Add more dns servers to unbound

.sops.yaml

@@ -6,6 +6,7 @@ keys:
   - &server_ns4 age12a3nyvjs8jrwmpkf3tgawel3nwcklwsr35ktmytnvhpawqwzrsfqpgcy0q
   - &server_ha1 age1d2w5zece9647qwyq4vas9qyqegg96xwmg6c86440a6eg4uj6dd2qrq0w3l
   - &server_nixos-test1 age1gcyfkxh4fq5zdp0dh484aj82ksz66wrly7qhnpv0r0p576sn9ekse8e9ju
+  - &server_inc1 age1g5luz2rtel3surgzuh62rkvtey7lythrvfenyq954vmeyfpxjqkqdj3wt8
 creation_rules:
   - path_regex: secrets/[^/]+\.(yaml|json|env|ini)
     key_groups:
@@ -17,6 +18,7 @@ creation_rules:
         - *server_ns4
         - *server_ha1
         - *server_nixos-test1
+        - *server_inc1
   - path_regex: secrets/ns3/[^/]+\.(yaml|json|env|ini)
     key_groups:
       - age:

flake.nix

@@ -76,6 +76,26 @@
             backup-helper.nixosModules.backup-helper
           ];
         };
+        inc1 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = { inherit inputs self sops-nix; };
+          modules = [
+            ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+            ./hosts/inc1
+            sops-nix.nixosModules.sops
+            # backup-helper.nixosModules.backup-helper
+          ];
+        };
+        inc2 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = { inherit inputs self sops-nix; };
+          modules = [
+            ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+            ./hosts/inc2
+            sops-nix.nixosModules.sops
+            # backup-helper.nixosModules.backup-helper
+          ];
+        };
         template1 = nixpkgs.lib.nixosSystem {
           inherit system;
           specialArgs = { inherit inputs self sops-nix; };

hosts/inc1/configuration.nix

@@ -0,0 +1,96 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../system
+      ../../services/incus
+    ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+  };
+
+  networking.hostName = "inc1";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  networking.nftables.enable = true;
+  networking.firewall.trustedInterfaces = [ "vlan13" ];
+
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  # Primary interface
+  systemd.network.networks."enp2s0" = {
+    matchConfig.Name = "enp2s0";
+    address = [
+      "10.69.12.80/24"
+    ];
+    networkConfig = {
+      VLAN = [ "enp2s0.13" ];
+    };
+    routes = [
+      { routeConfig.Gateway = "10.69.12.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+
+  # VLAN 13 netdev
+  systemd.network.netdevs."enp2s0.13" = {
+    enable = true;
+    netdevConfig = {
+      Kind = "vlan";
+      Name = "enp2s0.13";
+    };
+    vlanConfig = {
+      Id = 13;
+    };
+  };
+
+  # # Bridge netdev
+  # systemd.network.netdevs."br13" = {
+  #   netdevConfig = {
+  #     Name = "br13";
+  #     Kind = "bridge";
+  #   };
+  # };
+
+  # # Bridge network
+  # systemd.network.networks."br13" = {
+  #   matchConfig.Name = "enp2s0.13";
+  #   networkConfig.Bridge = "br13";
+  # };
+
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    tcpdump
+    vim
+    wget
+    git
+  ];
+
+  # Enable the OpenSSH daemon.
+  # services.openssh.enable = true;
+  # services.openssh.settings.PermitRootLogin = "yes";
+
+  system.stateVersion = "24.05"; # Did you read the comment?
+}
+

hosts/inc1/default.nix

@@ -0,0 +1,5 @@
+{ ... }: {
+  imports = [
+    ./configuration.nix
+  ];
+}

hosts/inc1/hardware-configuration.nix

@@ -0,0 +1,41 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/faa60038-b3a4-448a-8909-49857818c955";
+      fsType = "xfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/7A94-A91C";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/f7a4f85e-0b4b-492d-a611-f50d2b915c2c"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/inc2/configuration.nix

@@ -0,0 +1,96 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../system
+      ../../services/incus
+    ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+  };
+
+  networking.hostName = "inc2";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  networking.nftables.enable = true;
+  networking.firewall.trustedInterfaces = [ "vlan13" ];
+
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  # Primary interface
+  systemd.network.networks."enp2s0" = {
+    matchConfig.Name = "enp2s0";
+    address = [
+      "10.69.12.81/24"
+    ];
+    networkConfig = {
+      VLAN = [ "enp2s0.13" ];
+    };
+    routes = [
+      { routeConfig.Gateway = "10.69.12.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+
+  # VLAN 13 netdev
+  systemd.network.netdevs."enp2s0.13" = {
+    enable = true;
+    netdevConfig = {
+      Kind = "vlan";
+      Name = "enp2s0.13";
+    };
+    vlanConfig = {
+      Id = 13;
+    };
+  };
+
+  # # Bridge netdev
+  # systemd.network.netdevs."br13" = {
+  #   netdevConfig = {
+  #     Name = "br13";
+  #     Kind = "bridge";
+  #   };
+  # };
+
+  # # Bridge network
+  # systemd.network.networks."br13" = {
+  #   matchConfig.Name = "enp2s0.13";
+  #   networkConfig.Bridge = "br13";
+  # };
+
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    tcpdump
+    vim
+    wget
+    git
+  ];
+
+  # Enable the OpenSSH daemon.
+  # services.openssh.enable = true;
+  # services.openssh.settings.PermitRootLogin = "yes";
+
+  system.stateVersion = "24.05"; # Did you read the comment?
+}
+

hosts/inc2/default.nix

@@ -0,0 +1,5 @@
+{ ... }: {
+  imports = [
+    ./configuration.nix
+  ];
+}

hosts/inc2/hardware-configuration.nix

@@ -0,0 +1,33 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "rtsx_usb_sdmmc" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/3e7c311c-b1a3-4be7-b8bf-e497cba64302";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/F0D7-E5C1";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/1a06a36f-da61-4d36-b94e-b852836c328a"; }];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
+

secrets/secrets.yaml

@@ -10,65 +10,74 @@ sops:
         - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBubWtoVGhXYXRlSlFRN1R1
-            Zk9ER3d6ZExUeW0yV1grQkFzMks3akhuaHlVCk4rRmVTaUd6RG9NRldmNFZ0ZXMr
-            aUh5QTJLSkpISXRkVXJFWDZkdlVnSHMKLS0tIGRVcXRQRTVDK09JSThidTdsOHBo
-            NGpxMjFhVmg2cHdNS2dTQitEQWlLYUUKgKAgXN4Bwl2A+MRcLsGFl+BDAj8Jqkg1
-            42aUJbVMVhQLVMSFw23AIsAiSkm0l05JVedUayr6EdL0AsZRmArRrw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5eHNpQ2NkV0Z2QldSVDBW
+            dTN5dk1KN2tOUUZVREpzdVhPVGlERkI3TjBjCmhCMFU3WElMZGhCek5ocGlRM2hu
+            YVBPdkcxU0FKNk9QeXA0bDNRYU0xZEUKLS0tIDdtMjNyNkY1d21OZVdacnR0L09B
+            c3ZRYzBva1ZiV0xucWw3WEcxM01JbFUK3AmQJ3tVbYr8vmNFvssh/TGJcFM2O+hb
+            BXO2VYZqNmRLKEClgRUPR8lykt1j+P1hXfxlpUEsudyyd1iV6r/7vg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hz2lz4k050ru3shrk5j3zk3f8azxmrp54pktw5a7nzjml4saudesx6jsl0
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaVFFxK0RMU3pYVkpTeFQ3
-            M1VzVkZnR2RWazdUSEo5dGExMDR6RXlTYlZJCk14OVFIQjF1aEh6NGRseEkyUjdG
-            SUNIK0N2eEVWRW9mM1E4YzExS3g4QU0KLS0tIDJ2by9wYUlEWlh5Y2cxZzZBUW9w
-            N3BkNlBEVGl1L09nbjZXZm9seTY1NTAKtVmJ9bh/cN/q+FmZ7AhmdledAL3SKWvm
-            69+sx3etiIrZ8tx9hB+shULNkBWI4scopFZdoeRu75Q+Mc86s+wf4A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcGM3UTVhMlV0TTNsMVp4
+            RERtRmlObHovUVdONDRWTnB6SWxxU09YKzF3Ck5qVFpiWVFUZVZYT3JwUHRBSXU0
+            VkFmVFZ1Nm51YlA4VDR6WVBwRnlBVncKLS0tIE9MVFBzUlpZOXRIalJtSkM0Uk52
+            MUJtREo5UlFnTDlicmZUOVB0aTNDNEUK9FHHmJs63JEucmxjlAr5GmkQ/8NUJkay
+            9+8V+BxGtqIYAn+U++GOa0hjJYQb8FrHL1SpKB8qOwkWYM7mbENH2g==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1w2q4gm2lrcgdzscq8du3ssyvk6qtzm4fcszc92z9ftclq23yyydqdga5um
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRGtVZk9nL2EwaVlDcUlM
-            VUZuUHNXNnZEajdzL1RkeFFvNVFEaXVpWVRZCmpQMGoyOGNqemN4VHRzV2QxdWMv
-            c2V0T1FiMWw1ZzR2bFZmSzVsbFphWjAKLS0tIFF3TE9OcXUzUVI1UC9LU1FJVjhM
-            NzRoTGt6V3gyQStVbWxITUUrU0k0M1UKTGQ+9FFpFkzYYhvu4SoBYhQNh3IfErVT
-            orD+RecwMaZqkCh0gjs6pPG675fiWaESo/SUqG5+w38Jh/Q3fHiBnQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRVdzemZ4UVBySytWeHZw
+            ekU1emdUU1FlZGFWK2NjUHdDS3B0ZGF5a0dvClVhVjZvZVE1dFlPak1QY0pYUU1Q
+            V2ttcFBLalNWQWlMVnZDOTE0YWpSUDQKLS0tIENvSGVZZ2hJS1hQZWpzT1hZWXFI
+            SXhkM2pFVmE5djRlMGhaSU9rRlcwaXMKg65Sop34XWfYiQvZGquB2U2Oh0/afz2i
+            PRAozkriSM+vY4n3WJlqK/rCmlOniARaci6mzfqRLhazEbmKBOYM7g==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1snmhmpavqy7xddmw4nuny0u4xusqmnqxqarjmghkm5zaluff84eq5xatrd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1Q2tBYUVuNzNONk5Kbzho
-            SHhVUWs0MFNyblVGNDRUTStLa0NpYXdXeWxRCm0zcTlaMUZqQ0dNVXZpak1YSUZZ
-            VmNvelJiQXJlZXJIa0dncE91TU5sNTAKLS0tIFQ2Z1lSSFhiK3dZSVlxeEt2VXlU
-            bk0rNjMrbWx4WVdnd0VLSWRUNGI5cVkKUIf+ilyc8N/T8jXk9X643DiASH0Yc8MU
-            eWw6vttNrIHu69s1jku59JiGGzxaSJOvRwHqu2toIpR0aFm9X87PPQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwUllOVVVyTVEyYkVvYXhL
+            RUx4RE5ZaENxY1FRT1lhN1Nva3orb2RGMzIwCndZSkcyTGYxaTZnMzJCMWt5NWRK
+            YTVHcEtndm5KbXJDNjBTdDlkTDlVODQKLS0tIEFGU3JPT295KzUwRTk2QVJ6eTNv
+            MmJRaTM1WWdwVjRrNk16dzU0ZFdBL1kK8Dp3M942e+6sLIYhV8MlkIbLh9se7IbC
+            iN+1N/6N5JUvg3FFz+V1tFlT7R0y3BJFBmemaMLJWsRelshjj26NcA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age12a3nyvjs8jrwmpkf3tgawel3nwcklwsr35ktmytnvhpawqwzrsfqpgcy0q
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0ZmJiek14ZUdnRkJUNDR1
-            dkN2blJ6Ykx0TlEvVlA2UGlaT0N5WHp4eGdNCldRL0gwVmlSQ3JBaXhDZ0RHWTVZ
-            K3BVZmczYis1cHNFbmRLK0t3MlVhQ0kKLS0tIFFMRUFXMWJIRjRWeHFsUEpDTjI0
-            czhoVlg3NVBGK2hkK1F1cElwK3ZpZDQKVYL7UmZpDwUUCELJ85dkh4aQgiFuiP4b
-            ljk7WwMCr2KPOwlqDNSSOZgoh8RmFlKaMsNB5EQMd4loNWgMra7URA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZi9UaGM3L1BsQTRpbFZi
+            OUdwam5JWXNDa1VWcEhCdkx4YXppV1NRem13CjBBTk9PRDVkNjBaY1dOU2txNkpK
+            ZXVUVTZVRUtmWjlvUEd3UDA0LzdhTlEKLS0tIEtwTUlESXdwQ1ZkTUVtWVJzK1p0
+            ZnlHNGk4bGVndUJZb1VrUWpxUHJucWsKULgyNAkFMRFgOQYIG/NC6jQxCvCrAVqS
+            WYS54btyjqiUYYx/nv6Ce6EZwMYEvKGRl1IVrFlNXVfjoE14GhuL7g==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1d2w5zece9647qwyq4vas9qyqegg96xwmg6c86440a6eg4uj6dd2qrq0w3l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0MVEwVy94VXd2U1pCd3cv
-            TFpwNDYrU01Md3pQZXlwbWFNd2xocnMrN3pJCi94alVKajk5eExhbWkwd1ZFNEQ0
-            VnN0VExzTEdQNGplS05nVWsxZnNYdW8KLS0tIFVTdWYzbDA0R3FpbjhjVTU3ZnRw
-            ZHJTUXJQOUFmWEVjQ0ZHellVS2swVmsK4vyeriPn+OcSFQoaIjtErQBwDdOOBxdc
-            sgYKQOuqjcbDC6T8AgeR1fKz6XY2aBf4NwRje4iqFLDEW/L3WQEiYQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZFpFNjJIeXRxandtY24z
+            WXBjMmhTRmdFVzFJU3MwT3BCSnBBUDJnTHdRCjluT3B2Y1pBNjBtODlRUXVvZlZu
+            dnZleUJQRHIvYkVlVjlFNDRwM1FCWXMKLS0tIGRUdzlrL1Q4d3NhMFlaVlF5alFx
+            T0RKZ0JRUzRQMUJ0bDFKVEhNV1cvSEkKEorAEa2nQqp1BtVfa4bj3dsKuhHAMPif
+            RsI8t6f3UhBrC59DklJbhqD4zmxzCNtqhwHxklh3ofRThqsAs8fuSg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1gcyfkxh4fq5zdp0dh484aj82ksz66wrly7qhnpv0r0p576sn9ekse8e9ju
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsalA0a0tNQWNHVUlNVTVP
-            b1JONEpVSzhkK25qRE4zeFlnQmlCdzBPaFVJCnVHNklyNlVNc3lnN04yKzVWdHNy
-            OG51Y2pEelVjN0pYSEg0Sk9iM3RtaVUKLS0tIGlXNnZBdGxCcGZDVGNJMGJiOXBB
-            V1FQQ0o4UVhEbWtFMEtFcWpQR0c2aDQKduenww5ggqovBUmU1u3xGNABx4MevBk7
-            939Mp8UtDPblCDBFi2SmxrrsFiQDOWVkz7llHTmLHYDPEejkVc8/sQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZejZxUUNPVnFJeWpoWU1Q
+            RVgySXoxTmtRQnhKRUh6K1E0dnhteTdxTlVBClBxOFlUby9pWG1vdWpjeUxYaUhn
+            VXdCTnl2Smt4K2VQOUlRYjhLcTlsVEEKLS0tIGZZb29iNlVmaStrdDVrelhsUDJK
+            R1dJcjF3TWM0R0NCVGhYN2ZNVWR1Uk0KGKPtGaT6MomJav2gyU7VbvFMxvVfEqJZ
+            B8DhVtjfm3DpL/KjdljuGh74PBdiX7xPUTiD6e0KnboGU96/OzESgg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1g5luz2rtel3surgzuh62rkvtey7lythrvfenyq954vmeyfpxjqkqdj3wt8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQSWs2TTV1RWR0Q0pVYW5X
+            ZGwxUVZqOVd5R1NnWlY3ODFyUWtGVE5jN1NFCmNMMUhUTXp1Z1dheHNFRExQbzQw
+            cW50MWFZay9RYkVSTytDeUgzMi9KSEEKLS0tIG9oZDdFM0EyaVd5RmZTenY3N1Ax
+            dlM4L0tCZWh5Ti9EUHNFWGJ0SVhodVEKfwBmqlondg8oulzrEg+AkgeDQ6CvkoS3
+            L+GWzo98ccpt/uE95vIuiywdTmpt7hjkJNrDh2euOvJXBdwexFW3tA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-06-02T22:09:06Z"
     mac: ENC[AES256_GCM,data:cxJq4EMEMVEw0IUXNwtyQj4MaYIJ/Xo4OaY+3VLgIhYw6oBO9CmJxgLuXcSnGnr23oNE5OQF6ALv+vxF46D1pI0V1zhqKL6zMIs0DzPBwo7Arg166w5kGAT274jK7YWymeJ7fafWXYubLlGUthyVJS1BkvlqIhoe2BlTZ3bPyBs=,iv:Z2Uh9Oo4q/ce6DDLShs7JAX3XFNAVOGBmBPvRbGxaaU=,tag:6qZhZ4+tgtXl60b0Lx7Taw==,type:str]

services/incus/default.nix

@@ -0,0 +1,7 @@
+{ pkgs, config, ... }:
+{
+  virtualisation.incus = {
+    enable = true;
+  };
+  networking.firewall.allowedTCPPorts = [ 8443 ];
+}

services/ns/resolver.nix

@@ -31,7 +31,13 @@
       forward-zone = {
         name = ".";
         forward-tls-upstream = "yes";
-        forward-addr = "1.1.1.1@853#cloudflare-dns.com";
+        # forward-addr = "1.1.1.1@853#cloudflare-dns.com";
+        forward-addr = [
+          "1.1.1.1@853#cloudflare-dns.com"
+          "1.0.0.1@853#cloudflare-dns.com"
+          "8.8.8.8@853#dns.google"
+          "8.8.4.4@853#dns.google"
+        ];
       };
     };
   };

services/ns/zones-home-2rjus-net.conf

@@ -1,7 +1,7 @@
 $ORIGIN home.2rjus.net.
 $TTL 1800
 @       IN      SOA     ns1.home.2rjus.net.      admin.test.2rjus.net. (
-                        2035                    ; serial number
+                        2037                    ; serial number
                         3600                    ; refresh
                         900                     ; retry
                         1209600                 ; expire
@@ -45,6 +45,8 @@ sonarr              IN      A       10.69.12.54
 bazarr              IN      A       10.69.12.55
 mpnzb 	            IN      A       10.69.12.57
 pve1                IN      A       10.69.12.75
+inc1                IN      A       10.69.12.80
+inc2                IN      A       10.69.12.81
 
 ; 13_SVC
 ns1                 IN      A       10.69.13.5