Drift/pvv-nixos-config
17
5
Fork 2
Code Issues Pull Requests 9 Actions Wiki Activity

Compare commits

base: Drift:misc1
Branches Tags
Drift:main Drift:minecraft-heatmap Drift:fix-import-gitea-users-script Drift:gitea-runners-secrets Drift:gitea-runners-cluster Drift:25.05 Drift:new_nodes Drift:ooye Drift:grg-ip Drift:nom Drift:add-skrott Drift:pvvvvv Drift:setup-git-mirroring-on-bicep Drift:init-bakke Drift:gitea-show-license-in-list-view Drift:nix-topology Drift:gitea-robots-txt Drift:dagali-heimdal-openldap-sasl-stack Drift:gitea-navbar-get-started Drift:backup-databases Drift:openwebui Drift:setup-openvpn-tunnel Drift:gitea-gpg-signing Drift:sleipner-authorised-keys Drift:openstack-image-builder Drift:elysium Drift:smartd-notifs Drift:systemd-journald-remote Drift:skrot Drift:deploy-doorbell Drift:misc-gitea-fixes Drift:spotifyd Drift:remote Drift:setup-bikkje-login Drift:ozai-prod Drift:add-bluemap Drift:ozai Drift:setup-postfix-for-service-machines Drift:fix-gitea-ci-runner-network-issues Drift:heimdal-openldap-sasl-testing-on-salsa-on-buskerud Drift:gitea-metrics Drift:misc1 Drift:add-simple-saml-theme Drift:misc-extra-gitea-setup Drift:setup-kerberos Drift:setup-home-areas Drift:shark-kanidm Drift:prometheusexim jonmro:main jonmro:upgrade-to-nixpkgs-23-11 jonmro:mediawiki-on-bekkalokk jonmro:setup-kerberos jonmro:setup-home-areas jonmro:richara-add-user jonmro:replace-knakelibrak-nginx-reverse-proxy jonmro:replace-knakelibrak-nginx-reverse-proxy2 jonmro:nettsiden-on-bekkalokk jonmro:setup-openvpn-tunnel jonmro:actions jonmro:configure-mediawiki jonmro:shark-kanidm jonmro:add-jackson jonmro:add-gitea jonmro:prometheusexim jonmro:apply-overlays
..
compare: jonmro:prometheusexim
Branches Tags
jonmro:main jonmro:upgrade-to-nixpkgs-23-11 jonmro:mediawiki-on-bekkalokk jonmro:setup-kerberos jonmro:setup-home-areas jonmro:richara-add-user jonmro:replace-knakelibrak-nginx-reverse-proxy jonmro:replace-knakelibrak-nginx-reverse-proxy2 jonmro:nettsiden-on-bekkalokk jonmro:setup-openvpn-tunnel jonmro:actions jonmro:configure-mediawiki jonmro:shark-kanidm jonmro:add-jackson jonmro:add-gitea jonmro:prometheusexim jonmro:apply-overlays Drift:main Drift:minecraft-heatmap Drift:fix-import-gitea-users-script Drift:gitea-runners-secrets Drift:gitea-runners-cluster Drift:25.05 Drift:new_nodes Drift:ooye Drift:grg-ip Drift:nom Drift:add-skrott Drift:pvvvvv Drift:setup-git-mirroring-on-bicep Drift:init-bakke Drift:gitea-show-license-in-list-view Drift:nix-topology Drift:gitea-robots-txt Drift:dagali-heimdal-openldap-sasl-stack Drift:gitea-navbar-get-started Drift:backup-databases Drift:openwebui Drift:setup-openvpn-tunnel Drift:gitea-gpg-signing Drift:sleipner-authorised-keys Drift:openstack-image-builder Drift:elysium Drift:smartd-notifs Drift:systemd-journald-remote Drift:skrot Drift:deploy-doorbell Drift:misc-gitea-fixes Drift:spotifyd Drift:remote Drift:setup-bikkje-login Drift:ozai-prod Drift:add-bluemap Drift:ozai Drift:setup-postfix-for-service-machines Drift:fix-gitea-ci-runner-network-issues Drift:heimdal-openldap-sasl-testing-on-salsa-on-buskerud Drift:gitea-metrics Drift:misc1 Drift:add-simple-saml-theme Drift:misc-extra-gitea-setup Drift:setup-kerberos Drift:setup-home-areas Drift:shark-kanidm Drift:prometheusexim

1 Commits
misc1 ... prometheus

Author SHA1 Message Date
Felix Albrigtsen
8bef6bb33c Add exim monitoring to prometheus 2023-01-15 00:19:41 +01:00
117 changed files with 1449 additions and 17265 deletions
Expand all files Collapse all files

13
.gitea/workflows/eval.yml
View File

@@ -1,13 +0,0 @@
name: "Eval nix flake"
on:
pull_request:
push:
jobs:
evals:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: apt-get update && apt-get -y install sudo
- uses: https://github.com/cachix/install-nix-action@v23
- run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
- run: nix flake check

45
.sops.yaml
View File

@@ -1,66 +1,33 @@
keys:
# Users
- &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
- &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
- &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
- &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
# Hosts
- &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
- &host_jokum age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
- &host_ildkule age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
creation_rules:
# Global secrets
- path_regex: secrets/[^/]+\.yaml$
key_groups:
- age:
- *user_danio
- *host_jokum
- *host_ildkule
- *host_bekkalokk
- *host_bicep
- *user_danio
- *user_felixalb
- *user_eirikwit
pgp:
- *user_oysteikt
# Host specific secrets
- path_regex: secrets/bekkalokk/[^/]+\.yaml$
key_groups:
- age:
- *host_bekkalokk
- *user_danio
- *user_felixalb
pgp:
- *user_oysteikt
## Jokum
- path_regex: secrets/jokum/[^/]+\.yaml$
key_groups:
- age:
- *host_jokum
- *user_danio
- *user_felixalb
- *host_jokum
pgp:
- *user_oysteikt
- path_regex: secrets/ildkule/[^/]+\.yaml$
key_groups:
- age:
- *user_felixalb
- *user_danio
- *host_ildkule
- *user_danio
- *user_felixalb
pgp:
- *user_oysteikt
- path_regex: secrets/bicep/[^/]+\.yaml$
key_groups:
- age:
- *host_bicep
- *user_danio
- *user_felixalb
pgp:
- *user_oysteikt

24
README.MD
View File

@@ -4,19 +4,9 @@
Før du endrer på ting husk å ikke putte ting som skal være hemmelig uten å først lese seksjonen for hemmeligheter!
Etter å ha klonet prosjektet ned og gjort endringer kan du evaluere configene med:
Etter å ha klonet prosjektet ned og gjort endringer kan du bygge med:
`nix flake check --keep-going`
før du bygger en maskin med:
`nix build .#<maskinnavn>`
hvis du vil være ekstra sikker på at alt bygger så kan du kjøre:
`nix build .` for å bygge alle de viktige maskinene.
NB: Dette kan ta opp til 30 minutter avhengig av hva som ligger i caches
`nix build .#nixosConfigurations.jokum.config.system.build.toplevel`
Husk å hvertfall stage nye filer om du har laget dem!
@@ -26,7 +16,7 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
som root på maskinen.
@@ -47,11 +37,3 @@ for å få tilgang til å lese/skrive hemmeligheter må du spørre noen/noe som
om å legge til age eller pgp nøkkelen din i [`.sops.yaml`](https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/.sops.yaml)
Denne kan du generere fra ssh-nøkkelene dine eller lage en egen nøkkel.
### Legge til flere keys
Gjør det som gir mening i .sops.yml
Etter det kjør `sops updatekeys secrets/host/file.yml`
MERK at det ikke er `sops -r` som BARE roterer nøkklene for de som allerede er i secretfila

BIN
assets/logo_blue_regular.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 254 KiB

172
assets/logo_blue_regular.svg
View File

@@ -1,172 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
width="200mm"
height="200mm"
viewBox="0 0 200 200"
version="1.1"
id="svg5"
inkscape:version="1.1.2 (b8e25be833, 2022-02-05)"
sodipodi:docname="logo_blue_thicc.svg"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns="http://www.w3.org/2000/svg"
xmlns:svg="http://www.w3.org/2000/svg">
<sodipodi:namedview
id="namedview7"
pagecolor="#505050"
bordercolor="#ffffff"
borderopacity="1"
inkscape:pageshadow="0"
inkscape:pageopacity="0"
inkscape:pagecheckerboard="1"
inkscape:document-units="mm"
showgrid="false"
inkscape:zoom="3.9730533"
inkscape:cx="359.54715"
inkscape:cy="690.40101"
inkscape:window-width="1920"
inkscape:window-height="1057"
inkscape:window-x="-8"
inkscape:window-y="-8"
inkscape:window-maximized="1"
inkscape:current-layer="Layer_4"
width="200mm" />
<defs
id="defs2" />
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1">
<g
id="g98"
transform="scale(0.25)">
<g
id="Layer_2"
style="fill:#283681;fill-opacity:1">
<rect
y="0"
class="st0"
width="800"
height="800"
id="rect4"
x="0"
style="fill:#283681;fill-opacity:1"
inkscape:export-filename="C:\Users\al3xk\OneDrive - NTNU\PVV\Gogs\PR\logoer\logo_blue.png"
inkscape:export-xdpi="480"
inkscape:export-ydpi="480" />
</g>
<g
id="Layer_4"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1">
<line
class="st1"
x1="478.39999"
y1="720.29999"
x2="313.20001"
y2="720.29999"
id="line9"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<path
class="st1"
d="M 478.4,720.3"
id="path11"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<polyline
class="st2"
points="717.1,223.3 717.1,720.3 497.3,720.3 "
id="polyline13"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<path
class="st2"
d="m 498.39888,720.3 c 0,-5.6 -4.5,-10.1 -10.1,-10.1 -5.6,0 -10.1,4.5 -10.1,10.1 h -163.8 c 0,-5.6 -4.5,-10.1 -10.1,-10.1 -5.6,0 -10.1,4.5 -10.1,10.1 -69.7592,0 -145.68417,0 -217.599996,0 V 79.7 H 717.09888 v 120 0 h -17.3 v 24.8 h 17.3"
id="path15"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-linecap:square;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
sodipodi:nodetypes="csccsccccccccc" />
</g>
<g
id="Layer_3"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1">
<circle
class="st2"
cx="396.79999"
cy="400"
id="circle18"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
r="320.29999" />
</g>
<g
id="Layer_1"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1">
<polyline
class="st2"
points="514.5,173.5 170.2,173.5 170.3,626.6 623.3,626.5 623.3,215.7 584.4,173.4 557,173.4 548,180.6 526.5,180.7 "
id="polyline21"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<path
class="st2"
d="m 526.5,331.8 c 0,7.6 -5.4,13.7 -12,13.7 H 227.7 c -6.6,0 -12,-6.1 -12,-13.7 V 187.2 c 0,-7.6 5.4,-13.7 12,-13.7 h 286.8 c 6.6,0 12,6.1 12,13.7 z"
id="path27"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<path
class="st2"
d="m 526.7,333.6 c 0,6.6 -5.4,12 -12,12 H 296.8 c -6.6,0 -12,-5.4 -12,-12 V 185.5 c 0,-6.6 5.4,-12 12,-12 h 217.9 c 6.6,0 12,5.4 12,12 z"
id="path29"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<path
class="st2"
d="m 577.9,613.7 c 0,6.6 -5.4,12 -12,12 H 227.7 c -6.6,0 -12,-5.4 -12,-12 V 381.1 c 0,-6.6 5.4,-12 12,-12 h 338.2 c 6.6,0 12,5.4 12,12 z"
id="path31"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<rect
x="179.89999"
y="590.20001"
class="st2"
width="25.700001"
height="23"
id="rect33"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<rect
x="587.59998"
y="590.20001"
class="st2"
width="25.700001"
height="23"
id="rect35"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<rect
x="433.60001"
y="193.5"
class="st2"
width="64.900002"
height="137.8"
id="rect37"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
</g>
<path
d="m 274.9401,541.572 c 0,3.528 2.772,6.426 6.3,6.426 3.528,0 6.426,-2.898 6.426,-6.426 v -30.996 h 30.87 c 10.458,0 19.152,-8.694 19.152,-19.152 v -22.68 c 0,-10.332 -8.694,-19.026 -19.152,-19.026 h -43.596 z m 12.726,-43.722 v -35.406 h 30.87 c 3.276,0 6.426,2.898 6.426,6.3 v 22.68 c 0,3.528 -3.024,6.426 -6.426,6.426 z"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:126px;font-family:OCRA;-inkscape-font-specification:OCRA;fill:#ffffff;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
id="path55-2" />
<path
d="m 365.99479,478.824 25.326,65.142 c 1.008,2.394 3.276,4.032 6.048,4.032 2.646,0 4.914,-1.638 5.922,-4.032 l 25.452,-65.268 v -22.68 c 0,-3.402 -2.898,-6.3 -6.426,-6.3 -3.528,0 -6.3,2.898 -6.3,6.3 v 20.286 l -18.648,47.628 -18.648,-47.628 v -20.286 c 0,-3.402 -2.898,-6.3 -6.426,-6.3 -3.528,0 -6.3,2.898 -6.3,6.3 z"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:126px;font-family:OCRA;-inkscape-font-specification:OCRA;fill:#ffffff;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
id="path57-8" />
<path
d="m 457.04947,478.824 25.326,65.142 c 1.008,2.394 3.276,4.032 6.048,4.032 2.646,0 4.914,-1.638 5.922,-4.032 l 25.452,-65.268 v -22.68 c 0,-3.402 -2.898,-6.3 -6.426,-6.3 -3.528,0 -6.3,2.898 -6.3,6.3 v 20.286 l -18.648,47.628 -18.648,-47.628 v -20.286 c 0,-3.402 -2.898,-6.3 -6.426,-6.3 -3.528,0 -6.3,2.898 -6.3,6.3 z"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:126px;font-family:OCRA;-inkscape-font-specification:OCRA;fill:#ffffff;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
id="path59-1" />
</g>
</g>
<style
type="text/css"
id="style2">
.st0{fill:#ffffff;}
.st1{fill:none;stroke:#ffffff;stroke-width:2;stroke-miterlimit:10;}
.st2{fill:none;stroke:#000000;stroke-width:2;stroke-miterlimit:10;}
.st3{fill:none;}
.st4{stroke:#000000;stroke-miterlimit:10;}
.st5{font-family:'OCRAStd';}
.st6{font-size:126px;}
</style>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 8.2 KiB

48
base.nix
View File

@@ -1,23 +1,16 @@
{ config, lib, pkgs, inputs, values, ... }:
{ config, pkgs, inputs, ... }:
{
imports = [
./users
./modules/snakeoil-certs.nix
./modules/debug-locations.nix
];
networking.domain = "pvv.ntnu.no";
networking.useDHCP = false;
# networking.search = [ "pvv.ntnu.no" "pvv.org" ];
# networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
# networking.tempAddresses = lib.mkDefault "disabled";
# networking.defaultGateway = values.hosts.gateway;
systemd.network.enable = true;
networking.search = [ "pvv.ntnu.no" "pvv.org" ];
services.resolved = {
enable = lib.mkDefault true;
enable = true;
dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
};
@@ -34,7 +27,7 @@
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
flags = [
"--update-input" "nixpkgs"
"--update-input" "nixpkgs-unstable"
"--update-input" "unstable"
"--no-write-lock-file"
];
};
@@ -57,12 +50,8 @@
environment.systemPackages = with pkgs; [
file
git
gnupg
htop
nano
ripgrep
rsync
screen
tmux
vim
wget
@@ -70,42 +59,15 @@
kitty.terminfo
];
programs.zsh.enable = true;
users.groups."drift".name = "drift";
# Trusted users on the nix builder machines
users.groups."nix-builder-users".name = "nix-builder-users";
services.openssh = {
enable = true;
permitRootLogin = "yes";
extraConfig = ''
PubkeyAcceptedAlgorithms=+ssh-rsa
'';
settings.PermitRootLogin = "yes";
};
sops.age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
# nginx return 444 for all nonexistent virtualhosts
systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
environment.snakeoil-certs = lib.mkIf (config.services.nginx.enable) {
"/etc/certs/nginx" = {
owner = "nginx";
group = "nginx";
};
};
services.nginx.virtualHosts."_" = lib.mkIf (config.services.nginx.enable) {
sslCertificate = "/etc/certs/nginx.crt";
sslCertificateKey = "/etc/certs/nginx.key";
addSSL = true;
extraConfig = "return 444;";
};
}

158
flake.lock generated
View File

@@ -1,161 +1,59 @@
{
"nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1710169806,
"narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
"owner": "nix-community",
"repo": "disko",
"rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"grzegorz": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1696346665,
"narHash": "sha256-J6Tf6a/zhFZ8SereluHLrvgPsIVm2CGHHA8wrbhZB3Y=",
"owner": "Programvareverkstedet",
"repo": "grzegorz",
"rev": "9b9c3ac7d408ac7c6d67544b201e6b169afacb03",
"type": "github"
},
"original": {
"owner": "Programvareverkstedet",
"repo": "grzegorz",
"type": "github"
}
},
"grzegorz-clients": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1693864994,
"narHash": "sha256-oLDiWdCKDtEfeGzfAuDTq+n9VWp6JCo67PEESEZ3y8E=",
"owner": "Programvareverkstedet",
"repo": "grzegorz-clients",
"rev": "a38a0b0fb31ad0ad78a91458cb2c7f77f686468f",
"type": "github"
},
"original": {
"owner": "Programvareverkstedet",
"repo": "grzegorz-clients",
"type": "github"
}
},
"matrix-next": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1710311999,
"narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
"lastModified": 1671009204,
"narHash": "sha256-gqA9po/KmHyh44XYqv/LfFJ1+MGufhaaD6DhDqBeaF8=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "6c9b67974b839740e2a738958512c7a704481157",
"rev": "43dbc17526576cb8e0980cef51c48b6598f97550",
"type": "github"
},
"original": {
"owner": "dali99",
"ref": "flake-experiments",
"repo": "nixos-matrix-modules",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1710248792,
"narHash": "sha256-yFyWw4na+nJgtXwhHs2SJSy5Lcw94/FcMbBOorlGdfI=",
"lastModified": 1670946965,
"narHash": "sha256-PDJfKgK/aSV3ISnD1TbKpLPW85LO/AQI73yQjbwribA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "efbb274f364c918b9937574de879b5874b5833cc",
"rev": "265caf30fa0a5148395b62777389b57eb0a537fd",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.11-small",
"type": "indirect"
"owner": "NixOS",
"ref": "nixos-22.11-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1710033658,
"narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
"lastModified": 1670146390,
"narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8",
"rev": "86370507cb20c905800527539fc049a2bf09c667",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"ref": "release-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1710247538,
"narHash": "sha256-Mm3aCwfAdYgG2zKf5SLRBktPH0swXN1yEetAMn05KAA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "21adc4f16a8ab151fec83b9d9368cd62d9de86bc",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable-small",
"type": "indirect"
}
},
"pvv-calendar-bot": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1693136143,
"narHash": "sha256-amHprjftc3y/bg8yf4hITCLa+ez5HIi0yGfR7TU6UIc=",
"ref": "refs/heads/main",
"rev": "a32894b305f042d561500f5799226afd1faf5abb",
"revCount": 9,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
}
},
"root": {
"inputs": {
"disko": "disko",
"grzegorz": "grzegorz",
"grzegorz-clients": "grzegorz-clients",
"matrix-next": "matrix-next",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"pvv-calendar-bot": "pvv-calendar-bot",
"sops-nix": "sops-nix"
"sops-nix": "sops-nix",
"unstable": "unstable"
}
},
"sops-nix": {
@@ -166,11 +64,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1710195194,
"narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
"lastModified": 1670149631,
"narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
"rev": "da98a111623101c64474a14983d83dad8f09f93d",
"type": "github"
},
"original": {
@@ -178,6 +76,22 @@
"repo": "sops-nix",
"type": "github"
}
},
"unstable": {
"locked": {
"lastModified": 1670918062,
"narHash": "sha256-iOhkyBYUU9Jfkk0lvI4ahpjyrTsLXj9uyJWwmjKg+gg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "84575b0bd882be979516f4fecfe4d7c8de8f6a92",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
}
},
"root": "root",

122
flake.nix
View File

@@ -2,133 +2,45 @@
description = "PVV System flake";
inputs = {
nixpkgs.url = "nixpkgs/nixos-23.11-small";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11-small";
unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules";
matrix-next.inputs.nixpkgs.follows = "nixpkgs";
grzegorz.url = "github:Programvareverkstedet/grzegorz";
grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules/flake-experiments";
};
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
outputs = { self, nixpkgs, unstable, sops-nix, ... }@inputs:
let
nixlib = nixpkgs.lib;
systems = [
"x86_64-linux"
"aarch64-linux"
"aarch64-darwin"
];
forAllSystems = f: nixlib.genAttrs systems (system: f system);
allMachines = nixlib.mapAttrsToList (name: _: name) self.nixosConfigurations;
importantMachines = [
"bekkalokk"
"bicep"
"brzeczyszczykiewicz"
"georg"
"ildkule"
];
forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
in {
nixosConfigurations = let
unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
rec {
system = "x86_64-linux";
specialArgs = {
inherit nixpkgs-unstable inputs;
values = import ./values.nix;
};
modules = [
./hosts/${name}/configuration.nix
sops-nix.nixosModules.sops
] ++ config.modules or [];
pkgs = import nixpkgs {
inherit system;
overlays = [ ] ++ config.overlays or [ ];
};
}
(removeAttrs config [ "modules" "overlays" ])
);
stableNixosConfig = nixosConfig nixpkgs;
unstableNixosConfig = nixosConfig nixpkgs-unstable;
in {
bicep = stableNixosConfig "bicep" {
nixosConfigurations = {
jokum = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit unstable inputs; };
modules = [
inputs.matrix-next.nixosModules.default
inputs.pvv-calendar-bot.nixosModules.default
];
overlays = [
inputs.pvv-calendar-bot.overlays.x86_64-linux.default
];
};
bekkalokk = stableNixosConfig "bekkalokk" {
overlays = [
(final: prev: {
heimdal = unstablePkgs.heimdal;
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
})
];
};
bob = stableNixosConfig "bob" {
modules = [
disko.nixosModules.disko
{ disko.devices.disk.disk1.device = "/dev/vda"; }
];
};
ildkule = stableNixosConfig "ildkule" { };
#ildkule-unstable = unstableNixosConfig "ildkule" { };
shark = stableNixosConfig "shark" { };
./hosts/jokum/configuration.nix
sops-nix.nixosModules.sops
brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
modules = [
inputs.grzegorz.nixosModules.grzegorz-kiosk
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.matrix-next.nixosModules.synapse
];
};
georg = stableNixosConfig "georg" {
ildkule = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit unstable inputs; };
modules = [
inputs.grzegorz.nixosModules.grzegorz-kiosk
inputs.grzegorz-clients.nixosModules.grzegorz-webui
./hosts/ildkule/configuration.nix
sops-nix.nixosModules.sops
];
};
buskerud = stableNixosConfig "buskerud" { };
};
devShells = forAllSystems (system: {
default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
});
packages = {
"x86_64-linux" = let
pkgs = nixpkgs.legacyPackages."x86_64-linux";
in rec {
default = important-machines;
important-machines = pkgs.linkFarm "important-machines"
(nixlib.getAttrs importantMachines self.packages.x86_64-linux);
all-machines = pkgs.linkFarm "all-machines"
(nixlib.getAttrs allMachines self.packages.x86_64-linux);
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
} // nixlib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
};
};
}

41
hosts/bekkalokk/configuration.nix
View File

@@ -1,41 +0,0 @@
{ pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
#./services/keycloak.nix
# TODO: set up authentication for the following:
# ./services/website.nix
./services/nginx
./services/gitea/default.nix
./services/kerberos
./services/webmail
./services/mediawiki
./services/idp-simplesamlphp
];
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
virtualisation.podman.enable = true;
networking.hostName = "bekkalokk";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0";
address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11";
}

40
hosts/bekkalokk/hardware-configuration.nix
View File

@@ -1,40 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/sda1";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/CE63-3B9B";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

30
hosts/bekkalokk/services/gitea/ci.nix
View File

@@ -1,30 +0,0 @@
{ config, lib, values, ... }:
let
mkRunner = name: {
# This is unfortunately state, and has to be generated one at a time :(
# To do that, comment out all except one of the runners, fill in its token
# inside the sops file, rebuild the system, and only after this runner has
# successfully registered will gitea give you the next token.
# - oysteikt Sep 2023
sops.secrets."gitea/runners/${name}".restartUnits = [
"gitea-runner-${name}.service"
];
services.gitea-actions-runner.instances = {
${name} = {
enable = true;
name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
labels = [
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:18-bullseye"
];
tokenFile = config.sops.secrets."gitea/runners/${name}".path;
};
};
};
in
lib.mkMerge [
(mkRunner "alpha")
(mkRunner "beta")
(mkRunner "epsilon")
]

105
hosts/bekkalokk/services/gitea/default.nix
View File

@@ -1,105 +0,0 @@
{ config, values, pkgs, ... }:
let
cfg = config.services.gitea;
domain = "git.pvv.ntnu.no";
sshPort = 2222;
in {
imports = [
./ci.nix
];
sops.secrets = {
"gitea/database" = {
owner = "gitea";
group = "gitea";
};
"gitea/passwd-ssh-key" = { };
"gitea/ssh-known-hosts" = { };
"gitea/import-user-env" = { };
};
services.gitea = {
enable = true;
stateDir = "/data/gitea";
appName = "PVV Git";
database = {
type = "postgres";
host = "postgres.pvv.ntnu.no";
port = config.services.postgresql.port;
passwordFile = config.sops.secrets."gitea/database".path;
createDatabase = false;
};
settings = {
server = {
DOMAIN = domain;
ROOT_URL = "https://${domain}/";
PROTOCOL = "http+unix";
SSH_PORT = sshPort;
START_SSH_SERVER = true;
};
indexer.REPO_INDEXER_ENABLED = true;
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
database.LOG_SQL = false;
picture = {
DISABLE_GRAVATAR = true;
ENABLE_FEDERATED_AVATAR = false;
};
actions.ENABLED = true;
"ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
};
};
environment.systemPackages = [ cfg.package ];
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
recommendedProxySettings = true;
extraConfig = ''
client_max_body_size 512M;
'';
};
};
networking.firewall.allowedTCPPorts = [ sshPort ];
# Automatically import users
systemd.services.gitea-import-users = {
enable = true;
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
serviceConfig = {
ExecStart = pkgs.writers.writePython3 "gitea-import-users" { libraries = [ pkgs.python3Packages.requests ]; } (builtins.readFile ./gitea-import-users.py);
LoadCredential=[
"sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
];
DynamicUser="yes";
EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
};
};
systemd.timers.gitea-import-users = {
requires = [ "gitea.service" ];
after = [ "gitea.service" ];
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*-*-* 02:00:00";
Persistent = true;
Unit = "gitea-import-users.service";
};
};
system.activationScripts.linkGiteaLogo.text = let
logo-svg = ../../../../assets/logo_blue_regular.svg;
logo-png = ../../../../assets/logo_blue_regular.png;
in ''
install -Dm444 ${logo-svg} ${cfg.stateDir}/custom/public/img/logo.svg
install -Dm444 ${logo-png} ${cfg.stateDir}/custom/public/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.stateDir}/custom/public/img/loading.png
'';
}

94
hosts/bekkalokk/services/gitea/gitea-import-users.py
View File

@@ -1,94 +0,0 @@
import requests
import secrets
import os
EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
if EMAIL_DOMAIN is None:
EMAIL_DOMAIN = 'pvv.ntnu.no'
API_TOKEN = os.getenv('API_TOKEN')
if API_TOKEN is None:
raise Exception('API_TOKEN not set')
GITEA_API_URL = os.getenv('GITEA_API_URL')
if GITEA_API_URL is None:
GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
BANNED_SHELLS = [
"/usr/bin/nologin",
"/usr/sbin/nologin",
"/sbin/nologin",
"/bin/false",
"/bin/msgsh",
]
existing_users = {}
# This function should only ever be called when adding users
# from the passwd file
def add_user(username, name):
user = {
"full_name": name,
"username": username,
"login_name": username,
"source_id": 1, # 1 = SMTP
}
if username not in existing_users:
user["password"] = secrets.token_urlsafe(32)
user["must_change_password"] = False
user["visibility"] = "private"
user["email"] = username + '@' + EMAIL_DOMAIN
r = requests.post(GITEA_API_URL + '/admin/users', json=user,
headers={'Authorization': 'token ' + API_TOKEN})
if r.status_code != 201:
print('ERR: Failed to create user ' + username + ': ' + r.text)
return
print('Created user ' + username)
existing_users[username] = user
else:
user["visibility"] = existing_users[username]["visibility"]
r = requests.patch(GITEA_API_URL + f'/admin/users/{username}',
json=user,
headers={'Authorization': 'token ' + API_TOKEN})
if r.status_code != 200:
print('ERR: Failed to update user ' + username + ': ' + r.text)
return
print('Updated user ' + username)
def main():
# Fetch existing users
r = requests.get(GITEA_API_URL + '/admin/users',
headers={'Authorization': 'token ' + API_TOKEN})
if r.status_code != 200:
raise Exception('Failed to get users: ' + r.text)
for user in r.json():
existing_users[user['login']] = user
# Read the file, add each user
with open("/tmp/passwd-import", 'r') as f:
for line in f.readlines():
uid = int(line.split(':')[2])
if uid < 1000:
continue
shell = line.split(':')[-1]
if shell in BANNED_SHELLS:
continue
username = line.split(':')[0]
name = line.split(':')[4].split(',')[0]
add_user(username, name)
if __name__ == '__main__':
main()

BIN
hosts/bekkalokk/services/gitea/loading.apng
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.1 MiB

135
hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php
View File

@@ -1,135 +0,0 @@
<?php
/**
* Authenticate using HTTP login.
*
* @author Yorn de Jong
* @author Oystein Kristoffer Tveit
* @package simpleSAMLphp
*/
namespace SimpleSAML\Module\authpwauth\Auth\Source;
class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
{
protected $pwauth_bin_path;
protected $mail_domain;
public function __construct(array $info, array &$config) {
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
$this->pwauth_bin_path = $config['pwauth_bin_path'];
if (array_key_exists('mail_domain', $config)) {
$this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
}
}
public function login(string $username, string $password): array {
$username = strtolower( $username );
if (!file_exists($this->pwauth_bin_path)) {
die("Could not find pwauth binary");
return false;
}
if (!is_executable($this->pwauth_bin_path)) {
die("pwauth binary is not executable");
return false;
}
$handle = popen($this->pwauth_bin_path, 'w');
if ($handle === FALSE) {
die("Error opening pipe to pwauth");
return false;
}
$data = "$username\n$password\n";
if (fwrite($handle, $data) !== strlen($data)) {
die("Error writing to pwauth pipe");
return false;
}
# Is the password valid?
$result = pclose( $handle );
if ($result !== 0) {
if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) {
die("pwauth returned $result for username $username");
}
throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
}
/*
$ldap = ldap_connect('129.241.210.159', 389);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls($ldap);
ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
$search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
$entry = ldap_first_entry($ldap, $search);
$dn = ldap_get_dn($ldap, $entry);
$newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
ldap_modify_batch($ldap, $dn, [
#[
# 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
# 'attrib' => 'unicodePwd',
# 'values' => [$password],
#],
[
#'modtype' => LDAP_MODIFY_BATCH_ADD,
'modtype' => LDAP_MODIFY_BATCH_REPLACE,
'attrib' => 'unicodePwd',
'values' => [$newpassword],
],
]);
*/
#0 - Login OK.
#1 - Nonexistant login or (for some configurations) incorrect password.
#2 - Incorrect password (for some configurations).
#3 - Uid number is below MIN_UNIX_UID value configured in config.h.
#4 - Login ID has expired.
#5 - Login's password has expired.
#6 - Logins to system have been turned off (usually by /etc/nologin file).
#7 - Limit on number of bad logins exceeded.
#50 - pwauth was not run with real uid SERVER_UID. If you get this
# this error code, you probably have SERVER_UID set incorrectly
# in pwauth's config.h file.
#51 - pwauth was not given a login & password to check. The means
# the passing of data from mod_auth_external to pwauth is messed
# up. Most likely one is trying to pass data via environment
# variables, while the other is trying to pass data via a pipe.
#52 - one of several possible internal errors occured.
$uid = $username;
# TODO: Reinstate this code once passwd is working...
/*
$cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1'));
$groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid)));
array_shift($groups);
array_shift($groups);
array_pop($groups);
$info = posix_getpwnam($uid);
$group = $info['gid'];
if (!in_array($group, $groups)) {
$groups[] = $group;
}
*/
$cn = "Unknown McUnknown";
$groups = array();
$result = array(
'uid' => array($uid),
'cn' => array($cn),
'group' => $groups,
);
if (isset($this->mail_domain)) {
$result['mail'] = array($uid.$this->mail_domain);
}
return $result;
}
}

1293
hosts/bekkalokk/services/idp-simplesamlphp/config.php
View File

File diff suppressed because it is too large Load Diff

203
hosts/bekkalokk/services/idp-simplesamlphp/default.nix
View File

@@ -1,203 +0,0 @@
{ config, pkgs, lib, ... }:
let
pwAuthScript = pkgs.writeShellApplication {
name = "pwauth";
runtimeInputs = with pkgs; [ coreutils heimdal ];
text = ''
read -r user1
user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
if test "$user1" != "$user2"
then
read -r _
exit 2
fi
kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
kdestroy >/dev/null 2>/dev/null
'';
};
package = pkgs.simplesamlphp.override {
extra_files = {
# NOTE: Using self signed certificate created 30. march 2024, with command:
# openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
"metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
<?php
$metadata['https://idp2.pvv.ntnu.no/'] = array(
'host' => '__DEFAULT__',
'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
'certificate' => '${./idp.crt}',
'auth' => 'pwauth',
);
?>
'';
"metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
<?php
${ lib.pipe config.services.idp.sp-remote-metadata [
(map (url: ''
$metadata['${url}'] = [
'SingleLogoutService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
],
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
],
],
'AssertionConsumerService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 0,
],
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 1,
],
],
];
''))
(lib.concatStringsSep "\n")
]}
?>
'';
"config/authsources.php" = pkgs.writeText "idp-authsources.php" ''
<?php
$config = array(
'admin' => array(
'core:AdminPassword'
),
'pwauth' => array(
'authpwauth:PwAuth',
'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
'mail_domain' => '@pvv.ntnu.no',
),
);
?>
'';
"config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
cp ${./config.php} "$out"
substituteInPlace "$out" \
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
--replace '$SAML_ADMIN_NAME' '"Drift"' \
--replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
--replace '$SAML_DATABASE_USERNAME' '"idp"' \
--replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
--replace '$CACHE_DIRECTORY' '/var/cache/idp'
'';
"modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
};
};
in
{
options.services.idp.sp-remote-metadata = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
description = ''
List of urls point to (simplesamlphp) service profiders, which the idp should trust.
:::{.note}
Make sure the url ends with a `/`
:::
'';
};
config = {
sops.secrets = {
"idp/privatekey" = {
owner = "idp";
group = "idp";
mode = "0770";
};
"idp/admin_password" = {
owner = "idp";
group = "idp";
};
"idp/postgres_password" = {
owner = "idp";
group = "idp";
};
"idp/cookie_salt" = {
owner = "idp";
group = "idp";
};
};
users.groups."idp" = { };
users.users."idp" = {
description = "PVV Identity Provider Service User";
group = "idp";
createHome = false;
isSystemUser = true;
};
systemd.tmpfiles.settings."10-idp" = {
"/var/cache/idp".d = {
user = "idp";
group = "idp";
mode = "0770";
};
"/var/lib/idp".d = {
user = "idp";
group = "idp";
mode = "0770";
};
};
services.phpfpm.pools.idp = {
user = "idp";
group = "idp";
settings = let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
# "php_admin_value[error_log]" = "stderr";
};
};
services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
root = "${package}/share/php/simplesamlphp/public";
locations = {
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
"/" = {
alias = "${package}/share/php/simplesamlphp/public/";
index = "index.php";
extraConfig = ''
location ~ ^/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$phpfile;
fastcgi_param SCRIPT_NAME /$phpfile;
fastcgi_param PATH_INFO $pathinfo if_not_empty;
}
'';
};
};
};
};
}

33
hosts/bekkalokk/services/idp-simplesamlphp/idp.crt
View File

@@ -1,33 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIFqTCCA5GgAwIBAgIUL2+PMM9rE9wI5W2yNnJ2CmfGxh0wDQYJKoZIhvcNAQEL
BQAwZDELMAkGA1UEBhMCTk8xEzARBgNVBAgMClNvbWUtU3RhdGUxHjAcBgNVBAoM
FVByb2dyYW12YXJldmVya3N0ZWRldDEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2
Lm50bnUubm8wHhcNMjQwMzMwMDAyNjQ0WhcNMjUwMzMwMDAyNjQ0WjBkMQswCQYD
VQQGEwJOTzETMBEGA1UECAwKU29tZS1TdGF0ZTEeMBwGA1UECgwVUHJvZ3JhbXZh
cmV2ZXJrc3RlZGV0MSAwHgYJKoZIhvcNAQkBFhFkcmlmdEBwdnYubnRudS5ubzCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/0l0jdV+PoVxdd21F+2NLm
JN6sZmSJexOSk/sFjhhF4WMtjOfDAQYjt3hlLPyYl//jCe9WteavvtdCx1tHJitd
xjOUJ/leVjHzBttCVZR+iTlQtpsZ2TbRMJ5Fcfl82njlPecV4umJvnnFXawE4Qee
dE2OM8ODjjrK1cNaHR74tyZCwmdOxNHXZ7RN22p9kZjLD18LQyNr5igaDBeaZkyk
Gxbg4tbP51x9JFRLF7kUlyAc83geFnw6v/wBahr49m/X4y7xE0rdPb2L0moUjmOO
Zyl3hvxMI3+g/0FVMM5eKmfIIP2rIVEAa6MWMx0vPjC6h2fIyxkUqg5C8aFlpqav
+8f2rUc+JfdiFsIZNrylBXsleGzS+/wY1uB/pAy5Vg9WCp+eC75EtWMt0k2f442G
rhKa3lAZ6GIYrtEiQiNGM1aT1Cs1nqTtslfnHiuAKBefLjCXgq9uvL2yRodwe9/m
oZiqYnLHy/v1xfnF5rKTcRmOleU3tc+nlN6tZSGC1nZgMpqpoqdcbJXAkvaJ2Km4
sl0YS28VQnztgzuVPNdnv8lcS6HmkaGaNWbepKgWeaH5oT7O6u99wZIv88m+tf5m
Eu197YVpcclnojQCYKauWcQFsXS20egsVP87Qk0e2SHmGTUQp6YEYX6RLjkg7/vS
BelDBbCldraNVEiC0jmpAgMBAAGjUzBRMB0GA1UdDgQWBBSL0yofG5NEmzFIRuqC
xmyiuZW6DTAfBgNVHSMEGDAWgBSL0yofG5NEmzFIRuqCxmyiuZW6DTAPBgNVHRMB
Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAZZVs7BLk/NLq3f4Ik8qH3IoDN
2m4XXRZS+xxw5RwctgSnik7AffgAfv8QQm2co8UYkHbB0whaG1PDz+L7wB1hVkWn
DVUaJcKQnn0x+sNU5LoTbjI0PlaST7PO5D0OMFab8FSNxpzzpbUcgZUhelc99Ri/
2Gh8mf4b3Y3Uzq6YKFsuFM65OuJhH8f1w6onai9x28t6tERHUSUfJ2keXzU4ytCV
EitWXwhe759VLqmdP4BATwlCOCuwa5aDeGcWRIqFpYIn0SOAmVV3o4V71JdZc1jE
fuOo/PbiHZ+R9ZGbh98aMidb0moL1ZDhmir9KbedezNyki6JJ72mVclhLqUajFxr
T39FXd5e2+QBMHPPhVFznQoHWnHEbZigTt61b0cg/TsxaxOkF4Ilmr/2DmSWysWK
TF5eq8hp6/53qVbXXSzrCjxd3wzGnRabsEVPX/L2hYDx81hluovJQCtskqTq1joI
W2R7AO5Sdyc6NfOR85kl0HXzHa+0Slsf8ZDs5nCz/mOOPoAGl7IxF7xQ6kPO7V+U
HdGE2tkblM/TrAObJH0HXySeJGI7Vfya+D1Y8IqGtyZtWyx1DmlA/OezGGf5D3rG
88LywHQQ2mQ+8aosBTE4+HQ+apLKZBprqQKuiDjT1RSUbfUHQkYuL+D1oIVmklAc
UxTpf01QJnZkMqf5NQ==
-----END CERTIFICATE-----

22
hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix
View File

@@ -1,22 +0,0 @@
''
<?php
$metadata['https://idp2.pvv.ntnu.no/'] = [
'metadata-set' => 'saml20-idp-hosted',
'entityid' => 'https://idp2.pvv.ntnu.no/',
'SingleSignOnService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
],
],
'SingleLogoutService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
],
],
'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],
'certificate' => '${./idp.crt}',
];
?>
''

27
hosts/bekkalokk/services/kerberos/default.nix
View File

@@ -1,27 +0,0 @@
{ config, pkgs, lib, ... }:
{
#######################
# TODO: remove these once nixos 24.05 gets released
#######################
imports = [
./krb5.nix
./pam.nix
];
disabledModules = [
"config/krb5/default.nix"
"security/pam.nix"
];
#######################
security.krb5 = {
enable = true;
settings = {
libdefaults = {
default_realm = "PVV.NTNU.NO";
dns_lookup_realm = "yes";
dns_lookup_kdc = "yes";
};
realms."PVV.NTNU.NO".admin_server = "kdc.pvv.ntnu.no";
};
};
}

88
hosts/bekkalokk/services/kerberos/krb5-conf-format.nix
View File

@@ -1,88 +0,0 @@
{ pkgs, lib, ... }:
# Based on
# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
let
inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
str submodule;
in
{ }: {
type = let
section = attrsOf relation;
relation = either (attrsOf value) value;
value = either (listOf atom) atom;
atom = oneOf [int str bool];
in submodule {
freeformType = attrsOf section;
options = {
include = mkOption {
default = [ ];
description = mdDoc ''
Files to include in the Kerberos configuration.
'';
type = coercedTo path singleton (listOf path);
};
includedir = mkOption {
default = [ ];
description = mdDoc ''
Directories containing files to include in the Kerberos configuration.
'';
type = coercedTo path singleton (listOf path);
};
module = mkOption {
default = [ ];
description = mdDoc ''
Modules to obtain Kerberos configuration from.
'';
type = coercedTo path singleton (listOf path);
};
};
};
generate = let
indent = str: concatMapStringsSep "\n" (line: " " + line) (splitString "\n" str);
formatToplevel = args @ {
include ? [ ],
includedir ? [ ],
module ? [ ],
...
}: let
sections = removeAttrs args [ "include" "includedir" "module" ];
in concatStringsSep "\n" (filter (x: x != "") [
(concatStringsSep "\n" (mapAttrsToList formatSection sections))
(concatMapStringsSep "\n" (m: "module ${m}") module)
(concatMapStringsSep "\n" (i: "include ${i}") include)
(concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
]);
formatSection = name: section: ''
[${name}]
${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
'';
formatRelation = name: relation:
if isAttrs relation
then ''
${name} = {
${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
}''
else formatValue name relation;
formatValue = name: value:
if isList value
then concatMapStringsSep "\n" (formatAtom name) value
else formatAtom name value;
formatAtom = name: atom: let
v = if isBool atom then boolToString atom else toString atom;
in "${name} = ${v}";
in
name: value: pkgs.writeText name ''
${formatToplevel value}
'';
}

90
hosts/bekkalokk/services/kerberos/krb5.nix
View File

@@ -1,90 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
inherit (lib.types) bool;
mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
The option `krb5.${name}' has been removed. Use
`security.krb5.settings.${name}' for structured configuration.
'';
cfg = config.security.krb5;
format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
in {
imports = [
(mkRemovedOptionModuleCfg "libdefaults")
(mkRemovedOptionModuleCfg "realms")
(mkRemovedOptionModuleCfg "domain_realm")
(mkRemovedOptionModuleCfg "capaths")
(mkRemovedOptionModuleCfg "appdefaults")
(mkRemovedOptionModuleCfg "plugins")
(mkRemovedOptionModuleCfg "config")
(mkRemovedOptionModuleCfg "extraConfig")
(mkRemovedOptionModule' "kerberos" ''
The option `krb5.kerberos' has been moved to `security.krb5.package'.
'')
];
options = {
security.krb5 = {
enable = mkOption {
default = false;
description = mdDoc "Enable and configure Kerberos utilities";
type = bool;
};
package = mkPackageOption pkgs "krb5" {
example = "heimdal";
};
settings = mkOption {
default = { };
type = format.type;
description = mdDoc ''
Structured contents of the {file}`krb5.conf` file. See
{manpage}`krb5.conf(5)` for details about configuration.
'';
example = {
include = [ "/run/secrets/secret-krb5.conf" ];
includedir = [ "/run/secrets/secret-krb5.conf.d" ];
libdefaults = {
default_realm = "ATHENA.MIT.EDU";
};
realms = {
"ATHENA.MIT.EDU" = {
admin_server = "athena.mit.edu";
kdc = [
"athena01.mit.edu"
"athena02.mit.edu"
];
};
};
domain_realm = {
"mit.edu" = "ATHENA.MIT.EDU";
};
logging = {
kdc = "SYSLOG:NOTICE";
admin_server = "SYSLOG:NOTICE";
default = "SYSLOG:NOTICE";
};
};
};
};
};
config = mkIf cfg.enable {
environment = {
systemPackages = [ cfg.package ];
etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
};
};
meta.maintainers = builtins.attrValues {
inherit (lib.maintainers) dblsaiko h7x4;
};
}

1543
hosts/bekkalokk/services/kerberos/pam.nix
View File

File diff suppressed because it is too large Load Diff

24
hosts/bekkalokk/services/keycloak.nix
View File

@@ -1,24 +0,0 @@
{ pkgs, config, values, ... }:
{
sops.secrets."keys/postgres/keycloak" = {
owner = "keycloak";
group = "keycloak";
restartUnits = [ "keycloak.service" ];
};
services.keycloak = {
enable = true;
settings = {
hostname = "auth.pvv.ntnu.no";
# hostname-strict-backchannel = true;
};
database = {
host = values.hosts.bicep.ipv4;
createLocally = false;
passwordFile = config.sops.secrets."keys/postgres/keycloak".path;
caCert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
};
};
}

216
hosts/bekkalokk/services/mediawiki/default.nix
View File

@@ -1,216 +0,0 @@
{ pkgs, lib, config, values, pkgs-unstable, ... }: let
cfg = config.services.mediawiki;
# "mediawiki"
user = config.systemd.services.mediawiki-init.serviceConfig.User;
# "mediawiki"
group = config.users.users.${user}.group;
simplesamlphp = pkgs.simplesamlphp.override {
extra_files = {
"metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
"config/authsources.php" = ./simplesaml-authsources.php;
"config/config.php" = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
cp ${./simplesaml-config.php} "$out"
substituteInPlace "$out" \
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
--replace '$SAML_ADMIN_NAME' '"Drift"' \
--replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' \
--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
'';
};
};
in {
services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
sops.secrets = lib.pipe [
"mediawiki/password"
"mediawiki/postgres_password"
"mediawiki/simplesamlphp/postgres_password"
"mediawiki/simplesamlphp/cookie_salt"
"mediawiki/simplesamlphp/admin_password"
] [
(map (key: lib.nameValuePair key {
owner = user;
group = group;
}))
lib.listToAttrs
];
services.mediawiki = {
enable = true;
name = "Programvareverkstedet";
passwordFile = config.sops.secrets."mediawiki/password".path;
passwordSender = "drift@pvv.ntnu.no";
database = {
type = "mysql";
host = "mysql.pvv.ntnu.no";
port = 3306;
user = "mediawiki";
passwordFile = config.sops.secrets."mediawiki/postgres_password".path;
createLocally = false;
# TODO: create a normal database and copy over old data when the service is production ready
name = "mediawiki";
};
# Host through nginx
webserver = "none";
poolConfig = let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in {
inherit user group;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
# "php_admin_value[error_log]" = "stderr";
# to accept *.html file
"security.limit_extensions" = "";
};
extensions = {
inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
};
extraConfig = ''
$wgServer = "https://wiki2.pvv.ntnu.no";
$wgLocaltimezone = "Europe/Oslo";
# Only allow login through SSO
$wgEnableEmail = false;
$wgEnableUserEmail = false;
$wgEmailAuthentication = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgPluggableAuth_EnableAutoLogin = false;
# Misc. permissions
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = true;
# Misc. URL rules
$wgUsePathInfo = true;
$wgScriptExtension = ".php";
$wgNamespacesWithSubpages[NS_MAIN] = true;
# Styling
$wgLogos = array(
"2x" => "/PNG/PVV-logo.png",
"icon" => "/PNG/PVV-logo.svg",
);
$wgDefaultSkin = "vector-2022";
# from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
$wgVectorDefaultSidebarVisibleForAnonymousUser = true;
$wgVectorResponsive = true;
# Misc
$wgEmergencyContact = "${cfg.passwordSender}";
$wgShowIPinHeader = false;
$wgUseTeX = false;
$wgLocalInterwiki = $wgSitename;
# SimpleSAML
$wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
$wgPluggableAuth_Config['Log in using my SAML'] = [
'plugin' => 'SimpleSAMLphp',
'data' => [
'authSourceId' => 'default-sp',
'usernameAttribute' => 'uid',
'emailAttribute' => 'mail',
'realNameAttribute' => 'cn',
]
];
# Fix https://github.com/NixOS/nixpkgs/issues/183097
$wgDBserver = "${toString cfg.database.host}";
'';
};
# Cache directory for simplesamlphp
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
user = "mediawiki";
group = "mediawiki";
mode = "0770";
};
users.groups.mediawiki.members = [ "nginx" ];
services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
locations = {
"/" = {
index = "index.php";
};
"~ /(.+\\.php)" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
'';
};
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
"^~ /simplesaml/" = {
alias = "${simplesamlphp}/share/php/simplesamlphp/public/";
index = "index.php";
extraConfig = ''
location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile;
# Must be prepended with the baseurlpath
fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
fastcgi_param PATH_INFO $pathinfo if_not_empty;
}
'';
};
"/images/".alias = "${config.services.mediawiki.uploadsDir}/";
"= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
"= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
"= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
buildInputs = with pkgs; [ imagemagick ];
} ''
convert \
-resize x64 \
-gravity center \
-crop 64x64+0+0 \
${../../../../assets/logo_blue_regular.png} \
-flatten \
-colors 256 \
-background transparent \
$out
'';
};
};
}

11
hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php
View File

@@ -1,11 +0,0 @@
<?php
$config = array(
'admin' => array(
'core:AdminPassword'
),
'default-sp' => array(
'saml:SP',
'entityID' => 'https://wiki2.pvv.ntnu.no/simplesaml/',
'idp' => 'https://idp2.pvv.ntnu.no/',
),
);

1293
hosts/bekkalokk/services/mediawiki/simplesaml-config.php
View File

File diff suppressed because it is too large Load Diff

4
hosts/bekkalokk/services/metrics/loki.nix
View File

@@ -1,4 +0,0 @@
{ ... }:
{
}

4
hosts/bekkalokk/services/metrics/prometheus.nix
View File

@@ -1,4 +0,0 @@
{ ... }:
{
}

55
hosts/bekkalokk/services/nginx/ingress.nix
View File

@@ -1,55 +0,0 @@
{ config, lib, ... }:
{
services.nginx.virtualHosts = {
"www2.pvv.ntnu.no" = {
serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
addSSL = true;
enableACME = true;
locations = {
# Proxy home directories
"/~" = {
extraConfig = ''
proxy_redirect off;
proxy_pass https://tom.pvv.ntnu.no;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
# Redirect old wiki entries
"/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
"/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
"/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
"/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
"/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
"/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
"/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
"/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
"/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
"/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
"/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
"/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
# TODO: Redirect webmail
"/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
# Redirect everything else to the main website
"/".return = "301 https://www.pvv.ntnu.no$request_uri";
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"/.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
};
};
};
}

15
hosts/bekkalokk/services/webmail/default.nix
View File

@@ -1,15 +0,0 @@
{ config, values, pkgs, lib, ... }:
{
imports = [
./roundcube.nix
];
services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
#locations."/" = lib.mkForce { };
locations."= /" = {
return = "301 https://www.pvv.ntnu.no/mail/";
};
};
}

74
hosts/bekkalokk/services/webmail/roundcube.nix
View File

@@ -1,74 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.roundcube;
domain = "webmail2.pvv.ntnu.no";
in
{
services.roundcube = {
enable = true;
package = pkgs.roundcube.withPlugins (plugins: with plugins; [
persistent_login
thunderbird_labels
contextmenu
custom_from
]);
dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
maxAttachmentSize = 20;
hostName = "roundcubeplaceholder.example.com";
extraConfig = ''
$config['enable_installer'] = false;
$config['default_host'] = "ssl://imap.pvv.ntnu.no";
$config['default_port'] = 993;
$config['smtp_server'] = "ssl://smtp.pvv.ntnu.no";
$config['smtp_port'] = 465;
$config['mail_domain'] = "pvv.ntnu.no";
$config['smtp_user'] = "%u";
$config['support_url'] = "";
'';
};
services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
services.nginx.virtualHosts.${domain} = {
locations."/roundcube" = {
tryFiles = "$uri $uri/ =404";
index = "index.php";
root = pkgs.runCommandLocal "roundcube-dir" { } ''
mkdir -p $out
ln -s ${cfg.package} $out/roundcube
'';
extraConfig = ''
location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
# https://wiki.archlinux.org/title/Roundcube
"README"
"INSTALL"
"LICENSE"
"CHANGELOG"
"UPGRADING"
"bin"
"SQL"
".+\\.md"
"\\."
"config"
"temp"
"logs"
]})/? {
deny all;
}
location ~ ^/roundcube/(.+\.php)(/?.*)$ {
fastcgi_split_path_info ^/roundcube(/.+\.php)(/.+)$;
include ${config.services.nginx.package}/conf/fastcgi_params;
include ${config.services.nginx.package}/conf/fastcgi.conf;
fastcgi_index index.php;
fastcgi_pass unix:${config.services.phpfpm.pools.roundcube.socket};
}
'';
};
};
}

4
hosts/bekkalokk/services/website.nix
View File

@@ -1,4 +0,0 @@
{ ... }:
{
}

24
hosts/bicep/acmeCert.nix
View File

@@ -1,24 +0,0 @@
{ values, ... }:
{
users.groups.acme.members = [ "nginx" ];
security.acme.certs."postgres.pvv.ntnu.no" = {
group = "acme";
extraDomainNames = [
# "postgres.pvv.org"
"bicep.pvv.ntnu.no"
# "bicep.pvv.org"
# values.hosts.bicep.ipv4
# values.hosts.bicep.ipv6
];
};
services.nginx = {
enable = true;
virtualHosts."postgres.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
# useACMEHost = "postgres.pvv.ntnu.no";
};
};
}

43
hosts/bicep/configuration.nix
View File

@@ -1,43 +0,0 @@
{ pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./services/nginx
./acmeCert.nix
./services/mysql.nix
./services/postgres.nix
./services/mysql.nix
# TODO: fix the calendar bot
# ./services/calendar-bot.nix
./services/matrix
];
sops.defaultSopsFile = ../../secrets/bicep/bicep.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/disk/by-id/scsi-3600508b1001cb1a8751c137b30610682";
networking.hostName = "bicep";
systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp6s0f0";
address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
};
systemd.network.wait-online = {
anyInterface = true;
};
# Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11";
}

40
hosts/bicep/hardware-configuration.nix
View File

@@ -1,40 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "hpsa" "ohci_pci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/31a67903-dc00-448a-a24a-36e820318fe5";
fsType = "ext4";
};
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/79e93eed-ad95-45c9-b115-4ef92afcc8c0";
fsType = "f2fs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f2.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

25
hosts/bicep/services/calendar-bot.nix
View File

@@ -1,25 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.pvv-calendar-bot;
in {
sops.secrets."calendar-bot/matrix_token" = {
sopsFile = ../../../secrets/bicep/bicep.yaml;
key = "calendar-bot/matrix_token";
owner = cfg.user;
group = cfg.group;
};
services.pvv-calendar-bot = {
enable = true;
settings = {
matrix = {
homeserver = "https://matrix.pvv.ntnu.no";
user = "@bot_calendar:pvv.ntnu.no";
channel = "!gkNLUIhYVpEyLatcRz:pvv.ntnu.no";
};
secretsFile = config.sops.secrets."calendar-bot/matrix_token".path;
onCalendar = "*-*-* 09:00:00";
};
};
}

56
hosts/bicep/services/matrix/mjolnir.nix
View File

@@ -1,56 +0,0 @@
{ config, lib, ... }:
{
sops.secrets."matrix/mjolnir/access_token" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "mjolnir/access_token";
owner = config.users.users.mjolnir.name;
group = config.users.users.mjolnir.group;
};
services.mjolnir = {
enable = true;
pantalaimon.enable = false;
homeserverUrl = http://127.0.0.1:8008;
accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
protectedRooms = map (a: "https://matrix.to/#/${a}") [
"#pvv:pvv.ntnu.no"
"#stand:pvv.ntnu.no"
"#music:pvv.ntnu.no"
"#arts-and-crafts:pvv.ntnu.no"
"#programming:pvv.ntnu.no"
"#talks-and-texts:pvv.ntnu.no"
"#job-offers:pvv.ntnu.no"
"#vaffling:pvv.ntnu.no"
"#pvv-fadder:pvv.ntnu.no"
"#offsite:pvv.ntnu.no"
"#help:pvv.ntnu.no"
"#garniske-algoritmer:pvv.ntnu.no"
"#bouldering:pvv.ntnu.no"
"#filmclub:pvv.ntnu.no"
"#video-games:pvv.ntnu.no"
"#board-games:pvv.ntnu.no"
"#tabletop-rpgs:pvv.ntnu.no"
"#anime:pvv.ntnu.no"
"#general:pvv.ntnu.no"
"#announcements:pvv.ntnu.no"
"#memes:pvv.ntnu.no"
"#drift:pvv.ntnu.no"
"#notifikasjoner:pvv.ntnu.no"
"#forespoersler:pvv.ntnu.no"
"#krisekanalen:pvv.ntnu.no"
"#styret:pvv.ntnu.no"
];
settings = {
admin.enableMakeRoomAdminCommand = true;
};
# Module wants it even when not using pantalaimon
# TODO: Fix upstream module in nixpkgs
pantalaimon.username = "bot_admin";
};
}

17
hosts/bicep/services/matrix/smtp-authenticator/default.nix
View File

@@ -1,17 +0,0 @@
{ lib, buildPythonPackage, fetchFromGitHub }:
buildPythonPackage rec {
pname = "matrix-synapse-smtp-auth";
version = "0.1.0";
src = ./.;
doCheck = false;
meta = with lib; {
description = "An SMTP auth provider for Synapse";
homepage = "pvv.ntnu.no";
license = licenses.agpl3Only;
maintainers = with maintainers; [ dandellion ];
};
}

11
hosts/bicep/services/matrix/smtp-authenticator/setup.py
View File

@@ -1,11 +0,0 @@
from setuptools import setup
setup(
name="matrix-synapse-smtp-auth",
version="0.1.0",
py_modules=['smtp_auth_provider'],
author="Daniel Løvbrøtte Olsen",
author_email="danio@pvv.ntnu.no",
description="An SMTP auth provider for Synapse",
license="AGPL-3.0-only"
)

50
hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py
View File

@@ -1,50 +0,0 @@
from typing import Awaitable, Callable, Optional, Tuple
from smtplib import SMTP_SSL as SMTP
import synapse
from synapse import module_api
import re
class SMTPAuthProvider:
def __init__(self, config: dict, api: module_api):
self.api = api
self.config = config
api.register_password_auth_provider_callbacks(
auth_checkers={
("m.login.password", ("password",)): self.check_pass,
},
)
async def check_pass(
self,
username: str,
login_type: str,
login_dict: "synapse.module_api.JsonDict",
):
if login_type != "m.login.password":
return None
# Convert `@username:server` to `username`
match = re.match(r'^@([\da-z\-\.=_\/\+]+):[\w\d\.:\[\]]+$', username)
username = match.group(1) if match else username
result = False
with SMTP(self.config["smtp_host"]) as smtp:
password = login_dict.get("password")
try:
smtp.login(username, password)
result = True
except:
return None
if result == True:
userid = self.api.get_qualified_user_id(username)
if not self.api.check_user_exists(userid):
self.api.register_user(username)
return (userid, None)
else:
return None

53
hosts/bicep/services/mysql.nix
View File

@@ -1,53 +0,0 @@
{ pkgs, lib, config, values, ... }:
{
sops.secrets."mysql/password" = {
owner = "mysql";
group = "mysql";
};
users.mysql.passwordFile = config.sops.secrets."mysql/password".path;
services.mysql = {
enable = true;
dataDir = "/data/mysql";
package = pkgs.mariadb;
settings = {
mysqld = {
# PVV allows a lot of connections at the same time
max_connect_errors = 10000;
bind-address = values.services.mysql.ipv4;
skip-networking = 0;
# This was needed in order to be able to use all of the old users
# during migration from knakelibrak to bicep in Sep. 2023
secure_auth = 0;
};
};
# Note: This user also has MAX_USER_CONNECTIONS set to 3, and
# a password which can be found in /secrets/ildkule/ildkule.yaml
# We have also changed both the host and auth plugin of this user
# to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
ensureUsers = [{
name = "prometheus_mysqld_exporter";
ensurePermissions = {
"*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
};
}];
};
services.mysqlBackup = {
enable = true;
location = "/var/lib/mysql/backups";
};
networking.firewall.allowedTCPPorts = [ 3306 ];
systemd.services.mysql.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
values.ipv4-space
values.ipv6-space
];
};
}

45
hosts/bicep/services/nginx/default.nix
View File

@@ -1,45 +0,0 @@
{ config, values, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "danio@pvv.ntnu.no";
};
services.nginx = {
enable = true;
enableReload = true;
defaultListenAddresses = [
values.hosts.bicep.ipv4
"[${values.hosts.bicep.ipv6}]"
"127.0.0.1"
"127.0.0.2"
"[::1]"
];
appendConfig = ''
pcre_jit on;
worker_processes 8;
worker_rlimit_nofile 8192;
'';
eventsConfig = ''
multi_accept on;
worker_connections 4096;
'';
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedBrotliSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
systemd.services.nginx.serviceConfig = {
LimitNOFILE = 65536;
};
}

97
hosts/bicep/services/postgres.nix
View File

@@ -1,97 +0,0 @@
{ config, pkgs, ... }:
let
sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
in
{
services.postgresql = {
enable = true;
package = pkgs.postgresql_15;
enableTCPIP = true;
dataDir = "/data/postgresql";
authentication = ''
host all all 129.241.210.128/25 md5
host all all 2001:700:300:1900::/64 md5
'';
# Hilsen https://pgconfigurator.cybertec-postgresql.com/
settings = {
# Connectivity
max_connections = 500;
superuser_reserved_connections = 3;
# Memory Settings
shared_buffers = "8192 MB";
work_mem = "32 MB";
maintenance_work_mem = "420 MB";
effective_cache_size = "22 GB";
effective_io_concurrency = 100;
random_page_cost = 1.25;
# Monitoring
shared_preload_libraries = "pg_stat_statements";
track_io_timing = true;
track_functions = "pl";
# Replication
wal_level = "replica";
max_wal_senders = 0;
synchronous_commit = false;
# Checkpointing:
checkpoint_timeout = "15 min";
checkpoint_completion_target = 0.9;
max_wal_size = "1024 MB";
min_wal_size = "512 MB";
# WAL writing
wal_compression = true;
wal_buffers = -1;
# Background writer
bgwriter_delay = "200ms";
bgwriter_lru_maxpages = 100;
bgwriter_lru_multiplier = 2.0;
bgwriter_flush_after = 0;
# Parallel queries:
max_worker_processes = 8;
max_parallel_workers_per_gather = 4;
max_parallel_maintenance_workers = 4;
max_parallel_workers = 8;
parallel_leader_participation = true;
# Advanced features
enable_partitionwise_join = true;
enable_partitionwise_aggregate = true;
max_slot_wal_keep_size = "1000 MB";
track_wal_io_timing = true;
maintenance_io_concurrency = 100;
wal_recycle = true;
# SSL
ssl = true;
ssl_cert_file = "/run/credentials/postgresql.service/cert";
ssl_key_file = "/run/credentials/postgresql.service/key";
};
};
systemd.services.postgresql.serviceConfig = {
LoadCredential = [
"cert:${sslCert.directory}/cert.pem"
"key:${sslCert.directory}/key.pem"
];
};
users.groups.acme.members = [ "postgres" ];
networking.firewall.allowedTCPPorts = [ 5432 ];
networking.firewall.allowedUDPPorts = [ 5432 ];
services.postgresqlBackup = {
enable = true;
location = "/var/lib/postgres/backups";
backupAll = true;
};
}

44
hosts/bikkje/configuration.nix
View File

@@ -1,44 +0,0 @@
{ config, pkgs, values, ... }:
{
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "ens3";
# Lazy IPv6 connectivity for the container
enableIPv6 = true;
};
containers.bikkje = {
autoStart = true;
config = { config, pkgs, ... }: {
#import packages
packages = with pkgs; [
alpine
mutt
mutt-ics
mutt-wizard
weechat
weechatScripts.edit
hexchat
irssi
pidgin
];
networking = {
firewall = {
enable = true;
# Allow SSH and HTTP and ports for email and irc
allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = mkForce false;
};
system.stateVersion = "23.11";
services.resolved.enable = true;
};
};
};

46
hosts/bob/configuration.nix
View File

@@ -1,46 +0,0 @@
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./disks.nix
../../misc/builder.nix
];
sops.defaultSopsFile = ../../secrets/bob/bob.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
};
networking.hostName = "bob"; # Define your hostname.
systemd.network.networks."30-all" = values.defaultNetworkConfig // {
matchConfig.Name = "en*";
DHCP = "yes";
gateway = [ ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

39
hosts/bob/disks.nix
View File

@@ -1,39 +0,0 @@
# Example to create a bios compatible gpt partition
{ lib, ... }:
{
disko.devices = {
disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
}

24
hosts/bob/hardware-configuration.nix
View File

@@ -1,24 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

36
hosts/brzeczyszczykiewicz/configuration.nix
View File

@@ -1,36 +0,0 @@
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./services/grzegorz.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "brzeczyszczykiewicz";
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
matchConfig.Name = "eno1";
address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

39
hosts/brzeczyszczykiewicz/hardware-configuration.nix
View File

@@ -1,39 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/82E3-3D03";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

11
hosts/brzeczyszczykiewicz/services/grzegorz.nix
View File

@@ -1,11 +0,0 @@
{ config, ... }:
{
imports = [ ../../../modules/grzegorz.nix ];
services.nginx.virtualHosts."${config.networking.fqdn}" = {
serverAliases = [
"bokhylle.pvv.ntnu.no"
"bokhylle.pvv.org"
];
};
}

36
hosts/buskerud/configuration.nix
View File

@@ -1,36 +0,0 @@
{ config, pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
];
# buskerud does not support efi?
# boot.loader.systemd-boot.enable = true;
# boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sdb";
networking.hostName = "buskerud";
networking.search = [ "pvv.ntnu.no" "pvv.org" ];
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
networking.tempAddresses = "disabled";
systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp3s0f0";
address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

37
hosts/buskerud/hardware-configuration.nix
View File

@@ -1,37 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/ed9654fe-575a-4fb3-b6ff-1b059479acff";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp14s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp14s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

36
hosts/georg/configuration.nix
View File

@@ -1,36 +0,0 @@
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
../../modules/grzegorz.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "georg";
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
matchConfig.Name = "eno1";
address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

40
hosts/georg/hardware-configuration.nix
View File

@@ -1,40 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/145E-7362";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

66
hosts/greddost/configuration.nix Normal file
View File

@@ -0,0 +1,66 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
../../hardware-configuration.nix
../../base.nix
../../services/minecraft
];
nixpkgs.config.packageOverrides = pkgs: {
unstable = (import <nixos-unstable>) { };
};
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
# boot.loader.grub.efiSupport = true;
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
networking.hostName = "greddost"; # Define your hostname.
networking.interfaces.ens18.useDHCP = false;
networking.defaultGateway = "129.241.210.129";
networking.interfaces.ens18.ipv4 = {
addresses = [
{
address = "129.241.210.174";
prefixLength = 25;
}
];
};
networking.interfaces.ens18.ipv6 = {
addresses = [
{
address = "2001:700:300:1900::174";
prefixLength = 64;
}
];
};
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 25565 ];
networking.firewall.allowedUDPPorts = [ 25565 ];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}

158
hosts/greddost/services/minecraft/default.nix Normal file
View File

@@ -0,0 +1,158 @@
{config, lib, pkgs, ... }:
{
imports = [ ./minecraft-server-fabric.nix ];
environment.systemPackages = with pkgs; [
mcron
];
pvv.minecraft-server-fabric = {
enable = true;
eula = true;
package = pkgs.callPackage ../../pkgs/minecraft-server-fabric { minecraft-server = (pkgs.callPackage ../../pkgs/minecraft-server/1_18_1.nix { }); };
jvmOpts = "-Xms10G -Xmx10G -XX:+UnlockExperimentalVMOptions -XX:+UseZGC -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:+ParallelRefProcEnabled";
serverProperties = {
view-distance = 12;
simulation-distance = 12;
enable-command-block = true;
gamemode = "survival";
difficulty = "normal";
white-list = true;
enable-rcon = true;
"rcon.password" = "pvv";
};
dataDir = "/fast/minecraft-pvv";
mods = [
(pkgs.fetchurl { # Fabric API is a common dependency for fabric based mods
url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/0.44.0+1.18/fabric-api-0.44.0+1.18.jar";
sha256 = "0mlmj7mj073a48s8zgc1km0jwkphz01c1fvivn4mw37lbm2p4834";
})
(pkgs.fetchurl { # Lithium is a 100% vanilla compatible optimization mod
url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/mc1.18.1-0.7.6/lithium-fabric-mc1.18.1-0.7.6.jar";
sha256 = "1fw1ikg578v4i6bmry7810a3q53h8yspxa3awdz7d746g91g8lf7";
})
(pkgs.fetchurl { # Starlight is the lighting engine of papermc
url = "https://cdn.modrinth.com/data/H8CaAYZC/versions/Starlight%201.0.0%201.18.x/starlight-1.0.0+fabric.d0a3220.jar";
sha256 = "0bv9im45hhc8n6x57lakh2rms0g5qb7qfx8qpx8n6mbrjjz6gla1";
})
(pkgs.fetchurl { # Krypton is a linux optimized optimizer for minecrafts networking system
url = "https://cdn.modrinth.com/data/fQEb0iXm/versions/0.1.6/krypton-0.1.6.jar";
sha256 = "1ribvbww4msrfdnzlxipk8kpzz7fnwnd4q6ln6mpjlhihcjb3hni";
})
(pkgs.fetchurl { # C2ME is a parallelizer for chunk loading and generation, experimental!!!
url = "https://cdn.modrinth.com/data/VSNURh3q/versions/0.2.0+alpha.5.104%201.18.1/c2me-fabric-mc1.18.1-0.2.0+alpha.5.104-all.jar";
sha256 = "13zrpsg61fynqnnlm7dvy3ihxk8khlcqsif68ak14z7kgm4py6nw";
})
(pkgs.fetchurl { # Spark is a profiler for minecraft
url = "https://ci.lucko.me/job/spark/251/artifact/spark-fabric/build/libs/spark-fabric.jar";
sha256 = "1clvi5v7a14ba23jbka9baz99h6wcfjbadc8kkj712fmy2h0sx07";
})
#(pkgs.fetchurl { # Carpetmod gives you tps views in the tab menu,
# # but also adds a lot of optional serverside vanilla+ features (which we arent using).
# # So probably want something else
# url = "https://github.com/gnembon/fabric-carpet/releases/download/1.4.56/fabric-carpet-1.18-1.4.56+v211130.jar";
# sha256 = "0rvl2yb8xymla8c052j07gqkqfkz4h5pxf6aip2v9v0h8r84p9hf";
#})
];
whitelist = {
gunalx = "913a21ae-3a11-4178-a192-401490ca0891";
eirikwitt = "1689e626-1cc8-4b91-81c4-0632fd34eb19";
Rockj = "202c0c91-a4e0-4b45-8c1b-fc51a8956c0a";
paddishar = "326845aa-4b45-4cd9-8108-7816e10a9828";
nordyorn = "f253cddf-a520-42ab-85d3-713992746e42";
hell04 = "c681df2a-6a30-4c66-b70d-742eb68bbc04";
steinarh = "bd8c419e-e6dc-4fc5-ac62-b92f98c1abc9";
EastTown2000 = "f273ed2e-d3ba-43fc-aff4-3e800cdf25e1";
DirDanner = "5b5476a2-1138-476b-9ff1-1f39f834a428";
asgeirbj = "dbd5d89f-3d8a-4662-ad15-6c4802d0098f";
Linke03 = "0dbc661d-898a-47ff-a371-32b7bd76b78b";
somaen = "cc0bdd13-4304-4160-80e7-8f043446fa83";
einaman = "39f45df3-423d-4274-9ef9-c9b7575e3804";
liseu = "c8f4d9d8-3140-4c35-9f66-22bc351bb7e6";
torsteno = "ae1e7b15-a0de-4244-9f73-25b68427e34a";
simtind = "39c03c95-d628-4ccc-843d-ce1332462d9e";
aellaie = "c585605d-24bb-4d75-ba9c-0064f6a39328";
PerKjelsvik = "5df69f17-27c9-4426-bcae-88b435dfae73";
CelestialCry = "9e34d192-364e-4566-883a-afc868c4224d";
terjesc = "993d70e8-6f9b-4094-813c-050d1a90be62";
maxelost = "bf465915-871a-4e3e-a80c-061117b86b23";
"4ce1" = "8a9b4926-0de8-43f0-bcde-df1442dee1d0";
exponential = "1ebcca9d-0964-48f3-9154-126a9a7e64f6";
Dodsorbot = "3baa9d58-32e4-465e-80bc-9dcb34e23e1d";
HFANTOM = "cd74d407-7fb0-4454-b3f4-c0b4341fde18";
Ghostmaker = "96465eee-e665-49ab-9346-f12d5a040624";
soonhalle = "61a8e674-7c7a-4120-80d1-4453a5993350";
MasterMocca = "481e6dac-9a17-4212-9664-645c3abe232f";
soulprayfree = "cfb1fb23-5115-4fe2-9af9-00a02aea9bf8";
calibwam = "0d5d5209-bb7c-4006-9451-fb85d7d52618";
Skuggen = "f0ccee0b-741a-413a-b8e6-d04552b9d78a";
Sivertsen3 = "cefac1a6-52a7-4781-be80-e7520f758554";
vafflonaut = "4d864d5c-74e2-4f29-b57d-50dea76aaabd";
Dhila = "c71d6c23-14d7-4daf-ae59-cbf0caf45681";
remorino = "2972ab22-96b3-462d-ab4d-9b6b1775b9bb";
SamuelxJackson = "f140e4aa-0a19-48ab-b892-79b24bd82c1e";
ToanBuiDuc = "a3c54742-4caf-4334-8bbb-6402a8eb4268";
Joces123 = "ecbcfbf9-9bcc-49f0-9435-f2ac2b3217c1";
brunsviken = "75ff5f0e-8adf-4807-a7f0-4cb66f81cb7f";
oscarsb1 = "9460015a-65cc-4a2f-9f91-b940b6ce7996";
CVi = "6f5691ce-9f9c-4310-84aa-759d2f9e138e";
Tawos = "0b98e55c-10cf-4b23-85d3-d15407431ace";
evenhunn = "8751581b-cc5f-4f8b-ae1e-34d90127e074";
q41 = "a080e5b4-10ee-4d6f-957e-aa5053bb1046";
jesper001 = "fbdf3ceb-eaa9-4aeb-94c2-a587cde41774";
finninde = "f58afd00-28cd-48dd-a74a-6c1d76b57f66";
GameGuru999 = "535f2188-a4a4-4e54-bec6-74977bee09ab";
MinusOneKelvin = "b6b973bf-1e35-4a58-803b-a555fd90a172";
SuperRagna = "e2c32136-e510-41b1-84c0-41baeccfb0b9";
Zamazaki = "d4411eca-401a-4565-9451-5ced6f48f23f";
supertheodor = "610c4e86-0ecc-4e7a-bffc-35a2e7d90aa6";
Minelost = "22ae2a1f-cfd9-4f10-9e41-e7becd34aba8";
Bjand = "aed136b6-17f7-4ce1-8a7b-a09eb1694ccf";
Dandellion = "f393413b-59fc-49d7-a5c4-83a5d177132c";
Shogori = "f9d571bd-5754-46e8-aef8-e89b38a6be9b";
Caragath = "f8d34f3a-55c3-4adc-b8d8-73a277f979e8";
Shmaapqueen = "425f2eef-1a9d-4626-9ba3-cd58156943dc";
Liquidlif3 = "420482b3-885f-4951-ba1e-30c22438a7e0";
newtonseple = "7d8bf9ca-0499-4cb7-9d6a-daabf80482b6";
nainis = "2eaf3736-decc-4e11-9a44-af2df0ee7c81";
Devolan = "87016228-76b2-434f-a963-33b005ae9e42";
zSkyler = "c92169e4-ca14-4bd5-9ea2-410fe956abe2";
Cryovat = "7127d743-873e-464b-927a-d23b9ad5b74a";
cybrhuman = "14a67926-cff0-4542-a111-7f557d10cc67";
stinl = "3a08be01-1e74-4d68-88d1-07d0eb23356f";
Mirithing = "7b327f51-4f1b-4606-88c7-378eff1b92b1";
"_dextra" = "4b7b4ee7-eb5b-48fd-88c3-1cc68f06acda";
Soraryuu = "0d5ffe48-e64f-4d6d-9432-f374ea8ec10c";
klarken1 = "d6967cb8-2bc6-4db7-a093-f0770cce47df";
};
};
networking.firewall.allowedTCPPorts = [ 25565 ];
networking.firewall.allowedUDPPorts = [ 25565 ];
systemd.services."minecraft-backup" = {
serviceConfig.Type = "oneshot";
script = ''
${pkgs.mcrcon}/bin/mcrcon -p pvv "say Starting Backup" "save-off" "save-all"
${pkgs.rsync}/bin/rsync -aiz --delete ${config.pvv.minecraft-server-fabric.dataDir}/world /fast/backup # Where to put backup
${pkgs.mcrcon}/bin/mcrcon -p pvv "save-all" "say Completed Backup" "save-on" "save-all"
'';
};
systemd.timers."minecraft-backup" = {
wantedBy = ["timers.target"];
timerConfig.OnCalendar = [ "hourly" ];
};
}

180
hosts/greddost/services/minecraft/minecraft-server-fabric.nix Normal file
View File

@@ -0,0 +1,180 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.pvv.minecraft-server-fabric;
# We don't allow eula=false anyways
eulaFile = builtins.toFile "eula.txt" ''
# eula.txt managed by NixOS Configuration
eula=true
'';
whitelistFile = pkgs.writeText "whitelist.json"
(builtins.toJSON
(mapAttrsToList (n: v: { name = n; uuid = v; }) cfg.whitelist));
cfgToString = v: if builtins.isBool v then boolToString v else toString v;
serverPropertiesFile = pkgs.writeText "server.properties" (''
# server.properties managed by NixOS configuration
'' + concatStringsSep "\n" (mapAttrsToList
(n: v: "${n}=${cfgToString v}") cfg.serverProperties));
defaultServerPort = 25565;
serverPort = cfg.serverProperties.server-port or defaultServerPort;
rconPort = if cfg.serverProperties.enable-rcon or false
then cfg.serverProperties."rcon.port" or 25575
else null;
queryPort = if cfg.serverProperties.enable-query or false
then cfg.serverProperties."query.port" or 25565
else null;
in
{
options.pvv.minecraft-server-fabric = {
enable = mkEnableOption "minecraft-server-fabric";
package = mkOption {
type = types.package;
};
eula = mkOption {
type = types.bool;
default = false;
description = ''
Whether you agree to
<link xlink:href="https://account.mojang.com/documents/minecraft_eula">
Mojangs EULA</link>. This option must be set to
<literal>true</literal> to run Minecraft server.
'';
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/minecraft-fabric";
description = ''
Directory to store Minecraft database and other state/data files.
'';
};
whitelist = mkOption {
type = let
minecraftUUID = types.strMatching
"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" // {
description = "Minecraft UUID";
};
in types.attrsOf minecraftUUID;
default = {};
description = ''
Whitelisted players, only has an effect when
<option>services.minecraft-server.declarative</option> is
<literal>true</literal> and the whitelist is enabled
via <option>services.minecraft-server.serverProperties</option> by
setting <literal>white-list</literal> to <literal>true</literal>.
This is a mapping from Minecraft usernames to UUIDs.
You can use <link xlink:href="https://mcuuid.net/"/> to get a
Minecraft UUID for a username.
'';
example = literalExpression ''
{
username1 = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
username2 = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy";
};
'';
};
serverProperties = mkOption {
type = with types; attrsOf (oneOf [ bool int str ]);
default = {};
example = literalExpression ''
{
server-port = 43000;
difficulty = 3;
gamemode = 1;
max-players = 5;
motd = "NixOS Minecraft server!";
white-list = true;
enable-rcon = true;
"rcon.password" = "hunter2";
}
'';
description = ''
Minecraft server properties for the server.properties file. Only has
an effect when <option>services.minecraft-server.declarative</option>
is set to <literal>true</literal>. See
<link xlink:href="https://minecraft.gamepedia.com/Server.properties#Java_Edition_3"/>
for documentation on these values.
'';
};
jvmOpts = mkOption {
type = types.separatedString " ";
default = "-Xmx2048M -Xms2048M";
# Example options from https://minecraft.gamepedia.com/Tutorials/Server_startup_script
example = "-Xmx2048M -Xms4092M -XX:+UseG1GC -XX:+CMSIncrementalPacing "
+ "-XX:+CMSClassUnloadingEnabled -XX:ParallelGCThreads=2 "
+ "-XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
description = "JVM options for the Minecraft server.";
};
mods = mkOption {
type = types.listOf types.package;
example = literalExpression ''
[
(pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/0.44.0+1.18/fabric-api-0.44.0+1.18.jar";
sha256 = "0mlmj7mj073a48s8zgc1km0jwkphz01c1fvivn4mw37lbm2p4834";
})
];
'';
description = "List of mods to put in the mods folder";
};
};
config = mkIf cfg.enable {
users.users.minecraft = {
description = "Minecraft server service user";
home = cfg.dataDir;
createHome = true;
isSystemUser = true;
group = "minecraft";
};
users.groups.minecraft = {};
systemd.services.minecraft-server-fabric = {
description = "Minecraft Server Service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${cfg.package}/bin/minecraft-server ${cfg.jvmOpts}";
Restart = "always";
User = "minecraft";
WorkingDirectory = cfg.dataDir;
};
preStart = ''
ln -sf ${eulaFile} eula.txt
ln -sf ${whitelistFile} whitelist.json
cp -f ${serverPropertiesFile} server.properties
ln -sfn ${pkgs.linkFarmFromDrvs "fabric-mods" cfg.mods} mods
'';
};
assertions = [
{ assertion = cfg.eula;
message = "You must agree to Mojangs EULA to run minecraft-server."
+ " Read https://account.mojang.com/documents/minecraft_eula and"
+ " set `services.minecraft-server.eula` to `true` if you agree.";
}
];
};
}

24
hosts/ildkule/configuration.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, values, ... }:
{ config, pkgs, ... }:
{
imports = [
# Include the results of the hardware scan.
@@ -20,10 +20,26 @@
networking.hostName = "ildkule"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.ildkule; [ (ipv4 + "/25") (ipv6 + "/64") ];
networking.interfaces.ens18.useDHCP = false;
networking.defaultGateway = "129.241.210.129";
networking.interfaces.ens18.ipv4 = {
addresses = [
{
address = "129.241.210.187";
prefixLength = 25;
}
];
};
networking.interfaces.ens18.ipv6 = {
addresses = [
{
address = "2001:700:300:1900::187";
prefixLength = 64;
}
];
};
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
# List packages installed in system profile
environment.systemPackages = with pkgs; [

1009
hosts/ildkule/services/metrics/dashboards/go-processes.json
View File

File diff suppressed because it is too large Load Diff

3801
hosts/ildkule/services/metrics/dashboards/mysql.json
View File

File diff suppressed because it is too large Load Diff

3167
hosts/ildkule/services/metrics/dashboards/postgres.json
View File

File diff suppressed because it is too large Load Diff

1710
hosts/ildkule/services/metrics/dashboards/synapse.json
View File

File diff suppressed because it is too large Load Diff

2
hosts/ildkule/services/metrics/default.nix
View File

@@ -2,7 +2,7 @@
{
imports = [
./prometheus
./prometheus.nix
./grafana.nix
./loki.nix
];

59
hosts/ildkule/services/metrics/grafana.nix
View File

@@ -1,41 +1,15 @@
{ config, pkgs, values, ... }: let
{ config, pkgs, ... }:
let
cfg = config.services.grafana;
in {
sops.secrets = let
owner = "grafana";
group = "grafana";
in {
"keys/grafana/secret_key" = { inherit owner group; };
"keys/grafana/admin_password" = { inherit owner group; };
"keys/postgres/grafana" = { inherit owner group; };
};
services.grafana = {
enable = true;
settings = let
# See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
secretFile = path: "$__file{${path}}";
in {
server = {
domain = "ildkule.pvv.ntnu.no";
http_port = 2342;
http_addr = "127.0.0.1";
};
security = {
secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
};
database = {
type = "postgres";
user = "grafana";
host = "${values.hosts.bicep.ipv4}:5432";
password = secretFile config.sops.secrets."keys/postgres/grafana".path;
};
settings.server = {
domain = "ildkule.pvv.ntnu.no";
http_port = 2342;
http_addr = "127.0.0.1";
};
provision = {
enable = true;
datasources.settings.datasources = [
@@ -64,25 +38,6 @@ in {
url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
options.path = dashboards/synapse.json;
}
# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
# {
# name = "MySQL";
# type = "file";
# url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
# options.path = dashboards/mysql.json;
# }
{
name = "Postgresql";
type = "file";
url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
options.path = dashboards/postgres.json;
}
{
name = "Go Processes (gogs)";
type = "file";
url = "https://grafana.com/api/dashboards/240/revisions/3/download";
options.path = dashboards/go-processes.json;
}
];
};

76
hosts/ildkule/services/metrics/prometheus.nix Normal file
View File

@@ -0,0 +1,76 @@
{ config, pkgs, ... }:
let
cfg = config.services.prometheus;
in {
services.prometheus = {
enable = true;
listenAddress = "127.0.0.1";
port = 9001;
scrapeConfigs = [
{
job_name = "node";
static_configs = [
{
targets = [
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
"microbel.pvv.ntnu.no:9100"
"isvegg.pvv.ntnu.no:9100"
"knakelibrak.pvv.ntnu.no:9100"
];
}
];
}
{
job_name = "exim";
scrape_interval = "60s";
static_configs = [
{
targets = [
"microbel.pvv.ntnu.no:9636"
];
}
];
}
{
job_name = "synapse";
scrape_interval = "15s";
scheme = "https";
http_sd_configs = [
{
url = "https://matrix.pvv.ntnu.no/metrics/config.json";
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
regex = "[^/]+(/.*)";
target_label = "__metrics_path__";
}
{
source_labels = [ "__address__" ];
regex = "([^/]+)/.*";
target_label = "instance";
}
{
source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
target_label = "job";
}
{
source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
target_label = "index";
}
{
source_labels = [ "__address__" ];
regex = "([^/]+)/.*";
target_label = "__address__";
}
];
}
];
ruleFiles = [ rules/synapse-v2.rules ];
};
}

18
hosts/ildkule/services/metrics/prometheus/default.nix
View File

@@ -1,18 +0,0 @@
{ config, ... }: {
imports = [
./gogs.nix
./matrix-synapse.nix
# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
# ./mysqld.nix
./node.nix
./postgres.nix
];
services.prometheus = {
enable = true;
listenAddress = "127.0.0.1";
port = 9001;
ruleFiles = [ rules/synapse-v2.rules ];
};
}

16
hosts/ildkule/services/metrics/prometheus/gogs.nix
View File

@@ -1,16 +0,0 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "git-gogs";
scheme = "https";
metrics_path = "/-/metrics";
static_configs = [
{
targets = [
"essendrop.pvv.ntnu.no:443"
];
}
];
}];
}

40
hosts/ildkule/services/metrics/prometheus/matrix-synapse.nix
View File

@@ -1,40 +0,0 @@
{ ... }:
{
services.prometheus.scrapeConfigs = [{
job_name = "synapse";
scrape_interval = "15s";
scheme = "https";
http_sd_configs = [{
url = "https://matrix.pvv.ntnu.no/metrics/config.json";
}];
relabel_configs = [
{
source_labels = [ "__address__" ];
regex = "[^/]+(/.*)";
target_label = "__metrics_path__";
}
{
source_labels = [ "__address__" ];
regex = "([^/]+)/.*";
target_label = "instance";
}
{
source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
target_label = "job";
}
{
source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
target_label = "index";
}
{
source_labels = [ "__address__" ];
regex = "([^/]+)/.*";
target_label = "__address__";
}
];
}];
}

25
hosts/ildkule/services/metrics/prometheus/mysqld.nix
View File

@@ -1,25 +0,0 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
sops.secrets."config/mysqld_exporter" = { };
services.prometheus = {
scrapeConfigs = [{
job_name = "mysql";
scheme = "http";
metrics_path = cfg.exporters.mysqld.telemetryPath;
static_configs = [
{
targets = [
"localhost:${toString cfg.exporters.mysqld.port}"
];
}
];
}];
exporters.mysqld = {
enable = true;
configFilePath = config.sops.secrets."config/mysqld_exporter".path;
};
};
}

22
hosts/ildkule/services/metrics/prometheus/node.nix
View File

@@ -1,22 +0,0 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "node";
static_configs = [
{
targets = [
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
"microbel.pvv.ntnu.no:9100"
"isvegg.pvv.ntnu.no:9100"
"knakelibrak.pvv.ntnu.no:9100"
"hildring.pvv.ntnu.no:9100"
"bicep.pvv.ntnu.no:9100"
"essendrop.pvv.ntnu.no:9100"
"andresbu.pvv.ntnu.no:9100"
"bekkalokk.pvv.ntnu.no:9100"
];
}
];
}];
}

51
hosts/ildkule/services/metrics/prometheus/postgres.nix
View File

@@ -1,51 +0,0 @@
{ pkgs, lib, config, values, ... }: let
cfg = config.services.prometheus;
in {
sops.secrets = {
"keys/postgres/postgres_exporter_env" = {};
"keys/postgres/postgres_exporter_knakelibrak_env" = {};
};
services.prometheus = {
scrapeConfigs = [
{
job_name = "postgres";
scrape_interval = "15s";
static_configs = [{
targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
labels = {
server = "bicep";
};
}];
}
{
job_name = "postgres-knakelibrak";
scrape_interval = "15s";
static_configs = [{
targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
labels = {
server = "knakelibrak";
};
}];
}
];
exporters.postgres = {
enable = true;
extraFlags = [ "--auto-discover-databases" ];
environmentFile = config.sops.secrets."keys/postgres/postgres_exporter_env".path;
};
};
systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let
localCfg = config.services.prometheus.exporters.postgres;
in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path;
ExecStart = ''
${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \
--web.listen-address ${localCfg.listenAddress}:${toString (localCfg.port + 1)} \
--web.telemetry-path ${localCfg.telemetryPath} \
${lib.concatStringsSep " \\\n " localCfg.extraFlags}
'';
};
}

0
hosts/ildkule/services/metrics/prometheus/rules/synapse-v2.rules → hosts/ildkule/services/metrics/rules/synapse-v2.rules
View File

15
hosts/ildkule/services/nginx/default.nix
View File

@@ -1,5 +1,7 @@
{ config, values, ... }:
{config, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "drift@pvv.ntnu.no";
@@ -8,17 +10,6 @@
services.nginx = {
enable = true;
enableReload = true;
defaultListenAddresses = [
values.hosts.ildkule.ipv4
"[${values.hosts.ildkule.ipv6}]"
"127.0.0.1"
"127.0.0.2"
"[::1]"
];
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;

72
hosts/jokum/configuration.nix Normal file
View File

@@ -0,0 +1,72 @@
{ config, pkgs, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
# Users can just import any configuration they want even for non-user things. Improve the users/default.nix to just load some specific attributes if this isn't wanted
../../misc/rust-motd.nix
./services/matrix
./services/nginx
];
sops.defaultSopsFile = ../../secrets/jokum/jokum.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.devices = [ "/dev/sda" ];
networking.hostName = "jokum"; # Define your hostname.
networking.interfaces.ens18.useDHCP = false;
networking.defaultGateway = "129.241.210.129";
networking.interfaces.ens18.ipv4 = {
addresses = [
{
address = "129.241.210.169";
prefixLength = 25;
}
{
address = "129.241.210.213";
prefixLength = 25;
}
];
};
networking.interfaces.ens18.ipv6 = {
addresses = [
{
address = "2001:700:300:1900::169";
prefixLength = 64;
}
{
address = "2001:700:300:1900::213";
prefixLength = 64;
}
];
};
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}

29
hosts/jokum/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,29 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/1a8bf91a-5948-40c2-a9fd-7a33e46fa441";
fsType = "ext4";
};
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/c812e204-b998-4ec5-9f26-29c5808ed6ba";
fsType = "ext4";
};
swapDevices = [ ];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

6
hosts/bicep/services/matrix/coturn.nix → hosts/jokum/services/matrix/coturn.nix
View File

@@ -2,14 +2,10 @@
{
sops.secrets."matrix/synapse/turnconfig" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "synapse/turnconfig";
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
};
sops.secrets."matrix/coturn/static-auth-secret" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "coturn/static-auth-secret";
owner = config.users.users.turnserver.name;
group = config.users.users.turnserver.group;
};
@@ -118,7 +114,7 @@
};
networking.firewall = {
interfaces.enp6s0f0 = let
interfaces.ens18 = let
range = with config.services.coturn; [ {
from = min-port;
to = max-port;

1
hosts/bicep/services/matrix/default.nix → hosts/jokum/services/matrix/default.nix
View File

@@ -7,7 +7,6 @@
./synapse-admin.nix
./element.nix
./coturn.nix
./mjolnir.nix
./discord.nix
];

7
hosts/bicep/services/matrix/discord.nix → hosts/jokum/services/matrix/discord.nix
View File

@@ -7,8 +7,6 @@ in
users.groups.keys-matrix-registrations = { };
sops.secrets."matrix/registrations/mx-puppet-discord" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "registrations/mx-puppet-discord";
owner = config.users.users.matrix-synapse.name;
group = config.users.groups.keys-matrix-registrations.name;
};
@@ -32,9 +30,6 @@ in
services.mx-puppet-discord.serviceDependencies = [ "matrix-synapse.target" "nginx.service" ];
services.matrix-synapse-next.settings = {
app_service_config_files = [ config.sops.secrets."matrix/registrations/mx-puppet-discord".path ];
use_appservice_legacy_authorization = true;
};
services.matrix-synapse-next.settings.app_service_config_files = [ config.sops.secrets."matrix/registrations/mx-puppet-discord".path ];
}

33
hosts/bicep/services/matrix/element.nix → hosts/jokum/services/matrix/element.nix
View File

@@ -1,7 +1,6 @@
{ config, lib, pkgs, ... }:
let
synapse-cfg = config.services.matrix-synapse-next;
in {
{
services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
@@ -24,31 +23,25 @@ in {
features = {
feature_latex_maths = true;
feature_pinning = true;
feature_render_reaction_images = true;
feature_state_counters = true;
# element call group calls
feature_group_calls = true;
feature_custom_status = false;
};
default_theme = "dark";
# Servers in this list should provide some sort of valuable scoping
# matrix.org is not useful compared to matrixrooms.info,
# because it has so many general members, rooms of all topics are on it.
# Something matrixrooms.info is already providing.
room_directory.servers = [
"pvv.ntnu.no"
"matrixrooms.info" # Searches all public room directories
"matrix.omegav.no" # Friends
"gitter.im" # gitter rooms
"mozilla.org" # mozilla and friends
"kde.org" # KDE rooms
"fosdem.org" # FOSDEM
"dodsorf.as" # PVV Member
"nani.wtf" # PVV Member
"matrix.omegav.no"
"matrix.org"
"libera.chat"
"gitter.im"
"mozilla.org"
"kde.org"
"t2bot.io"
"fosdem.org"
"dodsorf.as"
];
enable_presence_by_hs_url = {
"https://matrix.org" = false;
# "https://matrix.dodsorf.as" = false;
"${synapse-cfg.settings.public_baseurl}" = synapse-cfg.settings.presence.enabled;
"https://matrix.dodsorf.as" = false;
};
};
};

0
hosts/bicep/services/matrix/synapse-admin.nix → hosts/jokum/services/matrix/synapse-admin.nix
View File

127
hosts/bicep/services/matrix/synapse.nix → hosts/jokum/services/matrix/synapse.nix
View File

@@ -1,52 +1,39 @@
{ config, lib, pkgs, values, inputs, ... }:
{ config, lib, pkgs, ... }:
let
cfg = config.services.matrix-synapse-next;
matrix-lib = inputs.matrix-next.lib;
imap0Attrs = with lib; f: set:
listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
in {
sops.secrets."matrix/synapse/dbconfig" = {
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
};
sops.secrets."matrix/synapse/signing_key" = {
key = "synapse/signing_key";
sopsFile = ../../../../secrets/bicep/matrix.yaml;
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
};
sops.secrets."matrix/synapse/user_registration" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "synapse/signing_key";
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
};
sops.secrets."matrix/sliding-sync/env" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "sliding-sync/env";
};
services.matrix-synapse-next = {
enable = true;
plugins = [
(pkgs.python3Packages.callPackage ./smtp-authenticator { })
];
dataDir = "/data/synapse";
workers.federationSenders = 2;
workers.federationReceivers = 2;
workers.federationReceivers = 1;
workers.initialSyncers = 1;
workers.normalSyncers = 1;
workers.eventPersisters = 2;
workers.eventPersisters = 1;
workers.useUserDirectoryWorker = true;
enableSlidingSync = true;
enableNginx = true;
extraConfigFiles = [
config.sops.secrets."matrix/synapse/dbconfig".path
];
settings = {
server_name = "pvv.ntnu.no";
public_baseurl = "https://matrix.pvv.ntnu.no";
@@ -55,26 +42,6 @@ in {
media_store_path = "${cfg.dataDir}/media";
database = {
name = "psycopg2";
args = {
host = "/var/run/postgresql";
dbname = "synapse";
user = "matrix-synapse";
cp_min = 1;
cp_max = 5;
};
};
presence.enabled = false;
event_cache_size = "20K"; # Default is 10K but I can't find the factor for this cache
caches = {
per_cache_factors = {
_event_auth_cache = 2.0;
};
};
autocreate_auto_join_rooms = false;
auto_join_rooms = [
"#pvv:pvv.ntnu.no" # Main space
@@ -87,20 +54,10 @@ in {
max_upload_size = "150M";
enable_metrics = true;
mau_stats_only = true;
enable_registration = false;
registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;
password_config.enabled = true;
modules = [
{ module = "smtp_auth_provider.SMTPAuthProvider";
config = {
smtp_host = "smtp.pvv.ntnu.no";
};
}
];
password_config.enabled = lib.mkForce false;
trusted_key_servers = [
{ server_name = "matrix.org"; }
@@ -211,57 +168,41 @@ in {
};
};
services.matrix-synapse.sliding-sync.environmentFile = config.sops.secrets."matrix/sliding-sync/env".path;
services.redis.servers."".enable = true;
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
({
locations."/.well-known/matrix/server" = {
return = ''
200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
'';
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
};
})
({
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [({
locations = let
connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";
isListenerType = type: listener: lib.lists.any (r: lib.lists.any (n: n == type) r.names) listener.resources;
isMetricsListener = l: isListenerType "metrics" l;
firstMetricsListener = w: lib.lists.findFirst isMetricsListener (throw "No metrics endpoint on worker") w.settings.worker_listeners;
wAddress = w: lib.lists.findFirst (_: true) (throw "No address in receiver") (firstMetricsListener w).bind_addresses;
wPort = w: (firstMetricsListener w).port;
socketAddress = w: "${wAddress w}:${toString (wPort w)}";
metricsPath = w: "/metrics/${w.type}/${toString w.index}";
proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
in lib.mapAttrs' (n: v: lib.nameValuePair
(metricsPath v) ({
proxyPass = proxyPath v;
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
}))
in lib.mapAttrs' (n: v: lib.nameValuePair (metricsPath v) ({ proxyPass = proxyPath v; }))
cfg.workers.instances;
})
({
locations."/metrics/master/1" = {
proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
};
locations."/metrics/" = let
endpoints = lib.pipe cfg.workers.instances [
(lib.mapAttrsToList (_: v: v))
(map (w: "${w.type}/${toString w.index}"))
(map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
endpoints = builtins.map (x: "matrix.pvv.ntnu.no/metrics/${x}") [
"master/1"
"fed-sender/1"
"fed-sender/2"
"fed-receiver/1"
"initial-sync/1"
"normal-sync/1"
"event-persist/1"
"user-dir/1"
];
in {
alias = pkgs.writeTextDir "/config.json"
(builtins.toJSON [

14
hosts/bekkalokk/services/nginx/default.nix → hosts/jokum/services/nginx/default.nix
View File

@@ -1,21 +1,21 @@
{ pkgs, config, ... }:
{config, ... }:
{
imports = [
./ingress.nix
];
security.acme = {
acceptTerms = true;
defaults.email = "drift@pvv.ntnu.no";
defaults.email = "danio@pvv.ntnu.no";
};
services.nginx = {
enable = true;
recommendedTlsSettings = true;
defaultListenAddresses = [ "129.241.210.169" "127.0.0.1" "127.0.0.2" "[2001:700:300:1900::169]" "[::1]" ];
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];

39
hosts/shark/configuration.nix
View File

@@ -1,39 +0,0 @@
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
];
sops.defaultSopsFile = ../../secrets/shark/shark.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "shark"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

38
hosts/shark/hardware-configuration.nix
View File

@@ -1,38 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/224c45db-9fdc-45d4-b3ad-aaf20b3efa8a";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/CC37-F5FE";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/a1ce3234-78b1-4565-9643-f4a05004424f"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

5
misc/builder.nix
View File

@@ -1,5 +0,0 @@
{ ... }:
{
nix.settings.trusted-users = [ "@nix-builder-users" ];
}

19
misc/metrics-exporters.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, values, ... }:
{ config, pkgs, ... }:
{
services.prometheus.exporters.node = {
@@ -7,19 +7,6 @@
enabledCollectors = [ "systemd" ];
};
systemd.services.prometheus-node-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = [ 9100 ];
services.promtail = {
enable = true;
configuration = {
@@ -47,10 +34,6 @@
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
];
}
];

13
modules/debug-locations.nix
View File

@@ -1,13 +0,0 @@
{ config, lib, ... }:
let
cfg = config.environment.debug-locations;
in
{
options.environment.debug-locations = lib.mkOption {
description = "Paths and derivations to symlink in `/etc/debug`";
type = with lib.types; attrsOf path;
default = { };
};
config.environment.etc = lib.mapAttrs' (k: v: lib.nameValuePair "debug/${k}" { source = v; }) cfg;
}

62
modules/grzegorz.nix
View File

@@ -1,62 +0,0 @@
{config, lib, pkgs, ...}:
let
grg = config.services.grzegorz;
grgw = config.services.grzegorz-webui;
in {
services.pipewire.enable = true;
services.pipewire.alsa.enable = true;
services.pipewire.alsa.support32Bit = true;
services.pipewire.pulse.enable = true;
users.users.pvv = {
isNormalUser = true;
description = "pvv";
};
services.grzegorz.enable = true;
services.grzegorz.listenAddr = "localhost";
services.grzegorz.listenPort = 31337;
services.grzegorz-webui.enable = true;
services.grzegorz-webui.listenAddr = "localhost";
services.grzegorz-webui.listenPort = 42069;
services.grzegorz-webui.listenWebsocketPort = 42042;
services.grzegorz-webui.hostName = "${config.networking.fqdn}";
services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
security.acme.acceptTerms = true;
security.acme.defaults.email = "pederbs@pvv.ntnu.no";
services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx.virtualHosts."${config.networking.fqdn}" = {
forceSSL = true;
enableACME = true;
serverAliases = [
"${config.networking.hostName}.pvv.org"
];
extraConfig = ''
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
locations."/" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenPort}";
};
# https://github.com/rawpython/remi/issues/216
locations."/websocket" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenWebsocketPort}";
proxyWebsockets = true;
};
locations."/api" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}";
};
locations."/docs" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}";
};
};
}

83
modules/snakeoil-certs.nix
View File

@@ -1,83 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.environment.snakeoil-certs;
in
{
options.environment.snakeoil-certs = lib.mkOption {
default = { };
description = "Self signed certs, which are rotated regularly";
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
owner = lib.mkOption {
type = lib.types.str;
default = "root";
};
group = lib.mkOption {
type = lib.types.str;
default = "root";
};
mode = lib.mkOption {
type = lib.types.str;
default = "0660";
};
daysValid = lib.mkOption {
type = lib.types.str;
default = "90";
};
extraOpenSSLArgs = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
};
certificate = lib.mkOption {
type = lib.types.str;
default = "${name}.crt";
};
certificateKey = lib.mkOption {
type = lib.types.str;
default = "${name}.key";
};
subject = lib.mkOption {
type = lib.types.str;
default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
};
};
}));
};
config = {
systemd.services."generate-snakeoil-certs" = {
enable = true;
serviceConfig.Type = "oneshot";
script = let
openssl = lib.getExe pkgs.openssl;
in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: ''
mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
then
echo "Regenerating '${value.certificate}'"
${openssl} req \
-newkey rsa:4096 \
-new -x509 \
-days "${toString value.daysValid}" \
-nodes \
-subj "${value.subject}" \
-out "${value.certificate}" \
-keyout "${value.certificateKey}" \
${lib.escapeShellArgs value.extraOpenSSLArgs}
fi
chown "${value.owner}:${value.group}" "${value.certificate}"
chown "${value.owner}:${value.group}" "${value.certificateKey}"
chmod "${value.mode}" "${value.certificate}"
chmod "${value.mode}" "${value.certificateKey}"
'') (lib.attrsToList cfg);
};
systemd.timers."generate-snakeoil-certs" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*-*-* 02:00:00";
Persistent = true;
Unit = "generate-snakeoil-certs.service";
};
};
};
}

7
packages/mediawiki-extensions/default.nix
View File

@@ -1,7 +0,0 @@
{ pkgs, lib }:
lib.makeScope pkgs.newScope (self: {
DeleteBatch = self.callPackage ./delete-batch { };
PluggableAuth = self.callPackage ./pluggable-auth { };
SimpleSAMLphp = self.callPackage ./simple-saml-php { };
UserMerge = self.callPackage ./user-merge { };
})

7
packages/mediawiki-extensions/delete-batch/default.nix
View File

@@ -1,7 +0,0 @@
{ fetchzip }:
fetchzip {
name = "mediawiki-delete-batch";
url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_41-5774fdd.tar.gz";
hash = "sha256-ROkn93lf0mNXBvij9X2pMhd8LXZ0azOz7ZRaqZvhh8k=";
}

7
packages/mediawiki-extensions/pluggable-auth/default.nix
View File

@@ -1,7 +0,0 @@
{ fetchzip }:
fetchzip {
name = "mediawiki-pluggable-auth-source";
url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_41-d5b3ad8.tar.gz";
hash = "sha256-OLlkKeSlfNgWXWwDdINrYRZpYuSGRwzZHgU8EYW6rYU=";
}

7
packages/mediawiki-extensions/simple-saml-php/default.nix
View File

@@ -1,7 +0,0 @@
{ fetchzip }:
fetchzip {
name = "mediawiki-simple-saml-php-source";
url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_41-9ae0678.tar.gz";
hash = "sha256-AmCaG5QXMJvi3N6zFyWylwYDt8GvyIk/0GFpM1Y0vkY=";
}

66
packages/mediawiki-extensions/update-mediawiki-extensions.py
View File

@@ -1,66 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"
import os
from pathlib import Path
import re
import subprocess
from collections import defaultdict
from pprint import pprint
import bs4
import requests
BASE_URL = "https://extdist.wmflabs.org/dist/extensions"
def fetch_plugin_list(skip_master=True) -> dict[str, list[str]]:
content = requests.get(BASE_URL).text
soup = bs4.BeautifulSoup(content, features="html.parser")
result = defaultdict(list)
for a in soup.find_all('a'):
if skip_master and 'master' in a.text:
continue
split = a.text.split('-')
result[split[0]].append(a.text)
return result
def update(package_file: Path, plugin_list: dict[str, list[str]]) -> None:
assert package_file.is_file()
with open(package_file) as file:
content = file.read()
tarball = re.search(f'url = "{BASE_URL}/(.+\.tar\.gz)";', content).group(1)
split = tarball.split('-')
updated_tarball = plugin_list[split[0]][-1]
_hash = re.search(f'hash = "(.+?)";', content).group(1)
out, err = subprocess.Popen(
["nix-prefetch-url", "--unpack", "--type", "sha256", f"{BASE_URL}/{updated_tarball}"],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
).communicate()
out, err = subprocess.Popen(
["nix", "hash", "to-sri", "--type", "sha256", out.decode().strip()],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
).communicate()
updated_hash = out.decode().strip()
if tarball == updated_tarball and _hash == updated_hash:
return
print(f"Updating: {tarball} ({_hash[7:14]}) -> {updated_tarball} ({updated_hash[7:14]})")
updated_text = re.sub(f'url = "{BASE_URL}/.+?\.tar\.gz";', f'url = "{BASE_URL}/{updated_tarball}";', content)
updated_text = re.sub('hash = ".+";', f'hash = "{updated_hash}";', updated_text)
with open(package_file, 'w') as file:
file.write(updated_text)
if __name__ == "__main__":
plugin_list = fetch_plugin_list()
for direntry in os.scandir(Path(__file__).parent):
if direntry.is_dir():
update(Path(direntry) / "default.nix", plugin_list)

7
packages/mediawiki-extensions/user-merge/default.nix
View File

@@ -1,7 +0,0 @@
{ fetchzip }:
fetchzip {
name = "mediawiki-user-merge-source";
url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_41-a53af3b.tar.gz";
hash = "sha256-TxUkEqMW79thYl1la2r+w9laRnd3uSYYg1xDB+1he1g=";
}

38
packages/simplesamlphp/default.nix
View File

@@ -1,38 +0,0 @@
{ lib
, php
, writeText
, fetchFromGitHub
, extra_files ? { }
}:
php.buildComposerProject rec {
pname = "simplesamlphp";
version = "2.2.1";
src = fetchFromGitHub {
owner = "simplesamlphp";
repo = "simplesamlphp";
rev = "v${version}";
hash = "sha256-jo7xma60M4VZgeDgyFumvJp1Sm+RP4XaugDkttQVB+k=";
};
composerStrictValidation = false;
vendorHash = "sha256-n6lJ/Fb6xI124PkKJMbJBDiuISlukWQcHl043uHoBb4=";
# TODO: metadata could be fetched automagically with these:
# - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
# - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
postPatch = lib.pipe extra_files [
(lib.mapAttrsToList (target_path: source_path: ''
mkdir -p $(dirname "${target_path}")
cp -r "${source_path}" "${target_path}"
''))
(lib.concatStringsSep "\n")
];
postInstall = ''
ln -sr $out/share/php/simplesamlphp/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/simplesamlphp/public/assets/base
'';
}

43
pkgs/minecraft-server-fabric/default.nix Normal file
View File

@@ -0,0 +1,43 @@
{ callPackage, writeTextFile, writeShellScriptBin, minecraft-server, jre_headless }:
let
loader = callPackage ./generate-loader.nix {};
log4j = writeTextFile {
name = "log4j.xml";
text = ''
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN" packages="com.mojang.util">
<Appenders>
<Console name="SysOut" target="SYSTEM_OUT">
<PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
</Console>
<Queue name="ServerGuiConsole">
<PatternLayout pattern="[%d{HH:mm:ss} %level]: %msg%n" />
</Queue>
<RollingRandomAccessFile name="File" fileName="logs/latest.log" filePattern="logs/%d{yyyy-MM-dd}-%i.log.gz">
<PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
<Policies>
<TimeBasedTriggeringPolicy />
<OnStartupTriggeringPolicy />
</Policies>
<DefaultRolloverStrategy max="1000"/>
</RollingRandomAccessFile>
</Appenders>
<Loggers>
<Root level="info">
<filters>
<MarkerFilter marker="NETWORK_PACKETS" onMatch="DENY" onMismatch="NEUTRAL" />
</filters>
<AppenderRef ref="SysOut"/>
<AppenderRef ref="File"/>
<AppenderRef ref="ServerGuiConsole"/>
</Root>
</Loggers>
</Configuration>
'';
};
in
writeShellScriptBin "minecraft-server" ''
echo "serverJar=${minecraft-server}/lib/minecraft/server.jar" >> fabric-server-launcher.properties
exec ${jre_headless}/bin/java -Dlog4j.configurationFile=${log4j} $@ -jar ${loader} nogui
''

38
pkgs/minecraft-server-fabric/generate-loader.nix Normal file
View File

@@ -0,0 +1,38 @@
{ lib, fetchurl, stdenv, unzip, zip, jre_headless }:
let
lock = import ./lock.nix;
libraries = lib.forEach lock.libraries fetchurl;
in
stdenv.mkDerivation {
name = "fabric-server-launch.jar";
nativeBuildInputs = [ unzip zip jre_headless ];
libraries = libraries;
buildPhase = ''
for i in $libraries; do
unzip -o $i
done
cat > META-INF/MANIFEST.MF << EOF
Manifest-Version: 1.0
Main-Class: net.fabricmc.loader.impl.launch.server.FabricServerLauncher
Name: org/objectweb/asm/
Implementation-Version: 9.2
EOF
cat > fabric-server-launch.properties << EOF
launch.mainClass=net.fabricmc.loader.impl.launch.knot.KnotServer
EOF
'';
installPhase = ''
jar cmvf META-INF/MANIFEST.MF "server.jar" .
zip -d server.jar 'META-INF/*.SF' 'META-INF/*.RSA' 'META-INF/*.DSA'
cp server.jar "$out"
'';
phases = [ "buildPhase" "installPhase" ];
}

22
pkgs/minecraft-server-fabric/generate-lock-nix.sh Executable file
View File

@@ -0,0 +1,22 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p bash curl jq
curl https://meta.fabricmc.net/v2/versions/loader/1.18.1/0.12.12/server/json \
| jq -r '
.mainClass,
(.libraries[]
| .url as $url
| .name | split(":") as [$dir, $name, $version]
|"\($name)-\($version).zip|\($url)\($dir|sub("\\.";"/";"g"))/\($name)/\($version)/\($name)-\($version).jar"
)' \
| {
echo '{'
read mainClass;
echo " mainClass = \"$mainClass\";"
echo " libraries = ["
while IFS="|" read name url; do
hash=$(nix-prefetch-url $url);
echo " { name = \"$name\"; sha256 = \"$hash\"; url = \"$url\"; }"
done
echo " ];"
echo '}'
}

Some files were not shown because too many files have changed in this diff Show More