Compare commits
8 Commits
50c136b018
...
b209921284
Author | SHA1 | Date | |
---|---|---|---|
b209921284 | |||
e7ae078b31 | |||
2ded0567d1 | |||
50afdf4c87 | |||
7bd06726f0 | |||
44c71fd688 | |||
84893e0f69 | |||
1cd660e2c3 |
31
base.nix
31
base.nix
@ -88,17 +88,44 @@
|
|||||||
|
|
||||||
systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
|
systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
|
||||||
|
|
||||||
environment.snakeoil-certs = lib.mkIf (config.services.nginx.enable) {
|
environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
|
||||||
"/etc/certs/nginx" = {
|
"/etc/certs/nginx" = {
|
||||||
owner = "nginx";
|
owner = "nginx";
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."_" = lib.mkIf (config.services.nginx.enable) {
|
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
|
||||||
sslCertificate = "/etc/certs/nginx.crt";
|
sslCertificate = "/etc/certs/nginx.crt";
|
||||||
sslCertificateKey = "/etc/certs/nginx.key";
|
sslCertificateKey = "/etc/certs/nginx.key";
|
||||||
addSSL = true;
|
addSSL = true;
|
||||||
extraConfig = "return 444;";
|
extraConfig = "return 444;";
|
||||||
|
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
|
||||||
|
config = ''
|
||||||
|
pcre_jit on;
|
||||||
|
worker_processes auto;
|
||||||
|
worker_rlimit_nofile 100000;
|
||||||
|
'';
|
||||||
|
eventsConfig = ''
|
||||||
|
worker_connections 2048;
|
||||||
|
use epoll;
|
||||||
|
multi_accept on;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.nginx.serviceConfig = {
|
||||||
|
LimitNOFILE = 65536;
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
|
||||||
|
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults.email = "drift@pvv.ntnu.no";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
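Review bot: The added `config = ''` block that carries `pcre_jit on;` does not use `appendConfig`, which a per-host file on this page uses for the same directives. In the NixOS nginx module `services.nginx.config` is the verbatim whole-file option, so if that is what is being set, the generated virtual hosts and the `recommendedTlsSettings` output would likely be bypassed; I would write `appendConfig = ''` instead. Indentation is lost in this rendering and no `services.nginx = {` opener or closing `};` is visible between `extraConfig = "return 444;";` and `recommendedTlsSettings = true;`, so the enclosing attribute set should be confirmed as well. Separately, `worker_rlimit_nofile 100000;` is higher than the unit's `LimitNOFILE = 65536;`, and the two values should be aligned.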
21
flake.lock
generated
21
flake.lock
generated
@ -80,6 +80,26 @@
|
|||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nix-gitea-themes": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1712621190,
|
||||||
|
"narHash": "sha256-O8xtza+wPplTmSm0EAPk8Ud9sJ6huVNY6jU21FYHCp4=",
|
||||||
|
"ref": "refs/heads/main",
|
||||||
|
"rev": "812c1fc4061d534a8c7d35271ce32b6c76a9f385",
|
||||||
|
"revCount": 5,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1712386448,
|
"lastModified": 1712386448,
|
||||||
@ -172,6 +192,7 @@
|
|||||||
"grzegorz": "grzegorz",
|
"grzegorz": "grzegorz",
|
||||||
"grzegorz-clients": "grzegorz-clients",
|
"grzegorz-clients": "grzegorz-clients",
|
||||||
"matrix-next": "matrix-next",
|
"matrix-next": "matrix-next",
|
||||||
|
"nix-gitea-themes": "nix-gitea-themes",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||||
"pvv-calendar-bot": "pvv-calendar-bot",
|
"pvv-calendar-bot": "pvv-calendar-bot",
|
||||||
|
@ -20,6 +20,9 @@
|
|||||||
matrix-next.url = "github:dali99/nixos-matrix-modules";
|
matrix-next.url = "github:dali99/nixos-matrix-modules";
|
||||||
matrix-next.inputs.nixpkgs.follows = "nixpkgs";
|
matrix-next.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
|
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
|
||||||
|
nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
grzegorz.url = "github:Programvareverkstedet/grzegorz";
|
grzegorz.url = "github:Programvareverkstedet/grzegorz";
|
||||||
grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
|
grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
|
||||||
grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
|
grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
|
||||||
@ -86,9 +89,11 @@
|
|||||||
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
|
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
|
||||||
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
|
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
|
||||||
})
|
})
|
||||||
|
inputs.nix-gitea-themes.overlays.default
|
||||||
inputs.pvv-nettsiden.overlays.default
|
inputs.pvv-nettsiden.overlays.default
|
||||||
];
|
];
|
||||||
modules = [
|
modules = [
|
||||||
|
inputs.nix-gitea-themes.nixosModules.default
|
||||||
inputs.pvv-nettsiden.nixosModules.default
|
inputs.pvv-nettsiden.nixosModules.default
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
@ -52,14 +52,16 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
|
||||||
|
|
||||||
environment.systemPackages = [ cfg.package ];
|
environment.systemPackages = [ cfg.package ];
|
||||||
|
|
||||||
services.nginx.virtualHosts."${domain}" = {
|
services.nginx.virtualHosts."${domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
kTLS = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
|
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
|
||||||
recommendedProxySettings = true;
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
client_max_body_size 512M;
|
client_max_body_size 512M;
|
||||||
'';
|
'';
|
||||||
|
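Review bot: The `recommendedProxySettings = true;` line is dropped from `locations."/"` without a replacement in this file, so the `Host` and `X-Forwarded-*` headers Gitea sees behind `proxyPass` now depend entirely on the shared `services.nginx.recommendedProxySettings` set in base.nix. A comment such as `# proxy headers come from services.nginx.recommendedProxySettings (base.nix)` above `proxyPass` would make that dependency visible. The `locations."/"` body continues past the end of the hunk.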
@ -180,6 +180,7 @@ in
|
|||||||
services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
|
services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
kTLS = true;
|
||||||
root = "${package}/share/php/simplesamlphp/public";
|
root = "${package}/share/php/simplesamlphp/public";
|
||||||
locations = {
|
locations = {
|
||||||
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
|
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
|
||||||
|
@ -43,6 +43,7 @@ in {
|
|||||||
(map (key: lib.nameValuePair key {
|
(map (key: lib.nameValuePair key {
|
||||||
owner = user;
|
owner = user;
|
||||||
group = group;
|
group = group;
|
||||||
|
restartUnits = [ "phpfpm-mediawiki.service" ];
|
||||||
}))
|
}))
|
||||||
lib.listToAttrs
|
lib.listToAttrs
|
||||||
];
|
];
|
||||||
@ -85,7 +86,7 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
extensions = {
|
extensions = {
|
||||||
inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
|
inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp VisualEditor;
|
||||||
};
|
};
|
||||||
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
@ -151,6 +152,7 @@ in {
|
|||||||
users.groups.mediawiki.members = [ "nginx" ];
|
users.groups.mediawiki.members = [ "nginx" ];
|
||||||
|
|
||||||
services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
|
services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
|
||||||
|
kTLS = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations = {
|
locations = {
|
||||||
|
@ -4,19 +4,5 @@
|
|||||||
./ingress.nix
|
./ingress.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
security.acme = {
|
services.nginx.enable = true;
|
||||||
acceptTerms = true;
|
|
||||||
defaults.email = "drift@pvv.ntnu.no";
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
recommendedOptimisation = true;
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
}
|
}
|
||||||
|
@ -5,6 +5,7 @@
|
|||||||
serverAliases = [ "pvv.org" ];
|
serverAliases = [ "pvv.org" ];
|
||||||
addSSL = true;
|
addSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
kTLS = true;
|
||||||
|
|
||||||
locations = {
|
locations = {
|
||||||
# Proxy home directories
|
# Proxy home directories
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
|
services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
#locations."/" = lib.mkForce { };
|
kTLS = true;
|
||||||
locations."= /" = {
|
locations."= /" = {
|
||||||
return = "301 https://www.pvv.ntnu.no/mail/";
|
return = "301 https://www.pvv.ntnu.no/mail/";
|
||||||
};
|
};
|
||||||
|
@ -35,6 +35,7 @@ in
|
|||||||
services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
|
services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
|
||||||
|
|
||||||
services.nginx.virtualHosts.${domain} = {
|
services.nginx.virtualHosts.${domain} = {
|
||||||
|
kTLS = true;
|
||||||
locations."/roundcube" = {
|
locations."/roundcube" = {
|
||||||
tryFiles = "$uri $uri/ =404";
|
tryFiles = "$uri $uri/ =404";
|
||||||
index = "index.php";
|
index = "index.php";
|
||||||
|
@ -5,6 +5,7 @@ in {
|
|||||||
services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
|
services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
kTLS = true;
|
||||||
|
|
||||||
root = pkgs.element-web.override {
|
root = pkgs.element-web.override {
|
||||||
conf = {
|
conf = {
|
||||||
|
@ -217,6 +217,9 @@ in {
|
|||||||
services.redis.servers."".enable = true;
|
services.redis.servers."".enable = true;
|
||||||
|
|
||||||
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
|
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
|
||||||
|
({
|
||||||
|
kTLS = true;
|
||||||
|
})
|
||||||
({
|
({
|
||||||
locations."/.well-known/matrix/server" = {
|
locations."/.well-known/matrix/server" = {
|
||||||
return = ''
|
return = ''
|
||||||
|
@ -1,15 +1,8 @@
|
|||||||
{ config, values, ... }:
|
{ config, values, ... }:
|
||||||
{
|
{
|
||||||
security.acme = {
|
|
||||||
acceptTerms = true;
|
|
||||||
defaults.email = "danio@pvv.ntnu.no";
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
enableReload = true;
|
enableReload = true;
|
||||||
|
|
||||||
defaultListenAddresses = [
|
defaultListenAddresses = [
|
||||||
values.hosts.bicep.ipv4
|
values.hosts.bicep.ipv4
|
||||||
"[${values.hosts.bicep.ipv6}]"
|
"[${values.hosts.bicep.ipv6}]"
|
||||||
@ -20,7 +13,6 @@
|
|||||||
];
|
];
|
||||||
|
|
||||||
appendConfig = ''
|
appendConfig = ''
|
||||||
pcre_jit on;
|
|
||||||
worker_processes 8;
|
worker_processes 8;
|
||||||
worker_rlimit_nofile 8192;
|
worker_rlimit_nofile 8192;
|
||||||
'';
|
'';
|
||||||
@ -29,17 +21,5 @@
|
|||||||
multi_accept on;
|
multi_accept on;
|
||||||
worker_connections 4096;
|
worker_connections 4096;
|
||||||
'';
|
'';
|
||||||
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
recommendedBrotliSettings = true;
|
|
||||||
recommendedOptimisation = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
|
|
||||||
systemd.services.nginx.serviceConfig = {
|
|
||||||
LimitNOFILE = 65536;
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
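Review bot: This host file (it references `values.hosts.bicep`) keeps `worker_processes 8;` and `worker_rlimit_nofile 8192;` in `appendConfig`, plus `multi_accept on;` and `worker_connections 4096;` in the following string, while base.nix on this page now sets the same directives for every host with nginx enabled. nginx rejects these directives when they appear twice, so if both sets end up in one nginx.conf the service would fail its configuration test. Either drop the host-local values or wrap the shared ones in `lib.mkDefault` so a host definition replaces them rather than being concatenated. The removed `recommendedBrotliSettings = true;` has no counterpart in the shared block, so this host appears to lose Brotli; if that is intended it deserves a line in the commit message.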
@ -91,6 +91,7 @@ in {
|
|||||||
services.nginx.virtualHosts.${cfg.settings.server.domain} = {
|
services.nginx.virtualHosts.${cfg.settings.server.domain} = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
kTLS = true;
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";
|
proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";
|
||||||
|
@ -1,15 +1,8 @@
|
|||||||
{ config, values, ... }:
|
{ config, values, ... }:
|
||||||
{
|
{
|
||||||
security.acme = {
|
|
||||||
acceptTerms = true;
|
|
||||||
defaults.email = "drift@pvv.ntnu.no";
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
enableReload = true;
|
enableReload = true;
|
||||||
|
|
||||||
defaultListenAddresses = [
|
defaultListenAddresses = [
|
||||||
values.hosts.ildkule.ipv4
|
values.hosts.ildkule.ipv4
|
||||||
"[${values.hosts.ildkule.ipv6}]"
|
"[${values.hosts.ildkule.ipv6}]"
|
||||||
@ -18,12 +11,5 @@
|
|||||||
"127.0.0.2"
|
"127.0.0.2"
|
||||||
"[::1]"
|
"[::1]"
|
||||||
];
|
];
|
||||||
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
recommendedOptimisation = true;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
}
|
}
|
||||||
|
@ -24,15 +24,12 @@ in {
|
|||||||
services.grzegorz-webui.hostName = "${config.networking.fqdn}";
|
services.grzegorz-webui.hostName = "${config.networking.fqdn}";
|
||||||
services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
|
services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
|
||||||
|
|
||||||
security.acme.acceptTerms = true;
|
|
||||||
security.acme.defaults.email = "pederbs@pvv.ntnu.no";
|
|
||||||
|
|
||||||
services.nginx.enable = true;
|
services.nginx.enable = true;
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
|
|
||||||
services.nginx.virtualHosts."${config.networking.fqdn}" = {
|
services.nginx.virtualHosts."${config.networking.fqdn}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
kTLS = true;
|
||||||
serverAliases = [
|
serverAliases = [
|
||||||
"${config.networking.hostName}.pvv.org"
|
"${config.networking.hostName}.pvv.org"
|
||||||
];
|
];
|
||||||
|
@ -4,4 +4,5 @@ lib.makeScope pkgs.newScope (self: {
|
|||||||
PluggableAuth = self.callPackage ./pluggable-auth { };
|
PluggableAuth = self.callPackage ./pluggable-auth { };
|
||||||
SimpleSAMLphp = self.callPackage ./simple-saml-php { };
|
SimpleSAMLphp = self.callPackage ./simple-saml-php { };
|
||||||
UserMerge = self.callPackage ./user-merge { };
|
UserMerge = self.callPackage ./user-merge { };
|
||||||
|
VisualEditor = self.callPackage ./visual-editor { };
|
||||||
})
|
})
|
||||||
|
7
packages/mediawiki-extensions/visual-editor/default.nix
Normal file
7
packages/mediawiki-extensions/visual-editor/default.nix
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
{ fetchzip }:
|
||||||
|
|
||||||
|
fetchzip {
|
||||||
|
name = "mediawiki-visual-editor-source";
|
||||||
|
url = "https://extdist.wmflabs.org/dist/extensions/VisualEditor-REL1_40-5f8c97e.tar.gz";
|
||||||
|
hash = "sha256-oBMmEDKsFxrD0tpN2dy264IXK164BrZWrNK3v3FNX6w=";
|
||||||
|
}
|
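Review bot: The `url` points at an extdist snapshot tarball; `hash` pins the content, which covers integrity, but these snapshot URLs are, as far as I know, regenerated over time, so the fetch may start failing once `VisualEditor-REL1_40-5f8c97e.tar.gz` is rotated out. Consider fetching the extension from its git repository at a pinned revision instead, or add a comment such as `# extdist snapshot; URL may expire, bump url and hash together` above `url`.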
@ -6,15 +6,21 @@
|
|||||||
extraGroups = [
|
extraGroups = [
|
||||||
"wheel"
|
"wheel"
|
||||||
"drift"
|
"drift"
|
||||||
|
"nix-builder-users"
|
||||||
];
|
];
|
||||||
|
|
||||||
packages = with pkgs; [
|
packages = with pkgs; [
|
||||||
eza
|
|
||||||
neovim
|
neovim
|
||||||
|
htop
|
||||||
|
ripgrep
|
||||||
|
vim
|
||||||
|
foot.terminfo
|
||||||
];
|
];
|
||||||
|
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFa5y7KyLn2tjxed1czMbyM5scnEpo9v/GfnhL/28ckM legolas"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFa5y7KyLn2tjxed1czMbyM5scnEpo9v/GfnhL/28ckM legolas"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf7SlyHR6KgP7+IeFr/Iuiu2lL5vaSlzqPonaO8XU0J gunalx@aragon"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEj+Y0RUrSaF8gUW8m2BY6i8e7/0bUWhu8u8KW+AoHDh gunalx@nixos"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
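Review bot: The two added `openssh.authorizedKeys.keys` entries grant login to an account that is in `wheel`, and the key comment `gunalx@nixos` does not say which machine holds the key, which makes a later revocation harder to do with confidence. I would change that comment to one that identifies the device, e.g. `gunalx@<machine-name>`. The added `"nix-builder-users"` group is not defined in this hunk, so confirm it is declared on every host that imports this user file. The user definition starts above the hunk.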