gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 04:19:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(nginx): remove meaningless address bits

Browse source
This commit is contained in:
arcnmx 2024-05-01 10:07:42 -07:00
parent 12ca25421c
commit e2a091e17a
8 changed files with 482 additions and 256 deletions
Download patch file Download diff file Expand all files Collapse all files

238
modules/nixos/access.nix
View file

@ -1,238 +0,0 @@
{
pkgs,
config,
lib,
...
}: let
inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkOptionDefault;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.lists) optionals;
inherit (lib.strings) concatStringsSep optionalString;
inherit (config.services) tailscale;
inherit (config) networking;
cfg = config.networking.access;
cidrModule = {config, ...}: {
options = with lib.types; {
all = mkOption {
type = listOf str;
readOnly = true;
};
v4 = mkOption {
type = listOf str;
default = [];
};
v6 = mkOption {
type = listOf str;
default = [];
};
};
config.all = mkOptionDefault (
config.v4
++ optionals networking.enableIPv6 config.v6
);
};
in {
options.networking.access = with lib.types; {
cidrForNetwork = mkOption {
type = attrsOf (submodule cidrModule);
default = {};
};
localaddrs = {
enable =
mkEnableOption "localaddrs"
// {
default = networking.firewall.interfaces.local.nftables.enable;
};
stateDir = mkOption {
type = path;
default = "/var/lib/localaddrs";
};
reloadScript = mkOption {
type = path;
readOnly = true;
};
nftablesInclude = mkOption {
type = lines;
readOnly = true;
};
};
};
config.networking.access = {
cidrForNetwork = {
loopback = {
v4 = [
"127.0.0.0/8"
];
v6 = [
"::1"
];
};
local = {
v4 = [
"10.1.1.0/24"
];
v6 = [
"fd0a::/64"
"fe80::/64"
];
};
int = {
v4 = [
"10.9.1.0/24"
];
v6 = [
"fd0c::/64"
];
};
tail = mkIf tailscale.enable {
v4 = [
"100.64.0.0/10"
];
v6 = [
"fd7a:115c:a1e0::/96"
"fd7a:115c:a1e0:ab12::/64"
];
};
allLan = {
v4 = cfg.cidrForNetwork.loopback.v4
++ cfg.cidrForNetwork.local.v4
++ cfg.cidrForNetwork.int.v4;
v6 = cfg.cidrForNetwork.loopback.v6
++ cfg.cidrForNetwork.local.v6
++ cfg.cidrForNetwork.int.v6;
};
allLocal = {
v4 = mkMerge [
cfg.cidrForNetwork.allLan.v4
(mkIf tailscale.enable cfg.cidrForNetwork.tail.v4)
];
v6 = mkMerge [
cfg.cidrForNetwork.allLan.v6
(mkIf tailscale.enable cfg.cidrForNetwork.tail.v6)
];
};
};
localaddrs = {
nftablesInclude = mkBefore (''
define localrange6 = 2001:568::/29
''
+ optionalString cfg.localaddrs.enable ''
include "${cfg.localaddrs.stateDir}/*.nft"
'');
reloadScript = let
localaddrs-reload = pkgs.writeShellScript "localaddrs-reload" ''
${config.systemd.package}/bin/systemctl reload localaddrs 2>/dev/null ||
${config.systemd.package}/bin/systemctl restart localaddrs ||
true
'';
in "${localaddrs-reload}";
};
moduleArgAttrs = {
inherit (cfg) cidrForNetwork localaddrs;
mkSnakeOil = pkgs.callPackage ../../packages/snakeoil.nix {};
};
};
config.networking = {
nftables.ruleset = mkBefore cfg.localaddrs.nftablesInclude;
firewall = {
interfaces.local = {
nftables.conditions = [
"ip saddr { ${concatStringsSep ", " (cfg.cidrForNetwork.local.v4 ++ cfg.cidrForNetwork.int.v4)} }"
(
mkIf networking.enableIPv6
"ip6 saddr { $localrange6, ${concatStringsSep ", " (cfg.cidrForNetwork.local.v6 ++ cfg.cidrForNetwork.int.v6)} }"
)
];
};
};
};
config.systemd.services = let
localaddrs = pkgs.writeShellScript "localaddrs" ''
set -eu
getaddrs() {
local PREFIX=$1 PATTERN=$2 IPADDRS
IPADDRS=$(${pkgs.iproute2}/bin/ip -o addr show to "$PREFIX") || return $?
IPADDRS=$(printf '%s\n' "$IPADDRS" | ${pkgs.gnugrep}/bin/grep -o "$PATTERN") || return $?
if [[ -z $IPADDRS ]]; then
return 1
fi
printf '%s\n' "$IPADDRS"
}
getaddrs4() {
getaddrs 10.1.1.0/24 '[0-9]*\.[0-9.]*/[0-9]*'
}
getaddrs6() {
getaddrs 2001:568::/29 '[0-9a-f:]*:[0-9a-f:]*/[0-9]*'
}
mkdir -p $STATE_DIRECTORY
if LOCALADDRS4=$(getaddrs4); then
printf '%s\n' "$LOCALADDRS4" > $STATE_DIRECTORY/localaddrs4
else
echo WARNING: localaddr4 not found >&2
fi
if LOCALADDRS6=$(getaddrs6); then
echo "$LOCALADDRS6" > $STATE_DIRECTORY/localaddrs6
else
echo WARNING: localaddr6 not found >&2
fi
'';
localaddrs-nftables = pkgs.writeShellScript "localaddrs-nftables" ''
set -eu
LOCALADDR6=$(head -n1 "${cfg.localaddrs.stateDir}/localaddrs6" || true)
if [[ -n $LOCALADDR6 ]]; then
printf 'redefine localrange6 = %s\n' "$LOCALADDR6" > ${cfg.localaddrs.stateDir}/ranges.nft
fi
'';
localaddrs-nginx = pkgs.writeShellScript "localaddrs-nginx" ''
set -eu
LOCALADDR6=$(head -n1 "${cfg.localaddrs.stateDir}/localaddrs6" || true)
if [[ -n $LOCALADDR6 ]]; then
printf 'allow %s;\n' "$LOCALADDR6" > ${cfg.localaddrs.stateDir}/allow.nginx.conf
fi
LOCALADDR4=$(head -n1 "${cfg.localaddrs.stateDir}/localaddrs4" || true)
if [[ -n $LOCALADDR4 ]]; then
printf 'allow %s;\n' "$LOCALADDR4" >> ${cfg.localaddrs.stateDir}/allow.nginx.conf
fi
'';
in {
localaddrs = mkIf cfg.localaddrs.enable {
unitConfig = {
After = ["network-online.target"];
};
serviceConfig = rec {
StateDirectory = "localaddrs";
ExecStart = mkMerge [
["${localaddrs}"]
(mkIf networking.nftables.enable (mkAfter [
"${localaddrs-nftables}"
]))
(mkIf config.services.nginx.enable (mkAfter [
"${localaddrs-nginx}"
]))
];
ExecReload = ExecStart;
Type = "oneshot";
RemainAfterExit = true;
};
};
nftables = mkIf (networking.nftables.enable && cfg.localaddrs.enable) rec {
wants = ["localaddrs.service"];
serviceConfig = {
ExecReload = mkBefore [
"+${cfg.localaddrs.reloadScript}"
];
};
};
nginx = mkIf (config.services.nginx.enable && cfg.localaddrs.enable) rec {
wants = ["localaddrs.service"];
after = wants;
serviceConfig = {
ExecReload = mkBefore [
"+${cfg.localaddrs.reloadScript}"
];
};
};
};
}

116
modules/nixos/access/cidr.nix Normal file
View file

@ -0,0 +1,116 @@
{
pkgs,
config,
lib,
...
}: let
inherit (lib.modules) mkIf mkMerge mkOptionDefault;
inherit (lib.options) mkOption;
inherit (lib.lists) optionals;
inherit (lib.strings) concatStringsSep;
inherit (config.services) tailscale;
inherit (config) networking;
cfg = config.networking.access;
cidrModule = {config, ...}: {
options = with lib.types; {
all = mkOption {
type = listOf str;
readOnly = true;
};
v4 = mkOption {
type = listOf str;
default = [];
};
v6 = mkOption {
type = listOf str;
default = [];
};
};
config.all = mkOptionDefault (
config.v4
++ optionals networking.enableIPv6 config.v6
);
};
in {
options.networking.access = with lib.types; {
cidrForNetwork = mkOption {
type = attrsOf (submodule cidrModule);
default = {};
};
};
config.networking.access = {
cidrForNetwork = {
loopback = {
v4 = [
"127.0.0.0/8"
];
v6 = [
"::1"
];
};
local = {
v4 = [
"10.1.1.0/24"
];
v6 = [
"fd0a::/64"
"fe80::/64"
];
};
int = {
v4 = [
"10.9.1.0/24"
];
v6 = [
"fd0c::/64"
];
};
tail = mkIf tailscale.enable {
v4 = [
"100.64.0.0/10"
];
v6 = [
"fd7a:115c:a1e0::/96"
"fd7a:115c:a1e0:ab12::/64"
];
};
allLan = {
v4 = cfg.cidrForNetwork.loopback.v4
++ cfg.cidrForNetwork.local.v4
++ cfg.cidrForNetwork.int.v4;
v6 = cfg.cidrForNetwork.loopback.v6
++ cfg.cidrForNetwork.local.v6
++ cfg.cidrForNetwork.int.v6;
};
allLocal = {
v4 = mkMerge [
cfg.cidrForNetwork.allLan.v4
(mkIf tailscale.enable cfg.cidrForNetwork.tail.v4)
];
v6 = mkMerge [
cfg.cidrForNetwork.allLan.v6
(mkIf tailscale.enable cfg.cidrForNetwork.tail.v6)
];
};
};
moduleArgAttrs = {
inherit (cfg) cidrForNetwork;
mkSnakeOil = pkgs.callPackage ../../../packages/snakeoil.nix {};
};
};
config.networking = {
firewall = {
interfaces.local = {
nftables.conditions = [
"ip saddr { ${concatStringsSep ", " (cfg.cidrForNetwork.local.v4 ++ cfg.cidrForNetwork.int.v4)} }"
(
mkIf networking.enableIPv6
"ip6 saddr { ${concatStringsSep ", " (cfg.cidrForNetwork.local.v6 ++ cfg.cidrForNetwork.int.v6)} }"
)
];
};
};
};
}

166
modules/nixos/access/local.nix Normal file
View file

@ -0,0 +1,166 @@
{
pkgs,
config,
lib,
...
}: let
inherit (lib.modules) mkIf mkMerge mkBefore mkAfter;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.strings) optionalString;
inherit (config) networking;
cfg = config.networking.access.localaddrs;
in {
options.networking.access.localaddrs = with lib.types; {
enable =
mkEnableOption "localaddrs"
// {
default = networking.firewall.interfaces.local.nftables.enable;
};
stateDir = mkOption {
type = path;
default = "/var/lib/localaddrs";
};
reloadScript = mkOption {
type = path;
readOnly = true;
};
nftablesInclude = mkOption {
type = lines;
readOnly = true;
};
};
config.networking.access = {
localaddrs = {
nftablesInclude = mkBefore (''
define localrange6 = 2001:568::/29
''
+ optionalString cfg.enable ''
include "${cfg.stateDir}/*.nft"
'');
reloadScript = let
localaddrs-reload = pkgs.writeShellScript "localaddrs-reload" ''
${config.systemd.package}/bin/systemctl reload localaddrs 2>/dev/null ||
${config.systemd.package}/bin/systemctl restart localaddrs ||
true
'';
in "${localaddrs-reload}";
};
moduleArgAttrs = {
inherit (cfg) localaddrs;
};
};
config.networking = {
nftables.ruleset = mkIf cfg.enable (mkBefore cfg.nftablesInclude);
firewall = {
interfaces.local = {
nftables.conditions = mkIf (cfg.enable && networking.enableIPv6) [ "ip6 saddr $localrange6" ];
};
};
};
config.systemd.services = let
localaddrs = pkgs.writeShellScript "localaddrs" ''
set -eu
getaddrs() {
local PREFIX=$1 PATTERN=$2 IPADDRS
IPADDRS=$(${pkgs.iproute2}/bin/ip -o addr show to "$PREFIX") || return $?
IPADDRS=$(printf '%s\n' "$IPADDRS" | ${pkgs.gnugrep}/bin/grep -o "$PATTERN") || return $?
if [[ -z $IPADDRS ]]; then
return 1
fi
printf '%s\n' "$IPADDRS"
}
getaddrs4() {
getaddrs 10.1.1.0/24 '[0-9]*\.[0-9.]*/[0-9]*'
}
getaddrs6() {
getaddrs 2001:568::/29 '[0-9a-f:]*:[0-9a-f:]*/[0-9]*'
}
stripcidr() {
local IPADDR
while read -r IPADDR; do
if [[ $IPADDR = ?*:?*:?*:?*:?*:?*:?*:?*/64 ]]; then
echo ''${IPADDR%:?*:?*:?*:?*/64}::/64
elif [[ $IPADDR = ?*:?*:?*:?*::*/64 ]] || [[ $IPADDR = ?*::?*:?*:?*:?*/64 ]]; then
echo ''${IPADDR%::*/64}::/64
elif [[ $IPADDR = *.*.*.*/24 ]]; then
echo "''${IPADDR%.*/24}.0/24"
else
echo "WARNING: localaddrs failed to parse CIDR: $IPADDR" >&2
echo "$IPADDR"
fi
done
}
mkdir -p $STATE_DIRECTORY
if LOCALADDRS4=$(getaddrs4); then
printf '%s\n' "$LOCALADDRS4" > $STATE_DIRECTORY/localaddrs4
stripcidr <<<"$LOCALADDRS4" > $STATE_DIRECTORY/localcidrs4
else
echo WARNING: localaddr4 not found >&2
fi
if LOCALADDRS6=$(getaddrs6); then
echo "$LOCALADDRS6" > $STATE_DIRECTORY/localaddrs6
stripcidr <<<"$LOCALADDRS6" > $STATE_DIRECTORY/localcidrs6
else
echo WARNING: localaddr6 not found >&2
fi
'';
localaddrs-nftables = pkgs.writeShellScript "localaddrs-nftables" ''
set -eu
LOCALADDR6=$(head -n1 "${cfg.stateDir}/localcidrs6" || true)
if [[ -n $LOCALADDR6 ]]; then
printf 'redefine localrange6 = %s\n' "$LOCALADDR6" > ${cfg.stateDir}/ranges.nft
fi
'';
localaddrs-nginx = pkgs.writeShellScript "localaddrs-nginx" ''
set -eu
LOCALADDR6=$(head -n1 "${cfg.stateDir}/localcidrs6" || true)
if [[ -n $LOCALADDR6 ]]; then
printf 'allow %s;\n' "$LOCALADDR6" > ${cfg.stateDir}/allow.nginx.conf
fi
LOCALADDR4=$(head -n1 "${cfg.stateDir}/localcidrs4" || true)
if [[ -n $LOCALADDR4 ]]; then
printf 'allow %s;\n' "$LOCALADDR4" >> ${cfg.stateDir}/allow.nginx.conf
fi
'';
in {
localaddrs = mkIf cfg.enable {
unitConfig = {
After = ["network-online.target"];
};
serviceConfig = rec {
StateDirectory = "localaddrs";
ExecStart = mkMerge [
["${localaddrs}"]
(mkIf networking.nftables.enable (mkAfter [
"${localaddrs-nftables}"
]))
(mkIf config.services.nginx.enable (mkAfter [
"${localaddrs-nginx}"
]))
];
ExecReload = ExecStart;
Type = "oneshot";
RemainAfterExit = true;
};
};
nftables = mkIf (networking.nftables.enable && cfg.enable) {
wants = ["localaddrs.service"];
serviceConfig = {
ExecReload = mkBefore [
"+${cfg.reloadScript}"
];
};
};
nginx = mkIf (config.services.nginx.enable && cfg.enable) rec {
wants = ["localaddrs.service"];
after = wants;
serviceConfig = {
ExecReload = mkBefore [
"+${cfg.reloadScript}"
];
};
};
};
}

53
modules/nixos/access/peeps.nix Normal file
View file

@ -0,0 +1,53 @@
{
config,
options,
lib,
...
}: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
inherit (lib.attrsets) mapAttrsToList mapAttrs' nameValuePair;
inherit (lib.strings) concatStringsSep;
inherit (config) networking;
cfg = config.networking.access.peeps;
mkSopsName = name: "access-peeps-nft-${name}";
mkNftName = name: "peeps_${name}6";
hasSops = options ? sops.secrets;
in {
options.networking.access.peeps = with lib.types; {
enable = mkEnableOption "peeps" // { default = hasSops; };
ranges = mkOption {
type = attrsOf str;
default = { };
};
stateDir = mkOption {
type = path;
default = "/run/access/peeps";
};
};
config.${if hasSops then "sops" else null}.secrets = let
sopsFile = mkDefault ../../../nixos/secrets/access.yaml;
sopsSecrets = mapAttrs' (name: _: nameValuePair (mkSopsName name) {
inherit sopsFile;
path = mkDefault "${cfg.stateDir}/${name}.nft";
}) cfg.ranges;
in mkIf cfg.enable sopsSecrets;
config.networking = let
nftRanges = mapAttrsToList (name: range: let
nft = "define ${mkNftName name} = ${range}";
in mkBefore nft) cfg.ranges;
condition = "ip6 saddr { ${concatStringsSep "," (mapAttrsToList (name: _: "$" + mkNftName name) cfg.ranges)} }";
in {
nftables.ruleset = mkIf cfg.enable (mkMerge (
nftRanges
++ [ (mkBefore ''include "${cfg.stateDir}/*.nft"'') ]
));
firewall.interfaces.peeps = {
nftables.enable = cfg.enable;
nftables.conditions = [
(mkIf (cfg.enable && networking.enableIPv6) condition)
];
};
};
}

13
nixos/minecraft/bedrock.nix
View file

@ -18,10 +18,12 @@ in {
tree-capitator-rs.package = addons.definitive-tree-capitator-rs; tree-capitator-rs.package = addons.definitive-tree-capitator-rs;
}; };
allowPlayers = let allowPlayers = let
base = 2535460000000000; base = 2535420000000000;
nums = 1760;
in { in {
Kyxna.xuid = base + 4308966797; Kyxna.xuid = base + 44308966797;
arcnmx.xuid = base + 13399068799; arcnmx.xuid = base + 413399068799;
"ConnieHeart${toString (base / 1000000000000 + nums)}".xuid = base + 417602225;
}; };
}; };
systemd.services.minecraft-bedrock-server = mkIf cfg.enable { systemd.services.minecraft-bedrock-server = mkIf cfg.enable {
@ -35,9 +37,10 @@ in {
users.${cfg.user}.uid = 913; users.${cfg.user}.uid = 913;
groups.${cfg.group}.gid = config.users.users.${cfg.user}.uid; groups.${cfg.group}.gid = config.users.users.${cfg.user}.uid;
}; };
networking.firewall.interfaces.local = let networking.firewall.interfaces = let
ports = [ cfg.serverProperties.server-port cfg.serverProperties.server-portv6 ]; ports = [ cfg.serverProperties.server-port cfg.serverProperties.server-portv6 ];
in mkIf cfg.enable { in mkIf cfg.enable {
allowedUDPPorts = ports; local.allowedUDPPorts = ports;
peeps.allowedUDPPorts = ports;
}; };
} }

120
nixos/secrets/access.yaml Normal file
View file

@ -0,0 +1,120 @@
access-peeps-nft-connieallure: ENC[AES256_GCM,data:K+Mjtc/23sseniuQg9GyklMkvRh2VZFFQHGsw6MWMYgpriX6KI3o0V+0upoxrXzDHtNE/Hp/OHE=,iv:Oo0fIUHkXFeQA6jyyTCInsQYM9x7B9ZbkAyBQSt86Xk=,tag:v87P8BXfvqJcn9qKUM0CQw==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIVlJmVTFKZVJ6Z3V0K0tS
clgyNEtMRlVKM2RybDNnN0Nja0Y0NTJKT2l3CmRXZHVHWTExUmVNVCswTm1JYkNi
QjhKWmp4dnZxVmJBdFQrYXdqT2NrbzgKLS0tIGM3Qk5VYWkvelllQmxMOFNZbTkw
djJMVjVqbWhvdzhlVW05Y0JvM3FHQzQKmhFhntjjR0fikS7b//dLSvdtkRyT3AMr
u8RSg4QpvejOTRKfJ8vsv2b654b37QrnLdFwgByzluJr1ETG92vLIA==
-----END AGE ENCRYPTED FILE-----
- recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5QjdtczlwOUJDUkc1QU8r
dDRBNXRZS3Avc09kVy96cHE0OTZwWDg1Z2hRClA4K2xyNjNkM1YrTU9xZE14Wnh6
ZlhFK29tS3dUMkx2QTU4VzEwek03SzAKLS0tIG5vVnUwMWlGc0xmREtIR1ZMNW04
T29GMHdaRWV2VTRiUXJMRzdpdTBFTXMKx7aF3X5XfNdXEJIhBRxwdXh8lOXOH+et
2RcBNIsQURLBfZQ9rK/Hoy39+S3sKO6ECytAI+jqhEEVnNppUtonVQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age15hmlkd9p5rladsjzpmvrh6u34xvggu9mzdsdxdj3ms43tltxeuhq4g7g9k
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArVDdGRmNrUFJwSCtYU0NW
eFViTmVhMlZKTVdGWlg3dy9wcDJhVDFkOG5NCkFHUUlmRkNYbVVqVFBNOSsvK1VG
c2pVV2FmK3Frc3dpSjBEd3oxRkpVd1UKLS0tIDNiWXlidVo3ZmFEMS9NSVFEMGc1
bHA4Z0hGS3QvUkpVUVlTQnlGMkd1aEUK3yP5WzCUZeeLDTHNyVe2zIk4tKZOx59o
w8NTaXRYGkQp0BAc0pKv1IGRP/wQBgUElhWnfTsMbzG2+Aey+lrj8Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWXF2MUFtZUNtOTJaTG9a
RVJkS0l2cU0reEJIdHI2QkkzMU1CUC83S2t3ClU4MDhGVEJ0VEF2cGEyUXkyUmQw
YXhZNFNHUmJqQVRjOUtrV2JqdXhPbGsKLS0tIGdzQ1h2LzdLNk1pbGZjWU5POUEz
QTRwdURiS1o0YTNmMGlNdElIR0xicXMKHCnCa4KxEAmdOkbcWVz0i3BUJ1uSeZvr
ZosXjnKNZYWBqijECwWFAPkxdLRXsJs9RDq0di7qTGYhjQAH+pTvTg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbkdsSFZObE9GZERzZm1x
RVZGR0tCMklmaTM2RnZKSEdMZGNlOFc4VkNrCkRUTC9FQjkwdkltQnh0V0ZVYlor
T1BHeVBzdkZpbm91RmlyRFIxUHRucW8KLS0tIG5iM2ppRmJuVWtORG9GQlVxbjNJ
UWh1dXlmSnZ5aEdNN2p2bEk2L3ppZGMKVBYG9SessgUOz6BzvNE/s0iSaDawSSyl
vcs+Cp+JAEFZWO6V7F6dpb65tl1Ua/0vEAXc3uwRbtW2IVyIYTmVeA==
-----END AGE ENCRYPTED FILE-----
- recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2SU9sSitRRzQyV2FZczhB
UDBBVGVwUXozZDBUamdpcnhvekI3UG9Kb0Z3ClFYWlZPZWhGbHYreHEwdmk5SnAv
blVLbFBocUtTTmFmMXZyY1c4c2hxWVkKLS0tIElFTUdXbDM0WEhjVGlPU3BxQVRO
djF6R2kyYjY5OWV5NjFTQm5wUXJYMncKDu4SczknbAduRIdhsyM6zY++ad6vs6ej
S92xI6Av9lluES0kDEEyJZYqqoJOjXVLBKfBQFVwmX1su7P/XCOHxA==
-----END AGE ENCRYPTED FILE-----
- recipient: age13qgddr326g5je0fpq2r3k940vsr3fh9nlvl9xtcxk3xg2x0k3vsq7pvzaj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2VURXbFJpclIzRnFybnps
MS81ZXNKcjRkYncrY2dIN0JoUTc1MGVnbGxNCmY1UityMFdlMm9IQlgwRmg1NE1z
ZTVWTS9VQmVGRGI1S2huWm1zWmxvNGMKLS0tIExaTDlmVGN0T1BnUkdKdE5ZUkZY
SFQ4OG9pYU4zUGJzZE5ieCt3bVdLUkUKVFZ2l7ggSN8QwEIN0uRX/Tn2vrsmTvxo
/l3hh3YFNM2QY9Z5rtoV1jSsTFLUrRUNsY94FUNOzk6F3HIArC9AIQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ktmx2szedfnpe5xumnzs8vkk0ffqgga6ved3drtksg9pye6ndsnsnqq488
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ejJaTU1nOXBZZDBmVnhw
dWd3dWhrbWFVTWVJNUlBaVc1RlRBemFzL2pVCktYdXBjeTZPR0lGK3VKcGFDSmZH
M1VISFlQOXZ1c0JqTFhSSzR4VGh0Q0EKLS0tIGsxVk8zQVJDc1JNRVQ1RlcvWFNx
V2VrSWMzcG12TFYyMXFDRm1KK3VVQ2cKfTEG/qGly/ypBfEYEYviAcjGudfvyjZx
OT6MOITYPW+1lrU871lM7VZJJTKjnFQV2df1Ca5YQNSW9EzrWcgtcg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-01T16:50:29Z"
mac: ENC[AES256_GCM,data:humfCS9LaB0pcAObLZH+8huTED1/eW6ZtR7PVZ33JPrTJhc9ttorbsfsVPGjsd52I0RT4cNNk9iRDGSqNvgCP+BdvOyILDRA0kxKvF3XLX76Iw0v5jWlPBUts0Hi5ch9Mzn5abN/w3E/5D7z1OMQN11kroJtVpnQMdPDza/qK4g=,iv:UNHN2BYkC0AShqtB7gRLIBYqYwASqVbYhA2RC1dSWYE=,tag:Qo/1LczVrlTHFvWkCG3GIw==,type:str]
pgp:
- created_at: "2024-05-01T16:36:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UAQ//cm9rYFWc99F9A9X2U/Qg/44MZhuthrxiRtZ7IUECn+rv
JTUhQTe5p2l+CxKznCef1+L03aP1Iqh86YDrEO+d01HG6/NSt4gyViXw9suJM913
bdcZUz9YHpvyvsoSLaawxI3upqJykKx1ZhVgnMkJCewZ7IsEoMRlv9U1ofxzbGBC
dvm60l2swE5smdXiZeRxilDeGg0Mf7ijhMhhC4iniJS2lVe5vTAg05uBA3lJUVr9
GLpUnY8c+0MWlEo5QSFYlWFJ0qVPJcR82vVhAZVfcPMtqmtqS3MpbJvFR/2krZjI
6y8QPZdLnZdI0j+4BW5m/5mgFFBJeq6y67j61M8uP0Bi6VL7Z+82oeVOwVjgTnZx
cfMlUdzOwkXyC7roSLV7U/Suc61es2PG+IulaMGbgVAQIB8gl4oUYgQcvfLJkqxv
UokSBWyoyrWGQIae5nQOslLpPWBaNi54W6LZcAamAKmQgSlD/wTOSrajrTi6lvX4
VMMjPoyLNkcu1MS68Ue4M4wsw8B/Da+TjkatVMgm+D/Dxmvl9iaMKc6diec92jUt
so5yZ/kf7F7rfglbvsYFyLeRNenBXrWN9PicmGLjKJQPV7Agdfg35ywbhcp6cUqf
QDmO+5G4CsgLy1MNPczJKXsvrIGltWU0evzoMbPiWXiZvUKQwNW6g2a1FGiTVEbS
XAHgjFs1QAjzaWB1+bjCmt8m0+pUq1wtqT69XRgwBZu9Xb5KDR/h1OXl2s9qZUcj
8oi8OIZIv+yEPXcZYm51NQg0IB9qtwQpxya4TuYM29cEFQY4/ANAExxK2rp3
=BJAs
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
- created_at: "2024-05-01T16:36:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA2W9MER3HLb7AQgAhiN4+xEOSyWdDOKv9vAlr9R0lTRewysTFa7cWynDntix
FNHapgPIVp/NatooTUkE6RFJhnkDC+6HKwDwc25NuD2Uoo16BxWVUZyzVNUYboZs
VEJbXj2WIe/4iyxArCjlBaEoLrLqQ4bbsZb2kye3C8YOyH+jIaCbb/cvWyzuHyAj
ENqGWKehhVy9hP6BN767hUfcvBvU12btN35ieGSe9V7yG56tTA467V+htXx60zsU
uUZ8RFPLpZlDylAbarNMcevhgRF+/8G1uCKjN8gJkn+sJtKFQT7YR5HgHg6LKuBc
0dYqgzsp9NjindHjX0/WCofwEG+HXjSMDK4GZvC7eNJcATuWAaYXRIpoIYOBS5yq
p4FttSfgo1CWKEhOVs4IFn6XuzzyteVRYhxFMj+/ojYsj7NkqnIIhWe7nFSFYHOE
ye+hMG1+ncrArTuIlH0c0KO7UqCEKQNBh7TKJuk=
=T2l/
-----END PGP MESSAGE-----
fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted
version: 3.8.1

11
nixos/users/connie.nix
View file

@ -1,5 +1,6 @@
{config, ...}: { {config, options, ...}: {
users.users.connieallure = {name, ...}: { config.users = {
users.connieallure = {name, ...}: {
uid = 8003; uid = 8003;
isNormalUser = true; isNormalUser = true;
autoSubUidGidRange = false; autoSubUidGidRange = false;
@ -10,7 +11,11 @@
"kyuuto" "kyuuto"
]; ];
}; };
users.groups.connieallure = {name, ...}: { groups.connieallure = {name, ...}: {
gid = config.users.users.${name}.uid; gid = config.users.users.${name}.uid;
}; };
};
config.${if options ? networking.firewall then "networking" else null} = {
access.peeps.ranges.connieallure = "2604:3d00::/28";
};
} }

1
tree.nix
View file

@ -55,6 +55,7 @@
]; ];
}; };
}; };
"modules/nixos/access".functor.enable = true;
"modules/nixos/ldap".functor.enable = true; "modules/nixos/ldap".functor.enable = true;
"modules/nixos/krb5".functor.enable = true; "modules/nixos/krb5".functor.enable = true;
"modules/nixos/sssd".functor.enable = true; "modules/nixos/sssd".functor.enable = true;