Compare commits

..

130 Commits

Author SHA1 Message Date
914458d4b0 feat: add error pages to nginx on bekkalokk 2025-10-25 22:13:02 +02:00
3faad36418 base/nixos-exporter: allow localhost to fetch 2025-10-13 06:41:28 +02:00
0b74907f76 bicep/matrix/hookshot: enable widgets and js transformations 2025-10-13 06:02:33 +02:00
bacfdeff23 bicep/matrix/hookshot: try fix up widgets and SSL 2025-10-13 05:42:06 +02:00
9e51bdb373 base/nixos-exporter: listen on own server block 2025-10-12 16:42:42 +02:00
df5557698f ildkule: scrape the nixos-flake exporters 2025-10-12 06:09:15 +02:00
c7930b793a base: create flake input exporter 2025-10-12 05:23:54 +02:00
dbe9dbe6f4 flake.lock: bump 2025-09-20 18:59:35 +02:00
2e75f31d3e kommode/gitea: skip some parts in the dumps 2025-09-10 11:27:44 +02:00
1166161858 oppdatere nettsiden 2025-09-08 13:59:41 +02:00
a0164a4038 oppdatere nettsiden 2025-09-08 12:20:09 +02:00
470cc451e0 kommode/gitea: fix backup count
Some checks failed
Eval nix flake / evals (push) Failing after 1m30s
2025-09-04 00:02:58 +02:00
a803de2b23 kommode/gitea: enable sd_notify, enable hardware watchdog
Some checks failed
Eval nix flake / evals (push) Failing after 1m23s
2025-09-03 23:48:22 +02:00
1dc78b6101 kommode/gitea: bindmount repo-archives to /var/cache/gitea
Some checks failed
Eval nix flake / evals (push) Failing after 1m26s
2025-09-03 23:23:16 +02:00
54434b7f93 kommode/gitea: only keep 3 backups 2025-09-03 22:46:13 +02:00
736dc44008 flake: update input pvv-nettsiden (fadderuke -> normal events) 2025-09-01 20:16:50 +02:00
9e68287f1b bicep/minecraft-heatmap: change postgres password, add to sops
Some checks failed
Eval nix flake / evals (push) Failing after 26s
2025-08-25 14:38:25 +02:00
b821d36f40 bicep/minecraft-heatmap: init
Some checks failed
Eval nix flake / evals (push) Failing after 1m19s
2025-08-25 14:26:37 +02:00
0b7fbcac32 modules/grzegorz: use unstable mpv for greg-ng
Some checks failed
Eval nix flake / evals (push) Failing after 1m19s
2025-08-23 14:04:48 +02:00
f3c60d0551 add vegardbm
Some checks failed
Eval nix flake / evals (push) Failing after 57s
Reviewed-on: #114
2025-08-21 14:21:39 +02:00
f0d2d989d1 Merge pull request 'remove duplicated button at /hendelser' (!113) from vegardbm/pvv-nixos-config:main into main
Some checks failed
Eval nix flake / evals (push) Failing after 1m30s
Reviewed-on: #113
2025-08-18 02:08:05 +02:00
57d0c6247b remove duplicated button at /hendelser
Some checks failed
Eval nix flake / evals (pull_request) Failing after 1m27s
2025-08-18 02:05:57 +02:00
95840bfa3c Merge pull request 'fix dead link at /tjenester' (!112) from vegardbm/pvv-nixos-config:main into main
Some checks failed
Eval nix flake / evals (push) Failing after 26s
Reviewed-on: #112
2025-08-17 20:59:45 +02:00
72da80f93f fix dead link at /tjenester
Some checks failed
Eval nix flake / evals (pull_request) Failing after 1m31s
2025-08-17 20:58:31 +02:00
8ffc2acea7 Merge pull request 'fix dead links for VMs at /tjenester' (!111) from vegardbm/pvv-nixos-config:main into main
Some checks failed
Eval nix flake / evals (push) Failing after 27s
Reviewed-on: #111
2025-08-17 20:48:40 +02:00
0d1423ab22 fix dead links for VMs at /tjenester
Some checks failed
Eval nix flake / evals (pull_request) Failing after 26s
2025-08-17 20:47:30 +02:00
809fcefbcf Merge pull request 'fix dead minecraft map link at /tjenester' (!110) from vegardbm/pvv-nixos-config:main into main
Some checks failed
Eval nix flake / evals (push) Failing after 28s
Reviewed-on: #110
2025-08-17 19:52:37 +02:00
203358a207 fix dead minecraft map link at /tjenester
Some checks failed
Eval nix flake / evals (pull_request) Has been cancelled
2025-08-17 19:48:56 +02:00
d11b189f95 Merge pull request 'forgot to write my whole name LAMO' (!109) from new-user-part-two into main
Some checks failed
Eval nix flake / evals (push) Failing after 1m23s
Reviewed-on: #109
2025-08-16 10:45:57 +02:00
b439ddd6f6 forgot to write my whole name LAMO
Some checks failed
Eval nix flake / evals (push) Failing after 1m18s
Eval nix flake / evals (pull_request) Failing after 1m22s
2025-08-15 19:57:23 +02:00
a22747bb66 flake.lock: bump pvv-nettsiden
Some checks failed
Eval nix flake / evals (push) Failing after 1m22s
2025-08-14 22:49:05 +02:00
efc79ee189 fix import-gitea-users script
Some checks failed
Eval nix flake / evals (push) Failing after 27s
2025-08-14 20:48:23 +02:00
8715fb220f Merge pull request 'added user alb' (!108) from new_user into main
Some checks failed
Eval nix flake / evals (push) Failing after 1m33s
Reviewed-on: #108
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
2025-08-14 19:07:30 +02:00
649c21de01 added user alb
Some checks failed
Eval nix flake / evals (push) Failing after 29s
Eval nix flake / evals (pull_request) Failing after 26s
2025-08-14 18:08:43 +02:00
2010556643 kommode/gitea: fix declarative secrets
Some checks failed
Eval nix flake / evals (push) Failing after 29s
2025-08-03 04:44:37 +02:00
8dcd471a6f base: don't lock kernel modules lmao
Some checks failed
Eval nix flake / evals (push) Failing after 39s
2025-08-03 04:36:10 +02:00
234a7030f0 kommode/gitea: make secrets declarative
Some checks failed
Eval nix flake / evals (push) Failing after 0s
2025-08-03 03:39:18 +02:00
0a7f559869 keys/oysteikt: update
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-08-03 02:25:57 +02:00
d482eb332d flake.nix: bump nixos-matrix-modules: 0.7.0 -> v0.7.1
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-08-03 02:21:05 +02:00
0600fce2ca ildkule/prometheus/exim: init 2025-08-03 02:21:04 +02:00
f5fed06381 ildkule/prometheus/machines: add lupine-{1,3,4,5} + wenche 2025-08-03 02:21:02 +02:00
579ed180a3 ildkule/prometheus: add utility function 2025-08-03 02:20:58 +02:00
043099eb37 hosts/lupine: init
Some checks failed
Eval nix flake / evals (push) Failing after 1m20s
Co-authored-by: h7x4 <h7x4@nani.wtf>
2025-07-30 20:30:28 +02:00
59969b9ec8 Allow configuring configuration src path in nixosConfig
Co-authored-by: h7x4 <h7x4@nani.wtf>
2025-07-20 03:54:00 +02:00
febc0940f8 flake: update pvv-nettsiden
Some checks failed
Eval nix flake / evals (push) Failing after 1m32s
2025-07-18 21:06:17 +02:00
76c251c277 kommode/gitea: use unstable package again
Some checks failed
Eval nix flake / evals (push) Failing after 12m16s
2025-07-14 07:51:49 +02:00
1d48a63e3d Merge branch '25.05'
Some checks failed
Eval nix flake / evals (push) Failing after 1m25s
2025-07-14 01:58:04 +02:00
ddd405f534 nixpkgs 25.05 🎉
Some checks failed
Eval nix flake / evals (push) Failing after 30s
2025-07-11 18:43:21 +02:00
a2dcd3019f fix package grr
Some checks failed
Eval nix flake / evals (push) Failing after 25s
2025-06-24 08:06:36 +02:00
410d4e44a8 bicep/matrix/ooye: use pvv fork for now
Some checks failed
Eval nix flake / evals (push) Failing after 25s
2025-06-22 19:29:15 +02:00
195163fd7b fix ooye somewhat
Some checks failed
Eval nix flake / evals (push) Failing after 25s
2025-06-22 19:00:50 +02:00
4fa544b430 WIP: bicep/ooye: init
Some checks failed
Eval nix flake / evals (push) Failing after 25s
2025-06-22 00:59:23 +02:00
7601734651 modules/ooye: init
Some checks failed
Eval nix flake / evals (push) Failing after 25s
2025-06-21 19:54:57 +02:00
cafeef827f packages/ooye: init 2025-06-21 19:52:37 +02:00
9e00d143f8 grzegorz: add and shortcut on main domain
Some checks failed
Eval nix flake / evals (push) Failing after 33s
2025-06-07 18:43:21 +02:00
eceb2ce4c7 Merge pull request 'base: stabilize system.build.toplevel.outPath for vmVariant' (!105) from no-flake-in-vm into main
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Reviewed-on: #105
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
2025-06-01 05:29:00 +02:00
518008527d Merge pull request 'flake: evaluate devShells with nixpkgs-unstable' (!107) from shell-unstable into main
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Reviewed-on: #107
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
Reviewed-by: Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
2025-06-01 05:26:39 +02:00
9e82ca3d15 flake: evaluate devShells with nixpkgs-unstable
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Eval nix flake / evals (pull_request) Has been cancelled
2025-06-01 00:37:52 +02:00
da7cb17f9e base: stabilize system.build.toplevel.outPath for vmVariant
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Eval nix flake / evals (pull_request) Has been cancelled
This is done by not depending on the flake itself, allowing the bits of a dirty tree to not affect the hash.
This enables equivalence testing with `just eval-vm bob` and checking if the system closure hash changes or not.
2025-05-31 19:13:33 +02:00
1caa0cc7be Merge pull request 'base: add option config.virtualisation.vmVariant' (!101) from vm into main
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Reviewed-on: #101
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
2025-05-31 19:01:47 +02:00
752141f97f base: add option config.virtualisation.vmVariant
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Eval nix flake / evals (pull_request) Has been cancelled
2025-05-31 18:53:04 +02:00
23c1c17607 Merge pull request 'justfile: add more swag' (!104) from justfile-swag into main
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Reviewed-on: #104
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
2025-05-31 18:37:25 +02:00
9560eab82b Merge pull request 'flake: switch to nixos.org nixpkgs tarballs' (!103) from switch-inputs into main
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Reviewed-on: #103
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
2025-05-31 18:35:28 +02:00
5e4ededab3 .mailmap: init
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-05-31 14:25:33 +02:00
7fb3e29d7b base/uptimed: init
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-05-31 14:05:43 +02:00
9053dda57c kommode/gitea: install the rest of the themes
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-05-31 13:59:51 +02:00
4ab133e541 justfile: update 'update-inputs' to changed nix3 cli, make more robust to dirty tree
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Eval nix flake / evals (pull_request) Has been cancelled
2025-05-30 19:17:59 +02:00
e5b38cd2c1 justfile: add repl, eval and eval-vm 2025-05-30 19:17:59 +02:00
3e156a8649 justfile: only use nom if stdout is a tty 2025-05-30 19:17:59 +02:00
b40cde891e justfile: passthru extra args with 'set positional-arguments' 2025-05-30 19:17:59 +02:00
dca6862045 justfile: silence 'nix eval' spam 2025-05-30 19:17:59 +02:00
4e44da29b5 justfil: _a_machine: remember last choice 2025-05-30 19:17:51 +02:00
ca9ac0e0fc flake.lock: Update
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Eval nix flake / evals (pull_request) Has been cancelled
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/9204750b34cae1a8347ab4b5588115edfeebc6d7' (2025-04-24)
  → 'https://releases.nixos.org/nixos/24.11-small/nixos-24.11.718472.97d3ce1ceb66/nixexprs.tar.xz?narHash=sha256-8sjG4sNIonQPK2olCGvq3/j1qtjwPaTOFU5nkz1gj2Q%3D&rev=97d3ce1ceb663a24184aac92b7e9e8f5452111c1' (2025-05-30)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/6a2957c7978b189202e03721aab901c0a9dc1e1a' (2025-04-26)
  → 'https://releases.nixos.org/nixos/unstable-small/nixos-25.11pre807945.b8af95f4cf51/nixexprs.tar.xz?narHash=sha256-YCnUqO9k39p0oMIBndxYTbu8m0fOA/KVcq3IekXPy9c%3D&rev=b8af95f4cf511c5f056b463c3a45d2b63c7cfb03' (2025-05-30)
2025-05-30 19:05:27 +02:00
c8d29c363f flake: switch to nixos.org nixpkgs tarballs
no rate limiting and supports ipv6
2025-05-30 19:05:27 +02:00
e387656be8 base/auto-upgrade: fetch input urls from flake 2025-05-30 19:05:24 +02:00
48a5f4e79e bicep/git-mirrors: move to mirrors.pvv.ntnu.no
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-05-30 12:59:32 +02:00
29c4029486 bicep/git-mirrors: disable lfs by default
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-05-30 12:45:40 +02:00
5d704840ce brutally murder bob
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-05-25 11:32:44 +02:00
43d3ef1fed georg: configure spotifyd to maybe not crash, might even be functional?
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-05-25 10:32:40 +02:00
e8df081894 kommode/gitea: use stable package again
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-05-25 09:59:44 +02:00
f40f2ae89d update inputs to 25.05 2025-05-25 09:59:44 +02:00
a3c3ceac49 users/oysteikt: remove diskonaut
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-05-20 21:17:04 +02:00
7f3d288a15 bekkalokk/mediawiki: fix favicon derivation 2025-05-20 21:16:45 +02:00
f9f2304939 add spotifyd on georg
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Signed-off-by: Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no>
2025-05-20 12:42:54 +02:00
02c752e596 modules/grzegorz:Grzegorz wakes up every morning at 6:30!
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Eval nix flake / evals (pull_request) Has been cancelled
2025-05-18 00:40:18 +02:00
e44b2e8d0d treewide: convert 2 instances of 'convert' into 'magick'
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-05-17 22:47:09 +02:00
13a270b8ed disable nginx jit and multi_accept
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-05-10 11:13:51 +02:00
20ade0d619 bicep: add git-mirroring service
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-05-08 23:41:43 +02:00
20e3f89b79 flake.lock: update greg-ng
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-05-06 22:34:09 +02:00
f0e6521fbb update flake.lock
Some checks failed
Eval nix flake / evals (push) Failing after 15s
2025-04-26 22:50:00 +02:00
d59a3f6ec0 bicep: remove duplicate import of mysql service module 2025-03-30 17:43:15 +02:00
b730bdc34d flake.nix: fix nix-gitea-themes input url 2025-03-30 17:22:04 +02:00
f1f4da9ff6 Merge pull request 'Init wenche' (!94) from init-wenche into main
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Reviewed-on: #94
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
2025-03-29 22:15:02 +01:00
cd40bd6178 Wenche: add swapfile
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Eval nix flake / evals (pull_request) Has been cancelled
2025-03-29 22:08:44 +01:00
41e7f09c8b kommode/gitea: take a dump weekly
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-03-23 17:08:58 +01:00
30bedecd72 kommode/gitea: increase timeouts
Some checks are pending
Eval nix flake / evals (push) Waiting to run
2025-03-23 00:39:06 +01:00
29ad65bfef kommode/gitea: fix eval
Some checks are pending
Eval nix flake / evals (push) Waiting to run
2025-03-23 00:36:24 +01:00
b5a95eac90 bekkalokk/website/sp: trust all domain variants
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-03-19 01:49:12 +01:00
b2adb38a8b Merge pull request 'base: source ~/.bashrc' (!100) from bashrc into main
Some checks are pending
Eval nix flake / evals (push) Waiting to run
Reviewed-on: #100
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
2025-03-19 01:40:56 +01:00
3a707b00d3 base: source ~/.bashrc
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Eval nix flake / evals (pull_request) Has been cancelled
Now by default we source .bashrc and .profile unless the user has actually read the manual.
Tested in vm
2025-03-18 22:57:18 +01:00
decd69d9ae kommode/gitea: move customization.nix to separate dir
Some checks are pending
Eval nix flake / evals (push) Waiting to run
2025-03-17 20:37:15 +01:00
b7fca76ea5 ildkule/mysqld_exporter: use nix-sops template for config
Some checks are pending
Eval nix flake / evals (push) Waiting to run
2025-03-16 21:09:12 +01:00
c6b7e7f555 bekkalokk/mediawiki: remove outdated TODO
Some checks are pending
Eval nix flake / evals (push) Waiting to run
2025-03-16 20:59:03 +01:00
32a529e60f ildkule/prometheus: reenable mysqld exporter
Some checks are pending
Eval nix flake / evals (push) Waiting to run
2025-03-16 20:57:26 +01:00
493ab057f4 ildkule/grafana: fix gitea dashboard typo
Some checks are pending
Eval nix flake / evals (push) Waiting to run
2025-03-16 20:42:52 +01:00
c683e2184a kommode/gitea: allow ildkule's ipv6 address to read metrics
Some checks are pending
Eval nix flake / evals (push) Waiting to run
2025-03-16 20:40:07 +01:00
5c32798dcf ildkule/prometheus: add kommode and ustetind to machine list
Some checks are pending
Eval nix flake / evals (push) Waiting to run
2025-03-16 20:20:40 +01:00
e5cbd66769 kommode/gitea: use batch scheduling
Some checks are pending
Eval nix flake / evals (push) Waiting to run
2025-03-16 19:56:27 +01:00
8b34f31e3f Move gitea from bekkalokk to kommode 2025-03-16 19:02:30 +01:00
08b010cb93 kommode/sops: init
Some checks are pending
Eval nix flake / evals (push) Waiting to run
2025-03-16 14:04:09 +01:00
a408ef6688 hosts/kommode: init
Some checks are pending
Eval nix flake / evals (push) Waiting to run
2025-03-16 13:19:29 +01:00
c83005983e shells/cuda: Reformat, replace shellhook with env attr
Some checks failed
Eval nix flake / evals (push) Has been cancelled
Eval nix flake / evals (pull_request) Has been cancelled
2025-03-15 23:37:53 +01:00
30d31956c6 keys/oysteikt: update
Some checks are pending
Eval nix flake / evals (push) Waiting to run
2025-03-15 22:43:01 +01:00
c8bf3b7c01 modules/robots-txt: init 2025-03-15 14:58:30 +01:00
069da36895 shell.nix: replace shellHook with env 2025-03-15 03:09:26 +01:00
83f83a91b7 flake.{nix,lock}: bump inputs 2025-03-15 02:23:16 +01:00
6372a4111e common/userdbd: init 2025-03-15 01:47:10 +01:00
bdfb7384c2 common/userborn: init 2025-03-15 01:46:52 +01:00
ace351c0a7 misc/builder: add binfmt systems 2025-03-15 01:23:15 +01:00
cd5c2c0e01 misc/builder: set cpu sched policy batch 2025-03-15 01:21:57 +01:00
2be9eb16fe base/nix: defer store optimization 2025-03-15 01:20:34 +01:00
64bd33a213 base: enable fwupd 2025-03-15 01:19:59 +01:00
7b5e114944 base: use dbus-broker as dbus implementation 2025-03-15 01:19:33 +01:00
ee8965e18c base: use latest kernel by default 2025-03-15 01:18:28 +01:00
7125fd2478 flake.lock: bump pvv-nettsiden
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-03-12 02:39:46 +01:00
0c1762619a bekkalokk/gitea: use unstable package (1.23)
Some checks failed
Eval nix flake / evals (push) Has been cancelled
2025-03-12 02:13:13 +01:00
84d1ae13c0 flake.lock: bump pvv-nettsiden
Some checks are pending
Eval nix flake / evals (push) Waiting to run
2025-03-12 00:51:10 +01:00
4f28815018 wenche: Fix nvidia driver. flake: add shells/cuda.
Some checks failed
Eval nix flake / evals (pull_request) Failing after 14s
Eval nix flake / evals (push) Successful in 30m39s
2025-02-22 19:45:26 +01:00
bdaa765dbb wenche: start adding NVIDIA support
Some checks failed
Eval nix flake / evals (pull_request) Successful in 13m54s
Eval nix flake / evals (push) Failing after 15m56s
2025-02-19 23:28:42 +01:00
c0e551eb8b wenche: init new host
All checks were successful
Eval nix flake / evals (push) Successful in 26m28s
2025-02-19 22:48:28 +01:00
88 changed files with 2659 additions and 755 deletions

25
.mailmap Normal file
View File

@@ -0,0 +1,25 @@
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> <daniel.olsen99@gmail.com>
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel <danio@pvv.ntnu.no>
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@pvv.ntnu.no>
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> danio <danio@pvv.ntnu.no>
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@bicep.pvv.ntnu.no>
Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> h7x4 <h7x4@nani.wtf>
Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein Tveit <oysteikt@pvv.ntnu.no>
Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> oysteikt <oysteikt@pvv.ntnu.no>
Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein <oysteikt@pvv.org>
Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
Felix Albrigtsen <felixalb@pvv.ntnu.no> <felix@albrigtsen.it>
Felix Albrigtsen <felixalb@pvv.ntnu.no> <felixalbrigtsen@gmail.com>
Felix Albrigtsen <felixalb@pvv.ntnu.no> felixalb <felixalb@pvv.ntnu.no>
Peder Bergebakken Sundt <pederbs@pvv.ntnu.no> <pbsds@hotmail.com>
Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian G L <adrian@lauterer.it>
Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lauterer.it>
Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>

View File

@@ -14,6 +14,12 @@ keys:
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
- &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
- &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
- &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
- &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
- &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
- &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
creation_rules:
# Global secrets
@@ -44,6 +50,18 @@ creation_rules:
pgp:
- *user_oysteikt
- path_regex: secrets/kommode/[^/]+\.yaml$
key_groups:
- age:
- *host_kommode
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt
- path_regex: secrets/jokum/[^/]+\.yaml$
key_groups:
- age:
@@ -91,3 +109,19 @@ creation_rules:
- *user_pederbs_bjarte
pgp:
- *user_oysteikt
- path_regex: secrets/lupine/[^/]+\.yaml$
key_groups:
- age:
- *host_lupine-1
- *host_lupine-2
- *host_lupine-3
- *host_lupine-4
- *host_lupine-5
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt

View File

@@ -1,4 +1,9 @@
{ pkgs, lib, fp, ... }:
{
pkgs,
lib,
fp,
...
}:
{
imports = [
@@ -7,9 +12,14 @@
./networking.nix
./nix.nix
./vm.nix
./flake-input-exporter.nix
./services/acme.nix
./services/uptimed.nix
./services/auto-upgrade.nix
./services/dbus.nix
./services/fwupd.nix
./services/irqbalance.nix
./services/logrotate.nix
./services/nginx.nix
@@ -17,9 +27,12 @@
./services/postfix.nix
./services/smartd.nix
./services/thermald.nix
./services/userborn.nix
./services/userdbd.nix
];
boot.tmp.cleanOnBoot = lib.mkDefault true;
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
time.timeZone = "Europe/Oslo";
@@ -45,8 +58,22 @@
kitty.terminfo
];
# .bash_profile already works, but lets also use .bashrc like literally every other distro
# https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
# home-manager usually handles this for you: https://github.com/nix-community/home-manager/blob/22a36aa709de7dd42b562a433b9cefecf104a6ee/modules/programs/bash.nix#L203-L209
# btw, programs.bash.shellInit just goes into environment.shellInit which in turn goes into /etc/profile, spooky shit
programs.bash.shellInit = ''
if [ -n "''${BASH_VERSION:-}" ]; then
if [[ ! -f ~/.bash_profile && ! -f ~/.bash_login ]]; then
[[ -f ~/.bashrc ]] && . ~/.bashrc
fi
fi
'';
programs.zsh.enable = true;
# security.lockKernelModules = true;
security.protectKernelImage = true;
security.sudo.execWheelOnly = true;
security.sudo.extraConfig = ''
Defaults lecture = never
@@ -57,4 +84,3 @@
# Trusted users on the nix builder machines
users.groups."nix-builder-users".name = "nix-builder-users";
}

View File

@@ -0,0 +1,55 @@
{
config,
inputs,
lib,
pkgs,
values,
...
}:
let
data = lib.flip lib.mapAttrs inputs (
name: input: {
inherit (input)
lastModified
;
}
);
folder = pkgs.writeTextDir "share/flake-inputs" (
lib.concatMapStringsSep "\n" (
{ name, value }: ''nixos_last_modified_input{flake="${name}"} ${toString value.lastModified}''
) (lib.attrsToList data)
);
port = 9102;
in
{
services.nginx.virtualHosts."${config.networking.fqdn}-nixos-metrics" = {
serverName = config.networking.fqdn;
serverAliases = [
"${config.networking.hostName}.pvv.org"
];
locations."/metrics" = {
root = "${folder}/share";
tryFiles = "/flake-inputs =404";
extraConfig = ''
default_type text/plain;
'';
};
listen = [
{
inherit port;
addr = "0.0.0.0";
}
];
extraConfig = ''
allow ${values.hosts.ildkule.ipv4}/32;
allow ${values.hosts.ildkule.ipv6}/128;
allow 127.0.0.1/32;
allow ::1/128;
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
};
networking.firewall.allowedTCPPorts = [ port ];
}

View File

@@ -3,10 +3,6 @@
systemd.network.enable = true;
networking.domain = "pvv.ntnu.no";
networking.useDHCP = false;
# networking.search = [ "pvv.ntnu.no" "pvv.org" ];
# networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
# networking.tempAddresses = lib.mkDefault "disabled";
# networking.defaultGateway = values.hosts.gateway;
# The rest of the networking configuration is usually sourced from /values.nix

View File

@@ -1,14 +1,14 @@
{ inputs, ... }:
{ lib, config, inputs, ... }:
{
nix = {
gc = {
automatic = true;
options = "--delete-older-than 2d";
};
optimise.automatic = true;
settings = {
allow-dirty = true;
auto-optimise-store = true;
builders-use-substitutes = true;
experimental-features = [ "nix-command" "flakes" ];
log-lines = 50;
@@ -21,11 +21,16 @@
** use the same channel the system
** was built with
*/
registry = {
"nixpkgs".flake = inputs.nixpkgs;
"nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
"pvv-nix".flake = inputs.self;
};
registry = lib.mkMerge [
{
"nixpkgs".flake = inputs.nixpkgs;
"nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
}
# We avoid the reference to self in vmVariant to get a stable system .outPath for equivalence testing
(lib.mkIf (!config.virtualisation.isVmVariant) {
"pvv-nix".flake = inputs.self;
})
];
nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"unstable=${inputs.nixpkgs-unstable}"

View File

@@ -1,26 +1,39 @@
{ inputs, pkgs, lib, ... }:
{ config, inputs, pkgs, lib, ... }:
let
inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs;
in
{
system.autoUpgrade = {
enable = true;
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
flags = [
# --update-input is deprecated since nix 2.22, and removed in lix 2.90
# https://git.lix.systems/lix-project/lix/issues/400
"--refresh"
"--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.11-small"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
"--no-write-lock-file"
];
# --update-input is deprecated since nix 2.22, and removed in lix 2.90
# as such we instead use --override-input combined with --refresh
# https://git.lix.systems/lix-project/lix/issues/400
] ++ (lib.pipe inputUrls [
(lib.intersectAttrs {
nixpkgs = { };
nixpkgs-unstable = { };
})
(lib.mapAttrsToList (input: url: ["--override-input" input url]))
lib.concatLists
]);
};
# workaround for https://github.com/NixOS/nix/issues/6895
# via https://git.lix.systems/lix-project/lix/issues/400
environment.etc."current-system-flake-inputs.json".source
= pkgs.writers.writeJSON "flake-inputs.json" (
lib.flip lib.mapAttrs inputs (name: input:
# inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
// { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
)
);
environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
"current-system-flake-inputs.json".source
= pkgs.writers.writeJSON "flake-inputs.json" (
lib.flip lib.mapAttrs inputs (name: input:
# inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
// { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
)
);
};
}

7
base/services/dbus.nix Normal file
View File

@@ -0,0 +1,7 @@
{ ... }:
{
services.dbus = {
enable = true;
implementation = "broker";
};
}

4
base/services/fwupd.nix Normal file
View File

@@ -0,0 +1,4 @@
{ ... }:
{
services.fwupd.enable = true;
}

View File

@@ -20,14 +20,14 @@
recommendedGzipSettings = true;
appendConfig = ''
pcre_jit on;
# pcre_jit on;
worker_processes auto;
worker_rlimit_nofile 100000;
'';
eventsConfig = ''
worker_connections 2048;
use epoll;
multi_accept on;
# multi_accept on;
'';
};

59
base/services/uptimed.nix Normal file
View File

@@ -0,0 +1,59 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.uptimed;
in
{
options.services.uptimed.settings = lib.mkOption {
description = "";
default = { };
type = lib.types.submodule {
freeformType = with lib.types; attrsOf (either str (listOf str));
};
};
config = {
services.uptimed = {
enable = true;
settings = let
stateDir = "/var/lib/uptimed";
in {
PIDFILE = "${stateDir}/pid";
SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
};
};
systemd.services.uptimed = lib.mkIf (cfg.enable) {
serviceConfig = let
uptimed = pkgs.uptimed.overrideAttrs (prev: {
postPatch = ''
substituteInPlace Makefile.am \
--replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
substituteInPlace src/Makefile.am \
--replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
'';
});
in {
Type = "notify";
ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
BindReadOnlyPaths = let
configFile = lib.pipe cfg.settings [
(lib.mapAttrsToList
(k: v:
if builtins.isList v
then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v
else "${k}=${v}")
)
(lib.concatStringsSep "\n")
(pkgs.writeText "uptimed.conf")
];
in [
"${configFile}:/var/lib/uptimed/uptimed.conf"
];
};
};
};
}

View File

@@ -0,0 +1,4 @@
{ ... }:
{
services.userborn.enable = true;
}

View File

@@ -0,0 +1,4 @@
{ ... }:
{
services.userdbd.enable = true;
}

15
base/vm.nix Normal file
View File

@@ -0,0 +1,15 @@
{ lib, ... }:
# This enables
# lib.mkIf (!config.virtualisation.isVmVariant) { ... }
{
options.virtualisation.isVmVariant = lib.mkOption {
description = "`true` if system is build with 'nixos-rebuild build-vm'";
type = lib.types.bool;
default = false;
};
config.virtualisation.vmVariant = {
virtualisation.isVmVariant = true;
};
}

131
flake.lock generated
View File

@@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1740485968,
"narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=",
"lastModified": 1758287904,
"narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=",
"owner": "nix-community",
"repo": "disko",
"rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940",
"rev": "67ff9807dd148e704baadbd4fd783b54282ca627",
"type": "github"
},
"original": {
@@ -27,11 +27,11 @@
]
},
"locked": {
"lastModified": 1736621371,
"narHash": "sha256-45UIQSQA7R5iU4YWvilo7mQbhY1Liql9bHBvYa3qRI0=",
"lastModified": 1758384693,
"narHash": "sha256-zakdGo9micgEXGiC5Uq0gE5GkHtX12qaRYLcstKPek4=",
"ref": "refs/heads/main",
"rev": "3729796c1213fe76e568ac28f1df8de4e596950b",
"revCount": 20,
"rev": "5f6a462d87cbe25834e8f31283f39fb46c9c3561",
"revCount": 21,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
},
@@ -48,11 +48,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1736545379,
"narHash": "sha256-PeTTmGumdOX3rd6OKI7QMCrZovCDkrckZbcHr+znxWA=",
"lastModified": 1758919016,
"narHash": "sha256-TSJMOWq9dO7P1iQB4httzWwAtpM1veacLcaS7FAyTpo=",
"ref": "refs/heads/main",
"rev": "74f5316121776db2769385927ec0d0c2cc2b23e4",
"revCount": 42,
"rev": "c87263b784954d20485d108e70934c9316935d75",
"revCount": 51,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
},
@@ -88,16 +88,16 @@
]
},
"locked": {
"lastModified": 1727410897,
"narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=",
"lastModified": 1753216555,
"narHash": "sha256-qfgVfgXjVPV7vEER4PVFiGUOUW08GHH71CVXgYW8EVc=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
"rev": "099db715d1eba526a464f271b05cead5166fd9a9",
"type": "github"
},
"original": {
"owner": "dali99",
"ref": "v0.6.1",
"ref": "v0.7.1",
"repo": "nixos-matrix-modules",
"type": "github"
}
@@ -110,11 +110,31 @@
"rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
"revCount": 2,
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
}
},
"minecraft-heatmap": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1756124334,
"narHash": "sha256-DXFmSpgI8FrqcdqY7wg5l/lpssWjslHq5ufvyp/5k4o=",
"ref": "refs/heads/main",
"rev": "83760b1ebcd9722ddf58a4117d29555da65538ad",
"revCount": 13,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
}
},
"nix-gitea-themes": {
@@ -124,49 +144,43 @@
]
},
"locked": {
"lastModified": 1736531400,
"narHash": "sha256-+X/HVI1AwoPcud28wI35XRrc1kDgkYdDUGABJBAkxDI=",
"lastModified": 1743881366,
"narHash": "sha256-ScGA2IHPk9ugf9bqEZnp+YB/OJgrkZblnG/XLEKvJAo=",
"ref": "refs/heads/main",
"rev": "e4dafd06b3d7e9e6e07617766e9c3743134571b7",
"revCount": 7,
"rev": "db2e4becf1b11e5dfd33de12a90a7d089fcf68ec",
"revCount": 11,
"type": "git",
"url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1740782485,
"narHash": "sha256-GkDJDqHYlPKZFdyxzZHtljxNRsosKB1GCrblqlvLFgo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dd5c2540983641bbaabdfc665931592d4c9989e8",
"type": "github"
"lastModified": 1760254360,
"narHash": "sha256-Npp92Joy2bRyickrrVP9+85z31aGS8kVNiLlKvd5pC4=",
"rev": "bafe987a29b8bea2edbb3aba76b51464b3d222f0",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/25.05-small/nixos-25.05.811161.bafe987a29b8/nixexprs.tar.xz"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11-small",
"repo": "nixpkgs",
"type": "github"
"type": "tarball",
"url": "https://nixos.org/channels/nixos-25.05-small/nixexprs.tar.xz"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1740848276,
"narHash": "sha256-bYeI3FEs824X+MJYksKboNlmglehzplqzn+XvcojWMc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e9b0ff70ddc61c42548501b0fafb86bb49cca858",
"type": "github"
"lastModified": 1760252326,
"narHash": "sha256-5v32B25kSE++E+KtP4DO687r/AlWL9qOlOjtYyfcDSw=",
"rev": "66e5020bfe0af40ffa127426f8405edbdadbb40b",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-25.11pre876242.66e5020bfe0a/nixexprs.tar.xz"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
"type": "tarball",
"url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"
}
},
"pvv-calendar-bot": {
@@ -176,11 +190,11 @@
]
},
"locked": {
"lastModified": 1723850344,
"narHash": "sha256-aT37O9l9eclWEnqxASVNBL1dKwDHZUOqdbA4VO9DJvw=",
"lastModified": 1742225512,
"narHash": "sha256-OB0ndlrGLE5wMUeYP4lmxly9JUEpPCeZRQyMzITKCB0=",
"ref": "refs/heads/main",
"rev": "38b66677ab8c01aee10cd59e745af9ce3ea88092",
"revCount": 19,
"rev": "c4a6a02c84d8227abf00305dc995d7242176e6f6",
"revCount": 21,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
},
@@ -196,11 +210,11 @@
]
},
"locked": {
"lastModified": 1737151758,
"narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
"ref": "refs/heads/master",
"rev": "a4ebe6ded0c8c124561a41cb329ff30891914b5e",
"revCount": 475,
"lastModified": 1757332682,
"narHash": "sha256-4p4aVQWs7jHu3xb6TJlGik20lqbUU/Fc0/EHpzoRlO0=",
"ref": "refs/heads/main",
"rev": "da1113341ad9881d8d333d1e29790317bd7701e7",
"revCount": 518,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
},
@@ -217,6 +231,7 @@
"grzegorz-clients": "grzegorz-clients",
"matrix-next": "matrix-next",
"minecraft-data": "minecraft-data",
"minecraft-heatmap": "minecraft-heatmap",
"nix-gitea-themes": "nix-gitea-themes",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
@@ -233,11 +248,11 @@
]
},
"locked": {
"lastModified": 1729391507,
"narHash": "sha256-as0I9xieJUHf7kiK2a9znDsVZQTFWhM1pLivII43Gi0=",
"lastModified": 1758335443,
"narHash": "sha256-2jaGMj32IckpZgBjn7kG4zyJl66T+2A1Fn2ppkHh91o=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "784981a9feeba406de38c1c9a3decf966d853cca",
"rev": "f1ccb14649cf87e48051a6ac3a571b4a57d84ff3",
"type": "github"
},
"original": {
@@ -253,11 +268,11 @@
]
},
"locked": {
"lastModified": 1739262228,
"narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
"lastModified": 1760240450,
"narHash": "sha256-sa9bS9jSyc4vH0jSWrUsPGdqtMvDwmkLg971ntWOo2U=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
"rev": "41fd1f7570c89f645ee0ada0be4e2d3c4b169549",
"type": "github"
},
"original": {

104
flake.nix
View File

@@ -2,8 +2,8 @@
description = "PVV System flake";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small"; # remember to also update the url in base/services/auto-upgrade.nix
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
nixpkgs.url = "https://nixos.org/channels/nixos-25.05-small/nixexprs.tar.xz";
nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -17,12 +17,15 @@
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.1";
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.7.1";
matrix-next.inputs.nixpkgs.follows = "nixpkgs";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git";
nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git";
minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git";
greg-ng.inputs.nixpkgs.follows = "nixpkgs";
gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git";
@@ -30,7 +33,7 @@
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
minecraft-data.url = "git+https://git.pvv.ntnu.no/Drift/minecraft-data.git";
minecraft-data.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git";
};
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -55,40 +58,65 @@
nixosConfigurations = let
unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
nixosConfig = nixpkgs: name: config: lib.nixosSystem (lib.recursiveUpdate
rec {
nixosConfig =
nixpkgs:
name:
configurationPath:
extraArgs:
lib.nixosSystem (lib.recursiveUpdate
(let
system = "x86_64-linux";
in {
inherit system;
specialArgs = {
inherit unstablePkgs inputs;
values = import ./values.nix;
fp = path: ./${path};
};
} // extraArgs.specialArgs or { };
modules = [
./hosts/${name}/configuration.nix
configurationPath
sops-nix.nixosModules.sops
] ++ config.modules or [];
] ++ extraArgs.modules or [];
pkgs = import nixpkgs {
inherit system;
extraArgs.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
[
"nvidia-x11"
"nvidia-settings"
];
overlays = [
# Global overlays go here
] ++ config.overlays or [ ];
] ++ extraArgs.overlays or [ ];
};
}
(removeAttrs config [ "modules" "overlays" ])
})
(builtins.removeAttrs extraArgs [
"modules"
"overlays"
"specialArgs"
])
);
stableNixosConfig = nixosConfig nixpkgs;
unstableNixosConfig = nixosConfig nixpkgs-unstable;
stableNixosConfig = name: extraArgs:
nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
in {
bicep = stableNixosConfig "bicep" {
modules = [
inputs.matrix-next.nixosModules.default
inputs.pvv-calendar-bot.nixosModules.default
inputs.minecraft-heatmap.nixosModules.default
self.nixosModules.gickup
self.nixosModules.matrix-ooye
];
overlays = [
inputs.pvv-calendar-bot.overlays.x86_64-linux.default
inputs.minecraft-heatmap.overlays.default
(final: prev: {
inherit (self.packages.${prev.system}) out-of-your-element;
})
];
};
bekkalokk = stableNixosConfig "bekkalokk" {
@@ -99,23 +127,25 @@
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
bluemap = final.callPackage ./packages/bluemap.nix { };
})
inputs.nix-gitea-themes.overlays.default
inputs.pvv-nettsiden.overlays.default
];
modules = [
inputs.nix-gitea-themes.nixosModules.default
inputs.pvv-nettsiden.nixosModules.default
];
};
bob = stableNixosConfig "bob" {
modules = [
disko.nixosModules.disko
{ disko.devices.disk.disk1.device = "/dev/vda"; }
];
};
ildkule = stableNixosConfig "ildkule" { };
#ildkule-unstable = unstableNixosConfig "ildkule" { };
shark = stableNixosConfig "shark" { };
wenche = stableNixosConfig "wenche" { };
kommode = stableNixosConfig "kommode" {
overlays = [
inputs.nix-gitea-themes.overlays.default
];
modules = [
inputs.nix-gitea-themes.nixosModules.default
];
};
ustetind = stableNixosConfig "ustetind" {
modules = [
@@ -145,17 +175,36 @@
inputs.gergle.overlays.default
];
};
dagali = unstableNixosConfig "dagali" { };
};
}
//
(let
machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
stableLupineNixosConfig = name: extraArgs:
nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
modules = [{ networking.hostName = name; }];
specialArgs.lupineName = name;
}));
nixosModules = {
snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix;
robots-txt = ./modules/robots-txt.nix;
gickup = ./modules/gickup;
matrix-ooye = ./modules/matrix-ooye.nix;
};
devShells = forAllSystems (system: {
default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
cuda = let
cuda-pkgs = import nixpkgs-unstable {
inherit system;
config = {
allowUnfree = true;
cudaSupport = true;
};
};
in cuda-pkgs.callPackage ./shells/cuda.nix { };
});
packages = {
@@ -170,6 +219,7 @@
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
} //
(lib.pipe null [
(_: pkgs.callPackage ./packages/mediawiki-extensions { })

View File

@@ -7,7 +7,6 @@
(fp /misc/metrics-exporters.nix)
./services/bluemap/default.nix
./services/gitea/default.nix
./services/idp-simplesamlphp
./services/kerberos
./services/mediawiki

View File

@@ -0,0 +1,99 @@
<!DOCTYPE html>
<html lang="no">
<head>
<meta charset="utf-8">
<title>500 Intern serverfeil | PVV</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
body {
margin: 0;
padding: 0;
font-family: 'Open Sans', sans-serif;
background-color: #002244;
color: #f0f0f0;
display: flex;
align-items: center;
justify-content: center;
height: 100vh;
text-align: center;
}
.box {
max-width: 480px;
padding: 2rem;
}
.logo {
width: 30%;
height: auto;
margin: 0 auto 2rem;
}
h1 {
margin: 0 0 1rem;
font-size: 2.25rem;
font-weight: 700;
}
p {
margin: 0 0 1.25rem;
font-size: 1.05rem;
line-height: 1.4;
}
.error-code {
margin: 1.5rem 0;
opacity: 0.7;
}
.contact {
margin-top: 1.75rem;
font-size: 0.93rem;
line-height: 1.4;
}
.contact a {
color: #bcd025;
text-decoration: none;
}
ul {
padding: 0;
list-style: none;
margin: 0.5rem 0 0;
}
li {
margin: 0.35rem 0;
}
</style>
</head>
<body>
<div class="box">
<div class="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 200">
<path fill="#283681" d="M0 0h200v200H0z"/>
<g fill="none" fill-opacity="0" stroke="#fff" stroke-width="1.1">
<path d="M119.6 180H78.3"/>
<path d="M179.3 55.8v124.3h-55"/>
<path stroke-linecap="square" d="M124.6 180a2.5 2.5 0 0 0-2.5-2.5 2.5 2.5 0 0 0-2.6 2.6H78.6a2.5 2.5 0 0 0-2.5-2.6 2.5 2.5 0 0 0-2.6 2.6H19.2V19.9h160v30H175v6.2h4.3"/>
</g>
<circle cx="396.8" cy="400" r="320.3" fill="none" stroke="#fff" stroke-miterlimit="10" stroke-width="4.2" transform="scale(.25)"/>
<g fill="none" fill-opacity="0" stroke="#fff" stroke-width="1.1">
<path stroke-linejoin="bevel" d="M128.6 43.4h-86v113.3h113.2V53.8l-9.7-10.5h-6.8L137 45h-5.4"/>
<path d="M131.6 83c0 1.9-1.3 3.4-3 3.4H57c-1.6 0-3-1.6-3-3.5v-36c0-1.9 1.4-3.4 3-3.4h71.7c1.7 0 3 1.5 3 3.4z"/>
<path d="M131.7 83.4a3 3 0 0 1-3 3H74.2a3 3 0 0 1-3-3v-37a3 3 0 0 1 3-3h54.5a3 3 0 0 1 3 3zm12.8 70a3 3 0 0 1-3 3H56.9a3 3 0 0 1-3-3V95.3a3 3 0 0 1 3-3h84.6a3 3 0 0 1 3 3zM45 147.6h6.4v5.7H45zm101.9 0h6.4v5.7H147z"/>
<path d="M108.4 48.4h16.2v34.4h-16.2z"/>
</g>
<path fill="#fff" stroke="#fff" stroke-miterlimit="10" stroke-width="4.2" d="M275 541.6c0 3.5 2.7 6.4 6.2 6.4 3.6 0 6.5-2.9 6.5-6.4v-31h30.8c10.5 0 19.2-8.7 19.2-19.2v-22.7c0-10.3-8.7-19-19.2-19H275zm12.7-43.8v-35.4h30.8c3.3 0 6.5 3 6.5 6.3v22.7c0 3.6-3 6.5-6.5 6.5zm78.3-19 25.3 65.2a6.4 6.4 0 0 0 12 0l25.4-65.3V456c0-3.4-2.9-6.3-6.4-6.3a6.3 6.3 0 0 0-6.3 6.3v20.3l-18.6 47.6-18.7-47.6V456c0-3.4-2.9-6.3-6.4-6.3a6.3 6.3 0 0 0-6.3 6.3zm91 0 25.4 65.2a6.4 6.4 0 0 0 12 0l25.4-65.3V456c0-3.4-2.9-6.3-6.4-6.3a6.3 6.3 0 0 0-6.3 6.3v20.3l-18.7 47.6-18.6-47.6V456c0-3.4-3-6.3-6.5-6.3a6.3 6.3 0 0 0-6.3 6.3z" transform="scale(.25)"/>
</svg>
</div>
<h1>50X: Intern serverfeil</h1>
<p>Beklager, noe gikk galt.</p>
<p>Vennligst prøv igjen senere eller gå til forsiden.</p>
<div class="error-code">Feilkode: 50X</div>
<div class="contact">
<p>Kontakt drift hvis problemet vedvarer:</p>
<ul>
<li><strong>Discord:</strong> <a href="https://discord.gg/pyDDFpbG2x" target="_blank">discord.gg/pyDDFpbG2x</a></li>
<li><strong>Matrix:</strong> <a href="https://matrix.to/#/#pvv:pvv.ntnu.no" target="_blank">#pvv:pvv.ntnu.no</a></li>
<li><strong>Epost:</strong> <a href="mailto:drift@pvv.ntnu.no">drift@pvv.ntnu.no</a></li>
</ul>
</div>
</div>
</body>
</html>

View File

@@ -61,7 +61,6 @@ in {
user = "mediawiki";
passwordFile = config.sops.secrets."mediawiki/postgres_password".path;
createLocally = false;
# TODO: create a normal database and copy over old data when the service is production ready
name = "mediawiki";
};
@@ -215,11 +214,11 @@ in {
"= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
buildInputs = with pkgs; [ imagemagick ];
} ''
convert \
magick \
${fp /assets/logo_blue_regular.png} \
-resize x64 \
-gravity center \
-crop 64x64+0+0 \
${fp /assets/logo_blue_regular.png} \
-flatten \
-colors 256 \
-background transparent \

View File

@@ -1,4 +1,10 @@
{ pkgs, config, ... }:
{
services.nginx.enable = true;
services.nginx = {
enable = true;
appendHttpConfig = ''
error_page 500 502 503 504 /500.html;
'';
};
environment.etc."nginx/html/500.html".source = ./500.html;
}

View File

@@ -67,7 +67,12 @@ in {
ADMIN_NAME = "PVV Drift";
ADMIN_EMAIL = "drift@pvv.ntnu.no";
ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
TRUSTED_DOMAINS = [ cfg.domainName ];
TRUSTED_DOMAINS = [
"www.pvv.ntnu.no"
"pvv.ntnu.no"
"www.pvv.org"
"pvv.org"
];
};
};
};
@@ -117,5 +122,17 @@ in {
"/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse";
"/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza";
};
extraConfig = ''
error_page 500 502 503 504 /500.html;
'';
locations."/500.html" = {
root = "/etc/static/nginx/html";
extraConfig = ''
internal;
'';
};
};
}

View File

@@ -53,7 +53,7 @@ in {
echo "Creating thumbnail for $fname"
mkdir -p $(dirname ".thumbnails/$fname")
convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
done <<< "$images"
'';

View File

@@ -7,10 +7,11 @@
(fp /misc/metrics-exporters.nix)
./services/nginx
./services/calendar-bot.nix
./services/git-mirrors
./services/minecraft-heatmap.nix
./services/mysql.nix
./services/postgres.nix
./services/mysql.nix
./services/calendar-bot.nix
./services/matrix
];

View File

@@ -0,0 +1,100 @@
{ config, pkgs, lib, fp, ... }:
let
cfg = config.services.gickup;
in
{
sops.secrets."gickup/github-token" = {
owner = "gickup";
};
services.gickup = {
enable = true;
dataDir = "/data/gickup";
destinationSettings = {
structured = true;
zip = false;
keep = 10;
bare = true;
lfs = false;
};
instances = let
defaultGithubConfig = {
settings.token_file = config.sops.secrets."gickup/github-token".path;
};
defaultGitlabConfig = {
# settings.token_file = ...
};
in {
"github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
"github:NixOS/nixpkgs" = defaultGithubConfig;
"github:go-gitea/gitea" = defaultGithubConfig;
"github:heimdal/heimdal" = defaultGithubConfig;
"github:saltstack/salt" = defaultGithubConfig;
"github:typst/typst" = defaultGithubConfig;
"github:unmojang/FjordLauncher" = defaultGithubConfig;
"github:unmojang/drasl" = defaultGithubConfig;
"github:yushijinhun/authlib-injector" = defaultGithubConfig;
"gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
"gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
"any:glibc" = {
settings.url = "https://sourceware.org/git/glibc.git";
};
"any:out-of-your-element" = {
settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
};
"any:out-of-your-element-module" = {
settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
};
};
};
services.cgit = let
domain = "mirrors.pvv.ntnu.no";
in {
${domain} = {
enable = true;
package = pkgs.callPackage (fp /packages/cgit.nix) { };
group = "gickup";
scanPath = "${cfg.dataDir}/linktree";
settings = {
enable-commit-graph = true;
enable-follow-links = true;
enable-http-clone = true;
enable-remote-branches = true;
clone-url = "https://${domain}/$CGIT_REPO_URL";
remove-suffix = true;
root-title = "PVVSPPP";
root-desc = "PVV Speiler Praktisk og Prominent Programvare";
snapshots = "all";
logo = "/PVV-logo.png";
};
};
};
services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
locations."= /PVV-logo.png".alias = let
small-pvv-logo = pkgs.runCommandLocal "pvv-logo-96x96" {
nativeBuildInputs = [ pkgs.imagemagick ];
} ''
magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
'';
in toString small-pvv-logo;
};
systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = {
serviceConfig.BindReadOnlyPaths = [ cfg.dataDir ];
};
}

View File

@@ -9,7 +9,8 @@
./coturn.nix
./mjolnir.nix
./discord.nix
# ./discord.nix
./out-of-your-element.nix
./hookshot
];

View File

@@ -45,7 +45,7 @@ in
};
services.mx-puppet-discord.enable = true;
services.mx-puppet-discord.enable = false;
services.mx-puppet-discord.settings = {
bridge = {
bindAddress = "localhost";

View File

@@ -77,14 +77,14 @@ in
outbound = true;
urlPrefix = "https://hookshot.pvv.ntnu.no/webhook/";
userIdPrefix = "_webhooks_";
allowJsTransformationFunctions = false;
allowJsTransformationFunctions = true;
waitForComplete = false;
};
feeds = {
enabled = true;
pollIntervalSeconds = 600;
};
serviceBots = [
{ localpart = "bot_feeds";
displayname = "Aya";
@@ -94,6 +94,11 @@ in
}
];
widgets = {
roomSetupWidget.addOnInvite = false;
publicUrl = "https://hookshot.pvv.ntnu.no/widgetapi/v1/static";
};
permissions = [
# Users of the PVV Server
{ actor = "pvv.ntnu.no";
@@ -128,6 +133,7 @@ in
services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://${webhookListenAddress}:${toString webhookListenPort}";
};

View File

@@ -0,0 +1,66 @@
{ config, pkgs, fp, ... }:
let
cfg = config.services.matrix-ooye;
in
{
users.groups.keys-matrix-registrations = { };
sops.secrets = {
"matrix/ooye/as_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/as_token";
};
"matrix/ooye/hs_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/hs_token";
};
"matrix/ooye/discord_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/discord_token";
};
"matrix/ooye/discord_client_secret" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/discord_client_secret";
};
};
services.matrix-ooye = {
enable = true;
homeserver = "https://matrix.pvv.ntnu.no";
homeserverName = "pvv.ntnu.no";
discordTokenPath = config.sops.secrets."matrix/ooye/discord_token".path;
discordClientSecretPath = config.sops.secrets."matrix/ooye/discord_client_secret".path;
bridgeOrigin = "https://ooye.pvv.ntnu.no";
enableSynapseIntegration = false;
};
systemd.services."matrix-synapse" = {
after = [
"matrix-ooye-pre-start.service"
"network-online.target"
];
requires = [ "matrix-ooye-pre-start.service" ];
serviceConfig = {
LoadCredential = [
"matrix-ooye-registration:/var/lib/matrix-ooye/registration.yaml"
];
ExecStartPre = [
"+${pkgs.coreutils}/bin/cp /run/credentials/matrix-synapse.service/matrix-ooye-registration ${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
"+${pkgs.coreutils}/bin/chown matrix-synapse:keys-matrix-registrations ${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
];
};
};
services.matrix-synapse-next.settings = {
app_service_config_files = [
"${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
];
};
services.nginx.virtualHosts."ooye.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:${cfg.socket}";
};
}

View File

@@ -0,0 +1,49 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.minecraft-heatmap;
in
{
sops.secrets."minecraft-heatmap/ssh-key/private" = {
mode = "600";
};
sops.secrets."minecraft-heatmap/postgres-passwd" = {
mode = "600";
};
services.minecraft-heatmap = {
enable = true;
database = {
host = "postgres.pvv.ntnu.no";
port = 5432;
name = "minecraft_heatmap";
user = "minecraft_heatmap";
passwordFile = config.sops.secrets."minecraft-heatmap/postgres-passwd".path;
};
};
systemd.services.minecraft-heatmap-ingest-logs = {
serviceConfig.LoadCredential = [
"sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
];
preStart = let
knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U=
innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
'';
in ''
mkdir -p '${cfg.minecraftLogsDir}'
"${lib.getExe pkgs.rsync}" \
--archive \
--verbose \
--progress \
--no-owner \
--no-group \
--rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
root@innovation.pvv.ntnu.no:/ \
'${cfg.minecraftLogsDir}'/
'';
};
}

View File

@@ -1,46 +0,0 @@
{ config, fp, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./disks.nix
(fp /misc/builder.nix)
];
sops.defaultSopsFile = fp /secrets/bob/bob.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
};
networking.hostName = "bob"; # Define your hostname.
systemd.network.networks."30-all" = values.defaultNetworkConfig // {
matchConfig.Name = "en*";
DHCP = "yes";
gateway = [ ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

View File

@@ -1,39 +0,0 @@
# Example to create a bios compatible gpt partition
{ lib, ... }:
{
disko.devices = {
disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
}

View File

@@ -1,78 +0,0 @@
# Tracking document for new PVV kerberos auth stack
![Bensinstasjon på heimdal](https://bydelsnytt.no/wp-content/uploads/2022/08/esso_heimdal003.jpg)
<div align="center">
Bensinstasjon på heimdal
</div>
### TODO:
- [ ] setup heimdal
- [x] ensure running with systemd
- [x] compile smbk5pwd (part of openldap)
- [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively
- [ ] fully initialize PVV.NTNU.NO
- [x] `kadmin -l init PVV.NTNU.NO`
- [x] add oysteikt/admin@PVV.NTNU.NO principal
- [x] add oysteikt@PVV.NTNU.NO principal
- [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
- why is this needed, and where is it documented?
- `kadmin check` seems to work under sudo?
- (it is included by default, just included as error message
in a weird state)
- [x] Ensure client is working correctly
- [x] Ensure kinit works on darbu
- [x] Ensure kpasswd works on darbu
- [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
- [ ] Ensure kdc is working correctly
- [x] Ensure kinit works on dagali
- [x] Ensure kpasswd works on dagali
- [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
- [x] Fix FQDN
- https://github.com/NixOS/nixpkgs/issues/94011
- https://github.com/NixOS/nixpkgs/issues/261269
- Possibly fixed by disabling systemd-resolved
- [ ] setup cyrus sasl
- [x] ensure running with systemd
- [x] verify GSSAPI support plugin is installed
- `nix-shell -p cyrus_sasl --command pluginviewer`
- [x] create "host/localhost@PVV.NTNU.NO" and export to keytab
- [x] verify cyrus sasl is able to talk to heimdal
- `sudo testsaslauthd -u oysteikt -p <password>`
- [ ] provide ldap principal to cyrus sasl through keytab
- [ ] setup openldap
- [x] ensure running with systemd
- [ ] verify openldap is able to talk to cyrus sasl
- [ ] create user for oysteikt in openldap
- [ ] authenticate openldap login through sasl
- does this require creating an ldap user?
- [ ] fix smbk5pwd integration
- [x] add smbk5pwd schemas to openldap
- [x] create openldap db for smbk5pwd with overlays
- [ ] test to ensure that user sync is working
- [ ] test as user source (replace passwd)
- [ ] test as PAM auth source
- [ ] test as auth source for 3rd party appliation
- [ ] Set up ldap administration panel
- Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
- [ ] Set up kerberos SRV DNS entry
### Information and URLS
- OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html
- Use a keytab: https://kb.iu.edu/d/aumh
- 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos
- Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
- Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html
- PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos
- OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
- saslauthd(8): https://linux.die.net/man/8/saslauthd

View File

@@ -1,51 +0,0 @@
{ config, pkgs, values, lib, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./services/heimdal.nix
#./services/openldap.nix
./services/cyrus-sasl.nix
];
# buskerud does not support efi?
# boot.loader.systemd-boot.enable = true;
# boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
# resolved messes up FQDN coming from nscd
services.resolved.enable = false;
networking.hostName = "dagali";
networking.domain = lib.mkForce "pvv.local";
networking.hosts = {
"129.241.210.185" = [ "dagali.pvv.local" ];
};
#networking.search = [ "pvv.ntnu.no" "pvv.org" ];
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
networking.tempAddresses = "disabled";
networking.networkmanager.enable = true;
systemd.network.networks."ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.dagali; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
# TODO: consider adding to base.nix
nix-output-monitor
];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
}

View File

@@ -1,21 +0,0 @@
{ config, ... }:
let
cfg = config.services.saslauthd;
in
{
# TODO: This is seemingly required for openldap to authenticate
# against kerberos, but I have no idea how to configure it as
# such. Does it need a keytab? There's a binary "testsaslauthd"
# that follows with `pkgs.cyrus_sasl` that might be useful.
services.saslauthd = {
enable = true;
mechanism = "kerberos5";
config = ''
mech_list: gs2-krb5 gssapi
keytab: /etc/krb5.keytab
'';
};
# TODO: maybe the upstream module should consider doing this?
environment.systemPackages = [ cfg.package ];
}

View File

@@ -1,100 +0,0 @@
{ config, pkgs, lib, ... }:
let
realm = "PVV.LOCAL";
cfg = config.security.krb5;
in
{
security.krb5 = {
enable = true;
# NOTE: This is required in order to build smbk5pwd, because of some nested includes.
# We should open an issue upstream (heimdal, not nixpkgs), but this patch
# will do for now.
package = pkgs.heimdal.overrideAttrs (prev: {
postInstall = prev.postInstall + ''
cp include/heim_threads.h $dev/include
'';
});
settings = {
realms.${realm} = {
kdc = [ "dagali.${lib.toLower realm}" ];
admin_server = "dagali.${lib.toLower realm}";
kpasswd_server = "dagali.${lib.toLower realm}";
default_domain = lib.toLower realm;
primary_kdc = "dagali.${lib.toLower realm}";
};
kadmin.default_keys = lib.concatStringsSep " " [
"aes256-cts-hmac-sha1-96:pw-salt"
"aes128-cts-hmac-sha1-96:pw-salt"
];
libdefaults.default_etypes = lib.concatStringsSep " " [
"aes256-cts-hmac-sha1-96"
"aes128-cts-hmac-sha1-96"
];
libdefaults = {
default_realm = realm;
dns_lookup_kdc = false;
dns_lookup_realm = false;
};
domain_realm = {
"${lib.toLower realm}" = realm;
".${lib.toLower realm}" = realm;
};
logging = {
# kdc = "CONSOLE";
kdc = "SYSLOG:DEBUG:AUTH";
admin_server = "SYSLOG:DEBUG:AUTH";
default = "SYSLOG:DEBUG:AUTH";
};
};
};
services.kerberos_server = {
enable = true;
settings = {
realms.${realm} = {
dbname = "/var/lib/heimdal/heimdal";
mkey = "/var/lib/heimdal/m-key";
acl = [
{
principal = "kadmin/admin";
access = "all";
}
{
principal = "felixalb/admin";
access = "all";
}
{
principal = "oysteikt/admin";
access = "all";
}
];
};
# kadmin.default_keys = lib.concatStringsSep " " [
# "aes256-cts-hmac-sha1-96:pw-salt"
# "aes128-cts-hmac-sha1-96:pw-salt"
# ];
# libdefaults.default_etypes = lib.concatStringsSep " " [
# "aes256-cts-hmac-sha1-96"
# "aes128-cts-hmac-sha1-96"
# ];
# password_quality.min_length = 8;
};
};
networking.firewall.allowedTCPPorts = [ 88 464 749 ];
networking.firewall.allowedUDPPorts = [ 88 464 749 ];
networking.hosts = {
"127.0.0.2" = lib.mkForce [ ];
"::1" = lib.mkForce [ ];
};
}

View File

@@ -1,121 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.openldap = let
dn = "dc=pvv,dc=ntnu,dc=no";
cfg = config.services.openldap;
heimdal = config.security.krb5.package;
in {
enable = true;
# NOTE: this is a custom build of openldap with support for
# perl and kerberos.
package = pkgs.openldap.overrideAttrs (prev: {
# https://github.com/openldap/openldap/blob/master/configure
configureFlags = prev.configureFlags ++ [
# Connect to slapd via UNIX socket
"--enable-local"
# Cyrus SASL
"--enable-spasswd"
# Reverse hostname lookups
"--enable-rlookups"
# perl
"--enable-perl"
];
buildInputs = prev.buildInputs ++ [
pkgs.perl
# NOTE: do not upstream this, it might not work with
# MIT in the same way
heimdal
];
extraContribModules = prev.extraContribModules ++ [
# https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
"smbk5pwd"
];
});
settings = {
attrs = {
olcLogLevel = [ "stats" "config" "args" ];
# olcAuthzRegexp = ''
# gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
# "uid=heimdal,${dn2}"
# '';
# olcSaslSecProps = "minssf=0";
};
children = {
"cn=schema".includes = let
# NOTE: needed for smbk5pwd.so module
schemaToLdif = name: path: pkgs.runCommandNoCC name {
buildInputs = with pkgs; [ schema2ldif ];
} ''
schema2ldif "${path}" > $out
'';
hdb-ldif = schemaToLdif "hdb.ldif" "${heimdal.src}/lib/hdb/hdb.schema";
samba-ldif = schemaToLdif "samba.ldif" "${heimdal.src}/tests/ldap/samba.schema";
in [
"${cfg.package}/etc/schema/core.ldif"
"${cfg.package}/etc/schema/cosine.ldif"
"${cfg.package}/etc/schema/nis.ldif"
"${cfg.package}/etc/schema/inetorgperson.ldif"
"${hdb-ldif}"
"${samba-ldif}"
];
# NOTE: installation of smbk5pwd.so module
# https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
"cn=module{0}".attrs = {
objectClass = [ "olcModuleList" ];
olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
};
# NOTE: activation of smbk5pwd.so module for {1}mdb
"olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
olcOverlay = "{0}smbk5pwd";
olcSmbK5PwdEnable = [ "krb5" "samba" ];
olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
};
"olcDatabase={1}mdb".attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcSuffix = dn;
# TODO: PW is supposed to be a secret, but it's probably fine for testing
olcRootDN = "cn=users,${dn}";
# TODO: replace with proper secret
olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
olcDbDirectory = "/var/lib/openldap/test-smbk5pwd-db";
olcDbIndex = "objectClass eq";
olcAccess = [
''{0}to attrs=userPassword,shadowLastChange
by dn.exact=cn=users,${dn} write
by self write
by anonymous auth
by * none''
''{1}to dn.base=""
by * read''
/* allow read on anything else */
# ''{2}to *
# by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
# by * read''
];
};
};
};
};
}

View File

@@ -25,6 +25,26 @@
# List services that you want to enable:
services.spotifyd = {
enable = true;
settings.global = {
device_name = "georg";
use_mpris = false;
#dbus_type = "system";
#zeroconf_port = 1234;
};
};
networking.firewall.allowedTCPPorts = [
# config.services.spotifyd.settings.zeroconf_port
5353 # spotifyd is its own mDNS service wtf
];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave

View File

@@ -1539,8 +1539,8 @@
]
},
"timezone": "browser",
"title": "Gitea Dashbaord",
"title": "Gitea Dashboard",
"uid": "nNq1Iw5Gz",
"version": 29,
"weekStart": ""
}
}

View File

@@ -56,13 +56,12 @@ in {
url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
options.path = dashboards/synapse.json;
}
# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
# {
# name = "MySQL";
# type = "file";
# url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
# options.path = dashboards/mysql.json;
# }
{
name = "MySQL";
type = "file";
url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
options.path = dashboards/mysql.json;
}
{
name = "Postgresql";
type = "file";
@@ -76,10 +75,10 @@ in {
options.path = dashboards/go-processes.json;
}
{
name = "Gitea Dashbaord";
name = "Gitea Dashboard";
type = "file";
url = "https://grafana.com/api/dashboards/17802/revisions/3/download";
options.path = dashboards/gitea-dashbaord.json;
options.path = dashboards/gitea-dashboard.json;
}
];

View File

@@ -2,12 +2,12 @@
stateDir = "/data/monitoring/prometheus";
in {
imports = [
./exim.nix
./gitea.nix
./matrix-synapse.nix
# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
# ./mysqld.nix
./postgres.nix
./machines.nix
./matrix-synapse.nix
./mysqld.nix
./postgres.nix
];
services.prometheus = {

View File

@@ -0,0 +1,14 @@
{ ... }:
{
services.prometheus = {
scrapeConfigs = [
{
job_name = "exim";
scrape_interval = "15s";
static_configs = [{
targets = [ "microbel.pvv.ntnu.no:9636" ];
}];
}
];
};
}

View File

@@ -1,54 +1,37 @@
{ config, ... }: let
cfg = config.services.prometheus;
mkHostScrapeConfig = name: ports: {
labels.hostname = name;
targets = map (port: "${name}.pvv.ntnu.no:${toString port}") ports;
};
defaultNodeExporterPort = 9100;
defaultSystemdExporterPort = 9101;
defaultNixosExporterPort = 9102;
in {
services.prometheus.scrapeConfigs = [{
job_name = "base_info";
static_configs = [
{ labels.hostname = "ildkule";
targets = [
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
"ildkule.pvv.ntnu.no:${toString cfg.exporters.systemd.port}"
];
}
{ labels.hostname = "bekkalokk";
targets = [
"bekkalokk.pvv.ntnu.no:9100"
"bekkalokk.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "bicep";
targets = [
"bicep.pvv.ntnu.no:9100"
"bicep.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "brzeczyszczykiewicz";
targets = [
"brzeczyszczykiewicz.pvv.ntnu.no:9100"
"brzeczyszczykiewicz.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "georg";
targets = [
"georg.pvv.ntnu.no:9100"
"georg.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "hildring";
targets = [
"hildring.pvv.ntnu.no:9100"
];
}
{ labels.hostname = "isvegg";
targets = [
"isvegg.pvv.ntnu.no:9100"
];
}
{ labels.hostname = "microbel";
targets = [
"microbel.pvv.ntnu.no:9100"
];
}
(mkHostScrapeConfig "ildkule" [ cfg.exporters.node.port cfg.exporters.systemd.port defaultNixosExporterPort ])
(mkHostScrapeConfig "bekkalokk" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
# (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
(mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
];
}];
}

View File

@@ -1,7 +1,22 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
sops.secrets."config/mysqld_exporter" = { };
sops = {
secrets."config/mysqld_exporter_password" = { };
templates."mysqld_exporter.conf" = {
restartUnits = [ "prometheus-mysqld-exporter.service" ];
content = let
inherit (config.sops) placeholder;
in ''
[client]
host = bicep.pvv.ntnu.no
port = 3306
user = prometheus_mysqld_exporter
password = ${placeholder."config/mysqld_exporter_password"}
'';
};
};
services.prometheus = {
scrapeConfigs = [{
@@ -19,7 +34,7 @@ in {
exporters.mysqld = {
enable = true;
configFilePath = config.sops.secrets."config/mysqld_exporter".path;
configFile = config.sops.templates."mysqld_exporter.conf".path;
};
};
}

View File

@@ -0,0 +1,34 @@
{ pkgs, values, fp, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/gitea
./services/nginx.nix
];
sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "kommode"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
services.btrfs.autoScrub.enable = true;
environment.systemPackages = with pkgs; [];
system.stateVersion = "24.11";
}

View File

@@ -14,12 +14,18 @@
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4de345e2-be41-4d10-9b90-823b2c77e9b3";
fsType = "ext4";
{ device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/86CD-4C23";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/aa4b9a97-a7d8-4608-9f67-4ad084f1baf7"; }
[ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking

View File

@@ -3,7 +3,12 @@ let
cfg = config.services.gitea;
in
{
services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
services.gitea-themes = {
monokai = pkgs.gitea-theme-monokai;
earl-grey = pkgs.gitea-theme-earl-grey;
pitch-black = pkgs.gitea-theme-pitch-black;
catppuccin = pkgs.gitea-theme-catppuccin;
};
systemd.services.gitea-customization = lib.mkIf cfg.enable {
description = "Install extra customization in gitea's CUSTOM_DIR";

View File

Before

Width:  |  Height:  |  Size: 1.1 MiB

After

Width:  |  Height:  |  Size: 1.1 MiB

View File

@@ -1,31 +1,35 @@
{ config, values, lib, ... }:
{ config, values, lib, pkgs, unstablePkgs, ... }:
let
cfg = config.services.gitea;
domain = "git.pvv.ntnu.no";
sshPort = 2222;
in {
imports = [
./customization.nix
./customization
./gpg.nix
./import-users
./web-secret-provider
];
sops.secrets = {
"gitea/database" = {
owner = "gitea";
group = "gitea";
};
"gitea/email-password" = {
sops.secrets = let
defaultConfig = {
owner = "gitea";
group = "gitea";
};
in {
"gitea/database" = defaultConfig;
"gitea/email-password" = defaultConfig;
"gitea/lfs-jwt-secret" = defaultConfig;
"gitea/oauth2-jwt-secret" = defaultConfig;
"gitea/secret-key" = defaultConfig;
};
services.gitea = {
enable = true;
appName = "PVV Git";
package = unstablePkgs.gitea;
database = {
type = "postgres";
host = "postgres.pvv.ntnu.no";
@@ -43,9 +47,19 @@ in {
ROOT_URL = "https://${domain}/";
PROTOCOL = "http+unix";
SSH_PORT = sshPort;
LANDING_PAGE = "explore";
START_SSH_SERVER = true;
START_LFS_SERVER = true;
LANDING_PAGE = "explore";
LFS_JWT_SECRET = lib.mkForce "";
LFS_JWT_SECRET_URI = "file:${config.sops.secrets."gitea/lfs-jwt-secret".path}";
};
oauth2 = {
JWT_SECRET = lib.mkForce "";
JWT_SECRET_URI = "file:${config.sops.secrets."gitea/oauth2-jwt-secret".path}";
};
"git.timeout" = {
MIGRATE = 3600;
MIRROR = 1800;
};
mailer = {
ENABLED = true;
@@ -69,6 +83,10 @@ in {
};
admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
session.COOKIE_SECURE = true;
security = {
SECRET_KEY = lib.mkForce "";
SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
};
database.LOG_SQL = false;
repository = {
PREFERRED_LICENSES = lib.concatStringsSep "," [
@@ -134,12 +152,24 @@ in {
dump = {
enable = true;
interval = "weekly";
type = "tar.gz";
};
};
environment.systemPackages = [ cfg.package ];
systemd.services.gitea.serviceConfig.Type = lib.mkForce "notify";
systemd.services.gitea.serviceConfig.WatchdogSec = "60";
systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch";
systemd.services.gitea.serviceConfig.CacheDirectory = "gitea/repo-archive";
systemd.services.gitea.serviceConfig.BindPaths = [
"%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
];
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
@@ -155,6 +185,7 @@ in {
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4}/32;
allow ${values.hosts.ildkule.ipv6}/128;
deny all;
'';
};
@@ -162,4 +193,31 @@ in {
};
networking.firewall.allowedTCPPorts = [ sshPort ];
systemd.services.gitea-dump = {
serviceConfig.ExecStart = let
args = lib.cli.toGNUCommandLineShell { } {
type = cfg.dump.type;
# This should be declarative on nixos, no need to backup.
skip-custom-dir = true;
# This can be regenerated, no need to backup
skip-index = true;
# Logs are stored in the systemd journal
skip-log = true;
};
in lib.mkForce "${lib.getExe cfg.package} ${args}";
# Only keep n backup files at a time
postStop = let
cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
backupCount = 3;
in ''
for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
${cu "rm"} "$file"
done
'';
};
}

View File

@@ -11,7 +11,8 @@ in
systemd.services.gitea-import-users = lib.mkIf cfg.enable {
enable = true;
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
serviceConfig = {
ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
flakeIgnore = [
@@ -25,6 +26,7 @@ in
];
DynamicUser="yes";
EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
RuntimeDirectory = "gitea-import-users";
};
};

View File

@@ -17,6 +17,10 @@ GITEA_API_URL = os.getenv('GITEA_API_URL')
if GITEA_API_URL is None:
GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
PASSWD_FILE_PATH = os.getenv('PASSWD_FILE_PATH')
if PASSWD_FILE_PATH is None:
PASSWD_FILE_PATH = '/tmp/passwd-import'
def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
r = requests.get(
@@ -187,7 +191,8 @@ def main():
if existing_users is None:
exit(1)
for username, name in passwd_file_parser("/tmp/passwd-import"):
print(f"Reading passwd entries from {PASSWD_FILE_PATH}")
for username, name in passwd_file_parser(PASSWD_FILE_PATH):
print(f"Processing {username}")
add_or_patch_gitea_user(username, name, existing_users)
for org, team_name in COMMON_USER_TEAMS:

View File

@@ -0,0 +1,4 @@
{ ... }:
{
services.nginx.enable = true;
}

View File

@@ -0,0 +1,35 @@
{ fp, values, lupineName, ... }:
{
imports = [
./hardware-configuration/${lupineName}.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/gitea-runner.nix
];
sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
matchConfig.Name = "enp0s31f6";
address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ];
networkConfig.LLDP = false;
};
systemd.network.wait-online = {
anyInterface = true;
};
# There are no smart devices
services.smartd.enable = false;
# Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.05";
}

View File

@@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/81D6-38D3";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View File

@@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/4A34-6AE5";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View File

@@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/63FA-297B";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View File

@@ -5,20 +5,30 @@
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View File

@@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/F372-37DF";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View File

@@ -0,0 +1,45 @@
{ config, lupineName, ... }:
{
# This is unfortunately state, and has to be generated one at a time :(
# To do that, comment out all except one of the runners, fill in its token
# inside the sops file, rebuild the system, and only after this runner has
# successfully registered will gitea give you the next token.
# - oysteikt Sep 2023
sops = {
secrets."gitea/runners/token" = {
key = "gitea/runners/${lupineName}";
};
templates."gitea-runner-envfile" = {
restartUnits = [
"gitea-runner-${lupineName}.service"
];
content = ''
TOKEN="${config.sops.placeholder."gitea/runners/token"}"
'';
};
};
services.gitea-actions-runner.instances = {
${lupineName} = {
enable = true;
name = "git-runner-${lupineName}";
url = "https://git.pvv.ntnu.no";
labels = [
"debian-latest:docker://node:current-bookworm"
"ubuntu-latest:docker://node:current-bookworm"
];
tokenFile = config.sops.templates."gitea-runner-envfile".path;
};
};
virtualisation.podman = {
enable = true;
defaultNetwork.settings.dns_enabled = true;
autoPrune.enable = true;
};
networking.dhcpcd.IPv6rs = false;
networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
}

View File

@@ -0,0 +1,39 @@
{ config, fp, pkgs, values, lib, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
(fp /misc/builder.nix)
];
sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "wenche"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
hardware.graphics.enable = true;
services.xserver.videoDrivers = [ "nvidia" ];
hardware.nvidia = {
modesetting.enable = true;
open = false;
package = config.boot.kernelPackages.nvidiaPackages.production;
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
system.stateVersion = "24.11"; # Did you read the comment?
}

View File

@@ -0,0 +1,27 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "nvidia" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4e8ecdd2-d453-4fff-b952-f06da00f3b85";
fsType = "ext4";
};
swapDevices = [ {
device = "/var/lib/swapfile";
size = 16*1024;
} ];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

View File

@@ -1,25 +1,56 @@
set positional-arguments # makes variables accesible as $1 $2 $@
export GUM_FILTER_HEIGHT := "15"
nom := `if command -v nom >/dev/null; then echo nom; else echo nix; fi`
nom := `if [[ -t 1 ]] && command -v nom >/dev/null; then echo nom; else echo nix; fi`
nix_eval_opts := "--log-format raw --option warn-dirty false"
@_default:
just "$(gum choose --ordered --header "Pick a recipie..." $(just --summary --unsorted))"
check:
nix flake check --keep-going
check *_:
nix flake check --keep-going "$@"
build-machine machine=`just _a_machine`:
{{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel
build-machine machine=`just _a_machine` *_:
{{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel "${@:2}"
run-vm machine=`just _a_machine`:
nixos-rebuild build-vm --flake .#{{ machine }}
run-vm machine=`just _a_machine` *_:
nixos-rebuild build-vm --flake .#{{ machine }} "${@:2}"
QEMU_NET_OPTS="hostfwd=tcp::8080-:80,hostfwd=tcp::8081-:443,hostfwd=tcp::2222-:22" ./result/bin/run-*-vm
@update-inputs:
nix eval .#inputs --apply builtins.attrNames --json \
| jq '.[]' -r \
| gum choose --no-limit --height=15 \
| xargs -L 1 nix flake lock --update-input
@update-inputs *_:
@git reset flake.lock
@git restore flake.lock
nix eval {{nix_eval_opts}} --file flake.nix --apply 'x: builtins.attrNames x.inputs' --json \
| { printf "%s\n" --commit-lock-file; jq '.[]' -r | grep -vxF "self" ||:; } \
| gum choose --no-limit --header "Choose extra arguments:" \
| tee >(xargs -d'\n' echo + nix flake update "$@" >&2) \
| xargs -d'\n' nix flake update "$@"
@repl $machine=`just _a_machine` *_:
set -v; nixos-rebuild --flake .#"$machine" repl "${@:2}"
@eval $machine=`just _a_machine` $attrpath="system.build.toplevel.outPath" *_:
set -v; nix eval {{nix_eval_opts}} ".#nixosConfigurations.\"$machine\".config.$attrpath" --show-trace "${@:3}"
@eval-vm $machine=`just _a_machine` $attrpath="system.build.toplevel.outPath" *_:
just eval "$machine" "virtualisation.vmVariant.$attrpath" "${@:3}"
# helpers
[no-exit-message]
_a_machine:
nix eval .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r | gum filter
#!/usr/bin/env -S sh -euo pipefail
machines="$(
nix eval {{nix_eval_opts}} .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r
)"
[ -n "$machines" ] || { echo >&2 "ERROR: no machines found"; false; }
if [ -s .direnv/vars/last-machine.txt ]; then
machines="$(
grep <<<"$machines" -xF "$(cat .direnv/vars/last-machine.txt)" ||:
grep <<<"$machines" -xFv "$(cat .direnv/vars/last-machine.txt)" ||:
)"
fi
choice="$(gum filter <<<"$machines")"
mkdir -p .direnv/vars
cat <<<"$choice" >.direnv/vars/last-machine.txt
cat <<<"$choice"

View File

@@ -8,34 +8,58 @@ FgIDAQACHgECF4AACgkQRrkijoFKKqxIlQD9F0EedrFpHAVuaVas9ZWRZb4xv3zM
N3g0IDxoN3g0QG5hbmkud3RmPoiTBBMWCgA7AhsBBQsJCAcDBRUKCQgLBRYCAwEA
Ah4BAheAFiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmL7l8ACGQEACgkQRrkijoFK
KqxI4wD9EIGpb3Gt5s5e8waH7XaLSlquOrW1RID3sSuzWI4DvikBAMncfBbtkpzH
EYU2Ufm8VxzgJDnyeB+lcdeSJXWaIwYLtCZoN3g0IChhbHRlcm5hdGl2ZSkgPGg3
eDQuYWx0QG5hbmkud3RmPoiQBBMWCgA4FiEE99N4kCKKkHRA4f1IRrkijoFKKqwF
AmL7j0oCGwEFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQRrkijoFKKqytywD+
IdHIxbjRcDEJYOqFX1r4wrymTvnjz/kp0zUSrymwMUoBAP8huPK/YpujNF6/cwwB
3A5WwpWjjV+F/uq2ejqFOocNuDMEYuaGRxYJKwYBBAHaRw8BAQdAsmc0GTQIszpk
jDYwgSt6zI81P2+k9WvBg6IEISnyuVWI9QQYFgoAJhYhBPfTeJAiipB0QOH9SEa5
Io6BSiqsBQJi5oZHAhsCBQkDwmcAAIEJEEa5Io6BSiqsdiAEGRYKAB0WIQTzzahs
xVqfENegaYGfL32CUPNRRgUCYuaGRwAKCRCfL32CUPNRRhWYAQCzfkYeJt9t02jO
c3SXwk1e1dGj9ydEXSprSr8/2PWu7gD+KD/FJWzPbnMhtudoGfCIzNFaazcz/QqT
ZeBs6Q+AkQ7ueQD/ZqQMkaCrd8o2L02h89U6bFxy86nyTurGAUVx92F8jUwBAKa7
Zp/0vR5bR4o57C7NTxB5kbmteF0AXS9R7sxSA/AEuQINBGLmhnoBEADa1yBK0NKx
VIto3hSh21hooYpWcEXWqMPXHO34rcAhktVFOOHIl2bFGScQAZXtjAcqUmMyC+PM
s1DZoocFk+9PJt17hAa/s6CRrw8vK+1fVqhj0XOLtevGV9iC6IRvhPxzTsOaeOss
gMGIU8xDmMKT2nGHGNUkqOXGld63E3NKsK3lnl+BCdpJ0f3GEB7aSQ+pk6k1uzOD
XX/mhAUJmL1MkVZ6jJA3vhsre0Kfa9p+C5mP4hLJ6jF+oESvA4HC+LuCSGm66gID
MC39jnLo6hwYEEjfPXD7CUAN4S2eISSFd+ZclN2vYcrKYgsCZS0hBFOgDhKKCHBu
MwP12AIM8y8L64/eOWFpR7s2StAPjjYbZeZECHLWZt1zGVvkS7Xp6lsAg6/T8Eys
KG7vTl2Qq9W0BmzNgk2ODTZkhv0gqqXppdr8eRiq+h0qMfJptG0GycOvqb9PoEO2
dfNCjjII8VfaSGfSEYo8UwsqYTtfgdoNnFCXKd1r7QmvrdbNsFDRmkv+wWJoipwU
aVquyb2KN652jSlpwMECW6fSEsT/5C3mJLgAmi6l6yosw6HdIY6jgpCGtxnHW2zR
eIS6ezZdtxYBCkEHK70yASyaIHrLLDknw+DuKvXAWOAecob8GNBHOjXZe3LzBt2r
VgOCRa+W7milNgjUCsz+R3rM8XfR+wNEGwARAQABiH4EGBYKACYWIQT303iQIoqQ
dEDh/UhGuSKOgUoqrAUCYuaGegIbDAUJA8JnAAAKCRBGuSKOgUoqrDE0AQDBxRsm
W9L60mxGCp1CpNWBXD2T6D605PlNiNCcM+cOCgD/c2OitSSG50M0YRbyh1LPYL6Y
QePL0dQkYsjm6XVmrAK4MwRi5obFFgkrBgEEAdpHDwEBB0BYP2r4I9LGW8ai+fLW
RKXGonni9TljqFVN5mV/yuxlPoh+BBgWCgAmFiEE99N4kCKKkHRA4f1IRrkijoFK
KqwFAmLmhsUCGyAFCQPCZwAACgkQRrkijoFKKqzeYwD/emjtDBD0EiCnS2mvfopa
T6foJSfXbiCe83UdFNebTjQBANFqnkXPCYb9dFIyM/0N1JXH7yj81VuslSqPi4NR
SNkE
=oTMO
EYU2Ufm8VxzgJDnyeB+lcdeSJXWaIwYLiJAEExYKADgWIQT303iQIoqQdEDh/UhG
uSKOgUoqrAUCYuaF5AIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBGuSKO
gUoqrKWiAQC1yFpodz5PGsZbFgihEA0UQ5jcoXBojoAlVRgmkwm41gEA782rsvyl
87ExoluDD3eV/Z5ILp7Ex6JeaE3JUix8Sgi0Jmg3eDQgKGFsdGVybmF0aXZlKSA8
aDd4NC5hbHRAbmFuaS53dGY+iJAEExYKADgWIQT303iQIoqQdEDh/UhGuSKOgUoq
rAUCYvuPSgIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBGuSKOgUoqrK3L
AP4h0cjFuNFwMQlg6oVfWvjCvKZO+ePP+SnTNRKvKbAxSgEA/yG48r9im6M0Xr9z
DAHcDlbClaONX4X+6rZ6OoU6hw24MwRi5oZHFgkrBgEEAdpHDwEBB0CyZzQZNAiz
OmSMNjCBK3rMjzU/b6T1a8GDogQhKfK5VYj1BBgWCgAmFiEE99N4kCKKkHRA4f1I
RrkijoFKKqwFAmLmhkcCGwIFCQPCZwAAgQkQRrkijoFKKqx2IAQZFgoAHRYhBPPN
qGzFWp8Q16BpgZ8vfYJQ81FGBQJi5oZHAAoJEJ8vfYJQ81FGFZgBALN+Rh4m323T
aM5zdJfCTV7V0aP3J0RdKmtKvz/Y9a7uAP4oP8UlbM9ucyG252gZ8IjM0VprNzP9
CpNl4GzpD4CRDu55AP9mpAyRoKt3yjYvTaHz1TpsXHLzqfJO6sYBRXH3YXyNTAEA
prtmn/S9HltHijnsLs1PEHmRua14XQBdL1HuzFID8ASI9QQYFgoAJgIbAhYhBPfT
eJAiipB0QOH9SEa5Io6BSiqsBQJmqp4CBQkFpUs7AIF2IAQZFgoAHRYhBPPNqGzF
Wp8Q16BpgZ8vfYJQ81FGBQJi5oZHAAoJEJ8vfYJQ81FGFZgBALN+Rh4m323TaM5z
dJfCTV7V0aP3J0RdKmtKvz/Y9a7uAP4oP8UlbM9ucyG252gZ8IjM0VprNzP9CpNl
4GzpD4CRDgkQRrkijoFKKqwYoQEAz0D3G/dD6DBYBf7p6pGYqXd2X0Dv8nmnalol
Z6SxfUMA/jT/XjPh7c4Ui8nZO7XDzYWrbV/eZwGMd1zXq2mU42MLiPUEGBYKACYC
GwIWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCaI6lzgUJCWqGhwCBdiAEGRYKAB0W
IQTzzahsxVqfENegaYGfL32CUPNRRgUCYuaGRwAKCRCfL32CUPNRRhWYAQCzfkYe
Jt9t02jOc3SXwk1e1dGj9ydEXSprSr8/2PWu7gD+KD/FJWzPbnMhtudoGfCIzNFa
azcz/QqTZeBs6Q+AkQ4JEEa5Io6BSiqsCG0BALDNFlploZWjQ0Xn3B9fd+1sTUmY
+e0s95lEY7XqVkF2AQCkKzMd2mHsymyVtY32bSsZ0iJxHTmxomS0uQ/TGIugB7kC
DQRi5oZ6ARAA2tcgStDSsVSLaN4UodtYaKGKVnBF1qjD1xzt+K3AIZLVRTjhyJdm
xRknEAGV7YwHKlJjMgvjzLNQ2aKHBZPvTybde4QGv7Ogka8PLyvtX1aoY9Fzi7Xr
xlfYguiEb4T8c07DmnjrLIDBiFPMQ5jCk9pxhxjVJKjlxpXetxNzSrCt5Z5fgQna
SdH9xhAe2kkPqZOpNbszg11/5oQFCZi9TJFWeoyQN74bK3tCn2vafguZj+ISyeox
fqBErwOBwvi7gkhpuuoCAzAt/Y5y6OocGBBI3z1w+wlADeEtniEkhXfmXJTdr2HK
ymILAmUtIQRToA4SighwbjMD9dgCDPMvC+uP3jlhaUe7NkrQD442G2XmRAhy1mbd
cxlb5Eu16epbAIOv0/BMrChu705dkKvVtAZszYJNjg02ZIb9IKql6aXa/HkYqvod
KjHyabRtBsnDr6m/T6BDtnXzQo4yCPFX2khn0hGKPFMLKmE7X4HaDZxQlynda+0J
r63WzbBQ0ZpL/sFiaIqcFGlarsm9ijeudo0pacDBAlun0hLE/+Qt5iS4AJoupesq
LMOh3SGOo4KQhrcZx1ts0XiEuns2XbcWAQpBByu9MgEsmiB6yyw5J8Pg7ir1wFjg
HnKG/BjQRzo12Xty8wbdq1YDgkWvlu5opTYI1ArM/kd6zPF30fsDRBsAEQEAAYh+
BBgWCgAmFiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmLmhnoCGwwFCQPCZwAACgkQ
RrkijoFKKqwxNAEAwcUbJlvS+tJsRgqdQqTVgVw9k+g+tOT5TYjQnDPnDgoA/3Nj
orUkhudDNGEW8odSz2C+mEHjy9HUJGLI5ul1ZqwCiH4EGBYKACYCGwwWIQT303iQ
IoqQdEDh/UhGuSKOgUoqrAUCZqqeBQUJBaVLCAAKCRBGuSKOgUoqrMnbAP4oQbpa
Uki4OAfaSbH36qYTIbe8k9w58+e4nsVBII94wQEA3nSPoMKWZTI1eiHR/xKc9uOI
/Nk2tOHKpEjs9mOtywaIfgQYFgoAJgIbDBYhBPfTeJAiipB0QOH9SEa5Io6BSiqs
BQJojqXOBQkJaoZUAAoJEEa5Io6BSiqsiXkBAJ0JTRmdQQpEK9KSh8V7FEkblIsm
Ngko2cs+OhNSUgW9AQD0a7FHM3Dx32a7yD0zE3QwWi5VgeZZVIPyhItrOaANDbgz
BGLmhsUWCSsGAQQB2kcPAQEHQFg/avgj0sZbxqL58tZEpcaieeL1OWOoVU3mZX/K
7GU+iH4EGBYKACYWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCYuaGxQIbIAUJA8Jn
AAAKCRBGuSKOgUoqrN5jAP96aO0MEPQSIKdLaa9+ilpPp+glJ9duIJ7zdR0U15tO
NAEA0WqeRc8Jhv10UjIz/Q3UlcfvKPzVW6yVKo+Lg1FI2QSIfgQYFgoAJgIbIBYh
BPfTeJAiipB0QOH9SEa5Io6BSiqsBQJmqp4GBQkFpUq9AAoJEEa5Io6BSiqsjF0B
AJn0EBEJfszskYiZzMshFHW5k0QUF+Ak3JNh2UG+M6FJAQCQVY/lDkrvOytuFnKb
kDrCaTrtLh/JAmBXpSERIejmD4h+BBgWCgAmAhsgFiEE99N4kCKKkHRA4f1IRrki
joFKKqwFAmiOpc4FCQlqhgkACgkQRrkijoFKKqwSMAD/bbO/uwwdFEJVgcNRexZU
6aoSxAGI1vjS92hSyfxZ9AABAK8KYO8sBGGCiVu+vWUpoUYmp3lfYTJHtf+36WMc
D5MD
=Gubf
-----END PGP PUBLIC KEY BLOCK-----

View File

@@ -2,4 +2,10 @@
{
nix.settings.trusted-users = [ "@nix-builder-users" ];
nix.daemonCPUSchedPolicy = "batch";
boot.binfmt.emulatedSystems = [
"aarch64-linux"
"armv7l-linux"
];
}

310
modules/gickup/default.nix Normal file
View File

@@ -0,0 +1,310 @@
{ config, pkgs, lib, utils, ... }:
let
cfg = config.services.gickup;
format = pkgs.formats.yaml { };
in
{
imports = [
./set-description.nix
./hardlink-files.nix
./import-from-toml.nix
./update-linktree.nix
];
options.services.gickup = {
enable = lib.mkEnableOption "gickup, a git repository mirroring service";
package = lib.mkPackageOption pkgs "gickup" { };
gitPackage = lib.mkPackageOption pkgs "git" { };
gitLfsPackage = lib.mkPackageOption pkgs "git-lfs" { };
dataDir = lib.mkOption {
type = lib.types.path;
description = "The directory to mirror repositories to.";
default = "/var/lib/gickup";
example = "/data/gickup";
};
destinationSettings = lib.mkOption {
description = ''
Settings for destination local, see gickup configuration file
Note that `path` will be set automatically to `/var/lib/gickup`
'';
type = lib.types.submodule {
freeformType = format.type;
};
default = { };
example = {
structured = true;
zip = false;
keep = 10;
bare = true;
lfs = true;
};
};
instances = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule (submoduleInputs@{ name, ... }: let
submoduleName = name;
nameParts = rec {
repoType = builtins.head (lib.splitString ":" submoduleName);
owner = if repoType == "any"
then null
else lib.pipe submoduleName [
(lib.removePrefix "${repoType}:")
(lib.splitString "/")
builtins.head
];
repo = if repoType == "any"
then null
else lib.pipe submoduleName [
(lib.removePrefix "${repoType}:")
(lib.splitString "/")
lib.last
];
slug = if repoType == "any"
then lib.toLower (builtins.replaceStrings [ ":" "/" ] [ "-" "-" ] submoduleName)
else "${lib.toLower repoType}-${lib.toLower owner}-${lib.toLower repo}";
};
in {
options = {
interval = lib.mkOption {
type = lib.types.str;
default = "daily";
example = "weekly";
description = ''
Specification (in the format described by {manpage}`systemd.time(7)`) of the time
interval at which to run the service.
'';
};
type = lib.mkOption {
type = lib.types.enum [
"github"
"gitlab"
"gitea"
"gogs"
"bitbucket"
"onedev"
"sourcehut"
"any"
];
example = "github";
default = nameParts.repoType;
description = ''
The type of the repository to mirror.
'';
};
owner = lib.mkOption {
type = with lib.types; nullOr str;
example = "go-gitea";
default = nameParts.owner;
description = ''
The owner of the repository to mirror (if applicable)
'';
};
repo = lib.mkOption {
type = with lib.types; nullOr str;
example = "gitea";
default = nameParts.repo;
description = ''
The name of the repository to mirror (if applicable)
'';
};
slug = lib.mkOption {
type = lib.types.str;
default = nameParts.slug;
example = "github-go-gitea-gitea";
description = ''
The slug of the repository to mirror.
'';
};
description = lib.mkOption {
type = with lib.types; nullOr str;
example = "A project which does this and that";
description = ''
A description of the project. This isn't used directly by gickup for anything,
but can be useful if gickup is used together with cgit or similar.
'';
};
settings = lib.mkOption {
description = "Instance specific settings, see gickup configuration file";
type = lib.types.submodule {
freeformType = format.type;
};
default = { };
example = {
username = "gickup";
password = "hunter2";
wiki = true;
issues = true;
};
};
};
}));
};
};
config = lib.mkIf cfg.enable {
users.users.gickup = {
isSystemUser = true;
group = "gickup";
home = "/var/lib/gickup";
};
users.groups.gickup = { };
services.gickup.destinationSettings.path = "/var/lib/gickup/raw";
systemd.tmpfiles.settings."10-gickup" = lib.mkIf (cfg.dataDir != "/var/lib/gickup") {
${cfg.dataDir}.d = {
user = "gickup";
group = "gickup";
mode = "0755";
};
};
systemd.slices."system-gickup" = {
description = "Gickup git repository mirroring service";
after = [ "network.target" ];
};
systemd.targets.gickup = {
description = "Gickup git repository mirroring service";
wants = map ({ slug, ... }: "gickup@${slug}.service") (lib.attrValues cfg.instances);
};
systemd.timers = {
"gickup@" = {
description = "Gickup git repository mirroring service for %i";
timerConfig = {
OnCalendar = "daily";
RandomizedDelaySec = "1h";
Persistent = true;
AccuracySec = "1s";
};
};
}
//
# Overrides for mirrors which are not "daily"
(lib.pipe cfg.instances [
builtins.attrValues
(builtins.filter (instance: instance.interval != "daily"))
(map ({ slug, interval, ... }: {
name = "gickup@${slug}";
value = {
overrideStrategy = "asDropin";
timerConfig.OnCalendar = interval;
};
}))
builtins.listToAttrs
]);
systemd.targets.timers.wants = map ({ slug, ... }: "gickup@${slug}.timer") (lib.attrValues cfg.instances);
systemd.services = {
"gickup@" = let
configDir = lib.pipe cfg.instances [
(lib.mapAttrsToList (name: instance: {
name = "${instance.slug}.yml";
path = format.generate "gickup-configuration-${name}.yml" {
destination.local = [ cfg.destinationSettings ];
source.${instance.type} = [
(
(lib.optionalAttrs (instance.type != "any") {
user = instance.owner;
includeorgs = [ instance.owner ];
include = [ instance.repo ];
})
//
instance.settings
)
];
};
}))
(pkgs.linkFarm "gickup-configuration-files")
];
in {
description = "Gickup git repository mirroring service for %i";
after = [ "network.target" ];
path = [
cfg.gitPackage
cfg.gitLfsPackage
];
restartIfChanged = false;
serviceConfig = {
Type = "oneshot";
ExecStart = "'${pkgs.gickup}/bin/gickup' '${configDir}/%i.yml'";
ExecStartPost = "";
User = "gickup";
Group = "gickup";
BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
"${cfg.dataDir}:/var/lib/gickup"
];
Slice = "system-gickup.slice";
SyslogIdentifier = "gickup-%i";
StateDirectory = "gickup";
# WorkingDirectory = "gickup";
# RuntimeDirectory = "gickup";
# RuntimeDirectoryMode = "0700";
# https://discourse.nixos.org/t/how-to-prevent-custom-systemd-service-from-restarting-on-nixos-rebuild-switch/43431
RemainAfterExit = true;
# Hardening options
AmbientCapabilities = [];
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
# ProtectProc = "invisible";
# ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
# SystemCallFilter = [
# "@system-service"
# "~@resources"
# "~@privileged"
# ];
UMask = "0002";
CapabilityBoundingSet = [];
};
};
};
};
}

View File

@@ -0,0 +1,42 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.gickup;
in
{
config = lib.mkIf cfg.enable {
# TODO: add a service that will look at the backed up files and hardlink
# the ones that have a matching hash together to save space. This can
# either run routinely (i.e. trigger by systemd-timer), or be activated
# whenever a gickup@<slug>.service finishes. The latter is probably better.
# systemd.services."gickup-hardlink" = {
# serviceConfig = {
# Type = "oneshot";
# ExecStart = let
# script = pkgs.writeShellApplication {
# name = "gickup-hardlink-files.sh";
# runtimeInputs = [ pkgs.coreutils pkgs.jdupes ];
# text = ''
# '';
# };
# in lib.getExe script;
# User = "gickup";
# Group = "gickup";
# BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
# "${cfg.dataDir}:/var/lib/gickup"
# ];
# Slice = "system-gickup.slice";
# StateDirectory = "gickup";
# # Hardening options
# # TODO:
# PrivateNetwork = true;
# };
# };
};
}

View File

@@ -0,0 +1,11 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.gickup;
in
{
config = lib.mkIf cfg.enable {
# TODO: import cfg.instances from a toml file to make it easier for non-nix users
# to add repositories to mirror
};
}

View File

@@ -0,0 +1,9 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.gickup;
in
{
config = lib.mkIf cfg.enable {
# TODO: create .git/description files for each repo where cfg.instances.<instance>.description is set
};
}

View File

@@ -0,0 +1,84 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.gickup;
in
{
config = lib.mkIf cfg.enable {
# TODO: run upon completion of cloning a repository
systemd.timers."gickup-linktree" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
Unit = "gickup-linktree.service";
};
};
# TODO: update symlink for one repo at a time (e.g. gickup-linktree@<instance>.service)
systemd.services."gickup-linktree" = {
serviceConfig = {
Type = "oneshot";
ExecStart = let
script = pkgs.writeShellApplication {
name = "gickup-update-symlink-tree.sh";
runtimeInputs = [
pkgs.coreutils
pkgs.findutils
];
text = ''
shopt -s nullglob
for repository in ./*/*/*; do
REPOSITORY_RELATIVE_DIRS=''${repository#"./"}
echo "Checking $REPOSITORY_RELATIVE_DIRS"
declare -a REVISIONS
readarray -t REVISIONS < <(find "$repository" -mindepth 1 -maxdepth 1 -printf "%f\n" | sort --numeric-sort --reverse)
if [[ "''${#REVISIONS[@]}" == 0 ]]; then
echo "Found no revisions for $repository, continuing"
continue
fi
LAST_REVISION="''${REVISIONS[0]}"
SYMLINK_PATH="../linktree/''${REPOSITORY_RELATIVE_DIRS}"
mkdir -p "$(dirname "$SYMLINK_PATH")"
EXPECTED_SYMLINK_TARGET=$(realpath "''${repository}/''${LAST_REVISION}")
EXISTING_SYMLINK_TARGET=$(realpath "$SYMLINK_PATH" || echo "<none>")
if [[ "$EXISTING_SYMLINK_TARGET" != "$EXPECTED_SYMLINK_TARGET" ]]; then
echo "Updating symlink for $REPOSITORY_RELATIVE_DIRS"
rm "$SYMLINK_PATH" ||:
ln -rs "$EXPECTED_SYMLINK_TARGET" "$SYMLINK_PATH"
else
echo "Symlink already up to date, continuing..."
fi
echo "---"
done
'';
};
in lib.getExe script;
User = "gickup";
Group = "gickup";
BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
"${cfg.dataDir}:/var/lib/gickup"
];
Slice = "system-gickup.slice";
StateDirectory = "gickup";
WorkingDirectory = "/var/lib/gickup/raw";
# Hardening options
# TODO:
PrivateNetwork = true;
};
};
};
}

View File

@@ -1,4 +1,4 @@
{config, lib, pkgs, ...}:
{ config, lib, pkgs, unstablePkgs, ... }:
let
grg = config.services.greg-ng;
grgw = config.services.grzegorz-webui;
@@ -11,6 +11,13 @@ in {
settings.port = 31337;
enableSway = true;
enablePipewire = true;
mpvPackage = unstablePkgs.mpv;
};
systemd.user.services.restart-greg-ng = {
script = "systemctl --user restart greg-ng.service";
startAt = "*-*-* 06:30:00";
};
services.grzegorz-webui = {
@@ -41,6 +48,15 @@ in {
allow 2001:700:300:1900::/64;
deny all;
'';
locations."/docs" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
};
locations."/api" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
proxyWebsockets = true;
};
};
"${machine}-backend.pvv.ntnu.no" = {

211
modules/matrix-ooye.nix Normal file
View File

@@ -0,0 +1,211 @@
# Original from: https://cgit.rory.gay/nix/OOYE-module.git/
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.matrix-ooye;
mkStringOption =
name: default:
lib.mkOption {
type = lib.types.str;
default = default;
};
in
{
options = {
services.matrix-ooye = {
enable = lib.mkEnableOption "Enable OOYE service";
package = lib.mkOption {
type = lib.types.package;
default = pkgs.out-of-your-element;
};
appserviceId = mkStringOption "The ID of the appservice." "ooye";
homeserver = mkStringOption "The homeserver to connect to." "http://localhost:8006";
homeserverName = mkStringOption "The name of the homeserver to connect to." "localhost";
namespace = mkStringOption "The prefix to use for the MXIDs/aliases of bridged users/rooms. Should end with a _!" "_ooye_";
discordTokenPath = mkStringOption "The path to the discord token file." "/etc/ooye-discord-token";
discordClientSecretPath = mkStringOption "The path to the discord token file." "/etc/ooye-discord-client-secret";
socket = mkStringOption "The socket to listen on, can either be a port number or a unix socket path." "6693";
bridgeOrigin = mkStringOption "The web frontend URL for the bridge, defaults to http://localhost:{socket}" "";
enableSynapseIntegration = lib.mkEnableOption "Enable Synapse integration";
};
};
config = lib.mkIf cfg.enable (
let
baseConfig = pkgs.writeText "matrix-ooye-config.json" (
builtins.toJSON {
id = cfg.appserviceId;
namespaces = {
users = [
{
exclusive = true;
regex = "@${cfg.namespace}.*:${cfg.homeserverName}";
}
];
aliases = [
{
exclusive = true;
regex = "#${cfg.namespace}.*:${cfg.homeserverName}";
}
];
};
protocols = [ "discord" ];
sender_localpart = "${cfg.namespace}bot";
rate_limited = false;
socket = cfg.socket; # Can either be a TCP port or a unix socket path
url = if (lib.hasPrefix "/" cfg.socket) then "unix:${cfg.socket}" else "http://localhost:${cfg.socket}";
ooye = {
server_name = cfg.homeserverName;
namespace_prefix = cfg.namespace;
max_file_size = 5000000;
content_length_workaround = false;
include_user_id_in_mxid = true;
server_origin = cfg.homeserver;
bridge_origin = if (cfg.bridgeOrigin == "") then "http://localhost:${cfg.socket}" else cfg.bridgeOrigin;
};
}
);
script = pkgs.writeScript "matrix-ooye-pre-start.sh" ''
#!${lib.getExe pkgs.bash}
REGISTRATION_FILE=registration.yaml
id
echo "Before if statement"
stat ''${REGISTRATION_FILE}
if [[ ! -f ''${REGISTRATION_FILE} ]]; then
echo "No registration file found at '$REGISTRATION_FILE'"
cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
fi
echo "After if statement"
stat ''${REGISTRATION_FILE}
AS_TOKEN=$(${lib.getExe pkgs.jq} -r .as_token ''${REGISTRATION_FILE})
HS_TOKEN=$(${lib.getExe pkgs.jq} -r .hs_token ''${REGISTRATION_FILE})
DISCORD_TOKEN=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)
DISCORD_CLIENT_SECRET=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)
# Check if we have all required tokens
if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then
AS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
echo "Generated new AS token: ''${AS_TOKEN}"
fi
if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then
HS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
echo "Generated new HS token: ''${HS_TOKEN}"
fi
if [[ -z "$DISCORD_TOKEN" ]]; then
echo "No Discord token found at '${cfg.discordTokenPath}'"
echo "You can find this on the 'Bot' tab of your Discord application."
exit 1
fi
if [[ -z "$DISCORD_CLIENT_SECRET" ]]; then
echo "No Discord client secret found at '${cfg.discordTokenPath}'"
echo "You can find this on the 'OAuth2' tab of your Discord application."
exit 1
fi
shred -u ''${REGISTRATION_FILE}
cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp
shred -u ''${REGISTRATION_FILE}
mv ''${REGISTRATION_FILE}.tmp ''${REGISTRATION_FILE}
'';
in
{
warnings =
lib.optionals ((builtins.substring (lib.stringLength cfg.namespace - 1) 1 cfg.namespace) != "_") [
"OOYE namespace does not end with an underscore! This is recommended to have better ID formatting. Provided: '${cfg.namespace}'"
]
++ lib.optionals ((builtins.substring 0 1 cfg.namespace) != "_") [
"OOYE namespace does not start with an underscore! This is recommended to avoid conflicts with registered users. Provided: '${cfg.namespace}'"
];
environment.systemPackages = [ cfg.package ];
systemd.services."matrix-ooye-pre-start" = {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = script;
WorkingDirectory = "/var/lib/matrix-ooye";
StateDirectory = "matrix-ooye";
DynamicUser = true;
RemainAfterExit = true;
Type = "oneshot";
LoadCredential = [
"discord_token:${cfg.discordTokenPath}"
"discord_client_secret:${cfg.discordClientSecretPath}"
];
};
};
systemd.services."matrix-ooye" = {
enable = true;
description = "Out of Your Element - a Discord bridge for Matrix.";
wants = [
"network-online.target"
"matrix-synapse.service"
"conduit.service"
"dendrite.service"
];
after = [
"matrix-ooye-pre-start.service"
"network-online.target"
];
requires = [ "matrix-ooye-pre-start.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = lib.getExe config.services.matrix-ooye.package;
WorkingDirectory = "/var/lib/matrix-ooye";
StateDirectory = "matrix-ooye";
#ProtectSystem = "strict";
#ProtectHome = true;
#PrivateTmp = true;
#NoNewPrivileges = true;
#PrivateDevices = true;
Restart = "on-failure";
DynamicUser = true;
};
};
systemd.services."matrix-synapse" = lib.mkIf cfg.enableSynapseIntegration {
after = [
"matrix-ooye-pre-start.service"
"network-online.target"
];
requires = [ "matrix-ooye-pre-start.service" ];
serviceConfig = {
LoadCredential = [
"matrix-ooye-registration:/var/lib/matrix-ooye/registration.yaml"
];
ExecStartPre = [
"+${pkgs.coreutils}/bin/cp /run/credentials/matrix-synapse.service/matrix-ooye-registration ${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
"+${pkgs.coreutils}/bin/chown matrix-synapse:matrix-synapse ${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
];
};
};
services.matrix-synapse.settings.app_service_config_files = lib.mkIf cfg.enableSynapseIntegration [
"${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
];
}
);
}

116
modules/robots-txt.nix Normal file
View File

@@ -0,0 +1,116 @@
{ config, pkgs, lib, ... }:
let
cfg = config.environment.robots-txt;
robots-txt-format = {
type = let
coercedStrToNonEmptyListOfStr = lib.types.coercedTo lib.types.str lib.singleton (lib.types.nonEmptyListOf lib.types.str);
in lib.types.listOf (lib.types.submodule {
freeformType = lib.types.attrsOf coercedStrToNonEmptyListOfStr;
options = {
pre_comment = lib.mkOption {
description = "Comment to add before the rule";
type = lib.types.lines;
default = "";
};
post_comment = lib.mkOption {
description = "Comment to add after the rule";
type = lib.types.lines;
default = "";
};
};
});
generate = name: value: let
makeComment = comment: lib.pipe comment [
(lib.splitString "\n")
(lib.map (line: if line == "" then "#" else "# ${line}"))
(lib.concatStringsSep "\n")
];
ruleToString = rule: let
user_agent = rule.User-agent or [];
pre_comment = rule.pre_comment;
post_comment = rule.post_comment;
rest = builtins.removeAttrs rule [ "User-agent" "pre_comment" "post_comment" ];
in lib.concatStringsSep "\n" (lib.filter (x: x != null) [
(if (pre_comment != "") then makeComment pre_comment else null)
(let
user-agents = lib.concatMapStringsSep "\n" (value: "User-agent: ${value}") user_agent;
in
if user_agent == [] then null else user-agents
)
(lib.pipe rest [
(lib.mapAttrsToList (ruleName: map (value: "${ruleName}: ${value}")))
lib.concatLists
(lib.concatStringsSep "\n")
])
(if (post_comment != "") then makeComment post_comment else null)
]);
content = lib.concatMapStringsSep "\n\n" ruleToString value;
in pkgs.writeText name content;
};
in
{
options.environment.robots-txt = lib.mkOption {
default = { };
description = ''
Different instances of robots.txt to use with web services.
'';
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
enable = lib.mkEnableOption "this instance of robots.txt" // {
default = true;
};
path = lib.mkOption {
description = "The resulting path of the dir containing the robots.txt file";
type = lib.types.path;
readOnly = true;
default = "/etc/robots-txt/${name}";
};
rules = lib.mkOption {
description = "Rules to include in robots.txt";
default = [ ];
example = [
{ User-agent = "Googlebot"; Disallow = "/no-googlebot"; }
{ User-agent = "Bingbot"; Disallow = [ "/no-bingbot" "/no-bingbot2" ]; }
];
type = robots-txt-format.type;
};
virtualHost = lib.mkOption {
description = "An nginx virtual host to add the robots.txt to";
type = lib.types.nullOr lib.types.str;
default = null;
};
};
}));
};
config = {
environment.etc = lib.mapAttrs' (name: value: {
name = "robots-txt/${name}/robots.txt";
value.source = robots-txt-format.generate name value.rules;
}) cfg;
services.nginx.virtualHosts = lib.pipe cfg [
(lib.filterAttrs (_: value: value.virtualHost != null))
(lib.mapAttrs' (name: value: {
name = value.virtualHost;
value = {
locations = {
"= /robots.txt" = {
extraConfig = ''
add_header Content-Type text/plain;
'';
root = cfg.${name}.path;
};
};
};
}))
];
};
}

21
packages/cgit.nix Normal file
View File

@@ -0,0 +1,21 @@
{ cgit, fetchurl, ... }:
let
pname = cgit.pname;
commit = "09d24d7cd0b7e85633f2f43808b12871bb209d69";
in
cgit.overrideAttrs (_: {
version = "1.2.3-unstable-2024.07.16";
src = fetchurl {
url = "https://git.zx2c4.com/cgit/snapshot/${pname}-${commit}.tar.xz";
hash = "sha256-gfgjAXnWRqVCP+4cmYOVdB/3OFOLJl2WBOc3bFVDsjw=";
};
# cgit is tightly coupled with git and needs a git source tree to build.
# IMPORTANT: Remember to check which git version cgit needs on every version
# bump (look for "GIT_VER" in the top-level Makefile).
gitSrc = fetchurl {
url = "mirror://kernel/software/scm/git/git-2.46.0.tar.xz";
hash = "sha256-fxI0YqKLfKPr4mB0hfcWhVTCsQ38FVx+xGMAZmrCf5U=";
};
})

View File

@@ -0,0 +1,42 @@
{
lib,
fetchgit,
makeWrapper,
nodejs,
buildNpmPackage,
}:
buildNpmPackage {
pname = "delete-your-element";
version = "3.1-unstable-2025-06-23";
src = fetchgit {
url = "https://git.pvv.ntnu.no/Drift/delete-your-element.git";
rev = "67658bf68026918163a2e5c2a30007364c9b2d2d";
sha256 = "sha256-jSQ588kwvAYCe6ogmO+jDB6Hi3ACJ/3+rC8M94OVMNw=";
};
npmDepsHash = "sha256-HNHEGez8X7CsoGYXqzB49o1pcCImfmGYIw9QKF2SbHo=";
dontNpmBuild = true;
nativeBuildInputs = [makeWrapper];
installPhase = ''
runHook preInstall
mkdir -p $out/share
cp -a . $out/share/ooye
makeWrapper ${nodejs}/bin/node $out/bin/matrix-ooye --add-flags $out/share/ooye/start.js
makeWrapper ${nodejs}/bin/node $out/bin/matrix-ooye-addbot --add-flags $out/share/ooye/addbot.js
runHook postInstall
'';
meta = with lib; {
description = "Matrix-Discord bridge with modern features.";
homepage = "https://gitdab.com/cadence/out-of-your-element";
longDescription = ''
Modern Matrix-to-Discord appservice bridge, created by @cadence:cadence.moe.
'';
license = licenses.gpl3;
# maintainers = with maintainers; [ RorySys ];
mainProgram = "matrix-ooye";
};
}

View File

@@ -3,11 +3,14 @@ calendar-bot:
mysql_password: ENC[AES256_GCM,data:Gqag8yOgPH3ntoT5TmaqJWv1j+si2qIyz5Ryfw5E2A==,iv:kQDcxnPfwJQcFovI4f87UDt18F8ah3z5xeY86KmdCyY=,tag:A1sCSNXJziAmtUWohqwJgg==,type:str]
mysql:
password: ENC[AES256_GCM,data:KqEe0TVdeMIzPKsmFg9x0X9xWijnOk306ycyXTm2Tpqo/O0F,iv:Y+hlQ8n1ZIP9ncXBzd2kCSs/DWVTWhiEluFVwZFKRCA=,tag:xlaUk0Wftk62LpYE5pKNQw==,type:str]
gickup:
github-token: ENC[AES256_GCM,data:H/yBDLIvEXunmaUha3c2vUWKLRIbl9QrC0t13AQDRCTnrvhabeiUFLNxZ/F+4B6sZ2aPSgZoB69WwnHvh1wLdiFp1qLWKW/jQPvzZOxE4n+jXrnSOutUWktbPzVj,iv:KFW4jRru93JIl9doVFtcNkJDWp89NlzWjPDflHxcL/U=,tag:YtgyRxkoZO9MkuP3DJh7zA==,type:str]
minecraft-heatmap:
postgres-passwd: ENC[AES256_GCM,data:T8s9xct07AJ4/Z6MQjNrqZQq7FerHz8Op+ea8zO2MDLPWWgU7/hBfrr+T4sc1TgT3e5vtE0dVcqCSbZCZj+6zQ==,iv:prx6d8c92OvbL8IjBLAvi1Vqk69D6ZIkAp7E8CSljok=,tag:UA5YS4YwViYZJ2PWzIIM3g==,type:str]
ssh-key:
private: ENC[AES256_GCM,data:h9OtD6hxrxyokFDe9bveAkMICrs3YrsAEqg0RVHV+xCkgkNAdoh85wb1QI8FJ0tga4Bfq8ZxZTdMnexQvbYWL8m/N/P6gWoPPJd7dwGuxaUZu5lqngVuHIhH0yWFWtPXjQ0Zyl5Q1aBKyjzJMvJc/H2iprgVH4YFs/fWf/KDEp17Plvvz0AoPGPrOZErDmne4MtLbW3pUm1r5ACo/41OyXYwjHk1Ywgsoz1CMxe/DrmkADnf7jSDWL6Q0mz8hIIYi8GbToJS4BIJ2plttraxV9sqpIPzS/1jMERNchItlkCppSYIy/eohVmskP8dAySm5Z7HNGGtzWSSGLxq15xKc7OVFYPMI+B35nPnp1LVOUWqBHAqVo7dwxc3VXOlVat7AMknUZnr67d4TIIl5BOdy/rvAxzXS/fDV0zntIs5o3phKStVvq07eZFaOVva45B7Pyyn0PdBhHBt2JcBtm+Xtg9i3xvZdwQgbeeJRhnYgDqK6BVhmtTuirwp1GOyslqaFCjg0MJj+W+d8R9gbbfyFR6YrZQAkcd/o/yZGg86z7Phe18=,iv:nt/+qPBwPZKQt43VJ9FbKjLYioFwCxD7VK9WNCJCmpQ=,tag:MuDfnTiro3VVJq9x5rkEQg==,type:str]
public: ENC[AES256_GCM,data:+fiCO8VRSmV7tmyweYSpZJMOuMORLHkWetYbr20aTQ1vRYr927nYGes4E464t+Dv9OyJPCLmHBdgt7UvxJWuC3pZE8iStnBYnej3D4ebMzi2SMfOkJjGuQSplXtl8QeAYe1YvROmtQ==,iv:thgGQUyWdXfwUt1E/vudoNjl8JjnksFd1rb/asTry+g=,tag:t1iQPocvfI+JafuJycaLuw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
enc: |
@@ -63,8 +66,8 @@ sops:
cTh5bnJ3WW90aXRCSUp6NHFYeU1tZ0kK4afdtJwGNu6wLRI0fuu+mBVeqVeB0rgX
0q5hwyzjiRnHnyjF38CmcGgydSfDRmF6P+WIMbCwXC6LwfRhAmBGPg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-15T21:18:33Z"
mac: ENC[AES256_GCM,data:uR5HgeDAYqoqB9kk1V6p0T30+v6WpQJi4+qIeCDRnoUPnQKUVR10hvBhICck+E+Uh8p+tGhM6Uf3YrAJAV0ZCUiNJjtwDJQQLUDT53vdOAXN4xADCQqNuhgVwVMaruoTheEiwOswRuhFeEwy0gBj3Ze2pu47lueHYclmEzumLeQ=,iv:t0UyXN2YaR2m7M/pV2wTLJG5wVfqTIUs7wSQMmyeTVw=,tag:O7dIffzrDAXz3kGx5uazhw==,type:str]
lastmodified: "2025-08-25T12:27:53Z"
mac: ENC[AES256_GCM,data:GoJ2en7e+D4wjyPJqq7i1s8JPdgFO3wcxrtXOgSKTxi6HTibuIcP4KQcKrCMRAZmXOEL1vpnWFA2uk7S00Av7/QOnzP0Zrk3aPBM6lbB+p9XSabN0sOe1UpZDtAM3bzvS9JZzyztT5nHKvO/eV2rP71y/tYbsT6yvj7Y9zxpvKg=,iv:tQiCr7zpo7g5jZpt2VD9jtFKo32XUWs94Jay+T4XWys=,tag:npBqmlbUUfN+ztttajva3w==,type:str]
pgp:
- created_at: "2024-08-04T00:03:40Z"
enc: |-
@@ -87,4 +90,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.9.0
version: 3.10.2

View File

@@ -9,14 +9,15 @@ mjolnir:
discord:
as_token: ENC[AES256_GCM,data:cnPZjBbODZUA1p0kLNeWpKh1oGkDPxDw/g7163XnoRCIgpqk,iv:Uu4L36uDPMBgzdXE2Lt9U0qrBSl3Xuufh1313BD8B/U=,tag:nTm6s7IGd4vNzZ95mfxDpA==,type:str]
hs_token: ENC[AES256_GCM,data:UzcaNsJtJPKvFT4gQDNfat0nmyJzmQ6OcSI73pANibzOVrWl,iv:ujgRM2jb1rbeloPB4UPLBEvQ7uue4a+bHiqsZAHIqtk=,tag:uIfuaTWSTeVvpQx5o28HPA==,type:str]
ooye:
hs_token: ENC[AES256_GCM,data:QBrdRt4ozAh2XYJtssm82uHlk9aGO1Nr0fEZetmWfLvmw52FZEq8ijyKOgwS6uTcndMi4gGKkq9r4eapLwcMdQ==,iv:VHOAqxR1WGzZ9dmNx+FmjGAKRpUFjWOwyOVmgDswpE0=,tag:k5it/yx7pOfGbJXZUlV69Q==,type:str]
as_token: ENC[AES256_GCM,data:RMkY0xVj14FwDbYaAysSmzB0IlJuk0ucicNhhTmVAEgiU05PxWG+qk3/elFcaFwaXRFgQQtVyGFZEcK5gpE9hA==,iv:8JgNrTe7GQqPMdUCxEaxJ9qV7Uec2fkYBmF9LmH4X3o=,tag:tRnFpRAZs9kO3u2SDMwNnA==,type:str]
discord_token: ENC[AES256_GCM,data:6rzv3glW03jcYiJ7sAvDcvDmQHs9iVbV11tIFwgD3GuTkVn6mbAoQhjUaz3zpb/OeoGt+j/pCBRlZgk=,iv:JwkqLpeGYhgwLX7SACNh0AUO53XSx9IKgncI0+KkvyU=,tag:30C0X9nVSlEYPITVzuN0qA==,type:str]
discord_client_secret: ENC[AES256_GCM,data:wbM7bPZCWa2+UNUqXi27fP0ppdinRkEC4N9KB68TJzg=,iv:Y2j+8oI+kI7DMrBfFU3G5HtFWguNxDpxbNvJkpK5lQs=,tag:GntocbTCybCVqZ2T3lNSIQ==,type:str]
hookshot:
as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
enc: |
@@ -72,8 +73,8 @@ sops:
WEh5NFN6SFF1TlltdWFWTGw4MHRHUkUKrKIvC87xjEmwxPQhH8dN+ZuaJTCgPY28
pR62KxmoKFICLTHPpYP3euiAx5M9BWvgvCnA/US/5klpk8MtlreNFA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-13T23:30:01Z"
mac: ENC[AES256_GCM,data:vdsAZmg7gPqzeucBhLhPemtRVkcxRecIdB6PXZ4paU+Uv5UorBKcTZ3jseN2cLi6ot3ycTIm+UI6uhlCy87vAJVynVJhuJS+ICFRS2+DfoVyuttLjZQGC2sr3+dEBHxIH7sZJSo9PIzbIWw3qHrpOPAZj0//1pFyp/k15k3vidM=,iv:jWtV+WAPt08lgdrVvtXOl35rDB4QflkZWuGBW1+ESyw=,tag:YxSHncZZOAW5uDxXtb/krw==,type:str]
lastmodified: "2025-06-21T21:23:24Z"
mac: ENC[AES256_GCM,data:bEJoCzxph/MOnTOJKdrRiQmbVWmAgsKy8vbD5YBeWagWUCJPDAZNDFLzEzmPvt0jDBol04JosrSIKZS1JzJIIm0zRkcOWSqERQCgjgtGdAYmfp0V6ddseDUVfKlZYJDkt6Bdkqg+9LzrP8dDVm2tMDXpo8vzs02o9dTYFm7imVQ=,iv:buP/297JMfvEm9+IdMWRGV7AgZwF0+G6Z2YIeYw/z1o=,tag:+zG612MJA4Ui8CZBgxM+AQ==,type:str]
pgp:
- created_at: "2024-08-04T00:03:46Z"
enc: |-
@@ -96,4 +97,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.10.2

View File

@@ -1,15 +1,5 @@
#ENC[AES256_GCM,data:oyFG9fCzJH8yLB0QY78CVOcYO6Ttp/ARqtIcXwWGYOvL6nW+yLcakrdmVA96sR5toywb32aW,iv:7o3FI0cI6GHCwmQfLYh2iAVr8sELOMoxGSzE5qvuAaI=,tag:z9F1c4dOIiy2FtKpBwm5wg==,type:comment]
#ENC[AES256_GCM,data:nhDznFCozGpXdYBfumLyhp7TnA7C/IqBCpHJ,iv:3AZN6iVBha8Qh5/X6Yn/5JWsGhDXlE/zdUh1CcO7fQc=,tag:59DaAyKTOmkKty4eyFWFqw==,type:comment]
#ENC[AES256_GCM,data:vQu+AG19Vy94xxwj196G2uk9,iv:YJGBvoMgOngjn/TeuXeoU82daRvJDxvCQMYb3XCPlw0=,tag:fU6ZhhmAh0yh3/QuXbCNkQ==,type:comment]
#ENC[AES256_GCM,data:S1UOENn/ewhw8Pb9CmKp,iv:jafOhkCoiTm5HXQ/S611L4VlQFa1Wqr5WIIRzLQm3i0=,tag:6CQ+Y9E/FxWN8K+D9J7+Fg==,type:comment]
#ENC[AES256_GCM,data:lHHmoCHyP2Tc3waRGeMPEasQiv5+,iv:W6SSFpeWBfTBOEDo4P9hox39eoAiO40Ay4T3QeiI9Tw=,tag:9bLbcEZ9/B1QolDettwcfg==,type:comment]
#ENC[AES256_GCM,data:DrF4XHSd8QAWn5h1xEGGpDKMQcLF,iv:nPCBbThQh/Aa+uccKJtmiCXSvoJKHxZMJ42yFkV+hi8=,tag:3l50mMn7cPoCnjPcHv1+Vg==,type:comment]
#ENC[AES256_GCM,data:ADUhFzufaR2xXNOLgiXKu5Cd8Zx3waYeZiLF,iv:WMK2gJwplf6r/EdijrvrOBHgPL57W+UMIQ8dBPp/DBA=,tag:E/q/ccAd7UH3BV7nut6Slg==,type:comment]
#ENC[AES256_GCM,data:IVFSM6VOWnR0YDRfecsDPlYr,iv:Jxe8pq3lxw5QUGKyspB8tWSquDSMo3mAJBAsQGKxSec=,tag:7bffwY98iTX4/De0coUIxA==,type:comment]
#ENC[AES256_GCM,data:pHSDnojWTLYXIKk=,iv:ph2xCpxbP3OiWm+B/MDboykPa2gtCWpP0b3j96YCDh4=,tag:u5hmvxHaa/m8GaSeYvONmg==,type:comment]
#ENC[AES256_GCM,data:Q0fCyyP0DJqUyJPo,iv:qwBE3c2VqF52Yq8POXhy2Qv2xJd82wL1aX4eVY6wL1w=,tag:IwmbD7XqIkemOTODBKpS0g==,type:comment]
config:
mysqld_exporter: ENC[AES256_GCM,data:w4muNsWmsW1fPx9nqtDGPCZ9faO3W5Pagn/DfWrb5yf88GQOzOsN4z7TH3QeW0Xs6I5jDIktGmFml6RDxCjD8UX9eer1pvC7Kxyl2DQKLHwmsgx1DUFNTRUzE1Sgx8rZAJ8HM7DO7L/6aXS0ndY4J+huyhDDVd+cIetgiQ==,iv:Q4cZD9CKd/EDOm4bjAE2EOstwKpwexF2pxhMEF0/5/k=,tag:S0rOLJS+b9ualtxcHKdHlw==,type:str]
mysqld_exporter_password: ENC[AES256_GCM,data:I9K+QMqaN3FOOVKzeOR9Q6UERStXX0P8WEHyN1jzzbM=,iv:UxvIdlfAyJvNuxPkU4+guKPa0fiD0vVLzHOTYktcmso=,tag:ltnIqEwESYx9HBu8UN0ZLw==,type:str]
keys:
grafana:
secret_key: ENC[AES256_GCM,data:+WoAJbDBEgKs0RoHT+7oEELAVQ+/2Xt+5RTMSXg23moCqVRx+Gzll9P5Drw=,iv:AkRn/Y20iEe5i1T+84wAgLCTFtAox2G3giyawAkltAw=,tag:BZbt5Wb5lYLIJBm/pfP4GQ==,type:str]
@@ -77,8 +67,8 @@ sops:
WDRSdDZRa1lIbEVTdDlhU1dwUXUzQTgK5iE4Cf/zjsPYHKcqYA0rFqY0TNcCnzNU
vTM+cEPaA+/FXTwLfPpaiSkg5Fq8k2XdeMQsjQnglTBSWCwAJin27g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-20T23:41:59Z"
mac: ENC[AES256_GCM,data:38Ask+adT2FshF8DYEfCWeVWt4KiaJsTXhF7Ib3xxdfQ6vAixM2OXTaK/qqUvN6gQok9TFF+HMJBJ+jezV00nVcKUYn04FaU2/D2zdam44eEEYEEovmfAZ6vbC+CiDv4d/DCc3hnYtDZCEgUTfP4gsZ9rLZFAOwaOFWRJxcDi6Y=,iv:BzuWdTjn6LhscNeouHjM7IYKxTahA8PzzlHSCYZ618s=,tag:BWtPbNwzdOJb788eOO5ZNA==,type:str]
lastmodified: "2025-03-16T20:08:18Z"
mac: ENC[AES256_GCM,data:C2tpWppc13jKJq5d4nmAKQOaNWHm27TKwxAxm1fi2lejN1lqUaoz5bHfTBA7MfaWvuP5uZnfbtG32eeu48mnlWpo58XRUFFecAhb9JUpW9s5IR3/nbzLNkGU7H5C0oWPrxI4thd+bAVduIgBjjFyGj1pe6J9db3c0yUWRwNlwGU=,iv:YpoQ4psiFYOWLGipxv1QvRvr034XFsyn2Bhyy39HmOo=,tag:ByiCWygFC/VokVTbdLoLgg==,type:str]
pgp:
- created_at: "2024-08-04T00:03:54Z"
enc: |-
@@ -101,4 +91,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.9.4

View File

@@ -0,0 +1,94 @@
gitea:
web-secret-provider:
token: ENC[AES256_GCM,data:7ljFuW0CApzvvGSpWa7fiITIXtejhZk5aed70NNup6AS2GpDOv1NMw==,iv:vi+0BM4QkpnMatlGU6rdEYnCgGUU3U8SuE3imbwKfdE=,tag:uTFaeS/56t/MfBwb1hpkvA==,type:str]
password: ENC[AES256_GCM,data:1Hr2M95xT6J4SxnQLWe9ZQ7q4BIAACnpQXEGyCEm2OgRb/kqyv2s+gJAsw==,iv:95CbOJzeGl+jT8OsSSSx+DH8KYD1HtbXOyZhR60QwnU=,tag:dheIVvgqpiFrKvLLpFlPBg==,type:str]
database: ENC[AES256_GCM,data:nDZqnSBKijyhslBjhSu9weqLVJzUiBD8Ltu/nmllicadraeISylyEk3pOA==,iv:XFzM1pGv98jehdgvlZN217LrsK8TcAMFK5eDrPi2bm0=,tag:+YpXqMmvMTrnt7cDK/Sa7A==,type:str]
email-password: ENC[AES256_GCM,data:tasMZ2Zu449o/mH6uSSPM7cFOlBg4vC+,iv:lDNMvXh5P3HNy9pW6nBsSLCyij/3HiSRunVuLeKAmbI=,tag:ApqGWYE9MSE8m6iYLK6Yww==,type:str]
passwd-ssh-key: ENC[AES256_GCM,data:VOp8vqVoX9IFJhzpKy0J+AzyX3TvxEIBvv3dXpD1f8szmUyPwd4gDOlaFpqTSDu8ebmK3m/D0FMTkfBkPVhUG6XTPo7YIV37gLhfsBF6CuwCMXxTQAd23nfpwJKcDIn3R5h8Mu4MMme2Ev/4PNDztktmIYv3KoEbPglzBMS4LrZqJsDilvIYKEIDUExhSAkESKQZiIzK1TdtWDQSUzvUZ3OsbxONZgaTw5e+xz3qk/q+IR5eRNp9fpeZQ8EkpC7aa/JDIwxzNIuMFi8W9PWh6ANmAOm6GK7JSKiHYQL8GofVifhUGUanAnjgDTYkIWpDiSsuHjfDPGupFCeONNd+Wd4NpJZsej3p9ldLOVxa01Le2tIVYY80jUWT0dpV9IJ5syp4gVaky5Vk6i2QhvjunDoEUnArSRGyMTxWfxAxZLvbLYMNAJDoWzy25vf3jteNB43lVHckEW1F8w/RtzoKzbjKYiANHg+eNLVq0HK67gX2twpblNN4OBt9d03ZbV2lZjTMXGzJXHGFT5ZPDwTkxcDooNvoRuCMe8t8dpuksHFaIp4=,iv:3sgiIgGD9pmCMLVRk0Q8+7GZajYIWsokDUx9JuNrO2c=,tag:WDXyNYtqjdAMePEsnA0hbw==,type:str]
gpg-signing-key: ENC[AES256_GCM,data:AyafTF3H8p1qDk9xsNvT68BksoKGLwE2uE3hjz0TrT2XPxCRDOIlfAVYEPSu2Ih6l5a2uruEJhHPtU2fPCB2hln3Bv3gZfFGLb3GFWkSvdePIYFxG56uqGK5dE1KaMccc2cTi+raDImKqSTbp7Qpdo/c6C0WYVglYrD+2l8Y4QOiFuazyLY9zwcX0qG7pIjJ+akCUjfE4rJDAW6H/v+OqvHpcED3q4iXOYuw9sj/UeIgZfJ5Xc/uVrRmPewP4yALnA8o9gsaaLdjWRFIILe7VRwPr0YqwQ6XGgc+pEartkV8AzxjCq6DOtifOOzmu8EI1U1yoaOViYCAMbSHfP6SIKr7pJbrdU+YDBq9mvRx8KPXWUU2uNGrMObATEzlqMYAYA/HJeOdV4w3Axvq8RG2FLkJxJJniwNP5VZRF3bbbI3w+hprRP2yAwgeQw19KBU8yF8upKga/GdMNScpKJvRyVLjZtI0rsfvSC81lHawouuje6aPXT3dH1S5ROJBHMTeV0sP0vK6liBevz9RZpvNs6JVyNCgiRRtRSSYqsgwPJonDKuPeI/Zpgih7HboA8HqhIibqpO96h5/4yO69oJAbLUYV3zlKQcMDTaqadL4Ox5Z+8ygSAL3l1ufZIFGSj73SNHGQqQlIS/a3dAccRi5fPqv0gOmGFAAUJPKfeauFn3TclwojKzu5vwmQxZ5g50txEpTSTaYOy++qq6UZa/dXEyDC7fle75dXhqXyqMCf9kDwZZl5E9eBsabNdTF+auQCp82iLQivdBy7uJX2hkJFSg84fF9MLgH4mOcMQc2E/z961uNzEgoyvVhbDY6+SIJ+6SGmnardbFW7mYrj/QqnSUiMc4tHukAB4NGQYHgjOYRZMpHfVO/6dLbjmTOljnPsnfQUCepvb9rGim8NazvnARaVzezx4t3tfbNR8uLQudSeLZzn/Fu1mKSQvpP+IjdglmyAgp6QhB4OCDPbiaMRDUtOQIzlVILdz1/geUVzhZkJ4xzkm5klGukhtv+3TqjiTcEnoVJC+A1jRvxBQUfEE92GFuupJUfrw8bIDqsWQLkHPCNUMgdoKa/q2OkrWeQz2zm2yUqMAJn1/puoLHdSH5aCELUggx1gQZoc480pSBUvSCML+Qc4B4Cd6hX2PPp+/KQeKtfqHIsKz2I+DMT6KDirReX6WHxqk+s2DtLw7Wx/j65PWCIWLCz,iv:c9BDRxQImWTmwq11+T2CW0S00Dixd8d0od5xn5zZmY8=,tag:brnMedsdTwlkbaHaLa2w2g==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data:P6hKaCpcZdXIy4rE/1b1+66Md/3Kmviileb0OIT3Vz4IVsDLecBh3IiadHq66V4KocXC4LBUNFjcrxlVVGIonHJ3qd6VpQUwG0n83yhj6LD5hgxmZ5phAyR77Ri8BiH1lWUcg51L2k0U+WJFPP6JkumT9MEz1t1+JYr5Imij6GKRWRKFwTbU6QJwFH4tCA/iGw0ElrzIjSHiNiwIKfbm8yas9vlOhr4y7vCeV10hVyvV,iv:dZ8hQxhn7pokWbQG/8rQ2vFDpPYut7WCG3xy9g6kzNs=,tag:xMyPtJJoh8kjJcOT4t9aRA==,type:str]
import-user-env: ENC[AES256_GCM,data:9SE2k3/IJqbdexj0QFSQBQ1+u1AduWNjt+0XIHryJlxIEdvv9a+6hP4EXPo+31GnaE4=,iv:qZlWOBV5owr3ESTyFaV/R8VwlGl04kaui80I2zYk4zY=,tag:PhjRfEC1xoHaYyl648yCVw==,type:str]
secret-key: ENC[AES256_GCM,data:YqwSJazPqz1OOsUVIPKsGvIHbX7SyJqryan1KWSRGRJkt9yZlaiRtQG/mQugAM6IvLFD3pj+gPTcXyqenaAQKA==,iv:nyPnL7wuhpb0kl0tm1JhOHmF7KI9vVcTN1SRGTgD2o8=,tag:Rt/IPC/YtBcmTx5osGlbBg==,type:str]
oauth2-jwt-secret: ENC[AES256_GCM,data:YUVbf0xgnzeNoahu57yzoib2XSB0rR2AAIkdlEe8eC9AFEdv4vE0S372jw==,iv:k1cEa/sWqJZ9b/NetVSR37BYy6UUOM4qAnbsfLEw+5Y=,tag:CrUh0xDWA77dAFp8FY0jPA==,type:str]
lfs-jwt-secret: ENC[AES256_GCM,data:fAirrt7Ue1XpHYB12e8l+47x1dY/eIsDV61KrDA/sRSKvZherRNnahtLQw==,iv:S6+rQHf3TL/1tKcknX/jHJ7k79GCU1BRBZHhuqXSRME=,tag:WUjNaP8bb1HvZnAX3+vXoQ==,type:str]
sops:
age:
- recipient: age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWnlOa1NGME00dVhBQ3Z2
UE1HZlc0Nldrb1VwZTk0Z2I2Nm5ZazV6WndFCnNoM2JaWFJnazJaWlltVW9uNGhm
UmdPSWlsdllORFhyMzRhYXBKQjRqWmcKLS0tIC91RmRCNG91UW1xb1pETXczSDlM
aStmM20xL0hHT3VnMWpTSEltZEpqT1kKj7Io72QSR/dgggQRBZ0gjs0Q7Y3GIP9K
GPgvKGxEi8CcrUj5J9u7rDUed1/TowgWWs/ujt/8q2zfli7AjTpS1w==
-----END AGE ENCRYPTED FILE-----
- recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByclROelpuQUFPQlFpREJr
NjhlUDA0TGw4R2FKbmRwWEVCSldrem9neVI0CmU1Q29qUUNZbmZDSkx0UmZmNkVL
dmNQMEJjRjJtcWFYNE1SamV5SUozZVUKLS0tIFBMdFB5TTV4dGRoeVNnYWV5dERY
ejV3RTlSMjNlcGNreXM0YjhpUkVxUzQK2xB69WIRrMPNdZuJUzwuNM/a/Qzpyp7b
nInPmTCCOhqc3eNFSc+od6y5urMeW+r2i2iNV4B2rIdJTdLl1434eg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVFEyaWtlV0F1d0QvMGpU
KzUxdGpXRUMzOWhSODJNYU1Id1Evbm1QelVzCmNZS3NSNWZlZDhPYUVCS3ZIUXRM
aVdScUI5aFI0aXU1ZUx0VjBBQW1hRUUKLS0tIGtOcmFNTXIxdEV0RlI0akJpWEM0
bk9lWDZkS3BrM0t6V2xEbVdtZlQ1aTgKv7bIQpdGIoXMxPZDmLzqunIEaqQ5M63r
Qu1oFC+yZh2UlkjGxKE6HMlMGn0CnBcTa8XvBaEVMfchVR/2WVq8TQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQWM5dlFCbTIrSXlZYnBw
VVQzK1ZiaXpQcTcwQzV5YVV3d1A2L012K1NBCmpXNnNnenNrNTZDUjdXdzNXd2R2
T3FSc3BLdUUxWEs2OXlRNEdieXU1bEkKLS0tIFJkU0ZGcjd4bEUyOWFZeHVUMHow
dVNTbk41S0VUNndQLzRoZ2ZpVTVqNU0Kp6okYalYtbI1CFuJq/881ZyOVpFoRq0j
DvG2E2U+go6XftSaJ59DIUC6rzVBg1JKpJX3TS6SJhe+T+1paoxG/A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYVdXc2hrQ0JFQnF6NFpG
UWVMVTN5U0JuQkRxU1ExdUlpWkV4RHlvYUNZCmIzOFI5QnVrMU84VTV6WmcxdjdZ
aTZpOWZNdGNoSnJ2c0R2UzJ2cU1TRmMKLS0tIGFxTkxaYjUvaUxsRmhxRmpVeFFD
aWt5dnlUYWxoUUlHTjRnWEVBU0NzODQKQ2v9oCbXhUhRnURyHWbAIJHGjgb/eVp1
h9Tdld0TWTxxbyN8JkRa80B8JpUVwHgeqJmq2krnhDrYLN9zaugVMQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bFd5OGpvY0YxczdkVnVY
ZXExNnY1UXBtb0d4MFNYR3JrMTN1SXhNOUhrCi9xVm1HZDhHZmpEdmdJNVBFcWhv
UjI3VDNycEpKdTNnbVU1eVFUeUZuZTAKLS0tIE5GdEJ3Nk1oam9KYUVCMk9CVmpL
OCtLcUZwL084TUp0QmpSQXNtSFhHYkUKwGvXXE9AWlrlDgRl2ECCmej7IMztO+fx
852Vu610cI9FLv5oghlKM769+/A2QP82KwdxZ4MaRSDvJwXKBi16aw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-03T01:35:52Z"
mac: ENC[AES256_GCM,data:wQPIW9zRhB6IjK1OQy69Ln+dj6OMNLnNKIzFIhv/vbQ4GllMJ3N/gZjuzMJIumcVND+jEY/qiYnsCFSptStlDYtB3/zHWo1e6It2pM4igtoTP29uiQME0vPJSz0guakZlDMa20mOTN0vVZODEbeBiQNXWtnTbl93R2JVJlZrWcI=,iv:L9Dk5S+hbBO0LTM0irfLuqjLYHzVtY5Tq+Q7m65u6p8=,tag:0GT9IyPeGY5YM6PP/LNs/Q==,type:str]
pgp:
- created_at: "2025-03-16T13:02:45Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ/9Ey8zpaRU7DuvVaKTaybgkLCPTKNyq6mKXAusKqC0adMu
9G4M8G18uEoo6/Oa1LpJsQneU05EFuStZPaCs9+zxe5ZU2YhcVcDGAHgCDFBbI27
7kzUVxA/n5cK61CfIslNYdJolceJeLyH9HSrS3k3eI3V6zEQL9Yz05dDz7Nlma4q
AKsnGtLY4og0j2k7HZcK39ikhJGkllZHhsM4RT8/UVeVZF9CxKzwQ2OKbHkhJZyn
LGEpioYAKuIIWm/20y/DQwIYpAilltWkg+RWQUnYeAINAZKSzFNi9vd3N4n6e41t
ikq8Ukpjbesy42w0ju9sbNWayga14OG5STg/qacrCDjp+wY55VJCcEEM/6kPj1rf
e2dBR+eN8VMgcPOlexOf1pkrVhNqz9eDfEfaEtDbFDIgznt0pmLeeYcL3NBa5+Xf
vpGXG3fmgoXvQYW05yY4efBRiex9f70lbhnnngeY9ZbmSpy3ZuzIKq8RgBxy1ve+
4B6RYC2Ag8Tndj1xYfHcrqSNfmxq+xNieFV49PMGDO1hjJF++VASqPuRtX9lz3tZ
Y7E7VPtTESaxEp9IuUgLYYnvSHh1SNIRl3OtcctL+bwbF2wNk5iBha+jC/aXNRU/
PoRv1y+G+0R6aV3hLJjoC+Hrm2JX3FIksk64LRDM9mSI7Yl7MfEFrIzcH4HEzlTS
XAHugaMjpRCntUxlaP2tq4jlrv+PQLh7+uBzzbhLBK6qSjybKiqHBKeluxfYVsDs
rJJicnclRfI1eJPfZDlCr2iggd+2ABYG7uINQVrZYuw2dfb4IvvrqCQz/fBy
=Qb5k
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.10.2

124
secrets/lupine/lupine.yaml Normal file
View File

@@ -0,0 +1,124 @@
gitea:
runners:
lupine-1: ENC[AES256_GCM,data:UcZB2p/dInvcl0yNBEohzbmcVxg/QQPXlIsaVB3M3hyxFg1gtGfUGA==,iv:OigyPfPoRIjvyiId7hiiWdNrZqyZqI3OonvJC+zYEzI=,tag:SjBsvo/IJKhFQs+PiI596g==,type:str]
lupine-2: null
lupine-3: null
lupine-4: null
lupine-5: null
sops:
age:
- recipient: age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncnd2NVdqdjU1WWx4YWJr
RUVuSThBWWdyVnpFT0kzZjBrVjZiN1FiU0ZBCmNCbGVZK09YaFNGSUE2QWpidEFw
aEZEVndkODRzYmNLWDRzSGMzOWZKajAKLS0tIE00b3NiclFrOEk3R1lkeWM0VHY3
dUFQcG04bWNwYjRjTlNWV0pXNnlTN28KEc8nM7jzMuh2B6Q9vDS9apmVZDH9fAGi
dyze2SHCvfbr6So6GtJnZQy5J7tPoHBd3zwjojYV11kR9Ci1GszrVw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVzdFdXdETEN3bjdIY0hi
TUV3YjFSUHBhNTIyUDd6MC93R2xRZmZGTkd3CkZuNWRZY25nY1FMZjV1QzJuUUZN
d0hzMUplY0w4c0hVK0dCbHVzVURvUm8KLS0tIGt2UEozYTdzMDRGUlRYeWpLY0Q3
bmFMZGRhWGZQZlpwMFZsV3VwdEljRUkKwS1gGaLCY/+wv2blCiDWHXOTl7eRVDPH
NPk33fXDa0y4AxFmwJ9caHL+UHWhSCVvi6odl1F6OA4blNLHRZAyzQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdmZXREhrUk5kWHgyMzI0
RnR0bVE1cm9GQkpwc0VWZ3ZmUjMxMzF2WVhFCkcrcEI4enlRN09wNzF4M0tTNXZi
TWg1TTkwUlNYUU1ReUVSU1dTdFoxeWcKLS0tIGZaMmVmZ1kxbFVVMmsxTzczYU9j
N3Y3Qm9SQ2Z0bWNhM043czdnWC9RR0kK61W5sqXybAbjTUR8D05dYMInLl683Rzj
G+0MZEzvfYONGU1gduRB5quHAwZLG5b9N6zorRSFON1meni+v/Ciww==
-----END AGE ENCRYPTED FILE-----
- recipient: age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBod1RDR1NLZlhQQWw4Nk8z
TTZHZitTNjFxUHVIZWY3N2VDd3pXRGt4N0JFClNzQ2REbSt5T0FXaVBhS09zcS9y
TW5PTW1mSzlyOHppSm1yMWp6by9ZUWMKLS0tIFVsYkJZbHE3K3B5TS95amJhbDYy
dFV1REdKYmIweWw1MDJ4L3p0cW9nVWMKQndDoniGQOn01SnscX7u7y6l119Eb++q
JoTZELALPIyGdI4pXd6zCfRyLFaqWd4CO0RFtl8FTcm75W+ETmqqlQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjdlhET094ZGJsZU9tZnhz
d20wcnltVU1MS09Qb3lzV2RjNi9OZjhDdFRBCndRY3hwQ3VHQWF2MVRFUU1MQkhh
bGRQdEVaSzF0YTgxTGdITGN2dDlYc1kKLS0tIEw1MmFkUHJaKzZGRU93T2VTTkxK
VU0xV0gwQ1NnbVIrS3lHTnJ5bU9IcGMKDWSWfA7iBQ+8iclmXDVf5Qjv67D2WbJg
ovrYcT1F5+qE4xkuUkzVaGn9vgT+/kkzFucBz0c0iD5KCoa52z5AlQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtV2R5VzdCbkFDTGRJUG81
bUk3Y3F6NkJGYUk1VW1XQnFOSTlwMTduL0Y0CjJ4N1Q5MXZjQXhsTk5Hbk40U1pU
aFNxeFIyaGJpd3dMZFpQL0R2M1dHbk0KLS0tIGpUVGMyRSt6aDZVOERRWnRSY1Ns
dXptcUNmeGRHcEs3WStpL3BuZUtJbjAKhqJEec4vjSC18oRl1dTNkF2Ev4YtudE4
Lp2vbcSHXwrZhqbFlQ8stCpUJvjCBEr2cT/shrG38aP0MzgeSmMacQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURXhRWEFHU2Rtd0pyZGUw
b09VQ1JhYjhJYlpnY2FCZndEcU1Ed3k1K0UwCit1NVIyL2xuZlAzbEJwY3V0UTB3
Unk1L3p6cHlVWjllMjcvcTdDcnlxcGcKLS0tIGdGa3MvTmJiSGF4YnBZbE1wdGEv
eFArZE5MaXlvOE9XN1I4eEtNMEpzcU0KVNUfcUJM+IVY/+b8mQiHKvuFnsih+zHx
ZdUD+FPjghqrzJB4MOl/PYAxJ4lga6gPbcRWD5UUDuyDGOUwRpOt7w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUnhIOHVLUG1meWFlZ24w
SVlFenR1aWZXK21HSXpHU1NSZ2llQ1EwSnpnCmJYRXR3b3IvclZvaGpGdEpOUk9D
eDg2eFFJQ0M4TEJqZDVUQUZGa2h3V3cKLS0tIEhWTzhoMVg1UEM2M1k1TVZTUDlL
RDE1RCtUV2dDR3haclBMZDFhYXcyV2sKjwEI2dY4rluumihyEggLYDDvZZAK4SZw
FWkwIUpMCZzg2fCeDMnTSAWfAZbiDcPLoCieJ2bpGXPTzyasRlOakg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxamdXMXJ4K3hMV2g1WmUy
Ry80dG5wdWlLc1paY1VoSE8vWk1ra1g5cldFClN1eXlVUGVndnovQ3dxQTdzQjRV
Wm9NNWg5VVR4NVNsRjM0VHFya1FQeWsKLS0tIG43bTdKVjNrQlBUWHJoNjIyOW85
TGd1Tng1akExRDd0TFZmQ3JnS3FtK3cKn2t7/4yIDZT2oy8fyJibF62usPjhuBOb
9qQjChRm5h5mNSWdAzyf48wID7czzJiZjqtfE4vjLYLsWKMzz9j3xg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQm5UalBhV1NWa2ZQNzVQ
OEZXODkrYXRGR2lRMzMwSk5KV01WK3pLZlZ3ClNwZTV6aGRvZlV2UXJaNm9IOVVR
VFZscVZhVkFaMlk5a1ZCcWJReVN5YWcKLS0tIEhHMnRKdWJvTkREbFlWb25YRXg3
YU5mMDlRckJCMDAzcHYyMWN1clRJRVEK77PiAQP+2+WblGYEgAf6bx6RTh0JHiSZ
/jPIN/rbAKNv36wpZDbuLV8tcMuvhleNMRSSqbIloLSzww+Z5nOU4A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-30T18:29:08Z"
mac: ENC[AES256_GCM,data:47cki5ucPTVd4JuEyK0QkDCCEqj1pW6SA5I6ihC/MEja6TIuHTcEPFpje8+LvpGjpP9uobKX4g3UcyvkJ63j/k3hU0xPYQX3Z1ee00KIMKB0GHNjUR8ENtnwd3TU7kp5ohtXeCtcyzCjdFFuXp8AINGv3vpbU2MzauctUxn5B1Y=,iv:1mpk/f1QlRtHfA9dqyNLBrvfVPgtLnZ7ibj8qNrEGD8=,tag:drEK1+qeJy97rgeQJyqucA==,type:str]
pgp:
- created_at: "2025-07-30T18:27:50Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ/9HdDiIXAQjcAbokD7yliGC+p7j+RxD2FDh5aXtDIS14dM
pF7wdTdY7PvcXoSCQ5ZC7bjIY86MDfD+BT63MwjOczIgBJJ9wrGDZ2o9DnzzYsI1
XdUgQscjtbAycNlaczI6IXrYlWqjt6qpp/OADXdMXZo3W+pTR3aSdrj/FcMzJad1
AMQt8raqrD5LxIj0yWEYvob5z7NA6slBvVJRszsbYgz3aJWqG2DhlUBph6j2Rgmq
/W796+fywrunmY/dmzptT5Epp5gZ55BAqg09qHj/+crTxIt7SNpsfps2ki8JBVq0
4ooaUktBBMnhsZBA8NIauesokZkLO0MvyvjMBPGR8jun2EXoNtFmWZqUqD1fb0B5
xe0SVg8XIzS/AFnKVAWfj6h9lM4guLL/kxu3aPAJwOj+YtIAXx4vojs81Led8nlQ
jXvfy7Y94EQhKTLWuK12QC+bw2vy4V9L98nyDKB3ZuN2l3A2CN1ZLXArk/oez56d
5t/0C43qEPfzQH87kygGuuQmlZvQupnHN4iCvExmoiX362/3S9h1wS5QcKdC3Lk/
f3yr0+r1uOYuoQuofwitLZaq66aCmqYUmXhLvGujPjg8YuNXQ5k1MlOilDqoZnxk
0V8RQbTpvUcqRLgczofC0ovgE2W13khS2BGxG3ZPmAbUGiaIP9OkfebI7hJJE7LS
XgE4cU06C5jj4wLkOj3y4nEKwaFrEGRO3YQa1kl5/sExOg0Jd7fehozVh8+opGOZ
MhmVHghd/RYZzBi3NZL28xnAvsawE1m6h6WEGk6JaVEdJh9W009AQCtVyChs9Og=
=4gbo
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.10.2

View File

@@ -11,14 +11,14 @@ pkgs.mkShellNoCC {
editorconfig-checker
];
shellHook = ''
export OS_AUTH_URL=https://api.stack.it.ntnu.no:5000
export OS_PROJECT_ID=b78432a088954cdc850976db13cfd61c
export OS_PROJECT_NAME="STUDORG_Programvareverkstedet"
export OS_USER_DOMAIN_NAME="NTNU"
export OS_PROJECT_DOMAIN_ID="d3f99bcdaf974685ad0c74c2e5d259db"
export OS_REGION_NAME="NTNU-IT"
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3
'';
env = {
OS_AUTH_URL = "https://api.stack.it.ntnu.no:5000";
OS_PROJECT_ID = "b78432a088954cdc850976db13cfd61c";
OS_PROJECT_NAME = "STUDORG_Programvareverkstedet";
OS_USER_DOMAIN_NAME = "NTNU";
OS_PROJECT_DOMAIN_ID = "d3f99bcdaf974685ad0c74c2e5d259db";
OS_REGION_NAME = "NTNU-IT";
OS_INTERFACE = "public";
OS_IDENTITY_API_VERSION = "3";
};
}

45
shells/cuda.nix Normal file
View File

@@ -0,0 +1,45 @@
# nix develop .#cuda
# Copied from https://nixos.wiki/wiki/CUDA
{ pkgs }:
pkgs.mkShell {
name = "cuda-env-shell";
buildInputs = with pkgs; [
autoconf
binutils
curl
freeglut
git
gitRepo
gnumake
gnupg
gperf
libGL
libGLU
m4
ncurses5
procps
stdenv.cc
unzip
util-linux
xorg.libX11
xorg.libXext
xorg.libXi
xorg.libXmu
xorg.libXrandr
xorg.libXv
zlib
cudatoolkit
linuxPackages.nvidia_x11
# Other applications, like
hashcat
];
env = {
CUDA_PATH = pkgs.cudatoolkit;
EXTRA_LDFLAGS = "-L/lib -L${pkgs.linuxPackages.nvidia_x11}/lib";
EXTRA_CCFLAGS = "-I/usr/include";
};
}

23
users/albertba.nix Normal file
View File

@@ -0,0 +1,23 @@
{ pkgs, ... }:
{
users.users.albertba = {
isNormalUser = true;
extraGroups = [ "wheel" "drift" "nix-builder-users" ];
packages = with pkgs; [
htop
neovim
ripgrep
fd
tmux
];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICheSCAxsYc/6g8hq2lXXHoUWPjWvntzzTA7OhG8waMN albert@Arch"
];
};
}

View File

@@ -13,7 +13,6 @@
bottom
eza
neovim
diskonaut
ripgrep
tmux
];

22
users/vegardbm.nix Normal file
View File

@@ -0,0 +1,22 @@
{ pkgs, ... }:
{
users.users.vegardbm = {
isNormalUser = true;
description = "noe";
extraGroups = [
"wheel"
"drift"
"nix-builder-users"
];
packages = with pkgs; [
btop
eza
neovim
ripgrep
tmux
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDVA3HqEx3je6L1AC+bP8sTxu3ZTKvTCR0npCyOVAYK5 vbm@arch-xeon"
];
};
}

View File

@@ -31,10 +31,6 @@ in rec {
ipv4 = pvv-ipv4 168;
ipv6 = pvv-ipv6 168;
};
dagali = {
ipv4 = pvv-ipv4 185;
ipv6 = pvv-ipv6 185;
};
ildkule = {
ipv4 = "129.241.153.213";
ipv4_internal = "192.168.12.209";
@@ -45,10 +41,6 @@ in rec {
ipv4 = pvv-ipv4 209;
ipv6 = pvv-ipv6 209;
};
bob = {
ipv4 = "129.241.152.254";
# ipv6 = ;
};
knutsen = {
ipv4 = pvv-ipv4 191;
};
@@ -64,10 +56,38 @@ in rec {
ipv4 = pvv-ipv4 204;
ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
};
kommode = {
ipv4 = pvv-ipv4 223;
ipv6 = pvv-ipv6 223;
};
ustetind = {
ipv4 = pvv-ipv4 234;
ipv6 = pvv-ipv6 234;
};
wenche = {
ipv4 = pvv-ipv4 240;
ipv6 = pvv-ipv6 240;
};
lupine-1 = {
ipv4 = pvv-ipv4 224;
ipv6 = pvv-ipv6 224;
};
lupine-2 = {
ipv4 = pvv-ipv4 225;
ipv6 = pvv-ipv6 225;
};
lupine-3 = {
ipv4 = pvv-ipv4 226;
ipv6 = pvv-ipv6 226;
};
lupine-4 = {
ipv4 = pvv-ipv4 227;
ipv6 = pvv-ipv6 227;
};
lupine-5 = {
ipv4 = pvv-ipv4 228;
ipv6 = pvv-ipv6 228;
};
};
defaultNetworkConfig = {