persist /etc/ssh

deploy.sh

@@ -0,0 +1,5 @@
+# usage:
+# $ ./deploy.sh <hostname> <ip>
+# example usage:
+# $ ./deply.sh 109-199-104-83 109.199.104.83
+nix run github:nix-community/nixos-anywhere -- --generate-hardware-config nixos-generate-config ./hardware-configuration.nix --flake .?ref=411ee0c#$1 --target-host root@$2

hardware-configuration.nix

@@ -0,0 +1,24 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

machines.nix

@@ -19,6 +19,9 @@
       # networking
       ./modules/nixos/laptop.nix
 
+      # vpn
+      ./modules/nixos/openvpn-client.nix
+
       # ly display manager
       ./modules/nixos/ly.nix
 
@@ -36,6 +39,7 @@
     modules = [
       # impermanence
       ./modules/nixos/impermanence.nix
+      ./modules/nixos/impermanence-ssh.nix
 
       # hardware configuration
       # verbatim as `nixos-generate-config` AND `system.stateVersion`
@@ -53,23 +57,24 @@
 
       # ssh through port 5522 among other things
       # andromeda@lenovo is the only user allowed access
-      # ./modules/nixos/networking/hard-ssh.nix
+      ./modules/nixos/networking/hard-ssh.nix
-      #./modules/nixos/networking/ssh-as-root.nix
+      ./modules/nixos/networking/ssh-as-root.nix
-      ({config, ...}: {
+      ({config, ...}: {users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];})
-        services.openssh.enable = true;
-        users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];
-      })
-
-      # TODO add Impermanence to the following services
 
       # simple-nixos-mailserver email server
       # mail.domain
-      # ./modules/nixos/mailserver.nix
+      ./modules/nixos/mailserver.nix
 
       # roundcube webmail client
       # webmail.domain
-      # ./modules/nixos/roundcube.nix
+      ./modules/nixos/roundcube.nix
 
+      # BROKEN
+      # forgejo
+      # git.domain
+      # ./modules/nixos/forgejo.nix
+
+      # BROKEN
       # zulip chat client
       # chat.domain
       # zulip chat server

modules/nixos/boot/109-199-104-83.nix

@@ -3,4 +3,7 @@
     efiSupport = true;
     efiInstallAsRemovable = true;
   };
+  age.identityPaths = [
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+  ];
 }

modules/nixos/forgejo.nix

@@ -0,0 +1,27 @@
+{config, ...}: {
+  services.nginx = {
+    virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        client_max_body_size 512M
+      '';
+      locations."/".proxyPass = "https://localhost:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+    };
+  };
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    lfs.enable = true;
+    settings = {
+      server = rec {
+        DOMAIN = "git.galaxious.de";
+        ROOT_URL = "https://${DOMAIN}";
+        HTTP_PORT = 4043;
+        SSH_PORT = 4022;
+      };
+      service.DISABLE_REGISTRATION = false;
+    };
+  };
+  services.openssh.ports = [config.services.forgejo.settings.server.SSH_PORT];
+}

modules/nixos/mailserver.nix

@@ -28,4 +28,12 @@
     acceptTerms = true;
     defaults.email = "mtgmonket@gmail.com";
   };
+  environment.persistence."/persist" = {
+    directories = [
+      "/var/dkim"
+      "/var/vmail"
+      "/var/lib/redis-rspamd"
+      "/var/lib/acme"
+    ];
+  };
 }

modules/nixos/openvpn-client.nix

@@ -0,0 +1,8 @@
+{lib, ...}: {
+  services.openvpn.servers = {
+    "173.249.5.230" = {config = ''config /etc/openvpn-confs/173.249.5.230.ovpn'';};
+  };
+  networking.enableIPv6 = lib.mkForce false;
+  environment.persistence."/persist".directories = ["/etc/openvpn-confs"];
+  boot.kernelParams = ["ipv6.disable=1"];
+}

modules/nixos/roundcube.nix

@@ -9,4 +9,8 @@
       $config['smtp_pass'] = "%p";
     '';
   };
+  environment.persistence."/persist".directories = [
+    "/var/lib/roundcube"
+    "/var/lib/postgresql"
+  ];
 }

pub-keys.nix

@@ -16,7 +16,7 @@
     ssh = {
       andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
       lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
-      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJe5ol56yC23fivSEKeK4HZQm934ROX46AM7o0aE2hMq root@vmi2998419";
+      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINlpE7T8kvfbDtVRpnkr33EVjBkU+yF2IQPbzkbNVFF3 root@109-199-104-83";
     };
   };
 }

secrets/andromeda-pw.age

@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg 4fCTrNibFdjnVfsIbXi6plbd56K8ZDDqtgryXPk2SUA
+-> ssh-ed25519 mT2fyg K7kzILfWN/0BDwr0a2oGiuc3kROPhW79nEFs4Fqm7Uw
-vKlbDi+HpyYlSsN39GRh6GRwdHRSjypCEqguOaHPFDM
+LvTmIvmmBOKsW3wYxI58arafExAaX/VWIjCZ0v9i28Y
--> ssh-ed25519 UHxfvA RqrDa4xJoAy1Gdzvq6Z5eTSNTDtHzUmzRoLC+j+HxiI
+-> ssh-ed25519 UHxfvA FB8alLQWDkoRqIM6l4D39Ty+Wc318JZyjLTthXCIL0s
-+5CohUFSDB9oiLU0T25FKrQrz07DCviVuzZsVcUltOc
+QNAOXZq10TaofYpDflKbywJpQTmzq8lZJEoa6Say+s4
---- SQ5zQx9lL5UdNinOgP6yG5WWiBdhSwFqJVt6u3SNpLA
+--- 9qhHzZQfZFT95v5M2GQHP4ZoAwY8Ba7veV/PRvTX2tQ
-<EFBFBD>6<EFBFBD><16><0B><>U<EFBFBD><EFBFBD><EFBFBD>p<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Q<>]<5D>N<EFBFBD>;K;1y<31><79><EFBFBD>
+<EFBFBD>t<EFBFBD>]<13><><EFBFBD><EFBFBD><EFBFBD>Q<EFBFBD><51>f&<26><><EFBFBD><EFBFBD>W<EFBFBD>c<7F>c<EFBFBD>ά^,<2C>8S<38>2<EFBFBD>iKX<4B><58><EFBFBD><EFBFBD><EFBFBD><12><><0B>KB5<42><35>W6<57>*<2A><EFBFBD><EFBFBD><EFBFBD>:,<EFBFBD><EFBFBD><EFBFBD><EFBFBD><05>k<EFBFBD>Êo<C38A>u3<75><33><EFBFBD>;<1D><><EFBFBD>E<EFBFBD>Ti<54>9&*o<>q<06>'q<>B

secrets/mailserver-acc-admin-pw.age

@@ -1,9 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg Lt6EG5R9iQWuD/eDXM+vsablwqCn7wUBKFuNO3qcq04
+-> ssh-ed25519 mT2fyg UXZa4za31eYxaMdKZQnbSy6Gnld5iyhco1MFm1tCjhQ
-07jSpN+5/CJFCaBAEVB5TYqLEnGj8Fbt6z3qIVSijqU
+WzLHMSOIAEWY5bJTznbsyRtBGqWqCCEtPDgM26BmRsw
--> ssh-ed25519 UHxfvA 8iIyIoZxJUYrvL9DFmleATVYs0TSZvPjSFqxSWYnVFs
+-> ssh-ed25519 UHxfvA vXmE9DfcfytziqECkPp0yJ7+e+n3Mmi9ETBsOYoyyxY
-XDQQGlQXJqjjAqslyfJerVATPIO4vCxTPRWOcBuF7f8
+wA7omrsIg/6TVmHGvayhNviNzaYL9TgfyPeuIBpV1Mw
--> ssh-ed25519 Xoin5w tE8Tx9cSJH+4eJoEpG8CVf9+C1WrurERvGG0kOLatG4
+-> ssh-ed25519 j/PduQ 2xFdyoJrD7A5qL5b1BfmJpJIfkfd6V6iCU3hcex1OGw
-YUUPvg6Ev3+7idthbcUeLeRZ+iE8yp+uirJojSt1gVg
+P09BqDmI1TKVBqgcSyKuzJ+dHh6l1YMekA3jY19/bc8
---- FamPgM9+DjHiHQBkCmPaHe9aLLXIL3ZPCUtmtEtNOAI
+--- Grh8z8mJg0r73NihegyvcukrpcrJZT4bhqsKKrOvTNA
-Ց<EFBFBD><EFBFBD>}<7D>_rT6<54>Uwz<77>|<7C><<3C>_<EFBFBD><0F><><EFBFBD><EFBFBD>5<><35><EFBFBD>!~<>N<EFBFBD><18>cǦi<>*<2A>E<10>M?H?<3F>QSb<53><62><EFBFBD><EFBFBD><EFBFBD>\<5C>۝<EFBFBD><DB9D>z<>K	?z<><7A>;<1C><>R<EFBFBD>Jp<4A>Ҷ<><D2B6>ɴs<C9B4>蔈<EFBFBD>y<EFBFBD><EFBFBD>
+<EFBFBD>
+^<5E><>cjpMC<0B><>D<03><><EFBFBD>%<25>
<01><13>ی{s<>F<><46><EFBFBD><EFBFBD><EFBFBD>'~<07><>@<40><><EFBFBD>Du$<24>	<09><>Z<EFBFBD><02>ӄ<1C><>z<EFBFBD>J<EFBFBD>PN
?7<>T@<40><>k-_y<5F>ɑ<EFBFBD><><7F><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>C<13>M<EFBFBD>Pl

secrets/mailserver-acc-zulip+admin-pw.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg JsKjySZOoC/xK6HFjgBSYumrg/Ak7EBjYCqa9uszXGo
+-> ssh-ed25519 mT2fyg FHuYkPGH3UL3O34LIx8cDhJIWfskCN7UVG3AdWiKg1o
-daQvoxsqkxA4OClbWm4YHes5zkky8wikEKg94ceeNWw
+eR7vCHJDwKKM046yFTZ+ZNjGGEo4/OiYWGxME7Px30g
--> ssh-ed25519 UHxfvA yDtvX6SqI9HFN3v1teeRfVicMXpS0fYLiyxe391kIHY
+-> ssh-ed25519 UHxfvA 7mvZu454XNEa23FzE8QQ5vIfl2PTixieAhwtjS2kKBM
-xpYokiMmAlFbZHuOIqxKeGXtgiB9yOvRquI8OY5mdqE
+nX+3S24PR5ymH6XYbITgNG3AS98OzkVYs0b2tcEkpYE
--> ssh-ed25519 Xoin5w 9ND7dZoaaLXVu7VN3fYF6bZa23QpCr29b4DNIOSRi2Q
+-> ssh-ed25519 j/PduQ ivvo7z0GMBIeApn1fSNkrKBAI9vrzV3kOshH9KTRCkg
-L6oOEQ8XSZZuQyfxPwgGYycMqAKfslEtFRJbBHbomoY
+G1qrQfYKoaYyFXplnr7itkU9fT7SEe96UuWGYz5qoak
---- ewcxsNTgXUy+wlZ3MiSC2KYO0BowGOAn/JvvV7x3pBc
+--- cifQaIuyTN6u6GWRVqui2qjQqQSYgEYKJlFY1g54y78
-<08>V<EFBFBD>5a<35><61><EFBFBD>.<2E>B'K<><4B>7<EFBFBD><37><17>LR9h`<60><>€<EFBFBD>շ<>I<EFBFBD><EFBFBD><EFBFBD>
+<EFBFBD><EFBFBD><EFBFBD>V1;<19>ki<6B>bڸ<62>g<><67><EFBFBD>n6.<2E>N<EFBFBD>RR <20><06>g<EFBFBD>|yP<1B>ѾPRfq'<08><>F%<25><>a"l<1D>;<3B>+<2B>M<EFBFBD><4D><EFBFBD><EFBFBD>v<EFBFBD><76><EFBFBD><EFBFBD><0E>&<26><><EFBFBD><EFBFBD>P<EFBFBD><0B>#<23><EFBFBD><EFBFBD>
-8c<EFBFBD>%)<29>ۣ<EFBFBD>5<EFBFBD><35><EFBFBD><1C><1E><><EFBFBD><EFBFBD>KLR<4C><52>y<EFBFBD>199Y?<3F>v<EFBFBD><1E><16><><EFBFBD>2<EFBFBD>ЖK<D096>f<02><>ԏ!<21><>{3<>)<29>,

users/andromeda/home.nix

@@ -91,6 +91,91 @@ in {
       };
     };
     fastfetch.enable = true;
+    firefox = {
+      enable = true;
+      package = pkgs.firefox.override {
+        cfg.enableTridactylNative = true;
+      };
+      profiles.${config.home.username} = {
+        extensions.packages = [
+          pkgs.nur.repos.rycee.firefox-addons.tridactyl
+        ];
+        search = {
+          default = "repos";
+          privateDefault = "ddghtml";
+          order = [
+            "wiki"
+            "options"
+            "packages"
+            "repos"
+          ];
+          engines = {
+            "packages" = {
+              urls = [
+                {
+                  template = "https://search.nixos.org/packages";
+                  params = [
+                    {
+                      name = "channel";
+                      value = "unstable";
+                    }
+                    {
+                      name = "query";
+                      value = "{searchTerms}";
+                    }
+                  ];
+                }
+              ];
+            };
+
+            "options" = {
+              urls = [
+                {
+                  template = "https://search.nixos.org/options";
+                  params = [
+                    {
+                      name = "channel";
+                      value = "unstable";
+                    }
+                    {
+                      name = "query";
+                      value = "{searchTerms}";
+                    }
+                  ];
+                }
+              ];
+            };
+
+            "wiki" = {
+              urls = [
+                {
+                  template = "https://wiki.nixos.org/w/index.php";
+                  params = [
+                    {
+                      name = "search";
+                      value = "{searchTerms}";
+                    }
+                  ];
+                }
+              ];
+            };
+
+            "repos" = {
+              template = "https://html.duckduckgo.com/html/";
+              params = [
+                {
+                  name = "q";
+                  value = "{searchTerms}+(site:*.gitlab.org OR site:github.com OR site:git.mtgmonkey.net OR site:sr.ht)";
+                }
+              ];
+            };
+          };
+        };
+        settings = {
+          "extensions.autoDisableScopes" = 0;
+        };
+      };
+    };
     git = {
       enable = true;
       settings = {
@@ -103,15 +188,6 @@ in {
     };
     gh.enable = true;
     home-manager.enable = true;
-    firefox = {
-      enable = true;
-      package = pkgs.firefox.override {
-        cfg.enableTridactylNative = true;
-      };
-      profiles.${config.home.username}.extensions.packages = [
-        pkgs.nur.repos.rycee.firefox-addons.tridactyl
-      ];
-    };
     lsd.enable = true;
     nvf = {
       enable = true;