Drift/pvv-nixos-config
17
5
Fork 2
Code Issues Pull Requests 9 Actions Wiki Activity

Compare commits

base: Drift:prometheusexim
Branches Tags
Drift:main Drift:minecraft-heatmap Drift:fix-import-gitea-users-script Drift:gitea-runners-secrets Drift:gitea-runners-cluster Drift:25.05 Drift:new_nodes Drift:ooye Drift:grg-ip Drift:nom Drift:add-skrott Drift:pvvvvv Drift:setup-git-mirroring-on-bicep Drift:init-bakke Drift:gitea-show-license-in-list-view Drift:nix-topology Drift:gitea-robots-txt Drift:dagali-heimdal-openldap-sasl-stack Drift:gitea-navbar-get-started Drift:backup-databases Drift:openwebui Drift:setup-openvpn-tunnel Drift:gitea-gpg-signing Drift:sleipner-authorised-keys Drift:openstack-image-builder Drift:elysium Drift:smartd-notifs Drift:systemd-journald-remote Drift:skrot Drift:deploy-doorbell Drift:misc-gitea-fixes Drift:spotifyd Drift:remote Drift:setup-bikkje-login Drift:ozai-prod Drift:add-bluemap Drift:ozai Drift:setup-postfix-for-service-machines Drift:fix-gitea-ci-runner-network-issues Drift:heimdal-openldap-sasl-testing-on-salsa-on-buskerud Drift:gitea-metrics Drift:misc1 Drift:add-simple-saml-theme Drift:misc-extra-gitea-setup Drift:setup-kerberos Drift:setup-home-areas Drift:shark-kanidm Drift:prometheusexim
..
compare: Drift:add-simple-saml-theme
Branches Tags
Drift:main Drift:minecraft-heatmap Drift:fix-import-gitea-users-script Drift:gitea-runners-secrets Drift:gitea-runners-cluster Drift:25.05 Drift:new_nodes Drift:ooye Drift:grg-ip Drift:nom Drift:add-skrott Drift:pvvvvv Drift:setup-git-mirroring-on-bicep Drift:init-bakke Drift:gitea-show-license-in-list-view Drift:nix-topology Drift:gitea-robots-txt Drift:dagali-heimdal-openldap-sasl-stack Drift:gitea-navbar-get-started Drift:backup-databases Drift:openwebui Drift:setup-openvpn-tunnel Drift:gitea-gpg-signing Drift:sleipner-authorised-keys Drift:openstack-image-builder Drift:elysium Drift:smartd-notifs Drift:systemd-journald-remote Drift:skrot Drift:deploy-doorbell Drift:misc-gitea-fixes Drift:spotifyd Drift:remote Drift:setup-bikkje-login Drift:ozai-prod Drift:add-bluemap Drift:ozai Drift:setup-postfix-for-service-machines Drift:fix-gitea-ci-runner-network-issues Drift:heimdal-openldap-sasl-testing-on-salsa-on-buskerud Drift:gitea-metrics Drift:misc1 Drift:add-simple-saml-theme Drift:misc-extra-gitea-setup Drift:setup-kerberos Drift:setup-home-areas Drift:shark-kanidm Drift:prometheusexim

201 Commits
prometheus ... add-simple

Author SHA1 Message Date
h7x4
ee097c49a3 WIP: idp theme
Some checks failed
Eval nix flake / evals (push) Failing after 1m49s
Details
2024-03-31 05:01:24 +02:00
h7x4
ce3aeb4e08 bekkalokk: init mediawiki
Some checks failed
Eval nix flake / evals (push) Failing after 1m40s
Details
Eval nix flake / evals (pull_request) Failing after 1m39s
Details 
Co-authored-by: Jørn Åne <yorinad@pvv.ntnu.no>
 2024-03-31 05:01:24 +02:00
h7x4
49a0b1a5f7 bekkalokk: init idp-simplesamlphp 2024-03-31 04:41:45 +02:00
h7x4
4c1966365b bekkalokk: redirect bekkalokk.pvv.ntnu.no to git.pvv.ntnu.no 2024-03-31 04:41:15 +02:00
h7x4
e0b3ce9378 bekkalokk: package mediawiki extensions outside of module 2024-03-31 04:41:15 +02:00
h7x4
50df317a26 packages: init simplesamlphp 2024-03-31 04:41:15 +02:00
h7x4
1262bc7125 bekkalokk: set up kerberos client 2024-03-29 03:31:19 +01:00
h7x4
64c7e3e365 flake.nix: fix usage of common nixos module/overlay list 2024-03-29 01:51:37 +01:00
Daniel Olsen
fe4dd21acb add eirikwit to sops
Some checks failed
Eval nix flake / evals (push) Failing after 1m44s
Details
2024-03-16 22:38:16 +01:00
Daniel Olsen
0336744124 flake update: matrix module bug fix
Some checks failed
Eval nix flake / evals (push) Failing after 1m55s
Details
2024-03-13 07:41:12 +01:00
Daniel Olsen
b4d6e00622 Update flake.lock to get new matrix module
Some checks failed
Eval nix flake / evals (push) Failing after 1m51s
Details
2024-03-13 06:33:43 +01:00
Daniel Olsen
7c6d4d31c7 bicep/matrix/element: update room directories
Some checks failed
Eval nix flake / evals (push) Failing after 1m44s
Details
2024-03-05 05:52:31 +01:00
Daniel Olsen
9f46be1ca1 bicep/matrix: update element lab flags and room directoriy listings
Some checks failed
Eval nix flake / evals (push) Failing after 1m44s
Details
2024-03-05 05:28:23 +01:00
jovre
545583cf04 bekkalokk/gitea: Do not change the user visibility
Some checks failed
Eval nix flake / evals (push) Failing after 1m55s
Details
2024-03-03 00:29:24 +01:00
Felix Albrigtsen
62b269637a bekkalokk/gitea: unset visibility when updating users
Some checks failed
Eval nix flake / evals (push) Failing after 1m50s
Details
2024-02-12 11:24:14 +01:00
Adrian Gunnar Lauterer
7fd9a1e646 started on bikkje container for new loginbox - work in progress
Some checks failed
Eval nix flake / evals (push) Failing after 1m47s
Details
2024-01-07 01:21:11 +01:00
Daniel Olsen
4ea90380ad bicep/matrix: use synapse package from stable
Some checks failed
Eval nix flake / evals (push) Failing after 1m52s
Details 
It's fixed now
 2023-12-16 00:22:02 +01:00
Daniel Olsen
bcd5292f78 update flake.lock
Some checks failed
Eval nix flake / evals (push) Failing after 1m46s
Details
2023-12-13 20:02:09 +01:00
Felix Albrigtsen
1ab1b3a84e Merge pull request 'Buskerud: Comment out openvpn-client' (#23) from buskerud-no-vpn into main
Some checks failed
Eval nix flake / evals (push) Failing after 1m48s
Details 
Reviewed-on: #23
 2023-12-12 18:09:31 +01:00
Felix Albrigtsen
80ef1ce4fa Buskerud: Remove OV-link, general cleanup
Some checks failed
Eval nix flake / evals (push) Failing after 1m43s
Details
Eval nix flake / evals (pull_request) Failing after 1m42s
Details
2023-12-12 15:27:20 +01:00
Felix Albrigtsen
2b834eee14 Buskerud: Comment out openvpn-client
Some checks failed
Eval nix flake / evals (pull_request) Failing after 1m42s
Details
Eval nix flake / evals (push) Failing after 1m40s
Details
2023-12-12 11:39:33 +01:00
Daniel Lovbrotte Olsen
9ed2ca8883 Merge pull request 'Update users/jonmro.nix' (#21) from jonmro/pvv-nixos-config:main into main
Some checks failed
Eval nix flake / evals (push) Failing after 1m50s
Details 
Reviewed-on: #21
 2023-12-10 05:46:20 +01:00
Daniel Lovbrotte Olsen
fe12e5441a Merge pull request '🎉 nixpkgs 23.11' (#20) from upgrade-to-nixpkgs-23-11 into main
Some checks failed
Eval nix flake / evals (push) Failing after 1m43s
Details 
Reviewed-on: #20
 2023-12-10 05:43:01 +01:00
Daniel Olsen
2b305678df update flake.lock
Some checks failed
Eval nix flake / evals (pull_request) Failing after 1m43s
Details
Eval nix flake / evals (push) Failing after 1m48s
Details
2023-12-10 05:41:45 +01:00
Daniel Olsen
dd8b677a79 buskerud: bootloader - 3.3TB, OS - 256GB 👍
Some checks failed
Eval nix flake / evals (pull_request) Failing after 1m49s
Details
Eval nix flake / evals (push) Failing after 1m57s
Details
2023-12-10 05:27:58 +01:00
Daniel Olsen
eabd8df3d8 bicep/matrix: use package with fixed pythonEnv
Some checks failed
Eval nix flake / evals (pull_request) Failing after 1m46s
Details
Eval nix flake / evals (push) Failing after 1m52s
Details
2023-12-10 04:32:26 +01:00
Eirik Wittersø
8a0ebe761e Add user eirikwit
Some checks failed
Eval nix flake / evals (pull_request) Failing after 1m43s
Details
Eval nix flake / evals (push) Failing after 1m48s
Details
2023-12-10 02:00:18 +01:00
Jon Martinus Rodtang
0c816068fe Update users/jonmro.nix
Some checks failed
Eval nix flake / evals (pull_request) Failing after 2m1s
Details 
Added "drift" "nix-builder-users"  groups
 2023-12-10 00:25:04 +01:00
h7x4
0b5e03471f upgrade to nixpkgs 23.11
Some checks failed
Eval nix flake / evals (push) Failing after 3h8m33s
Details
Eval nix flake / evals (pull_request) Failing after 3h5m17s
Details
2023-12-05 00:36:09 +01:00
Daniel Lovbrotte Olsen
d8031ecca1 Merge pull request 'replace-knakelibrak-nginx-reverse-proxy' (#18) from replace-knakelibrak-nginx-reverse-proxy into main
All checks were successful
Eval nix flake / evals (push) Successful in 4m2s
Details 
Reviewed-on: #18
 2023-12-03 07:01:13 +01:00
Daniel Olsen
28e3f5672c pin matrix-synapse-next module to last one compatible with 23.05
All checks were successful
Eval nix flake / evals (push) Successful in 3m53s
Details 
When we upgrade we can go back to tracking master
 2023-12-02 10:05:27 +01:00
h7x4
8ced91a285 hosts/buskerud: init
All checks were successful
Eval nix flake / evals (push) Successful in 4m43s
Details 
Co-authored-by: Felix Albrigtsen <felix@albrigtsen.it>
 2023-11-30 19:42:05 +01:00
Daniel Olsen
1ef033c754 bekkalokk/ingress: proxy matrix well-known files to bicep
All checks were successful
Eval nix flake / evals (push) Successful in 3m44s
Details
Eval nix flake / evals (pull_request) Successful in 3m31s
Details
2023-11-28 10:24:18 +01:00
Felix Albrigtsen
d900dc1b1b Redirect subpages like ./well-known, add @-domains 2023-11-28 10:24:18 +01:00
h7x4
d5985e02f3 Prepare to replace knakelibrak 
Co-authored-by: Felix Albrigtsen <felix@albrigtsen.it>
 2023-11-28 10:23:02 +01:00
Daniel Olsen
2c42b120a6 Merge branch 'extend_smtp'
All checks were successful
Eval nix flake / evals (push) Successful in 3m41s
Details
2023-11-28 08:39:15 +01:00
Daniel Olsen
27ba3f7a7f bicep/matrix: serve server well-known
All checks were successful
Eval nix flake / evals (push) Successful in 3m24s
Details
2023-11-28 08:36:56 +01:00
Daniel Olsen
c1c58122ea bicep/matrix: Improve flexibility of username login
All checks were successful
Eval nix flake / evals (push) Successful in 4m34s
Details 
It should be possible to log in  with @username:pvv.ntnu.no now
That way client well-known in third party clients will work

it might also fix the weird logout of session issues in element
 2023-11-28 05:14:04 +01:00
h7x4
7ac960c5ff users/oysteikt: add to nix-builder-users
All checks were successful
Eval nix flake / evals (push) Successful in 3m15s
Details
2023-11-26 07:22:12 +01:00
Oystein Kristoffer Tveit
54a54ad0f5 Merge pull request 'Roundcube testing on bekkalokk now working.' (#14) from roundcube into main
All checks were successful
Eval nix flake / evals (push) Successful in 11m0s
Details 
Reviewed-on: https://bekkalokk.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/14
 2023-11-26 05:17:28 +01:00
Oystein Kristoffer Tveit
f7e892fad9 Merge pull request 'Added user jonmro' (#17) from jonmro-user into main
Some checks failed
Eval nix flake / evals (push) Failing after 4m10s
Details 
Reviewed-on: https://bekkalokk.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/17
 2023-11-26 05:07:22 +01:00
h7x4
2a1e649eed bekkalokk: fix roundcube, and move to webmail2.pvv.ntnu.no/roundcube
All checks were successful
Eval nix flake / evals (push) Successful in 16m1s
Details
Eval nix flake / evals (pull_request) Successful in 21m4s
Details
2023-11-26 05:05:15 +01:00
Daniel Olsen
d7638138ed brzeczyszczykiewicz: add bokhylle as alias for the grzegorz service
All checks were successful
Eval nix flake / evals (push) Successful in 8m48s
Details
2023-11-26 02:36:23 +01:00
Adrian Gunnar Lauterer
c8d383c9ab bekkalokk-roundcube init at roundcube.pvv.ntnu.no
All checks were successful
Eval nix flake / evals (pull_request) Successful in 10m54s
Details
Eval nix flake / evals (push) Successful in 12m3s
Details
2023-11-25 21:23:06 +01:00
Jon Martinus Rodtang
c807d6ec2b Added user jonmro
All checks were successful
Eval nix flake / evals (pull_request) Successful in 14m11s
Details
Eval nix flake / evals (push) Successful in 16m39s
Details
2023-11-24 18:46:14 +01:00
Daniel Olsen
42c1803c9b clean up flake input function parameters
All checks were successful
Eval nix flake / evals (push) Successful in 2m46s
Details 
We dont need thelse seldomly used things in the main function call
 2023-11-05 10:54:50 +01:00
Daniel Olsen
c4df999058 bob: init
All checks were successful
Eval nix flake / evals (push) Successful in 2m46s
Details 
Cool beeg nix builder
for now anyways
 2023-11-05 06:06:57 +01:00
h7x4
3caa66fb64 rename input: unstable -> nixpkgs-unstable
All checks were successful
Eval nix flake / evals (push) Successful in 3m3s
Details
2023-11-05 01:22:48 +01:00
Daniel Olsen
b458801f95 Revert "bekkalokk: add wackattack ctf systemd service"
All checks were successful
Eval nix flake / evals (push) Successful in 2m49s
Details 
CTF is over

This reverts commit fa843c4a59.
 2023-10-30 09:03:27 +01:00
Daniel Olsen
1a683d2a92 shell: add openstack resources 2023-10-30 09:02:09 +01:00
h7x4
fa843c4a59 bekkalokk: add wackattack ctf systemd service
All checks were successful
Eval nix flake / evals (push) Successful in 4m9s
Details
2023-10-26 22:10:30 +02:00
Daniel Olsen
e07945d49c bicep/matrix: enable sliding sync
All checks were successful
Eval nix flake / evals (push) Successful in 2m39s
Details
2023-10-22 02:33:40 +02:00
Daniel Olsen
32885891fe bicep/matrix: enable smtp auth
All checks were successful
Eval nix flake / evals (push) Successful in 2m43s
Details 
yolo lmao
 2023-10-22 01:59:25 +02:00
Daniel Olsen
a6196e67fe workflows/eval: init - evaluate flake in gitea actions
All checks were successful
Eval nix flake / evals (push) Successful in 2m40s
Details 
Building doesnt work without the sandbox
 2023-10-19 23:20:51 +02:00
Daniel Olsen
7a0946fb1c update flake.lock 2023-10-19 19:55:52 +02:00
Daniel Olsen
05cac3cb93 make packages for each system derivation 
Makes it easier to test build each machine

also makes nom go brr
 2023-10-19 18:40:24 +02:00
Daniel Olsen
b8f6aa2f62 clean up unused packages 2023-10-19 18:38:16 +02:00
Daniel Olsen
9b44087693 bekkalokk/gitea: make import user script run by default 
Systemd stuff are generally turned on by default but need to be wanted

Much like me
 2023-10-14 22:47:56 +02:00
Daniel Olsen
59008d213c update flake.lock 2023-10-14 22:47:56 +02:00
h7x4
4fc7a16909 resolve an ipv6-space bruh moment 2023-10-10 17:14:57 +02:00
Adrian Gunnar Lauterer
1e841e0397 Merge pull request 'added adriangl to users' (#13) from adriangl-add-user into main 
Reviewed-on: #13
 2023-10-05 19:01:58 +02:00
Adrian Gunnar Lauterer
6e2876f67f added adriangl to users 2023-10-05 18:56:38 +02:00
Daniel Olsen
6fd71598cb update flake.lock 
updates the matrix flake to enable sliding sync
 2023-09-24 04:42:31 +02:00
Daniel Olsen
be341622fe georg: init 2023-09-17 04:57:30 +02:00
Daniel Olsen
87a7b17b49 brzeczyszczykiewicz: init 2023-09-17 04:57:30 +02:00
h7x4
5c529a0233 Fix gitea runners, add 2 more 
The gitea runners are now activated correctly,
has support for both debian and ubuntu based systems,
and can will connect to the gitea server through the
loopback interface
 2023-09-17 04:05:08 +02:00
h7x4
b9388a31cf bekkalokk/gitea-runners: fix token env file 2023-09-17 00:28:28 +02:00
Oystein Kristoffer Tveit
bc678b5d51 Merge pull request 'Bekkalokk: Enable podman' (#11) from add-gitea-ci into main 
Reviewed-on: #11
 2023-09-16 22:38:23 +02:00
Amalie Mansåker
ade2f6f5c9 Bekkalokk: Enable podman 2023-09-16 22:38:15 +02:00
Oystein Kristoffer Tveit
5c37b71646 Merge pull request 'Setup gitea action runner' (#10) from add-gitea-ci into main 
Reviewed-on: #10
 2023-09-16 22:31:22 +02:00
Amalie Mansåker
76f18b459c Setup gitea action runner 2023-09-16 22:26:44 +02:00
Oystein Kristoffer Tveit
97cd5a235f Merge pull request 'Gitea enabled actions' (#9) from add-gitea-ci into main 
Reviewed-on: #9
 2023-09-16 21:51:43 +02:00
Amalie Mansåker
e5fac39ce8 Enabled actions 2023-09-16 21:51:13 +02:00
Daniel Olsen
f53c0c6eb5 bicep/synapse: Move database configuration out of secrets 2023-09-16 21:38:39 +02:00
Oystein Kristoffer Tveit
d4bcdeb3b3 Merge pull request 'Added user amalieem' (#8) from add-gitea-ci into main 
Reviewed-on: #8
 2023-09-16 20:31:21 +02:00
Amalie Mansåker
b080ade4be Added user amalieem 2023-09-16 20:19:15 +02:00
Daniel Olsen
7cd5b42f12 bicep/matrix/synapse: use fewer connections 2023-09-13 11:02:52 +02:00
Daniel Olsen
816997b74f bicep/nginx: increase workers and enable modern compression 
Should decrease latency
 2023-09-13 11:01:09 +02:00
Daniel Olsen
06322a26fc bicep/postgres: enable jit again, make more memory available 2023-09-13 05:22:23 +02:00
Daniel Olsen
a58101bfbc Remove deprecated hosts and clean up 2023-09-13 05:03:57 +02:00
Daniel Olsen
57d1dfd121 flake update 2023-09-13 05:01:18 +02:00
Daniel Olsen
d3b363b028 bicep: Remove deprecated grub version option 2023-09-13 04:54:46 +02:00
Daniel Olsen
4a6ea9be2d bicep/synapse: define registration secret properly 2023-09-13 04:53:56 +02:00
Daniel Olsen
f92ebbee16 bicep/synapse: use postgres unix socket 2023-09-13 04:16:22 +02:00
Daniel Olsen
201e3d306b bicep: Revert postgres socket stuff 2023-09-13 03:58:29 +02:00
Daniel Olsen
437219bb68 bicep/postgres: Enable unix socket auth 2023-09-13 00:52:27 +02:00
Daniel Olsen
b5075f48c6 bicep/matrix/synapse: switch database connection to socket 2023-09-13 00:17:10 +02:00
Felix Albrigtsen
d96c30bbd5 Fix calendar-bot timer 2023-09-12 18:23:20 +02:00
Felix Albrigtsen
36b768b3b2 ( ͡° ͜ʖ ͡°) 2023-09-08 02:33:22 +02:00
Felix Albrigtsen
9f36bd86a8 Update calendar bot details 2023-09-08 02:25:23 +02:00
Felix Albrigtsen
1370ccddf8 Initialize host: shark 2023-09-08 02:11:02 +02:00
Daniel Lovbrotte Olsen
cfcd230678 Merge pull request 'Fix gitea on bekkalokk' (#7) from configure-gitea into main 
Reviewed-on: #7
 2023-09-07 18:54:24 +02:00
h7x4
1afc8841a9 bekkalokk/nginx: remove commented virtualhost for mediawiki 2023-09-07 18:53:05 +02:00
h7x4
b4b6b4971a bekkalokk/gitea: misc changes 
- change domain from git2 to git1
- enable internal SSH serer
- enable code search
- add custom logos
- update import-user-script to ignore GECOS fields
 2023-09-07 18:53:05 +02:00
h7x4
f567199604 bekkalokk/gitea: update API key for import-user-script 2023-09-07 18:41:41 +02:00
oysteikt
b52753987d bicep: use mysql on bicep as production server 2023-09-07 18:40:13 +02:00
h7x4
6a75dbae47 Add PVV logo to repository 2023-09-07 18:39:21 +02:00
Felix Albrigtsen
3beb76e411 Add pvv-calendar-bot to bicep 2023-08-27 02:36:01 +02:00
Daniel Olsen
bfe94003c4 bicep/matrix/discord: enable legacy authorization because old mx-puppet-discord 😭 2023-08-18 00:54:06 +02:00
Felix Albrigtsen
6d6987c87a felixalb: Add SSH key 2023-08-17 22:07:00 +02:00
Felix Albrigtsen
a230914ebd Add aarch64-darwin to devShell 2023-08-17 22:05:28 +02:00
oysteikt
a5c83866ca bicep: setup ACME cert for postgres 2023-08-12 02:55:20 +02:00
Daniel Olsen
fa67504275 Update flake inputs 
Mainly to update the matrix module
 2023-07-13 04:36:43 +02:00
oysteikt
bb9f1c8b2f flake.nix: add func to build using nixpkgs unstable 2023-07-12 16:16:10 +02:00
oysteikt
34a16149f8 ildkule: add config for prometheus_mysqld_exporter 
There's a PR waiting to add this module to nixpkgs,
so we should enable this once it gets merged.
 2023-07-10 00:06:27 +02:00
oysteikt
998e66db65 bicep: enable mysql 2023-07-10 00:06:09 +02:00
Daniel Olsen
699569249a ildkule: adjust matrix version annotations for nixos matrix module 2023-06-20 14:01:44 +02:00
Daniel Olsen
e73b7d2cd1 ildule: fix upstream dashboard variables 2023-06-20 13:46:00 +02:00
Daniel Olsen
ff30477e86 ildule: Update matrix dashboard from upstream 2023-06-20 13:20:42 +02:00
Felix Albrigtsen
8f55ef3193 Bekkalokk: Configure Gitea, clean web services 
Update bekkalokk secrets format

Update gitea keys and firewall rules

Create gitea-user-import script

Fix SSH host key verification

Gitea-import-users bug squashification

Fix Gitea-import SSH problems
 2023-06-05 19:41:25 +02:00
h7x4
db44bcf4bc Upgrade to nixpkgs 23.05 2023-05-31 11:04:38 +02:00
Daniel Olsen
d694724f5c bicep/synapse: Set event cache to 20K 
This is double the cache from default
changed because we're seeing periodic cpu spikes
with this cache beeing the main one missing
 2023-05-26 02:22:18 +02:00
Daniel Olsen
68ce7acebb Revert "bicep: Emergency fix for matrix postgres auth" 
This reverts commit fdbcd8c884.

This was not it
 2023-05-23 05:12:46 +02:00
Daniel Olsen
fdbcd8c884 bicep: Emergency fix for matrix postgres auth 
I think
 2023-05-23 04:59:34 +02:00
Daniel Olsen
815063744b bicep/postgres: Remove jit setting 
The nixos build of postgres doesn't support it anyways
 2023-05-23 04:57:18 +02:00
Daniel Olsen
ede76faa79 Document nix flake check 2023-05-23 04:55:14 +02:00
Daniel Olsen
2752c26675 fix nixosConfig override 2023-05-23 04:43:39 +02:00
Daniel Olsen
dfd827ee74 Clean up jokum removal 2023-05-23 04:29:45 +02:00
Felix Albrigtsen
9ccfb6cbed Merge branch 'bekkalokk-metrics' 2023-05-21 04:04:29 +02:00
Felix Albrigtsen
1335ab1d4b Add metrics exporters to bekkalokk 2023-05-21 04:03:14 +02:00
felixalb
69be23712f Merge branch 'bicep-metrics' of Drift/pvv-nixos-config into main 2023-05-21 03:47:53 +02:00
Felix Albrigtsen
ce58f91e16 Add metrics exporters to bicep 2023-05-21 03:47:02 +02:00
felixalb
360f873c31 Merge branch 'bekkalokk-baremetal' of Drift/pvv-nixos-config into main 2023-05-21 02:31:39 +02:00
Felix Albrigtsen
8ccf9e9298 Update keys and re-enable web services 2023-05-21 02:29:14 +02:00
Felix Albrigtsen
8b70d84f41 bekkalokk: hardware-config for baremetal 2023-05-21 00:06:25 +02:00
h7x4
cd0c8c8198 bekkalokk: continue work on mediawiki service 2023-05-19 03:03:47 +02:00
h7x4
c11a804097 bicep: set up mysql/mariadb 2023-05-18 15:40:13 +02:00
h7x4
45ada78304 oysteikt: edit user settings 2023-05-17 15:38:42 +02:00
Daniel Olsen
4ff5da28c4 bicep: nginx listen on bicep ip 2023-05-08 03:38:59 +02:00
Daniel Olsen
ee73a964be move matrix to bicep 2023-05-08 03:38:59 +02:00
h7x4
dcbe6871da bekkalokk: setup keycloak 2023-05-07 00:34:42 +02:00
h7x4
0e75e0a5b9 bicep: add backup service 2023-05-06 19:07:10 +02:00
Daniel Olsen
f77a5e946f bicep: mount /data 2023-04-08 05:23:01 +02:00
Daniel Olsen
bac67ee123 bicep: don't wait for all interfaces and especially not jokums 2023-04-07 04:53:36 +02:00
Daniel Olsen
9f6020b5e7 update flake 2023-04-07 04:12:46 +02:00
Daniel Olsen
38e3202c9e Move more of jokum 
slightly less stupid this time
 2023-03-26 14:44:58 +02:00
Daniel Olsen
bddd7e438d update jokum sops secrets 2023-03-26 13:14:55 +02:00
Daniel Olsen
7620fb3dee move jokum to nixos bicep 2023-03-26 06:36:04 +02:00
h7x4
dfe8b8b44c bicep: added postgres settings 2023-03-26 01:50:00 +01:00
h7x4
169f774e81 bicep dead, but maybe soon bicep alive 2023-03-26 01:09:44 +01:00
Felix Albrigtsen
2568800794 Add andresbu to node-exporter targets 2023-03-12 00:41:36 +01:00
Daniel Olsen
d9c19385fa synapse: cache more event_auth 2023-03-08 03:18:57 +01:00
Daniel Olsen
28dad93826 open the nixos firewall for node-exporter 2023-03-04 22:47:11 +01:00
Daniel Olsen
70f4777696 fix synapse dashboard 2023-03-04 05:11:40 +01:00
Daniel Olsen
a9d04ed286 Let nodes access their own prometheus metrics 2023-03-04 04:08:46 +01:00
Daniel Olsen
db69d28b42 Revert "metrics: Fix Synapse dashboard" 
This reverts commit beb8df8fc7.
 2023-03-04 03:14:54 +01:00
Daniel Olsen
8f23d7ba06 jokum: don't use host resolv.conf 2023-03-04 03:04:32 +01:00
Daniel Olsen
e61977e497 Disable dhcp and set domain again 2023-03-04 02:13:00 +01:00
Daniel Olsen
3252a3b5d1 turn on jokum 2023-03-04 02:03:37 +01:00
Daniel Olsen
8e819b5546 fix ip for bekkalokk 2023-03-04 00:57:28 +01:00
Daniel Olsen
6cf831a347 switch to networkd 2023-03-04 00:44:30 +01:00
Daniel Olsen
af955c88f8 jokum: move to systemd-nspawn container on bicep 2023-02-26 19:23:00 +01:00
Daniel Olsen
e293d64e66 flake update 2023-02-13 04:01:09 +01:00
Daniel Olsen
eed3c9b05f matrix: Point mjolnir directly at synapse so it can use the admin api 2023-02-13 03:42:52 +01:00
Daniel Olsen
7a9759ef71 matrix: Add mjolnir as a moderation bot 2023-02-13 02:34:11 +01:00
Daniel Olsen
4684cd239a matrix: enable shared secret registration 2023-02-13 00:58:15 +01:00
Daniel Olsen
c0c0dea069 tune worker distribution post fosdem and turning off prescence 2023-02-06 02:11:07 +01:00
Daniel Olsen
9c18a87866 element: disable presence if disabled in synapse 2023-02-02 18:51:47 +01:00
Daniel Olsen
73aa42a5f5 synapse: Disable presence 
For now at least until we move to a stronger
machine.

Most large servers don't have this enabled.
 2023-02-02 18:39:08 +01:00
Daniel Olsen
eade192132 synapse: bump federation receiver count to 3 2023-02-02 00:35:26 +01:00
Daniel Olsen
beb8df8fc7 metrics: Fix Synapse dashboard 
Some of the panels were set to the wrong
datasource

Additionally since we don't do MAU limits,
I moved the relevant MAU panel to Overview
 2023-02-01 22:54:54 +01:00
Daniel Olsen
1a424c79fe synapse: track monthly active users 2023-02-01 19:42:49 +01:00
Daniel Olsen
ad7961a67b flake update 2023-02-01 19:35:33 +01:00
h7x4
796155481f Add host bekkalokk 
`bekkalokk` is a new machine, meant to host web services and eventually
miscellaneous services.
 2023-01-29 01:51:35 +01:00
h7x4
387794fbe0 Add packages for user oysteikt 2023-01-28 20:26:34 +01:00
h7x4
a136dd315a Add globally installed packages 2023-01-28 20:26:21 +01:00
h7x4
efc8eb7ffc ildkule: add postgres exporter for knakelibrak 2023-01-26 02:16:52 +01:00
felixalb
f3d143cfb9 Merge branch 'essendrop-metrics' of Drift/pvv-nixos-config into main 2023-01-23 14:48:29 +01:00
Felix Albrigtsen
84b57bb4db Provision go dashboard for gogs 2023-01-23 14:48:26 +01:00
felixalb
bef9bddca3 Merge branch 'essendrop-metrics' of Drift/pvv-nixos-config into main 2023-01-23 14:16:46 +01:00
Felix Albrigtsen
b4e74a3959 Add node and gogs metrics collection to prometheus 2023-01-23 13:12:46 +01:00
h7x4
a78f120a65 explicitly state nginx listen addresses 2023-01-22 17:46:48 +01:00
h7x4
3880190577 ildkule: add postgres dashboard to grafana 2023-01-22 02:28:19 +01:00
h7x4
171fea39bc ildkule: switch grafana db from sqlite to postgres 2023-01-22 02:18:21 +01:00
Daniel Olsen
e7786fee0c add felix to jokum secrets 2023-01-22 00:47:23 +01:00
h7x4
5d50a9807e sops: reencrypt jokum secrets with felixalb keys 2023-01-22 00:47:22 +01:00
h7x4
2bc5d7d91e ildkule: set up postgres metrics exporter 2023-01-22 00:47:22 +01:00
h7x4
a7408b8800 ildkule: restructure prometheus config 2023-01-21 20:08:36 +01:00
h7x4
ad75cb0c88 Restructure values file to separate hosts from services 2023-01-21 19:54:20 +01:00
h7x4
cb403a7aeb update settings for user oysteikt 2023-01-21 18:26:46 +01:00
Daniel Olsen
94fc936251 ildkule: use ip addressess from values.nix 2023-01-21 11:45:05 +01:00
Felix Albrigtsen
ecfde9f56a Update ildkule IPv6-address 2023-01-20 11:40:42 +01:00
Daniel Olsen
1a0880086a metrics: use matrix-lib to simplify generation of prometheus scrape config 2023-01-20 08:24:02 +01:00
Daniel Olsen
efed13c810 Revert "metrics: stop parsing prometheus labels from url" 
This reverts commit 1524b6b10c.

Prometheus doesn't allow scraping from uris only socketAddresses
The relabeling is to change the internal labels to trick it to read
from a url
 2023-01-20 05:04:16 +01:00
h7x4
1524b6b10c metrics: stop parsing prometheus labels from url 2023-01-20 01:15:45 +01:00
Daniel Olsen
90e924c083 synapse: also generate metric config for the master node 2023-01-18 04:04:42 +01:00
h7x4
c8d26e3c81 synapse: generate metric endpoints automatically 2023-01-18 02:55:05 +01:00
Daniel Olsen
e590e54862 metrics-exporters: Include loglevel as label 2023-01-17 19:25:41 +01:00
Daniel Olsen
1330c9575f metrics/dashboards/synapse: update default timeframe 2023-01-17 18:57:32 +01:00
danio
4a82d22a56 Merge branch 'jokum_logs' of Drift/pvv-nixos-config into main 2023-01-17 18:50:41 +01:00
Daniel Olsen
64d0253aa0 I dont think the nginx config verifier has caught a single configuration error ever 2023-01-17 18:47:08 +01:00
Daniel Olsen
a5bbd65757 disable ipv6 privacyExtension by default 2023-01-17 18:24:58 +01:00
Daniel Olsen
1ea40456a5 add ipv6 to allowed ip addresses for metrics exporters 2023-01-17 18:23:42 +01:00
Daniel Olsen
524bbdb78b ildkule/dashboard/synapse: Make zooming out on the cpu graph aggregate max cpu instead of avg 2023-01-17 17:37:44 +01:00
Daniel Olsen
473170cc41 update deployment command to invalidate cache 
I had fixed the issue but since it was resuing the broken commit it didnt actually get deployed
 2023-01-17 17:28:50 +01:00
Daniel Olsen
99fed59f1a update flake and point to right matrix-synapse-next branch 2023-01-17 17:28:50 +01:00
Daniel Olsen
5b798b2f1d jokum: enable metric exporters 2023-01-17 17:28:47 +01:00
Daniel Olsen
96b6dee404 Add firewalling to metric exporters 2023-01-17 17:28:11 +01:00
Daniel Olsen
e4cb215d39 Simplify networking configs 
Introduces values.nix, a place to store information relevant across systems
 2023-01-17 17:28:11 +01:00
felixalb
4e93962f1c Merge branch 'prometheustargets' of Drift/pvv-nixos-config into main 2023-01-17 13:47:51 +01:00
Felix Albrigtsen
e679c7d27a Add bicep and hildring to monitoring 2023-01-17 13:47:48 +01:00
116 changed files with 17403 additions and 1442 deletions
Expand all files Collapse all files

13
.gitea/workflows/eval.yml Normal file
View File

@@ -0,0 +1,13 @@
name: "Eval nix flake"
on:
pull_request:
push:
jobs:
evals:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: apt-get update && apt-get -y install sudo
- uses: https://github.com/cachix/install-nix-action@v23
- run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
- run: nix flake check

41
.sops.yaml
View File

@@ -1,33 +1,62 @@
keys:
# Users
- &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
- &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
- &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
- &host_jokum age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
- &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
# Hosts
- &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
- &host_ildkule age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
creation_rules:
# Global secrets
- path_regex: secrets/[^/]+\.yaml$
key_groups:
- age:
- *user_danio
- *host_jokum
- *user_danio
- *user_felixalb
- *user_eirikwit
pgp:
- *user_oysteikt
# Host specific secrets
## Jokum
- path_regex: secrets/bekkalokk/[^/]+\.yaml$
key_groups:
- age:
- *host_bekkalokk
- *user_danio
- *user_felixalb
pgp:
- *user_oysteikt
- path_regex: secrets/jokum/[^/]+\.yaml$
key_groups:
- age:
- *user_danio
- *host_jokum
- *user_danio
- *user_felixalb
pgp:
- *user_oysteikt
- path_regex: secrets/ildkule/[^/]+\.yaml$
key_groups:
- age:
- *user_felixalb
- *user_danio
- *host_ildkule
- *user_danio
- *user_felixalb
pgp:
- *user_oysteikt
- path_regex: secrets/bicep/[^/]+\.yaml$
key_groups:
- age:
- *host_bicep
- *user_danio
- *user_felixalb
pgp:
- *user_oysteikt

24
README.MD
View File

@@ -4,9 +4,19 @@
Før du endrer på ting husk å ikke putte ting som skal være hemmelig uten å først lese seksjonen for hemmeligheter!
Etter å ha klonet prosjektet ned og gjort endringer kan du bygge med:
Etter å ha klonet prosjektet ned og gjort endringer kan du evaluere configene med:
`nix build .#nixosConfigurations.jokum.config.system.build.toplevel`
`nix flake check --keep-going`
før du bygger en maskin med:
`nix build .#<maskinnavn>`
hvis du vil være ekstra sikker på at alt bygger så kan du kjøre:
`nix build .` for å bygge alle de viktige maskinene.
NB: Dette kan ta opp til 30 minutter avhengig av hva som ligger i caches
Husk å hvertfall stage nye filer om du har laget dem!
@@ -16,7 +26,7 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
som root på maskinen.
@@ -37,3 +47,11 @@ for å få tilgang til å lese/skrive hemmeligheter må du spørre noen/noe som
om å legge til age eller pgp nøkkelen din i [`.sops.yaml`](https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/.sops.yaml)
Denne kan du generere fra ssh-nøkkelene dine eller lage en egen nøkkel.
### Legge til flere keys
Gjør det som gir mening i .sops.yml
Etter det kjør `sops updatekeys secrets/host/file.yml`
MERK at det ikke er `sops -r` som BARE roterer nøkklene for de som allerede er i secretfila

BIN
assets/logo_blue_regular.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 254 KiB

172
assets/logo_blue_regular.svg Normal file
View File

@@ -0,0 +1,172 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
width="200mm"
height="200mm"
viewBox="0 0 200 200"
version="1.1"
id="svg5"
inkscape:version="1.1.2 (b8e25be833, 2022-02-05)"
sodipodi:docname="logo_blue_thicc.svg"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns="http://www.w3.org/2000/svg"
xmlns:svg="http://www.w3.org/2000/svg">
<sodipodi:namedview
id="namedview7"
pagecolor="#505050"
bordercolor="#ffffff"
borderopacity="1"
inkscape:pageshadow="0"
inkscape:pageopacity="0"
inkscape:pagecheckerboard="1"
inkscape:document-units="mm"
showgrid="false"
inkscape:zoom="3.9730533"
inkscape:cx="359.54715"
inkscape:cy="690.40101"
inkscape:window-width="1920"
inkscape:window-height="1057"
inkscape:window-x="-8"
inkscape:window-y="-8"
inkscape:window-maximized="1"
inkscape:current-layer="Layer_4"
width="200mm" />
<defs
id="defs2" />
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1">
<g
id="g98"
transform="scale(0.25)">
<g
id="Layer_2"
style="fill:#283681;fill-opacity:1">
<rect
y="0"
class="st0"
width="800"
height="800"
id="rect4"
x="0"
style="fill:#283681;fill-opacity:1"
inkscape:export-filename="C:\Users\al3xk\OneDrive - NTNU\PVV\Gogs\PR\logoer\logo_blue.png"
inkscape:export-xdpi="480"
inkscape:export-ydpi="480" />
</g>
<g
id="Layer_4"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1">
<line
class="st1"
x1="478.39999"
y1="720.29999"
x2="313.20001"
y2="720.29999"
id="line9"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<path
class="st1"
d="M 478.4,720.3"
id="path11"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<polyline
class="st2"
points="717.1,223.3 717.1,720.3 497.3,720.3 "
id="polyline13"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<path
class="st2"
d="m 498.39888,720.3 c 0,-5.6 -4.5,-10.1 -10.1,-10.1 -5.6,0 -10.1,4.5 -10.1,10.1 h -163.8 c 0,-5.6 -4.5,-10.1 -10.1,-10.1 -5.6,0 -10.1,4.5 -10.1,10.1 -69.7592,0 -145.68417,0 -217.599996,0 V 79.7 H 717.09888 v 120 0 h -17.3 v 24.8 h 17.3"
id="path15"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-linecap:square;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
sodipodi:nodetypes="csccsccccccccc" />
</g>
<g
id="Layer_3"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1">
<circle
class="st2"
cx="396.79999"
cy="400"
id="circle18"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
r="320.29999" />
</g>
<g
id="Layer_1"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1">
<polyline
class="st2"
points="514.5,173.5 170.2,173.5 170.3,626.6 623.3,626.5 623.3,215.7 584.4,173.4 557,173.4 548,180.6 526.5,180.7 "
id="polyline21"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<path
class="st2"
d="m 526.5,331.8 c 0,7.6 -5.4,13.7 -12,13.7 H 227.7 c -6.6,0 -12,-6.1 -12,-13.7 V 187.2 c 0,-7.6 5.4,-13.7 12,-13.7 h 286.8 c 6.6,0 12,6.1 12,13.7 z"
id="path27"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<path
class="st2"
d="m 526.7,333.6 c 0,6.6 -5.4,12 -12,12 H 296.8 c -6.6,0 -12,-5.4 -12,-12 V 185.5 c 0,-6.6 5.4,-12 12,-12 h 217.9 c 6.6,0 12,5.4 12,12 z"
id="path29"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<path
class="st2"
d="m 577.9,613.7 c 0,6.6 -5.4,12 -12,12 H 227.7 c -6.6,0 -12,-5.4 -12,-12 V 381.1 c 0,-6.6 5.4,-12 12,-12 h 338.2 c 6.6,0 12,5.4 12,12 z"
id="path31"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<rect
x="179.89999"
y="590.20001"
class="st2"
width="25.700001"
height="23"
id="rect33"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<rect
x="587.59998"
y="590.20001"
class="st2"
width="25.700001"
height="23"
id="rect35"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<rect
x="433.60001"
y="193.5"
class="st2"
width="64.900002"
height="137.8"
id="rect37"
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
</g>
<path
d="m 274.9401,541.572 c 0,3.528 2.772,6.426 6.3,6.426 3.528,0 6.426,-2.898 6.426,-6.426 v -30.996 h 30.87 c 10.458,0 19.152,-8.694 19.152,-19.152 v -22.68 c 0,-10.332 -8.694,-19.026 -19.152,-19.026 h -43.596 z m 12.726,-43.722 v -35.406 h 30.87 c 3.276,0 6.426,2.898 6.426,6.3 v 22.68 c 0,3.528 -3.024,6.426 -6.426,6.426 z"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:126px;font-family:OCRA;-inkscape-font-specification:OCRA;fill:#ffffff;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
id="path55-2" />
<path
d="m 365.99479,478.824 25.326,65.142 c 1.008,2.394 3.276,4.032 6.048,4.032 2.646,0 4.914,-1.638 5.922,-4.032 l 25.452,-65.268 v -22.68 c 0,-3.402 -2.898,-6.3 -6.426,-6.3 -3.528,0 -6.3,2.898 -6.3,6.3 v 20.286 l -18.648,47.628 -18.648,-47.628 v -20.286 c 0,-3.402 -2.898,-6.3 -6.426,-6.3 -3.528,0 -6.3,2.898 -6.3,6.3 z"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:126px;font-family:OCRA;-inkscape-font-specification:OCRA;fill:#ffffff;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
id="path57-8" />
<path
d="m 457.04947,478.824 25.326,65.142 c 1.008,2.394 3.276,4.032 6.048,4.032 2.646,0 4.914,-1.638 5.922,-4.032 l 25.452,-65.268 v -22.68 c 0,-3.402 -2.898,-6.3 -6.426,-6.3 -3.528,0 -6.3,2.898 -6.3,6.3 v 20.286 l -18.648,47.628 -18.648,-47.628 v -20.286 c 0,-3.402 -2.898,-6.3 -6.426,-6.3 -3.528,0 -6.3,2.898 -6.3,6.3 z"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:126px;font-family:OCRA;-inkscape-font-specification:OCRA;fill:#ffffff;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
id="path59-1" />
</g>
</g>
<style
type="text/css"
id="style2">
.st0{fill:#ffffff;}
.st1{fill:none;stroke:#ffffff;stroke-width:2;stroke-miterlimit:10;}
.st2{fill:none;stroke:#000000;stroke-width:2;stroke-miterlimit:10;}
.st3{fill:none;}
.st4{stroke:#000000;stroke-miterlimit:10;}
.st5{font-family:'OCRAStd';}
.st6{font-size:126px;}
</style>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 8.2 KiB

23
base.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, inputs, ... }:
{ config, lib, pkgs, inputs, values, ... }:
{
imports = [
@@ -7,10 +7,15 @@
networking.domain = "pvv.ntnu.no";
networking.useDHCP = false;
networking.search = [ "pvv.ntnu.no" "pvv.org" ];
# networking.search = [ "pvv.ntnu.no" "pvv.org" ];
# networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
# networking.tempAddresses = lib.mkDefault "disabled";
# networking.defaultGateway = values.hosts.gateway;
systemd.network.enable = true;
services.resolved = {
enable = true;
enable = lib.mkDefault true;
dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
};
@@ -27,7 +32,7 @@
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
flags = [
"--update-input" "nixpkgs"
"--update-input" "unstable"
"--update-input" "nixpkgs-unstable"
"--no-write-lock-file"
];
};
@@ -50,8 +55,11 @@
environment.systemPackages = with pkgs; [
file
git
gnupg
htop
nano
rsync
screen
tmux
vim
wget
@@ -59,14 +67,19 @@
kitty.terminfo
];
programs.zsh.enable = true;
users.groups."drift".name = "drift";
# Trusted users on the nix builder machines
users.groups."nix-builder-users".name = "nix-builder-users";
services.openssh = {
enable = true;
permitRootLogin = "yes";
extraConfig = ''
PubkeyAcceptedAlgorithms=+ssh-rsa
'';
settings.PermitRootLogin = "yes";
};

165
flake.lock generated
View File

@@ -1,59 +1,162 @@
{
"nodes": {
"matrix-next": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1671009204,
"narHash": "sha256-gqA9po/KmHyh44XYqv/LfFJ1+MGufhaaD6DhDqBeaF8=",
"lastModified": 1710169806,
"narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
"owner": "nix-community",
"repo": "disko",
"rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"grzegorz": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1696346665,
"narHash": "sha256-J6Tf6a/zhFZ8SereluHLrvgPsIVm2CGHHA8wrbhZB3Y=",
"owner": "Programvareverkstedet",
"repo": "grzegorz",
"rev": "9b9c3ac7d408ac7c6d67544b201e6b169afacb03",
"type": "github"
},
"original": {
"owner": "Programvareverkstedet",
"repo": "grzegorz",
"type": "github"
}
},
"grzegorz-clients": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1693864994,
"narHash": "sha256-oLDiWdCKDtEfeGzfAuDTq+n9VWp6JCo67PEESEZ3y8E=",
"owner": "Programvareverkstedet",
"repo": "grzegorz-clients",
"rev": "a38a0b0fb31ad0ad78a91458cb2c7f77f686468f",
"type": "github"
},
"original": {
"owner": "Programvareverkstedet",
"repo": "grzegorz-clients",
"type": "github"
}
},
"matrix-next": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1710311999,
"narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "43dbc17526576cb8e0980cef51c48b6598f97550",
"rev": "6c9b67974b839740e2a738958512c7a704481157",
"type": "github"
},
"original": {
"owner": "dali99",
"ref": "flake-experiments",
"repo": "nixos-matrix-modules",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1670946965,
"narHash": "sha256-PDJfKgK/aSV3ISnD1TbKpLPW85LO/AQI73yQjbwribA=",
"lastModified": 1710248792,
"narHash": "sha256-yFyWw4na+nJgtXwhHs2SJSy5Lcw94/FcMbBOorlGdfI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "265caf30fa0a5148395b62777389b57eb0a537fd",
"rev": "efbb274f364c918b9937574de879b5874b5833cc",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11-small",
"repo": "nixpkgs",
"type": "github"
"id": "nixpkgs",
"ref": "nixos-23.11-small",
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1670146390,
"narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=",
"lastModified": 1710033658,
"narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "86370507cb20c905800527539fc049a2bf09c667",
"rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.11",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1710247538,
"narHash": "sha256-Mm3aCwfAdYgG2zKf5SLRBktPH0swXN1yEetAMn05KAA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "21adc4f16a8ab151fec83b9d9368cd62d9de86bc",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable-small",
"type": "indirect"
}
},
"pvv-calendar-bot": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1693136143,
"narHash": "sha256-amHprjftc3y/bg8yf4hITCLa+ez5HIi0yGfR7TU6UIc=",
"ref": "refs/heads/main",
"rev": "a32894b305f042d561500f5799226afd1faf5abb",
"revCount": 9,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
}
},
"root": {
"inputs": {
"disko": "disko",
"grzegorz": "grzegorz",
"grzegorz-clients": "grzegorz-clients",
"matrix-next": "matrix-next",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"pvv-calendar-bot": "pvv-calendar-bot",
"sops-nix": "sops-nix",
"unstable": "unstable"
"ssp-theme": "ssp-theme"
}
},
"sops-nix": {
@@ -64,11 +167,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1670149631,
"narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=",
"lastModified": 1710195194,
"narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "da98a111623101c64474a14983d83dad8f09f93d",
"rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
"type": "github"
},
"original": {
@@ -77,20 +180,20 @@
"type": "github"
}
},
"unstable": {
"ssp-theme": {
"flake": false,
"locked": {
"lastModified": 1670918062,
"narHash": "sha256-iOhkyBYUU9Jfkk0lvI4ahpjyrTsLXj9uyJWwmjKg+gg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "84575b0bd882be979516f4fecfe4d7c8de8f6a92",
"type": "github"
"lastModified": 1509201641,
"narHash": "sha256-naNRyPL6PAsZKW2w1Vt9wrHT9inCL/yAFnvpy4glv+c=",
"ref": "refs/heads/master",
"rev": "bda4314030be5f81aeaf2fb1927aee582f1194d9",
"revCount": 5,
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/ssp-theme.git"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/ssp-theme.git"
}
}
},

148
flake.nix
View File

@@ -2,45 +2,153 @@
description = "PVV System flake";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11-small";
unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
nixpkgs.url = "nixpkgs/nixos-23.11-small";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules/flake-experiments";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules";
matrix-next.inputs.nixpkgs.follows = "nixpkgs";
grzegorz.url = "github:Programvareverkstedet/grzegorz";
grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
ssp-theme.url = "git+https://git.pvv.ntnu.no/Drift/ssp-theme.git";
ssp-theme.flake = false;
};
outputs = { self, nixpkgs, unstable, sops-nix, ... }@inputs:
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ssp-theme, ... }@inputs:
let
nixlib = nixpkgs.lib;
systems = [
"x86_64-linux"
"aarch64-linux"
"aarch64-darwin"
];
forAllSystems = f: nixlib.genAttrs systems (system: f system);
allMachines = nixlib.mapAttrsToList (name: _: name) self.nixosConfigurations;
importantMachines = [
"bekkalokk"
"bicep"
"brzeczyszczykiewicz"
"georg"
"ildkule"
];
forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
in {
nixosConfigurations = {
jokum = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit unstable inputs; };
modules = [
./hosts/jokum/configuration.nix
sops-nix.nixosModules.sops
nixosConfigurations = let
nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
rec {
system = "x86_64-linux";
specialArgs = {
inherit nixpkgs-unstable inputs;
values = import ./values.nix;
};
inputs.matrix-next.nixosModules.synapse
];
};
ildkule = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit unstable inputs; };
modules = [
./hosts/${name}/configuration.nix
sops-nix.nixosModules.sops
] ++ config.modules or [];
pkgs = import nixpkgs {
inherit system;
overlays = [ ] ++ config.overlays or [ ];
};
}
(removeAttrs config [ "modules" "overlays" ])
);
stableNixosConfig = nixosConfig nixpkgs;
unstableNixosConfig = nixosConfig nixpkgs-unstable;
in {
bicep = stableNixosConfig "bicep" {
modules = [
./hosts/ildkule/configuration.nix
sops-nix.nixosModules.sops
inputs.matrix-next.nixosModules.default
inputs.pvv-calendar-bot.nixosModules.default
];
overlays = [
inputs.pvv-calendar-bot.overlays.x86_64-linux.default
];
};
bekkalokk = stableNixosConfig "bekkalokk" {
overlays = [
(final: prev: {
heimdal = final.callPackage ./packages/heimdal {
inherit (final.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
autoreconfHook = final.buildPackages.autoreconfHook269;
};
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
ssp-theme = final.runCommandLocal "ssp-theme" { } ''
ln -s ${ssp-theme} $out
'';
})
];
};
bob = stableNixosConfig "bob" {
modules = [
disko.nixosModules.disko
{ disko.devices.disk.disk1.device = "/dev/vda"; }
];
};
ildkule = stableNixosConfig "ildkule" { };
#ildkule-unstable = unstableNixosConfig "ildkule" { };
shark = stableNixosConfig "shark" { };
brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
modules = [
inputs.grzegorz.nixosModules.grzegorz-kiosk
inputs.grzegorz-clients.nixosModules.grzegorz-webui
];
};
georg = stableNixosConfig "georg" {
modules = [
inputs.grzegorz.nixosModules.grzegorz-kiosk
inputs.grzegorz-clients.nixosModules.grzegorz-webui
];
};
buskerud = stableNixosConfig "buskerud" { };
};
devShells = forAllSystems (system: {
default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
});
packages = {
"x86_64-linux" = let
pkgs = nixpkgs.legacyPackages."x86_64-linux";
in {
default = self.packages.x86_64-linux.important-machines;
important-machines = pkgs.linkFarm "important-machines"
(nixlib.getAttrs importantMachines self.packages.x86_64-linux);
all-machines = pkgs.linkFarm "all-machines"
(nixlib.getAttrs allMachines self.packages.x86_64-linux);
#######################
# TODO: remove this once nixos 24.05 gets released
#######################
heimdal = pkgs.callPackage ./packages/heimdal {
inherit (pkgs.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
autoreconfHook = pkgs.buildPackages.autoreconfHook269;
};
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
ssp-theme = pkgs.runCommandLocal "ssp-theme" { } ''
ln -s ${ssp-theme} $out
'';
} // nixlib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
};
};
}

41
hosts/bekkalokk/configuration.nix Normal file
View File

@@ -0,0 +1,41 @@
{ pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
#./services/keycloak.nix
# TODO: set up authentication for the following:
# ./services/website.nix
./services/nginx
./services/gitea/default.nix
./services/kerberos
./services/webmail
./services/mediawiki
./services/idp-simplesamlphp
];
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
virtualisation.podman.enable = true;
networking.hostName = "bekkalokk";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0";
address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11";
}

40
hosts/bekkalokk/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/sda1";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/CE63-3B9B";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

30
hosts/bekkalokk/services/gitea/ci.nix Normal file
View File

@@ -0,0 +1,30 @@
{ config, lib, values, ... }:
let
mkRunner = name: {
# This is unfortunately state, and has to be generated one at a time :(
# To do that, comment out all except one of the runners, fill in its token
# inside the sops file, rebuild the system, and only after this runner has
# successfully registered will gitea give you the next token.
# - oysteikt Sep 2023
sops.secrets."gitea/runners/${name}".restartUnits = [
"gitea-runner-${name}.service"
];
services.gitea-actions-runner.instances = {
${name} = {
enable = true;
name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
labels = [
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:18-bullseye"
];
tokenFile = config.sops.secrets."gitea/runners/${name}".path;
};
};
};
in
lib.mkMerge [
(mkRunner "alpha")
(mkRunner "beta")
(mkRunner "epsilon")
]

105
hosts/bekkalokk/services/gitea/default.nix Normal file
View File

@@ -0,0 +1,105 @@
{ config, values, pkgs, ... }:
let
cfg = config.services.gitea;
domain = "git.pvv.ntnu.no";
sshPort = 2222;
in {
imports = [
./ci.nix
];
sops.secrets = {
"gitea/database" = {
owner = "gitea";
group = "gitea";
};
"gitea/passwd-ssh-key" = { };
"gitea/ssh-known-hosts" = { };
"gitea/import-user-env" = { };
};
services.gitea = {
enable = true;
stateDir = "/data/gitea";
appName = "PVV Git";
database = {
type = "postgres";
host = "postgres.pvv.ntnu.no";
port = config.services.postgresql.port;
passwordFile = config.sops.secrets."gitea/database".path;
createDatabase = false;
};
settings = {
server = {
DOMAIN = domain;
ROOT_URL = "https://${domain}/";
PROTOCOL = "http+unix";
SSH_PORT = sshPort;
START_SSH_SERVER = true;
};
indexer.REPO_INDEXER_ENABLED = true;
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
database.LOG_SQL = false;
picture = {
DISABLE_GRAVATAR = true;
ENABLE_FEDERATED_AVATAR = false;
};
actions.ENABLED = true;
"ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
};
};
environment.systemPackages = [ cfg.package ];
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
recommendedProxySettings = true;
extraConfig = ''
client_max_body_size 512M;
'';
};
};
networking.firewall.allowedTCPPorts = [ sshPort ];
# Automatically import users
systemd.services.gitea-import-users = {
enable = true;
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
serviceConfig = {
ExecStart = pkgs.writers.writePython3 "gitea-import-users" { libraries = [ pkgs.python3Packages.requests ]; } (builtins.readFile ./gitea-import-users.py);
LoadCredential=[
"sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
];
DynamicUser="yes";
EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
};
};
systemd.timers.gitea-import-users = {
requires = [ "gitea.service" ];
after = [ "gitea.service" ];
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*-*-* 02:00:00";
Persistent = true;
Unit = "gitea-import-users.service";
};
};
system.activationScripts.linkGiteaLogo.text = let
logo-svg = ../../../../assets/logo_blue_regular.svg;
logo-png = ../../../../assets/logo_blue_regular.png;
in ''
install -Dm444 ${logo-svg} ${cfg.stateDir}/custom/public/img/logo.svg
install -Dm444 ${logo-png} ${cfg.stateDir}/custom/public/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.stateDir}/custom/public/img/loading.png
'';
}

94
hosts/bekkalokk/services/gitea/gitea-import-users.py Normal file
View File

@@ -0,0 +1,94 @@
import requests
import secrets
import os
EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
if EMAIL_DOMAIN is None:
EMAIL_DOMAIN = 'pvv.ntnu.no'
API_TOKEN = os.getenv('API_TOKEN')
if API_TOKEN is None:
raise Exception('API_TOKEN not set')
GITEA_API_URL = os.getenv('GITEA_API_URL')
if GITEA_API_URL is None:
GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
BANNED_SHELLS = [
"/usr/bin/nologin",
"/usr/sbin/nologin",
"/sbin/nologin",
"/bin/false",
"/bin/msgsh",
]
existing_users = {}
# This function should only ever be called when adding users
# from the passwd file
def add_user(username, name):
user = {
"full_name": name,
"username": username,
"login_name": username,
"source_id": 1, # 1 = SMTP
}
if username not in existing_users:
user["password"] = secrets.token_urlsafe(32)
user["must_change_password"] = False
user["visibility"] = "private"
user["email"] = username + '@' + EMAIL_DOMAIN
r = requests.post(GITEA_API_URL + '/admin/users', json=user,
headers={'Authorization': 'token ' + API_TOKEN})
if r.status_code != 201:
print('ERR: Failed to create user ' + username + ': ' + r.text)
return
print('Created user ' + username)
existing_users[username] = user
else:
user["visibility"] = existing_users[username]["visibility"]
r = requests.patch(GITEA_API_URL + f'/admin/users/{username}',
json=user,
headers={'Authorization': 'token ' + API_TOKEN})
if r.status_code != 200:
print('ERR: Failed to update user ' + username + ': ' + r.text)
return
print('Updated user ' + username)
def main():
# Fetch existing users
r = requests.get(GITEA_API_URL + '/admin/users',
headers={'Authorization': 'token ' + API_TOKEN})
if r.status_code != 200:
raise Exception('Failed to get users: ' + r.text)
for user in r.json():
existing_users[user['login']] = user
# Read the file, add each user
with open("/tmp/passwd-import", 'r') as f:
for line in f.readlines():
uid = int(line.split(':')[2])
if uid < 1000:
continue
shell = line.split(':')[-1]
if shell in BANNED_SHELLS:
continue
username = line.split(':')[0]
name = line.split(':')[4].split(',')[0]
add_user(username, name)
if __name__ == '__main__':
main()

BIN
hosts/bekkalokk/services/gitea/loading.apng Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 MiB

135
hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php Normal file
View File

@@ -0,0 +1,135 @@
<?php
/**
* Authenticate using HTTP login.
*
* @author Yorn de Jong
* @author Oystein Kristoffer Tveit
* @package simpleSAMLphp
*/
namespace SimpleSAML\Module\authpwauth\Auth\Source;
class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
{
protected $pwauth_bin_path;
protected $mail_domain;
public function __construct(array $info, array &$config) {
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
$this->pwauth_bin_path = $config['pwauth_bin_path'];
if (array_key_exists('mail_domain', $config)) {
$this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
}
}
public function login(string $username, string $password): array {
$username = strtolower( $username );
if (!file_exists($this->pwauth_bin_path)) {
die("Could not find pwauth binary");
return false;
}
if (!is_executable($this->pwauth_bin_path)) {
die("pwauth binary is not executable");
return false;
}
$handle = popen($this->pwauth_bin_path, 'w');
if ($handle === FALSE) {
die("Error opening pipe to pwauth");
return false;
}
$data = "$username\n$password\n";
if (fwrite($handle, $data) !== strlen($data)) {
die("Error writing to pwauth pipe");
return false;
}
# Is the password valid?
$result = pclose( $handle );
if ($result !== 0) {
if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) {
die("pwauth returned $result for username $username");
}
throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
}
/*
$ldap = ldap_connect('129.241.210.159', 389);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls($ldap);
ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
$search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
$entry = ldap_first_entry($ldap, $search);
$dn = ldap_get_dn($ldap, $entry);
$newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
ldap_modify_batch($ldap, $dn, [
#[
# 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
# 'attrib' => 'unicodePwd',
# 'values' => [$password],
#],
[
#'modtype' => LDAP_MODIFY_BATCH_ADD,
'modtype' => LDAP_MODIFY_BATCH_REPLACE,
'attrib' => 'unicodePwd',
'values' => [$newpassword],
],
]);
*/
#0 - Login OK.
#1 - Nonexistant login or (for some configurations) incorrect password.
#2 - Incorrect password (for some configurations).
#3 - Uid number is below MIN_UNIX_UID value configured in config.h.
#4 - Login ID has expired.
#5 - Login's password has expired.
#6 - Logins to system have been turned off (usually by /etc/nologin file).
#7 - Limit on number of bad logins exceeded.
#50 - pwauth was not run with real uid SERVER_UID. If you get this
# this error code, you probably have SERVER_UID set incorrectly
# in pwauth's config.h file.
#51 - pwauth was not given a login & password to check. The means
# the passing of data from mod_auth_external to pwauth is messed
# up. Most likely one is trying to pass data via environment
# variables, while the other is trying to pass data via a pipe.
#52 - one of several possible internal errors occured.
$uid = $username;
# TODO: Reinstate this code once passwd is working...
/*
$cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1'));
$groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid)));
array_shift($groups);
array_shift($groups);
array_pop($groups);
$info = posix_getpwnam($uid);
$group = $info['gid'];
if (!in_array($group, $groups)) {
$groups[] = $group;
}
*/
$cn = "Unknown McUnknown";
$groups = array();
$result = array(
'uid' => array($uid),
'cn' => array($cn),
'group' => $groups,
);
if (isset($this->mail_domain)) {
$result['mail'] = array($uid.$this->mail_domain);
}
return $result;
}
}

1294
hosts/bekkalokk/services/idp-simplesamlphp/config.php Normal file
View File

File diff suppressed because it is too large Load Diff

204
hosts/bekkalokk/services/idp-simplesamlphp/default.nix Normal file
View File

@@ -0,0 +1,204 @@
{ config, pkgs, lib, ... }:
let
pwAuthScript = pkgs.writeShellApplication {
name = "pwauth";
runtimeInputs = with pkgs; [ coreutils heimdal ];
text = ''
read -r user1
user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
if test "$user1" != "$user2"
then
read -r _
exit 2
fi
kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO"
'';
};
package = pkgs.simplesamlphp.override {
extra_files = {
# NOTE: Using self signed certificate created 30. march 2024, with command:
# openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
"metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
<?php
$metadata['https://idp2.pvv.ntnu.no/'] = array(
'host' => '__DEFAULT__',
'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
'certificate' => '${./idp.crt}',
'auth' => 'pwauth',
);
?>
'';
"metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
<?php
${ lib.pipe config.services.idp.sp-remote-metadata [
(map (url: ''
$metadata['${url}'] = [
'SingleLogoutService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
],
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
],
],
'AssertionConsumerService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 0,
],
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 1,
],
],
];
''))
(lib.concatStringsSep "\n")
]}
?>
'';
"config/authsources.php" = pkgs.writeText "idp-authsources.php" ''
<?php
$config = array(
'admin' => array(
'core:AdminPassword'
),
'pwauth' => array(
'authpwauth:PwAuth',
'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
'mail_domain' => '@pvv.ntnu.no',
),
);
?>
'';
"config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
cp ${./config.php} "$out"
substituteInPlace "$out" \
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
--replace '$SAML_ADMIN_NAME' '"Drift"' \
--replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
--replace '$SAML_DATABASE_USERNAME' '"idp"' \
--replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
--replace '$CACHE_DIRECTORY' '/var/cache/idp'
'';
"modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
"modules/themepvv" = pkgs.ssp-theme;
};
};
in
{
options.services.idp.sp-remote-metadata = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
description = ''
List of urls point to (simplesamlphp) service profiders, which the idp should trust.
:::{.note}
Make sure the url ends with a `/`
:::
'';
};
config = {
sops.secrets = {
"idp/privatekey" = {
owner = "idp";
group = "idp";
mode = "0770";
};
"idp/admin_password" = {
owner = "idp";
group = "idp";
};
"idp/postgres_password" = {
owner = "idp";
group = "idp";
};
"idp/cookie_salt" = {
owner = "idp";
group = "idp";
};
};
users.groups."idp" = { };
users.users."idp" = {
description = "PVV Identity Provider Service User";
group = "idp";
createHome = false;
isSystemUser = true;
};
systemd.tmpfiles.settings."10-idp" = {
"/var/cache/idp".d = {
user = "idp";
group = "idp";
mode = "0770";
};
"/var/lib/idp".d = {
user = "idp";
group = "idp";
mode = "0770";
};
};
services.phpfpm.pools.idp = {
user = "idp";
group = "idp";
settings = let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
# "php_admin_value[error_log]" = "stderr";
};
};
services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
root = "${package}/share/php/simplesamlphp/public";
locations = {
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
"/" = {
alias = "${package}/share/php/simplesamlphp/public/";
index = "index.php";
extraConfig = ''
location ~ ^/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$phpfile;
fastcgi_param SCRIPT_NAME /$phpfile;
fastcgi_param PATH_INFO $pathinfo if_not_empty;
}
'';
};
};
};
};
}

33
hosts/bekkalokk/services/idp-simplesamlphp/idp.crt Normal file
View File

@@ -0,0 +1,33 @@
-----BEGIN CERTIFICATE-----
MIIFqTCCA5GgAwIBAgIUL2+PMM9rE9wI5W2yNnJ2CmfGxh0wDQYJKoZIhvcNAQEL
BQAwZDELMAkGA1UEBhMCTk8xEzARBgNVBAgMClNvbWUtU3RhdGUxHjAcBgNVBAoM
FVByb2dyYW12YXJldmVya3N0ZWRldDEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2
Lm50bnUubm8wHhcNMjQwMzMwMDAyNjQ0WhcNMjUwMzMwMDAyNjQ0WjBkMQswCQYD
VQQGEwJOTzETMBEGA1UECAwKU29tZS1TdGF0ZTEeMBwGA1UECgwVUHJvZ3JhbXZh
cmV2ZXJrc3RlZGV0MSAwHgYJKoZIhvcNAQkBFhFkcmlmdEBwdnYubnRudS5ubzCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/0l0jdV+PoVxdd21F+2NLm
JN6sZmSJexOSk/sFjhhF4WMtjOfDAQYjt3hlLPyYl//jCe9WteavvtdCx1tHJitd
xjOUJ/leVjHzBttCVZR+iTlQtpsZ2TbRMJ5Fcfl82njlPecV4umJvnnFXawE4Qee
dE2OM8ODjjrK1cNaHR74tyZCwmdOxNHXZ7RN22p9kZjLD18LQyNr5igaDBeaZkyk
Gxbg4tbP51x9JFRLF7kUlyAc83geFnw6v/wBahr49m/X4y7xE0rdPb2L0moUjmOO
Zyl3hvxMI3+g/0FVMM5eKmfIIP2rIVEAa6MWMx0vPjC6h2fIyxkUqg5C8aFlpqav
+8f2rUc+JfdiFsIZNrylBXsleGzS+/wY1uB/pAy5Vg9WCp+eC75EtWMt0k2f442G
rhKa3lAZ6GIYrtEiQiNGM1aT1Cs1nqTtslfnHiuAKBefLjCXgq9uvL2yRodwe9/m
oZiqYnLHy/v1xfnF5rKTcRmOleU3tc+nlN6tZSGC1nZgMpqpoqdcbJXAkvaJ2Km4
sl0YS28VQnztgzuVPNdnv8lcS6HmkaGaNWbepKgWeaH5oT7O6u99wZIv88m+tf5m
Eu197YVpcclnojQCYKauWcQFsXS20egsVP87Qk0e2SHmGTUQp6YEYX6RLjkg7/vS
BelDBbCldraNVEiC0jmpAgMBAAGjUzBRMB0GA1UdDgQWBBSL0yofG5NEmzFIRuqC
xmyiuZW6DTAfBgNVHSMEGDAWgBSL0yofG5NEmzFIRuqCxmyiuZW6DTAPBgNVHRMB
Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAZZVs7BLk/NLq3f4Ik8qH3IoDN
2m4XXRZS+xxw5RwctgSnik7AffgAfv8QQm2co8UYkHbB0whaG1PDz+L7wB1hVkWn
DVUaJcKQnn0x+sNU5LoTbjI0PlaST7PO5D0OMFab8FSNxpzzpbUcgZUhelc99Ri/
2Gh8mf4b3Y3Uzq6YKFsuFM65OuJhH8f1w6onai9x28t6tERHUSUfJ2keXzU4ytCV
EitWXwhe759VLqmdP4BATwlCOCuwa5aDeGcWRIqFpYIn0SOAmVV3o4V71JdZc1jE
fuOo/PbiHZ+R9ZGbh98aMidb0moL1ZDhmir9KbedezNyki6JJ72mVclhLqUajFxr
T39FXd5e2+QBMHPPhVFznQoHWnHEbZigTt61b0cg/TsxaxOkF4Ilmr/2DmSWysWK
TF5eq8hp6/53qVbXXSzrCjxd3wzGnRabsEVPX/L2hYDx81hluovJQCtskqTq1joI
W2R7AO5Sdyc6NfOR85kl0HXzHa+0Slsf8ZDs5nCz/mOOPoAGl7IxF7xQ6kPO7V+U
HdGE2tkblM/TrAObJH0HXySeJGI7Vfya+D1Y8IqGtyZtWyx1DmlA/OezGGf5D3rG
88LywHQQ2mQ+8aosBTE4+HQ+apLKZBprqQKuiDjT1RSUbfUHQkYuL+D1oIVmklAc
UxTpf01QJnZkMqf5NQ==
-----END CERTIFICATE-----

22
hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix Normal file
View File

@@ -0,0 +1,22 @@
''
<?php
$metadata['https://idp2.pvv.ntnu.no/'] = [
'metadata-set' => 'saml20-idp-hosted',
'entityid' => 'https://idp2.pvv.ntnu.no/',
'SingleSignOnService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
],
],
'SingleLogoutService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
],
],
'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],
'certificate' => '${./idp.crt}',
];
?>
''

27
hosts/bekkalokk/services/kerberos/default.nix Normal file
View File

@@ -0,0 +1,27 @@
{ config, pkgs, lib, ... }:
{
#######################
# TODO: remove these once nixos 24.05 gets released
#######################
imports = [
./krb5.nix
./pam.nix
];
disabledModules = [
"config/krb5/default.nix"
"security/pam.nix"
];
#######################
security.krb5 = {
enable = true;
settings = {
libdefaults = {
default_realm = "PVV.NTNU.NO";
dns_lookup_realm = "yes";
dns_lookup_kdc = "yes";
};
realms."PVV.NTNU.NO".admin_server = "kdc.pvv.ntnu.no";
};
};
}

88
hosts/bekkalokk/services/kerberos/krb5-conf-format.nix Normal file
View File

@@ -0,0 +1,88 @@
{ pkgs, lib, ... }:
# Based on
# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
let
inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
str submodule;
in
{ }: {
type = let
section = attrsOf relation;
relation = either (attrsOf value) value;
value = either (listOf atom) atom;
atom = oneOf [int str bool];
in submodule {
freeformType = attrsOf section;
options = {
include = mkOption {
default = [ ];
description = mdDoc ''
Files to include in the Kerberos configuration.
'';
type = coercedTo path singleton (listOf path);
};
includedir = mkOption {
default = [ ];
description = mdDoc ''
Directories containing files to include in the Kerberos configuration.
'';
type = coercedTo path singleton (listOf path);
};
module = mkOption {
default = [ ];
description = mdDoc ''
Modules to obtain Kerberos configuration from.
'';
type = coercedTo path singleton (listOf path);
};
};
};
generate = let
indent = str: concatMapStringsSep "\n" (line: " " + line) (splitString "\n" str);
formatToplevel = args @ {
include ? [ ],
includedir ? [ ],
module ? [ ],
...
}: let
sections = removeAttrs args [ "include" "includedir" "module" ];
in concatStringsSep "\n" (filter (x: x != "") [
(concatStringsSep "\n" (mapAttrsToList formatSection sections))
(concatMapStringsSep "\n" (m: "module ${m}") module)
(concatMapStringsSep "\n" (i: "include ${i}") include)
(concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
]);
formatSection = name: section: ''
[${name}]
${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
'';
formatRelation = name: relation:
if isAttrs relation
then ''
${name} = {
${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
}''
else formatValue name relation;
formatValue = name: value:
if isList value
then concatMapStringsSep "\n" (formatAtom name) value
else formatAtom name value;
formatAtom = name: atom: let
v = if isBool atom then boolToString atom else toString atom;
in "${name} = ${v}";
in
name: value: pkgs.writeText name ''
${formatToplevel value}
'';
}

90
hosts/bekkalokk/services/kerberos/krb5.nix Normal file
View File

@@ -0,0 +1,90 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
inherit (lib.types) bool;
mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
The option `krb5.${name}' has been removed. Use
`security.krb5.settings.${name}' for structured configuration.
'';
cfg = config.security.krb5;
format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
in {
imports = [
(mkRemovedOptionModuleCfg "libdefaults")
(mkRemovedOptionModuleCfg "realms")
(mkRemovedOptionModuleCfg "domain_realm")
(mkRemovedOptionModuleCfg "capaths")
(mkRemovedOptionModuleCfg "appdefaults")
(mkRemovedOptionModuleCfg "plugins")
(mkRemovedOptionModuleCfg "config")
(mkRemovedOptionModuleCfg "extraConfig")
(mkRemovedOptionModule' "kerberos" ''
The option `krb5.kerberos' has been moved to `security.krb5.package'.
'')
];
options = {
security.krb5 = {
enable = mkOption {
default = false;
description = mdDoc "Enable and configure Kerberos utilities";
type = bool;
};
package = mkPackageOption pkgs "krb5" {
example = "heimdal";
};
settings = mkOption {
default = { };
type = format.type;
description = mdDoc ''
Structured contents of the {file}`krb5.conf` file. See
{manpage}`krb5.conf(5)` for details about configuration.
'';
example = {
include = [ "/run/secrets/secret-krb5.conf" ];
includedir = [ "/run/secrets/secret-krb5.conf.d" ];
libdefaults = {
default_realm = "ATHENA.MIT.EDU";
};
realms = {
"ATHENA.MIT.EDU" = {
admin_server = "athena.mit.edu";
kdc = [
"athena01.mit.edu"
"athena02.mit.edu"
];
};
};
domain_realm = {
"mit.edu" = "ATHENA.MIT.EDU";
};
logging = {
kdc = "SYSLOG:NOTICE";
admin_server = "SYSLOG:NOTICE";
default = "SYSLOG:NOTICE";
};
};
};
};
};
config = mkIf cfg.enable {
environment = {
systemPackages = [ cfg.package ];
etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
};
};
meta.maintainers = builtins.attrValues {
inherit (lib.maintainers) dblsaiko h7x4;
};
}

1543
hosts/bekkalokk/services/kerberos/pam.nix Normal file
View File

File diff suppressed because it is too large Load Diff

24
hosts/bekkalokk/services/keycloak.nix Normal file
View File

@@ -0,0 +1,24 @@
{ pkgs, config, values, ... }:
{
sops.secrets."keys/postgres/keycloak" = {
owner = "keycloak";
group = "keycloak";
restartUnits = [ "keycloak.service" ];
};
services.keycloak = {
enable = true;
settings = {
hostname = "auth.pvv.ntnu.no";
# hostname-strict-backchannel = true;
};
database = {
host = values.hosts.bicep.ipv4;
createLocally = false;
passwordFile = config.sops.secrets."keys/postgres/keycloak".path;
caCert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
};
};
}

257
hosts/bekkalokk/services/mediawiki/default.nix Normal file
View File

@@ -0,0 +1,257 @@
{ pkgs, lib, config, values, pkgs-unstable, ... }: let
cfg = config.services.mediawiki;
# "mediawiki"
user = config.systemd.services.mediawiki-init.serviceConfig.User;
# "mediawiki"
group = config.users.users.${user}.group;
simplesamlphp = pkgs.simplesamlphp.override {
extra_files = {
"metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
"config/authsources.php" = ./simplesaml-authsources.php;
"config/config.php" = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
cp ${./simplesaml-config.php} "$out"
substituteInPlace "$out" \
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
--replace '$SAML_ADMIN_NAME' '"Drift"' \
--replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' \
--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
'';
};
};
in {
services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
sops.secrets = {
"mediawiki/password" = {
owner = user;
group = group;
};
"mediawiki/postgres_password" = {
owner = user;
group = group;
};
"mediawiki/simplesamlphp/postgres_password" = {
owner = user;
group = group;
};
"mediawiki/simplesamlphp/cookie_salt" = {
owner = user;
group = group;
};
"mediawiki/simplesamlphp/admin_password" = {
owner = user;
group = group;
};
};
services.mediawiki = {
enable = true;
name = "Programvareverkstedet";
passwordFile = config.sops.secrets."mediawiki/password".path;
passwordSender = "drift@pvv.ntnu.no";
database = {
type = "mysql";
host = "mysql.pvv.ntnu.no";
port = 3306;
user = "mediawiki";
passwordFile = config.sops.secrets."mediawiki/postgres_password".path;
createLocally = false;
# TODO: create a normal database and copy over old data when the service is production ready
name = "mediawiki";
};
# Host through nginx
webserver = "none";
poolConfig = let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in {
inherit user group;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
# "php_admin_value[error_log]" = "stderr";
# to accept *.html file
"security.limit_extensions" = "";
};
extensions = {
inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
};
extraConfig = ''
$wgServer = "https://wiki2.pvv.ntnu.no";
$wgLocaltimezone = "Europe/Oslo";
# Only allow login through SSO
$wgEnableEmail = false;
$wgEnableUserEmail = false;
$wgEmailAuthentication = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgPluggableAuth_EnableAutoLogin = false;
# Misc. permissions
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = true;
# Misc. URL rules
$wgUsePathInfo = true;
$wgScriptExtension = ".php";
$wgNamespacesWithSubpages[NS_MAIN] = true;
# Styling
$wgLogos = array(
"2x" => "/PNG/PVV-logo.png",
"icon" => "/PNG/PVV-logo.svg",
);
# wfLoadSkin('Timeless');
$wgDefaultSkin = "vector-2022";
# from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
$wgVectorDefaultSidebarVisibleForAnonymousUser = true;
$wgVectorResponsive = true;
# Misc
$wgEmergencyContact = "${cfg.passwordSender}";
$wgShowIPinHeader = false;
$wgUseTeX = false;
$wgLocalInterwiki = $wgSitename;
# SimpleSAML
$wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
$wgPluggableAuth_Config['Log in using my SAML'] = [
'plugin' => 'SimpleSAMLphp',
'data' => [
'authSourceId' => 'default-sp',
'usernameAttribute' => 'uid',
'emailAttribute' => 'mail',
'realNameAttribute' => 'cn',
]
];
# Fix https://github.com/NixOS/nixpkgs/issues/183097
$wgDBserver = "${toString cfg.database.host}";
'';
};
# Cache directory for simplesamlphp
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
user = "mediawiki";
group = "mediawiki";
mode = "0770";
};
# Override because of https://github.com/NixOS/nixpkgs/issues/183097
systemd.services.mediawiki-init.script = let
# According to module
stateDir = "/var/lib/mediawiki";
pkg = cfg.finalPackage;
mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
inherit (lib) optionalString mkForce;
in mkForce ''
if ! test -e "${stateDir}/secret.key"; then
tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
fi
echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
--confpath /tmp \
--scriptpath / \
--dbserver "${cfg.database.host}" \
--dbport ${toString cfg.database.port} \
--dbname ${cfg.database.name} \
${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
--dbuser ${cfg.database.user} \
${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
--passfile ${cfg.passwordFile} \
--dbtype ${cfg.database.type} \
${cfg.name} \
admin
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
'';
users.groups.mediawiki.members = [ "nginx" ];
services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
locations = {
"/" = {
index = "index.php";
};
"~ /(.+\\.php)" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
'';
};
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
"^~ /simplesaml/" = {
alias = "${simplesamlphp}/share/php/simplesamlphp/public/";
index = "index.php";
extraConfig = ''
location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile;
# Must be prepended with the baseurlpath
fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
fastcgi_param PATH_INFO $pathinfo if_not_empty;
}
'';
};
"/images/".alias = "${config.services.mediawiki.uploadsDir}/";
"= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
"= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
"= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
buildInputs = with pkgs; [ imagemagick ];
} ''
convert \
-resize x64 \
-gravity center \
-crop 64x64+0+0 \
${../../../../assets/logo_blue_regular.png} \
-flatten \
-colors 256 \
-background transparent \
$out
'';
};
};
}

11
hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php Normal file
View File

@@ -0,0 +1,11 @@
<?php
$config = array(
'admin' => array(
'core:AdminPassword'
),
'default-sp' => array(
'saml:SP',
'entityID' => 'https://wiki2.pvv.ntnu.no/simplesaml/',
'idp' => 'https://idp2.pvv.ntnu.no/',
),
);

1293
hosts/bekkalokk/services/mediawiki/simplesaml-config.php Normal file
View File

File diff suppressed because it is too large Load Diff

4
hosts/bekkalokk/services/metrics/loki.nix Normal file
View File

@@ -0,0 +1,4 @@
{ ... }:
{
}

4
hosts/bekkalokk/services/metrics/prometheus.nix Normal file
View File

@@ -0,0 +1,4 @@
{ ... }:
{
}

20
hosts/jokum/services/nginx/default.nix → hosts/bekkalokk/services/nginx/default.nix
View File

@@ -1,21 +1,27 @@
{config, ... }:
{ pkgs, config, ... }:
{
imports = [
./ingress.nix
];
security.acme = {
acceptTerms = true;
defaults.email = "danio@pvv.ntnu.no";
defaults.email = "drift@pvv.ntnu.no";
};
services.nginx = {
enable = true;
defaultListenAddresses = [ "129.241.210.169" "127.0.0.1" "127.0.0.2" "[2001:700:300:1900::169]" "[::1]" ];
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts."bekkalokk.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
locations."/".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];

55
hosts/bekkalokk/services/nginx/ingress.nix Normal file
View File

@@ -0,0 +1,55 @@
{ config, lib, ... }:
{
services.nginx.virtualHosts = {
"www2.pvv.ntnu.no" = {
serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
addSSL = true;
enableACME = true;
locations = {
# Proxy home directories
"/~" = {
extraConfig = ''
proxy_redirect off;
proxy_pass https://tom.pvv.ntnu.no;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
# Redirect old wiki entries
"/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
"/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
"/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
"/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
"/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
"/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
"/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
"/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
"/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
"/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
"/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
"/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
# TODO: Redirect webmail
"/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
# Redirect everything else to the main website
"/".return = "301 https://www.pvv.ntnu.no$request_uri";
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"/.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
};
};
};
}

6
hosts/bekkalokk/services/openldap.nix Normal file
View File

@@ -0,0 +1,6 @@
{ ... }:
{
services.openldap = {
enable = true;
};
}

15
hosts/bekkalokk/services/webmail/default.nix Normal file
View File

@@ -0,0 +1,15 @@
{ config, values, pkgs, lib, ... }:
{
imports = [
./roundcube.nix
];
services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
#locations."/" = lib.mkForce { };
locations."= /" = {
return = "301 https://www.pvv.ntnu.no/mail/";
};
};
}

74
hosts/bekkalokk/services/webmail/roundcube.nix Normal file
View File

@@ -0,0 +1,74 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.roundcube;
domain = "webmail2.pvv.ntnu.no";
in
{
services.roundcube = {
enable = true;
package = pkgs.roundcube.withPlugins (plugins: with plugins; [
persistent_login
thunderbird_labels
contextmenu
custom_from
]);
dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
maxAttachmentSize = 20;
hostName = "roundcubeplaceholder.example.com";
extraConfig = ''
$config['enable_installer'] = false;
$config['default_host'] = "ssl://imap.pvv.ntnu.no";
$config['default_port'] = 993;
$config['smtp_server'] = "ssl://smtp.pvv.ntnu.no";
$config['smtp_port'] = 465;
$config['mail_domain'] = "pvv.ntnu.no";
$config['smtp_user'] = "%u";
$config['support_url'] = "";
'';
};
services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
services.nginx.virtualHosts.${domain} = {
locations."/roundcube" = {
tryFiles = "$uri $uri/ =404";
index = "index.php";
root = pkgs.runCommandLocal "roundcube-dir" { } ''
mkdir -p $out
ln -s ${cfg.package} $out/roundcube
'';
extraConfig = ''
location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
# https://wiki.archlinux.org/title/Roundcube
"README"
"INSTALL"
"LICENSE"
"CHANGELOG"
"UPGRADING"
"bin"
"SQL"
".+\\.md"
"\\."
"config"
"temp"
"logs"
]})/? {
deny all;
}
location ~ ^/roundcube/(.+\.php)(/?.*)$ {
fastcgi_split_path_info ^/roundcube(/.+\.php)(/.+)$;
include ${config.services.nginx.package}/conf/fastcgi_params;
include ${config.services.nginx.package}/conf/fastcgi.conf;
fastcgi_index index.php;
fastcgi_pass unix:${config.services.phpfpm.pools.roundcube.socket};
}
'';
};
};
}

4
hosts/bekkalokk/services/website.nix Normal file
View File

@@ -0,0 +1,4 @@
{ ... }:
{
}

24
hosts/bicep/acmeCert.nix Normal file
View File

@@ -0,0 +1,24 @@
{ values, ... }:
{
users.groups.acme.members = [ "nginx" ];
security.acme.certs."postgres.pvv.ntnu.no" = {
group = "acme";
extraDomainNames = [
# "postgres.pvv.org"
"bicep.pvv.ntnu.no"
# "bicep.pvv.org"
# values.hosts.bicep.ipv4
# values.hosts.bicep.ipv6
];
};
services.nginx = {
enable = true;
virtualHosts."postgres.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
# useACMEHost = "postgres.pvv.ntnu.no";
};
};
}

43
hosts/bicep/configuration.nix Normal file
View File

@@ -0,0 +1,43 @@
{ pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./services/nginx
./acmeCert.nix
./services/mysql.nix
./services/postgres.nix
./services/mysql.nix
# TODO: fix the calendar bot
# ./services/calendar-bot.nix
./services/matrix
];
sops.defaultSopsFile = ../../secrets/bicep/bicep.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/disk/by-id/scsi-3600508b1001cb1a8751c137b30610682";
networking.hostName = "bicep";
systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp6s0f0";
address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
};
systemd.network.wait-online = {
anyInterface = true;
};
# Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11";
}

40
hosts/bicep/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "hpsa" "ohci_pci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/31a67903-dc00-448a-a24a-36e820318fe5";
fsType = "ext4";
};
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/79e93eed-ad95-45c9-b115-4ef92afcc8c0";
fsType = "f2fs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f2.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

25
hosts/bicep/services/calendar-bot.nix Normal file
View File

@@ -0,0 +1,25 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.pvv-calendar-bot;
in {
sops.secrets."calendar-bot/matrix_token" = {
sopsFile = ../../../secrets/bicep/bicep.yaml;
key = "calendar-bot/matrix_token";
owner = cfg.user;
group = cfg.group;
};
services.pvv-calendar-bot = {
enable = true;
settings = {
matrix = {
homeserver = "https://matrix.pvv.ntnu.no";
user = "@bot_calendar:pvv.ntnu.no";
channel = "!gkNLUIhYVpEyLatcRz:pvv.ntnu.no";
};
secretsFile = config.sops.secrets."calendar-bot/matrix_token".path;
onCalendar = "*-*-* 09:00:00";
};
};
}

6
hosts/jokum/services/matrix/coturn.nix → hosts/bicep/services/matrix/coturn.nix
View File

@@ -2,10 +2,14 @@
{
sops.secrets."matrix/synapse/turnconfig" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "synapse/turnconfig";
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
};
sops.secrets."matrix/coturn/static-auth-secret" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "coturn/static-auth-secret";
owner = config.users.users.turnserver.name;
group = config.users.users.turnserver.group;
};
@@ -114,7 +118,7 @@
};
networking.firewall = {
interfaces.ens18 = let
interfaces.enp6s0f0 = let
range = with config.services.coturn; [ {
from = min-port;
to = max-port;

1
hosts/jokum/services/matrix/default.nix → hosts/bicep/services/matrix/default.nix
View File

@@ -7,6 +7,7 @@
./synapse-admin.nix
./element.nix
./coturn.nix
./mjolnir.nix
./discord.nix
];

7
hosts/jokum/services/matrix/discord.nix → hosts/bicep/services/matrix/discord.nix
View File

@@ -7,6 +7,8 @@ in
users.groups.keys-matrix-registrations = { };
sops.secrets."matrix/registrations/mx-puppet-discord" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "registrations/mx-puppet-discord";
owner = config.users.users.matrix-synapse.name;
group = config.users.groups.keys-matrix-registrations.name;
};
@@ -30,6 +32,9 @@ in
services.mx-puppet-discord.serviceDependencies = [ "matrix-synapse.target" "nginx.service" ];
services.matrix-synapse-next.settings.app_service_config_files = [ config.sops.secrets."matrix/registrations/mx-puppet-discord".path ];
services.matrix-synapse-next.settings = {
app_service_config_files = [ config.sops.secrets."matrix/registrations/mx-puppet-discord".path ];
use_appservice_legacy_authorization = true;
};
}

33
hosts/jokum/services/matrix/element.nix → hosts/bicep/services/matrix/element.nix
View File

@@ -1,6 +1,7 @@
{ config, lib, pkgs, ... }:
{
let
synapse-cfg = config.services.matrix-synapse-next;
in {
services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
@@ -23,25 +24,31 @@
features = {
feature_latex_maths = true;
feature_pinning = true;
feature_render_reaction_images = true;
feature_state_counters = true;
feature_custom_status = false;
# element call group calls
feature_group_calls = true;
};
default_theme = "dark";
# Servers in this list should provide some sort of valuable scoping
# matrix.org is not useful compared to matrixrooms.info,
# because it has so many general members, rooms of all topics are on it.
# Something matrixrooms.info is already providing.
room_directory.servers = [
"pvv.ntnu.no"
"matrix.omegav.no"
"matrix.org"
"libera.chat"
"gitter.im"
"mozilla.org"
"kde.org"
"t2bot.io"
"fosdem.org"
"dodsorf.as"
"matrixrooms.info" # Searches all public room directories
"matrix.omegav.no" # Friends
"gitter.im" # gitter rooms
"mozilla.org" # mozilla and friends
"kde.org" # KDE rooms
"fosdem.org" # FOSDEM
"dodsorf.as" # PVV Member
"nani.wtf" # PVV Member
];
enable_presence_by_hs_url = {
"https://matrix.org" = false;
"https://matrix.dodsorf.as" = false;
# "https://matrix.dodsorf.as" = false;
"${synapse-cfg.settings.public_baseurl}" = synapse-cfg.settings.presence.enabled;
};
};
};

56
hosts/bicep/services/matrix/mjolnir.nix Normal file
View File

@@ -0,0 +1,56 @@
{ config, lib, ... }:
{
sops.secrets."matrix/mjolnir/access_token" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "mjolnir/access_token";
owner = config.users.users.mjolnir.name;
group = config.users.users.mjolnir.group;
};
services.mjolnir = {
enable = true;
pantalaimon.enable = false;
homeserverUrl = http://127.0.0.1:8008;
accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
protectedRooms = map (a: "https://matrix.to/#/${a}") [
"#pvv:pvv.ntnu.no"
"#stand:pvv.ntnu.no"
"#music:pvv.ntnu.no"
"#arts-and-crafts:pvv.ntnu.no"
"#programming:pvv.ntnu.no"
"#talks-and-texts:pvv.ntnu.no"
"#job-offers:pvv.ntnu.no"
"#vaffling:pvv.ntnu.no"
"#pvv-fadder:pvv.ntnu.no"
"#offsite:pvv.ntnu.no"
"#help:pvv.ntnu.no"
"#garniske-algoritmer:pvv.ntnu.no"
"#bouldering:pvv.ntnu.no"
"#filmclub:pvv.ntnu.no"
"#video-games:pvv.ntnu.no"
"#board-games:pvv.ntnu.no"
"#tabletop-rpgs:pvv.ntnu.no"
"#anime:pvv.ntnu.no"
"#general:pvv.ntnu.no"
"#announcements:pvv.ntnu.no"
"#memes:pvv.ntnu.no"
"#drift:pvv.ntnu.no"
"#notifikasjoner:pvv.ntnu.no"
"#forespoersler:pvv.ntnu.no"
"#krisekanalen:pvv.ntnu.no"
"#styret:pvv.ntnu.no"
];
settings = {
admin.enableMakeRoomAdminCommand = true;
};
# Module wants it even when not using pantalaimon
# TODO: Fix upstream module in nixpkgs
pantalaimon.username = "bot_admin";
};
}

17
hosts/bicep/services/matrix/smtp-authenticator/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{ lib, buildPythonPackage, fetchFromGitHub }:
buildPythonPackage rec {
pname = "matrix-synapse-smtp-auth";
version = "0.1.0";
src = ./.;
doCheck = false;
meta = with lib; {
description = "An SMTP auth provider for Synapse";
homepage = "pvv.ntnu.no";
license = licenses.agpl3Only;
maintainers = with maintainers; [ dandellion ];
};
}

11
hosts/bicep/services/matrix/smtp-authenticator/setup.py Normal file
View File

@@ -0,0 +1,11 @@
from setuptools import setup
setup(
name="matrix-synapse-smtp-auth",
version="0.1.0",
py_modules=['smtp_auth_provider'],
author="Daniel Løvbrøtte Olsen",
author_email="danio@pvv.ntnu.no",
description="An SMTP auth provider for Synapse",
license="AGPL-3.0-only"
)

50
hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py Normal file
View File

@@ -0,0 +1,50 @@
from typing import Awaitable, Callable, Optional, Tuple
from smtplib import SMTP_SSL as SMTP
import synapse
from synapse import module_api
import re
class SMTPAuthProvider:
def __init__(self, config: dict, api: module_api):
self.api = api
self.config = config
api.register_password_auth_provider_callbacks(
auth_checkers={
("m.login.password", ("password",)): self.check_pass,
},
)
async def check_pass(
self,
username: str,
login_type: str,
login_dict: "synapse.module_api.JsonDict",
):
if login_type != "m.login.password":
return None
# Convert `@username:server` to `username`
match = re.match(r'^@([\da-z\-\.=_\/\+]+):[\w\d\.:\[\]]+$', username)
username = match.group(1) if match else username
result = False
with SMTP(self.config["smtp_host"]) as smtp:
password = login_dict.get("password")
try:
smtp.login(username, password)
result = True
except:
return None
if result == True:
userid = self.api.get_qualified_user_id(username)
if not self.api.check_user_exists(userid):
self.api.register_user(username)
return (userid, None)
else:
return None

0
hosts/jokum/services/matrix/synapse-admin.nix → hosts/bicep/services/matrix/synapse-admin.nix
View File

121
hosts/jokum/services/matrix/synapse.nix → hosts/bicep/services/matrix/synapse.nix
View File

@@ -1,38 +1,51 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, values, inputs, ... }:
let
cfg = config.services.matrix-synapse-next;
matrix-lib = inputs.matrix-next.lib;
imap0Attrs = with lib; f: set:
listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
in {
sops.secrets."matrix/synapse/dbconfig" = {
sops.secrets."matrix/synapse/signing_key" = {
key = "synapse/signing_key";
sopsFile = ../../../../secrets/bicep/matrix.yaml;
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
};
sops.secrets."matrix/synapse/signing_key" = {
sops.secrets."matrix/synapse/user_registration" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "synapse/signing_key";
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
};
sops.secrets."matrix/sliding-sync/env" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "sliding-sync/env";
};
services.matrix-synapse-next = {
enable = true;
plugins = [
(pkgs.python3Packages.callPackage ./smtp-authenticator { })
];
dataDir = "/data/synapse";
workers.federationSenders = 2;
workers.federationReceivers = 1;
workers.federationReceivers = 2;
workers.initialSyncers = 1;
workers.normalSyncers = 1;
workers.eventPersisters = 1;
workers.eventPersisters = 2;
workers.useUserDirectoryWorker = true;
enableNginx = true;
enableSlidingSync = true;
extraConfigFiles = [
config.sops.secrets."matrix/synapse/dbconfig".path
];
enableNginx = true;
settings = {
server_name = "pvv.ntnu.no";
@@ -42,6 +55,26 @@ in {
media_store_path = "${cfg.dataDir}/media";
database = {
name = "psycopg2";
args = {
host = "/var/run/postgresql";
dbname = "synapse";
user = "matrix-synapse";
cp_min = 1;
cp_max = 5;
};
};
presence.enabled = false;
event_cache_size = "20K"; # Default is 10K but I can't find the factor for this cache
caches = {
per_cache_factors = {
_event_auth_cache = 2.0;
};
};
autocreate_auto_join_rooms = false;
auto_join_rooms = [
"#pvv:pvv.ntnu.no" # Main space
@@ -54,10 +87,20 @@ in {
max_upload_size = "150M";
enable_metrics = true;
mau_stats_only = true;
enable_registration = false;
registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;
password_config.enabled = lib.mkForce false;
password_config.enabled = true;
modules = [
{ module = "smtp_auth_provider.SMTPAuthProvider";
config = {
smtp_host = "smtp.pvv.ntnu.no";
};
}
];
trusted_key_servers = [
{ server_name = "matrix.org"; }
@@ -168,41 +211,57 @@ in {
};
};
services.matrix-synapse.sliding-sync.environmentFile = config.sops.secrets."matrix/sliding-sync/env".path;
services.redis.servers."".enable = true;
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [({
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
({
locations."/.well-known/matrix/server" = {
return = ''
200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
'';
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
};
})
({
locations = let
isListenerType = type: listener: lib.lists.any (r: lib.lists.any (n: n == type) r.names) listener.resources;
isMetricsListener = l: isListenerType "metrics" l;
firstMetricsListener = w: lib.lists.findFirst isMetricsListener (throw "No metrics endpoint on worker") w.settings.worker_listeners;
wAddress = w: lib.lists.findFirst (_: true) (throw "No address in receiver") (firstMetricsListener w).bind_addresses;
wPort = w: (firstMetricsListener w).port;
socketAddress = w: "${wAddress w}:${toString (wPort w)}";
connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";
metricsPath = w: "/metrics/${w.type}/${toString w.index}";
proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
in lib.mapAttrs' (n: v: lib.nameValuePair (metricsPath v) ({ proxyPass = proxyPath v; }))
in lib.mapAttrs' (n: v: lib.nameValuePair
(metricsPath v) ({
proxyPass = proxyPath v;
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
}))
cfg.workers.instances;
})
({
locations."/metrics/master/1" = {
proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
};
locations."/metrics/" = let
endpoints = builtins.map (x: "matrix.pvv.ntnu.no/metrics/${x}") [
"master/1"
"fed-sender/1"
"fed-sender/2"
"fed-receiver/1"
"initial-sync/1"
"normal-sync/1"
"event-persist/1"
"user-dir/1"
];
endpoints = lib.pipe cfg.workers.instances [
(lib.mapAttrsToList (_: v: v))
(map (w: "${w.type}/${toString w.index}"))
(map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
in {
alias = pkgs.writeTextDir "/config.json"
(builtins.toJSON [

53
hosts/bicep/services/mysql.nix Normal file
View File

@@ -0,0 +1,53 @@
{ pkgs, lib, config, values, ... }:
{
sops.secrets."mysql/password" = {
owner = "mysql";
group = "mysql";
};
users.mysql.passwordFile = config.sops.secrets."mysql/password".path;
services.mysql = {
enable = true;
dataDir = "/data/mysql";
package = pkgs.mariadb;
settings = {
mysqld = {
# PVV allows a lot of connections at the same time
max_connect_errors = 10000;
bind-address = values.services.mysql.ipv4;
skip-networking = 0;
# This was needed in order to be able to use all of the old users
# during migration from knakelibrak to bicep in Sep. 2023
secure_auth = 0;
};
};
# Note: This user also has MAX_USER_CONNECTIONS set to 3, and
# a password which can be found in /secrets/ildkule/ildkule.yaml
# We have also changed both the host and auth plugin of this user
# to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
ensureUsers = [{
name = "prometheus_mysqld_exporter";
ensurePermissions = {
"*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
};
}];
};
services.mysqlBackup = {
enable = true;
location = "/var/lib/mysql/backups";
};
networking.firewall.allowedTCPPorts = [ 3306 ];
systemd.services.mysql.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
values.ipv4-space
values.ipv6-space
];
};
}

45
hosts/bicep/services/nginx/default.nix Normal file
View File

@@ -0,0 +1,45 @@
{ config, values, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "danio@pvv.ntnu.no";
};
services.nginx = {
enable = true;
enableReload = true;
defaultListenAddresses = [
values.hosts.bicep.ipv4
"[${values.hosts.bicep.ipv6}]"
"127.0.0.1"
"127.0.0.2"
"[::1]"
];
appendConfig = ''
pcre_jit on;
worker_processes 8;
worker_rlimit_nofile 8192;
'';
eventsConfig = ''
multi_accept on;
worker_connections 4096;
'';
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedBrotliSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
systemd.services.nginx.serviceConfig = {
LimitNOFILE = 65536;
};
}

97
hosts/bicep/services/postgres.nix Normal file
View File

@@ -0,0 +1,97 @@
{ config, pkgs, ... }:
let
sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
in
{
services.postgresql = {
enable = true;
package = pkgs.postgresql_15;
enableTCPIP = true;
dataDir = "/data/postgresql";
authentication = ''
host all all 129.241.210.128/25 md5
host all all 2001:700:300:1900::/64 md5
'';
# Hilsen https://pgconfigurator.cybertec-postgresql.com/
settings = {
# Connectivity
max_connections = 500;
superuser_reserved_connections = 3;
# Memory Settings
shared_buffers = "8192 MB";
work_mem = "32 MB";
maintenance_work_mem = "420 MB";
effective_cache_size = "22 GB";
effective_io_concurrency = 100;
random_page_cost = 1.25;
# Monitoring
shared_preload_libraries = "pg_stat_statements";
track_io_timing = true;
track_functions = "pl";
# Replication
wal_level = "replica";
max_wal_senders = 0;
synchronous_commit = false;
# Checkpointing:
checkpoint_timeout = "15 min";
checkpoint_completion_target = 0.9;
max_wal_size = "1024 MB";
min_wal_size = "512 MB";
# WAL writing
wal_compression = true;
wal_buffers = -1;
# Background writer
bgwriter_delay = "200ms";
bgwriter_lru_maxpages = 100;
bgwriter_lru_multiplier = 2.0;
bgwriter_flush_after = 0;
# Parallel queries:
max_worker_processes = 8;
max_parallel_workers_per_gather = 4;
max_parallel_maintenance_workers = 4;
max_parallel_workers = 8;
parallel_leader_participation = true;
# Advanced features
enable_partitionwise_join = true;
enable_partitionwise_aggregate = true;
max_slot_wal_keep_size = "1000 MB";
track_wal_io_timing = true;
maintenance_io_concurrency = 100;
wal_recycle = true;
# SSL
ssl = true;
ssl_cert_file = "/run/credentials/postgresql.service/cert";
ssl_key_file = "/run/credentials/postgresql.service/key";
};
};
systemd.services.postgresql.serviceConfig = {
LoadCredential = [
"cert:${sslCert.directory}/cert.pem"
"key:${sslCert.directory}/key.pem"
];
};
users.groups.acme.members = [ "postgres" ];
networking.firewall.allowedTCPPorts = [ 5432 ];
networking.firewall.allowedUDPPorts = [ 5432 ];
services.postgresqlBackup = {
enable = true;
location = "/var/lib/postgres/backups";
backupAll = true;
};
}

44
hosts/bikkje/configuration.nix Normal file
View File

@@ -0,0 +1,44 @@
{ config, pkgs, values, ... }:
{
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "ens3";
# Lazy IPv6 connectivity for the container
enableIPv6 = true;
};
containers.bikkje = {
autoStart = true;
config = { config, pkgs, ... }: {
#import packages
packages = with pkgs; [
alpine
mutt
mutt-ics
mutt-wizard
weechat
weechatScripts.edit
hexchat
irssi
pidgin
];
networking = {
firewall = {
enable = true;
# Allow SSH and HTTP and ports for email and irc
allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = mkForce false;
};
system.stateVersion = "23.11";
services.resolved.enable = true;
};
};
};

46
hosts/bob/configuration.nix Normal file
View File

@@ -0,0 +1,46 @@
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./disks.nix
../../misc/builder.nix
];
sops.defaultSopsFile = ../../secrets/bob/bob.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
};
networking.hostName = "bob"; # Define your hostname.
systemd.network.networks."30-all" = values.defaultNetworkConfig // {
matchConfig.Name = "en*";
DHCP = "yes";
gateway = [ ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

39
hosts/bob/disks.nix Normal file
View File

@@ -0,0 +1,39 @@
# Example to create a bios compatible gpt partition
{ lib, ... }:
{
disko.devices = {
disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
}

24
hosts/bob/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,24 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

36
hosts/brzeczyszczykiewicz/configuration.nix Normal file
View File

@@ -0,0 +1,36 @@
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./services/grzegorz.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "brzeczyszczykiewicz";
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
matchConfig.Name = "eno1";
address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

39
hosts/brzeczyszczykiewicz/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,39 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/82E3-3D03";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

11
hosts/brzeczyszczykiewicz/services/grzegorz.nix Normal file
View File

@@ -0,0 +1,11 @@
{ config, ... }:
{
imports = [ ../../../modules/grzegorz.nix ];
services.nginx.virtualHosts."${config.networking.fqdn}" = {
serverAliases = [
"bokhylle.pvv.ntnu.no"
"bokhylle.pvv.org"
];
};
}

36
hosts/buskerud/configuration.nix Normal file
View File

@@ -0,0 +1,36 @@
{ config, pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
];
# buskerud does not support efi?
# boot.loader.systemd-boot.enable = true;
# boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sdb";
networking.hostName = "buskerud";
networking.search = [ "pvv.ntnu.no" "pvv.org" ];
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
networking.tempAddresses = "disabled";
systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp3s0f0";
address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

37
hosts/buskerud/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,37 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/ed9654fe-575a-4fb3-b6ff-1b059479acff";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp14s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp14s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

36
hosts/georg/configuration.nix Normal file
View File

@@ -0,0 +1,36 @@
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
../../modules/grzegorz.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "georg";
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
matchConfig.Name = "eno1";
address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

40
hosts/georg/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/145E-7362";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

66
hosts/greddost/configuration.nix
View File

@@ -1,66 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
../../hardware-configuration.nix
../../base.nix
../../services/minecraft
];
nixpkgs.config.packageOverrides = pkgs: {
unstable = (import <nixos-unstable>) { };
};
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
# boot.loader.grub.efiSupport = true;
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
networking.hostName = "greddost"; # Define your hostname.
networking.interfaces.ens18.useDHCP = false;
networking.defaultGateway = "129.241.210.129";
networking.interfaces.ens18.ipv4 = {
addresses = [
{
address = "129.241.210.174";
prefixLength = 25;
}
];
};
networking.interfaces.ens18.ipv6 = {
addresses = [
{
address = "2001:700:300:1900::174";
prefixLength = 64;
}
];
};
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 25565 ];
networking.firewall.allowedUDPPorts = [ 25565 ];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}

158
hosts/greddost/services/minecraft/default.nix
View File

@@ -1,158 +0,0 @@
{config, lib, pkgs, ... }:
{
imports = [ ./minecraft-server-fabric.nix ];
environment.systemPackages = with pkgs; [
mcron
];
pvv.minecraft-server-fabric = {
enable = true;
eula = true;
package = pkgs.callPackage ../../pkgs/minecraft-server-fabric { minecraft-server = (pkgs.callPackage ../../pkgs/minecraft-server/1_18_1.nix { }); };
jvmOpts = "-Xms10G -Xmx10G -XX:+UnlockExperimentalVMOptions -XX:+UseZGC -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:+ParallelRefProcEnabled";
serverProperties = {
view-distance = 12;
simulation-distance = 12;
enable-command-block = true;
gamemode = "survival";
difficulty = "normal";
white-list = true;
enable-rcon = true;
"rcon.password" = "pvv";
};
dataDir = "/fast/minecraft-pvv";
mods = [
(pkgs.fetchurl { # Fabric API is a common dependency for fabric based mods
url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/0.44.0+1.18/fabric-api-0.44.0+1.18.jar";
sha256 = "0mlmj7mj073a48s8zgc1km0jwkphz01c1fvivn4mw37lbm2p4834";
})
(pkgs.fetchurl { # Lithium is a 100% vanilla compatible optimization mod
url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/mc1.18.1-0.7.6/lithium-fabric-mc1.18.1-0.7.6.jar";
sha256 = "1fw1ikg578v4i6bmry7810a3q53h8yspxa3awdz7d746g91g8lf7";
})
(pkgs.fetchurl { # Starlight is the lighting engine of papermc
url = "https://cdn.modrinth.com/data/H8CaAYZC/versions/Starlight%201.0.0%201.18.x/starlight-1.0.0+fabric.d0a3220.jar";
sha256 = "0bv9im45hhc8n6x57lakh2rms0g5qb7qfx8qpx8n6mbrjjz6gla1";
})
(pkgs.fetchurl { # Krypton is a linux optimized optimizer for minecrafts networking system
url = "https://cdn.modrinth.com/data/fQEb0iXm/versions/0.1.6/krypton-0.1.6.jar";
sha256 = "1ribvbww4msrfdnzlxipk8kpzz7fnwnd4q6ln6mpjlhihcjb3hni";
})
(pkgs.fetchurl { # C2ME is a parallelizer for chunk loading and generation, experimental!!!
url = "https://cdn.modrinth.com/data/VSNURh3q/versions/0.2.0+alpha.5.104%201.18.1/c2me-fabric-mc1.18.1-0.2.0+alpha.5.104-all.jar";
sha256 = "13zrpsg61fynqnnlm7dvy3ihxk8khlcqsif68ak14z7kgm4py6nw";
})
(pkgs.fetchurl { # Spark is a profiler for minecraft
url = "https://ci.lucko.me/job/spark/251/artifact/spark-fabric/build/libs/spark-fabric.jar";
sha256 = "1clvi5v7a14ba23jbka9baz99h6wcfjbadc8kkj712fmy2h0sx07";
})
#(pkgs.fetchurl { # Carpetmod gives you tps views in the tab menu,
# # but also adds a lot of optional serverside vanilla+ features (which we arent using).
# # So probably want something else
# url = "https://github.com/gnembon/fabric-carpet/releases/download/1.4.56/fabric-carpet-1.18-1.4.56+v211130.jar";
# sha256 = "0rvl2yb8xymla8c052j07gqkqfkz4h5pxf6aip2v9v0h8r84p9hf";
#})
];
whitelist = {
gunalx = "913a21ae-3a11-4178-a192-401490ca0891";
eirikwitt = "1689e626-1cc8-4b91-81c4-0632fd34eb19";
Rockj = "202c0c91-a4e0-4b45-8c1b-fc51a8956c0a";
paddishar = "326845aa-4b45-4cd9-8108-7816e10a9828";
nordyorn = "f253cddf-a520-42ab-85d3-713992746e42";
hell04 = "c681df2a-6a30-4c66-b70d-742eb68bbc04";
steinarh = "bd8c419e-e6dc-4fc5-ac62-b92f98c1abc9";
EastTown2000 = "f273ed2e-d3ba-43fc-aff4-3e800cdf25e1";
DirDanner = "5b5476a2-1138-476b-9ff1-1f39f834a428";
asgeirbj = "dbd5d89f-3d8a-4662-ad15-6c4802d0098f";
Linke03 = "0dbc661d-898a-47ff-a371-32b7bd76b78b";
somaen = "cc0bdd13-4304-4160-80e7-8f043446fa83";
einaman = "39f45df3-423d-4274-9ef9-c9b7575e3804";
liseu = "c8f4d9d8-3140-4c35-9f66-22bc351bb7e6";
torsteno = "ae1e7b15-a0de-4244-9f73-25b68427e34a";
simtind = "39c03c95-d628-4ccc-843d-ce1332462d9e";
aellaie = "c585605d-24bb-4d75-ba9c-0064f6a39328";
PerKjelsvik = "5df69f17-27c9-4426-bcae-88b435dfae73";
CelestialCry = "9e34d192-364e-4566-883a-afc868c4224d";
terjesc = "993d70e8-6f9b-4094-813c-050d1a90be62";
maxelost = "bf465915-871a-4e3e-a80c-061117b86b23";
"4ce1" = "8a9b4926-0de8-43f0-bcde-df1442dee1d0";
exponential = "1ebcca9d-0964-48f3-9154-126a9a7e64f6";
Dodsorbot = "3baa9d58-32e4-465e-80bc-9dcb34e23e1d";
HFANTOM = "cd74d407-7fb0-4454-b3f4-c0b4341fde18";
Ghostmaker = "96465eee-e665-49ab-9346-f12d5a040624";
soonhalle = "61a8e674-7c7a-4120-80d1-4453a5993350";
MasterMocca = "481e6dac-9a17-4212-9664-645c3abe232f";
soulprayfree = "cfb1fb23-5115-4fe2-9af9-00a02aea9bf8";
calibwam = "0d5d5209-bb7c-4006-9451-fb85d7d52618";
Skuggen = "f0ccee0b-741a-413a-b8e6-d04552b9d78a";
Sivertsen3 = "cefac1a6-52a7-4781-be80-e7520f758554";
vafflonaut = "4d864d5c-74e2-4f29-b57d-50dea76aaabd";
Dhila = "c71d6c23-14d7-4daf-ae59-cbf0caf45681";
remorino = "2972ab22-96b3-462d-ab4d-9b6b1775b9bb";
SamuelxJackson = "f140e4aa-0a19-48ab-b892-79b24bd82c1e";
ToanBuiDuc = "a3c54742-4caf-4334-8bbb-6402a8eb4268";
Joces123 = "ecbcfbf9-9bcc-49f0-9435-f2ac2b3217c1";
brunsviken = "75ff5f0e-8adf-4807-a7f0-4cb66f81cb7f";
oscarsb1 = "9460015a-65cc-4a2f-9f91-b940b6ce7996";
CVi = "6f5691ce-9f9c-4310-84aa-759d2f9e138e";
Tawos = "0b98e55c-10cf-4b23-85d3-d15407431ace";
evenhunn = "8751581b-cc5f-4f8b-ae1e-34d90127e074";
q41 = "a080e5b4-10ee-4d6f-957e-aa5053bb1046";
jesper001 = "fbdf3ceb-eaa9-4aeb-94c2-a587cde41774";
finninde = "f58afd00-28cd-48dd-a74a-6c1d76b57f66";
GameGuru999 = "535f2188-a4a4-4e54-bec6-74977bee09ab";
MinusOneKelvin = "b6b973bf-1e35-4a58-803b-a555fd90a172";
SuperRagna = "e2c32136-e510-41b1-84c0-41baeccfb0b9";
Zamazaki = "d4411eca-401a-4565-9451-5ced6f48f23f";
supertheodor = "610c4e86-0ecc-4e7a-bffc-35a2e7d90aa6";
Minelost = "22ae2a1f-cfd9-4f10-9e41-e7becd34aba8";
Bjand = "aed136b6-17f7-4ce1-8a7b-a09eb1694ccf";
Dandellion = "f393413b-59fc-49d7-a5c4-83a5d177132c";
Shogori = "f9d571bd-5754-46e8-aef8-e89b38a6be9b";
Caragath = "f8d34f3a-55c3-4adc-b8d8-73a277f979e8";
Shmaapqueen = "425f2eef-1a9d-4626-9ba3-cd58156943dc";
Liquidlif3 = "420482b3-885f-4951-ba1e-30c22438a7e0";
newtonseple = "7d8bf9ca-0499-4cb7-9d6a-daabf80482b6";
nainis = "2eaf3736-decc-4e11-9a44-af2df0ee7c81";
Devolan = "87016228-76b2-434f-a963-33b005ae9e42";
zSkyler = "c92169e4-ca14-4bd5-9ea2-410fe956abe2";
Cryovat = "7127d743-873e-464b-927a-d23b9ad5b74a";
cybrhuman = "14a67926-cff0-4542-a111-7f557d10cc67";
stinl = "3a08be01-1e74-4d68-88d1-07d0eb23356f";
Mirithing = "7b327f51-4f1b-4606-88c7-378eff1b92b1";
"_dextra" = "4b7b4ee7-eb5b-48fd-88c3-1cc68f06acda";
Soraryuu = "0d5ffe48-e64f-4d6d-9432-f374ea8ec10c";
klarken1 = "d6967cb8-2bc6-4db7-a093-f0770cce47df";
};
};
networking.firewall.allowedTCPPorts = [ 25565 ];
networking.firewall.allowedUDPPorts = [ 25565 ];
systemd.services."minecraft-backup" = {
serviceConfig.Type = "oneshot";
script = ''
${pkgs.mcrcon}/bin/mcrcon -p pvv "say Starting Backup" "save-off" "save-all"
${pkgs.rsync}/bin/rsync -aiz --delete ${config.pvv.minecraft-server-fabric.dataDir}/world /fast/backup # Where to put backup
${pkgs.mcrcon}/bin/mcrcon -p pvv "save-all" "say Completed Backup" "save-on" "save-all"
'';
};
systemd.timers."minecraft-backup" = {
wantedBy = ["timers.target"];
timerConfig.OnCalendar = [ "hourly" ];
};
}

180
hosts/greddost/services/minecraft/minecraft-server-fabric.nix
View File

@@ -1,180 +0,0 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.pvv.minecraft-server-fabric;
# We don't allow eula=false anyways
eulaFile = builtins.toFile "eula.txt" ''
# eula.txt managed by NixOS Configuration
eula=true
'';
whitelistFile = pkgs.writeText "whitelist.json"
(builtins.toJSON
(mapAttrsToList (n: v: { name = n; uuid = v; }) cfg.whitelist));
cfgToString = v: if builtins.isBool v then boolToString v else toString v;
serverPropertiesFile = pkgs.writeText "server.properties" (''
# server.properties managed by NixOS configuration
'' + concatStringsSep "\n" (mapAttrsToList
(n: v: "${n}=${cfgToString v}") cfg.serverProperties));
defaultServerPort = 25565;
serverPort = cfg.serverProperties.server-port or defaultServerPort;
rconPort = if cfg.serverProperties.enable-rcon or false
then cfg.serverProperties."rcon.port" or 25575
else null;
queryPort = if cfg.serverProperties.enable-query or false
then cfg.serverProperties."query.port" or 25565
else null;
in
{
options.pvv.minecraft-server-fabric = {
enable = mkEnableOption "minecraft-server-fabric";
package = mkOption {
type = types.package;
};
eula = mkOption {
type = types.bool;
default = false;
description = ''
Whether you agree to
<link xlink:href="https://account.mojang.com/documents/minecraft_eula">
Mojangs EULA</link>. This option must be set to
<literal>true</literal> to run Minecraft server.
'';
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/minecraft-fabric";
description = ''
Directory to store Minecraft database and other state/data files.
'';
};
whitelist = mkOption {
type = let
minecraftUUID = types.strMatching
"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" // {
description = "Minecraft UUID";
};
in types.attrsOf minecraftUUID;
default = {};
description = ''
Whitelisted players, only has an effect when
<option>services.minecraft-server.declarative</option> is
<literal>true</literal> and the whitelist is enabled
via <option>services.minecraft-server.serverProperties</option> by
setting <literal>white-list</literal> to <literal>true</literal>.
This is a mapping from Minecraft usernames to UUIDs.
You can use <link xlink:href="https://mcuuid.net/"/> to get a
Minecraft UUID for a username.
'';
example = literalExpression ''
{
username1 = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
username2 = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy";
};
'';
};
serverProperties = mkOption {
type = with types; attrsOf (oneOf [ bool int str ]);
default = {};
example = literalExpression ''
{
server-port = 43000;
difficulty = 3;
gamemode = 1;
max-players = 5;
motd = "NixOS Minecraft server!";
white-list = true;
enable-rcon = true;
"rcon.password" = "hunter2";
}
'';
description = ''
Minecraft server properties for the server.properties file. Only has
an effect when <option>services.minecraft-server.declarative</option>
is set to <literal>true</literal>. See
<link xlink:href="https://minecraft.gamepedia.com/Server.properties#Java_Edition_3"/>
for documentation on these values.
'';
};
jvmOpts = mkOption {
type = types.separatedString " ";
default = "-Xmx2048M -Xms2048M";
# Example options from https://minecraft.gamepedia.com/Tutorials/Server_startup_script
example = "-Xmx2048M -Xms4092M -XX:+UseG1GC -XX:+CMSIncrementalPacing "
+ "-XX:+CMSClassUnloadingEnabled -XX:ParallelGCThreads=2 "
+ "-XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
description = "JVM options for the Minecraft server.";
};
mods = mkOption {
type = types.listOf types.package;
example = literalExpression ''
[
(pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/0.44.0+1.18/fabric-api-0.44.0+1.18.jar";
sha256 = "0mlmj7mj073a48s8zgc1km0jwkphz01c1fvivn4mw37lbm2p4834";
})
];
'';
description = "List of mods to put in the mods folder";
};
};
config = mkIf cfg.enable {
users.users.minecraft = {
description = "Minecraft server service user";
home = cfg.dataDir;
createHome = true;
isSystemUser = true;
group = "minecraft";
};
users.groups.minecraft = {};
systemd.services.minecraft-server-fabric = {
description = "Minecraft Server Service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${cfg.package}/bin/minecraft-server ${cfg.jvmOpts}";
Restart = "always";
User = "minecraft";
WorkingDirectory = cfg.dataDir;
};
preStart = ''
ln -sf ${eulaFile} eula.txt
ln -sf ${whitelistFile} whitelist.json
cp -f ${serverPropertiesFile} server.properties
ln -sfn ${pkgs.linkFarmFromDrvs "fabric-mods" cfg.mods} mods
'';
};
assertions = [
{ assertion = cfg.eula;
message = "You must agree to Mojangs EULA to run minecraft-server."
+ " Read https://account.mojang.com/documents/minecraft_eula and"
+ " set `services.minecraft-server.eula` to `true` if you agree.";
}
];
};
}

24
hosts/ildkule/configuration.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
@@ -20,26 +20,10 @@
networking.hostName = "ildkule"; # Define your hostname.
networking.interfaces.ens18.useDHCP = false;
networking.defaultGateway = "129.241.210.129";
networking.interfaces.ens18.ipv4 = {
addresses = [
{
address = "129.241.210.187";
prefixLength = 25;
}
];
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.ildkule; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
networking.interfaces.ens18.ipv6 = {
addresses = [
{
address = "2001:700:300:1900::187";
prefixLength = 64;
}
];
};
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
# List packages installed in system profile
environment.systemPackages = with pkgs; [

1009
hosts/ildkule/services/metrics/dashboards/go-processes.json Normal file
View File

File diff suppressed because it is too large Load Diff

3801
hosts/ildkule/services/metrics/dashboards/mysql.json Normal file
View File

File diff suppressed because it is too large Load Diff

3167
hosts/ildkule/services/metrics/dashboards/postgres.json Normal file
View File

File diff suppressed because it is too large Load Diff

1706
hosts/ildkule/services/metrics/dashboards/synapse.json
View File

File diff suppressed because it is too large Load Diff

2
hosts/ildkule/services/metrics/default.nix
View File

@@ -2,7 +2,7 @@
{
imports = [
./prometheus.nix
./prometheus
./grafana.nix
./loki.nix
];

59
hosts/ildkule/services/metrics/grafana.nix
View File

@@ -1,15 +1,41 @@
{ config, pkgs, ... }:
let
{ config, pkgs, values, ... }: let
cfg = config.services.grafana;
in {
sops.secrets = let
owner = "grafana";
group = "grafana";
in {
"keys/grafana/secret_key" = { inherit owner group; };
"keys/grafana/admin_password" = { inherit owner group; };
"keys/postgres/grafana" = { inherit owner group; };
};
services.grafana = {
enable = true;
settings.server = {
domain = "ildkule.pvv.ntnu.no";
http_port = 2342;
http_addr = "127.0.0.1";
settings = let
# See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
secretFile = path: "$__file{${path}}";
in {
server = {
domain = "ildkule.pvv.ntnu.no";
http_port = 2342;
http_addr = "127.0.0.1";
};
security = {
secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
};
database = {
type = "postgres";
user = "grafana";
host = "${values.hosts.bicep.ipv4}:5432";
password = secretFile config.sops.secrets."keys/postgres/grafana".path;
};
};
provision = {
enable = true;
datasources.settings.datasources = [
@@ -38,6 +64,25 @@ in {
url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
options.path = dashboards/synapse.json;
}
# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
# {
# name = "MySQL";
# type = "file";
# url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
# options.path = dashboards/mysql.json;
# }
{
name = "Postgresql";
type = "file";
url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
options.path = dashboards/postgres.json;
}
{
name = "Go Processes (gogs)";
type = "file";
url = "https://grafana.com/api/dashboards/240/revisions/3/download";
options.path = dashboards/go-processes.json;
}
];
};

76
hosts/ildkule/services/metrics/prometheus.nix
View File

@@ -1,76 +0,0 @@
{ config, pkgs, ... }:
let
cfg = config.services.prometheus;
in {
services.prometheus = {
enable = true;
listenAddress = "127.0.0.1";
port = 9001;
scrapeConfigs = [
{
job_name = "node";
static_configs = [
{
targets = [
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
"microbel.pvv.ntnu.no:9100"
"isvegg.pvv.ntnu.no:9100"
"knakelibrak.pvv.ntnu.no:9100"
];
}
];
}
{
job_name = "exim";
scrape_interval = "60s";
static_configs = [
{
targets = [
"microbel.pvv.ntnu.no:9636"
];
}
];
}
{
job_name = "synapse";
scrape_interval = "15s";
scheme = "https";
http_sd_configs = [
{
url = "https://matrix.pvv.ntnu.no/metrics/config.json";
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
regex = "[^/]+(/.*)";
target_label = "__metrics_path__";
}
{
source_labels = [ "__address__" ];
regex = "([^/]+)/.*";
target_label = "instance";
}
{
source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
target_label = "job";
}
{
source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
target_label = "index";
}
{
source_labels = [ "__address__" ];
regex = "([^/]+)/.*";
target_label = "__address__";
}
];
}
];
ruleFiles = [ rules/synapse-v2.rules ];
};
}

18
hosts/ildkule/services/metrics/prometheus/default.nix Normal file
View File

@@ -0,0 +1,18 @@
{ config, ... }: {
imports = [
./gogs.nix
./matrix-synapse.nix
# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
# ./mysqld.nix
./node.nix
./postgres.nix
];
services.prometheus = {
enable = true;
listenAddress = "127.0.0.1";
port = 9001;
ruleFiles = [ rules/synapse-v2.rules ];
};
}

16
hosts/ildkule/services/metrics/prometheus/gogs.nix Normal file
View File

@@ -0,0 +1,16 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "git-gogs";
scheme = "https";
metrics_path = "/-/metrics";
static_configs = [
{
targets = [
"essendrop.pvv.ntnu.no:443"
];
}
];
}];
}

40
hosts/ildkule/services/metrics/prometheus/matrix-synapse.nix Normal file
View File

@@ -0,0 +1,40 @@
{ ... }:
{
services.prometheus.scrapeConfigs = [{
job_name = "synapse";
scrape_interval = "15s";
scheme = "https";
http_sd_configs = [{
url = "https://matrix.pvv.ntnu.no/metrics/config.json";
}];
relabel_configs = [
{
source_labels = [ "__address__" ];
regex = "[^/]+(/.*)";
target_label = "__metrics_path__";
}
{
source_labels = [ "__address__" ];
regex = "([^/]+)/.*";
target_label = "instance";
}
{
source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
target_label = "job";
}
{
source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
target_label = "index";
}
{
source_labels = [ "__address__" ];
regex = "([^/]+)/.*";
target_label = "__address__";
}
];
}];
}

25
hosts/ildkule/services/metrics/prometheus/mysqld.nix Normal file
View File

@@ -0,0 +1,25 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
sops.secrets."config/mysqld_exporter" = { };
services.prometheus = {
scrapeConfigs = [{
job_name = "mysql";
scheme = "http";
metrics_path = cfg.exporters.mysqld.telemetryPath;
static_configs = [
{
targets = [
"localhost:${toString cfg.exporters.mysqld.port}"
];
}
];
}];
exporters.mysqld = {
enable = true;
configFilePath = config.sops.secrets."config/mysqld_exporter".path;
};
};
}

22
hosts/ildkule/services/metrics/prometheus/node.nix Normal file
View File

@@ -0,0 +1,22 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "node";
static_configs = [
{
targets = [
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
"microbel.pvv.ntnu.no:9100"
"isvegg.pvv.ntnu.no:9100"
"knakelibrak.pvv.ntnu.no:9100"
"hildring.pvv.ntnu.no:9100"
"bicep.pvv.ntnu.no:9100"
"essendrop.pvv.ntnu.no:9100"
"andresbu.pvv.ntnu.no:9100"
"bekkalokk.pvv.ntnu.no:9100"
];
}
];
}];
}

51
hosts/ildkule/services/metrics/prometheus/postgres.nix Normal file
View File

@@ -0,0 +1,51 @@
{ pkgs, lib, config, values, ... }: let
cfg = config.services.prometheus;
in {
sops.secrets = {
"keys/postgres/postgres_exporter_env" = {};
"keys/postgres/postgres_exporter_knakelibrak_env" = {};
};
services.prometheus = {
scrapeConfigs = [
{
job_name = "postgres";
scrape_interval = "15s";
static_configs = [{
targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
labels = {
server = "bicep";
};
}];
}
{
job_name = "postgres-knakelibrak";
scrape_interval = "15s";
static_configs = [{
targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
labels = {
server = "knakelibrak";
};
}];
}
];
exporters.postgres = {
enable = true;
extraFlags = [ "--auto-discover-databases" ];
environmentFile = config.sops.secrets."keys/postgres/postgres_exporter_env".path;
};
};
systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let
localCfg = config.services.prometheus.exporters.postgres;
in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path;
ExecStart = ''
${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \
--web.listen-address ${localCfg.listenAddress}:${toString (localCfg.port + 1)} \
--web.telemetry-path ${localCfg.telemetryPath} \
${lib.concatStringsSep " \\\n " localCfg.extraFlags}
'';
};
}

0
hosts/ildkule/services/metrics/rules/synapse-v2.rules → hosts/ildkule/services/metrics/prometheus/rules/synapse-v2.rules
View File

15
hosts/ildkule/services/nginx/default.nix
View File

@@ -1,7 +1,5 @@
{config, ... }:
{ config, values, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "drift@pvv.ntnu.no";
@@ -10,6 +8,17 @@
services.nginx = {
enable = true;
enableReload = true;
defaultListenAddresses = [
values.hosts.ildkule.ipv4
"[${values.hosts.ildkule.ipv6}]"
"127.0.0.1"
"127.0.0.2"
"[::1]"
];
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;

72
hosts/jokum/configuration.nix
View File

@@ -1,72 +0,0 @@
{ config, pkgs, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
# Users can just import any configuration they want even for non-user things. Improve the users/default.nix to just load some specific attributes if this isn't wanted
../../misc/rust-motd.nix
./services/matrix
./services/nginx
];
sops.defaultSopsFile = ../../secrets/jokum/jokum.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.devices = [ "/dev/sda" ];
networking.hostName = "jokum"; # Define your hostname.
networking.interfaces.ens18.useDHCP = false;
networking.defaultGateway = "129.241.210.129";
networking.interfaces.ens18.ipv4 = {
addresses = [
{
address = "129.241.210.169";
prefixLength = 25;
}
{
address = "129.241.210.213";
prefixLength = 25;
}
];
};
networking.interfaces.ens18.ipv6 = {
addresses = [
{
address = "2001:700:300:1900::169";
prefixLength = 64;
}
{
address = "2001:700:300:1900::213";
prefixLength = 64;
}
];
};
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}

29
hosts/jokum/hardware-configuration.nix
View File

@@ -1,29 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/1a8bf91a-5948-40c2-a9fd-7a33e46fa441";
fsType = "ext4";
};
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/c812e204-b998-4ec5-9f26-29c5808ed6ba";
fsType = "ext4";
};
swapDevices = [ ];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

39
hosts/shark/configuration.nix Normal file
View File

@@ -0,0 +1,39 @@
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
];
sops.defaultSopsFile = ../../secrets/shark/shark.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "shark"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

38
hosts/shark/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,38 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/224c45db-9fdc-45d4-b3ad-aaf20b3efa8a";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/CC37-F5FE";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/a1ce3234-78b1-4565-9643-f4a05004424f"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

5
misc/builder.nix Normal file
View File

@@ -0,0 +1,5 @@
{ ... }:
{
nix.settings.trusted-users = [ "@nix-builder-users" ];
}

19
misc/metrics-exporters.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, pkgs, values, ... }:
{
services.prometheus.exporters.node = {
@@ -7,6 +7,19 @@
enabledCollectors = [ "systemd" ];
};
systemd.services.prometheus-node-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = [ 9100 ];
services.promtail = {
enable = true;
configuration = {
@@ -34,6 +47,10 @@
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
];
}
];

62
modules/grzegorz.nix Normal file
View File

@@ -0,0 +1,62 @@
{config, lib, pkgs, ...}:
let
grg = config.services.grzegorz;
grgw = config.services.grzegorz-webui;
in {
services.pipewire.enable = true;
services.pipewire.alsa.enable = true;
services.pipewire.alsa.support32Bit = true;
services.pipewire.pulse.enable = true;
users.users.pvv = {
isNormalUser = true;
description = "pvv";
};
services.grzegorz.enable = true;
services.grzegorz.listenAddr = "localhost";
services.grzegorz.listenPort = 31337;
services.grzegorz-webui.enable = true;
services.grzegorz-webui.listenAddr = "localhost";
services.grzegorz-webui.listenPort = 42069;
services.grzegorz-webui.listenWebsocketPort = 42042;
services.grzegorz-webui.hostName = "${config.networking.fqdn}";
services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
security.acme.acceptTerms = true;
security.acme.defaults.email = "pederbs@pvv.ntnu.no";
services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx.virtualHosts."${config.networking.fqdn}" = {
forceSSL = true;
enableACME = true;
serverAliases = [
"${config.networking.hostName}.pvv.org"
];
extraConfig = ''
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
locations."/" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenPort}";
};
# https://github.com/rawpython/remi/issues/216
locations."/websocket" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenWebsocketPort}";
proxyWebsockets = true;
};
locations."/api" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}";
};
locations."/docs" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}";
};
};
}

178
packages/heimdal/default.nix Normal file
View File

@@ -0,0 +1,178 @@
{ lib
, stdenv
, fetchFromGitHub
, autoreconfHook
, pkg-config
, python3
, perl
, bison
, flex
, texinfo
, perlPackages
, openldap
, libcap_ng
, sqlite
, openssl
, db
, libedit
, pam
, krb5
, libmicrohttpd
, cjson
, CoreFoundation
, Security
, SystemConfiguration
, curl
, jdk
, unzip
, which
, nixosTests
, withCJSON ? true
, withCapNG ? stdenv.isLinux
# libmicrohttpd should theoretically work for darwin as well, but something is broken.
# It affects tests check-bx509d and check-httpkadmind.
, withMicroHTTPD ? stdenv.isLinux
, withOpenLDAP ? true
, withOpenLDAPAsHDBModule ? false
, withOpenSSL ? true
, withSQLite3 ? true
}:
assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
'';
stdenv.mkDerivation {
pname = "heimdal";
version = "7.8.0-unstable-2023-11-29";
src = fetchFromGitHub {
owner = "heimdal";
repo = "heimdal";
rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
};
outputs = [ "out" "dev" "man" "info" ];
nativeBuildInputs = [
autoreconfHook
pkg-config
python3
perl
bison
flex
texinfo
]
++ (with perlPackages; [ JSON ]);
buildInputs = [ db libedit pam ]
++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
++ lib.optionals (withCJSON) [ cjson ]
++ lib.optionals (withCapNG) [ libcap_ng ]
++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
++ lib.optionals (withOpenLDAP) [ openldap ]
++ lib.optionals (withOpenSSL) [ openssl ]
++ lib.optionals (withSQLite3) [ sqlite ];
doCheck = true;
nativeCheckInputs = [
curl
jdk
unzip
which
];
configureFlags = [
"--with-libedit-include=${libedit.dev}/include"
"--with-libedit-lib=${libedit}/lib"
"--with-berkeley-db-include=${db.dev}/include"
"--with-berkeley-db"
"--without-x"
"--disable-afs-string-to-key"
] ++ lib.optionals (withCapNG) [
"--with-capng"
] ++ lib.optionals (withCJSON) [
"--with-cjson=${cjson}"
] ++ lib.optionals (withOpenLDAP) [
"--with-openldap=${openldap.dev}"
] ++ lib.optionals (withOpenLDAPAsHDBModule) [
"--enable-hdb-openldap-module"
] ++ lib.optionals (withSQLite3) [
"--with-sqlite3=${sqlite.dev}"
];
# (check-ldap) slapd resides within ${openldap}/libexec,
# which is not part of $PATH by default.
# (check-ldap) prepending ${openldap}/bin to the path to avoid
# using the default installation of openldap on unsandboxed darwin systems,
# which does not support the new mdb backend at the moment (2024-01-13).
# (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
# but the heimdal tests still seem to expect bdb as the openldap backend.
# This might be fixed upstream in a future update.
patchPhase = ''
runHook prePatch
substituteInPlace tests/ldap/slapd-init.in \
--replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
substituteInPlace tests/ldap/check-ldap.in \
--replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
substituteInPlace tests/ldap/slapd.conf \
--replace 'database bdb' 'database mdb'
runHook postPatch
'';
# (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
# which expects either USER or LOGNAME to be set.
preCheck = lib.optionalString (stdenv.isDarwin) ''
export USER=nix-builder
'';
# We need to build hcrypt for applications like samba
postBuild = ''
(cd include/hcrypto; make -j $NIX_BUILD_CORES)
(cd lib/hcrypto; make -j $NIX_BUILD_CORES)
'';
postInstall = ''
# Install hcrypto
(cd include/hcrypto; make -j $NIX_BUILD_CORES install)
(cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
mkdir -p $dev/bin
mv $out/bin/krb5-config $dev/bin/
# asn1 compilers, move them to $dev
mv $out/libexec/heimdal/* $dev/bin
rmdir $out/libexec/heimdal
# compile_et is needed for cross-compiling this package and samba
mv lib/com_err/.libs/compile_et $dev/bin
'';
# Issues with hydra
# In file included from hxtool.c:34:0:
# hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
#enableParallelBuilding = true;
passthru = {
implementation = "heimdal";
tests.nixos = nixosTests.kerberos.heimdal;
};
meta = with lib; {
homepage = "https://www.heimdal.software";
changelog = "https://github.com/heimdal/heimdal/releases";
description = "An implementation of Kerberos 5 (and some more stuff)";
license = licenses.bsd3;
platforms = platforms.unix;
maintainers = with maintainers; [ h7x4 ];
};
}

7
packages/mediawiki-extensions/default.nix Normal file
View File

@@ -0,0 +1,7 @@
{ pkgs, lib }:
lib.makeScope pkgs.newScope (self: {
DeleteBatch = self.callPackage ./delete-batch { };
PluggableAuth = self.callPackage ./pluggable-auth { };
SimpleSAMLphp = self.callPackage ./simple-saml-php { };
UserMerge = self.callPackage ./user-merge { };
})

7
packages/mediawiki-extensions/delete-batch/default.nix Normal file
View File

@@ -0,0 +1,7 @@
{ fetchzip }:
fetchzip {
name = "mediawiki-delete-batch";
url = "https://extdist.wmflabs.org/dist/extensions/DeleteBatch-REL1_41-5774fdd.tar.gz";
hash = "sha256-ROkn93lf0mNXBvij9X2pMhd8LXZ0azOz7ZRaqZvhh8k=";
}

7
packages/mediawiki-extensions/pluggable-auth/default.nix Normal file
View File

@@ -0,0 +1,7 @@
{ fetchzip }:
fetchzip {
name = "mediawiki-pluggable-auth-source";
url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_41-d5b3ad8.tar.gz";
hash = "sha256-OLlkKeSlfNgWXWwDdINrYRZpYuSGRwzZHgU8EYW6rYU=";
}

7
packages/mediawiki-extensions/simple-saml-php/default.nix Normal file
View File

@@ -0,0 +1,7 @@
{ fetchzip }:
fetchzip {
name = "mediawiki-simple-saml-php-source";
url = "https://extdist.wmflabs.org/dist/extensions/SimpleSAMLphp-REL1_41-9ae0678.tar.gz";
hash = "sha256-AmCaG5QXMJvi3N6zFyWylwYDt8GvyIk/0GFpM1Y0vkY=";
}

66
packages/mediawiki-extensions/update-mediawiki-extensions.py Executable file
View File

@@ -0,0 +1,66 @@
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"
import os
from pathlib import Path
import re
import subprocess
from collections import defaultdict
from pprint import pprint
import bs4
import requests
BASE_URL = "https://extdist.wmflabs.org/dist/extensions"
def fetch_plugin_list(skip_master=True) -> dict[str, list[str]]:
content = requests.get(BASE_URL).text
soup = bs4.BeautifulSoup(content, features="html.parser")
result = defaultdict(list)
for a in soup.find_all('a'):
if skip_master and 'master' in a.text:
continue
split = a.text.split('-')
result[split[0]].append(a.text)
return result
def update(package_file: Path, plugin_list: dict[str, list[str]]) -> None:
assert package_file.is_file()
with open(package_file) as file:
content = file.read()
tarball = re.search(f'url = "{BASE_URL}/(.+\.tar\.gz)";', content).group(1)
split = tarball.split('-')
updated_tarball = plugin_list[split[0]][-1]
_hash = re.search(f'hash = "(.+?)";', content).group(1)
out, err = subprocess.Popen(
["nix-prefetch-url", "--unpack", "--type", "sha256", f"{BASE_URL}/{updated_tarball}"],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
).communicate()
out, err = subprocess.Popen(
["nix", "hash", "to-sri", "--type", "sha256", out.decode().strip()],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
).communicate()
updated_hash = out.decode().strip()
if tarball == updated_tarball and _hash == updated_hash:
return
print(f"Updating: {tarball} ({_hash[7:14]}) -> {updated_tarball} ({updated_hash[7:14]})")
updated_text = re.sub(f'url = "{BASE_URL}/.+?\.tar\.gz";', f'url = "{BASE_URL}/{updated_tarball}";', content)
updated_text = re.sub('hash = ".+";', f'hash = "{updated_hash}";', updated_text)
with open(package_file, 'w') as file:
file.write(updated_text)
if __name__ == "__main__":
plugin_list = fetch_plugin_list()
for direntry in os.scandir(Path(__file__).parent):
if direntry.is_dir():
update(Path(direntry) / "default.nix", plugin_list)

7
packages/mediawiki-extensions/user-merge/default.nix Normal file
View File

@@ -0,0 +1,7 @@
{ fetchzip }:
fetchzip {
name = "mediawiki-user-merge-source";
url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_41-a53af3b.tar.gz";
hash = "sha256-TxUkEqMW79thYl1la2r+w9laRnd3uSYYg1xDB+1he1g=";
}

38
packages/simplesamlphp/default.nix Normal file
View File

@@ -0,0 +1,38 @@
{ lib
, php
, writeText
, fetchFromGitHub
, extra_files ? { }
}:
php.buildComposerProject rec {
pname = "simplesamlphp";
version = "2.2.1";
src = fetchFromGitHub {
owner = "simplesamlphp";
repo = "simplesamlphp";
rev = "v${version}";
hash = "sha256-jo7xma60M4VZgeDgyFumvJp1Sm+RP4XaugDkttQVB+k=";
};
composerStrictValidation = false;
vendorHash = "sha256-n6lJ/Fb6xI124PkKJMbJBDiuISlukWQcHl043uHoBb4=";
# TODO: metadata could be fetched automagically with these:
# - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
# - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
postPatch = lib.pipe extra_files [
(lib.mapAttrsToList (target_path: source_path: ''
mkdir -p $(dirname "${target_path}")
cp -r "${source_path}" "${target_path}"
''))
(lib.concatStringsSep "\n")
];
postInstall = ''
ln -sr $out/share/php/simplesamlphp/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/simplesamlphp/public/assets/base
'';
}

43
pkgs/minecraft-server-fabric/default.nix
View File

@@ -1,43 +0,0 @@
{ callPackage, writeTextFile, writeShellScriptBin, minecraft-server, jre_headless }:
let
loader = callPackage ./generate-loader.nix {};
log4j = writeTextFile {
name = "log4j.xml";
text = ''
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN" packages="com.mojang.util">
<Appenders>
<Console name="SysOut" target="SYSTEM_OUT">
<PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
</Console>
<Queue name="ServerGuiConsole">
<PatternLayout pattern="[%d{HH:mm:ss} %level]: %msg%n" />
</Queue>
<RollingRandomAccessFile name="File" fileName="logs/latest.log" filePattern="logs/%d{yyyy-MM-dd}-%i.log.gz">
<PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
<Policies>
<TimeBasedTriggeringPolicy />
<OnStartupTriggeringPolicy />
</Policies>
<DefaultRolloverStrategy max="1000"/>
</RollingRandomAccessFile>
</Appenders>
<Loggers>
<Root level="info">
<filters>
<MarkerFilter marker="NETWORK_PACKETS" onMatch="DENY" onMismatch="NEUTRAL" />
</filters>
<AppenderRef ref="SysOut"/>
<AppenderRef ref="File"/>
<AppenderRef ref="ServerGuiConsole"/>
</Root>
</Loggers>
</Configuration>
'';
};
in
writeShellScriptBin "minecraft-server" ''
echo "serverJar=${minecraft-server}/lib/minecraft/server.jar" >> fabric-server-launcher.properties
exec ${jre_headless}/bin/java -Dlog4j.configurationFile=${log4j} $@ -jar ${loader} nogui
''

38
pkgs/minecraft-server-fabric/generate-loader.nix
View File

@@ -1,38 +0,0 @@
{ lib, fetchurl, stdenv, unzip, zip, jre_headless }:
let
lock = import ./lock.nix;
libraries = lib.forEach lock.libraries fetchurl;
in
stdenv.mkDerivation {
name = "fabric-server-launch.jar";
nativeBuildInputs = [ unzip zip jre_headless ];
libraries = libraries;
buildPhase = ''
for i in $libraries; do
unzip -o $i
done
cat > META-INF/MANIFEST.MF << EOF
Manifest-Version: 1.0
Main-Class: net.fabricmc.loader.impl.launch.server.FabricServerLauncher
Name: org/objectweb/asm/
Implementation-Version: 9.2
EOF
cat > fabric-server-launch.properties << EOF
launch.mainClass=net.fabricmc.loader.impl.launch.knot.KnotServer
EOF
'';
installPhase = ''
jar cmvf META-INF/MANIFEST.MF "server.jar" .
zip -d server.jar 'META-INF/*.SF' 'META-INF/*.RSA' 'META-INF/*.DSA'
cp server.jar "$out"
'';
phases = [ "buildPhase" "installPhase" ];
}

22
pkgs/minecraft-server-fabric/generate-lock-nix.sh
View File

@@ -1,22 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p bash curl jq
curl https://meta.fabricmc.net/v2/versions/loader/1.18.1/0.12.12/server/json \
| jq -r '
.mainClass,
(.libraries[]
| .url as $url
| .name | split(":") as [$dir, $name, $version]
|"\($name)-\($version).zip|\($url)\($dir|sub("\\.";"/";"g"))/\($name)/\($version)/\($name)-\($version).jar"
)' \
| {
echo '{'
read mainClass;
echo " mainClass = \"$mainClass\";"
echo " libraries = ["
while IFS="|" read name url; do
hash=$(nix-prefetch-url $url);
echo " { name = \"$name\"; sha256 = \"$hash\"; url = \"$url\"; }"
done
echo " ];"
echo '}'
}

Some files were not shown because too many files have changed in this diff Show More