init ozai and ozai-webui services on bekkalokk

2026-01-11 18:08:25 +01:00 · 2024-06-05 17:15:07 +02:00
16 changed files with 126 additions and 136 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -107,16 +107,15 @@
        ]
      },
      "locked": {
-        "lastModified": 1717234745,
-        "narHash": "sha256-MFyKRdw4WQD6V3vRGbP6MYbtJhZp712zwzjW6YiOBYM=",
+        "lastModified": 1710311999,
+        "narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
        "owner": "dali99",
        "repo": "nixos-matrix-modules",
-        "rev": "d7dc42c9bbb155c5e4aa2f0985d0df75ce978456",
+        "rev": "6c9b67974b839740e2a738958512c7a704481157",
        "type": "github"
      },
      "original": {
        "owner": "dali99",
-        "ref": "v0.6.0",
        "repo": "nixos-matrix-modules",
        "type": "github"
      }
@@ -143,16 +142,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1719520878,
-        "narHash": "sha256-5BXzNOl2RVHcfS/oxaZDKOi7gVuTyWPibQG0DHd5sSc=",
+        "lastModified": 1715410392,
+        "narHash": "sha256-ltp1jQps9tym0uWNl/lTniHSQngCtNIyzlymu+ZSyts=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a44bedbb48c367f0476e6a3a27bf28f6330faf23",
+        "rev": "9f8bf7503bd85d5208575f4bd81c8b1fc999a468",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-24.05-small",
+        "ref": "nixos-23.11-small",
        "type": "indirect"
      }
    },
@@ -214,11 +213,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1718404592,
-        "narHash": "sha256-Ud8pD0mxmbfvwBXKy2q3Yp8r1EofaTcodZtI3fbnfDY=",
+        "lastModified": 1716150352,
+        "narHash": "sha256-c13lzYbLmbrcbEdPTYZYtlX2Qsz1W+2sLsIMGShPgwo=",
        "ref": "refs/heads/master",
-        "rev": "6e4a79ed3ddae8dfc80eb8af1789985d07bcf297",
-        "revCount": 463,
+        "rev": "2cab4df4b119e08a1f90ea1c944652cd78b4d478",
+        "revCount": 459,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      },
--- a/flake.nix
+++ b/flake.nix
@@ -2,7 +2,7 @@
  description = "PVV System flake";

  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.05-small";
+    nixpkgs.url = "nixpkgs/nixos-23.11-small";
    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";

    sops-nix.url = "github:Mic92/sops-nix";
@@ -17,7 +17,7 @@
    pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
    pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";

-    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.0";
+    matrix-next.url = "github:dali99/nixos-matrix-modules";
    matrix-next.inputs.nixpkgs.follows = "nixpkgs";

    nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
@@ -27,6 +27,12 @@
    grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
    grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
    grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
+
+    ozai.url = "git+https://git.pvv.ntnu.no/Projects/ozai.git";
+    ozai.inputs.nixpkgs.follows = "nixpkgs";
+    ozai-webui.url = "git+https://git.pvv.ntnu.no/adriangl/ozai-webui.git";
+    ozai-webui.inputs.nixpkgs.follows = "nixpkgs";
+
  };

  outputs = { self, nixpkgs, nixpkgs-unstable, pvv-nettsiden, sops-nix, disko, ... }@inputs:
--- a/hosts/bekkalokk/services/gitea/default.nix
+++ b/hosts/bekkalokk/services/gitea/default.nix
@@ -1,4 +1,4 @@
-{ config, values, pkgs, lib, ... }:
+{ config, values, pkgs, ... }:
 let
  cfg = config.services.gitea;
  domain = "git.pvv.ntnu.no";
@@ -22,19 +22,19 @@ in {

  services.gitea = {
    enable = true;
+    stateDir = "/data/gitea";
    appName = "PVV Git";

    database = {
      type = "postgres";
      host = "postgres.pvv.ntnu.no";
-      port = config.services.postgresql.settings.port;
+      port = config.services.postgresql.port;
      passwordFile = config.sops.secrets."gitea/database".path;
      createDatabase = false;
    };

    mailerPasswordFile = config.sops.secrets."gitea/email-password".path;

-    # https://docs.gitea.com/administration/config-cheat-sheet
    settings = {
      server = {
        DOMAIN   = domain;
@@ -42,7 +42,6 @@ in {
        PROTOCOL = "http+unix";
        SSH_PORT = sshPort;
        START_SSH_SERVER = true;
-        START_LFS_SERVER = true;
      };
      mailer = {
        ENABLED = true;
@@ -51,45 +50,11 @@ in {
        SMTP_ADDR = "smtp.pvv.ntnu.no";
        SMTP_PORT = 587;
        USER = "gitea@pvv.ntnu.no";
-        SUBJECT_PREFIX = "[pvv-git]";
      };
      indexer.REPO_INDEXER_ENABLED = true;
-      service = {
-        DISABLE_REGISTRATION = true;
-        ENABLE_NOTIFY_MAIL = true;
-      };
+      service.DISABLE_REGISTRATION = true;
      session.COOKIE_SECURE = true;
      database.LOG_SQL = false;
-      repository = {
-        PREFERRED_LICENSES = lib.concatStringsSep "," [
-          "AGPL-3.0-only"
-          "AGPL-3.0-or-later"
-          "Apache-2.0"
-          "BSD-3-Clause"
-          "CC-BY-4.0"
-          "CC-BY-NC-4.0"
-          "CC-BY-NC-ND-4.0"
-          "CC-BY-NC-SA-4.0"
-          "CC-BY-ND-4.0"
-          "CC-BY-SA-4.0"
-          "CC0-1.0"
-          "GPL-2.0-only"
-          "GPL-3.0-only"
-          "GPL-3.0-or-later"
-          "LGPL-3.0-linking-exception"
-          "LGPL-3.0-only"
-          "LGPL-3.0-or-later"
-          "MIT"
-          "MPL-2.0"
-          "Unlicense"
-        ];
-        DEFAULT_REPO_UNITS = lib.concatStringsSep "," [
-          "repo.code"
-          "repo.issues"
-          "repo.pulls"
-          "repo.releases"
-        ];
-      };
      picture = {
        DISABLE_GRAVATAR = true;
        ENABLE_FEDERATED_AVATAR = false;
@@ -134,9 +99,9 @@ in {
      logo-svg = ../../../../assets/logo_blue_regular.svg;
      logo-png = ../../../../assets/logo_blue_regular.png;
    in ''
-      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
-      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
-      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
+      install -Dm444 ${logo-svg} ${cfg.customDir}/public/img/logo.svg
+      install -Dm444 ${logo-png} ${cfg.customDir}/public/img/logo.png
+      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/img/loading.png
    '';
  };
 }
--- a/hosts/bekkalokk/services/kerberos/default.nix
+++ b/hosts/bekkalokk/services/kerberos/default.nix
@@ -1,5 +1,18 @@
 { config, pkgs, lib, ... }:
 {
+  #######################
+  # TODO: remove these once nixos 24.05 gets released
+  #######################
+  imports = [
+    ./krb5.nix
+    ./pam.nix
+  ];
+  disabledModules = [
+    "config/krb5/default.nix"
+    "security/pam.nix"
+  ];
+  #######################
+
  security.krb5 = {
    enable = true;
    settings = {
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -86,7 +86,8 @@ in {
    };

    extensions = {
-      inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp VisualEditor;
+      #inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp VisualEditor;
+      inherit (pkgs.mediawiki-extensions) UserMerge PluggableAuth SimpleSAMLphp VisualEditor;
    };

    extraConfig = ''
@@ -120,6 +121,7 @@ in {

      # Misc
      $wgEmergencyContact = "${cfg.passwordSender}";
+      $wgShowIPinHeader = false;
      $wgUseTeX = false;
      $wgLocalInterwiki = $wgSitename;

@@ -135,10 +137,6 @@ in {
        ]
      ];

-      # Debugging
-      $wgShowExceptionDetails = false;
-      $wgShowIPinHeader = false;
-
      # Fix https://github.com/NixOS/nixpkgs/issues/183097
      $wgDBserver = "${toString cfg.database.host}";
    '';
--- a/hosts/bekkalokk/services/ozai.nix
+++ b/hosts/bekkalokk/services/ozai.nix
@@ -0,0 +1,25 @@
+{ config, pkgs, lib, ... }:
+let
+  domain = "azul.pvv.ntnu.no";
+in
+{
+
+  services.ozai.enable = true;
+  services.ozai.host = "0.0.0.0";
+  services.ozai.port = 8000;
+
+  services.ozai-webui = {
+    enable = true;
+    port = 8085;
+    host = "127.0.0.1";
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyWebsockets = true;
+        proxyPass = "http://${config.services.ozai.host}:${config.services.ozai.port}";
+      };
+  };
+}
--- a/hosts/buskerud/configuration.nix
+++ b/hosts/buskerud/configuration.nix
@@ -4,8 +4,6 @@
    ./hardware-configuration.nix
    ../../base.nix
    ../../misc/metrics-exporters.nix
-
-    ./services/libvirt.nix
  ];

  # buskerud does not support efi?
--- a/hosts/buskerud/services/libvirt.nix
+++ b/hosts/buskerud/services/libvirt.nix
@@ -1,10 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-  virtualisation.libvirtd.enable = true;
-  programs.dconf.enable = true;
-  boot.kernelModules = [ "kvm-intel" ];
-
-  # On a gui-enabled machine, connect with:
-  # $ virt-manager --connect "qemu+ssh://buskerud/system?socket=/var/run/libvirt/libvirt-sock"
-}
-
--- a/hosts/ildkule/services/monitoring/loki.nix
+++ b/hosts/ildkule/services/monitoring/loki.nix
@@ -50,6 +50,7 @@ in {
        boltdb_shipper = {
          active_index_directory = "/var/lib/loki/boltdb-shipper-index";
          cache_location = "/var/lib/loki/boltdb-shipper-cache";
+          shared_store = "filesystem";
          cache_ttl = "24h";
        };
        filesystem = {
@@ -58,13 +59,14 @@ in {
      };

      limits_config = {
-	allow_structured_metadata = false;
+        enforce_metric_name = false;
        reject_old_samples = true;
        reject_old_samples_max_age = "72h";
      };

      compactor = {
        working_directory = "/var/lib/loki/compactor";
+        shared_store = "filesystem";
      };

      # ruler = {
--- a/packages/mediawiki-extensions/delete-batch/default.nix
+++ b/packages/mediawiki-extensions/delete-batch/default.nix
@@ -1,14 +1,13 @@
-{ fetchgit }:
+{ fetchzip }:
 let
-  commit = "cad869fbd95637902673f744581b29e0f3e3f61a";
-  project-name = "DeleteBatch";
+  commit = "a53af3b8269ed19ede3cf1fa811e7ec8cb00af92";
+  project-name = "UserMerge";
  tracking-branch = "REL1_41";
 in
-(fetchgit {
-  name = "mediawiki-delete-batch-source";
-  url = "https://gerrit.wikimedia.org/r/mediawiki/extensions/${project-name}";
-  rev = "refs/heads/${tracking-branch}";
-  hash = "sha256-M1ek1WdO1/uTjeYlrk3Tz+nlb/fFZH+O0Ok7b10iKak=";
-}).overrideAttrs (_: {
+fetchzip {
+  name = "mediawiki-delete-batch";
+  url = "https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/${project-name}/+archive/${commit}.tar.gz";
+  hash = "sha256-0ofCZhhv4aVTGq469Fdu7k0oVQu3kG3HFa8zaBbUr/M=";
+  stripRoot = false;
  passthru = { inherit project-name tracking-branch; };
-})
+}
--- a/packages/mediawiki-extensions/pluggable-auth/default.nix
+++ b/packages/mediawiki-extensions/pluggable-auth/default.nix
@@ -1,14 +1,13 @@
-{ fetchgit }:
+{ fetchzip }:
 let
-  commit = "4111a57c34e25bde579cce5d14ea094021e450c8";
+  commit = "d5b3ad8f03b65d3746e025cdd7fe3254ad6e4026";
  project-name = "PluggableAuth";
  tracking-branch = "REL1_41";
 in
-(fetchgit {
+fetchzip {
  name = "mediawiki-pluggable-auth-source";
-  url = "https://gerrit.wikimedia.org/r/mediawiki/extensions/${project-name}";
-  rev = "refs/heads/${tracking-branch}";
-  hash = "sha256-aPtN8A9gDxLlq2+EloRZBO0DfHtE0E5kbV/adk82jvM=";
-}).overrideAttrs (_: {
+  url = "https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/${project-name}/+archive/${commit}.tar.gz";
+  hash = "sha256-mLepavgeaNUGYxrrCKVpybGO2ecjc3B5IU8q+gZTx2U=";
+  stripRoot = false;
  passthru = { inherit project-name tracking-branch; };
-})
+}
--- a/packages/mediawiki-extensions/simple-saml-php/default.nix
+++ b/packages/mediawiki-extensions/simple-saml-php/default.nix
@@ -1,14 +1,13 @@
-{ fetchgit }:
+{ fetchzip }:
 let
-  commit = "ecb47191fecd1e0dc4c9d8b90a9118e393d82c23";
+  commit = "9ae0678d77a9175285a1cfadd5adf28379dbdb3d";
  project-name = "SimpleSAMLphp";
  tracking-branch = "REL1_41";
 in
-(fetchgit {
+fetchzip {
  name = "mediawiki-simple-saml-php-source";
-  url = "https://gerrit.wikimedia.org/r/mediawiki/extensions/${project-name}";
-  rev = "refs/heads/${tracking-branch}";
-  hash = "sha256-gKu+O49XrAVt6hXdt36Ru7snjsKX6g2CYJ0kk/d+CI8=";
-}).overrideAttrs (_: {
+  url = "https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/${project-name}/+archive/${commit}.tar.gz";
+  hash = "sha256-s6Uw1fNzGBF0HEMl0LIRLhJkOHugrCE0aTnqawYi/pE=";
+  stripRoot = false;
  passthru = { inherit project-name tracking-branch; };
-})
+}
--- a/packages/mediawiki-extensions/update-mediawiki-extensions.py
+++ b/packages/mediawiki-extensions/update-mediawiki-extensions.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])" nix-prefetch-git
+#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ beautifulsoup4 requests ])"

 import os
 from pathlib import Path
@@ -8,13 +8,11 @@ import subprocess
 from collections import defaultdict
 from pprint import pprint
 from dataclasses import dataclass
-import json

 import bs4
 import requests

-BASE_WEB_URL = "https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions"
-BASE_GIT_URL = "https://gerrit.wikimedia.org/r/mediawiki/extensions/"
+BASE_URL = "https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions"

@dataclass
 class PluginMetadata:
@@ -47,21 +45,26 @@ def get_metadata(file_content: str) -> dict[str,str] | None:


 def get_newest_commit(project_name: str, tracking_branch: str) -> str:
-    content = requests.get(f"{BASE_WEB_URL}/{project_name}/+log/refs/heads/{tracking_branch}/").text
+    content = requests.get(f"{BASE_URL}/{project_name}/+log/refs/heads/{tracking_branch}/").text
    soup = bs4.BeautifulSoup(content, features="html.parser")
    a = soup.find('li').findChild('a')
    commit_sha = a['href'].split('/')[-1]
    return commit_sha


-def get_nix_hash(url: str, commit: str) -> str:
+def get_nix_hash(tar_gz_url: str) -> str:
    out, err = subprocess.Popen(
-        ["nix-prefetch-git", "--url", url, "--rev", commit, "--fetch-submodules", "--quiet"],
+        ["nix-prefetch-url", "--unpack", "--type", "sha256", tar_gz_url],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE
+    ).communicate()
+    out, err = subprocess.Popen(
+        ["nix", "hash", "to-sri", "--type", "sha256", out.decode().strip()],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE
    ).communicate()

-    return json.loads(out.decode().strip())['hash']
+    return out.decode().strip()


 def set_commit_and_hash(file_content: str, commit: str, sha256: str) -> str:
@@ -76,16 +79,16 @@ def update(package_file: Path) -> None:

    metadata = get_metadata(file_content)
    if metadata is None:
-        print(f"ERROR: could not find metadata for {package_file}")
        return
    if metadata.commit == "":
        metadata.commit = "<none>"

    new_commit = get_newest_commit(metadata.project_name, metadata.tracking_branch)
-    new_hash = get_nix_hash(f"{BASE_GIT_URL}/{metadata.project_name}", new_commit)
-    if new_hash is None or new_hash == "":
-        print(f"ERROR: could not fetch hash for {metadata.project_name}")
-        exit(1)
+    if new_commit == metadata.commit:
+        return
+
+    new_url = f"{BASE_URL}/{metadata.project_name}/+archive/{new_commit}.tar.gz"
+    new_hash = get_nix_hash(new_url)

    print(f"Updating {metadata.project_name}: {metadata.commit} -> {new_commit}")

--- a/packages/mediawiki-extensions/user-merge/default.nix
+++ b/packages/mediawiki-extensions/user-merge/default.nix
@@ -1,14 +1,13 @@
-{ fetchgit }:
+{ fetchzip }:
 let
-  commit = "c17c919bdb9b67bb69f80df43e9ee9d33b1ecf1b";
+  commit = "a53af3b8269ed19ede3cf1fa811e7ec8cb00af92";
  project-name = "UserMerge";
  tracking-branch = "REL1_41";
 in
-(fetchgit {
+fetchzip {
  name = "mediawiki-user-merge-source";
-  url = "https://gerrit.wikimedia.org/r/mediawiki/extensions/${project-name}";
-  rev = "refs/heads/${tracking-branch}";
-  hash = "sha256-+mkzTCo8RVlGoFyfCrSb5YMh4J6Pbi1PZLFu5ps8bWY=";
-}).overrideAttrs (_: {
+  url = "https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/${project-name}/+archive/${commit}.tar.gz";
+  hash = "sha256-0ofCZhhv4aVTGq469Fdu7k0oVQu3kG3HFa8zaBbUr/M=";
+  stripRoot = false;
  passthru = { inherit project-name tracking-branch; };
-})
+}
--- a/packages/mediawiki-extensions/visual-editor/default.nix
+++ b/packages/mediawiki-extensions/visual-editor/default.nix
@@ -1,14 +1,13 @@
-{ fetchgit }:
+{ fetchzip }:
 let
-  commit = "170d19aad1f28dc6bd3f98ee277680cabba9db0c";
+  commit = "bb92d4b0bb81cebd73a3dbabfb497213dac349f2";
  project-name = "VisualEditor";
-  tracking-branch = "REL1_41";
+  tracking-branch = "REL1_40";
 in
-(fetchgit {
+fetchzip {
  name = "mediawiki-visual-editor-source";
-  url = "https://gerrit.wikimedia.org/r/mediawiki/extensions/${project-name}";
-  rev = "refs/heads/${tracking-branch}";
-  hash = "sha256-5WVlO/OEk4eln5j/w4Tu/MXSmlvjIn7l6H+OTPaV+t4=";
-}).overrideAttrs (_: {
+  url = "https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/${project-name}/+archive/${commit}.tar.gz";
+  hash = "sha256-lShpSoR+NLfdd5i7soM6J40pq+MzCMG0M1tSYsS+jAg=";
+  stripRoot = false;
  passthru = { inherit project-name tracking-branch; };
-})
+}
--- a/users/felixalb.nix
+++ b/users/felixalb.nix
@@ -1,12 +1,8 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, ... }:
 {
  users.users.felixalb = {
    isNormalUser = true;
-    extraGroups = [
-      "wheel"
-    ] ++ lib.optionals ( config.users.groups ? "libvirtd" ) [
-      "libvirtd"
-    ];
+    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"