diff --git a/nixos/modules/borg-server.nix b/nixos/modules/borg-server.nix index e498cd1..594f356 100644 --- a/nixos/modules/borg-server.nix +++ b/nixos/modules/borg-server.nix @@ -39,14 +39,6 @@ in path = "${cfg.path}/gorgon"; quota = "1T"; }; - "stolas" = { - allowSubRepos = false; - authorizedKeysAppendOnly = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINC/mVYd3o7oA0dsA58CgkqR40CSfeuU+rikleSrSXFz dadada@gorgon" - ]; - path = "${cfg.path}/stolas"; - quota = "1T"; - }; "surgat" = { allowSubRepos = false; authorizedKeysAppendOnly = [ diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index b72f6be..04fd504 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix @@ -4,7 +4,6 @@ imports = [ ../modules/profiles/laptop.nix ./disks.nix - # TODO ./paperless.nix ]; boot = { @@ -33,7 +32,7 @@ luks.devices = { root = { # TODO - device = "/dev/disk/by-uuid/TODO"; + device = "/dev/disk/by-uuid/todo"; allowDiscards = true; # TODO lanzaboote + TPM2 unlock with PIN https://www.freedesktop.org/software/systemd/man/251/systemd-cryptenroll.html#--tpm2-with-pin=BOOL #crypttabExtraOpts = [ "fido2-device=auto" ]; @@ -86,11 +85,13 @@ settings.max-jobs = lib.mkDefault 16; }; - dadada.backupClient.backup1.enable = true; - dadada.backupClient.backup2 = { - enable = true; - repo = "u355513-sub5@u355513-sub5.your-storagebox.de:/home/backup"; - }; + # TODO dadada.backupClient.backup1.enable = true; + # dadada.backupClient.backup2 = { + # enable = true; + # passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path; + # sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path; + # repo = "u355513-subX@u355513-subX.your-storagebox.de:/home/backup"; + # }; programs = { adb.enable = true; @@ -116,6 +117,11 @@ enable = true; browsing = true; }; + paperless = { + # TODO migrate DB + enable = true; + passwordFile = config.age.secrets.paperless.path; + }; tlp.enable = false; }; 
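Review bot: In the `@@ -86,11 +85,13 @@` hunk of nixos/stolas/default.nix both `dadada.backupClient` entries end up commented out, so this host has no configured backup until the TODO is resolved. The commented template reads `config.age.secrets."${config.networking.hostName}-backup-passphrase".path`, while the same commit removes `backupSecrets "stolas"` and the `stolas` key from secrets/secrets.nix and the `"stolas"` repo from borg-server.nix, so uncommenting it as written will not evaluate. I would record the prerequisites in the comment, e.g. `# TODO re-enable after re-adding the stolas host key, backupSecrets "stolas" and the borg-server repo`. The deleted `.age` files remain in git history for anyone holding the old recipient keys, so the new passphrase and SSH key should be generated fresh rather than restored.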
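Review bot: `passwordFile = config.age.secrets.paperless.path;` in the `@@ -116,6 +117,11 @@` hunk depends on a secret this host must be able to decrypt, and this commit drops the `stolas` recipient from secrets/secrets.nix. The `age.secrets.paperless` declaration and its recipient list are not visible in the diff, so please confirm the secret is keyed to this host's current key before `enable = true` is deployed; otherwise activation presumably fails or the service starts without its password file. A comment next to `passwordFile` such as `# requires the paperless age secret to list this host's key as a recipient` would capture the dependency.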
@@ -123,6 +129,19 @@ stateVersion = "25.05"; }; + systemd.tmpfiles.rules = + let + cfg = config.services.paperless; + in + [ + ( + if cfg.consumptionDirIsPublic then + "d '${cfg.consumptionDir}' 777 - - - -" + else + "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -" + ) + ]; + systemd.services = { modem-manager.enable = lib.mkForce false; "dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false; diff --git a/nixos/stolas/disks.nix b/nixos/stolas/disks.nix index 3ecb67d..6b07f9b 100644 --- a/nixos/stolas/disks.nix +++ b/nixos/stolas/disks.nix @@ -25,6 +25,7 @@ mountOptions = [ "umask=0077" ]; }; }; + # TODO tmpfs for nix/var/nix/builds luks = { size = "100%"; content = { diff --git a/nixos/stolas/paperless.nix b/nixos/stolas/paperless.nix deleted file mode 100644 index 7591f0a..0000000 --- a/nixos/stolas/paperless.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ config }: -{ - services.paperless = { - # TODO migrate DB - enable = true; - passwordFile = config.age.secrets.paperless.path; - }; - systemd.tmpfiles.rules = - let - cfg = config.services.paperless; - in - [ - ( - if cfg.consumptionDirIsPublic then - "d '${cfg.consumptionDir}' 777 - - - -" - else - "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -" - ) - ]; -} diff --git a/secrets/secrets.nix b/secrets/secrets.nix index a3255e1..1da186e 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -7,7 +7,6 @@ let ninurta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8TDCzjVVO7A4k6rp+srMj0HHc5gmUOlskTBOvhMkEc root@nixos"; pruflas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqZHu5ygTODgrNzcU9C2O+b8yCfVsnztV83qxXV4aA8 root@pruflas"; surgat = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOJ9UgAle5sX0pAawfRztckVwaQm2U8o0Bawv7cZfXE root@surgat"; - stolas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV1LSH8jeMnXJ/eqhJCebbwxenJmxNoeB6UGrBmRjZk root@stolas"; }; backupSecrets = hostName: { "${hostName}-backup-passphrase.age".publicKeys = [ 
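Review bot: The `consumptionDirIsPublic` branch in the `@@ -123,6 +129,19 @@` hunk creates the paperless consumption directory with mode `777` and no sticky bit, so any local account can delete or swap files that other users placed there before paperless ingests them. If a world-writable drop directory is intended, `"d '${cfg.consumptionDir}' 1777 ${cfg.user} ${config.users.users.${cfg.user}.group} - -"` keeps it writable for everyone, restricts removal to each file's owner, and lets the service, as directory owner, still remove ingested files. The rule is moved unchanged from the deleted paperless.nix. It may also duplicate what the nixpkgs paperless module already sets up for this directory, which is worth checking before keeping it.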
@@ -89,4 +88,3 @@ in // backupSecrets "pruflas" // backupSecrets "surgat" // backupSecrets "agares" -// backupSecrets "stolas" diff --git a/secrets/stolas-backup-passphrase.age b/secrets/stolas-backup-passphrase.age deleted file mode 100644 index ff9d514..0000000 --- a/secrets/stolas-backup-passphrase.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 OgKXZA A8XAP2YQw/CnN//rHPM9m9p1A/l4IiWV1Qhc9+RHdxQ -mcpcULPCQUMtoCiTwiAU2AXD5UVrQkF5LxZqCJ3VEMA --> ssh-ed25519 Otklkw UzdSM3CCvzQ4owHWWmrBfiC6NuBAu0onns6s4nlR9Vs -UQ4TBW/4O5rVi0xpS2lAS6M7zgUcWtGlXeL+i748KYE ---- tqrtKyZVDght0KJQZDSDVdnEL38KZjPA2xZ3LjeKlI0 -2lC@(N3-igaH?~Fnqc ɝ<ۼ#F7aB%&t}vr_< \ No newline at end of file diff --git a/secrets/stolas-backup-ssh-key.age b/secrets/stolas-backup-ssh-key.age deleted file mode 100644 index cb98c8d..0000000 --- a/secrets/stolas-backup-ssh-key.age +++ /dev/null @@ -1,8 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 OgKXZA gTx4Ozd2BU13T8GpiBxSCZdjAwJ/zb10xqW62QMTwms -M9y1f/ndVYnujqIDo0rocQEX/8Isg0vn97mQm8K83iE --> ssh-ed25519 Otklkw 2hyKMpf/Z8wgBowMgxwb77cj9B5b0/a7q4hq3CxWp0M -jFLwfV72isKUdtr5m2n5303KZiJDKTJny9koUOHLLLg ---- GQfIExiJTJEQTnesTVqF3X7AcorV+SH8TQ9uo5xLwso -u`6^|&Q[KPFAƇшU*n55Ozv傺-C0r;6JC={'@Ժ9O'b#Rw-(؊RjF[=uD3vڝ5bWxiz͢={S; r.O2|jtOrpK297Y/?8&pP:g