m3tam3re/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(ports): add netbird port definitions

Browse Source
This commit is contained in:
m3tm3re
2026-02-27 16:03:08 +01:00
parent 4920029c65
commit fa9747f3e9
24 changed files with 411 additions and 253 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
flake.lock generated
View File

@@ -82,11 +82,11 @@
]
},
"locked": {
"lastModified": 1771355198,
"narHash": "sha256-89m5VKxIs8QNiIvLsxHu5NpyhDsoXTtoN801IAurnW4=",
"lastModified": 1771881364,
"narHash": "sha256-A5uE/hMium5of/QGC6JwF5TGoDAfpNtW00T0s9u/PN8=",
"owner": "nix-community",
"repo": "disko",
"rev": "92fceb111901a6f13e81199be4fab95fce86a5c9",
"rev": "a4cb7bf73f264d40560ba527f9280469f1f081c6",
"type": "github"
},
"original": {
@@ -162,11 +162,11 @@
]
},
"locked": {
"lastModified": 1771422582,
"narHash": "sha256-xK5kl3OBZaF1VwziVMX+SZ2LT9Fbu5o8vRDt78uR7no=",
"lastModified": 1772164835,
"narHash": "sha256-zRcwrZDeBfYipqv/7K7TqsfPb87LFU6b7JhoNUGSnvQ=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "b3ccd4bb262f4e6d3248b46cede92b90c4a42094",
"rev": "2a39b0828bbffce0d73769a61e46e780488d098b",
"type": "github"
},
"original": {
@@ -246,11 +246,11 @@
"openspec": "openspec"
},
"locked": {
"lastModified": 1771433707,
"narHash": "sha256-O6S4YB16lN9ACb2Z6lEWxE22IyUhb+Z3mJgQJw3hpA4=",
"lastModified": 1772041931,
"narHash": "sha256-NQOQrGtR1EXM33JSVUt5Sz5MburSxWU7t9iZrJk9gQo=",
"ref": "refs/heads/master",
"rev": "58312b2ca2fdf5e0f753e496b4902a523cbb96aa",
"revCount": 120,
"rev": "e22774539ac26071b1bc0e6e8272df3c3ec732f2",
"revCount": 132,
"type": "git",
"url": "https://code.m3ta.dev/m3tam3re/nixpkgs"
},
@@ -393,11 +393,11 @@
},
"nixpkgs-master": {
"locked": {
"lastModified": 1770917518,
"narHash": "sha256-XSwv/tVrNo/L8SPH8Lx9xZH1PrZd/3Z3J/0SH7Xertg=",
"lastModified": 1771574031,
"narHash": "sha256-yKeO6auxI8PrBZOdt/LVRDm+bh939E60l4iZKo1ExeA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3f4a3c08f2f318ee29fc8a2689f390071a94aaf0",
"rev": "ab43bb60c7d266a4a285e863d89c1e69cd124dd5",
"type": "github"
},
"original": {
@@ -409,11 +409,11 @@
},
"nixpkgs-master_2": {
"locked": {
"lastModified": 1771426280,
"narHash": "sha256-EJOpj/ha/y7cLBHqPWCbYh4fFM83mO/c9bYm8zVVRkY=",
"lastModified": 1772174770,
"narHash": "sha256-/9F05YcHccOaI4dIsWk4G9oKEK07Oc3TeK5O7S3Mu8Q=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "85680c67a23fe3cc29b85d4568e984185c58e0c9",
"rev": "337e35331766eb979303e7639914c8a80cc02649",
"type": "github"
},
"original": {
@@ -425,11 +425,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1771208521,
"narHash": "sha256-X01Q3DgSpjeBpapoGA4rzKOn25qdKxbPnxHeMLNoHTU=",
"lastModified": 1771903837,
"narHash": "sha256-sdaqdnsQCv3iifzxwB22tUwN/fSHoN7j2myFW5EIkGk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "fa56d7d6de78f5a7f997b0ea2bc6efd5868ad9e8",
"rev": "e764fc9a405871f1f6ca3d1394fb422e0a0c3951",
"type": "github"
},
"original": {
@@ -457,11 +457,11 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1770562336,
"narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=",
"lastModified": 1771369470,
"narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d6c71932130818840fc8fe9509cf50be8c64634f",
"rev": "0182a361324364ae3f436a63005877674cf45efb",
"type": "github"
},
"original": {
@@ -489,11 +489,11 @@
},
"nixpkgs_5": {
"locked": {
"lastModified": 1771008912,
"narHash": "sha256-gf2AmWVTs8lEq7z/3ZAsgnZDhWIckkb+ZnAo5RzSxJg=",
"lastModified": 1771848320,
"narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "a82ccc39b39b621151d6732718e3e250109076fa",
"rev": "2fc6539b481e1d2569f25f8799236694180c0993",
"type": "github"
},
"original": {
@@ -527,11 +527,11 @@
]
},
"locked": {
"lastModified": 1771425294,
"narHash": "sha256-owiQE9oINf1cgaulbrr2sMjelk2cmR8rkxLRPYYL6Kg=",
"lastModified": 1772169824,
"narHash": "sha256-KF4t5iagvmzUCT/ukiMbKg+hG+raFm+qs4zRWJouho8=",
"owner": "nix-community",
"repo": "NUR",
"rev": "242d44cd6af365da2dfa77422263b29d0ac9f39f",
"rev": "9d6c360577861a5218dbf453b84483075e6b56d2",
"type": "github"
},
"original": {
@@ -548,16 +548,16 @@
]
},
"locked": {
"lastModified": 1771271829,
"narHash": "sha256-43vPMyO7DsAgKrh0Wmt7jLDYCWUsaj30nBITreyYgX8=",
"lastModified": 1772031356,
"narHash": "sha256-PA3/P5nUDlrKD6xjDXFoNNF8U2Wzz2JeeY4H+CzWWgY=",
"owner": "anomalyco",
"repo": "opencode",
"rev": "d8c25bfeb44771cc3a3ba17bf8de6ad2add9de2c",
"rev": "de2bc25677b419d2af0da8b6a24a05d3f22b67a8",
"type": "github"
},
"original": {
"owner": "anomalyco",
"ref": "v1.2.6",
"ref": "v1.2.14",
"repo": "opencode",
"type": "github"
}
@@ -570,11 +570,11 @@
]
},
"locked": {
"lastModified": 1771409495,
"narHash": "sha256-LplnuO/OHSFL8S8iwQ16CZTjlPxRV9XohkKxL3uA5Sc=",
"lastModified": 1771554066,
"narHash": "sha256-nQPz81Um+4zhEeNz1o55Ix1DoBEM3CxeABAmOJkgIac=",
"owner": "Fission-AI",
"repo": "OpenSpec",
"rev": "5fd8e9d66c3b6b116e7af814a6013c2d9c4958dd",
"rev": "4ba26902dfecf6f54c5a729993e012a57f4e2877",
"type": "github"
},
"original": {

1
home/features/desktop/hyprland.nix
View File

@@ -122,6 +122,7 @@ in {
"match:title branchdialog, float on"
"match:class pavucontrol-qt, float on"
"match:class pavucontrol, float on"
"match:class class:^(espanso)$, float on"
# wlogout
"match:class wlogout, fullscreen on"
"match:title wlogout, float on"

6
home/features/desktop/media.nix
View File

@@ -19,22 +19,22 @@ in {
amf
blueberry
ffmpeg_6-full
gimp
gst_all_1.gstreamer
gst_all_1.gst-vaapi
handbrake
inkscape
kdePackages.kdenlive
krita
libation
#makemkv
pamixer
pavucontrol
qpwgraph
v4l-utils
#plexamp
plexamp
# uxplay
# vlc
# webcord
webcord
# yt-dlp
unimatrix
];

4
hosts/common/ports.nix
View File

@@ -18,6 +18,10 @@
wireguard = 51820;
tailscale = 41641;
headscale = 3009;
netbird-stun = 3478;
netbird-proxy = 8443;
netbird-metrics = 9090;
netbird-health = 9000;
# Containers & web apps
gitea = 3030;

1
hosts/m3-ares/services/default.nix
View File

@@ -6,7 +6,6 @@
./postgres.nix
./restic.nix
./sound.nix
./tailscale.nix
./udev.nix
./wireguard.nix
];

12
hosts/m3-ares/services/tailscale.nix
View File

@@ -1,12 +0,0 @@
{config, ...}: {
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets.tailscale-key.path;
useRoutingFeatures = "both";
extraUpFlags = [
"--login-server=https://va.m3tam3re.com"
"--accept-routes"
"--ssh"
];
};
}

18
hosts/m3-atlas/secrets.nix
View File

@@ -11,6 +11,24 @@
littlelink-m3tam3re = {file = ../../secrets/littlelink-m3tam3re.age;};
minio-root-cred = {file = ../../secrets/minio-root-cred.age;};
n8n-env = {file = ../../secrets/n8n-env.age;};
netbird-auth-secret = {
file = ../../secrets/netbird-auth-secret.age;
};
netbird-db-password = {
file = ../../secrets/netbird-db-password.age;
};
netbird-encryption-key = {
file = ../../secrets/netbird-encryption-key.age;
};
netbird-dashboard-env = {
file = ../../secrets/netbird-dashboard-env.age;
};
netbird-server-env = {
file = ../../secrets/netbird-server-env.age;
};
netbird-proxy-env = {
file = ../../secrets/netbird-proxy-env.age;
};
paperless-key = {file = ../../secrets/paperless-key.age;};
restreamer-env = {file = ../../secrets/restreamer-env.age;};
searx = {file = ../../secrets/searx.age;};

236
hosts/m3-atlas/services/containers/netbird.nix Normal file
View File

@@ -0,0 +1,236 @@
{
config,
lib,
pkgs,
...
}: let
serviceName = "netbird";
servicePort = config.m3ta.ports.get "netbird";
domain = "v.m3ta.dev";
proxyDomain = "p.m3ta.dev";
ipBase = "10.89.0";
ipOffset = 50;
# Database configuration
dbName = "netbird";
dbUser = "netbird";
dbHost = "${ipBase}.1";
# NetBird config als Nix attribute set
netbirdConfig = {
server = {
listenAddress = ":80";
exposedAddress = "https://${domain}:443";
stunPorts = [3478];
metricsPort = 9090;
healthcheckAddress = ":9000";
logLevel = "info";
logFile = "console";
dataDir = "/var/lib/netbird";
auth = {
issuer = "https://${domain}/oauth2";
localAuthDisabled = true;
signKeyRefreshEnabled = true;
dashboardRedirectURIs = [
"https://${domain}/nb-auth"
"https://${domain}/nb-silent-auth"
];
cliRedirectURIs = ["http://localhost:53000/"];
};
reverseProxy = {
trustedHTTPProxies = ["${ipBase}.1/32"];
};
# Proxy Feature
proxy = {
enabled = true;
domain = proxyDomain;
};
store = {
engine = "postgres";
postgres = {
host = dbHost;
port = 5432;
database = dbName;
username = dbUser;
};
};
};
};
# YAML generieren
yamlFormat = pkgs.formats.yaml {};
configYamlBase = yamlFormat.generate "netbird-config-base.yaml" netbirdConfig;
# Script das Secrets zur Runtime injiziert
configGenScript = pkgs.writeShellScript "netbird-gen-config" ''
set -euo pipefail
AUTH_SECRET=$(cat "$1")
DB_PASSWORD=$(cat "$2")
ENCRYPTION_KEY=$(cat "$3")
${pkgs.yq-go}/bin/yq eval "
.server.authSecret = \"$AUTH_SECRET\" |
.server.store.encryptionKey = \"$ENCRYPTION_KEY\" |
.server.store.postgres.password = \"$DB_PASSWORD\"
" ${configYamlBase}
'';
in {
age.secrets."${serviceName}-auth-secret".file = ../../../../secrets/${serviceName}-auth-secret.age;
age.secrets."${serviceName}-db-password".file = ../../../../secrets/${serviceName}-db-password.age;
age.secrets."${serviceName}-encryption-key".file = ../../../../secrets/${serviceName}-encryption-key.age;
age.secrets."${serviceName}-dashboard-env".file = ../../../../secrets/${serviceName}-dashboard-env.age;
age.secrets."${serviceName}-server-env".file = ../../../../secrets/${serviceName}-server-env.age;
age.secrets."${serviceName}-proxy-env".file = ../../../../secrets/${serviceName}-proxy-env.age;
# Systemd oneshot Service der die Config generiert
systemd.services."${serviceName}-config" = {
description = "Generate NetBird config with secrets";
wantedBy = ["multi-user.target"];
before = ["podman-${serviceName}-server.service"];
requiredBy = ["podman-${serviceName}-server.service"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "netbird-write-config" ''
mkdir -p /var/lib/${serviceName}
${configGenScript} \
${config.age.secrets."${serviceName}-auth-secret".path} \
${config.age.secrets."${serviceName}-db-password".path} \
${config.age.secrets."${serviceName}-encryption-key".path} \
> /var/lib/${serviceName}/config.yaml
chmod 600 /var/lib/${serviceName}/config.yaml
'';
};
};
virtualisation.oci-containers.containers = {
"${serviceName}-dashboard" = {
image = "netbirdio/dashboard:latest";
autoStart = true;
environmentFiles = [config.age.secrets."${serviceName}-dashboard-env".path];
extraOptions = [
"--ip=${ipBase}.${toString ipOffset}"
"--network=web"
];
};
"${serviceName}-server" = {
image = "netbirdio/netbird-server:latest";
autoStart = true;
ports = ["3478:3478/udp"];
environmentFiles = [config.age.secrets."${serviceName}-server-env".path];
volumes = [
"${serviceName}_data:/var/lib/netbird"
"/var/lib/${serviceName}/config.yaml:/etc/netbird/config.yaml:ro"
];
cmd = ["--config" "/etc/netbird/config.yaml"];
extraOptions = [
"--ip=${ipBase}.${toString (ipOffset + 1)}"
"--network=web"
];
};
"${serviceName}-proxy" = {
image = "netbirdio/reverse-proxy:latest";
autoStart = true;
ports = ["51820:51820/udp"];
volumes = [
"${serviceName}_proxy_certs:/certs"
];
environmentFiles = [config.age.secrets."${serviceName}-proxy-env".path];
cmd = [
"--domain=p.m3ta.dev"
"--mgmt=https://${domain}:443"
"--addr=:8443"
"--cert-dir=/certs"
"--acme-certs"
"--trusted-proxies=${ipBase}.1/32"
];
dependsOn = ["${serviceName}-server"];
extraOptions = [
"--ip=${ipBase}.${toString (ipOffset + 2)}"
"--network=web"
];
};
};
services.traefik.dynamicConfigOptions = {
# HTTP Services und Routers
http = {
services = {
"${serviceName}-dashboard".loadBalancer.servers = [
{url = "http://${ipBase}.${toString ipOffset}:80/";}
];
"${serviceName}-server".loadBalancer.servers = [
{url = "http://${ipBase}.${toString (ipOffset + 1)}:80/";}
];
"${serviceName}-server-h2c".loadBalancer.servers = [
{url = "h2c://${ipBase}.${toString (ipOffset + 1)}:80";}
];
};
routers = {
# gRPC (Signal + Management)
"${serviceName}-grpc" = {
rule = "Host(`${domain}`) && (PathPrefix(`/signalexchange.SignalExchange/`) || PathPrefix(`/management.ManagementService/`) || PathPrefix(`/management.ProxyService/`))";
entrypoints = "websecure";
tls.certResolver = "godaddy";
service = "${serviceName}-server-h2c";
priority = 100;
};
# Backend (relay, WebSocket, API, OAuth2)
"${serviceName}-backend" = {
rule = "Host(`${domain}`) && (PathPrefix(`/relay`) || PathPrefix(`/ws-proxy/`) || PathPrefix(`/api`) || PathPrefix(`/oauth2`))";
entrypoints = "websecure";
tls.certResolver = "godaddy";
service = "${serviceName}-server";
priority = 100;
};
# Dashboard (catch-all, niedrigste Priorität)
"${serviceName}-dashboard" = {
rule = "Host(`${domain}`)";
entrypoints = "websecure";
tls.certResolver = "godaddy";
service = "${serviceName}-dashboard";
priority = 1;
};
};
};
# TCP für Proxy TLS Passthrough
tcp = {
services."${serviceName}-proxy-tls".loadBalancer.servers = [
{address = "${ipBase}.${toString (ipOffset + 2)}:8443";}
];
routers."${serviceName}-proxy-passthrough" = {
entryPoints = ["websecure"];
rule = "HostSNI(`*`)";
service = "${serviceName}-proxy-tls";
priority = 1;
tls.passthrough = true;
};
};
# ServersTransport für Proxy Protocol v2 (optional)
serversTransports."pp-v2" = {
proxyProtocol.version = 2;
};
};
networking.firewall.allowedUDPPorts = [
3478 # STUN
51820 # WireGuard für Proxy
];
}

4
hosts/m3-atlas/services/default.nix
View File

@@ -3,15 +3,13 @@
./containers
./gitea.nix
./gitea-actions-runner.nix
./headscale.nix
./minio.nix
./mysql.nix
./n8n.nix
./outline.nix
./netbird.nix
./paperless.nix
./postgres.nix
./searx.nix
./tailscale.nix
./traefik.nix
./vaultwarden.nix
./wastebin.nix

118
hosts/m3-atlas/services/headscale.nix
View File

@@ -1,118 +0,0 @@
{
config,
lib,
pkgs,
...
}: {
# Define a new option for the admin user
options.services.headscale = {
adminUser = lib.mkOption {
type = lib.types.str;
default = "m3tam3re@m3ta.loc";
description = "Username for the headscale admin user";
};
};
config = let
adminUser = config.services.headscale.adminUser;
aclConfig = {
# Groups definition
groups = {
"group:admins" = ["${adminUser}"];
};
acls = [
# Allow all connections within the tailnet
{
action = "accept";
src = ["*"];
dst = ["*:*"];
}
# Allow admin to connect to their own services
{
action = "accept";
src = ["${adminUser}"];
dst = ["${adminUser}:*"];
}
];
# Auto-approvers section for routes
autoApprovers = {
routes = {
"0.0.0.0/0" = ["${adminUser}"];
"10.0.0.0/8" = ["${adminUser}"];
"192.168.0.0/16" = ["${adminUser}"];
};
exitNode = ["${adminUser}"];
};
};
# Convert to HuJSON format with comments
aclHuJson = ''
// Headscale ACL Policy - Generated by NixOS
// Admin user: ${adminUser}
${builtins.toJSON aclConfig}
'';
aclFile = pkgs.writeText "acl-policy.hujson" aclHuJson;
in {
services = {
headscale = {
enable = true;
adminUser = "m3tam3re@m3ta.loc";
port = 3009;
settings = {
server_url = "https://va.m3tam3re.com";
dns = {
base_domain = "m3ta.loc";
nameservers.global = ["8.8.8.8"];
};
logtail.enabled = false;
policy.path = "${aclFile}";
};
};
};
# Create a systemd service to ensure the admin user exists
systemd.services.headscale-ensure-admin = lib.mkIf config.services.headscale.enable {
description = "Ensure Headscale admin user exists";
after = ["headscale.service"];
requires = ["headscale.service"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = "headscale";
Group = "headscale";
};
script = ''
# Check if user exists and create if needed
if ! ${pkgs.headscale}/bin/headscale users list | grep -q "${adminUser}"; then
echo "Creating headscale admin user: ${adminUser}"
${pkgs.headscale}/bin/headscale users create "${adminUser}"
else
echo "Headscale admin user ${adminUser} already exists"
fi
'';
};
# Traefik configuration for headscale
services.traefik.dynamicConfigOptions.http = {
services.headscale.loadBalancer.servers = [
{
url = "http://localhost:3009/";
}
];
routers.headscale = {
rule = "Host(`va.m3tam3re.com`)";
tls = {
certResolver = "godaddy";
};
service = "headscale";
entrypoints = "websecure";
};
};
};
}

10
hosts/m3-atlas/services/n8n.nix
View File

@@ -1,8 +1,16 @@
{config, ...}: {
{
config,
lib,
...
}: {
services.n8n = {
enable = true;
environment.WEBHOOK_URL = "https://wf.m3tam3re.com";
};
# Temporary fix for upstream module
systemd.services.n8n.serviceConfig.LoadCredential = lib.mkForce [];
systemd.services.n8n.environment.N8N_RUNNERS_AUTH_TOKEN_FILE = lib.mkForce null;
systemd.services.n8n.serviceConfig = {
EnvironmentFile = ["${config.age.secrets.n8n-env.path}"];
};

33
hosts/m3-atlas/services/outline.nix
View File

@@ -1,33 +0,0 @@
{
services.outline = {
enable = true;
port = 3019;
publicUrl = "https://ol.m3ta.dev";
databaseUrl = "postgresql://outline:outline@127.0.0.1:5432/outline";
storage = {
storageType = "local";
};
};
systemd.services.outline.serviceConfig = {
Environment = [
"PGSSLMODE=disable"
];
};
# Traefik configuration specific to littlelink
services.traefik.dynamicConfigOptions.http = {
services.outline.loadBalancer.servers = [
{
url = "http://localhost:3019/";
}
];
routers.outline = {
rule = "Host(`ol.m3ta.dev`)";
tls = {
certResolver = "godaddy";
};
service = "outline";
entrypoints = "websecure";
};
};
}

1
hosts/m3-atlas/services/postgres.nix
View File

@@ -26,6 +26,7 @@
# Podman network connections for Baserow
host baserow baserow 10.89.0.0/24 scram-sha-256
host kestra kestra 10.89.0.0/24 scram-sha-256
host netbird netbird 10.89.0.0/24 scram-sha-256
# Deny all other connections
local all all reject

28
hosts/m3-atlas/services/tailscale.nix
View File

@@ -1,28 +0,0 @@
{
config,
lib,
pkgs,
...
}: {
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets.tailscale-key.path;
useRoutingFeatures = "both";
extraUpFlags = [
"--login-server=${config.services.headscale.settings.server_url}"
"--advertise-exit-node"
"--accept-routes"
"--ssh=true"
];
};
services.networkd-dispatcher = lib.mkIf config.services.tailscale.enable {
enable = true;
rules."50-tailscale" = {
onState = ["routable"];
script = ''
NETDEV=$(ip -o route get 8.8.8.8 | cut -f 5 -d " ")
${pkgs.ethtool}/bin/ethtool -K "$NETDEV" rx-udp-gro-forwarding on rx-gro-list off
'';
};
};
}

8
hosts/m3-kratos/services/default.nix
View File

@@ -1,22 +1,24 @@
{
{pkgs, ...}: {
imports = [
./containers
./mem0.nix
./n8n.nix
./postgres.nix
./sound.nix
./tailscale.nix
./udev.nix
./wireguard.nix
];
services = {
hypridle.enable = true;
espanso = {
enable = true;
package = pkgs.espanso-wayland;
};
printing.enable = true;
gvfs.enable = true;
trezord.enable = true;
gnome.gnome-keyring.enable = true;
qdrant.enable = true;
stirling-pdf.enable = true;
avahi = {
enable = true;
nssmdns4 = true;

7
hosts/m3-kratos/services/n8n.nix
View File

@@ -1,12 +1,13 @@
{
{lib, ...}: {
services.n8n = {
enable = true;
openFirewall = true;
};
systemd.services.n8n = {
environment = {
N8N_SECURE_COOKIE = "false";
N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = "false";
};
};
# Temporary fix for upstream module
systemd.services.n8n.serviceConfig.LoadCredential = lib.mkForce [];
systemd.services.n8n.environment.N8N_RUNNERS_AUTH_TOKEN_FILE = lib.mkForce null;
}

13
hosts/m3-kratos/services/tailscale.nix
View File

@@ -1,13 +0,0 @@
{config, ...}: {
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets.tailscale-key.path;
useRoutingFeatures = "both";
extraUpFlags = [
"--login-server=https://va.m3tam3re.com"
"--accept-routes"
"--ssh"
"--reset"
];
};
}

6
secrets.nix
View File

@@ -21,6 +21,12 @@ in {
"secrets/kestra-env.age".publicKeys = systems ++ users;
"secrets/minio-root-cred.age".publicKeys = systems ++ users;
"secrets/n8n-env.age".publicKeys = systems ++ users;
"secrets/netbird-auth-secret.age".publicKeys = systems ++ users;
"secrets/netbird-db-password.age".publicKeys = systems ++ users;
"secrets/netbird-encryption-key.age".publicKeys = systems ++ users;
"secrets/netbird-dashboard-env.age".publicKeys = systems ++ users;
"secrets/netbird-server-env.age".publicKeys = systems ++ users;
"secrets/netbird-proxy-env.age".publicKeys = systems ++ users;
"secrets/paperless-key.age".publicKeys = systems ++ users;
"secrets/ref-key.age".publicKeys = systems ++ users;
"secrets/exa-key.age".publicKeys = systems ++ users;

22
secrets/netbird-auth-secret.age Normal file
View File

@@ -0,0 +1,22 @@
age-encryption.org/v1
-> ssh-ed25519 4NLKrw 8RHoP6X3KpWlot1bjJ7k2RKYucu6QRB8yvtVyj5sEDA
mtffN452PGzO4CcyE0GhFcNwI7fr7Aq3bgaohE6PwEQ
-> ssh-ed25519 5kwcsA 3232LkSUcKzcW+ZMnKL8rqDYK933OA8RqnRxy7lRGAo
ZexaJBmpEkalgIc0/xCVN/7kF70KcKDXi3jJb+AWR/8
-> ssh-ed25519 9d4YIQ L1LGlKGk6l5ajdoG0B7vVdO/6rBwRQsK8mV/vz8DLmI
6lRnaGFyykil752Vctnd8W1qNATuQv069BAiYU0vg6U
-> ssh-ed25519 3Bcr1w PzlTqlD68Wdxct/8S59FDWPWQPpw0WpIBVYh4eIkP3I
wM2Y9/kpr+X1Q1b6QdFP2R25FsLl2zEFZltieraOWps
-> ssh-rsa DQlE7w
bm/GpjLWe9QONNTgC6U1jPQOkh0in5iOSfl15kYrWPMf1YDdLoM8vMBium8ph61o
UmgLZ5/vcaZYnxwTA7Bgc8+JJrsWyU9WJZa1eK63Y/ARLyt3FCWSkPl2XJUgYMC1
feH9f05PkPaK1aIVn4EpUlaoDbBHUEhnzgDRAXAGKpDcKJvthTXMD7iYgeyIuXv5
jy7mRSlSfp4BddXEghVuI48sBoc9FZKL8FW75vPLkb2NJfGYqwp+ObJG2sSGJPp2
57/BL/9/Gny5AuKnT1ATU18zZZ+RBCJGllwFpwTM21FQJUlE8mchHURxdARbeRAq
HvcG+lHbQzpqwdIMY9KuqtuxeIGeXjWDmrzy8ELzbRnawibnVLBPPB1eUecngub6
qtUYBNgHVDFwEEIKj3+YVAf/Aqn9KJnGpvt2PtEs9vMIgHlDZUl8ZgTned5UT+xi
sEAHWFO94HfhOSH5FjySQspr3h4Iuq9JG1mO0nJZlTH7F4fV+ORP0yj3ZKgN58Bl
--- OkS1vA83+ysvD8XdKZKhUCJtkidazlyykV3DPx+hHnQ
Ê®RvŸd´þÜ,½VˆýÝ×É\\
SénܼìG

BIN
secrets/netbird-dashboard-env.age Normal file
View File

Binary file not shown.

BIN
secrets/netbird-db-password.age Normal file
View File

Binary file not shown.

21
secrets/netbird-encryption-key.age Normal file
View File

@@ -0,0 +1,21 @@
age-encryption.org/v1
-> ssh-ed25519 4NLKrw NLamAuw7V60OB3MTyRALKoCnLxgM6SiCqOg/XS+yEVI
aemlH3y+fSUZwTKn/liurPIK80wa99Dh0EMWSKCfdu0
-> ssh-ed25519 5kwcsA sC0jWG6Hrphab3Za9qlQuToasQACdtvhdQrvHRQrdkA
mmI/Le4sgd4+0M64c9v0yKomytRPo8ZYZCp86kilSaw
-> ssh-ed25519 9d4YIQ rTv0fzkzVdH5FmdQtlJsLrvt/gO/ZIjVJ5TTbf19fSk
TMCl0zEUEd5z1MHr/2uimJPrW26FRavMsGJHevXh/uo
-> ssh-ed25519 3Bcr1w oWeZqIZsrgmbFvbJgGZEzy/xcT+ic/1eVo8r2tgMLRc
0L67L46LpOQteobHmwZMka+rGHZmhH6YvOj6NpXHRm4
-> ssh-rsa DQlE7w
AaW55WhemFjgE4y92rtKTD0QnttwEdfk3siGRA26/igwWxawqgr6eejNAGtyyVZp
BcUyzGIR4oo7f6NU8ArcHvycMBIxKVUazJQ9tS02gjQCor+w8Ts578VDYp16SxGd
FuporQIEuVIVhBaRmm5p4SepUfJ8+wGPz/YXLnmt4bCvf0xZw+AsXGLuZeGIMJsW
PQqFZsn7dpB8PPJ7tcAYFb4QX2bE3gmNIja5gUSaOV6mn2FYAU8cFDrfuUIhSHqU
2pWFBv4s7P1N7iKQmAnveG539jyXgzC2FAWKWG+yWuM0yg/wK5owaHNHOt2LXUsb
rNdacOJFJWykBqvM89dk+vY9RkbZsjLuKAZlNnxVcklCOw3pdGEJZvknZudJ2cGv
S9aE+3mqn4T91cIgO9XvXEjMxGUquDjDAQu7vSaBcwAZN9nUaGg/mq4UaYmqAVOr
4BZmrnU1HCJ4vxCAcLZ5t0F6kXPDgLaQ67HzNkRXZzauzbxCTwmrvpxPjMQyStg0
--- PtWD49Fm8l/54CB8q3L1vHD5EAu4EWp7j4p5lIM9wg4
ÆaýÞÿK(¿ÎþÈ!Åò³8´“ýcp ¥MiVÑo 'ˆR~`7`3¤`lIobè_]Ú„¡5€$¦À>Lxyvp;ìÝ{Þ8NóÒ¤wÿ

21
secrets/netbird-proxy-env.age Normal file
View File

@@ -0,0 +1,21 @@
age-encryption.org/v1
-> ssh-ed25519 4NLKrw z/cBQjeEEhzQCSOweODXfH1+u0x4fPFzMmuJ60sT6Vk
7fA+XIqnsXFHlCD5w8s0ttHRYijt0/97PtJrx/xNVeA
-> ssh-ed25519 5kwcsA p/tSvBiYUFw1CEypUFkZkan6Fg4cTpy4vT7weDAtZQI
zcphfvNyNUa0XYmVrIA7qTJ4btWD/LwZoGv8i3pWktU
-> ssh-ed25519 9d4YIQ Xjyuwljm4+dJn/CUP4NgFl4fK1ah4z71rHAVrJ9ggTw
2ae/e/rdDNqt40E29E4qxvkEIC0GWAKX0pMbY7guHn4
-> ssh-ed25519 3Bcr1w Cra9xUKcyk5e0+VrdtCZUuGo/tRhicxlSNHheDfFslw
+AQBO1F8Yk/u0KuQ8uG168m1xOczr+I4kvNIyeHu11o
-> ssh-rsa DQlE7w
qvtWc6kq/Q8W5aBlfj3o0/GFZC2pnyw58rggC//ciWvacz8lVUWSqYbP9JdRg8eK
04UnbS6FyUYRVJuD8hZYF5RRbPFOMzZE69jb2N/B3OnrtCr21ohXluPP3+rH8Egz
pC4ETTJYPuNPG+clEGcEcilLrgrI3ZvajJbDGhAx2kOTN1g3u4SnkSA6b1c5otsX
UAJsDzCOr4eKAdnf2ZGtuhzcrwDb8lCJ0rKz/ZQtWhWXRhYzalrWZHyH5KdMkOTq
ZTrPMLyzAaL3Civv9uZ6cveQp8TGSZHnA5hmz/4lwfMrRcJzJUgjjDdgiNwK34pw
IkInu6D6k5x7kRcFvKcOu8zJUELtXV6/uzswy3uJn9CiQsMC5GSri65iuARIi3JC
nUNxx8yVfUFk+PMoAWLXZ2A3Gd3GQ5tlQNrfcLubnpwHuD7bYMdskkSTktIW+RDj
p4ckgCxRFG4K5sYQEtM5j4mQg+hEKCjQTFzcgRY74AFZepXoWYuQ+d/ExMANPUMi
--- HfrVJutjDYDbddvlCyZ9RNEmgp/dTcjR3y1U+OLZ7Wg
×8<EFBFBD>‰k\í…ß,³vW/²=|:jDœfd#¤ê‰gxIwoïæ~UÛüíé4Ù¶ê…í¨Ô°

24
secrets/netbird-server-env.age Normal file
View File

@@ -0,0 +1,24 @@
age-encryption.org/v1
-> ssh-ed25519 4NLKrw oEe3RAkN0nCoiAEGWBs5NNcqTPqrJfSbsAW3Wg9mG0A
c04EeyHGDUwXrYdwhV37fu/wiAwk7ATBLvs/nAeFpH4
-> ssh-ed25519 5kwcsA D6RT7Az3STvBs+QcPDby/8O6iIH+5k/701einsc/+hc
JBUWr6TSOjjkTlbQuGfu/iaXebdy6wSF1ZMKzETPacw
-> ssh-ed25519 9d4YIQ 4G2u1OgO0LaWDdVqndDb34z9VXC7OyLul1yLEgbKExs
maFwiYmX4p7ZhrxOE9vBs1FH31g+LxuiLY2crzU7K00
-> ssh-ed25519 3Bcr1w omrCT+k8GZoBZnoARMgel08EiRf+f/p6ux5+ERpI0Dk
evobZrcUSxCfOsJUnbxAgWklt7t725TqqsK6z9Jsios
-> ssh-rsa DQlE7w
Ik9Lg9iR2mxmmqiFscIMhCUrmTcr2UgOwf/XjPP1FwM2s4uF10vMFE0iIZxmouDZ
L4Ro7OiLYiXZsiDNQsTu5psmU0mxNEA3pTfr1MDP2dMYbyfe7xKMEmf5tzZr9FzA
3UBs1vWujEaA0CIA94W5hUvmniptmhxe4dMPZQrTX6eCfthfd+Fg07QCVgriO4ry
H2YxeFMlNaG5SSl5CAmanYlbjwCUvQDuIOLH2tqyhKGyMvRBZmLu+moaJ9RBXaUZ
u+1PCanbkhZXoxFo5jVabBWwryUMbz+ZuKsfXX1HZxSO7GPwWiOE4qRP5jvMWR1B
pq1F3zLiutUSWeg4caNRQj9GBD4khN40Z8ZDdcMG/dnWVcyLZ9pZMAbGPCB094Lm
G0bbKZdr78Est0fb5fOcfZgrFD46olFPMqb6e28S0T2mCf0uNuFM3+HsLAHeK188
nN0QtgxWv1ABixcage4EFRIKMZkkqXBJbkErXiHWUOuOBz0lldl9RadbDCuT0yXe
--- 0KbtreSHr3k7839f78+IZVafLFzrXdlpJiJ9afGkV2A
dfë®Ý.è®+2?ÁØõ4ÿ¢ÿ»pl¯vÅèäÏ˵-âŸ3
ØŠ„¬¯B|æT¡ÁëN½giÊò<C38A>?H‚¢@»!X©ÈüJ¹€á¼omï§k­º¥pç4FÝpåY°xÁ•ÜRÛY
ÀZ<‚É|pí]ldÎÐAò1ÿµv
z:˜¢–