felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-05-13 01:51:14 +02:00
Code Issues Projects Releases Wiki Activity

Compare commits

merge into: felixalb:bicep-garage-test-deployment
Branches Tags
felixalb:main felixalb:userweb-sendmail-proxy felixalb:bicep-garage-test-deployment felixalb:bicep-revival felixalb:drumknotty felixalb:fmt felixalb:errorpages felixalb:PVVtheme2026 felixalb:dagali-heimdal-openldap-sasl-stack felixalb:skrot-new-thing felixalb:loginpage felixalb:temmie-userweb felixalb:gitea-robots-txt felixalb:kommode-disko felixalb:skrott-cross-compile felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim
...
pull from: felixalb:userweb-sendmail-proxy
Branches Tags
felixalb:main felixalb:userweb-sendmail-proxy felixalb:bicep-garage-test-deployment felixalb:bicep-revival felixalb:drumknotty felixalb:fmt felixalb:errorpages felixalb:PVVtheme2026 felixalb:dagali-heimdal-openldap-sasl-stack felixalb:skrot-new-thing felixalb:loginpage felixalb:temmie-userweb felixalb:gitea-robots-txt felixalb:kommode-disko felixalb:skrott-cross-compile felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim

21 Commits
bicep-gara ... userweb-se

Author SHA1 Message Date
h7x4
9c6a812334 WIP: temmie/userweb: use IPC to proxy sendmail requests out of sandbox 2026-05-11 14:03:18 +09:00
h7x4
5e50b617fb temmie/userweb: switch from postfix to nullmailer 2026-05-11 13:52:58 +09:00
h7x4
258c5a7b25 temmie/userweb: set up sendmail wrapper 2026-05-11 12:26:39 +09:00
h7x4
b9eda3dc56 temmie/userweb: reduce package list 2026-05-11 10:17:09 +09:00
Vegard Bieker Matthey
2fcaf5893f fix deprecation warning for mediawiki update script 2026-05-09 20:40:14 +02:00
h7x4
b009da31af temmie/userweb: deny a bunch of spooky directories by default 
It should still be possible for the user to re-enable these with
`.htaccess`
 2026-05-10 03:33:43 +09:00
h7x4
e9a267e2a3 temmie/userweb: ignore collisions in fhs env 2026-05-10 03:02:27 +09:00
h7x4
338c2f2531 temmie/userweb: adjust perl and php env 
This adds and removes a few packages to make the environments closer to
how they are on tom
 2026-05-10 03:02:26 +09:00
Felix Albrigtsen
8db3034baf Run shellcheck 2026-05-08 09:31:35 +02:00
h7x4
f64f9c944e topology: hook skrot up to the switch at the office 2026-05-08 16:27:01 +09:00
h7x4
baeb1e5e60 base/hardening: move hardening options from base/default 2026-05-08 16:23:17 +09:00
h7x4
86ca8dcdc3 base/hardening: ban a bunch more unimportant kernel modules 2026-05-08 16:23:17 +09:00
Daniel Olsen
11d1f8b442 bakke: the owls sick motorbike 2026-05-08 03:07:09 +02:00
Felix Albrigtsen
d8115c4031 bakke: add shading 2026-05-08 03:06:06 +02:00
Felix Albrigtsen
0d41326d9f bakke: rest of the owl 2026-05-08 03:06:06 +02:00
Felix Albrigtsen
7baf3ffcb4 bakke: uninit 2026-05-08 03:06:06 +02:00
Daniel Olsen
45f10be9b4 secrets: delete skrott 2026-05-08 03:01:11 +02:00
Daniel Olsen
06cd860d2f README: change skrot link to point to skrot, not skrott 2026-05-08 02:38:54 +02:00
Daniel Olsen
ebd8b871f4 skrott: yeetus deletus 2026-05-08 01:08:48 +02:00
Daniel Olsen
14994485c5 base: mitigate dirtyfrag 2026-05-08 01:03:45 +02:00
h7x4
f2752ee9a6 .gitea/workflows/*: remove redundant config 
All of the extra config is now being included by default with the github
action
 2026-05-06 23:34:22 +09:00
29 changed files with 281 additions and 746 deletions
Expand all files Collapse all files

7
.gitea/workflows/build-topology-graph.yml
View File

@@ -13,13 +13,6 @@ jobs:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
- uses: https://github.com/cachix/install-nix-action@v31 - uses: https://github.com/cachix/install-nix-action@v31
with:
extra_nix_config: |
show-trace = true
max-jobs = auto
trusted-users = root
experimental-features = nix-command flakes
build-users-group =
- name: Build topology graph - name: Build topology graph
run: nix build .#topology -L run: nix build .#topology -L

7
.gitea/workflows/eval.yml
View File

@@ -12,12 +12,5 @@ jobs:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
- uses: https://github.com/cachix/install-nix-action@v31 - uses: https://github.com/cachix/install-nix-action@v31
with:
extra_nix_config: |
show-trace = true
max-jobs = auto
trusted-users = root
experimental-features = nix-command flakes
build-users-group =
- run: nix flake check - run: nix flake check

27
.sops.yaml
View File

@@ -10,7 +10,6 @@ keys:
- &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune - &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
# Hosts # Hosts
- &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx - &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
- &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0 - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
@@ -20,7 +19,6 @@ keys:
- &host_lupine-3 age1wmrrhd5deatmgflkas636u3rzuk46u9knl02v4t39ncs37xqquhq9vwzye - &host_lupine-3 age1wmrrhd5deatmgflkas636u3rzuk46u9knl02v4t39ncs37xqquhq9vwzye
- &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l - &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l
- &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn - &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn
- &host_skrott age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8 - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
- &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr - &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
@@ -123,31 +121,6 @@ creation_rules:
pgp: pgp:
- *user_oysteikt - *user_oysteikt
- path_regex: secrets/bakke/[^/]+\.yaml$
key_groups:
- age:
- *host_bakke
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
- path_regex: secrets/skrott/[^/]+\.yaml$
key_groups:
- age:
- *host_skrott
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
- path_regex: secrets/skrot/[^/]+\.yaml$ - path_regex: secrets/skrot/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:

4
README.md
View File

@@ -43,7 +43,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
| [kommode][kom] | Virtual | Gitea + Gitea pages | | [kommode][kom] | Virtual | Gitea + Gitea pages |
| [lupine][lup] | Physical | Gitea CI/CD runners | | [lupine][lup] | Physical | Gitea CI/CD runners |
| shark | Virtual | Test host for authentication, absolutely horrendous | | shark | Virtual | Test host for authentication, absolutely horrendous |
| [skrot/skrott][skr] | Physical | Kiosk, snacks and soda | | [skrot][skr] | Physical | Kiosk, snacks and soda |
| [wenche][wen] | Virtual | Nix-builders, general purpose compute | | [wenche][wen] | Virtual | Nix-builders, general purpose compute |
## Documentation ## Documentation
@@ -60,5 +60,5 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
[ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
[kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
[lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott [skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrot
[wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche

5
base/default.nix
View File

@@ -10,7 +10,10 @@
(fp /users) (fp /users)
(fp /modules/snakeoil-certs.nix) (fp /modules/snakeoil-certs.nix)
./mitigations.nix
./flake-input-exporter.nix ./flake-input-exporter.nix
./hardening.nix
./networking.nix ./networking.nix
./nix.nix ./nix.nix
./programs.nix ./programs.nix
@@ -68,8 +71,6 @@
fi fi
''; '';
# security.lockKernelModules = true;
security.protectKernelImage = true;
security.sudo.execWheelOnly = true; security.sudo.execWheelOnly = true;
security.sudo.extraConfig = '' security.sudo.extraConfig = ''
Defaults lecture = never Defaults lecture = never

64
base/hardening.nix Normal file
View File

@@ -0,0 +1,64 @@
{ ... }:
{
boot.blacklistedKernelModules = [
# Obscure network protocols
"appletalk"
"atm"
"ax25"
"batman-adv"
"can"
"netrom"
"psnap"
"rds"
"rose"
"sctp"
"tipc"
# Filesystems we don't use
"adfs"
"affs"
"befs"
"bfs"
"cifs"
"cramfs"
"efs"
"exofs"
"orangefs"
"freevxfs"
"gfs2"
"hfs"
"hfsplus"
"hpfs"
"jffs2"
"jfs"
"minix"
"nilfs2"
"ntfs"
"omfs"
"qnx4"
"qnx6"
"sysv"
"ubifs"
"ufs"
# Legacy hardware
"pcspkr"
"floppy"
"parport"
"ppdev"
# Other stuff we don't use
"firewire-core"
"firewire-ohci"
"ksmbd"
"ib_core"
"l2tp_eth"
"l2tp_netlink"
"l2tp_ppp"
"nfc"
"soundwire"
];
# security.lockKernelModules = true;
security.protectKernelImage = true;
}

17
base/mitigations.nix Normal file
View File

@@ -0,0 +1,17 @@
{ ... }:
{
boot.blacklistedKernelModules = [
"rxrpc" # dirtyfrag
"esp6" # dirtyfrag
"esp4" # dirtyfrag
];
boot.extraModprobeConfig = ''
# dirtyfrag
install esp4 /bin/false
# dirtyfrag
install esp6 /bin/false
# dirtyfrag
install rxrpc /bin/false
'';
}

29
flake.lock generated
View File

@@ -232,11 +232,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1774824790, "lastModified": 1777808420,
"narHash": "sha256-3R2aoykbutdJ7YQaZiU7uO8w4O8b6RjztTPNo8isLTI=", "narHash": "sha256-hh9XBz0K1ypZ+neezgIPCSsnWFKEq8VfV/1aUSPu3OA=",
"owner": "oddlama", "owner": "oddlama",
"repo": "nix-topology", "repo": "nix-topology",
"rev": "5765ce41be8a4fb5471a57671c2b740a350c5da0", "rev": "28e9dc901ff38a8fa2d24bccd5f89511d6d8324e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -248,11 +248,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1775064210, "lastModified": 1778125667,
"narHash": "sha256-bEqbUNAnoyNZzd8rrhS8QETdDWr+vYzZeaggBLmFLIA=", "narHash": "sha256-swcxqlW+XrZFBqjcV3AV8AR64/eI234AZRFKs6q4DFo=",
"rev": "9d1c3efdc713c1ed9679796c08a1a8a193e4704e", "rev": "75636a69ad3115ff64d4cb3090e66c8275dda9c2",
"type": "tarball", "type": "tarball",
"url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.8497.9d1c3efdc713/nixexprs.tar.xz" "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.10534.75636a69ad31/nixexprs.tar.xz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@@ -276,11 +276,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1777014002, "lastModified": 1778157832,
"narHash": "sha256-urhq48kYlNYbkGXQ/f3NjzJTGfMdG8GmJQbgFLcrcV0=", "narHash": "sha256-lSl05j1UzI5MioSJWUa7oUp5a88zzv3sXMwWC4d1N70=",
"rev": "15ebe06759175c2e98dba23c0b125913589094e7", "rev": "ec299c6a33eee9baf5b4d72881ca2f15c06b4f01",
"type": "tarball", "type": "tarball",
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre986338.15ebe0675917/nixexprs.tar.xz" "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre993859.ec299c6a33ee/nixexprs.tar.xz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@@ -390,6 +390,7 @@
}, },
"original": { "original": {
"ref": "main", "ref": "main",
"rev": "16b2bc5c2759e20ecb952374509f1e1f9d6c06e7",
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git" "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
} }
@@ -464,11 +465,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1774910634, "lastModified": 1777944972,
"narHash": "sha256-B+rZDPyktGEjOMt8PcHKYmgmKoF+GaNAFJhguktXAo0=", "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "19bf3d8678fbbfbc173beaa0b5b37d37938db301", "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
"type": "github" "type": "github"
}, },
"original": { "original": {

53
flake.nix
View File

@@ -32,7 +32,7 @@
minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main"; minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs"; minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main"; roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main&rev=16b2bc5c2759e20ecb952374509f1e1f9d6c06e7";
roowho2.inputs.nixpkgs.follows = "nixpkgs"; roowho2.inputs.nixpkgs.follows = "nixpkgs";
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main"; greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
@@ -62,9 +62,11 @@
importantMachines = [ importantMachines = [
"bekkalokk" "bekkalokk"
"bicep" "bicep"
"brzeczyszczykiewicz"
"georg" "georg"
"ildkule" "ildkule"
"kommode"
"lupine-1"
"skrot"
]; ];
in { in {
inputs = lib.mapAttrs (_: src: src.outPath) inputs; inputs = lib.mapAttrs (_: src: src.outPath) inputs;
@@ -147,11 +149,6 @@
stableNixosConfig = name: extraArgs: stableNixosConfig = name: extraArgs:
nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs; nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
in { in {
bakke = stableNixosConfig "bakke" {
modules = [
inputs.disko.nixosModules.disko
];
};
bicep = stableNixosConfig "bicep" { bicep = stableNixosConfig "bicep" {
modules = [ modules = [
inputs.matrix-next.nixosModules.default inputs.matrix-next.nixosModules.default
@@ -238,38 +235,6 @@
}; };
} }
// //
(let
skrottConfig = {
modules = [
(nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
inputs.dibbler.nixosModules.default
];
overlays = [
inputs.dibbler.overlays.default
(final: prev: {
# NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
atool = prev.emptyDirectory;
micro = prev.emptyDirectory;
ncdu = prev.emptyDirectory;
})
];
};
in {
skrott = self.nixosConfigurations.skrott-native;
skrott-native = stableNixosConfig "skrott" (skrottConfig // {
localSystem = "aarch64-linux";
crossSystem = "aarch64-linux";
});
skrott-cross = stableNixosConfig "skrott" (skrottConfig // {
localSystem = "x86_64-linux";
crossSystem = "aarch64-linux";
});
skrott-x86_64 = stableNixosConfig "skrott" (skrottConfig // {
localSystem = "x86_64-linux";
crossSystem = "x86_64-linux";
});
})
//
(let (let
machineNames = map (i: "lupine-${toString i}") (lib.range 1 5); machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
stableLupineNixosConfig = name: extraArgs: stableLupineNixosConfig = name: extraArgs:
@@ -340,16 +305,6 @@
lib.genAttrs allMachines lib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel) (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
// //
# Skrott is exception
{
skrott = self.packages.${system}.skrott-native-sd;
skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
}
//
# Nix-topology # Nix-topology
(let (let
topology' = import inputs.nix-topology { topology' = import inputs.nix-topology {

18
hosts/bakke/configuration.nix
View File

@@ -1,18 +0,0 @@
{ config, pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base
./filesystems.nix
];
networking.hostId = "99609ffc";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0";
address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "24.05";
}

83
hosts/bakke/disks.nix
View File

@@ -1,83 +0,0 @@
{
# https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
# Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
disko.devices = {
disk = {
one = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
type = "EF00";
content = {
type = "mdraid";
name = "boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
two = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
type = "EF00";
content = {
type = "mdraid";
name = "boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
};
mdadm = {
boot = {
type = "mdadm";
level = 1;
metadata = "1.0";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
raid1 = {
type = "mdadm";
level = 1;
content = {
type = "gpt";
partitions.primary = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
}

26
hosts/bakke/filesystems.nix
View File

@@ -1,26 +0,0 @@
{ pkgs,... }:
{
# Boot drives:
boot.swraid.enable = true;
# ZFS Data pool:
boot = {
zfs = {
extraPools = [ "tank" ];
requestEncryptionCredentials = false;
};
supportedFilesystems.zfs = true;
# Use stable linux packages, these work with zfs
kernelPackages = pkgs.linuxPackages;
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
# NFS Exports:
#TODO
# NFS Import mounts:
#TODO
}

52
hosts/bakke/hardware-configuration.nix
View File

@@ -1,52 +0,0 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=nix" "noatime" ];
};
fileSystems."/boot" =
{ device = "/dev/sdc2";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

10
hosts/bekkalokk/services/website/fetch-gallery.nix
View File

@@ -47,8 +47,8 @@ in {
}} }}
# Delete files and directories that exists in the gallery that don't exist in the tarball # Delete files and directories that exists in the gallery that don't exist in the tarball
filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||'))) filesToRemove=$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))
while IFS= read fname; do while IFS= read -r fname; do
rm -f "$fname" ||: rm -f "$fname" ||:
rm -f ".thumbnails/$fname.png" ||: rm -f ".thumbnails/$fname.png" ||:
done <<< "$filesToRemove" done <<< "$filesToRemove"
@@ -56,9 +56,9 @@ in {
find . -type d -empty -delete find . -type d -empty -delete
mkdir -p .thumbnails mkdir -p .thumbnails
images=$(find . -type f -not -path "./.thumbnails*") images=$(find . -type f -not -path './.thumbnails*')
while IFS= read fname; do while IFS= read -r fname; do
# Skip this file if an up-to-date thumbnail already exists # Skip this file if an up-to-date thumbnail already exists
if [ -f ".thumbnails/$fname.png" ] && \ if [ -f ".thumbnails/$fname.png" ] && \
[ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ] [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
@@ -67,7 +67,7 @@ in {
fi fi
echo "Creating thumbnail for $fname" echo "Creating thumbnail for $fname"
mkdir -p $(dirname ".thumbnails/$fname") mkdir -p "$(dirname ".thumbnails/$fname")"
magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||: magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png" touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
done <<< "$images" done <<< "$images"

2
hosts/bicep/services/mysql/backup.nix
View File

@@ -57,7 +57,7 @@ in
rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||: rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)" rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done done
''; '';

2
hosts/bicep/services/postgresql/backup.nix
View File

@@ -58,7 +58,7 @@ in
rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||: rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)" rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done done
''; '';

2
hosts/ildkule/services/monitoring/prometheus/machines.nix
View File

@@ -30,8 +30,6 @@ in {
(mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "skrott" [ defaultNodeExporterPort defaultSystemdExporterPort ])
(mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ]) (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ]) (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ]) (mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])

24
hosts/kommode/services/gitea/customization/default.nix
View File

@@ -99,23 +99,23 @@ in
]; ];
} '' } ''
# Bigger icons # Bigger icons
install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl" install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl"
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl" sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
''; '';
in '' in ''
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png install -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png install -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl install -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'
install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl install -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml install -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'
install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png install -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'
install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png install -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'
install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png install -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'
install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png install -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/ '${lib.getExe pkgs.rsync}' -a '${customTemplates}/' '${cfg.customDir}/templates/'
''; '';
}; };
} }

112
hosts/skrott/configuration.nix
View File

@@ -1,112 +0,0 @@
{ config, pkgs, lib, modulesPath, fp, values, ... }: {
imports = [
(modulesPath + "/profiles/perlless.nix")
(fp /base)
];
# Disable import of a bunch of tools we don't need from nixpkgs.
disabledModules = [ "profiles/base.nix" ];
sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
boot = {
consoleLogLevel = 0;
enableContainers = false;
loader.grub.enable = false;
loader.systemd-boot.enable = false;
kernelPackages = pkgs.linuxPackages;
};
hardware = {
enableAllHardware = lib.mkForce false;
firmware = [ pkgs.raspberrypiWirelessFirmware ];
};
# Now turn off a bunch of stuff lol
# TODO: can we reduce further?
# See also https://nixcademy.com/posts/minimizing-nixos-images/
system.autoUpgrade.enable = lib.mkForce false;
services.irqbalance.enable = lib.mkForce false;
services.logrotate.enable = lib.mkForce false;
services.nginx.enable = lib.mkForce false;
services.postfix.enable = lib.mkForce false;
services.smartd.enable = lib.mkForce false;
services.udisks2.enable = lib.mkForce false;
services.thermald.enable = lib.mkForce false;
services.promtail.enable = lib.mkForce false;
# There aren't really that many firmware updates for rbpi3 anyway
services.fwupd.enable = lib.mkForce false;
documentation.enable = lib.mkForce false;
environment.enableAllTerminfo = lib.mkForce false;
programs.neovim.enable = lib.mkForce false;
programs.zsh.enable = lib.mkForce false;
programs.git.package = pkgs.gitMinimal;
nix.registry = lib.mkForce { };
nix.nixPath = lib.mkForce [ ];
sops.secrets = {
"dibbler/postgresql/password" = {
owner = "dibbler";
group = "dibbler";
};
};
# zramSwap.enable = true;
networking = {
hostName = "skrott";
defaultGateway = values.hosts.gateway;
defaultGateway6 = values.hosts.gateway6;
interfaces.eth0 = {
useDHCP = false;
ipv4.addresses = [{
address = values.hosts.skrott.ipv4;
prefixLength = 25;
}];
ipv6.addresses = [{
address = values.hosts.skrott.ipv6;
prefixLength = 25;
}];
};
};
services.dibbler = {
enable = true;
kioskMode = true;
limitScreenWidth = 80;
limitScreenHeight = 42;
settings = {
general.quit_allowed = false;
database = {
type = "postgresql";
postgresql = {
username = "pvv_vv";
dbname = "pvv_vv";
host = "postgres.pvv.ntnu.no";
password_file = config.sops.secrets."dibbler/postgresql/password".path;
};
};
};
};
# https://github.com/NixOS/nixpkgs/issues/84105
boot.kernelParams = lib.mkIf (!config.virtualisation.isVmVariant) [
"console=ttyUSB0,9600"
# "console=tty1" # Already part of the module
];
systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
enable = true;
wantedBy = [ "getty.target" ]; # to start at boot
serviceConfig.Restart = "always"; # restart when session is closed
};
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11";
}

2
hosts/temmie/configuration.nix
View File

@@ -6,7 +6,7 @@
(fp /base) (fp /base)
./services/nfs-mounts.nix ./services/nfs-mounts.nix
./services/userweb.nix ./services/userweb
]; ];
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {

187
hosts/temmie/services/userweb.nix → hosts/temmie/services/userweb/default.nix
View File

@@ -7,9 +7,26 @@ let
# https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
phpEnv = pkgs.php.buildEnv { phpEnv = pkgs.php.buildEnv {
extensions = { all, ... }: with all; [ extensions = { all, ... }: with all; [
bz2
curl
decimal
gd
imagick imagick
opcache mysqli
protobuf mysqlnd
pgsql
posix
protobuf sqlite3
uuid
xml
xsl
zlib
zstd
pdo
pdo_mysql
pdo_pgsql
pdo_sqlite
]; ];
extraConfig = '' extraConfig = ''
@@ -25,38 +42,15 @@ let
pkgs.irssi pkgs.irssi
pkgs.nix.libs.nix-perl-bindings pkgs.nix.libs.nix-perl-bindings
AlgorithmDiff
AnyEvent
AnyEventI3
ArchiveZip
CGI CGI
CPAN
CPANPLUS
DBDPg DBDPg
DBDSQLite DBDSQLite
DBDmysql
DBI DBI
EmailAddress
EmailSimple
Env
Git Git
HTMLMason
HTMLParser
HTMLTagset
HTTPDAV
HTTPDaemon
ImageMagick ImageMagick
JSON JSON
LWP TemplateToolkit
MozillaCA
PathTiny
Switch
SysSyslog
TestPostgreSQL
TextPDF
TieFile
Tk
URI
XMLLibXML
]); ]);
# https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
@@ -70,102 +64,88 @@ let
ignoreCollisions = true; ignoreCollisions = true;
}; };
sendmailWrapper = pkgs.writeShellApplication {
name = "sendmail";
runtimeInputs = [ ];
text = ''
args=("$@")
if [[ "''${PWD:-}" =~ ^/home/pvv/[^/]+/([^/]+) ]] && [[ "''${BASH_REMATCH[1]}" != "pvv" ]]; then
# Prepend -fusername to the argument list, so bounces go to the user
args=("-f''${BASH_REMATCH[1]}" "''${args[@]}")
fi
exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
'';
};
# https://nixos.org/manual/nixpkgs/stable/#sec-building-environment # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
fhsEnv = pkgs.buildEnv { fhsEnv = pkgs.buildEnv {
name = "userweb-env"; name = "userweb-env";
ignoreCollisions = true;
paths = with pkgs; [ paths = with pkgs; [
bash bash
sendmailWrapper
perlEnv perlEnv
pythonEnv pythonEnv
phpEnv phpEnv
] ]
++ (with phpEnv.packages; [ ++ (with phpEnv.packages; [
# composer # composer
]) ])
++ [ ++ [
# Useful packages for homepages
exiftool
gnuplot
ikiwiki-full
imagemagick
jhead
ruby
sbcl
sourceHighlight
# Missing packages from tom
# blosxom
# pyblosxom
# mediawiki (TODO: do people host their own mediawikis in userweb?)
# nanoblogger
# Version control
cvs
rcs
git
# Compression/Archival
bzip2
gnutar
gzip
lz4
unzip
xz
zip
zstd
# Other tools you might expect to find on a normal system
acl acl
aspell
autoconf
autotrash
bazel
bintools
bison
bsd-finger
catdoc
ccache
clang
cmake
coreutils-full coreutils-full
curl curl
devcontainer
diffutils diffutils
emacs
# exiftags
exiftool
ffmpeg
file file
findutils findutils
gawk gawk
gcc
glibc
gnugrep gnugrep
gnumake gnumake
gnupg gnupg
gnuplot
gnused gnused
gnutar
gzip
html-tidy
imagemagick
inetutils
iproute2
jhead
less less
libgcc man
lndir
mailutils
man # TODO: does this one want a mandb instance?
meson
more
mpc
mpi
mplayer
ninja
nix
openssh
openssl
patchelf
pkg-config
ppp
procmail
procps
qemu
rc
rhash
rsync
ruby # TODO: does this one want systemwide packages?
salt
sccache
sourceHighlight
spamassassin
strace
subversion
system-sendmail
systemdMinimal
texliveMedium
tmux
unzip
util-linux util-linux
valgrind
vim vim
wget wget
which which
wine
xdg-utils xdg-utils
zip
zstd
]; ];
extraOutputsToInstall = [ extraOutputsToInstall = [
@@ -175,6 +155,10 @@ let
}; };
in in
{ {
imports = [
./mail.nix
];
services.httpd = { services.httpd = {
enable = true; enable = true;
adminAddr = "drift@pvv.ntnu.no"; adminAddr = "drift@pvv.ntnu.no";
@@ -231,6 +215,25 @@ in
AllowOverride All AllowOverride All
Require all granted Require all granted
</Directory> </Directory>
<DirectoryMatch "^/home/pvv/.*/web-docs/(${lib.concatStringsSep "|" [
"\\.git"
"\\.hg"
"\\.svn"
"\\.ssh"
"\\.env"
"\\.envrc"
"\\.bzr"
"\\.venv"
"CVS"
"RCS"
".*\\.swp"
".*\\.bak"
".*~"
]})(/|$)">
AllowOverride All
Require all denied
</DirectoryMatch>
''; '';
}; };
}; };

34
hosts/temmie/services/userweb/mail.nix Normal file
View File

@@ -0,0 +1,34 @@
{ config, lib, pkgs, ... }:
{
services.postfix.enable = lib.mkForce false;
services.nullmailer = {
enable = true;
config = {
me = config.networking.fqdn;
remotes = "mail.pvv.ntnu.no smtp --port=25";
};
};
systemd.sockets.userweb-sendmail-sandbox-proxy = {
wantedBy = [ "sockets.target" ];
listenStreams = [ "/run/userweb-sendmail-sandbox-proxy.sock" ];
socketConfig = {
# Accept = true;
SocketUser = "httpd";
SocketGroup = "httpd"; # TODO: is wwwrun(54) in this group?
SocketMode = "0660";
};
};
systemd.services.userweb-sendmail-sandbox-proxy = {
serviceConfig = {
User = "root";
Group = "root";
Sockets = [
"userweb-sendmail-sandbox-proxy.socket"
];
ExecStart = "${lib.getExe pkgs.hello}";
};
};
}

30
modules/matrix-ooye.nix
View File

@@ -77,29 +77,29 @@ in
id id
echo "Before if statement" echo "Before if statement"
stat ''${REGISTRATION_FILE} stat "''${REGISTRATION_FILE}"
if [[ ! -f ''${REGISTRATION_FILE} ]]; then if [[ ! -f "''${REGISTRATION_FILE}" ]]; then
echo "No registration file found at '$REGISTRATION_FILE'" echo "No registration file found at '$REGISTRATION_FILE'"
cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE} cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}"
fi fi
echo "After if statement" echo "After if statement"
stat ''${REGISTRATION_FILE} stat "''${REGISTRATION_FILE}"
AS_TOKEN=$(${lib.getExe pkgs.jq} -r .as_token ''${REGISTRATION_FILE}) AS_TOKEN="$('${lib.getExe pkgs.jq}' -r .as_token "''${REGISTRATION_FILE}")"
HS_TOKEN=$(${lib.getExe pkgs.jq} -r .hs_token ''${REGISTRATION_FILE}) HS_TOKEN="$('${lib.getExe pkgs.jq}' -r .hs_token "''${REGISTRATION_FILE}")"
DISCORD_TOKEN=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token) DISCORD_TOKEN="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)"
DISCORD_CLIENT_SECRET=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret) DISCORD_CLIENT_SECRET="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)"
# Check if we have all required tokens # Check if we have all required tokens
if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then
AS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64) AS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)"
echo "Generated new AS token: ''${AS_TOKEN}" echo "Generated new AS token: ''${AS_TOKEN}"
fi fi
if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then
HS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64) HS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)"
echo "Generated new HS token: ''${HS_TOKEN}" echo "Generated new HS token: ''${HS_TOKEN}"
fi fi
@@ -115,13 +115,13 @@ in
exit 1 exit 1
fi fi
shred -u ''${REGISTRATION_FILE} shred -u "''${REGISTRATION_FILE}"
cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE} cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}"
${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp '${lib.getExe pkgs.jq}' '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' "''${REGISTRATION_FILE}" > "''${REGISTRATION_FILE}.tmp"
shred -u ''${REGISTRATION_FILE} shred -u "''${REGISTRATION_FILE}"
mv ''${REGISTRATION_FILE}.tmp ''${REGISTRATION_FILE} mv "''${REGISTRATION_FILE}.tmp" "''${REGISTRATION_FILE}"
''; '';
in in

20
modules/snakeoil-certs.nix
View File

@@ -51,24 +51,24 @@ in
script = let script = let
openssl = lib.getExe pkgs.openssl; openssl = lib.getExe pkgs.openssl;
in lib.concatMapStringsSep "\n" ({ name, value }: '' in lib.concatMapStringsSep "\n" ({ name, value }: ''
mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}") mkdir -p "$(dirname '${value.certificate}')" "$(dirname '${value.certificateKey}')"
if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate} if ! ${openssl} x509 -checkend 86400 -noout -in '${value.certificate}'
then then
echo "Regenerating '${value.certificate}'" echo "Regenerating '${value.certificate}'"
${openssl} req \ ${openssl} req \
-newkey rsa:4096 \ -newkey rsa:4096 \
-new -x509 \ -new -x509 \
-days "${toString value.daysValid}" \ -days '${toString value.daysValid}' \
-nodes \ -nodes \
-subj "${value.subject}" \ -subj '${value.subject}' \
-out "${value.certificate}" \ -out '${value.certificate}' \
-keyout "${value.certificateKey}" \ -keyout '${value.certificateKey}' \
${lib.escapeShellArgs value.extraOpenSSLArgs} ${lib.escapeShellArgs value.extraOpenSSLArgs}
fi fi
chown "${value.owner}:${value.group}" "${value.certificate}" chown '${value.owner}:${value.group}' '${value.certificate}'
chown "${value.owner}:${value.group}" "${value.certificateKey}" chown '${value.owner}:${value.group}' '${value.certificateKey}'
chmod "${value.mode}" "${value.certificate}" chmod '${value.mode}' '${value.certificate}'
chmod "${value.mode}" "${value.certificateKey}" chmod '${value.mode}' '${value.certificateKey}'
echo "\n-----------------\n" echo "\n-----------------\n"
'') (lib.attrsToList cfg); '') (lib.attrsToList cfg);

2
packages/mediawiki-extensions/update-mediawiki-extensions.py
View File

@@ -83,7 +83,7 @@ def get_newest_commit(project_name: str, tracking_branch: str) -> str:
content = requests.get(f"{BASE_WEB_URL}/{project_name}/+log/refs/heads/{tracking_branch}/").text content = requests.get(f"{BASE_WEB_URL}/{project_name}/+log/refs/heads/{tracking_branch}/").text
soup = bs4.BeautifulSoup(content, features="html.parser") soup = bs4.BeautifulSoup(content, features="html.parser")
try: try:
a = soup.find('li').findChild('a') a = soup.find('li').find('a')
commit_sha = a['href'].split('/')[-1] commit_sha = a['href'].split('/')[-1]
except AttributeError: except AttributeError:
print(f"ERROR: Could not parse page for {project_name}:") print(f"ERROR: Could not parse page for {project_name}:")

99
secrets/bakke/bakke.yaml
View File

@@ -1,99 +0,0 @@
hello: ENC[AES256_GCM,data:+GWORSIf9TxmJLw1ytZwPbve2yz5H9ewVE5sOpQzkrRpct6Wes+vTE19Ij8W1g==,iv:C/WhXNBBM/bidC9xynZzk34nYXF3mUjAd4nPXpUlYHs=,tag:OJXSwuI8aNDnHFFTkwyGBQ==,type:str]
example_key: ENC[AES256_GCM,data:ojSsrFYo5YD0YtiqcA==,iv:nvNtG6c0OqnQovzWQLMjcn9vbQ4PPYSv2B43Y8z0h5s=,tag:+h7YUNRA2MTvwGJq1VZW8g==,type:str]
#ENC[AES256_GCM,data:6EvhlBtrl5wqyf6UAGwY8Q==,iv:fzLUjBzyuT17FcP8jlmLrsKW46pu6/lAvAVLHBxje6k=,tag:n+qR1NUqa91uFRIpALKlmw==,type:comment]
example_array:
- ENC[AES256_GCM,data:A38KXABxJzMoKitKpHo=,iv:OlRap3R//9tvKdPLz7uP+lvBa/fD0W8xFzdxIKKFi4E=,tag:QKizPN1fYOv5zZlMVgTIOQ==,type:str]
- ENC[AES256_GCM,data:8X2iVkHQtQMReopWdgM=,iv:2Wq3QOadwd3G3ROXNe7JQD4AL/5H/WV19TBEbxijG/8=,tag:tikKT9Wvzm4Vz5aoy6w9WQ==,type:str]
example_number: ENC[AES256_GCM,data:0K05hiSPh2Ok1A==,iv:IVRo61xkKugv4OiPm0vt9ODm5DC1DzJFdlgQJb1TfTg=,tag:o3xXygVEUD4jaGSJr0Nxtw==,type:float]
example_booleans:
- ENC[AES256_GCM,data:zoykmQ==,iv:1JGy1Cg5GdAiod9qPSzW+wsG6rUgUJyYMEE4k576Tlk=,tag:RUCbytPpo78bqlAVEUsbLg==,type:bool]
sops:
age:
- recipient: age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOE50MkkxV1p0UlVUT0dE
WCtLMEk0ZSttY25UMjNHSHB1QzJ4N2l5WnpFCkNpdmlCY1VxWVo0ZStVclZ0amo4
dGhSRWY1SElRZXZzdWo5UDNjUHMzUjAKLS0tIDI3elNXSXJHQU5qb3hCSHYwWnoy
N3BhNmJQZjIrbWlVRytxZ3dFMjBtL1kKn7/DTPfJtdBomSplnBomYhsxJbX7kJQa
1Qsr+bmugWxHFIPhoDwPIBpChQkLvAo8exQpduos18FsXgvMmB0guQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXdnNSSEJoaUQwdTNTMDY4
QUxuLzRIWVNkM25QNTZ5VTBwQlYvT2p3SURzCnJmd2g1YUY0cmdLL3FkQTQ4NURL
YncyY3VROTFUeDc5ZlB1aWdXVGNNdjgKLS0tIEtXeDdRLzl4RXhpS2o5ZUE4YkpI
RjBObVhlWncrRnVidEtGN2N0ZitzNlUK/ooEeWCY5nDgny43q45wvl/e6qq/X4B/
7Q/DPj13BcrWRgoCYeHlq6VlIerz5ERNgxyR/qKuVSGAVroSVY6spA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRy9CaHY1WEEzOXdUSjd2
aFlGU3NGcW5MeHg3U2d0UEk0SXJIcmg4RVFzCkpwODhBWld6T1VNS2haSkpxL0hn
b0VRWVNFcTE5c0t3VkFZQ1R1d2dnbmMKLS0tIDdNMHBrU0RRSmlBZUJobXQxZUt2
MzZSYlM5bjYzUlRYNXkzNzZlWmx3L0UKkH6WOXHFRRbCprSjxcONSVUN/9NEQvtS
Jg+dJSMviq6GvUfUNmNvPJHfyy+CYT6a2Zd+4NdYCetRLsRJPc6p3A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUckpiMzYrU1NnNFJ4MGps
OEt0c0o3Ty9QejhEM29wZFMrNTNyMHlHWlRBCnBHUUdvcmxoL0FqVEtBSHlma25P
c2tITUtZTGVzOGdidC84OUYvRlpxSjAKLS0tIFNMVmdiWmJNZUdLS1g3T3ZINUh6
Mjg5RHdKYnV3Z2V0L3E3ZlA2WDB0WlkKJr4Vg6rnKqGpL6N143QYfLqS4lQIED/J
SYQds8mCiyCNGvV6ON4k096jXcuMAZ1w+0bA16AHlTXnqgIgfaHpKA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHL1QvSUlWUTN4OTBKOURa
VkVVb29McWgxa3gwb2lkVTdSZmUrVVZpSERjCm9oTTFRckg3SUM1a0tJRVlaU3RL
dUtsU0FpY1JyNkx6K1U1MWcrSjNYbUUKLS0tICtvTjJVdG1PSXF4TVltZ204SnVu
VE9aT3l2dGgxMWNHUXQ0bDN2RjVOek0KwOa/vczHZa+SRr8j6KvkfZZ0kajxXOq0
5AoDz2Mtcs+qBctTuogdLCZoL2ZpRVV7v1dGI+Fm1cVLoutV19IvTQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWVFp0ZlRhU29DNUhMSmRy
Y3VVV2pmajJmaU9qN0tHR1E3ekFMS3o0K2pRClIwek5GYzNNZEliK2ZTT1NVZklQ
YWpqY3poN0E1ZTVOTVRhL3FQSVZmZW8KLS0tIHpuWktoa1EwcXc1bEJJYk5VbEw3
blE2VXBuTDdlbHJTVjRzOWdyem1UWTQKg5uZRhcLpmiVcadqdJoscqsBD2u6UGx+
qT0IoSVOzsBlJw2t9rH1zR7WfRSlCXT1NYzu9aTWGqQaB8qvEtyk4g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdjhMM1ZpM2xFVXlvOXZK
MlRZT2U5YzhMUVR1L0FqVVdiSTFTYUpyN25rCjB6ajMwTnNTaWk5d21vM0Zza243
dHhSOHM0c3cwS1c5dGxhbzBNVm9DeFEKLS0tIEpOY1lWVE04UkNYNDdCcUdnTUhI
NC9xOENWZUNyay9SeXRjSUdkMlE4UXcKiygSIWelRUZQPbiK2ASQya7poe1KCXmo
XIlgOaUe1+lvY8s2bjdud0+7QlPOKeyciCSFNNqIxzHMYSEKwNCbpg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-15T21:42:17Z"
mac: ENC[AES256_GCM,data:2gH/ZaxSA6ShRu53dxj7V3jk7FsVdYS+PSHQyFT8qMvKM1hsQ/nWrKt00PUl9I7Gb4uomP9Ga3SyphYOXRBzKoV+x52oEWOJE3Q4iPrwdCkyHlxEezhTd/ZRQVatG6dvHpLuDNS9Dyph4f7Mw5USI+m4WeVdgCvHTydw+4KIfP4=,iv:yimfq96WVsagvKr8HTg1RdZBSrVGcCWPvv8XOXkOfcg=,tag:zHzdrE0PX5+AeD2lpqeJVQ==,type:str]
pgp:
- created_at: "2026-01-16T06:34:38Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ/+O1tft/OfS52K8cmcQE7I7aFb85P2L+7u1TdmTjHwNFkC
3jhvzPkNDQDkMIc5EPZKX5WLUS8F1UaqCw4b8zZtqoTqKDpu0S92KL500iXwBxft
D3cRMFFb6GBoSlPJVBt6LMRJjGLWCkBihlYL1AknoVV7VERj8m1cvcstdp3qbEd7
c+X6t5B+7N0/QPdh2KyrHWXyCzFc/6emVjNGy2EoXRt7idFF2yTbafobCs/hZ8LZ
RJyhpGyR9QPtAwFP9Und62tCd4ZwG5FazZBLevRrmD7AOW1WnQhyYvxBvqQp/Oz+
lFmhcirLw5CaC1AbF2k3uNoAHXVWyexaQeu2gsNYXq+lpsdCWT8WtrAtNCyC2StI
PtdrdQ9oikJptmoWQ0zEBXKXdV8AhukLSX0wtis74KbmcS+2YyNKvQksGF2ZfHBh
U9ycfJr1kwm7TAg5Lg6XOmKrdOJkPoIcUCk2QW7MfS3nwwMLt3BjhhpRVUfeUmjB
Jjjs+jUXEusnmwmvGGgEU2pT944FLuFClSI8JTnIZ61YkjF7zAtrURvsNKlqu/UG
JLrWR+dnnh1YK0qQEcqt6giNSX2IWrw5SpJ8Jekt0TWfB1HDHybQUyFC/n/je/XK
0ouAeDL9oqh0eRU3ng4KKhOXNn+WO3/HrnG//KFwokc//BNNvP8qM0CTtPQbQ1HS
XgFjhTfzV0T4LyUryuict4rLVI+DDbzWGRp0umdobvQE1CGLhKCanrd2/Ng6fAny
9G09vYF5zK95uzqFBCTh1zFr6+rhfbMI501TwBu1KxOaJdYs3vzLiTGWoyI48JM=
=5fyo
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.8.1

93
secrets/skrott/skrott.yaml
View File

@@ -1,93 +0,0 @@
dibbler:
postgresql:
password: ENC[AES256_GCM,data:2n85TO709GJc7/qoYp2RXO8Ttfo=,iv:5ZCZPEQQXPGYfDd1qPhDwDfm1Gds1M8PEX9IiCsHcrw=,tag:PAseyFBAe56pLj5Uv8Jd7A==,type:str]
sops:
age:
- recipient: age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNdjk1L1N4QU5SK3pjTit6
V0hIZHhyOW9Rc2xWdE9yN0tmMG93V0IzZzA4Ck5OSUlRTE5mVGZtMTl3NDh1QzA2
Uk9RVnRENmVnQUZuQUVSeGxBS0VaK2sKLS0tIHRHbUUzcmlQbW0weXU0eWJKVmVT
ZUxJKzV3UDVVSW11SHRrWGxOSmgrZk0KyWxjEmCvNhiZfgXfObQfQ5riscy0mLFn
3pslIN7fbxgxnEVyAhl9FOUS65GrmWrrhvN0pkIpgMw1cqtCrZHxyw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoVFh2WC9iVHpURDBzckdB
UjVGcHkyR3V6VHVMbXc4c21ob1lSMDRWeW44ClgzRXhLY2RYN2hleDNLWHoyeXVm
T2xJMlNZMml2NGZDNmlQWGp6RXJRQ1EKLS0tIGNmK0lGdjRLM3l4S3JVazZ0MkFU
SzZOMFNvcGZRcjJsU242cnZ4NU9OZmcKxlRdhZlXP4KQBHFLFt195H5R33hLuQ0O
bVHtQk00IZmMPq4R4aOc0WMkuJxcFaLi0YDQigcFtReSvWDhTHns7A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBua0cvc21qeFp4d1NZZ0Vw
aWhldXVjUm1wSmJPdnpZV1JvTVowSWw4RVU0CngzUWkrcXA1TkpZN1M4QVBCS0pX
Z0w5aURoQU9Xck1RckNsRTlGeWk2N2cKLS0tIFlSdG05V2l6eStURDJVTXEzc0Zh
U2tFemF1djFGeVFQYWg5NjFhdW13Vm8K/QztsuBUcmJNBta3R7uYHGzqKOCRus3s
bFd2AOC0PNqvAe8e5q2XYf87MUt/U6AaFjroaDpoC3IUI2+qLJDXDA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkcUVib2tsd3lNS0VmOGNS
WWR6NDE5RWw3bStqVjRtdWFSM1E2QUp2cEg0Cm0zdjE3eVpUS3M1L241akM3cyta
WGVFVGtQVnQ1d2U1QVRSYXE1YUYrTU0KLS0tIGRTK29EdzVka3hmaFIrSnVUQ1c5
c0YxcWZIRHRxZEVjVk9MckJMVisyS28KGH6+9IXIBeXrrZ3AoL3zU1v6EA5TNwN5
8DgPO9+yfVesZiEJ0MNhs6tXAA4ODInpU1CUdsjKWRA6/QXBbmEUQw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLS0RnMDNOZzBIZzF4VG1R
T083bXFOdE1JSzl0SE1SUGlxdnFFQVluWVgwCnRLMThOSU45RTRFMVZybm9YV01n
K1pCMThGUFhMMzZhUEszRlZlK2FoQXcKLS0tIHdJRGw4aEU5UkgrU3ZEZXl4bDhi
dCtIVkdSWmg1dGNzNmhjZDBiWUJVWkEKSZySabmhM3HDXdduzFGAbOPR6m1CjwWb
ttMA9hTvl+T/UqYjxSHj8hmsyTfDY7a4sfHaFcMBJMJrjuEllm/L9g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYmF6cm5xUHVKMWw3MHJD
cWsvZTNWUjRZNDQxbFdDWGh5dUpCc2lGTTNjCm1uV0FCVEgxOG5WbXJUdXlkYTZW
KzFzaDNma3RJWEtlUmFHNGxNVUFKN28KLS0tIFFCSi82Q3EvV01UeHg4bG96K1Jm
S2JrZlcwcGsrTzdFTDlHcktJd0hmUVUKt0W/8r+L1m25kHKbh5RcweKbl4JB5xqX
DYUhUW1Rh1EI63CgVzriz4HZjuNGiuqG9cFv72wIg9Hl2lBPpkC4LQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQYUtHY1djWno1MG1zQTRB
ZHNjbitQbTUwVjFkZWtHU0gwUFFMTTIrQUVZCkUwd3UrbmpyMndXcVl6MEFsSktX
L1ZBM2ZPbGMycXd0MDRyWGI1SHh2NVkKLS0tIHFKcS82cUJYZ2V6dHJ6djJSajFy
RkIzYUI3dUZjenpxRnplOTZKZmhoS0kKDw9Zuf57k+MAINMReYcCN1DoTtFMgKGJ
CWwkNN59Ojgz757xS+2cmK6oxAkDRcN+KZc3sANdj0LY//rXq/UJgw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-25T14:03:57Z"
mac: ENC[AES256_GCM,data:RBf3LjVNSclsPN7I4QPaDUjWbKlaccjk3rzsRNdRe3+OvJSd7MsS9RfpUFCqUtO7ZkkocXHmkHA8z8LNxs6vejT9czMsLLQD14qHZS6fFdTnToOx3Kt5UuviPO/2UryVI+6HWORkH1aqFJhzkSMop2TO5mzuOTfbCEBLYUUuS6s=,iv:NQs8O1hIbjzGBTZo+gCuisj3edraFGk/Y146HmfPmQY=,tag:4g9IXw2UFC5V9EIHuWJqdA==,type:str]
pgp:
- created_at: "2026-02-07T21:15:24Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYARAAsIJXQn91VrFoSuu0ppgC79T2juR6mA7H5Z2NSGypbild
BsNPlWy+q8rpctGkria2Jm37Wz8Qu+sUNQ8Y2w6Z8Bv+M5tks62wc7qBjJkcZKmw
IjumrbsEmKQsZKS2YzGFcTjuwpBTGnACAMjUTz1rqnRcaq4U8Wqfi+mmf81yRSnR
F0emN015EmGCAUQYD6YRFMAw0PGbP3HiQrXQxdmv8zObbCg9d3+ZozurqFO2RmB4
SeZIUEtxgVDuMsr87AmHgbCr8Ux9eZmHU0qv+ejgbnXE7/MaUbppa1gy3RdcwHqG
DaETVa6YLUQqP9GOuTVy4gVr3AHtaGwMYRz30gjgQuoGUlQOG1U38PRtqe/94iHF
1lo14e31BSfHTnv66vupvWdfDXZme/1rOBJw0lM8Q+wHHJrr3mKmiLus85bJsMD7
M4Cn+5n3lE4kSrup8Y5fOsYSwq1WM9GYUfkVR+x2eHNmNdXLVHS0No6kA2TpKeqg
zbTyL59i+VBPfANCPehVYxFv7JM9pTFYQXDzMEAJcFerWBmB70HUoYXPZxeDEpiC
6seUT9lXM733QGbxwZLXRhXX4sDhJ7rMQJOvrxSvVDhiJx+Arqhz5srM8FlQHdjG
kfC507phCarRqXoef55G4trYjrr3zf+sWHRnPuh1IdFch3U+2CMrBUZIRU+C1nXS
XgHnubHvfLECTWfeEZUQvZaTtio1K3NSWqv/KBivBBRMfNI20A5erQXnocCYXB7o
RYisThHMQomNI7bT8vbf5/N/xlqEra5par0SDX16jl4FuU6dgKRuQ3SrpzFjQTA=
=ySHN
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.11.0

8
topology/default.nix
View File

@@ -228,7 +228,7 @@ in {
(mkConnection "demiurgen" "eno1") (mkConnection "demiurgen" "eno1")
(mkConnection "sanctuary" "ethernet_0") (mkConnection "sanctuary" "ethernet_0")
(mkConnection "torskas" "eth0") (mkConnection "torskas" "eth0")
(mkConnection "skrott" "eth0") (mkConnection "skrot" "enp2s0")
(mkConnection "homeassistant" "eth0") (mkConnection "homeassistant" "eth0")
(mkConnection "orchid" "eth0") (mkConnection "orchid" "eth0")
(mkConnection "principal" "em0") (mkConnection "principal" "em0")
@@ -270,10 +270,4 @@ in {
interfaces.ens18.network = "pvv"; interfaces.ens18.network = "pvv";
}; };
nodes.bakke = {
guestType = "openstack";
parent = config.nodes.stackit.id;
interfaces.enp2s0.network = "pvv";
};
} }

8
values.nix
View File

@@ -32,10 +32,6 @@ in rec {
gateway = pvv-ipv4 129; gateway = pvv-ipv4 129;
gateway6 = pvv-ipv6 1; gateway6 = pvv-ipv6 1;
bakke = {
ipv4 = pvv-ipv4 173;
ipv6 = pvv-ipv6 173;
};
bekkalokk = { bekkalokk = {
ipv4 = pvv-ipv4 168; ipv4 = pvv-ipv4 168;
ipv6 = pvv-ipv6 168; ipv6 = pvv-ipv6 168;
@@ -81,10 +77,6 @@ in rec {
ipv4 = pvv-ipv4 234; ipv4 = pvv-ipv4 234;
ipv6 = pvv-ipv6 234; ipv6 = pvv-ipv6 234;
}; };
skrott = {
ipv4 = pvv-ipv4 235;
ipv6 = pvv-ipv6 235;
};
skrot = { skrot = {
ipv4 = pvv-ipv4 237; ipv4 = pvv-ipv4 237;
ipv6 = pvv-ipv6 237; ipv6 = pvv-ipv6 237;