Compare commits

...

82 Commits

Author SHA1 Message Date
Vegard Bieker Matthey be87d98060 prometheus for dibbler 2026-06-08 10:54:03 +02:00
h7x4 b4582a160f skrot/dibbler: rotate database password 2026-06-07 17:58:33 +09:00
h7x4 ac094d350d base/timesyncd: specify ntp servers 2026-06-07 17:52:54 +09:00
h7x4 b848e0f1cc temmie/userweb: add log processor for apache 2026-06-07 06:03:18 +09:00
h7x4 c671329b93 temmie/userweb: inject users from passwd into httpd sandbox 2026-06-07 05:28:24 +09:00
Vegard Bieker Matthey e6a3d43493 modules/drumknotty: use correct screen window name for dibbler 2026-06-05 22:14:02 +02:00
h7x4 cafc95db8f bicep/mjolnir: use nodejs v22 2026-06-06 04:43:58 +09:00
h7x4 2d6b09cb32 bikkje: label ports in firewall port list 2026-06-06 04:08:16 +09:00
h7x4 ce0af2f6e4 flake.nix: add app for building gitea workflows locally 2026-06-06 04:05:26 +09:00
h7x4 88892115b5 base: enable autoScrub for all btrfs machine by default 2026-06-06 04:05:26 +09:00
h7x4 8a290d30e7 modules/drumknotty: split into several parts
This also fixes a few issues, such as enabling `createLocalDatabase` for
multiple programs, and wraps all the screen logic within a screenrc
file. Some assertions were also added to avoid some easy-to-make
mistakes.
2026-06-05 14:21:35 +02:00
Vegard Bieker Matthey 3197c6a5e3 attach with dibbler window selected 2026-06-05 14:21:35 +02:00
Vegard Bieker Matthey f8dcaddefb use main branch for worblehat after merge 2026-06-05 14:21:28 +02:00
Vegard Bieker Matthey 009d89f959 set default settings for worblehat and dibbler 2026-06-05 14:09:06 +02:00
Vegard Bieker Matthey 21bba3ec7e add worblehat daemons 2026-06-05 14:09:06 +02:00
Vegard Bieker Matthey 9552351776 add database password for worblehat 2026-06-05 14:09:06 +02:00
Vegard Bieker Matthey 7e754ade71 drumknotty: init 2026-06-05 14:08:58 +02:00
h7x4 fcd81aed00 packages/ooye: 3.5.1 -> 3.6.0 2026-06-04 19:17:29 +09:00
h7x4 966081ebfc bicep/mysql: enable userstat 2026-06-03 15:31:27 +09:00
h7x4 39d313579c bicep/mysql: rotate slow query logs 2026-06-03 15:21:18 +09:00
h7x4 3386153b8b ildkule/prometheus/exim: make scheme explicit 2026-06-03 13:35:13 +09:00
h7x4 56906241f6 bekkalokk/roundcube: temporary fix for webmail redirects 2026-06-01 03:52:09 +09:00
h7x4 3fe71d21f6 bekkalokk/roundcube: webdir moved to public_html within package 2026-06-01 02:57:43 +09:00
h7x4 074d240595 base: tag generation as auto if built by auto upgrade service 2026-06-01 01:00:50 +09:00
h7x4 1ce3372683 lupine/binfmt: enable 2026-06-01 01:00:50 +09:00
Adrian G L 5f14c15679 feat: add radicale to bekkalokk 2026-06-01 00:59:54 +09:00
h7x4 e05eab4ddf {georg,brzeczyszczykiewicz}: use sane IPv6 addresses 2026-05-29 16:04:52 +09:00
h7x4 64843087be kommode/gitea: only allow webhooks to external hosts
We don't have any servers with intranet IPs, and we want webhooks that
hook back to kommode to pass through its firewall.
2026-05-29 12:58:26 +09:00
h7x4 0c45345050 bicep/matrix-ooye harden 2026-05-28 16:07:36 +09:00
h7x4 788f23bf04 bicep/matrix-hookshot: harden 2026-05-28 15:58:04 +09:00
h7x4 8416014aeb bicep/mjolnir: harden 2026-05-28 15:58:04 +09:00
h7x4 654eeb83d8 base: tag generation as dirty if built from uncommitted source code 2026-05-28 04:39:49 +09:00
h7x4 5bf0de1d0d bekkalokk/website/fetch-gallery: use proper shellscript builder 2026-05-28 03:58:08 +09:00
h7x4 a550bbf1e0 bekkalokk/roundcube: use specialized builder for nginx root dir 2026-05-28 03:46:59 +09:00
h7x4 6d9bd8256f kommode/gitea/install-customization: disable networking 2026-05-28 03:15:47 +09:00
h7x4 5c859d9809 kommode/gitea/install-customization: remove ExecStart bash wrapper 2026-05-28 03:15:06 +09:00
h7x4 68481b999b modules/grzegorz: remove ExecStart bash wrapper 2026-05-28 03:09:38 +09:00
h7x4 dfbed75cd9 kommode/gitea/gpg: remove ExecStart bash wrapper 2026-05-28 03:06:07 +09:00
h7x4 6237a0a0e7 bicep/minecraft-heatmap: remove ExecStartPre bash wrapper 2026-05-28 03:03:38 +09:00
h7x4 bd2263a0a9 kommode/gitea/import-users: remove ExecStartPre bash wrapper 2026-05-28 03:02:59 +09:00
h7x4 2faff6340c flake.lock: bump pvv-nettsiden 2026-05-28 02:39:32 +09:00
h7x4 532e8b0eee bekkalokk/mediawiki: install PdfHandler extension 2026-05-28 01:22:13 +09:00
h7x4 eef3f8fe8b bekkalokk/mediawiki: cleanup executable path config 2026-05-28 01:22:13 +09:00
h7x4 e17025aca6 packages/mediawiki-extensions: add PdfHandler, bump all 2026-05-28 00:55:20 +09:00
h7x4 e062a849f3 base/scrutiny-collector: disable if machine is qemu guest 2026-05-27 23:45:30 +09:00
h7x4 b0f81c9379 lupine/smartd: reenable 2026-05-27 23:41:54 +09:00
h7x4 2c819776f8 treewide/nginx: enable kTLS for a bunch more virtualHosts 2026-05-27 23:36:18 +09:00
h7x4 c2d6989350 base/scrutiny-collector: init 2026-05-27 23:35:32 +09:00
h7x4 2b4817b75a ildkule/scrutiny: init 2026-05-27 23:33:45 +09:00
h7x4 0e2a8ed3ed base/polkit: let wheel users use AUTH_KEEP_SELF for systemd actions 2026-05-27 14:13:36 +09:00
h7x4 3372712e26 modules/ooye: move StartLimit* options to correct section 2026-05-26 15:03:27 +09:00
h7x4 7e586e082e flake.lock: bump pvv-calendar-bot 2026-05-26 14:55:58 +09:00
h7x4 47a744f68f ildkule/uptime-kuma: set up rsync pull target for principal 2026-05-26 13:37:29 +09:00
Vegard Bieker Matthey da505d4fe2 kommode: sign merge commits and sign crud actions 2026-05-25 20:21:23 +02:00
h7x4 18ab1ef982 temmie/userweb: set -i and -t in sendmail wrapper 2026-05-25 18:49:57 +09:00
h7x4 5023edeb13 temmie/userweb: install mod_perl with custom env 2026-05-25 18:24:23 +09:00
h7x4 0d8c26c548 temmie/userweb: send propagatedBuildInputs through perl env wrapper 2026-05-25 17:05:02 +09:00
h7x4 bd244e7797 temmie/userweb: add www2 server alias 2026-05-25 16:24:35 +09:00
h7x4 e9220bb31e temmie/userweb: use www-datas UID + GID for backwards compat 2026-05-25 15:25:26 +09:00
h7x4 6beb9c62c3 temmie/userweb: use bro to proxy sendmail requests out of sandbox 2026-05-25 15:02:40 +09:00
h7x4 7429b334ca README: add temmie to machine overview 2026-05-25 11:59:17 +09:00
h7x4 1595f67c55 flake.nix: allow nvidia-kernel-modules for wenche 2026-05-25 11:35:25 +09:00
h7x4 3f5eadcb87 base/resolved: use RFC42 format 2026-05-25 10:40:04 +09:00
h7x4 70c0ad8724 base: use RFC42 format for systemd.sleep 2026-05-25 10:40:04 +09:00
h7x4 61ea0181a1 packages/mediawiki-extensions: REL1_44 -> REL1_45 2026-05-25 10:40:04 +09:00
h7x4 3e22c1a47e nixpkgs 26.05 🎉 2026-05-25 10:40:02 +09:00
Vegard Bieker Matthey 0319858cad Merge branch 'gluttony-bluemap' 2026-05-25 03:32:15 +02:00
Vegard Bieker Matthey efd50868e0 bekkalokk: add back config added through bluemap module 2026-05-25 03:28:49 +02:00
Vegard Bieker Matthey 7a23cf7f25 bekkalokk: remove bluemap 2026-05-25 03:28:30 +02:00
Vegard Bieker Matthey 57963fadd7 gluttony: add private key and set public key for bekkalokk 2026-05-25 03:22:13 +02:00
Vegard Bieker Matthey 792f111a5d bekkalokk: pull rendered map from gluttony 2026-05-25 03:22:13 +02:00
Vegard Bieker Matthey b27859c0fa gluttony: export rendered bluemap to bekkalokk 2026-05-25 03:22:09 +02:00
Vegard Bieker Matthey eb0eb6d93b add bekkalokk to known_hosts 2026-05-25 03:20:25 +02:00
Vegard Bieker Matthey 6a943dd7b0 bluemap: set group to nginx only if nginx is enabled 2026-05-25 03:20:25 +02:00
Vegard Bieker Matthey c59c00f3fc gluttony: setup bluemap 2026-05-25 03:20:21 +02:00
h7x4 53670b4d05 flake.nix/inputs/disko: v1.11.0 -> v1.13.0 2026-05-24 23:05:48 +09:00
h7x4 d92a5f13ad base/journald-upload: fix target url 2026-05-24 16:41:54 +09:00
h7x4 16d3251ee2 shells/cuda: fix deprecated package attr warnings 2026-05-24 15:23:33 +09:00
Daniel Olsen 09163b77da Revert "bicep/matrix/livekit: open the rtc ports"
This reverts commit 4a67eddf52.
2026-05-23 23:23:41 +02:00
Vegard Bieker Matthey 6cca1db3b3 bekkalokk: fix permissions for mediawiki secrets 2026-05-22 20:21:24 +02:00
Vegard Bieker Matthey bfd83c4c64 uptime-kuma: wants to use /var/lib/private for state 2026-05-22 17:58:00 +02:00
h7x4 9a6fdecb03 kommode/gitea/dump: only keep a single dump at a time 2026-05-22 18:27:57 +09:00
67 changed files with 2754 additions and 466 deletions
+28
@@ -20,6 +20,8 @@ keys:
- &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l - &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l
- &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn - &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn
- &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr - &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
- &host_temmie age10avsdvqger25z0lyzlq8v7xfzcmypkmjsswswaxwqnpnl6x9wcjq0uv2n7
- &host_gluttony age12czfkvuw9pjk5qny5c6m2hjhd634cj9r4dsa3ss5zkux5h4vvc7s7k4urq
creation_rules: creation_rules:
# Global secrets # Global secrets
@@ -119,3 +121,29 @@ creation_rules:
- *user_vegardbm - *user_vegardbm
pgp: pgp:
- *user_oysteikt - *user_oysteikt
- path_regex: secrets/temmie/[^/]+\.yaml$
key_groups:
- age:
- *host_temmie
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
- path_regex: secrets/gluttony/[^/]+\.yaml$
key_groups:
- age:
- *host_gluttony
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
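Review bot: the two new `path_regex` values, `secrets/temmie/[^/]+\.yaml$` and `secrets/gluttony/[^/]+\.yaml$`, are anchored only at the end, so they also match a path such as `foo/secrets/temmie/x.yaml` elsewhere in the tree. Prefixing each with `^` would tie the rule to the top-level `secrets/` directory and make it explicit which recipients a given file is encrypted to.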
+2
@@ -45,6 +45,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
| [lupine][lup] | Physical | Gitea CI/CD runners | | [lupine][lup] | Physical | Gitea CI/CD runners |
| shark | Virtual | Test host for authentication, absolutely horrendous | | shark | Virtual | Test host for authentication, absolutely horrendous |
| [skrot][skr] | Physical | Kiosk, snacks and soda | | [skrot][skr] | Physical | Kiosk, snacks and soda |
| [temmie][tem] | Virtual | User websites |
| [wenche][wen] | Virtual | Nix-builders, general purpose compute | | [wenche][wen] | Virtual | Nix-builders, general purpose compute |
## Documentation ## Documentation
@@ -63,4 +64,5 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
[kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
[lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrot [skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrot
[tem]: https://wiki.pvv.ntnu.no/wiki/Maskiner/temmie
[wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche
+16 -4
@@ -1,6 +1,8 @@
{ {
config,
pkgs, pkgs,
lib, lib,
inputs,
fp, fp,
... ...
}: }:
@@ -35,19 +37,29 @@
./services/prometheus-node-exporter.nix ./services/prometheus-node-exporter.nix
./services/prometheus-systemd-exporter.nix ./services/prometheus-systemd-exporter.nix
./services/roowho2.nix ./services/roowho2.nix
./services/scrutiny-collector.nix
./services/smartd.nix ./services/smartd.nix
./services/thermald.nix ./services/thermald.nix
./services/timesyncd.nix
./services/uptimed.nix ./services/uptimed.nix
./services/userborn.nix ./services/userborn.nix
./services/userdbd.nix ./services/userdbd.nix
]; ];
system.nixos.tags = lib.optionals (inputs.self.sourceInfo ? dirtyRev) [ "dirty" ];
specialisation."auto-upgrade".configuration = {
system.nixos.tags = [ "auto" ];
};
boot.tmp.cleanOnBoot = lib.mkDefault true; boot.tmp.cleanOnBoot = lib.mkDefault true;
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
boot.loader.systemd-boot.enable = lib.mkDefault true; boot.loader.systemd-boot.enable = lib.mkDefault true;
boot.loader.efi.canTouchEfiVariables = lib.mkDefault true; boot.loader.efi.canTouchEfiVariables = lib.mkDefault true;
services.btrfs.autoScrub.enable = lib.mkDefault (lib.any ({ fsType, ... }: fsType == "btrfs") (lib.attrValues config.fileSystems));
time.timeZone = "Europe/Oslo"; time.timeZone = "Europe/Oslo";
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
@@ -77,10 +89,10 @@
''; '';
# These are servers, sleep is for the weak # These are servers, sleep is for the weak
systemd.sleep.extraConfig = lib.mkDefault '' systemd.sleep.settings.Sleep = {
AllowSuspend=no AllowSuspend = lib.mkDefault false;
AllowHibernation=no AllowHibernation = lib.mkDefault false;
''; };
# users.mutableUsers = lib.mkDefault false; # users.mutableUsers = lib.mkDefault false;
+1 -1
@@ -8,6 +8,6 @@
services.resolved = { services.resolved = {
enable = lib.mkDefault true; enable = lib.mkDefault true;
dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways... settings.Resolve.DNSSEC = false; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
}; };
} }
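Review bot: `settings.Resolve.DNSSEC = false` replaces the string `"false"` with a Nix boolean, so the generated resolved.conf is worth checking to confirm the value still renders in a form resolved accepts. The trailing comment keeps the typo "Supposdly" and gives no reference for the breakage; a link to the upstream issue would let the next reader judge when validation can be turned back on.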
+1
@@ -13,6 +13,7 @@ in
"--refresh" "--refresh"
"--no-write-lock-file" "--no-write-lock-file"
"--specialisation auto-upgrade"
# --update-input is deprecated since nix 2.22, and removed in lix 2.90 # --update-input is deprecated since nix 2.22, and removed in lix 2.90
# as such we instead use --override-input combined with --refresh # as such we instead use --override-input combined with --refresh
# https://git.lix.systems/lix-project/lix/issues/400 # https://git.lix.systems/lix-project/lix/issues/400
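Review bot: `"--specialisation auto-upgrade"` puts a flag and its argument into one list element, while the neighbouring entries (`"--refresh"`, `"--no-write-lock-file"`) are one token each. That only works as long as the list is joined unquoted; if the flags are ever shell-escaped, it becomes a single argument containing a space. Splitting it into `"--specialisation"` and `"auto-upgrade"` removes that dependency.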
+1 -2
@@ -6,8 +6,7 @@ in
services.journald.upload = { services.journald.upload = {
enable = lib.mkDefault true; enable = lib.mkDefault true;
settings.Upload = { settings.Upload = {
# URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}"; URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}";
URL = "https://${values.hosts.ildkule.ipv4}:${toString config.services.journald.remote.port}";
ServerKeyFile = "-"; ServerKeyFile = "-";
ServerCertificateFile = "-"; ServerCertificateFile = "-";
TrustedCertificateFile = "-"; TrustedCertificateFile = "-";
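Review bot: with `URL` back on `https://journald.pvv.ntnu.no`, the unchanged `TrustedCertificateFile = "-"` line below it decides whether the server certificate is checked at all. Please confirm what `"-"` means for systemd-journal-upload here and, if it turns verification off, point it at a CA bundle so the hostname in the URL is actually validated. A short comment explaining the three `"-"` values would help either way.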
+8 -5
@@ -6,10 +6,13 @@ in
security.polkit.enable = true; security.polkit.enable = true;
environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable '' environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
polkit.addAdminRule(function(action, subject) { polkit.addRule(function(action, subject) {
if(subject.isInGroup("wheel")) { if (
return ["unix-user:"+subject.user]; action.id.startsWith("org.freedesktop.systemd1.") &&
} subject.isInGroup("wheel")
}); ) {
return polkit.Result.AUTH_SELF_KEEP;
}
});
''; '';
} }
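Review bot: the `action.id.startsWith("org.freedesktop.systemd1.")` condition grants `AUTH_SELF_KEEP` for every systemd action id, including `org.freedesktop.systemd1.manage-units`, so any wheel member can manage units with only their own password, and the authorization is cached for a short time. If that is the intent, a comment in the rule should say so; otherwise list the specific action ids. The old `polkit.addAdminRule` that made the wheel user its own admin identity is removed in the same change, so actions outside `org.freedesktop.systemd1.` now fall back to the default admin rule, which deserves a line in the commit message.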
+11
@@ -0,0 +1,11 @@
{ config, ... }:
{
services.scrutiny.collector = {
enable = !config.services.qemuGuest.enable;
settings = {
version = 1;
host.id = config.networking.hostName;
api.endpoint = "https://scrutiny.pvv.ntnu.no/";
};
};
}
+12
@@ -0,0 +1,12 @@
{ ... }:
{
services.timesyncd = {
servers = [ "ntp.ntnu.no" ];
fallbackServers = [
"0.pool.ntp.org"
"1.pool.ntp.org"
"0.no.pool.ntp.org"
];
};
}
Generated
+133 -23
@@ -1,5 +1,27 @@
{ {
"nodes": { "nodes": {
"bro": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1779629827,
"narHash": "sha256-nrlB50/oelB8oFx9DhOoXI5z0VoTZGEA6XxYvkvpqDA=",
"ref": "main",
"rev": "7d0f35e12e4dec39f981c08fc33515589f41f4a5",
"revCount": 3,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/bro.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/bro.git"
}
},
"crane": { "crane": {
"locked": { "locked": {
"lastModified": 1776635034, "lastModified": 1776635034,
@@ -43,16 +65,16 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736864502, "lastModified": 1768920986,
"narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=", "narHash": "sha256-CNzzBsRhq7gg4BMBuTDObiWDH/rFYHEuDRVOwCcwXw4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "0141aabed359f063de7413f80d906e1d98c0c123", "rev": "de5708739256238fb912c62f03988815db89ec9a",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "v1.11.0", "ref": "v1.13.0",
"repo": "disko", "repo": "disko",
"type": "github" "type": "github"
} }
@@ -101,7 +123,7 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs-unstable"
], ],
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay_2"
}, },
"locked": { "locked": {
"lastModified": 1777019032, "lastModified": 1777019032,
@@ -139,6 +161,27 @@
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git" "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
} }
}, },
"libdib": {
"inputs": {
"nixpkgs": [
"worblehat",
"nixpkgs"
]
},
"locked": {
"lastModified": 1769338528,
"narHash": "sha256-t18ZoSt9kaI1yde26ok5s7aFLkap1Q9+/2icVh2zuaE=",
"ref": "refs/heads/main",
"rev": "7218348163fd8d84df4a6f682c634793e67a3fed",
"revCount": 13,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/libdib.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/libdib.git"
}
},
"matrix-next": { "matrix-next": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -165,7 +208,7 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"rust-overlay": "rust-overlay_2" "rust-overlay": "rust-overlay_3"
}, },
"locked": { "locked": {
"lastModified": 1767906976, "lastModified": 1767906976,
@@ -248,15 +291,15 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1778544512, "lastModified": 1779622335,
"narHash": "sha256-VIsPgfIpZ/01XUO6WN+o1NZbP5iKPKPHdHPWqfm4XIg=", "narHash": "sha256-06G98ieM6l+OI7EMhlvchgDBDn+DvIWCNj40LDhKpmc=",
"rev": "c417517f9d525181ee5619c683419d308ee29fe8", "rev": "705e9929918b43bd7b715dc0a878ac870449bb03",
"type": "tarball", "type": "tarball",
"url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.10745.c417517f9d52/nixexprs.tar.xz" "url": "https://releases.nixos.org/nixos/26.05-small/nixos-26.05beta1.705e9929918b/nixexprs.tar.xz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
"url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz" "url": "https://nixos.org/channels/nixos-26.05-small/nixexprs.tar.xz"
} }
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
@@ -287,6 +330,27 @@
"url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz" "url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"
} }
}, },
"passwd2systemd-users": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1780764154,
"narHash": "sha256-Xvf9aBNLYDnbDKdtFjp5GEA/rZwVczHZWbJ0hac8Vv4=",
"ref": "main",
"rev": "8b4541be73ee3bd6c60525b2f42605efe89398c9",
"revCount": 14,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/passwd2systemd-users.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/passwd2systemd-users.git"
}
},
"pvv-calendar-bot": { "pvv-calendar-bot": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -294,11 +358,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1764869785, "lastModified": 1779774845,
"narHash": "sha256-FGTIpC7gB4lbeL0bfYzn1Ge0PaCpd7VqWBLhJBx0i4A=", "narHash": "sha256-QJU1J4eupwjRrtvWGzRut0GY3woql92RS9O/acWkJkk=",
"ref": "main", "ref": "main",
"rev": "8ce7fb0b1918bdb3d1489a40d73895693955e8b2", "rev": "13667cd216db260ab549e6f1b6281aa230d2f9e0",
"revCount": 23, "revCount": 29,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git" "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
}, },
@@ -315,11 +379,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1778960428, "lastModified": 1779903528,
"narHash": "sha256-YAs3LbFGlBLJW3xHeoQfTq2GBBXTvuSKl2WXDtloczU=", "narHash": "sha256-4rajaHeBeQ4PjbNSpslE9G3A5mZM1J/64ls+VoufWZo=",
"ref": "main", "ref": "main",
"rev": "927748790b1f7159adfe32a3ad9ec01d22e9c5a2", "rev": "bba7413a1c611d4918fbef4d3aa55e465ca3f3fb",
"revCount": 583, "revCount": 585,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git" "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
}, },
@@ -352,6 +416,7 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"bro": "bro",
"dibbler": "dibbler", "dibbler": "dibbler",
"disko": "disko", "disko": "disko",
"gergle": "gergle", "gergle": "gergle",
@@ -364,11 +429,13 @@
"nix-topology": "nix-topology", "nix-topology": "nix-topology",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"passwd2systemd-users": "passwd2systemd-users",
"pvv-calendar-bot": "pvv-calendar-bot", "pvv-calendar-bot": "pvv-calendar-bot",
"pvv-nettsiden": "pvv-nettsiden", "pvv-nettsiden": "pvv-nettsiden",
"qotd": "qotd", "qotd": "qotd",
"roowho2": "roowho2", "roowho2": "roowho2",
"sops-nix": "sops-nix" "sops-nix": "sops-nix",
"worblehat": "worblehat"
} }
}, },
"roowho2": { "roowho2": {
@@ -377,7 +444,7 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"rust-overlay": "rust-overlay_3" "rust-overlay": "rust-overlay_4"
}, },
"locked": { "locked": {
"lastModified": 1778600367, "lastModified": 1778600367,
@@ -396,6 +463,27 @@
} }
}, },
"rust-overlay": { "rust-overlay": {
"inputs": {
"nixpkgs": [
"bro",
"nixpkgs"
]
},
"locked": {
"lastModified": 1779419951,
"narHash": "sha256-dMX0PUslUHPajP6o8FEoRdFv9afq/dec4POR0vVfjK4=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "5b5c521d6cae9ef4aa32f888eb2c0ce595c9be52",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"greg-ng", "greg-ng",
@@ -416,7 +504,7 @@
"type": "github" "type": "github"
} }
}, },
"rust-overlay_2": { "rust-overlay_3": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"minecraft-heatmap", "minecraft-heatmap",
@@ -437,7 +525,7 @@
"type": "github" "type": "github"
} }
}, },
"rust-overlay_3": { "rust-overlay_4": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"roowho2", "roowho2",
@@ -478,6 +566,28 @@
"repo": "sops-nix", "repo": "sops-nix",
"type": "github" "type": "github"
} }
},
"worblehat": {
"inputs": {
"libdib": "libdib",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1773932847,
"narHash": "sha256-IklIAdlonrmO8/lkDxNIVz9+ORL4pcVotMTxeyvxzoc=",
"ref": "main",
"rev": "0871a319f51d3cb0d1abb5b11edb768b39906d3f",
"revCount": 104,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/worblehat.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/worblehat.git"
}
} }
}, },
"root": "root", "root": "root",
+52 -9
@@ -2,13 +2,13 @@
description = "PVV System flake"; description = "PVV System flake";
inputs = { inputs = {
nixpkgs.url = "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"; nixpkgs.url = "https://nixos.org/channels/nixos-26.05-small/nixexprs.tar.xz";
nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"; nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
sops-nix.url = "github:Mic92/sops-nix/master"; sops-nix.url = "github:Mic92/sops-nix/master";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko/v1.11.0"; disko.url = "github:nix-community/disko/v1.13.0";
disko.inputs.nixpkgs.follows = "nixpkgs"; disko.inputs.nixpkgs.follows = "nixpkgs";
nix-topology.url = "github:oddlama/nix-topology/main"; nix-topology.url = "github:oddlama/nix-topology/main";
@@ -23,6 +23,9 @@
dibbler.url = "git+https://git.pvv.ntnu.no/Projects/dibbler.git?ref=main"; dibbler.url = "git+https://git.pvv.ntnu.no/Projects/dibbler.git?ref=main";
dibbler.inputs.nixpkgs.follows = "nixpkgs"; dibbler.inputs.nixpkgs.follows = "nixpkgs";
worblehat.url = "git+https://git.pvv.ntnu.no/Projects/worblehat.git?ref=main";
worblehat.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.8.0"; matrix-next.url = "github:dali99/nixos-matrix-modules/v0.8.0";
matrix-next.inputs.nixpkgs.follows = "nixpkgs"; matrix-next.inputs.nixpkgs.follows = "nixpkgs";
@@ -47,6 +50,11 @@
qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main"; qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main";
qotd.inputs.nixpkgs.follows = "nixpkgs"; qotd.inputs.nixpkgs.follows = "nixpkgs";
bro.url = "git+https://git.pvv.ntnu.no/Projects/bro.git?ref=main";
bro.inputs.nixpkgs.follows = "nixpkgs";
passwd2systemd-users.url = "git+https://git.pvv.ntnu.no/Projects/passwd2systemd-users.git?ref=main";
passwd2systemd-users.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = { outputs = {
@@ -85,9 +93,22 @@
[ [
"nvidia-x11" "nvidia-x11"
"nvidia-settings" "nvidia-settings"
"nvidia-kernel-modules"
]; ];
}); });
apps = forAllSystems (system: let
pkgs = nixpkgs.legacyPackages.${system};
in {
gitea-workflows = {
type = "app";
meta.description = "Run all gitea workflows locally";
program = toString (pkgs.writeShellScript "pvv-nixos-config-run-gitea-worflows" ''
${lib.getExe pkgs.gitea-actions-runner} exec -i node:current-trixie
'');
};
});
nixosConfigurations = let nixosConfigurations = let
nixosConfig = nixpkgs: name: configurationPath: extraArgs @ { nixosConfig = nixpkgs: name: configurationPath: extraArgs @ {
localSystem ? "x86_64-linux", # buildPlatform localSystem ? "x86_64-linux", # buildPlatform
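Review bot: the script name in `pkgs.writeShellScript "pvv-nixos-config-run-gitea-worflows"` has a typo ("worflows"). The runner image `node:current-trixie` is a moving tag, so the same `nix run` can execute against different images over time; pinning a version or digest would make local runs reproducible and avoid pulling an unreviewed image.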
@@ -105,6 +126,7 @@
[ [
"nvidia-x11" "nvidia-x11"
"nvidia-settings" "nvidia-settings"
"nvidia-kernel-modules"
]; ];
overlays = overlays =
(lib.optionals enableDefaults [ (lib.optionals enableDefaults [
@@ -182,6 +204,12 @@
(final: prev: { (final: prev: {
inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element; inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
}) })
(final: prev: {
# See https://git.pvv.ntnu.no/Drift/issues/issues/369
mjolnir = prev.mjolnir.override {
nodejs = prev.nodejs_22;
};
})
]; ];
}; };
bekkalokk = stableNixosConfig "bekkalokk" { bekkalokk = stableNixosConfig "bekkalokk" {
@@ -189,14 +217,12 @@
(final: prev: { (final: prev: {
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions {}; mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions {};
simplesamlphp = final.callPackage ./packages/simplesamlphp {}; simplesamlphp = final.callPackage ./packages/simplesamlphp {};
bluemap = final.callPackage ./packages/bluemap.nix {};
}) })
inputs.pvv-nettsiden.overlays.default inputs.pvv-nettsiden.overlays.default
inputs.qotd.overlays.default inputs.qotd.overlays.default
]; ];
modules = [ modules = [
inputs.pvv-nettsiden.nixosModules.default inputs.pvv-nettsiden.nixosModules.default
self.nixosModules.bluemap
inputs.qotd.nixosModules.default inputs.qotd.nixosModules.default
]; ];
}; };
@@ -205,18 +231,34 @@
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
]; ];
}; };
#ildkule-unstable = unstableNixosConfig "ildkule" { };
skrot = stableNixosConfig "skrot" { skrot = stableNixosConfig "skrot" {
modules = [ modules = [
self.nixosModules.drumknotty
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
inputs.dibbler.nixosModules.default
]; ];
overlays = [inputs.dibbler.overlays.default]; overlays =
[
inputs.dibbler.overlays.default
inputs.worblehat.overlays.default
];
}; };
shark = stableNixosConfig "shark" {}; shark = stableNixosConfig "shark" {};
wenche = stableNixosConfig "wenche" {}; wenche = stableNixosConfig "wenche" {};
temmie = stableNixosConfig "temmie" {}; temmie = stableNixosConfig "temmie" {
gluttony = stableNixosConfig "gluttony" {}; overlays = [
inputs.bro.overlays.default
inputs.passwd2systemd-users.overlays.default
];
modules = [
inputs.bro.nixosModules.default
];
};
gluttony = stableNixosConfig "gluttony" {
overlays = [
(final: prev: { bluemap = final.callPackage ./packages/bluemap.nix {}; })
];
modules = [ self.nixosModules.bluemap ];
};
kommode = stableNixosConfig "kommode" { kommode = stableNixosConfig "kommode" {
overlays = [ overlays = [
@@ -270,6 +312,7 @@
rsync-pull-targets = ./modules/rsync-pull-targets.nix; rsync-pull-targets = ./modules/rsync-pull-targets.nix;
snakeoil-certs = ./modules/snakeoil-certs.nix; snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix; snappymail = ./modules/snappymail.nix;
drumknotty = ./modules/drumknotty;
}; };
devShells = forAllSystems (system: { devShells = forAllSystems (system: {
+1 -2
@@ -7,6 +7,7 @@
./services/alps.nix ./services/alps.nix
./services/bluemap.nix ./services/bluemap.nix
./services/radicale.nix
./services/idp-simplesamlphp ./services/idp-simplesamlphp
./services/kerberos.nix ./services/kerberos.nix
./services/mediawiki ./services/mediawiki
@@ -24,8 +25,6 @@
address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ]; address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
}; };
services.btrfs.autoScrub.enable = true;
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11"; system.stateVersion = "25.11";
+27 -98
@@ -1,105 +1,10 @@
{ config, lib, pkgs, inputs, ... }: { values, ... }:
let let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world"; webExport = "/var/lib/bluemap/web";
format = pkgs.formats.hocon { };
in { in {
# NOTE: our versino of the module gets added in flake.nix # NOTE: our version of the module gets added in flake.nix
disabledModules = [ "services/web-apps/bluemap.nix" ]; disabledModules = [ "services/web-apps/bluemap.nix" ];
sops.secrets."bluemap/ssh-key" = { };
sops.secrets."bluemap/ssh-known-hosts" = { };
services.bluemap = {
enable = true;
eula = true;
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
host = "minecraft.pvv.ntnu.no";
maps = let
inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
in {
"verden" = {
extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:overworld";
name = "Verden";
sorting = 0;
start-pos = {
x = 0;
z = 0;
};
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
};
"underverden" = {
extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_nether";
name = "Underverden";
sorting = 100;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#290000";
void-color = "#150000";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
render-mask = [{
max-y = 90;
}];
};
};
"enden" = {
extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_end";
name = "Enden";
sorting = 200;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#080010";
void-color = "#080010";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
};
};
systemd.services."render-bluemap-maps" = {
serviceConfig = {
StateDirectory = [ "bluemap/world" ];
ExecStartPre = let
rsyncArgs = lib.cli.toCommandLineShellGNU { } {
archive = true;
compress = true;
verbose = true;
no-owner = true;
no-group = true;
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
};
in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
];
};
};
services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = { services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@@ -115,6 +20,30 @@ in {
quic_retry on; quic_retry on;
add_header Alt-Svc 'h3=":$server_port"; ma=86400'; add_header Alt-Svc 'h3=":$server_port"; ma=86400';
''; '';
root = webExport;
locations = {
"~* ^/maps/[^/]*/tiles/".extraConfig = ''
error_page 404 = @empty;
'';
"@empty".return = "204";
};
};
services.rsync-pull-targets = {
enable = true;
locations.${webExport} = {
user = "root";
rrsyncArgs.wo = true;
authorizedKeysAttrs = [
"restrict"
"from=\"gluttony.pvv.ntnu.no,${values.hosts.gluttony.ipv6},${values.hosts.gluttony.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5jrqMovXlWaFWZAV/aKyQReHvUQp5kb+7Ja4gnevSr root@gluttony bluemap";
};
}; };
networking.firewall.allowedUDPPorts = [ 443 ]; networking.firewall.allowedUDPPorts = [ 443 ];
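Review bot: In the `authorizedKeysAttrs` list of the new `rsync-pull-targets` entry, the hostname in `from="gluttony.pvv.ntnu.no,..."` only matches when sshd runs with `UseDNS yes`; with the OpenSSH default (`UseDNS no`) only the two address patterns take effect, so either drop the name or make that dependency explicit. `restrict` already disables agent forwarding, port forwarding, PTY allocation and X11 forwarding, so the four `no-*` entries are redundant. Since `user = "root"` receives the writes that end up under the nginx `root`, a dedicated unprivileged account owning `webExport` would limit what the gluttony key can touch.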
+20 -9
@@ -107,6 +107,7 @@ in {
CodeEditor CodeEditor
CodeMirror CodeMirror
DeleteBatch DeleteBatch
PdfHandler
PluggableAuth PluggableAuth
Popups Popups
Scribunto Scribunto
@@ -181,12 +182,17 @@ in {
]; ];
# Misc program paths # Misc program paths
$wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg'; $wgFFmpegLocation = '${lib.getExe pkgs.ffmpeg}';
$wgExiftool = '${pkgs.exiftool}/bin/exiftool'; $wgExiftool = '${lib.getExe pkgs.exiftool}';
$wgExiv2Command = '${pkgs.exiv2}/bin/exiv2'; $wgExiv2Command = '${lib.getExe pkgs.exiv2}';
# See https://gist.github.com/sergejmueller/088dce028b6dd120a16e # See https://gist.github.com/sergejmueller/088dce028b6dd120a16e
$wgJpegTran = '${pkgs.mozjpeg}/bin/jpegtran'; $wgJpegTran = '${lib.getExe' pkgs.mozjpeg "jpegtran"}';
$wgGitBin = '${pkgs.git}/bin/git'; $wgGitBin = '${lib.getExe pkgs.git}';
$wgDiff3 = '${lib.getExe' pkgs.diffutils "diff3"}';
$wgDiff = '${lib.getExe' pkgs.diffutils "diff"}';
$wgUseImageMagick = true;
$wgImageMagickConvertCommand = '${lib.getExe pkgs.imagemagick}';
# Debugging # Debugging
$wgShowExceptionDetails = false; $wgShowExceptionDetails = false;
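Review bot: `$wgImageMagickConvertCommand = '${lib.getExe pkgs.imagemagick}'` depends on the package's `meta.mainProgram`, while the neighbouring lines name the binary explicitly with `lib.getExe'` (`jpegtran`, `diff3`, `diff`); naming the ImageMagick binary the same way keeps the path from changing silently on a package update. With `$wgUseImageMagick = true` uploaded files are now handed to ImageMagick, so the commit should say which resource limits or policy apply to the converter.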
@@ -210,6 +216,15 @@ in {
# EXT:WikiEditor # EXT:WikiEditor
$wgWikiEditorRealtimePreview = true; $wgWikiEditorRealtimePreview = true;
# EXT:PdfHandler
$wgPdfProcessor = '${lib.getExe pkgs.ghostscript_headless}';
$wgPdfPostProcessor = $wgImageMagickConvertCommand;
$wgPdfInfo = '${lib.getExe' pkgs.poppler-utils "pdfinfo"}';
$wgPdftoText = '${lib.getExe' pkgs.poppler-utils "pdftotext"}';
# Override key from hardcoded config in nixpkgs
$wgSecretKey = file_get_contents("${config.sops.secrets."mediawiki/secret-key".path}");
''; '';
}; };
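Review bot: `$wgSecretKey = file_get_contents(...)` has no failure handling: if the sops file is missing or unreadable for the PHP user, `file_get_contents` returns `false` and MediaWiki carries on with an unusable secret key instead of failing. Check for `false` and abort, and decide explicitly whether a trailing newline in the secret file is meant to be part of the key (a `trim()` would remove it).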
@@ -273,8 +288,6 @@ in {
systemd.services.mediawiki-init = lib.mkIf cfg.enable { systemd.services.mediawiki-init = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ]; after = [ "sops-install-secrets.service" ];
serviceConfig = { serviceConfig = {
BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
UMask = lib.mkForce "0007"; UMask = lib.mkForce "0007";
}; };
}; };
@@ -282,8 +295,6 @@ in {
systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable { systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ]; after = [ "sops-install-secrets.service" ];
serviceConfig = { serviceConfig = {
BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
UMask = lib.mkForce "0007"; UMask = lib.mkForce "0007";
}; };
}; };
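Review bot: With `LoadCredential` and the `BindReadOnlyPaths` mapping removed from `phpfpm-mediawiki` (and from `mediawiki-init` in the previous hunk), PHP now opens the sops path directly, so the secret's owner, group and mode must admit the php-fpm pool user. That declaration is not part of this diff; please include or confirm it, since the credential route worked regardless of file ownership. Anything that still reads `/var/lib/mediawiki/secret.key` will no longer find the bound file there.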
+40
@@ -0,0 +1,40 @@
{ config, lib, ... }:
let
domain = "dav.pvv.ntnu.no";
radicalePort = 5232;
in {
services.radicale = {
enable = true;
settings = {
server = {
hosts = [ "127.0.0.1:${toString radicalePort}" ];
};
auth = {
type = "imap";
imap_host = "imap.pvv.ntnu.no";
imap_security = "tls";
};
storage = {
filesystem_folder = "/var/lib/radicale/collections";
};
};
};
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
kTLS = true;
extraConfig = ''
client_max_body_size 128M;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:${toString radicalePort}";
proxyWebsockets = true;
};
};
}
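Review bot: `proxyWebsockets = true` in `locations."/"` is not needed for CalDAV/CardDAV, which are plain HTTP request/response, and can be dropped. Because `auth.type = "imap"` forwards every login attempt to `imap.pvv.ntnu.no`, a `limit_req` zone on this vhost would keep password guessing against the DAV endpoint from turning into load and lockouts on the mail server.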
+2 -1
@@ -10,8 +10,9 @@
enableACME = true; enableACME = true;
kTLS = true; kTLS = true;
locations = { locations = {
"= /".return = "302 https://webmail.pvv.ntnu.no/roundcube"; # "= /".return = "302 https://webmail.pvv.ntnu.no/roundcube";
"/roundcube".return = "302 https://webmail.pvv.ntnu.no/";
"/afterlogic_lite".return = "302 https://webmail.pvv.ntnu.no/roundcube"; "/afterlogic_lite".return = "302 https://webmail.pvv.ntnu.no/roundcube";
"/squirrelmail".return = "302 https://webmail.pvv.ntnu.no/roundcube"; "/squirrelmail".return = "302 https://webmail.pvv.ntnu.no/roundcube";
"/rainloop".return = "302 https://snappymail.pvv.ntnu.no/"; "/rainloop".return = "302 https://snappymail.pvv.ntnu.no/";
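Review bot: `"/roundcube".return` now sends clients to the site root, but the unchanged `/afterlogic_lite` and `/squirrelmail` entries still redirect to `/roundcube`, so those users take two 302 hops; point them at `https://webmail.pvv.ntnu.no/` directly. The commented-out `"= /"` line should be deleted rather than kept as a comment. The prefix match on `/roundcube` also discards the rest of the path, so old deep links land on the front page.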
+2 -37
@@ -29,7 +29,7 @@ in
dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ]; dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
maxAttachmentSize = 20; maxAttachmentSize = 20;
hostName = "roundcubeplaceholder.example.com"; hostName = domain;
database = { database = {
host = "postgres.pvv.ntnu.no"; host = "postgres.pvv.ntnu.no";
@@ -49,44 +49,9 @@ in
''; '';
}; };
services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { }; # TODO: move this back to `webmail.pvv.ntnu.no/roundcube` subpath
services.nginx.virtualHosts.${domain} = { services.nginx.virtualHosts.${domain} = {
kTLS = true; kTLS = true;
locations."/roundcube" = {
tryFiles = "$uri $uri/ =404";
index = "index.php";
root = pkgs.runCommandLocal "roundcube-dir" { } ''
mkdir -p $out
ln -s ${cfg.package} $out/roundcube
'';
extraConfig = ''
location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
# https://wiki.archlinux.org/title/Roundcube
"README"
"INSTALL"
"LICENSE"
"CHANGELOG"
"UPGRADING"
"bin"
"SQL"
".+\\.md"
"\\."
"config"
"temp"
"logs"
]})/? {
deny all;
}
location ~ ^/roundcube/(.+\.php)(/?.*)$ {
fastcgi_split_path_info ^/roundcube(/.+\.php)(/.+)$;
include ${config.services.nginx.package}/conf/fastcgi_params;
include ${config.services.nginx.package}/conf/fastcgi.conf;
fastcgi_index index.php;
fastcgi_pass unix:${config.services.phpfpm.pools.roundcube.socket};
}
'';
};
}; };
} }
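Review bot: Deleting the hand-written `/roundcube` location also deletes its `deny all` rule for `config`, `temp`, `logs`, `bin`, `SQL`, dotfiles and the README/INSTALL files. With `hostName = domain` the vhost now comes from the roundcube module, so please confirm that the generated server block blocks the same paths, or keep an equivalent rule here. The new TODO would be easier to act on with a reference to whatever tracks the move back to the subpath.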
@@ -119,6 +119,7 @@ in {
services.nginx.virtualHosts."pvv.ntnu.no" = { services.nginx.virtualHosts."pvv.ntnu.no" = {
globalRedirect = cfg.domainName; globalRedirect = cfg.domainName;
redirectCode = 307; redirectCode = 307;
kTLS = true;
forceSSL = true; forceSSL = true;
useACMEHost = "www.pvv.ntnu.no"; useACMEHost = "www.pvv.ntnu.no";
}; };
@@ -126,6 +127,7 @@ in {
services.nginx.virtualHosts."www.pvv.org" = { services.nginx.virtualHosts."www.pvv.org" = {
globalRedirect = cfg.domainName; globalRedirect = cfg.domainName;
redirectCode = 307; redirectCode = 307;
kTLS = true;
forceSSL = true; forceSSL = true;
useACMEHost = "www.pvv.ntnu.no"; useACMEHost = "www.pvv.ntnu.no";
}; };
@@ -133,11 +135,13 @@ in {
services.nginx.virtualHosts."pvv.org" = { services.nginx.virtualHosts."pvv.org" = {
globalRedirect = cfg.domainName; globalRedirect = cfg.domainName;
redirectCode = 307; redirectCode = 307;
kTLS = true;
forceSSL = true; forceSSL = true;
useACMEHost = "www.pvv.ntnu.no"; useACMEHost = "www.pvv.ntnu.no";
}; };
services.nginx.virtualHosts.${cfg.domainName} = { services.nginx.virtualHosts.${cfg.domainName} = {
kTLS = true;
locations = { locations = {
# Proxy home directories # Proxy home directories
"^~ /~" = { "^~ /~" = {
@@ -37,47 +37,56 @@ in {
}; };
systemd.services.pvv-nettsiden-gallery-update = { systemd.services.pvv-nettsiden-gallery-update = {
path = with pkgs; [ imagemagick gnutar gzip ];
script = ''
tar ${lib.cli.toCommandLineShellGNU { } {
extract = true;
file = "${transferDir}/gallery.tar.gz";
directory = ".";
}}
# Delete files and directories that exists in the gallery that don't exist in the tarball
filesToRemove=$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))
while IFS= read -r fname; do
rm -f "$fname" ||:
rm -f ".thumbnails/$fname.png" ||:
done <<< "$filesToRemove"
find . -type d -empty -delete
mkdir -p .thumbnails
images=$(find . -type f -not -path './.thumbnails*')
while IFS= read -r fname; do
# Skip this file if an up-to-date thumbnail already exists
if [ -f ".thumbnails/$fname.png" ] && \
[ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
then
continue
fi
echo "Creating thumbnail for $fname"
mkdir -p "$(dirname ".thumbnails/$fname")"
magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
done <<< "$images"
'';
serviceConfig = { serviceConfig = {
WorkingDirectory = galleryDir; WorkingDirectory = galleryDir;
User = config.services.pvv-nettsiden.user; User = config.services.pvv-nettsiden.user;
Group = config.services.pvv-nettsiden.group; Group = config.services.pvv-nettsiden.group;
ExecStart = lib.getExe (pkgs.writeShellApplication {
name = "pvv-nettsiden-gallery-update-exec-start.sh";
runtimeInputs = with pkgs; [
coreutils
findutils
gnused
gnutar
gzip
imagemagick
];
text = ''
tar ${lib.cli.toCommandLineShellGNU { } {
extract = true;
file = "${transferDir}/gallery.tar.gz";
directory = ".";
}}
# Delete files and directories that exists in the gallery that don't exist in the tarball
filesToRemove="$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))"
while IFS= read -r fname; do
rm -f "$fname" ||:
rm -f ".thumbnails/$fname.png" ||:
done <<< "$filesToRemove"
find . -type d -empty -delete
mkdir -p .thumbnails
images="$(find . -type f -not -path './.thumbnails*')"
while IFS= read -r fname; do
# Skip this file if an up-to-date thumbnail already exists
if [ -f ".thumbnails/$fname.png" ] && \
[ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
then
continue
fi
echo "Creating thumbnail for $fname"
mkdir -p "$(dirname ".thumbnails/$fname")"
magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
done <<< "$images"
'';
});
AmbientCapabilities = [ "" ]; AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ]; CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ]; DeviceAllow = [ "" ];
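Review bot: In the thumbnail loop, `magick ... ||:` is followed unconditionally by `touch -m -d ...`, so when conversion fails `touch` creates an empty `.png` carrying the source's mtime and the up-to-date check skips that image on every later run; only touch when `magick` succeeded. Moving the body into `writeShellApplication` also turns on `nounset` and `pipefail`, which deserves a line in the commit message. The removal list assumes the names printed by `tar -tf` carry the same `./` prefix as the `find .` output; a comment stating that requirement on the tarball would help.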
@@ -83,6 +83,7 @@ in
}; };
services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = { services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
kTLS = true;
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@@ -22,6 +22,7 @@ in
sops.templates."hookshot-registration.yaml" = { sops.templates."hookshot-registration.yaml" = {
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
group = config.users.groups.keys-matrix-registrations.name; group = config.users.groups.keys-matrix-registrations.name;
mode = "0440";
restartUnits = [ "matrix-hookshot.service" ]; restartUnits = [ "matrix-hookshot.service" ];
content = '' content = ''
id: matrix-hookshot id: matrix-hookshot
@@ -49,12 +50,59 @@ in
systemd.services.matrix-hookshot = { systemd.services.matrix-hookshot = {
serviceConfig = { serviceConfig = {
DynamicUser = true;
SupplementaryGroups = [ SupplementaryGroups = [
config.users.groups.keys-matrix-registrations.name config.users.groups.keys-matrix-registrations.name
]; ];
LoadCredential = [ LoadCredential = [
"passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}" "passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
]; ];
RuntimeDirectory = [ "matrix-hookshot/root-mnt" ];
RootDirectory = "/run/matrix-hookshot/root-mnt";
BindReadOnlyPaths = [
config.sops.templates."hookshot-registration.yaml".path
builtins.storeDir
"/etc"
"/run/nscd"
"/var/run/nscd"
];
AmbientCapabilities = "";
CapabilityBoundingSet = "";
LockPersonality = true;
MemoryDenyWriteExecute = false; # node needs this
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
UMask = "0077";
}; };
}; };
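Review bot: `BindReadOnlyPaths` maps the whole of `/etc` into the new `RootDirectory`, which hands the service every world-readable file under the host's `/etc`; binding only what the process needs for name resolution and TLS keeps the chroot meaningful. `MemoryDenyWriteExecute = false` is the default, so the line can be reduced to the comment explaining why it is not enabled. Please also confirm on a running unit that the `keys-matrix-registrations` group from `SupplementaryGroups` is still effective under `PrivateUsers = true`, since the registration file is readable only through that group (`mode = "0440"`).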
@@ -146,6 +194,7 @@ in
}; };
services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = { services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
kTLS = true;
enableACME = true; enableACME = true;
addSSL = true; addSSL = true;
locations."/" = { locations."/" = {
-7
@@ -64,11 +64,4 @@ in
''; '';
}; };
}; };
networking.firewall.allowedUDPPortRanges = [
{
from = cfg.settings.rtc.port_range_start;
to = cfg.settings.rtc.port_range_end;
}
];
} }
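Review bot: This removes the only visible firewall opening for `cfg.settings.rtc.port_range_start` to `cfg.settings.rtc.port_range_end`, and nothing in the hunk replaces it. If the service still offers media over that UDP range, clients will fall back or fail; state in the commit message whether the range is opened elsewhere or is intentionally closed.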
+49
@@ -54,4 +54,53 @@
# TODO: Fix upstream module in nixpkgs # TODO: Fix upstream module in nixpkgs
pantalaimon.username = "bot_admin"; pantalaimon.username = "bot_admin";
}; };
systemd.services.mjolnir.serviceConfig = {
DynamicUser = true;
RuntimeDirectory = [ "mjolnir/root-mnt" ];
RootDirectory = "/run/mjolnir/root-mnt";
BindReadOnlyPaths = [
config.sops.secrets."matrix/mjolnir/access_token".path
builtins.storeDir
"/etc"
"/run/nscd"
"/var/run/nscd"
];
AmbientCapabilities = "";
CapabilityBoundingSet = "";
LockPersonality = true;
MemoryDenyWriteExecute = false; # node needs this
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
UMask = "0077";
};
} }
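Review bot: The access token is exposed by listing `config.sops.secrets."matrix/mjolnir/access_token".path` in `BindReadOnlyPaths`, but with `DynamicUser = true` the unit has no stable UID that the sops file can be owned by, so reading it depends on the file's mode being wider than it should be. Pass it with `LoadCredential`, as the hookshot unit does for `passkey.pem`, and point mjolnir at the credentials path. As in hookshot, the full `/etc` bind is broader than needed.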
@@ -56,6 +56,55 @@ in
enableSynapseIntegration = false; enableSynapseIntegration = false;
}; };
systemd.services."matrix-ooye" = {
serviceConfig = {
RuntimeDirectory = [ "matrix-ooye/root-mnt" ];
RootDirectory = "/run/matrix-ooye/root-mnt";
BindReadOnlyPaths = [
builtins.storeDir
"/etc"
"/run/nscd"
"/var/run/nscd"
];
AmbientCapabilities = "";
CapabilityBoundingSet = "";
LockPersonality = true;
MemoryDenyWriteExecute = false; # node needs this
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
UMask = "0077";
};
};
systemd.services."matrix-synapse" = { systemd.services."matrix-synapse" = {
after = [ after = [
"matrix-ooye-pre-start.service" "matrix-ooye-pre-start.service"
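Review bot: This is the third copy of the same roughly forty-line sandboxing block (hookshot, mjolnir, ooye), and the copies already differ: this one has no `DynamicUser = true`. Move the shared settings into one attrset or module option and merge the per-service differences on top, with a comment on why ooye keeps a static user, so a later tightening is applied to all three.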
@@ -80,6 +129,7 @@ in
}; };
services.nginx.virtualHosts."ooye.pvv.ntnu.no" = { services.nginx.virtualHosts."ooye.pvv.ntnu.no" = {
kTLS = true;
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/".proxyPass = "http://localhost:${cfg.socket}"; locations."/".proxyPass = "http://localhost:${cfg.socket}";
+23 -22
@@ -23,27 +23,28 @@ in
}; };
systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable { systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable {
serviceConfig.LoadCredential = [ serviceConfig = {
"sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}" LoadCredential = [
]; "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
];
preStart = let ExecStartPre = let
knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" '' knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U= innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U=
innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8= innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
''; '';
in '' rsyncArgs = lib.cli.toCommandLineShellGNU { } {
mkdir -p '${cfg.minecraftLogsDir}' archive = true;
"${lib.getExe pkgs.rsync}" \ verbose = true;
--archive \ progress = true;
--verbose \ no-owner = true;
--progress \ no-group = true;
--no-owner \ };
--no-group \ sshCommand = ''${pkgs.openssh}/bin/ssh -o UserKnownHostsFile='${knownHostsFile}' -i \"$CREDENTIALS_DIRECTORY\"/sshkey'';
--rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \ in [
root@innovation.pvv.ntnu.no:/ \ "${lib.getExe' pkgs.coreutils "mkdir"} -p '${cfg.minecraftLogsDir}'"
'${cfg.minecraftLogsDir}'/ "${lib.getExe pkgs.rsync} ${rsyncArgs} --rsh=\"${sshCommand}\" root@innovation.pvv.ntnu.no:/ '${cfg.minecraftLogsDir}'/"
''; ];
};
}; };
} }
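Review bot: `ExecStartPre` lines are parsed by systemd, not a shell, so `\"$CREDENTIALS_DIRECTORY\"` embedded in the middle of the quoted `--rsh` argument is not handled the way it was in the old `preStart` script; systemd documents the bare `$VAR` form as substituted only when it is a word of its own. Use the `%d` specifier (`-i %d/sshkey`), as the bluemap unit in this series does, and drop the escaped inner quotes. The inline known-hosts file pins three host keys for `innovation.pvv.ntnu.no`; keeping only the ed25519 entry would narrow what the client accepts.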
+15
@@ -23,6 +23,9 @@ in
bind-address = values.services.mysql.ipv4; bind-address = values.services.mysql.ipv4;
skip-networking = 0; skip-networking = 0;
# Useful for the mysqld prometheus exporter
userstat = 1;
# This was needed in order to be able to use all of the old users # This was needed in order to be able to use all of the old users
# during migration from knakelibrak to bicep in Sep. 2023 # during migration from knakelibrak to bicep in Sep. 2023
secure_auth = 0; secure_auth = 0;
@@ -71,4 +74,16 @@ in
]; ];
}; };
}; };
services.logrotate = lib.mkIf (cfg.settings.mysqld.slow-query-log == 1) {
enable = true;
settings.mysql-slowlog = {
files = [ cfg.settings.mysqld.slow-query-log-file ];
frequency = "weekly";
rotate = 12;
create = "0660 mysql mysql";
minsize = "1M";
compress = true;
};
};
} }
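Review bot: The `mysql-slowlog` entry rotates the file but gives mysqld no signal to reopen it, so after the first rotation the server keeps writing to the renamed file and the fresh one from `create` stays empty; add a `postrotate` that flushes the slow log, or use `copytruncate`. Slow query logs contain statement text, so `0640` is a safer `create` mode than the group-writable `0660` unless something in the `mysql` group has to write to the file.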
+23 -1
@@ -29,7 +29,29 @@
firewall = { firewall = {
enable = true; enable = true;
# Allow SSH and HTTP and ports for email and irc # Allow SSH and HTTP and ports for email and irc
allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ]; allowedTCPPorts = [
22 # SSH
80 # HTTP
# IRC
194 # IRC
994 # IRC (TLS)
6697 # IRC (SSL)
6665
6666
6667
6668
6669
# EMAIL
25 # STMP
465 # STMP (SSL)
587 # STMP (TLS/STARTTLS)
110 # POP3
995 # POP3 (SSL/TLS)
143 # IMAP
993 # IMAP (SSL/TLS)
];
allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ]; allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
}; };
# Use systemd-resolved inside the container # Use systemd-resolved inside the container
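Review bot: The new comments spell SMTP as `STMP` three times (ports 25, 465, 587), and the bare `# IRC` header is followed by a second `# IRC` on 194. More importantly, `allowedUDPPorts` is left as the old unlabelled list that mirrors the TCP ports (including the duplicated 993 and 995), although none of SSH, HTTP, IRC, SMTP, POP3 or IMAP is served over UDP; while touching this block, reduce the UDP list to what is actually in use.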
+1
@@ -7,6 +7,7 @@
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./services/bluemap.nix
(fp /base) (fp /base)
]; ];
+113
@@ -0,0 +1,113 @@
{ config, lib, pkgs, inputs, ... }:
let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
in {
# NOTE: our version of the module gets added in flake.nix
disabledModules = [ "services/web-apps/bluemap.nix" ];
sops.secrets."bluemap/ssh-key" = { };
sops.secrets."bluemap/ssh-known-hosts" = { };
services.bluemap = {
enable = true;
eula = true;
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
enableNginx = false;
host = "minecraft.pvv.ntnu.no";
maps = let
inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
in {
"verden" = {
extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:overworld";
name = "Verden";
sorting = 0;
start-pos = {
x = 0;
z = 0;
};
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
};
"underverden" = {
extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_nether";
name = "Underverden";
sorting = 100;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#290000";
void-color = "#150000";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
render-mask = [{
max-y = 90;
}];
};
};
"enden" = {
extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_end";
name = "Enden";
sorting = 200;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#080010";
void-color = "#080010";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
};
};
systemd.services."render-bluemap-maps" = {
serviceConfig = {
StateDirectory = [ "bluemap/world" ];
ExecStartPre = let
rsyncArgs = lib.cli.toCommandLineShellGNU { } {
archive = true;
compress = true;
verbose = true;
no-owner = true;
no-group = true;
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
};
in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
ExecStartPost = let
rsyncArgs = lib.cli.toCommandLineShellGNU { } {
archive = true;
compress = true;
verbose = true;
no-owner = true;
no-group = true;
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
};
in "${lib.getExe pkgs.rsync} ${rsyncArgs} --groupmap=root:nginx ${config.services.bluemap.webRoot}/ root@bekkalokk.pvv.ntnu.no:/";
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
];
};
};
}
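Review bot: `ExecStartPre` and `ExecStartPost` each define an identical `rsyncArgs` let-binding; hoist it into one binding so the two transfers cannot drift apart. The same `sshkey` credential logs in as `root` on both `innovation.pvv.ntnu.no` (pull) and `bekkalokk.pvv.ntnu.no` (push), so one leaked key reaches both hosts; a separate key per direction, each restricted on the remote side, would contain that. `StateDirectory` declares `bluemap/world` while the pull writes to `vanillaSurvival` (`/var/lib/bluemap/vanilla_survival_world`); if that is intentional, a comment would help.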
@@ -5,6 +5,7 @@
./grafana.nix ./grafana.nix
./loki.nix ./loki.nix
./prometheus ./prometheus
./scrutiny.nix
./uptime-kuma.nix ./uptime-kuma.nix
]; ];
} }
@@ -8,6 +8,7 @@ in {
./matrix-synapse.nix ./matrix-synapse.nix
./mysqld.nix ./mysqld.nix
./postgres.nix ./postgres.nix
./dibbler.nix
]; ];
services.prometheus = { services.prometheus = {
@@ -0,0 +1,96 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.prometheus.exporters.sql;
configFile =
if cfg.configFile != null then
cfg.configFile
else
let
nameInline = lib.mapAttrsToList (k: v: v // { name = k; });
renameStartupSql = j: removeAttrs (j // { startup_sql = j.startupSql; }) [ "startupSql" ];
configuration = {
jobs = map renameStartupSql (
nameInline (lib.mapAttrs (k: v: (v // { queries = nameInline v.queries; })) cfg.configuration.jobs)
);
};
in
builtins.toFile "config.yaml" (builtins.toJSON configuration);
in
{
sops.secrets."config/postgresql_dibbler_password" = { };
services.prometheus.scrapeConfigs = [
{
job_name = "sql_exporter";
scrape_interval = "1m";
scheme = "http";
static_configs = [
{
targets = [ "localhost:9237" ];
}
];
}
];
services.prometheus.exporters.sql = {
enable = true;
configuration = {
jobs.dibbler = {
interval = "1m";
queries."daily_purchase_sum" = {
help = "Sum of purchases for the current day.";
labels = [ "thing" ];
values = [ "sum" ];
query = "SELECT SUM(price) FROM purchases GROUP BY DATE(time) ORDER BY DATE(time) DESC LIMIT 1";
};
queries."total_purchase_sum" = {
help = "Sum of all purchases.";
labels = [ "thing" ];
values = [ "sum" ];
query = "SELECT SUM(price) FROM purchases";
};
queries."total_stock_value" = {
help = "The value of all stock in dibbler.";
labels = [ "thing" ];
values = [ "sum" ];
query = "SELECT SUM(price * stock) FROM products";
};
queries."user_credit_sum" = {
help = "The sum of all user credit.";
labels = [ "thing" ];
values = [ "sum" ];
query = "SELECT SUM(credit) FROM users";
};
};
};
};
systemd.services."prometheus-sql-exporter".serviceConfig = {
RuntimeDirectory = "prometheus-sql-exporter";
LoadCredential = "postgresql_dibbler_password:${
config.sops.secrets."config/postgresql_dibbler_password".path
}";
ExecStartPre = ''
|${lib.getExe pkgs.jq} \
--null-input \
--compact-output \
--slurpfile config '${configFile}' \
--rawfile pw '%d/postgresql_dibbler_password' \
--from-file '${pkgs.writeText "prometheus-sql-exec-start-jq-filter" ''
("postgres://pvv_vv:\($pw | gsub("\n"; ""))@postgres.pvv.ntnu.no") as $pg_uri
| $config[0]
| .jobs[0].connections[0] = $pg_uri
''}' > /run/prometheus-sql-exporter/config.yaml
'';
};
}
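Review bot: In the jq filter, the password is spliced into `postgres://pvv_vv:\($pw ...)@postgres.pvv.ntnu.no` without percent-encoding, so a password containing `@`, `:`, `/` or `#` yields a broken or misparsed URI; jq's `@uri` formatter handles that. The rendered `/run/prometheus-sql-exporter/config.yaml` holds the password in clear text, yet `RuntimeDirectory` is left at its default mode; set `RuntimeDirectoryMode = "0700"` and a matching `UMask`. Each query declares `labels = [ "thing" ]` although no query returns a `thing` column, and the URI names neither a database nor an `sslmode`.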
@@ -1,14 +1,12 @@
{ ... }: { ... }:
{ {
services.prometheus = { services.prometheus.scrapeConfigs = [{
scrapeConfigs = [ job_name = "exim";
{ scrape_interval = "15s";
job_name = "exim"; scheme = "http";
scrape_interval = "15s";
static_configs = [{ static_configs = [{
targets = [ "microbel.pvv.ntnu.no:9636" ]; targets = [ "microbel.pvv.ntnu.no:9636" ];
}]; }];
} }];
];
};
} }
@@ -0,0 +1,40 @@
{ config, values, ... }:
let
cfg = config.services.scrutiny;
in
{
services.scrutiny = {
enable = true;
settings = {
web.listen = {
host = "127.0.0.1";
port = 18293;
basepath = "";
};
# notify.urls = [
# "matrix://username:password@host:port/[?rooms=!roomID1[,roomAlias2]]"
# ];
};
};
services.nginx.virtualHosts."scrutiny.pvv.ntnu.no" = {
kTLS = true;
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${cfg.settings.web.listen.host}:${toString cfg.settings.web.listen.port}";
};
# TODO: allow website access to the outside world, but restrict input api
extraConfig = ''
allow ${values.hosts.ildkule.ipv4}/32;
allow ${values.hosts.ildkule.ipv6}/128;
allow 127.0.0.1/32;
allow ::1/128;
allow ${values.ipv4-space};
allow ${values.ipv6-space};
deny all;
'';
};
}
@@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, values, ... }:
let let
cfg = config.services.uptime-kuma; cfg = config.services.uptime-kuma;
domain = "status.pvv.ntnu.no"; domain = "status.pvv.ntnu.no";
@@ -19,9 +19,26 @@ in {
locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}"; locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
}; };
fileSystems."/var/lib/uptime-kuma" = { fileSystems."/var/lib/private/uptime-kuma" = {
device = stateDir; device = stateDir;
fsType = "bind"; fsType = "bind";
options = [ "bind" ]; options = [ "bind" ];
}; };
services.rsync-pull-targets = {
enable = true;
locations.${stateDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJXzcDm6cVr4NmWzUSroy33FlielKqaG83wY0RCMC0p/ uptime_kuma rsync backup";
};
};
} }
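Review bot: `rrsyncArgs.ro = true` lets principal pull `stateDir` while the service is running, and a file-level copy of a database that is being written can be inconsistent; either snapshot or dump before the pull, or document that restores are best-effort. The bind mount target moved to `/var/lib/private/uptime-kuma`, which implies the unit runs with `DynamicUser`; a comment saying so would explain the path.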
-2
@@ -15,8 +15,6 @@
address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ]; address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
}; };
services.btrfs.autoScrub.enable = true;
services.qemuGuest.enable = true; services.qemuGuest.enable = true;
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.
@@ -72,50 +72,52 @@ in
Type = "oneshot"; Type = "oneshot";
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
PrivateNetwork = true;
ExecStart = let
logo-svg = fp /assets/logo_blue_regular.svg;
logo-png = fp /assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
'';
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
labels = lib.importJSON ./labels/projects.json;
};
customTemplates = pkgs.runCommandLocal "gitea-templates" {
nativeBuildInputs = with pkgs; [
coreutils
gnused
];
} ''
# Bigger icons
install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl"
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
'';
install = lib.getExe' pkgs.coreutils "install";
in [
"${install} -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'"
"${install} -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'"
"${install} -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'"
"${install} -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'"
"${install} -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'"
"${install} -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'"
"${install} -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'"
"${install} -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'"
"${install} -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'"
"${install} -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'"
"${lib.getExe pkgs.rsync} -a '${customTemplates}/' '${cfg.customDir}/templates/'"
];
}; };
script = let
logo-svg = fp /assets/logo_blue_regular.svg;
logo-png = fp /assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
'';
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
labels = lib.importJSON ./labels/projects.json;
};
customTemplates = pkgs.runCommandLocal "gitea-templates" {
nativeBuildInputs = with pkgs; [
coreutils
gnused
];
} ''
# Bigger icons
install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl"
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
'';
in ''
install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'
install -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'
install -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'
install -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'
install -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'
install -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'
install -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'
install -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'
install -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'
install -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'
'${lib.getExe pkgs.rsync}' -a '${customTemplates}/' '${cfg.customDir}/templates/'
'';
}; };
} }
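Review bot: The `script` form installs `huh.gif` as `huh.png`, `okiedokie.jpg` as `okiedokie.png` and `loading.apng` as `loading.png`, so three files end up with an extension that does not match their format, and nothing in the hunk says this is deliberate. If the `.png` names are required by Gitea's custom emoji lookup, a one-line comment above those `install` lines would stop someone from "fixing" the names later; otherwise convert the assets. The same block also calls a bare `install` from PATH while rsync is referenced through `lib.getExe`; pick one style.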
+7 -9
@@ -139,6 +139,9 @@ in {
AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2; AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
}; };
actions.ENABLED = true; actions.ENABLED = true;
webhook.ALLOWED_HOST_LIST = lib.concatStringsSep "," [
"external"
];
}; };
dump = { dump = {
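Review bot: `webhook.ALLOWED_HOST_LIST` is pinned to the single value `"external"` with no comment explaining why, and that is the setting that keeps repository webhooks from being pointed at loopback or private addresses. A short comment stating that `loopback` and `private` are left out on purpose would make any later addition to this list a visible decision rather than a convenience edit. With one element, `lib.concatStringsSep ","` adds nothing over the plain string, though it is harmless if more entries are expected.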
@@ -228,14 +231,9 @@ in {
}; };
in lib.mkForce "${lib.getExe cfg.package} dump ${args}"; in lib.mkForce "${lib.getExe cfg.package} dump ${args}";
# Only keep n backup files at a time # Only keep a single backup file at a time.
postStop = let postStop = ''
cu = prog: "'${lib.getExe' pkgs.coreutils prog}'"; ${lib.getExe' pkgs.coreutils "mv"} '${cfg.dump.backupDir}'/gitea-dump-*.tar.gz gitea-dump.tar.gz
backupCount = 3; '';
in ''
for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
${cu "rm"} "$file"
done
'';
}; };
} }
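Review bot: The new `postStop` moves `'${cfg.dump.backupDir}'/gitea-dump-*.tar.gz` to a relative `gitea-dump.tar.gz`, so the destination depends on the unit's working directory rather than on `cfg.dump.backupDir`. The glob is also fragile: with two or more matches `mv` is handed several sources and a non-directory target and fails, and with no match the literal pattern is passed through and it fails as well. Suggest an absolute target such as `'${cfg.dump.backupDir}/gitea-dump.tar.gz'` and an explicit choice of the newest dump before moving it, so a failed or repeated dump cannot leave the service without a usable backup.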
+6 -4
@@ -38,11 +38,11 @@ in
Type = "oneshot"; Type = "oneshot";
User = cfg.user; User = cfg.user;
PrivateNetwork = true; PrivateNetwork = true;
ExecStart = [
"${lib.getExe pkgs.gnupg} --import '${config.sops.secrets."gitea/gpg-signing-key-public".path}'"
"${lib.getExe pkgs.gnupg} --import '${config.sops.secrets."gitea/gpg-signing-key-private".path}'"
];
}; };
script = ''
${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-public".path}
${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-private".path}
'';
}; };
services.gitea.settings."repository.signing" = { services.gitea.settings."repository.signing" = {
@@ -50,6 +50,8 @@ in
SIGNING_NAME = "PVV Git"; SIGNING_NAME = "PVV Git";
SIGNING_EMAIL = "gitea@git.pvv.ntnu.no"; SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
INITIAL_COMMIT = "always"; INITIAL_COMMIT = "always";
MERGES = lib.concatStringsSep "," [ "always" ];
CRUD_ACTIONS = lib.concatStringsSep "," [ "always" ];
WIKI = "always"; WIKI = "always";
}; };
} }
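Review bot: `MERGES` and `CRUD_ACTIONS` are both set to `always`, which means every merge and every web-editor commit is signed with the instance key ("PVV Git") no matter who triggered it. If the signature is meant to tell readers anything beyond "this went through Gitea", consider one of the conditional values Gitea accepts here (for example `pubkey` or `twofa`), and add a comment saying which guarantee the signature is supposed to carry. Style: the neighbouring keys use a plain `"always"`; wrapping a one-element list in `lib.concatStringsSep` is inconsistent unless more conditions are planned.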
@@ -11,9 +11,9 @@ in
systemd.services.gitea-import-users = lib.mkIf cfg.enable { systemd.services.gitea-import-users = lib.mkIf cfg.enable {
enable = true; enable = true;
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd"; environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
serviceConfig = { serviceConfig = {
ExecStartPre = ''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
ExecStart = pkgs.writers.writePython3 "gitea-import-users" { ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
flakeIgnore = [ flakeIgnore = [
"E501" # Line over 80 chars lol "E501" # Line over 80 chars lol
+6 -3
@@ -9,6 +9,12 @@
sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml; sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
boot.binfmt.emulatedSystems = [
"aarch64-linux"
"armv7l-linux"
"i686-linux"
];
systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // { systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
matchConfig.Name = "enp0s31f6"; matchConfig.Name = "enp0s31f6";
address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ]; address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ];
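Review bot: `boot.binfmt.emulatedSystems` is added for three foreign architectures without a comment on what needs them. Registering binfmt handlers means any process on the host can execute aarch64, armv7l and i686 binaries through the emulator, so it is worth stating the consumer (a build runner, cross builds) next to the list and trimming it to the architectures that consumer actually uses.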
@@ -18,9 +24,6 @@
anyInterface = true; anyInterface = true;
}; };
# There are no smart devices
services.smartd.enable = false;
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.05"; system.stateVersion = "25.05";
+40 -14
@@ -28,26 +28,52 @@
sops.secrets = { sops.secrets = {
"dibbler/postgresql/password" = { "dibbler/postgresql/password" = {
owner = "dibbler"; owner = "drumknotty";
group = "dibbler"; group = "drumknotty";
};
"worblehat/postgresql/password" = {
owner = "drumknotty";
group = "drumknotty";
}; };
}; };
services.dibbler = { services.drumknotty = {
enable = true; enable = true;
kioskMode = true; kioskMode = true;
limitScreenWidth = 80;
limitScreenHeight = 42;
settings = { screen = {
general.quit_allowed = false; limitWidth = 80;
database = { limitHeight = 42;
type = "postgresql"; };
postgresql = {
username = "pvv_vv"; dibbler = {
dbname = "pvv_vv"; enable = true;
host = "postgres.pvv.ntnu.no"; settings = {
password_file = config.sops.secrets."dibbler/postgresql/password".path; general.quit_allowed = false;
database = {
type = "postgresql";
postgresql = {
username = "pvv_vv";
dbname = "pvv_vv";
host = "postgres.pvv.ntnu.no";
password_file = config.sops.secrets."dibbler/postgresql/password".path;
};
};
};
};
worblehat = {
enable = true;
settings = {
general.quit_allowed = false;
database = {
type = "postgresql";
postgresql = {
username = "worblehat";
dbname = "worblehat";
host = "postgres.pvv.ntnu.no";
password = config.sops.secrets."worblehat/postgresql/password".path;
};
}; };
}; };
}; };
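Review bot: In the `worblehat` block the secret is wired as `password = config.sops.secrets."worblehat/postgresql/password".path;`, while the `dibbler` block directly above uses `password_file` for the same kind of value. As written, the database password would be the path string of the secret file rather than its contents, and that path ends up in the rendered settings. Unless worblehat really has no file-based option, this should be `password_file` (or whatever its equivalent key is).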
@@ -0,0 +1 @@
target
@@ -0,0 +1,171 @@
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 4
[[package]]
name = "apache-log-processor"
version = "0.1.0"
dependencies = [
"nix",
"time",
]
[[package]]
name = "bitflags"
version = "2.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c4512299f36f043ab09a583e57bceb5a5aab7a73db1805848e8fef3c9e8c78b3"
[[package]]
name = "cfg-if"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
[[package]]
name = "cfg_aliases"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
[[package]]
name = "deranged"
version = "0.5.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c"
dependencies = [
"powerfmt",
]
[[package]]
name = "itoa"
version = "1.0.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
[[package]]
name = "libc"
version = "0.2.186"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "68ab91017fe16c622486840e4c83c9a37afeff978bd239b5293d61ece587de66"
[[package]]
name = "nix"
version = "0.31.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cf20d2fde8ff38632c426f1165ed7436270b44f199fc55284c38276f9db47c3d"
dependencies = [
"bitflags",
"cfg-if",
"cfg_aliases",
"libc",
]
[[package]]
name = "num-conv"
version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "521739c6d2bac4aa25192232afe6841231376b2b26d4d9fae5ecf8ca5772e441"
[[package]]
name = "num_threads"
version = "0.1.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c7398b9c8b70908f6371f47ed36737907c87c52af34c268fed0bf0ceb92ead9"
dependencies = [
"libc",
]
[[package]]
name = "powerfmt"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
[[package]]
name = "proc-macro2"
version = "1.0.106"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934"
dependencies = [
"unicode-ident",
]
[[package]]
name = "quote"
version = "1.0.45"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
dependencies = [
"proc-macro2",
]
[[package]]
name = "serde_core"
version = "1.0.228"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
dependencies = [
"serde_derive",
]
[[package]]
name = "serde_derive"
version = "1.0.228"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "syn"
version = "2.0.117"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
dependencies = [
"proc-macro2",
"quote",
"unicode-ident",
]
[[package]]
name = "time"
version = "0.3.47"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c"
dependencies = [
"deranged",
"itoa",
"libc",
"num-conv",
"num_threads",
"powerfmt",
"serde_core",
"time-core",
"time-macros",
]
[[package]]
name = "time-core"
version = "0.1.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"
[[package]]
name = "time-macros"
version = "0.2.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215"
dependencies = [
"num-conv",
"time-core",
]
[[package]]
name = "unicode-ident"
version = "1.0.24"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
@@ -0,0 +1,19 @@
[package]
name = "apache-log-processor"
version = "0.1.0"
edition = "2024"
autobins = false
license = "MIT"
authors = [
"projects@pvv.ntnu.no",
]
[dependencies]
nix = { version = "0.31.3", features = ["event", "fs", "user"] }
time = { version = "0.3.47", features = ["formatting", "local-offset"] }
[[bin]]
name = "apache-log-processor"
bench = false
path = "src/main.rs"
@@ -0,0 +1,33 @@
{
lib
, rustPlatform
, stdenv
}:
let
cargoToml = fromTOML (builtins.readFile ./Cargo.toml);
cargoLock = ./Cargo.lock;
mainProgram = (lib.head cargoToml.bin).name;
pname = cargoToml.package.name;
in
rustPlatform.buildRustPackage {
inherit pname;
inherit (cargoToml.package) version;
src = lib.fileset.toSource {
root = ./.;
fileset = lib.fileset.unions [
./Cargo.toml
./Cargo.lock
./src
];
};
cargoLock.lockFile = cargoLock;
doCheck = true;
meta = with lib; {
license = licenses.mit;
platforms = platforms.linux;
inherit mainProgram;
};
}
@@ -0,0 +1,321 @@
use nix::{
errno::Errno,
fcntl::{FcntlArg, OFlag, fcntl, open},
sys::{
epoll::{Epoll, EpollCreateFlags, EpollEvent, EpollFlags, EpollTimeout},
stat::Mode,
},
unistd::{User, getegid, geteuid, read, setegid, seteuid, write},
};
use std::{
collections::VecDeque,
os::fd::{AsFd, BorrowedFd, OwnedFd},
path::PathBuf,
process::exit,
};
use time::{OffsetDateTime, format_description};
const READ_BUFFER_SIZE: usize = 8 * 1024;
#[derive(Debug, Clone, Copy)]
enum LogMode {
Access,
Error,
}
fn main() -> Result<(), String> {
let log_mode = match std::env::args().nth(1).as_deref() {
Some("access") => LogMode::Access,
Some("error") => LogMode::Error,
Some(other) => {
return Err(format!(
"invalid log mode `{other}`; expected `access` or `error`"
));
}
None => return Err("missing log mode argument; expected `access` or `error`".to_string()),
};
let tee_file = match log_mode {
LogMode::Access => None,
LogMode::Error => Some(
open(
&PathBuf::from("/var/log/httpd/error.log"),
OFlag::O_WRONLY | OFlag::O_APPEND | OFlag::O_CREAT | OFlag::O_CLOEXEC,
Mode::S_IRUSR | Mode::S_IWUSR,
)
.map_err(|error| format!("failed to open error log for teeing: {error}"))?,
),
};
let stdin = std::io::stdin();
fcntl(stdin.as_fd(), FcntlArg::F_GETFL)
.map(OFlag::from_bits_retain)
.map(|flags| FcntlArg::F_SETFL(flags | OFlag::O_NONBLOCK))
.and_then(|flags| fcntl(stdin.as_fd(), flags))
.map_err(|error| format!("failed to make stdin nonblocking: {error}"))?;
let epoll = Epoll::new(EpollCreateFlags::EPOLL_CLOEXEC)
.map_err(|error| format!("failed to create epoll instance: {error}"))?;
epoll
.add(
stdin.as_fd(),
EpollEvent::new(
EpollFlags::EPOLLIN | EpollFlags::EPOLLERR | EpollFlags::EPOLLHUP,
0,
),
)
.map_err(|error| format!("failed to register stdin with epoll: {error}"))?;
if let Err(error) = event_loop(log_mode, epoll, stdin.as_fd(), tee_file) {
eprintln!("Error: {error}");
exit(1);
}
Ok(())
}
fn event_loop(
log_mode: LogMode,
epoll: Epoll,
stdin_fd: BorrowedFd<'_>,
mut tee_file: Option<OwnedFd>,
) -> Result<(), String> {
let mut events = [EpollEvent::empty(); 1];
let mut pending = VecDeque::new();
loop {
let ready = loop {
match epoll.wait(&mut events, EpollTimeout::NONE) {
Ok(ready) => break ready,
Err(Errno::EINTR) => continue,
Err(error) => {
return Err(format!("epoll wait failed: {error}"));
}
}
};
if ready == 0 {
continue;
}
let mut scratch = [0u8; READ_BUFFER_SIZE];
let eof = loop {
match read(stdin_fd, &mut scratch) {
Ok(0) => break true,
Ok(read_bytes) => pending.extend(scratch[..read_bytes].iter().copied()),
Err(Errno::EINTR) => continue,
Err(Errno::EAGAIN) => break false,
Err(error) => {
return Err(format!("failed to read from stdin: {error}"));
}
}
};
while let Some(newline_index) = pending.iter().position(|byte| *byte == b'\n') {
let line = pending.make_contiguous();
process_line(log_mode, &line[..=newline_index], &mut tee_file)?;
pending.drain(..=newline_index);
}
if eof {
if !pending.is_empty() {
process_line(log_mode, pending.make_contiguous(), &mut tee_file)?;
pending.clear();
}
return Ok(());
}
}
}
fn process_line(
log_mode: LogMode,
line: &[u8],
tee_file: &mut Option<OwnedFd>,
) -> Result<(), String> {
if let Some(tee_file) = tee_file.as_ref() {
write_all_fd(tee_file, line).map_err(|error| {
format!("failed to append to APACHE_LOG_PROCESSOR_TEE_FILE: {error}")
})?;
}
if let Some(user) =
parse_username_from_line(line).and_then(|name| User::from_name(name).ok().flatten())
{
let identity = EffectiveIdentity::switch_to(&user).map_err(|error| {
format!(
"failed to switch effective identity to {} (uid {}, gid {}): {error}",
user.name, user.uid, user.gid
)
})?;
let result: Result<(), String> = (|| {
let dir = user.dir.join("nobackup/weblogs");
if !dir.is_dir() {
return Err(format!(
"logs directory {} does not exist for user {}",
dir.display(),
user.name
));
}
let now = OffsetDateTime::now_local()
.unwrap_or_else(|_| OffsetDateTime::now_utc())
.format(&format_description::parse("[year]-[month]-[day]").unwrap())
.map_err(|error| {
format!("failed to format current date for log file name: {error}")
})?;
let logfile = dir.join(match log_mode {
LogMode::Access => format!("access-{now}.log"),
LogMode::Error => format!("error-{now}.log"),
});
let fd = open(
&logfile,
OFlag::O_WRONLY | OFlag::O_APPEND | OFlag::O_CREAT | OFlag::O_CLOEXEC,
Mode::S_IRUSR
| Mode::S_IWUSR
| Mode::S_IRGRP
| Mode::S_IROTH
| Mode::S_IWGRP
| Mode::S_IWOTH,
)
.map_err(|error| format!("failed to open log file for user {}: {error}", user.name))?;
write_all_fd(fd.as_fd(), line).map_err(|error| {
format!(
"failed to append to log file for user {}: {error}",
user.name
)
})?;
Ok(())
})();
if let Err(error) = result {
eprintln!("Error processing log line for user {}: {error}", user.name);
}
identity.restore().map_err(|error| {
format!(
"failed to restore original effective identity after handling {}: {error}",
user.name
)
})?;
}
Ok(())
}
fn parse_username_from_line(line: &[u8]) -> Option<&str> {
line.splitn(8, |&b| b == b' ')
.nth(6)
.and_then(|path| {
path.strip_prefix(b"/~")
.and_then(|rest| rest.split(|&b| b == b'/').next())
})
.or_else(|| {
line.windows(b"/home/pvv/".len())
.enumerate()
.find_map(|(start, window)| {
(window == b"/home/pvv/")
.then_some(start + b"/home/pvv/".len())
.and_then(|start| line.get(start..))
.filter(|rest| rest.get(1) == Some(&b'/'))
.and_then(|rest| rest.get(2..))
.and_then(|rest| rest.split(|&b| b == b'/').next())
})
})
.filter(|segment| !segment.is_empty())
.and_then(|segment| std::str::from_utf8(segment).ok())
}
fn write_all_fd<Fd: AsFd>(fd: Fd, mut buffer: &[u8]) -> nix::Result<()> {
while !buffer.is_empty() {
match write(fd.as_fd(), buffer) {
Ok(0) => return Err(Errno::EIO),
Ok(written) => buffer = &buffer[written..],
Err(Errno::EINTR) => continue,
Err(error) => return Err(error),
}
}
Ok(())
}
struct EffectiveIdentity {
saved_euid: nix::unistd::Uid,
saved_egid: nix::unistd::Gid,
restored: bool,
}
impl EffectiveIdentity {
fn switch_to(user: &User) -> nix::Result<Self> {
let guard = Self {
saved_euid: geteuid(),
saved_egid: getegid(),
restored: false,
};
setegid(user.gid)?;
if let Err(error) = seteuid(user.uid) {
let _ = setegid(guard.saved_egid);
return Err(error);
}
Ok(guard)
}
fn restore(mut self) -> nix::Result<()> {
let restore_uid = seteuid(self.saved_euid);
let restore_gid = setegid(self.saved_egid);
self.restored = true;
restore_uid?;
restore_gid?;
Ok(())
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_parse_user_from_access_log() {
let inputs = [(
"1.2.3.4 - - [25/May/2026:10:07:24 +0200] \"GET /~oysteikt/ HTTP/2.0\" 200 3708",
"oysteikt",
)];
for (line, expected_user) in inputs {
let parsed_user = parse_username_from_line(line.as_bytes());
assert_eq!(
parsed_user,
Some(expected_user),
"Failed to parse user from line: {line}"
);
}
}
#[test]
fn test_parse_user_from_error_log() {
let inputs = [(
"[Sat May 09 20:45:21.480016 2026] [authz_core:error] [pid 3555:tid 3617] [remote 1::2:42000] AH01630: client denied by server configuration: /home/pvv/d/oysteikt/web-docs/.git",
"oysteikt",
)];
for (line, expected_user) in inputs {
let parsed_user = parse_username_from_line(line.as_bytes());
assert_eq!(
parsed_user,
Some(expected_user),
"Failed to parse user from line: {line}"
);
}
}
}
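Review bot: `EffectiveIdentity::switch_to` changes only the effective gid and uid (`setegid`, `seteuid`), so the process keeps its original supplementary groups while `process_line` opens a path inside the user-controlled `nobackup/weblogs` directory without `O_NOFOLLOW`. A symlink planted there is followed with the target user's uid plus whatever groups the logger started with. Suggest dropping supplementary groups for the duration of the switch (and restoring them afterwards) and adding `OFlag::O_NOFOLLOW` to that `open`. The same `open` asks for mode 0666 (`S_IWGRP | S_IWOTH` included); only the caller's umask keeps the log from being world-writable, so request 0644 or 0640 explicitly. Smaller points: the tee error message names `APACHE_LOG_PROCESSOR_TEE_FILE` although the path is the hardcoded `/var/log/httpd/error.log`; the `restored` field is written but never read, and a `Drop` impl would be the natural place to use it; `pending` grows without bound if the input never contains a newline; and the tests cover only one well-formed line per mode, with no case for a `/home/pvv/` string appearing in a client-controlled field of an access line, which the `or_else` fallback would accept.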
+140 -37
@@ -2,6 +2,9 @@
let let
cfg = config.services.httpd; cfg = config.services.httpd;
# NOTE Enable this if you want to strace stuff in the sandbox...
debug = false;
homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ]; homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
phpOptions = lib.concatStringsSep "\n" (lib.mapAttrsToList (k: v: "${k} = ${v}"){ phpOptions = lib.concatStringsSep "\n" (lib.mapAttrsToList (k: v: "${k} = ${v}"){
@@ -11,6 +14,8 @@ let
upload_max_filesize = "40M"; upload_max_filesize = "40M";
}); });
apache-log-processor = pkgs.callPackage ./apache-log-processor { };
# https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
phpEnv = pkgs.php.buildEnv { phpEnv = pkgs.php.buildEnv {
extensions = { all, ... }: with all; [ extensions = { all, ... }: with all; [
@@ -39,7 +44,7 @@ let
extraConfig = phpOptions; extraConfig = phpOptions;
}; };
perlEnv = pkgs.perl.withPackages (ps: with ps; [ perlEnv = (pkgs.perl.withPackages (ps: with ps; [
pkgs.exiftool pkgs.exiftool
pkgs.ikiwiki pkgs.ikiwiki
pkgs.irssi pkgs.irssi
@@ -54,7 +59,14 @@ let
ImageMagick ImageMagick
JSON JSON
TemplateToolkit TemplateToolkit
]); ])).overrideAttrs (prev: {
# NOTE: `pkgs.perl.propagatedBuildInputs` don't actually propagate through the
# wrapper derivation created by `withPackages`. This should compensate
# for that.
postBuild = prev.postBuild + ''
cp -r '${pkgs.perl}/nix-support' "$out"/nix-support
'';
});
# https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
pythonEnv = pkgs.python3.buildEnv.override { pythonEnv = pkgs.python3.buildEnv.override {
@@ -67,21 +79,6 @@ let
ignoreCollisions = true; ignoreCollisions = true;
}; };
sendmailWrapper = pkgs.writeShellApplication {
name = "sendmail";
runtimeInputs = [ ];
text = ''
args=("$@")
if [[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]; then
# Prepend -fusername to the argument list, so bounces go to the user
args=("-f$USERDIR_USER" "''${args[@]}")
fi
exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
'';
};
# https://nixos.org/manual/nixpkgs/stable/#sec-building-environment # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
fhsEnv = pkgs.buildEnv { fhsEnv = pkgs.buildEnv {
name = "userweb-env"; name = "userweb-env";
@@ -89,7 +86,7 @@ let
paths = with pkgs; [ paths = with pkgs; [
bash bash
sendmailWrapper config.services.bro.instances.userweb-sendmail.client.package
perlEnv perlEnv
pythonEnv pythonEnv
@@ -149,6 +146,10 @@ let
wget wget
which which
xdg-utils xdg-utils
] ++ lib.optionals debug [
glibc.getent
strace
systemd
]; ];
extraOutputsToInstall = [ extraOutputsToInstall = [
@@ -162,6 +163,11 @@ in
./mail.nix ./mail.nix
]; ];
sops.secrets = {
"httpd/passwd-ssh-key" = { };
"httpd/ssh-known-hosts" = { };
};
services.httpd = { services.httpd = {
enable = true; enable = true;
adminAddr = "drift@pvv.ntnu.no"; adminAddr = "drift@pvv.ntnu.no";
@@ -184,31 +190,44 @@ in
extraModules = [ extraModules = [
"systemd" "systemd"
"userdir" "userdir"
# TODO: I think the compilation steps of pkgs.apacheHttpdPackages.mod_perl might have some {
# incorrect or restrictive assumptions upstream, either nixpkgs or source name = "perl";
# { path = let
# name = "perl"; mod_perl = pkgs.symlinkJoin {
# path = let name = "userweb_modperl_with_custom_perl_env";
# mod_perl = pkgs.apacheHttpdPackages.mod_perl.override { ignoreCollisions = true;
# apacheHttpd = cfg.package.out; paths = [
# perl = perlEnv; (pkgs.apacheHttpdPackages.mod_perl.override {
# }; apacheHttpd = cfg.package.out;
# in "${mod_perl}/modules/mod_perl.so"; })
# } perlEnv
];
};
in "${mod_perl}/modules/mod_perl.so";
}
]; ];
logPerVirtualHost = false;
extraConfig = '' extraConfig = ''
TraceEnable on TraceEnable on
LogLevel warn rewrite:trace3 LogLevel warn rewrite:trace3
ScriptLog ${cfg.logDir}/cgi.log
''; '';
# virtualHosts."userweb.pvv.ntnu.no" = {
virtualHosts."temmie.pvv.ntnu.no" = { virtualHosts."temmie.pvv.ntnu.no" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
serverAliases = [
"www2.pvv.ntnu.no"
];
extraConfig = '' extraConfig = ''
CustomLog "${cfg.logDir}/access.log" combined
CustomLog "|${lib.getExe apache-log-processor} access" combined
ErrorLog "|${lib.getExe apache-log-processor} error"
ScriptLog "${cfg.logDir}/cgi.log"
UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters} UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters}
UserDir disabled root UserDir disabled root
AddHandler cgi-script .cgi AddHandler cgi-script .cgi
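Review bot: `ErrorLog` now goes only to `|apache-log-processor error`, so the server-wide error log exists solely because the processor tees to a path hardcoded in `main.rs` (`/var/log/httpd/error.log`), while `CustomLog` and `ScriptLog` on the adjacent lines use `${cfg.logDir}`. If `logDir` ever changes, or the processor exits (it returns an error on any failed identity switch), error logging silently moves or stops. Suggest passing the tee path as an argument built from `cfg.logDir`, the way the access log keeps its own plain `CustomLog "${cfg.logDir}/access.log"` line next to the piped one.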
@@ -258,6 +277,14 @@ in
# ]; # ];
# }; # };
# NOTE: 54 -> 33, this is the UID/GID we used for www-data on tom in the past.
# Any files accessed by or created by httpd will do so over NFS with this
# UID/GID pair as its credentials.
# This overlaps with the hardcoded `disnix` uid in nixpkgs, but we *probably*
# won't be using that for the foreseeable future.
users.users."wwwrun".uid = lib.mkForce 33;
users.groups."wwwrun".gid = lib.mkForce 33;
systemd.services.httpd = { systemd.services.httpd = {
after = [ "pvv-homedirs.target" ]; after = [ "pvv-homedirs.target" ];
requires = [ "pvv-homedirs.target" ]; requires = [ "pvv-homedirs.target" ];
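Review bot: This hunk forces `wwwrun` to uid/gid 33, but the `ExecStartPre` steps added further down append `wwwrun:x:54:54:...` to the generated passwd and `wwwrun:x:54:` to the generated group file. Inside the sandbox the name `wwwrun` would then resolve to 54 while the process actually runs as 33. The two values should come from one place, for example `config.users.users.wwwrun.uid` and `config.users.groups.wwwrun.gid` interpolated into those `sed` lines. The comment also says the overlap with the `disnix` uid is "probably" fine; an assertion that disnix is not enabled would make that certain.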
@@ -269,17 +296,65 @@ in
serviceConfig = { serviceConfig = {
Type = lib.mkForce "notify"; Type = lib.mkForce "notify";
ExecStartPre = let
rsyncCommand = ''${lib.getExe pkgs.rsync} -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey" -avz'';
in lib.mkForce [
"${lib.getExe (pkgs.writeShellApplication {
name = "http-exec-start-pre-remove-old-semaphores";
text = ''
# Get rid of old semaphores. These tend to accumulate across
# server restarts, eventually preventing it from restarting
# successfully.
for i in $(${pkgs.util-linux}/bin/ipcs -s | grep ' ${cfg.user} ' | cut -f2 -d ' '); do
${pkgs.util-linux}/bin/ipcrm -s "$i"
done
'';
})}"
"${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/passwd /run/httpd/pamunix-in/"
"${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/group /run/httpd/pamunix-in/"
(let
args = lib.cli.toCommandLineShellGNU { } {
passwd-file = "/run/httpd/pamunix-in/passwd";
group-file = "/run/httpd/pamunix-in/group";
output-dir = "/run/httpd/pamunix-out";
shadow-file = pkgs.emptyFile;
output-passwd = true;
ignore-user-file = toString ./ignore_user_file.txt;
ignore-group-file = toString ./ignore_group_file.txt;
};
in ''${lib.getExe pkgs.passwd2systemd-users} ${args}'')
"${lib.getExe' pkgs.coreutils "shred"} -u /run/httpd/pamunix-in/passwd /run/httpd/pamunix-in/group"
":${lib.getExe pkgs.gnused} -i '$ a\\\\root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash' /run/httpd/pamunix-out/passwd"
":${lib.getExe pkgs.gnused} -i '$ a\\\\wwwrun:x:54:54:Apache httpd user:/var/empty:/run/current-system/sw/bin/bash' /run/httpd/pamunix-out/passwd"
":${lib.getExe pkgs.gnused} -i '$ a\\\\root:x:0:' /run/httpd/pamunix-out/group"
":${lib.getExe pkgs.gnused} -i '$ a\\\\wwwrun:x:54:' /run/httpd/pamunix-out/group"
"${lib.getExe' pkgs.coreutils "cat"} /run/httpd/pamunix-out/passwd"
"+${lib.getExe' pkgs.coreutils "chown"} root:root /run/httpd/pamunix-out/passwd /run/httpd/pamunix-out/group"
"+${lib.getExe' pkgs.coreutils "chmod"} 0644 /run/httpd/pamunix-out/passwd /run/httpd/pamunix-out/group"
"+${lib.getExe pkgs.mount} --bind /run/httpd/pamunix-out/passwd /etc/passwd"
"+${lib.getExe pkgs.mount} --bind /run/httpd/pamunix-out/group /etc/group"
];
ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start"; ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start";
ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful"; ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful";
ExecStop = lib.mkForce ""; ExecStop = lib.mkForce "";
KillMode = "mixed"; KillMode = "mixed";
LoadCredential=[
"sshkey:${config.sops.secrets."httpd/passwd-ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."httpd/ssh-known-hosts".path}"
];
ConfigurationDirectory = [ "httpd" ]; ConfigurationDirectory = [ "httpd" ];
LogsDirectory = [ "httpd" ]; LogsDirectory = [ "httpd" ];
LogsDirectoryMode = "0700"; LogsDirectoryMode = "0700";
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETUID" "CAP_SETGID" ] ++ lib.optionals debug [ "CAP_SYS_PTRACE" ];
LockPersonality = true; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SETUID" "CAP_SETGID" ] ++ lib.optionals debug [ "CAP_SYS_PTRACE" ];
LockPersonality = !debug;
PrivateDevices = true; PrivateDevices = true;
PrivateTmp = true; PrivateTmp = true;
# NOTE: this removes CAP_NET_BIND_SERVICE... # NOTE: this removes CAP_NET_BIND_SERVICE...
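Review bot: `AmbientCapabilities` now carries `CAP_SETUID` and `CAP_SETGID`, and ambient capabilities are inherited across `execve`, so unless something clears them first, every child httpd spawns (CGI scripts, the interpreters from the FHS environment, not just the log processor) can change to an arbitrary uid and gid. If only the piped logger needs to switch identity, give that capability to a separate unit or helper rather than to the whole httpd tree, and keep the bounding set at `CAP_NET_BIND_SERVICE`. In the `ExecStartPre` list, the two `+mount --bind ... /etc/passwd` and `/etc/group` lines use the `+` prefix, which per systemd.service(5) runs the command with full privileges and without the unit's file system namespacing; that would bind over the host's files, and the `BindReadOnlyPaths` entries added later in this file already map the same two files into the sandbox, so these lines look removable. The `cat /run/httpd/pamunix-out/passwd` step writes the full user list to the journal on every start and reads like a debugging leftover.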
@@ -306,21 +381,48 @@ in
"tcp:443" "tcp:443"
]; ];
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ SystemCallFilter = lib.mkIf (!debug) [
"@system-service" "@system-service"
"@setuid"
]; ];
UMask = "0077"; UMask = "0077";
RuntimeDirectory = [ "httpd/root-mnt" ]; RuntimeDirectoryMode = "0750";
RuntimeDirectory = [
"httpd/root-mnt"
"httpd/pamunix-in"
"httpd/pamunix-out"
];
RootDirectory = "/run/httpd/root-mnt"; RootDirectory = "/run/httpd/root-mnt";
MountAPIVFS = true; MountAPIVFS = true;
BindReadOnlyPaths = [ BindReadOnlyPaths = [
builtins.storeDir builtins.storeDir
"/etc" "/etc"
# NCSD socket "/dev/null"
"/var/run" "/etc/resolv.conf"
"/var/lib/acme" "/var/lib/acme"
"-/run/httpd/pamunix-out/passwd:/etc/passwd"
"-/run/httpd/pamunix-out/group:/etc/group"
"${pkgs.writeText "userweb-fake-nsswitch.conf" ''
passwd: files
group: files
shadow: files
sudoers: files
hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
networks: files
ethers: files
services: files
protocols: files
rpc: files
subuid: files
subgid: files
''}:/etc/nsswitch.conf"
"${fhsEnv}/bin:/bin" "${fhsEnv}/bin:/bin"
"${fhsEnv}/sbin:/sbin" "${fhsEnv}/sbin:/sbin"
"${fhsEnv}/lib:/lib" "${fhsEnv}/lib:/lib"
@@ -334,6 +436,7 @@ in
"/store/gnu" "/store/gnu"
"/usr" "/usr"
"/usr/local" "/usr/local"
"/run/current-system/sw"
]; ];
child = [ child = [
"/bin" "/bin"
@@ -0,0 +1,91 @@
Debian-exim
_cvsadmin
_ssh
adm
audio
avahi
backup
bin
cdrom
cl-builder
clamav
clock
colord
courier
crontab
daemon
debian-spamd
dialout
dip
dirmngr
disk
dovecot
fax
floppy
fuse
games
geoclue
gnats
input
irc
kmem
kvm
list
lock
lp
lpadmin
mail
man
messagebus
mlocate
munin
netdev
news
nogroup
ntp
ntpsec
oident
opendkim
operator
plocate
plugdev
polkitd
postdrop
postfix
postgres
prometheus
prometheus-exporter
proxy
rdma
root
# runit
salt
sambashare
saned
sasl
scanner
sgx
shadow
src
ssl-cert
staff
stunnel4
sudo
sys
systemd-coredump
systemd-journal
systemd-network
systemd-resolve
systemd-timesync
tape
tcpdump
tty
users
utempter
utmp
uucp
uuidd
video
voice
winbindd_priv
www-data
@@ -0,0 +1,74 @@
# System Users
Debian-exim
_apt
_rpc
avahi
backup
bin
cl-builder
clamav
colord
courier
daemon
debian-spamd
debian-spamd
dirmngr
distccd
dovecot
dovenull
driftsupport
fetchmail
games
geoclue
gitea
gnats
hplip
irc
list
lp
mail
mail2news
mailnews
man
messagebus
munin
news
nobody
noone
ntp
ntpsec
oident
opendkim
polkitd
postfix
postgres
prometheus
prometheus-exporter
proxy
root
rwhod
salt
saned
spamd
sshd
statd
stunnel4
sync
sys
systemd-coredump
systemd-network
systemd-resolve
systemd-timesync
tcpdump
uucp
uuidd
vaultwarden
www-data
# Misc
nuccc04
nuccc
kybkokos
kybkokos2
testbruker2309
testbruker2404
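Review bot: This file is a deny-list of account names, so any system account later created on the source host is injected into the httpd sandbox's passwd until someone remembers to add it here. Filtering on a uid range before the list is applied, with this file kept for the exceptions under `# Misc`, would fail closed instead. `debian-spamd` is listed twice.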
+108 -1
@@ -1,4 +1,4 @@
{ config, lib, ... }: { config, lib, pkgs, ... }:
{ {
services.postfix.enable = lib.mkForce false; services.postfix.enable = lib.mkForce false;
@@ -9,4 +9,111 @@
remotes = "mail.pvv.ntnu.no smtp --port=25"; remotes = "mail.pvv.ntnu.no smtp --port=25";
}; };
}; };
services.bro = {
enable = true;
instances.userweb-sendmail = {
enable = true;
client = {
settings.BRO_FILE_FLAGS = [
"-C"
];
};
server = {
settings = {
executable = let
sendmailWrapper = pkgs.writeShellApplication {
name = "sendmail";
runtimeInputs = [ ];
bashOptions = [
"errexit"
"pipefail"
];
text = ''
args=("$@")
if [[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]; then
# Prepend -fusername to the argument list, so bounces go to the user
args=("-f$USERDIR_USER" "''${args[@]}")
fi
exec '${lib.getExe pkgs.system-sendmail}' -t -i "''${args[@]}"
'';
};
in lib.getExe sendmailWrapper;
allowed-env = [ "USERDIR_USER" ];
};
};
};
};
environment.systemPackages = [
(config.services.bro.instances.userweb-sendmail.client.package.overrideAttrs (prev: {
buildCommand = prev.buildCommand + ''
mv "$out/bin/sendmail" "$out/bin/bro-sendmail"
'';
}))
];
users.users.nullmailer-user = {
enable = true;
isSystemUser = true;
group = "nullmailer-user";
};
users.groups.nullmailer-user = { };
systemd.services.bro-userweb-sendmail = {
serviceConfig = {
User = "nullmailer-user";
Group = "nullmailer-user";
ReadWritePaths = [
"/var/spool/nullmailer"
];
AmbientCapabilities = "";
CapabilityBoundingSet = "";
NoNewPrivileges = false;
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = false;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateMounts = true;
ProcSubset = "pid";
ProtectProc = "invisible";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@resources"
];
UMask = "0077";
};
};
systemd.services.httpd.serviceConfig = {
BindPaths = [ (lib.head config.systemd.sockets.bro-userweb-sendmail.listenStreams) ];
};
} }
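Review bot: In the sendmailWrapper text, the guard `[[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]` is true only when USERDIR_USER is empty, so `-f` is prepended with an empty name and a real user name is never passed on; `-n` looks like what the comment above it describes. If `allowed-env` means the client side supplies USERDIR_USER, the value should also be checked against the expected user-name pattern before it is used as the envelope sender. Separately, `NoNewPrivileges = false` and `PrivateUsers = false` stand out in an otherwise locked-down unit; a short comment saying why they are needed would help the next reader.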
+1 -1
@@ -376,7 +376,7 @@ in {
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
CPUSchedulingPolicy = "batch"; CPUSchedulingPolicy = "batch";
Group = "nginx"; Group = lib.mkIf cfg.enableNginx "nginx";
UMask = "026"; UMask = "026";
ExecStart = [ ExecStart = [
# If web folder doesnt exist generate it # If web folder doesnt exist generate it
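Review bot: With `Group = lib.mkIf cfg.enableNginx "nginx";` the unit has no explicit group when enableNginx is off, yet `UMask = "026"` still leaves the output group-readable, now for whatever primary group the service user happens to have. Either state which group should own the generated web folder in that case, or tighten the umask when nginx is not the consumer.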
+198
@@ -0,0 +1,198 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.drumknotty;
in
{
imports = [
./dibbler.nix
./worblehat.nix
];
options.services.drumknotty = {
enable = lib.mkEnableOption "DrumknoTTY";
kioskMode = lib.mkEnableOption "" // {
description = ''
Whether to let dibbler take over the entire machine.
This will restrict the machine to a single TTY and make the program unquittable.
You can still get access to PTYs via SSH and similar, if enabled.
'';
};
screen = {
package = lib.mkPackageOption pkgs "screen" { };
sessionName = lib.mkOption {
type = lib.types.str;
default = "drumknotty";
example = "myscreensessionname";
description = ''
Sets the screen session name.
'';
};
limitHeight = lib.mkOption {
type = with lib.types; nullOr ints.unsigned;
default = null;
example = 42;
description = ''
If set, limits the height of the screen dibbler uses to the given number of lines.
'';
};
limitWidth = lib.mkOption {
type = with lib.types; nullOr ints.unsigned;
default = null;
example = 80;
description = ''
If set, limits the width of the screen dibbler uses to the given number of columns.
'';
};
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.enable -> lib.any (b: b) [
cfg.dibbler.enable
cfg.worblehat.enable
];
message = "DrumknoTTY must have at least one service enabled";
}
];
users = {
users.drumknotty = {
group = "drumknotty";
extraGroups = [ "lp" ];
isNormalUser = true;
# TODO: make this display the error log or error message in case that
# the screen session service is bootlooping or otherwise off.
shell =
lib.mkIf cfg.kioskMode
(pkgs.writeShellScriptBin "login-shell"
"${lib.getExe' cfg.screen.package "screen"} -x ${cfg.screen.sessionName} -p dibbler"
// {
shellPath = "/bin/login-shell";
});
};
groups.drumknotty = { };
};
boot.kernelParams = lib.mkIf cfg.kioskMode [
"console=tty1"
];
services.getty.autologinUser = lib.mkIf cfg.kioskMode "drumknotty";
systemd.services.drumknotty-screen-session = lib.mkIf cfg.kioskMode {
description = "Drumknotty Screen Session";
wantedBy = [
"default.target"
];
after =
# TODO: this could be refined
if (cfg.dibbler.createLocalDatabase || cfg.worblehat.createLocalDatabase) then
[
"postgresql.service"
"dibbler-setup-database.service"
"worblehat-setup-database.service"
]
else
[
"network.target"
];
serviceConfig = {
Type = "forking";
RemainAfterExit = false;
Restart = "always";
RestartSec = "5s";
SuccessExitStatus = 1;
User = "drumknotty";
Group = "drumknotty";
ExecStartPre =
let
screenArgs = lib.escapeShellArgs [
# Send the specified command to a running screen session
"-X"
# Session name
"-S"
"${cfg.screen.sessionName}"
"kill"
];
in
"-${lib.getExe' cfg.screen.package "screen"} ${screenArgs}";
ExecStart =
let
screenrc = let
convertToFile = lines: lib.pipe lines [
lib.concatLists
(lib.concatStringsSep "\n")
(pkgs.writeText "drumknotty-screenrc")
];
in convertToFile [
(lib.optionals (cfg.screen.limitWidth != null) [
"screen width ${toString cfg.screen.limitWidth}"
])
(lib.optionals (cfg.screen.limitHeight != null) [
"screen height ${toString cfg.screen.limitHeight}"
])
(let
dibblerArgs = lib.cli.toCommandLineShellGNU { } {
config = "/etc/dibbler/dibbler.toml";
};
in lib.optionals cfg.dibbler.enable [
"screen -t dibbler ${lib.getExe cfg.dibbler.package} ${dibblerArgs} loop"
])
(let
worblehatArgs = lib.cli.toCommandLineShellGNU { } {
config = "/etc/worblehat/config.toml";
};
in lib.optionals cfg.worblehat.enable [
"screen -t worblehat ${lib.getExe cfg.worblehat.package} ${worblehatArgs} cli"
])
[ "select 0" ]
];
screenArgs = lib.escapeShellArgs [
# -dm creates the screen in detached mode without accessing it
"-dm"
# Session name
"-S"
"${cfg.screen.sessionName}"
# Set optimal output mode instead of VT100 emulation
"-O"
# Enable login mode, updates utmp entries
"-l"
# Config file path
"-c"
"${screenrc}"
];
in
"${lib.getExe' cfg.screen.package "screen"} ${screenArgs}";
};
};
};
}
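Review bot: The screenrc assembled in ExecStart contains only the optional width/height lines, the `screen -t ...` window lines and `select 0`, so screen's own command key and default bindings stay active in kioskMode; the "unquittable" promise in the kioskMode description then rests solely on the programs' `quit_allowed`/`stop_allowed` settings. Consider adding screenrc lines that disable the command key or unbind everything the kiosk does not need. The login shell also hard-codes `-p dibbler`, while the assertion accepts a worblehat-only setup in which no window of that name exists; deriving the window name from the enabled services would cover that case. The `cfg.enable ->` premise in the assertion is redundant inside `lib.mkIf cfg.enable`.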
+113
@@ -0,0 +1,113 @@
{
config,
pkgs,
lib,
...
}:
let
mainCfg = config.services.drumknotty;
cfg = config.services.drumknotty.dibbler;
format = pkgs.formats.toml { };
in
{
options.services.drumknotty.dibbler = {
enable = lib.mkEnableOption "";
package = lib.mkPackageOption pkgs "dibbler" { };
settings = lib.mkOption {
description = "Configuration for dibbler";
default = { };
type = lib.types.submodule {
freeformType = format.type;
};
};
createLocalDatabase = lib.mkEnableOption "" // {
description = ''
Whether to set up a local postgres database automatically.
::: {.note}
You must set up postgres manually before enabling this option.
:::
'';
};
};
config = lib.mkIf (mainCfg.enable && cfg.enable) {
assertions = [
{
assertion = cfg.createLocalDatabase -> config.services.postgresql.enable;
message = "PostgreSQL must be enabled for dibbler to create a local database";
}
];
environment.systemPackages = [ cfg.package ];
environment.etc."dibbler/dibbler.toml".source = format.generate "dibbler.toml" cfg.settings;
services.drumknotty.dibbler.settings = {
limits = {
low_credit_warning_limit = lib.mkDefault (-100);
user_recent_transaction_limit = lib.mkDefault 100;
};
printer = {
label_type = lib.mkDefault "62";
label_rotate = lib.mkDefault false;
};
database = {
type = lib.mkIf cfg.createLocalDatabase "postgresql";
postgresql = {
username = lib.mkDefault "dibbler";
dbname = lib.mkDefault "dibbler";
host = lib.mkIf cfg.createLocalDatabase "/run/postgresql";
};
};
};
services.drumknotty.dibbler.settings.general = lib.mkIf mainCfg.kioskMode {
quit_allowed = false;
stop_allowed = false;
};
services.postgresql = lib.mkIf cfg.createLocalDatabase {
authentication = ''
local ${cfg.settings.database.postgresql.dbname} ${cfg.settings.database.postgresql.username} peer map=${cfg.settings.database.postgresql.username}
'';
identMap = ''
${cfg.settings.database.postgresql.username} drumknotty ${cfg.settings.database.postgresql.username}
'';
ensureDatabases = [ cfg.settings.database.postgresql.dbname ];
ensureUsers = [{
name = cfg.settings.database.postgresql.username;
ensureDBOwnership = true;
ensureClauses.login = true;
}];
};
systemd.services.dibbler-setup-database = lib.mkIf cfg.createLocalDatabase {
description = "Dibbler database setup";
wantedBy = [ "default.target" ];
requiredBy = [ "drumknotty-screen-session.service" ];
before = [ "drumknotty-screen-session.service" ];
after = [ "postgresql.service" ];
unitConfig = {
ConditionPathExists = "!/var/lib/dibbler/.db-setup-done";
};
serviceConfig = {
Type = "oneshot";
ExecStart = "${lib.getExe cfg.package} --config /etc/dibbler/dibbler.toml create-db";
ExecStartPost = "${lib.getExe' pkgs.coreutils "touch"} /var/lib/dibbler/.db-setup-done";
StateDirectory = "dibbler";
User = "drumknotty";
Group = "drumknotty";
};
};
};
}
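Review bot: `environment.etc."dibbler/dibbler.toml".source = format.generate "dibbler.toml" cfg.settings;` renders the whole freeform `settings` tree into the Nix store, which is world-readable, and the `settings` description does not say how credentials for a non-local database are meant to be supplied. Please document that secrets must not be placed in `settings` directly (for example by pointing at a file outside the store), or render the file at runtime. `enable = lib.mkEnableOption "";` also leaves the option without a description in the generated docs.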
+209
@@ -0,0 +1,209 @@
{
config,
pkgs,
lib,
...
}:
let
mainCfg = config.services.drumknotty;
cfg = config.services.drumknotty.worblehat;
format = pkgs.formats.toml { };
in
{
options.services.drumknotty.worblehat = {
enable = lib.mkEnableOption "";
package = lib.mkPackageOption pkgs "worblehat" { };
settings = lib.mkOption {
description = "Configuration for worblehat";
default = { };
type = lib.types.submodule {
freeformType = format.type;
};
};
createLocalDatabase = lib.mkEnableOption "" // {
description = ''
Whether to set up a local postgres database automatically.
::: {.note}
You must set up postgres manually before enabling this option.
:::
'';
};
deadline-daemon = {
enable = lib.mkEnableOption "" // {
description = ''
Whether to enable the worblehat deadline-daemon service,
which periodically checks for upcoming deadlines and notifies users.
Note that this service is independent of the main worblehat service,
and must be enabled separately.
'';
};
onCalendar = lib.mkOption {
type = lib.types.str;
description = ''
How often to trigger rendering the map,
in the format of a systemd timer onCalendar configuration.
See {manpage}`systemd.timer(5)`.
'';
default = "*-*-* 10:15:00";
};
};
};
config = lib.mkMerge [
{
assertions = [
{
assertion = cfg.createLocalDatabase -> config.services.postgresql.enable;
message = "PostgreSQL must be enabled for worblehat to create a local database";
}
];
# TODO: Retrieve defaults from the example config file in the project code.
services.drumknotty.worblehat.settings = {
logging = {
debug = lib.mkDefault true;
debug_sql = lib.mkDefault false;
};
database = {
type = lib.mkDefault "sqlite";
sqlite.path = lib.mkDefault "./worblehat.sqlite";
postgresql = {
host = lib.mkDefault "localhost";
port = lib.mkDefault 5432;
username = lib.mkDefault "worblehat";
password = lib.mkDefault "/var/lib/worblehat/db-password";
database = lib.mkDefault "worblehat";
};
};
flask = {
TESTING = lib.mkDefault true;
DEBUG = lib.mkDefault true;
FLASK_ENV = lib.mkDefault "development";
SECRET_KEY = lib.mkDefault "change-me";
};
smtp = {
enabled = lib.mkDefault false;
host = lib.mkDefault "smtp.pvv.ntnu.no";
port = lib.mkDefault 587;
username = lib.mkDefault "worblehat";
password = lib.mkDefault "/var/lib/worblehat/smtp-password";
from = lib.mkDefault "worblehat@pvv.ntnu.no";
subject_prefix = lib.mkDefault "[Worblehat]";
};
deadline_daemon = {
enabled = lib.mkDefault true;
dryrun = lib.mkDefault false;
warn_days_before_borrowing_deadline = lib.mkDefault [
5
1
];
days_before_queue_position_expires = lib.mkDefault 14;
warn_days_before_expiring_queue_position_deadline = lib.mkDefault [
3
1
];
};
};
}
(lib.mkIf ((mainCfg.enable && cfg.enable) || cfg.deadline-daemon.enable) {
environment.systemPackages = [ cfg.package ];
environment.etc."worblehat/config.toml".source = format.generate "worblehat-config.toml" cfg.settings;
})
(lib.mkIf (mainCfg.enable && cfg.enable) {
services.drumknotty.worblehat.settings.general = lib.mkIf mainCfg.kioskMode {
quit_allowed = false;
stop_allowed = false;
};
services.drumknotty.worblehat.settings.database = lib.mkIf cfg.createLocalDatabase {
type = "postgresql";
postgresql.host = "/run/postgresql";
};
services.postgresql = lib.mkIf cfg.createLocalDatabase {
authentication = ''
local ${cfg.settings.database.postgresql.database} ${cfg.settings.database.postgresql.username} peer map=${cfg.settings.database.postgresql.username}
'';
identMap = ''
${cfg.settings.database.postgresql.username} drumknotty ${cfg.settings.database.postgresql.username}
'';
ensureDatabases = [ cfg.settings.database.postgresql.database ];
ensureUsers = [{
name = cfg.settings.database.postgresql.username;
ensureDBOwnership = true;
ensureClauses.login = true;
}];
};
systemd.services.worblehat-setup-database = lib.mkIf cfg.createLocalDatabase {
description = "Worblehat database setup";
wantedBy = [ "default.target" ];
requiredBy = [ "drumknotty-screen-session.service" ];
before = [ "drumknotty-screen-session.service" ];
after = [ "postgresql.service" ];
unitConfig = {
ConditionPathExists = "!/var/lib/worblehat/.db-setup-done";
};
serviceConfig = {
Type = "oneshot";
ExecStart = "${lib.getExe cfg.package} --config /etc/worblehat/config.toml create-db";
ExecStartPost = "${lib.getExe' pkgs.coreutils "touch"} /var/lib/worblehat/.db-setup-done";
StateDirectory = "worblehat";
User = "drumknotty";
Group = "drumknotty";
};
};
})
(lib.mkIf cfg.deadline-daemon.enable {
systemd.timers.worblehat-deadline-daemon = lib.mkIf cfg.deadline-daemon.enable {
description = "Worblehat Deadline Daemon";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = cfg.deadline-daemon.onCalendar;
Persistent = true;
};
};
systemd.services.worblehat-deadline-daemon = lib.mkIf cfg.deadline-daemon.enable {
description = "Worblehat Deadline Daemon";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
CPUSchedulingPolicy = "idle";
IOSchedulingClass = "idle";
ExecStart =
let
worblehatArgs = lib.cli.toCommandLineShellGNU { } {
config = "/etc/worblehat/config.toml";
};
in
"${lib.getExe cfg.package} ${worblehatArgs} deadline-daemon";
User = "drumknotty";
Group = "drumknotty";
};
};
})
];
}
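Review bot: The `flask` defaults ship `TESTING = true`, `DEBUG = true`, `FLASK_ENV = "development"` and `SECRET_KEY = "change-me"` through `lib.mkDefault`, so a host that enables the module without overriding them runs with debug settings and a publicly known secret key. Since `format.generate` writes `cfg.settings` to the world-readable Nix store, overriding `SECRET_KEY` in `settings` does not keep it secret either; default to production values and load the key from a file, the way `password` already points at `/var/lib/worblehat/db-password`. The `onCalendar` description ("How often to trigger rendering the map") looks copied from another module and should describe the deadline check, and the inner `lib.mkIf cfg.deadline-daemon.enable` on the timer and service repeats the condition of the enclosing block.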
+1 -1
@@ -16,7 +16,7 @@ in {
}; };
systemd.user.services.restart-greg-ng = { systemd.user.services.restart-greg-ng = {
script = "systemctl --user restart greg-ng.service"; serviceConfig.ExecStart = "${lib.getExe' pkgs.systemd "systemctl"} --user restart greg-ng.service";
startAt = "*-*-* 06:30:00"; startAt = "*-*-* 06:30:00";
}; };
+3 -2
@@ -171,6 +171,9 @@ in
requires = [ "matrix-ooye-pre-start.service" ]; requires = [ "matrix-ooye-pre-start.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
startLimitIntervalSec = 5;
startLimitBurst = 5;
serviceConfig = { serviceConfig = {
ExecStart = lib.getExe config.services.matrix-ooye.package; ExecStart = lib.getExe config.services.matrix-ooye.package;
WorkingDirectory = "/var/lib/matrix-ooye"; WorkingDirectory = "/var/lib/matrix-ooye";
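Review bot: `startLimitIntervalSec = 5;` with `startLimitBurst = 5;` can never trip while the service keeps `RestartSec = "5s"`, because restarts spaced five seconds apart cannot reach five starts inside a five-second window; a crash-looping unit will restart indefinitely. Moving the settings to the unit level is right, but the interval needs to be longer than RestartSec times the burst count for the limit to have any effect.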
@@ -182,8 +185,6 @@ in
#PrivateDevices = true; #PrivateDevices = true;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "5s"; RestartSec = "5s";
StartLimitIntervalSec = "5s";
StartLimitBurst = "5";
DynamicUser = true; DynamicUser = true;
}; };
}; };
+30 -25
@@ -12,7 +12,7 @@ let
name name
, commit , commit
, hash , hash
, tracking-branch ? "REL1_44" , tracking-branch ? "REL1_45"
, kebab-name ? kebab-case-name name , kebab-name ? kebab-case-name name
, fetchgit ? pkgs.fetchgit , fetchgit ? pkgs.fetchgit
}: }:
@@ -33,63 +33,68 @@ in
lib.mergeAttrsList [ lib.mergeAttrsList [
(mw-ext { (mw-ext {
name = "CodeEditor"; name = "CodeEditor";
commit = "2db9c9cef35d88a0696b926e8e4ea2d479d0d73a"; commit = "af7e82f24ba4b68393712fece6f1b5fa4bb049ec";
hash = "sha256-f0tWJl/4hml+RCp7OoIpQ4WSGKE3/z8DTYOAOHbLA9A="; hash = "sha256-XT8E4O6MEZYHSs6Q+A/dfYaUvJ4kY13Kd/cq30dA5NA=";
}) })
(mw-ext { (mw-ext {
name = "CodeMirror"; name = "CodeMirror";
commit = "b16e614c3c4ba68c346b8dd7393ab005ab127441"; commit = "7ab826eff8c4097589a3199c40c507717af23234";
hash = "sha256-J/TJPo5Oxgpy6UQINivLKl8jzJp4k/mKv6br3kcCSMQ="; hash = "sha256-kMIyGW9J4OSGSetByel7hEGgxPRJmQ53it6ndpYA/Hs=";
}) })
(mw-ext { (mw-ext {
name = "DeleteBatch"; name = "DeleteBatch";
commit = "1b947c0f80249cf052b58138f830b379edf080bc"; commit = "b5920283cfe78b86a63a1037a81651c58ce764da";
hash = "sha256-629RCz+38m2pfyJe/CrYutRoDyN1HzD0KzDdC2wwqlI="; hash = "sha256-LwuVX2s5Q4uc6o7hlTjFzRTwvSCwTk74gBpX0HoLDMA=";
})
(mw-ext {
name = "PdfHandler";
commit = "dc1a3ca04ac6ec7d7de7ce5355803510508a2575";
hash = "sha256-ltAQZtfTMMLRPATA7rclSNW8Yz4ctGc30CxlL3SRBWU=";
}) })
(mw-ext { (mw-ext {
name = "PluggableAuth"; name = "PluggableAuth";
commit = "56893b8ee9ecd03eaee256e08c38bc82657ee0a1"; commit = "4b57a23e32d72bd3f74184ff2734aa483a5b0c63";
hash = "sha256-gvoJey7YLMk+toutQTdWxpaedNDr59E+3xXWmXWCGl0="; hash = "sha256-ZGw0Wgz0Sg04YDcOzkOGywmfQ6s6Ex17QbjmUDO1D8c=";
}) })
(mw-ext { (mw-ext {
name = "Popups"; name = "Popups";
commit = "6732d8d195bd8312779d8514e92bad372ef63096"; commit = "f74a8639f57232898978d9f3792293eb2d370e40";
hash = "sha256-XZzhA9UjAOUMcoGYYwiqRg2uInZ927JOZ9/IrZtarJU="; hash = "sha256-uunUtN3M/ksW/kcbeIzDVTdb1P/PHTeTwaTsvspMLko=";
}) })
(mw-ext { (mw-ext {
name = "Scribunto"; name = "Scribunto";
commit = "fc9658623bd37fad352e326ce81b2a08ef55f04d"; commit = "35c85c96167922adc98e62dd6573789d906dd7d7";
hash = "sha256-P9WQk8O9qP+vXsBS9A5eXX+bRhnfqHetbkXwU3+c1Vk="; hash = "sha256-FEWADJW53cDOlLseM62VL66PENv/jNnwuCMo2Pb02ek=";
}) })
(mw-ext { (mw-ext {
name = "SimpleSAMLphp"; name = "SimpleSAMLphp";
kebab-name = "simple-saml-php"; kebab-name = "simple-saml-php";
commit = "4c615a9203860bb908f2476a5467573e3287d224"; commit = "70778bb02f972abbb51e6ba3e0f6545b00dcab00";
hash = "sha256-zNKvzInhdW3B101Hcghk/8m0Y+Qk/7XN7n0i/x/5hSE="; hash = "sha256-wfmFJKy+ih84qFM9DVcCQFAZBx45s7Hl0lRnseMPhGY=";
}) })
(mw-ext { (mw-ext {
name = "TemplateData"; name = "TemplateData";
commit = "6884b10e603dce82ee39632f839ee5ccd8a6fbe3"; commit = "cca3b3430067f2161bf65de822f70dd38fe07bba";
hash = "sha256-jcLe3r5fPIrQlp89N+PdIUSC7bkdd7pTmiYppSpdKVQ="; hash = "sha256-OxLwiF8FlWizkpDF9GXYfjehKtrltX8ihiCE+fNJpgw=";
}) })
(mw-ext { (mw-ext {
name = "TemplateStyles"; name = "TemplateStyles";
commit = "f0401a6b82528c8fd5a0375f1e55e72d1211f2ab"; commit = "101a159dd0190759a16551a86800144c18b6ff5c";
hash = "sha256-tEcCNBz/i9OaE3mNrqw0J2K336BAf6it30TLhQkbtKs="; hash = "sha256-IGQQVAx8/76ivHq9b97ec1AlFoqbRl7uhXhwoFimsG4=";
}) })
(mw-ext { (mw-ext {
name = "UserMerge"; name = "UserMerge";
commit = "6c138ffc65991766fd58ff4739fcb7febf097146"; commit = "6c0d105e07538c34bfde989bd26fa1945f8d1b79";
hash = "sha256-366Nb0ilmXixWgk5NgCuoxj82Mf0iRu1bC/L/eofAxU="; hash = "sha256-w058Ihk0I98hIG1tkVJGy1bzbv7XXyUksGexXgCN540=";
}) })
(mw-ext { (mw-ext {
name = "VisualEditor"; name = "VisualEditor";
commit = "9cfcca3195bf88225844f136da90ab7a1f6dd0b9"; commit = "8d8c6d7f179a5f799e1fa8cba207d81f58f722d2";
hash = "sha256-jHw3RnUB3bQa1OvmzhEBqadZlFPWH62iGl5BLXi3nZ4="; hash = "sha256-wbYHXi2vD521EMzUl7ttinG4YdLv/DwYvVUew7dka0g=";
}) })
(mw-ext { (mw-ext {
name = "WikiEditor"; name = "WikiEditor";
commit = "fe5329ba7a8c71ac8236cd0e940a64de2645b780"; commit = "f53000f0499858fe74e4f5008b2f5e467d9d9382";
hash = "sha256-no6kH7esqKiZv34btidzy2zLd75SBVb8EaYVhfRPQSI="; hash = "sha256-+HTXZEVCwMD8z6c1kCZA3k686HzNd30pJljzRvf+gMg=";
}) })
] ]
+4 -4
@@ -10,18 +10,18 @@ let
in in
buildNpmPackage { buildNpmPackage {
pname = "delete-your-element"; pname = "delete-your-element";
version = "3.5.1"; version = "3.6.0";
src = fetchFromGitea { src = fetchFromGitea {
domain = "git.pvv.ntnu.no"; domain = "git.pvv.ntnu.no";
owner = "Drift"; owner = "Drift";
repo = "delete-your-element"; repo = "delete-your-element";
rev = "80ac1d9d79207b6327975a264fcd9747b99a2a5d"; rev = "44fb6a02d3139e8ab10e9660ad931e5e70d1205f";
hash = "sha256-fcBpUZ+WEMUXyyo/uaArl4D1NJmK95isWqhFSt6HzUU="; hash = "sha256-wDQhPbxwdkAm0kPhaDNjbk8rVFxnGinffVdASdFrYnU=";
}; };
inherit nodejs; inherit nodejs;
npmDepsHash = "sha256-EYxJi6ObJQOLyiJq4C3mV6I62ns9l64ZHcdoQxmN5Ao="; npmDepsHash = "sha256-h1mmE0/+Y7SBwnI0vaYvV+KqRDJGzwJvDUOkigzHcOY=";
dontNpmBuild = true; dontNpmBuild = true;
nativeBuildInputs = [ makeWrapper ]; nativeBuildInputs = [ makeWrapper ];
+16 -19
@@ -37,12 +37,10 @@ vaultwarden:
SMTP_PASSWORD: ENC[AES256_GCM,data:Nr+4wZSvq6KjfzB169v4ojvWHa25Aw==,iv:HM4VYLUCI0HaBT8cDzusYA+49LpuJeg7v/Pz4nfulmM=,tag:T4TkDt+NdWnqbCDaRUERJw==,type:str] SMTP_PASSWORD: ENC[AES256_GCM,data:Nr+4wZSvq6KjfzB169v4ojvWHa25Aw==,iv:HM4VYLUCI0HaBT8cDzusYA+49LpuJeg7v/Pz4nfulmM=,tag:T4TkDt+NdWnqbCDaRUERJw==,type:str]
rsa_key.pem: ENC[AES256_GCM,data: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,iv:CtmysYvEFew/839Gj+vZEDoqu6TvrZ9bUIg9GwejIX0=,tag:CnTEOKLYDsVGRVrQDwfFKQ==,type:str] rsa_key.pem: ENC[AES256_GCM,data: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,iv:CtmysYvEFew/839Gj+vZEDoqu6TvrZ9bUIg9GwejIX0=,tag:CnTEOKLYDsVGRVrQDwfFKQ==,type:str]
rsa_key.pub.pem: ENC[AES256_GCM,data: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,iv:6x0vx8tiGOsQxHsp+qO+nvdUmqNKWINdFO1wXOnORVo=,tag:zuPNh7IfEG/c4lsFVNRYog==,type:str] rsa_key.pub.pem: ENC[AES256_GCM,data:B/2SQrEQ4zRie6A89jneHl5tXfHraYzVEBshY+IrRoufI9YpQw16VjGgrNVCpaG5+PSsCNjz8lXM33oQwg7HU1IWHmvrZdEgkguYv722Ngdb4D8IKHL1nsL9/gkVQFFFvty9ru3LDTfrFKF3cLX+6eIQMFk5W+qLuVO5Pbxh3LKWmN7zG8XHa/b+tvMQclHrtY2iomIThyxKi8w03uE1Fs6V80hyuMA/3TdIz9nUwl5WpiGxaelwaJyts2b5KoBzJ0zZbdR4IHCTYYqBkdjo8929M/gfPS6ZqZS2FPDReoWiujJSAyyoC9xZxglUk/g7vU/8CVwcrtVzn5DEbUot/om98p/1Hq/1Hk4zli49Ysy8nbPhlshZeH5RNSQIDkY6wT7TYD5m3QXjXV+siH7ClKAfri2zp4S4k9uEXvL27NTPqvoXKIUpSEl1b0A/ApQt761PODEMtEXx2PmlRKhg9T9cvLRNYbJavg3FMNivZ+2oQNZXeJZWUEjtqsEoPBAbEHklMtKJiQiThtIPHL3eEdTAhOVhjxBGYU2Kase2hU7g2YvgC3+8u48OarXZbZYgcJkoCHrm+hocYm5DZJ64rxURZQ==,iv:6x0vx8tiGOsQxHsp+qO+nvdUmqNKWINdFO1wXOnORVo=,tag:zuPNh7IfEG/c4lsFVNRYog==,type:str]
bluemap:
ssh-key: ENC[AES256_GCM,data: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,iv:WdJIHRzjlm8bEldolCx1Q7pZJvjxGkNZALSOy3IjizU=,tag:5ZAikiqttq/76+thG+4LMw==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data: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,iv:GI8w7h7xX8gMHuAoWUyrW+BQb85LNlASoYvGBPlCZaI=,tag:WnHNMevfFSMc0ikBZwWn/g==,type:str]
sops: sops:
age: age:
- enc: | - recipient: age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzMVM0T0Y4Wjg1OGNsR0Iv YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzMVM0T0Y4Wjg1OGNsR0Iv
VmxoNmRMcjlWRHFhc3l2Sy9aZnF4b0ZsTnhnCkd6UnEvWi9kRU9qSmVLZkdiWGJh VmxoNmRMcjlWRHFhc3l2Sy9aZnF4b0ZsTnhnCkd6UnEvWi9kRU9qSmVLZkdiWGJh
@@ -50,8 +48,8 @@ sops:
R0RmcXJwRlkvSVhRbGwxZytLNmlqeFkKw/0nGPzgzH39udFyJVkjNTMTmffiQh6/ R0RmcXJwRlkvSVhRbGwxZytLNmlqeFkKw/0nGPzgzH39udFyJVkjNTMTmffiQh6/
HT1O7imvPymx5kXrnfciAP9bnCV4o/HiVkuDxBP7gG5nBUgY6PIC7Q== HT1O7imvPymx5kXrnfciAP9bnCV4o/HiVkuDxBP7gG5nBUgY6PIC7Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
recipient: age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
- enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCV2ptWkhqNjcrM0hXOWEv YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCV2ptWkhqNjcrM0hXOWEv
Y21GNkVJUXY3dHV1OUdUdlJZNHhka3g3QVdNCk9vak0wSDBhS3pZSWk2anVsMnVY Y21GNkVJUXY3dHV1OUdUdlJZNHhka3g3QVdNCk9vak0wSDBhS3pZSWk2anVsMnVY
@@ -59,8 +57,8 @@ sops:
cXl3S2tRdExvSjRNUHpwbFNzVXdQVmcK65zb8MPh67TyHkjLA2vLgv2eOQOSUDih cXl3S2tRdExvSjRNUHpwbFNzVXdQVmcK65zb8MPh67TyHkjLA2vLgv2eOQOSUDih
JeHkryWGQXzlYL5tZZ24ae1mqYiYQ6DsbWXopA0q0OmndYByXct6FA== JeHkryWGQXzlYL5tZZ24ae1mqYiYQ6DsbWXopA0q0OmndYByXct6FA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
- enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSnU5dml1bjY5ejZHUGRQ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSnU5dml1bjY5ejZHUGRQ
V1pNQnBXWUx0c1R5WkY5d3NFOFlKTkFrMUN3CkNqMjc5NDRMb05tSW9wV3lkUUVU V1pNQnBXWUx0c1R5WkY5d3NFOFlKTkFrMUN3CkNqMjc5NDRMb05tSW9wV3lkUUVU
@@ -68,8 +66,8 @@ sops:
SzM4Rml4dFNjMWxxYXlVdTdxTTB1ZzQKvoBpb4PPNM5yl85wTcTTqZmkXmwZGyvS SzM4Rml4dFNjMWxxYXlVdTdxTTB1ZzQKvoBpb4PPNM5yl85wTcTTqZmkXmwZGyvS
PMPFNqEkzcZFtC1BfYGIlKAuisGhQ6rFAkyTZXTLP0HjPEcH00+WMw== PMPFNqEkzcZFtC1BfYGIlKAuisGhQ6rFAkyTZXTLP0HjPEcH00+WMw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
- enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbGdTVUU3UVUwZytQancy YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbGdTVUU3UVUwZytQancy
ZXY1Ullmck9qZ0dsSmZqUHF0NGpSZlJWRjBJCndmbGh6Y3lUWmdEWUdHNkZwd0dM ZXY1Ullmck9qZ0dsSmZqUHF0NGpSZlJWRjBJCndmbGh6Y3lUWmdEWUdHNkZwd0dM
@@ -77,8 +75,8 @@ sops:
NmloODFNNXU1TG9FeWxKYTBGOG5qR1kKXGAQyRVO6Sh0LNlFD5nx0F3m2KYP8hYl NmloODFNNXU1TG9FeWxKYTBGOG5qR1kKXGAQyRVO6Sh0LNlFD5nx0F3m2KYP8hYl
/g3mwi4NI4UIR2dYXsgNJuF7axxP1IbaZ/j2NLNYbVe2+iZvscvBTw== /g3mwi4NI4UIR2dYXsgNJuF7axxP1IbaZ/j2NLNYbVe2+iZvscvBTw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
- enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWkVyLzJWM01ybHB3cmpq YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWkVyLzJWM01ybHB3cmpq
cTJTM3VWaEk3djcxb0RnbVZXUGRyMWQxcWlFCmhQUmtGZm0wczdsLzZUNHFqRnZW cTJTM3VWaEk3djcxb0RnbVZXUGRyMWQxcWlFCmhQUmtGZm0wczdsLzZUNHFqRnZW
@@ -86,8 +84,8 @@ sops:
RGs3aStCRUJmMG9JRFZyRFJWeTZKWGsK8oTccCGCXPsQEGnn57ml5IwYCHgYoBpC RGs3aStCRUJmMG9JRFZyRFJWeTZKWGsK8oTccCGCXPsQEGnn57ml5IwYCHgYoBpC
2U7uT/Z10crtrqgPGi3/jYr5IEacLBvbuGLBwSlCo7NGz/6XnVIyaQ== 2U7uT/Z10crtrqgPGi3/jYr5IEacLBvbuGLBwSlCo7NGz/6XnVIyaQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
- enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTlJPQk9DTFNKMjA2bTRj YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTlJPQk9DTFNKMjA2bTRj
OE5uaWxEQkhUdmRvT2h4TDJvREo4TlQ4MFZrCjNjd2ErOXcxQkJrNzlOdGNFSDNW OE5uaWxEQkhUdmRvT2h4TDJvREo4TlQ4MFZrCjNjd2ErOXcxQkJrNzlOdGNFSDNW
@@ -95,8 +93,8 @@ sops:
RlRMc0R3dDllUGRHcmNDTDBSS09mUUUKhdxXMEuwLviNY134uA4SELXiHo4rCC9h RlRMc0R3dDllUGRHcmNDTDBSS09mUUUKhdxXMEuwLviNY134uA4SELXiHo4rCC9h
pT2iqOV+VDquwE99h9OIo2Kfmblzje/TGpok1i4cxytg8fly3LZD+Q== pT2iqOV+VDquwE99h9OIo2Kfmblzje/TGpok1i4cxytg8fly3LZD+Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5 - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
- enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcHVjN3MvVUEwazNraXFQ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcHVjN3MvVUEwazNraXFQ
anVTbU1EY1JUQ0FyeSt3bWJ6TVcwY1UwZ1cwClRtOTE1QWNXaUdzejh5a3BUdTFv anVTbU1EY1JUQ0FyeSt3bWJ6TVcwY1UwZ1cwClRtOTE1QWNXaUdzejh5a3BUdTFv
@@ -104,9 +102,8 @@ sops:
SU5zanlva1p2QjVndVJwUnlkdkFuTDAKbQRrSfG9MGsGvF2ywoGhDSuriDsbQ+k2 SU5zanlva1p2QjVndVJwUnlkdkFuTDAKbQRrSfG9MGsGvF2ywoGhDSuriDsbQ+k2
29mxere0efSSGGq8y9YrPC8UX5hZRfqg/dfbL+PFc4NHfbxB/oSzQw== 29mxere0efSSGGq8y9YrPC8UX5hZRfqg/dfbL+PFc4NHfbxB/oSzQw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune lastmodified: "2026-05-24T07:03:34Z"
lastmodified: "2026-05-22T08:58:19Z" mac: ENC[AES256_GCM,data:J9RFBasxTwjIMIV5ou7eEytKY4YBCmGq7DEw/thDIxd5nfPmM/T8OIyFYE9130OsMJu5LabmskaypxTQ2d7sW5ovqMfs3BVCI8FNjUiCmWfmwnFZ29hlDWMD3BYShgOVxI6XTlPiY/2AakQ4T5OwvQfO0sqIGReP+zhT1FIzZFk=,iv:J6v6qhRYFKq76OctU4zOCFqiaYcHbclQcfWMlj6Tig0=,tag:TYc0JcXheOlAidBZC3D6Sg==,type:str]
mac: ENC[AES256_GCM,data:EYU8RCXRMdQn+yLB0iWBw7JULZya3PqkScAFtlP0d0zTyud4MGVCTINtrn7EgboYONvEWgi4yRvJVHUDPArRA6WlHx/tx175DJbVq6sdnl0xsL0Y9dt18HbdEgDDyOxbCjTOjAV1WPINOmpVvyXMp4+cc0oU3g+2ANjiodkU+t4=,iv:wAi+m9VkKx1bCxz5kZyEgNQcPE9aa5f9TlaYEohnwu0=,tag:3ZtP78aCmyqW0A0zvgpUTw==,type:str]
pgp: pgp:
- created_at: "2026-01-16T06:34:44Z" - created_at: "2026-01-16T06:34:44Z"
enc: |- enc: |-
+93
@@ -0,0 +1,93 @@
bluemap:
ssh-key: ENC[AES256_GCM,data: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,iv:y54tfAJqR9Qrv015wPl76jqRvfJfor+5BdsKMkYBMXY=,tag:QWNW2GsJDXl4Af64kPo42w==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data: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,iv:8Jcg3GQCTzOfVc47rlD9QXcsC+3Jxjsmyi6YDjQisNQ=,tag:KjZmgsi6HlVp6BiwI9BuKA==,type:str]
sops:
age:
- recipient: age12czfkvuw9pjk5qny5c6m2hjhd634cj9r4dsa3ss5zkux5h4vvc7s7k4urq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPeHFDb2xERDdQa3FDT1Ni
OFBBb1MzUXNqMktTVUlDWHhRWithYkN3OEcwCkd3OWlaSks4bnFhRzJud3AwZ1Bo
c0xNYXdDVzVxRjZna3FaMEJuR3hMbVUKLS0tIGNoZGpKUFBldDBDaGF5bG1SS3R2
VzBDc296WmFkdHcvVWVILzNFUzJKY2cKIHUNTXL28jYIgo7tMsR64gpydX6bg+1f
PntcQBsVXmjW/XOWg0XTa23BRkuL9a8wkWPKV+EvVaRAHLA+NdrCzw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMNXJnNGxEaUtvazVyWVBn
NkZLbk0zYytTcmFVek5hWElPUUZ2NDc5S0J3Cll6NkRZbHBkREVtYmxSQjRiTG1w
THJRYXE2VzhhTUtqZUQ1Q2k5d1V0c00KLS0tIEpjb3gybTVSMlpnT0pHK3U5bkFP
aW9YZVZpbXE1Ty9tZjZWRTJXcDN1UTAK7NC7zqWWfsjwsg4RC6+pHgIRSr2NYdJU
JnSODgTDeRWNWTnlOsGLVBB4G4cs3sr+G1TTU6ECNeScVHjm5LEXpA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhamk3VWVheTZOUXVwUnU3
YnAzSzF0UDFNVTJycHJTdk1zNmtkWWVHeVJBCnZTQ0xEM1hSQ3dTcHhQYmt1UDdr
TWEzeE5SZ1FUVlhsd0N0NUdzNXB1V1kKLS0tIFlzRE4wNUdYN3kremxNUHlMRzVx
WWRKRGZza0hlU3JXQkdwY2psQkdqbGsK7XHA7aO7AN+fK65phQ2Wjuoz0/CylAKb
aEo6e2DDlEKoHyel6VtncYU7IytU8vx4f2KdBQuDIsypQqOCyjpcYg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcXhaNVJrUnlSVTQvVE9T
RnpDa2JBZFQwVG5oaVpUWG9ZeGM0UkNZakF3CmhsK3ByK1JaamV2cWgweTZUVjNk
QWdtREtiVnd4TllycDQybWxSb05IaFEKLS0tIDJXZzNKZzZJL3M4bTNiV1lHQ2lq
MW9uSUo2dzR4VzhmK09yU2Y3Vkl6T0UKz9PygM7wNx+SDO4ea4RKwENSpnzGC8jP
5N7p/MQZQjclpNyIUO3OKQECMQD8jPqN+OlBmctQqDR4vTSq4HmCvw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRVVucnNNVEk1TkRvb1V0
ZjlCMjcyVHdVVzRwVUxmQnFSSThZblcxc1JFCnVPS1NKRGxERzNPUmpOOUZWd0pa
bFJGZVVObzhNdEx5ZWFlWkdaOUZrS3cKLS0tIGdqV2FaNVNJM2Z0TUV3VklodDM3
SDQ5d2p4SnB4REdTbWRRZjYxVURqNkUK3wcPruP459YHsffOw8vWHNlOleUA0Iv5
/370YCc4uA3wp8YyLvotGsjn65IWlaZ1R9wUEiQTNa3wvChBYmtLVg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYTW04bUZrMFMxVTdkbDNk
Z2dWTTgrUERRT243NkZtTmY1ZkFjQ0w5bVJBCnh6cmM0Z2hwcVRyL3R0YXdSbzRa
cFc5MmowbVhTMTZTZzFsK3ZpNXdxN1EKLS0tIERxYzN4S0dsYi9mU1UvVzRNZGZw
TXlrR3FKWlJLQ0NpWDdQVEo0aHFNZWsK1lUGm0uye00S07JYBPGvIZtdNFuknZv3
bViaCBUH8GKV7w+sWtnBoQlaD1F8rpoVd+l4SIW0pouEYdze4u/v9Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RVFKdjNDMURPVHY0eFc1
c0JUbk93RlppNjg5ZTlIMEdmRWI5Q3prWlh3CjdTNXk0YUtFeWtuNkkxVGpndVBu
WTIrdFh0QThQWkJTc1llSWN0OUtzWVEKLS0tIHF1NytpSUtnQ2xoSUlMR3NIdytV
WWE5WUVPVXVwMW9QY0F4RUo4K1JJSzgKu8KUfNcYkVPTIIy+AsqmbNsRwhe2OVH+
iTBo4DixGc4XFsflBYxTmu212DE8/Mr2spqZpa4brfbblF4JAmak6A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-24T04:34:10Z"
mac: ENC[AES256_GCM,data:FUX4TsCKt41KnV1Cgo2E6ucL558fVgH0pEEoITM/5g3Pj4cMKPHIalzqt3U12pBbxzNpuQm+HIwcwx8jktsmWnb9KaSxNLSfnhf7RlyxVOS+S17yTV6O89/lyTqub9Z2tybLeEeGSTbghPrCEgNb4d2NswPYXW/rZawpvgQlc84=,iv:I+NJ0t3n9x3gA/3s0PgRMX4AI/3X8M89UqN+QKAxfoM=,tag:6X+LT5FyfL7xZUSUiz3lpw==,type:str]
pgp:
- created_at: "2026-05-23T17:17:16Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ/+ISNrWiNzl986g1c2S8x65xCWuJ8ntbb9k0nm56/Ve1TI
5bkkovKFUFCBUrcVEoRPA+uVDdnd/KWkwF6BX3me8jkhe9ogXNvNJh7FVWiPa70U
nxt0wL2TGDdj0RD2gneqTEsN3GtuwNw3gUcdRBg03vG9rmmNa3eWvVmwk/XNZ7J+
7LEyG21tLicB5ZPBYiGLznsQPbGvLg+FguCRngvjmz0IgvpNkNpylmlkkc6pmHka
T5UAekNgBY0H6H22T1xmD5O4/ZVsmyETHc+6TJn4jIS2fENVtfApbwJuF5B+x+Xf
fNIx8soxYOBLjN9CdPXWw+/nAuCQVnsOYxUVcHBoNvQ3KDm8c6R4Yv8B+gndpvUN
eRo3XQTGNCX2mvEdRHDlvJjMHgmP3a8qBsFVdKnS/7138HKO4dyIX8Ca+9gWvEmz
UGdTXtYjRl8Wxp+8mePAsR6OaDGLqRfyIveCsSAJiwsQDaVqnVElXUZBp93QySxq
RPY8yNrVayiw3lPLe2Q0iHJLfpUEqvIGz0WjfqCkfhMXb93lrjTywsvMRf6ocZOY
Xb4paiRlKsJo9a6ZvyH+vuIXv75SUVtdzWs7P998TGo/C8+0Tf/dVgvGB/UfnB0p
JkGndpicaJ98Xb+vTrE+/MNpMD0hBzWIbsKs6c50Hfml7Xjb8ngewuKAqXpvdE/S
XAEl1l+gnC44ekV0CBWbyWXcsBHopt4plVC1VIH4CgsnHz5xPxTfrrJCTWAvTDpI
arHX/6qD+QOMXpT4/W37WxIyTEICBUEGtn6gMbb1xU96WJ3zqp7EYjxO/IOU
=Mkw8
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.12.2
+4 -3
@@ -1,5 +1,6 @@
config: config:
mysqld_exporter_password: ENC[AES256_GCM,data:I9K+QMqaN3FOOVKzeOR9Q6UERStXX0P8WEHyN1jzzbM=,iv:UxvIdlfAyJvNuxPkU4+guKPa0fiD0vVLzHOTYktcmso=,tag:ltnIqEwESYx9HBu8UN0ZLw==,type:str] mysqld_exporter_password: ENC[AES256_GCM,data:I9K+QMqaN3FOOVKzeOR9Q6UERStXX0P8WEHyN1jzzbM=,iv:UxvIdlfAyJvNuxPkU4+guKPa0fiD0vVLzHOTYktcmso=,tag:ltnIqEwESYx9HBu8UN0ZLw==,type:str]
postgresql_dibbler_password: ENC[AES256_GCM,data:wP4CVz9qRE3CJrblWWYqOIkcH3LM5H81,iv:j8zr1TRNlPPqIppYlWhDoKlL7m2Ph2wQlU6bvFj8R9A=,tag:Cfp8zbYkoLqI7DTDpOBlJw==,type:str]
keys: keys:
grafana: grafana:
secret_key: ENC[AES256_GCM,data:+WoAJbDBEgKs0RoHT+7oEELAVQ+/2Xt+5RTMSXg23moCqVRx+Gzll9P5Drw=,iv:AkRn/Y20iEe5i1T+84wAgLCTFtAox2G3giyawAkltAw=,tag:BZbt5Wb5lYLIJBm/pfP4GQ==,type:str] secret_key: ENC[AES256_GCM,data:+WoAJbDBEgKs0RoHT+7oEELAVQ+/2Xt+5RTMSXg23moCqVRx+Gzll9P5Drw=,iv:AkRn/Y20iEe5i1T+84wAgLCTFtAox2G3giyawAkltAw=,tag:BZbt5Wb5lYLIJBm/pfP4GQ==,type:str]
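Review bot: the new `postgresql_dibbler_password` under `config:` has a ciphertext of the same length as the rotated `dibbler.postgresql.password` in the other secrets file of this compare, which suggests the exporter may be handed the application's own database password. If that is the case, create a separate read-only PostgreSQL role for the exporter and store that role's password here, so the monitoring host never holds a credential that can write to the dibbler database. Naming the key after the role would also make the intent visible without decrypting.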
@@ -72,8 +73,8 @@ sops:
dC9meDZlc3d3aUJEVjc4REF0Y1BLcGcK79LbJzc5KVgEgyJR11crGuX8YcVoJBbT dC9meDZlc3d3aUJEVjc4REF0Y1BLcGcK79LbJzc5KVgEgyJR11crGuX8YcVoJBbT
Fin7Zoon06L7qx0Zw5u27wV7RKMnYT7hOMiWs6660ZTLcYJ5M1aEZQ== Fin7Zoon06L7qx0Zw5u27wV7RKMnYT7hOMiWs6660ZTLcYJ5M1aEZQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-16T20:08:18Z" lastmodified: "2026-06-07T12:51:04Z"
mac: ENC[AES256_GCM,data:C2tpWppc13jKJq5d4nmAKQOaNWHm27TKwxAxm1fi2lejN1lqUaoz5bHfTBA7MfaWvuP5uZnfbtG32eeu48mnlWpo58XRUFFecAhb9JUpW9s5IR3/nbzLNkGU7H5C0oWPrxI4thd+bAVduIgBjjFyGj1pe6J9db3c0yUWRwNlwGU=,iv:YpoQ4psiFYOWLGipxv1QvRvr034XFsyn2Bhyy39HmOo=,tag:ByiCWygFC/VokVTbdLoLgg==,type:str] mac: ENC[AES256_GCM,data:otGwzc3Bme1PGRU4zWRRf3kmAf5EDjT8sPkDK/zDrO0ve+d3x99Qls4DBZV8G6FsFtUXbeKVo70I5VpqUgaIef+nyMl6zzWkW1wpbKIBYjh5fkaP0xxhLnw+shrB088PAXT0wkP7hJBLO0ZJgTrpprJKhmeqVj2HEXBSJ1wSjk8=,iv:cjqtdbWBVLUfpQdykb3vKDKa/VC/kGBybwYtG/eStqc=,tag:remOj4bX/H/LlAPgcXHAdA==,type:str]
pgp: pgp:
- created_at: "2026-05-20T17:35:58Z" - created_at: "2026-05-20T17:35:58Z"
enc: |- enc: |-
@@ -96,4 +97,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.12.2
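Review bot: the `version:` line moves from 3.9.4 to 3.12.2 here while the other secrets files in this compare are written with 3.13.0, so contributors are editing secrets with different sops releases. Pin one sops version in the dev shell so that metadata churn like this stays out of diffs that are meant to show a credential change.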
+21 -18
@@ -1,10 +1,12 @@
dibbler: dibbler:
postgresql: postgresql:
password: ENC[AES256_GCM,data:3X9A3jOpFVRuBg0gRiCEsZVKfLI=,iv:XC7LBNUhALk9IEhItV8fO5p/m7VKL0REBY1W2IZt7G4=,tag:l18R7EhbOlucZHFQiEvpHw==,type:str] password: ENC[AES256_GCM,data:ZeNKipcCB+z8QVGeg1iV3MUXqALjotVz,iv:xCtgOoe6Pkr6Cq3vL+T4L+GW1KAcgP/xUz3YbHs5bCc=,tag:/X5phRYDAws8Aam1j+UaTw==,type:str]
worblehat:
postgresql:
password: ENC[AES256_GCM,data:WpJR6MumY+7WUYdVVgAqv1af+NmqecTMO9aP5lidSpE=,iv:7aoN8mjXckd81LxasMSG3R2vqj0SvzSl7wrEQ1LwToo=,tag:zeeNcEpkYnqyd8be0ZS+kQ==,type:str]
sops: sops:
age: age:
- recipient: age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr - enc: |
enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTk5YU3Z2Yy9HS1R4ME5I YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTk5YU3Z2Yy9HS1R4ME5I
UU1PRWVncHJYcXY5RlFpOWVQUWZsdy93ZDFBCnlxWkpaL1g5WmNSckNYd202WE40 UU1PRWVncHJYcXY5RlFpOWVQUWZsdy93ZDFBCnlxWkpaL1g5WmNSckNYd202WE40
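Review bot: the `dibbler.postgresql.password` value changes but the age `enc` blob below it is identical on both sides, so the file's data key was not rotated along with the password. If this rotation responds to exposure of the decrypted file or of a recipient key, rotate the data key as well. The old ciphertext also stays in git history, so the change only protects anything once the role's password has actually been altered on the PostgreSQL server. Adding the `worblehat` entry in the same hunk as the rotation makes it harder to audit either change; separate commits would help.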
@@ -12,8 +14,8 @@ sops:
ZnllQzJiK1ZkRmFndmtYdW9IclFWY1EK82f1iGt3nt8dJnEQlMujNqConf6Qq6GX ZnllQzJiK1ZkRmFndmtYdW9IclFWY1EK82f1iGt3nt8dJnEQlMujNqConf6Qq6GX
hqoqPoc2EM4kun28Bbpq4pAY7eEPRrWFqOkjYVvgIRoS88D7xT3LWg== hqoqPoc2EM4kun28Bbpq4pAY7eEPRrWFqOkjYVvgIRoS88D7xT3LWg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge recipient: age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
enc: | - enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WTJIOUcxRlBuNmRrNUZo YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WTJIOUcxRlBuNmRrNUZo
MXFxeVJBTEhDK00yTUw1U2dHckNFYWZKWkhNCnYxYmtrUEVvd1RaYUI5WTRTRW16 MXFxeVJBTEhDK00yTUw1U2dHckNFYWZKWkhNCnYxYmtrUEVvd1RaYUI5WTRTRW16
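Review bot: from this hunk down, each age stanza changes only because `recipient` and `enc` swap order, which buries the real changes (the rotated dibbler password and the new `worblehat` entry) under a run of no-op hunks. The recipient list appears unchanged, but a reviewer has to match every `age1…` key by eye to confirm that nobody was added or removed. Put the re-serialisation in its own commit, or state in the commit message that the recipient set is unchanged.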
@@ -21,8 +23,8 @@ sops:
eTB4WldMNW9GNUwwaEUzRThsemxRVzQKGpa0J2PBzDRdHijm0e3nFAaxQCHUjz+L eTB4WldMNW9GNUwwaEUzRThsemxRVzQKGpa0J2PBzDRdHijm0e3nFAaxQCHUjz+L
KataXJEMCijJ6k+7vpb5QMxe2jB1J2PMxNGFp0bWAy2Al3p/Ez2Kww== KataXJEMCijJ6k+7vpb5QMxe2jB1J2PMxNGFp0bWAy2Al3p/Ez2Kww==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: | - enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaW1ZSXhVeFVTQW9WYzVh YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaW1ZSXhVeFVTQW9WYzVh
WkVUM2JkOU5VNU9oQXE2Y2pvcFlOWTdvbnpJClduS0RHL2xja291a2doQ0wzbzhQ WkVUM2JkOU5VNU9oQXE2Y2pvcFlOWTdvbnpJClduS0RHL2xja291a2doQ0wzbzhQ
@@ -30,8 +32,8 @@ sops:
ZUdnS2RvOXI1dGNYQTl6ZHE1cUdMWHMK4ycAJQLyKCgJIzjQ02bPjz4Ct9eO6ivw ZUdnS2RvOXI1dGNYQTl6ZHE1cUdMWHMK4ycAJQLyKCgJIzjQ02bPjz4Ct9eO6ivw
kfWhyMaoWwM9PhFcwSak0cLpX0C/IOzSzO78pf3WhG16pV7aXapdog== kfWhyMaoWwM9PhFcwSak0cLpX0C/IOzSzO78pf3WhG16pV7aXapdog==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: | - enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqaml0OVlhcUJSU1hSY3lP YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqaml0OVlhcUJSU1hSY3lP
bkM0cUV4Z2ZLeERHZ3BUNExuYS9KSU5CekQ4CmQ3SE1vdDBtdFJ6czZYR3U5Tk1X bkM0cUV4Z2ZLeERHZ3BUNExuYS9KSU5CekQ4CmQ3SE1vdDBtdFJ6czZYR3U5Tk1X
@@ -39,8 +41,8 @@ sops:
Sy9XbjhwOFR6SFpaNHZLd3ZxdmxOVUEKBBbGmdVVlKHxO+/iODznLP3+dJGppybW Sy9XbjhwOFR6SFpaNHZLd3ZxdmxOVUEKBBbGmdVVlKHxO+/iODznLP3+dJGppybW
+1k9uenVHzie+pDKcrQpSyX2WDnmgg7hUAUiXPuz1eEWmwbRJnU/5w== +1k9uenVHzie+pDKcrQpSyX2WDnmgg7hUAUiXPuz1eEWmwbRJnU/5w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: | - enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXK01vOVV5YlhsZ2ljYS91 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXK01vOVV5YlhsZ2ljYS91
OUVEaEpTbXFKOHVNVDVoMTlrS05wRmsyM2dvCjZHOXlCUGowd0J4UlQzSzM5dWJ0 OUVEaEpTbXFKOHVNVDVoMTlrS05wRmsyM2dvCjZHOXlCUGowd0J4UlQzSzM5dWJ0
@@ -48,8 +50,8 @@ sops:
RUR6Yi9SUDFCUkZmRk5hYTVFeGloZXcKY/XtaSoW8Pu2wS4oistLSc0T5JvMnt+w RUR6Yi9SUDFCUkZmRk5hYTVFeGloZXcKY/XtaSoW8Pu2wS4oistLSc0T5JvMnt+w
s3yfe/zx9/1K6OtbeljF9FZVOB/dOamvk+Qlfl0T5qush7/WgGzErA== s3yfe/zx9/1K6OtbeljF9FZVOB/dOamvk+Qlfl0T5qush7/WgGzErA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5 recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: | - enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOM0pFb2tRTURtWmp6elRN YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOM0pFb2tRTURtWmp6elRN
M0xtajlzMTNPMnppcGhJMVlsNHdwWmNGbFVFCnlxM1JQTkR2elAvdytKUEJ3djBS M0xtajlzMTNPMnppcGhJMVlsNHdwWmNGbFVFCnlxM1JQTkR2elAvdytKUEJ3djBS
@@ -57,8 +59,8 @@ sops:
eWlyWGhaS1JCNitUSVVScFk2WGEvOG8K2rpYPGx5jhyyRK4UkeJR96wDFr4Frzsr eWlyWGhaS1JCNitUSVVScFk2WGEvOG8K2rpYPGx5jhyyRK4UkeJR96wDFr4Frzsr
QWz7fYZRWKWf0H0qn+bm9IfVJiBAlS5i16D1FnipZVmdWefFaZSEPg== QWz7fYZRWKWf0H0qn+bm9IfVJiBAlS5i16D1FnipZVmdWefFaZSEPg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: | - enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJVFV0WVZrK0wzbnhkcmcz YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJVFV0WVZrK0wzbnhkcmcz
c2lIdVlKcFpoYjZIWlNPN0M5N2g2WG9YdlRJCjg5YlNoSzQ5YW5yRUVSeTEzRThY c2lIdVlKcFpoYjZIWlNPN0M5N2g2WG9YdlRJCjg5YlNoSzQ5YW5yRUVSeTEzRThY
@@ -66,8 +68,9 @@ sops:
MmxPMWNPYzJiOFRqY2VYczhvRm5IR3cKpUVV+zsMolsHI2YK9YqC6ecNT6QXv0TV MmxPMWNPYzJiOFRqY2VYczhvRm5IR3cKpUVV+zsMolsHI2YK9YqC6ecNT6QXv0TV
d1SpXRAexZBeWCCHBjSdvQBl8AT4EwrAIP2M2o++6i5DaGoGiEIWZQ== d1SpXRAexZBeWCCHBjSdvQBl8AT4EwrAIP2M2o++6i5DaGoGiEIWZQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-10T20:02:28Z" recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
mac: ENC[AES256_GCM,data:i8CjVxoD7zdkLNJlI9DCo/tDV5DUI7JdpozLtYZzI7Cu51GayaE2Y3Wg4de6P0L7C3FER04WfRe/h+G9PLZICX/CfSipQysyrEq3Pjt9IKsjytDhP9VYJ36QFGF0PuHUQAMSLts/tAoAvLue6MP+V82l5js9ghvyBrzyBGxoyJw=,iv:QFNxvCYxrSkwy7iT+2BEacNPftDXju1cibprVPDjic0=,tag:496E+oCy/VwTylyaWhQD+A==,type:str] lastmodified: "2026-06-07T08:58:13Z"
mac: ENC[AES256_GCM,data:rchs8pGkw7dthGOQNDB5p/kgQdfdystaC+jRr0bZnA4Q41+PVMu+vBSMIZ+9zZek6oENgchmV5rRS0CEeb9UQMMiPXCk2Q2jMaDfiNCmOmjf0YYeFWRM6g2lA+IZ3RgKjwhXa6i5JOeNrNewMjtx7MFcHTn3EBlg2mztyn1xbT0=,iv:0yvoFPDxpugaBmTtXSmhNz9XusJHrU3E02tBm1hVsZo=,tag:hZ1BzqfmlT1OhPSsn+CCTg==,type:str]
pgp: pgp:
- created_at: "2026-02-10T20:01:32Z" - created_at: "2026-02-10T20:01:32Z"
enc: |- enc: |-
@@ -90,4 +93,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.13.0
+93
@@ -0,0 +1,93 @@
httpd:
passwd-ssh-key: ENC[AES256_GCM,data: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,iv:1BE0moa2a4k2yqVBboS/EbNiFGLTu4Df/tnXBassls4=,tag:iPUOAEhqKbF9umsyBLaoJg==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data:E2NiTUQokUDHzkfmTh5eECHZxt8v/Ug63ETA/CcO8358EpPeaFI1tAFt3q0o5rTCAUlB5cJ1ZOxX4mTeIH370wnwFN6emg+iAaK3VM+AL3Tp8Acb5EwErSOTKjAwrS5vwqb3oTYMzj42bKBk0b/qPWspGnoUfDI481+p99PS8eqpNCcGaNEDNk0BPwDvngwuur9o2RTmuWwxZO+s3wqlktQPkCguii8/FD3x3O8eow+v,iv:tJNxoY4UsRrB9k/fX9jLUc4hC3bioekpgKu4aa2o/4Q=,tag:DLj9rqse33D8PDLMxF/heQ==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrMStZRlNCem0zRWgvMytj
b2tGR0M4SmF2Z1dYR2RBK1ZTUEx4c3NhMmlnCkVwcStqZ0RPRm1EK01lTWJpUmd2
Qis2WlU2ZUpFcUVXZUdVaWVyQno4NFEKLS0tIGJZWmlSdEtaUnd1alZ6NURsSFY3
VXJGank2UlBqY0hNZ1QvUGZUdVljaXMK9P4IVuSZ8uhDXDWMOkqABWImL4mu18AU
7X+1t3nZVmPze3MOTBRWf483DBAM+69QDlio1uSzZjJQc1X0H6ePKQ==
-----END AGE ENCRYPTED FILE-----
recipient: age10avsdvqger25z0lyzlq8v7xfzcmypkmjsswswaxwqnpnl6x9wcjq0uv2n7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMGdHZ2xvdnVMbFAxYkhF
WHRPWjg3OE4vU1RhTWxPc0cxNm1RU1BPem40CnRHc0gyQVNxelBnZERMNlp2YnFk
U0xpbHN6RlVHZHdkZktnK0hCMFQ1aGcKLS0tIDVtODVvNzN0NFJ3UGFYdkpLTmZR
R0FvdzE5NDhUNFpWZTYreklCMmhCWmcKuD5nNqDSP4SK3E1AsnZtE4jzYgxfgHau
nmPKA2dgsPoA2rug/kGB9uXeUUA0oL26FyjlPi6NYDVvN4u1IHgPSw==
-----END AGE ENCRYPTED FILE-----
recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3SUdGMUgwSEV2SUhkMEJm
MWJ5Y1VMdWsyK1NWYmxUK3N1cHoydWp5eUVrCllZK3hKZjNDYzMwQTFENTg2aFFi
dXpkWGZkT0hiWGRQdjltNXZ6ZkN2S1EKLS0tIFREeDFVZkZEV0phM3dRYUVRSSsx
UVpkZ3hTd0JuWm16WnFFREt4S0hxMjAKbihmtr3/d/BbX21zkZWNarCNa4cYCM9B
HGwcEfP4fnevWdM4LbXXBBmfoVUErKjK5tiMwocVZXZrsHBYI4amPA==
-----END AGE ENCRYPTED FILE-----
recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3d3g2aHUrT0d5Kzl1RmVk
MUh4eW8vTS9qbkZ3WHNYMjFHSlZLV2M1aVgwCllWTDFwZDV1QTFkQkVrUnN0bSto
aTlvVTVaOWVldDJjSHMyaFhLNXlBcUEKLS0tIHZ6d0ZZWlo5SVJ3a0VNbjRFYnkz
dDFFT1JVN2N1cjg2TW5xOUZKZDVzZkUKjtRmm87B4AECzS8mmL6rUyVfNYlsem1w
HDFw4p0Nt9JWFFWEWamnTQ+Bq2UPsueBW4Ei/WyDj5d4EyNptoJrDQ==
-----END AGE ENCRYPTED FILE-----
recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2aWs5V0xhTzJlMi9PNks0
ZUNiOFB5TDZQUVBnVThRQjdzYTJ0Uml1blJzCjhUdTdpRURsVlIrUkxnUXVhM3Vn
cmJSL0x2Y29aMnltcWhiYmhLem1ldGsKLS0tIFpMa1lmZjZPQ0FvSUhTbUhzRlM5
bHNqMm1xRGdMd2NOdVo0Y0xFLzJCbGcKnSMBn2kp/RGDr5NL+qMoWqqdCdSu4wFz
GjjUS43nW0++TVXusGIj60sDJtK623N4srpubykZtYfEO1c1cAURpg==
-----END AGE ENCRYPTED FILE-----
recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnU2d6bFRqMk5jZ3lDdzA5
WFpsNVdLL2lXRGZ5ZjRIdGs5VjRVZ1JKdDJJCmxQeHZsZk9OQ1g4dG00MVNGeFF2
OURQUndCOTM3eUh1SnRaOGFKMi80TjQKLS0tIEE2eE8vK1dnN0dnbGNqaWZqdzJx
WGhRM2R0VzV1SlpxeGVWOXNCeWlzcVUK/nD3DWVDjVbWJmP33OC4LSKA3qrjN0hb
kZV4U44y+8uLtBVm3WnkZd/cg5wqoD/1agG7aCc9DMmOmxHUfdfrJw==
-----END AGE ENCRYPTED FILE-----
recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtczYrL3NrM295NEd4N3V0
WndPRXltZFhOUU1LdGVNM05LRzV5blhmU1JRClBpU0g2K0FJbFE0RVEyVW1ZRTJU
d2ZoeTM0QWx1NE9wSjc3c0tUa3Z3VlkKLS0tIEVrQStXSWRTUkJvK2paTU1EUkcy
ZWtMdDRhTWdLZnI2T2ZmS2VXdjFpZVkK1LAo54bl2QIx08rMJ0A8Q5bVXWcaoFPo
Y0/PSyL+vMa2Ab6b4vD6GNY5/KAE5XPlvBEKBrIe2oIAMJw38KUq8g==
-----END AGE ENCRYPTED FILE-----
recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
lastmodified: "2026-05-29T13:54:14Z"
mac: ENC[AES256_GCM,data:g1PT225ggTfHuzU9qaNfNrhIVqtTWRCSm7iFDTlCZTDr4PPGbRtUH5fIJSY1F+2mu+H2XRM9ueenhqTyyyDJGsq+Oqp6Ae4E7vp2Uo4qH8O2d/u78EL2zNVestTvCnJGJ5lPWrN2i41pqOWbNx+dXt0O+sdgS890IQkj4i8VrRU=,iv:CjBKRSCMpAT+gWEFjvqb5OBy5u6ZsDelsCg5lGNOsN0=,tag:k1ia0wkw3YQfeFdv0GTX6g==,type:str]
pgp:
- created_at: "2026-05-29T13:54:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYARAAq4qDoGJmeum8aPwO6TGOO+iIKNE3rqIdCsUsTs+SF3VL
ejSW3yB9hw5ptg3CCUH0tZRuZyvQ3fkXFh08hSBfBhICSr9NS2vllXp4ILlhNG0P
gEIq67+daK2YyWBcV3Rh8OMz5niGYDKF6WZjzlkFxinUFcqVtQrVKw9pti+Crhs9
QgZbTz5+Cph/ACSLufSUV2yyjv+zO+VhyMpHR4x/B/el/T921vAQAdGx9DprC1ed
cse2kg9ouhMQI+Aii5oSnDCAuVZGZQN23WXQBQp66l4gFmR3Av85miguEF5Gf8YW
44GiixHyul5583NDsMQuoPu1gzE8CqUPMVFVGzp5BsXbb4HzmEslxkpi7obCs7wx
fCplc2L+mLa4hTBJXYcCcRbsbopjDnYLNLfl4nvYHW5utimNej4EBdzQQg3DNf8J
zdNXlwHXUBgU8ayAyOwThQIP4s+VDSh2ASSWwEmqNMr5nkocIl7UO3J9MzkLNuc1
0S4b8rM9om755SlQTeLrOy/4aloZwCMFxQOeIoJ0fxNlgap1BS1FQ68leA+uiCcc
vCFVMlYUOwMl2wqkQ84pY3SEL6z96o9wpOyRERk/yfjBWnGjqjANNz4uSXggo4B9
LTLIqO+Li26+geyTATIMJU5SeMdP5s+Lvc2qzn0c4qr67hVo9H5Df2qzijsqIqrS
XgHQdNafa0JYSH07UKFvfmcDYU/sWRi7QrFD3/zn5HPUN2XNQj4P9OF93NV8tAqK
pFqgdJCybDSp4sQujjQOZkJ3tpVnlq/G/QjiAY2TpbYxzPUDWP0Pu0yGxVIrJ5Q=
=atHd
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.13.0
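Review bot: `ssh-known-hosts` holds host public keys, which are not secret, and encrypting it means nobody can see in review which host keys the httpd sandbox will trust. Store it in plaintext, for example under a key ending in the `_unencrypted` suffix this file already declares, and keep only `passwd-ssh-key` encrypted. For `passwd-ssh-key`, document next to the secret which remote account it authenticates as and that the account is restricted to serving the passwd data, since that cannot be checked from the ciphertext.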
+6 -6
@@ -22,12 +22,12 @@ pkgs.mkShell {
stdenv.cc stdenv.cc
unzip unzip
util-linux util-linux
xorg.libX11 libX11
xorg.libXext libXext
xorg.libXi libXi
xorg.libXmu libXmu
xorg.libXrandr libXrandr
xorg.libXv libXv
zlib zlib
cudatoolkit cudatoolkit
+2 -2
@@ -55,11 +55,11 @@ in rec {
}; };
brzeczyszczykiewicz = { brzeczyszczykiewicz = {
ipv4 = pvv-ipv4 205; ipv4 = pvv-ipv4 205;
ipv6 = pvv-ipv6 "1:50"; # Wtf peder why ipv6 = pvv-ipv6 205;
}; };
georg = { georg = {
ipv4 = pvv-ipv4 204; ipv4 = pvv-ipv4 204;
ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why ipv6 = pvv-ipv6 204;
}; };
kommode = { kommode = {
ipv4 = pvv-ipv4 223; ipv4 = pvv-ipv4 223;
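Review bot: the `ipv6` lines for `brzeczyszczykiewicz` and `georg` change the hosts' addresses, not just the notation, and the removed comments suggest the machines were actually deployed with the `1:50` and `1:4f` suffixes. Confirm that `pvv-ipv6` accepts an integer (the removed lines passed it a string) and that the result for 205 and 204 is the address intended. Any AAAA records, firewall rules or address-based allowlists that name the old addresses need to change in the same rollout, otherwise the hosts either lose IPv6 reachability or stale allow rules keep pointing at addresses that are no longer assigned.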