Compare commits
406 Commits
prometheus
...
main
|
@ -0,0 +1,10 @@
|
||||||
|
root = true
|
||||||
|
|
||||||
|
[*]
|
||||||
|
end_of_line = lf
|
||||||
|
insert_final_newline = true
|
||||||
|
trim_trailing_whitespace = true
|
||||||
|
|
||||||
|
[*.nix]
|
||||||
|
indent_style = space
|
||||||
|
indent_size = 2
|
|
@ -0,0 +1 @@
|
||||||
|
e00008da1afe0d760badd34bbeddff36bb08c475
|
|
@ -0,0 +1,13 @@
|
||||||
|
name: "Eval nix flake"
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
push:
|
||||||
|
jobs:
|
||||||
|
evals:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- run: apt-get update && apt-get -y install sudo
|
||||||
|
- uses: https://github.com/cachix/install-nix-action@v23
|
||||||
|
- run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
|
||||||
|
- run: nix flake check
|
|
@ -1,2 +1,4 @@
|
||||||
result*
|
result*
|
||||||
/configuration.nix
|
/configuration.nix
|
||||||
|
/.direnv/
|
||||||
|
*.qcow2
|
||||||
|
|
61
.sops.yaml
61
.sops.yaml
|
@ -1,33 +1,80 @@
|
||||||
keys:
|
keys:
|
||||||
|
# Users
|
||||||
- &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
|
- &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
|
||||||
- &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
|
- &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
|
||||||
- &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
|
- &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
|
||||||
- &host_jokum age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
|
- &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
|
||||||
- &host_ildkule age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
|
- &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
|
||||||
|
- &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
|
||||||
|
- &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
|
||||||
|
|
||||||
|
# Hosts
|
||||||
|
- &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
|
||||||
|
- &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
|
||||||
|
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
|
||||||
|
- &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
# Global secrets
|
# Global secrets
|
||||||
- path_regex: secrets/[^/]+\.yaml$
|
- path_regex: secrets/[^/]+\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *user_danio
|
|
||||||
- *host_jokum
|
- *host_jokum
|
||||||
|
- *user_danio
|
||||||
|
- *user_felixalb
|
||||||
|
- *user_eirikwit
|
||||||
|
- *user_pederbs_sopp
|
||||||
|
- *user_pederbs_nord
|
||||||
|
- *user_pederbs_bjarte
|
||||||
pgp:
|
pgp:
|
||||||
- *user_oysteikt
|
- *user_oysteikt
|
||||||
|
|
||||||
# Host specific secrets
|
# Host specific secrets
|
||||||
## Jokum
|
|
||||||
|
- path_regex: secrets/bekkalokk/[^/]+\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *host_bekkalokk
|
||||||
|
- *user_danio
|
||||||
|
- *user_felixalb
|
||||||
|
- *user_pederbs_sopp
|
||||||
|
- *user_pederbs_nord
|
||||||
|
- *user_pederbs_bjarte
|
||||||
|
pgp:
|
||||||
|
- *user_oysteikt
|
||||||
|
|
||||||
- path_regex: secrets/jokum/[^/]+\.yaml$
|
- path_regex: secrets/jokum/[^/]+\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *user_danio
|
|
||||||
- *host_jokum
|
- *host_jokum
|
||||||
|
- *user_danio
|
||||||
|
- *user_felixalb
|
||||||
|
- *user_pederbs_sopp
|
||||||
|
- *user_pederbs_nord
|
||||||
|
- *user_pederbs_bjarte
|
||||||
pgp:
|
pgp:
|
||||||
- *user_oysteikt
|
- *user_oysteikt
|
||||||
|
|
||||||
- path_regex: secrets/ildkule/[^/]+\.yaml$
|
- path_regex: secrets/ildkule/[^/]+\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *user_felixalb
|
|
||||||
- *user_danio
|
|
||||||
- *host_ildkule
|
- *host_ildkule
|
||||||
|
- *user_danio
|
||||||
|
- *user_felixalb
|
||||||
|
- *user_pederbs_sopp
|
||||||
|
- *user_pederbs_nord
|
||||||
|
- *user_pederbs_bjarte
|
||||||
|
pgp:
|
||||||
|
- *user_oysteikt
|
||||||
|
|
||||||
|
- path_regex: secrets/bicep/[^/]+\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *host_bicep
|
||||||
|
- *user_danio
|
||||||
|
- *user_felixalb
|
||||||
|
- *user_pederbs_sopp
|
||||||
|
- *user_pederbs_nord
|
||||||
|
- *user_pederbs_bjarte
|
||||||
pgp:
|
pgp:
|
||||||
- *user_oysteikt
|
- *user_oysteikt
|
||||||
|
|
28
README.MD
28
README.MD
|
@ -4,9 +4,19 @@
|
||||||
|
|
||||||
Før du endrer på ting husk å ikke putte ting som skal være hemmelig uten å først lese seksjonen for hemmeligheter!
|
Før du endrer på ting husk å ikke putte ting som skal være hemmelig uten å først lese seksjonen for hemmeligheter!
|
||||||
|
|
||||||
Etter å ha klonet prosjektet ned og gjort endringer kan du bygge med:
|
Etter å ha klonet prosjektet ned og gjort endringer kan du evaluere configene med:
|
||||||
|
|
||||||
`nix build .#nixosConfigurations.jokum.config.system.build.toplevel`
|
`nix flake check --keep-going`
|
||||||
|
|
||||||
|
før du bygger en maskin med:
|
||||||
|
|
||||||
|
`nix build .#<maskinnavn>`
|
||||||
|
|
||||||
|
hvis du vil være ekstra sikker på at alt bygger så kan du kjøre:
|
||||||
|
|
||||||
|
`nix build .` for å bygge alle de viktige maskinene.
|
||||||
|
|
||||||
|
NB: Dette kan ta opp til 30 minutter avhengig av hva som ligger i caches
|
||||||
|
|
||||||
Husk å hvertfall stage nye filer om du har laget dem!
|
Husk å hvertfall stage nye filer om du har laget dem!
|
||||||
|
|
||||||
|
@ -16,10 +26,14 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
|
||||||
Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
|
Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
|
||||||
|
|
||||||
Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
|
Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
|
||||||
`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
|
`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
|
||||||
|
|
||||||
som root på maskinen.
|
som root på maskinen.
|
||||||
|
|
||||||
|
Hvis du ikke har lyst til å oppdatere alle pakkene (og kanskje måtte vente en stund!) kan du kjøre
|
||||||
|
|
||||||
|
`nixos-rebuild switch --override-input nixpkgs nixpkgs --override-input nixpkgs-unstable nixpkgs-unstable --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
|
||||||
|
|
||||||
## Seksjonen for hemmeligheter
|
## Seksjonen for hemmeligheter
|
||||||
|
|
||||||
For at hemmeligheter ikke skal deles med hele verden i git - eller å være world
|
For at hemmeligheter ikke skal deles med hele verden i git - eller å være world
|
||||||
|
@ -37,3 +51,11 @@ for å få tilgang til å lese/skrive hemmeligheter må du spørre noen/noe som
|
||||||
om å legge til age eller pgp nøkkelen din i [`.sops.yaml`](https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/.sops.yaml)
|
om å legge til age eller pgp nøkkelen din i [`.sops.yaml`](https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/.sops.yaml)
|
||||||
|
|
||||||
Denne kan du generere fra ssh-nøkkelene dine eller lage en egen nøkkel.
|
Denne kan du generere fra ssh-nøkkelene dine eller lage en egen nøkkel.
|
||||||
|
|
||||||
|
### Legge til flere keys
|
||||||
|
|
||||||
|
Gjør det som gir mening i .sops.yml
|
||||||
|
|
||||||
|
Etter det kjør `sops updatekeys secrets/host/file.yml`
|
||||||
|
|
||||||
|
MERK at det ikke er `sops -r` som BARE roterer nøkklene for de som allerede er i secretfila
|
||||||
|
|
Binary file not shown.
After Width: | Height: | Size: 254 KiB |
|
@ -0,0 +1,172 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
||||||
|
<!-- Created with Inkscape (http://www.inkscape.org/) -->
|
||||||
|
|
||||||
|
<svg
|
||||||
|
width="200mm"
|
||||||
|
height="200mm"
|
||||||
|
viewBox="0 0 200 200"
|
||||||
|
version="1.1"
|
||||||
|
id="svg5"
|
||||||
|
inkscape:version="1.1.2 (b8e25be833, 2022-02-05)"
|
||||||
|
sodipodi:docname="logo_blue_thicc.svg"
|
||||||
|
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
|
||||||
|
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
|
||||||
|
xmlns="http://www.w3.org/2000/svg"
|
||||||
|
xmlns:svg="http://www.w3.org/2000/svg">
|
||||||
|
<sodipodi:namedview
|
||||||
|
id="namedview7"
|
||||||
|
pagecolor="#505050"
|
||||||
|
bordercolor="#ffffff"
|
||||||
|
borderopacity="1"
|
||||||
|
inkscape:pageshadow="0"
|
||||||
|
inkscape:pageopacity="0"
|
||||||
|
inkscape:pagecheckerboard="1"
|
||||||
|
inkscape:document-units="mm"
|
||||||
|
showgrid="false"
|
||||||
|
inkscape:zoom="3.9730533"
|
||||||
|
inkscape:cx="359.54715"
|
||||||
|
inkscape:cy="690.40101"
|
||||||
|
inkscape:window-width="1920"
|
||||||
|
inkscape:window-height="1057"
|
||||||
|
inkscape:window-x="-8"
|
||||||
|
inkscape:window-y="-8"
|
||||||
|
inkscape:window-maximized="1"
|
||||||
|
inkscape:current-layer="Layer_4"
|
||||||
|
width="200mm" />
|
||||||
|
<defs
|
||||||
|
id="defs2" />
|
||||||
|
<g
|
||||||
|
inkscape:label="Layer 1"
|
||||||
|
inkscape:groupmode="layer"
|
||||||
|
id="layer1">
|
||||||
|
<g
|
||||||
|
id="g98"
|
||||||
|
transform="scale(0.25)">
|
||||||
|
<g
|
||||||
|
id="Layer_2"
|
||||||
|
style="fill:#283681;fill-opacity:1">
|
||||||
|
<rect
|
||||||
|
y="0"
|
||||||
|
class="st0"
|
||||||
|
width="800"
|
||||||
|
height="800"
|
||||||
|
id="rect4"
|
||||||
|
x="0"
|
||||||
|
style="fill:#283681;fill-opacity:1"
|
||||||
|
inkscape:export-filename="C:\Users\al3xk\OneDrive - NTNU\PVV\Gogs\PR\logoer\logo_blue.png"
|
||||||
|
inkscape:export-xdpi="480"
|
||||||
|
inkscape:export-ydpi="480" />
|
||||||
|
</g>
|
||||||
|
<g
|
||||||
|
id="Layer_4"
|
||||||
|
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1">
|
||||||
|
<line
|
||||||
|
class="st1"
|
||||||
|
x1="478.39999"
|
||||||
|
y1="720.29999"
|
||||||
|
x2="313.20001"
|
||||||
|
y2="720.29999"
|
||||||
|
id="line9"
|
||||||
|
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
|
||||||
|
<path
|
||||||
|
class="st1"
|
||||||
|
d="M 478.4,720.3"
|
||||||
|
id="path11"
|
||||||
|
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
|
||||||
|
<polyline
|
||||||
|
class="st2"
|
||||||
|
points="717.1,223.3 717.1,720.3 497.3,720.3 "
|
||||||
|
id="polyline13"
|
||||||
|
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
|
||||||
|
<path
|
||||||
|
class="st2"
|
||||||
|
d="m 498.39888,720.3 c 0,-5.6 -4.5,-10.1 -10.1,-10.1 -5.6,0 -10.1,4.5 -10.1,10.1 h -163.8 c 0,-5.6 -4.5,-10.1 -10.1,-10.1 -5.6,0 -10.1,4.5 -10.1,10.1 -69.7592,0 -145.68417,0 -217.599996,0 V 79.7 H 717.09888 v 120 0 h -17.3 v 24.8 h 17.3"
|
||||||
|
id="path15"
|
||||||
|
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-linecap:square;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
|
||||||
|
sodipodi:nodetypes="csccsccccccccc" />
|
||||||
|
</g>
|
||||||
|
<g
|
||||||
|
id="Layer_3"
|
||||||
|
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1">
|
||||||
|
<circle
|
||||||
|
class="st2"
|
||||||
|
cx="396.79999"
|
||||||
|
cy="400"
|
||||||
|
id="circle18"
|
||||||
|
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
|
||||||
|
r="320.29999" />
|
||||||
|
</g>
|
||||||
|
<g
|
||||||
|
id="Layer_1"
|
||||||
|
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1">
|
||||||
|
<polyline
|
||||||
|
class="st2"
|
||||||
|
points="514.5,173.5 170.2,173.5 170.3,626.6 623.3,626.5 623.3,215.7 584.4,173.4 557,173.4 548,180.6 526.5,180.7 "
|
||||||
|
id="polyline21"
|
||||||
|
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
|
||||||
|
<path
|
||||||
|
class="st2"
|
||||||
|
d="m 526.5,331.8 c 0,7.6 -5.4,13.7 -12,13.7 H 227.7 c -6.6,0 -12,-6.1 -12,-13.7 V 187.2 c 0,-7.6 5.4,-13.7 12,-13.7 h 286.8 c 6.6,0 12,6.1 12,13.7 z"
|
||||||
|
id="path27"
|
||||||
|
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
|
||||||
|
<path
|
||||||
|
class="st2"
|
||||||
|
d="m 526.7,333.6 c 0,6.6 -5.4,12 -12,12 H 296.8 c -6.6,0 -12,-5.4 -12,-12 V 185.5 c 0,-6.6 5.4,-12 12,-12 h 217.9 c 6.6,0 12,5.4 12,12 z"
|
||||||
|
id="path29"
|
||||||
|
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
|
||||||
|
<path
|
||||||
|
class="st2"
|
||||||
|
d="m 577.9,613.7 c 0,6.6 -5.4,12 -12,12 H 227.7 c -6.6,0 -12,-5.4 -12,-12 V 381.1 c 0,-6.6 5.4,-12 12,-12 h 338.2 c 6.6,0 12,5.4 12,12 z"
|
||||||
|
id="path31"
|
||||||
|
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
|
||||||
|
<rect
|
||||||
|
x="179.89999"
|
||||||
|
y="590.20001"
|
||||||
|
class="st2"
|
||||||
|
width="25.700001"
|
||||||
|
height="23"
|
||||||
|
id="rect33"
|
||||||
|
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
|
||||||
|
<rect
|
||||||
|
x="587.59998"
|
||||||
|
y="590.20001"
|
||||||
|
class="st2"
|
||||||
|
width="25.700001"
|
||||||
|
height="23"
|
||||||
|
id="rect35"
|
||||||
|
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
|
||||||
|
<rect
|
||||||
|
x="433.60001"
|
||||||
|
y="193.5"
|
||||||
|
class="st2"
|
||||||
|
width="64.900002"
|
||||||
|
height="137.8"
|
||||||
|
id="rect37"
|
||||||
|
style="fill:#283681;fill-opacity:0;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
|
||||||
|
</g>
|
||||||
|
<path
|
||||||
|
d="m 274.9401,541.572 c 0,3.528 2.772,6.426 6.3,6.426 3.528,0 6.426,-2.898 6.426,-6.426 v -30.996 h 30.87 c 10.458,0 19.152,-8.694 19.152,-19.152 v -22.68 c 0,-10.332 -8.694,-19.026 -19.152,-19.026 h -43.596 z m 12.726,-43.722 v -35.406 h 30.87 c 3.276,0 6.426,2.898 6.426,6.3 v 22.68 c 0,3.528 -3.024,6.426 -6.426,6.426 z"
|
||||||
|
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:126px;font-family:OCRA;-inkscape-font-specification:OCRA;fill:#ffffff;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
|
||||||
|
id="path55-2" />
|
||||||
|
<path
|
||||||
|
d="m 365.99479,478.824 25.326,65.142 c 1.008,2.394 3.276,4.032 6.048,4.032 2.646,0 4.914,-1.638 5.922,-4.032 l 25.452,-65.268 v -22.68 c 0,-3.402 -2.898,-6.3 -6.426,-6.3 -3.528,0 -6.3,2.898 -6.3,6.3 v 20.286 l -18.648,47.628 -18.648,-47.628 v -20.286 c 0,-3.402 -2.898,-6.3 -6.426,-6.3 -3.528,0 -6.3,2.898 -6.3,6.3 z"
|
||||||
|
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:126px;font-family:OCRA;-inkscape-font-specification:OCRA;fill:#ffffff;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
|
||||||
|
id="path57-8" />
|
||||||
|
<path
|
||||||
|
d="m 457.04947,478.824 25.326,65.142 c 1.008,2.394 3.276,4.032 6.048,4.032 2.646,0 4.914,-1.638 5.922,-4.032 l 25.452,-65.268 v -22.68 c 0,-3.402 -2.898,-6.3 -6.426,-6.3 -3.528,0 -6.3,2.898 -6.3,6.3 v 20.286 l -18.648,47.628 -18.648,-47.628 v -20.286 c 0,-3.402 -2.898,-6.3 -6.426,-6.3 -3.528,0 -6.3,2.898 -6.3,6.3 z"
|
||||||
|
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:126px;font-family:OCRA;-inkscape-font-specification:OCRA;fill:#ffffff;stroke:#ffffff;stroke-width:4.2;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
|
||||||
|
id="path59-1" />
|
||||||
|
</g>
|
||||||
|
</g>
|
||||||
|
<style
|
||||||
|
type="text/css"
|
||||||
|
id="style2">
|
||||||
|
.st0{fill:#ffffff;}
|
||||||
|
.st1{fill:none;stroke:#ffffff;stroke-width:2;stroke-miterlimit:10;}
|
||||||
|
.st2{fill:none;stroke:#000000;stroke-width:2;stroke-miterlimit:10;}
|
||||||
|
.st3{fill:none;}
|
||||||
|
.st4{stroke:#000000;stroke-miterlimit:10;}
|
||||||
|
.st5{font-family:'OCRAStd';}
|
||||||
|
.st6{font-size:126px;}
|
||||||
|
</style>
|
||||||
|
</svg>
|
After Width: | Height: | Size: 8.2 KiB |
73
base.nix
73
base.nix
|
@ -1,73 +0,0 @@
|
||||||
{ config, pkgs, inputs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
./users
|
|
||||||
];
|
|
||||||
|
|
||||||
networking.domain = "pvv.ntnu.no";
|
|
||||||
networking.useDHCP = false;
|
|
||||||
networking.search = [ "pvv.ntnu.no" "pvv.org" ];
|
|
||||||
|
|
||||||
services.resolved = {
|
|
||||||
enable = true;
|
|
||||||
dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
|
|
||||||
};
|
|
||||||
|
|
||||||
time.timeZone = "Europe/Oslo";
|
|
||||||
|
|
||||||
i18n.defaultLocale = "en_US.UTF-8";
|
|
||||||
console = {
|
|
||||||
font = "Lat2-Terminus16";
|
|
||||||
keyMap = "no";
|
|
||||||
};
|
|
||||||
|
|
||||||
system.autoUpgrade = {
|
|
||||||
enable = true;
|
|
||||||
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
|
|
||||||
flags = [
|
|
||||||
"--update-input" "nixpkgs"
|
|
||||||
"--update-input" "unstable"
|
|
||||||
"--no-write-lock-file"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
nix.gc.automatic = true;
|
|
||||||
nix.gc.options = "--delete-older-than 2d";
|
|
||||||
|
|
||||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
|
||||||
|
|
||||||
/* This makes commandline tools like
|
|
||||||
** nix run nixpkgs#hello
|
|
||||||
** and nix-shell -p hello
|
|
||||||
** use the same channel the system
|
|
||||||
** was built with
|
|
||||||
*/
|
|
||||||
nix.registry = {
|
|
||||||
nixpkgs.flake = inputs.nixpkgs;
|
|
||||||
};
|
|
||||||
nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
|
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
file
|
|
||||||
git
|
|
||||||
htop
|
|
||||||
nano
|
|
||||||
tmux
|
|
||||||
vim
|
|
||||||
wget
|
|
||||||
|
|
||||||
kitty.terminfo
|
|
||||||
];
|
|
||||||
|
|
||||||
users.groups."drift".name = "drift";
|
|
||||||
|
|
||||||
services.openssh = {
|
|
||||||
enable = true;
|
|
||||||
permitRootLogin = "yes";
|
|
||||||
extraConfig = ''
|
|
||||||
PubkeyAcceptedAlgorithms=+ssh-rsa
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
}
|
|
|
@ -0,0 +1,60 @@
|
||||||
|
{ pkgs, lib, fp, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
(fp /users)
|
||||||
|
(fp /modules/snakeoil-certs.nix)
|
||||||
|
|
||||||
|
./networking.nix
|
||||||
|
./nix.nix
|
||||||
|
|
||||||
|
./services/acme.nix
|
||||||
|
./services/auto-upgrade.nix
|
||||||
|
./services/irqbalance.nix
|
||||||
|
./services/logrotate.nix
|
||||||
|
./services/nginx.nix
|
||||||
|
./services/openssh.nix
|
||||||
|
./services/postfix.nix
|
||||||
|
./services/smartd.nix
|
||||||
|
./services/thermald.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.tmp.cleanOnBoot = lib.mkDefault true;
|
||||||
|
|
||||||
|
time.timeZone = "Europe/Oslo";
|
||||||
|
|
||||||
|
i18n.defaultLocale = "en_US.UTF-8";
|
||||||
|
console = {
|
||||||
|
font = "Lat2-Terminus16";
|
||||||
|
keyMap = "no";
|
||||||
|
};
|
||||||
|
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
file
|
||||||
|
git
|
||||||
|
gnupg
|
||||||
|
htop
|
||||||
|
nano
|
||||||
|
ripgrep
|
||||||
|
rsync
|
||||||
|
screen
|
||||||
|
tmux
|
||||||
|
vim
|
||||||
|
wget
|
||||||
|
|
||||||
|
kitty.terminfo
|
||||||
|
];
|
||||||
|
|
||||||
|
programs.zsh.enable = true;
|
||||||
|
|
||||||
|
security.sudo.execWheelOnly = true;
|
||||||
|
security.sudo.extraConfig = ''
|
||||||
|
Defaults lecture = never
|
||||||
|
'';
|
||||||
|
|
||||||
|
users.groups."drift".name = "drift";
|
||||||
|
|
||||||
|
# Trusted users on the nix builder machines
|
||||||
|
users.groups."nix-builder-users".name = "nix-builder-users";
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
{ lib, values, ... }:
|
||||||
|
{
|
||||||
|
systemd.network.enable = true;
|
||||||
|
networking.domain = "pvv.ntnu.no";
|
||||||
|
networking.useDHCP = false;
|
||||||
|
|
||||||
|
# The rest of the networking configuration is usually sourced from /values.nix
|
||||||
|
|
||||||
|
services.resolved = {
|
||||||
|
enable = lib.mkDefault true;
|
||||||
|
dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,34 @@
|
||||||
|
{ inputs, ... }:
|
||||||
|
{
|
||||||
|
nix = {
|
||||||
|
gc = {
|
||||||
|
automatic = true;
|
||||||
|
options = "--delete-older-than 2d";
|
||||||
|
};
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
allow-dirty = true;
|
||||||
|
auto-optimise-store = true;
|
||||||
|
builders-use-substitutes = true;
|
||||||
|
experimental-features = [ "nix-command" "flakes" ];
|
||||||
|
log-lines = 50;
|
||||||
|
use-xdg-base-directories = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
/* This makes commandline tools like
|
||||||
|
** nix run nixpkgs#hello
|
||||||
|
** and nix-shell -p hello
|
||||||
|
** use the same channel the system
|
||||||
|
** was built with
|
||||||
|
*/
|
||||||
|
registry = {
|
||||||
|
"nixpkgs".flake = inputs.nixpkgs;
|
||||||
|
"nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
|
||||||
|
"pvv-nix".flake = inputs.self;
|
||||||
|
};
|
||||||
|
nixPath = [
|
||||||
|
"nixpkgs=${inputs.nixpkgs}"
|
||||||
|
"unstable=${inputs.nixpkgs-unstable}"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,15 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults.email = "drift@pvv.ntnu.no";
|
||||||
|
};
|
||||||
|
|
||||||
|
# Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
|
||||||
|
virtualisation.vmVariant = {
|
||||||
|
security.acme.defaults.server = "https://127.0.0.1";
|
||||||
|
security.acme.preliminarySelfsigned = true;
|
||||||
|
|
||||||
|
users.users.root.initialPassword = "root";
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,26 @@
|
||||||
|
{ inputs, pkgs, lib, ... }:
|
||||||
|
{
|
||||||
|
system.autoUpgrade = {
|
||||||
|
enable = true;
|
||||||
|
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
|
||||||
|
flags = [
|
||||||
|
# --update-input is deprecated since nix 2.22, and removed in lix 2.90
|
||||||
|
# https://git.lix.systems/lix-project/lix/issues/400
|
||||||
|
"--refresh"
|
||||||
|
"--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.05-small"
|
||||||
|
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
|
||||||
|
"--no-write-lock-file"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
# workaround for https://github.com/NixOS/nix/issues/6895
|
||||||
|
# via https://git.lix.systems/lix-project/lix/issues/400
|
||||||
|
environment.etc."current-system-flake-inputs.json".source
|
||||||
|
= pkgs.writers.writeJSON "flake-inputs.json" (
|
||||||
|
lib.flip lib.mapAttrs inputs (name: input:
|
||||||
|
# inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
|
||||||
|
lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
|
||||||
|
// { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
|
@ -0,0 +1,4 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
services.irqbalance.enable = true;
|
||||||
|
}
|
|
@ -0,0 +1,42 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
# source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
|
||||||
|
systemd.services.logrotate = {
|
||||||
|
documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
|
||||||
|
unitConfig.RequiresMountsFor = "/var/log";
|
||||||
|
serviceConfig = {
|
||||||
|
Nice = 19;
|
||||||
|
IOSchedulingClass = "best-effort";
|
||||||
|
IOSchedulingPriority = 7;
|
||||||
|
|
||||||
|
ReadWritePaths = [ "/var/log" ];
|
||||||
|
|
||||||
|
AmbientCapabilities = [ "" ];
|
||||||
|
CapabilityBoundingSet = [ "" ];
|
||||||
|
DeviceAllow = [ "" ];
|
||||||
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
|
NoNewPrivileges = true; # disable for third party rotate scripts
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateNetwork = true; # disable for mail delivery
|
||||||
|
PrivateTmp = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = true; # disable for userdir logs
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
ProtectSystem = "full";
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true; # disable for creating setgid directories
|
||||||
|
SocketBindDeny = [ "any" ];
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallFilter = [
|
||||||
|
"@system-service"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,44 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
{
|
||||||
|
# nginx return 444 for all nonexistent virtualhosts
|
||||||
|
|
||||||
|
systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
|
||||||
|
|
||||||
|
environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
|
||||||
|
"/etc/certs/nginx" = {
|
||||||
|
owner = "nginx";
|
||||||
|
group = "nginx";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
|
||||||
|
appendConfig = ''
|
||||||
|
pcre_jit on;
|
||||||
|
worker_processes auto;
|
||||||
|
worker_rlimit_nofile 100000;
|
||||||
|
'';
|
||||||
|
eventsConfig = ''
|
||||||
|
worker_connections 2048;
|
||||||
|
use epoll;
|
||||||
|
multi_accept on;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
|
||||||
|
LimitNOFILE = 65536;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
|
||||||
|
sslCertificate = "/etc/certs/nginx.crt";
|
||||||
|
sslCertificateKey = "/etc/certs/nginx.key";
|
||||||
|
addSSL = true;
|
||||||
|
extraConfig = "return 444;";
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,21 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
startWhenNeeded = true;
|
||||||
|
extraConfig = ''
|
||||||
|
PubkeyAcceptedAlgorithms=+ssh-rsa
|
||||||
|
Match Group wheel
|
||||||
|
PasswordAuthentication no
|
||||||
|
Match All
|
||||||
|
'';
|
||||||
|
settings.PermitRootLogin = "yes";
|
||||||
|
|
||||||
|
};
|
||||||
|
users.users."root".openssh.authorizedKeys.keys = [
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqVt4LCe0YIttr9swFxjkjn37ZDY9JxwVC+2gvfSINDJorOCtqPjDOTD2fTS1Gz08QCwpnLWq2kyvRchu6WgriAbSACpbZZBgxRaF/FVh3oiMVFGnNKGnv6/fdo/vZtu8mUVuqtmTrgLYpZdbR4oD3XiBlDKs7Cv5hPqt95lnP6MNFvE8mICCfd1PwhsABd2IQ5laz3u77/RXhNFJL0Kf2/+6gk9awcLuwHrPdvq7c3BxRHbc9UMRQENyjyQPa7aLe+uJBFLKP51I8VBuDpDacuibQx7nMt6N2UJ2KWI0JxRMHuJNq4S5jidR82aOw9gzGbTv30SKNLMqsZ0xj4LtdqCXDiZF6Lr09PsJYsvnBUFWa14HGcThKDtgwQwBryNViYmfv//0h9+RLZiU0ab+NEwSs7Zh5iAD+vhx64QqNX3tR7Le4SWXh8W0eShU9N78qYdSkiC3Ui7htxeqOocXM/P4AwbnHsLELIvkHdvgchCPvl8ygZa4WJTEWv16+ICskJcAKWGuqjvXAFuwjJJmPp9xLW9O0DFfQhMELiGamQR9wK07yYQVr34iah6qZO7cwhSKyEPFrVPIaNtfDhsjED639F7vmktf26SWNJHWfW0wOHILjI6TgqUvy0JDd8W8w0CHlAfz6Fs2l99NNgNF8dB3vBASbxS0hu/y0PVu/xQ== openstack-sleipner"
|
||||||
|
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
|
||||||
|
];
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.postfix;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services.postfix = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
hostname = "${config.networking.hostName}.pvv.ntnu.no";
|
||||||
|
domain = "pvv.ntnu.no";
|
||||||
|
|
||||||
|
relayHost = "smtp.pvv.ntnu.no";
|
||||||
|
relayPort = 465;
|
||||||
|
|
||||||
|
config = {
|
||||||
|
smtp_tls_wrappermode = "yes";
|
||||||
|
smtp_tls_security_level = "encrypt";
|
||||||
|
};
|
||||||
|
|
||||||
|
# Nothing should be delivered to this machine
|
||||||
|
destination = [ ];
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,8 @@
|
||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
{
|
||||||
|
services.smartd.enable = lib.mkDefault true;
|
||||||
|
|
||||||
|
environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
|
||||||
|
smartmontools
|
||||||
|
]);
|
||||||
|
}
|
|
@ -0,0 +1,8 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
{
|
||||||
|
# Let's not thermal throttle
|
||||||
|
services.thermald.enable = lib.mkIf (lib.all (x: x) [
|
||||||
|
(config.nixpkgs.system == "x86_64-linux")
|
||||||
|
(!config.boot.isContainer or false)
|
||||||
|
]) true;
|
||||||
|
}
|
237
flake.lock
237
flake.lock
|
@ -1,59 +1,244 @@
|
||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
"matrix-next": {
|
"disko": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1671009204,
|
"lastModified": 1731746438,
|
||||||
"narHash": "sha256-gqA9po/KmHyh44XYqv/LfFJ1+MGufhaaD6DhDqBeaF8=",
|
"narHash": "sha256-f3SSp1axoOk0NAI7oFdRzbxG2XPBSIXC+/DaAXnvS1A=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "disko",
|
||||||
|
"rev": "cb64993826fa7a477490be6ccb38ba1fa1e18fa8",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "disko",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"greg-ng": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
|
"rust-overlay": "rust-overlay"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1730249639,
|
||||||
|
"narHash": "sha256-G3URSlqCcb+GIvGyki+HHrDM5ZanX/dP9BtppD/SdfI=",
|
||||||
|
"ref": "refs/heads/main",
|
||||||
|
"rev": "80e0447bcb79adad4f459ada5610f3eae987b4e3",
|
||||||
|
"revCount": 34,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"grzegorz-clients": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1726861934,
|
||||||
|
"narHash": "sha256-lOzPDwktd+pwszUTbpUdQg6iCzInS11fHLfkjmnvJrM=",
|
||||||
|
"ref": "refs/heads/master",
|
||||||
|
"rev": "546d921ec46735dbf876e36f4af8df1064d09432",
|
||||||
|
"revCount": 78,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"matrix-next": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1727410897,
|
||||||
|
"narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=",
|
||||||
"owner": "dali99",
|
"owner": "dali99",
|
||||||
"repo": "nixos-matrix-modules",
|
"repo": "nixos-matrix-modules",
|
||||||
"rev": "43dbc17526576cb8e0980cef51c48b6598f97550",
|
"rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "dali99",
|
"owner": "dali99",
|
||||||
"ref": "flake-experiments",
|
"ref": "v0.6.1",
|
||||||
"repo": "nixos-matrix-modules",
|
"repo": "nixos-matrix-modules",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"minecraft-data": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1725277886,
|
||||||
|
"narHash": "sha256-Fw4VbbE3EfypQWSgPDFfvVH47BHeg3ptsO715NlUM8Q=",
|
||||||
|
"ref": "refs/heads/master",
|
||||||
|
"rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
|
||||||
|
"revCount": 2,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nix-gitea-themes": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1714416973,
|
||||||
|
"narHash": "sha256-aZUcvXjdETUC6wVQpWDVjLUzwpDAEca8yR0ITDeK39o=",
|
||||||
|
"ref": "refs/heads/main",
|
||||||
|
"rev": "2b23c0ba8aae68d3cb6789f0f6e4891cef26cc6d",
|
||||||
|
"revCount": 6,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1670946965,
|
"lastModified": 1731663789,
|
||||||
"narHash": "sha256-PDJfKgK/aSV3ISnD1TbKpLPW85LO/AQI73yQjbwribA=",
|
"narHash": "sha256-x07g4NcqGP6mQn6AISXJaks9sQYDjZmTMBlKIvajvyc=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "265caf30fa0a5148395b62777389b57eb0a537fd",
|
"rev": "035d434d48f4375ac5d3a620954cf5fda7dd7c36",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"ref": "nixos-22.11-small",
|
"ref": "nixos-24.05-small",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-stable": {
|
"nixpkgs-stable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1670146390,
|
"lastModified": 1730602179,
|
||||||
"narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=",
|
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "86370507cb20c905800527539fc049a2bf09c667",
|
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"ref": "release-22.11",
|
"ref": "release-24.05",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixpkgs-unstable": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1731745710,
|
||||||
|
"narHash": "sha256-SVeiClbgqL071JpAspOu0gCkPSAL51kSIRwo4C/pghA=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "dfaa4cb76c2d450d8f396bb6b9f43cede3ade129",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "nixos-unstable-small",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"pvv-calendar-bot": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1723850344,
|
||||||
|
"narHash": "sha256-aT37O9l9eclWEnqxASVNBL1dKwDHZUOqdbA4VO9DJvw=",
|
||||||
|
"ref": "refs/heads/main",
|
||||||
|
"rev": "38b66677ab8c01aee10cd59e745af9ce3ea88092",
|
||||||
|
"revCount": 19,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"pvv-nettsiden": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1725212759,
|
||||||
|
"narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
|
||||||
|
"ref": "refs/heads/master",
|
||||||
|
"rev": "e7b66b4bc6a89bab74bac45b87e9434f5165355f",
|
||||||
|
"revCount": 473,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
|
||||||
|
}
|
||||||
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
|
"disko": "disko",
|
||||||
|
"greg-ng": "greg-ng",
|
||||||
|
"grzegorz-clients": "grzegorz-clients",
|
||||||
"matrix-next": "matrix-next",
|
"matrix-next": "matrix-next",
|
||||||
|
"minecraft-data": "minecraft-data",
|
||||||
|
"nix-gitea-themes": "nix-gitea-themes",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
"sops-nix": "sops-nix",
|
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||||
"unstable": "unstable"
|
"pvv-calendar-bot": "pvv-calendar-bot",
|
||||||
|
"pvv-nettsiden": "pvv-nettsiden",
|
||||||
|
"sops-nix": "sops-nix"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"rust-overlay": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"greg-ng",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1729391507,
|
||||||
|
"narHash": "sha256-as0I9xieJUHf7kiK2a9znDsVZQTFWhM1pLivII43Gi0=",
|
||||||
|
"owner": "oxalica",
|
||||||
|
"repo": "rust-overlay",
|
||||||
|
"rev": "784981a9feeba406de38c1c9a3decf966d853cca",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "oxalica",
|
||||||
|
"repo": "rust-overlay",
|
||||||
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"sops-nix": {
|
"sops-nix": {
|
||||||
|
@ -64,11 +249,11 @@
|
||||||
"nixpkgs-stable": "nixpkgs-stable"
|
"nixpkgs-stable": "nixpkgs-stable"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1670149631,
|
"lastModified": 1731748189,
|
||||||
"narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=",
|
"narHash": "sha256-Zd/Uukvpcu26M6YGhpbsgqm6LUSLz+Q8mDZ5LOEGdiE=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "da98a111623101c64474a14983d83dad8f09f93d",
|
"rev": "d2bd7f433b28db6bc7ae03d5eca43564da0af054",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -76,22 +261,6 @@
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
|
||||||
"unstable": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1670918062,
|
|
||||||
"narHash": "sha256-iOhkyBYUU9Jfkk0lvI4ahpjyrTsLXj9uyJWwmjKg+gg=",
|
|
||||||
"owner": "NixOS",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"rev": "84575b0bd882be979516f4fecfe4d7c8de8f6a92",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "NixOS",
|
|
||||||
"ref": "nixos-unstable-small",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"root": "root",
|
"root": "root",
|
||||||
|
|
159
flake.nix
159
flake.nix
|
@ -2,45 +2,168 @@
|
||||||
description = "PVV System flake";
|
description = "PVV System flake";
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11-small";
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; # remember to also update the url in base/services/auto-upgrade.nix
|
||||||
unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
|
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
|
||||||
|
|
||||||
sops-nix.url = "github:Mic92/sops-nix";
|
sops-nix.url = "github:Mic92/sops-nix";
|
||||||
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
|
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
matrix-next.url = "github:dali99/nixos-matrix-modules/flake-experiments";
|
disko.url = "github:nix-community/disko";
|
||||||
|
disko.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
|
pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git";
|
||||||
|
pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
|
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
|
||||||
|
pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
|
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.1";
|
||||||
|
matrix-next.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
|
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
|
||||||
|
nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
|
greg-ng.url = "git+https://git.pvv.ntnu.no/Projects/greg-ng.git";
|
||||||
|
greg-ng.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Projects/grzegorz-clients.git";
|
||||||
|
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
|
minecraft-data.url = "git+https://git.pvv.ntnu.no/Drift/minecraft-data.git";
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs, unstable, sops-nix, ... }@inputs:
|
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
|
||||||
let
|
let
|
||||||
|
nixlib = nixpkgs.lib;
|
||||||
systems = [
|
systems = [
|
||||||
"x86_64-linux"
|
"x86_64-linux"
|
||||||
"aarch64-linux"
|
"aarch64-linux"
|
||||||
|
"aarch64-darwin"
|
||||||
|
];
|
||||||
|
forAllSystems = f: nixlib.genAttrs systems f;
|
||||||
|
allMachines = builtins.attrNames self.nixosConfigurations;
|
||||||
|
importantMachines = [
|
||||||
|
"bekkalokk"
|
||||||
|
"bicep"
|
||||||
|
"brzeczyszczykiewicz"
|
||||||
|
"georg"
|
||||||
|
"ildkule"
|
||||||
];
|
];
|
||||||
forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
|
|
||||||
in {
|
in {
|
||||||
nixosConfigurations = {
|
inherit inputs;
|
||||||
jokum = nixpkgs.lib.nixosSystem {
|
|
||||||
system = "x86_64-linux";
|
|
||||||
specialArgs = { inherit unstable inputs; };
|
|
||||||
modules = [
|
|
||||||
./hosts/jokum/configuration.nix
|
|
||||||
sops-nix.nixosModules.sops
|
|
||||||
|
|
||||||
inputs.matrix-next.nixosModules.synapse
|
nixosConfigurations = let
|
||||||
|
unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
|
||||||
|
nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
|
||||||
|
rec {
|
||||||
|
system = "x86_64-linux";
|
||||||
|
specialArgs = {
|
||||||
|
inherit unstablePkgs inputs;
|
||||||
|
values = import ./values.nix;
|
||||||
|
fp = path: ./${path};
|
||||||
|
};
|
||||||
|
|
||||||
|
modules = [
|
||||||
|
./hosts/${name}/configuration.nix
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
|
] ++ config.modules or [];
|
||||||
|
|
||||||
|
pkgs = import nixpkgs {
|
||||||
|
inherit system;
|
||||||
|
overlays = [
|
||||||
|
# Global overlays go here
|
||||||
|
] ++ config.overlays or [ ];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
(removeAttrs config [ "modules" "overlays" ])
|
||||||
|
);
|
||||||
|
|
||||||
|
stableNixosConfig = nixosConfig nixpkgs;
|
||||||
|
unstableNixosConfig = nixosConfig nixpkgs-unstable;
|
||||||
|
in {
|
||||||
|
bicep = stableNixosConfig "bicep" {
|
||||||
|
modules = [
|
||||||
|
inputs.matrix-next.nixosModules.default
|
||||||
|
inputs.pvv-calendar-bot.nixosModules.default
|
||||||
|
];
|
||||||
|
overlays = [
|
||||||
|
inputs.pvv-calendar-bot.overlays.x86_64-linux.default
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
ildkule = nixpkgs.lib.nixosSystem {
|
bekkalokk = stableNixosConfig "bekkalokk" {
|
||||||
system = "x86_64-linux";
|
overlays = [
|
||||||
specialArgs = { inherit unstable inputs; };
|
(final: prev: {
|
||||||
|
heimdal = unstablePkgs.heimdal;
|
||||||
|
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
|
||||||
|
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
|
||||||
|
bluemap = final.callPackage ./packages/bluemap.nix { };
|
||||||
|
})
|
||||||
|
inputs.nix-gitea-themes.overlays.default
|
||||||
|
inputs.pvv-nettsiden.overlays.default
|
||||||
|
];
|
||||||
modules = [
|
modules = [
|
||||||
./hosts/ildkule/configuration.nix
|
inputs.nix-gitea-themes.nixosModules.default
|
||||||
sops-nix.nixosModules.sops
|
inputs.pvv-nettsiden.nixosModules.default
|
||||||
|
];
|
||||||
|
};
|
||||||
|
bob = stableNixosConfig "bob" {
|
||||||
|
modules = [
|
||||||
|
disko.nixosModules.disko
|
||||||
|
{ disko.devices.disk.disk1.device = "/dev/vda"; }
|
||||||
|
];
|
||||||
|
};
|
||||||
|
ildkule = stableNixosConfig "ildkule" { };
|
||||||
|
#ildkule-unstable = unstableNixosConfig "ildkule" { };
|
||||||
|
shark = stableNixosConfig "shark" { };
|
||||||
|
|
||||||
|
brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
|
||||||
|
modules = [
|
||||||
|
inputs.grzegorz-clients.nixosModules.grzegorz-webui
|
||||||
|
inputs.greg-ng.nixosModules.default
|
||||||
|
];
|
||||||
|
overlays = [
|
||||||
|
inputs.greg-ng.overlays.default
|
||||||
|
];
|
||||||
|
};
|
||||||
|
georg = stableNixosConfig "georg" {
|
||||||
|
modules = [
|
||||||
|
inputs.grzegorz-clients.nixosModules.grzegorz-webui
|
||||||
|
inputs.greg-ng.nixosModules.default
|
||||||
|
];
|
||||||
|
overlays = [
|
||||||
|
inputs.greg-ng.overlays.default
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
nixosModules = {
|
||||||
|
snakeoil-certs = ./modules/snakeoil-certs.nix;
|
||||||
|
snappymail = ./modules/snappymail.nix;
|
||||||
|
};
|
||||||
|
|
||||||
devShells = forAllSystems (system: {
|
devShells = forAllSystems (system: {
|
||||||
default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
|
default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
|
||||||
});
|
});
|
||||||
|
|
||||||
|
packages = {
|
||||||
|
"x86_64-linux" = let
|
||||||
|
pkgs = nixpkgs.legacyPackages."x86_64-linux";
|
||||||
|
in rec {
|
||||||
|
default = important-machines;
|
||||||
|
important-machines = pkgs.linkFarm "important-machines"
|
||||||
|
(nixlib.getAttrs importantMachines self.packages.x86_64-linux);
|
||||||
|
all-machines = pkgs.linkFarm "all-machines"
|
||||||
|
(nixlib.getAttrs allMachines self.packages.x86_64-linux);
|
||||||
|
|
||||||
|
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
|
||||||
|
|
||||||
|
} //
|
||||||
|
(nixlib.pipe null [
|
||||||
|
(_: pkgs.callPackage ./packages/mediawiki-extensions { })
|
||||||
|
(nixlib.flip builtins.removeAttrs ["override" "overrideDerivation"])
|
||||||
|
(nixlib.mapAttrs' (name: nixlib.nameValuePair "mediawiki-${name}"))
|
||||||
|
])
|
||||||
|
// nixlib.genAttrs allMachines
|
||||||
|
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,42 @@
|
||||||
|
{ fp, pkgs, values, ... }:
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./hardware-configuration.nix
|
||||||
|
|
||||||
|
(fp /base)
|
||||||
|
(fp /misc/metrics-exporters.nix)
|
||||||
|
|
||||||
|
./services/bluemap/default.nix
|
||||||
|
./services/gitea/default.nix
|
||||||
|
./services/idp-simplesamlphp
|
||||||
|
./services/kerberos
|
||||||
|
./services/mediawiki
|
||||||
|
./services/nginx.nix
|
||||||
|
./services/phpfpm.nix
|
||||||
|
./services/vaultwarden.nix
|
||||||
|
./services/webmail
|
||||||
|
./services/website
|
||||||
|
./services/well-known
|
||||||
|
];
|
||||||
|
|
||||||
|
sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
||||||
|
sops.age.generateKey = true;
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
|
networking.hostName = "bekkalokk";
|
||||||
|
|
||||||
|
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
|
||||||
|
matchConfig.Name = "enp2s0";
|
||||||
|
address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.btrfs.autoScrub.enable = true;
|
||||||
|
|
||||||
|
# Do not change, even during upgrades.
|
||||||
|
# See https://search.nixos.org/options?show=system.stateVersion
|
||||||
|
system.stateVersion = "22.11";
|
||||||
|
}
|
|
@ -0,0 +1,40 @@
|
||||||
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
|
# and may be overwritten by future invocations. Please make changes
|
||||||
|
# to /etc/nixos/configuration.nix instead.
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "/dev/sda1";
|
||||||
|
fsType = "btrfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/CE63-3B9B";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices =
|
||||||
|
[ { device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; }
|
||||||
|
];
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
}
|
|
@ -0,0 +1,83 @@
|
||||||
|
{ config, lib, pkgs, inputs, ... }:
|
||||||
|
let
|
||||||
|
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
./module.nix # From danio, pending upstreaming
|
||||||
|
];
|
||||||
|
|
||||||
|
disabledModules = [ "services/web-servers/bluemap.nix" ];
|
||||||
|
|
||||||
|
sops.secrets."bluemap/ssh-key" = { };
|
||||||
|
sops.secrets."bluemap/ssh-known-hosts" = { };
|
||||||
|
|
||||||
|
services.bluemap = {
|
||||||
|
enable = true;
|
||||||
|
eula = true;
|
||||||
|
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
|
||||||
|
|
||||||
|
host = "minecraft.pvv.ntnu.no";
|
||||||
|
|
||||||
|
maps = {
|
||||||
|
"verden" = {
|
||||||
|
settings = {
|
||||||
|
world = vanillaSurvival;
|
||||||
|
sorting = 0;
|
||||||
|
ambient-light = 0.1;
|
||||||
|
cave-detection-ocean-floor = -5;
|
||||||
|
marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.verden;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"underverden" = {
|
||||||
|
settings = {
|
||||||
|
world = "${vanillaSurvival}/DIM-1";
|
||||||
|
sorting = 100;
|
||||||
|
sky-color = "#290000";
|
||||||
|
void-color = "#150000";
|
||||||
|
ambient-light = 0.6;
|
||||||
|
world-sky-light = 0;
|
||||||
|
remove-caves-below-y = -10000;
|
||||||
|
cave-detection-ocean-floor = -5;
|
||||||
|
cave-detection-uses-block-light = true;
|
||||||
|
max-y = 90;
|
||||||
|
marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.underverden;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"enden" = {
|
||||||
|
settings = {
|
||||||
|
world = "${vanillaSurvival}/DIM1";
|
||||||
|
sorting = 200;
|
||||||
|
sky-color = "#080010";
|
||||||
|
void-color = "#080010";
|
||||||
|
ambient-light = 0.6;
|
||||||
|
world-sky-light = 0;
|
||||||
|
remove-caves-below-y = -10000;
|
||||||
|
cave-detection-ocean-floor = -5;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
# TODO: render somewhere else lmao
|
||||||
|
systemd.services."render-bluemap-maps" = {
|
||||||
|
preStart = ''
|
||||||
|
mkdir -p /var/lib/bluemap/world
|
||||||
|
${pkgs.rsync}/bin/rsync \
|
||||||
|
-e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" \
|
||||||
|
-avz --no-owner --no-group \
|
||||||
|
root@innovation.pvv.ntnu.no:/ \
|
||||||
|
${vanillaSurvival}
|
||||||
|
'';
|
||||||
|
serviceConfig = {
|
||||||
|
LoadCredential = [
|
||||||
|
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
|
||||||
|
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,343 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.bluemap;
|
||||||
|
format = pkgs.formats.hocon { };
|
||||||
|
|
||||||
|
coreConfig = format.generate "core.conf" cfg.coreSettings;
|
||||||
|
webappConfig = format.generate "webapp.conf" cfg.webappSettings;
|
||||||
|
webserverConfig = format.generate "webserver.conf" cfg.webserverSettings;
|
||||||
|
|
||||||
|
storageFolder = pkgs.linkFarm "storage"
|
||||||
|
(lib.attrsets.mapAttrs' (name: value:
|
||||||
|
lib.nameValuePair "${name}.conf"
|
||||||
|
(format.generate "${name}.conf" value))
|
||||||
|
cfg.storage);
|
||||||
|
|
||||||
|
mapsFolder = pkgs.linkFarm "maps"
|
||||||
|
(lib.attrsets.mapAttrs' (name: value:
|
||||||
|
lib.nameValuePair "${name}.conf"
|
||||||
|
(format.generate "${name}.conf" value.settings))
|
||||||
|
cfg.maps);
|
||||||
|
|
||||||
|
webappConfigFolder = pkgs.linkFarm "bluemap-config" {
|
||||||
|
"maps" = mapsFolder;
|
||||||
|
"storages" = storageFolder;
|
||||||
|
"core.conf" = coreConfig;
|
||||||
|
"webapp.conf" = webappConfig;
|
||||||
|
"webserver.conf" = webserverConfig;
|
||||||
|
"packs" = cfg.resourcepacks;
|
||||||
|
"addons" = cfg.resourcepacks; # TODO
|
||||||
|
};
|
||||||
|
|
||||||
|
renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
|
||||||
|
"maps" = pkgs.linkFarm "maps" {
|
||||||
|
"${name}.conf" = (format.generate "${name}.conf" value.settings);
|
||||||
|
};
|
||||||
|
"storages" = storageFolder;
|
||||||
|
"core.conf" = coreConfig;
|
||||||
|
"webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
|
||||||
|
"webserver.conf" = webserverConfig;
|
||||||
|
"packs" = value.resourcepacks;
|
||||||
|
"addons" = cfg.resourcepacks; # TODO
|
||||||
|
};
|
||||||
|
|
||||||
|
inherit (lib) mkOption;
|
||||||
|
in {
|
||||||
|
options.services.bluemap = {
|
||||||
|
enable = lib.mkEnableOption "bluemap";
|
||||||
|
|
||||||
|
eula = mkOption {
|
||||||
|
type = lib.types.bool;
|
||||||
|
description = ''
|
||||||
|
By changing this option to true you confirm that you own a copy of minecraft Java Edition,
|
||||||
|
and that you agree to minecrafts EULA.
|
||||||
|
'';
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
defaultWorld = mkOption {
|
||||||
|
type = lib.types.path;
|
||||||
|
description = ''
|
||||||
|
The world used by the default map ruleset.
|
||||||
|
If you configure your own maps you do not need to set this.
|
||||||
|
'';
|
||||||
|
example = lib.literalExpression "\${config.services.minecraft.dataDir}/world";
|
||||||
|
};
|
||||||
|
|
||||||
|
enableRender = mkOption {
|
||||||
|
type = lib.types.bool;
|
||||||
|
description = "Enable rendering";
|
||||||
|
default = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
webRoot = mkOption {
|
||||||
|
type = lib.types.path;
|
||||||
|
default = "/var/lib/bluemap/web";
|
||||||
|
description = "The directory for saving and serving the webapp and the maps";
|
||||||
|
};
|
||||||
|
|
||||||
|
enableNginx = mkOption {
|
||||||
|
type = lib.types.bool;
|
||||||
|
default = true;
|
||||||
|
description = "Enable configuring a virtualHost for serving the bluemap webapp";
|
||||||
|
};
|
||||||
|
|
||||||
|
host = mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
default = "bluemap.${config.networking.domain}";
|
||||||
|
defaultText = lib.literalExpression "bluemap.\${config.networking.domain}";
|
||||||
|
description = "Domain to configure nginx for";
|
||||||
|
};
|
||||||
|
|
||||||
|
onCalendar = mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
description = ''
|
||||||
|
How often to trigger rendering the map,
|
||||||
|
in the format of a systemd timer onCalendar configuration.
|
||||||
|
See {manpage}`systemd.timer(5)`.
|
||||||
|
'';
|
||||||
|
default = "*-*-* 03:10:00";
|
||||||
|
};
|
||||||
|
|
||||||
|
coreSettings = mkOption {
|
||||||
|
type = lib.types.submodule {
|
||||||
|
freeformType = format.type;
|
||||||
|
options = {
|
||||||
|
data = mkOption {
|
||||||
|
type = lib.types.path;
|
||||||
|
description = "Folder for where bluemap stores its data";
|
||||||
|
default = "/var/lib/bluemap";
|
||||||
|
};
|
||||||
|
metrics = lib.mkEnableOption "Sending usage metrics containing the version of bluemap in use";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
|
||||||
|
};
|
||||||
|
|
||||||
|
webappSettings = mkOption {
|
||||||
|
type = lib.types.submodule {
|
||||||
|
freeformType = format.type;
|
||||||
|
};
|
||||||
|
default = {
|
||||||
|
enabled = true;
|
||||||
|
webroot = cfg.webRoot;
|
||||||
|
};
|
||||||
|
defaultText = lib.literalExpression ''
|
||||||
|
{
|
||||||
|
enabled = true;
|
||||||
|
webroot = config.services.bluemap.webRoot;
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
|
||||||
|
};
|
||||||
|
|
||||||
|
webserverSettings = mkOption {
|
||||||
|
type = lib.types.submodule {
|
||||||
|
freeformType = format.type;
|
||||||
|
options = {
|
||||||
|
enabled = mkOption {
|
||||||
|
type = lib.types.bool;
|
||||||
|
description = ''
|
||||||
|
Enable bluemap's built-in webserver.
|
||||||
|
Disabled by default in nixos for use of nginx directly.
|
||||||
|
'';
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
default = { };
|
||||||
|
description = ''
|
||||||
|
Settings for the webserver.conf file, usually not required.
|
||||||
|
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
maps = mkOption {
|
||||||
|
type = lib.types.attrsOf (lib.types.submodule {
|
||||||
|
options = {
|
||||||
|
resourcepacks = mkOption {
|
||||||
|
type = lib.types.path;
|
||||||
|
default = cfg.resourcepacks;
|
||||||
|
defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
|
||||||
|
description = "A set of resourcepacks/mods to extract models from loaded in alphabetical order";
|
||||||
|
};
|
||||||
|
settings = mkOption {
|
||||||
|
type = (lib.types.submodule {
|
||||||
|
freeformType = format.type;
|
||||||
|
options = {
|
||||||
|
world = mkOption {
|
||||||
|
type = lib.types.path;
|
||||||
|
description = "Path to world folder containing the dimension to render";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
description = ''
|
||||||
|
Settings for files in `maps/`.
|
||||||
|
See the default for an example with good options for the different world types.
|
||||||
|
For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
default = {
|
||||||
|
"overworld".settings = {
|
||||||
|
world = "${cfg.defaultWorld}";
|
||||||
|
ambient-light = 0.1;
|
||||||
|
cave-detection-ocean-floor = -5;
|
||||||
|
};
|
||||||
|
|
||||||
|
"nether".settings = {
|
||||||
|
world = "${cfg.defaultWorld}/DIM-1";
|
||||||
|
sorting = 100;
|
||||||
|
sky-color = "#290000";
|
||||||
|
void-color = "#150000";
|
||||||
|
ambient-light = 0.6;
|
||||||
|
world-sky-light = 0;
|
||||||
|
remove-caves-below-y = -10000;
|
||||||
|
cave-detection-ocean-floor = -5;
|
||||||
|
cave-detection-uses-block-light = true;
|
||||||
|
max-y = 90;
|
||||||
|
};
|
||||||
|
|
||||||
|
"end".settings = {
|
||||||
|
world = "${cfg.defaultWorld}/DIM1";
|
||||||
|
sorting = 200;
|
||||||
|
sky-color = "#080010";
|
||||||
|
void-color = "#080010";
|
||||||
|
ambient-light = 0.6;
|
||||||
|
world-sky-light = 0;
|
||||||
|
remove-caves-below-y = -10000;
|
||||||
|
cave-detection-ocean-floor = -5;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
defaultText = lib.literalExpression ''
|
||||||
|
{
|
||||||
|
"overworld".settings = {
|
||||||
|
world = "''${cfg.defaultWorld}";
|
||||||
|
ambient-light = 0.1;
|
||||||
|
cave-detection-ocean-floor = -5;
|
||||||
|
};
|
||||||
|
|
||||||
|
"nether".settings = {
|
||||||
|
world = "''${cfg.defaultWorld}/DIM-1";
|
||||||
|
sorting = 100;
|
||||||
|
sky-color = "#290000";
|
||||||
|
void-color = "#150000";
|
||||||
|
ambient-light = 0.6;
|
||||||
|
world-sky-light = 0;
|
||||||
|
remove-caves-below-y = -10000;
|
||||||
|
cave-detection-ocean-floor = -5;
|
||||||
|
cave-detection-uses-block-light = true;
|
||||||
|
max-y = 90;
|
||||||
|
};
|
||||||
|
|
||||||
|
"end".settings = {
|
||||||
|
world = "''${cfg.defaultWorld}/DIM1";
|
||||||
|
sorting = 200;
|
||||||
|
sky-color = "#080010";
|
||||||
|
void-color = "#080010";
|
||||||
|
ambient-light = 0.6;
|
||||||
|
world-sky-light = 0;
|
||||||
|
remove-caves-below-y = -10000;
|
||||||
|
cave-detection-ocean-floor = -5;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
'';
|
||||||
|
description = ''
|
||||||
|
map-specific configuration.
|
||||||
|
These correspond to views in the webapp and are usually
|
||||||
|
different dimension of a world or different render settings of the same dimension.
|
||||||
|
If you set anything in this option you must configure all dimensions yourself!
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
storage = mkOption {
|
||||||
|
type = lib.types.attrsOf (lib.types.submodule {
|
||||||
|
freeformType = format.type;
|
||||||
|
options = {
|
||||||
|
storage-type = mkOption {
|
||||||
|
type = lib.types.enum [ "FILE" "SQL" ];
|
||||||
|
description = "Type of storage config";
|
||||||
|
default = "FILE";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
description = ''
|
||||||
|
Where the rendered map will be stored.
|
||||||
|
Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
|
||||||
|
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/storages)
|
||||||
|
'';
|
||||||
|
default = {
|
||||||
|
"file" = {
|
||||||
|
root = "${cfg.webRoot}/maps";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
defaultText = lib.literalExpression ''
|
||||||
|
{
|
||||||
|
"file" = {
|
||||||
|
root = "''${config.services.bluemap.webRoot}/maps";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
resourcepacks = mkOption {
|
||||||
|
type = lib.types.path;
|
||||||
|
default = pkgs.linkFarm "resourcepacks" { };
|
||||||
|
description = ''
|
||||||
|
A set of resourcepacks/mods to extract models from loaded in alphabetical order.
|
||||||
|
Can be overriden on a per-map basis with `services.bluemap.maps.<name>.resourcepacks`.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
config = lib.mkIf cfg.enable {
|
||||||
|
assertions =
|
||||||
|
[ { assertion = config.services.bluemap.eula;
|
||||||
|
message = ''
|
||||||
|
You have enabled bluemap but have not accepted minecraft's EULA.
|
||||||
|
You can achieve this through setting `services.bluemap.eula = true`
|
||||||
|
'';
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
services.bluemap.coreSettings.accept-download = cfg.eula;
|
||||||
|
|
||||||
|
systemd.services."render-bluemap-maps" = lib.mkIf cfg.enableRender {
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
Group = "nginx";
|
||||||
|
UMask = "026";
|
||||||
|
};
|
||||||
|
script = lib.strings.concatStringsSep "\n" ((lib.attrsets.mapAttrsToList
|
||||||
|
(name: value: "${lib.getExe pkgs.bluemap} -c ${renderConfigFolder name value} -r")
|
||||||
|
cfg.maps) ++ [ "${lib.getExe pkgs.bluemap} -c ${webappConfigFolder} -gs" ]);
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {
|
||||||
|
wantedBy = [ "timers.target" ];
|
||||||
|
timerConfig = {
|
||||||
|
OnCalendar = cfg.onCalendar;
|
||||||
|
Persistent = true;
|
||||||
|
Unit = "render-bluemap-maps.service";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts = lib.mkIf cfg.enableNginx {
|
||||||
|
"${cfg.host}" = {
|
||||||
|
root = config.services.bluemap.webRoot;
|
||||||
|
locations = {
|
||||||
|
"~* ^/maps/[^/]*/tiles/".extraConfig = ''
|
||||||
|
error_page 404 = @empty;
|
||||||
|
'';
|
||||||
|
"@empty".return = "204";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
meta = {
|
||||||
|
maintainers = with lib.maintainers; [ dandellion h7x4 ];
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,31 @@
|
||||||
|
{ config, lib, values, ... }:
|
||||||
|
let
|
||||||
|
mkRunner = name: {
|
||||||
|
# This is unfortunately state, and has to be generated one at a time :(
|
||||||
|
# To do that, comment out all except one of the runners, fill in its token
|
||||||
|
# inside the sops file, rebuild the system, and only after this runner has
|
||||||
|
# successfully registered will gitea give you the next token.
|
||||||
|
# - oysteikt Sep 2023
|
||||||
|
sops.secrets."gitea/runners/${name}".restartUnits = [
|
||||||
|
"gitea-runner-${name}.service"
|
||||||
|
];
|
||||||
|
|
||||||
|
services.gitea-actions-runner.instances = {
|
||||||
|
${name} = {
|
||||||
|
enable = true;
|
||||||
|
name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
|
||||||
|
labels = [
|
||||||
|
"debian-latest:docker://node:18-bullseye"
|
||||||
|
"ubuntu-latest:docker://node:18-bullseye"
|
||||||
|
];
|
||||||
|
tokenFile = config.sops.secrets."gitea/runners/${name}".path;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in
|
||||||
|
lib.mkMerge [
|
||||||
|
(mkRunner "alpha")
|
||||||
|
(mkRunner "beta")
|
||||||
|
(mkRunner "epsilon")
|
||||||
|
{ virtualisation.podman.enable = true; }
|
||||||
|
]
|
|
@ -0,0 +1,190 @@
|
||||||
|
{ config, values, fp, pkgs, lib, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.gitea;
|
||||||
|
domain = "git.pvv.ntnu.no";
|
||||||
|
sshPort = 2222;
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
./ci.nix
|
||||||
|
./import-users
|
||||||
|
./web-secret-provider
|
||||||
|
];
|
||||||
|
|
||||||
|
sops.secrets = {
|
||||||
|
"gitea/database" = {
|
||||||
|
owner = "gitea";
|
||||||
|
group = "gitea";
|
||||||
|
};
|
||||||
|
"gitea/email-password" = {
|
||||||
|
owner = "gitea";
|
||||||
|
group = "gitea";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.gitea = {
|
||||||
|
enable = true;
|
||||||
|
appName = "PVV Git";
|
||||||
|
|
||||||
|
database = {
|
||||||
|
type = "postgres";
|
||||||
|
host = "postgres.pvv.ntnu.no";
|
||||||
|
port = config.services.postgresql.settings.port;
|
||||||
|
passwordFile = config.sops.secrets."gitea/database".path;
|
||||||
|
createDatabase = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
mailerPasswordFile = config.sops.secrets."gitea/email-password".path;
|
||||||
|
|
||||||
|
# https://docs.gitea.com/administration/config-cheat-sheet
|
||||||
|
settings = {
|
||||||
|
server = {
|
||||||
|
DOMAIN = domain;
|
||||||
|
ROOT_URL = "https://${domain}/";
|
||||||
|
PROTOCOL = "http+unix";
|
||||||
|
SSH_PORT = sshPort;
|
||||||
|
START_SSH_SERVER = true;
|
||||||
|
START_LFS_SERVER = true;
|
||||||
|
LANDING_PAGE = "explore";
|
||||||
|
};
|
||||||
|
mailer = {
|
||||||
|
ENABLED = true;
|
||||||
|
FROM = "gitea@pvv.ntnu.no";
|
||||||
|
PROTOCOL = "smtp";
|
||||||
|
SMTP_ADDR = "smtp.pvv.ntnu.no";
|
||||||
|
SMTP_PORT = 587;
|
||||||
|
USER = "gitea@pvv.ntnu.no";
|
||||||
|
SUBJECT_PREFIX = "[pvv-git]";
|
||||||
|
};
|
||||||
|
metrics = {
|
||||||
|
ENABLED = true;
|
||||||
|
ENABLED_ISSUE_BY_LABEL = true;
|
||||||
|
ENABLED_ISSUE_BY_REPOSITORY = true;
|
||||||
|
};
|
||||||
|
indexer.REPO_INDEXER_ENABLED = true;
|
||||||
|
service = {
|
||||||
|
DISABLE_REGISTRATION = true;
|
||||||
|
ENABLE_NOTIFY_MAIL = true;
|
||||||
|
AUTO_WATCH_NEW_REPOS = false;
|
||||||
|
};
|
||||||
|
admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
|
||||||
|
session.COOKIE_SECURE = true;
|
||||||
|
database.LOG_SQL = false;
|
||||||
|
repository = {
|
||||||
|
PREFERRED_LICENSES = lib.concatStringsSep "," [
|
||||||
|
"AGPL-3.0-only"
|
||||||
|
"AGPL-3.0-or-later"
|
||||||
|
"Apache-2.0"
|
||||||
|
"BSD-3-Clause"
|
||||||
|
"CC-BY-4.0"
|
||||||
|
"CC-BY-NC-4.0"
|
||||||
|
"CC-BY-NC-ND-4.0"
|
||||||
|
"CC-BY-NC-SA-4.0"
|
||||||
|
"CC-BY-ND-4.0"
|
||||||
|
"CC-BY-SA-4.0"
|
||||||
|
"CC0-1.0"
|
||||||
|
"GPL-2.0-only"
|
||||||
|
"GPL-3.0-only"
|
||||||
|
"GPL-3.0-or-later"
|
||||||
|
"LGPL-3.0-linking-exception"
|
||||||
|
"LGPL-3.0-only"
|
||||||
|
"LGPL-3.0-or-later"
|
||||||
|
"MIT"
|
||||||
|
"MPL-2.0"
|
||||||
|
"Unlicense"
|
||||||
|
];
|
||||||
|
DEFAULT_REPO_UNITS = lib.concatStringsSep "," [
|
||||||
|
"repo.code"
|
||||||
|
"repo.issues"
|
||||||
|
"repo.pulls"
|
||||||
|
"repo.releases"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
picture = {
|
||||||
|
DISABLE_GRAVATAR = true;
|
||||||
|
ENABLE_FEDERATED_AVATAR = false;
|
||||||
|
};
|
||||||
|
actions.ENABLED = true;
|
||||||
|
ui = {
|
||||||
|
REACTIONS = lib.concatStringsSep "," [
|
||||||
|
"+1"
|
||||||
|
"-1"
|
||||||
|
"laugh"
|
||||||
|
"confused"
|
||||||
|
"heart"
|
||||||
|
"hooray"
|
||||||
|
"rocket"
|
||||||
|
"eyes"
|
||||||
|
"100"
|
||||||
|
"anger"
|
||||||
|
"astonished"
|
||||||
|
"no_good"
|
||||||
|
"ok_hand"
|
||||||
|
"pensive"
|
||||||
|
"pizza"
|
||||||
|
"point_up"
|
||||||
|
"sob"
|
||||||
|
"skull"
|
||||||
|
"upside_down_face"
|
||||||
|
"shrug"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
"ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
environment.systemPackages = [ cfg.package ];
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."${domain}" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
kTLS = true;
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
|
||||||
|
extraConfig = ''
|
||||||
|
client_max_body_size 512M;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"/metrics" = {
|
||||||
|
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
|
||||||
|
extraConfig = ''
|
||||||
|
allow ${values.hosts.ildkule.ipv4}/32;
|
||||||
|
deny all;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ sshPort ];
|
||||||
|
|
||||||
|
# Extra customization
|
||||||
|
|
||||||
|
services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
|
||||||
|
|
||||||
|
systemd.services.install-gitea-customization = {
|
||||||
|
description = "Install extra customization in gitea's CUSTOM_DIR";
|
||||||
|
wantedBy = [ "gitea.service" ];
|
||||||
|
requiredBy = [ "gitea.service" ];
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
User = cfg.user;
|
||||||
|
Group = cfg.group;
|
||||||
|
};
|
||||||
|
|
||||||
|
script = let
|
||||||
|
logo-svg = fp /assets/logo_blue_regular.svg;
|
||||||
|
logo-png = fp /assets/logo_blue_regular.png;
|
||||||
|
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
|
||||||
|
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
|
||||||
|
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
|
||||||
|
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
|
||||||
|
'';
|
||||||
|
in ''
|
||||||
|
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
|
||||||
|
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
|
||||||
|
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
|
||||||
|
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,41 @@
|
||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.gitea;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
sops.secrets = {
|
||||||
|
"gitea/passwd-ssh-key" = { };
|
||||||
|
"gitea/ssh-known-hosts" = { };
|
||||||
|
"gitea/import-user-env" = { };
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.gitea-import-users = lib.mkIf cfg.enable {
|
||||||
|
enable = true;
|
||||||
|
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
|
||||||
|
serviceConfig = {
|
||||||
|
ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
|
||||||
|
flakeIgnore = [
|
||||||
|
"E501" # Line over 80 chars lol
|
||||||
|
];
|
||||||
|
libraries = with pkgs.python3Packages; [ requests ];
|
||||||
|
} (builtins.readFile ./gitea-import-users.py);
|
||||||
|
LoadCredential=[
|
||||||
|
"sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
|
||||||
|
"ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
|
||||||
|
];
|
||||||
|
DynamicUser="yes";
|
||||||
|
EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.timers.gitea-import-users = lib.mkIf cfg.enable {
|
||||||
|
requires = [ "gitea.service" ];
|
||||||
|
after = [ "gitea.service" ];
|
||||||
|
wantedBy = [ "timers.target" ];
|
||||||
|
timerConfig = {
|
||||||
|
OnCalendar = "*-*-* 02:00:00";
|
||||||
|
Persistent = true;
|
||||||
|
Unit = "gitea-import-users.service";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,198 @@
|
||||||
|
import requests
|
||||||
|
import secrets
|
||||||
|
import os
|
||||||
|
|
||||||
|
|
||||||
|
EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
|
||||||
|
if EMAIL_DOMAIN is None:
|
||||||
|
EMAIL_DOMAIN = 'pvv.ntnu.no'
|
||||||
|
|
||||||
|
|
||||||
|
API_TOKEN = os.getenv('API_TOKEN')
|
||||||
|
if API_TOKEN is None:
|
||||||
|
raise Exception('API_TOKEN not set')
|
||||||
|
|
||||||
|
|
||||||
|
GITEA_API_URL = os.getenv('GITEA_API_URL')
|
||||||
|
if GITEA_API_URL is None:
|
||||||
|
GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
|
||||||
|
|
||||||
|
|
||||||
|
def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
|
||||||
|
r = requests.get(
|
||||||
|
GITEA_API_URL + '/admin/users',
|
||||||
|
headers={'Authorization': 'token ' + API_TOKEN}
|
||||||
|
)
|
||||||
|
|
||||||
|
if r.status_code != 200:
|
||||||
|
print('Failed to get users:', r.text)
|
||||||
|
return None
|
||||||
|
|
||||||
|
return {user['login']: user for user in r.json()}
|
||||||
|
|
||||||
|
|
||||||
|
def gitea_create_user(username: str, userdata: dict[str, any]) -> bool:
|
||||||
|
r = requests.post(
|
||||||
|
GITEA_API_URL + '/admin/users',
|
||||||
|
json=userdata,
|
||||||
|
headers={'Authorization': 'token ' + API_TOKEN},
|
||||||
|
)
|
||||||
|
|
||||||
|
if r.status_code != 201:
|
||||||
|
print(f'ERR: Failed to create user {username}:', r.text)
|
||||||
|
return False
|
||||||
|
|
||||||
|
return True
|
||||||
|
|
||||||
|
|
||||||
|
def gitea_edit_user(username: str, userdata: dict[str, any]) -> bool:
|
||||||
|
r = requests.patch(
|
||||||
|
GITEA_API_URL + f'/admin/users/{username}',
|
||||||
|
json=userdata,
|
||||||
|
headers={'Authorization': 'token ' + API_TOKEN},
|
||||||
|
)
|
||||||
|
|
||||||
|
if r.status_code != 200:
|
||||||
|
print(f'ERR: Failed to update user {username}:', r.text)
|
||||||
|
return False
|
||||||
|
|
||||||
|
return True
|
||||||
|
|
||||||
|
|
||||||
|
def gitea_list_teams_for_organization(org: str) -> dict[str, any] | None:
|
||||||
|
r = requests.get(
|
||||||
|
GITEA_API_URL + f'/orgs/{org}/teams',
|
||||||
|
headers={'Authorization': 'token ' + API_TOKEN},
|
||||||
|
)
|
||||||
|
|
||||||
|
if r.status_code != 200:
|
||||||
|
print(f"ERR: Failed to list teams for {org}:", r.text)
|
||||||
|
return None
|
||||||
|
|
||||||
|
return {team['name']: team for team in r.json()}
|
||||||
|
|
||||||
|
|
||||||
|
def gitea_add_user_to_organization_team(username: str, team_id: int) -> bool:
|
||||||
|
r = requests.put(
|
||||||
|
GITEA_API_URL + f'/teams/{team_id}/members/{username}',
|
||||||
|
headers={'Authorization': 'token ' + API_TOKEN},
|
||||||
|
)
|
||||||
|
|
||||||
|
if r.status_code != 204:
|
||||||
|
print(f'ERR: Failed to add user {username} to org team {team_id}:', r.text)
|
||||||
|
return False
|
||||||
|
|
||||||
|
return True
|
||||||
|
|
||||||
|
|
||||||
|
# If a passwd user has one of the following shells,
|
||||||
|
# it is most likely not a PVV user, but rather a system user.
|
||||||
|
# Users with these shells should thus be ignored.
|
||||||
|
BANNED_SHELLS = [
|
||||||
|
"/usr/bin/nologin",
|
||||||
|
"/usr/sbin/nologin",
|
||||||
|
"/sbin/nologin",
|
||||||
|
"/bin/false",
|
||||||
|
"/bin/msgsh",
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
# Reads out a passwd-file line for line, and filters out
|
||||||
|
# real PVV users (as opposed to system users meant for daemons and such)
|
||||||
|
def passwd_file_parser(passwd_path):
|
||||||
|
with open(passwd_path, 'r') as f:
|
||||||
|
for line in f.readlines():
|
||||||
|
uid = int(line.split(':')[2])
|
||||||
|
if uid < 1000:
|
||||||
|
continue
|
||||||
|
|
||||||
|
shell = line.split(':')[-1]
|
||||||
|
if shell in BANNED_SHELLS:
|
||||||
|
continue
|
||||||
|
|
||||||
|
username = line.split(':')[0]
|
||||||
|
name = line.split(':')[4].split(',')[0]
|
||||||
|
yield (username, name)
|
||||||
|
|
||||||
|
|
||||||
|
# This function either creates a new user in gitea
|
||||||
|
# and fills it out with some default information if
|
||||||
|
# it does not exist, or ensures that the default information
|
||||||
|
# is correct if the user already exists. All user information
|
||||||
|
# (including non-default fields) is pulled from gitea and added
|
||||||
|
# to the `existing_users` dict
|
||||||
|
def add_or_patch_gitea_user(
|
||||||
|
username: str,
|
||||||
|
name: str,
|
||||||
|
existing_users: dict[str, dict[str, any]],
|
||||||
|
) -> None:
|
||||||
|
user = {
|
||||||
|
"full_name": name,
|
||||||
|
"username": username,
|
||||||
|
"login_name": username,
|
||||||
|
"source_id": 1, # 1 = SMTP
|
||||||
|
}
|
||||||
|
|
||||||
|
if username not in existing_users:
|
||||||
|
user["password"] = secrets.token_urlsafe(32)
|
||||||
|
user["must_change_password"] = False
|
||||||
|
user["visibility"] = "private"
|
||||||
|
user["email"] = username + '@' + EMAIL_DOMAIN
|
||||||
|
|
||||||
|
if not gitea_create_user(username, user):
|
||||||
|
return
|
||||||
|
|
||||||
|
print('Created user', username)
|
||||||
|
existing_users[username] = user
|
||||||
|
|
||||||
|
else:
|
||||||
|
user["visibility"] = existing_users[username]["visibility"]
|
||||||
|
|
||||||
|
if not gitea_edit_user(username, user):
|
||||||
|
return
|
||||||
|
|
||||||
|
print('Updated user', username)
|
||||||
|
|
||||||
|
|
||||||
|
# This function adds a user to a gitea team (part of organization)
|
||||||
|
# if the user is not already part of said team.
|
||||||
|
def ensure_gitea_user_is_part_of_team(
|
||||||
|
username: str,
|
||||||
|
org: str,
|
||||||
|
team_name: str,
|
||||||
|
) -> None:
|
||||||
|
teams = gitea_list_teams_for_organization(org)
|
||||||
|
|
||||||
|
if teams is None:
|
||||||
|
return
|
||||||
|
|
||||||
|
if team_name not in teams:
|
||||||
|
print(f'ERR: could not find team "{team_name}" in organization "{org}"')
|
||||||
|
|
||||||
|
gitea_add_user_to_organization_team(username, teams[team_name]['id'])
|
||||||
|
|
||||||
|
print(f'User {username} is now part of {org}/{team_name}')
|
||||||
|
|
||||||
|
|
||||||
|
# List of teams that all users should be part of by default
|
||||||
|
COMMON_USER_TEAMS = [
|
||||||
|
("Projects", "Members"),
|
||||||
|
("Kurs", "Members"),
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
existing_users = gitea_list_all_users()
|
||||||
|
if existing_users is None:
|
||||||
|
exit(1)
|
||||||
|
|
||||||
|
for username, name in passwd_file_parser("/tmp/passwd-import"):
|
||||||
|
print(f"Processing {username}")
|
||||||
|
add_or_patch_gitea_user(username, name, existing_users)
|
||||||
|
for org, team_name in COMMON_USER_TEAMS:
|
||||||
|
ensure_gitea_user_is_part_of_team(username, org, team_name)
|
||||||
|
print()
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
main()
|
Binary file not shown.
After Width: | Height: | Size: 1.1 MiB |
|
@ -0,0 +1,114 @@
|
||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
let
|
||||||
|
organizations = [
|
||||||
|
"Drift"
|
||||||
|
"Projects"
|
||||||
|
"Kurs"
|
||||||
|
];
|
||||||
|
|
||||||
|
giteaCfg = config.services.gitea;
|
||||||
|
|
||||||
|
giteaWebSecretProviderScript = pkgs.writers.writePython3 "gitea-web-secret-provider" {
|
||||||
|
libraries = with pkgs.python3Packages; [ requests ];
|
||||||
|
flakeIgnore = [
|
||||||
|
"E501" # Line over 80 chars lol
|
||||||
|
"E201" # "whitespace after {"
|
||||||
|
"E202" # "whitespace after }"
|
||||||
|
"E251" # unexpected spaces around keyword / parameter equals
|
||||||
|
"W391" # Newline at end of file
|
||||||
|
];
|
||||||
|
makeWrapperArgs = [
|
||||||
|
"--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}"
|
||||||
|
];
|
||||||
|
} (builtins.readFile ./gitea-web-secret-provider.py);
|
||||||
|
in
|
||||||
|
{
|
||||||
|
users.groups."gitea-web" = { };
|
||||||
|
users.users."gitea-web" = {
|
||||||
|
group = "gitea-web";
|
||||||
|
isSystemUser = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
sops.secrets."gitea/web-secret-provider/token" = {
|
||||||
|
owner = "gitea-web";
|
||||||
|
group = "gitea-web";
|
||||||
|
restartUnits = [
|
||||||
|
"gitea-web-secret-provider@"
|
||||||
|
] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.slices.system-giteaweb = {
|
||||||
|
description = "Gitea web directories";
|
||||||
|
};
|
||||||
|
|
||||||
|
# https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers
|
||||||
|
# %i - instance name (after the @)
|
||||||
|
# %d - secrets directory
|
||||||
|
systemd.services."gitea-web-secret-provider@" = {
|
||||||
|
description = "Ensure all repos in %i has an SSH key to push web content";
|
||||||
|
requires = [ "gitea.service" "network.target" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Slice = "system-giteaweb.slice";
|
||||||
|
Type = "oneshot";
|
||||||
|
ExecStart = let
|
||||||
|
args = lib.cli.toGNUCommandLineShell { } {
|
||||||
|
org = "%i";
|
||||||
|
token-path = "%d/token";
|
||||||
|
api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
|
||||||
|
key-dir = "/var/lib/gitea-web/keys/%i";
|
||||||
|
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
|
||||||
|
rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
|
||||||
|
${lib.getExe pkgs.rrsync} -wo "$1"
|
||||||
|
${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
|
||||||
|
'';
|
||||||
|
web-dir = "/var/lib/gitea-web/web";
|
||||||
|
};
|
||||||
|
in "${giteaWebSecretProviderScript} ${args}";
|
||||||
|
|
||||||
|
User = "gitea-web";
|
||||||
|
Group = "gitea-web";
|
||||||
|
|
||||||
|
StateDirectory = "gitea-web";
|
||||||
|
StateDirectoryMode = "0750";
|
||||||
|
LoadCredential = [
|
||||||
|
"token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
|
||||||
|
];
|
||||||
|
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
PrivateTmp = true;
|
||||||
|
PrivateDevices = true;
|
||||||
|
ProtectSystem = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
|
LockPersonality = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.timers."gitea-web-secret-provider@" = {
|
||||||
|
description = "Ensure all repos in %i has an SSH key to push web content";
|
||||||
|
timerConfig = {
|
||||||
|
RandomizedDelaySec = "1h";
|
||||||
|
Persistent = true;
|
||||||
|
Unit = "gitea-web-secret-provider@%i.service";
|
||||||
|
OnCalendar = "daily";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
|
||||||
|
|
||||||
|
services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
|
||||||
|
|
||||||
|
users.users.nginx.extraGroups = [ "gitea-web" ];
|
||||||
|
services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
|
||||||
|
kTLS = true;
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
root = "/var/lib/gitea-web/web";
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,112 @@
|
||||||
|
import argparse
|
||||||
|
import hashlib
|
||||||
|
import os
|
||||||
|
import requests
|
||||||
|
import subprocess
|
||||||
|
from pathlib import Path
|
||||||
|
|
||||||
|
|
||||||
|
def parse_args():
|
||||||
|
parser = argparse.ArgumentParser(description="Generate SSH keys for Gitea repositories and add them as secrets")
|
||||||
|
parser.add_argument("--org", required=True, type=str, help="The organization to generate keys for")
|
||||||
|
parser.add_argument("--token-path", metavar='PATH', required=True, type=Path, help="Path to a file containing the Gitea API token")
|
||||||
|
parser.add_argument("--api-url", metavar='URL', type=str, help="The URL of the Gitea API", default="https://git.pvv.ntnu.no/api/v1")
|
||||||
|
parser.add_argument("--key-dir", metavar='PATH', type=Path, help="The directory to store the generated keys in", default="/run/gitea-web-secret-provider")
|
||||||
|
parser.add_argument("--authorized-keys-path", metavar='PATH', type=Path, help="The path to the resulting authorized_keys file", default="/etc/ssh/authorized_keys.d/gitea-web-secret-provider")
|
||||||
|
parser.add_argument("--rrsync-script", metavar='PATH', type=Path, help="The path to a rrsync script, taking the destination path as its single argument")
|
||||||
|
parser.add_argument("--web-dir", metavar='PATH', type=Path, help="The directory to sync the repositories to", default="/var/www")
|
||||||
|
parser.add_argument("--force", action="store_true", help="Overwrite existing keys")
|
||||||
|
return parser.parse_args()
|
||||||
|
|
||||||
|
|
||||||
|
def add_secret(args: argparse.Namespace, token: str, repo: str, name: str, secret: str):
|
||||||
|
result = requests.put(
|
||||||
|
f"{args.api_url}/repos/{args.org}/{repo}/actions/secrets/{name}",
|
||||||
|
json = { 'data': secret },
|
||||||
|
headers = { 'Authorization': 'token ' + token },
|
||||||
|
)
|
||||||
|
if result.status_code not in (201, 204):
|
||||||
|
raise Exception(f"Failed to add secret: {result.json()}")
|
||||||
|
|
||||||
|
|
||||||
|
def get_org_repo_list(args: argparse.Namespace, token: str):
|
||||||
|
result = requests.get(
|
||||||
|
f"{args.api_url}/orgs/{args.org}/repos",
|
||||||
|
headers = { 'Authorization': 'token ' + token },
|
||||||
|
)
|
||||||
|
return [repo["name"] for repo in result.json()]
|
||||||
|
|
||||||
|
|
||||||
|
def generate_ssh_key(args: argparse.Namespace, repository: str):
|
||||||
|
keyname = hashlib.sha256(args.org.encode() + repository.encode()).hexdigest()
|
||||||
|
key_path = args.key_dir / keyname
|
||||||
|
if not key_path.is_file() or args.force:
|
||||||
|
subprocess.run(
|
||||||
|
[
|
||||||
|
"ssh-keygen",
|
||||||
|
*("-t", "ed25519"),
|
||||||
|
*("-f", key_path),
|
||||||
|
*("-N", ""),
|
||||||
|
*("-C", f"{args.org}/{repository}"),
|
||||||
|
],
|
||||||
|
check=True,
|
||||||
|
stdin=subprocess.DEVNULL,
|
||||||
|
stdout=subprocess.PIPE,
|
||||||
|
stderr=subprocess.PIPE,
|
||||||
|
)
|
||||||
|
print(f"Generated SSH key for `{args.org}/{repository}`")
|
||||||
|
|
||||||
|
with open(key_path, "r") as f:
|
||||||
|
private_key = f.read()
|
||||||
|
|
||||||
|
pub_key_path = args.key_dir / (keyname + '.pub')
|
||||||
|
with open(pub_key_path, "r") as f:
|
||||||
|
public_key = f.read()
|
||||||
|
|
||||||
|
return private_key, public_key
|
||||||
|
|
||||||
|
|
||||||
|
SSH_OPTS = ",".join([
|
||||||
|
"restrict",
|
||||||
|
"no-agent-forwarding",
|
||||||
|
"no-port-forwarding",
|
||||||
|
"no-pty",
|
||||||
|
"no-X11-forwarding",
|
||||||
|
])
|
||||||
|
|
||||||
|
|
||||||
|
def generate_authorized_keys(args: argparse.Namespace, repo_public_keys: list[tuple[str, str]]):
|
||||||
|
lines = []
|
||||||
|
for repo, public_key in repo_public_keys:
|
||||||
|
command = f"{args.rrsync_script} {args.web_dir}/{args.org}/{repo}"
|
||||||
|
lines.append(f'command="{command}",{SSH_OPTS} {public_key}')
|
||||||
|
|
||||||
|
with open(args.authorized_keys_path, "w") as f:
|
||||||
|
f.writelines(lines)
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
args = parse_args()
|
||||||
|
|
||||||
|
with open(args.token_path, "r") as f:
|
||||||
|
token = f.read().strip()
|
||||||
|
|
||||||
|
os.makedirs(args.key_dir, 0o700, exist_ok=True)
|
||||||
|
os.makedirs(args.authorized_keys_path.parent, 0o700, exist_ok=True)
|
||||||
|
|
||||||
|
repos = get_org_repo_list(args, token)
|
||||||
|
print(f'Found {len(repos)} repositories in `{args.org}`')
|
||||||
|
|
||||||
|
repo_public_keys = []
|
||||||
|
for repo in repos:
|
||||||
|
print(f"Locating key for `{args.org}/{repo}`")
|
||||||
|
private_key, public_key = generate_ssh_key(args, repo)
|
||||||
|
add_secret(args, token, repo, "WEB_SYNC_SSH_KEY", private_key)
|
||||||
|
repo_public_keys.append((repo, public_key))
|
||||||
|
|
||||||
|
generate_authorized_keys(args, repo_public_keys)
|
||||||
|
print(f"Wrote authorized_keys file to `{args.authorized_keys_path}`")
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
|
@ -0,0 +1,135 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Authenticate using HTTP login.
|
||||||
|
*
|
||||||
|
* @author Yorn de Jong
|
||||||
|
* @author Oystein Kristoffer Tveit
|
||||||
|
* @package simpleSAMLphp
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace SimpleSAML\Module\authpwauth\Auth\Source;
|
||||||
|
|
||||||
|
class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
|
||||||
|
{
|
||||||
|
protected $pwauth_bin_path;
|
||||||
|
protected $mail_domain;
|
||||||
|
|
||||||
|
public function __construct(array $info, array &$config) {
|
||||||
|
assert('is_array($info)');
|
||||||
|
assert('is_array($config)');
|
||||||
|
|
||||||
|
/* Call the parent constructor first, as required by the interface. */
|
||||||
|
parent::__construct($info, $config);
|
||||||
|
|
||||||
|
$this->pwauth_bin_path = $config['pwauth_bin_path'];
|
||||||
|
if (array_key_exists('mail_domain', $config)) {
|
||||||
|
$this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public function login(string $username, string $password): array {
|
||||||
|
$username = strtolower( $username );
|
||||||
|
|
||||||
|
if (!file_exists($this->pwauth_bin_path)) {
|
||||||
|
die("Could not find pwauth binary");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!is_executable($this->pwauth_bin_path)) {
|
||||||
|
die("pwauth binary is not executable");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
$handle = popen($this->pwauth_bin_path, 'w');
|
||||||
|
if ($handle === FALSE) {
|
||||||
|
die("Error opening pipe to pwauth");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
$data = "$username\n$password\n";
|
||||||
|
if (fwrite($handle, $data) !== strlen($data)) {
|
||||||
|
die("Error writing to pwauth pipe");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Is the password valid?
|
||||||
|
$result = pclose( $handle );
|
||||||
|
if ($result !== 0) {
|
||||||
|
if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) {
|
||||||
|
die("pwauth returned $result for username $username");
|
||||||
|
}
|
||||||
|
throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
|
||||||
|
}
|
||||||
|
/*
|
||||||
|
$ldap = ldap_connect('129.241.210.159', 389);
|
||||||
|
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
|
||||||
|
ldap_start_tls($ldap);
|
||||||
|
ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
|
||||||
|
$search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
|
||||||
|
$entry = ldap_first_entry($ldap, $search);
|
||||||
|
$dn = ldap_get_dn($ldap, $entry);
|
||||||
|
$newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
|
||||||
|
ldap_modify_batch($ldap, $dn, [
|
||||||
|
#[
|
||||||
|
# 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
|
||||||
|
# 'attrib' => 'unicodePwd',
|
||||||
|
# 'values' => [$password],
|
||||||
|
#],
|
||||||
|
[
|
||||||
|
#'modtype' => LDAP_MODIFY_BATCH_ADD,
|
||||||
|
'modtype' => LDAP_MODIFY_BATCH_REPLACE,
|
||||||
|
'attrib' => 'unicodePwd',
|
||||||
|
'values' => [$newpassword],
|
||||||
|
],
|
||||||
|
]);
|
||||||
|
*/
|
||||||
|
|
||||||
|
#0 - Login OK.
|
||||||
|
#1 - Nonexistant login or (for some configurations) incorrect password.
|
||||||
|
#2 - Incorrect password (for some configurations).
|
||||||
|
#3 - Uid number is below MIN_UNIX_UID value configured in config.h.
|
||||||
|
#4 - Login ID has expired.
|
||||||
|
#5 - Login's password has expired.
|
||||||
|
#6 - Logins to system have been turned off (usually by /etc/nologin file).
|
||||||
|
#7 - Limit on number of bad logins exceeded.
|
||||||
|
#50 - pwauth was not run with real uid SERVER_UID. If you get this
|
||||||
|
# this error code, you probably have SERVER_UID set incorrectly
|
||||||
|
# in pwauth's config.h file.
|
||||||
|
#51 - pwauth was not given a login & password to check. The means
|
||||||
|
# the passing of data from mod_auth_external to pwauth is messed
|
||||||
|
# up. Most likely one is trying to pass data via environment
|
||||||
|
# variables, while the other is trying to pass data via a pipe.
|
||||||
|
#52 - one of several possible internal errors occured.
|
||||||
|
|
||||||
|
|
||||||
|
$uid = $username;
|
||||||
|
# TODO: Reinstate this code once passwd is working...
|
||||||
|
/*
|
||||||
|
$cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1'));
|
||||||
|
|
||||||
|
$groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid)));
|
||||||
|
array_shift($groups);
|
||||||
|
array_shift($groups);
|
||||||
|
array_pop($groups);
|
||||||
|
|
||||||
|
$info = posix_getpwnam($uid);
|
||||||
|
$group = $info['gid'];
|
||||||
|
if (!in_array($group, $groups)) {
|
||||||
|
$groups[] = $group;
|
||||||
|
}
|
||||||
|
*/
|
||||||
|
$cn = "Unknown McUnknown";
|
||||||
|
$groups = array();
|
||||||
|
|
||||||
|
$result = array(
|
||||||
|
'uid' => array($uid),
|
||||||
|
'cn' => array($cn),
|
||||||
|
'group' => $groups,
|
||||||
|
);
|
||||||
|
if (isset($this->mail_domain)) {
|
||||||
|
$result['mail'] = array($uid.$this->mail_domain);
|
||||||
|
}
|
||||||
|
return $result;
|
||||||
|
}
|
||||||
|
}
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,214 @@
|
||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
let
|
||||||
|
pwAuthScript = pkgs.writeShellApplication {
|
||||||
|
name = "pwauth";
|
||||||
|
runtimeInputs = with pkgs; [ coreutils heimdal ];
|
||||||
|
text = ''
|
||||||
|
read -r user1
|
||||||
|
user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
|
||||||
|
if test "$user1" != "$user2"
|
||||||
|
then
|
||||||
|
read -r _
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
|
||||||
|
kdestroy >/dev/null 2>/dev/null
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
package = pkgs.simplesamlphp.override {
|
||||||
|
extra_files = {
|
||||||
|
# NOTE: Using self signed certificate created 30. march 2024, with command:
|
||||||
|
# openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
|
||||||
|
"metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
|
||||||
|
<?php
|
||||||
|
$metadata['https://idp.pvv.ntnu.no/'] = array(
|
||||||
|
'host' => '__DEFAULT__',
|
||||||
|
'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
|
||||||
|
'certificate' => '${./idp.crt}',
|
||||||
|
'auth' => 'pwauth',
|
||||||
|
);
|
||||||
|
?>
|
||||||
|
'';
|
||||||
|
|
||||||
|
"metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
|
||||||
|
<?php
|
||||||
|
${ lib.pipe config.services.idp.sp-remote-metadata [
|
||||||
|
(map (url: ''
|
||||||
|
$metadata['${url}'] = [
|
||||||
|
'SingleLogoutService' => [
|
||||||
|
[
|
||||||
|
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||||
|
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
|
||||||
|
],
|
||||||
|
[
|
||||||
|
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
|
||||||
|
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
|
||||||
|
],
|
||||||
|
],
|
||||||
|
'AssertionConsumerService' => [
|
||||||
|
[
|
||||||
|
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
|
||||||
|
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
|
||||||
|
'index' => 0,
|
||||||
|
],
|
||||||
|
[
|
||||||
|
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
|
||||||
|
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
|
||||||
|
'index' => 1,
|
||||||
|
],
|
||||||
|
],
|
||||||
|
];
|
||||||
|
''))
|
||||||
|
(lib.concatStringsSep "\n")
|
||||||
|
]}
|
||||||
|
?>
|
||||||
|
'';
|
||||||
|
|
||||||
|
"config/authsources.php" = pkgs.writeText "idp-authsources.php" ''
|
||||||
|
<?php
|
||||||
|
$config = array(
|
||||||
|
'admin' => array(
|
||||||
|
'core:AdminPassword'
|
||||||
|
),
|
||||||
|
'pwauth' => array(
|
||||||
|
'authpwauth:PwAuth',
|
||||||
|
'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
|
||||||
|
'mail_domain' => '@pvv.ntnu.no',
|
||||||
|
),
|
||||||
|
);
|
||||||
|
?>
|
||||||
|
'';
|
||||||
|
|
||||||
|
"config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
|
||||||
|
cp ${./config.php} "$out"
|
||||||
|
|
||||||
|
substituteInPlace "$out" \
|
||||||
|
--replace-warn '$SAML_COOKIE_SECURE' 'true' \
|
||||||
|
--replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
|
||||||
|
--replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
|
||||||
|
--replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
|
||||||
|
--replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
|
||||||
|
--replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
|
||||||
|
--replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
|
||||||
|
--replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \
|
||||||
|
--replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
|
||||||
|
--replace-warn '$CACHE_DIRECTORY' '/var/cache/idp'
|
||||||
|
'';
|
||||||
|
|
||||||
|
"modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.services.idp.sp-remote-metadata = lib.mkOption {
|
||||||
|
type = with lib.types; listOf str;
|
||||||
|
default = [ ];
|
||||||
|
description = ''
|
||||||
|
List of urls point to (simplesamlphp) service profiders, which the idp should trust.
|
||||||
|
|
||||||
|
:::{.note}
|
||||||
|
Make sure the url ends with a `/`
|
||||||
|
:::
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
config = {
|
||||||
|
sops.secrets = {
|
||||||
|
"idp/privatekey" = {
|
||||||
|
owner = "idp";
|
||||||
|
group = "idp";
|
||||||
|
mode = "0770";
|
||||||
|
};
|
||||||
|
"idp/admin_password" = {
|
||||||
|
owner = "idp";
|
||||||
|
group = "idp";
|
||||||
|
};
|
||||||
|
"idp/postgres_password" = {
|
||||||
|
owner = "idp";
|
||||||
|
group = "idp";
|
||||||
|
};
|
||||||
|
"idp/cookie_salt" = {
|
||||||
|
owner = "idp";
|
||||||
|
group = "idp";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
users.groups."idp" = { };
|
||||||
|
users.users."idp" = {
|
||||||
|
description = "PVV Identity Provider Service User";
|
||||||
|
group = "idp";
|
||||||
|
createHome = false;
|
||||||
|
isSystemUser = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.tmpfiles.settings."10-idp" = {
|
||||||
|
"/var/cache/idp".d = {
|
||||||
|
user = "idp";
|
||||||
|
group = "idp";
|
||||||
|
mode = "0770";
|
||||||
|
};
|
||||||
|
"/var/lib/idp".d = {
|
||||||
|
user = "idp";
|
||||||
|
group = "idp";
|
||||||
|
mode = "0770";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.phpfpm.pools.idp = {
|
||||||
|
user = "idp";
|
||||||
|
group = "idp";
|
||||||
|
settings = let
|
||||||
|
listenUser = config.services.nginx.user;
|
||||||
|
listenGroup = config.services.nginx.group;
|
||||||
|
in {
|
||||||
|
"pm" = "dynamic";
|
||||||
|
"pm.max_children" = 32;
|
||||||
|
"pm.max_requests" = 500;
|
||||||
|
"pm.start_servers" = 2;
|
||||||
|
"pm.min_spare_servers" = 2;
|
||||||
|
"pm.max_spare_servers" = 4;
|
||||||
|
"listen.owner" = listenUser;
|
||||||
|
"listen.group" = listenGroup;
|
||||||
|
|
||||||
|
"catch_workers_output" = true;
|
||||||
|
"php_admin_flag[log_errors]" = true;
|
||||||
|
# "php_admin_value[error_log]" = "stderr";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."idp.pvv.ntnu.no" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
kTLS = true;
|
||||||
|
root = "${package}/share/php/simplesamlphp/public";
|
||||||
|
locations = {
|
||||||
|
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
|
||||||
|
"/" = {
|
||||||
|
alias = "${package}/share/php/simplesamlphp/public/";
|
||||||
|
index = "index.php";
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
location ~ ^/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||||
|
fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
|
||||||
|
fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$phpfile;
|
||||||
|
fastcgi_param SCRIPT_NAME /$phpfile;
|
||||||
|
fastcgi_param PATH_INFO $pathinfo if_not_empty;
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"^~ /simplesaml/".extraConfig = ''
|
||||||
|
rewrite ^/simplesaml/(.*)$ /$1 redirect;
|
||||||
|
return 404;
|
||||||
|
'';
|
||||||
|
"/robots.txt" = {
|
||||||
|
root = pkgs.writeTextDir "robots.txt" ''
|
||||||
|
User-agent: *
|
||||||
|
Disallow: /
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,33 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIFqTCCA5GgAwIBAgIUL2+PMM9rE9wI5W2yNnJ2CmfGxh0wDQYJKoZIhvcNAQEL
|
||||||
|
BQAwZDELMAkGA1UEBhMCTk8xEzARBgNVBAgMClNvbWUtU3RhdGUxHjAcBgNVBAoM
|
||||||
|
FVByb2dyYW12YXJldmVya3N0ZWRldDEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2
|
||||||
|
Lm50bnUubm8wHhcNMjQwMzMwMDAyNjQ0WhcNMjUwMzMwMDAyNjQ0WjBkMQswCQYD
|
||||||
|
VQQGEwJOTzETMBEGA1UECAwKU29tZS1TdGF0ZTEeMBwGA1UECgwVUHJvZ3JhbXZh
|
||||||
|
cmV2ZXJrc3RlZGV0MSAwHgYJKoZIhvcNAQkBFhFkcmlmdEBwdnYubnRudS5ubzCC
|
||||||
|
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/0l0jdV+PoVxdd21F+2NLm
|
||||||
|
JN6sZmSJexOSk/sFjhhF4WMtjOfDAQYjt3hlLPyYl//jCe9WteavvtdCx1tHJitd
|
||||||
|
xjOUJ/leVjHzBttCVZR+iTlQtpsZ2TbRMJ5Fcfl82njlPecV4umJvnnFXawE4Qee
|
||||||
|
dE2OM8ODjjrK1cNaHR74tyZCwmdOxNHXZ7RN22p9kZjLD18LQyNr5igaDBeaZkyk
|
||||||
|
Gxbg4tbP51x9JFRLF7kUlyAc83geFnw6v/wBahr49m/X4y7xE0rdPb2L0moUjmOO
|
||||||
|
Zyl3hvxMI3+g/0FVMM5eKmfIIP2rIVEAa6MWMx0vPjC6h2fIyxkUqg5C8aFlpqav
|
||||||
|
+8f2rUc+JfdiFsIZNrylBXsleGzS+/wY1uB/pAy5Vg9WCp+eC75EtWMt0k2f442G
|
||||||
|
rhKa3lAZ6GIYrtEiQiNGM1aT1Cs1nqTtslfnHiuAKBefLjCXgq9uvL2yRodwe9/m
|
||||||
|
oZiqYnLHy/v1xfnF5rKTcRmOleU3tc+nlN6tZSGC1nZgMpqpoqdcbJXAkvaJ2Km4
|
||||||
|
sl0YS28VQnztgzuVPNdnv8lcS6HmkaGaNWbepKgWeaH5oT7O6u99wZIv88m+tf5m
|
||||||
|
Eu197YVpcclnojQCYKauWcQFsXS20egsVP87Qk0e2SHmGTUQp6YEYX6RLjkg7/vS
|
||||||
|
BelDBbCldraNVEiC0jmpAgMBAAGjUzBRMB0GA1UdDgQWBBSL0yofG5NEmzFIRuqC
|
||||||
|
xmyiuZW6DTAfBgNVHSMEGDAWgBSL0yofG5NEmzFIRuqCxmyiuZW6DTAPBgNVHRMB
|
||||||
|
Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAZZVs7BLk/NLq3f4Ik8qH3IoDN
|
||||||
|
2m4XXRZS+xxw5RwctgSnik7AffgAfv8QQm2co8UYkHbB0whaG1PDz+L7wB1hVkWn
|
||||||
|
DVUaJcKQnn0x+sNU5LoTbjI0PlaST7PO5D0OMFab8FSNxpzzpbUcgZUhelc99Ri/
|
||||||
|
2Gh8mf4b3Y3Uzq6YKFsuFM65OuJhH8f1w6onai9x28t6tERHUSUfJ2keXzU4ytCV
|
||||||
|
EitWXwhe759VLqmdP4BATwlCOCuwa5aDeGcWRIqFpYIn0SOAmVV3o4V71JdZc1jE
|
||||||
|
fuOo/PbiHZ+R9ZGbh98aMidb0moL1ZDhmir9KbedezNyki6JJ72mVclhLqUajFxr
|
||||||
|
T39FXd5e2+QBMHPPhVFznQoHWnHEbZigTt61b0cg/TsxaxOkF4Ilmr/2DmSWysWK
|
||||||
|
TF5eq8hp6/53qVbXXSzrCjxd3wzGnRabsEVPX/L2hYDx81hluovJQCtskqTq1joI
|
||||||
|
W2R7AO5Sdyc6NfOR85kl0HXzHa+0Slsf8ZDs5nCz/mOOPoAGl7IxF7xQ6kPO7V+U
|
||||||
|
HdGE2tkblM/TrAObJH0HXySeJGI7Vfya+D1Y8IqGtyZtWyx1DmlA/OezGGf5D3rG
|
||||||
|
88LywHQQ2mQ+8aosBTE4+HQ+apLKZBprqQKuiDjT1RSUbfUHQkYuL+D1oIVmklAc
|
||||||
|
UxTpf01QJnZkMqf5NQ==
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,22 @@
|
||||||
|
''
|
||||||
|
<?php
|
||||||
|
$metadata['https://idp.pvv.ntnu.no/'] = [
|
||||||
|
'metadata-set' => 'saml20-idp-hosted',
|
||||||
|
'entityid' => 'https://idp.pvv.ntnu.no/',
|
||||||
|
'SingleSignOnService' => [
|
||||||
|
[
|
||||||
|
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||||
|
'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
|
||||||
|
],
|
||||||
|
],
|
||||||
|
'SingleLogoutService' => [
|
||||||
|
[
|
||||||
|
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||||
|
'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleLogout',
|
||||||
|
],
|
||||||
|
],
|
||||||
|
'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],
|
||||||
|
'certificate' => '${./idp.crt}',
|
||||||
|
];
|
||||||
|
?>
|
||||||
|
''
|
|
@ -0,0 +1,14 @@
|
||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
{
|
||||||
|
security.krb5 = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
libdefaults = {
|
||||||
|
default_realm = "PVV.NTNU.NO";
|
||||||
|
dns_lookup_realm = "yes";
|
||||||
|
dns_lookup_kdc = "yes";
|
||||||
|
};
|
||||||
|
realms."PVV.NTNU.NO".admin_server = "kdc.pvv.ntnu.no";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,88 @@
|
||||||
|
{ pkgs, lib, ... }:
|
||||||
|
|
||||||
|
# Based on
|
||||||
|
# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
|
||||||
|
# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
|
||||||
|
|
||||||
|
let
|
||||||
|
inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
|
||||||
|
isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
|
||||||
|
inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
|
||||||
|
str submodule;
|
||||||
|
in
|
||||||
|
{ }: {
|
||||||
|
type = let
|
||||||
|
section = attrsOf relation;
|
||||||
|
relation = either (attrsOf value) value;
|
||||||
|
value = either (listOf atom) atom;
|
||||||
|
atom = oneOf [int str bool];
|
||||||
|
in submodule {
|
||||||
|
freeformType = attrsOf section;
|
||||||
|
options = {
|
||||||
|
include = mkOption {
|
||||||
|
default = [ ];
|
||||||
|
description = mdDoc ''
|
||||||
|
Files to include in the Kerberos configuration.
|
||||||
|
'';
|
||||||
|
type = coercedTo path singleton (listOf path);
|
||||||
|
};
|
||||||
|
includedir = mkOption {
|
||||||
|
default = [ ];
|
||||||
|
description = mdDoc ''
|
||||||
|
Directories containing files to include in the Kerberos configuration.
|
||||||
|
'';
|
||||||
|
type = coercedTo path singleton (listOf path);
|
||||||
|
};
|
||||||
|
module = mkOption {
|
||||||
|
default = [ ];
|
||||||
|
description = mdDoc ''
|
||||||
|
Modules to obtain Kerberos configuration from.
|
||||||
|
'';
|
||||||
|
type = coercedTo path singleton (listOf path);
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
generate = let
|
||||||
|
indent = str: concatMapStringsSep "\n" (line: " " + line) (splitString "\n" str);
|
||||||
|
|
||||||
|
formatToplevel = args @ {
|
||||||
|
include ? [ ],
|
||||||
|
includedir ? [ ],
|
||||||
|
module ? [ ],
|
||||||
|
...
|
||||||
|
}: let
|
||||||
|
sections = removeAttrs args [ "include" "includedir" "module" ];
|
||||||
|
in concatStringsSep "\n" (filter (x: x != "") [
|
||||||
|
(concatStringsSep "\n" (mapAttrsToList formatSection sections))
|
||||||
|
(concatMapStringsSep "\n" (m: "module ${m}") module)
|
||||||
|
(concatMapStringsSep "\n" (i: "include ${i}") include)
|
||||||
|
(concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
|
||||||
|
]);
|
||||||
|
|
||||||
|
formatSection = name: section: ''
|
||||||
|
[${name}]
|
||||||
|
${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
|
||||||
|
'';
|
||||||
|
|
||||||
|
formatRelation = name: relation:
|
||||||
|
if isAttrs relation
|
||||||
|
then ''
|
||||||
|
${name} = {
|
||||||
|
${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
|
||||||
|
}''
|
||||||
|
else formatValue name relation;
|
||||||
|
|
||||||
|
formatValue = name: value:
|
||||||
|
if isList value
|
||||||
|
then concatMapStringsSep "\n" (formatAtom name) value
|
||||||
|
else formatAtom name value;
|
||||||
|
|
||||||
|
formatAtom = name: atom: let
|
||||||
|
v = if isBool atom then boolToString atom else toString atom;
|
||||||
|
in "${name} = ${v}";
|
||||||
|
in
|
||||||
|
name: value: pkgs.writeText name ''
|
||||||
|
${formatToplevel value}
|
||||||
|
'';
|
||||||
|
}
|
|
@ -0,0 +1,90 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
|
||||||
|
inherit (lib.types) bool;
|
||||||
|
|
||||||
|
mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
|
||||||
|
mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
|
||||||
|
The option `krb5.${name}' has been removed. Use
|
||||||
|
`security.krb5.settings.${name}' for structured configuration.
|
||||||
|
'';
|
||||||
|
|
||||||
|
cfg = config.security.krb5;
|
||||||
|
format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
(mkRemovedOptionModuleCfg "libdefaults")
|
||||||
|
(mkRemovedOptionModuleCfg "realms")
|
||||||
|
(mkRemovedOptionModuleCfg "domain_realm")
|
||||||
|
(mkRemovedOptionModuleCfg "capaths")
|
||||||
|
(mkRemovedOptionModuleCfg "appdefaults")
|
||||||
|
(mkRemovedOptionModuleCfg "plugins")
|
||||||
|
(mkRemovedOptionModuleCfg "config")
|
||||||
|
(mkRemovedOptionModuleCfg "extraConfig")
|
||||||
|
(mkRemovedOptionModule' "kerberos" ''
|
||||||
|
The option `krb5.kerberos' has been moved to `security.krb5.package'.
|
||||||
|
'')
|
||||||
|
];
|
||||||
|
|
||||||
|
options = {
|
||||||
|
security.krb5 = {
|
||||||
|
enable = mkOption {
|
||||||
|
default = false;
|
||||||
|
description = mdDoc "Enable and configure Kerberos utilities";
|
||||||
|
type = bool;
|
||||||
|
};
|
||||||
|
|
||||||
|
package = mkPackageOption pkgs "krb5" {
|
||||||
|
example = "heimdal";
|
||||||
|
};
|
||||||
|
|
||||||
|
settings = mkOption {
|
||||||
|
default = { };
|
||||||
|
type = format.type;
|
||||||
|
description = mdDoc ''
|
||||||
|
Structured contents of the {file}`krb5.conf` file. See
|
||||||
|
{manpage}`krb5.conf(5)` for details about configuration.
|
||||||
|
'';
|
||||||
|
example = {
|
||||||
|
include = [ "/run/secrets/secret-krb5.conf" ];
|
||||||
|
includedir = [ "/run/secrets/secret-krb5.conf.d" ];
|
||||||
|
|
||||||
|
libdefaults = {
|
||||||
|
default_realm = "ATHENA.MIT.EDU";
|
||||||
|
};
|
||||||
|
|
||||||
|
realms = {
|
||||||
|
"ATHENA.MIT.EDU" = {
|
||||||
|
admin_server = "athena.mit.edu";
|
||||||
|
kdc = [
|
||||||
|
"athena01.mit.edu"
|
||||||
|
"athena02.mit.edu"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
domain_realm = {
|
||||||
|
"mit.edu" = "ATHENA.MIT.EDU";
|
||||||
|
};
|
||||||
|
|
||||||
|
logging = {
|
||||||
|
kdc = "SYSLOG:NOTICE";
|
||||||
|
admin_server = "SYSLOG:NOTICE";
|
||||||
|
default = "SYSLOG:NOTICE";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
environment = {
|
||||||
|
systemPackages = [ cfg.package ];
|
||||||
|
etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
meta.maintainers = builtins.attrValues {
|
||||||
|
inherit (lib.maintainers) dblsaiko h7x4;
|
||||||
|
};
|
||||||
|
}
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,231 @@
|
||||||
|
{ pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
|
||||||
|
cfg = config.services.mediawiki;
|
||||||
|
|
||||||
|
# "mediawiki"
|
||||||
|
user = config.systemd.services.mediawiki-init.serviceConfig.User;
|
||||||
|
|
||||||
|
# "mediawiki"
|
||||||
|
group = config.users.users.${user}.group;
|
||||||
|
|
||||||
|
simplesamlphp = pkgs.simplesamlphp.override {
|
||||||
|
extra_files = {
|
||||||
|
"metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
|
||||||
|
|
||||||
|
"config/authsources.php" = ./simplesaml-authsources.php;
|
||||||
|
|
||||||
|
"config/config.php" = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
|
||||||
|
cp ${./simplesaml-config.php} "$out"
|
||||||
|
|
||||||
|
substituteInPlace "$out" \
|
||||||
|
--replace-warn '$SAML_COOKIE_SECURE' 'true' \
|
||||||
|
--replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
|
||||||
|
--replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
|
||||||
|
--replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
|
||||||
|
--replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
|
||||||
|
--replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
|
||||||
|
--replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
|
||||||
|
--replace-warn '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
|
||||||
|
--replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
|
||||||
|
--replace-warn '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
|
||||||
|
|
||||||
|
sops.secrets = lib.pipe [
|
||||||
|
"mediawiki/password"
|
||||||
|
"mediawiki/postgres_password"
|
||||||
|
"mediawiki/simplesamlphp/postgres_password"
|
||||||
|
"mediawiki/simplesamlphp/cookie_salt"
|
||||||
|
"mediawiki/simplesamlphp/admin_password"
|
||||||
|
] [
|
||||||
|
(map (key: lib.nameValuePair key {
|
||||||
|
owner = user;
|
||||||
|
group = group;
|
||||||
|
restartUnits = [ "phpfpm-mediawiki.service" ];
|
||||||
|
}))
|
||||||
|
lib.listToAttrs
|
||||||
|
];
|
||||||
|
|
||||||
|
services.mediawiki = {
|
||||||
|
enable = true;
|
||||||
|
name = "Programvareverkstedet";
|
||||||
|
passwordFile = config.sops.secrets."mediawiki/password".path;
|
||||||
|
passwordSender = "drift@pvv.ntnu.no";
|
||||||
|
|
||||||
|
database = {
|
||||||
|
type = "mysql";
|
||||||
|
host = "mysql.pvv.ntnu.no";
|
||||||
|
port = 3306;
|
||||||
|
user = "mediawiki";
|
||||||
|
passwordFile = config.sops.secrets."mediawiki/postgres_password".path;
|
||||||
|
createLocally = false;
|
||||||
|
# TODO: create a normal database and copy over old data when the service is production ready
|
||||||
|
name = "mediawiki";
|
||||||
|
};
|
||||||
|
|
||||||
|
webserver = "nginx";
|
||||||
|
nginx.hostName = "wiki.pvv.ntnu.no";
|
||||||
|
|
||||||
|
poolConfig = {
|
||||||
|
inherit user group;
|
||||||
|
"pm" = "dynamic";
|
||||||
|
"pm.max_children" = 32;
|
||||||
|
"pm.max_requests" = 500;
|
||||||
|
"pm.start_servers" = 2;
|
||||||
|
"pm.min_spare_servers" = 2;
|
||||||
|
"pm.max_spare_servers" = 4;
|
||||||
|
|
||||||
|
"catch_workers_output" = true;
|
||||||
|
"php_admin_flag[log_errors]" = true;
|
||||||
|
# "php_admin_value[error_log]" = "stderr";
|
||||||
|
|
||||||
|
# to accept *.html file
|
||||||
|
"security.limit_extensions" = "";
|
||||||
|
};
|
||||||
|
|
||||||
|
extensions = {
|
||||||
|
inherit (pkgs.mediawiki-extensions)
|
||||||
|
CodeEditor
|
||||||
|
CodeMirror
|
||||||
|
DeleteBatch
|
||||||
|
PluggableAuth
|
||||||
|
Popups
|
||||||
|
Scribunto
|
||||||
|
SimpleSAMLphp
|
||||||
|
TemplateData
|
||||||
|
TemplateStyles
|
||||||
|
UserMerge
|
||||||
|
VisualEditor
|
||||||
|
WikiEditor
|
||||||
|
;
|
||||||
|
};
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
$wgServer = "https://wiki.pvv.ntnu.no";
|
||||||
|
$wgLocaltimezone = "Europe/Oslo";
|
||||||
|
|
||||||
|
# Only allow login through SSO
|
||||||
|
$wgEnableEmail = false;
|
||||||
|
$wgEnableUserEmail = false;
|
||||||
|
$wgEmailAuthentication = false;
|
||||||
|
$wgGroupPermissions['*']['createaccount'] = false;
|
||||||
|
$wgGroupPermissions['*']['autocreateaccount'] = true;
|
||||||
|
$wgPluggableAuth_EnableAutoLogin = false;
|
||||||
|
|
||||||
|
# Misc. permissions
|
||||||
|
$wgGroupPermissions['*']['edit'] = false;
|
||||||
|
$wgGroupPermissions['*']['read'] = true;
|
||||||
|
|
||||||
|
# Allow subdirectories in article URLs
|
||||||
|
$wgNamespacesWithSubpages[NS_MAIN] = true;
|
||||||
|
|
||||||
|
# Styling
|
||||||
|
$wgLogos = array(
|
||||||
|
"2x" => "/PNG/PVV-logo.png",
|
||||||
|
"icon" => "/PNG/PVV-logo.svg",
|
||||||
|
);
|
||||||
|
$wgDefaultSkin = "vector-2022";
|
||||||
|
# from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
|
||||||
|
$wgVectorDefaultSidebarVisibleForAnonymousUser = true;
|
||||||
|
$wgVectorResponsive = true;
|
||||||
|
|
||||||
|
# Misc
|
||||||
|
$wgEmergencyContact = "${cfg.passwordSender}";
|
||||||
|
$wgUseTeX = false;
|
||||||
|
$wgLocalInterwiki = $wgSitename;
|
||||||
|
# Fix https://github.com/NixOS/nixpkgs/issues/183097
|
||||||
|
$wgDBserver = "${toString cfg.database.host}";
|
||||||
|
$wgAllowCopyUploads = true;
|
||||||
|
|
||||||
|
# Misc program paths
|
||||||
|
$wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
|
||||||
|
$wgExiftool = '${pkgs.exiftool}/bin/exiftool';
|
||||||
|
$wgExiv2Command = '${pkgs.exiv2}/bin/exiv2';
|
||||||
|
# See https://gist.github.com/sergejmueller/088dce028b6dd120a16e
|
||||||
|
$wgJpegTran = '${pkgs.mozjpeg}/bin/jpegtran';
|
||||||
|
$wgGitBin = '${pkgs.git}/bin/git';
|
||||||
|
|
||||||
|
# Debugging
|
||||||
|
$wgShowExceptionDetails = false;
|
||||||
|
$wgShowIPinHeader = false;
|
||||||
|
|
||||||
|
# EXT:{SimpleSAML,PluggableAuth}
|
||||||
|
$wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
|
||||||
|
$wgPluggableAuth_Config['Log in using SAML'] = [
|
||||||
|
'plugin' => 'SimpleSAMLphp',
|
||||||
|
'data' => [
|
||||||
|
'authSourceId' => 'default-sp',
|
||||||
|
'usernameAttribute' => 'uid',
|
||||||
|
'emailAttribute' => 'mail',
|
||||||
|
'realNameAttribute' => 'cn',
|
||||||
|
]
|
||||||
|
];
|
||||||
|
|
||||||
|
# EXT:Scribunto
|
||||||
|
$wgScribuntoDefaultEngine = 'luastandalone';
|
||||||
|
$wgScribuntoEngineConf['luastandalone']['luaPath'] = '${pkgs.lua}/bin';
|
||||||
|
|
||||||
|
# EXT:WikiEditor
|
||||||
|
$wgWikiEditorRealtimePreview = true;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# Cache directory for simplesamlphp
|
||||||
|
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
|
||||||
|
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
|
||||||
|
user = "mediawiki";
|
||||||
|
group = "mediawiki";
|
||||||
|
mode = "0770";
|
||||||
|
};
|
||||||
|
|
||||||
|
users.groups.mediawiki.members = [ "nginx" ];
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
|
||||||
|
kTLS = true;
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
locations = {
|
||||||
|
"= /wiki/Main_Page" = lib.mkForce {
|
||||||
|
return = "301 /wiki/Programvareverkstedet";
|
||||||
|
};
|
||||||
|
|
||||||
|
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
|
||||||
|
"^~ /simplesaml/" = {
|
||||||
|
alias = "${simplesamlphp}/share/php/simplesamlphp/public/";
|
||||||
|
index = "index.php";
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||||
|
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
|
||||||
|
fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile;
|
||||||
|
|
||||||
|
# Must be prepended with the baseurlpath
|
||||||
|
fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
|
||||||
|
|
||||||
|
fastcgi_param PATH_INFO $pathinfo if_not_empty;
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
"= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg;
|
||||||
|
"= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png;
|
||||||
|
"= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
|
||||||
|
buildInputs = with pkgs; [ imagemagick ];
|
||||||
|
} ''
|
||||||
|
convert \
|
||||||
|
-resize x64 \
|
||||||
|
-gravity center \
|
||||||
|
-crop 64x64+0+0 \
|
||||||
|
${fp /assets/logo_blue_regular.png} \
|
||||||
|
-flatten \
|
||||||
|
-colors 256 \
|
||||||
|
-background transparent \
|
||||||
|
$out
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,11 @@
|
||||||
|
<?php
|
||||||
|
$config = array(
|
||||||
|
'admin' => array(
|
||||||
|
'core:AdminPassword'
|
||||||
|
),
|
||||||
|
'default-sp' => array(
|
||||||
|
'saml:SP',
|
||||||
|
'entityID' => 'https://wiki.pvv.ntnu.no/simplesaml/',
|
||||||
|
'idp' => 'https://idp.pvv.ntnu.no/',
|
||||||
|
),
|
||||||
|
);
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,4 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,4 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,4 @@
|
||||||
|
{ pkgs, config, ... }:
|
||||||
|
{
|
||||||
|
services.nginx.enable = true;
|
||||||
|
}
|
|
@ -0,0 +1,51 @@
|
||||||
|
{ lib, ... }:
|
||||||
|
let
|
||||||
|
pools = map (pool: "phpfpm-${pool}") [
|
||||||
|
"idp"
|
||||||
|
"mediawiki"
|
||||||
|
"pvv-nettsiden"
|
||||||
|
"roundcube"
|
||||||
|
"snappymail"
|
||||||
|
];
|
||||||
|
in
|
||||||
|
{
|
||||||
|
# Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
|
||||||
|
systemd.services = lib.genAttrs pools (_: {
|
||||||
|
serviceConfig = let
|
||||||
|
caps = [
|
||||||
|
"CAP_NET_BIND_SERVICE"
|
||||||
|
"CAP_SETGID"
|
||||||
|
"CAP_SETUID"
|
||||||
|
"CAP_CHOWN"
|
||||||
|
"CAP_KILL"
|
||||||
|
"CAP_IPC_LOCK"
|
||||||
|
"CAP_DAC_OVERRIDE"
|
||||||
|
];
|
||||||
|
in {
|
||||||
|
AmbientCapabilities = caps;
|
||||||
|
CapabilityBoundingSet = caps;
|
||||||
|
DeviceAllow = [ "" ];
|
||||||
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = false;
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
PrivateMounts = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
RemoveIPC = true;
|
||||||
|
UMask = "0077";
|
||||||
|
RestrictNamespaces = "~mnt";
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
KeyringMode = "private";
|
||||||
|
SystemCallFilter = [
|
||||||
|
"@system-service"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
});
|
||||||
|
}
|
|
@ -0,0 +1,104 @@
|
||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.vaultwarden;
|
||||||
|
domain = "pw.pvv.ntnu.no";
|
||||||
|
address = "127.0.1.2";
|
||||||
|
port = 3011;
|
||||||
|
wsPort = 3012;
|
||||||
|
in {
|
||||||
|
sops.secrets."vaultwarden/environ" = {
|
||||||
|
owner = "vaultwarden";
|
||||||
|
group = "vaultwarden";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.vaultwarden = {
|
||||||
|
enable = true;
|
||||||
|
dbBackend = "postgresql";
|
||||||
|
environmentFile = config.sops.secrets."vaultwarden/environ".path;
|
||||||
|
config = {
|
||||||
|
domain = "https://${domain}";
|
||||||
|
|
||||||
|
rocketAddress = address;
|
||||||
|
rocketPort = port;
|
||||||
|
|
||||||
|
websocketEnabled = true;
|
||||||
|
websocketAddress = address;
|
||||||
|
websocketPort = wsPort;
|
||||||
|
|
||||||
|
signupsAllowed = true;
|
||||||
|
signupsVerify = true;
|
||||||
|
signupsDomainsWhitelist = "pvv.ntnu.no";
|
||||||
|
|
||||||
|
smtpFrom = "vaultwarden@pvv.ntnu.no";
|
||||||
|
smtpFromName = "VaultWarden PVV";
|
||||||
|
|
||||||
|
smtpHost = "smtp.pvv.ntnu.no";
|
||||||
|
smtpUsername = "vaultwarden";
|
||||||
|
smtpSecurity = "force_tls";
|
||||||
|
smtpAuthMechanism = "Login";
|
||||||
|
|
||||||
|
# Configured in environ:
|
||||||
|
# databaseUrl = "postgresql://vaultwarden@/vaultwarden";
|
||||||
|
# smtpPassword = hemli
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."${domain}" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
kTLS = true;
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
client_max_body_size 128M;
|
||||||
|
'';
|
||||||
|
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://${address}:${toString port}";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
locations."/notifications/hub" = {
|
||||||
|
proxyPass = "http://${address}:${toString wsPort}";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
locations."/notifications/hub/negotiate" = {
|
||||||
|
proxyPass = "http://${address}:${toString port}";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.vaultwarden = lib.mkIf cfg.enable {
|
||||||
|
serviceConfig = {
|
||||||
|
AmbientCapabilities = [ "" ];
|
||||||
|
CapabilityBoundingSet = [ "" ];
|
||||||
|
DeviceAllow = [ "" ];
|
||||||
|
LockPersonality = true;
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
# MemoryDenyWriteExecute = true;
|
||||||
|
PrivateMounts = true;
|
||||||
|
PrivateUsers = true;
|
||||||
|
ProcSubset = "pid";
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
RestrictAddressFamilies = [
|
||||||
|
"AF_INET"
|
||||||
|
"AF_INET6"
|
||||||
|
"AF_UNIX"
|
||||||
|
];
|
||||||
|
RemoveIPC = true;
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallFilter = [
|
||||||
|
"@system-service"
|
||||||
|
"~@privileged"
|
||||||
|
];
|
||||||
|
UMask = "0007";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,21 @@
|
||||||
|
{ config, values, pkgs, lib, ... }:
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./roundcube.nix
|
||||||
|
./snappymail.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."webmail.pvv.ntnu.no" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
kTLS = true;
|
||||||
|
locations = {
|
||||||
|
"= /".return = "302 https://webmail.pvv.ntnu.no/roundcube";
|
||||||
|
|
||||||
|
"/afterlogic_lite".return = "302 https://webmail.pvv.ntnu.no/roundcube";
|
||||||
|
"/squirrelmail".return = "302 https://webmail.pvv.ntnu.no/roundcube";
|
||||||
|
"/rainloop".return = "302 https://snappymail.pvv.ntnu.no/";
|
||||||
|
"/snappymail".return = "302 https://snappymail.pvv.ntnu.no/";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,85 @@
|
||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
cfg = config.services.roundcube;
|
||||||
|
domain = "webmail.pvv.ntnu.no";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
sops.secrets."roundcube/postgres_password" = {
|
||||||
|
owner = "nginx";
|
||||||
|
group = "nginx";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.roundcube = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
package = pkgs.roundcube.withPlugins (plugins: with plugins; [
|
||||||
|
persistent_login
|
||||||
|
thunderbird_labels
|
||||||
|
contextmenu
|
||||||
|
custom_from
|
||||||
|
]);
|
||||||
|
|
||||||
|
dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
|
||||||
|
maxAttachmentSize = 20;
|
||||||
|
hostName = "roundcubeplaceholder.example.com";
|
||||||
|
|
||||||
|
database = {
|
||||||
|
host = "postgres.pvv.ntnu.no";
|
||||||
|
passwordFile = config.sops.secrets."roundcube/postgres_password".path;
|
||||||
|
};
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
$config['enable_installer'] = false;
|
||||||
|
$config['default_host'] = "ssl://imap.pvv.ntnu.no";
|
||||||
|
$config['default_port'] = 993;
|
||||||
|
$config['smtp_server'] = "ssl://smtp.pvv.ntnu.no";
|
||||||
|
$config['smtp_port'] = 465;
|
||||||
|
$config['mail_domain'] = "pvv.ntnu.no";
|
||||||
|
$config['smtp_user'] = "%u";
|
||||||
|
$config['support_url'] = "";
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
|
||||||
|
|
||||||
|
services.nginx.virtualHosts.${domain} = {
|
||||||
|
kTLS = true;
|
||||||
|
locations."/roundcube" = {
|
||||||
|
tryFiles = "$uri $uri/ =404";
|
||||||
|
index = "index.php";
|
||||||
|
root = pkgs.runCommandLocal "roundcube-dir" { } ''
|
||||||
|
mkdir -p $out
|
||||||
|
ln -s ${cfg.package} $out/roundcube
|
||||||
|
'';
|
||||||
|
extraConfig = ''
|
||||||
|
location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
|
||||||
|
# https://wiki.archlinux.org/title/Roundcube
|
||||||
|
"README"
|
||||||
|
"INSTALL"
|
||||||
|
"LICENSE"
|
||||||
|
"CHANGELOG"
|
||||||
|
"UPGRADING"
|
||||||
|
"bin"
|
||||||
|
"SQL"
|
||||||
|
".+\\.md"
|
||||||
|
"\\."
|
||||||
|
"config"
|
||||||
|
"temp"
|
||||||
|
"logs"
|
||||||
|
]})/? {
|
||||||
|
deny all;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ ^/roundcube/(.+\.php)(/?.*)$ {
|
||||||
|
fastcgi_split_path_info ^/roundcube(/.+\.php)(/.+)$;
|
||||||
|
include ${config.services.nginx.package}/conf/fastcgi_params;
|
||||||
|
include ${config.services.nginx.package}/conf/fastcgi.conf;
|
||||||
|
fastcgi_index index.php;
|
||||||
|
fastcgi_pass unix:${config.services.phpfpm.pools.roundcube.socket};
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,18 @@
|
||||||
|
{ config, lib, fp, pkgs, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.snappymail;
|
||||||
|
in {
|
||||||
|
imports = [ (fp /modules/snappymail.nix) ];
|
||||||
|
|
||||||
|
services.snappymail = {
|
||||||
|
enable = true;
|
||||||
|
hostname = "snappymail.pvv.ntnu.no";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts.${cfg.hostname} = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
kTLS = true;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,121 @@
|
||||||
|
{ pkgs, lib, config, ... }:
|
||||||
|
let
|
||||||
|
format = pkgs.formats.php { };
|
||||||
|
cfg = config.services.pvv-nettsiden;
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
./fetch-gallery.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
sops.secrets = lib.genAttrs [
|
||||||
|
"nettsiden/door_secret"
|
||||||
|
"nettsiden/mysql_password"
|
||||||
|
"nettsiden/simplesamlphp/admin_password"
|
||||||
|
"nettsiden/simplesamlphp/cookie_salt"
|
||||||
|
] (_: {
|
||||||
|
owner = config.services.phpfpm.pools.pvv-nettsiden.user;
|
||||||
|
group = config.services.phpfpm.pools.pvv-nettsiden.group;
|
||||||
|
restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
|
||||||
|
});
|
||||||
|
|
||||||
|
services.idp.sp-remote-metadata = [
|
||||||
|
"https://www.pvv.ntnu.no/simplesaml/"
|
||||||
|
"https://pvv.ntnu.no/simplesaml/"
|
||||||
|
"https://www.pvv.org/simplesaml/"
|
||||||
|
"https://pvv.org/simplesaml/"
|
||||||
|
];
|
||||||
|
|
||||||
|
services.pvv-nettsiden = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
package = pkgs.pvv-nettsiden.override {
|
||||||
|
extra_files = {
|
||||||
|
"${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
|
||||||
|
"${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" ''
|
||||||
|
<?php
|
||||||
|
$config = array(
|
||||||
|
'admin' => array(
|
||||||
|
'core:AdminPassword'
|
||||||
|
),
|
||||||
|
'default-sp' => array(
|
||||||
|
'saml:SP',
|
||||||
|
'entityID' => 'https://${cfg.domainName}/simplesaml/',
|
||||||
|
'idp' => 'https://idp.pvv.ntnu.no/',
|
||||||
|
),
|
||||||
|
);
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
domainName = "www.pvv.ntnu.no";
|
||||||
|
|
||||||
|
settings = let
|
||||||
|
includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
|
||||||
|
in {
|
||||||
|
DOOR_SECRET = includeFromSops "door_secret";
|
||||||
|
|
||||||
|
DB = {
|
||||||
|
DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
|
||||||
|
USER = "www-data_nettsi";
|
||||||
|
PASS = includeFromSops "mysql_password";
|
||||||
|
};
|
||||||
|
|
||||||
|
# TODO: set up postgres session for simplesamlphp
|
||||||
|
SAML = {
|
||||||
|
COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
|
||||||
|
COOKIE_SECURE = true;
|
||||||
|
ADMIN_NAME = "PVV Drift";
|
||||||
|
ADMIN_EMAIL = "drift@pvv.ntnu.no";
|
||||||
|
ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
|
||||||
|
TRUSTED_DOMAINS = [ cfg.domainName ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.phpfpm.pools."pvv-nettsiden".settings = {
|
||||||
|
# "php_admin_value[error_log]" = "stderr";
|
||||||
|
"php_admin_flag[log_errors]" = true;
|
||||||
|
"catch_workers_output" = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts.${cfg.domainName} = {
|
||||||
|
serverAliases = [
|
||||||
|
"pvv.ntnu.no"
|
||||||
|
"www.pvv.org"
|
||||||
|
"pvv.org"
|
||||||
|
];
|
||||||
|
|
||||||
|
locations = {
|
||||||
|
# Proxy home directories
|
||||||
|
"^~ /~" = {
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_redirect off;
|
||||||
|
proxy_pass https://tom.pvv.ntnu.no;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# Redirect the old webmail/wiki paths from spikkjeposche
|
||||||
|
"^~ /webmail".return = "301 https://webmail.pvv.ntnu.no";
|
||||||
|
"~ /pvv/([^\\n\\r]*)".return = "301 https://wiki.pvv.ntnu.no/wiki/$1";
|
||||||
|
"= /pvv".return = "301 https://wiki.pvv.ntnu.no/";
|
||||||
|
|
||||||
|
# Redirect old wiki entries
|
||||||
|
"/disk".return = "301 https://wiki.pvv.ntnu.no/wiki/Diskkjøp";
|
||||||
|
"/dok/boker.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Bokhyllen";
|
||||||
|
"/styret/lover/".return = "301 https://wiki.pvv.ntnu.no/wiki/Lover";
|
||||||
|
"/styret/".return = "301 https://wiki.pvv.ntnu.no/wiki/Styret";
|
||||||
|
"/info/".return = "301 https://wiki.pvv.ntnu.no/wiki/";
|
||||||
|
"/info/maskinpark/".return = "301 https://wiki.pvv.ntnu.no/wiki/Maskiner";
|
||||||
|
"/medlemssider/meldinn.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemskontingent";
|
||||||
|
"/diverse/medlems-sider.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemssider";
|
||||||
|
"/cert/".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT";
|
||||||
|
"/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift";
|
||||||
|
"/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse";
|
||||||
|
"/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,94 @@
|
||||||
|
{ pkgs, lib, config, ... }:
|
||||||
|
let
|
||||||
|
galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
|
||||||
|
transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
|
||||||
|
in {
|
||||||
|
users.users.${config.services.pvv-nettsiden.user} = {
|
||||||
|
useDefaultShell = true;
|
||||||
|
|
||||||
|
# This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.paths.pvv-nettsiden-gallery-update = {
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
pathConfig = {
|
||||||
|
PathChanged = "${transferDir}/gallery.tar.gz";
|
||||||
|
Unit = "pvv-nettsiden-gallery-update.service";
|
||||||
|
MakeDirectory = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.pvv-nettsiden-gallery-update = {
|
||||||
|
path = with pkgs; [ imagemagick gnutar gzip ];
|
||||||
|
|
||||||
|
script = ''
|
||||||
|
tar ${lib.cli.toGNUCommandLineShell {} {
|
||||||
|
extract = true;
|
||||||
|
file = "${transferDir}/gallery.tar.gz";
|
||||||
|
directory = ".";
|
||||||
|
}}
|
||||||
|
|
||||||
|
# Delete files and directories that exists in the gallery that don't exist in the tarball
|
||||||
|
filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
|
||||||
|
while IFS= read fname; do
|
||||||
|
rm -f "$fname" ||:
|
||||||
|
rm -f ".thumbnails/$fname.png" ||:
|
||||||
|
done <<< "$filesToRemove"
|
||||||
|
|
||||||
|
find . -type d -empty -delete
|
||||||
|
|
||||||
|
mkdir -p .thumbnails
|
||||||
|
images=$(find . -type f -not -path "./.thumbnails*")
|
||||||
|
|
||||||
|
while IFS= read fname; do
|
||||||
|
# Skip this file if an up-to-date thumbnail already exists
|
||||||
|
if [ -f ".thumbnails/$fname.png" ] && \
|
||||||
|
[ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
|
||||||
|
then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Creating thumbnail for $fname"
|
||||||
|
mkdir -p $(dirname ".thumbnails/$fname")
|
||||||
|
convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
|
||||||
|
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
|
||||||
|
done <<< "$images"
|
||||||
|
'';
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
WorkingDirectory = galleryDir;
|
||||||
|
User = config.services.pvv-nettsiden.user;
|
||||||
|
Group = config.services.pvv-nettsiden.group;
|
||||||
|
|
||||||
|
AmbientCapabilities = [ "" ];
|
||||||
|
CapabilityBoundingSet = [ "" ];
|
||||||
|
DeviceAllow = [ "" ];
|
||||||
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
|
NoNewPrivileges = true; # disable for third party rotate scripts
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateNetwork = true; # disable for mail delivery
|
||||||
|
PrivateTmp = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = true; # disable for userdir logs
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
ProtectSystem = "full";
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true; # disable for creating setgid directories
|
||||||
|
SocketBindDeny = [ "any" ];
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallFilter = [
|
||||||
|
"@system-service"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,18 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
services.nginx.virtualHosts."www.pvv.ntnu.no".locations = {
|
||||||
|
"^~ /.well-known/" = {
|
||||||
|
alias = (toString ./root) + "/";
|
||||||
|
};
|
||||||
|
|
||||||
|
# Proxy the matrix well-known files
|
||||||
|
# Host has be set before proxy_pass
|
||||||
|
# The header must be set so nginx on the other side routes it to the right place
|
||||||
|
"^~ /.well-known/matrix/" = {
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_set_header Host matrix.pvv.ntnu.no;
|
||||||
|
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,31 @@
|
||||||
|
<?xml version="1.0"?>
|
||||||
|
<clientConfig version="1.1">
|
||||||
|
<emailProvider id="pvv.ntnu.no">
|
||||||
|
<domain>pvv.ntnu.no</domain>
|
||||||
|
<domain>pvv.org</domain>
|
||||||
|
|
||||||
|
<displayName>Programvareverkstedet</displayName>
|
||||||
|
|
||||||
|
<incomingServer type="imap">
|
||||||
|
<hostname>imap.pvv.ntnu.no</hostname>
|
||||||
|
<port>993</port>
|
||||||
|
<socketType>SSL</socketType>
|
||||||
|
<username>%EMAILLOCALPART%</username>
|
||||||
|
<authentication>password-cleartext</authentication>
|
||||||
|
</incomingServer>
|
||||||
|
|
||||||
|
<outgoingServer type="smtp">
|
||||||
|
<hostname>smtp.pvv.ntnu.no</hostname>
|
||||||
|
<port>587</port>
|
||||||
|
<socketType>STARTTLS</socketType>
|
||||||
|
<username>%EMAILLOCALPART%</username>
|
||||||
|
<authentication>password-cleartext</authentication>
|
||||||
|
<useGlobalPreferredServer>true</useGlobalPreferredServer>
|
||||||
|
</outgoingServer>
|
||||||
|
|
||||||
|
<documentation url="https://www.pvv.ntnu.no/pvv/Drift/Mail/IMAP_POP3">
|
||||||
|
<descr lang="en">Setup programvareverkstedet email user with IMAP or POP3</descr>
|
||||||
|
<descr lang="nb">Sett opp programvareverkstedet email bruker med IMAP eller POP3</descr>
|
||||||
|
</documentation>
|
||||||
|
</emailProvider>
|
||||||
|
</clientConfig>
|
|
@ -0,0 +1,12 @@
|
||||||
|
Contact: mailto:drift@pvv.ntnu.no
|
||||||
|
Contact: mailto:cert@pvv.ntnu.no
|
||||||
|
# drift@pvv.ntnu.no is read by more people and have a quicker reaction time,
|
||||||
|
# but cert@pvv.ntnu.no can be used for more severe issues.
|
||||||
|
|
||||||
|
Preferred-Languages: no, en
|
||||||
|
|
||||||
|
Expires: 2032-12-31T23:59:59.000Z
|
||||||
|
# This file was last updated 2024-09-14.
|
||||||
|
|
||||||
|
# You can find a wikipage for our security policies at:
|
||||||
|
# https://wiki.pvv.ntnu.no/wiki/CERT
|
|
@ -0,0 +1,43 @@
|
||||||
|
{ fp, pkgs, values, ... }:
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./hardware-configuration.nix
|
||||||
|
|
||||||
|
(fp /base)
|
||||||
|
(fp /misc/metrics-exporters.nix)
|
||||||
|
./services/nginx
|
||||||
|
|
||||||
|
./services/mysql.nix
|
||||||
|
./services/postgres.nix
|
||||||
|
./services/mysql.nix
|
||||||
|
./services/calendar-bot.nix
|
||||||
|
|
||||||
|
./services/matrix
|
||||||
|
];
|
||||||
|
|
||||||
|
sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
||||||
|
sops.age.generateKey = true;
|
||||||
|
|
||||||
|
boot.loader.grub.enable = true;
|
||||||
|
boot.loader.grub.device = "/dev/disk/by-id/scsi-3600508b1001cb1a8751c137b30610682";
|
||||||
|
|
||||||
|
networking.hostName = "bicep";
|
||||||
|
|
||||||
|
systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
|
||||||
|
matchConfig.Name = "enp6s0f0";
|
||||||
|
address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
|
||||||
|
++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
|
||||||
|
};
|
||||||
|
systemd.network.wait-online = {
|
||||||
|
anyInterface = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
# There are no smart devices
|
||||||
|
services.smartd.enable = false;
|
||||||
|
|
||||||
|
# Do not change, even during upgrades.
|
||||||
|
# See https://search.nixos.org/options?show=system.stateVersion
|
||||||
|
system.stateVersion = "22.11";
|
||||||
|
}
|
|
@ -0,0 +1,40 @@
|
||||||
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
|
# and may be overwritten by future invocations. Please make changes
|
||||||
|
# to /etc/nixos/configuration.nix instead.
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "hpsa" "ohci_pci" "usbhid" "sd_mod" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "/dev/disk/by-uuid/31a67903-dc00-448a-a24a-36e820318fe5";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/data" =
|
||||||
|
{ device = "/dev/disk/by-uuid/79e93eed-ad95-45c9-b115-4ef92afcc8c0";
|
||||||
|
fsType = "f2fs";
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices = [ ];
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp6s0f0.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp6s0f1.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp6s0f2.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp6s0f3.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
}
|
|
@ -0,0 +1,38 @@
|
||||||
|
{ config, fp, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.pvv-calendar-bot;
|
||||||
|
in {
|
||||||
|
sops.secrets = {
|
||||||
|
"calendar-bot/matrix_token" = {
|
||||||
|
sopsFile = fp /secrets/bicep/bicep.yaml;
|
||||||
|
key = "calendar-bot/matrix_token";
|
||||||
|
owner = cfg.user;
|
||||||
|
group = cfg.group;
|
||||||
|
};
|
||||||
|
"calendar-bot/mysql_password" = {
|
||||||
|
sopsFile = fp /secrets/bicep/bicep.yaml;
|
||||||
|
key = "calendar-bot/mysql_password";
|
||||||
|
owner = cfg.user;
|
||||||
|
group = cfg.group;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.pvv-calendar-bot = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
matrix = {
|
||||||
|
homeserver = "https://matrix.pvv.ntnu.no";
|
||||||
|
user = "@bot_calendar:pvv.ntnu.no";
|
||||||
|
channel = "!gkNLUIhYVpEyLatcRz:pvv.ntnu.no";
|
||||||
|
};
|
||||||
|
database = {
|
||||||
|
host = "mysql.pvv.ntnu.no";
|
||||||
|
user = "calendar-bot";
|
||||||
|
passwordFile = config.sops.secrets."calendar-bot/mysql_password".path;
|
||||||
|
};
|
||||||
|
secretsFile = config.sops.secrets."calendar-bot/matrix_token".path;
|
||||||
|
onCalendar = "*-*-* 09:00:00";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -1,11 +1,15 @@
|
||||||
{ config, lib, pkgs, secrets, ... }:
|
{ config, lib, fp, pkgs, secrets, values, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
sops.secrets."matrix/synapse/turnconfig" = {
|
sops.secrets."matrix/synapse/turnconfig" = {
|
||||||
|
sopsFile = fp /secrets/bicep/matrix.yaml;
|
||||||
|
key = "synapse/turnconfig";
|
||||||
owner = config.users.users.matrix-synapse.name;
|
owner = config.users.users.matrix-synapse.name;
|
||||||
group = config.users.users.matrix-synapse.group;
|
group = config.users.users.matrix-synapse.group;
|
||||||
};
|
};
|
||||||
sops.secrets."matrix/coturn/static-auth-secret" = {
|
sops.secrets."matrix/coturn/static-auth-secret" = {
|
||||||
|
sopsFile = fp /secrets/bicep/matrix.yaml;
|
||||||
|
key = "coturn/static-auth-secret";
|
||||||
owner = config.users.users.turnserver.name;
|
owner = config.users.users.turnserver.name;
|
||||||
group = config.users.users.turnserver.group;
|
group = config.users.users.turnserver.group;
|
||||||
};
|
};
|
||||||
|
@ -56,12 +60,14 @@
|
||||||
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
||||||
|
|
||||||
use-auth-secret = true;
|
use-auth-secret = true;
|
||||||
# World readable but I dont think it's that bad
|
|
||||||
static-auth-secret-file = config.sops.secrets."matrix/coturn/static-auth-secret".path;
|
static-auth-secret-file = config.sops.secrets."matrix/coturn/static-auth-secret".path;
|
||||||
|
|
||||||
secure-stun = true;
|
secure-stun = true;
|
||||||
|
|
||||||
listening-ips = [ "129.241.210.213" "2001:700:300:1900::213" ];
|
listening-ips = [
|
||||||
|
values.services.turn.ipv4
|
||||||
|
# values.services.turn.ipv6
|
||||||
|
];
|
||||||
|
|
||||||
tls-listening-port = 443;
|
tls-listening-port = 443;
|
||||||
alt-tls-listening-port = 5349;
|
alt-tls-listening-port = 5349;
|
||||||
|
@ -114,7 +120,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
interfaces.ens18 = let
|
interfaces.enp6s0f0 = let
|
||||||
range = with config.services.coturn; [ {
|
range = with config.services.coturn; [ {
|
||||||
from = min-port;
|
from = min-port;
|
||||||
to = max-port;
|
to = max-port;
|
|
@ -7,8 +7,10 @@
|
||||||
./synapse-admin.nix
|
./synapse-admin.nix
|
||||||
./element.nix
|
./element.nix
|
||||||
./coturn.nix
|
./coturn.nix
|
||||||
|
./mjolnir.nix
|
||||||
|
|
||||||
./discord.nix
|
./discord.nix
|
||||||
|
./hookshot
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,72 @@
|
||||||
|
{ config, lib, fp, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.services.mx-puppet-discord;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
users.groups.keys-matrix-registrations = { };
|
||||||
|
|
||||||
|
sops.secrets."matrix/discord/as_token" = {
|
||||||
|
sopsFile = fp /secrets/bicep/matrix.yaml;
|
||||||
|
key = "discord/as_token";
|
||||||
|
};
|
||||||
|
sops.secrets."matrix/discord/hs_token" = {
|
||||||
|
sopsFile = fp /secrets/bicep/matrix.yaml;
|
||||||
|
key = "discord/hs_token";
|
||||||
|
};
|
||||||
|
|
||||||
|
sops.templates."discord-registration.yaml" = {
|
||||||
|
owner = config.users.users.matrix-synapse.name;
|
||||||
|
group = config.users.groups.keys-matrix-registrations.name;
|
||||||
|
content = ''
|
||||||
|
as_token: "${config.sops.placeholder."matrix/discord/as_token"}"
|
||||||
|
hs_token: "${config.sops.placeholder."matrix/discord/hs_token"}"
|
||||||
|
id: discord-puppet
|
||||||
|
namespaces:
|
||||||
|
users:
|
||||||
|
- exclusive: true
|
||||||
|
regex: '@_discordpuppet_.*'
|
||||||
|
rooms: []
|
||||||
|
aliases:
|
||||||
|
- exclusive: true
|
||||||
|
regex: '#_discordpuppet_.*'
|
||||||
|
protocols: []
|
||||||
|
rate_limited: false
|
||||||
|
sender_localpart: _discordpuppet_bot
|
||||||
|
url: 'http://localhost:8434'
|
||||||
|
de.sorunome.msc2409.push_ephemeral: true
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.mx-puppet-discord = {
|
||||||
|
serviceConfig.SupplementaryGroups = [
|
||||||
|
config.users.groups.keys-matrix-registrations.name
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
services.mx-puppet-discord.enable = true;
|
||||||
|
services.mx-puppet-discord.settings = {
|
||||||
|
bridge = {
|
||||||
|
bindAddress = "localhost";
|
||||||
|
domain = "pvv.ntnu.no";
|
||||||
|
homeserverUrl = "https://matrix.pvv.ntnu.no";
|
||||||
|
};
|
||||||
|
provisioning.whitelist = [ "@dandellion:dodsorf\\.as" "@danio:pvv\\.ntnu\\.no"];
|
||||||
|
relay.whitelist = [ ".*" ];
|
||||||
|
selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
|
||||||
|
};
|
||||||
|
services.mx-puppet-discord.serviceDependencies = [
|
||||||
|
"matrix-synapse.target"
|
||||||
|
"nginx.service"
|
||||||
|
];
|
||||||
|
|
||||||
|
|
||||||
|
services.matrix-synapse-next.settings = {
|
||||||
|
app_service_config_files = [
|
||||||
|
config.sops.templates."discord-registration.yaml".path
|
||||||
|
];
|
||||||
|
use_appservice_legacy_authorization = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
}
|
|
@ -1,9 +1,11 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
{
|
synapse-cfg = config.services.matrix-synapse-next;
|
||||||
|
in {
|
||||||
services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
|
services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
kTLS = true;
|
||||||
|
|
||||||
root = pkgs.element-web.override {
|
root = pkgs.element-web.override {
|
||||||
conf = {
|
conf = {
|
||||||
|
@ -23,25 +25,31 @@
|
||||||
features = {
|
features = {
|
||||||
feature_latex_maths = true;
|
feature_latex_maths = true;
|
||||||
feature_pinning = true;
|
feature_pinning = true;
|
||||||
|
feature_render_reaction_images = true;
|
||||||
feature_state_counters = true;
|
feature_state_counters = true;
|
||||||
feature_custom_status = false;
|
# element call group calls
|
||||||
|
feature_group_calls = true;
|
||||||
};
|
};
|
||||||
default_theme = "dark";
|
default_theme = "dark";
|
||||||
|
# Servers in this list should provide some sort of valuable scoping
|
||||||
|
# matrix.org is not useful compared to matrixrooms.info,
|
||||||
|
# because it has so many general members, rooms of all topics are on it.
|
||||||
|
# Something matrixrooms.info is already providing.
|
||||||
room_directory.servers = [
|
room_directory.servers = [
|
||||||
"pvv.ntnu.no"
|
"pvv.ntnu.no"
|
||||||
"matrix.omegav.no"
|
"matrixrooms.info" # Searches all public room directories
|
||||||
"matrix.org"
|
"matrix.omegav.no" # Friends
|
||||||
"libera.chat"
|
"gitter.im" # gitter rooms
|
||||||
"gitter.im"
|
"mozilla.org" # mozilla and friends
|
||||||
"mozilla.org"
|
"kde.org" # KDE rooms
|
||||||
"kde.org"
|
"fosdem.org" # FOSDEM
|
||||||
"t2bot.io"
|
"dodsorf.as" # PVV Member
|
||||||
"fosdem.org"
|
"nani.wtf" # PVV Member
|
||||||
"dodsorf.as"
|
|
||||||
];
|
];
|
||||||
enable_presence_by_hs_url = {
|
enable_presence_by_hs_url = {
|
||||||
"https://matrix.org" = false;
|
"https://matrix.org" = false;
|
||||||
"https://matrix.dodsorf.as" = false;
|
# "https://matrix.dodsorf.as" = false;
|
||||||
|
"${synapse-cfg.settings.public_baseurl}" = synapse-cfg.settings.presence.enabled;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
|
@ -0,0 +1,139 @@
|
||||||
|
{ config, lib, fp, unstablePkgs, inputs, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.services.matrix-hookshot;
|
||||||
|
webhookListenAddress = "127.0.0.1";
|
||||||
|
webhookListenPort = 8435;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./module.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
sops.secrets."matrix/hookshot/as_token" = {
|
||||||
|
sopsFile = fp /secrets/bicep/matrix.yaml;
|
||||||
|
key = "hookshot/as_token";
|
||||||
|
};
|
||||||
|
sops.secrets."matrix/hookshot/hs_token" = {
|
||||||
|
sopsFile = fp /secrets/bicep/matrix.yaml;
|
||||||
|
key = "hookshot/hs_token";
|
||||||
|
};
|
||||||
|
|
||||||
|
sops.templates."hookshot-registration.yaml" = {
|
||||||
|
owner = config.users.users.matrix-synapse.name;
|
||||||
|
group = config.users.groups.keys-matrix-registrations.name;
|
||||||
|
content = ''
|
||||||
|
id: matrix-hookshot
|
||||||
|
as_token: "${config.sops.placeholder."matrix/hookshot/as_token"}"
|
||||||
|
hs_token: "${config.sops.placeholder."matrix/hookshot/hs_token"}"
|
||||||
|
namespaces:
|
||||||
|
rooms: []
|
||||||
|
users:
|
||||||
|
- regex: "@_webhooks_.*:pvv.ntnu.no"
|
||||||
|
exclusive: true
|
||||||
|
- regex: "@bot_feeds:pvv.ntnu.no"
|
||||||
|
exclusive: true
|
||||||
|
aliases: []
|
||||||
|
|
||||||
|
sender_localpart: hookshot
|
||||||
|
url: "http://${cfg.settings.bridge.bindAddress}:${toString cfg.settings.bridge.port}"
|
||||||
|
rate_limited: false
|
||||||
|
|
||||||
|
# If enabling encryption
|
||||||
|
de.sorunome.msc2409.push_ephemeral: true
|
||||||
|
push_ephemeral: true
|
||||||
|
org.matrix.msc3202: true
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.matrix-hookshot = {
|
||||||
|
serviceConfig.SupplementaryGroups = [
|
||||||
|
config.users.groups.keys-matrix-registrations.name
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.matrix-hookshot = {
|
||||||
|
enable = true;
|
||||||
|
package = unstablePkgs.matrix-hookshot;
|
||||||
|
registrationFile = config.sops.templates."hookshot-registration.yaml".path;
|
||||||
|
settings = {
|
||||||
|
bridge = {
|
||||||
|
bindAddress = "127.0.0.1";
|
||||||
|
domain = "pvv.ntnu.no";
|
||||||
|
url = "https://matrix.pvv.ntnu.no";
|
||||||
|
mediaUrl = "https://matrix.pvv.ntnu.no";
|
||||||
|
port = 9993;
|
||||||
|
};
|
||||||
|
listeners = [
|
||||||
|
{
|
||||||
|
bindAddress = webhookListenAddress;
|
||||||
|
port = webhookListenPort;
|
||||||
|
resources = [
|
||||||
|
"webhooks"
|
||||||
|
# "metrics"
|
||||||
|
# "provisioning"
|
||||||
|
"widgets"
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
generic = {
|
||||||
|
enabled = true;
|
||||||
|
outbound = true;
|
||||||
|
urlPrefix = "https://hookshot.pvv.ntnu.no/webhook/";
|
||||||
|
userIdPrefix = "_webhooks_";
|
||||||
|
allowJsTransformationFunctions = false;
|
||||||
|
waitForComplete = false;
|
||||||
|
};
|
||||||
|
feeds = {
|
||||||
|
enabled = true;
|
||||||
|
pollIntervalSeconds = 600;
|
||||||
|
};
|
||||||
|
|
||||||
|
serviceBots = [
|
||||||
|
{ localpart = "bot_feeds";
|
||||||
|
displayname = "Aya";
|
||||||
|
avatar = ./feeds.png;
|
||||||
|
prefix = "!aya";
|
||||||
|
service = "feeds";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
permissions = [
|
||||||
|
# Users of the PVV Server
|
||||||
|
{ actor = "pvv.ntnu.no";
|
||||||
|
services = [ { service = "*"; level = "commands"; } ];
|
||||||
|
}
|
||||||
|
# Members of Medlem space (for people with their own hs)
|
||||||
|
{ actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
|
||||||
|
services = [ { service = "*"; level = "commands"; } ];
|
||||||
|
}
|
||||||
|
# Members of Drift
|
||||||
|
{ actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
|
||||||
|
services = [ { service = "*"; level = "admin"; } ];
|
||||||
|
}
|
||||||
|
# Dan bootstrap
|
||||||
|
{ actor = "@dandellion:dodsorf.as";
|
||||||
|
services = [ { service = "*"; level = "admin"; } ];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.matrix-hookshot.serviceDependencies = [
|
||||||
|
"matrix-synapse.target"
|
||||||
|
"nginx.service"
|
||||||
|
];
|
||||||
|
|
||||||
|
services.matrix-synapse-next.settings = {
|
||||||
|
app_service_config_files = [
|
||||||
|
config.sops.templates."hookshot-registration.yaml".path
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
|
||||||
|
enableACME = true;
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://${webhookListenAddress}:${toString webhookListenPort}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
Binary file not shown.
After Width: | Height: | Size: 1.1 MiB |
|
@ -0,0 +1,127 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
let
|
||||||
|
cfg = config.services.matrix-hookshot;
|
||||||
|
settingsFormat = pkgs.formats.yaml { };
|
||||||
|
configFile = settingsFormat.generate "matrix-hookshot-config.yml" cfg.settings;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options = {
|
||||||
|
services.matrix-hookshot = {
|
||||||
|
enable = lib.mkEnableOption "matrix-hookshot, a bridge between Matrix and project management services";
|
||||||
|
|
||||||
|
package = lib.mkPackageOption pkgs "matrix-hookshot" { };
|
||||||
|
|
||||||
|
registrationFile = lib.mkOption {
|
||||||
|
type = lib.types.path;
|
||||||
|
description = ''
|
||||||
|
Appservice registration file.
|
||||||
|
As it contains secret tokens, you may not want to add this to the publicly readable Nix store.
|
||||||
|
'';
|
||||||
|
example = lib.literalExpression ''
|
||||||
|
pkgs.writeText "matrix-hookshot-registration" \'\'
|
||||||
|
id: matrix-hookshot
|
||||||
|
as_token: aaaaaaaaaa
|
||||||
|
hs_token: aaaaaaaaaa
|
||||||
|
namespaces:
|
||||||
|
rooms: []
|
||||||
|
users:
|
||||||
|
- regex: "@_webhooks_.*:foobar"
|
||||||
|
exclusive: true
|
||||||
|
|
||||||
|
sender_localpart: hookshot
|
||||||
|
url: "http://localhost:9993"
|
||||||
|
rate_limited: false
|
||||||
|
\'\'
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
settings = lib.mkOption {
|
||||||
|
description = ''
|
||||||
|
{file}`config.yml` configuration as a Nix attribute set.
|
||||||
|
|
||||||
|
For details please see the [documentation](https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html).
|
||||||
|
'';
|
||||||
|
example = {
|
||||||
|
bridge = {
|
||||||
|
domain = "example.com";
|
||||||
|
url = "http://localhost:8008";
|
||||||
|
mediaUrl = "https://example.com";
|
||||||
|
port = 9993;
|
||||||
|
bindAddress = "127.0.0.1";
|
||||||
|
};
|
||||||
|
listeners = [
|
||||||
|
{
|
||||||
|
port = 9000;
|
||||||
|
bindAddress = "0.0.0.0";
|
||||||
|
resources = [ "webhooks" ];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
port = 9001;
|
||||||
|
bindAddress = "localhost";
|
||||||
|
resources = [
|
||||||
|
"metrics"
|
||||||
|
"provisioning"
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
default = { };
|
||||||
|
type = lib.types.submodule {
|
||||||
|
freeformType = settingsFormat.type;
|
||||||
|
options = {
|
||||||
|
passFile = lib.mkOption {
|
||||||
|
type = lib.types.path;
|
||||||
|
default = "/var/lib/matrix-hookshot/passkey.pem";
|
||||||
|
description = ''
|
||||||
|
A passkey used to encrypt tokens stored inside the bridge.
|
||||||
|
File will be generated if not found.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
serviceDependencies = lib.mkOption {
|
||||||
|
type = with lib.types; listOf str;
|
||||||
|
default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;
|
||||||
|
defaultText = lib.literalExpression ''
|
||||||
|
lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit
|
||||||
|
'';
|
||||||
|
description = ''
|
||||||
|
List of Systemd services to require and wait for when starting the application service,
|
||||||
|
such as the Matrix homeserver if it's running on the same host.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = lib.mkIf cfg.enable {
|
||||||
|
systemd.services.matrix-hookshot = {
|
||||||
|
description = "a bridge between Matrix and multiple project management services";
|
||||||
|
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
|
||||||
|
after = [ "network-online.target" ] ++ cfg.serviceDependencies;
|
||||||
|
|
||||||
|
preStart = ''
|
||||||
|
if [ ! -f '${cfg.settings.passFile}' ]; then
|
||||||
|
mkdir -p $(dirname '${cfg.settings.passFile}')
|
||||||
|
${pkgs.openssl}/bin/openssl genpkey -out '${cfg.settings.passFile}' -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "simple";
|
||||||
|
Restart = "always";
|
||||||
|
ExecStart = "${cfg.package}/bin/matrix-hookshot ${configFile} ${cfg.registrationFile}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
meta.maintainers = with lib.maintainers; [ flandweber ];
|
||||||
|
}
|
|
@ -0,0 +1,56 @@
|
||||||
|
{ config, lib, fp, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
sops.secrets."matrix/mjolnir/access_token" = {
|
||||||
|
sopsFile = fp /secrets/bicep/matrix.yaml;
|
||||||
|
key = "mjolnir/access_token";
|
||||||
|
owner = config.users.users.mjolnir.name;
|
||||||
|
group = config.users.users.mjolnir.group;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.mjolnir = {
|
||||||
|
enable = true;
|
||||||
|
pantalaimon.enable = false;
|
||||||
|
homeserverUrl = "https://matrix.pvv.ntnu.no";
|
||||||
|
accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
|
||||||
|
managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
|
||||||
|
protectedRooms = map (a: "https://matrix.to/#/${a}") [
|
||||||
|
"#pvv:pvv.ntnu.no"
|
||||||
|
"#stand:pvv.ntnu.no"
|
||||||
|
"#music:pvv.ntnu.no"
|
||||||
|
"#arts-and-crafts:pvv.ntnu.no"
|
||||||
|
"#programming:pvv.ntnu.no"
|
||||||
|
"#talks-and-texts:pvv.ntnu.no"
|
||||||
|
"#job-offers:pvv.ntnu.no"
|
||||||
|
"#vaffling:pvv.ntnu.no"
|
||||||
|
"#pvv-fadder:pvv.ntnu.no"
|
||||||
|
"#offsite:pvv.ntnu.no"
|
||||||
|
"#help:pvv.ntnu.no"
|
||||||
|
"#garniske-algoritmer:pvv.ntnu.no"
|
||||||
|
"#bouldering:pvv.ntnu.no"
|
||||||
|
"#filmclub:pvv.ntnu.no"
|
||||||
|
"#video-games:pvv.ntnu.no"
|
||||||
|
"#board-games:pvv.ntnu.no"
|
||||||
|
"#tabletop-rpgs:pvv.ntnu.no"
|
||||||
|
"#anime:pvv.ntnu.no"
|
||||||
|
"#general:pvv.ntnu.no"
|
||||||
|
"#announcements:pvv.ntnu.no"
|
||||||
|
"#memes:pvv.ntnu.no"
|
||||||
|
|
||||||
|
"#drift:pvv.ntnu.no"
|
||||||
|
"#notifikasjoner:pvv.ntnu.no"
|
||||||
|
"#forespoersler:pvv.ntnu.no"
|
||||||
|
"#krisekanalen:pvv.ntnu.no"
|
||||||
|
|
||||||
|
"#styret:pvv.ntnu.no"
|
||||||
|
];
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
admin.enableMakeRoomAdminCommand = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
# Module wants it even when not using pantalaimon
|
||||||
|
# TODO: Fix upstream module in nixpkgs
|
||||||
|
pantalaimon.username = "bot_admin";
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,17 @@
|
||||||
|
{ lib, buildPythonPackage, fetchFromGitHub }:
|
||||||
|
|
||||||
|
buildPythonPackage rec {
|
||||||
|
pname = "matrix-synapse-smtp-auth";
|
||||||
|
version = "0.1.0";
|
||||||
|
|
||||||
|
src = ./.;
|
||||||
|
|
||||||
|
doCheck = false;
|
||||||
|
|
||||||
|
meta = with lib; {
|
||||||
|
description = "An SMTP auth provider for Synapse";
|
||||||
|
homepage = "pvv.ntnu.no";
|
||||||
|
license = licenses.agpl3Only;
|
||||||
|
maintainers = with maintainers; [ dandellion ];
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,11 @@
|
||||||
|
from setuptools import setup
|
||||||
|
|
||||||
|
setup(
|
||||||
|
name="matrix-synapse-smtp-auth",
|
||||||
|
version="0.1.0",
|
||||||
|
py_modules=['smtp_auth_provider'],
|
||||||
|
author="Daniel Løvbrøtte Olsen",
|
||||||
|
author_email="danio@pvv.ntnu.no",
|
||||||
|
description="An SMTP auth provider for Synapse",
|
||||||
|
license="AGPL-3.0-only"
|
||||||
|
)
|
|
@ -0,0 +1,58 @@
|
||||||
|
from typing import Awaitable, Callable, Optional, Tuple
|
||||||
|
|
||||||
|
from smtplib import SMTP_SSL as SMTP
|
||||||
|
|
||||||
|
import synapse
|
||||||
|
from synapse import module_api
|
||||||
|
|
||||||
|
import re
|
||||||
|
|
||||||
|
import logging
|
||||||
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
class SMTPAuthProvider:
|
||||||
|
def __init__(self, config: dict, api: module_api):
|
||||||
|
self.api = api
|
||||||
|
|
||||||
|
self.config = config
|
||||||
|
|
||||||
|
api.register_password_auth_provider_callbacks(
|
||||||
|
auth_checkers={
|
||||||
|
("m.login.password", ("password",)): self.check_pass,
|
||||||
|
},
|
||||||
|
)
|
||||||
|
|
||||||
|
async def check_pass(
|
||||||
|
self,
|
||||||
|
username: str,
|
||||||
|
login_type: str,
|
||||||
|
login_dict: "synapse.module_api.JsonDict",
|
||||||
|
):
|
||||||
|
if login_type != "m.login.password":
|
||||||
|
return None
|
||||||
|
|
||||||
|
# Convert `@username:server` to `username`
|
||||||
|
match = re.match(r'^@([\da-z\-\.=_\/\+]+):[\w\d\.:\[\]]+$', username)
|
||||||
|
username = match.group(1) if match else username
|
||||||
|
|
||||||
|
result = False
|
||||||
|
with SMTP(self.config["smtp_host"]) as smtp:
|
||||||
|
password = login_dict.get("password")
|
||||||
|
try:
|
||||||
|
smtp.login(username, password)
|
||||||
|
result = True
|
||||||
|
except:
|
||||||
|
return None
|
||||||
|
|
||||||
|
if result == True:
|
||||||
|
userid = self.api.get_qualified_user_id(username)
|
||||||
|
|
||||||
|
userid = await self.api.check_user_exists(userid)
|
||||||
|
if not userid:
|
||||||
|
logger.info(f"user did not exist, registering {username}")
|
||||||
|
userid = await self.api.register_user(username)
|
||||||
|
logger.info(f"registered userid: {userid}")
|
||||||
|
return (userid, None)
|
||||||
|
else:
|
||||||
|
logger.info("returning None")
|
||||||
|
return None
|
|
@ -0,0 +1,204 @@
|
||||||
|
{ config, lib, fp, pkgs, values, inputs, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.services.matrix-synapse-next;
|
||||||
|
|
||||||
|
matrix-lib = inputs.matrix-next.lib;
|
||||||
|
|
||||||
|
imap0Attrs = with lib; f: set:
|
||||||
|
listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
|
||||||
|
in {
|
||||||
|
sops.secrets."matrix/synapse/signing_key" = {
|
||||||
|
key = "synapse/signing_key";
|
||||||
|
sopsFile = fp /secrets/bicep/matrix.yaml;
|
||||||
|
owner = config.users.users.matrix-synapse.name;
|
||||||
|
group = config.users.users.matrix-synapse.group;
|
||||||
|
};
|
||||||
|
|
||||||
|
sops.secrets."matrix/synapse/user_registration" = {
|
||||||
|
sopsFile = fp /secrets/bicep/matrix.yaml;
|
||||||
|
key = "synapse/signing_key";
|
||||||
|
owner = config.users.users.matrix-synapse.name;
|
||||||
|
group = config.users.users.matrix-synapse.group;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.matrix-synapse-next = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
plugins = [
|
||||||
|
(pkgs.python3Packages.callPackage ./smtp-authenticator { })
|
||||||
|
];
|
||||||
|
|
||||||
|
dataDir = "/data/synapse";
|
||||||
|
|
||||||
|
workers.federationSenders = 2;
|
||||||
|
workers.federationReceivers = 2;
|
||||||
|
workers.initialSyncers = 1;
|
||||||
|
workers.normalSyncers = 1;
|
||||||
|
workers.eventPersisters = 2;
|
||||||
|
workers.useUserDirectoryWorker = true;
|
||||||
|
|
||||||
|
enableNginx = true;
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
server_name = "pvv.ntnu.no";
|
||||||
|
public_baseurl = "https://matrix.pvv.ntnu.no";
|
||||||
|
|
||||||
|
signing_key_path = config.sops.secrets."matrix/synapse/signing_key".path;
|
||||||
|
|
||||||
|
media_store_path = "${cfg.dataDir}/media";
|
||||||
|
|
||||||
|
database = {
|
||||||
|
name = "psycopg2";
|
||||||
|
args = {
|
||||||
|
host = "/var/run/postgresql";
|
||||||
|
dbname = "synapse";
|
||||||
|
user = "matrix-synapse";
|
||||||
|
cp_min = 1;
|
||||||
|
cp_max = 5;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
presence.enabled = false;
|
||||||
|
|
||||||
|
event_cache_size = "20K"; # Default is 10K but I can't find the factor for this cache
|
||||||
|
caches = {
|
||||||
|
per_cache_factors = {
|
||||||
|
_event_auth_cache = 2.0;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
autocreate_auto_join_rooms = false;
|
||||||
|
auto_join_rooms = [
|
||||||
|
"#pvv:pvv.ntnu.no" # Main space
|
||||||
|
"#announcements:pvv.ntnu.no"
|
||||||
|
"#general:pvv.ntnu.no"
|
||||||
|
];
|
||||||
|
|
||||||
|
allow_public_rooms_over_federation = true;
|
||||||
|
|
||||||
|
max_upload_size = "150M";
|
||||||
|
|
||||||
|
enable_metrics = true;
|
||||||
|
mau_stats_only = true;
|
||||||
|
|
||||||
|
enable_registration = false;
|
||||||
|
registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;
|
||||||
|
|
||||||
|
password_config.enabled = true;
|
||||||
|
|
||||||
|
modules = [
|
||||||
|
{ module = "smtp_auth_provider.SMTPAuthProvider";
|
||||||
|
config = {
|
||||||
|
smtp_host = "smtp.pvv.ntnu.no";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
trusted_key_servers = [
|
||||||
|
{ server_name = "matrix.org"; }
|
||||||
|
{ server_name = "dodsorf.as"; }
|
||||||
|
];
|
||||||
|
|
||||||
|
url_preview_enabled = true;
|
||||||
|
url_preview_ip_range_blacklist = [
|
||||||
|
# synapse example config
|
||||||
|
"127.0.0.0/8"
|
||||||
|
"10.0.0.0/8"
|
||||||
|
"172.16.0.0/12"
|
||||||
|
"192.168.0.0/16"
|
||||||
|
"100.64.0.0/10"
|
||||||
|
"192.0.0.0/24"
|
||||||
|
"169.254.0.0/16"
|
||||||
|
"192.88.99.0/24"
|
||||||
|
"198.18.0.0/15"
|
||||||
|
"192.0.2.0/24"
|
||||||
|
"198.51.100.0/24"
|
||||||
|
"203.0.113.0/24"
|
||||||
|
"224.0.0.0/4"
|
||||||
|
"::1/128"
|
||||||
|
"fe80::/10"
|
||||||
|
"fc00::/7"
|
||||||
|
"2001:db8::/32"
|
||||||
|
"ff00::/8"
|
||||||
|
"fec0::/10"
|
||||||
|
|
||||||
|
# NTNU
|
||||||
|
"129.241.0.0/16"
|
||||||
|
"2001:700:300::/44"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.redis.servers."".enable = true;
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
|
||||||
|
{
|
||||||
|
kTLS = true;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
locations."/.well-known/matrix/server" = {
|
||||||
|
return = ''
|
||||||
|
200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
|
||||||
|
'';
|
||||||
|
extraConfig = ''
|
||||||
|
default_type application/json;
|
||||||
|
add_header Access-Control-Allow-Origin *;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
locations."/_synapse/admin" = {
|
||||||
|
proxyPass = "http://$synapse_backend";
|
||||||
|
extraConfig = ''
|
||||||
|
allow 127.0.0.1;
|
||||||
|
allow ::1;
|
||||||
|
allow ${values.hosts.bicep.ipv4};
|
||||||
|
allow ${values.hosts.bicep.ipv6};
|
||||||
|
deny all;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
locations = let
|
||||||
|
connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
|
||||||
|
socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString c.port}";
|
||||||
|
|
||||||
|
metricsPath = w: "/metrics/${w.type}/${toString w.index}";
|
||||||
|
proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
|
||||||
|
in lib.mapAttrs' (n: v: lib.nameValuePair
|
||||||
|
(metricsPath v) {
|
||||||
|
proxyPass = proxyPath v;
|
||||||
|
extraConfig = ''
|
||||||
|
allow ${values.hosts.ildkule.ipv4};
|
||||||
|
allow ${values.hosts.ildkule.ipv6};
|
||||||
|
deny all;
|
||||||
|
'';
|
||||||
|
})
|
||||||
|
cfg.workers.instances;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
locations."/metrics/master/1" = {
|
||||||
|
proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
|
||||||
|
extraConfig = ''
|
||||||
|
allow ${values.hosts.ildkule.ipv4};
|
||||||
|
allow ${values.hosts.ildkule.ipv6};
|
||||||
|
deny all;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
locations."/metrics/" = let
|
||||||
|
endpoints = lib.pipe cfg.workers.instances [
|
||||||
|
(lib.mapAttrsToList (_: v: v))
|
||||||
|
(map (w: "${w.type}/${toString w.index}"))
|
||||||
|
(map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
|
||||||
|
] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
|
||||||
|
in {
|
||||||
|
alias = pkgs.writeTextDir "/config.json"
|
||||||
|
(builtins.toJSON [
|
||||||
|
{ targets = endpoints;
|
||||||
|
labels = { };
|
||||||
|
}]) + "/";
|
||||||
|
};
|
||||||
|
}];
|
||||||
|
}
|
|
@ -0,0 +1,53 @@
|
||||||
|
{ pkgs, lib, config, values, ... }:
|
||||||
|
{
|
||||||
|
sops.secrets."mysql/password" = {
|
||||||
|
owner = "mysql";
|
||||||
|
group = "mysql";
|
||||||
|
};
|
||||||
|
|
||||||
|
users.mysql.passwordFile = config.sops.secrets."mysql/password".path;
|
||||||
|
|
||||||
|
services.mysql = {
|
||||||
|
enable = true;
|
||||||
|
dataDir = "/data/mysql";
|
||||||
|
package = pkgs.mariadb;
|
||||||
|
settings = {
|
||||||
|
mysqld = {
|
||||||
|
# PVV allows a lot of connections at the same time
|
||||||
|
max_connect_errors = 10000;
|
||||||
|
bind-address = values.services.mysql.ipv4;
|
||||||
|
skip-networking = 0;
|
||||||
|
|
||||||
|
# This was needed in order to be able to use all of the old users
|
||||||
|
# during migration from knakelibrak to bicep in Sep. 2023
|
||||||
|
secure_auth = 0;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Note: This user also has MAX_USER_CONNECTIONS set to 3, and
|
||||||
|
# a password which can be found in /secrets/ildkule/ildkule.yaml
|
||||||
|
# We have also changed both the host and auth plugin of this user
|
||||||
|
# to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
|
||||||
|
ensureUsers = [{
|
||||||
|
name = "prometheus_mysqld_exporter";
|
||||||
|
ensurePermissions = {
|
||||||
|
"*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
|
||||||
|
};
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.mysqlBackup = {
|
||||||
|
enable = true;
|
||||||
|
location = "/var/lib/mysql/backups";
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ 3306 ];
|
||||||
|
|
||||||
|
systemd.services.mysql.serviceConfig = {
|
||||||
|
IPAddressDeny = "any";
|
||||||
|
IPAddressAllow = [
|
||||||
|
values.ipv4-space
|
||||||
|
values.ipv6-space
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,15 @@
|
||||||
|
{ config, values, ... }:
|
||||||
|
{
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
enableReload = true;
|
||||||
|
defaultListenAddresses = [
|
||||||
|
values.hosts.bicep.ipv4
|
||||||
|
"[${values.hosts.bicep.ipv6}]"
|
||||||
|
|
||||||
|
"127.0.0.1"
|
||||||
|
"127.0.0.2"
|
||||||
|
"[::1]"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,98 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
{
|
||||||
|
services.postgresql = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.postgresql_15;
|
||||||
|
enableTCPIP = true;
|
||||||
|
|
||||||
|
dataDir = "/data/postgresql";
|
||||||
|
|
||||||
|
authentication = ''
|
||||||
|
host all all 129.241.210.128/25 md5
|
||||||
|
host all all 2001:700:300:1900::/64 md5
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Hilsen https://pgconfigurator.cybertec-postgresql.com/
|
||||||
|
settings = {
|
||||||
|
# Connectivity
|
||||||
|
max_connections = 500;
|
||||||
|
superuser_reserved_connections = 3;
|
||||||
|
|
||||||
|
# Memory Settings
|
||||||
|
shared_buffers = "8192 MB";
|
||||||
|
work_mem = "32 MB";
|
||||||
|
maintenance_work_mem = "420 MB";
|
||||||
|
effective_cache_size = "22 GB";
|
||||||
|
effective_io_concurrency = 100;
|
||||||
|
random_page_cost = 1.25;
|
||||||
|
|
||||||
|
# Monitoring
|
||||||
|
shared_preload_libraries = "pg_stat_statements";
|
||||||
|
track_io_timing = true;
|
||||||
|
track_functions = "pl";
|
||||||
|
|
||||||
|
# Replication
|
||||||
|
wal_level = "replica";
|
||||||
|
max_wal_senders = 0;
|
||||||
|
synchronous_commit = false;
|
||||||
|
|
||||||
|
# Checkpointing:
|
||||||
|
checkpoint_timeout = "15 min";
|
||||||
|
checkpoint_completion_target = 0.9;
|
||||||
|
max_wal_size = "1024 MB";
|
||||||
|
min_wal_size = "512 MB";
|
||||||
|
|
||||||
|
# WAL writing
|
||||||
|
wal_compression = true;
|
||||||
|
wal_buffers = -1;
|
||||||
|
|
||||||
|
# Background writer
|
||||||
|
bgwriter_delay = "200ms";
|
||||||
|
bgwriter_lru_maxpages = 100;
|
||||||
|
bgwriter_lru_multiplier = 2.0;
|
||||||
|
bgwriter_flush_after = 0;
|
||||||
|
|
||||||
|
# Parallel queries:
|
||||||
|
max_worker_processes = 8;
|
||||||
|
max_parallel_workers_per_gather = 4;
|
||||||
|
max_parallel_maintenance_workers = 4;
|
||||||
|
max_parallel_workers = 8;
|
||||||
|
parallel_leader_participation = true;
|
||||||
|
|
||||||
|
# Advanced features
|
||||||
|
enable_partitionwise_join = true;
|
||||||
|
enable_partitionwise_aggregate = true;
|
||||||
|
max_slot_wal_keep_size = "1000 MB";
|
||||||
|
track_wal_io_timing = true;
|
||||||
|
maintenance_io_concurrency = 100;
|
||||||
|
wal_recycle = true;
|
||||||
|
|
||||||
|
# SSL
|
||||||
|
ssl = true;
|
||||||
|
ssl_cert_file = "/run/credentials/postgresql.service/cert";
|
||||||
|
ssl_key_file = "/run/credentials/postgresql.service/key";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.postgresql.serviceConfig = {
|
||||||
|
LoadCredential = [
|
||||||
|
"cert:/etc/certs/postgres.crt"
|
||||||
|
"key:/etc/certs/postgres.key"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
environment.snakeoil-certs."/etc/certs/postgres" = {
|
||||||
|
owner = "postgres";
|
||||||
|
group = "postgres";
|
||||||
|
subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ 5432 ];
|
||||||
|
networking.firewall.allowedUDPPorts = [ 5432 ];
|
||||||
|
|
||||||
|
services.postgresqlBackup = {
|
||||||
|
enable = true;
|
||||||
|
location = "/var/lib/postgres/backups";
|
||||||
|
backupAll = true;
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,44 @@
|
||||||
|
{ config, pkgs, values, ... }:
|
||||||
|
{
|
||||||
|
networking.nat = {
|
||||||
|
enable = true;
|
||||||
|
internalInterfaces = ["ve-+"];
|
||||||
|
externalInterface = "ens3";
|
||||||
|
# Lazy IPv6 connectivity for the container
|
||||||
|
enableIPv6 = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
containers.bikkje = {
|
||||||
|
autoStart = true;
|
||||||
|
config = { config, pkgs, ... }: {
|
||||||
|
#import packages
|
||||||
|
packages = with pkgs; [
|
||||||
|
alpine
|
||||||
|
mutt
|
||||||
|
mutt-ics
|
||||||
|
mutt-wizard
|
||||||
|
weechat
|
||||||
|
weechatScripts.edit
|
||||||
|
hexchat
|
||||||
|
irssi
|
||||||
|
pidgin
|
||||||
|
];
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
firewall = {
|
||||||
|
enable = true;
|
||||||
|
# Allow SSH and HTTP and ports for email and irc
|
||||||
|
allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
|
||||||
|
allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
|
||||||
|
};
|
||||||
|
# Use systemd-resolved inside the container
|
||||||
|
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
|
||||||
|
useHostResolvConf = mkForce false;
|
||||||
|
};
|
||||||
|
|
||||||
|
system.stateVersion = "23.11";
|
||||||
|
services.resolved.enable = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
|
@ -0,0 +1,46 @@
|
||||||
|
{ config, fp, pkgs, values, ... }:
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
# Include the results of the hardware scan.
|
||||||
|
./hardware-configuration.nix
|
||||||
|
(fp /base)
|
||||||
|
(fp /misc/metrics-exporters.nix)
|
||||||
|
./disks.nix
|
||||||
|
|
||||||
|
(fp /misc/builder.nix)
|
||||||
|
];
|
||||||
|
|
||||||
|
sops.defaultSopsFile = fp /secrets/bob/bob.yaml;
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
||||||
|
sops.age.generateKey = true;
|
||||||
|
|
||||||
|
boot.loader.grub = {
|
||||||
|
enable = true;
|
||||||
|
efiSupport = true;
|
||||||
|
efiInstallAsRemovable = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.hostName = "bob"; # Define your hostname.
|
||||||
|
|
||||||
|
systemd.network.networks."30-all" = values.defaultNetworkConfig // {
|
||||||
|
matchConfig.Name = "en*";
|
||||||
|
DHCP = "yes";
|
||||||
|
gateway = [ ];
|
||||||
|
};
|
||||||
|
|
||||||
|
# List packages installed in system profile
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
];
|
||||||
|
|
||||||
|
# List services that you want to enable:
|
||||||
|
|
||||||
|
# This value determines the NixOS release from which the default
|
||||||
|
# settings for stateful data, like file locations and database versions
|
||||||
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||||
|
# this value at the release version of the first install of this system.
|
||||||
|
# Before changing this value read the documentation for this option
|
||||||
|
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||||
|
system.stateVersion = "23.05"; # Did you read the comment?
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,39 @@
|
||||||
|
# Example to create a bios compatible gpt partition
|
||||||
|
{ lib, ... }:
|
||||||
|
{
|
||||||
|
disko.devices = {
|
||||||
|
disk.disk1 = {
|
||||||
|
device = lib.mkDefault "/dev/sda";
|
||||||
|
type = "disk";
|
||||||
|
content = {
|
||||||
|
type = "gpt";
|
||||||
|
partitions = {
|
||||||
|
boot = {
|
||||||
|
name = "boot";
|
||||||
|
size = "1M";
|
||||||
|
type = "EF02";
|
||||||
|
};
|
||||||
|
esp = {
|
||||||
|
name = "ESP";
|
||||||
|
size = "500M";
|
||||||
|
type = "EF00";
|
||||||
|
content = {
|
||||||
|
type = "filesystem";
|
||||||
|
format = "vfat";
|
||||||
|
mountpoint = "/boot";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
root = {
|
||||||
|
name = "root";
|
||||||
|
size = "100%";
|
||||||
|
content = {
|
||||||
|
type = "filesystem";
|
||||||
|
format = "ext4";
|
||||||
|
mountpoint = "/";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,24 @@
|
||||||
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
|
# and may be overwritten by future invocations. Please make changes
|
||||||
|
# to /etc/nixos/configuration.nix instead.
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ (modulesPath + "/profiles/qemu-guest.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
}
|
|
@ -0,0 +1,36 @@
|
||||||
|
{ config, fp, pkgs, values, ... }:
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
# Include the results of the hardware scan.
|
||||||
|
./hardware-configuration.nix
|
||||||
|
(fp /base)
|
||||||
|
(fp /misc/metrics-exporters.nix)
|
||||||
|
|
||||||
|
./services/grzegorz.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
|
networking.hostName = "brzeczyszczykiewicz";
|
||||||
|
|
||||||
|
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
|
||||||
|
matchConfig.Name = "eno1";
|
||||||
|
address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
||||||
|
};
|
||||||
|
|
||||||
|
# List packages installed in system profile
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
];
|
||||||
|
|
||||||
|
# List services that you want to enable:
|
||||||
|
|
||||||
|
# This value determines the NixOS release from which the default
|
||||||
|
# settings for stateful data, like file locations and database versions
|
||||||
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||||
|
# this value at the release version of the first install of this system.
|
||||||
|
# Before changing this value read the documentation for this option
|
||||||
|
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||||
|
system.stateVersion = "23.05"; # Did you read the comment?
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,39 @@
|
||||||
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
|
# and may be overwritten by future invocations. Please make changes
|
||||||
|
# to /etc/nixos/configuration.nix instead.
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/82E3-3D03";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices =
|
||||||
|
[ { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
|
||||||
|
];
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
}
|
|
@ -0,0 +1,11 @@
|
||||||
|
{ config, fp, ... }:
|
||||||
|
{
|
||||||
|
imports = [ (fp /modules/grzegorz.nix) ];
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."${config.networking.fqdn}" = {
|
||||||
|
serverAliases = [
|
||||||
|
"bokhylle.pvv.ntnu.no"
|
||||||
|
"bokhylle.pvv.org"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,36 @@
|
||||||
|
{ config, fp, pkgs, values, ... }:
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
# Include the results of the hardware scan.
|
||||||
|
./hardware-configuration.nix
|
||||||
|
(fp /base)
|
||||||
|
(fp /misc/metrics-exporters.nix)
|
||||||
|
|
||||||
|
(fp /modules/grzegorz.nix)
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
|
networking.hostName = "georg";
|
||||||
|
|
||||||
|
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
|
||||||
|
matchConfig.Name = "eno1";
|
||||||
|
address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
||||||
|
};
|
||||||
|
|
||||||
|
# List packages installed in system profile
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
];
|
||||||
|
|
||||||
|
# List services that you want to enable:
|
||||||
|
|
||||||
|
# This value determines the NixOS release from which the default
|
||||||
|
# settings for stateful data, like file locations and database versions
|
||||||
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||||
|
# this value at the release version of the first install of this system.
|
||||||
|
# Before changing this value read the documentation for this option
|
||||||
|
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||||
|
system.stateVersion = "23.05"; # Did you read the comment?
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,40 @@
|
||||||
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
|
# and may be overwritten by future invocations. Please make changes
|
||||||
|
# to /etc/nixos/configuration.nix instead.
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/145E-7362";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices =
|
||||||
|
[ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
|
||||||
|
];
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
}
|
|
@ -1,66 +0,0 @@
|
||||||
# Edit this configuration file to define what should be installed on
|
|
||||||
# your system. Help is available in the configuration.nix(5) man page
|
|
||||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
|
||||||
|
|
||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports =
|
|
||||||
[ # Include the results of the hardware scan.
|
|
||||||
../../hardware-configuration.nix
|
|
||||||
|
|
||||||
../../base.nix
|
|
||||||
|
|
||||||
../../services/minecraft
|
|
||||||
];
|
|
||||||
|
|
||||||
nixpkgs.config.packageOverrides = pkgs: {
|
|
||||||
unstable = (import <nixos-unstable>) { };
|
|
||||||
};
|
|
||||||
|
|
||||||
# Use the GRUB 2 boot loader.
|
|
||||||
boot.loader.grub.enable = true;
|
|
||||||
boot.loader.grub.version = 2;
|
|
||||||
# boot.loader.grub.efiSupport = true;
|
|
||||||
# boot.loader.grub.efiInstallAsRemovable = true;
|
|
||||||
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
|
|
||||||
# Define on which hard drive you want to install Grub.
|
|
||||||
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
|
|
||||||
|
|
||||||
networking.hostName = "greddost"; # Define your hostname.
|
|
||||||
|
|
||||||
networking.interfaces.ens18.useDHCP = false;
|
|
||||||
|
|
||||||
networking.defaultGateway = "129.241.210.129";
|
|
||||||
networking.interfaces.ens18.ipv4 = {
|
|
||||||
addresses = [
|
|
||||||
{
|
|
||||||
address = "129.241.210.174";
|
|
||||||
prefixLength = 25;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
networking.interfaces.ens18.ipv6 = {
|
|
||||||
addresses = [
|
|
||||||
{
|
|
||||||
address = "2001:700:300:1900::174";
|
|
||||||
prefixLength = 64;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
|
|
||||||
|
|
||||||
# Open ports in the firewall.
|
|
||||||
networking.firewall.allowedTCPPorts = [ 25565 ];
|
|
||||||
networking.firewall.allowedUDPPorts = [ 25565 ];
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
|
||||||
# settings for stateful data, like file locations and database versions
|
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
||||||
# this value at the release version of the first install of this system.
|
|
||||||
# Before changing this value read the documentation for this option
|
|
||||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
|
||||||
system.stateVersion = "21.11"; # Did you read the comment?
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,158 +0,0 @@
|
||||||
{config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
|
|
||||||
imports = [ ./minecraft-server-fabric.nix ];
|
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
mcron
|
|
||||||
];
|
|
||||||
|
|
||||||
pvv.minecraft-server-fabric = {
|
|
||||||
enable = true;
|
|
||||||
eula = true;
|
|
||||||
|
|
||||||
package = pkgs.callPackage ../../pkgs/minecraft-server-fabric { minecraft-server = (pkgs.callPackage ../../pkgs/minecraft-server/1_18_1.nix { }); };
|
|
||||||
jvmOpts = "-Xms10G -Xmx10G -XX:+UnlockExperimentalVMOptions -XX:+UseZGC -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:+ParallelRefProcEnabled";
|
|
||||||
|
|
||||||
serverProperties = {
|
|
||||||
view-distance = 12;
|
|
||||||
simulation-distance = 12;
|
|
||||||
|
|
||||||
enable-command-block = true;
|
|
||||||
|
|
||||||
gamemode = "survival";
|
|
||||||
difficulty = "normal";
|
|
||||||
|
|
||||||
white-list = true;
|
|
||||||
|
|
||||||
enable-rcon = true;
|
|
||||||
"rcon.password" = "pvv";
|
|
||||||
};
|
|
||||||
|
|
||||||
dataDir = "/fast/minecraft-pvv";
|
|
||||||
|
|
||||||
mods = [
|
|
||||||
(pkgs.fetchurl { # Fabric API is a common dependency for fabric based mods
|
|
||||||
url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/0.44.0+1.18/fabric-api-0.44.0+1.18.jar";
|
|
||||||
sha256 = "0mlmj7mj073a48s8zgc1km0jwkphz01c1fvivn4mw37lbm2p4834";
|
|
||||||
})
|
|
||||||
(pkgs.fetchurl { # Lithium is a 100% vanilla compatible optimization mod
|
|
||||||
url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/mc1.18.1-0.7.6/lithium-fabric-mc1.18.1-0.7.6.jar";
|
|
||||||
sha256 = "1fw1ikg578v4i6bmry7810a3q53h8yspxa3awdz7d746g91g8lf7";
|
|
||||||
})
|
|
||||||
(pkgs.fetchurl { # Starlight is the lighting engine of papermc
|
|
||||||
url = "https://cdn.modrinth.com/data/H8CaAYZC/versions/Starlight%201.0.0%201.18.x/starlight-1.0.0+fabric.d0a3220.jar";
|
|
||||||
sha256 = "0bv9im45hhc8n6x57lakh2rms0g5qb7qfx8qpx8n6mbrjjz6gla1";
|
|
||||||
})
|
|
||||||
(pkgs.fetchurl { # Krypton is a linux optimized optimizer for minecrafts networking system
|
|
||||||
url = "https://cdn.modrinth.com/data/fQEb0iXm/versions/0.1.6/krypton-0.1.6.jar";
|
|
||||||
sha256 = "1ribvbww4msrfdnzlxipk8kpzz7fnwnd4q6ln6mpjlhihcjb3hni";
|
|
||||||
})
|
|
||||||
(pkgs.fetchurl { # C2ME is a parallelizer for chunk loading and generation, experimental!!!
|
|
||||||
url = "https://cdn.modrinth.com/data/VSNURh3q/versions/0.2.0+alpha.5.104%201.18.1/c2me-fabric-mc1.18.1-0.2.0+alpha.5.104-all.jar";
|
|
||||||
sha256 = "13zrpsg61fynqnnlm7dvy3ihxk8khlcqsif68ak14z7kgm4py6nw";
|
|
||||||
})
|
|
||||||
(pkgs.fetchurl { # Spark is a profiler for minecraft
|
|
||||||
url = "https://ci.lucko.me/job/spark/251/artifact/spark-fabric/build/libs/spark-fabric.jar";
|
|
||||||
sha256 = "1clvi5v7a14ba23jbka9baz99h6wcfjbadc8kkj712fmy2h0sx07";
|
|
||||||
})
|
|
||||||
#(pkgs.fetchurl { # Carpetmod gives you tps views in the tab menu,
|
|
||||||
# # but also adds a lot of optional serverside vanilla+ features (which we arent using).
|
|
||||||
# # So probably want something else
|
|
||||||
# url = "https://github.com/gnembon/fabric-carpet/releases/download/1.4.56/fabric-carpet-1.18-1.4.56+v211130.jar";
|
|
||||||
# sha256 = "0rvl2yb8xymla8c052j07gqkqfkz4h5pxf6aip2v9v0h8r84p9hf";
|
|
||||||
#})
|
|
||||||
];
|
|
||||||
|
|
||||||
whitelist = {
|
|
||||||
gunalx = "913a21ae-3a11-4178-a192-401490ca0891";
|
|
||||||
eirikwitt = "1689e626-1cc8-4b91-81c4-0632fd34eb19";
|
|
||||||
Rockj = "202c0c91-a4e0-4b45-8c1b-fc51a8956c0a";
|
|
||||||
paddishar = "326845aa-4b45-4cd9-8108-7816e10a9828";
|
|
||||||
nordyorn = "f253cddf-a520-42ab-85d3-713992746e42";
|
|
||||||
hell04 = "c681df2a-6a30-4c66-b70d-742eb68bbc04";
|
|
||||||
steinarh = "bd8c419e-e6dc-4fc5-ac62-b92f98c1abc9";
|
|
||||||
EastTown2000 = "f273ed2e-d3ba-43fc-aff4-3e800cdf25e1";
|
|
||||||
DirDanner = "5b5476a2-1138-476b-9ff1-1f39f834a428";
|
|
||||||
asgeirbj = "dbd5d89f-3d8a-4662-ad15-6c4802d0098f";
|
|
||||||
Linke03 = "0dbc661d-898a-47ff-a371-32b7bd76b78b";
|
|
||||||
somaen = "cc0bdd13-4304-4160-80e7-8f043446fa83";
|
|
||||||
einaman = "39f45df3-423d-4274-9ef9-c9b7575e3804";
|
|
||||||
liseu = "c8f4d9d8-3140-4c35-9f66-22bc351bb7e6";
|
|
||||||
torsteno = "ae1e7b15-a0de-4244-9f73-25b68427e34a";
|
|
||||||
simtind = "39c03c95-d628-4ccc-843d-ce1332462d9e";
|
|
||||||
aellaie = "c585605d-24bb-4d75-ba9c-0064f6a39328";
|
|
||||||
PerKjelsvik = "5df69f17-27c9-4426-bcae-88b435dfae73";
|
|
||||||
CelestialCry = "9e34d192-364e-4566-883a-afc868c4224d";
|
|
||||||
terjesc = "993d70e8-6f9b-4094-813c-050d1a90be62";
|
|
||||||
maxelost = "bf465915-871a-4e3e-a80c-061117b86b23";
|
|
||||||
"4ce1" = "8a9b4926-0de8-43f0-bcde-df1442dee1d0";
|
|
||||||
exponential = "1ebcca9d-0964-48f3-9154-126a9a7e64f6";
|
|
||||||
Dodsorbot = "3baa9d58-32e4-465e-80bc-9dcb34e23e1d";
|
|
||||||
HFANTOM = "cd74d407-7fb0-4454-b3f4-c0b4341fde18";
|
|
||||||
Ghostmaker = "96465eee-e665-49ab-9346-f12d5a040624";
|
|
||||||
soonhalle = "61a8e674-7c7a-4120-80d1-4453a5993350";
|
|
||||||
MasterMocca = "481e6dac-9a17-4212-9664-645c3abe232f";
|
|
||||||
soulprayfree = "cfb1fb23-5115-4fe2-9af9-00a02aea9bf8";
|
|
||||||
calibwam = "0d5d5209-bb7c-4006-9451-fb85d7d52618";
|
|
||||||
Skuggen = "f0ccee0b-741a-413a-b8e6-d04552b9d78a";
|
|
||||||
Sivertsen3 = "cefac1a6-52a7-4781-be80-e7520f758554";
|
|
||||||
vafflonaut = "4d864d5c-74e2-4f29-b57d-50dea76aaabd";
|
|
||||||
Dhila = "c71d6c23-14d7-4daf-ae59-cbf0caf45681";
|
|
||||||
remorino = "2972ab22-96b3-462d-ab4d-9b6b1775b9bb";
|
|
||||||
SamuelxJackson = "f140e4aa-0a19-48ab-b892-79b24bd82c1e";
|
|
||||||
ToanBuiDuc = "a3c54742-4caf-4334-8bbb-6402a8eb4268";
|
|
||||||
Joces123 = "ecbcfbf9-9bcc-49f0-9435-f2ac2b3217c1";
|
|
||||||
brunsviken = "75ff5f0e-8adf-4807-a7f0-4cb66f81cb7f";
|
|
||||||
oscarsb1 = "9460015a-65cc-4a2f-9f91-b940b6ce7996";
|
|
||||||
CVi = "6f5691ce-9f9c-4310-84aa-759d2f9e138e";
|
|
||||||
Tawos = "0b98e55c-10cf-4b23-85d3-d15407431ace";
|
|
||||||
evenhunn = "8751581b-cc5f-4f8b-ae1e-34d90127e074";
|
|
||||||
q41 = "a080e5b4-10ee-4d6f-957e-aa5053bb1046";
|
|
||||||
jesper001 = "fbdf3ceb-eaa9-4aeb-94c2-a587cde41774";
|
|
||||||
finninde = "f58afd00-28cd-48dd-a74a-6c1d76b57f66";
|
|
||||||
GameGuru999 = "535f2188-a4a4-4e54-bec6-74977bee09ab";
|
|
||||||
MinusOneKelvin = "b6b973bf-1e35-4a58-803b-a555fd90a172";
|
|
||||||
SuperRagna = "e2c32136-e510-41b1-84c0-41baeccfb0b9";
|
|
||||||
Zamazaki = "d4411eca-401a-4565-9451-5ced6f48f23f";
|
|
||||||
supertheodor = "610c4e86-0ecc-4e7a-bffc-35a2e7d90aa6";
|
|
||||||
Minelost = "22ae2a1f-cfd9-4f10-9e41-e7becd34aba8";
|
|
||||||
Bjand = "aed136b6-17f7-4ce1-8a7b-a09eb1694ccf";
|
|
||||||
Dandellion = "f393413b-59fc-49d7-a5c4-83a5d177132c";
|
|
||||||
Shogori = "f9d571bd-5754-46e8-aef8-e89b38a6be9b";
|
|
||||||
Caragath = "f8d34f3a-55c3-4adc-b8d8-73a277f979e8";
|
|
||||||
Shmaapqueen = "425f2eef-1a9d-4626-9ba3-cd58156943dc";
|
|
||||||
Liquidlif3 = "420482b3-885f-4951-ba1e-30c22438a7e0";
|
|
||||||
newtonseple = "7d8bf9ca-0499-4cb7-9d6a-daabf80482b6";
|
|
||||||
nainis = "2eaf3736-decc-4e11-9a44-af2df0ee7c81";
|
|
||||||
Devolan = "87016228-76b2-434f-a963-33b005ae9e42";
|
|
||||||
zSkyler = "c92169e4-ca14-4bd5-9ea2-410fe956abe2";
|
|
||||||
Cryovat = "7127d743-873e-464b-927a-d23b9ad5b74a";
|
|
||||||
cybrhuman = "14a67926-cff0-4542-a111-7f557d10cc67";
|
|
||||||
stinl = "3a08be01-1e74-4d68-88d1-07d0eb23356f";
|
|
||||||
Mirithing = "7b327f51-4f1b-4606-88c7-378eff1b92b1";
|
|
||||||
"_dextra" = "4b7b4ee7-eb5b-48fd-88c3-1cc68f06acda";
|
|
||||||
Soraryuu = "0d5ffe48-e64f-4d6d-9432-f374ea8ec10c";
|
|
||||||
klarken1 = "d6967cb8-2bc6-4db7-a093-f0770cce47df";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 25565 ];
|
|
||||||
networking.firewall.allowedUDPPorts = [ 25565 ];
|
|
||||||
|
|
||||||
systemd.services."minecraft-backup" = {
|
|
||||||
serviceConfig.Type = "oneshot";
|
|
||||||
script = ''
|
|
||||||
${pkgs.mcrcon}/bin/mcrcon -p pvv "say Starting Backup" "save-off" "save-all"
|
|
||||||
${pkgs.rsync}/bin/rsync -aiz --delete ${config.pvv.minecraft-server-fabric.dataDir}/world /fast/backup # Where to put backup
|
|
||||||
${pkgs.mcrcon}/bin/mcrcon -p pvv "save-all" "say Completed Backup" "save-on" "save-all"
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.timers."minecraft-backup" = {
|
|
||||||
wantedBy = ["timers.target"];
|
|
||||||
timerConfig.OnCalendar = [ "hourly" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
}
|
|
|
@ -1,180 +0,0 @@
|
||||||
{ lib, pkgs, config, ... }:
|
|
||||||
|
|
||||||
with lib;
|
|
||||||
|
|
||||||
let
|
|
||||||
cfg = config.pvv.minecraft-server-fabric;
|
|
||||||
|
|
||||||
# We don't allow eula=false anyways
|
|
||||||
eulaFile = builtins.toFile "eula.txt" ''
|
|
||||||
# eula.txt managed by NixOS Configuration
|
|
||||||
eula=true
|
|
||||||
'';
|
|
||||||
|
|
||||||
whitelistFile = pkgs.writeText "whitelist.json"
|
|
||||||
(builtins.toJSON
|
|
||||||
(mapAttrsToList (n: v: { name = n; uuid = v; }) cfg.whitelist));
|
|
||||||
|
|
||||||
cfgToString = v: if builtins.isBool v then boolToString v else toString v;
|
|
||||||
|
|
||||||
serverPropertiesFile = pkgs.writeText "server.properties" (''
|
|
||||||
# server.properties managed by NixOS configuration
|
|
||||||
'' + concatStringsSep "\n" (mapAttrsToList
|
|
||||||
(n: v: "${n}=${cfgToString v}") cfg.serverProperties));
|
|
||||||
|
|
||||||
defaultServerPort = 25565;
|
|
||||||
|
|
||||||
serverPort = cfg.serverProperties.server-port or defaultServerPort;
|
|
||||||
|
|
||||||
rconPort = if cfg.serverProperties.enable-rcon or false
|
|
||||||
then cfg.serverProperties."rcon.port" or 25575
|
|
||||||
else null;
|
|
||||||
|
|
||||||
queryPort = if cfg.serverProperties.enable-query or false
|
|
||||||
then cfg.serverProperties."query.port" or 25565
|
|
||||||
else null;
|
|
||||||
|
|
||||||
in
|
|
||||||
{
|
|
||||||
|
|
||||||
options.pvv.minecraft-server-fabric = {
|
|
||||||
enable = mkEnableOption "minecraft-server-fabric";
|
|
||||||
|
|
||||||
package = mkOption {
|
|
||||||
type = types.package;
|
|
||||||
};
|
|
||||||
|
|
||||||
eula = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = ''
|
|
||||||
Whether you agree to
|
|
||||||
<link xlink:href="https://account.mojang.com/documents/minecraft_eula">
|
|
||||||
Mojangs EULA</link>. This option must be set to
|
|
||||||
<literal>true</literal> to run Minecraft server.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
dataDir = mkOption {
|
|
||||||
type = types.path;
|
|
||||||
default = "/var/lib/minecraft-fabric";
|
|
||||||
description = ''
|
|
||||||
Directory to store Minecraft database and other state/data files.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
whitelist = mkOption {
|
|
||||||
type = let
|
|
||||||
minecraftUUID = types.strMatching
|
|
||||||
"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" // {
|
|
||||||
description = "Minecraft UUID";
|
|
||||||
};
|
|
||||||
in types.attrsOf minecraftUUID;
|
|
||||||
default = {};
|
|
||||||
description = ''
|
|
||||||
Whitelisted players, only has an effect when
|
|
||||||
<option>services.minecraft-server.declarative</option> is
|
|
||||||
<literal>true</literal> and the whitelist is enabled
|
|
||||||
via <option>services.minecraft-server.serverProperties</option> by
|
|
||||||
setting <literal>white-list</literal> to <literal>true</literal>.
|
|
||||||
This is a mapping from Minecraft usernames to UUIDs.
|
|
||||||
You can use <link xlink:href="https://mcuuid.net/"/> to get a
|
|
||||||
Minecraft UUID for a username.
|
|
||||||
'';
|
|
||||||
example = literalExpression ''
|
|
||||||
{
|
|
||||||
username1 = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
|
|
||||||
username2 = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy";
|
|
||||||
};
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
serverProperties = mkOption {
|
|
||||||
type = with types; attrsOf (oneOf [ bool int str ]);
|
|
||||||
default = {};
|
|
||||||
example = literalExpression ''
|
|
||||||
{
|
|
||||||
server-port = 43000;
|
|
||||||
difficulty = 3;
|
|
||||||
gamemode = 1;
|
|
||||||
max-players = 5;
|
|
||||||
motd = "NixOS Minecraft server!";
|
|
||||||
white-list = true;
|
|
||||||
enable-rcon = true;
|
|
||||||
"rcon.password" = "hunter2";
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
description = ''
|
|
||||||
Minecraft server properties for the server.properties file. Only has
|
|
||||||
an effect when <option>services.minecraft-server.declarative</option>
|
|
||||||
is set to <literal>true</literal>. See
|
|
||||||
<link xlink:href="https://minecraft.gamepedia.com/Server.properties#Java_Edition_3"/>
|
|
||||||
for documentation on these values.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
jvmOpts = mkOption {
|
|
||||||
type = types.separatedString " ";
|
|
||||||
default = "-Xmx2048M -Xms2048M";
|
|
||||||
# Example options from https://minecraft.gamepedia.com/Tutorials/Server_startup_script
|
|
||||||
example = "-Xmx2048M -Xms4092M -XX:+UseG1GC -XX:+CMSIncrementalPacing "
|
|
||||||
+ "-XX:+CMSClassUnloadingEnabled -XX:ParallelGCThreads=2 "
|
|
||||||
+ "-XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
|
|
||||||
description = "JVM options for the Minecraft server.";
|
|
||||||
};
|
|
||||||
|
|
||||||
mods = mkOption {
|
|
||||||
type = types.listOf types.package;
|
|
||||||
example = literalExpression ''
|
|
||||||
[
|
|
||||||
(pkgs.fetchurl {
|
|
||||||
url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/0.44.0+1.18/fabric-api-0.44.0+1.18.jar";
|
|
||||||
sha256 = "0mlmj7mj073a48s8zgc1km0jwkphz01c1fvivn4mw37lbm2p4834";
|
|
||||||
})
|
|
||||||
];
|
|
||||||
'';
|
|
||||||
description = "List of mods to put in the mods folder";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
users.users.minecraft = {
|
|
||||||
description = "Minecraft server service user";
|
|
||||||
home = cfg.dataDir;
|
|
||||||
createHome = true;
|
|
||||||
isSystemUser = true;
|
|
||||||
group = "minecraft";
|
|
||||||
};
|
|
||||||
users.groups.minecraft = {};
|
|
||||||
|
|
||||||
systemd.services.minecraft-server-fabric = {
|
|
||||||
description = "Minecraft Server Service";
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
after = [ "network.target" ];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart = "${cfg.package}/bin/minecraft-server ${cfg.jvmOpts}";
|
|
||||||
Restart = "always";
|
|
||||||
User = "minecraft";
|
|
||||||
WorkingDirectory = cfg.dataDir;
|
|
||||||
};
|
|
||||||
|
|
||||||
preStart = ''
|
|
||||||
ln -sf ${eulaFile} eula.txt
|
|
||||||
ln -sf ${whitelistFile} whitelist.json
|
|
||||||
cp -f ${serverPropertiesFile} server.properties
|
|
||||||
|
|
||||||
ln -sfn ${pkgs.linkFarmFromDrvs "fabric-mods" cfg.mods} mods
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
assertions = [
|
|
||||||
{ assertion = cfg.eula;
|
|
||||||
message = "You must agree to Mojangs EULA to run minecraft-server."
|
|
||||||
+ " Read https://account.mojang.com/documents/minecraft_eula and"
|
|
||||||
+ " set `services.minecraft-server.eula` to `true` if you agree.";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,58 +1,55 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, fp, pkgs, lib, values, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
# Include the results of the hardware scan.
|
# Include the results of the hardware scan.
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
../../base.nix
|
(fp /base)
|
||||||
../../misc/metrics-exporters.nix
|
(fp /misc/metrics-exporters.nix)
|
||||||
|
|
||||||
|
./services/monitoring
|
||||||
./services/nginx
|
./services/nginx
|
||||||
./services/metrics
|
|
||||||
];
|
];
|
||||||
|
|
||||||
sops.defaultSopsFile = ../../secrets/ildkule/ildkule.yaml;
|
sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
||||||
sops.age.generateKey = true;
|
sops.age.generateKey = true;
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.grub.device = "/dev/vda";
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.tmp.cleanOnBoot = true;
|
||||||
|
zramSwap.enable = true;
|
||||||
|
|
||||||
networking.hostName = "ildkule"; # Define your hostname.
|
# Openstack Neutron and systemd-networkd are not best friends, use something else:
|
||||||
|
systemd.network.enable = lib.mkForce false;
|
||||||
|
networking = let
|
||||||
|
hostConf = values.hosts.ildkule;
|
||||||
|
in {
|
||||||
|
hostName = "ildkule";
|
||||||
|
tempAddresses = "disabled";
|
||||||
|
useDHCP = lib.mkForce true;
|
||||||
|
|
||||||
networking.interfaces.ens18.useDHCP = false;
|
search = values.defaultNetworkConfig.domains;
|
||||||
|
nameservers = values.defaultNetworkConfig.dns;
|
||||||
|
defaultGateway.address = hostConf.ipv4_internal_gw;
|
||||||
|
|
||||||
networking.defaultGateway = "129.241.210.129";
|
interfaces."ens4" = {
|
||||||
networking.interfaces.ens18.ipv4 = {
|
ipv4.addresses = [
|
||||||
addresses = [
|
{ address = hostConf.ipv4; prefixLength = 32; }
|
||||||
{
|
{ address = hostConf.ipv4_internal; prefixLength = 24; }
|
||||||
address = "129.241.210.187";
|
];
|
||||||
prefixLength = 25;
|
ipv6.addresses = [
|
||||||
}
|
{ address = hostConf.ipv6; prefixLength = 64; }
|
||||||
];
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
networking.interfaces.ens18.ipv6 = {
|
|
||||||
addresses = [
|
|
||||||
{
|
|
||||||
address = "2001:700:300:1900::187";
|
|
||||||
prefixLength = 64;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
|
|
||||||
|
|
||||||
# List packages installed in system profile
|
# List packages installed in system profile
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
];
|
];
|
||||||
|
|
||||||
# List services that you want to enable:
|
# No devices with SMART
|
||||||
|
services.smartd.enable = false;
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
system.stateVersion = "23.11"; # Did you read the comment?
|
||||||
# settings for stateful data, like file locations and database versions
|
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
||||||
# this value at the release version of the first install of this system.
|
|
||||||
# Before changing this value read the documentation for this option
|
|
||||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
|
||||||
system.stateVersion = "21.11"; # Did you read the comment?
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,37 +1,16 @@
|
||||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
{ modulesPath, lib, ... }:
|
||||||
# and may be overwritten by future invocations. Please make changes
|
|
||||||
# to /etc/nixos/configuration.nix instead.
|
|
||||||
{ config, lib, pkgs, modulesPath, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
||||||
[ (modulesPath + "/profiles/qemu-guest.nix")
|
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
|
||||||
];
|
boot.initrd.kernelModules = [ "nvme" ];
|
||||||
|
fileSystems."/" = {
|
||||||
|
device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
fileSystems."/data" = {
|
||||||
|
device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
|
|
||||||
boot.initrd.kernelModules = [ ];
|
|
||||||
boot.kernelModules = [ ];
|
|
||||||
boot.extraModulePackages = [ ];
|
|
||||||
|
|
||||||
fileSystems."/" =
|
|
||||||
{ device = "/dev/disk/by-uuid/afe70fe4-681a-4675-8cbd-e5d08cdcf5b5";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/boot" =
|
|
||||||
{ device = "/dev/disk/by-uuid/B71A-E5CD";
|
|
||||||
fsType = "vfat";
|
|
||||||
};
|
|
||||||
|
|
||||||
swapDevices = [ ];
|
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
|
||||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
|
||||||
networking.useDHCP = lib.mkDefault true;
|
networking.useDHCP = lib.mkDefault true;
|
||||||
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
|
|
||||||
|
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
|
||||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,60 +0,0 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
cfg = config.services.grafana;
|
|
||||||
in {
|
|
||||||
services.grafana = {
|
|
||||||
enable = true;
|
|
||||||
settings.server = {
|
|
||||||
domain = "ildkule.pvv.ntnu.no";
|
|
||||||
http_port = 2342;
|
|
||||||
http_addr = "127.0.0.1";
|
|
||||||
};
|
|
||||||
provision = {
|
|
||||||
enable = true;
|
|
||||||
datasources.settings.datasources = [
|
|
||||||
{
|
|
||||||
name = "Ildkule Prometheus";
|
|
||||||
type = "prometheus";
|
|
||||||
url = ("http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}");
|
|
||||||
isDefault = true;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
name = "Ildkule loki";
|
|
||||||
type = "loki";
|
|
||||||
url = ("http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}");
|
|
||||||
}
|
|
||||||
];
|
|
||||||
dashboards.settings.providers = [
|
|
||||||
{
|
|
||||||
name = "Node Exporter Full";
|
|
||||||
type = "file";
|
|
||||||
url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
|
|
||||||
options.path = dashboards/node-exporter-full.json;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
name = "Matrix Synapse";
|
|
||||||
type = "file";
|
|
||||||
url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
|
|
||||||
options.path = dashboards/synapse.json;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts.${cfg.settings.server.domain} = {
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations = {
|
|
||||||
"/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";
|
|
||||||
proxyWebsockets = true;
|
|
||||||
extraConfig = ''
|
|
||||||
proxy_buffers 8 1024k;
|
|
||||||
proxy_buffer_size 1024k;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,76 +0,0 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
cfg = config.services.prometheus;
|
|
||||||
in {
|
|
||||||
services.prometheus = {
|
|
||||||
enable = true;
|
|
||||||
listenAddress = "127.0.0.1";
|
|
||||||
port = 9001;
|
|
||||||
|
|
||||||
scrapeConfigs = [
|
|
||||||
{
|
|
||||||
job_name = "node";
|
|
||||||
static_configs = [
|
|
||||||
{
|
|
||||||
targets = [
|
|
||||||
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
|
|
||||||
"microbel.pvv.ntnu.no:9100"
|
|
||||||
"isvegg.pvv.ntnu.no:9100"
|
|
||||||
"knakelibrak.pvv.ntnu.no:9100"
|
|
||||||
];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
job_name = "exim";
|
|
||||||
scrape_interval = "60s";
|
|
||||||
static_configs = [
|
|
||||||
{
|
|
||||||
targets = [
|
|
||||||
"microbel.pvv.ntnu.no:9636"
|
|
||||||
];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
job_name = "synapse";
|
|
||||||
scrape_interval = "15s";
|
|
||||||
scheme = "https";
|
|
||||||
http_sd_configs = [
|
|
||||||
{
|
|
||||||
url = "https://matrix.pvv.ntnu.no/metrics/config.json";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
relabel_configs = [
|
|
||||||
{
|
|
||||||
source_labels = [ "__address__" ];
|
|
||||||
regex = "[^/]+(/.*)";
|
|
||||||
target_label = "__metrics_path__";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
source_labels = [ "__address__" ];
|
|
||||||
regex = "([^/]+)/.*";
|
|
||||||
target_label = "instance";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
source_labels = [ "__address__" ];
|
|
||||||
regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
|
|
||||||
target_label = "job";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
source_labels = [ "__address__" ];
|
|
||||||
regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
|
|
||||||
target_label = "index";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
source_labels = [ "__address__" ];
|
|
||||||
regex = "([^/]+)/.*";
|
|
||||||
target_label = "__address__";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
ruleFiles = [ rules/synapse-v2.rules ];
|
|
||||||
};
|
|
||||||
}
|
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue