
1 Commits

Author SHA1 Message Date
8bef6bb33c Add exim monitoring to prometheus 2023-01-15 00:19:41 +01:00
46 changed files with 909 additions and 6204 deletions


@@ -1,51 +1,33 @@
keys:
# Users
- &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
- &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
- &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
# Hosts
- &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
- &host_jokum age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
- &host_ildkule age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
- &host_bekkalokk age13t2nnr6yukmtda6wn2uggfcj0dmwce8347y8w6xzt4yje6wlgscqnahuqm
- &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
creation_rules:
# Global secrets
- path_regex: secrets/[^/]+\.yaml$
key_groups:
- age:
- *user_danio
- *host_jokum
- *user_danio
- *user_felixalb
pgp:
- *user_oysteikt
# Host specific secrets
- path_regex: secrets/bekkalokk/[^/]+\.yaml$
key_groups:
- age:
- *host_bekkalokk
- *user_danio
- *user_felixalb
pgp:
- *user_oysteikt
## Jokum
- path_regex: secrets/jokum/[^/]+\.yaml$
key_groups:
- age:
- *host_jokum
- *user_danio
- *user_felixalb
- *host_jokum
pgp:
- *user_oysteikt
- path_regex: secrets/ildkule/[^/]+\.yaml$
key_groups:
- age:
- *host_ildkule
- *user_danio
- *user_felixalb
- *user_danio
- *host_ildkule
pgp:
- *user_oysteikt
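Review bot: `&host_jokum` appears with two different age recipients and the hunk shrinks from 51 to 33 lines, so this change seems to replace jokum's key and drop other recipients (the page does not mark which side each line is on). Editing `.sops.yaml` re-encrypts nothing: each file under `secrets/` keeps its old recipient list until `sops updatekeys <file>` is run on it, and a removed key can still decrypt earlier revisions in git history, so the secret values themselves need rotating. I would add a comment above `creation_rules:` such as `# after changing recipients: run sops updatekeys on every matching file; rotate the secrets when a key is removed`. Separately, the `path_regex` values are not anchored at the start; `^secrets/[^/]+\.yaml$` would keep a nested `.../secrets/x.yaml` from matching the global rule.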


@@ -16,7 +16,7 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
som root på maskinen.
@@ -37,11 +37,3 @@ for å få tilgang til å lese/skrive hemmeligheter må du spørre noen/noe som
om å legge til age eller pgp nøkkelen din i [`.sops.yaml`](https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/.sops.yaml)
Denne kan du generere fra ssh-nøkkelene dine eller lage en egen nøkkel.
### Legge til flere keys
Gjør det som gir mening i .sops.yml
Etter det kjør `sops updatekeys secrets/host/file.yml`
MERK at det ikke er `sops -r` som BARE roterer nøkklene for de som allerede er i secretfila


@@ -1,4 +1,4 @@
{ config, lib, pkgs, inputs, values, ... }:
{ config, pkgs, inputs, ... }:
{
imports = [
@@ -7,15 +7,10 @@
networking.domain = "pvv.ntnu.no";
networking.useDHCP = false;
# networking.search = [ "pvv.ntnu.no" "pvv.org" ];
# networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
# networking.tempAddresses = lib.mkDefault "disabled";
# networking.defaultGateway = values.hosts.gateway;
systemd.network.enable = true;
networking.search = [ "pvv.ntnu.no" "pvv.org" ];
services.resolved = {
enable = lib.mkDefault true;
enable = true;
dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
};
@@ -55,11 +50,8 @@
environment.systemPackages = with pkgs; [
file
git
gnupg
htop
nano
rsync
screen
tmux
vim
wget

49
flake.lock generated

@@ -1,30 +1,28 @@
{
"nodes": {
"matrix-next": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1676674799,
"narHash": "sha256-NaZWOgNrco5OT0J5VrWg02SCkKz8RV1sxRjh0/MWMEc=",
"lastModified": 1671009204,
"narHash": "sha256-gqA9po/KmHyh44XYqv/LfFJ1+MGufhaaD6DhDqBeaF8=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "362496f4aacb680406db3fad36f98d38e8285b30",
"rev": "43dbc17526576cb8e0980cef51c48b6598f97550",
"type": "github"
},
"original": {
"owner": "dali99",
"ref": "flake-experiments",
"repo": "nixos-matrix-modules",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1680879128,
"narHash": "sha256-ISFCCZ3/Dw5WK/6kFKwqA6gIEaOjqU/5NoB6Vge87sE=",
"lastModified": 1670946965,
"narHash": "sha256-PDJfKgK/aSV3ISnD1TbKpLPW85LO/AQI73yQjbwribA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fa98075869eb8264052548dde5c2ce9e68cf4cf1",
"rev": "265caf30fa0a5148395b62777389b57eb0a537fd",
"type": "github"
},
"original": {
@@ -34,28 +32,13 @@
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1673743903,
"narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1680390120,
"narHash": "sha256-RyDJcG/7mfimadlo8vO0QjW22mvYH1+cCqMuigUntr8=",
"lastModified": 1670146390,
"narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c1e2efaca8d8a3db6a36f652765d6c6ba7bb8fae",
"rev": "86370507cb20c905800527539fc049a2bf09c667",
"type": "github"
},
"original": {
@@ -81,11 +64,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1680404136,
"narHash": "sha256-06D8HJmRv4DdpEQGblMhx2Vm81SBWM61XBBIx7QQfo0=",
"lastModified": 1670149631,
"narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "b93eb910f768f9788737bfed596a598557e5625d",
"rev": "da98a111623101c64474a14983d83dad8f09f93d",
"type": "github"
},
"original": {
@@ -96,11 +79,11 @@
},
"unstable": {
"locked": {
"lastModified": 1680882415,
"narHash": "sha256-trt2pwLDu1+kEtp3bx2DiYgg8CFWNbes+ujdAtSBO/U=",
"lastModified": 1670918062,
"narHash": "sha256-iOhkyBYUU9Jfkk0lvI4ahpjyrTsLXj9uyJWwmjKg+gg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "cd07e0258cf73e1bcbd0c9abc5513baa091ee801",
"rev": "84575b0bd882be979516f4fecfe4d7c8de8f6a92",
"type": "github"
},
"original": {


@@ -8,10 +8,10 @@
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules";
matrix-next.url = "github:dali99/nixos-matrix-modules/flake-experiments";
};
outputs = { self, nixpkgs, matrix-next, unstable, sops-nix, ... }@inputs:
outputs = { self, nixpkgs, unstable, sops-nix, ... }@inputs:
let
systems = [
"x86_64-linux"
@@ -19,32 +19,26 @@
];
forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
in {
nixosConfigurations = let
nixosConfig = name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
config
rec {
nixosConfigurations = {
jokum = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit unstable inputs;
values = import ./values.nix;
};
specialArgs = { inherit unstable inputs; };
modules = [
./hosts/${name}/configuration.nix
./hosts/jokum/configuration.nix
sops-nix.nixosModules.sops
inputs.matrix-next.nixosModules.synapse
];
};
ildkule = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit unstable inputs; };
modules = [
./hosts/ildkule/configuration.nix
sops-nix.nixosModules.sops
matrix-next.nixosModules.synapse
];
});
in {
bicep = nixosConfig "bicep" { };
bekkalokk = nixosConfig "bekkalokk" { };
greddost = nixosConfig "greddost" { };
ildkule = nixosConfig "ildkule" { };
jokum = nixosConfig "jokum" {
modules = [ matrix-next.nixosModules.synapse ];
};
};
devShells = forAllSystems (system: {
default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
});
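Review bot: `matrix-next.url` on the new side of the first hunk points at a branch, `github:dali99/nixos-matrix-modules/flake-experiments`, and the module it provides is imported into jokum's system configuration. flake.lock pins the revision, but any later `nix flake update` moves to whatever that branch contains at the time. A comment on the line, e.g. `# feature branch; review the upstream diff before bumping the lock`, or a fixed rev in the URL, would make that trust decision explicit.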


@@ -1,33 +0,0 @@
{ pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
# TODO: set up authentication for the following:
# ./services/website/website.nix
# ./services/website/nginx.nix
# ./services/website/gitea.nix
# ./services/website/mediawiki.nix
];
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "bekkalokk";
systemd.network.networks."30-ens33" = values.defaultNetworkConfig // {
matchConfig.Name = "ens33";
address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11";
}


@@ -1,37 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ata_piix" "mptspi" "uhci_hcd" "ehci_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/cdcafe3a-01d8-4bdf-9a3d-78705b581090";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/1CB4-280D";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/3eaace48-91ec-4d46-be86-fd26877d8b86"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens33.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -1,4 +0,0 @@
{ ... }:
{
}


@@ -1,4 +0,0 @@
{ ... }:
{
}


@@ -1,26 +0,0 @@
{ config, values, ... }:
{
sops.secrets."postgres/gitea/password" = { };
services.gitea = {
enable = true;
rootUrl = "https://git2.pvv.ntnu.no/";
stateDir = "/data/gitea";
appName = "PVV Git";
enableUnixSocket = true;
database = {
type = "postgres";
host = values.bicep.ipv4;
port = config.services.postgresql.port;
passwordFile = config.sops.secrets."postgres/gitea/password".path;
createDatabase = false;
};
settings = {
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
};
};
}


@@ -1,23 +0,0 @@
{ values, config, ... }:
{
sops.secrets = {
"mediawiki/password" = { };
"postgres/mediawiki/password" = { };
};
services.mediawiki = {
enable = true;
name = "PVV";
passwordFile = config.sops.secrets."mediawiki/password".path;
virtualHost = {
};
database = {
type = "postgres";
host = values.bicep.ipv4;
port = config.services.postgresql.port;
passwordFile = config.sops.secrets."postgres/mediawiki/password".path;
};
};
}


@@ -1,30 +0,0 @@
{ config, ... }:
{
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts = {
"www.pvv.ntnu.no" = {
forceSSL = true;
locations = {
"/pvv" = {
proxyPass = "http://localhost:${config.services.mediawiki.virtualHost.listen.pvv.port}";
};
};
};
"git.pvv.ntnu.no" = {
locations."/" = {
proxyPass = "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
proxyWebsockets = true;
};
};
};
};
}


@@ -1,4 +0,0 @@
{ ... }:
{
}


@@ -1,36 +0,0 @@
{ pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
./services/postgres.nix
./services/jokum.nix
./services/jackson.nix
];
sops.defaultSopsFile = ../../secrets/bicep/bicep.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/disk/by-id/scsi-3600508b1001cb1a8751c137b30610682";
networking.hostName = "bicep";
systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp6s0f0";
address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
systemd.network.wait-online = {
ignoredInterfaces = [ "enp6s0f1" ];
anyInterface = true;
};
# Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11";
}


@@ -1,40 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "hpsa" "ohci_pci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/31a67903-dc00-448a-a24a-36e820318fe5";
fsType = "ext4";
};
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/79e93eed-ad95-45c9-b115-4ef92afcc8c0";
fsType = "f2fs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f2.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -1,15 +0,0 @@
{ pkgs, config, secrets, inputs, ... }:
let
jackson = pkgs.callPackage ../../../pkgs/jackson { };
in {
systemd.services.jackson = {
description = "Jackson";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${jackson}/bin/jackson";
DynamicUser = true;
Restart = "always";
};
};
}


@@ -1,51 +0,0 @@
{config, lib, pkgs, inputs, values, ...}:
{
# lfmao
containers.jokum = {
autoStart = true;
# wtf
#path = inputs.self.nixosConfigurations.jokum.config.system.build.toplevel;
interfaces = [ "enp6s0f1" ];
bindMounts = {
"/data" = { hostPath = "/data/jokum"; isReadOnly = false; };
};
config = {config, pkgs, ...}: let
inherit values inputs;
in {
imports = [
inputs.sops-nix.nixosModules.sops
inputs.matrix-next.nixosModules.synapse
../../jokum/services/matrix
../../jokum/services/nginx
];
_module.args = {
inherit values inputs;
};
sops.defaultSopsFile = ../../../secrets/jokum/jokum.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
services.openssh = {
enable = true;
permitRootLogin = "yes";
};
systemd.network.enable = true;
networking.useHostResolvConf = false;
systemd.network.networks."30-enp6s0f1" = values.defaultNetworkConfig // {
matchConfig.Name = "enp6s0f1";
address = with values.hosts.jokum; [ (ipv4 + "/25") (ipv6 + "/64") ]
++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
};
system.stateVersion = "21.05";
};
};
}


@@ -1,75 +0,0 @@
{ pkgs, ... }:
{
services.postgresql = {
enable = true;
package = pkgs.postgresql_15;
enableTCPIP = true;
dataDir = "/data/postgresql";
authentication = ''
host all all 129.241.210.128/25 md5
host all all 2001:700:300:1900::/64 md5
'';
# Hilsen https://pgconfigurator.cybertec-postgresql.com/
settings = {
# Connectivity
max_connections = 500;
superuser_reserved_connections = 3;
# Memory Settings
shared_buffers = "2048 MB";
work_mem = "32 MB";
maintenance_work_mem = "320 MB";
effective_cache_size = "6 GB";
effective_io_concurrency = 100;
random_page_cost = 1.25;
# Monitoring
shared_preload_libraries = "pg_stat_statements";
track_io_timing = true;
track_functions = "pl";
# Replication
wal_level = "replica";
max_wal_senders = 0;
synchronous_commit = false;
# Checkpointing:
checkpoint_timeout = "15 min";
checkpoint_completion_target = 0.9;
max_wal_size = "1024 MB";
min_wal_size = "512 MB";
# WAL writing
wal_compression = true;
wal_buffers = -1;
# Background writer
bgwriter_delay = "200ms";
bgwriter_lru_maxpages = 100;
bgwriter_lru_multiplier = 2.0;
bgwriter_flush_after = 0;
# Parallel queries:
max_worker_processes = 8;
max_parallel_workers_per_gather = 4;
max_parallel_maintenance_workers = 4;
max_parallel_workers = 8;
parallel_leader_participation = true;
# Advanced features
enable_partitionwise_join = true;
enable_partitionwise_aggregate = true;
jit = true;
max_slot_wal_keep_size = "1000 MB";
track_wal_io_timing = true;
maintenance_io_concurrency = 100;
wal_recycle = true;
};
};
networking.firewall.allowedTCPPorts = [ 5432 ];
networking.firewall.allowedUDPPorts = [ 5432 ];
}


@@ -1,4 +1,4 @@
{ config, pkgs, values, ... }:
{ config, pkgs, ... }:
{
imports = [
# Include the results of the hardware scan.
@@ -20,10 +20,26 @@
networking.hostName = "ildkule"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.ildkule; [ (ipv4 + "/25") (ipv6 + "/64") ];
networking.interfaces.ens18.useDHCP = false;
networking.defaultGateway = "129.241.210.129";
networking.interfaces.ens18.ipv4 = {
addresses = [
{
address = "129.241.210.187";
prefixLength = 25;
}
];
};
networking.interfaces.ens18.ipv6 = {
addresses = [
{
address = "2001:700:300:1900::187";
prefixLength = 64;
}
];
};
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
# List packages installed in system profile
environment.systemPackages = with pkgs; [



@@ -2,7 +2,7 @@
{
imports = [
./prometheus
./prometheus.nix
./grafana.nix
./loki.nix
];


@@ -1,41 +1,15 @@
{ config, pkgs, values, ... }: let
{ config, pkgs, ... }:
let
cfg = config.services.grafana;
in {
sops.secrets = let
owner = "grafana";
group = "grafana";
in {
"keys/grafana/secret_key" = { inherit owner group; };
"keys/grafana/admin_password" = { inherit owner group; };
"keys/postgres/grafana" = { inherit owner group; };
};
services.grafana = {
enable = true;
settings = let
# See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
secretFile = path: "$__file{${path}}";
in {
server = {
settings.server = {
domain = "ildkule.pvv.ntnu.no";
http_port = 2342;
http_addr = "127.0.0.1";
};
security = {
secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
};
database = {
type = "postgres";
user = "grafana";
host = "${values.hosts.bicep.ipv4}:5432";
password = secretFile config.sops.secrets."keys/postgres/grafana".path;
};
};
provision = {
enable = true;
datasources.settings.datasources = [
@@ -64,18 +38,6 @@ in {
url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
options.path = dashboards/synapse.json;
}
{
name = "Postgresql";
type = "file";
url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
options.path = dashboards/postgres.json;
}
{
name = "Go Processes (gogs)";
type = "file";
url = "https://grafana.com/api/dashboards/240/revisions/3/download";
options.path = dashboards/go-processes.json;
}
];
};
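Review bot: The new side of the first hunk configures only `settings.server`, so the `security.secret_key`, `security.admin_password` and `database` settings that read sops-managed files are gone and nothing in the visible lines replaces them. Unless they are set in the part of the file outside the hunks, Grafana then runs with the built-in defaults for the admin password and the signing key, both of which are publicly known values. `http_addr = "127.0.0.1"` limits direct access, but the instance is presumably published through the nginx proxy, so I would keep at least `security.admin_password = "$__file{${config.sops.secrets."keys/grafana/admin_password".path}}";` and the matching `secret_key` line, together with their `sops.secrets` entries.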


@@ -0,0 +1,76 @@
{ config, pkgs, ... }:
let
cfg = config.services.prometheus;
in {
services.prometheus = {
enable = true;
listenAddress = "127.0.0.1";
port = 9001;
scrapeConfigs = [
{
job_name = "node";
static_configs = [
{
targets = [
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
"microbel.pvv.ntnu.no:9100"
"isvegg.pvv.ntnu.no:9100"
"knakelibrak.pvv.ntnu.no:9100"
];
}
];
}
{
job_name = "exim";
scrape_interval = "60s";
static_configs = [
{
targets = [
"microbel.pvv.ntnu.no:9636"
];
}
];
}
{
job_name = "synapse";
scrape_interval = "15s";
scheme = "https";
http_sd_configs = [
{
url = "https://matrix.pvv.ntnu.no/metrics/config.json";
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
regex = "[^/]+(/.*)";
target_label = "__metrics_path__";
}
{
source_labels = [ "__address__" ];
regex = "([^/]+)/.*";
target_label = "instance";
}
{
source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
target_label = "job";
}
{
source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
target_label = "index";
}
{
source_labels = [ "__address__" ];
regex = "([^/]+)/.*";
target_label = "__address__";
}
];
}
];
ruleFiles = [ rules/synapse-v2.rules ];
};
}
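Review bot: The `exim` job, like the `node` targets, is scraped over the default `http` scheme with no authentication, so whether port 9636 on microbel answers anyone other than ildkule depends entirely on that host's firewall, which this file cannot show. A comment on the job naming the exporter and stating that the port must be restricted to the Prometheus host would record the assumption, e.g. `# exim exporter on microbel; port 9636 must only accept ildkule`. The five `relabel_configs` regexes in the `synapse` job would also benefit from a one-line comment each, since they split `__address__` into metrics path, instance, job and index and are hard to verify by eye.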


@@ -1,16 +0,0 @@
{ config, ... }: {
imports = [
./node.nix
./matrix-synapse.nix
./postgres.nix
./gogs.nix
];
services.prometheus = {
enable = true;
listenAddress = "127.0.0.1";
port = 9001;
ruleFiles = [ rules/synapse-v2.rules ];
};
}


@@ -1,16 +0,0 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "git-gogs";
scheme = "https";
metrics_path = "/-/metrics";
static_configs = [
{
targets = [
"essendrop.pvv.ntnu.no:443"
];
}
];
}];
}


@@ -1,40 +0,0 @@
{ ... }:
{
services.prometheus.scrapeConfigs = [{
job_name = "synapse";
scrape_interval = "15s";
scheme = "https";
http_sd_configs = [{
url = "https://matrix.pvv.ntnu.no/metrics/config.json";
}];
relabel_configs = [
{
source_labels = [ "__address__" ];
regex = "[^/]+(/.*)";
target_label = "__metrics_path__";
}
{
source_labels = [ "__address__" ];
regex = "([^/]+)/.*";
target_label = "instance";
}
{
source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
target_label = "job";
}
{
source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
target_label = "index";
}
{
source_labels = [ "__address__" ];
regex = "([^/]+)/.*";
target_label = "__address__";
}
];
}];
}


@@ -1,22 +0,0 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "node";
static_configs = [
{
targets = [
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
"microbel.pvv.ntnu.no:9100"
"isvegg.pvv.ntnu.no:9100"
"knakelibrak.pvv.ntnu.no:9100"
"hildring.pvv.ntnu.no:9100"
"bicep.pvv.ntnu.no:9100"
"jokum.pvv.ntnu.no:9100"
"essendrop.pvv.ntnu.no:9100"
"andresbu.pvv.ntnu.no:9100"
];
}
];
}];
}


@@ -1,51 +0,0 @@
{ pkgs, lib, config, values, ... }: let
cfg = config.services.prometheus;
in {
sops.secrets = {
"keys/postgres/postgres_exporter_env" = {};
"keys/postgres/postgres_exporter_knakelibrak_env" = {};
};
services.prometheus = {
scrapeConfigs = [
{
job_name = "postgres";
scrape_interval = "15s";
static_configs = [{
targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
labels = {
server = "bicep";
};
}];
}
{
job_name = "postgres-knakelibrak";
scrape_interval = "15s";
static_configs = [{
targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
labels = {
server = "knakelibrak";
};
}];
}
];
exporters.postgres = {
enable = true;
extraFlags = [ "--auto-discover-databases" ];
environmentFile = config.sops.secrets."keys/postgres/postgres_exporter_env".path;
};
};
systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let
localCfg = config.services.prometheus.exporters.postgres;
in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path;
ExecStart = ''
${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \
--web.listen-address ${localCfg.listenAddress}:${toString (localCfg.port + 1)} \
--web.telemetry-path ${localCfg.telemetryPath} \
${lib.concatStringsSep " \\\n " localCfg.extraFlags}
'';
};
}


@@ -1,5 +1,7 @@
{ config, values, ... }:
{config, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "drift@pvv.ntnu.no";
@@ -8,17 +10,6 @@
services.nginx = {
enable = true;
enableReload = true;
defaultListenAddresses = [
values.hosts.ildkule.ipv4
"[${values.hosts.ildkule.ipv6}]"
"127.0.0.1"
"127.0.0.2"
"[::1]"
];
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;


@@ -1,31 +1,59 @@
{ config, pkgs, values, ... }:
{ config, pkgs, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
# ../../misc/metrics-exporters.nix
# Users can just import any configuration they want even for non-user things. Improve the users/default.nix to just load some specific attributes if this isn't wanted
../../misc/rust-motd.nix
# ./services/matrix
# ./services/nginx
./services/matrix
./services/nginx
];
# sops.defaultSopsFile = ../../secrets/jokum/jokum.yaml;
# sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# sops.age.keyFile = "/var/lib/sops-nix/key.txt";
# sops.age.generateKey = true;
sops.defaultSopsFile = ../../secrets/jokum/jokum.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.kernel.enable = false;
boot.isContainer = true;
boot.loader.initScript.enable = true;
networking.useHostResolvConf = false;
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.devices = [ "/dev/sda" ];
networking.hostName = "jokum"; # Define your hostname.
systemd.network.networks."30-enp6s0f1" = values.defaultNetworkConfig // {
matchConfig.Name = "ens10f1";
address = with values.hosts.jokum; [ (ipv4 + "/25") (ipv6 + "/64") ]
++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
networking.interfaces.ens18.useDHCP = false;
networking.defaultGateway = "129.241.210.129";
networking.interfaces.ens18.ipv4 = {
addresses = [
{
address = "129.241.210.169";
prefixLength = 25;
}
{
address = "129.241.210.213";
prefixLength = 25;
}
];
};
networking.interfaces.ens18.ipv6 = {
addresses = [
{
address = "2001:700:300:1900::169";
prefixLength = 64;
}
{
address = "2001:700:300:1900::213";
prefixLength = 64;
}
];
};
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
# List packages installed in system profile
environment.systemPackages = with pkgs; [
@@ -40,4 +68,5 @@
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}


@@ -0,0 +1,29 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/1a8bf91a-5948-40c2-a9fd-7a33e46fa441";
fsType = "ext4";
};
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/c812e204-b998-4ec5-9f26-29c5808ed6ba";
fsType = "ext4";
};
swapDevices = [ ];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -7,7 +7,6 @@
./synapse-admin.nix
./element.nix
./coturn.nix
./mjolnir.nix
./discord.nix
];


@@ -1,7 +1,6 @@
{ config, lib, pkgs, ... }:
let
synapse-cfg = config.services.matrix-synapse-next;
in {
{
services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
@@ -42,8 +41,7 @@ in {
];
enable_presence_by_hs_url = {
"https://matrix.org" = false;
# "https://matrix.dodsorf.as" = false;
"${synapse-cfg.settings.public_baseurl}" = synapse-cfg.settings.presence.enabled;
"https://matrix.dodsorf.as" = false;
};
};
};


@@ -1,54 +0,0 @@
{ config, lib, ... }:
{
sops.secrets."matrix/mjolnir/access_token" = {
owner = config.users.users.mjolnir.name;
group = config.users.users.mjolnir.group;
};
services.mjolnir = {
enable = true;
pantalaimon.enable = false;
homeserverUrl = http://127.0.0.1:8008;
accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
protectedRooms = map (a: "https://matrix.to/#/${a}") [
"#pvv:pvv.ntnu.no"
"#stand:pvv.ntnu.no"
"#music:pvv.ntnu.no"
"#arts-and-crafts:pvv.ntnu.no"
"#programming:pvv.ntnu.no"
"#talks-and-texts:pvv.ntnu.no"
"#job-offers:pvv.ntnu.no"
"#vaffling:pvv.ntnu.no"
"#pvv-fadder:pvv.ntnu.no"
"#offsite:pvv.ntnu.no"
"#help:pvv.ntnu.no"
"#garniske-algoritmer:pvv.ntnu.no"
"#bouldering:pvv.ntnu.no"
"#filmclub:pvv.ntnu.no"
"#video-games:pvv.ntnu.no"
"#board-games:pvv.ntnu.no"
"#tabletop-rpgs:pvv.ntnu.no"
"#anime:pvv.ntnu.no"
"#general:pvv.ntnu.no"
"#announcements:pvv.ntnu.no"
"#memes:pvv.ntnu.no"
"#drift:pvv.ntnu.no"
"#notifikasjoner:pvv.ntnu.no"
"#forespoersler:pvv.ntnu.no"
"#krisekanalen:pvv.ntnu.no"
"#styret:pvv.ntnu.no"
];
settings = {
admin.enableMakeRoomAdminCommand = true;
};
# Module wants it even when not using pantalaimon
# TODO: Fix upstream module in nixpkgs
pantalaimon.username = "bot_admin";
};
}


@@ -1,10 +1,8 @@
{ config, lib, pkgs, values, inputs, ... }:
{ config, lib, pkgs, ... }:
let
cfg = config.services.matrix-synapse-next;
matrix-lib = inputs.matrix-next.lib;
imap0Attrs = with lib; f: set:
listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
in {
@@ -18,28 +16,22 @@ in {
group = config.users.users.matrix-synapse.group;
};
sops.secrets."matrix/synapse/user_registration" = {
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
};
services.matrix-synapse-next = {
enable = true;
dataDir = "/data/synapse";
workers.federationSenders = 2;
workers.federationReceivers = 2;
workers.federationReceivers = 1;
workers.initialSyncers = 1;
workers.normalSyncers = 1;
workers.eventPersisters = 2;
workers.eventPersisters = 1;
workers.useUserDirectoryWorker = true;
enableNginx = true;
extraConfigFiles = [
config.sops.secrets."matrix/synapse/dbconfig".path
config.sops.secrets."matrix/synapse/user_registration".path
];
settings = {
@@ -50,14 +42,6 @@ in {
media_store_path = "${cfg.dataDir}/media";
presence.enabled = false;
caches = {
per_cache_factors = {
_event_auth_cache = 2.0;
};
};
autocreate_auto_join_rooms = false;
auto_join_rooms = [
"#pvv:pvv.ntnu.no" # Main space
@@ -70,7 +54,6 @@ in {
max_upload_size = "150M";
enable_metrics = true;
mau_stats_only = true;
enable_registration = false;
@@ -189,38 +172,37 @@ in {
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [({
locations = let
connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";
isListenerType = type: listener: lib.lists.any (r: lib.lists.any (n: n == type) r.names) listener.resources;
isMetricsListener = l: isListenerType "metrics" l;
firstMetricsListener = w: lib.lists.findFirst isMetricsListener (throw "No metrics endpoint on worker") w.settings.worker_listeners;
wAddress = w: lib.lists.findFirst (_: true) (throw "No address in receiver") (firstMetricsListener w).bind_addresses;
wPort = w: (firstMetricsListener w).port;
socketAddress = w: "${wAddress w}:${toString (wPort w)}";
metricsPath = w: "/metrics/${w.type}/${toString w.index}";
proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
in lib.mapAttrs' (n: v: lib.nameValuePair
(metricsPath v) ({
proxyPass = proxyPath v;
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
}))
in lib.mapAttrs' (n: v: lib.nameValuePair (metricsPath v) ({ proxyPass = proxyPath v; }))
cfg.workers.instances;
})
({
locations."/metrics/master/1" = {
proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
};
locations."/metrics/" = let
endpoints = lib.pipe cfg.workers.instances [
(lib.mapAttrsToList (_: v: v))
(map (w: "${w.type}/${toString w.index}"))
(map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
endpoints = builtins.map (x: "matrix.pvv.ntnu.no/metrics/${x}") [
"master/1"
"fed-sender/1"
"fed-sender/2"
"fed-receiver/1"
"initial-sync/1"
"normal-sync/1"
"event-persist/1"
"user-dir/1"
];
in {
alias = pkgs.writeTextDir "/config.json"
(builtins.toJSON [
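Review bot: The per-worker metrics locations and `/metrics/master/1` appear to lose their `allow …; deny all;` guard on the new side, so each proxied `/_synapse/metrics` endpoint would answer any client that reaches matrix.pvv.ntnu.no. The +/- markers are lost in this rendering, so this reading is inferred: the `extraConfig` blocks reference `values`, which the new argument list no longer takes. If that is right, I would keep an address filter on every metrics location, e.g. `extraConfig = "allow <prometheus-host-ip>; deny all;";` (placeholder address). The literal `endpoints` list also has to be kept in step with the `workers.*` counts by hand, which deserves a comment next to it. The `locations."/metrics/"` block continues outside the hunk.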


@@ -1,5 +1,7 @@
{ config, values, ... }:
{config, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "danio@pvv.ntnu.no";
@@ -8,16 +10,7 @@
services.nginx = {
enable = true;
enableReload = true;
defaultListenAddresses = [
values.hosts.jokum.ipv4
"[${values.hosts.jokum.ipv6}]"
"127.0.0.1"
"127.0.0.2"
"[::1]"
];
defaultListenAddresses = [ "129.241.210.169" "127.0.0.1" "127.0.0.2" "[2001:700:300:1900::169]" "[::1]" ];
recommendedProxySettings = true;
recommendedTlsSettings = true;
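Review bot: The literal entries in `defaultListenAddresses` give no indication of which host they belong to or why `127.0.0.2` is bound alongside `127.0.0.1`. A one-line comment above the list, e.g. `# jokum: public IPv4/IPv6 plus loopback addresses`, would make it harder to bind nginx to the wrong interface when this file is copied or the host is renumbered. The mapping to jokum is taken from the other side of this hunk, which names the same addresses via `values.hosts.jokum`. The `services.nginx` block continues outside the hunk.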


@@ -1,4 +1,4 @@
{ config, pkgs, values, ... }:
{ config, pkgs, ... }:
{
services.prometheus.exporters.node = {
@@ -7,19 +7,6 @@
enabledCollectors = [ "systemd" ];
};
systemd.services.prometheus-node-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = [ 9100 ];
services.promtail = {
enable = true;
configuration = {
@@ -47,10 +34,6 @@
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
];
}
];


@@ -1,32 +0,0 @@
{ lib, buildNpmPackage, fetchFromGitHub }:
buildNpmPackage rec {
pname = "jackson";
version = "1.9.6";
src = fetchFromGitHub {
owner = "boxyhq";
repo = pname;
rev = "v${version}";
hash = "sha256-iZKl2dBBEQLemHMSa6rXYAuCo02WhG/BcYKTmCm46hI=";
};
prePhase = ''
export HOME=$TMPDIR
'';
npmDepsHash = "sha256-pYGdbmfewdvVuNfuWLlj5TmxQGdQfqPZs6TXzttoHYo=";
# The prepack script runs the build script, which we'd rather do in the build phase.
npmFlags = [ "--loglevel silent" ];
#NODE_OPTIONS = "--openssl-legacy-provider";
meta = with lib; {
description = "Enterprise SSO made simple";
homepage = "https://github.com/boxyhq/jackson";
license = licenses.asl20;
maintainers = with maintainers; [ felixalbrigtsen ];
};
}


@@ -1,66 +0,0 @@
gitea:
password: ENC[AES256_GCM,data:hlNzdU1ope0t50/3aztyLeXjMHd2vFPpwURX+Iu8f49DOqgSnEMtV+KtLA==,iv:qljRnSnchL5cFmaUAfCH9GQYQxcy5cyWejgk1x6bFgI=,tag:tIhboFU5kZsj5oAQR3hLbw==,type:str]
mediawiki:
password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
keys:
postgres:
gitea: ENC[AES256_GCM,data:lG4P8kzp7Zq94WftN7p1RJqM65esPuTFZ2JJWkFFXTzlid2DRZPsG2FGIA==,iv:JvHQUgwwb7wJTNMxjLjOUw5sKKWlyMJafVaUOLUu9Sk=,tag:qE0+gDFU/YtghqCv/d2Qgw==,type:str]
mediawiki: ENC[AES256_GCM,data:p+s/uQ3ywQY9RpImFWTxjt1orzl905i9kTQPzsAIs6hAK5t3B00XVzKZgQ==,iv:xp3PRrjCGFxCsRZOlJGIonBOKWJ+3/1CByc4q7O3vDw=,tag:bfKlU2Pcoq0cQjbhp+UXag==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSYUR4TjA3WU96TzV6R1V5
TFpPUW1CdnRZck50bzJSb3VnUXFYUDhxM2hJCmI2Q0p3ZVZGS0U4UmNaQ0Z3Vmgv
MkNyS1hVUWs5UjZ3cTJRU0pWbmFSeEkKLS0tIGlIRGYxTjgzWmVWbXRwTjhHdnRx
U3JMU1ZUT1ZhT2xSbHRLVXgzODB1NXcKJ2LTJB2oKffW+aZgkEEwp+xhAY0FpnBl
5GqUdZrgkNOV0pvgVAOoXMyCdZbndYLS+dUzggnF91HJOr87wRH4uw==
-----END AGE ENCRYPTED FILE-----
- recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUmpzTVdlRlg0OHBFQ2lq
eDdmOUlxbzcxakFsS2JHK3JqU0tNTC9mOGhRCjNCbFcxWTFzeTkxcHZLQjBpb2c1
V3VHeGhuTkhNbGlsVVlMallPcTVIK0kKLS0tIHRISitSQXBENVY3ejdYa3pXRmJ1
TVNBRXQvUmRPdlMreGtzZUNUcnM4aEkKAp/Ofix26q1eeHszIJa4yYF9ycwWodeV
216hz9YUYb9aZCoJJzGPceb/ER17yvqFHQlhgEb9EiKaH3vbIu+WRQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age13t2nnr6yukmtda6wn2uggfcj0dmwce8347y8w6xzt4yje6wlgscqnahuqm
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVC9Cd01HaWpyUm5mdTh4
Uk5mSlBLQTlydkpQc0Irakxmalg1WU92U0JjCnhFbDFNaThIVEVNMldiT3BtL2cw
UU4rNEhvTXkzWXlMWUZGeEdJaTg0WjQKLS0tIEZlWkI3SzFOT1NoQWpIM2poMXE4
RHN4RDJWWGV2ZDJzVUo1VVorNzhlMGMKCwdWOZOnibpbB5mZSCBGhj+yUZvk/vuK
hsiDo74vmsmNZ/zmN6cw60hNwhZ4NgtfXcKG8Axe+1rPUwEcrvWHIQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-28T23:33:14Z"
mac: ENC[AES256_GCM,data:c7YytaXdAPQmCiZHH2cojJqcZna2ilGXzpnkgxgYUOSQ0n3tryOK45uVp2JDN9OJ9gS5QsLf62AlqidE0wkYYuRC6HZnwhmlMuoY3kl2sr0/Y4kJqGeODRlZoGzUIOahHkphK1Y5GBs8GW6OYk46U54wi9+BF062pYxuOCoPwD4=,iv:ZLueZpRdaD/7uvmimDUELCAtM3e9169vmoXcHz4OKfQ=,tag:Ya8tMbUBhuypXJeZ8GQmWA==,type:str]
pgp:
- created_at: "2023-01-28T23:37:44Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=t11j
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.7.3


@@ -1,21 +1,13 @@
#ENC[AES256_GCM,data:oyFG9fCzJH8yLB0QY78CVOcYO6Ttp/ARqtIcXwWGYOvL6nW+yLcakrdmVA96sR5toywb32aW,iv:7o3FI0cI6GHCwmQfLYh2iAVr8sELOMoxGSzE5qvuAaI=,tag:z9F1c4dOIiy2FtKpBwm5wg==,type:comment]
#ENC[AES256_GCM,data:nhDznFCozGpXdYBfumLyhp7TnA7C/IqBCpHJ,iv:3AZN6iVBha8Qh5/X6Yn/5JWsGhDXlE/zdUh1CcO7fQc=,tag:59DaAyKTOmkKty4eyFWFqw==,type:comment]
#ENC[AES256_GCM,data:vQu+AG19Vy94xxwj196G2uk9,iv:YJGBvoMgOngjn/TeuXeoU82daRvJDxvCQMYb3XCPlw0=,tag:fU6ZhhmAh0yh3/QuXbCNkQ==,type:comment]
#ENC[AES256_GCM,data:S1UOENn/ewhw8Pb9CmKp,iv:jafOhkCoiTm5HXQ/S611L4VlQFa1Wqr5WIIRzLQm3i0=,tag:6CQ+Y9E/FxWN8K+D9J7+Fg==,type:comment]
#ENC[AES256_GCM,data:lHHmoCHyP2Tc3waRGeMPEasQiv5+,iv:W6SSFpeWBfTBOEDo4P9hox39eoAiO40Ay4T3QeiI9Tw=,tag:9bLbcEZ9/B1QolDettwcfg==,type:comment]
#ENC[AES256_GCM,data:DrF4XHSd8QAWn5h1xEGGpDKMQcLF,iv:nPCBbThQh/Aa+uccKJtmiCXSvoJKHxZMJ42yFkV+hi8=,tag:3l50mMn7cPoCnjPcHv1+Vg==,type:comment]
#ENC[AES256_GCM,data:ADUhFzufaR2xXNOLgiXKu5Cd8Zx3waYeZiLF,iv:WMK2gJwplf6r/EdijrvrOBHgPL57W+UMIQ8dBPp/DBA=,tag:E/q/ccAd7UH3BV7nut6Slg==,type:comment]
#ENC[AES256_GCM,data:IVFSM6VOWnR0YDRfecsDPlYr,iv:Jxe8pq3lxw5QUGKyspB8tWSquDSMo3mAJBAsQGKxSec=,tag:7bffwY98iTX4/De0coUIxA==,type:comment]
#ENC[AES256_GCM,data:pHSDnojWTLYXIKk=,iv:ph2xCpxbP3OiWm+B/MDboykPa2gtCWpP0b3j96YCDh4=,tag:u5hmvxHaa/m8GaSeYvONmg==,type:comment]
#ENC[AES256_GCM,data:Q0fCyyP0DJqUyJPo,iv:qwBE3c2VqF52Yq8POXhy2Qv2xJd82wL1aX4eVY6wL1w=,tag:IwmbD7XqIkemOTODBKpS0g==,type:comment]
keys:
grafana:
secret_key: ENC[AES256_GCM,data:+WoAJbDBEgKs0RoHT+7oEELAVQ+/2Xt+5RTMSXg23moCqVRx+Gzll9P5Drw=,iv:AkRn/Y20iEe5i1T+84wAgLCTFtAox2G3giyawAkltAw=,tag:BZbt5Wb5lYLIJBm/pfP4GQ==,type:str]
admin_password: ENC[AES256_GCM,data:ttKwfC4WuXeL/6x4,iv:x1X+e3z08CR992GzC62YnFIN7SGrE81/nDNrgcgVzx0=,tag:YajUoy61kYbpeGeC7yNrXQ==,type:str]
postgres:
grafana: ENC[AES256_GCM,data:D6qkg98WZYzKYegSNBb31v8o+KHisGmJ+ab5Ut7EMtsJz36kUup5RS4EbtM=,iv:rfE1uH1QycKMTpSq2p1ntQ2BIvptAh2J3l/QcQhiuLo=,tag:QxmGFcekjFRPf6orN86IxQ==,type:str]
postgres_exporter_env: ENC[AES256_GCM,data:8MEoikoA6tFNm9qZbk0DFWANd7nRs5QSqrsGLoLKPIc1xykJaXTlyP5v8ywVGR8j7bfPs4p6QfpUIWK8CCnfQ1QhsFPXUMksl8p+K+xuMakYZr9OoWigGqvOHpFb9blfBN1FBdRrk38REXWAMUn74KSRI9v+0i5lpC4=,iv:anpjWVUadKfSAm9XbkeAKu+jAk+LxcpVYQ+gUe5szYw=,tag:4tzb/8B/e1uVoqTsQGlcKA==,type:str]
postgres_exporter_knakelibrak_env: ENC[AES256_GCM,data:xjC7DGXrW2GIJq8XioIZb+jSe/Hzcz0tv9cUHmX/n1nhI+D64lYt+EKnq1+RX/vJzU4sTaKjveKBh88Qqnv6RQm+MZC//dIxcvnnAdl50qnHZyBCaFFEzSNI8I8vGyArMk8Ja72clBq3kMpUz/pLBP0qDrjblKDoWkU=,iv:ZW98hJy8A5t4Oxtu17R3tM7gou183VLbgBsHA8LFuJY=,tag:VMOvQz3X/XDylV1YFg2Jsg==,type:str]
hello: ENC[AES256_GCM,data:MmbRxfMJf9sbqseEeSWnlGI1/4zmAdlb8ZxWCvOttJ3OlYe4Nng46SCtcSDOQA==,iv:KiD5smLGdIbMg62Q+h/9Gz7ROMdOe2CA02na/f081FM=,tag:tjdO1AzwvQWFR+JGuy4PQg==,type:str]
example_key: ENC[AES256_GCM,data:yAaiu+Rpb4377U8YIQ==,iv:OE4cpTlEVNE73y6bc5TGQvAnYU8P2c2hqnMFxzL0PHI=,tag:G7D5TJdEA+F9UwaIFKC0KA==,type:str]
#ENC[AES256_GCM,data:sGYwXL05D45kmWboJUPzjg==,iv:4nOP8F7kGGl6HhuV5Jxjol12pc3f6UO+pp+IcgUrjGU=,tag:tIf9ozHCOBeDprjEv98F1Q==,type:comment]
example_array:
- ENC[AES256_GCM,data:UQ5w4scNH8E49iQo7gM=,iv:dLT/JlTWvscnYre9g9s3YgznNuvdWDyOFozxW50zdWI=,tag:jqtV8Ebfm4Y4ayIIuYGoeg==,type:str]
- ENC[AES256_GCM,data:Zfm0FeuICoe4mrSoMRM=,iv:I/IakhKYtIclPQBA8nuAouuGylzCR/RbQLSWNWBQZYs=,tag:V1/WomLShKX0yaXkBQW0rQ==,type:str]
example_number: ENC[AES256_GCM,data:9wZEFB7/jOt11Q==,iv:5RVyKZe3D9BgRDDMsxUsMMKdVA5B3Ekm2G4WWt/1EuY=,tag:MSIbensfrWKU1d/XbcNtvg==,type:float]
example_booleans:
- ENC[AES256_GCM,data:LLg+sA==,iv:WQSKdlEaQCjdrsSYz0P+pdRD/pl3QMa01d8XV/EZUzY=,tag:QIH98LcUyPXDvs36XPbyxA==,type:bool]
- ENC[AES256_GCM,data:9ZQqdg==,iv:wWRmZ0nQg76sAKiPfGUX0KG/p41VnTc1wmANv4Wt2+w=,tag:3vmvuMDTZSEeZBpAE2soAA==,type:bool]
sops:
kms: []
gcp_kms: []
@@ -25,52 +17,23 @@ sops:
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrN3lJM2xWTUZ3UkRBaENI
VmJiWDlQbHd0VUNYdllPdURyQmUvL3lKMzJzCkZlRFVxbmNLOVNqUFg1akJQQlBP
VmdOMUdjZ1M4U2lLVEpGaGI5NjNTR2MKLS0tIDRlQUtucEZhZmRYbmpadVdKK01v
cWxCQlBRR1VaZTBDQnkzNGE0WGttWm8KK5s/coWNsdCP5lKQ8LMK7/3ku179+Lg1
4ujTVn4LhvXy6JvgGTWS/UbMmJjJebVxkulzf5St3YMMs2mcIYjOtA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDM2RidW9wYUVHWHhFTmM1
c1BIazd5MTRMU3dRNEFyWHIxMzhNL21VNURZCnkzKzNNbXgrcmJtNFZjSHQyWHN1
aEpjV1dQVmJTb2F5YXJWazMxTmJUYTAKLS0tIDNRUVlTR1p3eEtRYkVMcjlYS3Ir
bWhUaDA1eTJRTGpEb3FmSTlPTFY4c3cKrrQcomMURB9dqT+aAkWbFMzMqB3AIvEl
t9Fd5puhhto5/SInssCxpH1p4kbqQZWMfDqE+eFFs2whDVuoiM/Tlg==
-----END AGE ENCRYPTED FILE-----
- recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSa25taGsxdlhrUS96cXBi
cUo3WDVmdEhKN256THJhS2tHSitDRkVraDJNCmhGZzlFUDFkN0JKNkFWUlVLVzcz
MjFhcDdmcmpxdTA3V3JRREFNVmNUbEEKLS0tIFNSU2xNZzN2Y1ZzR2hFM0dOK0Zy
Tmk4bXd0ZHhPemxDSDREb3IvSjFza1EKsjtC6J3kYGRe8oLAoUZmg1BUmpkMyC98
uYq+IQmfJt48R/MKDei00j1w3zIK5+E5GU4o8+jILzwfpzYUUZWwiA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNkllWlY4L251Z29qOEVX
Vmh2YU5BNVhwbXhDaEpYcXoxY0hCOHhPYXdNCjROQ2piWFQ2MWYwbnF4cFdKS0tv
dFUveEsrQVRpT1REQ0hib1pla2R5RkUKLS0tIFJOSXNaZitxbWk1cHNGc1k0Zk9m
NHU1elF3L2ZRZlVJZTdZU01qNER4a1EK+pvM24FDok4lbbailCspaA1vsZrtsumH
c8uHITgStobUmdqsdv9ta8gpar0nZ66N0kztyhW15sJh1vZY8Guxxg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPb09qTTc4cjRMcjIzRmxu
RzZWTDBNTGdvaEc2VFJPakYvakRMK1RnS1FnCktHRVkwZGlUUXl4UTBRcGxMQzdn
QVBCYVdlWEw5NW9tNytJTGIzRlpwa0UKLS0tIGdDdUtFMUgyT0phMXBxZE41Y1h4
a2hQVVprakt5NURpNXdQUjREczJKWTgKn60yrLqco9brlqigAolO8rEkww9z3y3u
KmefLVZCGfoko+fnKLVE9UKFS/tAowqgPS1qE76u1Mmkk6yqZoG9rg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-26T00:16:54Z"
mac: ENC[AES256_GCM,data:T13TG5fwXgAXUD4I8yIsdUQTA4MKZdEWkpVP1H734YBt5c0J0FJ5Ppxvf1n3hPcC6dcyCJ1NonbmmDBeKn0JUlxTlrK645O33RHLHlsMZGVijYyLyvxCxGo22SfdT2OdPv7tggyat9Cpd9bVLd7YdhPxTYDnZ3eNbIwx+5Fnw48=,iv:bYz6k1f30nlCjOuTRu3F2OE9iQIMd2eBGezXQx901zE=,tag:GHGGNlNg+huP6F3uyrbncQ==,type:str]
pgp:
- created_at: "2023-01-21T19:52:08Z"
enc: |
-----BEGIN PGP MESSAGE-----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=rri5
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
lastmodified: "2022-12-17T20:25:20Z"
mac: ENC[AES256_GCM,data:KKo9xz6vQHKH6tIiU9cTA4ngwbyqeX33QwvJq5dDCJlEDm5CA+akD5Wsqyp+rGuIjiIDi01eRUONA0YRG4DcmmcRWlnmA9hrBfRWJKtV/0gR+yeYCuY95J9twu3pbOODCyMdcLJqB0tLmyqWGHowNk+mIhEw/a+kxZX+kiB8ilY=,iv:3uHmBVnuaTvnNbdtii++8FzFS7SrsO2inTBtzXmhBhU=,tag:OqpHlELdpn6mlUB544HdmA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3


@@ -1,69 +1,57 @@
matrix:
synapse:
dbconfig: ENC[AES256_GCM,data:R7y+867fwnVXHaknUj9RpBtkEATfUo9AoaNId/ODLkHCJyQP1761pJLqeSkQTZAnzZxqACYorV0P57tEQ5bE0aKLOL7tSClx82x7Tki0MiWME4FgxJC2fQk/vP0Ca2zufnw0s697zkfsnyx/1pjjo69amXc207NXAHCtxXO0ztWp0Q==,iv:BsbOLl/hlQIjOLnik8lZWO3+jhMEZ//fisxLon7HdE0=,tag:6sv6ySztGbxAgn+WV0I5NA==,type:str]
turnconfig: ENC[AES256_GCM,data:eyUQID6nHiMH1cm418ItI3DEAjAPoR9NR7DvhfYCTvYM1LyHKVg=,iv:Jz7LEOUwTI8LCMOKqB2vN/0Zs+S0IJkHY3wpAC0q5YI=,tag:4SImxB+5JI8VtsZVy0cYIQ==,type:str]
user_registration: ENC[AES256_GCM,data:qWtVuNc0YWetsVVtXt+nlaUPq7QzbsDIb+KV2jgEfLZXU/h+vS0PL+k=,iv:72fvhUo3Bhvxj9A16sTL3teLKA0tGEk7pbgKoooOJSo=,tag:Q5vl2+ZJZqtcmMH+tNqVag==,type:str]
signing_key: ENC[AES256_GCM,data:3EeV+9X9TtqhBL7QyULTS7tNyH7ayhe88B7UtNZ/TMlQSW2E1WtSVEecqs+097A1SmdKoYVr6iz0ew==,iv:TDfAdYROu7o7FIwn6oOs60surQ7zFy0+9bqhx8LtwXg=,tag:8MpNBw5TbDMxXHF9+tmZfQ==,type:str]
dbconfig: ENC[AES256_GCM,data:a0Bq2ilDZM0GddHZS1WcaSY3kdFDbau4BNMu+rumisYZy5/VQOE6LT/gq3vdwH2T7D3r1/cj7YSRcdjq+SRYHiJ9xgb1m3tx+ZlvNrY8PMaYvtmOpMoXyYlJ2iT7/IiMk5UW50cSZEcww7zS8NknZMzjiNEq3+D88J57J6WRmQqj/w==,iv:BsbOLl/hlQIjOLnik8lZWO3+jhMEZ//fisxLon7HdE0=,tag:WqMGflg5+Sh2zx5QFnjy4A==,type:str]
turnconfig: ENC[AES256_GCM,data:lHySrJUpQKAUXsl9LzYlxu4YSCz4qJF6MRLr+LprTEdhGvrnk7U=,iv:Jz7LEOUwTI8LCMOKqB2vN/0Zs+S0IJkHY3wpAC0q5YI=,tag:8KR7duN+Qqpl6B40hSEndw==,type:str]
signing_key: ENC[AES256_GCM,data:6RDZWsrRKDGTefIeZZ6UVlcoqVV3fdRas/sox4WkEgtouCh7lwwrSzpuM5R1H0cNVxA/8wBsaHG1xQ==,iv:TDfAdYROu7o7FIwn6oOs60surQ7zFy0+9bqhx8LtwXg=,tag:RNzcTYkDuyz6nz2z43CJwQ==,type:str]
coturn:
static-auth-secret: ENC[AES256_GCM,data:bDVbTU3QaanU0fPhQF4Fil4=,iv:MVoFWgqHm88JXaCYa5l57SkX3fSmP97Z7IzvwumHWY8=,tag:ZX121OshXiLC6eRxz2Be0g==,type:str]
mjolnir:
access_token: ENC[AES256_GCM,data:z+BG3nJyUTrJJq0eGNzT3tFatKXffgBzg3E608pqBaPvtJYsnEy4mo1vZig=,iv:VGdnprNYOArhLdY38B1BO/V9YiYGZEy39gnJyh8atgY=,tag:qJ+UryjNPTH0F6ZP5JJlEw==,type:str]
static-auth-secret: ENC[AES256_GCM,data:tPz4GUvJwB2osO2vwyyThms=,iv:MVoFWgqHm88JXaCYa5l57SkX3fSmP97Z7IzvwumHWY8=,tag:af7Qs4qiSYQ/OBLJbZGk2A==,type:str]
registrations:
mx-puppet-discord: ENC[AES256_GCM,data:nvWSaZ4we8BD50Op/bZMrlMXGBwzvG3IXGPGJe2paCZ10tTm9v4+aYGYhILNhcQM095AD9KdEJ44TAyPxZ/c5iYLqb/LJzEpa5X2jKoiF6r7PjNFGevKQs7fzJk4Y9MxHwZ2KJT+uHjtXF8erJvFDs3S3WgmuAQW1U9b5fYQNc4ZF0tY+BsWU2ehqMejpx7w93TkcIiZY7Uoj4kPMEp8aI6v/7VPIjM9g7b+R5KGZ1/yIpiNCzZuT+x2mxCtqGfbOynWON8PaCIojp7sbLaRWhX2bd4GG2wP3T5MsgwjJzQSfyXjK1Dyxzr8fVmh0R2mJoZHTYNQLLwYncLwqXQEHr6tXNWPTwxPslW+BdLsp/8//m0F04vUf4Z0dbf22NSaPkH9GdRLB3zXh07VxqG+B7OvAjDULHUmA5uwgtZq9h0G73TWDJ8U75eAxrTdsgQgmIsyhpLljFW2QSnOPL/93ieovh5qRgXjgyqrljDOkB+fhC0gdQalPeBM8l5zPI8aaJsVp/l15rx4nUIrFka0g+v+SRhAIPtQAKA=,iv:3gzyGz7T9PK/J92X46YXYT98bpTnx1uPiiwXuls/kOA=,tag:Vm+zNmA53HIb2dP8FIgP6Q==,type:str]
mx-puppet-discord: ENC[AES256_GCM,data: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,iv:3gzyGz7T9PK/J92X46YXYT98bpTnx1uPiiwXuls/kOA=,tag:O+bfssIhPDSKRCpv0YPxTg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXY29wUXJnMURlWk4rUTRh
alZsb0xSTlI2MFFTb3B4dzhDT2l5M1pLMWg4CkgzT1h0VHBMTTNhRTJRNEZLWWlk
dyt0aCt0c3NTR1ovS1FIM1VBTW9Ha0kKLS0tIHN0eDNqbzJXQUZFcTFGaFEyME5t
djJpWDlRNGhGemZXR0tMc0RhYVZpMWcKG/Airf45TgfJ82vPfXxMLtRRLPvZR/Iu
teoToXtddxFVY675nFy0gfq9P21qHJ7MvTYwVBhQAT/TitTZ/q2u9A==
-----END AGE ENCRYPTED FILE-----
- recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQnlmMVE1aDRycXNmclk4
OWgyQzhDdzJrdlEvL2NzeURoa3hZa3lEMzJJCk11ai90L0ZGd3U2VUhHdm1mQ1VC
eCt0WjVKVEt0N0tkRHl1QW4vRWdtMG8KLS0tIEVjVER2QXlIbnZXQUNONzlGbnRl
dDZ4RGFqaktTZ05yNjhqUlhqQmpBcncKTSSe5rZhV/+tsgk3xlV7nEphS8qhxucz
0O1J0U8FEdyfrwF2AOobsf4YIgtTrb20gyXsTdPwIbsQToJ+YqVAgQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3K29HWS9ZRWxpbzQ3d1V2
OEZwYjA5eEE1Z0YrM1o0YnlGbGt3QmQ2YkdBCkpnZHN1TE45dWxqY3lndjBYcWVQ
cFdoUi9WaVNibndWdTcwTDRiOTBtWXMKLS0tIGNIYkdIZWo4cUlrM094Qi9KTnJa
ZXI1bnZlbmZZQ2dvLys4YllYRG9jNlkKn2UbGP+TOUU5+Q3OQuZTQvr8S5oDX/aN
a7iaQn2z/Y5M3tGvFBOiaWZjqtoCHgtZL56LKAaF60yLeUIPnKylbg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
- recipient: age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxeDVwdHEvUk1JTW9FSkx2
VmlxejM0ZkJmZ3JkemQ2cnkvenY2ZmRJRFZzCmFHbUJzZ0VjYWZuelZHei9SWUo2
bjhPSUNrRW5JTWhVWnRzOU9sY25BMlEKLS0tIDF3M3ZFei9qczdDaGVsV0hrTWVU
NktTc2Y4ZDV4VGlza1FVdXBQUUVPZUkKYs9b4a+yAzI5kpv0X5/Ogg8sH0zdTim7
fXnkXZfAJ9oL/0qjVzFZA3j5aQX0xKMffSE/SFcQxUY2sISnwh1Tfw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBISzh3QmlzempEMDNsaTQy
bGxFZlNLdURhY0NzcjhjdlgzZlFxV0R6cURnCnhqRUlpcFNPUWd0YmF6TjYvK0t4
UDVlcFFTbDByTkRZTW9ITC9yVVlzYUkKLS0tIGtkWHF4enhrK004RG00NUt5ZlND
TFBiblFGNkdHZkk1L2RXdkpHSGQ1U2cK/mBTDDHOWSGZRflIsxOyDWShQH2EILJr
jCrLGbIaGgphIgLCHVmMV8QLRPK+8f9t8KZg7sczRViuDwZsAx5vPA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-02-13T00:12:03Z"
mac: ENC[AES256_GCM,data:FolV94dIwYSL5r1ZHTPdmqMKVTAhrnePG+5M4S1H/wBYbED3sr6oPPmmxwiwm5E4K0YR1+ou4yR/vGTV3lfRdxIGWhfAT0WW8WGTZVIlcJCEk5H7Rels6rkma12BCjZ1zOGjZZCcFTm+4NI2KNv+zTc29zry4539jkkxk+8Skog=,iv:KBxSFVaFI3S5J9xG2Lc7FINUI8TRKxPtrbP3f2wXkHo=,tag:TWAtix03ZnB71+O7cF8b4A==,type:str]
lastmodified: "2022-12-09T05:16:09Z"
mac: ENC[AES256_GCM,data:MSKUQkCDCEOcl9Eh2VH9ccZ3Ux0eIyJFyjFVaJZ5WQA4fIB1J6Y/EoK/q7iaLFIH8YkeVPIvXVu9eCXjIyQkSugJwQXk+gSFtssjegUBTcZkRJJ0Lo48IWO4yVFXnDYzyFjcgH4TBmL0uco3BkWHfLHR46fQUJIco9yYlVKtsFU=,iv:d3uWCTVV8o1Nx6WJCF/YQHOeGjTzJk6xaDxMTWeUINU=,tag:KOi1naN2Uhe0NcMl6oW/6A==,type:str]
pgp:
- created_at: "2023-03-26T11:12:37Z"
- created_at: "2022-12-17T23:05:08Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ/9GHLOAfLgTqVmfJACvt9xMqlzfrXyiACTJg+J5BD8hEtn
oe2clo/fO9u6df42hk/szQTQH4rJULdxvUNiBzYS0XbWCa+iWzpiOPN+bQZKoV3X
U4sFrHMT0ledUg62rlTbOmqpvLivoP6//DEqHAWl2weUvpplBRFzTFwICo+2+Jjo
18dzdYyBa5sxJ/KZKUoNsxRaCFgXs5L6qTuqzmZpnhnH1pKNW3D6e6Hfb0BmebUy
wt5NgxWJ/4dHFK84i93E1vxPbSusvQ++6JCSWgZtOwZJehnz5AeHgdDBzcHeJY8O
Idq+QrvRsqjisDNvd7blmBleup1Ai0l/CzEtTEYd/h/QipaT1rVaPOP4H/lnHZmO
f0HWGxhPCDfiuLK43DBExrj1QUq4LVUZf145fRGMWZfHtlzHM+4dY+/ijyUi7pFY
cenrE3/Iz8gaUWqRdaYqK/O/vrHq/siUS8IiWY53ALUF+DlBMuRrtc76T/fkSKbR
LuO7MnOnNyBy5HT+MQii1Tat7ODtPXlky+N5leVQQVAUMHrI6ETWAQlctBjDZXyT
UzXh8WVT+pijxNYDqUVMJ4d43AuHKayf2m0PftOZv+Q8n5ZqwUoQN6WbpsLvDFTU
4XweZaChhoq4K68o6vpOb5b7x+vlisiL2j+kYAgMjlWk1vkDY/GsHY8USi0Rj17S
XAGAULPvLDP+ohieT6dP2xLvzu4ghrySCTF6LjQ9sN2gHWfcV2FVw+anA3mxOLGK
P4hOgPPfiP/0O9H0KSHq0gXjhBkackFVAOPixvSAJdvkooVW+PisHjl59Jd6
=exZj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=
=EVJD
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted


@@ -1,23 +1,9 @@
{pkgs, ...}:
{
users.users.oysteikt = {
isNormalUser = true;
extraGroups = [
"wheel"
"drift"
];
#extraGroups = [ "wheel" ]; # Enable sudo for the user.
shell = pkgs.zsh;
packages = with pkgs; [
bottom
exa
neovim
ripgrep
tmux
];
openssh.authorizedKeys.keys = [
"ssh-rsa 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 h7x4"
];
};
}


@@ -1,46 +0,0 @@
# Feel free to change the structure of this file
let
pvv-ipv4 = suffix: "129.241.210.${toString suffix}";
pvv-ipv6 = suffix: "2001:700:300:1900::${toString suffix}";
in rec {
services = {
matrix = {
ipv4 = hosts.jokum.ipv4;
ipv6 = hosts.jokum.ipv6;
};
# Also on jokum
turn = {
ipv4 = pvv-ipv4 213;
ipv6 = pvv-ipv6 213;
};
};
hosts = {
gateway = pvv-ipv4 129;
bekkalokk = {
ipv4 = pvv-ipv4 168;
ipv6 = pvv-ipv6 168;
};
jokum = {
ipv4 = pvv-ipv4 169;
ipv6 = pvv-ipv6 169;
};
ildkule = {
ipv4 = pvv-ipv4 187;
ipv6 = pvv-ipv6 "1:187";
};
bicep = {
ipv4 = pvv-ipv4 209;
ipv6 = pvv-ipv6 209;
};
};
defaultNetworkConfig = {
networkConfig.IPv6AcceptRA = "no";
gateway = [ hosts.gateway ];
dns = [ "129.241.0.200" "129.241.0.201" ];
domains = [ "pvv.ntnu.no" "pvv.org" ];
DHCP = "no";
};
}