Compare commits


79 Commits

Author SHA1 Message Date
vegardbm 6cca1db3b3 bekkalokk: fix permissions for mediawiki secrets
Eval nix flake / evals (pull_request) Successful in 3m51s
Build topology graph / evals (push) Successful in 2m29s
Eval nix flake / evals (push) Successful in 4m21s
2026-05-22 20:21:24 +02:00
vegardbm bfd83c4c64 uptime-kuma: wants to use /var/lib/private for state
Build topology graph / evals (push) Successful in 2m32s
Eval nix flake / evals (push) Successful in 3m49s
2026-05-22 17:58:00 +02:00
oysteikt 9a6fdecb03 kommode/gitea/dump: only keep a single dump at a time
Eval nix flake / evals (push) Successful in 3m54s
Build topology graph / evals (push) Successful in 3m59s
2026-05-22 18:27:57 +09:00
oysteikt 82ab97fb45 bekkalokk/roundcube: restart service on changed sops secrets
Build topology graph / evals (push) Successful in 3m35s
Eval nix flake / evals (push) Successful in 3m49s
2026-05-22 18:10:44 +09:00
oysteikt 543fd19f8d bekkalokk/vaultwarden: restart service on changed sops secrets
2026-05-22 18:10:40 +09:00
oysteikt 6f99fa575d bekkalokk/vaultwarden: render environment_file as sops template
Eval nix flake / evals (push) Successful in 4m1s
2026-05-22 18:02:13 +09:00
oysteikt 3141b1f76b bekkalokk/vaultwarden: remove redundant hardening
Eval nix flake / evals (push) Successful in 3m51s
This has already been upstreamed
2026-05-22 17:51:03 +09:00
oysteikt 475f6a8c9b bekkalokk/vaultwarden: add rsa key to sops
Eval nix flake / evals (push) Successful in 4m25s
2026-05-22 17:49:31 +09:00
oysteikt 9c1687f8f2 bekkalokk/vaultwarden: use envvar keys
It seems like the nixpkgs module is compensating for previous config
that might've ended up in a file, which are now being turned into
screaming snake case environment variables. Let's just name them as they
are supposed to be named instead of having the upstream module translate
them.
2026-05-22 17:08:31 +09:00
oysteikt 0f53bcd731 bekkalokk/roundcube: add des_key to sops
2026-05-22 17:08:31 +09:00
felixalb f433ae1e15 ustetind: remove from sops
Build topology graph / evals (push) Successful in 2m30s
Eval nix flake / evals (push) Successful in 4m45s
rg -. to the rescue
2026-05-22 10:01:15 +02:00
oysteikt 5745648f87 bicep/postgres/repack: use local unix socket
Build topology graph / evals (push) Successful in 2m48s
Eval nix flake / evals (push) Successful in 4m22s
2026-05-22 15:59:59 +09:00
oysteikt 2c34a93abf bicep/postgres/repack: don't kill connections on timeout
Eval nix flake / evals (push) Successful in 3m51s
Build topology graph / evals (push) Successful in 3m56s
2026-05-22 15:57:57 +09:00
oysteikt 9ebc947eab ustetind: bai bai 👋
Build topology graph / evals (push) Successful in 2m48s
Eval nix flake / evals (push) Successful in 6m47s
2026-05-22 15:41:28 +09:00
oysteikt 6fcc19f0a2 base/fluentbit: init
Build topology graph / evals (push) Successful in 2m51s
Eval nix flake / evals (push) Successful in 4m7s
2026-05-22 15:32:13 +09:00
oysteikt 9224f04bd1 base/promtail: remove
2026-05-22 15:32:13 +09:00
vegardbm 9c93f15569 change agekey for ildkule and update keys
Build topology graph / evals (push) Successful in 2m31s
Eval nix flake / evals (push) Successful in 5m8s
update keys
2026-05-21 17:27:11 +02:00
oysteikt 5d6c153007 kommode/gitea: fix dump command
Build topology graph / evals (push) Successful in 2m33s
Eval nix flake / evals (push) Successful in 4m1s
2026-05-21 17:54:54 +09:00
oysteikt 8b483a92f8 ildkule: set fsType for bindmounts
2026-05-21 17:52:47 +09:00
oysteikt 0d7f05e56d bicep/postgres: add cleanup timers
Build topology graph / evals (push) Successful in 2m53s
Eval nix flake / evals (push) Successful in 4m6s
2026-05-21 04:14:34 +09:00
danio 4a67eddf52 bicep/matrix/livekit: open the rtc ports
Build topology graph / evals (push) Successful in 3m55s
Eval nix flake / evals (push) Successful in 4m8s
2026-05-20 20:04:33 +02:00
oysteikt 08a23bd380 base/hardening: ban a few more modules
Build topology graph / evals (push) Successful in 2m53s
Eval nix flake / evals (push) Successful in 4m2s
2026-05-20 23:15:25 +09:00
oysteikt 28b67c3578 base/mitigations: blacklist modules for copyfail and pintheft
2026-05-20 23:15:25 +09:00
vegardbm e5804c043a README: add gluttony
Build topology graph / evals (push) Successful in 2m52s
Eval nix flake / evals (push) Successful in 4m7s
2026-05-20 06:24:26 +02:00
vegardbm 9c227f3022 update gluttony IPs and boot device
Build topology graph / evals (push) Successful in 2m54s
Eval nix flake / evals (push) Successful in 4m7s
2026-05-20 06:07:41 +02:00
felixalb 69fdf709d7 grr: fix the heccin quotes
Build topology graph / evals (push) Successful in 3m53s
Eval nix flake / evals (push) Successful in 4m7s
2026-05-19 16:38:34 +02:00
adriangl 30ec70fa5f fix: ildkule grub duplicated devices, format nix files
Build topology graph / evals (push) Successful in 4m1s
Eval nix flake / evals (push) Successful in 4m40s
2026-05-19 16:26:36 +02:00
adriangl 1024b428ac feat: ildkule disco config
Eval nix flake / evals (push) Failing after 2m24s
Build topology graph / evals (push) Successful in 2m29s
2026-05-19 12:16:39 +02:00
adriangl 1e6b692fbf fix: updated ildkule config and ips to match trd1 new setup
Build topology graph / evals (push) Successful in 2m39s
Eval nix flake / evals (push) Successful in 4m42s
2026-05-19 11:37:05 +02:00
vegardbm beac6e91dd flake.lock: bump pvv-nettsiden
Build topology graph / evals (push) Successful in 2m55s
Eval nix flake / evals (push) Successful in 4m38s
2026-05-17 16:58:04 +02:00
oysteikt 0fd41c214a flake.{nix,lock}: bump deps
Eval nix flake / evals (push) Successful in 4m7s
Build topology graph / evals (push) Successful in 6m27s
2026-05-13 01:19:35 +09:00
oysteikt 5c1ee958ea flake.{nix,lock}: bump roowho2
Build topology graph / evals (push) Successful in 2m34s
Eval nix flake / evals (push) Successful in 4m7s
2026-05-12 00:25:55 +09:00
oysteikt d8e97715c9 flake.lock: bump pvv-nettsiden
2026-05-12 00:24:56 +09:00
oysteikt 33297b0436 treewide: lib.cli.toGNUCommandLineShell -> lib.cli.toCommandLineShellGNU
Build topology graph / evals (push) Successful in 2m33s
Eval nix flake / evals (push) Successful in 4m7s
2026-05-11 23:09:50 +09:00
oysteikt be33c95c83 bekkalokk/website: more logging, specify timeouts, ban spooky funcs, fake sendmail
Build topology graph / evals (push) Successful in 2m33s
Eval nix flake / evals (push) Successful in 4m5s
2026-05-11 21:14:08 +09:00
oysteikt 2abf36a9af packages/simplesamlphp: 2.4.3 -> 2.5.0
Build topology graph / evals (push) Successful in 2m52s
Eval nix flake / evals (push) Successful in 4m1s
2026-05-11 16:12:15 +09:00
oysteikt a60be532ce packages/mediawiki-extensions: bump all
2026-05-11 16:11:10 +09:00
oysteikt 9c142fd56f kommode/gitea: remove deprecated config options
Build topology graph / evals (push) Successful in 2m34s
Eval nix flake / evals (push) Successful in 4m37s
2026-05-11 16:00:51 +09:00
oysteikt b98e8679e6 temmie/userweb: set same phpOptions for env and apache
Build topology graph / evals (push) Successful in 2m30s
Eval nix flake / evals (push) Successful in 4m3s
2026-05-11 14:54:56 +09:00
oysteikt ea092ec0b3 temmie/userweb: pass userdir user to sendmail through custom envvar
Build topology graph / evals (push) Successful in 2m49s
Eval nix flake / evals (push) Successful in 4m38s
2026-05-11 14:26:47 +09:00
oysteikt 5e50b617fb temmie/userweb: switch from postfix to nullmailer
Build topology graph / evals (push) Successful in 2m51s
Eval nix flake / evals (push) Successful in 4m36s
2026-05-11 13:52:58 +09:00
oysteikt 258c5a7b25 temmie/userweb: set up sendmail wrapper
Build topology graph / evals (push) Successful in 3m48s
Eval nix flake / evals (push) Successful in 4m5s
2026-05-11 12:26:39 +09:00
oysteikt b9eda3dc56 temmie/userweb: reduce package list
Build topology graph / evals (push) Successful in 2m59s
Eval nix flake / evals (push) Successful in 4m5s
2026-05-11 10:17:09 +09:00
vegardbm 2fcaf5893f fix deprecation warning for mediawiki update script
Build topology graph / evals (push) Successful in 2m56s
Eval nix flake / evals (push) Successful in 5m1s
2026-05-09 20:40:14 +02:00
oysteikt b009da31af temmie/userweb: deny a bunch of spooky directories by default
Build topology graph / evals (push) Successful in 3m57s
Eval nix flake / evals (push) Successful in 5m13s
It should still be possible for the user to re-enable these with
`.htaccess`
2026-05-10 03:33:43 +09:00
oysteikt e9a267e2a3 temmie/userweb: ignore collisions in fhs env
Build topology graph / evals (push) Successful in 3m51s
Eval nix flake / evals (push) Successful in 4m14s
2026-05-10 03:02:27 +09:00
oysteikt 338c2f2531 temmie/userweb: adjust perl and php env
This adds and removes a few packages to make the environments closer to
how they are on tom
2026-05-10 03:02:26 +09:00
felixalb 8db3034baf Run shellcheck
Eval nix flake / evals (pull_request) Successful in 4m11s
Build topology graph / evals (push) Successful in 2m53s
Eval nix flake / evals (push) Successful in 4m7s
2026-05-08 09:31:35 +02:00
oysteikt f64f9c944e topology: hook skrot up to the switch at the office
Build topology graph / evals (push) Successful in 2m51s
Eval nix flake / evals (push) Successful in 4m9s
2026-05-08 16:27:01 +09:00
oysteikt baeb1e5e60 base/hardening: move hardening options from base/default
Build topology graph / evals (push) Successful in 3m57s
Eval nix flake / evals (push) Successful in 4m45s
2026-05-08 16:23:17 +09:00
oysteikt 86ca8dcdc3 base/hardening: ban a bunch more unimportant kernel modules
2026-05-08 16:23:17 +09:00
danio 11d1f8b442 bakke: the owls sick motorbike
Build topology graph / evals (push) Successful in 4m7s
Eval nix flake / evals (pull_request) Successful in 4m40s
Eval nix flake / evals (push) Successful in 4m11s
2026-05-08 03:07:09 +02:00
felixalb d8115c4031 bakke: add shading
2026-05-08 03:06:06 +02:00
felixalb 0d41326d9f bakke: rest of the owl
2026-05-08 03:06:06 +02:00
felixalb 7baf3ffcb4 bakke: uninit
2026-05-08 03:06:06 +02:00
danio 45f10be9b4 secrets: delete skrott
Build topology graph / evals (push) Successful in 3m53s
Eval nix flake / evals (push) Successful in 4m26s
2026-05-08 03:01:11 +02:00
danio 06cd860d2f README: change skrot link to point to skrot, not skrott
Build topology graph / evals (push) Successful in 2m33s
Eval nix flake / evals (push) Successful in 4m21s
2026-05-08 02:38:54 +02:00
danio ebd8b871f4 skrott: yeetus deletus
Build topology graph / evals (push) Successful in 2m43s
Eval nix flake / evals (push) Successful in 4m59s
2026-05-08 01:08:48 +02:00
danio 14994485c5 base: mitigate dirtyfrag
2026-05-08 01:03:45 +02:00
oysteikt f2752ee9a6 .gitea/workflows/*: remove redundant config
Build topology graph / evals (push) Successful in 2m58s
Eval nix flake / evals (push) Successful in 5m7s
All of the extra config is now being included by default with the github
action
2026-05-06 23:34:22 +09:00
oysteikt bb20f32df8 .gitea/workflows: simplify some steps
Build topology graph / evals (push) Successful in 4m34s
Eval nix flake / evals (push) Successful in 5m57s
2026-04-29 08:34:38 +09:00
oysteikt f83ae6de37 flake.lock: bump roowho2
Build topology graph / evals (push) Successful in 2m54s
Eval nix flake / evals (push) Successful in 4m42s
2026-04-29 08:29:02 +09:00
oysteikt f490e64516 flake.nix: bump greg-ng and gergle
Build topology graph / evals (push) Successful in 2m58s
Eval nix flake / evals (push) Successful in 6m25s
Also follow unstable nixpkgs in order to use bleeding edge flutter
2026-04-25 07:09:41 +09:00
vegardbm 61c6639d3a remove inactive users
Build topology graph / evals (push) Successful in 2m50s
Eval nix flake / evals (push) Successful in 4m39s
2026-04-23 14:18:52 +02:00
oysteikt eee7e9ad7b lupine/gitea-runner: register docker images for alpine v3.23 and ubuntu 26.04
Build topology graph / evals (push) Successful in 2m38s
Eval nix flake / evals (push) Successful in 4m39s
2026-04-23 21:05:23 +09:00
oysteikt 3160d64167 packages/bluemap: 5.15 -> 5.20
Build topology graph / evals (push) Successful in 2m58s
Eval nix flake / evals (push) Successful in 5m6s
2026-04-19 05:31:15 +09:00
oysteikt 23355317d6 lupine-3: update hardware config
Build topology graph / evals (push) Successful in 2m54s
Eval nix flake / evals (push) Successful in 5m14s
2026-04-19 01:26:25 +09:00
oysteikt 683e4b2dbc lupine-3: update sops key
2026-04-19 01:26:12 +09:00
oysteikt f52cf697cc lupine-5: update hardware config
Build topology graph / evals (push) Failing after 2m33s
Eval nix flake / evals (push) Successful in 5m18s
2026-04-19 00:38:32 +09:00
oysteikt 8a9e92c706 lupine-5: update sops key
2026-04-19 00:38:24 +09:00
oysteikt 6dce8bac0e lupine-4: re-enable gitea runner
Build topology graph / evals (push) Successful in 3m4s
Eval nix flake / evals (push) Successful in 5m41s
2026-04-19 00:22:30 +09:00
oysteikt e2abbf224b lupine-{1,2,4}: update hardware config
Build topology graph / evals (push) Failing after 1s
Eval nix flake / evals (push) Failing after 51s
2026-04-18 23:58:53 +09:00
oysteikt a399f23785 lupine-{1,2,4}: update sops keys
2026-04-18 23:58:43 +09:00
oysteikt 69a22e2ba0 flake.lock: bump
Build topology graph / evals (push) Successful in 4m4s
Eval nix flake / evals (push) Successful in 10m52s
2026-04-02 13:06:30 +09:00
oysteikt 6be23feeca packages/ooye: 3.3-unstable-2026-01-21 -> 3.5.1
Build topology graph / evals (push) Successful in 4m0s
Eval nix flake / evals (push) Successful in 8m39s
2026-04-02 12:44:43 +09:00
vegardbm 1bfd4fe595 avoid using lupine-4 for gitea actions
Build topology graph / evals (push) Successful in 3m25s
Eval nix flake / evals (push) Successful in 10m2s
2026-03-26 06:05:41 +01:00
felixalb 2efe4a1d1e Revert "base/acme: use different email alias for account"
Build topology graph / evals (push) Successful in 3m27s
Eval nix flake / evals (push) Successful in 8m41s
This reverts commit 0d40c7d7a7.
2026-03-22 12:52:33 +01:00
oysteikt 6ef02bd485 kommode/gitea: allow me to go fork myself
Eval nix flake / evals (push) Failing after 4m1s
Build topology graph / evals (push) Successful in 4m7s
2026-03-10 14:50:56 +09:00
vegardbm 6b1fb4c065 only cross-compile when necessary
Build topology graph / evals (push) Successful in 3m59s
Eval nix flake / evals (push) Successful in 10m4s
This fixes issues with rebuilding georg and brzeczyszczykiewicz.

Reviewed-on: #128
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
Co-authored-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>
Co-committed-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>
2026-02-21 21:14:04 +01:00
152 changed files with 3117 additions and 7063 deletions
+3 -6
@@ -7,16 +7,13 @@ jobs:
evals:
runs-on: debian-latest
steps:
- name: Install sudo
run: apt-get install --update --assume-yes sudo
- uses: actions/checkout@v6
- name: Install sudo
run: apt-get update && apt-get -y install sudo
- uses: https://github.com/cachix/install-nix-action@v31
- name: Configure Nix
run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
- name: Build topology graph
run: nix build .#topology -L
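Review bot: both actions in this hunk are referenced by floating tags (`actions/checkout@v6`, `https://github.com/cachix/install-nix-action@v31`), and with the `Configure Nix` step and its explicit `trusted-users = root` / `experimental-features` line removed, the runner's entire Nix setup is now whatever the action ships on the day the tag moves. Pin both to a full commit SHA (keep the tag in a trailing comment) so a retagged release cannot silently change what runs as root in the CI container. Separately, whichever of the two sudo-install forms survives, `apt-get install --update --assume-yes sudo` relies on an apt new enough to accept `--update` on `install`; older apt rejects the flag and the job dies on its first step, so confirm what `debian-latest` actually ships.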
+5 -2
@@ -6,8 +6,11 @@ jobs:
evals:
runs-on: debian-latest
steps:
- name: Install sudo
run: apt-get install --update --assume-yes sudo
- uses: actions/checkout@v6
- run: apt-get update && apt-get -y install sudo
- uses: https://github.com/cachix/install-nix-action@v31
- run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
- run: nix flake check
+6 -47
@@ -10,18 +10,15 @@ keys:
- &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
# Hosts
- &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
- &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
- &host_ildkule age102e6y8gah0ntr6fxqnkpepc8ar29p6ls7ks9ka7v8w87q8scm9yqmc2u8d
- &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
- &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
- &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
- &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
- &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
- &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
- &host_skrott age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
- &host_lupine-1 age18lta9d683yekz487xwtd99da236d8mgk4ftlmv2jffx858p9qf2s9j868l
- &host_lupine-2 age1e0a4ru707v637wzmuxqv0xywmlkhunzgyfy4mrkjc7a23qq8msgq7nqtvt
- &host_lupine-3 age1wmrrhd5deatmgflkas636u3rzuk46u9knl02v4t39ncs37xqquhq9vwzye
- &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l
- &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn
- &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
creation_rules:
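Review bot: the recipients for lupine-1 through lupine-5 are swapped for new age keys and `host_skrott` / `host_ustetind` drop out of the recipient list, but editing `.sops.yaml` changes nothing in the encrypted files themselves: every `secrets/lupine/*.yaml` keeps its data key wrapped for the old host keys until `sops updatekeys` is run on it, and anything the old lupine, skrott or ustetind keys could decrypt stays decryptable from git history. If any of those old keys may have leaked (a reinstalled or retired box), rotate the secret values, not just the recipients. Also, `&host_ildkule` appears twice in this hunk; make sure only the new key survives in the merged file so the anchor is unambiguous.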
@@ -93,19 +90,6 @@ creation_rules:
pgp:
- *user_oysteikt
- path_regex: secrets/ustetind/[^/]+\.yaml$
key_groups:
- age:
- *host_ustetind
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
- path_regex: secrets/lupine/[^/]+\.yaml$
key_groups:
- age:
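Review bot: with the `secrets/ustetind/` rule gone, a leftover file under that path no longer matches any creation rule and `sops` refuses to encrypt it, which is the right fail-closed behaviour; remove the directory in the same change so nobody later re-creates it under a broader rule and quietly widens the recipient set.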
@@ -123,31 +107,6 @@ creation_rules:
pgp:
- *user_oysteikt
- path_regex: secrets/bakke/[^/]+\.yaml$
key_groups:
- age:
- *host_bakke
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
- path_regex: secrets/skrott/[^/]+\.yaml$
key_groups:
- age:
- *host_skrott
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
- path_regex: secrets/skrot/[^/]+\.yaml$
key_groups:
- age:
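Review bot: the bakke rule sits in this hunk next to the skrott one while `&host_bakke` is still defined in the keys section above. If the bakke rule was removed (the hunk header accounts for 25 removed lines), the `host_bakke` anchor is now dead and should go as well; if it was meant to stay, double-check it survived the merge. A dead anchor is harmless YAML but misleads anyone auditing which hosts can decrypt what.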
+4 -2
@@ -39,11 +39,12 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
| bikkje | Virtual | Experimental login box |
| [brzeczyszczykiewicz][brz] | Physical | Shared music player |
| [georg][geo] | Physical | Shared music player |
| [gluttony][glu] | Virtual | General purpose compute |
| [ildkule][ild] | Virtual | Logging and monitoring host, prometheus, grafana, ... |
| [kommode][kom] | Virtual | Gitea + Gitea pages |
| [lupine][lup] | Physical | Gitea CI/CD runners |
| shark | Virtual | Test host for authentication, absolutely horrendous |
| [skrot/skrott][skr] | Physical | Kiosk, snacks and soda |
| [skrot][skr] | Physical | Kiosk, snacks and soda |
| [wenche][wen] | Virtual | Nix-builders, general purpose compute |
## Documentation
@@ -57,8 +58,9 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
[bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
[brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
[geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
[glu]: https://wiki.pvv.ntnu.no/wiki/Maskiner/gluttony
[ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
[kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
[lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott
[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrot
[wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche
+4 -3
@@ -10,7 +10,10 @@
(fp /users)
(fp /modules/snakeoil-certs.nix)
./mitigations.nix
./flake-input-exporter.nix
./hardening.nix
./networking.nix
./nix.nix
./programs.nix
@@ -20,6 +23,7 @@
./services/acme.nix
./services/auto-upgrade.nix
./services/dbus.nix
./services/fluentbit.nix
./services/fwupd.nix
./services/irqbalance.nix
./services/journald-upload.nix
@@ -30,7 +34,6 @@
./services/postfix.nix
./services/prometheus-node-exporter.nix
./services/prometheus-systemd-exporter.nix
./services/promtail.nix
./services/roowho2.nix
./services/smartd.nix
./services/thermald.nix
@@ -68,8 +71,6 @@
fi
'';
# security.lockKernelModules = true;
security.protectKernelImage = true;
security.sudo.execWheelOnly = true;
security.sudo.extraConfig = ''
Defaults lecture = never
+71
@@ -0,0 +1,71 @@
{ ... }:
{
boot.blacklistedKernelModules = [
# Obscure network protocols
"appletalk"
"atm"
"ax25"
"batman-adv"
"can"
"dccp"
"ipx"
"llc"
"n-hdlc"
"netrom"
"p8022"
"p8023"
"psnap"
"rds"
"rose"
"sctp"
"tipc"
# Filesystems we don't use
"adfs"
"affs"
"befs"
"bfs"
"cifs"
"cramfs"
"efs"
"exofs"
"freevxfs"
"gfs2"
"hfs"
"hfsplus"
"hpfs"
"jffs2"
"jfs"
"minix"
"nilfs2"
"ntfs"
"omfs"
"orangefs"
"qnx4"
"qnx6"
"sysv"
"ubifs"
"udf"
"ufs"
# Legacy hardware
"pcspkr"
"floppy"
"parport"
"ppdev"
# Other stuff we don't use
"firewire-core"
"firewire-ohci"
"ksmbd"
"ib_core"
"l2tp_eth"
"l2tp_netlink"
"l2tp_ppp"
"nfc"
"soundwire"
];
# security.lockKernelModules = true;
security.protectKernelImage = true;
}
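Review bot: `boot.blacklistedKernelModules` only emits `blacklist <mod>` entries, which stop alias-triggered autoloading (a process opening an SCTP socket, a `mount -t cifs`); an explicit `modprobe sctp` by root or by a privileged unit still loads the module. mitigations.nix in this same change uses `install <mod> …/false` overrides, which do refuse explicit loads; give this list the same treatment, or uncomment `security.lockKernelModules` (still commented out here), if the goal is to keep these modules out of the kernel rather than merely not autoload them. Two smaller points: a blacklist has no effect on anything compiled into the kernel, so check the kernel config for entries here that are built in; and `rds` is on both this list and the one in mitigations.nix, which is harmless because the option is list-typed and merges, but one home for it is tidier.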
+24
@@ -0,0 +1,24 @@
{ pkgs, lib, ... }:
let
modulesToBan = [
# copy.fail
"af_alg"
"algif_aead"
"algif_hash"
"algif_rng"
"algif_skcipher"
# dirtyfrag / Fragnesia
"esp4"
"esp6"
"rxrpc"
# PinTheft
"rds"
];
in
{
boot.blacklistedKernelModules = modulesToBan;
boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
}
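Review bot: the `install <mod> false` override is the right mechanism, but a few entries are broad enough to deserve an inline comment. `esp4` / `esp6` disable kernel IPsec ESP outright, so any host that terminates IPsec (strongSwan, libreswan, L2TP/IPsec clients) stops working, and `af_alg` plus the `algif_*` modules remove the AF_ALG userspace crypto interface, which some crypto libraries probe at startup. Since `boot.blacklistedKernelModules` and `boot.extraModprobeConfig` are both derived from the same `modulesToBan` list, a host that needs one of these back must override both, which is worth stating in the file. Finally, `install` lines only govern modprobe; `modprobe --ignore-install` or a raw `insmod` of the module file bypasses them, which is the gap `security.lockKernelModules` (commented out in hardening.nix) would close.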
+7 -17
@@ -1,9 +1,4 @@
{
lib,
config,
inputs,
...
}:
{ lib, config, inputs, ... }:
{
nix = {
gc = {
@@ -16,21 +11,16 @@
allow-dirty = true;
auto-allocate-uids = true;
builders-use-substitutes = true;
experimental-features = [
"nix-command"
"flakes"
"auto-allocate-uids"
];
experimental-features = [ "nix-command" "flakes" "auto-allocate-uids" ];
log-lines = 50;
use-xdg-base-directories = true;
};
/*
This makes commandline tools like
** nix run nixpkgs#hello
** and nix-shell -p hello
** use the same channel the system
** was built with
/* This makes commandline tools like
** nix run nixpkgs#hello
** and nix-shell -p hello
** use the same channel the system
** was built with
*/
registry = lib.mkMerge [
{
+1 -1
@@ -2,7 +2,7 @@
{
security.acme = {
acceptTerms = true;
defaults.email = "acme-drift@pvv.ntnu.no";
defaults.email = "drift@pvv.ntnu.no";
};
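Review bot: the account email moves from `acme-drift@pvv.ntnu.no` back to `drift@pvv.ntnu.no`. In the NixOS ACME module the account directory is derived from the account settings (server, email, key type), so this registers a fresh account and re-runs the certificate services on the next activation of every host that imports base; roll it out once at a quiet time, since the comment right below about not spamming Let's Encrypt applies here too, and confirm `drift@` is an alias someone reads, because expiry warnings for certificates that fail to renew land there.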
# Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
+13 -27
@@ -1,10 +1,4 @@
{
config,
inputs,
pkgs,
lib,
...
}:
{ config, inputs, pkgs, lib, ... }:
let
inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs;
@@ -22,34 +16,26 @@ in
# --update-input is deprecated since nix 2.22, and removed in lix 2.90
# as such we instead use --override-input combined with --refresh
# https://git.lix.systems/lix-project/lix/issues/400
]
++ (lib.pipe inputUrls [
] ++ (lib.pipe inputUrls [
(lib.intersectAttrs {
nixpkgs = { };
nixpkgs-unstable = { };
})
(lib.mapAttrsToList (
input: url: [
"--override-input"
input
url
]
))
(lib.mapAttrsToList (input: url: ["--override-input" input url]))
lib.concatLists
]);
};
# workaround for https://github.com/NixOS/nix/issues/6895
# via https://git.lix.systems/lix-project/lix/issues/400
environment.etc =
lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable)
{
"current-system-flake-inputs.json".source = pkgs.writers.writeJSON "flake-inputs.json" (
lib.flip lib.mapAttrs inputs (
name: input:
# inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
lib.removeAttrs (input.sourceInfo or { }) [ "outPath" ] // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
)
);
};
environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) {
"current-system-flake-inputs.json".source
= pkgs.writers.writeJSON "flake-inputs.json" (
lib.flip lib.mapAttrs inputs (name: input:
# inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
// { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
)
);
};
}
+135
@@ -0,0 +1,135 @@
{ config, lib, ... }:
let
cfg = config.services.fluent-bit;
in
{
services.fluent-bit = {
enable = lib.mkDefault true;
settings = {
service = {
flush = 1;
log_level = "warn";
http_server = "on";
http_listen = "127.0.0.1";
http_port = 28183;
# filesystem-backed buffering so logs survives potential outages.
"storage.path" = "/var/lib/fluent-bit/storage";
"storage.sync" = "normal";
"storage.max_chunks_up" = 64;
"storage.backlog.mem_limit" = "16M";
};
pipeline = {
inputs = [{
name = "systemd";
tag = "journal.*";
db = "/var/lib/fluent-bit/journal.db";
read_from_tail = true;
strip_underscores = true;
lowercase = true;
max_entries = 1000;
"storage.type" = "filesystem";
}];
filters = [{
name = "modify";
match = "journal.*";
rename = [
"hostname host"
"priority level"
"systemd_unit unit"
];
}] ++ (lib.mapAttrsToList (k: v: {
name = "modify";
match = "journal.*";
condition = "Key_value_equals level ${k}";
set = "level ${v}";
}) {
"7" = "debug";
"6" = "info";
"5" = "notice";
"4" = "warning";
"3" = "error";
"2" = "crit";
"1" = "alert";
"0" = "emergency";
});
outputs = [{
name = "loki";
match = "*";
host = "ildkule.pvv.ntnu.no";
port = 3100;
uri = "/loki/api/v1/push";
compress = "gzip";
labels = lib.concatStringsSep ", " [
"job=systemd-journal"
];
label_keys = lib.concatMapStringsSep "," (k: "$" + k) [
"host"
"unit"
"level"
];
# JSON is probably fine for now, then we just extract the keys we want with the grafana web ui
# line_format = "key_value";
# drop_single_key = true;
"storage.total_limit_size" = "256M";
}];
};
};
};
systemd.services.fluent-bit = lib.mkIf cfg.enable {
serviceConfig = {
StateDirectory = "fluent-bit";
# NOTE: This hardening might be way too strong for general purpose use, don't upstream this.
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
# Lua JIT, maybe other things
MemoryDenyWriteExecute = false;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
UMask = "0077";
BindReadOnlyPaths = [
"/run/systemd/journal"
];
};
};
}
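Review bot: the loki output pushes the full journal of every host to `ildkule.pvv.ntnu.no:3100` over plain HTTP with no `tls` or credential keys set (the removed promtail config had the same weakness with its `http://` client URL). Journal lines routinely carry things nobody meant to log (tokens in URLs, usernames from failed logins, error messages with partial secret values), so either set `tls = "on"` against a certificate on ildkule or make sure port 3100 is reachable only from the internal server network and not from the office or kiosk segments. Two smaller points: with `read_from_tail = true` and the `journal.db` cursor the first run starts at the live end of the journal, so the 12 h of history promtail's `max_age` replayed on a fresh host is not backfilled, which is fine but deserves a comment next to `read_from_tail`; and `MemoryDenyWriteExecute = false` is justified by the Lua JIT comment, yet only `modify` filters are configured, so try `true` until a Lua filter is actually added.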
+1 -1
@@ -1,4 +1,4 @@
{ ... }:
{
services.irqbalance.enable = true;
}
}
+1 -6
@@ -1,9 +1,4 @@
{
config,
lib,
values,
...
}:
{ config, lib, values, ... }:
let
cfg = config.services.journald.upload;
in
+1 -4
@@ -1,10 +1,7 @@
{ ... }:
{
systemd.services.logrotate = {
documentation = [
"man:logrotate(8)"
"man:logrotate.conf(5)"
];
documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
unitConfig.RequiresMountsFor = "/var/log";
serviceConfig.ReadWritePaths = [ "/var/log" ];
};
+1 -4
@@ -11,10 +11,7 @@
};
};
networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [
80
443
];
networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
services.nginx = {
recommendedTlsSettings = true;
+5 -4
@@ -12,9 +12,10 @@
settings.PermitRootLogin = "yes";
};
users.users."root".openssh.authorizedKeys.keys = [
"ssh-rsa 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 openstack-sleipner"
users.users."root".openssh.authorizedKeys.keys = [
"ssh-rsa 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 openstack-sleipner"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
];
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
];
}
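Review bot: `settings.PermitRootLogin = "yes"` (the context line at the top of this hunk) lets root in with any authentication method sshd has enabled, including passwords if some host ever turns them on. Everything this file adds is two keys for the `sleipner` deployer, so `prohibit-password` gives the same deploy path while guaranteeing root stays key-only regardless of the rest of the sshd config. Consider also prefixing both keys with `from=` restricted to sleipner's addresses: they are root on every host that imports base.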
+1 -6
@@ -1,9 +1,4 @@
{
config,
pkgs,
lib,
...
}:
{ config, pkgs, lib, ... }:
let
cfg = config.services.postfix;
in
+1 -6
@@ -1,9 +1,4 @@
{
config,
lib,
values,
...
}:
{ config, lib, values, ... }:
let
cfg = config.services.prometheus.exporters.node;
in
@@ -1,9 +1,4 @@
{
config,
lib,
values,
...
}:
{ config, lib, values, ... }:
let
cfg = config.services.prometheus.exporters.systemd;
in
-47
@@ -1,47 +0,0 @@
{
config,
lib,
values,
...
}:
let
cfg = config.services.prometheus.exporters.node;
in
{
services.promtail = {
enable = lib.mkDefault true;
configuration = {
server = {
http_listen_port = 28183;
grpc_listen_port = 0;
};
clients = [
{
url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "systemd-journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = config.networking.hostName;
};
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
];
}
];
};
};
}
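Review bot: the removed file bound `cfg = config.services.prometheus.exporters.node` inside a promtail module, an obvious copy-paste leftover, so dropping it is a cleanup on its own. Comparing with the replacement, the `job`, `host`, `unit` and `level` labels all survive, but `level` here came from `__journal_priority_keyword` (already a word, syslog-style) whereas the new pipeline maps the numeric `priority` field itself to names like `error` and `emergency`; any Loki query or alert written against the old keyword values (`err`, `emerg`) needs updating.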
+4 -12
@@ -1,9 +1,4 @@
{
config,
pkgs,
lib,
...
}:
{ config, pkgs, lib, ... }:
{
services.smartd = {
# NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
@@ -19,12 +14,9 @@
};
};
environment.systemPackages = lib.optionals config.services.smartd.enable (
with pkgs;
[
smartmontools
]
);
environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
smartmontools
]);
systemd.services.smartd.unitConfig.ConditionVirtualization = "no";
}
+4 -4
@@ -2,7 +2,7 @@
{
# Let's not thermal throttle
services.thermald.enable = lib.mkIf (lib.all (x: x) [
(config.nixpkgs.system == "x86_64-linux")
(!config.boot.isContainer or false)
]) true;
}
(config.nixpkgs.system == "x86_64-linux")
(!config.boot.isContainer or false)
]) true;
}
+34 -42
@@ -1,9 +1,4 @@
{
config,
pkgs,
lib,
...
}:
{ config, pkgs, lib, ... }:
let
cfg = config.services.uptimed;
in
@@ -20,48 +15,45 @@ in
services.uptimed = {
enable = true;
settings =
let
stateDir = "/var/lib/uptimed";
in
{
PIDFILE = "${stateDir}/pid";
SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
};
settings = let
stateDir = "/var/lib/uptimed";
in {
PIDFILE = "${stateDir}/pid";
SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
};
};
systemd.services.uptimed = lib.mkIf (cfg.enable) {
serviceConfig =
let
uptimed = pkgs.uptimed.overrideAttrs (prev: {
postPatch = ''
substituteInPlace Makefile.am \
--replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
substituteInPlace src/Makefile.am \
--replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
'';
});
serviceConfig = let
uptimed = pkgs.uptimed.overrideAttrs (prev: {
postPatch = ''
substituteInPlace Makefile.am \
--replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
substituteInPlace src/Makefile.am \
--replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
'';
});
in
{
Type = "notify";
in {
Type = "notify";
ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
BindReadOnlyPaths =
let
configFile = lib.pipe cfg.settings [
(lib.mapAttrsToList (
k: v: if builtins.isList v then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v else "${k}=${v}"
))
(lib.concatStringsSep "\n")
(pkgs.writeText "uptimed.conf")
];
in
[
"${configFile}:/var/lib/uptimed/uptimed.conf"
];
};
BindReadOnlyPaths = let
configFile = lib.pipe cfg.settings [
(lib.mapAttrsToList
(k: v:
if builtins.isList v
then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v
else "${k}=${v}")
)
(lib.concatStringsSep "\n")
(pkgs.writeText "uptimed.conf")
];
in [
"${configFile}:/var/lib/uptimed/uptimed.conf"
];
};
};
};
}
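Review bot: `lib.mapConcatStringsSep` in the list branch of the `configFile` builder is carried over unchanged; I cannot find a function by that name in nixpkgs lib (the one that matches the usage is `lib.concatMapStringsSep`), and because the branch is only forced when a setting value is a list, `nix flake check` never exercises it. Rename it, or add a list-valued setting somewhere so the error surfaces, rather than leaving a latent evaluation failure behind the reformatting.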
+4 -11
@@ -1,15 +1,8 @@
{ config, fp, lib, ... }:
{
config,
fp,
lib,
...
}:
{
sops.defaultSopsFile =
let
secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
in
lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
sops.defaultSopsFile = let
secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
Generated
+60 -43
View File
@@ -1,5 +1,20 @@
{
"nodes": {
"crane": {
"locked": {
"lastModified": 1776635034,
"narHash": "sha256-OEOJrT3ZfwbChzODfIH4GzlNTtOFuZFWPtW7jIeR8xU=",
"owner": "ipetkov",
"repo": "crane",
"rev": "dc7496d8ea6e526b1254b55d09b966e94673750f",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"dibbler": {
"inputs": {
"nixpkgs": [
@@ -47,11 +62,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1765835352,
"narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
"lastModified": 1772408722,
"narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "a34fae9c08a15ad73f295041fec82323541400a9",
"rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
"type": "github"
},
"original": {
@@ -63,15 +78,15 @@
"gergle": {
"inputs": {
"nixpkgs": [
"nixpkgs"
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1767906545,
"narHash": "sha256-LOf08pcjEQFLs3dLPuep5d1bAXWOFcdfxuk3YMb5KWw=",
"lastModified": 1777067150,
"narHash": "sha256-vqPz8jCS1zTQlvmgctUFpvnr6f9ISR5h7CPG/HgQvf0=",
"ref": "main",
"rev": "e55cbe0ce0b20fc5952ed491fa8a553c8afb1bdd",
"revCount": 23,
"rev": "b452a854fb78d6df9fe062b45e23a968657d115d",
"revCount": 35,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
},
@@ -84,15 +99,15 @@
"greg-ng": {
"inputs": {
"nixpkgs": [
"nixpkgs"
"nixpkgs-unstable"
],
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1767906494,
"narHash": "sha256-Dd6gtdZfRMAD6JhdX0GdJwIHVaBikePSpQXhIdwLlWI=",
"lastModified": 1777019032,
"narHash": "sha256-29lw7THThWb5DW01rVRj1b816Apwz/P4m2wVWaSIadU=",
"ref": "main",
"rev": "7258822e2e90fea2ea00b13b5542f63699e33a9e",
"rev": "55262afca46c96f75a834d4e00e30d5fb20affb6",
"revCount": 61,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
@@ -217,11 +232,11 @@
]
},
"locked": {
"lastModified": 1769018862,
"narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=",
"lastModified": 1778407980,
"narHash": "sha256-r980BhsReZQe6FkmyNZkwCZpvzARo5jZgTl8HxjAssY=",
"owner": "oddlama",
"repo": "nix-topology",
"rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f",
"rev": "ca0a602f650306d00d6f3e3c76d0f4c48a5c5adc",
"type": "github"
},
"original": {
@@ -233,11 +248,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1769724120,
"narHash": "sha256-oQBM04hQk1kotfv4qmIG1tHmuwODd1+hqRJE5TELeCE=",
"rev": "8ec59ed5093c2a742d7744e9ecf58f358aa4a87d",
"lastModified": 1778544512,
"narHash": "sha256-VIsPgfIpZ/01XUO6WN+o1NZbP5iKPKPHdHPWqfm4XIg=",
"rev": "c417517f9d525181ee5619c683419d308ee29fe8",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4961.8ec59ed5093c/nixexprs.tar.xz"
"url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.10745.c417517f9d52/nixexprs.tar.xz"
},
"original": {
"type": "tarball",
@@ -246,11 +261,11 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1765674936,
"narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
"lastModified": 1772328832,
"narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
"rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742",
"type": "github"
},
"original": {
@@ -261,11 +276,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1769813739,
"narHash": "sha256-RmNWW1DQczvDwBHu11P0hGwJZxbngdoymVu7qkwq/2M=",
"rev": "16a3cae5c2487b1afa240e5f2c1811f172419558",
"lastModified": 1778586796,
"narHash": "sha256-XmDljcG4x8slQDlsWOc77pCA1YVuYn8JGumkYlhfTxI=",
"rev": "b25e938b89759b5f9466fc53c4a970244f84dc39",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre937548.16a3cae5c248/nixexprs.tar.xz"
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre996582.b25e938b8975/nixexprs.tar.xz"
},
"original": {
"type": "tarball",
@@ -300,11 +315,11 @@
]
},
"locked": {
"lastModified": 1769009806,
"narHash": "sha256-52xTtAOc9B+MBRMRZ8HI6ybNsRLMlHHLh+qwAbaJjRY=",
"lastModified": 1778960428,
"narHash": "sha256-YAs3LbFGlBLJW3xHeoQfTq2GBBXTvuSKl2WXDtloczU=",
"ref": "main",
"rev": "aa8adfc6a4d5b6222752e2d15d4a6d3b3b85252e",
"revCount": 575,
"rev": "927748790b1f7159adfe32a3ad9ec01d22e9c5a2",
"revCount": 583,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
},
@@ -358,22 +373,24 @@
},
"roowho2": {
"inputs": {
"crane": "crane",
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay_3"
},
"locked": {
"lastModified": 1769834595,
"narHash": "sha256-P1jrO7BxHyIKDuOXHuUb7bi4H2TuYnACW5eqf1gG47g=",
"lastModified": 1778600367,
"narHash": "sha256-YB0b2xUf4D8792D5Ay//7C3AjHyv+9yoy8K1mTe+wvE=",
"ref": "main",
"rev": "def4eec2d59a69b4638b3f25d6d713b703b2fa56",
"revCount": 49,
"rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
"revCount": 91,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
},
"original": {
"ref": "main",
"rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
}
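Review bot: the `original` block for `roowho2` now carries a fixed `"rev"`, mirroring the `&rev=` pin added to `roowho2.url` in flake.nix; with the rev in `original`, `nix flake update` will no longer move this input, so the reason for the pin (what breaks on a newer roowho2) should be recorded as a comment next to the input in flake.nix, otherwise the next person will wonder why this one is stuck while everything else gets bumped.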
@@ -386,11 +403,11 @@
]
},
"locked": {
"lastModified": 1767840362,
"narHash": "sha256-ZtsFqUhilubohNZ1TgpQIFsi4biZTwRH9rjZsDRDik8=",
"lastModified": 1777000482,
"narHash": "sha256-CZ5FKUSA8FCJf0h9GWdPJXoVVDL9H5yC74GkVc5ubIM=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "d159ea1fc321c60f88a616ac28bab660092a227d",
"rev": "403c09094a877e6c4816462d00b1a56ff8198e06",
"type": "github"
},
"original": {
@@ -428,11 +445,11 @@
]
},
"locked": {
"lastModified": 1769309768,
"narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=",
"lastModified": 1776914043,
"narHash": "sha256-qug5r56yW1qOsjSI99l3Jm15JNT9CvS2otkXNRNtrPI=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5",
"rev": "2d35c4358d7de3a0e606a6e8b27925d981c01cc3",
"type": "github"
},
"original": {
@@ -448,11 +465,11 @@
]
},
"locked": {
"lastModified": 1769469829,
"narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
"lastModified": 1777944972,
"narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
"rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
"type": "github"
},
"original": {
+320 -392
View File
@@ -32,13 +32,13 @@
minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main";
roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main&rev=8e5f2849ff7c9616100fe928261512a7ad647939";
roowho2.inputs.nixpkgs.follows = "nixpkgs";
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
greg-ng.inputs.nixpkgs.follows = "nixpkgs";
greg-ng.inputs.nixpkgs.follows = "nixpkgs-unstable";
gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git?ref=main";
gergle.inputs.nixpkgs.follows = "nixpkgs";
gergle.inputs.nixpkgs.follows = "nixpkgs-unstable";
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git?ref=master";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
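Review bot: two unrelated changes share this hunk, pinning `roowho2` to a fixed `rev` and switching `greg-ng` and `gergle` to follow `nixpkgs-unstable`, and neither carries a comment. Add one line for each: why the pin exists, and why those two inputs need unstable while `grzegorz-clients` right below (used on the same hosts) stays on `nixpkgs`. That mismatch is exactly the kind of thing that gets "fixed" back by the next tidy-up if the reason is not written down.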
@@ -49,403 +49,331 @@
qotd.inputs.nixpkgs.follows = "nixpkgs";
};
outputs =
{
self,
nixpkgs,
nixpkgs-unstable,
sops-nix,
disko,
...
}@inputs:
let
inherit (nixpkgs) lib;
systems = [
"x86_64-linux"
"aarch64-linux"
"aarch64-darwin"
];
forAllSystems = f: lib.genAttrs systems f;
allMachines = builtins.attrNames self.nixosConfigurations;
importantMachines = [
"bekkalokk"
"bicep"
"brzeczyszczykiewicz"
"georg"
"ildkule"
];
in
{
inputs = lib.mapAttrs (_: src: src.outPath) inputs;
outputs = {
self,
nixpkgs,
nixpkgs-unstable,
sops-nix,
disko,
...
} @ inputs: let
inherit (nixpkgs) lib;
systems = [
"x86_64-linux"
"aarch64-linux"
"aarch64-darwin"
];
forAllSystems = f: lib.genAttrs systems f;
allMachines = builtins.attrNames self.nixosConfigurations;
importantMachines = [
"bekkalokk"
"bicep"
"georg"
"ildkule"
"kommode"
"lupine-1"
"skrot"
];
in {
inputs = lib.mapAttrs (_: src: src.outPath) inputs;
pkgs = forAllSystems (
system:
import nixpkgs {
inherit system;
config.allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
];
}
);
nixosConfigurations =
let
nixosConfig =
nixpkgs: name: configurationPath:
extraArgs@{
localSystem ? "x86_64-linux", # buildPlatform
crossSystem ? "x86_64-linux", # hostPlatform
specialArgs ? { },
modules ? [ ],
overlays ? [ ],
enableDefaults ? true,
...
}:
let
commonPkgsConfig = {
inherit localSystem crossSystem;
config.allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
];
overlays =
(lib.optionals enableDefaults [
# Global overlays go here
inputs.roowho2.overlays.default
])
++ overlays;
};
pkgs = import nixpkgs commonPkgsConfig;
unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
in
lib.nixosSystem (
lib.recursiveUpdate
{
system = crossSystem;
inherit pkgs;
specialArgs = {
inherit inputs unstablePkgs;
values = import ./values.nix;
fp = path: ./${path};
}
// specialArgs;
modules = [
{
networking.hostName = lib.mkDefault name;
}
configurationPath
]
++ (lib.optionals enableDefaults [
sops-nix.nixosModules.sops
inputs.roowho2.nixosModules.default
self.nixosModules.rsync-pull-targets
])
++ modules;
}
(
builtins.removeAttrs extraArgs [
"localSystem"
"crossSystem"
"modules"
"overlays"
"specialArgs"
"enableDefaults"
]
)
);
stableNixosConfig =
name: extraArgs: nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
in
{
bakke = stableNixosConfig "bakke" {
modules = [
inputs.disko.nixosModules.disko
];
};
bicep = stableNixosConfig "bicep" {
modules = [
inputs.matrix-next.nixosModules.default
inputs.pvv-calendar-bot.nixosModules.default
inputs.minecraft-heatmap.nixosModules.default
self.nixosModules.gickup
self.nixosModules.matrix-ooye
];
overlays = [
inputs.pvv-calendar-bot.overlays.default
inputs.minecraft-heatmap.overlays.default
(final: prev: {
inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
})
];
};
bekkalokk = stableNixosConfig "bekkalokk" {
overlays = [
(final: prev: {
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
bluemap = final.callPackage ./packages/bluemap.nix { };
})
inputs.pvv-nettsiden.overlays.default
inputs.qotd.overlays.default
];
modules = [
inputs.pvv-nettsiden.nixosModules.default
self.nixosModules.bluemap
inputs.qotd.nixosModules.default
];
};
ildkule = stableNixosConfig "ildkule" { };
#ildkule-unstable = unstableNixosConfig "ildkule" { };
skrot = stableNixosConfig "skrot" {
modules = [
inputs.disko.nixosModules.disko
inputs.dibbler.nixosModules.default
];
overlays = [ inputs.dibbler.overlays.default ];
};
shark = stableNixosConfig "shark" { };
wenche = stableNixosConfig "wenche" { };
temmie = stableNixosConfig "temmie" { };
gluttony = stableNixosConfig "gluttony" { };
kommode = stableNixosConfig "kommode" {
overlays = [
inputs.nix-gitea-themes.overlays.default
];
modules = [
inputs.nix-gitea-themes.nixosModules.default
inputs.disko.nixosModules.disko
];
};
ustetind = stableNixosConfig "ustetind" {
modules = [
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
];
};
brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
modules = [
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.gergle.nixosModules.default
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
inputs.gergle.overlays.default
];
};
georg = stableNixosConfig "georg" {
modules = [
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.gergle.nixosModules.default
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
inputs.gergle.overlays.default
];
};
}
// (
let
skrottConfig = {
modules = [
(nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
inputs.dibbler.nixosModules.default
];
overlays = [
inputs.dibbler.overlays.default
(final: prev: {
# NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
atool = prev.emptyDirectory;
micro = prev.emptyDirectory;
ncdu = prev.emptyDirectory;
})
];
};
in
{
skrott = self.nixosConfigurations.skrott-native;
skrott-native = stableNixosConfig "skrott" (
skrottConfig
// {
localSystem = "aarch64-linux";
crossSystem = "aarch64-linux";
}
);
skrott-cross = stableNixosConfig "skrott" (
skrottConfig
// {
localSystem = "x86_64-linux";
crossSystem = "aarch64-linux";
}
);
skrott-x86_64 = stableNixosConfig "skrott" (
skrottConfig
// {
localSystem = "x86_64-linux";
crossSystem = "x86_64-linux";
}
);
}
)
// (
let
machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
stableLupineNixosConfig =
name: extraArgs: nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
in
lib.genAttrs machineNames (
name:
stableLupineNixosConfig name {
modules = [ { networking.hostName = name; } ];
specialArgs.lupineName = name;
}
)
);
nixosModules = {
bluemap = ./modules/bluemap.nix;
gickup = ./modules/gickup;
matrix-ooye = ./modules/matrix-ooye.nix;
robots-txt = ./modules/robots-txt.nix;
rsync-pull-targets = ./modules/rsync-pull-targets.nix;
snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix;
};
devShells = forAllSystems (system: {
default =
let
pkgs = import nixpkgs-unstable {
inherit system;
overlays = [
(final: prev: {
inherit (inputs.disko.packages.${system}) disko;
})
];
};
in
pkgs.callPackage ./shell.nix { };
cuda =
let
cuda-pkgs = import nixpkgs-unstable {
inherit system;
config = {
allowUnfree = true;
cudaSupport = true;
};
};
in
cuda-pkgs.callPackage ./shells/cuda.nix { };
pkgs = forAllSystems (system:
import nixpkgs {
inherit system;
config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg)
[
"nvidia-x11"
"nvidia-settings"
];
});
packages = {
"x86_64-linux" =
let
system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system};
in
rec {
default = important-machines;
important-machines = pkgs.linkFarm "important-machines" (
lib.getAttrs importantMachines self.packages.${system}
);
all-machines = pkgs.linkFarm "all-machines" (lib.getAttrs allMachines self.packages.${system});
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
bluemap = pkgs.callPackage ./packages/bluemap.nix { };
out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
}
//
# Mediawiki extensions
(lib.pipe null [
(_: pkgs.callPackage ./packages/mediawiki-extensions { })
(lib.flip builtins.removeAttrs [
"override"
"overrideDerivation"
nixosConfigurations = let
nixosConfig = nixpkgs: name: configurationPath: extraArgs @ {
localSystem ? "x86_64-linux", # buildPlatform
crossSystem ? "x86_64-linux", # hostPlatform
specialArgs ? {},
modules ? [],
overlays ? [],
enableDefaults ? true,
...
}: let
commonPkgsConfig =
{
config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg)
[
"nvidia-x11"
"nvidia-settings"
];
overlays =
(lib.optionals enableDefaults [
# Global overlays go here
inputs.roowho2.overlays.default
])
(lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
])
//
# Machines
lib.genAttrs allMachines (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
//
# Skrott is exception
{
skrott = self.packages.${system}.skrott-native-sd;
skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
++ overlays;
}
// (
if localSystem != crossSystem
then {
inherit localSystem crossSystem;
}
//
# Nix-topology
(
let
topology' = import inputs.nix-topology {
pkgs = import nixpkgs {
inherit system;
overlays = [
inputs.nix-topology.overlays.default
(final: prev: {
inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
})
];
};
else {
system = crossSystem;
}
);
pkgs = import nixpkgs commonPkgsConfig;
unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
in
lib.nixosSystem (
lib.recursiveUpdate
{
system = crossSystem;
specialArgs = {
values = import ./values.nix;
};
inherit pkgs;
modules = [
./topology
{
nixosConfigurations = lib.mapAttrs (
_name: nixosCfg:
nixosCfg.extendModules {
modules = [
inputs.nix-topology.nixosModules.default
./topology/service-extractors/greg-ng.nix
./topology/service-extractors/postgresql.nix
./topology/service-extractors/mysql.nix
./topology/service-extractors/gitea-runners.nix
];
}
) self.nixosConfigurations;
}
];
};
in
specialArgs =
{
topology = topology'.config.output;
topology-png =
pkgs.runCommand "pvv-config-topology-png"
{
nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
}
''
mkdir -p "$out"
for file in '${topology'.config.output}'/*.svg; do
${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
done
'';
inherit inputs unstablePkgs;
values = import ./values.nix;
fp = path: ./${path};
}
);
};
// specialArgs;
modules =
[
{
networking.hostName = lib.mkDefault name;
}
configurationPath
]
++ (lib.optionals enableDefaults [
sops-nix.nixosModules.sops
inputs.roowho2.nixosModules.default
self.nixosModules.rsync-pull-targets
])
++ modules;
}
(builtins.removeAttrs extraArgs [
"localSystem"
"crossSystem"
"modules"
"overlays"
"specialArgs"
"enableDefaults"
])
);
stableNixosConfig = name: extraArgs:
nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
in
{
bicep = stableNixosConfig "bicep" {
modules = [
inputs.matrix-next.nixosModules.default
inputs.pvv-calendar-bot.nixosModules.default
inputs.minecraft-heatmap.nixosModules.default
self.nixosModules.gickup
self.nixosModules.matrix-ooye
];
overlays = [
inputs.pvv-calendar-bot.overlays.default
inputs.minecraft-heatmap.overlays.default
(final: prev: {
inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
})
];
};
bekkalokk = stableNixosConfig "bekkalokk" {
overlays = [
(final: prev: {
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions {};
simplesamlphp = final.callPackage ./packages/simplesamlphp {};
bluemap = final.callPackage ./packages/bluemap.nix {};
})
inputs.pvv-nettsiden.overlays.default
inputs.qotd.overlays.default
];
modules = [
inputs.pvv-nettsiden.nixosModules.default
self.nixosModules.bluemap
inputs.qotd.nixosModules.default
];
};
ildkule = stableNixosConfig "ildkule" {
modules = [
inputs.disko.nixosModules.disko
];
};
#ildkule-unstable = unstableNixosConfig "ildkule" { };
skrot = stableNixosConfig "skrot" {
modules = [
inputs.disko.nixosModules.disko
inputs.dibbler.nixosModules.default
];
overlays = [inputs.dibbler.overlays.default];
};
shark = stableNixosConfig "shark" {};
wenche = stableNixosConfig "wenche" {};
temmie = stableNixosConfig "temmie" {};
gluttony = stableNixosConfig "gluttony" {};
kommode = stableNixosConfig "kommode" {
overlays = [
inputs.nix-gitea-themes.overlays.default
];
modules = [
inputs.nix-gitea-themes.nixosModules.default
inputs.disko.nixosModules.disko
];
};
brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
modules = [
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.gergle.nixosModules.default
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
inputs.gergle.overlays.default
];
};
georg = stableNixosConfig "georg" {
modules = [
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.gergle.nixosModules.default
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
inputs.gergle.overlays.default
];
};
}
// (let
machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
stableLupineNixosConfig = name: extraArgs:
nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
in
lib.genAttrs machineNames (name:
stableLupineNixosConfig name {
modules = [{networking.hostName = name;}];
specialArgs.lupineName = name;
}));
nixosModules = {
bluemap = ./modules/bluemap.nix;
gickup = ./modules/gickup;
matrix-ooye = ./modules/matrix-ooye.nix;
robots-txt = ./modules/robots-txt.nix;
rsync-pull-targets = ./modules/rsync-pull-targets.nix;
snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix;
};
devShells = forAllSystems (system: {
default = let
pkgs = import nixpkgs-unstable {
inherit system;
overlays = [
(final: prev: {
inherit (inputs.disko.packages.${system}) disko;
})
];
};
in
pkgs.callPackage ./shell.nix {};
cuda = let
cuda-pkgs = import nixpkgs-unstable {
inherit system;
config = {
allowUnfree = true;
cudaSupport = true;
};
};
in
cuda-pkgs.callPackage ./shells/cuda.nix {};
});
packages = {
"x86_64-linux" = let
system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system};
in
rec {
default = important-machines;
important-machines =
pkgs.linkFarm "important-machines"
(lib.getAttrs importantMachines self.packages.${system});
all-machines =
pkgs.linkFarm "all-machines"
(lib.getAttrs allMachines self.packages.${system});
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp {};
bluemap = pkgs.callPackage ./packages/bluemap.nix {};
out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix {};
}
//
# Mediawiki extensions
(lib.pipe null [
(_: pkgs.callPackage ./packages/mediawiki-extensions {})
(lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
(lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
])
//
# Machines
lib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
//
# Nix-topology
(let
topology' = import inputs.nix-topology {
pkgs = import nixpkgs {
inherit system;
overlays = [
inputs.nix-topology.overlays.default
(final: prev: {
inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
})
];
};
specialArgs = {
values = import ./values.nix;
};
modules = [
./topology
{
nixosConfigurations = lib.mapAttrs (_name: nixosCfg:
nixosCfg.extendModules {
modules = [
inputs.nix-topology.nixosModules.default
./topology/service-extractors/greg-ng.nix
./topology/service-extractors/postgresql.nix
./topology/service-extractors/mysql.nix
./topology/service-extractors/gitea-runners.nix
];
})
self.nixosConfigurations;
}
];
};
in {
topology = topology'.config.output;
topology-png =
pkgs.runCommand "pvv-config-topology-png" {
nativeBuildInputs = [pkgs.writableTmpDirAsHomeHook];
} ''
mkdir -p "$out"
for file in '${topology'.config.output}'/*.svg; do
${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
done
'';
});
};
};
}
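Review bot: the host list and `importantMachines` diverge in this hunk. `bakke` and `ustetind` are dropped from `nixosConfigurations`, which matches the deleted `hosts/bakke` files and the ustetind sops removal, but `importantMachines` also drops `brzeczyszczykiewicz` while adding `kommode`, `lupine-1` and `skrot`, and `brzeczyszczykiewicz` is still a configured host. If it is intentionally no longer part of the default `important-machines` package, say so in the commit; otherwise this looks like an accidental drop. Two more things deserve a line in the commit message or a comment: `commonPkgsConfig` now passes `localSystem`/`crossSystem` only when they differ and `system = crossSystem` otherwise (presumably to avoid a cross-compile pkgs set on native builds), and `ildkule` quietly gains `inputs.disko.nixosModules.disko`.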
-26
View File
@@ -1,26 +0,0 @@
{
config,
pkgs,
values,
...
}:
{
imports = [
./hardware-configuration.nix
../../base
./filesystems.nix
];
networking.hostId = "99609ffc";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0";
address = with values.hosts.bakke; [
(ipv4 + "/25")
(ipv6 + "/64")
];
};
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "24.05";
}
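Review bot: this file read its addresses from `values.hosts.bakke`, and the sops wiring derives the secrets file from `secrets/<hostName>/`; with the host removed, check that `values.nix` no longer carries the `bakke` entry and that no `secrets/bakke` directory or topology reference is left behind, so the dead address and any keys for a machine that no longer exists are cleaned up in the same change.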
-83
View File
@@ -1,83 +0,0 @@
{
# https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
# Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
disko.devices = {
disk = {
one = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
type = "EF00";
content = {
type = "mdraid";
name = "boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
two = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
type = "EF00";
content = {
type = "mdraid";
name = "boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
};
mdadm = {
boot = {
type = "mdadm";
level = 1;
metadata = "1.0";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
raid1 = {
type = "mdadm";
level = 1;
content = {
type = "gpt";
partitions.primary = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
}
-26
View File
@@ -1,26 +0,0 @@
{ pkgs, ... }:
{
# Boot drives:
boot.swraid.enable = true;
# ZFS Data pool:
boot = {
zfs = {
extraPools = [ "tank" ];
requestEncryptionCredentials = false;
};
supportedFilesystems.zfs = true;
# Use stable linux packages, these work with zfs
kernelPackages = pkgs.linuxPackages;
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
# NFS Exports:
#TODO
# NFS Import mounts:
#TODO
}
-70
View File
@@ -1,70 +0,0 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"ehci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [
"subvol=nix"
"noatime"
];
};
fileSystems."/boot" = {
device = "/dev/sdc2";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
+2 -10
View File
@@ -1,9 +1,4 @@
{
fp,
pkgs,
values,
...
}:
{ fp, pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
@@ -26,10 +21,7 @@
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0";
address = with values.hosts.bekkalokk; [
(ipv4 + "/25")
(ipv6 + "/64")
];
address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
services.btrfs.autoScrub.enable = true;
+16 -28
View File
@@ -1,43 +1,31 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"ehci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/sda1";
fsType = "btrfs";
};
fileSystems."/" =
{ device = "/dev/sda1";
fsType = "btrfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/CE63-3B9B";
fsType = "vfat";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/CE63-3B9B";
fsType = "vfat";
};
swapDevices = [
{ device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; }
];
swapDevices =
[ { device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
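Review bot: while this file is being reformatted anyway, `fileSystems."/"` still points at `/dev/sda1` by kernel device name, whereas `/boot` and the swap device use `/dev/disk/by-uuid/...`. Kernel names can shift when a disk is added or enumeration order changes, so the root entry should be switched to its by-uuid path like the other two.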
+70 -83
View File
@@ -1,15 +1,8 @@
{
config,
lib,
pkgs,
inputs,
...
}:
{ config, lib, pkgs, inputs, ... }:
let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
format = pkgs.formats.hocon { };
in
{
in {
# NOTE: our versino of the module gets added in flake.nix
disabledModules = [ "services/web-apps/bluemap.nix" ];
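Review bot: typo in the comment that survives the reformat: `versino` should read `version`.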
@@ -24,88 +17,82 @@ in
host = "minecraft.pvv.ntnu.no";
maps =
let
inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
in
{
"verden" = {
extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:overworld";
name = "Verden";
sorting = 0;
start-pos = {
x = 0;
z = 0;
};
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
};
"underverden" = {
extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_nether";
name = "Underverden";
sorting = 100;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#290000";
void-color = "#150000";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
render-mask = [
{
max-y = 90;
}
];
};
};
"enden" = {
extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_end";
name = "Enden";
sorting = 200;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#080010";
void-color = "#080010";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
maps = let
inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
in {
"verden" = {
extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:overworld";
name = "Verden";
sorting = 0;
start-pos = {
x = 0;
z = 0;
};
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
};
"underverden" = {
extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_nether";
name = "Underverden";
sorting = 100;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#290000";
void-color = "#150000";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
render-mask = [{
max-y = 90;
}];
};
};
"enden" = {
extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_end";
name = "Enden";
sorting = 200;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#080010";
void-color = "#080010";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
};
};
systemd.services."render-bluemap-maps" = {
serviceConfig = {
StateDirectory = [ "bluemap/world" ];
ExecStartPre =
let
rsyncArgs = lib.cli.toCommandLineShellGNU { } {
archive = true;
compress = true;
verbose = true;
no-owner = true;
no-group = true;
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
};
in
"${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
ExecStartPre = let
rsyncArgs = lib.cli.toCommandLineShellGNU { } {
archive = true;
compress = true;
verbose = true;
no-owner = true;
no-group = true;
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
};
in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
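Review bot: the rsync source in ExecStartPre is `root@innovation.pvv.ntnu.no:/`, the remote root pulled as root; unless the authorized_keys entry for `%d/sshkey` on innovation is pinned to a forced command (an rrsync restricted to the world directory), this key can read the entire remote filesystem, so please confirm that restriction is in place and mention it in a comment next to the `rsh` string. Since a known-hosts file is shipped as a credential, make the intent explicit with `-o StrictHostKeyChecking=yes` in the same `rsh` value; that way a stale `ssh-known-hosts` fails with a clear host-key error instead of whatever ssh's default mode does without a tty. The duplicated ExecStartPre block is just the before/after of the formatting change and is otherwise identical.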
@@ -1,16 +1,8 @@
{
config,
pkgs,
lib,
...
}:
{ config, pkgs, lib, ... }:
let
pwAuthScript = pkgs.writeShellApplication {
name = "pwauth";
runtimeInputs = with pkgs; [
coreutils
heimdal
];
runtimeInputs = with pkgs; [ coreutils heimdal ];
text = ''
read -r user1
user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
@@ -41,7 +33,7 @@ let
"metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
<?php
${lib.pipe config.services.idp.sp-remote-metadata [
${ lib.pipe config.services.idp.sp-remote-metadata [
(map (url: ''
$metadata['${url}'] = [
'SingleLogoutService' => [
@@ -93,20 +85,14 @@ let
substituteInPlace "$out" \
--replace-warn '$SAML_COOKIE_SECURE' 'true' \
--replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${
config.sops.secrets."idp/cookie_salt".path
}")' \
--replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
--replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
--replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${
config.sops.secrets."idp/admin_password".path
}")' \
--replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
--replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
--replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
--replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \
--replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${
config.sops.secrets."idp/postgres_password".path
}")' \
--replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
--replace-warn '$CACHE_DIRECTORY' '/var/cache/idp'
'';
@@ -172,25 +158,23 @@ in
services.phpfpm.pools.idp = {
user = "idp";
group = "idp";
settings =
let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in
{
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
settings = let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
# "php_admin_value[error_log]" = "stderr";
};
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
# "php_admin_value[error_log]" = "stderr";
};
};
services.nginx.virtualHosts."idp.pvv.ntnu.no" = {
@@ -198,7 +182,7 @@ in
enableACME = true;
kTLS = true;
root = "${package}/share/php/simplesamlphp/public";
locations = {
locations = {
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
"/" = {
alias = "${package}/share/php/simplesamlphp/public/";
+1 -6
View File
@@ -1,9 +1,4 @@
{
config,
pkgs,
lib,
...
}:
{ config, pkgs, lib, ... }:
{
security.krb5 = {
enable = true;
+42 -76
View File
@@ -1,12 +1,4 @@
{
pkgs,
lib,
fp,
config,
values,
...
}:
let
{ pkgs, lib, fp, config, values, ... }: let
cfg = config.services.mediawiki;
# "mediawiki"
@@ -17,9 +9,7 @@ let
simplesamlphp = pkgs.simplesamlphp.override {
extra_files = {
"metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (
import ../idp-simplesamlphp/metadata.php.nix
);
"metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
"config/authsources.php" = ./simplesaml-authsources.php;
@@ -28,49 +18,36 @@ let
substituteInPlace "$out" \
--replace-warn '$SAML_COOKIE_SECURE' 'true' \
--replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${
config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path
}")' \
--replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
--replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
--replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${
config.sops.secrets."mediawiki/simplesamlphp/admin_password".path
}")' \
--replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
--replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
--replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
--replace-warn '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
--replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${
config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path
}")' \
--replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
--replace-warn '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
'';
};
};
in
{
in {
services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
sops.secrets =
lib.pipe
[
"mediawiki/secret-key"
"mediawiki/password"
"mediawiki/postgres_password"
"mediawiki/simplesamlphp/postgres_password"
"mediawiki/simplesamlphp/cookie_salt"
"mediawiki/simplesamlphp/admin_password"
]
[
(map (
key:
lib.nameValuePair key {
owner = user;
group = group;
restartUnits = [ "phpfpm-mediawiki.service" ];
}
))
lib.listToAttrs
];
sops.secrets = lib.pipe [
"mediawiki/secret-key"
"mediawiki/password"
"mediawiki/postgres_password"
"mediawiki/simplesamlphp/postgres_password"
"mediawiki/simplesamlphp/cookie_salt"
"mediawiki/simplesamlphp/admin_password"
] [
(map (key: lib.nameValuePair key {
owner = user;
group = group;
restartUnits = [ "phpfpm-mediawiki.service" ];
}))
lib.listToAttrs
];
services.rsync-pull-targets = {
enable = true;
@@ -233,18 +210,18 @@ in
# EXT:WikiEditor
$wgWikiEditorRealtimePreview = true;
$wgSecretKey = file_get_contents("${config.sops.secrets."mediawiki/secret-key".path}");
'';
};
# Cache directory for simplesamlphp
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d =
lib.mkIf cfg.enable
{
user = "mediawiki";
group = "mediawiki";
mode = "0770";
};
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable {
user = "mediawiki";
group = "mediawiki";
mode = "0770";
};
users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ];
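Review bot: the tmpfiles rule creates `/var/cache/mediawiki/simplesamlphp`, but the simplesamlphp package in this same file substitutes `$CACHE_DIRECTORY` with `/var/cache/mediawiki/idp` (hunk at -28); one of the two paths is wrong, and simplesamlphp will try to write its cache into a directory nobody creates. Pick one name and use it in both places, e.g. change the substitution to `'/var/cache/mediawiki/simplesamlphp'` or point the tmpfiles rule at `/var/cache/mediawiki/idp`. Also, `users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ]` plus `mode = "0770"` gives nginx write access to that cache; that is fine as long as the `sops.secrets` entries above keep their default owner-only mode (they set only `owner` and `group`), so do not add a group-readable `mode` there later without remembering this membership.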
@@ -252,7 +229,7 @@ in
kTLS = true;
forceSSL = true;
enableACME = true;
locations = {
locations = {
"= /wiki/Main_Page" = lib.mkForce {
return = "301 /wiki/Programvareverkstedet";
};
@@ -278,22 +255,19 @@ in
"= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg;
"= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png;
"= /favicon.ico".alias =
pkgs.runCommandLocal "mediawiki-favicon.ico"
{
buildInputs = with pkgs; [ imagemagick ];
}
''
magick \
${fp /assets/logo_blue_regular.png} \
-resize x64 \
-gravity center \
-crop 64x64+0+0 \
-flatten \
-colors 256 \
-background transparent \
$out
'';
"= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
buildInputs = with pkgs; [ imagemagick ];
} ''
magick \
${fp /assets/logo_blue_regular.png} \
-resize x64 \
-gravity center \
-crop 64x64+0+0 \
-flatten \
-colors 256 \
-background transparent \
$out
'';
};
};
@@ -301,10 +275,6 @@ in
systemd.services.mediawiki-init = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ];
serviceConfig = {
BindReadOnlyPaths = [
"/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key"
];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
UMask = lib.mkForce "0007";
};
};
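Review bot: with `LoadCredential` and the `BindReadOnlyPaths` overlay removed (here and in the phpfpm-mediawiki hunk below), nothing fails loudly if the secret is absent or unreadable at start: `LoadCredential` made systemd refuse to start the unit in that case, whereas `$wgSecretKey = file_get_contents("${config.sops.secrets."mediawiki/secret-key".path}")` (hunk at -233) returns `false` and MediaWiki runs with an empty secret key. The `after = [ "sops-install-secrets.service" ]` ordering covers timing, and readability now rests on the `owner = user; group = group;` in the sops block. Consider an `ExecStartPre = "${pkgs.coreutils}/bin/test -s ${config.sops.secrets."mediawiki/secret-key".path}"` on both units so a permission regression stops the service instead of silently weakening it. `UMask = lib.mkForce "0007"` is unchanged and still applies.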
@@ -312,10 +282,6 @@ in
systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ];
serviceConfig = {
BindReadOnlyPaths = [
"/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key"
];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
UMask = lib.mkForce "0007";
};
};
+36 -38
View File
@@ -11,43 +11,41 @@ in
{
# Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
systemd.services = lib.genAttrs pools (_: {
serviceConfig =
let
caps = [
"CAP_NET_BIND_SERVICE"
"CAP_SETGID"
"CAP_SETUID"
"CAP_CHOWN"
"CAP_KILL"
"CAP_IPC_LOCK"
"CAP_DAC_OVERRIDE"
];
in
{
AmbientCapabilities = caps;
CapabilityBoundingSet = caps;
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = false;
NoNewPrivileges = true;
PrivateMounts = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RemoveIPC = true;
UMask = "0077";
RestrictNamespaces = "~mnt";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
KeyringMode = "private";
SystemCallFilter = [
"@system-service"
];
};
serviceConfig = let
caps = [
"CAP_NET_BIND_SERVICE"
"CAP_SETGID"
"CAP_SETUID"
"CAP_CHOWN"
"CAP_KILL"
"CAP_IPC_LOCK"
"CAP_DAC_OVERRIDE"
];
in {
AmbientCapabilities = caps;
CapabilityBoundingSet = caps;
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = false;
NoNewPrivileges = true;
PrivateMounts = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RemoveIPC = true;
UMask = "0077";
RestrictNamespaces = "~mnt";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
KeyringMode = "private";
SystemCallFilter = [
"@system-service"
];
};
});
}
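Review bot: `RestrictNamespaces = "~mnt"` forbids only mount namespaces and leaves user, pid, net, ipc and uts namespace creation available to every PHP worker; unless one of the pools actually needs those, `RestrictNamespaces = true` is the usual setting and closes a common container-escape-style primitive for free. A one-line comment on why `MemoryDenyWriteExecute = false` (presumably opcache's JIT) and why `CAP_DAC_OVERRIDE` has to stay in `caps` would help the next reader, since both are the settings most likely to be "tightened" by someone cleaning up this list later. The rest of the hunk is a pure reindentation.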
+40 -63
View File
@@ -1,52 +1,63 @@
{
config,
pkgs,
lib,
values,
...
}:
{ config, pkgs, lib, values, ... }:
let
cfg = config.services.vaultwarden;
domain = "pw.pvv.ntnu.no";
address = "127.0.1.2";
port = 3011;
wsPort = 3012;
in
{
sops.secrets."vaultwarden/environ" = {
in {
sops.secrets."vaultwarden/rsa_key.pem" = {
owner = "vaultwarden";
group = "vaultwarden";
mode = "440";
restartUnits = [ "vaultwarden.service" ];
};
sops.secrets."vaultwarden/rsa_key.pub.pem" = {
owner = "vaultwarden";
group = "vaultwarden";
mode = "440";
restartUnits = [ "vaultwarden.service" ];
};
sops.secrets."vaultwarden/env/DATABASE_PASSWORD" = { };
sops.secrets."vaultwarden/env/SMTP_PASSWORD" = { };
sops.templates."vaultwarden/environment_file" = {
owner = "vaultwarden";
group = "vaultwarden";
mode = "440";
restartUnits = [ "vaultwarden.service" ];
content = ''
DATABASE_URL=postgresql://vaultwarden:${config.sops.placeholder."vaultwarden/env/DATABASE_PASSWORD"}@postgres.pvv.ntnu.no/vaultwarden
SMTP_PASSWORD=${config.sops.placeholder."vaultwarden/env/SMTP_PASSWORD"}
'';
};
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = config.sops.secrets."vaultwarden/environ".path;
environmentFile = config.sops.templates."vaultwarden/environment_file".path;
config = {
domain = "https://${domain}";
DOMAIN = "https://${domain}";
rocketAddress = address;
rocketPort = port;
ROCKET_ADDRESS = address;
ROCKET_PORT = port;
websocketEnabled = true;
websocketAddress = address;
websocketPort = wsPort;
WEBSOCKET_ENABLED = true;
WEBSOCKET_ADDRESS = address;
WEBSOCKET_PORT = wsPort;
signupsAllowed = true;
signupsVerify = true;
signupsDomainsWhitelist = "pvv.ntnu.no";
SIGNUPS_ALLOWED = true;
SIGNUPS_VERIFY = true;
SIGNUPS_DOMAINS_WHITELIST = "pvv.ntnu.no";
smtpFrom = "vaultwarden@pvv.ntnu.no";
smtpFromName = "VaultWarden PVV";
SMTP_FROM = "vaultwarden@pvv.ntnu.no";
SMTP_FROM_NAME = "VaultWarden PVV";
smtpHost = "smtp.pvv.ntnu.no";
smtpUsername = "vaultwarden";
smtpSecurity = "force_tls";
smtpAuthMechanism = "Login";
SMTP_HOST = "smtp.pvv.ntnu.no";
SMTP_USERNAME = "vaultwarden";
SMTP_SECURITY = "force_tls";
SMTP_AUTH_MECHANISM = "Login";
# Configured in environ:
# databaseUrl = "postgresql://vaultwarden@/vaultwarden";
# smtpPassword = hemli
RSA_KEY_FILENAME = lib.removeSuffix ".pem" config.sops.secrets."vaultwarden/rsa_key.pem".path;
};
};
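Review bot: in `sops.templates."vaultwarden/environment_file"` the `DATABASE_PASSWORD` placeholder is spliced raw into `DATABASE_URL=postgresql://vaultwarden:...@postgres.pvv.ntnu.no/vaultwarden`; a password containing `@`, `/`, `:`, `#`, `?` or `%` breaks URL parsing or silently changes the host part, so either store it percent-encoded or note next to the template that it must be URL-safe. `RSA_KEY_FILENAME = lib.removeSuffix ".pem" config.sops.secrets."vaultwarden/rsa_key.pem".path` only lines up with the two secrets above because their names differ by exactly `.pem` and `.pub.pem` (vaultwarden appends those itself); a comment tying the three declarations together would stop someone from renaming one of them. `mode = "440"` on the private key is acceptable with owner and group both `vaultwarden`, though `"400"` states the intent more directly.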
@@ -73,40 +84,6 @@ in
};
};
systemd.services.vaultwarden = lib.mkIf cfg.enable {
serviceConfig = {
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
NoNewPrivileges = true;
# MemoryDenyWriteExecute = true;
PrivateMounts = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
};
};
services.rsync-pull-targets = {
enable = true;
locations."/var/lib/vaultwarden" = {
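Review bot: deleting this block is only a no-op if the upstream unit now carries the same settings, and this file no longer records them. After switching, verify with `systemctl show vaultwarden.service -p CapabilityBoundingSet -p PrivateUsers -p RestrictAddressFamilies -p SystemCallFilter` (or `systemd-analyze security vaultwarden.service`) that the empty capability sets, `PrivateUsers=yes`, the `AF_INET AF_INET6 AF_UNIX` restriction and `~@privileged` are still present; `RestrictNamespaces = true` and `ProcSubset = "pid"` are the ones most often missing from upstream hardening.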
+1 -7
View File
@@ -1,10 +1,4 @@
{
config,
values,
pkgs,
lib,
...
}:
{ config, values, pkgs, lib, ... }:
{
imports = [
./roundcube.nix
+30 -40
View File
@@ -1,9 +1,4 @@
{
config,
pkgs,
lib,
...
}:
{ config, pkgs, lib, ... }:
with lib;
let
@@ -14,29 +9,25 @@ in
sops.secrets."roundcube/postgres_password" = {
owner = "nginx";
group = "nginx";
restartUnits = [ "phpfpm-roundcube.service" ];
};
sops.secrets."roundcube/des_key" = {
owner = "nginx";
group = "nginx";
restartUnits = [ "phpfpm-roundcube.service" ];
};
services.roundcube = {
enable = true;
package = pkgs.roundcube.withPlugins (
plugins: with plugins; [
persistent_login
thunderbird_labels
contextmenu
custom_from
]
);
package = pkgs.roundcube.withPlugins (plugins: with plugins; [
persistent_login
thunderbird_labels
contextmenu
custom_from
]);
dicts = with pkgs.aspellDicts; [
en
en-computers
nb
nn
fr
de
it
];
dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
maxAttachmentSize = 20;
hostName = "roundcubeplaceholder.example.com";
@@ -54,6 +45,7 @@ in
$config['mail_domain'] = "pvv.ntnu.no";
$config['smtp_user'] = "%u";
$config['support_url'] = "";
$config['des_key'] = "${config.sops.secrets."roundcube/des_key".path}";
'';
};
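Review bot: `$config['des_key'] = "${config.sops.secrets."roundcube/des_key".path}";` assigns the secret's *path*, not its contents, so the key Roundcube uses to encrypt stored IMAP passwords and session data becomes a path string that anyone who can read this repo or the nix store knows. Use `file_get_contents()` as the other secrets on this page do, and trim the trailing newline so the value is exactly the 24 characters Roundcube requires for `des_key`: `$config['des_key'] = trim(file_get_contents("${config.sops.secrets."roundcube/des_key".path}"));`. Owning the secret by `nginx` is consistent with `roundcube/postgres_password` above, assuming the `phpfpm-roundcube` pool named in `restartUnits` runs as that user.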
@@ -69,23 +61,21 @@ in
ln -s ${cfg.package} $out/roundcube
'';
extraConfig = ''
location ~ ^/roundcube/(${
builtins.concatStringsSep "|" [
# https://wiki.archlinux.org/title/Roundcube
"README"
"INSTALL"
"LICENSE"
"CHANGELOG"
"UPGRADING"
"bin"
"SQL"
".+\\.md"
"\\."
"config"
"temp"
"logs"
]
})/? {
location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
# https://wiki.archlinux.org/title/Roundcube
"README"
"INSTALL"
"LICENSE"
"CHANGELOG"
"UPGRADING"
"bin"
"SQL"
".+\\.md"
"\\."
"config"
"temp"
"logs"
]})/? {
deny all;
}
@@ -1,15 +1,7 @@
{
config,
lib,
fp,
pkgs,
values,
...
}:
{ config, lib, fp, pkgs, values, ... }:
let
cfg = config.services.snappymail;
in
{
in {
imports = [ (fp /modules/snappymail.nix) ];
services.snappymail = {
+79 -62
View File
@@ -1,31 +1,22 @@
{
pkgs,
lib,
config,
...
}:
{ pkgs, lib, config, ... }:
let
format = pkgs.formats.php { };
cfg = config.services.pvv-nettsiden;
in
{
in {
imports = [
./fetch-gallery.nix
];
sops.secrets =
lib.genAttrs
[
"nettsiden/door_secret"
"nettsiden/mysql_password"
"nettsiden/simplesamlphp/admin_password"
"nettsiden/simplesamlphp/cookie_salt"
]
(_: {
owner = config.services.phpfpm.pools.pvv-nettsiden.user;
group = config.services.phpfpm.pools.pvv-nettsiden.group;
restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
});
sops.secrets = lib.genAttrs [
"nettsiden/door_secret"
"nettsiden/mysql_password"
"nettsiden/simplesamlphp/admin_password"
"nettsiden/simplesamlphp/cookie_salt"
] (_: {
owner = config.services.phpfpm.pools.pvv-nettsiden.user;
group = config.services.phpfpm.pools.pvv-nettsiden.group;
restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
});
security.acme.certs."www.pvv.ntnu.no" = {
extraDomainNames = [
@@ -44,59 +35,85 @@ in
package = pkgs.pvv-nettsiden.override {
extra_files = {
"${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" =
pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
"${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" =
pkgs.writeText "pvv-nettsiden-authsources.php" ''
<?php
$config = array(
'admin' => array(
'core:AdminPassword'
),
'default-sp' => array(
'saml:SP',
'entityID' => 'https://${cfg.domainName}/simplesaml/',
'idp' => 'https://idp.pvv.ntnu.no/',
),
);
'';
"${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
"${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" ''
<?php
$config = array(
'admin' => array(
'core:AdminPassword'
),
'default-sp' => array(
'saml:SP',
'entityID' => 'https://${cfg.domainName}/simplesaml/',
'idp' => 'https://idp.pvv.ntnu.no/',
),
);
'';
};
};
domainName = "www.pvv.ntnu.no";
settings =
let
includeFromSops =
path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
in
{
DOOR_SECRET = includeFromSops "door_secret";
settings = let
includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
in {
DOOR_SECRET = includeFromSops "door_secret";
DB = {
DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
USER = "www-data_nettsi";
PASS = includeFromSops "mysql_password";
};
# TODO: set up postgres session for simplesamlphp
SAML = {
COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
COOKIE_SECURE = true;
ADMIN_NAME = "PVV Drift";
ADMIN_EMAIL = "drift@pvv.ntnu.no";
ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
TRUSTED_DOMAINS = [
"www.pvv.ntnu.no"
];
};
DB = {
DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
USER = "www-data_nettsi";
PASS = includeFromSops "mysql_password";
};
# TODO: set up postgres session for simplesamlphp
SAML = {
COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
COOKIE_SECURE = true;
ADMIN_NAME = "PVV Drift";
ADMIN_EMAIL = "drift@pvv.ntnu.no";
ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
TRUSTED_DOMAINS = [
"www.pvv.ntnu.no"
];
};
};
};
services.phpfpm.pools."pvv-nettsiden".settings = {
# "php_admin_value[error_log]" = "stderr";
"php_admin_value[error_log]" = "syslog";
"php_admin_flag[log_errors]" = true;
"catch_workers_output" = true;
"php_admin_value[max_execution_time]" = "30";
"request_terminate_timeout" = "60s";
"php_admin_value[sendmail_path]" = let
fakeSendmail = pkgs.writeShellApplication {
name = "fake-sendmail";
text = ''
TIMESTAMP="$(date +%Y-%m-%d-%H-%M-%S-%N)"
(
echo "SENDMAIL ARGS:"
echo "$@"
echo "SENDMAIL STDIN:"
cat -
) > "/var/lib/pvv-nettsiden/emails/$TIMESTAMP.mail"
'';
};
in lib.getExe fakeSendmail;
"php_admin_value[disable_functions]" = lib.concatStringsSep "," [
"curl_exec"
"curl_multi_exec"
"exec"
"parse_ini_file"
"passthru"
"popen"
"proc_open"
"shell_exec"
"show_source"
"system"
];
};
services.nginx.virtualHosts."pvv.ntnu.no" = {
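Review bot: `fake-sendmail` writes to `/var/lib/pvv-nettsiden/emails/$TIMESTAMP.mail`, but nothing in this hunk creates that directory; `writeShellApplication` runs with `set -euo pipefail`, so a missing directory makes the redirect fail, sendmail exits non-zero and PHP's `mail()` returns false. Add a tmpfiles rule or a `mkdir -p` in the script, and replace `echo "$@"` with `printf '%s\n' "$@"` so argument boundaries (options vs. recipient list) survive in the dump. The `disable_functions` list is a good addition; since it is set via `php_admin_value` it cannot be undone with `ini_set()` from application code, and `mail()` itself stays enabled, which is what makes the `sendmail_path` redirection work.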
@@ -1,15 +1,8 @@
{
pkgs,
lib,
config,
values,
...
}:
{ pkgs, lib, config, values, ... }:
let
galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
in
{
in {
users.users.${config.services.pvv-nettsiden.user} = {
# NOTE: the user unfortunately needs a registered shell for rrsync to function...
# is there anything we can do to remove this?
@@ -44,24 +37,18 @@ in
};
systemd.services.pvv-nettsiden-gallery-update = {
path = with pkgs; [
imagemagick
gnutar
gzip
];
path = with pkgs; [ imagemagick gnutar gzip ];
script = ''
tar ${
lib.cli.toGNUCommandLineShell { } {
extract = true;
file = "${transferDir}/gallery.tar.gz";
directory = ".";
}
}
tar ${lib.cli.toCommandLineShellGNU { } {
extract = true;
file = "${transferDir}/gallery.tar.gz";
directory = ".";
}}
# Delete files and directories that exists in the gallery that don't exist in the tarball
filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
while IFS= read fname; do
filesToRemove=$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))
while IFS= read -r fname; do
rm -f "$fname" ||:
rm -f ".thumbnails/$fname.png" ||:
done <<< "$filesToRemove"
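Review bot: `filesToRemove` relies on `find .` and `tar -tf` printing paths in the same form; `find` emits `./foo` while a tarball created without a leading `./` lists `foo`, in which case every existing file appears exactly once in the merged list and `uniq -u` marks all of them for deletion. Normalize both sides before the `sort` (e.g. pipe each through `sed 's|^\./||'`) or build `gallery.tar.gz` with an explicit `./` prefix and say so in a comment. The `read -r` and quoting fixes in this hunk are right; the `.` entry that `find` emits reaches `rm -f .` and is harmless only because of the trailing `||:`.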
@@ -69,9 +56,9 @@ in
find . -type d -empty -delete
mkdir -p .thumbnails
images=$(find . -type f -not -path "./.thumbnails*")
images=$(find . -type f -not -path './.thumbnails*')
while IFS= read fname; do
while IFS= read -r fname; do
# Skip this file if an up-to-date thumbnail already exists
if [ -f ".thumbnails/$fname.png" ] && \
[ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
@@ -80,7 +67,7 @@ in
fi
echo "Creating thumbnail for $fname"
mkdir -p $(dirname ".thumbnails/$fname")
mkdir -p "$(dirname ".thumbnails/$fname")"
magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
done <<< "$images"
+21 -24
View File
@@ -1,28 +1,25 @@
{ lib, ... }:
{
services.nginx.virtualHosts =
lib.genAttrs
[
"pvv.ntnu.no"
"www.pvv.ntnu.no"
"pvv.org"
"www.pvv.org"
]
(_: {
locations = {
"^~ /.well-known/" = {
alias = (toString ./root) + "/";
};
services.nginx.virtualHosts = lib.genAttrs [
"pvv.ntnu.no"
"www.pvv.ntnu.no"
"pvv.org"
"www.pvv.org"
] (_: {
locations = {
"^~ /.well-known/" = {
alias = (toString ./root) + "/";
};
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"^~ /.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
};
});
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"^~ /.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
};
});
}
+3 -16
View File
@@ -1,9 +1,4 @@
{
fp,
pkgs,
values,
...
}:
{ fp, pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
@@ -24,16 +19,8 @@
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
#matchConfig.Name = "enp6s0f0";
matchConfig.Name = "ens18";
address =
with values.hosts.bicep;
[
(ipv4 + "/25")
(ipv6 + "/64")
]
++ (with values.services.turn; [
(ipv4 + "/25")
(ipv6 + "/64")
]);
address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
};
systemd.network.wait-online = {
anyInterface = true;
+18 -33
View File
@@ -1,49 +1,34 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"ahci"
"sd_mod"
"sr_mod"
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ahci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a";
fsType = "ext4";
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a";
fsType = "ext4";
};
# temp data disk, only 128gb not enough until we can add another disk to the system.
fileSystems."/data" = {
device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba";
fsType = "ext4";
};
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/198B-E363";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/198B-E363";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
+2 -9
View File
@@ -1,14 +1,7 @@
{
config,
fp,
lib,
pkgs,
...
}:
{ config, fp, lib, pkgs, ... }:
let
cfg = config.services.pvv-calendar-bot;
in
{
in {
sops.secrets = {
"calendar-bot/matrix_token" = {
sopsFile = fp /secrets/bicep/bicep.yaml;
+65 -80
View File
@@ -1,10 +1,4 @@
{
config,
pkgs,
lib,
fp,
...
}:
{ config, pkgs, lib, fp, ... }:
let
cfg = config.services.gickup;
in
@@ -26,88 +20,79 @@ in
lfs = false;
};
instances =
let
defaultGithubConfig = {
settings.token_file = config.sops.secrets."gickup/github-token".path;
};
defaultGitlabConfig = {
# settings.token_file = ...
};
in
{
"github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
"github:NixOS/nixpkgs" = defaultGithubConfig;
"github:go-gitea/gitea" = defaultGithubConfig;
"github:heimdal/heimdal" = defaultGithubConfig;
"github:saltstack/salt" = defaultGithubConfig;
"github:typst/typst" = defaultGithubConfig;
"github:unmojang/FjordLauncher" = defaultGithubConfig;
"github:unmojang/drasl" = defaultGithubConfig;
"github:yushijinhun/authlib-injector" = defaultGithubConfig;
"gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
"gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
"any:glibc" = {
settings.url = "https://sourceware.org/git/glibc.git";
};
"any:out-of-your-element" = {
settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
};
"any:out-of-your-element-module" = {
settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
};
instances = let
defaultGithubConfig = {
settings.token_file = config.sops.secrets."gickup/github-token".path;
};
};
defaultGitlabConfig = {
# settings.token_file = ...
};
in {
"github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
"github:NixOS/nixpkgs" = defaultGithubConfig;
"github:go-gitea/gitea" = defaultGithubConfig;
"github:heimdal/heimdal" = defaultGithubConfig;
"github:saltstack/salt" = defaultGithubConfig;
"github:typst/typst" = defaultGithubConfig;
"github:unmojang/FjordLauncher" = defaultGithubConfig;
"github:unmojang/drasl" = defaultGithubConfig;
"github:yushijinhun/authlib-injector" = defaultGithubConfig;
services.cgit =
let
domain = "mirrors.pvv.ntnu.no";
in
{
${domain} = {
enable = true;
package = pkgs.callPackage (fp /packages/cgit.nix) { };
group = "gickup";
scanPath = "${cfg.dataDir}/linktree";
gitHttpBackend.checkExportOkFiles = false;
settings = {
enable-commit-graph = true;
enable-follow-links = true;
enable-http-clone = true;
enable-remote-branches = true;
clone-url = "https://${domain}/$CGIT_REPO_URL";
remove-suffix = true;
root-title = "PVVSPPP";
root-desc = "PVV Speiler Praktisk og Prominent Programvare";
snapshots = "all";
logo = "/PVV-logo.png";
};
"gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
"gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
"any:glibc" = {
settings.url = "https://sourceware.org/git/glibc.git";
};
"any:out-of-your-element" = {
settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
};
"any:out-of-your-element-module" = {
settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
};
};
};
services.cgit = let
domain = "mirrors.pvv.ntnu.no";
in {
${domain} = {
enable = true;
package = pkgs.callPackage (fp /packages/cgit.nix) { };
group = "gickup";
scanPath = "${cfg.dataDir}/linktree";
gitHttpBackend.checkExportOkFiles = false;
settings = {
enable-commit-graph = true;
enable-follow-links = true;
enable-http-clone = true;
enable-remote-branches = true;
clone-url = "https://${domain}/$CGIT_REPO_URL";
remove-suffix = true;
root-title = "PVVSPPP";
root-desc = "PVV Speiler Praktisk og Prominent Programvare";
snapshots = "all";
logo = "/PVV-logo.png";
};
};
};
services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
locations."= /PVV-logo.png".alias =
let
small-pvv-logo =
pkgs.runCommandLocal "pvv-logo-96x96"
{
nativeBuildInputs = [ pkgs.imagemagick ];
}
''
magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
'';
in
toString small-pvv-logo;
locations."= /PVV-logo.png".alias = let
small-pvv-logo = pkgs.runCommandLocal "pvv-logo-96x96" {
nativeBuildInputs = [ pkgs.imagemagick ];
} ''
magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
'';
in toString small-pvv-logo;
};
systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = {
+13 -34
View File
@@ -1,12 +1,4 @@
{
config,
lib,
fp,
pkgs,
secrets,
values,
...
}:
{ config, lib, fp, pkgs, secrets, values, ... }:
{
sops.secrets."matrix/coturn/static-auth-secret" = {
@@ -135,31 +127,18 @@
};
networking.firewall = {
interfaces.enp6s0f0 =
let
range = with config.services.coturn; [
{
from = min-port;
to = max-port;
}
];
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [
443
3478
3479
5349
];
allowedTCPPortRanges = range;
allowedTCPPorts = [
443
3478
3479
5349
];
};
interfaces.enp6s0f0 = let
range = with config.services.coturn; [ {
from = min-port;
to = max-port;
} ];
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [ 443 3478 3479 5349 ];
allowedTCPPortRanges = range;
allowedTCPPorts = [ 443 3478 3479 5349 ];
};
};
}
+5 -14
View File
@@ -1,9 +1,4 @@
{
config,
lib,
fp,
...
}:
{ config, lib, fp, ... }:
let
cfg = config.services.mx-puppet-discord;
@@ -49,6 +44,7 @@ in
];
};
services.mx-puppet-discord.enable = false;
services.mx-puppet-discord.settings = {
bridge = {
@@ -56,21 +52,16 @@ in
domain = "pvv.ntnu.no";
homeserverUrl = "https://matrix.pvv.ntnu.no";
};
provisioning.whitelist = [
"@dandellion:dodsorf\\.as"
"@danio:pvv\\.ntnu\\.no"
];
provisioning.whitelist = [ "@dandellion:dodsorf\\.as" "@danio:pvv\\.ntnu\\.no"];
relay.whitelist = [ ".*" ];
selfService.whitelist = [
"@danio:pvv\\.ntnu\\.no"
"@dandellion:dodsorf\\.as"
];
selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
};
services.mx-puppet-discord.serviceDependencies = [
"matrix-synapse.target"
"nginx.service"
];
services.matrix-synapse-next.settings = {
app_service_config_files = [
config.sops.templates."discord-registration.yaml".path
+8 -14
View File
@@ -1,13 +1,7 @@
{
config,
lib,
pkgs,
...
}:
{ config, lib, pkgs, ... }:
let
synapse-cfg = config.services.matrix-synapse-next;
in
{
in {
services.pvv-matrix-well-known.client = {
"m.homeserver" = {
base_url = "https://matrix.pvv.ntnu.no";
@@ -27,12 +21,12 @@ in
default_server_config = config.services.pvv-matrix-well-known.client;
disable_3pid_login = true;
# integrations_ui_url = "https://dimension.dodsorf.as/riot";
# integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
# integrations_widgets_urls = [
# "https://dimension.dodsorf.as/widgets"
# ];
# integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi";
# integrations_ui_url = "https://dimension.dodsorf.as/riot";
# integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
# integrations_widgets_urls = [
# "https://dimension.dodsorf.as/widgets"
# ];
# integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi";
defaultCountryCode = "NO";
showLabsSettings = true;
features = {
@@ -1,11 +1,4 @@
{
config,
lib,
fp,
unstablePkgs,
inputs,
...
}:
{ config, lib, fp, unstablePkgs, inputs, ... }:
let
cfg = config.services.matrix-hookshot;
@@ -107,8 +100,7 @@ in
};
serviceBots = [
{
localpart = "bot_feeds";
{ localpart = "bot_feeds";
displayname = "Aya";
avatar = ./feeds.png;
prefix = "!aya";
@@ -123,44 +115,20 @@ in
permissions = [
# Users of the PVV Server
{
actor = "pvv.ntnu.no";
services = [
{
service = "*";
level = "commands";
}
];
{ actor = "pvv.ntnu.no";
services = [ { service = "*"; level = "commands"; } ];
}
# Members of Medlem space (for people with their own hs)
{
actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
services = [
{
service = "*";
level = "commands";
}
];
{ actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
services = [ { service = "*"; level = "commands"; } ];
}
# Members of Drift
{
actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
services = [
{
service = "*";
level = "admin";
}
];
{ actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
services = [ { service = "*"; level = "admin"; } ];
}
# Dan bootstrap
{
actor = "@dandellion:dodsorf.as";
services = [
{
service = "*";
level = "admin";
}
];
{ actor = "@dandellion:dodsorf.as";
services = [ { service = "*"; level = "admin"; } ];
}
];
};
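Review bot: the `# Dan bootstrap` entry grants `@dandellion:dodsorf.as` `admin` on every hookshot service, on top of the `admin` already given to everyone in the Drift room. If it was only needed to bootstrap the bridge, drop it now or note in the comment when it can go; a personal account on a remote homeserver holding global admin is the kind of grant that tends to outlive its purpose.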
+13 -18
@@ -1,9 +1,4 @@
{
config,
lib,
fp,
...
}:
{ config, lib, fp, ... }:
let
synapseConfig = config.services.matrix-synapse-next;
matrixDomain = "matrix.pvv.ntnu.no";
@@ -25,12 +20,10 @@ in
};
services.pvv-matrix-well-known.client = lib.mkIf cfg.enable {
"org.matrix.msc4143.rtc_foci" = [
{
type = "livekit";
livekit_service_url = "https://${matrixDomain}/livekit/jwt";
}
];
"org.matrix.msc4143.rtc_foci" = [{
type = "livekit";
livekit_service_url = "https://${matrixDomain}/livekit/jwt";
}];
};
services.livekit = {
@@ -50,12 +43,7 @@ in
keyFile = config.sops.templates."matrix-livekit-keyfile".path;
};
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (
builtins.concatStringsSep "," [
"pvv.ntnu.no"
"dodsorf.as"
]
);
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (builtins.concatStringsSep "," [ "pvv.ntnu.no" "dodsorf.as" ]);
services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
locations."^~ /livekit/jwt/" = {
@@ -76,4 +64,11 @@ in
'';
};
};
networking.firewall.allowedUDPPortRanges = [
{
from = cfg.settings.rtc.port_range_start;
to = cfg.settings.rtc.port_range_end;
}
];
}
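Review bot: the `networking.firewall.allowedUDPPortRanges` entry is not wrapped in `lib.mkIf cfg.enable` like everything else in this module (the well-known, `lk-jwt-service` and nginx blocks all are), so the livekit RTC port range stays open on any host importing this file even with livekit disabled. Wrap it the same way, `networking.firewall.allowedUDPPortRanges = lib.mkIf cfg.enable [ ... ];`, and consider scoping it to the public interface via `networking.firewall.interfaces.<name>` as the coturn config earlier in this compare does.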
+1 -6
@@ -1,9 +1,4 @@
{
config,
lib,
fp,
...
}:
{ config, lib, fp, ... }:
{
sops.secrets."matrix/mjolnir/access_token" = {
@@ -1,11 +1,4 @@
{
config,
pkgs,
lib,
values,
fp,
...
}:
{ config, pkgs, lib, values, fp, ... }:
let
cfg = config.services.matrix-ooye;
in
@@ -1,9 +1,4 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
setuptools,
}:
{ lib, buildPythonPackage, fetchFromGitHub, setuptools }:
buildPythonPackage rec {
pname = "matrix-synapse-smtp-auth";
@@ -1,9 +1,5 @@
{
config,
lib,
pkgs,
...
}:
{ config, lib, pkgs, ... }:
# This service requires you to have access to endpoints not available over the internet
# Use an ssh proxy or similar to access this dashboard.
@@ -1,9 +1,4 @@
{
config,
lib,
utils,
...
}:
{ config, lib, utils, ... }:
let
cfg = config.services.synapse-auto-compressor;
in
+57 -88
@@ -1,23 +1,13 @@
{
config,
lib,
fp,
pkgs,
values,
inputs,
...
}:
{ config, lib, fp, pkgs, values, inputs, ... }:
let
cfg = config.services.matrix-synapse-next;
matrix-lib = inputs.matrix-next.lib;
imap0Attrs =
with lib;
f: set: listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
in
{
imap0Attrs = with lib; f: set:
listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
in {
sops.secrets."matrix/synapse/signing_key" = {
key = "synapse/signing_key";
sopsFile = fp /secrets/bicep/matrix.yaml;
@@ -33,9 +23,7 @@ in
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
content = ''
registration_shared_secret: ${
config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"
}
registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
'';
};
@@ -80,7 +68,7 @@ in
signing_key_path = config.sops.secrets."matrix/synapse/signing_key".path;
media_store_path = "${cfg.dataDir}/media";
media_store_path = "${cfg.dataDir}/media";
database = {
name = "psycopg2";
@@ -122,8 +110,7 @@ in
password_config.enabled = true;
modules = [
{
module = "smtp_auth_provider.SMTPAuthProvider";
{ module = "smtp_auth_provider.SMTPAuthProvider";
config = {
smtp_host = "smtp.pvv.ntnu.no";
};
@@ -196,79 +183,61 @@ in
services.pvv-matrix-well-known.server."m.server" = "matrix.pvv.ntnu.no:443";
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
{
kTLS = true;
}
{
locations."/_synapse/admin" = {
proxyPass = "http://$synapse_backend";
extraConfig = ''
allow 127.0.0.1;
allow ::1;
allow ${values.hosts.bicep.ipv4};
allow ${values.hosts.bicep.ipv6};
deny all;
'';
};
}
{
locations =
let
connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
socketAddress =
w:
let
c = connectionInfo w;
in
"${c.host}:${toString c.port}";
{
kTLS = true;
}
{
locations."/_synapse/admin" = {
proxyPass = "http://$synapse_backend";
extraConfig = ''
allow 127.0.0.1;
allow ::1;
allow ${values.hosts.bicep.ipv4};
allow ${values.hosts.bicep.ipv6};
deny all;
'';
};
}
{
locations = let
connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString c.port}";
metricsPath = w: "/metrics/${w.type}/${toString w.index}";
proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
in
lib.mapAttrs' (
n: v:
lib.nameValuePair (metricsPath v) {
proxyPass = proxyPath v;
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
}
) cfg.workers.instances;
}
{
locations."/metrics/master/1" = {
proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
metricsPath = w: "/metrics/${w.type}/${toString w.index}";
proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
in lib.mapAttrs' (n: v: lib.nameValuePair
(metricsPath v) {
proxyPass = proxyPath v;
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
};
})
cfg.workers.instances;
}
{
locations."/metrics/master/1" = {
proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
};
locations."/metrics/" =
let
endpoints =
lib.pipe cfg.workers.instances [
(lib.mapAttrsToList (_: v: v))
(map (w: "${w.type}/${toString w.index}"))
(map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
]
++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
in
{
alias =
pkgs.writeTextDir "/config.json" (
builtins.toJSON [
{
targets = endpoints;
labels = { };
}
]
)
+ "/";
};
}
];
locations."/metrics/" = let
endpoints = lib.pipe cfg.workers.instances [
(lib.mapAttrsToList (_: v: v))
(map (w: "${w.type}/${toString w.index}"))
(map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
in {
alias = pkgs.writeTextDir "/config.json"
(builtins.toJSON [
{ targets = endpoints;
labels = { };
}]) + "/";
};
}];
}
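Review bot: `locations."/metrics/"` serves the generated `config.json` without the `allow`/`deny` block that every other metrics location in this hunk carries, so the list of synapse worker types, indices and scrape paths is readable by anyone who can reach `matrix.pvv.ntnu.no`. Its only consumer is the Prometheus `http_sd_configs` on ildkule (see the synapse scrape hunk later in this compare), so the same `extraConfig` with `allow ${values.hosts.ildkule.ipv4}; allow ${values.hosts.ildkule.ipv6}; deny all;` can be added to this location too.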
+1 -6
@@ -1,9 +1,4 @@
{
config,
pkgs,
lib,
...
}:
{ config, pkgs, lib, ... }:
let
cfg = config.services.pvv-matrix-well-known;
format = pkgs.formats.json { };
+18 -25
@@ -1,9 +1,4 @@
{
config,
lib,
pkgs,
...
}:
{ config, lib, pkgs, ... }:
let
cfg = config.services.minecraft-heatmap;
in
@@ -32,25 +27,23 @@ in
"sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
];
preStart =
let
knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
innovation.pvv.ntnu.no ssh-rsa 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
innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
'';
in
''
mkdir -p '${cfg.minecraftLogsDir}'
"${lib.getExe pkgs.rsync}" \
--archive \
--verbose \
--progress \
--no-owner \
--no-group \
--rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
root@innovation.pvv.ntnu.no:/ \
'${cfg.minecraftLogsDir}'/
preStart = let
knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
innovation.pvv.ntnu.no ssh-rsa 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
innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
'';
in ''
mkdir -p '${cfg.minecraftLogsDir}'
"${lib.getExe pkgs.rsync}" \
--archive \
--verbose \
--progress \
--no-owner \
--no-group \
--rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
root@innovation.pvv.ntnu.no:/ \
'${cfg.minecraftLogsDir}'/
'';
};
}
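Review bot: the rsync source is `root@innovation.pvv.ntnu.no:/`, the remote root directory as root, which is only acceptable if the key loaded from `$CREDENTIALS_DIRECTORY/sshkey` is restricted on innovation's side to a read-only rrsync (or similar forced command) rooted at the logs directory; otherwise a compromised heatmap host can pull the whole filesystem. A comment next to the command naming the authorized_keys restriction it relies on would make that reviewable. Pinning the host keys via `UserKnownHostsFile` is the right call; `--verbose --progress` only fills the journal from a `preStart` and can go.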
+18 -26
@@ -1,10 +1,4 @@
{
config,
lib,
pkgs,
values,
...
}:
{ config, lib, pkgs, values, ... }:
let
cfg = config.services.mysql;
backupDir = "/data/mysql-backups";
@@ -16,10 +10,10 @@ in
# };
systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = {
user = "mysql";
group = "mysql";
mode = "700";
};
user = "mysql";
group = "mysql";
mode = "700";
};
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
@@ -50,25 +44,23 @@ in
zstd
];
script =
let
rotations = 2;
in
''
set -euo pipefail
script = let
rotations = 2;
in ''
set -euo pipefail
OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
# NOTE: this needs to be a hardlink for rrsync to allow sending it
rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
# NOTE: this needs to be a hardlink for rrsync to allow sending it
rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done
'';
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done
'';
serviceConfig = {
Type = "oneshot";
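Review bot: `rm ... ||:` followed by `ln -T` leaves a window with no `mysql-dump-latest.sql.zst`, so an rsync pull racing the backup sees a missing file instead of the previous dump. Link to a temporary name and rename it into place so the replacement is atomic: `ln -T "$OUT_FILE" "$STATE_DIRECTORY/.latest.tmp" && mv -T "$STATE_DIRECTORY/.latest.tmp" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"`. Note also that `mysqldump --all-databases` without `--single-transaction` (InnoDB) or a lock can produce an inconsistent snapshot under load.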
+7 -15
@@ -1,10 +1,4 @@
{
config,
pkgs,
lib,
values,
...
}:
{ config, pkgs, lib, values, ... }:
let
cfg = config.services.mysql;
dataDir = "/data/mysql";
@@ -42,14 +36,12 @@ in
# a password which can be found in /secrets/ildkule/ildkule.yaml
# We have also changed both the host and auth plugin of this user
# to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
ensureUsers = [
{
name = "prometheus_mysqld_exporter";
ensurePermissions = {
"*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
};
}
];
ensureUsers = [{
name = "prometheus_mysqld_exporter";
ensurePermissions = {
"*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
};
}];
};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
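Review bot: the comment above `ensureUsers` says the host and auth plugin of `prometheus_mysqld_exporter` were changed by hand to `ildkule.pvv.ntnu.no` and `mysql_native_password`, so the declared entry (which NixOS creates as `'prometheus_mysqld_exporter'@'localhost'`) no longer describes the account that actually exists. With `allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ]` opening the server to the network, that remotely reachable account with `SELECT` on `*.*` deserves an accurate description here, or the manual steps moved into `initialScript` so the config and the database agree.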
+18 -26
@@ -1,10 +1,4 @@
{
config,
lib,
pkgs,
values,
...
}:
{ config, lib, pkgs, values, ... }:
let
cfg = config.services.postgresql;
backupDir = "/data/postgresql-backups";
@@ -17,10 +11,10 @@ in
# };
systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = {
user = "postgres";
group = "postgres";
mode = "700";
};
user = "postgres";
group = "postgres";
mode = "700";
};
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
@@ -51,25 +45,23 @@ in
cfg.package
];
script =
let
rotations = 2;
in
''
set -euo pipefail
script = let
rotations = 2;
in ''
set -euo pipefail
OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
# NOTE: this needs to be a hardlink for rrsync to allow sending it
rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
# NOTE: this needs to be a hardlink for rrsync to allow sending it
rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done
'';
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done
'';
serviceConfig = {
Type = "oneshot";
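Review bot: `pg_dumpall` output contains `pg_authid` (every role's password hash) alongside all database contents, so the `mode = "700"` on the backup directory from the tmpfiles hunk above and the rrsync restriction mentioned in the `# NOTE` comment are load-bearing and worth stating in a comment beside the script. The `rm` then `ln -T` sequence also has a window with no `postgresql-dump-latest.sql.zst`; linking to a temporary name and `mv -T` into place makes the swap atomic.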
@@ -0,0 +1,37 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.postgresql;
in
{
config = lib.mkIf cfg.enable {
systemd.services = {
postgresql-repack = {
requires = [ "postgresql.service" ];
after = [ "postgresql.target" ];
description = "Repack all PostgreSQL databases";
startAt = "Mon 06:00:00";
serviceConfig = {
Type = "oneshot";
User = "postgres";
Group = "postgres";
ExecStart = "${lib.getExe cfg.package.pkgs.pg_repack} --host=/run/postgresql --no-kill-backend --wait-timeout=30 --all";
};
};
postgresql-vacuum-analyze = {
requires = [ "postgresql.service" ];
after = [ "postgresql.target" ];
description = "Vacuum and analyze all PostgreSQL databases";
startAt = "Tue 06:00:00";
serviceConfig = {
Type = "oneshot";
User = "postgres";
Group = "postgres";
ExecStart = "${lib.getExe' cfg.package "psql"} --port=${builtins.toString cfg.settings.port} -tAc 'VACUUM ANALYZE'";
};
};
};
};
}
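Review bot: `postgresql-vacuum-analyze` does not do what its description says: `psql -tAc 'VACUUM ANALYZE'` connects to the `postgres` database only and VACUUM is per-database, so every other database is skipped. Use `${lib.getExe' cfg.package "vacuumdb"} --port=${builtins.toString cfg.settings.port} --all --analyze` instead. Both units also mix `requires = [ "postgresql.service" ]` with `after = [ "postgresql.target" ]`; pick one unit for both so the dependency and the ordering agree.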
+6 -8
@@ -1,19 +1,17 @@
{
config,
lib,
pkgs,
values,
...
}:
{ config, lib, pkgs, values, ... }:
let
cfg = config.services.postgresql;
in
{
imports = [ ./backup.nix ];
imports = [
./backup.nix
./cleanup-timers.nix
];
services.postgresql = {
enable = true;
package = pkgs.postgresql_18;
extensions = ps: with ps; [ pg_repack ];
enableTCPIP = true;
authentication = ''
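Review bot: `extensions = ps: with ps; [ pg_repack ];` only installs the pg_repack library and SQL files; `pg_repack --all` from `cleanup-timers.nix` still fails for every database that has not run `CREATE EXTENSION pg_repack`. Either create the extension in each database (`CREATE EXTENSION IF NOT EXISTS pg_repack;`, via `services.postgresql.initialScript` for a fresh cluster or by hand on the existing one) or restrict the timer to the databases that have it.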
+24 -72
@@ -1,14 +1,8 @@
{
lib,
config,
pkgs,
values,
...
}:
{ config, pkgs, values, ... }:
{
networking.nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
internalInterfaces = ["ve-+"];
externalInterface = "ens3";
# Lazy IPv6 connectivity for the container
enableIPv6 = true;
@@ -16,11 +10,9 @@
containers.bikkje = {
autoStart = true;
config =
{ config, pkgs, ... }:
{
#import packages
packages = with pkgs; [
config = { config, pkgs, ... }: {
#import packages
packages = with pkgs; [
alpine
mutt
mutt-ics
@@ -30,66 +22,26 @@
hexchat
irssi
pidgin
];
];
networking = {
hostName = "bikkje";
firewall = {
enable = true;
# Allow SSH and HTTP and ports for email and irc
allowedTCPPorts = [
80
22
194
994
6665
6666
6667
6668
6669
6697
995
993
25
465
587
110
143
993
995
];
allowedUDPPorts = [
80
22
194
994
6665
6666
6667
6668
6669
6697
995
993
25
465
587
110
143
993
995
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
networking = {
hostName = "bikkje";
firewall = {
enable = true;
# Allow SSH and HTTP and ports for email and irc
allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
};
services.resolved.enable = true;
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "23.11";
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = mkForce false;
};
services.resolved.enable = true;
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "23.11";
};
};
}
};
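Review bot: `useHostResolvConf = mkForce false;` uses `mkForce` unqualified, but the compact argument set at the top of this file is `{ config, pkgs, values, ... }:` (no `lib`) and the container's own function only binds `config, pkgs`; that side will not evaluate unless it uses `lib.mkForce` with `lib` in scope, as the other side of the hunk does. Separately, `allowedUDPPorts` duplicates the TCP list even though SSH, SMTP, IMAP, POP3 and IRC are TCP-only, and 993 and 995 appear twice in each list; the UDP list can go entirely and the TCP list should be deduplicated.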
+7 -16
@@ -1,25 +1,16 @@
{
config,
fp,
pkgs,
values,
...
}:
{ config, fp, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
./services/grzegorz.nix
];
./services/grzegorz.nix
];
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
matchConfig.Name = "eno1";
address = with values.hosts.brzeczyszczykiewicz; [
(ipv4 + "/25")
(ipv6 + "/64")
];
address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
fonts.fontconfig.enable = true;
@@ -1,45 +1,31 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ehci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
"sr_mod"
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
fsType = "ext4";
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/82E3-3D03";
fsType = "vfat";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/82E3-3D03";
fsType = "vfat";
};
swapDevices = [
{ device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
];
swapDevices =
[ { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
+7 -16
@@ -1,25 +1,16 @@
{
config,
fp,
pkgs,
values,
...
}:
{ config, fp, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /modules/grzegorz.nix)
];
(fp /modules/grzegorz.nix)
];
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
matchConfig.Name = "eno1";
address = with values.hosts.georg; [
(ipv4 + "/25")
(ipv6 + "/64")
];
address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
services.spotifyd = {
+16 -29
@@ -1,44 +1,31 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ehci_pci"
"ahci"
"usb_storage"
"usbhid"
"sd_mod"
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
fsType = "ext4";
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/145E-7362";
fsType = "vfat";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/145E-7362";
fsType = "vfat";
};
swapDevices = [
{ device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
];
swapDevices =
[ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
+2 -2
@@ -22,7 +22,7 @@
"sd_mod"
];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
@@ -31,7 +31,7 @@
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/933A-3005";
device = "/dev/disk/by-uuid/BD97-FCA0";
fsType = "vfat";
options = [
"fmask=0077"
+30 -33
@@ -5,11 +5,10 @@
lib,
values,
...
}:
{
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./disks.nix
(fp /base)
./services/monitoring
@@ -17,44 +16,42 @@
./services/journald-remote.nix
];
boot.loader.systemd-boot.enable = false;
boot.loader.grub.device = "/dev/vda";
boot.loader.grub.enable = true;
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
# Openstack Neutron and systemd-networkd are not best friends, use something else:
systemd.network.enable = lib.mkForce false;
networking =
let
hostConf = values.hosts.ildkule;
in
{
tempAddresses = "disabled";
useDHCP = lib.mkForce true;
networking = let
hostConf = values.hosts.ildkule;
in {
tempAddresses = "disabled";
useDHCP = lib.mkForce true;
search = values.defaultNetworkConfig.domains;
nameservers = values.defaultNetworkConfig.dns;
defaultGateway.address = hostConf.ipv4_internal_gw;
search = values.defaultNetworkConfig.domains;
nameservers = values.defaultNetworkConfig.dns;
defaultGateway.address = hostConf.ipv4_internal_gw;
interfaces."ens4" = {
ipv4.addresses = [
{
address = hostConf.ipv4;
prefixLength = 32;
}
{
address = hostConf.ipv4_internal;
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = hostConf.ipv6;
prefixLength = 64;
}
];
};
interfaces."ens3" = {
ipv4.addresses = [
{
address = hostConf.ipv4;
prefixLength = 32;
}
{
address = hostConf.ipv4_internal;
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = hostConf.ipv6;
prefixLength = 64;
}
];
};
};
services.qemuGuest.enable = true;
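Review bot: one side of this hunk configures the bootloader explicitly (`boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/vda";`) while the other only has `boot.loader.systemd-boot.enable = lib.mkForce false;` with nothing in its place, and the interface moves from `ens4` to `ens3` at the same time. Together with the disko layout on `/dev/sda` added in this compare, the commit message should spell out which device and interface names the VM actually presents after the migration; a wrong grub device or interface name here leaves the monitoring host unbootable or unreachable.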
+27
@@ -0,0 +1,27 @@
{
disko.devices = {
disk = {
sda = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
bios = {
size = "1M";
type = "EF02";
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}
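Review bot: `device = "/dev/sda"` depends on the disk controller (the new hardware-configuration loads `virtio_scsi`, which yields `sdX`, while the grub line in the configuration hunk says `/dev/vda`); for a disko layout that may be re-applied on rebuild, a stable `/dev/disk/by-id/...` or `by-path` name avoids formatting the wrong device after a reorder. The layout also provides only `/`, while the monitoring services in this compare keep their state under `/data`.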
+21 -18
@@ -1,21 +1,24 @@
{ modulesPath, lib, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"xen_blkfront"
"vmw_pvscsi"
];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
fsType = "ext4";
};
fileSystems."/data" = {
device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
fsType = "ext4";
};
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}
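Review bot: the `/data` filesystem (`fileSystems."/data"` on the old side) has no replacement: the generated file declares no filesystems and `disks.nix` only creates `/`, yet loki's `stateDir = "/data/monitoring/loki"` and prometheus's `/data/monitoring/prometheus` (bind-mounted onto `/var/lib/prometheus2` later in this compare) still point there. Without a mount that data silently lands on the root filesystem, or the bind mount fails at boot if the directory does not exist; add a `/data` volume to `disks.nix` or a `fileSystems."/data"` entry here.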
+14 -23
@@ -1,9 +1,4 @@
{
config,
lib,
values,
...
}:
{ config, lib, values, ... }:
let
cfg = config.services.journald.remote;
domainName = "journald.pvv.ntnu.no";
@@ -27,15 +22,13 @@ in
services.journald.remote = {
enable = true;
settings.Remote =
let
inherit (config.security.acme.certs.${domainName}) directory;
in
{
ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
TrustedCertificateFile = "-";
};
settings.Remote = let
inherit (config.security.acme.certs.${domainName}) directory;
in {
ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
TrustedCertificateFile = "-";
};
};
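Review bot: `TrustedCertificateFile = "-"` disables client-certificate verification in systemd-journal-remote (per journal-remote.conf(5)), so any host that can reach the listener can push arbitrary journal entries over a TLS session that only authenticates the server, which is enough for log forgery or filling the disk. If the senders are the PVV hosts, point this at the CA that issues their upload certificates, or at minimum confirm the socket is firewalled to the `values.hosts` addresses.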
systemd.sockets."systemd-journal-remote" = {
@@ -54,14 +47,12 @@ in
systemd.services."systemd-journal-remote" = {
serviceConfig = {
LoadCredential =
let
inherit (config.security.acme.certs.${domainName}) directory;
in
[
"key.pem:${directory}/key.pem"
"cert.pem:${directory}/cert.pem"
];
LoadCredential = let
inherit (config.security.acme.certs.${domainName}) directory;
in [
"key.pem:${directory}/key.pem"
"cert.pem:${directory}/cert.pem"
];
};
};
}
+23 -34
@@ -1,44 +1,33 @@
{
config,
pkgs,
values,
...
}:
let
{ config, pkgs, values, ... }: let
cfg = config.services.grafana;
in
{
sops.secrets =
let
owner = "grafana";
group = "grafana";
in
{
"keys/grafana/secret_key" = { inherit owner group; };
"keys/grafana/admin_password" = { inherit owner group; };
};
in {
sops.secrets = let
owner = "grafana";
group = "grafana";
in {
"keys/grafana/secret_key" = { inherit owner group; };
"keys/grafana/admin_password" = { inherit owner group; };
};
services.grafana = {
enable = true;
settings =
let
# See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
secretFile = path: "$__file{${path}}";
in
{
server = {
domain = "grafana.pvv.ntnu.no";
http_port = 2342;
http_addr = "127.0.0.1";
};
security = {
secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
};
settings = let
# See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
secretFile = path: "$__file{${path}}";
in {
server = {
domain = "grafana.pvv.ntnu.no";
http_port = 2342;
http_addr = "127.0.0.1";
};
security = {
secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
};
};
provision = {
enable = true;
datasources.settings.datasources = [
+1 -2
@@ -3,8 +3,7 @@
let
cfg = config.services.loki;
stateDir = "/data/monitoring/loki";
in
{
in {
services.loki = {
enable = true;
configuration = {
@@ -1,8 +1,6 @@
{ config, ... }:
let
{ config, ... }: let
stateDir = "/data/monitoring/prometheus";
in
{
in {
imports = [
./exim.nix
./gitea.nix
@@ -23,6 +21,7 @@ in
fileSystems."/var/lib/prometheus2" = {
device = stateDir;
fsType = "bind";
options = [ "bind" ];
};
}
@@ -5,11 +5,9 @@
{
job_name = "exim";
scrape_interval = "15s";
static_configs = [
{
targets = [ "microbel.pvv.ntnu.no:9636" ];
}
];
static_configs = [{
targets = [ "microbel.pvv.ntnu.no:9636" ];
}];
}
];
};
@@ -1,18 +1,16 @@
{ ... }:
{
services.prometheus.scrapeConfigs = [
{
job_name = "gitea";
scrape_interval = "60s";
scheme = "https";
services.prometheus.scrapeConfigs = [{
job_name = "gitea";
scrape_interval = "60s";
scheme = "https";
static_configs = [
{
targets = [
"git.pvv.ntnu.no:443"
];
}
];
}
];
static_configs = [
{
targets = [
"git.pvv.ntnu.no:443"
];
}
];
}];
}
@@ -1,5 +1,4 @@
{ config, ... }:
let
{ config, ... }: let
cfg = config.services.prometheus;
mkHostScrapeConfig = name: ports: {
@@ -10,98 +9,29 @@ let
defaultNodeExporterPort = 9100;
defaultSystemdExporterPort = 9101;
defaultNixosExporterPort = 9102;
in
{
services.prometheus.scrapeConfigs = [
{
job_name = "base_info";
static_configs = [
(mkHostScrapeConfig "ildkule" [
cfg.exporters.node.port
cfg.exporters.systemd.port
defaultNixosExporterPort
])
in {
services.prometheus.scrapeConfigs = [{
job_name = "base_info";
static_configs = [
(mkHostScrapeConfig "ildkule" [ cfg.exporters.node.port cfg.exporters.systemd.port defaultNixosExporterPort ])
(mkHostScrapeConfig "bekkalokk" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "bicep" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "brzeczyszczykiewicz" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "georg" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "gluttony" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "kommode" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "lupine-1" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "lupine-2" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "lupine-3" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "lupine-4" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "lupine-5" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "temmie" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "ustetind" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "wenche" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "bekkalokk" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "gluttony" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "skrott" [
defaultNodeExporterPort
defaultSystemdExporterPort
])
(mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
];
}
];
(mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
];
}];
}
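Review bot: every host in this scrape list repeats the same three-port list by hand, so adding an exporter later means editing a dozen entries and it is easy to leave one host out (skrott already lacks defaultNixosExporterPort, which may or may not be intended). Suggest binding the common list once, e.g. `defaultPorts = [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ];`, and mapping `mkHostScrapeConfig` over the host names, keeping only the genuine exceptions (skrott, hildring, isvegg, microbel) spelled out.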
@@ -1,44 +1,40 @@
{ ... }:
{
services.prometheus.scrapeConfigs = [
{
job_name = "synapse";
scrape_interval = "15s";
scheme = "https";
services.prometheus.scrapeConfigs = [{
job_name = "synapse";
scrape_interval = "15s";
scheme = "https";
http_sd_configs = [
{
url = "https://matrix.pvv.ntnu.no/metrics/config.json";
}
];
http_sd_configs = [{
url = "https://matrix.pvv.ntnu.no/metrics/config.json";
}];
relabel_configs = [
{
source_labels = [ "__address__" ];
regex = "[^/]+(/.*)";
target_label = "__metrics_path__";
}
{
source_labels = [ "__address__" ];
regex = "([^/]+)/.*";
target_label = "instance";
}
{
source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
target_label = "job";
}
{
source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
target_label = "index";
}
{
source_labels = [ "__address__" ];
regex = "([^/]+)/.*";
target_label = "__address__";
}
];
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
regex = "[^/]+(/.*)";
target_label = "__metrics_path__";
}
{
source_labels = [ "__address__" ];
regex = "([^/]+)/.*";
target_label = "instance";
}
{
source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
target_label = "job";
}
{
source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
target_label = "index";
}
{
source_labels = [ "__address__" ];
regex = "([^/]+)/.*";
target_label = "__address__";
}
];
}];
}
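Review bot: the five relabel rules are order-sensitive and undocumented: the first four parse `__address__` as `host/path.../job/index` into `__metrics_path__`, `instance`, `job` and `index`, and the fifth rewrites `__address__` itself, which only works because it runs last. A one-line comment stating the encoded format served by `https://matrix.pvv.ntnu.no/metrics/config.json` and that the `__address__` rewrite must stay last would stop a future reordering from silently breaking scrapes. The `\\/+` in the `job` and `index` regexes is just `\/+` after Nix string escaping, i.e. a plain `/+`; writing it as `/+` is clearer.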
@@ -1,42 +1,36 @@
{ config, ... }:
let
{ config, ... }: let
cfg = config.services.prometheus;
in
{
in {
sops = {
secrets."config/mysqld_exporter_password" = { };
templates."mysqld_exporter.conf" = {
restartUnits = [ "prometheus-mysqld-exporter.service" ];
content =
let
inherit (config.sops) placeholder;
in
''
[client]
host = mysql.pvv.ntnu.no
port = 3306
user = prometheus_mysqld_exporter
password = ${placeholder."config/mysqld_exporter_password"}
'';
content = let
inherit (config.sops) placeholder;
in ''
[client]
host = mysql.pvv.ntnu.no
port = 3306
user = prometheus_mysqld_exporter
password = ${placeholder."config/mysqld_exporter_password"}
'';
};
};
services.prometheus = {
scrapeConfigs = [
{
job_name = "mysql";
scheme = "http";
metrics_path = cfg.exporters.mysqld.telemetryPath;
static_configs = [
{
targets = [
"localhost:${toString cfg.exporters.mysqld.port}"
];
}
];
}
];
scrapeConfigs = [{
job_name = "mysql";
scheme = "http";
metrics_path = cfg.exporters.mysqld.telemetryPath;
static_configs = [
{
targets = [
"localhost:${toString cfg.exporters.mysqld.port}"
];
}
];
}];
exporters.mysqld = {
enable = true;
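Review bot: the `mysqld_exporter.conf` sops template sets `restartUnits` and `content` but no `owner`, `group` or `mode` in this hunk, so the rendered file defaults to a root-owned 0400 file; if `prometheus-mysqld-exporter.service` runs as an unprivileged or dynamic user it will not be able to read the credentials. Either set `owner` on the template to the exporter's user, or hand the file to the unit through `LoadCredential` and point the exporter at `$CREDENTIALS_DIRECTORY`. Separately, the `[client]` section carries no TLS options, so the password travels to `mysql.pvv.ntnu.no:3306` in whatever mode the server negotiates by default; worth confirming that is encrypted.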
@@ -1,17 +1,9 @@
{
pkgs,
lib,
config,
values,
...
}:
let
{ pkgs, lib, config, values, ... }: let
cfg = config.services.prometheus;
in
{
in {
sops.secrets = {
"keys/postgres/postgres_exporter_env" = { };
"keys/postgres/postgres_exporter_knakelibrak_env" = { };
"keys/postgres/postgres_exporter_env" = {};
"keys/postgres/postgres_exporter_knakelibrak_env" = {};
};
services.prometheus = {
@@ -19,26 +11,22 @@ in
{
job_name = "postgres";
scrape_interval = "15s";
static_configs = [
{
targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
labels = {
server = "bicep";
};
}
];
static_configs = [{
targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
labels = {
server = "bicep";
};
}];
}
{
job_name = "postgres-knakelibrak";
scrape_interval = "15s";
static_configs = [
{
targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
labels = {
server = "knakelibrak";
};
}
];
static_configs = [{
targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
labels = {
server = "knakelibrak";
};
}];
}
];
@@ -49,11 +37,9 @@ in
};
};
systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig =
let
localCfg = config.services.prometheus.exporters.postgres;
in
lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let
localCfg = config.services.prometheus.exporters.postgres;
in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path;
ExecStart = ''
${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \
@@ -1,15 +1,9 @@
{
config,
pkgs,
lib,
...
}:
{ config, pkgs, lib, ... }:
let
cfg = config.services.uptime-kuma;
domain = "status.pvv.ntnu.no";
stateDir = "/data/monitoring/uptime-kuma";
in
{
in {
services.uptime-kuma = {
enable = true;
settings = {
@@ -25,8 +19,9 @@ in
locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
};
fileSystems."/var/lib/uptime-kuma" = {
fileSystems."/var/lib/private/uptime-kuma" = {
device = stateDir;
fsType = "bind";
options = [ "bind" ];
};
}
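Review bot: moving the bind mount from `/var/lib/uptime-kuma` to `/var/lib/private/uptime-kuma` means the service runs with `DynamicUser`, where systemd creates the private directory itself and symlinks `/var/lib/uptime-kuma` to it. Two things to check: that the bind source `stateDir` (`/data/monitoring/uptime-kuma`) ends up owned by whatever UID systemd assigns, since systemd chowns a state directory it believes it created, and that the mount unit derived from `fileSystems."/var/lib/private/uptime-kuma"` is ordered before `uptime-kuma.service` so the service never starts on an empty directory and silently creates a fresh database. A comment on the `fileSystems` entry explaining the `/var/lib/private` path would help the next reader.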
@@ -1,9 +1,4 @@
{
pkgs,
values,
fp,
...
}:
{ pkgs, values, fp, ... }:
{
imports = [
# Include the results of the hardware scan.
@@ -17,10 +12,7 @@
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.kommode; [
(ipv4 + "/25")
(ipv6 + "/64")
];
address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
services.btrfs.autoScrub.enable = true;
@@ -1,27 +1,14 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
@@ -1,10 +1,4 @@
{
config,
pkgs,
lib,
fp,
...
}:
{ config, pkgs, lib, fp, ... }:
let
cfg = config.services.gitea;
in
@@ -74,59 +68,54 @@ in
wantedBy = [ "gitea.service" ];
requiredBy = [ "gitea.service" ];
serviceConfig = {
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
};
script =
let
logo-svg = fp /assets/logo_blue_regular.svg;
logo-png = fp /assets/logo_blue_regular.png;
script = let
logo-svg = fp /assets/logo_blue_regular.svg;
logo-png = fp /assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
'';
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
labels = lib.importJSON ./labels/projects.json;
};
customTemplates =
pkgs.runCommandLocal "gitea-templates"
{
nativeBuildInputs = with pkgs; [
coreutils
gnused
];
}
''
# Bigger icons
install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
'';
in
''
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
'';
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
labels = lib.importJSON ./labels/projects.json;
};
customTemplates = pkgs.runCommandLocal "gitea-templates" {
nativeBuildInputs = with pkgs; [
coreutils
gnused
];
} ''
# Bigger icons
install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl"
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
'';
in ''
install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'
install -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'
install -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'
install -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'
install -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'
install -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'
install -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'
install -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'
install -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'
install -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'
'${lib.getExe pkgs.rsync}' -a '${customTemplates}/' '${cfg.customDir}/templates/'
'';
};
}
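Review bot: `${./emotes/huh.gif}` is installed as `huh.png`, so the file's extension no longer matches its contents; Gitea and browsers pick the content type from the extension, which may render the emote incorrectly. Keep the `.gif` extension or convert the file. The `customTemplates` derivation runs `sed -i -e 's/24/60/g'` on the whole of `repo/icon.tmpl`, which rewrites every occurrence of `24` in the template, not only the icon size; anchoring the pattern to the attribute it targets would make the substitution survive upstream template changes. The single quoting of the store paths in the `install` and `rsync` lines is a good change.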
@@ -1,17 +1,9 @@
{
config,
values,
lib,
pkgs,
unstablePkgs,
...
}:
{ config, values, lib, pkgs, unstablePkgs, ... }:
let
cfg = config.services.gitea;
domain = "git.pvv.ntnu.no";
sshPort = 2222;
in
{
sshPort = 2222;
in {
imports = [
./customization
./gpg.nix
@@ -19,21 +11,19 @@ in
./web-secret-provider
];
sops.secrets =
let
defaultConfig = {
owner = "gitea";
group = "gitea";
restartUnits = [ "gitea.service" ];
};
in
{
"gitea/database" = defaultConfig;
"gitea/email-password" = defaultConfig;
"gitea/lfs-jwt-secret" = defaultConfig;
"gitea/oauth2-jwt-secret" = defaultConfig;
"gitea/secret-key" = defaultConfig;
sops.secrets = let
defaultConfig = {
owner = "gitea";
group = "gitea";
restartUnits = [ "gitea.service" ];
};
in {
"gitea/database" = defaultConfig;
"gitea/email-password" = defaultConfig;
"gitea/lfs-jwt-secret" = defaultConfig;
"gitea/oauth2-jwt-secret" = defaultConfig;
"gitea/secret-key" = defaultConfig;
};
services.gitea = {
enable = true;
@@ -54,7 +44,7 @@ in
# https://docs.gitea.com/administration/config-cheat-sheet
settings = {
server = {
DOMAIN = domain;
DOMAIN = domain;
ROOT_URL = "https://${domain}/";
PROTOCOL = "http+unix";
SSH_PORT = sshPort;
@@ -141,11 +131,9 @@ in
"repo.pulls"
"repo.releases"
];
ALLOW_FORK_INTO_SAME_OWNER = true;
};
picture = {
DISABLE_GRAVATAR = true;
ENABLE_FEDERATED_AVATAR = false;
AVATAR_MAX_FILE_SIZE = 1024 * 1024 * 5;
# NOTE: go any bigger than this, and gitea will freeze your gif >:(
AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
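Review bot: the `-11/+9` line counts of this hunk indicate that `ALLOW_FORK_INTO_SAME_OWNER = true;` and `DISABLE_GRAVATAR = true;` are dropped on the new side. Dropping `DISABLE_GRAVATAR` makes Gitea fetch avatars from gravatar.com using hashes of user e-mail addresses, which leaks the address hashes of every user to a third party; `ENABLE_FEDERATED_AVATAR = false` does not prevent that. If the removal is intentional it deserves a comment, otherwise keep `DISABLE_GRAVATAR = true`.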
@@ -225,33 +213,24 @@ in
};
systemd.services.gitea-dump = {
serviceConfig.ExecStart =
let
args = lib.cli.toGNUCommandLineShell { } {
type = cfg.dump.type;
serviceConfig.ExecStart = let
args = lib.cli.toCommandLineShellGNU { } {
type = cfg.dump.type;
# This should be declarative on nixos, no need to backup.
skip-custom-dir = true;
# This should be declarative on nixos, no need to backup.
skip-custom-dir = true;
# This can be regenerated, no need to backup
skip-index = true;
# This can be regenerated, no need to backup
skip-index = true;
# Logs are stored in the systemd journal
skip-log = true;
};
in
lib.mkForce "${lib.getExe cfg.package} ${args}";
# Logs are stored in the systemd journal
skip-log = true;
};
in lib.mkForce "${lib.getExe cfg.package} dump ${args}";
# Only keep n backup files at a time
postStop =
let
cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
backupCount = 3;
in
''
for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
${cu "rm"} "$file"
done
'';
# Only keep a single backup file at a time.
postStop = ''
${lib.getExe' pkgs.coreutils "mv"} '${cfg.dump.backupDir}'/gitea-dump-*.tar.gz gitea-dump.tar.gz
'';
};
}
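Review bot: the new `postStop` calls `mv '${cfg.dump.backupDir}'/gitea-dump-*.tar.gz gitea-dump.tar.gz` with a relative destination, so the dump is moved into the service's working directory rather than kept in `cfg.dump.backupDir`, and `mv` fails if the glob ever matches more than one file. Suggest `mv -f '${cfg.dump.backupDir}'/gitea-dump-*.tar.gz '${cfg.dump.backupDir}/gitea-dump.tar.gz'`. The old `postStop` had the same class of bug: `ls -t1 '${cfg.dump.backupDir}'` prints bare file names, so `rm "$file"` ran against the working directory too. Note also that the old `ExecStart` lacked the `dump` subcommand (`${lib.getExe cfg.package} ${args}`), which the new side adds, and that `lib.cli.toGNUCommandLineShell` is replaced by `lib.cli.toCommandLineShellGNU`; confirm the pinned nixpkgs exports that name, since an unknown attribute only fails at evaluation time.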
@@ -1,9 +1,4 @@
{
config,
pkgs,
lib,
...
}:
{ config, pkgs, lib, ... }:
let
cfg = config.services.gitea;
GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
@@ -1,9 +1,4 @@
{
config,
pkgs,
lib,
...
}:
{ config, pkgs, lib, ... }:
let
cfg = config.services.gitea;
in
@@ -16,7 +11,7 @@ in
systemd.services.gitea-import-users = lib.mkIf cfg.enable {
enable = true;
preStart = ''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
serviceConfig = {
ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
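Review bot: the `preStart` rsync pins the known hosts file and the key through `$CREDENTIALS_DIRECTORY`, which is the right way to do it, but the ssh options do not set `StrictHostKeyChecking=yes`. Without a tty the default `ask` mode already refuses an unknown host key, yet making it explicit (`-o StrictHostKeyChecking=yes`) documents the intent and does not depend on ssh's interactive behaviour. The `preStart=''` spelling without spaces around `=` is inconsistent with the rest of the file.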
@@ -25,12 +20,12 @@ in
];
libraries = with pkgs.python3Packages; [ requests ];
} (builtins.readFile ./gitea-import-users.py);
LoadCredential = [
LoadCredential=[
"sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
];
DynamicUser = "yes";
EnvironmentFile = config.sops.secrets."gitea/import-user-env".path;
DynamicUser="yes";
EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
RuntimeDirectory = "gitea-import-users";
};
};
@@ -1,9 +1,4 @@
{
config,
pkgs,
lib,
...
}:
{ config, pkgs, lib, ... }:
let
organizations = [
"Drift"
@@ -41,8 +36,7 @@ in
group = "gitea-web";
restartUnits = [
"gitea-web-secret-provider@"
]
++ (map (org: "gitea-web-secret-provider@${org}") organizations);
] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
};
systemd.slices.system-giteaweb = {
@@ -54,30 +48,25 @@ in
# %d - secrets directory
systemd.services."gitea-web-secret-provider@" = {
description = "Ensure all repos in %i has an SSH key to push web content";
requires = [
"gitea.service"
"network.target"
];
requires = [ "gitea.service" "network.target" ];
serviceConfig = {
Slice = "system-giteaweb.slice";
Type = "oneshot";
ExecStart =
let
args = lib.cli.toGNUCommandLineShell { } {
org = "%i";
token-path = "%d/token";
api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
key-dir = "/var/lib/gitea-web/keys/%i";
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
mkdir -p "$1"
${lib.getExe pkgs.rrsync} -wo "$1"
${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
'';
web-dir = "/var/lib/gitea-web/web";
};
in
"${giteaWebSecretProviderScript} ${args}";
ExecStart = let
args = lib.cli.toCommandLineShellGNU { } {
org = "%i";
token-path = "%d/token";
api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
key-dir = "/var/lib/gitea-web/keys/%i";
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
mkdir -p "$1"
${lib.getExe pkgs.rrsync} -wo "$1"
${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
'';
web-dir = "/var/lib/gitea-web/web";
};
in "${giteaWebSecretProviderScript} ${args}";
User = "gitea-web";
Group = "gitea-web";
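Review bot: `api-url` is built from `giteaCfg.settings.server.ROOT_URL`, so the provider talks to Gitea through the public HTTPS front end rather than the local unix socket; that is consistent with the `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]` further down in this file, but a comment would prevent someone from "optimising" it to the socket and breaking the hardening. The `rrsync-chown` wrapper does `mkdir -p "$1"` and a recursive `chown` on every push; since `$1` is the `web-dir` argument fixed in the authorized_keys `command=` by this service, that is fine, but `rrsync -wo` (write-only, directory-restricted) is the part doing the actual containment and deserves a note.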
@@ -96,10 +85,7 @@ in
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictRealtime = true;
RestrictSUIDSGID = true;
MemoryDenyWriteExecute = true;
@@ -119,9 +105,7 @@ in
systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
services.openssh.authorizedKeysFiles = map (
org: "/var/lib/gitea-web/authorized_keys.d/${org}"
) organizations;
services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
users.users.nginx.extraGroups = [ "gitea-web" ];
services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
@@ -1,15 +1,9 @@
{
fp,
values,
lupineName,
...
}:
{ fp, values, lib, lupineName, ... }:
{
imports = [
./hardware-configuration/${lupineName}.nix
(fp /base)
./services/gitea-runner.nix
];
@@ -17,10 +11,7 @@
systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
matchConfig.Name = "enp0s31f6";
address = with values.hosts.${lupineName}; [
(ipv4 + "/25")
(ipv6 + "/64")
];
address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ];
networkConfig.LLDP = false;
};
systemd.network.wait-online = {
@@ -1,54 +1,41 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usbhid"
"sd_mod"
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
fsType = "ext4";
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/e88adbb7-de01-4f9b-b338-fffed743c259";
fsType = "btrfs";
options = [ "subvol=@root" "compress=zstd" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/81D6-38D3";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/e88adbb7-de01-4f9b-b338-fffed743c259";
fsType = "btrfs";
options = [ "subvol=@nix" "compress=zstd" "noatime" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/81D6-38D3";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
];
};
swapDevices = [
{ device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
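Review bot: the `/boot` options change from `fmask=0077 dmask=0077` to `fmask=0022 dmask=0022`, which makes every file on the EFI system partition (kernels, initrds and anything placed there by the bootloader) world-readable. `nixos-generate-config` switched to 0077 precisely to avoid exposing initrd contents to unprivileged local users; unless something on lupine requires 0022, keep 0077. The same applies to the other lupine `hardware-configuration` hunks in this diff. The new btrfs layout (`subvol=@root` and `subvol=@nix` on one device) looks consistent with the `boot.initrd.availableKernelModules` list.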
@@ -1,53 +1,39 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usbhid"
"sd_mod"
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0";
fsType = "ext4";
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/ab2e1a13-8e95-48d8-970c-64fa2fab52d0";
fsType = "btrfs";
options = [ "subvol=@root" "compress=zstd" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/4A34-6AE5";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/ab2e1a13-8e95-48d8-970c-64fa2fab52d0";
fsType = "btrfs";
options = [ "subvol=@nix" "noatime" "compress=zstd" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/4A34-6AE5";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
];
};
swapDevices = [
{ device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
@@ -1,54 +1,41 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usbhid"
"sd_mod"
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88";
fsType = "ext4";
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/0a5bda7c-af55-4d3d-9135-7f7cbb78004d";
fsType = "btrfs";
options = [ "subvol=@root" "compress=zstd" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/63FA-297B";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/0a5bda7c-af55-4d3d-9135-7f7cbb78004d";
fsType = "btrfs";
options = [ "subvol=@nix" "noatime" "compress=zstd" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/63FA-297B";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
];
};
swapDevices = [
{ device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
@@ -1,44 +1,39 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usbhid"
"sd_mod"
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd";
fsType = "ext4";
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/fcd51970-f040-4c45-94cf-2b372d4599a2";
fsType = "btrfs";
options = [ "subvol=@root" "compress=zstd" ];
};
swapDevices = [
{ device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
];
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/fcd51970-f040-4c45-94cf-2b372d4599a2";
fsType = "btrfs";
options = [ "subvol=@nix" "noatime" "compress=zstd" ];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A22E-E41A";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
@@ -1,53 +1,39 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usbhid"
"sd_mod"
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343";
fsType = "ext4";
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/85830e14-e2c8-4f04-95fa-d6ab22840bc7";
fsType = "btrfs";
options = [ "subvol=@root" "compress=zstd" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/F372-37DF";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/85830e14-e2c8-4f04-95fa-d6ab22840bc7";
fsType = "btrfs";
options = [ "subvol=@nix" "noatime" "compress=zstd" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/F372-37DF";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
];
};
swapDevices = [
{ device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
@@ -39,17 +39,22 @@
"debian-bullseye-slim:docker://node:current-bullseye-slim"
"alpine-latest:docker://node:current-alpine"
"alpine-3.23:docker://node:current-alpine3.23"
"alpine-3.22:docker://node:current-alpine3.22"
"alpine-3.21:docker://node:current-alpine3.21"
# See https://gitea.com/gitea/runner-images
"ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
"ubuntu-26.04:docker://docker.gitea.com/runner-images:ubuntu-26.04"
"ubuntu-resolute:docker://docker.gitea.com/runner-images:ubuntu-26.04"
"ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04"
"ubuntu-noble:docker://docker.gitea.com/runner-images:ubuntu-24.04"
"ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
"ubuntu-jammy:docker://docker.gitea.com/runner-images:ubuntu-22.04"
"ubuntu-latest-slim:docker://docker.gitea.com/runner-images:ubuntu-latest-slim"
"ubuntu-26.04-slim:docker://docker.gitea.com/runner-images:ubuntu-26.04-slim"
"ubuntu-resolute-slim:docker://docker.gitea.com/runner-images:ubuntu-26.04-slim"
"ubuntu-24.04-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
"ubuntu-noble-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
"ubuntu-22.04-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim"
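Review bot: all runner labels resolve to floating tags (`node:current-*`, `runner-images:ubuntu-latest`, `ubuntu-26.04-slim`), so the images behind a label change whenever upstream republishes them and a CI run is not reproducible from the label alone. For the labels that matter for builds, consider pinning by digest (`image@sha256:...`) or at least noting in the comment which registry tags are expected to move; the `# See https://gitea.com/gitea/runner-images` comment is a good start.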
@@ -67,8 +72,5 @@
networking.dhcpcd.IPv6rs = false;
networking.firewall.interfaces."podman+".allowedUDPPorts = [
53
5353
];
networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
}