


30 changed files with 280 additions and 80 deletions


@ -13,6 +13,7 @@ keys:
- &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0 - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2 - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
- &host_kvernberg age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz
creation_rules: creation_rules:
# Global secrets # Global secrets
@ -78,3 +79,9 @@ creation_rules:
- *user_pederbs_bjarte - *user_pederbs_bjarte
pgp: pgp:
- *user_oysteikt - *user_oysteikt
- path_regex: secrets/kvernberg/[^/]+$
key_groups:
- age:
- *host_kvernberg
- *user_danio
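Review bot: The new `secrets/kvernberg/[^/]+$` rule encrypts only to `host_kvernberg` and `user_danio`, whereas the rule immediately above it also lists other user recipients and a `pgp` key (`*user_oysteikt`); with a single human recipient the kvernberg secrets cannot be re-keyed or recovered if that one user key is lost or revoked. Consider adding the same administrator recipients the other host rules use (the full key list of the preceding rule is outside the hunk, so I cannot confirm it here) and then running `sops updatekeys` on the files under `secrets/kvernberg/` so the committed `.priv` file picks up the extra recipients.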


@ -1,9 +1,9 @@
{ pkgs, lib, ... }: { pkgs, lib, fp, ... }:
{ {
imports = [ imports = [
../users (fp /users)
../modules/snakeoil-certs.nix (fp /modules/snakeoil-certs.nix)
./networking.nix ./networking.nix
./nix.nix ./nix.nix


@ -2,12 +2,12 @@
{ {
system.autoUpgrade = { system.autoUpgrade = {
enable = true; enable = true;
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git"; flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git?ref=pvvvvv";
flags = [ flags = [
# --update-input is deprecated since nix 2.22, and removed in lix 2.90 # --update-input is deprecated since nix 2.22, and removed in lix 2.90
# https://git.lix.systems/lix-project/lix/issues/400 # https://git.lix.systems/lix-project/lix/issues/400
"--refresh" "--refresh"
"--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.05-small" "--override-input" "nixpkgs" "github:NixOS/nixpkgs/refs/pull/332699/merge"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small" "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
"--no-write-lock-file" "--no-write-lock-file"
]; ];
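Review bot: The `--override-input nixpkgs` value on the last changed line now tracks `github:NixOS/nixpkgs/refs/pull/332699/merge`, and combined with `--refresh` and `--no-write-lock-file` every autoUpgrade run will fetch and deploy whatever that merge ref currently resolves to, with no commit pin. A PR merge ref is mutable and follows the PR author's branch, so any push to it (or a rebase onto a different base) is rolled out to every host unreviewed at the next timer fire; the same applies to the `?ref=pvvvvv` branch now used for the system flake itself. If the PR build is required, pin it to the rev already recorded in flake.lock, `"--override-input" "nixpkgs" "github:NixOS/nixpkgs/9972661139e27eed0237df4dde34839e09028cd5"`, or disable `system.autoUpgrade` until the PR is merged into `nixos-24.05-small`, and leave a comment naming the PR and the branch to revert to.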


@ -31,7 +31,6 @@
ProtectSystem = "full"; ProtectSystem = "full";
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; # disable for creating setgid directories
SocketBindDeny = [ "any" ]; SocketBindDeny = [ "any" ];
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ SystemCallFilter = [
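Review bot: Dropping `RestrictSUIDSGID = true` removes the whole restriction to let the service create setgid directories, which is broader than the need: the directories can be created outside the sandbox instead, e.g. `systemd.tmpfiles.rules = [ "d /path/to/dir 2770 user group -" ];` or a separate oneshot unit ordered before this one, leaving the unit itself unable to create setuid/setgid files. The enclosing service definition starts and ends outside the hunk, so I cannot see which service or which directories are involved; if the setgid directories must be created at runtime on demand, keep the removal but expand the comment to say which path and why, e.g. `# RestrictSUIDSGID omitted: <service> creates setgid directories under <path> at runtime`.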

flake.lock generated

@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1729281548, "lastModified": 1731746438,
"narHash": "sha256-MuojlSnwAJAwfhgmW8ZtZrwm2Sko4fqubCvReqbUzYw=", "narHash": "sha256-f3SSp1axoOk0NAI7oFdRzbxG2XPBSIXC+/DaAXnvS1A=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "a6a3179ddf396dfc28a078e2f169354d0c137125", "rev": "cb64993826fa7a477490be6ccb38ba1fa1e18fa8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -119,27 +119,27 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1729307008, "lastModified": 1731779898,
"narHash": "sha256-QUvb6epgKi9pCu9CttRQW4y5NqJ+snKr1FZpG/x3Wtc=", "narHash": "sha256-oxxCrYZM0WNRoaokDyVXcPIlTc8Z2yX4QjKbgXGI3IM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a9b86fc2290b69375c5542b622088eb6eca2a7c3", "rev": "9972661139e27eed0237df4dde34839e09028cd5",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-24.05-small", "ref": "refs/pull/332699/merge",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1728156290, "lastModified": 1730602179,
"narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=", "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "17ae88b569bb15590549ff478bab6494dde4a907", "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -151,11 +151,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1729308112, "lastModified": 1731745710,
"narHash": "sha256-Ap+cPeiluam2KFZO+OWuFTl/IkIJfyGYGMgkT2pVCRY=", "narHash": "sha256-SVeiClbgqL071JpAspOu0gCkPSAL51kSIRwo4C/pghA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "61253596816c4cd65e2a0f474cbc0ac0c6e0f7cf", "rev": "dfaa4cb76c2d450d8f396bb6b9f43cede3ade129",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -249,11 +249,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1728345710, "lastModified": 1731748189,
"narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=", "narHash": "sha256-Zd/Uukvpcu26M6YGhpbsgqm6LUSLz+Q8mDZ5LOEGdiE=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b", "rev": "d2bd7f433b28db6bc7ae03d5eca43564da0af054",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -2,7 +2,7 @@
description = "PVV System flake"; description = "PVV System flake";
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; # remember to also update the url in base/services/auto-upgrade.nix nixpkgs.url = "github:NixOS/nixpkgs/refs/pull/332699/merge"; # remember to also update the url in base/services/auto-upgrade.nix
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
@ -59,6 +59,7 @@
specialArgs = { specialArgs = {
inherit unstablePkgs inputs; inherit unstablePkgs inputs;
values = import ./values.nix; values = import ./values.nix;
fp = path: ./${path};
}; };
modules = [ modules = [
@ -132,6 +133,12 @@
inputs.greg-ng.overlays.default inputs.greg-ng.overlays.default
]; ];
}; };
kvernberg = stableNixosConfig "kvernberg" {
modules = [
disko.nixosModules.disko
{ disko.devices.disk.disk1.device = "/dev/sda"; }
];
};
}; };
nixosModules = { nixosModules = {
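Review bot: The `nixpkgs.url` now points at `github:NixOS/nixpkgs/refs/pull/332699/merge`, a mutable merge ref of an unmerged PR, and nothing in the file records why or when to revert it; the existing comment only reminds to mirror the URL in `base/services/auto-upgrade.nix`. Suggested comment on that line: `# TEMPORARY: nixos-24.05-small + nixpkgs PR #332699 — revert to "github:NixOS/nixpkgs/nixos-24.05-small" once merged; mirror any change in base/services/auto-upgrade.nix`. The new `fp` helper would also benefit from a one-line comment, e.g. `# fp /x -> <repo root>/x, so modules can reference repo files without ../.. chains`, since it is now used by every host. The `kvernberg` entry hardcodes `disko.devices.disk.disk1.device = "/dev/sda"` while `hosts/kvernberg/disks.nix` already sets the same value with `lib.mkDefault`, so one of the two is redundant.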


@ -1,10 +1,10 @@
{ pkgs, values, ... }: { fp, pkgs, values, ... }:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../base (fp /base)
../../misc/metrics-exporters.nix (fp /misc/metrics-exporters.nix)
./services/bluemap/default.nix ./services/bluemap/default.nix
./services/gitea/default.nix ./services/gitea/default.nix
@ -19,7 +19,7 @@
./services/well-known ./services/well-known
]; ];
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml; sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true; sops.age.generateKey = true;


@ -1,4 +1,4 @@
{ config, values, pkgs, lib, ... }: { config, values, fp, pkgs, lib, ... }:
let let
cfg = config.services.gitea; cfg = config.services.gitea;
domain = "git.pvv.ntnu.no"; domain = "git.pvv.ntnu.no";
@ -173,8 +173,8 @@ in {
}; };
script = let script = let
logo-svg = ../../../../assets/logo_blue_regular.svg; logo-svg = fp /assets/logo_blue_regular.svg;
logo-png = ../../../../assets/logo_blue_regular.png; logo-png = fp /assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" '' extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a> <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a> <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>


@ -1,4 +1,4 @@
{ pkgs, lib, config, values, pkgs-unstable, ... }: let { pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
cfg = config.services.mediawiki; cfg = config.services.mediawiki;
# "mediawiki" # "mediawiki"
@ -210,8 +210,8 @@ in {
''; '';
}; };
"= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg; "= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg;
"= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png; "= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png;
"= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" { "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
buildInputs = with pkgs; [ imagemagick ]; buildInputs = with pkgs; [ imagemagick ];
} '' } ''
@ -219,7 +219,7 @@ in {
-resize x64 \ -resize x64 \
-gravity center \ -gravity center \
-crop 64x64+0+0 \ -crop 64x64+0+0 \
${../../../../assets/logo_blue_regular.png} \ ${fp /assets/logo_blue_regular.png} \
-flatten \ -flatten \
-colors 256 \ -colors 256 \
-background transparent \ -background transparent \


@ -1,8 +1,8 @@
{ config, lib, pkgs, ... }: { config, lib, fp, pkgs, ... }:
let let
cfg = config.services.snappymail; cfg = config.services.snappymail;
in { in {
imports = [ ../../../../modules/snappymail.nix ]; imports = [ (fp /modules/snappymail.nix) ];
services.snappymail = { services.snappymail = {
enable = true; enable = true;


@ -1,10 +1,10 @@
{ pkgs, values, ... }: { fp, pkgs, values, ... }:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../base (fp /base)
../../misc/metrics-exporters.nix (fp /misc/metrics-exporters.nix)
./services/nginx ./services/nginx
./services/mysql.nix ./services/mysql.nix
@ -15,7 +15,7 @@
./services/matrix ./services/matrix
]; ];
sops.defaultSopsFile = ../../secrets/bicep/bicep.yaml; sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true; sops.age.generateKey = true;


@ -1,16 +1,16 @@
{ config, lib, pkgs, ... }: { config, fp, lib, pkgs, ... }:
let let
cfg = config.services.pvv-calendar-bot; cfg = config.services.pvv-calendar-bot;
in { in {
sops.secrets = { sops.secrets = {
"calendar-bot/matrix_token" = { "calendar-bot/matrix_token" = {
sopsFile = ../../../secrets/bicep/bicep.yaml; sopsFile = fp /secrets/bicep/bicep.yaml;
key = "calendar-bot/matrix_token"; key = "calendar-bot/matrix_token";
owner = cfg.user; owner = cfg.user;
group = cfg.group; group = cfg.group;
}; };
"calendar-bot/mysql_password" = { "calendar-bot/mysql_password" = {
sopsFile = ../../../secrets/bicep/bicep.yaml; sopsFile = fp /secrets/bicep/bicep.yaml;
key = "calendar-bot/mysql_password"; key = "calendar-bot/mysql_password";
owner = cfg.user; owner = cfg.user;
group = cfg.group; group = cfg.group;


@ -1,14 +1,14 @@
{ config, lib, pkgs, secrets, values, ... }: { config, lib, fp, pkgs, secrets, values, ... }:
{ {
sops.secrets."matrix/synapse/turnconfig" = { sops.secrets."matrix/synapse/turnconfig" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "synapse/turnconfig"; key = "synapse/turnconfig";
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group; group = config.users.users.matrix-synapse.group;
}; };
sops.secrets."matrix/coturn/static-auth-secret" = { sops.secrets."matrix/coturn/static-auth-secret" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "coturn/static-auth-secret"; key = "coturn/static-auth-secret";
owner = config.users.users.turnserver.name; owner = config.users.users.turnserver.name;
group = config.users.users.turnserver.group; group = config.users.users.turnserver.group;


@ -1,4 +1,4 @@
{ config, lib, ... }: { config, lib, fp, ... }:
let let
cfg = config.services.mx-puppet-discord; cfg = config.services.mx-puppet-discord;
@ -7,11 +7,11 @@ in
users.groups.keys-matrix-registrations = { }; users.groups.keys-matrix-registrations = { };
sops.secrets."matrix/discord/as_token" = { sops.secrets."matrix/discord/as_token" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "discord/as_token"; key = "discord/as_token";
}; };
sops.secrets."matrix/discord/hs_token" = { sops.secrets."matrix/discord/hs_token" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "discord/hs_token"; key = "discord/hs_token";
}; };


@ -1,4 +1,4 @@
{ config, lib, unstablePkgs, inputs, ... }: { config, lib, fp, unstablePkgs, inputs, ... }:
let let
cfg = config.services.matrix-hookshot; cfg = config.services.matrix-hookshot;
@ -11,11 +11,11 @@ in
]; ];
sops.secrets."matrix/hookshot/as_token" = { sops.secrets."matrix/hookshot/as_token" = {
sopsFile = ../../../../../secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/as_token"; key = "hookshot/as_token";
}; };
sops.secrets."matrix/hookshot/hs_token" = { sops.secrets."matrix/hookshot/hs_token" = {
sopsFile = ../../../../../secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/hs_token"; key = "hookshot/hs_token";
}; };


@ -1,8 +1,8 @@
{ config, lib, ... }: { config, lib, fp, ... }:
{ {
sops.secrets."matrix/mjolnir/access_token" = { sops.secrets."matrix/mjolnir/access_token" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "mjolnir/access_token"; key = "mjolnir/access_token";
owner = config.users.users.mjolnir.name; owner = config.users.users.mjolnir.name;
group = config.users.users.mjolnir.group; group = config.users.users.mjolnir.group;


@ -1,4 +1,4 @@
{ config, lib, pkgs, values, inputs, ... }: { config, lib, fp, pkgs, values, inputs, ... }:
let let
cfg = config.services.matrix-synapse-next; cfg = config.services.matrix-synapse-next;
@ -10,13 +10,13 @@ let
in { in {
sops.secrets."matrix/synapse/signing_key" = { sops.secrets."matrix/synapse/signing_key" = {
key = "synapse/signing_key"; key = "synapse/signing_key";
sopsFile = ../../../../secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group; group = config.users.users.matrix-synapse.group;
}; };
sops.secrets."matrix/synapse/user_registration" = { sops.secrets."matrix/synapse/user_registration" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "synapse/signing_key"; key = "synapse/signing_key";
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group; group = config.users.users.matrix-synapse.group;
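Review bot: The `"matrix/synapse/user_registration"` secret still has `key = "synapse/signing_key";` directly under the `sopsFile` line this commit touches, so the file deployed for the registration shared secret actually contains the Synapse federation signing key. This is a pre-existing context line rather than something the commit introduces, but if that path is consumed as `registration_shared_secret` the signing key ends up doubling as the HMAC secret for the registration endpoint. It should presumably read `key = "synapse/user_registration";`, assuming that key exists in `secrets/bicep/matrix.yaml`; the `let` block and the rest of the module lie outside the hunk.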


@ -1,16 +1,16 @@
{ config, pkgs, values, ... }: { config, fp, pkgs, values, ... }:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../base (fp /base)
../../misc/metrics-exporters.nix (fp /misc/metrics-exporters.nix)
./disks.nix ./disks.nix
../../misc/builder.nix (fp /misc/builder.nix)
]; ];
sops.defaultSopsFile = ../../secrets/bob/bob.yaml; sops.defaultSopsFile = fp /secrets/bob/bob.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true; sops.age.generateKey = true;


@ -1,10 +1,10 @@
{ config, pkgs, values, ... }: { config, fp, pkgs, values, ... }:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../base (fp /base)
../../misc/metrics-exporters.nix (fp /misc/metrics-exporters.nix)
./services/grzegorz.nix ./services/grzegorz.nix
]; ];


@ -1,6 +1,6 @@
{ config, ... }: { config, fp, ... }:
{ {
imports = [ ../../../modules/grzegorz.nix ]; imports = [ (fp /modules/grzegorz.nix) ];
services.nginx.virtualHosts."${config.networking.fqdn}" = { services.nginx.virtualHosts."${config.networking.fqdn}" = {
serverAliases = [ serverAliases = [


@ -1,12 +1,12 @@
{ config, pkgs, values, ... }: { config, fp, pkgs, values, ... }:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../base (fp /base)
../../misc/metrics-exporters.nix (fp /misc/metrics-exporters.nix)
../../modules/grzegorz.nix (fp /modules/grzegorz.nix)
]; ];
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;


@ -1,16 +1,16 @@
{ config, pkgs, lib, values, ... }: { config, fp, pkgs, lib, values, ... }:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../base (fp /base)
../../misc/metrics-exporters.nix (fp /misc/metrics-exporters.nix)
./services/monitoring ./services/monitoring
./services/nginx ./services/nginx
]; ];
sops.defaultSopsFile = ../../secrets/ildkule/ildkule.yaml; sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true; sops.age.generateKey = true;


@ -0,0 +1,43 @@
{ config, fp, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./disks.nix
];
sops.defaultSopsFile = fp /secrets/kvernberg/kvernberg.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "kvernberg"; # Define your hostname.
systemd.network.networks."30-all" = values.defaultNetworkConfig // {
matchConfig.Name = "en*";
address = with values.hosts.kvernberg; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# No devices with SMART
services.smartd.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
}

hosts/kvernberg/disks.nix Normal file

@ -0,0 +1,39 @@
# Example to create a bios compatible gpt partition
{ lib, ... }:
{
disko.devices = {
disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
}
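Review bot: `device = lib.mkDefault "/dev/sda"` (and the `"/dev/sda"` override in flake.nix) names the disk by kernel enumeration order, and disko partitions and formats that device unconditionally, so an added or reordered virtio-scsi disk would have the wrong device wiped on the next `disko` run. Prefer a stable identifier such as `device = lib.mkDefault "/dev/disk/by-id/<id>";` or a `/dev/disk/by-path/…` name taken from the VM. The header comment `# Example to create a bios compatible gpt partition` is copied from the disko example while this host boots with `boot.loader.systemd-boot.enable = true`; either state that the 1M `EF02` partition is kept deliberately as a BIOS fallback or drop the comment so it does not read as a placeholder.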


@ -0,0 +1,26 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -0,0 +1,11 @@
{
imports = [
./exchange.nix
];
services.taler = {
settings = {
taler.CURRENCY = "SCHPENN";
};
};
}


@ -0,0 +1,40 @@
{ config, lib, fp, pkgs, ... }:
let
cfg = config.services.taler;
inherit (cfg.settings) CURRENCY;
sops.secrets.exchange-offline-master = {
format = "binary";
sopsFile = fp /secrets/kvernberg/exhange-offline-master.priv;
};
{
services.taler.exchange = {
enable = true;
debug = true;
openFirwall = true;
denominationConfig = ''
[COIN-${CURRENCY}-k1-1-0]
VALUE = ${CURRENCY}:1
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
'';
settings = {
exchange = {
MASTER_PUBLIC_KEY = "J331T37C8E58P9CVE686P1JFH11DWSRJ3RE4GVDTXKES9M24ERZG";
BASE_URL = "http://kvernberg.pvv.ntnu.no:8081/";
};
exchange-offline = {
MASTER_PRIV_FILE = config.sops.secrets.exchange-offline-master.path;
};
};
};
}
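Review bot: This module does not evaluate as written: the `let` block has no `in` before the `{` that opens the configuration set, and `sops.secrets.exchange-offline-master` is declared as a let binding rather than as NixOS configuration, so the secret is never provisioned and `config.sops.secrets.exchange-offline-master.path` under `exchange-offline` will fail (nothing imports this file yet, which is presumably why it went unnoticed). `openFirwall` is also misspelled and will be rejected as an unknown option once the module is imported. Separately, as I understand Taler's key model, the `exchange-offline` master private key is meant to stay on an air-gapped signing machine and only `MASTER_PUBLIC_KEY` belongs on the online exchange, so deploying it via sops onto kvernberg — together with `debug = true` and a plain-`http` `BASE_URL` — collapses that separation; if this is a deliberate test deployment, say so in a comment, and check that the `sopsFile` name `exhange-offline-master.priv` (sic) matches the committed file and that the secret's owner matches the user `taler-exchange-offline` runs as (default is root, mode 0400). The structural fix is below.
```nix
{ config, lib, fp, pkgs, ... }:
let
  cfg = config.services.taler;
  inherit (cfg.settings) CURRENCY;
in
{
  # NOTE(review): Taler expects the offline master key on an air-gapped signing
  # machine; only MASTER_PUBLIC_KEY should normally live on the online exchange.
  sops.secrets.exchange-offline-master = {
    format = "binary";
    sopsFile = fp /secrets/kvernberg/exhange-offline-master.priv;
    # owner = "<user running taler-exchange-offline>";  # TODO confirm
  };

  services.taler.exchange = {
    enable = true;
    debug = true;  # TODO: disable once the exchange is no longer a test setup
    openFirewall = true;
    # … unchanged: denominationConfig, settings …
  };
}
```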


@ -1,13 +1,13 @@
{ config, pkgs, values, ... }: { config, fp, pkgs, values, ... }:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../base (fp /base)
../../misc/metrics-exporters.nix (fp /misc/metrics-exporters.nix)
]; ];
sops.defaultSopsFile = ../../secrets/shark/shark.yaml; sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true; sops.age.generateKey = true;


@ -0,0 +1,24 @@
{
"data": "ENC[AES256_GCM,data:dhVo1B+ZG1B6s0bTLgph4ipPmi0mveaObbJAffDQbpY=,iv:P5plvu4DQYa99cQZQ6B/gEFcSffu3lTY3+Z80Cfoj94=,tag:4xcqCbn6fFSmCbYmmEgQEg==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MzVHSE15Nk9MODQxc2g0\nbHlqNmFKclBYbUNKQTNUOGo0VThiaEZTVzJFCmU2YkYwMXlyeHM3ZzAxOWZpa3k4\nUUJLanVFbkNMa25RcGZmOTBsVmtzazQKLS0tIE1sTTBqT3VJMDFOYXl0T1JvcDRV\nRFpsZGNOZzFzMFc3YzcxeXdIK1d6QUUKzy0n7DJsOmrNvU03Tn6Zcj/l/kAylzzP\nhNnFLXfStdKl3A/qrzBPhTVbYD73yFkZuQ+bDr7/IMsHAmDsztuA9g==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbEdBWjdEbmtNYWJHQnFj\nSU1yb0NYVG4xVlZkYTdUWUpDcGdmbFF6U1NrCjBlWFZkcC9FMVJLYUtDNlBTUWcw\nNHBwWFNESDBQQmJNb3NDN2tDekM4eUUKLS0tICtMVGc1L2JFQ1BqKzM3eWFPRmRQ\nWXlQUWpvdUdOUlZ1OFhtS0ErL0JKSlUKzxLKbsnXvEqnR2HVsTxNqmM7YPjWfCjG\nZ4Bf046NdseomkNuTvWuPzjzPTe4GvjudMYc4ODchkIMOo6hXyf5kw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-11-17T01:12:23Z",
"mac": "ENC[AES256_GCM,data:aXIM/pmgVmfNSa+PwpfK6Efh/kCWXUqZNcKLkyhRwl++vaIBQUIQgQjv09hWHOF77V3ZjRQjh2E1uNe2baBLEmrDT5Au+7VABW+j49KX/vKMd+1l4w47l3DukOVnoo50bsOQFtH+amSl2P2imxpO15sjVDu9/nUeu2qXrtbIUh8=,iv:BQVs3P9p86uzTH2BfuSOxycpE6di4ZIwSz7OTZdcQPg=,tag:mT4Ek8dDbVINGp4Odt62zw==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.1"
}
}


@ -60,6 +60,10 @@ in rec {
ipv4 = pvv-ipv4 204; ipv4 = pvv-ipv4 204;
ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
}; };
kvernberg = {
ipv4 = pvv-ipv4 206;
ipv6 = pvv-ipv6 "1:206";
};
}; };
defaultNetworkConfig = { defaultNetworkConfig = {