Drift/pvv-nixos-config
17
4
Fork 1
Code Issues Pull Requests9 Actions Wiki Activity

Compare commits

..

1 Commits
main ... setup-open

Author SHA1 Message Date
h7x4
9dce4f58b1 WIP: grevling/tuba: init 2024-12-10 00:26:17 +01:00
76 changed files with 755 additions and 1807 deletions

25
.mailmap

@ -1,25 +0,0 @@
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> <daniel.olsen99@gmail.com>
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel <danio@pvv.ntnu.no>
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@pvv.ntnu.no>
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> danio <danio@pvv.ntnu.no>
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@bicep.pvv.ntnu.no>
Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> h7x4 <h7x4@nani.wtf>
Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein Tveit <oysteikt@pvv.ntnu.no>
Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> oysteikt <oysteikt@pvv.ntnu.no>
Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein <oysteikt@pvv.org>
Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
Felix Albrigtsen <felixalb@pvv.ntnu.no> <felix@albrigtsen.it>
Felix Albrigtsen <felixalb@pvv.ntnu.no> <felixalbrigtsen@gmail.com>
Felix Albrigtsen <felixalb@pvv.ntnu.no> felixalb <felixalb@pvv.ntnu.no>
Peder Bergebakken Sundt <pederbs@pvv.ntnu.no> <pbsds@hotmail.com>
Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian G L <adrian@lauterer.it>
Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lauterer.it>
Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>

13
.sops.yaml

@ -14,7 +14,6 @@ keys:
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
- &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
creation_rules:
# Global secrets
@ -45,18 +44,6 @@ creation_rules:
pgp:
- *user_oysteikt
- path_regex: secrets/kommode/[^/]+\.yaml$
key_groups:
- age:
- *host_kommode
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt
- path_regex: secrets/jokum/[^/]+\.yaml$
key_groups:
- age:

22
base/default.nix

@ -7,13 +7,9 @@
./networking.nix
./nix.nix
./vm.nix
./services/acme.nix
./services/uptimed.nix
./services/auto-upgrade.nix
./services/dbus.nix
./services/fwupd.nix
./services/irqbalance.nix
./services/logrotate.nix
./services/nginx.nix
@ -21,12 +17,9 @@
./services/postfix.nix
./services/smartd.nix
./services/thermald.nix
./services/userborn.nix
./services/userdbd.nix
];
boot.tmp.cleanOnBoot = lib.mkDefault true;
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
time.timeZone = "Europe/Oslo";
@ -52,22 +45,8 @@
kitty.terminfo
];
# .bash_profile already works, but lets also use .bashrc like literally every other distro
# https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
# home-manager usually handles this for you: https://github.com/nix-community/home-manager/blob/22a36aa709de7dd42b562a433b9cefecf104a6ee/modules/programs/bash.nix#L203-L209
# btw, programs.bash.shellInit just goes into environment.shellInit which in turn goes into /etc/profile, spooky shit
programs.bash.shellInit = ''
if [ -n "''${BASH_VERSION:-}" ]; then
if [[ ! -f ~/.bash_profile && ! -f ~/.bash_login ]]; then
[[ -f ~/.bashrc ]] && . ~/.bashrc
fi
fi
'';
programs.zsh.enable = true;
security.lockKernelModules = true;
security.protectKernelImage = true;
security.sudo.execWheelOnly = true;
security.sudo.extraConfig = ''
Defaults lecture = never
@ -78,3 +57,4 @@
# Trusted users on the nix builder machines
users.groups."nix-builder-users".name = "nix-builder-users";
}

19
base/nix.nix

@ -1,14 +1,14 @@
{ lib, config, inputs, ... }:
{ inputs, ... }:
{
nix = {
gc = {
automatic = true;
options = "--delete-older-than 2d";
};
optimise.automatic = true;
settings = {
allow-dirty = true;
auto-optimise-store = true;
builders-use-substitutes = true;
experimental-features = [ "nix-command" "flakes" ];
log-lines = 50;
@ -21,16 +21,11 @@
** use the same channel the system
** was built with
*/
registry = lib.mkMerge [
{
"nixpkgs".flake = inputs.nixpkgs;
"nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
}
# We avoid the reference to self in vmVariant to get a stable system .outPath for equivalence testing
(lib.mkIf (!config.virtualisation.isVmVariant) {
"pvv-nix".flake = inputs.self;
})
];
registry = {
"nixpkgs".flake = inputs.nixpkgs;
"nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
"pvv-nix".flake = inputs.self;
};
nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"unstable=${inputs.nixpkgs-unstable}"

41
base/services/auto-upgrade.nix

@ -1,39 +1,26 @@
{ config, inputs, pkgs, lib, ... }:
let
inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs;
in
{ inputs, pkgs, lib, ... }:
{
system.autoUpgrade = {
enable = true;
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
flags = [
"--refresh"
"--no-write-lock-file"
# --update-input is deprecated since nix 2.22, and removed in lix 2.90
# as such we instead use --override-input combined with --refresh
# https://git.lix.systems/lix-project/lix/issues/400
] ++ (lib.pipe inputUrls [
(lib.intersectAttrs {
nixpkgs = { };
nixpkgs-unstable = { };
})
(lib.mapAttrsToList (input: url: ["--override-input" input url]))
lib.concatLists
]);
"--refresh"
"--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.05-small"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
"--no-write-lock-file"
];
};
# workaround for https://github.com/NixOS/nix/issues/6895
# via https://git.lix.systems/lix-project/lix/issues/400
environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
"current-system-flake-inputs.json".source
= pkgs.writers.writeJSON "flake-inputs.json" (
lib.flip lib.mapAttrs inputs (name: input:
# inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
// { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
)
);
};
environment.etc."current-system-flake-inputs.json".source
= pkgs.writers.writeJSON "flake-inputs.json" (
lib.flip lib.mapAttrs inputs (name: input:
# inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
// { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
)
);
}

7
base/services/dbus.nix

@ -1,7 +0,0 @@
{ ... }:
{
services.dbus = {
enable = true;
implementation = "broker";
};
}

4
base/services/fwupd.nix

@ -1,4 +0,0 @@
{ ... }:
{
services.fwupd.enable = true;
}

38
base/services/logrotate.nix

@ -1,8 +1,42 @@
{ ... }:
{
# source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
systemd.services.logrotate = {
documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
unitConfig.RequiresMountsFor = "/var/log";
serviceConfig.ReadWritePaths = [ "/var/log" ];
serviceConfig = {
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
ReadWritePaths = [ "/var/log" ];
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true; # disable for third party rotate scripts
PrivateDevices = true;
PrivateNetwork = true; # disable for mail delivery
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true; # disable for userdir logs
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true; # disable for creating setgid directories
SocketBindDeny = [ "any" ];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
};
};
}
}

10
base/services/nginx.nix

@ -20,23 +20,19 @@
recommendedGzipSettings = true;
appendConfig = ''
# pcre_jit on;
pcre_jit on;
worker_processes auto;
worker_rlimit_nofile 100000;
'';
eventsConfig = ''
worker_connections 2048;
use epoll;
# multi_accept on;
multi_accept on;
'';
};
systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
LimitNOFILE = 65536;
# We use jit my dudes
MemoryDenyWriteExecute = lib.mkForce false;
# What the fuck do we use that where the defaults are not enough???
SystemCallFilter = lib.mkForce null;
};
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
@ -45,4 +41,4 @@
addSSL = true;
extraConfig = "return 444;";
};
}
}

59
base/services/uptimed.nix

@ -1,59 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.uptimed;
in
{
options.services.uptimed.settings = lib.mkOption {
description = "";
default = { };
type = lib.types.submodule {
freeformType = with lib.types; attrsOf (either str (listOf str));
};
};
config = {
services.uptimed = {
enable = true;
settings = let
stateDir = "/var/lib/uptimed";
in {
PIDFILE = "${stateDir}/pid";
SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
};
};
systemd.services.uptimed = lib.mkIf (cfg.enable) {
serviceConfig = let
uptimed = pkgs.uptimed.overrideAttrs (prev: {
postPatch = ''
substituteInPlace Makefile.am \
--replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
substituteInPlace src/Makefile.am \
--replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
'';
});
in {
Type = "notify";
ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
BindReadOnlyPaths = let
configFile = lib.pipe cfg.settings [
(lib.mapAttrsToList
(k: v:
if builtins.isList v
then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v
else "${k}=${v}")
)
(lib.concatStringsSep "\n")
(pkgs.writeText "uptimed.conf")
];
in [
"${configFile}:/var/lib/uptimed/uptimed.conf"
];
};
};
};
}

4
base/services/userborn.nix

@ -1,4 +0,0 @@
{ ... }:
{
services.userborn.enable = true;
}

4
base/services/userdbd.nix

@ -1,4 +0,0 @@
{ ... }:
{
services.userdbd.enable = true;
}

15
base/vm.nix

@ -1,15 +0,0 @@
{ lib, ... }:
# This enables
# lib.mkIf (!config.virtualisation.isVmVariant) { ... }
{
options.virtualisation.isVmVariant = lib.mkOption {
description = "`true` if system is build with 'nixos-rebuild build-vm'";
type = lib.types.bool;
default = false;
};
config.virtualisation.vmVariant = {
virtualisation.isVmVariant = true;
};
}

150
flake.lock generated

@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1745502102,
"narHash": "sha256-LqhRwzvIVPEjH0TaPgwzqpyhW6DtCrvz7FnUJDoUZh8=",
"lastModified": 1731746438,
"narHash": "sha256-f3SSp1axoOk0NAI7oFdRzbxG2XPBSIXC+/DaAXnvS1A=",
"owner": "nix-community",
"repo": "disko",
"rev": "ca27b88c88948d96feeee9ed814cbd34f53d0d70",
"rev": "cb64993826fa7a477490be6ccb38ba1fa1e18fa8",
"type": "github"
},
"original": {
@ -20,26 +20,6 @@
"type": "github"
}
},
"gergle": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1736621371,
"narHash": "sha256-45UIQSQA7R5iU4YWvilo7mQbhY1Liql9bHBvYa3qRI0=",
"ref": "refs/heads/main",
"rev": "3729796c1213fe76e568ac28f1df8de4e596950b",
"revCount": 20,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
}
},
"greg-ng": {
"inputs": {
"nixpkgs": [
@ -48,17 +28,17 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1746563623,
"narHash": "sha256-5DxgNFpSgxft/sWraZnHIUlb4S3Io73SVS7FZCbWSUY=",
"lastModified": 1730249639,
"narHash": "sha256-G3URSlqCcb+GIvGyki+HHrDM5ZanX/dP9BtppD/SdfI=",
"ref": "refs/heads/main",
"rev": "4e0408887f80e61a90286ff630a7855b828ae421",
"revCount": 45,
"rev": "80e0447bcb79adad4f459ada5610f3eae987b4e3",
"revCount": 34,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
"url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
"url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
}
},
"grzegorz-clients": {
@ -68,17 +48,17 @@
]
},
"locked": {
"lastModified": 1736178795,
"narHash": "sha256-mPdi8cgvIDYcgG3FRG7A4BOIMu2Jef96TPMnV00uXlM=",
"lastModified": 1726861934,
"narHash": "sha256-lOzPDwktd+pwszUTbpUdQg6iCzInS11fHLfkjmnvJrM=",
"ref": "refs/heads/master",
"rev": "fde738910de1fd8293535a6382c2f0c2749dd7c1",
"revCount": 79,
"rev": "546d921ec46735dbf876e36f4af8df1064d09432",
"revCount": 78,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
"url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
"url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
}
},
"matrix-next": {
@ -88,16 +68,16 @@
]
},
"locked": {
"lastModified": 1735857245,
"narHash": "sha256-AKLLPrgXTxgzll3DqVUMa4QlPlRN3QceutgFBmEf8Nk=",
"lastModified": 1727410897,
"narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "da9dc0479ffe22362793c87dc089035facf6ec4d",
"rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
"type": "github"
},
"original": {
"owner": "dali99",
"ref": "0.7.0",
"ref": "v0.6.1",
"repo": "nixos-matrix-modules",
"type": "github"
}
@ -110,11 +90,11 @@
"rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
"revCount": 2,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
"url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
"url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
}
},
"nix-gitea-themes": {
@ -124,43 +104,65 @@
]
},
"locked": {
"lastModified": 1743881366,
"narHash": "sha256-ScGA2IHPk9ugf9bqEZnp+YB/OJgrkZblnG/XLEKvJAo=",
"lastModified": 1714416973,
"narHash": "sha256-aZUcvXjdETUC6wVQpWDVjLUzwpDAEca8yR0ITDeK39o=",
"ref": "refs/heads/main",
"rev": "db2e4becf1b11e5dfd33de12a90a7d089fcf68ec",
"revCount": 11,
"rev": "2b23c0ba8aae68d3cb6789f0f6e4891cef26cc6d",
"revCount": 6,
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
"url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
"url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1748615477,
"narHash": "sha256-8sjG4sNIonQPK2olCGvq3/j1qtjwPaTOFU5nkz1gj2Q=",
"rev": "97d3ce1ceb663a24184aac92b7e9e8f5452111c1",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/24.11-small/nixos-24.11.718472.97d3ce1ceb66/nixexprs.tar.xz?rev=97d3ce1ceb663a24184aac92b7e9e8f5452111c1"
"lastModified": 1731663789,
"narHash": "sha256-x07g4NcqGP6mQn6AISXJaks9sQYDjZmTMBlKIvajvyc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "035d434d48f4375ac5d3a620954cf5fda7dd7c36",
"type": "github"
},
"original": {
"type": "tarball",
"url": "https://nixos.org/channels/nixos-24.11-small/nixexprs.tar.xz"
"owner": "NixOS",
"ref": "nixos-24.05-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730602179,
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1748588304,
"narHash": "sha256-YCnUqO9k39p0oMIBndxYTbu8m0fOA/KVcq3IekXPy9c=",
"rev": "b8af95f4cf511c5f056b463c3a45d2b63c7cfb03",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-25.11pre807945.b8af95f4cf51/nixexprs.tar.xz?rev=b8af95f4cf511c5f056b463c3a45d2b63c7cfb03"
"lastModified": 1731745710,
"narHash": "sha256-SVeiClbgqL071JpAspOu0gCkPSAL51kSIRwo4C/pghA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dfaa4cb76c2d450d8f396bb6b9f43cede3ade129",
"type": "github"
},
"original": {
"type": "tarball",
"url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"pvv-calendar-bot": {
@ -190,11 +192,11 @@
]
},
"locked": {
"lastModified": 1741738148,
"narHash": "sha256-cJo6nbcJEOjkazkZ194NDnlsZe0W0wpxeUh2/886uC8=",
"ref": "refs/heads/main",
"rev": "c1802e7cf27c7cf8b4890354c982a4eef5b11593",
"revCount": 486,
"lastModified": 1725212759,
"narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
"ref": "refs/heads/master",
"rev": "e7b66b4bc6a89bab74bac45b87e9434f5165355f",
"revCount": 473,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
},
@ -206,7 +208,6 @@
"root": {
"inputs": {
"disko": "disko",
"gergle": "gergle",
"greg-ng": "greg-ng",
"grzegorz-clients": "grzegorz-clients",
"matrix-next": "matrix-next",
@ -227,11 +228,11 @@
]
},
"locked": {
"lastModified": 1746498961,
"narHash": "sha256-rp+oh/N88JKHu7ySPuGiA3lBUVIsrOtHbN2eWJdYCgk=",
"lastModified": 1729391507,
"narHash": "sha256-as0I9xieJUHf7kiK2a9znDsVZQTFWhM1pLivII43Gi0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "24b00064cdd1d7ba25200c4a8565dc455dc732ba",
"rev": "784981a9feeba406de38c1c9a3decf966d853cca",
"type": "github"
},
"original": {
@ -244,14 +245,15 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
]
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1745310711,
"narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
"lastModified": 1731748189,
"narHash": "sha256-Zd/Uukvpcu26M6YGhpbsgqm6LUSLz+Q8mDZ5LOEGdiE=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
"rev": "d2bd7f433b28db6bc7ae03d5eca43564da0af054",
"type": "github"
},
"original": {

65
flake.nix

@ -2,8 +2,8 @@
description = "PVV System flake";
inputs = {
nixpkgs.url = "https://nixos.org/channels/nixos-24.11-small/nixexprs.tar.xz";
nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; # remember to also update the url in base/services/auto-upgrade.nix
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@ -17,20 +17,18 @@
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules/0.7.0";
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.1";
matrix-next.inputs.nixpkgs.follows = "nixpkgs";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git";
greg-ng.url = "git+https://git.pvv.ntnu.no/Projects/greg-ng.git";
greg-ng.inputs.nixpkgs.follows = "nixpkgs";
gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git";
gergle.inputs.nixpkgs.follows = "nixpkgs";
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git";
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Projects/grzegorz-clients.git";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
minecraft-data.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git";
minecraft-data.url = "git+https://git.pvv.ntnu.no/Drift/minecraft-data.git";
};
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@ -71,11 +69,6 @@
pkgs = import nixpkgs {
inherit system;
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
[
"nvidia-x11"
"nvidia-settings"
];
overlays = [
# Global overlays go here
] ++ config.overlays or [ ];
@ -91,7 +84,6 @@
modules = [
inputs.matrix-next.nixosModules.default
inputs.pvv-calendar-bot.nixosModules.default
self.nixosModules.gickup
];
overlays = [
inputs.pvv-calendar-bot.overlays.x86_64-linux.default
@ -105,9 +97,11 @@
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
bluemap = final.callPackage ./packages/bluemap.nix { };
})
inputs.nix-gitea-themes.overlays.default
inputs.pvv-nettsiden.overlays.default
];
modules = [
inputs.nix-gitea-themes.nixosModules.default
inputs.pvv-nettsiden.nixosModules.default
];
};
@ -120,16 +114,6 @@
ildkule = stableNixosConfig "ildkule" { };
#ildkule-unstable = unstableNixosConfig "ildkule" { };
shark = stableNixosConfig "shark" { };
wenche = stableNixosConfig "wenche" { };
kommode = stableNixosConfig "kommode" {
overlays = [
inputs.nix-gitea-themes.overlays.default
];
modules = [
inputs.nix-gitea-themes.nixosModules.default
];
};
ustetind = stableNixosConfig "ustetind" {
modules = [
@ -140,23 +124,33 @@
brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
modules = [
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.gergle.nixosModules.default
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
inputs.gergle.overlays.default
];
};
georg = stableNixosConfig "georg" {
modules = [
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.gergle.nixosModules.default
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
inputs.gergle.overlays.default
];
};
grevling = stableNixosConfig "grevling" {
modules = [
./hosts/grevling/configuration.nix
sops-nix.nixosModules.sops
];
};
tuba = stableNixosConfig "grevling" {
modules = [
./hosts/tuba/configuration.nix
sops-nix.nixosModules.sops
];
};
};
@ -164,21 +158,10 @@
nixosModules = {
snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix;
robots-txt = ./modules/robots-txt.nix;
gickup = ./modules/gickup;
};
devShells = forAllSystems (system: {
default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
cuda = let
cuda-pkgs = import nixpkgs-unstable {
inherit system;
config = {
allowUnfree = true;
cudaSupport = true;
};
};
in cuda-pkgs.callPackage ./shells/cuda.nix { };
default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
});
packages = {

1
hosts/bekkalokk/configuration.nix

@ -7,6 +7,7 @@
(fp /misc/metrics-exporters.nix)
./services/bluemap/default.nix
./services/gitea/default.nix
./services/idp-simplesamlphp
./services/kerberos
./services/mediawiki

4
hosts/bekkalokk/services/bluemap/default.nix

@ -6,15 +6,13 @@ in {
./module.nix # From danio, pending upstreaming
];
disabledModules = [ "services/web-apps/bluemap.nix" ];
disabledModules = [ "services/web-servers/bluemap.nix" ];
sops.secrets."bluemap/ssh-key" = { };
sops.secrets."bluemap/ssh-known-hosts" = { };
services.bluemap = {
enable = true;
package = pkgs.callPackage ./package.nix { };
eula = true;
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade

20
hosts/bekkalokk/services/bluemap/module.nix

@ -26,6 +26,7 @@ let
"webapp.conf" = webappConfig;
"webserver.conf" = webserverConfig;
"packs" = cfg.resourcepacks;
"addons" = cfg.resourcepacks; # TODO
};
renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
@ -37,13 +38,13 @@ let
"webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
"webserver.conf" = webserverConfig;
"packs" = value.resourcepacks;
"addons" = cfg.resourcepacks; # TODO
};
inherit (lib) mkOption;
in {
options.services.bluemap = {
enable = lib.mkEnableOption "bluemap";
package = lib.mkPackageOption pkgs "bluemap" { };
eula = mkOption {
type = lib.types.bool;
@ -158,7 +159,7 @@ in {
type = lib.types.path;
default = cfg.resourcepacks;
defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
description = "A set of resourcepacks/mods/bluemap-addons to extract models from loaded in alphabetical order";
description = "A set of resourcepacks/mods to extract models from loaded in alphabetical order";
};
settings = mkOption {
type = (lib.types.submodule {
@ -309,18 +310,9 @@ in {
Group = "nginx";
UMask = "026";
};
script = ''
# If web folder doesnt exist generate it
test -f "${cfg.webRoot}" || ${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
# Render each minecraft map
${lib.strings.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
(name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r")
cfg.maps)}
# Generate updated webapp
${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
'';
script = lib.strings.concatStringsSep "\n" ((lib.attrsets.mapAttrsToList
(name: value: "${lib.getExe pkgs.bluemap} -c ${renderConfigFolder name value} -r")
cfg.maps) ++ [ "${lib.getExe pkgs.bluemap} -c ${webappConfigFolder} -gs" ]);
};
systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {

30
hosts/bekkalokk/services/bluemap/package.nix

@ -1,30 +0,0 @@
{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
stdenvNoCC.mkDerivation rec {
pname = "bluemap";
version = "5.7";
src = fetchurl {
url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
hash = "sha256-8udZYJgrr4bi2mjRYrASd8JwUoUVZW1tZpOLRgafAIw=";
};
dontUnpack = true;
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
runHook preInstall
makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
runHook postInstall
'';
meta = {
description = "3D minecraft map renderer";
homepage = "https://bluemap.bluecolored.de/";
sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ dandellion h7x4 ];
mainProgram = "bluemap";
};
}

49
hosts/kommode/services/gitea/default.nix → hosts/bekkalokk/services/gitea/default.nix

@ -1,11 +1,10 @@
{ config, values, lib, unstablePkgs, ... }:
{ config, values, fp, pkgs, lib, ... }:
let
cfg = config.services.gitea;
domain = "git.pvv.ntnu.no";
sshPort = 2222;
in {
imports = [
./customization
./gpg.nix
./import-users
./web-secret-provider
@ -26,8 +25,6 @@ in {
enable = true;
appName = "PVV Git";
package = unstablePkgs.gitea;
database = {
type = "postgres";
host = "postgres.pvv.ntnu.no";
@ -49,10 +46,6 @@ in {
START_LFS_SERVER = true;
LANDING_PAGE = "explore";
};
"git.timeout" = {
MIGRATE = 3600;
MIRROR = 1800;
};
mailer = {
ENABLED = true;
FROM = "gitea@pvv.ntnu.no";
@ -137,18 +130,10 @@ in {
};
"ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
};
dump = {
enable = true;
interval = "weekly";
type = "tar.gz";
};
};
environment.systemPackages = [ cfg.package ];
systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch";
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
@ -164,7 +149,6 @@ in {
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4}/32;
allow ${values.hosts.ildkule.ipv6}/128;
deny all;
'';
};
@ -172,4 +156,35 @@ in {
};
networking.firewall.allowedTCPPorts = [ sshPort ];
# Extra customization
services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
systemd.services.install-gitea-customization = {
description = "Install extra customization in gitea's CUSTOM_DIR";
wantedBy = [ "gitea.service" ];
requiredBy = [ "gitea.service" ];
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
};
script = let
logo-svg = fp /assets/logo_blue_regular.svg;
logo-png = fp /assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
in ''
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
'';
};
}

0
hosts/kommode/services/gitea/gpg.nix → hosts/bekkalokk/services/gitea/gpg.nix

0
hosts/kommode/services/gitea/import-users/default.nix → hosts/bekkalokk/services/gitea/import-users/default.nix

1
hosts/kommode/services/gitea/import-users/gitea-import-users.py → hosts/bekkalokk/services/gitea/import-users/gitea-import-users.py

@ -177,7 +177,6 @@ def ensure_gitea_user_is_part_of_team(
# List of teams that all users should be part of by default
COMMON_USER_TEAMS = [
("Projects", "Members"),
("Grzegorz", "Members"),
("Kurs", "Members"),
]

0
hosts/kommode/services/gitea/customization/loading.apng → hosts/bekkalokk/services/gitea/loading.apng

Side by Side Swipe Overlay

Before

(image error) Size: 1.1 MiB

After

(image error) Size: 1.1 MiB

3
hosts/kommode/services/gitea/web-secret-provider/default.nix → hosts/bekkalokk/services/gitea/web-secret-provider/default.nix

@ -3,7 +3,6 @@ let
organizations = [
"Drift"
"Projects"
"Grzegorz"
"Kurs"
];
@ -28,7 +27,6 @@ in
users.users."gitea-web" = {
group = "gitea-web";
isSystemUser = true;
shell = pkgs.bash;
};
sops.secrets."gitea/web-secret-provider/token" = {
@ -60,7 +58,6 @@ in
key-dir = "/var/lib/gitea-web/keys/%i";
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
mkdir -p "$1"
${lib.getExe pkgs.rrsync} -wo "$1"
${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
'';

16
hosts/kommode/services/gitea/web-secret-provider/gitea-web-secret-provider.py → hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py

@ -34,21 +34,7 @@ def get_org_repo_list(args: argparse.Namespace, token: str):
f"{args.api_url}/orgs/{args.org}/repos",
headers = { 'Authorization': 'token ' + token },
)
results = [repo["name"] for repo in result.json()]
target = int(result.headers['X-Total-Count'])
i = 2
while len(results) < target:
result = requests.get(
f"{args.api_url}/orgs/{args.org}/repos",
params = { 'page': i },
headers = { 'Authorization': 'token ' + token },
)
results += [repo["name"] for repo in result.json()]
i += 1
return results
return [repo["name"] for repo in result.json()]
def generate_ssh_key(args: argparse.Namespace, repository: str):

5
hosts/bekkalokk/services/mediawiki/default.nix

@ -61,6 +61,7 @@ in {
user = "mediawiki";
passwordFile = config.sops.secrets."mediawiki/postgres_password".path;
createLocally = false;
# TODO: create a normal database and copy over old data when the service is production ready
name = "mediawiki";
};
@ -214,11 +215,11 @@ in {
"= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
buildInputs = with pkgs; [ imagemagick ];
} ''
magick \
${fp /assets/logo_blue_regular.png} \
convert \
-resize x64 \
-gravity center \
-crop 64x64+0+0 \
${fp /assets/logo_blue_regular.png} \
-flatten \
-colors 256 \
-background transparent \

2
hosts/bekkalokk/services/vaultwarden.nix

@ -83,6 +83,7 @@ in {
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
@ -97,6 +98,7 @@ in {
"@system-service"
"~@privileged"
];
UMask = "0007";
};
};
}

2
hosts/bekkalokk/services/webmail/roundcube.nix

@ -21,7 +21,7 @@ in
custom_from
]);
dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
maxAttachmentSize = 20;
hostName = "roundcubeplaceholder.example.com";

7
hosts/bekkalokk/services/website/default.nix

@ -67,12 +67,7 @@ in {
ADMIN_NAME = "PVV Drift";
ADMIN_EMAIL = "drift@pvv.ntnu.no";
ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
TRUSTED_DOMAINS = [
"www.pvv.ntnu.no"
"pvv.ntnu.no"
"www.pvv.org"
"pvv.org"
];
TRUSTED_DOMAINS = [ cfg.domainName ];
};
};
};

2
hosts/bekkalokk/services/website/fetch-gallery.nix

@ -53,7 +53,7 @@ in {
echo "Creating thumbnail for $fname"
mkdir -p $(dirname ".thumbnails/$fname")
magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
done <<< "$images"
'';

4
hosts/bicep/configuration.nix

@ -7,10 +7,10 @@
(fp /misc/metrics-exporters.nix)
./services/nginx
./services/calendar-bot.nix
./services/git-mirrors
./services/mysql.nix
./services/postgres.nix
./services/mysql.nix
./services/calendar-bot.nix
./services/matrix
];

100
hosts/bicep/services/git-mirrors/default.nix

@ -1,100 +0,0 @@
{ config, pkgs, lib, fp, ... }:
let
cfg = config.services.gickup;
in
{
sops.secrets."gickup/github-token" = {
owner = "gickup";
};
services.gickup = {
enable = true;
dataDir = "/data/gickup";
destinationSettings = {
structured = true;
zip = false;
keep = 10;
bare = true;
lfs = false;
};
instances = let
defaultGithubConfig = {
settings.token_file = config.sops.secrets."gickup/github-token".path;
};
defaultGitlabConfig = {
# settings.token_file = ...
};
in {
"github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
"github:NixOS/nixpkgs" = defaultGithubConfig;
"github:go-gitea/gitea" = defaultGithubConfig;
"github:heimdal/heimdal" = defaultGithubConfig;
"github:saltstack/salt" = defaultGithubConfig;
"github:typst/typst" = defaultGithubConfig;
"github:unmojang/FjordLauncher" = defaultGithubConfig;
"github:unmojang/drasl" = defaultGithubConfig;
"github:yushijinhun/authlib-injector" = defaultGithubConfig;
"gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
"gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
"any:glibc" = {
settings.url = "https://sourceware.org/git/glibc.git";
};
"any:out-of-your-element" = {
settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
};
"any:out-of-your-element-module" = {
settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
};
};
};
services.cgit = let
domain = "mirrors.pvv.ntnu.no";
in {
${domain} = {
enable = true;
package = pkgs.callPackage (fp /packages/cgit.nix) { };
group = "gickup";
scanPath = "${cfg.dataDir}/linktree";
settings = {
enable-commit-graph = true;
enable-follow-links = true;
enable-http-clone = true;
enable-remote-branches = true;
clone-url = "https://${domain}/$CGIT_REPO_URL";
remove-suffix = true;
root-title = "PVVSPPP";
root-desc = "PVV Speiler Praktisk og Prominent Programvare";
snapshots = "all";
logo = "/PVV-logo.png";
};
};
};
services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
locations."= /PVV-logo.png".alias = let
small-pvv-logo = pkgs.runCommandLocal "pvv-logo-96x96" {
nativeBuildInputs = [ pkgs.imagemagick ];
} ''
magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
'';
in toString small-pvv-logo;
};
systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = {
serviceConfig.BindReadOnlyPaths = [ cfg.dataDir ];
};
}

5
hosts/bicep/services/matrix/coturn.nix

@ -48,9 +48,6 @@
users.users.turnserver.extraGroups = [ "acme" ];
# It needs this to be allowed to access the files with the acme group
systemd.services.coturn.serviceConfig.PrivateUsers = lib.mkForce false;
systemd.services."acme-${config.services.coturn.realm}".serviceConfig = {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
};
@ -69,7 +66,7 @@
listening-ips = [
values.services.turn.ipv4
values.services.turn.ipv6
# values.services.turn.ipv6
];
tls-listening-port = 443;

4
hosts/bicep/services/matrix/hookshot/default.nix

@ -6,6 +6,10 @@ let
webhookListenPort = 8435;
in
{
imports = [
./module.nix
];
sops.secrets."matrix/hookshot/as_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/as_token";

127
hosts/bicep/services/matrix/hookshot/module.nix Normal file

@ -0,0 +1,127 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.matrix-hookshot;
settingsFormat = pkgs.formats.yaml { };
configFile = settingsFormat.generate "matrix-hookshot-config.yml" cfg.settings;
in
{
options = {
services.matrix-hookshot = {
enable = lib.mkEnableOption "matrix-hookshot, a bridge between Matrix and project management services";
package = lib.mkPackageOption pkgs "matrix-hookshot" { };
registrationFile = lib.mkOption {
type = lib.types.path;
description = ''
Appservice registration file.
As it contains secret tokens, you may not want to add this to the publicly readable Nix store.
'';
example = lib.literalExpression ''
pkgs.writeText "matrix-hookshot-registration" \'\'
id: matrix-hookshot
as_token: aaaaaaaaaa
hs_token: aaaaaaaaaa
namespaces:
rooms: []
users:
- regex: "@_webhooks_.*:foobar"
exclusive: true
sender_localpart: hookshot
url: "http://localhost:9993"
rate_limited: false
\'\'
'';
};
settings = lib.mkOption {
description = ''
{file}`config.yml` configuration as a Nix attribute set.
For details please see the [documentation](https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html).
'';
example = {
bridge = {
domain = "example.com";
url = "http://localhost:8008";
mediaUrl = "https://example.com";
port = 9993;
bindAddress = "127.0.0.1";
};
listeners = [
{
port = 9000;
bindAddress = "0.0.0.0";
resources = [ "webhooks" ];
}
{
port = 9001;
bindAddress = "localhost";
resources = [
"metrics"
"provisioning"
];
}
];
};
default = { };
type = lib.types.submodule {
freeformType = settingsFormat.type;
options = {
passFile = lib.mkOption {
type = lib.types.path;
default = "/var/lib/matrix-hookshot/passkey.pem";
description = ''
A passkey used to encrypt tokens stored inside the bridge.
File will be generated if not found.
'';
};
};
};
};
serviceDependencies = lib.mkOption {
type = with lib.types; listOf str;
default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;
defaultText = lib.literalExpression ''
lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit
'';
description = ''
List of Systemd services to require and wait for when starting the application service,
such as the Matrix homeserver if it's running on the same host.
'';
};
};
};
config = lib.mkIf cfg.enable {
systemd.services.matrix-hookshot = {
description = "a bridge between Matrix and multiple project management services";
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
after = [ "network-online.target" ] ++ cfg.serviceDependencies;
preStart = ''
if [ ! -f '${cfg.settings.passFile}' ]; then
mkdir -p $(dirname '${cfg.settings.passFile}')
${pkgs.openssl}/bin/openssl genpkey -out '${cfg.settings.passFile}' -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096
fi
'';
serviceConfig = {
Type = "simple";
Restart = "always";
ExecStart = "${cfg.package}/bin/matrix-hookshot ${configFile} ${cfg.registrationFile}";
};
};
};
meta.maintainers = with lib.maintainers; [ flandweber ];
}

2
hosts/georg/configuration.nix

@ -8,7 +8,7 @@
(fp /modules/grzegorz.nix)
];
services.spotifyd.enable = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;

36
hosts/grevling/configuration.nix Normal file

@ -0,0 +1,36 @@
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./services/openvpn
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "grevling";
# systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
# matchConfig.Name = "eno1";
# address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
# };
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

19
hosts/kommode/hardware-configuration.nix → hosts/grevling/hardware-configuration.nix

@ -5,27 +5,26 @@
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
fsType = "btrfs";
{ device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/86CD-4C23";
{ device = "/dev/disk/by-uuid/145E-7362";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
[ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@ -33,7 +32,9 @@
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

77
hosts/grevling/services/openvpn/default.nix Normal file

@ -0,0 +1,77 @@
{ pkgs, lib, values, ... }:
{
services.openvpn.servers."ov-tunnel" = {
config = let
conf = {
# TODO: use aliases
local = "129.241.210.191";
port = 1194;
proto = "udp";
dev = "tap";
# TODO: set up
ca = "";
cert = "";
key = "";
dh = "";
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist = ./ipp.txt;
server-bridge = builtins.concatStringsSep " " [
"129.241.210.129"
"255.255.255.128"
"129.241.210.253"
"129.241.210.254"
];
keepalive = "10 120";
cipher = "none";
user = "nobody";
group = "nobody";
status = "/var/log/openvpn-status.log";
client-config-dir = pkgs.writeTextDir "tuba" ''
# Sett IP-adr. for tap0 til tubas PVV-adr.
ifconfig-push ${values.services.tuba-tap} 255.255.255.128
# Hvordan skal man faa dette til aa funke, tro?
#ifconfig-ipv6-push 2001:700:300:1900::xxx/64
# La tuba bruke std. PVV-gateway til all trafikk (unntatt
# VPN-tunnellen).
push "redirect-gateway"
'';
persist-key = true;
persist-tun = true;
verb = 5;
explicit-exit-notify = 1;
};
in lib.pipe conf [
(lib.filterAttrs (_: value: !(builtins.isNull value || value == false)))
(builtins.mapAttrs (_: value:
if builtins.isList value then builtins.concatStringsSep " " (map toString value)
else if value == true then value
else if builtins.any (f: f value) [
builtins.isString
builtins.isInt
builtins.isFloat
lib.isPath
lib.isDerivation
] then toString value
else throw "Unknown value in grevling openvpn config, deading now\n${value}"
))
(lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}"))
(builtins.concatStringsSep "\n")
(x: x + "\n\n")
];
};
}

0
hosts/grevling/services/openvpn/ipp.txt Normal file

4
hosts/ildkule/services/monitoring/dashboards/gitea-dashboard.json → hosts/ildkule/services/monitoring/dashboards/gitea-dashbaord.json

@ -1539,8 +1539,8 @@
]
},
"timezone": "browser",
"title": "Gitea Dashboard",
"title": "Gitea Dashbaord",
"uid": "nNq1Iw5Gz",
"version": 29,
"weekStart": ""
}
}

17
hosts/ildkule/services/monitoring/grafana.nix

@ -56,12 +56,13 @@ in {
url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
options.path = dashboards/synapse.json;
}
{
name = "MySQL";
type = "file";
url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
options.path = dashboards/mysql.json;
}
# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
# {
# name = "MySQL";
# type = "file";
# url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
# options.path = dashboards/mysql.json;
# }
{
name = "Postgresql";
type = "file";
@ -75,10 +76,10 @@ in {
options.path = dashboards/go-processes.json;
}
{
name = "Gitea Dashboard";
name = "Gitea Dashbaord";
type = "file";
url = "https://grafana.com/api/dashboards/17802/revisions/3/download";
options.path = dashboards/gitea-dashboard.json;
options.path = dashboards/gitea-dashbaord.json;
}
];

3
hosts/ildkule/services/monitoring/prometheus/default.nix

@ -4,7 +4,8 @@ in {
imports = [
./gitea.nix
./matrix-synapse.nix
./mysqld.nix
# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
# ./mysqld.nix
./postgres.nix
./machines.nix
];

12
hosts/ildkule/services/monitoring/prometheus/machines.nix

@ -16,12 +16,6 @@ in {
"bekkalokk.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "kommode";
targets = [
"kommode.pvv.ntnu.no:9100"
"kommode.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "bicep";
targets = [
"bicep.pvv.ntnu.no:9100"
@ -40,12 +34,6 @@ in {
"georg.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "ustetind";
targets = [
"ustetind.pvv.ntnu.no:9100"
"ustetind.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "hildring";
targets = [
"hildring.pvv.ntnu.no:9100"

19
hosts/ildkule/services/monitoring/prometheus/mysqld.nix

@ -1,22 +1,7 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
sops = {
secrets."config/mysqld_exporter_password" = { };
templates."mysqld_exporter.conf" = {
restartUnits = [ "prometheus-mysqld-exporter.service" ];
content = let
inherit (config.sops) placeholder;
in ''
[client]
host = bicep.pvv.ntnu.no
port = 3306
user = prometheus_mysqld_exporter
password = ${placeholder."config/mysqld_exporter_password"}
'';
};
};
sops.secrets."config/mysqld_exporter" = { };
services.prometheus = {
scrapeConfigs = [{
@ -34,7 +19,7 @@ in {
exporters.mysqld = {
enable = true;
configFile = config.sops.templates."mysqld_exporter.conf".path;
configFilePath = config.sops.secrets."config/mysqld_exporter".path;
};
};
}

34
hosts/kommode/configuration.nix

@ -1,34 +0,0 @@
{ pkgs, values, fp, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/gitea
./services/nginx.nix
];
sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "kommode"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
services.btrfs.autoScrub.enable = true;
environment.systemPackages = with pkgs; [];
system.stateVersion = "24.11";
}

57
hosts/kommode/services/gitea/customization/default.nix

@ -1,57 +0,0 @@
{ config, pkgs, lib, fp, ... }:
let
cfg = config.services.gitea;
in
{
services.gitea-themes = {
monokai = pkgs.gitea-theme-monokai;
earl-grey = pkgs.gitea-theme-earl-grey;
pitch-black = pkgs.gitea-theme-pitch-black;
catppuccin = pkgs.gitea-theme-catppuccin;
};
systemd.services.gitea-customization = lib.mkIf cfg.enable {
description = "Install extra customization in gitea's CUSTOM_DIR";
wantedBy = [ "gitea.service" ];
requiredBy = [ "gitea.service" ];
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
};
script = let
logo-svg = fp /assets/logo_blue_regular.svg;
logo-png = fp /assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
labels = lib.importJSON ./labels/projects.json;
};
customTemplates = pkgs.runCommandLocal "gitea-templates" {
nativeBuildInputs = with pkgs; [
coreutils
gnused
];
} ''
# Bigger icons
install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
sed -i -e 's/24/48/g' "$out/repo/icon.tmpl"
'';
in ''
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
'';
};
}

116
hosts/kommode/services/gitea/customization/labels/projects.json

@ -1,116 +0,0 @@
[
{
"name": "art",
"exclusive": false,
"color": "#006b75",
"description": "Requires some creativity"
},
{
"name": "big",
"exclusive": false,
"color": "#754bc4",
"description": "This is gonna take a while"
},
{
"name": "blocked",
"exclusive": false,
"color": "#850021",
"description": "This issue/PR depends on one or more other issues/PRs"
},
{
"name": "bug",
"exclusive": false,
"color": "#f05048",
"description": "Something brokey"
},
{
"name": "ci-cd",
"exclusive": false,
"color": "#d1ff78",
"description": "Continuous integrals and continuous derivation"
},
{
"name": "crash report",
"exclusive": false,
"color": "#ed1111",
"description": "Report an oopsie"
},
{
"name": "disputed",
"exclusive": false,
"color": "#5319e7",
"description": "Kranglefanter"
},
{
"name": "documentation",
"exclusive": false,
"color": "#fbca04",
"description": "Documentation changes required"
},
{
"name": "duplicate",
"exclusive": false,
"color": "#cccccc",
"description": "This issue or pull request already exists"
},
{
"name": "feature request",
"exclusive": false,
"color": "#0052cc",
"description": ""
},
{
"name": "good first issue",
"exclusive": false,
"color": "#009800",
"description": "Get your hands dirty with a new project here"
},
{
"name": "me gusta",
"exclusive": false,
"color": "#30ff36",
"description": "( ͡° ͜ʖ ͡°)"
},
{
"name": "packaging",
"exclusive": false,
"color": "#bf642b",
"description": ""
},
{
"name": "question",
"exclusive": false,
"color": "#cc317c",
"description": ""
},
{
"name": "security",
"exclusive": false,
"color": "#ed1111",
"description": "Skommel"
},
{
"name": "techdebt spring cleaning",
"exclusive": false,
"color": "#8c6217",
"description": "The code is smelly 👃"
},
{
"name": "testing",
"exclusive": false,
"color": "#52b373",
"description": "Poke it and see if it explodes"
},
{
"name": "ui/ux",
"exclusive": false,
"color": "#f28852",
"description": "User complaints about ergonomics and economics and whatever"
},
{
"name": "wontfix",
"exclusive": false,
"color": "#ffffff",
"description": "Nei, vil ikke"
}
]

4
hosts/kommode/services/nginx.nix

@ -1,4 +0,0 @@
{ ... }:
{
services.nginx.enable = true;
}

36
hosts/tuba/configuration.nix Normal file

@ -0,0 +1,36 @@
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./services/openvpn
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "tuba";
# systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
# matchConfig.Name = "eno1";
# address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
# };
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

40
hosts/tuba/hardware-configuration.nix Normal file

@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/145E-7362";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

54
hosts/tuba/services/openvpn/default.nix Normal file

@ -0,0 +1,54 @@
{ lib, values, ... }:
{
services.openvpn.servers."ov-tunnel" = {
config = let
conf = {
# TODO: use aliases
client = true;
dev = "tap";
proto = "udp";
remote = "129.241.210.191 1194";
resolv-retry = "infinite";
nobind = true;
# # TODO: set up
ca = "";
cert = "";
key = "";
remote-cert-tls = "server";
cipher = "none";
user = "nobody";
group = "nobody";
status = "/var/log/openvpn-status.log";
persist-key = true;
persist-tun = true;
verb = 5;
# script-security = 2;
# up = "systemctl restart rwhod";
};
in lib.pipe conf [
(lib.filterAttrs (_: value: !(builtins.isNull value || value == false)))
(builtins.mapAttrs (_: value:
if builtins.isList value then builtins.concatStringsSep " " (map toString value)
else if value == true then value
else if builtins.any (f: f value) [
builtins.isString
builtins.isInt
builtins.isFloat
lib.isPath
lib.isDerivation
] then toString value
else throw "Unknown value in tuba openvpn config, deading now\n${value}"
))
(lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}"))
(builtins.concatStringsSep "\n")
(x: x + "\n\n")
];
};
}

4
hosts/ustetind/services/gitea-runners.nix

@ -15,8 +15,8 @@ let
enable = true;
name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
labels = [
"debian-latest:docker://node:current-bookworm"
"ubuntu-latest:docker://node:current-bookworm"
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:18-bullseye"
];
tokenFile = config.sops.secrets."gitea/runners/${name}".path;
};

39
hosts/wenche/configuration.nix

@ -1,39 +0,0 @@
{ config, fp, pkgs, values, lib, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
(fp /misc/builder.nix)
];
sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "wenche"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
hardware.graphics.enable = true;
services.xserver.videoDrivers = [ "nvidia" ];
hardware.nvidia = {
modesetting.enable = true;
open = false;
package = config.boot.kernelPackages.nvidiaPackages.production;
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
system.stateVersion = "24.11"; # Did you read the comment?
}

27
hosts/wenche/hardware-configuration.nix

@ -1,27 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "nvidia" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4e8ecdd2-d453-4fff-b952-f06da00f3b85";
fsType = "ext4";
};
swapDevices = [ {
device = "/var/lib/swapfile";
size = 16*1024;
} ];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

57
justfile

@ -1,56 +1,25 @@
set positional-arguments # makes variables accesible as $1 $2 $@
export GUM_FILTER_HEIGHT := "15"
nom := `if [[ -t 1 ]] && command -v nom >/dev/null; then echo nom; else echo nix; fi`
nix_eval_opts := "--log-format raw --option warn-dirty false"
nom := `if command -v nom >/dev/null; then echo nom; else echo nix; fi`
@_default:
just "$(gum choose --ordered --header "Pick a recipie..." $(just --summary --unsorted))"
check *_:
nix flake check --keep-going "$@"
check:
nix flake check --keep-going
build-machine machine=`just _a_machine` *_:
{{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel "${@:2}"
build-machine machine=`just _a_machine`:
{{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel
run-vm machine=`just _a_machine` *_:
nixos-rebuild build-vm --flake .#{{ machine }} "${@:2}"
run-vm machine=`just _a_machine`:
nixos-rebuild build-vm --flake .#{{ machine }}
QEMU_NET_OPTS="hostfwd=tcp::8080-:80,hostfwd=tcp::8081-:443,hostfwd=tcp::2222-:22" ./result/bin/run-*-vm
@update-inputs *_:
@git reset flake.lock
@git restore flake.lock
nix eval {{nix_eval_opts}} --file flake.nix --apply 'x: builtins.attrNames x.inputs' --json \
| { printf "%s\n" --commit-lock-file; jq '.[]' -r | grep -vxF "self" ||:; } \
| gum choose --no-limit --header "Choose extra arguments:" \
| tee >(xargs -d'\n' echo + nix flake update "$@" >&2) \
| xargs -d'\n' nix flake update "$@"
@repl $machine=`just _a_machine` *_:
set -v; nixos-rebuild --flake .#"$machine" repl "${@:2}"
@eval $machine=`just _a_machine` $attrpath="system.build.toplevel.outPath" *_:
set -v; nix eval {{nix_eval_opts}} ".#nixosConfigurations.\"$machine\".config.$attrpath" --show-trace "${@:3}"
@eval-vm $machine=`just _a_machine` $attrpath="system.build.toplevel.outPath" *_:
just eval "$machine" "virtualisation.vmVariant.$attrpath" "${@:3}"
@update-inputs:
nix eval .#inputs --apply builtins.attrNames --json \
| jq '.[]' -r \
| gum choose --no-limit --height=15 \
| xargs -L 1 nix flake lock --update-input
# helpers
[no-exit-message]
_a_machine:
#!/usr/bin/env -S sh -euo pipefail
machines="$(
nix eval {{nix_eval_opts}} .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r
)"
[ -n "$machines" ] || { echo >&2 "ERROR: no machines found"; false; }
if [ -s .direnv/vars/last-machine.txt ]; then
machines="$(
grep <<<"$machines" -xF "$(cat .direnv/vars/last-machine.txt)" ||:
grep <<<"$machines" -xFv "$(cat .direnv/vars/last-machine.txt)" ||:
)"
fi
choice="$(gum filter <<<"$machines")"
mkdir -p .direnv/vars
cat <<<"$choice" >.direnv/vars/last-machine.txt
cat <<<"$choice"
nix eval .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r | gum filter

73
keys/oysteikt.pub

@ -8,47 +8,34 @@ FgIDAQACHgECF4AACgkQRrkijoFKKqxIlQD9F0EedrFpHAVuaVas9ZWRZb4xv3zM
N3g0IDxoN3g0QG5hbmkud3RmPoiTBBMWCgA7AhsBBQsJCAcDBRUKCQgLBRYCAwEA
Ah4BAheAFiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmL7l8ACGQEACgkQRrkijoFK
KqxI4wD9EIGpb3Gt5s5e8waH7XaLSlquOrW1RID3sSuzWI4DvikBAMncfBbtkpzH
EYU2Ufm8VxzgJDnyeB+lcdeSJXWaIwYLiJAEExYKADgWIQT303iQIoqQdEDh/UhG
uSKOgUoqrAUCYuaF5AIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBGuSKO
gUoqrKWiAQC1yFpodz5PGsZbFgihEA0UQ5jcoXBojoAlVRgmkwm41gEA782rsvyl
87ExoluDD3eV/Z5ILp7Ex6JeaE3JUix8Sgi0Jmg3eDQgKGFsdGVybmF0aXZlKSA8
aDd4NC5hbHRAbmFuaS53dGY+iJAEExYKADgWIQT303iQIoqQdEDh/UhGuSKOgUoq
rAUCYvuPSgIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBGuSKOgUoqrK3L
AP4h0cjFuNFwMQlg6oVfWvjCvKZO+ePP+SnTNRKvKbAxSgEA/yG48r9im6M0Xr9z
DAHcDlbClaONX4X+6rZ6OoU6hw24MwRi5oZHFgkrBgEEAdpHDwEBB0CyZzQZNAiz
OmSMNjCBK3rMjzU/b6T1a8GDogQhKfK5VYj1BBgWCgAmFiEE99N4kCKKkHRA4f1I
RrkijoFKKqwFAmLmhkcCGwIFCQPCZwAAgQkQRrkijoFKKqx2IAQZFgoAHRYhBPPN
qGzFWp8Q16BpgZ8vfYJQ81FGBQJi5oZHAAoJEJ8vfYJQ81FGFZgBALN+Rh4m323T
aM5zdJfCTV7V0aP3J0RdKmtKvz/Y9a7uAP4oP8UlbM9ucyG252gZ8IjM0VprNzP9
CpNl4GzpD4CRDu55AP9mpAyRoKt3yjYvTaHz1TpsXHLzqfJO6sYBRXH3YXyNTAEA
prtmn/S9HltHijnsLs1PEHmRua14XQBdL1HuzFID8ASI9QQYFgoAJgIbAhYhBPfT
eJAiipB0QOH9SEa5Io6BSiqsBQJmqp4CBQkFpUs7AIF2IAQZFgoAHRYhBPPNqGzF
Wp8Q16BpgZ8vfYJQ81FGBQJi5oZHAAoJEJ8vfYJQ81FGFZgBALN+Rh4m323TaM5z
dJfCTV7V0aP3J0RdKmtKvz/Y9a7uAP4oP8UlbM9ucyG252gZ8IjM0VprNzP9CpNl
4GzpD4CRDgkQRrkijoFKKqwYoQEAz0D3G/dD6DBYBf7p6pGYqXd2X0Dv8nmnalol
Z6SxfUMA/jT/XjPh7c4Ui8nZO7XDzYWrbV/eZwGMd1zXq2mU42MLuQINBGLmhnoB
EADa1yBK0NKxVIto3hSh21hooYpWcEXWqMPXHO34rcAhktVFOOHIl2bFGScQAZXt
jAcqUmMyC+PMs1DZoocFk+9PJt17hAa/s6CRrw8vK+1fVqhj0XOLtevGV9iC6IRv
hPxzTsOaeOssgMGIU8xDmMKT2nGHGNUkqOXGld63E3NKsK3lnl+BCdpJ0f3GEB7a
SQ+pk6k1uzODXX/mhAUJmL1MkVZ6jJA3vhsre0Kfa9p+C5mP4hLJ6jF+oESvA4HC
+LuCSGm66gIDMC39jnLo6hwYEEjfPXD7CUAN4S2eISSFd+ZclN2vYcrKYgsCZS0h
BFOgDhKKCHBuMwP12AIM8y8L64/eOWFpR7s2StAPjjYbZeZECHLWZt1zGVvkS7Xp
6lsAg6/T8EysKG7vTl2Qq9W0BmzNgk2ODTZkhv0gqqXppdr8eRiq+h0qMfJptG0G
ycOvqb9PoEO2dfNCjjII8VfaSGfSEYo8UwsqYTtfgdoNnFCXKd1r7QmvrdbNsFDR
mkv+wWJoipwUaVquyb2KN652jSlpwMECW6fSEsT/5C3mJLgAmi6l6yosw6HdIY6j
gpCGtxnHW2zReIS6ezZdtxYBCkEHK70yASyaIHrLLDknw+DuKvXAWOAecob8GNBH
OjXZe3LzBt2rVgOCRa+W7milNgjUCsz+R3rM8XfR+wNEGwARAQABiH4EGBYKACYW
IQT303iQIoqQdEDh/UhGuSKOgUoqrAUCYuaGegIbDAUJA8JnAAAKCRBGuSKOgUoq
rDE0AQDBxRsmW9L60mxGCp1CpNWBXD2T6D605PlNiNCcM+cOCgD/c2OitSSG50M0
YRbyh1LPYL6YQePL0dQkYsjm6XVmrAKIfgQYFgoAJgIbDBYhBPfTeJAiipB0QOH9
SEa5Io6BSiqsBQJmqp4FBQkFpUsIAAoJEEa5Io6BSiqsydsA/ihBulpSSLg4B9pJ
sffqphMht7yT3Dnz57iexUEgj3jBAQDedI+gwpZlMjV6IdH/Epz244j82Ta04cqk
SOz2Y63LBrgzBGLmhsUWCSsGAQQB2kcPAQEHQFg/avgj0sZbxqL58tZEpcaieeL1
OWOoVU3mZX/K7GU+iH4EGBYKACYWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCYuaG
xQIbIAUJA8JnAAAKCRBGuSKOgUoqrN5jAP96aO0MEPQSIKdLaa9+ilpPp+glJ9du
IJ7zdR0U15tONAEA0WqeRc8Jhv10UjIz/Q3UlcfvKPzVW6yVKo+Lg1FI2QSIfgQY
FgoAJgIbIBYhBPfTeJAiipB0QOH9SEa5Io6BSiqsBQJmqp4GBQkFpUq9AAoJEEa5
Io6BSiqsjF0BAJn0EBEJfszskYiZzMshFHW5k0QUF+Ak3JNh2UG+M6FJAQCQVY/l
DkrvOytuFnKbkDrCaTrtLh/JAmBXpSERIejmDw==
=7cFp
EYU2Ufm8VxzgJDnyeB+lcdeSJXWaIwYLtCZoN3g0IChhbHRlcm5hdGl2ZSkgPGg3
eDQuYWx0QG5hbmkud3RmPoiQBBMWCgA4FiEE99N4kCKKkHRA4f1IRrkijoFKKqwF
AmL7j0oCGwEFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQRrkijoFKKqytywD+
IdHIxbjRcDEJYOqFX1r4wrymTvnjz/kp0zUSrymwMUoBAP8huPK/YpujNF6/cwwB
3A5WwpWjjV+F/uq2ejqFOocNuDMEYuaGRxYJKwYBBAHaRw8BAQdAsmc0GTQIszpk
jDYwgSt6zI81P2+k9WvBg6IEISnyuVWI9QQYFgoAJhYhBPfTeJAiipB0QOH9SEa5
Io6BSiqsBQJi5oZHAhsCBQkDwmcAAIEJEEa5Io6BSiqsdiAEGRYKAB0WIQTzzahs
xVqfENegaYGfL32CUPNRRgUCYuaGRwAKCRCfL32CUPNRRhWYAQCzfkYeJt9t02jO
c3SXwk1e1dGj9ydEXSprSr8/2PWu7gD+KD/FJWzPbnMhtudoGfCIzNFaazcz/QqT
ZeBs6Q+AkQ7ueQD/ZqQMkaCrd8o2L02h89U6bFxy86nyTurGAUVx92F8jUwBAKa7
Zp/0vR5bR4o57C7NTxB5kbmteF0AXS9R7sxSA/AEuQINBGLmhnoBEADa1yBK0NKx
VIto3hSh21hooYpWcEXWqMPXHO34rcAhktVFOOHIl2bFGScQAZXtjAcqUmMyC+PM
s1DZoocFk+9PJt17hAa/s6CRrw8vK+1fVqhj0XOLtevGV9iC6IRvhPxzTsOaeOss
gMGIU8xDmMKT2nGHGNUkqOXGld63E3NKsK3lnl+BCdpJ0f3GEB7aSQ+pk6k1uzOD
XX/mhAUJmL1MkVZ6jJA3vhsre0Kfa9p+C5mP4hLJ6jF+oESvA4HC+LuCSGm66gID
MC39jnLo6hwYEEjfPXD7CUAN4S2eISSFd+ZclN2vYcrKYgsCZS0hBFOgDhKKCHBu
MwP12AIM8y8L64/eOWFpR7s2StAPjjYbZeZECHLWZt1zGVvkS7Xp6lsAg6/T8Eys
KG7vTl2Qq9W0BmzNgk2ODTZkhv0gqqXppdr8eRiq+h0qMfJptG0GycOvqb9PoEO2
dfNCjjII8VfaSGfSEYo8UwsqYTtfgdoNnFCXKd1r7QmvrdbNsFDRmkv+wWJoipwU
aVquyb2KN652jSlpwMECW6fSEsT/5C3mJLgAmi6l6yosw6HdIY6jgpCGtxnHW2zR
eIS6ezZdtxYBCkEHK70yASyaIHrLLDknw+DuKvXAWOAecob8GNBHOjXZe3LzBt2r
VgOCRa+W7milNgjUCsz+R3rM8XfR+wNEGwARAQABiH4EGBYKACYWIQT303iQIoqQ
dEDh/UhGuSKOgUoqrAUCYuaGegIbDAUJA8JnAAAKCRBGuSKOgUoqrDE0AQDBxRsm
W9L60mxGCp1CpNWBXD2T6D605PlNiNCcM+cOCgD/c2OitSSG50M0YRbyh1LPYL6Y
QePL0dQkYsjm6XVmrAK4MwRi5obFFgkrBgEEAdpHDwEBB0BYP2r4I9LGW8ai+fLW
RKXGonni9TljqFVN5mV/yuxlPoh+BBgWCgAmFiEE99N4kCKKkHRA4f1IRrkijoFK
KqwFAmLmhsUCGyAFCQPCZwAACgkQRrkijoFKKqzeYwD/emjtDBD0EiCnS2mvfopa
T6foJSfXbiCe83UdFNebTjQBANFqnkXPCYb9dFIyM/0N1JXH7yj81VuslSqPi4NR
SNkE
=oTMO
-----END PGP PUBLIC KEY BLOCK-----

6
misc/builder.nix

@ -2,10 +2,4 @@
{
nix.settings.trusted-users = [ "@nix-builder-users" ];
nix.daemonCPUSchedPolicy = "batch";
boot.binfmt.emulatedSystems = [
"aarch64-linux"
"armv7l-linux"
];
}

310
modules/gickup/default.nix

@ -1,310 +0,0 @@
{ config, pkgs, lib, utils, ... }:
let
cfg = config.services.gickup;
format = pkgs.formats.yaml { };
in
{
imports = [
./set-description.nix
./hardlink-files.nix
./import-from-toml.nix
./update-linktree.nix
];
options.services.gickup = {
enable = lib.mkEnableOption "gickup, a git repository mirroring service";
package = lib.mkPackageOption pkgs "gickup" { };
gitPackage = lib.mkPackageOption pkgs "git" { };
gitLfsPackage = lib.mkPackageOption pkgs "git-lfs" { };
dataDir = lib.mkOption {
type = lib.types.path;
description = "The directory to mirror repositories to.";
default = "/var/lib/gickup";
example = "/data/gickup";
};
destinationSettings = lib.mkOption {
description = ''
Settings for destination local, see gickup configuration file
Note that `path` will be set automatically to `/var/lib/gickup`
'';
type = lib.types.submodule {
freeformType = format.type;
};
default = { };
example = {
structured = true;
zip = false;
keep = 10;
bare = true;
lfs = true;
};
};
instances = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule (submoduleInputs@{ name, ... }: let
submoduleName = name;
nameParts = rec {
repoType = builtins.head (lib.splitString ":" submoduleName);
owner = if repoType == "any"
then null
else lib.pipe submoduleName [
(lib.removePrefix "${repoType}:")
(lib.splitString "/")
builtins.head
];
repo = if repoType == "any"
then null
else lib.pipe submoduleName [
(lib.removePrefix "${repoType}:")
(lib.splitString "/")
lib.last
];
slug = if repoType == "any"
then lib.toLower (builtins.replaceStrings [ ":" "/" ] [ "-" "-" ] submoduleName)
else "${lib.toLower repoType}-${lib.toLower owner}-${lib.toLower repo}";
};
in {
options = {
interval = lib.mkOption {
type = lib.types.str;
default = "daily";
example = "weekly";
description = ''
Specification (in the format described by {manpage}`systemd.time(7)`) of the time
interval at which to run the service.
'';
};
type = lib.mkOption {
type = lib.types.enum [
"github"
"gitlab"
"gitea"
"gogs"
"bitbucket"
"onedev"
"sourcehut"
"any"
];
example = "github";
default = nameParts.repoType;
description = ''
The type of the repository to mirror.
'';
};
owner = lib.mkOption {
type = with lib.types; nullOr str;
example = "go-gitea";
default = nameParts.owner;
description = ''
The owner of the repository to mirror (if applicable)
'';
};
repo = lib.mkOption {
type = with lib.types; nullOr str;
example = "gitea";
default = nameParts.repo;
description = ''
The name of the repository to mirror (if applicable)
'';
};
slug = lib.mkOption {
type = lib.types.str;
default = nameParts.slug;
example = "github-go-gitea-gitea";
description = ''
The slug of the repository to mirror.
'';
};
description = lib.mkOption {
type = with lib.types; nullOr str;
example = "A project which does this and that";
description = ''
A description of the project. This isn't used directly by gickup for anything,
but can be useful if gickup is used together with cgit or similar.
'';
};
settings = lib.mkOption {
description = "Instance specific settings, see gickup configuration file";
type = lib.types.submodule {
freeformType = format.type;
};
default = { };
example = {
username = "gickup";
password = "hunter2";
wiki = true;
issues = true;
};
};
};
}));
};
};
config = lib.mkIf cfg.enable {
users.users.gickup = {
isSystemUser = true;
group = "gickup";
home = "/var/lib/gickup";
};
users.groups.gickup = { };
services.gickup.destinationSettings.path = "/var/lib/gickup/raw";
systemd.tmpfiles.settings."10-gickup" = lib.mkIf (cfg.dataDir != "/var/lib/gickup") {
${cfg.dataDir}.d = {
user = "gickup";
group = "gickup";
mode = "0755";
};
};
systemd.slices."system-gickup" = {
description = "Gickup git repository mirroring service";
after = [ "network.target" ];
};
systemd.targets.gickup = {
description = "Gickup git repository mirroring service";
wants = map ({ slug, ... }: "gickup@${slug}.service") (lib.attrValues cfg.instances);
};
systemd.timers = {
"gickup@" = {
description = "Gickup git repository mirroring service for %i";
timerConfig = {
OnCalendar = "daily";
RandomizedDelaySec = "1h";
Persistent = true;
AccuracySec = "1s";
};
};
}
//
# Overrides for mirrors which are not "daily"
(lib.pipe cfg.instances [
builtins.attrValues
(builtins.filter (instance: instance.interval != "daily"))
(map ({ slug, interval, ... }: {
name = "gickup@${slug}";
value = {
overrideStrategy = "asDropin";
timerConfig.OnCalendar = interval;
};
}))
builtins.listToAttrs
]);
systemd.targets.timers.wants = map ({ slug, ... }: "gickup@${slug}.timer") (lib.attrValues cfg.instances);
systemd.services = {
"gickup@" = let
configDir = lib.pipe cfg.instances [
(lib.mapAttrsToList (name: instance: {
name = "${instance.slug}.yml";
path = format.generate "gickup-configuration-${name}.yml" {
destination.local = [ cfg.destinationSettings ];
source.${instance.type} = [
(
(lib.optionalAttrs (instance.type != "any") {
user = instance.owner;
includeorgs = [ instance.owner ];
include = [ instance.repo ];
})
//
instance.settings
)
];
};
}))
(pkgs.linkFarm "gickup-configuration-files")
];
in {
description = "Gickup git repository mirroring service for %i";
after = [ "network.target" ];
path = [
cfg.gitPackage
cfg.gitLfsPackage
];
restartIfChanged = false;
serviceConfig = {
Type = "oneshot";
ExecStart = "'${pkgs.gickup}/bin/gickup' '${configDir}/%i.yml'";
ExecStartPost = "";
User = "gickup";
Group = "gickup";
BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
"${cfg.dataDir}:/var/lib/gickup"
];
Slice = "system-gickup.slice";
SyslogIdentifier = "gickup-%i";
StateDirectory = "gickup";
# WorkingDirectory = "gickup";
# RuntimeDirectory = "gickup";
# RuntimeDirectoryMode = "0700";
# https://discourse.nixos.org/t/how-to-prevent-custom-systemd-service-from-restarting-on-nixos-rebuild-switch/43431
RemainAfterExit = true;
# Hardening options
AmbientCapabilities = [];
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
# ProtectProc = "invisible";
# ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
# SystemCallFilter = [
# "@system-service"
# "~@resources"
# "~@privileged"
# ];
UMask = "0002";
CapabilityBoundingSet = [];
};
};
};
};
}

42
modules/gickup/hardlink-files.nix

@ -1,42 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.gickup;
in
{
config = lib.mkIf cfg.enable {
# TODO: add a service that will look at the backed up files and hardlink
# the ones that have a matching hash together to save space. This can
# either run routinely (i.e. trigger by systemd-timer), or be activated
# whenever a gickup@<slug>.service finishes. The latter is probably better.
# systemd.services."gickup-hardlink" = {
# serviceConfig = {
# Type = "oneshot";
# ExecStart = let
# script = pkgs.writeShellApplication {
# name = "gickup-hardlink-files.sh";
# runtimeInputs = [ pkgs.coreutils pkgs.jdupes ];
# text = ''
# '';
# };
# in lib.getExe script;
# User = "gickup";
# Group = "gickup";
# BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
# "${cfg.dataDir}:/var/lib/gickup"
# ];
# Slice = "system-gickup.slice";
# StateDirectory = "gickup";
# # Hardening options
# # TODO:
# PrivateNetwork = true;
# };
# };
};
}

11
modules/gickup/import-from-toml.nix

@ -1,11 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.gickup;
in
{
config = lib.mkIf cfg.enable {
# TODO: import cfg.instances from a toml file to make it easier for non-nix users
# to add repositories to mirror
};
}

9
modules/gickup/set-description.nix

@ -1,9 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.gickup;
in
{
config = lib.mkIf cfg.enable {
# TODO: create .git/description files for each repo where cfg.instances.<instance>.description is set
};
}

84
modules/gickup/update-linktree.nix

@ -1,84 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.gickup;
in
{
config = lib.mkIf cfg.enable {
# TODO: run upon completion of cloning a repository
systemd.timers."gickup-linktree" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
Unit = "gickup-linktree.service";
};
};
# TODO: update symlink for one repo at a time (e.g. gickup-linktree@<instance>.service)
systemd.services."gickup-linktree" = {
serviceConfig = {
Type = "oneshot";
ExecStart = let
script = pkgs.writeShellApplication {
name = "gickup-update-symlink-tree.sh";
runtimeInputs = [
pkgs.coreutils
pkgs.findutils
];
text = ''
shopt -s nullglob
for repository in ./*/*/*; do
REPOSITORY_RELATIVE_DIRS=''${repository#"./"}
echo "Checking $REPOSITORY_RELATIVE_DIRS"
declare -a REVISIONS
readarray -t REVISIONS < <(find "$repository" -mindepth 1 -maxdepth 1 -printf "%f\n" | sort --numeric-sort --reverse)
if [[ "''${#REVISIONS[@]}" == 0 ]]; then
echo "Found no revisions for $repository, continuing"
continue
fi
LAST_REVISION="''${REVISIONS[0]}"
SYMLINK_PATH="../linktree/''${REPOSITORY_RELATIVE_DIRS}"
mkdir -p "$(dirname "$SYMLINK_PATH")"
EXPECTED_SYMLINK_TARGET=$(realpath "''${repository}/''${LAST_REVISION}")
EXISTING_SYMLINK_TARGET=$(realpath "$SYMLINK_PATH" || echo "<none>")
if [[ "$EXISTING_SYMLINK_TARGET" != "$EXPECTED_SYMLINK_TARGET" ]]; then
echo "Updating symlink for $REPOSITORY_RELATIVE_DIRS"
rm "$SYMLINK_PATH" ||:
ln -rs "$EXPECTED_SYMLINK_TARGET" "$SYMLINK_PATH"
else
echo "Symlink already up to date, continuing..."
fi
echo "---"
done
'';
};
in lib.getExe script;
User = "gickup";
Group = "gickup";
BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
"${cfg.dataDir}:/var/lib/gickup"
];
Slice = "system-gickup.slice";
StateDirectory = "gickup";
WorkingDirectory = "/var/lib/gickup/raw";
# Hardening options
# TODO:
PrivateNetwork = true;
};
};
};
}

106
modules/grzegorz.nix

@ -2,8 +2,6 @@
let
grg = config.services.greg-ng;
grgw = config.services.grzegorz-webui;
machine = config.networking.hostName;
in {
services.greg-ng = {
enable = true;
@ -13,96 +11,42 @@ in {
enablePipewire = true;
};
systemd.user.services.restart-greg-ng = {
script = "systemctl --user restart greg-ng.service";
startAt = "*-*-* 06:30:00";
};
services.grzegorz-webui = {
enable = true;
listenAddr = "localhost";
listenPort = 42069;
listenWebsocketPort = 42042;
hostName = "${machine}-old.pvv.ntnu.no";
apiBase = "https://${machine}-backend.pvv.ntnu.no/api";
};
services.gergle = {
enable = true;
virtualHost = config.networking.fqdn;
hostName = "${config.networking.fqdn}";
apiBase = "http://${grg.settings.host}:${toString grg.settings.port}/api";
};
services.nginx.enable = true;
services.nginx.virtualHosts = {
${config.networking.fqdn} = {
forceSSL = true;
enableACME = true;
kTLS = true;
serverAliases = [
"${machine}.pvv.org"
];
extraConfig = ''
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
services.nginx.virtualHosts."${config.networking.fqdn}" = {
forceSSL = true;
enableACME = true;
kTLS = true;
serverAliases = [
"${config.networking.hostName}.pvv.org"
];
extraConfig = ''
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
locations."/docs" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
};
locations."/api" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
proxyWebsockets = true;
};
locations."/" = {
proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenPort}";
};
"${machine}-backend.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
kTLS = true;
serverAliases = [
"${machine}-backend.pvv.org"
];
extraConfig = ''
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
locations."/" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
proxyWebsockets = true;
};
# https://github.com/rawpython/remi/issues/216
locations."/websocket" = {
proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenWebsocketPort}";
proxyWebsockets = true;
};
"${machine}-old.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
kTLS = true;
serverAliases = [
"${machine}-old.pvv.org"
];
extraConfig = ''
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
locations."/" = {
proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenPort}";
};
# https://github.com/rawpython/remi/issues/216
locations."/websocket" = {
proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenWebsocketPort}";
proxyWebsockets = true;
};
locations."/api" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
};
locations."/docs" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
};
locations."/api" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
};
locations."/docs" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
};
};
}

116
modules/robots-txt.nix

@ -1,116 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.environment.robots-txt;
robots-txt-format = {
type = let
coercedStrToNonEmptyListOfStr = lib.types.coercedTo lib.types.str lib.singleton (lib.types.nonEmptyListOf lib.types.str);
in lib.types.listOf (lib.types.submodule {
freeformType = lib.types.attrsOf coercedStrToNonEmptyListOfStr;
options = {
pre_comment = lib.mkOption {
description = "Comment to add before the rule";
type = lib.types.lines;
default = "";
};
post_comment = lib.mkOption {
description = "Comment to add after the rule";
type = lib.types.lines;
default = "";
};
};
});
generate = name: value: let
makeComment = comment: lib.pipe comment [
(lib.splitString "\n")
(lib.map (line: if line == "" then "#" else "# ${line}"))
(lib.concatStringsSep "\n")
];
ruleToString = rule: let
user_agent = rule.User-agent or [];
pre_comment = rule.pre_comment;
post_comment = rule.post_comment;
rest = builtins.removeAttrs rule [ "User-agent" "pre_comment" "post_comment" ];
in lib.concatStringsSep "\n" (lib.filter (x: x != null) [
(if (pre_comment != "") then makeComment pre_comment else null)
(let
user-agents = lib.concatMapStringsSep "\n" (value: "User-agent: ${value}") user_agent;
in
if user_agent == [] then null else user-agents
)
(lib.pipe rest [
(lib.mapAttrsToList (ruleName: map (value: "${ruleName}: ${value}")))
lib.concatLists
(lib.concatStringsSep "\n")
])
(if (post_comment != "") then makeComment post_comment else null)
]);
content = lib.concatMapStringsSep "\n\n" ruleToString value;
in pkgs.writeText name content;
};
in
{
options.environment.robots-txt = lib.mkOption {
default = { };
description = ''
Different instances of robots.txt to use with web services.
'';
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
enable = lib.mkEnableOption "this instance of robots.txt" // {
default = true;
};
path = lib.mkOption {
description = "The resulting path of the dir containing the robots.txt file";
type = lib.types.path;
readOnly = true;
default = "/etc/robots-txt/${name}";
};
rules = lib.mkOption {
description = "Rules to include in robots.txt";
default = [ ];
example = [
{ User-agent = "Googlebot"; Disallow = "/no-googlebot"; }
{ User-agent = "Bingbot"; Disallow = [ "/no-bingbot" "/no-bingbot2" ]; }
];
type = robots-txt-format.type;
};
virtualHost = lib.mkOption {
description = "An nginx virtual host to add the robots.txt to";
type = lib.types.nullOr lib.types.str;
default = null;
};
};
}));
};
config = {
environment.etc = lib.mapAttrs' (name: value: {
name = "robots-txt/${name}/robots.txt";
value.source = robots-txt-format.generate name value.rules;
}) cfg;
services.nginx.virtualHosts = lib.pipe cfg [
(lib.filterAttrs (_: value: value.virtualHost != null))
(lib.mapAttrs' (name: value: {
name = value.virtualHost;
value = {
locations = {
"= /robots.txt" = {
extraConfig = ''
add_header Content-Type text/plain;
'';
root = cfg.${name}.path;
};
};
};
}))
];
};
}

21
packages/cgit.nix

@ -1,21 +0,0 @@
{ cgit, fetchurl, ... }:
let
pname = cgit.pname;
commit = "09d24d7cd0b7e85633f2f43808b12871bb209d69";
in
cgit.overrideAttrs (_: {
version = "1.2.3-unstable-2024.07.16";
src = fetchurl {
url = "https://git.zx2c4.com/cgit/snapshot/${pname}-${commit}.tar.xz";
hash = "sha256-gfgjAXnWRqVCP+4cmYOVdB/3OFOLJl2WBOc3bFVDsjw=";
};
# cgit is tightly coupled with git and needs a git source tree to build.
# IMPORTANT: Remember to check which git version cgit needs on every version
# bump (look for "GIT_VER" in the top-level Makefile).
gitSrc = fetchurl {
url = "mirror://kernel/software/scm/git/git-2.46.0.tar.xz";
hash = "sha256-fxI0YqKLfKPr4mB0hfcWhVTCsQ38FVx+xGMAZmrCf5U=";
};
})

50
packages/mediawiki-extensions/default.nix

@ -12,7 +12,7 @@ let
name
, commit
, hash
, tracking-branch ? "REL1_42"
, tracking-branch ? "REL1_41"
, kebab-name ? kebab-case-name name
, fetchgit ? pkgs.fetchgit
}:
@ -33,63 +33,63 @@ in
lib.mergeAttrsList [
(mw-ext {
name = "CodeEditor";
commit = "9f69f2cf7616342d236726608a702d651b611938";
hash = "sha256-sRaYj34+7aghJUw18RoowzEiMx0aOANU1a7YT8jivBw=";
commit = "7d8447035e381d76387e38b92e4d1e2b8d373a01";
hash = "sha256-v2AlbP0vZma3qZyEAWGjZ/rLcvOpIMroyc1EixKjlAU=";
})
(mw-ext {
name = "CodeMirror";
commit = "1a1048c770795789676adcf8a33c1b69f6f5d3ae";
hash = "sha256-Y5ePrtLNiko2uU/sesm8jdYmxZkYzQDHfkIG1Q0v47I=";
commit = "a7b4541089f9b88a0b722d9d790e4cf0f13aa328";
hash = "sha256-clyzN3v3+J4GjdyhrCsytBrH7VR1tq5yd0rB+32eWCg=";
})
(mw-ext {
name = "DeleteBatch";
commit = "b76bb482e026453079104d00f9675b4ab851947e";
hash = "sha256-GebF9B3RVwpPw8CYKDDT6zHv/MrrzV6h2TEIvNlRmcw=";
commit = "cad869fbd95637902673f744581b29e0f3e3f61a";
hash = "sha256-M1ek1WdO1/uTjeYlrk3Tz+nlb/fFZH+O0Ok7b10iKak=";
})
(mw-ext {
name = "PluggableAuth";
commit = "1da98f447fd8321316d4286d8106953a6665f1cc";
hash = "sha256-DKDVcAfWL90FmZbSsdx1J5PkGu47EsDQmjlCpcgLCn4=";
commit = "4111a57c34e25bde579cce5d14ea094021e450c8";
hash = "sha256-aPtN8A9gDxLlq2+EloRZBO0DfHtE0E5kbV/adk82jvM=";
})
(mw-ext {
name = "Popups";
commit = "9b9e986316b9662b1b45ce307a58dd0320dd33cf";
hash = "sha256-rSOZHT3yFIxA3tPhIvztwMSmSef/XHKmNfQl1JtGrUA=";
commit = "f1bcadbd8b868f32ed189feff232c47966c2c49e";
hash = "sha256-PQAjq/X4ZYwnnZ6ADCp3uGWMIucJy0ZXxsTTbAyxlSE=";
})
(mw-ext {
name = "Scribunto";
commit = "eb6a987e90db47b09b0454fd06cddb69fdde9c40";
hash = "sha256-Nr0ZLIrS5jnpiBgGnd90lzi6KshcsxeC+xGmNsB/g88=";
commit = "7b99c95f588b06635ee3c487080d6cb04617d4b5";
hash = "sha256-pviueRHQAsSlv4AtnUpo2Cjci7CbJ5aM75taEXY+WrI=";
})
(mw-ext {
name = "SimpleSAMLphp";
kebab-name = "simple-saml-php";
commit = "fd4d49cf48d16efdb91ae8128cdd507efe84d311";
hash = "sha256-Qdtroew2j3AsZYlhAAUKQXXS2kUzUeQFnuR6ZHdFhAQ=";
commit = "ecb47191fecd1e0dc4c9d8b90a9118e393d82c23";
hash = "sha256-gKu+O49XrAVt6hXdt36Ru7snjsKX6g2CYJ0kk/d+CI8=";
})
(mw-ext {
name = "TemplateData";
commit = "836e3ca277301addd2578b2e746498ff6eb8e574";
hash = "sha256-UMcRLYxYn+AormwTYjKjjZZjA806goMY2TRQ4KoS5fY=";
commit = "1ec66ce80f8a4322138efa56864502d0ee069bad";
hash = "sha256-Lv3Lq9dYAtdgWcwelveTuOhkP38MTu0m5kmW8+ltRis=";
})
(mw-ext {
name = "TemplateStyles";
commit = "06a2587689eba0a17945fd9bd4bb61674d3a7853";
hash = "sha256-C7j0jCkMeVZiLKpk+55X+lLnbG4aeH+hWIm3P5fF4fw=";
commit = "581180e898d6a942e2a65c8f13435a5d50fffa67";
hash = "sha256-zW8O0mzG4jYfQoKi2KzsP+8iwRCLnWgH7qfmDE2R+HU=";
})
(mw-ext {
name = "UserMerge";
commit = "41759d0c61377074d159f7d84130a095822bc7a3";
hash = "sha256-pGjA7r30StRw4ff0QzzZYUhgD3dC3ZuiidoSEz8kA8Q=";
commit = "c17c919bdb9b67bb69f80df43e9ee9d33b1ecf1b";
hash = "sha256-+mkzTCo8RVlGoFyfCrSb5YMh4J6Pbi1PZLFu5ps8bWY=";
})
(mw-ext {
name = "VisualEditor";
commit = "a128b11fe109aa882de5a40d2be0cdd0947ab11b";
hash = "sha256-bv1TkomouOxe+DKzthyLyppdEUFSXJ9uE0zsteVU+D4=";
commit = "90bb3d455892e25317029ffd4bda93159e8faac8";
hash = "sha256-SZAVELQUKZtwSM6NVlxvIHdFPodko8fhZ/uwB0LCFDA=";
})
(mw-ext {
name = "WikiEditor";
commit = "21383e39a4c9169000acd03edfbbeec4451d7974";
hash = "sha256-aPVpE6e4qLLliN9U5TA36e8tFrIt7Fl8RT1cGPUWoNI=";
commit = "8dba5b13246d7ae09193f87e6273432b3264de5f";
hash = "sha256-vF9PBuM+VfOIs/a2X1JcPn6WH4GqP/vUJDFkfXzWyFU=";
})
]

8
secrets/bicep/bicep.yaml

@ -3,8 +3,6 @@ calendar-bot:
mysql_password: ENC[AES256_GCM,data:Gqag8yOgPH3ntoT5TmaqJWv1j+si2qIyz5Ryfw5E2A==,iv:kQDcxnPfwJQcFovI4f87UDt18F8ah3z5xeY86KmdCyY=,tag:A1sCSNXJziAmtUWohqwJgg==,type:str]
mysql:
password: ENC[AES256_GCM,data:KqEe0TVdeMIzPKsmFg9x0X9xWijnOk306ycyXTm2Tpqo/O0F,iv:Y+hlQ8n1ZIP9ncXBzd2kCSs/DWVTWhiEluFVwZFKRCA=,tag:xlaUk0Wftk62LpYE5pKNQw==,type:str]
gickup:
github-token: ENC[AES256_GCM,data:H/yBDLIvEXunmaUha3c2vUWKLRIbl9QrC0t13AQDRCTnrvhabeiUFLNxZ/F+4B6sZ2aPSgZoB69WwnHvh1wLdiFp1qLWKW/jQPvzZOxE4n+jXrnSOutUWktbPzVj,iv:KFW4jRru93JIl9doVFtcNkJDWp89NlzWjPDflHxcL/U=,tag:YtgyRxkoZO9MkuP3DJh7zA==,type:str]
sops:
kms: []
gcp_kms: []
@ -65,8 +63,8 @@ sops:
cTh5bnJ3WW90aXRCSUp6NHFYeU1tZ0kK4afdtJwGNu6wLRI0fuu+mBVeqVeB0rgX
0q5hwyzjiRnHnyjF38CmcGgydSfDRmF6P+WIMbCwXC6LwfRhAmBGPg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-07T21:34:48Z"
mac: ENC[AES256_GCM,data:n6GHD+nQmZL17WvUZiMCBLRHbtpoKU6U8o/Oraj0VSRi/pQ74QWGVEcIX87kFjBvR2C+UPd3KwXzjQHhjUfHpz9EjIGi6tXLTTo8K3ptd2wCL8MW418TVO4KV+BFmHGT4kwlbdoqaJ2SA7HcfXNaC68e/2CTXhtkLpIwGXtYWJA=,iv:iC5QX/JMwno4mBljPdorNmcQSD2wy/wOYvGrUoC2yzg=,tag:GuFNQ6+d6o9DYC6Do/IEqQ==,type:str]
lastmodified: "2024-08-15T21:18:33Z"
mac: ENC[AES256_GCM,data:uR5HgeDAYqoqB9kk1V6p0T30+v6WpQJi4+qIeCDRnoUPnQKUVR10hvBhICck+E+Uh8p+tGhM6Uf3YrAJAV0ZCUiNJjtwDJQQLUDT53vdOAXN4xADCQqNuhgVwVMaruoTheEiwOswRuhFeEwy0gBj3Ze2pu47lueHYclmEzumLeQ=,iv:t0UyXN2YaR2m7M/pV2wTLJG5wVfqTIUs7wSQMmyeTVw=,tag:O7dIffzrDAXz3kGx5uazhw==,type:str]
pgp:
- created_at: "2024-08-04T00:03:40Z"
enc: |-
@ -89,4 +87,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.9.4
version: 3.9.0

18
secrets/ildkule/ildkule.yaml

@ -1,5 +1,15 @@
#ENC[AES256_GCM,data:oyFG9fCzJH8yLB0QY78CVOcYO6Ttp/ARqtIcXwWGYOvL6nW+yLcakrdmVA96sR5toywb32aW,iv:7o3FI0cI6GHCwmQfLYh2iAVr8sELOMoxGSzE5qvuAaI=,tag:z9F1c4dOIiy2FtKpBwm5wg==,type:comment]
#ENC[AES256_GCM,data:nhDznFCozGpXdYBfumLyhp7TnA7C/IqBCpHJ,iv:3AZN6iVBha8Qh5/X6Yn/5JWsGhDXlE/zdUh1CcO7fQc=,tag:59DaAyKTOmkKty4eyFWFqw==,type:comment]
#ENC[AES256_GCM,data:vQu+AG19Vy94xxwj196G2uk9,iv:YJGBvoMgOngjn/TeuXeoU82daRvJDxvCQMYb3XCPlw0=,tag:fU6ZhhmAh0yh3/QuXbCNkQ==,type:comment]
#ENC[AES256_GCM,data:S1UOENn/ewhw8Pb9CmKp,iv:jafOhkCoiTm5HXQ/S611L4VlQFa1Wqr5WIIRzLQm3i0=,tag:6CQ+Y9E/FxWN8K+D9J7+Fg==,type:comment]
#ENC[AES256_GCM,data:lHHmoCHyP2Tc3waRGeMPEasQiv5+,iv:W6SSFpeWBfTBOEDo4P9hox39eoAiO40Ay4T3QeiI9Tw=,tag:9bLbcEZ9/B1QolDettwcfg==,type:comment]
#ENC[AES256_GCM,data:DrF4XHSd8QAWn5h1xEGGpDKMQcLF,iv:nPCBbThQh/Aa+uccKJtmiCXSvoJKHxZMJ42yFkV+hi8=,tag:3l50mMn7cPoCnjPcHv1+Vg==,type:comment]
#ENC[AES256_GCM,data:ADUhFzufaR2xXNOLgiXKu5Cd8Zx3waYeZiLF,iv:WMK2gJwplf6r/EdijrvrOBHgPL57W+UMIQ8dBPp/DBA=,tag:E/q/ccAd7UH3BV7nut6Slg==,type:comment]
#ENC[AES256_GCM,data:IVFSM6VOWnR0YDRfecsDPlYr,iv:Jxe8pq3lxw5QUGKyspB8tWSquDSMo3mAJBAsQGKxSec=,tag:7bffwY98iTX4/De0coUIxA==,type:comment]
#ENC[AES256_GCM,data:pHSDnojWTLYXIKk=,iv:ph2xCpxbP3OiWm+B/MDboykPa2gtCWpP0b3j96YCDh4=,tag:u5hmvxHaa/m8GaSeYvONmg==,type:comment]
#ENC[AES256_GCM,data:Q0fCyyP0DJqUyJPo,iv:qwBE3c2VqF52Yq8POXhy2Qv2xJd82wL1aX4eVY6wL1w=,tag:IwmbD7XqIkemOTODBKpS0g==,type:comment]
config:
mysqld_exporter_password: ENC[AES256_GCM,data:I9K+QMqaN3FOOVKzeOR9Q6UERStXX0P8WEHyN1jzzbM=,iv:UxvIdlfAyJvNuxPkU4+guKPa0fiD0vVLzHOTYktcmso=,tag:ltnIqEwESYx9HBu8UN0ZLw==,type:str]
mysqld_exporter: ENC[AES256_GCM,data:w4muNsWmsW1fPx9nqtDGPCZ9faO3W5Pagn/DfWrb5yf88GQOzOsN4z7TH3QeW0Xs6I5jDIktGmFml6RDxCjD8UX9eer1pvC7Kxyl2DQKLHwmsgx1DUFNTRUzE1Sgx8rZAJ8HM7DO7L/6aXS0ndY4J+huyhDDVd+cIetgiQ==,iv:Q4cZD9CKd/EDOm4bjAE2EOstwKpwexF2pxhMEF0/5/k=,tag:S0rOLJS+b9ualtxcHKdHlw==,type:str]
keys:
grafana:
secret_key: ENC[AES256_GCM,data:+WoAJbDBEgKs0RoHT+7oEELAVQ+/2Xt+5RTMSXg23moCqVRx+Gzll9P5Drw=,iv:AkRn/Y20iEe5i1T+84wAgLCTFtAox2G3giyawAkltAw=,tag:BZbt5Wb5lYLIJBm/pfP4GQ==,type:str]
@ -67,8 +77,8 @@ sops:
WDRSdDZRa1lIbEVTdDlhU1dwUXUzQTgK5iE4Cf/zjsPYHKcqYA0rFqY0TNcCnzNU
vTM+cEPaA+/FXTwLfPpaiSkg5Fq8k2XdeMQsjQnglTBSWCwAJin27g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-16T20:08:18Z"
mac: ENC[AES256_GCM,data:C2tpWppc13jKJq5d4nmAKQOaNWHm27TKwxAxm1fi2lejN1lqUaoz5bHfTBA7MfaWvuP5uZnfbtG32eeu48mnlWpo58XRUFFecAhb9JUpW9s5IR3/nbzLNkGU7H5C0oWPrxI4thd+bAVduIgBjjFyGj1pe6J9db3c0yUWRwNlwGU=,iv:YpoQ4psiFYOWLGipxv1QvRvr034XFsyn2Bhyy39HmOo=,tag:ByiCWygFC/VokVTbdLoLgg==,type:str]
lastmodified: "2024-04-20T23:41:59Z"
mac: ENC[AES256_GCM,data:38Ask+adT2FshF8DYEfCWeVWt4KiaJsTXhF7Ib3xxdfQ6vAixM2OXTaK/qqUvN6gQok9TFF+HMJBJ+jezV00nVcKUYn04FaU2/D2zdam44eEEYEEovmfAZ6vbC+CiDv4d/DCc3hnYtDZCEgUTfP4gsZ9rLZFAOwaOFWRJxcDi6Y=,iv:BzuWdTjn6LhscNeouHjM7IYKxTahA8PzzlHSCYZ618s=,tag:BWtPbNwzdOJb788eOO5ZNA==,type:str]
pgp:
- created_at: "2024-08-04T00:03:54Z"
enc: |-
@ -91,4 +101,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.9.4
version: 3.8.1

95
secrets/kommode/kommode.yaml

@ -1,95 +0,0 @@
gitea:
web-secret-provider:
token: ENC[AES256_GCM,data:7ljFuW0CApzvvGSpWa7fiITIXtejhZk5aed70NNup6AS2GpDOv1NMw==,iv:vi+0BM4QkpnMatlGU6rdEYnCgGUU3U8SuE3imbwKfdE=,tag:uTFaeS/56t/MfBwb1hpkvA==,type:str]
password: ENC[AES256_GCM,data:1Hr2M95xT6J4SxnQLWe9ZQ7q4BIAACnpQXEGyCEm2OgRb/kqyv2s+gJAsw==,iv:95CbOJzeGl+jT8OsSSSx+DH8KYD1HtbXOyZhR60QwnU=,tag:dheIVvgqpiFrKvLLpFlPBg==,type:str]
database: ENC[AES256_GCM,data:nDZqnSBKijyhslBjhSu9weqLVJzUiBD8Ltu/nmllicadraeISylyEk3pOA==,iv:XFzM1pGv98jehdgvlZN217LrsK8TcAMFK5eDrPi2bm0=,tag:+YpXqMmvMTrnt7cDK/Sa7A==,type:str]
email-password: ENC[AES256_GCM,data:tasMZ2Zu449o/mH6uSSPM7cFOlBg4vC+,iv:lDNMvXh5P3HNy9pW6nBsSLCyij/3HiSRunVuLeKAmbI=,tag:ApqGWYE9MSE8m6iYLK6Yww==,type:str]
passwd-ssh-key: ENC[AES256_GCM,data:VOp8vqVoX9IFJhzpKy0J+AzyX3TvxEIBvv3dXpD1f8szmUyPwd4gDOlaFpqTSDu8ebmK3m/D0FMTkfBkPVhUG6XTPo7YIV37gLhfsBF6CuwCMXxTQAd23nfpwJKcDIn3R5h8Mu4MMme2Ev/4PNDztktmIYv3KoEbPglzBMS4LrZqJsDilvIYKEIDUExhSAkESKQZiIzK1TdtWDQSUzvUZ3OsbxONZgaTw5e+xz3qk/q+IR5eRNp9fpeZQ8EkpC7aa/JDIwxzNIuMFi8W9PWh6ANmAOm6GK7JSKiHYQL8GofVifhUGUanAnjgDTYkIWpDiSsuHjfDPGupFCeONNd+Wd4NpJZsej3p9ldLOVxa01Le2tIVYY80jUWT0dpV9IJ5syp4gVaky5Vk6i2QhvjunDoEUnArSRGyMTxWfxAxZLvbLYMNAJDoWzy25vf3jteNB43lVHckEW1F8w/RtzoKzbjKYiANHg+eNLVq0HK67gX2twpblNN4OBt9d03ZbV2lZjTMXGzJXHGFT5ZPDwTkxcDooNvoRuCMe8t8dpuksHFaIp4=,iv:3sgiIgGD9pmCMLVRk0Q8+7GZajYIWsokDUx9JuNrO2c=,tag:WDXyNYtqjdAMePEsnA0hbw==,type:str]
gpg-signing-key: ENC[AES256_GCM,data:AyafTF3H8p1qDk9xsNvT68BksoKGLwE2uE3hjz0TrT2XPxCRDOIlfAVYEPSu2Ih6l5a2uruEJhHPtU2fPCB2hln3Bv3gZfFGLb3GFWkSvdePIYFxG56uqGK5dE1KaMccc2cTi+raDImKqSTbp7Qpdo/c6C0WYVglYrD+2l8Y4QOiFuazyLY9zwcX0qG7pIjJ+akCUjfE4rJDAW6H/v+OqvHpcED3q4iXOYuw9sj/UeIgZfJ5Xc/uVrRmPewP4yALnA8o9gsaaLdjWRFIILe7VRwPr0YqwQ6XGgc+pEartkV8AzxjCq6DOtifOOzmu8EI1U1yoaOViYCAMbSHfP6SIKr7pJbrdU+YDBq9mvRx8KPXWUU2uNGrMObATEzlqMYAYA/HJeOdV4w3Axvq8RG2FLkJxJJniwNP5VZRF3bbbI3w+hprRP2yAwgeQw19KBU8yF8upKga/GdMNScpKJvRyVLjZtI0rsfvSC81lHawouuje6aPXT3dH1S5ROJBHMTeV0sP0vK6liBevz9RZpvNs6JVyNCgiRRtRSSYqsgwPJonDKuPeI/Zpgih7HboA8HqhIibqpO96h5/4yO69oJAbLUYV3zlKQcMDTaqadL4Ox5Z+8ygSAL3l1ufZIFGSj73SNHGQqQlIS/a3dAccRi5fPqv0gOmGFAAUJPKfeauFn3TclwojKzu5vwmQxZ5g50txEpTSTaYOy++qq6UZa/dXEyDC7fle75dXhqXyqMCf9kDwZZl5E9eBsabNdTF+auQCp82iLQivdBy7uJX2hkJFSg84fF9MLgH4mOcMQc2E/z961uNzEgoyvVhbDY6+SIJ+6SGmnardbFW7mYrj/QqnSUiMc4tHukAB4NGQYHgjOYRZMpHfVO/6dLbjmTOljnPsnfQUCepvb9rGim8NazvnARaVzezx4t3tfbNR8uLQudSeLZzn/Fu1mKSQvpP+IjdglmyAgp6QhB4OCDPbiaMRDUtOQIzlVILdz1/geUVzhZkJ4xzkm5klGukhtv+3TqjiTcEnoVJC+A1jRvxBQUfEE92GFuupJUfrw8bIDqsWQLkHPCNUMgdoKa/q2OkrWeQz2zm2yUqMAJn1/puoLHdSH5aCELUggx1gQZoc480pSBUvSCML+Qc4B4Cd6hX2PPp+/KQeKtfqHIsKz2I+DMT6KDirReX6WHxqk+s2DtLw7Wx/j65PWCIWLCz,iv:c9BDRxQImWTmwq11+T2CW0S00Dixd8d0od5xn5zZmY8=,tag:brnMedsdTwlkbaHaLa2w2g==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data:P6hKaCpcZdXIy4rE/1b1+66Md/3Kmviileb0OIT3Vz4IVsDLecBh3IiadHq66V4KocXC4LBUNFjcrxlVVGIonHJ3qd6VpQUwG0n83yhj6LD5hgxmZ5phAyR77Ri8BiH1lWUcg51L2k0U+WJFPP6JkumT9MEz1t1+JYr5Imij6GKRWRKFwTbU6QJwFH4tCA/iGw0ElrzIjSHiNiwIKfbm8yas9vlOhr4y7vCeV10hVyvV,iv:dZ8hQxhn7pokWbQG/8rQ2vFDpPYut7WCG3xy9g6kzNs=,tag:xMyPtJJoh8kjJcOT4t9aRA==,type:str]
import-user-env: ENC[AES256_GCM,data:9SE2k3/IJqbdexj0QFSQBQ1+u1AduWNjt+0XIHryJlxIEdvv9a+6hP4EXPo+31GnaE4=,iv:qZlWOBV5owr3ESTyFaV/R8VwlGl04kaui80I2zYk4zY=,tag:PhjRfEC1xoHaYyl648yCVw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWnlOa1NGME00dVhBQ3Z2
UE1HZlc0Nldrb1VwZTk0Z2I2Nm5ZazV6WndFCnNoM2JaWFJnazJaWlltVW9uNGhm
UmdPSWlsdllORFhyMzRhYXBKQjRqWmcKLS0tIC91RmRCNG91UW1xb1pETXczSDlM
aStmM20xL0hHT3VnMWpTSEltZEpqT1kKj7Io72QSR/dgggQRBZ0gjs0Q7Y3GIP9K
GPgvKGxEi8CcrUj5J9u7rDUed1/TowgWWs/ujt/8q2zfli7AjTpS1w==
-----END AGE ENCRYPTED FILE-----
- recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByclROelpuQUFPQlFpREJr
NjhlUDA0TGw4R2FKbmRwWEVCSldrem9neVI0CmU1Q29qUUNZbmZDSkx0UmZmNkVL
dmNQMEJjRjJtcWFYNE1SamV5SUozZVUKLS0tIFBMdFB5TTV4dGRoeVNnYWV5dERY
ejV3RTlSMjNlcGNreXM0YjhpUkVxUzQK2xB69WIRrMPNdZuJUzwuNM/a/Qzpyp7b
nInPmTCCOhqc3eNFSc+od6y5urMeW+r2i2iNV4B2rIdJTdLl1434eg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVFEyaWtlV0F1d0QvMGpU
KzUxdGpXRUMzOWhSODJNYU1Id1Evbm1QelVzCmNZS3NSNWZlZDhPYUVCS3ZIUXRM
aVdScUI5aFI0aXU1ZUx0VjBBQW1hRUUKLS0tIGtOcmFNTXIxdEV0RlI0akJpWEM0
bk9lWDZkS3BrM0t6V2xEbVdtZlQ1aTgKv7bIQpdGIoXMxPZDmLzqunIEaqQ5M63r
Qu1oFC+yZh2UlkjGxKE6HMlMGn0CnBcTa8XvBaEVMfchVR/2WVq8TQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQWM5dlFCbTIrSXlZYnBw
VVQzK1ZiaXpQcTcwQzV5YVV3d1A2L012K1NBCmpXNnNnenNrNTZDUjdXdzNXd2R2
T3FSc3BLdUUxWEs2OXlRNEdieXU1bEkKLS0tIFJkU0ZGcjd4bEUyOWFZeHVUMHow
dVNTbk41S0VUNndQLzRoZ2ZpVTVqNU0Kp6okYalYtbI1CFuJq/881ZyOVpFoRq0j
DvG2E2U+go6XftSaJ59DIUC6rzVBg1JKpJX3TS6SJhe+T+1paoxG/A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYVdXc2hrQ0JFQnF6NFpG
UWVMVTN5U0JuQkRxU1ExdUlpWkV4RHlvYUNZCmIzOFI5QnVrMU84VTV6WmcxdjdZ
aTZpOWZNdGNoSnJ2c0R2UzJ2cU1TRmMKLS0tIGFxTkxaYjUvaUxsRmhxRmpVeFFD
aWt5dnlUYWxoUUlHTjRnWEVBU0NzODQKQ2v9oCbXhUhRnURyHWbAIJHGjgb/eVp1
h9Tdld0TWTxxbyN8JkRa80B8JpUVwHgeqJmq2krnhDrYLN9zaugVMQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bFd5OGpvY0YxczdkVnVY
ZXExNnY1UXBtb0d4MFNYR3JrMTN1SXhNOUhrCi9xVm1HZDhHZmpEdmdJNVBFcWhv
UjI3VDNycEpKdTNnbVU1eVFUeUZuZTAKLS0tIE5GdEJ3Nk1oam9KYUVCMk9CVmpL
OCtLcUZwL084TUp0QmpSQXNtSFhHYkUKwGvXXE9AWlrlDgRl2ECCmej7IMztO+fx
852Vu610cI9FLv5oghlKM769+/A2QP82KwdxZ4MaRSDvJwXKBi16aw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-16T13:03:12Z"
mac: ENC[AES256_GCM,data:cuMHvEjR3nA/LqGHwIGOD+rWwmvg0fPiFtVTDLATKuc0Ulf+0PKogv9cddmXlmqaBOLMkmZue44egEpiLoNm38kEr7gPfP7XKj3kkwL2U4BiS43JEokt5CEq44sSETKylEMEVajgOEwyWn1od4MLxa7xsuhbvGvDpsbvjyPvzh0=,iv:zWFNpOS9cgCs36rdW9FcJ+jG3HrjRmcw2Ogz7QZuyJQ=,tag:L3x6Bsu+7n5A0/Dx0HghkA==,type:str]
pgp:
- created_at: "2025-03-16T13:02:45Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ/9Ey8zpaRU7DuvVaKTaybgkLCPTKNyq6mKXAusKqC0adMu
9G4M8G18uEoo6/Oa1LpJsQneU05EFuStZPaCs9+zxe5ZU2YhcVcDGAHgCDFBbI27
7kzUVxA/n5cK61CfIslNYdJolceJeLyH9HSrS3k3eI3V6zEQL9Yz05dDz7Nlma4q
AKsnGtLY4og0j2k7HZcK39ikhJGkllZHhsM4RT8/UVeVZF9CxKzwQ2OKbHkhJZyn
LGEpioYAKuIIWm/20y/DQwIYpAilltWkg+RWQUnYeAINAZKSzFNi9vd3N4n6e41t
ikq8Ukpjbesy42w0ju9sbNWayga14OG5STg/qacrCDjp+wY55VJCcEEM/6kPj1rf
e2dBR+eN8VMgcPOlexOf1pkrVhNqz9eDfEfaEtDbFDIgznt0pmLeeYcL3NBa5+Xf
vpGXG3fmgoXvQYW05yY4efBRiex9f70lbhnnngeY9ZbmSpy3ZuzIKq8RgBxy1ve+
4B6RYC2Ag8Tndj1xYfHcrqSNfmxq+xNieFV49PMGDO1hjJF++VASqPuRtX9lz3tZ
Y7E7VPtTESaxEp9IuUgLYYnvSHh1SNIRl3OtcctL+bwbF2wNk5iBha+jC/aXNRU/
PoRv1y+G+0R6aV3hLJjoC+Hrm2JX3FIksk64LRDM9mSI7Yl7MfEFrIzcH4HEzlTS
XAHugaMjpRCntUxlaP2tq4jlrv+PQLh7+uBzzbhLBK6qSjybKiqHBKeluxfYVsDs
rJJicnclRfI1eJPfZDlCr2iggd+2ABYG7uINQVrZYuw2dfb4IvvrqCQz/fBy
=Qb5k
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.9.4

12
secrets/ustetind/ustetind.yaml

@ -1,8 +1,8 @@
gitea:
runners:
alpha: ENC[AES256_GCM,data:Hnq2guka4oERPIFCv1/ggrLjaePA7907VHXMStDQ7ll3hntTioT76qGOUJgfIw==,iv:wDPYuuL6VAWJakrz6asVRrzwRxqw0JDRes13MgJIT6E=,tag:ogFUeUirHVkCLN63nctxOw==,type:str]
beta: ENC[AES256_GCM,data:HmdjBvW8eO5MkzXf7KEzSNQAptF/RKN8Bh03Ru7Ru/Ky+eJJtk91aqSSIjFa+Q==,iv:Hz9HE3U6CFfZFcPmYMd6wSzZkSvszt92L2gV+pUlMis=,tag:LG3NfsS7B1EdRFvnP3XESQ==,type:str]
epsilon: ENC[AES256_GCM,data:wfGxwWwDzb6AJaFnxe/93WNZGtuTpCkLci/Cc5MTCTKJz6XlNuy3m/1Xsnw0hA==,iv:I6Zl+4BBAUTXym2qUlFfdnoLTHShu+VyxPMjRlFzMis=,tag:jjTyZs1Nzqlhjd8rAldxDw==,type:str]
alpha: ENC[AES256_GCM,data:aAFv+/ygC7oxGT3qnoEf+AZL3Nk1yOq3HupL9l0j8P913GefPKqlBt/mbuRVug==,iv:usXElENwbOHxUdoqHScK7PjeZavXUwoxpQWEMjxU2u4=,tag:E8OzZ9pmxIru7Glgh7v0lg==,type:str]
beta: ENC[AES256_GCM,data:riRSBDzX9DAxKl2UCds1ANddl3ij+byAgigOafJ5RjWl8cNVlowK21klBiKTxw==,iv:clijEUKX9o52p5A94eEW0f8qGGhFpy/LFe+uQG/iQLg=,tag:PchXbsZMnW//O7brEAEeWw==,type:str]
epsilon: ENC[AES256_GCM,data:lUt8uaqh9eC1IdIUfiw3dzxcDErSWaiT9lzg4ONf/QZeXj7Do7Es0GXBFd41Hw==,iv:hPm5Lez5ISHIlw1+i4z/oBsh4H5ZXPVYnXXSGq1eal0=,tag:/KcmPw30622tN9ruMUwfUw==,type:str]
sops:
kms: []
gcp_kms: []
@ -63,8 +63,8 @@ sops:
aU4xWjVYYlNvSmYxajVGdzk5dTQ4WG8Klq12bSegsW29xp4qteuCB5Tzis6EhVCk
53jqtYe5UG9MjFVQYiSi2jJz5/dxfqSINMZ/Y/EB5LxbwgbFws8Yuw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-12T12:20:19Z"
mac: ENC[AES256_GCM,data:D9/NAd/zrF6pHFdZjTUqI+u4WiwJqt0w5Y+SYCS1o/dAXJE/ajHzse/vCSGXZIjP0yqe+S/NyTvhf+stw2B4dk6Njtabjd+PhG0hR4L0X07FtFqzB3u5pLHCb0bH9QLG5zWcyMkwNiNTCvhRUZzbcqLEGqqJ7ZjZAEUfYSR+Jls=,iv:5xPfODPxtQjgbl8delUHsmhD0TI2gHjrxpHV+qiFE00=,tag:HHLo5G8jhy/sKB3R+sKmwQ==,type:str]
lastmodified: "2024-12-09T21:17:40Z"
mac: ENC[AES256_GCM,data:HensJbPU1Kx9aQNUhdtFkX/6qdxj7yby6GeSruOT+HYEtoq0py/zvMtdCqmfjc4AOptYlXdgK7w30P976dG1esjlYwF07qtVvAbUqvExkksuV4zp81VKHMXUOAyiQK79kLe3rx6cvEdUDbOjZOsxN02eRrcanN+7rJS6f7vNN88=,iv:PlePCik6JcOtVBQhhOj9khhp2LwwfXBwAGpzu4ywhTA=,tag:Clz+xX1Cffs8Zpv2LdsGVA==,type:str]
pgp:
- created_at: "2024-12-09T21:17:27Z"
enc: |-
@ -87,4 +87,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.9.2
version: 3.8.1

20
shell.nix

@ -11,14 +11,14 @@ pkgs.mkShellNoCC {
editorconfig-checker
];
env = {
OS_AUTH_URL = "https://api.stack.it.ntnu.no:5000";
OS_PROJECT_ID = "b78432a088954cdc850976db13cfd61c";
OS_PROJECT_NAME = "STUDORG_Programvareverkstedet";
OS_USER_DOMAIN_NAME = "NTNU";
OS_PROJECT_DOMAIN_ID = "d3f99bcdaf974685ad0c74c2e5d259db";
OS_REGION_NAME = "NTNU-IT";
OS_INTERFACE = "public";
OS_IDENTITY_API_VERSION = "3";
};
shellHook = ''
export OS_AUTH_URL=https://api.stack.it.ntnu.no:5000
export OS_PROJECT_ID=b78432a088954cdc850976db13cfd61c
export OS_PROJECT_NAME="STUDORG_Programvareverkstedet"
export OS_USER_DOMAIN_NAME="NTNU"
export OS_PROJECT_DOMAIN_ID="d3f99bcdaf974685ad0c74c2e5d259db"
export OS_REGION_NAME="NTNU-IT"
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3
'';
}

45
shells/cuda.nix

@ -1,45 +0,0 @@
# nix develop .#cuda
# Copied from https://nixos.wiki/wiki/CUDA
{ pkgs }:
pkgs.mkShell {
name = "cuda-env-shell";
buildInputs = with pkgs; [
autoconf
binutils
curl
freeglut
git
gitRepo
gnumake
gnupg
gperf
libGL
libGLU
m4
ncurses5
procps
stdenv.cc
unzip
util-linux
xorg.libX11
xorg.libXext
xorg.libXi
xorg.libXmu
xorg.libXrandr
xorg.libXv
zlib
cudatoolkit
linuxPackages.nvidia_x11
# Other applications, like
hashcat
];
env = {
CUDA_PATH = pkgs.cudatoolkit;
EXTRA_LDFLAGS = "-L/lib -L${pkgs.linuxPackages.nvidia_x11}/lib";
EXTRA_CCFLAGS = "-I/usr/include";
};
}

1
users/oysteikt.nix

@ -13,6 +13,7 @@
bottom
eza
neovim
diskonaut
ripgrep
tmux
];

20
values.nix

@ -21,6 +21,12 @@ in rec {
ipv4 = pvv-ipv4 213;
ipv6 = pvv-ipv6 213;
};
grevling-tap = {
ipv4 = pvv-ipv4 251;
};
tuba-tap = {
ipv4 = pvv-ipv4 252;
};
};
hosts = {
@ -60,17 +66,17 @@ in rec {
ipv4 = pvv-ipv4 204;
ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
};
kommode = {
ipv4 = pvv-ipv4 223;
ipv6 = pvv-ipv6 223;
};
ustetind = {
ipv4 = pvv-ipv4 234;
ipv6 = pvv-ipv6 234;
};
wenche = {
ipv4 = pvv-ipv4 240;
ipv6 = pvv-ipv6 240;
grevling = {
ipv4 = pvv-ipv4 198;
ipv6 = pvv-ipv6 198;
};
tuba = {
ipv4 = pvv-ipv4 199;
ipv6 = pvv-ipv6 199;
};
};