felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-01-12 10:28:25 +01:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: felixalb:30e594f93c33d6e292c7d29395957c12af4ad959
Branches Tags
felixalb:main felixalb:sops_add_vegardbm felixalb:syntax_error felixalb:alps felixalb:fix-bluemap-markers felixalb:nix-topology felixalb:gitea-robots-txt felixalb:bindmount-postgres-mysql-dirs felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:errorpages felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:dagali-heimdal-openldap-sasl-stack felixalb:gitea-navbar-get-started felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim
..
compare: felixalb:setup-openvpn-tunnel
Branches Tags
felixalb:sops_add_vegardbm felixalb:main felixalb:syntax_error felixalb:alps felixalb:fix-bluemap-markers felixalb:nix-topology felixalb:gitea-robots-txt felixalb:bindmount-postgres-mysql-dirs felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:errorpages felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:dagali-heimdal-openldap-sasl-stack felixalb:gitea-navbar-get-started felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim

1 Commits
30e594f93c ... setup-open

Author SHA1 Message Date
h7x4
9dce4f58b1 WIP: grevling/tuba: init 2024-12-10 00:26:17 +01:00
38 changed files with 575 additions and 852 deletions
Expand all files Collapse all files

7
.sops.yaml
View File

@@ -14,7 +14,6 @@ keys:
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
- &host_kvernberg age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz
creation_rules:
# Global secrets
@@ -92,9 +91,3 @@ creation_rules:
- *user_pederbs_bjarte
pgp:
- *user_oysteikt
- path_regex: secrets/kvernberg/[^/]+$
key_groups:
- age:
- *host_kvernberg
- *user_danio

4
base/services/auto-upgrade.nix
View File

@@ -2,12 +2,12 @@
{
system.autoUpgrade = {
enable = true;
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git?ref=pvvvvv";
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
flags = [
# --update-input is deprecated since nix 2.22, and removed in lix 2.90
# https://git.lix.systems/lix-project/lix/issues/400
"--refresh"
"--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-unstable-small"
"--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.05-small"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
"--no-write-lock-file"
];

38
base/services/logrotate.nix
View File

@@ -1,8 +1,42 @@
{ ... }:
{
# source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
systemd.services.logrotate = {
documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
unitConfig.RequiresMountsFor = "/var/log";
serviceConfig.ReadWritePaths = [ "/var/log" ];
serviceConfig = {
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
ReadWritePaths = [ "/var/log" ];
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true; # disable for third party rotate scripts
PrivateDevices = true;
PrivateNetwork = true; # disable for mail delivery
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true; # disable for userdir logs
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true; # disable for creating setgid directories
SocketBindDeny = [ "any" ];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
};
};
}
}

6
base/services/nginx.nix
View File

@@ -33,10 +33,6 @@
systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
LimitNOFILE = 65536;
# We use jit my dudes
MemoryDenyWriteExecute = lib.mkForce false;
# What the fuck do we use that where the defaults are not enough???
SystemCallFilter = lib.mkForce null;
};
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
@@ -45,4 +41,4 @@
addSSL = true;
extraConfig = "return 444;";
};
}
}

104
flake.lock generated
View File

@@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1739634831,
"narHash": "sha256-xFnU+uUl48Icas2wPQ+ZzlL2O3n8f6J2LrzNK9f2nng=",
"lastModified": 1731746438,
"narHash": "sha256-f3SSp1axoOk0NAI7oFdRzbxG2XPBSIXC+/DaAXnvS1A=",
"owner": "nix-community",
"repo": "disko",
"rev": "fa5746ecea1772cf59b3f34c5816ab3531478142",
"rev": "cb64993826fa7a477490be6ccb38ba1fa1e18fa8",
"type": "github"
},
"original": {
@@ -20,26 +20,6 @@
"type": "github"
}
},
"gergle": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1736621371,
"narHash": "sha256-45UIQSQA7R5iU4YWvilo7mQbhY1Liql9bHBvYa3qRI0=",
"ref": "refs/heads/main",
"rev": "3729796c1213fe76e568ac28f1df8de4e596950b",
"revCount": 20,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
}
},
"greg-ng": {
"inputs": {
"nixpkgs": [
@@ -48,17 +28,17 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1736545379,
"narHash": "sha256-PeTTmGumdOX3rd6OKI7QMCrZovCDkrckZbcHr+znxWA=",
"lastModified": 1730249639,
"narHash": "sha256-G3URSlqCcb+GIvGyki+HHrDM5ZanX/dP9BtppD/SdfI=",
"ref": "refs/heads/main",
"rev": "74f5316121776db2769385927ec0d0c2cc2b23e4",
"revCount": 42,
"rev": "80e0447bcb79adad4f459ada5610f3eae987b4e3",
"revCount": 34,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
"url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
"url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
}
},
"grzegorz-clients": {
@@ -68,17 +48,17 @@
]
},
"locked": {
"lastModified": 1736178795,
"narHash": "sha256-mPdi8cgvIDYcgG3FRG7A4BOIMu2Jef96TPMnV00uXlM=",
"lastModified": 1726861934,
"narHash": "sha256-lOzPDwktd+pwszUTbpUdQg6iCzInS11fHLfkjmnvJrM=",
"ref": "refs/heads/master",
"rev": "fde738910de1fd8293535a6382c2f0c2749dd7c1",
"revCount": 79,
"rev": "546d921ec46735dbf876e36f4af8df1064d09432",
"revCount": 78,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
"url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
"url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
}
},
"matrix-next": {
@@ -124,11 +104,11 @@
]
},
"locked": {
"lastModified": 1736531400,
"narHash": "sha256-+X/HVI1AwoPcud28wI35XRrc1kDgkYdDUGABJBAkxDI=",
"lastModified": 1714416973,
"narHash": "sha256-aZUcvXjdETUC6wVQpWDVjLUzwpDAEca8yR0ITDeK39o=",
"ref": "refs/heads/main",
"rev": "e4dafd06b3d7e9e6e07617766e9c3743134571b7",
"revCount": 7,
"rev": "2b23c0ba8aae68d3cb6789f0f6e4891cef26cc6d",
"revCount": 6,
"type": "git",
"url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
},
@@ -139,27 +119,43 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1739611738,
"narHash": "sha256-3bnOIZz8KXtzcaXGuH9Eriv0HiQyr1EIfcye+VHLQZE=",
"lastModified": 1731663789,
"narHash": "sha256-x07g4NcqGP6mQn6AISXJaks9sQYDjZmTMBlKIvajvyc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "31ff66eb77d02e9ac34b7256a02edb1c43fb9998",
"rev": "035d434d48f4375ac5d3a620954cf5fda7dd7c36",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"ref": "nixos-24.05-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730602179,
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1739611738,
"narHash": "sha256-3bnOIZz8KXtzcaXGuH9Eriv0HiQyr1EIfcye+VHLQZE=",
"lastModified": 1731745710,
"narHash": "sha256-SVeiClbgqL071JpAspOu0gCkPSAL51kSIRwo4C/pghA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "31ff66eb77d02e9ac34b7256a02edb1c43fb9998",
"rev": "dfaa4cb76c2d450d8f396bb6b9f43cede3ade129",
"type": "github"
},
"original": {
@@ -196,11 +192,11 @@
]
},
"locked": {
"lastModified": 1737151758,
"lastModified": 1725212759,
"narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
"ref": "refs/heads/master",
"rev": "a4ebe6ded0c8c124561a41cb329ff30891914b5e",
"revCount": 475,
"rev": "e7b66b4bc6a89bab74bac45b87e9434f5165355f",
"revCount": 473,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
},
@@ -212,7 +208,6 @@
"root": {
"inputs": {
"disko": "disko",
"gergle": "gergle",
"greg-ng": "greg-ng",
"grzegorz-clients": "grzegorz-clients",
"matrix-next": "matrix-next",
@@ -250,14 +245,15 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
]
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1739262228,
"narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
"lastModified": 1731748189,
"narHash": "sha256-Zd/Uukvpcu26M6YGhpbsgqm6LUSLz+Q8mDZ5LOEGdiE=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
"rev": "d2bd7f433b28db6bc7ae03d5eca43564da0af054",
"type": "github"
},
"original": {

26
flake.nix
View File

@@ -2,7 +2,7 @@
description = "PVV System flake";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; # remember to also update the url in base/services/auto-upgrade.nix
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; # remember to also update the url in base/services/auto-upgrade.nix
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
sops-nix.url = "github:Mic92/sops-nix";
@@ -23,11 +23,9 @@
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git";
greg-ng.url = "git+https://git.pvv.ntnu.no/Projects/greg-ng.git";
greg-ng.inputs.nixpkgs.follows = "nixpkgs";
gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git";
gergle.inputs.nixpkgs.follows = "nixpkgs";
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git";
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Projects/grzegorz-clients.git";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
minecraft-data.url = "git+https://git.pvv.ntnu.no/Drift/minecraft-data.git";
@@ -126,29 +124,33 @@
brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
modules = [
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.gergle.nixosModules.default
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
inputs.gergle.overlays.default
];
};
georg = stableNixosConfig "georg" {
modules = [
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.gergle.nixosModules.default
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
inputs.gergle.overlays.default
];
};
kvernberg = stableNixosConfig "kvernberg" {
grevling = stableNixosConfig "grevling" {
modules = [
disko.nixosModules.disko
{ disko.devices.disk.disk1.device = "/dev/sda"; }
./hosts/grevling/configuration.nix
sops-nix.nixosModules.sops
];
};
tuba = stableNixosConfig "grevling" {
modules = [
./hosts/tuba/configuration.nix
sops-nix.nixosModules.sops
];
};
};

2
hosts/bekkalokk/services/bluemap/default.nix
View File

@@ -6,7 +6,7 @@ in {
./module.nix # From danio, pending upstreaming
];
disabledModules = [ "services/web-apps/bluemap.nix" ];
disabledModules = [ "services/web-servers/bluemap.nix" ];
sops.secrets."bluemap/ssh-key" = { };
sops.secrets."bluemap/ssh-known-hosts" = { };

5
hosts/bekkalokk/services/gitea/default.nix
View File

@@ -180,16 +180,11 @@ in {
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
labels = lib.importJSON ./labels/projects.json;
};
in ''
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
'';
};
}

1
hosts/bekkalokk/services/gitea/import-users/gitea-import-users.py
View File

@@ -177,7 +177,6 @@ def ensure_gitea_user_is_part_of_team(
# List of teams that all users should be part of by default
COMMON_USER_TEAMS = [
("Projects", "Members"),
("Grzegorz", "Members"),
("Kurs", "Members"),
]

116
hosts/bekkalokk/services/gitea/labels/projects.json
View File

@@ -1,116 +0,0 @@
[
{
"name": "art",
"exclusive": false,
"color": "#006b75",
"description": "Requires some creativity"
},
{
"name": "big",
"exclusive": false,
"color": "#754bc4",
"description": "This is gonna take a while"
},
{
"name": "blocked",
"exclusive": false,
"color": "#850021",
"description": "This issue/PR depends on one or more other issues/PRs"
},
{
"name": "bug",
"exclusive": false,
"color": "#f05048",
"description": "Something brokey"
},
{
"name": "ci-cd",
"exclusive": false,
"color": "#d1ff78",
"description": "Continuous integrals and continuous derivation"
},
{
"name": "crash report",
"exclusive": false,
"color": "#ed1111",
"description": "Report an oopsie"
},
{
"name": "disputed",
"exclusive": false,
"color": "#5319e7",
"description": "Kranglefanter"
},
{
"name": "documentation",
"exclusive": false,
"color": "#fbca04",
"description": "Documentation changes required"
},
{
"name": "duplicate",
"exclusive": false,
"color": "#cccccc",
"description": "This issue or pull request already exists"
},
{
"name": "feature request",
"exclusive": false,
"color": "#0052cc",
"description": ""
},
{
"name": "good first issue",
"exclusive": false,
"color": "#009800",
"description": "Get your hands dirty with a new project here"
},
{
"name": "me gusta",
"exclusive": false,
"color": "#30ff36",
"description": "( ͡° ͜ʖ ͡°)"
},
{
"name": "packaging",
"exclusive": false,
"color": "#bf642b",
"description": ""
},
{
"name": "question",
"exclusive": false,
"color": "#cc317c",
"description": ""
},
{
"name": "security",
"exclusive": false,
"color": "#ed1111",
"description": "Skommel"
},
{
"name": "techdebt spring cleaning",
"exclusive": false,
"color": "#8c6217",
"description": "The code is smelly 👃"
},
{
"name": "testing",
"exclusive": false,
"color": "#52b373",
"description": "Poke it and see if it explodes"
},
{
"name": "ui/ux",
"exclusive": false,
"color": "#f28852",
"description": "User complaints about ergonomics and economics and whatever"
},
{
"name": "wontfix",
"exclusive": false,
"color": "#ffffff",
"description": "Nei, vil ikke"
}
]

3
hosts/bekkalokk/services/gitea/web-secret-provider/default.nix
View File

@@ -3,7 +3,6 @@ let
organizations = [
"Drift"
"Projects"
"Grzegorz"
"Kurs"
];
@@ -28,7 +27,6 @@ in
users.users."gitea-web" = {
group = "gitea-web";
isSystemUser = true;
shell = pkgs.bash;
};
sops.secrets."gitea/web-secret-provider/token" = {
@@ -60,7 +58,6 @@ in
key-dir = "/var/lib/gitea-web/keys/%i";
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
mkdir -p "$1"
${lib.getExe pkgs.rrsync} -wo "$1"
${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
'';

16
hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py
View File

@@ -34,21 +34,7 @@ def get_org_repo_list(args: argparse.Namespace, token: str):
f"{args.api_url}/orgs/{args.org}/repos",
headers = { 'Authorization': 'token ' + token },
)
results = [repo["name"] for repo in result.json()]
target = int(result.headers['X-Total-Count'])
i = 2
while len(results) < target:
result = requests.get(
f"{args.api_url}/orgs/{args.org}/repos",
params = { 'page': i },
headers = { 'Authorization': 'token ' + token },
)
results += [repo["name"] for repo in result.json()]
i += 1
return results
return [repo["name"] for repo in result.json()]
def generate_ssh_key(args: argparse.Namespace, repository: str):

2
hosts/bekkalokk/services/vaultwarden.nix
View File

@@ -83,6 +83,7 @@ in {
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
@@ -97,6 +98,7 @@ in {
"@system-service"
"~@privileged"
];
UMask = "0007";
};
};
}

2
hosts/bekkalokk/services/webmail/roundcube.nix
View File

@@ -21,7 +21,7 @@ in
custom_from
]);
dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ];
maxAttachmentSize = 20;
hostName = "roundcubeplaceholder.example.com";

5
hosts/bicep/services/matrix/coturn.nix
View File

@@ -48,9 +48,6 @@
users.users.turnserver.extraGroups = [ "acme" ];
# It needs this to be allowed to access the files with the acme group
systemd.services.coturn.serviceConfig.PrivateUsers = lib.mkForce false;
systemd.services."acme-${config.services.coturn.realm}".serviceConfig = {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
};
@@ -69,7 +66,7 @@
listening-ips = [
values.services.turn.ipv4
values.services.turn.ipv6
# values.services.turn.ipv6
];
tls-listening-port = 443;

4
hosts/bicep/services/matrix/hookshot/default.nix
View File

@@ -6,6 +6,10 @@ let
webhookListenPort = 8435;
in
{
imports = [
./module.nix
];
sops.secrets."matrix/hookshot/as_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/as_token";

127
hosts/bicep/services/matrix/hookshot/module.nix Normal file
View File

@@ -0,0 +1,127 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.matrix-hookshot;
settingsFormat = pkgs.formats.yaml { };
configFile = settingsFormat.generate "matrix-hookshot-config.yml" cfg.settings;
in
{
options = {
services.matrix-hookshot = {
enable = lib.mkEnableOption "matrix-hookshot, a bridge between Matrix and project management services";
package = lib.mkPackageOption pkgs "matrix-hookshot" { };
registrationFile = lib.mkOption {
type = lib.types.path;
description = ''
Appservice registration file.
As it contains secret tokens, you may not want to add this to the publicly readable Nix store.
'';
example = lib.literalExpression ''
pkgs.writeText "matrix-hookshot-registration" \'\'
id: matrix-hookshot
as_token: aaaaaaaaaa
hs_token: aaaaaaaaaa
namespaces:
rooms: []
users:
- regex: "@_webhooks_.*:foobar"
exclusive: true
sender_localpart: hookshot
url: "http://localhost:9993"
rate_limited: false
\'\'
'';
};
settings = lib.mkOption {
description = ''
{file}`config.yml` configuration as a Nix attribute set.
For details please see the [documentation](https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html).
'';
example = {
bridge = {
domain = "example.com";
url = "http://localhost:8008";
mediaUrl = "https://example.com";
port = 9993;
bindAddress = "127.0.0.1";
};
listeners = [
{
port = 9000;
bindAddress = "0.0.0.0";
resources = [ "webhooks" ];
}
{
port = 9001;
bindAddress = "localhost";
resources = [
"metrics"
"provisioning"
];
}
];
};
default = { };
type = lib.types.submodule {
freeformType = settingsFormat.type;
options = {
passFile = lib.mkOption {
type = lib.types.path;
default = "/var/lib/matrix-hookshot/passkey.pem";
description = ''
A passkey used to encrypt tokens stored inside the bridge.
File will be generated if not found.
'';
};
};
};
};
serviceDependencies = lib.mkOption {
type = with lib.types; listOf str;
default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;
defaultText = lib.literalExpression ''
lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit
'';
description = ''
List of Systemd services to require and wait for when starting the application service,
such as the Matrix homeserver if it's running on the same host.
'';
};
};
};
config = lib.mkIf cfg.enable {
systemd.services.matrix-hookshot = {
description = "a bridge between Matrix and multiple project management services";
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
after = [ "network-online.target" ] ++ cfg.serviceDependencies;
preStart = ''
if [ ! -f '${cfg.settings.passFile}' ]; then
mkdir -p $(dirname '${cfg.settings.passFile}')
${pkgs.openssl}/bin/openssl genpkey -out '${cfg.settings.passFile}' -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096
fi
'';
serviceConfig = {
Type = "simple";
Restart = "always";
ExecStart = "${cfg.package}/bin/matrix-hookshot ${configFile} ${cfg.registrationFile}";
};
};
};
meta.maintainers = with lib.maintainers; [ flandweber ];
}

36
hosts/grevling/configuration.nix Normal file
View File

@@ -0,0 +1,36 @@
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./services/openvpn
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "grevling";
# systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
# matchConfig.Name = "eno1";
# address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
# };
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

24
hosts/kvernberg/hardware-configuration.nix → hosts/grevling/hardware-configuration.nix
View File

@@ -5,22 +5,36 @@
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
swapDevices = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/145E-7362";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

77
hosts/grevling/services/openvpn/default.nix Normal file
View File

@@ -0,0 +1,77 @@
{ pkgs, lib, values, ... }:
{
services.openvpn.servers."ov-tunnel" = {
config = let
conf = {
# TODO: use aliases
local = "129.241.210.191";
port = 1194;
proto = "udp";
dev = "tap";
# TODO: set up
ca = "";
cert = "";
key = "";
dh = "";
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist = ./ipp.txt;
server-bridge = builtins.concatStringsSep " " [
"129.241.210.129"
"255.255.255.128"
"129.241.210.253"
"129.241.210.254"
];
keepalive = "10 120";
cipher = "none";
user = "nobody";
group = "nobody";
status = "/var/log/openvpn-status.log";
client-config-dir = pkgs.writeTextDir "tuba" ''
# Sett IP-adr. for tap0 til tubas PVV-adr.
ifconfig-push ${values.services.tuba-tap} 255.255.255.128
# Hvordan skal man faa dette til aa funke, tro?
#ifconfig-ipv6-push 2001:700:300:1900::xxx/64
# La tuba bruke std. PVV-gateway til all trafikk (unntatt
# VPN-tunnellen).
push "redirect-gateway"
'';
persist-key = true;
persist-tun = true;
verb = 5;
explicit-exit-notify = 1;
};
in lib.pipe conf [
(lib.filterAttrs (_: value: !(builtins.isNull value || value == false)))
(builtins.mapAttrs (_: value:
if builtins.isList value then builtins.concatStringsSep " " (map toString value)
else if value == true then value
else if builtins.any (f: f value) [
builtins.isString
builtins.isInt
builtins.isFloat
lib.isPath
lib.isDerivation
] then toString value
else throw "Unknown value in grevling openvpn config, deading now\n${value}"
))
(lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}"))
(builtins.concatStringsSep "\n")
(x: x + "\n\n")
];
};
}

0
hosts/grevling/services/openvpn/ipp.txt Normal file
View File

45
hosts/kvernberg/configuration.nix
View File

@@ -1,45 +0,0 @@
{ config, fp, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./disks.nix
./services/nginx.nix
./services/pvvvvvv
];
sops.defaultSopsFile = fp /secrets/kvernberg/kvernberg.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "kvernberg"; # Define your hostname.
systemd.network.networks."30-all" = values.defaultNetworkConfig // {
matchConfig.Name = "en*";
address = with values.hosts.kvernberg; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# No devices with SMART
services.smartd.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
}

39
hosts/kvernberg/disks.nix
View File

@@ -1,39 +0,0 @@
# Example to create a bios compatible gpt partition
{ lib, ... }:
{
disko.devices = {
disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
}

5
hosts/kvernberg/services/nginx.nix
View File

@@ -1,5 +0,0 @@
{ config, lib, ... }:
{
services.nginx.enable = true;
}

51
hosts/kvernberg/services/pvvvvvv/bank.nix
View File

@@ -1,51 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.libeufin.bank;
tcfg = config.services.taler;
inherit (tcfg.settings.taler) CURRENCY;
in {
services.libeufin.bank = {
enable = true;
debug = true;
createLocalDatabase = true;
initialAccounts = [
{ username = "exchange";
password = "exchange";
name = "Exchange";
}
];
settings = {
libeufin-bank = {
WIRE_TYPE = "x-taler-bank";
X_TALER_BANK_PAYTO_HOSTNAME = "bank.kvernberg.pvv.ntnu.no";
BASE_URL = "bank.kvernberg.pvv.ntnu.no/";
ALLOW_REGISTRATION = "yes";
REGISTRATION_BONUS_ENABLED = "yes";
REGISTRATION_BONUS = "${CURRENCY}:500";
DEFAULT_DEBT_LIMIT = "${CURRENCY}:0";
ALLOW_CONVERSION = "no";
ALLOW_EDIT_CASHOUT_PAYTO_URI = "yes";
SUGGESTED_WITHDRAWAL_EXCHANGE = "https://exchange.kvernberg.pvv.ntnu.no/";
inherit CURRENCY;
};
};
};
services.nginx.virtualHosts."bank.kvernberg.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
kTLS = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8082";
extraConfig = ''
proxy_read_timeout 300s;
'';
};
};
}

17
hosts/kvernberg/services/pvvvvvv/default.nix
View File

@@ -1,17 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.taler;
in
{
imports = [
./exchange.nix
./bank.nix
];
services.taler = {
settings = {
taler.CURRENCY = "SCHPENN";
taler.CURRENCY_ROUND_UNIT = "${cfg.settings.taler.CURRENCY}:1";
};
};
}

187
hosts/kvernberg/services/pvvvvvv/exchange.nix
View File

@@ -1,187 +0,0 @@
{ config, lib, fp, pkgs, ... }:
let
cfg = config.services.taler;
inherit (cfg.settings.taler) CURRENCY;
in {
sops.secrets.exchange-offline-master = {
format = "binary";
sopsFile = fp /secrets/kvernberg/exhange-offline-master.priv;
};
services.taler.exchange = {
enable = true;
debug = true;
denominationConfig = ''
## Old denomination names cannot be used again
# [COIN-${CURRENCY}-k1-1-0]
## NOK Denominations
[coin-${CURRENCY}-nok-1-0]
VALUE = ${CURRENCY}:1
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
[coin-${CURRENCY}-nok-5-0]
VALUE = ${CURRENCY}:5
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
[coin-${CURRENCY}-nok-10-0]
VALUE = ${CURRENCY}:10
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
[coin-${CURRENCY}-nok-20-0]
VALUE = ${CURRENCY}:20
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
[coin-${CURRENCY}-nok-50-0]
VALUE = ${CURRENCY}:50
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
[coin-${CURRENCY}-nok-100-0]
VALUE = ${CURRENCY}:100
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
[coin-${CURRENCY}-nok-200-0]
VALUE = ${CURRENCY}:200
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
[coin-${CURRENCY}-nok-500-0]
VALUE = ${CURRENCY}:500
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
[coin-${CURRENCY}-nok-1000-0]
VALUE = ${CURRENCY}:1000
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
## PVV Special Prices
# 2024 pizza egenandel
[coin-${CURRENCY}-pvv-64-0]
VALUE = ${CURRENCY}:64
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
'';
settings = {
exchange = {
inherit (config.services.taler.settings.taler) CURRENCY CURRENCY_ROUND_UNIT;
MASTER_PUBLIC_KEY = "J331T37C8E58P9CVE686P1JFH11DWSRJ3RE4GVDTXKES9M24ERZG";
BASE_URL = "https://exchange.kvernberg.pvv.ntnu.no/";
TERMS_DIR = "${./terms}";
TERMS_ETAG = "0";
ENABLE_KYC = "NO";
};
exchange-offline = {
MASTER_PRIV_FILE = config.sops.secrets.exchange-offline-master.path;
};
exchange-account-test = {
PAYTO_URI = "payto://x-taler-bank/bank.kvernberg.pvv.ntnu.no/exchange?receiver-name=Exchange";
ENABLE_DEBIT = "YES";
ENABLE_CREDIT = "YES";
};
exchange-accountcredentials-test = {
WIRE_GATEWAY_URL = "https://bank.kvernberg.pvv.ntnu.no/accounts/exchange/taler-wire-gateway/";
WIRE_GATEWAY_AUTH_METHOD = "BASIC";
USERNAME = "exchange";
PASSWORD = "exchange";
};
"currency-${CURRENCY}" = {
ENABLED = "YES";
CODE = "SCHPENN";
NAME = "SCHPENN";
FRACTIONAL_NORMAL_DIGITS = 0;
FRACTIONAL_INPUT_DIGITS = 0;
FRACTIONAL_TRAILING_ZERO_DIGITS = 0;
ALT_UNIT_NAMES = "{\"0\": \"S\"}";
};
};
};
services.nginx.virtualHosts."exchange.kvernberg.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
kTLS = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8081";
extraConfig = ''
proxy_read_timeout 300s;
'';
};
};
}

147
hosts/kvernberg/services/pvvvvvv/terms/en/0.txt
View File

@@ -1,147 +0,0 @@
Terms of Service
================
Last update: 19.11.2024
----------------------
Welcome! A subset of PVVers who cares about Dibbler (“we,” “our,” or “us”) provides a experimental payment service
through our Internet presence (collectively the “Services”). Before using our
Services, please read the Terms of Service (the “Terms” or the “Agreement”)
carefully.
Overview
--------
This section provides a brief summary of the highlights of this
Agreement. Please note that when you accept this Agreement, you are accepting
all of the terms and conditions and not just this section. We and possibly
other third parties provide Internet services which interact with the Taler
Wallets self-hosted personal payment application. When using the Taler Wallet
to interact with our Services, you are agreeing to our Terms, so please read
carefully.
Research
----------
This is research, any dibbler credits sent to the dibbler account could be lost at any time.
We would make an effort to send the credits back to their canonical owners, but this may be difficult.
We make no guarantees on the state of this. The dibbler economy is totally unsecured, and so are these services!
Usage is wholly on your own risk.
Highlights:
-----------
* You are responsible for keeping the data in your Taler Wallet at all times under your control. Any losses arising from you not being in control of your private information are your problem.
* For our Services, we may charge transaction fees. The specific fee structure is provided based on the Taler protocol and should be shown to you when you withdraw electronic coins using a Taler Wallet. You agree and understand that the Taler protocol allows for the fee structure to change.
* You agree to not intentionally overwhelm our systems with requests and follow responsible disclosure if you find security issues in our services.
* We cannot be held accountable for our Services not being available due to circumstances beyond our control. If we modify or terminate our services, we will try to give you the opportunity to recover your funds. However, given the experimental state of the Services today, this may not be possible. You are strongly advised to limit your use of the Service to small-scale experiments expecting total loss of all funds.
These terms outline approved uses of our Services. The Services and these
Terms are still at an experimental stage. If you have any questions or
comments related to this Agreement, please send us a message on IRC, or on our Matrix server.
If you do not agree to this Agreement, you must not use our Services.
How you accept this policy
--------------------------
By sending funds to us (to top-up your Taler Wallet), you acknowledge that you
have read, understood, and agreed to these Terms. We reserve the right to
change these Terms at any time. If you disagree with the change, we may in the
future offer you with an easy option to recover your unspent funds. However,
in the current experimental period you acknowledge that this feature is not
yet available, resulting in your funds being lost unless you accept the new
Terms. If you continue to use our Services other than to recover your unspent
funds, your continued use of our Services following any such change will
signify your acceptance to be bound by the then current Terms. Please check
the effective date above to determine if there have been any changes since you
have last reviewed these Terms.
Services
--------
We will try to transfer funds that we hold in escrow for our users to any
legal recipient to the best of our ability and within the limitations of the
law and our implementation. However, the Services offered today are highly
experimental and the set of recipients of funds is severely restricted. The
Taler Wallet can be loaded by exchanging ordinary dibbler credit for electronic
coins. We are providing this exchange service. Once your Taler Wallet is
loaded with electronic coins they can be spent for purchases if the seller is
accepting Taler as a means of payment. We are not guaranteeing that any seller
is accepting Taler at all or a particular seller. The seller or recipient of
deposits of electronic coins must specify the target account, as per the
design of the Taler protocol. They are responsible for following the protocol
and specifying the correct dibbler account, and are solely liable for any losses
that may arise from specifying the wrong account. We will allow the government
to link wire transfers to the underlying contract hash. It is the
responsibility of recipients to preserve the full contracts and to pay
whatever taxes and charges may be applicable. Technical issues may lead to
situations where we are unable to make transfers at all or lead to incorrect
transfers that cannot be reversed. We will only refuse to execute transfers if
the transfers are prohibited by a competent legal authority and we are ordered
to do so.
When using our Services, you agree to not take any action that intentionally
imposes an unreasonable load on our infrastructure. If you find security
problems in our Services, you agree to first report them to
security@taler-systems.com and grant us the right to publish your report. We
warrant that we will ourselves publicly disclose any issues reported within 3
months, and that we will not prosecute anyone reporting security issues if
they did not exploit the issue beyond a proof-of-concept, and followed the
above responsible disclosure practice.
Fees
----
You agree to pay the fees for exchanges and withdrawals completed via the
Taler Wallet ("Fees") as defined by us, which we may change from time to
time.
Copyrights and trademarks
-------------------------
The Taler Wallet is released under the terms of the GNU General Public License
(GNU GPL). You have the right to access, use, and share the Taler Wallet, in
modified or unmodified form. However, the GPL is a strong copyleft license,
which means that any derivative works must be distributed under the same
license terms as the original software. If you have any questions, you should
review the GNU GPLs full terms and conditions on the GNU GPL Licenses page
(https://www.gnu.org/licenses/). “Taler” itself is a trademark
of Taler Systems SA. You are welcome to use the name in relation to processing
payments based on the Taler protocol, assuming your use is compatible with an
official release from the GNU Project that is not older than two years.
Discontinuance of services and Force majeure
--------------------------------------------
We may, in our sole discretion and without cost to you, with or without prior
notice, and at any time, modify or discontinue, temporarily or permanently,
any portion of our Services. We will use the Taler protocols provisions to
notify Wallets if our Services are to be discontinued. It is your
responsibility to ensure that the Taler Wallet is online at least once every
three months to observe these notifications. We shall not be held responsible
or liable for any loss of funds in the event that we discontinue or depreciate
the Services and your Taler Wallet fails to transfer out the coins within a
three months notification period.
We shall not be held liable for any delays, failure in performance, or
interruptions of service which result directly or indirectly from any cause or
condition beyond our reasonable control, including but not limited to: any
delay or failure due to any act of God, act of civil or military authorities,
act of terrorism, civil disturbance, war, strike or other labor dispute, fire,
interruption in telecommunications or Internet services or network provider
services, failure of equipment and/or software, other catastrophe, or any
other occurrence which is beyond our reasonable control and shall not affect
the validity and enforceability of any remaining provisions.
Questions or comments
---------------------
We welcome comments, questions, concerns, or suggestions. Please send us a
message via the usual communication channels at PVV

36
hosts/tuba/configuration.nix Normal file
View File

@@ -0,0 +1,36 @@
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./services/openvpn
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "tuba";
# systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
# matchConfig.Name = "eno1";
# address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
# };
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

40
hosts/tuba/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/145E-7362";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s2.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

54
hosts/tuba/services/openvpn/default.nix Normal file
View File

@@ -0,0 +1,54 @@
{ lib, values, ... }:
{
services.openvpn.servers."ov-tunnel" = {
config = let
conf = {
# TODO: use aliases
client = true;
dev = "tap";
proto = "udp";
remote = "129.241.210.191 1194";
resolv-retry = "infinite";
nobind = true;
# # TODO: set up
ca = "";
cert = "";
key = "";
remote-cert-tls = "server";
cipher = "none";
user = "nobody";
group = "nobody";
status = "/var/log/openvpn-status.log";
persist-key = true;
persist-tun = true;
verb = 5;
# script-security = 2;
# up = "systemctl restart rwhod";
};
in lib.pipe conf [
(lib.filterAttrs (_: value: !(builtins.isNull value || value == false)))
(builtins.mapAttrs (_: value:
if builtins.isList value then builtins.concatStringsSep " " (map toString value)
else if value == true then value
else if builtins.any (f: f value) [
builtins.isString
builtins.isInt
builtins.isFloat
lib.isPath
lib.isDerivation
] then toString value
else throw "Unknown value in tuba openvpn config, deading now\n${value}"
))
(lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}"))
(builtins.concatStringsSep "\n")
(x: x + "\n\n")
];
};
}

4
hosts/ustetind/services/gitea-runners.nix
View File

@@ -15,8 +15,8 @@ let
enable = true;
name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
labels = [
"debian-latest:docker://node:current-bookworm"
"ubuntu-latest:docker://node:current-bookworm"
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:18-bullseye"
];
tokenFile = config.sops.secrets."gitea/runners/${name}".path;
};

94
modules/grzegorz.nix
View File

@@ -2,8 +2,6 @@
let
grg = config.services.greg-ng;
grgw = config.services.grzegorz-webui;
machine = config.networking.hostName;
in {
services.greg-ng = {
enable = true;
@@ -18,77 +16,37 @@ in {
listenAddr = "localhost";
listenPort = 42069;
listenWebsocketPort = 42042;
hostName = "${machine}-old.pvv.ntnu.no";
apiBase = "https://${machine}-backend.pvv.ntnu.no/api";
};
services.gergle = {
enable = true;
virtualHost = config.networking.fqdn;
hostName = "${config.networking.fqdn}";
apiBase = "http://${grg.settings.host}:${toString grg.settings.port}/api";
};
services.nginx.enable = true;
services.nginx.virtualHosts = {
${config.networking.fqdn} = {
forceSSL = true;
enableACME = true;
kTLS = true;
serverAliases = [
"${machine}.pvv.org"
];
extraConfig = ''
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
services.nginx.virtualHosts."${config.networking.fqdn}" = {
forceSSL = true;
enableACME = true;
kTLS = true;
serverAliases = [
"${config.networking.hostName}.pvv.org"
];
extraConfig = ''
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
locations."/" = {
proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenPort}";
};
"${machine}-backend.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
kTLS = true;
serverAliases = [
"${machine}-backend.pvv.org"
];
extraConfig = ''
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
locations."/" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
proxyWebsockets = true;
};
# https://github.com/rawpython/remi/issues/216
locations."/websocket" = {
proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenWebsocketPort}";
proxyWebsockets = true;
};
"${machine}-old.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
kTLS = true;
serverAliases = [
"${machine}-old.pvv.org"
];
extraConfig = ''
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
locations."/" = {
proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenPort}";
};
# https://github.com/rawpython/remi/issues/216
locations."/websocket" = {
proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenWebsocketPort}";
proxyWebsockets = true;
};
locations."/api" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
};
locations."/docs" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
};
locations."/api" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
};
locations."/docs" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
};
};
}

50
packages/mediawiki-extensions/default.nix
View File

@@ -12,7 +12,7 @@ let
name
, commit
, hash
, tracking-branch ? "REL1_42"
, tracking-branch ? "REL1_41"
, kebab-name ? kebab-case-name name
, fetchgit ? pkgs.fetchgit
}:
@@ -33,63 +33,63 @@ in
lib.mergeAttrsList [
(mw-ext {
name = "CodeEditor";
commit = "9f69f2cf7616342d236726608a702d651b611938";
hash = "sha256-sRaYj34+7aghJUw18RoowzEiMx0aOANU1a7YT8jivBw=";
commit = "7d8447035e381d76387e38b92e4d1e2b8d373a01";
hash = "sha256-v2AlbP0vZma3qZyEAWGjZ/rLcvOpIMroyc1EixKjlAU=";
})
(mw-ext {
name = "CodeMirror";
commit = "1a1048c770795789676adcf8a33c1b69f6f5d3ae";
hash = "sha256-Y5ePrtLNiko2uU/sesm8jdYmxZkYzQDHfkIG1Q0v47I=";
commit = "a7b4541089f9b88a0b722d9d790e4cf0f13aa328";
hash = "sha256-clyzN3v3+J4GjdyhrCsytBrH7VR1tq5yd0rB+32eWCg=";
})
(mw-ext {
name = "DeleteBatch";
commit = "b76bb482e026453079104d00f9675b4ab851947e";
hash = "sha256-GebF9B3RVwpPw8CYKDDT6zHv/MrrzV6h2TEIvNlRmcw=";
commit = "cad869fbd95637902673f744581b29e0f3e3f61a";
hash = "sha256-M1ek1WdO1/uTjeYlrk3Tz+nlb/fFZH+O0Ok7b10iKak=";
})
(mw-ext {
name = "PluggableAuth";
commit = "1da98f447fd8321316d4286d8106953a6665f1cc";
hash = "sha256-DKDVcAfWL90FmZbSsdx1J5PkGu47EsDQmjlCpcgLCn4=";
commit = "4111a57c34e25bde579cce5d14ea094021e450c8";
hash = "sha256-aPtN8A9gDxLlq2+EloRZBO0DfHtE0E5kbV/adk82jvM=";
})
(mw-ext {
name = "Popups";
commit = "9b9e986316b9662b1b45ce307a58dd0320dd33cf";
hash = "sha256-rSOZHT3yFIxA3tPhIvztwMSmSef/XHKmNfQl1JtGrUA=";
commit = "f1bcadbd8b868f32ed189feff232c47966c2c49e";
hash = "sha256-PQAjq/X4ZYwnnZ6ADCp3uGWMIucJy0ZXxsTTbAyxlSE=";
})
(mw-ext {
name = "Scribunto";
commit = "eb6a987e90db47b09b0454fd06cddb69fdde9c40";
hash = "sha256-Nr0ZLIrS5jnpiBgGnd90lzi6KshcsxeC+xGmNsB/g88=";
commit = "7b99c95f588b06635ee3c487080d6cb04617d4b5";
hash = "sha256-pviueRHQAsSlv4AtnUpo2Cjci7CbJ5aM75taEXY+WrI=";
})
(mw-ext {
name = "SimpleSAMLphp";
kebab-name = "simple-saml-php";
commit = "fd4d49cf48d16efdb91ae8128cdd507efe84d311";
hash = "sha256-Qdtroew2j3AsZYlhAAUKQXXS2kUzUeQFnuR6ZHdFhAQ=";
commit = "ecb47191fecd1e0dc4c9d8b90a9118e393d82c23";
hash = "sha256-gKu+O49XrAVt6hXdt36Ru7snjsKX6g2CYJ0kk/d+CI8=";
})
(mw-ext {
name = "TemplateData";
commit = "836e3ca277301addd2578b2e746498ff6eb8e574";
hash = "sha256-UMcRLYxYn+AormwTYjKjjZZjA806goMY2TRQ4KoS5fY=";
commit = "1ec66ce80f8a4322138efa56864502d0ee069bad";
hash = "sha256-Lv3Lq9dYAtdgWcwelveTuOhkP38MTu0m5kmW8+ltRis=";
})
(mw-ext {
name = "TemplateStyles";
commit = "06a2587689eba0a17945fd9bd4bb61674d3a7853";
hash = "sha256-C7j0jCkMeVZiLKpk+55X+lLnbG4aeH+hWIm3P5fF4fw=";
commit = "581180e898d6a942e2a65c8f13435a5d50fffa67";
hash = "sha256-zW8O0mzG4jYfQoKi2KzsP+8iwRCLnWgH7qfmDE2R+HU=";
})
(mw-ext {
name = "UserMerge";
commit = "41759d0c61377074d159f7d84130a095822bc7a3";
hash = "sha256-pGjA7r30StRw4ff0QzzZYUhgD3dC3ZuiidoSEz8kA8Q=";
commit = "c17c919bdb9b67bb69f80df43e9ee9d33b1ecf1b";
hash = "sha256-+mkzTCo8RVlGoFyfCrSb5YMh4J6Pbi1PZLFu5ps8bWY=";
})
(mw-ext {
name = "VisualEditor";
commit = "a128b11fe109aa882de5a40d2be0cdd0947ab11b";
hash = "sha256-bv1TkomouOxe+DKzthyLyppdEUFSXJ9uE0zsteVU+D4=";
commit = "90bb3d455892e25317029ffd4bda93159e8faac8";
hash = "sha256-SZAVELQUKZtwSM6NVlxvIHdFPodko8fhZ/uwB0LCFDA=";
})
(mw-ext {
name = "WikiEditor";
commit = "21383e39a4c9169000acd03edfbbeec4451d7974";
hash = "sha256-aPVpE6e4qLLliN9U5TA36e8tFrIt7Fl8RT1cGPUWoNI=";
commit = "8dba5b13246d7ae09193f87e6273432b3264de5f";
hash = "sha256-vF9PBuM+VfOIs/a2X1JcPn6WH4GqP/vUJDFkfXzWyFU=";
})
]

24
secrets/kvernberg/exhange-offline-master.priv
View File

@@ -1,24 +0,0 @@
{
"data": "ENC[AES256_GCM,data:dhVo1B+ZG1B6s0bTLgph4ipPmi0mveaObbJAffDQbpY=,iv:P5plvu4DQYa99cQZQ6B/gEFcSffu3lTY3+Z80Cfoj94=,tag:4xcqCbn6fFSmCbYmmEgQEg==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MzVHSE15Nk9MODQxc2g0\nbHlqNmFKclBYbUNKQTNUOGo0VThiaEZTVzJFCmU2YkYwMXlyeHM3ZzAxOWZpa3k4\nUUJLanVFbkNMa25RcGZmOTBsVmtzazQKLS0tIE1sTTBqT3VJMDFOYXl0T1JvcDRV\nRFpsZGNOZzFzMFc3YzcxeXdIK1d6QUUKzy0n7DJsOmrNvU03Tn6Zcj/l/kAylzzP\nhNnFLXfStdKl3A/qrzBPhTVbYD73yFkZuQ+bDr7/IMsHAmDsztuA9g==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbEdBWjdEbmtNYWJHQnFj\nSU1yb0NYVG4xVlZkYTdUWUpDcGdmbFF6U1NrCjBlWFZkcC9FMVJLYUtDNlBTUWcw\nNHBwWFNESDBQQmJNb3NDN2tDekM4eUUKLS0tICtMVGc1L2JFQ1BqKzM3eWFPRmRQ\nWXlQUWpvdUdOUlZ1OFhtS0ErL0JKSlUKzxLKbsnXvEqnR2HVsTxNqmM7YPjWfCjG\nZ4Bf046NdseomkNuTvWuPzjzPTe4GvjudMYc4ODchkIMOo6hXyf5kw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-11-17T01:12:23Z",
"mac": "ENC[AES256_GCM,data:aXIM/pmgVmfNSa+PwpfK6Efh/kCWXUqZNcKLkyhRwl++vaIBQUIQgQjv09hWHOF77V3ZjRQjh2E1uNe2baBLEmrDT5Au+7VABW+j49KX/vKMd+1l4w47l3DukOVnoo50bsOQFtH+amSl2P2imxpO15sjVDu9/nUeu2qXrtbIUh8=,iv:BQVs3P9p86uzTH2BfuSOxycpE6di4ZIwSz7OTZdcQPg=,tag:mT4Ek8dDbVINGp4Odt62zw==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.1"
}
}

12
secrets/ustetind/ustetind.yaml
View File

@@ -1,8 +1,8 @@
gitea:
runners:
alpha: ENC[AES256_GCM,data:Hnq2guka4oERPIFCv1/ggrLjaePA7907VHXMStDQ7ll3hntTioT76qGOUJgfIw==,iv:wDPYuuL6VAWJakrz6asVRrzwRxqw0JDRes13MgJIT6E=,tag:ogFUeUirHVkCLN63nctxOw==,type:str]
beta: ENC[AES256_GCM,data:HmdjBvW8eO5MkzXf7KEzSNQAptF/RKN8Bh03Ru7Ru/Ky+eJJtk91aqSSIjFa+Q==,iv:Hz9HE3U6CFfZFcPmYMd6wSzZkSvszt92L2gV+pUlMis=,tag:LG3NfsS7B1EdRFvnP3XESQ==,type:str]
epsilon: ENC[AES256_GCM,data:wfGxwWwDzb6AJaFnxe/93WNZGtuTpCkLci/Cc5MTCTKJz6XlNuy3m/1Xsnw0hA==,iv:I6Zl+4BBAUTXym2qUlFfdnoLTHShu+VyxPMjRlFzMis=,tag:jjTyZs1Nzqlhjd8rAldxDw==,type:str]
alpha: ENC[AES256_GCM,data:aAFv+/ygC7oxGT3qnoEf+AZL3Nk1yOq3HupL9l0j8P913GefPKqlBt/mbuRVug==,iv:usXElENwbOHxUdoqHScK7PjeZavXUwoxpQWEMjxU2u4=,tag:E8OzZ9pmxIru7Glgh7v0lg==,type:str]
beta: ENC[AES256_GCM,data:riRSBDzX9DAxKl2UCds1ANddl3ij+byAgigOafJ5RjWl8cNVlowK21klBiKTxw==,iv:clijEUKX9o52p5A94eEW0f8qGGhFpy/LFe+uQG/iQLg=,tag:PchXbsZMnW//O7brEAEeWw==,type:str]
epsilon: ENC[AES256_GCM,data:lUt8uaqh9eC1IdIUfiw3dzxcDErSWaiT9lzg4ONf/QZeXj7Do7Es0GXBFd41Hw==,iv:hPm5Lez5ISHIlw1+i4z/oBsh4H5ZXPVYnXXSGq1eal0=,tag:/KcmPw30622tN9ruMUwfUw==,type:str]
sops:
kms: []
gcp_kms: []
@@ -63,8 +63,8 @@ sops:
aU4xWjVYYlNvSmYxajVGdzk5dTQ4WG8Klq12bSegsW29xp4qteuCB5Tzis6EhVCk
53jqtYe5UG9MjFVQYiSi2jJz5/dxfqSINMZ/Y/EB5LxbwgbFws8Yuw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-12T12:20:19Z"
mac: ENC[AES256_GCM,data:D9/NAd/zrF6pHFdZjTUqI+u4WiwJqt0w5Y+SYCS1o/dAXJE/ajHzse/vCSGXZIjP0yqe+S/NyTvhf+stw2B4dk6Njtabjd+PhG0hR4L0X07FtFqzB3u5pLHCb0bH9QLG5zWcyMkwNiNTCvhRUZzbcqLEGqqJ7ZjZAEUfYSR+Jls=,iv:5xPfODPxtQjgbl8delUHsmhD0TI2gHjrxpHV+qiFE00=,tag:HHLo5G8jhy/sKB3R+sKmwQ==,type:str]
lastmodified: "2024-12-09T21:17:40Z"
mac: ENC[AES256_GCM,data:HensJbPU1Kx9aQNUhdtFkX/6qdxj7yby6GeSruOT+HYEtoq0py/zvMtdCqmfjc4AOptYlXdgK7w30P976dG1esjlYwF07qtVvAbUqvExkksuV4zp81VKHMXUOAyiQK79kLe3rx6cvEdUDbOjZOsxN02eRrcanN+7rJS6f7vNN88=,iv:PlePCik6JcOtVBQhhOj9khhp2LwwfXBwAGpzu4ywhTA=,tag:Clz+xX1Cffs8Zpv2LdsGVA==,type:str]
pgp:
- created_at: "2024-12-09T21:17:27Z"
enc: |-
@@ -87,4 +87,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.9.2
version: 3.8.1

1
users/oysteikt.nix
View File

@@ -13,6 +13,7 @@
bottom
eza
neovim
diskonaut
ripgrep
tmux
];

16
values.nix
View File

@@ -21,6 +21,12 @@ in rec {
ipv4 = pvv-ipv4 213;
ipv6 = pvv-ipv6 213;
};
grevling-tap = {
ipv4 = pvv-ipv4 251;
};
tuba-tap = {
ipv4 = pvv-ipv4 252;
};
};
hosts = {
@@ -64,9 +70,13 @@ in rec {
ipv4 = pvv-ipv4 234;
ipv6 = pvv-ipv6 234;
};
kvernberg = {
ipv4 = pvv-ipv4 206;
ipv6 = pvv-ipv6 "1:206";
grevling = {
ipv4 = pvv-ipv4 198;
ipv6 = pvv-ipv6 198;
};
tuba = {
ipv4 = pvv-ipv4 199;
ipv6 = pvv-ipv6 199;
};
};