commit b27835f9b79fa0f11f5f92b8407fe732a9b4da2e
Author: Jana Dönszelmann
Date: Fri Jun 27 22:44:26 2025 +0200
initial setup
diff --git a/.direnv/flake-profile b/.direnv/flake-profile
new file mode 120000
index 0000000..8030af1
--- /dev/null
+++ b/.direnv/flake-profile
@@ -0,0 +1 @@
+flake-profile-9-link
\ No newline at end of file
diff --git a/.direnv/flake-profile-9-link b/.direnv/flake-profile-9-link
new file mode 120000
index 0000000..4162ae4
--- /dev/null
+++ b/.direnv/flake-profile-9-link
@@ -0,0 +1 @@
+/nix/store/k88yspmzczh2hz8assh7447skldwjdw7-nix-shell-env
\ No newline at end of file
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..229d04d
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake . --show-trace
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0e6c978
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+secret/
diff --git a/default-machine-config.nix b/default-machine-config.nix
new file mode 100644
index 0000000..bd6655b
--- /dev/null
+++ b/default-machine-config.nix
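Review bot: The one-line `.gitignore` ignores only `secret/`, yet the same commit checks in `.direnv/flake-profile` and `.direnv/flake-profile-9-link`, which are direnv's per-machine cache symlinks into a local `/nix/store` path. Adding `.direnv/` to `.gitignore` and dropping the two symlinks keeps machine-local state out of history. The committed sops files live under `secrets/` (plural), so a comment saying what `secret/` is meant to hold would help; presumably it is local key material, but the page does not show it.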
@@ -0,0 +1,134 @@
+{
+ lib,
+ pkgs,
+ ...
+}:
+{
+ imports = [
+ # ./cli-programs
+ # inputs.home-manager.nixosModules.home-manager
+ ];
+
+ system.stateVersion = "25.05";
+ services.resolved.enable = false;
+
+ # Enable SSH
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = lib.mkDefault false;
+ PermitRootLogin = lib.mkDefault "no";
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ # Setup packages available everywhere
+ environment.systemPackages = with pkgs; [
+ fzf
+ git
+ htop
+ ncdu
+ psmisc
+ ripgrep
+ rsync
+ tmux
+ zoxide
+ tmux
+ direnv
+ atuin
+ rcon
+ lix
+ ];
+
+ # Set up direnv
+ programs.direnv = {
+ package = pkgs.direnv;
+ silent = false;
+ loadInNixShell = true;
+ direnvrcExtra = "";
+ nix-direnv = {
+ enable = true;
+ package = pkgs.nix-direnv;
+ };
+ };
+
+ # Install Neovim and set it as alias for vi(m)
+ programs.neovim = {
+ enable = true;
+ viAlias = true;
+ vimAlias = true;
+ defaultEditor = true;
+ };
+
+ # Disable sudo prompt for `wheel` users.
+ security.sudo.wheelNeedsPassword = lib.mkDefault false;
+
+ # Configure the root account
+ users.extraUsers.root = {
+ # Allow my SSH keys for logging in as root. TODO: find from users list
+ # openssh.authorizedKeys.keys = ;
+
+ # Also use zsh for root
+ shell = pkgs.zsh;
+ };
+
+ programs.zsh.enable = true;
+ programs.fish.enable = true;
+
+ services.qemuGuest.enable = true;
+
+ # Clean /tmp on boot.
+ boot.tmp.cleanOnBoot = true;
+
+ # Set your time zone.
+ time.timeZone = lib.mkDefault "Europe/Amsterdam";
+
+ systemd.oomd = {
+ enableRootSlice = true;
+ # enableUserServices = true;
+ enableUserSlices = true;
+ };
+
+ # Limit the systemd journal to 100 MB of disk or the
+ # last 7 days of logs, whichever happens first.
+ services.journald.extraConfig = ''
+ SystemMaxUse=100M
+ MaxFileSec=7day
+ '';
+
+ nix = {
+ package = pkgs.lix;
+ settings = {
+ auto-optimise-store = true;
+ };
+ optimise = {
+ automatic = true;
+ dates = [ "weekly" ];
+ };
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ randomizedDelaySec = "3h";
+ options = "--delete-older-than 7d";
+ };
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ };
+
+ # Debloat
+ documentation = {
+ enable = lib.mkForce false;
+ doc.enable = lib.mkForce false;
+ man.enable = lib.mkForce false;
+ info.enable = lib.mkForce false;
+ nixos.enable = lib.mkForce false;
+ };
+
+ # home-manager = {
+ # useGlobalPkgs = true;
+ # useUserPackages = true;
+ # verbose = true;
+ # extraSpecialArgs = { inherit inputs; };
+ # };
+}
diff --git a/fili/configuration.nix b/fili/configuration.nix
new file mode 100644
index 0000000..be8f4aa
--- /dev/null
+++ b/fili/configuration.nix
@@ -0,0 +1,37 @@
+_: {
+ imports = [
+ ./hardware-configuration.nix
+ ./storage.nix
+ ./networking.nix
+ ./services
+ ];
+
+ networking.nameservers = [
+ "1.1.1.1"
+ "9.9.9.9"
+ ];
+
+ networking = {
+ hostName = "fili";
+ };
+
+ nix.settings = {
+ # users that can interact with nix
+ trusted-users = [
+ "jana"
+ "root"
+ ];
+ };
+
+ boot.initrd = {
+ supportedFilesystems = [ "nfs" ];
+ kernelModules = [ "nfs" ];
+ };
+
+ # use systemd-boot as bootloader
+ boot.loader.systemd-boot.enable = true;
+
+ # secrets
+ sops.age.keyFile = "/sops/sops-key.txt";
+ sops.defaultSopsFormat = "dotenv";
+}
diff --git a/fili/hardware-configuration.nix b/fili/hardware-configuration.nix
new file mode 100644
index 0000000..552d0dc
--- /dev/null
+++ b/fili/hardware-configuration.nix
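Review bot: `security.sudo.wheelNeedsPassword = lib.mkDefault false;` in default-machine-config.nix makes every `wheel` member root-equivalent on possession of an SSH key alone, and the comment above it only restates the setting. In this commit users/users.nix puts `jana` in `wheel` with seven authorized keys, among them a phone key and a `jana@deploy` key, and flake.nix deploys as `targetUser = "jana"`, so compromise of any one of those keys yields root. If non-interactive sudo exists only for colmena, consider a dedicated deploy account that holds the deploy key and keep the password prompt for interactive users; at minimum extend the comment to `# Passwordless sudo for wheel: needed for colmena deploys as targetUser; every wheel SSH key is therefore root-equivalent.` The `environment.systemPackages` list in the same hunk also names `tmux` twice.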
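Review bot: The comment `# users that can interact with nix` above `trusted-users` in fili/configuration.nix understates the setting: trusted users may override daemon settings and import unsigned store paths, which is effectively root on the host, whereas `allowed-users` is the option that controls who may talk to the daemon. Suggested wording: `# trusted-users are root-equivalent to the nix daemon; jana is listed so colmena can push closures` (adjust the reason if it differs). Separately, `networking.nameservers` is defined here and again in fili/networking.nix with `8.8.8.8`; list options merge across modules, so the host will likely carry all three resolvers rather than either intended set.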
@@ -0,0 +1,49 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/ccc13e67-82d6-4dd1-b627-8eed8d28a200";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/2BF5-CEBD";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ { device = "/dev/disk/by-uuid/eb6ee273-11d1-4f11-8230-45be75fe036f"; } ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/fili/networking.nix b/fili/networking.nix
new file mode 100644
index 0000000..e2239dd
--- /dev/null
+++ b/fili/networking.nix
@@ -0,0 +1,12 @@
+_: {
+ networking.useDHCP = false;
+ networking.interfaces.ens18.ipv4.addresses = [
+ {
+ address = "192.168.178.59";
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = "192.168.178.1";
+ networking.nameservers = [ "8.8.8.8" ];
+ networking.networkmanager.enable = true;
+}
diff --git a/fili/services/databases.nix b/fili/services/databases.nix
new file mode 100644
index 0000000..d123089
--- /dev/null
+++ b/fili/services/databases.nix
@@ -0,0 +1,71 @@
+{ pkgs, ... }:
+{
+ services.postgresql = rec {
+ package = pkgs.postgresql_15;
+ enable = true;
+ enableTCPIP = true;
+ authentication = pkgs.lib.mkOverride 10 ''
+ # allow local logins
+ local all all trust
+
+ # loopback (v4/v6)
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+
+ # and from podman
+ host all all 10.88.0.0/16 trust
+
+ # and from vms
+ host all all 10.0.0.0/24 trust
+
+ # and the local network
+ host all all 192.168.0.0/24 trust
+ '';
+ settings = {
+ listen_addresses = "*";
+ };
+
+ ensureUsers = [
+ {
+ name = "matrix";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "recipes";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "sleep";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "houses";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "dnote";
+ ensureDBOwnership = true;
+ }
+ ];
+ ensureDatabases = map (i: i.name) ensureUsers;
+ };
+
+ services.mysql = {
+ enable = true;
+ package = pkgs.mariadb;
+ settings = {
+ mysqld = {
+ bind-address = "0.0.0.0";
+ };
+ };
+ };
+
+ networking = {
+ firewall.allowedTCPPorts = [
+ # postgres
+ 5432
+ # mariadb
+ 3306
+ ];
+ };
+}
diff --git a/fili/services/default.nix b/fili/services/default.nix
new file mode 100644
index 0000000..618c72d
--- /dev/null
+++ b/fili/services/default.nix
@@ -0,0 +1,7 @@
+_: {
+ imports = [
+ ./nginx.nix
+ ./databases.nix
+ ./media
+ ];
+}
diff --git a/fili/services/matrix-synapse.nix b/fili/services/matrix-synapse.nix
new file mode 100644
index 0000000..e4d4105
--- /dev/null
+++ b/fili/services/matrix-synapse.nix
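Review bot: The `authentication` block in fili/services/databases.nix uses `trust` on every `host` line, so with `listen_addresses = "*"` and 5432 opened in the firewall, any client in 10.88.0.0/16, 10.0.0.0/24 or 192.168.0.0/24 can connect as any role, the `postgres` superuser included, without a credential. Keep `trust` (or better `peer`) for the `local` socket only and require passwords on the network lines, e.g. `host all all 10.88.0.0/16 scram-sha-256`, ideally naming the database and role instead of `all all`. The `# and the local network` range 192.168.0.0/24 also does not contain the host's own address 192.168.178.59/24 from fili/networking.nix, so that line probably does not match the intended LAN. MariaDB gets the same exposure from `bind-address = "0.0.0.0"` plus port 3306; if only containers and VMs on this host need the databases, drop both ports from `allowedTCPPorts` or restrict them to the internal interfaces.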
@@ -0,0 +1,74 @@
+_:
+let
+ server_name = "jdonszelmann.nl";
+ port = 11001;
+in {
+ services.nginx.virtualHosts.${server_name} = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://[::1]:${port}";
+ proxyWebsockets = true;
+ };
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ settings = {
+ inherit server_name;
+ url_preview_enabled = true;
+
+ url_preview_ip_range_blacklist = [
+ "10.0.0.0/8"
+ "100.64.0.0/10"
+ "127.0.0.0/8"
+ "169.254.0.0/16"
+ "172.16.0.0/12"
+ "192.0.0.0/24"
+ "192.0.2.0/24"
+ "192.168.0.0/16"
+ "192.88.99.0/24"
+ "198.18.0.0/15"
+ "198.51.100.0/24"
+ "2001:db8::/32"
+ "203.0.113.0/24"
+ "224.0.0.0/4"
+ "::1/128"
+ "fc00::/7"
+ "fe80::/10"
+ "fec0::/10"
+ "ff00::/8"
+ ];
+ };
+ extras = [
+ "url-preview"
+ ];
+ settings.listeners = [
+ {
+ inherit port;
+ bind_addresses = [ "::1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [
+ "client"
+ "federation"
+ ];
+ compress = true;
+ }
+ ];
+ }
+ ];
+
+ settings.database = {
+ name = "psycopg2";
+ args = {
+ database = "matrix";
+ user = "matrix";
+ };
+ };
+ };
+}
diff --git a/fili/services/media/default.nix b/fili/services/media/default.nix
new file mode 100644
index 0000000..958608a
--- /dev/null
+++ b/fili/services/media/default.nix
@@ -0,0 +1 @@
+_: { }
diff --git a/fili/services/nginx.nix b/fili/services/nginx.nix
new file mode 100644
index 0000000..19f84dd
--- /dev/null
+++ b/fili/services/nginx.nix
@@ -0,0 +1,23 @@
+_: {
+ services.nginx = {
+ enable = true;
+ statusPage = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ clientMaxBodySize = "499m";
+
+ logError = "stderr debug";
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 79
+ 442
+ ];
+
+ security.acme.defaults.email = "jana@donsz.nl";
+ security.acme.acceptTerms = true;
+ security.acme.preliminarySelfsigned = true;
+
+}
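Review bot: In fili/services/matrix-synapse.nix `port = 11001` is an integer, and `proxyPass = "http://[::1]:${port}";` interpolates it into a string, which Nix rejects because integers are not coerced in string interpolation; use `"http://[::1]:${toString port}"`. The error has not surfaced because fili/services/default.nix in this commit imports only `./nginx.nix`, `./databases.nix` and `./media`, so this module is never evaluated; either import it or leave a comment that it is staged. Once enabled, the `matrix` database connection has no host or password and so depends on the `local all all trust` line in databases.nix.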
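Review bot: `networking.firewall.allowedTCPPorts` in fili/services/nginx.nix opens 79 and 442, while nginx serves HTTP and HTTPS on 80 and 443 by default; these look like off-by-one typos and should read `80` and `443`. As written the web ports stay closed, so HTTP-01 ACME validation for the `enableACME` virtual host cannot reach the server, and two unrelated ports are opened instead. `logError = "stderr debug";` also sends debug-level nginx output to the journal, which can include request details; plain `stderr` at the default level is a safer baseline once setup is done.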
diff --git a/fili/storage.nix b/fili/storage.nix
new file mode 100644
index 0000000..391dc4e
--- /dev/null
+++ b/fili/storage.nix
@@ -0,0 +1,51 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+let
+ directory = "/storage";
+ storage = "${directory}/storage";
+in
+{
+ boot.swraid.enable = true;
+ boot.swraid.mdadmConf = ''
+ ARRAY /dev/md0 metadata=1.2 name=fili:0 UUID=0796fee2:0d9f2908:24af61b0:1250fa0e
+ '';
+ # todo: email notifications (through PROGRAM)
+
+ fileSystems.storage = {
+ mountPoint = "${storage}";
+ device = "/dev/md0";
+ fsType = "btrfs";
+ options = [
+ "compress=zstd"
+ ];
+ };
+
+ # for vpn in containers
+ fileSystems."/tmp/net_cls" = {
+ device = "net_cls";
+ fsType = "cgroup";
+ options = [ "net_cls" ];
+ };
+
+ # don't allow execute permissions for "other" people
+ # (not root user and not in storage group)
+ # to effectively disallow people outside the storage group
+ # to access /storage
+ systemd.tmpfiles.rules = [
+ "d ${directory} 0777 root ${config.users.groups.storage.name}"
+ ];
+
+ users.groups.storage = {
+ name = "storage";
+ members = [ config.users.users.jana.name ];
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 2049
+ ];
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..9f93eba
--- /dev/null
+++ b/flake.lock
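Review bot: The tmpfiles rule `"d ${directory} 0777 root ${config.users.groups.storage.name}"` in fili/storage.nix contradicts the comment directly above it: mode 0777 gives users outside the `storage` group read, write and execute on `/storage`, where the comment says they should be kept out. To match the stated intent the mode should be `0770` (or `0750` if group members should not create entries at the top level). The same hunk opens TCP 2049 on all interfaces while no NFS export is visible on the page; if NFS is only meant for the LAN or VMs, scope the firewall rule to that interface.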
@@ -0,0 +1,220 @@ +{ + "nodes": { + "colmena": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nix-github-actions": "nix-github-actions", + "nixpkgs": "nixpkgs", + "stable": "stable" + }, + "locked": { + "lastModified": 1749739748, + "narHash": "sha256-csQQPoCA5iv+Nd9yCOCQNKflP7qUKEe7D27wsz+LPKM=", + "owner": "zhaofengli", + "repo": "colmena", + "rev": "c61641b156dfa3e82fc0671e77fccf7d7ccfaa3b", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "colmena", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "colmena", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + 
"original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1746461020, + "narHash": "sha256-7+pG1I9jvxNlmln4YgnlW4o+w0TZX24k688mibiFDUE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3730d8a308f94996a9ba7c7138ede69c1b9ac4ae", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1703950681, + "narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "0aad9113182747452dbfc68b93c86e168811fa6c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1751104741, + "narHash": "sha256-xPlVbk6WlgTzDvWFRyzvXMdh/ZFLEOTCQik18wg5AFQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e6117712d8b930e3aa8cf77b4816a3f0a88b3637", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1703499205, + "narHash": "sha256-lF9rK5mSUfIZJgZxC3ge40tp1gmyyOXZ+lRY3P8bfbg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e1fa12d4f6c6fe19ccb59cac54b5b3f25e160870", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "colmena": "colmena", + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs_2", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_3", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1704122840, + "narHash": "sha256-K+ubwROTgvoMzBe6h/JExJTdDSrX3gWNHX2XNOsybB0=", + "owner": "jdonszelmann", + "repo": "sops-nix", + "rev": "162696bebe125a43aaaf6a249aea16fab6925762", + 
"type": "github" + }, + "original": { + "owner": "jdonszelmann", + "repo": "sops-nix", + "type": "github" + } + }, + "stable": { + "locked": { + "lastModified": 1746557022, + "narHash": "sha256-QkNoyEf6TbaTW5UZYX0OkwIJ/ZMeKSSoOMnSDPQuol0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1d3aeb5a193b9ff13f63f4d9cc169fb88129f860", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..5c18ee3 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,81 @@
+{
+ description = "jana's server infrastructure";
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/release-25.05";
+ colmena.url = "github:zhaofengli/colmena";
+ flake-utils.url = "github:numtide/flake-utils";
+ sops-nix.url = "github:jdonszelmann/sops-nix";
+ };
+ outputs =
+ {
+ self,
+ nixpkgs,
+ colmena,
+ flake-utils,
+ sops-nix,
+ ...
+ }:
+ let
+ pkgsForSystem =
+ system:
+ import nixpkgs {
+ inherit system;
+ # config.allowUnfree = true;
+ overlays = [ ];
+ };
+ in
+ {
+ colmenaHive = colmena.lib.makeHive self.outputs.colmena;
+
+ colmena = {
+ meta = {
+ nixpkgs = pkgsForSystem "x86_64-linux";
+ };
+
+ fili = {
+ deployment = {
+ targetHost = "donsz.nl";
+ targetPort = 22;
+ replaceUnknownProfiles = false;
+ tags = [ "server" ];
+ # buildOnTarget = true;
+ targetUser = "jana";
+ };
+
+ imports = [
+ ./fili/configuration.nix
+ ./users/users.nix
+ ./default-machine-config.nix
+ sops-nix.nixosModules.sops
+ ];
+ };
+ };
+ }
+ // flake-utils.lib.eachDefaultSystem (
+ system:
+ let
+ pkgs = pkgsForSystem system;
+ in
+ {
+ devShells.default = pkgs.mkShell {
+ buildInputs = with pkgs; [
+ lix
+ colmena.packages.${system}.colmena
+ (pkgs.writeShellScriptBin "apply" ''
+ colmena apply --no-substitute
+ '')
+ ];
+ shellHook = "exec $NIX_BUILD_SHELL";
+ };
+
+ formatter = pkgs.nixfmt-rfc-style;
+ }
+ );
+
+ nixConfig = {
+ extra-substituters = [ "https://jana.cachix.org" ];
+ extra-trusted-public-keys = [
+ "jana.cachix.org-1:LN0lzHx7QH1RBoDn3+psi4HOEAXW3EqRa/u0ncQ1XBE="
+ ];
+ };
+}
diff --git a/secrets/authentik.env b/secrets/authentik.env
new file mode 100644
index 0000000..8b3025e
--- /dev/null
+++ b/secrets/authentik.env
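Review bot: `sops-nix.url = "github:jdonszelmann/sops-nix";` in flake.nix takes the module that decrypts every secret on the host from a personal fork, with no ref and no comment on why the fork is needed. The flake.lock in this commit pins it at `162696bebe125a43aaaf6a249aea16fab6925762` with `lastModified` 1704122840, roughly a year and a half older than the `nixpkgs_2` pin, and it brings its own `nixpkgs_3` and `nixpkgs-stable` inputs. A comment naming the fork's purpose and its upstream base, plus `sops-nix.inputs.nixpkgs.follows = "nixpkgs";`, would make the pin auditable and drop the stale nixpkgs copy.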
@@ -0,0 +1,8 @@ +AUTHENTIK_SECRET_KEY=ENC[AES256_GCM,data:Iml9MKD/GVvsLJLEdkOPH2U+JENsaAvhlk4FT2cyFxlbaCAET2ipCD/GDx4=,iv:okpZlEnrFoXlS+6J11vB+z576pOshO9Tao9rlsDTkoY=,tag:3N3pVuIhPz4I42yt5tMX9g==,type:str] +AUTHENTIK_EMAIL__PASSWORD=ENC[AES256_GCM,data:m7r1IMvitkWEF5ngcAP8xY65anGq,iv:6vdnm8QXrNabTOLePwdMVSYvtcjmJUwRb6inbKxKii0=,tag:IOiSSQHltejNETUHuWvHgQ==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiYkJWNmhXM0FVWEUxQUhZ\nZnBDMnhQV2x0V3RrU292b241eW9pVXE0Tmo0CnUzVDVPbmVSdDlJWEpFTnhuRWtZ\ndW9OT3dVenlMbmYrQUpjcUt6RlJDcVUKLS0tIElQWkpUSVhkalVxYVM1TWRmUmNQ\nK1JTVmFMS21OeGlndWJSK0FLeHVZeFEKWX8mTFaauqBolk0nAkUcv+b/6rKA8Qzp\nhF16OnjtkjSDQw6Y5zNvahOXNgQudrGRZqudSC7RwvTEQ55Ci/JMFg==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw +sops_lastmodified=2024-11-16T15:46:29Z +sops_mac=ENC[AES256_GCM,data:KQeVdOC2nrB+ZrLhSolLIkympnSgHRO+uF1Ku4PG3GU07hHhlyOe4UEfU8+zm8ETgwf66u1yWv9b2O4J5l//KqBR6fWJyu4htDSYBfcLT69E2IrtfyWgTbjRWcXcLCXx5XT3OmNr7EcjkzoeW8fPFmTAjTjMPzddD0uqOoJAeJ8=,iv:E4hiyBiffBWqdDjeNCMrWP1YQjEeGkHJhGTCdmlJ52k=,tag:GdEX74HgCVyp0gFHPhi18g==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.9.1 diff --git a/secrets/deluge.yaml b/secrets/deluge.yaml new file mode 100644 index 0000000..b0868ae --- /dev/null +++ b/secrets/deluge.yaml 
@@ -0,0 +1,21 @@ +deluge: ENC[AES256_GCM,data:/w9plpppO+CjKy+WhjfxQZfCWgVU5+zfl2HgUMqNcGG4Rjik,iv:qGlxtKgmwvVnNw4E8lZnZbkI4NZ9nQaFQNrp3xaXI8k=,tag:JLaNuxYTNnIgthSBXkyRVw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VWhtSjNFVVhMWFlqV0U3 + Z3R4bkd1eHpFaXBTWjh0RENKaEdCa0UzL0dZCnNPSExXeGxQdGR2d1I3Vk1FdVdT + WnFkQnZtWGpOVVpOMGlWMDVGMXJXYlkKLS0tIEdpdVNhaVlaYW1ZU081NS84TlFS + Q0JwVDJGbzNlc2o0R1VTeG80bEpLV2sKe6fwXt7P0/zxbZucu4L61iAht/Xj1V82 + UR7Qc7SmX6sAFD5JOh9SaFY19UGl0l1gQ3LYR34w3KABirSqC4BIrg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-27T07:52:50Z" + mac: ENC[AES256_GCM,data:s9QaVqCAD4Jqatr0cahB2DSDQaaDCnJIFrC9AsWLlkrXZbnrnzCn77WOaBpOTttAAzamY5zWqYIFHtc1LRRJvg+IOD6fRc2zCLOR7DsQH+7EzNjCFVfH85e0QrDqoD0OhBAqDtZb1O7lS8i62J5PyXgIpcuD+NJMqX80FYu5Kxw=,iv:2ATaeguyBEvYnd+xJ4kV02K0sPZngHhCDqest8aH75U=,tag:mgtq8b+2TRdhF/2itumbwQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/secrets/houses.env b/secrets/houses.env new file mode 100644 index 0000000..1960a51 --- /dev/null +++ b/secrets/houses.env 
@@ -0,0 +1,8 @@ +EMAIL_PSWD=ENC[AES256_GCM,data:Msh1GU/+/dLhFPcUdjoSuGTNIfrf,iv:q/e6bGIuSqLZhQ9jrcNPZz5Dx24ftubq37mp5Y0aflI=,tag:Uqw06eOXoRWOGHMnmWr8UQ==,type:str] +EMAIL_ADDR=ENC[AES256_GCM,data:1Beva3P2R5DZQlwXo70YOkrAsQ==,iv:kg9jr2/HAK6C6d2LBFqpPstMjZ6h4MWW6QD0CXgnsqA=,tag:Rb1/TMWQYzKaBQPe5zIBqA==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJNVRWcjQ2QmxudmdSUzlP\nLzcwSXBib3dQblZSSFFNclMzYlpZdDVmb21vCmJTNjluRC9pV0h2ckpzaUJNcnhV\nZWhrOHVmUHc5cmJpRHYwOWp5TWJlQzgKLS0tIFd3WUw4YUVsZkRHeVR2SkN3dGVB\nZncvU2J4akN6Zlg3TUxYbTdmZ1FZSlEKMXuc+Xwr160bz+uraiwM1pNYpnws27zD\ngEClwqCGUrzcfogleYifnFT324ibk72IdEp95yPKuB9fTP9lYEtt9w==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw +sops_lastmodified=2024-11-15T21:58:51Z +sops_mac=ENC[AES256_GCM,data:8Gbu85+JPbHtCJpFsterCWYeDjBRlkydsNAiDm31W17xXHeExXcHB8q57lK/KeNuEfeaMLBIEh7J0wII+Y3LHJmZq4ErZgw/NRm8SGIrPqRtQRA9rIPiAklZEwmcgizEGvAuDMmfdNCGln8CRXLnkkeLqtmK0zqRYnahhL03yxE=,iv:JRF71fqSU02DNiXXq9SIJmNXMjGd+323a/72f6XYUjQ=,tag:7nx6W+HhoBDHhdCm3+0eqw==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.9.1 diff --git a/secrets/mapf-prod.env b/secrets/mapf-prod.env new file mode 100644 index 0000000..a9bc112 --- /dev/null +++ b/secrets/mapf-prod.env 
@@ -0,0 +1,7 @@ +MAPF_SECRET: rZGeBaShgtOYxy/8sKwWyTGlFABkAbJ+QcRpr5Vwc1oJddwjye5U2A=ENC[AES256_GCM,data:Xg==,iv:k+gFdGIIcT8y9Qh+pe1BLki+1w5vm+AXDzXRjXyKRgg=,tag:5h9+IDMQ4jpXlMZrc23MoQ==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpcDhRSXcwSVBoSmVpcW1P\ndGNoSHRMK29jekVIYzR4N1dVclMrVWROd2hjCjNVRWRGTmFTbHNLTytTUGoxSG52\nR3YxS0FqWHk3WFc5cHRSQTNkRWs4Tk0KLS0tIDJ1TkVFY1Q4L1B0YkNhQk9FRlUv\nOUV2aFgwT0t2R3lhRFpJYmptc2RuaTgKzXKb1lXfIYYt0ufluK6KGeKEYaTzg6Zr\n7CYjLaEFTiOcSyjx3ns1v4KvfPkugRX4OHK1vU18WJLUw6dxuOEx9w==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw +sops_lastmodified=2024-07-20T13:00:34Z +sops_mac=ENC[AES256_GCM,data:InU5BymJGWK+rORfpsW7NnpAspdLHUQvBpFdPbZLE+m8RTLW+f1VE27MOtdTOGKPc5X5yM1YNcHodiiJ4D+L6fG9cHM6dhjmVBWQCVsg5/RiH1V746NSACgdHnY15cUndMjX5ETNr+Ap1VW83SzOUSzpGrd9G/Yczt4yhWb1bGw=,iv:bC8wR+iLQSgGhJHC7Ny60oh+PKFPuH9PklrYyUyzTgY=,tag:UfvIO7p1fufSRyoCktESoA==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 diff --git a/secrets/markdown.env b/secrets/markdown.env new file mode 100644 index 0000000..60c6177 --- /dev/null +++ b/secrets/markdown.env 
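Review bot: The first line of secrets/mapf-prod.env is not encrypted: everything between `MAPF_SECRET:` and the `=` before `ENC[` is readable text, and the ciphertext `data:Xg==` is a single byte long. It looks as if the entry was written YAML-style (`MAPF_SECRET: value`) in a dotenv file, so sops took the whole `MAPF_SECRET: …` string as the variable name and encrypted only what followed the first `=`. Treat that value as disclosed: rotate it at the service that consumes it, re-create the entry as `MAPF_SECRET=<new value>` before encrypting, and remove the old line from history if the repository is or will be shared. A pre-commit check that every non-`sops_` line in `secrets/*.env` matches `^[A-Z0-9_]+=ENC\[` would catch this class of mistake.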
@@ -0,0 +1,9 @@ + MINIO_ACCESS_KEY=ENC[AES256_GCM,data:ocRHyEiRDLwlu6QUN0t6CIhC,iv:pEjcEeIGOrQZ6cfrsPNgOAUVo6id5uoUm80QCkBWlBo=,tag:dBbWBk1gM9fklQnWFOxFng==,type:str] + MINIO_SECRET_KEY=ENC[AES256_GCM,data:TmIoWFU6KXcou/PX57jHXndtDwWuAWNWzSfXSezUuJ+d+A==,iv:MaMoFlIJw42B3ivZuVScpszgyUAH8RJ4umIrdO8jsew=,tag:Le5+9AhdresYVhM/NY37zQ==,type:str] + SESSION_SECRET=ENC[AES256_GCM,data:KghcYAqFAAau+1h6D9Pyinf4qY0W9FDJid/8VJDBW9uHdyo4QBUJNbB1m7r3Dh9MH4kBfVjwagBAADaYEYLTbKzOSrNGRrdp7+UQhmYH0sQn6Ja4V1VnzMyunLPHojU+apsyvy3dgzLPl5MZ2kfn4NFKX/6RhnbVqOO5ybx60k76rw==,iv:STjAYh/DcX8JUjnPHtEFbL2/2JwC/N0w3wFaDIkUybg=,tag:s9EbeDSkyfCsCyp9OlSO6w==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrb1BDZ1N6U29LVUxmOXBz\nMVNGdTcyZGdrREtwYnZiUDRBUEtkNWtrbEdNCjEvQTdBKy9wbUEzRnJ1Uk9neDhq\nT0ZNWk5tTHRUTDJOTFRiVHNXUnlqUmcKLS0tIEVoQS9pQTZ6eHdKTjRaZFhjSVNY\nNXBWbHpHN1I4UWdNNXpqQkE0YWJ0UHcK0ssbcZUWntiHse1ZkqJwQ4+ta4V2Yk0o\nzJCEClYzuJHPZzdLRMxzgRMYOib8J+oDFrQxG69eE+8x7zzzQdZf0w==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw +sops_lastmodified=2024-01-01T15:11:06Z +sops_mac=ENC[AES256_GCM,data:dx1lF7o8cThBDgcnEt4s7KrIv3qQGRww6aIdQ8chAeFFjC7Wfdfsjz+gLn4R/vEzBSRPfly/W4tPbNE6B89st13vCSuIBMLMa8F3JKzmcAarvFmGuRDGnfV+EAHJECviEa/DOBXbg1W4t33dTqont8ZOYD9PtsK7e55yaCPOg2Q=,iv:rCLbIxYS19DXK2QIlYQgwqo+LxaXX6+ZfPm3+Ucl/9Q=,tag:a0lnwcLjSbQ4QV3566osIQ==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 diff --git a/secrets/minio.env b/secrets/minio.env new file mode 100644 index 0000000..54a4b85 --- /dev/null +++ b/secrets/minio.env 
@@ -0,0 +1,8 @@ +MINIO_ROOT_PASSWORD=ENC[AES256_GCM,data:xo1XpBya+c+0/isGS4Y7dDzpCMQSgdqDniI79YwsC6bk,iv:SE6ueqs3slZqfw1FMwIeOlTWW1c9AEA1rNgElmnmny8=,tag:NPrTkhPlIWkUleQH8rv8Rg==,type:str] +MINIO_ROOT_USER=ENC[AES256_GCM,data:SLD7qLdp9Qw=,iv:nyoJMkFpYCMrENkNWCPtKeSr3VuzJsDAEX1MCcSXSes=,tag:El3t0wLar3GbSTW+ha8lFQ==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2dWhsWEpwUnpwVVNBL2ZS\nbjhUc1h1MXd4YUdYRlg4L3liaE5VRG9GTUZNCjcxMUkveDBtZ1BFMDQ4RURpdFpH\nbjZENFE2OHVDWU1tY2doM1RqcHNtZWcKLS0tIGE1QnZUTWNzTWpXSmU4OThFZVFE\nL0NlVjZwT09XRDdGUnhpZ2VCaVZhNmMKs+v6IrYTbhqZzYcrHwGqHmYsHqQyJAcg\nrplBAzyY8pSPnwDrJnvZpgHJwZFq/UUoVRgLktWomdiWIgC+USysiw==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw +sops_lastmodified=2024-01-01T15:13:59Z +sops_mac=ENC[AES256_GCM,data:XcT4SHTC+divZHUccpjUu1F8zEeL3Du0IGZqb3Plz/lQC4yFuqZpFs8MAmiFhbw+8PO0w1ESFV33roMIDp1ZSrReUp+Pd8wtqDd3PS087l+yuOExISY0566BR141cujYUw83WO63KNyJf3n35aoFtTUAOZ7ZDPtHG4BVuSXSifM=,iv:q6tCSwsA1dzX11Ml6kwrpVt8JFyRyx3diJqn57eFeCE=,tag:SlMAvzcgBhhGAX1DZrNSSw==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 diff --git a/secrets/mullvad.yaml b/secrets/mullvad.yaml new file mode 100644 index 0000000..1d0e81f --- /dev/null +++ b/secrets/mullvad.yaml 
@@ -0,0 +1,21 @@ +mullvad: ENC[AES256_GCM,data:ZzLVUyH32OnyMx5K36PVw4KxL0hMjEco4f88FhRqooaxJMuPhbfth16sgCGhkn9/fv2IE5pJj/oLNmbCQhDfh1SXIbfoV+TAoVNePeHvTZl2oRhMPvhwMM9FYf9+tQqZ2sah7weO7nFt1Z1Ue85h0asiUoIC0Ft16H2IQI3ScNBildajZL2NDXT2zGiEQuPcLzQg4x9qOtB5IBy/3rIA/DGVH4YlDH9jN8InxmV8Q26/1oN7MHIMOd0UQWOQEKggzPZETrY6RDkpEGKPyGqO2oyoLadWsE+TV7cFiT3ULaJSB0ZcNf3ZmkkqJ5zAb5bWztLmPUTDtFPohMcSJulLwXKxooz1RhTjlklZY2dvRF0EfuHQZB5ccJS32c3545HvpQ==,iv:7u0g70YFNlzyt/IJnC3mWjkLEhOwu9C93r7VnZ828EU=,tag:TskCPydRlB38GQdMFQDvrw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJQnNrYXg3ajBycjJ2am5I + cnFrb2doRHhiM3U1emZ0VElWSjY3WVRzKzNBCml0amYzREdtTmk4WHVhYy83cWt1 + aDBjN2xiVFQyamczNHBlUS9USWc5Uk0KLS0tIGgrVGhranZ2bjVTd3lJM0NIUVFN + cTgrSlBaK3BVTlBMM0lqd1FRSjVqcXMKnAI3PFSqhRaPGxzuclxj2dp4v/vMRZti + JXoi26CV1UAHlWYcl+bDLPpOl1ti1IFDx+tO5aJJVOEuIi1L8iTibg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-16T12:47:50Z" + mac: ENC[AES256_GCM,data:3tWeubU1vuGc6VbJus6OzAaf5RQ85mCZV3UBT4wpQz+QGUPmDsEqq1B+Pid+viW/Rn9E8gAjiz/nR7pDWGrLH7SIWcpVSm2Psxc5LBhldek5EPtR7SNA8uTX4S5P5/Jj4+9mPHSPu8zR3my/6JrigEYoJdWDSV6B2Jt2HIL2aDQ=,iv:U2MQ/XS1HtQSUJs19cYDYDc6GGvy7SDxzqD4qb40B+8=,tag:zWX8pcuntUlrpgz8erXpIw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/secrets/recipes.env b/secrets/recipes.env new file mode 100644 index 0000000..8476077 --- /dev/null +++ b/secrets/recipes.env 
@@ -0,0 +1,12 @@ +SECRET_KEY=ENC[AES256_GCM,data:KWZ1ZVt0ql3n4P7o97OXllVEBa5FDm0rZdvZf7vprP6y9U0NkKcrdYSsLr4B6lNjfA==,iv:A7sBP3dswrPEcu0LDEVfX/ZhAy7qO37mwkAoGc0k1n0=,tag:hGwlnxRrpYpZ6Nm26mknEQ==,type:str] +SOCIAL_PROVIDERS=ENC[AES256_GCM,data:jKhtPHbxj28yIT3O4609U3oRkM9n+Y2tmoDgFYrXXlrhBtMI0IopqPef5UAttA==,iv:GZKjJ+bkO9dvjcA8Y06rJ1dQynXr+nvdWut33LrCl9Q=,tag:joRgpsS85Q6ljUUpqQ53oA==,type:str] +SOCIALACCOUNT_PROVIDERS=ENC[AES256_GCM,data:ud6mfmwH7Mw0HuG3N6phugiCdqG2T8JpMYaFZTFIvE9Kwl4Bzpz6IF2qKcTGI6Dx+zTBKrpfsfoZuUoARiUE5Ib6oKXVpO+JUsf1waHpIxot/qKisX3YM6901Ud+u+ofnpB94vzg0ppAcqoiJ+M/PnzFWgEUiQSJBuiBjkZ6uPviCIFwBUYjPqwQkp66Pbftw908rmE302g+LMIUko5Yb7DwDlez44vZuTGiFAf48dgWmQ3gotpqpFCSJeFAsPuXX0T6wWQp3xrEZ/GNoxPSp0lrjQ4rP8OzKML+hj0PfwRB2UeEpfwg7QzyKfr/ugLVVkXgH1zjNYRRtl8awbrlYIprKES80+msfi/KjJ5trV7cAnHzDpkIwCtggLawKq5ZNoYVCTrLlhDyRtYgtRzhhoHd3z6wxPvglxXpa9n9cj7iO9AkmqnWXHHFG4+9HAUzZFX4/w8zSNazRvGXHNAszosH5NlzwruD/RFr9AykJZQIcVJfuW4wKslfGW3nEMzKijJ0GoshSFK/5c4zaBmOX2EDbjs+nZAd7iYJtSUW0iG6yfrmoQIzf29FlCV0dg==,iv:YEcG1KakdP0XB2QGi5qL72bkwgQa3s+u4AVtA/roZvo=,tag:/4kGp3yXXLdiT9vngXsr2A==,type:str] +REMOTE_USER_AUTH=ENC[AES256_GCM,data:FQ==,iv:9sxvJMxdBnDCVhw59VFxEAtplnc5PatqmTdjJslR/xA=,tag:Br66wtmmgsqjUnOgT8qY/Q==,type:str] +SOCIAL_DEFAULT_ACCESS=ENC[AES256_GCM,data:HQ==,iv:NX4blKkmgufydRi0g2GcrribsmL0JD1Wt7SKw9H/phE=,tag:+cNNg47B0WS8//uylNfSNQ==,type:str] +SOCIAL_DEFAULT_GROUP=ENC[AES256_GCM,data:M5X7I48=,iv:Sghrk+50vdwIMKX1t/YS6k1eUZgU/oZl6nPB3uUkqCE=,tag:z2o4wLqM6pEypfg0YPEqlA==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MGU4eUE4VHk3Uk5NMHBk\nZW44UTQ5VWZqRWZ2R09Zdk9XZjBzRzFZREVJCklaNm5KT2RPaDB1Z21STFVvZDFE\nQXZ3VjVTRldhVlVWeGtvdzJPL1RyNlUKLS0tIDVqYTc1dE5Td1NsbWdSbVZHajZz\nZnQ5TkplSXh0WlhDY09FOTg4V3dWdlUK3hW+DyFioTjjEfYJI6viOwHjrk/nCUNo\npGwYm8Ds+9vyDPGMazkUzCdM050y599YStjE7XnsbApMAI5myJ1BNQ==\n-----END AGE ENCRYPTED FILE-----\n 
+sops_age__list_0__map_recipient=age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw +sops_lastmodified=2024-11-17T15:17:33Z +sops_mac=ENC[AES256_GCM,data:ixkzumZ+2blsD8ztx7dOEqQQRUysyrSu57WZarRm4rlSlcm6817GL7Wt89ktkuUqZvXJ9/uoqsmrVQ7AvDOXa5b5z9aTwXPm2WlH9lQ753qBtlRusJduLku6NDCmiWTm6trgu/+Ri9UdMuTEjgrRaJMZpmYWWT+UPR4Eq1UCaSI=,iv:6PbeWnvNHQ+lq5LZ0tMSslocwwCZlwxszss6FL3uZl0=,tag:v31EioeVkSP6jYCXwYVWVQ==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.9.1 diff --git a/secrets/sleep.env b/secrets/sleep.env new file mode 100644 index 0000000..915b1e5 --- /dev/null +++ b/secrets/sleep.env @@ -0,0 +1,7 @@ +DISCORD_TOKEN=ENC[AES256_GCM,data:r2JY5Ig7yUijarzneODaa2jhhVTFzboaYsx4xrp1T0SiR3Rk6Bz8Uxxj340iYtfotA1RPgWBvuefVS89905GooHpGvgx7gfQx54=,iv:cwkmhBHPEGOfAxjIlSWvRa0Lxyvb5AxRDk7zYS17aig=,tag:H3v7VeALIomL0cABaECyVw==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwaUVlUlJHUjBDWGRaV0JW\nd3VkZ25WbyswWHVtVnlxUUhaVyt5aE5DRENNCkc4eDRHb2tNUmlZWGhNOU16ZXF5\nd2V6c2VhT0laWXc2N0dIckxEZytzaUEKLS0tIGRReUkzWmdNTGtrR0FaNFdtQytT\nMUF2MTVlTzZMTHYvVENCTndhVHFCblUKqH5Wd0rxrOcVCDrt5ntYRlWkw8rv872C\nEOcKYcAyujQwCgAqclpSi7//VkuvWu11LQGkb24bD3LKbT2wLaJ3AQ==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw +sops_lastmodified=2024-11-15T21:42:42Z +sops_mac=ENC[AES256_GCM,data:p8sTnU3L/g7WwaVdm/tQOWkKM8Jymitxg1EpkprPc1jfsbb7Joa3/bMxsziwUqaHv95ltbJwpvoZpLlKNKz61Kpm0qGZvXdCQsTTBpkxsn7ILKDs1B2DMToHqqZBume9NjrozmjFoR5m8jFvOhSdwVI1o/CLAHc3IJhZPk++3Jo=,iv:UjpYPxcmfzYe311GHGepKsd07HYUmNeqRNlisJz7Qzw=,tag:L2cIsM3QVU48T/Okw2wA5g==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.9.1 diff --git a/users/users.nix b/users/users.nix new file mode 100644 index 0000000..c32bb88 --- /dev/null +++ b/users/users.nix 
@@ -0,0 +1,99 @@
+{ pkgs, ... }:
+{
+ users.groups.media = { };
+
+ users.extraUsers.vivian = {
+ isNormalUser = true;
+ shell = pkgs.zsh;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKME+A5zu36tMIsY+PBoboizgAzt6xReUNrKRBkxvl3i vivian@null"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8llUcEBHsLqotFZc++LNP2fjItuuzeUsu5ObXecYNj vivian@eevee"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICBhJAp7NWlHgwDYd2z6VNROy5RkeZHRINFLsFvwT4b3 vivian@bastion"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMMbdjysLnmwJD5Fs/SjBPstdIQNUxy8zFHP0GlhHMJB vivian@bastion"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIfooZjMWXvXZu1ReOEACDZ0TMb2WJRBSOLlWE8y6fUh vivian@aoife"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMTCUjDbDjAiEKbKmLPavuYM0wJIBdjgytLsg1uWuGc vivian@nord"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIM3TqXaApX2JZsgfZd7PKVFMecDgqTHKibpSzgdXNpYAAAAABHNzaDo= solov2-le"
+ ];
+ };
+
+ users.extraUsers.jana = {
+ isNormalUser = true;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [
+ # ori (lenovo laptop/desktop)
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIET69oniNUA2nJV5+GxQ6XuK+vQbO8Uhtgrp1TrmiXVi jana@ori"
+
+ # bastion (arch server)
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJT6QJcxhUKjvHBv3Bd1rugyfAFUpxIe9cu1Frw3ylL jana@bastion"
+
+ # fili (server)
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0pmCsQeMMJ0r3o/XN7Zw8YFa9OEqrL3ikoGTK0OUY6 jana@fili"
+
+ # kili (tudelft laptop)
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAXOTU6E06zjK/zkzlSPhTG35PoNRYgTCStEPUYyjeE jana@kili"
+
+ # nori hp tudelft laptop
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSCuEu1kFg8mAgpOuYZ/IH2Ur7LQP7sQrDjcPmerkSx jana@nori"
+
+ # oneplus 5 phone
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTqoHEVYxD+mwmZhPj+1+i1P0XmgTxXgSnPdPwFT1vr u0_a484@localhost"
+
+ # git deploy key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgadaDrViJp0Z6fbLBAo9grkmCeNQliIPXe12l3X3i/ jana@deploy"
+ ];
+ # Make me admin
+ extraGroups = [
+ "systemd-journal"
+ "wheel"
+ "networkmanager"
+ "libvirtd"
+ "dialout"
+ "storage"
+ "syncthing"
+ "jellyfin"
+ "media"
+ ];
+ };
+
+ users.extraUsers.laura = {
+ isNormalUser = true;
+ shell = pkgs.zsh;
+
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBIlFUUXbwOkhNUjoA6zueTdRuaylgpgFqSe/xWGK9zb laura@zmeura"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBVkk9/80askWhInQk03JMntF6SThAYkFZNm+lIGt4E7 laura@mura"
+ ];
+ };
+
+ users.extraUsers.wffl = {
+ isNormalUser = true;
+ shell = pkgs.fish;
+
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbYifrfevSlcZvKSCpJShXGX89dlLdD0wEl5L3CvX6e"
+ ];
+
+ extraGroups = [ "media" ];
+ };
+
+ users.extraUsers.julia = {
+ isNormalUser = true;
+ shell = pkgs.zsh;
+
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfVoCjrBTOH746bJCKQwRgWzjFskNeLQKz73qmd4P3tmiJIFMAim7MiCwtQbxvIUOTZHbG7vRHZ5SwSH/d/wqmESmY1meRH/43uP4YlRRwUFkUHcwEJsVP9dDza0jYuBXVo04B/fuP93W2+aeBPKiSuWrnQ9s2LwRJ/0aqani8xpVn87EXp90aXjdF4iqu7tL4Nn1zUULYOdULrry0j6moUumUhmtkWb0PrTcxZr7BoDz8UH7Fu9G0uK8Xr5dAxs7RgTyFpUWg6h+AKQczMHLluwuRr2m12gWXKZIVO+Sw1PYYuU58Y7+E00KEM1Xy9SnuOW5ZgnxWBqydD+Gc2q67"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPCatP3klEjfQPSiJNUc3FRDdz927BG1IzektpouzOZR"
+ ];
+
+ extraGroups = [ "media" ];
+ };
+
+ users.extraUsers.jonathan-brouwer = {
+ isNormalUser = true;
+ shell = pkgs.zsh;
+
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFP6UDiX8vb4rHV+8Zwaozh8dnCAsPM+fe/4BEfC/xyV jonathantbrouwer@gmail.com"
+ ];
+ };
+}
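Review bot: Several entries in users/users.nix cannot be tied to a device: vivian's list has two different keys both labelled `vivian@bastion`, and the keys for `wffl` and `julia` carry no label at all, while jana's block documents each key with a comment. When a laptop or token is lost, that leaves it unclear which line to revoke. Add a short comment per key as in jana's block (owner and device), and remove whichever `vivian@bastion` key is stale. julia's first entry is an `ssh-rsa` key next to an ed25519 one; if the ed25519 key is the one in use, the RSA entry can probably go.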