felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-01-07 07:58:25 +01:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: felixalb:167c889e111f434fb53dcc30bd81b1fe9bf8e784
Branches Tags
felixalb:main felixalb:alps felixalb:fix-bluemap-markers felixalb:nix-topology felixalb:gitea-robots-txt felixalb:bindmount-postgres-mysql-dirs felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:errorpages felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:dagali-heimdal-openldap-sasl-stack felixalb:gitea-navbar-get-started felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim
...
compare: felixalb:gitea-robots-txt
Branches Tags
felixalb:main felixalb:alps felixalb:fix-bluemap-markers felixalb:nix-topology felixalb:gitea-robots-txt felixalb:bindmount-postgres-mysql-dirs felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:errorpages felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:dagali-heimdal-openldap-sasl-stack felixalb:gitea-navbar-get-started felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim

28 Commits
167c889e11 ... gitea-robo

Author SHA1 Message Date
h7x4
f502a8ce4f kommode/gitea: add robots.txt 2025-12-30 00:34:26 +09:00
h7x4
67445dd9d4 flake.lock: bump 2025-12-30 00:33:11 +09:00
h7x4
101d40f62f flake.nix: pin git ref for all inputs 2025-12-30 00:33:03 +09:00
h7x4
16891ff521 misc/metrics-exporters: move to base 2025-12-30 00:32:25 +09:00
h7x4
1430af8dfd misc/rust-motd: drop 2025-12-30 00:23:25 +09:00
h7x4
9491a5d200 wenche: flatten builder config 2025-12-30 00:22:57 +09:00
h7x4
33b7af4e62 flake.nix: add pkgs as an output for ease of why-depends 2025-12-30 00:14:08 +09:00
h7x4
ba36db33b8 docs/{development, development-misc}: init, README: clean 2025-12-29 23:36:23 +09:00
h7x4
5158b39ec8 README: lowercase filename extension 2025-12-29 20:34:53 +09:00
h7x4
48aa9c0e7e README: add links to new docs 2025-12-29 20:34:53 +09:00
h7x4
34c5e58580 docs/secret-management.md: init 2025-12-29 20:34:53 +09:00
h7x4
8b10cac63a docs/users.md: init 2025-12-29 20:34:53 +09:00
h7x4
b90a983de0 mediawiki-extensions: bump 2025-12-24 14:27:47 +09:00
h7x4
aa6f7e3038 base/nginx: enable extra listen paramenters by default 2025-12-24 13:44:58 +09:00
h7x4
7356364983 bekkalokk/bluemap: enable kTLS, HTTP3 and QUIC for nginx 2025-12-24 13:44:58 +09:00
h7x4
0c505e9c01 bekkalokk/bluemap: rewrite prestart as StateDirectory + ExecStartPre 2025-12-24 12:26:01 +09:00
h7x4
98473ef3c6 modules/bluemap: expand script 2025-12-24 12:11:51 +09:00
h7x4
9fd4df58b1 modules/bluemap: set CPUSchedulingPolicy=batch 2025-12-24 12:03:20 +09:00
h7x4
18c8490fe4 modules/bluemap: declare render-mask option 2025-12-24 11:27:35 +09:00
h7x4
a098eda1b1 modules/bluemap: remove max-y, bekkalokk/bluemap: fix 2025-12-24 11:22:00 +09:00
h7x4
f159fbf690 bekkalokk/bluemap: fix start-pos in map configs 2025-12-24 11:15:34 +09:00
h7x4
bd1cbd730a bekkalokk/bluemap: set world names 2025-12-24 11:10:25 +09:00
h7x4
0412ed2bc7 modules/bluemap: update map config defaults 2025-12-24 11:09:14 +09:00
h7x4
1991f5a290 modules/bluemap: declare 'name' option 2025-12-24 11:01:56 +09:00
h7x4
b567a85446 bluemap: move module and package, expose through flake, bekkalokk/bluemap: use correct package version 2025-12-24 10:52:07 +09:00
h7x4
eeedcf738a bluemap: update module to reflect upstream better 2025-12-24 10:45:03 +09:00
h7x4
e6950681d5 bluemap: bump from 5.2 -> 5.15 2025-12-24 10:17:05 +09:00
h7x4
2ab25ecd45 bekkalokk/bluemap: update config 2025-12-24 10:10:28 +09:00
33 changed files with 1008 additions and 408 deletions
Expand all files Collapse all files

61
README.MD
View File

@@ -1,61 +0,0 @@
# PVV NixOS configs
## Hvordan endre på ting
Før du endrer på ting husk å ikke putte ting som skal være hemmelig uten å først lese seksjonen for hemmeligheter!
Etter å ha klonet prosjektet ned og gjort endringer kan du evaluere configene med:
`nix flake check --keep-going`
før du bygger en maskin med:
`nix build .#<maskinnavn>`
hvis du vil være ekstra sikker på at alt bygger så kan du kjøre:
`nix build .` for å bygge alle de viktige maskinene.
NB: Dette kan ta opp til 30 minutter avhengig av hva som ligger i caches
Husk å hvertfall stage nye filer om du har laget dem!
Om alt bygger fint commit det og push til git repoet.
Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
som root på maskinen.
Hvis du ikke har lyst til å oppdatere alle pakkene (og kanskje måtte vente en stund!) kan du kjøre
`nixos-rebuild switch --override-input nixpkgs nixpkgs --override-input nixpkgs-unstable nixpkgs-unstable --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
## Seksjonen for hemmeligheter
For at hemmeligheter ikke skal deles med hele verden i git - eller å være world
readable i nix-storen, bruker vi [sops-nix](https://github.com/Mic92/sops-nix)
For å legge til secrets kan du kjøre f.eks. `sops secrets/jokum/jokum.yaml`
Dette vil dekryptere filen og gi deg en text-editor du kan bruke for endre hemmelighetene.
Et nix shell med dette verktøyet inkludert ligger i flaket og shell.nix og kan aktiveres med:
`nix-shell` eller `nix develop`. Vi anbefaler det siste.
I tilegg kan du sette opp [direnv](https://direnv.net/) slik at dette skjer automatisk
for å få tilgang til å lese/skrive hemmeligheter må du spørre noen/noe som har tilgang til hemmelighetene
om å legge til age eller pgp nøkkelen din i [`.sops.yaml`](https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/.sops.yaml)
Denne kan du generere fra ssh-nøkkelene dine eller lage en egen nøkkel.
### Legge til flere keys
Gjør det som gir mening i .sops.yml
Etter det kjør `sops updatekeys secrets/host/file.yml`
MERK at det ikke er `sops -r` som BARE roterer nøkklene for de som allerede er i secretfila

36
README.md Normal file
View File

@@ -0,0 +1,36 @@
# PVV NixOS config
This repository contains the NixOS configurations for Programvareverkstedet's server closet.
In addition to machine configurations, it also contains a bunch of shared modules, packages, and
more.
## Machines
| Name | Type | Description |
|----------------------------|----------|-----------------------------------------------------------|
| [bekkalokk][bek] | Physical | Our main web host, webmail, wiki, idp, minecraft map, ... |
| [bicep][bic] | Virtual | Database host, matrix, git mirrors, ... |
| bikkje | Virtual | Experimental login box |
| [brzeczyszczykiewicz][brz] | Physical | Shared music player |
| [georg][geo] | Physical | Shared music player |
| [ildkule][ild] | Virtual | Logging and monitoring host, prometheus, grafana, ... |
| [kommode][kom] | Virtual | Gitea + Gitea pages |
| [lupine][lup] | Physical | Gitea CI/CD runners |
| shark | Virtual | Test host for authentication, absolutely horrendous |
| [wenche][wen] | Virtual | Nix-builders, general purpose compute |
## Documentation
- [Development - working on the PVV machines](./docs/development.md)
- [Miscellaneous development notes](./docs/development-misc.md)
- [User management](./docs/users.md)
- [Secret management and `sops-nix`](./docs/secret-management.md)
[bek]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bekkalokk
[bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
[brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
[geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
[ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
[kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
[lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
[wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche

3
base/default.nix
View File

@@ -25,6 +25,9 @@
./services/nginx.nix
./services/openssh.nix
./services/postfix.nix
./services/prometheus-node-exporter.nix
./services/prometheus-systemd-exporter.nix
./services/promtail.nix
./services/smartd.nix
./services/thermald.nix
./services/userborn.nix

19
base/services/nginx.nix
View File

@@ -40,6 +40,25 @@
};
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
listen = [
{
addr = "0.0.0.0";
extraParameters = [
"default_server"
# Seemingly the default value of net.core.somaxconn
"backlog=4096"
"deferred"
];
}
{
addr = "[::0]";
extraParameters = [
"default_server"
"backlog=4096"
"deferred"
];
}
];
sslCertificate = "/etc/certs/nginx.crt";
sslCertificateKey = "/etc/certs/nginx.key";
addSSL = true;

23
base/services/prometheus-node-exporter.nix Normal file
View File

@@ -0,0 +1,23 @@
{ config, lib, values, ... }:
let
cfg = config.services.prometheus.exporters.node;
in
{
services.prometheus.exporters.node = {
enable = lib.mkDefault true;
port = 9100;
enabledCollectors = [ "systemd" ];
};
systemd.services.prometheus-node-exporter.serviceConfig = lib.mkIf cfg.enable {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ cfg.port ];
}

26
base/services/prometheus-systemd-exporter.nix Normal file
View File

@@ -0,0 +1,26 @@
{ config, lib, values, ... }:
let
cfg = config.services.prometheus.exporters.systemd;
in
{
services.prometheus.exporters.systemd = {
enable = lib.mkDefault true;
port = 9101;
extraFlags = [
"--systemd.collector.enable-restart-count"
"--systemd.collector.enable-ip-accounting"
];
};
systemd.services.prometheus-systemd-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ cfg.port ];
}

38
base/services/promtail.nix Normal file
View File

@@ -0,0 +1,38 @@
{ config, lib, values, ... }:
let
cfg = config.services.prometheus.exporters.node;
in
{
services.promtail = {
enable = lib.mkDefault true;
configuration = {
server = {
http_listen_port = 28183;
grpc_listen_port = 0;
};
clients = [{
url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
}];
scrape_configs = [{
job_name = "systemd-journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = config.networking.hostName;
};
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
];
}];
};
};
}

103
docs/development-misc.md Normal file
View File

@@ -0,0 +1,103 @@
# Miscellaneous development notes
This document contains a bunch of information that is not particularly specific to the pvv nixos config,
but concerns technologies we use often or gotchas to be aware of when working with NixOS. A lot of the information
here is already public information spread around the internet, but we've collected some of the items we use often
here.
## The firewall
`networking.firewall` is a NixOS module that configures `iptables` rules on the machine. It is enabled by default on
all of our machines, and it can be easy to forget about it when setting up new services, especially when we are the
ones creating the NixOS module.
When setting up a new service that listens on a TCP or UDP port, make sure to add the appropriate ports to either
`networking.firewall.allowedTCPPorts` or `networking.firewall.allowedUDPPorts`.
You can list out the current firewall rules by running `sudo iptables -L -n -v` on the machine.
## Finding stuff
Finding stuff, both underlying implementation and usage is absolutely crucial when working on nix.
Oftentimes, the documentation will be outdated, lacking or just plain out wrong. These are some of
the techniques we have found to be quite good when working with nix.
### [ripgrep](https://github.com/BurntSushi/ripgrep)
ripgrep (or `rg` for short) is a tool that lets you recursively grep for regex patters in a directory.
It is great for finding references to configuration, and where and how certain things are used. It is
especially great when working with [nixpkgs](https://github.com/NixOS/nixpkgs), which is quite large.
### GitHub Search
When trying to set up a new service or reconfigure something, it is very common that someone has done it
before you, but it has never been documented anywhere. A lot of Nix code exists on GitHub, and you can
easily query it by using the `lang:nix` filter in the search bar.
For example: https://github.com/search?q=lang%3Anix+dibbler&type=code
## rsync
`rsync` is a tool for synchronizing files between machines. It is very useful when transferring large
amounts of data from a to b. We use it for multiple things, often when data is produced or stored on
one machine, and we want to process or convert it on another. For example, we use it to transfer gitea
artifacts, to transfer gallery pictures, to transfer minecraft world data for map rendering, and more.
Along with `rsync`, we often use a lesser known tool called `rrsync`, which you can use inside an ssh
configuration (`authorized_keys` file) to restrict what paths a user can access when connecting over ssh.
This is useful both as a security measure, but also to avoid accidental overwrites of files outside the intended
path. `rrsync` will use chroot to restrict what paths the user can access, as well as refuse to run arbitrary commands.
## `nix repl`
`nix repl` is an interactive REPL for the Nix language. It is very useful for experimenting with Nix code,
and testing out small snippets of code to make sure it behaves as expected. You can also use it to explore
NixOS machine configurations, to interactively see that the configuration evaluates to what you expect.
```
# While in the pvv-nixos-config directory
nix repl .
# Upon writing out the config path and clickin [Tab], you will get autocompletion suggestions:
nix-repl> nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts._
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.bekkalokk.pvv.ntnu.no-nixos-metrics
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.idp.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.minecraft.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pvv.org
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pw.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.roundcubeplaceholder.example.com
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.snappymail.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.webmail.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.wiki.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.www.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.www.pvv.org
```
## `nix why-depends`
If you ever wonder why a certain package is being used as a dependency of another package,
or another machine, you can use `nix why-depends` to find the dependency path from one package to another.
This is often useful after updating nixpkgs and finding an error saying that a certain package is insecure,
broken or whatnot. You can do something like the following
```bash
# Why does bekkalokk depend on openssl?
nix why-depends .#nixosConfigurations.bekkalokk.config.system.build.toplevel .#nixosConfigurations.bekkalokk.pkgs.openssl
# Why does bekkalokk's minecraft-server depend on zlib? (this is not real)
nix why-depends .#nixosConfigurations.bekkalokk.pkgs.minecraft-server .#nixosConfigurations.bekkalokk.pkgs.zlib
```
## php-fpm
php-fpm (FastCGI Process Manager) is a PHP implementation that is designed for speed and production use. We host a bunch
of different PHP applications (including our own website), and so we use php-fpm quite a bit. php-fpm typically exposes a
unix socket that nginx will connect to, and php-fpm will then render php upon web requests forwarded from nginx and return
it.
php-fpm has a tendency to be a bit hard to debug. It is not always very willing to spit out error messages and logs, and so
it can be a bit hard to figure out what's up when something goes wrong. You should see some of the commented stuff laying around
in the website code on bekkalokk for examples of how to configure php-fpm for better logging and error reporting.

190
docs/development.md Normal file
View File

@@ -0,0 +1,190 @@
# Development - working on the PVV machines
This document outlines the process of editing our NixOS configurations, and testing and deploying said changes
to the machines. Most of the information written here is specific to the PVV NixOS configuration, and the topics
will not really cover the nix code itself in detail. You can find some more resources for that by either following
the links from the *Upstream documentation* section below, or in [Miscellaneous development notes](./development-misc.md).
## Editing nix files
> [!WARN]
> Before editing any nix files, make sure to read [Secret management and `sops-nix`](./secret-management.md)!
> We do not want to add any secrets in plaintext to the nix files, and certainly not commit and publish
> them into the common public.
The files are plaintext code, written in the [`Nix` language](https://nix.dev/manual/nix/stable/language/).
Below is a list of important files and directories, and a description of what they contain.
### `flake.nix`
The `flake.nix` file is a [nix flake](https://wiki.nixos.org/wiki/Flakes) and makes up the entrypoint of the
entire configuration. It declares what inputs are used (similar to dependencies), as well as what outputs the
flake exposes. In our case, the most important outputs are the `nixosConfigurations` (our machine configs), but
we also expose custom modules, packages, devshells, and more. You can run `nix flake show` to get an overview of
the outputs (however you will need to [enable the `nix-flakes` experimental option](https://wiki.nixos.org/wiki/Flakes#Setup)).
You will find that a lot of the flake inputs are the different PVV projects that we develop, imported to be hosted
on the NixOS machines. This makes it easy to deploy changes to these projects, as we can just update the flake input
to point to a new commit or version, and then rebuild the machines.
A NixOS configuration is usually made with the `nixpkgs.lib.nixosSystem` function, however we have a few custom wrapper
functions named `nixosConfig` and `stableNixosConfig` that abstracts away some common configuration we want on all our machines.
### `values.nix`
`values.nix` is a somewhat rare pattern in NixOS configurations around the internet. It contains a bunch of constant values
that we use throughout the configuration, such as IP addresses, DNS names, paths and more. This not only makes it easier to
change the values should we need to, but it also makes the configuration more readable. Instead of caring what exact IP any
machine has, you can write `values.machines.name.ipv4` and abstract the details away.
### `base`
The `base` directory contains a bunch of NixOS configuration that is common for all or most machines. Some of the config
you will find here sets defaults for certain services without enabling them, so that when they are enabled in a machine config,
we don't need to repeat the same defaults over again. Other parts actually enable certain services that we want on all machines,
such as `openssh` or the auto upgrade timer.
### Vendoring `modules` and `packages`
Sometimes, we either find that the packages or modules provided by `nixpkgs` is not sufficient for us,
or that they are bugged in some way that can not be easily overrided. There are also cases where the
modules or packages does not exist. In these cases, we tend to either copy and modify the modules and
packages from nixpkgs, or create our own. These modules and packages end up in the top-level `modules`
and `packages` directories. They are usually exposed in `flake.nix` as flake outputs `nixosModules.<name>`
and `packages.<platform>.<name>`, and they are usually also added to the machines that need them in the flake.
In order to override or add an extra package, the easiest way is to use an [`overlay`](https://wiki.nixos.org/wiki/Overlays).
This makes it so that the package from `pkgs.<name>` now refers to the modified variant of the package.
In order to add a module, you can just register it in the modules of the nixos machine.
In order to override a module, you also have to use `disabledModules = [ "<path-relative-to-nixpkgs/modules>" ];`.
Use `rg` to find examples of the latter.
Do note that if you believe a new module to be of high enough quality, or the change you are making to be
relevant for every nix user, you should strongly consider also creating a PR towards nixpkgs. However,
getting changes made there has a bit higher threshold and takes more time than making changes in the PVV config,
so feel free to make the changes here first. We can always remove the changes again once the upstreaming is finished.
### `users`, `secrets` and `keys`
For `users`, see [User management](./users.md)
For `secrets` and `keys`, see [Secret management and `sops-nix`](./secret-management.md)
### Collaboration
We use our gitea to collaborate on changes to the nix configuration. Every PVV maintenance member should have
access to the repository. The usual workflow is that we create a branch for the change we want to make, do a bunch
of commits and changes, and then open a merge request for review (or just rebase on master if you know what you are doing).
### Upstream documentation
Here are different sources of documentation and stuff that you might find useful while
writing, editing and debugging nix code.
- [nixpkgs repository](https://github.com/NixOS/nixpkgs)
This is particularly useful to read the source code, as well as upstreaming pieces of code that we think
everyone would want
- [NixOS search](https://search.nixos.org/)
This is useful for searching for both packages and NixOS options.
- [nixpkgs documentation](https://nixos.org/manual/nixpkgs/stable/)
- [NixOS documentation](https://nixos.org/manual/nixos/stable/)
- [nix (the tool) documentation](https://nix.dev/manual/nix/stable/)
All of the three above make up the official documentation with all technical
details about the different pieces that makes up NixOS.
- [The official NixOS wiki](https://wiki.nixos.org)
User-contributed guides, tips and tricks, and whatever else.
- [nix.dev](https://nix.dev)
Additional stuff
- [Noogle](https://noogle.dev)
This is useful when looking for nix functions and packaging helpers.
## Testing and deploying changes
After editing the nix files on a certain branch, you will want to test and deploy the changes to the machines.
Unfortunately, we don't really have a good setup for testing for runtime correctness locally, but we can at least
make sure that the code evaluates and builds correctly before deploying.
To just check that the code evaluates without errors, you can run:
```bash
nix flake check
# Or if you want to keep getting all errors before it quits:
nix flake check --keep-going
```
> [!NOTE]
> If you are making changes that involves creating new nix files, remember to `git add` those files before running
> any nix commands. Nix refuses to acknowledge files that are not either commited or at least staged. It will spit
> out an error message about not finding the file in question.
### Building machine configurations
To build any specific machine configuration and look at the output, you can run:
```bash
nix build .#nixosConfigurations.<machine-name>.config.system.build.toplevel
# or just
nix build .#<machine-name>
```
This will create a symlink name `./result` to a directory containing the built NixOS system. It is oftentimes
the case that config files for certain services only end up in the nix store without being put into `/etc`. If you wish
to read those files, you can often find them by looking at the systemd unit files in `./result/etc/systemd/system/`.
(if you are using vim, `gf` or go-to-file while the cursor is over a file path is a useful trick while doing this).
If you have edited something that affects multiple machines, you can also build all important machines at once by running:
```bash
nix build .#
```
> [!NOTE]
> Building all machines at once can take a long time, depending on what has changed and whether you have already
> built some of the machines recently. Be prepared to wait for up to an hour to build all machines from scratch
> if this is the first time.
### Deploying to machines
> [!WARN]
> Be careful to think about state when testing changes against the machines. Sometimes, a certain change
> can lead to irreversible changes to the data stored on the machine. An example would be a set of database
> migrations applied when testing a newer version of a service. Unless that service also comes with downwards
> migrations, you can not go back to the previous version without losing data.
To deploy the changes to a machine, you should first SSH into the machine, and clone the pvv-nixos-config
repository unless you have already done so. After that, checkout the branch you want to deploy from, and rebuild:
```bash
# Run this while in the pvv-nixos-config directory
sudo nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake .# --upgrade
```
This will rebuild the NixOS system on the current branch and switch the system configuration to reflect the new changes.
Note that unless you eventually merge the current changes into `main`, the machine will rebuild itself automatically and
revert the changes on the next nightly rebuild (tends to happen when everybody is asleep).
### Forcefully reset to `main`
If you ever want to reset a machine to the `main` branch, you can do so by running:
```bash
nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git
```
This will ignore the current branch and just pull the latest `main` from the git repository directly from gitea.
You can also use this command if there are updates on the `main` branch that you want to deploy to the machine without
waiting for the nightly rebuild.

160
docs/secret-management.md Normal file
View File

@@ -0,0 +1,160 @@
# Secret management and `sops-nix`
Nix config is love, nix config is life, and publishing said config to the
internet is not only a good deed and kinda cool, but also encourages properly
secured configuration as opposed to [security through obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity).
That being said, there are some details of the config that we really shouldn't
share with the general public. In particular, there are so-called *secrets*, that is
API keys, passwords, tokens, cookie secrets, salts, peppers and jalapenos that we'd
rather keep to ourselves. However, it is not entirely trivial to do so in the NixOS config.
For one, we'd have to keep these secrets out of the public git repo somehow, and secondly
everything that is configured via nix ends up as world readable files (i.e. any user on the
system can read the file) in `/nix/store`.
In order to solve this, we use a NixOS module called [`sops-nix`](https://github.com/Mic92/sops-nix)
which uses a technology called [`sops`](https://github.com/getsops/sops) behind the scenes.
The idea is simple: we encrypt these secrets with a bunch of different keys and store the
encrypted files in the git repo. First of all, we encrypt the secrets a bunch of time with
PVV maintenance member's keys, so that we can decrypt and edit the contents. Secondly, we
encrypt the secrets with the [host keys]() of the NixOS machines, so that they can decrypt
the secrets. The secrets will be decrypted and stored in a well-known location (usually `/run/secrets`)
so that they do not end up in the nix store, and are not world readable.
This way, we can both keep the secrets in the git repository and let multiple people edit them,
but also ensure that they don't end up in the wrong hands.
## Adding a new machine
In order to add a new machine to the nix-sops setup, you should do the following:
```console
# Create host keys (if they don't already exist)
ssh-keygen -A -b 4096
# Derive an age-key from the public host key
nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# Register the age key in .sops.yaml
vim .sops.yaml
```
The contents of `.sops.yaml` should look like this:
```yaml
keys:
# Users
...
# Hosts
...
- &host_<machine_name> <public_age_key>
creation_rules:
...
- path_regex: secrets/<machine_name>/[^/]+\.yaml$
key_groups:
- age:
- *host_<machine_name>
- ... user keys
- pgp:
- ... user keys
```
> [!NOTE]
> Take care that all the keys in the `age` and `pgp` sections are prefixed
> with a `-`, or else sops might try to encrypt the secrets in a way where
> you need both keys present to decrypt the content. Also, it tends to throw
> interesting errors when it fails to do so.
```console
# While cd-ed into the repository, run this to get a shell with the `sops` tool present
nix-shell
```
Now you should also be able to edit secrets for this machine by running:
```
sops secrets/<machine_name>/<machine_name>.yaml
```
## Adding a user
Adding a user is quite similar to adding a new machine.
This guide assumes you have already set up SSH keys.
```
# Derive an age-key from your key
# (edit the path to the key if it is named something else)
nix-shell -p ssh-to-age --run 'cat ~/.ssh/id_ed25519.pub | ssh-to-age'
# Register the age key in .sops.yaml
vim .sops.yaml
```
The contents of `.sops.yaml` should look like this:
```yaml
keys:
# Users
...
- &user_<user_name> <public_age_key>
# Hosts
...
creation_rules:
...
# Do this for all the machines you are planning to edit
# (or just do it for all machines)
- path_regex: secrets/<machine_name>/[^/]+\.yaml$
key_groups:
- age:
- *host_<machine_name>
- ... user keys
- *host_<user_name>
- pgp:
- ... user keys
```
Now that sops is properly configured to recognize the key, you need someone
who already has access to decrypt all the secrets and re-encrypt them with your
key. At this point, you should probably [open a PR](https://docs.gitea.com/usage/issues-prs/pull-request)
and ask someone in PVV maintenance if they can checkout the PR branch, run the following
command and push the diff back into the PR (and maybe even ask them to merge if you're feeling
particularly needy).
```console
sops updatekeys secrets/*/*.yaml
```
## Updating keys
> [!NOTE]
> At some point, we found this flag called `sops -r` that seemed to be described to do what
> `sops updatekeys` does, do not be fooled. This only rotates the "inner key" for those who
> already have the secrets encrypted with their key.
Updating keys is done with this command:
```console
sops updatekeys secrets/*/*.yaml
```
However, there is a small catch. [oysteikt](https://git.pvv.ntnu.no/oysteikt) has kinda been
getting gray hairs lately, and refuses to use modern technology - he is still stuck using GPG.
This means that to be able to re-encrypt the sops secrets, you will need to have a gpg keychain
with his latest public key available. The key has an expiry date, so if he forgets to update it,
you should send him and angry email and tag him a bunch of times in a gitea issue. If the key
is up to date, you can do the following:
```console
# Fetch gpg (unless you have it already)
nix-shell -p gpg
# Import oysteikts key to the gpg keychain
gpg --import ./keys/oysteikt.pub
```
Now you should be able to run the `sops updatekeys` command again.

50
docs/users.md Normal file
View File

@@ -0,0 +1,50 @@
# User management
Due to some complications with how NixOS creates users compared to how we used to
create users with the salt-based setup, the NixOS machine users are created and
managed separately. We tend to create users on-demand, whenever someone in PVV
maintenance want to work on the NixOS machines.
## Setting up a new user
You can find the files for the existing users, and thereby examples of user files
in the [`users`](../users) directory. When creating a new file here, you should name it
`your-username.nix`, and add *at least* the following contents:
```nix
{ pkgs, ... }:
{
users.users."<username>" = {
isNormalUser = true;
extraGroups = [
"wheel" # In case you wanna use sudo (you probably do)
"nix-builder-users" # Arbitrary access to write to the nix store
];
# Any packages you frequently use to manage servers go here.
# Please don't pull gigantonormous packages here unless you
# absolutely need them, and remember that any package can be
# pulled via nix-shell if you only use it once in a blue moon.
packages = with pkgs; [
bottom
eza
];
# Not strictly needed, but we recommend adding your public SSH
# key here. If it is not present, you will have to log into the
# machine as 'root' before setting your password for every NixOS
# machine you have not logged into yet.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjiQ0wg4lpC7YBMAAHoGmgwqHOBi+EUz5mmCymGlIyT my-key"
];
};
}
```
The file will be picked up automatically, so creating the file and adding the
contents should be enough to get you registered. You should
[open a PR](https://docs.gitea.com/usage/issues-prs/pull-request) with the new
code so the machines will be rebuilt with your user present.
See also [Secret Management](./secret-management.md) for how to add your keys to the
system that lets us add secrets (API keys, password, etc.) to the NixOS config.

100
flake.lock generated
View File

@@ -7,15 +7,16 @@
]
},
"locked": {
"lastModified": 1764627417,
"narHash": "sha256-D6xc3Rl8Ab6wucJWdvjNsGYGSxNjQHzRc2EZ6eeQ6l4=",
"lastModified": 1736864502,
"narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
"owner": "nix-community",
"repo": "disko",
"rev": "5a88a6eceb8fd732b983e72b732f6f4b8269bef3",
"rev": "0141aabed359f063de7413f80d906e1d98c0c123",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v1.11.0",
"repo": "disko",
"type": "github"
}
@@ -29,13 +30,14 @@
"locked": {
"lastModified": 1764868579,
"narHash": "sha256-rfTUOIc0wnC4+19gLVfPbHfXx/ilfuUix6bWY+yaM2U=",
"ref": "refs/heads/main",
"ref": "main",
"rev": "9c923d1d50daa6a3b28c3214ad2300bfaf6c8fcd",
"revCount": 22,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
}
@@ -48,15 +50,16 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1764868843,
"narHash": "sha256-ZXYLXKO+VjAJr2f5zz+7SuKFICfI2eZnmTgS/626YE0=",
"ref": "refs/heads/main",
"rev": "c095533c50e80dd18ac48046f1479cf4d83c631c",
"revCount": 52,
"lastModified": 1765760377,
"narHash": "sha256-2+lgzUjVas9hPSeWn52MwuX+iidMN4RkzkHo4vrGmR8=",
"ref": "main",
"rev": "f340dc5b9c9f3b75b7aca41f56f8869b9e28cf8c",
"revCount": 58,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
}
@@ -70,13 +73,14 @@
"locked": {
"lastModified": 1764867811,
"narHash": "sha256-UWHiwr8tIcGcVxMLvAdNxDbQ8QuHf3REHboyxvFkYEI=",
"ref": "refs/heads/master",
"ref": "master",
"rev": "c9983e947efe047ea9d6f97157a1f90e49d0eab3",
"revCount": 81,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
},
"original": {
"ref": "master",
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
}
@@ -106,18 +110,20 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
]
],
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1756124334,
"narHash": "sha256-DXFmSpgI8FrqcdqY7wg5l/lpssWjslHq5ufvyp/5k4o=",
"ref": "refs/heads/main",
"rev": "83760b1ebcd9722ddf58a4117d29555da65538ad",
"revCount": 13,
"lastModified": 1766407405,
"narHash": "sha256-UEJ8F8/oG70biWRrGbL5/aB7OXzzvnYs+jxkR07UHvA=",
"ref": "main",
"rev": "e719840f72ca1b0cd169562a3a0de69899821de0",
"revCount": 16,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
}
@@ -129,15 +135,16 @@
]
},
"locked": {
"lastModified": 1765903589,
"narHash": "sha256-JRLmckeM4G2hkH2V3VdfjHrrsWgJ8j7rZDYYjHTkRqA=",
"ref": "refs/heads/main",
"rev": "7c86d342e68506fcd83cb74af3336f99ff522a0a",
"revCount": 24,
"lastModified": 1765904683,
"narHash": "sha256-uXM56y5n5GWpCiCNdKlTcCAy2IntgDB21c4gBDU30io=",
"ref": "main",
"rev": "6fae27b1659efb6774cf08a4e36ed29ab0e24105",
"revCount": 26,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
}
@@ -151,13 +158,14 @@
"locked": {
"lastModified": 1743881366,
"narHash": "sha256-ScGA2IHPk9ugf9bqEZnp+YB/OJgrkZblnG/XLEKvJAo=",
"ref": "refs/heads/main",
"ref": "main",
"rev": "db2e4becf1b11e5dfd33de12a90a7d089fcf68ec",
"revCount": 11,
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
}
@@ -197,13 +205,14 @@
"locked": {
"lastModified": 1764869785,
"narHash": "sha256-FGTIpC7gB4lbeL0bfYzn1Ge0PaCpd7VqWBLhJBx0i4A=",
"ref": "refs/heads/main",
"ref": "main",
"rev": "8ce7fb0b1918bdb3d1489a40d73895693955e8b2",
"revCount": 23,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
}
@@ -215,15 +224,16 @@
]
},
"locked": {
"lastModified": 1757332682,
"narHash": "sha256-4p4aVQWs7jHu3xb6TJlGik20lqbUU/Fc0/EHpzoRlO0=",
"ref": "refs/heads/main",
"rev": "da1113341ad9881d8d333d1e29790317bd7701e7",
"revCount": 518,
"lastModified": 1765978548,
"narHash": "sha256-VDSPpw+/Mgo+JujoW12CRlkTs9o0tX/FEL2AR5kl5+Q=",
"ref": "main",
"rev": "961f021d27f86b2aedd16290dbf85bdd9d50fd42",
"revCount": 532,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
}
@@ -253,11 +263,32 @@
]
},
"locked": {
"lastModified": 1764816035,
"narHash": "sha256-F0IQSmSj4t2ThkbWZooAhkCTO+YpZSd2Pqiv2uoYEHo=",
"lastModified": 1765680428,
"narHash": "sha256-fyPmRof9SZeI14ChPk5rVPOm7ISiiGkwGCunkhM+eUg=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "74d9abb7c5c030469f90d97a67d127cc5d76c238",
"rev": "eb3898d8ef143d4bf0f7f2229105fc51c7731b2f",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": {
"nixpkgs": [
"minecraft-heatmap",
"nixpkgs"
]
},
"locked": {
"lastModified": 1766371695,
"narHash": "sha256-W7CX9vy7H2Jj3E8NI4djHyF8iHSxKpb2c/7uNQ/vGFU=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "d81285ba8199b00dc31847258cae3c655b605e8c",
"type": "github"
},
"original": {
@@ -273,15 +304,16 @@
]
},
"locked": {
"lastModified": 1764483358,
"narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
"lastModified": 1766894905,
"narHash": "sha256-pn8AxxfajqyR/Dmr1wnZYdUXHgM3u6z9x0Z1Ijmz2UQ=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "5aca6ff67264321d47856a2ed183729271107c9c",
"rev": "61b39c7b657081c2adc91b75dd3ad8a91d6f07a7",
"type": "github"
},
"original": {
"owner": "Mic92",
"ref": "master",
"repo": "sops-nix",
"type": "github"
}

41
flake.nix
View File

@@ -5,35 +5,35 @@
nixpkgs.url = "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz";
nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.url = "github:Mic92/sops-nix/master";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko";
disko.url = "github:nix-community/disko/v1.11.0";
disko.inputs.nixpkgs.follows = "nixpkgs";
pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git";
pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git?ref=main";
pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs";
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git?ref=main";
pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.8.0";
matrix-next.inputs.nixpkgs.follows = "nixpkgs";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git?ref=main";
nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git";
minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git";
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
greg-ng.inputs.nixpkgs.follows = "nixpkgs";
gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git";
gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git?ref=main";
gergle.inputs.nixpkgs.follows = "nixpkgs";
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git";
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git?ref=master";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
minecraft-kartverket.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git";
minecraft-kartverket.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git?ref=main";
minecraft-kartverket.inputs.nixpkgs.follows = "nixpkgs";
};
@@ -57,6 +57,16 @@
in {
inputs = lib.mapAttrs (_: src: src.outPath) inputs;
pkgs = forAllSystems (system:
import nixpkgs {
inherit system;
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
[
"nvidia-x11"
"nvidia-settings"
];
});
nixosConfigurations = let
unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
@@ -137,6 +147,13 @@
];
modules = [
inputs.pvv-nettsiden.nixosModules.default
self.nixosModules.bluemap
];
};
bob = stableNixosConfig "bob" {
modules = [
disko.nixosModules.disko
{ disko.devices.disk.disk1.device = "/dev/vda"; }
];
};
ildkule = stableNixosConfig "ildkule" { };
@@ -150,6 +167,7 @@
];
modules = [
inputs.nix-gitea-themes.nixosModules.default
self.nixosModules.robots-txt
];
};
@@ -193,6 +211,7 @@
}));
nixosModules = {
bluemap = ./modules/bluemap.nix;
snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix;
robots-txt = ./modules/robots-txt.nix;
@@ -225,6 +244,8 @@
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
bluemap = pkgs.callPackage ./packages/bluemap.nix { };
out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
} //
(lib.pipe null [

1
hosts/bakke/configuration.nix
View File

@@ -3,7 +3,6 @@
imports = [
./hardware-configuration.nix
../../base
../../misc/metrics-exporters.nix
./filesystems.nix
];

3
hosts/bekkalokk/configuration.nix
View File

@@ -4,9 +4,8 @@
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/bluemap/default.nix
./services/bluemap.nix
./services/idp-simplesamlphp
./services/kerberos.nix
./services/mediawiki

80
hosts/bekkalokk/services/bluemap/default.nix → hosts/bekkalokk/services/bluemap.nix
View File

@@ -3,10 +3,7 @@ let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
format = pkgs.formats.hocon { };
in {
imports = [
./module.nix # From danio, pending upstreaming
];
# NOTE: our versino of the module gets added in flake.nix
disabledModules = [ "services/web-apps/bluemap.nix" ];
sops.secrets."bluemap/ssh-key" = { };
@@ -14,7 +11,6 @@ in {
services.bluemap = {
enable = true;
package = pkgs.callPackage ./package.nix { };
eula = true;
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
@@ -27,7 +23,13 @@ in {
"verden" = {
settings = {
world = vanillaSurvival;
dimension = "minecraft:overworld";
name = "Verden";
sorting = 0;
start-pos = {
x = 0;
z = 0;
};
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
marker-sets = {
@@ -37,16 +39,24 @@ in {
};
"underverden" = {
settings = {
world = "${vanillaSurvival}/DIM-1";
world = vanillaSurvival;
dimension = "minecraft:the_nether";
name = "Underverden";
sorting = 100;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#290000";
void-color = "#150000";
sky-light = 1;
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
render-mask = [{
max-y = 90;
}];
marker-sets = {
_includes = [ (format.lib.mkInclude "${bluemap-export}/nether.hocon") ];
};
@@ -54,12 +64,18 @@ in {
};
"enden" = {
settings = {
world = "${vanillaSurvival}/DIM1";
world = vanillaSurvival;
dimension = "minecraft:the_end";
name = "Enden";
sorting = 200;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#080010";
void-color = "#080010";
sky-light = 1;
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
marker-sets = {
@@ -70,26 +86,42 @@ in {
};
};
services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
};
# TODO: render somewhere else lmao
systemd.services."render-bluemap-maps" = {
preStart = ''
mkdir -p /var/lib/bluemap/world
${pkgs.rsync}/bin/rsync \
-e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" \
-avz --no-owner --no-group \
root@innovation.pvv.ntnu.no:/ \
${vanillaSurvival}
'';
serviceConfig = {
StateDirectory = [ "bluemap/world" ];
ExecStartPre = let
rsyncArgs = lib.cli.toCommandLineShellGNU { } {
archive = true;
compress = true;
verbose = true;
no-owner = true;
no-group = true;
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
};
in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
];
};
};
services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
kTLS = true;
http3 = true;
quic = true;
http3_hq = true;
extraConfig = ''
# Enabling QUIC 0-RTT
ssl_early_data on;
quic_gso on;
quic_retry on;
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
'';
};
networking.firewall.allowedUDPPorts = [ 443 ];
}

30
hosts/bekkalokk/services/bluemap/package.nix
View File

@@ -1,30 +0,0 @@
{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
stdenvNoCC.mkDerivation rec {
pname = "bluemap";
version = "5.7";
src = fetchurl {
url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
hash = "sha256-8udZYJgrr4bi2mjRYrASd8JwUoUVZW1tZpOLRgafAIw=";
};
dontUnpack = true;
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
runHook preInstall
makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
runHook postInstall
'';
meta = {
description = "3D minecraft map renderer";
homepage = "https://bluemap.bluecolored.de/";
sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ dandellion h7x4 ];
mainProgram = "bluemap";
};
}

1
hosts/bicep/configuration.nix
View File

@@ -4,7 +4,6 @@
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/nginx
./services/calendar-bot.nix

1
hosts/brzeczyszczykiewicz/configuration.nix
View File

@@ -4,7 +4,6 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/grzegorz.nix
];

1
hosts/georg/configuration.nix
View File

@@ -4,7 +4,6 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
(fp /modules/grzegorz.nix)
];

1
hosts/ildkule/configuration.nix
View File

@@ -4,7 +4,6 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/monitoring
./services/nginx

2
hosts/kommode/configuration.nix
View File

@@ -4,7 +4,6 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/gitea
./services/nginx.nix
@@ -31,4 +30,3 @@
system.stateVersion = "24.11";
}

103
hosts/kommode/services/gitea/default.nix
View File

@@ -193,6 +193,109 @@ in {
};
};
environment.robots-txt."gitea" = {
virtualHost = domain;
rules = [
{
pre_comment = ''
Gitea internals
See these for more information:
- https://gitea.com/robots.txt
- https://codeberg.org/robots.txt
'';
User-agent = "*";
Disallow = [
"/api/*"
"/avatars"
"/*/*/src/commit/*"
"/*/*/commit/*"
"/*/*/*/refs/*"
"/*/*/*/star"
"/*/*/*/watch"
"/*/*/labels"
"/*/*/activity/*"
"/vendor/*"
"/swagger.*.json"
"/repo/create"
"/repo/migrate"
"/org/create"
"/*/*/fork"
"/*/*/watchers"
"/*/*/stargazers"
"/*/*/forks"
"*/.git/"
"/*.git"
"/*.atom"
"/*.rss"
];
}
{
pre_comment = "Language Spam";
Disallow = "/*?lang=";
}
{
pre_comment = ''
AI bots
Sourced from:
- https://www.vg.no/robots.txt
- https://codeberg.org/robots.txt
'';
User-agent = [
"AI2Bot"
"Ai2Bot-Dolma"
"Amazonbot"
"Applebot-Extended"
"Bytespider"
"CCBot"
"ChatGPT-User"
"Claude-Web"
"ClaudeBot"
"Crawlspace"
"Diffbot"
"FacebookBot"
"FriendlyCrawler"
"GPTBot"
"Google-Extended"
"ICC-Crawler"
"ImagesiftBot"
"Kangaroo Bot"
"Meta-ExternalAgent"
"OAI-SearchBot"
"Omgili"
"Omgilibot"
"PanguBot"
"PerplexityBot"
"PetalBot"
"Scrapy"
"SemrushBot-OCOB"
"Sidetrade indexer bot"
"Timpibot"
"VelenPublicWebCrawler"
"Webzio-Extended"
"YouBot"
"anthropic-ai"
"cohere-ai"
"cohere-training-data-crawler"
"facebookexternalhit"
"iaskspider/2.0"
"img2dataset"
"meta-externalagent"
"omgili"
"omgilibot"
];
Disallow = "/";
}
{
Crawl-delay = "2";
}
{
Sitemap = "https://${domain}/sitemap.xml";
}
];
};
networking.firewall.allowedTCPPorts = [ sshPort ];
systemd.services.gitea-dump = {

1
hosts/lupine/configuration.nix
View File

@@ -4,7 +4,6 @@
./hardware-configuration/${lupineName}.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/gitea-runner.nix
];

1
hosts/shark/configuration.nix
View File

@@ -4,7 +4,6 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
];
sops.defaultSopsFile = fp /secrets/shark/shark.yaml;

1
hosts/ustetind/configuration.nix
View File

@@ -3,7 +3,6 @@
{
imports = [
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/gitea-runners.nix
];

11
hosts/wenche/configuration.nix
View File

@@ -4,11 +4,16 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
(fp /misc/builder.nix)
];
nix.settings.trusted-users = [ "@nix-builder-users" ];
nix.daemonCPUSchedPolicy = "batch";
boot.binfmt.emulatedSystems = [
"aarch64-linux"
"armv7l-linux"
];
sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";

11
misc/builder.nix
View File

@@ -1,11 +0,0 @@
{ ... }:
{
nix.settings.trusted-users = [ "@nix-builder-users" ];
nix.daemonCPUSchedPolicy = "batch";
boot.binfmt.emulatedSystems = [
"aarch64-linux"
"armv7l-linux"
];
}

80
misc/metrics-exporters.nix
View File

@@ -1,80 +0,0 @@
{ config, pkgs, values, ... }:
{
services.prometheus.exporters.node = {
enable = true;
port = 9100;
enabledCollectors = [ "systemd" ];
};
systemd.services.prometheus-node-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
services.prometheus.exporters.systemd = {
enable = true;
port = 9101;
extraFlags = [
"--systemd.collector.enable-restart-count"
"--systemd.collector.enable-ip-accounting"
];
};
systemd.services.prometheus-systemd-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = [ 9100 9101 ];
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 28183;
grpc_listen_port = 0;
};
clients = [
{
url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "systemd-journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = config.networking.hostName;
};
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
];
}
];
};
};
}

86
misc/rust-motd.nix
View File

@@ -1,86 +0,0 @@
{ pkgs, lib, config, ... }:
{
environment = {
systemPackages = with pkgs; [
rust-motd
toilet
];
loginShellInit = let
motd = "${pkgs.rust-motd}/bin/rust-motd /etc/${config.environment.etc.rustMotdConfig.target}";
in ''
# Assure stdout is a terminal, so headless programs won't be broken
if [ "x''${SSH_TTY}" != "x" ]; then
${motd}
fi
'';
etc.rustMotdConfig = {
target = "rust-motd-config.toml";
source = let
cfg = {
global = {
progress_full_character = "=";
progress_empty_character = "=";
progress_prefix = "[";
progress_suffix = "]";
time_format = "%Y-%m-%d %H:%M:%S";
};
banner = {
color = "red";
command = "hostname | ${pkgs.toilet}/bin/toilet -f mono9";
};
service_status = {
Accounts = "accounts-daemon";
Cron = "cron";
Docker = "docker";
Matrix = "matrix-synapse";
sshd = "sshd";
};
uptime = {
prefix = "Uptime: ";
};
# Not relevant for server
# user_service_status = {
# Gpg-agent = "gpg-agent";
# };
filesystems = let
inherit (lib.attrsets) attrNames listToAttrs nameValuePair;
inherit (lib.lists) imap1;
inherit (config) fileSystems;
imap1Attrs' = f: set:
listToAttrs (imap1 (i: attr: f i attr set.${attr}) (attrNames set));
getName = i: v: if (v.label != null) then v.label else "<? ${toString i}>";
in
imap1Attrs' (i: n: v: nameValuePair (getName i v) n) fileSystems;
memory = {
swap_pos = "beside"; # or "below" or "none"
};
last_login = let
inherit (lib.lists) imap1;
inherit (lib.attrsets) filterAttrs nameValuePair attrValues listToAttrs;
inherit (config.users) users;
normalUsers = filterAttrs (n: v: v.isNormalUser || n == "root") users;
userNPVs = imap1 (index: user: nameValuePair user.name index) (attrValues normalUsers);
in listToAttrs userNPVs;
last_run = {};
};
toml = pkgs.formats.toml {};
in toml.generate "rust-motd.toml" cfg;
};
};
}

120
hosts/bekkalokk/services/bluemap/module.nix → modules/bluemap.nix
View File

@@ -25,7 +25,7 @@ let
"core.conf" = coreConfig;
"webapp.conf" = webappConfig;
"webserver.conf" = webserverConfig;
"packs" = cfg.resourcepacks;
"packs" = cfg.packs;
};
renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
@@ -36,7 +36,7 @@ let
"core.conf" = coreConfig;
"webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
"webserver.conf" = webserverConfig;
"packs" = value.resourcepacks;
"packs" = value.packs;
};
inherit (lib) mkOption;
@@ -110,7 +110,7 @@ in {
metrics = lib.mkEnableOption "Sending usage metrics containing the version of bluemap in use";
};
};
description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
};
webappSettings = mkOption {
@@ -127,7 +127,7 @@ in {
webroot = config.services.bluemap.webRoot;
}
'';
description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
};
webserverSettings = mkOption {
@@ -147,18 +147,18 @@ in {
default = { };
description = ''
Settings for the webserver.conf file, usually not required.
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
'';
};
maps = mkOption {
type = lib.types.attrsOf (lib.types.submodule {
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
resourcepacks = mkOption {
packs = mkOption {
type = lib.types.path;
default = cfg.resourcepacks;
defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
description = "A set of resourcepacks/mods/bluemap-addons to extract models from loaded in alphabetical order";
default = cfg.packs;
defaultText = lib.literalExpression "config.services.bluemap.packs";
description = "A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order.";
};
settings = mkOption {
type = (lib.types.submodule {
@@ -168,43 +168,74 @@ in {
type = lib.types.path;
description = "Path to world folder containing the dimension to render";
};
name = mkOption {
type = lib.types.str;
description = "The display name of this map (how this map will be named on the webapp)";
default = name;
defaultText = lib.literalExpression "<name>";
};
render-mask = mkOption {
type = with lib.types; listOf (attrsOf format.type);
description = "Limits for the map render";
default = [ ];
example = [
{
min-x = -4000;
max-x = 4000;
min-z = -4000;
max-z = 4000;
min-y = 50;
max-y = 100;
}
{
subtract = true;
min-y = 90;
max-y = 127;
}
];
};
};
});
description = ''
Settings for files in `maps/`.
See the default for an example with good options for the different world types.
For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
'';
};
};
});
}));
default = {
"overworld".settings = {
world = "${cfg.defaultWorld}";
world = cfg.defaultWorld;
dimension = "minecraft:overworld";
name = "Overworld";
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
"nether".settings = {
world = "${cfg.defaultWorld}/DIM-1";
world = cfg.defaultWorld;
dimension = "minecraft:the_nether";
name = "Nether";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
sky-light = 1;
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
};
"end".settings = {
world = "${cfg.defaultWorld}/DIM1";
world = cfg.defaultWorld;
dimension = "minecraft:the_end";
name = "The End";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
sky-light = 1;
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
@@ -212,31 +243,36 @@ in {
defaultText = lib.literalExpression ''
{
"overworld".settings = {
world = "''${cfg.defaultWorld}";
world = cfg.defaultWorld;
name = "Overworld";
dimension = "minecraft:overworld";
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
"nether".settings = {
world = "''${cfg.defaultWorld}/DIM-1";
world = cfg.defaultWorld;
dimension = "minecraft:the_nether";
name = "Nether";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
sky-light = 1;
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
};
"end".settings = {
world = "''${cfg.defaultWorld}/DIM1";
world = cfg.defaultWorld;
name = "The End";
dimension = "minecraft:the_end";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
sky-light = 1;
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
@@ -264,7 +300,7 @@ in {
description = ''
Where the rendered map will be stored.
Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/storages)
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/common/src/main/resources/de/bluecolored/bluemap/config/storages)
'';
default = {
"file" = {
@@ -280,12 +316,12 @@ in {
'';
};
resourcepacks = mkOption {
packs = mkOption {
type = lib.types.path;
default = pkgs.linkFarm "resourcepacks" { };
default = pkgs.linkFarm "packs" { };
description = ''
A set of resourcepacks/mods to extract models from loaded in alphabetical order.
Can be overriden on a per-map basis with `services.bluemap.maps.<name>.resourcepacks`.
A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order.
Can be overriden on a per-map basis with `services.bluemap.maps.<name>.packs`.
'';
};
};
@@ -306,21 +342,23 @@ in {
systemd.services."render-bluemap-maps" = lib.mkIf cfg.enableRender {
serviceConfig = {
Type = "oneshot";
CPUSchedulingPolicy = "batch";
Group = "nginx";
UMask = "026";
ExecStart = [
# If web folder doesnt exist generate it
''|test -f "${cfg.webRoot}" || ${lib.getExe cfg.package} -c ${webappConfigFolder} -gs''
]
++
# Render each minecraft map
lib.attrsets.mapAttrsToList
(name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r")
cfg.maps
++ [
# Generate updated webapp
"${lib.getExe cfg.package} -c ${webappConfigFolder} -gs"
];
};
script = ''
# If web folder doesnt exist generate it
test -f "${cfg.webRoot}" || ${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
# Render each minecraft map
${lib.strings.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
(name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r")
cfg.maps)}
# Generate updated webapp
${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
'';
};
systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {

4
packages/bluemap.nix
View File

@@ -2,11 +2,11 @@
stdenvNoCC.mkDerivation rec {
pname = "bluemap";
version = "5.2";
version = "5.15";
src = fetchurl {
url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
hash = "sha256-4vld+NBwzBxdwbMtsKuqvO6immkbh4HB//6wdjXaxoU=";
hash = "sha256-g50V/4LtHaHNRMTt+PK/ZTf4Tber2D6ZHJvuAXQLaFI=";
};
dontUnpack = true;

28
packages/mediawiki-extensions/default.nix
View File

@@ -33,13 +33,13 @@ in
lib.mergeAttrsList [
(mw-ext {
name = "CodeEditor";
commit = "9f19fe510beb671d6ea3076e2e7cbd1025451924";
hash = "sha256-Bl0evDM4TpsoU5gvZ02UaH5ehFatJcn8YJPbUWRcK9s=";
commit = "6e5b06e8cf2d040c0abb53ac3735f9f3c96a7a4f";
hash = "sha256-Jee+Ws9REUohywhbuemixXKaTRc54+cIlyUNDCyYcEM=";
})
(mw-ext {
name = "CodeMirror";
commit = "050d8257c942dfd95b98525c0a61290a89fe8ef4";
hash = "sha256-3DnY9wlaG9BrnSgt8GMM6fzp3nAAPno49vr2QAz50Ho=";
commit = "da9c5d4f03e6425f6f2cf68b75d21311e0f7e77e";
hash = "sha256-aL+v9xeqKHGmQVUWVczh54BkReu+fP49PT1NP7eTC6k=";
})
(mw-ext {
name = "DeleteBatch";
@@ -53,13 +53,13 @@ lib.mergeAttrsList [
})
(mw-ext {
name = "Popups";
commit = "4c22b8604b0dca04f001d9e2bc13b1ea4f934835";
hash = "sha256-mul9m5zPFSBCfBHZJihJrxP55kFMo/YJ18+JLt5X6zA=";
commit = "7ed940a09f83f869cbc0bc20f3ca92f85b534951";
hash = "sha256-pcDPcu4kSvMHfSOuShrod694TKI9Oo3AEpMP9DXp9oY=";
})
(mw-ext {
name = "Scribunto";
commit = "4a917ed13212f60c33dbc82d3d18c7f5b8461fdc";
hash = "sha256-3qQgXyPb00V9McN8fxgZlU+MeBzQm5ikH/vkXazibY8=";
commit = "e755852a8e28a030a21ded2d5dd7270eb933b683";
hash = "sha256-zyI5nSE+KuodJOWyV0CQM7G0GfkKEgfoF/czi2/qk98=";
})
(mw-ext {
name = "SimpleSAMLphp";
@@ -69,8 +69,8 @@ lib.mergeAttrsList [
})
(mw-ext {
name = "TemplateData";
commit = "1b02875f3e668fa9033849a663c5f5e450581071";
hash = "sha256-vQ/o7X7puTN1OQzX3bwKsW3IyVbK1IzvQKV9KtV2kRA=";
commit = "fd7cf4d95a70ef564130266f2a6b18f33a2a2ff9";
hash = "sha256-5OhDPFhIi55Eh5+ovMP1QTjNBb9Sm/3vyArNCApAgSw=";
})
(mw-ext {
name = "TemplateStyles";
@@ -84,12 +84,12 @@ lib.mergeAttrsList [
})
(mw-ext {
name = "VisualEditor";
commit = "3cca60141dec1150d3019bd14bd9865cf120362d";
hash = "sha256-HwbmRVaQObYoJdABeHn19WBoq8aw+Q6QU8xr9YvDcJU=";
commit = "032364cfdff33818e6ae0dfa251fe3973b0ae4f3";
hash = "sha256-AQDdq9r6rSo8h4u1ERonH14/1i1BgLGdzANEiQ065PU=";
})
(mw-ext {
name = "WikiEditor";
commit = "d5e6856eeba114fcd1653f3e7ae629989f5ced56";
hash = "sha256-U5ism/ni9uAxiD4wOVE0/8FFUc4zQCPqYmQ1AL5+E7Q=";
commit = "cb9f7e06a9c59b6d3b31c653e5886b7f53583d01";
hash = "sha256-UWi3Ac+LCOLliLkXnS8YL0rD/HguuPH5MseqOm0z7s4=";
})
]