mirror of
https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git
synced 2026-07-05 10:11:48 +02:00
Compare commits
240 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| bc7d598fed | |||
| 7429b334ca | |||
| 1595f67c55 | |||
| 3f5eadcb87 | |||
| 70c0ad8724 | |||
| 61ea0181a1 | |||
| 3e22c1a47e | |||
| 0319858cad | |||
| efd50868e0 | |||
| 7a23cf7f25 | |||
| 57963fadd7 | |||
| 792f111a5d | |||
| b27859c0fa | |||
| eb0eb6d93b | |||
| 6a943dd7b0 | |||
| c59c00f3fc | |||
| 53670b4d05 | |||
| d92a5f13ad | |||
| 16d3251ee2 | |||
| 09163b77da | |||
| 6cca1db3b3 | |||
| bfd83c4c64 | |||
| 9a6fdecb03 | |||
| 82ab97fb45 | |||
| 543fd19f8d | |||
| 6f99fa575d | |||
| 3141b1f76b | |||
| 475f6a8c9b | |||
| 9c1687f8f2 | |||
| 0f53bcd731 | |||
| f433ae1e15 | |||
| 5745648f87 | |||
| 2c34a93abf | |||
| 9ebc947eab | |||
| 6fcc19f0a2 | |||
| 9224f04bd1 | |||
| 9c93f15569 | |||
| 5d6c153007 | |||
| 8b483a92f8 | |||
| 0d7f05e56d | |||
| 4a67eddf52 | |||
| 08a23bd380 | |||
| 28b67c3578 | |||
| e5804c043a | |||
| 9c227f3022 | |||
| 69fdf709d7 | |||
| 30ec70fa5f | |||
| 1024b428ac | |||
| 1e6b692fbf | |||
| beac6e91dd | |||
| 0fd41c214a | |||
| 5c1ee958ea | |||
| d8e97715c9 | |||
| 33297b0436 | |||
| be33c95c83 | |||
| 2abf36a9af | |||
| a60be532ce | |||
| 9c142fd56f | |||
| b98e8679e6 | |||
| ea092ec0b3 | |||
| 5e50b617fb | |||
| 258c5a7b25 | |||
| b9eda3dc56 | |||
| 2fcaf5893f | |||
| b009da31af | |||
| e9a267e2a3 | |||
| 338c2f2531 | |||
| 8db3034baf | |||
| f64f9c944e | |||
| baeb1e5e60 | |||
| 86ca8dcdc3 | |||
| 11d1f8b442 | |||
| d8115c4031 | |||
| 0d41326d9f | |||
| 7baf3ffcb4 | |||
| 45f10be9b4 | |||
| 06cd860d2f | |||
| ebd8b871f4 | |||
| 14994485c5 | |||
| f2752ee9a6 | |||
| bb20f32df8 | |||
| f83ae6de37 | |||
| f490e64516 | |||
| 61c6639d3a | |||
| eee7e9ad7b | |||
| 3160d64167 | |||
| 23355317d6 | |||
| 683e4b2dbc | |||
| f52cf697cc | |||
| 8a9e92c706 | |||
| 6dce8bac0e | |||
| e2abbf224b | |||
| a399f23785 | |||
| 69a22e2ba0 | |||
| 6be23feeca | |||
| 1bfd4fe595 | |||
| 2efe4a1d1e | |||
| 6ef02bd485 | |||
| 6b1fb4c065 | |||
| 18167dca0a | |||
| b5fecc94a7 | |||
| 0d40c7d7a7 | |||
| b327582236 | |||
| 7e39bf3ba2 | |||
| 5bb0cd0465 | |||
| 9efda802cb | |||
| 3c08be3d73 | |||
| b1a2836b5d | |||
| ba1f30f737 | |||
| c455c5a7e3 | |||
| 35907be4f2 | |||
| 210f74dc59 | |||
| d35de940c1 | |||
| daa4b9e271 | |||
| 12eb0b3f53 | |||
| 02bdb8d45b | |||
| a5143c0aaa | |||
| 561404cd87 | |||
| 3338b4cd61 | |||
| 2354dcf578 | |||
| 304304185c | |||
| b712f3cda3 | |||
| cc272a724c | |||
| fcaa97884e | |||
| 11f2cf504f | |||
| 7ab16bc949 | |||
| c4d5cfde56 | |||
| 100d09f6b7 | |||
| 3b0742bfac | |||
| 3ba1ea2e4f | |||
| 91de031896 | |||
| c3ce6a40ea | |||
| beee0ddc75 | |||
| 359f599655 | |||
| 5b1c6f16d1 | |||
| cec69d89a8 | |||
| af0bf7b254 | |||
| bcf8b1607f | |||
| 1d46fd1ec6 | |||
| bac53be707 | |||
| f08bd96b74 | |||
| 25f2a13391 | |||
| 8774c81d23 | |||
| d6eca5c4e3 | |||
| 49d1122ee5 | |||
| 31bbf4b25f | |||
| 2f7e1439d0 | |||
| fa31a84bd2 | |||
| b77c8eb5c0 | |||
| 949661113e | |||
| f442c4d65f | |||
| 690aee634b | |||
| 2ed1c83858 | |||
| d43de08a3b | |||
| e8c7f177e8 | |||
| fb59a242fb | |||
| 65d095feb1 | |||
| 8273d98788 | |||
| 8a84069dcf | |||
| cda84be5b0 | |||
| 79a46ce3f6 | |||
| 19e45be83a | |||
| a8892e2fb2 | |||
| a149f97ac0 | |||
| e76c656378 | |||
| 5877ef60b1 | |||
| 73456de527 | |||
| 2f8e9ea190 | |||
| c3c98392ad | |||
| e01fd902eb | |||
| ce8d759f79 | |||
| ea6296f47a | |||
| c28fc3f229 | |||
| c124183d95 | |||
| d7bb316056 | |||
| c78c29aaa6 | |||
| 7d451f1db5 | |||
| 1d57cec04d | |||
| f50372fabd | |||
| 0f355046de | |||
| 285f5b6a84 | |||
| 20eec03cd4 | |||
| fffdf77d6f | |||
| 42bbb1eca1 | |||
| 34fdc9159c | |||
| 1b6ff9876d | |||
| 0206c159a2 | |||
| 15004829a8 | |||
| 48ffb3cda1 | |||
| 9bbc64afc8 | |||
| 1cf956f37b | |||
| 38a1d38c7f | |||
| f1a6e47e67 | |||
| c061c5be0c | |||
| 08e3e1a287 | |||
| 034f6540d9 | |||
| 695fe48ba8 | |||
| b37551209a | |||
| 19059b742e | |||
| e336c119a5 | |||
| 52ac4ca775 | |||
| 6b352507a3 | |||
| 604b528dd3 | |||
| 689d6582ae | |||
| ccdaeaf4a3 | |||
| 72fdca4998 | |||
| 9ccdeb6ac9 | |||
| 8072121b3c | |||
| 95f6463171 | |||
| 39d3773a10 | |||
| 0e963f8cf0 | |||
| ba6c1c8205 | |||
| 1d47409d96 | |||
| f7757d697d | |||
| 9f43ea887e | |||
| 5f94345a91 | |||
| 28baf322ce | |||
| 12477aeb34 | |||
| e2d553af19 | |||
| 89ea5b321a | |||
| 3940f52760 | |||
| e2f3c81ecd | |||
| a4c3aaa402 | |||
| 5714efc668 | |||
| d5199779a6 | |||
| ae3c7019ef | |||
| 73dc9306f1 | |||
| 09d72305e2 | |||
| 2ace7b649f | |||
| 7703a94b19 | |||
| ebd40fc2d7 | |||
| 9eb5cd869a | |||
| fa37f34028 | |||
| 7111d00df8 | |||
| 833a74a6fb | |||
| d82cc2e605 | |||
| 93cf6f4a63 | |||
| 0f11cca8ec | |||
| d892acb331 | |||
| aa07687a94 |
@@ -7,16 +7,13 @@ jobs:
|
|||||||
evals:
|
evals:
|
||||||
runs-on: debian-latest
|
runs-on: debian-latest
|
||||||
steps:
|
steps:
|
||||||
|
- name: Install sudo
|
||||||
|
run: apt-get install --update --assume-yes sudo
|
||||||
|
|
||||||
- uses: actions/checkout@v6
|
- uses: actions/checkout@v6
|
||||||
|
|
||||||
- name: Install sudo
|
|
||||||
run: apt-get update && apt-get -y install sudo
|
|
||||||
|
|
||||||
- uses: https://github.com/cachix/install-nix-action@v31
|
- uses: https://github.com/cachix/install-nix-action@v31
|
||||||
|
|
||||||
- name: Configure Nix
|
|
||||||
run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
|
|
||||||
|
|
||||||
- name: Build topology graph
|
- name: Build topology graph
|
||||||
run: nix build .#topology -L
|
run: nix build .#topology -L
|
||||||
|
|
||||||
|
|||||||
@@ -6,8 +6,11 @@ jobs:
|
|||||||
evals:
|
evals:
|
||||||
runs-on: debian-latest
|
runs-on: debian-latest
|
||||||
steps:
|
steps:
|
||||||
|
- name: Install sudo
|
||||||
|
run: apt-get install --update --assume-yes sudo
|
||||||
|
|
||||||
- uses: actions/checkout@v6
|
- uses: actions/checkout@v6
|
||||||
- run: apt-get update && apt-get -y install sudo
|
|
||||||
- uses: https://github.com/cachix/install-nix-action@v31
|
- uses: https://github.com/cachix/install-nix-action@v31
|
||||||
- run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
|
|
||||||
- run: nix flake check
|
- run: nix flake check
|
||||||
|
|||||||
@@ -23,3 +23,9 @@ Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lau
|
|||||||
|
|
||||||
Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
|
Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
|
||||||
Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
|
Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
|
||||||
|
Fredrik Robertsen <frero@pvv.ntnu.no> fredrik <fredrikr79@pm.me>
|
||||||
|
|
||||||
|
Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Matthey <VegardMatthey@protonmail.com>
|
||||||
|
Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Bieker Matthey <VegardMatthey@protonmail.com>
|
||||||
|
|
||||||
|
Albert Bayazidi <albertba@pvv.ntnu.no> Albert <albert.bayazidi@gmail.com>
|
||||||
|
|||||||
+13
-24
@@ -10,17 +10,17 @@ keys:
|
|||||||
- &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
|
- &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
|
||||||
|
|
||||||
# Hosts
|
# Hosts
|
||||||
- &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
|
|
||||||
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
|
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
|
||||||
- &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
|
- &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
|
||||||
- &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
|
- &host_ildkule age102e6y8gah0ntr6fxqnkpepc8ar29p6ls7ks9ka7v8w87q8scm9yqmc2u8d
|
||||||
- &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
|
- &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
|
||||||
- &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
|
- &host_lupine-1 age18lta9d683yekz487xwtd99da236d8mgk4ftlmv2jffx858p9qf2s9j868l
|
||||||
- &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
|
- &host_lupine-2 age1e0a4ru707v637wzmuxqv0xywmlkhunzgyfy4mrkjc7a23qq8msgq7nqtvt
|
||||||
- &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
|
- &host_lupine-3 age1wmrrhd5deatmgflkas636u3rzuk46u9knl02v4t39ncs37xqquhq9vwzye
|
||||||
- &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
|
- &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l
|
||||||
- &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
|
- &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn
|
||||||
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
|
- &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
|
||||||
|
- &host_gluttony age12czfkvuw9pjk5qny5c6m2hjhd634cj9r4dsa3ss5zkux5h4vvc7s7k4urq
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
# Global secrets
|
# Global secrets
|
||||||
@@ -91,19 +91,6 @@ creation_rules:
|
|||||||
pgp:
|
pgp:
|
||||||
- *user_oysteikt
|
- *user_oysteikt
|
||||||
|
|
||||||
- path_regex: secrets/ustetind/[^/]+\.yaml$
|
|
||||||
key_groups:
|
|
||||||
- age:
|
|
||||||
- *host_ustetind
|
|
||||||
- *user_danio
|
|
||||||
- *user_felixalb
|
|
||||||
- *user_pederbs_sopp
|
|
||||||
- *user_pederbs_nord
|
|
||||||
- *user_pederbs_bjarte
|
|
||||||
- *user_vegardbm
|
|
||||||
pgp:
|
|
||||||
- *user_oysteikt
|
|
||||||
|
|
||||||
- path_regex: secrets/lupine/[^/]+\.yaml$
|
- path_regex: secrets/lupine/[^/]+\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
@@ -121,10 +108,10 @@ creation_rules:
|
|||||||
pgp:
|
pgp:
|
||||||
- *user_oysteikt
|
- *user_oysteikt
|
||||||
|
|
||||||
- path_regex: secrets/bakke/[^/]+\.yaml$
|
- path_regex: secrets/skrot/[^/]+\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *host_bakke
|
- *host_skrot
|
||||||
- *user_danio
|
- *user_danio
|
||||||
- *user_felixalb
|
- *user_felixalb
|
||||||
- *user_pederbs_sopp
|
- *user_pederbs_sopp
|
||||||
@@ -134,13 +121,15 @@ creation_rules:
|
|||||||
pgp:
|
pgp:
|
||||||
- *user_oysteikt
|
- *user_oysteikt
|
||||||
|
|
||||||
- path_regex: secrets/skrott/[^/]+\.yaml$
|
- path_regex: secrets/gluttony/[^/]+\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
|
- *host_gluttony
|
||||||
- *user_danio
|
- *user_danio
|
||||||
- *user_felixalb
|
- *user_felixalb
|
||||||
- *user_pederbs_sopp
|
- *user_pederbs_sopp
|
||||||
- *user_pederbs_nord
|
- *user_pederbs_nord
|
||||||
- *user_pederbs_bjarte
|
- *user_pederbs_bjarte
|
||||||
|
- *user_vegardbm
|
||||||
pgp:
|
pgp:
|
||||||
- *user_oysteikt
|
- *user_oysteikt
|
||||||
|
|||||||
@@ -39,10 +39,13 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
|
|||||||
| bikkje | Virtual | Experimental login box |
|
| bikkje | Virtual | Experimental login box |
|
||||||
| [brzeczyszczykiewicz][brz] | Physical | Shared music player |
|
| [brzeczyszczykiewicz][brz] | Physical | Shared music player |
|
||||||
| [georg][geo] | Physical | Shared music player |
|
| [georg][geo] | Physical | Shared music player |
|
||||||
|
| [gluttony][glu] | Virtual | General purpose compute |
|
||||||
| [ildkule][ild] | Virtual | Logging and monitoring host, prometheus, grafana, ... |
|
| [ildkule][ild] | Virtual | Logging and monitoring host, prometheus, grafana, ... |
|
||||||
| [kommode][kom] | Virtual | Gitea + Gitea pages |
|
| [kommode][kom] | Virtual | Gitea + Gitea pages |
|
||||||
| [lupine][lup] | Physical | Gitea CI/CD runners |
|
| [lupine][lup] | Physical | Gitea CI/CD runners |
|
||||||
| shark | Virtual | Test host for authentication, absolutely horrendous |
|
| shark | Virtual | Test host for authentication, absolutely horrendous |
|
||||||
|
| [skrot][skr] | Physical | Kiosk, snacks and soda |
|
||||||
|
| [temmie][tem] | Virtual | User websites |
|
||||||
| [wenche][wen] | Virtual | Nix-builders, general purpose compute |
|
| [wenche][wen] | Virtual | Nix-builders, general purpose compute |
|
||||||
|
|
||||||
## Documentation
|
## Documentation
|
||||||
@@ -56,7 +59,10 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
|
|||||||
[bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
|
[bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
|
||||||
[brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
|
[brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
|
||||||
[geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
|
[geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
|
||||||
|
[glu]: https://wiki.pvv.ntnu.no/wiki/Maskiner/gluttony
|
||||||
[ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
|
[ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
|
||||||
[kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
|
[kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
|
||||||
[lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
|
[lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
|
||||||
|
[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrot
|
||||||
|
[tem]: https://wiki.pvv.ntnu.no/wiki/Maskiner/temmie
|
||||||
[wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche
|
[wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche
|
||||||
|
|||||||
+20
-22
@@ -10,14 +10,20 @@
|
|||||||
(fp /users)
|
(fp /users)
|
||||||
(fp /modules/snakeoil-certs.nix)
|
(fp /modules/snakeoil-certs.nix)
|
||||||
|
|
||||||
|
./mitigations.nix
|
||||||
|
|
||||||
|
./flake-input-exporter.nix
|
||||||
|
./hardening.nix
|
||||||
./networking.nix
|
./networking.nix
|
||||||
./nix.nix
|
./nix.nix
|
||||||
|
./programs.nix
|
||||||
|
./sops.nix
|
||||||
./vm.nix
|
./vm.nix
|
||||||
./flake-input-exporter.nix
|
|
||||||
|
|
||||||
./services/acme.nix
|
./services/acme.nix
|
||||||
./services/auto-upgrade.nix
|
./services/auto-upgrade.nix
|
||||||
./services/dbus.nix
|
./services/dbus.nix
|
||||||
|
./services/fluentbit.nix
|
||||||
./services/fwupd.nix
|
./services/fwupd.nix
|
||||||
./services/irqbalance.nix
|
./services/irqbalance.nix
|
||||||
./services/journald-upload.nix
|
./services/journald-upload.nix
|
||||||
@@ -28,7 +34,6 @@
|
|||||||
./services/postfix.nix
|
./services/postfix.nix
|
||||||
./services/prometheus-node-exporter.nix
|
./services/prometheus-node-exporter.nix
|
||||||
./services/prometheus-systemd-exporter.nix
|
./services/prometheus-systemd-exporter.nix
|
||||||
./services/promtail.nix
|
|
||||||
./services/roowho2.nix
|
./services/roowho2.nix
|
||||||
./services/smartd.nix
|
./services/smartd.nix
|
||||||
./services/thermald.nix
|
./services/thermald.nix
|
||||||
@@ -40,6 +45,9 @@
|
|||||||
boot.tmp.cleanOnBoot = lib.mkDefault true;
|
boot.tmp.cleanOnBoot = lib.mkDefault true;
|
||||||
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
|
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = lib.mkDefault true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = lib.mkDefault true;
|
||||||
|
|
||||||
time.timeZone = "Europe/Oslo";
|
time.timeZone = "Europe/Oslo";
|
||||||
|
|
||||||
i18n.defaultLocale = "en_US.UTF-8";
|
i18n.defaultLocale = "en_US.UTF-8";
|
||||||
@@ -48,22 +56,8 @@
|
|||||||
keyMap = "no";
|
keyMap = "no";
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
# Don't install the /lib/ld-linux.so.2 stub
|
||||||
file
|
environment.ldso32 = null;
|
||||||
git
|
|
||||||
gnupg
|
|
||||||
htop
|
|
||||||
nano
|
|
||||||
net-tools
|
|
||||||
ripgrep
|
|
||||||
rsync
|
|
||||||
screen
|
|
||||||
tmux
|
|
||||||
vim
|
|
||||||
wget
|
|
||||||
|
|
||||||
kitty.terminfo
|
|
||||||
];
|
|
||||||
|
|
||||||
# .bash_profile already works, but lets also use .bashrc like literally every other distro
|
# .bash_profile already works, but lets also use .bashrc like literally every other distro
|
||||||
# https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
|
# https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
|
||||||
@@ -77,15 +71,19 @@
|
|||||||
fi
|
fi
|
||||||
'';
|
'';
|
||||||
|
|
||||||
programs.zsh.enable = true;
|
|
||||||
|
|
||||||
# security.lockKernelModules = true;
|
|
||||||
security.protectKernelImage = true;
|
|
||||||
security.sudo.execWheelOnly = true;
|
security.sudo.execWheelOnly = true;
|
||||||
security.sudo.extraConfig = ''
|
security.sudo.extraConfig = ''
|
||||||
Defaults lecture = never
|
Defaults lecture = never
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
# These are servers, sleep is for the weak
|
||||||
|
systemd.sleep.settings.Sleep = {
|
||||||
|
AllowSuspend = lib.mkDefault false;
|
||||||
|
AllowHibernation = lib.mkDefault false;
|
||||||
|
};
|
||||||
|
|
||||||
|
# users.mutableUsers = lib.mkDefault false;
|
||||||
|
|
||||||
users.groups."drift".name = "drift";
|
users.groups."drift".name = "drift";
|
||||||
|
|
||||||
# Trusted users on the nix builder machines
|
# Trusted users on the nix builder machines
|
||||||
|
|||||||
@@ -0,0 +1,71 @@
|
|||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
boot.blacklistedKernelModules = [
|
||||||
|
# Obscure network protocols
|
||||||
|
"appletalk"
|
||||||
|
"atm"
|
||||||
|
"ax25"
|
||||||
|
"batman-adv"
|
||||||
|
"can"
|
||||||
|
"dccp"
|
||||||
|
"ipx"
|
||||||
|
"llc"
|
||||||
|
"n-hdlc"
|
||||||
|
"netrom"
|
||||||
|
"p8022"
|
||||||
|
"p8023"
|
||||||
|
"psnap"
|
||||||
|
"rds"
|
||||||
|
"rose"
|
||||||
|
"sctp"
|
||||||
|
"tipc"
|
||||||
|
|
||||||
|
# Filesystems we don't use
|
||||||
|
"adfs"
|
||||||
|
"affs"
|
||||||
|
"befs"
|
||||||
|
"bfs"
|
||||||
|
"cifs"
|
||||||
|
"cramfs"
|
||||||
|
"efs"
|
||||||
|
"exofs"
|
||||||
|
"freevxfs"
|
||||||
|
"gfs2"
|
||||||
|
"hfs"
|
||||||
|
"hfsplus"
|
||||||
|
"hpfs"
|
||||||
|
"jffs2"
|
||||||
|
"jfs"
|
||||||
|
"minix"
|
||||||
|
"nilfs2"
|
||||||
|
"ntfs"
|
||||||
|
"omfs"
|
||||||
|
"orangefs"
|
||||||
|
"qnx4"
|
||||||
|
"qnx6"
|
||||||
|
"sysv"
|
||||||
|
"ubifs"
|
||||||
|
"udf"
|
||||||
|
"ufs"
|
||||||
|
|
||||||
|
# Legacy hardware
|
||||||
|
"pcspkr"
|
||||||
|
"floppy"
|
||||||
|
"parport"
|
||||||
|
"ppdev"
|
||||||
|
|
||||||
|
# Other stuff we don't use
|
||||||
|
"firewire-core"
|
||||||
|
"firewire-ohci"
|
||||||
|
"ksmbd"
|
||||||
|
"ib_core"
|
||||||
|
"l2tp_eth"
|
||||||
|
"l2tp_netlink"
|
||||||
|
"l2tp_ppp"
|
||||||
|
"nfc"
|
||||||
|
"soundwire"
|
||||||
|
];
|
||||||
|
|
||||||
|
# security.lockKernelModules = true;
|
||||||
|
security.protectKernelImage = true;
|
||||||
|
}
|
||||||
@@ -0,0 +1,24 @@
|
|||||||
|
{ pkgs, lib, ... }:
|
||||||
|
let
|
||||||
|
modulesToBan = [
|
||||||
|
# copy.fail
|
||||||
|
"af_alg"
|
||||||
|
"algif_aead"
|
||||||
|
"algif_hash"
|
||||||
|
"algif_rng"
|
||||||
|
"algif_skcipher"
|
||||||
|
|
||||||
|
# dirtyfrag / Fragnesia
|
||||||
|
"esp4"
|
||||||
|
"esp6"
|
||||||
|
"rxrpc"
|
||||||
|
|
||||||
|
# PinTheft
|
||||||
|
"rds"
|
||||||
|
];
|
||||||
|
in
|
||||||
|
{
|
||||||
|
boot.blacklistedKernelModules = modulesToBan;
|
||||||
|
|
||||||
|
boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
|
||||||
|
}
|
||||||
+1
-1
@@ -8,6 +8,6 @@
|
|||||||
|
|
||||||
services.resolved = {
|
services.resolved = {
|
||||||
enable = lib.mkDefault true;
|
enable = lib.mkDefault true;
|
||||||
dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
|
settings.Resolve.DNSSEC = false; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -37,4 +37,9 @@
|
|||||||
"unstable=${inputs.nixpkgs-unstable}"
|
"unstable=${inputs.nixpkgs-unstable}"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Make builds to be more likely killed than important services.
|
||||||
|
# 100 is the default for user slices and 500 is systemd-coredumpd@
|
||||||
|
# We rather want a build to be killed than our precious user sessions as builds can be easily restarted.
|
||||||
|
systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = lib.mkDefault 250;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -0,0 +1,68 @@
|
|||||||
|
{ pkgs, lib, ... }:
|
||||||
|
{
|
||||||
|
# We don't need fonts on headless machines
|
||||||
|
fonts.fontconfig.enable = lib.mkDefault false;
|
||||||
|
|
||||||
|
# Extra packags for better terminal emulator compatibility in SSH sessions
|
||||||
|
environment.enableAllTerminfo = true;
|
||||||
|
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
# Debug dns outside resolvectl
|
||||||
|
dig
|
||||||
|
|
||||||
|
# Debug and find files
|
||||||
|
file
|
||||||
|
|
||||||
|
# Process json data
|
||||||
|
jq
|
||||||
|
|
||||||
|
# Check computer specs
|
||||||
|
lshw
|
||||||
|
|
||||||
|
# Check who is keeping open files
|
||||||
|
lsof
|
||||||
|
|
||||||
|
# Scan for open ports with netstat
|
||||||
|
net-tools
|
||||||
|
|
||||||
|
# Grep for files quickly
|
||||||
|
ripgrep
|
||||||
|
|
||||||
|
# Copy files over the network
|
||||||
|
rsync
|
||||||
|
|
||||||
|
# Access various state, often in /var/lib
|
||||||
|
sqlite-interactive
|
||||||
|
|
||||||
|
# Debug software which won't debug itself
|
||||||
|
strace
|
||||||
|
|
||||||
|
# Download files from the internet
|
||||||
|
wget
|
||||||
|
];
|
||||||
|
|
||||||
|
# Clone/push nix config and friends
|
||||||
|
programs.git.enable = true;
|
||||||
|
|
||||||
|
# Gitea gpg, oysteikt sops, etc.
|
||||||
|
programs.gnupg.agent.enable = true;
|
||||||
|
|
||||||
|
# Monitor the wellbeing of the machines
|
||||||
|
programs.htop.enable = true;
|
||||||
|
|
||||||
|
# Keep sessions running during work over SSH
|
||||||
|
programs.tmux.enable = true;
|
||||||
|
|
||||||
|
# Same reasoning as tmux
|
||||||
|
programs.screen.enable = true;
|
||||||
|
|
||||||
|
# Edit files on the system without resorting to joe(1)
|
||||||
|
programs.nano.enable = true;
|
||||||
|
# Same reasoning as nano
|
||||||
|
programs.vim.enable = true;
|
||||||
|
# Same reasoning as vim
|
||||||
|
programs.neovim.enable = true;
|
||||||
|
|
||||||
|
# Some people like this shell for some reason
|
||||||
|
programs.zsh.enable = true;
|
||||||
|
}
|
||||||
@@ -8,8 +8,6 @@
|
|||||||
# Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
|
# Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
|
||||||
virtualisation.vmVariant = {
|
virtualisation.vmVariant = {
|
||||||
security.acme.defaults.server = "https://127.0.0.1";
|
security.acme.defaults.server = "https://127.0.0.1";
|
||||||
security.acme.preliminarySelfsigned = true;
|
|
||||||
|
|
||||||
users.users.root.initialPassword = "root";
|
users.users.root.initialPassword = "root";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
@@ -28,7 +28,7 @@ in
|
|||||||
|
|
||||||
# workaround for https://github.com/NixOS/nix/issues/6895
|
# workaround for https://github.com/NixOS/nix/issues/6895
|
||||||
# via https://git.lix.systems/lix-project/lix/issues/400
|
# via https://git.lix.systems/lix-project/lix/issues/400
|
||||||
environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
|
environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) {
|
||||||
"current-system-flake-inputs.json".source
|
"current-system-flake-inputs.json".source
|
||||||
= pkgs.writers.writeJSON "flake-inputs.json" (
|
= pkgs.writers.writeJSON "flake-inputs.json" (
|
||||||
lib.flip lib.mapAttrs inputs (name: input:
|
lib.flip lib.mapAttrs inputs (name: input:
|
||||||
|
|||||||
@@ -0,0 +1,135 @@
|
|||||||
|
{ config, lib, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.fluent-bit;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services.fluent-bit = {
|
||||||
|
enable = lib.mkDefault true;
|
||||||
|
settings = {
|
||||||
|
service = {
|
||||||
|
flush = 1;
|
||||||
|
log_level = "warn";
|
||||||
|
|
||||||
|
http_server = "on";
|
||||||
|
http_listen = "127.0.0.1";
|
||||||
|
http_port = 28183;
|
||||||
|
|
||||||
|
# filesystem-backed buffering so logs survives potential outages.
|
||||||
|
"storage.path" = "/var/lib/fluent-bit/storage";
|
||||||
|
"storage.sync" = "normal";
|
||||||
|
"storage.max_chunks_up" = 64;
|
||||||
|
"storage.backlog.mem_limit" = "16M";
|
||||||
|
};
|
||||||
|
|
||||||
|
pipeline = {
|
||||||
|
inputs = [{
|
||||||
|
name = "systemd";
|
||||||
|
tag = "journal.*";
|
||||||
|
|
||||||
|
db = "/var/lib/fluent-bit/journal.db";
|
||||||
|
read_from_tail = true;
|
||||||
|
strip_underscores = true;
|
||||||
|
lowercase = true;
|
||||||
|
max_entries = 1000;
|
||||||
|
"storage.type" = "filesystem";
|
||||||
|
}];
|
||||||
|
|
||||||
|
filters = [{
|
||||||
|
name = "modify";
|
||||||
|
match = "journal.*";
|
||||||
|
rename = [
|
||||||
|
"hostname host"
|
||||||
|
"priority level"
|
||||||
|
"systemd_unit unit"
|
||||||
|
];
|
||||||
|
}] ++ (lib.mapAttrsToList (k: v: {
|
||||||
|
name = "modify";
|
||||||
|
match = "journal.*";
|
||||||
|
condition = "Key_value_equals level ${k}";
|
||||||
|
set = "level ${v}";
|
||||||
|
}) {
|
||||||
|
"7" = "debug";
|
||||||
|
"6" = "info";
|
||||||
|
"5" = "notice";
|
||||||
|
"4" = "warning";
|
||||||
|
"3" = "error";
|
||||||
|
"2" = "crit";
|
||||||
|
"1" = "alert";
|
||||||
|
"0" = "emergency";
|
||||||
|
});
|
||||||
|
|
||||||
|
outputs = [{
|
||||||
|
name = "loki";
|
||||||
|
match = "*";
|
||||||
|
|
||||||
|
host = "ildkule.pvv.ntnu.no";
|
||||||
|
port = 3100;
|
||||||
|
uri = "/loki/api/v1/push";
|
||||||
|
compress = "gzip";
|
||||||
|
|
||||||
|
labels = lib.concatStringsSep ", " [
|
||||||
|
"job=systemd-journal"
|
||||||
|
];
|
||||||
|
label_keys = lib.concatMapStringsSep "," (k: "$" + k) [
|
||||||
|
"host"
|
||||||
|
"unit"
|
||||||
|
"level"
|
||||||
|
];
|
||||||
|
|
||||||
|
# JSON is probably fine for now, then we just extract the keys we want with the grafana web ui
|
||||||
|
# line_format = "key_value";
|
||||||
|
# drop_single_key = true;
|
||||||
|
|
||||||
|
"storage.total_limit_size" = "256M";
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.fluent-bit = lib.mkIf cfg.enable {
|
||||||
|
serviceConfig = {
|
||||||
|
StateDirectory = "fluent-bit";
|
||||||
|
|
||||||
|
# NOTE: This hardening might be way too strong for general purpose use, don't upstream this.
|
||||||
|
AmbientCapabilities = [ "" ];
|
||||||
|
CapabilityBoundingSet = [ "" ];
|
||||||
|
DeviceAllow = [ "" ];
|
||||||
|
LockPersonality = true;
|
||||||
|
# Lua JIT, maybe other things
|
||||||
|
MemoryDenyWriteExecute = false;
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateMounts = true;
|
||||||
|
PrivateTmp = true;
|
||||||
|
PrivateUsers = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
ProtectSystem = "strict";
|
||||||
|
RestrictAddressFamilies = [
|
||||||
|
"AF_INET"
|
||||||
|
"AF_INET6"
|
||||||
|
"AF_UNIX"
|
||||||
|
];
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallFilter = [
|
||||||
|
"@system-service"
|
||||||
|
"~@privileged"
|
||||||
|
"~@resources"
|
||||||
|
];
|
||||||
|
UMask = "0077";
|
||||||
|
|
||||||
|
BindReadOnlyPaths = [
|
||||||
|
"/run/systemd/journal"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -6,8 +6,7 @@ in
|
|||||||
services.journald.upload = {
|
services.journald.upload = {
|
||||||
enable = lib.mkDefault true;
|
enable = lib.mkDefault true;
|
||||||
settings.Upload = {
|
settings.Upload = {
|
||||||
# URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}";
|
URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}";
|
||||||
URL = "https://${values.hosts.ildkule.ipv4}:${toString config.services.journald.remote.port}";
|
|
||||||
ServerKeyFile = "-";
|
ServerKeyFile = "-";
|
||||||
ServerCertificateFile = "-";
|
ServerCertificateFile = "-";
|
||||||
TrustedCertificateFile = "-";
|
TrustedCertificateFile = "-";
|
||||||
|
|||||||
+10
-1
@@ -39,7 +39,8 @@
|
|||||||
SystemCallFilter = lib.mkForce null;
|
SystemCallFilter = lib.mkForce null;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
|
services.nginx.virtualHosts = lib.mkIf config.services.nginx.enable {
|
||||||
|
"_" = {
|
||||||
listen = [
|
listen = [
|
||||||
{
|
{
|
||||||
addr = "0.0.0.0";
|
addr = "0.0.0.0";
|
||||||
@@ -64,4 +65,12 @@
|
|||||||
addSSL = true;
|
addSSL = true;
|
||||||
extraConfig = "return 444;";
|
extraConfig = "return 444;";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
${config.networking.fqdn} = {
|
||||||
|
sslCertificate = lib.mkDefault "/etc/certs/nginx.crt";
|
||||||
|
sslCertificateKey = lib.mkDefault "/etc/certs/nginx.key";
|
||||||
|
addSSL = lib.mkDefault true;
|
||||||
|
extraConfig = lib.mkDefault "return 444;";
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,38 +0,0 @@
|
|||||||
{ config, lib, values, ... }:
|
|
||||||
let
|
|
||||||
cfg = config.services.prometheus.exporters.node;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
services.promtail = {
|
|
||||||
enable = lib.mkDefault true;
|
|
||||||
configuration = {
|
|
||||||
server = {
|
|
||||||
http_listen_port = 28183;
|
|
||||||
grpc_listen_port = 0;
|
|
||||||
};
|
|
||||||
clients = [{
|
|
||||||
url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
|
|
||||||
}];
|
|
||||||
scrape_configs = [{
|
|
||||||
job_name = "systemd-journal";
|
|
||||||
journal = {
|
|
||||||
max_age = "12h";
|
|
||||||
labels = {
|
|
||||||
job = "systemd-journal";
|
|
||||||
host = config.networking.hostName;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
relabel_configs = [
|
|
||||||
{
|
|
||||||
source_labels = [ "__journal__systemd_unit" ];
|
|
||||||
target_label = "unit";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
source_labels = [ "__journal_priority_keyword" ];
|
|
||||||
target_label = "level";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
@@ -1,7 +1,9 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
{
|
{
|
||||||
services.smartd = {
|
services.smartd = {
|
||||||
enable = lib.mkDefault true;
|
# NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
|
||||||
|
# hosts with disk passthrough.
|
||||||
|
enable = lib.mkDefault (!config.services.qemuGuest.enable);
|
||||||
notifications = {
|
notifications = {
|
||||||
mail = {
|
mail = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|||||||
@@ -0,0 +1,12 @@
|
|||||||
|
{ config, fp, lib, ... }:
|
||||||
|
{
|
||||||
|
sops.defaultSopsFile = let
|
||||||
|
secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
|
||||||
|
in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
|
||||||
|
|
||||||
|
sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
|
||||||
|
sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
keyFile = "/var/lib/sops-nix/key.txt";
|
||||||
|
generateKey = true;
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -11,5 +11,6 @@
|
|||||||
};
|
};
|
||||||
config.virtualisation.vmVariant = {
|
config.virtualisation.vmVariant = {
|
||||||
virtualisation.isVmVariant = true;
|
virtualisation.isVmVariant = true;
|
||||||
|
virtualisation.graphics = false;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -151,7 +151,7 @@ is up to date, you can do the following:
|
|||||||
|
|
||||||
```console
|
```console
|
||||||
# Fetch gpg (unless you have it already)
|
# Fetch gpg (unless you have it already)
|
||||||
nix-shell -p gpg
|
nix shell nixpkgs#gnupg
|
||||||
|
|
||||||
# Import oysteikts key to the gpg keychain
|
# Import oysteikts key to the gpg keychain
|
||||||
gpg --import ./keys/oysteikt.pub
|
gpg --import ./keys/oysteikt.pub
|
||||||
|
|||||||
Generated
+77
-93
@@ -1,18 +1,32 @@
|
|||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
|
"crane": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1776635034,
|
||||||
|
"narHash": "sha256-OEOJrT3ZfwbChzODfIH4GzlNTtOFuZFWPtW7jIeR8xU=",
|
||||||
|
"owner": "ipetkov",
|
||||||
|
"repo": "crane",
|
||||||
|
"rev": "dc7496d8ea6e526b1254b55d09b966e94673750f",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "ipetkov",
|
||||||
|
"repo": "crane",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"dibbler": {
|
"dibbler": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-utils": "flake-utils",
|
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1768138611,
|
"lastModified": 1771267058,
|
||||||
"narHash": "sha256-KfZX6wpuwE2IRKLjh0DrEviE4f6kqLJWwKIE5QJSqa4=",
|
"narHash": "sha256-EEL4SmD1b3BPJPsSJJ4wDTXWMumJqbR+BLzhJJG0skE=",
|
||||||
"ref": "main",
|
"ref": "main",
|
||||||
"rev": "cb385097dcda5fb9772f903688d078b30a66ccd4",
|
"rev": "e3962d02c78b9c7b4d18148d931a9a4bf22e7902",
|
||||||
"revCount": 221,
|
"revCount": 254,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
|
"url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
|
||||||
},
|
},
|
||||||
@@ -29,16 +43,16 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1736864502,
|
"lastModified": 1768920986,
|
||||||
"narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
|
"narHash": "sha256-CNzzBsRhq7gg4BMBuTDObiWDH/rFYHEuDRVOwCcwXw4=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "disko",
|
"repo": "disko",
|
||||||
"rev": "0141aabed359f063de7413f80d906e1d98c0c123",
|
"rev": "de5708739256238fb912c62f03988815db89ec9a",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"ref": "v1.11.0",
|
"ref": "v1.13.0",
|
||||||
"repo": "disko",
|
"repo": "disko",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
@@ -48,11 +62,11 @@
|
|||||||
"nixpkgs-lib": "nixpkgs-lib"
|
"nixpkgs-lib": "nixpkgs-lib"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1765835352,
|
"lastModified": 1772408722,
|
||||||
"narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
|
"narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
|
||||||
"owner": "hercules-ci",
|
"owner": "hercules-ci",
|
||||||
"repo": "flake-parts",
|
"repo": "flake-parts",
|
||||||
"rev": "a34fae9c08a15ad73f295041fec82323541400a9",
|
"rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -61,35 +75,18 @@
|
|||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"flake-utils": {
|
|
||||||
"inputs": {
|
|
||||||
"systems": "systems"
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1731533236,
|
|
||||||
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
|
|
||||||
"owner": "numtide",
|
|
||||||
"repo": "flake-utils",
|
|
||||||
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"id": "flake-utils",
|
|
||||||
"type": "indirect"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"gergle": {
|
"gergle": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs-unstable"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1767906545,
|
"lastModified": 1777067150,
|
||||||
"narHash": "sha256-LOf08pcjEQFLs3dLPuep5d1bAXWOFcdfxuk3YMb5KWw=",
|
"narHash": "sha256-vqPz8jCS1zTQlvmgctUFpvnr6f9ISR5h7CPG/HgQvf0=",
|
||||||
"ref": "main",
|
"ref": "main",
|
||||||
"rev": "e55cbe0ce0b20fc5952ed491fa8a553c8afb1bdd",
|
"rev": "b452a854fb78d6df9fe062b45e23a968657d115d",
|
||||||
"revCount": 23,
|
"revCount": 35,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
|
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
|
||||||
},
|
},
|
||||||
@@ -102,15 +99,15 @@
|
|||||||
"greg-ng": {
|
"greg-ng": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs-unstable"
|
||||||
],
|
],
|
||||||
"rust-overlay": "rust-overlay"
|
"rust-overlay": "rust-overlay"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1767906494,
|
"lastModified": 1777019032,
|
||||||
"narHash": "sha256-Dd6gtdZfRMAD6JhdX0GdJwIHVaBikePSpQXhIdwLlWI=",
|
"narHash": "sha256-29lw7THThWb5DW01rVRj1b816Apwz/P4m2wVWaSIadU=",
|
||||||
"ref": "main",
|
"ref": "main",
|
||||||
"rev": "7258822e2e90fea2ea00b13b5542f63699e33a9e",
|
"rev": "55262afca46c96f75a834d4e00e30d5fb20affb6",
|
||||||
"revCount": 61,
|
"revCount": 61,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
|
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
|
||||||
@@ -192,11 +189,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1768749374,
|
"lastModified": 1769500363,
|
||||||
"narHash": "sha256-dhXYLc64d7TKCnRPW4TlHGl6nLRNdabJB2DpJ8ffUw0=",
|
"narHash": "sha256-vFxmdsLBPdTy5j2bf54gbTQi1XnWbZDmeR/BBh8MFrw=",
|
||||||
"ref": "main",
|
"ref": "main",
|
||||||
"rev": "040294f2e1df46e33d995add6944b25859654097",
|
"rev": "2618e434e40e109eaab6a0693313c7e0de7324a3",
|
||||||
"revCount": 37,
|
"revCount": 47,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
|
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
|
||||||
},
|
},
|
||||||
@@ -213,11 +210,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1767906352,
|
"lastModified": 1770960722,
|
||||||
"narHash": "sha256-wYsH9MMAPFG3XTL+3DwI39XMG0F2fTmn/5lt265a3Es=",
|
"narHash": "sha256-IdhPsWFZUKSJh/nLjGLJvGM5d5Uta+k1FlVYPxTZi0E=",
|
||||||
"ref": "main",
|
"ref": "main",
|
||||||
"rev": "d054c5d064b8ed6d53a0adb0cf6c0a72febe212e",
|
"rev": "c2e4aca7e1ba27cd09eeaeab47010d32a11841b2",
|
||||||
"revCount": 13,
|
"revCount": 15,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
|
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
|
||||||
},
|
},
|
||||||
@@ -235,11 +232,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1768068512,
|
"lastModified": 1778407980,
|
||||||
"narHash": "sha256-pH5wkcNOiXy4MBjDTe6A1gml+7m+ULC3lYMBPMqdS1w=",
|
"narHash": "sha256-r980BhsReZQe6FkmyNZkwCZpvzARo5jZgTl8HxjAssY=",
|
||||||
"owner": "oddlama",
|
"owner": "oddlama",
|
||||||
"repo": "nix-topology",
|
"repo": "nix-topology",
|
||||||
"rev": "4367a2093c5ff74fc478466aebf41d47ce0cacb4",
|
"rev": "ca0a602f650306d00d6f3e3c76d0f4c48a5c5adc",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -251,24 +248,24 @@
|
|||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1768555036,
|
"lastModified": 1779622335,
|
||||||
"narHash": "sha256-qJTh3xrFsqrXDzUmjPGV0VC70vpsq/YP25Jo6Fh7PTs=",
|
"narHash": "sha256-06G98ieM6l+OI7EMhlvchgDBDn+DvIWCNj40LDhKpmc=",
|
||||||
"rev": "1d2851ebcd64734ef057e8c80e05dd5600323792",
|
"rev": "705e9929918b43bd7b715dc0a878ac870449bb03",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4104.1d2851ebcd64/nixexprs.tar.xz"
|
"url": "https://releases.nixos.org/nixos/26.05-small/nixos-26.05beta1.705e9929918b/nixexprs.tar.xz"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"
|
"url": "https://nixos.org/channels/nixos-26.05-small/nixexprs.tar.xz"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-lib": {
|
"nixpkgs-lib": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1765674936,
|
"lastModified": 1772328832,
|
||||||
"narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
|
"narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "nixpkgs.lib",
|
"repo": "nixpkgs.lib",
|
||||||
"rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
|
"rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -279,11 +276,11 @@
|
|||||||
},
|
},
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1768553552,
|
"lastModified": 1778586796,
|
||||||
"narHash": "sha256-YeNMZDAxdQUMLcqZmoc+/WzYrJxTEg6Y7uNALUcF1dE=",
|
"narHash": "sha256-XmDljcG4x8slQDlsWOc77pCA1YVuYn8JGumkYlhfTxI=",
|
||||||
"rev": "a6b8b0f0ceb6d4f5da70808e26c68044099460fd",
|
"rev": "b25e938b89759b5f9466fc53c4a970244f84dc39",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre928681.a6b8b0f0ceb6/nixexprs.tar.xz"
|
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre996582.b25e938b8975/nixexprs.tar.xz"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
@@ -318,11 +315,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1768636400,
|
"lastModified": 1778960428,
|
||||||
"narHash": "sha256-AiSKT4/25LS1rUlPduBMogf4EbdMQYDY1rS7AvHFcxk=",
|
"narHash": "sha256-YAs3LbFGlBLJW3xHeoQfTq2GBBXTvuSKl2WXDtloczU=",
|
||||||
"ref": "main",
|
"ref": "main",
|
||||||
"rev": "3a8f82b12a44e6c4ceacd6955a290a52d1ee2856",
|
"rev": "927748790b1f7159adfe32a3ad9ec01d22e9c5a2",
|
||||||
"revCount": 573,
|
"revCount": 583,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
|
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
|
||||||
},
|
},
|
||||||
@@ -376,22 +373,24 @@
|
|||||||
},
|
},
|
||||||
"roowho2": {
|
"roowho2": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
|
"crane": "crane",
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
],
|
],
|
||||||
"rust-overlay": "rust-overlay_3"
|
"rust-overlay": "rust-overlay_3"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1768140181,
|
"lastModified": 1778600367,
|
||||||
"narHash": "sha256-HfZzup5/jlu8X5vMUglTovVTSwhHGHwwV1YOFIL/ksA=",
|
"narHash": "sha256-YB0b2xUf4D8792D5Ay//7C3AjHyv+9yoy8K1mTe+wvE=",
|
||||||
"ref": "main",
|
"ref": "main",
|
||||||
"rev": "834463ed64773939798589ee6fd4adfe3a97dddd",
|
"rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
|
||||||
"revCount": 43,
|
"revCount": 91,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
|
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"ref": "main",
|
"ref": "main",
|
||||||
|
"rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
|
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
|
||||||
}
|
}
|
||||||
@@ -404,11 +403,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1767840362,
|
"lastModified": 1777000482,
|
||||||
"narHash": "sha256-ZtsFqUhilubohNZ1TgpQIFsi4biZTwRH9rjZsDRDik8=",
|
"narHash": "sha256-CZ5FKUSA8FCJf0h9GWdPJXoVVDL9H5yC74GkVc5ubIM=",
|
||||||
"owner": "oxalica",
|
"owner": "oxalica",
|
||||||
"repo": "rust-overlay",
|
"repo": "rust-overlay",
|
||||||
"rev": "d159ea1fc321c60f88a616ac28bab660092a227d",
|
"rev": "403c09094a877e6c4816462d00b1a56ff8198e06",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -446,11 +445,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1767322002,
|
"lastModified": 1776914043,
|
||||||
"narHash": "sha256-yHKXXw2OWfIFsyTjduB4EyFwR0SYYF0hK8xI9z4NIn0=",
|
"narHash": "sha256-qug5r56yW1qOsjSI99l3Jm15JNT9CvS2otkXNRNtrPI=",
|
||||||
"owner": "oxalica",
|
"owner": "oxalica",
|
||||||
"repo": "rust-overlay",
|
"repo": "rust-overlay",
|
||||||
"rev": "03c6e38661c02a27ca006a284813afdc461e9f7e",
|
"rev": "2d35c4358d7de3a0e606a6e8b27925d981c01cc3",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -466,11 +465,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1768481291,
|
"lastModified": 1777944972,
|
||||||
"narHash": "sha256-NjKtkJraCZEnLHAJxLTI+BfdU//9coAz9p5TqveZwPU=",
|
"narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "e085e303dfcce21adcb5fec535d65aacb066f101",
|
"rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -479,21 +478,6 @@
|
|||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
|
||||||
"systems": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1681028828,
|
|
||||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
|
||||||
"owner": "nix-systems",
|
|
||||||
"repo": "default",
|
|
||||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nix-systems",
|
|
||||||
"repo": "default",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"root": "root",
|
"root": "root",
|
||||||
|
|||||||
@@ -2,13 +2,13 @@
|
|||||||
description = "PVV System flake";
|
description = "PVV System flake";
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz";
|
nixpkgs.url = "https://nixos.org/channels/nixos-26.05-small/nixexprs.tar.xz";
|
||||||
nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
|
nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
|
||||||
|
|
||||||
sops-nix.url = "github:Mic92/sops-nix/master";
|
sops-nix.url = "github:Mic92/sops-nix/master";
|
||||||
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
|
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
disko.url = "github:nix-community/disko/v1.11.0";
|
disko.url = "github:nix-community/disko/v1.13.0";
|
||||||
disko.inputs.nixpkgs.follows = "nixpkgs";
|
disko.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
nix-topology.url = "github:oddlama/nix-topology/main";
|
nix-topology.url = "github:oddlama/nix-topology/main";
|
||||||
@@ -32,13 +32,13 @@
|
|||||||
minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
|
minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
|
||||||
minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
|
minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main";
|
roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main&rev=8e5f2849ff7c9616100fe928261512a7ad647939";
|
||||||
roowho2.inputs.nixpkgs.follows = "nixpkgs";
|
roowho2.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
|
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
|
||||||
greg-ng.inputs.nixpkgs.follows = "nixpkgs";
|
greg-ng.inputs.nixpkgs.follows = "nixpkgs-unstable";
|
||||||
gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git?ref=main";
|
gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git?ref=main";
|
||||||
gergle.inputs.nixpkgs.follows = "nixpkgs";
|
gergle.inputs.nixpkgs.follows = "nixpkgs-unstable";
|
||||||
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git?ref=master";
|
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git?ref=master";
|
||||||
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
|
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
@@ -49,8 +49,14 @@
|
|||||||
qotd.inputs.nixpkgs.follows = "nixpkgs";
|
qotd.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
|
outputs = {
|
||||||
let
|
self,
|
||||||
|
nixpkgs,
|
||||||
|
nixpkgs-unstable,
|
||||||
|
sops-nix,
|
||||||
|
disko,
|
||||||
|
...
|
||||||
|
} @ inputs: let
|
||||||
inherit (nixpkgs) lib;
|
inherit (nixpkgs) lib;
|
||||||
systems = [
|
systems = [
|
||||||
"x86_64-linux"
|
"x86_64-linux"
|
||||||
@@ -62,9 +68,11 @@
|
|||||||
importantMachines = [
|
importantMachines = [
|
||||||
"bekkalokk"
|
"bekkalokk"
|
||||||
"bicep"
|
"bicep"
|
||||||
"brzeczyszczykiewicz"
|
|
||||||
"georg"
|
"georg"
|
||||||
"ildkule"
|
"ildkule"
|
||||||
|
"kommode"
|
||||||
|
"lupine-1"
|
||||||
|
"skrot"
|
||||||
];
|
];
|
||||||
in {
|
in {
|
||||||
inputs = lib.mapAttrs (_: src: src.outPath) inputs;
|
inputs = lib.mapAttrs (_: src: src.outPath) inputs;
|
||||||
@@ -72,60 +80,85 @@
|
|||||||
pkgs = forAllSystems (system:
|
pkgs = forAllSystems (system:
|
||||||
import nixpkgs {
|
import nixpkgs {
|
||||||
inherit system;
|
inherit system;
|
||||||
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
|
config.allowUnfreePredicate = pkg:
|
||||||
|
builtins.elem (lib.getName pkg)
|
||||||
[
|
[
|
||||||
"nvidia-x11"
|
"nvidia-x11"
|
||||||
"nvidia-settings"
|
"nvidia-settings"
|
||||||
|
"nvidia-kernel-modules"
|
||||||
];
|
];
|
||||||
});
|
});
|
||||||
|
|
||||||
nixosConfigurations = let
|
nixosConfigurations = let
|
||||||
unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
|
nixosConfig = nixpkgs: name: configurationPath: extraArgs @ {
|
||||||
|
localSystem ? "x86_64-linux", # buildPlatform
|
||||||
nixosConfig =
|
crossSystem ? "x86_64-linux", # hostPlatform
|
||||||
nixpkgs:
|
specialArgs ? {},
|
||||||
name:
|
modules ? [],
|
||||||
configurationPath:
|
overlays ? [],
|
||||||
extraArgs@{
|
|
||||||
system ? "x86_64-linux",
|
|
||||||
specialArgs ? { },
|
|
||||||
modules ? [ ],
|
|
||||||
overlays ? [ ],
|
|
||||||
enableDefaults ? true,
|
enableDefaults ? true,
|
||||||
...
|
...
|
||||||
}:
|
}: let
|
||||||
lib.nixosSystem (lib.recursiveUpdate
|
commonPkgsConfig =
|
||||||
{
|
{
|
||||||
inherit system;
|
config.allowUnfreePredicate = pkg:
|
||||||
|
builtins.elem (lib.getName pkg)
|
||||||
specialArgs = {
|
|
||||||
inherit unstablePkgs inputs;
|
|
||||||
values = import ./values.nix;
|
|
||||||
fp = path: ./${path};
|
|
||||||
} // specialArgs;
|
|
||||||
|
|
||||||
modules = [
|
|
||||||
configurationPath
|
|
||||||
] ++ (lib.optionals enableDefaults [
|
|
||||||
sops-nix.nixosModules.sops
|
|
||||||
inputs.roowho2.nixosModules.default
|
|
||||||
]) ++ modules;
|
|
||||||
|
|
||||||
pkgs = import nixpkgs {
|
|
||||||
inherit system;
|
|
||||||
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
|
|
||||||
[
|
[
|
||||||
"nvidia-x11"
|
"nvidia-x11"
|
||||||
"nvidia-settings"
|
"nvidia-settings"
|
||||||
|
"nvidia-kernel-modules"
|
||||||
];
|
];
|
||||||
overlays = (lib.optionals enableDefaults [
|
overlays =
|
||||||
|
(lib.optionals enableDefaults [
|
||||||
# Global overlays go here
|
# Global overlays go here
|
||||||
inputs.roowho2.overlays.default
|
inputs.roowho2.overlays.default
|
||||||
]) ++ overlays;
|
])
|
||||||
};
|
++ overlays;
|
||||||
|
}
|
||||||
|
// (
|
||||||
|
if localSystem != crossSystem
|
||||||
|
then {
|
||||||
|
inherit localSystem crossSystem;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
system = crossSystem;
|
||||||
|
}
|
||||||
|
);
|
||||||
|
pkgs = import nixpkgs commonPkgsConfig;
|
||||||
|
unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
|
||||||
|
in
|
||||||
|
lib.nixosSystem (
|
||||||
|
lib.recursiveUpdate
|
||||||
|
{
|
||||||
|
system = crossSystem;
|
||||||
|
|
||||||
|
inherit pkgs;
|
||||||
|
|
||||||
|
specialArgs =
|
||||||
|
{
|
||||||
|
inherit inputs unstablePkgs;
|
||||||
|
values = import ./values.nix;
|
||||||
|
fp = path: ./${path};
|
||||||
|
}
|
||||||
|
// specialArgs;
|
||||||
|
|
||||||
|
modules =
|
||||||
|
[
|
||||||
|
{
|
||||||
|
networking.hostName = lib.mkDefault name;
|
||||||
|
}
|
||||||
|
configurationPath
|
||||||
|
]
|
||||||
|
++ (lib.optionals enableDefaults [
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
|
inputs.roowho2.nixosModules.default
|
||||||
|
self.nixosModules.rsync-pull-targets
|
||||||
|
])
|
||||||
|
++ modules;
|
||||||
}
|
}
|
||||||
(builtins.removeAttrs extraArgs [
|
(builtins.removeAttrs extraArgs [
|
||||||
"system"
|
"localSystem"
|
||||||
|
"crossSystem"
|
||||||
"modules"
|
"modules"
|
||||||
"overlays"
|
"overlays"
|
||||||
"specialArgs"
|
"specialArgs"
|
||||||
@@ -135,12 +168,8 @@
|
|||||||
|
|
||||||
stableNixosConfig = name: extraArgs:
|
stableNixosConfig = name: extraArgs:
|
||||||
nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
|
nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
|
||||||
in {
|
in
|
||||||
bakke = stableNixosConfig "bakke" {
|
{
|
||||||
modules = [
|
|
||||||
disko.nixosModules.disko
|
|
||||||
];
|
|
||||||
};
|
|
||||||
bicep = stableNixosConfig "bicep" {
|
bicep = stableNixosConfig "bicep" {
|
||||||
modules = [
|
modules = [
|
||||||
inputs.matrix-next.nixosModules.default
|
inputs.matrix-next.nixosModules.default
|
||||||
@@ -160,26 +189,38 @@
|
|||||||
bekkalokk = stableNixosConfig "bekkalokk" {
|
bekkalokk = stableNixosConfig "bekkalokk" {
|
||||||
overlays = [
|
overlays = [
|
||||||
(final: prev: {
|
(final: prev: {
|
||||||
heimdal = unstablePkgs.heimdal;
|
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions {};
|
||||||
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
|
simplesamlphp = final.callPackage ./packages/simplesamlphp {};
|
||||||
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
|
|
||||||
bluemap = final.callPackage ./packages/bluemap.nix { };
|
|
||||||
})
|
})
|
||||||
inputs.pvv-nettsiden.overlays.default
|
inputs.pvv-nettsiden.overlays.default
|
||||||
inputs.qotd.overlays.default
|
inputs.qotd.overlays.default
|
||||||
];
|
];
|
||||||
modules = [
|
modules = [
|
||||||
inputs.pvv-nettsiden.nixosModules.default
|
inputs.pvv-nettsiden.nixosModules.default
|
||||||
self.nixosModules.bluemap
|
|
||||||
inputs.qotd.nixosModules.default
|
inputs.qotd.nixosModules.default
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
ildkule = stableNixosConfig "ildkule" { };
|
ildkule = stableNixosConfig "ildkule" {
|
||||||
#ildkule-unstable = unstableNixosConfig "ildkule" { };
|
modules = [
|
||||||
shark = stableNixosConfig "shark" { };
|
inputs.disko.nixosModules.disko
|
||||||
wenche = stableNixosConfig "wenche" { };
|
];
|
||||||
temmie = stableNixosConfig "temmie" { };
|
};
|
||||||
gluttony = stableNixosConfig "gluttony" { };
|
skrot = stableNixosConfig "skrot" {
|
||||||
|
modules = [
|
||||||
|
inputs.disko.nixosModules.disko
|
||||||
|
inputs.dibbler.nixosModules.default
|
||||||
|
];
|
||||||
|
overlays = [inputs.dibbler.overlays.default];
|
||||||
|
};
|
||||||
|
shark = stableNixosConfig "shark" {};
|
||||||
|
wenche = stableNixosConfig "wenche" {};
|
||||||
|
temmie = stableNixosConfig "temmie" {};
|
||||||
|
gluttony = stableNixosConfig "gluttony" {
|
||||||
|
overlays = [
|
||||||
|
(final: prev: { bluemap = final.callPackage ./packages/bluemap.nix {}; })
|
||||||
|
];
|
||||||
|
modules = [ self.nixosModules.bluemap ];
|
||||||
|
};
|
||||||
|
|
||||||
kommode = stableNixosConfig "kommode" {
|
kommode = stableNixosConfig "kommode" {
|
||||||
overlays = [
|
overlays = [
|
||||||
@@ -187,12 +228,8 @@
|
|||||||
];
|
];
|
||||||
modules = [
|
modules = [
|
||||||
inputs.nix-gitea-themes.nixosModules.default
|
inputs.nix-gitea-themes.nixosModules.default
|
||||||
];
|
inputs.disko.nixosModules.disko
|
||||||
};
|
self.nixosModules.robots-txt
|
||||||
|
|
||||||
ustetind = stableNixosConfig "ustetind" {
|
|
||||||
modules = [
|
|
||||||
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -218,38 +255,40 @@
|
|||||||
inputs.gergle.overlays.default
|
inputs.gergle.overlays.default
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
skrott = stableNixosConfig "skrott" {
|
|
||||||
system = "aarch64-linux";
|
|
||||||
modules = [
|
|
||||||
(nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
|
|
||||||
inputs.dibbler.nixosModules.default
|
|
||||||
];
|
|
||||||
overlays = [
|
|
||||||
inputs.dibbler.overlays.default
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
//
|
// (let
|
||||||
(let
|
|
||||||
machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
|
machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
|
||||||
stableLupineNixosConfig = name: extraArgs:
|
stableLupineNixosConfig = name: extraArgs:
|
||||||
nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
|
nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
|
||||||
in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
|
in
|
||||||
modules = [{ networking.hostName = name; }];
|
lib.genAttrs machineNames (name:
|
||||||
|
stableLupineNixosConfig name {
|
||||||
|
modules = [{networking.hostName = name;}];
|
||||||
specialArgs.lupineName = name;
|
specialArgs.lupineName = name;
|
||||||
}));
|
}));
|
||||||
|
|
||||||
nixosModules = {
|
nixosModules = {
|
||||||
bluemap = ./modules/bluemap.nix;
|
bluemap = ./modules/bluemap.nix;
|
||||||
snakeoil-certs = ./modules/snakeoil-certs.nix;
|
|
||||||
snappymail = ./modules/snappymail.nix;
|
|
||||||
robots-txt = ./modules/robots-txt.nix;
|
|
||||||
gickup = ./modules/gickup;
|
gickup = ./modules/gickup;
|
||||||
matrix-ooye = ./modules/matrix-ooye.nix;
|
matrix-ooye = ./modules/matrix-ooye.nix;
|
||||||
|
robots-txt = ./modules/robots-txt.nix;
|
||||||
|
rsync-pull-targets = ./modules/rsync-pull-targets.nix;
|
||||||
|
snakeoil-certs = ./modules/snakeoil-certs.nix;
|
||||||
|
snappymail = ./modules/snappymail.nix;
|
||||||
};
|
};
|
||||||
|
|
||||||
devShells = forAllSystems (system: {
|
devShells = forAllSystems (system: {
|
||||||
default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
|
default = let
|
||||||
|
pkgs = import nixpkgs-unstable {
|
||||||
|
inherit system;
|
||||||
|
overlays = [
|
||||||
|
(final: prev: {
|
||||||
|
inherit (inputs.disko.packages.${system}) disko;
|
||||||
|
})
|
||||||
|
];
|
||||||
|
};
|
||||||
|
in
|
||||||
|
pkgs.callPackage ./shell.nix {};
|
||||||
cuda = let
|
cuda = let
|
||||||
cuda-pkgs = import nixpkgs-unstable {
|
cuda-pkgs = import nixpkgs-unstable {
|
||||||
inherit system;
|
inherit system;
|
||||||
@@ -258,29 +297,34 @@
|
|||||||
cudaSupport = true;
|
cudaSupport = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
in cuda-pkgs.callPackage ./shells/cuda.nix { };
|
in
|
||||||
|
cuda-pkgs.callPackage ./shells/cuda.nix {};
|
||||||
});
|
});
|
||||||
|
|
||||||
packages = {
|
packages = {
|
||||||
"x86_64-linux" = let
|
"x86_64-linux" = let
|
||||||
pkgs = nixpkgs.legacyPackages."x86_64-linux";
|
system = "x86_64-linux";
|
||||||
in rec {
|
pkgs = nixpkgs.legacyPackages.${system};
|
||||||
|
in
|
||||||
|
rec {
|
||||||
default = important-machines;
|
default = important-machines;
|
||||||
important-machines = pkgs.linkFarm "important-machines"
|
important-machines =
|
||||||
(lib.getAttrs importantMachines self.packages.x86_64-linux);
|
pkgs.linkFarm "important-machines"
|
||||||
all-machines = pkgs.linkFarm "all-machines"
|
(lib.getAttrs importantMachines self.packages.${system});
|
||||||
(lib.getAttrs allMachines self.packages.x86_64-linux);
|
all-machines =
|
||||||
|
pkgs.linkFarm "all-machines"
|
||||||
|
(lib.getAttrs allMachines self.packages.${system});
|
||||||
|
|
||||||
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
|
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp {};
|
||||||
|
|
||||||
bluemap = pkgs.callPackage ./packages/bluemap.nix { };
|
bluemap = pkgs.callPackage ./packages/bluemap.nix {};
|
||||||
|
|
||||||
out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
|
out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix {};
|
||||||
}
|
}
|
||||||
//
|
//
|
||||||
# Mediawiki extensions
|
# Mediawiki extensions
|
||||||
(lib.pipe null [
|
(lib.pipe null [
|
||||||
(_: pkgs.callPackage ./packages/mediawiki-extensions { })
|
(_: pkgs.callPackage ./packages/mediawiki-extensions {})
|
||||||
(lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
|
(lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
|
||||||
(lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
|
(lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
|
||||||
])
|
])
|
||||||
@@ -289,20 +333,15 @@
|
|||||||
lib.genAttrs allMachines
|
lib.genAttrs allMachines
|
||||||
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
|
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
|
||||||
//
|
//
|
||||||
# Skrott is exception
|
|
||||||
{
|
|
||||||
skrott = self.nixosConfigurations.skrott.config.system.build.sdImage;
|
|
||||||
}
|
|
||||||
//
|
|
||||||
# Nix-topology
|
# Nix-topology
|
||||||
(let
|
(let
|
||||||
topology' = import inputs.nix-topology {
|
topology' = import inputs.nix-topology {
|
||||||
pkgs = import nixpkgs {
|
pkgs = import nixpkgs {
|
||||||
system = "x86_64-linux";
|
inherit system;
|
||||||
overlays = [
|
overlays = [
|
||||||
inputs.nix-topology.overlays.default
|
inputs.nix-topology.overlays.default
|
||||||
(final: prev: {
|
(final: prev: {
|
||||||
inherit (nixpkgs-unstable.legacyPackages.x86_64-linux) super-tiny-icons;
|
inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
|
||||||
})
|
})
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
@@ -314,7 +353,8 @@
|
|||||||
modules = [
|
modules = [
|
||||||
./topology
|
./topology
|
||||||
{
|
{
|
||||||
nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
|
nixosConfigurations = lib.mapAttrs (_name: nixosCfg:
|
||||||
|
nixosCfg.extendModules {
|
||||||
modules = [
|
modules = [
|
||||||
inputs.nix-topology.nixosModules.default
|
inputs.nix-topology.nixosModules.default
|
||||||
./topology/service-extractors/greg-ng.nix
|
./topology/service-extractors/greg-ng.nix
|
||||||
@@ -322,14 +362,16 @@
|
|||||||
./topology/service-extractors/mysql.nix
|
./topology/service-extractors/mysql.nix
|
||||||
./topology/service-extractors/gitea-runners.nix
|
./topology/service-extractors/gitea-runners.nix
|
||||||
];
|
];
|
||||||
}) self.nixosConfigurations;
|
})
|
||||||
|
self.nixosConfigurations;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
in {
|
in {
|
||||||
topology = topology'.config.output;
|
topology = topology'.config.output;
|
||||||
topology-png = pkgs.runCommand "pvv-config-topology-png" {
|
topology-png =
|
||||||
nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
|
pkgs.runCommand "pvv-config-topology-png" {
|
||||||
|
nativeBuildInputs = [pkgs.writableTmpDirAsHomeHook];
|
||||||
} ''
|
} ''
|
||||||
mkdir -p "$out"
|
mkdir -p "$out"
|
||||||
for file in '${topology'.config.output}'/*.svg; do
|
for file in '${topology'.config.output}'/*.svg; do
|
||||||
|
|||||||
@@ -1,25 +0,0 @@
|
|||||||
{ config, pkgs, values, ... }:
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
./hardware-configuration.nix
|
|
||||||
../../base
|
|
||||||
./filesystems.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml;
|
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
||||||
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
|
||||||
sops.age.generateKey = true;
|
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
|
||||||
|
|
||||||
networking.hostName = "bakke";
|
|
||||||
networking.hostId = "99609ffc";
|
|
||||||
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
|
|
||||||
matchConfig.Name = "enp2s0";
|
|
||||||
address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
|
||||||
};
|
|
||||||
|
|
||||||
system.stateVersion = "24.05";
|
|
||||||
}
|
|
||||||
@@ -1,83 +0,0 @@
|
|||||||
{
|
|
||||||
# https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
|
|
||||||
# Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
|
|
||||||
disko.devices = {
|
|
||||||
disk = {
|
|
||||||
one = {
|
|
||||||
type = "disk";
|
|
||||||
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
|
|
||||||
content = {
|
|
||||||
type = "gpt";
|
|
||||||
partitions = {
|
|
||||||
ESP = {
|
|
||||||
size = "500M";
|
|
||||||
type = "EF00";
|
|
||||||
content = {
|
|
||||||
type = "mdraid";
|
|
||||||
name = "boot";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
mdadm = {
|
|
||||||
size = "100%";
|
|
||||||
content = {
|
|
||||||
type = "mdraid";
|
|
||||||
name = "raid1";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
two = {
|
|
||||||
type = "disk";
|
|
||||||
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
|
|
||||||
content = {
|
|
||||||
type = "gpt";
|
|
||||||
partitions = {
|
|
||||||
ESP = {
|
|
||||||
size = "500M";
|
|
||||||
type = "EF00";
|
|
||||||
content = {
|
|
||||||
type = "mdraid";
|
|
||||||
name = "boot";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
mdadm = {
|
|
||||||
size = "100%";
|
|
||||||
content = {
|
|
||||||
type = "mdraid";
|
|
||||||
name = "raid1";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
mdadm = {
|
|
||||||
boot = {
|
|
||||||
type = "mdadm";
|
|
||||||
level = 1;
|
|
||||||
metadata = "1.0";
|
|
||||||
content = {
|
|
||||||
type = "filesystem";
|
|
||||||
format = "vfat";
|
|
||||||
mountpoint = "/boot";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
raid1 = {
|
|
||||||
type = "mdadm";
|
|
||||||
level = 1;
|
|
||||||
content = {
|
|
||||||
type = "gpt";
|
|
||||||
partitions.primary = {
|
|
||||||
size = "100%";
|
|
||||||
content = {
|
|
||||||
type = "filesystem";
|
|
||||||
format = "ext4";
|
|
||||||
mountpoint = "/";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
@@ -1,26 +0,0 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
|
||||||
{
|
|
||||||
# Boot drives:
|
|
||||||
boot.swraid.enable = true;
|
|
||||||
|
|
||||||
# ZFS Data pool:
|
|
||||||
environment.systemPackages = with pkgs; [ zfs ];
|
|
||||||
boot = {
|
|
||||||
zfs = {
|
|
||||||
extraPools = [ "tank" ];
|
|
||||||
requestEncryptionCredentials = false;
|
|
||||||
};
|
|
||||||
supportedFilesystems = [ "zfs" ];
|
|
||||||
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
|
|
||||||
};
|
|
||||||
services.zfs.autoScrub = {
|
|
||||||
enable = true;
|
|
||||||
interval = "Wed *-*-8..14 00:00:00";
|
|
||||||
};
|
|
||||||
|
|
||||||
# NFS Exports:
|
|
||||||
#TODO
|
|
||||||
|
|
||||||
# NFS Import mounts:
|
|
||||||
#TODO
|
|
||||||
}
|
|
||||||
@@ -1,52 +0,0 @@
|
|||||||
# Do not modify this file! It was generated by 'nixos-generate-config'
|
|
||||||
# and may be overwritten by future invocations. Please make changes
|
|
||||||
# to /etc/nixos/configuration.nix instead.
|
|
||||||
{ config, lib, pkgs, modulesPath, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports =
|
|
||||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
|
||||||
];
|
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
|
||||||
boot.initrd.kernelModules = [ ];
|
|
||||||
boot.kernelModules = [ "kvm-intel" ];
|
|
||||||
boot.extraModulePackages = [ ];
|
|
||||||
|
|
||||||
fileSystems."/" =
|
|
||||||
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
|
|
||||||
fsType = "btrfs";
|
|
||||||
options = [ "subvol=root" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/home" =
|
|
||||||
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
|
|
||||||
fsType = "btrfs";
|
|
||||||
options = [ "subvol=home" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/nix" =
|
|
||||||
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
|
|
||||||
fsType = "btrfs";
|
|
||||||
options = [ "subvol=nix" "noatime" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/boot" =
|
|
||||||
{ device = "/dev/sdc2";
|
|
||||||
fsType = "vfat";
|
|
||||||
options = [ "fmask=0022" "dmask=0022" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
swapDevices = [ ];
|
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
|
||||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
|
||||||
networking.useDHCP = lib.mkDefault false;
|
|
||||||
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
|
|
||||||
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
|
|
||||||
|
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
|
||||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
|
||||||
}
|
|
||||||
@@ -19,16 +19,6 @@
|
|||||||
./services/qotd
|
./services/qotd
|
||||||
];
|
];
|
||||||
|
|
||||||
sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
|
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
||||||
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
|
||||||
sops.age.generateKey = true;
|
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
|
||||||
|
|
||||||
networking.hostName = "bekkalokk";
|
|
||||||
|
|
||||||
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
|
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
|
||||||
matchConfig.Name = "enp2s0";
|
matchConfig.Name = "enp2s0";
|
||||||
address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
||||||
@@ -36,7 +26,7 @@
|
|||||||
|
|
||||||
services.btrfs.autoScrub.enable = true;
|
services.btrfs.autoScrub.enable = true;
|
||||||
|
|
||||||
# Do not change, even during upgrades.
|
# Don't change (even during upgrades) unless you know what you are doing.
|
||||||
# See https://search.nixos.org/options?show=system.stateVersion
|
# See https://search.nixos.org/options?show=system.stateVersion
|
||||||
system.stateVersion = "22.11";
|
system.stateVersion = "25.11";
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,105 +1,10 @@
|
|||||||
{ config, lib, pkgs, inputs, ... }:
|
{ values, ... }:
|
||||||
let
|
let
|
||||||
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
|
webExport = "/var/lib/bluemap/web";
|
||||||
format = pkgs.formats.hocon { };
|
|
||||||
in {
|
in {
|
||||||
# NOTE: our versino of the module gets added in flake.nix
|
# NOTE: our version of the module gets added in flake.nix
|
||||||
disabledModules = [ "services/web-apps/bluemap.nix" ];
|
disabledModules = [ "services/web-apps/bluemap.nix" ];
|
||||||
|
|
||||||
sops.secrets."bluemap/ssh-key" = { };
|
|
||||||
sops.secrets."bluemap/ssh-known-hosts" = { };
|
|
||||||
|
|
||||||
services.bluemap = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
eula = true;
|
|
||||||
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
|
|
||||||
|
|
||||||
host = "minecraft.pvv.ntnu.no";
|
|
||||||
|
|
||||||
maps = let
|
|
||||||
inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
|
|
||||||
in {
|
|
||||||
"verden" = {
|
|
||||||
extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
|
|
||||||
settings = {
|
|
||||||
world = vanillaSurvival;
|
|
||||||
dimension = "minecraft:overworld";
|
|
||||||
name = "Verden";
|
|
||||||
sorting = 0;
|
|
||||||
start-pos = {
|
|
||||||
x = 0;
|
|
||||||
z = 0;
|
|
||||||
};
|
|
||||||
ambient-light = 0.1;
|
|
||||||
cave-detection-ocean-floor = -5;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
"underverden" = {
|
|
||||||
extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
|
|
||||||
settings = {
|
|
||||||
world = vanillaSurvival;
|
|
||||||
dimension = "minecraft:the_nether";
|
|
||||||
name = "Underverden";
|
|
||||||
sorting = 100;
|
|
||||||
start-pos = {
|
|
||||||
x = 0;
|
|
||||||
z = 0;
|
|
||||||
};
|
|
||||||
sky-color = "#290000";
|
|
||||||
void-color = "#150000";
|
|
||||||
sky-light = 1;
|
|
||||||
ambient-light = 0.6;
|
|
||||||
remove-caves-below-y = -10000;
|
|
||||||
cave-detection-ocean-floor = -5;
|
|
||||||
cave-detection-uses-block-light = true;
|
|
||||||
render-mask = [{
|
|
||||||
max-y = 90;
|
|
||||||
}];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
"enden" = {
|
|
||||||
extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
|
|
||||||
settings = {
|
|
||||||
world = vanillaSurvival;
|
|
||||||
dimension = "minecraft:the_end";
|
|
||||||
name = "Enden";
|
|
||||||
sorting = 200;
|
|
||||||
start-pos = {
|
|
||||||
x = 0;
|
|
||||||
z = 0;
|
|
||||||
};
|
|
||||||
sky-color = "#080010";
|
|
||||||
void-color = "#080010";
|
|
||||||
sky-light = 1;
|
|
||||||
ambient-light = 0.6;
|
|
||||||
remove-caves-below-y = -10000;
|
|
||||||
cave-detection-ocean-floor = -5;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services."render-bluemap-maps" = {
|
|
||||||
serviceConfig = {
|
|
||||||
StateDirectory = [ "bluemap/world" ];
|
|
||||||
ExecStartPre = let
|
|
||||||
rsyncArgs = lib.cli.toCommandLineShellGNU { } {
|
|
||||||
archive = true;
|
|
||||||
compress = true;
|
|
||||||
verbose = true;
|
|
||||||
no-owner = true;
|
|
||||||
no-group = true;
|
|
||||||
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
|
|
||||||
};
|
|
||||||
in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
|
|
||||||
LoadCredential = [
|
|
||||||
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
|
|
||||||
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
|
services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
@@ -115,6 +20,30 @@ in {
|
|||||||
quic_retry on;
|
quic_retry on;
|
||||||
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
|
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
|
||||||
'';
|
'';
|
||||||
|
root = webExport;
|
||||||
|
locations = {
|
||||||
|
"~* ^/maps/[^/]*/tiles/".extraConfig = ''
|
||||||
|
error_page 404 = @empty;
|
||||||
|
'';
|
||||||
|
"@empty".return = "204";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.rsync-pull-targets = {
|
||||||
|
enable = true;
|
||||||
|
locations.${webExport} = {
|
||||||
|
user = "root";
|
||||||
|
rrsyncArgs.wo = true;
|
||||||
|
authorizedKeysAttrs = [
|
||||||
|
"restrict"
|
||||||
|
"from=\"gluttony.pvv.ntnu.no,${values.hosts.gluttony.ipv6},${values.hosts.gluttony.ipv4}\""
|
||||||
|
"no-agent-forwarding"
|
||||||
|
"no-port-forwarding"
|
||||||
|
"no-pty"
|
||||||
|
"no-X11-forwarding"
|
||||||
|
];
|
||||||
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5jrqMovXlWaFWZAV/aKyQReHvUQp5kb+7Ja4gnevSr root@gluttony bluemap";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedUDPPorts = [ 443 ];
|
networking.firewall.allowedUDPPorts = [ 443 ];
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
{ pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
|
{ pkgs, lib, fp, config, values, ... }: let
|
||||||
cfg = config.services.mediawiki;
|
cfg = config.services.mediawiki;
|
||||||
|
|
||||||
# "mediawiki"
|
# "mediawiki"
|
||||||
@@ -34,6 +34,7 @@ in {
|
|||||||
services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
|
services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
|
||||||
|
|
||||||
sops.secrets = lib.pipe [
|
sops.secrets = lib.pipe [
|
||||||
|
"mediawiki/secret-key"
|
||||||
"mediawiki/password"
|
"mediawiki/password"
|
||||||
"mediawiki/postgres_password"
|
"mediawiki/postgres_password"
|
||||||
"mediawiki/simplesamlphp/postgres_password"
|
"mediawiki/simplesamlphp/postgres_password"
|
||||||
@@ -48,6 +49,23 @@ in {
|
|||||||
lib.listToAttrs
|
lib.listToAttrs
|
||||||
];
|
];
|
||||||
|
|
||||||
|
services.rsync-pull-targets = {
|
||||||
|
enable = true;
|
||||||
|
locations.${cfg.uploadsDir} = {
|
||||||
|
user = "root";
|
||||||
|
rrsyncArgs.ro = true;
|
||||||
|
authorizedKeysAttrs = [
|
||||||
|
"restrict"
|
||||||
|
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
|
||||||
|
"no-agent-forwarding"
|
||||||
|
"no-port-forwarding"
|
||||||
|
"no-pty"
|
||||||
|
"no-X11-forwarding"
|
||||||
|
];
|
||||||
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHFHa3Iq1oKPhbKCAIHgOoWOTkLmIc7yqxeTbut7ig/ mediawiki rsync backup";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
services.mediawiki = {
|
services.mediawiki = {
|
||||||
enable = true;
|
enable = true;
|
||||||
name = "Programvareverkstedet";
|
name = "Programvareverkstedet";
|
||||||
@@ -144,6 +162,24 @@ in {
|
|||||||
$wgDBserver = "${toString cfg.database.host}";
|
$wgDBserver = "${toString cfg.database.host}";
|
||||||
$wgAllowCopyUploads = true;
|
$wgAllowCopyUploads = true;
|
||||||
|
|
||||||
|
# Files
|
||||||
|
$wgFileExtensions = [
|
||||||
|
'bmp',
|
||||||
|
'gif',
|
||||||
|
'jpeg',
|
||||||
|
'jpg',
|
||||||
|
'mp3',
|
||||||
|
'odg',
|
||||||
|
'odp',
|
||||||
|
'ods',
|
||||||
|
'odt',
|
||||||
|
'pdf',
|
||||||
|
'png',
|
||||||
|
'tiff',
|
||||||
|
'webm',
|
||||||
|
'webp',
|
||||||
|
];
|
||||||
|
|
||||||
# Misc program paths
|
# Misc program paths
|
||||||
$wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
|
$wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
|
||||||
$wgExiftool = '${pkgs.exiftool}/bin/exiftool';
|
$wgExiftool = '${pkgs.exiftool}/bin/exiftool';
|
||||||
@@ -174,20 +210,22 @@ in {
|
|||||||
|
|
||||||
# EXT:WikiEditor
|
# EXT:WikiEditor
|
||||||
$wgWikiEditorRealtimePreview = true;
|
$wgWikiEditorRealtimePreview = true;
|
||||||
|
|
||||||
|
$wgSecretKey = file_get_contents("${config.sops.secrets."mediawiki/secret-key".path}");
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
# Cache directory for simplesamlphp
|
# Cache directory for simplesamlphp
|
||||||
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
|
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
|
||||||
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
|
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable {
|
||||||
user = "mediawiki";
|
user = "mediawiki";
|
||||||
group = "mediawiki";
|
group = "mediawiki";
|
||||||
mode = "0770";
|
mode = "0770";
|
||||||
};
|
};
|
||||||
|
|
||||||
users.groups.mediawiki.members = [ "nginx" ];
|
users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ];
|
||||||
|
|
||||||
services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
|
services.nginx.virtualHosts."wiki.pvv.ntnu.no" = lib.mkIf cfg.enable {
|
||||||
kTLS = true;
|
kTLS = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
@@ -233,4 +271,18 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services.mediawiki-init = lib.mkIf cfg.enable {
|
||||||
|
after = [ "sops-install-secrets.service" ];
|
||||||
|
serviceConfig = {
|
||||||
|
UMask = lib.mkForce "0007";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
|
||||||
|
after = [ "sops-install-secrets.service" ];
|
||||||
|
serviceConfig = {
|
||||||
|
UMask = lib.mkForce "0007";
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, values, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.services.vaultwarden;
|
cfg = config.services.vaultwarden;
|
||||||
domain = "pw.pvv.ntnu.no";
|
domain = "pw.pvv.ntnu.no";
|
||||||
@@ -6,40 +6,58 @@ let
|
|||||||
port = 3011;
|
port = 3011;
|
||||||
wsPort = 3012;
|
wsPort = 3012;
|
||||||
in {
|
in {
|
||||||
sops.secrets."vaultwarden/environ" = {
|
sops.secrets."vaultwarden/rsa_key.pem" = {
|
||||||
owner = "vaultwarden";
|
owner = "vaultwarden";
|
||||||
group = "vaultwarden";
|
group = "vaultwarden";
|
||||||
|
mode = "440";
|
||||||
|
restartUnits = [ "vaultwarden.service" ];
|
||||||
|
};
|
||||||
|
sops.secrets."vaultwarden/rsa_key.pub.pem" = {
|
||||||
|
owner = "vaultwarden";
|
||||||
|
group = "vaultwarden";
|
||||||
|
mode = "440";
|
||||||
|
restartUnits = [ "vaultwarden.service" ];
|
||||||
|
};
|
||||||
|
sops.secrets."vaultwarden/env/DATABASE_PASSWORD" = { };
|
||||||
|
sops.secrets."vaultwarden/env/SMTP_PASSWORD" = { };
|
||||||
|
sops.templates."vaultwarden/environment_file" = {
|
||||||
|
owner = "vaultwarden";
|
||||||
|
group = "vaultwarden";
|
||||||
|
mode = "440";
|
||||||
|
restartUnits = [ "vaultwarden.service" ];
|
||||||
|
content = ''
|
||||||
|
DATABASE_URL=postgresql://vaultwarden:${config.sops.placeholder."vaultwarden/env/DATABASE_PASSWORD"}@postgres.pvv.ntnu.no/vaultwarden
|
||||||
|
SMTP_PASSWORD=${config.sops.placeholder."vaultwarden/env/SMTP_PASSWORD"}
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
services.vaultwarden = {
|
services.vaultwarden = {
|
||||||
enable = true;
|
enable = true;
|
||||||
dbBackend = "postgresql";
|
dbBackend = "postgresql";
|
||||||
environmentFile = config.sops.secrets."vaultwarden/environ".path;
|
environmentFile = config.sops.templates."vaultwarden/environment_file".path;
|
||||||
config = {
|
config = {
|
||||||
domain = "https://${domain}";
|
DOMAIN = "https://${domain}";
|
||||||
|
|
||||||
rocketAddress = address;
|
ROCKET_ADDRESS = address;
|
||||||
rocketPort = port;
|
ROCKET_PORT = port;
|
||||||
|
|
||||||
websocketEnabled = true;
|
WEBSOCKET_ENABLED = true;
|
||||||
websocketAddress = address;
|
WEBSOCKET_ADDRESS = address;
|
||||||
websocketPort = wsPort;
|
WEBSOCKET_PORT = wsPort;
|
||||||
|
|
||||||
signupsAllowed = true;
|
SIGNUPS_ALLOWED = true;
|
||||||
signupsVerify = true;
|
SIGNUPS_VERIFY = true;
|
||||||
signupsDomainsWhitelist = "pvv.ntnu.no";
|
SIGNUPS_DOMAINS_WHITELIST = "pvv.ntnu.no";
|
||||||
|
|
||||||
smtpFrom = "vaultwarden@pvv.ntnu.no";
|
SMTP_FROM = "vaultwarden@pvv.ntnu.no";
|
||||||
smtpFromName = "VaultWarden PVV";
|
SMTP_FROM_NAME = "VaultWarden PVV";
|
||||||
|
|
||||||
smtpHost = "smtp.pvv.ntnu.no";
|
SMTP_HOST = "smtp.pvv.ntnu.no";
|
||||||
smtpUsername = "vaultwarden";
|
SMTP_USERNAME = "vaultwarden";
|
||||||
smtpSecurity = "force_tls";
|
SMTP_SECURITY = "force_tls";
|
||||||
smtpAuthMechanism = "Login";
|
SMTP_AUTH_MECHANISM = "Login";
|
||||||
|
|
||||||
# Configured in environ:
|
RSA_KEY_FILENAME = lib.removeSuffix ".pem" config.sops.secrets."vaultwarden/rsa_key.pem".path;
|
||||||
# databaseUrl = "postgresql://vaultwarden@/vaultwarden";
|
|
||||||
# smtpPassword = hemli
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -66,37 +84,20 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.vaultwarden = lib.mkIf cfg.enable {
|
services.rsync-pull-targets = {
|
||||||
serviceConfig = {
|
enable = true;
|
||||||
AmbientCapabilities = [ "" ];
|
locations."/var/lib/vaultwarden" = {
|
||||||
CapabilityBoundingSet = [ "" ];
|
user = "root";
|
||||||
DeviceAllow = [ "" ];
|
rrsyncArgs.ro = true;
|
||||||
LockPersonality = true;
|
authorizedKeysAttrs = [
|
||||||
NoNewPrivileges = true;
|
"restrict"
|
||||||
# MemoryDenyWriteExecute = true;
|
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
|
||||||
PrivateMounts = true;
|
"no-agent-forwarding"
|
||||||
PrivateUsers = true;
|
"no-port-forwarding"
|
||||||
ProcSubset = "pid";
|
"no-pty"
|
||||||
ProtectClock = true;
|
"no-X11-forwarding"
|
||||||
ProtectControlGroups = true;
|
|
||||||
ProtectHostname = true;
|
|
||||||
ProtectKernelLogs = true;
|
|
||||||
ProtectKernelModules = true;
|
|
||||||
ProtectKernelTunables = true;
|
|
||||||
RestrictAddressFamilies = [
|
|
||||||
"AF_INET"
|
|
||||||
"AF_INET6"
|
|
||||||
"AF_UNIX"
|
|
||||||
];
|
|
||||||
RemoveIPC = true;
|
|
||||||
RestrictNamespaces = true;
|
|
||||||
RestrictRealtime = true;
|
|
||||||
RestrictSUIDSGID = true;
|
|
||||||
SystemCallArchitectures = "native";
|
|
||||||
SystemCallFilter = [
|
|
||||||
"@system-service"
|
|
||||||
"~@privileged"
|
|
||||||
];
|
];
|
||||||
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2cDaW52gBtLVaNqoGijvN2ZAVkAWlII5AXUzT3Dswj vaultwarden rsync backup";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -9,6 +9,12 @@ in
|
|||||||
sops.secrets."roundcube/postgres_password" = {
|
sops.secrets."roundcube/postgres_password" = {
|
||||||
owner = "nginx";
|
owner = "nginx";
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
|
restartUnits = [ "phpfpm-roundcube.service" ];
|
||||||
|
};
|
||||||
|
sops.secrets."roundcube/des_key" = {
|
||||||
|
owner = "nginx";
|
||||||
|
group = "nginx";
|
||||||
|
restartUnits = [ "phpfpm-roundcube.service" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.roundcube = {
|
services.roundcube = {
|
||||||
@@ -39,6 +45,7 @@ in
|
|||||||
$config['mail_domain'] = "pvv.ntnu.no";
|
$config['mail_domain'] = "pvv.ntnu.no";
|
||||||
$config['smtp_user'] = "%u";
|
$config['smtp_user'] = "%u";
|
||||||
$config['support_url'] = "";
|
$config['support_url'] = "";
|
||||||
|
$config['des_key'] = "${config.sops.secrets."roundcube/des_key".path}";
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
{ config, lib, fp, pkgs, ... }:
|
{ config, lib, fp, pkgs, values, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.services.snappymail;
|
cfg = config.services.snappymail;
|
||||||
in {
|
in {
|
||||||
@@ -14,5 +14,21 @@ in {
|
|||||||
enableACME = true;
|
enableACME = true;
|
||||||
kTLS = true;
|
kTLS = true;
|
||||||
};
|
};
|
||||||
}
|
|
||||||
|
|
||||||
|
services.rsync-pull-targets = {
|
||||||
|
enable = true;
|
||||||
|
locations.${cfg.dataDir} = {
|
||||||
|
user = "root";
|
||||||
|
rrsyncArgs.ro = true;
|
||||||
|
authorizedKeysAttrs = [
|
||||||
|
"restrict"
|
||||||
|
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
|
||||||
|
"no-agent-forwarding"
|
||||||
|
"no-port-forwarding"
|
||||||
|
"no-pty"
|
||||||
|
"no-X11-forwarding"
|
||||||
|
];
|
||||||
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJENMnuNsHEeA91oX+cj7Qpex2defSXP/lxznxCAqV03 snappymail rsync backup";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|||||||
@@ -80,9 +80,40 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
services.phpfpm.pools."pvv-nettsiden".settings = {
|
services.phpfpm.pools."pvv-nettsiden".settings = {
|
||||||
# "php_admin_value[error_log]" = "stderr";
|
"php_admin_value[error_log]" = "syslog";
|
||||||
"php_admin_flag[log_errors]" = true;
|
"php_admin_flag[log_errors]" = true;
|
||||||
"catch_workers_output" = true;
|
"catch_workers_output" = true;
|
||||||
|
|
||||||
|
"php_admin_value[max_execution_time]" = "30";
|
||||||
|
"request_terminate_timeout" = "60s";
|
||||||
|
|
||||||
|
"php_admin_value[sendmail_path]" = let
|
||||||
|
fakeSendmail = pkgs.writeShellApplication {
|
||||||
|
name = "fake-sendmail";
|
||||||
|
text = ''
|
||||||
|
TIMESTAMP="$(date +%Y-%m-%d-%H-%M-%S-%N)"
|
||||||
|
(
|
||||||
|
echo "SENDMAIL ARGS:"
|
||||||
|
echo "$@"
|
||||||
|
echo "SENDMAIL STDIN:"
|
||||||
|
cat -
|
||||||
|
) > "/var/lib/pvv-nettsiden/emails/$TIMESTAMP.mail"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
in lib.getExe fakeSendmail;
|
||||||
|
|
||||||
|
"php_admin_value[disable_functions]" = lib.concatStringsSep "," [
|
||||||
|
"curl_exec"
|
||||||
|
"curl_multi_exec"
|
||||||
|
"exec"
|
||||||
|
"parse_ini_file"
|
||||||
|
"passthru"
|
||||||
|
"popen"
|
||||||
|
"proc_open"
|
||||||
|
"shell_exec"
|
||||||
|
"show_source"
|
||||||
|
"system"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."pvv.ntnu.no" = {
|
services.nginx.virtualHosts."pvv.ntnu.no" = {
|
||||||
|
|||||||
@@ -1,15 +1,30 @@
|
|||||||
{ pkgs, lib, config, ... }:
|
{ pkgs, lib, config, values, ... }:
|
||||||
let
|
let
|
||||||
galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
|
galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
|
||||||
transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
|
transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
|
||||||
in {
|
in {
|
||||||
users.users.${config.services.pvv-nettsiden.user} = {
|
users.users.${config.services.pvv-nettsiden.user} = {
|
||||||
|
# NOTE: the user unfortunately needs a registered shell for rrsync to function...
|
||||||
|
# is there anything we can do to remove this?
|
||||||
useDefaultShell = true;
|
useDefaultShell = true;
|
||||||
|
};
|
||||||
|
|
||||||
# This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
|
# This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
|
||||||
openssh.authorizedKeys.keys = [
|
services.rsync-pull-targets = {
|
||||||
''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
|
enable = true;
|
||||||
|
locations.${transferDir} = {
|
||||||
|
user = config.services.pvv-nettsiden.user;
|
||||||
|
rrsyncArgs.wo = true;
|
||||||
|
authorizedKeysAttrs = [
|
||||||
|
"restrict"
|
||||||
|
"from=\"microbel.pvv.ntnu.no,${values.hosts.microbel.ipv6},${values.hosts.microbel.ipv4}\""
|
||||||
|
"no-agent-forwarding"
|
||||||
|
"no-port-forwarding"
|
||||||
|
"no-pty"
|
||||||
|
"no-X11-forwarding"
|
||||||
];
|
];
|
||||||
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.paths.pvv-nettsiden-gallery-update = {
|
systemd.paths.pvv-nettsiden-gallery-update = {
|
||||||
@@ -25,15 +40,15 @@ in {
|
|||||||
path = with pkgs; [ imagemagick gnutar gzip ];
|
path = with pkgs; [ imagemagick gnutar gzip ];
|
||||||
|
|
||||||
script = ''
|
script = ''
|
||||||
tar ${lib.cli.toGNUCommandLineShell {} {
|
tar ${lib.cli.toCommandLineShellGNU { } {
|
||||||
extract = true;
|
extract = true;
|
||||||
file = "${transferDir}/gallery.tar.gz";
|
file = "${transferDir}/gallery.tar.gz";
|
||||||
directory = ".";
|
directory = ".";
|
||||||
}}
|
}}
|
||||||
|
|
||||||
# Delete files and directories that exists in the gallery that don't exist in the tarball
|
# Delete files and directories that exists in the gallery that don't exist in the tarball
|
||||||
filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
|
filesToRemove=$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))
|
||||||
while IFS= read fname; do
|
while IFS= read -r fname; do
|
||||||
rm -f "$fname" ||:
|
rm -f "$fname" ||:
|
||||||
rm -f ".thumbnails/$fname.png" ||:
|
rm -f ".thumbnails/$fname.png" ||:
|
||||||
done <<< "$filesToRemove"
|
done <<< "$filesToRemove"
|
||||||
@@ -41,9 +56,9 @@ in {
|
|||||||
find . -type d -empty -delete
|
find . -type d -empty -delete
|
||||||
|
|
||||||
mkdir -p .thumbnails
|
mkdir -p .thumbnails
|
||||||
images=$(find . -type f -not -path "./.thumbnails*")
|
images=$(find . -type f -not -path './.thumbnails*')
|
||||||
|
|
||||||
while IFS= read fname; do
|
while IFS= read -r fname; do
|
||||||
# Skip this file if an up-to-date thumbnail already exists
|
# Skip this file if an up-to-date thumbnail already exists
|
||||||
if [ -f ".thumbnails/$fname.png" ] && \
|
if [ -f ".thumbnails/$fname.png" ] && \
|
||||||
[ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
|
[ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
|
||||||
@@ -52,7 +67,7 @@ in {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Creating thumbnail for $fname"
|
echo "Creating thumbnail for $fname"
|
||||||
mkdir -p $(dirname ".thumbnails/$fname")
|
mkdir -p "$(dirname ".thumbnails/$fname")"
|
||||||
magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
|
magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
|
||||||
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
|
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
|
||||||
done <<< "$images"
|
done <<< "$images"
|
||||||
|
|||||||
@@ -1,6 +1,12 @@
|
|||||||
{ ... }:
|
{ lib, ... }:
|
||||||
{
|
{
|
||||||
services.nginx.virtualHosts."www.pvv.ntnu.no".locations = {
|
services.nginx.virtualHosts = lib.genAttrs [
|
||||||
|
"pvv.ntnu.no"
|
||||||
|
"www.pvv.ntnu.no"
|
||||||
|
"pvv.org"
|
||||||
|
"www.pvv.org"
|
||||||
|
] (_: {
|
||||||
|
locations = {
|
||||||
"^~ /.well-known/" = {
|
"^~ /.well-known/" = {
|
||||||
alias = (toString ./root) + "/";
|
alias = (toString ./root) + "/";
|
||||||
};
|
};
|
||||||
@@ -15,4 +21,5 @@
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -6,7 +6,11 @@ Contact: mailto:cert@pvv.ntnu.no
|
|||||||
Preferred-Languages: no, en
|
Preferred-Languages: no, en
|
||||||
|
|
||||||
Expires: 2032-12-31T23:59:59.000Z
|
Expires: 2032-12-31T23:59:59.000Z
|
||||||
# This file was last updated 2024-09-14.
|
# This file was last updated 2026-02-27.
|
||||||
|
|
||||||
# You can find a wikipage for our security policies at:
|
# You can find a wikipage for our security policies at:
|
||||||
# https://wiki.pvv.ntnu.no/wiki/CERT
|
# https://wiki.pvv.ntnu.no/wiki/CERT
|
||||||
|
|
||||||
|
# Please note that we are a student organization, and unfortunately we do not
|
||||||
|
# have a bug bounty program or offer monetary compensation for disclosure of
|
||||||
|
# security vulnerabilities.
|
||||||
|
|||||||
@@ -9,22 +9,12 @@
|
|||||||
./services/calendar-bot.nix
|
./services/calendar-bot.nix
|
||||||
#./services/git-mirrors
|
#./services/git-mirrors
|
||||||
./services/minecraft-heatmap.nix
|
./services/minecraft-heatmap.nix
|
||||||
./services/mysql.nix
|
./services/mysql
|
||||||
./services/postgres.nix
|
./services/postgresql
|
||||||
|
|
||||||
./services/matrix
|
./services/matrix
|
||||||
];
|
];
|
||||||
|
|
||||||
sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
|
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
||||||
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
|
||||||
sops.age.generateKey = true;
|
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
|
||||||
|
|
||||||
networking.hostName = "bicep";
|
|
||||||
|
|
||||||
#systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
|
#systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
|
||||||
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
|
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
|
||||||
#matchConfig.Name = "enp6s0f0";
|
#matchConfig.Name = "enp6s0f0";
|
||||||
@@ -36,17 +26,9 @@
|
|||||||
anyInterface = true;
|
anyInterface = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
# There are no smart devices
|
|
||||||
services.smartd.enable = false;
|
|
||||||
|
|
||||||
# we are a vm now
|
|
||||||
services.qemuGuest.enable = true;
|
services.qemuGuest.enable = true;
|
||||||
|
|
||||||
# Enable the OpenSSH daemon.
|
# Don't change (even during upgrades) unless you know what you are doing.
|
||||||
services.openssh.enable = true;
|
|
||||||
services.sshguard.enable = true;
|
|
||||||
|
|
||||||
# Do not change, even during upgrades.
|
|
||||||
# See https://search.nixos.org/options?show=system.stateVersion
|
# See https://search.nixos.org/options?show=system.stateVersion
|
||||||
system.stateVersion = "22.11";
|
system.stateVersion = "25.11";
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,13 +1,6 @@
|
|||||||
{ config, lib, fp, pkgs, secrets, values, ... }:
|
{ config, lib, fp, pkgs, secrets, values, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
sops.secrets."matrix/synapse/turnconfig" = {
|
|
||||||
sopsFile = fp /secrets/bicep/matrix.yaml;
|
|
||||||
key = "synapse/turnconfig";
|
|
||||||
owner = config.users.users.matrix-synapse.name;
|
|
||||||
group = config.users.users.matrix-synapse.group;
|
|
||||||
restartUnits = [ "coturn.service" ];
|
|
||||||
};
|
|
||||||
sops.secrets."matrix/coturn/static-auth-secret" = {
|
sops.secrets."matrix/coturn/static-auth-secret" = {
|
||||||
sopsFile = fp /secrets/bicep/matrix.yaml;
|
sopsFile = fp /secrets/bicep/matrix.yaml;
|
||||||
key = "coturn/static-auth-secret";
|
key = "coturn/static-auth-secret";
|
||||||
@@ -16,9 +9,18 @@
|
|||||||
restartUnits = [ "coturn.service" ];
|
restartUnits = [ "coturn.service" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops.templates."matrix-synapse-turnconfig" = {
|
||||||
|
owner = config.users.users.matrix-synapse.name;
|
||||||
|
group = config.users.users.matrix-synapse.group;
|
||||||
|
content = ''
|
||||||
|
turn_shared_secret: ${config.sops.placeholder."matrix/coturn/static-auth-secret"}
|
||||||
|
'';
|
||||||
|
restartUnits = [ "matrix-synapse.target" ];
|
||||||
|
};
|
||||||
|
|
||||||
services.matrix-synapse-next = {
|
services.matrix-synapse-next = {
|
||||||
extraConfigFiles = [
|
extraConfigFiles = [
|
||||||
config.sops.secrets."matrix/synapse/turnconfig".path
|
config.sops.templates."matrix-synapse-turnconfig".path
|
||||||
];
|
];
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
|
|||||||
@@ -1,10 +1,9 @@
|
|||||||
{ config, ... }:
|
{ config, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
./synapse.nix
|
|
||||||
./synapse-admin.nix
|
./synapse-admin.nix
|
||||||
|
./synapse-auto-compressor.nix
|
||||||
|
./synapse.nix
|
||||||
./element.nix
|
./element.nix
|
||||||
./coturn.nix
|
./coturn.nix
|
||||||
./livekit.nix
|
./livekit.nix
|
||||||
@@ -15,7 +14,4 @@
|
|||||||
./out-of-your-element.nix
|
./out-of-your-element.nix
|
||||||
./hookshot
|
./hookshot
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -16,10 +16,10 @@ in {
|
|||||||
|
|
||||||
root = pkgs.element-web.override {
|
root = pkgs.element-web.override {
|
||||||
conf = {
|
conf = {
|
||||||
default_server_config."m.homeserver" = {
|
# Tries to look up well-known first, else uses bundled config.
|
||||||
base_url = "https://matrix.pvv.ntnu.no";
|
default_server_name = "matrix.pvv.ntnu.no";
|
||||||
server_name = "pvv.ntnu.no";
|
default_server_config = config.services.pvv-matrix-well-known.client;
|
||||||
};
|
|
||||||
disable_3pid_login = true;
|
disable_3pid_login = true;
|
||||||
# integrations_ui_url = "https://dimension.dodsorf.as/riot";
|
# integrations_ui_url = "https://dimension.dodsorf.as/riot";
|
||||||
# integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
|
# integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
|
||||||
@@ -37,6 +37,7 @@ in {
|
|||||||
# element call group calls
|
# element call group calls
|
||||||
feature_group_calls = true;
|
feature_group_calls = true;
|
||||||
};
|
};
|
||||||
|
default_country_code = "NO";
|
||||||
default_theme = "dark";
|
default_theme = "dark";
|
||||||
# Servers in this list should provide some sort of valuable scoping
|
# Servers in this list should provide some sort of valuable scoping
|
||||||
# matrix.org is not useful compared to matrixrooms.info,
|
# matrix.org is not useful compared to matrixrooms.info,
|
||||||
|
|||||||
@@ -14,6 +14,10 @@ in
|
|||||||
sopsFile = fp /secrets/bicep/matrix.yaml;
|
sopsFile = fp /secrets/bicep/matrix.yaml;
|
||||||
key = "hookshot/hs_token";
|
key = "hookshot/hs_token";
|
||||||
};
|
};
|
||||||
|
sops.secrets."matrix/hookshot/passkey" = {
|
||||||
|
sopsFile = fp /secrets/bicep/matrix.yaml;
|
||||||
|
key = "hookshot/passkey";
|
||||||
|
};
|
||||||
|
|
||||||
sops.templates."hookshot-registration.yaml" = {
|
sops.templates."hookshot-registration.yaml" = {
|
||||||
owner = config.users.users.matrix-synapse.name;
|
owner = config.users.users.matrix-synapse.name;
|
||||||
@@ -44,9 +48,14 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.matrix-hookshot = {
|
systemd.services.matrix-hookshot = {
|
||||||
serviceConfig.SupplementaryGroups = [
|
serviceConfig = {
|
||||||
|
SupplementaryGroups = [
|
||||||
config.users.groups.keys-matrix-registrations.name
|
config.users.groups.keys-matrix-registrations.name
|
||||||
];
|
];
|
||||||
|
LoadCredential = [
|
||||||
|
"passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.matrix-hookshot = {
|
services.matrix-hookshot = {
|
||||||
@@ -54,6 +63,8 @@ in
|
|||||||
package = unstablePkgs.matrix-hookshot;
|
package = unstablePkgs.matrix-hookshot;
|
||||||
registrationFile = config.sops.templates."hookshot-registration.yaml".path;
|
registrationFile = config.sops.templates."hookshot-registration.yaml".path;
|
||||||
settings = {
|
settings = {
|
||||||
|
passFile = "/run/credentials/matrix-hookshot.service/passkey.pem";
|
||||||
|
|
||||||
bridge = {
|
bridge = {
|
||||||
bindAddress = "127.0.0.1";
|
bindAddress = "127.0.0.1";
|
||||||
domain = "pvv.ntnu.no";
|
domain = "pvv.ntnu.no";
|
||||||
@@ -61,6 +72,7 @@ in
|
|||||||
mediaUrl = "https://matrix.pvv.ntnu.no";
|
mediaUrl = "https://matrix.pvv.ntnu.no";
|
||||||
port = 9993;
|
port = 9993;
|
||||||
};
|
};
|
||||||
|
|
||||||
listeners = [
|
listeners = [
|
||||||
{
|
{
|
||||||
bindAddress = webhookListenAddress;
|
bindAddress = webhookListenAddress;
|
||||||
@@ -73,6 +85,7 @@ in
|
|||||||
];
|
];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
generic = {
|
generic = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
outbound = true;
|
outbound = true;
|
||||||
|
|||||||
@@ -43,7 +43,7 @@ in
|
|||||||
keyFile = config.sops.templates."matrix-livekit-keyfile".path;
|
keyFile = config.sops.templates."matrix-livekit-keyfile".path;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable matrixDomain;
|
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (builtins.concatStringsSep "," [ "pvv.ntnu.no" "dodsorf.as" ]);
|
||||||
|
|
||||||
services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
|
services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
|
||||||
locations."^~ /livekit/jwt/" = {
|
locations."^~ /livekit/jwt/" = {
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
{ config, pkgs, fp, ... }:
|
{ config, pkgs, lib, values, fp, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.services.matrix-ooye;
|
cfg = config.services.matrix-ooye;
|
||||||
in
|
in
|
||||||
@@ -28,6 +28,23 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.rsync-pull-targets = lib.mkIf cfg.enable {
|
||||||
|
enable = true;
|
||||||
|
locations."/var/lib/private/matrix-ooye" = {
|
||||||
|
user = "root";
|
||||||
|
rrsyncArgs.ro = true;
|
||||||
|
authorizedKeysAttrs = [
|
||||||
|
"restrict"
|
||||||
|
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
|
||||||
|
"no-agent-forwarding"
|
||||||
|
"no-port-forwarding"
|
||||||
|
"no-pty"
|
||||||
|
"no-X11-forwarding"
|
||||||
|
];
|
||||||
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5koYfor5+kKB30Dugj3dAWvmj8h/akQQ2XYDvLobFL matrix_ooye rsync backup";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
services.matrix-ooye = {
|
services.matrix-ooye = {
|
||||||
enable = true;
|
enable = true;
|
||||||
homeserver = "https://matrix.pvv.ntnu.no";
|
homeserver = "https://matrix.pvv.ntnu.no";
|
||||||
|
|||||||
@@ -0,0 +1,56 @@
|
|||||||
|
{ config, lib, utils, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.synapse-auto-compressor;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services.synapse-auto-compressor = {
|
||||||
|
# enable = true;
|
||||||
|
postgresUrl = "postgresql://matrix-synapse@/synapse?host=/run/postgresql";
|
||||||
|
};
|
||||||
|
|
||||||
|
# NOTE: nixpkgs has some broken asserts, vendored the entire unit
|
||||||
|
systemd.services.synapse-auto-compressor = {
|
||||||
|
description = "synapse-auto-compressor";
|
||||||
|
requires = [
|
||||||
|
"postgresql.target"
|
||||||
|
];
|
||||||
|
inherit (cfg) startAt;
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
DynamicUser = true;
|
||||||
|
User = "matrix-synapse";
|
||||||
|
PrivateTmp = true;
|
||||||
|
ExecStart = utils.escapeSystemdExecArgs [
|
||||||
|
"${cfg.package}/bin/synapse_auto_compressor"
|
||||||
|
"-p"
|
||||||
|
cfg.postgresUrl
|
||||||
|
"-c"
|
||||||
|
cfg.settings.chunk_size
|
||||||
|
"-n"
|
||||||
|
cfg.settings.chunks_to_compress
|
||||||
|
"-l"
|
||||||
|
(lib.concatStringsSep "," (map toString cfg.settings.levels))
|
||||||
|
];
|
||||||
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateMounts = true;
|
||||||
|
PrivateUsers = true;
|
||||||
|
RemoveIPC = true;
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
ProcSubset = "pid";
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
ProtectSystem = "strict";
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -15,11 +15,33 @@ in {
|
|||||||
group = config.users.users.matrix-synapse.group;
|
group = config.users.users.matrix-synapse.group;
|
||||||
};
|
};
|
||||||
|
|
||||||
sops.secrets."matrix/synapse/user_registration" = {
|
sops.secrets."matrix/synapse/user_registration/registration_shared_secret" = {
|
||||||
sopsFile = fp /secrets/bicep/matrix.yaml;
|
sopsFile = fp /secrets/bicep/matrix.yaml;
|
||||||
key = "synapse/signing_key";
|
key = "synapse/user_registration/registration_shared_secret";
|
||||||
|
};
|
||||||
|
sops.templates."matrix-synapse-user-registration" = {
|
||||||
owner = config.users.users.matrix-synapse.name;
|
owner = config.users.users.matrix-synapse.name;
|
||||||
group = config.users.users.matrix-synapse.group;
|
group = config.users.users.matrix-synapse.group;
|
||||||
|
content = ''
|
||||||
|
registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
services.rsync-pull-targets = {
|
||||||
|
enable = true;
|
||||||
|
locations.${cfg.settings.media_store_path} = {
|
||||||
|
user = "root";
|
||||||
|
rrsyncArgs.ro = true;
|
||||||
|
authorizedKeysAttrs = [
|
||||||
|
"restrict"
|
||||||
|
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
|
||||||
|
"no-agent-forwarding"
|
||||||
|
"no-port-forwarding"
|
||||||
|
"no-pty"
|
||||||
|
"no-X11-forwarding"
|
||||||
|
];
|
||||||
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASnjI9b3j4ZS3BL/D1ggHfws1BkE8iS0v0cGpEmbG+k matrix_media_store rsync backup";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.matrix-synapse-next = {
|
services.matrix-synapse-next = {
|
||||||
@@ -83,7 +105,7 @@ in {
|
|||||||
mau_stats_only = true;
|
mau_stats_only = true;
|
||||||
|
|
||||||
enable_registration = false;
|
enable_registration = false;
|
||||||
registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;
|
registration_shared_secret_path = config.sops.templates."matrix-synapse-user-registration".path;
|
||||||
|
|
||||||
password_config.enabled = true;
|
password_config.enabled = true;
|
||||||
|
|
||||||
@@ -95,6 +117,32 @@ in {
|
|||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
experimental_features = {
|
||||||
|
# MSC3266: Room summary API. Used for knocking over federation
|
||||||
|
msc3266_enabled = true;
|
||||||
|
# MSC4222 needed for syncv2 state_after. This allow clients to
|
||||||
|
# correctly track the state of the room.
|
||||||
|
msc4222_enabled = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
# The maximum allowed duration by which sent events can be delayed, as
|
||||||
|
# per MSC4140.
|
||||||
|
max_event_delay_duration = "24h";
|
||||||
|
|
||||||
|
rc_message = {
|
||||||
|
# This needs to match at least e2ee key sharing frequency plus a bit of headroom
|
||||||
|
# Note key sharing events are bursty
|
||||||
|
per_second = 0.5;
|
||||||
|
burst_count = 30;
|
||||||
|
};
|
||||||
|
|
||||||
|
rc_delayed_event_mgmt = {
|
||||||
|
# This needs to match at least the heart-beat frequency plus a bit of headroom
|
||||||
|
# Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s
|
||||||
|
per_second = 1;
|
||||||
|
burst_count = 20;
|
||||||
|
};
|
||||||
|
|
||||||
trusted_key_servers = [
|
trusted_key_servers = [
|
||||||
{ server_name = "matrix.org"; }
|
{ server_name = "matrix.org"; }
|
||||||
{ server_name = "dodsorf.as"; }
|
{ server_name = "dodsorf.as"; }
|
||||||
|
|||||||
@@ -22,7 +22,7 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.minecraft-heatmap-ingest-logs = {
|
systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable {
|
||||||
serviceConfig.LoadCredential = [
|
serviceConfig.LoadCredential = [
|
||||||
"sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
|
"sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
|
||||||
];
|
];
|
||||||
|
|||||||
@@ -0,0 +1,83 @@
|
|||||||
|
{ config, lib, pkgs, values, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.mysql;
|
||||||
|
backupDir = "/data/mysql-backups";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
# services.mysqlBackup = lib.mkIf cfg.enable {
|
||||||
|
# enable = true;
|
||||||
|
# location = "/var/lib/mysql-backups";
|
||||||
|
# };
|
||||||
|
|
||||||
|
systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = {
|
||||||
|
user = "mysql";
|
||||||
|
group = "mysql";
|
||||||
|
mode = "700";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.rsync-pull-targets = lib.mkIf cfg.enable {
|
||||||
|
enable = true;
|
||||||
|
locations.${backupDir} = {
|
||||||
|
user = "root";
|
||||||
|
rrsyncArgs.ro = true;
|
||||||
|
authorizedKeysAttrs = [
|
||||||
|
"restrict"
|
||||||
|
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
|
||||||
|
"no-agent-forwarding"
|
||||||
|
"no-port-forwarding"
|
||||||
|
"no-pty"
|
||||||
|
"no-X11-forwarding"
|
||||||
|
];
|
||||||
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgj55/7Cnj4cYMJ5sIkl+OwcGeBe039kXJTOf2wvo9j mysql rsync backup";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
|
||||||
|
# another unit, it was easier to just make one ourselves.
|
||||||
|
systemd.services."backup-mysql" = lib.mkIf cfg.enable {
|
||||||
|
description = "Backup MySQL data";
|
||||||
|
requires = [ "mysql.service" ];
|
||||||
|
|
||||||
|
path = with pkgs; [
|
||||||
|
cfg.package
|
||||||
|
coreutils
|
||||||
|
zstd
|
||||||
|
];
|
||||||
|
|
||||||
|
script = let
|
||||||
|
rotations = 2;
|
||||||
|
in ''
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
|
||||||
|
|
||||||
|
mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
|
||||||
|
|
||||||
|
# NOTE: this needs to be a hardlink for rrsync to allow sending it
|
||||||
|
rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
|
||||||
|
ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
|
||||||
|
|
||||||
|
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
|
||||||
|
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
|
||||||
|
done
|
||||||
|
'';
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
User = "mysql";
|
||||||
|
Group = "mysql";
|
||||||
|
UMask = "0077";
|
||||||
|
|
||||||
|
Nice = 19;
|
||||||
|
IOSchedulingClass = "best-effort";
|
||||||
|
IOSchedulingPriority = 7;
|
||||||
|
|
||||||
|
StateDirectory = [ "mysql-backups" ];
|
||||||
|
BindPaths = [ "${backupDir}:/var/lib/mysql-backups" ];
|
||||||
|
|
||||||
|
# TODO: hardening
|
||||||
|
};
|
||||||
|
|
||||||
|
startAt = "*-*-* 02:15:00";
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -1,5 +1,11 @@
|
|||||||
{ pkgs, lib, config, values, ... }:
|
{ config, pkgs, lib, values, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.mysql;
|
||||||
|
dataDir = "/data/mysql";
|
||||||
|
in
|
||||||
{
|
{
|
||||||
|
imports = [ ./backup.nix ];
|
||||||
|
|
||||||
sops.secrets."mysql/password" = {
|
sops.secrets."mysql/password" = {
|
||||||
owner = "mysql";
|
owner = "mysql";
|
||||||
group = "mysql";
|
group = "mysql";
|
||||||
@@ -9,8 +15,7 @@
|
|||||||
|
|
||||||
services.mysql = {
|
services.mysql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
dataDir = "/data/mysql";
|
package = pkgs.mariadb_118;
|
||||||
package = pkgs.mariadb;
|
|
||||||
settings = {
|
settings = {
|
||||||
mysqld = {
|
mysqld = {
|
||||||
# PVV allows a lot of connections at the same time
|
# PVV allows a lot of connections at the same time
|
||||||
@@ -21,6 +26,9 @@
|
|||||||
# This was needed in order to be able to use all of the old users
|
# This was needed in order to be able to use all of the old users
|
||||||
# during migration from knakelibrak to bicep in Sep. 2023
|
# during migration from knakelibrak to bicep in Sep. 2023
|
||||||
secure_auth = 0;
|
secure_auth = 0;
|
||||||
|
|
||||||
|
slow-query-log = 1;
|
||||||
|
slow-query-log-file = "/var/log/mysql/mysql-slow.log";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -36,14 +44,24 @@
|
|||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.mysqlBackup = {
|
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
|
||||||
enable = true;
|
|
||||||
location = "/var/lib/mysql/backups";
|
systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
|
||||||
|
inherit (cfg) user group;
|
||||||
|
mode = "0700";
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 3306 ];
|
systemd.services.mysql = lib.mkIf cfg.enable {
|
||||||
|
after = [
|
||||||
|
"systemd-tmpfiles-setup.service"
|
||||||
|
"systemd-tmpfiles-resetup.service"
|
||||||
|
];
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
BindPaths = [ "${dataDir}:${cfg.dataDir}" ];
|
||||||
|
|
||||||
|
LogsDirectory = "mysql";
|
||||||
|
|
||||||
systemd.services.mysql.serviceConfig = {
|
|
||||||
IPAddressDeny = "any";
|
IPAddressDeny = "any";
|
||||||
IPAddressAllow = [
|
IPAddressAllow = [
|
||||||
values.ipv4-space
|
values.ipv4-space
|
||||||
@@ -52,4 +70,5 @@
|
|||||||
values.hosts.ildkule.ipv6
|
values.hosts.ildkule.ipv6
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
@@ -0,0 +1,84 @@
|
|||||||
|
{ config, lib, pkgs, values, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.postgresql;
|
||||||
|
backupDir = "/data/postgresql-backups";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
# services.postgresqlBackup = lib.mkIf cfg.enable {
|
||||||
|
# enable = true;
|
||||||
|
# location = "/var/lib/postgresql-backups";
|
||||||
|
# backupAll = true;
|
||||||
|
# };
|
||||||
|
|
||||||
|
systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = {
|
||||||
|
user = "postgres";
|
||||||
|
group = "postgres";
|
||||||
|
mode = "700";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.rsync-pull-targets = lib.mkIf cfg.enable {
|
||||||
|
enable = true;
|
||||||
|
locations.${backupDir} = {
|
||||||
|
user = "root";
|
||||||
|
rrsyncArgs.ro = true;
|
||||||
|
authorizedKeysAttrs = [
|
||||||
|
"restrict"
|
||||||
|
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
|
||||||
|
"no-agent-forwarding"
|
||||||
|
"no-port-forwarding"
|
||||||
|
"no-pty"
|
||||||
|
"no-X11-forwarding"
|
||||||
|
];
|
||||||
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvO7QX7QmwSiGLXEsaxPIOpAqnJP3M+qqQRe5dzf8gJ postgresql rsync backup";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
|
||||||
|
# another unit, it was easier to just make one ourselves
|
||||||
|
systemd.services."backup-postgresql" = {
|
||||||
|
description = "Backup PostgreSQL data";
|
||||||
|
requires = [ "postgresql.service" ];
|
||||||
|
|
||||||
|
path = with pkgs; [
|
||||||
|
coreutils
|
||||||
|
zstd
|
||||||
|
cfg.package
|
||||||
|
];
|
||||||
|
|
||||||
|
script = let
|
||||||
|
rotations = 2;
|
||||||
|
in ''
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
|
||||||
|
|
||||||
|
pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
|
||||||
|
|
||||||
|
# NOTE: this needs to be a hardlink for rrsync to allow sending it
|
||||||
|
rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
|
||||||
|
ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
|
||||||
|
|
||||||
|
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
|
||||||
|
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
|
||||||
|
done
|
||||||
|
'';
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
User = "postgres";
|
||||||
|
Group = "postgres";
|
||||||
|
UMask = "0077";
|
||||||
|
|
||||||
|
Nice = 19;
|
||||||
|
IOSchedulingClass = "best-effort";
|
||||||
|
IOSchedulingPriority = 7;
|
||||||
|
|
||||||
|
StateDirectory = [ "postgresql-backups" ];
|
||||||
|
BindPaths = [ "${backupDir}:/var/lib/postgresql-backups" ];
|
||||||
|
|
||||||
|
# TODO: hardening
|
||||||
|
};
|
||||||
|
|
||||||
|
startAt = "*-*-* 01:15:00";
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -0,0 +1,37 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.postgresql;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
config = lib.mkIf cfg.enable {
|
||||||
|
systemd.services = {
|
||||||
|
postgresql-repack = {
|
||||||
|
requires = [ "postgresql.service" ];
|
||||||
|
after = [ "postgresql.target" ];
|
||||||
|
description = "Repack all PostgreSQL databases";
|
||||||
|
startAt = "Mon 06:00:00";
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
User = "postgres";
|
||||||
|
Group = "postgres";
|
||||||
|
|
||||||
|
ExecStart = "${lib.getExe cfg.package.pkgs.pg_repack} --host=/run/postgresql --no-kill-backend --wait-timeout=30 --all";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
postgresql-vacuum-analyze = {
|
||||||
|
requires = [ "postgresql.service" ];
|
||||||
|
after = [ "postgresql.target" ];
|
||||||
|
description = "Vacuum and analyze all PostgreSQL databases";
|
||||||
|
startAt = "Tue 06:00:00";
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
User = "postgres";
|
||||||
|
Group = "postgres";
|
||||||
|
|
||||||
|
ExecStart = "${lib.getExe' cfg.package "psql"} --port=${builtins.toString cfg.settings.port} -tAc 'VACUUM ANALYZE'";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -1,8 +1,17 @@
|
|||||||
{ config, pkgs, values, ... }:
|
{ config, lib, pkgs, values, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.postgresql;
|
||||||
|
in
|
||||||
{
|
{
|
||||||
|
imports = [
|
||||||
|
./backup.nix
|
||||||
|
./cleanup-timers.nix
|
||||||
|
];
|
||||||
|
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.postgresql_15;
|
package = pkgs.postgresql_18;
|
||||||
|
extensions = ps: with ps; [ pg_repack ];
|
||||||
enableTCPIP = true;
|
enableTCPIP = true;
|
||||||
|
|
||||||
authentication = ''
|
authentication = ''
|
||||||
@@ -74,13 +83,13 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
|
systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = lib.mkIf cfg.enable {
|
||||||
user = config.systemd.services.postgresql.serviceConfig.User;
|
user = config.systemd.services.postgresql.serviceConfig.User;
|
||||||
group = config.systemd.services.postgresql.serviceConfig.Group;
|
group = config.systemd.services.postgresql.serviceConfig.Group;
|
||||||
mode = "0700";
|
mode = "0700";
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.postgresql-setup = {
|
systemd.services.postgresql-setup = lib.mkIf cfg.enable {
|
||||||
after = [
|
after = [
|
||||||
"systemd-tmpfiles-setup.service"
|
"systemd-tmpfiles-setup.service"
|
||||||
"systemd-tmpfiles-resetup.service"
|
"systemd-tmpfiles-resetup.service"
|
||||||
@@ -95,7 +104,7 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.postgresql = {
|
systemd.services.postgresql = lib.mkIf cfg.enable {
|
||||||
after = [
|
after = [
|
||||||
"systemd-tmpfiles-setup.service"
|
"systemd-tmpfiles-setup.service"
|
||||||
"systemd-tmpfiles-resetup.service"
|
"systemd-tmpfiles-resetup.service"
|
||||||
@@ -110,18 +119,12 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.snakeoil-certs."/etc/certs/postgres" = {
|
environment.snakeoil-certs."/etc/certs/postgres" = lib.mkIf cfg.enable {
|
||||||
owner = "postgres";
|
owner = "postgres";
|
||||||
group = "postgres";
|
group = "postgres";
|
||||||
subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
|
subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 5432 ];
|
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 5432 ];
|
||||||
networking.firewall.allowedUDPPorts = [ 5432 ];
|
networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [ 5432 ];
|
||||||
|
|
||||||
services.postgresqlBackup = {
|
|
||||||
enable = true;
|
|
||||||
location = "/var/lib/postgres/backups";
|
|
||||||
backupAll = true;
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
@@ -25,6 +25,7 @@
|
|||||||
];
|
];
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
|
hostName = "bikkje";
|
||||||
firewall = {
|
firewall = {
|
||||||
enable = true;
|
enable = true;
|
||||||
# Allow SSH and HTTP and ports for email and irc
|
# Allow SSH and HTTP and ports for email and irc
|
||||||
@@ -36,9 +37,11 @@
|
|||||||
useHostResolvConf = mkForce false;
|
useHostResolvConf = mkForce false;
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "23.11";
|
|
||||||
services.resolved.enable = true;
|
services.resolved.enable = true;
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
|
# Don't change (even during upgrades) unless you know what you are doing.
|
||||||
|
# See https://search.nixos.org/options?show=system.stateVersion
|
||||||
|
system.stateVersion = "23.11";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -8,28 +8,14 @@
|
|||||||
./services/grzegorz.nix
|
./services/grzegorz.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
|
||||||
|
|
||||||
networking.hostName = "brzeczyszczykiewicz";
|
|
||||||
|
|
||||||
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
|
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
|
||||||
matchConfig.Name = "eno1";
|
matchConfig.Name = "eno1";
|
||||||
address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# List packages installed in system profile
|
fonts.fontconfig.enable = true;
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
];
|
|
||||||
|
|
||||||
# List services that you want to enable:
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
|
||||||
# settings for stateful data, like file locations and database versions
|
|
||||||
# on your system were taken. It's perfectly fine and recommended to leave
|
|
||||||
# this value at the release version of the first install of this system.
|
|
||||||
# Before changing this value read the documentation for this option
|
|
||||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
|
||||||
system.stateVersion = "23.05"; # Did you read the comment?
|
|
||||||
|
|
||||||
|
# Don't change (even during upgrades) unless you know what you are doing.
|
||||||
|
# See https://search.nixos.org/options?show=system.stateVersion
|
||||||
|
system.stateVersion = "25.11";
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -8,24 +8,11 @@
|
|||||||
(fp /modules/grzegorz.nix)
|
(fp /modules/grzegorz.nix)
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
|
||||||
|
|
||||||
networking.hostName = "georg";
|
|
||||||
|
|
||||||
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
|
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
|
||||||
matchConfig.Name = "eno1";
|
matchConfig.Name = "eno1";
|
||||||
address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# List packages installed in system profile
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
];
|
|
||||||
|
|
||||||
# List services that you want to enable:
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
services.spotifyd = {
|
services.spotifyd = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings.global = {
|
settings.global = {
|
||||||
@@ -41,15 +28,9 @@
|
|||||||
5353 # spotifyd is its own mDNS service wtf
|
5353 # spotifyd is its own mDNS service wtf
|
||||||
];
|
];
|
||||||
|
|
||||||
|
fonts.fontconfig.enable = true;
|
||||||
|
|
||||||
|
# Don't change (even during upgrades) unless you know what you are doing.
|
||||||
|
# See https://search.nixos.org/options?show=system.stateVersion
|
||||||
# This value determines the NixOS release from which the default
|
system.stateVersion = "25.11";
|
||||||
# settings for stateful data, like file locations and database versions
|
|
||||||
# on your system were taken. It's perfectly fine and recommended to leave
|
|
||||||
# this value at the release version of the first install of this system.
|
|
||||||
# Before changing this value read the documentation for this option
|
|
||||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
|
||||||
system.stateVersion = "23.05"; # Did you read the comment?
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -7,19 +7,25 @@
|
|||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
./services/bluemap.nix
|
||||||
(fp /base)
|
(fp /base)
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
|
||||||
|
|
||||||
systemd.network.enable = lib.mkForce false;
|
systemd.network.enable = lib.mkForce false;
|
||||||
|
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
||||||
|
|
||||||
|
boot.loader = {
|
||||||
|
systemd-boot.enable = false; # no uefi support on this device
|
||||||
|
grub.device = "/dev/sda";
|
||||||
|
grub.enable = true;
|
||||||
|
};
|
||||||
|
boot.tmp.cleanOnBoot = true;
|
||||||
|
|
||||||
networking =
|
networking =
|
||||||
let
|
let
|
||||||
hostConf = values.hosts.gluttony;
|
hostConf = values.hosts.gluttony;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
hostName = "gluttony";
|
|
||||||
tempAddresses = "disabled";
|
tempAddresses = "disabled";
|
||||||
useDHCP = false;
|
useDHCP = false;
|
||||||
|
|
||||||
@@ -47,5 +53,9 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "25.11"; # Don't change unless you know what you are doing.
|
services.qemuGuest.enable = true;
|
||||||
|
|
||||||
|
# Don't change (even during upgrades) unless you know what you are doing.
|
||||||
|
# See https://search.nixos.org/options?show=system.stateVersion
|
||||||
|
system.stateVersion = "25.11";
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -22,7 +22,7 @@
|
|||||||
"sd_mod"
|
"sd_mod"
|
||||||
];
|
];
|
||||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||||
boot.kernelModules = [ ];
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
fileSystems."/" = {
|
fileSystems."/" = {
|
||||||
@@ -31,7 +31,7 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" = {
|
fileSystems."/boot" = {
|
||||||
device = "/dev/disk/by-uuid/D00A-B488";
|
device = "/dev/disk/by-uuid/BD97-FCA0";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
options = [
|
options = [
|
||||||
"fmask=0077"
|
"fmask=0077"
|
||||||
|
|||||||
@@ -0,0 +1,113 @@
|
|||||||
|
{ config, lib, pkgs, inputs, ... }:
|
||||||
|
let
|
||||||
|
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
|
||||||
|
in {
|
||||||
|
# NOTE: our version of the module gets added in flake.nix
|
||||||
|
disabledModules = [ "services/web-apps/bluemap.nix" ];
|
||||||
|
|
||||||
|
sops.secrets."bluemap/ssh-key" = { };
|
||||||
|
sops.secrets."bluemap/ssh-known-hosts" = { };
|
||||||
|
|
||||||
|
services.bluemap = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
eula = true;
|
||||||
|
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
|
||||||
|
|
||||||
|
enableNginx = false;
|
||||||
|
|
||||||
|
host = "minecraft.pvv.ntnu.no";
|
||||||
|
|
||||||
|
maps = let
|
||||||
|
inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
|
||||||
|
in {
|
||||||
|
"verden" = {
|
||||||
|
extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
|
||||||
|
settings = {
|
||||||
|
world = vanillaSurvival;
|
||||||
|
dimension = "minecraft:overworld";
|
||||||
|
name = "Verden";
|
||||||
|
sorting = 0;
|
||||||
|
start-pos = {
|
||||||
|
x = 0;
|
||||||
|
z = 0;
|
||||||
|
};
|
||||||
|
ambient-light = 0.1;
|
||||||
|
cave-detection-ocean-floor = -5;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"underverden" = {
|
||||||
|
extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
|
||||||
|
settings = {
|
||||||
|
world = vanillaSurvival;
|
||||||
|
dimension = "minecraft:the_nether";
|
||||||
|
name = "Underverden";
|
||||||
|
sorting = 100;
|
||||||
|
start-pos = {
|
||||||
|
x = 0;
|
||||||
|
z = 0;
|
||||||
|
};
|
||||||
|
sky-color = "#290000";
|
||||||
|
void-color = "#150000";
|
||||||
|
sky-light = 1;
|
||||||
|
ambient-light = 0.6;
|
||||||
|
remove-caves-below-y = -10000;
|
||||||
|
cave-detection-ocean-floor = -5;
|
||||||
|
cave-detection-uses-block-light = true;
|
||||||
|
render-mask = [{
|
||||||
|
max-y = 90;
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"enden" = {
|
||||||
|
extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
|
||||||
|
settings = {
|
||||||
|
world = vanillaSurvival;
|
||||||
|
dimension = "minecraft:the_end";
|
||||||
|
name = "Enden";
|
||||||
|
sorting = 200;
|
||||||
|
start-pos = {
|
||||||
|
x = 0;
|
||||||
|
z = 0;
|
||||||
|
};
|
||||||
|
sky-color = "#080010";
|
||||||
|
void-color = "#080010";
|
||||||
|
sky-light = 1;
|
||||||
|
ambient-light = 0.6;
|
||||||
|
remove-caves-below-y = -10000;
|
||||||
|
cave-detection-ocean-floor = -5;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services."render-bluemap-maps" = {
|
||||||
|
serviceConfig = {
|
||||||
|
StateDirectory = [ "bluemap/world" ];
|
||||||
|
ExecStartPre = let
|
||||||
|
rsyncArgs = lib.cli.toCommandLineShellGNU { } {
|
||||||
|
archive = true;
|
||||||
|
compress = true;
|
||||||
|
verbose = true;
|
||||||
|
no-owner = true;
|
||||||
|
no-group = true;
|
||||||
|
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
|
||||||
|
};
|
||||||
|
in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
|
||||||
|
ExecStartPost = let
|
||||||
|
rsyncArgs = lib.cli.toCommandLineShellGNU { } {
|
||||||
|
archive = true;
|
||||||
|
compress = true;
|
||||||
|
verbose = true;
|
||||||
|
no-owner = true;
|
||||||
|
no-group = true;
|
||||||
|
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
|
||||||
|
};
|
||||||
|
in "${lib.getExe pkgs.rsync} ${rsyncArgs} --groupmap=root:nginx ${config.services.bluemap.webRoot}/ root@bekkalokk.pvv.ntnu.no:/";
|
||||||
|
LoadCredential = [
|
||||||
|
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
|
||||||
|
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -1,8 +1,14 @@
|
|||||||
{ config, fp, pkgs, lib, values, ... }:
|
|
||||||
{
|
{
|
||||||
|
config,
|
||||||
|
fp,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
values,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
# Include the results of the hardware scan.
|
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
./disks.nix
|
||||||
(fp /base)
|
(fp /base)
|
||||||
|
|
||||||
./services/monitoring
|
./services/monitoring
|
||||||
@@ -10,12 +16,8 @@
|
|||||||
./services/journald-remote.nix
|
./services/journald-remote.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
|
boot.loader.grub.enable = true;
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
boot.loader.systemd-boot.enable = lib.mkForce false;
|
||||||
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
|
||||||
sops.age.generateKey = true;
|
|
||||||
|
|
||||||
boot.loader.grub.device = "/dev/vda";
|
|
||||||
boot.tmp.cleanOnBoot = true;
|
boot.tmp.cleanOnBoot = true;
|
||||||
zramSwap.enable = true;
|
zramSwap.enable = true;
|
||||||
|
|
||||||
@@ -24,7 +26,6 @@
|
|||||||
networking = let
|
networking = let
|
||||||
hostConf = values.hosts.ildkule;
|
hostConf = values.hosts.ildkule;
|
||||||
in {
|
in {
|
||||||
hostName = "ildkule";
|
|
||||||
tempAddresses = "disabled";
|
tempAddresses = "disabled";
|
||||||
useDHCP = lib.mkForce true;
|
useDHCP = lib.mkForce true;
|
||||||
|
|
||||||
@@ -32,24 +33,29 @@
|
|||||||
nameservers = values.defaultNetworkConfig.dns;
|
nameservers = values.defaultNetworkConfig.dns;
|
||||||
defaultGateway.address = hostConf.ipv4_internal_gw;
|
defaultGateway.address = hostConf.ipv4_internal_gw;
|
||||||
|
|
||||||
interfaces."ens4" = {
|
interfaces."ens3" = {
|
||||||
ipv4.addresses = [
|
ipv4.addresses = [
|
||||||
{ address = hostConf.ipv4; prefixLength = 32; }
|
{
|
||||||
{ address = hostConf.ipv4_internal; prefixLength = 24; }
|
address = hostConf.ipv4;
|
||||||
|
prefixLength = 32;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
address = hostConf.ipv4_internal;
|
||||||
|
prefixLength = 24;
|
||||||
|
}
|
||||||
];
|
];
|
||||||
ipv6.addresses = [
|
ipv6.addresses = [
|
||||||
{ address = hostConf.ipv6; prefixLength = 64; }
|
{
|
||||||
|
address = hostConf.ipv6;
|
||||||
|
prefixLength = 64;
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# List packages installed in system profile
|
services.qemuGuest.enable = true;
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
];
|
|
||||||
|
|
||||||
# No devices with SMART
|
|
||||||
services.smartd.enable = false;
|
|
||||||
|
|
||||||
system.stateVersion = "23.11"; # Did you read the comment?
|
|
||||||
|
|
||||||
|
# Don't change (even during upgrades) unless you know what you are doing.
|
||||||
|
# See https://search.nixos.org/options?show=system.stateVersion
|
||||||
|
system.stateVersion = "23.11";
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -0,0 +1,27 @@
|
|||||||
|
{
|
||||||
|
disko.devices = {
|
||||||
|
disk = {
|
||||||
|
sda = {
|
||||||
|
device = "/dev/sda";
|
||||||
|
type = "disk";
|
||||||
|
content = {
|
||||||
|
type = "gpt";
|
||||||
|
partitions = {
|
||||||
|
bios = {
|
||||||
|
size = "1M";
|
||||||
|
type = "EF02";
|
||||||
|
};
|
||||||
|
root = {
|
||||||
|
size = "100%";
|
||||||
|
content = {
|
||||||
|
type = "filesystem";
|
||||||
|
format = "ext4";
|
||||||
|
mountpoint = "/";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -1,16 +1,24 @@
|
|||||||
{ modulesPath, lib, ... }:
|
# Do not modify this file! It was generated by 'nixos-generate-config'
|
||||||
{
|
# and may be overwritten by future invocations. Please make changes
|
||||||
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
# to /etc/nixos/configuration.nix instead.
|
||||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
boot.initrd.kernelModules = [ "nvme" ];
|
|
||||||
fileSystems."/" = {
|
|
||||||
device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
fileSystems."/data" = {
|
|
||||||
device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ (modulesPath + "/profiles/qemu-guest.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
networking.useDHCP = lib.mkDefault true;
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
}
|
}
|
||||||
|
|||||||
File diff suppressed because it is too large
Load Diff
@@ -13,7 +13,7 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"description": "",
|
"description": "",
|
||||||
"editable": true,
|
"editable": false,
|
||||||
"gnetId": 11323,
|
"gnetId": 11323,
|
||||||
"graphTooltip": 1,
|
"graphTooltip": 1,
|
||||||
"id": 31,
|
"id": 31,
|
||||||
@@ -1899,7 +1899,7 @@
|
|||||||
"dashes": false,
|
"dashes": false,
|
||||||
"datasource": "$datasource",
|
"datasource": "$datasource",
|
||||||
"decimals": 0,
|
"decimals": 0,
|
||||||
"description": "***System Memory***: Total Memory for the system.\\\n***InnoDB Buffer Pool Data***: InnoDB maintains a storage area called the buffer pool for caching data and indexes in memory.\\\n***TokuDB Cache Size***: Similar in function to the InnoDB Buffer Pool, TokuDB will allocate 50% of the installed RAM for its own cache.\\\n***Key Buffer Size***: Index blocks for MYISAM tables are buffered and are shared by all threads. key_buffer_size is the size of the buffer used for index blocks.\\\n***Adaptive Hash Index Size***: When InnoDB notices that some index values are being accessed very frequently, it builds a hash index for them in memory on top of B-Tree indexes.\\\n ***Query Cache Size***: The query cache stores the text of a SELECT statement together with the corresponding result that was sent to the client. The query cache has huge scalability problems in that only one thread can do an operation in the query cache at the same time.\\\n***InnoDB Dictionary Size***: The data dictionary is InnoDB 's internal catalog of tables. InnoDB stores the data dictionary on disk, and loads entries into memory while the server is running.\\\n***InnoDB Log Buffer Size***: The MySQL InnoDB log buffer allows transactions to run without having to write the log to disk before the transactions commit.",
|
"description": "***System Memory***: Total Memory for the system.\\\n***InnoDB Buffer Pool Data***: InnoDB maintains a storage area called the buffer pool for caching data and indexes in memory.\\\n***TokuDB Cache Size***: Similar in function to the InnoDB Buffer Pool, TokuDB will allocate 50% of the installed RAM for its own cache.\\\n***Key Buffer Size***: Index blocks for MYISAM tables are buffered and are shared by all threads. key_buffer_size is the size of the buffer used for index blocks.\\\n***Adaptive Hash Index Size***: When InnoDB notices that some index values are being accessed very frequently, it builds a hash index for them in memory on top of B-Tree indexes.\\\n ***Query Cache Size***: The query cache stores the text of a SELECT statement together with the corresponding result that was sent to the client. The query cache has huge scalability problems in that only one thread can do an operation in the query cache at the same time.\\\n***InnoDB Dictionary Size***: The data dictionary is InnoDB ‘s internal catalog of tables. InnoDB stores the data dictionary on disk, and loads entries into memory while the server is running.\\\n***InnoDB Log Buffer Size***: The MySQL InnoDB log buffer allows transactions to run without having to write the log to disk before the transactions commit.",
|
||||||
"editable": true,
|
"editable": true,
|
||||||
"error": false,
|
"error": false,
|
||||||
"fieldConfig": {
|
"fieldConfig": {
|
||||||
@@ -3690,7 +3690,7 @@
|
|||||||
},
|
},
|
||||||
"hide": 0,
|
"hide": 0,
|
||||||
"includeAll": false,
|
"includeAll": false,
|
||||||
"label": "Data Source",
|
"label": "Data source",
|
||||||
"multi": false,
|
"multi": false,
|
||||||
"name": "datasource",
|
"name": "datasource",
|
||||||
"options": [],
|
"options": [],
|
||||||
@@ -3713,12 +3713,12 @@
|
|||||||
"definition": "label_values(mysql_up, job)",
|
"definition": "label_values(mysql_up, job)",
|
||||||
"hide": 0,
|
"hide": 0,
|
||||||
"includeAll": true,
|
"includeAll": true,
|
||||||
"label": "job",
|
"label": "Job",
|
||||||
"multi": true,
|
"multi": true,
|
||||||
"name": "job",
|
"name": "job",
|
||||||
"options": [],
|
"options": [],
|
||||||
"query": "label_values(mysql_up, job)",
|
"query": "label_values(mysql_up, job)",
|
||||||
"refresh": 1,
|
"refresh": 2,
|
||||||
"regex": "",
|
"regex": "",
|
||||||
"skipUrlSync": false,
|
"skipUrlSync": false,
|
||||||
"sort": 0,
|
"sort": 0,
|
||||||
@@ -3742,12 +3742,12 @@
|
|||||||
"definition": "label_values(mysql_up, instance)",
|
"definition": "label_values(mysql_up, instance)",
|
||||||
"hide": 0,
|
"hide": 0,
|
||||||
"includeAll": true,
|
"includeAll": true,
|
||||||
"label": "instance",
|
"label": "Instance",
|
||||||
"multi": true,
|
"multi": true,
|
||||||
"name": "instance",
|
"name": "instance",
|
||||||
"options": [],
|
"options": [],
|
||||||
"query": "label_values(mysql_up, instance)",
|
"query": "label_values(mysql_up, instance)",
|
||||||
"refresh": 1,
|
"refresh": 2,
|
||||||
"regex": "",
|
"regex": "",
|
||||||
"skipUrlSync": false,
|
"skipUrlSync": false,
|
||||||
"sort": 0,
|
"sort": 0,
|
||||||
|
|||||||
File diff suppressed because it is too large
Load Diff
@@ -328,7 +328,7 @@
|
|||||||
"rgba(50, 172, 45, 0.97)"
|
"rgba(50, 172, 45, 0.97)"
|
||||||
],
|
],
|
||||||
"datasource": "${DS_PROMETHEUS}",
|
"datasource": "${DS_PROMETHEUS}",
|
||||||
"format": "decbytes",
|
"format": "short",
|
||||||
"gauge": {
|
"gauge": {
|
||||||
"maxValue": 100,
|
"maxValue": 100,
|
||||||
"minValue": 0,
|
"minValue": 0,
|
||||||
@@ -411,7 +411,7 @@
|
|||||||
"rgba(50, 172, 45, 0.97)"
|
"rgba(50, 172, 45, 0.97)"
|
||||||
],
|
],
|
||||||
"datasource": "${DS_PROMETHEUS}",
|
"datasource": "${DS_PROMETHEUS}",
|
||||||
"format": "decbytes",
|
"format": "short",
|
||||||
"gauge": {
|
"gauge": {
|
||||||
"maxValue": 100,
|
"maxValue": 100,
|
||||||
"minValue": 0,
|
"minValue": 0,
|
||||||
@@ -1410,7 +1410,7 @@
|
|||||||
"tableColumn": "",
|
"tableColumn": "",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "pg_settings_seq_page_cost",
|
"expr": "pg_settings_seq_page_cost{instance=\"$instance\"}",
|
||||||
"format": "time_series",
|
"format": "time_series",
|
||||||
"intervalFactor": 1,
|
"intervalFactor": 1,
|
||||||
"refId": "A"
|
"refId": "A"
|
||||||
@@ -1872,7 +1872,7 @@
|
|||||||
},
|
},
|
||||||
"yaxes": [
|
"yaxes": [
|
||||||
{
|
{
|
||||||
"format": "bytes",
|
"format": "short",
|
||||||
"label": null,
|
"label": null,
|
||||||
"logBase": 1,
|
"logBase": 1,
|
||||||
"max": null,
|
"max": null,
|
||||||
@@ -1966,7 +1966,7 @@
|
|||||||
},
|
},
|
||||||
"yaxes": [
|
"yaxes": [
|
||||||
{
|
{
|
||||||
"format": "bytes",
|
"format": "short",
|
||||||
"label": null,
|
"label": null,
|
||||||
"logBase": 1,
|
"logBase": 1,
|
||||||
"max": null,
|
"max": null,
|
||||||
@@ -2060,7 +2060,7 @@
|
|||||||
},
|
},
|
||||||
"yaxes": [
|
"yaxes": [
|
||||||
{
|
{
|
||||||
"format": "bytes",
|
"format": "short",
|
||||||
"label": null,
|
"label": null,
|
||||||
"logBase": 1,
|
"logBase": 1,
|
||||||
"max": null,
|
"max": null,
|
||||||
@@ -2251,7 +2251,7 @@
|
|||||||
},
|
},
|
||||||
"yaxes": [
|
"yaxes": [
|
||||||
{
|
{
|
||||||
"format": "bytes",
|
"format": "short",
|
||||||
"label": null,
|
"label": null,
|
||||||
"logBase": 1,
|
"logBase": 1,
|
||||||
"max": null,
|
"max": null,
|
||||||
@@ -2439,7 +2439,7 @@
|
|||||||
},
|
},
|
||||||
"yaxes": [
|
"yaxes": [
|
||||||
{
|
{
|
||||||
"format": "bytes",
|
"format": "short",
|
||||||
"label": null,
|
"label": null,
|
||||||
"logBase": 1,
|
"logBase": 1,
|
||||||
"max": null,
|
"max": null,
|
||||||
@@ -2589,35 +2589,35 @@
|
|||||||
"steppedLine": false,
|
"steppedLine": false,
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "irate(pg_stat_bgwriter_buffers_backend{instance=\"$instance\"}[5m])",
|
"expr": "irate(pg_stat_bgwriter_buffers_backend_total{instance=\"$instance\"}[5m])",
|
||||||
"format": "time_series",
|
"format": "time_series",
|
||||||
"intervalFactor": 1,
|
"intervalFactor": 1,
|
||||||
"legendFormat": "buffers_backend",
|
"legendFormat": "buffers_backend",
|
||||||
"refId": "A"
|
"refId": "A"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"expr": "irate(pg_stat_bgwriter_buffers_alloc{instance=\"$instance\"}[5m])",
|
"expr": "irate(pg_stat_bgwriter_buffers_alloc_total{instance=\"$instance\"}[5m])",
|
||||||
"format": "time_series",
|
"format": "time_series",
|
||||||
"intervalFactor": 1,
|
"intervalFactor": 1,
|
||||||
"legendFormat": "buffers_alloc",
|
"legendFormat": "buffers_alloc",
|
||||||
"refId": "B"
|
"refId": "B"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"expr": "irate(pg_stat_bgwriter_buffers_backend_fsync{instance=\"$instance\"}[5m])",
|
"expr": "irate(pg_stat_bgwriter_buffers_backend_fsync_total{instance=\"$instance\"}[5m])",
|
||||||
"format": "time_series",
|
"format": "time_series",
|
||||||
"intervalFactor": 1,
|
"intervalFactor": 1,
|
||||||
"legendFormat": "backend_fsync",
|
"legendFormat": "backend_fsync",
|
||||||
"refId": "C"
|
"refId": "C"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"expr": "irate(pg_stat_bgwriter_buffers_checkpoint{instance=\"$instance\"}[5m])",
|
"expr": "irate(pg_stat_bgwriter_buffers_checkpoint_total{instance=\"$instance\"}[5m])",
|
||||||
"format": "time_series",
|
"format": "time_series",
|
||||||
"intervalFactor": 1,
|
"intervalFactor": 1,
|
||||||
"legendFormat": "buffers_checkpoint",
|
"legendFormat": "buffers_checkpoint",
|
||||||
"refId": "D"
|
"refId": "D"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"expr": "irate(pg_stat_bgwriter_buffers_clean{instance=\"$instance\"}[5m])",
|
"expr": "irate(pg_stat_bgwriter_buffers_clean_total{instance=\"$instance\"}[5m])",
|
||||||
"format": "time_series",
|
"format": "time_series",
|
||||||
"intervalFactor": 1,
|
"intervalFactor": 1,
|
||||||
"legendFormat": "buffers_clean",
|
"legendFormat": "buffers_clean",
|
||||||
@@ -2886,14 +2886,14 @@
|
|||||||
"steppedLine": false,
|
"steppedLine": false,
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "irate(pg_stat_bgwriter_checkpoint_write_time{instance=\"$instance\"}[5m])",
|
"expr": "irate(pg_stat_bgwriter_checkpoint_write_time_total{instance=\"$instance\"}[5m])",
|
||||||
"format": "time_series",
|
"format": "time_series",
|
||||||
"intervalFactor": 1,
|
"intervalFactor": 1,
|
||||||
"legendFormat": "write_time - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk.",
|
"legendFormat": "write_time - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk.",
|
||||||
"refId": "B"
|
"refId": "B"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"expr": "irate(pg_stat_bgwriter_checkpoint_sync_time{instance=\"$instance\"}[5m])",
|
"expr": "irate(pg_stat_bgwriter_checkpoint_sync_time_total{instance=\"$instance\"}[5m])",
|
||||||
"format": "time_series",
|
"format": "time_series",
|
||||||
"intervalFactor": 1,
|
"intervalFactor": 1,
|
||||||
"legendFormat": "sync_time - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk.",
|
"legendFormat": "sync_time - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk.",
|
||||||
|
|||||||
File diff suppressed because it is too large
Load Diff
@@ -47,13 +47,13 @@ in {
|
|||||||
{
|
{
|
||||||
name = "Node Exporter Full";
|
name = "Node Exporter Full";
|
||||||
type = "file";
|
type = "file";
|
||||||
url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
|
url = "https://grafana.com/api/dashboards/1860/revisions/42/download";
|
||||||
options.path = dashboards/node-exporter-full.json;
|
options.path = dashboards/node-exporter-full.json;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
name = "Matrix Synapse";
|
name = "Matrix Synapse";
|
||||||
type = "file";
|
type = "file";
|
||||||
url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
|
url = "https://github.com/element-hq/synapse/raw/refs/heads/develop/contrib/grafana/synapse.json";
|
||||||
options.path = dashboards/synapse.json;
|
options.path = dashboards/synapse.json;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
@@ -65,15 +65,9 @@ in {
|
|||||||
{
|
{
|
||||||
name = "Postgresql";
|
name = "Postgresql";
|
||||||
type = "file";
|
type = "file";
|
||||||
url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
|
url = "https://grafana.com/api/dashboards/9628/revisions/8/download";
|
||||||
options.path = dashboards/postgres.json;
|
options.path = dashboards/postgres.json;
|
||||||
}
|
}
|
||||||
{
|
|
||||||
name = "Go Processes (gogs)";
|
|
||||||
type = "file";
|
|
||||||
url = "https://grafana.com/api/dashboards/240/revisions/3/download";
|
|
||||||
options.path = dashboards/go-processes.json;
|
|
||||||
}
|
|
||||||
{
|
{
|
||||||
name = "Gitea Dashboard";
|
name = "Gitea Dashboard";
|
||||||
type = "file";
|
type = "file";
|
||||||
|
|||||||
@@ -21,6 +21,7 @@ in {
|
|||||||
|
|
||||||
fileSystems."/var/lib/prometheus2" = {
|
fileSystems."/var/lib/prometheus2" = {
|
||||||
device = stateDir;
|
device = stateDir;
|
||||||
|
fsType = "bind";
|
||||||
options = [ "bind" ];
|
options = [ "bind" ];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -19,15 +19,15 @@ in {
|
|||||||
(mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
(mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
||||||
(mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
(mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
||||||
(mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
(mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
||||||
|
(mkHostScrapeConfig "gluttony" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
||||||
(mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
(mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
||||||
(mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
|
||||||
(mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
|
||||||
|
|
||||||
(mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
(mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
||||||
# (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
|
(mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
||||||
(mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
(mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
||||||
(mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
(mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
||||||
(mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
(mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
||||||
|
(mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
||||||
|
(mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
|
||||||
|
|
||||||
(mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
|
(mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
|
||||||
(mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
|
(mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
|
||||||
|
|||||||
@@ -19,8 +19,9 @@ in {
|
|||||||
locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
|
locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/var/lib/uptime-kuma" = {
|
fileSystems."/var/lib/private/uptime-kuma" = {
|
||||||
device = stateDir;
|
device = stateDir;
|
||||||
|
fsType = "bind";
|
||||||
options = [ "bind" ];
|
options = [ "bind" ];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -4,21 +4,12 @@
|
|||||||
# Include the results of the hardware scan.
|
# Include the results of the hardware scan.
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
(fp /base)
|
(fp /base)
|
||||||
|
./disks.nix
|
||||||
|
|
||||||
./services/gitea
|
./services/gitea
|
||||||
./services/nginx.nix
|
./services/nginx.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
|
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
||||||
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
|
||||||
sops.age.generateKey = true;
|
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
|
||||||
|
|
||||||
networking.hostName = "kommode"; # Define your hostname.
|
|
||||||
|
|
||||||
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
|
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
|
||||||
matchConfig.Name = "ens18";
|
matchConfig.Name = "ens18";
|
||||||
address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
||||||
@@ -26,7 +17,9 @@
|
|||||||
|
|
||||||
services.btrfs.autoScrub.enable = true;
|
services.btrfs.autoScrub.enable = true;
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [];
|
services.qemuGuest.enable = true;
|
||||||
|
|
||||||
|
# Don't change (even during upgrades) unless you know what you are doing.
|
||||||
|
# See https://search.nixos.org/options?show=system.stateVersion
|
||||||
system.stateVersion = "24.11";
|
system.stateVersion = "24.11";
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -0,0 +1,80 @@
|
|||||||
|
{ lib, ... }:
|
||||||
|
{
|
||||||
|
disko.devices = {
|
||||||
|
disk = {
|
||||||
|
sda = {
|
||||||
|
type = "disk";
|
||||||
|
device = "/dev/sda";
|
||||||
|
content = {
|
||||||
|
type = "gpt";
|
||||||
|
partitions = {
|
||||||
|
root = {
|
||||||
|
name = "root";
|
||||||
|
label = "root";
|
||||||
|
start = "1MiB";
|
||||||
|
end = "-5G";
|
||||||
|
content = {
|
||||||
|
type = "btrfs";
|
||||||
|
extraArgs = [ "-f" ]; # Override existing partition
|
||||||
|
# subvolumes = let
|
||||||
|
# makeSnapshottable = subvolPath: mountOptions: let
|
||||||
|
# name = lib.replaceString "/" "-" subvolPath;
|
||||||
|
# in {
|
||||||
|
# "@${name}/active" = {
|
||||||
|
# mountpoint = subvolPath;
|
||||||
|
# inherit mountOptions;
|
||||||
|
# };
|
||||||
|
# "@${name}/snapshots" = {
|
||||||
|
# mountpoint = "${subvolPath}/.snapshots";
|
||||||
|
# inherit mountOptions;
|
||||||
|
# };
|
||||||
|
# };
|
||||||
|
# in {
|
||||||
|
# "@" = { };
|
||||||
|
# "@/swap" = {
|
||||||
|
# mountpoint = "/.swapvol";
|
||||||
|
# swap.swapfile.size = "4G";
|
||||||
|
# };
|
||||||
|
# "@/root" = {
|
||||||
|
# mountpoint = "/";
|
||||||
|
# mountOptions = [ "compress=zstd" "noatime" ];
|
||||||
|
# };
|
||||||
|
# }
|
||||||
|
# // (makeSnapshottable "/home" [ "compress=zstd" "noatime" ])
|
||||||
|
# // (makeSnapshottable "/nix" [ "compress=zstd" "noatime" ])
|
||||||
|
# // (makeSnapshottable "/var/lib" [ "compress=zstd" "noatime" ])
|
||||||
|
# // (makeSnapshottable "/var/log" [ "compress=zstd" "noatime" ])
|
||||||
|
# // (makeSnapshottable "/var/cache" [ "compress=zstd" "noatime" ]);
|
||||||
|
|
||||||
|
# swap.swapfile.size = "4G";
|
||||||
|
mountpoint = "/";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
swap = {
|
||||||
|
name = "swap";
|
||||||
|
label = "swap";
|
||||||
|
start = "-5G";
|
||||||
|
end = "-1G";
|
||||||
|
content.type = "swap";
|
||||||
|
};
|
||||||
|
|
||||||
|
ESP = {
|
||||||
|
name = "ESP";
|
||||||
|
label = "ESP";
|
||||||
|
start = "-1G";
|
||||||
|
end = "100%";
|
||||||
|
type = "EF00";
|
||||||
|
content = {
|
||||||
|
type = "filesystem";
|
||||||
|
format = "vfat";
|
||||||
|
mountpoint = "/boot";
|
||||||
|
mountOptions = [ "umask=0077" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -13,21 +13,6 @@
|
|||||||
boot.kernelModules = [ ];
|
boot.kernelModules = [ ];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
fileSystems."/" =
|
|
||||||
{ device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
|
|
||||||
fsType = "btrfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/boot" =
|
|
||||||
{ device = "/dev/disk/by-uuid/86CD-4C23";
|
|
||||||
fsType = "vfat";
|
|
||||||
options = [ "fmask=0077" "dmask=0077" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
swapDevices =
|
|
||||||
[ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
|
|
||||||
];
|
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
|||||||
@@ -10,6 +10,59 @@ in
|
|||||||
catppuccin = pkgs.gitea-theme-catppuccin;
|
catppuccin = pkgs.gitea-theme-catppuccin;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.gitea.settings = {
|
||||||
|
ui = {
|
||||||
|
DEFAULT_THEME = "gitea-auto";
|
||||||
|
REACTIONS = lib.concatStringsSep "," [
|
||||||
|
"+1"
|
||||||
|
"-1"
|
||||||
|
"laugh"
|
||||||
|
"confused"
|
||||||
|
"heart"
|
||||||
|
"hooray"
|
||||||
|
"rocket"
|
||||||
|
"eyes"
|
||||||
|
"100"
|
||||||
|
"anger"
|
||||||
|
"astonished"
|
||||||
|
"no_good"
|
||||||
|
"ok_hand"
|
||||||
|
"pensive"
|
||||||
|
"pizza"
|
||||||
|
"point_up"
|
||||||
|
"sob"
|
||||||
|
"skull"
|
||||||
|
"upside_down_face"
|
||||||
|
"shrug"
|
||||||
|
"huh"
|
||||||
|
"bruh"
|
||||||
|
"okiedokie"
|
||||||
|
"grr"
|
||||||
|
];
|
||||||
|
|
||||||
|
CUSTOM_EMOJIS = lib.concatStringsSep "," [
|
||||||
|
"bruh"
|
||||||
|
"grr"
|
||||||
|
"huh"
|
||||||
|
"ohyeah"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
"ui.meta" = {
|
||||||
|
AUTHOR = "Programvareverkstedet";
|
||||||
|
DESCRIPTION = "Bokstavelig talt programvareverkstedet";
|
||||||
|
KEYWORDS = lib.concatStringsSep "," [
|
||||||
|
"git"
|
||||||
|
"hackerspace"
|
||||||
|
"nix"
|
||||||
|
"open source"
|
||||||
|
"foss"
|
||||||
|
"organization"
|
||||||
|
"software"
|
||||||
|
"student"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
systemd.services.gitea-customization = lib.mkIf cfg.enable {
|
systemd.services.gitea-customization = lib.mkIf cfg.enable {
|
||||||
description = "Install extra customization in gitea's CUSTOM_DIR";
|
description = "Install extra customization in gitea's CUSTOM_DIR";
|
||||||
wantedBy = [ "gitea.service" ];
|
wantedBy = [ "gitea.service" ];
|
||||||
@@ -46,18 +99,23 @@ in
|
|||||||
];
|
];
|
||||||
} ''
|
} ''
|
||||||
# Bigger icons
|
# Bigger icons
|
||||||
install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
|
install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl"
|
||||||
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
|
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
|
||||||
'';
|
'';
|
||||||
in ''
|
in ''
|
||||||
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
|
install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'
|
||||||
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
|
install -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'
|
||||||
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
|
install -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'
|
||||||
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
|
install -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'
|
||||||
install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
|
install -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'
|
||||||
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
|
install -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'
|
||||||
|
|
||||||
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
|
install -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'
|
||||||
|
install -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'
|
||||||
|
install -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'
|
||||||
|
install -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'
|
||||||
|
|
||||||
|
'${lib.getExe pkgs.rsync}' -a '${customTemplates}/' '${cfg.customDir}/templates/'
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
Binary file not shown.
|
After Width: | Height: | Size: 7.3 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 28 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 206 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 145 KiB |
@@ -83,11 +83,24 @@ in {
|
|||||||
AUTO_WATCH_NEW_REPOS = false;
|
AUTO_WATCH_NEW_REPOS = false;
|
||||||
};
|
};
|
||||||
admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
|
admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
|
||||||
session.COOKIE_SECURE = true;
|
|
||||||
security = {
|
security = {
|
||||||
SECRET_KEY = lib.mkForce "";
|
SECRET_KEY = lib.mkForce "";
|
||||||
SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
|
SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
|
||||||
};
|
};
|
||||||
|
cache = {
|
||||||
|
ADAPTER = "redis";
|
||||||
|
HOST = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=0";
|
||||||
|
ITEM_TTL = "72h";
|
||||||
|
};
|
||||||
|
session = {
|
||||||
|
COOKIE_SECURE = true;
|
||||||
|
PROVIDER = "redis";
|
||||||
|
PROVIDER_CONFIG = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=1";
|
||||||
|
};
|
||||||
|
queue = {
|
||||||
|
TYPE = "redis";
|
||||||
|
CONN_STR = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=2";
|
||||||
|
};
|
||||||
database.LOG_SQL = false;
|
database.LOG_SQL = false;
|
||||||
repository = {
|
repository = {
|
||||||
PREFERRED_LICENSES = lib.concatStringsSep "," [
|
PREFERRED_LICENSES = lib.concatStringsSep "," [
|
||||||
@@ -118,41 +131,14 @@ in {
|
|||||||
"repo.pulls"
|
"repo.pulls"
|
||||||
"repo.releases"
|
"repo.releases"
|
||||||
];
|
];
|
||||||
|
ALLOW_FORK_INTO_SAME_OWNER = true;
|
||||||
};
|
};
|
||||||
picture = {
|
picture = {
|
||||||
DISABLE_GRAVATAR = true;
|
|
||||||
ENABLE_FEDERATED_AVATAR = false;
|
|
||||||
|
|
||||||
AVATAR_MAX_FILE_SIZE = 1024 * 1024 * 5;
|
AVATAR_MAX_FILE_SIZE = 1024 * 1024 * 5;
|
||||||
# NOTE: go any bigger than this, and gitea will freeze your gif >:(
|
# NOTE: go any bigger than this, and gitea will freeze your gif >:(
|
||||||
AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
|
AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
|
||||||
};
|
};
|
||||||
actions.ENABLED = true;
|
actions.ENABLED = true;
|
||||||
ui = {
|
|
||||||
REACTIONS = lib.concatStringsSep "," [
|
|
||||||
"+1"
|
|
||||||
"-1"
|
|
||||||
"laugh"
|
|
||||||
"confused"
|
|
||||||
"heart"
|
|
||||||
"hooray"
|
|
||||||
"rocket"
|
|
||||||
"eyes"
|
|
||||||
"100"
|
|
||||||
"anger"
|
|
||||||
"astonished"
|
|
||||||
"no_good"
|
|
||||||
"ok_hand"
|
|
||||||
"pensive"
|
|
||||||
"pizza"
|
|
||||||
"point_up"
|
|
||||||
"sob"
|
|
||||||
"skull"
|
|
||||||
"upside_down_face"
|
|
||||||
"shrug"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
"ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
dump = {
|
dump = {
|
||||||
@@ -164,12 +150,26 @@ in {
|
|||||||
|
|
||||||
environment.systemPackages = [ cfg.package ];
|
environment.systemPackages = [ cfg.package ];
|
||||||
|
|
||||||
systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch";
|
systemd.services.gitea = lib.mkIf cfg.enable {
|
||||||
|
wants = [ "redis-gitea.service" ];
|
||||||
|
after = [ "redis-gitea.service" ];
|
||||||
|
|
||||||
systemd.services.gitea.serviceConfig.CacheDirectory = "gitea/repo-archive";
|
serviceConfig = {
|
||||||
systemd.services.gitea.serviceConfig.BindPaths = [
|
CPUSchedulingPolicy = "batch";
|
||||||
|
CacheDirectory = "gitea/repo-archive";
|
||||||
|
BindPaths = [
|
||||||
"%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
|
"%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
|
||||||
];
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.redis.servers.gitea = lib.mkIf cfg.enable {
|
||||||
|
enable = true;
|
||||||
|
user = config.services.gitea.user;
|
||||||
|
save = [ ];
|
||||||
|
openFirewall = false;
|
||||||
|
port = 5698;
|
||||||
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."${domain}" = {
|
services.nginx.virtualHosts."${domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
@@ -193,11 +193,131 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
environment.robots-txt."gitea" = {
|
||||||
|
virtualHost = domain;
|
||||||
|
rules = [
|
||||||
|
{
|
||||||
|
pre_comment = ''
|
||||||
|
Gitea internals
|
||||||
|
|
||||||
|
See these for more information:
|
||||||
|
- https://gitea.com/robots.txt
|
||||||
|
- https://codeberg.org/robots.txt
|
||||||
|
'';
|
||||||
|
User-agent = "*";
|
||||||
|
Disallow = [
|
||||||
|
"/api/*"
|
||||||
|
"/avatars"
|
||||||
|
"/*/*/src/commit/*"
|
||||||
|
"/*/*/commit/*"
|
||||||
|
"/*/*/*/refs/*"
|
||||||
|
"/*/*/*/star"
|
||||||
|
"/*/*/*/watch"
|
||||||
|
"/*/*/labels"
|
||||||
|
"/*/*/activity/*"
|
||||||
|
"/vendor/*"
|
||||||
|
"/swagger.*.json"
|
||||||
|
"/repo/create"
|
||||||
|
"/repo/migrate"
|
||||||
|
"/org/create"
|
||||||
|
"/*/*/fork"
|
||||||
|
"/*/*/watchers"
|
||||||
|
"/*/*/stargazers"
|
||||||
|
"/*/*/forks"
|
||||||
|
"*/.git/"
|
||||||
|
"/*.git"
|
||||||
|
"/*.atom"
|
||||||
|
"/*.rss"
|
||||||
|
];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
pre_comment = "Language Spam";
|
||||||
|
Disallow = "/*?lang=";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
pre_comment = ''
|
||||||
|
AI bots
|
||||||
|
|
||||||
|
Sourced from:
|
||||||
|
- https://www.vg.no/robots.txt
|
||||||
|
- https://codeberg.org/robots.txt
|
||||||
|
'';
|
||||||
|
User-agent = [
|
||||||
|
"AI2Bot"
|
||||||
|
"Ai2Bot-Dolma"
|
||||||
|
"Amazonbot"
|
||||||
|
"Applebot-Extended"
|
||||||
|
"Bytespider"
|
||||||
|
"CCBot"
|
||||||
|
"ChatGPT-User"
|
||||||
|
"Claude-Web"
|
||||||
|
"ClaudeBot"
|
||||||
|
"Crawlspace"
|
||||||
|
"Diffbot"
|
||||||
|
"FacebookBot"
|
||||||
|
"FriendlyCrawler"
|
||||||
|
"GPTBot"
|
||||||
|
"Google-Extended"
|
||||||
|
"ICC-Crawler"
|
||||||
|
"ImagesiftBot"
|
||||||
|
"Kangaroo Bot"
|
||||||
|
"Meta-ExternalAgent"
|
||||||
|
"OAI-SearchBot"
|
||||||
|
"Omgili"
|
||||||
|
"Omgilibot"
|
||||||
|
"PanguBot"
|
||||||
|
"PerplexityBot"
|
||||||
|
"PetalBot"
|
||||||
|
"Scrapy"
|
||||||
|
"SemrushBot-OCOB"
|
||||||
|
"Sidetrade indexer bot"
|
||||||
|
"Timpibot"
|
||||||
|
"VelenPublicWebCrawler"
|
||||||
|
"Webzio-Extended"
|
||||||
|
"YouBot"
|
||||||
|
"anthropic-ai"
|
||||||
|
"cohere-ai"
|
||||||
|
"cohere-training-data-crawler"
|
||||||
|
"facebookexternalhit"
|
||||||
|
"iaskspider/2.0"
|
||||||
|
"img2dataset"
|
||||||
|
"meta-externalagent"
|
||||||
|
"omgili"
|
||||||
|
"omgilibot"
|
||||||
|
];
|
||||||
|
Disallow = "/";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
Crawl-delay = "2";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
Sitemap = "https://${domain}/sitemap.xml";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ sshPort ];
|
networking.firewall.allowedTCPPorts = [ sshPort ];
|
||||||
|
|
||||||
|
services.rsync-pull-targets = {
|
||||||
|
enable = true;
|
||||||
|
locations.${cfg.dump.backupDir} = {
|
||||||
|
user = "root";
|
||||||
|
rrsyncArgs.ro = true;
|
||||||
|
authorizedKeysAttrs = [
|
||||||
|
"restrict"
|
||||||
|
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
|
||||||
|
"no-agent-forwarding"
|
||||||
|
"no-port-forwarding"
|
||||||
|
"no-pty"
|
||||||
|
"no-X11-forwarding"
|
||||||
|
];
|
||||||
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpMVrOppyqYaDiAhqmAuOaRsubFvcQGBGyz+NHB6+0o gitea rsync backup";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
systemd.services.gitea-dump = {
|
systemd.services.gitea-dump = {
|
||||||
serviceConfig.ExecStart = let
|
serviceConfig.ExecStart = let
|
||||||
args = lib.cli.toGNUCommandLineShell { } {
|
args = lib.cli.toCommandLineShellGNU { } {
|
||||||
type = cfg.dump.type;
|
type = cfg.dump.type;
|
||||||
|
|
||||||
# This should be declarative on nixos, no need to backup.
|
# This should be declarative on nixos, no need to backup.
|
||||||
@@ -209,16 +329,11 @@ in {
|
|||||||
# Logs are stored in the systemd journal
|
# Logs are stored in the systemd journal
|
||||||
skip-log = true;
|
skip-log = true;
|
||||||
};
|
};
|
||||||
in lib.mkForce "${lib.getExe cfg.package} ${args}";
|
in lib.mkForce "${lib.getExe cfg.package} dump ${args}";
|
||||||
|
|
||||||
# Only keep n backup files at a time
|
# Only keep a single backup file at a time.
|
||||||
postStop = let
|
postStop = ''
|
||||||
cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
|
${lib.getExe' pkgs.coreutils "mv"} '${cfg.dump.backupDir}'/gitea-dump-*.tar.gz gitea-dump.tar.gz
|
||||||
backupCount = 3;
|
|
||||||
in ''
|
|
||||||
for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
|
|
||||||
${cu "rm"} "$file"
|
|
||||||
done
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -28,7 +28,7 @@ in
|
|||||||
users.users."gitea-web" = {
|
users.users."gitea-web" = {
|
||||||
group = "gitea-web";
|
group = "gitea-web";
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
shell = pkgs.bash;
|
useDefaultShell = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
sops.secrets."gitea/web-secret-provider/token" = {
|
sops.secrets."gitea/web-secret-provider/token" = {
|
||||||
@@ -53,7 +53,7 @@ in
|
|||||||
Slice = "system-giteaweb.slice";
|
Slice = "system-giteaweb.slice";
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
ExecStart = let
|
ExecStart = let
|
||||||
args = lib.cli.toGNUCommandLineShell { } {
|
args = lib.cli.toCommandLineShellGNU { } {
|
||||||
org = "%i";
|
org = "%i";
|
||||||
token-path = "%d/token";
|
token-path = "%d/token";
|
||||||
api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
|
api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
|
||||||
|
|||||||
@@ -1,20 +1,13 @@
|
|||||||
{ fp, values, lupineName, ... }:
|
{ fp, values, lib, lupineName, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration/${lupineName}.nix
|
./hardware-configuration/${lupineName}.nix
|
||||||
|
|
||||||
(fp /base)
|
(fp /base)
|
||||||
|
|
||||||
./services/gitea-runner.nix
|
./services/gitea-runner.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
|
sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
||||||
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
|
||||||
sops.age.generateKey = true;
|
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
|
||||||
|
|
||||||
systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
|
systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
|
||||||
matchConfig.Name = "enp0s31f6";
|
matchConfig.Name = "enp0s31f6";
|
||||||
@@ -28,7 +21,7 @@
|
|||||||
# There are no smart devices
|
# There are no smart devices
|
||||||
services.smartd.enable = false;
|
services.smartd.enable = false;
|
||||||
|
|
||||||
# Do not change, even during upgrades.
|
# Don't change (even during upgrades) unless you know what you are doing.
|
||||||
# See https://search.nixos.org/options?show=system.stateVersion
|
# See https://search.nixos.org/options?show=system.stateVersion
|
||||||
system.stateVersion = "25.05";
|
system.stateVersion = "25.05";
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -14,27 +14,28 @@
|
|||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" =
|
||||||
{ device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
|
{ device = "/dev/disk/by-uuid/e88adbb7-de01-4f9b-b338-fffed743c259";
|
||||||
fsType = "ext4";
|
fsType = "btrfs";
|
||||||
|
options = [ "subvol=@root" "compress=zstd" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nix" =
|
||||||
|
{ device = "/dev/disk/by-uuid/e88adbb7-de01-4f9b-b338-fffed743c259";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [ "subvol=@nix" "compress=zstd" "noatime" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{ device = "/dev/disk/by-uuid/81D6-38D3";
|
{ device = "/dev/disk/by-uuid/81D6-38D3";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
options = [ "fmask=0077" "dmask=0077" ];
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices =
|
swapDevices =
|
||||||
[ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
|
[ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
|
||||||
];
|
];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
|
||||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
|
||||||
networking.useDHCP = lib.mkDefault true;
|
|
||||||
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
|
|
||||||
|
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -14,27 +14,27 @@
|
|||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" =
|
||||||
{ device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0";
|
{ device = "/dev/disk/by-uuid/ab2e1a13-8e95-48d8-970c-64fa2fab52d0";
|
||||||
fsType = "ext4";
|
fsType = "btrfs";
|
||||||
|
options = [ "subvol=@root" "compress=zstd" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nix" =
|
||||||
|
{ device = "/dev/disk/by-uuid/ab2e1a13-8e95-48d8-970c-64fa2fab52d0";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [ "subvol=@nix" "noatime" "compress=zstd" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{ device = "/dev/disk/by-uuid/4A34-6AE5";
|
{ device = "/dev/disk/by-uuid/4A34-6AE5";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
options = [ "fmask=0077" "dmask=0077" ];
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices =
|
swapDevices =
|
||||||
[ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
|
[ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
|
||||||
];
|
];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
|
||||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
|
||||||
networking.useDHCP = lib.mkDefault true;
|
|
||||||
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
|
|
||||||
|
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -14,27 +14,28 @@
|
|||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" =
|
||||||
{ device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88";
|
{ device = "/dev/disk/by-uuid/0a5bda7c-af55-4d3d-9135-7f7cbb78004d";
|
||||||
fsType = "ext4";
|
fsType = "btrfs";
|
||||||
|
options = [ "subvol=@root" "compress=zstd" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nix" =
|
||||||
|
{ device = "/dev/disk/by-uuid/0a5bda7c-af55-4d3d-9135-7f7cbb78004d";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [ "subvol=@nix" "noatime" "compress=zstd" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{ device = "/dev/disk/by-uuid/63FA-297B";
|
{ device = "/dev/disk/by-uuid/63FA-297B";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
options = [ "fmask=0077" "dmask=0077" ];
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices =
|
swapDevices =
|
||||||
[ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
|
[ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
|
||||||
];
|
];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
|
||||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
|
||||||
networking.useDHCP = lib.mkDefault true;
|
|
||||||
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
|
|
||||||
|
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -14,21 +14,27 @@
|
|||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" =
|
||||||
{ device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd";
|
{ device = "/dev/disk/by-uuid/fcd51970-f040-4c45-94cf-2b372d4599a2";
|
||||||
fsType = "ext4";
|
fsType = "btrfs";
|
||||||
|
options = [ "subvol=@root" "compress=zstd" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nix" =
|
||||||
|
{ device = "/dev/disk/by-uuid/fcd51970-f040-4c45-94cf-2b372d4599a2";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [ "subvol=@nix" "noatime" "compress=zstd" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/A22E-E41A";
|
||||||
|
fsType = "vfat";
|
||||||
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices =
|
swapDevices =
|
||||||
[ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
|
[ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
|
||||||
];
|
];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
|
||||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
|
||||||
networking.useDHCP = lib.mkDefault true;
|
|
||||||
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
|
|
||||||
|
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -14,27 +14,27 @@
|
|||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" =
|
||||||
{ device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343";
|
{ device = "/dev/disk/by-uuid/85830e14-e2c8-4f04-95fa-d6ab22840bc7";
|
||||||
fsType = "ext4";
|
fsType = "btrfs";
|
||||||
|
options = [ "subvol=@root" "compress=zstd" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nix" =
|
||||||
|
{ device = "/dev/disk/by-uuid/85830e14-e2c8-4f04-95fa-d6ab22840bc7";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [ "subvol=@nix" "noatime" "compress=zstd" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{ device = "/dev/disk/by-uuid/F372-37DF";
|
{ device = "/dev/disk/by-uuid/F372-37DF";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
options = [ "fmask=0077" "dmask=0077" ];
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices =
|
swapDevices =
|
||||||
[ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
|
[ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
|
||||||
];
|
];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
|
||||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
|
||||||
networking.useDHCP = lib.mkDefault true;
|
|
||||||
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
|
|
||||||
|
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -39,17 +39,22 @@
|
|||||||
"debian-bullseye-slim:docker://node:current-bullseye-slim"
|
"debian-bullseye-slim:docker://node:current-bullseye-slim"
|
||||||
|
|
||||||
"alpine-latest:docker://node:current-alpine"
|
"alpine-latest:docker://node:current-alpine"
|
||||||
|
"alpine-3.23:docker://node:current-alpine3.23"
|
||||||
"alpine-3.22:docker://node:current-alpine3.22"
|
"alpine-3.22:docker://node:current-alpine3.22"
|
||||||
"alpine-3.21:docker://node:current-alpine3.21"
|
"alpine-3.21:docker://node:current-alpine3.21"
|
||||||
|
|
||||||
# See https://gitea.com/gitea/runner-images
|
# See https://gitea.com/gitea/runner-images
|
||||||
"ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
|
"ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
|
||||||
|
"ubuntu-26.04:docker://docker.gitea.com/runner-images:ubuntu-26.04"
|
||||||
|
"ubuntu-resolute:docker://docker.gitea.com/runner-images:ubuntu-26.04"
|
||||||
"ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04"
|
"ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04"
|
||||||
"ubuntu-noble:docker://docker.gitea.com/runner-images:ubuntu-24.04"
|
"ubuntu-noble:docker://docker.gitea.com/runner-images:ubuntu-24.04"
|
||||||
"ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
|
"ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
|
||||||
"ubuntu-jammy:docker://docker.gitea.com/runner-images:ubuntu-22.04"
|
"ubuntu-jammy:docker://docker.gitea.com/runner-images:ubuntu-22.04"
|
||||||
|
|
||||||
"ubuntu-latest-slim:docker://docker.gitea.com/runner-images:ubuntu-latest-slim"
|
"ubuntu-latest-slim:docker://docker.gitea.com/runner-images:ubuntu-latest-slim"
|
||||||
|
"ubuntu-26.04-slim:docker://docker.gitea.com/runner-images:ubuntu-26.04-slim"
|
||||||
|
"ubuntu-resolute-slim:docker://docker.gitea.com/runner-images:ubuntu-26.04-slim"
|
||||||
"ubuntu-24.04-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
|
"ubuntu-24.04-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
|
||||||
"ubuntu-noble-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
|
"ubuntu-noble-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
|
||||||
"ubuntu-22.04-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim"
|
"ubuntu-22.04-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim"
|
||||||
|
|||||||
@@ -6,33 +6,14 @@
|
|||||||
(fp /base)
|
(fp /base)
|
||||||
];
|
];
|
||||||
|
|
||||||
sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
|
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
||||||
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
|
||||||
sops.age.generateKey = true;
|
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
|
||||||
|
|
||||||
networking.hostName = "shark"; # Define your hostname.
|
|
||||||
|
|
||||||
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
|
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
|
||||||
matchConfig.Name = "ens18";
|
matchConfig.Name = "ens18";
|
||||||
address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# List packages installed in system profile
|
services.qemuGuest.enable = true;
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
];
|
|
||||||
|
|
||||||
# List services that you want to enable:
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
|
||||||
# settings for stateful data, like file locations and database versions
|
|
||||||
# on your system were taken. It's perfectly fine and recommended to leave
|
|
||||||
# this value at the release version of the first install of this system.
|
|
||||||
# Before changing this value read the documentation for this option
|
|
||||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
|
||||||
system.stateVersion = "23.05"; # Did you read the comment?
|
|
||||||
|
|
||||||
|
# Don't change (even during upgrades) unless you know what you are doing.
|
||||||
|
# See https://search.nixos.org/options?show=system.stateVersion
|
||||||
|
system.stateVersion = "25.11";
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -0,0 +1,63 @@
|
|||||||
|
{
|
||||||
|
fp,
|
||||||
|
lib,
|
||||||
|
config,
|
||||||
|
values,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
# Include the results of the hardware scan.
|
||||||
|
./hardware-configuration.nix
|
||||||
|
./disk-config.nix
|
||||||
|
(fp /base)
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.consoleLogLevel = 0;
|
||||||
|
|
||||||
|
sops.defaultSopsFile = fp /secrets/skrot/skrot.yaml;
|
||||||
|
|
||||||
|
systemd.network.networks."enp2s0" = values.defaultNetworkConfig // {
|
||||||
|
matchConfig.Name = "enp2s0";
|
||||||
|
address = with values.hosts.skrot; [
|
||||||
|
(ipv4 + "/25")
|
||||||
|
(ipv6 + "/64")
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
sops.secrets = {
|
||||||
|
"dibbler/postgresql/password" = {
|
||||||
|
owner = "dibbler";
|
||||||
|
group = "dibbler";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.dibbler = {
|
||||||
|
enable = true;
|
||||||
|
kioskMode = true;
|
||||||
|
limitScreenWidth = 80;
|
||||||
|
limitScreenHeight = 42;
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
general.quit_allowed = false;
|
||||||
|
database = {
|
||||||
|
type = "postgresql";
|
||||||
|
postgresql = {
|
||||||
|
username = "pvv_vv";
|
||||||
|
dbname = "pvv_vv";
|
||||||
|
host = "postgres.pvv.ntnu.no";
|
||||||
|
password_file = config.sops.secrets."dibbler/postgresql/password".path;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
|
||||||
|
enable = true;
|
||||||
|
wantedBy = [ "getty.target" ]; # to start at boot
|
||||||
|
serviceConfig.Restart = "always"; # restart when session is closed
|
||||||
|
};
|
||||||
|
|
||||||
|
system.stateVersion = "25.11"; # Did you read the comment? Nah bro
|
||||||
|
}
|
||||||
@@ -0,0 +1,41 @@
|
|||||||
|
{
|
||||||
|
disko.devices = {
|
||||||
|
disk = {
|
||||||
|
main = {
|
||||||
|
device = "/dev/sda";
|
||||||
|
type = "disk";
|
||||||
|
content = {
|
||||||
|
type = "gpt";
|
||||||
|
partitions = {
|
||||||
|
ESP = {
|
||||||
|
type = "EF00";
|
||||||
|
size = "1G";
|
||||||
|
content = {
|
||||||
|
type = "filesystem";
|
||||||
|
format = "vfat";
|
||||||
|
mountpoint = "/boot";
|
||||||
|
mountOptions = [ "umask=0077" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
plainSwap = {
|
||||||
|
size = "8G";
|
||||||
|
content = {
|
||||||
|
type = "swap";
|
||||||
|
discardPolicy = "both";
|
||||||
|
resumeDevice = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
root = {
|
||||||
|
size = "100%";
|
||||||
|
content = {
|
||||||
|
type = "filesystem";
|
||||||
|
format = "ext4";
|
||||||
|
mountpoint = "/";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -0,0 +1,15 @@
|
|||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ "kvm-amd" ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
}
|
||||||
@@ -1,73 +0,0 @@
|
|||||||
{ config, pkgs, lib, fp, ... }: {
|
|
||||||
imports = [
|
|
||||||
# ./hardware-configuration.nix
|
|
||||||
|
|
||||||
(fp /base)
|
|
||||||
];
|
|
||||||
|
|
||||||
boot = {
|
|
||||||
consoleLogLevel = 0;
|
|
||||||
enableContainers = false;
|
|
||||||
loader.grub.enable = false;
|
|
||||||
kernelPackages = pkgs.linuxPackages;
|
|
||||||
};
|
|
||||||
|
|
||||||
# Now turn off a bunch of stuff lol
|
|
||||||
system.autoUpgrade.enable = lib.mkForce false;
|
|
||||||
services.irqbalance.enable = lib.mkForce false;
|
|
||||||
services.logrotate.enable = lib.mkForce false;
|
|
||||||
services.nginx.enable = lib.mkForce false;
|
|
||||||
services.postfix.enable = lib.mkForce false;
|
|
||||||
|
|
||||||
# TODO: can we reduce further?
|
|
||||||
|
|
||||||
system.stateVersion = "25.05";
|
|
||||||
|
|
||||||
sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
|
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
||||||
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
|
||||||
sops.age.generateKey = true;
|
|
||||||
|
|
||||||
sops.secrets = {
|
|
||||||
"dibbler/postgresql/url" = {
|
|
||||||
owner = "dibbler";
|
|
||||||
group = "dibbler";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# zramSwap.enable = true;
|
|
||||||
|
|
||||||
networking = {
|
|
||||||
hostName = "skrot";
|
|
||||||
interfaces.eth0 = {
|
|
||||||
useDHCP = false;
|
|
||||||
ipv4.addresses = [{
|
|
||||||
address = "129.241.210.235";
|
|
||||||
prefixLength = 25;
|
|
||||||
}];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.dibbler = {
|
|
||||||
enable = true;
|
|
||||||
kioskMode = true;
|
|
||||||
limitScreenWidth = 80;
|
|
||||||
limitScreenHeight = 42;
|
|
||||||
|
|
||||||
settings = {
|
|
||||||
general.quit_allowed = false;
|
|
||||||
database.url = config.sops.secrets."dibbler/postgresql/url".path;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# https://github.com/NixOS/nixpkgs/issues/84105
|
|
||||||
boot.kernelParams = [
|
|
||||||
"console=ttyUSB0,9600"
|
|
||||||
# "console=tty1" # Already part of the module
|
|
||||||
];
|
|
||||||
systemd.services."serial-getty@ttyUSB0" = {
|
|
||||||
enable = true;
|
|
||||||
wantedBy = [ "getty.target" ]; # to start at boot
|
|
||||||
serviceConfig.Restart = "always"; # restart when session is closed
|
|
||||||
};
|
|
||||||
}
|
|
||||||
@@ -6,34 +6,19 @@
|
|||||||
(fp /base)
|
(fp /base)
|
||||||
|
|
||||||
./services/nfs-mounts.nix
|
./services/nfs-mounts.nix
|
||||||
|
./services/userweb
|
||||||
];
|
];
|
||||||
|
|
||||||
# sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
|
|
||||||
# sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
||||||
# sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
|
||||||
# sops.age.generateKey = true;
|
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
|
||||||
|
|
||||||
networking.hostName = "temmie"; # Define your hostname.
|
|
||||||
|
|
||||||
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
|
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
|
||||||
matchConfig.Name = "ens18";
|
matchConfig.Name = "ens18";
|
||||||
address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# List packages installed in system profile
|
services.nginx.enable = false;
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
];
|
|
||||||
|
|
||||||
# List services that you want to enable:
|
services.qemuGuest.enable = true;
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# Don't change (even during upgrades) unless you know what you are doing.
|
||||||
# settings for stateful data, like file locations and database versions
|
# See https://search.nixos.org/options?show=system.stateVersion
|
||||||
# on your system were taken. It's perfectly fine and recommended to leave
|
system.stateVersion = "25.11";
|
||||||
# this value at the release version of the first install of this system.
|
|
||||||
# Before changing this value read the documentation for this option
|
|
||||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
|
||||||
system.stateVersion = "25.11"; # Did you read the comment?
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,21 +1,57 @@
|
|||||||
{ pkgs, lib, ... }:
|
{ lib, values, ... }:
|
||||||
{
|
let
|
||||||
fileSystems = let
|
|
||||||
# See microbel:/etc/exports
|
# See microbel:/etc/exports
|
||||||
shorthandAreas = lib.listToAttrs (map
|
letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
|
||||||
(l: lib.nameValuePair "/run/pvv-home-mounts/${l}" "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}")
|
in
|
||||||
[ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ]);
|
{
|
||||||
in { }
|
systemd.targets."pvv-homedirs" = {
|
||||||
//
|
description = "PVV Homedir Partitions";
|
||||||
(lib.mapAttrs (_: device: {
|
};
|
||||||
inherit device;
|
|
||||||
fsType = "nfs";
|
systemd.mounts = map (l: {
|
||||||
options = [
|
description = "PVV Homedir Partition ${l}";
|
||||||
|
|
||||||
|
before = [ "remote-fs.target" ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
requiredBy = [ "pvv-homedirs.target" ];
|
||||||
|
|
||||||
|
type = "nfs";
|
||||||
|
what = "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}";
|
||||||
|
where = "/run/pvv-home-mounts/${l}";
|
||||||
|
|
||||||
|
options = lib.concatStringsSep "," [
|
||||||
"nfsvers=3"
|
"nfsvers=3"
|
||||||
"noauto"
|
|
||||||
|
# NOTE: this is a bit unfortunate. The address above seems to resolve to IPv6 sometimes,
|
||||||
|
# and it doesn't seem possible to specify proto=tcp,tcp6, meaning we have to tell
|
||||||
|
# NFS which exact address to use here, despite it being specified in the `what` attr :\
|
||||||
"proto=tcp"
|
"proto=tcp"
|
||||||
"x-systemd.automount"
|
"addr=${values.hosts.microbel.ipv4}"
|
||||||
"x-systemd.idle-timeout=300"
|
"mountproto=tcp"
|
||||||
|
"mounthost=${values.hosts.microbel.ipv4}"
|
||||||
|
"port=2049"
|
||||||
|
|
||||||
|
# NOTE: this is yet more unfortunate. When enabling locking, it will sometimes complain about connection failed.
|
||||||
|
# dmesg(1) reveals that it has something to do with registering the lockdv1 RPC service (errno: 111), not
|
||||||
|
# quite sure how to fix it. Living life on dangerous mode for now.
|
||||||
|
"nolock"
|
||||||
|
|
||||||
|
# Don't wait on every read/write
|
||||||
|
"async"
|
||||||
|
|
||||||
|
# Always keep mounted
|
||||||
|
"noauto"
|
||||||
|
|
||||||
|
# We don't want to update access time constantly
|
||||||
|
"noatime"
|
||||||
|
|
||||||
|
# No SUID/SGID, no special devices
|
||||||
|
"nosuid"
|
||||||
|
"nodev"
|
||||||
|
|
||||||
|
# TODO: are there cgi scripts that modify stuff in peoples homedirs?
|
||||||
|
# "ro"
|
||||||
|
"rw"
|
||||||
];
|
];
|
||||||
}) shorthandAreas);
|
}) letters;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -0,0 +1,352 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.httpd;
|
||||||
|
|
||||||
|
homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
|
||||||
|
|
||||||
|
phpOptions = lib.concatStringsSep "\n" (lib.mapAttrsToList (k: v: "${k} = ${v}"){
|
||||||
|
display_errors = "Off";
|
||||||
|
display_startup_errors = "Off";
|
||||||
|
post_max_size = "40M";
|
||||||
|
upload_max_filesize = "40M";
|
||||||
|
});
|
||||||
|
|
||||||
|
# https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
|
||||||
|
phpEnv = pkgs.php.buildEnv {
|
||||||
|
extensions = { all, ... }: with all; [
|
||||||
|
bz2
|
||||||
|
curl
|
||||||
|
decimal
|
||||||
|
gd
|
||||||
|
imagick
|
||||||
|
mysqli
|
||||||
|
mysqlnd
|
||||||
|
pgsql
|
||||||
|
posix
|
||||||
|
protobuf sqlite3
|
||||||
|
uuid
|
||||||
|
xml
|
||||||
|
xsl
|
||||||
|
zlib
|
||||||
|
zstd
|
||||||
|
|
||||||
|
pdo
|
||||||
|
pdo_mysql
|
||||||
|
pdo_pgsql
|
||||||
|
pdo_sqlite
|
||||||
|
];
|
||||||
|
|
||||||
|
extraConfig = phpOptions;
|
||||||
|
};
|
||||||
|
|
||||||
|
perlEnv = pkgs.perl.withPackages (ps: with ps; [
|
||||||
|
pkgs.exiftool
|
||||||
|
pkgs.ikiwiki
|
||||||
|
pkgs.irssi
|
||||||
|
pkgs.nix.libs.nix-perl-bindings
|
||||||
|
|
||||||
|
CGI
|
||||||
|
DBDPg
|
||||||
|
DBDSQLite
|
||||||
|
DBDmysql
|
||||||
|
DBI
|
||||||
|
Git
|
||||||
|
ImageMagick
|
||||||
|
JSON
|
||||||
|
TemplateToolkit
|
||||||
|
]);
|
||||||
|
|
||||||
|
# https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
|
||||||
|
pythonEnv = pkgs.python3.buildEnv.override {
|
||||||
|
extraLibs = with pkgs.python3Packages; [
|
||||||
|
legacy-cgi
|
||||||
|
|
||||||
|
matplotlib
|
||||||
|
requests
|
||||||
|
];
|
||||||
|
ignoreCollisions = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
sendmailWrapper = pkgs.writeShellApplication {
|
||||||
|
name = "sendmail";
|
||||||
|
runtimeInputs = [ ];
|
||||||
|
text = ''
|
||||||
|
args=("$@")
|
||||||
|
|
||||||
|
if [[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]; then
|
||||||
|
# Prepend -fusername to the argument list, so bounces go to the user
|
||||||
|
args=("-f$USERDIR_USER" "''${args[@]}")
|
||||||
|
fi
|
||||||
|
|
||||||
|
exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
|
||||||
|
fhsEnv = pkgs.buildEnv {
|
||||||
|
name = "userweb-env";
|
||||||
|
ignoreCollisions = true;
|
||||||
|
paths = with pkgs; [
|
||||||
|
bash
|
||||||
|
|
||||||
|
sendmailWrapper
|
||||||
|
|
||||||
|
perlEnv
|
||||||
|
pythonEnv
|
||||||
|
phpEnv
|
||||||
|
]
|
||||||
|
++ (with phpEnv.packages; [
|
||||||
|
# composer
|
||||||
|
])
|
||||||
|
++ [
|
||||||
|
# Useful packages for homepages
|
||||||
|
exiftool
|
||||||
|
gnuplot
|
||||||
|
ikiwiki-full
|
||||||
|
imagemagick
|
||||||
|
jhead
|
||||||
|
ruby
|
||||||
|
sbcl
|
||||||
|
sourceHighlight
|
||||||
|
|
||||||
|
# Missing packages from tom
|
||||||
|
# blosxom
|
||||||
|
# pyblosxom
|
||||||
|
# mediawiki (TODO: do people host their own mediawikis in userweb?)
|
||||||
|
# nanoblogger
|
||||||
|
|
||||||
|
# Version control
|
||||||
|
cvs
|
||||||
|
rcs
|
||||||
|
git
|
||||||
|
|
||||||
|
# Compression/Archival
|
||||||
|
bzip2
|
||||||
|
gnutar
|
||||||
|
gzip
|
||||||
|
lz4
|
||||||
|
unzip
|
||||||
|
xz
|
||||||
|
zip
|
||||||
|
zstd
|
||||||
|
|
||||||
|
# Other tools you might expect to find on a normal system
|
||||||
|
acl
|
||||||
|
coreutils-full
|
||||||
|
curl
|
||||||
|
diffutils
|
||||||
|
file
|
||||||
|
findutils
|
||||||
|
gawk
|
||||||
|
gnugrep
|
||||||
|
gnumake
|
||||||
|
gnupg
|
||||||
|
gnused
|
||||||
|
less
|
||||||
|
man
|
||||||
|
util-linux
|
||||||
|
vim
|
||||||
|
wget
|
||||||
|
which
|
||||||
|
xdg-utils
|
||||||
|
];
|
||||||
|
|
||||||
|
extraOutputsToInstall = [
|
||||||
|
"man"
|
||||||
|
"doc"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./mail.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
services.httpd = {
|
||||||
|
enable = true;
|
||||||
|
adminAddr = "drift@pvv.ntnu.no";
|
||||||
|
|
||||||
|
# TODO: consider upstreaming systemd support
|
||||||
|
# TODO: mod_log_journald in v2.5
|
||||||
|
package = pkgs.apacheHttpd.overrideAttrs (prev: {
|
||||||
|
nativeBuildInputs = prev.nativeBuildInputs ++ [ pkgs.pkg-config ];
|
||||||
|
buildInputs = prev.buildInputs ++ [ pkgs.systemdLibs ];
|
||||||
|
configureFlags = prev.configureFlags ++ [ "--enable-systemd" ];
|
||||||
|
});
|
||||||
|
|
||||||
|
enablePHP = true;
|
||||||
|
phpPackage = phpEnv;
|
||||||
|
inherit phpOptions;
|
||||||
|
|
||||||
|
enablePerl = true;
|
||||||
|
|
||||||
|
# TODO: mod_log_journald in v2.5
|
||||||
|
extraModules = [
|
||||||
|
"systemd"
|
||||||
|
"userdir"
|
||||||
|
# TODO: I think the compilation steps of pkgs.apacheHttpdPackages.mod_perl might have some
|
||||||
|
# incorrect or restrictive assumptions upstream, either nixpkgs or source
|
||||||
|
# {
|
||||||
|
# name = "perl";
|
||||||
|
# path = let
|
||||||
|
# mod_perl = pkgs.apacheHttpdPackages.mod_perl.override {
|
||||||
|
# apacheHttpd = cfg.package.out;
|
||||||
|
# perl = perlEnv;
|
||||||
|
# };
|
||||||
|
# in "${mod_perl}/modules/mod_perl.so";
|
||||||
|
# }
|
||||||
|
];
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
TraceEnable on
|
||||||
|
LogLevel warn rewrite:trace3
|
||||||
|
ScriptLog ${cfg.logDir}/cgi.log
|
||||||
|
'';
|
||||||
|
|
||||||
|
# virtualHosts."userweb.pvv.ntnu.no" = {
|
||||||
|
virtualHosts."temmie.pvv.ntnu.no" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters}
|
||||||
|
UserDir disabled root
|
||||||
|
AddHandler cgi-script .cgi
|
||||||
|
DirectoryIndex index.html index.html.var index.php index.php3 index.cgi index.phtml index.shtml meg.html
|
||||||
|
SetEnvIf Request_URI "^/~([^/]+)" USERDIR_USER=$1
|
||||||
|
|
||||||
|
<Directory "/home/pvv/?/*/web-docs">
|
||||||
|
Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI IncludesNoExec
|
||||||
|
AllowOverride All
|
||||||
|
Require all granted
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
<DirectoryMatch "^/home/pvv/.*/web-docs/(${lib.concatStringsSep "|" [
|
||||||
|
"\\.git"
|
||||||
|
"\\.hg"
|
||||||
|
"\\.svn"
|
||||||
|
"\\.ssh"
|
||||||
|
"\\.env"
|
||||||
|
"\\.envrc"
|
||||||
|
"\\.bzr"
|
||||||
|
"\\.venv"
|
||||||
|
"CVS"
|
||||||
|
"RCS"
|
||||||
|
".*\\.swp"
|
||||||
|
".*\\.bak"
|
||||||
|
".*~"
|
||||||
|
]})(/|$)">
|
||||||
|
AllowOverride All
|
||||||
|
Require all denied
|
||||||
|
</DirectoryMatch>
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
80
|
||||||
|
443
|
||||||
|
];
|
||||||
|
|
||||||
|
# socket activation comes in v2.5
|
||||||
|
# systemd.sockets.httpd = {
|
||||||
|
# wantedBy = [ "sockets.target" ];
|
||||||
|
# description = "HTTPD socket";
|
||||||
|
# listenStreams = [
|
||||||
|
# "0.0.0.0:80"
|
||||||
|
# "0.0.0.0:443"
|
||||||
|
# ];
|
||||||
|
# };
|
||||||
|
|
||||||
|
systemd.services.httpd = {
|
||||||
|
after = [ "pvv-homedirs.target" ];
|
||||||
|
requires = [ "pvv-homedirs.target" ];
|
||||||
|
|
||||||
|
environment = {
|
||||||
|
PATH = lib.mkForce "/usr/bin";
|
||||||
|
};
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
Type = lib.mkForce "notify";
|
||||||
|
|
||||||
|
ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start";
|
||||||
|
ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful";
|
||||||
|
ExecStop = lib.mkForce "";
|
||||||
|
KillMode = "mixed";
|
||||||
|
|
||||||
|
ConfigurationDirectory = [ "httpd" ];
|
||||||
|
LogsDirectory = [ "httpd" ];
|
||||||
|
LogsDirectoryMode = "0700";
|
||||||
|
|
||||||
|
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
||||||
|
LockPersonality = true;
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateTmp = true;
|
||||||
|
# NOTE: this removes CAP_NET_BIND_SERVICE...
|
||||||
|
# PrivateUsers = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = "tmpfs";
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectSystem = true;
|
||||||
|
RemoveIPC = true;
|
||||||
|
RestrictAddressFamilies = [
|
||||||
|
"AF_INET"
|
||||||
|
"AF_INET6"
|
||||||
|
"AF_UNIX"
|
||||||
|
"AF_NETLINK"
|
||||||
|
];
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
SocketBindDeny = "any";
|
||||||
|
SocketBindAllow = [
|
||||||
|
"tcp:80"
|
||||||
|
"tcp:443"
|
||||||
|
];
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallFilter = [
|
||||||
|
"@system-service"
|
||||||
|
];
|
||||||
|
UMask = "0077";
|
||||||
|
|
||||||
|
RuntimeDirectory = [ "httpd/root-mnt" ];
|
||||||
|
RootDirectory = "/run/httpd/root-mnt";
|
||||||
|
MountAPIVFS = true;
|
||||||
|
BindReadOnlyPaths = [
|
||||||
|
builtins.storeDir
|
||||||
|
"/etc"
|
||||||
|
# NCSD socket
|
||||||
|
"/var/run"
|
||||||
|
"/var/lib/acme"
|
||||||
|
|
||||||
|
"${fhsEnv}/bin:/bin"
|
||||||
|
"${fhsEnv}/sbin:/sbin"
|
||||||
|
"${fhsEnv}/lib:/lib"
|
||||||
|
"${fhsEnv}/share:/share"
|
||||||
|
] ++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") {
|
||||||
|
parent = [
|
||||||
|
"/local"
|
||||||
|
"/opt"
|
||||||
|
"/opt/local"
|
||||||
|
"/store"
|
||||||
|
"/store/gnu"
|
||||||
|
"/usr"
|
||||||
|
"/usr/local"
|
||||||
|
];
|
||||||
|
child = [
|
||||||
|
"/bin"
|
||||||
|
"/sbin"
|
||||||
|
"/lib"
|
||||||
|
"/libexec"
|
||||||
|
"/include"
|
||||||
|
"/share"
|
||||||
|
];
|
||||||
|
});
|
||||||
|
BindPaths = map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") homeLetters;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# TODO: create phpfpm pools with php environments that contain packages similar to those present on tom
|
||||||
|
}
|
||||||
@@ -0,0 +1,12 @@
|
|||||||
|
{ config, lib, ... }:
|
||||||
|
{
|
||||||
|
services.postfix.enable = lib.mkForce false;
|
||||||
|
|
||||||
|
services.nullmailer = {
|
||||||
|
enable = true;
|
||||||
|
config = {
|
||||||
|
me = config.networking.fqdn;
|
||||||
|
remotes = "mail.pvv.ntnu.no smtp --port=25";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -1,43 +0,0 @@
|
|||||||
{ config, fp, pkgs, lib, values, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
(fp /base)
|
|
||||||
|
|
||||||
./services/gitea-runners.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml;
|
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
||||||
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
|
||||||
sops.age.generateKey = true;
|
|
||||||
|
|
||||||
networking.hostName = "ustetind";
|
|
||||||
|
|
||||||
networking.useHostResolvConf = lib.mkForce false;
|
|
||||||
|
|
||||||
systemd.network.networks = {
|
|
||||||
"30-lxc-eth" = values.defaultNetworkConfig // {
|
|
||||||
matchConfig = {
|
|
||||||
Type = "ether";
|
|
||||||
Kind = "veth";
|
|
||||||
Name = [
|
|
||||||
"eth*"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
address = with values.hosts.ustetind; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
|
||||||
};
|
|
||||||
"40-podman-veth" = values.defaultNetworkConfig // {
|
|
||||||
matchConfig = {
|
|
||||||
Type = "ether";
|
|
||||||
Kind = "veth";
|
|
||||||
Name = [
|
|
||||||
"veth*"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
DHCP = "yes";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
system.stateVersion = "24.11";
|
|
||||||
}
|
|
||||||
@@ -1,41 +0,0 @@
|
|||||||
{ config, lib, values, ... }:
|
|
||||||
let
|
|
||||||
mkRunner = name: {
|
|
||||||
# This is unfortunately state, and has to be generated one at a time :(
|
|
||||||
# To do that, comment out all except one of the runners, fill in its token
|
|
||||||
# inside the sops file, rebuild the system, and only after this runner has
|
|
||||||
# successfully registered will gitea give you the next token.
|
|
||||||
# - oysteikt Sep 2023
|
|
||||||
sops.secrets."gitea/runners/${name}".restartUnits = [
|
|
||||||
"gitea-runner-${name}.service"
|
|
||||||
];
|
|
||||||
|
|
||||||
services.gitea-actions-runner.instances = {
|
|
||||||
${name} = {
|
|
||||||
enable = true;
|
|
||||||
name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
|
|
||||||
labels = [
|
|
||||||
"debian-latest:docker://node:current-bookworm"
|
|
||||||
"ubuntu-latest:docker://node:current-bookworm"
|
|
||||||
];
|
|
||||||
tokenFile = config.sops.secrets."gitea/runners/${name}".path;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
in
|
|
||||||
lib.mkMerge [
|
|
||||||
(mkRunner "alpha")
|
|
||||||
(mkRunner "beta")
|
|
||||||
(mkRunner "epsilon")
|
|
||||||
{
|
|
||||||
virtualisation.podman = {
|
|
||||||
enable = true;
|
|
||||||
defaultNetwork.settings.dns_enabled = true;
|
|
||||||
autoPrune.enable = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.dhcpcd.IPv6rs = false;
|
|
||||||
|
|
||||||
networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
|
|
||||||
}
|
|
||||||
]
|
|
||||||
@@ -14,15 +14,9 @@
|
|||||||
"armv7l-linux"
|
"armv7l-linux"
|
||||||
];
|
];
|
||||||
|
|
||||||
sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
|
boot.loader.systemd-boot.enable = false;
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
||||||
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
|
||||||
sops.age.generateKey = true;
|
|
||||||
|
|
||||||
boot.loader.grub.device = "/dev/sda";
|
boot.loader.grub.device = "/dev/sda";
|
||||||
|
|
||||||
networking.hostName = "wenche"; # Define your hostname.
|
|
||||||
|
|
||||||
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
|
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
|
||||||
matchConfig.Name = "ens18";
|
matchConfig.Name = "ens18";
|
||||||
address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
||||||
@@ -36,9 +30,9 @@
|
|||||||
package = config.boot.kernelPackages.nvidiaPackages.production;
|
package = config.boot.kernelPackages.nvidiaPackages.production;
|
||||||
};
|
};
|
||||||
|
|
||||||
# List packages installed in system profile
|
services.qemuGuest.enable = true;
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
];
|
|
||||||
|
|
||||||
system.stateVersion = "24.11"; # Did you read the comment?
|
# Don't change (even during upgrades) unless you know what you are doing.
|
||||||
|
# See https://search.nixos.org/options?show=system.stateVersion
|
||||||
|
system.stateVersion = "24.11";
|
||||||
}
|
}
|
||||||
|
|||||||
+1
-1
@@ -376,7 +376,7 @@ in {
|
|||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
CPUSchedulingPolicy = "batch";
|
CPUSchedulingPolicy = "batch";
|
||||||
Group = "nginx";
|
Group = lib.mkIf cfg.enableNginx "nginx";
|
||||||
UMask = "026";
|
UMask = "026";
|
||||||
ExecStart = [
|
ExecStart = [
|
||||||
# If web folder doesnt exist generate it
|
# If web folder doesnt exist generate it
|
||||||
|
|||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user