WIP

bekkalokk/gitea: add some extra tabs
Merge pull request 'enable thermald on physical machines' (!61 ) from thermald into main
2024-08-15 00:13:29 +02:00 · 2024-08-14 17:36:19 +02:00 · 2024-08-14 17:31:44 +02:00 · 2024-08-14 17:31:08 +02:00 · 2024-08-11 03:42:26 +02:00 · 2024-08-10 23:55:29 +02:00
36 changed files with 240 additions and 194 deletions
--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,10 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.nix]
+indent_style = space
+indent_size = 2
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -0,0 +1 @@
+e00008da1afe0d760badd34bbeddff36bb08c475
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -30,7 +30,7 @@ creation_rules:
      - *user_oysteikt

  # Host specific secrets
-  
+
  - path_regex: secrets/bekkalokk/[^/]+\.yaml$
    key_groups:
    - age:
@@ -66,7 +66,7 @@ creation_rules:
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
-  
+
  - path_regex: secrets/bicep/[^/]+\.yaml$
    key_groups:
    - age:
--- a/base.nix
+++ b/base.nix
@@ -76,10 +76,19 @@
  # Trusted users on the nix builder machines
  users.groups."nix-builder-users".name = "nix-builder-users";

+  # Let's not thermal throttle
+  services.thermald.enable = lib.mkIf (lib.all (x: x) [
+      (config.nixpkgs.system == "x86_64-linux")
+      (!config.boot.isContainer or false)
+    ]) true;
+
  services.openssh = {
    enable = true;
    extraConfig = ''
      PubkeyAcceptedAlgorithms=+ssh-rsa
+      Match Group wheel
+        PasswordAuthentication no
+      Match All
    '';
    settings.PermitRootLogin = "yes";
  };
--- a/flake.nix
+++ b/flake.nix
@@ -37,8 +37,8 @@
      "aarch64-linux"
      "aarch64-darwin"
    ];
-    forAllSystems = f: nixlib.genAttrs systems (system: f system);
-    allMachines = nixlib.mapAttrsToList (name: _: name) self.nixosConfigurations;
+    forAllSystems = f: nixlib.genAttrs systems f;
+    allMachines = builtins.attrNames self.nixosConfigurations;
    importantMachines = [
      "bekkalokk"
      "bicep"
@@ -47,6 +47,8 @@
      "ildkule"
    ];
  in {
+    inherit inputs;
+
    nixosConfigurations = let
      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
      nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
@@ -124,6 +126,11 @@
      buskerud = stableNixosConfig "buskerud" { };
    };

+    nixosModules = {
+      snakeoil-certs = ./modules/snakeoil-certs.nix;
+      snappymail = ./modules/snappymail.nix;
+    };
+
    devShells = forAllSystems (system: {
      default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
    });
--- a/hosts/bekkalokk/services/gitea/ci.nix
+++ b/hosts/bekkalokk/services/gitea/ci.nix
@@ -15,9 +15,9 @@ let
        enable = true;
        name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
        labels = [
-	  "debian-latest:docker://node:18-bullseye"
-	  "ubuntu-latest:docker://node:18-bullseye"
-	];
+          "debian-latest:docker://node:18-bullseye"
+          "ubuntu-latest:docker://node:18-bullseye"
+        ];
        tokenFile = config.sops.secrets."gitea/runners/${name}".path;
      };
    };
--- a/hosts/bekkalokk/services/gitea/default.nix
+++ b/hosts/bekkalokk/services/gitea/default.nix
@@ -58,6 +58,14 @@ in {
      service = {
        DISABLE_REGISTRATION = true;
        ENABLE_NOTIFY_MAIL = true;
+
+        # Not a very commonly used feature, make opt-in
+        DEFAULT_ENABLE_TIMETRACKING = false;
+
+        # Everyone here are contributors
+        DEFAULT_ALLOW_ONLY_CONTRIBUTORS_TO_TRACK_TIME = false;
+
+        DEFAULT_ORG_MEMBER_VISIBLE = true;
      };
      admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
      session.COOKIE_SECURE = true;
@@ -135,10 +143,16 @@ in {
    script = let
      logo-svg = ../../../../assets/logo_blue_regular.svg;
      logo-png = ../../../../assets/logo_blue_regular.png;
+      extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
+        <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
+        <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
+        <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
+      '';
    in ''
      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
+      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
    '';
  };
 }
--- a/hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php
@@ -112,7 +112,7 @@ class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
            array_shift($groups);
            array_shift($groups);
            array_pop($groups);
-	    
+
            $info = posix_getpwnam($uid);
            $group = $info['gid'];
            if (!in_array($group, $groups)) {
--- a/hosts/bekkalokk/services/idp-simplesamlphp/config.php
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/config.php
@@ -58,7 +58,7 @@ $config = [
    /*
     * The following settings are *filesystem paths* which define where
     * SimpleSAMLphp can find or write the following things:
-     * - 'cachedir': Where SimpleSAMLphp can write its cache. 
+     * - 'cachedir': Where SimpleSAMLphp can write its cache.
     * - 'loggingdir': Where to write logs. MUST be set to NULL when using a logging
     *                 handler other than `file`.
     * - 'datadir': Storage of general data.
--- a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
@@ -22,62 +22,62 @@ let
      # openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
      "metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
        <?php
-	  $metadata['https://idp.pvv.ntnu.no/'] = array(
-	    'host' => '__DEFAULT__',
-	    'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
-	    'certificate' => '${./idp.crt}',
-	    'auth' => 'pwauth',
-	  );
-	?>
+        $metadata['https://idp.pvv.ntnu.no/'] = array(
+          'host' => '__DEFAULT__',
+          'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
+          'certificate' => '${./idp.crt}',
+          'auth' => 'pwauth',
+        );
+        ?>
      '';

      "metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
        <?php
-	  ${ lib.pipe config.services.idp.sp-remote-metadata [
-             (map (url: ''
-               $metadata['${url}'] = [
-                   'SingleLogoutService' => [
-                       [
-                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-                           'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
-                       ],
-                       [
-                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
-                           'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
-                       ],
-                   ],
-                   'AssertionConsumerService' => [
-                       [
-                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
-                           'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
-                           'index' => 0,
-                       ],
-                       [
-                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
-                           'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
-                           'index' => 1,
-                       ],
-                   ],
-               ];
-	     ''))
-	     (lib.concatStringsSep "\n")
-	  ]}
-	?>
+          ${ lib.pipe config.services.idp.sp-remote-metadata [
+            (map (url: ''
+              $metadata['${url}'] = [
+                'SingleLogoutService' => [
+                  [
+                    'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+                    'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
+                  ],
+                  [
+                    'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
+                    'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
+                  ],
+                ],
+                'AssertionConsumerService' => [
+                  [
+                    'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+                    'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
+                    'index' => 0,
+                  ],
+                  [
+                    'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
+                    'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
+                    'index' => 1,
+                  ],
+                ],
+              ];
+            ''))
+            (lib.concatStringsSep "\n")
+          ]}
+        ?>
      '';

      "config/authsources.php" = pkgs.writeText "idp-authsources.php" ''
        <?php
          $config = array(
-	    'admin' => array(
-	      'core:AdminPassword'
-	    ),
+            'admin' => array(
+              'core:AdminPassword'
+            ),
            'pwauth' => array(
-               'authpwauth:PwAuth',
-               'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
-               'mail_domain' => '@pvv.ntnu.no',
+              'authpwauth:PwAuth',
+              'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
+              'mail_domain' => '@pvv.ntnu.no',
            ),
          );
-	?>
+        ?>
      '';

      "config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
@@ -108,7 +108,7 @@ in
      List of urls point to (simplesamlphp) service profiders, which the idp should trust.

      :::{.note}
-	Make sure the url ends with a `/`
+      Make sure the url ends with a `/`
      :::
    '';
  };
@@ -132,7 +132,7 @@ in
        owner = "idp";
        group = "idp";
      };
-    };  
+    };

    users.groups."idp" = { };
    users.users."idp" = {
@@ -199,9 +199,9 @@ in
          '';
        };
        "^~ /simplesaml/".extraConfig = ''
-	  rewrite ^/simplesaml/(.*)$ /$1 redirect;
-	  return 404;
-	'';
+          rewrite ^/simplesaml/(.*)$ /$1 redirect;
+          return 404;
+        '';
      };
    };
  };
--- a/hosts/bekkalokk/services/kerberos/pam.nix
+++ b/hosts/bekkalokk/services/kerberos/pam.nix
@@ -879,15 +879,15 @@ let

  inherit (pkgs) pam_krb5 pam_ccreds;

-  use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
+  use_ldap = config.users.ldap.enable && config.users.ldap.loginPam;
  pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;

  # Create a limits.conf(5) file.
  makeLimitsConf = limits:
    pkgs.writeText "limits.conf"
-       (concatMapStrings ({ domain, type, item, value }:
-         "${domain} ${type} ${item} ${toString value}\n")
-         limits);
+      (concatMapStrings ({ domain, type, item, value }:
+        "${domain} ${type} ${item} ${toString value}\n")
+        limits);

  limitsType = with lib.types; listOf (submodule ({ ... }: {
    options = {
@@ -935,8 +935,8 @@ let
  }));

  motd = if config.users.motdFile == null
-         then pkgs.writeText "motd" config.users.motd
-         else config.users.motdFile;
+    then pkgs.writeText "motd" config.users.motd
+    else config.users.motdFile;

  makePAMService = name: service:
    { name = "pam.d/${name}";
@@ -976,20 +976,20 @@ in
            item   = "maxlogins";
            value  = "4";
          }
-       ];
+        ];

-     description = lib.mdDoc ''
-       Define resource limits that should apply to users or groups.
-       Each item in the list should be an attribute set with a
-       {var}`domain`, {var}`type`,
-       {var}`item`, and {var}`value`
-       attribute.  The syntax and semantics of these attributes
-       must be that described in {manpage}`limits.conf(5)`.
+      description = lib.mdDoc ''
+        Define resource limits that should apply to users or groups.
+        Each item in the list should be an attribute set with a
+        {var}`domain`, {var}`type`,
+        {var}`item`, and {var}`value`
+        attribute.  The syntax and semantics of these attributes
+        must be that described in {manpage}`limits.conf(5)`.

-       Note that these limits do not apply to systemd services,
-       whose limits can be changed via {option}`systemd.extraConfig`
-       instead.
-     '';
+        Note that these limits do not apply to systemd services,
+        whose limits can be changed via {option}`systemd.extraConfig`
+        instead.
+      '';
    };

    security.pam.services = mkOption {
@@ -1507,10 +1507,10 @@ in
        runuser = { rootOK = true; unixAuth = false; setEnvironment = false; };

        /* FIXME: should runuser -l start a systemd session? Currently
-           it complains "Cannot create session: Already running in a
-           session". */
+            it complains "Cannot create session: Already running in a
+            session". */
        runuser-l = { rootOK = true; unixAuth = false; };
-      } // optionalAttrs (config.security.pam.enableFscrypt) {
+      } // optionalAttrs config.security.pam.enableFscrypt {
        # Allow fscrypt to verify login passphrase
        fscrypt = {};
      };
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -199,7 +199,7 @@ in {
        extraConfig = ''
          location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
            include ${pkgs.nginx}/conf/fastcgi_params;
-            fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket}; 
+            fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
            fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile;

            # Must be prepended with the baseurlpath
--- a/hosts/bekkalokk/services/mediawiki/simplesaml-config.php
+++ b/hosts/bekkalokk/services/mediawiki/simplesaml-config.php
@@ -58,7 +58,7 @@ $config = [
    /*
     * The following settings are *filesystem paths* which define where
     * SimpleSAMLphp can find or write the following things:
-     * - 'cachedir': Where SimpleSAMLphp can write its cache. 
+     * - 'cachedir': Where SimpleSAMLphp can write its cache.
     * - 'loggingdir': Where to write logs. MUST be set to NULL when using a logging
     *                 handler other than `file`.
     * - 'datadir': Storage of general data.
--- a/hosts/bekkalokk/services/webmail/roundcube.nix
+++ b/hosts/bekkalokk/services/webmail/roundcube.nix
@@ -4,7 +4,7 @@ with lib;
 let
  cfg = config.services.roundcube;
  domain = "webmail.pvv.ntnu.no";
-in 
+in
 {
  services.roundcube = {
    enable = true;
--- a/hosts/bekkalokk/services/website/default.nix
+++ b/hosts/bekkalokk/services/website/default.nix
@@ -21,8 +21,8 @@ in {
  services.idp.sp-remote-metadata = [
    "https://www.pvv.ntnu.no/simplesaml/"
    "https://pvv.ntnu.no/simplesaml/"
-    "https://www.pvv.org/simplesaml/" 
-    "https://pvv.org/simplesaml/" 
+    "https://www.pvv.org/simplesaml/"
+    "https://pvv.org/simplesaml/"
  ];

  services.pvv-nettsiden = {
@@ -43,7 +43,7 @@ in {
                  'idp' => 'https://idp.pvv.ntnu.no/',
              ),
          );
-	'';
+        '';
      };
    };

--- a/hosts/bekkalokk/services/website/fetch-gallery.nix
+++ b/hosts/bekkalokk/services/website/fetch-gallery.nix
@@ -46,7 +46,7 @@ in {
      while IFS= read fname; do
        # Skip this file if an up-to-date thumbnail already exists
        if [ -f ".thumbnails/$fname.png" ] && \
-           [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
+          [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
        then
          continue
        fi
@@ -54,7 +54,7 @@ in {
        echo "Creating thumbnail for $fname"
        mkdir -p $(dirname ".thumbnails/$fname")
        convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
-	touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
+        touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
      done <<< "$images"
    '';

--- a/hosts/bicep/services/matrix/coturn.nix
+++ b/hosts/bicep/services/matrix/coturn.nix
@@ -26,7 +26,7 @@

        "turns:turn.pvv.ntnu.no:5349?transport=tcp"
        "turns:turn.pvv.ntnu.no:5349?transport=udp"
-        
+
        "turns:turn.pvv.ntnu.no:3478?transport=udp"
        "turns:turn.pvv.ntnu.no:3478?transport=tcp"
        "turn:turn.pvv.ntnu.no:3478?transport=udp"
@@ -69,7 +69,7 @@

    tls-listening-port = 443;
    alt-tls-listening-port = 5349;
- 
+
    listening-port = 3478;

    min-port = 49000;
@@ -116,7 +116,7 @@
      #total-quota=1200
    '';
  };
-  
+
  networking.firewall = {
    interfaces.enp6s0f0 = let
      range = with config.services.coturn; [ {
--- a/hosts/bicep/services/matrix/default.nix
+++ b/hosts/bicep/services/matrix/default.nix
@@ -12,6 +12,6 @@
    ./discord.nix
  ];

-  
+

 }
--- a/hosts/bicep/services/matrix/mjolnir.nix
+++ b/hosts/bicep/services/matrix/mjolnir.nix
@@ -11,7 +11,7 @@
  services.mjolnir = {
    enable = true;
    pantalaimon.enable = false;
-    homeserverUrl = http://127.0.0.1:8008;
+    homeserverUrl = "http://127.0.0.1:8008";
    accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
    managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
    protectedRooms = map (a: "https://matrix.to/#/${a}") [
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@@ -141,12 +141,12 @@ in {


  services.redis.servers."".enable = true;
-  
+
  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
-  ({
+  {
    kTLS = true;
-  })
-  ({
+  }
+  {
    locations."/.well-known/matrix/server" = {
      return = ''
        200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
@@ -156,16 +156,16 @@ in {
        add_header Access-Control-Allow-Origin *;
      '';
    };
-  })
-  ({
+  }
+  {
    locations = let
      connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
-      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";
+      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString c.port}";

      metricsPath = w: "/metrics/${w.type}/${toString w.index}";
      proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
    in lib.mapAttrs' (n: v: lib.nameValuePair
-      (metricsPath v) ({
+      (metricsPath v) {
        proxyPass = proxyPath v;
        extraConfig = ''
          allow ${values.hosts.ildkule.ipv4};
@@ -174,10 +174,10 @@ in {
          allow ${values.hosts.ildkule.ipv6_global};
          deny all;
        '';
-      }))
+      })
      cfg.workers.instances;
-  })
-  ({
+  }
+  {
    locations."/metrics/master/1" = {
      proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
      extraConfig = ''
@@ -202,5 +202,5 @@ in {
            labels = { };
          }]) + "/";
    };
-  })];
+  }];
 }
--- a/hosts/bicep/services/mysql.nix
+++ b/hosts/bicep/services/mysql.nix
@@ -15,12 +15,12 @@
      mysqld = {
        # PVV allows a lot of connections at the same time
        max_connect_errors = 10000;
-	bind-address = values.services.mysql.ipv4;
-	skip-networking = 0;
+        bind-address = values.services.mysql.ipv4;
+        skip-networking = 0;

-	# This was needed in order to be able to use all of the old users
-	# during migration from knakelibrak to bicep in Sep. 2023
-	secure_auth = 0;
+        # This was needed in order to be able to use all of the old users
+        # during migration from knakelibrak to bicep in Sep. 2023
+        secure_auth = 0;
      };
    };

--- a/hosts/bikkje/configuration.nix
+++ b/hosts/bikkje/configuration.nix
@@ -35,10 +35,10 @@
        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
        useHostResolvConf = mkForce false;
      };
-      
+
      system.stateVersion = "23.11";
      services.resolved.enable = true;
    };
  };

-};
+};
--- a/hosts/georg/configuration.nix
+++ b/hosts/georg/configuration.nix
@@ -7,7 +7,6 @@
      ../../misc/metrics-exporters.nix

      ../../modules/grzegorz.nix
-      ../../modules/spotifyd.nix
    ];

  boot.loader.systemd-boot.enable = true;
--- a/hosts/ildkule/services/monitoring/dashboards/node-exporter-full.json
+++ b/hosts/ildkule/services/monitoring/dashboards/node-exporter-full.json
@@ -23187,4 +23187,4 @@
  "uid": "rYdddlPWk",
  "version": 9,
  "weekStart": ""
-}
+}
--- a/hosts/ildkule/services/monitoring/dashboards/postgres.json
+++ b/hosts/ildkule/services/monitoring/dashboards/postgres.json
@@ -3164,4 +3164,4 @@
  "title": "PostgreSQL Database",
  "uid": "000000039",
  "version": 1
-}
+}
--- a/hosts/ildkule/services/monitoring/grafana.nix
+++ b/hosts/ildkule/services/monitoring/grafana.nix
@@ -34,13 +34,13 @@ in {
        {
          name = "Ildkule Prometheus";
          type = "prometheus";
-          url = ("http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}");
-         isDefault = true;
+          url = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
+          isDefault = true;
        }
        {
          name = "Ildkule loki";
          type = "loki";
-          url = ("http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}");
+          url = "http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}";
        }
      ];
      dashboards.settings.providers = [
@@ -56,13 +56,13 @@ in {
          url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
          options.path = dashboards/synapse.json;
        }
-	# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
-	# {
-	#   name = "MySQL";
-	#   type = "file";
-	#   url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
-	#   options.path = dashboards/mysql.json;
-	# }
+        # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
+        # {
+        #   name = "MySQL";
+        #   type = "file";
+        #   url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
+        #   options.path = dashboards/mysql.json;
+        # }
        {
          name = "Postgresql";
          type = "file";
--- a/hosts/ildkule/services/monitoring/loki.nix
+++ b/hosts/ildkule/services/monitoring/loki.nix
@@ -58,7 +58,7 @@ in {
      };

      limits_config = {
-	allow_structured_metadata = false;
+        allow_structured_metadata = false;
        reject_old_samples = true;
        reject_old_samples_max_age = "72h";
      };
--- a/hosts/ildkule/services/monitoring/prometheus/postgres.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/postgres.nix
@@ -38,7 +38,7 @@ in {
  };

  systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let
-    localCfg = config.services.prometheus.exporters.postgres; 
+    localCfg = config.services.prometheus.exporters.postgres;
  in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
      EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path;
      ExecStart = ''
--- a/21
+++ b/21
@@ -0,0 +1,21 @@
+export GUM_FILTER_HEIGHT := "15"
+nom := `if command -v nom >/dev/null; then echo nom; else echo nix; fi`
+
+@_default:
+  just "$(gum choose --ordered --header "Pick a recipie..." $(just --summary --unsorted))"
+
+check:
+  nix flake check --keep-going
+
+build-machine machine=`just _a_machine`:
+  {{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel
+
+@update-inputs:
+  nix eval .#inputs --apply builtins.attrNames --json \
+    | jq '.[]' -r \
+    | gum choose --no-limit --height=15 \
+    | xargs nix flake update --commit-lock-file
+
+
+_a_machine:
+  nix eval .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r | gum filter
--- a/misc/rust-motd.nix
+++ b/misc/rust-motd.nix
@@ -32,7 +32,7 @@
            color = "red";
            command = "hostname | ${pkgs.toilet}/bin/toilet -f mono9";
          };
-          
+
          service_status = {
            Accounts = "accounts-daemon";
            Cron = "cron";
@@ -40,16 +40,16 @@
            Matrix = "matrix-synapse";
            sshd = "sshd";
          };
-          
+
          uptime = {
            prefix = "Uptime: ";
          };
-          
+
          # Not relevant for server
          # user_service_status = {
          #   Gpg-agent = "gpg-agent";
          # };
-          
+
          filesystems = let
            inherit (lib.attrsets) attrNames listToAttrs nameValuePair;
            inherit (lib.lists) imap1;
@@ -61,7 +61,7 @@
            getName = i: v: if (v.label != null) then v.label else "<? ${toString i}>";
          in
            imap1Attrs' (i: n: v: nameValuePair (getName i v) n) fileSystems;
-          
+
          memory = {
            swap_pos = "beside"; # or "below" or "none"
          };
@@ -70,14 +70,14 @@
            inherit (lib.lists) imap1;
            inherit (lib.attrsets) filterAttrs nameValuePair attrValues listToAttrs;
            inherit (config.users) users;
-            
+
            normalUsers = filterAttrs (n: v: v.isNormalUser || n == "root") users;
            userNPVs = imap1 (index: user: nameValuePair user.name index) (attrValues normalUsers);
          in listToAttrs userNPVs;

          last_run = {};
        };
-      
+
        toml = pkgs.formats.toml {};

      in toml.generate "rust-motd.toml" cfg;
--- a/modules/snakeoil-certs.nix
+++ b/modules/snakeoil-certs.nix
@@ -36,10 +36,10 @@ in
          type = lib.types.str;
          default = "${name}.key";
        };
-	subject = lib.mkOption {
-	  type = lib.types.str;
-	  default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
-	};
+        subject = lib.mkOption {
+          type = lib.types.str;
+          default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
+        };
      };
    }));
  };
@@ -54,16 +54,16 @@ in
        mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
        if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
        then
-           echo "Regenerating '${value.certificate}'"
-           ${openssl} req \
-             -newkey rsa:4096 \
-             -new -x509 \
-             -days "${toString value.daysValid}" \
-             -nodes \
-             -subj "${value.subject}" \
-             -out "${value.certificate}" \
-             -keyout "${value.certificateKey}" \
-             ${lib.escapeShellArgs value.extraOpenSSLArgs}
+          echo "Regenerating '${value.certificate}'"
+          ${openssl} req \
+            -newkey rsa:4096 \
+            -new -x509 \
+            -days "${toString value.daysValid}" \
+            -nodes \
+            -subj "${value.subject}" \
+            -out "${value.certificate}" \
+            -keyout "${value.certificateKey}" \
+            ${lib.escapeShellArgs value.extraOpenSSLArgs}
        fi
        chown "${value.owner}:${value.group}" "${value.certificate}"
        chown "${value.owner}:${value.group}" "${value.certificateKey}"
--- a/modules/spotifyd.nix
+++ b/modules/spotifyd.nix
@@ -1,44 +0,0 @@
-{ lib, config, ... }:
-
-{
-
-  services.spotifyd.enable = true;
-  # https://docs.spotifyd.rs/config/File.html
-  services.spotifyd.settings = {
-    device_name = "${config.networking.hostName}-spotifyd";
-    device_type = "t_v"; # in ["unknown" "computer" "tablet" "smartphone" "speaker" "t_v"],
-    bitrate = 160; # in [96 160 320]
-    volume_normalisation = true;
-    zeroconf_port = 44677; # instead of user/password
-
-    # this is the place you add blinkenlights
-    #on_song_change_hook = "rm -rf / --no-preserve-root";
-  };
-
-  systemd.services.spotifyd.serviceConfig = {
-    SupplementaryGroups = [
-      "audio"
-      "pipewire"
-    ];
-  };
-
-  services.avahi.enable = true;
-  services.avahi.publish.enable = true;
-  services.avahi.publish.addresses = true;
-  services.avahi.publish.domain = true;
-  services.avahi.extraServiceFiles.spotifyd = ''
-    <?xml version="1.0" standalone='no'?><!--*-nxml-*-->
-    <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
-    <service-group>
-      <name replace-wildcards="yes">%h</name>
-      <service>
-        <type>_spotify-connect._tcp</type>
-        <port>${builtins.toString config.services.spotifyd.settings.zeroconf_port}</port>
-      </service>
-    </service-group>
-  '';
-
-  networking.firewall.allowedTCPPorts = [ config.services.spotifyd.settings.zeroconf_port ];
-  networking.firewall.allowedUDPPorts = [ 5353 ]; # mDNS
-
-}
--- a/shell.nix
+++ b/shell.nix
@@ -1,9 +1,14 @@
 { pkgs ? import <nixpkgs> {} }:
 pkgs.mkShellNoCC {
  packages = with pkgs; [
+    just
+    jq
+    gum
    sops
    gnupg
+    statix
    openstackclient
+    editorconfig-checker
  ];

  shellHook = ''
--- a/statix.toml
+++ b/statix.toml
@@ -0,0 +1,24 @@
+ignore = [".direnv"]
+nix_version = '2.18' # '2.4'
+disabled = [
+    # "bool_comparison", # W01
+    # "empty_let_in", # W02
+    "manual_inherit", # W03
+    "manual_inherit_from", # W04
+    # "legacy_let_syntax", # W05
+    "collapsible_let_in", # W06
+    # "eta_reduction", # W07
+    # "useless_parens", # W08
+    "empty_pattern", # W10
+    # "redundant_pattern_bind", # W11
+    # "unquoted_uri", # W12
+    # "deprecated_is_null", # W13
+    # "empty_inherit", # W14
+    # "faster_groupby", # W15
+    # "faster_zipattrswith", # W16
+    # "deprecated_to_path", # W17
+    # "bool_simplification", # W18
+    # "useless_has_attr", # W19
+    "repeated_keys", # W20
+    "empty_list_concat", # W23
+]
--- a/users/amalieem.nix
+++ b/users/amalieem.nix
@@ -3,10 +3,10 @@
 {
  users.users.amalieem = {
    isNormalUser = true;
-    extraGroups = [ "wheel" ]; 
+    extraGroups = [ "wheel" ];
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsMtFIj4Dem/onwMoWYbosOcU4y7A5nTjVwqWaU33E1 amalieem@matey-aug22"
    ];
  };
-}
+}
--- a/users/jonmro.nix
+++ b/users/jonmro.nix
@@ -3,7 +3,7 @@
 {
  users.users.jonmro = {
    isNormalUser = true;
-    extraGroups = [ "wheel" "drift" "nix-builder-users" ]; 
+    extraGroups = [ "wheel" "drift" "nix-builder-users" ];
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm5PfYmfl/0fnAP/3coVlvTw3/TYNLT6r/NwJHZbLAK jonrodtang@gmail.com"
Author	SHA1	Message	Date
h7x4	c51ecabf52	WIP	2024-08-15 00:13:29 +02:00
Øystein Tveit	d64d8edd68	bekkalokk/gitea: add some extra tabs	2024-08-14 17:36:19 +02:00
Peder Bergebakken Sundt	4de7bd09bd	Merge pull request 'enable thermald on physical machines' (!61 ) from thermald into main Reviewed-on: #61 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-08-14 17:31:44 +02:00
Peder Bergebakken Sundt	0f5c48902b	Merge pull request 'users: disable password login for users in @wheel' (!62 ) from fix-deploy into main Reviewed-on: #62 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-08-14 17:31:08 +02:00
Peder Bergebakken Sundt	36a8868f94	users: disable password login for users in @wheel	2024-08-11 03:42:26 +02:00
Peder Bergebakken Sundt	fe3e5d6a3d	enable thermald on physical machines	2024-08-10 23:55:29 +02:00
Peder Bergebakken Sundt	2f3bcaf124	shell.nix: fix typo	2024-08-10 18:15:31 +02:00
Peder Bergebakken Sundt	c6684d5146	Merge pull request 'justfile: init' (!56 ) from justfile into main Reviewed-on: #56 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-08-07 12:22:04 +02:00
Peder Bergebakken Sundt	f6cb934ffb	Merge pull request 'flake.nix: simplify allMachines' (!59 ) from attrnames into main Reviewed-on: #59 Reviewed-by: Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>	2024-08-04 23:44:54 +02:00
Peder Bergebakken Sundt	9625258942	Merge pull request 'flake.nix: export snakeoil-certs and snappymail nixos modules' (!58 ) from export-modules into main Reviewed-on: #58 Reviewed-by: Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>	2024-08-04 23:44:19 +02:00
Peder Bergebakken Sundt	34637e383a	justfile: add update-inputs recipe	2024-08-04 17:19:40 +02:00
Peder Bergebakken Sundt	0bfa6ac329	flake.nix: export inputs	2024-08-04 17:19:33 +02:00
Peder Bergebakken Sundt	2c3261de74	flake.nix: simplify allMachines	2024-08-04 17:11:21 +02:00
Peder Bergebakken Sundt	c2e6f294ea	flake.nix: export snakeoil-certs and snappymail nixos modules	2024-08-04 16:48:21 +02:00
Peder Bergebakken Sundt	41e94695f0	Merge pull request 'editorconfig' (!55 ) from editorconfig into main Reviewed-on: #55 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-08-04 16:20:23 +02:00
Peder Bergebakken Sundt	c6b4ea9929	add .git-blame-ignore-revs	2024-08-04 04:39:17 +02:00
Peder Bergebakken Sundt	9dbf5d56f5	fix whitespacing issues	2024-08-04 04:37:23 +02:00
Peder Bergebakken Sundt	64b5bb548b	editorconfig: init	2024-08-04 04:35:25 +02:00
Peder Bergebakken Sundt	261c8e0811	Merge pull request 'Run statix' (!54 ) from statix into main Reviewed-on: #54 Reviewed-by: Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>	2024-08-04 04:26:23 +02:00
Peder Bergebakken Sundt	4476cdcbbc	justfile: init	2024-08-04 03:28:17 +02:00
Peder Bergebakken Sundt	1714681532	`statix fix`	2024-08-04 01:46:00 +02:00
Peder Bergebakken Sundt	314c7960d1	statix: init	2024-08-04 01:45:20 +02:00