felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-02-20 08:57:53 +01:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: felixalb:e01fd902eb431fae9f9411ec2be3889fe35c5f3f
Branches Tags
felixalb:main felixalb:errorpages felixalb:PVVtheme2026 felixalb:dagali-heimdal-openldap-sasl-stack felixalb:skrot-new-thing felixalb:shellcheck felixalb:loginpage felixalb:temmie-userweb felixalb:gitea-robots-txt felixalb:kommode-disko felixalb:skrott-cross-compile felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim
...
compare: felixalb:temmie-userweb
Branches Tags
felixalb:errorpages felixalb:PVVtheme2026 felixalb:dagali-heimdal-openldap-sasl-stack felixalb:main felixalb:skrot-new-thing felixalb:shellcheck felixalb:loginpage felixalb:temmie-userweb felixalb:gitea-robots-txt felixalb:kommode-disko felixalb:skrott-cross-compile felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim

35 Commits
e01fd902eb ... temmie-use

Author SHA1 Message Date
h7x4
94841751e1 temmie/userweb: get first iteration working 2026-01-31 18:40:20 +09:00
h7x4
0131e5af6d temmie: combine homedirs in overlayfs 2026-01-30 04:00:17 +09:00
h7x4
af0bf7b254 bicep/{postgres,mysql}: fix old backup deletion 2026-01-29 14:57:46 +09:00
h7x4
bcf8b1607f bicep/{postgres,mysql}: use hardlink for latest backup file 2026-01-29 14:53:07 +09:00
h7x4
1d46fd1ec6 bicep/{postgres,mysql}: keep multiple backups, point at latest with symlink 2026-01-29 14:16:34 +09:00
h7x4
bac53be707 bicep/{postgres,mysql}: use zstd for backup compression 2026-01-29 13:50:35 +09:00
h7x4
f08bd96b74 bicep/{postgres,mysql}: move backups to /data 2026-01-29 13:41:06 +09:00
h7x4
25f2a13391 packages/mediawiki-extensions: bump all 2026-01-29 13:34:42 +09:00
h7x4
8774c81d23 bicep/{postgres,mysql}: custom backup units 2026-01-29 13:32:28 +09:00
h7x4
d6eca5c4e3 bicep/{postgres,mysql}: split config into several files 2026-01-29 13:18:25 +09:00
h7x4
49d1122ee5 bicep/mysql: enable slow query logs 2026-01-28 14:55:52 +09:00
h7x4
31bbf4b25f bicep/synapse: enable auto-compressor timer 2026-01-28 14:50:57 +09:00
h7x4
2f7e1439d0 bicep/mysql: pin version, upgrade from 11.4 -> 11.8 2026-01-28 14:01:14 +09:00
h7x4
fa31a84bd2 bicep/postgres: upgrade from 15 -> 18 2026-01-28 14:00:25 +09:00
h7x4
b77c8eb5c0 modules/rsync-pull-targets: fix multiple pull targets with same user 2026-01-27 21:10:17 +09:00
h7x4
949661113e bicep/mysql: move backup dir 2026-01-27 20:47:40 +09:00
h7x4
f442c4d65f bicep/minecraft-heatmap: gate remaining config behind cfg.enable 2026-01-27 20:44:20 +09:00
h7x4
690aee634b bicep/postgres: gate remaining config behind cfg.enable 2026-01-27 20:44:20 +09:00
h7x4
2ed1c83858 bicep/{postgres,mysql}: add rsync pull targets for backups 2026-01-27 20:39:12 +09:00
h7x4
d43de08a3b flake.lock: bump 2026-01-27 19:44:45 +09:00
h7x4
e8c7f177e8 kommode: use disko to configure disks 2026-01-27 19:00:12 +09:00
h7x4
fb59a242fb kommode/gitea: add rsync pull target for gitea dump dir 2026-01-27 18:55:25 +09:00
h7x4
65d095feb1 bekkalokk/mediawiki, bicep/matrix/synapse: add keys for rsync targets 2026-01-27 18:55:03 +09:00
h7x4
8273d98788 flake.nix: add disko to default devshell 2026-01-27 18:35:18 +09:00
h7x4
8a84069dcf bicep/mysql: use BindPaths to access dataDir 2026-01-27 17:23:38 +09:00
h7x4
cda84be5b0 bekkalokk/well-known: add note about bug bounty program to security.txt 2026-01-27 17:11:07 +09:00
h7x4
79a46ce3f6 bicep/element: set default country code 2026-01-27 04:11:40 +09:00
h7x4
19e45be83a .mailmap: further dedup 2026-01-27 04:07:25 +09:00
h7x4
a8892e2fb2 hosts/various: bump stateVersion 2026-01-27 04:00:48 +09:00
h7x4
a149f97ac0 bicep: bump stateVersion from 22.11 -> 25.11 2026-01-27 03:59:40 +09:00
h7x4
e76c656378 bekkalokk: bump stateVersion from 22.11 -> 25.11 2026-01-27 03:52:34 +09:00
h7x4
5877ef60b1 modules/rsync-pull-targets: leave TODO about assertion 2026-01-27 00:27:00 +09:00
h7x4
73456de527 bekkalokk/mediawiki, bicep/matrix/synapse: leave principal rsync target stubs 2026-01-27 00:26:42 +09:00
h7x4
2f8e9ea190 modules/rsync-pull-targets: init, migrate bekkalokk/website/fetch-gallery 2026-01-26 23:57:20 +09:00
h7x4
c3c98392ad bicep/hookshot: add passkey to sops 2026-01-26 21:52:58 +09:00
32 changed files with 893 additions and 145 deletions
Expand all files Collapse all files

6
.mailmap
View File

@@ -23,3 +23,9 @@ Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lau
Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
Fredrik Robertsen <frero@pvv.ntnu.no> fredrik <fredrikr79@pm.me>
Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Matthey <VegardMatthey@protonmail.com>
Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Bieker Matthey <VegardMatthey@protonmail.com>
Albert Bayazidi <albertba@pvv.ntnu.no> Albert <albert.bayazidi@gmail.com>

66
flake.lock generated
View File

@@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1769400154,
"narHash": "sha256-K0OeXzFCUZTkCBxUDr3U3ah0odS/urtNVG09WDl+HAA=",
"lastModified": 1769510541,
"narHash": "sha256-jxuQY0anT3YpwpnYB5w7p6EPS6UWIj4vGxzfsOJvC1I=",
"ref": "main",
"rev": "8e84669d9bf963d5e46bac37fe9b0aa8e8be2d01",
"revCount": 230,
"rev": "ec43f67e58f049a709fa2c19601b8c637f38126f",
"revCount": 232,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
},
@@ -174,11 +174,11 @@
]
},
"locked": {
"lastModified": 1768749374,
"narHash": "sha256-dhXYLc64d7TKCnRPW4TlHGl6nLRNdabJB2DpJ8ffUw0=",
"lastModified": 1769500363,
"narHash": "sha256-vFxmdsLBPdTy5j2bf54gbTQi1XnWbZDmeR/BBh8MFrw=",
"ref": "main",
"rev": "040294f2e1df46e33d995add6944b25859654097",
"revCount": 37,
"rev": "2618e434e40e109eaab6a0693313c7e0de7324a3",
"revCount": 47,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
},
@@ -217,11 +217,11 @@
]
},
"locked": {
"lastModified": 1768955766,
"narHash": "sha256-V9ns1OII7sWSbIDwPkiqmJ3Xu/bHgQzj+asgH9cTpOo=",
"lastModified": 1769018862,
"narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=",
"owner": "oddlama",
"repo": "nix-topology",
"rev": "71f27de56a03f6d8a1a72cf4d0dfd780bcc075bc",
"rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f",
"type": "github"
},
"original": {
@@ -233,11 +233,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1768877948,
"narHash": "sha256-Bq9Hd6DWCBaZ2GkwvJCWGnpGOchaD6RWPSCFxmSmupw=",
"rev": "43b2e61c9d09cf6c1c9c192fe6da08accc9bfb1d",
"lastModified": 1769484787,
"narHash": "sha256-ufhG9uSA8cCEk/97D/7xQEKcO/ftr4IPRH+HQFaKNdE=",
"rev": "999ca0e5484922624254294ea1adc2b90081579e",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4368.43b2e61c9d09/nixexprs.tar.xz"
"url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4804.999ca0e54849/nixexprs.tar.xz"
},
"original": {
"type": "tarball",
@@ -261,11 +261,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1768886240,
"narHash": "sha256-HUAAI7AF+/Ov1u3Vvjs4DL91zTxMkWLC4xJgQ9QxOUQ=",
"rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
"lastModified": 1769434638,
"narHash": "sha256-u19M4QdjvjEySkGhP4fUNyY6rqAbPCdQf/AFw04CkQU=",
"rev": "9c2822d7024c032e66000a8b8a47e91b4e63ffc8",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre930839.80e4adbcf899/nixexprs.tar.xz"
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre935000.9c2822d7024c/nixexprs.tar.xz"
},
"original": {
"type": "tarball",
@@ -300,11 +300,11 @@
]
},
"locked": {
"lastModified": 1768636400,
"narHash": "sha256-AiSKT4/25LS1rUlPduBMogf4EbdMQYDY1rS7AvHFcxk=",
"lastModified": 1769009806,
"narHash": "sha256-52xTtAOc9B+MBRMRZ8HI6ybNsRLMlHHLh+qwAbaJjRY=",
"ref": "main",
"rev": "3a8f82b12a44e6c4ceacd6955a290a52d1ee2856",
"revCount": 573,
"rev": "aa8adfc6a4d5b6222752e2d15d4a6d3b3b85252e",
"revCount": 575,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
},
@@ -364,11 +364,11 @@
"rust-overlay": "rust-overlay_3"
},
"locked": {
"lastModified": 1768140181,
"narHash": "sha256-HfZzup5/jlu8X5vMUglTovVTSwhHGHwwV1YOFIL/ksA=",
"lastModified": 1769325266,
"narHash": "sha256-q2G2NG7I1tvfFK4GDnn3vt1CCg0GN4ncdo0NSY+Q2Nc=",
"ref": "main",
"rev": "834463ed64773939798589ee6fd4adfe3a97dddd",
"revCount": 43,
"rev": "23b163e828901cb981eec6f3262e922f437f850b",
"revCount": 45,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
},
@@ -428,11 +428,11 @@
]
},
"locked": {
"lastModified": 1767322002,
"narHash": "sha256-yHKXXw2OWfIFsyTjduB4EyFwR0SYYF0hK8xI9z4NIn0=",
"lastModified": 1769309768,
"narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "03c6e38661c02a27ca006a284813afdc461e9f7e",
"rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5",
"type": "github"
},
"original": {
@@ -448,11 +448,11 @@
]
},
"locked": {
"lastModified": 1768863606,
"narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
"lastModified": 1769469829,
"narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
"rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
"type": "github"
},
"original": {

22
flake.nix
View File

@@ -129,6 +129,7 @@
] ++ (lib.optionals enableDefaults [
sops-nix.nixosModules.sops
inputs.roowho2.nixosModules.default
self.nixosModules.rsync-pull-targets
]) ++ modules;
}
(builtins.removeAttrs extraArgs [
@@ -146,7 +147,7 @@
in {
bakke = stableNixosConfig "bakke" {
modules = [
disko.nixosModules.disko
inputs.disko.nixosModules.disko
];
};
bicep = stableNixosConfig "bicep" {
@@ -194,6 +195,7 @@
];
modules = [
inputs.nix-gitea-themes.nixosModules.default
inputs.disko.nixosModules.disko
];
};
@@ -270,15 +272,25 @@
nixosModules = {
bluemap = ./modules/bluemap.nix;
snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix;
robots-txt = ./modules/robots-txt.nix;
gickup = ./modules/gickup;
matrix-ooye = ./modules/matrix-ooye.nix;
robots-txt = ./modules/robots-txt.nix;
rsync-pull-targets = ./modules/rsync-pull-targets.nix;
snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix;
};
devShells = forAllSystems (system: {
default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
default = let
pkgs = import nixpkgs-unstable {
inherit system;
overlays = [
(final: prev: {
inherit (inputs.disko.packages.${system}) disko;
})
];
};
in pkgs.callPackage ./shell.nix { };
cuda = let
cuda-pkgs = import nixpkgs-unstable {
inherit system;

2
hosts/bekkalokk/configuration.nix
View File

@@ -28,5 +28,5 @@
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11";
system.stateVersion = "25.11";
}

16
hosts/bekkalokk/services/mediawiki/default.nix
View File

@@ -49,6 +49,22 @@ in {
lib.listToAttrs
];
services.rsync-pull-targets = {
enable = true;
locations.${cfg.uploadsDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHFHa3Iq1oKPhbKCAIHgOoWOTkLmIc7yqxeTbut7ig/ mediawiki rsync backup";
};
};
services.mediawiki = {
enable = true;
name = "Programvareverkstedet";

18
hosts/bekkalokk/services/website/fetch-gallery.nix
View File

@@ -3,13 +3,21 @@ let
galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
in {
users.users.${config.services.pvv-nettsiden.user} = {
useDefaultShell = true;
# This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
openssh.authorizedKeys.keys = [
''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
services.rsync-pull-targets = {
enable = true;
locations.${transferDir} = {
user = config.services.pvv-nettsiden.user;
rrsyncArgs.wo = true;
authorizedKeysAttrs = [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish";
};
};
systemd.paths.pvv-nettsiden-gallery-update = {

6
hosts/bekkalokk/services/well-known/root/security.txt
View File

@@ -6,7 +6,11 @@ Contact: mailto:cert@pvv.ntnu.no
Preferred-Languages: no, en
Expires: 2032-12-31T23:59:59.000Z
# This file was last updated 2024-09-14.
# This file was last updated 2026-02-27.
# You can find a wikipage for our security policies at:
# https://wiki.pvv.ntnu.no/wiki/CERT
# Please note that we are a student organization, and unfortunately we do not
# have a bug bounty program or offer monetary compensation for disclosure of
# security vulnerabilities.

6
hosts/bicep/configuration.nix
View File

@@ -9,8 +9,8 @@
./services/calendar-bot.nix
#./services/git-mirrors
./services/minecraft-heatmap.nix
./services/mysql.nix
./services/postgres.nix
./services/mysql
./services/postgresql
./services/matrix
];
@@ -30,5 +30,5 @@
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11";
system.stateVersion = "25.11";
}

3
hosts/bicep/services/matrix/default.nix
View File

@@ -1,8 +1,9 @@
{ config, ... }:
{
imports = [
./synapse.nix
./synapse-admin.nix
./synapse-auto-compressor.nix
./synapse.nix
./element.nix
./coturn.nix
./livekit.nix

1
hosts/bicep/services/matrix/element.nix
View File

@@ -37,6 +37,7 @@ in {
# element call group calls
feature_group_calls = true;
};
default_country_code = "NO";
default_theme = "dark";
# Servers in this list should provide some sort of valuable scoping
# matrix.org is not useful compared to matrixrooms.info,

15
hosts/bicep/services/matrix/hookshot/default.nix
View File

@@ -14,6 +14,10 @@ in
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/hs_token";
};
sops.secrets."matrix/hookshot/passkey" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/passkey";
};
sops.templates."hookshot-registration.yaml" = {
owner = config.users.users.matrix-synapse.name;
@@ -44,9 +48,14 @@ in
};
systemd.services.matrix-hookshot = {
serviceConfig.SupplementaryGroups = [
serviceConfig = {
SupplementaryGroups = [
config.users.groups.keys-matrix-registrations.name
];
LoadCredential = [
"passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
];
};
};
services.matrix-hookshot = {
@@ -54,6 +63,8 @@ in
package = unstablePkgs.matrix-hookshot;
registrationFile = config.sops.templates."hookshot-registration.yaml".path;
settings = {
passFile = "/run/credentials/matrix-hookshot.service/passkey.pem";
bridge = {
bindAddress = "127.0.0.1";
domain = "pvv.ntnu.no";
@@ -61,6 +72,7 @@ in
mediaUrl = "https://matrix.pvv.ntnu.no";
port = 9993;
};
listeners = [
{
bindAddress = webhookListenAddress;
@@ -73,6 +85,7 @@ in
];
}
];
generic = {
enabled = true;
outbound = true;

56
hosts/bicep/services/matrix/synapse-auto-compressor.nix Normal file
View File

@@ -0,0 +1,56 @@
{ config, lib, utils, ... }:
let
cfg = config.services.synapse-auto-compressor;
in
{
services.synapse-auto-compressor = {
# enable = true;
postgresUrl = "postgresql://matrix-synapse@/synapse?host=/run/postgresql";
};
# NOTE: nixpkgs has some broken asserts, vendored the entire unit
systemd.services.synapse-auto-compressor = {
description = "synapse-auto-compressor";
requires = [
"postgresql.target"
];
inherit (cfg) startAt;
serviceConfig = {
Type = "oneshot";
DynamicUser = true;
User = "matrix-synapse";
PrivateTmp = true;
ExecStart = utils.escapeSystemdExecArgs [
"${cfg.package}/bin/synapse_auto_compressor"
"-p"
cfg.postgresUrl
"-c"
cfg.settings.chunk_size
"-n"
cfg.settings.chunks_to_compress
"-l"
(lib.concatStringsSep "," (map toString cfg.settings.levels))
];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateUsers = true;
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
ProcSubset = "pid";
ProtectProc = "invisible";
ProtectSystem = "strict";
ProtectHome = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
};
};
}

16
hosts/bicep/services/matrix/synapse.nix
View File

@@ -27,6 +27,22 @@ in {
'';
};
services.rsync-pull-targets = {
enable = true;
locations.${cfg.settings.media_store_path} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASnjI9b3j4ZS3BL/D1ggHfws1BkE8iS0v0cGpEmbG+k matrix_media_store rsync backup";
};
};
services.matrix-synapse-next = {
enable = true;

2
hosts/bicep/services/minecraft-heatmap.nix
View File

@@ -22,7 +22,7 @@ in
};
};
systemd.services.minecraft-heatmap-ingest-logs = {
systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable {
serviceConfig.LoadCredential = [
"sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
];

82
hosts/bicep/services/mysql/backup.nix Normal file
View File

@@ -0,0 +1,82 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.mysql;
backupDir = "/data/mysql-backups";
in
{
# services.mysqlBackup = lib.mkIf cfg.enable {
# enable = true;
# location = "/var/lib/mysql-backups";
# };
systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = {
user = "mysql";
group = "mysql";
mode = "700";
};
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
locations.${backupDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgj55/7Cnj4cYMJ5sIkl+OwcGeBe039kXJTOf2wvo9j mysql rsync backup";
};
};
# NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
# another unit, it was easier to just make one ourselves.
systemd.services."backup-mysql" = lib.mkIf cfg.enable {
description = "Backup MySQL data";
requires = [ "mysql.service" ];
path = with pkgs; [
cfg.package
coreutils
zstd
];
script = let
rotations = 2;
in ''
set -euo pipefail
OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
# NOTE: this needs to be a hardlink for rrsync to allow sending it
rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
while [ $(find -type f -printf '.' "$STATE_DIRECTORY" | wc -c) -gt ${toString (rotations + 1)} ]; do
rm $(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)
done
'';
serviceConfig = {
Type = "oneshot";
User = "mysql";
Group = "mysql";
UMask = "0077";
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
StateDirectory = [ "mysql-backups" ];
BindPaths = [ "${backupDir}:/var/lib/mysql-backups" ];
# TODO: hardening
};
startAt = "*-*-* 02:15:00";
};
}

35
hosts/bicep/services/mysql.nix → hosts/bicep/services/mysql/default.nix
View File

@@ -1,5 +1,11 @@
{ pkgs, lib, config, values, ... }:
{ config, pkgs, lib, values, ... }:
let
cfg = config.services.mysql;
dataDir = "/data/mysql";
in
{
imports = [ ./backup.nix ];
sops.secrets."mysql/password" = {
owner = "mysql";
group = "mysql";
@@ -9,8 +15,7 @@
services.mysql = {
enable = true;
dataDir = "/data/mysql";
package = pkgs.mariadb;
package = pkgs.mariadb_118;
settings = {
mysqld = {
# PVV allows a lot of connections at the same time
@@ -21,6 +26,9 @@
# This was needed in order to be able to use all of the old users
# during migration from knakelibrak to bicep in Sep. 2023
secure_auth = 0;
slow-query-log = 1;
slow-query-log-file = "/var/log/mysql/mysql-slow.log";
};
};
@@ -36,14 +44,24 @@
}];
};
services.mysqlBackup = {
enable = true;
location = "/var/lib/mysql/backups";
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
inherit (cfg) user group;
mode = "0700";
};
networking.firewall.allowedTCPPorts = [ 3306 ];
systemd.services.mysql = lib.mkIf cfg.enable {
after = [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
];
serviceConfig = {
BindPaths = [ "${dataDir}:${cfg.dataDir}" ];
LogsDirectory = "mysql";
systemd.services.mysql.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
values.ipv4-space
@@ -52,4 +70,5 @@
values.hosts.ildkule.ipv6
];
};
};
}

83
hosts/bicep/services/postgresql/backup.nix Normal file
View File

@@ -0,0 +1,83 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.postgresql;
backupDir = "/data/postgresql-backups";
in
{
# services.postgresqlBackup = lib.mkIf cfg.enable {
# enable = true;
# location = "/var/lib/postgresql-backups";
# backupAll = true;
# };
systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = {
user = "postgres";
group = "postgres";
mode = "700";
};
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
locations.${backupDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvO7QX7QmwSiGLXEsaxPIOpAqnJP3M+qqQRe5dzf8gJ postgresql rsync backup";
};
};
# NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
# another unit, it was easier to just make one ourselves
systemd.services."backup-postgresql" = {
description = "Backup PostgreSQL data";
requires = [ "postgresql.service" ];
path = with pkgs; [
coreutils
zstd
cfg.package
];
script = let
rotations = 2;
in ''
set -euo pipefail
OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
# NOTE: this needs to be a hardlink for rrsync to allow sending it
rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
while [ $(find -type f -printf '.' "$STATE_DIRECTORY" | wc -c) -gt ${toString (rotations + 1)} ]; do
rm $(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)
done
'';
serviceConfig = {
Type = "oneshot";
User = "postgres";
Group = "postgres";
UMask = "0077";
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
StateDirectory = [ "postgresql-backups" ];
BindPaths = [ "${backupDir}:/var/lib/postgresql-backups" ];
# TODO: hardening
};
startAt = "*-*-* 01:15:00";
};
}

27
hosts/bicep/services/postgres.nix → hosts/bicep/services/postgresql/default.nix
View File

@@ -1,8 +1,13 @@
{ config, pkgs, values, ... }:
{ config, lib, pkgs, values, ... }:
let
cfg = config.services.postgresql;
in
{
imports = [ ./backup.nix ];
services.postgresql = {
enable = true;
package = pkgs.postgresql_15;
package = pkgs.postgresql_18;
enableTCPIP = true;
authentication = ''
@@ -74,13 +79,13 @@
};
};
systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = lib.mkIf cfg.enable {
user = config.systemd.services.postgresql.serviceConfig.User;
group = config.systemd.services.postgresql.serviceConfig.Group;
mode = "0700";
};
systemd.services.postgresql-setup = {
systemd.services.postgresql-setup = lib.mkIf cfg.enable {
after = [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
@@ -95,7 +100,7 @@
};
};
systemd.services.postgresql = {
systemd.services.postgresql = lib.mkIf cfg.enable {
after = [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
@@ -110,18 +115,12 @@
};
};
environment.snakeoil-certs."/etc/certs/postgres" = {
environment.snakeoil-certs."/etc/certs/postgres" = lib.mkIf cfg.enable {
owner = "postgres";
group = "postgres";
subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
};
networking.firewall.allowedTCPPorts = [ 5432 ];
networking.firewall.allowedUDPPorts = [ 5432 ];
services.postgresqlBackup = {
enable = true;
location = "/var/lib/postgres/backups";
backupAll = true;
};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 5432 ];
networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [ 5432 ];
}

2
hosts/brzeczyszczykiewicz/configuration.nix
View File

@@ -17,5 +17,5 @@
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "23.05";
system.stateVersion = "25.11";
}

2
hosts/georg/configuration.nix
View File

@@ -32,5 +32,5 @@
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "23.05";
system.stateVersion = "25.11";
}

1
hosts/kommode/configuration.nix
View File

@@ -4,6 +4,7 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
./disks.nix
./services/gitea
./services/nginx.nix

80
hosts/kommode/disks.nix Normal file
View File

@@ -0,0 +1,80 @@
{ lib, ... }:
{
disko.devices = {
disk = {
sda = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
root = {
name = "root";
label = "root";
start = "1MiB";
end = "-5G";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
# subvolumes = let
# makeSnapshottable = subvolPath: mountOptions: let
# name = lib.replaceString "/" "-" subvolPath;
# in {
# "@${name}/active" = {
# mountpoint = subvolPath;
# inherit mountOptions;
# };
# "@${name}/snapshots" = {
# mountpoint = "${subvolPath}/.snapshots";
# inherit mountOptions;
# };
# };
# in {
# "@" = { };
# "@/swap" = {
# mountpoint = "/.swapvol";
# swap.swapfile.size = "4G";
# };
# "@/root" = {
# mountpoint = "/";
# mountOptions = [ "compress=zstd" "noatime" ];
# };
# }
# // (makeSnapshottable "/home" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/nix" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/var/lib" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/var/log" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/var/cache" [ "compress=zstd" "noatime" ]);
# swap.swapfile.size = "4G";
mountpoint = "/";
};
};
swap = {
name = "swap";
label = "swap";
start = "-5G";
end = "-1G";
content.type = "swap";
};
ESP = {
name = "ESP";
label = "ESP";
start = "-1G";
end = "100%";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
};
};
};
};
};
}

15
hosts/kommode/hardware-configuration.nix
View File

@@ -13,21 +13,6 @@
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/86CD-4C23";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction

16
hosts/kommode/services/gitea/default.nix
View File

@@ -195,6 +195,22 @@ in {
networking.firewall.allowedTCPPorts = [ sshPort ];
services.rsync-pull-targets = {
enable = true;
locations.${cfg.dump.backupDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpMVrOppyqYaDiAhqmAuOaRsubFvcQGBGyz+NHB6+0o gitea rsync backup";
};
};
systemd.services.gitea-dump = {
serviceConfig.ExecStart = let
args = lib.cli.toGNUCommandLineShell { } {

2
hosts/shark/configuration.nix
View File

@@ -15,5 +15,5 @@
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "23.05";
system.stateVersion = "25.11";
}

4
hosts/skrott/configuration.nix
View File

@@ -96,11 +96,11 @@
};
# https://github.com/NixOS/nixpkgs/issues/84105
boot.kernelParams = [
boot.kernelParams = lib.mkIf (!config.virtualisation.isVmVariant) [
"console=ttyUSB0,9600"
# "console=tty1" # Already part of the module
];
systemd.services."serial-getty@ttyUSB0" = {
systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
enable = true;
wantedBy = [ "getty.target" ]; # to start at boot
serviceConfig.Restart = "always"; # restart when session is closed

3
hosts/temmie/services/nfs-mounts.nix
View File

@@ -52,9 +52,6 @@ in
# TODO: are there cgi scripts that modify stuff in peoples homedirs?
# "ro"
"rw"
# TODO: can we enable this and still run cgi stuff?
# "noexec"
];
}) letters;
}

217
hosts/temmie/services/userweb.nix
View File

@@ -1,27 +1,232 @@
{ ... }:
{ config, lib, pkgs, ... }:
let
cfg = config.services.httpd;
homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
# https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
phpEnv = pkgs.php.buildEnv {
extensions = { all, ... }: with all; [
imagick
opcache
];
extraConfig = ''
display_errors=0
post_max_size = 40M
upload_max_filesize = 40M
extension=sysvsem.so
'';
};
perlEnv = pkgs.perl.withPackages (ps: with ps; [
TextPDF
CGI
LWP
XMLLibXML
]);
# https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
pythonEnv = pkgs.python3.buildEnv.override {
extraLibs = with pkgs.python3Packages; [
matplotlib
requests
];
ignoreCollisions = true;
};
# https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
fhsEnv = pkgs.buildEnv {
name = "userweb-env";
paths = with pkgs; [
bash
coreutils-full
perlEnv
phpEnv
pythonEnv
gnused
gawk
file
diffutils
gnugrep
util-linux
iproute2
curl
less
gnuplot
system-sendmail
];
extraOutputsToInstall = [
"man"
"doc"
];
};
in
{
services.httpd = {
enable = true;
adminAddr = "drift@pvv.ntnu.no";
# extraModules = [];
# TODO: consider upstreaming systemd support
# TODO: mod_log_journald in v2.5
package = pkgs.apacheHttpd.overrideAttrs (prev: {
nativeBuildInputs = prev.nativeBuildInputs ++ [ pkgs.pkg-config ];
buildInputs = prev.buildInputs ++ [ pkgs.systemdLibs ];
configureFlags = prev.configureFlags ++ [ "--enable-systemd" ];
});
enablePHP = true;
phpPackage = phpEnv;
enablePerl = true;
# TODO: mod_log_journald in v2.5
extraModules = [
"systemd"
"userdir"
# TODO: I think the compilation steps of pkgs.apacheHttpdPackages.mod_perl might have some
# incorrect or restrictive assumptions upstream, either nixpkgs or source
# {
# name = "perl";
# path = let
# mod_perl = pkgs.apacheHttpdPackages.mod_perl.override {
# apacheHttpd = cfg.package.out;
# perl = perlEnv;
# };
# in "${mod_perl}/modules/mod_perl.so";
# }
];
extraConfig = ''
TraceEnable on
LogLevel warn rewrite:trace3
ScriptLog ${cfg.logDir}/cgi.log
'';
# virtualHosts."userweb.pvv.ntnu.no" = {
virtualHosts."temmie.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters}
UserDir disabled root
AddHandler cgi-script .cgi
<Directory "/home/pvv/?/*/web-docs">
Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI IncludesNoExec
AllowOverride All
Require all granted
</Directory>
'';
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
# socket activation comes in v2.5
# systemd.sockets.httpd = {
# wantedBy = [ "sockets.target" ];
# description = "HTTPD socket";
# listenStreams = [
# "0.0.0.0:80"
# "0.0.0.0:443"
# ];
# };
systemd.services.httpd = {
after = [ "pvv-homedirs.target" ];
requires = [ "pvv-homedirs.target" ];
environment = {
PATH = lib.mkForce "/usr/bin";
};
serviceConfig = {
Type = lib.mkForce "notify";
ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start";
ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful";
ExecStop = lib.mkForce "";
KillMode = "mixed";
ConfigurationDirectory = [ "httpd" ];
LogsDirectory = [ "httpd" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
LockPersonality = true;
PrivateDevices = true;
PrivateTmp = true;
# NOTE: this removes CAP_NET_BIND_SERVICE...
# PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = "tmpfs";
BindPaths = let
letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
in map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") letters;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectSystem = true;
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SocketBindDeny = "any";
SocketBindAllow = [
"tcp:80"
"tcp:443"
];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
UMask = "0077";
RuntimeDirectory = [ "httpd/root-mnt" ];
RootDirectory = "/run/httpd/root-mnt";
MountAPIVFS = true;
BindReadOnlyPaths = [
builtins.storeDir
"/etc"
# NCSD socket
"/var/run"
"/var/lib/acme"
"${fhsEnv}/bin:/bin"
"${fhsEnv}/sbin:/sbin"
"${fhsEnv}/lib:/lib"
"${fhsEnv}/share:/share"
] ++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") {
parent = [
"/local"
"/opt"
"/opt/local"
"/store"
"/store/gnu"
"/usr"
"/usr/local"
];
child = [
"/bin"
"/sbin"
"/lib"
"/libexec"
"/include"
"/share"
];
});
BindPaths = map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") homeLetters;
};
};

146
modules/rsync-pull-targets.nix Normal file
View File

@@ -0,0 +1,146 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.rsync-pull-targets;
in
{
options.services.rsync-pull-targets = {
enable = lib.mkEnableOption "";
rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { };
locations = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }@submoduleArgs: {
options = {
enable = lib.mkEnableOption "" // {
default = true;
example = false;
};
user = lib.mkOption {
type = lib.types.str;
description = "Which user to use as SSH login";
example = "root";
};
location = lib.mkOption {
type = lib.types.path;
default = name;
defaultText = lib.literalExpression "<name>";
example = "/path/to/rsyncable/item";
};
# TODO: handle autogeneration of keys
# autoGenerateSSHKeypair = lib.mkOption {
# type = lib.types.bool;
# default = config.publicKey == null;
# defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.publicKey != null";
# example = true;
# };
publicKey = lib.mkOption {
type = lib.types.str;
# type = lib.types.nullOr lib.types.str;
# default = null;
example = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA comment";
};
rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { } // {
default = cfg.rrsyncPackage;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.rrsyncPackage";
};
enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args";
rrsyncArgs = {
ro = lib.mkEnableOption "" // {
description = "Allow only reading from the DIR. Implies -no-del and -no-lock.";
};
wo = lib.mkEnableOption "" // {
description = "Allow only writing to the DIR.";
};
munge = lib.mkEnableOption "" // {
description = "Enable rsync's --munge-links on the server side.";
# TODO: set a default?
};
no-del = lib.mkEnableOption "" // {
description = "Disable rsync's --delete* and --remove* options.";
default = submoduleArgs.config.enableRecommendedHardening;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
};
no-lock = lib.mkEnableOption "" // {
description = "Avoid the single-run (per-user) lock check.";
default = submoduleArgs.config.enableRecommendedHardening;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
};
no-overwrite = lib.mkEnableOption "" // {
description = "Prevent overwriting existing files by enforcing --ignore-existing";
default = submoduleArgs.config.enableRecommendedHardening;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
};
};
authorizedKeysAttrs = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = lib.optionals submoduleArgs.config.enableRecommendedHardening [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
defaultText = lib.literalExpression ''
lib.optionals config.services.rsync-pull-targets.<name>.enableRecommendedHardening [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
]
'';
example = [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
};
};
}));
};
};
config = lib.mkIf cfg.enable {
# assertions = lib.pipe cfg.locations [
# (lib.filterAttrs (_: value: value.enable))
# TODO: assert that there are no duplicate (user, publicKey) pairs.
# if there are then ssh won't know which command to provide and might provide a random one, not sure.
# (lib.mapAttrsToList (_: { user, location, publicKey, ... }: {
# assertion =
# message = "";
# })
# ];
services.openssh.enable = true;
users.users = lib.pipe cfg.locations [
(lib.filterAttrs (_: value: value.enable))
lib.attrValues
# Index locations by SSH user
(lib.foldl (acc: location: acc // {
${location.user} = (acc.${location.user} or [ ]) ++ [ location ];
}) { })
(lib.mapAttrs (_name: locations: {
openssh.authorizedKeys.keys = map ({ user, location, rrsyncPackage, rrsyncArgs, authorizedKeysAttrs, publicKey, ... }: let
rrsyncArgString = lib.cli.toCommandLineShellGNU {
isLong = _: false;
} rrsyncArgs;
# TODO: handle " in location
in "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}"
) locations;
}))
];
};
}

48
packages/mediawiki-extensions/default.nix
View File

@@ -33,63 +33,63 @@ in
lib.mergeAttrsList [
(mw-ext {
name = "CodeEditor";
commit = "6e5b06e8cf2d040c0abb53ac3735f9f3c96a7a4f";
hash = "sha256-Jee+Ws9REUohywhbuemixXKaTRc54+cIlyUNDCyYcEM=";
commit = "83e1d0c13f34746f0d7049e38b00e9ab0a47c23f";
hash = "sha256-qH9fSQZGA+z6tBSh1DaTKLcujqA6K/vQmZML9w5X8mU=";
})
(mw-ext {
name = "CodeMirror";
commit = "da9c5d4f03e6425f6f2cf68b75d21311e0f7e77e";
hash = "sha256-aL+v9xeqKHGmQVUWVczh54BkReu+fP49PT1NP7eTC6k=";
commit = "af2b08b9ad2b89a64b2626cf80b026c5b45e9922";
hash = "sha256-CxXPwCKUlF9Tg4JhwLaKQyvt43owq75jCugVtb3VX+I=";
})
(mw-ext {
name = "DeleteBatch";
commit = "122072bbfb4eab96ed8c1451a3e74b5557054c58";
hash = "sha256-L6AXoyFJEZoAQpLO6knJvYtQ6JJPMtaa+WhpnwbJeNU=";
commit = "3d6f2fd0e3efdae1087dd0cc8b1f96fe0edf734f";
hash = "sha256-iD9EjDIW7AGpZan74SIRcr54dV8W7xMKIDjatjdVkKs=";
})
(mw-ext {
name = "PluggableAuth";
commit = "5caf605b9dfdd482cb439d1ba2000cba37f8b018";
hash = "sha256-TYJqR9ZvaWJ7i1t0XfgUS05qqqCgxAH8tRTklz/Bmlg=";
commit = "85e96acd1ac0ebcdaa29c20eae721767a938f426";
hash = "sha256-bMVhrg8FsfWhXF605Cj5TgI0A6Jy/MIQ5aaUcLQQ0Ss=";
})
(mw-ext {
name = "Popups";
commit = "7ed940a09f83f869cbc0bc20f3ca92f85b534951";
hash = "sha256-pcDPcu4kSvMHfSOuShrod694TKI9Oo3AEpMP9DXp9oY=";
commit = "410e2343c32a7b18dcdc2bbd995b0bfdf3bf5f37";
hash = "sha256-u2AlR75x54rCpiK9Mz00D9odJCn8fmi6DRU4QKmKqSc=";
})
(mw-ext {
name = "Scribunto";
commit = "e755852a8e28a030a21ded2d5dd7270eb933b683";
hash = "sha256-zyI5nSE+KuodJOWyV0CQM7G0GfkKEgfoF/czi2/qk98=";
commit = "904f323f343dba5ff6a6cdd143c4a8ef5b7d2c55";
hash = "sha256-ZOVYhjMMyWbqwZOBb39hMIRmzzCPEnz2y8Q2jgyeERw=";
})
(mw-ext {
name = "SimpleSAMLphp";
kebab-name = "simple-saml-php";
commit = "d41b4efd3cc44ca3f9f12e35385fc64337873c2a";
hash = "sha256-wfzXtsEEEjQlW5QE4Rf8pasAW/KSJsLkrez13baxeqA=";
commit = "a2f77374713473d594e368de24539aebcc1a800a";
hash = "sha256-5+t3VQFKcrIffDNPJ4RWBIWS6K1gTOcEleYWmM6xWms=";
})
(mw-ext {
name = "TemplateData";
commit = "fd7cf4d95a70ef564130266f2a6b18f33a2a2ff9";
hash = "sha256-5OhDPFhIi55Eh5+ovMP1QTjNBb9Sm/3vyArNCApAgSw=";
commit = "76a6a04bd13a606923847ba68750b5d98372cacd";
hash = "sha256-X2+U5PMqzkSljw2ypIvJUSaPDaonTkQx89OgKzf5scw=";
})
(mw-ext {
name = "TemplateStyles";
commit = "0f7b94a0b094edee1c2a9063a3c42a1bdc0282d9";
hash = "sha256-R406FgNcIip9St1hurtZoPPykRQXBrkJRKA9hapG81I=";
commit = "7de60a8da6576d7930f293d19ef83529abf52704";
hash = "sha256-iPmFDoO5V4964CVyd1mBSQcNlW34odbvpm2CfDBlPBU=";
})
(mw-ext {
name = "UserMerge";
commit = "d1917817dd287e7d883e879459d2d2d7bc6966f2";
hash = "sha256-la3/AQ38DMsrZ2f24T/z3yKzIrbyi3w6FIB5YfxGK9U=";
commit = "71eb53ff4289ac4efaa31685ab8b6483c165a584";
hash = "sha256-OfKSEPgctfr659oh5jf99T0Rzqn+60JhNaZq+2gfubk=";
})
(mw-ext {
name = "VisualEditor";
commit = "032364cfdff33818e6ae0dfa251fe3973b0ae4f3";
hash = "sha256-AQDdq9r6rSo8h4u1ERonH14/1i1BgLGdzANEiQ065PU=";
commit = "a6a63f53605c4d596c3df1dcc2583ffd3eb8d929";
hash = "sha256-4d8picO66uzKoxh1TdyvKLHebc6ZL7N2DdXLV2vgBL4=";
})
(mw-ext {
name = "WikiEditor";
commit = "cb9f7e06a9c59b6d3b31c653e5886b7f53583d01";
hash = "sha256-UWi3Ac+LCOLliLkXnS8YL0rD/HguuPH5MseqOm0z7s4=";
commit = "0a5719bb95326123dd0fee1f88658358321ed7be";
hash = "sha256-eQMyjhdm1E6TkktIHad1NMeMo8QNoO8z4A05FYOMCwQ=";
})
]

5
secrets/bicep/matrix.yaml
View File

@@ -17,6 +17,7 @@ ooye:
hookshot:
as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
passkey: ENC[AES256_GCM,data:sR3ZdvNe+321WalGA57Nsb7eIRnOgAWX4P4aahynS5kD8nZ40axO3H29pciTn3rgBLsKPYAbJ24Ch40SL5emlz9UL1nH//khCEAXUXR5+RA83TvRrog1BdiCTX3wYY6SvM8BRwAEcWbAavfRHyNM0stSRjamdam70OvEEHlOUafs4lfQghYXVN+YV6bT+gan9eMRwhTsuWB/V01SAUot5pgFtprpvFs/l90E9sZFxxejlLniy/4nHjO9rcXAeCz/8cw5P56AqCzqyliYxKM3qbhwp+Pz/RVH+7PKQwABP80tw4HLvBz2nwYzPHJrSejIH/lxE1sJH8ttUQ8mHIFpv0GGB0oENyfYCekoSXWL+wuFEE+xjyak1KUDfohaJ9QMZa+A4jHiGoWHAwfU083uNFNdE1NxPpa55xQ/Q5fGE58qmZVbHUoL1EFOi0Nc15vp9kRojjQoEENvEQKwZHlauhm+940s6IwBE/bHk5WBjWM6BM/7Y8dj23uo1Vj0gy5IK0xYk62+IXNINPeDnS5sZJJweOKvS9JDYNw/9oC5ptmsqkGWryWm22Mwq9AIWm1Zt+0nIZRrOM+JHWJCtCqXhD5+UL1fl6wt7IgvOqgOtsFUM39n2hS4UWyVohToLy2u8VFKDIx1yb530y+Q2HfT6oKPYtcm5+b/dgDaqph1JSuqxWoiXMdx/DvGLhM6nIfPnAi5EImXDQIxkh4tJ6P+z+4vOPiX5fKflXk2eioVL77BQ4jXLunu4zBu/bOCePHigAD/+E9IgHnVSMxpTgDQ3w7WI7FCY9wjbXqbsL3QB1BOizIFNqHDcX2COeJV7X8Aia0HBpZgQpFX5XtMJAKnO2BR2EA94xSk9/rAPgZpJkZXTHl5MpPz9+WLv4uFy0daIJ/y7jkxLXK2UNw9VVfkq/I6cteQMwHPe0V9XZc1DIXOjJ23r9qNtx11Dx7Zumh3EQvp/8D/i0G6lhW1y3xP0Uu1iuxfnvhacBTwiRTSrKhT0HKlFG9cG2SaZH5D8zLyhrQhp8V5AdAdikmQUfDigDTzd45YpWRaNEGM1wcAI5cWBdPHY6Hv3NHQoX3yx6jm3Qo1QqIVlhqHqEeM6++H1Sfd3xg8zMSSGXlQT6EYE0+raOvKrmbnGCW3GnguHEjU1vCE/w7u8LCct7IBCSL7XQpLg39SmSx/MdL5OWXaUCxbVMM38q/4PXNzRVNaHRZFXm35+q1gZ/fx9a3vY/YS9+qEhcsvNQaNyuVcbigz9fqEWoAnFh2rCIMT3XMc+N0V0+TSIF4nU/Im82wu1+ujcrJ6OpGubcf208y8giwOgdKAARTKtybInUx31+JkzMw9A4q+CxRLHcrYYhIHz0MyhAVY3JKQp6DvoRwT58/MEENv6hSvsf0PhrgIkPTYeNeasJwFt8tKPmEkFYINhigC3XPmid+hMJfp/w8MnFLAIX9Cp+7adQPPW5RZqHuuf0rV+vdVqU3nFmnet8KZd3SrZiWAXcKViyHYAWb3c60TMO2C37goHkTMd6olZ09ZEfrTpdX+MEHswW65p4rJgNZIbVquD73DpZuE30HsrUBsPeWpQy2JGNUPq8tCvcREVgmnIt7yJn8sC8D+RwgXCXHf6qDMjANi7nvD6uWTik4P68e9lVztO4QudwdZdPieflfFADH4sFPhXwCpGOkR37RSrqe6t3CR3ZI0aXqHdZ1l1JcJv+5WEXmJZfNUOPBGpvatmc7ygJYDxuQoJ5FDFsyZffrAYOcEXC6gDaq6NTGgo4JZAYQsHg8JaFWQPEToagiSQhhErMeA5nTUvNjJ4/0HHIvsjsGabAv3GiT2lcVnowt8qwEyLnQStNiAxv0bURhW82BLCHq5cHx7mtUNqDQjrc48iQZiZd20orTq7PmxwWBa6T9EwuEOQiX69inIbSU7kGbRmVUS+RPKfFoCXXOSlBjzoLM448Ymbf0FsEgATb0I5sJ6R2k9mlh3WgRur/u8ODtXJO9TLjVvAm1WmHWXn8ZSvKRS+/VSGg3RzKGyVqh2gJmpDJmF4BwzqslhaCdvdkwBW+7oZN///1h41NX6Fo68l+P/Rl/ZFvCF2VD18E1EjmnOs8sxmMjsDct3HNd7xB1PJLKtNTCLEF0vLDOM5qGaWfBVZtwHiz7fhbPxeE4ND8ygHhUUVzDsC3uHeVHwBMghSY92wnNq6SJP5HMC5knoEFxGnr5te8GcMT6iD6KMKjzqPnp7raGSFo96d5qDiug8krD3vEpbE+3L0XRye5m+2N/wVL7u888JZ0Yj9uWZoAmg41G9y5NU1g8Sns9gY1jalZFaY1+S2nCAfgZRNzx0gLa4CY7SClib1+qDCKIVLJyCqlbKRkIbNXV/B+/L6MAUwTRn8NLhm1+U1QgqD3X+cTJoys/1laSEBXcupT0CrCkR2wguGh1tfkyZ0yLJcbyIfRHzmEooMHWgL5N+mNYCwxLyIfDmBSacZI7AUBfGD+RT24W0vl976zd/sBzIZtQGFPKDtb5bzNE5FNfSfser+afqBG+S+gr1GUn2ZQMGN2095uqnYiwCUtxmczGlOLixbQMnYPbxClB7i4NFvZj2GbnX+yRgv8OFWTnp0C1aPsQHgZzWKAe0cDaRJpAOTTbaGaSJiwIIu689xqYGKej3oQLaAHqlRyRhJngUOj4panxNb/ZFbP6lfUF0fehNJFJaR3WKSiRAjv6ommtSFDQ26TrhYE9d+yG1KApzkhlPTLNA4fVRQxfZi41hbfHDg4kwZMpc86BSCq85qnzW+nMJiWTLxTKYSzjpiWSnMzBvBYf0vntz5+ltwJwyVMX/TdAoYGyHOCINLSxhKoajORJ0g6zEyBRdG+kg0qZCFi894fR4eAz5/fvbrhOhhnCOaVCJlvLo2jXiizQlsqbvLr8bTbyMF5yJPEPV8H/B8uhzzjCIxvbbc3Ac3rPX47FBdEc5869c7JgL/2HD9GZzJXfRBzyhSTFMMh7J+K7LgEIGsItTsJM9wa4BC9ZicZRifuGxBKATOIVeTpJJHA80yhmL6lsazUrrAlyA93mR4CsuInmum6QMyjkmcXBnEtybSeuUjX7aFmzSz9Il7C9iR/4QRWyzgSIh7sbqEl/v4mQtJMlydbZdd0aT65AShTHUIkNZxOg/IuEW26v8pyZi5msfPBjwmknQkXPTf1fCcgVuY6OoQBPzYR1BFTjpY5lTfAMYH9sDW+xxRTFftsNNRzIctX0IEv5haWxLDhuN7eagltf2v3GubrbsYTeVwuCFJnabgzXan4vvpPVIPhrhE2k6G0FfDhIpQL9oweNBG2hefoXoOr+piHYcc1hJSHnSUp9qRxQxXzjvaFulfRO+2GoMAg6E6pz1Fz8e8mHRubREH6NOLvz070D0u1o7Tb6LE2cmw2XdRaVqO+Jo3u7pZUUVYllF31Uxb8ngHarWQ3dOBneZQHsW3AFpRofz9BcHII6dd4BhAM+sl7+cBEFuNn9nkDBR8PLx7O0G+b99qSAnOdvY6wWTwMbWC2JLcv6QTwqe/bAdEg3hNi2GOoqwvs0e6BO/7GS88egcwqZEe2Tpvtzb+NCia/A3oc/VNWTucmQcv9K10QaloZjHMXAMsDESr3LJ0enaoqc90bbHWEuoyRJoDDuW2NXHpCILLAxCUDZnArlE78J2B15Yc2sBkgHyYrILaZo1dBVR23R+QX4bZXt69EZC74IdcELt4qw4ANK+xKtSRJ5vnVml58/71IukUp5GOwEzImEC4YG5G7O7hpMWZmM48RvOuhmqk3LvCggjHPploLqw3PY46twgbKTBai4PbYZ2NaFAHkgc4jqoKSgzQD0jqUkNxFZNSXmvC6QGksns/GaI/qZJVSWAxr95P3oEyZrsfY+KFvhpGJWAa/TIyJslTsKjSv+VFg9jm93yT6P+Jfp1sR+tnyTgrDUF3SIi1/HbM4DlgbyHon25B+4fabgbGajl0Ua/zNyFmWcGN4yRQfXgK47vhQFyfAaOliIKbvsCEnfLniDhPg9FlnxBHSVPHNxeEufocboCUJzm0pU2r2iRRN6fKiiIZubjxeXDjRHTsJAffstPp6pSDxgtZzivquUkj1669QmZaHhV6VyAhGOz/A3VWWB0FGdToeuS5FciNyYVmfJ8moHP1skV/jR4Ke3R/gHato0Un0nUr39ftB81uVomTYlVYuXAUUfJnAU/i8PbdjWCXSlAIeqCUeEf9oLq4n/xtUvJGBzxPgRJPaWxnckS2umi+6CRCs9f1EzwORgOosnQDJxALsGV3Nl4dR1o8ygAHkiBiqKyaEk0ulVM6XrfGFcQMkRgK2PVIZHNCEY72jU42/LlzWumXH2uoivR0toT7kk919VJYa5+2ac=,iv:BqwTfYEtqtFazQGfhL6rxfIUrZ2cin+jy070FDaGIuc=,tag:MMUGNmH6m4aNR4U8KAac6w==,type:str]
livekit:
keyfile:
#ENC[AES256_GCM,data:M+SfmEuhPL8sqxOl3uL8mE6Z6pC6naQNxFRskMPbVpLVWYM1Be+QOoLEiTMtWqH2PAf2NZXLcNY63Q99bYINz+BTt/ekllye,iv:DSZJxoZUlUZxPpzfpXyZ4ECeJjq6/WW8I2fvTXIjmfU=,tag:HwHhdQA8yuSKYxM5LcZV/w==,type:comment]
@@ -86,8 +87,8 @@ sops:
Qnh1djQ0ZDFhRmxsU2g0eHJZeFlkcU0Kj5H/dHrOwSgiZIzpv3nOc7AWeNMofJg7
OzSVdRry72qPqYU8YLWjAcoP3ddITZnWr53/yYBVmssW/KeyVyPy9A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-21T02:03:24Z"
mac: ENC[AES256_GCM,data:yVe+78V7zYgYveLFBghKdAeibg97DRafgsRRCZPYkWu8t2iadtD5UqRK0KS4Zcc55ojHJ11otgadaPHQyl8EIzt7Dwlm7ZOVEmmPAYdaweWfnPRdFhDAxcgj8Ejh03LAdLQK8WwlfTF/09Avub2ZUnN0aPwFCen/qD6dYmcGDNk=,iv:y4YE9AqlVVBBtRGoIdfIcNGE4chChBOR0Euy68xkQBA=,tag:/yopCpkvFaEzr2iXxLd3uw==,type:str]
lastmodified: "2026-01-26T12:49:23Z"
mac: ENC[AES256_GCM,data:+rkFq7pYZrGTtLIjjwa5DQC6WFpeV3JS80w6xADcn+kNnjg94p70GVZ3zP6p+f4PZ/Rupjg1cmm3w0g/ranx+FEmmX43N+zSY97NYOC2oxOhlNDDyrnRDElaiCOq41Jd13FxnjX3Jg9gxkD3szGS9hG+gv3wSf9NabOhFFL79GQ=,iv:+9UDVsvfr581CSNdtLRTfrjQ7rsLgMLmyK4cof0NZUU=,tag:9/xq9ThqrDzg+Snh3vSkVw==,type:str]
pgp:
- created_at: "2026-01-16T06:34:46Z"
enc: |-

11
shell.nix
View File

@@ -1,15 +1,16 @@
{ pkgs ? import <nixpkgs> {} }:
pkgs.mkShellNoCC {
packages = with pkgs; [
just
jq
disko
editorconfig-checker
gnupg
gum
jq
just
openstackclient
sops
ssh-to-age
gnupg
statix
openstackclient
editorconfig-checker
];
env = {