update ff search

deploy.sh

@@ -0,0 +1,5 @@
+# usage:
+# $ ./deploy.sh <hostname> <ip>
+# example usage:
+# $ ./deply.sh 109-199-104-83 109.199.104.83
+nix run github:nix-community/nixos-anywhere -- --generate-hardware-config nixos-generate-config ./hardware-configuration.nix --flake .?ref=411ee0c#$1 --target-host root@$2

hardware-configuration.nix

@@ -0,0 +1,24 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

machines.nix

@@ -19,6 +19,9 @@
       # networking
       ./modules/nixos/laptop.nix
 
+      # vpn
+      ./modules/nixos/openvpn-client.nix
+
       # ly display manager
       ./modules/nixos/ly.nix
 
@@ -36,6 +39,7 @@
     modules = [
       # impermanence
       ./modules/nixos/impermanence.nix
+      ./modules/nixos/impermanence-ssh.nix
 
       # hardware configuration
       # verbatim as `nixos-generate-config` AND `system.stateVersion`
@@ -53,23 +57,26 @@
 
       # ssh through port 5522 among other things
       # andromeda@lenovo is the only user allowed access
-      # ./modules/nixos/networking/hard-ssh.nix
+      ./modules/nixos/networking/hard-ssh.nix
-      #./modules/nixos/networking/ssh-as-root.nix
+      ./modules/nixos/networking/ssh-as-root.nix
-      ({config, ...}: {
+      ({config, ...}: {users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];})
-        services.openssh.enable = true;
-        users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];
-      })
 
       # TODO add Impermanence to the following services
 
       # simple-nixos-mailserver email server
       # mail.domain
-      # ./modules/nixos/mailserver.nix
+      ./modules/nixos/mailserver.nix
 
       # roundcube webmail client
       # webmail.domain
-      # ./modules/nixos/roundcube.nix
+      ./modules/nixos/roundcube.nix
 
+      # BROKEN
+      # forgejo
+      # git.domain
+      # ./modules/nixos/forgejo.nix
+
+      # BROKEN
       # zulip chat client
       # chat.domain
       # zulip chat server

modules/nixos/boot/109-199-104-83.nix

@@ -3,4 +3,7 @@
     efiSupport = true;
     efiInstallAsRemovable = true;
   };
+  age.identityPaths = [
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+  ];
 }

modules/nixos/forgejo.nix

@@ -0,0 +1,27 @@
+{config, ...}: {
+  services.nginx = {
+    virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        client_max_body_size 512M
+      '';
+      locations."/".proxyPass = "https://localhost:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+    };
+  };
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    lfs.enable = true;
+    settings = {
+      server = rec {
+        DOMAIN = "git.galaxious.de";
+        ROOT_URL = "https://${DOMAIN}";
+        HTTP_PORT = 4043;
+        SSH_PORT = 4022;
+      };
+      service.DISABLE_REGISTRATION = false;
+    };
+  };
+  services.openssh.ports = [config.services.forgejo.settings.server.SSH_PORT];
+}

modules/nixos/mailserver.nix

@@ -28,4 +28,12 @@
     acceptTerms = true;
     defaults.email = "mtgmonket@gmail.com";
   };
+  environment.persistence."/persist" = {
+    directories = [
+      "/var/dkim"
+      "/var/vmail"
+      "/var/lib/redis-rspamd"
+      "/var/lib/acme"
+    ];
+  };
 }

modules/nixos/openvpn-client.nix

@@ -0,0 +1,8 @@
+{lib, ...}: {
+  services.openvpn.servers = {
+    "173.249.5.230" = {config = ''config /etc/openvpn-confs/173.249.5.230.ovpn'';};
+  };
+  networking.enableIPv6 = lib.mkForce false;
+  environment.persistence."/persist".directories = ["/etc/openvpn-confs"];
+  boot.kernelParams = ["ipv6.disable=1"];
+}

modules/nixos/roundcube.nix

@@ -9,4 +9,8 @@
       $config['smtp_pass'] = "%p";
     '';
   };
+  environment.persistence."/persist".directories = [
+    "/var/lib/roundcube"
+    "/var/lib/postgresql"
+  ];
 }

pub-keys.nix

@@ -16,7 +16,7 @@
     ssh = {
       andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
       lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
-      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJe5ol56yC23fivSEKeK4HZQm934ROX46AM7o0aE2hMq root@vmi2998419";
+      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINlpE7T8kvfbDtVRpnkr33EVjBkU+yF2IQPbzkbNVFF3 root@109-199-104-83";
     };
   };
 }

secrets/andromeda-pw.age

@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg 4fCTrNibFdjnVfsIbXi6plbd56K8ZDDqtgryXPk2SUA
+-> ssh-ed25519 mT2fyg K7kzILfWN/0BDwr0a2oGiuc3kROPhW79nEFs4Fqm7Uw
-vKlbDi+HpyYlSsN39GRh6GRwdHRSjypCEqguOaHPFDM
+LvTmIvmmBOKsW3wYxI58arafExAaX/VWIjCZ0v9i28Y
--> ssh-ed25519 UHxfvA RqrDa4xJoAy1Gdzvq6Z5eTSNTDtHzUmzRoLC+j+HxiI
+-> ssh-ed25519 UHxfvA FB8alLQWDkoRqIM6l4D39Ty+Wc318JZyjLTthXCIL0s
-+5CohUFSDB9oiLU0T25FKrQrz07DCviVuzZsVcUltOc
+QNAOXZq10TaofYpDflKbywJpQTmzq8lZJEoa6Say+s4
---- SQ5zQx9lL5UdNinOgP6yG5WWiBdhSwFqJVt6u3SNpLA
+--- 9qhHzZQfZFT95v5M2GQHP4ZoAwY8Ba7veV/PRvTX2tQ
-î6<EFBFBD>©ç¥UÛð¦pî<70>‡„øÚúQÙ]ÜNû;K;1yœµ™
+¾tš] ¢äžãQ²Áf&ªë£ëWücùc¸Î¬^,„8Sò2ÃiKX<4B>€ºö<C2BA>€ÇÓKB5éÿW6§*<2A>Åîá:,º<>“ÜÍk<C38D>Êo„u3–œ…;Òä E¸Ti<54>9&*oßqÞ'qáB

secrets/mailserver-acc-admin-pw.age

@@ -1,9 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg Lt6EG5R9iQWuD/eDXM+vsablwqCn7wUBKFuNO3qcq04
+-> ssh-ed25519 mT2fyg UXZa4za31eYxaMdKZQnbSy6Gnld5iyhco1MFm1tCjhQ
-07jSpN+5/CJFCaBAEVB5TYqLEnGj8Fbt6z3qIVSijqU
+WzLHMSOIAEWY5bJTznbsyRtBGqWqCCEtPDgM26BmRsw
--> ssh-ed25519 UHxfvA 8iIyIoZxJUYrvL9DFmleATVYs0TSZvPjSFqxSWYnVFs
+-> ssh-ed25519 UHxfvA vXmE9DfcfytziqECkPp0yJ7+e+n3Mmi9ETBsOYoyyxY
-XDQQGlQXJqjjAqslyfJerVATPIO4vCxTPRWOcBuF7f8
+wA7omrsIg/6TVmHGvayhNviNzaYL9TgfyPeuIBpV1Mw
--> ssh-ed25519 Xoin5w tE8Tx9cSJH+4eJoEpG8CVf9+C1WrurERvGG0kOLatG4
+-> ssh-ed25519 j/PduQ 2xFdyoJrD7A5qL5b1BfmJpJIfkfd6V6iCU3hcex1OGw
-YUUPvg6Ev3+7idthbcUeLeRZ+iE8yp+uirJojSt1gVg
+P09BqDmI1TKVBqgcSyKuzJ+dHh6l1YMekA3jY19/bc8
---- FamPgM9+DjHiHQBkCmPaHe9aLLXIL3ZPCUtmtEtNOAI
+--- Grh8z8mJg0r73NihegyvcukrpcrJZT4bhqsKKrOvTNA
-Õ‘žâ}ƒ_rT6ÖUwzù|–<ÿ_Ñø®¬×5 ®û!~‹N<E280B9>ácǦi<>*þE<10>M?H?›QSbùàÀòâ\ŠÛ<C5A0>‰ÑzèK	?zŒÕ;¦×R¶JpËÒ¶í‡É´só蔈œy›Ä
+¼
+^áÇcjpMCÏæDìÅÀ%è
õøÛŒ{sçF¸‰<C2B8>žø'~¶ä@ëøËDu$×	ò<>ZšöÓ„¶‰zòJ•PN
?7³T@‹Ÿk-_y×É‘Í•ïÐý§ï£C“MìPl

secrets/mailserver-acc-zulip+admin-pw.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg JsKjySZOoC/xK6HFjgBSYumrg/Ak7EBjYCqa9uszXGo
+-> ssh-ed25519 mT2fyg FHuYkPGH3UL3O34LIx8cDhJIWfskCN7UVG3AdWiKg1o
-daQvoxsqkxA4OClbWm4YHes5zkky8wikEKg94ceeNWw
+eR7vCHJDwKKM046yFTZ+ZNjGGEo4/OiYWGxME7Px30g
--> ssh-ed25519 UHxfvA yDtvX6SqI9HFN3v1teeRfVicMXpS0fYLiyxe391kIHY
+-> ssh-ed25519 UHxfvA 7mvZu454XNEa23FzE8QQ5vIfl2PTixieAhwtjS2kKBM
-xpYokiMmAlFbZHuOIqxKeGXtgiB9yOvRquI8OY5mdqE
+nX+3S24PR5ymH6XYbITgNG3AS98OzkVYs0b2tcEkpYE
--> ssh-ed25519 Xoin5w 9ND7dZoaaLXVu7VN3fYF6bZa23QpCr29b4DNIOSRi2Q
+-> ssh-ed25519 j/PduQ ivvo7z0GMBIeApn1fSNkrKBAI9vrzV3kOshH9KTRCkg
-L6oOEQ8XSZZuQyfxPwgGYycMqAKfslEtFRJbBHbomoY
+G1qrQfYKoaYyFXplnr7itkU9fT7SEe96UuWGYz5qoak
---- ewcxsNTgXUy+wlZ3MiSC2KYO0BowGOAn/JvvV7x3pBc
+--- cifQaIuyTN6u6GWRVqui2qjQqQSYgEYKJlFY1g54y78
-ýVÖ5aƒ›Ð.°B'Kì¸7¹ì²LR9h`™<>€ƒÕ·<C395>Iúéª
+ŒëËV1;ÁkiïbÚ¸¦g”Á¸n6.ðNüRR ¢›gÛ|yPöѾPRfq'‡÷F%å™a"lÊ;É+ÛMÄí’Üv¥ùáý¥&¤¬ƒêP ï#— Ù
-8cˆ%)ÅÛ£Ö5³‡<C2B3>ä¾ä©ÕKLR¢˜yÞ199Y?©v’Û’¼‘2<E28098>ЖKûfãºÔ<C2BA>!€©{3‚)æ,

users/andromeda/home.nix

@@ -91,6 +91,91 @@ in {
       };
     };
     fastfetch.enable = true;
+    firefox = {
+      enable = true;
+      package = pkgs.firefox.override {
+        cfg.enableTridactylNative = true;
+      };
+      profiles.${config.home.username} = {
+        extensions.packages = [
+          pkgs.nur.repos.rycee.firefox-addons.tridactyl
+        ];
+        search = {
+          default = "repos";
+          privateDefault = "ddghtml";
+          order = [
+            "wiki"
+            "options"
+            "packages"
+            "repos"
+          ];
+          engines = {
+            "packages" = {
+              urls = [
+                {
+                  template = "https://search.nixos.org/packages";
+                  params = [
+                    {
+                      name = "channel";
+                      value = "unstable";
+                    }
+                    {
+                      name = "query";
+                      value = "{searchTerms}";
+                    }
+                  ];
+                }
+              ];
+            };
+
+            "options" = {
+              urls = [
+                {
+                  template = "https://search.nixos.org/options";
+                  params = [
+                    {
+                      name = "channel";
+                      value = "unstable";
+                    }
+                    {
+                      name = "query";
+                      value = "{searchTerms}";
+                    }
+                  ];
+                }
+              ];
+            };
+
+            "wiki" = {
+              urls = [
+                {
+                  template = "https://wiki.nixos.org/w/index.php";
+                  params = [
+                    {
+                      name = "search";
+                      value = "{searchTerms}";
+                    }
+                  ];
+                }
+              ];
+            };
+
+            "repos" = {
+              template = "https://html.duckduckgo.com/html/";
+              params = [
+                {
+                  name = "q";
+                  value = "{searchTerms}+(site:*.gitlab.org OR site:github.com OR site:git.mtgmonkey.net OR site:sr.ht)";
+                }
+              ];
+            };
+          };
+        };
+        settings = {
+          "extensions.autoDisableScopes" = 0;
+        };
+      };
+    };
     git = {
       enable = true;
       settings = {
@@ -103,15 +188,6 @@ in {
     };
     gh.enable = true;
     home-manager.enable = true;
-    firefox = {
-      enable = true;
-      package = pkgs.firefox.override {
-        cfg.enableTridactylNative = true;
-      };
-      profiles.${config.home.username}.extensions.packages = [
-        pkgs.nur.repos.rycee.firefox-addons.tridactyl
-      ];
-    };
     lsd.enable = true;
     nvf = {
       enable = true;