Compare commits


170 Commits

Author SHA1 Message Date
Karoline Dyve Samuelsen 98a3c2ebcc Update hosts/bekkalokk/services/idp-simplesamlphp/default.nix 2026-02-17 11:09:41 +01:00
Karoline Dyve Samuelsen 0d0ec8be51 Update packages/simplesamlphptheme/default.nix 2026-02-17 10:56:30 +01:00
Karoline Dyve Samuelsen 181e13931b Update packages/simplesamlphptheme/default.nix 2026-02-17 10:54:44 +01:00
Karoline Dyve Samuelsen e67771fe7d Added output 2026-02-17 10:44:03 +01:00
Karoline Dyve Samuelsen da4ace6079 Added correct hash 2026-02-17 10:37:49 +01:00
Karoline Dyve Samuelsen bca735ddc9 Update packages/simplesamlphptheme/default.nix 2026-02-17 10:36:12 +01:00
Karoline Dyve Samuelsen 5ab1b45aa8 Fixed typo 2026-02-17 10:31:46 +01:00
Karoline Dyve Samuelsen 509e6dcaba Corrected typo 2026-02-17 10:15:46 +01:00
Karoline Dyve Samuelsen cbed6e2c43 Added stdenv pkgs 2026-02-17 10:13:08 +01:00
Karoline Dyve Samuelsen d1ace10a58 Added simplesamlphptheme. 2026-02-17 10:10:21 +01:00
Karoline Dyve Samuelsen 0fe5db2d65 Inserted filepath to module/ssp-theme 2026-02-17 09:45:20 +01:00
Karoline Dyve Samuelsen 264f147069 Initial code to import ssp-theme repo. 2026-02-17 09:43:00 +01:00
Adrian G L a070139443 copied simplesamlphp to package simplesamlphp theme 2026-02-17 09:28:26 +01:00
Karoline Dyve Samuelsen 1a96a18fe4 Updated filepath to theme. 2026-02-17 09:13:42 +01:00
Karoline Dyve Samuelsen 2ec17a72a4 Test run 2 for trying to implement fancy login page. 2026-02-16 13:59:07 +01:00
Karoline Dyve Samuelsen 3ad2fc3464 Added settings to include pvv login theme. 2026-02-15 20:21:00 +01:00
Vegard Bieker Matthey 18167dca0a update README to reflect added host 2026-02-14 19:12:41 +01:00
Vegard Bieker Matthey b5fecc94a7 hosts: add skrot
Co-authored-by: System administrator <root@skrot.pvv.ntnu.no>
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/124
Co-authored-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>
Co-committed-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>
2026-02-14 18:53:54 +01:00
h7x4 0d40c7d7a7 base/acme: use different email alias for account 2026-02-13 19:45:45 +09:00
h7x4 b327582236 kommode/gitea: use redis for sessions and queue 2026-02-13 18:55:42 +09:00
h7x4 7e39bf3ba2 bicep/matrix/ooye: add rsync pull target for principal backups 2026-02-13 18:26:55 +09:00
h7x4 5bb0cd0465 kommode/gitea: set default theme 2026-02-13 14:32:36 +09:00
h7x4 9efda802cb kommode/gitea: move ui configuration to customization 2026-02-13 14:23:48 +09:00
h7x4 3c08be3d73 kommode/gitea: configure redis cache 2026-02-13 03:50:21 +09:00
Øystein Tveit b1a2836b5d kommode/gitea: custom emoji 2026-02-13 03:38:45 +09:00
h7x4 ba1f30f737 kommode/gitea: configure more meta fields 2026-02-13 03:13:49 +09:00
Daniel Olsen c455c5a7e3 bicep/matrix/livekit: fix matrix domain in livekit, allow dan's server as well 2026-02-11 22:58:19 +01:00
Vegard Bieker Matthey 35907be4f2 update sops keys for skrott 2026-02-07 22:17:09 +01:00
h7x4 210f74dc59 secrets: sops updatekeys 2026-02-08 05:19:26 +09:00
Vegard Bieker Matthey d35de940c1 update gpg install cmd for secrets 2026-02-07 21:12:03 +01:00
h7x4 daa4b9e271 bekkalokk/mediawiki: adjust umask 2026-02-07 01:46:55 +09:00
h7x4 12eb0b3f53 bekkalokk/mediawiki: allow uploading more filetypes 2026-02-07 00:56:38 +09:00
h7x4 02bdb8d45b kommode/gitea/web: use default login shell 2026-02-05 13:25:06 +09:00
h7x4 a5143c0aaa bekkalokk/nettsiden: fix gallery rsync target 2026-02-05 13:19:29 +09:00
Vegard Bieker Matthey 561404cd87 bump dibbler 2026-02-04 04:11:56 +01:00
System administrator 3338b4cd61 gluttony: fix ipv4 addr 2026-02-03 21:05:53 +01:00
Vegard Bieker Matthey 2354dcf578 gluttony: update disk id 2026-02-03 16:18:43 +01:00
h7x4 304304185c base: add lsof to list of default installed packages 2026-02-02 23:59:35 +09:00
h7x4 b712f3cda3 temmie/userweb: add a few more packages 2026-01-31 21:53:12 +09:00
h7x4 cc272a724c temmie/userweb: add directory index search path 2026-01-31 21:30:23 +09:00
h7x4 fcaa97884e temmie/userweb: add a bunch more normal packages 2026-01-31 21:20:26 +09:00
h7x4 11f2cf504f temmie/userweb: add a bunch more perl packages 2026-01-31 20:31:03 +09:00
h7x4 7ab16bc949 temmie/userweb: restrict log access 2026-01-31 19:08:02 +09:00
h7x4 c4d5cfde56 temmie/userweb: add legacy-cgi to the python package set 2026-01-31 18:53:44 +09:00
h7x4 100d09f6b7 temmie/userweb: get first iteration working 2026-01-31 18:41:17 +09:00
h7x4 3b0742bfac temmie: combine homedirs in overlayfs 2026-01-31 18:41:17 +09:00
h7x4 3ba1ea2e4f flake.lock: bump 2026-01-31 13:44:39 +09:00
h7x4 91de031896 treewide: limit rsync pull target access to principal 2026-01-31 11:14:18 +09:00
h7x4 c3ce6a40ea ildkule/grafana: update a bunch of dashboards 2026-01-31 01:07:26 +09:00
h7x4 beee0ddc75 ildkule/grafana: remove dashboard for gogs 2026-01-31 00:58:34 +09:00
h7x4 359f599655 bekkalokk/snappymail: add rsync pull target for principal 2026-01-31 00:19:09 +09:00
h7x4 5b1c6f16d1 bekkalokk/vaultwarden: add rsync pull target for principal 2026-01-31 00:18:57 +09:00
h7x4 cec69d89a8 bicep/{postgres,mysql}: fix old backup deletion (again) 2026-01-30 13:26:10 +09:00
h7x4 af0bf7b254 bicep/{postgres,mysql}: fix old backup deletion 2026-01-29 14:57:46 +09:00
h7x4 bcf8b1607f bicep/{postgres,mysql}: use hardlink for latest backup file 2026-01-29 14:53:07 +09:00
h7x4 1d46fd1ec6 bicep/{postgres,mysql}: keep multiple backups, point at latest with symlink 2026-01-29 14:16:34 +09:00
h7x4 bac53be707 bicep/{postgres,mysql}: use zstd for backup compression 2026-01-29 13:50:35 +09:00
h7x4 f08bd96b74 bicep/{postgres,mysql}: move backups to /data 2026-01-29 13:41:06 +09:00
h7x4 25f2a13391 packages/mediawiki-extensions: bump all 2026-01-29 13:34:42 +09:00
h7x4 8774c81d23 bicep/{postgres,mysql}: custom backup units 2026-01-29 13:32:28 +09:00
h7x4 d6eca5c4e3 bicep/{postgres,mysql}: split config into several files 2026-01-29 13:18:25 +09:00
h7x4 49d1122ee5 bicep/mysql: enable slow query logs 2026-01-28 14:55:52 +09:00
h7x4 31bbf4b25f bicep/synapse: enable auto-compressor timer 2026-01-28 14:50:57 +09:00
h7x4 2f7e1439d0 bicep/mysql: pin version, upgrade from 11.4 -> 11.8 2026-01-28 14:01:14 +09:00
h7x4 fa31a84bd2 bicep/postgres: upgrade from 15 -> 18 2026-01-28 14:00:25 +09:00
h7x4 b77c8eb5c0 modules/rsync-pull-targets: fix multiple pull targets with same user 2026-01-27 21:10:17 +09:00
h7x4 949661113e bicep/mysql: move backup dir 2026-01-27 20:47:40 +09:00
h7x4 f442c4d65f bicep/minecraft-heatmap: gate remaining config behind cfg.enable 2026-01-27 20:44:20 +09:00
h7x4 690aee634b bicep/postgres: gate remaining config behind cfg.enable 2026-01-27 20:44:20 +09:00
h7x4 2ed1c83858 bicep/{postgres,mysql}: add rsync pull targets for backups 2026-01-27 20:39:12 +09:00
h7x4 d43de08a3b flake.lock: bump 2026-01-27 19:44:45 +09:00
h7x4 e8c7f177e8 kommode: use disko to configure disks 2026-01-27 19:00:12 +09:00
h7x4 fb59a242fb kommode/gitea: add rsync pull target for gitea dump dir 2026-01-27 18:55:25 +09:00
h7x4 65d095feb1 bekkalokk/mediawiki, bicep/matrix/synapse: add keys for rsync targets 2026-01-27 18:55:03 +09:00
h7x4 8273d98788 flake.nix: add disko to default devshell 2026-01-27 18:35:18 +09:00
h7x4 8a84069dcf bicep/mysql: use BindPaths to access dataDir 2026-01-27 17:23:38 +09:00
h7x4 cda84be5b0 bekkalokk/well-known: add note about bug bounty program to security.txt 2026-01-27 17:11:07 +09:00
h7x4 79a46ce3f6 bicep/element: set default country code 2026-01-27 04:11:40 +09:00
h7x4 19e45be83a .mailmap: further dedup 2026-01-27 04:07:25 +09:00
h7x4 a8892e2fb2 hosts/various: bump stateVersion 2026-01-27 04:00:48 +09:00
h7x4 a149f97ac0 bicep: bump stateVersion from 22.11 -> 25.11 2026-01-27 03:59:40 +09:00
h7x4 e76c656378 bekkalokk: bump stateVersion from 22.11 -> 25.11 2026-01-27 03:52:34 +09:00
h7x4 5877ef60b1 modules/rsync-pull-targets: leave TODO about assertion 2026-01-27 00:27:00 +09:00
h7x4 73456de527 bekkalokk/mediawiki, bicep/matrix/synapse: leave principal rsync target stubs 2026-01-27 00:26:42 +09:00
h7x4 2f8e9ea190 modules/rsync-pull-targets: init, migrate bekkalokk/website/fetch-gallery 2026-01-26 23:57:20 +09:00
h7x4 c3c98392ad bicep/hookshot: add passkey to sops 2026-01-26 21:52:58 +09:00
h7x4 e01fd902eb bekkalokk/mediawiki: move secret.key to sops 2026-01-26 17:55:55 +09:00
h7x4 ce8d759f79 skrott: yeet 700MB worth of firmware, leave raspberry-specific firmware be 2026-01-26 17:09:18 +09:00
h7x4 ea6296f47a base/vm: disable graphics for vms by default 2026-01-26 17:08:35 +09:00
h7x4 c28fc3f229 ildkule/prometheus: add temmie,gluttony, re-enable lupine-2 2026-01-26 17:04:55 +09:00
h7x4 c124183d95 ildkule/prometheus: scrape skrott 2026-01-26 17:04:52 +09:00
h7x4 d7bb316056 skrott: yeetus ncdu 2026-01-26 15:45:10 +09:00
h7x4 c78c29aaa6 skrott: don't pull in nixpkgs/nixpkgs-unstable source tarballs 2026-01-26 15:43:23 +09:00
h7x4 7d451f1db5 base/auto-upgrade: don't install flake-inputs.json when disabled 2026-01-26 15:42:56 +09:00
h7x4 1d57cec04d base/acme: remove deprecated argument 2026-01-26 15:07:40 +09:00
h7x4 f50372fabd .sops.yaml: remove yet more remains of jokum 2026-01-26 13:53:30 +09:00
h7x4 0f355046de .sops.yaml: add skrott 2026-01-26 13:53:16 +09:00
h7x4 285f5b6a84 flake.nix: point skrott-x86_64 at correct nixosConfiguration, add -sd variants 2026-01-26 13:46:15 +09:00
h7x4 20eec03cd4 bakke: fix eval warnings about kernel packages 2026-01-26 13:46:14 +09:00
h7x4 fffdf77d6f skrott: disable more stuff 2026-01-26 13:46:13 +09:00
h7x4 42bbb1eca1 flake.nix: make native skrott default, misc cleaning 2026-01-26 13:28:42 +09:00
h7x4 34fdc9159c bekkalokk/mediawiki: remove unused module import 2026-01-26 13:19:48 +09:00
h7x4 1b6ff9876d Remove global packages from users, skrott: remove neovim properly 2026-01-26 13:16:06 +09:00
h7x4 0206c159a2 skrott: cross compile and further minimize 2026-01-26 13:15:46 +09:00
h7x4 15004829a8 flake.lock: bump dibbler 2026-01-26 02:30:53 +09:00
h7x4 48ffb3cda1 skrott/dibbler: fix postgres url 2026-01-26 02:27:21 +09:00
h7x4 9bbc64afc8 skrott: disable promtail, documentation 2026-01-26 02:25:12 +09:00
h7x4 1cf956f37b skrott: disable thermald 2026-01-26 02:04:03 +09:00
h7x4 38a1d38c7f skrott: disable zfs, udisks2 2026-01-26 01:31:46 +09:00
h7x4 f1a6e47e67 skrott: disable smartd 2026-01-26 00:48:36 +09:00
h7x4 c061c5be0c base: re-enable mutableUsers (absolute state) 2026-01-26 00:25:20 +09:00
h7x4 08e3e1a287 README: add skrott to machine overview 2026-01-25 23:30:41 +09:00
h7x4 034f6540d9 secrets/skrott: add database password 2026-01-25 23:30:41 +09:00
h7x4 695fe48ba8 skrott: set gateway 2026-01-25 23:30:41 +09:00
h7x4 b37551209a flake.nix: bump dibbler 2026-01-25 22:54:52 +09:00
felixalb 19059b742e users/felixalb: update SSH keys 2026-01-25 13:17:39 +01:00
h7x4 e336c119a5 skrott: bump stateVersion 2026-01-25 21:08:28 +09:00
h7x4 52ac4ca775 skrott: update dibbler + config 2026-01-25 20:56:33 +09:00
Vegard Bieker Matthey 6b352507a3 Merge pull request 'gluttony: use grub as bootloader because of no uefi support' (!121) from gluttony-boot into main
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/121
2026-01-24 22:25:28 +01:00
Vegard Bieker Matthey 604b528dd3 use grub as bootloader because of no uefi support 2026-01-24 22:04:54 +01:00
h7x4 689d6582ae topology: fix ntnu gateway <-> knutsen connection network 2026-01-23 00:56:32 +09:00
h7x4 ccdaeaf4a3 topology: fix gluttony network interface 2026-01-23 00:51:30 +09:00
h7x4 72fdca4998 topology: more connections to powerpuff cluster 2026-01-23 00:50:16 +09:00
h7x4 9ccdeb6ac9 topology: fix new machines 2026-01-23 00:43:20 +09:00
h7x4 8072121b3c skrott: fix sops file location 2026-01-22 19:44:05 +09:00
h7x4 95f6463171 temmie: set up httpd 2026-01-22 19:41:52 +09:00
h7x4 39d3773a10 skrott: move networking config to values, add ipv6 address 2026-01-22 19:30:04 +09:00
h7x4 0e963f8cf0 gluttony: fix eval 2026-01-22 19:17:28 +09:00
h7x4 ba6c1c8205 temmie/nfs-mounts: generate systemd units ourselves 2026-01-22 19:10:30 +09:00
h7x4 1d47409d96 base: configure sops 2026-01-22 16:48:59 +09:00
h7x4 f7757d697d base: don't install dynamic loader stub 2026-01-22 16:13:36 +09:00
h7x4 9f43ea887e base: OOM early on nixos rebuilds 2026-01-22 16:13:20 +09:00
h7x4 5f94345a91 hosts/various: enable qemu guest agent, disable smartd for vms by default 2026-01-22 16:05:36 +09:00
h7x4 28baf322ce hosts/various: formatting, add consistent warnings to stateVersion 2026-01-22 15:57:12 +09:00
h7x4 12477aeb34 flake.nix: set default hostname for most nixos hosts 2026-01-22 15:49:50 +09:00
h7x4 e2d553af19 bikkje: set hostName 2026-01-22 15:49:50 +09:00
h7x4 89ea5b321a hosts/various: use systemd-boot as default bootloader 2026-01-22 15:49:50 +09:00
h7x4 3940f52760 hosts/various: remove empty environment.systemPackages lists 2026-01-22 15:45:43 +09:00
h7x4 e2f3c81ecd base: move package list to separate file 2026-01-22 15:35:18 +09:00
h7x4 a4c3aaa402 base: provide reasoning for packages, add a few new ones 2026-01-22 15:31:48 +09:00
h7x4 5714efc668 modules/grzegorz: override base certificate config 2026-01-22 15:10:50 +09:00
h7x4 d5199779a6 base: disable fontconfig by default 2026-01-22 14:57:00 +09:00
h7x4 ae3c7019ef base: disable hibernation and sleep 2026-01-22 14:54:35 +09:00
h7x4 73dc9306f1 base: no mutable users by default 2026-01-22 14:51:24 +09:00
h7x4 09d72305e2 base/nginx: return 444 on fqdn virtualHost by default 2026-01-21 23:17:47 +09:00
h7x4 2ace7b649f nix-topology: remove postgresql icon override 2026-01-21 14:56:41 +09:00
h7x4 7703a94b19 flake.lock: bump 2026-01-21 14:49:00 +09:00
h7x4 ebd40fc2d7 bekkalokk/well-known: reply to well-known for all domains 2026-01-21 14:47:31 +09:00
h7x4 9eb5cd869a bicep/element: fetch correct well-known file 2026-01-21 14:34:35 +09:00
h7x4 fa37f34028 packages/ooye: bump 2026-01-21 13:46:06 +09:00
h7x4 7111d00df8 modules/ooye: calm yo ass (set restart timer + counter) 2026-01-21 13:17:28 +09:00
h7x4 833a74a6fb bicep/matrix: remove some whitespace lol 2026-01-21 13:14:41 +09:00
h7x4 d82cc2e605 update and fix `packages.out-of-your-element` 2026-01-21 12:49:13 +09:00
h7x4 93cf6f4a63 bicep/sshguard: disable
sshguard doesn't actually work as it currently stands, also the builtin
PerSourcePenalty functionality in SSH is more aggressive than sshguard
is able to catch anyway. It might've been reasonable if we were using it
for anything other than SSH, but it doesn't seem like we are.
2026-01-21 11:13:27 +09:00
h7x4 0f11cca8ec bicep/matrix: use sops templates to render structured files 2026-01-21 11:08:26 +09:00
h7x4 d892acb331 bicep/matrix: have element-web source well-known from config 2026-01-21 10:49:09 +09:00
h7x4 aa07687a94 bicep/matrix: add synapse config to help with livekit 2026-01-21 10:48:37 +09:00
h7x4 e5dd5b6325 bicep/matrix: attempt to set up livekit 2026-01-21 10:14:08 +09:00
h7x4 75c52f63cc bicep/matrix: add module for adding stuff to well-known 2026-01-21 10:14:07 +09:00
Felix Albrigtsen 6b5c12a4b8 Merge pull request 'Fix the heccin quotes - mikrobel 2026' (!120) from fix-quotes into main
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/120
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
2026-01-20 09:43:33 +01:00
h7x4 633efc1a7d ildkule: unbreak eval 2026-01-20 17:12:25 +09:00
felixalb 14e2ed7e32 Fix the heccin quotes 2026-01-19 21:09:41 +01:00
Vegard Bieker Matthey 489551a8e2 hosts/gluttony: init (!119)
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/119
Reviewed-by: Felix Albrigtsen <felixalb@pvv.ntnu.no>
Co-authored-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>
Co-committed-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>
2026-01-19 17:39:01 +01:00
h7x4 5e5a7f1969 flake.lock: bump minecraft-kartverket 2026-01-19 00:18:06 +09:00
fredrik b933d19f91 bekkalokk/qotd: init 2026-01-17 22:11:37 +01:00
h7x4 60b6cd137f flake.lock: bump pvv-nettsiden 2026-01-17 16:55:20 +09:00
h7x4 3a0ea9c338 base/polkit: default to username if in group wheel 2026-01-17 03:59:55 +09:00
h7x4 d66aab1e61 flake.lock: bump minecraft-kartverket 2026-01-17 03:59:29 +09:00
h7x4 a9b1e11eea flake.lock: bump 2026-01-16 23:25:15 +09:00
h7x4 1fc3eb24cf flake.lock: bump minecraft-kartverket 2026-01-16 19:50:51 +09:00
121 changed files with 13350 additions and 23695 deletions
+6
@@ -23,3 +23,9 @@ Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lau
Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no> Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com> Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
Fredrik Robertsen <frero@pvv.ntnu.no> fredrik <fredrikr79@pm.me>
Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Matthey <VegardMatthey@protonmail.com>
Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Bieker Matthey <VegardMatthey@protonmail.com>
Albert Bayazidi <albertba@pvv.ntnu.no> Albert <albert.bayazidi@gmail.com>
+16
@@ -20,7 +20,9 @@ keys:
- &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9 - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
- &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
- &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
- &host_skrott age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8 - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
- &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
creation_rules: creation_rules:
# Global secrets # Global secrets
@@ -137,10 +139,24 @@ creation_rules:
- path_regex: secrets/skrott/[^/]+\.yaml$ - path_regex: secrets/skrott/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_skrott
- *user_danio - *user_danio
- *user_felixalb - *user_felixalb
- *user_pederbs_sopp - *user_pederbs_sopp
- *user_pederbs_nord - *user_pederbs_nord
- *user_pederbs_bjarte - *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
- path_regex: secrets/skrot/[^/]+\.yaml$
key_groups:
- age:
- *host_skrot
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp: pgp:
- *user_oysteikt - *user_oysteikt
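Review bot: the `secrets/skrott/` and `secrets/skrot/` creation rules now carry identical user recipient lists, which will drift the first time someone is added to one and not the other; a shared YAML anchor for the user group (the way `&host_*` anchors already name the hosts) keeps them in sync. Adding `*host_skrott`, `*host_skrot` and `*user_vegardbm` as recipients does not re-encrypt anything by itself: every matching secrets file needs `sops updatekeys` (commit 210f74dc59 in this range) before the new keys can decrypt it, and until that runs a host that only holds its new key fails to decrypt at activation.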
+2
@@ -43,6 +43,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
| [kommode][kom] | Virtual | Gitea + Gitea pages | | [kommode][kom] | Virtual | Gitea + Gitea pages |
| [lupine][lup] | Physical | Gitea CI/CD runners | | [lupine][lup] | Physical | Gitea CI/CD runners |
| shark | Virtual | Test host for authentication, absolutely horrendous | | shark | Virtual | Test host for authentication, absolutely horrendous |
| [skrot/skrott][skr] | Physical | Kiosk, snacks and soda |
| [wenche][wen] | Virtual | Nix-builders, general purpose compute | | [wenche][wen] | Virtual | Nix-builders, general purpose compute |
## Documentation ## Documentation
@@ -59,4 +60,5 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
[ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
[kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
[lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott
[wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche
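Review bot: style point on the `[skr]` reference: the target is `Maskiner/Skrott` with a capital letter while every neighbouring entry uses the lowercase machine name; `Maskiner/skrott` would match the surrounding convention. MediaWiki treats the first letter of a title case-insensitively by default, so this is cosmetic rather than a broken link.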
+17 -19
@@ -10,10 +10,12 @@
(fp /users) (fp /users)
(fp /modules/snakeoil-certs.nix) (fp /modules/snakeoil-certs.nix)
./flake-input-exporter.nix
./networking.nix ./networking.nix
./nix.nix ./nix.nix
./programs.nix
./sops.nix
./vm.nix ./vm.nix
./flake-input-exporter.nix
./services/acme.nix ./services/acme.nix
./services/auto-upgrade.nix ./services/auto-upgrade.nix
@@ -24,6 +26,7 @@
./services/logrotate.nix ./services/logrotate.nix
./services/nginx.nix ./services/nginx.nix
./services/openssh.nix ./services/openssh.nix
./services/polkit.nix
./services/postfix.nix ./services/postfix.nix
./services/prometheus-node-exporter.nix ./services/prometheus-node-exporter.nix
./services/prometheus-systemd-exporter.nix ./services/prometheus-systemd-exporter.nix
@@ -39,6 +42,9 @@
boot.tmp.cleanOnBoot = lib.mkDefault true; boot.tmp.cleanOnBoot = lib.mkDefault true;
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
boot.loader.systemd-boot.enable = lib.mkDefault true;
boot.loader.efi.canTouchEfiVariables = lib.mkDefault true;
time.timeZone = "Europe/Oslo"; time.timeZone = "Europe/Oslo";
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
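Review bot: `boot.loader.systemd-boot.enable = lib.mkDefault true` means a host that switches to GRUB (gluttony, per 604b528dd3 in this range) must also set `boot.loader.systemd-boot.enable = false` explicitly; `lib.mkDefault` only lowers priority and does not make the two loaders mutually exclusive, and having both enabled conflicts on `system.build.installBootLoader` at evaluation time. A one-line comment above these two defaults saying "non-UEFI hosts: disable this and enable grub" would save the next person that round trip.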
@@ -47,22 +53,8 @@
keyMap = "no"; keyMap = "no";
}; };
environment.systemPackages = with pkgs; [ # Don't install the /lib/ld-linux.so.2 stub
file environment.ldso32 = null;
git
gnupg
htop
nano
net-tools
ripgrep
rsync
screen
tmux
vim
wget
kitty.terminfo
];
# .bash_profile already works, but lets also use .bashrc like literally every other distro # .bash_profile already works, but lets also use .bashrc like literally every other distro
# https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION # https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
@@ -76,8 +68,6 @@
fi fi
''; '';
programs.zsh.enable = true;
# security.lockKernelModules = true; # security.lockKernelModules = true;
security.protectKernelImage = true; security.protectKernelImage = true;
security.sudo.execWheelOnly = true; security.sudo.execWheelOnly = true;
@@ -85,6 +75,14 @@
Defaults lecture = never Defaults lecture = never
''; '';
# These are servers, sleep is for the weak
systemd.sleep.extraConfig = lib.mkDefault ''
AllowSuspend=no
AllowHibernation=no
'';
# users.mutableUsers = lib.mkDefault false;
users.groups."drift".name = "drift"; users.groups."drift".name = "drift";
# Trusted users on the nix builder machines # Trusted users on the nix builder machines
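Review bot: `# users.mutableUsers = lib.mkDefault false;` is dead code with no in-file reason; either delete it or replace it with a comment explaining why declarative-only users were reverted (c061c5be0c gives "absolute state" as the reason, but that only lives in git history). Since leaving users mutable means accounts and passwords changed with `passwd`/`useradd` persist outside this repo, the reasoning belongs next to the line. The `systemd.sleep.extraConfig` block above it is fine; `lib.mkDefault` on the whole string lets a host override it in one go.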
+5
@@ -37,4 +37,9 @@
"unstable=${inputs.nixpkgs-unstable}" "unstable=${inputs.nixpkgs-unstable}"
]; ];
}; };
# Make builds to be more likely killed than important services.
# 100 is the default for user slices and 500 is systemd-coredumpd@
# We rather want a build to be killed than our precious user sessions as builds can be easily restarted.
systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = lib.mkDefault 250;
} }
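Review bot: wording in the new comment: "more likely to be killed" rather than "to be more likely killed", and the reference unit is `systemd-coredump@` (no trailing `d`). It is also worth stating in the comment that build processes forked by `nix-daemon` inherit its `oom_score_adj`, since that is what makes `OOMScoreAdjust = 250` hit the builds themselves rather than only the daemon.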
+68
@@ -0,0 +1,68 @@
{ pkgs, lib, ... }:
{
# We don't need fonts on headless machines
fonts.fontconfig.enable = lib.mkDefault false;
# Extra packags for better terminal emulator compatibility in SSH sessions
environment.enableAllTerminfo = true;
environment.systemPackages = with pkgs; [
# Debug dns outside resolvectl
dig
# Debug and find files
file
# Process json data
jq
# Check computer specs
lshw
# Check who is keeping open files
lsof
# Scan for open ports with netstat
net-tools
# Grep for files quickly
ripgrep
# Copy files over the network
rsync
# Access various state, often in /var/lib
sqlite-interactive
# Debug software which won't debug itself
strace
# Download files from the internet
wget
];
# Clone/push nix config and friends
programs.git.enable = true;
# Gitea gpg, oysteikt sops, etc.
programs.gnupg.agent.enable = true;
# Monitor the wellbeing of the machines
programs.htop.enable = true;
# Keep sessions running during work over SSH
programs.tmux.enable = true;
# Same reasoning as tmux
programs.screen.enable = true;
# Edit files on the system without resorting to joe(1)
programs.nano.enable = true;
# Same reasoning as nano
programs.vim.enable = true;
# Same reasoning as vim
programs.neovim.enable = true;
# Some people like this shell for some reason
programs.zsh.enable = true;
}
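Review bot: `packags` should be `packages` in the terminfo comment. Consistency point: `fonts.fontconfig.enable` uses `lib.mkDefault` while `environment.enableAllTerminfo` and all the `programs.*.enable` lines are set unconditionally; since this is the base module, `lib.mkDefault` throughout would let minimal hosts such as skrott opt out without `lib.mkForce` (several skrott commits in this range strip packages by hand). Note too that `programs.gnupg.agent.enable = true` does more than the old `gnupg` entry in `environment.systemPackages`: it also enables the gpg-agent user units for every login session, which is fine if intended but should be said in the comment.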
+2 -4
@@ -2,14 +2,12 @@
{ {
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = "drift@pvv.ntnu.no"; defaults.email = "acme-drift@pvv.ntnu.no";
}; };
# Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode: # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
virtualisation.vmVariant = { virtualisation.vmVariant = {
security.acme.defaults.server = "https://127.0.0.1"; security.acme.defaults.server = "https://127.0.0.1";
security.acme.preliminarySelfsigned = true;
users.users.root.initialPassword = "root"; users.users.root.initialPassword = "root";
}; };
} }
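Review bot: changing `defaults.email` changes the hash NixOS uses for the ACME account directory, so every host re-registers a fresh Let's Encrypt account at its next activation; stagger the rollout to stay under the new-registration rate limit and confirm that `acme-drift@pvv.ntnu.no` actually delivers expiry notices somewhere read. Removing `preliminarySelfsigned = true` from the vm variant is only a no-op because that is the module default; a short comment would preserve what the commit message ("remove deprecated argument") currently carries alone.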
+1 -1
@@ -28,7 +28,7 @@ in
# workaround for https://github.com/NixOS/nix/issues/6895 # workaround for https://github.com/NixOS/nix/issues/6895
# via https://git.lix.systems/lix-project/lix/issues/400 # via https://git.lix.systems/lix-project/lix/issues/400
environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) { environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) {
"current-system-flake-inputs.json".source "current-system-flake-inputs.json".source
= pkgs.writers.writeJSON "flake-inputs.json" ( = pkgs.writers.writeJSON "flake-inputs.json" (
lib.flip lib.mapAttrs inputs (name: input: lib.flip lib.mapAttrs inputs (name: input:
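Review bot: gating `current-system-flake-inputs.json` on `config.system.autoUpgrade.enable` is a behaviour change for anything else that reads the file; `./flake-input-exporter.nix` from the base imports is the obvious candidate and needs the same guard or a graceful fallback, otherwise hosts with auto-upgrade disabled (skrott, per c78c29aaa6) get a missing-file error instead of a clean absence. The condition `(!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable)` would also read better bound to a name in the existing `let` block.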
+33 -24
@@ -39,29 +39,38 @@
SystemCallFilter = lib.mkForce null; SystemCallFilter = lib.mkForce null;
}; };
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable { services.nginx.virtualHosts = lib.mkIf config.services.nginx.enable {
listen = [ "_" = {
{ listen = [
addr = "0.0.0.0"; {
extraParameters = [ addr = "0.0.0.0";
"default_server" extraParameters = [
# Seemingly the default value of net.core.somaxconn "default_server"
"backlog=4096" # Seemingly the default value of net.core.somaxconn
"deferred" "backlog=4096"
]; "deferred"
} ];
{ }
addr = "[::0]"; {
extraParameters = [ addr = "[::0]";
"default_server" extraParameters = [
"backlog=4096" "default_server"
"deferred" "backlog=4096"
]; "deferred"
} ];
]; }
sslCertificate = "/etc/certs/nginx.crt"; ];
sslCertificateKey = "/etc/certs/nginx.key"; sslCertificate = "/etc/certs/nginx.crt";
addSSL = true; sslCertificateKey = "/etc/certs/nginx.key";
extraConfig = "return 444;"; addSSL = true;
extraConfig = "return 444;";
};
${config.networking.fqdn} = {
sslCertificate = lib.mkDefault "/etc/certs/nginx.crt";
sslCertificateKey = lib.mkDefault "/etc/certs/nginx.key";
addSSL = lib.mkDefault true;
extraConfig = lib.mkDefault "return 444;";
};
}; };
} }
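Review bot: using `${config.networking.fqdn}` as an attribute name fails evaluation on any host that has `networking.hostName` but no `networking.domain`, because `networking.fqdn` is defined to throw in that case; `config.networking.fqdnOrHostName` falls back to the bare hostname and avoids that. The intent is sound: both the catch-all `_` and the machine's own name now answer `return 444`, so requests that reach the host by its FQDN get the connection dropped rather than landing on whichever vhost nginx picks, and the `lib.mkDefault`s on the fqdn block let a service module claim that name without `lib.mkForce`. Wrapping the whole `services.nginx.virtualHosts` in `lib.mkIf` is fine since mkIf attrsets merge with other definitions.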
+15
@@ -0,0 +1,15 @@
{ config, lib, ... }:
let
cfg = config.security.polkit;
in
{
security.polkit.enable = true;
environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
polkit.addAdminRule(function(action, subject) {
if(subject.isInGroup("wheel")) {
return ["unix-user:"+subject.user];
}
});
'';
}
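Review bot: confirm this rule actually takes precedence. polkit processes rules files in lexical order and the first admin rule that returns non-null wins; `9-nixos-overrides.rules` sorts after NixOS's own `10-nixos.rules` under plain string comparison (`"1" < "9"`), and that file already installs an admin rule from `security.polkit.adminIdentities`, so the override may never be consulted. Setting `security.polkit.adminIdentities` directly, or picking a name that sorts before `10-`, is more robust. Also, `security.polkit.enable = true` right above makes the `lib.mkIf cfg.enable` guard always true unless someone `mkForce`s it off; either drop the guard or use `lib.mkDefault true` so the guard means something. The rule itself is conservative: it is an admin rule, not an authorization rule, so wheel members still authenticate, just as themselves rather than as root.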
+3 -1
@@ -1,7 +1,9 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
services.smartd = { services.smartd = {
enable = lib.mkDefault true; # NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
# hosts with disk passthrough.
enable = lib.mkDefault (!config.services.qemuGuest.enable);
notifications = { notifications = {
mail = { mail = {
enable = true; enable = true;
+12
@@ -0,0 +1,12 @@
{ config, fp, lib, ... }:
{
sops.defaultSopsFile = let
secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
}
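Review bot: `generateKey = true` with `keyFile = "/var/lib/sops-nix/key.txt"` creates a second age identity on every host, but the recipients in `.sops.yaml` above are the `&host_*` keys derived from the host SSH key via `sshKeyPaths`, so the generated key decrypts nothing and is only one more private key file to protect and back up; drop `generateKey`/`keyFile` unless the generated public key is going to be added to the creation rules. The `builtins.pathExists` guard is a good touch: hosts without `secrets/<host>/<host>.yaml` simply get no default file, and the layout matches the `secrets/<host>/[^/]+\.yaml$` regexes in `.sops.yaml`.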
+1
@@ -11,5 +11,6 @@
}; };
config.virtualisation.vmVariant = { config.virtualisation.vmVariant = {
virtualisation.isVmVariant = true; virtualisation.isVmVariant = true;
virtualisation.graphics = false;
}; };
} }
+1 -1
@@ -151,7 +151,7 @@ is up to date, you can do the following:
```console ```console
# Fetch gpg (unless you have it already) # Fetch gpg (unless you have it already)
nix-shell -p gpg nix shell nixpkgs#gnupg
# Import oysteikts key to the gpg keychain # Import oysteikts key to the gpg keychain
gpg --import ./keys/oysteikt.pub gpg --import ./keys/oysteikt.pub
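Review bot: `nix shell nixpkgs#gnupg` requires the `nix-command` and `flakes` experimental features, which a contributor's own machine may not have enabled; a one-line hint, or keeping `nix-shell -p gnupg` as the fallback, avoids a confusing failure for the person following these steps. (The old `nix-shell -p gpg` attribute was also wrong, so the replacement is an improvement either way.)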
+59 -70
@@ -2,17 +2,16 @@
"nodes": { "nodes": {
"dibbler": { "dibbler": {
"inputs": { "inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1768138611, "lastModified": 1770133120,
"narHash": "sha256-KfZX6wpuwE2IRKLjh0DrEviE4f6kqLJWwKIE5QJSqa4=", "narHash": "sha256-RuAWONXb+U3omSsuIPCrPcgj0XYqv+2djG0cnPGEyKg=",
"ref": "main", "ref": "main",
"rev": "cb385097dcda5fb9772f903688d078b30a66ccd4", "rev": "3123b8b474319bc75ee780e0357dcdea69dc85e6",
"revCount": 221, "revCount": 244,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/dibbler.git" "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
}, },
@@ -61,23 +60,6 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"gergle": { "gergle": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -192,11 +174,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1768403146, "lastModified": 1769500363,
"narHash": "sha256-0uBkxuxlYdecwESmmITf8fi7G5IGpqX6LDNF/SMtmK8=", "narHash": "sha256-vFxmdsLBPdTy5j2bf54gbTQi1XnWbZDmeR/BBh8MFrw=",
"ref": "main", "ref": "main",
"rev": "1ca8495fa2b088c7220147ffabc80b4a611c2dcc", "rev": "2618e434e40e109eaab6a0693313c7e0de7324a3",
"revCount": 29, "revCount": 47,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git" "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
}, },
@@ -213,11 +195,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1767906352, "lastModified": 1770960722,
"narHash": "sha256-wYsH9MMAPFG3XTL+3DwI39XMG0F2fTmn/5lt265a3Es=", "narHash": "sha256-IdhPsWFZUKSJh/nLjGLJvGM5d5Uta+k1FlVYPxTZi0E=",
"ref": "main", "ref": "main",
"rev": "d054c5d064b8ed6d53a0adb0cf6c0a72febe212e", "rev": "c2e4aca7e1ba27cd09eeaeab47010d32a11841b2",
"revCount": 13, "revCount": 15,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git" "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
}, },
@@ -235,11 +217,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1768068512, "lastModified": 1769018862,
"narHash": "sha256-pH5wkcNOiXy4MBjDTe6A1gml+7m+ULC3lYMBPMqdS1w=", "narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=",
"owner": "oddlama", "owner": "oddlama",
"repo": "nix-topology", "repo": "nix-topology",
"rev": "4367a2093c5ff74fc478466aebf41d47ce0cacb4", "rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -251,11 +233,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1768455256, "lastModified": 1769724120,
"narHash": "sha256-SICycDVtn3ZeGlXftXZhzHvBE13OOGNfKY7M1wPN7Cg=", "narHash": "sha256-oQBM04hQk1kotfv4qmIG1tHmuwODd1+hqRJE5TELeCE=",
"rev": "0ac615ad4da024ace7fa5e0be5b01a3414c2295f", "rev": "8ec59ed5093c2a742d7744e9ecf58f358aa4a87d",
"type": "tarball", "type": "tarball",
"url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4038.0ac615ad4da0/nixexprs.tar.xz" "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4961.8ec59ed5093c/nixexprs.tar.xz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@@ -279,11 +261,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1768467226, "lastModified": 1769813739,
"narHash": "sha256-XPA6XxeUhpguND9N2iMoafbWxC4hlX/XyJT/nt0tJkk=", "narHash": "sha256-RmNWW1DQczvDwBHu11P0hGwJZxbngdoymVu7qkwq/2M=",
"rev": "0827ca4b685736d2de7f7b1f80f3be996514ef59", "rev": "16a3cae5c2487b1afa240e5f2c1811f172419558",
"type": "tarball", "type": "tarball",
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre928109.0827ca4b6857/nixexprs.tar.xz" "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre937548.16a3cae5c248/nixexprs.tar.xz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@@ -318,11 +300,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1768302565, "lastModified": 1769009806,
"narHash": "sha256-VoH5i72/8EP53ApaNKMZD2OgkEn79nPxuxhaP9dPfLA=", "narHash": "sha256-52xTtAOc9B+MBRMRZ8HI6ybNsRLMlHHLh+qwAbaJjRY=",
"ref": "main", "ref": "main",
"rev": "f3c13b1aee073a83238ef13aceccd7dfce13d1fa", "rev": "aa8adfc6a4d5b6222752e2d15d4a6d3b3b85252e",
"revCount": 570, "revCount": 575,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git" "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
}, },
@@ -332,6 +314,27 @@
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git" "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
} }
}, },
"qotd": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1768684204,
"narHash": "sha256-TErBiXxTRPUtZ/Mw8a5p+KCeGCFXa0o8fzwGoo75//Y=",
"ref": "main",
"rev": "a86f361bb8cfac3845b96d49fcbb2faea669844f",
"revCount": 11,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/qotd.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/qotd.git"
}
},
"root": { "root": {
"inputs": { "inputs": {
"dibbler": "dibbler", "dibbler": "dibbler",
@@ -348,6 +351,7 @@
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"pvv-calendar-bot": "pvv-calendar-bot", "pvv-calendar-bot": "pvv-calendar-bot",
"pvv-nettsiden": "pvv-nettsiden", "pvv-nettsiden": "pvv-nettsiden",
"qotd": "qotd",
"roowho2": "roowho2", "roowho2": "roowho2",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
@@ -360,11 +364,11 @@
"rust-overlay": "rust-overlay_3" "rust-overlay": "rust-overlay_3"
}, },
"locked": { "locked": {
"lastModified": 1768140181, "lastModified": 1769834595,
"narHash": "sha256-HfZzup5/jlu8X5vMUglTovVTSwhHGHwwV1YOFIL/ksA=", "narHash": "sha256-P1jrO7BxHyIKDuOXHuUb7bi4H2TuYnACW5eqf1gG47g=",
"ref": "main", "ref": "main",
"rev": "834463ed64773939798589ee6fd4adfe3a97dddd", "rev": "def4eec2d59a69b4638b3f25d6d713b703b2fa56",
"revCount": 43, "revCount": 49,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git" "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
}, },
@@ -424,11 +428,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1767322002, "lastModified": 1769309768,
"narHash": "sha256-yHKXXw2OWfIFsyTjduB4EyFwR0SYYF0hK8xI9z4NIn0=", "narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "03c6e38661c02a27ca006a284813afdc461e9f7e", "rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -444,11 +448,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1768481291, "lastModified": 1769469829,
"narHash": "sha256-NjKtkJraCZEnLHAJxLTI+BfdU//9coAz9p5TqveZwPU=", "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "e085e303dfcce21adcb5fec535d65aacb066f101", "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -457,21 +461,6 @@
"repo": "sops-nix", "repo": "sops-nix",
"type": "github" "type": "github"
} }
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",
+109 -48
View File
@@ -44,6 +44,9 @@
minecraft-kartverket.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git?ref=main"; minecraft-kartverket.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git?ref=main";
minecraft-kartverket.inputs.nixpkgs.follows = "nixpkgs"; minecraft-kartverket.inputs.nixpkgs.follows = "nixpkgs";
qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main";
qotd.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs: outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -66,50 +69,32 @@
in { in {
inputs = lib.mapAttrs (_: src: src.outPath) inputs; inputs = lib.mapAttrs (_: src: src.outPath) inputs;
pkgs = forAllSystems (system: pkgs = forAllSystems (system: import nixpkgs {
import nixpkgs { inherit system;
inherit system; config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
[ "nvidia-x11"
"nvidia-x11" "nvidia-settings"
"nvidia-settings" ];
]; });
});
nixosConfigurations = let nixosConfigurations = let
unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
nixosConfig = nixosConfig =
nixpkgs: nixpkgs:
name: name:
configurationPath: configurationPath:
extraArgs@{ extraArgs@{
system ? "x86_64-linux", localSystem ? "x86_64-linux", # buildPlatform
crossSystem ? "x86_64-linux", # hostPlatform
specialArgs ? { }, specialArgs ? { },
modules ? [ ], modules ? [ ],
overlays ? [ ], overlays ? [ ],
enableDefaults ? true, enableDefaults ? true,
... ...
}: }:
lib.nixosSystem (lib.recursiveUpdate let
{ commonPkgsConfig = {
inherit system; inherit localSystem crossSystem;
specialArgs = {
inherit unstablePkgs inputs;
values = import ./values.nix;
fp = path: ./${path};
} // specialArgs;
modules = [
configurationPath
] ++ (lib.optionals enableDefaults [
sops-nix.nixosModules.sops
inputs.roowho2.nixosModules.default
]) ++ modules;
pkgs = import nixpkgs {
inherit system;
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
[ [
"nvidia-x11" "nvidia-x11"
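Review bot: `crossSystem ? "x86_64-linux"` gives crossSystem a concrete default instead of leaving it unset, so every host in this flake, not only skrott, is now evaluated as a `localSystem`/`crossSystem` pair. nixpkgs collapses an equal pair into a native build, so nothing is actually cross-compiled for the x86_64 hosts, but the `# buildPlatform` / `# hostPlatform` comments do not say that. Suggest `crossSystem ? localSystem, # hostPlatform; equal to localSystem means a native build` so the next reader does not assume the stable hosts are being cross-built, and a short note that `nixosConfig` keys on this pair when it later sets `system = crossSystem`.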
@@ -120,9 +105,36 @@
inputs.roowho2.overlays.default inputs.roowho2.overlays.default
]) ++ overlays; ]) ++ overlays;
}; };
pkgs = import nixpkgs commonPkgsConfig;
unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
in
lib.nixosSystem (lib.recursiveUpdate
{
system = crossSystem;
inherit pkgs;
specialArgs = {
inherit inputs unstablePkgs;
values = import ./values.nix;
fp = path: ./${path};
} // specialArgs;
modules = [
{
networking.hostName = lib.mkDefault name;
}
configurationPath
] ++ (lib.optionals enableDefaults [
sops-nix.nixosModules.sops
inputs.roowho2.nixosModules.default
self.nixosModules.rsync-pull-targets
]) ++ modules;
} }
(builtins.removeAttrs extraArgs [ (builtins.removeAttrs extraArgs [
"system" "localSystem"
"crossSystem"
"modules" "modules"
"overlays" "overlays"
"specialArgs" "specialArgs"
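Review bot: `unstablePkgs = import nixpkgs-unstable commonPkgsConfig;` changes what `unstablePkgs` means: it used to be the plain `nixpkgs-unstable.legacyPackages.x86_64-linux`, and it now carries the same `overlays` and `allowUnfreePredicate` as the stable set and follows `localSystem`/`crossSystem`. That is what every `specialArgs` consumer of `unstablePkgs` now gets (e.g. `package = unstablePkgs.matrix-hookshot;` in the hookshot service), and any overlay that itself reads from `unstablePkgs` will now be evaluated against an overlaid unstable and can recurse. Worth a one-line comment next to the two `import ... commonPkgsConfig` lines stating that both package sets share the overlays, and a commit-message note for the hosts whose unstable packages were previously un-overlaid.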
@@ -135,7 +147,7 @@
in { in {
bakke = stableNixosConfig "bakke" { bakke = stableNixosConfig "bakke" {
modules = [ modules = [
disko.nixosModules.disko inputs.disko.nixosModules.disko
]; ];
}; };
bicep = stableNixosConfig "bicep" { bicep = stableNixosConfig "bicep" {
@@ -157,23 +169,33 @@
bekkalokk = stableNixosConfig "bekkalokk" { bekkalokk = stableNixosConfig "bekkalokk" {
overlays = [ overlays = [
(final: prev: { (final: prev: {
heimdal = unstablePkgs.heimdal;
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { }; mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
simplesamlphp = final.callPackage ./packages/simplesamlphp { }; simplesamlphp = final.callPackage ./packages/simplesamlphp { };
simplesamlphptheme = final.callPackage ./packages/simplesamlphptheme { };
bluemap = final.callPackage ./packages/bluemap.nix { }; bluemap = final.callPackage ./packages/bluemap.nix { };
}) })
inputs.pvv-nettsiden.overlays.default inputs.pvv-nettsiden.overlays.default
inputs.qotd.overlays.default
]; ];
modules = [ modules = [
inputs.pvv-nettsiden.nixosModules.default inputs.pvv-nettsiden.nixosModules.default
self.nixosModules.bluemap self.nixosModules.bluemap
inputs.qotd.nixosModules.default
]; ];
}; };
ildkule = stableNixosConfig "ildkule" { }; ildkule = stableNixosConfig "ildkule" { };
#ildkule-unstable = unstableNixosConfig "ildkule" { }; #ildkule-unstable = unstableNixosConfig "ildkule" { };
skrot = stableNixosConfig "skrot" {
modules = [
inputs.disko.nixosModules.disko
inputs.dibbler.nixosModules.default
];
overlays = [inputs.dibbler.overlays.default];
};
shark = stableNixosConfig "shark" { }; shark = stableNixosConfig "shark" { };
wenche = stableNixosConfig "wenche" { }; wenche = stableNixosConfig "wenche" { };
temmie = stableNixosConfig "temmie" { }; temmie = stableNixosConfig "temmie" { };
gluttony = stableNixosConfig "gluttony" { };
kommode = stableNixosConfig "kommode" { kommode = stableNixosConfig "kommode" {
overlays = [ overlays = [
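Review bot: the `heimdal = unstablePkgs.heimdal;` override is dropped from the bekkalokk overlay with no replacement, so bekkalokk's Kerberos stack moves from unstable heimdal to the stable one. If that is deliberate (keeping it would now recurse, since `unstablePkgs` is built with the same overlays), say so in the commit message; if it is not, the override has to be expressed against an un-overlaid unstable. Separately, `simplesamlphptheme = final.callPackage ./packages/simplesamlphptheme { };` is only defined here, and the only consumer visible in this diff (the `modules/ssp-theme` line in the simplesamlphp package) is commented out, so the new package is defined but not referenced by anything that gets built.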
@@ -181,6 +203,7 @@
]; ];
modules = [ modules = [
inputs.nix-gitea-themes.nixosModules.default inputs.nix-gitea-themes.nixosModules.default
inputs.disko.nixosModules.disko
]; ];
}; };
@@ -212,17 +235,39 @@
inputs.gergle.overlays.default inputs.gergle.overlays.default
]; ];
}; };
skrott = stableNixosConfig "skrott" { }
system = "aarch64-linux"; //
(let
skrottConfig = {
modules = [ modules = [
(nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix") (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
inputs.dibbler.nixosModules.default inputs.dibbler.nixosModules.default
]; ];
overlays = [ overlays = [
inputs.dibbler.overlays.default inputs.dibbler.overlays.default
(final: prev: {
# NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
atool = prev.emptyDirectory;
micro = prev.emptyDirectory;
ncdu = prev.emptyDirectory;
})
]; ];
}; };
} in {
skrott = self.nixosConfigurations.skrott-native;
skrott-native = stableNixosConfig "skrott" (skrottConfig // {
localSystem = "aarch64-linux";
crossSystem = "aarch64-linux";
});
skrott-cross = stableNixosConfig "skrott" (skrottConfig // {
localSystem = "x86_64-linux";
crossSystem = "aarch64-linux";
});
skrott-x86_64 = stableNixosConfig "skrott" (skrottConfig // {
localSystem = "x86_64-linux";
crossSystem = "x86_64-linux";
});
})
// //
(let (let
machineNames = map (i: "lupine-${toString i}") (lib.range 1 5); machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
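Review bot: `atool = prev.emptyDirectory;` (and `micro`, `ncdu`) does not remove those packages, it replaces them with empty store paths that are still visible as `pkgs.atool` etc. Anything that interpolates `${pkgs.ncdu}/bin/ncdu` into a unit or script will evaluate fine and fail only at runtime on the Pi. Because the overlay lives in `skrottConfig`, it applies to `skrott-native` and `skrott-x86_64` too, not only to `skrott-cross`, so even the native image silently lacks those tools. Consider dropping them from `environment.systemPackages` under `lib.mkIf (pkgs.stdenv.buildPlatform != pkgs.stdenv.hostPlatform)` instead, and replace `NOTE: Yeetus` with a comment on which of the three fails to cross-compile and why, so the workaround can be removed when it no longer applies.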
@@ -235,15 +280,25 @@
nixosModules = { nixosModules = {
bluemap = ./modules/bluemap.nix; bluemap = ./modules/bluemap.nix;
snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix;
robots-txt = ./modules/robots-txt.nix;
gickup = ./modules/gickup; gickup = ./modules/gickup;
matrix-ooye = ./modules/matrix-ooye.nix; matrix-ooye = ./modules/matrix-ooye.nix;
robots-txt = ./modules/robots-txt.nix;
rsync-pull-targets = ./modules/rsync-pull-targets.nix;
snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix;
}; };
devShells = forAllSystems (system: { devShells = forAllSystems (system: {
default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { }; default = let
pkgs = import nixpkgs-unstable {
inherit system;
overlays = [
(final: prev: {
inherit (inputs.disko.packages.${system}) disko;
})
];
};
in pkgs.callPackage ./shell.nix { };
cuda = let cuda = let
cuda-pkgs = import nixpkgs-unstable { cuda-pkgs = import nixpkgs-unstable {
inherit system; inherit system;
@@ -257,19 +312,20 @@
packages = { packages = {
"x86_64-linux" = let "x86_64-linux" = let
pkgs = nixpkgs.legacyPackages."x86_64-linux"; system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system};
in rec { in rec {
default = important-machines; default = important-machines;
important-machines = pkgs.linkFarm "important-machines" important-machines = pkgs.linkFarm "important-machines"
(lib.getAttrs importantMachines self.packages.x86_64-linux); (lib.getAttrs importantMachines self.packages.${system});
all-machines = pkgs.linkFarm "all-machines" all-machines = pkgs.linkFarm "all-machines"
(lib.getAttrs allMachines self.packages.x86_64-linux); (lib.getAttrs allMachines self.packages.${system});
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { }; simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
bluemap = pkgs.callPackage ./packages/bluemap.nix { }; bluemap = pkgs.callPackage ./packages/bluemap.nix { };
out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { }; out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
} }
// //
# Mediawiki extensions # Mediawiki extensions
@@ -285,18 +341,23 @@
// //
# Skrott is exception # Skrott is exception
{ {
skrott = self.nixosConfigurations.skrott.config.system.build.sdImage; skrott = self.packages.${system}.skrott-native-sd;
skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
} }
// //
# Nix-topology # Nix-topology
(let (let
topology' = import inputs.nix-topology { topology' = import inputs.nix-topology {
pkgs = import nixpkgs { pkgs = import nixpkgs {
system = "x86_64-linux"; inherit system;
overlays = [ overlays = [
inputs.nix-topology.overlays.default inputs.nix-topology.overlays.default
(final: prev: { (final: prev: {
inherit (nixpkgs-unstable.legacyPackages.x86_64-linux) super-tiny-icons; inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
}) })
]; ];
}; };
+2 -9
View File
@@ -6,20 +6,13 @@
./filesystems.nix ./filesystems.nix
]; ];
sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "bakke";
networking.hostId = "99609ffc"; networking.hostId = "99609ffc";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // { systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0"; matchConfig.Name = "enp2s0";
address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ]; address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
}; };
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "24.05"; system.stateVersion = "24.05";
} }
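Review bot: `sops.defaultSopsFile`, `sops.age.sshKeyPaths`, `sops.age.keyFile`, `sops.age.generateKey`, both `boot.loader.*` lines and `networking.hostName` are removed from the host file with no replacement visible in this diff. `networking.hostName` is covered by the `lib.mkDefault name` that flake.nix now injects, but the sops settings decide which host key can decrypt `secrets/bakke/bakke.yaml` and the bootloader settings are painful to recover from if they are simply gone. If these moved into a shared module that every host imports, the commit message should point at it, and that module must resolve `defaultSopsFile` to the per-host file (not one shared file) or every host can read every other host's secrets. If they have not moved, this host boots without a bootloader configuration and without sops.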
+4 -4
View File
@@ -1,17 +1,17 @@
{ config, pkgs, lib, ... }: { pkgs,... }:
{ {
# Boot drives: # Boot drives:
boot.swraid.enable = true; boot.swraid.enable = true;
# ZFS Data pool: # ZFS Data pool:
environment.systemPackages = with pkgs; [ zfs ];
boot = { boot = {
zfs = { zfs = {
extraPools = [ "tank" ]; extraPools = [ "tank" ];
requestEncryptionCredentials = false; requestEncryptionCredentials = false;
}; };
supportedFilesystems = [ "zfs" ]; supportedFilesystems.zfs = true;
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; # Use stable linux packages, these work with zfs
kernelPackages = pkgs.linuxPackages;
}; };
services.zfs.autoScrub = { services.zfs.autoScrub = {
enable = true; enable = true;
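Review bot: style: `{ pkgs,... }:` is missing the space after the comma (`{ pkgs, ... }:`). The comment `# Use stable linux packages, these work with zfs` should say why the previous expression went away: `boot.zfs.package.latestCompatibleLinuxPackages` no longer exists in nixpkgs, which is the real reason for the change, and without that note someone will reintroduce it. `pkgs.linuxPackages` is also the NixOS default, so the assignment is a no-op unless another module sets `kernelPackages`; keeping it is fine as documentation of intent, but the comment should say that is what it is.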
+1 -1
View File
@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
+3 -12
View File
@@ -16,18 +16,9 @@
./services/webmail ./services/webmail
./services/website ./services/website
./services/well-known ./services/well-known
./services/qotd
]; ];
sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "bekkalokk";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // { systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0"; matchConfig.Name = "enp2s0";
address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ]; address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -35,7 +26,7 @@
services.btrfs.autoScrub.enable = true; services.btrfs.autoScrub.enable = true;
# Do not change, even during upgrades. # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11"; system.stateVersion = "25.11";
} }
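Review bot: `system.stateVersion` changes from "22.11" to "25.11" on a host that has been running this config since 22.11, directly under the comment that says not to change it. stateVersion gates compatibility defaults for stateful services (database package versions, data-directory layouts, default user/group IDs), and bumping it on an existing machine can switch a service to a newer default that cannot read the on-disk state. If the goal is only to silence a warning, keep "22.11"; if bekkalokk was reinstalled from scratch, say so in the commit message so the change is reviewable.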
+1 -1
View File
@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
@@ -858,7 +858,11 @@ $config = [
/* /*
* Which theme directory should be used? * Which theme directory should be used?
*/ */
'theme.use' => 'default', 'module.enable' => [
'pvv' => TRUE,
],
'theme.use' => 'ssp-theme:pvv',
/* /*
* Set this option to the text you would like to appear at the header of each page. Set to false if you don't want * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want
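Review bot: the module name does not match between the two new settings: `'module.enable' => ['pvv' => TRUE]` enables a module called `pvv`, while `'theme.use' => 'ssp-theme:pvv'` asks for theme `pvv` inside module `ssp-theme` (SimpleSAMLphp's `theme.use` is `<module>:<theme>`), and the package hunk later in this diff installs the files under `modules/ssp-theme`. The entry to enable is `'ssp-theme' => true`. Second, if this config.php is the stock template it already declares `module.enable` earlier in the same `$config` array; a repeated key in a PHP array literal silently replaces the earlier value, which would drop whatever that entry enabled. Merge the theme module into the existing `module.enable` array instead of adding a second key next to `theme.use`.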
@@ -97,6 +97,7 @@ let
''; '';
"modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php; "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
#"modules/ssp-theme" = pkgs.simplesamlphptheme;
}; };
}; };
in in
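Review bot: `#"modules/ssp-theme" = pkgs.simplesamlphptheme;` is commented out, so nothing in this diff actually copies the theme into the SimpleSAMLphp tree, while config.php now sets `theme.use` to `ssp-theme:pvv`. SimpleSAMLphp resolves the theme when it renders a page, and a `theme.use` pointing at a module that is not installed or not enabled surfaces as an error on the login page rather than a fallback to `default`, so test the IdP login page before merging, or revert `theme.use` until the line is live. Also note that `pkgs.simplesamlphptheme` only exists through the bekkalokk overlay; `packages.x86_64-linux.simplesamlphp` in flake.nix calls this package from an un-overlaid `pkgs`, so uncommenting the line requires either passing the theme as an explicit argument or defining it in that package set as well.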
+58 -4
View File
@@ -1,4 +1,4 @@
{ pkgs, lib, fp, config, values, pkgs-unstable, ... }: let { pkgs, lib, fp, config, values, ... }: let
cfg = config.services.mediawiki; cfg = config.services.mediawiki;
# "mediawiki" # "mediawiki"
@@ -34,6 +34,7 @@ in {
services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ]; services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
sops.secrets = lib.pipe [ sops.secrets = lib.pipe [
"mediawiki/secret-key"
"mediawiki/password" "mediawiki/password"
"mediawiki/postgres_password" "mediawiki/postgres_password"
"mediawiki/simplesamlphp/postgres_password" "mediawiki/simplesamlphp/postgres_password"
@@ -48,6 +49,23 @@ in {
lib.listToAttrs lib.listToAttrs
]; ];
services.rsync-pull-targets = {
enable = true;
locations.${cfg.uploadsDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHFHa3Iq1oKPhbKCAIHgOoWOTkLmIc7yqxeTbut7ig/ mediawiki rsync backup";
};
};
services.mediawiki = { services.mediawiki = {
enable = true; enable = true;
name = "Programvareverkstedet"; name = "Programvareverkstedet";
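Review bot: `user = "root"` means the backup key from principal logs in as root on this host, with only the `command=rrsync -ro <dir>` wrapper plus `restrict` and `from=` standing between that key and a root shell. rrsync is a script that parses untrusted rsync arguments; a bug there, or a leaked key on principal, becomes root here. The uploads directory has to be readable by the mediawiki user for the wiki to work, so a dedicated unprivileged backup account with read access through the `mediawiki` group is enough for a read-only pull. The same pattern is repeated for the vaultwarden and snappymail targets in this diff, so the right place to fix it is the default `user` in `modules/rsync-pull-targets.nix`. The `from=` restriction is a good addition and should stay; since it lists the IPs alongside the hostname it does not depend on reverse DNS.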
@@ -144,6 +162,24 @@ in {
$wgDBserver = "${toString cfg.database.host}"; $wgDBserver = "${toString cfg.database.host}";
$wgAllowCopyUploads = true; $wgAllowCopyUploads = true;
# Files
$wgFileExtensions = [
'bmp',
'gif',
'jpeg',
'jpg',
'mp3',
'odg',
'odp',
'ods',
'odt',
'pdf',
'png',
'tiff',
'webm',
'webp',
];
# Misc program paths # Misc program paths
$wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg'; $wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
$wgExiftool = '${pkgs.exiftool}/bin/exiftool'; $wgExiftool = '${pkgs.exiftool}/bin/exiftool';
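Review bot: an explicit `$wgFileExtensions` allow-list is the right shape, and leaving `svg` out is the correct call (SVG can carry script and MediaWiki only sanitises it when rasterising). Add a short comment saying `svg` is excluded on purpose so it is not re-added casually. Since `$wgAllowCopyUploads = true;` directly above stays enabled, the wiki fetches upload URLs server-side; if `$wgCopyUploadsDomains` is not restricted elsewhere, that fetch can be pointed at internal addresses, so it is worth pairing the new allow-list with a domain allow-list for copy uploads.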
@@ -179,15 +215,15 @@ in {
# Cache directory for simplesamlphp # Cache directory for simplesamlphp
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp"; # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = { systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable {
user = "mediawiki"; user = "mediawiki";
group = "mediawiki"; group = "mediawiki";
mode = "0770"; mode = "0770";
}; };
users.groups.mediawiki.members = [ "nginx" ]; users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ];
services.nginx.virtualHosts."wiki.pvv.ntnu.no" = { services.nginx.virtualHosts."wiki.pvv.ntnu.no" = lib.mkIf cfg.enable {
kTLS = true; kTLS = true;
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@@ -233,4 +269,22 @@ in {
}; };
}; };
systemd.services.mediawiki-init = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ];
serviceConfig = {
BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
UMask = lib.mkForce "0007";
};
};
systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ];
serviceConfig = {
BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
UMask = lib.mkForce "0007";
};
};
} }
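Review bot: `BindReadOnlyPaths` maps the loaded credential over `/var/lib/mediawiki/secret.key`, which is the file the NixOS mediawiki module otherwise generates in `mediawiki-init` on first start. On a fresh host that file does not exist before the bind is attempted, and the same override is now applied to `mediawiki-init` itself, so please verify on a clean deploy that systemd creates the file-on-file mount point (a failed `BindReadOnlyPaths` aborts the unit) rather than assuming it from an already-initialised host. `after = [ "sops-install-secrets.service" ]` only orders the units; add `wants = [ ... ]` as well so the secret path exists when `LoadCredential` reads it. A one-line comment on why the key is now sops-managed (shared between the two units, survives reinstall) and why `UMask` is forced to `0007` would help the next reader.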
@@ -0,0 +1,6 @@
{
services.qotd = {
enable = true;
quotes = builtins.fromJSON (builtins.readFile ./quotes.json);
};
}
@@ -0,0 +1 @@
["quote 1", "quote 2"]
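Review bot: `["quote 1", "quote 2"]` reads as a placeholder rather than the real quote list, and `services.qotd.enable = true;` in the module above serves whatever is in this file. Either commit the actual quotes or keep the service disabled until they land, so the placeholder does not go live on bekkalokk.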
+18 -1
View File
@@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, values, ... }:
let let
cfg = config.services.vaultwarden; cfg = config.services.vaultwarden;
domain = "pw.pvv.ntnu.no"; domain = "pw.pvv.ntnu.no";
@@ -99,4 +99,21 @@ in {
]; ];
}; };
}; };
services.rsync-pull-targets = {
enable = true;
locations."/var/lib/vaultwarden" = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2cDaW52gBtLVaNqoGijvN2ZAVkAWlII5AXUzT3Dswj vaultwarden rsync backup";
};
};
} }
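Review bot: pulling `/var/lib/vaultwarden` with plain rsync copies the live SQLite database (and its WAL/journal files) mid-write, so the copy can be inconsistent and fail to open on restore. Take a consistent snapshot first (`sqlite3 db.sqlite3 ".backup '<staging>/db.sqlite3'"` or an application-level backup into a staging directory) and point `locations` at the staging directory instead of the live state dir. The directory also contains `rsa_key.pem`, the key vaultwarden signs session tokens with, and every attachment; whoever holds the backup can mint valid sessions, so principal needs the same protection as this host. And as with the mediawiki target, `user = "root"` makes the backup key a root login guarded only by rrsync.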
@@ -1,4 +1,4 @@
{ config, lib, fp, pkgs, ... }: { config, lib, fp, pkgs, values, ... }:
let let
cfg = config.services.snappymail; cfg = config.services.snappymail;
in { in {
@@ -14,5 +14,21 @@ in {
enableACME = true; enableACME = true;
kTLS = true; kTLS = true;
}; };
}
services.rsync-pull-targets = {
enable = true;
locations.${cfg.dataDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJENMnuNsHEeA91oX+cj7Qpex2defSXP/lxznxCAqV03 snappymail rsync backup";
};
};
}
@@ -1,15 +1,30 @@
{ pkgs, lib, config, ... }: { pkgs, lib, config, values, ... }:
let let
galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR; galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer"; transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
in { in {
users.users.${config.services.pvv-nettsiden.user} = { users.users.${config.services.pvv-nettsiden.user} = {
# NOTE: the user unfortunately needs a registered shell for rrsync to function...
# is there anything we can do to remove this?
useDefaultShell = true; useDefaultShell = true;
};
# This is pushed from microbel:/var/www/www-gallery/build-gallery.sh # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
openssh.authorizedKeys.keys = [ services.rsync-pull-targets = {
''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish'' enable = true;
]; locations.${transferDir} = {
user = config.services.pvv-nettsiden.user;
rrsyncArgs.wo = true;
authorizedKeysAttrs = [
"restrict"
"from=\"microbel.pvv.ntnu.no,${values.hosts.microbel.ipv6},${values.hosts.microbel.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish";
};
}; };
systemd.paths.pvv-nettsiden-gallery-update = { systemd.paths.pvv-nettsiden-gallery-update = {
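Review bot: on the open question in the `useDefaultShell` comment: sshd always executes a `command=` forced command through the account's login shell (`$SHELL -c '<command>'`), so an account with `nologin` or `/bin/false` cannot run rrsync no matter how the key is restricted; the shell requirement is inherent to forced commands, not to rrsync. What bounds the damage is what this hunk already does: `restrict`, the new `from=` clause, and rrsync `-wo` confined to `transferDir`. Suggest replacing the question with that explanation. Moving the key into `rsync-pull-targets` also changes the wording from an explicit `${pkgs.rrsync}/bin/rrsync -wo ${transferDir}` to `rrsyncArgs.wo = true`; confirm the module renders `-wo` (write-only) and not a read-only default, since a read-only target would silently break the gallery push from microbel.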
+21 -14
View File
@@ -1,18 +1,25 @@
{ ... }: { lib, ... }:
{ {
services.nginx.virtualHosts."www.pvv.ntnu.no".locations = { services.nginx.virtualHosts = lib.genAttrs [
"^~ /.well-known/" = { "pvv.ntnu.no"
alias = (toString ./root) + "/"; "www.pvv.ntnu.no"
}; "pvv.org"
"www.pvv.org"
] (_: {
locations = {
"^~ /.well-known/" = {
alias = (toString ./root) + "/";
};
# Proxy the matrix well-known files # Proxy the matrix well-known files
# Host has be set before proxy_pass # Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place # The header must be set so nginx on the other side routes it to the right place
"^~ /.well-known/matrix/" = { "^~ /.well-known/matrix/" = {
extraConfig = '' extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no; proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/; proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
''; '';
};
}; };
}; });
} }
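Review bot: the four vhosts produced by `lib.genAttrs` only receive `locations`; `pvv.org` and `www.pvv.org` are not configured anywhere else in this diff, so unless another module declares `enableACME`/`forceSSL` for them they are served as plain HTTP. Matrix clients and servers fetch `/.well-known/matrix/*` over HTTPS, and security.txt is expected at the https origin (RFC 9116), so a plain-HTTP vhost adds nothing. Either set `enableACME = true; forceSSL = true;` inside the `genAttrs` body or limit the list to the hostnames that are served over TLS. Also `proxy_pass https://matrix.pvv.ntnu.no/...` now runs for every hostname in the list, so the matrix host receives well-known traffic for all four names; that is fine as long as the well-known contents are identical for them.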
@@ -6,7 +6,11 @@ Contact: mailto:cert@pvv.ntnu.no
Preferred-Languages: no, en Preferred-Languages: no, en
Expires: 2032-12-31T23:59:59.000Z Expires: 2032-12-31T23:59:59.000Z
# This file was last updated 2024-09-14. # This file was last updated 2026-02-27.
# You can find a wikipage for our security policies at: # You can find a wikipage for our security policies at:
# https://wiki.pvv.ntnu.no/wiki/CERT # https://wiki.pvv.ntnu.no/wiki/CERT
# Please note that we are a student organization, and unfortunately we do not
# have a bug bounty program or offer monetary compensation for disclosure of
# security vulnerabilities.
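Review bot: the `last updated` comment moves to 2026-02-27, but `Expires: 2032-12-31T23:59:59.000Z` is left as is. RFC 9116 recommends an Expires value less than a year in the future, and scanners flag a policy that is dated years out as stale; bumping Expires to roughly a year ahead each time the file is touched is the reason the date comment exists. The added paragraph about having no bug bounty is useful to researchers and belongs here.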
+4 -22
View File
@@ -9,22 +9,12 @@
./services/calendar-bot.nix ./services/calendar-bot.nix
#./services/git-mirrors #./services/git-mirrors
./services/minecraft-heatmap.nix ./services/minecraft-heatmap.nix
./services/mysql.nix ./services/mysql
./services/postgres.nix ./services/postgresql
./services/matrix ./services/matrix
]; ];
sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "bicep";
#systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // { #systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
#matchConfig.Name = "enp6s0f0"; #matchConfig.Name = "enp6s0f0";
@@ -36,17 +26,9 @@
anyInterface = true; anyInterface = true;
}; };
# There are no smart devices
services.smartd.enable = false;
# we are a vm now
services.qemuGuest.enable = true; services.qemuGuest.enable = true;
# Enable the OpenSSH daemon. # Don't change (even during upgrades) unless you know what you are doing.
services.openssh.enable = true;
services.sshguard.enable = true;
# Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11"; system.stateVersion = "25.11";
} }
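Review bot: `services.openssh.enable = true;` and `services.sshguard.enable = true;` are removed together with the sops and bootloader settings, and `system.stateVersion` jumps from "22.11" to "25.11" on a VM that has run this config since 22.11. If openssh has not moved into a shared module that bicep imports, the next `nixos-rebuild switch` disables sshd on a remote VM that also hosts the mysql and postgresql services imported above, which is a lockout. stateVersion also gates stateful defaults (the default `services.postgresql.package` in particular), so bumping it on a database host risks pointing the service at a version that cannot open the existing data directory unless the package is pinned in `./services/postgresql`; keep "22.11" unless the host was reinstalled. Dropping `services.smartd.enable = false` is fine since smartd is off by default, but the `# we are a vm now` context is worth keeping as the reason.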
+1 -1
View File
@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
+10 -8
View File
@@ -1,13 +1,6 @@
{ config, lib, fp, pkgs, secrets, values, ... }: { config, lib, fp, pkgs, secrets, values, ... }:
{ {
sops.secrets."matrix/synapse/turnconfig" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "synapse/turnconfig";
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
restartUnits = [ "coturn.service" ];
};
sops.secrets."matrix/coturn/static-auth-secret" = { sops.secrets."matrix/coturn/static-auth-secret" = {
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "coturn/static-auth-secret"; key = "coturn/static-auth-secret";
@@ -16,9 +9,18 @@
restartUnits = [ "coturn.service" ]; restartUnits = [ "coturn.service" ];
}; };
sops.templates."matrix-synapse-turnconfig" = {
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
content = ''
turn_shared_secret: ${config.sops.placeholder."matrix/coturn/static-auth-secret"}
'';
restartUnits = [ "matrix-synapse.target" ];
};
services.matrix-synapse-next = { services.matrix-synapse-next = {
extraConfigFiles = [ extraConfigFiles = [
config.sops.secrets."matrix/synapse/turnconfig".path config.sops.templates."matrix-synapse-turnconfig".path
]; ];
settings = { settings = {
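Review bot: rendering `coturn/static-auth-secret` into synapse's config through `sops.templates` removes a duplicated secret, good; the now-unused `synapse/turnconfig` key should also be deleted from `secrets/bicep/matrix.yaml`. Two things to check: `restartUnits = [ "matrix-synapse.target" ]` restarts a target, which only reaches the services underneath if they declare `PartOf=` on that target, so verify the matrix-synapse-next units do or a rotated secret never reaches the running synapse. And the placeholder is interpolated unquoted into YAML (`turn_shared_secret: ${...}`); a future secret starting with `*`, `&`, `#` or `{` would break parsing, so quote it: `turn_shared_secret: "${config.sops.placeholder."matrix/coturn/static-auth-secret"}"`.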
+4 -6
View File
@@ -1,19 +1,17 @@
{ config, ... }: { config, ... }:
{ {
imports = [ imports = [
./synapse.nix
./synapse-admin.nix ./synapse-admin.nix
./synapse-auto-compressor.nix
./synapse.nix
./element.nix ./element.nix
./coturn.nix ./coturn.nix
./livekit.nix
./mjolnir.nix ./mjolnir.nix
./well-known.nix
# ./discord.nix # ./discord.nix
./out-of-your-element.nix ./out-of-your-element.nix
./hookshot ./hookshot
]; ];
} }
+12 -4
View File
@@ -2,6 +2,13 @@
let let
synapse-cfg = config.services.matrix-synapse-next; synapse-cfg = config.services.matrix-synapse-next;
in { in {
services.pvv-matrix-well-known.client = {
"m.homeserver" = {
base_url = "https://matrix.pvv.ntnu.no";
server_name = "pvv.ntnu.no";
};
};
services.nginx.virtualHosts."chat.pvv.ntnu.no" = { services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@@ -9,10 +16,10 @@ in {
root = pkgs.element-web.override { root = pkgs.element-web.override {
conf = { conf = {
default_server_config."m.homeserver" = { # Tries to look up well-known first, else uses bundled config.
base_url = "https://matrix.pvv.ntnu.no"; default_server_name = "matrix.pvv.ntnu.no";
server_name = "pvv.ntnu.no"; default_server_config = config.services.pvv-matrix-well-known.client;
};
disable_3pid_login = true; disable_3pid_login = true;
# integrations_ui_url = "https://dimension.dodsorf.as/riot"; # integrations_ui_url = "https://dimension.dodsorf.as/riot";
# integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar"; # integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
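Review bot: `default_server_name = "matrix.pvv.ntnu.no"` names the homeserver host rather than the server name users log in with; the well-known data declared in the same file says `server_name = "pvv.ntnu.no"` with `base_url = "https://matrix.pvv.ntnu.no"`. Element uses `default_server_name` for `.well-known/matrix/client` discovery, and this diff publishes that file on `pvv.ntnu.no` and `www.pvv.ntnu.no` via the bekkalokk well-known hunk, so the lookup domain should be the MXID domain: `default_server_name = "pvv.ntnu.no"`. As written it only works because `matrix.pvv.ntnu.no` happens to serve the well-known too (it is what the bekkalokk proxy forwards to), which the `# Tries to look up well-known first` comment does not make obvious.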
@@ -30,6 +37,7 @@ in {
# element call group calls # element call group calls
feature_group_calls = true; feature_group_calls = true;
}; };
default_country_code = "NO";
default_theme = "dark"; default_theme = "dark";
# Servers in this list should provide some sort of valuable scoping # Servers in this list should provide some sort of valuable scoping
# matrix.org is not useful compared to matrixrooms.info, # matrix.org is not useful compared to matrixrooms.info,
@@ -14,6 +14,10 @@ in
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/hs_token"; key = "hookshot/hs_token";
}; };
sops.secrets."matrix/hookshot/passkey" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/passkey";
};
sops.templates."hookshot-registration.yaml" = { sops.templates."hookshot-registration.yaml" = {
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
@@ -44,9 +48,14 @@ in
}; };
systemd.services.matrix-hookshot = { systemd.services.matrix-hookshot = {
serviceConfig.SupplementaryGroups = [ serviceConfig = {
config.users.groups.keys-matrix-registrations.name SupplementaryGroups = [
]; config.users.groups.keys-matrix-registrations.name
];
LoadCredential = [
"passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
];
};
}; };
services.matrix-hookshot = { services.matrix-hookshot = {
@@ -54,6 +63,8 @@ in
package = unstablePkgs.matrix-hookshot; package = unstablePkgs.matrix-hookshot;
registrationFile = config.sops.templates."hookshot-registration.yaml".path; registrationFile = config.sops.templates."hookshot-registration.yaml".path;
settings = { settings = {
passFile = "/run/credentials/matrix-hookshot.service/passkey.pem";
bridge = { bridge = {
bindAddress = "127.0.0.1"; bindAddress = "127.0.0.1";
domain = "pvv.ntnu.no"; domain = "pvv.ntnu.no";
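Review bot: the credential name in `LoadCredential` (`passkey.pem`) and the hard-coded `passFile = "/run/credentials/matrix-hookshot.service/passkey.pem"` have to be kept in sync by hand; binding the name once in the file's `let` block avoids a silent mismatch. The approach itself is the right one: root reads the sops secret at unit start and hookshot gets a private copy, so the `matrix/hookshot/passkey` secret needs no `owner` change.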
@@ -61,6 +72,7 @@ in
mediaUrl = "https://matrix.pvv.ntnu.no"; mediaUrl = "https://matrix.pvv.ntnu.no";
port = 9993; port = 9993;
}; };
listeners = [ listeners = [
{ {
bindAddress = webhookListenAddress; bindAddress = webhookListenAddress;
@@ -73,6 +85,7 @@ in
]; ];
} }
]; ];
generic = { generic = {
enabled = true; enabled = true;
outbound = true; outbound = true;
+67
@@ -0,0 +1,67 @@
{ config, lib, fp, ... }:
let
synapseConfig = config.services.matrix-synapse-next;
matrixDomain = "matrix.pvv.ntnu.no";
cfg = config.services.livekit;
in
{
sops.secrets."matrix/livekit/keyfile/lk-jwt-service" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "livekit/keyfile/lk-jwt-service";
};
sops.templates."matrix-livekit-keyfile" = {
restartUnits = [
"livekit.service"
"lk-jwt-service.service"
];
content = ''
lk-jwt-service: ${config.sops.placeholder."matrix/livekit/keyfile/lk-jwt-service"}
'';
};
services.pvv-matrix-well-known.client = lib.mkIf cfg.enable {
"org.matrix.msc4143.rtc_foci" = [{
type = "livekit";
livekit_service_url = "https://${matrixDomain}/livekit/jwt";
}];
};
services.livekit = {
enable = true;
openFirewall = true;
keyFile = config.sops.templates."matrix-livekit-keyfile".path;
# NOTE: needed for ingress/egress workers
# redis.createLocally = true;
# settings.room.auto_create = false;
};
services.lk-jwt-service = lib.mkIf cfg.enable {
enable = true;
livekitUrl = "wss://${matrixDomain}/livekit/sfu";
keyFile = config.sops.templates."matrix-livekit-keyfile".path;
};
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (builtins.concatStringsSep "," [ "pvv.ntnu.no" "dodsorf.as" ]);
services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
locations."^~ /livekit/jwt/" = {
proxyPass = "http://localhost:${toString config.services.lk-jwt-service.port}/";
};
# TODO: load balance to multiple livekit ingress/egress workers
locations."^~ /livekit/sfu/" = {
proxyPass = "http://localhost:${toString config.services.livekit.settings.port}/";
proxyWebsockets = true;
extraConfig = ''
proxy_send_timeout 120;
proxy_read_timeout 120;
proxy_buffering off;
proxy_set_header Accept-Encoding gzip;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
};
}
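Review bot: `services.livekit.enable = true` is set unconditionally in the same file that guards everything else on `cfg.enable` (`cfg = config.services.livekit`), so the `lib.mkIf cfg.enable` wrappers can never be false; either drop them or set `enable` outside this file, the way `services.mysql` and `services.postgresql` are handled elsewhere in this change. Two smaller points: the `matrix-livekit-keyfile` template has no `owner`, so it stays root:root 0400 and only works if both the `livekit` and `lk-jwt-service` modules hand it to the service via `LoadCredential` (worth a comment confirming that); and `LIVEKIT_FULL_ACCESS_HOMESERVERS` grants full-access tokens to users of `dodsorf.as` as well as `pvv.ntnu.no`, which is a trust decision that deserves a line explaining why.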
@@ -1,4 +1,4 @@
{ config, pkgs, fp, ... }: { config, pkgs, lib, values, fp, ... }:
let let
cfg = config.services.matrix-ooye; cfg = config.services.matrix-ooye;
in in
@@ -28,6 +28,23 @@ in
}; };
}; };
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
locations."/var/lib/private/matrix-ooye" = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5koYfor5+kKB30Dugj3dAWvmj8h/akQQ2XYDvLobFL matrix_ooye rsync backup";
};
};
services.matrix-ooye = { services.matrix-ooye = {
enable = true; enable = true;
homeserver = "https://matrix.pvv.ntnu.no"; homeserver = "https://matrix.pvv.ntnu.no";
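Review bot: the `from=` entry mixes a hostname with two addresses; sshd only matches hostname patterns in `from=` when `UseDNS` is on (it is off by default), so `principal.pvv.ntnu.no` is effectively decorative and the `values.hosts.principal.ipv4`/`ipv6` entries are what actually pin the key. That is fine as long as both addresses stay current in `values`; the same applies to the identical blocks in `synapse.nix`, `mysql/backup.nix` and `postgresql/backup.nix` below. `restrict` plus `rrsyncArgs.ro = true` is the right shape for a pull-only backup key, given that it runs as root over the bridge's private state directory.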
@@ -0,0 +1,56 @@
{ config, lib, utils, ... }:
let
cfg = config.services.synapse-auto-compressor;
in
{
services.synapse-auto-compressor = {
# enable = true;
postgresUrl = "postgresql://matrix-synapse@/synapse?host=/run/postgresql";
};
# NOTE: nixpkgs has some broken asserts, vendored the entire unit
systemd.services.synapse-auto-compressor = {
description = "synapse-auto-compressor";
requires = [
"postgresql.target"
];
inherit (cfg) startAt;
serviceConfig = {
Type = "oneshot";
DynamicUser = true;
User = "matrix-synapse";
PrivateTmp = true;
ExecStart = utils.escapeSystemdExecArgs [
"${cfg.package}/bin/synapse_auto_compressor"
"-p"
cfg.postgresUrl
"-c"
cfg.settings.chunk_size
"-n"
cfg.settings.chunks_to_compress
"-l"
(lib.concatStringsSep "," (map toString cfg.settings.levels))
];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateUsers = true;
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
ProcSubset = "pid";
ProtectProc = "invisible";
ProtectSystem = "strict";
ProtectHome = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
};
};
}
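Review bot: the vendored `systemd.services.synapse-auto-compressor` is not wrapped in `lib.mkIf cfg.enable`, and `enable = true` is commented out, so the unit is installed regardless of the module switch and, since `startAt` is inherited from the module option, scheduled whenever that option has a value; guard the unit with `lib.mkIf cfg.enable`. Also, `requires = [ "postgresql.target" ]` without a matching `after` does not order the job, so the compressor can start before PostgreSQL accepts connections; add `after = [ "postgresql.target" ];`. The sandboxing set here (`ProtectSystem = "strict"`, `PrivateUsers`, `MemoryDenyWriteExecute`, ...) is a good template for the `# TODO: hardening` markers in the two backup units in this change.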
+53 -14
@@ -15,11 +15,33 @@ in {
group = config.users.users.matrix-synapse.group; group = config.users.users.matrix-synapse.group;
}; };
sops.secrets."matrix/synapse/user_registration" = { sops.secrets."matrix/synapse/user_registration/registration_shared_secret" = {
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "synapse/signing_key"; key = "synapse/user_registration/registration_shared_secret";
};
sops.templates."matrix-synapse-user-registration" = {
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group; group = config.users.users.matrix-synapse.group;
content = ''
registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
'';
};
services.rsync-pull-targets = {
enable = true;
locations.${cfg.settings.media_store_path} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASnjI9b3j4ZS3BL/D1ggHfws1BkE8iS0v0cGpEmbG+k matrix_media_store rsync backup";
};
}; };
services.matrix-synapse-next = { services.matrix-synapse-next = {
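Review bot: the removed line shows the old `matrix/synapse/user_registration` secret pointed at `key = "synapse/signing_key"`, i.e. the homeserver signing key doubled as the registration shared secret; any admin scripts that copied that value for `register_new_matrix_user` need the new `synapse/user_registration/registration_shared_secret` entry, and the old value should be treated as exposed wherever it was pasted. For the media-store rsync target, `locations.${cfg.settings.media_store_path}` is read as root through rrsync regardless of the directory's own permissions, so the `restrict`/`from=` options on the key are the only thing bounding that access.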
@@ -83,7 +105,7 @@ in {
mau_stats_only = true; mau_stats_only = true;
enable_registration = false; enable_registration = false;
registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path; registration_shared_secret_path = config.sops.templates."matrix-synapse-user-registration".path;
password_config.enabled = true; password_config.enabled = true;
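Review bot: `registration_shared_secret_path` expects a file containing only the secret (Synapse reads the file and strips whitespace), but the new `matrix-synapse-user-registration` template renders a YAML line `registration_shared_secret: <value>`, so the effective secret becomes that whole line, key name included. Either point `registration_shared_secret_path` at the raw sops secret again (with `owner` set to the synapse user) or add the template to `extraConfigFiles`, as `matrix-synapse-turnconfig` is, and drop the `_path` setting.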
@@ -95,6 +117,32 @@ in {
} }
]; ];
experimental_features = {
# MSC3266: Room summary API. Used for knocking over federation
msc3266_enabled = true;
# MSC4222 needed for syncv2 state_after. This allow clients to
# correctly track the state of the room.
msc4222_enabled = true;
};
# The maximum allowed duration by which sent events can be delayed, as
# per MSC4140.
max_event_delay_duration = "24h";
rc_message = {
# This needs to match at least e2ee key sharing frequency plus a bit of headroom
# Note key sharing events are bursty
per_second = 0.5;
burst_count = 30;
};
rc_delayed_event_mgmt = {
# This needs to match at least the heart-beat frequency plus a bit of headroom
# Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s
per_second = 1;
burst_count = 20;
};
trusted_key_servers = [ trusted_key_servers = [
{ server_name = "matrix.org"; } { server_name = "matrix.org"; }
{ server_name = "dodsorf.as"; } { server_name = "dodsorf.as"; }
@@ -132,21 +180,12 @@ in {
services.redis.servers."".enable = true; services.redis.servers."".enable = true;
services.pvv-matrix-well-known.server."m.server" = "matrix.pvv.ntnu.no:443";
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [ services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
{ {
kTLS = true; kTLS = true;
} }
{
locations."/.well-known/matrix/server" = {
return = ''
200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
'';
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
};
}
{ {
locations."/_synapse/admin" = { locations."/_synapse/admin" = {
proxyPass = "http://$synapse_backend"; proxyPass = "http://$synapse_backend";
@@ -0,0 +1,44 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.pvv-matrix-well-known;
format = pkgs.formats.json { };
matrixDomain = "matrix.pvv.ntnu.no";
in
{
options.services.pvv-matrix-well-known = {
client = lib.mkOption {
type = lib.types.submodule { freeformType = format.type; };
default = { };
example = {
"m.homeserver".base_url = "https://${matrixDomain}/";
};
};
server = lib.mkOption {
type = lib.types.submodule { freeformType = format.type; };
default = { };
example = {
"m.server" = "https://${matrixDomain}/";
};
};
};
config = {
services.nginx.virtualHosts.${matrixDomain} = {
locations."= /.well-known/matrix/client" = lib.mkIf (cfg.client != { }) {
alias = format.generate "nginx-well-known-matrix-server.json" cfg.client;
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
};
locations."= /.well-known/matrix/server" = lib.mkIf (cfg.server != { }) {
alias = format.generate "nginx-well-known-matrix-server.json" cfg.server;
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
};
};
};
}
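Review bot: the `server` option's `example` uses `"m.server" = "https://${matrixDomain}/"`, but an `m.server` value is `<hostname>[:<port>]` with no scheme; the value actually set in `synapse.nix` (`matrix.pvv.ntnu.no:443`, identical to the removed inline nginx block) is correct, so the example should match it. Minor: both `alias` files are generated as `nginx-well-known-matrix-server.json`; name the client one `...-client.json` so the two store paths are distinguishable. The exact-match locations with `default_type application/json` and `Access-Control-Allow-Origin *` preserve what the old inline block did.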
+1 -1
@@ -22,7 +22,7 @@ in
}; };
}; };
systemd.services.minecraft-heatmap-ingest-logs = { systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable {
serviceConfig.LoadCredential = [ serviceConfig.LoadCredential = [
"sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}" "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
]; ];
+83
@@ -0,0 +1,83 @@
{ config, lib, pkgs, values, ... }:
let
cfg = config.services.mysql;
backupDir = "/data/mysql-backups";
in
{
# services.mysqlBackup = lib.mkIf cfg.enable {
# enable = true;
# location = "/var/lib/mysql-backups";
# };
systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = {
user = "mysql";
group = "mysql";
mode = "700";
};
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
locations.${backupDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgj55/7Cnj4cYMJ5sIkl+OwcGeBe039kXJTOf2wvo9j mysql rsync backup";
};
};
# NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
# another unit, it was easier to just make one ourselves.
systemd.services."backup-mysql" = lib.mkIf cfg.enable {
description = "Backup MySQL data";
requires = [ "mysql.service" ];
path = with pkgs; [
cfg.package
coreutils
zstd
];
script = let
rotations = 2;
in ''
set -euo pipefail
OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
# NOTE: this needs to be a hardlink for rrsync to allow sending it
rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done
'';
serviceConfig = {
Type = "oneshot";
User = "mysql";
Group = "mysql";
UMask = "0077";
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
StateDirectory = [ "mysql-backups" ];
BindPaths = [ "${backupDir}:/var/lib/mysql-backups" ];
# TODO: hardening
};
startAt = "*-*-* 02:15:00";
};
}
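Review bot: `requires = [ "mysql.service" ]` without `after` lets `backup-mysql` start in parallel with mysqld, so the first dump after a boot can fail; add `after = [ "mysql.service" ];`. The comment above the unit talks about the "postgres backup unit" in the MySQL file (copy-paste). For `# TODO: hardening`, the option set used on `synapse-auto-compressor` in this change applies here as well (`ProtectSystem = "strict"` is compatible with `StateDirectory`, which stays writable), and `IPAddressDeny = "any"` is safe if `mysqldump` connects over the unix socket, the default when no host is given. The rotation loop counts the `-latest` hardlink as a file, which is why the threshold is `rotations + 1`; a comment saying so would save the next reader a puzzle.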
@@ -1,5 +1,11 @@
{ pkgs, lib, config, values, ... }: { config, pkgs, lib, values, ... }:
let
cfg = config.services.mysql;
dataDir = "/data/mysql";
in
{ {
imports = [ ./backup.nix ];
sops.secrets."mysql/password" = { sops.secrets."mysql/password" = {
owner = "mysql"; owner = "mysql";
group = "mysql"; group = "mysql";
@@ -9,8 +15,7 @@
services.mysql = { services.mysql = {
enable = true; enable = true;
dataDir = "/data/mysql"; package = pkgs.mariadb_118;
package = pkgs.mariadb;
settings = { settings = {
mysqld = { mysqld = {
# PVV allows a lot of connections at the same time # PVV allows a lot of connections at the same time
@@ -21,6 +26,9 @@
# This was needed in order to be able to use all of the old users # This was needed in order to be able to use all of the old users
# during migration from knakelibrak to bicep in Sep. 2023 # during migration from knakelibrak to bicep in Sep. 2023
secure_auth = 0; secure_auth = 0;
slow-query-log = 1;
slow-query-log-file = "/var/log/mysql/mysql-slow.log";
}; };
}; };
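Review bot: the slow query log stores full statement text, which can include literal values from application queries; `LogsDirectory = "mysql"` (added further down) creates `/var/log/mysql` with systemd's default mode 0755, so set `LogsDirectoryMode` to something tighter and check the file mode mysqld creates under its umask before enabling this on a host that serves many users' databases. The context line `secure_auth = 0` still allows pre-4.1 password hashes; the migration it references was in 2023, so it may be time to drop it.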
@@ -36,20 +44,31 @@
}]; }];
}; };
services.mysqlBackup = { networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
enable = true;
location = "/var/lib/mysql/backups"; systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
inherit (cfg) user group;
mode = "0700";
}; };
networking.firewall.allowedTCPPorts = [ 3306 ]; systemd.services.mysql = lib.mkIf cfg.enable {
after = [
systemd.services.mysql.serviceConfig = { "systemd-tmpfiles-setup.service"
IPAddressDeny = "any"; "systemd-tmpfiles-resetup.service"
IPAddressAllow = [
values.ipv4-space
values.ipv6-space
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
]; ];
serviceConfig = {
BindPaths = [ "${dataDir}:${cfg.dataDir}" ];
LogsDirectory = "mysql";
IPAddressDeny = "any";
IPAddressAllow = [
values.ipv4-space
values.ipv6-space
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
}; };
} }
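Review bot: replacing `dataDir = "/data/mysql"` with `BindPaths = [ "${dataDir}:${cfg.dataDir}" ]` means the data lives at `cfg.dataDir` (the default `/var/lib/mysql`) only inside the `mysql.service` mount namespace, while that path looks empty from a host shell; document this next to the `tmpfiles` rule, since anyone running `mysql_upgrade` or `mariabackup` by hand will not see the data. `IPAddressAllow` limited to the PVV address space plus `ildkule` is a good second layer behind the now-conditional `allowedTCPPorts` rule.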
@@ -0,0 +1,84 @@
{ config, lib, pkgs, values, ... }:
let
cfg = config.services.postgresql;
backupDir = "/data/postgresql-backups";
in
{
# services.postgresqlBackup = lib.mkIf cfg.enable {
# enable = true;
# location = "/var/lib/postgresql-backups";
# backupAll = true;
# };
systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = {
user = "postgres";
group = "postgres";
mode = "700";
};
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
locations.${backupDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvO7QX7QmwSiGLXEsaxPIOpAqnJP3M+qqQRe5dzf8gJ postgresql rsync backup";
};
};
# NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
# another unit, it was easier to just make one ourselves
systemd.services."backup-postgresql" = {
description = "Backup PostgreSQL data";
requires = [ "postgresql.service" ];
path = with pkgs; [
coreutils
zstd
cfg.package
];
script = let
rotations = 2;
in ''
set -euo pipefail
OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
# NOTE: this needs to be a hardlink for rrsync to allow sending it
rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done
'';
serviceConfig = {
Type = "oneshot";
User = "postgres";
Group = "postgres";
UMask = "0077";
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
StateDirectory = [ "postgresql-backups" ];
BindPaths = [ "${backupDir}:/var/lib/postgresql-backups" ];
# TODO: hardening
};
startAt = "*-*-* 01:15:00";
};
}
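Review bot: `systemd.services."backup-postgresql"` is unconditional, whereas `backup-mysql` and the rsync target in this very file are wrapped in `lib.mkIf cfg.enable`; wrap it too, or a host importing this file without PostgreSQL gets a failing nightly unit. Same ordering issue as the MySQL unit: `requires = [ "postgresql.service" ]` needs `after = [ "postgresql.service" ];` (or the `postgresql.target` that `synapse-auto-compressor.nix` uses). `pg_dumpall -U postgres` as `User = "postgres"` relies on local peer authentication, and the `authentication` block is not in this diff, so verify it before relying on the nightly run; as this replaces `services.postgresqlBackup`, keep the last old dump until one run of the new unit has succeeded.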
@@ -1,8 +1,13 @@
{ config, pkgs, values, ... }: { config, lib, pkgs, values, ... }:
let
cfg = config.services.postgresql;
in
{ {
imports = [ ./backup.nix ];
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_15; package = pkgs.postgresql_18;
enableTCPIP = true; enableTCPIP = true;
authentication = '' authentication = ''
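Review bot: `pkgs.postgresql_15` to `pkgs.postgresql_18` is a major-version jump; PostgreSQL 18 refuses to start on a 15 data directory, so the cluster under `/data/postgresql` has to go through `pg_upgrade` or a dump/restore as part of this switch, and nothing in the diff does that. Because the same change drops `services.postgresqlBackup` (last hunk of this file) and its replacement only runs nightly, take a `pg_dumpall` with the 15 binaries before deploying.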
@@ -74,13 +79,13 @@
}; };
}; };
systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = { systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = lib.mkIf cfg.enable {
user = config.systemd.services.postgresql.serviceConfig.User; user = config.systemd.services.postgresql.serviceConfig.User;
group = config.systemd.services.postgresql.serviceConfig.Group; group = config.systemd.services.postgresql.serviceConfig.Group;
mode = "0700"; mode = "0700";
}; };
systemd.services.postgresql-setup = { systemd.services.postgresql-setup = lib.mkIf cfg.enable {
after = [ after = [
"systemd-tmpfiles-setup.service" "systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service" "systemd-tmpfiles-resetup.service"
@@ -95,7 +100,7 @@
}; };
}; };
systemd.services.postgresql = { systemd.services.postgresql = lib.mkIf cfg.enable {
after = [ after = [
"systemd-tmpfiles-setup.service" "systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service" "systemd-tmpfiles-resetup.service"
@@ -110,18 +115,12 @@
}; };
}; };
environment.snakeoil-certs."/etc/certs/postgres" = { environment.snakeoil-certs."/etc/certs/postgres" = lib.mkIf cfg.enable {
owner = "postgres"; owner = "postgres";
group = "postgres"; group = "postgres";
subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no"; subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
}; };
networking.firewall.allowedTCPPorts = [ 5432 ]; networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 5432 ];
networking.firewall.allowedUDPPorts = [ 5432 ]; networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [ 5432 ];
services.postgresqlBackup = {
enable = true;
location = "/var/lib/postgres/backups";
backupAll = true;
};
} }
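Review bot: `networking.firewall.allowedUDPPorts = [ 5432 ]` is kept (now behind `mkIf`), but PostgreSQL only listens on TCP; drop the UDP rule while this line is being touched. The removed `services.postgresqlBackup` block was the only user of `/var/lib/postgres/backups`; clean that directory up, or the old dumps sit there unrotated.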
+6 -3
@@ -1,6 +1,6 @@
{ config, pkgs, values, ... }: { config, pkgs, values, ... }:
{ {
networking.nat = { networking.nat = {
enable = true; enable = true;
internalInterfaces = ["ve-+"]; internalInterfaces = ["ve-+"];
externalInterface = "ens3"; externalInterface = "ens3";
@@ -25,6 +25,7 @@
]; ];
networking = { networking = {
hostName = "bikkje";
firewall = { firewall = {
enable = true; enable = true;
# Allow SSH and HTTP and ports for email and irc # Allow SSH and HTTP and ports for email and irc
@@ -36,9 +37,11 @@
useHostResolvConf = mkForce false; useHostResolvConf = mkForce false;
}; };
system.stateVersion = "23.11";
services.resolved.enable = true; services.resolved.enable = true;
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "23.11";
}; };
}; };
}; };
+4 -18
@@ -8,28 +8,14 @@
./services/grzegorz.nix ./services/grzegorz.nix
]; ];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "brzeczyszczykiewicz";
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // { systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
matchConfig.Name = "eno1"; matchConfig.Name = "eno1";
address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ]; address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
}; };
# List packages installed in system profile fonts.fontconfig.enable = true;
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11";
} }
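Review bot: `system.stateVersion` changes from `"23.05"` to `"25.11"` on an existing host, which the new comment directly above it says not to do; stateVersion selects defaults for stateful data, so this can silently change things like default database versions or directory layouts on the next rebuild. Keep `"23.05"` unless the host was reinstalled. The removed `boot.loader.systemd-boot.enable`, `boot.loader.efi.canTouchEfiVariables` and `networking.hostName` lines do not reappear in this diff; confirm they moved into a shared module or the hardware configuration, otherwise the machine ends up with no bootloader configured.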
@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
+4 -23
@@ -8,24 +8,11 @@
(fp /modules/grzegorz.nix) (fp /modules/grzegorz.nix)
]; ];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "georg";
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // { systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
matchConfig.Name = "eno1"; matchConfig.Name = "eno1";
address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ]; address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
}; };
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
services.spotifyd = { services.spotifyd = {
enable = true; enable = true;
settings.global = { settings.global = {
@@ -41,15 +28,9 @@
5353 # spotifyd is its own mDNS service wtf 5353 # spotifyd is its own mDNS service wtf
]; ];
fonts.fontconfig.enable = true;
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
# This value determines the NixOS release from which the default system.stateVersion = "25.11";
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
} }
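Review bot: same two issues as `brzeczyszczykiewicz`: `system.stateVersion` jumps from `"23.05"` to `"25.11"` on an existing host (keep the original unless it was reinstalled), and the removed `boot.loader.*` and `networking.hostName` lines must be accounted for elsewhere in the change.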
+1 -1
@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
+60
@@ -0,0 +1,60 @@
{
fp,
lib,
values,
...
}:
{
imports = [
./hardware-configuration.nix
(fp /base)
];
systemd.network.enable = lib.mkForce false;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
boot.loader = {
systemd-boot.enable = false; # no uefi support on this device
grub.device = "/dev/sda";
grub.enable = true;
};
boot.tmp.cleanOnBoot = true;
networking =
let
hostConf = values.hosts.gluttony;
in
{
tempAddresses = "disabled";
useDHCP = false;
search = values.defaultNetworkConfig.domains;
nameservers = values.defaultNetworkConfig.dns;
defaultGateway.address = hostConf.ipv4_internal_gw;
interfaces."ens3" = {
ipv4.addresses = [
{
address = hostConf.ipv4;
prefixLength = 32;
}
{
address = hostConf.ipv4_internal;
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = hostConf.ipv6;
prefixLength = 64;
}
];
};
};
services.qemuGuest.enable = true;
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11";
}
+50
@@ -0,0 +1,50 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/mapper/pool-root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/933A-3005";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
};
swapDevices = [
{
device = "/var/lib/swapfile";
size = 8 * 1024;
}
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}
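Review bot: the swap is a plain file (`/var/lib/swapfile`, `size = 8 * 1024` MiB) on an unencrypted root, so anything paged out, including decrypted sops secrets held by services, lands on disk in the clear. Either set `randomEncryption.enable = true` on that `swapDevices` entry or use `zramSwap.enable = true` as `ildkule` does. `fmask=0077`/`dmask=0077` on `/boot` is good.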
+5 -14
@@ -10,11 +10,7 @@
./services/journald-remote.nix ./services/journald-remote.nix
]; ];
sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml; boot.loader.systemd-boot.enable = false;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
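Review bot: the four `sops.*` lines (`defaultSopsFile`, `age.sshKeyPaths`, `age.keyFile`, `age.generateKey`) are removed without a replacement visible in this diff; if they were not moved into a shared module, secrets on `ildkule` stop decrypting at the next switch. `boot.loader.systemd-boot.enable = false;` beside `grub.device = "/dev/vda"` is fine; the `# no uefi support on this device` comment used on `gluttony` would be useful here too.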
@@ -24,7 +20,6 @@
networking = let networking = let
hostConf = values.hosts.ildkule; hostConf = values.hosts.ildkule;
in { in {
hostName = "ildkule";
tempAddresses = "disabled"; tempAddresses = "disabled";
useDHCP = lib.mkForce true; useDHCP = lib.mkForce true;
@@ -43,13 +38,9 @@
}; };
}; };
# List packages installed in system profile services.qemuGuest.enable = true;
environment.systemPackages = with pkgs; [
];
# No devices with SMART
services.smartd.enable = false;
system.stateVersion = "23.11"; # Did you read the comment?
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "23.11";
} }
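Review bot: `services.smartd.enable = false` and its "No devices with SMART" comment are removed while `services.qemuGuest.enable = true` is added; if smartd is enabled anywhere else in the configuration it will now start on a VM with no SMART-capable devices and log errors or fail. Keep the override unless smartd is no longer enabled by default.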
+1 -1
@@ -46,7 +46,7 @@ in
networking.firewall.allowedTCPPorts = [ cfg.port ]; networking.firewall.allowedTCPPorts = [ cfg.port ];
systemd.services."systemd-journal-remote" = { systemd.services."systemd-journal-remote" = {
socketConfig = { serviceConfig = {
LoadCredential = let LoadCredential = let
inherit (config.security.acme.certs.${domainName}) directory; inherit (config.security.acme.certs.${domainName}) directory;
in [ in [
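Review bot: `LoadCredential` is a `[Service]` directive, so under `socketConfig` it was silently ignored and `systemd-journal-remote` never received the ACME certificate credentials; this one-word move is the actual fix and deserves a sentence in the commit message. After deploying, check that the service reads the files from `$CREDENTIALS_DIRECTORY` rather than straight from the ACME `directory`, since the latter would have been what made it "work" before.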
File diff suppressed because it is too large
@@ -13,7 +13,7 @@
] ]
}, },
"description": "", "description": "",
"editable": true, "editable": false,
"gnetId": 11323, "gnetId": 11323,
"graphTooltip": 1, "graphTooltip": 1,
"id": 31, "id": 31,
@@ -3690,7 +3690,7 @@
}, },
"hide": 0, "hide": 0,
"includeAll": false, "includeAll": false,
"label": "Data Source", "label": "Data source",
"multi": false, "multi": false,
"name": "datasource", "name": "datasource",
"options": [], "options": [],
@@ -3713,12 +3713,12 @@
"definition": "label_values(mysql_up, job)", "definition": "label_values(mysql_up, job)",
"hide": 0, "hide": 0,
"includeAll": true, "includeAll": true,
"label": "job", "label": "Job",
"multi": true, "multi": true,
"name": "job", "name": "job",
"options": [], "options": [],
"query": "label_values(mysql_up, job)", "query": "label_values(mysql_up, job)",
"refresh": 1, "refresh": 2,
"regex": "", "regex": "",
"skipUrlSync": false, "skipUrlSync": false,
"sort": 0, "sort": 0,
@@ -3742,12 +3742,12 @@
"definition": "label_values(mysql_up, instance)", "definition": "label_values(mysql_up, instance)",
"hide": 0, "hide": 0,
"includeAll": true, "includeAll": true,
"label": "instance", "label": "Instance",
"multi": true, "multi": true,
"name": "instance", "name": "instance",
"options": [], "options": [],
"query": "label_values(mysql_up, instance)", "query": "label_values(mysql_up, instance)",
"refresh": 1, "refresh": 2,
"regex": "", "regex": "",
"skipUrlSync": false, "skipUrlSync": false,
"sort": 0, "sort": 0,
File diff suppressed because it is too large
@@ -328,7 +328,7 @@
"rgba(50, 172, 45, 0.97)" "rgba(50, 172, 45, 0.97)"
], ],
"datasource": "${DS_PROMETHEUS}", "datasource": "${DS_PROMETHEUS}",
"format": "decbytes", "format": "short",
"gauge": { "gauge": {
"maxValue": 100, "maxValue": 100,
"minValue": 0, "minValue": 0,
@@ -411,7 +411,7 @@
"rgba(50, 172, 45, 0.97)" "rgba(50, 172, 45, 0.97)"
], ],
"datasource": "${DS_PROMETHEUS}", "datasource": "${DS_PROMETHEUS}",
"format": "decbytes", "format": "short",
"gauge": { "gauge": {
"maxValue": 100, "maxValue": 100,
"minValue": 0, "minValue": 0,
@@ -1410,7 +1410,7 @@
"tableColumn": "", "tableColumn": "",
"targets": [ "targets": [
{ {
"expr": "pg_settings_seq_page_cost", "expr": "pg_settings_seq_page_cost{instance=\"$instance\"}",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"refId": "A" "refId": "A"
@@ -1872,7 +1872,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "bytes", "format": "short",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
@@ -1966,7 +1966,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "bytes", "format": "short",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
@@ -2060,7 +2060,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "bytes", "format": "short",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
@@ -2251,7 +2251,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "bytes", "format": "short",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
@@ -2439,7 +2439,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "bytes", "format": "short",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
@@ -2589,35 +2589,35 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "irate(pg_stat_bgwriter_buffers_backend{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_buffers_backend_total{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "buffers_backend", "legendFormat": "buffers_backend",
"refId": "A" "refId": "A"
}, },
{ {
"expr": "irate(pg_stat_bgwriter_buffers_alloc{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_buffers_alloc_total{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "buffers_alloc", "legendFormat": "buffers_alloc",
"refId": "B" "refId": "B"
}, },
{ {
"expr": "irate(pg_stat_bgwriter_buffers_backend_fsync{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_buffers_backend_fsync_total{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "backend_fsync", "legendFormat": "backend_fsync",
"refId": "C" "refId": "C"
}, },
{ {
"expr": "irate(pg_stat_bgwriter_buffers_checkpoint{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_buffers_checkpoint_total{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "buffers_checkpoint", "legendFormat": "buffers_checkpoint",
"refId": "D" "refId": "D"
}, },
{ {
"expr": "irate(pg_stat_bgwriter_buffers_clean{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_buffers_clean_total{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "buffers_clean", "legendFormat": "buffers_clean",
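Review bot: every bgwriter expression in this hunk gains a `_total` suffix (`pg_stat_bgwriter_buffers_backend_total`, `pg_stat_bgwriter_buffers_alloc_total` and the rest), which only matches metrics from a postgres_exporter release that emits the suffixed names. With an older exporter these panels render empty rather than erroring, so check the deployed exporter's `/metrics` output for `pg_stat_bgwriter_buffers_alloc_total` before merging the revision-8 dashboard, or the regression goes unnoticed until someone needs the graph.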
@@ -2886,14 +2886,14 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "irate(pg_stat_bgwriter_checkpoint_write_time{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_checkpoint_write_time_total{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "write_time - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk.", "legendFormat": "write_time - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk.",
"refId": "B" "refId": "B"
}, },
{ {
"expr": "irate(pg_stat_bgwriter_checkpoint_sync_time{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_checkpoint_sync_time_total{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "sync_time - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk.", "legendFormat": "sync_time - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk.",
@@ -3164,4 +3164,4 @@
"title": "PostgreSQL Database", "title": "PostgreSQL Database",
"uid": "000000039", "uid": "000000039",
"version": 1 "version": 1
} }
@@ -47,13 +47,13 @@ in {
{ {
name = "Node Exporter Full"; name = "Node Exporter Full";
type = "file"; type = "file";
url = "https://grafana.com/api/dashboards/1860/revisions/29/download"; url = "https://grafana.com/api/dashboards/1860/revisions/42/download";
options.path = dashboards/node-exporter-full.json; options.path = dashboards/node-exporter-full.json;
} }
{ {
name = "Matrix Synapse"; name = "Matrix Synapse";
type = "file"; type = "file";
url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json"; url = "https://github.com/element-hq/synapse/raw/refs/heads/develop/contrib/grafana/synapse.json";
options.path = dashboards/synapse.json; options.path = dashboards/synapse.json;
} }
{ {
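Review bot: the Matrix Synapse entry now points at `https://github.com/element-hq/synapse/raw/refs/heads/develop/contrib/grafana/synapse.json`, a branch reference that can change under you, whereas the Node Exporter Full entry two lines above pins a specific grafana.com revision (`1860/revisions/42`). Since the dashboard is vendored at `dashboards/synapse.json` anyway, record the commit the JSON was taken from (a `.../raw/<commit-sha>/contrib/grafana/synapse.json` URL, with the real sha filled in) so the file can be re-fetched and diffed reproducibly.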
@@ -65,15 +65,9 @@ in {
{ {
name = "Postgresql"; name = "Postgresql";
type = "file"; type = "file";
url = "https://grafana.com/api/dashboards/9628/revisions/7/download"; url = "https://grafana.com/api/dashboards/9628/revisions/8/download";
options.path = dashboards/postgres.json; options.path = dashboards/postgres.json;
} }
{
name = "Go Processes (gogs)";
type = "file";
url = "https://grafana.com/api/dashboards/240/revisions/3/download";
options.path = dashboards/go-processes.json;
}
{ {
name = "Gitea Dashboard"; name = "Gitea Dashboard";
type = "file"; type = "file";
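Review bot: the 'Go Processes (gogs)' entry is dropped here but its `options.path = dashboards/go-processes.json` does not appear in these hunks; confirm the JSON file is removed as well, otherwise it lingers as an unreferenced dashboard in the tree. The Postgresql bump from revision 7 to 8 belongs with the `_total` metric renames in the JSON hunks above, so a reviewer reading only this file should be told the two move together.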
@@ -19,15 +19,18 @@ in {
(mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "gluttony" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
# (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ]) (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "skrott" [ defaultNodeExporterPort defaultSystemdExporterPort ])
(mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ]) (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ]) (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
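Review bot: the new host `skrot`, whose configuration is added elsewhere in this diff, has no scrape entry in this hunk; only `skrott` is added. If `(fp /base)` enables the exporters for it as for the other hosts, add `(mkHostScrapeConfig "skrot" [ ... ])` so the kiosk is monitored from day one. `skrott` is also added without `defaultNixosExporterPort` while every other full host has it; a short comment saying it is the stripped-down Raspberry Pi image would stop the next reader from "fixing" it. Finally, `gluttony` disappears from the targets, which silences any alert rules keyed on that instance, so make sure the host is really decommissioned rather than just forgotten.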
@@ -4,21 +4,12 @@
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
./disks.nix
./services/gitea ./services/gitea
./services/nginx.nix ./services/nginx.nix
]; ];
sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "kommode"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18"; matchConfig.Name = "ens18";
address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ]; address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
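Review bot: the removed `sops.age.sshKeyPaths`, `sops.age.keyFile`, `sops.age.generateKey`, `boot.loader.systemd-boot.enable`, `boot.loader.efi.canTouchEfiVariables` and `networking.hostName` lines are only safe to drop if `(fp /base)` or the new `./disks.nix` now provides equivalents; a host without `sops.age.sshKeyPaths` cannot decrypt its secrets at activation, and one without a loader setting will not boot after the next rebuild. State in the commit message where these moved. The same removal is repeated for lupine and shark further down in this diff.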
@@ -26,7 +17,9 @@
services.btrfs.autoScrub.enable = true; services.btrfs.autoScrub.enable = true;
environment.systemPackages = with pkgs; []; services.qemuGuest.enable = true;
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }
@@ -0,0 +1,80 @@
{ lib, ... }:
{
disko.devices = {
disk = {
sda = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
root = {
name = "root";
label = "root";
start = "1MiB";
end = "-5G";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
# subvolumes = let
# makeSnapshottable = subvolPath: mountOptions: let
# name = lib.replaceString "/" "-" subvolPath;
# in {
# "@${name}/active" = {
# mountpoint = subvolPath;
# inherit mountOptions;
# };
# "@${name}/snapshots" = {
# mountpoint = "${subvolPath}/.snapshots";
# inherit mountOptions;
# };
# };
# in {
# "@" = { };
# "@/swap" = {
# mountpoint = "/.swapvol";
# swap.swapfile.size = "4G";
# };
# "@/root" = {
# mountpoint = "/";
# mountOptions = [ "compress=zstd" "noatime" ];
# };
# }
# // (makeSnapshottable "/home" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/nix" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/var/lib" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/var/log" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/var/cache" [ "compress=zstd" "noatime" ]);
# swap.swapfile.size = "4G";
mountpoint = "/";
};
};
swap = {
name = "swap";
label = "swap";
start = "-5G";
end = "-1G";
content.type = "swap";
};
ESP = {
name = "ESP";
label = "ESP";
start = "-1G";
end = "100%";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
};
};
};
};
};
}
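Review bot: roughly thirty lines of commented-out subvolume layout (`makeSnapshottable`, the `@/swap` swapfile, the per-path `.snapshots` subvolumes) and the `lib` argument that only the commented code uses should be dropped rather than committed. In a file where `extraArgs = [ "-f" ]` lets disko reformat `/dev/sda` without complaint, half-finished layout under comments is exactly what gets uncommented and applied by mistake; if the snapshot layout is planned, track it in an issue or a follow-up PR. Also double-check the intended partition order: `root` runs from `1MiB` to `-5G`, then `swap` and `ESP` sit at the end of the disk, which works but differs from the ESP-first layout in skrot's `disk-config.nix` in the same diff.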
@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
@@ -13,21 +13,6 @@
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/86CD-4C23";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
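Review bot: removing `fileSystems."/"`, `fileSystems."/boot"` and `swapDevices` from a file whose header says it was generated by `nixos-generate-config` means the next regeneration will reinsert them with `by-uuid` devices and clash with the disko definitions (two different `device` values for `fileSystems."/"` is an evaluation error). Either stop regenerating this file for kommode or add a comment at the top saying the filesystems are owned by `disks.nix`.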
@@ -10,6 +10,59 @@ in
catppuccin = pkgs.gitea-theme-catppuccin; catppuccin = pkgs.gitea-theme-catppuccin;
}; };
services.gitea.settings = {
ui = {
DEFAULT_THEME = "gitea-auto";
REACTIONS = lib.concatStringsSep "," [
"+1"
"-1"
"laugh"
"confused"
"heart"
"hooray"
"rocket"
"eyes"
"100"
"anger"
"astonished"
"no_good"
"ok_hand"
"pensive"
"pizza"
"point_up"
"sob"
"skull"
"upside_down_face"
"shrug"
"huh"
"bruh"
"okiedokie"
"grr"
];
CUSTOM_EMOJIS = lib.concatStringsSep "," [
"bruh"
"grr"
"huh"
"ohyeah"
];
};
"ui.meta" = {
AUTHOR = "Programvareverkstedet";
DESCRIPTION = "Bokstavelig talt programvareverkstedet";
KEYWORDS = lib.concatStringsSep "," [
"git"
"hackerspace"
"nix"
"open source"
"foss"
"organization"
"software"
"student"
];
};
};
systemd.services.gitea-customization = lib.mkIf cfg.enable { systemd.services.gitea-customization = lib.mkIf cfg.enable {
description = "Install extra customization in gitea's CUSTOM_DIR"; description = "Install extra customization in gitea's CUSTOM_DIR";
wantedBy = [ "gitea.service" ]; wantedBy = [ "gitea.service" ];
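Review bot: `REACTIONS` and `CUSTOM_EMOJIS` disagree: `okiedokie` is offered as a reaction but is missing from `CUSTOM_EMOJIS`, and `ohyeah` is declared as a custom emoji but not listed under `REACTIONS`. So that every custom reaction has an emoji definition, align the two lists (add `okiedokie` to `CUSTOM_EMOJIS`, and either add `ohyeah` to `REACTIONS` or drop it). The `ui` block now lives in this customization module rather than the host module; a one-line comment saying so would save the next reader from looking for it in two places.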
@@ -57,6 +110,11 @@ in
install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/ "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
''; '';
}; };
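Review bot: `install -Dm644 ${./emotes/huh.gif} .../huh.png` and `${./emotes/okiedokie.jpg} .../okiedokie.png` install a GIF and a JPEG under a `.png` name; it mostly works because browsers sniff the image bytes, but anything that derives the content type from the file name will call them PNGs and it will confuse whoever debugs the assets later. Keep the real extension or convert the files. There is also no image installed for `ohyeah`, which the earlier hunk lists in `CUSTOM_EMOJIS`, so that emoji renders as a broken image. Since the four images are new binary assets in the repository, note their origin and licence in the commit message.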
@@ -83,11 +83,24 @@ in {
AUTO_WATCH_NEW_REPOS = false; AUTO_WATCH_NEW_REPOS = false;
}; };
admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention"; admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
session.COOKIE_SECURE = true;
security = { security = {
SECRET_KEY = lib.mkForce ""; SECRET_KEY = lib.mkForce "";
SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}"; SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
}; };
cache = {
ADAPTER = "redis";
HOST = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=0";
ITEM_TTL = "72h";
};
session = {
COOKIE_SECURE = true;
PROVIDER = "redis";
PROVIDER_CONFIG = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=1";
};
queue = {
TYPE = "redis";
CONN_STR = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=2";
};
database.LOG_SQL = false; database.LOG_SQL = false;
repository = { repository = {
PREFERRED_LICENSES = lib.concatStringsSep "," [ PREFERRED_LICENSES = lib.concatStringsSep "," [
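Review bot: `queue.TYPE = "redis"` moves the mail, indexer and webhook queues into redis, and `session.PROVIDER = "redis"` does the same for sessions; both share one instance over `config.services.redis.servers.gitea.unixSocket` with `db=0`, `db=1` and `db=2` keeping cache, sessions and queue apart. The redis server defined later in this diff has `save = [ ]`, so nothing here is persisted: a redis restart logs every user out and drops queued work. If that is acceptable for sessions it is less so for the queue; enable snapshots for this instance or say in a comment that the loss is intended. Keeping `session.COOKIE_SECURE = true` while moving the block is correct.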
@@ -128,31 +141,6 @@ in {
AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2; AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
}; };
actions.ENABLED = true; actions.ENABLED = true;
ui = {
REACTIONS = lib.concatStringsSep "," [
"+1"
"-1"
"laugh"
"confused"
"heart"
"hooray"
"rocket"
"eyes"
"100"
"anger"
"astonished"
"no_good"
"ok_hand"
"pensive"
"pizza"
"point_up"
"sob"
"skull"
"upside_down_face"
"shrug"
];
};
"ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
}; };
dump = { dump = {
@@ -164,12 +152,26 @@ in {
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch"; systemd.services.gitea = lib.mkIf cfg.enable {
wants = [ "redis-gitea.service" ];
after = [ "redis-gitea.service" ];
systemd.services.gitea.serviceConfig.CacheDirectory = "gitea/repo-archive"; serviceConfig = {
systemd.services.gitea.serviceConfig.BindPaths = [ CPUSchedulingPolicy = "batch";
"%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive" CacheDirectory = "gitea/repo-archive";
]; BindPaths = [
"%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
];
};
};
services.redis.servers.gitea = lib.mkIf cfg.enable {
enable = true;
user = config.services.gitea.user;
save = [ ];
openFirewall = false;
port = 5698;
};
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
forceSSL = true; forceSSL = true;
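Review bot: `services.redis.servers.gitea` sets `port = 5698` even though all three Gitea consumers reach it over the unix socket; set `port = 0` so the instance opens no TCP listener at all (the NixOS option documents 0 as not listening on TCP), which removes a local exposure instead of relying on `openFirewall = false` to hide it. `user = config.services.gitea.user` is the right choice for socket ownership. The `wants`/`after` on `redis-gitea.service` in the same hunk are needed; without them Gitea can start before the socket exists and fail its first session lookup.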
@@ -195,6 +197,23 @@ in {
networking.firewall.allowedTCPPorts = [ sshPort ]; networking.firewall.allowedTCPPorts = [ sshPort ];
services.rsync-pull-targets = {
enable = true;
locations.${cfg.dump.backupDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpMVrOppyqYaDiAhqmAuOaRsubFvcQGBGyz+NHB6+0o gitea rsync backup";
};
};
systemd.services.gitea-dump = { systemd.services.gitea-dump = {
serviceConfig.ExecStart = let serviceConfig.ExecStart = let
args = lib.cli.toGNUCommandLineShell { } { args = lib.cli.toGNUCommandLineShell { } {
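Review bot: in `authorizedKeysAttrs`, `restrict` already disables agent, port and X11 forwarding and PTY allocation (see the AUTHORIZED_KEYS FILE FORMAT section of sshd(8)), so the four explicit `no-*` options are redundant; harmless, but drop them or a reader will assume `restrict` lacks them. The `from=` pattern mixes the hostname `principal.pvv.ntnu.no` with the two literal addresses; hostname matching in `from=` depends on reverse DNS of the connecting address, so the IP entries are what actually holds and the hostname could go. `rrsyncArgs.ro = true` with `user = "root"` gives principal read-only pull access to the dump directory, which is the right direction for a backup: the backup host can read, not write.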
@@ -28,7 +28,7 @@ in
users.users."gitea-web" = { users.users."gitea-web" = {
group = "gitea-web"; group = "gitea-web";
isSystemUser = true; isSystemUser = true;
shell = pkgs.bash; useDefaultShell = true;
}; };
sops.secrets."gitea/web-secret-provider/token" = { sops.secrets."gitea/web-secret-provider/token" = {
@@ -9,12 +9,6 @@
]; ];
sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml; sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // { systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
matchConfig.Name = "enp0s31f6"; matchConfig.Name = "enp0s31f6";
@@ -28,7 +22,7 @@
# There are no smart devices # There are no smart devices
services.smartd.enable = false; services.smartd.enable = false;
# Do not change, even during upgrades. # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.05"; system.stateVersion = "25.05";
} }
@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
@@ -6,33 +6,14 @@
(fp /base) (fp /base)
]; ];
sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "shark"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18"; matchConfig.Name = "ens18";
address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ]; address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
}; };
# List packages installed in system profile services.qemuGuest.enable = true;
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11";
} }
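Review bot: `system.stateVersion` jumps from `"23.05"` to `"25.11"` in the same hunk that adds the comment "Don't change (even during upgrades) unless you know what you are doing". Unless shark was reinstalled from scratch, this silently changes defaults for stateful services tied to the original release; keep `"23.05"` on an existing install, or record in the commit message that the host was rebuilt.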
@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
@@ -0,0 +1,63 @@
{
fp,
lib,
config,
values,
...
}:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./disk-config.nix
(fp /base)
];
boot.consoleLogLevel = 0;
sops.defaultSopsFile = fp /secrets/skrot/skrot.yaml;
systemd.network.networks."enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0";
address = with values.hosts.skrot; [
(ipv4 + "/25")
(ipv6 + "/64")
];
};
sops.secrets = {
"dibbler/postgresql/password" = {
owner = "dibbler";
group = "dibbler";
};
};
services.dibbler = {
enable = true;
kioskMode = true;
limitScreenWidth = 80;
limitScreenHeight = 42;
settings = {
general.quit_allowed = false;
database = {
type = "postgresql";
postgresql = {
username = "pvv_vv";
dbname = "pvv_vv";
host = "postgres.pvv.ntnu.no";
password_file = config.sops.secrets."dibbler/postgresql/password".path;
};
};
};
};
systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
enable = true;
wantedBy = [ "getty.target" ]; # to start at boot
serviceConfig.Restart = "always"; # restart when session is closed
};
system.stateVersion = "25.11"; # Did you read the comment? Nah bro
}
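Review bot: the `.network` unit is named `"enp2s0"` while every other host in this diff uses a numbered prefix (`"30-ens18"`, `"30-enp0s31f6"`); systemd-networkd applies `.network` files in lexical order with the first match winning, and a name starting with a letter sorts after any `99-*` catch-all, so use `"30-enp2s0"` for consistency and predictable matching. The `# Did you read the comment? Nah bro` next to `system.stateVersion` refers to a comment that is not in this file; replace it with the two-line note the other hosts use. `boot.consoleLogLevel = 0` is reasonable for a kiosk, but it means kernel warnings only reach the journal, so make sure this host's journal is shipped somewhere.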
@@ -0,0 +1,41 @@
{
disko.devices = {
disk = {
main = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
type = "EF00";
size = "1G";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
plainSwap = {
size = "8G";
content = {
type = "swap";
discardPolicy = "both";
resumeDevice = false;
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}
@@ -0,0 +1,15 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
@@ -1,35 +1,56 @@
{ config, pkgs, lib, fp, ... }: { { config, pkgs, lib, modulesPath, fp, values, ... }: {
imports = [ imports = [
# ./hardware-configuration.nix (modulesPath + "/profiles/perlless.nix")
(fp /base) (fp /base)
]; ];
# Disable import of a bunch of tools we don't need from nixpkgs.
disabledModules = [ "profiles/base.nix" ];
sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
boot = { boot = {
consoleLogLevel = 0; consoleLogLevel = 0;
enableContainers = false; enableContainers = false;
loader.grub.enable = false; loader.grub.enable = false;
loader.systemd-boot.enable = false;
kernelPackages = pkgs.linuxPackages; kernelPackages = pkgs.linuxPackages;
}; };
hardware = {
enableAllHardware = lib.mkForce false;
firmware = [ pkgs.raspberrypiWirelessFirmware ];
};
# Now turn off a bunch of stuff lol # Now turn off a bunch of stuff lol
# TODO: can we reduce further?
# See also https://nixcademy.com/posts/minimizing-nixos-images/
system.autoUpgrade.enable = lib.mkForce false; system.autoUpgrade.enable = lib.mkForce false;
services.irqbalance.enable = lib.mkForce false; services.irqbalance.enable = lib.mkForce false;
services.logrotate.enable = lib.mkForce false; services.logrotate.enable = lib.mkForce false;
services.nginx.enable = lib.mkForce false; services.nginx.enable = lib.mkForce false;
services.postfix.enable = lib.mkForce false; services.postfix.enable = lib.mkForce false;
services.smartd.enable = lib.mkForce false;
services.udisks2.enable = lib.mkForce false;
services.thermald.enable = lib.mkForce false;
services.promtail.enable = lib.mkForce false;
# There aren't really that many firmware updates for rbpi3 anyway
services.fwupd.enable = lib.mkForce false;
# TODO: can we reduce further? documentation.enable = lib.mkForce false;
system.stateVersion = "25.05"; environment.enableAllTerminfo = lib.mkForce false;
sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml; programs.neovim.enable = lib.mkForce false;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; programs.zsh.enable = lib.mkForce false;
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; programs.git.package = pkgs.gitMinimal;
sops.age.generateKey = true;
nix.registry = lib.mkForce { };
nix.nixPath = lib.mkForce [ ];
sops.secrets = { sops.secrets = {
"dibbler/postgresql/url" = { "dibbler/postgresql/password" = {
owner = "dibbler"; owner = "dibbler";
group = "dibbler"; group = "dibbler";
}; };
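Review bot: `services.promtail.enable = lib.mkForce false` together with the `smartd` and `fwupd` disables trims the image, but it also means this kiosk ships no logs; a misbehaving or tampered device then leaves nothing in central logging. Keep promtail unless the size really matters, and say why in the comment either way. The secret rename from `dibbler/postgresql/url` to `dibbler/postgresql/password` has to be mirrored in `secrets/skrott/skrott.yaml`, which is not in this hunk. As with kommode, the dropped `sops.age.*` lines need an equivalent in `(fp /base)`, which deserves a second look here because `profiles/base.nix` is disabled and the `perlless` profile is imported.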
@@ -38,11 +59,17 @@
# zramSwap.enable = true; # zramSwap.enable = true;
networking = { networking = {
hostName = "skrot"; hostName = "skrott";
defaultGateway = values.hosts.gateway;
defaultGateway6 = values.hosts.gateway6;
interfaces.eth0 = { interfaces.eth0 = {
useDHCP = false; useDHCP = false;
ipv4.addresses = [{ ipv4.addresses = [{
address = "129.241.210.235"; address = values.hosts.skrott.ipv4;
prefixLength = 25;
}];
ipv6.addresses = [{
address = values.hosts.skrott.ipv6;
prefixLength = 25; prefixLength = 25;
}]; }];
}; };
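Review bot: the new `ipv6.addresses` entry has `prefixLength = 25`, copied from the IPv4 block above it; the other hosts in this diff attach the same `values.hosts.<host>.ipv6` with `/64` (for example `(ipv6 + "/64")` in kommode). A /25 IPv6 on-link prefix covers far more than the local segment, so neighbour discovery is attempted for addresses that should go via `defaultGateway6`. Change it to `prefixLength = 64`.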
@@ -56,18 +83,30 @@
settings = { settings = {
general.quit_allowed = false; general.quit_allowed = false;
database.url = config.sops.secrets."dibbler/postgresql/url".path; database = {
type = "postgresql";
postgresql = {
username = "pvv_vv";
dbname = "pvv_vv";
host = "postgres.pvv.ntnu.no";
password_file = config.sops.secrets."dibbler/postgresql/password".path;
};
};
}; };
}; };
# https://github.com/NixOS/nixpkgs/issues/84105 # https://github.com/NixOS/nixpkgs/issues/84105
boot.kernelParams = [ boot.kernelParams = lib.mkIf (!config.virtualisation.isVmVariant) [
"console=ttyUSB0,9600" "console=ttyUSB0,9600"
# "console=tty1" # Already part of the module # "console=tty1" # Already part of the module
]; ];
systemd.services."serial-getty@ttyUSB0" = { systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
enable = true; enable = true;
wantedBy = [ "getty.target" ]; # to start at boot wantedBy = [ "getty.target" ]; # to start at boot
serviceConfig.Restart = "always"; # restart when session is closed serviceConfig.Restart = "always"; # restart when session is closed
}; };
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11";
} }
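Review bot: `system.stateVersion` moves from `"25.05"` (the old line in the first hunk of this file) to `"25.11"` here; if skrott is the same SD card that was installed under 25.05, keep the old value, as the new comment itself advises. Gating `boot.kernelParams` and the `serial-getty@ttyUSB0` unit on `!config.virtualisation.isVmVariant` is a good touch for `nixos-rebuild build-vm`. Replacing the `database.url` secret with `password_file` means only the password, not a full connection URL, sits in the secret file, which is the better shape.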
@@ -1,39 +1,24 @@
{ config, fp, pkgs, values, ... }: { config, fp, pkgs, values, ... }:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
./services/nfs-mounts.nix ./services/nfs-mounts.nix
]; ./services/userweb.nix
];
# sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
# sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# sops.age.keyFile = "/var/lib/sops-nix/key.txt";
# sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "temmie"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18"; matchConfig.Name = "ens18";
address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ]; address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
}; };
# List packages installed in system profile services.nginx.enable = false;
environment.systemPackages = with pkgs; [
];
# List services that you want to enable: services.qemuGuest.enable = true;
# This value determines the NixOS release from which the default # Don't change (even during upgrades) unless you know what you are doing.
# settings for stateful data, like file locations and database versions # See https://search.nixos.org/options?show=system.stateVersion
# on your system were taken. Its perfectly fine and recommended to leave system.stateVersion = "25.11";
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "25.11"; # Did you read the comment?
} }
@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
@@ -1,21 +1,57 @@
{ pkgs, lib, ... }: { lib, values, ... }:
let
# See microbel:/etc/exports
letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
in
{ {
fileSystems = let systemd.targets."pvv-homedirs" = {
# See microbel:/etc/exports description = "PVV Homedir Partitions";
shorthandAreas = lib.listToAttrs (map };
(l: lib.nameValuePair "/run/pvv-home-mounts/${l}" "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}")
[ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ]); systemd.mounts = map (l: {
in { } description = "PVV Homedir Partition ${l}";
//
(lib.mapAttrs (_: device: { before = [ "remote-fs.target" ];
inherit device; wantedBy = [ "multi-user.target" ];
fsType = "nfs"; requiredBy = [ "pvv-homedirs.target" ];
options = [
type = "nfs";
what = "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}";
where = "/run/pvv-home-mounts/${l}";
options = lib.concatStringsSep "," [
"nfsvers=3" "nfsvers=3"
"noauto"
# NOTE: this is a bit unfortunate. The address above seems to resolve to IPv6 sometimes,
# and it doesn't seem possible to specify proto=tcp,tcp6, meaning we have to tell
# NFS which exact address to use here, despite it being specified in the `what` attr :\
"proto=tcp" "proto=tcp"
"x-systemd.automount" "addr=${values.hosts.microbel.ipv4}"
"x-systemd.idle-timeout=300" "mountproto=tcp"
"mounthost=${values.hosts.microbel.ipv4}"
"port=2049"
# NOTE: this is yet more unfortunate. When enabling locking, it will sometimes complain about connection failed.
# dmesg(1) reveals that it has something to do with registering the lockdv1 RPC service (errno: 111), not
# quite sure how to fix it. Living life on dangerous mode for now.
"nolock"
# Don't wait on every read/write
"async"
# Always keep mounted
"noauto"
# We don't want to update access time constantly
"noatime"
# No SUID/SGID, no special devices
"nosuid"
"nodev"
# TODO: are there cgi scripts that modify stuff in peoples homedirs?
# "ro"
"rw"
]; ];
}) shorthandAreas); }) letters;
} }
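Review bot: the comment above `"noauto"` ("Always keep mounted") contradicts the option: for mount(8) `noauto` means the filesystem is only mounted on explicit request, and in a native systemd mount unit it adds nothing because activation is already driven by `wantedBy`/`requiredBy`; either drop the option or fix the comment so the next reader does not "repair" this by re-adding `x-systemd.automount`. Two further points that belong next to the options rather than only in comments: `nolock` together with `rw` on an NFSv3 export means this host and anything else mounting `/export/home/pvv/<l>` get no lock coordination, which starts to matter as soon as CGI scripts write into home directories (the `"ro"` TODO already hints at that); and no `sec=` is given, so the mount authenticates with AUTH_SYS and the only access control is the host list in microbel:/etc/exports, which should be limited to the `addr=` address used here.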
+344
View File
@@ -0,0 +1,344 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.httpd;
homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
# https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
phpEnv = pkgs.php.buildEnv {
extensions = { all, ... }: with all; [
imagick
opcache
protobuf
];
extraConfig = ''
display_errors=0
post_max_size = 40M
upload_max_filesize = 40M
'';
};
perlEnv = pkgs.perl.withPackages (ps: with ps; [
pkgs.exiftool
pkgs.ikiwiki
pkgs.irssi
pkgs.nix.libs.nix-perl-bindings
AlgorithmDiff
AnyEvent
AnyEventI3
ArchiveZip
CGI
CPAN
CPANPLUS
DBDPg
DBDSQLite
DBI
EmailAddress
EmailSimple
Env
Git
HTMLMason
HTMLParser
HTMLTagset
HTTPDAV
HTTPDaemon
ImageMagick
JSON
LWP
MozillaCA
PathTiny
Switch
SysSyslog
TestPostgreSQL
TextPDF
TieFile
Tk
URI
XMLLibXML
]);
# https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
pythonEnv = pkgs.python3.buildEnv.override {
extraLibs = with pkgs.python3Packages; [
legacy-cgi
matplotlib
requests
];
ignoreCollisions = true;
};
# https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
fhsEnv = pkgs.buildEnv {
name = "userweb-env";
paths = with pkgs; [
bash
perlEnv
pythonEnv
phpEnv
]
++ (with phpEnv.packages; [
# composer
])
++ [
acl
aspell
autoconf
autotrash
bazel
bintools
bison
bsd-finger
catdoc
ccache
clang
cmake
coreutils-full
curl
devcontainer
diffutils
emacs
# exiftags
exiftool
ffmpeg
file
findutils
gawk
gcc
glibc
gnugrep
gnumake
gnupg
gnuplot
gnused
gnutar
gzip
html-tidy
imagemagick
inetutils
iproute2
jhead
less
libgcc
lndir
mailutils
man # TODO: does this one want a mandb instance?
meson
more
mpc
mpi
mplayer
ninja
nix
openssh
openssl
patchelf
pkg-config
ppp
procmail
procps
qemu
rc
rhash
rsync
ruby # TODO: does this one want systemwide packages?
salt
sccache
sourceHighlight
spamassassin
strace
subversion
system-sendmail
systemdMinimal
texliveMedium
tmux
unzip
util-linux
valgrind
vim
wget
which
wine
xdg-utils
zip
zstd
];
extraOutputsToInstall = [
"man"
"doc"
];
};
in
{
services.httpd = {
enable = true;
adminAddr = "drift@pvv.ntnu.no";
# TODO: consider upstreaming systemd support
# TODO: mod_log_journald in v2.5
package = pkgs.apacheHttpd.overrideAttrs (prev: {
nativeBuildInputs = prev.nativeBuildInputs ++ [ pkgs.pkg-config ];
buildInputs = prev.buildInputs ++ [ pkgs.systemdLibs ];
configureFlags = prev.configureFlags ++ [ "--enable-systemd" ];
});
enablePHP = true;
phpPackage = phpEnv;
enablePerl = true;
# TODO: mod_log_journald in v2.5
extraModules = [
"systemd"
"userdir"
# TODO: I think the compilation steps of pkgs.apacheHttpdPackages.mod_perl might have some
# incorrect or restrictive assumptions upstream, either nixpkgs or source
# {
# name = "perl";
# path = let
# mod_perl = pkgs.apacheHttpdPackages.mod_perl.override {
# apacheHttpd = cfg.package.out;
# perl = perlEnv;
# };
# in "${mod_perl}/modules/mod_perl.so";
# }
];
extraConfig = ''
TraceEnable on
LogLevel warn rewrite:trace3
ScriptLog ${cfg.logDir}/cgi.log
'';
# virtualHosts."userweb.pvv.ntnu.no" = {
virtualHosts."temmie.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters}
UserDir disabled root
AddHandler cgi-script .cgi
DirectoryIndex index.html index.html.var index.php index.php3 index.cgi index.phtml index.shtml meg.html
<Directory "/home/pvv/?/*/web-docs">
Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI IncludesNoExec
AllowOverride All
Require all granted
</Directory>
'';
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
# socket activation comes in v2.5
# systemd.sockets.httpd = {
# wantedBy = [ "sockets.target" ];
# description = "HTTPD socket";
# listenStreams = [
# "0.0.0.0:80"
# "0.0.0.0:443"
# ];
# };
systemd.services.httpd = {
after = [ "pvv-homedirs.target" ];
requires = [ "pvv-homedirs.target" ];
environment = {
PATH = lib.mkForce "/usr/bin";
};
serviceConfig = {
Type = lib.mkForce "notify";
ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start";
ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful";
ExecStop = lib.mkForce "";
KillMode = "mixed";
ConfigurationDirectory = [ "httpd" ];
LogsDirectory = [ "httpd" ];
LogsDirectoryMode = "0700";
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
LockPersonality = true;
PrivateDevices = true;
PrivateTmp = true;
# NOTE: this removes CAP_NET_BIND_SERVICE...
# PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = "tmpfs";
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectSystem = true;
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SocketBindDeny = "any";
SocketBindAllow = [
"tcp:80"
"tcp:443"
];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
UMask = "0077";
RuntimeDirectory = [ "httpd/root-mnt" ];
RootDirectory = "/run/httpd/root-mnt";
MountAPIVFS = true;
BindReadOnlyPaths = [
builtins.storeDir
"/etc"
# NCSD socket
"/var/run"
"/var/lib/acme"
"${fhsEnv}/bin:/bin"
"${fhsEnv}/sbin:/sbin"
"${fhsEnv}/lib:/lib"
"${fhsEnv}/share:/share"
] ++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") {
parent = [
"/local"
"/opt"
"/opt/local"
"/store"
"/store/gnu"
"/usr"
"/usr/local"
];
child = [
"/bin"
"/sbin"
"/lib"
"/libexec"
"/include"
"/share"
];
});
BindPaths = map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") homeLetters;
};
};
# TODO: create phpfpm pools with php environments that contain packages similar to those present on tom
}
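Review bot: the `<Directory "/home/pvv/?/*/web-docs">` block gives every user's CGI script the same httpd uid with `rw` bind mounts of all of `/home/pvv/<l>` inside the chroot, so there is no isolation between users: one user's `.cgi` can read or change any other user's web-docs that the httpd user can reach, and `AllowOverride All` includes the `Options` class, so a user can re-enable `Options +Includes` or `+ExecCGI` from `.htaccess` regardless of `IncludesNoExec` here. If a shared uid is the accepted model for userweb, say so in a comment; otherwise drop `Options` from the override set (`AllowOverride AuthConfig FileInfo Indexes Limit`) and follow up on the per-user php-fpm pool / suexec approach the trailing TODO mentions. Independently: change `TraceEnable on` to `TraceEnable off` (TRACE has no use here and is the classic cross-site tracing vector), and `LogLevel warn rewrite:trace3` writes every rewritten request URL at trace verbosity into the `0700` log directory, which is a debugging setting rather than a default. Small compatibility note on the sandbox: `strace` is in `fhsEnv` but `SystemCallFilter=@system-service` does not include ptrace (that is in `@debug`), so it will not work inside the service.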
+3 -6
View File
@@ -7,12 +7,7 @@
./services/gitea-runners.nix ./services/gitea-runners.nix
]; ];
sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml; boot.loader.systemd-boot.enable = false;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
networking.hostName = "ustetind";
networking.useHostResolvConf = lib.mkForce false; networking.useHostResolvConf = lib.mkForce false;
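Review bot: this hunk deletes `sops.defaultSopsFile`, the three `sops.age.*` settings and `networking.hostName` for ustetind with no replacement in view; if they moved into a shared module (the identical wenche hunk below suggests that), name that module in the commit message so a reviewer can confirm the host still gets its own secrets file and age key path. `boot.loader.systemd-boot.enable = false;` is presumably there because a base module now enables systemd-boot; a one-line comment saying which one would save the next person a search.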
@@ -39,5 +34,7 @@
}; };
}; };
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }
+5 -11
View File
@@ -14,15 +14,9 @@
"armv7l-linux" "armv7l-linux"
]; ];
sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml; boot.loader.systemd-boot.enable = false;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
networking.hostName = "wenche"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18"; matchConfig.Name = "ens18";
address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ]; address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
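Review bot: same question as for ustetind: `sops.defaultSopsFile`, `sops.age.*` and `networking.hostName` are removed here too, so confirm the shared module derives `networking.hostName` and the secrets file per host rather than hardcoding a single value, and that `sops.age.generateKey = true` still applies (otherwise a fresh install of wenche has no age key at `/var/lib/sops-nix/key.txt` and cannot decrypt `wenche.yaml`).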
@@ -36,9 +30,9 @@
package = config.boot.kernelPackages.nvidiaPackages.production; package = config.boot.kernelPackages.nvidiaPackages.production;
}; };
# List packages installed in system profile services.qemuGuest.enable = true;
environment.systemPackages = with pkgs; [
];
system.stateVersion = "24.11"; # Did you read the comment? # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "24.11";
} }
+4
View File
@@ -37,9 +37,13 @@ in {
services.nginx.enable = true; services.nginx.enable = true;
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
${config.networking.fqdn} = { ${config.networking.fqdn} = {
# NOTE: this overrides the default config in base/services/nginx.nix
addSSL = false;
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
kTLS = true; kTLS = true;
serverAliases = [ serverAliases = [
"${machine}.pvv.org" "${machine}.pvv.org"
]; ];
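Review bot: `addSSL = false;` only overrides the base module if base/services/nginx.nix sets `addSSL = true` with `lib.mkDefault`; if it sets it plainly, two definitions at the same priority conflict at evaluation time, so either use `lib.mkForce false` here or switch the base module to `mkDefault`. The intent is right: nixpkgs asserts that `addSSL` and `forceSSL` are not both enabled, and `forceSSL` is the one you want so plain-HTTP requests are redirected rather than served.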
+3
View File
@@ -181,6 +181,9 @@ in
#NoNewPrivileges = true; #NoNewPrivileges = true;
#PrivateDevices = true; #PrivateDevices = true;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "5s";
StartLimitIntervalSec = "5s";
StartLimitBurst = "5";
DynamicUser = true; DynamicUser = true;
}; };
}; };
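Review bot: `StartLimitIntervalSec` and `StartLimitBurst` are [Unit] settings, not [Service] settings, so they should not be inside `serviceConfig`; in NixOS use `systemd.services.<name>.startLimitIntervalSec = 5;` and `startLimitBurst = 5;` at unit level, which emit them in the right section instead of relying on systemd's compatibility handling of old [Service] spellings. Also check the numbers: with `RestartSec = "5s"` the unit starts at most about once every 5 s, so five starts inside a 5 s interval can never happen and the start limit never trips, i.e. the service restarts on failure forever. If the intent is to give up after a few quick failures, use a wider interval (60 s is the usual choice); if the intent is to retry forever, the two start-limit lines can simply go.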
+146
View File
@@ -0,0 +1,146 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.rsync-pull-targets;
in
{
options.services.rsync-pull-targets = {
enable = lib.mkEnableOption "";
rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { };
locations = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }@submoduleArgs: {
options = {
enable = lib.mkEnableOption "" // {
default = true;
example = false;
};
user = lib.mkOption {
type = lib.types.str;
description = "Which user to use as SSH login";
example = "root";
};
location = lib.mkOption {
type = lib.types.path;
default = name;
defaultText = lib.literalExpression "<name>";
example = "/path/to/rsyncable/item";
};
# TODO: handle autogeneration of keys
# autoGenerateSSHKeypair = lib.mkOption {
# type = lib.types.bool;
# default = config.publicKey == null;
# defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.publicKey != null";
# example = true;
# };
publicKey = lib.mkOption {
type = lib.types.str;
# type = lib.types.nullOr lib.types.str;
# default = null;
example = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA comment";
};
rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { } // {
default = cfg.rrsyncPackage;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.rrsyncPackage";
};
enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args";
rrsyncArgs = {
ro = lib.mkEnableOption "" // {
description = "Allow only reading from the DIR. Implies -no-del and -no-lock.";
};
wo = lib.mkEnableOption "" // {
description = "Allow only writing to the DIR.";
};
munge = lib.mkEnableOption "" // {
description = "Enable rsync's --munge-links on the server side.";
# TODO: set a default?
};
no-del = lib.mkEnableOption "" // {
description = "Disable rsync's --delete* and --remove* options.";
default = submoduleArgs.config.enableRecommendedHardening;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
};
no-lock = lib.mkEnableOption "" // {
description = "Avoid the single-run (per-user) lock check.";
default = submoduleArgs.config.enableRecommendedHardening;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
};
no-overwrite = lib.mkEnableOption "" // {
description = "Prevent overwriting existing files by enforcing --ignore-existing";
default = submoduleArgs.config.enableRecommendedHardening;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
};
};
authorizedKeysAttrs = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = lib.optionals submoduleArgs.config.enableRecommendedHardening [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
defaultText = lib.literalExpression ''
lib.optionals config.services.rsync-pull-targets.<name>.enableRecommendedHardening [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
]
'';
example = [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
};
};
}));
};
};
config = lib.mkIf cfg.enable {
# assertions = lib.pipe cfg.locations [
# (lib.filterAttrs (_: value: value.enable))
# TODO: assert that there are no duplicate (user, publicKey) pairs.
# if there are then ssh won't know which command to provide and might provide a random one, not sure.
# (lib.mapAttrsToList (_: { user, location, publicKey, ... }: {
# assertion =
# message = "";
# })
# ];
services.openssh.enable = true;
users.users = lib.pipe cfg.locations [
(lib.filterAttrs (_: value: value.enable))
lib.attrValues
# Index locations by SSH user
(lib.foldl (acc: location: acc // {
${location.user} = (acc.${location.user} or [ ]) ++ [ location ];
}) { })
(lib.mapAttrs (_name: locations: {
openssh.authorizedKeys.keys = map ({ user, location, rrsyncPackage, rrsyncArgs, authorizedKeysAttrs, publicKey, ... }: let
rrsyncArgString = lib.cli.toCommandLineShellGNU {
isLong = _: false;
} rrsyncArgs;
# TODO: handle " in location
in "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}"
) locations;
}))
];
};
}
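Review bot: the `# TODO: handle " in location` line is the one to close before merging: `location` is spliced verbatim into `command=\"...\"`, so a path containing `"` ends the quoted command early and a space or shell metacharacter changes what rrsync receives, turning a configuration typo into a different command for that key. Quote it, for example `lib.replaceStrings [ "\"" ] [ "\\\"" ] (lib.escapeShellArg location)`, so the argument is shell-quoted and any remaining double quote is backslash-escaped the way sshd's authorized_keys parser expects. Two smaller points: `enableRecommendedHardening` defaults to false, which makes `authorizedKeysAttrs` empty, so a key with a `command=` but no `restrict` keeps port forwarding, agent forwarding and a pty; default the hardening on, or at least always emit `restrict`. And `no-lock` is grouped under the hardening profile, but rrsync's single-run lock is what stops two concurrent transfers with the same key, so enabling it is a convenience, not a hardening, setting. The commented-out duplicate (user, publicKey) assertion is worth finishing as well: sshd uses the first matching authorized_keys line, so a duplicate silently routes to whichever location happens to sort first.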
+24 -24
View File
@@ -33,63 +33,63 @@ in
lib.mergeAttrsList [ lib.mergeAttrsList [
(mw-ext { (mw-ext {
name = "CodeEditor"; name = "CodeEditor";
commit = "6e5b06e8cf2d040c0abb53ac3735f9f3c96a7a4f"; commit = "83e1d0c13f34746f0d7049e38b00e9ab0a47c23f";
hash = "sha256-Jee+Ws9REUohywhbuemixXKaTRc54+cIlyUNDCyYcEM="; hash = "sha256-qH9fSQZGA+z6tBSh1DaTKLcujqA6K/vQmZML9w5X8mU=";
}) })
(mw-ext { (mw-ext {
name = "CodeMirror"; name = "CodeMirror";
commit = "da9c5d4f03e6425f6f2cf68b75d21311e0f7e77e"; commit = "af2b08b9ad2b89a64b2626cf80b026c5b45e9922";
hash = "sha256-aL+v9xeqKHGmQVUWVczh54BkReu+fP49PT1NP7eTC6k="; hash = "sha256-CxXPwCKUlF9Tg4JhwLaKQyvt43owq75jCugVtb3VX+I=";
}) })
(mw-ext { (mw-ext {
name = "DeleteBatch"; name = "DeleteBatch";
commit = "122072bbfb4eab96ed8c1451a3e74b5557054c58"; commit = "3d6f2fd0e3efdae1087dd0cc8b1f96fe0edf734f";
hash = "sha256-L6AXoyFJEZoAQpLO6knJvYtQ6JJPMtaa+WhpnwbJeNU="; hash = "sha256-iD9EjDIW7AGpZan74SIRcr54dV8W7xMKIDjatjdVkKs=";
}) })
(mw-ext { (mw-ext {
name = "PluggableAuth"; name = "PluggableAuth";
commit = "5caf605b9dfdd482cb439d1ba2000cba37f8b018"; commit = "85e96acd1ac0ebcdaa29c20eae721767a938f426";
hash = "sha256-TYJqR9ZvaWJ7i1t0XfgUS05qqqCgxAH8tRTklz/Bmlg="; hash = "sha256-bMVhrg8FsfWhXF605Cj5TgI0A6Jy/MIQ5aaUcLQQ0Ss=";
}) })
(mw-ext { (mw-ext {
name = "Popups"; name = "Popups";
commit = "7ed940a09f83f869cbc0bc20f3ca92f85b534951"; commit = "410e2343c32a7b18dcdc2bbd995b0bfdf3bf5f37";
hash = "sha256-pcDPcu4kSvMHfSOuShrod694TKI9Oo3AEpMP9DXp9oY="; hash = "sha256-u2AlR75x54rCpiK9Mz00D9odJCn8fmi6DRU4QKmKqSc=";
}) })
(mw-ext { (mw-ext {
name = "Scribunto"; name = "Scribunto";
commit = "e755852a8e28a030a21ded2d5dd7270eb933b683"; commit = "904f323f343dba5ff6a6cdd143c4a8ef5b7d2c55";
hash = "sha256-zyI5nSE+KuodJOWyV0CQM7G0GfkKEgfoF/czi2/qk98="; hash = "sha256-ZOVYhjMMyWbqwZOBb39hMIRmzzCPEnz2y8Q2jgyeERw=";
}) })
(mw-ext { (mw-ext {
name = "SimpleSAMLphp"; name = "SimpleSAMLphp";
kebab-name = "simple-saml-php"; kebab-name = "simple-saml-php";
commit = "d41b4efd3cc44ca3f9f12e35385fc64337873c2a"; commit = "a2f77374713473d594e368de24539aebcc1a800a";
hash = "sha256-wfzXtsEEEjQlW5QE4Rf8pasAW/KSJsLkrez13baxeqA="; hash = "sha256-5+t3VQFKcrIffDNPJ4RWBIWS6K1gTOcEleYWmM6xWms=";
}) })
(mw-ext { (mw-ext {
name = "TemplateData"; name = "TemplateData";
commit = "fd7cf4d95a70ef564130266f2a6b18f33a2a2ff9"; commit = "76a6a04bd13a606923847ba68750b5d98372cacd";
hash = "sha256-5OhDPFhIi55Eh5+ovMP1QTjNBb9Sm/3vyArNCApAgSw="; hash = "sha256-X2+U5PMqzkSljw2ypIvJUSaPDaonTkQx89OgKzf5scw=";
}) })
(mw-ext { (mw-ext {
name = "TemplateStyles"; name = "TemplateStyles";
commit = "0f7b94a0b094edee1c2a9063a3c42a1bdc0282d9"; commit = "7de60a8da6576d7930f293d19ef83529abf52704";
hash = "sha256-R406FgNcIip9St1hurtZoPPykRQXBrkJRKA9hapG81I="; hash = "sha256-iPmFDoO5V4964CVyd1mBSQcNlW34odbvpm2CfDBlPBU=";
}) })
(mw-ext { (mw-ext {
name = "UserMerge"; name = "UserMerge";
commit = "d1917817dd287e7d883e879459d2d2d7bc6966f2"; commit = "71eb53ff4289ac4efaa31685ab8b6483c165a584";
hash = "sha256-la3/AQ38DMsrZ2f24T/z3yKzIrbyi3w6FIB5YfxGK9U="; hash = "sha256-OfKSEPgctfr659oh5jf99T0Rzqn+60JhNaZq+2gfubk=";
}) })
(mw-ext { (mw-ext {
name = "VisualEditor"; name = "VisualEditor";
commit = "032364cfdff33818e6ae0dfa251fe3973b0ae4f3"; commit = "a6a63f53605c4d596c3df1dcc2583ffd3eb8d929";
hash = "sha256-AQDdq9r6rSo8h4u1ERonH14/1i1BgLGdzANEiQ065PU="; hash = "sha256-4d8picO66uzKoxh1TdyvKLHebc6ZL7N2DdXLV2vgBL4=";
}) })
(mw-ext { (mw-ext {
name = "WikiEditor"; name = "WikiEditor";
commit = "cb9f7e06a9c59b6d3b31c653e5886b7f53583d01"; commit = "0a5719bb95326123dd0fee1f88658358321ed7be";
hash = "sha256-UWi3Ac+LCOLliLkXnS8YL0rD/HguuPH5MseqOm0z7s4="; hash = "sha256-eQMyjhdm1E6TkktIHad1NMeMo8QNoO8z4A05FYOMCwQ=";
}) })
] ]
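Review bot: twelve commit/hash pairs are bumped together but nothing records which MediaWiki release branch they were taken from; put the branch (and the MediaWiki version it matches) in the commit message or in a comment next to the `mw-ext` calls, so a reviewer can check each `commit` against that branch instead of trusting the pair, and so a future bump cannot silently mix branches across extensions.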
File diff suppressed because it is too large
+40
View File
@@ -0,0 +1,40 @@
#!/usr/bin/env nix-shell
#! nix-shell -i bash -p bash git gnugrep gnused nodejs_24
GIT_TOPLEVEL=$(git rev-parse --show-toplevel)
PACKAGE_NIX="$GIT_TOPLEVEL/packages/ooye/package.nix"
REV="$(grep -oP '(?<=rev = ")[a-z0-9]+(?=")' "$PACKAGE_NIX")"
TMPDIR="$(mktemp -d)"
cleaning() {
rm -rf "$TMPDIR"
}
trap 'cleaning' SIGINT
git clone --depth 1 --revision="$REV" https://git.pvv.ntnu.no/Drift/delete-your-element.git "$TMPDIR/ooye"
pushd "$TMPDIR/ooye" || exit
sed -i 's/\s*"glob@<11.1": "^12"//' package.json
git diff --quiet --exit-code package.json && {
echo "Sed did't do it's job, please fix" >&2
cleaning
exit 1
}
rm -rf package-lock.json
npm install --package-lock-only
export GIT_AUTHOR_NAME='Lockinator 9000'
export GIT_AUTHOR_EMAIL='locksmith@lockal.local'
export GIT_AUTHOR_DATE='Sun, 01 Jan 1984 00:00:00 +0000'
export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME"
export GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"
export GIT_COMMITTER_DATE="$GIT_AUTHOR_DATE"
git commit -am "package-lock.json: bomp" --no-gpg-sign
git format-patch HEAD~
mv 0001-package-lock.json-bomp.patch "$GIT_TOPLEVEL/packages/ooye/fix-lockfile.patch"
git reset --hard HEAD~
popd || exit
cleaning
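Review bot: `trap 'cleaning' SIGINT` only cleans up on Ctrl-C; the `pushd || exit` and `popd || exit` paths and any error exit leave `$TMPDIR` behind, so use `trap cleaning EXIT` and drop the explicit `cleaning` calls. The script also runs without `set -euo pipefail`, so if `npm install --package-lock-only` fails the `git commit`/`git format-patch` steps still run and produce a patch from whatever is left in the tree. Minor: the message on the `git diff` branch should read "Sed didn't do its job". It would also help to say in a comment that the regenerated `fix-lockfile.patch` is what `npmDepsHash` in package.nix is computed from, so whoever runs this script knows to update that hash in the same change.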
@@ -2,31 +2,28 @@
lib, lib,
fetchFromGitea, fetchFromGitea,
makeWrapper, makeWrapper,
nodejs, nodejs_24,
buildNpmPackage, buildNpmPackage,
fetchpatch,
}: }:
let
nodejs = nodejs_24;
in
buildNpmPackage { buildNpmPackage {
pname = "delete-your-element"; pname = "delete-your-element";
version = "3.3-unstable-2025-12-09"; version = "3.3-unstable-2026-01-21";
src = fetchFromGitea { src = fetchFromGitea {
domain = "git.pvv.ntnu.no"; domain = "git.pvv.ntnu.no";
owner = "Drift"; owner = "Drift";
repo = "delete-your-element"; repo = "delete-your-element";
rev = "1c0c545a024ef7215a1a3483c10acce853f79765"; rev = "04d7872acb933254c0a4703064b2e08de31cfeb4";
hash = "sha256-ow/PdlHfU7PCwsjJUEzoETzONs1KoKTRMRQ9ADN0tGk="; hash = "sha256-CkKt+8VYjIhNM76c3mTf7X6d4ob8tB2w8T6xYS7+LuY=";
}; };
patches = [ inherit nodejs;
(fetchpatch {
name = "ooye-fix-package-lock-0001.patch";
url = "https://cgit.rory.gay/nix/OOYE-module.git/plain/pl.patch?h=ee126389d997ba14be3fe3ef360ba37b3617a9b2";
hash = "sha256-dP6WEHb0KksDraYML+jcR5DftH9BiXvwevUg38ALOrc=";
})
];
npmDepsHash = "sha256-OXOyO6LxK/WYYVysSxkol0ilMUZB+osLYUE5DpJlbps="; patches = [ ./fix-lockfile.patch ];
# npmDepsHash = "sha256-Y+vgp7+7pIDm64AYSs8ltoAiON0EPpJInbmgn3/LkVA=";
npmDepsHash = "sha256-tiGXr86x9QNAwhZcxSOox6sP9allyz9QSH3XOZOb3z8=";
dontNpmBuild = true; dontNpmBuild = true;
makeCacheWritable = true; makeCacheWritable = true;
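Review bot: replacing the `fetchpatch` from a third-party cgit URL with `./fix-lockfile.patch` checked into this repo is the right supply-chain move (the lockfile rewrite is now reviewable here and the patch cannot change underneath its hash), and the commit message should say so. The stale commented-out `# npmDepsHash = "sha256-Y+vgp7...` line should be deleted rather than kept, and a comment pointing at the regeneration script would tie the patch and `npmDepsHash` together for the next bump.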
+29
View File
@@ -0,0 +1,29 @@
{ lib
, php
, stdenv
, writeText
, fetchFromGitea
, extra_files ? { }
}:
stdenv.mkDerivation {
pname = "ssp-theme";
version = "v1.2026";
src = fetchFromGitea {
owner = "drift";
repo = "ssp-theme";
rev = "master";
hash = "sha256-4d0TwJubfJrThctvE50HpPg0gqdJy595hewEcjfXlrs=";
domain = "git.pvv.ntnu.no";
};
installPhase = ''
mkdir -p $out/bin
cp -r ./ $out/bin/
chmod -R +x $out/bin/
'';
}
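Review bot: `rev = "master"` with a fixed `hash` is not reproducible: the fetch succeeds only until the branch moves, after which every build fails with a hash mismatch, and in the meantime nobody can tell from the expression which theme revision is deployed. Pin `rev` to a commit and keep `version` in step with it (`"v1.2026"` is not a tag the expression references). The install phase is also odd for a SimpleSAMLphp theme: it copies the whole checkout into `$out/bin/` and marks every file executable with `chmod -R +x`, which is neither what a PHP theme directory needs nor a layout anything will look for; install it under a share-style path (for example `$out/share/simplesamlphp/themes/<theme-name>`, name to be chosen) and drop the chmod. Finally, `lib`, `php`, `writeText` and `extra_files` are accepted but unused, and `owner = "drift"` differs in case from the `Drift` owner used elsewhere in this repo.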
+4 -3
View File
@@ -9,6 +9,7 @@ gitea:
ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str] ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str] import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str]
mediawiki: mediawiki:
secret-key: ENC[AES256_GCM,data:ixG9vGifYcz44y/copU+eHIjWLcxJ4v7pi8l1P3YHIdGwAk5DNZQWlaA/L3w0g50zM0ESEXL9k2r3jNI1nLGJw==,iv:fwHV4hYDEjP9f/8Bw74EhYDUN8UV+qIwqd6yXa5KtFs=,tag:3c9J/lVoJeRE1b/TTWJNZw==,type:str]
password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str] password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str] postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str]
simplesamlphp: simplesamlphp:
@@ -99,8 +100,8 @@ sops:
SU5zanlva1p2QjVndVJwUnlkdkFuTDAKbQRrSfG9MGsGvF2ywoGhDSuriDsbQ+k2 SU5zanlva1p2QjVndVJwUnlkdkFuTDAKbQRrSfG9MGsGvF2ywoGhDSuriDsbQ+k2
29mxere0efSSGGq8y9YrPC8UX5hZRfqg/dfbL+PFc4NHfbxB/oSzQw== 29mxere0efSSGGq8y9YrPC8UX5hZRfqg/dfbL+PFc4NHfbxB/oSzQw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-09T21:18:23Z" lastmodified: "2026-01-26T08:40:13Z"
mac: ENC[AES256_GCM,data:scdduZPcJZgeT9LarRgxVr/obYsGrJAbMoLGJPPPp19qxOJMTdvYfMz8bxPjCikB4MacEgVZmcnKIn5aCzHJAnCI/7F2wm1DDtW9ZI5qbhDJKSSld+m2leOSPfR8VY/0qj6UNgGnwkwx7dfcAlv8cP2Sp3o1M2oyQxeXPr5FWEg=,iv:JEAwkCewMp0ERmYU62kZkbl7+FET1ZeRr6xeEwt6ioM=,tag:jxvli935X3JyZYe7fFbnLg==,type:str] mac: ENC[AES256_GCM,data:ppgpARft/YDKP24QF4bLYVhxN4nRrCsf4wBug3UD4MXgQwdFyWPAHn086uONeMbVOvH8IdwlaNBc8h36I7M66cqwK1VsRc/vf9Ud2VnD/WkWijMSrJ80frIvuvREp7aMNlYbD20bjrp4sYohjcJ8KPqyPUFPj71dA+9LZvXJthQ=,iv:lr3R14lRx7RzclknKbOa/bHa6axGbMPqj1FRTjx34xE=,tag:pBHzSArxYs4bqq355T4yog==,type:str]
pgp: pgp:
- created_at: "2026-01-16T06:34:44Z" - created_at: "2026-01-16T06:34:44Z"
enc: |- enc: |-
@@ -123,4 +124,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.11.0
Some files were not shown because too many files have changed in this diff