Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 oysteikt
|
6bc767de6a
|
@@ -1,7 +1,6 @@
|
||||
{
|
||||
pkgs,
|
||||
lib,
|
||||
inputs,
|
||||
fp,
|
||||
...
|
||||
}:
|
||||
@@ -36,7 +35,6 @@
|
||||
./services/prometheus-node-exporter.nix
|
||||
./services/prometheus-systemd-exporter.nix
|
||||
./services/roowho2.nix
|
||||
./services/scrutiny-collector.nix
|
||||
./services/smartd.nix
|
||||
./services/thermald.nix
|
||||
./services/uptimed.nix
|
||||
@@ -44,12 +42,6 @@
|
||||
./services/userdbd.nix
|
||||
];
|
||||
|
||||
system.nixos.tags = lib.optionals (inputs.self.sourceInfo ? dirtyRev) [ "dirty" ];
|
||||
|
||||
specialisation."auto-upgrade".configuration = {
|
||||
system.nixos.tags = [ "auto" ];
|
||||
};
|
||||
|
||||
boot.tmp.cleanOnBoot = lib.mkDefault true;
|
||||
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
|
||||
|
||||
|
||||
@@ -13,7 +13,6 @@ in
|
||||
|
||||
"--refresh"
|
||||
"--no-write-lock-file"
|
||||
"--specialisation auto-upgrade"
|
||||
# --update-input is deprecated since nix 2.22, and removed in lix 2.90
|
||||
# as such we instead use --override-input combined with --refresh
|
||||
# https://git.lix.systems/lix-project/lix/issues/400
|
||||
|
||||
@@ -6,13 +6,10 @@ in
|
||||
security.polkit.enable = true;
|
||||
|
||||
environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
|
||||
polkit.addRule(function(action, subject) {
|
||||
if (
|
||||
action.id.startsWith("org.freedesktop.systemd1.") &&
|
||||
subject.isInGroup("wheel")
|
||||
) {
|
||||
return polkit.Result.AUTH_SELF_KEEP;
|
||||
}
|
||||
});
|
||||
polkit.addAdminRule(function(action, subject) {
|
||||
if(subject.isInGroup("wheel")) {
|
||||
return ["unix-user:"+subject.user];
|
||||
}
|
||||
});
|
||||
'';
|
||||
}
|
||||
|
||||
@@ -1,11 +0,0 @@
|
||||
{ config, ... }:
|
||||
{
|
||||
services.scrutiny.collector = {
|
||||
enable = !config.services.qemuGuest.enable;
|
||||
settings = {
|
||||
version = 1;
|
||||
host.id = config.networking.hostName;
|
||||
api.endpoint = "https://scrutiny.pvv.ntnu.no/";
|
||||
};
|
||||
};
|
||||
}
|
||||
Generated
+9
-53
@@ -161,27 +161,6 @@
|
||||
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
|
||||
}
|
||||
},
|
||||
"libdib": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"worblehat",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1769338528,
|
||||
"narHash": "sha256-t18ZoSt9kaI1yde26ok5s7aFLkap1Q9+/2icVh2zuaE=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "7218348163fd8d84df4a6f682c634793e67a3fed",
|
||||
"revCount": 13,
|
||||
"type": "git",
|
||||
"url": "https://git.pvv.ntnu.no/Projects/libdib.git"
|
||||
},
|
||||
"original": {
|
||||
"type": "git",
|
||||
"url": "https://git.pvv.ntnu.no/Projects/libdib.git"
|
||||
}
|
||||
},
|
||||
"matrix-next": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
@@ -337,11 +316,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1779774845,
|
||||
"narHash": "sha256-QJU1J4eupwjRrtvWGzRut0GY3woql92RS9O/acWkJkk=",
|
||||
"lastModified": 1764869785,
|
||||
"narHash": "sha256-FGTIpC7gB4lbeL0bfYzn1Ge0PaCpd7VqWBLhJBx0i4A=",
|
||||
"ref": "main",
|
||||
"rev": "13667cd216db260ab549e6f1b6281aa230d2f9e0",
|
||||
"revCount": 29,
|
||||
"rev": "8ce7fb0b1918bdb3d1489a40d73895693955e8b2",
|
||||
"revCount": 23,
|
||||
"type": "git",
|
||||
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
|
||||
},
|
||||
@@ -358,11 +337,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1779903528,
|
||||
"narHash": "sha256-4rajaHeBeQ4PjbNSpslE9G3A5mZM1J/64ls+VoufWZo=",
|
||||
"lastModified": 1778960428,
|
||||
"narHash": "sha256-YAs3LbFGlBLJW3xHeoQfTq2GBBXTvuSKl2WXDtloczU=",
|
||||
"ref": "main",
|
||||
"rev": "bba7413a1c611d4918fbef4d3aa55e465ca3f3fb",
|
||||
"revCount": 585,
|
||||
"rev": "927748790b1f7159adfe32a3ad9ec01d22e9c5a2",
|
||||
"revCount": 583,
|
||||
"type": "git",
|
||||
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
|
||||
},
|
||||
@@ -412,8 +391,7 @@
|
||||
"pvv-nettsiden": "pvv-nettsiden",
|
||||
"qotd": "qotd",
|
||||
"roowho2": "roowho2",
|
||||
"sops-nix": "sops-nix",
|
||||
"worblehat": "worblehat"
|
||||
"sops-nix": "sops-nix"
|
||||
}
|
||||
},
|
||||
"roowho2": {
|
||||
@@ -544,28 +522,6 @@
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"worblehat": {
|
||||
"inputs": {
|
||||
"libdib": "libdib",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1773932847,
|
||||
"narHash": "sha256-IklIAdlonrmO8/lkDxNIVz9+ORL4pcVotMTxeyvxzoc=",
|
||||
"ref": "main",
|
||||
"rev": "0871a319f51d3cb0d1abb5b11edb768b39906d3f",
|
||||
"revCount": 104,
|
||||
"type": "git",
|
||||
"url": "https://git.pvv.ntnu.no/Projects/worblehat.git"
|
||||
},
|
||||
"original": {
|
||||
"ref": "main",
|
||||
"type": "git",
|
||||
"url": "https://git.pvv.ntnu.no/Projects/worblehat.git"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
|
||||
@@ -23,9 +23,6 @@
|
||||
dibbler.url = "git+https://git.pvv.ntnu.no/Projects/dibbler.git?ref=main";
|
||||
dibbler.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
worblehat.url = "git+https://git.pvv.ntnu.no/Projects/worblehat.git?ref=main";
|
||||
worblehat.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.8.0";
|
||||
matrix-next.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
@@ -213,14 +210,10 @@
|
||||
};
|
||||
skrot = stableNixosConfig "skrot" {
|
||||
modules = [
|
||||
self.nixosModules.drumknotty
|
||||
inputs.disko.nixosModules.disko
|
||||
inputs.dibbler.nixosModules.default
|
||||
];
|
||||
overlays =
|
||||
[
|
||||
inputs.dibbler.overlays.default
|
||||
inputs.worblehat.overlays.default
|
||||
];
|
||||
overlays = [inputs.dibbler.overlays.default];
|
||||
};
|
||||
shark = stableNixosConfig "shark" {};
|
||||
wenche = stableNixosConfig "wenche" {};
|
||||
@@ -291,7 +284,6 @@
|
||||
rsync-pull-targets = ./modules/rsync-pull-targets.nix;
|
||||
snakeoil-certs = ./modules/snakeoil-certs.nix;
|
||||
snappymail = ./modules/snappymail.nix;
|
||||
drumknotty = ./modules/drumknotty;
|
||||
};
|
||||
|
||||
devShells = forAllSystems (system: {
|
||||
|
||||
@@ -7,7 +7,6 @@
|
||||
|
||||
./services/alps.nix
|
||||
./services/bluemap.nix
|
||||
./services/radicale.nix
|
||||
./services/idp-simplesamlphp
|
||||
./services/kerberos.nix
|
||||
./services/mediawiki
|
||||
|
||||
@@ -107,7 +107,6 @@ in {
|
||||
CodeEditor
|
||||
CodeMirror
|
||||
DeleteBatch
|
||||
PdfHandler
|
||||
PluggableAuth
|
||||
Popups
|
||||
Scribunto
|
||||
@@ -182,17 +181,12 @@ in {
|
||||
];
|
||||
|
||||
# Misc program paths
|
||||
$wgFFmpegLocation = '${lib.getExe pkgs.ffmpeg}';
|
||||
$wgExiftool = '${lib.getExe pkgs.exiftool}';
|
||||
$wgExiv2Command = '${lib.getExe pkgs.exiv2}';
|
||||
$wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
|
||||
$wgExiftool = '${pkgs.exiftool}/bin/exiftool';
|
||||
$wgExiv2Command = '${pkgs.exiv2}/bin/exiv2';
|
||||
# See https://gist.github.com/sergejmueller/088dce028b6dd120a16e
|
||||
$wgJpegTran = '${lib.getExe' pkgs.mozjpeg "jpegtran"}';
|
||||
$wgGitBin = '${lib.getExe pkgs.git}';
|
||||
$wgDiff3 = '${lib.getExe' pkgs.diffutils "diff3"}';
|
||||
$wgDiff = '${lib.getExe' pkgs.diffutils "diff"}';
|
||||
|
||||
$wgUseImageMagick = true;
|
||||
$wgImageMagickConvertCommand = '${lib.getExe pkgs.imagemagick}';
|
||||
$wgJpegTran = '${pkgs.mozjpeg}/bin/jpegtran';
|
||||
$wgGitBin = '${pkgs.git}/bin/git';
|
||||
|
||||
# Debugging
|
||||
$wgShowExceptionDetails = false;
|
||||
@@ -217,13 +211,6 @@ in {
|
||||
# EXT:WikiEditor
|
||||
$wgWikiEditorRealtimePreview = true;
|
||||
|
||||
# EXT:PdfHandler
|
||||
$wgPdfProcessor = '${lib.getExe pkgs.ghostscript_headless}';
|
||||
$wgPdfPostProcessor = $wgImageMagickConvertCommand;
|
||||
$wgPdfInfo = '${lib.getExe' pkgs.poppler-utils "pdfinfo"}';
|
||||
$wgPdftoText = '${lib.getExe' pkgs.poppler-utils "pdftotext"}';
|
||||
|
||||
# Override key from hardcoded config in nixpkgs
|
||||
$wgSecretKey = file_get_contents("${config.sops.secrets."mediawiki/secret-key".path}");
|
||||
'';
|
||||
};
|
||||
|
||||
@@ -1,40 +0,0 @@
|
||||
{ config, lib, ... }:
|
||||
let
|
||||
domain = "dav.pvv.ntnu.no";
|
||||
radicalePort = 5232;
|
||||
in {
|
||||
services.radicale = {
|
||||
enable = true;
|
||||
|
||||
settings = {
|
||||
server = {
|
||||
hosts = [ "127.0.0.1:${toString radicalePort}" ];
|
||||
};
|
||||
|
||||
auth = {
|
||||
type = "imap";
|
||||
imap_host = "imap.pvv.ntnu.no";
|
||||
imap_security = "tls";
|
||||
};
|
||||
|
||||
storage = {
|
||||
filesystem_folder = "/var/lib/radicale/collections";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
kTLS = true;
|
||||
|
||||
extraConfig = ''
|
||||
client_max_body_size 128M;
|
||||
'';
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString radicalePort}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -10,9 +10,8 @@
|
||||
enableACME = true;
|
||||
kTLS = true;
|
||||
locations = {
|
||||
# "= /".return = "302 https://webmail.pvv.ntnu.no/roundcube";
|
||||
"= /".return = "302 https://webmail.pvv.ntnu.no/roundcube";
|
||||
|
||||
"/roundcube".return = "302 https://webmail.pvv.ntnu.no/";
|
||||
"/afterlogic_lite".return = "302 https://webmail.pvv.ntnu.no/roundcube";
|
||||
"/squirrelmail".return = "302 https://webmail.pvv.ntnu.no/roundcube";
|
||||
"/rainloop".return = "302 https://snappymail.pvv.ntnu.no/";
|
||||
|
||||
@@ -29,7 +29,7 @@ in
|
||||
|
||||
dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
|
||||
maxAttachmentSize = 20;
|
||||
hostName = domain;
|
||||
hostName = "roundcubeplaceholder.example.com";
|
||||
|
||||
database = {
|
||||
host = "postgres.pvv.ntnu.no";
|
||||
@@ -49,9 +49,44 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
# TODO: move this back to `webmail.pvv.ntnu.no/roundcube` subpath
|
||||
services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
|
||||
|
||||
services.nginx.virtualHosts.${domain} = {
|
||||
kTLS = true;
|
||||
locations."/roundcube" = {
|
||||
tryFiles = "$uri $uri/ =404";
|
||||
index = "index.php";
|
||||
root = pkgs.runCommandLocal "roundcube-dir" { } ''
|
||||
mkdir -p $out
|
||||
ln -s ${cfg.package} $out/roundcube
|
||||
'';
|
||||
extraConfig = ''
|
||||
location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
|
||||
# https://wiki.archlinux.org/title/Roundcube
|
||||
"README"
|
||||
"INSTALL"
|
||||
"LICENSE"
|
||||
"CHANGELOG"
|
||||
"UPGRADING"
|
||||
"bin"
|
||||
"SQL"
|
||||
".+\\.md"
|
||||
"\\."
|
||||
"config"
|
||||
"temp"
|
||||
"logs"
|
||||
]})/? {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location ~ ^/roundcube/(.+\.php)(/?.*)$ {
|
||||
fastcgi_split_path_info ^/roundcube(/.+\.php)(/.+)$;
|
||||
include ${config.services.nginx.package}/conf/fastcgi_params;
|
||||
include ${config.services.nginx.package}/conf/fastcgi.conf;
|
||||
fastcgi_index index.php;
|
||||
fastcgi_pass unix:${config.services.phpfpm.pools.roundcube.socket};
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -119,7 +119,6 @@ in {
|
||||
services.nginx.virtualHosts."pvv.ntnu.no" = {
|
||||
globalRedirect = cfg.domainName;
|
||||
redirectCode = 307;
|
||||
kTLS = true;
|
||||
forceSSL = true;
|
||||
useACMEHost = "www.pvv.ntnu.no";
|
||||
};
|
||||
@@ -127,7 +126,6 @@ in {
|
||||
services.nginx.virtualHosts."www.pvv.org" = {
|
||||
globalRedirect = cfg.domainName;
|
||||
redirectCode = 307;
|
||||
kTLS = true;
|
||||
forceSSL = true;
|
||||
useACMEHost = "www.pvv.ntnu.no";
|
||||
};
|
||||
@@ -135,13 +133,11 @@ in {
|
||||
services.nginx.virtualHosts."pvv.org" = {
|
||||
globalRedirect = cfg.domainName;
|
||||
redirectCode = 307;
|
||||
kTLS = true;
|
||||
forceSSL = true;
|
||||
useACMEHost = "www.pvv.ntnu.no";
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts.${cfg.domainName} = {
|
||||
kTLS = true;
|
||||
locations = {
|
||||
# Proxy home directories
|
||||
"^~ /~" = {
|
||||
|
||||
@@ -37,56 +37,47 @@ in {
|
||||
};
|
||||
|
||||
systemd.services.pvv-nettsiden-gallery-update = {
|
||||
path = with pkgs; [ imagemagick gnutar gzip ];
|
||||
|
||||
script = ''
|
||||
tar ${lib.cli.toCommandLineShellGNU { } {
|
||||
extract = true;
|
||||
file = "${transferDir}/gallery.tar.gz";
|
||||
directory = ".";
|
||||
}}
|
||||
|
||||
# Delete files and directories that exists in the gallery that don't exist in the tarball
|
||||
filesToRemove=$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))
|
||||
while IFS= read -r fname; do
|
||||
rm -f "$fname" ||:
|
||||
rm -f ".thumbnails/$fname.png" ||:
|
||||
done <<< "$filesToRemove"
|
||||
|
||||
find . -type d -empty -delete
|
||||
|
||||
mkdir -p .thumbnails
|
||||
images=$(find . -type f -not -path './.thumbnails*')
|
||||
|
||||
while IFS= read -r fname; do
|
||||
# Skip this file if an up-to-date thumbnail already exists
|
||||
if [ -f ".thumbnails/$fname.png" ] && \
|
||||
[ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
|
||||
then
|
||||
continue
|
||||
fi
|
||||
|
||||
echo "Creating thumbnail for $fname"
|
||||
mkdir -p "$(dirname ".thumbnails/$fname")"
|
||||
magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
|
||||
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
|
||||
done <<< "$images"
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
WorkingDirectory = galleryDir;
|
||||
User = config.services.pvv-nettsiden.user;
|
||||
Group = config.services.pvv-nettsiden.group;
|
||||
|
||||
ExecStart = lib.getExe (pkgs.writeShellApplication {
|
||||
name = "pvv-nettsiden-gallery-update-exec-start.sh";
|
||||
runtimeInputs = with pkgs; [
|
||||
coreutils
|
||||
findutils
|
||||
gnused
|
||||
gnutar
|
||||
gzip
|
||||
imagemagick
|
||||
];
|
||||
text = ''
|
||||
tar ${lib.cli.toCommandLineShellGNU { } {
|
||||
extract = true;
|
||||
file = "${transferDir}/gallery.tar.gz";
|
||||
directory = ".";
|
||||
}}
|
||||
|
||||
# Delete files and directories that exists in the gallery that don't exist in the tarball
|
||||
filesToRemove="$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))"
|
||||
while IFS= read -r fname; do
|
||||
rm -f "$fname" ||:
|
||||
rm -f ".thumbnails/$fname.png" ||:
|
||||
done <<< "$filesToRemove"
|
||||
|
||||
find . -type d -empty -delete
|
||||
|
||||
mkdir -p .thumbnails
|
||||
images="$(find . -type f -not -path './.thumbnails*')"
|
||||
|
||||
while IFS= read -r fname; do
|
||||
# Skip this file if an up-to-date thumbnail already exists
|
||||
if [ -f ".thumbnails/$fname.png" ] && \
|
||||
[ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
|
||||
then
|
||||
continue
|
||||
fi
|
||||
|
||||
echo "Creating thumbnail for $fname"
|
||||
mkdir -p "$(dirname ".thumbnails/$fname")"
|
||||
magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
|
||||
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
|
||||
done <<< "$images"
|
||||
'';
|
||||
});
|
||||
|
||||
AmbientCapabilities = [ "" ];
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
DeviceAllow = [ "" ];
|
||||
|
||||
@@ -83,7 +83,6 @@ in
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
|
||||
kTLS = true;
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
||||
|
||||
@@ -22,7 +22,6 @@ in
|
||||
sops.templates."hookshot-registration.yaml" = {
|
||||
owner = config.users.users.matrix-synapse.name;
|
||||
group = config.users.groups.keys-matrix-registrations.name;
|
||||
mode = "0440";
|
||||
restartUnits = [ "matrix-hookshot.service" ];
|
||||
content = ''
|
||||
id: matrix-hookshot
|
||||
@@ -50,59 +49,12 @@ in
|
||||
|
||||
systemd.services.matrix-hookshot = {
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
SupplementaryGroups = [
|
||||
config.users.groups.keys-matrix-registrations.name
|
||||
];
|
||||
LoadCredential = [
|
||||
"passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
|
||||
];
|
||||
|
||||
RuntimeDirectory = [ "matrix-hookshot/root-mnt" ];
|
||||
RootDirectory = "/run/matrix-hookshot/root-mnt";
|
||||
BindReadOnlyPaths = [
|
||||
config.sops.templates."hookshot-registration.yaml".path
|
||||
builtins.storeDir
|
||||
"/etc"
|
||||
"/run/nscd"
|
||||
"/var/run/nscd"
|
||||
];
|
||||
|
||||
AmbientCapabilities = "";
|
||||
CapabilityBoundingSet = "";
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = false; # node needs this
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProcSubset = "pid";
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ProtectSystem = "strict";
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
"AF_UNIX"
|
||||
];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
"~@resources"
|
||||
];
|
||||
UMask = "0077";
|
||||
};
|
||||
};
|
||||
|
||||
@@ -194,7 +146,6 @@ in
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
|
||||
kTLS = true;
|
||||
enableACME = true;
|
||||
addSSL = true;
|
||||
locations."/" = {
|
||||
|
||||
@@ -54,53 +54,4 @@
|
||||
# TODO: Fix upstream module in nixpkgs
|
||||
pantalaimon.username = "bot_admin";
|
||||
};
|
||||
|
||||
systemd.services.mjolnir.serviceConfig = {
|
||||
DynamicUser = true;
|
||||
RuntimeDirectory = [ "mjolnir/root-mnt" ];
|
||||
RootDirectory = "/run/mjolnir/root-mnt";
|
||||
BindReadOnlyPaths = [
|
||||
config.sops.secrets."matrix/mjolnir/access_token".path
|
||||
builtins.storeDir
|
||||
"/etc"
|
||||
"/run/nscd"
|
||||
"/var/run/nscd"
|
||||
];
|
||||
|
||||
AmbientCapabilities = "";
|
||||
CapabilityBoundingSet = "";
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = false; # node needs this
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProcSubset = "pid";
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ProtectSystem = "strict";
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
"AF_UNIX"
|
||||
];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
"~@resources"
|
||||
];
|
||||
UMask = "0077";
|
||||
};
|
||||
}
|
||||
|
||||
@@ -56,55 +56,6 @@ in
|
||||
enableSynapseIntegration = false;
|
||||
};
|
||||
|
||||
systemd.services."matrix-ooye" = {
|
||||
serviceConfig = {
|
||||
RuntimeDirectory = [ "matrix-ooye/root-mnt" ];
|
||||
RootDirectory = "/run/matrix-ooye/root-mnt";
|
||||
BindReadOnlyPaths = [
|
||||
builtins.storeDir
|
||||
"/etc"
|
||||
"/run/nscd"
|
||||
"/var/run/nscd"
|
||||
];
|
||||
|
||||
AmbientCapabilities = "";
|
||||
CapabilityBoundingSet = "";
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = false; # node needs this
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProcSubset = "pid";
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ProtectSystem = "strict";
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
"AF_UNIX"
|
||||
];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
"~@resources"
|
||||
];
|
||||
UMask = "0077";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services."matrix-synapse" = {
|
||||
after = [
|
||||
"matrix-ooye-pre-start.service"
|
||||
@@ -129,7 +80,6 @@ in
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."ooye.pvv.ntnu.no" = {
|
||||
kTLS = true;
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".proxyPass = "http://localhost:${cfg.socket}";
|
||||
|
||||
@@ -23,28 +23,27 @@ in
|
||||
};
|
||||
|
||||
systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable {
|
||||
serviceConfig = {
|
||||
LoadCredential = [
|
||||
"sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
|
||||
];
|
||||
ExecStartPre = let
|
||||
knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
|
||||
innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
|
||||
innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U=
|
||||
innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
|
||||
'';
|
||||
rsyncArgs = lib.cli.toCommandLineShellGNU { } {
|
||||
archive = true;
|
||||
verbose = true;
|
||||
progress = true;
|
||||
no-owner = true;
|
||||
no-group = true;
|
||||
};
|
||||
sshCommand = ''${pkgs.openssh}/bin/ssh -o UserKnownHostsFile='${knownHostsFile}' -i \"$CREDENTIALS_DIRECTORY\"/sshkey'';
|
||||
in [
|
||||
"${lib.getExe' pkgs.coreutils "mkdir"} -p '${cfg.minecraftLogsDir}'"
|
||||
"${lib.getExe pkgs.rsync} ${rsyncArgs} --rsh=\"${sshCommand}\" root@innovation.pvv.ntnu.no:/ '${cfg.minecraftLogsDir}'/"
|
||||
];
|
||||
};
|
||||
serviceConfig.LoadCredential = [
|
||||
"sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
|
||||
];
|
||||
|
||||
preStart = let
|
||||
knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
|
||||
innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
|
||||
innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U=
|
||||
innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
|
||||
'';
|
||||
in ''
|
||||
mkdir -p '${cfg.minecraftLogsDir}'
|
||||
"${lib.getExe pkgs.rsync}" \
|
||||
--archive \
|
||||
--verbose \
|
||||
--progress \
|
||||
--no-owner \
|
||||
--no-group \
|
||||
--rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
|
||||
root@innovation.pvv.ntnu.no:/ \
|
||||
'${cfg.minecraftLogsDir}'/
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
||||
@@ -23,9 +23,6 @@ in
|
||||
bind-address = values.services.mysql.ipv4;
|
||||
skip-networking = 0;
|
||||
|
||||
# Useful for the mysqld prometheus exporter
|
||||
userstat = 1;
|
||||
|
||||
# This was needed in order to be able to use all of the old users
|
||||
# during migration from knakelibrak to bicep in Sep. 2023
|
||||
secure_auth = 0;
|
||||
@@ -74,16 +71,4 @@ in
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.logrotate = lib.mkIf (cfg.settings.mysqld.slow-query-log == 1) {
|
||||
enable = true;
|
||||
settings.mysql-slowlog = {
|
||||
files = [ cfg.settings.mysqld.slow-query-log-file ];
|
||||
frequency = "weekly";
|
||||
rotate = 12;
|
||||
create = "0660 mysql mysql";
|
||||
minsize = "1M";
|
||||
compress = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
./grafana.nix
|
||||
./loki.nix
|
||||
./prometheus
|
||||
./scrutiny.nix
|
||||
./uptime-kuma.nix
|
||||
];
|
||||
}
|
||||
|
||||
@@ -1,12 +1,14 @@
|
||||
{ ... }:
|
||||
{
|
||||
services.prometheus.scrapeConfigs = [{
|
||||
job_name = "exim";
|
||||
scrape_interval = "15s";
|
||||
scheme = "http";
|
||||
|
||||
static_configs = [{
|
||||
targets = [ "microbel.pvv.ntnu.no:9636" ];
|
||||
}];
|
||||
}];
|
||||
services.prometheus = {
|
||||
scrapeConfigs = [
|
||||
{
|
||||
job_name = "exim";
|
||||
scrape_interval = "15s";
|
||||
static_configs = [{
|
||||
targets = [ "microbel.pvv.ntnu.no:9636" ];
|
||||
}];
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
|
||||
@@ -1,40 +0,0 @@
|
||||
{ config, values, ... }:
|
||||
let
|
||||
cfg = config.services.scrutiny;
|
||||
in
|
||||
{
|
||||
services.scrutiny = {
|
||||
enable = true;
|
||||
settings = {
|
||||
web.listen = {
|
||||
host = "127.0.0.1";
|
||||
port = 18293;
|
||||
basepath = "";
|
||||
};
|
||||
|
||||
# notify.urls = [
|
||||
# "matrix://username:password@host:port/[?rooms=!roomID1[,roomAlias2]]"
|
||||
# ];
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."scrutiny.pvv.ntnu.no" = {
|
||||
kTLS = true;
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://${cfg.settings.web.listen.host}:${toString cfg.settings.web.listen.port}";
|
||||
};
|
||||
|
||||
# TODO: allow website access to the outside world, but restrict input api
|
||||
extraConfig = ''
|
||||
allow ${values.hosts.ildkule.ipv4}/32;
|
||||
allow ${values.hosts.ildkule.ipv6}/128;
|
||||
allow 127.0.0.1/32;
|
||||
allow ::1/128;
|
||||
allow ${values.ipv4-space};
|
||||
allow ${values.ipv6-space};
|
||||
deny all;
|
||||
'';
|
||||
};
|
||||
}
|
||||
@@ -1,4 +1,4 @@
|
||||
{ config, pkgs, lib, values, ... }:
|
||||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
cfg = config.services.uptime-kuma;
|
||||
domain = "status.pvv.ntnu.no";
|
||||
@@ -24,21 +24,4 @@ in {
|
||||
fsType = "bind";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
|
||||
services.rsync-pull-targets = {
|
||||
enable = true;
|
||||
locations.${stateDir} = {
|
||||
user = "root";
|
||||
rrsyncArgs.ro = true;
|
||||
authorizedKeysAttrs = [
|
||||
"restrict"
|
||||
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
|
||||
"no-agent-forwarding"
|
||||
"no-port-forwarding"
|
||||
"no-pty"
|
||||
"no-X11-forwarding"
|
||||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJXzcDm6cVr4NmWzUSroy33FlielKqaG83wY0RCMC0p/ uptime_kuma rsync backup";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -72,52 +72,50 @@ in
|
||||
Type = "oneshot";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
PrivateNetwork = true;
|
||||
|
||||
ExecStart = let
|
||||
logo-svg = fp /assets/logo_blue_regular.svg;
|
||||
logo-png = fp /assets/logo_blue_regular.png;
|
||||
|
||||
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
|
||||
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
|
||||
'';
|
||||
|
||||
extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
|
||||
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
|
||||
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
|
||||
<a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
|
||||
'';
|
||||
|
||||
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
|
||||
labels = lib.importJSON ./labels/projects.json;
|
||||
};
|
||||
|
||||
customTemplates = pkgs.runCommandLocal "gitea-templates" {
|
||||
nativeBuildInputs = with pkgs; [
|
||||
coreutils
|
||||
gnused
|
||||
];
|
||||
} ''
|
||||
# Bigger icons
|
||||
install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl"
|
||||
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
|
||||
'';
|
||||
install = lib.getExe' pkgs.coreutils "install";
|
||||
in [
|
||||
"${install} -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'"
|
||||
"${install} -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'"
|
||||
"${install} -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'"
|
||||
"${install} -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'"
|
||||
"${install} -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'"
|
||||
"${install} -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'"
|
||||
|
||||
"${install} -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'"
|
||||
"${install} -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'"
|
||||
"${install} -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'"
|
||||
"${install} -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'"
|
||||
|
||||
"${lib.getExe pkgs.rsync} -a '${customTemplates}/' '${cfg.customDir}/templates/'"
|
||||
];
|
||||
};
|
||||
|
||||
script = let
|
||||
logo-svg = fp /assets/logo_blue_regular.svg;
|
||||
logo-png = fp /assets/logo_blue_regular.png;
|
||||
|
||||
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
|
||||
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
|
||||
'';
|
||||
|
||||
extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
|
||||
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
|
||||
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
|
||||
<a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
|
||||
'';
|
||||
|
||||
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
|
||||
labels = lib.importJSON ./labels/projects.json;
|
||||
};
|
||||
|
||||
customTemplates = pkgs.runCommandLocal "gitea-templates" {
|
||||
nativeBuildInputs = with pkgs; [
|
||||
coreutils
|
||||
gnused
|
||||
];
|
||||
} ''
|
||||
# Bigger icons
|
||||
install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl"
|
||||
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
|
||||
'';
|
||||
in ''
|
||||
install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'
|
||||
install -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'
|
||||
install -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'
|
||||
install -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'
|
||||
install -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'
|
||||
install -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'
|
||||
|
||||
install -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'
|
||||
install -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'
|
||||
install -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'
|
||||
install -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'
|
||||
|
||||
'${lib.getExe pkgs.rsync}' -a '${customTemplates}/' '${cfg.customDir}/templates/'
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
||||
@@ -139,9 +139,6 @@ in {
|
||||
AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
|
||||
};
|
||||
actions.ENABLED = true;
|
||||
webhook.ALLOWED_HOST_LIST = lib.concatStringsSep "," [
|
||||
"external"
|
||||
];
|
||||
};
|
||||
|
||||
dump = {
|
||||
|
||||
@@ -38,11 +38,11 @@ in
|
||||
Type = "oneshot";
|
||||
User = cfg.user;
|
||||
PrivateNetwork = true;
|
||||
ExecStart = [
|
||||
"${lib.getExe pkgs.gnupg} --import '${config.sops.secrets."gitea/gpg-signing-key-public".path}'"
|
||||
"${lib.getExe pkgs.gnupg} --import '${config.sops.secrets."gitea/gpg-signing-key-private".path}'"
|
||||
];
|
||||
};
|
||||
script = ''
|
||||
${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-public".path}
|
||||
${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-private".path}
|
||||
'';
|
||||
};
|
||||
|
||||
services.gitea.settings."repository.signing" = {
|
||||
@@ -50,8 +50,6 @@ in
|
||||
SIGNING_NAME = "PVV Git";
|
||||
SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
|
||||
INITIAL_COMMIT = "always";
|
||||
MERGES = lib.concatStringsSep "," [ "always" ];
|
||||
CRUD_ACTIONS = lib.concatStringsSep "," [ "always" ];
|
||||
WIKI = "always";
|
||||
};
|
||||
}
|
||||
|
||||
@@ -11,9 +11,9 @@ in
|
||||
|
||||
systemd.services.gitea-import-users = lib.mkIf cfg.enable {
|
||||
enable = true;
|
||||
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
|
||||
environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
|
||||
serviceConfig = {
|
||||
ExecStartPre = ''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
|
||||
ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
|
||||
flakeIgnore = [
|
||||
"E501" # Line over 80 chars lol
|
||||
|
||||
@@ -9,12 +9,6 @@
|
||||
|
||||
sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
|
||||
|
||||
boot.binfmt.emulatedSystems = [
|
||||
"aarch64-linux"
|
||||
"armv7l-linux"
|
||||
"i686-linux"
|
||||
];
|
||||
|
||||
systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
|
||||
matchConfig.Name = "enp0s31f6";
|
||||
address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
||||
@@ -24,6 +18,9 @@
|
||||
anyInterface = true;
|
||||
};
|
||||
|
||||
# There are no smart devices
|
||||
services.smartd.enable = false;
|
||||
|
||||
# Don't change (even during upgrades) unless you know what you are doing.
|
||||
# See https://search.nixos.org/options?show=system.stateVersion
|
||||
system.stateVersion = "25.05";
|
||||
|
||||
@@ -28,52 +28,26 @@
|
||||
|
||||
sops.secrets = {
|
||||
"dibbler/postgresql/password" = {
|
||||
owner = "drumknotty";
|
||||
group = "drumknotty";
|
||||
};
|
||||
"worblehat/postgresql/password" = {
|
||||
owner = "drumknotty";
|
||||
group = "drumknotty";
|
||||
owner = "dibbler";
|
||||
group = "dibbler";
|
||||
};
|
||||
};
|
||||
|
||||
services.drumknotty = {
|
||||
services.dibbler = {
|
||||
enable = true;
|
||||
kioskMode = true;
|
||||
limitScreenWidth = 80;
|
||||
limitScreenHeight = 42;
|
||||
|
||||
screen = {
|
||||
limitWidth = 80;
|
||||
limitHeight = 42;
|
||||
};
|
||||
|
||||
dibbler = {
|
||||
enable = true;
|
||||
settings = {
|
||||
general.quit_allowed = false;
|
||||
database = {
|
||||
type = "postgresql";
|
||||
postgresql = {
|
||||
username = "pvv_vv";
|
||||
dbname = "pvv_vv";
|
||||
host = "postgres.pvv.ntnu.no";
|
||||
password_file = config.sops.secrets."dibbler/postgresql/password".path;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
worblehat = {
|
||||
enable = true;
|
||||
settings = {
|
||||
general.quit_allowed = false;
|
||||
database = {
|
||||
type = "postgresql";
|
||||
postgresql = {
|
||||
username = "worblehat";
|
||||
dbname = "worblehat";
|
||||
host = "postgres.pvv.ntnu.no";
|
||||
password = config.sops.secrets."worblehat/postgresql/password".path;
|
||||
};
|
||||
settings = {
|
||||
general.quit_allowed = false;
|
||||
database = {
|
||||
type = "postgresql";
|
||||
postgresql = {
|
||||
username = "pvv_vv";
|
||||
dbname = "pvv_vv";
|
||||
host = "postgres.pvv.ntnu.no";
|
||||
password_file = config.sops.secrets."dibbler/postgresql/password".path;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
target
|
||||
@@ -0,0 +1,171 @@
|
||||
# This file is automatically @generated by Cargo.
|
||||
# It is not intended for manual editing.
|
||||
version = 4
|
||||
|
||||
[[package]]
|
||||
name = "apache-log-processor"
|
||||
version = "0.1.0"
|
||||
dependencies = [
|
||||
"nix",
|
||||
"time",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "bitflags"
|
||||
version = "2.11.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "c4512299f36f043ab09a583e57bceb5a5aab7a73db1805848e8fef3c9e8c78b3"
|
||||
|
||||
[[package]]
|
||||
name = "cfg-if"
|
||||
version = "1.0.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
|
||||
|
||||
[[package]]
|
||||
name = "cfg_aliases"
|
||||
version = "0.2.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
|
||||
|
||||
[[package]]
|
||||
name = "deranged"
|
||||
version = "0.5.8"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c"
|
||||
dependencies = [
|
||||
"powerfmt",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "itoa"
|
||||
version = "1.0.18"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
|
||||
|
||||
[[package]]
|
||||
name = "libc"
|
||||
version = "0.2.186"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "68ab91017fe16c622486840e4c83c9a37afeff978bd239b5293d61ece587de66"
|
||||
|
||||
[[package]]
|
||||
name = "nix"
|
||||
version = "0.31.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "cf20d2fde8ff38632c426f1165ed7436270b44f199fc55284c38276f9db47c3d"
|
||||
dependencies = [
|
||||
"bitflags",
|
||||
"cfg-if",
|
||||
"cfg_aliases",
|
||||
"libc",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "num-conv"
|
||||
version = "0.2.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "521739c6d2bac4aa25192232afe6841231376b2b26d4d9fae5ecf8ca5772e441"
|
||||
|
||||
[[package]]
|
||||
name = "num_threads"
|
||||
version = "0.1.7"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "5c7398b9c8b70908f6371f47ed36737907c87c52af34c268fed0bf0ceb92ead9"
|
||||
dependencies = [
|
||||
"libc",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "powerfmt"
|
||||
version = "0.2.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
|
||||
|
||||
[[package]]
|
||||
name = "proc-macro2"
|
||||
version = "1.0.106"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934"
|
||||
dependencies = [
|
||||
"unicode-ident",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "quote"
|
||||
version = "1.0.45"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
|
||||
dependencies = [
|
||||
"proc-macro2",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "serde_core"
|
||||
version = "1.0.228"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
|
||||
dependencies = [
|
||||
"serde_derive",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "serde_derive"
|
||||
version = "1.0.228"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
|
||||
dependencies = [
|
||||
"proc-macro2",
|
||||
"quote",
|
||||
"syn",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "syn"
|
||||
version = "2.0.117"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
|
||||
dependencies = [
|
||||
"proc-macro2",
|
||||
"quote",
|
||||
"unicode-ident",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "time"
|
||||
version = "0.3.47"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c"
|
||||
dependencies = [
|
||||
"deranged",
|
||||
"itoa",
|
||||
"libc",
|
||||
"num-conv",
|
||||
"num_threads",
|
||||
"powerfmt",
|
||||
"serde_core",
|
||||
"time-core",
|
||||
"time-macros",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "time-core"
|
||||
version = "0.1.8"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"
|
||||
|
||||
[[package]]
|
||||
name = "time-macros"
|
||||
version = "0.2.27"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215"
|
||||
dependencies = [
|
||||
"num-conv",
|
||||
"time-core",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "unicode-ident"
|
||||
version = "1.0.24"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
|
||||
@@ -0,0 +1,19 @@
|
||||
[package]
|
||||
name = "apache-log-processor"
|
||||
version = "0.1.0"
|
||||
edition = "2024"
|
||||
autobins = false
|
||||
license = "MIT"
|
||||
authors = [
|
||||
"projects@pvv.ntnu.no",
|
||||
]
|
||||
|
||||
[dependencies]
|
||||
nix = { version = "0.31.3", features = ["event", "fs", "user"] }
|
||||
time = { version = "0.3.47", features = ["formatting", "local-offset"] }
|
||||
|
||||
|
||||
[[bin]]
|
||||
name = "apache-log-processor"
|
||||
bench = false
|
||||
path = "src/main.rs"
|
||||
@@ -0,0 +1,33 @@
|
||||
{
|
||||
lib
|
||||
, rustPlatform
|
||||
, stdenv
|
||||
}:
|
||||
let
|
||||
cargoToml = fromTOML (builtins.readFile ./Cargo.toml);
|
||||
cargoLock = ./Cargo.lock;
|
||||
mainProgram = (lib.head cargoToml.bin).name;
|
||||
pname = cargoToml.package.name;
|
||||
in
|
||||
rustPlatform.buildRustPackage {
|
||||
inherit pname;
|
||||
inherit (cargoToml.package) version;
|
||||
src = lib.fileset.toSource {
|
||||
root = ./.;
|
||||
fileset = lib.fileset.unions [
|
||||
./Cargo.toml
|
||||
./Cargo.lock
|
||||
./src
|
||||
];
|
||||
};
|
||||
|
||||
cargoLock.lockFile = cargoLock;
|
||||
|
||||
doCheck = true;
|
||||
|
||||
meta = with lib; {
|
||||
license = licenses.mit;
|
||||
platforms = platforms.linux;
|
||||
inherit mainProgram;
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,322 @@
|
||||
use nix::{
|
||||
errno::Errno,
|
||||
fcntl::{FcntlArg, OFlag, fcntl, open},
|
||||
sys::{
|
||||
epoll::{Epoll, EpollCreateFlags, EpollEvent, EpollFlags, EpollTimeout},
|
||||
stat::Mode,
|
||||
},
|
||||
// unistd::{User, getegid, geteuid, read, setegid, seteuid, write},
|
||||
unistd::{User, read, write},
|
||||
};
|
||||
use std::{
|
||||
collections::VecDeque,
|
||||
os::fd::{AsFd, BorrowedFd, OwnedFd},
|
||||
path::PathBuf,
|
||||
process::exit,
|
||||
};
|
||||
use time::{OffsetDateTime, format_description};
|
||||
|
||||
const READ_BUFFER_SIZE: usize = 8 * 1024;
|
||||
|
||||
#[derive(Debug, Clone, Copy)]
|
||||
enum LogMode {
|
||||
Access,
|
||||
Error,
|
||||
}
|
||||
|
||||
fn main() -> Result<(), String> {
|
||||
let log_mode = match std::env::args().nth(1).as_deref() {
|
||||
Some("access") => LogMode::Access,
|
||||
Some("error") => LogMode::Error,
|
||||
Some(other) => {
|
||||
return Err(format!(
|
||||
"invalid log mode `{other}`; expected `access` or `error`"
|
||||
));
|
||||
}
|
||||
None => return Err("missing log mode argument; expected `access` or `error`".to_string()),
|
||||
};
|
||||
|
||||
let tee_file = match log_mode {
|
||||
LogMode::Access => None,
|
||||
LogMode::Error => Some(
|
||||
open(
|
||||
&PathBuf::from("/var/log/httpd/error.log"),
|
||||
OFlag::O_WRONLY | OFlag::O_APPEND | OFlag::O_CREAT | OFlag::O_CLOEXEC,
|
||||
Mode::S_IRUSR | Mode::S_IWUSR,
|
||||
)
|
||||
.map_err(|error| format!("failed to open error log for teeing: {error}"))?,
|
||||
),
|
||||
};
|
||||
|
||||
let stdin = std::io::stdin();
|
||||
|
||||
fcntl(stdin.as_fd(), FcntlArg::F_GETFL)
|
||||
.map(OFlag::from_bits_retain)
|
||||
.map(|flags| FcntlArg::F_SETFL(flags | OFlag::O_NONBLOCK))
|
||||
.and_then(|flags| fcntl(stdin.as_fd(), flags))
|
||||
.map_err(|error| format!("failed to make stdin nonblocking: {error}"))?;
|
||||
|
||||
let epoll = Epoll::new(EpollCreateFlags::EPOLL_CLOEXEC)
|
||||
.map_err(|error| format!("failed to create epoll instance: {error}"))?;
|
||||
|
||||
epoll
|
||||
.add(
|
||||
stdin.as_fd(),
|
||||
EpollEvent::new(
|
||||
EpollFlags::EPOLLIN | EpollFlags::EPOLLERR | EpollFlags::EPOLLHUP,
|
||||
0,
|
||||
),
|
||||
)
|
||||
.map_err(|error| format!("failed to register stdin with epoll: {error}"))?;
|
||||
|
||||
if let Err(error) = event_loop(log_mode, epoll, stdin.as_fd(), tee_file) {
|
||||
eprintln!("Error: {error}");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn event_loop(
|
||||
log_mode: LogMode,
|
||||
epoll: Epoll,
|
||||
stdin_fd: BorrowedFd<'_>,
|
||||
mut tee_file: Option<OwnedFd>,
|
||||
) -> Result<(), String> {
|
||||
let mut events = [EpollEvent::empty(); 1];
|
||||
let mut pending = VecDeque::new();
|
||||
|
||||
loop {
|
||||
let ready = loop {
|
||||
match epoll.wait(&mut events, EpollTimeout::NONE) {
|
||||
Ok(ready) => break ready,
|
||||
Err(Errno::EINTR) => continue,
|
||||
Err(error) => {
|
||||
return Err(format!("epoll wait failed: {error}"));
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
if ready == 0 {
|
||||
continue;
|
||||
}
|
||||
|
||||
let mut scratch = [0u8; READ_BUFFER_SIZE];
|
||||
|
||||
let eof = loop {
|
||||
match read(stdin_fd, &mut scratch) {
|
||||
Ok(0) => break true,
|
||||
Ok(read_bytes) => pending.extend(scratch[..read_bytes].iter().copied()),
|
||||
Err(Errno::EINTR) => continue,
|
||||
Err(Errno::EAGAIN) => break false,
|
||||
Err(error) => {
|
||||
return Err(format!("failed to read from stdin: {error}"));
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
while let Some(newline_index) = pending.iter().position(|byte| *byte == b'\n') {
|
||||
let line = pending.make_contiguous();
|
||||
process_line(log_mode, &line[..=newline_index], &mut tee_file)?;
|
||||
pending.drain(..=newline_index);
|
||||
}
|
||||
|
||||
if eof {
|
||||
if !pending.is_empty() {
|
||||
process_line(log_mode, pending.make_contiguous(), &mut tee_file)?;
|
||||
pending.clear();
|
||||
}
|
||||
return Ok(());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
fn process_line(
|
||||
log_mode: LogMode,
|
||||
line: &[u8],
|
||||
tee_file: &mut Option<OwnedFd>,
|
||||
) -> Result<(), String> {
|
||||
if let Some(tee_file) = tee_file.as_ref() {
|
||||
write_all_fd(tee_file, line).map_err(|error| {
|
||||
format!("failed to append to APACHE_LOG_PROCESSOR_TEE_FILE: {error}")
|
||||
})?;
|
||||
}
|
||||
|
||||
if let Some(user) =
|
||||
parse_username_from_line(line).and_then(|name| User::from_name(name).ok().flatten())
|
||||
{
|
||||
// let identity = EffectiveIdentity::switch_to(&user).map_err(|error| {
|
||||
// format!(
|
||||
// "failed to switch effective identity to {} (uid {}, gid {}): {error}",
|
||||
// user.name, user.uid, user.gid
|
||||
// )
|
||||
// })?;
|
||||
|
||||
let result: Result<(), String> = (|| {
|
||||
let dir = user.dir.join("nobackup/weblogs");
|
||||
|
||||
if !dir.is_dir() {
|
||||
return Err(format!(
|
||||
"logs directory {} does not exist for user {}",
|
||||
dir.display(),
|
||||
user.name
|
||||
));
|
||||
}
|
||||
|
||||
let now = OffsetDateTime::now_local()
|
||||
.unwrap_or_else(|_| OffsetDateTime::now_utc())
|
||||
.format(&format_description::parse("[year]-[month]-[day]").unwrap())
|
||||
.map_err(|error| {
|
||||
format!("failed to format current date for log file name: {error}")
|
||||
})?;
|
||||
|
||||
let logfile = dir.join(match log_mode {
|
||||
LogMode::Access => format!("access-{now}.log"),
|
||||
LogMode::Error => format!("error-{now}.log"),
|
||||
});
|
||||
|
||||
let fd = open(
|
||||
&logfile,
|
||||
OFlag::O_WRONLY | OFlag::O_APPEND | OFlag::O_CREAT | OFlag::O_CLOEXEC,
|
||||
Mode::S_IRUSR
|
||||
| Mode::S_IWUSR
|
||||
| Mode::S_IRGRP
|
||||
| Mode::S_IROTH
|
||||
| Mode::S_IWGRP
|
||||
| Mode::S_IWOTH,
|
||||
)
|
||||
.map_err(|error| format!("failed to open log file for user {}: {error}", user.name))?;
|
||||
|
||||
write_all_fd(fd.as_fd(), line).map_err(|error| {
|
||||
format!(
|
||||
"failed to append to log file for user {}: {error}",
|
||||
user.name
|
||||
)
|
||||
})?;
|
||||
|
||||
Ok(())
|
||||
})();
|
||||
|
||||
if let Err(error) = result {
|
||||
eprintln!("Error processing log line for user {}: {error}", user.name);
|
||||
}
|
||||
|
||||
// identity.restore().map_err(|error| {
|
||||
// format!(
|
||||
// "failed to restore original effective identity after handling {}: {error}",
|
||||
// user.name
|
||||
// )
|
||||
// })?;
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn parse_username_from_line(line: &[u8]) -> Option<&str> {
|
||||
line.splitn(8, |&b| b == b' ')
|
||||
.nth(6)
|
||||
.and_then(|path| {
|
||||
path.strip_prefix(b"/~")
|
||||
.and_then(|rest| rest.split(|&b| b == b'/').next())
|
||||
})
|
||||
.or_else(|| {
|
||||
line.windows(b"/home/pvv/".len())
|
||||
.enumerate()
|
||||
.find_map(|(start, window)| {
|
||||
(window == b"/home/pvv/")
|
||||
.then_some(start + b"/home/pvv/".len())
|
||||
.and_then(|start| line.get(start..))
|
||||
.filter(|rest| rest.get(1) == Some(&b'/'))
|
||||
.and_then(|rest| rest.get(2..))
|
||||
.and_then(|rest| rest.split(|&b| b == b'/').next())
|
||||
})
|
||||
})
|
||||
.filter(|segment| !segment.is_empty())
|
||||
.and_then(|segment| std::str::from_utf8(segment).ok())
|
||||
}
|
||||
|
||||
fn write_all_fd<Fd: AsFd>(fd: Fd, mut buffer: &[u8]) -> nix::Result<()> {
|
||||
while !buffer.is_empty() {
|
||||
match write(fd.as_fd(), buffer) {
|
||||
Ok(0) => return Err(Errno::EIO),
|
||||
Ok(written) => buffer = &buffer[written..],
|
||||
Err(Errno::EINTR) => continue,
|
||||
Err(error) => return Err(error),
|
||||
}
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
// struct EffectiveIdentity {
|
||||
// saved_euid: nix::unistd::Uid,
|
||||
// saved_egid: nix::unistd::Gid,
|
||||
// restored: bool,
|
||||
// }
|
||||
|
||||
// impl EffectiveIdentity {
|
||||
// fn switch_to(user: &User) -> nix::Result<Self> {
|
||||
// let guard = Self {
|
||||
// saved_euid: geteuid(),
|
||||
// saved_egid: getegid(),
|
||||
// restored: false,
|
||||
// };
|
||||
|
||||
// setegid(user.gid)?;
|
||||
// if let Err(error) = seteuid(user.uid) {
|
||||
// let _ = setegid(guard.saved_egid);
|
||||
// return Err(error);
|
||||
// }
|
||||
|
||||
// Ok(guard)
|
||||
// }
|
||||
|
||||
// fn restore(mut self) -> nix::Result<()> {
|
||||
// let restore_uid = seteuid(self.saved_euid);
|
||||
// let restore_gid = setegid(self.saved_egid);
|
||||
// self.restored = true;
|
||||
|
||||
// restore_uid?;
|
||||
// restore_gid?;
|
||||
// Ok(())
|
||||
// }
|
||||
// }
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use super::*;
|
||||
|
||||
#[test]
|
||||
fn test_parse_user_from_access_log() {
|
||||
let inputs = [(
|
||||
"1.2.3.4 - - [25/May/2026:10:07:24 +0200] \"GET /~oysteikt/ HTTP/2.0\" 200 3708",
|
||||
"oysteikt",
|
||||
)];
|
||||
|
||||
for (line, expected_user) in inputs {
|
||||
let parsed_user = parse_username_from_line(line.as_bytes());
|
||||
assert_eq!(
|
||||
parsed_user,
|
||||
Some(expected_user),
|
||||
"Failed to parse user from line: {line}"
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_parse_user_from_error_log() {
|
||||
let inputs = [(
|
||||
"[Sat May 09 20:45:21.480016 2026] [authz_core:error] [pid 3555:tid 3617] [remote 1::2:42000] AH01630: client denied by server configuration: /home/pvv/d/oysteikt/web-docs/.git",
|
||||
"oysteikt",
|
||||
)];
|
||||
|
||||
for (line, expected_user) in inputs {
|
||||
let parsed_user = parse_username_from_line(line.as_bytes());
|
||||
assert_eq!(
|
||||
parsed_user,
|
||||
Some(expected_user),
|
||||
"Failed to parse user from line: {line}"
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -11,6 +11,8 @@ let
|
||||
upload_max_filesize = "40M";
|
||||
});
|
||||
|
||||
apache-log-processor = pkgs.callPackage ./apache-log-processor { };
|
||||
|
||||
# https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
|
||||
phpEnv = pkgs.php.buildEnv {
|
||||
extensions = { all, ... }: with all; [
|
||||
@@ -193,10 +195,11 @@ in
|
||||
}
|
||||
];
|
||||
|
||||
logPerVirtualHost = false;
|
||||
|
||||
extraConfig = ''
|
||||
TraceEnable on
|
||||
LogLevel warn rewrite:trace3
|
||||
ScriptLog ${cfg.logDir}/cgi.log
|
||||
'';
|
||||
|
||||
virtualHosts."temmie.pvv.ntnu.no" = {
|
||||
@@ -208,6 +211,11 @@ in
|
||||
];
|
||||
|
||||
extraConfig = ''
|
||||
CustomLog "${cfg.logDir}/access.log" combined
|
||||
CustomLog "|${lib.getExe apache-log-processor} access" combined
|
||||
ErrorLog "|${lib.getExe apache-log-processor} error"
|
||||
ScriptLog "${cfg.logDir}/cgi.log"
|
||||
|
||||
UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters}
|
||||
UserDir disabled root
|
||||
AddHandler cgi-script .cgi
|
||||
|
||||
@@ -1,198 +0,0 @@
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.services.drumknotty;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./dibbler.nix
|
||||
./worblehat.nix
|
||||
];
|
||||
|
||||
options.services.drumknotty = {
|
||||
enable = lib.mkEnableOption "DrumknoTTY";
|
||||
|
||||
kioskMode = lib.mkEnableOption "" // {
|
||||
description = ''
|
||||
Whether to let dibbler take over the entire machine.
|
||||
|
||||
This will restrict the machine to a single TTY and make the program unquittable.
|
||||
You can still get access to PTYs via SSH and similar, if enabled.
|
||||
'';
|
||||
};
|
||||
|
||||
screen = {
|
||||
package = lib.mkPackageOption pkgs "screen" { };
|
||||
|
||||
sessionName = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "drumknotty";
|
||||
example = "myscreensessionname";
|
||||
description = ''
|
||||
Sets the screen session name.
|
||||
'';
|
||||
};
|
||||
|
||||
limitHeight = lib.mkOption {
|
||||
type = with lib.types; nullOr ints.unsigned;
|
||||
default = null;
|
||||
example = 42;
|
||||
description = ''
|
||||
If set, limits the height of the screen dibbler uses to the given number of lines.
|
||||
'';
|
||||
};
|
||||
|
||||
limitWidth = lib.mkOption {
|
||||
type = with lib.types; nullOr ints.unsigned;
|
||||
default = null;
|
||||
example = 80;
|
||||
description = ''
|
||||
If set, limits the width of the screen dibbler uses to the given number of columns.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.enable -> lib.any (b: b) [
|
||||
cfg.dibbler.enable
|
||||
cfg.worblehat.enable
|
||||
];
|
||||
message = "DrumknoTTY must have at least one service enabled";
|
||||
}
|
||||
];
|
||||
|
||||
users = {
|
||||
users.drumknotty = {
|
||||
group = "drumknotty";
|
||||
extraGroups = [ "lp" ];
|
||||
isNormalUser = true;
|
||||
|
||||
# TODO: make this display the error log or error message in case that
|
||||
# the screen session service is bootlooping or otherwise off.
|
||||
shell =
|
||||
lib.mkIf cfg.kioskMode
|
||||
(pkgs.writeShellScriptBin "login-shell"
|
||||
"${lib.getExe' cfg.screen.package "screen"} -x ${cfg.screen.sessionName} -p dibbler"
|
||||
// {
|
||||
shellPath = "/bin/login-shell";
|
||||
});
|
||||
};
|
||||
groups.drumknotty = { };
|
||||
};
|
||||
|
||||
boot.kernelParams = lib.mkIf cfg.kioskMode [
|
||||
"console=tty1"
|
||||
];
|
||||
|
||||
services.getty.autologinUser = lib.mkIf cfg.kioskMode "drumknotty";
|
||||
|
||||
systemd.services.drumknotty-screen-session = lib.mkIf cfg.kioskMode {
|
||||
description = "Drumknotty Screen Session";
|
||||
wantedBy = [
|
||||
"default.target"
|
||||
];
|
||||
after =
|
||||
# TODO: this could be refined
|
||||
if (cfg.dibbler.createLocalDatabase || cfg.worblehat.createLocalDatabase) then
|
||||
[
|
||||
"postgresql.service"
|
||||
"dibbler-setup-database.service"
|
||||
"worblehat-setup-database.service"
|
||||
]
|
||||
else
|
||||
[
|
||||
"network.target"
|
||||
];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "forking";
|
||||
RemainAfterExit = false;
|
||||
Restart = "always";
|
||||
RestartSec = "5s";
|
||||
SuccessExitStatus = 1;
|
||||
|
||||
User = "drumknotty";
|
||||
Group = "drumknotty";
|
||||
|
||||
ExecStartPre =
|
||||
let
|
||||
screenArgs = lib.escapeShellArgs [
|
||||
# Send the specified command to a running screen session
|
||||
"-X"
|
||||
|
||||
# Session name
|
||||
"-S"
|
||||
"${cfg.screen.sessionName}"
|
||||
|
||||
"kill"
|
||||
];
|
||||
in
|
||||
"-${lib.getExe' cfg.screen.package "screen"} ${screenArgs}";
|
||||
|
||||
ExecStart =
|
||||
let
|
||||
screenrc = let
|
||||
convertToFile = lines: lib.pipe lines [
|
||||
lib.concatLists
|
||||
(lib.concatStringsSep "\n")
|
||||
(pkgs.writeText "drumknotty-screenrc")
|
||||
];
|
||||
in convertToFile [
|
||||
(lib.optionals (cfg.screen.limitWidth != null) [
|
||||
"screen width ${toString cfg.screen.limitWidth}"
|
||||
])
|
||||
(lib.optionals (cfg.screen.limitHeight != null) [
|
||||
"screen height ${toString cfg.screen.limitHeight}"
|
||||
])
|
||||
|
||||
(let
|
||||
dibblerArgs = lib.cli.toCommandLineShellGNU { } {
|
||||
config = "/etc/dibbler/dibbler.toml";
|
||||
};
|
||||
in lib.optionals cfg.dibbler.enable [
|
||||
"screen -t worblehat ${lib.getExe cfg.dibbler.package} ${dibblerArgs} loop"
|
||||
|
||||
])
|
||||
|
||||
(let
|
||||
worblehatArgs = lib.cli.toCommandLineShellGNU { } {
|
||||
config = "/etc/worblehat/config.toml";
|
||||
};
|
||||
in lib.optionals cfg.worblehat.enable [
|
||||
"screen -t worblehat ${lib.getExe cfg.worblehat.package} ${worblehatArgs} cli"
|
||||
])
|
||||
|
||||
[ "select 0" ]
|
||||
];
|
||||
|
||||
screenArgs = lib.escapeShellArgs [
|
||||
# -dm creates the screen in detached mode without accessing it
|
||||
"-dm"
|
||||
|
||||
# Session name
|
||||
"-S"
|
||||
"${cfg.screen.sessionName}"
|
||||
|
||||
# Set optimal output mode instead of VT100 emulation
|
||||
"-O"
|
||||
|
||||
# Enable login mode, updates utmp entries
|
||||
"-l"
|
||||
|
||||
# Config file path
|
||||
"-c"
|
||||
"${screenrc}"
|
||||
];
|
||||
in
|
||||
"${lib.getExe' cfg.screen.package "screen"} ${screenArgs}";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -1,113 +0,0 @@
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
mainCfg = config.services.drumknotty;
|
||||
cfg = config.services.drumknotty.dibbler;
|
||||
|
||||
format = pkgs.formats.toml { };
|
||||
in
|
||||
{
|
||||
options.services.drumknotty.dibbler = {
|
||||
enable = lib.mkEnableOption "";
|
||||
|
||||
package = lib.mkPackageOption pkgs "dibbler" { };
|
||||
|
||||
settings = lib.mkOption {
|
||||
description = "Configuration for dibbler";
|
||||
default = { };
|
||||
type = lib.types.submodule {
|
||||
freeformType = format.type;
|
||||
};
|
||||
};
|
||||
|
||||
createLocalDatabase = lib.mkEnableOption "" // {
|
||||
description = ''
|
||||
Whether to set up a local postgres database automatically.
|
||||
|
||||
::: {.note}
|
||||
You must set up postgres manually before enabling this option.
|
||||
:::
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf (mainCfg.enable && cfg.enable) {
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.createLocalDatabase -> config.services.postgresql.enable;
|
||||
message = "PostgreSQL must be enabled for dibbler to create a local database";
|
||||
}
|
||||
];
|
||||
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
environment.etc."dibbler/dibbler.toml".source = format.generate "dibbler.toml" cfg.settings;
|
||||
|
||||
services.drumknotty.dibbler.settings = {
|
||||
limits = {
|
||||
low_credit_warning_limit = lib.mkDefault (-100);
|
||||
user_recent_transaction_limit = lib.mkDefault 100;
|
||||
};
|
||||
|
||||
printer = {
|
||||
label_type = lib.mkDefault "62";
|
||||
label_rotate = lib.mkDefault false;
|
||||
};
|
||||
|
||||
database = {
|
||||
type = lib.mkIf cfg.createLocalDatabase "postgresql";
|
||||
postgresql = {
|
||||
username = lib.mkDefault "dibbler";
|
||||
dbname = lib.mkDefault "dibbler";
|
||||
|
||||
host = lib.mkIf cfg.createLocalDatabase "/run/postgresql";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.drumknotty.dibbler.settings.general = lib.mkIf mainCfg.kioskMode {
|
||||
quit_allowed = false;
|
||||
stop_allowed = false;
|
||||
};
|
||||
|
||||
services.postgresql = lib.mkIf cfg.createLocalDatabase {
|
||||
authentication = ''
|
||||
local ${cfg.settings.database.postgresql.dbname} ${cfg.settings.database.postgresql.username} peer map=${cfg.settings.database.postgresql.username}
|
||||
'';
|
||||
identMap = ''
|
||||
${cfg.settings.database.postgresql.username} drumknotty ${cfg.settings.database.postgresql.username}
|
||||
'';
|
||||
ensureDatabases = [ cfg.settings.database.postgresql.dbname ];
|
||||
ensureUsers = [{
|
||||
name = cfg.settings.database.postgresql.username;
|
||||
ensureDBOwnership = true;
|
||||
ensureClauses.login = true;
|
||||
}];
|
||||
};
|
||||
|
||||
systemd.services.dibbler-setup-database = lib.mkIf cfg.createLocalDatabase {
|
||||
description = "Dibbler database setup";
|
||||
|
||||
wantedBy = [ "default.target" ];
|
||||
requiredBy = [ "drumknotty-screen-session.service" ];
|
||||
before = [ "drumknotty-screen-session.service" ];
|
||||
after = [ "postgresql.service" ];
|
||||
|
||||
unitConfig = {
|
||||
ConditionPathExists = "!/var/lib/dibbler/.db-setup-done";
|
||||
};
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
ExecStart = "${lib.getExe cfg.package} --config /etc/dibbler/dibbler.toml create-db";
|
||||
ExecStartPost = "${lib.getExe' pkgs.coreutils "touch"} /var/lib/dibbler/.db-setup-done";
|
||||
StateDirectory = "dibbler";
|
||||
|
||||
User = "drumknotty";
|
||||
Group = "drumknotty";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -1,209 +0,0 @@
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
mainCfg = config.services.drumknotty;
|
||||
cfg = config.services.drumknotty.worblehat;
|
||||
|
||||
format = pkgs.formats.toml { };
|
||||
in
|
||||
{
|
||||
options.services.drumknotty.worblehat = {
|
||||
enable = lib.mkEnableOption "";
|
||||
|
||||
package = lib.mkPackageOption pkgs "worblehat" { };
|
||||
|
||||
settings = lib.mkOption {
|
||||
description = "Configuration for worblehat";
|
||||
default = { };
|
||||
type = lib.types.submodule {
|
||||
freeformType = format.type;
|
||||
};
|
||||
};
|
||||
|
||||
createLocalDatabase = lib.mkEnableOption "" // {
|
||||
description = ''
|
||||
Whether to set up a local postgres database automatically.
|
||||
|
||||
::: {.note}
|
||||
You must set up postgres manually before enabling this option.
|
||||
:::
|
||||
'';
|
||||
};
|
||||
|
||||
deadline-daemon = {
|
||||
enable = lib.mkEnableOption "" // {
|
||||
description = ''
|
||||
Whether to enable the worblehat deadline-daemon service,
|
||||
which periodically checks for upcoming deadlines and notifies users.
|
||||
|
||||
Note that this service is independent of the main worblehat service,
|
||||
and must be enabled separately.
|
||||
'';
|
||||
};
|
||||
|
||||
onCalendar = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = ''
|
||||
How often to trigger rendering the map,
|
||||
in the format of a systemd timer onCalendar configuration.
|
||||
|
||||
See {manpage}`systemd.timer(5)`.
|
||||
'';
|
||||
default = "*-*-* 10:15:00";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkMerge [
|
||||
{
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.createLocalDatabase -> config.services.postgresql.enable;
|
||||
message = "PostgreSQL must be enabled for worblehat to create a local database";
|
||||
}
|
||||
];
|
||||
|
||||
# TODO: Retrieve defaults from the example config file in the project code.
|
||||
services.drumknotty.worblehat.settings = {
|
||||
logging = {
|
||||
debug = lib.mkDefault true;
|
||||
debug_sql = lib.mkDefault false;
|
||||
};
|
||||
|
||||
database = {
|
||||
type = lib.mkDefault "sqlite";
|
||||
sqlite.path = lib.mkDefault "./worblehat.sqlite";
|
||||
postgresql = {
|
||||
host = lib.mkDefault "localhost";
|
||||
port = lib.mkDefault 5432;
|
||||
username = lib.mkDefault "worblehat";
|
||||
password = lib.mkDefault "/var/lib/worblehat/db-password";
|
||||
database = lib.mkDefault "worblehat";
|
||||
};
|
||||
};
|
||||
|
||||
flask = {
|
||||
TESTING = lib.mkDefault true;
|
||||
DEBUG = lib.mkDefault true;
|
||||
FLASK_ENV = lib.mkDefault "development";
|
||||
SECRET_KEY = lib.mkDefault "change-me";
|
||||
};
|
||||
|
||||
smtp = {
|
||||
enabled = lib.mkDefault false;
|
||||
host = lib.mkDefault "smtp.pvv.ntnu.no";
|
||||
port = lib.mkDefault 587;
|
||||
username = lib.mkDefault "worblehat";
|
||||
password = lib.mkDefault "/var/lib/worblehat/smtp-password";
|
||||
from = lib.mkDefault "worblehat@pvv.ntnu.no";
|
||||
subject_prefix = lib.mkDefault "[Worblehat]";
|
||||
};
|
||||
|
||||
deadline_daemon = {
|
||||
enabled = lib.mkDefault true;
|
||||
dryrun = lib.mkDefault false;
|
||||
warn_days_before_borrowing_deadline = lib.mkDefault [
|
||||
5
|
||||
1
|
||||
];
|
||||
days_before_queue_position_expires = lib.mkDefault 14;
|
||||
warn_days_before_expiring_queue_position_deadline = lib.mkDefault [
|
||||
3
|
||||
1
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
(lib.mkIf ((mainCfg.enable && cfg.enable) || cfg.deadline-daemon.enable) {
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
environment.etc."worblehat/config.toml".source = format.generate "worblehat-config.toml" cfg.settings;
|
||||
})
|
||||
|
||||
(lib.mkIf (mainCfg.enable && cfg.enable) {
|
||||
services.drumknotty.worblehat.settings.general = lib.mkIf mainCfg.kioskMode {
|
||||
quit_allowed = false;
|
||||
stop_allowed = false;
|
||||
};
|
||||
|
||||
services.drumknotty.worblehat.settings.database = lib.mkIf cfg.createLocalDatabase {
|
||||
type = "postgresql";
|
||||
postgresql.host = "/run/postgresql";
|
||||
};
|
||||
|
||||
services.postgresql = lib.mkIf cfg.createLocalDatabase {
|
||||
authentication = ''
|
||||
local ${cfg.settings.database.postgresql.database} ${cfg.settings.database.postgresql.username} peer map=${cfg.settings.database.postgresql.username}
|
||||
'';
|
||||
identMap = ''
|
||||
${cfg.settings.database.postgresql.username} drumknotty ${cfg.settings.database.postgresql.username}
|
||||
'';
|
||||
ensureDatabases = [ cfg.settings.database.postgresql.database ];
|
||||
ensureUsers = [{
|
||||
name = cfg.settings.database.postgresql.username;
|
||||
ensureDBOwnership = true;
|
||||
ensureClauses.login = true;
|
||||
}];
|
||||
};
|
||||
|
||||
systemd.services.worblehat-setup-database = lib.mkIf cfg.createLocalDatabase {
|
||||
description = "Worblehat database setup";
|
||||
|
||||
wantedBy = [ "default.target" ];
|
||||
requiredBy = [ "drumknotty-screen-session.service" ];
|
||||
before = [ "drumknotty-screen-session.service" ];
|
||||
after = [ "postgresql.service" ];
|
||||
|
||||
unitConfig = {
|
||||
ConditionPathExists = "!/var/lib/worblehat/.db-setup-done";
|
||||
};
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
ExecStart = "${lib.getExe cfg.package} --config /etc/worblehat/config.toml create-db";
|
||||
ExecStartPost = "${lib.getExe' pkgs.coreutils "touch"} /var/lib/worblehat/.db-setup-done";
|
||||
StateDirectory = "worblehat";
|
||||
|
||||
User = "drumknotty";
|
||||
Group = "drumknotty";
|
||||
};
|
||||
};
|
||||
})
|
||||
|
||||
(lib.mkIf cfg.deadline-daemon.enable {
|
||||
systemd.timers.worblehat-deadline-daemon = lib.mkIf cfg.deadline-daemon.enable {
|
||||
description = "Worblehat Deadline Daemon";
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnCalendar = cfg.deadline-daemon.onCalendar;
|
||||
Persistent = true;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.worblehat-deadline-daemon = lib.mkIf cfg.deadline-daemon.enable {
|
||||
description = "Worblehat Deadline Daemon";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
CPUSchedulingPolicy = "idle";
|
||||
IOSchedulingClass = "idle";
|
||||
|
||||
ExecStart =
|
||||
let
|
||||
worblehatArgs = lib.cli.toCommandLineShellGNU { } {
|
||||
config = "/etc/worblehat/config.toml";
|
||||
};
|
||||
in
|
||||
"${lib.getExe cfg.package} ${worblehatArgs} deadline-daemon";
|
||||
|
||||
User = "drumknotty";
|
||||
Group = "drumknotty";
|
||||
};
|
||||
};
|
||||
})
|
||||
];
|
||||
}
|
||||
@@ -16,7 +16,7 @@ in {
|
||||
};
|
||||
|
||||
systemd.user.services.restart-greg-ng = {
|
||||
serviceConfig.ExecStart = "${lib.getExe' pkgs.systemd "systemctl"} --user restart greg-ng.service";
|
||||
script = "systemctl --user restart greg-ng.service";
|
||||
startAt = "*-*-* 06:30:00";
|
||||
};
|
||||
|
||||
|
||||
@@ -171,9 +171,6 @@ in
|
||||
requires = [ "matrix-ooye-pre-start.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
startLimitIntervalSec = 5;
|
||||
startLimitBurst = 5;
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = lib.getExe config.services.matrix-ooye.package;
|
||||
WorkingDirectory = "/var/lib/matrix-ooye";
|
||||
@@ -185,6 +182,8 @@ in
|
||||
#PrivateDevices = true;
|
||||
Restart = "on-failure";
|
||||
RestartSec = "5s";
|
||||
StartLimitIntervalSec = "5s";
|
||||
StartLimitBurst = "5";
|
||||
DynamicUser = true;
|
||||
};
|
||||
};
|
||||
|
||||
@@ -38,23 +38,18 @@ lib.mergeAttrsList [
|
||||
})
|
||||
(mw-ext {
|
||||
name = "CodeMirror";
|
||||
commit = "7ab826eff8c4097589a3199c40c507717af23234";
|
||||
hash = "sha256-kMIyGW9J4OSGSetByel7hEGgxPRJmQ53it6ndpYA/Hs=";
|
||||
commit = "f06dfd40a08562a841ddf11b4ae3444ef06c98c7";
|
||||
hash = "sha256-5zXkBjOwFdoQezkPRJ2AcBZLZEEpGG6FawO2K3KzllI=";
|
||||
})
|
||||
(mw-ext {
|
||||
name = "DeleteBatch";
|
||||
commit = "b5920283cfe78b86a63a1037a81651c58ce764da";
|
||||
hash = "sha256-LwuVX2s5Q4uc6o7hlTjFzRTwvSCwTk74gBpX0HoLDMA=";
|
||||
})
|
||||
(mw-ext {
|
||||
name = "PdfHandler";
|
||||
commit = "dc1a3ca04ac6ec7d7de7ce5355803510508a2575";
|
||||
hash = "sha256-ltAQZtfTMMLRPATA7rclSNW8Yz4ctGc30CxlL3SRBWU=";
|
||||
commit = "9bc75a753efefedfc88c598fb01f18a7e4b61f00";
|
||||
hash = "sha256-1xA758fsvoioN9xuq0hRqZKtPXMQViVLtuRINDtowdk=";
|
||||
})
|
||||
(mw-ext {
|
||||
name = "PluggableAuth";
|
||||
commit = "4b57a23e32d72bd3f74184ff2734aa483a5b0c63";
|
||||
hash = "sha256-ZGw0Wgz0Sg04YDcOzkOGywmfQ6s6Ex17QbjmUDO1D8c=";
|
||||
commit = "64133683b73d8eeea8069fe7ed9cb7237fd5c212";
|
||||
hash = "sha256-wqpfgVLenZp6XC510nrsrbvK1IMEPcWVYq5YuAOt5+c=";
|
||||
})
|
||||
(mw-ext {
|
||||
name = "Popups";
|
||||
@@ -63,38 +58,38 @@ lib.mergeAttrsList [
|
||||
})
|
||||
(mw-ext {
|
||||
name = "Scribunto";
|
||||
commit = "35c85c96167922adc98e62dd6573789d906dd7d7";
|
||||
hash = "sha256-FEWADJW53cDOlLseM62VL66PENv/jNnwuCMo2Pb02ek=";
|
||||
commit = "cbab0c740e03c8e6184fd647d95e24e0826d20cb";
|
||||
hash = "sha256-vXS3+wrUBVtPsETa19pMvud9sALGt4Ao9mM5rQRbBQc=";
|
||||
})
|
||||
(mw-ext {
|
||||
name = "SimpleSAMLphp";
|
||||
kebab-name = "simple-saml-php";
|
||||
commit = "70778bb02f972abbb51e6ba3e0f6545b00dcab00";
|
||||
hash = "sha256-wfmFJKy+ih84qFM9DVcCQFAZBx45s7Hl0lRnseMPhGY=";
|
||||
commit = "fc5ad4501434fe85198f0b1f0087d798efa91f9f";
|
||||
hash = "sha256-se0krTglo1fShJXj38bPLhw65tZC5P54Ywt7oeZrLes=";
|
||||
})
|
||||
(mw-ext {
|
||||
name = "TemplateData";
|
||||
commit = "cca3b3430067f2161bf65de822f70dd38fe07bba";
|
||||
hash = "sha256-OxLwiF8FlWizkpDF9GXYfjehKtrltX8ihiCE+fNJpgw=";
|
||||
commit = "d37b02f6ed194138ac7193a0782bbf6efb9164f8";
|
||||
hash = "sha256-NpzVBzX7qfXkIE+jh33ndooS9GE8ZF3/Jynm22in7IQ=";
|
||||
})
|
||||
(mw-ext {
|
||||
name = "TemplateStyles";
|
||||
commit = "101a159dd0190759a16551a86800144c18b6ff5c";
|
||||
hash = "sha256-IGQQVAx8/76ivHq9b97ec1AlFoqbRl7uhXhwoFimsG4=";
|
||||
commit = "f85614c26a0057a9f418342f89214a04c9de9988";
|
||||
hash = "sha256-XZOtM3iadjE5vavsjkx7kfJNhLZlnnFt1CN+mv6XVHQ=";
|
||||
})
|
||||
(mw-ext {
|
||||
name = "UserMerge";
|
||||
commit = "6c0d105e07538c34bfde989bd26fa1945f8d1b79";
|
||||
hash = "sha256-w058Ihk0I98hIG1tkVJGy1bzbv7XXyUksGexXgCN540=";
|
||||
commit = "2f2432c909a36691ca0002daf6fb304d6c182beb";
|
||||
hash = "sha256-ZP8Tp6u+uJxx3I39YGMmkP0sTnjAQUSaxImAJaRv+Ek=";
|
||||
})
|
||||
(mw-ext {
|
||||
name = "VisualEditor";
|
||||
commit = "8d8c6d7f179a5f799e1fa8cba207d81f58f722d2";
|
||||
hash = "sha256-wbYHXi2vD521EMzUl7ttinG4YdLv/DwYvVUew7dka0g=";
|
||||
commit = "1508d49d0dd71fdc1d18badd23671441b3bc327b";
|
||||
hash = "sha256-VNiCVNrCAImAr1tS9T28KPPzzNsKPz5ELFRIBtng+So=";
|
||||
})
|
||||
(mw-ext {
|
||||
name = "WikiEditor";
|
||||
commit = "f53000f0499858fe74e4f5008b2f5e467d9d9382";
|
||||
hash = "sha256-+HTXZEVCwMD8z6c1kCZA3k686HzNd30pJljzRvf+gMg=";
|
||||
commit = "aba5e7c6701877a6b43583709751658fec606d47";
|
||||
hash = "sha256-XmbQy0NXuY3oVGkkgC233kkzfBfx32HDylloGYXU/Nc=";
|
||||
})
|
||||
]
|
||||
|
||||
@@ -10,18 +10,18 @@ let
|
||||
in
|
||||
buildNpmPackage {
|
||||
pname = "delete-your-element";
|
||||
version = "3.6.0";
|
||||
version = "3.5.1";
|
||||
src = fetchFromGitea {
|
||||
domain = "git.pvv.ntnu.no";
|
||||
owner = "Drift";
|
||||
repo = "delete-your-element";
|
||||
rev = "44fb6a02d3139e8ab10e9660ad931e5e70d1205f";
|
||||
hash = "sha256-wDQhPbxwdkAm0kPhaDNjbk8rVFxnGinffVdASdFrYnU=";
|
||||
rev = "80ac1d9d79207b6327975a264fcd9747b99a2a5d";
|
||||
hash = "sha256-fcBpUZ+WEMUXyyo/uaArl4D1NJmK95isWqhFSt6HzUU=";
|
||||
};
|
||||
|
||||
inherit nodejs;
|
||||
|
||||
npmDepsHash = "sha256-h1mmE0/+Y7SBwnI0vaYvV+KqRDJGzwJvDUOkigzHcOY=";
|
||||
npmDepsHash = "sha256-EYxJi6ObJQOLyiJq4C3mV6I62ns9l64ZHcdoQxmN5Ao=";
|
||||
dontNpmBuild = true;
|
||||
|
||||
nativeBuildInputs = [ makeWrapper ];
|
||||
|
||||
@@ -1,9 +1,6 @@
|
||||
dibbler:
|
||||
postgresql:
|
||||
password: ENC[AES256_GCM,data:3X9A3jOpFVRuBg0gRiCEsZVKfLI=,iv:XC7LBNUhALk9IEhItV8fO5p/m7VKL0REBY1W2IZt7G4=,tag:l18R7EhbOlucZHFQiEvpHw==,type:str]
|
||||
worblehat:
|
||||
postgresql:
|
||||
password: ENC[AES256_GCM,data:WpJR6MumY+7WUYdVVgAqv1af+NmqecTMO9aP5lidSpE=,iv:7aoN8mjXckd81LxasMSG3R2vqj0SvzSl7wrEQ1LwToo=,tag:zeeNcEpkYnqyd8be0ZS+kQ==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
|
||||
@@ -69,8 +66,8 @@ sops:
|
||||
MmxPMWNPYzJiOFRqY2VYczhvRm5IR3cKpUVV+zsMolsHI2YK9YqC6ecNT6QXv0TV
|
||||
d1SpXRAexZBeWCCHBjSdvQBl8AT4EwrAIP2M2o++6i5DaGoGiEIWZQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2026-03-18T14:56:22Z"
|
||||
mac: ENC[AES256_GCM,data:nBKtFmFKx/Mt9TIFnKuuznsPAXCQpc3+WIspNu5TN9TpIqw75nzYXpxIb2hxRfRu0nbjHXpBy4bkzeMi41BGkvkvV57CZyq11J5i/iIKwuvllaB1IWrdDT2u+6RH3jIspp3KoyxFWdRqcGfNma9dSmtI+1Dd5z7XaxVaoVK2QMI=,iv:6joviyJ2cXmGh/9HH7VEcoK3+4GK5I6i2N/1d65PAN0=,tag:0BFVPWL3BByJH8HbrBTKOw==,type:str]
|
||||
lastmodified: "2026-02-10T20:02:28Z"
|
||||
mac: ENC[AES256_GCM,data:i8CjVxoD7zdkLNJlI9DCo/tDV5DUI7JdpozLtYZzI7Cu51GayaE2Y3Wg4de6P0L7C3FER04WfRe/h+G9PLZICX/CfSipQysyrEq3Pjt9IKsjytDhP9VYJ36QFGF0PuHUQAMSLts/tAoAvLue6MP+V82l5js9ghvyBrzyBGxoyJw=,iv:QFNxvCYxrSkwy7iT+2BEacNPftDXju1cibprVPDjic0=,tag:496E+oCy/VwTylyaWhQD+A==,type:str]
|
||||
pgp:
|
||||
- created_at: "2026-02-10T20:01:32Z"
|
||||
enc: |-
|
||||
@@ -93,4 +90,4 @@ sops:
|
||||
-----END PGP MESSAGE-----
|
||||
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.12.1
|
||||
version: 3.11.0
|
||||
|
||||
+2
-2
@@ -55,11 +55,11 @@ in rec {
|
||||
};
|
||||
brzeczyszczykiewicz = {
|
||||
ipv4 = pvv-ipv4 205;
|
||||
ipv6 = pvv-ipv6 205;
|
||||
ipv6 = pvv-ipv6 "1:50"; # Wtf peder why
|
||||
};
|
||||
georg = {
|
||||
ipv4 = pvv-ipv4 204;
|
||||
ipv6 = pvv-ipv6 204;
|
||||
ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
|
||||
};
|
||||
kommode = {
|
||||
ipv4 = pvv-ipv4 223;
|
||||
|
||||
Reference in New Issue
Block a user