WIP: Add bluemap

Co-authored-by: Daniel Olsen <daniel.olsen99@gmail.com>
WIP: fix loki
2024-06-09 07:33:43 +02:00 · 2024-06-08 20:58:25 +02:00 · 2024-06-08 20:58:10 +02:00
12 changed files with 115 additions and 1760 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -10,6 +10,7 @@ keys:
  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
  - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
  - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
  - &host_buskerud age1tmn5qahlyf0e579e4camckdyxrexjzffv54hdzdnrw7lzqs7kyqq0f2fr3
 creation_rules:
  # Global secrets
@@ -60,3 +61,10 @@ creation_rules:
      - *user_felixalb
      pgp:
      - *user_oysteikt
  - path_regex: secrets/buskerud/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_buskerud
      - *user_danio
      - *user_eirikwit
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1715445235,
+        "lastModified": 1716431128,
-        "narHash": "sha256-SUu+oIWn+xqQIOlwfwNfS9Sek4i1HKsrLJchsDReXwA=",
+        "narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "159d87ea5b95bbdea46f0288a33c5e1570272725",
+        "rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
        "type": "github"
      },
      "original": {
@@ -67,11 +67,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1715364232,
+        "lastModified": 1716065905,
-        "narHash": "sha256-ZJC3SkanEgbV7p+LFhP+85CviRWOXJNHzZwR/Stb7hE=",
+        "narHash": "sha256-08uhxBzfakfhl/ooc+gMzDupWKYvTeyQZwuvB1SBS7A=",
        "owner": "Programvareverkstedet",
        "repo": "grzegorz",
-        "rev": "3841cda1cdcac470440b06838d56a2eb2256378c",
+        "rev": "0481aef6553ae9aee86e4edb4ca0ed4f2eba2058",
        "type": "github"
      },
      "original": {
@@ -87,11 +87,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1715384651,
+        "lastModified": 1716115695,
-        "narHash": "sha256-7RhckgUTjqeCjWkhiCc1iB+5CBx9fl80d/3O4Jh+5kM=",
+        "narHash": "sha256-aI65l4x+U5v3i/nfn6N3eW5IZodmf4pyAByE7vTJh8I=",
        "owner": "Programvareverkstedet",
        "repo": "grzegorz-clients",
-        "rev": "738a4f3dd887f7c3612e4e772b83cbfa3cde5693",
+        "rev": "b9444658fbb39cd1bf1c61ee5a1d5f0641c49abe",
        "type": "github"
      },
      "original": {
@@ -107,15 +107,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1710311999,
+        "lastModified": 1717234745,
-        "narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
+        "narHash": "sha256-MFyKRdw4WQD6V3vRGbP6MYbtJhZp712zwzjW6YiOBYM=",
        "owner": "dali99",
        "repo": "nixos-matrix-modules",
-        "rev": "6c9b67974b839740e2a738958512c7a704481157",
+        "rev": "d7dc42c9bbb155c5e4aa2f0985d0df75ce978456",
        "type": "github"
      },
      "original": {
        "owner": "dali99",
        "ref": "v0.6.0",
        "repo": "nixos-matrix-modules",
        "type": "github"
      }
@@ -142,26 +143,26 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1715410392,
+        "lastModified": 1716586607,
-        "narHash": "sha256-ltp1jQps9tym0uWNl/lTniHSQngCtNIyzlymu+ZSyts=",
+        "narHash": "sha256-PzpeC/xi0+YTGJS5rdbcOqVgIryuWHkimMVXoCIidgA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9f8bf7503bd85d5208575f4bd81c8b1fc999a468",
+        "rev": "03309929e115bba1339308814f8b6e63f250fedf",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-23.11-small",
+        "ref": "nixos-24.05-small",
        "type": "indirect"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1714858427,
+        "lastModified": 1716061101,
-        "narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
+        "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
+        "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
        "type": "github"
      },
      "original": {
@@ -173,11 +174,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1715435713,
+        "lastModified": 1716660083,
-        "narHash": "sha256-lb2HqDQGfTdnCCpc1pgF6fkdgIOuBQ0nP8jjVSfLFqg=",
+        "narHash": "sha256-QO7cdjtDhx72KEw6m0NOtuE5FS4asaRExZ65uFR/q8g=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "52b40f6c4be12742b1504ca2eb4527e597bf2526",
+        "rev": "6de51d98ec2ae46730f11845e221aab9d2470a8a",
        "type": "github"
      },
      "original": {
@@ -248,11 +249,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1715244550,
+        "lastModified": 1716400300,
-        "narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=",
+        "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f",
+        "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -2,7 +2,7 @@
  description = "PVV System flake";
  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-23.11-small";
+    nixpkgs.url = "nixpkgs/nixos-24.05-small";
    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
    sops-nix.url = "github:Mic92/sops-nix";
@@ -17,7 +17,7 @@
    pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
    pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
-    matrix-next.url = "github:dali99/nixos-matrix-modules";
+    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.0";
    matrix-next.inputs.nixpkgs.follows = "nixpkgs";
    nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
--- a/hosts/bekkalokk/services/gitea/default.nix
+++ b/hosts/bekkalokk/services/gitea/default.nix
@@ -28,7 +28,7 @@ in {
    database = {
      type = "postgres";
      host = "postgres.pvv.ntnu.no";
-      port = config.services.postgresql.port;
+      port = config.services.postgresql.settings.port;
      passwordFile = config.sops.secrets."gitea/database".path;
      createDatabase = false;
    };
--- a/hosts/bekkalokk/services/kerberos/default.nix
+++ b/hosts/bekkalokk/services/kerberos/default.nix
@@ -3,14 +3,14 @@
  #######################
  # TODO: remove these once nixos 24.05 gets released
  #######################
-  imports = [
+  # imports = [
-    ./krb5.nix
+  #   ./krb5.nix
-    ./pam.nix
+  #   ./pam.nix
-  ];
+  # ];
-  disabledModules = [
+  # disabledModules = [
-    "config/krb5/default.nix"
+  #   "config/krb5/default.nix"
-    "security/pam.nix"
+  #   "security/pam.nix"
-  ];
+  # ];
  #######################
  security.krb5 = {
--- a/hosts/bekkalokk/services/kerberos/krb5-conf-format.nix
+++ b/hosts/bekkalokk/services/kerberos/krb5-conf-format.nix
@@ -1,88 +0,0 @@
 { pkgs, lib, ... }:
 # Based on
 # - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
 # - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
 let
  inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
    isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
  inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
    str submodule;
 in
 { }: {
  type = let
    section = attrsOf relation;
    relation = either (attrsOf value) value;
    value = either (listOf atom) atom;
    atom = oneOf [int str bool];
  in submodule {
    freeformType = attrsOf section;
    options = {
      include = mkOption {
        default = [ ];
        description = mdDoc ''
          Files to include in the Kerberos configuration.
        '';
        type = coercedTo path singleton (listOf path);
      };
      includedir = mkOption {
        default = [ ];
        description = mdDoc ''
          Directories containing files to include in the Kerberos configuration.
        '';
        type = coercedTo path singleton (listOf path);
      };
      module = mkOption {
        default = [ ];
        description = mdDoc ''
          Modules to obtain Kerberos configuration from.
        '';
        type = coercedTo path singleton (listOf path);
      };
    };
  };
  generate = let
    indent = str: concatMapStringsSep "\n" (line: "  " + line) (splitString "\n" str);
    formatToplevel = args @ {
      include ? [ ],
      includedir ? [ ],
      module ? [ ],
      ...
    }: let
      sections = removeAttrs args [ "include" "includedir" "module" ];
    in concatStringsSep "\n" (filter (x: x != "") [
      (concatStringsSep "\n" (mapAttrsToList formatSection sections))
      (concatMapStringsSep "\n" (m: "module ${m}") module)
      (concatMapStringsSep "\n" (i: "include ${i}") include)
      (concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
    ]);
    formatSection = name: section: ''
      [${name}]
      ${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
    '';
    formatRelation = name: relation:
      if isAttrs relation
      then ''
        ${name} = {
        ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
        }''
      else formatValue name relation;
    formatValue = name: value:
      if isList value
      then concatMapStringsSep "\n" (formatAtom name) value
      else formatAtom name value;
    formatAtom = name: atom: let
      v = if isBool atom then boolToString atom else toString atom;
    in "${name} = ${v}";
  in
    name: value: pkgs.writeText name ''
      ${formatToplevel value}
    '';
 }
--- a/hosts/bekkalokk/services/kerberos/krb5.nix
+++ b/hosts/bekkalokk/services/kerberos/krb5.nix
@@ -1,90 +0,0 @@
 { config, lib, pkgs, ... }:
 let
  inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
  inherit (lib.types) bool;
  mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
  mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
    The option `krb5.${name}' has been removed. Use
    `security.krb5.settings.${name}' for structured configuration.
  '';
  cfg = config.security.krb5;
  format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
 in {
  imports = [
    (mkRemovedOptionModuleCfg "libdefaults")
    (mkRemovedOptionModuleCfg "realms")
    (mkRemovedOptionModuleCfg "domain_realm")
    (mkRemovedOptionModuleCfg "capaths")
    (mkRemovedOptionModuleCfg "appdefaults")
    (mkRemovedOptionModuleCfg "plugins")
    (mkRemovedOptionModuleCfg "config")
    (mkRemovedOptionModuleCfg "extraConfig")
    (mkRemovedOptionModule' "kerberos" ''
      The option `krb5.kerberos' has been moved to `security.krb5.package'.
    '')
  ];
  options = {
    security.krb5 = {
      enable = mkOption {
        default = false;
        description = mdDoc "Enable and configure Kerberos utilities";
        type = bool;
      };
      package = mkPackageOption pkgs "krb5" {
        example = "heimdal";
      };
      settings = mkOption {
        default = { };
        type = format.type;
        description = mdDoc ''
          Structured contents of the {file}`krb5.conf` file. See
          {manpage}`krb5.conf(5)` for details about configuration.
        '';
        example = {
          include = [ "/run/secrets/secret-krb5.conf" ];
          includedir = [ "/run/secrets/secret-krb5.conf.d" ];
          libdefaults = {
            default_realm = "ATHENA.MIT.EDU";
          };
          realms = {
            "ATHENA.MIT.EDU" = {
              admin_server = "athena.mit.edu";
              kdc = [
                "athena01.mit.edu"
                "athena02.mit.edu"
              ];
            };
          };
          domain_realm = {
            "mit.edu" = "ATHENA.MIT.EDU";
          };
          logging = {
            kdc = "SYSLOG:NOTICE";
            admin_server = "SYSLOG:NOTICE";
            default = "SYSLOG:NOTICE";
          };
        };
      };
    };
  };
  config = mkIf cfg.enable {
    environment = {
      systemPackages = [ cfg.package ];
      etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
    };
  };
  meta.maintainers = builtins.attrValues {
    inherit (lib.maintainers) dblsaiko h7x4;
  };
 }
--- a/hosts/bekkalokk/services/kerberos/pam.nix
+++ b/hosts/bekkalokk/services/kerberos/pam.nix
--- a/hosts/buskerud/configuration.nix
+++ b/hosts/buskerud/configuration.nix
@@ -6,6 +6,12 @@
    ../../misc/metrics-exporters.nix
  ];
  sops.defaultSopsFile = ../../secrets/buskerud/buskerud.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  # buskerud does not support efi?
  # boot.loader.systemd-boot.enable = true;
  # boot.loader.efi.canTouchEfiVariables = true;
--- a/hosts/buskerud/services/bluemap.nix
+++ b/hosts/buskerud/services/bluemap.nix
@@ -0,0 +1,21 @@
 {config, ...}:
 {
  sops.secrets."bluemap_ssh_key" = {
    owner = "root";
    mode = "0400";
  };
  services.bluemap = {
    enable = true;
    eula = true;
    defaultWorld = "/var/lib/bluemap/vanilla";
    host = "minecraft.pvv.ntnu.no";
  };
  systemd.services."render-bluemap-maps".preStart = ''
    rsync -e 'ssh -i ${config.sops.secrets."bluemap_ssh_key".path} -o "StrictHostKeyChecking accept-new"' \
      root@innovation.pvv.ntnu.no:/var/backups/minecraft/current/ \
      /var/lib/bluemap/vanilla"
    '';
 }
--- a/hosts/ildkule/services/monitoring/loki.nix
+++ b/hosts/ildkule/services/monitoring/loki.nix
@@ -50,7 +50,7 @@ in {
        boltdb_shipper = {
          active_index_directory = "/var/lib/loki/boltdb-shipper-index";
          cache_location = "/var/lib/loki/boltdb-shipper-cache";
-          shared_store = "filesystem";
+          # shared_store = "filesystem";
          cache_ttl = "24h";
        };
        filesystem = {
@@ -59,14 +59,15 @@ in {
      };
      limits_config = {
-        enforce_metric_name = false;
+        allow_structured_metadata = false;
        # enforce_metric_name = false;
        reject_old_samples = true;
        reject_old_samples_max_age = "72h";
      };
      compactor = {
        working_directory = "/var/lib/loki/compactor";
-        shared_store = "filesystem";
+        # shared_store = "filesystem";
      };
      # ruler = {
--- a/secrets/buskerud/buskerud.yaml
+++ b/secrets/buskerud/buskerud.yaml
@@ -0,0 +1,39 @@
 bluemap_ssh_key: ENC[AES256_GCM,data:2kv/cDEEQMHJdwTmmTxtyxOZz8duggaT61U69IuiOJ2yuwqkujOHZ2gkCtGa1VyFPn6wg4OTiSA/Loz+QmTSKz+8HqvY/Lybks+offDZ1mukL5NiWLUVmNZdfdHaMeEyiZsxiMoWEgFtMiKvgmdMMPa/BCHZCMCxMWFAcuiZgbhGyGukdo0wQd5RcEDaY4JZ7q95ndAn4K7gi9q1K7MLOvI5t2hGibj8DrqriXqg9mahsiFZdKWxjf3tBX0MzS85wAtleQWXmH5FRvECmdOj3OSp92JMqU/WDlQih3xjnw1Ci3L/hdwgGLHZTf/RzuPpGh2OD26A7gUjOFh+M5z2dVVtZ40F8tQFxpQxkkJBsqTNbDKuw7/KPpZUJkn4UYBkhzraG/62md/9sS9+GjTHBhfYQYHbDU8ZbPO5ZSoZfshRDUuP0qYXiQw7cxA5BQIhwYdn26uy2ghiHsP713Tz91ESVjlCZLLduGySWEQNAxSdzFu9yEyp4xdl8l9udlnxVV2/5Xm5kQEdiUMwiBpUhrghdEl6lOzome5h,iv:uiYaQgOnhFvWze/oHGSpAu8+m89l4tGCgRauDzU3ZqE=,tag:eCYgCH+e8hNYpBIFWFOTbA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1tmn5qahlyf0e579e4camckdyxrexjzffv54hdzdnrw7lzqs7kyqq0f2fr3
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvL2dqdHFwWURFSWJEUkVl
            eXR2cTQyTXpzUEFra0drdUgzRUNmSXA4eGc0CmRoWnp5UUUyQy9kK0dHVjF3WkFp
            M0loS1RXeWxHSGNTQUljS05jaDBxMDQKLS0tIDhyUGdvcE1iMWxJeWhYb3JFTi9q
            Y0RrVHNhcVU3WFd2NitlQ3l4Ry9JTkEKALBawjOt7hChok/cHRa38HkB0KVEKvik
            r2jO26j9AUU5mqjR/dIko3jvfcXoNUNRYrMwaBfRa6AFnNBoN3g0ng==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzV1R0cWxoTXNKNnpsUjE5
            c01Oc3J5M2F2cDVKOTNma0J3eFVwa0pXQmpjCkdxRjJZTlFWSlh2UFR2emx4OVVY
            T3gzSWdXNTlyS0VJSXRnTXZweER6V00KLS0tIGdFU3oxZ3lzQTBjU0hyYjV5M2cr
            VnUvcGZDbEZuZitQS1g1NmRtb3JnNDAKV6otQlYUSF5ScyYL6LlstPU1pkLMY8r0
            /NEuN9A7l2m9Wy8iItx+ZhwGp9pEPsgdsQLJQtJFfaA6lNuFhbgqfg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNbmpMaWhpQTQzR05Cd0cw
            b3dJRXVoUmFzZGxMeC9tVk9acndMemlrTHhzCkVtMHJ1bE94T25wRmpTZnpHbUdq
            NzQ4T0pLZW56TEV2emQ5RHVXTDAvdmsKLS0tIFJ0OWxNYkIxOVBVV1hmZDdoeEhm
            blB3M2JIMmk3Tmh6WjIzQjlHSW9GNDAKB3gdJL9AlF4fsCMujd/6HnieDwhCZnex
            QDU87yTePHAppnqLp+ZuVdSbqcsnQclmbm92M3S6LuKpoDhGxeHrEw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-06-08T23:34:34Z"
    mac: ENC[AES256_GCM,data:CLsz6UgS1LO/5SArmT7utald3TzQUWwEiSRw3dF1RaCwyb0Fc16/5DxJSk0KGLiJRlDXses/ynSjoyaBdTagijJPKQZCpx3fHZFqEJk6Wne4zQ4EoFbY1SpPrkhGVGMYaUg/H/NapoAEiq619YudR9W6GqF8ZkauXE76wls63FM=,iv:I09LFoSkeMAWHmvXtIF4+FURZ4tOQGCXQqbNrKz5t7s=,tag:xauT9sah+26A9pRrwXlsiQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
Author	SHA1	Message	Date
Eirik Wittersø	60e1bbfd08	WIP: Add bluemap Co-authored-by: Daniel Olsen <daniel.olsen99@gmail.com>	2024-06-09 07:33:43 +02:00
h7x4	ceaa67fc19	WIP: fix loki	2024-06-08 20:58:25 +02:00
h7x4	375e0f1486	treewide: fix issues for 24.05 upgrade	2024-06-08 20:58:10 +02:00