tailscale stuff

2022-07-11 15:15:09 +02:00 · 2022-07-11 15:15:09 +02:00 · ba7f19a5bf
commit ba7f19a5bf
parent c2c03c4260
5 changed files with 115 additions and 112 deletions
--- a/flake.lock
+++ b/flake.lock
@ -98,11 +98,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1657016837,
+        "lastModified": 1657536849,
-        "narHash": "sha256-knx83nZ0xax6U1zR3rEOwIz2matk85kntbVEJRQYNuw=",
+        "narHash": "sha256-xpKggtyxzs2bbs8NT5lPNv2engBn7v0yPgzHemf8Ga4=",
        "owner": "nix-community",
        "repo": "emacs-overlay",
-        "rev": "beec877720e2b09b0b1a96450286459bcd7e6435",
+        "rev": "4f95fe202c5e2c796adab52afff568b23ffadda2",
        "type": "github"
      },
      "original": {
@ -165,11 +165,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1656927578,
+        "lastModified": 1657396086,
-        "narHash": "sha256-ZSFrM/1PlJOqCb3mN88ZUh9dkQvNLU/nkoQ2tu02/FM=",
+        "narHash": "sha256-4cQ6hEuewWoFkTBlu211JGxPQQ1Zyli8oEq1cu7cVeA=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f2445620d177e295e711c1b2bc6c01ed6df26c16",
+        "rev": "c645cc9f82c7753450d1fa4d1bc73b64960a9d7a",
        "type": "github"
      },
      "original": {
@ -201,11 +201,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1639947939,
+        "lastModified": 1655042882,
-        "narHash": "sha256-pGsM8haJadVP80GFq4xhnSpNitYNQpaXk4cnA796Cso=",
+        "narHash": "sha256-9BX8Fuez5YJlN7cdPO63InoyBy7dm3VlJkkmTt6fS1A=",
        "owner": "nix-community",
        "repo": "naersk",
-        "rev": "2fc8ce9d3c025d59fee349c1f80be9785049d653",
+        "rev": "cddffb5aa211f50c4b8750adbec0bbbdfb26bb9f",
        "type": "github"
      },
      "original": {
@ -224,11 +224,11 @@
      },
      "locked": {
        "dir": "contrib",
-        "lastModified": 1657006790,
+        "lastModified": 1657466803,
-        "narHash": "sha256-/OAsHWvRJNe591udM69w1KhXm41WYNh25v83UBNWMHY=",
+        "narHash": "sha256-9WceMMKppZI/Z0bP0b7a+BzQIuieH8MNAk3wcmZAiVU=",
        "owner": "neovim",
        "repo": "neovim",
-        "rev": "eb814bdca0bad2a68e111d59fae62f79b8dbeef1",
+        "rev": "95c65a6b221fe6e1cf91e8322e7d7571dc511a71",
        "type": "github"
      },
      "original": {
@ -247,11 +247,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1657008970,
+        "lastModified": 1657527462,
-        "narHash": "sha256-c6HhbjGtsZfuD0IHg6Qv8NMajNPV3Tehrw9FU8F3s90=",
+        "narHash": "sha256-oK2maGETT52ES+J4bKUDgtq7kYHV4YZwF1tf8BKoNyA=",
        "owner": "nix-community",
        "repo": "neovim-nightly-overlay",
-        "rev": "4f3fe701f50810929c06cb5cf428a4780b0d37d0",
+        "rev": "0058638e7ae87b399e7cad52b7734f199c2ffa7f",
        "type": "github"
      },
      "original": {
@ -278,11 +278,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1656847440,
+        "lastModified": 1657502824,
-        "narHash": "sha256-9LRlUrdU+TNAAp393hqDaKnwBssLLkxpRQEAzLSC2pM=",
+        "narHash": "sha256-q/56TxABu/So0mqrCiOnl9mWHC10XinFtmOHy6UeStM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d63774ae64431366be4d1f2aede50e52204c7d6c",
+        "rev": "f904e3562aabca382d12f8471ca2330b3f82899a",
        "type": "github"
      },
      "original": {
@ -292,11 +292,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1657020478,
+        "lastModified": 1657544714,
-        "narHash": "sha256-sU5hXEGcOcvz2xoPAuNLBQJLXjwvPpTkoddyXE8gw20=",
+        "narHash": "sha256-lJu41CQadSbQLmpT5j3kjt2KrY6RTXBVVkdYGyBRrUA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "71a4f0dc3d80ba76f437c888c1c3d59f1df98163",
+        "rev": "63d729665c2835be0c507ced648ccc024620afb6",
        "type": "github"
      },
      "original": {
@ -308,11 +308,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1656753965,
+        "lastModified": 1657447684,
-        "narHash": "sha256-BCrB3l0qpJokOnIVc3g2lHiGhnjUi0MoXiw6t1o8H1E=",
+        "narHash": "sha256-FCP9AuU1q6PE3vOeM5SFf58f/UKPBAsoSGDUGamNBbo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "0ea7a8f1b939d74e5df8af9a8f7342097cdf69eb",
+        "rev": "5f43d8b088d3771274bcfb69d3c7435b1121ac88",
        "type": "github"
      },
      "original": {
@ -363,11 +363,11 @@
        "utils": "utils_2"
      },
      "locked": {
-        "lastModified": 1655204811,
+        "lastModified": 1657475948,
-        "narHash": "sha256-XtEycAZBlYVuu78cWI0SCvsGWipXglxcUknLlcF7BiM=",
+        "narHash": "sha256-iOMjTTW2hQbBU3u4pFP5i4Hp4l+r1gkU86YzVfBCx6w=",
        "owner": "nix-community",
        "repo": "rnix-lsp",
-        "rev": "2e49c1f31d6ad46d3f2adbfc1863a896835e4dd0",
+        "rev": "0449f49a0468624128dd4f5e2d27d1a0e6f894f4",
        "type": "github"
      },
      "original": {
@ -417,11 +417,11 @@
    },
    "utils_2": {
      "locked": {
-        "lastModified": 1638122382,
+        "lastModified": 1656928814,
-        "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
+        "narHash": "sha256-RIFfgBuKz6Hp89yRr7+NR5tzIAbn52h8vT6vXkYjZoM=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
+        "rev": "7e2a3b3dfd9af950a856d66b0a7d01e3c18aa249",
        "type": "github"
      },
      "original": {
@ -468,11 +468,11 @@
    "zsh-completions": {
      "flake": false,
      "locked": {
-        "lastModified": 1656752981,
+        "lastModified": 1657090022,
-        "narHash": "sha256-qSobM4PRXjfsvoXY6ENqJGI9NEAaFFzlij6MPeTfT0o=",
+        "narHash": "sha256-RnG8YFTOrX6HSnHq27GfcO49ms/5rnakWbPU0MfaorU=",
        "owner": "zsh-users",
        "repo": "zsh-completions",
-        "rev": "0331b2908f93556453e45fa5a899aa21e0a7f64d",
+        "rev": "073379d9081da21b9e3aa32ea4ff4d15c2aaa6a9",
        "type": "github"
      },
      "original": {
--- a/hm-imports/cli.nix
+++ b/hm-imports/cli.nix
@ -1,7 +1,7 @@
 { inputs, config, lib, pkgs, ... }:
 {
-  home.stateVersion = "21.05";
+  home.stateVersion = lib.mkDefault "21.05";
  home.packages = with pkgs; [
    my.scripts
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@ -115,68 +115,68 @@ in
    </service-group>
  '';
  # Webhook service to trigger scanning the ADF from HomeAssistant
-  systemd.services.scanhook = {
+  #systemd.services.scanhook = {
-    description = "webhook go server to trigger scanning";
+  #  description = "webhook go server to trigger scanning";
-    documentation = [ "https://github.com/adnanh/webhook" ];
+  #  documentation = [ "https://github.com/adnanh/webhook" ];
-    wantedBy = [ "multi-user.target" ];
+  #  wantedBy = [ "multi-user.target" ];
-    path = with pkgs; [ bash ];
+  #  path = with pkgs; [ bash ];
-    serviceConfig = {
+  #  serviceConfig = {
-      TemporaryFileSystem = "/:ro";
+  #    TemporaryFileSystem = "/:ro";
-      BindReadOnlyPaths = [
+  #    BindReadOnlyPaths = [
-        "/nix/store"
+  #      "/nix/store"
-        "-/etc/resolv.conf"
+  #      "-/etc/resolv.conf"
-        "-/etc/nsswitch.conf"
+  #      "-/etc/nsswitch.conf"
-        "-/etc/hosts"
+  #      "-/etc/hosts"
-        "-/etc/localtime"
+  #      "-/etc/localtime"
-      ];
+  #    ];
-      BindPaths = [
+  #    BindPaths = [
-        "/data/applications/paperless-consumption"
+  #      "/data/applications/paperless-consumption"
-      ];
+  #    ];
-      LockPersonality = true;
+  #    LockPersonality = true;
-      NoNewPrivileges = true;
+  #    NoNewPrivileges = true;
-      PrivateMounts = true;
+  #    PrivateMounts = true;
-      PrivateTmp = true;
+  #    PrivateTmp = true;
-      PrivateUsers = true;
+  #    PrivateUsers = true;
-      ProcSubset = "pid";
+  #    ProcSubset = "pid";
-      ProtectHome = true;
+  #    ProtectHome = true;
-      ProtectControlGroups = true;
+  #    ProtectControlGroups = true;
-      ProtectKernelLogs = true;
+  #    ProtectKernelLogs = true;
-      ProtectKernelModules = true;
+  #    ProtectKernelModules = true;
-      ProtectKernelTunables = true;
+  #    ProtectKernelTunables = true;
-      ProtectProc = "invisible";
+  #    ProtectProc = "invisible";
-      RestrictNamespaces = true;
+  #    RestrictNamespaces = true;
-      RestrictRealtime = true;
+  #    RestrictRealtime = true;
-      RestrictSUIDSGID = true;
+  #    RestrictSUIDSGID = true;
-      DynamicUser = true;
+  #    DynamicUser = true;
-      ExecStart =
+  #    ExecStart =
-        let
+  #      let
-          scanScript = pkgs.writeScript "plscan.sh" ''
+  #        scanScript = pkgs.writeScript "plscan.sh" ''
-            #!/usr/bin/env bash
+  #          #!/usr/bin/env bash
-            export PATH=${lib.makeBinPath [ pkgs.strace pkgs.gnugrep pkgs.coreutils pkgs.sane-backends pkgs.sane-airscan pkgs.imagemagick ]}
+  #          export PATH=${lib.makeBinPath [ pkgs.strace pkgs.gnugrep pkgs.coreutils pkgs.sane-backends pkgs.sane-airscan pkgs.imagemagick ]}
-            export LD_LIBRARY_PATH=${config.environment.sessionVariables.LD_LIBRARY_PATH} # Adds SANE Libraries to the ld library path of this script
+  #          export LD_LIBRARY_PATH=${config.environment.sessionVariables.LD_LIBRARY_PATH} # Adds SANE Libraries to the ld library path of this script
-            set -x
+  #          set -x
-            date="''$(date --iso-8601=seconds)"
+  #          date="''$(date --iso-8601=seconds)"
-            filename="Scan ''$date.pdf"
+  #          filename="Scan ''$date.pdf"
-            tmpdir="''$(mktemp -d)"
+  #          tmpdir="''$(mktemp -d)"
-            pushd "''$tmpdir"
+  #          pushd "''$tmpdir"
-            scanimage --batch=out%d.jpg --format=jpeg --mode Gray -d "airscan:e0:Canon MB5100 series" --source "ADF Duplex" --resolution 300
+  #          scanimage --batch=out%d.jpg --format=jpeg --mode Gray -d "airscan:e0:Canon MB5100 series" --source "ADF Duplex" --resolution 300
-            for i in $(ls out*.jpg | grep 'out.*[24680]\.jpg'); do convert $i -rotate 180 $i; done # rotate even stuff
+  #          for i in $(ls out*.jpg | grep 'out.*[24680]\.jpg'); do convert $i -rotate 180 $i; done # rotate even stuff
-            convert out*.jpg /data/applications/paperless-consumption/"''$filename"
+  #          convert out*.jpg /data/applications/paperless-consumption/"''$filename"
-            chmod 666 /data/applications/paperless-consumption/"''$filename"
+  #          chmod 666 /data/applications/paperless-consumption/"''$filename"
-            popd
+  #          popd
-            rm -r "''$tmpdir"
+  #          rm -r "''$tmpdir"
-          '';
+  #        '';
-          hooksFile = pkgs.writeText "webhook.json" (builtins.toJSON [
+  #        hooksFile = pkgs.writeText "webhook.json" (builtins.toJSON [
-            {
+  #          {
-              id = "scan-webhook";
+  #            id = "scan-webhook";
-              execute-command = "${scanScript}";
+  #            execute-command = "${scanScript}";
-            }
+  #          }
-          ]);
+  #        ]);
-        in
+  #      in
-        "${pkgs.webhook}/bin/webhook -hooks ${hooksFile} -verbose";
+  #      "${pkgs.webhook}/bin/webhook -hooks ${hooksFile} -verbose";
-    };
+  #  };
-  };
+  #};
  networking.firewall.allowedTCPPorts = [ 9000 ];
  # Immutable users due to tmpfs
--- a/nixos-modules/networking/tailscale.nix
+++ b/nixos-modules/networking/tailscale.nix
@ -6,6 +6,9 @@ in
  options.ragon.services.tailscale.enable = lib.mkEnableOption "Enables tailscale";
  config = lib.mkIf cfg.enable {
    # enable the tailscale service
    ragon.persist.extraDirectories = [
      "/var/lib/tailscale"
    ];
    services.tailscale.enable = true;
    ragon.agenix.secrets.tailscaleKey = { };
    networking.firewall = {
--- a/secrets/tailscaleKey.age
+++ b/secrets/tailscaleKey.age
@ -1,17 +1,17 @@
 age-encryption.org/v1
-> ssh-ed25519 ugHWWw mindsoOw/VEfQHrlsm0Z4Kh1vGzY+QF007lWs6YHz3A
+-> ssh-ed25519 ugHWWw lEYsog3suDaEm29deawF+QJ5ecGoAnULSyZ9Zx7rCWw
-iRDoyR5RUYp0erHWn5qKCJHcMaoonDvL4u0Y1YGCEYI
+qvbMdlTATvEQ4XHBAqK9BecI30gS4t+E8i4LWUeg9Ns
-> ssh-ed25519 UU9RSA /eq9/iIM2aPqXQeU7P4avvzM0etAz9TrC38lWs82zxA
+-> ssh-ed25519 UU9RSA HA4dGg9YiDesbVsWu5A310ZTNpmBN1oxmtDGzG76lBY
-SqY5FhrrfxB6gbsGuK/wynKx6iKhHRfjHmhGI/kg46s
+iIfu/jwLWRpdi8+LsqKDYB3xLkiSUfmnoZlTqY2Lb1s
-> ssh-ed25519 yqm35A QzpAv2ifUBh1gPBz5Qx91a2qP5umD/fgj0sV3cnVcQI
+-> ssh-ed25519 yqm35A U4eHydfPgYXbjlknk08AQFacp9DlqBWWs2LGBbY+qFo
-o9UFRn5DIw3yAg0ovONNvjI2CZ+i6LQ/vcQV0pXbjIQ
+Ho/oYBpwzQPLXPLFH+Z3dcNI3KzetQPnlPLq4XeI1xM
-> ssh-ed25519 kKx7Qw JdNXOcNT3t/G7fQFM6kBcUaecZjayLXc3IbfSTAkFn4
+-> ssh-ed25519 kKx7Qw gxgiXQF97nvLzNUHYab655qoDEKoddmw4Dp2JuJK0Wg
-mNbFfDRKF6hti5oE5RIvhMjCf0SdevNbxuIs6zGp7IQ
+okYkX46Wuy7AJXW6vDXrU6ZJn9XMSwNLZi/Qj+kzeJo
-> ssh-ed25519 IbXxfw o90RhqE0NHzyLBMeSTNUvqzJoRvA4ul8aALaiRCSaH8
+-> ssh-ed25519 IbXxfw 9uAGCMt6sfJQ79WApL2u17xeqytYsDMqrb6AktYz1F8
-V/npCtbZnIO16ZVeXMnwMxRd8z10WM1nc1fPfMerdLc
+26194ECFzQkvdecym7qCaLsDfC0fyDWn44NtTjlUuqU
-> ssh-ed25519 WceKOQ TmAMWSWQGi9mYJtDiv/jZNlY6J++qlsUfxN1OdeYVTc
+-> ssh-ed25519 WceKOQ Tm776jVswnnmIqaD7v7V47ik2uADBEW5eg35mzi+r2M
-UMmvWY3SErUzMPseiboLpcohy+fK9B6BM2fPWXWjX7k
+skXChK2fmc3+13Wm3nLhQX9VU8OAQbZxLWWjPKcpGek
-> 'oy1,Nx-grease )r)tqH("
+-> K:lG-grease sjZ |3 kvquB:;
-t05KVbenog5B/4agytm7yw
+twd+UxT3/s9GQrFPXQRfmRj9+Eg
--- WWamvx+v3DW/uSWPXGXd9qlDSYo7tA8tUhYpADmU/YM
+--- tuqN03osNyBnWR6Ck2pR6Kzd7lIJWfEumht/IG+9Dp8
-¯2ßÇ<EFBFBD>å3Ý[â&š§GpÒŠÓßèz…:FpSñÖäxU/òwÊÂ„È ÛúV•^´ÞˆIXÕk¹6ª1CŒ¤U£4]<5D>¸Éðþ
+¡ý?št~HrEÏ€aéH'BÉ÷íSe <65>Ò@›×&ÅºOãcQÄ)e	WúAÙPGAjïÀEiÌ„Â§wtúM¥h¤àÎÍaÁ1