From bd2aef1cd269185e0aa2ea42204b339fc6710bb6 Mon Sep 17 00:00:00 2001
From: tv
Date: Tue, 10 Jan 2023 16:05:00 +0100
Subject: kartei tv: add ru
---
kartei/tv/hosts/ru.nix | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 kartei/tv/hosts/ru.nix
(limited to 'kartei')
diff --git a/kartei/tv/hosts/ru.nix b/kartei/tv/hosts/ru.nix
new file mode 100644
index 000000000..334df5d07
--- /dev/null
+++ b/kartei/tv/hosts/ru.nix
@@ -0,0 +1,24 @@
+{
+ ci = true;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.13.42";
+ aliases = [
+ "ru.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAr4xgpXPr/OGrLO5vwur35esesbAwREwShGJf9btt65UQXst090tD
+ GWev8Yfi3Mr241r1TG7zpW3Idh5nth2yhzVvqGc9m6QmK27v2MKpb+ppjOKab7RL
+ 1KfdBAwjdrWdL2xO3XAYOUljxWoIV4VKX8kEBvjJEDOwl/u+g5mB3yLWebtIT7Wk
+ EneMU6wvCVKhOPeqyXmbqO/+j6+bqxkKP2/5hHcX3a91+15YbR3SvREK2rUm9stx
+ Rc3kmGUO/DiGK6MmUmt+qieGo/4vheK8hij57dY0uXFIC7U680QzV7jsUmtlKGBL
+ PoK/Xn6TLLG6nozgmF+q8esYyaYQFrwU2QIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "Eg9l+RxFSNrQ9RkTd8tSkoTIG2m7zhQpjUJBWJRft1J";
+ };
+ };
+ secure = true;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcNClgsey79WzdEQs/8qkLMHzc1SCU/MqyMerPcUi8X root@ru";
+}
-- cgit v1.3.1
From dec9c9227f979830ddca11d656b5378bc723def9 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Wed, 18 Jan 2023 20:05:58 +0100
Subject: l neoprism.r: add internet ips
---
kartei/lass/neoprism.nix | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
(limited to 'kartei')
diff --git a/kartei/lass/neoprism.nix b/kartei/lass/neoprism.nix
index 74b8aca3c..9538c3003 100644
--- a/kartei/lass/neoprism.nix
+++ b/kartei/lass/neoprism.nix
@@ -1,6 +1,20 @@ { r6, w6, ... }: { - nets = { + nets = rec { + internet = { + ip4 = rec { + addr = "95.217.192.59"; + prefix = "${addr}/32"; + }; + ip6 = rec { + addr = "2a01:4f9:4a:4f1a::1"; + prefix = "${addr}/64"; + }; + aliases = [ + "neoprism.i" + ]; + ssh.port = 45621; + }; retiolum = { ip4.addr = "10.243.0.99"; ip6.addr = r6 "99"; -- cgit v1.3.1 From d691712e3d4088b21c3f493becf4e9799f6d331c Mon Sep 17 00:00:00 2001 From: Jörg Thalheim Date: Fri, 13 Jan 2023 21:01:39 +0100 Subject: mic92: add transmission.r Sometimes transmission is still required i.e. to download games. --- kartei/lass/yellow.nix | 1 + lass/1systems/yellow/config.nix | 9 +++++++++ 2 files changed, 10 insertions(+) (limited to 'kartei') diff --git a/kartei/lass/yellow.nix b/kartei/lass/yellow.nix index bb0b1f09b..b9dcb008c 100644 --- a/kartei/lass/yellow.nix +++ b/kartei/lass/yellow.nix @@ -9,6 +9,7 @@ "jelly.r" "radar.r" "sonar.r" + "transmission.r" ]; tinc = { pubkey = '' diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index 06561e9cf..73d7f3780 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -40,6 +40,7 @@ in { security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL; security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL; security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL; + security.acme.certs."transmission.r".server = config.krebs.ssl.acmeURL; services.nginx = { enable = true; package = pkgs.nginx.override { @@ -152,6 +153,14 @@ in { proxy_set_header Accept-Encoding ""; ''; }; + virtualHosts."transmission.r" = { + enableACME = true; + addSSL = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:9091/; + proxy_set_header Accept-Encoding ""; + ''; + }; virtualHosts."radar.r" = { enableACME = true; addSSL = true; -- cgit v1.3.1 From 5a8488fa58a3ad3d2384ae15af14784c4a0b7c22 Mon Sep 17 00:00:00 2001 
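Review bot: The new `virtualHosts."transmission.r"` block in lass/1systems/yellow/config.nix forwards every request to the Transmission interface on `localhost:9091` with no access control at the proxy. Because nginx connects from loopback, any address-based whitelist inside Transmission would only ever see 127.0.0.1, so it cannot limit which retiolum peers reach the interface; whether RPC authentication is enabled in the Transmission settings is not visible in this hunk and should be confirmed. If it is not, I would add `basicAuthFile` to the vhost or `allow`/`deny` lines to the location's `extraConfig`. `addSSL = true;` also keeps the plain-HTTP listener, so any credentials can still be sent unencrypted; `forceSSL = true;` would avoid that, although the neighbouring vhosts in this file use the same `addSSL` pattern.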
From: Jörg Thalheim Date: Mon, 16 Jan 2023 16:01:13 +0100 Subject: mic92: add doctor.r --- kartei/mic92/default.nix | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) (limited to 'kartei') diff --git a/kartei/mic92/default.nix b/kartei/mic92/default.nix index 6eacb4a27..178cf27a2 100644 --- a/kartei/mic92/default.nix +++ b/kartei/mic92/default.nix @@ -502,6 +502,40 @@ in { }; }; + doctor = { + owner = config.krebs.users.mic92; + nets = rec { + internet = { + # monitoring.dse.in.tum.de + ip4.addr = "131.159.102.4"; + ip6.addr = "2a09:80c0:102::4"; + aliases = [ "doctor.i" ]; + }; + retiolum = { + via = internet; + aliases = [ + "doctor.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAuXYfR5PRMcJkJG6yjxw0tQvjtzRwZI/k2ks1SBgVhtCh1TcMFraq + /u367B6E9BrGHhPZNtTcceMunC+Tow1+JIAHQPQU1+l1w+6n3esNgYUvakv0C/Dj + opOh5mWzS81UL1r+ifXKdEs4/u561GPUdhhScxnk2lsudh0fem0Rn7yDXuGofrIo + kAD49TLV0ZEflCQLe9/ck+qvzM8yPOnDsCZlCdCZJVpOW0Aq1cfghI6BiStVkDDU + DaBj74m3eK0wtPJlj0flebF91VNMsmQ4XSmFZeDtdx/xOJmqzB29C7tTynuPD5FV + zREKo5wxgvaf/J3da5K5nCP/sOBIishlYVBNZeJqwQiTze405ycdglNiYVISpYaF + 8ikv0w19E9nI3GVjwm6mYH29eKbHuEJSou5J/7lS2tlyVaGI9opGRLV+X7GLwE1D + 01uaQsyTYB7mK33broIABp5Mu/Il1+Mi3uwMKzCL/ciPMMFoSbR+zth2QoU1wRUz + A6OK3t6w5//ufq9bKGcZ3rhU/rYzfk8nHY1F/5QBPM95WTGZZ7CjAMPzyc6Is/CL + +7jtPZPrT05yc9HKPqG2RPWP3dziw4l1TX6NXstMzizyaayeF0yPQ6chNTqgvfFJ + s3ABq1R8UV0LUBmdDAxeyKOOEqrqBcShHFxWmEzk95ghdT6P5XSMMCUCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "StFqqnSArvIfK07//ejbxkP3V4nnXsj8vu5km8LcM/P"; + }; + }; + }; + eva = { owner = config.krebs.users.mic92; nets = rec { -- cgit v1.3.1 From 18efc15b2a2694dac07f89d33bb1243492358a88 Mon Sep 17 00:00:00 2001 
From: lassulus
Date: Thu, 26 Jan 2023 16:13:42 +0100
Subject: l aergia.r: init
---
kartei/lass/aergia.nix | 39 ++++++++++++++++++++++
lass/1systems/aergia/config.nix | 70 +++++++++++++++++++++++++++++++++++++++
lass/1systems/aergia/disk.nix | 64 +++++++++++++++++++++++++++++++++++
lass/1systems/aergia/install.sh | 3 ++
lass/1systems/aergia/physical.nix | 40 ++++++++++++++++++++++
lass/1systems/aergia/source.nix | 21 ++++++++++++
6 files changed, 237 insertions(+)
create mode 100644 kartei/lass/aergia.nix
create mode 100644 lass/1systems/aergia/config.nix
create mode 100644 lass/1systems/aergia/disk.nix
create mode 100644 lass/1systems/aergia/install.sh
create mode 100644 lass/1systems/aergia/physical.nix
create mode 100644 lass/1systems/aergia/source.nix
(limited to 'kartei')
diff --git a/kartei/lass/aergia.nix b/kartei/lass/aergia.nix
new file mode 100644
index 000000000..d186f912c
--- /dev/null
+++ b/kartei/lass/aergia.nix
@@ -0,0 +1,39 @@
+{ r6, w6, ... }:
+{
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.0.1";
+ ip6.addr = r6 "ae12";
+ aliases = [
+ "aergia.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAqLtEUExq0qmXbi3aykdoW1WIneePfmm1SnFxCVcEBecJ1z326cNl
+ EIhYFSzhctwui0vG1dscmNMXHJ0rRQ0QHks1kp/x2MNMlun3Wl8Md9PQrTRGqZOf
+ ltdlNKzn8QbqcQQa9BYMgnFRzhbzzsSO3q5xqncJJ8qSxxWy/boIR9fO+OI/aUfe
+ rVLVHj/i5TTAmov5johqQZOyb7ydEbLiTbaaPSo1H/I/as0iv2jaDRdoVBL5/r+q
+ JvYFfhcdePjpwjRVNohdRwPquyM2ut91e2UyxD5N5eUoQBn+Xr18f6CQlyfJmMrc
+ /oGL+DScrDzFQ/ezCzks3O02dWAmgJsU6odUyNqtdU2x+0lhSqTRH0IXfdkj5n3k
+ K5U340/84e8Bn/1BJQoaGpBZJbK8RHdZd/0r+9+aXcI5tm2YAGaPPYzgLUYg06NZ
+ fMES28iByiCecIPci4vUZ50oOQFGQYaBNA12JC4TRbL/EfLlaax9bRAaUQr7qIXS
+ OBmKrC8eN9QO53T2d2w8Llk5d1rwq0TE3lyJEFLt7sqrHvlBFJ4fpeC+JqZAObqf
+ AJlCvFrqDYXBPzuNC2cZQX9QJ4FlGBpOObGg5KtkY0hPUyBO96OMxIDQ2+Jqc7F0
+ isAUVvn23h6i3m77jRE1AGFyIC/ReMaCH70/83AJQxRpTkzKcF98xU8CAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "Jb8RJkm+ufh8o0acM31P2BolEUneYFB4xbtyoLQywLG";
+ };
+ wiregrill = {
+ ip6.addr = w6 "ae12";
+ aliases = [
+ "aergia.w"
+ ];
+ wireguard.pubkey = ''
+ h2GFkqW1ThHpDiALrLkJEsR5NU1lXHvwk0Kers1vIxg=
+ '';
+ };
+ };
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAGcqlL5fcxT3iCTlOm5rNPGKZmx1SEDWS71d3Tvbs/";
+ syncthing.id = "K5G46ZC-AKEG3WE-MQTG6MB-PC3ZA7O-C2BOKW6-KCXTSEW-RWHKP4B-Q7FCRQ7";
+}
diff --git a/lass/1systems/aergia/config.nix b/lass/1systems/aergia/config.nix
new file mode 100644
index 000000000..a723a6385
--- /dev/null
+++ b/lass/1systems/aergia/config.nix
@@ -0,0 +1,70 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ #
+
+
+
+
+ ];
+
+ system.stateVersion = "22.11";
+
+ krebs.build.host = config.krebs.hosts.aergia;
+
+ environment.systemPackages = with pkgs; [
+ brain
+ bank
+ l-gen-secrets
+ generate-secrets
+ ];
+
+ programs.adb.enable = true;
+
+ hardware.bluetooth = {
+ enable = true;
+ powerOnBoot = true;
+ };
+ hardware.pulseaudio.package = pkgs.pulseaudioFull;
+
+ lass.browser.config = {
+ fy = { browser = "chromium"; groups = [ "audio" "video" ]; hidden = true; };
+ qt = { browser = "qutebrowser"; groups = [ "audio" "video" ]; hidden = true; };
+ };
+
+ nix.trustedUsers = [ "root" "lass" ];
+
+ # nix.extraOptions = ''
+ # extra-experimental-features = nix-command flakes
+ # '';
+
+ services.tor = {
+ enable = true;
+ client.enable = true;
+ };
+
+ documentation.nixos.enable = true;
+ boot.binfmt.emulatedSystems = [
+ "aarch64-linux"
+ ];
+}
diff --git a/lass/1systems/aergia/disk.nix b/lass/1systems/aergia/disk.nix
new file mode 100644
index 000000000..0ae0892ee
--- /dev/null
+++ b/lass/1systems/aergia/disk.nix
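Review bot: `nix.trustedUsers = [ "root" "lass" ];` in lass/1systems/aergia/config.nix makes the interactive account a trusted user of the Nix daemon, which is effectively root-equivalent on this host: a trusted user can add substituters and have unsigned store paths accepted. If that is intended for a single-user laptop, a comment should say so, for example `# lass is root-equivalent towards the nix daemon (single-user workstation)`. Otherwise drop `"lass"` from the list and grant only the specific daemon settings that are actually needed. The same account runs the two browsers configured just above, so a compromise of that session reaches the daemon with these rights.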
@@ -0,0 +1,64 @@
+{ lib, ... }:
+{
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ name = "boot";
+ type = "partition";
+ start = "0";
+ end = "1M";
+ part-type = "primary";
+ flags = ["bios_grub"];
+ }
+ {
+ type = "partition";
+ name = "ESP";
+ start = "1MiB";
+ end = "1GiB";
+ fs-type = "fat32";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ }
+ {
+ name = "root";
+ type = "partition";
+ start = "1GiB";
+ end = "100%";
+ content = {
+ type = "luks";
+ name = "aergia1";
+ content = {
+ type = "btrfs";
+ extraArgs = "-f"; # Override existing partition
+ subvolumes = {
+ # Subvolume name is different from mountpoint
+ "/rootfs" = {
+ mountpoint = "/";
+ };
+ # Mountpoints inferred from subvolume name
+ "/home" = {
+ mountOptions = [];
+ };
+ "/nix" = {
+ mountOptions = [];
+ };
+ };
+ };
+ };
+ }
+ ];
+ };
+ };
+ };
+}
+
diff --git a/lass/1systems/aergia/install.sh b/lass/1systems/aergia/install.sh
new file mode 100644
index 000000000..0e4f0ab4c
--- /dev/null
+++ b/lass/1systems/aergia/install.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+target=$1
diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix
new file mode 100644
index 000000000..800202396
--- /dev/null
+++ b/lass/1systems/aergia/physical.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+ imports = [
+ ./config.nix
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+ disko.devices = import ./disk.nix;
+
+ networking.hostId = "deadbeef";
+ # boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/nvme0n1";
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+
+ # Enables the amd cpu scaling https://www.kernel.org/doc/html/latest/admin-guide/pm/amd-pstate.html
+ # On recent AMD CPUs this can be more energy efficient.
+ boot.kernelModules = [ "kvm-amd" ];
+
+ # hardware.cpu.amd.updateMicrocode = true;
+
+ services.xserver.videoDrivers = [
+ "amdgpu"
+ ];
+
+ boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
+
+ services.logind.lidSwitch = "ignore";
+ services.logind.lidSwitchDocked = "ignore";
+
+ environment.systemPackages = [
+ pkgs.ryzenadj
+ ];
+
+ # textsize
+ services.xserver.dpi = 200;
+}
diff --git a/lass/1systems/aergia/source.nix b/lass/1systems/aergia/source.nix
new file mode 100644
index 000000000..abbf26c75
--- /dev/null
+++ b/lass/1systems/aergia/source.nix
@@ -0,0 +1,21 @@
+{ lib, pkgs, test, ... }: let
+ npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
+in {
+ nixpkgs = (if test then lib.mkForce ({ derivation = let
+ rev = npkgs.rev;
+ sha256 = npkgs.sha256;
+ in ''
+ with import (builtins.fetchTarball {
+ url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
+ sha256 = "${sha256}";
+ }) {};
+ pkgs.fetchFromGitHub {
+ owner = "nixos";
+ repo = "nixpkgs";
+ rev = "${rev}";
+ sha256 = "${sha256}";
+ }
+ ''; }) else {
+ git.ref = lib.mkForce npkgs.rev;
+ });
+}
-- cgit v1.3.1
From ab06eab6af32e794882687a25746a35a66ef481d Mon Sep 17 00:00:00 2001
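Review bot: `# hardware.cpu.amd.updateMicrocode = true;` in lass/1systems/aergia/physical.nix is left commented out, so unless an imported module sets it this machine will not load AMD microcode updates at boot, and those updates carry CPU vulnerability fixes. I would enable the line, or add a comment saying why it is off. Separately, the two comment lines about amd-pstate sit directly above `boot.kernelModules = [ "kvm-amd" ];`, which loads the KVM module and does nothing for CPU frequency scaling, so the comment describes a setting this hunk does not contain; replace it with something like `# KVM support for AMD CPUs` or add the pstate setting it refers to.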
From: lassulus
Date: Thu, 26 Jan 2023 16:15:35 +0100
Subject: l ubik.r: init on neoprism.r
---
kartei/lass/ubik.nix | 38 ++++++++++++++++++++++++++++++++++++++
lass/1systems/neoprism/config.nix | 1 +
lass/1systems/ubik/config.nix | 33 +++++++++++++++++++++++++++++++++
lass/1systems/ubik/physical.nix | 7 +++++++
lass/2configs/ubik-host.nix | 26 ++++++++++++++++++++++++++
5 files changed, 105 insertions(+)
create mode 100644 kartei/lass/ubik.nix
create mode 100644 lass/1systems/ubik/config.nix
create mode 100644 lass/1systems/ubik/physical.nix
create mode 100644 lass/2configs/ubik-host.nix
(limited to 'kartei')
diff --git a/kartei/lass/ubik.nix b/kartei/lass/ubik.nix
new file mode 100644
index 000000000..94a4a8b05
--- /dev/null
+++ b/kartei/lass/ubik.nix
@@ -0,0 +1,38 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.0.12"; + ip6.addr = r6 "0b1c"; + aliases = [ + "ubik.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAnWJKDrDmmGZbwVeaBhvOdTR4nsumo1yzOR2Iu+SMTOH6fbgJM5cW + WtlgPhrdOMrBYR956SBiBNkvsdczRrOF7F6hvXyDwwoGdWGsZXzaTMJlNAYjP5Y4 + fbJlDq8/QV/SvVFGeu4XP3g2yuU/aNu/4FkU4jlysX+8wo9qGpIFPLpLvqfuU247 + jHCatNzHfLK60fx7yt57iDhuX2plyFfQVX7xPTxudfGZKD7rEDEnKX4Ghd5dUkOA + z0lr0B1AOrkZgrnajU0ZmkjnNy8lrylCWDOnEPhJdao53gL4XFmUcZaR4uFsWuS7 + V1VM+VivuMTAXRUnJScyLap2mo6dcr9h11kas70c/R7tI2pGmxlNk9t2uYy/jQnC + WmyzNCcqpPSfKikx5sRVAVIuv2wtAKYDuZg+1D4YEfeklA0+ZZlHO43NnRnIoKeO + Za0SNUE6vtd/EPoiifMkOWtHaO0LppgOxMTk8OgUxR6dcTmbuL0Roz3aY0rSW3EG + +li3yjS3YAtMtvhQwuqooVrkBFrcGQLjTnAfCeUHbCjZidGAHnqhESA+Aj+LKx32 + 0ALQY439xAs6Vf3rICs93cO4Yxa8W1F5sHE6ANOGU+jCmSkCWI2hdHGbckD3L0AQ + NBJ+jyXm0kFfVgqRS2i17JPz2ZZxhAHw3KH13Ef1KI4tMdzCvFSayW0CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "BcbZOID7dipWNH0/uowqCF7Ivqm4QktMoz11Yv249tG"; + }; + wiregrill = { + ip6.addr = w6 "0b1c"; + aliases = [ + "ubik.w" + ]; + wireguard.pubkey = '' + JakWwg7Rq76jjzLFWPBQJPpzRHbIEbb46VLsSUOKI2I= + ''; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHlqW8zqJpjbva0NTty9Ex7R/Jk2emDxHJNpaM3WPt5L"; +} diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix index 8e5a60c36..dc2702e6a 100644 --- a/lass/1systems/neoprism/config.nix +++ b/lass/1systems/neoprism/config.nix @@ -9,6 +9,7 @@ + # other containers diff --git a/lass/1systems/ubik/config.nix b/lass/1systems/ubik/config.nix new file mode 100644 index 000000000..1d1d32f3f --- /dev/null +++ b/lass/1systems/ubik/config.nix 
@@ -0,0 +1,33 @@
+with import ;
+{ config, lib, pkgs, ... }:
+{
+ imports = [
+
+
+
+ ];
+
+ krebs.build.host = config.krebs.hosts.ubik;
+
+ lass.sync-containers3.inContainer = {
+ enable = true;
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBFGMjH0+Dco6DVFZbByENMci8CFTLXCL7j53yctPnM";
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ services.nextcloud = {
+ enable = true;
+ hostName = "c.apanowicz.de";
+ package = pkgs.nextcloud25;
+ config.adminpassFile = "/run/nextcloud.pw";
+ https = true;
+ };
+ systemd.services.nextcloud-setup.serviceConfig.ExecStartPre = [
+ "+${pkgs.writeDash "copy-pw" ''
+ ${pkgs.rsync}/bin/rsync \
+ --chown nextcloud:nextcloud \
+ --chmod 0700 \
+ /var/src/secrets/nextcloud.pw /run/nextcloud.pw
+ ''}"
+ ];
+}
diff --git a/lass/1systems/ubik/physical.nix b/lass/1systems/ubik/physical.nix
new file mode 100644
index 000000000..8577daf34
--- /dev/null
+++ b/lass/1systems/ubik/physical.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./config.nix
+ ];
+ boot.isContainer = true;
+ networking.useDHCP = true;
+}
diff --git a/lass/2configs/ubik-host.nix b/lass/2configs/ubik-host.nix
new file mode 100644
index 000000000..874d4ecb8
--- /dev/null
+++ b/lass/2configs/ubik-host.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, ... }:
+{
+ lass.sync-containers3.containers.ubik = {
+ sshKey = "${toString }/ubik.sync.key";
+ };
+ containers.ubik.bindMounts."/var/lib" = {
+ hostPath = "/var/lib/sync-containers3/ubik/state";
+ isReadOnly = false;
+ };
+ containers.ubik.bindMounts."/var/lib/nextcloud/data" = {
+ hostPath = "/var/ubik";
+ isReadOnly = false;
+ };
+ services.nginx.virtualHosts."c.apanowicz.de" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ proxyPass = "http://ubik.r";
+ extraConfig = ''
+ client_max_body_size 9001M;
+ '';
+ };
+ };
+}
-- cgit v1.3.1
From bf4a3fe78e4814b9281b7e20d8eae2e0461fed72 Mon Sep 17 00:00:00 2001
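Review bot: The `copy-pw` step in lass/1systems/ubik/config.nix copies the Nextcloud admin password with `--chmod 0700`, which sets the execute bit on a secret that only ever needs to be read by its owner; `--chmod 0400` is enough for the file that `config.adminpassFile` points at. The step runs with the `+` prefix, i.e. with full privileges, so it is also worth a one-line comment explaining that it exists to hand the secret from `/var/src/secrets` to the `nextcloud` user. The copy in `/run/nextcloud.pw` is never removed in the visible code; if the file is only needed while `nextcloud-setup` runs, deleting it afterwards would shorten the time the plaintext password is readable.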
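Review bot: With `proxyPass = "http://ubik.r";` in lass/2configs/ubik-host.nix, every request reaches the container from the proxy host's retiolum address, and the `services.nextcloud` block added to ubik/config.nix in this commit sets no trusted proxy. Nextcloud will then presumably attribute all logins to that single address, so its brute-force throttling and its logs lose the real client IP. `recommendedProxySettings = true;` already sends `X-Forwarded-For`; the container side should be told to trust it, e.g. `services.nextcloud.config.trustedProxies = [ "<retiolum address of the proxy host>" ];`. `client_max_body_size 9001M;` applies to the whole vhost and would benefit from a comment giving the reason for the limit.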
From: lassulus
Date: Mon, 30 Jan 2023 20:40:25 +0100
Subject: l orange.r: init
---
kartei/lass/orange.nix | 38 ++++++++++++++++++++++++++++++++++++++
lass/1systems/orange/config.nix | 21 +++++++++++++++++++++
lass/1systems/orange/physical.nix | 7 +++++++
lass/2configs/orange-host.nix | 15 +++++++++++++++
4 files changed, 81 insertions(+)
create mode 100644 kartei/lass/orange.nix
create mode 100644 lass/1systems/orange/config.nix
create mode 100644 lass/1systems/orange/physical.nix
create mode 100644 lass/2configs/orange-host.nix
(limited to 'kartei')
diff --git a/kartei/lass/orange.nix b/kartei/lass/orange.nix
new file mode 100644
index 000000000..7f656c260
--- /dev/null
+++ b/kartei/lass/orange.nix
@@ -0,0 +1,38 @@
+{ r6, w6, ... }:
+{
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.0.15";
+ ip6.addr = r6 "012a";
+ aliases = [
+ "orange.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAlnHedIf4f3/6Wfl5PSSz+7KvdIMkygp5m/U270sdPBh46MqYa8cn
+ OfPq40LcbWIZqAVex7mP+fK7vq8LTIr+sCKvzY46o3ZLbQQ7cCtQi02GFnSAPhVT
+ 4XEmPn9dX/nRmI8xQqzh5jRMpgeOKE+xY6QfgkERD9mflkJi5dGYCOVW1UUK7pHR
+ 7giCrUiLuQbUeIz+G7KOeIRHxU8dwD8it1Jk6KxdM3MW6HwFsuqZu0qjbBPKhTEe
+ fgzSTDtZEGmcQw5vA/RwjxoRvKYThbK/lLoVJItFAhUCWUJA8bJuIanwzPfOF0JO
+ xWkxiY3ntvn5ykbvhF6LoHE+kEfcBJzBfRFRSXV5qU5wW1FC4AQylUDrest/qXQh
+ DY8boUqK/hi/MlC2ciPH+DlBOi5wduWty8F0KqNzjg1IIEOk8H+z9hgBDbdJnYHH
+ MBjYOZ3MFpoNb2VCJTE7dlIarVdH1OOO2KkzX/GGW7wGQK94iqLHjBcGl15GcGOz
+ EOivq+783VOtzZGS4jd8D0OcCo725FzhuWi6KR5QTljwrd5C1gGFoAW7RCsUiveZ
+ 0by9aB+G2DWmSRWZsmPnnbYo6yPvp+WR2yfPu1pKwjyNsmAgTYm4bkwRIvODb6Xk
+ ShgawP5V8RDp+hUmr27KgJvUJnQbVeJf9SO1pT7IfNOjLwHv26iOo7UCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "dVIOgHjuKLDJ+QB+sDjL9Pk3pXs8wKo+gemGvNG3z1H";
+ };
+ wiregrill = {
+ ip6.addr = w6 "012a";
+ aliases = [
+ "orange.w"
+ ];
+ wireguard.pubkey = ''
+ NP8zM9+ocwsHhY9Rn6tFqIU1FR8JidqtDs7IKpl3yU8=
+ '';
+ };
+ };
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnHnTPPwMW1Oy3DBuaT4fG5ryhWmVS9Y8Sw0ezUGuLn";
+}
diff --git a/lass/1systems/orange/config.nix b/lass/1systems/orange/config.nix
new file mode 100644
index 000000000..3c13ebe85
--- /dev/null
+++ b/lass/1systems/orange/config.nix
@@ -0,0 +1,21 @@
+with import ;
+{ config, lib, pkgs, ... }:
+{
+ imports = [
+
+
+
+ ];
+
+ krebs.build.host = config.krebs.hosts.orange;
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "acme@lassul.us";
+ };
+
+ lass.sync-containers3.inContainer = {
+ enable = true;
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWzKuXrwQopBc1mzb2VpljmwAs7Y8bRl9a8hBXLC+l";
+ };
+}
diff --git a/lass/1systems/orange/physical.nix b/lass/1systems/orange/physical.nix
new file mode 100644
index 000000000..8577daf34
--- /dev/null
+++ b/lass/1systems/orange/physical.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./config.nix
+ ];
+ boot.isContainer = true;
+ networking.useDHCP = true;
+}
diff --git a/lass/2configs/orange-host.nix b/lass/2configs/orange-host.nix
new file mode 100644
index 000000000..3fbf417a7
--- /dev/null
+++ b/lass/2configs/orange-host.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+ lass.sync-containers3.containers.orange = {
+ sshKey = "${toString }/orange.sync.key";
+ };
+ services.nginx.virtualHosts."lassul.us" = {
+ # enableACME = config.security;
+ # forceSSL = true;
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ proxyPass = "http://orange.r";
+ };
+ };
+}
-- cgit v1.3.1
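Review bot: The `lassul.us` vhost in lass/2configs/orange-host.nix is added with both TLS lines commented out (`# enableACME = config.security;` and `# forceSSL = true;`), so as written this proxy answers for the name over plain HTTP only, unless TLS for `lassul.us` is configured in a module not shown here. The commented `enableACME = config.security;` is not a boolean and looks like an unfinished edit. I would write `enableACME = true;` and `forceSSL = true;`, as ubik-host.nix does for its vhost, or leave a comment saying where TLS is terminated instead. If the container is meant to obtain the certificate itself (orange/config.nix sets `security.acme` defaults in this commit), the host-side vhost should say that explicitly.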