flakes
parent
5f8cc2f9ba
commit
26747bd639
2
.envrc
2
.envrc
@ -1,5 +1,3 @@
|
||||
export PASSWORD_STORE_DIR=$PWD
|
||||
|
||||
if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then
|
||||
source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.2.1/direnvrc" "sha256-zelF0vLbEl5uaqrfIzbgNzJWGmLzCmYAkInj/LNxvKs="
|
||||
fi
|
||||
|
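--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,10 +0,0 @@
-keys:
-- &motiejus 5F6B7A8A92A260A437049BEB6F133A0C1C2848D7
-- &server_hel1a age1wxwfy32jwskgzudzc8kvvx4uya5kr6lc5vp03y07ly0wpe3jk9gqqree6q
-creation_rules:
-- path_regex: hosts/hel1-a/secrets.yaml$
-key_groups:
-- pgp:
-- *motiejus
-age:
-- *server_hel1a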
22
README.md
22
README.md
@ -12,18 +12,28 @@ Upcoming flakes:
|
||||
|
||||
$ nix build .#deploy.nodes.hel1-a.profiles.system.path
|
||||
|
||||
Managing secrets
|
||||
----------------
|
||||
VM:
|
||||
|
||||
$ nix build .#nixosConfigurations.vm.config.system.build.vm
|
||||
|
||||
Encoding host-only secrets
|
||||
--------------------------
|
||||
|
||||
Encode a secret on host:
|
||||
|
||||
rage -e -r $(ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub) -o secret.age /etc/plaintext
|
||||
rage -e -r "$(cat /etc/ssh/ssh_host_ed25519_key.pub)" -o secret.age /path/to/plaintext
|
||||
|
||||
Decode a secret on host (to test things out):
|
||||
|
||||
age -d -i <(sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) secret.age
|
||||
rage -d -i /etc/ssh/ssh_host_ed25519_key secret.age
|
||||
|
||||
If/when [str4d/rage#379](https://github.com/str4d/rage/issues/379) is fixed, we
|
||||
can replace the above command to `rage`.
|
||||
Bootstrapping
|
||||
-------------
|
||||
|
||||
Prereqs:
|
||||
|
||||
mkdir -p /etc/secrets/initrd
|
||||
ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519
|
||||
|
||||
[1]: https://cgit.krebsco.de/krops/about/
|
||||
|
||||
|
65
data.nix
65
data.nix
@ -1,3 +1,64 @@
|
||||
{
|
||||
pubkeys = {}; # TODO
|
||||
rec {
|
||||
ips = {
|
||||
vno1 = "88.223.107.21";
|
||||
hel1a = "65.21.7.119";
|
||||
};
|
||||
|
||||
ssh_pubkeys = {
|
||||
motiejus = "ssh-rsa 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";
|
||||
vno1_root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiWb7yeSeuFCMZWarKJD6ZSxIlpEHbU++MfpOIy/2kh";
|
||||
};
|
||||
|
||||
systems = {
|
||||
"vno1-oh2.servers.jakst" = {
|
||||
extraHostNames = ["dl.jakstys.lt" "vno1-oh2.jakstys.lt"];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHtYsaht57g2sp6UmLHqsCK+fHjiiZ0rmGceFmFt88pY";
|
||||
};
|
||||
"hel1-a.servers.jakst" = {
|
||||
extraHostNames = ["hel1-a.jakstys.lt" "git.jakstys.lt" "vpn.jakstys.lt" "jakstys.lt" "www.jakstys.lt"];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6Wd2lKrpP2Gqul10obMo2dc1xKaaLv0I4FAnfIaFKu";
|
||||
};
|
||||
"mtwork.motiejus.jakst" = {
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvNuABV5KXmh6rmS+R50XeJ9/V+Sgpuc1DrlYXW2bQb";
|
||||
};
|
||||
"zh2769.rsync.net" = {
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtclizeBy1Uo3D86HpgD3LONGVH0CJ0NT+YfZlldAJd";
|
||||
};
|
||||
"github.com" = {
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
|
||||
};
|
||||
"git.sr.ht" = {
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
|
||||
};
|
||||
};
|
||||
|
||||
tailscale_subnet = {
|
||||
cidr = "100.89.176.0/20";
|
||||
range = "100.89.176.0-100.89.191.255";
|
||||
};
|
||||
|
||||
jakstysLTZone = ''
|
||||
$ORIGIN jakstys.lt.
|
||||
$TTL 86400
|
||||
@ SOA ns1.jakstys.lt. motiejus.jakstys.lt. (2023032100 86400 86400 86400 86400)
|
||||
@ NS ns1.jakstys.lt.
|
||||
@ NS ns2.jakstys.lt.
|
||||
@ A ${ips.hel1a}
|
||||
www A ${ips.hel1a}
|
||||
ns1 A ${ips.vno1}
|
||||
ns2 A ${ips.hel1a}
|
||||
beta A ${ips.hel1a}
|
||||
turn A ${ips.hel1a}
|
||||
vpn A ${ips.hel1a}
|
||||
git A ${ips.hel1a}
|
||||
auth A ${ips.hel1a}
|
||||
dl A ${ips.vno1}
|
||||
hel1-a A ${ips.hel1a}
|
||||
vno1 A ${ips.vno1}
|
||||
@ MX 10 aspmx.l.google.com.
|
||||
@ MX 20 alt1.aspmx.l.google.com.
|
||||
@ MX 20 alt2.aspmx.l.google.com.
|
||||
@ MX 30 aspmx2.googlemail.com.
|
||||
@ MX 30 aspmx3.googlemail.com.
|
||||
'';
|
||||
}
|
||||
|
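Review bot: The SOA serial in `jakstysLTZone` is still `2023032100`, although this zone no longer carries the `fwmine`, `recordrecap` and `www.recordrecap` records that the inline knot zone removed from the host configuration had. If any secondary transfers this zone, it will presumably keep serving the old record set until the serial increases, so the serial should be bumped together with the content change, e.g. `@ SOA ns1.jakstys.lt. motiejus.jakstys.lt. (2023040800 86400 86400 86400 86400)` (serial value constructed for illustration). A one-line comment above the zone, `# bump the SOA serial on every record change`, would keep this from recurring now that the zone lives in a shared data file.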
23
flake.nix
23
flake.nix
@ -49,12 +49,27 @@
|
||||
nixosConfigurations.hel1-a = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
./configuration.nix
|
||||
./hardware-configuration.nix
|
||||
./zfs.nix
|
||||
./hosts/hel1-a/configuration.nix
|
||||
./hosts/hel1-a/hardware-configuration.nix
|
||||
./hosts/hel1-a/zfs.nix
|
||||
|
||||
./modules
|
||||
|
||||
agenix.nixosModules.default
|
||||
|
||||
{
|
||||
age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
|
||||
age.secrets.sasl-passwd.file = ./secrets/hel1-a/postfix/sasl_passwd.age;
|
||||
age.secrets.turn-static-auth-secret.file = ./secrets/hel1-a/turn/static_auth_secret.age;
|
||||
age.secrets.synapse-jakstys-signing-key.file = ./secrets/hel1-a/synapse/jakstys_lt_signing_key.age;
|
||||
age.secrets.synapse-registration-shared-secret.file = ./secrets/hel1-a/synapse/registration_shared_secret.age;
|
||||
age.secrets.synapse-macaroon-secret-key.file = ./secrets/hel1-a/synapse/macaroon_secret_key.age;
|
||||
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
|
||||
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
|
||||
}
|
||||
];
|
||||
|
||||
specialArgs = inputs;
|
||||
specialArgs = {inherit myData;} // inputs;
|
||||
};
|
||||
|
||||
deploy.nodes.hel1-a = {
|
||||
|
@ -2,25 +2,10 @@
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
agenix,
|
||||
myData,
|
||||
...
|
||||
}: let
|
||||
gitea_uidgid = 995;
|
||||
|
||||
tailscale_subnet = {
|
||||
cidr = "100.89.176.0/20";
|
||||
range = "100.89.176.0-100.89.191.255";
|
||||
};
|
||||
|
||||
ips = {
|
||||
vno1 = "88.223.107.21";
|
||||
hel1a = "65.21.7.119";
|
||||
};
|
||||
|
||||
ssh_pubkeys = {
|
||||
motiejus = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+qpaaD+FCYPcUU1ONbw/ff5j0xXu5DNvp/4qZH/vOYwG13uDdfI5ISYPs8zNaVcFuEDgNxWorVPwDw4p6+1JwRLlhO4J/5tE1w8Gt6C7y76LRWnp0rCdva5vL3xMozxYIWVOAiN131eyirV2FdOaqTwPy4ouNMmBFbibLQwBna89tbFMG/jwR7Cxt1I6UiYOuCXIocI5YUbXlsXoK9gr5yBRoTjl2OfH2itGYHz9xQCswvatmqrnteubAbkb6IUFYz184rnlVntuZLwzM99ezcG4v8/485gWkotTkOgQIrGNKgOA7UNKpQNbrwdPAMugqfSTo6g8fEvy0Q+6OXdxw5X7en2TJE+BLVaXp4pVMdOAzKF0nnssn64sRhsrUtFIjNGmOWBOR2gGokaJcM6x9R72qxucuG5054pSibs32BkPEg6Qzp+Bh77C3vUmC94YLVg6pazHhLroYSP1xQjfOvXyLxXB1s9rwJcO+s4kqmInft2weyhfaFE0Bjcoc+1/dKuQYfPCPSB//4zvktxTXud80zwWzMy91Q4ucRrHTBz3PrhO8ys74aSGnKOiG3ccD3HbaT0Ff4qmtIwHcAjrnNlINAcH/A2mpi0/2xA7T8WpFnvgtkQbcMF0kEKGnNS5ULZXP/LC8BlLXxwPdqTzvKikkTb661j4PhJhinhVwnQ==";
|
||||
vno1_root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiWb7yeSeuFCMZWarKJD6ZSxIlpEHbU++MfpOIy/2kh";
|
||||
};
|
||||
|
||||
backup_paths = {
|
||||
var_lib = {
|
||||
mountpoint = "/var/lib";
|
||||
@ -45,6 +30,7 @@
|
||||
};
|
||||
|
||||
turn_cert_dir = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/turn.jakstys.lt";
|
||||
gitea_uidgid = 995;
|
||||
|
||||
# functions
|
||||
mountLatest = (
|
||||
@ -72,26 +58,24 @@ in {
|
||||
enable = true;
|
||||
ssh = {
|
||||
enable = true;
|
||||
port = 22;
|
||||
authorizedKeys = builtins.attrValues ssh_pubkeys;
|
||||
authorizedKeys = builtins.attrValues myData.ssh_pubkeys;
|
||||
hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
|
||||
};
|
||||
};
|
||||
|
||||
security = {
|
||||
sudo = {
|
||||
wheelNeedsPassword = false;
|
||||
execWheelOnly = true;
|
||||
mj = {
|
||||
stateVersion = "22.11";
|
||||
timeZone = "UTC";
|
||||
|
||||
base.initrd = {
|
||||
enable = true;
|
||||
authorizedKeys = builtins.attrValues myData.ssh_pubkeys;
|
||||
hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
|
||||
};
|
||||
};
|
||||
|
||||
time.timeZone = "UTC";
|
||||
|
||||
users = {
|
||||
mutableUsers = false;
|
||||
|
||||
users = {
|
||||
git = {
|
||||
users.git = {
|
||||
description = "Gitea Service";
|
||||
home = "/var/lib/gitea";
|
||||
useDefaultShell = true;
|
||||
@ -100,29 +84,14 @@ in {
|
||||
uid = gitea_uidgid;
|
||||
};
|
||||
|
||||
motiejus = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["wheel"];
|
||||
uid = 1000;
|
||||
openssh.authorizedKeys.keys = [ssh_pubkeys.motiejus];
|
||||
};
|
||||
};
|
||||
|
||||
groups.gitea.gid = gitea_uidgid;
|
||||
};
|
||||
|
||||
environment = {
|
||||
systemPackages = with pkgs; [
|
||||
jq
|
||||
git
|
||||
dig
|
||||
wget
|
||||
tree
|
||||
lsof
|
||||
file
|
||||
tmux
|
||||
htop
|
||||
rage
|
||||
#ncdu
|
||||
nmap
|
||||
ipset
|
||||
@ -135,56 +104,25 @@ in {
|
||||
tcpdump
|
||||
vimv-rs
|
||||
openssl
|
||||
ripgrep
|
||||
bsdgames
|
||||
binutils
|
||||
moreutils
|
||||
headscale
|
||||
mailutils
|
||||
nixos-option
|
||||
unixtools.xxd
|
||||
graphicsmagick
|
||||
];
|
||||
variables = {
|
||||
EDITOR = "nvim";
|
||||
};
|
||||
};
|
||||
|
||||
programs = {
|
||||
mtr.enable = true;
|
||||
mosh.enable = true;
|
||||
neovim = {
|
||||
enable = true;
|
||||
defaultEditor = true;
|
||||
};
|
||||
|
||||
ssh.knownHosts = {
|
||||
"vno1-oh2.servers.jakst" = {
|
||||
extraHostNames = ["dl.jakstys.lt" "vno1-oh2.jakstys.lt"];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHtYsaht57g2sp6UmLHqsCK+fHjiiZ0rmGceFmFt88pY";
|
||||
};
|
||||
"hel1-a.servers.jakst" = {
|
||||
extraHostNames = ["hel1-a.jakstys.lt" "git.jakstys.lt" "vpn.jakstys.lt" "jakstys.lt" "www.jakstys.lt"];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6Wd2lKrpP2Gqul10obMo2dc1xKaaLv0I4FAnfIaFKu";
|
||||
};
|
||||
"mtwork.motiejus.jakst" = {
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvNuABV5KXmh6rmS+R50XeJ9/V+Sgpuc1DrlYXW2bQb";
|
||||
};
|
||||
"zh2769.rsync.net" = {
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtclizeBy1Uo3D86HpgD3LONGVH0CJ0NT+YfZlldAJd";
|
||||
};
|
||||
"github.com" = {
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
|
||||
};
|
||||
"git.sr.ht" = {
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
tailscale.enable = true;
|
||||
|
||||
nsd = {
|
||||
enable = true;
|
||||
interfaces = [ "0.0.0.0" "::" ];
|
||||
zones = {
|
||||
"jakstys.lt.".data = myData.jakstysLTZone;
|
||||
};
|
||||
};
|
||||
|
||||
zfs = {
|
||||
autoScrub.enable = true;
|
||||
trim.enable = true;
|
||||
@ -192,11 +130,6 @@ in {
|
||||
};
|
||||
|
||||
openssh = {
|
||||
enable = true;
|
||||
settings = {
|
||||
PermitRootLogin = "no";
|
||||
PasswordAuthentication = false;
|
||||
};
|
||||
extraConfig = ''
|
||||
AcceptEnv GIT_PROTOCOL
|
||||
'';
|
||||
@ -240,7 +173,7 @@ in {
|
||||
repo = "zh2769@zh2769.rsync.net:hel1-a.servers.jakst";
|
||||
encryption = {
|
||||
mode = "repokey-blake2";
|
||||
passCommand = "cat /var/src/secrets/borgbackup/password";
|
||||
passCommand = "cat ${config.age.secrets.borgbackup-password.path}";
|
||||
};
|
||||
paths = value.paths;
|
||||
extraArgs = "--remote-path=borg1";
|
||||
@ -267,7 +200,7 @@ in {
|
||||
settings = {
|
||||
server_url = "https://vpn.jakstys.lt";
|
||||
ip_prefixes = [
|
||||
tailscale_subnet.cidr
|
||||
myData.tailscale_subnet.cidr
|
||||
"fd7a:115c:a1e0:59b0::/64"
|
||||
];
|
||||
log.level = "warn";
|
||||
@ -407,7 +340,7 @@ in {
|
||||
denied-peer-ip=10.0.0.0-10.255.255.255
|
||||
denied-peer-ip=192.168.0.0-192.168.255.255
|
||||
denied-peer-ip=172.16.0.0-172.31.255.255
|
||||
denied-peer-ip=${tailscale_subnet.range}
|
||||
denied-peer-ip=${myData.tailscale_subnet.range}
|
||||
'';
|
||||
};
|
||||
|
||||
@ -419,7 +352,7 @@ in {
|
||||
admin_contact = "motiejus@jakstys.lt";
|
||||
enable_registration = false;
|
||||
report_stats = true;
|
||||
signing_key_path = "/run/matrix-synapse/jakstys.lt.signing.key";
|
||||
signing_key_path = "/run/matrix-synapse/jakstys_lt_signing_key";
|
||||
extraConfigFiles = ["/run/matrix-synapse/secrets.yaml"];
|
||||
log_config = pkgs.writeText "log.config" ''
|
||||
version: 1
|
||||
@ -509,13 +442,13 @@ in {
|
||||
"127.0.0.1/8"
|
||||
"[::ffff:127.0.0.0]/104"
|
||||
"[::1]/128"
|
||||
tailscale_subnet.cidr
|
||||
myData.tailscale_subnet.cidr
|
||||
];
|
||||
hostname = "${config.networking.hostName}.${config.networking.domain}";
|
||||
relayHost = "smtp.sendgrid.net";
|
||||
relayPort = 587;
|
||||
mapFiles = {
|
||||
sasl_passwd = "/var/src/secrets/postfix/sasl_passwd";
|
||||
sasl_passwd = config.age.secrets.sasl-passwd.path;
|
||||
};
|
||||
extraConfig = ''
|
||||
smtp_sasl_auth_enable = yes
|
||||
@ -549,52 +482,10 @@ in {
|
||||
blocktime = 900;
|
||||
whitelist = [
|
||||
"192.168.0.0/16"
|
||||
tailscale_subnet.cidr
|
||||
ips.vno1
|
||||
myData.tailscale_subnet.cidr
|
||||
myData.ips.vno1
|
||||
];
|
||||
};
|
||||
|
||||
knot = let
|
||||
jakstysLTZone = pkgs.writeText "jakstys.lt.zone" ''
|
||||
$ORIGIN jakstys.lt.
|
||||
$TTL 86400
|
||||
@ SOA ns1.jakstys.lt. motiejus.jakstys.lt. (2023032100 86400 86400 86400 86400)
|
||||
@ NS ns1.jakstys.lt.
|
||||
@ NS ns2.jakstys.lt.
|
||||
@ A ${ips.hel1a}
|
||||
www A ${ips.hel1a}
|
||||
ns1 A ${ips.vno1}
|
||||
ns2 A ${ips.hel1a}
|
||||
beta A ${ips.hel1a}
|
||||
turn A ${ips.hel1a}
|
||||
vpn A ${ips.hel1a}
|
||||
git A ${ips.hel1a}
|
||||
auth A ${ips.hel1a}
|
||||
dl A ${ips.vno1}
|
||||
fwmine A ${ips.hel1a}
|
||||
hel1-a A ${ips.hel1a}
|
||||
vno1 A ${ips.vno1}
|
||||
recordrecap A ${ips.hel1a}
|
||||
www.recordrecap A ${ips.hel1a}
|
||||
@ MX 10 aspmx.l.google.com.
|
||||
@ MX 20 alt1.aspmx.l.google.com.
|
||||
@ MX 20 alt2.aspmx.l.google.com.
|
||||
@ MX 30 aspmx2.googlemail.com.
|
||||
@ MX 30 aspmx3.googlemail.com.
|
||||
'';
|
||||
in {
|
||||
enable = true;
|
||||
extraConfig = ''
|
||||
server:
|
||||
listen: 0.0.0.0@53
|
||||
listen: ::@53
|
||||
version: 42
|
||||
zone:
|
||||
- domain: jakstys.lt
|
||||
file: ${jakstysLTZone}
|
||||
semantic-checks: on
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
networking = {
|
||||
@ -683,7 +574,7 @@ in {
|
||||
"${turn_cert_dir}/turn.jakstys.lt.crt"
|
||||
];
|
||||
serviceConfig.LoadCredential = [
|
||||
"static-auth-secret:/var/src/secrets/turn/static-auth-secret"
|
||||
"static-auth-secret:${config.age.secrets.turn-static-auth-secret.path}"
|
||||
"tls-key.pem:${turn_cert_dir}/turn.jakstys.lt.key"
|
||||
"tls-cert.pem:${turn_cert_dir}/turn.jakstys.lt.crt"
|
||||
];
|
||||
@ -704,7 +595,7 @@ in {
|
||||
secretsScript = pkgs.writeShellScript "write-secrets" ''
|
||||
set -euo pipefail
|
||||
umask 077
|
||||
ln -sf ''${CREDENTIALS_DIRECTORY}/jakstys.lt.signing.key /run/matrix-synapse/jakstys.lt.signing.key
|
||||
ln -sf ''${CREDENTIALS_DIRECTORY}/jakstys_lt_signing_key /run/matrix-synapse/jakstys_lt_signing_key
|
||||
cat > /run/matrix-synapse/secrets.yaml <<EOF
|
||||
registration_shared_secret: "$(cat ''${CREDENTIALS_DIRECTORY}/registration_shared_secret)"
|
||||
macaroon_secret_key: "$(cat ''${CREDENTIALS_DIRECTORY}/macaroon_secret_key)"
|
||||
@ -714,10 +605,10 @@ in {
|
||||
in {
|
||||
serviceConfig.ExecStartPre = ["" secretsScript];
|
||||
serviceConfig.LoadCredential = [
|
||||
"jakstys.lt.signing.key:/var/src/secrets/synapse/jakstys.lt.signing.key"
|
||||
"registration_shared_secret:/var/src/secrets/synapse/registration_shared_secret"
|
||||
"macaroon_secret_key:/var/src/secrets/synapse/macaroon_secret_key"
|
||||
"turn_shared_secret:/var/src/secrets/turn/static-auth-secret"
|
||||
"jakstys_lt_signing_key:${config.age.secrets.synapse-jakstys-signing-key.path}"
|
||||
"registration_shared_secret:${config.age.secrets.synapse-registration-shared-secret.path}"
|
||||
"macaroon_secret_key:${config.age.secrets.synapse-macaroon-secret-key.path}"
|
||||
"turn_shared_secret:${config.age.secrets.turn-static-auth-secret.path}"
|
||||
];
|
||||
};
|
||||
|
||||
@ -784,7 +675,4 @@ in {
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Do not change
|
||||
system.stateVersion = "22.11";
|
||||
}
|
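Review bot: In the `mj.base.initrd` block, `authorizedKeys = builtins.attrValues myData.ssh_pubkeys;` gives initrd root access to every key that is ever added to the shared `ssh_pubkeys` set in data.nix, not only to the keys meant for early-boot access. Listing them explicitly keeps that access list from growing by accident: `authorizedKeys = [myData.ssh_pubkeys.motiejus myData.ssh_pubkeys.vno1_root];`. The same block sets `hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];`, while the README shown in this commit generates the key with `-f /etc/secrets/initrd/ssh_host_ed25519`; one of the two paths should change so that a freshly bootstrapped host has the file the initrd expects. The enclosing attribute set starts and ends outside the hunk.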
@ -1,41 +0,0 @@
|
||||
borgbackup-password: ENC[AES256_GCM,data:igLuxWZujydxdJO8Qt7sIOhIT9SqOkCvjw==,iv:pHk2V/VBb/HzHGieHyL4KY1RpmN6bqjjSDuTTnsH4bM=,tag:36aSlD6zY3AXE5X9ejs6CA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1wxwfy32jwskgzudzc8kvvx4uya5kr6lc5vp03y07ly0wpe3jk9gqqree6q
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNldGbmdndDJSclV5TFJ2
|
||||
aVNhR3hlSEdiaGVBVk5ReTN3TmM0ckNFNVZJCmtmdkdyT0ZBNUVmemNvaFlaMnda
|
||||
eXBpdEtDNFlNNkdBNVQxSloxc0dMcVUKLS0tIDZWZ3lvTWYzUHBxd3ZOa3UyREY5
|
||||
YmdScHFndG1leTl0VFo0dzh2SjhZTU0Kp3aiUTvTWMzw6y+D0ELT9BE4enrJAVDD
|
||||
1c0TvbFwDAJI3KB8T/Mz23qerExtZZQeCnm9zQKd+NsSKZCf52JEkg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-04-06T20:01:44Z"
|
||||
mac: ENC[AES256_GCM,data:PRjs8bZ/DGGlfDjRexvImDdAuE/W74HPa+KdQtE1Qktu6nz1cqlFy8a+CiA/mw+Y3P4NntzXHxU30sONrZWXA+n5RXAn8kMgpOYzRWqZWn0zzIyfhZ9+jPmP7uLpJWGZIEayw8NRfHGthDb7SLTnM9OpbkIP9dl4NgMSvn0A2MA=,iv:ma2ekXqtJGlTE2lAIw9YapvtXns/P1BwSgj+Ly4W+gE=,tag:z/ypCNkpdi2B1BFoZx5Jyw==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-04-05T19:33:35Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMAznIq2pQRYaoARAApA2PMariUuuZ5D+XKf2W8od3oaTzGH9ttu6u7jNg2lqX
|
||||
3Ov1jbvUhT+stH5+DjbeApxxRJPcxMa3cA8g8907b3MagtyJYfxYJbqRNur2kOfy
|
||||
o4VlogFPTTIeeDP9hexX8p6jHC/lXPcT65B8Puj5NbTbitK9pP2RCQnvBG5vm2bB
|
||||
g+d4xiVfhtkt6Wv+m3oBdXO6mLn2tsakBEfseGJuovNpFd469ym9pqP0UpMEWtMy
|
||||
ezODZEbKsxvdUA+pa0wbTo5cQ+G5Pe2BjxNjfO2i4QgEPW5bCkeYDjN5uN9OgnxG
|
||||
zCMrr/PGrLDfebxU0YJqqkfLtmwgJpYKFNuwa6eLG7aOi3ahEsS9WUzLF/7nuTky
|
||||
p1+tOa6VRtQ1nTO0cV3XX9F6Pq/mtp5oozQUBhTzRndpO6Ju7luqzjNEvlS9ILzf
|
||||
w+3lxn/1nvwklBt9S9b2OOhf12iGPfoVye3lhXCSo6cNyk6uIs2fW/n7UXTJgG0W
|
||||
M5Zv5ygXbJwL3SyVaO9moL4ZSvllbwigI4MfSOoAH8P1Tzt/eyrfb3lL282b1N4c
|
||||
7KuTrWju3ml69QbulcN3Fae8ID+U8plcbpVv5f/v4zW4KPJBIN33D9InFzzwaBDF
|
||||
m2ESR/nsRMeLpR1StPz3SoPERLQ9PdLIuDp449O+EPgOK26yAvGiO+E4vfGQMpzS
|
||||
XAEdM3mNnGT8BTgChbPK+Khx0U0kJc2s9OjmW2aGEHNLeiPWcaj02EQ13rtH5q3c
|
||||
YFXzo8Ymlg3YEemwBY9LNVfGXmNUEgI8FYlh2mFwAwv3IdCjW7JsCwwsPE8C
|
||||
=KfCh
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 5F6B7A8A92A260A437049BEB6F133A0C1C2848D7
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
@ -33,5 +33,4 @@
|
||||
boot.loader.grub.devices = [
|
||||
"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_9233346"
|
||||
];
|
||||
users.users.root.initialHashedPassword = "$6$oXLEcliXQJloPkrW$Or3O2tLdpLMs4s4gyn2hJlvMjm0S7zLlFlQCOx.S3fdLKxyFjQFaLhPZXJPluZ7iYrB65JSdT0ESluFwgJwLi.";
|
||||
}
|
@ -9,11 +9,9 @@ in {
|
||||
mj = {
|
||||
stateVersion = "23.05";
|
||||
timeZone = "UTC";
|
||||
stubPasswords = true;
|
||||
};
|
||||
|
||||
users.users.vm.isSystemUser = true;
|
||||
users.users.vm.initialPassword = "test";
|
||||
|
||||
environment = {
|
||||
systemPackages = with pkgs; [
|
||||
tmux
|
||||
@ -24,6 +22,7 @@ in {
|
||||
services = {
|
||||
nsd = {
|
||||
enable = true;
|
||||
interfaces = [ "0.0.0.0" "::" ];
|
||||
zones = {
|
||||
"jakstys.lt.".data = myData.jakstysLTZone;
|
||||
};
|
||||
|
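--- a/krops.nix
+++ b/krops.nix
@@ -1,27 +0,0 @@
-let
-krops = builtins.fetchGit {
-url = "https://cgit.krebsco.de/krops/";
-};
-lib = import "${krops}/lib";
-pkgs = import "${krops}/pkgs" {};
-
-source = lib.evalSource [
-{
-nixpkgs.symlink = "/root/.nix-defexpr/channels/nixos";
-nixos-config.file = toString ./configuration.nix;
-secrets.pass = {
-dir = toString ./secrets;
-name = "hel1-a";
-};
-}
-];
-in {
-hel1a = pkgs.krops.writeDeploy "deploy-hel1a" {
-source = source;
-target =
-lib.mkTarget "motiejus@hel1-a.jakstys.lt"
-// {
-sudo = true;
-};
-};
-}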
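--- a/modules/base/default.nix
+++ b/modules/base/default.nix
@@ -0,0 +1,135 @@
+{
+config,
+myData,
+lib,
+pkgs,
+...
+}: {
+imports = [
+./sshd
+./initrd
+];
+
+options.mj = {
+stateVersion = lib.mkOption {
+type = lib.types.str;
+example = "22.11";
+description = "The NixOS state version to use for this system";
+};
+timeZone = lib.mkOption {
+type = lib.types.str;
+example = "Europe/Vilnius";
+description = "Time zone for this system";
+};
+
+stubPasswords = lib.mkOption {
+type = lib.types.bool;
+default = false;
+};
+};
+
+config = {
+time.timeZone = config.mj.timeZone;
+
+# Select internationalisation properties.
+i18n = {
+defaultLocale = "en_US.UTF-8";
+supportedLocales = [
+"lt_LT.UTF-8/UTF-8"
+];
+};
+
+nix.settings.experimental-features = ["nix-command" "flakes"];
+
+system.stateVersion = config.mj.stateVersion;
+
+security = {
+sudo = {
+wheelNeedsPassword = false;
+execWheelOnly = true;
+};
+};
+
+users = let
+withPasswordFile = file: attrs: (if config.mj.stubPasswords then {
+initialPassword = "live";
+} else {
+passwordFile = file;
+}) // attrs;
+in {
+mutableUsers = false;
+
+users = {
+motiejus = withPasswordFile config.age.secrets.motiejus-passwd-hash.path {
+isNormalUser = true;
+extraGroups = ["wheel"];
+uid = 1000;
+openssh.authorizedKeys.keys = [myData.ssh_pubkeys.motiejus];
+};
+
+root = withPasswordFile config.age.secrets.root-passwd-hash.path { };
+};
+};
+
+environment = {
+systemPackages = with pkgs; [
+jc # parse different formats and command outputs to json
+jq # parse, format and query json documents
+pv # pipe viewer for progressbars in pipes
+bat # "bat - cat with wings", cat|less with language highlight
+duf # nice disk usage output
+file # file duh
+host # look up host info
+tree # tree duh
+lsof # lsof yay
+rage # encrypt-decrypt
+#ncdu # disk usage navigator
+pwgen
+sqlite
+direnv
+ripgrep
+vimv-rs
+nix-top # nix-top is a top for what nix is doing
+binutils
+moreutils
+unixtools.xxd
+
+# networking
+dig
+nmap
+wget
+curl
+whois
+ipset
+testssl
+dnsutils
+speedtest-cli
+prettyping
+(runCommand "prettyping-pp" {} ''
+mkdir -p $out/bin
+ln -s ${prettyping}/bin/prettyping $out/bin/pp
+'')
+
+# compression/decompression
+xz
+pigz
+zstd
+p7zip
+brotli
+zopfli
+];
+
+variables = {
+EDITOR = "nvim";
+};
+};
+
+programs = {
+mtr.enable = true;
+neovim = {
+enable = true;
+defaultEditor = true;
+};
+};
+};
+}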
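Review bot: `stubPasswords` is declared without a `description`, and when it is true `withPasswordFile` gives both `root` and the wheel user `motiejus` the fixed password `live`. Nothing in the module marks the option as VM-only, so a real host that sets it by mistake evaluates without complaint. Add `description = "Use a fixed, publicly known password instead of the agenix password files; for throwaway VMs only.";` to the option, and surface the state at evaluation time with `warnings = lib.optional config.mj.stubPasswords "mj.stubPasswords is set: root and motiejus use a fixed password";` inside `config`.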
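--- a/modules/base/initrd/default.nix
+++ b/modules/base/initrd/default.nix
@@ -0,0 +1,31 @@
+{
+config,
+lib,
+...
+}: {
+options.mj.base.initrd = {
+enable = lib.mkEnableOption "Enable base initrd settings";
+
+hostKeys = lib.mkOption {
+type = lib.types.listOf lib.types.str;
+description = "ssh private key for use in initrd.";
+};
+
+authorizedKeys = lib.mkOption {
+type = lib.types.listOf lib.types.str;
+description = lib.mdDoc "Authorized keys for the root user on initrd.";
+};
+};
+
+config = lib.mkIf config.mj.base.initrd.enable {
+boot.initrd.network = {
+enable = true;
+ssh = {
+enable = true;
+port = 22;
+authorizedKeys = config.mj.base.initrd.authorizedKeys;
+hostKeys = config.mj.base.initrd.hostKeys;
+};
+};
+};
+}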
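Review bot: The `hostKeys` description, "ssh private key for use in initrd.", does not tell the reader that the option takes a list of paths, nor that the referenced private keys end up in the initrd, which is generally less protected than the running system. It should say that these must be dedicated initrd keys and never the regular `/etc/ssh` host key, which matters here because the README in this commit encrypts secrets to `/etc/ssh/ssh_host_ed25519_key.pub`. Suggested wording: `description = "Paths to SSH host private keys used only by the initrd; do not reuse the regular host key.";`. Separately, `lib.mkEnableOption` already prefixes its text with "Whether to enable", so the argument reads better as `"base initrd settings"`.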
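--- a/modules/base/sshd/default.nix
+++ b/modules/base/sshd/default.nix
@@ -0,0 +1,18 @@
+{
+config,
+lib,
+myData,
+...
+}: {
+config = {
+services.openssh = {
+enable = true;
+settings = {
+PasswordAuthentication = false;
+PermitRootLogin = "no";
+};
+};
+programs.mosh.enable = true;
+programs.ssh.knownHosts = myData.systems;
+};
+}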
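Review bot: `settings` turns off `PasswordAuthentication` but leaves `KbdInteractiveAuthentication` at its module default, which as far as I know is enabled. Adding `KbdInteractiveAuthentication = false;` next to it makes the key-only intent explicit and does not rely on how PAM is wired for sshd. That is worth having now that `mj.stubPasswords` in the base module can give `root` and `motiejus` a fixed password.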
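--- a/modules/default.nix
+++ b/modules/default.nix
@@ -0,0 +1,6 @@
+{...}: {
+imports = [
+./base
+./services
+];
+}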
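--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -0,0 +1,9 @@
+{
+config,
+lib,
+pkgs,
+...
+}: {
+imports = [
+];
+}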
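--- a/secrets.nix
+++ b/secrets.nix
@@ -0,0 +1,18 @@
+let
+motiejus_yk1 = "age1yubikey1qtwmhf7h7ljs3dyx06wyzme4st6w4calkdpmsxgpxc9t2cldezvasd6n8wg";
+motiejus_bk1 = "age1kyehn8yr9tfu3w0z4d9p9qrj0tjjh92ljxmz2nyr6xnm7y8kpv5spwwc9n";
+motiejus = [motiejus_yk1 motiejus_bk1];
+
+hel1-a = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6Wd2lKrpP2Gqul10obMo2dc1xKaaLv0I4FAnfIaFKu";
+systems = [hel1-a];
+in {
+"secrets/hel1-a/borgbackup/password.age".publicKeys = [hel1-a] ++ motiejus;
+"secrets/hel1-a/postfix/sasl_passwd.age".publicKeys = [hel1-a] ++ motiejus;
+"secrets/hel1-a/turn/static_auth_secret.age".publicKeys = [hel1-a] ++ motiejus;
+"secrets/hel1-a/synapse/jakstys_lt_signing_key.age".publicKeys = [hel1-a] ++ motiejus;
+"secrets/hel1-a/synapse/registration_shared_secret.age".publicKeys = [hel1-a] ++ motiejus;
+"secrets/hel1-a/synapse/macaroon_secret_key.age".publicKeys = [hel1-a] ++ motiejus;
+
+"secrets/motiejus_passwd_hash.age".publicKeys = [hel1-a] ++ motiejus;
+"secrets/root_passwd_hash.age".publicKeys = [hel1-a] ++ motiejus;
+}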
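Review bot: `systems = [hel1-a];` is defined but never used, because every rule spells out `[hel1-a] ++ motiejus`. For the two files outside `secrets/hel1-a/` (`motiejus_passwd_hash.age` and `root_passwd_hash.age`), which the base module reads on every host that does not stub passwords, `publicKeys = systems ++ motiejus;` would ensure that a host added to `systems` later becomes a recipient once the files are re-keyed. Keeping the per-host secrets on `[hel1-a] ++ motiejus` is right, since those should stay readable by that one host only. A short comment above `systems`, `# hosts that may decrypt the shared (non per-host) secrets`, would record the distinction.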
11
secrets/hel1-a/borgbackup/password.age
Normal file
11
secrets/hel1-a/borgbackup/password.age
Normal file
@ -0,0 +1,11 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-ed25519 vDjOfg yV3BxKKBmsDJJDpTbTpW8ZQBEw1dzsAZcEhlcr1efwA
|
||||
WPG4olU+AEQOPOXCGVYyN9J/h5jItJkQilUr5x/3UqQ
|
||||
-> X25519 k28YknTZR1ETWY1PhXwmRv/rAmvsL0YVzV5/x2qHGX0
|
||||
ooqcWrdQ4gBxq6Y0WNVr41NJFarC5g+3xZDdo1NKooo
|
||||
-> piv-p256 +y2G/w AlBGJoImuKrcEvQCLwk8NJX+YwzpaTSX7rT01NAbYp6f
|
||||
ihlhk5+itPJ3skH/4Rkx+Taq+JboQ0s+6My86WSaCmg
|
||||
-> c-grease
|
||||
1P4Pqguo6ZtYcXzdDQVm26RGywukVnkR0Mnk/lzXkjtr4Sk
|
||||
--- xMODuPBdbFKgzh1mWly/CGFwUFA/10L1z3EQiDDNYD0
|
||||
ïP8<EFBFBD><J]q¤í§“5ZÅ9 tÐÈ©Ä€<C384>ÇÐO„Î<–‚<E28093>
(à{ØÐ-àÚaÇ6{«ª‡Æê
|
Binary file not shown.
12
secrets/hel1-a/postfix/sasl_passwd.age
Normal file
12
secrets/hel1-a/postfix/sasl_passwd.age
Normal file
@ -0,0 +1,12 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-ed25519 vDjOfg b1Zx1w3fzcOwPX6PPgXEGP9fNMu2G+9GP21ozLAdpFw
|
||||
H9WBB2lD83ZaU7EeNBjH3FmAMcArO/58IvMltFCI+R0
|
||||
-> X25519 eHDSOyattfnleSYopf54sbh0ZBsJkBYHTwKiIrAIoHo
|
||||
Zq3Ic+MuhT8apWBXFSvipCGMIpgi0VD3cogXSqXUKQA
|
||||
-> piv-p256 +y2G/w Ay1FiQ7KMDPuGVc1JM0IQGf5Nuf+veaeO2V9TnxGE0Zt
|
||||
agLLHpBgOM+hQSci8S/nKlMa5EMsAQhQaOc2XET7dx4
|
||||
-> pI8`h-grease Y}P!N p[
|
||||
7ecvACao/g
|
||||
--- udtUjLi1oDBLTDbEm/jD2T43Vd8uCPXIVBDhVaL0CVU
|
||||
b•ô5Î/í–bÏ ¶Ó½¬ŽïØÿÁ±×Õã<
¿Ü‚Z_“´TþÉô5,Ú=J^ÑNÉ<4E>£;B—ÃÄãaıùðQñåkÒͧû—¶‚wOÂN8\̘°Žn¼(w:ó*>¬8¸€§3«ð0VÓôA¾'P<>~ÌšœblÒ,רÔ
|
||||
7 …
|
Binary file not shown.
Binary file not shown.
12
secrets/hel1-a/synapse/jakstys_lt_signing_key.age
Normal file
12
secrets/hel1-a/synapse/jakstys_lt_signing_key.age
Normal file
@ -0,0 +1,12 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-ed25519 vDjOfg FDCOq/6TT4MiTydElRtbJYGQkf5Dp9Rz+pGJbGNyEUk
|
||||
w3FZziEXQZdhesTjJ1klAHoIOSKdgXBwBoLys60BjJE
|
||||
-> X25519 RzOTSjA6boL+kwZ4F7TZkuzhP8HIXNDzIfM3tgLAURw
|
||||
ThbibWPRI3F1PwlXls96SDeTMLpUau/freOw/rCdadE
|
||||
-> piv-p256 +y2G/w ArbH4qK3h6v1FmARFCMivDuJ8zeA85sP6NrpPDuiI8se
|
||||
zskm+i/Ox8DlhZplggvBBN3Nb9mEIsgcLsNR1/hejoY
|
||||
-> n.bS-grease .8*'{}4t
|
||||
/QdO2N7yjPjur3KSMV/Se/hASwhzjPXbz+wlI6UbJnxkbmSer+wdg9nYMbBtINU7
|
||||
aHsmE/Sm1fWeLKP7T4RvftqJtLZWDkn6BG4PA6sxqzQV
|
||||
--- IU8CbpKKUO1yxNKrOSwKDZ7thZ3D4CKjA1H6N/Fw+fs
|
||||
<*qL3â,ý@øOô<4F>AM‡b‡ÿâ=jn1âQبizn†¨ž3áeñmQ!:oÀÙó1ä¹\=mnªG „æ×ÊaçM>TÍ¥å¤Áð fNŒSÕäy
|
11
secrets/hel1-a/synapse/macaroon_secret_key.age
Normal file
11
secrets/hel1-a/synapse/macaroon_secret_key.age
Normal file
@ -0,0 +1,11 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-ed25519 vDjOfg 99J07yNSb9UAfoiGi3ABFV6M4xl3iApYRv1HGNdQgT8
|
||||
LBMxQ+eAizZ2nWVQyD7lOzJfe8+3wPv+vNgxw/WEKk0
|
||||
-> X25519 FLS0fXs2R32jedMkvavMYoc+pZBfaOPfkm1qCc+RJjY
|
||||
g9YlhVMu2DZ5GjBXCF51g0VY8STp0wbMI+lS0GQ4k2o
|
||||
-> piv-p256 +y2G/w A9bUaREVnU6o1QAyqaCs5y5T+jQHbYvQQqOs8NRAe7mQ
|
||||
8Z3p5ZpyI3O1peY8E6OGUyMUONlMEVDrfOVLMcJhzeY
|
||||
-> L?a5-grease
|
||||
A0lbHu5aBHSBIrwMz+QG4Mc6m2sEl/Z5TBmTsf1h
|
||||
--- Df+ap67pp9N2RGb9OCkd5gVogMfXXqSJPeHMNk98TdU
|
||||
¿·5åršâÍÍòL÷ó÷Ù(ü<>ä<EFBFBD>uZ¼bœÒ›{;ØÚV8Ah˜`íh sPé--µÛuuª¥ÁJ–¿ü)XwX6É"‚ªºüü<C3BC>èTd¨ànm°*bi°<1C>&)Æ<>ÖK‚
|
Binary file not shown.
BIN
secrets/hel1-a/synapse/registration_shared_secret.age
Normal file
BIN
secrets/hel1-a/synapse/registration_shared_secret.age
Normal file
Binary file not shown.
Binary file not shown.
Binary file not shown.
12
secrets/hel1-a/turn/static_auth_secret.age
Normal file
12
secrets/hel1-a/turn/static_auth_secret.age
Normal file
@ -0,0 +1,12 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-ed25519 vDjOfg DGNmUpEoo4KB2XQG7bOC9m81RHSK19Rg/UKzXVV4oRI
|
||||
WWrASGb+TwRmVW57v/CjhHvkwbJ8N6JFKuzEgSnujzk
|
||||
-> X25519 m9VcMyeq72eZJWl9DU6W5Tg/fPthO6mjyevoAgtG4CU
|
||||
x7rBS+gYeM0vZ/ZBV9O9wpoW3x+RX9D4xkfCJ4ddBfg
|
||||
-> piv-p256 +y2G/w A+q8rvVRfAP/PjfCtRFhvX7FmtYMeIjucSbQKU0o9Shx
|
||||
k9uFNzhWZQfaMKUx6nXiKXf9fVFrE4y6ybmnXpeiblk
|
||||
-> 3">;=-grease
|
||||
wEXSvaFLu5VvuoelMWG1GMyGnHIEkBo
|
||||
--- pTNrYbbGlOhK7RhK1VkzaNoCcEMa/e5pYwxSf5/sIj8
|
||||
W-¼ƒPâH'<>µ[²À@æèæÄé-“æx<C3A6>ÃÎéWôÄ
|
||||
`pñÏ tÌ4<™
|
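--- a/secrets/motiejus_bk1.pub.txt
+++ b/secrets/motiejus_bk1.pub.txt
@@ -0,0 +1,2 @@
+# created: 2023-04-08T13:24:01Z
+# public key: age1kyehn8yr9tfu3w0z4d9p9qrj0tjjh92ljxmz2nyr6xnm7y8kpv5spwwc9n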
BIN
secrets/motiejus_passwd_hash.age
Normal file
BIN
secrets/motiejus_passwd_hash.age
Normal file
Binary file not shown.
12
secrets/root_passwd_hash.age
Normal file
12
secrets/root_passwd_hash.age
Normal file
@ -0,0 +1,12 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-ed25519 vDjOfg khtSufKQJkOUzpMxwhDgxqumAGCeFc/n1X3onrS6Gzw
|
||||
qGIW0wJmOxMqLNzKzm7jOxBXwInU52l63Rsk2q48srw
|
||||
-> X25519 bsbdwq/bgJJZITDid5cEvLTs6qRBpMhYGREnecMbuTw
|
||||
YsIPaszuaxNx3hDFkvTR9sNhMBnVrWiaQkig9F/3lS4
|
||||
-> piv-p256 +y2G/w AuO3mkk1M4svQFyyOVt5JyDJHUKtBmUJVaWQ/fENJ6jA
|
||||
0A2qkDLeKMS0zCTHRkqrGmDj3GkBeWfeFNd8FZpzviw
|
||||
-> 3ZriuP-grease nfB3p3"V m
|
||||
9pCGB1gfXUQwKgGkvSSeai6scEUhso9ibWwALW5b2erPGzB5hmZaHyhFE3tEn68
|
||||
--- NqN1QH25TJMyVgJn/6iLUrfEMBL3iJzJIemJpH2hOfE
|
||||
N<>A¸ÿF<C3BF>¡Lâ8Ÿ}–ï³ÂÏÍýON_2NôIj$¨>‡5F³
|
||||
f4#ŠçoÛ|Ãüp<C3BC>þŒ
h´Á{;5@PÔ&E<>¼êÊsZGƒRK<52>õ°Ú“C~?éŽ?:Q¯öd(IS}j@B¦OKy¢í1AØ–AèôÉ“ÀX‡ýYG—Rô‰òNE¯
|
Binary file not shown.