felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-02-21 09:27:51 +01:00
Code Issues Projects Releases Wiki Activity

nixfmt

Browse Source
This commit is contained in:
Vegard Bieker Matthey
2026-02-20 18:18:09 +01:00
parent 18167dca0a
commit dc8a6c8c71
127 changed files with 3804 additions and 2402 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
hosts/bicep/services/calendar-bot.nix
View File

@@ -1,7 +1,14 @@
{ config, fp, lib, pkgs, ... }:
{
config,
fp,
lib,
pkgs,
...
}:
let
cfg = config.services.pvv-calendar-bot;
in {
in
{
sops.secrets = {
"calendar-bot/matrix_token" = {
sopsFile = fp /secrets/bicep/bicep.yaml;

135
hosts/bicep/services/git-mirrors/default.nix
View File

@@ -1,4 +1,10 @@
{ config, pkgs, lib, fp, ... }:
{
config,
pkgs,
lib,
fp,
...
}:
let
cfg = config.services.gickup;
in
@@ -20,79 +26,88 @@ in
lfs = false;
};
instances = let
defaultGithubConfig = {
settings.token_file = config.sops.secrets."gickup/github-token".path;
};
defaultGitlabConfig = {
# settings.token_file = ...
};
in {
"github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
"github:NixOS/nixpkgs" = defaultGithubConfig;
"github:go-gitea/gitea" = defaultGithubConfig;
"github:heimdal/heimdal" = defaultGithubConfig;
"github:saltstack/salt" = defaultGithubConfig;
"github:typst/typst" = defaultGithubConfig;
"github:unmojang/FjordLauncher" = defaultGithubConfig;
"github:unmojang/drasl" = defaultGithubConfig;
"github:yushijinhun/authlib-injector" = defaultGithubConfig;
instances =
let
defaultGithubConfig = {
settings.token_file = config.sops.secrets."gickup/github-token".path;
};
defaultGitlabConfig = {
# settings.token_file = ...
};
in
{
"github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
"github:NixOS/nixpkgs" = defaultGithubConfig;
"github:go-gitea/gitea" = defaultGithubConfig;
"github:heimdal/heimdal" = defaultGithubConfig;
"github:saltstack/salt" = defaultGithubConfig;
"github:typst/typst" = defaultGithubConfig;
"github:unmojang/FjordLauncher" = defaultGithubConfig;
"github:unmojang/drasl" = defaultGithubConfig;
"github:yushijinhun/authlib-injector" = defaultGithubConfig;
"gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
"gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
"gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
"any:glibc" = {
settings.url = "https://sourceware.org/git/glibc.git";
};
"any:glibc" = {
settings.url = "https://sourceware.org/git/glibc.git";
};
"any:out-of-your-element" = {
settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
};
"any:out-of-your-element" = {
settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
};
"any:out-of-your-element-module" = {
settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
"any:out-of-your-element-module" = {
settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
};
};
};
};
services.cgit = let
domain = "mirrors.pvv.ntnu.no";
in {
${domain} = {
enable = true;
package = pkgs.callPackage (fp /packages/cgit.nix) { };
group = "gickup";
scanPath = "${cfg.dataDir}/linktree";
gitHttpBackend.checkExportOkFiles = false;
settings = {
enable-commit-graph = true;
enable-follow-links = true;
enable-http-clone = true;
enable-remote-branches = true;
clone-url = "https://${domain}/$CGIT_REPO_URL";
remove-suffix = true;
root-title = "PVVSPPP";
root-desc = "PVV Speiler Praktisk og Prominent Programvare";
snapshots = "all";
logo = "/PVV-logo.png";
services.cgit =
let
domain = "mirrors.pvv.ntnu.no";
in
{
${domain} = {
enable = true;
package = pkgs.callPackage (fp /packages/cgit.nix) { };
group = "gickup";
scanPath = "${cfg.dataDir}/linktree";
gitHttpBackend.checkExportOkFiles = false;
settings = {
enable-commit-graph = true;
enable-follow-links = true;
enable-http-clone = true;
enable-remote-branches = true;
clone-url = "https://${domain}/$CGIT_REPO_URL";
remove-suffix = true;
root-title = "PVVSPPP";
root-desc = "PVV Speiler Praktisk og Prominent Programvare";
snapshots = "all";
logo = "/PVV-logo.png";
};
};
};
};
services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
locations."= /PVV-logo.png".alias = let
small-pvv-logo = pkgs.runCommandLocal "pvv-logo-96x96" {
nativeBuildInputs = [ pkgs.imagemagick ];
} ''
magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
'';
in toString small-pvv-logo;
locations."= /PVV-logo.png".alias =
let
small-pvv-logo =
pkgs.runCommandLocal "pvv-logo-96x96"
{
nativeBuildInputs = [ pkgs.imagemagick ];
}
''
magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
'';
in
toString small-pvv-logo;
};
systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = {

47
hosts/bicep/services/matrix/coturn.nix
View File

@@ -1,4 +1,12 @@
{ config, lib, fp, pkgs, secrets, values, ... }:
{
config,
lib,
fp,
pkgs,
secrets,
values,
...
}:
{
sops.secrets."matrix/coturn/static-auth-secret" = {
@@ -127,18 +135,31 @@
};
networking.firewall = {
interfaces.enp6s0f0 = let
range = with config.services.coturn; [ {
from = min-port;
to = max-port;
} ];
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [ 443 3478 3479 5349 ];
allowedTCPPortRanges = range;
allowedTCPPorts = [ 443 3478 3479 5349 ];
};
interfaces.enp6s0f0 =
let
range = with config.services.coturn; [
{
from = min-port;
to = max-port;
}
];
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [
443
3478
3479
5349
];
allowedTCPPortRanges = range;
allowedTCPPorts = [
443
3478
3479
5349
];
};
};
}

19
hosts/bicep/services/matrix/discord.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, fp, ... }:
{
config,
lib,
fp,
...
}:
let
cfg = config.services.mx-puppet-discord;
@@ -44,7 +49,6 @@ in
];
};
services.mx-puppet-discord.enable = false;
services.mx-puppet-discord.settings = {
bridge = {
@@ -52,16 +56,21 @@ in
domain = "pvv.ntnu.no";
homeserverUrl = "https://matrix.pvv.ntnu.no";
};
provisioning.whitelist = [ "@dandellion:dodsorf\\.as" "@danio:pvv\\.ntnu\\.no"];
provisioning.whitelist = [
"@dandellion:dodsorf\\.as"
"@danio:pvv\\.ntnu\\.no"
];
relay.whitelist = [ ".*" ];
selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
selfService.whitelist = [
"@danio:pvv\\.ntnu\\.no"
"@dandellion:dodsorf\\.as"
];
};
services.mx-puppet-discord.serviceDependencies = [
"matrix-synapse.target"
"nginx.service"
];
services.matrix-synapse-next.settings = {
app_service_config_files = [
config.sops.templates."discord-registration.yaml".path

22
hosts/bicep/services/matrix/element.nix
View File

@@ -1,7 +1,13 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
synapse-cfg = config.services.matrix-synapse-next;
in {
in
{
services.pvv-matrix-well-known.client = {
"m.homeserver" = {
base_url = "https://matrix.pvv.ntnu.no";
@@ -21,12 +27,12 @@ in {
default_server_config = config.services.pvv-matrix-well-known.client;
disable_3pid_login = true;
# integrations_ui_url = "https://dimension.dodsorf.as/riot";
# integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
# integrations_widgets_urls = [
# "https://dimension.dodsorf.as/widgets"
# ];
# integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi";
# integrations_ui_url = "https://dimension.dodsorf.as/riot";
# integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
# integrations_widgets_urls = [
# "https://dimension.dodsorf.as/widgets"
# ];
# integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi";
defaultCountryCode = "NO";
showLabsSettings = true;
features = {

52
hosts/bicep/services/matrix/hookshot/default.nix
View File

@@ -1,4 +1,11 @@
{ config, lib, fp, unstablePkgs, inputs, ... }:
{
config,
lib,
fp,
unstablePkgs,
inputs,
...
}:
let
cfg = config.services.matrix-hookshot;
@@ -100,7 +107,8 @@ in
};
serviceBots = [
{ localpart = "bot_feeds";
{
localpart = "bot_feeds";
displayname = "Aya";
avatar = ./feeds.png;
prefix = "!aya";
@@ -115,20 +123,44 @@ in
permissions = [
# Users of the PVV Server
{ actor = "pvv.ntnu.no";
services = [ { service = "*"; level = "commands"; } ];
{
actor = "pvv.ntnu.no";
services = [
{
service = "*";
level = "commands";
}
];
}
# Members of Medlem space (for people with their own hs)
{ actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
services = [ { service = "*"; level = "commands"; } ];
{
actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
services = [
{
service = "*";
level = "commands";
}
];
}
# Members of Drift
{ actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
services = [ { service = "*"; level = "admin"; } ];
{
actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
services = [
{
service = "*";
level = "admin";
}
];
}
# Dan bootstrap
{ actor = "@dandellion:dodsorf.as";
services = [ { service = "*"; level = "admin"; } ];
{
actor = "@dandellion:dodsorf.as";
services = [
{
service = "*";
level = "admin";
}
];
}
];
};

24
hosts/bicep/services/matrix/livekit.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, fp, ... }:
{
config,
lib,
fp,
...
}:
let
synapseConfig = config.services.matrix-synapse-next;
matrixDomain = "matrix.pvv.ntnu.no";
@@ -20,10 +25,12 @@ in
};
services.pvv-matrix-well-known.client = lib.mkIf cfg.enable {
"org.matrix.msc4143.rtc_foci" = [{
type = "livekit";
livekit_service_url = "https://${matrixDomain}/livekit/jwt";
}];
"org.matrix.msc4143.rtc_foci" = [
{
type = "livekit";
livekit_service_url = "https://${matrixDomain}/livekit/jwt";
}
];
};
services.livekit = {
@@ -43,7 +50,12 @@ in
keyFile = config.sops.templates."matrix-livekit-keyfile".path;
};
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (builtins.concatStringsSep "," [ "pvv.ntnu.no" "dodsorf.as" ]);
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (
builtins.concatStringsSep "," [
"pvv.ntnu.no"
"dodsorf.as"
]
);
services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
locations."^~ /livekit/jwt/" = {

7
hosts/bicep/services/matrix/mjolnir.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, fp, ... }:
{
config,
lib,
fp,
...
}:
{
sops.secrets."matrix/mjolnir/access_token" = {

9
hosts/bicep/services/matrix/out-of-your-element.nix
View File

@@ -1,4 +1,11 @@
{ config, pkgs, lib, values, fp, ... }:
{
config,
pkgs,
lib,
values,
fp,
...
}:
let
cfg = config.services.matrix-ooye;
in

7
hosts/bicep/services/matrix/smtp-authenticator/default.nix
View File

@@ -1,4 +1,9 @@
{ lib, buildPythonPackage, fetchFromGitHub, setuptools }:
{
lib,
buildPythonPackage,
fetchFromGitHub,
setuptools,
}:
buildPythonPackage rec {
pname = "matrix-synapse-smtp-auth";

8
hosts/bicep/services/matrix/synapse-admin.nix
View File

@@ -1,5 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
# This service requires you to have access to endpoints not available over the internet
# Use an ssh proxy or similar to access this dashboard.

7
hosts/bicep/services/matrix/synapse-auto-compressor.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, utils, ... }:
{
config,
lib,
utils,
...
}:
let
cfg = config.services.synapse-auto-compressor;
in

145
hosts/bicep/services/matrix/synapse.nix
View File

@@ -1,13 +1,23 @@
{ config, lib, fp, pkgs, values, inputs, ... }:
{
config,
lib,
fp,
pkgs,
values,
inputs,
...
}:
let
cfg = config.services.matrix-synapse-next;
matrix-lib = inputs.matrix-next.lib;
imap0Attrs = with lib; f: set:
listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
in {
imap0Attrs =
with lib;
f: set: listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
in
{
sops.secrets."matrix/synapse/signing_key" = {
key = "synapse/signing_key";
sopsFile = fp /secrets/bicep/matrix.yaml;
@@ -23,7 +33,9 @@ in {
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
content = ''
registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
registration_shared_secret: ${
config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"
}
'';
};
@@ -68,7 +80,7 @@ in {
signing_key_path = config.sops.secrets."matrix/synapse/signing_key".path;
media_store_path = "${cfg.dataDir}/media";
media_store_path = "${cfg.dataDir}/media";
database = {
name = "psycopg2";
@@ -110,7 +122,8 @@ in {
password_config.enabled = true;
modules = [
{ module = "smtp_auth_provider.SMTPAuthProvider";
{
module = "smtp_auth_provider.SMTPAuthProvider";
config = {
smtp_host = "smtp.pvv.ntnu.no";
};
@@ -183,61 +196,79 @@ in {
services.pvv-matrix-well-known.server."m.server" = "matrix.pvv.ntnu.no:443";
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
{
kTLS = true;
}
{
locations."/_synapse/admin" = {
proxyPass = "http://$synapse_backend";
extraConfig = ''
allow 127.0.0.1;
allow ::1;
allow ${values.hosts.bicep.ipv4};
allow ${values.hosts.bicep.ipv6};
deny all;
'';
};
}
{
locations = let
connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString c.port}";
{
kTLS = true;
}
{
locations."/_synapse/admin" = {
proxyPass = "http://$synapse_backend";
extraConfig = ''
allow 127.0.0.1;
allow ::1;
allow ${values.hosts.bicep.ipv4};
allow ${values.hosts.bicep.ipv6};
deny all;
'';
};
}
{
locations =
let
connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
socketAddress =
w:
let
c = connectionInfo w;
in
"${c.host}:${toString c.port}";
metricsPath = w: "/metrics/${w.type}/${toString w.index}";
proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
in lib.mapAttrs' (n: v: lib.nameValuePair
(metricsPath v) {
proxyPass = proxyPath v;
metricsPath = w: "/metrics/${w.type}/${toString w.index}";
proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
in
lib.mapAttrs' (
n: v:
lib.nameValuePair (metricsPath v) {
proxyPass = proxyPath v;
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
}
) cfg.workers.instances;
}
{
locations."/metrics/master/1" = {
proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
})
cfg.workers.instances;
}
{
locations."/metrics/master/1" = {
proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
};
};
locations."/metrics/" = let
endpoints = lib.pipe cfg.workers.instances [
(lib.mapAttrsToList (_: v: v))
(map (w: "${w.type}/${toString w.index}"))
(map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
in {
alias = pkgs.writeTextDir "/config.json"
(builtins.toJSON [
{ targets = endpoints;
labels = { };
}]) + "/";
};
}];
locations."/metrics/" =
let
endpoints =
lib.pipe cfg.workers.instances [
(lib.mapAttrsToList (_: v: v))
(map (w: "${w.type}/${toString w.index}"))
(map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
]
++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
in
{
alias =
pkgs.writeTextDir "/config.json" (
builtins.toJSON [
{
targets = endpoints;
labels = { };
}
]
)
+ "/";
};
}
];
}

7
hosts/bicep/services/matrix/well-known.nix
View File

@@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.pvv-matrix-well-known;
format = pkgs.formats.json { };

43
hosts/bicep/services/minecraft-heatmap.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.minecraft-heatmap;
in
@@ -27,23 +32,25 @@ in
"sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
];
preStart = let
knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U=
innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
preStart =
let
knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U=
innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
'';
in
''
mkdir -p '${cfg.minecraftLogsDir}'
"${lib.getExe pkgs.rsync}" \
--archive \
--verbose \
--progress \
--no-owner \
--no-group \
--rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
root@innovation.pvv.ntnu.no:/ \
'${cfg.minecraftLogsDir}'/
'';
in ''
mkdir -p '${cfg.minecraftLogsDir}'
"${lib.getExe pkgs.rsync}" \
--archive \
--verbose \
--progress \
--no-owner \
--no-group \
--rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
root@innovation.pvv.ntnu.no:/ \
'${cfg.minecraftLogsDir}'/
'';
};
}

44
hosts/bicep/services/mysql/backup.nix
View File

@@ -1,4 +1,10 @@
{ config, lib, pkgs, values, ... }:
{
config,
lib,
pkgs,
values,
...
}:
let
cfg = config.services.mysql;
backupDir = "/data/mysql-backups";
@@ -10,10 +16,10 @@ in
# };
systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = {
user = "mysql";
group = "mysql";
mode = "700";
};
user = "mysql";
group = "mysql";
mode = "700";
};
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
@@ -44,23 +50,25 @@ in
zstd
];
script = let
rotations = 2;
in ''
set -euo pipefail
script =
let
rotations = 2;
in
''
set -euo pipefail
OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
# NOTE: this needs to be a hardlink for rrsync to allow sending it
rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
# NOTE: this needs to be a hardlink for rrsync to allow sending it
rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done
'';
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done
'';
serviceConfig = {
Type = "oneshot";

22
hosts/bicep/services/mysql/default.nix
View File

@@ -1,4 +1,10 @@
{ config, pkgs, lib, values, ... }:
{
config,
pkgs,
lib,
values,
...
}:
let
cfg = config.services.mysql;
dataDir = "/data/mysql";
@@ -36,12 +42,14 @@ in
# a password which can be found in /secrets/ildkule/ildkule.yaml
# We have also changed both the host and auth plugin of this user
# to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
ensureUsers = [{
name = "prometheus_mysqld_exporter";
ensurePermissions = {
"*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
};
}];
ensureUsers = [
{
name = "prometheus_mysqld_exporter";
ensurePermissions = {
"*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
};
}
];
};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];

44
hosts/bicep/services/postgresql/backup.nix
View File

@@ -1,4 +1,10 @@
{ config, lib, pkgs, values, ... }:
{
config,
lib,
pkgs,
values,
...
}:
let
cfg = config.services.postgresql;
backupDir = "/data/postgresql-backups";
@@ -11,10 +17,10 @@ in
# };
systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = {
user = "postgres";
group = "postgres";
mode = "700";
};
user = "postgres";
group = "postgres";
mode = "700";
};
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
@@ -45,23 +51,25 @@ in
cfg.package
];
script = let
rotations = 2;
in ''
set -euo pipefail
script =
let
rotations = 2;
in
''
set -euo pipefail
OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
# NOTE: this needs to be a hardlink for rrsync to allow sending it
rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
# NOTE: this needs to be a hardlink for rrsync to allow sending it
rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done
'';
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done
'';
serviceConfig = {
Type = "oneshot";

8
hosts/bicep/services/postgresql/default.nix
View File

@@ -1,4 +1,10 @@
{ config, lib, pkgs, values, ... }:
{
config,
lib,
pkgs,
values,
...
}:
let
cfg = config.services.postgresql;
in