diff --git a/flake.lock b/flake.lock index f5f51ff..fcd58d6 100644 --- a/flake.lock +++ b/flake.lock @@ -87,6 +87,22 @@ "type": "github" } }, + "jellyfin-exporter": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "path": "./jellyfin-exporter", + "type": "path" + }, + "original": { + "path": "./jellyfin-exporter", + "type": "path" + }, + "parent": [] + }, "nix-darwin": { "inputs": { "nixpkgs": [ @@ -128,6 +144,7 @@ "inputs": { "agenix": "agenix", "home-manager": "home-manager_2", + "jellyfin-exporter": "jellyfin-exporter", "nix-darwin": "nix-darwin", "nixpkgs": "nixpkgs" } diff --git a/flake.nix b/flake.nix index 2883726..1667b77 100644 --- a/flake.nix +++ b/flake.nix @@ -9,6 +9,8 @@ home-manager.inputs.nixpkgs.follows = "nixpkgs"; agenix.url = "github:ryantm/agenix"; agenix.inputs.nixpkgs.follows = "nixpkgs"; + jellyfin-exporter.url = "path:./jellyfin-exporter"; + jellyfin-exporter.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = @@ -18,16 +20,20 @@ home-manager, nixpkgs, agenix, + jellyfin-exporter, }: let macbook = import ./systems/macbook/macbook.nix inputs; selene = import ./systems/selene/system.nix inputs; + + ren = import ./systems/ren/system.nix inputs; in { # Build darwin flake using: # $ darwin-rebuild build --flake .#Maxiems-MacBook-Pro darwinConfigurations."Maxiems-MacBook-Pro" = macbook; nixosConfigurations.selene = selene; + nixosConfigurations.ren = ren; }; } diff --git a/jellyfin-exporter/flake.nix b/jellyfin-exporter/flake.nix new file mode 100644 index 0000000..307e58b --- /dev/null +++ b/jellyfin-exporter/flake.nix 
@@ -0,0 +1,55 @@ +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; + }; + + outputs = + { self, nixpkgs }: + let + # The set of systems to provide outputs for + allSystems = [ + "x86_64-linux" + "aarch64-linux" + "x86_64-darwin" + "aarch64-darwin" + ]; + + # A function that provides a system-specific Nixpkgs for the desired systems + forAllSystems = + f: + nixpkgs.lib.genAttrs allSystems ( + system: + f { + pkgs = import nixpkgs { inherit system; }; + } + ); + in + { + packages = forAllSystems ( + { pkgs }: + { + default = pkgs.buildGoModule (finalAttrs: { + doCheck = false; + pname = "jellyfin-exporter"; + version = "1.3.8"; + + src = pkgs.fetchFromGitHub { + owner = "rebelcore"; + repo = "jellyfin_exporter"; + tag = "v${finalAttrs.version}"; + hash = "sha256-7fIrjcy6y/Ayj43WeuPNCx3uVJyl5Wf6bWs5ta2PpWc="; + }; + + # Let Nix fetch Go modules and hash them automatically + vendorHash = "sha256-JSOKDbefQyDLNy2y1oW7HUplQw8uhhOGZ+ueWyUYYQ0="; + + meta = { + description = "Jellyfin exporter for Prometheus"; + homepage = "https://github.com/rebelcore/jellyfin_exporter"; + license = pkgs.lib.licenses.asl20; + }; + }); + } + ); + }; +} diff --git a/keys/hetzner.priv b/keys/hetzner.priv new file mode 100644 index 0000000..3d9659c Binary files /dev/null and b/keys/hetzner.priv differ diff --git a/keys/macbook.priv b/keys/macbook.priv index 2584baf..c3935a5 100644 Binary files a/keys/macbook.priv and b/keys/macbook.priv differ diff --git a/keys/master.priv b/keys/master.priv index 4c8e0ec..d2ffd90 100644 Binary files a/keys/master.priv and b/keys/master.priv differ diff --git a/keys/ren.priv b/keys/ren.priv new file mode 100644 index 0000000..7b2a0ed Binary files /dev/null and b/keys/ren.priv differ diff --git a/keys/ren.pub b/keys/ren.pub new file mode 100644 index 0000000..3454ee9 --- /dev/null +++ b/keys/ren.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIM1gLSFZSVq+5s58+pymRJY+QOWHm6SZvvhY93YDm5k ren@me.com 
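Review bot: `doCheck = false` in the `buildGoModule` call skips the upstream test suite for a third-party binary fetched from GitHub, and nothing in the hunk says why; add a one-line reason next to it (`# tests skipped: <reason>`) or drop the line if the tests pass in the Nix sandbox, so the next person does not have to rediscover it. Source and vendor tree are pinned by `hash`/`vendorHash`, which is the right supply-chain posture. A `meta.mainProgram` entry would let `nix run` find the binary without guessing its name — check the actual binary name in the upstream module before adding it.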
diff --git a/keys/secrets.nix b/keys/secrets.nix index ad697ad..c1ba64d 100644 --- a/keys/secrets.nix +++ b/keys/secrets.nix @@ -2,10 +2,16 @@ let selene = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEiuoUbvgZ2N03MTcWw4z+oUB9SG0jR0fy5AnTTBHym" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcfmaqbtwSEydV2hge/aDWxfwlKOw/JJZZWy8ycjojH" ]; macbook = [ (builtins.readFile ./macbook.pub) ]; master = [ (builtins.readFile ./master.pub) ]; + ren = [ (builtins.readFile ./ren.pub) ]; in { "jellyfin-key".publicKeys = selene; "google-storage-key".publicKeys = selene; "macbook.priv".publicKeys = macbook ++ master; "master.priv".publicKeys = macbook ++ master; + "wg-selene".publicKeys = macbook ++ selene ++ master; + "wg-macbook".publicKeys = macbook ++ master; + "hetzner.priv".publicKeys = macbook ++ selene ++ master ++ ren; + "wg-ren".publicKeys = macbook++master; + "ren.priv".publicKeys = master ++ ren; } \ No newline at end of file diff --git a/keys/wg-macbook b/keys/wg-macbook new file mode 100644 index 0000000..d4487b3 --- /dev/null +++ b/keys/wg-macbook @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 M7OTMg f7fgG3DiQpjnDRSEUjSinuqgLATaK7QRN59bSimH1EU +9sKf6eQVwqVBrB553zCHwFs0uyQGRpIJkBZ0AyXPFC4 +-> ssh-ed25519 CJLJQg +b+cRU3irwvMnqVBWBIV4GoRyEy+Lg3LHUxZ/httTDo +uBlqCHMXyf1Um+W6y1Bh9pY0osqdeTgFQGuR6eSHQP4 +--- Ft1Ii2eVy0h8X6h7ABOW6ryT4ctxg9jS8utA7s52bBA +z0yWϥ4Ͱ^| +MuRtLA:*Ȃh2Sζk咬F& m1y \ No newline at end of file diff --git a/keys/wg-macbook.pub b/keys/wg-macbook.pub new file mode 100644 index 0000000..d151aae --- /dev/null +++ b/keys/wg-macbook.pub @@ -0,0 +1 @@ +uFmbvJBptZsrzYDqpZM7SsibELaIRZIT91dr+lg4UTQ= diff --git a/keys/wg-ren b/keys/wg-ren new file mode 100644 index 0000000..858a6a6 --- /dev/null +++ b/keys/wg-ren 
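Review bot: `"wg-ren".publicKeys = macbook++master;` does not include `ren`, so the ren host cannot decrypt its own WireGuard key, whereas `"wg-selene"` does include its host; if wg-ren is meant to be deployed on ren it should read `"wg-ren".publicKeys = macbook ++ master ++ ren;` (spacing as in the other entries). In the other direction several secrets are encrypted to more recipients than consume them: the server's private key `wg-selene` is readable by the laptop, and `hetzner.priv` (an SSH private key, per ren/users.nix) by all four identities, so a compromise of any one identity exposes key material used on other hosts. The recipient lists here are the only access control on these files once the repo is cloned, so keep each secret to its consuming host plus `master`. Why wg-selene needs `macbook` is not visible in the diff — drop it unless something on the laptop actually reads it.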
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 M7OTMg QdJds7EpXMyyO9aKmqQg3HWmY6RQbzkQxRQw+K9fn14 +/SlvfJAOmCqYvIOZm/ZSynAIWSC+2dAvPpa+5Me6I8k +-> ssh-ed25519 CJLJQg MqNRTuwFcRdZ5VFbcgXQwjRxMAHLJEdUKLuXFPtkRVc +qRaaJzGRPiW2doetErhhUKwUXitvsQ5CGl2QzGK44Ss +--- fCQGYqP7qr+S1tzDeyce5Bn4iWsXq+kIe/ojPNj0LVA +4Zi"՞3W+i98ߞ=unBy]@[X[] XÛ5̜zl@ \ No newline at end of file diff --git a/keys/wg-ren.pub b/keys/wg-ren.pub new file mode 100644 index 0000000..c183803 --- /dev/null +++ b/keys/wg-ren.pub @@ -0,0 +1 @@ +wvTFERFXOPcgziLtLtfF3LGv5zmBWikCy/yLRwSuxWA= diff --git a/keys/wg-selene b/keys/wg-selene new file mode 100644 index 0000000..9c5a200 Binary files /dev/null and b/keys/wg-selene differ diff --git a/keys/wg-selene.pub b/keys/wg-selene.pub new file mode 100644 index 0000000..aa058e5 --- /dev/null +++ b/keys/wg-selene.pub @@ -0,0 +1 @@ +4N/84YKCDOPpXTkRxBDQOOUzKR2PXOy4/3gJbel1yE4= diff --git a/modules/servermodules/forgejo/forgejo.nix b/modules/servermodules/forgejo/forgejo.nix new file mode 100644 index 0000000..e82db47 --- /dev/null +++ b/modules/servermodules/forgejo/forgejo.nix @@ -0,0 +1,36 @@ +{ + lib, + pkgs, + config, + ... +}: +let + cfg = config.services.forgejo; + srv = cfg.settings.server; +in +{ + services.forgejo = { + enable = true; + database.type = "postgres"; + # Enable support for Git Large File Storage + lfs.enable = true; + settings = { + server = { + DOMAIN = "git.maxiemgeldhof.com"; + # You need to specify this to remove the port from URLs in the web UI. + ROOT_URL = "https://${srv.DOMAIN}/"; + HTTP_PORT = 3028; + }; + # You can temporarily allow registration to create an admin user. + service.DISABLE_REGISTRATION = true; + # Add support for actions, based on act: https://github.com/nektos/act + actions = { + ENABLED = false; + }; + + metrics = { + ENABLED = true; + }; + }; + }; +} diff --git a/modules/servermodules/jellyfin/jellyfin.nix b/modules/servermodules/jellyfin/jellyfin.nix index f976393..15baa37 100644 
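Review bot: `metrics.ENABLED = true` with no `metrics.TOKEN` leaves Forgejo's `/metrics` unauthenticated at the application layer, so the only guard is the nginx allow-list on the `git.` vhost; set a token (the module's `services.forgejo.secrets` option can load it from an agenix file rather than putting it in the Nix store) so a direct request to port 3028 or a proxy misconfiguration cannot scrape it. The hunk also does not pin `server.HTTP_ADDR`; the NixOS module defaults it to loopback as far as I recall, but writing `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT = 3028;` makes the intent explicit and survives a default change. `DOMAIN = "git.maxiemgeldhof.com"` hardcodes what nginx.nix derives from its `rootdomain` argument, so the two will drift silently. `lib` and `pkgs` in the argument set are unused.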
--- a/modules/servermodules/jellyfin/jellyfin.nix +++ b/modules/servermodules/jellyfin/jellyfin.nix @@ -18,7 +18,7 @@ }; age.secrets.jellyfin-key = { - file = ./secrets/jellyfin-key; + file = ../../../keys/jellyfin-key; owner = "jellyfin"; }; diff --git a/modules/servermodules/nginx.nix b/modules/servermodules/nginx.nix index b114fe6..4cd70b6 100644 --- a/modules/servermodules/nginx.nix +++ b/modules/servermodules/nginx.nix @@ -1,39 +1,37 @@ -{ rootdomain }: -{ +rootdomain: { systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/logs/nginx" ]; services.nginx.enable = true; services.nginx.commonHttpConfig = '' - log_format myformat '$remote_addr - $remote_user [$time_local] ' - '$host "$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; - ''; + log_format myformat '$remote_addr - $remote_user [$time_local] ' + '$host "$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + ''; services.nginx.virtualHosts."default" = { - enableACME = false; - rejectSSL = true; - default = true; + enableACME = false; + rejectSSL = true; + default = true; - locations."/" = { - return = 404; - }; - extraConfig = '' - access_log /logs/nginx/nginx-access.log myformat; - ''; + locations."/" = { + return = 404; + }; + extraConfig = '' + access_log /logs/nginx/nginx-access.log myformat; + ''; }; - services.nginx.virtualHosts."grafana.${rootdomain}" = { - enableACME = true; - forceSSL = true; + enableACME = true; + forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:3000"; - proxyWebsockets = true; - recommendedProxySettings = true; - }; - extraConfig = '' - access_log /logs/nginx/nginx-access.log myformat; - ''; + locations."/" = { + proxyPass = "http://127.0.0.1:3000"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; + extraConfig = '' + access_log /logs/nginx/nginx-access.log myformat; + ''; }; services.nginx.virtualHosts."jellyfin.${rootdomain}" = { 
@@ -50,11 +48,11 @@ proxyPass = "http://127.0.0.1:8096/metrics"; recommendedProxySettings = true; extraConfig = '' - allow 127.0.0.1; - allow 192.168.0.0/16; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - deny all; + allow 127.0.0.1; + allow 192.168.0.0/16; + allow 10.0.0.0/8; + allow 172.16.0.0/12; + deny all; ''; }; @@ -68,9 +66,34 @@ defaults.email = "admin@${rootdomain}"; }; - systemd.tmpfiles.rules = [ - # Type Path Mode User Group Age Argument - "d /logs/nginx 0755 nginx nginx - -" - ] -} + services.nginx.virtualHosts."git.${rootdomain}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:3028"; + recommendedProxySettings = true; + }; + + locations."/metrics" = { + proxyPass = "http://127.0.0.1:3028/metrics"; + recommendedProxySettings = true; + extraConfig = '' + allow 127.0.0.1; + allow 192.168.0.0/16; + allow 10.0.0.0/8; + allow 172.16.0.0/12; + deny all; + ''; + }; + + extraConfig = '' + access_log /logs/nginx/nginx-access.log myformat; + ''; + }; + + systemd.tmpfiles.rules = [ + # Type Path Mode User Group Age Argument + "d /logs/nginx 0755 nginx nginx - -" + ]; +} diff --git a/modules/servermodules/packages.nix b/modules/servermodules/packages.nix index 4d3f88c..d15c966 100644 --- a/modules/servermodules/packages.nix +++ b/modules/servermodules/packages.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, config, ... }: { environment.systemPackages = [ pkgs.git @@ -8,7 +8,7 @@ pkgs.tmux ]; age.secrets.google-storage-key = { - file = ./secrets/google-storage-key; + file = ../../keys/google-storage-key; owner = "root"; }; environment.variables.GOOGLE_APPLICATION_CREDENTIALS = config.age.secrets."google-storage-key".path; diff --git a/modules/servermodules/wireguard/wireguard-server.nix b/modules/servermodules/wireguard/wireguard-server.nix new file mode 100644 index 0000000..0e9144b --- /dev/null +++ b/modules/servermodules/wireguard/wireguard-server.nix 
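Review bot: the new `git.${rootdomain}` vhost sets no `client_max_body_size`, so nginx's 1 MiB default will answer larger `git push` bodies and LFS uploads (forgejo.nix enables `lfs` in this same commit) with 413; add `client_max_body_size 512M;` (or whatever limit you want) to the vhost's `extraConfig` alongside the `access_log` line. Long clone/fetch operations can also exceed the default `proxy_read_timeout` in the `/` location; whether that matters depends on repository sizes I cannot see from here. The `/metrics` allow-list is evaluated on the real TCP peer address, which is correct as long as nothing sits in front of this nginx — the diff shows nothing that does.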
@@ -0,0 +1,72 @@ +let + allowedIPs = [ "10.100.0.1/24" ]; + port = 51820; + publicIp = "37.27.207.39"; +in +{ + serverModule = + { + pkgs, + config, + ... + }: + { + # enable NAT + networking.nat.enable = true; + networking.nat.externalInterface = "eth0"; + networking.nat.internalInterfaces = [ "wg0" ]; + networking.firewall = { + allowedUDPPorts = [ port ]; + }; + + age.secrets.wg-selene = { + file = ../../../keys/wg-selene; + owner = "selene"; + }; + networking.wireguard.interfaces = { + # "wg0" is the network interface name. You can name the interface arbitrarily. + wg0 = { + # Determines the IP address and subnet of the server's end of the tunnel interface. + ips = allowedIPs; + + # The port that WireGuard listens to. Must be accessible by the client. + listenPort = port; + + # This allows the wireguard server to route your traffic to the internet and hence be like a VPN + # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients + # postSetup = '' + # ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + # ''; + + # # This undoes the above command + # postShutdown = '' + # ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + # ''; + + # Path to the private key file. + # + # Note: The private key can also be included inline via the privateKey option, + # but this makes the private key world-readable; thus, using privateKeyFile is + # recommended. + + privateKeyFile = config.age.secrets.wg-selene.path; + + peers = [ + # List of allowed peers. + (import ../../../systems/macbook/wireguard.nix).peerConfig + { + publicKey = (builtins.readFile ../../../keys/wg-ren.pub); + allowedIPs = [ "10.100.0.3/32" ]; + } + ]; + }; + }; + }; + + infoForClients = { + endpoint = "${publicIp}:${builtins.toString port}"; + allowedIPs = allowedIPs; + publicKey = builtins.readFile ../../../keys/wg-selene.pub; + persistentKeepalive = 25; + }; +} 
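Review bot: `age.secrets.wg-selene.owner = "selene"` hands the server's WireGuard private key to an interactive user account that nothing in the interface definition needs — `networking.wireguard` brings `wg0` up from a root-run systemd unit, so drop the `owner` line and keep the default root ownership and 0400 mode. `networking.nat.enable = true` with `internalInterfaces = [ "wg0" ]` turns on IP forwarding and masquerading out of `eth0`, yet `infoForClients.allowedIPs` only routes `10.100.0.1/24` through the tunnel, so the NAT is currently unused surface that lets any peer forward packets to whatever `eth0` reaches; either remove the NAT block or route `0.0.0.0/0` on the clients on purpose. `builtins.readFile ../../../keys/wg-ren.pub` (and `wg-selene.pub` in `infoForClients`) keeps the file's trailing newline inside the key string; unless the module trims it, `wg` will reject the key, so wrap it as `builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile …)`. The hardcoded `publicIp` will go stale if the server is rebuilt; a comment saying which host it belongs to would help.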
diff --git a/modules/usermodules/darwinsettings.nix b/modules/usermodules/darwinsettings.nix index 31fecd3..253c4e5 100644 --- a/modules/usermodules/darwinsettings.nix +++ b/modules/usermodules/darwinsettings.nix @@ -2,7 +2,7 @@ self: { pkgs, agenix, ... }: { # List packages installed in system profile. To search by name, run: # $ nix-env -qaP | grep wget - environment.systemPackages = [ pkgs.vim pkgs.vscode pkgs.git pkgs.nixfmt-rfc-style agenix.packages.aarch64-darwin.default pkgs.python3]; + environment.systemPackages = [ pkgs.vim pkgs.vscode pkgs.git pkgs.nixfmt-rfc-style agenix.packages.aarch64-darwin.default pkgs.python3 pkgs.wireguard-tools]; # Necessary for using flakes on this system. nix.settings.experimental-features = "nix-command flakes"; diff --git a/systems/macbook/macbook.nix b/systems/macbook/macbook.nix index 97e8b97..8ce6646 100644 --- a/systems/macbook/macbook.nix +++ b/systems/macbook/macbook.nix @@ -1,15 +1,22 @@ -{ nix-darwin, home-manager, agenix, self, ... }: +{ + nix-darwin, + home-manager, + agenix, + self, + ... +}: nix-darwin.lib.darwinSystem { modules = [ + agenix.darwinModules.default { system.primaryUser = "maxiemgeldhof"; } (import ../../modules/usermodules/darwinsettings.nix self) home-manager.darwinModules.home-manager - (import ./users.nix) - agenix.darwinModules.default + ./users.nix + (import ./wireguard.nix).systemModule ]; specialArgs = { - home-manager=home-manager; + home-manager = home-manager; agenix = agenix; }; } diff --git a/systems/macbook/users.nix b/systems/macbook/users.nix index da4bb7a..038f488 100644 --- a/systems/macbook/users.nix +++ b/systems/macbook/users.nix @@ -13,6 +13,10 @@ let programs.zsh = (import ../../modules/usermodules/zsh.nix).programs.zsh; programs.git = (import ../../modules/usermodules/git.nix).programs.git; + + programs.ssh.matchBlocks.ren = { + + }; }; in { 
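Review bot: `programs.ssh.matchBlocks.ren = { };` is an empty block, so home-manager emits a bare `Host ren` stanza that sets nothing; either fill it in (`hostname`, `user`, `identityFile` — presumably the WireGuard address `10.100.0.3` and user `ren` from ren/users.nix, but confirm) or leave it out of this commit. An empty stanza is harmless today but will hide a later typo in the real entry. The enclosing `userconfig` attribute set starts before this hunk.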
@@ -20,4 +24,5 @@ in home-manager.useUserPackages = true; home-manager.users.maxiemgeldhof = userconfig; users.users.maxiemgeldhof.home = "/Users/maxiemgeldhof"; + age.identityPaths = [ "/Users/maxiemgeldhof/.ssh/id_ed25519" ]; } diff --git a/systems/macbook/wireguard.nix b/systems/macbook/wireguard.nix new file mode 100644 index 0000000..35e93c8 --- /dev/null +++ b/systems/macbook/wireguard.nix @@ -0,0 +1,32 @@ +let + ip = "10.100.0.2/32"; + publicKey = (builtins.readFile ../../keys/wg-macbook.pub); +in +{ + systemModule = { config, ... }: { + age.secrets.wg-private.file = ../../keys/wg-macbook; + networking.wg-quick.interfaces.wg-selene = { + privateKeyFile = config.age.secrets.wg-private.path; + + # The internal IP address assigned to this client by the server. + # The /24 subnet mask is important for knowing the VPN's local network. + address = [ ip ]; + + # DNS server(s) to use when the tunnel is active. + # This is critical for resolving hostnames when all traffic is routed. + dns = [ + "1.1.1.1" + "1.0.0.1" + ]; # Cloudflare DNS, or use your preferred one like 8.8.8.8 + + peers = [ + (import ../../modules/servermodules/wireguard/wireguard-server.nix).infoForClients + ]; + }; + }; + + peerConfig = { + publicKey = publicKey; + allowedIPs = [ip]; + }; +} diff --git a/systems/ren/hardware.nix b/systems/ren/hardware.nix new file mode 100644 index 0000000..2f48c31 --- /dev/null +++ b/systems/ren/hardware.nix 
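Review bot: `dns = [ "1.1.1.1" "1.0.0.1" ]` makes wg-quick replace the Mac's resolver for as long as the tunnel is up, but the peer's `allowedIPs` (taken from `infoForClients`) only cover `10.100.0.1/24`, so every DNS query leaves in the clear over the untunneled interface — the comment "This is critical for resolving hostnames when all traffic is routed" describes a full-tunnel setup this config does not have. Either drop `dns` and that comment, or, if a full tunnel is intended, set the peer's allowedIPs to `0.0.0.0/0` deliberately. The comment "The /24 subnet mask is important" likewise contradicts `ip = "10.100.0.2/32"`. `builtins.readFile ../../keys/wg-macbook.pub` keeps the trailing newline in `peerConfig.publicKey`, which the server's peer list passes to `wg`; strip it with `builtins.replaceStrings [ "\n" ] [ "" ] (…)` unless you have confirmed the module tolerates it.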
@@ -0,0 +1,30 @@ +{ modulesPath, ... }: +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + boot.loader.grub = { + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/0683-2D32"; + fsType = "vfat"; + }; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "xen_blkfront" + "vmw_pvscsi" + ]; + boot.initrd.kernelModules = [ "nvme" ]; + fileSystems."/" = { + device = "/dev/sda1"; + fsType = "ext4"; + }; + system.stateVersion = "23.11"; + nix.settings.experimental-features = [ + "nix-command" + "flakes" + ]; + +} diff --git a/systems/ren/system.nix b/systems/ren/system.nix new file mode 100644 index 0000000..d78fa0d --- /dev/null +++ b/systems/ren/system.nix @@ -0,0 +1,37 @@ +{ + agenix, + jellyfin-exporter, + nixpkgs, + self, + ... +}: +let + system = "x86_64-linux"; +in +nixpkgs.lib.nixosSystem { + system = system; + specialArgs = { + # This selects the package for the current system and passes it + exporter-pkg = jellyfin-exporter.packages.${system}.default; + system = system; + }; + + modules = [ + { + boot.tmp.cleanOnBoot = true; + zramSwap.enable = true; + networking.hostName = "Ren"; + networking.domain = ""; + services.openssh.enable = true; + networking.firewall = { + enable = true; + allowedTCPPorts = [ + 22 + ]; + }; + } + ./users.nix + ./hardware.nix + agenix.nixosModules.default + ]; +} diff --git a/systems/ren/users.nix b/systems/ren/users.nix new file mode 100644 index 0000000..cb5485d --- /dev/null +++ b/systems/ren/users.nix 
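Review bot: ren is a VPS (qemu-guest profile) that exposes `openssh` on port 22 with NixOS defaults, and `users.users.ren` in this same commit carries a `hashedPassword`, so unless `PasswordAuthentication` is disabled elsewhere the host accepts password logins from the internet; add `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "prohibit-password"; };` (the last value is the default, stated here because users.nix populates root's `authorized_keys`). `networking.hostName = "Ren"` does not match the flake attribute `nixosConfigurations.ren`, so `nixos-rebuild switch --flake .` on the host will look for `#Ren` and fail unless `.#ren` is always passed explicitly. `networking.domain = ""` is a no-op and `allowedTCPPorts = [ 22 ]` duplicates `services.openssh.openFirewall`'s default, so both can go. `self` is destructured but unused.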
@@ -0,0 +1,28 @@ +{ + users.users.ren = { + isNormalUser = true; + home = "/home/ren"; + hashedPassword = "$y$j9T$KjOwguW/7P9GvbNg6Yy.k/$8xf3aqnJ909HSjxtpe854RKdiXiPpbOLt.aiuJSfeC0"; + openssh.authorizedKeys.keys = [ + (builtins.readFile ../../keys/hetzner.pub) + (builtins.readFile ../../keys/asus.pub) + (builtins.readFile ../../keys/macbook.pub) + ]; + + extraGroups = [ + "wheel" + "networkmanager" + ]; + }; + + age.secrets.hetzner-key = { + file = ../../keys/hetzner.priv; + owner = "ren"; + }; + + users.users.root.openssh.authorizedKeys.keys = [ + (builtins.readFile ../../keys/hetzner.pub) + ]; + age.identityPaths = [ "/home/ren/.ssh/id_ed25519" ]; + +} diff --git a/systems/selene/basesettings.nix b/systems/selene/basesettings.nix index 6ef1b84..448afa3 100644 --- a/systems/selene/basesettings.nix +++ b/systems/selene/basesettings.nix @@ -1,7 +1,7 @@ { ... }: { imports = [ - ./hardware-configuration.nix + ./hardware.nix ./networking.nix # generated at runtime by nixos-infect ]; diff --git a/systems/selene/system.nix b/systems/selene/system.nix index 2a7edc4..a48777f 100644 --- a/systems/selene/system.nix +++ b/systems/selene/system.nix 
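Review bot: `hashedPassword = "$y$j9T$…"` commits a password hash to the repository, where anyone with read access can crack it offline; move it to an agenix secret and use `hashedPasswordFile = config.age.secrets.ren-password.path;`, and rotate the password since this hash is already in history. `age.identityPaths = [ "/home/ren/.ssh/id_ed25519" ]` has the root-run activation decrypt secrets with a key that lives in an interactive, wheel-group user's home; the default host key (`/etc/ssh/ssh_host_ed25519_key`) is root-only and exists before any user does, and if `ren.priv` is meant to become that very file the current setup cannot bootstrap itself. `age.secrets.hetzner-key` with `owner = "ren"` puts an SSH private key whose public half is in `users.users.root.openssh.authorizedKeys.keys` in the same file into the ren user's hands — ren is already in `wheel`, but the pairing still makes that key a root credential and deserves a comment if it is intentional.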
@@ -1,19 +1,31 @@ -{ agenix, jellyfin-exporter, nixpkgs, ... }: +{ + agenix, + jellyfin-exporter, + nixpkgs, + self, + ... +}: +let + system = "aarch64-linux"; +in nixpkgs.lib.nixosSystem { system = system; specialArgs = { # This selects the package for the current system and passes it exporter-pkg = jellyfin-exporter.packages.${system}.default; + system = system; }; modules = [ ./basesettings.nix ./users.nix ../../modules/servermodules/packages.nix - (import ./nginx.nix "maxiemgeldhof.com") - ../../modules/servermodules/grafana.nix - ../../modules/servermodules/jellyfin.nix + (import ../../modules/servermodules/nginx.nix "maxiemgeldhof.com") + ../../modules/servermodules/grafana/grafana.nix + ../../modules/servermodules/jellyfin/jellyfin.nix + (import ../../modules/servermodules/wireguard/wireguard-server.nix).serverModule ./volumes.nix + ../../modules/servermodules/forgejo/forgejo.nix agenix.nixosModules.default ]; } diff --git a/systems/selene/users.nix b/systems/selene/users.nix index 1885a32..7bf2c37 100644 --- a/systems/selene/users.nix +++ b/systems/selene/users.nix @@ -6,7 +6,7 @@ openssh.authorizedKeys.keys = [ (builtins.readFile ../../keys/hetzner.pub) (builtins.readFile ../../keys/asus.pub) - (builtins.readFile "../../keys/pacbook.pub") + (builtins.readFile ../../keys/macbook.pub) ]; extraGroups = [ @@ -14,4 +14,10 @@ "networkmanager" ]; }; + + age.secrets.hetzner-key = { + file = ../../keys/hetzner.priv; + owner = "selene"; + }; + }
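Review bot: the last hunk decrypts `hetzner.priv` on selene with `owner = "selene"`, and this same commit deploys the same key to ren and lists `hetzner.pub` in ren's root `authorized_keys`, so the `selene` user (and anything able to read its files) can now SSH as root into ren wherever ren is reachable. One private key shared across hosts also means a single compromise forces rotation everywhere; generate a per-host key on selene and authorize only that. Nothing in the diff shows what on selene consumes `hetzner-key` — if nothing does yet, leave the `age.secrets.hetzner-key` block out until it is needed. In system.nix, `self` is destructured but unused.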