diff --git a/fuji/configuration.nix b/fuji/configuration.nix
new file mode 100644
index 0000000..d7ca07e
--- /dev/null
+++ b/fuji/configuration.nix
@@ -0,0 +1,701 @@ +{ config +, nvim +, pkgs +, system +, zremap +, lib +, ... +}: +let + USER = "akill"; +in +{ + imports = [ ]; + + system = { + stateVersion = "23.05"; + autoUpgrade.enable = false; + etc.overlay.enable = true; + nixos-init.enable = true; + }; + + sops = { + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + secrets = { + "peerix/private" = { + sopsFile = ./secrets/peerix.yaml; + mode = "0400"; + owner = config.users.users.nobody.name; + group = config.users.users.nobody.group; + }; + + "wg_privkey" = { + sopsFile = ./secrets/wg_privkey.yaml; + }; + + "wg_preshared/nixy" = { + sopsFile = ../common/secrets/wg_preshared.yaml; + }; + + "wg_privkey_proton" = { + sopsFile = ./secrets/wg_privkey_proton.yaml; + }; + + "wg_endpoint_proton" = { + sopsFile = ./secrets/wg_privkey_proton.yaml; + }; + + "borgbase_enc_key" = { + sopsFile = ./secrets/borgbase_enc_key.yaml; + owner = config.users.users.${USER}.name; + }; + + "borgbase_ssh_key" = { + sopsFile = ./secrets/borgbase_ssh_key.yaml; + owner = config.users.users.${USER}.name; + }; + }; + }; + + nix = { + optimise.automatic = true; + gc.automatic = true; + gc.options = "--delete-older-than 7d"; + package = pkgs.nixVersions.latest; + settings = { + sandbox = true; + experimental-features = [ + "nix-command" + "flakes" + ]; + }; + }; + + boot = { + extraModulePackages = with config.boot.kernelPackages; [ + usbip + v4l2loopback + ]; + extraModprobeConfig = '' + options snd_sof ipc_type=1 tplg_path=intel/sof-ipc4-tplg tplg_filename=sof-hda-generic-cavs25-2ch.tplg + ''; + blacklistedKernelModules = [ ]; + + + initrd.compressor = "zstd"; + initrd.kernelModules = [ ]; + initrd.systemd.enable = true; + binfmt.emulatedSystems = [ + "wasm32-wasi" + "x86_64-windows" + ]; + kernelParams = [ + "xe.force_probe=a7a0" + "i915.force_probe=!a7a0" + ]; + kernelPackages = pkgs.linuxPackages_latest; + kernel.sysctl = { + "net.core.default_qdisc" = "fq"; + "net.ipv4.tcp_congestion_control" = "bbr"; + 
"kernel.unprivileged_userns_clone" = "1"; /* Needed with harderned kernel */ + }; + loader.efi.canTouchEfiVariables = true; + loader.systemd-boot = { + editor = false; + enable = true; + memtest86.enable = true; + }; + nixStoreMountOpts = [ "ro" ]; + supportedFilesystems = [ + "xfs" + ]; + tmp.useTmpfs = true; + }; + + security = { + rtkit.enable = true; + allowSimultaneousMultithreading = true; + sudo.enable = true; + doas.enable = true; + doas.extraRules = [ + { + users = [ USER ]; + keepEnv = true; + persist = true; + } + ]; + }; + + powerManagement = { + enable = true; + }; + + networking = { + nftables.enable = true; + firewall = { + enable = true; + allowedTCPPorts = [ + 80 + 443 + 51820 + 8020 + ]; + }; + + hostName = "fuji"; + nameservers = [ + "127.0.0.1" + "::1" + ]; + dhcpcd.extraConfig = "nohook resolv.conf"; + + extraHosts = '' + 192.168.88.171 jellyfin.mediabox.lan + 192.168.88.171 jellyseerr.mediabox.lan + 192.168.88.171 mediabox.lan + 192.168.88.171 qbittorrent.mediabox.lan + 192.168.88.1 router.lan + 192.168.88.231 workstation.lan + 192.168.88.121 ender.lan + ''; + + networkmanager = { + enable = true; + dns = "none"; + wifi.backend = "iwd"; + }; + + wireless.iwd = { + enable = true; + settings = { + General = { + AddressRandomization = "network"; + #EnableNetworkConfiguration = true; + }; + }; + }; + + wireguard.interfaces = { + wg0 = { + ips = [ "10.100.0.6/24" ]; + privateKeyFile = config.sops.secrets."wg_privkey".path; + peers = [ + { + publicKey = builtins.readFile ../magpie/wg_pubkey; + presharedKeyFile = config.sops.secrets."wg_preshared/nixy".path; + allowedIPs = [ "10.100.0.0/24" ]; + endpoint = "5.75.229.224:51820"; + persistentKeepalive = 25; + } + ]; + }; + }; + }; + + time.timeZone = "Europe/Sarajevo"; + + nixpkgs.config.allowUnfree = true; + nixpkgs.overlays = [ + nvim.overlays.${system}.overlay + ]; + environment = { + systemPackages = with pkgs; [ alsa-ucm-conf maliit-keyboard ]; + variables.ALSA_CONFIG_UCM2 = 
"${pkgs.alsa-ucm-conf}/share/alsa/ucm2"; + + sessionVariables = { + LIBVA_DRIVER_NAME = "iHD"; + KWIN_COMPOSE = "O2ES"; + }; + + etc = { + "firejail/qutebrowser.local".text = '' + whitelist ''${RUNUSER}/qutebrowser + ''; + "xdg/autostart/powerdevil.desktop".text = '' + [Desktop Entry] + Hidden=true + ''; + }; + extraInit = '' + unset -v SSH_ASKPASS + ''; + homeBinInPath = true; + variables = { + PATH = "$HOME/.cargo/bin"; + }; + }; + + programs = { + steam = { + enable = true; + remotePlay.openFirewall = true; + dedicatedServer.openFirewall = false; + localNetworkGameTransfers.openFirewall = true; + }; + gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + appimage = { + enable = true; + binfmt = true; + }; + nix-ld = { + enable = false; + libraries = with pkgs; [ + stdenv.cc.cc.lib + zlib + ]; + }; + zsh.enable = true; + firejail.enable = true; + adb.enable = true; + wireshark.enable = true; + sway.enable = true; + }; + + documentation.dev.enable = true; + + systemd = { + #sysusers.enable = true; + services = { + # Fix issue where systemd-vconsole-setup failes to find keymap + systemd-vconsole-setup = { + unitConfig = { + After = "local-fs.target"; + }; + }; + + "zremap@" = { + enable = true; + restartIfChanged = true; + serviceConfig.Nice = -20; + unitConfig = { + Description = "zremap on %I"; + ConditionPathExists = "%I"; + }; + serviceConfig = { + Type = "simple"; + ExecStart = "${zremap.defaultPackage.${system}}/bin/zremap %I"; + }; + }; + + "netns@" = { + description = "%I network namespace"; + before = [ "network.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "${pkgs.iproute2}/bin/ip netns add %I"; + ExecStop = "${pkgs.iproute2}/bin/ip netns del %I"; + }; + }; + + "wg_proton" = { + description = "wg network interface"; + bindsTo = [ "netns@wg.service" ]; + requires = [ "network-online.target" ]; + wants = [ "dnscrypt-proxy_proton.service" ]; + after = [ "netns@wg.service" ]; + before = [ 
"dnscrypt-proxy_proton.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = pkgs.writers.writeBash "wg-up" '' + set -e + ENDPOINT_IP=$(${pkgs.coreutils-full}/bin/cat "${config.sops.secrets."wg_endpoint_proton".path}") + ${pkgs.iproute2}/bin/ip link add proton_wg type wireguard + ${pkgs.iproute2}/bin/ip link set proton_wg netns wg + ${pkgs.iproute2}/bin/ip -n wg address add 10.2.0.2/32 dev proton_wg + ${pkgs.iproute2}/bin/ip netns exec wg \ + ${pkgs.wireguard-tools}/bin/wg set "proton_wg" private-key "${ + config.sops.secrets."wg_privkey_proton".path + }" + ${pkgs.iproute2}/bin/ip netns exec wg \ + ${pkgs.wireguard-tools}/bin/wg set "proton_wg" peer "g6DkXWKI/68RsLjROIwCEcyB/ZhyK5Q7OWcz1TtqER0=" \ + endpoint "$ENDPOINT_IP:51820" \ + persistent-keepalive "25" \ + allowed-ips "0.0.0.0/0" + ${pkgs.iproute2}/bin/ip -n wg link set lo up + ${pkgs.iproute2}/bin/ip -n wg link set proton_wg up + ${pkgs.iproute2}/bin/ip -n wg route add default dev proton_wg + ''; + ExecStop = pkgs.writers.writeBash "wg-down" '' + ${pkgs.iproute2}/bin/ip -n wg route del default dev proton_wg + ${pkgs.iproute2}/bin/ip -n wg link del proton_wg + ''; + }; + }; + + "dnscrypt-proxy_proton" = { + description = "DNSCrypt-proxy client proton"; + wants = [ + "network-online.target" + "nss-lookup.target" + ]; + before = [ "nss-lookup.target" ]; + after = [ "wg_proton.service" ]; + partOf = [ "wg_proton.service" ]; + serviceConfig = { + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + CacheDirectory = "dnscrypt-proxy"; + DynamicUser = true; + ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy -config ${config.services.dnscrypt-proxy.configFile}"; + LockPersonality = true; + LogsDirectory = "dnscrypt-proxy"; + MemoryDenyWriteExecute = true; + NetworkNamespacePath = "/var/run/netns/wg"; + NonBlocking = true; + NoNewPrivileges = true; + PrivateDevices = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + 
ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + Restart = "always"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RuntimeDirectory = "dnscrypt-proxy"; + StateDirectory = "dnscrypt-proxy"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "@chown" + "~@aio" + "~@keyring" + "~@memlock" + "~@setuid" + "~@timer" + ]; + }; + }; + }; + + coredump.enable = false; + settings.Manager = { + DefaultTimeoutStartSec = "30s"; + DefaultTimeoutStopSec = "30s"; + }; + }; + + services = { + acpid.enable = true; + dbus.enable = true; + dbus.implementation = "broker"; + envfs.enable = true; + fstrim.enable = true; + fwupd.enable = true; + ntp.enable = true; + openssh.enable = true; + printing.enable = true; + userborn.enable = true; + power-profiles-daemon.enable = false; + + greetd = { + enable = true; + settings = { + default_session = { + command = '' + ${pkgs.tuigreet}/bin/tuigreet \ + --time \ + --remember \ + --remember-session \ + --greeting 'Welcome to NixOS' \ + --cmd sway + ''; + user = "greeter"; + }; + }; + }; + + logind = { + powerKey = "suspend"; + }; + + desktopManager.plasma6.enable = false; + + pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + }; + + avahi = { + enable = true; + nssmdns4 = true; + openFirewall = true; + }; + + libinput.enable = true; + xserver = { + enable = true; + dpi = 144; + desktopManager.xterm.enable = false; + displayManager = { + lightdm.enable = false; + startx.enable = true; + }; + windowManager.i3.enable = false; + }; + + udev = { + packages = [ + pkgs.openhantek6022 + pkgs.openocd + ]; + extraRules = '' + #Xilinx FTDI + ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Xilinx", MODE:="666" + + #Xilinx Digilent + ATTR{idVendor}=="1443", MODE:="666" + ACTION=="add", ATTR{idVendor}=="0403", 
ATTR{manufacturer}=="Digilent", MODE:="666" + + #Arduino UNO r4 + SUBSYSTEMS=="usb", ATTRS{idVendor}=="2341", MODE:="0666" + + #zremap on new keyboard + ACTION=="add", SUBSYSTEM=="input", ATTRS{phys}!="", KERNEL=="event[0-9]*", ENV{ID_INPUT_KEY}=="1", ENV{ID_INPUT_KEYBOARD}=="1", TAG+="systemd", ENV{SYSTEMD_WANTS}+="zremap@$env{DEVNAME}.service" + ''; + }; + + tlp = { + enable = true; + settings = { + START_CHARGE_THRESH_BAT0 = 70; + STOP_CHARGE_THRESH_BAT0 = 94; + #CPU_SCALING_GOVERNOR_ON_AC = "performance"; + #CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; + + # For your Fujitsu U9313X - Intel 13th gen + #CPU_ENERGY_PERF_POLICY_ON_AC = "performance"; + #CPU_ENERGY_PERF_POLICY_ON_BAT = "balance_power"; + + # Optional: CPU boost control + CPU_BOOST_ON_AC = 1; + CPU_BOOST_ON_BAT = 0; + + }; + }; + + batteryNotifier = { + enable = true; + notifyCapacity = 12; + suspendCapacity = 5; + }; + + actkbd = { + enable = true; + bindings = [ + { + keys = [ 115 ]; + events = [ "key" ]; + command = "XDG_RUNTIME_DIR=/run/user/$(id -u ${USER}) ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+"; + } + + { + keys = [ 114 ]; + events = [ + "key" + "rep" + ]; + command = "XDG_RUNTIME_DIR=/run/user/$(id -u ${USER}) ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-"; + } + + { + keys = [ 113 ]; + events = [ + "key" + "rep" + ]; + command = "XDG_RUNTIME_DIR=/run/user/$(id -u ${USER}) ${pkgs.wireplumber}/bin/wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"; + } + + { + keys = [ 224 ]; + events = [ "key" ]; + command = "${pkgs.light}/bin/light -U 5"; + } + + { + keys = [ 225 ]; + events = [ "key" ]; + command = "${pkgs.light}/bin/light -A 5"; + } + ]; + }; + + dnscrypt-proxy = { + enable = true; + settings = { + ipv6_servers = true; + require_dnssec = true; + require_nolog = true; + require_nofilter = true; + http3 = true; + + sources.public-resolvers = { + urls = [ + "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" + 
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" + ]; + cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md"; + minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; + }; + }; + }; + + borgbackup.jobs."borgbase" = + let + user = config.users.users.${USER}; + home = user.home; + in + { + user = user.name; + paths = [ + (home + "/pic/priv") + (home + "/pproj") + (home + "/videos/priv") + ]; + exclude = [ + "**/.ccls_cache" + "**/*.d" + "**/*.map" + "**/*.o" + "**/zig-cache" + "**/zig-out" + ]; + repo = "ssh://oda929rv@oda929rv.repo.borgbase.com/./repo"; + encryption = { + mode = "repokey-blake2"; + passCommand = "${pkgs.coreutils-full}/bin/cat ${config.sops.secrets."borgbase_enc_key".path}"; + }; + environment.BORG_RSH = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borgbase_ssh_key".path}"; + compression = "auto,zstd"; + startAt = "daily"; + }; + + nix-serve = { + enable = false; + secretKeyFile = "/var/cache-priv-key.pem"; + }; + + journald.extraConfig = '' + SystemMaxUse=50M + ''; + + logind.settings.Login = { + KillUserProcesses = true; + }; + + }; + + fonts = { + fontconfig = { + cache32Bit = true; + allowBitmaps = true; + useEmbeddedBitmaps = true; + defaultFonts = { + monospace = [ "JetBrainsMono" ]; + }; + }; + + packages = with pkgs; [ + dejavu_fonts + dina-font + fira-code + fira-code-symbols + font-awesome_6 + inconsolata + iosevka + jetbrains-mono + liberation_ttf + libertine + noto-fonts + noto-fonts-cjk-sans + noto-fonts-color-emoji + proggyfonts + siji + terminus_font + terminus_font_ttf + ubuntu-classic + vista-fonts + ]; + }; + + virtualisation = { + waydroid.enable = false; + libvirtd = { + enable = true; + allowedBridges = [ + "virbr0" + "br0" + ]; + }; + spiceUSBRedirection.enable = true; + containers.storage.settings = { + storage = { + graphroot = "/var/lib/containers/storage"; + runroot = "/run/containers/storage"; + }; + }; + podman = { + enable = true; + autoPrune.enable = true; + 
dockerCompat = true; + }; + }; + + hardware = { + bluetooth = { + enable = true; + settings = { + General = { + Experimental = true; + Enable = "Source,Sink,Media,Socket"; + }; + }; + }; + + graphics = { + enable = true; + extraPackages = with pkgs; [ intel-media-driver ]; + }; + + rtl-sdr.enable = true; + firmware = [ pkgs.sof-firmware ]; + sensor.iio.enable = true; + }; + + zramSwap = { + enable = true; + algorithm = "zstd"; + }; + + users.users.${USER} = { + isNormalUser = true; + initialHashedPassword = "$y$j9T$FZnEcCEMIC0Fjj4dZi5t8.$D8ygvO19dR5nyTZxWwDgjEimHutD.sKnD1DLAyhU8.B"; + shell = pkgs.zsh; + extraGroups = [ + "adbusers" + "audio" + "dialout" + "input" + "kvm" + "plugdev" + "sound" + "tty" + "wheel" + "wireshark" + ]; + }; +} diff --git a/fuji/hardware-configuration.nix b/fuji/hardware-configuration.nix new file mode 100644 index 0000000..a3bdb3a --- /dev/null +++ b/fuji/hardware-configuration.nix 
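Review bot: `services.openssh.enable = true` is left on NixOS defaults, which (unless a module outside this file overrides them) keep password and keyboard-interactive authentication on and open port 22 in the firewall, while the only credential defined here is the committed `initialHashedPassword` of a wheel user who also gets a persisting doas rule — on a laptop that joins arbitrary Wi-Fi networks that is a remote password-guessing surface with no key-based login configured. The `allowedTCPPorts` list widens it further: nothing in this hunk listens on 80, 443 or 8020, WireGuard is UDP, and `wg0` dials out with `persistentKeepalive`, so 51820 needs no inbound rule at all. Suggest `openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; };` together with `users.users.${USER}.openssh.authorizedKeys.keys`, and trimming `allowedTCPPorts` to services actually enabled here. A related least-privilege nit in the udev rules: `MODE:="666"` for entire vendor IDs 0403/1443/2341 makes those devices world-writable; `TAG+="uaccess"` or `GROUP="plugdev", MODE="0660"` gives the logged-in user (already in `plugdev`) the same access without that.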
@@ -0,0 +1,45 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "thunderbolt" "nvme" "uas" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+
+ boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/8a06d0e9-d765-49e8-a729-4d84c2638d56";
+
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-intel" "fujitsu_laptop" "xe" "snd_soc_sof_sdw" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ {
+ device = "/dev/mapper/fuji_lvm_root-root";
+ fsType = "xfs";
+ };
+
+ fileSystems."/home" =
+ {
+ device = "/dev/mapper/fuji_lvm_root-home";
+ fsType = "xfs";
+ };
+
+ fileSystems."/boot" =
+ {
+ device = "/dev/disk/by-uuid/83F9-733B";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.sensor.iio.enable = lib.mkDefault true;
+ hardware.enableRedistributableFirmware = true;
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/fuji/peerix-public b/fuji/peerix-public
new file mode 100644
index 0000000..046e1d1
--- /dev/null
+++ b/fuji/peerix-public
@@ -0,0 +1 @@
+peerix-nixy:8THqS0R2zWF/47ai0RFmqJnieYTZ1jaWOD9tnzpvA6s=
\ No newline at end of file
diff --git a/fuji/secrets/borgbase_enc_key.yaml b/fuji/secrets/borgbase_enc_key.yaml
new file mode 100644
index 0000000..117afbb
--- /dev/null
+++ b/fuji/secrets/borgbase_enc_key.yaml
@@ -0,0 +1,21 @@
+borgbase_enc_key: ENC[AES256_GCM,data:AD+JghEOX25tBGYhoU1ge1fqrA+5AK8N4yg=,iv:u05GVeWbL3xdZQgGkXSPkxlATd2M9MX4uSZiLOHMMRE=,tag:pmTQIJWmz+ePmSNzO/EO4Q==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEaDhSZVVibVl1NU84NG9U
+ aEVQbThIcC9CajNHS25SVW1SMFFwMUsvMmxJCkpTVThpZ0JZdEpLTnJlQWFqM244
+ LzFaUFVvWWxIcU4wRlhXalF5TkNpVHMKLS0tIExXMUx5cDBBbDloQ0sxbEY0eGdj
+ bE5vNHVHekI2RzY5M3JNcTdCa3pNeUUK8C04wF1te6epA97sNrhoz0VUn+MC7SML
+ 6N1CZK3MuRARBqcj4c/W1aXuTysvuV1o/Fl5xOk/gbumcfwnDYj28A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-04-21T08:14:25Z"
+ mac: ENC[AES256_GCM,data:7M+akGH09E2JYyKLmwpjx0VCEBmXqO6bNHFNRCO+9LdSIqsEw8MD4WGO0zwHOD9ls7+1OPFeoU+MVbtfMhmvN4g6rg+tFkXbxPSXCPkTA4tL90ZLXoBIpUBxKKhFMxtdOnjXxES3rTzjXGAvxocFOiNv/7pKbzeqMJUnH9FgAcM=,iv:h0+OpLmutMyPN3YFhyuHFgWSqxVK5WmBAE0k5ezEo9A=,tag:UKOXnTOjWaLDEOYk5YK4Aw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/fuji/secrets/borgbase_ssh_key.yaml b/fuji/secrets/borgbase_ssh_key.yaml
new file mode 100644
index 0000000..064dd32
--- /dev/null
+++ b/fuji/secrets/borgbase_ssh_key.yaml
@@ -0,0 +1,21 @@
+borgbase_ssh_key: ENC[AES256_GCM,data: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,iv:5157BQmbfuF5EYbDHCy/TmnTYErIwmgXO8RaX6f18xs=,tag:T2eZN46Qd6RgLWk4kbYgPQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5b2YzSDdaU3R5TUdqS3Nv
+ eUYraFBiZlZ1TXBqYzlWNUNYOFlyMzJvWEE4ClJ6R25CRXRUZ2FDTFY2ZmJIRkRX
+ WVJCSy83N2JUNzRuT3VuSUF1OTV2TUkKLS0tIEZ5cVg1V2o0MkdmWEx1emJVdjZ0
+ RkZFL2tRNW9RdnAwalE2ZzVQcnljRFUKRyN8ahv9ZI63m8ycl74GZ59lyAXUsKmi
+ tfPqQvL1oTtJr3hzwy2bkctXQLYjGvsMyZt2tiWpy5vLc1MrxlqVDQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-04-21T08:16:40Z"
+ mac: ENC[AES256_GCM,data:VkXpCPQB4RypDrK31pYWXeOcl8ulis6fMF1q/SLCg2wXnL0jFrmAFp78C+ers9xFhbnUnMbVc/ZJIVKfa0g94WV3jJbn4+HB0GPWQCz7LwhmG5XEY5O5sFLuDCcHb/epZvDbCsEQeiq+TGDHp6TtdL8qDF+hE2k8qfsy570wocU=,iv:HQleJtHWQ5uk4+Witn2aaqh0SvXqomfiSO/ExgPzVag=,tag:hlBmboddR8GDAmBpETi0Ow==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/fuji/secrets/peerix.yaml b/fuji/secrets/peerix.yaml
new file mode 100644
index 0000000..e2de063
--- /dev/null
+++ b/fuji/secrets/peerix.yaml
@@ -0,0 +1,22 @@
+peerix:
+ private: ENC[AES256_GCM,data:Oi8H5nqJ0Bf45wQepCjdZNHBOv4AlPxNN7L5Th3gcRQlW1FS77nusIWGSUvlmL2a5LTN0FV36o2GFPrrhiwmvnkQwuSZKc9VeDTf7SX0RRL1NLmRR/zy4WsRNJFxlqtjahieqg==,iv:6hJwqcdPayZaYZhJ0OfYLAtmeVndLEfeYZjUq5/3qJE=,tag:MiAfg8aZAHNYbB0JwcdStg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMEIyck1xbVJ4Zm56Z3dM
+ OGsxa1p0TGIvRE5DYXZzTDM3YUZFVTAxbUUwCllPd0FOUlRiZW5wT2QvLzZXYjRr
+ S1A5WjZxLzNYQ1ZWVFFQTzRwMFQweFEKLS0tIHNoZUpHS2dDNmFKc3ZVNFZuUFU4
+ L0M0MitMeDg1ZWYxcDNCQlVGUjRKeFkKvD2SKnuh517o2knPr2SOWq3kubMyI7UV
+ j6HgXVbHUDjmKl2dY+YVTnmxrK54E+Q6iiu7mQnvLdzxYBK/EiNt9w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-04-21T08:17:51Z"
+ mac: ENC[AES256_GCM,data:v4KQq3Y5ZxsyMxR+FS1BZkH/bPTIIHfQu800U44odaNycIbWnuwCnLWGyJK6Por76bWALycGppDbHPKKW/N1I1XLy/EAXo02+nhHNvKVi2cXSXciuEPc/Cl+6TbP39lx4+EOM8CZoNZ8HAiS3QPy2bwZdMjEw/OHl8TqlN07q9s=,iv:PIcv/b6t+54/yCTZj+12Yep15ors/wXNUnaXjLjpVbM=,tag:JxO5M3OYaWzqgf4gUhCzzg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/fuji/secrets/wg_preshared.yaml b/fuji/secrets/wg_preshared.yaml
new file mode 100644
index 0000000..fc4c74b
--- /dev/null
+++ b/fuji/secrets/wg_preshared.yaml
@@ -0,0 +1,21 @@
+wg_preshared: ENC[AES256_GCM,data:k+aFYDNMojf5kktn6KJ4F5mH5oGdqxdF0MO88NcYpai9USnH394XRL9ASvs=,iv:L5LIXbADhrivKjK/V0E5QpRT7BDsktwIuKHgY+2qr84=,tag:pCW1naU/ygxAIDYWV2hHPQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZSHZvYy9TTmVEb2ZSTncy
+ ckJ1bXZGWVdJSkVHMGx2Vk5ZNlZ3Q2wzVFQ0Cmg1M3hKNFhnZk5nTE54RTdyR0Vs
+ NVRiTEltSnkxdmhhdGlycHNPWjFLbncKLS0tIE02NVJRZTd0VmowT1c4cjhKNlZk
+ Q01BQWNSVWtIMnFXRWpxR3JDMU8zYTAKIbfpM8uUb09cUlA8YWtgEOL5zvWf5omv
+ baZINiAu0/f1avYmW6Qb+aLa2ALrSZaotj46Uwd9Lb5mtjJ/8v9IOg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-04-20T18:12:20Z"
+ mac: ENC[AES256_GCM,data:4PWjwxOO0UuNsevCbzCLaiW7C+So4mEGivd9GzyLKx2JlkNFVB8wqPrY1Rl1ANMrT+7LKc8tVOA4zbweNc9idFG4y5DcvnDSieqKu9v1MeEMHqNpz5TTLbCP81g7qegjI/WKul2kaWIdPaioI/f5x2E6rEYnzFv+Di2mc3W+Qcc=,iv:iE9sali0O3sQIhOw30RGR/4ZQsAPcSxq1qxosfasojU=,tag:+9AOwph5A4oDXsK6Z3YeZA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/fuji/secrets/wg_privkey.yaml b/fuji/secrets/wg_privkey.yaml
new file mode 100644
index 0000000..d341b5c
--- /dev/null
+++ b/fuji/secrets/wg_privkey.yaml
@@ -0,0 +1,21 @@
+wg_privkey: ENC[AES256_GCM,data:XL9FU1kZXvBJfwyt3HpQe8k8zg9HT6Xm0BdjNMduSu9uAgcHbglpLc/qTB0=,iv:QgX1VsmLUsDozFXmzDVPukjPNTa4Lnh806AQ4qdgpa8=,tag:RNVlDbtx8vAAbG0rinLVOw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBSnkyM1ZrcnEvM3VHL0Nk
+ THhUUDdGU2s5UFgrVGZ3WXhkYTRIVTlaeGs4CjR4eVpmRy9qUkZSWkpFZDZHRDZI
+ ZWRXSmMzL2RWZkVrSlFPcC9ueGpDVFkKLS0tIDZWbENyS2hrSCtlNlBHaE56QTha
+ eFJmWXk1SVJEbDJOc1Q1VFlzVS8yODgKFXRAtR+67x0dkQTqZPtMT0Hd+aW+5K17
+ S/lhuHRhITt3woQnecVPMYklgJJlsyQ6blKhJw8dvhbVWWThZ853rQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-04-21T08:18:59Z"
+ mac: ENC[AES256_GCM,data:xPKsGZD5RKT/WMRupe4YTgoiUQRFq77KQyGaazeY1GEPI117gWxRHEpiyCLnfhZWcaekPWoXosm32wRLwDAXM/Femk567i5uKKG2wAqApWbc+FXTQ71w/CFr9uEWFApBjpEHpuBBaFV23qJfylsqeMp9r52d9Sp5eDQC4RJead0=,iv:oiNoZ/bqQUe+luqeuldw1M0KB2d4C5T7kXy+mLFZNZQ=,tag:5pK22TYGwbBNyWlfd/Ufxw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/fuji/secrets/wg_privkey_proton.yaml b/fuji/secrets/wg_privkey_proton.yaml
new file mode 100644
index 0000000..86753af
--- /dev/null
+++ b/fuji/secrets/wg_privkey_proton.yaml
@@ -0,0 +1,22 @@
+wg_privkey_proton: ENC[AES256_GCM,data:qVVd+1s2T3sKDi03V+eMvgqW8LAVl/yEKwtG2EMn8NhBCN7RvlttC5SeIDM=,iv:/QcrtmMjCzZRulumIz5u9oxyaRt+HUq96ZiP8ecpvAo=,tag:1DCaJqVGfg3sfvKTQnmzZA==,type:str]
+wg_endpoint_proton: ENC[AES256_GCM,data:ggoWnB6nGjGc/kSOaCo=,iv:1r5J6SO5JYH7+bMhE2lGwfFETVFeS61eCXtej0Pl07M=,tag:p+0hhQ/vqZzZML24YReA0g==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdXZpL1lrOEYyYVdFTzNJ
+ SHhXRVc5Y0o4ZzN2THRjM215UWczVjZOTXg4CjBJZ2VxN0t0ZFgzTmJMeXo5SWZk
+ UjRlNmdRTVVPbHVEeXM3TWhoS0pSUTQKLS0tIEtkTURBc1A3d2lTalhmeEoxUkZj
+ K3BHZnUzN3ZrL1dFQk8rWFpZR05pbFUKObrnIpY3NR1o3/lKhTfVpQU+eQRTi7wF
+ SAjGZ5BRdCi5x1VWRxiT1Fvjqkm7kBEQFvdSvbqW2UK6lVHtWgt2Vg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-12T13:30:18Z"
+ mac: ENC[AES256_GCM,data:3UqJGcNGPZDlLA3a0uNHUI0ykDC0ByxAR2ZsrsbWQMv3BS6zyBuc+zpTHQZoIPGsAMUetuB3OuA0IQNll3abg6u2AadEQBUf1PYMWlo58txLYlAs/q0g+575F+LhDSgmDMKOFXz4HqbFP0RYTHkPnmjWPMWWY3G9o6B3Iaw5+Kc=,iv:massJRpGcH4pDZxJrpQYy80XVViyw+qFsZ8Sk9Xze08=,tag:eDvuNadKGKBS/3jauvnuFQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/fuji/ssh_pubkey b/fuji/ssh_pubkey
new file mode 100644
index 0000000..6b5fcaf
--- /dev/null
+++ b/fuji/ssh_pubkey
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMPNCxE/8z02lVOC1unJbPMH+Ma+KRJfmz33oUfz3hKc root@nixy
diff --git a/fuji/wg_pubkey b/fuji/wg_pubkey
new file mode 100644
index 0000000..ed01ed9
--- /dev/null
+++ b/fuji/wg_pubkey
@@ -0,0 +1 @@
+oHVmhw80daHjDjo7nwt/Y9eKBaH5FoTiVeukwDObijM=
diff --git a/fuji/wg_pubkey_nx b/fuji/wg_pubkey_nx
new file mode 100644
index 0000000..5ad6892
--- /dev/null
+++ b/fuji/wg_pubkey_nx
@@ -0,0 +1 @@
+eoYSDh27qQFpvOcDmuVFzSTuPnrHQYXDMqatKmDAth0=