "git+https://forgejo.skynet.ie/Skynet/website_2016";
skynet_website_2006.url = "git+https://forgejo.skynet.ie/Skynet/website_2006";
skynet_website_2003.url = "git+https://forgejo.skynet.ie/Skynet/website_2003";
skynet_website_1996.url = "git+https://forgejo.skynet.ie/Skynet/website_1996";
# account.skynet.ie
skynet_ldap_backend = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "ldap%2Fbackend";
};
skynet_ldap_frontend = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "ldap%2Ffrontend";
};
skynet_website = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "website%2F2023";
};
skynet_website_2016 = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "website%2F2016";
};
skynet_website_renew = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "website%2Falumni-renew";
};
skynet_website_games = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "website%2Fgames.skynet.ie";
};
skynet_discord_bot = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "discord-bot";
};
compsoc_public = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fcompsoc";
repo = "presentations%2Fpresentations";
};
};
nixConfig = {
@ -100,7 +116,7 @@
overlays = [];
};
specialArgs = {
inherit inputs self;
inherit inputs;
};
};
@ -149,14 +165,7 @@
# Public Services
calculon = import ./machines/calculon.nix;
# metrics
ariia = import ./machines/ariia.nix;
# games server - panel
optimus = import ./machines/optimus.nix;
# games server - host
bumblebee = import ./machines/bumblebee.nix;
deepthought = import ./machines/deepthought.nix;
};
};
}
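Review bot: The gitlab-type inputs in the first hunk (`skynet_ldap_backend` through `compsoc_public`) carry no `ref` or `rev`, so each follows its repository's default branch and is held only by flake.lock; the `?ref=…&rev=…` pins the removed `skynet_website_2024`/`2023`/`2022` URLs had do not survive the conversion, and a single `nix flake update` moves all of these inputs at once. The pin this same hunk gives alejandra (`github:kamadorueda/alejandra/3.0.0`) is the pattern to follow; for the archived site inputs add `rev = "<archived-commit-sha>";` next to `repo`. The flake.lock diff is suppressed on this page, so the locked revisions could not be checked here.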


@ -18,11 +18,23 @@ in {
# for the secrets
inputs.agenix.nixosModules.default
# base application config for all servers
# base config for all servers
../applications/_base.nix
#
inputs.lix-module.nixosModules.default
# every sever may need the firewall config stuff
../applications/firewall.nix
# every sever needs to have a dns record
../applications/dns.nix
# every server needs teh ldap client for admins
../applications/ldap/client.nix
# every server will need the config to backup to
../applications/restic.nix
# every server will be monitored for grafana
../applications/prometheus.nix
];
options.skynet = {
@ -120,20 +132,19 @@ in {
# https://discourse.nixos.org/t/systemd-networkd-wait-online-934764-timeout-occurred-while-waiting-for-network-connectivity/33656/9
systemd.network.wait-online.enable = false;
environment.systemPackages = with pkgs; [
environment.systemPackages = [
# for flakes
git
git-lfs
pkgs.git
# useful tools
ncdu_2
htop
nano
nmap
bind
zip
traceroute
openldap
screen
pkgs.ncdu_2
pkgs.htop
pkgs.nano
pkgs.nmap
pkgs.bind
pkgs.zip
pkgs.traceroute
pkgs.openldap
pkgs.screen
];
};
}
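Review bot: The new import comments read `# every sever may need the firewall config stuff` and `# every sever needs to have a dns record` — `sever` should be `server`, and `teh` two lines down should be `the`. With `../applications/firewall.nix` and `../applications/dns.nix` now imported for every host here, the per-machine imports of the same two files added in the later `@ -22,6 +22,9 @@` hunk (the VPN host) are redundant; NixOS deduplicates path imports so it is harmless, but one place is easier to audit. The `imports` list this hunk edits begins before the visible lines.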


@ -1,56 +0,0 @@
/*
Name: Link to where information on the name can be found
Why: Why is it named this
Type: VM/Physical
Hardware: - if its a VM, the hardware (PowerEdge r210) if its physical
From: 2023/2024/2025/...
Role: What role does it have in teh cluster
Notes:
*/
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "name";
# Assigned IP address
ip_pub = "193.1.99.000";
# dont need to change these
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
# what configurrations to import, email in this example
imports = [
../applications/email.nix
];
deployment = {
# dont need to change these
targetHost = hostname;
targetPort = 22;
targetUser = null;
# deployment option: active-dns/active-core/active-ext/active
tags = [
"active"
];
};
services.skynet = {
# pass in the details of the host server
host = host;
# enable the backup service
backup.enable = true;
# enable the imported service
email.enable = true;
};
}


@ -1,49 +0,0 @@
/*
Name: https://en.wikipedia.org/wiki/Eagle_Eye
Why: ARIIA - Autonomous Reconnaissance Intelligence Integration Analyst
Type: VM
Hardware: -
From: 2024
Role: Metrics gathering and Analysis
Notes:
*/
{
config,
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "ariia";
ip_pub = "193.1.99.83";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
../applications/grafana.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = null;
tags = [
# "active-core"
];
};
services.skynet = {
host = host;
backup.enable = true;
prometheus.server.enable = true;
grafana.enable = true;
};
}


@ -1,51 +0,0 @@
/*
Name: https://en.wikipedia.org/wiki/Bumblebee_(Transformers)
Why: Created to sell toys so this vm is for games
Type: VM
Hardware: -
From: 2024
Role: Game host
Notes:
*/
{
pkgs,
lib,
nodes,
arion,
...
}: let
# name of the server, sets teh hostname and record for it
name = "bumblebee";
ip_pub = "193.1.99.91";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
../applications/pelican/pelican.nix
../applications/games/minecraft.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = null;
tags = ["active"];
};
services.skynet = {
host = host;
backup.enable = true;
pelican = {
wing = {
enable = true;
node_name = "node01";
};
};
};
}

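--- a/machines/deepthought.nix
+++ b/machines/deepthought.nix
+/*
+Name: https://hitchhikers.fandom.com/wiki/Deep_Thought
+Why: Our home(page)
+Type: VM
+Hardware: -
+From: 2023
+Role: Public Backup
+Notes:
+*/
+{
+pkgs,
+lib,
+nodes,
+inputs,
+...
+}: let
+name = "deepthought";
+ip_pub = "193.1.99.112";
+hostname = "${name}.skynet.ie";
+host = {
+ip = ip_pub;
+name = name;
+hostname = hostname;
+};
+in {
+imports = [
+];
+deployment = {
+targetHost = ip_pub;
+targetPort = 22;
+targetUser = null;
+tags = ["active-core"];
+};
+services.skynet = {
+host = host;
+backup.nuked.enable = true;
+};
+}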
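Review bot: `deployment.targetHost = ip_pub;` differs from the other machine files in this compare, which use `targetHost = hostname;`; that matches the dns records hunk earlier on this page, which adds no `deepthought` A record, so `deepthought.skynet.ie` presumably does not resolve yet — add the record there or document the deviation, e.g. `# no DNS record yet, deploy by IP`. `ip_pub = "193.1.99.112"` is also one side of the `ip_pub` change in the optimus.nix hunk below, so confirm the two hosts do not end up on the same address. The header comment says `Why: Our home(page)` but `Role: Public Backup`, which looks copied from another machine; `inputs` is taken as an argument but unused.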


@ -25,8 +25,7 @@ Notes:
};
in {
imports = [
../applications/skynet.ie/skynet.ie.nix
../applications/skynet.ie/wiki.nix
../applications/skynet.ie.nix
];
deployment = {
@ -41,6 +40,5 @@ in {
host = host;
backup.enable = true;
website.enable = true;
wiki.enable = true;
};
}


@ -26,8 +26,7 @@ Notes: Each user has roughly 20gb os storage
};
in {
imports = [
../applications/git/forgejo.nix
../applications/git/forgejo_runner.nix
../applications/gitlab.nix
];
deployment = {
@ -35,16 +34,12 @@ in {
targetPort = 22;
targetUser = null;
tags = ["active-git"];
tags = ["active-gitlab"];
};
services.skynet = {
host = host;
backup.enable = true;
forgejo.enable = true;
forgejo_runner = {
enable = true;
secret = ../secrets/forgejo/runners/token2.age;
};
gitlab.enable = true;
};
}


@ -31,7 +31,8 @@ in {
../applications/discord.nix
../applications/bitwarden/vaultwarden.nix
../applications/bitwarden/bitwarden_sync.nix
../applications/sso.nix
../applications/grafana.nix
../applications/prometheus.nix
];
deployment = {
@ -55,7 +56,7 @@ in {
# committee/admin services
vaultwarden.enable = true;
sso.enable = true;
prometheus.server.enable = true;
grafana.enable = true;
};
}


@ -22,6 +22,9 @@ Notes: Thius vpn is for admin use only, to give access to all the servers via
hostname = ip_pub;
in {
imports = [
# applications for this particular server
../applications/firewall.nix
../applications/dns.nix
];
deployment = {


@ -17,7 +17,7 @@ Notes:
}: let
# name of the server, sets teh hostname and record for it
name = "optimus";
ip_pub = "193.1.99.90";
ip_pub = "193.1.99.112";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
@ -26,7 +26,7 @@ Notes:
};
in {
imports = [
../applications/pelican/pelican.nix
../applications/games.nix
];
deployment = {
@ -40,8 +40,6 @@ in {
services.skynet = {
host = host;
backup.enable = true;
pelican = {
panel.enable = true;
};
games.enable = true;
};
}


@ -25,7 +25,7 @@ Notes:
};
in {
imports = [
../applications/git/forgejo_runner.nix
../applications/gitlab_runner.nix
];
deployment = {
@ -33,15 +33,16 @@ in {
targetPort = 22;
targetUser = null;
tags = ["active-git"];
tags = ["active-gitlab"];
};
services.skynet = {
host = host;
backup.enable = true;
forgejo_runner = {
gitlab_runner = {
enable = true;
secret = ../secrets/forgejo/runners/token1.age;
runner.name = "runner01";
};
};
}


secrets/backup/nuked.age Normal file

@ -0,0 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA dgJJTGIzBXLeK17bfgeYeXXN5YrByBOTbhyIkx+Z2TI
zgujS6RYpXEzbUYZc1DRz0RlWAGurFNzAJnE4j4zhjY
-> ssh-ed25519 4PzZog U7EUVcL+2Acv3mBpz88t2ZwVJm4YyNlwXzXpSkZfjk8
LKQqiFcJ3pIWJG5DSbBbcEzg0dIPFOfiwcKCuR2zfhA
-> ssh-ed25519 5Nd93w Rsjby+9wJr4PnaixDgUk32319SnfJCxgnC8fQ9Gc0yM
7jmxPtgrIZ9ZF5c04bMzgYBLLPoqKFfwmU/qG6hF+9s
-> ssh-ed25519 q8eJgg p5+dL0VBijPOTihOZuDQdE/yLQA+BHlEVSq12gRaizw
MzQcGLTaUhgarzvJ7h/XfHIyPUb+i6YkbgkbvhOONEo
-> ssh-ed25519 KVr8rw W9+d0ot3036q0YPNYaY1MS/4EiTU0MnLmq56dvUamE0
wuIORoGvEG8lqrirf07ycIHawiw/DsjvTUwZrIEjSjk
-> ssh-ed25519 fia1eQ c5cadKGZlONyUKivzegA+swGqgpb8oLDe5bk7Sb8XBI
NNrb+ezMjYuKkaDUGumflNYrKPzxnPULoMslxH5/bFI
-> ssh-ed25519 DVzSig 6uvtkJC55iEwnCPZGAqMrLzW+IuHX9YDhtCX3eHtxkA
JNmstGPHqh2if+C4j1S19v2bCpbib+Wthp/OCusCSc8
--- teGaaxnvHxEkKCtyNsBV/yhl3Ohn9BD3nfjl6jq3OcM
³Êb_ÂòõŠ<C3B5>aX¹&6LFÀo8˘¯œC.ƒ ~ÿˆŽœž—k3âÃî;¯1޲ ”Iôd* ÚûV®Ïƒj¦áÖùñÅí?D©´Õd%buš^Øa"Q2„<m<>oãm©œc6Ò¹5!…HÂé8Žj9Ä <C384>1º»þàT@½Îoíâvœ¦ß<>&E„áÅË(èˆH©n®}³ÞQÉhe5JãfàåÓ\.,~X<isÅpŽpÆkøb ÿp8aÒfÞ†½0ˆ*»0ù;Øy:hl


@ -1,53 +1,45 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA TQmxW2o4Jtnt2Q+dtDSSvQid5mJuYXIfB6/R9pu8Mm8
jaOFArFpPRtqPTRvDIBCs3OUR3MTMm6KO1T6MgKpj4Q
-> ssh-ed25519 4PzZog mQtJSXzC+V4BZqhB2QfstBCiSJ6xiqkQHBswGDjMiR0
VXLEzvi3mug2FLeG4VCuYbIqWeOElmtQVco5nCB8lT4
-> ssh-ed25519 dA0vRg gTO68mXaUs3+5hScGoNC5GvwunDmQQTpC4NYs4Yal0c
nQXHVzwjJqhp7OI78gFxfY6i6lh/vEOgGcKykpIq+sA
-> ssh-ed25519 5Nd93w dvoKD0frxnLkpkyIjPrbQX/85QYTow++jYRkzE6JQDQ
GOpAxyasg3QIeia0M/fSjx0GXBbtoB0Dij5OQcLt9OQ
-> ssh-ed25519 q8eJgg U5JyEYQx80ZPAlPcYLeJ4LIuXqnBzEB9H3quyXKihQg
2XPT3XDfMMGdbq+Dli7GTz8L5aOqIGuvBjkyicO1LCI
-> ssh-ed25519 KVr8rw wDaI/Q1pPUiZw7YgSxaxOQet8kmbmCPVMoWuFOuLfTo
EwmqrN+ebwtUZk9xfk8t8aEB4247v5ebRIAuQC4HG0Q
-> ssh-ed25519 fia1eQ tabZ4WR8aUIFbrxQkn1N9bkSf0fDSh4b3H8v/DDJUGs
AtLXyURPbd7705P55GSjCimLUqnx5qx2pw8+EYkCPMM
-> ssh-ed25519 /Gb5gQ zlOMAGbhvow7GfAZTzr4YN1NUcAdK4Ul3H3E6XTQ0lE
Sych9Yv3j+up2Tq40Ne71f6+gh1aa4pnMCD9Ix0uJTA
-> ssh-ed25519 NtlN/A HcUw+Yy00Km07maRKra/gFT9HGR8M5oTi04RS2YnPS8
cuB3REfy2U1JFoZJsDPYNrj4dtTqjR3Bmci1FJxxTm0
-> ssh-ed25519 v2Y09A NOo8GtwyhqWHfv+b4C1YAZ1NuibgOVSjFNu1mrRxN0M
Cep8xw59D0UAKMsCXSISCUEr6qxsLyhX0gC+A70Nd1I
-> ssh-ed25519 XSrA6w PrKMz2M77Cn6v84pQGKgNNZOKX1bsMf0uW3BvTVizBc
HBB/U6ab8cVTfrwAlPIC0IUSYBTzCpBKs3T5V8yTkp4
-> ssh-ed25519 MhHMYA sN0py+4OvuxWeg8IFRW8a0D5Q1iv1RkkcIkTVuLDy2c
obTquHtRQ6KyNdQphqGla1Db/GikKzsawLqyBjLDlQ8
-> ssh-ed25519 3erWHw lIY/CpMeOjEdmhlyA82Bf1HWYjZOGBHXZ0yDO/oD6Vk
rdmgOpo2jCYqwlvNOR6uGgbHQK8dYbCfGntcB9NE7Ck
-> ssh-ed25519 uZzB3g 6hlhEB4/qTYhna5ELo1VgesvV78kNNftJP7WVGa8njI
Yzk+Q1yQMm2ENMbwEQ9eue4QnhfRrG6c5XkVL7dAlus
-> ssh-ed25519 CqOTGQ Q1/FbhX3FQiT88QsvIbo9esKAPrkSjNrYZQWd20l/1E
fOJQ489r/URsux+XWNGMnVY6DyIML0Ek1XUFWngMJKQ
-> ssh-ed25519 IzAMqA 8j7ykxVoEENqhspd711lo3WyPhRsIwrdHoo2jl7qwk0
s+594dkf5CXAcjRXMBxBmq5cOVAxWTynk7yMr6v285Y
-> ssh-ed25519 Hb0ipQ ubqGhgR7av/VnBLI8EfxrRBx9/Vg+AV+djg20ZVtvGo
gVhGWJpD7GqqWzIcJNcMEeYzKFXVpt8A1irQl4Npji8
-> ssh-ed25519 3pl/Kw tq+5vte1e5CPV0W+LQi5c6hq6QsSZEKef5p5Ij9VZmM
pD9+4dWKjRL+2L8hea+To01l0rsmDgcDHhEQYvitaos
-> ssh-ed25519 SqDBmA fHhzQz1J4xGo3jVwIMF5qupq+a7/vVEzjWijULHg+yI
9qjuBOZ4Xcxt43ICEBjg+SEkvmW9YA1Fx4t26tG5AQM
-> ssh-ed25519 UE6fcQ 6rttdnxCOyPl6H2hHgFl1CI+MC0pp0SwCuV0ZUcsCws
BdKGZy3Bvi5mXKLV1A879CWkb4Oilxf//KDUoTPqw3o
-> ssh-ed25519 YFaxCg qEVNkH3OOlwo5WgJT/dEXwnaVKWMHry4bD7Nk9Giyxw
qsVYVERNaSBOwxARdFVoJlvc60/K5wsnPBVmLY8X+No
-> ssh-ed25519 elCEeg zU9svoK/IrLhufndDkxuFgh3NQMHJkJboqk8bqar2yc
lO1OGKjO/tdpu0mb/neO4bXzgK1PP4FipeIW7//FoqI
-> ssh-ed25519 8vZ9CQ OBwGQL1ZnRTx9B7AeRk3b1pASOfrGUJrpNpL5B8/DGk
/X/OImiweaztghP6rOauMxmnICjvY28rGm4g6B5XOR4
-> ssh-ed25519 IpLDOw 2sprkG8onsdJc1eOUWDPh80UGwrX1TUyO3AxC+tx9lQ
p8vYbeigZXz25CR9zcFHue7rSx3Oet06FuUfiMsu4t0
--- Vcose0DATNbmn/6l8iEec/gF12mpoD4qR6JJZlkNic8
<EFBFBD>.¾•®19E97Q÷ÃSœ3\¡!DR
ÑÐË5ÛíŸ4Áóã
<EFBFBD>Î/°[Ñ<>»‡—Á^û@tb—$å·ä«lCÕI9÷>A•vŸ9þ'Ÿ¡$CâPWy4Ù”7ïð;u÷~xÔ˜5ÝO#Hì]¡¨ƒ ,¸)ÿõ^'éÄÊÙ^o/ G\¹ŽŒÁµ·SU áØ;B¾#ð†ó§B
-> ssh-ed25519 V1pwNA 7yvURMKPgnbCWAE2q51v3fDFuXCivslOvDuxGIi2JHc
numnCMoai7pCs0qBhsWr/CjU8FfrUeQsfq9mvMTVj34
-> ssh-ed25519 4PzZog O2zDjiWrxoqWp0QYlwXw8Oushe2wwlw1J336+QksnUc
oBJ9zPd7+Agc9KSYgA64Sbj0aZLJRRQS2MgnPGHbcic
-> ssh-ed25519 5Nd93w adTzuNLU94FC3fR/uK3XsI5XZSANXZmwp6fG9ZeoA14
7U4C8ZbZKsl3kdPMymoHc42k4i1Wom+wi/THXosDgYg
-> ssh-ed25519 q8eJgg bgfuSRzrmyVG7ewvPztde7o0QJyQXXBbvK+Rs5JdN3U
2wABMhVimVi4Nyrfa7EWji5YClqh6GhOjFUKzcJqJcs
-> ssh-ed25519 KVr8rw xQcp6gQPq/AxA8cEKjhgvQ8NBmSmXd9LN1ZBxxqSlQU
gy7wbZiCsKdCUAPH82xgnxWXc/sxY2S8JKcnzzypyOY
-> ssh-ed25519 fia1eQ Xh2ErHfrIvHTvUyDHmDD1X0Dxnz9bUnnRne0RYPIPk8
V3+5H/8vMWV3lriiiEd/C7lg8IcQSKkO0JrhD8KrNGw
-> ssh-ed25519 /Gb5gQ ftm+TgiEOPimzA+qsus9/rFUqTjWn/VVORIs96Lgy2E
mzRiPpqZj/tkFvdphOWn15IHv+GhTd4vj+T/lpsXJtA
-> ssh-ed25519 NtlN/A 2t0YPeV7uzYhrIZU1TDi8xxPGvpCReUL5Rxt8sflK28
r61bhrJj6irlo2xTU8iCJj8YzSbYWFjH8iiC88SOrAA
-> ssh-ed25519 v2Y09A BXWbnz7DUn5tssTCFkM9cFzF4M5oj3rcFMrfhFzL5lM
2GVsK4gq4HIBVJWlQVd1G0kags2peJ63AfuBdOxbY70
-> ssh-ed25519 XSrA6w OJ2j5EQe69sPH+wTsiMBlopI4QmHiLsfJDQj+F9rEiw
u/9MNFViy7TvNTA7lvBKnL/qYWlkOJrJKcSG563Btnk
-> ssh-ed25519 DVzSig 6djjmbfge5li1ZTlaA4Wc58xfk0Kb4EdXPxX1bPdJAE
HMnnH5Cd5ffp9t+tJdhagDLoGk9HKpjI28SMQGcMvIc
-> ssh-ed25519 uZzB3g NS2dkA9o84OuCTUSoHU7MaUMJG85vr2tnCq3rSKtTGo
6+7gqBrSIogz7nYdDUmtS3650x/y4rmgy4ru9sOf7hY
-> ssh-ed25519 yvS9bw /CoelQvArSJCFKTV8x/OHVWTYEsNTkbRqweqaIvlykA
TGuI9tt8EnEThL3l+wgipOtDMPPTkVTdFLpRKHGFMpU
-> ssh-ed25519 IzAMqA Hb0cVXd+8WrWJWVs6j/qxBUCOv67M+Se+v2y7470oB4
i8GWMK8uXbaODkQm02TqCn79+b1zu9Zq2W7c7Rg3FHE
-> ssh-ed25519 Hb0ipQ 3Gr6C7Q1yfHWcxn0pImpI4mQjdIHJKyzSZDv+5Eo1Vk
8WFp3fNRKFb0jxmSDNVlRM+ec4bd2O5POeY69T0bVz0
-> ssh-ed25519 3pl/Kw GCks2XrtAKpVRl7nC2g+q7c+Q1gqh2tSfPDHHI+wxng
iyblirNv3byNgI27599Dq6kc0ae2xaoMh7thSIoVLJ4
-> ssh-ed25519 SqDBmA FxJJFJboiAe5T4TTcx7VY2brEQN5DqlQ3Ak5C03MKzw
yLYdnZHSftMTwruQYJy1I2oWmWZNPykqxe6nlAdLTDs
-> ssh-ed25519 UE6fcQ Y7XmsyOOMffkb7GofPufJ6d/JdVi9fg3LK17C1zL1wo
hfo5xZcNpVSOiNuZFe1fJ8o4mPF2cHoyAoyc2LO6XhY
-> ssh-ed25519 YFaxCg 1t6GiHkJUaJ795x9PRVkDU0P0FP+RC1QEedl4qHgNAE
o9hxn0jLFBqej4D7xJdtVCB9UnUBrCXZM5gpFbibldA
-> ssh-ed25519 elCEeg TunOY5HCLU87gGej0HWFm775FLsbtL+41HqYS3hgLyk
E6rAZdQUj/Zia6i0Q32SfqugEJ3rrQt8OM9sPQ+ZXOk
-> ssh-ed25519 8vZ9CQ Pwqq6eKEIf/fLLiB+j5IQTFxRXrEi2ajORzH8GQpHVY
nmrnjLLmUPPOgk1y64Zcfhhhm87dRg5V8GM5GIfB6oE
--- dBHJ3bG+te1AZd+FHj/ssxBbrCBiyl3VARjnd5F0yz0
8|ÁÔÌåp™Èh1DMZ ê¦À<>Os+^<5E>ƒ:ËËŒ¿øÇ™ÉækâLÃØ°çùãá¹»¢]gžši`í™jþê;JÄp/€·<E282AC>• ‰^×a<@Ï} ÚÛ¶ÞÆä <C3A4> Ÿ¢J¤\P¬Ò7çK7÷Ö òâçÎ~ µ+6NõýüÜä2k<Õ<ç^§³„9Pôi/X4uË


@ -1,20 +1,18 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA mN/1o9VKKc+kBc0s2DEmjHJn6AUbCQUoaCsvswNHzUM
SlqlUx/Ok6lrc71g7uJYG4/Y+DG9nnumw0GsHtFH9Ao
-> ssh-ed25519 4PzZog Hm/dzRXkAtX8iopSdsrRw0rIAKtagbRtS9zGnFZdjAk
dIhBGvUOUd7SgqADywQnnv/lggussXa+AxOdxI/gp4E
-> ssh-ed25519 dA0vRg mP3xepL4DnV1V0sYrS8n5a9XFaY3HlYn88IjukBW2C4
KpUv1UGZdzx3kHH8LlkqCIgGK9DAOZSyN+bLfaPABcU
-> ssh-ed25519 5Nd93w E8tGoDN/aQoe9gmMkIWxB7vsgQ5fJ8WzjO6+NefmcXM
HY65eZHHm3GovuZoVgOMh8kveA1aaxyYBvXDMuw5Ry4
-> ssh-ed25519 q8eJgg j86zF1fq/TSyxl0CTlvnJw0MJVVtG03oqGDumyovogI
gNZY0eSlLIstaHlbY/6n44/BKaQITXqD8qNOJGotplI
-> ssh-ed25519 KVr8rw 7T8vLuXcc0jrtvQTu/FU3ZZC963YkAizU5Q79OQEvxg
R9YC1AZsrJa6PZ0Vzum9TKCwFPd5EWJ4McJqtNgQQ34
-> ssh-ed25519 fia1eQ bzqIMpD3LmkKUPRZ8HibiqJDZfR2lIcMCICputpX2w0
2TMqO/yxAMPB4b13/r6jBytD5lhbhauxTrmCx95w/4s
-> ssh-ed25519 3pl/Kw 9qEhAIqJFP6XrMsT5ju8XQeG5dNG/U0/wTUiPYT7xHU
gT+zRjaAhAK/BUOZXAWNUq90F1I9T/y6qZuGRnbHroQ
--- QGGO/WedFvcHW4JxdpMHP1PbfaB1ITP4KVb5vWF3Kzc
Y@Ò·›â/å­Ü» ÁKç‡ïhA@ð0K
.uÔÐÎq_9`Ï, ÓÕW%ØTnÞÇÎÈø`C€”ÌʯªÃ·‰1ŠÕnì3äï?ŹєÇ<E2809D>¡<17>V]­Ó
-> ssh-ed25519 V1pwNA Q6fzzE0ZuVtBGR3fFnmw45hrQU/vKj2y2aEzYA2cvAs
c0A5Ieu188qIE3QKvC+6DqjDxAC4HqfBUbPu3m72NTA
-> ssh-ed25519 4PzZog AzQaulqa+X3fxgk/sP5jjFfPGAPMzGlbacGIQdKpSxs
d5OgkPftJ8wqrMlfGcxLld+DWVQ58/SvXGOmPj79SUQ
-> ssh-ed25519 5Nd93w u+Fu4cNNKnHht6Gj8NgCK96U8SL4h+hFv9SZ+DSMrGg
zy6Jf8ZBInhOVDuFuFAZso6KJl8gLlklqWCayPqb14w
-> ssh-ed25519 q8eJgg s6jAIb95QqWDKGEx2lbnJruSfp6mgERcI2SzTip+Gnw
IHPOcqeagr79owKNqyk9dLjz5Qz1fQ1A/vOxt+NPlu4
-> ssh-ed25519 KVr8rw VO/YREcq6mknjN2JdAr3GWg91Hml4k1Ojx1tUMXAXks
1BhUi7kRCZV+c9TROQIFeNt2WSL9Xa14J40vo/qyJ70
-> ssh-ed25519 fia1eQ w6T0/iajXe7pgvX75tm/94HueS6OlKlXAo3IgIIlcm0
Cun2Xmb7fbXCg18lLmsdhqViEG8lqOAGGoghJlvunu0
-> ssh-ed25519 3pl/Kw cpVAh+pifXN3ohww8TqmyCrCRWU06OAPPdLX/5DBUwo
+GQ7xCXSJp6nwGymXD+9AqeZC7ScJl4a/A/2XWQzKbA
--- GhvvZMgI8VzeGNtLQ+EUIPYpR6EgLpxiuxn9Upu6o7g
ðKihãPSëÔd~p{%<25>Pàbªc•£„ã't«kÀÙ?[e0¤þbþë
éŠ<EFBFBD>{<7B>Ú Æ&$tWŠë.<2E>œ"ûÆX˜f¥\-vIýL{]”óõš¡Õ1;ûúüU¦<55>

Binary file not shown.


@ -1,19 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA H7YH2bTxZIlSQR6h9LTj/rdgIH1FzrT3zGujEGWa/T0
EB/hy708s62jz9yhqVMp/iouRC3Hf/GahvtZzgTK6Uk
-> ssh-ed25519 4PzZog 0UlgzFAlGE4dOOHlGaI9DNBu2UaNTGOzjICpA218m1E
guZIR8Czh3zt4W4mKkHzp0VzhdK2nzM1hDB94t4AyFY
-> ssh-ed25519 dA0vRg 7J2jo8Y7mlp91/N41e+cuv4Y46Ui+DKnNhfeXd2dsj8
HqAFiScEAKMK4z4bfx+7PQQJQwm80GxjzjBghplVQtg
-> ssh-ed25519 5Nd93w VIsfbZTy3Ima3RoXrVDmzm/bBlPRT7vgzwKLkQ+7WCE
ZTX0Gryg/XoQ7Pu0jmBb0MBKv0ee6GUFuOj27SThHIo
-> ssh-ed25519 q8eJgg FOcmChMzV93MYDuFEraXcksxUi2YSxM0t1VXXmZOVXk
vBdFZBUquAmb1GQV+Gs8wLzzK0IS2yV/o9cnYiMGBPs
-> ssh-ed25519 KVr8rw qC6uMcLvYz4gIK4Ajrfqzr1PBC4Iqgw6elBPRztTUzM
ww7UnTYn+ZwUwTg2xpNIp9cmPCxRztn+NWGzVfSgCMs
-> ssh-ed25519 fia1eQ o3z/yAM9iwIYMJnmp/uJ/ul7nNp447VgumnKzSQyvig
dUXr5Za7VZzHJSmMwUw76TptIRHdtBRdHv4IRKfzZog
-> ssh-ed25519 IzAMqA otPdEEaDoxx4CiZkn+Ho+Vp+l+BPC2a5vkSv1DCg4Bw
FCFjzX4tueayqW2vhzowZfntufX8uR5ViGFH78r82J4
--- Tnv8fDlZG/DndtKdjbuxPnw6d36W0lZ0uetXa1VcaOs
5m PåÅñ_”\@%Ç2Á€¡Æº¶ÌÊ<04>ãòÉMCyäz¾Ó*=QMÐ>öXØ3Ý/1æÞÄú 4A5(c´<63>𲊬ƒ4îãgfô«µ,k
-> ssh-ed25519 V1pwNA abYqfp05DkkiK7wdTOn+E9+FU9iX8y/UcoVNUJQ1wwQ
BLIH6HkjumaaeKntAMm5BXC4ADfqLRh3vsq26gVB470
-> ssh-ed25519 4PzZog gNCidb7IlrQLJah7iqpLKLFzlhe/4RLk5hexSq96My0
ynnNvbbit8U8CNel3cBEeel006ftNPArV+oAFNdmv/4
-> ssh-ed25519 5Nd93w YnGe4yzhVDQD1z7Mq58KgnF2GJjkBLyiOZBmCygazRU
dZg81Rb+XSoeho2Xbth+pIza+6F4TbAuN6s5BbP1OLM
-> ssh-ed25519 q8eJgg H9L5QhInkMWBndRYQHIQTmuMVBrMtaXqCrpEXV/hpBE
QL24qbdGbfdmv2bgS1uYjRHB5fKPrfmbmMidjI9dEIg
-> ssh-ed25519 KVr8rw GqmHdNfgOFKcZ6+zxKDWg/ImAVEXHTSpzDmBe8f/vmo
4u2ek5DHeDuBizYx0nRee02Gf6492fjWM8U7/HL2XwQ
-> ssh-ed25519 fia1eQ zYA2FI8k6675UAQn1AlwWzPV5e52dAmv/ESDFMmSQlA
rup+vtydMspXXeQQ9In4s0HQnBNY4IvqRIlIdKPVaZk
-> ssh-ed25519 IzAMqA QOiOSUOx76IICb8rSo0OxTtyZnyyA8nZ/pvuDZcVfUI
vDUSgB6dfzKNIpA4/0PbvJ/KzcVgW9l5KqqV6rKbyhM
--- 7Lo9nyTOtFbzsGyr/5Kanvj+yoszus8bUMWquX2rG90
¡Çä4†ª+¡ ¦ÂÐQÍBFY2°“$žÄ8sñ¼Ñ„qš.U¾È<C2BE>ª5õ<35>†âQ·yKëog§ ­8^ÏËhîú.±=<3D>ÎæŸ³ŒÉE

Binary file not shown.


@ -1,26 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA 6NKUbOSUbwVjzW/ZUpl8qEiUTTegFlji4+tVJyqY3SE
fRQvaKnLMkVBboTEriQpWlGY9VBAP3ppsEbAB2QTScs
-> ssh-ed25519 4PzZog mp/+b5LpB+DvRduqAZiKWqkZq6+tlyQgVTZz7Oge2Us
OycqmZyDr3levWSfRFxypJOkITLDix0Q15Todya6BNc
-> ssh-ed25519 dA0vRg yp/4LvS9DbdatHFWFsP5qhH8CP8Bs0IjVSenUtG4+Xs
hHiJEtl1ffYXltsJzuEMLGUl2i/i3pFzv4bjbx/cbOI
-> ssh-ed25519 5Nd93w BTngmy4NGLGKhC8lPos63QEVBKoQT82KswQ22EypcQQ
OCnJMkOwwXQVbtCitUizXM4nynC6a1tiPSkm7MxulWA
-> ssh-ed25519 q8eJgg NaEjVcDBVICRgXuJchEdE4vg3qmkNmJAbDDxLq1fX0M
YFwUmEPwJIik5YJ2SV5IAmqGlY+h24voJJlrBaoCBwA
-> ssh-ed25519 KVr8rw ZnyVITZFkuozEs/rbTdxXDQNS3Nggo+JkBL1Icht2SM
B4jVVts5lK1kIlOWMl0eiN7TpsTeJZWIu7NqildxeGE
-> ssh-ed25519 fia1eQ kvzARRScl/eypC2a5cY66sXcH+TZqz4sYg4W/k9iJxQ
Ga+4TVvXiQ6i5/+fgUQ3E5tJiLqdBsEsXjenXEpRV/A
-> ssh-ed25519 IzAMqA 5sizvlhLhAhAR1bViHJtRJ8fAIO56TAuLVSOwE177QE
b9oJ8BC2xiBjvc3D0H0EF7bSNDlpvIidyBCTf04ndJI
-> ssh-ed25519 uZzB3g g9y66zNmQbqP6Rbhg2t06W3YOgy8DkRvJZbWVegT71s
2dH7E76tDMrWQJbLPefyORP66iaPHQnSjwu8NCdSyJo
-> ssh-ed25519 Hb0ipQ azOzBLXfshInlFVpV0PzIBidL/VzA/+kKRXFFVD6ZF4
iXBF/Wcv4KWo5qUXUlyimuo0l6aClKxOCtkm3MxAIBc
-> ssh-ed25519 IzAMqA EWitYyV8RsPIB6HEFE2OI/C1zcC6WfBEeDI62rGVmkk
Bk9tdSqIjLjat21J2LM8RXAt9GwdQxYdfPzqDtCjunE
--- waY7j+HMEOdqEZs/TcLEhUY9gJs6ZSc51VNfuCmCxJ4
Ý;dÙ9A‡vÔé±nq<“ê;TèáƒB؇$ÐGÌvï¯h
»\^Žé§lÖ¯`š¼ÄÎ?l¸ <0C>au~üЧ×yâ[ךju²ü;]!œ6Ëè±ãXIs4ÇŒ!Ù@ß϶û¬‘|›úïª">eÈÿ[Vž´,ÿ5˜ý8N§¹Œh<04><>[ƒ×´ZD,&âñíó¡”õIØ>ŠØù¡<C3B9>|ÎézÉm
-> ssh-ed25519 V1pwNA FJbuXA9iZkVimh/bRdl2MnswKZpHkF6HmIqG/cmE62s
2vP3FNg2f1ijAMwWGcLa7aZQD7/Tq8iXwf6+/bMEgb8
-> ssh-ed25519 4PzZog 75e7m7A1i4/XjB+b9OozGjKttQ3VzJuoNwKV6z1xYB4
9/czRQ3V/Kb/8p9h3cdiXXbNBECeZfLLEWg8gR+WBE4
-> ssh-ed25519 5Nd93w Kier0iAHycxtmgq9n5Mq/eLR2akqKB2Z/JBA2ACjaE8
HokkZ2jHa7DV6KqODEH5rF+YprwNwBIjLLFGbfXdkrc
-> ssh-ed25519 q8eJgg cFNBrJQ1R4tDi4HTI/1lGEy44cjCDpnUXGYsXQ4daA4
GPJ3fX/AxxhUjvfnAJNREQDEGp/Bz4zvfiTWHD5bwMI
-> ssh-ed25519 KVr8rw hzHh/c9qM7v7eFFpvD/uvCcDD12kSaTabVVA8CKosgI
3bwDd/aWeYWmYf8b2ko4N37XXgTP5LeP98qYXSlaxwM
-> ssh-ed25519 fia1eQ gol262stWS/VMaXgAJNC/VK5QkNb/UHN8X2khm3PHFQ
3eBj1/cUkTSNBGANSYp6S7IvMU+8dKKEtZxqo7kMzxY
-> ssh-ed25519 IzAMqA Z70Jqsw7IR9vk4uLef56F1+YCQtK2YvDC950d+WVNHk
nXqGHPrbh3VS2DMToRKs9FxBsn8PftR6HTkeA2KXRLU
-> ssh-ed25519 uZzB3g Zrc8idjRB+ZPHq9ScsCnXDqipGM83pio/V8mO6YYa0I
JFVQ8V3Jkn8vxklAZzwGpmOcaKUd8QBDFO/+gAyb3Ug
-> ssh-ed25519 Hb0ipQ Yhn/pwNTNmMdW3L2RV2MJECEYRlAzNTYztcA5MfRCjk
S3rkfwU9Nln8WFPSr102lX+H96wnHWVZa6z8upTRgvk
-> ssh-ed25519 IzAMqA 8SVaC/2C2+xmeCP07Mu+/xGFSB1UXrIlVJ/i8YfQXUU
y4mt/hZRuc0+5OXFs3VjYH/Q/nEACAd30YlyUyNzSqw
--- M8Emn3XUVeSu5qTgSbR7/93DjFawmR5iZ2qxQEJ9gd0
zg*õFŒô·ç½xÍ?¬7,¬ò”ïaƒ1'Ü¥ôtmR t[øVFÝl=ç+Mç¸îm᜴ÙÑj;¿Ä”Fy6—O\î<>™Ó¬µ²Òªo=¹UG#%{®ÇÛoæÛ<²Àèi*à,RO;L2Oy¤ðŠð×NŠ”¡`g‰*î$yÄÜR]-õo¼böÑ05Q/ÂXˆýk[dEÕ_…i é’ å­ï+KP8Kÿ


@ -1,21 +1,19 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA bfDBtLa7MSSEgZq6q64mkMwGcra6xtlATR/S9dFN/lI
4un/JaBnt4N3ngrxiTpKl401sFRTJ8OxzSPa1iSwCyA
-> ssh-ed25519 4PzZog sWxeGJic+1kkrMf9DNNAQ/EyxXhXy3QT0t7okQSJiQw
tOEBzods/724JTETOyzmY4DHbMssaQjB3rkLKlG8I9g
-> ssh-ed25519 dA0vRg 87wl9rQyDUMz3Saacc8YdDUqBSMgQEGsDW017ADdwkU
GLPkwXaS1MAi3L9T9NRsRabQ3N+4b0T2q2K7ezGQfG4
-> ssh-ed25519 5Nd93w +O5uYPYYHF1ocJzVLw7sM6BeetboqoOFsI5B1l5lYi0
qgq9suCE/JxRI/1vDqE0DtqTnJ1sNLfTsYheTZPimoU
-> ssh-ed25519 q8eJgg ymbogv1TZLM/yTyyVx6IF6EoWC9eUPYkwfP0mjmmCGg
F5haIRqiWoeJ9ZNk2XriYHJTiUtLq04r9o0c5uS2nWw
-> ssh-ed25519 KVr8rw XcHHH2VwKPrb7Xk3G4nxBfVzqZqQItTRXlm3j15O1zY
Oz4R27q7EeVKoCq5CAui9zQxlr9ESaAC5XkKun2kmKk
-> ssh-ed25519 fia1eQ xC9LxTGN4aLjBwea1lt/J1m1eSJFV/SJtNlLcd/mTX0
JwvVaXTDNslhhsXyAskV4zpJz6g0NhLx7DosrD/b7yM
-> ssh-ed25519 NtlN/A akFElU7sdSYVTmNrji5lAOt6cVzTHprTZaJT+w22HgY
1Xe7+C8SyYhVnoB5FsuSY8mXkpyLpS6FmqVXnceWuMI
-> ssh-ed25519 v2Y09A +ROUvtp1wJt2HmtsB465uVPNxHPuEd254znvk+7VRmA
P8+NmCIY3nGHIBoAVPW/CknO325q5f4lIaNhUUEh0TE
--- LfSoY4IcP9WX5VHX4ECx8E29AMKQzLI5lhCK0Qgy+kU
½ú3x9 LF´'E4“¸RÛ¶8Z±§R%ÖT•…béXÂÛ¼Õ5ጢ1=ñ¡=ÿ¬á‡}lÿ•8LƒŠ¼×ëúªlYºL<C2BA>ÍWÄÉÅfº3¤ú;Ý#/4çcZào± S¦Ô­€~®[+V:2]<6D>»ñÏ?¡äµND[oÑœ]©
-> ssh-ed25519 V1pwNA QUveqW1V2eyNUoLz3VlbU1eoeKqpMhKhM3xidvLzmAc
ONNE8H73iwIqsGOugXQdeH12oro0eAU2qBgIMc6/OS0
-> ssh-ed25519 4PzZog oYUJKbA2TI8onEnEDLBLpRDqXBZlX4Wa5qk/vT165iY
J9LPEQfwudit3Fa7Po4tR+ZGMGJEVAL6QWD8S2pVeXk
-> ssh-ed25519 5Nd93w r3fH+siDMDiuo7MAYUzxpcCk+SM/kY/cL/ndRWn4OhA
zPQrQS9E7narD++03B1ECfz3w7Wtckbk3nC002GkjD0
-> ssh-ed25519 q8eJgg l4ZcaUycpCI4o4NDfsQlsnl/BzS4UKhxSEYKbIclmik
lqT4jCsxhtK2tNNzRIiiZmB5iHFfzMR9w2TayZlTuvs
-> ssh-ed25519 KVr8rw CRuDx3JbAfKvRQ1SyD5whrlw2MpFnlP33YMiClgXvC4
LKZIzgEEjLvKQgDJOZUi6tP9hi/lXehYQyodLOiNrYg
-> ssh-ed25519 fia1eQ uOoglDTy0OlQm+aUqsg3KfPFXynHnJi7d7WStsw7hmQ
Vt214X0k+A+BWzDwbk3JHX9/lOY74bUPVt0CdYUxHHg
-> ssh-ed25519 NtlN/A yAVmup2BnnPIyRVQD4+e3Fh0RTfc6mJZRLKTPV69AHw
dEAj8GqDaIMq84hU5DHEQsba5d7Fvp71xaMVQfMD6CQ
-> ssh-ed25519 v2Y09A 5rxrWgwLfUKqbWIyPzODXJiFSCPYB+Xlchj+9wF2RTg
x9qWFO8KJ6R2EUqbdkFVFYMs7nHelnqZ9XF4bZ6bx8k
--- XvVzqiGGv9j443pVSwh9lZYRjgSuUn98bICJichEzhY
åõ×/—"cÅR"_`QSÚÂéy­p)öê<C3B6>¯¼» z¼ÔeNÆîójúÉTéõc:9%I™ùƒ÷ }$~Û¢<C39B>RW`0Qä'©XÕÍûVJƒ[@VÛ]$,‚¢ÁžˆËÀѱô[?òuwK½»!à¼Ì¹÷ÔÿáÌuBâç:) ·æÁ‡Ý<E280A1>Ñâi


@ -1,26 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA P8uCL9OgS5BrRWrGEFOSqvO4KsGc3Y3q02OL4sFBQCg
XuuBTNDWEkcDzcO/aFgh7d3XhRmj/8maHx2U6l4KOgc
-> ssh-ed25519 4PzZog 20A9EEcTrw/ZJjkvawiiUqHmMaNmwuP72VErLL8Z3B8
w2Pl4/J0+MI07Blk3rRLAULbxMbFNLQpZkdJPhnoTK8
-> ssh-ed25519 dA0vRg jn2VA10+qrRAktjhSARaE+MAS5HsHsoIZfc1/ao/mV8
3ahsWtZ8/Bb3tpQnLSyEPFHeW7dsX9uEaLZbJ200u7E
-> ssh-ed25519 5Nd93w WKXWwcQBExcz6niKqBYT3JcL8EHfY2VeYfnTIEtEfGs
gzJOdp1j4QX3bWDzJgBig4/vDxlRRQl+jsGmcp95drE
-> ssh-ed25519 q8eJgg I1J3jOc15TsBijQW8/DZbRETY+233V81vPLKfGI0ji0
SLtoYZ+8T72c+FWAi8dz57VJ8wweJY737AKPF0PQEtE
-> ssh-ed25519 KVr8rw CQZs4smVwaFAaFbLeyTFi/IaJyle199te4X8Zq0AfjA
/74zAyuwEmB1KcGBZK4QGgwShhqxOcEQ5wlpmtAT7Xw
-> ssh-ed25519 fia1eQ CkkfDdt9iAaUxUZt+aD+VDMPUcMegomtFiR6CCux/UY
WQcE9ck0HuSXYCWqsy6NOXAHOlE4VIRUkgz/i+7AVQE
-> ssh-ed25519 IzAMqA 2pbs+DJzOw4rgM80o0lUFzIgdMN/X0/7wrUh/OAxykA
291gUsUfOEEsf9o/qVoVI3s3gHmPK400NCEmpxNsefw
-> ssh-ed25519 uZzB3g YP3htz8c1QJzFyAyGopjelQCKPyTx0SOOTVEL/uTK1I
iupAfrSbl5ybwi9Le655pU3Kw+KKndFZI9M+AlSrBWk
-> ssh-ed25519 Hb0ipQ odISOFTymnTj8TnenWHMHeU0Qh4OSGYFy6vJUieehhE
G+Jje+2S+l9bSnKKrwGV5V2xLczDDPFXlZ8MsrL6jHs
-> ssh-ed25519 IzAMqA HIG1qsEisRUws33TxC8yGSrITlwDxuL/RIL6lkdjwUk
IWMnSXxQzv8cAQKNmiY/+hRb86aAuFloQk9WFFcCSWY
--- UK7VzqqXFlN+IVB2hl81+7o1d1NjbFNY7tYRbTvnKmo
(¬ÎmyHC´©|B¶,ì#<23> ûkWsI{KæöµHfŽÆâ¡Å4µF<C2B5>â,zXúá‡vÌ
W1Ú!þ*Ë{BëÝ)R°°eGžK«¥=@Q>üBžšÇœeL6œ°†÷D( °GNà $„²=òA—“_‡¹ÃñY!Û÷½0tGãqŒ¤<Z
-> ssh-ed25519 V1pwNA 69RgNRqfd9pSNuJMr88rzFViy/xYScupvNucY4jOARE
KeTB7nbTiKxS7Bl1UPZ7IoL6XlTKxuEDIaUiZyjrsx4
-> ssh-ed25519 4PzZog R4dDARo9QpqRG9qKjr2ytkpJYGq/822XdiLEBDFOMk8
N8WWraxJ0HLAgeFM0b5BPeRB1VIP5paWO12Pgruh9x4
-> ssh-ed25519 5Nd93w VboljaSRjajrkCp1ilMC6qvDv3+ROE670Hs1iNFKRXo
zUXXzywu/SwRrqmQtNeiq0hoayNDuW18EJuRZY07Z6A
-> ssh-ed25519 q8eJgg VqbE/b/ddDfl4ShxeW3Id3vjXVJBP1KZKnJVUJsElws
y7uUlFXj1UlKnQxs0Xkixv4uLU9xRZXktmY2nID/AFE
-> ssh-ed25519 KVr8rw dCG//gX7lz0frI48guiFNm9TvuoAJ1B9/Q/o4FQiWGo
wZ+QWN+0YK6DXHCtmdxtBDmtkHtNfOBrKac3ADIxK/U
-> ssh-ed25519 fia1eQ 1s5iHrqZ/7TdhC1vU7qwO2Cgr9W1EQRdBwXEm7U+XmU
O8HYon1a/hcQyjEQkjL+uVIvD2aR90k+Ro830hy7QfI
-> ssh-ed25519 IzAMqA IY4TEBaim4AtxO4N+YJApvUlDifcJkcIrH02bUP20yU
lQzfhUpnEuQdBep1ZKxdzZ6kIyP2g/BlJG1WxL8SiJw
-> ssh-ed25519 uZzB3g z/mf484FBG7MNOnAV0iGksnv+NnuEzzfcCRl7UFosjM
a6fCYyU/6Rq3eKXecch64GJQ/a6bVNd5TJYu4SmUgf4
-> ssh-ed25519 Hb0ipQ rTavA3BBHDOm1oBTOAeB/E/ZfOumL82FFHbqk1c3rlM
VBPFpsqo+j6uhTwaXZtuPvzG/JNo0cS90Av1GfAsYnI
-> ssh-ed25519 IzAMqA xGKLZbl6ErNlp9zH56mnN4cL/YlNakt1qFWqKhOJaxY
iju55ngxSk4IptEnRZ5435ocDloskNIENnkYGbR151I
--- ypGNmAjP0+RusrsXWCdDwWXJiqO6b1gnnzSyLGcQHLo
¶÷ÎO¨¬´˜÷MˆžïhÖÆœçIt^þ=Ô½5ÒÎãìõ´!ø±1 ¢ÂŽo†-4+ ^¥à<C2A5>†7Ê-<>{•¡ìmªôÞK†ž{T"ã…íìjdç/.  ¾M°ËÍbïä€T{Óˆüy†Æ(*ê¢yBž¦ó˃ÀUoßû1´Ã¦


@ -1,22 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA +pIQ+0uvquBBU5ZNQfiiUopQ/iodoDSPDsWNACANpkc
7ARm2csFT/lYYcck312gn+qFem6cSiHi1uzjd5uTSEM
-> ssh-ed25519 4PzZog Ow4kjpBSlYqqOUnwyXfpuyVVG4V90AO+Ufg3urhbZTA
pqhJZHZjFCj9O2qKFJEesyw3QZ0KdtKM9aabt0qqyqY
-> ssh-ed25519 dA0vRg LYcB23Z1a8veGkdyjVcrfLfpnRbeSYLLIwbqFkfkOwY
FgXSEffN3aa8p7mdbUg4ju05A6w7sgu9TEVZCuLg9H8
-> ssh-ed25519 5Nd93w +YYFQk5KWGpSB9Yd+RlfGBfuaJ4e4KoN+x6QOI8yLyU
4aDGQeg+qhWKbb8aIp/M931zbpFjvqUVDQr5luzKetI
-> ssh-ed25519 q8eJgg OIX7xsmQUWnkTYeLMsLA041xszFNmSNu/dsdys5sLEg
kGh+aDF0EcCsrTd3eHIvHcp6Zz+n114Nve+iA9dJNFw
-> ssh-ed25519 KVr8rw XlcnAJI30iJMH1Xi2DEMNUJWBaqaunFQUUqjKU8Goms
/zFGkNR5S+8cBcmnjlSVOP3sih4Xm4E5GtRpkG3fbWw
-> ssh-ed25519 fia1eQ 1vb0ZzbLFiCWD/bEEQ+7ZqLOJpcNZA1v6fmBNMml9UA
/XFV734jcIrJCtwY63MgRcN3pyhGRmdE5WAhzCTrZlo
-> ssh-ed25519 CqOTGQ oQFa2N/oo1mnS0d2Hn7sTr4XiKMm+AAANvTB3q+Cn1M
bBBOtb6zNevJiBU/PB3dE5TjaBzs5y6SAl1MOADwFqE
-> ssh-ed25519 uZzB3g EtRrpCF2zNXG+Ap6orXxKCpgdp6OGBA20zT7iZMjfG4
ZsxKfYW/2q6lnm+IuSANPHOuor3GxJNGtzD9lBT2Dlc
--- b+97Pc+Bh2lwkQ2OhlfGtpT05lzwBbmNxYy7TxkQvaA
«b0Üa§ˆ{ú|²-{ƒL
Û3<iˆÄËœ·s£¯ôö¿UL]Õ¥ŠuÓëÔkÐG<74>¸ë<>GW»8´p


@ -1,21 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA ccCI3dQxsa2ZCh0ZvVuZyVlGhbmDGZhpP/1ZOo4h0n4
sZVa+SmOKofbQqLoccCVCucubBDZ+M6JjP7mYD1sPdo
-> ssh-ed25519 4PzZog vUYse3RgWUEHV5WpaTooXTGRlZrPN9Rv5kgpDQF5bzI
4CXVFUyCBNNfNFtpNX85QbvypvGhqmqv8cZFxse8qY8
-> ssh-ed25519 dA0vRg fjBLqSO3lOAkFjIUf3cw9KcS6GiI3XHygzLqHZ8HWCI
r51K0Qn5CQ6bWjPMsbbx7GcZBFkfznlwUeAT7k48bTY
-> ssh-ed25519 5Nd93w lm/dILoCnula6pjMSU36exugjaDUQdMyXu9J8o9aAGU
XKNybvPiP8p8ekJOYoYyQe0weZNvCKxHyRierqtOA/0
-> ssh-ed25519 q8eJgg kzY4FBRimHWOxBC40TOLbAXHjgeXoRrJNaVHzCIihCs
hL2sddOfuVpW0aR0IXUwlBnhUixpwtm2nN8ZLFwnKxY
-> ssh-ed25519 KVr8rw nvbIH2FLP+1apZMSQbUmGvG9A7+8eRgH8aILlWtePBg
SJY3KmiPUHLjiPB92jW20RxzlHgie0cNyAmWbxn86Ck
-> ssh-ed25519 fia1eQ gSgrywCP2+DAokxgLSRjh7g8kxqYMLyxXCpO1JyNOyk
vDFj0SVUJZ2+aTWrinJQNq7VCmZME0fc9A7SgPgttjQ
-> ssh-ed25519 CqOTGQ Vh2iFaSEnJMD1Lg4PpNCnU5zF26t2yq6CjM1Fw1Xej0
qFA7MEM82zAdKcdVBxmixpWXqQRbYYtUgYgvv+5Qr64
-> ssh-ed25519 uZzB3g OHlq5XFNupblTEbMi3jaf/LqvFCkD8Ni0ya5j5b2m3I
wamah1nxgBUQUkIEFXHuG9O5DvB9HnyaFqxsREM+T4w
--- FPKedvAzPcmXhVexIy1UpwSfwKCsdyfTxcl/AFagFt8
"êò[ôV!hòŒÈ|˜*¡aÙ®ä{4ðêÜtŠãG|ûŽ}=Ž/Æiäb>?à¼ÛL"ùÛLjj£e×-±ã’¤·˜:<3A> øþö±


@ -1,20 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA 51Y21teSJryE0zPWFftIdmaw+ajp7Fom8Xoc5EnZWBs
iDvtT3UwjuPf8MRwxnxKGbfGPg7y24JQWcm/WjOP3qQ
-> ssh-ed25519 4PzZog qZgoJXZsAfqAXKnIsktzB5nl00eErrn0hjevF9pcu1U
xUYDshqLKabFlmW4QRo+OewDFHFFuvLONaJnx5jbBQM
-> ssh-ed25519 dA0vRg sWKzaacPSC6AnLXWKPBT5etAHGqtzzse6UVsIIC/6yw
l1TZMSwnz6e6w6UZgPEOzG29DMCF9InQ5dK1H9XuPAA
-> ssh-ed25519 5Nd93w EgPejsyAUBLjgPwQmSH6KVjgNrFA7Y2UiKuAUjjqpxM
mUypoPJQJx49NDQ9esdzAi0KbfwcjQXGXa7IPB9T/SA
-> ssh-ed25519 q8eJgg EZgoUSh7Cjs4/VeGw8N7dEGaFcqA6FbdKfdTirlQfBM
wL5BVBG4lVJuj/3wkBy7Y/PMXDU9SvKSNmh7KVw1rHk
-> ssh-ed25519 KVr8rw E9d6+qCeB8S4ZWOzbXfNRgrYfKy2qfYj6ZT9cMfFAWk
GtNuM3DBYy5TyFZ3aw97BjRiIrSBkZ/g5p3QRMNhP/c
-> ssh-ed25519 fia1eQ Z1QtqqvvSEGVbJJSxU+8MizwWlDtoiT/V66Hoxw3Mjg
dKBCDtW+PfFKRkvAHh6oNNp1rHvfBXtpgIvOlxFs3Zk
-> ssh-ed25519 uZzB3g XqKGXqaeUiGOnvASUbdcB5BDTCRNrN7uqUO545F9zxs
Whs8NFVFoUZ7wY5FKKd3kplc8bVIudvxUUyZ0AzeXeM
--- S9gM1mjnuKGKAmZazNYfjNUAoQfqMmOUYCTxAvj1W8M
¾ÞéXÌý¤èòMVù³)޳Ï=3xÐû¿ø™ï<E284A2>ݶ?¿þ,yïn!#'—wƒˆÎÈÀý»ÑËhJF£h#Ék õ³p=9_X8†º(ÐÛÀ»lN þ´5Ã@ïÖŽ”nÖÕÀûäQ¥âŽÛ€
žè SLOÎLúuoÙ ³Â<õé¢Hdoª‘€·„Ô+1)i¥>âcÊ
-> ssh-ed25519 V1pwNA nvvDGnr/WMta+0XVEnUlmg8KV3mO+5zX9ZlFQZQS1Bg
YyVLxI+TxfXXsncaIyi9Su6tzh5KLTbHxHxbWhplXXw
-> ssh-ed25519 4PzZog zuxuhtcAiEhrr28adZrFPK5Z4399/8gbf8aWoAtI7HU
vR/0DkXhUQmbfdzMBVAFDd1S/87DDpg9v0gyZDVv2UY
-> ssh-ed25519 5Nd93w CUTmUrZomxIY6wwemYIwaIBO9CFSPrcQaIWs1tUdMm8
btVGPdTgvyxqd4rYiuIXLGJcQoF45g1hx5OnTHQgCrg
-> ssh-ed25519 q8eJgg wKjpIAXn+5FAC09yengwsJmAgPVY4BSNOkzC6bdZUBM
LUifpX/UNLC0ge/ApqC0VZ6NWwug865Gtp5t2/Fbijw
-> ssh-ed25519 KVr8rw 0YwXdULrmM1CaWqe4ppSvn3rI4qaHpjVFxZLtE/jFiY
GXxdfK6NU0M0tBf9Txl9M7SzUEkAoDJ6VhGQuQtDRCg
-> ssh-ed25519 fia1eQ BoAjwSD4dQG+35NLGjPwYcENbtkukIoEVxo23A3mukE
1YAgdZedWip4daImkXA1UnHJNGu5LBF5g8t4FotjiTg
-> ssh-ed25519 uZzB3g g/yGqYocU7fg27BOj75yUgFYHfYhLg5iOA490U7xpUY
huOnWVaBT71Li8CO/NialjSzBC0jscJIE7Vddc34Aes
--- 9iDIOye0Eass4rxrC2ZcfxXu09TG0F5SQoMAi7VOsfg
õm§Od¹åŒ½xõà·o#Ï5i‰¯¢;ËYóÔÜ:>†,n,³¤}K{½)œi¨XêÜU”jvS?jú(ªr@'ó†<C3B3>sç@ö çáLQ…ç<E280A6>ÅÞC^ý¯w<77>€XœólqŠcÑOÀ«ÆP¾Ñ<C2BE>Mnç_<C3A7>jÚÁÅÍ<L<…C+¦œå\Yü ëÜû$Ì3<C38C>|r”ÿN€x<E282AC>2A¹¿~


@ -1,20 +1,19 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA dsOtBJUn6+a38WgFDm8J62eBkRFVA2V3z9EumXQ9FVs
ToePf5brr6F+Ao4DFPKxTCY1kZw5TSIpbuvTvqpu78Y
-> ssh-ed25519 4PzZog 3Rks8tAW0P9WaOi4Dgdbpm8Upj3bQlDkbZAJ7D7AnUU
HLhSEl9WDEFiLKEzynpC/kysCdOhRnXQm/DxaygKwN0
-> ssh-ed25519 dA0vRg ygOBHsBElk5nJ0CCVI+DXAFThq4fCbt4UHOZ5fnenkk
5tJzdOr7v8qnaJNv+9WZhVSHOfS+yAOxg9Sg31TX7nA
-> ssh-ed25519 5Nd93w j8CYiVH5FZ+YPm958H7+VDUIIWtaRsZOsCAvwgPVTSI
zX2gZP/T3//1LYEM0O4TadZD0SYM8dMtf3YI0mvuwSg
-> ssh-ed25519 q8eJgg 6oWoMHjAFcdeU/ALoGK+bd1+yRfIUg7jbmMNEnhpSBk
YOi+4vi7OKIitbFjtIGJ+51SVjSZaMZ7N1ynSkbh6Lw
-> ssh-ed25519 KVr8rw NWEJ+KDDjNBrdkvzqvOG3az41Q/IyQKC8cDcv5n0Tlk
iloODu5Ujy1njkSCzjyRxiL5TMuKhug0UpN+E1rl/vU
-> ssh-ed25519 fia1eQ RRJmQ0o4s6AswuikJz8BKMUn97ed5hfgtf6lnAjG3CY
xf4ksZBi9bYw9X0rU10Lt0HoLxltyv58/p8uUybqIxQ
-> ssh-ed25519 uZzB3g vZpgv4Hdd4/WyB4fDe8RFnEAkZRVFK+YCVAe2UXrJ2g
qS8MSV3fSZpoQQe0YsT7xX14iBUbAeKU6YdGU/ty4wo
--- kNv1eRCjPwaTN8iPDThyUQwrrt62awoGeLY+ZqaAbYc
ŒÓêu_øA·¦^çÒ‰ žÍٶνdWu>!˜·Á7ÄÒ¼²ub§À|,%áé¥ÉÅ+gã/ÏëiøùrgYµ£ ¾á#¿2UЄ HkˆÏnôû'ETÇYì(D:®,CU_¯yÇRöc²<63>Oü*­ “•É
½|gL€ âÚ0ÆÁþé 2 Ž…éô/)s•<Ùq‡·U
-> ssh-ed25519 V1pwNA 9M7GmhZKBWIG3aKDhybPf3j9L4lhTrGG9aGpV7dRKy8
BfUZCdKn6rZGgHMf3475lgPqJamnm2W0tPkPctZHqyk
-> ssh-ed25519 4PzZog ijLfuYQCg2bofPXdcj+2wo4yar/Rcocw4e69nO/Kuyk
H8/Un3MCa/u+WvWUIl1L0W6agAC7qMm6XyRslDy/4SE
-> ssh-ed25519 5Nd93w ti92GZohdr4Yr2ezaLt4iJJaBeu6xfe3cU8YUvW0vH0
NFm7YCcsy+X3OykCrBcO5/83qVojV2JacoSSdR1ctaw
-> ssh-ed25519 q8eJgg PvJPouqT8s+EeBv+SZUsfVXk6VY4R+o8SktSyDdxvHE
kGVDmEqA2kKGwmtK6Ue/rq8rmOUIdrF7tvZI4qjCuoc
-> ssh-ed25519 KVr8rw iQOHwjOQgTHEnn63/GBv9mRS5DZMouNK6ssawJIomGU
5wrSu/IlWpOWQ5WW0Ii0JhgWfY2qDRTT2dIayJWfPPQ
-> ssh-ed25519 fia1eQ ORWzCW6WqJttUok3KIJOJuR2a3mvJRD6EqJMDhaTHi4
cO4hefRRmCNJT/5ShZ5G68JR5nNqsjIuCsMm9ymWW84
-> ssh-ed25519 uZzB3g tlXiwBwJtKqA8xIJpUtS3/3R0loyD2uYI57P7HzcwXs
8Y1cOMDwGTPIUOKSZpx8ngab7dgtTRzvTb3r87x6Um8
--- KZjYtWrcPBYnbBRRzKuyOr1IUvEdd+XggCg3rzPLKX8
l˜M ¯Ô0Æ4a¨Ÿ”À'h^<03>³žš®°<C2AE>ž/ðìé!©óÖ<C3B3>{D#]Ô”îõ¶û Ž ø;úqax×&¼ÉÑ1®(zwí"6<>YÕa±¿Ôìv:©Àوʲß<C2B2>ÔÙOvc•
Ë8<EFBFBD>¦ÉdjbA€º¢µ
\·øOž>ðä=Gÿò¾œYQçóñ¬ÅÙ 


@ -1,19 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA wg5YKE7/sMO2/uHVH21A5Ezp5jTGyWICQE0hjgdOPFI
0BdMLvNfdkdawh6+binpY5cP3+SUih9GqXqGRjIMuPU
-> ssh-ed25519 4PzZog ig5HQ0wsF9mdSplrAA+k47YEnLKXxsq0mbLSBcuhLz8
j7lejLu7Nm7rscsILqxJ7c2CTV52a8auuzRfuyT8tyc
-> ssh-ed25519 dA0vRg A3FTxSbl06XeRXwqtSEdp8zrbNRrYEhIzxggBa87yFw
MDLSG1m3Ss7mRB1D18VL1XzEPJqUJTay2BCgRrR2MTk
-> ssh-ed25519 5Nd93w 7FA1lC5wmw07jEoTAJteqj25VU9LgpS4aS+UDhfJ3Us
ss6DD0KevDM1MWr9ZtUi/ZwvRi6KxAHUvQoQlhDvhso
-> ssh-ed25519 q8eJgg tynydC/TKwdRGYYFhkOUeBSQhbReny5WqFiksVBfhik
uuvgLJZGfeCIudTGb/E91YUWtMuX4Q4+dP/ixM5ppr0
-> ssh-ed25519 KVr8rw 0PrEzDMMr5NRKLPwh5FUdsK+IgmmOaR+vsjkRlaPaW0
12tS3tR3BAEBTVQunX//RAXefZ+b422Q2uaDViMPcmw
-> ssh-ed25519 fia1eQ Phy3mMJqUjc+np7zDI0UVeHEMF9aDJGBKQGeNDWWcC8
/B5W/0j5Ziq/ToQKswSHyLaVw7cl5DyQ0PhhQK8MnkI
-> ssh-ed25519 IpLDOw g8f5bCJc2CSqqNi5ZbzykknpsWFEffdEjT+ZxHkUZ3g
sSfMc85BkNYiDO7JKm3yzK+dA94qry15c/GyZx4sTLE
--- iE3MElTwsLIYXZDjxLu2iz9LU/NieS1hbcuFfMn1erk
<EFBFBD>?×øQµ°ø1é˜uL×L*›ç;ï)°ƒ!EðªÑk³.qLÚ† Š¢hF±Õ<ìÖ<íöHÌòfuQIÁ<49>ŒÙ2EǘÀ4
-> ssh-ed25519 V1pwNA LAEKkf1x39PdLIH97OJtIJfTZX1M6gT8No8qqTYPA3c
2iOWDr+BbDIaTz58B7AzN4NWT7RwSb7XkuiVJ57B1j0
-> ssh-ed25519 4PzZog Cw8kkkTDezUXzQ2gphOAv2jSDKVoERI99A6tytjwv3c
hYNdr4UWSlrn2PwFCBlI0IW3tQClDWcbuNjdAwoteho
-> ssh-ed25519 5Nd93w Pe1qtfWj87qtN6DWuBiB5NoBLI+aSfSgHoq421na720
7kb4ChNHhvfp7hM9wd4OZWUlm51cE7/RR3IFdomw12g
-> ssh-ed25519 q8eJgg p9LYkhCE37NkSDxV/as4eM7UiiITWcK0GIsXitD0Vi0
T0m6EuQ5oa7EU4X4Dx+BWyGKH+zm8A28QQUvwiaNPmc
-> ssh-ed25519 KVr8rw XuxmoWmw07yr9Tqi61RMvuwf6oYIVbJUhfT+FgBwgEg
Hzym4T2/f/6A/UYTdIbBavj3hrq3sGCNO7mwewS/mg8
-> ssh-ed25519 fia1eQ f2XQkWEUmk0n9DtS7vhZt9o3+aPtgiwro8Eu9mcnvmk
/43wuhInhHfSPcFziObogHjyZy6qXr7X1jAPTMzulJI
-> ssh-ed25519 IzAMqA eqAgjVRof9nHZiYzY0m5MRlEzy0LBXxb/yi11K29kkQ
wS86BxKIoT9ZOW1n8Xo6GomhOlRztBp7DpQNv/s9PRs
--- axgiJ8IqNurtt+4iAL6j3mRLi73NnjoG5+TMeIKwjI0
Ô 9ÓŠö†âF­Û„XþX_î(ÝŠ.Œc{<02>¼~™ègÍ}<7D>S¬<>à"92K¬J4„s4×u#1 Äæ~ÚëRX/@°K8~áBö


@ -1,27 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA U0WP4K92oRNJ1Dz7siaR+8IcCuKO+diy9VhnuyMQ3w8
Ral58VncypJzKyBweTNDn0uyFfmqbVBsZAgsxd16I8s
-> ssh-ed25519 4PzZog ADJzfpJ3mw+42CriE25RkMq49zMrkaQM+mYO450fDBo
lkz7JlpkgOOg/clVAOJ3BBnSmo84u+hxHAqxgj4VfgQ
-> ssh-ed25519 dA0vRg TbBXDcY0qSdQ8X+CsumrUV8DATgyjybFmMSr7vKcvEQ
VA0TrtKta0ObYcXio/usanpsD/cAtS/FSd6IcOLYzaQ
-> ssh-ed25519 5Nd93w dFpBpeouKn6S84QDP3mvQmecCnGO1DbEFRf4IgnsHjc
9xoxDilLBwS1QxXnXk2CUaoyQs8udAZJqbgwMpj5ivI
-> ssh-ed25519 q8eJgg 7bSXg/HPIYoAMK/aLs+IrN9Y9BEPUyTsIo3PLEmH4yk
l0Pe13zucVpLKDE9LnBtQMkdQQuAbR/hCYhjmji6xHo
-> ssh-ed25519 KVr8rw cDXOR2vdFmc8V0cDFzJd+7024ez99Th7v+i/7aK6Zwg
av5jiCaB5Q4Pa6Jbmeyx7RFwrj/qkmIN+BC7d8IMP+g
-> ssh-ed25519 fia1eQ 1VFDFHIJ58+ybs3uUVIXHMpOCweDRBH1h/9b/qfUc1Y
W74hrPdMJ8sriTxN7FMoGkY22Ba3uq8DB+H1Rb4AGII
-> ssh-ed25519 IzAMqA pIdk0fdfM7FZB/TTA9EN38qzBxVO1IMgDSi03tpJR3s
f4UURtxj2/YnmepYeoiFeSVwsWo4u/YYZzPZr+vybVY
-> ssh-ed25519 uZzB3g JhwS814323gjfUA4JxkPFuBfNppmI5N4sN2bLxOXTVY
Up6477aZtVmbVV0s+dAafQZm1Fk4L3zA5nGG/JOMnX8
-> ssh-ed25519 Hb0ipQ 7eBD6LAaLzBep1Ihw5ElMkeT8lYTeaQJGoYlsN6AVm8
9QLQ1Uja0PfiQdpnB4ykW8GAXdzDZUfertdRB1V/+/Q
-> ssh-ed25519 IzAMqA TPkc8WaH/jYOcTvFD43lwQR6fgnJ9bLdMJI5ns49hX0
FoUbMUqIfkiFxk8YqwHmeVb5/k7H+0EJcFDzNZoPs8s
--- Rfu7lKgz3e8yBtCwf1rlh2lH5pMTtBeCAR2HtL8Lehw
X_¶ÇÈ™æb­p®9eŠ ™+ÖKÛ¬£‚‰OåÛp™
… 8ºputJâ†[W<>ÉÑÃã±â:ç§þ
™¯\SW½zuœ<33>cÙç&`­JþT˜öõÈX®ÝòR†ýÓKÃ8ͳu8[º¶SK`¡[3?hç§T7at<61>Lç1|õH<E28094>`nÛ¡á;ü¸i­2
-> ssh-ed25519 V1pwNA 87SmLeH/I1VzLSj65xOuPZsPDnVl9xliQ5/CVijnYmM
2RNAdkwpR7AHsYrh4/NnANF5oNa6NnKF2TvqiuMrxAA
-> ssh-ed25519 4PzZog BUlnW06UQsJzwcQ3Jtca5Mzgj+iFUunwhisvtIYlv2g
8zGP78Pcw7Sx2mCWAEBf/v8vH3PXqqQ5GmBXvLQN0jk
-> ssh-ed25519 5Nd93w 985aPULvm7eHx4VACN0MU9tkZvuhEGfTse5rCILxCWE
kX2GxHAC1XJe837p6kJtaqnESrNQZgBOnw47zE7enf4
-> ssh-ed25519 q8eJgg J4Gdo5cacvP19ZyUFSsIQdy6imX6oJDrBIH2nLUC4D4
d4VhUAvqAyIAYKJjNPg5rsM7GifGQo+nl1+Oyvk7tsQ
-> ssh-ed25519 KVr8rw cmAn4m7om7xJ8ByH1mWE9sG4NZVOOENZYuqh8yly7CM
qgZjhu1fvNbDgbF3xFMqVI0klgZOZ0gEuXU/dq7ZziA
-> ssh-ed25519 fia1eQ xTLCJGaocQf99+Fl6FHXu6hOXLmq2i8aFDoS7RevYV4
K4JxlKPHjUfQZj9LnVXAryWln2c10lZhrpt4ALCF6k4
-> ssh-ed25519 IzAMqA VCMeNgMAgywehKU6Fvh9O0nXHWSFD2PkNM8++ZqWYB8
uCnmYYPiuKt22eplH3Ms0LzBynU1JqMjWDDx9Zep2Q0
-> ssh-ed25519 uZzB3g OIeb65JzQmV+GPw1RxBYEKrWBovyqD+yUNkvD5ey7Ds
7RlSzUGmwcuV+NwwOIJ1dAsiBk48lD3vbsnq7U/xJks
-> ssh-ed25519 Hb0ipQ s5bT1+VXT8ySjSTCoD6dDqc+cU49SDv1AgUIKmaKcno
oa+M7RQq31nzSccRUdEw1NuHQo4xHaSva6CaIBgz9V8
-> ssh-ed25519 IzAMqA hvFsxUBn484Uga9+JGPDxsjhZBhmNGlLXn/jX2BxwA4
pSdMVOfWttPbioa0Pkl2eSjE+TpocHu5+/l0f8IoOFA
--- B28xN6XA1WfkiAYzDCfdKMxbosPv9ad0V/NFX3KeJNw
Œí»X˜1«š*ÖHk—,ïÐè2>è<ÑþÄfŽiP# Ù3<E28098>ç³h<ßM±RD¥ASe†ö!2`­Ž£?¿ª0µF¼÷='à<>¿ŧ¦øCëõñr<C3B1>¾@ÒêXvƘî{Ç"+s[Ûî­š€‹Ÿ¥65CÚÎx§¡xr°]™Ÿdê3_ä™1J7áÆÚ”¹½Àµº


@ -1,7 +1,6 @@
let
admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin";
silver_laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWfVKls31yK1aZeAu5mCE+xycI9Kt3Xoj+gfvEonDg silver@helios";
silver_laptop_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOmm4CCnpT+tF7vecSrku0+7aDA1z3pQ+PDqZvoCynCR silver@aether";
silver_laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWfVKls31yK1aZeAu5mCE+xycI9Kt3Xoj+gfvEonDg NixOS Laptop";
silver_desktop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN34yTh0nk7HAz8id5Z/wiIX3H7ptleDyXy5bfbemico Desktop";
thenobrainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer";
eliza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJaVEGPDxG/0gbYJovPB+tiODgBDUABlgc1OokmF3WA eliza-skynet";
@ -10,7 +9,6 @@ let
users = [
admin
silver_laptop
silver_laptop_2
silver_desktop
thenobrainer
eliza
@ -21,8 +19,9 @@ let
vendetta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvcxiSYE38V1IopHj7Z7ZWP1IqnskYCdhj8yCQohVUM root@vendetta";
vigil = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDsz1bjNAThqwF48dKIJGOECsCKHTj/Gn5Gh9XyzoSO root@vigil";
galatea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3Mke5YtaMkLvXJxJ3y7YAIEBesoJk3qJyJsnoLUWgW root@galatea";
optimus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqYbbWy3WWtxvD96Hx+RfTx7fJPPirIEa5bOvUILi9r root@optimus";
glados = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6go7ScvOga9vYqC5HglPfh2Nu8wQTpEKpvIZuMAZom root@glados";
wheatly = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPlgCGtyvd3xwYg9ZNyjTJNB/LvUSJO01SzN8PGcDLP root@wheatly";
wheatly = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEehcrWqZbTr4+do1ONE9Il/SayP0xXMvhozm845tonN root@wheatly";
kitt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPble6JA2O/Wwv0Fztl/kiV0qj+QMjS+jTTj1Sz8k9xK root@kitt";
gir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINL2qk/e0QBqpTQ2xDjF7Cv4c92jJ53jW2fuu88hAF/u root@gir";
neuromancer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFAs6lBJSUBRhtZO3zGKhEIlWvqnHFGAQuQ//9FdAn6 root@neuromancer";
@ -31,9 +30,6 @@ let
cadie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACcwg27wzzFVvzuTytcnzRmCfGkhULwlHJA/3BeVtgf root@cadie";
marvin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAme2vuVpGYX4La/JtXm3zunsWNDP+SlGmBk/pWmYkH root@marvin";
calculon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsmeBfh4Jw2GOL7Iyswzn4TVNzalDbxDgh7WuQotFxR root@calculon";
ariia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF/x7Zsp9jqxXxxRGLq7ng4HaiZ9o043Bwy4TFPXSs5S root@ariia";
optimus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFv0Hb4qfzXUll+Hct1NQOE0bCf0MpE24Cqskd8vAFyj root@optimus";
bumblebee = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINF31tsOZTEpPFCu4wZvJjxxvgFhRpxvo9SKyDMNWHZu root@bumblebee";
systems = [
agentjones
@ -41,7 +37,6 @@ let
vigil
galatea
optimus
bumblebee
glados
wheatly
kitt
@ -52,7 +47,6 @@ let
cadie
marvin
calculon
ariia
];
dns = [
@ -77,13 +71,33 @@ let
gitlab_runners = [
wheatly
glados
];
grafana = [
ariia
kitt
];
# these need dns stuff
webservers =
[
# ULFM
galatea
# Games
optimus
# skynet is a webserver for users
skynet
# our offical server
earth
# nix
calculon
]
# ldap servers are web facing
++ ldap
++ gitlab
++ nextcloud;
restic = [
neuromancer
];
@ -100,8 +114,8 @@ let
kitt
];
sso = [
kitt
nuked = [
optimus
];
in {
# nix run github:ryantm/agenix -- -e secret1.age
@ -122,10 +136,6 @@ in {
"gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners;
"gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
"forgejo/runners/token1.age".publicKeys = users ++ gitlab_runners;
"forgejo/runners/token2.age".publicKeys = users ++ gitlab_runners;
"forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners;
# for ldap
"ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden;
# for use connectring to teh ldap
@ -134,9 +144,11 @@ in {
# everyone has access to this
"backup/restic.age".publicKeys = users ++ systems;
"backup/restic_pw.age".publicKeys = users ++ restic;
"backup/nuked.age".publicKeys = users ++ nuked;
# discord bot and discord
"discord/token1.age".publicKeys = users ++ discord;
"discord/ldap.age".publicKeys = users ++ ldap ++ discord;
"discord/token.age".publicKeys = users ++ discord;
# email stuff
"email/details.age".publicKeys = users ++ ldap ++ discord;
@ -152,9 +164,6 @@ in {
"bitwarden/secret.age".publicKeys = users ++ bitwarden;
"bitwarden/details.age".publicKeys = users ++ bitwarden;
# Keycloak/sso
"keycloak/pw.age".publicKeys = users ++ sso;
# grafana
"grafana/pw.age".publicKeys = users ++ grafana;
}
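Review bot: Removing a key from `users`/`systems` or dropping a secret entry (the rendered diff appears to drop silver_laptop_2, ariia, bumblebee, the previous optimus and wheatly keys, and the keycloak, grafana and forgejo runner entries) does not revoke what those keys could already decrypt, because the previous `.age` ciphertexts in the sections above stay in git history and remain readable by the removed keys. Re-encrypting only protects edits made from now on, so each secret whose `publicKeys` set shrank here should be rotated at its source once this merges, and the deleted runner token and SSH key revoked on the forge side rather than only deleted from the repo. A comment above the `users` list would make this explicit for the next rekey, e.g. `# dropping a recipient here only re-encrypts going forward; rotate the secret itself to revoke access`. The `let` bindings are split across several hunks, so some membership changes may be outside the visible lines.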
