diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..3c3bb45 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,15 @@ +keys: + - &primary age132m0pg4utk3cjve2lgcjffvz7cevl0fq5krufu9sgud7wu2wgurqk49kgl +creation_rules: + - path_regex: secrets/invidious-db.env + key_groups: + - age: + - *primary + - path_regex: secrets/invidious-config.yaml + key_groups: + - age: + - *primary + - path_regex: secrets/blarm-restic.yaml + key_groups: + - age: + - *primary diff --git a/flake.lock b/flake.lock index 7b673f7..b268e60 100644 --- a/flake.lock +++ b/flake.lock @@ -247,6 +247,22 @@ "type": "github" } }, + "nixpkgs_3": { + "locked": { + "lastModified": 1731763621, + "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c69a9bffbecde46b4b939465422ddc59493d3e4d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nmd": { "flake": false, "locked": { @@ -319,6 +335,7 @@ "nvf": "nvf", "plasma-manager": "plasma-manager", "snowfall-lib": "snowfall-lib", + "sops-nix": "sops-nix", "stable": "stable" } }, @@ -366,6 +383,24 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1739262228, + "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "stable": { "locked": { "lastModified": 1740162160, diff --git a/flake.nix b/flake.nix index 19b42d4..f96115f 100644 --- a/flake.nix +++ b/flake.nix @@ -9,6 +9,8 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + sops-nix.url = "github:Mic92/sops-nix"; + snowfall-lib = { url = "github:snowfallorg/lib"; inputs.nixpkgs.follows = "nixpkgs"; 
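Review bot: Every creation rule in `.sops.yaml` encrypts to the single `&primary` age recipient, so losing that one private key makes all three secret files unrecoverable. The same key also has to serve both for editing secrets and for decrypting them on the host. Consider adding a second recipient (a per-host key or an offline recovery key) under `keys:` and in each `age:` list, e.g. `- &recovery <AGE_PUBLIC_KEY_PLACEHOLDER>`. The three rules are otherwise identical and could be collapsed into one rule with `path_regex: secrets/.*`.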
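Review bot: The new `sops-nix` input in `flake.nix` does not follow the flake's own nixpkgs, unlike the neighbouring inputs in this hunk that set `inputs.nixpkgs.follows = "nixpkgs";`. The `flake.lock` change in this commit gains a separate `nixpkgs_3` node for it, so a second, independently pinned nixpkgs revision is fetched and has to be kept current. Adding `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` leaves a single pinned nixpkgs to audit.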
diff --git a/homes/x86_64-linux/philipp/default.nix b/homes/x86_64-linux/philipp/default.nix index 146e689..9f47fe0 100644 --- a/homes/x86_64-linux/philipp/default.nix +++ b/homes/x86_64-linux/philipp/default.nix @@ -1,9 +1,11 @@ { - lib, namespace, ... + lib, + namespace, + ... }: with lib.${namespace}; { - home.activation.removeBrowserBackups = lib.hm.dag.entryAfter ["checkLinkTargets"] '' + home.activation.removeBrowserBackups = lib.hm.dag.entryAfter [ "checkLinkTargets" ] '' if [ -d "/home/philipp/.librewolf/philipp" ]; then rm -f /home/philipp/.librewolf/philipp/search.json.mozlz4.backup fi diff --git a/modules/home/apps/cinny/default.nix b/modules/home/apps/cinny/default.nix new file mode 100644 index 0000000..ee7a1c4 --- /dev/null +++ b/modules/home/apps/cinny/default.nix @@ -0,0 +1,24 @@ +{ + config, + lib, + pkgs, + namespace, + ... +}: +with lib; +with lib.${namespace}; +let + cfg = config.${namespace}.apps.cinny; +in +{ + options.${namespace}.apps.cinny = with types; { + enable = mkBoolOpt false "Whether or not to enable cinny."; + }; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ + cinny-desktop + ]; + }; + +} diff --git a/modules/nixos/services/invidious/default.nix b/modules/nixos/services/invidious/default.nix deleted file mode 100644 index ee7041d..0000000 --- a/modules/nixos/services/invidious/default.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ - lib, - config, - pkgs, - namespace, - ... -}: -with lib; -with lib.${namespace}; -let - cfg = config.${namespace}.services.invidious; -in -{ - options.${namespace}.services.invidious = { - enable = mkEnableOption "Invidious"; - domain = mkOption { - type = types.string; - default = "localhost"; - description = "Domain to use for absolute URLs"; - }; - }; - - config = mkIf cfg.enable { - services.invidious = { - enable = true; - domain = cfg.domain; - extraSettingsFile = "/var/lib/invidious/settings.yml"; - }; - }; -} 
diff --git a/modules/nixos/services/restic/default.nix b/modules/nixos/services/restic/default.nix new file mode 100644 index 0000000..b9e54e5 --- /dev/null +++ b/modules/nixos/services/restic/default.nix @@ -0,0 +1,48 @@ +{ + lib, + config, + pkgs, + namespace, + ... +}: +with lib; +with lib.${namespace}; +let + cfg = config.${namespace}.services.restic; +in +{ + options.${namespace}.services.restic = { + enable = mkBoolOpt false "Restic"; + }; + + config = mkIf cfg.enable { + sops.secrets.restic_url = { + format = "yaml"; + sopsFile = ../../../../secrets/blarm-restic.yaml; + key = "restic/url"; + }; + sops.secrets.restic_password = { + format = "yaml"; + sopsFile = ../../../../secrets/blarm-restic.yaml; + key = "restic/password"; + }; + services.restic.backups = { + borgbase = { + initialize = true; + exclude = [ "/home/*/.cache" ]; + passwordFile = "/run/secrets/restic_password"; + repository = "$(cat /run/secrets/restic_url)"; + paths = [ + "/home" + "/var/lib/" + ]; + timerConfig = { + OnCalendar = "00:10"; + RandomizedDelaySec = "1h"; + }; + }; + }; + + environment.systemPackages = with pkgs; [ restic ]; + }; +} diff --git a/modules/nixos/system/gnupg/default.nix b/modules/nixos/system/gnupg/default.nix index b3b63cb..f7527d3 100644 --- a/modules/nixos/system/gnupg/default.nix +++ b/modules/nixos/system/gnupg/default.nix @@ -12,7 +12,7 @@ let in { options.${namespace}.system.gnupg = with types; { - enable = mkBoolOpt false "Whether or not to manage fonts."; + enable = mkBoolOpt false "Whether or not to enable gnupg."; }; config = mkIf cfg.enable { diff --git a/modules/nixos/system/sops/default.nix b/modules/nixos/system/sops/default.nix new file mode 100644 index 0000000..310f234 --- /dev/null +++ b/modules/nixos/system/sops/default.nix 
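Review bot: In `modules/nixos/services/restic/default.nix`, `repository = "$(cat /run/secrets/restic_url)";` relies on shell command substitution, but nothing visible in this module runs the string through a shell. As far as I know the NixOS restic module hands `repository` to restic as a plain value, so the backup would target the literal text rather than the decrypted URL. The module has a `repositoryFile` option for this case: `repositoryFile = config.sops.secrets.restic_url.path;`, and likewise `passwordFile = config.sops.secrets.restic_password.path;` instead of the hard-coded `/run/secrets/...` strings. Separately, `paths = [ "/home" ... ]` takes in `/home/philipp/.config/sops/age/keys.txt`, the key file the sops module in this commit points at, so decide whether the age private key should end up in the backup repository or be added to `exclude`.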
@@ -0,0 +1,24 @@
+{
+ config,
+ inputs,
+ lib,
+ namespace,
+ ...
+}:
+with lib;
+with lib.${namespace};
+let
+ cfg = config.${namespace}.system.sops;
+in
+{
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+
+ options.${namespace}.system.sops = with types; {
+ enable = mkBoolOpt false "Whether or not to enable sops support.";
+ };
+
+ config = mkIf cfg.enable {
+ sops.age.keyFile = "/home/philipp/.config/sops/age/keys.txt";
+ };
+
+}
diff --git a/modules/nixos/virtualisation/podman/invidious/config/config.yml b/modules/nixos/virtualisation/podman/invidious/config/config.yml
deleted file mode 100644
index ab3f615..0000000
--- a/modules/nixos/virtualisation/podman/invidious/config/config.yml
+++ /dev/null
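Review bot: In `modules/nixos/system/sops/default.nix`, `sops.age.keyFile` points at `/home/philipp/.config/sops/age/keys.txt`, so decryption of system secrets depends on one user's home directory. The path hard-codes a username in a shared module, the key is readable by that user account, and `/home` has to be available when secrets are installed at activation. A host-scoped key outside `/home` is the usual arrangement, e.g. `sops.age.keyFile = "/var/lib/sops-nix/key.txt";` or `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, with that host's public key added as a recipient in `.sops.yaml`. If the home-directory key is kept, a comment stating that the key file must exist before the first rebuild would help.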
@@ -1,246 +0,0 @@ -######################################### -# -# Database and other external servers -# -######################################### - -## -## Database configuration with separate parameters. -## This setting is MANDATORY, unless 'database_url' is used. -## -db: - user: philipp - password: s3cr3tp4ssw0rd - host: invidious-db - port: 5432 - dbname: invidious - -## -## Enable automatic table integrity check. This will create -## the required tables and columns if anything is missing. -## -## Accepted values: true, false -## Default: false -## -check_tables: true - - -## -## Path to an external signature resolver, used to emulate -## the Youtube client's Javascript. If no such server is -## available, some videos will not be playable. -## -## Accepted values: a path to a UNIX socket or ":" -## Default: -## -signature_server: signature-helper:12999 - - -######################################### -# -# Server config -# -######################################### - -# ----------------------------- -# Network (inbound) -# ----------------------------- - -## -## Port to listen on for incoming connections. -## -## Note: Ports lower than 1024 requires either root privileges -## (not recommended) or the "CAP_NET_BIND_SERVICE" capability -## (See https://stackoverflow.com/a/414258 and `man capabilities`) -## -## Accepted values: 1-65535 -## Default: 3000 -## -port: 3000 - -## -## Interface address to listen on for incoming connections. -## -## Accepted values: a valid IPv4 or IPv6 address. -## default: 0.0.0.0 (listen on all interfaces) -## -host_binding: 0.0.0.0 - -## -## Domain name under which this instance is hosted. This is -## used to craft absolute URLs to the instance (e.g in the API). -## The domain MUST be defined if your instance is accessed from -## a domain name (like 'example.com'). 
-## -## Accepted values: a fully qualified domain name (FQDN) -## Default: -## -domain: inv.monapona.dev - -## -## Tell Invidious that it is behind a proxy that provides only -## HTTPS, so all links must use the https:// scheme. This -## setting MUST be set to true if invidious is behind a -## reverse proxy serving HTTPs. -## -## Accepted values: true, false -## Default: false -## -https_only: true - - -# ----------------------------- -# Network (outbound) -# ----------------------------- - - -## -## Send Google session informations. This is useful when Invidious is blocked -## by the message "This helps protect our community." -## See https://github.com/iv-org/invidious/issues/4734. -## -## Warning: These strings gives much more identifiable information to Google! -## -## Accepted values: String -## Default: -## -po_token: "" -visitor_data: "" - -# ----------------------------- -# Users and accounts -# ----------------------------- - -## -## Enable/Disable the captcha challenge on the login page. -## -## Note: this is a basic captcha challenge that doesn't -## depend on any third parties. -## -## Accepted values: true, false -## Default: true -## -captcha_enabled: false - -## -## List of usernames that will be granted administrator rights. -## A user with administrator rights will be able to change the -## server configuration options listed below in /preferences, -## in addition to the usual user preferences. -## -## Server-wide settings: -## - popular_enabled -## - captcha_enabled -## - login_enabled -## - registration_enabled -## - statistics_enabled -## Default user preferences: -## - default_home -## - feed_menu -## -## Accepted values: an array of strings -## Default: [""] -## -admins: ["spaenny"] - -## -## Note: This parameter is mandatory and should be a random string. 
-## Such random string can be generated on linux with the following -## command: `pwgen 20 1` -## -## Accepted values: a string -## Default: -## -hmac_key: "gNcPHs+DWI4TTZLtHh3EbXWeISHsgUgBFnGpgW4yU9Q=" - - -######################################### -# -# Default user preferences -# -######################################### - -default_user_preferences: - - ## - ## Default geographical location for content. - ## - ## Accepted values: - ## AE, AR, AT, AU, AZ, BA, BD, BE, BG, BH, BO, BR, BY, CA, CH, CL, CO, CR, - ## CY, CZ, DE, DK, DO, DZ, EC, EE, EG, ES, FI, FR, GB, GE, GH, GR, GT, HK, - ## HN, HR, HU, ID, IE, IL, IN, IQ, IS, IT, JM, JO, JP, KE, KR, KW, KZ, LB, - ## LI, LK, LT, LU, LV, LY, MA, ME, MK, MT, MX, MY, NG, NI, NL, NO, NP, NZ, - ## OM, PA, PE, PG, PH, PK, PL, PR, PT, PY, QA, RO, RS, RU, SA, SE, SG, SI, - ## SK, SN, SV, TH, TN, TR, TW, TZ, UA, UG, US, UY, VE, VN, YE, ZA, ZW - ## - ## Default: US - ## - region: DE - - ## - ## Default feed to display on the home page. - ## - ## Note: setting this option to "Popular" has no - ## effect when 'popular_enabled' is set to false. - ## - ## Accepted values: Popular, Trending, Subscriptions, Playlists, - ## Default: Popular - ## - default_home: Subscriptions - - # ----------------------------- - # Video player behavior - # ----------------------------- - - ## - ## Automatically play videos on page load. - ## - ## Accepted values: true, false - ## Default: false - ## - autoplay: true - - ## - ## Automatically load the "next" video (either next in - ## playlist or proposed) when the current video ends. - ## - ## Accepted values: true, false - ## Default: false - ## - continue: true - - - # ----------------------------- - # Video playback settings - # ----------------------------- - - ## - ## Default video quality. - ## - ## Accepted values: dash, hd720, medium, small - ## Default: hd720 - ## - quality: dash - - ## - ## Default dash video quality. 
- ## - ## Note: this setting only takes effet if the - ## 'quality' parameter is set to "dash". - ## - ## Accepted values: - ## auto, best, 4320p, 2160p, 1440p, 1080p, - ## 720p, 480p, 360p, 240p, 144p, worst - ## Default: auto - ## - quality_dash: best - - ## - ## Save the playback position - ## Allow to continue watching at the previous position when - ## watching the same video. - ## - ## Accepted values: true, false - ## Default: false - ## - save_player_pos: true diff --git a/modules/nixos/virtualisation/podman/invidious/config/db.env b/modules/nixos/virtualisation/podman/invidious/config/db.env deleted file mode 100644 index cd808b6..0000000 --- a/modules/nixos/virtualisation/podman/invidious/config/db.env +++ /dev/null @@ -1,3 +0,0 @@ -POSTGRES_USER=philipp -POSTGRES_PASSWORD=s3cr3tp4ssw0rd -POSTGRES_DB=invidious diff --git a/modules/nixos/virtualisation/podman/invidious/default.nix b/modules/nixos/virtualisation/podman/invidious/default.nix index f0d0e29..50eb16d 100644 --- a/modules/nixos/virtualisation/podman/invidious/default.nix +++ b/modules/nixos/virtualisation/podman/invidious/default.nix @@ -1,6 +1,5 @@ { lib, - pkgs, config, namespace, ... @@ -16,6 +15,18 @@ in }; config = mkIf cfg.enable { + sops.secrets.invidious-db = { + format = "dotenv"; + sopsFile = ../../../../../secrets/invidious-db.env; + key = ""; + }; + + sops.secrets.invidious-config = { + format = "yaml"; + sopsFile = ../../../../../secrets/invidious-config.yaml; + key = ""; + }; + security.unprivilegedUsernsClone = true; virtualisation = { @@ -36,9 +47,7 @@ in invidious = { image = "quay.io/invidious/invidious:latest-arm64"; hostname = "invidious"; - volumes = [ - "/home/philipp/nix-config/modules/nixos/virtualisation/podman/invidious/config/config.yml:/invidious/config/config.yml" - ]; + volumes = [ "/run/secrets/invidious-config:/invidious/config/config.yml" ]; ports = [ "192.168.1.202:3000:3000" "[fd00:192:168:1::202]:3000:3000" 
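Review bot: The two `sops.secrets` entries added in the `@@ -16,6 +15,18 @@` hunk of `podman/invidious/default.nix` encrypt values that this same commit removes in plaintext (`config/config.yml` and `config/db.env`), so the database password and `hmac_key` stay readable in the repository history. The ciphertext lengths in the new `secrets/` files appear to match the lengths of the old values, which suggests they were carried over unchanged; rotate them before relying on the encrypted copies. A short comment above the entries such as `# key = "" makes sops-nix emit the whole decrypted file` would also help the next reader.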
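Review bot: The new bind mount `"/run/secrets/invidious-config:/invidious/config/config.yml"` in the `@@ -36,9 +47,7 @@` hunk hard-codes the secret's location and mounts it writable. sops-nix installs secrets owned by root with mode 0400 unless `owner`/`mode` are set, so a container process that does not run as root may be unable to read the file; confirm this against the image's user. Suggested form: `volumes = [ "${config.sops.secrets.invidious-config.path}:/invidious/config/config.yml:ro" ];`. The container definition continues outside this hunk.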
@@ -61,9 +70,7 @@ in "/home/philipp/nix-config/modules/nixos/virtualisation/podman/invidious/config/sql:/config/sql" "/home/philipp/nix-config/modules/nixos/virtualisation/podman/invidious/init-invidious-db.sh:/docker-entrypoint-initdb.d/init-invidious-db.sh" ]; - environmentFiles = [ - /home/philipp/nix-config/modules/nixos/virtualisation/podman/invidious/config/db.env - ]; + environmentFiles = [ /run/secrets/invidious-db ]; }; }; }; diff --git a/secrets/blarm-restic.yaml b/secrets/blarm-restic.yaml new file mode 100644 index 0000000..32406d7 --- /dev/null +++ b/secrets/blarm-restic.yaml @@ -0,0 +1,23 @@ +restic: + url: ENC[AES256_GCM,data:VhPf0ftgjxjYic0UkT8UgHRlEFB5P4erN7mJ9yvBvBXam13vUesqDPviupvsgGthWWqBMFAYjsdqhgB5sifkkKE=,iv:KI3r42yAzid5oB3HhYha66YOuUKbq3rF72e48dlmhcI=,tag:g9BFJRZ6i6ub2hW1R4L+kg==,type:str] + password: ENC[AES256_GCM,data:9ilFmtQ3YEgfruzHwiY=,iv:tjlMqoRpqVHUJUtfz7pLLP+F1EpPuGPa77uaWr92ybk=,tag:P5Qek8+um+EF6OV4RC0xGg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age132m0pg4utk3cjve2lgcjffvz7cevl0fq5krufu9sgud7wu2wgurqk49kgl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVVkNINjZmRGNjbzdyV2ZD + ck5kckFqb21TbnBuM21vT0pCeXp2STFFTXpFCk5TRWd4V2FmY0VlVFQ1d3FOd0pF + YWpKNC9pbWNYaVBiMUwvYnlZTGVxR1EKLS0tIExWZ0paZ0p6U3hORkZOa3hYWGpD + T2l6WGpxSHFlL1doNkh5Y3Y4dmEyWE0KRPn0lw3Ao+7HtFxRHxMaWszSYfQe0QED + ogLnro6X/a18AUhq5kTArYryzBblGsPwaoruBjrLOG9OkKaGuaWNJA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-02-27T22:26:49Z" + mac: ENC[AES256_GCM,data:ANN25JdIXhzImyo1I6MkB8wMHck6sipGeQ0Y5R//h8koy4arenO18oD8HDcmrjXNqWaiOQ+3HzENHG4i4CsRq29HGPmIAUiJMNkTbJbX/775o+P0OPd5yqQ+0CL5pYpAfLuksV1GazTTT01rBhmwIwvu1QSJubfYekkZAnf/GUA=,iv:vgoIylxQCmRLV4nwoElPSyPxljdSYJJYD5YMu/llDG4=,tag:fpXz2Glaci8VA0sKJQIKjg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 
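Review bot: `environmentFiles = [ /run/secrets/invidious-db ];` in the `@@ -61,9 +70,7 @@` hunk of `podman/invidious/default.nix` uses an unquoted Nix path literal for a runtime secret. A path literal that is ever interpolated into a string is copied into the world-readable Nix store (or rejected under pure flake evaluation), whereas a string stays a plain reference. `environmentFiles = [ config.sops.secrets.invidious-db.path ];` avoids that and ties the container to the secret's declaration rather than to a hard-coded location. The container definition starts outside this hunk.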
diff --git a/secrets/invidious-config.yaml b/secrets/invidious-config.yaml
new file mode 100644
index 0000000..b906757
--- /dev/null
+++ b/secrets/invidious-config.yaml
@@ -0,0 +1,123 @@ +channel_threads: ENC[AES256_GCM,data:AQ==,iv:UMs5NzRhz3OZj3g0a8pJlQKTDNSqSgBIrRMSEDemKbc=,tag:xOUf8o9ZcwmyLyjAWuWh8A==,type:int] +channel_refresh_interval: ENC[AES256_GCM,data:Ad4=,iv:OUnqHGL52cboVtrIY0QbFHXI9FGBZWCaDzX6u5NX3BQ=,tag:PUNsFMwaGejdOnfi7ElcwQ==,type:int] +feed_threads: ENC[AES256_GCM,data:DA==,iv:/aukY6D8aUiaUlRbYQh8IvRL+SUrm3EzHoiL9V9My98=,tag:z6YKJB2T6PiJ91k49N71qA==,type:int] +output: ENC[AES256_GCM,data:yw2I2rwU,iv:d6iaFXhqAqLPRb3i8S/mX9ytmB1KbZeltX8kRi+A6d0=,tag:mBd/yh34eT4GbIsKsIuoEA==,type:str] +log_level: ENC[AES256_GCM,data:mf9jLQ==,iv:m0IJHSYEINnWAe7kbh57pce8k6sqg3l7VRXdYaAUwwI=,tag:HsJ94jCJ/ZPoDWd+iIjnvA==,type:str] +colorize_logs: ENC[AES256_GCM,data:lbjj0VI=,iv:0AvriEveScwERhC2xGBKDXxNf78Vht+siFk2T4cYOZk=,tag:gB09LQgZFGcxJ1wGVkM9dg==,type:bool] +db: + user: ENC[AES256_GCM,data:22MhzRJF3w==,iv:oenmhbP4WpUBs8ENrv4yZh/7hfIbqTsTuniGduU7+K8=,tag:wsB5/gb2rVvABlcNIMa0qQ==,type:str] + password: ENC[AES256_GCM,data:8vVn63hJQjtNQ5zYSoQ=,iv:3YqFCljz4j7ErxKzuQOXJUVKHe6CbRXiWQbgKnY+/gU=,tag:oC9zioyyLCsQqpztJcpJGA==,type:str] + host: ENC[AES256_GCM,data:9CnRoynti5iPjAbw,iv:QSaU+e4oiF8X8sT2qeoylhOzD3FtlYN0A+X3lkZrlhw=,tag:GKmdlnpSVKm3Em4SMoeuAA==,type:str] + port: ENC[AES256_GCM,data:14CIdw==,iv:LojU5NnDvlgbDynbhWLDfiwOxLeAhhlJEPCxfnrdits=,tag:71JY9O8ivuiAZcHVRb9o7g==,type:int] + dbname: ENC[AES256_GCM,data:aTfj82IPdesj,iv:bQ6h4RDQBQGtcABZ0pAL5WTJ8BzAGPSv+cei2dzKBAE=,tag:dDnqO1LDb5IKEK5/uob1pw==,type:str] +database_url: ENC[AES256_GCM,data:qs9dlAUyGfdtG2Dm9baksAS0tgErUOC6UPO4TBF1E9d0kPiCXO35saBe3wNHpnSeu/I3BgEkjvGEKWhLCw==,iv:hWY189n47YkAaLhdHNSzXMZoIM9XKlbGKygOKFs/e/s=,tag:+bOJUwEsjxniv6CNGjl8Xw==,type:str] +full_refresh: ENC[AES256_GCM,data:UqvNQm8=,iv:T1mi4Rfb7lM+KkUtNKXQGRgJqclKUrxvIl1oO1Imiok=,tag:W5vjIf+o1znvY5KfBIuY2g==,type:bool] +https_only: ENC[AES256_GCM,data:Q1EM2Q==,iv:rAp/2fJDcKFSw9AQUtha0cPwYkyQKLukwUDN+wj9n/o=,tag:pcg182ttzWyxA5uOhCu4Vw==,type:bool] +hmac_key: 
ENC[AES256_GCM,data:dK1vwU6F6oHaV2wDzyL6kR5BVHmaiHLbRl/FfS0l4EnBeogYaRo6Y/0wQac=,iv:r4Z7CCxXQ9FXLHTjgwoz2muvYhDlwxnwP9tTOXiUr/g=,tag:eg2G3g5SaF2giygkGmkRjw==,type:str] +domain: ENC[AES256_GCM,data:ohgsVQ6TjV20xpgvkEJeJA==,iv:uqzjWp21IyAc69udlKZ06Zy/WZo7C8lRypIugqTPG7A=,tag:hO1RlOpYyQF4Z3wvLCLBqg==,type:str] +use_pubsub_feeds: ENC[AES256_GCM,data:Psged44=,iv:e7psNKmp1gOtmW6uHAIAK/UMZ7eujzsdEx101S49zjw=,tag:MSWwaS9tdpD1DrPBToq2Vw==,type:bool] +popular_enabled: ENC[AES256_GCM,data:sd1pkg==,iv:eCVP3hbkCIuAIyxvrZSZ965nsDjRPR+yl37AwJN562Y=,tag:jNktqKvoXBUU+g3pM0zqZw==,type:bool] +captcha_enabled: ENC[AES256_GCM,data:AWLykZk=,iv:/LgWLW2JyVIiYgc8hFzKDrgxP+ODsQ/4yuOlSOO4NVA=,tag:ZO1KSEuU69qtKEUOXBPiRA==,type:bool] +login_enabled: ENC[AES256_GCM,data:Vjpvpw==,iv:BgCiJdELxzGTvQwYEcE635/J8exYeoLL1wWu74G/cOk=,tag:4FYsy/pjAfhPEb8C3Ar69g==,type:bool] +registration_enabled: ENC[AES256_GCM,data:GXl2rA==,iv:2xU01AvXAmRknLjMzT/Hja8lJF6ZG8PE5tY4BsKqg38=,tag:50ljE+WXs5cPF98BkOCxgQ==,type:bool] +statistics_enabled: ENC[AES256_GCM,data:U+FiREM=,iv:9n5K2kQ8L+E+b5FjW4ZvYgUuKymmU8TzFviqHD6KAEs=,tag:i8m9fZ6ZhwE8HHHw5TGcuA==,type:bool] +admins: + - ENC[AES256_GCM,data:LSERwu4QmA==,iv:Na7MRLPQ/tlQfTleoQueU7fimMepY91ZDtoHk6E31rQ=,tag:O0s0g9P+L1aaIFmnHfcFAA==,type:str] +external_port: ENC[AES256_GCM,data:VD86,iv:f2Hn552dx5/5KOev/s0oeMmjSxFG/C3hUpsSoypSuiw=,tag:pe9BGwYbJR+QFKZpvQ72jQ==,type:int] +default_user_preferences: + annotations: ENC[AES256_GCM,data:x9V0kC0=,iv:XQYXcyXb+My5YuqEPjEIFOf+s0Ci4ZrBRFjPCBs7I5Q=,tag:6gJhMVgXGXo4uDwvLTpQng==,type:bool] + annotations_subscribed: ENC[AES256_GCM,data:Bkn+MEs=,iv:wysRHNNvWn8ARuVS1C4LKv4iUUXfHGORYhlyIaFkmuI=,tag:dN13dJR236Mt7LvaBQFbYQ==,type:bool] + preload: ENC[AES256_GCM,data:zgWsMw==,iv:Rae7cOBzepq0XghliL0UeB22WbnNShxADGqKZs7zef0=,tag:R0w49L3u7p0/UykapeUTAg==,type:bool] + autoplay: ENC[AES256_GCM,data:inUUUw==,iv:QmoY6zMexE8vutXDm4dnDWPQy+WxdGpSCu5wlS/xLxU=,tag:SWoUJNUssofusItww6TkXg==,type:bool] + captions: + - "" + - "" + - "" + comments: + - 
ENC[AES256_GCM,data:5QWsC3hWvA==,iv:Y06tHI7s7Ra9hVhiQ+D+SrkSV5RpPBsjdlaiFONvx/A=,tag:rt3Qr5cmCj/ZE8JqWe5Ltg==,type:str] + - "" + continue: ENC[AES256_GCM,data:whITcQ==,iv:ipBq04R+HfebnGs/4HilztYWsAzwhPfeudFAY7uCxGU=,tag:MBQZw6v3jbRHFSAGhYnSFg==,type:bool] + continue_autoplay: ENC[AES256_GCM,data:lByZfw==,iv:0G588Qxg6wh1zURujh3uWLuSmbVheDAFUCYpjI58rHk=,tag:nSeghxUAgDcnXfAWHRnk2g==,type:bool] + dark_mode: "" + latest_only: ENC[AES256_GCM,data:HJ/jvjg=,iv:1VTsYz42xWroGch8biMBp9q4beG1qgQK3aWVq1c7Yhk=,tag:zv0Cz6i4rz7iqmcBPpHW9Q==,type:bool] + listen: ENC[AES256_GCM,data:3hPDRR8=,iv:Jw+DMM9G7lEOtIGbTOEPPNb9dlLo+8aqVRtMLmwuno4=,tag:ZWfZOJ6kSbzqa0QNH67A3g==,type:bool] + local: ENC[AES256_GCM,data:HrjOmLk=,iv:lUdKPUkSSYCRLEfBknw0pmD2rbFySumNO8l4APwtfGk=,tag:Zp3JIOeB/BlJT+PyGbt2Qw==,type:bool] + locale: ENC[AES256_GCM,data:hh8AueI=,iv:AifIXipoCuBZSFR7w+Bb/AlbBGJceYZ08wSCwrgs4OI=,tag:kxzIVuh/Z1sdKV9qK06dfA==,type:str] + watch_history: ENC[AES256_GCM,data:N8u54g==,iv:SCcWzjGCC0Ba4lGW8FXTIJE/dL1uEvcayoC8z9yPr6k=,tag:N7x5FTUAj/J5AxbLopL2TA==,type:bool] + max_results: ENC[AES256_GCM,data:yQc=,iv:n+sdfNUUzNBtbxF7RAupO+KwEsg9ggvzGLYcAh30bxA=,tag:hzq0Adh8eh2FQY+lkz701A==,type:int] + notifications_only: ENC[AES256_GCM,data:OJDFpRA=,iv:Gc8wnmSK0IcZYtr2OH9QHrPOLsFmj9HUNgjs3QIqsjs=,tag:a+8iFPqbiuRIjKwH5Qva9A==,type:bool] + player_style: ENC[AES256_GCM,data:R/ixf7YI9NUd,iv:1VcI6bSQaKWTvFIA6rnKH+7MsaTDvnkKzdol3BlNk/U=,tag:LXEJB+k+XY6VpmDgQOB6cg==,type:str] + quality: ENC[AES256_GCM,data:3CxtnQ==,iv:nVJBIAfoagBPim6a8pzDxsjNWrSCIEA8rA96JxXUNXk=,tag:vQ7IXKaXJ/EQxRMQjUpZcg==,type:str] + quality_dash: ENC[AES256_GCM,data:ibvXLw==,iv:nj2dmnqXDOMiexNS8Ex4wo23ncNXyfRGCgB+VQYgpNM=,tag:JFsQMn693AAUUuKqk8B3FA==,type:str] + default_home: ENC[AES256_GCM,data:5ddakzlUqtaQsBjT/g==,iv:bS9CVAkKBKVark0Zr+flnjPY7P813tITxbDgZ7z3MTc=,tag:u+oLYhb8+fprf4YRBM5y4A==,type:str] + feed_menu: + - ENC[AES256_GCM,data:HrxrnCKYng==,iv:8HWKgOOx4joZwM23Mq18uM8/U+DrEhpGNkpPAuStoeQ=,tag:50jPGafqMsr0Z6sjewmQVA==,type:str] + 
- ENC[AES256_GCM,data:yFqy/UffH/Q=,iv:lvDdfkGrGPGwusWSpisvRHbiBa7vRidO3qUCShmyAdc=,tag:ORJfOGRkifjKOKr3IfWfuQ==,type:str] + - ENC[AES256_GCM,data:EQlPg7yhT1oYutwkvw==,iv:WIkbVWJ1KVwZeAxYVkFXDMPeHWWWQ/ZfqjtL7gc+/L8=,tag:xsCY2ZmMGJq40tc/meHnrA==,type:str] + - ENC[AES256_GCM,data:BH6t90r+drmo,iv:gzFPgxDNaAhDesO+5TdbpXQpkcmHgAxy4u3YclWLn78=,tag:edxGwrDeWXhJVtkCuoCaUA==,type:str] + automatic_instance_redirect: ENC[AES256_GCM,data:s1lAFEY=,iv:JbnsgN1KclKXdnytBGb8V80HS6UZ1RWcDfkg+V+QalU=,tag:TXzUKi8SaggBEfjjS9guFQ==,type:bool] + region: ENC[AES256_GCM,data:tQM=,iv:h4Um9nVCHulSbgNnu66mfQqlDNSbA9iIHJC4dAufhn0=,tag:+SpTRcm1uuUvD8Fyg8Xk/g==,type:str] + related_videos: ENC[AES256_GCM,data:5qWPfA==,iv:AhHzCyDtdX5Cx73mj+0svFBk+pBpKscl/5L+p3LrlCg=,tag:DxeI9ca5e7l3PhINGHJ04g==,type:bool] + sort: ENC[AES256_GCM,data:8KM1eZY7Zpm5,iv:V+kSD7GeJjcuxAC6YIr9Yz6seMSS4VB3n8uetU9/j88=,tag:mYAVivMni9QqxZOiPx5TDA==,type:str] + speed: ENC[AES256_GCM,data:ug==,iv:9x1/XrSeV/jQso6fA7mggW/odV9Dtat5pEAJtKi9oaU=,tag:m1s+zVSM7Z1HYCEORU71eg==,type:float] + thin_mode: ENC[AES256_GCM,data:kC+/qqA=,iv:70JQmFFqE4tVLOhEhTqn6o4+Z6TcNPE4GchxUWpPEnM=,tag:oSQ+c2/3jlwfb8QWYztYLA==,type:bool] + unseen_only: ENC[AES256_GCM,data:1uBKEeM=,iv:c5DG4Yf+NrqogOYrC2lYYYtPUDe3P/Th28YlmCs4oiE=,tag:qM/6RaOPHJC+GsgijS96WQ==,type:bool] + video_loop: ENC[AES256_GCM,data:0pNxRg4=,iv:aWfDKRHZte5oCY4QIoB+t2q07Do0cKWABoaIE0TahLY=,tag:gpTriuKShm5VGiYyMFhrTg==,type:bool] + extend_desc: ENC[AES256_GCM,data:VLlU0d8=,iv:nPZcRu31m6igC2c/PKzRWF8Uwdlxd6C4gqr0qtqBBDA=,tag:byfDuLh5AuG9BSyrCyiH+g==,type:bool] + volume: ENC[AES256_GCM,data:faKp,iv:VzgdgxeP1/Up35xI+lzaODn8H2eBLyZU0zGp9qjkGj8=,tag:JXJTwe4KeMZqmEUpE0nd8Q==,type:int] + vr_mode: ENC[AES256_GCM,data:ZePSng==,iv:vRFUt/q6spkPzCa65s+sPiIKERrvuS1LSxybIYYccfA=,tag:5IhKDwZGyTXxVuRfN7psRg==,type:bool] + show_nick: ENC[AES256_GCM,data:+WN1jg==,iv:vdaal5qpnNLr6Fx0PgXx4B1lNzFzJFmwB5B1YwJ95dc=,tag:2DEV5Vx2vE/0g5vcmBBE+Q==,type:bool] + save_player_pos: 
ENC[AES256_GCM,data:9KOHcA==,iv:gUWTE44T7kqepJTu+EHmcDs/A4oWXNTGXjhMLuGfxEA=,tag:z/0UvMUR8pXre6Xs5DewaA==,type:bool] +dmca_content: [] +check_tables: ENC[AES256_GCM,data:7zqhIw==,iv:IpTDl0T7nGIUoKbIf0FVvP5e6OXgdkxSx/UWQOT1vNQ=,tag:juZedzQp56sGkBEGYyJ2DQ==,type:bool] +cache_annotations: ENC[AES256_GCM,data:t4BZqig=,iv:Tl03bEbcjEmmCurzFw9u5bl5QRBi4H3Hem3wS0HLCTE=,tag:UcNa4tq7yPOYVTFSJipdmw==,type:bool] +hsts: ENC[AES256_GCM,data:91lKsw==,iv:Rb9gSvV36/AKXatUHSeLHOAq3tdqFPtNnPueehlUogk=,tag:nrU2T+hQPXbSrhxuIO4vKQ==,type:bool] +disable_proxy: ENC[AES256_GCM,data:ZTTpJ18=,iv:ieeLe5Jlt+je1pkGNSdOCwF6wDwmQXlIg6hVSCcDfsI=,tag:fEtEskFdzji99gOM8zmeew==,type:bool] +enable_user_notifications: ENC[AES256_GCM,data:A/aIhA==,iv:7OpUbvY57lRUt+QVcKHPGpUI/YnNTj4sE3heWkiYZV8=,tag:LxgFhFzfJ7m9rwRl94RnwA==,type:bool] +force_resolve: null +signature_server: ENC[AES256_GCM,data:5PzFXfKq4kO//dfIntXEz86pM8GD4Q==,iv:3auXhAGlP79lRNFDJmpn5oK/l11Qcu1Jok71x2QadXc=,tag:M/zr0DGiNs74Peud+dAxRQ==,type:str] +port: ENC[AES256_GCM,data:PlXCKw==,iv:U0s6cA9d9YI1xHa4vqP5xFNGZ4sBAv0e/ao012gmx5U=,tag:yANlE2j3mxjepaUj6DMc+g==,type:int] +host_binding: ENC[AES256_GCM,data:Ld6bF95Wxw==,iv:bfxSfNMMw8ZihADhLsASbg58nzV+1abmRhcPd7sEQ7k=,tag:LMmXKu4I3fWOIqBoLMRGNA==,type:str] +pool_size: ENC[AES256_GCM,data:e1qc,iv:rdMTdMNzkiu/BPPy0PhWP3WjFikpL5FGDeL7MHsi4v8=,tag:nyayJ+49Skhemw9bJnxUrw==,type:int] +use_innertube_for_captions: ENC[AES256_GCM,data:pNUxJWY=,iv:zShwBRgrtptWjSWfM3M5r1OHPRIRxn+LSZA0SgNEdk4=,tag:RLqN0OkSOTkj9g2ltYec0w==,type:bool] +visitor_data: ENC[AES256_GCM,data:s6r4dU8T+AsJDgrdJHZHCTpQsH2JlHbW52sMoxJ7LACWEBaVd+PtFt5YbM/bJNFO,iv:QOvOJ0ORKWtTIRp8eHCESrvPzQUnQgPODDOVry71f+0=,tag:zhLnpFF1CByaIT5WlYKYgQ==,type:str] +po_token: 
ENC[AES256_GCM,data:6SlD2/+4ZhuaZQ6SYZtjF+kqByORolkzxFcQgpzX9pRksZ95Lvgu7/6KXFq08oWY2FDFJS72gXih0D2aPX+JgAlfdYNL40Oa4oOisNEhnAKVTh/8zG55LM7c6+Juc4K/f/J22tteNr4dVxvf/7gsmm5+XL/msHi5ZkjckpauZOdq2XPTSr/m99Z9DGrraxv61nbHY4ie/lyGm4/JlLhLxQ==,iv:PZ7awQYIUryGRSDh46sEV6rmDxdjn+L7j0+Zy7IX9w8=,tag:81yxZez07oLq6BTZLJzDdw==,type:str] +cookies: "" +playlist_length_limit: ENC[AES256_GCM,data:uS1R,iv:64OdDxfuGx3kjjwkgq0STYjqhoxBQpeysu9VPFLv2Nk=,tag:BVssIKHnlQJVrRGrvq2nGA==,type:int] +jobs: + clear_expired_items: + enable: ENC[AES256_GCM,data:xH06BQ==,iv:hZjjrWzRkrUI6bU0sO0MHBA0AU+kAGIFWYf+8FjDJ9s=,tag:jEzCBAAOjcNHlA/6WjI6mg==,type:bool] + instance_list_refresh: + enable: ENC[AES256_GCM,data:lz4Ylg==,iv:HHvmrWSwBHe21LbpPxvIYmNRCQYUCoBcESCrBI3V+SQ=,tag:qxTJ2zX0VYuu/m/15rSLXQ==,type:bool] + notification: + enable: ENC[AES256_GCM,data:NRFmlw==,iv:AR5QGepJ16BITCeRbN9MxWomQEI4JXehuP9cd9ABxH4=,tag:Cxuto/6jtEVAaOvZZL8R/g==,type:bool] + pull_popular_videos: + enable: ENC[AES256_GCM,data:M3DS1Q==,iv:QclNR/OJoaUcaozedj7QeClV8xVy48Fz3Xy2KTb8e3M=,tag:EDz05Kj96egj2UrabdQKQw==,type:bool] + refresh_channels: + enable: ENC[AES256_GCM,data:ICMXfA==,iv:xdW8viTWGMsjwPYeh5u7MjEXxO0LgGh4QT418D+K4nA=,tag:VyzS1O+5oKHz+MeaRflVhQ==,type:bool] + refresh_feeds: + enable: ENC[AES256_GCM,data:exdk+g==,iv:u2jIajt8MRh7CqPNlysmyWMwpYN0gfoXZ4xnFhyfNb4=,tag:2DcP8PlywobzeWaPRDduSQ==,type:bool] + statistics_refresh: + enable: ENC[AES256_GCM,data:kPtx+A==,iv:GDG/TCrQminzi1w35IGs5yEil8qvT736FOuuoBw25sE=,tag:cveZUnBPd+I00s/ChQLXAA==,type:bool] + subscribe_to_feeds: + enable: ENC[AES256_GCM,data:M55jsg==,iv:dVaHutqV9WihAHlVXMSyl+OE/tBIWHE74sX0sioiWG8=,tag:ZXP06yS5ea0XLcr2mzehJA==,type:bool] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age132m0pg4utk3cjve2lgcjffvz7cevl0fq5krufu9sgud7wu2wgurqk49kgl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQNVZtMURSVDByRVhMOUVQ + V2V5blRtL092bkp0TlJRRG9KRUlRRUhKcVE4CmYyUlkrUEU4VE1DVWJlM2YzckE1 + 
RzV6M1p5Tk9lSzBjZ2JaNld4SUkwbnMKLS0tIFBiRDBLYzB2TVdtZUI3RmtoNFVm + ZUcxTXRMUWJaaE12eE9jSUtMbm40bncKDhbq/YynM7XLSX9SorMcFflLa+uC94zk + sLXityG5r8abl7pIc5LPzOieinNIDh5Riv/1gDrObqvWbHIo5ZZa5w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-02-27T22:21:43Z" + mac: ENC[AES256_GCM,data:SZvgwodmlCTSUc7aYVeYg24RkcEJUqZtxEx0MAVpfsT9cj/FSPLa8qeHO3k9otQgZ8564CLtmAFyeZOs0DcpGUdPMJy1Y28elJSBKSl+lyqX19gm133BxOF+qWxebdb+RQpZyUvRLiTAqTc2NkS4RjGJrs4zMF8klvv+FznkEW4=,iv:W2hVSRxVbKN1pSN4xNWrl1u3fchg18dxDduFtJ4Tt74=,tag:nf1y7Io9OngeVeWECc/azA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/secrets/invidious-db.env b/secrets/invidious-db.env new file mode 100644 index 0000000..4de4692 --- /dev/null +++ b/secrets/invidious-db.env 
@@ -0,0 +1,9 @@ +POSTGRES_USER=ENC[AES256_GCM,data:PVPAeSrscw==,iv:R6GU70VGP5OHW2N9wIjDAWJrb9beH45l+jkkR9ZTB1U=,tag:o+yOt625gykWmCztRr4unQ==,type:str] +POSTGRES_PASSWORD=ENC[AES256_GCM,data:TAz5ZMv93FwvZKCFBqM=,iv:Qoau8wnNLridLcMDUImAd0eklAevKfFetkG9eJOOenk=,tag:Y58I++MF2/rRTEZvk5kKoA==,type:str] +POSTGRES_DB=ENC[AES256_GCM,data:T1Fr3wZZFQ4K,iv:9u9kwm9mfgq82ljVe9wawuzpqbIOmA4bnMv246Wh/II=,tag:F9/cMt648T5e0X/IbqIQoA==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeWV0TE5JV09LVGREWHVm\nL3ZrZHRCbVBCaUFlNjRXUXVoM04renBad3dJCnZ5SEowYmEyczA2N2tOc3AzSVNZ\nSElZWUlJU2pBc1o0NnpYanV6aXJBT1EKLS0tIFJDaUQvYitub1dvRXpFajd0bWI3\nNHhiUU5Pc3ZWd3VQTnpNeFdsNHB3bjQKt7SSRCS4+vhmKu70duQSiQge0UnC3EEb\njtCm1TU5OhVvglKMbf/964ivNXMN8ShnxEx8/Oro+/Etjrolk4sGTQ==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age132m0pg4utk3cjve2lgcjffvz7cevl0fq5krufu9sgud7wu2wgurqk49kgl +sops_lastmodified=2025-02-27T22:11:10Z +sops_mac=ENC[AES256_GCM,data:aLxWZ4e0udg889PGsOxAFSwz04hGkEucq8S5xn9PgIEbFzN18Gp50Pi2Q3sNcX2UTqAuCtPB85jgZ1UvNutekaD6fi++eVCcedoQDmV5xpQcFoHa76n/nuh5klMJgOsY1xV7CIdSzbrPbswskeLzLvXZCxxRnWK16EyexBDhzR4=,iv:go3WFH2EvxK2qWVcjMQKeloIIah+l0JJyks7x8eoJVY=,tag:nbKLzehcpfV5DfnsP1T8HA==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.9.4 diff --git a/systems/aarch64-linux/blarm/default.nix b/systems/aarch64-linux/blarm/default.nix index b030646..79589de 100644 --- a/systems/aarch64-linux/blarm/default.nix +++ b/systems/aarch64-linux/blarm/default.nix @@ -1,10 +1,11 @@ { lib, - namespaces, + pkgs, + namespace, modulesPath, ... }: -with lib.${namespaces}; +with lib.${namespace}; { imports = [ (modulesPath + "/installer/scan/not-detected.nix") 
@@ -20,12 +21,15 @@ with lib.${namespaces}; networking.networkmanager.enable = true; networking.defaultGateway.address = "192.168.1.1"; networking.defaultGateway.interface = "end0"; - networking.interfaces.end0.ipv4.addresses = [ - { - address = "192.168.1.202"; - prefixLength = 32; - } - ]; + networking.interfaces.end0 = { + useDHCP = true; + ipv4.addresses = [ + { + address = "192.168.1.202"; + prefixLength = 32; + } + ]; + }; networking.interfaces.end0.ipv6.addresses = [ { address = "fd00:192:168:1::202"; @@ -49,6 +53,14 @@ with lib.${namespaces}; # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; + snowfallorg.users.philipp = { + create = true; + admin = true; + home = { + enable = true; + }; + }; + users.users.philipp = { isNormalUser = true; description = "Philipp Böhm"; @@ -69,6 +81,12 @@ with lib.${namespaces}; awesome-flake.container.technitium = enabled; awesome-flake.container.invidious = enabled; awesome-flake.cli.neovim = enabled; + awesome-flake.services.restic = enabled; + awesome-flake.system.sops = enabled; + + environment.systemPackages = with pkgs; [ + git + ]; system.stateVersion = "24.11";
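Review bot: In the `@@ -20,12 +21,15 @@` hunk of `systems/aarch64-linux/blarm/default.nix`, `useDHCP = true;` is added to `end0` next to the static `192.168.1.202/32` address while `networking.networkmanager.enable` is also on, so it is not clear which mechanism is meant to configure the interface. The invidious container ports visible in this commit are bound to `192.168.1.202`, so the static address must remain the one services rely on. A comment explaining the intent would help, e.g. `# DHCP enabled for <reason>; services bind to the static address below`.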