Compare commits

..

1 Commits

Author SHA1 Message Date
7e7b576540 WIP: deploy pvv-doorbell-bot 2024-08-24 22:50:26 +02:00
106 changed files with 930 additions and 4705 deletions
.sops.yamlREADME.MDbase.nix
base
flake.lockflake.nix
hosts
justfile
keys
misc
modules
packages
bluemap.nix
mediawiki-extensions
secrets

@ -13,8 +13,6 @@ keys:
- &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
- &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
creation_rules:
# Global secrets
@ -45,18 +43,6 @@ creation_rules:
pgp:
- *user_oysteikt
- path_regex: secrets/kommode/[^/]+\.yaml$
key_groups:
- age:
- *host_kommode
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt
- path_regex: secrets/jokum/[^/]+\.yaml$
key_groups:
- age:
@ -92,15 +78,3 @@ creation_rules:
- *user_pederbs_bjarte
pgp:
- *user_oysteikt
- path_regex: secrets/ustetind/[^/]+\.yaml$
key_groups:
- age:
- *host_ustetind
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt

@ -26,14 +26,10 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
som root på maskinen.
Hvis du ikke har lyst til å oppdatere alle pakkene (og kanskje måtte vente en stund!) kan du kjøre
`nixos-rebuild switch --override-input nixpkgs nixpkgs --override-input nixpkgs-unstable nixpkgs-unstable --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
## Seksjonen for hemmeligheter
For at hemmeligheter ikke skal deles med hele verden i git - eller å være world

150
base.nix Normal file

@ -0,0 +1,150 @@
{ config, lib, pkgs, inputs, values, ... }:
{
imports = [
./users
./modules/snakeoil-certs.nix
];
networking.domain = "pvv.ntnu.no";
networking.useDHCP = false;
# networking.search = [ "pvv.ntnu.no" "pvv.org" ];
# networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
# networking.tempAddresses = lib.mkDefault "disabled";
# networking.defaultGateway = values.hosts.gateway;
systemd.network.enable = true;
services.resolved = {
enable = lib.mkDefault true;
dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
};
time.timeZone = "Europe/Oslo";
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "no";
};
system.autoUpgrade = {
enable = true;
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
flags = [
"--update-input" "nixpkgs"
"--update-input" "nixpkgs-unstable"
"--no-write-lock-file"
];
};
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 2d";
nix.settings.experimental-features = [ "nix-command" "flakes" ];
/* This makes commandline tools like
** nix run nixpkgs#hello
** and nix-shell -p hello
** use the same channel the system
** was built with
*/
nix.registry = {
nixpkgs.flake = inputs.nixpkgs;
};
nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
environment.systemPackages = with pkgs; [
file
git
gnupg
htop
nano
ripgrep
rsync
screen
tmux
vim
wget
kitty.terminfo
];
programs.zsh.enable = true;
users.groups."drift".name = "drift";
# Trusted users on the nix builder machines
users.groups."nix-builder-users".name = "nix-builder-users";
# Let's not thermal throttle
services.thermald.enable = lib.mkIf (lib.all (x: x) [
(config.nixpkgs.system == "x86_64-linux")
(!config.boot.isContainer or false)
]) true;
services.openssh = {
enable = true;
extraConfig = ''
PubkeyAcceptedAlgorithms=+ssh-rsa
Match Group wheel
PasswordAuthentication no
Match All
'';
settings.PermitRootLogin = "yes";
};
# nginx return 444 for all nonexistent virtualhosts
systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
"/etc/certs/nginx" = {
owner = "nginx";
group = "nginx";
};
};
services.nginx = {
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
appendConfig = ''
pcre_jit on;
worker_processes auto;
worker_rlimit_nofile 100000;
'';
eventsConfig = ''
worker_connections 2048;
use epoll;
multi_accept on;
'';
};
systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
LimitNOFILE = 65536;
};
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
sslCertificate = "/etc/certs/nginx.crt";
sslCertificateKey = "/etc/certs/nginx.key";
addSSL = true;
extraConfig = "return 444;";
};
networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "drift@pvv.ntnu.no";
};
# Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
virtualisation.vmVariant = {
security.acme.defaults.server = "https://127.0.0.1";
security.acme.preliminarySelfsigned = true;
users.users.root.initialPassword = "root";
};
}

@ -1,79 +0,0 @@
{ pkgs, lib, fp, ... }:
{
imports = [
(fp /users)
(fp /modules/snakeoil-certs.nix)
./networking.nix
./nix.nix
./services/acme.nix
./services/auto-upgrade.nix
./services/dbus.nix
./services/fwupd.nix
./services/irqbalance.nix
./services/logrotate.nix
./services/nginx.nix
./services/openssh.nix
./services/postfix.nix
./services/smartd.nix
./services/thermald.nix
./services/userborn.nix
./services/userdbd.nix
];
boot.tmp.cleanOnBoot = lib.mkDefault true;
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
time.timeZone = "Europe/Oslo";
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "no";
};
environment.systemPackages = with pkgs; [
file
git
gnupg
htop
nano
ripgrep
rsync
screen
tmux
vim
wget
kitty.terminfo
];
# .bash_profile already works, but lets also use .bashrc like literally every other distro
# https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
# home-manager usually handles this for you: https://github.com/nix-community/home-manager/blob/22a36aa709de7dd42b562a433b9cefecf104a6ee/modules/programs/bash.nix#L203-L209
# btw, programs.bash.shellInit just goes into environment.shellInit which in turn goes into /etc/profile, spooky shit
programs.bash.shellInit = ''
if [ -n "''${BASH_VERSION:-}" ]; then
if [[ ! -f ~/.bash_profile && ! -f ~/.bash_login ]]; then
[[ -f ~/.bashrc ]] && . ~/.bashrc
fi
fi
'';
programs.zsh.enable = true;
security.lockKernelModules = true;
security.protectKernelImage = true;
security.sudo.execWheelOnly = true;
security.sudo.extraConfig = ''
Defaults lecture = never
'';
users.groups."drift".name = "drift";
# Trusted users on the nix builder machines
users.groups."nix-builder-users".name = "nix-builder-users";
}

@ -1,13 +0,0 @@
{ lib, values, ... }:
{
systemd.network.enable = true;
networking.domain = "pvv.ntnu.no";
networking.useDHCP = false;
# The rest of the networking configuration is usually sourced from /values.nix
services.resolved = {
enable = lib.mkDefault true;
dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
};
}

@ -1,34 +0,0 @@
{ inputs, ... }:
{
nix = {
gc = {
automatic = true;
options = "--delete-older-than 2d";
};
optimise.automatic = true;
settings = {
allow-dirty = true;
builders-use-substitutes = true;
experimental-features = [ "nix-command" "flakes" ];
log-lines = 50;
use-xdg-base-directories = true;
};
/* This makes commandline tools like
** nix run nixpkgs#hello
** and nix-shell -p hello
** use the same channel the system
** was built with
*/
registry = {
"nixpkgs".flake = inputs.nixpkgs;
"nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
"pvv-nix".flake = inputs.self;
};
nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"unstable=${inputs.nixpkgs-unstable}"
];
};
}

@ -1,15 +0,0 @@
{ ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "drift@pvv.ntnu.no";
};
# Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
virtualisation.vmVariant = {
security.acme.defaults.server = "https://127.0.0.1";
security.acme.preliminarySelfsigned = true;
users.users.root.initialPassword = "root";
};
}

@ -1,26 +0,0 @@
{ inputs, pkgs, lib, ... }:
{
system.autoUpgrade = {
enable = true;
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
flags = [
# --update-input is deprecated since nix 2.22, and removed in lix 2.90
# https://git.lix.systems/lix-project/lix/issues/400
"--refresh"
"--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.11-small"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
"--no-write-lock-file"
];
};
# workaround for https://github.com/NixOS/nix/issues/6895
# via https://git.lix.systems/lix-project/lix/issues/400
environment.etc."current-system-flake-inputs.json".source
= pkgs.writers.writeJSON "flake-inputs.json" (
lib.flip lib.mapAttrs inputs (name: input:
# inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
// { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
)
);
}

@ -1,7 +0,0 @@
{ ... }:
{
services.dbus = {
enable = true;
implementation = "broker";
};
}

@ -1,4 +0,0 @@
{ ... }:
{
services.fwupd.enable = true;
}

@ -1,4 +0,0 @@
{ ... }:
{
services.irqbalance.enable = true;
}

@ -1,8 +0,0 @@
{ ... }:
{
systemd.services.logrotate = {
documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
unitConfig.RequiresMountsFor = "/var/log";
serviceConfig.ReadWritePaths = [ "/var/log" ];
};
}

@ -1,48 +0,0 @@
{ config, lib, ... }:
{
# nginx return 444 for all nonexistent virtualhosts
systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
"/etc/certs/nginx" = {
owner = "nginx";
group = "nginx";
};
};
networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
services.nginx = {
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
appendConfig = ''
pcre_jit on;
worker_processes auto;
worker_rlimit_nofile 100000;
'';
eventsConfig = ''
worker_connections 2048;
use epoll;
multi_accept on;
'';
};
systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
LimitNOFILE = 65536;
# We use jit my dudes
MemoryDenyWriteExecute = lib.mkForce false;
# What the fuck do we use that where the defaults are not enough???
SystemCallFilter = lib.mkForce null;
};
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
sslCertificate = "/etc/certs/nginx.crt";
sslCertificateKey = "/etc/certs/nginx.key";
addSSL = true;
extraConfig = "return 444;";
};
}

@ -1,21 +0,0 @@
{ ... }:
{
services.openssh = {
enable = true;
startWhenNeeded = true;
extraConfig = ''
PubkeyAcceptedAlgorithms=+ssh-rsa
Match Group wheel
PasswordAuthentication no
Match All
'';
settings.PermitRootLogin = "yes";
};
users.users."root".openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqVt4LCe0YIttr9swFxjkjn37ZDY9JxwVC+2gvfSINDJorOCtqPjDOTD2fTS1Gz08QCwpnLWq2kyvRchu6WgriAbSACpbZZBgxRaF/FVh3oiMVFGnNKGnv6/fdo/vZtu8mUVuqtmTrgLYpZdbR4oD3XiBlDKs7Cv5hPqt95lnP6MNFvE8mICCfd1PwhsABd2IQ5laz3u77/RXhNFJL0Kf2/+6gk9awcLuwHrPdvq7c3BxRHbc9UMRQENyjyQPa7aLe+uJBFLKP51I8VBuDpDacuibQx7nMt6N2UJ2KWI0JxRMHuJNq4S5jidR82aOw9gzGbTv30SKNLMqsZ0xj4LtdqCXDiZF6Lr09PsJYsvnBUFWa14HGcThKDtgwQwBryNViYmfv//0h9+RLZiU0ab+NEwSs7Zh5iAD+vhx64QqNX3tR7Le4SWXh8W0eShU9N78qYdSkiC3Ui7htxeqOocXM/P4AwbnHsLELIvkHdvgchCPvl8ygZa4WJTEWv16+ICskJcAKWGuqjvXAFuwjJJmPp9xLW9O0DFfQhMELiGamQR9wK07yYQVr34iah6qZO7cwhSKyEPFrVPIaNtfDhsjED639F7vmktf26SWNJHWfW0wOHILjI6TgqUvy0JDd8W8w0CHlAfz6Fs2l99NNgNF8dB3vBASbxS0hu/y0PVu/xQ== openstack-sleipner"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
];
}

@ -1,23 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.postfix;
in
{
services.postfix = {
enable = true;
hostname = "${config.networking.hostName}.pvv.ntnu.no";
domain = "pvv.ntnu.no";
relayHost = "smtp.pvv.ntnu.no";
relayPort = 465;
config = {
smtp_tls_wrappermode = "yes";
smtp_tls_security_level = "encrypt";
};
# Nothing should be delivered to this machine
destination = [ ];
};
}

@ -1,20 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.smartd = {
enable = lib.mkDefault true;
notifications = {
mail = {
enable = true;
sender = "root@pvv.ntnu.no";
recipient = "root@pvv.ntnu.no";
};
wall.enable = false;
};
};
environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
smartmontools
]);
systemd.services.smartd.unitConfig.ConditionVirtualization = "no";
}

@ -1,8 +0,0 @@
{ config, lib, ... }:
{
# Let's not thermal throttle
services.thermald.enable = lib.mkIf (lib.all (x: x) [
(config.nixpkgs.system == "x86_64-linux")
(!config.boot.isContainer or false)
]) true;
}

@ -1,4 +0,0 @@
{ ... }:
{
services.userborn.enable = true;
}

@ -1,4 +0,0 @@
{ ... }:
{
services.userdbd.enable = true;
}

239
flake.lock generated

@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1745502102,
"narHash": "sha256-LqhRwzvIVPEjH0TaPgwzqpyhW6DtCrvz7FnUJDoUZh8=",
"lastModified": 1715445235,
"narHash": "sha256-SUu+oIWn+xqQIOlwfwNfS9Sek4i1HKsrLJchsDReXwA=",
"owner": "nix-community",
"repo": "disko",
"rev": "ca27b88c88948d96feeee9ed814cbd34f53d0d70",
"rev": "159d87ea5b95bbdea46f0288a33c5e1570272725",
"type": "github"
},
"original": {
@ -20,45 +20,64 @@
"type": "github"
}
},
"gergle": {
"fix-python": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"grzegorz",
"nixpkgs"
]
},
"locked": {
"lastModified": 1736621371,
"narHash": "sha256-45UIQSQA7R5iU4YWvilo7mQbhY1Liql9bHBvYa3qRI0=",
"ref": "refs/heads/main",
"rev": "3729796c1213fe76e568ac28f1df8de4e596950b",
"revCount": 20,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
"lastModified": 1713887124,
"narHash": "sha256-hGTSm0p9xXUYDgsAAr/ORZICo6T6u33vLfX3tILikaQ=",
"owner": "GuillaumeDesforges",
"repo": "fix-python",
"rev": "f7f4b33e22414071fc1f9cbf68072c413c3a7fdf",
"type": "github"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
"owner": "GuillaumeDesforges",
"repo": "fix-python",
"type": "github"
}
},
"greg-ng": {
"flake-utils": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay"
"systems": "systems"
},
"locked": {
"lastModified": 1736545379,
"narHash": "sha256-PeTTmGumdOX3rd6OKI7QMCrZovCDkrckZbcHr+znxWA=",
"ref": "refs/heads/main",
"rev": "74f5316121776db2769385927ec0d0c2cc2b23e4",
"revCount": 42,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
"lastModified": 1689068808,
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
"type": "github"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
"id": "flake-utils",
"type": "indirect"
}
},
"grzegorz": {
"inputs": {
"fix-python": "fix-python",
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1715364232,
"narHash": "sha256-ZJC3SkanEgbV7p+LFhP+85CviRWOXJNHzZwR/Stb7hE=",
"owner": "Programvareverkstedet",
"repo": "grzegorz",
"rev": "3841cda1cdcac470440b06838d56a2eb2256378c",
"type": "github"
},
"original": {
"owner": "Programvareverkstedet",
"repo": "grzegorz",
"type": "github"
}
},
"grzegorz-clients": {
@ -68,17 +87,17 @@
]
},
"locked": {
"lastModified": 1736178795,
"narHash": "sha256-mPdi8cgvIDYcgG3FRG7A4BOIMu2Jef96TPMnV00uXlM=",
"ref": "refs/heads/master",
"rev": "fde738910de1fd8293535a6382c2f0c2749dd7c1",
"revCount": 79,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
"lastModified": 1715384651,
"narHash": "sha256-7RhckgUTjqeCjWkhiCc1iB+5CBx9fl80d/3O4Jh+5kM=",
"owner": "Programvareverkstedet",
"repo": "grzegorz-clients",
"rev": "738a4f3dd887f7c3612e4e772b83cbfa3cde5693",
"type": "github"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
"owner": "Programvareverkstedet",
"repo": "grzegorz-clients",
"type": "github"
}
},
"matrix-next": {
@ -88,35 +107,20 @@
]
},
"locked": {
"lastModified": 1735857245,
"narHash": "sha256-AKLLPrgXTxgzll3DqVUMa4QlPlRN3QceutgFBmEf8Nk=",
"lastModified": 1717234745,
"narHash": "sha256-MFyKRdw4WQD6V3vRGbP6MYbtJhZp712zwzjW6YiOBYM=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "da9dc0479ffe22362793c87dc089035facf6ec4d",
"rev": "d7dc42c9bbb155c5e4aa2f0985d0df75ce978456",
"type": "github"
},
"original": {
"owner": "dali99",
"ref": "0.7.0",
"ref": "v0.6.0",
"repo": "nixos-matrix-modules",
"type": "github"
}
},
"minecraft-data": {
"locked": {
"lastModified": 1725277886,
"narHash": "sha256-Fw4VbbE3EfypQWSgPDFfvVH47BHeg3ptsO715NlUM8Q=",
"ref": "refs/heads/master",
"rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
"revCount": 2,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
}
},
"nix-gitea-themes": {
"inputs": {
"nixpkgs": [
@ -124,49 +128,63 @@
]
},
"locked": {
"lastModified": 1743881366,
"narHash": "sha256-ScGA2IHPk9ugf9bqEZnp+YB/OJgrkZblnG/XLEKvJAo=",
"lastModified": 1714416973,
"narHash": "sha256-aZUcvXjdETUC6wVQpWDVjLUzwpDAEca8yR0ITDeK39o=",
"ref": "refs/heads/main",
"rev": "db2e4becf1b11e5dfd33de12a90a7d089fcf68ec",
"revCount": 11,
"rev": "2b23c0ba8aae68d3cb6789f0f6e4891cef26cc6d",
"revCount": 6,
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
"url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
"url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1745526780,
"narHash": "sha256-LXXYBmFPMQU2lTb6alKWfjgQs08BKn+txMNcgbu00hI=",
"lastModified": 1719520878,
"narHash": "sha256-5BXzNOl2RVHcfS/oxaZDKOi7gVuTyWPibQG0DHd5sSc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9204750b34cae1a8347ab4b5588115edfeebc6d7",
"rev": "a44bedbb48c367f0476e6a3a27bf28f6330faf23",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-24.05-small",
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1714858427,
"narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11-small",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1745688173,
"narHash": "sha256-fgvG1O5JvSSjeQx+ea0DJ3GfMbLPVhAQta/DqQ2y6jc=",
"lastModified": 1715435713,
"narHash": "sha256-lb2HqDQGfTdnCCpc1pgF6fkdgIOuBQ0nP8jjVSfLFqg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6a2957c7978b189202e03721aab901c0a9dc1e1a",
"rev": "52b40f6c4be12742b1504ca2eb4527e597bf2526",
"type": "github"
},
"original": {
"owner": "NixOS",
"id": "nixpkgs",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
"type": "indirect"
}
},
"pvv-calendar-bot": {
@ -189,6 +207,25 @@
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
}
},
"pvv-doorbell-bot": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"dirtyRev": "cec320746bbf5b5bc6618a145c1a997ebd0b5196-dirty",
"dirtyShortRev": "cec3207-dirty",
"lastModified": 1724515328,
"narHash": "sha256-Vj3ZJkCaLq+6d1LJtl7Hg5f7XV4NDPeNC1xEyu9QkOI=",
"type": "git",
"url": "file:///home/felixalb/doorbell-matrix-bot"
},
"original": {
"type": "git",
"url": "file:///home/felixalb/doorbell-matrix-bot"
}
},
"pvv-nettsiden": {
"inputs": {
"nixpkgs": [
@ -196,11 +233,11 @@
]
},
"locked": {
"lastModified": 1741738148,
"narHash": "sha256-cJo6nbcJEOjkazkZ194NDnlsZe0W0wpxeUh2/886uC8=",
"ref": "refs/heads/main",
"rev": "c1802e7cf27c7cf8b4890354c982a4eef5b11593",
"revCount": 486,
"lastModified": 1722722932,
"narHash": "sha256-K81a2GQpY2kRX+C9ek9r91THlZB674CqRTSMMb5IO7E=",
"ref": "refs/heads/master",
"rev": "6580cfe546c902cdf11e17b0b8aa30b3c412bb34",
"revCount": 465,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
},
@ -212,52 +249,31 @@
"root": {
"inputs": {
"disko": "disko",
"gergle": "gergle",
"greg-ng": "greg-ng",
"grzegorz": "grzegorz",
"grzegorz-clients": "grzegorz-clients",
"matrix-next": "matrix-next",
"minecraft-data": "minecraft-data",
"nix-gitea-themes": "nix-gitea-themes",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"pvv-calendar-bot": "pvv-calendar-bot",
"pvv-doorbell-bot": "pvv-doorbell-bot",
"pvv-nettsiden": "pvv-nettsiden",
"sops-nix": "sops-nix"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"greg-ng",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729391507,
"narHash": "sha256-as0I9xieJUHf7kiK2a9znDsVZQTFWhM1pLivII43Gi0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "784981a9feeba406de38c1c9a3decf966d853cca",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1745310711,
"narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
"lastModified": 1715244550,
"narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
"rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f",
"type": "github"
},
"original": {
@ -265,6 +281,21 @@
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",

@ -2,8 +2,8 @@
description = "PVV System flake";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small"; # remember to also update the url in base/services/auto-upgrade.nix
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
nixpkgs.url = "nixpkgs/nixos-24.05-small";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@ -17,31 +17,31 @@
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules/0.7.0";
pvv-doorbell-bot.url = "git+https://git.pvv.ntnu.no/Projects/doorbell-matrix-bot.git";
#pvv-doorbell-bot.url = "git+file:///home/felixalb/doorbell-matrix-bot";
pvv-doorbell-bot.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.0";
matrix-next.inputs.nixpkgs.follows = "nixpkgs";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git";
greg-ng.inputs.nixpkgs.follows = "nixpkgs";
gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git";
gergle.inputs.nixpkgs.follows = "nixpkgs";
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git";
grzegorz.url = "github:Programvareverkstedet/grzegorz";
grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
minecraft-data.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git";
};
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
let
inherit (nixpkgs) lib;
nixlib = nixpkgs.lib;
systems = [
"x86_64-linux"
"aarch64-linux"
"aarch64-darwin"
];
forAllSystems = f: lib.genAttrs systems f;
forAllSystems = f: nixlib.genAttrs systems f;
allMachines = builtins.attrNames self.nixosConfigurations;
importantMachines = [
"bekkalokk"
@ -51,17 +51,16 @@
"ildkule"
];
in {
inputs = lib.mapAttrs (_: src: src.outPath) inputs;
inherit inputs;
nixosConfigurations = let
unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
nixosConfig = nixpkgs: name: config: lib.nixosSystem (lib.recursiveUpdate
nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
rec {
system = "x86_64-linux";
specialArgs = {
inherit unstablePkgs inputs;
inherit nixpkgs-unstable inputs;
values = import ./values.nix;
fp = path: ./${path};
};
modules = [
@ -71,11 +70,6 @@
pkgs = import nixpkgs {
inherit system;
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
[
"nvidia-x11"
"nvidia-settings"
];
overlays = [
# Global overlays go here
] ++ config.overlays or [ ];
@ -91,9 +85,11 @@
modules = [
inputs.matrix-next.nixosModules.default
inputs.pvv-calendar-bot.nixosModules.default
inputs.pvv-doorbell-bot.nixosModules.default
];
overlays = [
inputs.pvv-calendar-bot.overlays.x86_64-linux.default
inputs.pvv-doorbell-bot.overlays.x86_64-linux.default
];
};
bekkalokk = stableNixosConfig "bekkalokk" {
@ -102,11 +98,12 @@
heimdal = unstablePkgs.heimdal;
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
bluemap = final.callPackage ./packages/bluemap.nix { };
})
inputs.nix-gitea-themes.overlays.default
inputs.pvv-nettsiden.overlays.default
];
modules = [
inputs.nix-gitea-themes.nixosModules.default
inputs.pvv-nettsiden.nixosModules.default
];
};
@ -119,64 +116,29 @@
ildkule = stableNixosConfig "ildkule" { };
#ildkule-unstable = unstableNixosConfig "ildkule" { };
shark = stableNixosConfig "shark" { };
wenche = stableNixosConfig "wenche" { };
kommode = stableNixosConfig "kommode" {
overlays = [
inputs.nix-gitea-themes.overlays.default
];
modules = [
inputs.nix-gitea-themes.nixosModules.default
];
};
ustetind = stableNixosConfig "ustetind" {
modules = [
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
];
};
brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
modules = [
inputs.grzegorz.nixosModules.grzegorz-kiosk
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.gergle.nixosModules.default
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
inputs.gergle.overlays.default
];
};
georg = stableNixosConfig "georg" {
modules = [
inputs.grzegorz.nixosModules.grzegorz-kiosk
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.gergle.nixosModules.default
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
inputs.gergle.overlays.default
];
};
buskerud = stableNixosConfig "buskerud" { };
};
nixosModules = {
snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix;
robots-txt = ./modules/robots-txt.nix;
};
devShells = forAllSystems (system: {
default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
cuda = let
cuda-pkgs = import nixpkgs {
inherit system;
config = {
allowUnfree = true;
cudaSupport = true;
};
};
in cuda-pkgs.callPackage ./shells/cuda.nix { };
});
packages = {
@ -185,19 +147,19 @@
in rec {
default = important-machines;
important-machines = pkgs.linkFarm "important-machines"
(lib.getAttrs importantMachines self.packages.x86_64-linux);
(nixlib.getAttrs importantMachines self.packages.x86_64-linux);
all-machines = pkgs.linkFarm "all-machines"
(lib.getAttrs allMachines self.packages.x86_64-linux);
(nixlib.getAttrs allMachines self.packages.x86_64-linux);
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
} //
(lib.pipe null [
(nixlib.pipe null [
(_: pkgs.callPackage ./packages/mediawiki-extensions { })
(lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
(lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
(nixlib.flip builtins.removeAttrs ["override" "overrideDerivation"])
(nixlib.mapAttrs' (name: nixlib.nameValuePair "mediawiki-${name}"))
])
// lib.genAttrs allMachines
// nixlib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
};
};

@ -1,24 +1,22 @@
{ fp, pkgs, values, ... }:
{ pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
../../base.nix
../../misc/metrics-exporters.nix
./services/bluemap/default.nix
./services/gitea/default.nix
./services/idp-simplesamlphp
./services/kerberos
./services/mediawiki
./services/nginx.nix
./services/phpfpm.nix
./services/vaultwarden.nix
./services/webmail
./services/website
./services/well-known
];
sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
@ -33,8 +31,6 @@
address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
services.btrfs.autoScrub.enable = true;
# Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11";

@ -1,85 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
in {
imports = [
./module.nix # From danio, pending upstreaming
];
disabledModules = [ "services/web-apps/bluemap.nix" ];
sops.secrets."bluemap/ssh-key" = { };
sops.secrets."bluemap/ssh-known-hosts" = { };
services.bluemap = {
enable = true;
package = pkgs.callPackage ./package.nix { };
eula = true;
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
host = "minecraft.pvv.ntnu.no";
maps = {
"verden" = {
settings = {
world = vanillaSurvival;
sorting = 0;
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.verden;
};
};
"underverden" = {
settings = {
world = "${vanillaSurvival}/DIM-1";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.underverden;
};
};
"enden" = {
settings = {
world = "${vanillaSurvival}/DIM1";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
};
};
services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
};
# TODO: render somewhere else lmao
systemd.services."render-bluemap-maps" = {
preStart = ''
mkdir -p /var/lib/bluemap/world
${pkgs.rsync}/bin/rsync \
-e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" \
-avz --no-owner --no-group \
root@innovation.pvv.ntnu.no:/ \
${vanillaSurvival}
'';
serviceConfig = {
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
];
};
};
}

@ -1,351 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.bluemap;
format = pkgs.formats.hocon { };
coreConfig = format.generate "core.conf" cfg.coreSettings;
webappConfig = format.generate "webapp.conf" cfg.webappSettings;
webserverConfig = format.generate "webserver.conf" cfg.webserverSettings;
storageFolder = pkgs.linkFarm "storage"
(lib.attrsets.mapAttrs' (name: value:
lib.nameValuePair "${name}.conf"
(format.generate "${name}.conf" value))
cfg.storage);
mapsFolder = pkgs.linkFarm "maps"
(lib.attrsets.mapAttrs' (name: value:
lib.nameValuePair "${name}.conf"
(format.generate "${name}.conf" value.settings))
cfg.maps);
webappConfigFolder = pkgs.linkFarm "bluemap-config" {
"maps" = mapsFolder;
"storages" = storageFolder;
"core.conf" = coreConfig;
"webapp.conf" = webappConfig;
"webserver.conf" = webserverConfig;
"packs" = cfg.resourcepacks;
};
renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
"maps" = pkgs.linkFarm "maps" {
"${name}.conf" = (format.generate "${name}.conf" value.settings);
};
"storages" = storageFolder;
"core.conf" = coreConfig;
"webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
"webserver.conf" = webserverConfig;
"packs" = value.resourcepacks;
};
inherit (lib) mkOption;
in {
options.services.bluemap = {
enable = lib.mkEnableOption "bluemap";
package = lib.mkPackageOption pkgs "bluemap" { };
eula = mkOption {
type = lib.types.bool;
description = ''
By changing this option to true you confirm that you own a copy of minecraft Java Edition,
and that you agree to minecrafts EULA.
'';
default = false;
};
defaultWorld = mkOption {
type = lib.types.path;
description = ''
The world used by the default map ruleset.
If you configure your own maps you do not need to set this.
'';
example = lib.literalExpression "\${config.services.minecraft.dataDir}/world";
};
enableRender = mkOption {
type = lib.types.bool;
description = "Enable rendering";
default = true;
};
webRoot = mkOption {
type = lib.types.path;
default = "/var/lib/bluemap/web";
description = "The directory for saving and serving the webapp and the maps";
};
enableNginx = mkOption {
type = lib.types.bool;
default = true;
description = "Enable configuring a virtualHost for serving the bluemap webapp";
};
host = mkOption {
type = lib.types.str;
default = "bluemap.${config.networking.domain}";
defaultText = lib.literalExpression "bluemap.\${config.networking.domain}";
description = "Domain to configure nginx for";
};
onCalendar = mkOption {
type = lib.types.str;
description = ''
How often to trigger rendering the map,
in the format of a systemd timer onCalendar configuration.
See {manpage}`systemd.timer(5)`.
'';
default = "*-*-* 03:10:00";
};
coreSettings = mkOption {
type = lib.types.submodule {
freeformType = format.type;
options = {
data = mkOption {
type = lib.types.path;
description = "Folder for where bluemap stores its data";
default = "/var/lib/bluemap";
};
metrics = lib.mkEnableOption "Sending usage metrics containing the version of bluemap in use";
};
};
description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
};
webappSettings = mkOption {
type = lib.types.submodule {
freeformType = format.type;
};
default = {
enabled = true;
webroot = cfg.webRoot;
};
defaultText = lib.literalExpression ''
{
enabled = true;
webroot = config.services.bluemap.webRoot;
}
'';
description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
};
webserverSettings = mkOption {
type = lib.types.submodule {
freeformType = format.type;
options = {
enabled = mkOption {
type = lib.types.bool;
description = ''
Enable bluemap's built-in webserver.
Disabled by default in nixos for use of nginx directly.
'';
default = false;
};
};
};
default = { };
description = ''
Settings for the webserver.conf file, usually not required.
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
'';
};
maps = mkOption {
type = lib.types.attrsOf (lib.types.submodule {
options = {
resourcepacks = mkOption {
type = lib.types.path;
default = cfg.resourcepacks;
defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
description = "A set of resourcepacks/mods/bluemap-addons to extract models from loaded in alphabetical order";
};
settings = mkOption {
type = (lib.types.submodule {
freeformType = format.type;
options = {
world = mkOption {
type = lib.types.path;
description = "Path to world folder containing the dimension to render";
};
};
});
description = ''
Settings for files in `maps/`.
See the default for an example with good options for the different world types.
For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
'';
};
};
});
default = {
"overworld".settings = {
world = "${cfg.defaultWorld}";
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
"nether".settings = {
world = "${cfg.defaultWorld}/DIM-1";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
};
"end".settings = {
world = "${cfg.defaultWorld}/DIM1";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
defaultText = lib.literalExpression ''
{
"overworld".settings = {
world = "''${cfg.defaultWorld}";
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
"nether".settings = {
world = "''${cfg.defaultWorld}/DIM-1";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
};
"end".settings = {
world = "''${cfg.defaultWorld}/DIM1";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
'';
description = ''
map-specific configuration.
These correspond to views in the webapp and are usually
different dimension of a world or different render settings of the same dimension.
If you set anything in this option you must configure all dimensions yourself!
'';
};
storage = mkOption {
type = lib.types.attrsOf (lib.types.submodule {
freeformType = format.type;
options = {
storage-type = mkOption {
type = lib.types.enum [ "FILE" "SQL" ];
description = "Type of storage config";
default = "FILE";
};
};
});
description = ''
Where the rendered map will be stored.
Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/storages)
'';
default = {
"file" = {
root = "${cfg.webRoot}/maps";
};
};
defaultText = lib.literalExpression ''
{
"file" = {
root = "''${config.services.bluemap.webRoot}/maps";
};
}
'';
};
resourcepacks = mkOption {
type = lib.types.path;
default = pkgs.linkFarm "resourcepacks" { };
description = ''
A set of resourcepacks/mods to extract models from loaded in alphabetical order.
Can be overriden on a per-map basis with `services.bluemap.maps.<name>.resourcepacks`.
'';
};
};
config = lib.mkIf cfg.enable {
assertions =
[ { assertion = config.services.bluemap.eula;
message = ''
You have enabled bluemap but have not accepted minecraft's EULA.
You can achieve this through setting `services.bluemap.eula = true`
'';
}
];
services.bluemap.coreSettings.accept-download = cfg.eula;
systemd.services."render-bluemap-maps" = lib.mkIf cfg.enableRender {
serviceConfig = {
Type = "oneshot";
Group = "nginx";
UMask = "026";
};
script = ''
# If web folder doesnt exist generate it
test -f "${cfg.webRoot}" || ${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
# Render each minecraft map
${lib.strings.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
(name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r")
cfg.maps)}
# Generate updated webapp
${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
'';
};
systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = cfg.onCalendar;
Persistent = true;
Unit = "render-bluemap-maps.service";
};
};
services.nginx.virtualHosts = lib.mkIf cfg.enableNginx {
"${cfg.host}" = {
root = config.services.bluemap.webRoot;
locations = {
"~* ^/maps/[^/]*/tiles/".extraConfig = ''
error_page 404 = @empty;
'';
"@empty".return = "204";
};
};
};
};
meta = {
maintainers = with lib.maintainers; [ dandellion h7x4 ];
};
}

@ -1,30 +0,0 @@
{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
stdenvNoCC.mkDerivation rec {
pname = "bluemap";
version = "5.7";
src = fetchurl {
url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
hash = "sha256-8udZYJgrr4bi2mjRYrASd8JwUoUVZW1tZpOLRgafAIw=";
};
dontUnpack = true;
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
runHook preInstall
makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
runHook postInstall
'';
meta = {
description = "3D minecraft map renderer";
homepage = "https://bluemap.bluecolored.de/";
sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ dandellion h7x4 ];
mainProgram = "bluemap";
};
}

@ -15,8 +15,8 @@ let
enable = true;
name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
labels = [
"debian-latest:docker://node:current-bookworm"
"ubuntu-latest:docker://node:current-bookworm"
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:18-bullseye"
];
tokenFile = config.sops.secrets."gitea/runners/${name}".path;
};
@ -27,15 +27,5 @@ lib.mkMerge [
(mkRunner "alpha")
(mkRunner "beta")
(mkRunner "epsilon")
{
virtualisation.podman = {
enable = true;
defaultNetwork.settings.dns_enabled = true;
autoPrune.enable = true;
};
networking.dhcpcd.IPv6rs = false;
networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
}
{ virtualisation.podman.enable = true; }
]

@ -1,14 +1,12 @@
{ config, values, lib, unstablePkgs, ... }:
{ config, values, pkgs, lib, ... }:
let
cfg = config.services.gitea;
domain = "git.pvv.ntnu.no";
sshPort = 2222;
in {
imports = [
./customization
./gpg.nix
./import-users
./web-secret-provider
./ci.nix
./import-users.nix
];
sops.secrets = {
@ -26,8 +24,6 @@ in {
enable = true;
appName = "PVV Git";
package = unstablePkgs.gitea;
database = {
type = "postgres";
host = "postgres.pvv.ntnu.no";
@ -49,10 +45,6 @@ in {
START_LFS_SERVER = true;
LANDING_PAGE = "explore";
};
"git.timeout" = {
MIGRATE = 3600;
MIRROR = 1800;
};
mailer = {
ENABLED = true;
FROM = "gitea@pvv.ntnu.no";
@ -62,16 +54,10 @@ in {
USER = "gitea@pvv.ntnu.no";
SUBJECT_PREFIX = "[pvv-git]";
};
metrics = {
ENABLED = true;
ENABLED_ISSUE_BY_LABEL = true;
ENABLED_ISSUE_BY_REPOSITORY = true;
};
indexer.REPO_INDEXER_ENABLED = true;
service = {
DISABLE_REGISTRATION = true;
ENABLE_NOTIFY_MAIL = true;
AUTO_WATCH_NEW_REPOS = false;
};
admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
session.COOKIE_SECURE = true;
@ -111,65 +97,54 @@ in {
ENABLE_FEDERATED_AVATAR = false;
};
actions.ENABLED = true;
ui = {
REACTIONS = lib.concatStringsSep "," [
"+1"
"-1"
"laugh"
"confused"
"heart"
"hooray"
"rocket"
"eyes"
"100"
"anger"
"astonished"
"no_good"
"ok_hand"
"pensive"
"pizza"
"point_up"
"sob"
"skull"
"upside_down_face"
"shrug"
];
};
"ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
};
dump = {
enable = true;
interval = "weekly";
type = "tar.gz";
};
};
environment.systemPackages = [ cfg.package ];
systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch";
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
kTLS = true;
locations = {
"/" = {
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
extraConfig = ''
client_max_body_size 512M;
'';
};
"/metrics" = {
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4}/32;
allow ${values.hosts.ildkule.ipv6}/128;
deny all;
'';
};
locations."/" = {
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
extraConfig = ''
client_max_body_size 512M;
'';
};
};
networking.firewall.allowedTCPPorts = [ sshPort ];
# Extra customization
services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
systemd.services.install-gitea-customization = {
description = "Install extra customization in gitea's CUSTOM_DIR";
wantedBy = [ "gitea.service" ];
requiredBy = [ "gitea.service" ];
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
};
script = let
logo-svg = ../../../../assets/logo_blue_regular.svg;
logo-png = ../../../../assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
in ''
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
'';
};
}

@ -0,0 +1,94 @@
import requests
import secrets
import os
EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
if EMAIL_DOMAIN is None:
EMAIL_DOMAIN = 'pvv.ntnu.no'
API_TOKEN = os.getenv('API_TOKEN')
if API_TOKEN is None:
raise Exception('API_TOKEN not set')
GITEA_API_URL = os.getenv('GITEA_API_URL')
if GITEA_API_URL is None:
GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
BANNED_SHELLS = [
"/usr/bin/nologin",
"/usr/sbin/nologin",
"/sbin/nologin",
"/bin/false",
"/bin/msgsh",
]
existing_users = {}
# This function should only ever be called when adding users
# from the passwd file
def add_user(username, name):
user = {
"full_name": name,
"username": username,
"login_name": username,
"source_id": 1, # 1 = SMTP
}
if username not in existing_users:
user["password"] = secrets.token_urlsafe(32)
user["must_change_password"] = False
user["visibility"] = "private"
user["email"] = username + '@' + EMAIL_DOMAIN
r = requests.post(GITEA_API_URL + '/admin/users', json=user,
headers={'Authorization': 'token ' + API_TOKEN})
if r.status_code != 201:
print('ERR: Failed to create user ' + username + ': ' + r.text)
return
print('Created user ' + username)
existing_users[username] = user
else:
user["visibility"] = existing_users[username]["visibility"]
r = requests.patch(GITEA_API_URL + f'/admin/users/{username}',
json=user,
headers={'Authorization': 'token ' + API_TOKEN})
if r.status_code != 200:
print('ERR: Failed to update user ' + username + ': ' + r.text)
return
print('Updated user ' + username)
def main():
# Fetch existing users
r = requests.get(GITEA_API_URL + '/admin/users',
headers={'Authorization': 'token ' + API_TOKEN})
if r.status_code != 200:
raise Exception('Failed to get users: ' + r.text)
for user in r.json():
existing_users[user['login']] = user
# Read the file, add each user
with open("/tmp/passwd-import", 'r') as f:
for line in f.readlines():
uid = int(line.split(':')[2])
if uid < 1000:
continue
shell = line.split(':')[-1]
if shell in BANNED_SHELLS:
continue
username = line.split(':')[0]
name = line.split(':')[4].split(',')[0]
add_user(username, name)
if __name__ == '__main__':
main()

@ -14,9 +14,6 @@ in
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
serviceConfig = {
ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
flakeIgnore = [
"E501" # Line over 80 chars lol
];
libraries = with pkgs.python3Packages; [ requests ];
} (builtins.readFile ./gitea-import-users.py);
LoadCredential=[

@ -202,12 +202,6 @@ in
rewrite ^/simplesaml/(.*)$ /$1 redirect;
return 404;
'';
"/robots.txt" = {
root = pkgs.writeTextDir "robots.txt" ''
User-agent: *
Disallow: /
'';
};
};
};
};

@ -1,4 +1,4 @@
{ pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
{ pkgs, lib, config, values, pkgs-unstable, ... }: let
cfg = config.services.mediawiki;
# "mediawiki"
@ -61,6 +61,7 @@ in {
user = "mediawiki";
passwordFile = config.sops.secrets."mediawiki/postgres_password".path;
createLocally = false;
# TODO: create a normal database and copy over old data when the service is production ready
name = "mediawiki";
};
@ -209,8 +210,8 @@ in {
'';
};
"= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg;
"= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png;
"= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
"= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
"= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
buildInputs = with pkgs; [ imagemagick ];
} ''
@ -218,7 +219,7 @@ in {
-resize x64 \
-gravity center \
-crop 64x64+0+0 \
${fp /assets/logo_blue_regular.png} \
${../../../../assets/logo_blue_regular.png} \
-flatten \
-colors 256 \
-background transparent \

@ -1,51 +0,0 @@
{ lib, ... }:
let
pools = map (pool: "phpfpm-${pool}") [
"idp"
"mediawiki"
"pvv-nettsiden"
"roundcube"
"snappymail"
];
in
{
# Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
systemd.services = lib.genAttrs pools (_: {
serviceConfig = let
caps = [
"CAP_NET_BIND_SERVICE"
"CAP_SETGID"
"CAP_SETUID"
"CAP_CHOWN"
"CAP_KILL"
"CAP_IPC_LOCK"
"CAP_DAC_OVERRIDE"
];
in {
AmbientCapabilities = caps;
CapabilityBoundingSet = caps;
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = false;
NoNewPrivileges = true;
PrivateMounts = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RemoveIPC = true;
UMask = "0077";
RestrictNamespaces = "~mnt";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
KeyringMode = "private";
SystemCallFilter = [
"@system-service"
];
};
});
}

@ -65,38 +65,4 @@ in {
proxyWebsockets = true;
};
};
systemd.services.vaultwarden = lib.mkIf cfg.enable {
serviceConfig = {
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
NoNewPrivileges = true;
# MemoryDenyWriteExecute = true;
PrivateMounts = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
};
};
}

@ -6,11 +6,6 @@ let
domain = "webmail.pvv.ntnu.no";
in
{
sops.secrets."roundcube/postgres_password" = {
owner = "nginx";
group = "nginx";
};
services.roundcube = {
enable = true;
@ -21,15 +16,10 @@ in
custom_from
]);
dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
maxAttachmentSize = 20;
hostName = "roundcubeplaceholder.example.com";
database = {
host = "postgres.pvv.ntnu.no";
passwordFile = config.sops.secrets."roundcube/postgres_password".path;
};
extraConfig = ''
$config['enable_installer'] = false;
$config['default_host'] = "ssl://imap.pvv.ntnu.no";

@ -1,8 +1,8 @@
{ config, lib, fp, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
cfg = config.services.snappymail;
in {
imports = [ (fp /modules/snappymail.nix) ];
imports = [ ../../../../modules/snappymail.nix ];
services.snappymail = {
enable = true;

@ -67,12 +67,7 @@ in {
ADMIN_NAME = "PVV Drift";
ADMIN_EMAIL = "drift@pvv.ntnu.no";
ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
TRUSTED_DOMAINS = [
"www.pvv.ntnu.no"
"pvv.ntnu.no"
"www.pvv.org"
"pvv.org"
];
TRUSTED_DOMAINS = [ cfg.domainName ];
};
};
};
@ -121,6 +116,16 @@ in {
"/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift";
"/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse";
"/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza";
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"^~ /.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
};
};
}

@ -62,33 +62,6 @@ in {
WorkingDirectory = galleryDir;
User = config.services.pvv-nettsiden.user;
Group = config.services.pvv-nettsiden.group;
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true; # disable for third party rotate scripts
PrivateDevices = true;
PrivateNetwork = true; # disable for mail delivery
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true; # disable for userdir logs
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true; # disable for creating setgid directories
SocketBindDeny = [ "any" ];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
};
};
}

@ -1,18 +0,0 @@
{ ... }:
{
services.nginx.virtualHosts."www.pvv.ntnu.no".locations = {
"^~ /.well-known/" = {
alias = (toString ./root) + "/";
};
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"^~ /.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
};
}

@ -1,31 +0,0 @@
<?xml version="1.0"?>
<clientConfig version="1.1">
<emailProvider id="pvv.ntnu.no">
<domain>pvv.ntnu.no</domain>
<domain>pvv.org</domain>
<displayName>Programvareverkstedet</displayName>
<incomingServer type="imap">
<hostname>imap.pvv.ntnu.no</hostname>
<port>993</port>
<socketType>SSL</socketType>
<username>%EMAILLOCALPART%</username>
<authentication>password-cleartext</authentication>
</incomingServer>
<outgoingServer type="smtp">
<hostname>smtp.pvv.ntnu.no</hostname>
<port>587</port>
<socketType>STARTTLS</socketType>
<username>%EMAILLOCALPART%</username>
<authentication>password-cleartext</authentication>
<useGlobalPreferredServer>true</useGlobalPreferredServer>
</outgoingServer>
<documentation url="https://www.pvv.ntnu.no/pvv/Drift/Mail/IMAP_POP3">
<descr lang="en">Setup programvareverkstedet email user with IMAP or POP3</descr>
<descr lang="nb">Sett opp programvareverkstedet email bruker med IMAP eller POP3</descr>
</documentation>
</emailProvider>
</clientConfig>

@ -1,12 +0,0 @@
Contact: mailto:drift@pvv.ntnu.no
Contact: mailto:cert@pvv.ntnu.no
# drift@pvv.ntnu.no is read by more people and have a quicker reaction time,
# but cert@pvv.ntnu.no can be used for more severe issues.
Preferred-Languages: no, en
Expires: 2032-12-31T23:59:59.000Z
# This file was last updated 2024-09-14.
# You can find a wikipage for our security policies at:
# https://wiki.pvv.ntnu.no/wiki/CERT

24
hosts/bicep/acmeCert.nix Normal file

@ -0,0 +1,24 @@
{ values, ... }:
{
users.groups.acme.members = [ "nginx" ];
security.acme.certs."postgres.pvv.ntnu.no" = {
group = "acme";
extraDomainNames = [
# "postgres.pvv.org"
"bicep.pvv.ntnu.no"
# "bicep.pvv.org"
# values.hosts.bicep.ipv4
# values.hosts.bicep.ipv6
];
};
services.nginx = {
enable = true;
virtualHosts."postgres.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
# useACMEHost = "postgres.pvv.ntnu.no";
};
};
}

@ -1,20 +1,24 @@
{ fp, pkgs, values, ... }:
{ pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
../../base.nix
../../misc/metrics-exporters.nix
./services/nginx
./acmeCert.nix
./services/calendar-bot.nix
./services/doorbell-bot.nix
./services/mysql.nix
./services/mysql.nix
./services/postgres.nix
./services/matrix
];
sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
sops.defaultSopsFile = ../../secrets/bicep/bicep.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
@ -33,9 +37,6 @@
anyInterface = true;
};
# There are no smart devices
services.smartd.enable = false;
# Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11";

@ -1,16 +1,16 @@
{ config, fp, lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
cfg = config.services.pvv-calendar-bot;
in {
sops.secrets = {
"calendar-bot/matrix_token" = {
sopsFile = fp /secrets/bicep/bicep.yaml;
sopsFile = ../../../secrets/bicep/bicep.yaml;
key = "calendar-bot/matrix_token";
owner = cfg.user;
group = cfg.group;
};
"calendar-bot/mysql_password" = {
sopsFile = fp /secrets/bicep/bicep.yaml;
sopsFile = ../../../secrets/bicep/bicep.yaml;
key = "calendar-bot/mysql_password";
owner = cfg.user;
group = cfg.group;

@ -0,0 +1,16 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.pvv-doorbell-bot;
in {
sops.secrets."doorbell-bot/config-json" = {
owner = cfg.user;
group = cfg.group;
};
services.pvv-doorbell-bot = {
enable = true;
settings = {
configFile = config.sops.secrets."doorbell-bot/config-json".path;
};
};
}

@ -1,14 +1,14 @@
{ config, lib, fp, pkgs, secrets, values, ... }:
{ config, lib, pkgs, secrets, ... }:
{
sops.secrets."matrix/synapse/turnconfig" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "synapse/turnconfig";
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
};
sops.secrets."matrix/coturn/static-auth-secret" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "coturn/static-auth-secret";
owner = config.users.users.turnserver.name;
group = config.users.users.turnserver.group;
@ -48,9 +48,6 @@
users.users.turnserver.extraGroups = [ "acme" ];
# It needs this to be allowed to access the files with the acme group
systemd.services.coturn.serviceConfig.PrivateUsers = lib.mkForce false;
systemd.services."acme-${config.services.coturn.realm}".serviceConfig = {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
};
@ -63,14 +60,12 @@
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
use-auth-secret = true;
# World readable but I dont think it's that bad
static-auth-secret-file = config.sops.secrets."matrix/coturn/static-auth-secret".path;
secure-stun = true;
listening-ips = [
values.services.turn.ipv4
values.services.turn.ipv6
];
listening-ips = [ "129.241.210.213" "2001:700:300:1900::213" ];
tls-listening-port = 443;
alt-tls-listening-port = 5349;

@ -10,7 +10,6 @@
./mjolnir.nix
./discord.nix
./hookshot
];

@ -1,4 +1,4 @@
{ config, lib, fp, ... }:
{ config, lib, ... }:
let
cfg = config.services.mx-puppet-discord;
@ -6,42 +6,15 @@ in
{
users.groups.keys-matrix-registrations = { };
sops.secrets."matrix/discord/as_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "discord/as_token";
};
sops.secrets."matrix/discord/hs_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "discord/hs_token";
};
sops.templates."discord-registration.yaml" = {
sops.secrets."matrix/registrations/mx-puppet-discord" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "registrations/mx-puppet-discord";
owner = config.users.users.matrix-synapse.name;
group = config.users.groups.keys-matrix-registrations.name;
content = ''
as_token: "${config.sops.placeholder."matrix/discord/as_token"}"
hs_token: "${config.sops.placeholder."matrix/discord/hs_token"}"
id: discord-puppet
namespaces:
users:
- exclusive: true
regex: '@_discordpuppet_.*'
rooms: []
aliases:
- exclusive: true
regex: '#_discordpuppet_.*'
protocols: []
rate_limited: false
sender_localpart: _discordpuppet_bot
url: 'http://localhost:8434'
de.sorunome.msc2409.push_ephemeral: true
'';
};
systemd.services.mx-puppet-discord = {
serviceConfig.SupplementaryGroups = [
config.users.groups.keys-matrix-registrations.name
];
serviceConfig.SupplementaryGroups = [ config.users.groups.keys-matrix-registrations.name ];
};
@ -56,16 +29,11 @@ in
relay.whitelist = [ ".*" ];
selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
};
services.mx-puppet-discord.serviceDependencies = [
"matrix-synapse.target"
"nginx.service"
];
services.mx-puppet-discord.serviceDependencies = [ "matrix-synapse.target" "nginx.service" ];
services.matrix-synapse-next.settings = {
app_service_config_files = [
config.sops.templates."discord-registration.yaml".path
];
app_service_config_files = [ config.sops.secrets."matrix/registrations/mx-puppet-discord".path ];
use_appservice_legacy_authorization = true;
};

@ -1,135 +0,0 @@
{ config, lib, fp, unstablePkgs, inputs, ... }:
let
cfg = config.services.matrix-hookshot;
webhookListenAddress = "127.0.0.1";
webhookListenPort = 8435;
in
{
sops.secrets."matrix/hookshot/as_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/as_token";
};
sops.secrets."matrix/hookshot/hs_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/hs_token";
};
sops.templates."hookshot-registration.yaml" = {
owner = config.users.users.matrix-synapse.name;
group = config.users.groups.keys-matrix-registrations.name;
content = ''
id: matrix-hookshot
as_token: "${config.sops.placeholder."matrix/hookshot/as_token"}"
hs_token: "${config.sops.placeholder."matrix/hookshot/hs_token"}"
namespaces:
rooms: []
users:
- regex: "@_webhooks_.*:pvv.ntnu.no"
exclusive: true
- regex: "@bot_feeds:pvv.ntnu.no"
exclusive: true
aliases: []
sender_localpart: hookshot
url: "http://${cfg.settings.bridge.bindAddress}:${toString cfg.settings.bridge.port}"
rate_limited: false
# If enabling encryption
de.sorunome.msc2409.push_ephemeral: true
push_ephemeral: true
org.matrix.msc3202: true
'';
};
systemd.services.matrix-hookshot = {
serviceConfig.SupplementaryGroups = [
config.users.groups.keys-matrix-registrations.name
];
};
services.matrix-hookshot = {
enable = true;
package = unstablePkgs.matrix-hookshot;
registrationFile = config.sops.templates."hookshot-registration.yaml".path;
settings = {
bridge = {
bindAddress = "127.0.0.1";
domain = "pvv.ntnu.no";
url = "https://matrix.pvv.ntnu.no";
mediaUrl = "https://matrix.pvv.ntnu.no";
port = 9993;
};
listeners = [
{
bindAddress = webhookListenAddress;
port = webhookListenPort;
resources = [
"webhooks"
# "metrics"
# "provisioning"
"widgets"
];
}
];
generic = {
enabled = true;
outbound = true;
urlPrefix = "https://hookshot.pvv.ntnu.no/webhook/";
userIdPrefix = "_webhooks_";
allowJsTransformationFunctions = false;
waitForComplete = false;
};
feeds = {
enabled = true;
pollIntervalSeconds = 600;
};
serviceBots = [
{ localpart = "bot_feeds";
displayname = "Aya";
avatar = ./feeds.png;
prefix = "!aya";
service = "feeds";
}
];
permissions = [
# Users of the PVV Server
{ actor = "pvv.ntnu.no";
services = [ { service = "*"; level = "commands"; } ];
}
# Members of Medlem space (for people with their own hs)
{ actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
services = [ { service = "*"; level = "commands"; } ];
}
# Members of Drift
{ actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
services = [ { service = "*"; level = "admin"; } ];
}
# Dan bootstrap
{ actor = "@dandellion:dodsorf.as";
services = [ { service = "*"; level = "admin"; } ];
}
];
};
};
services.matrix-hookshot.serviceDependencies = [
"matrix-synapse.target"
"nginx.service"
];
services.matrix-synapse-next.settings = {
app_service_config_files = [
config.sops.templates."hookshot-registration.yaml".path
];
};
services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
enableACME = true;
locations."/" = {
proxyPass = "http://${webhookListenAddress}:${toString webhookListenPort}";
};
};
}

Binary file not shown.

Before

(image error) Size: 1.1 MiB

@ -1,8 +1,8 @@
{ config, lib, fp, ... }:
{ config, lib, ... }:
{
sops.secrets."matrix/mjolnir/access_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "mjolnir/access_token";
owner = config.users.users.mjolnir.name;
group = config.users.users.mjolnir.group;
@ -11,7 +11,7 @@
services.mjolnir = {
enable = true;
pantalaimon.enable = false;
homeserverUrl = "https://matrix.pvv.ntnu.no";
homeserverUrl = "http://127.0.0.1:8008";
accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
protectedRooms = map (a: "https://matrix.to/#/${a}") [

@ -1,4 +1,4 @@
{ config, lib, fp, pkgs, values, inputs, ... }:
{ config, lib, pkgs, values, inputs, ... }:
let
cfg = config.services.matrix-synapse-next;
@ -10,18 +10,23 @@ let
in {
sops.secrets."matrix/synapse/signing_key" = {
key = "synapse/signing_key";
sopsFile = fp /secrets/bicep/matrix.yaml;
sopsFile = ../../../../secrets/bicep/matrix.yaml;
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
};
sops.secrets."matrix/synapse/user_registration" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "synapse/signing_key";
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
};
sops.secrets."matrix/sliding-sync/env" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "sliding-sync/env";
};
services.matrix-synapse-next = {
enable = true;
@ -38,6 +43,8 @@ in {
workers.eventPersisters = 2;
workers.useUserDirectoryWorker = true;
enableSlidingSync = true;
enableNginx = true;
settings = {
@ -130,6 +137,9 @@ in {
};
};
services.matrix-synapse.sliding-sync.environmentFile = config.sops.secrets."matrix/sliding-sync/env".path;
services.redis.servers."".enable = true;
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
@ -147,18 +157,6 @@ in {
'';
};
}
{
locations."/_synapse/admin" = {
proxyPass = "http://$synapse_backend";
extraConfig = ''
allow 127.0.0.1;
allow ::1;
allow ${values.hosts.bicep.ipv4};
allow ${values.hosts.bicep.ipv6};
deny all;
'';
};
}
{
locations = let
connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
@ -172,6 +170,8 @@ in {
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
allow ${values.hosts.ildkule.ipv4_global};
allow ${values.hosts.ildkule.ipv6_global};
deny all;
'';
})
@ -183,6 +183,8 @@ in {
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
allow ${values.hosts.ildkule.ipv4_global};
allow ${values.hosts.ildkule.ipv6_global};
deny all;
'';
};

@ -1,4 +1,7 @@
{ config, pkgs, ... }:
let
sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
in
{
services.postgresql = {
enable = true;
@ -76,16 +79,12 @@
systemd.services.postgresql.serviceConfig = {
LoadCredential = [
"cert:/etc/certs/postgres.crt"
"key:/etc/certs/postgres.key"
"cert:${sslCert.directory}/cert.pem"
"key:${sslCert.directory}/key.pem"
];
};
environment.snakeoil-certs."/etc/certs/postgres" = {
owner = "postgres";
group = "postgres";
subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
};
users.groups.acme.members = [ "postgres" ];
networking.firewall.allowedTCPPorts = [ 5432 ];
networking.firewall.allowedUDPPorts = [ 5432 ];

@ -1,16 +1,16 @@
{ config, fp, pkgs, values, ... }:
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
../../base.nix
../../misc/metrics-exporters.nix
./disks.nix
(fp /misc/builder.nix)
../../misc/builder.nix
];
sops.defaultSopsFile = fp /secrets/bob/bob.yaml;
sops.defaultSopsFile = ../../secrets/bob/bob.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;

@ -1,10 +1,10 @@
{ config, fp, pkgs, values, ... }:
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
../../base.nix
../../misc/metrics-exporters.nix
./services/grzegorz.nix
];

@ -1,6 +1,6 @@
{ config, fp, ... }:
{ config, ... }:
{
imports = [ (fp /modules/grzegorz.nix) ];
imports = [ ../../../modules/grzegorz.nix ];
services.nginx.virtualHosts."${config.networking.fqdn}" = {
serverAliases = [

@ -0,0 +1,38 @@
{ config, pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./services/libvirt.nix
];
# buskerud does not support efi?
# boot.loader.systemd-boot.enable = true;
# boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sdb";
networking.hostName = "buskerud";
networking.search = [ "pvv.ntnu.no" "pvv.org" ];
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
networking.tempAddresses = "disabled";
systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp3s0f0";
address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

@ -0,0 +1,37 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/ed9654fe-575a-4fb3-b6ff-1b059479acff";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp14s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp14s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

@ -0,0 +1,10 @@
{ config, pkgs, lib, ... }:
{
virtualisation.libvirtd.enable = true;
programs.dconf.enable = true;
boot.kernelModules = [ "kvm-intel" ];
# On a gui-enabled machine, connect with:
# $ virt-manager --connect "qemu+ssh://buskerud/system?socket=/var/run/libvirt/libvirt-sock"
}

@ -1,12 +1,12 @@
{ config, fp, pkgs, values, ... }:
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
../../base.nix
../../misc/metrics-exporters.nix
(fp /modules/grzegorz.nix)
../../modules/grzegorz.nix
];
boot.loader.systemd-boot.enable = true;

@ -1,16 +1,16 @@
{ config, fp, pkgs, lib, values, ... }:
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
../../base.nix
../../misc/metrics-exporters.nix
./services/monitoring
./services/nginx
];
sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
sops.defaultSopsFile = ../../secrets/ildkule/ildkule.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
@ -19,37 +19,33 @@
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
# Openstack Neutron and systemd-networkd are not best friends, use something else:
systemd.network.enable = lib.mkForce false;
networking = let
hostConf = values.hosts.ildkule;
in {
hostName = "ildkule";
tempAddresses = "disabled";
useDHCP = lib.mkForce true;
networking.hostName = "ildkule"; # Define your hostname.
search = values.defaultNetworkConfig.domains;
nameservers = values.defaultNetworkConfig.dns;
defaultGateway.address = hostConf.ipv4_internal_gw;
# Main connection, using the global/floatig IP, for communications with the world
systemd.network.networks."30-ntnu-global" = values.openstackGlobalNetworkConfig // {
matchConfig.Name = "ens4";
interfaces."ens4" = {
ipv4.addresses = [
{ address = hostConf.ipv4; prefixLength = 32; }
{ address = hostConf.ipv4_internal; prefixLength = 24; }
];
ipv6.addresses = [
{ address = hostConf.ipv6; prefixLength = 64; }
];
};
# Add the global addresses in addition to the local address learned from DHCP
addresses = [
{ addressConfig.Address = "${values.hosts.ildkule.ipv4_global}/32"; }
{ addressConfig.Address = "${values.hosts.ildkule.ipv6_global}/128"; }
];
};
# Secondary connection only for use within the university network
systemd.network.networks."40-ntnu-internal" = values.openstackLocalNetworkConfig // {
matchConfig.Name = "ens3";
# Add the ntnu-internal addresses in addition to the local address learned from DHCP
addresses = [
{ addressConfig.Address = "${values.hosts.ildkule.ipv4}/32"; }
{ addressConfig.Address = "${values.hosts.ildkule.ipv6}/128"; }
];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# No devices with SMART
services.smartd.enable = false;
system.stateVersion = "23.11"; # Did you read the comment?
}

@ -3,14 +3,7 @@
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
fsType = "ext4";
};
fileSystems."/data" = {
device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
fsType = "ext4";
};
fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
networking.useDHCP = lib.mkDefault true;
}

File diff suppressed because it is too large Load Diff

@ -56,12 +56,13 @@ in {
url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
options.path = dashboards/synapse.json;
}
{
name = "MySQL";
type = "file";
url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
options.path = dashboards/mysql.json;
}
# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
# {
# name = "MySQL";
# type = "file";
# url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
# options.path = dashboards/mysql.json;
# }
{
name = "Postgresql";
type = "file";
@ -74,12 +75,6 @@ in {
url = "https://grafana.com/api/dashboards/240/revisions/3/download";
options.path = dashboards/go-processes.json;
}
{
name = "Gitea Dashboard";
type = "file";
url = "https://grafana.com/api/dashboards/17802/revisions/3/download";
options.path = dashboards/gitea-dashboard.json;
}
];
};

@ -2,7 +2,6 @@
let
cfg = config.services.loki;
stateDir = "/data/monitoring/loki";
in {
services.loki = {
enable = true;
@ -17,7 +16,7 @@ in {
ingester = {
wal = {
enabled = true;
dir = "${stateDir}/wal";
dir = "/var/lib/loki/wal";
};
lifecycler = {
address = "127.0.0.1";
@ -49,12 +48,12 @@ in {
storage_config = {
boltdb_shipper = {
active_index_directory = "${stateDir}/boltdb-shipper-index";
cache_location = "${stateDir}/boltdb-shipper-cache";
active_index_directory = "/var/lib/loki/boltdb-shipper-index";
cache_location = "/var/lib/loki/boltdb-shipper-cache";
cache_ttl = "24h";
};
filesystem = {
directory = "${stateDir}/chunks";
directory = "/var/lib/loki/chunks";
};
};
@ -65,14 +64,14 @@ in {
};
compactor = {
working_directory = "${stateDir}/compactor";
working_directory = "/var/lib/loki/compactor";
};
# ruler = {
# storage = {
# type = "local";
# local = {
# directory = "${stateDir}/rules";
# directory = "/var/lib/loki/rules";
# };
# };
# rule_path = "/etc/loki/rules";

@ -1,25 +1,18 @@
{ config, ... }: let
stateDir = "/data/monitoring/prometheus";
in {
{ config, ... }: {
imports = [
./gitea.nix
./gogs.nix
./matrix-synapse.nix
./mysqld.nix
# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
# ./mysqld.nix
./node.nix
./postgres.nix
./machines.nix
];
services.prometheus = {
enable = true;
listenAddress = "127.0.0.1";
port = 9001;
ruleFiles = [ rules/synapse-v2.rules ];
};
fileSystems."/var/lib/prometheus2" = {
device = stateDir;
options = [ "bind" ];
};
}

@ -1,16 +0,0 @@
{ ... }:
{
services.prometheus.scrapeConfigs = [{
job_name = "gitea";
scrape_interval = "60s";
scheme = "https";
static_configs = [
{
targets = [
"git.pvv.ntnu.no:443"
];
}
];
}];
}

@ -0,0 +1,16 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "git-gogs";
scheme = "https";
metrics_path = "/-/metrics";
static_configs = [
{
targets = [
"essendrop.pvv.ntnu.no:443"
];
}
];
}];
}

@ -1,66 +0,0 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "base_info";
static_configs = [
{ labels.hostname = "ildkule";
targets = [
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
"ildkule.pvv.ntnu.no:${toString cfg.exporters.systemd.port}"
];
}
{ labels.hostname = "bekkalokk";
targets = [
"bekkalokk.pvv.ntnu.no:9100"
"bekkalokk.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "kommode";
targets = [
"kommode.pvv.ntnu.no:9100"
"kommode.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "bicep";
targets = [
"bicep.pvv.ntnu.no:9100"
"bicep.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "brzeczyszczykiewicz";
targets = [
"brzeczyszczykiewicz.pvv.ntnu.no:9100"
"brzeczyszczykiewicz.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "georg";
targets = [
"georg.pvv.ntnu.no:9100"
"georg.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "ustetind";
targets = [
"ustetind.pvv.ntnu.no:9100"
"ustetind.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "hildring";
targets = [
"hildring.pvv.ntnu.no:9100"
];
}
{ labels.hostname = "isvegg";
targets = [
"isvegg.pvv.ntnu.no:9100"
];
}
{ labels.hostname = "microbel";
targets = [
"microbel.pvv.ntnu.no:9100"
];
}
];
}];
}

@ -1,22 +1,7 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
sops = {
secrets."config/mysqld_exporter_password" = { };
templates."mysqld_exporter.conf" = {
restartUnits = [ "prometheus-mysqld-exporter.service" ];
content = let
inherit (config.sops) placeholder;
in ''
[client]
host = bicep.pvv.ntnu.no
port = 3306
user = prometheus_mysqld_exporter
password = ${placeholder."config/mysqld_exporter_password"}
'';
};
};
sops.secrets."config/mysqld_exporter" = { };
services.prometheus = {
scrapeConfigs = [{
@ -34,7 +19,7 @@ in {
exporters.mysqld = {
enable = true;
configFile = config.sops.templates."mysqld_exporter.conf".path;
configFilePath = config.sops.secrets."config/mysqld_exporter".path;
};
};
}

@ -0,0 +1,22 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "node";
static_configs = [
{
targets = [
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
"microbel.pvv.ntnu.no:9100"
"isvegg.pvv.ntnu.no:9100"
"knakelibrak.pvv.ntnu.no:9100"
"hildring.pvv.ntnu.no:9100"
"bicep.pvv.ntnu.no:9100"
"essendrop.pvv.ntnu.no:9100"
"andresbu.pvv.ntnu.no:9100"
"bekkalokk.pvv.ntnu.no:9100"
];
}
];
}];
}

@ -2,7 +2,6 @@
let
cfg = config.services.uptime-kuma;
domain = "status.pvv.ntnu.no";
stateDir = "/data/monitoring/uptime-kuma";
in {
services.uptime-kuma = {
enable = true;
@ -18,9 +17,4 @@ in {
kTLS = true;
locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
};
fileSystems."/var/lib/uptime-kuma" = {
device = stateDir;
options = [ "bind" ];
};
}

@ -1,34 +0,0 @@
{ pkgs, values, fp, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/gitea
./services/nginx.nix
];
sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "kommode"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
services.btrfs.autoScrub.enable = true;
environment.systemPackages = with pkgs; [];
system.stateVersion = "24.11";
}

@ -1,39 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/86CD-4C23";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

@ -1,52 +0,0 @@
{ config, pkgs, lib, fp, ... }:
let
cfg = config.services.gitea;
in
{
services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
systemd.services.gitea-customization = lib.mkIf cfg.enable {
description = "Install extra customization in gitea's CUSTOM_DIR";
wantedBy = [ "gitea.service" ];
requiredBy = [ "gitea.service" ];
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
};
script = let
logo-svg = fp /assets/logo_blue_regular.svg;
logo-png = fp /assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
labels = lib.importJSON ./labels/projects.json;
};
customTemplates = pkgs.runCommandLocal "gitea-templates" {
nativeBuildInputs = with pkgs; [
coreutils
gnused
];
} ''
# Bigger icons
install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
sed -i -e 's/24/48/g' "$out/repo/icon.tmpl"
'';
in ''
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
'';
};
}

@ -1,116 +0,0 @@
[
{
"name": "art",
"exclusive": false,
"color": "#006b75",
"description": "Requires some creativity"
},
{
"name": "big",
"exclusive": false,
"color": "#754bc4",
"description": "This is gonna take a while"
},
{
"name": "blocked",
"exclusive": false,
"color": "#850021",
"description": "This issue/PR depends on one or more other issues/PRs"
},
{
"name": "bug",
"exclusive": false,
"color": "#f05048",
"description": "Something brokey"
},
{
"name": "ci-cd",
"exclusive": false,
"color": "#d1ff78",
"description": "Continuous integrals and continuous derivation"
},
{
"name": "crash report",
"exclusive": false,
"color": "#ed1111",
"description": "Report an oopsie"
},
{
"name": "disputed",
"exclusive": false,
"color": "#5319e7",
"description": "Kranglefanter"
},
{
"name": "documentation",
"exclusive": false,
"color": "#fbca04",
"description": "Documentation changes required"
},
{
"name": "duplicate",
"exclusive": false,
"color": "#cccccc",
"description": "This issue or pull request already exists"
},
{
"name": "feature request",
"exclusive": false,
"color": "#0052cc",
"description": ""
},
{
"name": "good first issue",
"exclusive": false,
"color": "#009800",
"description": "Get your hands dirty with a new project here"
},
{
"name": "me gusta",
"exclusive": false,
"color": "#30ff36",
"description": "( ͡° ͜ʖ ͡°)"
},
{
"name": "packaging",
"exclusive": false,
"color": "#bf642b",
"description": ""
},
{
"name": "question",
"exclusive": false,
"color": "#cc317c",
"description": ""
},
{
"name": "security",
"exclusive": false,
"color": "#ed1111",
"description": "Skommel"
},
{
"name": "techdebt spring cleaning",
"exclusive": false,
"color": "#8c6217",
"description": "The code is smelly 👃"
},
{
"name": "testing",
"exclusive": false,
"color": "#52b373",
"description": "Poke it and see if it explodes"
},
{
"name": "ui/ux",
"exclusive": false,
"color": "#f28852",
"description": "User complaints about ergonomics and economics and whatever"
},
{
"name": "wontfix",
"exclusive": false,
"color": "#ffffff",
"description": "Nei, vil ikke"
}
]

@ -1,38 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.gitea;
GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
in
{
sops.secrets."gitea/gpg-signing-key" = {
owner = cfg.user;
inherit (cfg) group;
};
systemd.services.gitea.environment = { inherit GNUPGHOME; };
systemd.tmpfiles.settings."20-gitea-gnugpg".${GNUPGHOME}.d = {
inherit (cfg) user group;
mode = "700";
};
systemd.services.gitea-ensure-gnupg-homedir = {
description = "Import gpg key for gitea";
environment = { inherit GNUPGHOME; };
serviceConfig = {
Type = "oneshot";
User = cfg.user;
PrivateNetwork = true;
};
script = ''
${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key".path}
'';
};
services.gitea.settings."repository.signing" = {
SIGNING_KEY = "0549C43374D2253C";
SIGNING_NAME = "PVV Git";
SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
INITIAL_COMMIT = "always";
};
}

@ -1,199 +0,0 @@
import requests
import secrets
import os
EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
if EMAIL_DOMAIN is None:
EMAIL_DOMAIN = 'pvv.ntnu.no'
API_TOKEN = os.getenv('API_TOKEN')
if API_TOKEN is None:
raise Exception('API_TOKEN not set')
GITEA_API_URL = os.getenv('GITEA_API_URL')
if GITEA_API_URL is None:
GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
r = requests.get(
GITEA_API_URL + '/admin/users',
headers={'Authorization': 'token ' + API_TOKEN}
)
if r.status_code != 200:
print('Failed to get users:', r.text)
return None
return {user['login']: user for user in r.json()}
def gitea_create_user(username: str, userdata: dict[str, any]) -> bool:
r = requests.post(
GITEA_API_URL + '/admin/users',
json=userdata,
headers={'Authorization': 'token ' + API_TOKEN},
)
if r.status_code != 201:
print(f'ERR: Failed to create user {username}:', r.text)
return False
return True
def gitea_edit_user(username: str, userdata: dict[str, any]) -> bool:
r = requests.patch(
GITEA_API_URL + f'/admin/users/{username}',
json=userdata,
headers={'Authorization': 'token ' + API_TOKEN},
)
if r.status_code != 200:
print(f'ERR: Failed to update user {username}:', r.text)
return False
return True
def gitea_list_teams_for_organization(org: str) -> dict[str, any] | None:
r = requests.get(
GITEA_API_URL + f'/orgs/{org}/teams',
headers={'Authorization': 'token ' + API_TOKEN},
)
if r.status_code != 200:
print(f"ERR: Failed to list teams for {org}:", r.text)
return None
return {team['name']: team for team in r.json()}
def gitea_add_user_to_organization_team(username: str, team_id: int) -> bool:
r = requests.put(
GITEA_API_URL + f'/teams/{team_id}/members/{username}',
headers={'Authorization': 'token ' + API_TOKEN},
)
if r.status_code != 204:
print(f'ERR: Failed to add user {username} to org team {team_id}:', r.text)
return False
return True
# If a passwd user has one of the following shells,
# it is most likely not a PVV user, but rather a system user.
# Users with these shells should thus be ignored.
BANNED_SHELLS = [
"/usr/bin/nologin",
"/usr/sbin/nologin",
"/sbin/nologin",
"/bin/false",
"/bin/msgsh",
]
# Reads out a passwd-file line for line, and filters out
# real PVV users (as opposed to system users meant for daemons and such)
def passwd_file_parser(passwd_path):
with open(passwd_path, 'r') as f:
for line in f.readlines():
uid = int(line.split(':')[2])
if uid < 1000:
continue
shell = line.split(':')[-1]
if shell in BANNED_SHELLS:
continue
username = line.split(':')[0]
name = line.split(':')[4].split(',')[0]
yield (username, name)
# This function either creates a new user in gitea
# and fills it out with some default information if
# it does not exist, or ensures that the default information
# is correct if the user already exists. All user information
# (including non-default fields) is pulled from gitea and added
# to the `existing_users` dict
def add_or_patch_gitea_user(
username: str,
name: str,
existing_users: dict[str, dict[str, any]],
) -> None:
user = {
"full_name": name,
"username": username,
"login_name": username,
"source_id": 1, # 1 = SMTP
}
if username not in existing_users:
user["password"] = secrets.token_urlsafe(32)
user["must_change_password"] = False
user["visibility"] = "private"
user["email"] = username + '@' + EMAIL_DOMAIN
if not gitea_create_user(username, user):
return
print('Created user', username)
existing_users[username] = user
else:
user["visibility"] = existing_users[username]["visibility"]
if not gitea_edit_user(username, user):
return
print('Updated user', username)
# This function adds a user to a gitea team (part of organization)
# if the user is not already part of said team.
def ensure_gitea_user_is_part_of_team(
username: str,
org: str,
team_name: str,
) -> None:
teams = gitea_list_teams_for_organization(org)
if teams is None:
return
if team_name not in teams:
print(f'ERR: could not find team "{team_name}" in organization "{org}"')
gitea_add_user_to_organization_team(username, teams[team_name]['id'])
print(f'User {username} is now part of {org}/{team_name}')
# List of teams that all users should be part of by default
COMMON_USER_TEAMS = [
("Projects", "Members"),
("Grzegorz", "Members"),
("Kurs", "Members"),
]
def main():
existing_users = gitea_list_all_users()
if existing_users is None:
exit(1)
for username, name in passwd_file_parser("/tmp/passwd-import"):
print(f"Processing {username}")
add_or_patch_gitea_user(username, name, existing_users)
for org, team_name in COMMON_USER_TEAMS:
ensure_gitea_user_is_part_of_team(username, org, team_name)
print()
if __name__ == '__main__':
main()

@ -1,117 +0,0 @@
{ config, pkgs, lib, ... }:
let
organizations = [
"Drift"
"Projects"
"Grzegorz"
"Kurs"
];
giteaCfg = config.services.gitea;
giteaWebSecretProviderScript = pkgs.writers.writePython3 "gitea-web-secret-provider" {
libraries = with pkgs.python3Packages; [ requests ];
flakeIgnore = [
"E501" # Line over 80 chars lol
"E201" # "whitespace after {"
"E202" # "whitespace after }"
"E251" # unexpected spaces around keyword / parameter equals
"W391" # Newline at end of file
];
makeWrapperArgs = [
"--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}"
];
} (builtins.readFile ./gitea-web-secret-provider.py);
in
{
users.groups."gitea-web" = { };
users.users."gitea-web" = {
group = "gitea-web";
isSystemUser = true;
shell = pkgs.bash;
};
sops.secrets."gitea/web-secret-provider/token" = {
owner = "gitea-web";
group = "gitea-web";
restartUnits = [
"gitea-web-secret-provider@"
] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
};
systemd.slices.system-giteaweb = {
description = "Gitea web directories";
};
# https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers
# %i - instance name (after the @)
# %d - secrets directory
systemd.services."gitea-web-secret-provider@" = {
description = "Ensure all repos in %i has an SSH key to push web content";
requires = [ "gitea.service" "network.target" ];
serviceConfig = {
Slice = "system-giteaweb.slice";
Type = "oneshot";
ExecStart = let
args = lib.cli.toGNUCommandLineShell { } {
org = "%i";
token-path = "%d/token";
api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
key-dir = "/var/lib/gitea-web/keys/%i";
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
mkdir -p "$1"
${lib.getExe pkgs.rrsync} -wo "$1"
${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
'';
web-dir = "/var/lib/gitea-web/web";
};
in "${giteaWebSecretProviderScript} ${args}";
User = "gitea-web";
Group = "gitea-web";
StateDirectory = "gitea-web";
StateDirectoryMode = "0750";
LoadCredential = [
"token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
];
NoNewPrivileges = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectSystem = true;
ProtectHome = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictRealtime = true;
RestrictSUIDSGID = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
};
};
systemd.timers."gitea-web-secret-provider@" = {
description = "Ensure all repos in %i has an SSH key to push web content";
timerConfig = {
RandomizedDelaySec = "1h";
Persistent = true;
Unit = "gitea-web-secret-provider@%i.service";
OnCalendar = "daily";
};
};
systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
users.users.nginx.extraGroups = [ "gitea-web" ];
services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
kTLS = true;
forceSSL = true;
enableACME = true;
root = "/var/lib/gitea-web/web";
};
}

@ -1,126 +0,0 @@
import argparse
import hashlib
import os
import requests
import subprocess
from pathlib import Path
def parse_args():
parser = argparse.ArgumentParser(description="Generate SSH keys for Gitea repositories and add them as secrets")
parser.add_argument("--org", required=True, type=str, help="The organization to generate keys for")
parser.add_argument("--token-path", metavar='PATH', required=True, type=Path, help="Path to a file containing the Gitea API token")
parser.add_argument("--api-url", metavar='URL', type=str, help="The URL of the Gitea API", default="https://git.pvv.ntnu.no/api/v1")
parser.add_argument("--key-dir", metavar='PATH', type=Path, help="The directory to store the generated keys in", default="/run/gitea-web-secret-provider")
parser.add_argument("--authorized-keys-path", metavar='PATH', type=Path, help="The path to the resulting authorized_keys file", default="/etc/ssh/authorized_keys.d/gitea-web-secret-provider")
parser.add_argument("--rrsync-script", metavar='PATH', type=Path, help="The path to a rrsync script, taking the destination path as its single argument")
parser.add_argument("--web-dir", metavar='PATH', type=Path, help="The directory to sync the repositories to", default="/var/www")
parser.add_argument("--force", action="store_true", help="Overwrite existing keys")
return parser.parse_args()
def add_secret(args: argparse.Namespace, token: str, repo: str, name: str, secret: str):
result = requests.put(
f"{args.api_url}/repos/{args.org}/{repo}/actions/secrets/{name}",
json = { 'data': secret },
headers = { 'Authorization': 'token ' + token },
)
if result.status_code not in (201, 204):
raise Exception(f"Failed to add secret: {result.json()}")
def get_org_repo_list(args: argparse.Namespace, token: str):
result = requests.get(
f"{args.api_url}/orgs/{args.org}/repos",
headers = { 'Authorization': 'token ' + token },
)
results = [repo["name"] for repo in result.json()]
target = int(result.headers['X-Total-Count'])
i = 2
while len(results) < target:
result = requests.get(
f"{args.api_url}/orgs/{args.org}/repos",
params = { 'page': i },
headers = { 'Authorization': 'token ' + token },
)
results += [repo["name"] for repo in result.json()]
i += 1
return results
def generate_ssh_key(args: argparse.Namespace, repository: str):
keyname = hashlib.sha256(args.org.encode() + repository.encode()).hexdigest()
key_path = args.key_dir / keyname
if not key_path.is_file() or args.force:
subprocess.run(
[
"ssh-keygen",
*("-t", "ed25519"),
*("-f", key_path),
*("-N", ""),
*("-C", f"{args.org}/{repository}"),
],
check=True,
stdin=subprocess.DEVNULL,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
)
print(f"Generated SSH key for `{args.org}/{repository}`")
with open(key_path, "r") as f:
private_key = f.read()
pub_key_path = args.key_dir / (keyname + '.pub')
with open(pub_key_path, "r") as f:
public_key = f.read()
return private_key, public_key
SSH_OPTS = ",".join([
"restrict",
"no-agent-forwarding",
"no-port-forwarding",
"no-pty",
"no-X11-forwarding",
])
def generate_authorized_keys(args: argparse.Namespace, repo_public_keys: list[tuple[str, str]]):
lines = []
for repo, public_key in repo_public_keys:
command = f"{args.rrsync_script} {args.web_dir}/{args.org}/{repo}"
lines.append(f'command="{command}",{SSH_OPTS} {public_key}')
with open(args.authorized_keys_path, "w") as f:
f.writelines(lines)
def main():
args = parse_args()
with open(args.token_path, "r") as f:
token = f.read().strip()
os.makedirs(args.key_dir, 0o700, exist_ok=True)
os.makedirs(args.authorized_keys_path.parent, 0o700, exist_ok=True)
repos = get_org_repo_list(args, token)
print(f'Found {len(repos)} repositories in `{args.org}`')
repo_public_keys = []
for repo in repos:
print(f"Locating key for `{args.org}/{repo}`")
private_key, public_key = generate_ssh_key(args, repo)
add_secret(args, token, repo, "WEB_SYNC_SSH_KEY", private_key)
repo_public_keys.append((repo, public_key))
generate_authorized_keys(args, repo_public_keys)
print(f"Wrote authorized_keys file to `{args.authorized_keys_path}`")
if __name__ == "__main__":
main()

@ -1,4 +0,0 @@
{ ... }:
{
services.nginx.enable = true;
}

@ -1,13 +1,13 @@
{ config, fp, pkgs, values, ... }:
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
../../base.nix
../../misc/metrics-exporters.nix
];
sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
sops.defaultSopsFile = ../../secrets/shark/shark.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;

@ -1,44 +0,0 @@
{ config, fp, pkgs, lib, values, ... }:
{
imports = [
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/gitea-runners.nix
];
sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
networking.hostName = "ustetind";
networking.useHostResolvConf = lib.mkForce false;
systemd.network.networks = {
"30-lxc-eth" = values.defaultNetworkConfig // {
matchConfig = {
Type = "ether";
Kind = "veth";
Name = [
"eth*"
];
};
address = with values.hosts.ustetind; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
"40-podman-veth" = values.defaultNetworkConfig // {
matchConfig = {
Type = "ether";
Kind = "veth";
Name = [
"veth*"
];
};
DHCP = "yes";
};
};
system.stateVersion = "24.11";
}

@ -1,39 +0,0 @@
{ config, fp, pkgs, values, lib, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
(fp /misc/builder.nix)
];
sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "wenche"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
hardware.graphics.enable = true;
services.xserver.videoDrivers = [ "nvidia" ];
hardware.nvidia = {
modesetting.enable = true;
open = false;
package = config.boot.kernelPackages.nvidiaPackages.production;
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
system.stateVersion = "24.11"; # Did you read the comment?
}

@ -1,27 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "nvidia" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4e8ecdd2-d453-4fff-b952-f06da00f3b85";
fsType = "ext4";
};
swapDevices = [ {
device = "/var/lib/swapfile";
size = 16*1024;
} ];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

@ -18,7 +18,7 @@ run-vm machine=`just _a_machine`:
nix eval .#inputs --apply builtins.attrNames --json \
| jq '.[]' -r \
| gum choose --no-limit --height=15 \
| xargs -L 1 nix flake lock --update-input
| xargs nix flake update --commit-lock-file
_a_machine:

@ -8,47 +8,34 @@ FgIDAQACHgECF4AACgkQRrkijoFKKqxIlQD9F0EedrFpHAVuaVas9ZWRZb4xv3zM
N3g0IDxoN3g0QG5hbmkud3RmPoiTBBMWCgA7AhsBBQsJCAcDBRUKCQgLBRYCAwEA
Ah4BAheAFiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmL7l8ACGQEACgkQRrkijoFK
KqxI4wD9EIGpb3Gt5s5e8waH7XaLSlquOrW1RID3sSuzWI4DvikBAMncfBbtkpzH
EYU2Ufm8VxzgJDnyeB+lcdeSJXWaIwYLiJAEExYKADgWIQT303iQIoqQdEDh/UhG
uSKOgUoqrAUCYuaF5AIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBGuSKO
gUoqrKWiAQC1yFpodz5PGsZbFgihEA0UQ5jcoXBojoAlVRgmkwm41gEA782rsvyl
87ExoluDD3eV/Z5ILp7Ex6JeaE3JUix8Sgi0Jmg3eDQgKGFsdGVybmF0aXZlKSA8
aDd4NC5hbHRAbmFuaS53dGY+iJAEExYKADgWIQT303iQIoqQdEDh/UhGuSKOgUoq
rAUCYvuPSgIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBGuSKOgUoqrK3L
AP4h0cjFuNFwMQlg6oVfWvjCvKZO+ePP+SnTNRKvKbAxSgEA/yG48r9im6M0Xr9z
DAHcDlbClaONX4X+6rZ6OoU6hw24MwRi5oZHFgkrBgEEAdpHDwEBB0CyZzQZNAiz
OmSMNjCBK3rMjzU/b6T1a8GDogQhKfK5VYj1BBgWCgAmFiEE99N4kCKKkHRA4f1I
RrkijoFKKqwFAmLmhkcCGwIFCQPCZwAAgQkQRrkijoFKKqx2IAQZFgoAHRYhBPPN
qGzFWp8Q16BpgZ8vfYJQ81FGBQJi5oZHAAoJEJ8vfYJQ81FGFZgBALN+Rh4m323T
aM5zdJfCTV7V0aP3J0RdKmtKvz/Y9a7uAP4oP8UlbM9ucyG252gZ8IjM0VprNzP9
CpNl4GzpD4CRDu55AP9mpAyRoKt3yjYvTaHz1TpsXHLzqfJO6sYBRXH3YXyNTAEA
prtmn/S9HltHijnsLs1PEHmRua14XQBdL1HuzFID8ASI9QQYFgoAJgIbAhYhBPfT
eJAiipB0QOH9SEa5Io6BSiqsBQJmqp4CBQkFpUs7AIF2IAQZFgoAHRYhBPPNqGzF
Wp8Q16BpgZ8vfYJQ81FGBQJi5oZHAAoJEJ8vfYJQ81FGFZgBALN+Rh4m323TaM5z
dJfCTV7V0aP3J0RdKmtKvz/Y9a7uAP4oP8UlbM9ucyG252gZ8IjM0VprNzP9CpNl
4GzpD4CRDgkQRrkijoFKKqwYoQEAz0D3G/dD6DBYBf7p6pGYqXd2X0Dv8nmnalol
Z6SxfUMA/jT/XjPh7c4Ui8nZO7XDzYWrbV/eZwGMd1zXq2mU42MLuQINBGLmhnoB
EADa1yBK0NKxVIto3hSh21hooYpWcEXWqMPXHO34rcAhktVFOOHIl2bFGScQAZXt
jAcqUmMyC+PMs1DZoocFk+9PJt17hAa/s6CRrw8vK+1fVqhj0XOLtevGV9iC6IRv
hPxzTsOaeOssgMGIU8xDmMKT2nGHGNUkqOXGld63E3NKsK3lnl+BCdpJ0f3GEB7a
SQ+pk6k1uzODXX/mhAUJmL1MkVZ6jJA3vhsre0Kfa9p+C5mP4hLJ6jF+oESvA4HC
+LuCSGm66gIDMC39jnLo6hwYEEjfPXD7CUAN4S2eISSFd+ZclN2vYcrKYgsCZS0h
BFOgDhKKCHBuMwP12AIM8y8L64/eOWFpR7s2StAPjjYbZeZECHLWZt1zGVvkS7Xp
6lsAg6/T8EysKG7vTl2Qq9W0BmzNgk2ODTZkhv0gqqXppdr8eRiq+h0qMfJptG0G
ycOvqb9PoEO2dfNCjjII8VfaSGfSEYo8UwsqYTtfgdoNnFCXKd1r7QmvrdbNsFDR
mkv+wWJoipwUaVquyb2KN652jSlpwMECW6fSEsT/5C3mJLgAmi6l6yosw6HdIY6j
gpCGtxnHW2zReIS6ezZdtxYBCkEHK70yASyaIHrLLDknw+DuKvXAWOAecob8GNBH
OjXZe3LzBt2rVgOCRa+W7milNgjUCsz+R3rM8XfR+wNEGwARAQABiH4EGBYKACYW
IQT303iQIoqQdEDh/UhGuSKOgUoqrAUCYuaGegIbDAUJA8JnAAAKCRBGuSKOgUoq
rDE0AQDBxRsmW9L60mxGCp1CpNWBXD2T6D605PlNiNCcM+cOCgD/c2OitSSG50M0
YRbyh1LPYL6YQePL0dQkYsjm6XVmrAKIfgQYFgoAJgIbDBYhBPfTeJAiipB0QOH9
SEa5Io6BSiqsBQJmqp4FBQkFpUsIAAoJEEa5Io6BSiqsydsA/ihBulpSSLg4B9pJ
sffqphMht7yT3Dnz57iexUEgj3jBAQDedI+gwpZlMjV6IdH/Epz244j82Ta04cqk
SOz2Y63LBrgzBGLmhsUWCSsGAQQB2kcPAQEHQFg/avgj0sZbxqL58tZEpcaieeL1
OWOoVU3mZX/K7GU+iH4EGBYKACYWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCYuaG
xQIbIAUJA8JnAAAKCRBGuSKOgUoqrN5jAP96aO0MEPQSIKdLaa9+ilpPp+glJ9du
IJ7zdR0U15tONAEA0WqeRc8Jhv10UjIz/Q3UlcfvKPzVW6yVKo+Lg1FI2QSIfgQY
FgoAJgIbIBYhBPfTeJAiipB0QOH9SEa5Io6BSiqsBQJmqp4GBQkFpUq9AAoJEEa5
Io6BSiqsjF0BAJn0EBEJfszskYiZzMshFHW5k0QUF+Ak3JNh2UG+M6FJAQCQVY/l
DkrvOytuFnKbkDrCaTrtLh/JAmBXpSERIejmDw==
=7cFp
EYU2Ufm8VxzgJDnyeB+lcdeSJXWaIwYLtCZoN3g0IChhbHRlcm5hdGl2ZSkgPGg3
eDQuYWx0QG5hbmkud3RmPoiQBBMWCgA4FiEE99N4kCKKkHRA4f1IRrkijoFKKqwF
AmL7j0oCGwEFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQRrkijoFKKqytywD+
IdHIxbjRcDEJYOqFX1r4wrymTvnjz/kp0zUSrymwMUoBAP8huPK/YpujNF6/cwwB
3A5WwpWjjV+F/uq2ejqFOocNuDMEYuaGRxYJKwYBBAHaRw8BAQdAsmc0GTQIszpk
jDYwgSt6zI81P2+k9WvBg6IEISnyuVWI9QQYFgoAJhYhBPfTeJAiipB0QOH9SEa5
Io6BSiqsBQJi5oZHAhsCBQkDwmcAAIEJEEa5Io6BSiqsdiAEGRYKAB0WIQTzzahs
xVqfENegaYGfL32CUPNRRgUCYuaGRwAKCRCfL32CUPNRRhWYAQCzfkYeJt9t02jO
c3SXwk1e1dGj9ydEXSprSr8/2PWu7gD+KD/FJWzPbnMhtudoGfCIzNFaazcz/QqT
ZeBs6Q+AkQ7ueQD/ZqQMkaCrd8o2L02h89U6bFxy86nyTurGAUVx92F8jUwBAKa7
Zp/0vR5bR4o57C7NTxB5kbmteF0AXS9R7sxSA/AEuQINBGLmhnoBEADa1yBK0NKx
VIto3hSh21hooYpWcEXWqMPXHO34rcAhktVFOOHIl2bFGScQAZXtjAcqUmMyC+PM
s1DZoocFk+9PJt17hAa/s6CRrw8vK+1fVqhj0XOLtevGV9iC6IRvhPxzTsOaeOss
gMGIU8xDmMKT2nGHGNUkqOXGld63E3NKsK3lnl+BCdpJ0f3GEB7aSQ+pk6k1uzOD
XX/mhAUJmL1MkVZ6jJA3vhsre0Kfa9p+C5mP4hLJ6jF+oESvA4HC+LuCSGm66gID
MC39jnLo6hwYEEjfPXD7CUAN4S2eISSFd+ZclN2vYcrKYgsCZS0hBFOgDhKKCHBu
MwP12AIM8y8L64/eOWFpR7s2StAPjjYbZeZECHLWZt1zGVvkS7Xp6lsAg6/T8Eys
KG7vTl2Qq9W0BmzNgk2ODTZkhv0gqqXppdr8eRiq+h0qMfJptG0GycOvqb9PoEO2
dfNCjjII8VfaSGfSEYo8UwsqYTtfgdoNnFCXKd1r7QmvrdbNsFDRmkv+wWJoipwU
aVquyb2KN652jSlpwMECW6fSEsT/5C3mJLgAmi6l6yosw6HdIY6jgpCGtxnHW2zR
eIS6ezZdtxYBCkEHK70yASyaIHrLLDknw+DuKvXAWOAecob8GNBHOjXZe3LzBt2r
VgOCRa+W7milNgjUCsz+R3rM8XfR+wNEGwARAQABiH4EGBYKACYWIQT303iQIoqQ
dEDh/UhGuSKOgUoqrAUCYuaGegIbDAUJA8JnAAAKCRBGuSKOgUoqrDE0AQDBxRsm
W9L60mxGCp1CpNWBXD2T6D605PlNiNCcM+cOCgD/c2OitSSG50M0YRbyh1LPYL6Y
QePL0dQkYsjm6XVmrAK4MwRi5obFFgkrBgEEAdpHDwEBB0BYP2r4I9LGW8ai+fLW
RKXGonni9TljqFVN5mV/yuxlPoh+BBgWCgAmFiEE99N4kCKKkHRA4f1IRrkijoFK
KqwFAmLmhsUCGyAFCQPCZwAACgkQRrkijoFKKqzeYwD/emjtDBD0EiCnS2mvfopa
T6foJSfXbiCe83UdFNebTjQBANFqnkXPCYb9dFIyM/0N1JXH7yj81VuslSqPi4NR
SNkE
=oTMO
-----END PGP PUBLIC KEY BLOCK-----

@ -2,10 +2,4 @@
{
nix.settings.trusted-users = [ "@nix-builder-users" ];
nix.daemonCPUSchedPolicy = "batch";
boot.binfmt.emulatedSystems = [
"aarch64-linux"
"armv7l-linux"
];
}

@ -14,31 +14,13 @@
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
values.hosts.ildkule.ipv4_global
values.hosts.ildkule.ipv6_global
];
};
services.prometheus.exporters.systemd = {
enable = true;
port = 9101;
extraFlags = [
"--systemd.collector.enable-restart-count"
"--systemd.collector.enable-ip-accounting"
];
};
systemd.services.prometheus-systemd-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = [ 9100 9101 ];
networking.firewall.allowedTCPPorts = [ 9100 ];
services.promtail = {
enable = true;

@ -1,95 +1,59 @@
{config, lib, pkgs, ...}:
let
grg = config.services.greg-ng;
grg = config.services.grzegorz;
grgw = config.services.grzegorz-webui;
machine = config.networking.hostName;
in {
services.greg-ng = {
enable = true;
settings.host = "localhost";
settings.port = 31337;
enableSway = true;
enablePipewire = true;
services.pipewire.enable = true;
services.pipewire.alsa.enable = true;
services.pipewire.alsa.support32Bit = true;
services.pipewire.pulse.enable = true;
users.users.pvv = {
isNormalUser = true;
description = "pvv";
};
services.grzegorz-webui = {
enable = true;
listenAddr = "localhost";
listenPort = 42069;
listenWebsocketPort = 42042;
hostName = "${machine}-old.pvv.ntnu.no";
apiBase = "https://${machine}-backend.pvv.ntnu.no/api";
};
services.grzegorz.enable = true;
services.grzegorz.listenAddr = "localhost";
services.grzegorz.listenPort = 31337;
services.gergle = {
enable = true;
virtualHost = config.networking.fqdn;
};
services.grzegorz-webui.enable = true;
services.grzegorz-webui.listenAddr = "localhost";
services.grzegorz-webui.listenPort = 42069;
services.grzegorz-webui.listenWebsocketPort = 42042;
services.grzegorz-webui.hostName = "${config.networking.fqdn}";
services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
services.nginx.enable = true;
services.nginx.virtualHosts = {
${config.networking.fqdn} = {
forceSSL = true;
enableACME = true;
kTLS = true;
serverAliases = [
"${machine}.pvv.org"
];
extraConfig = ''
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
services.nginx.virtualHosts."${config.networking.fqdn}" = {
forceSSL = true;
enableACME = true;
kTLS = true;
serverAliases = [
"${config.networking.hostName}.pvv.org"
];
extraConfig = ''
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
locations."/" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenPort}";
};
"${machine}-backend.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
kTLS = true;
serverAliases = [
"${machine}-backend.pvv.org"
];
extraConfig = ''
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
locations."/" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
proxyWebsockets = true;
};
# https://github.com/rawpython/remi/issues/216
locations."/websocket" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenWebsocketPort}";
proxyWebsockets = true;
};
"${machine}-old.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
kTLS = true;
serverAliases = [
"${machine}-old.pvv.org"
];
extraConfig = ''
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
locations."/" = {
proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenPort}";
};
# https://github.com/rawpython/remi/issues/216
locations."/websocket" = {
proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenWebsocketPort}";
proxyWebsockets = true;
};
locations."/api" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
};
locations."/docs" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
};
locations."/api" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}";
};
locations."/docs" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}";
};
};
}

@ -1,116 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.environment.robots-txt;
robots-txt-format = {
type = let
coercedStrToNonEmptyListOfStr = lib.types.coercedTo lib.types.str lib.singleton (lib.types.nonEmptyListOf lib.types.str);
in lib.types.listOf (lib.types.submodule {
freeformType = lib.types.attrsOf coercedStrToNonEmptyListOfStr;
options = {
pre_comment = lib.mkOption {
description = "Comment to add before the rule";
type = lib.types.lines;
default = "";
};
post_comment = lib.mkOption {
description = "Comment to add after the rule";
type = lib.types.lines;
default = "";
};
};
});
generate = name: value: let
makeComment = comment: lib.pipe comment [
(lib.splitString "\n")
(lib.map (line: if line == "" then "#" else "# ${line}"))
(lib.concatStringsSep "\n")
];
ruleToString = rule: let
user_agent = rule.User-agent or [];
pre_comment = rule.pre_comment;
post_comment = rule.post_comment;
rest = builtins.removeAttrs rule [ "User-agent" "pre_comment" "post_comment" ];
in lib.concatStringsSep "\n" (lib.filter (x: x != null) [
(if (pre_comment != "") then makeComment pre_comment else null)
(let
user-agents = lib.concatMapStringsSep "\n" (value: "User-agent: ${value}") user_agent;
in
if user_agent == [] then null else user-agents
)
(lib.pipe rest [
(lib.mapAttrsToList (ruleName: map (value: "${ruleName}: ${value}")))
lib.concatLists
(lib.concatStringsSep "\n")
])
(if (post_comment != "") then makeComment post_comment else null)
]);
content = lib.concatMapStringsSep "\n\n" ruleToString value;
in pkgs.writeText name content;
};
in
{
options.environment.robots-txt = lib.mkOption {
default = { };
description = ''
Different instances of robots.txt to use with web services.
'';
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
enable = lib.mkEnableOption "this instance of robots.txt" // {
default = true;
};
path = lib.mkOption {
description = "The resulting path of the dir containing the robots.txt file";
type = lib.types.path;
readOnly = true;
default = "/etc/robots-txt/${name}";
};
rules = lib.mkOption {
description = "Rules to include in robots.txt";
default = [ ];
example = [
{ User-agent = "Googlebot"; Disallow = "/no-googlebot"; }
{ User-agent = "Bingbot"; Disallow = [ "/no-bingbot" "/no-bingbot2" ]; }
];
type = robots-txt-format.type;
};
virtualHost = lib.mkOption {
description = "An nginx virtual host to add the robots.txt to";
type = lib.types.nullOr lib.types.str;
default = null;
};
};
}));
};
config = {
environment.etc = lib.mapAttrs' (name: value: {
name = "robots-txt/${name}/robots.txt";
value.source = robots-txt-format.generate name value.rules;
}) cfg;
services.nginx.virtualHosts = lib.pipe cfg [
(lib.filterAttrs (_: value: value.virtualHost != null))
(lib.mapAttrs' (name: value: {
name = value.virtualHost;
value = {
locations = {
"= /robots.txt" = {
extraConfig = ''
add_header Content-Type text/plain;
'';
root = cfg.${name}.path;
};
};
};
}))
];
};
}

@ -50,7 +50,7 @@ in
serviceConfig.Type = "oneshot";
script = let
openssl = lib.getExe pkgs.openssl;
in lib.concatMapStringsSep "\n" ({ name, value }: ''
in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: ''
mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
then
@ -69,8 +69,6 @@ in
chown "${value.owner}:${value.group}" "${value.certificateKey}"
chmod "${value.mode}" "${value.certificate}"
chmod "${value.mode}" "${value.certificateKey}"
echo "\n-----------------\n"
'') (lib.attrsToList cfg);
};
systemd.timers."generate-snakeoil-certs" = {

@ -1,30 +0,0 @@
{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
stdenvNoCC.mkDerivation rec {
pname = "bluemap";
version = "5.2";
src = fetchurl {
url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
hash = "sha256-4vld+NBwzBxdwbMtsKuqvO6immkbh4HB//6wdjXaxoU=";
};
dontUnpack = true;
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
runHook preInstall
makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
runHook postInstall
'';
meta = {
description = "3D minecraft map renderer";
homepage = "https://bluemap.bluecolored.de/";
sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ dandellion ];
mainProgram = "bluemap";
};
}

@ -12,7 +12,7 @@ let
name
, commit
, hash
, tracking-branch ? "REL1_42"
, tracking-branch ? "REL1_41"
, kebab-name ? kebab-case-name name
, fetchgit ? pkgs.fetchgit
}:
@ -33,63 +33,63 @@ in
lib.mergeAttrsList [
(mw-ext {
name = "CodeEditor";
commit = "9f69f2cf7616342d236726608a702d651b611938";
hash = "sha256-sRaYj34+7aghJUw18RoowzEiMx0aOANU1a7YT8jivBw=";
commit = "7d8447035e381d76387e38b92e4d1e2b8d373a01";
hash = "sha256-v2AlbP0vZma3qZyEAWGjZ/rLcvOpIMroyc1EixKjlAU=";
})
(mw-ext {
name = "CodeMirror";
commit = "1a1048c770795789676adcf8a33c1b69f6f5d3ae";
hash = "sha256-Y5ePrtLNiko2uU/sesm8jdYmxZkYzQDHfkIG1Q0v47I=";
commit = "a7b4541089f9b88a0b722d9d790e4cf0f13aa328";
hash = "sha256-clyzN3v3+J4GjdyhrCsytBrH7VR1tq5yd0rB+32eWCg=";
})
(mw-ext {
name = "DeleteBatch";
commit = "b76bb482e026453079104d00f9675b4ab851947e";
hash = "sha256-GebF9B3RVwpPw8CYKDDT6zHv/MrrzV6h2TEIvNlRmcw=";
commit = "cad869fbd95637902673f744581b29e0f3e3f61a";
hash = "sha256-M1ek1WdO1/uTjeYlrk3Tz+nlb/fFZH+O0Ok7b10iKak=";
})
(mw-ext {
name = "PluggableAuth";
commit = "1da98f447fd8321316d4286d8106953a6665f1cc";
hash = "sha256-DKDVcAfWL90FmZbSsdx1J5PkGu47EsDQmjlCpcgLCn4=";
commit = "4111a57c34e25bde579cce5d14ea094021e450c8";
hash = "sha256-aPtN8A9gDxLlq2+EloRZBO0DfHtE0E5kbV/adk82jvM=";
})
(mw-ext {
name = "Popups";
commit = "9b9e986316b9662b1b45ce307a58dd0320dd33cf";
hash = "sha256-rSOZHT3yFIxA3tPhIvztwMSmSef/XHKmNfQl1JtGrUA=";
commit = "f1bcadbd8b868f32ed189feff232c47966c2c49e";
hash = "sha256-PQAjq/X4ZYwnnZ6ADCp3uGWMIucJy0ZXxsTTbAyxlSE=";
})
(mw-ext {
name = "Scribunto";
commit = "eb6a987e90db47b09b0454fd06cddb69fdde9c40";
hash = "sha256-Nr0ZLIrS5jnpiBgGnd90lzi6KshcsxeC+xGmNsB/g88=";
commit = "7b99c95f588b06635ee3c487080d6cb04617d4b5";
hash = "sha256-pviueRHQAsSlv4AtnUpo2Cjci7CbJ5aM75taEXY+WrI=";
})
(mw-ext {
name = "SimpleSAMLphp";
kebab-name = "simple-saml-php";
commit = "fd4d49cf48d16efdb91ae8128cdd507efe84d311";
hash = "sha256-Qdtroew2j3AsZYlhAAUKQXXS2kUzUeQFnuR6ZHdFhAQ=";
commit = "ecb47191fecd1e0dc4c9d8b90a9118e393d82c23";
hash = "sha256-gKu+O49XrAVt6hXdt36Ru7snjsKX6g2CYJ0kk/d+CI8=";
})
(mw-ext {
name = "TemplateData";
commit = "836e3ca277301addd2578b2e746498ff6eb8e574";
hash = "sha256-UMcRLYxYn+AormwTYjKjjZZjA806goMY2TRQ4KoS5fY=";
commit = "1ec66ce80f8a4322138efa56864502d0ee069bad";
hash = "sha256-Lv3Lq9dYAtdgWcwelveTuOhkP38MTu0m5kmW8+ltRis=";
})
(mw-ext {
name = "TemplateStyles";
commit = "06a2587689eba0a17945fd9bd4bb61674d3a7853";
hash = "sha256-C7j0jCkMeVZiLKpk+55X+lLnbG4aeH+hWIm3P5fF4fw=";
commit = "581180e898d6a942e2a65c8f13435a5d50fffa67";
hash = "sha256-zW8O0mzG4jYfQoKi2KzsP+8iwRCLnWgH7qfmDE2R+HU=";
})
(mw-ext {
name = "UserMerge";
commit = "41759d0c61377074d159f7d84130a095822bc7a3";
hash = "sha256-pGjA7r30StRw4ff0QzzZYUhgD3dC3ZuiidoSEz8kA8Q=";
commit = "c17c919bdb9b67bb69f80df43e9ee9d33b1ecf1b";
hash = "sha256-+mkzTCo8RVlGoFyfCrSb5YMh4J6Pbi1PZLFu5ps8bWY=";
})
(mw-ext {
name = "VisualEditor";
commit = "a128b11fe109aa882de5a40d2be0cdd0947ab11b";
hash = "sha256-bv1TkomouOxe+DKzthyLyppdEUFSXJ9uE0zsteVU+D4=";
commit = "90bb3d455892e25317029ffd4bda93159e8faac8";
hash = "sha256-SZAVELQUKZtwSM6NVlxvIHdFPodko8fhZ/uwB0LCFDA=";
})
(mw-ext {
name = "WikiEditor";
commit = "21383e39a4c9169000acd03edfbbeec4451d7974";
hash = "sha256-aPVpE6e4qLLliN9U5TA36e8tFrIt7Fl8RT1cGPUWoNI=";
commit = "8dba5b13246d7ae09193f87e6273432b3264de5f";
hash = "sha256-vF9PBuM+VfOIs/a2X1JcPn6WH4GqP/vUJDFkfXzWyFU=";
})
]

@ -1,13 +1,14 @@
gitea:
web-secret-provider:
token: ENC[AES256_GCM,data:pHmBKxrNcLifl4sjR44AGEElfdachja35Tl/InsqvBWturaeTv4R0w==,iv:emBWfXQs2VNqtpDp5iA5swNC+24AWDYYXo6nvN+Fwx4=,tag:lkhSVSs6IqhHpfDPOX0wQA==,type:str]
password: ENC[AES256_GCM,data:hlNzdU1ope0t50/3aztyLeXjMHd2vFPpwURX+Iu8f49DOqgSnEMtV+KtLA==,iv:qljRnSnchL5cFmaUAfCH9GQYQxcy5cyWejgk1x6bFgI=,tag:tIhboFU5kZsj5oAQR3hLbw==,type:str]
database: ENC[AES256_GCM,data:UlS33IdCEyeSvT6ngpmnkBWHuSEqsB//DT+3b7C+UwbD8UXWJlsLf1X8/w==,iv:mPRW5ldyZaHP+y/0vC2JGSLZmlkhgmkvXPk4LazkSDs=,tag:gGk6Z/nbPvzE1zG+tJC8Sw==,type:str]
email-password: ENC[AES256_GCM,data:KRwC+aL1aPvJuXt91Oq1ttATMnFTnuUy,iv:ats8TygB/2pORkaTZzPOLufZ9UmvVAKoRcWNvYF1z6w=,tag:Do0fA+4cZ3+l7JJyu8hjBg==,type:str]
passwd-ssh-key: ENC[AES256_GCM,data:L0lF0wvpayss1NU9m3A45cH0bCMQzODTFVrq6EPd1JHx54wIcoaRBYLmxXKXASzBlCg9zlwXMUIk3OQcS3kdzMKL0iqcSL2iicAcKjFIHyrWLqXgwV5pRSP/tRPcVw8KW8gz0bh33EgESs5ReddZ3VZ0Cy1s2YupMRQvBXr89k1+Hv70OWB6P06hvxhv/zKcMGI1N/dWLroMgrQuT9imw4+/Q1RqwzTYeEU+eUn24AM9GjcBg4qf3OI+6g0nXUat/upIYE28iF5J3lbUSmDSmirBLc8xgHLdOyyJPTObWYWYxlSL78T7IqiMm9lI3rtBlpJDDcn/YxZpVqN5bg2154GISNK+uR0TVSLdJ+drdGHIfIX3G78XSxf2L9rbJyRn8MQlgStfdBIQicLavQKVMrmj+XQfvEMez23WbPLjH4oViBQFI+GrOHOGy/f16cz8Sn4n+69OcsOeTxs3tKYdfq6r1XLYSJ/fe/zvxBpaZiyGXljsuyEdIyBL2A8D6uSXe3Nd3/DAdBtceFfIdN1olCdutixzVWgxaJnrel161z5A/4w=,iv:Uy46yY3jFYSvpxrgCHxRMUksnWfhf5DViLMvCXVMMl4=,tag:wFEJ5+icFrOKkc56gY0A5g==,type:str]
gpg-signing-key: ENC[AES256_GCM,data:y/g1rpsEgiGEJ9BGii6te166ABpg1jgsyYMT1Ji5njLbT8/juBBMc7BFEM5BcIxKpQGijymsB+Htl8CZAN4Bl3FHSRyrnXGuMCnveJfw1qTVjMa6soriHv7EdTDFPCp3TYMbs1OgY/bhGJIvp8e4hCVd4F3x8eAlFmiwHhkxr62qQNHjH7SRNIyUNibf/TTttOeEcercxOy7FeUE99D+CWG4pnJNEYyRHDdddalgpSJyZIJvPpXoKmeCDk3futnxiZ15Vr7bDS5u4dqnE+no7DKoZ5fvk38f/77JH3w/Qom7NCYSG6L+unJ3r3RKuuGMRDjdz09TPZ4APpmrlyOElfGMmm134g6mdhgXmwNCo65Z7VOd1OKFA/uyZm2b7XsT3tCgRalE8gBa0R3MBMi3JK+5KUdS6ZUvYXDt8D8C68ldM3K9E7lyeeHn775rV6L4JIXcj/NL1O23sXtjeVuUPQmsUesgYlllRaiTSTfY7K+yOIG3wqqCuCDSAeILQICkvod4iw4xdVMQzd8eQtbD6bCjOzHwvBcu+rOSN6ti+xOQ7bJ9+6xhCgJJsiADkp2q09cUu8mDbUh+YJxfu+oZhPomOJVDMSqfS4qNXcVM9mbak/L9KPR4b83GqTpmXHnDMlGe4BHGXrkIUKPsBQ5TmdckXbpRDBQFrnjVvFT+Gfx3xwHxWc9fbxcFID2wp69EzQrGC77bDPCFxBT5vAVwffGYUezPQEo25bKRpCWxTFTpiIQfACrwzZc/O9cmwDgrYN7bTZyrrp8cbyBtllZGYmXxLDkDOzIqzpLG3b0yJC2jSnw0f1DkU6M2mD/j9FRTVW1MVymyLPiZQ7T9QyZ3MekHEEY1QqmyiJMIOekSzC5+3Us6Nl32MeBrIry6NuV8ewIQF5bcZEHtSmZ0k/wBtK0fpFHUuc/vETFuRUiQw/InhN5W8iH78vFvflxBfg61Qp7PzEx0k0axwEc6VAKbEg/uFNL+fhUKKt7sYiEBmwg2Vsj3pyZgdmjPZEsOQ86+psaxv+2feH94wog47jDHFRrc4iRC5w7kZ6UJXHfZt9lkBbwl4qNwiOLlPnUUcR+CpTBpPoKD9ulidQGfcYY49+iE+PM5dAI2CtisKpLQiwmrvjOzB1a/rC9QnH679frgH5Ebb57WRL4uSAVNRdIvIGzAF5MNwQOu+cxKoiW6ZmuNJSb547XUB1UO,iv:aKzrgAV30sLfPEpgdQ26ZzdM3+gYtoSpZ9mNyqCqf/M=,tag:vjywN4qxh2zsCE3RPG6Yrw==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str]
import-user-env: ENC[AES256_GCM,data:vfaqjGEnUM9VtOPvBurz7nFwzGZt3L2EqijrQej4wiOcGCrRA4tN6kBV6NmhHqlFPsw=,iv:viPGkyOOacCWcgTu25da4qH7DC4wz2qdeC1W2WcMUdI=,tag:BllNqGQoaxqUo3lTz9LGnw==,type:str]
runners:
alpha: ENC[AES256_GCM,data:gARxCufePz+EMVwEwRsL2iZUfh9HUowWqtb7Juz3fImeeAdbt+k3DvL/Nwgegg==,iv:3fEaWd7v7uLGTy2J7EFQGfN0ztI0uCOJRz5Mw8V5UOU=,tag:Aa6LwWeW2hfDz1SqEhUJpA==,type:str]
beta: ENC[AES256_GCM,data:DVjS78IKWiWgf+PuijCZKx4ZaEJGhQr7vl+lc7QOg1JlA4p9Kux/tOD8+f2+jA==,iv:tk3Xk7lKWNdZ035+QVIhxXy2iJbHwunI4jRFM4It46E=,tag:9Mr6o//svYEyYhSvzkOXMg==,type:str]
epsilon: ENC[AES256_GCM,data:JMnZVBdiy+5oPyXgDpfYvy7qLzIEfHy09fQSBDpNG4zDXTil2pSKBKxk09h5xg==,iv:/8oXKJW6+sMBjDt51MqVAWjQPM5nk02Lv5QqbZsZ5ms=,tag:+Rx7ursfVWc0EcExCLgLhQ==,type:str]
mediawiki:
password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str]
@ -15,8 +16,6 @@ mediawiki:
postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str]
cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str]
admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
roundcube:
postgres_password: ENC[AES256_GCM,data:fGHmq6r/ZCeIseHL8/gmm5DfWQYorI3OJq1TW0EHvh7rHL62M4TE+Lrlrmq8AIlmGLSWtO8AQzOP3toxidL6xWX3pcwLxtTefa1gom2oQf6ZL4TbAZLidHksdiro6pWtpMOO66bb8O9eXvZmns4=,iv:Irnb2/bgx8WilDyRLleWfo6HHafZ+vlDEwxIcgm1f18=,tag:eTNBUELmLwO7DsQN9CLX7Q==,type:str]
idp:
cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
@ -31,9 +30,6 @@ nettsiden:
admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
vaultwarden:
environ: ENC[AES256_GCM,data:CST5I8x8qAkrTy/wbMLL6aFSPDPIU7aWsD1L1MnIATRmk7fcUhfTSFds7quJmIpb2znsIT/WxNI/V/7UW+9ZdPKI64hfPR8MtvrJcbOhU5Fe2IiytFymFbhcOgWAXjbGzs7knQmpfMxSl98sU71oLkRuFdkousdnh4VQFZhUCYM=,iv:Is6xQ7DGdcAQgrrXCS9NbJk67O2uR82rbKOXBTzZHWw=,tag:XVEjCEM5t8qJl6jL89zrkw==,type:str]
bluemap:
ssh-key: ENC[AES256_GCM,data:nPwsT4RYbMbGp2MChLUh6NXW4ckYr7SQcd6Gy2G8CEU+ugew5pt4d6GOK1fyekspDtet3EkPL2F1AsoPFBB2Rv0boARMslAhBqwWSsbBJTXeTEgAABSMxTPJRBtfJucvv426nyIj3uApoknz6mDCQh1OI6mER0fis7MPaM1506HlDlnIT0FV9EairEsaAmbd0yddByGJSccKIza2vW0qWqrz83P+xrakEONxFz0fJlkO5PRXCcQJVBCqWQfnaHNrWeBWv0QA7vAHlT0yjqJCpDRxN2KYrPWsz7sUbB4UZOtykCRM5kKFq73GUaOKqVECJQhcJi6tERhpJELwjjS8MSqvBD90UTKTshGugfuygTaOyUx4wou3atxMR2Rah9+uZ6mBrLAOLX3JKiAtyhFewPMWjd/UhbMPuzNageVBNz2EMpa4POSVwz5MyViKNSgr9cPcNGqmrnjvr/W/lnj6Ec+W80RiXQlADSE4Q6diLLwB9nlHvKs8NTDgv6sUafcPHpJ2+N4Jkb96dE14bMffQ385SI4vLDcQ8xCQ,iv:WdJIHRzjlm8bEldolCx1Q7pZJvjxGkNZALSOy3IjizU=,tag:5ZAikiqttq/76+thG+4LMw==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data:J6V+NJ9TvYUL2gmcqWWYt8X+n0M7i0RpDpBelWAbFMH64+e9ztHNnC491sm+RogDxqKk0kwQyX2Mz00iq3Gc3wDYyozGOdv3tBKrp7/LcfjUQ9T9hi0yTD3eNV0LAjlAWMTdlW65VGHqGst8ncKbUuVxbBASVlh3A321toZgD+xxUAtNz7qKFa6fDbOS0xLD1+CmTwVp+aPos//QIKzjuk1HqxfBNK82maKtD4JHPS+Y3be2wIEjGWq3H6JYN/RDojD88D/jzo9RwvEjpqLXoOVfy8uX/fbEsgkgfAmPiaG+ePCnchSExEe3a6Y0E+I6YIzvP+tGThJpu4HaT/yW2Rww/jvsxKrXSUhtBZI/SIX5ZAIFB3sFjJXQefJjfNpQTQWhbspLfdemafGaRiDnzVgKDhNL1HNMNsXKDfWa0SLs4//dqerom/QCCNsaqV+4HVzv5x44srChGERadQI/Wh4UG2R19xxbdyIsKPHzv7BhEKufJkjc5upBjWygQrGAkTRHugFpw2Tdkz9yUQSujMkaeRKhVkA+ZUAjwnY5TwqNZBj7U3K2JXoNVHAq194XmrA2dNghh0OmRrvKGwM3HKexX22SXT0bPlpdWRQpMbUgV+uHLMerlDpNMFTIueEBkaF/FWeSW2N5WUrUb1uJ91QcJ8JBgN1riuD1Oxv9RRPrY9VVNJMrYjpAAREN8i8brMTOCJ35s7jnqIei0dNmnNXOoQZPs9kUMeEtUc/Df1E8/aO2Y4yU9gHUuevXnAJWFAiu2IxssgPk6CcNxvapJEmlwkLK/JyuDsWwFxVOHfw5QIEsoDVWXt6eMhquqUgzJI1q7QrTWUQsBb5A5sQKYWQHempOaXuQn1bzA7mU3Gzsr8bNNc6tpy+6j3zTXYR067EX00yqPG+kqRn4QVIuhByxXP3cwXLUG9uD1lsqWrGzs6WCnHr7txhRBXf4WbBVmXModO3uf36cDYEwrUa6yBsARtSl8PJ0UadfY/xULcT5PFvu9+Hi2qj3vp4IU3JCJa9AvXB+11pbSdawprjuDhwQtPwkJ4CQyvZsom3/BOrmwYM5+EyMDIluEQ0z6eDE5buiIVbX6IvXnDCKbrnqVwavX2wqyiDduFLjRfWL/3U2O1yRim78smrDMJABJZvtW+a+GfmlnTd/gnFvS70Fmm/lgtY051ISL/iFx6toJRoBMMiI/Zvy13uQry+w/HbyFl42DIank8tf7kuN3E9M7ADGMubRJJ0AZOcQddrFnR4Gl2nU2+3RS5fLHaBf9QHK6W92/n//xmPkYqrkPacew4eBjUqM32jVGuBpDc964fK9kdtIdw8q5P1s/ph3I79Y24kGeuO1AVJuZvkaTv1Z7GgI9+K9TstKJ9XpRCidLpLSP+uHOWkqcNsQlt6ilTlfHj+MKoD85dKZ315QMmpiuYEvzCSP1aYTb9dpd61Su/IVuM3r2NuINNEZ166YlHQVsLNpDn8E5ahk3ZInOAg6/kaKTmjUI8KEvX4BR3PbbViAlJJb3suJ0oZBGPUlrW5uLRmADvf2mMDVO5zY7/m9DQwxjt4Miu0l8ZaUc0YJQ850lBKucQ==,iv:GI8w7h7xX8gMHuAoWUyrW+BQb85LNlASoYvGBPlCZaI=,tag:WnHNMevfFSMc0ikBZwWn/g==,type:str]
sops:
kms: []
gcp_kms: []
@ -94,8 +90,8 @@ sops:
UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr
4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-09T21:18:23Z"
mac: ENC[AES256_GCM,data:scdduZPcJZgeT9LarRgxVr/obYsGrJAbMoLGJPPPp19qxOJMTdvYfMz8bxPjCikB4MacEgVZmcnKIn5aCzHJAnCI/7F2wm1DDtW9ZI5qbhDJKSSld+m2leOSPfR8VY/0qj6UNgGnwkwx7dfcAlv8cP2Sp3o1M2oyQxeXPr5FWEg=,iv:JEAwkCewMp0ERmYU62kZkbl7+FET1ZeRr6xeEwt6ioM=,tag:jxvli935X3JyZYe7fFbnLg==,type:str]
lastmodified: "2024-05-26T02:07:41Z"
mac: ENC[AES256_GCM,data:CRaJefV1zcJc6eyzyjTLgd0+Wv46VT8o4iz2YAGU+c2b/Cr97Tj290LoEO6UXTI3uFwVfzii2yZ2l+4FK3nVVriD4Cx1O/9qWcnLa5gfK30U0zof6AsJx8qtGu1t6oiPlGUCF7sT0BW9Wp8cPumrY6cZp9QbhmIDV0o0aJNUNN4=,iv:8OSYV1eG6kYlJD4ovZZhcD1GaYnmy7vHPa/+7egM1nE=,tag:OPI13rpDh2l1ViFj8TBFWg==,type:str]
pgp:
- created_at: "2024-08-04T00:03:28Z"
enc: |-
@ -118,4 +114,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.9.1
version: 3.8.1

@ -1,6 +1,8 @@
calendar-bot:
matrix_token: ENC[AES256_GCM,data:zJv9sw6pEzb9hxKT682wsD87HC9iejbps2wl2Z5QW1XZUSBHdcqyg1pxd+jFKTeKGQ==,iv:zDbvF1H98NsECjCtGXS+Y9HIhXowzz9HF9mltqnArog=,tag:/ftcOSQ13ElkVJBxYIMUGQ==,type:str]
mysql_password: ENC[AES256_GCM,data:Gqag8yOgPH3ntoT5TmaqJWv1j+si2qIyz5Ryfw5E2A==,iv:kQDcxnPfwJQcFovI4f87UDt18F8ah3z5xeY86KmdCyY=,tag:A1sCSNXJziAmtUWohqwJgg==,type:str]
doorbell-bot:
config-json: ENC[AES256_GCM,data:QNFHiUqaBWfW9ZRAkZo9M18AMbn/oSxvEMq1N1NsDcBjxJMo/OE36fz1Uf4TagGccCDkWy56wSVSFZm8KZnXVaQ/X0EgJkUK1JZyR7i5yiEW8ByLaVzThMWBwxQoj2cz48z53krzfddyl250rLFQRa7Fco74yTFfBWruf/1clN5O/iHFspeW7uJtQh/oyFIVb87YisjKU2+jpU3IeDNsO6VFWOoOJd+ACmfwsAY0wOz5lzBEIrdU2k/PMgSVzECMV4S5ipwIUmVUpGzbvgAWZQGtsUeVevAbvZ1QgyH6bhDIUheeUrOKN0cbgEMc/xIi7yZ+VWHOMBqb8LkyBvunG2TjK31B1HAGL/krBS+gvvQnW0ZN,iv:K0djdxNOGaHBkE4vyh/22fruAHVsZYVT68cdVoMmogw=,tag:3fjjzD3bghvGy3aZ7/Ienw==,type:str]
mysql:
password: ENC[AES256_GCM,data:KqEe0TVdeMIzPKsmFg9x0X9xWijnOk306ycyXTm2Tpqo/O0F,iv:Y+hlQ8n1ZIP9ncXBzd2kCSs/DWVTWhiEluFVwZFKRCA=,tag:xlaUk0Wftk62LpYE5pKNQw==,type:str]
sops:
@ -63,8 +65,8 @@ sops:
cTh5bnJ3WW90aXRCSUp6NHFYeU1tZ0kK4afdtJwGNu6wLRI0fuu+mBVeqVeB0rgX
0q5hwyzjiRnHnyjF38CmcGgydSfDRmF6P+WIMbCwXC6LwfRhAmBGPg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-15T21:18:33Z"
mac: ENC[AES256_GCM,data:uR5HgeDAYqoqB9kk1V6p0T30+v6WpQJi4+qIeCDRnoUPnQKUVR10hvBhICck+E+Uh8p+tGhM6Uf3YrAJAV0ZCUiNJjtwDJQQLUDT53vdOAXN4xADCQqNuhgVwVMaruoTheEiwOswRuhFeEwy0gBj3Ze2pu47lueHYclmEzumLeQ=,iv:t0UyXN2YaR2m7M/pV2wTLJG5wVfqTIUs7wSQMmyeTVw=,tag:O7dIffzrDAXz3kGx5uazhw==,type:str]
lastmodified: "2024-08-24T16:49:06Z"
mac: ENC[AES256_GCM,data:A5pYM3yNt5GdlvpdDbRXxQwUccC/dr5JZwPBMjjx4ZRaJMbewpmGL/ySITnsCEuxOG1cagc1S28ti8k3z0bR4rfFlt/fZ93K8uwI9rT6KW5pSEAa1vPEz8Jq+7asfJIBMCpxFxN704JDSeOnBMaSHwQdICdmG4jfN/F+YbXTPIA=,iv:Y6gloFlYtnJZ3kzcUtZZZmJQ8KowQ29pwZaqo/ePrm8=,tag:r8XFLU5PGMr3U3K0N0cmlQ==,type:str]
pgp:
- created_at: "2024-08-04T00:03:40Z"
enc: |-

@ -2,16 +2,14 @@ synapse:
turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str]
user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str]
signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str]
sliding-sync:
env: ENC[AES256_GCM,data:DsU1qKTy5sn06Y0S5kFUqZHML20n6HdHUdXsQRUw,iv:/TNTc+StAZbf6pBY9CeXdxkx8E+3bak/wOqHyBNMprU=,tag:er5u4FRlSmUZrOT/sj+RhQ==,type:str]
coturn:
static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str]
mjolnir:
access_token: ENC[AES256_GCM,data:ERFqZjK7MRD0xWt91FNCIxP1YC6Qj54QgnckHlCTtcQVLWaM1h2h9lHS+K8=,iv:1d7vmFkXAPcsmumzlmOT31amdrKLWtL5sJiS8G9g+LE=,tag:2l0vWzJ6P12ofuBdf5CCWw==,type:str]
discord:
as_token: ENC[AES256_GCM,data:cnPZjBbODZUA1p0kLNeWpKh1oGkDPxDw/g7163XnoRCIgpqk,iv:Uu4L36uDPMBgzdXE2Lt9U0qrBSl3Xuufh1313BD8B/U=,tag:nTm6s7IGd4vNzZ95mfxDpA==,type:str]
hs_token: ENC[AES256_GCM,data:UzcaNsJtJPKvFT4gQDNfat0nmyJzmQ6OcSI73pANibzOVrWl,iv:ujgRM2jb1rbeloPB4UPLBEvQ7uue4a+bHiqsZAHIqtk=,tag:uIfuaTWSTeVvpQx5o28HPA==,type:str]
hookshot:
as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
registrations:
mx-puppet-discord: ENC[AES256_GCM,data:FleyXxgOmc05nTP6M2DBJlacufN3p/05eZm4kB8+K4ci0k24o3zli988wlM/kyeZmxu4pgQlJ3lNLte4uip2hBXHWG5t5Ldzmr7bNCUD+r7nM+I1lfNkrDROPZ54bHysmn9O5CHpEa16rSo6RJgncIPqsLJxTwjC7qZlkOpzqvMhkq/MHCVOpvg0M/6AUR+AlSZoggujBMoXLznQNQapN13foEsbuo/QxjszM/ObGmhYMVyaS+TDBXzQLA8Yuj50Q/gZCIINWZ4G2qmgsGxxNR4I+usUQml/jxCtIXS4zn/ettXfL9G4Fdm2F9u1v11DehtTGa5xoxDq94M9rIxOqeJpvgEQEyyKAyFUIrlINfGl7tAj4Zu7+9Z8JTRAnppjM1q8iInwn/Z2L9KgB0YFi/Go1whgXly+TH6hpreo7m5klXV/ff/aV3ghOgFCGA8nBrZFqE8Uw268q9tV1s1dxCb6TbpGf19V5c9MD6BsCIVeoq+j9I/I8iZpzg2Reb4IlHhMDwbwsL2w2ks30wiZ9XO/CFrXDY4uBlI=,iv:3vvkGvldS8Raibg6tzlV8VY1O9NCLxSuNX/lwi1QgiA=,tag:D/noIsE3xlOiYM6Pk+cc8Q==,type:str]
sops:
kms: []
gcp_kms: []
@ -72,8 +70,8 @@ sops:
WEh5NFN6SFF1TlltdWFWTGw4MHRHUkUKrKIvC87xjEmwxPQhH8dN+ZuaJTCgPY28
pR62KxmoKFICLTHPpYP3euiAx5M9BWvgvCnA/US/5klpk8MtlreNFA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-13T23:30:01Z"
mac: ENC[AES256_GCM,data:vdsAZmg7gPqzeucBhLhPemtRVkcxRecIdB6PXZ4paU+Uv5UorBKcTZ3jseN2cLi6ot3ycTIm+UI6uhlCy87vAJVynVJhuJS+ICFRS2+DfoVyuttLjZQGC2sr3+dEBHxIH7sZJSo9PIzbIWw3qHrpOPAZj0//1pFyp/k15k3vidM=,iv:jWtV+WAPt08lgdrVvtXOl35rDB4QflkZWuGBW1+ESyw=,tag:YxSHncZZOAW5uDxXtb/krw==,type:str]
lastmodified: "2023-10-22T00:31:46Z"
mac: ENC[AES256_GCM,data:UpnaUfRxvdyzBy5x4EC3w5LQ1qWxILTQhpyVPd9whTzQMAivAHT0pVmP9aE4T9w3NcWTaghp+f70GmQXx/OCC6DsRCWtU9pFHRj12YUowM3yB5lVTOomOLZQ9m4gUXw5I2GZHWBJn8CyosDcBMlXz2tiR91v/8Ulh6sDSAO86U0=,iv:5GcgRvbpqDEslZruKHM/TcMaF52A5X7AK41DEbrsRIQ=,tag:ndDgCRyX1aDRnzEUNmpoMw==,type:str]
pgp:
- created_at: "2024-08-04T00:03:46Z"
enc: |-
@ -96,4 +94,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.7.3

@ -1,5 +1,15 @@
#ENC[AES256_GCM,data:oyFG9fCzJH8yLB0QY78CVOcYO6Ttp/ARqtIcXwWGYOvL6nW+yLcakrdmVA96sR5toywb32aW,iv:7o3FI0cI6GHCwmQfLYh2iAVr8sELOMoxGSzE5qvuAaI=,tag:z9F1c4dOIiy2FtKpBwm5wg==,type:comment]
#ENC[AES256_GCM,data:nhDznFCozGpXdYBfumLyhp7TnA7C/IqBCpHJ,iv:3AZN6iVBha8Qh5/X6Yn/5JWsGhDXlE/zdUh1CcO7fQc=,tag:59DaAyKTOmkKty4eyFWFqw==,type:comment]
#ENC[AES256_GCM,data:vQu+AG19Vy94xxwj196G2uk9,iv:YJGBvoMgOngjn/TeuXeoU82daRvJDxvCQMYb3XCPlw0=,tag:fU6ZhhmAh0yh3/QuXbCNkQ==,type:comment]
#ENC[AES256_GCM,data:S1UOENn/ewhw8Pb9CmKp,iv:jafOhkCoiTm5HXQ/S611L4VlQFa1Wqr5WIIRzLQm3i0=,tag:6CQ+Y9E/FxWN8K+D9J7+Fg==,type:comment]
#ENC[AES256_GCM,data:lHHmoCHyP2Tc3waRGeMPEasQiv5+,iv:W6SSFpeWBfTBOEDo4P9hox39eoAiO40Ay4T3QeiI9Tw=,tag:9bLbcEZ9/B1QolDettwcfg==,type:comment]
#ENC[AES256_GCM,data:DrF4XHSd8QAWn5h1xEGGpDKMQcLF,iv:nPCBbThQh/Aa+uccKJtmiCXSvoJKHxZMJ42yFkV+hi8=,tag:3l50mMn7cPoCnjPcHv1+Vg==,type:comment]
#ENC[AES256_GCM,data:ADUhFzufaR2xXNOLgiXKu5Cd8Zx3waYeZiLF,iv:WMK2gJwplf6r/EdijrvrOBHgPL57W+UMIQ8dBPp/DBA=,tag:E/q/ccAd7UH3BV7nut6Slg==,type:comment]
#ENC[AES256_GCM,data:IVFSM6VOWnR0YDRfecsDPlYr,iv:Jxe8pq3lxw5QUGKyspB8tWSquDSMo3mAJBAsQGKxSec=,tag:7bffwY98iTX4/De0coUIxA==,type:comment]
#ENC[AES256_GCM,data:pHSDnojWTLYXIKk=,iv:ph2xCpxbP3OiWm+B/MDboykPa2gtCWpP0b3j96YCDh4=,tag:u5hmvxHaa/m8GaSeYvONmg==,type:comment]
#ENC[AES256_GCM,data:Q0fCyyP0DJqUyJPo,iv:qwBE3c2VqF52Yq8POXhy2Qv2xJd82wL1aX4eVY6wL1w=,tag:IwmbD7XqIkemOTODBKpS0g==,type:comment]
config:
mysqld_exporter_password: ENC[AES256_GCM,data:I9K+QMqaN3FOOVKzeOR9Q6UERStXX0P8WEHyN1jzzbM=,iv:UxvIdlfAyJvNuxPkU4+guKPa0fiD0vVLzHOTYktcmso=,tag:ltnIqEwESYx9HBu8UN0ZLw==,type:str]
mysqld_exporter: ENC[AES256_GCM,data:w4muNsWmsW1fPx9nqtDGPCZ9faO3W5Pagn/DfWrb5yf88GQOzOsN4z7TH3QeW0Xs6I5jDIktGmFml6RDxCjD8UX9eer1pvC7Kxyl2DQKLHwmsgx1DUFNTRUzE1Sgx8rZAJ8HM7DO7L/6aXS0ndY4J+huyhDDVd+cIetgiQ==,iv:Q4cZD9CKd/EDOm4bjAE2EOstwKpwexF2pxhMEF0/5/k=,tag:S0rOLJS+b9ualtxcHKdHlw==,type:str]
keys:
grafana:
secret_key: ENC[AES256_GCM,data:+WoAJbDBEgKs0RoHT+7oEELAVQ+/2Xt+5RTMSXg23moCqVRx+Gzll9P5Drw=,iv:AkRn/Y20iEe5i1T+84wAgLCTFtAox2G3giyawAkltAw=,tag:BZbt5Wb5lYLIJBm/pfP4GQ==,type:str]
@ -67,8 +77,8 @@ sops:
WDRSdDZRa1lIbEVTdDlhU1dwUXUzQTgK5iE4Cf/zjsPYHKcqYA0rFqY0TNcCnzNU
vTM+cEPaA+/FXTwLfPpaiSkg5Fq8k2XdeMQsjQnglTBSWCwAJin27g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-16T20:08:18Z"
mac: ENC[AES256_GCM,data:C2tpWppc13jKJq5d4nmAKQOaNWHm27TKwxAxm1fi2lejN1lqUaoz5bHfTBA7MfaWvuP5uZnfbtG32eeu48mnlWpo58XRUFFecAhb9JUpW9s5IR3/nbzLNkGU7H5C0oWPrxI4thd+bAVduIgBjjFyGj1pe6J9db3c0yUWRwNlwGU=,iv:YpoQ4psiFYOWLGipxv1QvRvr034XFsyn2Bhyy39HmOo=,tag:ByiCWygFC/VokVTbdLoLgg==,type:str]
lastmodified: "2024-04-20T23:41:59Z"
mac: ENC[AES256_GCM,data:38Ask+adT2FshF8DYEfCWeVWt4KiaJsTXhF7Ib3xxdfQ6vAixM2OXTaK/qqUvN6gQok9TFF+HMJBJ+jezV00nVcKUYn04FaU2/D2zdam44eEEYEEovmfAZ6vbC+CiDv4d/DCc3hnYtDZCEgUTfP4gsZ9rLZFAOwaOFWRJxcDi6Y=,iv:BzuWdTjn6LhscNeouHjM7IYKxTahA8PzzlHSCYZ618s=,tag:BWtPbNwzdOJb788eOO5ZNA==,type:str]
pgp:
- created_at: "2024-08-04T00:03:54Z"
enc: |-
@ -91,4 +101,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.9.4
version: 3.8.1

@ -1,95 +0,0 @@
gitea:
web-secret-provider:
token: ENC[AES256_GCM,data:7ljFuW0CApzvvGSpWa7fiITIXtejhZk5aed70NNup6AS2GpDOv1NMw==,iv:vi+0BM4QkpnMatlGU6rdEYnCgGUU3U8SuE3imbwKfdE=,tag:uTFaeS/56t/MfBwb1hpkvA==,type:str]
password: ENC[AES256_GCM,data:1Hr2M95xT6J4SxnQLWe9ZQ7q4BIAACnpQXEGyCEm2OgRb/kqyv2s+gJAsw==,iv:95CbOJzeGl+jT8OsSSSx+DH8KYD1HtbXOyZhR60QwnU=,tag:dheIVvgqpiFrKvLLpFlPBg==,type:str]
database: ENC[AES256_GCM,data:nDZqnSBKijyhslBjhSu9weqLVJzUiBD8Ltu/nmllicadraeISylyEk3pOA==,iv:XFzM1pGv98jehdgvlZN217LrsK8TcAMFK5eDrPi2bm0=,tag:+YpXqMmvMTrnt7cDK/Sa7A==,type:str]
email-password: ENC[AES256_GCM,data:tasMZ2Zu449o/mH6uSSPM7cFOlBg4vC+,iv:lDNMvXh5P3HNy9pW6nBsSLCyij/3HiSRunVuLeKAmbI=,tag:ApqGWYE9MSE8m6iYLK6Yww==,type:str]
passwd-ssh-key: ENC[AES256_GCM,data:VOp8vqVoX9IFJhzpKy0J+AzyX3TvxEIBvv3dXpD1f8szmUyPwd4gDOlaFpqTSDu8ebmK3m/D0FMTkfBkPVhUG6XTPo7YIV37gLhfsBF6CuwCMXxTQAd23nfpwJKcDIn3R5h8Mu4MMme2Ev/4PNDztktmIYv3KoEbPglzBMS4LrZqJsDilvIYKEIDUExhSAkESKQZiIzK1TdtWDQSUzvUZ3OsbxONZgaTw5e+xz3qk/q+IR5eRNp9fpeZQ8EkpC7aa/JDIwxzNIuMFi8W9PWh6ANmAOm6GK7JSKiHYQL8GofVifhUGUanAnjgDTYkIWpDiSsuHjfDPGupFCeONNd+Wd4NpJZsej3p9ldLOVxa01Le2tIVYY80jUWT0dpV9IJ5syp4gVaky5Vk6i2QhvjunDoEUnArSRGyMTxWfxAxZLvbLYMNAJDoWzy25vf3jteNB43lVHckEW1F8w/RtzoKzbjKYiANHg+eNLVq0HK67gX2twpblNN4OBt9d03ZbV2lZjTMXGzJXHGFT5ZPDwTkxcDooNvoRuCMe8t8dpuksHFaIp4=,iv:3sgiIgGD9pmCMLVRk0Q8+7GZajYIWsokDUx9JuNrO2c=,tag:WDXyNYtqjdAMePEsnA0hbw==,type:str]
gpg-signing-key: ENC[AES256_GCM,data:AyafTF3H8p1qDk9xsNvT68BksoKGLwE2uE3hjz0TrT2XPxCRDOIlfAVYEPSu2Ih6l5a2uruEJhHPtU2fPCB2hln3Bv3gZfFGLb3GFWkSvdePIYFxG56uqGK5dE1KaMccc2cTi+raDImKqSTbp7Qpdo/c6C0WYVglYrD+2l8Y4QOiFuazyLY9zwcX0qG7pIjJ+akCUjfE4rJDAW6H/v+OqvHpcED3q4iXOYuw9sj/UeIgZfJ5Xc/uVrRmPewP4yALnA8o9gsaaLdjWRFIILe7VRwPr0YqwQ6XGgc+pEartkV8AzxjCq6DOtifOOzmu8EI1U1yoaOViYCAMbSHfP6SIKr7pJbrdU+YDBq9mvRx8KPXWUU2uNGrMObATEzlqMYAYA/HJeOdV4w3Axvq8RG2FLkJxJJniwNP5VZRF3bbbI3w+hprRP2yAwgeQw19KBU8yF8upKga/GdMNScpKJvRyVLjZtI0rsfvSC81lHawouuje6aPXT3dH1S5ROJBHMTeV0sP0vK6liBevz9RZpvNs6JVyNCgiRRtRSSYqsgwPJonDKuPeI/Zpgih7HboA8HqhIibqpO96h5/4yO69oJAbLUYV3zlKQcMDTaqadL4Ox5Z+8ygSAL3l1ufZIFGSj73SNHGQqQlIS/a3dAccRi5fPqv0gOmGFAAUJPKfeauFn3TclwojKzu5vwmQxZ5g50txEpTSTaYOy++qq6UZa/dXEyDC7fle75dXhqXyqMCf9kDwZZl5E9eBsabNdTF+auQCp82iLQivdBy7uJX2hkJFSg84fF9MLgH4mOcMQc2E/z961uNzEgoyvVhbDY6+SIJ+6SGmnardbFW7mYrj/QqnSUiMc4tHukAB4NGQYHgjOYRZMpHfVO/6dLbjmTOljnPsnfQUCepvb9rGim8NazvnARaVzezx4t3tfbNR8uLQudSeLZzn/Fu1mKSQvpP+IjdglmyAgp6QhB4OCDPbiaMRDUtOQIzlVILdz1/geUVzhZkJ4xzkm5klGukhtv+3TqjiTcEnoVJC+A1jRvxBQUfEE92GFuupJUfrw8bIDqsWQLkHPCNUMgdoKa/q2OkrWeQz2zm2yUqMAJn1/puoLHdSH5aCELUggx1gQZoc480pSBUvSCML+Qc4B4Cd6hX2PPp+/KQeKtfqHIsKz2I+DMT6KDirReX6WHxqk+s2DtLw7Wx/j65PWCIWLCz,iv:c9BDRxQImWTmwq11+T2CW0S00Dixd8d0od5xn5zZmY8=,tag:brnMedsdTwlkbaHaLa2w2g==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data:P6hKaCpcZdXIy4rE/1b1+66Md/3Kmviileb0OIT3Vz4IVsDLecBh3IiadHq66V4KocXC4LBUNFjcrxlVVGIonHJ3qd6VpQUwG0n83yhj6LD5hgxmZ5phAyR77Ri8BiH1lWUcg51L2k0U+WJFPP6JkumT9MEz1t1+JYr5Imij6GKRWRKFwTbU6QJwFH4tCA/iGw0ElrzIjSHiNiwIKfbm8yas9vlOhr4y7vCeV10hVyvV,iv:dZ8hQxhn7pokWbQG/8rQ2vFDpPYut7WCG3xy9g6kzNs=,tag:xMyPtJJoh8kjJcOT4t9aRA==,type:str]
import-user-env: ENC[AES256_GCM,data:9SE2k3/IJqbdexj0QFSQBQ1+u1AduWNjt+0XIHryJlxIEdvv9a+6hP4EXPo+31GnaE4=,iv:qZlWOBV5owr3ESTyFaV/R8VwlGl04kaui80I2zYk4zY=,tag:PhjRfEC1xoHaYyl648yCVw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWnlOa1NGME00dVhBQ3Z2
UE1HZlc0Nldrb1VwZTk0Z2I2Nm5ZazV6WndFCnNoM2JaWFJnazJaWlltVW9uNGhm
UmdPSWlsdllORFhyMzRhYXBKQjRqWmcKLS0tIC91RmRCNG91UW1xb1pETXczSDlM
aStmM20xL0hHT3VnMWpTSEltZEpqT1kKj7Io72QSR/dgggQRBZ0gjs0Q7Y3GIP9K
GPgvKGxEi8CcrUj5J9u7rDUed1/TowgWWs/ujt/8q2zfli7AjTpS1w==
-----END AGE ENCRYPTED FILE-----
- recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByclROelpuQUFPQlFpREJr
NjhlUDA0TGw4R2FKbmRwWEVCSldrem9neVI0CmU1Q29qUUNZbmZDSkx0UmZmNkVL
dmNQMEJjRjJtcWFYNE1SamV5SUozZVUKLS0tIFBMdFB5TTV4dGRoeVNnYWV5dERY
ejV3RTlSMjNlcGNreXM0YjhpUkVxUzQK2xB69WIRrMPNdZuJUzwuNM/a/Qzpyp7b
nInPmTCCOhqc3eNFSc+od6y5urMeW+r2i2iNV4B2rIdJTdLl1434eg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVFEyaWtlV0F1d0QvMGpU
KzUxdGpXRUMzOWhSODJNYU1Id1Evbm1QelVzCmNZS3NSNWZlZDhPYUVCS3ZIUXRM
aVdScUI5aFI0aXU1ZUx0VjBBQW1hRUUKLS0tIGtOcmFNTXIxdEV0RlI0akJpWEM0
bk9lWDZkS3BrM0t6V2xEbVdtZlQ1aTgKv7bIQpdGIoXMxPZDmLzqunIEaqQ5M63r
Qu1oFC+yZh2UlkjGxKE6HMlMGn0CnBcTa8XvBaEVMfchVR/2WVq8TQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQWM5dlFCbTIrSXlZYnBw
VVQzK1ZiaXpQcTcwQzV5YVV3d1A2L012K1NBCmpXNnNnenNrNTZDUjdXdzNXd2R2
T3FSc3BLdUUxWEs2OXlRNEdieXU1bEkKLS0tIFJkU0ZGcjd4bEUyOWFZeHVUMHow
dVNTbk41S0VUNndQLzRoZ2ZpVTVqNU0Kp6okYalYtbI1CFuJq/881ZyOVpFoRq0j
DvG2E2U+go6XftSaJ59DIUC6rzVBg1JKpJX3TS6SJhe+T+1paoxG/A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYVdXc2hrQ0JFQnF6NFpG
UWVMVTN5U0JuQkRxU1ExdUlpWkV4RHlvYUNZCmIzOFI5QnVrMU84VTV6WmcxdjdZ
aTZpOWZNdGNoSnJ2c0R2UzJ2cU1TRmMKLS0tIGFxTkxaYjUvaUxsRmhxRmpVeFFD
aWt5dnlUYWxoUUlHTjRnWEVBU0NzODQKQ2v9oCbXhUhRnURyHWbAIJHGjgb/eVp1
h9Tdld0TWTxxbyN8JkRa80B8JpUVwHgeqJmq2krnhDrYLN9zaugVMQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bFd5OGpvY0YxczdkVnVY
ZXExNnY1UXBtb0d4MFNYR3JrMTN1SXhNOUhrCi9xVm1HZDhHZmpEdmdJNVBFcWhv
UjI3VDNycEpKdTNnbVU1eVFUeUZuZTAKLS0tIE5GdEJ3Nk1oam9KYUVCMk9CVmpL
OCtLcUZwL084TUp0QmpSQXNtSFhHYkUKwGvXXE9AWlrlDgRl2ECCmej7IMztO+fx
852Vu610cI9FLv5oghlKM769+/A2QP82KwdxZ4MaRSDvJwXKBi16aw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-16T13:03:12Z"
mac: ENC[AES256_GCM,data:cuMHvEjR3nA/LqGHwIGOD+rWwmvg0fPiFtVTDLATKuc0Ulf+0PKogv9cddmXlmqaBOLMkmZue44egEpiLoNm38kEr7gPfP7XKj3kkwL2U4BiS43JEokt5CEq44sSETKylEMEVajgOEwyWn1od4MLxa7xsuhbvGvDpsbvjyPvzh0=,iv:zWFNpOS9cgCs36rdW9FcJ+jG3HrjRmcw2Ogz7QZuyJQ=,tag:L3x6Bsu+7n5A0/Dx0HghkA==,type:str]
pgp:
- created_at: "2025-03-16T13:02:45Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ/9Ey8zpaRU7DuvVaKTaybgkLCPTKNyq6mKXAusKqC0adMu
9G4M8G18uEoo6/Oa1LpJsQneU05EFuStZPaCs9+zxe5ZU2YhcVcDGAHgCDFBbI27
7kzUVxA/n5cK61CfIslNYdJolceJeLyH9HSrS3k3eI3V6zEQL9Yz05dDz7Nlma4q
AKsnGtLY4og0j2k7HZcK39ikhJGkllZHhsM4RT8/UVeVZF9CxKzwQ2OKbHkhJZyn
LGEpioYAKuIIWm/20y/DQwIYpAilltWkg+RWQUnYeAINAZKSzFNi9vd3N4n6e41t
ikq8Ukpjbesy42w0ju9sbNWayga14OG5STg/qacrCDjp+wY55VJCcEEM/6kPj1rf
e2dBR+eN8VMgcPOlexOf1pkrVhNqz9eDfEfaEtDbFDIgznt0pmLeeYcL3NBa5+Xf
vpGXG3fmgoXvQYW05yY4efBRiex9f70lbhnnngeY9ZbmSpy3ZuzIKq8RgBxy1ve+
4B6RYC2Ag8Tndj1xYfHcrqSNfmxq+xNieFV49PMGDO1hjJF++VASqPuRtX9lz3tZ
Y7E7VPtTESaxEp9IuUgLYYnvSHh1SNIRl3OtcctL+bwbF2wNk5iBha+jC/aXNRU/
PoRv1y+G+0R6aV3hLJjoC+Hrm2JX3FIksk64LRDM9mSI7Yl7MfEFrIzcH4HEzlTS
XAHugaMjpRCntUxlaP2tq4jlrv+PQLh7+uBzzbhLBK6qSjybKiqHBKeluxfYVsDs
rJJicnclRfI1eJPfZDlCr2iggd+2ABYG7uINQVrZYuw2dfb4IvvrqCQz/fBy
=Qb5k
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.9.4

@ -1,90 +0,0 @@
gitea:
runners:
alpha: ENC[AES256_GCM,data:Hnq2guka4oERPIFCv1/ggrLjaePA7907VHXMStDQ7ll3hntTioT76qGOUJgfIw==,iv:wDPYuuL6VAWJakrz6asVRrzwRxqw0JDRes13MgJIT6E=,tag:ogFUeUirHVkCLN63nctxOw==,type:str]
beta: ENC[AES256_GCM,data:HmdjBvW8eO5MkzXf7KEzSNQAptF/RKN8Bh03Ru7Ru/Ky+eJJtk91aqSSIjFa+Q==,iv:Hz9HE3U6CFfZFcPmYMd6wSzZkSvszt92L2gV+pUlMis=,tag:LG3NfsS7B1EdRFvnP3XESQ==,type:str]
epsilon: ENC[AES256_GCM,data:wfGxwWwDzb6AJaFnxe/93WNZGtuTpCkLci/Cc5MTCTKJz6XlNuy3m/1Xsnw0hA==,iv:I6Zl+4BBAUTXym2qUlFfdnoLTHShu+VyxPMjRlFzMis=,tag:jjTyZs1Nzqlhjd8rAldxDw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYVl6ZnI5TkhxK0JKNnlL
WE5YZUZ2T1JEbCtvSVUxemZ1QUs4R2pjMWc0ClJ0cnU0c0d5bU5jWU1aVGd6WE45
Wm9OT0xPaTJ3Y2kxMU5RTHdRKy81b2sKLS0tIEx4SkFoV240VUJieWFlc3hRWU1Y
SWlwZnNOT3paRHRsTC9CQUp5SlBvTncKdcMI8pWtsfBpgeUagOmZUXIC6svkfmwE
QF3GpWZgeVvo8e2oT2kBjerCDlUlzd0jJ8aK+B56xifTm7ii3oCAIA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3QVBaQWlSZk43dEtHVWF1
WmFBcmx3eFUvU2lrd0RCUGx3a2hDWHEzTUR3Cm9BclM3OU9SUnpySDZJZHRudmtO
Ulp5OEZvZmMyRGJvQXJnUDVLdVRJUVkKLS0tIHE3M3MycE9pU1huYUREN3luWEZV
WlNuN3BWeHhqL1dEOUJBSVNTaVJ3eTgKb5MRfeaay22PI9V5hni5mhnb0QF8PG8H
bKWbc2SwdMNolrxhUiiIhdppEtXGHqLyBel786tuOdtEwVcy+m/rtA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaDB6enozMFpqcWxFdU93
MEg5RTRzZExzWGppenlBTlZZRlpqWDBPT0UwCnhOaXI5R3Jrd0hWY0xqc1VXaDJZ
TUxwSTZDcHd0bnZPR2N2d0JVTUJONnMKLS0tIENzOW9PM0tQSndVNmF1bTZ4anpw
b1RzL0NEOWg0dGZUa0Jpd3hiTlRGSm8KleRV5c/Xoe0B1VtnR3y0sgXpmhMS8pKl
TWaAQTRlM9X2Pk5M/J/bu369ncmw/kycJKjK6W1yluaGwBNuEP+K4Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0N1JvRVE0Y0xOMERMVXdB
enZiNk1DZTJTUnluRVBIWm9WNmFPc21rU0FZCjBIeHErSHgveFFFdk9ybWwrRXZG
WGpVcHliUW9Qb3dLb2Q0aWlrZmpiVm8KLS0tIG0wcXJVK2dMeG9NUTFQSzVtY2RG
UE1FS3MvSXlxdEtJVWxJVDRFSkRmQkkK/2z7Lu6LVd6RLZAXKs+JsPc+1kcqFAET
0zlTTTU0goTBLuXZ7uxFVZtqc1Nmoarf5Ksm/zcZ2B80P5ox9CzcWQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4SFpKcVBTTlp3SXhVaGQy
QVVEV3h6dTZVcmx6aFc1eHF4UzJPbXQ2RnhvCkZiOEYydWhCYUtwcUdieGpBeTZh
Z3dYVno5bFNkOUszNHBJNTdQWS9jUTQKLS0tIEhPVEdLK0RaclVvdklFNUJCcHNi
OXVobVJCTjhQZ2RTQ21xK2dUY0h5RGcKcPBgD5FIWuyQBhmPt5aqrWgEG1tzhtr0
gVyLxgtMFGeeShjdpivgcWI/GZZlhWJilJOoZo7f6TknvCIIKsrUSA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWlhiS1dxekZGZkRCQU9O
SktHRHRXL2VhNUJSRVhBeEM5UEZ1R0pFdXdrCnZQOUZaYitpSlJ0aXFpZXFrRFJj
MmZiLytvekZtVXYzamJDakc1RjdIREEKLS0tICtiOTZMRGZuWEdHTmZwRjZ2dUNT
aU4xWjVYYlNvSmYxajVGdzk5dTQ4WG8Klq12bSegsW29xp4qteuCB5Tzis6EhVCk
53jqtYe5UG9MjFVQYiSi2jJz5/dxfqSINMZ/Y/EB5LxbwgbFws8Yuw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-12T12:20:19Z"
mac: ENC[AES256_GCM,data:D9/NAd/zrF6pHFdZjTUqI+u4WiwJqt0w5Y+SYCS1o/dAXJE/ajHzse/vCSGXZIjP0yqe+S/NyTvhf+stw2B4dk6Njtabjd+PhG0hR4L0X07FtFqzB3u5pLHCb0bH9QLG5zWcyMkwNiNTCvhRUZzbcqLEGqqJ7ZjZAEUfYSR+Jls=,iv:5xPfODPxtQjgbl8delUHsmhD0TI2gHjrxpHV+qiFE00=,tag:HHLo5G8jhy/sKB3R+sKmwQ==,type:str]
pgp:
- created_at: "2024-12-09T21:17:27Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYARAAv2XS2jzoymOzpRHquUbYpUtbIeKXhPS8i9uk2zBvSKnr
b/jZCpvtkCcSz1UFm+HzSn/i1eNkj9ghObisifvqY6JbO0DIa1jFlx1TfE9pj8dE
rrNTsYfxNwdGOvklPBHm3vKY5qPiGlE71TaKkJcO79vE5jxwhUqzWI9SWAZY3cFw
IVJN44DT0I4ctTlwPM9eAYYodL8QP8OMXHJ/mjI4SPODRsvrOyy6rpip40Q+dU/N
DwRupzrRlxJ8BDSh/x6J/AryZSwkmChX9cYyGaDknJ3ONQ0XLhVUtLkAvPWtWeow
6NVHmUOJ39ockT1clhYy2P5rQTraZESuI7vaSS9zVIuScBnJwbSRZ5xgxSD6Fj+C
Y/JyogXa8FtyG6xeMgIwW7t/m/rbXL5OkP4w8D+CJs+4I55WXz054XOZ937EisVH
XAlNBIHixjQVckbb+sS7rEmegfoC+rvOXA0irpwXFiapAbMGUePCwQHdSBMP8orC
Tb3E8kqHATN40b8CpUBcPw6HCQKmbhe8o+R8NG6TZh6JH7kSztl2+SIIuMzhDflr
1AphY047Ku2RANaWfo+xyVZMWgAQcnoaUOeYaHJ9nZ7f2klJ3fnRtdXJn1gcO3i3
NZVRjjYHJgzCVCIZJa1b1TMGep84naF7NmRkNlS4wyv6MXGqSpHHZUGUBAQOCMPS
XAEqjZt8va0LKtsPsBOTGQDuzTar+2069fu6TjS07mJM2sTp/G8bGBnvjc0TIplZ
M5FOiCilI9yX7vQ0O3LUKJW5zELWnW2d+3okpGjgkr0BFERtM7BMCp6nxR6+
=rEY5
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.9.2

Some files were not shown because too many files have changed in this diff Show More