Drift/pvv-nixos-config
17
5
Fork 1
Code Issues Pull Requests 11 Actions Wiki Activity

Compare commits

merge into: Drift:backup-databases
Branches Tags
Drift:main Drift:gitea-vaskepersonalet Drift:errorpages Drift:create-flake-input-exporter Drift:minecraft-heatmap Drift:fix-import-gitea-users-script Drift:gitea-runners-secrets Drift:gitea-runners-cluster Drift:25.05 Drift:new_nodes Drift:ooye Drift:grg-ip Drift:nom Drift:add-skrott Drift:pvvvvv Drift:setup-git-mirroring-on-bicep Drift:init-bakke Drift:gitea-show-license-in-list-view Drift:nix-topology Drift:gitea-robots-txt Drift:dagali-heimdal-openldap-sasl-stack Drift:gitea-navbar-get-started Drift:backup-databases Drift:openwebui Drift:setup-openvpn-tunnel Drift:gitea-gpg-signing Drift:sleipner-authorised-keys Drift:openstack-image-builder Drift:elysium Drift:smartd-notifs Drift:systemd-journald-remote Drift:skrot Drift:deploy-doorbell Drift:misc-gitea-fixes Drift:spotifyd Drift:remote Drift:setup-bikkje-login Drift:ozai-prod Drift:add-bluemap Drift:ozai Drift:setup-postfix-for-service-machines Drift:fix-gitea-ci-runner-network-issues Drift:heimdal-openldap-sasl-testing-on-salsa-on-buskerud Drift:gitea-metrics Drift:misc1 Drift:add-simple-saml-theme Drift:misc-extra-gitea-setup Drift:setup-kerberos Drift:setup-home-areas Drift:shark-kanidm Drift:prometheusexim
...
pull from: Drift:dagali-heimdal-openldap-sasl-stack
Branches Tags
Drift:gitea-vaskepersonalet Drift:errorpages Drift:main Drift:create-flake-input-exporter Drift:minecraft-heatmap Drift:fix-import-gitea-users-script Drift:gitea-runners-secrets Drift:gitea-runners-cluster Drift:25.05 Drift:new_nodes Drift:ooye Drift:grg-ip Drift:nom Drift:add-skrott Drift:pvvvvv Drift:setup-git-mirroring-on-bicep Drift:init-bakke Drift:gitea-show-license-in-list-view Drift:nix-topology Drift:gitea-robots-txt Drift:dagali-heimdal-openldap-sasl-stack Drift:gitea-navbar-get-started Drift:backup-databases Drift:openwebui Drift:setup-openvpn-tunnel Drift:gitea-gpg-signing Drift:sleipner-authorised-keys Drift:openstack-image-builder Drift:elysium Drift:smartd-notifs Drift:systemd-journald-remote Drift:skrot Drift:deploy-doorbell Drift:misc-gitea-fixes Drift:spotifyd Drift:remote Drift:setup-bikkje-login Drift:ozai-prod Drift:add-bluemap Drift:ozai Drift:setup-postfix-for-service-machines Drift:fix-gitea-ci-runner-network-issues Drift:heimdal-openldap-sasl-testing-on-salsa-on-buskerud Drift:gitea-metrics Drift:misc1 Drift:add-simple-saml-theme Drift:misc-extra-gitea-setup Drift:setup-kerberos Drift:setup-home-areas Drift:shark-kanidm Drift:prometheusexim

97 Commits
backup-dat ... dagali-hei

Author SHA1 Message Date
Felix Albrigtsen
051dd82f57 WIP: Move krb5 realm to pvv.local, make sane ldap structure
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Details
2025-03-11 14:14:07 +01:00
Øystein Tveit
735d590f85 WIP: set up heimdal-openldap-sasl stack 2025-03-11 14:14:07 +01:00
Øystein Tveit
57a2bf8bf1 hosts/dagali: init 2025-03-11 14:14:02 +01:00
h7x4
a3c88b7869 bekkalokk/gitea: take a dump
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Details
2025-03-10 20:06:29 +01:00
h7x4
4aa994e7a3 bekkalokk/gitea: rename gitea customization service to have gitea prefix
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Details
2025-03-10 19:59:16 +01:00
h7x4
fc64139739 bekkalokk/gitea: bigger icons 2025-03-10 19:58:53 +01:00
h7x4
75b0c00212 bekkalokk/gitea: move customization to different file 2025-03-10 18:01:31 +01:00
Daniel Olsen
94d73b34ad bluemap: generate web folder if it doesnt exist before rendering
All checks were successful
Eval nix flake / evals (push) Successful in 2m59s
Details
2025-03-02 02:32:32 +01:00
Daniel Olsen
bf50d6478b bluemap: 5.4 -> 5.7
All checks were successful
Eval nix flake / evals (push) Successful in 3m18s
Details
2025-03-02 01:27:09 +01:00
h7x4
e9dc0d85a0 flake.lock: bump
All checks were successful
Eval nix flake / evals (push) Successful in 4m33s
Details
2025-03-01 21:31:56 +01:00
Daniel Olsen
a009b05977 bicep/matrix/coturn: coturn is actually fixed
All checks were successful
Eval nix flake / evals (push) Successful in 9m38s
Details
2025-02-16 02:01:29 +01:00
Øystein Tveit
8a8f5659fb gergle: big if true
All checks were successful
Eval nix flake / evals (push) Successful in 7m58s
Details
2025-01-25 19:59:43 +01:00
Felix Albrigtsen
13c921c47b bekkalokk: Update nettsiden (re-enable events)
All checks were successful
Eval nix flake / evals (push) Successful in 6m42s
Details
2025-01-17 23:11:19 +01:00
h7x4
819fcef4c2 flake.lock: bump greg-ng
All checks were successful
Eval nix flake / evals (push) Successful in 3m48s
Details
2025-01-11 15:02:00 +01:00
h7x4
102a6f9011 flake.lock: bump nix-gitea-themes
All checks were successful
Eval nix flake / evals (push) Successful in 29m22s
Details
2025-01-10 18:51:41 +01:00
h7x4
86e68f496e bekkalokk/gitea: add declarative label set 'projects' 2025-01-10 18:51:40 +01:00
h7x4
394ff94033 flake.nix: move grz projects from Projects to Grzegorz
All checks were successful
Eval nix flake / evals (push) Successful in 5m41s
Details
2025-01-06 16:34:22 +01:00
h7x4
6cb7f576a5 bekkalokk/gitea-scripts: add Grzegorz organization 2025-01-06 16:34:22 +01:00
Øystein Tveit
edb448f7a0 ustetind/gitea-runners: update docker image, update registration keys
All checks were successful
Eval nix flake / evals (push) Successful in 4m22s
Details
2024-12-22 23:17:41 +01:00
h7x4
4507ffe2ab base/auto-upgrade: switch ref back to main
All checks were successful
Eval nix flake / evals (push) Successful in 4m34s
Details
2024-12-22 23:04:08 +01:00
Felix Albrigtsen
882a8f2e88 bekkalokk: Update nettsiden
Some checks are pending
Eval nix flake / evals (push) Waiting to run
Details
2024-12-21 23:50:53 +01:00
Øystein Tveit
65da25da7e packages/mediawiki-extensions: update all
Some checks are pending
Eval nix flake / evals (push) Waiting to run
Details
2024-12-10 21:05:21 +01:00
h7x4
fd81d61a56 common/logrotate: remove custom hardening now that nixpkgs provides it 2024-12-10 21:05:21 +01:00
Daniel Olsen
2776273a27 flake update 2024-12-10 21:05:20 +01:00
Daniel Olsen
ebc5b269ef 24.11 2024-12-10 21:05:20 +01:00
h7x4
850d0b0ec5 bekkalokk/gitea-web: fix SSH access
All checks were successful
Eval nix flake / evals (push) Successful in 13m28s
Details
2024-12-10 21:05:06 +01:00
h7x4
02792fc20e bekkalokk/gitea: fix api pagination for web secret provider
All checks were successful
Eval nix flake / evals (push) Successful in 4m14s
Details
2024-12-10 19:35:10 +01:00
Øystein Tveit
40dd069a52 ustetind/gitea-runners: fix podman dns
All checks were successful
Eval nix flake / evals (push) Successful in 4m25s
Details
2024-12-09 23:25:54 +01:00
h7x4
04a838fc62 flake.nix: nixlib -> lib
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Details
2024-12-09 22:33:39 +01:00
Øystein Tveit
1f85208587 hosts/ustetind: set up gitea-runners 2024-12-09 22:24:54 +01:00
Øystein Tveit
c10c6d5a09 hosts/ustetind: init 2024-12-09 21:31:30 +01:00
h7x4
6301688c95 common/smartd: only run on non-virtualized hardware 
It's still part of the simulation tho
 2024-12-09 21:03:50 +01:00
h7x4
0ed0a3a504 flake.nix: make outputs.inputs buildable 2024-12-08 00:29:59 +01:00
h7x4
5242d99260 bekkalokk/gitea: add gpg signing key 2024-11-24 03:23:54 +01:00
Fredrik Robertsen
c60597dc5a Merge pull request 'Let smartd send mail notification' (!92) from add-mail-to-smartd into main 
Reviewed-on: #92
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>

Closes #92
 2024-11-24 01:09:58 +01:00
frero
69462bf486 let smartd send mail notification 2024-11-24 01:01:55 +01:00
Oystein Kristoffer Tveit
7d4ccf1972 Merge pull request 'Add user frero' (!91) from add-user-frero into main 
Reviewed-on: #91
 2024-11-23 22:40:43 +01:00
frero
c87a81eeee users: add frero 2024-11-23 22:39:53 +01:00
Daniel Olsen
3bdfb4c297 Add function to make paths from flake root 
No more ../../../../../../
 2024-11-17 00:08:02 +01:00
Felix Albrigtsen
8285d91401 Merge pull request 'Ildkule: Move monitoring state directories to data volume' (!88) from ildkule-data-volume into main 
Reviewed-on: #88
Reviewed-by: Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
 2024-11-10 02:30:11 +01:00
Alf Helge Jakobsen
b07cd5fbf6 systemd hardening for pvv-nettsiden-gallery-update.service (!90) 
#133

Reviewed-on: #90
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
Co-authored-by: Alf Helge Jakobsen <alfhj@stud.ntnu.no>
Co-committed-by: Alf Helge Jakobsen <alfhj@stud.ntnu.no>
 2024-11-09 22:22:09 +01:00
Felix Albrigtsen
2d52ebce52 Ildkule: hardware-config: use UUIDs 2024-11-09 21:42:44 +01:00
h7x4
464576e856 flake.lock: bump greg-ng 2024-11-09 19:43:07 +01:00
Oystein Kristoffer Tveit
df35715978 Merge pull request 'Add alfhj.nix' (!89) from newusersconfig into main 
Reviewed-on: #89
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
 2024-11-09 19:40:03 +01:00
Alf Helge Jakobsen
165ff56948 Add alfhj.nix 2024-11-09 19:35:19 +01:00
Felix Albrigtsen
11f6ef0572 Ildkule: Move monitoring state directories to data volume 2024-11-09 15:21:12 +01:00
h7x4
815f48c30d flake.lock: bump greg-ng 2024-10-22 19:50:29 +02:00
h7x4
4985bac3ba flake.lock: bump greg-ng 2024-10-20 23:18:35 +02:00
Oystein Kristoffer Tveit
9e41c3374d Merge pull request 'bekkalokk/nginx: host .well-known' (!79) from move-well-known-to-bekkalokk into main 
Reviewed-on: #79
Reviewed-by: Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
 2024-10-20 01:35:22 +02:00
h7x4
f39fee4213 bekkalokk/nginx: host .well-known 2024-10-20 01:34:41 +02:00
Oystein Kristoffer Tveit
4c77c9fc67 Merge pull request 'greg-ng 🎉' (!86) from greg-ng-working-branch into main 
Reviewed-on: #86
Reviewed-by: Felix Albrigtsen <felixalb@pvv.ntnu.no>
 2024-10-20 01:30:26 +02:00
h7x4
7938e8135f flake.lock: bump 2024-10-19 23:31:29 +02:00
h7x4
cbc3490882 modules/grzegorz: use greg-ng 2024-10-19 23:31:28 +02:00
Daniel Olsen
47ed79986c bicep/matrix: use sops templates for appservice registrations 2024-10-14 15:46:58 +02:00
Daniel Olsen
5aed665cc8 flake update 2024-10-14 00:24:29 +02:00
Daniel Olsen
2c86a2d812 bicep/matrix/hookshot: More configuration 2024-10-14 00:13:15 +02:00
Daniel Olsen
d4fd3f8332 bicep/matrix/hookshot: add nginx 2024-10-13 06:03:26 +02:00
Joakim Pettersvold
c1833eb07c bicep/matrix/hookshot: Configure matrix-hookshot 
Co-authored-by: Daniel Olsen <daniel.olsen99@gmail.com>
 2024-10-13 05:50:22 +02:00
Finn Landweber
5ee23ef2e2 bicep/matrix/hookshot: Backported from nixpkgs 
Co-authored-by: Joakim Pettersvold <joakimpokemeg@hotmail.no>
 2024-10-13 05:50:22 +02:00
Oystein Kristoffer Tveit
f5c16f46f1 Merge pull request 'disable-postgres-on-bekkalokk' (!85) from disable-postgres-on-bekkalokk into main 
Reviewed-on: #85
Reviewed-by: Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
 2024-10-13 02:34:45 +02:00
h7x4
aa71d497f1 bekkalokk/roundcube: add postgres password 2024-10-12 23:57:27 +02:00
Daniel Olsen
c56d157c3f add registration secret 2024-10-12 23:49:10 +02:00
fredrikr79
4fbd823be6 bekkalokk/roundcube: add database.host 2024-10-12 22:53:42 +02:00
Daniel Olsen
6c9e651e59 bekkalokk/gitea: Add important emoji reactions 2024-10-12 22:42:59 +02:00
Adrian G L
f56e73548c base: openssh fix 2024-10-12 22:32:18 +02:00
Adrian Gunnar Lauterer
c62ea129ed Merge pull request 'base openssh added sleipner ssh keys' (!83) from sleipner-authorised-keys into main 
Reviewed-on: #83
 2024-10-12 21:48:08 +02:00
Adrian G L
4b41ddcf5d base: openssh added sleipner ssh keys 2024-10-12 21:47:31 +02:00
Daniel Olsen
abec66b287 users/danio: add to wheel 2024-10-08 14:08:17 +02:00
Felix Albrigtsen
aa884353c7 Merge pull request 'Add ipv6 gateway' (!82) from ipv6-fix into main 
Reviewed-on: #82
Reviewed-by: Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
 2024-09-28 21:44:55 +02:00
Felix Albrigtsen
2147b56864 Add ipv6 gateway 2024-09-28 21:35:57 +02:00
Daniel Olsen
a7fe2aabc5 bicep/matrix/coturn: disable ipv6 to fix the service running at all 
coturn is just fundamentally broken, look at trying eturnal instead
 2024-09-27 07:30:48 +02:00
Daniel Olsen
cd23e35aac bicep/matrix: update module and remove deprecated options 2024-09-27 06:38:12 +02:00
Peder Bergebakken Sundt
06668cda79 Merge pull request 'flake.lock: Update' (!81) from sounding into main 
Reviewed-on: #81
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
 2024-09-21 22:19:36 +02:00
Peder Bergebakken Sundt
2861f939b7 Merge pull request 'auto-upgrade: store flake input refs' (!80) from retain-flake-inputs into main 
Reviewed-on: #80
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
 2024-09-21 22:19:18 +02:00
Peder Bergebakken Sundt
166b80988a flake.lock: Update 
Flake lock file updates:

• Updated input 'grzegorz':
    'github:Programvareverkstedet/grzegorz/0481aef6553ae9aee86e4edb4ca0ed4f2eba2058' (2024-05-18)
  → 'git+https://git.pvv.ntnu.no/Projects/grzegorz.git?ref=refs/heads/master&rev=d10db19d7df5c5c2cd2dcb878376d5d681f6c2f2' (2024-09-20)
• Updated input 'grzegorz/fix-python':
    'github:GuillaumeDesforges/fix-python/f7f4b33e22414071fc1f9cbf68072c413c3a7fdf' (2024-04-23)
  → 'github:GuillaumeDesforges/fix-python/2926402234c3f99aa8e4608c51d9ffa73ea403c0' (2024-09-04)
• Updated input 'grzegorz-clients':
    'github:Programvareverkstedet/grzegorz-clients/b9444658fbb39cd1bf1c61ee5a1d5f0641c49abe' (2024-05-19)
  → 'git+https://git.pvv.ntnu.no/Projects/grzegorz-clients.git?ref=refs/heads/master&rev=546d921ec46735dbf876e36f4af8df1064d09432' (2024-09-20)
 2024-09-20 22:49:19 +02:00
Peder Bergebakken Sundt
4913b22ab9 auto-upgrade: store flake input refs 2024-09-16 02:51:20 +02:00
Peder Bergebakken Sundt
4e81647fb6 auto-upgrade: --update-input -> --override-input 2024-09-15 19:14:03 +02:00
Felix Albrigtsen
5a76b62700 Merge pull request 'add gitea metrics' (!78) from gitea-metric into main 
Reviewed-on: #78
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
 2024-09-14 20:33:28 +02:00
Felix Albrigtsen
0f77a42e34 Grafana: Add Gitea Dashbaord [sic] 2024-09-14 20:28:35 +02:00
Felix Albrigtsen
c64d28fc26 Prometheus: Monitor gitea metrics 2024-09-14 20:21:12 +02:00
Tony Yen
179d0743ce gitea: export metric issue #101 2024-09-14 19:26:25 +02:00
Daniel Olsen
47fa3759c3 buskerud: remove 
This is now a proxmox machine :grr:
 2024-09-05 18:00:42 +02:00
Daniel Olsen
3a37fefd4d fixup! Merge pull request 'Fix Ildkule/Openstack networking' (!75) from fix-openstack-networking into main 2024-09-05 14:24:40 +02:00
Daniel Olsen
47d7b88a05 ildkule/prometheus: consolidate scrape jobs and label with hostname for base info 2024-09-05 14:14:28 +02:00
Daniel Lovbrotte Olsen
78456063ba Merge pull request 'Fix Ildkule/Openstack networking' (!75) from fix-openstack-networking into main 
Reviewed-on: #75
 2024-09-05 01:58:50 +02:00
Felix Albrigtsen
ca287b95c9 Ildkule/openstack: fix networking 
Removes systemd-networkd, and configures proper ipv4 and ipv6 in
openstack.
 2024-09-05 00:24:22 +02:00
Daniel Olsen
7e95b77e15 grzegorz: follow stable nix channel 
It broke because sanic
 2024-09-03 13:28:13 +02:00
Daniel Olsen
669733309b ildkule: get systemd stats from more machines 2024-09-03 13:10:36 +02:00
Daniel Olsen
4ed12573ff ildkule: fix system activation by disabling smartd 2024-09-03 13:07:58 +02:00
Daniel Olsen
8418cc016c fix biceps systemd units failing on activation 2024-09-03 13:00:12 +02:00
Daniel Olsen
b4c602e31c metrics: install systemd exporter 2024-09-02 23:12:24 +02:00
Daniel Olsen
3a0b8e270d bekkalokk/idp: Disallow bots 2024-09-02 23:11:44 +02:00
Daniel Olsen
9505223dc9 justfile: fix flake input updating 2024-09-02 19:33:15 +02:00
Daniel Olsen
201784fa21 bluemap on bekkalokk 💀 2024-09-02 15:11:32 +02:00
Daniel Olsen
ccefcb01fa flake.lock update 2024-09-02 14:12:39 +02:00
Daniel Olsen
f7e2c74f89 base: enable rebuilding nixos-config without updating the channels used 2024-09-01 22:10:58 +02:00
Felix Albrigtsen
161265d346 Bekkalokk/Nettsiden: deploy #78 2024-09-01 20:13:56 +02:00
80 changed files with 3692 additions and 553 deletions
Expand all files Collapse all files

13
.sops.yaml
View File

@@ -13,6 +13,7 @@ keys:
- &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0 - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2 - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
creation_rules: creation_rules:
# Global secrets # Global secrets
@@ -78,3 +79,15 @@ creation_rules:
- *user_pederbs_bjarte - *user_pederbs_bjarte
pgp: pgp:
- *user_oysteikt - *user_oysteikt
- path_regex: secrets/ustetind/[^/]+\.yaml$
key_groups:
- age:
- *host_ustetind
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt

6
README.MD
View File

@@ -26,10 +26,14 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den. Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre: Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade` `nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
som root på maskinen. som root på maskinen.
Hvis du ikke har lyst til å oppdatere alle pakkene (og kanskje måtte vente en stund!) kan du kjøre
`nixos-rebuild switch --override-input nixpkgs nixpkgs --override-input nixpkgs-unstable nixpkgs-unstable --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
## Seksjonen for hemmeligheter ## Seksjonen for hemmeligheter
For at hemmeligheter ikke skal deles med hele verden i git - eller å være world For at hemmeligheter ikke skal deles med hele verden i git - eller å være world

6
base/default.nix
View File

@@ -1,9 +1,9 @@
{ pkgs, lib, ... }: { pkgs, lib, fp, ... }:
{ {
imports = [ imports = [
../users (fp /users)
../modules/snakeoil-certs.nix (fp /modules/snakeoil-certs.nix)
./networking.nix ./networking.nix
./nix.nix ./nix.nix

3
base/networking.nix
View File

@@ -1,5 +1,6 @@
{ lib, values, ... }: { lib, values, ... }:
{ {
systemd.network.enable = true;
networking.domain = "pvv.ntnu.no"; networking.domain = "pvv.ntnu.no";
networking.useDHCP = false; networking.useDHCP = false;
# networking.search = [ "pvv.ntnu.no" "pvv.org" ]; # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
@@ -7,7 +8,7 @@
# networking.tempAddresses = lib.mkDefault "disabled"; # networking.tempAddresses = lib.mkDefault "disabled";
# networking.defaultGateway = values.hosts.gateway; # networking.defaultGateway = values.hosts.gateway;
systemd.network.enable = true; # The rest of the networking configuration is usually sourced from /values.nix
services.resolved = { services.resolved = {
enable = lib.mkDefault true; enable = lib.mkDefault true;

6
base/nix.nix
View File

@@ -23,8 +23,12 @@
*/ */
registry = { registry = {
"nixpkgs".flake = inputs.nixpkgs; "nixpkgs".flake = inputs.nixpkgs;
"nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
"pvv-nix".flake = inputs.self; "pvv-nix".flake = inputs.self;
}; };
nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"unstable=${inputs.nixpkgs-unstable}"
];
}; };
} }

20
base/services/auto-upgrade.nix
View File

@@ -1,12 +1,26 @@
{ ... }: { inputs, pkgs, lib, ... }:
{ {
system.autoUpgrade = { system.autoUpgrade = {
enable = true; enable = true;
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git"; flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
flags = [ flags = [
"--update-input" "nixpkgs" # --update-input is deprecated since nix 2.22, and removed in lix 2.90
"--update-input" "nixpkgs-unstable" # https://git.lix.systems/lix-project/lix/issues/400
"--refresh"
"--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.11-small"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
"--no-write-lock-file" "--no-write-lock-file"
]; ];
}; };
# workaround for https://github.com/NixOS/nix/issues/6895
# via https://git.lix.systems/lix-project/lix/issues/400
environment.etc."current-system-flake-inputs.json".source
= pkgs.writers.writeJSON "flake-inputs.json" (
lib.flip lib.mapAttrs inputs (name: input:
# inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
// { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
)
);
} }

36
base/services/logrotate.nix
View File

@@ -1,42 +1,8 @@
{ ... }: { ... }:
{ {
# source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
systemd.services.logrotate = { systemd.services.logrotate = {
documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ]; documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
unitConfig.RequiresMountsFor = "/var/log"; unitConfig.RequiresMountsFor = "/var/log";
serviceConfig = { serviceConfig.ReadWritePaths = [ "/var/log" ];
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
ReadWritePaths = [ "/var/log" ];
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true; # disable for third party rotate scripts
PrivateDevices = true;
PrivateNetwork = true; # disable for mail delivery
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true; # disable for userdir logs
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true; # disable for creating setgid directories
SocketBindDeny = [ "any" ];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
};
}; };
} }

4
base/services/nginx.nix
View File

@@ -33,6 +33,10 @@
systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable { systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
LimitNOFILE = 65536; LimitNOFILE = 65536;
# We use jit my dudes
MemoryDenyWriteExecute = lib.mkForce false;
# What the fuck do we use that where the defaults are not enough???
SystemCallFilter = lib.mkForce null;
}; };
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable { services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {

7
base/services/openssh.nix
View File

@@ -10,5 +10,12 @@
Match All Match All
''; '';
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
}; };
users.users."root".openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqVt4LCe0YIttr9swFxjkjn37ZDY9JxwVC+2gvfSINDJorOCtqPjDOTD2fTS1Gz08QCwpnLWq2kyvRchu6WgriAbSACpbZZBgxRaF/FVh3oiMVFGnNKGnv6/fdo/vZtu8mUVuqtmTrgLYpZdbR4oD3XiBlDKs7Cv5hPqt95lnP6MNFvE8mICCfd1PwhsABd2IQ5laz3u77/RXhNFJL0Kf2/+6gk9awcLuwHrPdvq7c3BxRHbc9UMRQENyjyQPa7aLe+uJBFLKP51I8VBuDpDacuibQx7nMt6N2UJ2KWI0JxRMHuJNq4S5jidR82aOw9gzGbTv30SKNLMqsZ0xj4LtdqCXDiZF6Lr09PsJYsvnBUFWa14HGcThKDtgwQwBryNViYmfv//0h9+RLZiU0ab+NEwSs7Zh5iAD+vhx64QqNX3tR7Le4SWXh8W0eShU9N78qYdSkiC3Ui7htxeqOocXM/P4AwbnHsLELIvkHdvgchCPvl8ygZa4WJTEWv16+ICskJcAKWGuqjvXAFuwjJJmPp9xLW9O0DFfQhMELiGamQR9wK07yYQVr34iah6qZO7cwhSKyEPFrVPIaNtfDhsjED639F7vmktf26SWNJHWfW0wOHILjI6TgqUvy0JDd8W8w0CHlAfz6Fs2l99NNgNF8dB3vBASbxS0hu/y0PVu/xQ== openstack-sleipner"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
];
} }

14
base/services/smartd.nix
View File

@@ -1,8 +1,20 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
services.smartd.enable = lib.mkDefault true; services.smartd = {
enable = lib.mkDefault true;
notifications = {
mail = {
enable = true;
sender = "root@pvv.ntnu.no";
recipient = "root@pvv.ntnu.no";
};
wall.enable = false;
};
};
environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [ environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
smartmontools smartmontools
]); ]);
systemd.services.smartd.unitConfig.ConditionVirtualization = "no";
} }

211
flake.lock generated
View File

@@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1715445235, "lastModified": 1740485968,
"narHash": "sha256-SUu+oIWn+xqQIOlwfwNfS9Sek4i1HKsrLJchsDReXwA=", "narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "159d87ea5b95bbdea46f0288a33c5e1570272725", "rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -20,64 +20,45 @@
"type": "github" "type": "github"
} }
}, },
"fix-python": { "gergle": {
"inputs": { "inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [ "nixpkgs": [
"grzegorz",
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1713887124, "lastModified": 1736621371,
"narHash": "sha256-hGTSm0p9xXUYDgsAAr/ORZICo6T6u33vLfX3tILikaQ=", "narHash": "sha256-45UIQSQA7R5iU4YWvilo7mQbhY1Liql9bHBvYa3qRI0=",
"owner": "GuillaumeDesforges", "ref": "refs/heads/main",
"repo": "fix-python", "rev": "3729796c1213fe76e568ac28f1df8de4e596950b",
"rev": "f7f4b33e22414071fc1f9cbf68072c413c3a7fdf", "revCount": 20,
"type": "github" "type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
}, },
"original": { "original": {
"owner": "GuillaumeDesforges", "type": "git",
"repo": "fix-python", "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
"type": "github"
} }
}, },
"flake-utils": { "greg-ng": {
"inputs": { "inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1689068808,
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"grzegorz": {
"inputs": {
"fix-python": "fix-python",
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs"
] ],
"rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1715364232, "lastModified": 1736545379,
"narHash": "sha256-ZJC3SkanEgbV7p+LFhP+85CviRWOXJNHzZwR/Stb7hE=", "narHash": "sha256-PeTTmGumdOX3rd6OKI7QMCrZovCDkrckZbcHr+znxWA=",
"owner": "Programvareverkstedet", "ref": "refs/heads/main",
"repo": "grzegorz", "rev": "74f5316121776db2769385927ec0d0c2cc2b23e4",
"rev": "3841cda1cdcac470440b06838d56a2eb2256378c", "revCount": 42,
"type": "github" "type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
}, },
"original": { "original": {
"owner": "Programvareverkstedet", "type": "git",
"repo": "grzegorz", "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
"type": "github"
} }
}, },
"grzegorz-clients": { "grzegorz-clients": {
@@ -87,17 +68,17 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1715384651, "lastModified": 1736178795,
"narHash": "sha256-7RhckgUTjqeCjWkhiCc1iB+5CBx9fl80d/3O4Jh+5kM=", "narHash": "sha256-mPdi8cgvIDYcgG3FRG7A4BOIMu2Jef96TPMnV00uXlM=",
"owner": "Programvareverkstedet", "ref": "refs/heads/master",
"repo": "grzegorz-clients", "rev": "fde738910de1fd8293535a6382c2f0c2749dd7c1",
"rev": "738a4f3dd887f7c3612e4e772b83cbfa3cde5693", "revCount": 79,
"type": "github" "type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
}, },
"original": { "original": {
"owner": "Programvareverkstedet", "type": "git",
"repo": "grzegorz-clients", "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
"type": "github"
} }
}, },
"matrix-next": { "matrix-next": {
@@ -107,20 +88,35 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717234745, "lastModified": 1727410897,
"narHash": "sha256-MFyKRdw4WQD6V3vRGbP6MYbtJhZp712zwzjW6YiOBYM=", "narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=",
"owner": "dali99", "owner": "dali99",
"repo": "nixos-matrix-modules", "repo": "nixos-matrix-modules",
"rev": "d7dc42c9bbb155c5e4aa2f0985d0df75ce978456", "rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "dali99", "owner": "dali99",
"ref": "v0.6.0", "ref": "v0.6.1",
"repo": "nixos-matrix-modules", "repo": "nixos-matrix-modules",
"type": "github" "type": "github"
} }
}, },
"minecraft-data": {
"locked": {
"lastModified": 1725277886,
"narHash": "sha256-Fw4VbbE3EfypQWSgPDFfvVH47BHeg3ptsO715NlUM8Q=",
"ref": "refs/heads/master",
"rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
"revCount": 2,
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
}
},
"nix-gitea-themes": { "nix-gitea-themes": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -128,11 +124,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1714416973, "lastModified": 1736531400,
"narHash": "sha256-aZUcvXjdETUC6wVQpWDVjLUzwpDAEca8yR0ITDeK39o=", "narHash": "sha256-+X/HVI1AwoPcud28wI35XRrc1kDgkYdDUGABJBAkxDI=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "2b23c0ba8aae68d3cb6789f0f6e4891cef26cc6d", "rev": "e4dafd06b3d7e9e6e07617766e9c3743134571b7",
"revCount": 6, "revCount": 7,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git" "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
}, },
@@ -143,48 +139,34 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1719520878, "lastModified": 1740782485,
"narHash": "sha256-5BXzNOl2RVHcfS/oxaZDKOi7gVuTyWPibQG0DHd5sSc=", "narHash": "sha256-GkDJDqHYlPKZFdyxzZHtljxNRsosKB1GCrblqlvLFgo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a44bedbb48c367f0476e6a3a27bf28f6330faf23", "rev": "dd5c2540983641bbaabdfc665931592d4c9989e8",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-24.05-small",
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1714858427,
"narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "release-23.11", "ref": "nixos-24.11-small",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1715435713, "lastModified": 1740848276,
"narHash": "sha256-lb2HqDQGfTdnCCpc1pgF6fkdgIOuBQ0nP8jjVSfLFqg=", "narHash": "sha256-bYeI3FEs824X+MJYksKboNlmglehzplqzn+XvcojWMc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "52b40f6c4be12742b1504ca2eb4527e597bf2526", "rev": "e9b0ff70ddc61c42548501b0fafb86bb49cca858",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "owner": "NixOS",
"ref": "nixos-unstable-small", "ref": "nixos-unstable-small",
"type": "indirect" "repo": "nixpkgs",
"type": "github"
} }
}, },
"pvv-calendar-bot": { "pvv-calendar-bot": {
@@ -214,11 +196,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1722722932, "lastModified": 1737151758,
"narHash": "sha256-K81a2GQpY2kRX+C9ek9r91THlZB674CqRTSMMb5IO7E=", "narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "6580cfe546c902cdf11e17b0b8aa30b3c412bb34", "rev": "a4ebe6ded0c8c124561a41cb329ff30891914b5e",
"revCount": 465, "revCount": 475,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git" "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
}, },
@@ -230,9 +212,11 @@
"root": { "root": {
"inputs": { "inputs": {
"disko": "disko", "disko": "disko",
"grzegorz": "grzegorz", "gergle": "gergle",
"greg-ng": "greg-ng",
"grzegorz-clients": "grzegorz-clients", "grzegorz-clients": "grzegorz-clients",
"matrix-next": "matrix-next", "matrix-next": "matrix-next",
"minecraft-data": "minecraft-data",
"nix-gitea-themes": "nix-gitea-themes", "nix-gitea-themes": "nix-gitea-themes",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
@@ -241,19 +225,39 @@
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
}, },
"rust-overlay": {
"inputs": {
"nixpkgs": [
"greg-ng",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729391507,
"narHash": "sha256-as0I9xieJUHf7kiK2a9znDsVZQTFWhM1pLivII43Gi0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "784981a9feeba406de38c1c9a3decf966d853cca",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ]
"nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1715244550, "lastModified": 1739262228,
"narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=", "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f", "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -261,21 +265,6 @@
"repo": "sops-nix", "repo": "sops-nix",
"type": "github" "type": "github"
} }
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

63
flake.nix
View File

@@ -2,8 +2,8 @@
description = "PVV System flake"; description = "PVV System flake";
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-24.05-small"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small"; # remember to also update the url in base/services/auto-upgrade.nix
nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -17,27 +17,31 @@
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git"; pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs"; pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.0"; matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.1";
matrix-next.inputs.nixpkgs.follows = "nixpkgs"; matrix-next.inputs.nixpkgs.follows = "nixpkgs";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"; nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs"; nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
grzegorz.url = "github:Programvareverkstedet/grzegorz"; greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git";
grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable"; greg-ng.inputs.nixpkgs.follows = "nixpkgs";
grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients"; gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git";
gergle.inputs.nixpkgs.follows = "nixpkgs";
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs"; grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
minecraft-data.url = "git+https://git.pvv.ntnu.no/Drift/minecraft-data.git";
}; };
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs: outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
let let
nixlib = nixpkgs.lib; inherit (nixpkgs) lib;
systems = [ systems = [
"x86_64-linux" "x86_64-linux"
"aarch64-linux" "aarch64-linux"
"aarch64-darwin" "aarch64-darwin"
]; ];
forAllSystems = f: nixlib.genAttrs systems f; forAllSystems = f: lib.genAttrs systems f;
allMachines = builtins.attrNames self.nixosConfigurations; allMachines = builtins.attrNames self.nixosConfigurations;
importantMachines = [ importantMachines = [
"bekkalokk" "bekkalokk"
@@ -47,16 +51,17 @@
"ildkule" "ildkule"
]; ];
in { in {
inherit inputs; inputs = lib.mapAttrs (_: src: src.outPath) inputs;
nixosConfigurations = let nixosConfigurations = let
unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux; unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate nixosConfig = nixpkgs: name: config: lib.nixosSystem (lib.recursiveUpdate
rec { rec {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { specialArgs = {
inherit nixpkgs-unstable inputs; inherit unstablePkgs inputs;
values = import ./values.nix; values = import ./values.nix;
fp = path: ./${path};
}; };
modules = [ modules = [
@@ -92,6 +97,7 @@
heimdal = unstablePkgs.heimdal; heimdal = unstablePkgs.heimdal;
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { }; mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
simplesamlphp = final.callPackage ./packages/simplesamlphp { }; simplesamlphp = final.callPackage ./packages/simplesamlphp { };
bluemap = final.callPackage ./packages/bluemap.nix { };
}) })
inputs.nix-gitea-themes.overlays.default inputs.nix-gitea-themes.overlays.default
inputs.pvv-nettsiden.overlays.default inputs.pvv-nettsiden.overlays.default
@@ -111,19 +117,36 @@
#ildkule-unstable = unstableNixosConfig "ildkule" { }; #ildkule-unstable = unstableNixosConfig "ildkule" { };
shark = stableNixosConfig "shark" { }; shark = stableNixosConfig "shark" { };
ustetind = stableNixosConfig "ustetind" {
modules = [
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
];
};
brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" { brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
modules = [ modules = [
inputs.grzegorz.nixosModules.grzegorz-kiosk
inputs.grzegorz-clients.nixosModules.grzegorz-webui inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.gergle.nixosModules.default
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
inputs.gergle.overlays.default
]; ];
}; };
georg = stableNixosConfig "georg" { georg = stableNixosConfig "georg" {
modules = [ modules = [
inputs.grzegorz.nixosModules.grzegorz-kiosk
inputs.grzegorz-clients.nixosModules.grzegorz-webui inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.gergle.nixosModules.default
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
inputs.gergle.overlays.default
]; ];
}; };
buskerud = stableNixosConfig "buskerud" { };
dagali = unstableNixosConfig "dagali" { };
}; };
nixosModules = { nixosModules = {
@@ -141,19 +164,19 @@
in rec { in rec {
default = important-machines; default = important-machines;
important-machines = pkgs.linkFarm "important-machines" important-machines = pkgs.linkFarm "important-machines"
(nixlib.getAttrs importantMachines self.packages.x86_64-linux); (lib.getAttrs importantMachines self.packages.x86_64-linux);
all-machines = pkgs.linkFarm "all-machines" all-machines = pkgs.linkFarm "all-machines"
(nixlib.getAttrs allMachines self.packages.x86_64-linux); (lib.getAttrs allMachines self.packages.x86_64-linux);
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { }; simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
} // } //
(nixlib.pipe null [ (lib.pipe null [
(_: pkgs.callPackage ./packages/mediawiki-extensions { }) (_: pkgs.callPackage ./packages/mediawiki-extensions { })
(nixlib.flip builtins.removeAttrs ["override" "overrideDerivation"]) (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
(nixlib.mapAttrs' (name: nixlib.nameValuePair "mediawiki-${name}")) (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
]) ])
// nixlib.genAttrs allMachines // lib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel); (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
}; };
}; };

10
hosts/bekkalokk/configuration.nix
View File

@@ -1,11 +1,12 @@
{ pkgs, values, ... }: { fp, pkgs, values, ... }:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../base (fp /base)
../../misc/metrics-exporters.nix (fp /misc/metrics-exporters.nix)
./services/bluemap/default.nix
./services/gitea/default.nix ./services/gitea/default.nix
./services/idp-simplesamlphp ./services/idp-simplesamlphp
./services/kerberos ./services/kerberos
@@ -15,9 +16,10 @@
./services/vaultwarden.nix ./services/vaultwarden.nix
./services/webmail ./services/webmail
./services/website ./services/website
./services/well-known
]; ];
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml; sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true; sops.age.generateKey = true;

85
hosts/bekkalokk/services/bluemap/default.nix Normal file
View File

@@ -0,0 +1,85 @@
{ config, lib, pkgs, inputs, ... }:
let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
in {
imports = [
./module.nix # From danio, pending upstreaming
];
disabledModules = [ "services/web-apps/bluemap.nix" ];
sops.secrets."bluemap/ssh-key" = { };
sops.secrets."bluemap/ssh-known-hosts" = { };
services.bluemap = {
enable = true;
package = pkgs.callPackage ./package.nix { };
eula = true;
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
host = "minecraft.pvv.ntnu.no";
maps = {
"verden" = {
settings = {
world = vanillaSurvival;
sorting = 0;
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.verden;
};
};
"underverden" = {
settings = {
world = "${vanillaSurvival}/DIM-1";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.underverden;
};
};
"enden" = {
settings = {
world = "${vanillaSurvival}/DIM1";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
};
};
services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
};
# TODO: render somewhere else lmao
systemd.services."render-bluemap-maps" = {
preStart = ''
mkdir -p /var/lib/bluemap/world
${pkgs.rsync}/bin/rsync \
-e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" \
-avz --no-owner --no-group \
root@innovation.pvv.ntnu.no:/ \
${vanillaSurvival}
'';
serviceConfig = {
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
];
};
};
}

351
hosts/bekkalokk/services/bluemap/module.nix Normal file
View File

@@ -0,0 +1,351 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.bluemap;
format = pkgs.formats.hocon { };
coreConfig = format.generate "core.conf" cfg.coreSettings;
webappConfig = format.generate "webapp.conf" cfg.webappSettings;
webserverConfig = format.generate "webserver.conf" cfg.webserverSettings;
storageFolder = pkgs.linkFarm "storage"
(lib.attrsets.mapAttrs' (name: value:
lib.nameValuePair "${name}.conf"
(format.generate "${name}.conf" value))
cfg.storage);
mapsFolder = pkgs.linkFarm "maps"
(lib.attrsets.mapAttrs' (name: value:
lib.nameValuePair "${name}.conf"
(format.generate "${name}.conf" value.settings))
cfg.maps);
webappConfigFolder = pkgs.linkFarm "bluemap-config" {
"maps" = mapsFolder;
"storages" = storageFolder;
"core.conf" = coreConfig;
"webapp.conf" = webappConfig;
"webserver.conf" = webserverConfig;
"packs" = cfg.resourcepacks;
};
renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
"maps" = pkgs.linkFarm "maps" {
"${name}.conf" = (format.generate "${name}.conf" value.settings);
};
"storages" = storageFolder;
"core.conf" = coreConfig;
"webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
"webserver.conf" = webserverConfig;
"packs" = value.resourcepacks;
};
inherit (lib) mkOption;
in {
options.services.bluemap = {
enable = lib.mkEnableOption "bluemap";
package = lib.mkPackageOption pkgs "bluemap" { };
eula = mkOption {
type = lib.types.bool;
description = ''
By changing this option to true you confirm that you own a copy of minecraft Java Edition,
and that you agree to minecrafts EULA.
'';
default = false;
};
defaultWorld = mkOption {
type = lib.types.path;
description = ''
The world used by the default map ruleset.
If you configure your own maps you do not need to set this.
'';
example = lib.literalExpression "\${config.services.minecraft.dataDir}/world";
};
enableRender = mkOption {
type = lib.types.bool;
description = "Enable rendering";
default = true;
};
webRoot = mkOption {
type = lib.types.path;
default = "/var/lib/bluemap/web";
description = "The directory for saving and serving the webapp and the maps";
};
enableNginx = mkOption {
type = lib.types.bool;
default = true;
description = "Enable configuring a virtualHost for serving the bluemap webapp";
};
host = mkOption {
type = lib.types.str;
default = "bluemap.${config.networking.domain}";
defaultText = lib.literalExpression "bluemap.\${config.networking.domain}";
description = "Domain to configure nginx for";
};
onCalendar = mkOption {
type = lib.types.str;
description = ''
How often to trigger rendering the map,
in the format of a systemd timer onCalendar configuration.
See {manpage}`systemd.timer(5)`.
'';
default = "*-*-* 03:10:00";
};
coreSettings = mkOption {
type = lib.types.submodule {
freeformType = format.type;
options = {
data = mkOption {
type = lib.types.path;
description = "Folder for where bluemap stores its data";
default = "/var/lib/bluemap";
};
metrics = lib.mkEnableOption "Sending usage metrics containing the version of bluemap in use";
};
};
description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
};
webappSettings = mkOption {
type = lib.types.submodule {
freeformType = format.type;
};
default = {
enabled = true;
webroot = cfg.webRoot;
};
defaultText = lib.literalExpression ''
{
enabled = true;
webroot = config.services.bluemap.webRoot;
}
'';
description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
};
webserverSettings = mkOption {
type = lib.types.submodule {
freeformType = format.type;
options = {
enabled = mkOption {
type = lib.types.bool;
description = ''
Enable bluemap's built-in webserver.
Disabled by default in nixos for use of nginx directly.
'';
default = false;
};
};
};
default = { };
description = ''
Settings for the webserver.conf file, usually not required.
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
'';
};
maps = mkOption {
type = lib.types.attrsOf (lib.types.submodule {
options = {
resourcepacks = mkOption {
type = lib.types.path;
default = cfg.resourcepacks;
defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
description = "A set of resourcepacks/mods/bluemap-addons to extract models from loaded in alphabetical order";
};
settings = mkOption {
type = (lib.types.submodule {
freeformType = format.type;
options = {
world = mkOption {
type = lib.types.path;
description = "Path to world folder containing the dimension to render";
};
};
});
description = ''
Settings for files in `maps/`.
See the default for an example with good options for the different world types.
For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
'';
};
};
});
default = {
"overworld".settings = {
world = "${cfg.defaultWorld}";
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
"nether".settings = {
world = "${cfg.defaultWorld}/DIM-1";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
};
"end".settings = {
world = "${cfg.defaultWorld}/DIM1";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
defaultText = lib.literalExpression ''
{
"overworld".settings = {
world = "''${cfg.defaultWorld}";
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
"nether".settings = {
world = "''${cfg.defaultWorld}/DIM-1";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
};
"end".settings = {
world = "''${cfg.defaultWorld}/DIM1";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
'';
description = ''
map-specific configuration.
These correspond to views in the webapp and are usually
different dimension of a world or different render settings of the same dimension.
If you set anything in this option you must configure all dimensions yourself!
'';
};
storage = mkOption {
type = lib.types.attrsOf (lib.types.submodule {
freeformType = format.type;
options = {
storage-type = mkOption {
type = lib.types.enum [ "FILE" "SQL" ];
description = "Type of storage config";
default = "FILE";
};
};
});
description = ''
Where the rendered map will be stored.
Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/storages)
'';
default = {
"file" = {
root = "${cfg.webRoot}/maps";
};
};
defaultText = lib.literalExpression ''
{
"file" = {
root = "''${config.services.bluemap.webRoot}/maps";
};
}
'';
};
resourcepacks = mkOption {
type = lib.types.path;
default = pkgs.linkFarm "resourcepacks" { };
description = ''
A set of resourcepacks/mods to extract models from loaded in alphabetical order.
Can be overriden on a per-map basis with `services.bluemap.maps.<name>.resourcepacks`.
'';
};
};
config = lib.mkIf cfg.enable {
assertions =
[ { assertion = config.services.bluemap.eula;
message = ''
You have enabled bluemap but have not accepted minecraft's EULA.
You can achieve this through setting `services.bluemap.eula = true`
'';
}
];
services.bluemap.coreSettings.accept-download = cfg.eula;
systemd.services."render-bluemap-maps" = lib.mkIf cfg.enableRender {
serviceConfig = {
Type = "oneshot";
Group = "nginx";
UMask = "026";
};
script = ''
# If web folder doesnt exist generate it
test -f "${cfg.webRoot}" || ${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
# Render each minecraft map
${lib.strings.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
(name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r")
cfg.maps)}
# Generate updated webapp
${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
'';
};
systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = cfg.onCalendar;
Persistent = true;
Unit = "render-bluemap-maps.service";
};
};
services.nginx.virtualHosts = lib.mkIf cfg.enableNginx {
"${cfg.host}" = {
root = config.services.bluemap.webRoot;
locations = {
"~* ^/maps/[^/]*/tiles/".extraConfig = ''
error_page 404 = @empty;
'';
"@empty".return = "204";
};
};
};
};
meta = {
maintainers = with lib.maintainers; [ dandellion h7x4 ];
};
}

30
hosts/bekkalokk/services/bluemap/package.nix Normal file
View File

@@ -0,0 +1,30 @@
{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
stdenvNoCC.mkDerivation rec {
pname = "bluemap";
version = "5.7";
src = fetchurl {
url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
hash = "sha256-8udZYJgrr4bi2mjRYrASd8JwUoUVZW1tZpOLRgafAIw=";
};
dontUnpack = true;
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
runHook preInstall
makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
runHook postInstall
'';
meta = {
description = "3D minecraft map renderer";
homepage = "https://bluemap.bluecolored.de/";
sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ dandellion h7x4 ];
mainProgram = "bluemap";
};
}

52
hosts/bekkalokk/services/gitea/customization.nix Normal file
View File

@@ -0,0 +1,52 @@
{ config, pkgs, lib, fp, ... }:
let
cfg = config.services.gitea;
in
{
services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
systemd.services.gitea-customization = lib.mkIf cfg.enable {
description = "Install extra customization in gitea's CUSTOM_DIR";
wantedBy = [ "gitea.service" ];
requiredBy = [ "gitea.service" ];
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
};
script = let
logo-svg = fp /assets/logo_blue_regular.svg;
logo-png = fp /assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
labels = lib.importJSON ./labels/projects.json;
};
customTemplates = pkgs.runCommandLocal "gitea-templates" {
nativeBuildInputs = with pkgs; [
coreutils
gnused
];
} ''
# Bigger icons
install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
sed -i -e 's/24/48/g' "$out/repo/icon.tmpl"
'';
in ''
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
'';
};
}

89
hosts/bekkalokk/services/gitea/default.nix
View File

@@ -1,11 +1,12 @@
{ config, values, pkgs, lib, ... }: { config, values, lib, ... }:
let let
cfg = config.services.gitea; cfg = config.services.gitea;
domain = "git.pvv.ntnu.no"; domain = "git.pvv.ntnu.no";
sshPort = 2222; sshPort = 2222;
in { in {
imports = [ imports = [
./ci.nix ./customization.nix
./gpg.nix
./import-users ./import-users
./web-secret-provider ./web-secret-provider
]; ];
@@ -55,6 +56,11 @@ in {
USER = "gitea@pvv.ntnu.no"; USER = "gitea@pvv.ntnu.no";
SUBJECT_PREFIX = "[pvv-git]"; SUBJECT_PREFIX = "[pvv-git]";
}; };
metrics = {
ENABLED = true;
ENABLED_ISSUE_BY_LABEL = true;
ENABLED_ISSUE_BY_REPOSITORY = true;
};
indexer.REPO_INDEXER_ENABLED = true; indexer.REPO_INDEXER_ENABLED = true;
service = { service = {
DISABLE_REGISTRATION = true; DISABLE_REGISTRATION = true;
@@ -99,8 +105,37 @@ in {
ENABLE_FEDERATED_AVATAR = false; ENABLE_FEDERATED_AVATAR = false;
}; };
actions.ENABLED = true; actions.ENABLED = true;
ui = {
REACTIONS = lib.concatStringsSep "," [
"+1"
"-1"
"laugh"
"confused"
"heart"
"hooray"
"rocket"
"eyes"
"100"
"anger"
"astonished"
"no_good"
"ok_hand"
"pensive"
"pizza"
"point_up"
"sob"
"skull"
"upside_down_face"
"shrug"
];
};
"ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet"; "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
}; };
dump = {
enable = true;
type = "tar.gz";
};
}; };
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
@@ -109,44 +144,22 @@ in {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
kTLS = true; kTLS = true;
locations."/" = { locations = {
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}"; "/" = {
extraConfig = '' proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
client_max_body_size 512M; extraConfig = ''
''; client_max_body_size 512M;
'';
};
"/metrics" = {
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4}/32;
deny all;
'';
};
}; };
}; };
networking.firewall.allowedTCPPorts = [ sshPort ]; networking.firewall.allowedTCPPorts = [ sshPort ];
# Extra customization
services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
systemd.services.install-gitea-customization = {
description = "Install extra customization in gitea's CUSTOM_DIR";
wantedBy = [ "gitea.service" ];
requiredBy = [ "gitea.service" ];
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
};
script = let
logo-svg = ../../../../assets/logo_blue_regular.svg;
logo-png = ../../../../assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
in ''
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
'';
};
} }

38
hosts/bekkalokk/services/gitea/gpg.nix Normal file
View File

@@ -0,0 +1,38 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.gitea;
GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
in
{
sops.secrets."gitea/gpg-signing-key" = {
owner = cfg.user;
inherit (cfg) group;
};
systemd.services.gitea.environment = { inherit GNUPGHOME; };
systemd.tmpfiles.settings."20-gitea-gnugpg".${GNUPGHOME}.d = {
inherit (cfg) user group;
mode = "700";
};
systemd.services.gitea-ensure-gnupg-homedir = {
description = "Import gpg key for gitea";
environment = { inherit GNUPGHOME; };
serviceConfig = {
Type = "oneshot";
User = cfg.user;
PrivateNetwork = true;
};
script = ''
${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key".path}
'';
};
services.gitea.settings."repository.signing" = {
SIGNING_KEY = "0549C43374D2253C";
SIGNING_NAME = "PVV Git";
SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
INITIAL_COMMIT = "always";
};
}

1
hosts/bekkalokk/services/gitea/import-users/gitea-import-users.py
View File

@@ -177,6 +177,7 @@ def ensure_gitea_user_is_part_of_team(
# List of teams that all users should be part of by default # List of teams that all users should be part of by default
COMMON_USER_TEAMS = [ COMMON_USER_TEAMS = [
("Projects", "Members"), ("Projects", "Members"),
("Grzegorz", "Members"),
("Kurs", "Members"), ("Kurs", "Members"),
] ]

116
hosts/bekkalokk/services/gitea/labels/projects.json Normal file
View File

@@ -0,0 +1,116 @@
[
{
"name": "art",
"exclusive": false,
"color": "#006b75",
"description": "Requires some creativity"
},
{
"name": "big",
"exclusive": false,
"color": "#754bc4",
"description": "This is gonna take a while"
},
{
"name": "blocked",
"exclusive": false,
"color": "#850021",
"description": "This issue/PR depends on one or more other issues/PRs"
},
{
"name": "bug",
"exclusive": false,
"color": "#f05048",
"description": "Something brokey"
},
{
"name": "ci-cd",
"exclusive": false,
"color": "#d1ff78",
"description": "Continuous integrals and continuous derivation"
},
{
"name": "crash report",
"exclusive": false,
"color": "#ed1111",
"description": "Report an oopsie"
},
{
"name": "disputed",
"exclusive": false,
"color": "#5319e7",
"description": "Kranglefanter"
},
{
"name": "documentation",
"exclusive": false,
"color": "#fbca04",
"description": "Documentation changes required"
},
{
"name": "duplicate",
"exclusive": false,
"color": "#cccccc",
"description": "This issue or pull request already exists"
},
{
"name": "feature request",
"exclusive": false,
"color": "#0052cc",
"description": ""
},
{
"name": "good first issue",
"exclusive": false,
"color": "#009800",
"description": "Get your hands dirty with a new project here"
},
{
"name": "me gusta",
"exclusive": false,
"color": "#30ff36",
"description": "( ͡° ͜ʖ ͡°)"
},
{
"name": "packaging",
"exclusive": false,
"color": "#bf642b",
"description": ""
},
{
"name": "question",
"exclusive": false,
"color": "#cc317c",
"description": ""
},
{
"name": "security",
"exclusive": false,
"color": "#ed1111",
"description": "Skommel"
},
{
"name": "techdebt spring cleaning",
"exclusive": false,
"color": "#8c6217",
"description": "The code is smelly 👃"
},
{
"name": "testing",
"exclusive": false,
"color": "#52b373",
"description": "Poke it and see if it explodes"
},
{
"name": "ui/ux",
"exclusive": false,
"color": "#f28852",
"description": "User complaints about ergonomics and economics and whatever"
},
{
"name": "wontfix",
"exclusive": false,
"color": "#ffffff",
"description": "Nei, vil ikke"
}
]

3
hosts/bekkalokk/services/gitea/web-secret-provider/default.nix
View File

@@ -3,6 +3,7 @@ let
organizations = [ organizations = [
"Drift" "Drift"
"Projects" "Projects"
"Grzegorz"
"Kurs" "Kurs"
]; ];
@@ -27,6 +28,7 @@ in
users.users."gitea-web" = { users.users."gitea-web" = {
group = "gitea-web"; group = "gitea-web";
isSystemUser = true; isSystemUser = true;
shell = pkgs.bash;
}; };
sops.secrets."gitea/web-secret-provider/token" = { sops.secrets."gitea/web-secret-provider/token" = {
@@ -58,6 +60,7 @@ in
key-dir = "/var/lib/gitea-web/keys/%i"; key-dir = "/var/lib/gitea-web/keys/%i";
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i"; authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
rrsync-script = pkgs.writeShellScript "rrsync-chown" '' rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
mkdir -p "$1"
${lib.getExe pkgs.rrsync} -wo "$1" ${lib.getExe pkgs.rrsync} -wo "$1"
${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1" ${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
''; '';

16
hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py
View File

@@ -34,7 +34,21 @@ def get_org_repo_list(args: argparse.Namespace, token: str):
f"{args.api_url}/orgs/{args.org}/repos", f"{args.api_url}/orgs/{args.org}/repos",
headers = { 'Authorization': 'token ' + token }, headers = { 'Authorization': 'token ' + token },
) )
return [repo["name"] for repo in result.json()]
results = [repo["name"] for repo in result.json()]
target = int(result.headers['X-Total-Count'])
i = 2
while len(results) < target:
result = requests.get(
f"{args.api_url}/orgs/{args.org}/repos",
params = { 'page': i },
headers = { 'Authorization': 'token ' + token },
)
results += [repo["name"] for repo in result.json()]
i += 1
return results
def generate_ssh_key(args: argparse.Namespace, repository: str): def generate_ssh_key(args: argparse.Namespace, repository: str):

6
hosts/bekkalokk/services/idp-simplesamlphp/default.nix
View File

@@ -202,6 +202,12 @@ in
rewrite ^/simplesaml/(.*)$ /$1 redirect; rewrite ^/simplesaml/(.*)$ /$1 redirect;
return 404; return 404;
''; '';
"/robots.txt" = {
root = pkgs.writeTextDir "robots.txt" ''
User-agent: *
Disallow: /
'';
};
}; };
}; };
}; };

8
hosts/bekkalokk/services/mediawiki/default.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, lib, config, values, pkgs-unstable, ... }: let { pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
cfg = config.services.mediawiki; cfg = config.services.mediawiki;
# "mediawiki" # "mediawiki"
@@ -210,8 +210,8 @@ in {
''; '';
}; };
"= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg; "= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg;
"= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png; "= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png;
"= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" { "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
buildInputs = with pkgs; [ imagemagick ]; buildInputs = with pkgs; [ imagemagick ];
} '' } ''
@@ -219,7 +219,7 @@ in {
-resize x64 \ -resize x64 \
-gravity center \ -gravity center \
-crop 64x64+0+0 \ -crop 64x64+0+0 \
${../../../../assets/logo_blue_regular.png} \ ${fp /assets/logo_blue_regular.png} \
-flatten \ -flatten \
-colors 256 \ -colors 256 \
-background transparent \ -background transparent \

2
hosts/bekkalokk/services/vaultwarden.nix
View File

@@ -83,7 +83,6 @@ in {
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [ RestrictAddressFamilies = [
"AF_INET" "AF_INET"
"AF_INET6" "AF_INET6"
@@ -98,7 +97,6 @@ in {
"@system-service" "@system-service"
"~@privileged" "~@privileged"
]; ];
UMask = "0007";
}; };
}; };
} }

12
hosts/bekkalokk/services/webmail/roundcube.nix
View File

@@ -6,6 +6,11 @@ let
domain = "webmail.pvv.ntnu.no"; domain = "webmail.pvv.ntnu.no";
in in
{ {
sops.secrets."roundcube/postgres_password" = {
owner = "nginx";
group = "nginx";
};
services.roundcube = { services.roundcube = {
enable = true; enable = true;
@@ -16,10 +21,15 @@ in
custom_from custom_from
]); ]);
dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ]; dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
maxAttachmentSize = 20; maxAttachmentSize = 20;
hostName = "roundcubeplaceholder.example.com"; hostName = "roundcubeplaceholder.example.com";
database = {
host = "postgres.pvv.ntnu.no";
passwordFile = config.sops.secrets."roundcube/postgres_password".path;
};
extraConfig = '' extraConfig = ''
$config['enable_installer'] = false; $config['enable_installer'] = false;
$config['default_host'] = "ssl://imap.pvv.ntnu.no"; $config['default_host'] = "ssl://imap.pvv.ntnu.no";

4
hosts/bekkalokk/services/webmail/snappymail.nix
View File

@@ -1,8 +1,8 @@
{ config, lib, pkgs, ... }: { config, lib, fp, pkgs, ... }:
let let
cfg = config.services.snappymail; cfg = config.services.snappymail;
in { in {
imports = [ ../../../../modules/snappymail.nix ]; imports = [ (fp /modules/snappymail.nix) ];
services.snappymail = { services.snappymail = {
enable = true; enable = true;

10
hosts/bekkalokk/services/website/default.nix
View File

@@ -116,16 +116,6 @@ in {
"/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift"; "/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift";
"/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse"; "/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse";
"/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza"; "/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza";
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"^~ /.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
}; };
}; };
} }

27
hosts/bekkalokk/services/website/fetch-gallery.nix
View File

@@ -62,6 +62,33 @@ in {
WorkingDirectory = galleryDir; WorkingDirectory = galleryDir;
User = config.services.pvv-nettsiden.user; User = config.services.pvv-nettsiden.user;
Group = config.services.pvv-nettsiden.group; Group = config.services.pvv-nettsiden.group;
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true; # disable for third party rotate scripts
PrivateDevices = true;
PrivateNetwork = true; # disable for mail delivery
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true; # disable for userdir logs
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true; # disable for creating setgid directories
SocketBindDeny = [ "any" ];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
}; };
}; };
} }

18
hosts/bekkalokk/services/well-known/default.nix Normal file
View File

@@ -0,0 +1,18 @@
{ ... }:
{
services.nginx.virtualHosts."www.pvv.ntnu.no".locations = {
"^~ /.well-known/" = {
alias = (toString ./root) + "/";
};
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"^~ /.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
};
}

31
hosts/bekkalokk/services/well-known/root/autoconfig/mail/config-v1.1.xml Normal file
View File

@@ -0,0 +1,31 @@
<?xml version="1.0"?>
<clientConfig version="1.1">
<emailProvider id="pvv.ntnu.no">
<domain>pvv.ntnu.no</domain>
<domain>pvv.org</domain>
<displayName>Programvareverkstedet</displayName>
<incomingServer type="imap">
<hostname>imap.pvv.ntnu.no</hostname>
<port>993</port>
<socketType>SSL</socketType>
<username>%EMAILLOCALPART%</username>
<authentication>password-cleartext</authentication>
</incomingServer>
<outgoingServer type="smtp">
<hostname>smtp.pvv.ntnu.no</hostname>
<port>587</port>
<socketType>STARTTLS</socketType>
<username>%EMAILLOCALPART%</username>
<authentication>password-cleartext</authentication>
<useGlobalPreferredServer>true</useGlobalPreferredServer>
</outgoingServer>
<documentation url="https://www.pvv.ntnu.no/pvv/Drift/Mail/IMAP_POP3">
<descr lang="en">Setup programvareverkstedet email user with IMAP or POP3</descr>
<descr lang="nb">Sett opp programvareverkstedet email bruker med IMAP eller POP3</descr>
</documentation>
</emailProvider>
</clientConfig>

12
hosts/bekkalokk/services/well-known/root/security.txt Normal file
View File

@@ -0,0 +1,12 @@
Contact: mailto:drift@pvv.ntnu.no
Contact: mailto:cert@pvv.ntnu.no
# drift@pvv.ntnu.no is read by more people and have a quicker reaction time,
# but cert@pvv.ntnu.no can be used for more severe issues.
Preferred-Languages: no, en
Expires: 2032-12-31T23:59:59.000Z
# This file was last updated 2024-09-14.
# You can find a wikipage for our security policies at:
# https://wiki.pvv.ntnu.no/wiki/CERT

24
hosts/bicep/acmeCert.nix
View File

@@ -1,24 +0,0 @@
{ values, ... }:
{
users.groups.acme.members = [ "nginx" ];
security.acme.certs."postgres.pvv.ntnu.no" = {
group = "acme";
extraDomainNames = [
# "postgres.pvv.org"
"bicep.pvv.ntnu.no"
# "bicep.pvv.org"
# values.hosts.bicep.ipv4
# values.hosts.bicep.ipv6
];
};
services.nginx = {
enable = true;
virtualHosts."postgres.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
# useACMEHost = "postgres.pvv.ntnu.no";
};
};
}

13
hosts/bicep/configuration.nix
View File

@@ -1,14 +1,12 @@
{ pkgs, values, ... }: { fp, pkgs, values, ... }:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../base (fp /base)
../../misc/metrics-exporters.nix (fp /misc/metrics-exporters.nix)
./services/nginx ./services/nginx
./acmeCert.nix
./services/mysql.nix ./services/mysql.nix
./services/postgres.nix ./services/postgres.nix
./services/mysql.nix ./services/mysql.nix
@@ -17,7 +15,7 @@
./services/matrix ./services/matrix
]; ];
sops.defaultSopsFile = ../../secrets/bicep/bicep.yaml; sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true; sops.age.generateKey = true;
@@ -36,6 +34,9 @@
anyInterface = true; anyInterface = true;
}; };
# There are no smart devices
services.smartd.enable = false;
# Do not change, even during upgrades. # Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11"; system.stateVersion = "22.11";

6
hosts/bicep/services/calendar-bot.nix
View File

@@ -1,16 +1,16 @@
{ config, lib, pkgs, ... }: { config, fp, lib, pkgs, ... }:
let let
cfg = config.services.pvv-calendar-bot; cfg = config.services.pvv-calendar-bot;
in { in {
sops.secrets = { sops.secrets = {
"calendar-bot/matrix_token" = { "calendar-bot/matrix_token" = {
sopsFile = ../../../secrets/bicep/bicep.yaml; sopsFile = fp /secrets/bicep/bicep.yaml;
key = "calendar-bot/matrix_token"; key = "calendar-bot/matrix_token";
owner = cfg.user; owner = cfg.user;
group = cfg.group; group = cfg.group;
}; };
"calendar-bot/mysql_password" = { "calendar-bot/mysql_password" = {
sopsFile = ../../../secrets/bicep/bicep.yaml; sopsFile = fp /secrets/bicep/bicep.yaml;
key = "calendar-bot/mysql_password"; key = "calendar-bot/mysql_password";
owner = cfg.user; owner = cfg.user;
group = cfg.group; group = cfg.group;

15
hosts/bicep/services/matrix/coturn.nix
View File

@@ -1,14 +1,14 @@
{ config, lib, pkgs, secrets, ... }: { config, lib, fp, pkgs, secrets, values, ... }:
{ {
sops.secrets."matrix/synapse/turnconfig" = { sops.secrets."matrix/synapse/turnconfig" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "synapse/turnconfig"; key = "synapse/turnconfig";
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group; group = config.users.users.matrix-synapse.group;
}; };
sops.secrets."matrix/coturn/static-auth-secret" = { sops.secrets."matrix/coturn/static-auth-secret" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "coturn/static-auth-secret"; key = "coturn/static-auth-secret";
owner = config.users.users.turnserver.name; owner = config.users.users.turnserver.name;
group = config.users.users.turnserver.group; group = config.users.users.turnserver.group;
@@ -48,6 +48,9 @@
users.users.turnserver.extraGroups = [ "acme" ]; users.users.turnserver.extraGroups = [ "acme" ];
# It needs this to be allowed to access the files with the acme group
systemd.services.coturn.serviceConfig.PrivateUsers = lib.mkForce false;
systemd.services."acme-${config.services.coturn.realm}".serviceConfig = { systemd.services."acme-${config.services.coturn.realm}".serviceConfig = {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
}; };
@@ -60,12 +63,14 @@
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
use-auth-secret = true; use-auth-secret = true;
# World readable but I dont think it's that bad
static-auth-secret-file = config.sops.secrets."matrix/coturn/static-auth-secret".path; static-auth-secret-file = config.sops.secrets."matrix/coturn/static-auth-secret".path;
secure-stun = true; secure-stun = true;
listening-ips = [ "129.241.210.213" "2001:700:300:1900::213" ]; listening-ips = [
values.services.turn.ipv4
values.services.turn.ipv6
];
tls-listening-port = 443; tls-listening-port = 443;
alt-tls-listening-port = 5349; alt-tls-listening-port = 5349;

1
hosts/bicep/services/matrix/default.nix
View File

@@ -10,6 +10,7 @@
./mjolnir.nix ./mjolnir.nix
./discord.nix ./discord.nix
./hookshot
]; ];

46
hosts/bicep/services/matrix/discord.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, ... }: { config, lib, fp, ... }:
let let
cfg = config.services.mx-puppet-discord; cfg = config.services.mx-puppet-discord;
@@ -6,15 +6,42 @@ in
{ {
users.groups.keys-matrix-registrations = { }; users.groups.keys-matrix-registrations = { };
sops.secrets."matrix/registrations/mx-puppet-discord" = { sops.secrets."matrix/discord/as_token" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "registrations/mx-puppet-discord"; key = "discord/as_token";
};
sops.secrets."matrix/discord/hs_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "discord/hs_token";
};
sops.templates."discord-registration.yaml" = {
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
group = config.users.groups.keys-matrix-registrations.name; group = config.users.groups.keys-matrix-registrations.name;
content = ''
as_token: "${config.sops.placeholder."matrix/discord/as_token"}"
hs_token: "${config.sops.placeholder."matrix/discord/hs_token"}"
id: discord-puppet
namespaces:
users:
- exclusive: true
regex: '@_discordpuppet_.*'
rooms: []
aliases:
- exclusive: true
regex: '#_discordpuppet_.*'
protocols: []
rate_limited: false
sender_localpart: _discordpuppet_bot
url: 'http://localhost:8434'
de.sorunome.msc2409.push_ephemeral: true
'';
}; };
systemd.services.mx-puppet-discord = { systemd.services.mx-puppet-discord = {
serviceConfig.SupplementaryGroups = [ config.users.groups.keys-matrix-registrations.name ]; serviceConfig.SupplementaryGroups = [
config.users.groups.keys-matrix-registrations.name
];
}; };
@@ -29,11 +56,16 @@ in
relay.whitelist = [ ".*" ]; relay.whitelist = [ ".*" ];
selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ]; selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
}; };
services.mx-puppet-discord.serviceDependencies = [ "matrix-synapse.target" "nginx.service" ]; services.mx-puppet-discord.serviceDependencies = [
"matrix-synapse.target"
"nginx.service"
];
services.matrix-synapse-next.settings = { services.matrix-synapse-next.settings = {
app_service_config_files = [ config.sops.secrets."matrix/registrations/mx-puppet-discord".path ]; app_service_config_files = [
config.sops.templates."discord-registration.yaml".path
];
use_appservice_legacy_authorization = true; use_appservice_legacy_authorization = true;
}; };

135
hosts/bicep/services/matrix/hookshot/default.nix Normal file
View File

@@ -0,0 +1,135 @@
{ config, lib, fp, unstablePkgs, inputs, ... }:
let
cfg = config.services.matrix-hookshot;
webhookListenAddress = "127.0.0.1";
webhookListenPort = 8435;
in
{
sops.secrets."matrix/hookshot/as_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/as_token";
};
sops.secrets."matrix/hookshot/hs_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/hs_token";
};
sops.templates."hookshot-registration.yaml" = {
owner = config.users.users.matrix-synapse.name;
group = config.users.groups.keys-matrix-registrations.name;
content = ''
id: matrix-hookshot
as_token: "${config.sops.placeholder."matrix/hookshot/as_token"}"
hs_token: "${config.sops.placeholder."matrix/hookshot/hs_token"}"
namespaces:
rooms: []
users:
- regex: "@_webhooks_.*:pvv.ntnu.no"
exclusive: true
- regex: "@bot_feeds:pvv.ntnu.no"
exclusive: true
aliases: []
sender_localpart: hookshot
url: "http://${cfg.settings.bridge.bindAddress}:${toString cfg.settings.bridge.port}"
rate_limited: false
# If enabling encryption
de.sorunome.msc2409.push_ephemeral: true
push_ephemeral: true
org.matrix.msc3202: true
'';
};
systemd.services.matrix-hookshot = {
serviceConfig.SupplementaryGroups = [
config.users.groups.keys-matrix-registrations.name
];
};
services.matrix-hookshot = {
enable = true;
package = unstablePkgs.matrix-hookshot;
registrationFile = config.sops.templates."hookshot-registration.yaml".path;
settings = {
bridge = {
bindAddress = "127.0.0.1";
domain = "pvv.ntnu.no";
url = "https://matrix.pvv.ntnu.no";
mediaUrl = "https://matrix.pvv.ntnu.no";
port = 9993;
};
listeners = [
{
bindAddress = webhookListenAddress;
port = webhookListenPort;
resources = [
"webhooks"
# "metrics"
# "provisioning"
"widgets"
];
}
];
generic = {
enabled = true;
outbound = true;
urlPrefix = "https://hookshot.pvv.ntnu.no/webhook/";
userIdPrefix = "_webhooks_";
allowJsTransformationFunctions = false;
waitForComplete = false;
};
feeds = {
enabled = true;
pollIntervalSeconds = 600;
};
serviceBots = [
{ localpart = "bot_feeds";
displayname = "Aya";
avatar = ./feeds.png;
prefix = "!aya";
service = "feeds";
}
];
permissions = [
# Users of the PVV Server
{ actor = "pvv.ntnu.no";
services = [ { service = "*"; level = "commands"; } ];
}
# Members of Medlem space (for people with their own hs)
{ actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
services = [ { service = "*"; level = "commands"; } ];
}
# Members of Drift
{ actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
services = [ { service = "*"; level = "admin"; } ];
}
# Dan bootstrap
{ actor = "@dandellion:dodsorf.as";
services = [ { service = "*"; level = "admin"; } ];
}
];
};
};
services.matrix-hookshot.serviceDependencies = [
"matrix-synapse.target"
"nginx.service"
];
services.matrix-synapse-next.settings = {
app_service_config_files = [
config.sops.templates."hookshot-registration.yaml".path
];
};
services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
enableACME = true;
locations."/" = {
proxyPass = "http://${webhookListenAddress}:${toString webhookListenPort}";
};
};
}

BIN
hosts/bicep/services/matrix/hookshot/feeds.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 MiB

4
hosts/bicep/services/matrix/mjolnir.nix
View File

@@ -1,8 +1,8 @@
{ config, lib, ... }: { config, lib, fp, ... }:
{ {
sops.secrets."matrix/mjolnir/access_token" = { sops.secrets."matrix/mjolnir/access_token" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "mjolnir/access_token"; key = "mjolnir/access_token";
owner = config.users.users.mjolnir.name; owner = config.users.users.mjolnir.name;
group = config.users.users.mjolnir.group; group = config.users.users.mjolnir.group;

20
hosts/bicep/services/matrix/synapse.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, pkgs, values, inputs, ... }: { config, lib, fp, pkgs, values, inputs, ... }:
let let
cfg = config.services.matrix-synapse-next; cfg = config.services.matrix-synapse-next;
@@ -10,23 +10,18 @@ let
in { in {
sops.secrets."matrix/synapse/signing_key" = { sops.secrets."matrix/synapse/signing_key" = {
key = "synapse/signing_key"; key = "synapse/signing_key";
sopsFile = ../../../../secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group; group = config.users.users.matrix-synapse.group;
}; };
sops.secrets."matrix/synapse/user_registration" = { sops.secrets."matrix/synapse/user_registration" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "synapse/signing_key"; key = "synapse/signing_key";
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group; group = config.users.users.matrix-synapse.group;
}; };
sops.secrets."matrix/sliding-sync/env" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "sliding-sync/env";
};
services.matrix-synapse-next = { services.matrix-synapse-next = {
enable = true; enable = true;
@@ -43,8 +38,6 @@ in {
workers.eventPersisters = 2; workers.eventPersisters = 2;
workers.useUserDirectoryWorker = true; workers.useUserDirectoryWorker = true;
enableSlidingSync = true;
enableNginx = true; enableNginx = true;
settings = { settings = {
@@ -137,9 +130,6 @@ in {
}; };
}; };
services.matrix-synapse.sliding-sync.environmentFile = config.sops.secrets."matrix/sliding-sync/env".path;
services.redis.servers."".enable = true; services.redis.servers."".enable = true;
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [ services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
@@ -182,8 +172,6 @@ in {
extraConfig = '' extraConfig = ''
allow ${values.hosts.ildkule.ipv4}; allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6}; allow ${values.hosts.ildkule.ipv6};
allow ${values.hosts.ildkule.ipv4_global};
allow ${values.hosts.ildkule.ipv6_global};
deny all; deny all;
''; '';
}) })
@@ -195,8 +183,6 @@ in {
extraConfig = '' extraConfig = ''
allow ${values.hosts.ildkule.ipv4}; allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6}; allow ${values.hosts.ildkule.ipv6};
allow ${values.hosts.ildkule.ipv4_global};
allow ${values.hosts.ildkule.ipv6_global};
deny all; deny all;
''; '';
}; };

10
hosts/bob/configuration.nix
View File

@@ -1,16 +1,16 @@
{ config, pkgs, values, ... }: { config, fp, pkgs, values, ... }:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../base (fp /base)
../../misc/metrics-exporters.nix (fp /misc/metrics-exporters.nix)
./disks.nix ./disks.nix
../../misc/builder.nix (fp /misc/builder.nix)
]; ];
sops.defaultSopsFile = ../../secrets/bob/bob.yaml; sops.defaultSopsFile = fp /secrets/bob/bob.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true; sops.age.generateKey = true;

6
hosts/brzeczyszczykiewicz/configuration.nix
View File

@@ -1,10 +1,10 @@
{ config, pkgs, values, ... }: { config, fp, pkgs, values, ... }:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../base (fp /base)
../../misc/metrics-exporters.nix (fp /misc/metrics-exporters.nix)
./services/grzegorz.nix ./services/grzegorz.nix
]; ];

4
hosts/brzeczyszczykiewicz/services/grzegorz.nix
View File

@@ -1,6 +1,6 @@
{ config, ... }: { config, fp, ... }:
{ {
imports = [ ../../../modules/grzegorz.nix ]; imports = [ (fp /modules/grzegorz.nix) ];
services.nginx.virtualHosts."${config.networking.fqdn}" = { services.nginx.virtualHosts."${config.networking.fqdn}" = {
serverAliases = [ serverAliases = [

10
hosts/buskerud/services/libvirt.nix
View File

@@ -1,10 +0,0 @@
{ config, pkgs, lib, ... }:
{
virtualisation.libvirtd.enable = true;
programs.dconf.enable = true;
boot.kernelModules = [ "kvm-intel" ];
# On a gui-enabled machine, connect with:
# $ virt-manager --connect "qemu+ssh://buskerud/system?socket=/var/run/libvirt/libvirt-sock"
}

78
hosts/dagali/TODO.md Normal file
View File

@@ -0,0 +1,78 @@
# Tracking document for new PVV kerberos auth stack
![Bensinstasjon på heimdal](https://bydelsnytt.no/wp-content/uploads/2022/08/esso_heimdal003.jpg)
<div align="center">
Bensinstasjon på heimdal
</div>
### TODO:
- [ ] setup heimdal
- [x] ensure running with systemd
- [x] compile smbk5pwd (part of openldap)
- [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively
- [ ] fully initialize PVV.NTNU.NO
- [x] `kadmin -l init PVV.NTNU.NO`
- [x] add oysteikt/admin@PVV.NTNU.NO principal
- [x] add oysteikt@PVV.NTNU.NO principal
- [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
- why is this needed, and where is it documented?
- `kadmin check` seems to work under sudo?
- (it is included by default, just included as error message
in a weird state)
- [x] Ensure client is working correctly
- [x] Ensure kinit works on darbu
- [x] Ensure kpasswd works on darbu
- [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
- [ ] Ensure kdc is working correctly
- [x] Ensure kinit works on dagali
- [x] Ensure kpasswd works on dagali
- [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
- [x] Fix FQDN
- https://github.com/NixOS/nixpkgs/issues/94011
- https://github.com/NixOS/nixpkgs/issues/261269
- Possibly fixed by disabling systemd-resolved
- [ ] setup cyrus sasl
- [x] ensure running with systemd
- [x] verify GSSAPI support plugin is installed
- `nix-shell -p cyrus_sasl --command pluginviewer`
- [x] create "host/localhost@PVV.NTNU.NO" and export to keytab
- [x] verify cyrus sasl is able to talk to heimdal
- `sudo testsaslauthd -u oysteikt -p <password>`
- [ ] provide ldap principal to cyrus sasl through keytab
- [ ] setup openldap
- [x] ensure running with systemd
- [ ] verify openldap is able to talk to cyrus sasl
- [ ] create user for oysteikt in openldap
- [ ] authenticate openldap login through sasl
- does this require creating an ldap user?
- [ ] fix smbk5pwd integration
- [x] add smbk5pwd schemas to openldap
- [x] create openldap db for smbk5pwd with overlays
- [ ] test to ensure that user sync is working
- [ ] test as user source (replace passwd)
- [ ] test as PAM auth source
- [ ] test as auth source for 3rd party appliation
- [ ] Set up ldap administration panel
- Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
- [ ] Set up kerberos SRV DNS entry
### Information and URLS
- OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html
- Use a keytab: https://kb.iu.edu/d/aumh
- 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos
- Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
- Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html
- PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos
- OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
- saslauthd(8): https://linux.die.net/man/8/saslauthd

33
hosts/buskerud/configuration.nix → hosts/dagali/configuration.nix
View File

@@ -1,31 +1,44 @@
{ config, pkgs, values, ... }:
{ config, pkgs, values, lib, ... }:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../base ../../base.nix
../../misc/metrics-exporters.nix ../../misc/metrics-exporters.nix
./services/libvirt.nix ./services/heimdal.nix
#./services/openldap.nix
./services/cyrus-sasl.nix
]; ];
# buskerud does not support efi? # buskerud does not support efi?
# boot.loader.systemd-boot.enable = true; # boot.loader.systemd-boot.enable = true;
# boot.loader.efi.canTouchEfiVariables = true; # boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sdb"; boot.loader.grub.device = "/dev/sda";
networking.hostName = "buskerud"; # resolved messes up FQDN coming from nscd
networking.search = [ "pvv.ntnu.no" "pvv.org" ]; services.resolved.enable = false;
networking.hostName = "dagali";
networking.domain = lib.mkForce "pvv.local";
networking.hosts = {
"129.241.210.185" = [ "dagali.pvv.local" ];
};
#networking.search = [ "pvv.ntnu.no" "pvv.org" ];
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ]; networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
networking.tempAddresses = "disabled"; networking.tempAddresses = "disabled";
networking.networkmanager.enable = true;
systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // { systemd.network.networks."ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "enp3s0f0"; matchConfig.Name = "ens18";
address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ]; address = with values.hosts.dagali; [ (ipv4 + "/25") (ipv6 + "/64") ];
}; };
# List packages installed in system profile # List packages installed in system profile
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# TODO: consider adding to base.nix
nix-output-monitor
]; ];
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
@@ -34,5 +47,5 @@
# this value at the release version of the first install of this system. # this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment? system.stateVersion = "24.05"; # Did you read the comment?
} }

20
hosts/buskerud/hardware-configuration.nix → hosts/dagali/hardware-configuration.nix
View File

@@ -5,33 +5,29 @@
{ {
imports = imports =
[ (modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/ed9654fe-575a-4fb3-b6ff-1b059479acff"; { device = "/dev/disk/by-uuid/4de345e2-be41-4d10-9b90-823b2c77e9b3";
fsType = "ext4"; fsType = "ext4";
}; };
swapDevices = [ ]; swapDevices =
[ { device = "/dev/disk/by-uuid/aa4b9a97-a7d8-4608-9f67-4ad084f1baf7"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp14s0f0.useDHCP = lib.mkDefault true; # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
# networking.interfaces.enp14s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }

21
hosts/dagali/services/cyrus-sasl.nix Normal file
View File

@@ -0,0 +1,21 @@
{ config, ... }:
let
cfg = config.services.saslauthd;
in
{
# TODO: This is seemingly required for openldap to authenticate
# against kerberos, but I have no idea how to configure it as
# such. Does it need a keytab? There's a binary "testsaslauthd"
# that follows with `pkgs.cyrus_sasl` that might be useful.
services.saslauthd = {
enable = true;
mechanism = "kerberos5";
config = ''
mech_list: gs2-krb5 gssapi
keytab: /etc/krb5.keytab
'';
};
# TODO: maybe the upstream module should consider doing this?
environment.systemPackages = [ cfg.package ];
}

100
hosts/dagali/services/heimdal.nix Normal file
View File

@@ -0,0 +1,100 @@
{ config, pkgs, lib, ... }:
let
realm = "PVV.LOCAL";
cfg = config.security.krb5;
in
{
security.krb5 = {
enable = true;
# NOTE: This is required in order to build smbk5pwd, because of some nested includes.
# We should open an issue upstream (heimdal, not nixpkgs), but this patch
# will do for now.
package = pkgs.heimdal.overrideAttrs (prev: {
postInstall = prev.postInstall + ''
cp include/heim_threads.h $dev/include
'';
});
settings = {
realms.${realm} = {
kdc = [ "dagali.${lib.toLower realm}" ];
admin_server = "dagali.${lib.toLower realm}";
kpasswd_server = "dagali.${lib.toLower realm}";
default_domain = lib.toLower realm;
primary_kdc = "dagali.${lib.toLower realm}";
};
kadmin.default_keys = lib.concatStringsSep " " [
"aes256-cts-hmac-sha1-96:pw-salt"
"aes128-cts-hmac-sha1-96:pw-salt"
];
libdefaults.default_etypes = lib.concatStringsSep " " [
"aes256-cts-hmac-sha1-96"
"aes128-cts-hmac-sha1-96"
];
libdefaults = {
default_realm = realm;
dns_lookup_kdc = false;
dns_lookup_realm = false;
};
domain_realm = {
"${lib.toLower realm}" = realm;
".${lib.toLower realm}" = realm;
};
logging = {
# kdc = "CONSOLE";
kdc = "SYSLOG:DEBUG:AUTH";
admin_server = "SYSLOG:DEBUG:AUTH";
default = "SYSLOG:DEBUG:AUTH";
};
};
};
services.kerberos_server = {
enable = true;
settings = {
realms.${realm} = {
dbname = "/var/lib/heimdal/heimdal";
mkey = "/var/lib/heimdal/m-key";
acl = [
{
principal = "kadmin/admin";
access = "all";
}
{
principal = "felixalb/admin";
access = "all";
}
{
principal = "oysteikt/admin";
access = "all";
}
];
};
# kadmin.default_keys = lib.concatStringsSep " " [
# "aes256-cts-hmac-sha1-96:pw-salt"
# "aes128-cts-hmac-sha1-96:pw-salt"
# ];
# libdefaults.default_etypes = lib.concatStringsSep " " [
# "aes256-cts-hmac-sha1-96"
# "aes128-cts-hmac-sha1-96"
# ];
# password_quality.min_length = 8;
};
};
networking.firewall.allowedTCPPorts = [ 88 464 749 ];
networking.firewall.allowedUDPPorts = [ 88 464 749 ];
networking.hosts = {
"127.0.0.2" = lib.mkForce [ ];
"::1" = lib.mkForce [ ];
};
}

121
hosts/dagali/services/openldap.nix Normal file
View File

@@ -0,0 +1,121 @@
{ config, pkgs, lib, ... }:
{
services.openldap = let
dn = "dc=pvv,dc=ntnu,dc=no";
cfg = config.services.openldap;
heimdal = config.security.krb5.package;
in {
enable = true;
# NOTE: this is a custom build of openldap with support for
# perl and kerberos.
package = pkgs.openldap.overrideAttrs (prev: {
# https://github.com/openldap/openldap/blob/master/configure
configureFlags = prev.configureFlags ++ [
# Connect to slapd via UNIX socket
"--enable-local"
# Cyrus SASL
"--enable-spasswd"
# Reverse hostname lookups
"--enable-rlookups"
# perl
"--enable-perl"
];
buildInputs = prev.buildInputs ++ [
pkgs.perl
# NOTE: do not upstream this, it might not work with
# MIT in the same way
heimdal
];
extraContribModules = prev.extraContribModules ++ [
# https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
"smbk5pwd"
];
});
settings = {
attrs = {
olcLogLevel = [ "stats" "config" "args" ];
# olcAuthzRegexp = ''
# gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
# "uid=heimdal,${dn2}"
# '';
# olcSaslSecProps = "minssf=0";
};
children = {
"cn=schema".includes = let
# NOTE: needed for smbk5pwd.so module
schemaToLdif = name: path: pkgs.runCommandNoCC name {
buildInputs = with pkgs; [ schema2ldif ];
} ''
schema2ldif "${path}" > $out
'';
hdb-ldif = schemaToLdif "hdb.ldif" "${heimdal.src}/lib/hdb/hdb.schema";
samba-ldif = schemaToLdif "samba.ldif" "${heimdal.src}/tests/ldap/samba.schema";
in [
"${cfg.package}/etc/schema/core.ldif"
"${cfg.package}/etc/schema/cosine.ldif"
"${cfg.package}/etc/schema/nis.ldif"
"${cfg.package}/etc/schema/inetorgperson.ldif"
"${hdb-ldif}"
"${samba-ldif}"
];
# NOTE: installation of smbk5pwd.so module
# https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
"cn=module{0}".attrs = {
objectClass = [ "olcModuleList" ];
olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
};
# NOTE: activation of smbk5pwd.so module for {1}mdb
"olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
olcOverlay = "{0}smbk5pwd";
olcSmbK5PwdEnable = [ "krb5" "samba" ];
olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
};
"olcDatabase={1}mdb".attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcSuffix = dn;
# TODO: PW is supposed to be a secret, but it's probably fine for testing
olcRootDN = "cn=users,${dn}";
# TODO: replace with proper secret
olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
olcDbDirectory = "/var/lib/openldap/test-smbk5pwd-db";
olcDbIndex = "objectClass eq";
olcAccess = [
''{0}to attrs=userPassword,shadowLastChange
by dn.exact=cn=users,${dn} write
by self write
by anonymous auth
by * none''
''{1}to dn.base=""
by * read''
/* allow read on anything else */
# ''{2}to *
# by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
# by * read''
];
};
};
};
};
}

8
hosts/georg/configuration.nix
View File

@@ -1,12 +1,12 @@
{ config, pkgs, values, ... }: { config, fp, pkgs, values, ... }:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../base (fp /base)
../../misc/metrics-exporters.nix (fp /misc/metrics-exporters.nix)
../../modules/grzegorz.nix (fp /modules/grzegorz.nix)
]; ];
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;

50
hosts/ildkule/configuration.nix
View File

@@ -1,16 +1,16 @@
{ config, pkgs, values, ... }: { config, fp, pkgs, lib, values, ... }:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../base (fp /base)
../../misc/metrics-exporters.nix (fp /misc/metrics-exporters.nix)
./services/monitoring ./services/monitoring
./services/nginx ./services/nginx
]; ];
sops.defaultSopsFile = ../../secrets/ildkule/ildkule.yaml; sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true; sops.age.generateKey = true;
@@ -19,33 +19,37 @@
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
networking.hostName = "ildkule"; # Define your hostname. # Openstack Neutron and systemd-networkd are not best friends, use something else:
systemd.network.enable = lib.mkForce false;
networking = let
hostConf = values.hosts.ildkule;
in {
hostName = "ildkule";
tempAddresses = "disabled";
useDHCP = lib.mkForce true;
# Main connection, using the global/floatig IP, for communications with the world search = values.defaultNetworkConfig.domains;
systemd.network.networks."30-ntnu-global" = values.openstackGlobalNetworkConfig // { nameservers = values.defaultNetworkConfig.dns;
matchConfig.Name = "ens4"; defaultGateway.address = hostConf.ipv4_internal_gw;
# Add the global addresses in addition to the local address learned from DHCP interfaces."ens4" = {
addresses = [ ipv4.addresses = [
{ addressConfig.Address = "${values.hosts.ildkule.ipv4_global}/32"; } { address = hostConf.ipv4; prefixLength = 32; }
{ addressConfig.Address = "${values.hosts.ildkule.ipv6_global}/128"; } { address = hostConf.ipv4_internal; prefixLength = 24; }
]; ];
}; ipv6.addresses = [
{ address = hostConf.ipv6; prefixLength = 64; }
# Secondary connection only for use within the university network ];
systemd.network.networks."40-ntnu-internal" = values.openstackLocalNetworkConfig // { };
matchConfig.Name = "ens3";
# Add the ntnu-internal addresses in addition to the local address learned from DHCP
addresses = [
{ addressConfig.Address = "${values.hosts.ildkule.ipv4}/32"; }
{ addressConfig.Address = "${values.hosts.ildkule.ipv6}/128"; }
];
}; };
# List packages installed in system profile # List packages installed in system profile
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
]; ];
# No devices with SMART
services.smartd.enable = false;
system.stateVersion = "23.11"; # Did you read the comment? system.stateVersion = "23.11"; # Did you read the comment?
} }

9
hosts/ildkule/hardware-configuration.nix
View File

@@ -3,7 +3,14 @@
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ]; boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; }; fileSystems."/" = {
device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
fsType = "ext4";
};
fileSystems."/data" = {
device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
fsType = "ext4";
};
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
} }

1546
hosts/ildkule/services/monitoring/dashboards/gitea-dashbaord.json Normal file
View File

File diff suppressed because it is too large Load Diff

6
hosts/ildkule/services/monitoring/grafana.nix
View File

@@ -75,6 +75,12 @@ in {
url = "https://grafana.com/api/dashboards/240/revisions/3/download"; url = "https://grafana.com/api/dashboards/240/revisions/3/download";
options.path = dashboards/go-processes.json; options.path = dashboards/go-processes.json;
} }
{
name = "Gitea Dashbaord";
type = "file";
url = "https://grafana.com/api/dashboards/17802/revisions/3/download";
options.path = dashboards/gitea-dashbaord.json;
}
]; ];
}; };

13
hosts/ildkule/services/monitoring/loki.nix
View File

@@ -2,6 +2,7 @@
let let
cfg = config.services.loki; cfg = config.services.loki;
stateDir = "/data/monitoring/loki";
in { in {
services.loki = { services.loki = {
enable = true; enable = true;
@@ -16,7 +17,7 @@ in {
ingester = { ingester = {
wal = { wal = {
enabled = true; enabled = true;
dir = "/var/lib/loki/wal"; dir = "${stateDir}/wal";
}; };
lifecycler = { lifecycler = {
address = "127.0.0.1"; address = "127.0.0.1";
@@ -48,12 +49,12 @@ in {
storage_config = { storage_config = {
boltdb_shipper = { boltdb_shipper = {
active_index_directory = "/var/lib/loki/boltdb-shipper-index"; active_index_directory = "${stateDir}/boltdb-shipper-index";
cache_location = "/var/lib/loki/boltdb-shipper-cache"; cache_location = "${stateDir}/boltdb-shipper-cache";
cache_ttl = "24h"; cache_ttl = "24h";
}; };
filesystem = { filesystem = {
directory = "/var/lib/loki/chunks"; directory = "${stateDir}/chunks";
}; };
}; };
@@ -64,14 +65,14 @@ in {
}; };
compactor = { compactor = {
working_directory = "/var/lib/loki/compactor"; working_directory = "${stateDir}/compactor";
}; };
# ruler = { # ruler = {
# storage = { # storage = {
# type = "local"; # type = "local";
# local = { # local = {
# directory = "/var/lib/loki/rules"; # directory = "${stateDir}/rules";
# }; # };
# }; # };
# rule_path = "/etc/loki/rules"; # rule_path = "/etc/loki/rules";

14
hosts/ildkule/services/monitoring/prometheus/default.nix
View File

@@ -1,18 +1,26 @@
{ config, ... }: { { config, ... }: let
stateDir = "/data/monitoring/prometheus";
in {
imports = [ imports = [
./gogs.nix ./gitea.nix
./matrix-synapse.nix ./matrix-synapse.nix
# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
# ./mysqld.nix # ./mysqld.nix
./node.nix
./postgres.nix ./postgres.nix
./machines.nix
]; ];
services.prometheus = { services.prometheus = {
enable = true; enable = true;
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
port = 9001; port = 9001;
ruleFiles = [ rules/synapse-v2.rules ]; ruleFiles = [ rules/synapse-v2.rules ];
}; };
fileSystems."/var/lib/prometheus2" = {
device = stateDir;
options = [ "bind" ];
};
} }

16
hosts/ildkule/services/monitoring/prometheus/gitea.nix Normal file
View File

@@ -0,0 +1,16 @@
{ ... }:
{
services.prometheus.scrapeConfigs = [{
job_name = "gitea";
scrape_interval = "60s";
scheme = "https";
static_configs = [
{
targets = [
"git.pvv.ntnu.no:443"
];
}
];
}];
}

16
hosts/ildkule/services/monitoring/prometheus/gogs.nix
View File

@@ -1,16 +0,0 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "git-gogs";
scheme = "https";
metrics_path = "/-/metrics";
static_configs = [
{
targets = [
"essendrop.pvv.ntnu.no:443"
];
}
];
}];
}

54
hosts/ildkule/services/monitoring/prometheus/machines.nix Normal file
View File

@@ -0,0 +1,54 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "base_info";
static_configs = [
{ labels.hostname = "ildkule";
targets = [
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
"ildkule.pvv.ntnu.no:${toString cfg.exporters.systemd.port}"
];
}
{ labels.hostname = "bekkalokk";
targets = [
"bekkalokk.pvv.ntnu.no:9100"
"bekkalokk.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "bicep";
targets = [
"bicep.pvv.ntnu.no:9100"
"bicep.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "brzeczyszczykiewicz";
targets = [
"brzeczyszczykiewicz.pvv.ntnu.no:9100"
"brzeczyszczykiewicz.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "georg";
targets = [
"georg.pvv.ntnu.no:9100"
"georg.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "hildring";
targets = [
"hildring.pvv.ntnu.no:9100"
];
}
{ labels.hostname = "isvegg";
targets = [
"isvegg.pvv.ntnu.no:9100"
];
}
{ labels.hostname = "microbel";
targets = [
"microbel.pvv.ntnu.no:9100"
];
}
];
}];
}

22
hosts/ildkule/services/monitoring/prometheus/node.nix
View File

@@ -1,22 +0,0 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "node";
static_configs = [
{
targets = [
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
"microbel.pvv.ntnu.no:9100"
"isvegg.pvv.ntnu.no:9100"
"knakelibrak.pvv.ntnu.no:9100"
"hildring.pvv.ntnu.no:9100"
"bicep.pvv.ntnu.no:9100"
"essendrop.pvv.ntnu.no:9100"
"andresbu.pvv.ntnu.no:9100"
"bekkalokk.pvv.ntnu.no:9100"
];
}
];
}];
}

6
hosts/ildkule/services/monitoring/uptime-kuma.nix
View File

@@ -2,6 +2,7 @@
let let
cfg = config.services.uptime-kuma; cfg = config.services.uptime-kuma;
domain = "status.pvv.ntnu.no"; domain = "status.pvv.ntnu.no";
stateDir = "/data/monitoring/uptime-kuma";
in { in {
services.uptime-kuma = { services.uptime-kuma = {
enable = true; enable = true;
@@ -17,4 +18,9 @@ in {
kTLS = true; kTLS = true;
locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}"; locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
}; };
fileSystems."/var/lib/uptime-kuma" = {
device = stateDir;
options = [ "bind" ];
};
} }

8
hosts/shark/configuration.nix
View File

@@ -1,13 +1,13 @@
{ config, pkgs, values, ... }: { config, fp, pkgs, values, ... }:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../base (fp /base)
../../misc/metrics-exporters.nix (fp /misc/metrics-exporters.nix)
]; ];
sops.defaultSopsFile = ../../secrets/shark/shark.yaml; sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true; sops.age.generateKey = true;

44
hosts/ustetind/configuration.nix Normal file
View File

@@ -0,0 +1,44 @@
{ config, fp, pkgs, lib, values, ... }:
{
imports = [
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/gitea-runners.nix
];
sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
networking.hostName = "ustetind";
networking.useHostResolvConf = lib.mkForce false;
systemd.network.networks = {
"30-lxc-eth" = values.defaultNetworkConfig // {
matchConfig = {
Type = "ether";
Kind = "veth";
Name = [
"eth*"
];
};
address = with values.hosts.ustetind; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
"40-podman-veth" = values.defaultNetworkConfig // {
matchConfig = {
Type = "ether";
Kind = "veth";
Name = [
"veth*"
];
};
DHCP = "yes";
};
};
system.stateVersion = "24.11";
}

16
hosts/bekkalokk/services/gitea/ci.nix → hosts/ustetind/services/gitea-runners.nix
View File

@@ -15,8 +15,8 @@ let
enable = true; enable = true;
name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no"; name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
labels = [ labels = [
"debian-latest:docker://node:18-bullseye" "debian-latest:docker://node:current-bookworm"
"ubuntu-latest:docker://node:18-bullseye" "ubuntu-latest:docker://node:current-bookworm"
]; ];
tokenFile = config.sops.secrets."gitea/runners/${name}".path; tokenFile = config.sops.secrets."gitea/runners/${name}".path;
}; };
@@ -27,5 +27,15 @@ lib.mkMerge [
(mkRunner "alpha") (mkRunner "alpha")
(mkRunner "beta") (mkRunner "beta")
(mkRunner "epsilon") (mkRunner "epsilon")
{ virtualisation.podman.enable = true; } {
virtualisation.podman = {
enable = true;
defaultNetwork.settings.dns_enabled = true;
autoPrune.enable = true;
};
networking.dhcpcd.IPv6rs = false;
networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
}
] ]

2
justfile
View File

@@ -18,7 +18,7 @@ run-vm machine=`just _a_machine`:
nix eval .#inputs --apply builtins.attrNames --json \ nix eval .#inputs --apply builtins.attrNames --json \
| jq '.[]' -r \ | jq '.[]' -r \
| gum choose --no-limit --height=15 \ | gum choose --no-limit --height=15 \
| xargs nix flake update --commit-lock-file | xargs -L 1 nix flake lock --update-input
_a_machine: _a_machine:

24
misc/metrics-exporters.nix
View File

@@ -14,13 +14,31 @@
"::1" "::1"
values.hosts.ildkule.ipv4 values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6 values.hosts.ildkule.ipv6
values.hosts.ildkule.ipv4_global
values.hosts.ildkule.ipv6_global
]; ];
}; };
networking.firewall.allowedTCPPorts = [ 9100 ]; services.prometheus.exporters.systemd = {
enable = true;
port = 9101;
extraFlags = [
"--systemd.collector.enable-restart-count"
"--systemd.collector.enable-ip-accounting"
];
};
systemd.services.prometheus-systemd-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = [ 9100 9101 ];
services.promtail = { services.promtail = {
enable = true; enable = true;

122
modules/grzegorz.nix
View File

@@ -1,59 +1,95 @@
{config, lib, pkgs, ...}: {config, lib, pkgs, ...}:
let let
grg = config.services.grzegorz; grg = config.services.greg-ng;
grgw = config.services.grzegorz-webui; grgw = config.services.grzegorz-webui;
in {
services.pipewire.enable = true;
services.pipewire.alsa.enable = true;
services.pipewire.alsa.support32Bit = true;
services.pipewire.pulse.enable = true;
users.users.pvv = { machine = config.networking.hostName;
isNormalUser = true; in {
description = "pvv"; services.greg-ng = {
enable = true;
settings.host = "localhost";
settings.port = 31337;
enableSway = true;
enablePipewire = true;
}; };
services.grzegorz.enable = true; services.grzegorz-webui = {
services.grzegorz.listenAddr = "localhost"; enable = true;
services.grzegorz.listenPort = 31337; listenAddr = "localhost";
listenPort = 42069;
listenWebsocketPort = 42042;
hostName = "${machine}-old.pvv.ntnu.no";
apiBase = "https://${machine}-backend.pvv.ntnu.no/api";
};
services.grzegorz-webui.enable = true; services.gergle = {
services.grzegorz-webui.listenAddr = "localhost"; enable = true;
services.grzegorz-webui.listenPort = 42069; virtualHost = config.networking.fqdn;
services.grzegorz-webui.listenWebsocketPort = 42042; };
services.grzegorz-webui.hostName = "${config.networking.fqdn}";
services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
services.nginx.enable = true; services.nginx.enable = true;
services.nginx.virtualHosts = {
${config.networking.fqdn} = {
forceSSL = true;
enableACME = true;
kTLS = true;
serverAliases = [
"${machine}.pvv.org"
];
extraConfig = ''
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
};
services.nginx.virtualHosts."${config.networking.fqdn}" = { "${machine}-backend.pvv.ntnu.no" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
kTLS = true; kTLS = true;
serverAliases = [ serverAliases = [
"${config.networking.hostName}.pvv.org" "${machine}-backend.pvv.org"
]; ];
extraConfig = '' extraConfig = ''
allow 129.241.210.128/25; allow 129.241.210.128/25;
allow 2001:700:300:1900::/64; allow 2001:700:300:1900::/64;
deny all; deny all;
''; '';
locations."/" = { locations."/" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenPort}"; proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
proxyWebsockets = true;
};
}; };
# https://github.com/rawpython/remi/issues/216
locations."/websocket" = { "${machine}-old.pvv.ntnu.no" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenWebsocketPort}"; forceSSL = true;
proxyWebsockets = true; enableACME = true;
}; kTLS = true;
locations."/api" = { serverAliases = [
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}"; "${machine}-old.pvv.org"
}; ];
locations."/docs" = { extraConfig = ''
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}"; allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
locations."/" = {
proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenPort}";
};
# https://github.com/rawpython/remi/issues/216
locations."/websocket" = {
proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenWebsocketPort}";
proxyWebsockets = true;
};
locations."/api" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
};
locations."/docs" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
};
}; };
}; };
} }

30
packages/bluemap.nix Normal file
View File

@@ -0,0 +1,30 @@
{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
stdenvNoCC.mkDerivation rec {
pname = "bluemap";
version = "5.2";
src = fetchurl {
url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
hash = "sha256-4vld+NBwzBxdwbMtsKuqvO6immkbh4HB//6wdjXaxoU=";
};
dontUnpack = true;
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
runHook preInstall
makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
runHook postInstall
'';
meta = {
description = "3D minecraft map renderer";
homepage = "https://bluemap.bluecolored.de/";
sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ dandellion ];
mainProgram = "bluemap";
};
}

50
packages/mediawiki-extensions/default.nix
View File

@@ -12,7 +12,7 @@ let
name name
, commit , commit
, hash , hash
, tracking-branch ? "REL1_41" , tracking-branch ? "REL1_42"
, kebab-name ? kebab-case-name name , kebab-name ? kebab-case-name name
, fetchgit ? pkgs.fetchgit , fetchgit ? pkgs.fetchgit
}: }:
@@ -33,63 +33,63 @@ in
lib.mergeAttrsList [ lib.mergeAttrsList [
(mw-ext { (mw-ext {
name = "CodeEditor"; name = "CodeEditor";
commit = "7d8447035e381d76387e38b92e4d1e2b8d373a01"; commit = "9f69f2cf7616342d236726608a702d651b611938";
hash = "sha256-v2AlbP0vZma3qZyEAWGjZ/rLcvOpIMroyc1EixKjlAU="; hash = "sha256-sRaYj34+7aghJUw18RoowzEiMx0aOANU1a7YT8jivBw=";
}) })
(mw-ext { (mw-ext {
name = "CodeMirror"; name = "CodeMirror";
commit = "a7b4541089f9b88a0b722d9d790e4cf0f13aa328"; commit = "1a1048c770795789676adcf8a33c1b69f6f5d3ae";
hash = "sha256-clyzN3v3+J4GjdyhrCsytBrH7VR1tq5yd0rB+32eWCg="; hash = "sha256-Y5ePrtLNiko2uU/sesm8jdYmxZkYzQDHfkIG1Q0v47I=";
}) })
(mw-ext { (mw-ext {
name = "DeleteBatch"; name = "DeleteBatch";
commit = "cad869fbd95637902673f744581b29e0f3e3f61a"; commit = "b76bb482e026453079104d00f9675b4ab851947e";
hash = "sha256-M1ek1WdO1/uTjeYlrk3Tz+nlb/fFZH+O0Ok7b10iKak="; hash = "sha256-GebF9B3RVwpPw8CYKDDT6zHv/MrrzV6h2TEIvNlRmcw=";
}) })
(mw-ext { (mw-ext {
name = "PluggableAuth"; name = "PluggableAuth";
commit = "4111a57c34e25bde579cce5d14ea094021e450c8"; commit = "1da98f447fd8321316d4286d8106953a6665f1cc";
hash = "sha256-aPtN8A9gDxLlq2+EloRZBO0DfHtE0E5kbV/adk82jvM="; hash = "sha256-DKDVcAfWL90FmZbSsdx1J5PkGu47EsDQmjlCpcgLCn4=";
}) })
(mw-ext { (mw-ext {
name = "Popups"; name = "Popups";
commit = "f1bcadbd8b868f32ed189feff232c47966c2c49e"; commit = "9b9e986316b9662b1b45ce307a58dd0320dd33cf";
hash = "sha256-PQAjq/X4ZYwnnZ6ADCp3uGWMIucJy0ZXxsTTbAyxlSE="; hash = "sha256-rSOZHT3yFIxA3tPhIvztwMSmSef/XHKmNfQl1JtGrUA=";
}) })
(mw-ext { (mw-ext {
name = "Scribunto"; name = "Scribunto";
commit = "7b99c95f588b06635ee3c487080d6cb04617d4b5"; commit = "eb6a987e90db47b09b0454fd06cddb69fdde9c40";
hash = "sha256-pviueRHQAsSlv4AtnUpo2Cjci7CbJ5aM75taEXY+WrI="; hash = "sha256-Nr0ZLIrS5jnpiBgGnd90lzi6KshcsxeC+xGmNsB/g88=";
}) })
(mw-ext { (mw-ext {
name = "SimpleSAMLphp"; name = "SimpleSAMLphp";
kebab-name = "simple-saml-php"; kebab-name = "simple-saml-php";
commit = "ecb47191fecd1e0dc4c9d8b90a9118e393d82c23"; commit = "fd4d49cf48d16efdb91ae8128cdd507efe84d311";
hash = "sha256-gKu+O49XrAVt6hXdt36Ru7snjsKX6g2CYJ0kk/d+CI8="; hash = "sha256-Qdtroew2j3AsZYlhAAUKQXXS2kUzUeQFnuR6ZHdFhAQ=";
}) })
(mw-ext { (mw-ext {
name = "TemplateData"; name = "TemplateData";
commit = "1ec66ce80f8a4322138efa56864502d0ee069bad"; commit = "836e3ca277301addd2578b2e746498ff6eb8e574";
hash = "sha256-Lv3Lq9dYAtdgWcwelveTuOhkP38MTu0m5kmW8+ltRis="; hash = "sha256-UMcRLYxYn+AormwTYjKjjZZjA806goMY2TRQ4KoS5fY=";
}) })
(mw-ext { (mw-ext {
name = "TemplateStyles"; name = "TemplateStyles";
commit = "581180e898d6a942e2a65c8f13435a5d50fffa67"; commit = "06a2587689eba0a17945fd9bd4bb61674d3a7853";
hash = "sha256-zW8O0mzG4jYfQoKi2KzsP+8iwRCLnWgH7qfmDE2R+HU="; hash = "sha256-C7j0jCkMeVZiLKpk+55X+lLnbG4aeH+hWIm3P5fF4fw=";
}) })
(mw-ext { (mw-ext {
name = "UserMerge"; name = "UserMerge";
commit = "c17c919bdb9b67bb69f80df43e9ee9d33b1ecf1b"; commit = "41759d0c61377074d159f7d84130a095822bc7a3";
hash = "sha256-+mkzTCo8RVlGoFyfCrSb5YMh4J6Pbi1PZLFu5ps8bWY="; hash = "sha256-pGjA7r30StRw4ff0QzzZYUhgD3dC3ZuiidoSEz8kA8Q=";
}) })
(mw-ext { (mw-ext {
name = "VisualEditor"; name = "VisualEditor";
commit = "90bb3d455892e25317029ffd4bda93159e8faac8"; commit = "a128b11fe109aa882de5a40d2be0cdd0947ab11b";
hash = "sha256-SZAVELQUKZtwSM6NVlxvIHdFPodko8fhZ/uwB0LCFDA="; hash = "sha256-bv1TkomouOxe+DKzthyLyppdEUFSXJ9uE0zsteVU+D4=";
}) })
(mw-ext { (mw-ext {
name = "WikiEditor"; name = "WikiEditor";
commit = "8dba5b13246d7ae09193f87e6273432b3264de5f"; commit = "21383e39a4c9169000acd03edfbbeec4451d7974";
hash = "sha256-vF9PBuM+VfOIs/a2X1JcPn6WH4GqP/vUJDFkfXzWyFU="; hash = "sha256-aPVpE6e4qLLliN9U5TA36e8tFrIt7Fl8RT1cGPUWoNI=";
}) })
] ]

16
secrets/bekkalokk/bekkalokk.yaml
View File

@@ -5,12 +5,9 @@ gitea:
database: ENC[AES256_GCM,data:UlS33IdCEyeSvT6ngpmnkBWHuSEqsB//DT+3b7C+UwbD8UXWJlsLf1X8/w==,iv:mPRW5ldyZaHP+y/0vC2JGSLZmlkhgmkvXPk4LazkSDs=,tag:gGk6Z/nbPvzE1zG+tJC8Sw==,type:str] database: ENC[AES256_GCM,data:UlS33IdCEyeSvT6ngpmnkBWHuSEqsB//DT+3b7C+UwbD8UXWJlsLf1X8/w==,iv:mPRW5ldyZaHP+y/0vC2JGSLZmlkhgmkvXPk4LazkSDs=,tag:gGk6Z/nbPvzE1zG+tJC8Sw==,type:str]
email-password: ENC[AES256_GCM,data:KRwC+aL1aPvJuXt91Oq1ttATMnFTnuUy,iv:ats8TygB/2pORkaTZzPOLufZ9UmvVAKoRcWNvYF1z6w=,tag:Do0fA+4cZ3+l7JJyu8hjBg==,type:str] email-password: ENC[AES256_GCM,data:KRwC+aL1aPvJuXt91Oq1ttATMnFTnuUy,iv:ats8TygB/2pORkaTZzPOLufZ9UmvVAKoRcWNvYF1z6w=,tag:Do0fA+4cZ3+l7JJyu8hjBg==,type:str]
passwd-ssh-key: ENC[AES256_GCM,data:L0lF0wvpayss1NU9m3A45cH0bCMQzODTFVrq6EPd1JHx54wIcoaRBYLmxXKXASzBlCg9zlwXMUIk3OQcS3kdzMKL0iqcSL2iicAcKjFIHyrWLqXgwV5pRSP/tRPcVw8KW8gz0bh33EgESs5ReddZ3VZ0Cy1s2YupMRQvBXr89k1+Hv70OWB6P06hvxhv/zKcMGI1N/dWLroMgrQuT9imw4+/Q1RqwzTYeEU+eUn24AM9GjcBg4qf3OI+6g0nXUat/upIYE28iF5J3lbUSmDSmirBLc8xgHLdOyyJPTObWYWYxlSL78T7IqiMm9lI3rtBlpJDDcn/YxZpVqN5bg2154GISNK+uR0TVSLdJ+drdGHIfIX3G78XSxf2L9rbJyRn8MQlgStfdBIQicLavQKVMrmj+XQfvEMez23WbPLjH4oViBQFI+GrOHOGy/f16cz8Sn4n+69OcsOeTxs3tKYdfq6r1XLYSJ/fe/zvxBpaZiyGXljsuyEdIyBL2A8D6uSXe3Nd3/DAdBtceFfIdN1olCdutixzVWgxaJnrel161z5A/4w=,iv:Uy46yY3jFYSvpxrgCHxRMUksnWfhf5DViLMvCXVMMl4=,tag:wFEJ5+icFrOKkc56gY0A5g==,type:str] passwd-ssh-key: ENC[AES256_GCM,data:L0lF0wvpayss1NU9m3A45cH0bCMQzODTFVrq6EPd1JHx54wIcoaRBYLmxXKXASzBlCg9zlwXMUIk3OQcS3kdzMKL0iqcSL2iicAcKjFIHyrWLqXgwV5pRSP/tRPcVw8KW8gz0bh33EgESs5ReddZ3VZ0Cy1s2YupMRQvBXr89k1+Hv70OWB6P06hvxhv/zKcMGI1N/dWLroMgrQuT9imw4+/Q1RqwzTYeEU+eUn24AM9GjcBg4qf3OI+6g0nXUat/upIYE28iF5J3lbUSmDSmirBLc8xgHLdOyyJPTObWYWYxlSL78T7IqiMm9lI3rtBlpJDDcn/YxZpVqN5bg2154GISNK+uR0TVSLdJ+drdGHIfIX3G78XSxf2L9rbJyRn8MQlgStfdBIQicLavQKVMrmj+XQfvEMez23WbPLjH4oViBQFI+GrOHOGy/f16cz8Sn4n+69OcsOeTxs3tKYdfq6r1XLYSJ/fe/zvxBpaZiyGXljsuyEdIyBL2A8D6uSXe3Nd3/DAdBtceFfIdN1olCdutixzVWgxaJnrel161z5A/4w=,iv:Uy46yY3jFYSvpxrgCHxRMUksnWfhf5DViLMvCXVMMl4=,tag:wFEJ5+icFrOKkc56gY0A5g==,type:str]
gpg-signing-key: ENC[AES256_GCM,data:y/g1rpsEgiGEJ9BGii6te166ABpg1jgsyYMT1Ji5njLbT8/juBBMc7BFEM5BcIxKpQGijymsB+Htl8CZAN4Bl3FHSRyrnXGuMCnveJfw1qTVjMa6soriHv7EdTDFPCp3TYMbs1OgY/bhGJIvp8e4hCVd4F3x8eAlFmiwHhkxr62qQNHjH7SRNIyUNibf/TTttOeEcercxOy7FeUE99D+CWG4pnJNEYyRHDdddalgpSJyZIJvPpXoKmeCDk3futnxiZ15Vr7bDS5u4dqnE+no7DKoZ5fvk38f/77JH3w/Qom7NCYSG6L+unJ3r3RKuuGMRDjdz09TPZ4APpmrlyOElfGMmm134g6mdhgXmwNCo65Z7VOd1OKFA/uyZm2b7XsT3tCgRalE8gBa0R3MBMi3JK+5KUdS6ZUvYXDt8D8C68ldM3K9E7lyeeHn775rV6L4JIXcj/NL1O23sXtjeVuUPQmsUesgYlllRaiTSTfY7K+yOIG3wqqCuCDSAeILQICkvod4iw4xdVMQzd8eQtbD6bCjOzHwvBcu+rOSN6ti+xOQ7bJ9+6xhCgJJsiADkp2q09cUu8mDbUh+YJxfu+oZhPomOJVDMSqfS4qNXcVM9mbak/L9KPR4b83GqTpmXHnDMlGe4BHGXrkIUKPsBQ5TmdckXbpRDBQFrnjVvFT+Gfx3xwHxWc9fbxcFID2wp69EzQrGC77bDPCFxBT5vAVwffGYUezPQEo25bKRpCWxTFTpiIQfACrwzZc/O9cmwDgrYN7bTZyrrp8cbyBtllZGYmXxLDkDOzIqzpLG3b0yJC2jSnw0f1DkU6M2mD/j9FRTVW1MVymyLPiZQ7T9QyZ3MekHEEY1QqmyiJMIOekSzC5+3Us6Nl32MeBrIry6NuV8ewIQF5bcZEHtSmZ0k/wBtK0fpFHUuc/vETFuRUiQw/InhN5W8iH78vFvflxBfg61Qp7PzEx0k0axwEc6VAKbEg/uFNL+fhUKKt7sYiEBmwg2Vsj3pyZgdmjPZEsOQ86+psaxv+2feH94wog47jDHFRrc4iRC5w7kZ6UJXHfZt9lkBbwl4qNwiOLlPnUUcR+CpTBpPoKD9ulidQGfcYY49+iE+PM5dAI2CtisKpLQiwmrvjOzB1a/rC9QnH679frgH5Ebb57WRL4uSAVNRdIvIGzAF5MNwQOu+cxKoiW6ZmuNJSb547XUB1UO,iv:aKzrgAV30sLfPEpgdQ26ZzdM3+gYtoSpZ9mNyqCqf/M=,tag:vjywN4qxh2zsCE3RPG6Yrw==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str] ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str] import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str]
runners:
alpha: ENC[AES256_GCM,data:gARxCufePz+EMVwEwRsL2iZUfh9HUowWqtb7Juz3fImeeAdbt+k3DvL/Nwgegg==,iv:3fEaWd7v7uLGTy2J7EFQGfN0ztI0uCOJRz5Mw8V5UOU=,tag:Aa6LwWeW2hfDz1SqEhUJpA==,type:str]
beta: ENC[AES256_GCM,data:DVjS78IKWiWgf+PuijCZKx4ZaEJGhQr7vl+lc7QOg1JlA4p9Kux/tOD8+f2+jA==,iv:tk3Xk7lKWNdZ035+QVIhxXy2iJbHwunI4jRFM4It46E=,tag:9Mr6o//svYEyYhSvzkOXMg==,type:str]
epsilon: ENC[AES256_GCM,data:JMnZVBdiy+5oPyXgDpfYvy7qLzIEfHy09fQSBDpNG4zDXTil2pSKBKxk09h5xg==,iv:/8oXKJW6+sMBjDt51MqVAWjQPM5nk02Lv5QqbZsZ5ms=,tag:+Rx7ursfVWc0EcExCLgLhQ==,type:str]
mediawiki: mediawiki:
password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str] password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str] postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str]
@@ -18,6 +15,8 @@ mediawiki:
postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str] postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str]
cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str] cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str]
admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str] admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
roundcube:
postgres_password: ENC[AES256_GCM,data:fGHmq6r/ZCeIseHL8/gmm5DfWQYorI3OJq1TW0EHvh7rHL62M4TE+Lrlrmq8AIlmGLSWtO8AQzOP3toxidL6xWX3pcwLxtTefa1gom2oQf6ZL4TbAZLidHksdiro6pWtpMOO66bb8O9eXvZmns4=,iv:Irnb2/bgx8WilDyRLleWfo6HHafZ+vlDEwxIcgm1f18=,tag:eTNBUELmLwO7DsQN9CLX7Q==,type:str]
idp: idp:
cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str] cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str] admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
@@ -32,6 +31,9 @@ nettsiden:
admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str] admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
vaultwarden: vaultwarden:
environ: ENC[AES256_GCM,data:CST5I8x8qAkrTy/wbMLL6aFSPDPIU7aWsD1L1MnIATRmk7fcUhfTSFds7quJmIpb2znsIT/WxNI/V/7UW+9ZdPKI64hfPR8MtvrJcbOhU5Fe2IiytFymFbhcOgWAXjbGzs7knQmpfMxSl98sU71oLkRuFdkousdnh4VQFZhUCYM=,iv:Is6xQ7DGdcAQgrrXCS9NbJk67O2uR82rbKOXBTzZHWw=,tag:XVEjCEM5t8qJl6jL89zrkw==,type:str] environ: ENC[AES256_GCM,data:CST5I8x8qAkrTy/wbMLL6aFSPDPIU7aWsD1L1MnIATRmk7fcUhfTSFds7quJmIpb2znsIT/WxNI/V/7UW+9ZdPKI64hfPR8MtvrJcbOhU5Fe2IiytFymFbhcOgWAXjbGzs7knQmpfMxSl98sU71oLkRuFdkousdnh4VQFZhUCYM=,iv:Is6xQ7DGdcAQgrrXCS9NbJk67O2uR82rbKOXBTzZHWw=,tag:XVEjCEM5t8qJl6jL89zrkw==,type:str]
bluemap:
ssh-key: ENC[AES256_GCM,data:nPwsT4RYbMbGp2MChLUh6NXW4ckYr7SQcd6Gy2G8CEU+ugew5pt4d6GOK1fyekspDtet3EkPL2F1AsoPFBB2Rv0boARMslAhBqwWSsbBJTXeTEgAABSMxTPJRBtfJucvv426nyIj3uApoknz6mDCQh1OI6mER0fis7MPaM1506HlDlnIT0FV9EairEsaAmbd0yddByGJSccKIza2vW0qWqrz83P+xrakEONxFz0fJlkO5PRXCcQJVBCqWQfnaHNrWeBWv0QA7vAHlT0yjqJCpDRxN2KYrPWsz7sUbB4UZOtykCRM5kKFq73GUaOKqVECJQhcJi6tERhpJELwjjS8MSqvBD90UTKTshGugfuygTaOyUx4wou3atxMR2Rah9+uZ6mBrLAOLX3JKiAtyhFewPMWjd/UhbMPuzNageVBNz2EMpa4POSVwz5MyViKNSgr9cPcNGqmrnjvr/W/lnj6Ec+W80RiXQlADSE4Q6diLLwB9nlHvKs8NTDgv6sUafcPHpJ2+N4Jkb96dE14bMffQ385SI4vLDcQ8xCQ,iv:WdJIHRzjlm8bEldolCx1Q7pZJvjxGkNZALSOy3IjizU=,tag:5ZAikiqttq/76+thG+4LMw==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data:J6V+NJ9TvYUL2gmcqWWYt8X+n0M7i0RpDpBelWAbFMH64+e9ztHNnC491sm+RogDxqKk0kwQyX2Mz00iq3Gc3wDYyozGOdv3tBKrp7/LcfjUQ9T9hi0yTD3eNV0LAjlAWMTdlW65VGHqGst8ncKbUuVxbBASVlh3A321toZgD+xxUAtNz7qKFa6fDbOS0xLD1+CmTwVp+aPos//QIKzjuk1HqxfBNK82maKtD4JHPS+Y3be2wIEjGWq3H6JYN/RDojD88D/jzo9RwvEjpqLXoOVfy8uX/fbEsgkgfAmPiaG+ePCnchSExEe3a6Y0E+I6YIzvP+tGThJpu4HaT/yW2Rww/jvsxKrXSUhtBZI/SIX5ZAIFB3sFjJXQefJjfNpQTQWhbspLfdemafGaRiDnzVgKDhNL1HNMNsXKDfWa0SLs4//dqerom/QCCNsaqV+4HVzv5x44srChGERadQI/Wh4UG2R19xxbdyIsKPHzv7BhEKufJkjc5upBjWygQrGAkTRHugFpw2Tdkz9yUQSujMkaeRKhVkA+ZUAjwnY5TwqNZBj7U3K2JXoNVHAq194XmrA2dNghh0OmRrvKGwM3HKexX22SXT0bPlpdWRQpMbUgV+uHLMerlDpNMFTIueEBkaF/FWeSW2N5WUrUb1uJ91QcJ8JBgN1riuD1Oxv9RRPrY9VVNJMrYjpAAREN8i8brMTOCJ35s7jnqIei0dNmnNXOoQZPs9kUMeEtUc/Df1E8/aO2Y4yU9gHUuevXnAJWFAiu2IxssgPk6CcNxvapJEmlwkLK/JyuDsWwFxVOHfw5QIEsoDVWXt6eMhquqUgzJI1q7QrTWUQsBb5A5sQKYWQHempOaXuQn1bzA7mU3Gzsr8bNNc6tpy+6j3zTXYR067EX00yqPG+kqRn4QVIuhByxXP3cwXLUG9uD1lsqWrGzs6WCnHr7txhRBXf4WbBVmXModO3uf36cDYEwrUa6yBsARtSl8PJ0UadfY/xULcT5PFvu9+Hi2qj3vp4IU3JCJa9AvXB+11pbSdawprjuDhwQtPwkJ4CQyvZsom3/BOrmwYM5+EyMDIluEQ0z6eDE5buiIVbX6IvXnDCKbrnqVwavX2wqyiDduFLjRfWL/3U2O1yRim78smrDMJABJZvtW+a+GfmlnTd/gnFvS70Fmm/lgtY051ISL/iFx6toJRoBMMiI/Zvy13uQry+w/HbyFl42DIank8tf7kuN3E9M7ADGMubRJJ0AZOcQddrFnR4Gl2nU2+3RS5fLHaBf9QHK6W92/n//xmPkYqrkPacew4eBjUqM32jVGuBpDc964fK9kdtIdw8q5P1s/ph3I79Y24kGeuO1AVJuZvkaTv1Z7GgI9+K9TstKJ9XpRCidLpLSP+uHOWkqcNsQlt6ilTlfHj+MKoD85dKZ315QMmpiuYEvzCSP1aYTb9dpd61Su/IVuM3r2NuINNEZ166YlHQVsLNpDn8E5ahk3ZInOAg6/kaKTmjUI8KEvX4BR3PbbViAlJJb3suJ0oZBGPUlrW5uLRmADvf2mMDVO5zY7/m9DQwxjt4Miu0l8ZaUc0YJQ850lBKucQ==,iv:GI8w7h7xX8gMHuAoWUyrW+BQb85LNlASoYvGBPlCZaI=,tag:WnHNMevfFSMc0ikBZwWn/g==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@@ -92,8 +94,8 @@ sops:
UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr
4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg== 4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-26T19:38:58Z" lastmodified: "2024-12-09T21:18:23Z"
mac: ENC[AES256_GCM,data:3FyfZPmJ7znQEul+IwqN1ZaM53n6os3grquJwJ9vfyDSc2h8UZBhqYG+2uW9Znp9DSIjuhCUI8iqGKRJE0M/6IDICeXms/5+ynVFOS9bA2cdzPvWaj0FFAd2x3g4Vhs47+vRlsnIe/tMiKU3IOvzOfI6KAUHc9L2ySrzH7z2+fo=,iv:1iZSR9qOIEtf+fNbtWSwJBIUEQGKadfHSVOnkFzOwq8=,tag:Sk6JEU1B6Rd1GXLYC6rQtQ==,type:str] mac: ENC[AES256_GCM,data:scdduZPcJZgeT9LarRgxVr/obYsGrJAbMoLGJPPPp19qxOJMTdvYfMz8bxPjCikB4MacEgVZmcnKIn5aCzHJAnCI/7F2wm1DDtW9ZI5qbhDJKSSld+m2leOSPfR8VY/0qj6UNgGnwkwx7dfcAlv8cP2Sp3o1M2oyQxeXPr5FWEg=,iv:JEAwkCewMp0ERmYU62kZkbl7+FET1ZeRr6xeEwt6ioM=,tag:jxvli935X3JyZYe7fFbnLg==,type:str]
pgp: pgp:
- created_at: "2024-08-04T00:03:28Z" - created_at: "2024-08-04T00:03:28Z"
enc: |- enc: |-
@@ -116,4 +118,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.9.1

16
secrets/bicep/matrix.yaml
View File

@@ -2,14 +2,16 @@ synapse:
turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str] turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str]
user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str] user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str]
signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str] signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str]
sliding-sync:
env: ENC[AES256_GCM,data:DsU1qKTy5sn06Y0S5kFUqZHML20n6HdHUdXsQRUw,iv:/TNTc+StAZbf6pBY9CeXdxkx8E+3bak/wOqHyBNMprU=,tag:er5u4FRlSmUZrOT/sj+RhQ==,type:str]
coturn: coturn:
static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str] static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str]
mjolnir: mjolnir:
access_token: ENC[AES256_GCM,data:ERFqZjK7MRD0xWt91FNCIxP1YC6Qj54QgnckHlCTtcQVLWaM1h2h9lHS+K8=,iv:1d7vmFkXAPcsmumzlmOT31amdrKLWtL5sJiS8G9g+LE=,tag:2l0vWzJ6P12ofuBdf5CCWw==,type:str] access_token: ENC[AES256_GCM,data:ERFqZjK7MRD0xWt91FNCIxP1YC6Qj54QgnckHlCTtcQVLWaM1h2h9lHS+K8=,iv:1d7vmFkXAPcsmumzlmOT31amdrKLWtL5sJiS8G9g+LE=,tag:2l0vWzJ6P12ofuBdf5CCWw==,type:str]
registrations: discord:
mx-puppet-discord: ENC[AES256_GCM,data:FleyXxgOmc05nTP6M2DBJlacufN3p/05eZm4kB8+K4ci0k24o3zli988wlM/kyeZmxu4pgQlJ3lNLte4uip2hBXHWG5t5Ldzmr7bNCUD+r7nM+I1lfNkrDROPZ54bHysmn9O5CHpEa16rSo6RJgncIPqsLJxTwjC7qZlkOpzqvMhkq/MHCVOpvg0M/6AUR+AlSZoggujBMoXLznQNQapN13foEsbuo/QxjszM/ObGmhYMVyaS+TDBXzQLA8Yuj50Q/gZCIINWZ4G2qmgsGxxNR4I+usUQml/jxCtIXS4zn/ettXfL9G4Fdm2F9u1v11DehtTGa5xoxDq94M9rIxOqeJpvgEQEyyKAyFUIrlINfGl7tAj4Zu7+9Z8JTRAnppjM1q8iInwn/Z2L9KgB0YFi/Go1whgXly+TH6hpreo7m5klXV/ff/aV3ghOgFCGA8nBrZFqE8Uw268q9tV1s1dxCb6TbpGf19V5c9MD6BsCIVeoq+j9I/I8iZpzg2Reb4IlHhMDwbwsL2w2ks30wiZ9XO/CFrXDY4uBlI=,iv:3vvkGvldS8Raibg6tzlV8VY1O9NCLxSuNX/lwi1QgiA=,tag:D/noIsE3xlOiYM6Pk+cc8Q==,type:str] as_token: ENC[AES256_GCM,data:cnPZjBbODZUA1p0kLNeWpKh1oGkDPxDw/g7163XnoRCIgpqk,iv:Uu4L36uDPMBgzdXE2Lt9U0qrBSl3Xuufh1313BD8B/U=,tag:nTm6s7IGd4vNzZ95mfxDpA==,type:str]
hs_token: ENC[AES256_GCM,data:UzcaNsJtJPKvFT4gQDNfat0nmyJzmQ6OcSI73pANibzOVrWl,iv:ujgRM2jb1rbeloPB4UPLBEvQ7uue4a+bHiqsZAHIqtk=,tag:uIfuaTWSTeVvpQx5o28HPA==,type:str]
hookshot:
as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@@ -70,8 +72,8 @@ sops:
WEh5NFN6SFF1TlltdWFWTGw4MHRHUkUKrKIvC87xjEmwxPQhH8dN+ZuaJTCgPY28 WEh5NFN6SFF1TlltdWFWTGw4MHRHUkUKrKIvC87xjEmwxPQhH8dN+ZuaJTCgPY28
pR62KxmoKFICLTHPpYP3euiAx5M9BWvgvCnA/US/5klpk8MtlreNFA== pR62KxmoKFICLTHPpYP3euiAx5M9BWvgvCnA/US/5klpk8MtlreNFA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-22T00:31:46Z" lastmodified: "2024-10-13T23:30:01Z"
mac: ENC[AES256_GCM,data:UpnaUfRxvdyzBy5x4EC3w5LQ1qWxILTQhpyVPd9whTzQMAivAHT0pVmP9aE4T9w3NcWTaghp+f70GmQXx/OCC6DsRCWtU9pFHRj12YUowM3yB5lVTOomOLZQ9m4gUXw5I2GZHWBJn8CyosDcBMlXz2tiR91v/8Ulh6sDSAO86U0=,iv:5GcgRvbpqDEslZruKHM/TcMaF52A5X7AK41DEbrsRIQ=,tag:ndDgCRyX1aDRnzEUNmpoMw==,type:str] mac: ENC[AES256_GCM,data:vdsAZmg7gPqzeucBhLhPemtRVkcxRecIdB6PXZ4paU+Uv5UorBKcTZ3jseN2cLi6ot3ycTIm+UI6uhlCy87vAJVynVJhuJS+ICFRS2+DfoVyuttLjZQGC2sr3+dEBHxIH7sZJSo9PIzbIWw3qHrpOPAZj0//1pFyp/k15k3vidM=,iv:jWtV+WAPt08lgdrVvtXOl35rDB4QflkZWuGBW1+ESyw=,tag:YxSHncZZOAW5uDxXtb/krw==,type:str]
pgp: pgp:
- created_at: "2024-08-04T00:03:46Z" - created_at: "2024-08-04T00:03:46Z"
enc: |- enc: |-
@@ -94,4 +96,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.8.1

90
secrets/ustetind/ustetind.yaml Normal file
View File

@@ -0,0 +1,90 @@
gitea:
runners:
alpha: ENC[AES256_GCM,data:Hnq2guka4oERPIFCv1/ggrLjaePA7907VHXMStDQ7ll3hntTioT76qGOUJgfIw==,iv:wDPYuuL6VAWJakrz6asVRrzwRxqw0JDRes13MgJIT6E=,tag:ogFUeUirHVkCLN63nctxOw==,type:str]
beta: ENC[AES256_GCM,data:HmdjBvW8eO5MkzXf7KEzSNQAptF/RKN8Bh03Ru7Ru/Ky+eJJtk91aqSSIjFa+Q==,iv:Hz9HE3U6CFfZFcPmYMd6wSzZkSvszt92L2gV+pUlMis=,tag:LG3NfsS7B1EdRFvnP3XESQ==,type:str]
epsilon: ENC[AES256_GCM,data:wfGxwWwDzb6AJaFnxe/93WNZGtuTpCkLci/Cc5MTCTKJz6XlNuy3m/1Xsnw0hA==,iv:I6Zl+4BBAUTXym2qUlFfdnoLTHShu+VyxPMjRlFzMis=,tag:jjTyZs1Nzqlhjd8rAldxDw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYVl6ZnI5TkhxK0JKNnlL
WE5YZUZ2T1JEbCtvSVUxemZ1QUs4R2pjMWc0ClJ0cnU0c0d5bU5jWU1aVGd6WE45
Wm9OT0xPaTJ3Y2kxMU5RTHdRKy81b2sKLS0tIEx4SkFoV240VUJieWFlc3hRWU1Y
SWlwZnNOT3paRHRsTC9CQUp5SlBvTncKdcMI8pWtsfBpgeUagOmZUXIC6svkfmwE
QF3GpWZgeVvo8e2oT2kBjerCDlUlzd0jJ8aK+B56xifTm7ii3oCAIA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3QVBaQWlSZk43dEtHVWF1
WmFBcmx3eFUvU2lrd0RCUGx3a2hDWHEzTUR3Cm9BclM3OU9SUnpySDZJZHRudmtO
Ulp5OEZvZmMyRGJvQXJnUDVLdVRJUVkKLS0tIHE3M3MycE9pU1huYUREN3luWEZV
WlNuN3BWeHhqL1dEOUJBSVNTaVJ3eTgKb5MRfeaay22PI9V5hni5mhnb0QF8PG8H
bKWbc2SwdMNolrxhUiiIhdppEtXGHqLyBel786tuOdtEwVcy+m/rtA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaDB6enozMFpqcWxFdU93
MEg5RTRzZExzWGppenlBTlZZRlpqWDBPT0UwCnhOaXI5R3Jrd0hWY0xqc1VXaDJZ
TUxwSTZDcHd0bnZPR2N2d0JVTUJONnMKLS0tIENzOW9PM0tQSndVNmF1bTZ4anpw
b1RzL0NEOWg0dGZUa0Jpd3hiTlRGSm8KleRV5c/Xoe0B1VtnR3y0sgXpmhMS8pKl
TWaAQTRlM9X2Pk5M/J/bu369ncmw/kycJKjK6W1yluaGwBNuEP+K4Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0N1JvRVE0Y0xOMERMVXdB
enZiNk1DZTJTUnluRVBIWm9WNmFPc21rU0FZCjBIeHErSHgveFFFdk9ybWwrRXZG
WGpVcHliUW9Qb3dLb2Q0aWlrZmpiVm8KLS0tIG0wcXJVK2dMeG9NUTFQSzVtY2RG
UE1FS3MvSXlxdEtJVWxJVDRFSkRmQkkK/2z7Lu6LVd6RLZAXKs+JsPc+1kcqFAET
0zlTTTU0goTBLuXZ7uxFVZtqc1Nmoarf5Ksm/zcZ2B80P5ox9CzcWQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4SFpKcVBTTlp3SXhVaGQy
QVVEV3h6dTZVcmx6aFc1eHF4UzJPbXQ2RnhvCkZiOEYydWhCYUtwcUdieGpBeTZh
Z3dYVno5bFNkOUszNHBJNTdQWS9jUTQKLS0tIEhPVEdLK0RaclVvdklFNUJCcHNi
OXVobVJCTjhQZ2RTQ21xK2dUY0h5RGcKcPBgD5FIWuyQBhmPt5aqrWgEG1tzhtr0
gVyLxgtMFGeeShjdpivgcWI/GZZlhWJilJOoZo7f6TknvCIIKsrUSA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWlhiS1dxekZGZkRCQU9O
SktHRHRXL2VhNUJSRVhBeEM5UEZ1R0pFdXdrCnZQOUZaYitpSlJ0aXFpZXFrRFJj
MmZiLytvekZtVXYzamJDakc1RjdIREEKLS0tICtiOTZMRGZuWEdHTmZwRjZ2dUNT
aU4xWjVYYlNvSmYxajVGdzk5dTQ4WG8Klq12bSegsW29xp4qteuCB5Tzis6EhVCk
53jqtYe5UG9MjFVQYiSi2jJz5/dxfqSINMZ/Y/EB5LxbwgbFws8Yuw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-12T12:20:19Z"
mac: ENC[AES256_GCM,data:D9/NAd/zrF6pHFdZjTUqI+u4WiwJqt0w5Y+SYCS1o/dAXJE/ajHzse/vCSGXZIjP0yqe+S/NyTvhf+stw2B4dk6Njtabjd+PhG0hR4L0X07FtFqzB3u5pLHCb0bH9QLG5zWcyMkwNiNTCvhRUZzbcqLEGqqJ7ZjZAEUfYSR+Jls=,iv:5xPfODPxtQjgbl8delUHsmhD0TI2gHjrxpHV+qiFE00=,tag:HHLo5G8jhy/sKB3R+sKmwQ==,type:str]
pgp:
- created_at: "2024-12-09T21:17:27Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYARAAv2XS2jzoymOzpRHquUbYpUtbIeKXhPS8i9uk2zBvSKnr
b/jZCpvtkCcSz1UFm+HzSn/i1eNkj9ghObisifvqY6JbO0DIa1jFlx1TfE9pj8dE
rrNTsYfxNwdGOvklPBHm3vKY5qPiGlE71TaKkJcO79vE5jxwhUqzWI9SWAZY3cFw
IVJN44DT0I4ctTlwPM9eAYYodL8QP8OMXHJ/mjI4SPODRsvrOyy6rpip40Q+dU/N
DwRupzrRlxJ8BDSh/x6J/AryZSwkmChX9cYyGaDknJ3ONQ0XLhVUtLkAvPWtWeow
6NVHmUOJ39ockT1clhYy2P5rQTraZESuI7vaSS9zVIuScBnJwbSRZ5xgxSD6Fj+C
Y/JyogXa8FtyG6xeMgIwW7t/m/rbXL5OkP4w8D+CJs+4I55WXz054XOZ937EisVH
XAlNBIHixjQVckbb+sS7rEmegfoC+rvOXA0irpwXFiapAbMGUePCwQHdSBMP8orC
Tb3E8kqHATN40b8CpUBcPw6HCQKmbhe8o+R8NG6TZh6JH7kSztl2+SIIuMzhDflr
1AphY047Ku2RANaWfo+xyVZMWgAQcnoaUOeYaHJ9nZ7f2klJ3fnRtdXJn1gcO3i3
NZVRjjYHJgzCVCIZJa1b1TMGep84naF7NmRkNlS4wyv6MXGqSpHHZUGUBAQOCMPS
XAEqjZt8va0LKtsPsBOTGQDuzTar+2069fu6TjS07mJM2sTp/G8bGBnvjc0TIplZ
M5FOiCilI9yX7vQ0O3LUKJW5zELWnW2d+3okpGjgkr0BFERtM7BMCp6nxR6+
=rEY5
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.9.2

13
users/alfhj.nix Normal file
View File

@@ -0,0 +1,13 @@
{pkgs, ...}:
{
users.users.alfhj = {
isNormalUser = true;
extraGroups = [ "wheel" ];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMCAYE0U3sFizm/NSbKCs0jEhZ1mpAWPcijFevejiFL1 alfhj"
];
};
}

2
users/danio.nix
View File

@@ -3,7 +3,7 @@
{ {
users.users.danio = { users.users.danio = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "drift" "nix-builder-users" ]; extraGroups = [ "drift" "nix-builder-users" "wheel" ];
shell = pkgs.zsh; shell = pkgs.zsh;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [

11
users/frero.nix Normal file
View File

@@ -0,0 +1,11 @@
{ pkgs, ... }:
{
users.users.frero = {
isNormalUser = true;
extraGroups = [ "wheel" "drift" "nix-builder-users" ];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII09JbtSUMurvmHpJ7TmUQctXpNVhjFYhoJ3+1ZITmMx"
];
};
}

50
values.nix
View File

@@ -25,16 +25,21 @@ in rec {
hosts = { hosts = {
gateway = pvv-ipv4 129; gateway = pvv-ipv4 129;
gateway6 = pvv-ipv6 1;
bekkalokk = { bekkalokk = {
ipv4 = pvv-ipv4 168; ipv4 = pvv-ipv4 168;
ipv6 = pvv-ipv6 168; ipv6 = pvv-ipv6 168;
}; };
dagali = {
ipv4 = pvv-ipv4 185;
ipv6 = pvv-ipv6 185;
};
ildkule = { ildkule = {
ipv4 = "10.212.25.209"; ipv4 = "129.241.153.213";
ipv6 = "2001:700:300:6025:f816:3eff:feee:812d"; ipv4_internal = "192.168.12.209";
ipv4_internal_gw = "192.168.12.1";
ipv4_global = "129.241.153.213"; ipv6 = "2001:700:300:6026:f816:3eff:fe58:f1e8";
ipv6_global = "2001:700:300:6026:f816:3eff:fe58:f1e8";
}; };
bicep = { bicep = {
ipv4 = pvv-ipv4 209; ipv4 = pvv-ipv4 209;
@@ -59,39 +64,18 @@ in rec {
ipv4 = pvv-ipv4 204; ipv4 = pvv-ipv4 204;
ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
}; };
buskerud = { ustetind = {
ipv4 = pvv-ipv4 231; ipv4 = pvv-ipv4 234;
ipv6 = pvv-ipv6 231; ipv6 = pvv-ipv6 234;
}; };
}; };
defaultNetworkConfig = { defaultNetworkConfig = {
networkConfig.IPv6AcceptRA = "no"; dns = [ "129.241.0.200" "129.241.0.201" "2001:700:300:1900::200" "2001:700:300:1900::201" ];
gateway = [ hosts.gateway ];
dns = [ "129.241.0.200" "129.241.0.201" ];
domains = [ "pvv.ntnu.no" "pvv.org" ]; domains = [ "pvv.ntnu.no" "pvv.org" ];
gateway = [ hosts.gateway hosts.gateway6 ];
networkConfig.IPv6AcceptRA = "no";
DHCP = "no"; DHCP = "no";
}; };
openstackGlobalNetworkConfig = {
networkConfig.IPv6AcceptRA = "yes";
dns = [ "129.241.0.200" "129.241.0.201" ];
domains = [ "pvv.ntnu.no" "pvv.org" ];
DHCP = "yes";
};
openstackLocalNetworkConfig = {
networkConfig.IPv6AcceptRA = "no";
dns = [ "129.241.0.200" "129.241.0.201" ];
domains = [ "pvv.ntnu.no" "pvv.org" ];
DHCP = "yes";
# Only use this network for link-local networking, not global/default routes
dhcpV4Config.UseRoutes = "no";
routes = [
{ routeConfig = { Destination = "10.0.0.0/8"; Gateway = "_dhcp4"; }; }
];
linkConfig.RequiredForOnline = "no";
};
} }