felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2025-12-31 12:48:23 +01:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: felixalb:fix-bluemap-markers
Branches Tags
felixalb:main felixalb:alps felixalb:fix-bluemap-markers felixalb:nix-topology felixalb:gitea-robots-txt felixalb:bindmount-postgres-mysql-dirs felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:errorpages felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:dagali-heimdal-openldap-sasl-stack felixalb:gitea-navbar-get-started felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim
..
compare: felixalb:gitea-show-license-in-list-view
Branches Tags
felixalb:main felixalb:alps felixalb:fix-bluemap-markers felixalb:nix-topology felixalb:gitea-robots-txt felixalb:bindmount-postgres-mysql-dirs felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:errorpages felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:dagali-heimdal-openldap-sasl-stack felixalb:gitea-navbar-get-started felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim

1 Commits
fix-bluema ... gitea-show

Author SHA1 Message Date
h7x4
11855f4c5f WIP: kommode/gitea: display license in repo list 2025-03-17 20:41:09 +01:00
119 changed files with 2956 additions and 4826 deletions
Expand all files Collapse all files

32
.gitea/workflows/build-topology-graph.yml
View File

@@ -1,32 +0,0 @@
name: "Build topology graph"
on:
push:
branches:
- main
jobs:
evals:
runs-on: debian-latest
steps:
- uses: actions/checkout@v6
- name: Install sudo
run: apt-get update && apt-get -y install sudo
- uses: https://github.com/cachix/install-nix-action@v31
- name: Configure Nix
run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
- name: Build topology graph
run: nix build .#topology -L
- name: Upload topology graph
uses: https://git.pvv.ntnu.no/Projects/rsync-action@v2
with:
source: result/*.svg
quote-source: false
target: ${{ gitea.ref_name }}/topology_graph/
username: gitea-web
ssh-key: ${{ secrets.WEB_SYNC_SSH_KEY }}
host: pages.pvv.ntnu.no
known-hosts: "pages.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH2QjfFB+city1SYqltkVqWACfo1j37k+oQQfj13mtgg"

6
.gitea/workflows/eval.yml
View File

@@ -4,10 +4,10 @@ on:
push:
jobs:
evals:
runs-on: debian-latest
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v3
- run: apt-get update && apt-get -y install sudo
- uses: https://github.com/cachix/install-nix-action@v31
- uses: https://github.com/cachix/install-nix-action@v23
- run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
- run: nix flake check

25
.mailmap
View File

@@ -1,25 +0,0 @@
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> <daniel.olsen99@gmail.com>
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel <danio@pvv.ntnu.no>
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@pvv.ntnu.no>
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> danio <danio@pvv.ntnu.no>
Daniel Løvbrøtte Olsen <danio@pvv.ntnu.no> Daniel Olsen <danio@bicep.pvv.ntnu.no>
Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> h7x4 <h7x4@nani.wtf>
Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein Tveit <oysteikt@pvv.ntnu.no>
Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> oysteikt <oysteikt@pvv.ntnu.no>
Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Øystein <oysteikt@pvv.org>
Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
Felix Albrigtsen <felixalb@pvv.ntnu.no> <felix@albrigtsen.it>
Felix Albrigtsen <felixalb@pvv.ntnu.no> <felixalbrigtsen@gmail.com>
Felix Albrigtsen <felixalb@pvv.ntnu.no> felixalb <felixalb@pvv.ntnu.no>
Peder Bergebakken Sundt <pederbs@pvv.ntnu.no> <pbsds@hotmail.com>
Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian G L <adrian@lauterer.it>
Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lauterer.it>
Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>

62
.sops.yaml
View File

@@ -1,31 +1,27 @@
keys:
# Users
- &user_danio age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
- &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
- &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
- &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
- &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
- &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
- &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
- &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
- &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
- &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
- &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
# Hosts
- &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
- &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
- &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
- &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
- &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
- &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
- &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
- &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
- &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
- &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
creation_rules:
# Global secrets
- path_regex: secrets/[^/]+\.yaml$
key_groups:
- age:
- *host_jokum
- *user_danio
- *user_felixalb
- *user_eirikwit
@@ -61,6 +57,18 @@ creation_rules:
pgp:
- *user_oysteikt
- path_regex: secrets/jokum/[^/]+\.yaml$
key_groups:
- age:
- *host_jokum
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt
- path_regex: secrets/ildkule/[^/]+\.yaml$
key_groups:
- age:
@@ -96,31 +104,3 @@ creation_rules:
- *user_pederbs_bjarte
pgp:
- *user_oysteikt
- path_regex: secrets/lupine/[^/]+\.yaml$
key_groups:
- age:
- *host_lupine-1
- *host_lupine-2
- *host_lupine-3
- *host_lupine-4
- *host_lupine-5
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt
- path_regex: secrets/bakke/[^/]+\.yaml$
key_groups:
- age:
- *host_bakke
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt

61
README.MD Normal file
View File

@@ -0,0 +1,61 @@
# PVV NixOS configs
## Hvordan endre på ting
Før du endrer på ting husk å ikke putte ting som skal være hemmelig uten å først lese seksjonen for hemmeligheter!
Etter å ha klonet prosjektet ned og gjort endringer kan du evaluere configene med:
`nix flake check --keep-going`
før du bygger en maskin med:
`nix build .#<maskinnavn>`
hvis du vil være ekstra sikker på at alt bygger så kan du kjøre:
`nix build .` for å bygge alle de viktige maskinene.
NB: Dette kan ta opp til 30 minutter avhengig av hva som ligger i caches
Husk å hvertfall stage nye filer om du har laget dem!
Om alt bygger fint commit det og push til git repoet.
Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
som root på maskinen.
Hvis du ikke har lyst til å oppdatere alle pakkene (og kanskje måtte vente en stund!) kan du kjøre
`nixos-rebuild switch --override-input nixpkgs nixpkgs --override-input nixpkgs-unstable nixpkgs-unstable --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
## Seksjonen for hemmeligheter
For at hemmeligheter ikke skal deles med hele verden i git - eller å være world
readable i nix-storen, bruker vi [sops-nix](https://github.com/Mic92/sops-nix)
For å legge til secrets kan du kjøre f.eks. `sops secrets/jokum/jokum.yaml`
Dette vil dekryptere filen og gi deg en text-editor du kan bruke for endre hemmelighetene.
Et nix shell med dette verktøyet inkludert ligger i flaket og shell.nix og kan aktiveres med:
`nix-shell` eller `nix develop`. Vi anbefaler det siste.
I tilegg kan du sette opp [direnv](https://direnv.net/) slik at dette skjer automatisk
for å få tilgang til å lese/skrive hemmeligheter må du spørre noen/noe som har tilgang til hemmelighetene
om å legge til age eller pgp nøkkelen din i [`.sops.yaml`](https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/.sops.yaml)
Denne kan du generere fra ssh-nøkkelene dine eller lage en egen nøkkel.
### Legge til flere keys
Gjør det som gir mening i .sops.yml
Etter det kjør `sops updatekeys secrets/host/file.yml`
MERK at det ikke er `sops -r` som BARE roterer nøkklene for de som allerede er i secretfila

36
README.md
View File

@@ -1,36 +0,0 @@
# PVV NixOS config
This repository contains the NixOS configurations for Programvareverkstedet's server closet.
In addition to machine configurations, it also contains a bunch of shared modules, packages, and
more.
## Machines
| Name | Type | Description |
|----------------------------|----------|-----------------------------------------------------------|
| [bekkalokk][bek] | Physical | Our main web host, webmail, wiki, idp, minecraft map, ... |
| [bicep][bic] | Virtual | Database host, matrix, git mirrors, ... |
| bikkje | Virtual | Experimental login box |
| [brzeczyszczykiewicz][brz] | Physical | Shared music player |
| [georg][geo] | Physical | Shared music player |
| [ildkule][ild] | Virtual | Logging and monitoring host, prometheus, grafana, ... |
| [kommode][kom] | Virtual | Gitea + Gitea pages |
| [lupine][lup] | Physical | Gitea CI/CD runners |
| shark | Virtual | Test host for authentication, absolutely horrendous |
| [wenche][wen] | Virtual | Nix-builders, general purpose compute |
## Documentation
- [Development - working on the PVV machines](./docs/development.md)
- [Miscellaneous development notes](./docs/development-misc.md)
- [User management](./docs/users.md)
- [Secret management and `sops-nix`](./docs/secret-management.md)
[bek]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bekkalokk
[bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
[brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
[geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
[ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
[kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
[lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
[wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche

28
base/default.nix
View File

@@ -1,9 +1,4 @@
{
pkgs,
lib,
fp,
...
}:
{ pkgs, lib, fp, ... }:
{
imports = [
@@ -12,11 +7,8 @@
./networking.nix
./nix.nix
./vm.nix
./flake-input-exporter.nix
./services/acme.nix
./services/uptimed.nix
./services/auto-upgrade.nix
./services/dbus.nix
./services/fwupd.nix
@@ -25,9 +17,6 @@
./services/nginx.nix
./services/openssh.nix
./services/postfix.nix
./services/prometheus-node-exporter.nix
./services/prometheus-systemd-exporter.nix
./services/promtail.nix
./services/smartd.nix
./services/thermald.nix
./services/userborn.nix
@@ -61,21 +50,9 @@
kitty.terminfo
];
# .bash_profile already works, but lets also use .bashrc like literally every other distro
# https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
# home-manager usually handles this for you: https://github.com/nix-community/home-manager/blob/22a36aa709de7dd42b562a433b9cefecf104a6ee/modules/programs/bash.nix#L203-L209
# btw, programs.bash.shellInit just goes into environment.shellInit which in turn goes into /etc/profile, spooky shit
programs.bash.shellInit = ''
if [ -n "''${BASH_VERSION:-}" ]; then
if [[ ! -f ~/.bash_profile && ! -f ~/.bash_login ]]; then
[[ -f ~/.bashrc ]] && . ~/.bashrc
fi
fi
'';
programs.zsh.enable = true;
# security.lockKernelModules = true;
security.lockKernelModules = true;
security.protectKernelImage = true;
security.sudo.execWheelOnly = true;
security.sudo.extraConfig = ''
@@ -87,3 +64,4 @@
# Trusted users on the nix builder machines
users.groups."nix-builder-users".name = "nix-builder-users";
}

55
base/flake-input-exporter.nix
View File

@@ -1,55 +0,0 @@
{
config,
inputs,
lib,
pkgs,
values,
...
}:
let
data = lib.flip lib.mapAttrs inputs (
name: input: {
inherit (input)
lastModified
;
}
);
folder = pkgs.writeTextDir "share/flake-inputs" (
lib.concatMapStringsSep "\n" (
{ name, value }: ''nixos_last_modified_input{flake="${name}"} ${toString value.lastModified}''
) (lib.attrsToList data)
);
port = 9102;
in
{
services.nginx.virtualHosts."${config.networking.fqdn}-nixos-metrics" = {
serverName = config.networking.fqdn;
serverAliases = [
"${config.networking.hostName}.pvv.org"
];
locations."/metrics" = {
root = "${folder}/share";
tryFiles = "/flake-inputs =404";
extraConfig = ''
default_type text/plain;
'';
};
listen = [
{
inherit port;
addr = "0.0.0.0";
}
];
extraConfig = ''
allow ${values.hosts.ildkule.ipv4}/32;
allow ${values.hosts.ildkule.ipv6}/128;
allow 127.0.0.1/32;
allow ::1/128;
allow ${values.ipv4-space};
allow ${values.ipv6-space};
deny all;
'';
};
networking.firewall.allowedTCPPorts = [ port ];
}

20
base/nix.nix
View File

@@ -1,4 +1,4 @@
{ lib, config, inputs, ... }:
{ inputs, ... }:
{
nix = {
gc = {
@@ -9,9 +9,8 @@
settings = {
allow-dirty = true;
auto-allocate-uids = true;
builders-use-substitutes = true;
experimental-features = [ "nix-command" "flakes" "auto-allocate-uids" ];
experimental-features = [ "nix-command" "flakes" ];
log-lines = 50;
use-xdg-base-directories = true;
};
@@ -22,16 +21,11 @@
** use the same channel the system
** was built with
*/
registry = lib.mkMerge [
{
"nixpkgs".flake = inputs.nixpkgs;
"nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
}
# We avoid the reference to self in vmVariant to get a stable system .outPath for equivalence testing
(lib.mkIf (!config.virtualisation.isVmVariant) {
"pvv-nix".flake = inputs.self;
})
];
registry = {
"nixpkgs".flake = inputs.nixpkgs;
"nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
"pvv-nix".flake = inputs.self;
};
nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"unstable=${inputs.nixpkgs-unstable}"

41
base/services/auto-upgrade.nix
View File

@@ -1,39 +1,26 @@
{ config, inputs, pkgs, lib, ... }:
let
inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs;
in
{ inputs, pkgs, lib, ... }:
{
system.autoUpgrade = {
enable = true;
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
flags = [
"--refresh"
"--no-write-lock-file"
# --update-input is deprecated since nix 2.22, and removed in lix 2.90
# as such we instead use --override-input combined with --refresh
# https://git.lix.systems/lix-project/lix/issues/400
] ++ (lib.pipe inputUrls [
(lib.intersectAttrs {
nixpkgs = { };
nixpkgs-unstable = { };
})
(lib.mapAttrsToList (input: url: ["--override-input" input url]))
lib.concatLists
]);
"--refresh"
"--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.11-small"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
"--no-write-lock-file"
];
};
# workaround for https://github.com/NixOS/nix/issues/6895
# via https://git.lix.systems/lix-project/lix/issues/400
environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
"current-system-flake-inputs.json".source
= pkgs.writers.writeJSON "flake-inputs.json" (
lib.flip lib.mapAttrs inputs (name: input:
# inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
// { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
)
);
};
environment.etc."current-system-flake-inputs.json".source
= pkgs.writers.writeJSON "flake-inputs.json" (
lib.flip lib.mapAttrs inputs (name: input:
# inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
// { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
)
);
}

23
base/services/nginx.nix
View File

@@ -20,14 +20,14 @@
recommendedGzipSettings = true;
appendConfig = ''
# pcre_jit on;
pcre_jit on;
worker_processes auto;
worker_rlimit_nofile 100000;
'';
eventsConfig = ''
worker_connections 2048;
use epoll;
# multi_accept on;
multi_accept on;
'';
};
@@ -40,25 +40,6 @@
};
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
listen = [
{
addr = "0.0.0.0";
extraParameters = [
"default_server"
# Seemingly the default value of net.core.somaxconn
"backlog=4096"
"deferred"
];
}
{
addr = "[::0]";
extraParameters = [
"default_server"
"backlog=4096"
"deferred"
];
}
];
sslCertificate = "/etc/certs/nginx.crt";
sslCertificateKey = "/etc/certs/nginx.key";
addSSL = true;

15
base/services/postfix.nix
View File

@@ -6,17 +6,18 @@ in
services.postfix = {
enable = true;
settings.main = {
myhostname = "${config.networking.hostName}.pvv.ntnu.no";
mydomain = "pvv.ntnu.no";
hostname = "${config.networking.hostName}.pvv.ntnu.no";
domain = "pvv.ntnu.no";
# Nothing should be delivered to this machine
mydestination = [ ];
relayhost = [ "smtp.pvv.ntnu.no:465" ];
relayHost = "smtp.pvv.ntnu.no";
relayPort = 465;
config = {
smtp_tls_wrappermode = "yes";
smtp_tls_security_level = "encrypt";
};
# Nothing should be delivered to this machine
destination = [ ];
};
}

23
base/services/prometheus-node-exporter.nix
View File

@@ -1,23 +0,0 @@
{ config, lib, values, ... }:
let
cfg = config.services.prometheus.exporters.node;
in
{
services.prometheus.exporters.node = {
enable = lib.mkDefault true;
port = 9100;
enabledCollectors = [ "systemd" ];
};
systemd.services.prometheus-node-exporter.serviceConfig = lib.mkIf cfg.enable {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ cfg.port ];
}

26
base/services/prometheus-systemd-exporter.nix
View File

@@ -1,26 +0,0 @@
{ config, lib, values, ... }:
let
cfg = config.services.prometheus.exporters.systemd;
in
{
services.prometheus.exporters.systemd = {
enable = lib.mkDefault true;
port = 9101;
extraFlags = [
"--systemd.collector.enable-restart-count"
"--systemd.collector.enable-ip-accounting"
];
};
systemd.services.prometheus-systemd-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ cfg.port ];
}

38
base/services/promtail.nix
View File

@@ -1,38 +0,0 @@
{ config, lib, values, ... }:
let
cfg = config.services.prometheus.exporters.node;
in
{
services.promtail = {
enable = lib.mkDefault true;
configuration = {
server = {
http_listen_port = 28183;
grpc_listen_port = 0;
};
clients = [{
url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
}];
scrape_configs = [{
job_name = "systemd-journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = config.networking.hostName;
};
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
];
}];
};
};
}

59
base/services/uptimed.nix
View File

@@ -1,59 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.uptimed;
in
{
options.services.uptimed.settings = lib.mkOption {
description = "";
default = { };
type = lib.types.submodule {
freeformType = with lib.types; attrsOf (either str (listOf str));
};
};
config = {
services.uptimed = {
enable = true;
settings = let
stateDir = "/var/lib/uptimed";
in {
PIDFILE = "${stateDir}/pid";
SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
};
};
systemd.services.uptimed = lib.mkIf (cfg.enable) {
serviceConfig = let
uptimed = pkgs.uptimed.overrideAttrs (prev: {
postPatch = ''
substituteInPlace Makefile.am \
--replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
substituteInPlace src/Makefile.am \
--replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
'';
});
in {
Type = "notify";
ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
BindReadOnlyPaths = let
configFile = lib.pipe cfg.settings [
(lib.mapAttrsToList
(k: v:
if builtins.isList v
then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v
else "${k}=${v}")
)
(lib.concatStringsSep "\n")
(pkgs.writeText "uptimed.conf")
];
in [
"${configFile}:/var/lib/uptimed/uptimed.conf"
];
};
};
};
}

15
base/vm.nix
View File

@@ -1,15 +0,0 @@
{ lib, ... }:
# This enables
# lib.mkIf (!config.virtualisation.isVmVariant) { ... }
{
options.virtualisation.isVmVariant = lib.mkOption {
description = "`true` if system is build with 'nixos-rebuild build-vm'";
type = lib.types.bool;
default = false;
};
config.virtualisation.vmVariant = {
virtualisation.isVmVariant = true;
};
}

103
docs/development-misc.md
View File

@@ -1,103 +0,0 @@
# Miscellaneous development notes
This document contains a bunch of information that is not particularly specific to the pvv nixos config,
but concerns technologies we use often or gotchas to be aware of when working with NixOS. A lot of the information
here is already public information spread around the internet, but we've collected some of the items we use often
here.
## The firewall
`networking.firewall` is a NixOS module that configures `iptables` rules on the machine. It is enabled by default on
all of our machines, and it can be easy to forget about it when setting up new services, especially when we are the
ones creating the NixOS module.
When setting up a new service that listens on a TCP or UDP port, make sure to add the appropriate ports to either
`networking.firewall.allowedTCPPorts` or `networking.firewall.allowedUDPPorts`.
You can list out the current firewall rules by running `sudo iptables -L -n -v` on the machine.
## Finding stuff
Finding stuff, both underlying implementation and usage is absolutely crucial when working on nix.
Oftentimes, the documentation will be outdated, lacking or just plain out wrong. These are some of
the techniques we have found to be quite good when working with nix.
### [ripgrep](https://github.com/BurntSushi/ripgrep)
ripgrep (or `rg` for short) is a tool that lets you recursively grep for regex patters in a directory.
It is great for finding references to configuration, and where and how certain things are used. It is
especially great when working with [nixpkgs](https://github.com/NixOS/nixpkgs), which is quite large.
### GitHub Search
When trying to set up a new service or reconfigure something, it is very common that someone has done it
before you, but it has never been documented anywhere. A lot of Nix code exists on GitHub, and you can
easily query it by using the `lang:nix` filter in the search bar.
For example: https://github.com/search?q=lang%3Anix+dibbler&type=code
## rsync
`rsync` is a tool for synchronizing files between machines. It is very useful when transferring large
amounts of data from a to b. We use it for multiple things, often when data is produced or stored on
one machine, and we want to process or convert it on another. For example, we use it to transfer gitea
artifacts, to transfer gallery pictures, to transfer minecraft world data for map rendering, and more.
Along with `rsync`, we often use a lesser known tool called `rrsync`, which you can use inside an ssh
configuration (`authorized_keys` file) to restrict what paths a user can access when connecting over ssh.
This is useful both as a security measure, but also to avoid accidental overwrites of files outside the intended
path. `rrsync` will use chroot to restrict what paths the user can access, as well as refuse to run arbitrary commands.
## `nix repl`
`nix repl` is an interactive REPL for the Nix language. It is very useful for experimenting with Nix code,
and testing out small snippets of code to make sure it behaves as expected. You can also use it to explore
NixOS machine configurations, to interactively see that the configuration evaluates to what you expect.
```
# While in the pvv-nixos-config directory
nix repl .
# Upon writing out the config path and clickin [Tab], you will get autocompletion suggestions:
nix-repl> nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts._
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.bekkalokk.pvv.ntnu.no-nixos-metrics
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.idp.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.minecraft.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pvv.org
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pw.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.roundcubeplaceholder.example.com
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.snappymail.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.webmail.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.wiki.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.www.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.www.pvv.org
```
## `nix why-depends`
If you ever wonder why a certain package is being used as a dependency of another package,
or another machine, you can use `nix why-depends` to find the dependency path from one package to another.
This is often useful after updating nixpkgs and finding an error saying that a certain package is insecure,
broken or whatnot. You can do something like the following
```bash
# Why does bekkalokk depend on openssl?
nix why-depends .#nixosConfigurations.bekkalokk.config.system.build.toplevel .#nixosConfigurations.bekkalokk.pkgs.openssl
# Why does bekkalokk's minecraft-server depend on zlib? (this is not real)
nix why-depends .#nixosConfigurations.bekkalokk.pkgs.minecraft-server .#nixosConfigurations.bekkalokk.pkgs.zlib
```
## php-fpm
php-fpm (FastCGI Process Manager) is a PHP implementation that is designed for speed and production use. We host a bunch
of different PHP applications (including our own website), and so we use php-fpm quite a bit. php-fpm typically exposes a
unix socket that nginx will connect to, and php-fpm will then render php upon web requests forwarded from nginx and return
it.
php-fpm has a tendency to be a bit hard to debug. It is not always very willing to spit out error messages and logs, and so
it can be a bit hard to figure out what's up when something goes wrong. You should see some of the commented stuff laying around
in the website code on bekkalokk for examples of how to configure php-fpm for better logging and error reporting.

190
docs/development.md
View File

@@ -1,190 +0,0 @@
# Development - working on the PVV machines
This document outlines the process of editing our NixOS configurations, and testing and deploying said changes
to the machines. Most of the information written here is specific to the PVV NixOS configuration, and the topics
will not really cover the nix code itself in detail. You can find some more resources for that by either following
the links from the *Upstream documentation* section below, or in [Miscellaneous development notes](./development-misc.md).
## Editing nix files
> [!WARN]
> Before editing any nix files, make sure to read [Secret management and `sops-nix`](./secret-management.md)!
> We do not want to add any secrets in plaintext to the nix files, and certainly not commit and publish
> them into the common public.
The files are plaintext code, written in the [`Nix` language](https://nix.dev/manual/nix/stable/language/).
Below is a list of important files and directories, and a description of what they contain.
### `flake.nix`
The `flake.nix` file is a [nix flake](https://wiki.nixos.org/wiki/Flakes) and makes up the entrypoint of the
entire configuration. It declares what inputs are used (similar to dependencies), as well as what outputs the
flake exposes. In our case, the most important outputs are the `nixosConfigurations` (our machine configs), but
we also expose custom modules, packages, devshells, and more. You can run `nix flake show` to get an overview of
the outputs (however you will need to [enable the `nix-flakes` experimental option](https://wiki.nixos.org/wiki/Flakes#Setup)).
You will find that a lot of the flake inputs are the different PVV projects that we develop, imported to be hosted
on the NixOS machines. This makes it easy to deploy changes to these projects, as we can just update the flake input
to point to a new commit or version, and then rebuild the machines.
A NixOS configuration is usually made with the `nixpkgs.lib.nixosSystem` function, however we have a few custom wrapper
functions named `nixosConfig` and `stableNixosConfig` that abstracts away some common configuration we want on all our machines.
### `values.nix`
`values.nix` is a somewhat rare pattern in NixOS configurations around the internet. It contains a bunch of constant values
that we use throughout the configuration, such as IP addresses, DNS names, paths and more. This not only makes it easier to
change the values should we need to, but it also makes the configuration more readable. Instead of caring what exact IP any
machine has, you can write `values.machines.name.ipv4` and abstract the details away.
### `base`
The `base` directory contains a bunch of NixOS configuration that is common for all or most machines. Some of the config
you will find here sets defaults for certain services without enabling them, so that when they are enabled in a machine config,
we don't need to repeat the same defaults over again. Other parts actually enable certain services that we want on all machines,
such as `openssh` or the auto upgrade timer.
### Vendoring `modules` and `packages`
Sometimes, we either find that the packages or modules provided by `nixpkgs` is not sufficient for us,
or that they are bugged in some way that can not be easily overrided. There are also cases where the
modules or packages does not exist. In these cases, we tend to either copy and modify the modules and
packages from nixpkgs, or create our own. These modules and packages end up in the top-level `modules`
and `packages` directories. They are usually exposed in `flake.nix` as flake outputs `nixosModules.<name>`
and `packages.<platform>.<name>`, and they are usually also added to the machines that need them in the flake.
In order to override or add an extra package, the easiest way is to use an [`overlay`](https://wiki.nixos.org/wiki/Overlays).
This makes it so that the package from `pkgs.<name>` now refers to the modified variant of the package.
In order to add a module, you can just register it in the modules of the nixos machine.
In order to override a module, you also have to use `disabledModules = [ "<path-relative-to-nixpkgs/modules>" ];`.
Use `rg` to find examples of the latter.
Do note that if you believe a new module to be of high enough quality, or the change you are making to be
relevant for every nix user, you should strongly consider also creating a PR towards nixpkgs. However,
getting changes made there has a bit higher threshold and takes more time than making changes in the PVV config,
so feel free to make the changes here first. We can always remove the changes again once the upstreaming is finished.
### `users`, `secrets` and `keys`
For `users`, see [User management](./users.md)
For `secrets` and `keys`, see [Secret management and `sops-nix`](./secret-management.md)
### Collaboration
We use our gitea to collaborate on changes to the nix configuration. Every PVV maintenance member should have
access to the repository. The usual workflow is that we create a branch for the change we want to make, do a bunch
of commits and changes, and then open a merge request for review (or just rebase on master if you know what you are doing).
### Upstream documentation
Here are different sources of documentation and stuff that you might find useful while
writing, editing and debugging nix code.
- [nixpkgs repository](https://github.com/NixOS/nixpkgs)
This is particularly useful to read the source code, as well as upstreaming pieces of code that we think
everyone would want
- [NixOS search](https://search.nixos.org/)
This is useful for searching for both packages and NixOS options.
- [nixpkgs documentation](https://nixos.org/manual/nixpkgs/stable/)
- [NixOS documentation](https://nixos.org/manual/nixos/stable/)
- [nix (the tool) documentation](https://nix.dev/manual/nix/stable/)
All of the three above make up the official documentation with all technical
details about the different pieces that makes up NixOS.
- [The official NixOS wiki](https://wiki.nixos.org)
User-contributed guides, tips and tricks, and whatever else.
- [nix.dev](https://nix.dev)
Additional stuff
- [Noogle](https://noogle.dev)
This is useful when looking for nix functions and packaging helpers.
## Testing and deploying changes
After editing the nix files on a certain branch, you will want to test and deploy the changes to the machines.
Unfortunately, we don't really have a good setup for testing for runtime correctness locally, but we can at least
make sure that the code evaluates and builds correctly before deploying.
To just check that the code evaluates without errors, you can run:
```bash
nix flake check
# Or if you want to keep getting all errors before it quits:
nix flake check --keep-going
```
> [!NOTE]
> If you are making changes that involves creating new nix files, remember to `git add` those files before running
> any nix commands. Nix refuses to acknowledge files that are not either commited or at least staged. It will spit
> out an error message about not finding the file in question.
### Building machine configurations
To build any specific machine configuration and look at the output, you can run:
```bash
nix build .#nixosConfigurations.<machine-name>.config.system.build.toplevel
# or just
nix build .#<machine-name>
```
This will create a symlink name `./result` to a directory containing the built NixOS system. It is oftentimes
the case that config files for certain services only end up in the nix store without being put into `/etc`. If you wish
to read those files, you can often find them by looking at the systemd unit files in `./result/etc/systemd/system/`.
(if you are using vim, `gf` or go-to-file while the cursor is over a file path is a useful trick while doing this).
If you have edited something that affects multiple machines, you can also build all important machines at once by running:
```bash
nix build .#
```
> [!NOTE]
> Building all machines at once can take a long time, depending on what has changed and whether you have already
> built some of the machines recently. Be prepared to wait for up to an hour to build all machines from scratch
> if this is the first time.
### Deploying to machines
> [!WARN]
> Be careful to think about state when testing changes against the machines. Sometimes, a certain change
> can lead to irreversible changes to the data stored on the machine. An example would be a set of database
> migrations applied when testing a newer version of a service. Unless that service also comes with downwards
> migrations, you can not go back to the previous version without losing data.
To deploy the changes to a machine, you should first SSH into the machine, and clone the pvv-nixos-config
repository unless you have already done so. After that, checkout the branch you want to deploy from, and rebuild:
```bash
# Run this while in the pvv-nixos-config directory
sudo nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake .# --upgrade
```
This will rebuild the NixOS system on the current branch and switch the system configuration to reflect the new changes.
Note that unless you eventually merge the current changes into `main`, the machine will rebuild itself automatically and
revert the changes on the next nightly rebuild (tends to happen when everybody is asleep).
### Forcefully reset to `main`
If you ever want to reset a machine to the `main` branch, you can do so by running:
```bash
nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git
```
This will ignore the current branch and just pull the latest `main` from the git repository directly from gitea.
You can also use this command if there are updates on the `main` branch that you want to deploy to the machine without
waiting for the nightly rebuild.

160
docs/secret-management.md
View File

@@ -1,160 +0,0 @@
# Secret management and `sops-nix`
Nix config is love, nix config is life, and publishing said config to the
internet is not only a good deed and kinda cool, but also encourages properly
secured configuration as opposed to [security through obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity).
That being said, there are some details of the config that we really shouldn't
share with the general public. In particular, there are so-called *secrets*, that is
API keys, passwords, tokens, cookie secrets, salts, peppers and jalapenos that we'd
rather keep to ourselves. However, it is not entirely trivial to do so in the NixOS config.
For one, we'd have to keep these secrets out of the public git repo somehow, and secondly
everything that is configured via nix ends up as world readable files (i.e. any user on the
system can read the file) in `/nix/store`.
In order to solve this, we use a NixOS module called [`sops-nix`](https://github.com/Mic92/sops-nix)
which uses a technology called [`sops`](https://github.com/getsops/sops) behind the scenes.
The idea is simple: we encrypt these secrets with a bunch of different keys and store the
encrypted files in the git repo. First of all, we encrypt the secrets a bunch of time with
PVV maintenance member's keys, so that we can decrypt and edit the contents. Secondly, we
encrypt the secrets with the [host keys]() of the NixOS machines, so that they can decrypt
the secrets. The secrets will be decrypted and stored in a well-known location (usually `/run/secrets`)
so that they do not end up in the nix store, and are not world readable.
This way, we can both keep the secrets in the git repository and let multiple people edit them,
but also ensure that they don't end up in the wrong hands.
## Adding a new machine
In order to add a new machine to the nix-sops setup, you should do the following:
```console
# Create host keys (if they don't already exist)
ssh-keygen -A -b 4096
# Derive an age-key from the public host key
nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# Register the age key in .sops.yaml
vim .sops.yaml
```
The contents of `.sops.yaml` should look like this:
```yaml
keys:
# Users
...
# Hosts
...
- &host_<machine_name> <public_age_key>
creation_rules:
...
- path_regex: secrets/<machine_name>/[^/]+\.yaml$
key_groups:
- age:
- *host_<machine_name>
- ... user keys
- pgp:
- ... user keys
```
> [!NOTE]
> Take care that all the keys in the `age` and `pgp` sections are prefixed
> with a `-`, or else sops might try to encrypt the secrets in a way where
> you need both keys present to decrypt the content. Also, it tends to throw
> interesting errors when it fails to do so.
```console
# While cd-ed into the repository, run this to get a shell with the `sops` tool present
nix-shell
```
Now you should also be able to edit secrets for this machine by running:
```
sops secrets/<machine_name>/<machine_name>.yaml
```
## Adding a user
Adding a user is quite similar to adding a new machine.
This guide assumes you have already set up SSH keys.
```
# Derive an age-key from your key
# (edit the path to the key if it is named something else)
nix-shell -p ssh-to-age --run 'cat ~/.ssh/id_ed25519.pub | ssh-to-age'
# Register the age key in .sops.yaml
vim .sops.yaml
```
The contents of `.sops.yaml` should look like this:
```yaml
keys:
# Users
...
- &user_<user_name> <public_age_key>
# Hosts
...
creation_rules:
...
# Do this for all the machines you are planning to edit
# (or just do it for all machines)
- path_regex: secrets/<machine_name>/[^/]+\.yaml$
key_groups:
- age:
- *host_<machine_name>
- ... user keys
- *host_<user_name>
- pgp:
- ... user keys
```
Now that sops is properly configured to recognize the key, you need someone
who already has access to decrypt all the secrets and re-encrypt them with your
key. At this point, you should probably [open a PR](https://docs.gitea.com/usage/issues-prs/pull-request)
and ask someone in PVV maintenance if they can checkout the PR branch, run the following
command and push the diff back into the PR (and maybe even ask them to merge if you're feeling
particularly needy).
```console
sops updatekeys secrets/*/*.yaml
```
## Updating keys
> [!NOTE]
> At some point, we found this flag called `sops -r` that seemed to be described to do what
> `sops updatekeys` does, do not be fooled. This only rotates the "inner key" for those who
> already have the secrets encrypted with their key.
Updating keys is done with this command:
```console
sops updatekeys secrets/*/*.yaml
```
However, there is a small catch. [oysteikt](https://git.pvv.ntnu.no/oysteikt) has kinda been
getting gray hairs lately, and refuses to use modern technology - he is still stuck using GPG.
This means that to be able to re-encrypt the sops secrets, you will need to have a gpg keychain
with his latest public key available. The key has an expiry date, so if he forgets to update it,
you should send him and angry email and tag him a bunch of times in a gitea issue. If the key
is up to date, you can do the following:
```console
# Fetch gpg (unless you have it already)
nix-shell -p gpg
# Import oysteikts key to the gpg keychain
gpg --import ./keys/oysteikt.pub
```
Now you should be able to run the `sops updatekeys` command again.

50
docs/users.md
View File

@@ -1,50 +0,0 @@
# User management
Due to some complications with how NixOS creates users compared to how we used to
create users with the salt-based setup, the NixOS machine users are created and
managed separately. We tend to create users on-demand, whenever someone in PVV
maintenance want to work on the NixOS machines.
## Setting up a new user
You can find the files for the existing users, and thereby examples of user files
in the [`users`](../users) directory. When creating a new file here, you should name it
`your-username.nix`, and add *at least* the following contents:
```nix
{ pkgs, ... }:
{
users.users."<username>" = {
isNormalUser = true;
extraGroups = [
"wheel" # In case you wanna use sudo (you probably do)
"nix-builder-users" # Arbitrary access to write to the nix store
];
# Any packages you frequently use to manage servers go here.
# Please don't pull gigantonormous packages here unless you
# absolutely need them, and remember that any package can be
# pulled via nix-shell if you only use it once in a blue moon.
packages = with pkgs; [
bottom
eza
];
# Not strictly needed, but we recommend adding your public SSH
# key here. If it is not present, you will have to log into the
# machine as 'root' before setting your password for every NixOS
# machine you have not logged into yet.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjiQ0wg4lpC7YBMAAHoGmgwqHOBi+EUz5mmCymGlIyT my-key"
];
};
}
```
The file will be picked up automatically, so creating the file and adding the
contents should be enough to get you registered. You should
[open a PR](https://docs.gitea.com/usage/issues-prs/pull-request) with the new
code so the machines will be rebuilt with your user present.
See also [Secret Management](./secret-management.md) for how to add your keys to the
system that lets us add secrets (API keys, password, etc.) to the NixOS config.

336
flake.lock generated
View File

@@ -1,26 +1,5 @@
{
"nodes": {
"devshell": {
"inputs": {
"nixpkgs": [
"nix-topology",
"nixpkgs"
]
},
"locked": {
"lastModified": 1728330715,
"narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
"owner": "numtide",
"repo": "devshell",
"rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
@@ -28,54 +7,19 @@
]
},
"locked": {
"lastModified": 1736864502,
"narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
"lastModified": 1741786315,
"narHash": "sha256-VT65AE2syHVj6v/DGB496bqBnu1PXrrzwlw07/Zpllc=",
"owner": "nix-community",
"repo": "disko",
"rev": "0141aabed359f063de7413f80d906e1d98c0c123",
"rev": "0d8c6ad4a43906d14abd5c60e0ffe7b587b213de",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v1.11.0",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gergle": {
"inputs": {
"nixpkgs": [
@@ -83,42 +27,19 @@
]
},
"locked": {
"lastModified": 1764868579,
"narHash": "sha256-rfTUOIc0wnC4+19gLVfPbHfXx/ilfuUix6bWY+yaM2U=",
"ref": "main",
"rev": "9c923d1d50daa6a3b28c3214ad2300bfaf6c8fcd",
"revCount": 22,
"lastModified": 1736621371,
"narHash": "sha256-45UIQSQA7R5iU4YWvilo7mQbhY1Liql9bHBvYa3qRI0=",
"ref": "refs/heads/main",
"rev": "3729796c1213fe76e568ac28f1df8de4e596950b",
"revCount": 20,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"nix-topology",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"greg-ng": {
"inputs": {
"nixpkgs": [
@@ -127,16 +48,15 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1765760377,
"narHash": "sha256-2+lgzUjVas9hPSeWn52MwuX+iidMN4RkzkHo4vrGmR8=",
"ref": "main",
"rev": "f340dc5b9c9f3b75b7aca41f56f8869b9e28cf8c",
"revCount": 58,
"lastModified": 1736545379,
"narHash": "sha256-PeTTmGumdOX3rd6OKI7QMCrZovCDkrckZbcHr+znxWA=",
"ref": "refs/heads/main",
"rev": "74f5316121776db2769385927ec0d0c2cc2b23e4",
"revCount": 42,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
}
@@ -148,16 +68,15 @@
]
},
"locked": {
"lastModified": 1764867811,
"narHash": "sha256-UWHiwr8tIcGcVxMLvAdNxDbQ8QuHf3REHboyxvFkYEI=",
"ref": "master",
"rev": "c9983e947efe047ea9d6f97157a1f90e49d0eab3",
"revCount": 81,
"lastModified": 1736178795,
"narHash": "sha256-mPdi8cgvIDYcgG3FRG7A4BOIMu2Jef96TPMnV00uXlM=",
"ref": "refs/heads/master",
"rev": "fde738910de1fd8293535a6382c2f0c2749dd7c1",
"revCount": 79,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
},
"original": {
"ref": "master",
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
}
@@ -169,59 +88,31 @@
]
},
"locked": {
"lastModified": 1764844095,
"narHash": "sha256-Drf1orxsmFDzO+UbPo85gHjXW7QzAM+6oTPvI7vOSik=",
"lastModified": 1735857245,
"narHash": "sha256-AKLLPrgXTxgzll3DqVUMa4QlPlRN3QceutgFBmEf8Nk=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "25b9f31ef1dbc3987b4c716de716239f2b283701",
"rev": "da9dc0479ffe22362793c87dc089035facf6ec4d",
"type": "github"
},
"original": {
"owner": "dali99",
"ref": "v0.8.0",
"ref": "0.7.0",
"repo": "nixos-matrix-modules",
"type": "github"
}
},
"minecraft-heatmap": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay_2"
},
"minecraft-data": {
"locked": {
"lastModified": 1766407405,
"narHash": "sha256-UEJ8F8/oG70biWRrGbL5/aB7OXzzvnYs+jxkR07UHvA=",
"ref": "main",
"rev": "e719840f72ca1b0cd169562a3a0de69899821de0",
"revCount": 16,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
}
},
"minecraft-kartverket": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1765904683,
"narHash": "sha256-uXM56y5n5GWpCiCNdKlTcCAy2IntgDB21c4gBDU30io=",
"ref": "main",
"rev": "6fae27b1659efb6774cf08a4e36ed29ab0e24105",
"revCount": 26,
"lastModified": 1725277886,
"narHash": "sha256-Fw4VbbE3EfypQWSgPDFfvVH47BHeg3ptsO715NlUM8Q=",
"ref": "refs/heads/master",
"rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
"revCount": 2,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
}
@@ -233,94 +124,48 @@
]
},
"locked": {
"lastModified": 1743881366,
"narHash": "sha256-ScGA2IHPk9ugf9bqEZnp+YB/OJgrkZblnG/XLEKvJAo=",
"ref": "main",
"rev": "db2e4becf1b11e5dfd33de12a90a7d089fcf68ec",
"revCount": 11,
"lastModified": 1736531400,
"narHash": "sha256-+X/HVI1AwoPcud28wI35XRrc1kDgkYdDUGABJBAkxDI=",
"ref": "refs/heads/main",
"rev": "e4dafd06b3d7e9e6e07617766e9c3743134571b7",
"revCount": 7,
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
"url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
}
},
"nix-topology": {
"inputs": {
"devshell": "devshell",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1765969653,
"narHash": "sha256-qVpQxyvdByeDfb+d+jhbyNna2Ie+w85iHpt4Qu0rv/E=",
"owner": "oddlama",
"repo": "nix-topology",
"rev": "0ed73e5a1b65eb8ed388d070ebe8dedb9182f466",
"type": "github"
},
"original": {
"owner": "oddlama",
"ref": "main",
"repo": "nix-topology",
"type": "github"
"url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1767043167,
"narHash": "sha256-wN04/SL+8tV0D2HBIgt9dpX/03U18xoJ+8PT+dcn30E=",
"rev": "0b43a6ee07997a6e319e92dcbf276c2736506944",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.2789.0b43a6ee0799/nixexprs.tar.xz"
"lastModified": 1741969460,
"narHash": "sha256-SCNxTTBfMJV7XuTcLUfdAd6cgCGsazzi+DoPrceQrZ0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "68612419aa6c9fd5b178b81e6fabbdf46d300ea4",
"type": "github"
},
"original": {
"type": "tarball",
"url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"
"owner": "NixOS",
"ref": "nixos-24.11-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1767031366,
"narHash": "sha256-SJz8tVEnXusU8OzN5ixAXQgzXv8fNIzp9ztzUyobh4s=",
"rev": "d23fedd87fcd067b1d160323fae0d0e4f995527d",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre918279.d23fedd87fcd/nixexprs.tar.xz"
},
"original": {
"type": "tarball",
"url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat",
"gitignore": "gitignore",
"nixpkgs": [
"nix-topology",
"nixpkgs"
],
"nixpkgs-stable": [
"nix-topology",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730797577,
"narHash": "sha256-SrID5yVpyUfknUTGWgYkTyvdr9J1LxUym4om3SVGPkg=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "1864030ed24a2b8b4e4d386a5eeaf0c5369e50a9",
"lastModified": 1741960758,
"narHash": "sha256-pSGMbfkxF7TSeco54W+B1q+g22YCVp1qXHgtrdgtyR4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "845dc1e9cbc2e48640b8968af58b4a19db67aa8f",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
@@ -331,16 +176,15 @@
]
},
"locked": {
"lastModified": 1764869785,
"narHash": "sha256-FGTIpC7gB4lbeL0bfYzn1Ge0PaCpd7VqWBLhJBx0i4A=",
"ref": "main",
"rev": "8ce7fb0b1918bdb3d1489a40d73895693955e8b2",
"revCount": 23,
"lastModified": 1723850344,
"narHash": "sha256-aT37O9l9eclWEnqxASVNBL1dKwDHZUOqdbA4VO9DJvw=",
"ref": "refs/heads/main",
"rev": "38b66677ab8c01aee10cd59e745af9ce3ea88092",
"revCount": 19,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
}
@@ -352,16 +196,15 @@
]
},
"locked": {
"lastModified": 1767080188,
"narHash": "sha256-BmyPuWeSQ9XREyi0KSerWRfJndmyzHNJLysBJld/KwA=",
"ref": "main",
"rev": "08a216f4473e26aa2a5349e72633c0ab24e8ffbd",
"revCount": 534,
"lastModified": 1741738148,
"narHash": "sha256-cJo6nbcJEOjkazkZ194NDnlsZe0W0wpxeUh2/886uC8=",
"ref": "refs/heads/main",
"rev": "c1802e7cf27c7cf8b4890354c982a4eef5b11593",
"revCount": 486,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
}
@@ -373,10 +216,8 @@
"greg-ng": "greg-ng",
"grzegorz-clients": "grzegorz-clients",
"matrix-next": "matrix-next",
"minecraft-heatmap": "minecraft-heatmap",
"minecraft-kartverket": "minecraft-kartverket",
"minecraft-data": "minecraft-data",
"nix-gitea-themes": "nix-gitea-themes",
"nix-topology": "nix-topology",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"pvv-calendar-bot": "pvv-calendar-bot",
@@ -392,32 +233,11 @@
]
},
"locked": {
"lastModified": 1765680428,
"narHash": "sha256-fyPmRof9SZeI14ChPk5rVPOm7ISiiGkwGCunkhM+eUg=",
"lastModified": 1729391507,
"narHash": "sha256-as0I9xieJUHf7kiK2a9znDsVZQTFWhM1pLivII43Gi0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "eb3898d8ef143d4bf0f7f2229105fc51c7731b2f",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": {
"nixpkgs": [
"minecraft-heatmap",
"nixpkgs"
]
},
"locked": {
"lastModified": 1766371695,
"narHash": "sha256-W7CX9vy7H2Jj3E8NI4djHyF8iHSxKpb2c/7uNQ/vGFU=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "d81285ba8199b00dc31847258cae3c655b605e8c",
"rev": "784981a9feeba406de38c1c9a3decf966d853cca",
"type": "github"
},
"original": {
@@ -433,34 +253,18 @@
]
},
"locked": {
"lastModified": 1766894905,
"narHash": "sha256-pn8AxxfajqyR/Dmr1wnZYdUXHgM3u6z9x0Z1Ijmz2UQ=",
"lastModified": 1741861888,
"narHash": "sha256-ynOgXAyToeE1UdLNfrUn/hL7MN0OpIS2BtNdLjpjPf0=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "61b39c7b657081c2adc91b75dd3ad8a91d6f07a7",
"rev": "d016ce0365b87d848a57c12ffcfdc71da7a2b55f",
"type": "github"
},
"original": {
"owner": "Mic92",
"ref": "master",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",

175
flake.nix
View File

@@ -2,42 +2,35 @@
description = "PVV System flake";
inputs = {
nixpkgs.url = "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz";
nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small"; # remember to also update the url in base/services/auto-upgrade.nix
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
sops-nix.url = "github:Mic92/sops-nix/master";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko/v1.11.0";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
nix-topology.url = "github:oddlama/nix-topology/main";
nix-topology.inputs.nixpkgs.follows = "nixpkgs";
pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git?ref=main";
pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git";
pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs";
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git?ref=main";
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.8.0";
matrix-next.url = "github:dali99/nixos-matrix-modules/0.7.0";
matrix-next.inputs.nixpkgs.follows = "nixpkgs";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git?ref=main";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git";
greg-ng.inputs.nixpkgs.follows = "nixpkgs";
gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git?ref=main";
gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git";
gergle.inputs.nixpkgs.follows = "nixpkgs";
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git?ref=master";
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
minecraft-kartverket.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git?ref=main";
minecraft-kartverket.inputs.nixpkgs.follows = "nixpkgs";
minecraft-data.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git";
};
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -60,82 +53,42 @@
in {
inputs = lib.mapAttrs (_: src: src.outPath) inputs;
pkgs = forAllSystems (system:
import nixpkgs {
inherit system;
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
[
"nvidia-x11"
"nvidia-settings"
];
});
nixosConfigurations = let
unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
nixosConfig =
nixpkgs:
name:
configurationPath:
extraArgs:
lib.nixosSystem (lib.recursiveUpdate
(let
nixosConfig = nixpkgs: name: config: lib.nixosSystem (lib.recursiveUpdate
rec {
system = "x86_64-linux";
in {
inherit system;
specialArgs = {
inherit unstablePkgs inputs;
values = import ./values.nix;
fp = path: ./${path};
} // extraArgs.specialArgs or { };
};
modules = [
configurationPath
./hosts/${name}/configuration.nix
sops-nix.nixosModules.sops
] ++ extraArgs.modules or [];
] ++ config.modules or [];
pkgs = import nixpkgs {
inherit system;
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
[
"nvidia-x11"
"nvidia-settings"
];
overlays = [
# Global overlays go here
] ++ extraArgs.overlays or [ ];
] ++ config.overlays or [ ];
};
})
(builtins.removeAttrs extraArgs [
"modules"
"overlays"
"specialArgs"
])
}
(removeAttrs config [ "modules" "overlays" ])
);
stableNixosConfig = name: extraArgs:
nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
stableNixosConfig = nixosConfig nixpkgs;
unstableNixosConfig = nixosConfig nixpkgs-unstable;
in {
bakke = stableNixosConfig "bakke" {
modules = [
disko.nixosModules.disko
];
};
bicep = stableNixosConfig "bicep" {
modules = [
inputs.matrix-next.nixosModules.default
inputs.pvv-calendar-bot.nixosModules.default
inputs.minecraft-heatmap.nixosModules.default
self.nixosModules.gickup
self.nixosModules.matrix-ooye
];
overlays = [
inputs.pvv-calendar-bot.overlays.default
inputs.minecraft-heatmap.overlays.default
(final: prev: {
inherit (self.packages.${prev.system}) out-of-your-element;
})
inputs.pvv-calendar-bot.overlays.x86_64-linux.default
];
};
bekkalokk = stableNixosConfig "bekkalokk" {
@@ -150,13 +103,17 @@
];
modules = [
inputs.pvv-nettsiden.nixosModules.default
self.nixosModules.bluemap
];
};
bob = stableNixosConfig "bob" {
modules = [
disko.nixosModules.disko
{ disko.devices.disk.disk1.device = "/dev/vda"; }
];
};
ildkule = stableNixosConfig "ildkule" { };
#ildkule-unstable = unstableNixosConfig "ildkule" { };
shark = stableNixosConfig "shark" { };
wenche = stableNixosConfig "wenche" { };
kommode = stableNixosConfig "kommode" {
overlays = [
@@ -195,37 +152,16 @@
inputs.gergle.overlays.default
];
};
}
//
(let
machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
stableLupineNixosConfig = name: extraArgs:
nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
modules = [{ networking.hostName = name; }];
specialArgs.lupineName = name;
}));
};
nixosModules = {
bluemap = ./modules/bluemap.nix;
snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix;
robots-txt = ./modules/robots-txt.nix;
gickup = ./modules/gickup;
matrix-ooye = ./modules/matrix-ooye.nix;
};
devShells = forAllSystems (system: {
default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
cuda = let
cuda-pkgs = import nixpkgs-unstable {
inherit system;
config = {
allowUnfree = true;
cudaSupport = true;
};
};
in cuda-pkgs.callPackage ./shells/cuda.nix { };
default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
});
packages = {
@@ -240,57 +176,14 @@
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
bluemap = pkgs.callPackage ./packages/bluemap.nix { };
out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
}
//
# Mediawiki extensions
} //
(lib.pipe null [
(_: pkgs.callPackage ./packages/mediawiki-extensions { })
(lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
(lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
])
//
# Machines
lib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
//
# Nix-topology
(let
topology' = import inputs.nix-topology {
pkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [ inputs.nix-topology.overlays.default ];
};
specialArgs = {
values = import ./values.nix;
};
modules = [
./topology
{
nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
modules = [
inputs.nix-topology.nixosModules.default
./topology/service-extractors/greg-ng.nix
];
}) self.nixosConfigurations;
}
];
};
in {
topology = topology'.config.output;
topology-png = pkgs.runCommand "pvv-config-topology-png" {
nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
} ''
mkdir -p "$out"
for file in '${topology'.config.output}'/*.svg; do
${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
done
'';
});
// lib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
};
};
}

25
hosts/bakke/configuration.nix
View File

@@ -1,25 +0,0 @@
{ config, pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base
./filesystems.nix
];
sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "bakke";
networking.hostId = "99609ffc";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0";
address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
system.stateVersion = "24.05";
}

83
hosts/bakke/disks.nix
View File

@@ -1,83 +0,0 @@
{
# https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
# Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
disko.devices = {
disk = {
one = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
type = "EF00";
content = {
type = "mdraid";
name = "boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
two = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
type = "EF00";
content = {
type = "mdraid";
name = "boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
};
mdadm = {
boot = {
type = "mdadm";
level = 1;
metadata = "1.0";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
raid1 = {
type = "mdadm";
level = 1;
content = {
type = "gpt";
partitions.primary = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
}

26
hosts/bakke/filesystems.nix
View File

@@ -1,26 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Boot drives:
boot.swraid.enable = true;
# ZFS Data pool:
environment.systemPackages = with pkgs; [ zfs ];
boot = {
zfs = {
extraPools = [ "tank" ];
requestEncryptionCredentials = false;
};
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
# NFS Exports:
#TODO
# NFS Import mounts:
#TODO
}

52
hosts/bakke/hardware-configuration.nix
View File

@@ -1,52 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=nix" "noatime" ];
};
fileSystems."/boot" =
{ device = "/dev/sdc2";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

5
hosts/bekkalokk/configuration.nix
View File

@@ -4,10 +4,11 @@
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/bluemap.nix
./services/bluemap/default.nix
./services/idp-simplesamlphp
./services/kerberos.nix
./services/kerberos
./services/mediawiki
./services/nginx.nix
./services/phpfpm.nix

131
hosts/bekkalokk/services/bluemap.nix
View File

@@ -1,131 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
format = pkgs.formats.hocon { };
in {
# NOTE: our versino of the module gets added in flake.nix
disabledModules = [ "services/web-apps/bluemap.nix" ];
sops.secrets."bluemap/ssh-key" = { };
sops.secrets."bluemap/ssh-known-hosts" = { };
services.bluemap = {
enable = true;
eula = true;
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
host = "minecraft.pvv.ntnu.no";
maps = let
inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
in {
"verden" = {
settings = {
world = vanillaSurvival;
dimension = "minecraft:overworld";
name = "Verden";
sorting = 0;
start-pos = {
x = 0;
z = 0;
};
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
marker-sets = {
_includes = [ (format.lib.mkInclude "${bluemap-export}/overworld.hocon") ];
};
};
};
"underverden" = {
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_nether";
name = "Underverden";
sorting = 100;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#290000";
void-color = "#150000";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
render-mask = [{
max-y = 90;
}];
marker-sets = {
_includes = [ (format.lib.mkInclude {
required = true;
type = "file";
value = "${bluemap-export}/nether.hocon";
}) ];
};
};
};
"enden" = {
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_end";
name = "Enden";
sorting = 200;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#080010";
void-color = "#080010";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
marker-sets = {
_includes = [ (format.lib.mkInclude "${bluemap-export}/the-end.hocon") ];
};
};
};
};
};
systemd.services."render-bluemap-maps" = {
serviceConfig = {
StateDirectory = [ "bluemap/world" ];
ExecStartPre = let
rsyncArgs = lib.cli.toCommandLineShellGNU { } {
archive = true;
compress = true;
verbose = true;
no-owner = true;
no-group = true;
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
};
in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
];
};
};
services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
kTLS = true;
http3 = true;
quic = true;
http3_hq = true;
extraConfig = ''
# Enabling QUIC 0-RTT
ssl_early_data on;
quic_gso on;
quic_retry on;
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
'';
};
networking.firewall.allowedUDPPorts = [ 443 ];
}

85
hosts/bekkalokk/services/bluemap/default.nix Normal file
View File

@@ -0,0 +1,85 @@
{ config, lib, pkgs, inputs, ... }:
let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
in {
imports = [
./module.nix # From danio, pending upstreaming
];
disabledModules = [ "services/web-apps/bluemap.nix" ];
sops.secrets."bluemap/ssh-key" = { };
sops.secrets."bluemap/ssh-known-hosts" = { };
services.bluemap = {
enable = true;
package = pkgs.callPackage ./package.nix { };
eula = true;
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
host = "minecraft.pvv.ntnu.no";
maps = {
"verden" = {
settings = {
world = vanillaSurvival;
sorting = 0;
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.verden;
};
};
"underverden" = {
settings = {
world = "${vanillaSurvival}/DIM-1";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.underverden;
};
};
"enden" = {
settings = {
world = "${vanillaSurvival}/DIM1";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
};
};
services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
};
# TODO: render somewhere else lmao
systemd.services."render-bluemap-maps" = {
preStart = ''
mkdir -p /var/lib/bluemap/world
${pkgs.rsync}/bin/rsync \
-e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" \
-avz --no-owner --no-group \
root@innovation.pvv.ntnu.no:/ \
${vanillaSurvival}
'';
serviceConfig = {
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
];
};
};
}

120
modules/bluemap.nix → hosts/bekkalokk/services/bluemap/module.nix
View File

@@ -25,7 +25,7 @@ let
"core.conf" = coreConfig;
"webapp.conf" = webappConfig;
"webserver.conf" = webserverConfig;
"packs" = cfg.packs;
"packs" = cfg.resourcepacks;
};
renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
@@ -36,7 +36,7 @@ let
"core.conf" = coreConfig;
"webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
"webserver.conf" = webserverConfig;
"packs" = value.packs;
"packs" = value.resourcepacks;
};
inherit (lib) mkOption;
@@ -110,7 +110,7 @@ in {
metrics = lib.mkEnableOption "Sending usage metrics containing the version of bluemap in use";
};
};
description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
};
webappSettings = mkOption {
@@ -127,7 +127,7 @@ in {
webroot = config.services.bluemap.webRoot;
}
'';
description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
};
webserverSettings = mkOption {
@@ -147,18 +147,18 @@ in {
default = { };
description = ''
Settings for the webserver.conf file, usually not required.
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
'';
};
maps = mkOption {
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
type = lib.types.attrsOf (lib.types.submodule {
options = {
packs = mkOption {
resourcepacks = mkOption {
type = lib.types.path;
default = cfg.packs;
defaultText = lib.literalExpression "config.services.bluemap.packs";
description = "A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order.";
default = cfg.resourcepacks;
defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
description = "A set of resourcepacks/mods/bluemap-addons to extract models from loaded in alphabetical order";
};
settings = mkOption {
type = (lib.types.submodule {
@@ -168,74 +168,43 @@ in {
type = lib.types.path;
description = "Path to world folder containing the dimension to render";
};
name = mkOption {
type = lib.types.str;
description = "The display name of this map (how this map will be named on the webapp)";
default = name;
defaultText = lib.literalExpression "<name>";
};
render-mask = mkOption {
type = with lib.types; listOf (attrsOf format.type);
description = "Limits for the map render";
default = [ ];
example = [
{
min-x = -4000;
max-x = 4000;
min-z = -4000;
max-z = 4000;
min-y = 50;
max-y = 100;
}
{
subtract = true;
min-y = 90;
max-y = 127;
}
];
};
};
});
description = ''
Settings for files in `maps/`.
See the default for an example with good options for the different world types.
For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
'';
};
};
}));
});
default = {
"overworld".settings = {
world = cfg.defaultWorld;
dimension = "minecraft:overworld";
name = "Overworld";
world = "${cfg.defaultWorld}";
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
"nether".settings = {
world = cfg.defaultWorld;
dimension = "minecraft:the_nether";
name = "Nether";
world = "${cfg.defaultWorld}/DIM-1";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
sky-light = 1;
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
};
"end".settings = {
world = cfg.defaultWorld;
dimension = "minecraft:the_end";
name = "The End";
world = "${cfg.defaultWorld}/DIM1";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
sky-light = 1;
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
@@ -243,36 +212,31 @@ in {
defaultText = lib.literalExpression ''
{
"overworld".settings = {
world = cfg.defaultWorld;
name = "Overworld";
dimension = "minecraft:overworld";
world = "''${cfg.defaultWorld}";
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
"nether".settings = {
world = cfg.defaultWorld;
dimension = "minecraft:the_nether";
name = "Nether";
world = "''${cfg.defaultWorld}/DIM-1";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
sky-light = 1;
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
};
"end".settings = {
world = cfg.defaultWorld;
name = "The End";
dimension = "minecraft:the_end";
world = "''${cfg.defaultWorld}/DIM1";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
sky-light = 1;
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
@@ -300,7 +264,7 @@ in {
description = ''
Where the rendered map will be stored.
Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/common/src/main/resources/de/bluecolored/bluemap/config/storages)
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/storages)
'';
default = {
"file" = {
@@ -316,12 +280,12 @@ in {
'';
};
packs = mkOption {
resourcepacks = mkOption {
type = lib.types.path;
default = pkgs.linkFarm "packs" { };
default = pkgs.linkFarm "resourcepacks" { };
description = ''
A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order.
Can be overriden on a per-map basis with `services.bluemap.maps.<name>.packs`.
A set of resourcepacks/mods to extract models from loaded in alphabetical order.
Can be overriden on a per-map basis with `services.bluemap.maps.<name>.resourcepacks`.
'';
};
};
@@ -342,23 +306,21 @@ in {
systemd.services."render-bluemap-maps" = lib.mkIf cfg.enableRender {
serviceConfig = {
Type = "oneshot";
CPUSchedulingPolicy = "batch";
Group = "nginx";
UMask = "026";
ExecStart = [
# If web folder doesnt exist generate it
''|test -f "${cfg.webRoot}" || ${lib.getExe cfg.package} -c ${webappConfigFolder} -gs''
]
++
# Render each minecraft map
lib.attrsets.mapAttrsToList
(name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r")
cfg.maps
++ [
# Generate updated webapp
"${lib.getExe cfg.package} -c ${webappConfigFolder} -gs"
];
};
script = ''
# If web folder doesnt exist generate it
test -f "${cfg.webRoot}" || ${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
# Render each minecraft map
${lib.strings.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
(name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r")
cfg.maps)}
# Generate updated webapp
${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
'';
};
systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {

30
hosts/bekkalokk/services/bluemap/package.nix Normal file
View File

@@ -0,0 +1,30 @@
{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
stdenvNoCC.mkDerivation rec {
pname = "bluemap";
version = "5.7";
src = fetchurl {
url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
hash = "sha256-8udZYJgrr4bi2mjRYrASd8JwUoUVZW1tZpOLRgafAIw=";
};
dontUnpack = true;
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
runHook preInstall
makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
runHook postInstall
'';
meta = {
description = "3D minecraft map renderer";
homepage = "https://bluemap.bluecolored.de/";
sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ dandellion h7x4 ];
mainProgram = "bluemap";
};
}

0
hosts/bekkalokk/services/kerberos.nix → hosts/bekkalokk/services/kerberos/default.nix
View File

88
hosts/bekkalokk/services/kerberos/krb5-conf-format.nix Normal file
View File

@@ -0,0 +1,88 @@
{ pkgs, lib, ... }:
# Based on
# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
let
inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
str submodule;
in
{ }: {
type = let
section = attrsOf relation;
relation = either (attrsOf value) value;
value = either (listOf atom) atom;
atom = oneOf [int str bool];
in submodule {
freeformType = attrsOf section;
options = {
include = mkOption {
default = [ ];
description = mdDoc ''
Files to include in the Kerberos configuration.
'';
type = coercedTo path singleton (listOf path);
};
includedir = mkOption {
default = [ ];
description = mdDoc ''
Directories containing files to include in the Kerberos configuration.
'';
type = coercedTo path singleton (listOf path);
};
module = mkOption {
default = [ ];
description = mdDoc ''
Modules to obtain Kerberos configuration from.
'';
type = coercedTo path singleton (listOf path);
};
};
};
generate = let
indent = str: concatMapStringsSep "\n" (line: " " + line) (splitString "\n" str);
formatToplevel = args @ {
include ? [ ],
includedir ? [ ],
module ? [ ],
...
}: let
sections = removeAttrs args [ "include" "includedir" "module" ];
in concatStringsSep "\n" (filter (x: x != "") [
(concatStringsSep "\n" (mapAttrsToList formatSection sections))
(concatMapStringsSep "\n" (m: "module ${m}") module)
(concatMapStringsSep "\n" (i: "include ${i}") include)
(concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
]);
formatSection = name: section: ''
[${name}]
${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
'';
formatRelation = name: relation:
if isAttrs relation
then ''
${name} = {
${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
}''
else formatValue name relation;
formatValue = name: value:
if isList value
then concatMapStringsSep "\n" (formatAtom name) value
else formatAtom name value;
formatAtom = name: atom: let
v = if isBool atom then boolToString atom else toString atom;
in "${name} = ${v}";
in
name: value: pkgs.writeText name ''
${formatToplevel value}
'';
}

90
hosts/bekkalokk/services/kerberos/krb5.nix Normal file
View File

@@ -0,0 +1,90 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
inherit (lib.types) bool;
mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
The option `krb5.${name}' has been removed. Use
`security.krb5.settings.${name}' for structured configuration.
'';
cfg = config.security.krb5;
format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
in {
imports = [
(mkRemovedOptionModuleCfg "libdefaults")
(mkRemovedOptionModuleCfg "realms")
(mkRemovedOptionModuleCfg "domain_realm")
(mkRemovedOptionModuleCfg "capaths")
(mkRemovedOptionModuleCfg "appdefaults")
(mkRemovedOptionModuleCfg "plugins")
(mkRemovedOptionModuleCfg "config")
(mkRemovedOptionModuleCfg "extraConfig")
(mkRemovedOptionModule' "kerberos" ''
The option `krb5.kerberos' has been moved to `security.krb5.package'.
'')
];
options = {
security.krb5 = {
enable = mkOption {
default = false;
description = mdDoc "Enable and configure Kerberos utilities";
type = bool;
};
package = mkPackageOption pkgs "krb5" {
example = "heimdal";
};
settings = mkOption {
default = { };
type = format.type;
description = mdDoc ''
Structured contents of the {file}`krb5.conf` file. See
{manpage}`krb5.conf(5)` for details about configuration.
'';
example = {
include = [ "/run/secrets/secret-krb5.conf" ];
includedir = [ "/run/secrets/secret-krb5.conf.d" ];
libdefaults = {
default_realm = "ATHENA.MIT.EDU";
};
realms = {
"ATHENA.MIT.EDU" = {
admin_server = "athena.mit.edu";
kdc = [
"athena01.mit.edu"
"athena02.mit.edu"
];
};
};
domain_realm = {
"mit.edu" = "ATHENA.MIT.EDU";
};
logging = {
kdc = "SYSLOG:NOTICE";
admin_server = "SYSLOG:NOTICE";
default = "SYSLOG:NOTICE";
};
};
};
};
};
config = mkIf cfg.enable {
environment = {
systemPackages = [ cfg.package ];
etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
};
};
meta.maintainers = builtins.attrValues {
inherit (lib.maintainers) dblsaiko h7x4;
};
}

1543
hosts/bekkalokk/services/kerberos/pam.nix Normal file
View File

File diff suppressed because it is too large Load Diff

10
hosts/bekkalokk/services/mediawiki/default.nix
View File

@@ -130,12 +130,6 @@ in {
$wgVectorDefaultSidebarVisibleForAnonymousUser = true;
$wgVectorResponsive = true;
# Experimental dark mode support for Vector 2022
$wgVectorNightMode['beta'] = true;
$wgVectorNightMode['logged_out'] = true;
$wgVectorNightMode['logged_in'] = true;
$wgDefaultUserOptions['vector-theme'] = 'os';
# Misc
$wgEmergencyContact = "${cfg.passwordSender}";
$wgUseTeX = false;
@@ -220,11 +214,11 @@ in {
"= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
buildInputs = with pkgs; [ imagemagick ];
} ''
magick \
${fp /assets/logo_blue_regular.png} \
convert \
-resize x64 \
-gravity center \
-crop 64x64+0+0 \
${fp /assets/logo_blue_regular.png} \
-flatten \
-colors 256 \
-background transparent \

42
hosts/bekkalokk/services/website/default.nix
View File

@@ -18,16 +18,11 @@ in {
restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
});
security.acme.certs."www.pvv.ntnu.no" = {
extraDomainNames = [
"pvv.ntnu.no"
"www.pvv.org"
"pvv.org"
];
};
services.idp.sp-remote-metadata = [
"https://www.pvv.ntnu.no/simplesaml/"
"https://pvv.ntnu.no/simplesaml/"
"https://www.pvv.org/simplesaml/"
"https://pvv.org/simplesaml/"
];
services.pvv-nettsiden = {
@@ -72,9 +67,7 @@ in {
ADMIN_NAME = "PVV Drift";
ADMIN_EMAIL = "drift@pvv.ntnu.no";
ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
TRUSTED_DOMAINS = [
"www.pvv.ntnu.no"
];
TRUSTED_DOMAINS = [ cfg.domainName ];
};
};
};
@@ -85,28 +78,13 @@ in {
"catch_workers_output" = true;
};
services.nginx.virtualHosts."pvv.ntnu.no" = {
globalRedirect = cfg.domainName;
redirectCode = 307;
forceSSL = true;
useACMEHost = "www.pvv.ntnu.no";
};
services.nginx.virtualHosts."www.pvv.org" = {
globalRedirect = cfg.domainName;
redirectCode = 307;
forceSSL = true;
useACMEHost = "www.pvv.ntnu.no";
};
services.nginx.virtualHosts."pvv.org" = {
globalRedirect = cfg.domainName;
redirectCode = 307;
forceSSL = true;
useACMEHost = "www.pvv.ntnu.no";
};
services.nginx.virtualHosts.${cfg.domainName} = {
serverAliases = [
"pvv.ntnu.no"
"www.pvv.org"
"pvv.org"
];
locations = {
# Proxy home directories
"^~ /~" = {

2
hosts/bekkalokk/services/website/fetch-gallery.nix
View File

@@ -53,7 +53,7 @@ in {
echo "Creating thumbnail for $fname"
mkdir -p $(dirname ".thumbnails/$fname")
magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
done <<< "$images"
'';

23
hosts/bicep/configuration.nix
View File

@@ -4,13 +4,13 @@
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/nginx
./services/calendar-bot.nix
#./services/git-mirrors
./services/minecraft-heatmap.nix
./services/mysql.nix
./services/postgres.nix
./services/mysql.nix
./services/calendar-bot.nix
./services/matrix
];
@@ -20,15 +20,13 @@
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/disk/by-id/scsi-3600508b1001cb1a8751c137b30610682";
networking.hostName = "bicep";
#systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
#matchConfig.Name = "enp6s0f0";
matchConfig.Name = "ens18";
systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp6s0f0";
address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
};
@@ -39,13 +37,6 @@
# There are no smart devices
services.smartd.enable = false;
# we are a vm now
services.qemuGuest.enable = true;
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.sshguard.enable = true;
# Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11";

25
hosts/bicep/hardware-configuration.nix
View File

@@ -5,29 +5,22 @@
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ahci" "sd_mod" "sr_mod" ];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "hpsa" "ohci_pci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a";
{ device = "/dev/disk/by-uuid/31a67903-dc00-448a-a24a-36e820318fe5";
fsType = "ext4";
};
# temp data disk, only 128gb not enough until we can add another disk to the system.
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/198B-E363";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
{ device = "/dev/disk/by-uuid/79e93eed-ad95-45c9-b115-4ef92afcc8c0";
fsType = "f2fs";
};
swapDevices = [ ];
@@ -37,7 +30,11 @@
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f2.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

100
hosts/bicep/services/git-mirrors/default.nix
View File

@@ -1,100 +0,0 @@
{ config, pkgs, lib, fp, ... }:
let
cfg = config.services.gickup;
in
{
sops.secrets."gickup/github-token" = {
owner = "gickup";
};
services.gickup = {
enable = true;
dataDir = "/data/gickup";
destinationSettings = {
structured = true;
zip = false;
keep = 10;
bare = true;
lfs = false;
};
instances = let
defaultGithubConfig = {
settings.token_file = config.sops.secrets."gickup/github-token".path;
};
defaultGitlabConfig = {
# settings.token_file = ...
};
in {
"github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
"github:NixOS/nixpkgs" = defaultGithubConfig;
"github:go-gitea/gitea" = defaultGithubConfig;
"github:heimdal/heimdal" = defaultGithubConfig;
"github:saltstack/salt" = defaultGithubConfig;
"github:typst/typst" = defaultGithubConfig;
"github:unmojang/FjordLauncher" = defaultGithubConfig;
"github:unmojang/drasl" = defaultGithubConfig;
"github:yushijinhun/authlib-injector" = defaultGithubConfig;
"gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
"gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
"any:glibc" = {
settings.url = "https://sourceware.org/git/glibc.git";
};
"any:out-of-your-element" = {
settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
};
"any:out-of-your-element-module" = {
settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
};
};
};
services.cgit = let
domain = "mirrors.pvv.ntnu.no";
in {
${domain} = {
enable = true;
package = pkgs.callPackage (fp /packages/cgit.nix) { };
group = "gickup";
scanPath = "${cfg.dataDir}/linktree";
settings = {
enable-commit-graph = true;
enable-follow-links = true;
enable-http-clone = true;
enable-remote-branches = true;
clone-url = "https://${domain}/$CGIT_REPO_URL";
remove-suffix = true;
root-title = "PVVSPPP";
root-desc = "PVV Speiler Praktisk og Prominent Programvare";
snapshots = "all";
logo = "/PVV-logo.png";
};
};
};
services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
locations."= /PVV-logo.png".alias = let
small-pvv-logo = pkgs.runCommandLocal "pvv-logo-96x96" {
nativeBuildInputs = [ pkgs.imagemagick ];
} ''
magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
'';
in toString small-pvv-logo;
};
systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = {
serviceConfig.BindReadOnlyPaths = [ cfg.dataDir ];
};
}

4
hosts/bicep/services/matrix/coturn.nix
View File

@@ -6,14 +6,12 @@
key = "synapse/turnconfig";
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
restartUnits = [ "coturn.service" ];
};
sops.secrets."matrix/coturn/static-auth-secret" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "coturn/static-auth-secret";
owner = config.users.users.turnserver.name;
group = config.users.users.turnserver.group;
restartUnits = [ "coturn.service" ];
};
services.matrix-synapse-next = {
@@ -44,7 +42,7 @@
security.acme.certs.${config.services.coturn.realm} = {
email = "drift@pvv.ntnu.no";
listenHTTP = "${values.services.turn.ipv4}:80";
listenHTTP = "129.241.210.213:80";
reloadServices = [ "coturn.service" ];
};

3
hosts/bicep/services/matrix/default.nix
View File

@@ -9,8 +9,7 @@
./coturn.nix
./mjolnir.nix
# ./discord.nix
./out-of-your-element.nix
./discord.nix
./hookshot
];

2
hosts/bicep/services/matrix/discord.nix
View File

@@ -45,7 +45,7 @@ in
};
services.mx-puppet-discord.enable = false;
services.mx-puppet-discord.enable = true;
services.mx-puppet-discord.settings = {
bridge = {
bindAddress = "localhost";

9
hosts/bicep/services/matrix/hookshot/default.nix
View File

@@ -18,7 +18,6 @@ in
sops.templates."hookshot-registration.yaml" = {
owner = config.users.users.matrix-synapse.name;
group = config.users.groups.keys-matrix-registrations.name;
restartUnits = [ "matrix-hookshot.service" ];
content = ''
id: matrix-hookshot
as_token: "${config.sops.placeholder."matrix/hookshot/as_token"}"
@@ -78,7 +77,7 @@ in
outbound = true;
urlPrefix = "https://hookshot.pvv.ntnu.no/webhook/";
userIdPrefix = "_webhooks_";
allowJsTransformationFunctions = true;
allowJsTransformationFunctions = false;
waitForComplete = false;
};
feeds = {
@@ -95,11 +94,6 @@ in
}
];
widgets = {
roomSetupWidget.addOnInvite = false;
publicUrl = "https://hookshot.pvv.ntnu.no/widgetapi/v1/static";
};
permissions = [
# Users of the PVV Server
{ actor = "pvv.ntnu.no";
@@ -134,7 +128,6 @@ in
services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://${webhookListenAddress}:${toString webhookListenPort}";
};

1
hosts/bicep/services/matrix/mjolnir.nix
View File

@@ -6,7 +6,6 @@
key = "mjolnir/access_token";
owner = config.users.users.mjolnir.name;
group = config.users.users.mjolnir.group;
restartUnits = [ "mjolnir.service" ];
};
services.mjolnir = {

70
hosts/bicep/services/matrix/out-of-your-element.nix
View File

@@ -1,70 +0,0 @@
{ config, pkgs, fp, ... }:
let
cfg = config.services.matrix-ooye;
in
{
users.groups.keys-matrix-registrations = { };
sops.secrets = {
"matrix/ooye/as_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/as_token";
restartUnits = [ "matrix-ooye.service" ];
};
"matrix/ooye/hs_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/hs_token";
restartUnits = [ "matrix-ooye.service" ];
};
"matrix/ooye/discord_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/discord_token";
restartUnits = [ "matrix-ooye.service" ];
};
"matrix/ooye/discord_client_secret" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/discord_client_secret";
restartUnits = [ "matrix-ooye.service" ];
};
};
services.matrix-ooye = {
enable = true;
homeserver = "https://matrix.pvv.ntnu.no";
homeserverName = "pvv.ntnu.no";
discordTokenPath = config.sops.secrets."matrix/ooye/discord_token".path;
discordClientSecretPath = config.sops.secrets."matrix/ooye/discord_client_secret".path;
bridgeOrigin = "https://ooye.pvv.ntnu.no";
enableSynapseIntegration = false;
};
systemd.services."matrix-synapse" = {
after = [
"matrix-ooye-pre-start.service"
"network-online.target"
];
requires = [ "matrix-ooye-pre-start.service" ];
serviceConfig = {
LoadCredential = [
"matrix-ooye-registration:/var/lib/matrix-ooye/registration.yaml"
];
ExecStartPre = [
"+${pkgs.coreutils}/bin/cp /run/credentials/matrix-synapse.service/matrix-ooye-registration ${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
"+${pkgs.coreutils}/bin/chown matrix-synapse:keys-matrix-registrations ${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
];
};
};
services.matrix-synapse-next.settings = {
app_service_config_files = [
"${config.services.matrix-synapse-next.dataDir}/ooye-registration.yaml"
];
};
services.nginx.virtualHosts."ooye.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:${cfg.socket}";
};
}

5
hosts/bicep/services/matrix/smtp-authenticator/default.nix
View File

@@ -1,4 +1,4 @@
{ lib, buildPythonPackage, fetchFromGitHub, setuptools }:
{ lib, buildPythonPackage, fetchFromGitHub }:
buildPythonPackage rec {
pname = "matrix-synapse-smtp-auth";
@@ -6,9 +6,6 @@ buildPythonPackage rec {
src = ./.;
pyproject = true;
build-system = [ setuptools ];
doCheck = false;
meta = with lib; {

4
hosts/bicep/services/matrix/synapse.nix
View File

@@ -124,8 +124,8 @@ in {
"fec0::/10"
# NTNU
values.ntnu.ipv4-space
values.ntnu.ipv6-space
"129.241.0.0/16"
"2001:700:300::/44"
];
};
};

49
hosts/bicep/services/minecraft-heatmap.nix
View File

@@ -1,49 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.minecraft-heatmap;
in
{
sops.secrets."minecraft-heatmap/ssh-key/private" = {
mode = "600";
};
sops.secrets."minecraft-heatmap/postgres-passwd" = {
mode = "600";
};
services.minecraft-heatmap = {
enable = true;
database = {
host = "postgres.pvv.ntnu.no";
port = 5432;
name = "minecraft_heatmap";
user = "minecraft_heatmap";
passwordFile = config.sops.secrets."minecraft-heatmap/postgres-passwd".path;
};
};
systemd.services.minecraft-heatmap-ingest-logs = {
serviceConfig.LoadCredential = [
"sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
];
preStart = let
knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U=
innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
'';
in ''
mkdir -p '${cfg.minecraftLogsDir}'
"${lib.getExe pkgs.rsync}" \
--archive \
--verbose \
--progress \
--no-owner \
--no-group \
--rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
root@innovation.pvv.ntnu.no:/ \
'${cfg.minecraftLogsDir}'/
'';
};
}

2
hosts/bicep/services/mysql.nix
View File

@@ -48,8 +48,6 @@
IPAddressAllow = [
values.ipv4-space
values.ipv6-space
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
}

47
hosts/bicep/services/postgres.nix
View File

@@ -1,15 +1,15 @@
{ config, pkgs, values, ... }:
{ config, pkgs, ... }:
{
services.postgresql = {
enable = true;
package = pkgs.postgresql_15;
enableTCPIP = true;
dataDir = "/data/postgresql";
authentication = ''
host all all ${values.ipv4-space} md5
host all all ${values.ipv6-space} md5
host all all ${values.hosts.ildkule.ipv4}/32 md5
host all all ${values.hosts.ildkule.ipv6}/32 md5
host all all 129.241.210.128/25 md5
host all all 2001:700:300:1900::/64 md5
'';
# Hilsen https://pgconfigurator.cybertec-postgresql.com/
@@ -74,40 +74,11 @@
};
};
systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
user = config.systemd.services.postgresql.serviceConfig.User;
group = config.systemd.services.postgresql.serviceConfig.Group;
mode = "0700";
};
systemd.services.postgresql-setup = {
after = [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
systemd.services.postgresql.serviceConfig = {
LoadCredential = [
"cert:/etc/certs/postgres.crt"
"key:/etc/certs/postgres.key"
];
serviceConfig = {
LoadCredential = [
"cert:/etc/certs/postgres.crt"
"key:/etc/certs/postgres.key"
];
BindPaths = [ "/data/postgresql:/var/lib/postgresql" ];
};
};
systemd.services.postgresql = {
after = [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
];
serviceConfig = {
LoadCredential = [
"cert:/etc/certs/postgres.crt"
"key:/etc/certs/postgres.key"
];
BindPaths = [ "/data/postgresql:/var/lib/postgresql" ];
};
};
environment.snakeoil-certs."/etc/certs/postgres" = {

46
hosts/bob/configuration.nix Normal file
View File

@@ -0,0 +1,46 @@
{ config, fp, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./disks.nix
(fp /misc/builder.nix)
];
sops.defaultSopsFile = fp /secrets/bob/bob.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
};
networking.hostName = "bob"; # Define your hostname.
systemd.network.networks."30-all" = values.defaultNetworkConfig // {
matchConfig.Name = "en*";
DHCP = "yes";
gateway = [ ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

39
hosts/bob/disks.nix Normal file
View File

@@ -0,0 +1,39 @@
# Example to create a bios compatible gpt partition
{ lib, ... }:
{
disko.devices = {
disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
}

18
hosts/lupine/hardware-configuration/lupine-4.nix → hosts/bob/hardware-configuration.nix
View File

@@ -5,30 +5,20 @@
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

1
hosts/brzeczyszczykiewicz/configuration.nix
View File

@@ -4,6 +4,7 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/grzegorz.nix
];

21
hosts/georg/configuration.nix
View File

@@ -4,6 +4,7 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
(fp /modules/grzegorz.nix)
];
@@ -24,26 +25,6 @@
# List services that you want to enable:
services.spotifyd = {
enable = true;
settings.global = {
device_name = "georg";
use_mpris = false;
#dbus_type = "system";
#zeroconf_port = 1234;
};
};
networking.firewall.allowedTCPPorts = [
# config.services.spotifyd.settings.zeroconf_port
5353 # spotifyd is its own mDNS service wtf
];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave

1
hosts/ildkule/configuration.nix
View File

@@ -4,6 +4,7 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/monitoring
./services/nginx

3
hosts/ildkule/services/monitoring/prometheus/default.nix
View File

@@ -2,12 +2,11 @@
stateDir = "/data/monitoring/prometheus";
in {
imports = [
./exim.nix
./gitea.nix
./machines.nix
./matrix-synapse.nix
./mysqld.nix
./postgres.nix
./machines.nix
];
services.prometheus = {

14
hosts/ildkule/services/monitoring/prometheus/exim.nix
View File

@@ -1,14 +0,0 @@
{ ... }:
{
services.prometheus = {
scrapeConfigs = [
{
job_name = "exim";
scrape_interval = "15s";
static_configs = [{
targets = [ "microbel.pvv.ntnu.no:9636" ];
}];
}
];
};
}

85
hosts/ildkule/services/monitoring/prometheus/machines.nix
View File

@@ -1,37 +1,66 @@
{ config, ... }: let
cfg = config.services.prometheus;
mkHostScrapeConfig = name: ports: {
labels.hostname = name;
targets = map (port: "${name}.pvv.ntnu.no:${toString port}") ports;
};
defaultNodeExporterPort = 9100;
defaultSystemdExporterPort = 9101;
defaultNixosExporterPort = 9102;
in {
services.prometheus.scrapeConfigs = [{
job_name = "base_info";
static_configs = [
(mkHostScrapeConfig "ildkule" [ cfg.exporters.node.port cfg.exporters.systemd.port defaultNixosExporterPort ])
(mkHostScrapeConfig "bekkalokk" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
# (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
(mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
{ labels.hostname = "ildkule";
targets = [
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
"ildkule.pvv.ntnu.no:${toString cfg.exporters.systemd.port}"
];
}
{ labels.hostname = "bekkalokk";
targets = [
"bekkalokk.pvv.ntnu.no:9100"
"bekkalokk.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "kommode";
targets = [
"kommode.pvv.ntnu.no:9100"
"kommode.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "bicep";
targets = [
"bicep.pvv.ntnu.no:9100"
"bicep.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "brzeczyszczykiewicz";
targets = [
"brzeczyszczykiewicz.pvv.ntnu.no:9100"
"brzeczyszczykiewicz.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "georg";
targets = [
"georg.pvv.ntnu.no:9100"
"georg.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "ustetind";
targets = [
"ustetind.pvv.ntnu.no:9100"
"ustetind.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "hildring";
targets = [
"hildring.pvv.ntnu.no:9100"
];
}
{ labels.hostname = "isvegg";
targets = [
"isvegg.pvv.ntnu.no:9100"
];
}
{ labels.hostname = "microbel";
targets = [
"microbel.pvv.ntnu.no:9100"
];
}
];
}];
}

2
hosts/ildkule/services/monitoring/prometheus/mysqld.nix
View File

@@ -10,7 +10,7 @@ in {
inherit (config.sops) placeholder;
in ''
[client]
host = mysql.pvv.ntnu.no
host = bicep.pvv.ntnu.no
port = 3306
user = prometheus_mysqld_exporter
password = ${placeholder."config/mysqld_exporter_password"}

2
hosts/kommode/configuration.nix
View File

@@ -4,6 +4,7 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/gitea
./services/nginx.nix
@@ -30,3 +31,4 @@
system.stateVersion = "24.11";
}

21
hosts/kommode/services/gitea/customization/default.nix
View File

@@ -3,12 +3,7 @@ let
cfg = config.services.gitea;
in
{
services.gitea-themes = {
monokai = pkgs.gitea-theme-monokai;
earl-grey = pkgs.gitea-theme-earl-grey;
pitch-black = pkgs.gitea-theme-pitch-black;
catppuccin = pkgs.gitea-theme-catppuccin;
};
services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
systemd.services.gitea-customization = lib.mkIf cfg.enable {
description = "Install extra customization in gitea's CUSTOM_DIR";
@@ -24,15 +19,10 @@ in
script = let
logo-svg = fp /assets/logo_blue_regular.svg;
logo-png = fp /assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
@@ -47,14 +37,17 @@ in
} ''
# Bigger icons
install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
sed -i -e 's/24/48/g' "$out/repo/icon.tmpl"
# Show license in list view
patch -i ${./licenses-in-repo-list.diff} "${cfg.package.src}/templates/explore/repo_list.tmpl" -o repo_list.tmpl
install -Dm444 repo_list.tmpl "$out/explore/repo_list.tmpl"
'';
in ''
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/

6
hosts/kommode/services/gitea/customization/licenses-in-repo-list.diff Normal file
View File

@@ -0,0 +1,6 @@
33a34,38
> {{if .DetectedRepoLicenses}}
> <a class="flex-text-inline" href="{{.RepoLink}}/src/{{.Repository.DefaultBranch}}/{{PathEscapeSegments .LicenseFileName}}" title="{{StringUtils.Join .DetectedRepoLicenses ", "}}">
> {{svg "octicon-law"}} {{if eq (len .DetectedRepoLicenses) 1}}{{index .DetectedRepoLicenses 0}}{{else}}{{ctx.Locale.Tr "repo.multiple_licenses"}}{{end}}
> </a>
> {{end}}

70
hosts/kommode/services/gitea/default.nix
View File

@@ -1,4 +1,4 @@
{ config, values, lib, pkgs, unstablePkgs, ... }:
{ config, values, lib, unstablePkgs, ... }:
let
cfg = config.services.gitea;
domain = "git.pvv.ntnu.no";
@@ -11,18 +11,15 @@ in {
./web-secret-provider
];
sops.secrets = let
defaultConfig = {
sops.secrets = {
"gitea/database" = {
owner = "gitea";
group = "gitea";
};
"gitea/email-password" = {
owner = "gitea";
group = "gitea";
restartUnits = [ "gitea.service" ];
};
in {
"gitea/database" = defaultConfig;
"gitea/email-password" = defaultConfig;
"gitea/lfs-jwt-secret" = defaultConfig;
"gitea/oauth2-jwt-secret" = defaultConfig;
"gitea/secret-key" = defaultConfig;
};
services.gitea = {
@@ -48,19 +45,9 @@ in {
ROOT_URL = "https://${domain}/";
PROTOCOL = "http+unix";
SSH_PORT = sshPort;
LANDING_PAGE = "explore";
START_SSH_SERVER = true;
START_LFS_SERVER = true;
LFS_JWT_SECRET = lib.mkForce "";
LFS_JWT_SECRET_URI = "file:${config.sops.secrets."gitea/lfs-jwt-secret".path}";
};
oauth2 = {
JWT_SECRET = lib.mkForce "";
JWT_SECRET_URI = "file:${config.sops.secrets."gitea/oauth2-jwt-secret".path}";
};
"git.timeout" = {
MIGRATE = 3600;
MIRROR = 1800;
LANDING_PAGE = "explore";
};
mailer = {
ENABLED = true;
@@ -84,10 +71,6 @@ in {
};
admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
session.COOKIE_SECURE = true;
security = {
SECRET_KEY = lib.mkForce "";
SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
};
database.LOG_SQL = false;
repository = {
PREFERRED_LICENSES = lib.concatStringsSep "," [
@@ -122,10 +105,6 @@ in {
picture = {
DISABLE_GRAVATAR = true;
ENABLE_FEDERATED_AVATAR = false;
AVATAR_MAX_FILE_SIZE = 1024 * 1024 * 5;
# NOTE: go any bigger than this, and gitea will freeze your gif >:(
AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
};
actions.ENABLED = true;
ui = {
@@ -157,7 +136,6 @@ in {
dump = {
enable = true;
interval = "weekly";
type = "tar.gz";
};
};
@@ -166,11 +144,6 @@ in {
systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch";
systemd.services.gitea.serviceConfig.CacheDirectory = "gitea/repo-archive";
systemd.services.gitea.serviceConfig.BindPaths = [
"%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
];
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
@@ -194,31 +167,4 @@ in {
};
networking.firewall.allowedTCPPorts = [ sshPort ];
systemd.services.gitea-dump = {
serviceConfig.ExecStart = let
args = lib.cli.toGNUCommandLineShell { } {
type = cfg.dump.type;
# This should be declarative on nixos, no need to backup.
skip-custom-dir = true;
# This can be regenerated, no need to backup
skip-index = true;
# Logs are stored in the systemd journal
skip-log = true;
};
in lib.mkForce "${lib.getExe cfg.package} ${args}";
# Only keep n backup files at a time
postStop = let
cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
backupCount = 3;
in ''
for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
${cu "rm"} "$file"
done
'';
};
}

25
hosts/kommode/services/gitea/gpg.nix
View File

@@ -4,23 +4,9 @@ let
GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
in
{
sops.secrets = {
"gitea/gpg-signing-key-public" = {
owner = cfg.user;
inherit (cfg) group;
restartUnits = [
"gitea.service"
"gitea-ensure-gnupg-homedir.service"
];
};
"gitea/gpg-signing-key-private" = {
owner = cfg.user;
inherit (cfg) group;
restartUnits = [
"gitea.service"
"gitea-ensure-gnupg-homedir.service"
];
};
sops.secrets."gitea/gpg-signing-key" = {
owner = cfg.user;
inherit (cfg) group;
};
systemd.services.gitea.environment = { inherit GNUPGHOME; };
@@ -32,7 +18,6 @@ in
systemd.services.gitea-ensure-gnupg-homedir = {
description = "Import gpg key for gitea";
before = [ "gitea.service" ];
environment = { inherit GNUPGHOME; };
serviceConfig = {
Type = "oneshot";
@@ -40,8 +25,7 @@ in
PrivateNetwork = true;
};
script = ''
${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-public".path}
${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-private".path}
${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key".path}
'';
};
@@ -50,6 +34,5 @@ in
SIGNING_NAME = "PVV Git";
SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
INITIAL_COMMIT = "always";
WIKI = "always";
};
}

4
hosts/kommode/services/gitea/import-users/default.nix
View File

@@ -11,8 +11,7 @@ in
systemd.services.gitea-import-users = lib.mkIf cfg.enable {
enable = true;
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
serviceConfig = {
ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
flakeIgnore = [
@@ -26,7 +25,6 @@ in
];
DynamicUser="yes";
EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
RuntimeDirectory = "gitea-import-users";
};
};

7
hosts/kommode/services/gitea/import-users/gitea-import-users.py
View File

@@ -17,10 +17,6 @@ GITEA_API_URL = os.getenv('GITEA_API_URL')
if GITEA_API_URL is None:
GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
PASSWD_FILE_PATH = os.getenv('PASSWD_FILE_PATH')
if PASSWD_FILE_PATH is None:
PASSWD_FILE_PATH = '/tmp/passwd-import'
def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
r = requests.get(
@@ -191,8 +187,7 @@ def main():
if existing_users is None:
exit(1)
print(f"Reading passwd entries from {PASSWD_FILE_PATH}")
for username, name in passwd_file_parser(PASSWD_FILE_PATH):
for username, name in passwd_file_parser("/tmp/passwd-import"):
print(f"Processing {username}")
add_or_patch_gitea_user(username, name, existing_users)
for org, team_name in COMMON_USER_TEAMS:

0
hosts/kommode/services/gitea/customization/labels/projects.json → hosts/kommode/services/gitea/labels/projects.json
View File

34
hosts/lupine/configuration.nix
View File

@@ -1,34 +0,0 @@
{ fp, values, lupineName, ... }:
{
imports = [
./hardware-configuration/${lupineName}.nix
(fp /base)
./services/gitea-runner.nix
];
sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
matchConfig.Name = "enp0s31f6";
address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ];
networkConfig.LLDP = false;
};
systemd.network.wait-online = {
anyInterface = true;
};
# There are no smart devices
services.smartd.enable = false;
# Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.05";
}

40
hosts/lupine/hardware-configuration/lupine-1.nix
View File

@@ -1,40 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/81D6-38D3";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

40
hosts/lupine/hardware-configuration/lupine-2.nix
View File

@@ -1,40 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/4A34-6AE5";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

40
hosts/lupine/hardware-configuration/lupine-3.nix
View File

@@ -1,40 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/63FA-297B";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

40
hosts/lupine/hardware-configuration/lupine-5.nix
View File

@@ -1,40 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/F372-37DF";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

71
hosts/lupine/services/gitea-runner.nix
View File

@@ -1,71 +0,0 @@
{ config, lupineName, ... }:
{
# This is unfortunately state, and has to be generated one at a time :(
# To do that, comment out all except one of the runners, fill in its token
# inside the sops file, rebuild the system, and only after this runner has
# successfully registered will gitea give you the next token.
# - oysteikt Sep 2023
sops = {
secrets."gitea/runners/token" = {
key = "gitea/runners/${lupineName}";
};
templates."gitea-runner-envfile" = {
restartUnits = [
"gitea-runner-${lupineName}.service"
];
content = ''
TOKEN="${config.sops.placeholder."gitea/runners/token"}"
'';
};
};
services.gitea-actions-runner.instances = {
${lupineName} = {
enable = true;
name = "git-runner-${lupineName}";
url = "https://git.pvv.ntnu.no";
# NOTE: gitea actions runners need node inside their docker images,
# so we are a bit limited here.
labels = [
"debian-latest:docker://node:current-trixie"
"debian-trixie:docker://node:current-trixie"
"debian-bookworm:docker://node:current-bookworm"
"debian-bullseye:docker://node:current-bullseye"
"debian-latest-slim:docker://node:current-trixie-slim"
"debian-trixie-slim:docker://node:current-trixie-slim"
"debian-bookworm-slim:docker://node:current-bookworm-slim"
"debian-bullseye-slim:docker://node:current-bullseye-slim"
"alpine-latest:docker://node:current-alpine"
"alpine-3.22:docker://node:current-alpine3.22"
"alpine-3.21:docker://node:current-alpine3.21"
# See https://gitea.com/gitea/runner-images
"ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
"ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04"
"ubuntu-noble:docker://docker.gitea.com/runner-images:ubuntu-24.04"
"ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
"ubuntu-jammy:docker://docker.gitea.com/runner-images:ubuntu-22.04"
"ubuntu-latest-slim:docker://docker.gitea.com/runner-images:ubuntu-latest-slim"
"ubuntu-24.04-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
"ubuntu-noble-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
"ubuntu-22.04-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim"
"ubuntu-jammy-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim"
];
tokenFile = config.sops.templates."gitea-runner-envfile".path;
};
};
virtualisation.podman = {
enable = true;
defaultNetwork.settings.dns_enabled = true;
autoPrune.enable = true;
};
networking.dhcpcd.IPv6rs = false;
networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
}

1
hosts/shark/configuration.nix
View File

@@ -4,6 +4,7 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
];
sops.defaultSopsFile = fp /secrets/shark/shark.yaml;

1
hosts/ustetind/configuration.nix
View File

@@ -3,6 +3,7 @@
{
imports = [
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/gitea-runners.nix
];

44
hosts/wenche/configuration.nix
View File

@@ -1,44 +0,0 @@
{ config, fp, pkgs, values, lib, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
];
nix.settings.trusted-users = [ "@nix-builder-users" ];
nix.daemonCPUSchedPolicy = "batch";
boot.binfmt.emulatedSystems = [
"aarch64-linux"
"armv7l-linux"
];
sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "wenche"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
hardware.graphics.enable = true;
services.xserver.videoDrivers = [ "nvidia" ];
hardware.nvidia = {
modesetting.enable = true;
open = false;
package = config.boot.kernelPackages.nvidiaPackages.production;
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
system.stateVersion = "24.11"; # Did you read the comment?
}

27
hosts/wenche/hardware-configuration.nix
View File

@@ -1,27 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "nvidia" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4e8ecdd2-d453-4fff-b952-f06da00f3b85";
fsType = "ext4";
};
swapDevices = [ {
device = "/var/lib/swapfile";
size = 16*1024;
} ];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

57
justfile
View File

@@ -1,56 +1,25 @@
set positional-arguments # makes variables accesible as $1 $2 $@
export GUM_FILTER_HEIGHT := "15"
nom := `if [[ -t 1 ]] && command -v nom >/dev/null; then echo nom; else echo nix; fi`
nix_eval_opts := "--log-format raw --option warn-dirty false"
nom := `if command -v nom >/dev/null; then echo nom; else echo nix; fi`
@_default:
just "$(gum choose --ordered --header "Pick a recipie..." $(just --summary --unsorted))"
check *_:
nix flake check --keep-going "$@"
check:
nix flake check --keep-going
build-machine machine=`just _a_machine` *_:
{{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel "${@:2}"
build-machine machine=`just _a_machine`:
{{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel
run-vm machine=`just _a_machine` *_:
nixos-rebuild build-vm --flake .#{{ machine }} "${@:2}"
run-vm machine=`just _a_machine`:
nixos-rebuild build-vm --flake .#{{ machine }}
QEMU_NET_OPTS="hostfwd=tcp::8080-:80,hostfwd=tcp::8081-:443,hostfwd=tcp::2222-:22" ./result/bin/run-*-vm
@update-inputs *_:
@git reset flake.lock
@git restore flake.lock
nix eval {{nix_eval_opts}} --file flake.nix --apply 'x: builtins.attrNames x.inputs' --json \
| { printf "%s\n" --commit-lock-file; jq '.[]' -r | grep -vxF "self" ||:; } \
| gum choose --no-limit --header "Choose extra arguments:" \
| tee >(xargs -d'\n' echo + nix flake update "$@" >&2) \
| xargs -d'\n' nix flake update "$@"
@repl $machine=`just _a_machine` *_:
set -v; nixos-rebuild --flake .#"$machine" repl "${@:2}"
@eval $machine=`just _a_machine` $attrpath="system.build.toplevel.outPath" *_:
set -v; nix eval {{nix_eval_opts}} ".#nixosConfigurations.\"$machine\".config.$attrpath" --show-trace "${@:3}"
@eval-vm $machine=`just _a_machine` $attrpath="system.build.toplevel.outPath" *_:
just eval "$machine" "virtualisation.vmVariant.$attrpath" "${@:3}"
@update-inputs:
nix eval .#inputs --apply builtins.attrNames --json \
| jq '.[]' -r \
| gum choose --no-limit --height=15 \
| xargs -L 1 nix flake lock --update-input
# helpers
[no-exit-message]
_a_machine:
#!/usr/bin/env -S sh -euo pipefail
machines="$(
nix eval {{nix_eval_opts}} .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r
)"
[ -n "$machines" ] || { echo >&2 "ERROR: no machines found"; false; }
if [ -s .direnv/vars/last-machine.txt ]; then
machines="$(
grep <<<"$machines" -xF "$(cat .direnv/vars/last-machine.txt)" ||:
grep <<<"$machines" -xFv "$(cat .direnv/vars/last-machine.txt)" ||:
)"
fi
choice="$(gum filter <<<"$machines")"
mkdir -p .direnv/vars
cat <<<"$choice" >.direnv/vars/last-machine.txt
cat <<<"$choice"
nix eval .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r | gum filter

61
keys/oysteikt.pub
View File

@@ -26,40 +26,29 @@ eJAiipB0QOH9SEa5Io6BSiqsBQJmqp4CBQkFpUs7AIF2IAQZFgoAHRYhBPPNqGzF
Wp8Q16BpgZ8vfYJQ81FGBQJi5oZHAAoJEJ8vfYJQ81FGFZgBALN+Rh4m323TaM5z
dJfCTV7V0aP3J0RdKmtKvz/Y9a7uAP4oP8UlbM9ucyG252gZ8IjM0VprNzP9CpNl
4GzpD4CRDgkQRrkijoFKKqwYoQEAz0D3G/dD6DBYBf7p6pGYqXd2X0Dv8nmnalol
Z6SxfUMA/jT/XjPh7c4Ui8nZO7XDzYWrbV/eZwGMd1zXq2mU42MLiPUEGBYKACYC
GwIWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCaI6lzgUJCWqGhwCBdiAEGRYKAB0W
IQTzzahsxVqfENegaYGfL32CUPNRRgUCYuaGRwAKCRCfL32CUPNRRhWYAQCzfkYe
Jt9t02jOc3SXwk1e1dGj9ydEXSprSr8/2PWu7gD+KD/FJWzPbnMhtudoGfCIzNFa
azcz/QqTZeBs6Q+AkQ4JEEa5Io6BSiqsCG0BALDNFlploZWjQ0Xn3B9fd+1sTUmY
+e0s95lEY7XqVkF2AQCkKzMd2mHsymyVtY32bSsZ0iJxHTmxomS0uQ/TGIugB7kC
DQRi5oZ6ARAA2tcgStDSsVSLaN4UodtYaKGKVnBF1qjD1xzt+K3AIZLVRTjhyJdm
xRknEAGV7YwHKlJjMgvjzLNQ2aKHBZPvTybde4QGv7Ogka8PLyvtX1aoY9Fzi7Xr
xlfYguiEb4T8c07DmnjrLIDBiFPMQ5jCk9pxhxjVJKjlxpXetxNzSrCt5Z5fgQna
SdH9xhAe2kkPqZOpNbszg11/5oQFCZi9TJFWeoyQN74bK3tCn2vafguZj+ISyeox
fqBErwOBwvi7gkhpuuoCAzAt/Y5y6OocGBBI3z1w+wlADeEtniEkhXfmXJTdr2HK
ymILAmUtIQRToA4SighwbjMD9dgCDPMvC+uP3jlhaUe7NkrQD442G2XmRAhy1mbd
cxlb5Eu16epbAIOv0/BMrChu705dkKvVtAZszYJNjg02ZIb9IKql6aXa/HkYqvod
KjHyabRtBsnDr6m/T6BDtnXzQo4yCPFX2khn0hGKPFMLKmE7X4HaDZxQlynda+0J
r63WzbBQ0ZpL/sFiaIqcFGlarsm9ijeudo0pacDBAlun0hLE/+Qt5iS4AJoupesq
LMOh3SGOo4KQhrcZx1ts0XiEuns2XbcWAQpBByu9MgEsmiB6yyw5J8Pg7ir1wFjg
HnKG/BjQRzo12Xty8wbdq1YDgkWvlu5opTYI1ArM/kd6zPF30fsDRBsAEQEAAYh+
BBgWCgAmFiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmLmhnoCGwwFCQPCZwAACgkQ
RrkijoFKKqwxNAEAwcUbJlvS+tJsRgqdQqTVgVw9k+g+tOT5TYjQnDPnDgoA/3Nj
orUkhudDNGEW8odSz2C+mEHjy9HUJGLI5ul1ZqwCiH4EGBYKACYCGwwWIQT303iQ
IoqQdEDh/UhGuSKOgUoqrAUCZqqeBQUJBaVLCAAKCRBGuSKOgUoqrMnbAP4oQbpa
Uki4OAfaSbH36qYTIbe8k9w58+e4nsVBII94wQEA3nSPoMKWZTI1eiHR/xKc9uOI
/Nk2tOHKpEjs9mOtywaIfgQYFgoAJgIbDBYhBPfTeJAiipB0QOH9SEa5Io6BSiqs
BQJojqXOBQkJaoZUAAoJEEa5Io6BSiqsiXkBAJ0JTRmdQQpEK9KSh8V7FEkblIsm
Ngko2cs+OhNSUgW9AQD0a7FHM3Dx32a7yD0zE3QwWi5VgeZZVIPyhItrOaANDbgz
BGLmhsUWCSsGAQQB2kcPAQEHQFg/avgj0sZbxqL58tZEpcaieeL1OWOoVU3mZX/K
7GU+iH4EGBYKACYWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCYuaGxQIbIAUJA8Jn
AAAKCRBGuSKOgUoqrN5jAP96aO0MEPQSIKdLaa9+ilpPp+glJ9duIJ7zdR0U15tO
NAEA0WqeRc8Jhv10UjIz/Q3UlcfvKPzVW6yVKo+Lg1FI2QSIfgQYFgoAJgIbIBYh
BPfTeJAiipB0QOH9SEa5Io6BSiqsBQJmqp4GBQkFpUq9AAoJEEa5Io6BSiqsjF0B
AJn0EBEJfszskYiZzMshFHW5k0QUF+Ak3JNh2UG+M6FJAQCQVY/lDkrvOytuFnKb
kDrCaTrtLh/JAmBXpSERIejmD4h+BBgWCgAmAhsgFiEE99N4kCKKkHRA4f1IRrki
joFKKqwFAmiOpc4FCQlqhgkACgkQRrkijoFKKqwSMAD/bbO/uwwdFEJVgcNRexZU
6aoSxAGI1vjS92hSyfxZ9AABAK8KYO8sBGGCiVu+vWUpoUYmp3lfYTJHtf+36WMc
D5MD
=Gubf
Z6SxfUMA/jT/XjPh7c4Ui8nZO7XDzYWrbV/eZwGMd1zXq2mU42MLuQINBGLmhnoB
EADa1yBK0NKxVIto3hSh21hooYpWcEXWqMPXHO34rcAhktVFOOHIl2bFGScQAZXt
jAcqUmMyC+PMs1DZoocFk+9PJt17hAa/s6CRrw8vK+1fVqhj0XOLtevGV9iC6IRv
hPxzTsOaeOssgMGIU8xDmMKT2nGHGNUkqOXGld63E3NKsK3lnl+BCdpJ0f3GEB7a
SQ+pk6k1uzODXX/mhAUJmL1MkVZ6jJA3vhsre0Kfa9p+C5mP4hLJ6jF+oESvA4HC
+LuCSGm66gIDMC39jnLo6hwYEEjfPXD7CUAN4S2eISSFd+ZclN2vYcrKYgsCZS0h
BFOgDhKKCHBuMwP12AIM8y8L64/eOWFpR7s2StAPjjYbZeZECHLWZt1zGVvkS7Xp
6lsAg6/T8EysKG7vTl2Qq9W0BmzNgk2ODTZkhv0gqqXppdr8eRiq+h0qMfJptG0G
ycOvqb9PoEO2dfNCjjII8VfaSGfSEYo8UwsqYTtfgdoNnFCXKd1r7QmvrdbNsFDR
mkv+wWJoipwUaVquyb2KN652jSlpwMECW6fSEsT/5C3mJLgAmi6l6yosw6HdIY6j
gpCGtxnHW2zReIS6ezZdtxYBCkEHK70yASyaIHrLLDknw+DuKvXAWOAecob8GNBH
OjXZe3LzBt2rVgOCRa+W7milNgjUCsz+R3rM8XfR+wNEGwARAQABiH4EGBYKACYW
IQT303iQIoqQdEDh/UhGuSKOgUoqrAUCYuaGegIbDAUJA8JnAAAKCRBGuSKOgUoq
rDE0AQDBxRsmW9L60mxGCp1CpNWBXD2T6D605PlNiNCcM+cOCgD/c2OitSSG50M0
YRbyh1LPYL6YQePL0dQkYsjm6XVmrAKIfgQYFgoAJgIbDBYhBPfTeJAiipB0QOH9
SEa5Io6BSiqsBQJmqp4FBQkFpUsIAAoJEEa5Io6BSiqsydsA/ihBulpSSLg4B9pJ
sffqphMht7yT3Dnz57iexUEgj3jBAQDedI+gwpZlMjV6IdH/Epz244j82Ta04cqk
SOz2Y63LBrgzBGLmhsUWCSsGAQQB2kcPAQEHQFg/avgj0sZbxqL58tZEpcaieeL1
OWOoVU3mZX/K7GU+iH4EGBYKACYWIQT303iQIoqQdEDh/UhGuSKOgUoqrAUCYuaG
xQIbIAUJA8JnAAAKCRBGuSKOgUoqrN5jAP96aO0MEPQSIKdLaa9+ilpPp+glJ9du
IJ7zdR0U15tONAEA0WqeRc8Jhv10UjIz/Q3UlcfvKPzVW6yVKo+Lg1FI2QSIfgQY
FgoAJgIbIBYhBPfTeJAiipB0QOH9SEa5Io6BSiqsBQJmqp4GBQkFpUq9AAoJEEa5
Io6BSiqsjF0BAJn0EBEJfszskYiZzMshFHW5k0QUF+Ak3JNh2UG+M6FJAQCQVY/l
DkrvOytuFnKbkDrCaTrtLh/JAmBXpSERIejmDw==
=7cFp
-----END PGP PUBLIC KEY BLOCK-----

11
misc/builder.nix Normal file
View File

@@ -0,0 +1,11 @@
{ ... }:
{
nix.settings.trusted-users = [ "@nix-builder-users" ];
nix.daemonCPUSchedPolicy = "batch";
boot.binfmt.emulatedSystems = [
"aarch64-linux"
"armv7l-linux"
];
}

80
misc/metrics-exporters.nix Normal file
View File

@@ -0,0 +1,80 @@
{ config, pkgs, values, ... }:
{
services.prometheus.exporters.node = {
enable = true;
port = 9100;
enabledCollectors = [ "systemd" ];
};
systemd.services.prometheus-node-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
services.prometheus.exporters.systemd = {
enable = true;
port = 9101;
extraFlags = [
"--systemd.collector.enable-restart-count"
"--systemd.collector.enable-ip-accounting"
];
};
systemd.services.prometheus-systemd-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = [ 9100 9101 ];
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 28183;
grpc_listen_port = 0;
};
clients = [
{
url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "systemd-journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = config.networking.hostName;
};
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
];
}
];
};
};
}

86
misc/rust-motd.nix Normal file
View File

@@ -0,0 +1,86 @@
{ pkgs, lib, config, ... }:
{
environment = {
systemPackages = with pkgs; [
rust-motd
toilet
];
loginShellInit = let
motd = "${pkgs.rust-motd}/bin/rust-motd /etc/${config.environment.etc.rustMotdConfig.target}";
in ''
# Assure stdout is a terminal, so headless programs won't be broken
if [ "x''${SSH_TTY}" != "x" ]; then
${motd}
fi
'';
etc.rustMotdConfig = {
target = "rust-motd-config.toml";
source = let
cfg = {
global = {
progress_full_character = "=";
progress_empty_character = "=";
progress_prefix = "[";
progress_suffix = "]";
time_format = "%Y-%m-%d %H:%M:%S";
};
banner = {
color = "red";
command = "hostname | ${pkgs.toilet}/bin/toilet -f mono9";
};
service_status = {
Accounts = "accounts-daemon";
Cron = "cron";
Docker = "docker";
Matrix = "matrix-synapse";
sshd = "sshd";
};
uptime = {
prefix = "Uptime: ";
};
# Not relevant for server
# user_service_status = {
# Gpg-agent = "gpg-agent";
# };
filesystems = let
inherit (lib.attrsets) attrNames listToAttrs nameValuePair;
inherit (lib.lists) imap1;
inherit (config) fileSystems;
imap1Attrs' = f: set:
listToAttrs (imap1 (i: attr: f i attr set.${attr}) (attrNames set));
getName = i: v: if (v.label != null) then v.label else "<? ${toString i}>";
in
imap1Attrs' (i: n: v: nameValuePair (getName i v) n) fileSystems;
memory = {
swap_pos = "beside"; # or "below" or "none"
};
last_login = let
inherit (lib.lists) imap1;
inherit (lib.attrsets) filterAttrs nameValuePair attrValues listToAttrs;
inherit (config.users) users;
normalUsers = filterAttrs (n: v: v.isNormalUser || n == "root") users;
userNPVs = imap1 (index: user: nameValuePair user.name index) (attrValues normalUsers);
in listToAttrs userNPVs;
last_run = {};
};
toml = pkgs.formats.toml {};
in toml.generate "rust-motd.toml" cfg;
};
};
}

310
modules/gickup/default.nix
View File

@@ -1,310 +0,0 @@
{ config, pkgs, lib, utils, ... }:
let
cfg = config.services.gickup;
format = pkgs.formats.yaml { };
in
{
imports = [
./set-description.nix
./hardlink-files.nix
./import-from-toml.nix
./update-linktree.nix
];
options.services.gickup = {
enable = lib.mkEnableOption "gickup, a git repository mirroring service";
package = lib.mkPackageOption pkgs "gickup" { };
gitPackage = lib.mkPackageOption pkgs "git" { };
gitLfsPackage = lib.mkPackageOption pkgs "git-lfs" { };
dataDir = lib.mkOption {
type = lib.types.path;
description = "The directory to mirror repositories to.";
default = "/var/lib/gickup";
example = "/data/gickup";
};
destinationSettings = lib.mkOption {
description = ''
Settings for destination local, see gickup configuration file
Note that `path` will be set automatically to `/var/lib/gickup`
'';
type = lib.types.submodule {
freeformType = format.type;
};
default = { };
example = {
structured = true;
zip = false;
keep = 10;
bare = true;
lfs = true;
};
};
instances = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule (submoduleInputs@{ name, ... }: let
submoduleName = name;
nameParts = rec {
repoType = builtins.head (lib.splitString ":" submoduleName);
owner = if repoType == "any"
then null
else lib.pipe submoduleName [
(lib.removePrefix "${repoType}:")
(lib.splitString "/")
builtins.head
];
repo = if repoType == "any"
then null
else lib.pipe submoduleName [
(lib.removePrefix "${repoType}:")
(lib.splitString "/")
lib.last
];
slug = if repoType == "any"
then lib.toLower (builtins.replaceStrings [ ":" "/" ] [ "-" "-" ] submoduleName)
else "${lib.toLower repoType}-${lib.toLower owner}-${lib.toLower repo}";
};
in {
options = {
interval = lib.mkOption {
type = lib.types.str;
default = "daily";
example = "weekly";
description = ''
Specification (in the format described by {manpage}`systemd.time(7)`) of the time
interval at which to run the service.
'';
};
type = lib.mkOption {
type = lib.types.enum [
"github"
"gitlab"
"gitea"
"gogs"
"bitbucket"
"onedev"
"sourcehut"
"any"
];
example = "github";
default = nameParts.repoType;
description = ''
The type of the repository to mirror.
'';
};
owner = lib.mkOption {
type = with lib.types; nullOr str;
example = "go-gitea";
default = nameParts.owner;
description = ''
The owner of the repository to mirror (if applicable)
'';
};
repo = lib.mkOption {
type = with lib.types; nullOr str;
example = "gitea";
default = nameParts.repo;
description = ''
The name of the repository to mirror (if applicable)
'';
};
slug = lib.mkOption {
type = lib.types.str;
default = nameParts.slug;
example = "github-go-gitea-gitea";
description = ''
The slug of the repository to mirror.
'';
};
description = lib.mkOption {
type = with lib.types; nullOr str;
example = "A project which does this and that";
description = ''
A description of the project. This isn't used directly by gickup for anything,
but can be useful if gickup is used together with cgit or similar.
'';
};
settings = lib.mkOption {
description = "Instance specific settings, see gickup configuration file";
type = lib.types.submodule {
freeformType = format.type;
};
default = { };
example = {
username = "gickup";
password = "hunter2";
wiki = true;
issues = true;
};
};
};
}));
};
};
config = lib.mkIf cfg.enable {
users.users.gickup = {
isSystemUser = true;
group = "gickup";
home = "/var/lib/gickup";
};
users.groups.gickup = { };
services.gickup.destinationSettings.path = "/var/lib/gickup/raw";
systemd.tmpfiles.settings."10-gickup" = lib.mkIf (cfg.dataDir != "/var/lib/gickup") {
${cfg.dataDir}.d = {
user = "gickup";
group = "gickup";
mode = "0755";
};
};
systemd.slices."system-gickup" = {
description = "Gickup git repository mirroring service";
after = [ "network.target" ];
};
systemd.targets.gickup = {
description = "Gickup git repository mirroring service";
wants = map ({ slug, ... }: "gickup@${slug}.service") (lib.attrValues cfg.instances);
};
systemd.timers = {
"gickup@" = {
description = "Gickup git repository mirroring service for %i";
timerConfig = {
OnCalendar = "daily";
RandomizedDelaySec = "1h";
Persistent = true;
AccuracySec = "1s";
};
};
}
//
# Overrides for mirrors which are not "daily"
(lib.pipe cfg.instances [
builtins.attrValues
(builtins.filter (instance: instance.interval != "daily"))
(map ({ slug, interval, ... }: {
name = "gickup@${slug}";
value = {
overrideStrategy = "asDropin";
timerConfig.OnCalendar = interval;
};
}))
builtins.listToAttrs
]);
systemd.targets.timers.wants = map ({ slug, ... }: "gickup@${slug}.timer") (lib.attrValues cfg.instances);
systemd.services = {
"gickup@" = let
configDir = lib.pipe cfg.instances [
(lib.mapAttrsToList (name: instance: {
name = "${instance.slug}.yml";
path = format.generate "gickup-configuration-${name}.yml" {
destination.local = [ cfg.destinationSettings ];
source.${instance.type} = [
(
(lib.optionalAttrs (instance.type != "any") {
user = instance.owner;
includeorgs = [ instance.owner ];
include = [ instance.repo ];
})
//
instance.settings
)
];
};
}))
(pkgs.linkFarm "gickup-configuration-files")
];
in {
description = "Gickup git repository mirroring service for %i";
after = [ "network.target" ];
path = [
cfg.gitPackage
cfg.gitLfsPackage
];
restartIfChanged = false;
serviceConfig = {
Type = "oneshot";
ExecStart = "'${pkgs.gickup}/bin/gickup' '${configDir}/%i.yml'";
ExecStartPost = "";
User = "gickup";
Group = "gickup";
BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
"${cfg.dataDir}:/var/lib/gickup"
];
Slice = "system-gickup.slice";
SyslogIdentifier = "gickup-%i";
StateDirectory = "gickup";
# WorkingDirectory = "gickup";
# RuntimeDirectory = "gickup";
# RuntimeDirectoryMode = "0700";
# https://discourse.nixos.org/t/how-to-prevent-custom-systemd-service-from-restarting-on-nixos-rebuild-switch/43431
RemainAfterExit = true;
# Hardening options
AmbientCapabilities = [];
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
# ProtectProc = "invisible";
# ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
# SystemCallFilter = [
# "@system-service"
# "~@resources"
# "~@privileged"
# ];
UMask = "0002";
CapabilityBoundingSet = [];
};
};
};
};
}

42
modules/gickup/hardlink-files.nix
View File

@@ -1,42 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.gickup;
in
{
config = lib.mkIf cfg.enable {
# TODO: add a service that will look at the backed up files and hardlink
# the ones that have a matching hash together to save space. This can
# either run routinely (i.e. trigger by systemd-timer), or be activated
# whenever a gickup@<slug>.service finishes. The latter is probably better.
# systemd.services."gickup-hardlink" = {
# serviceConfig = {
# Type = "oneshot";
# ExecStart = let
# script = pkgs.writeShellApplication {
# name = "gickup-hardlink-files.sh";
# runtimeInputs = [ pkgs.coreutils pkgs.jdupes ];
# text = ''
# '';
# };
# in lib.getExe script;
# User = "gickup";
# Group = "gickup";
# BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
# "${cfg.dataDir}:/var/lib/gickup"
# ];
# Slice = "system-gickup.slice";
# StateDirectory = "gickup";
# # Hardening options
# # TODO:
# PrivateNetwork = true;
# };
# };
};
}

11
modules/gickup/import-from-toml.nix
View File

@@ -1,11 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.gickup;
in
{
config = lib.mkIf cfg.enable {
# TODO: import cfg.instances from a toml file to make it easier for non-nix users
# to add repositories to mirror
};
}

9
modules/gickup/set-description.nix
View File

@@ -1,9 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.gickup;
in
{
config = lib.mkIf cfg.enable {
# TODO: create .git/description files for each repo where cfg.instances.<instance>.description is set
};
}

84
modules/gickup/update-linktree.nix
View File

@@ -1,84 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.gickup;
in
{
config = lib.mkIf cfg.enable {
# TODO: run upon completion of cloning a repository
systemd.timers."gickup-linktree" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
Unit = "gickup-linktree.service";
};
};
# TODO: update symlink for one repo at a time (e.g. gickup-linktree@<instance>.service)
systemd.services."gickup-linktree" = {
serviceConfig = {
Type = "oneshot";
ExecStart = let
script = pkgs.writeShellApplication {
name = "gickup-update-symlink-tree.sh";
runtimeInputs = [
pkgs.coreutils
pkgs.findutils
];
text = ''
shopt -s nullglob
for repository in ./*/*/*; do
REPOSITORY_RELATIVE_DIRS=''${repository#"./"}
echo "Checking $REPOSITORY_RELATIVE_DIRS"
declare -a REVISIONS
readarray -t REVISIONS < <(find "$repository" -mindepth 1 -maxdepth 1 -printf "%f\n" | sort --numeric-sort --reverse)
if [[ "''${#REVISIONS[@]}" == 0 ]]; then
echo "Found no revisions for $repository, continuing"
continue
fi
LAST_REVISION="''${REVISIONS[0]}"
SYMLINK_PATH="../linktree/''${REPOSITORY_RELATIVE_DIRS}"
mkdir -p "$(dirname "$SYMLINK_PATH")"
EXPECTED_SYMLINK_TARGET=$(realpath "''${repository}/''${LAST_REVISION}")
EXISTING_SYMLINK_TARGET=$(realpath "$SYMLINK_PATH" || echo "<none>")
if [[ "$EXISTING_SYMLINK_TARGET" != "$EXPECTED_SYMLINK_TARGET" ]]; then
echo "Updating symlink for $REPOSITORY_RELATIVE_DIRS"
rm "$SYMLINK_PATH" ||:
ln -rs "$EXPECTED_SYMLINK_TARGET" "$SYMLINK_PATH"
else
echo "Symlink already up to date, continuing..."
fi
echo "---"
done
'';
};
in lib.getExe script;
User = "gickup";
Group = "gickup";
BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
"${cfg.dataDir}:/var/lib/gickup"
];
Slice = "system-gickup.slice";
StateDirectory = "gickup";
WorkingDirectory = "/var/lib/gickup/raw";
# Hardening options
# TODO:
PrivateNetwork = true;
};
};
};
}

42
modules/grzegorz.nix
View File

@@ -1,4 +1,4 @@
{config, lib, pkgs, unstablePkgs, values, ...}:
{config, lib, pkgs, ...}:
let
grg = config.services.greg-ng;
grgw = config.services.grzegorz-webui;
@@ -11,13 +11,6 @@ in {
settings.port = 31337;
enableSway = true;
enablePipewire = true;
mpvPackage = unstablePkgs.mpv;
};
systemd.user.services.restart-greg-ng = {
script = "systemctl --user restart greg-ng.service";
startAt = "*-*-* 06:30:00";
};
services.grzegorz-webui = {
@@ -44,23 +37,10 @@ in {
"${machine}.pvv.org"
];
extraConfig = ''
# pvv
allow ${values.ipv4-space}
allow ${values.ipv6-space}
# ntnu
allow ${values.ntnu.ipv4-space}
allow ${values.ntnu.ipv6-space}
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
locations."/docs" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
};
locations."/api" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
proxyWebsockets = true;
};
};
"${machine}-backend.pvv.ntnu.no" = {
@@ -71,12 +51,8 @@ in {
"${machine}-backend.pvv.org"
];
extraConfig = ''
# pvv
allow ${values.ipv4-space}
allow ${values.ipv6-space}
# ntnu
allow ${values.ntnu.ipv4-space}
allow ${values.ntnu.ipv6-space}
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';
@@ -94,12 +70,8 @@ in {
"${machine}-old.pvv.org"
];
extraConfig = ''
# pvv
allow ${values.ipv4-space}
allow ${values.ipv6-space}
# ntnu
allow ${values.ntnu.ipv4-space}
allow ${values.ntnu.ipv6-space}
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
deny all;
'';

211
modules/matrix-ooye.nix
View File

@@ -1,211 +0,0 @@
# Original from: https://cgit.rory.gay/nix/OOYE-module.git/
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.matrix-ooye;
mkStringOption =
name: default:
lib.mkOption {
type = lib.types.str;
default = default;
};
in
{
options = {
services.matrix-ooye = {
enable = lib.mkEnableOption "Enable OOYE service";
package = lib.mkOption {
type = lib.types.package;
default = pkgs.out-of-your-element;
};
appserviceId = mkStringOption "The ID of the appservice." "ooye";
homeserver = mkStringOption "The homeserver to connect to." "http://localhost:8006";
homeserverName = mkStringOption "The name of the homeserver to connect to." "localhost";
namespace = mkStringOption "The prefix to use for the MXIDs/aliases of bridged users/rooms. Should end with a _!" "_ooye_";
discordTokenPath = mkStringOption "The path to the discord token file." "/etc/ooye-discord-token";
discordClientSecretPath = mkStringOption "The path to the discord token file." "/etc/ooye-discord-client-secret";
socket = mkStringOption "The socket to listen on, can either be a port number or a unix socket path." "6693";
bridgeOrigin = mkStringOption "The web frontend URL for the bridge, defaults to http://localhost:{socket}" "";
enableSynapseIntegration = lib.mkEnableOption "Enable Synapse integration";
};
};
config = lib.mkIf cfg.enable (
let
baseConfig = pkgs.writeText "matrix-ooye-config.json" (
builtins.toJSON {
id = cfg.appserviceId;
namespaces = {
users = [
{
exclusive = true;
regex = "@${cfg.namespace}.*:${cfg.homeserverName}";
}
];
aliases = [
{
exclusive = true;
regex = "#${cfg.namespace}.*:${cfg.homeserverName}";
}
];
};
protocols = [ "discord" ];
sender_localpart = "${cfg.namespace}bot";
rate_limited = false;
socket = cfg.socket; # Can either be a TCP port or a unix socket path
url = if (lib.hasPrefix "/" cfg.socket) then "unix:${cfg.socket}" else "http://localhost:${cfg.socket}";
ooye = {
server_name = cfg.homeserverName;
namespace_prefix = cfg.namespace;
max_file_size = 5000000;
content_length_workaround = false;
include_user_id_in_mxid = true;
server_origin = cfg.homeserver;
bridge_origin = if (cfg.bridgeOrigin == "") then "http://localhost:${cfg.socket}" else cfg.bridgeOrigin;
};
}
);
script = pkgs.writeScript "matrix-ooye-pre-start.sh" ''
#!${lib.getExe pkgs.bash}
REGISTRATION_FILE=registration.yaml
id
echo "Before if statement"
stat ''${REGISTRATION_FILE}
if [[ ! -f ''${REGISTRATION_FILE} ]]; then
echo "No registration file found at '$REGISTRATION_FILE'"
cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
fi
echo "After if statement"
stat ''${REGISTRATION_FILE}
AS_TOKEN=$(${lib.getExe pkgs.jq} -r .as_token ''${REGISTRATION_FILE})
HS_TOKEN=$(${lib.getExe pkgs.jq} -r .hs_token ''${REGISTRATION_FILE})
DISCORD_TOKEN=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)
DISCORD_CLIENT_SECRET=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)
# Check if we have all required tokens
if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then
AS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
echo "Generated new AS token: ''${AS_TOKEN}"
fi
if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then
HS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
echo "Generated new HS token: ''${HS_TOKEN}"
fi
if [[ -z "$DISCORD_TOKEN" ]]; then
echo "No Discord token found at '${cfg.discordTokenPath}'"
echo "You can find this on the 'Bot' tab of your Discord application."
exit 1
fi
if [[ -z "$DISCORD_CLIENT_SECRET" ]]; then
echo "No Discord client secret found at '${cfg.discordTokenPath}'"
echo "You can find this on the 'OAuth2' tab of your Discord application."
exit 1
fi
shred -u ''${REGISTRATION_FILE}
cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp
shred -u ''${REGISTRATION_FILE}
mv ''${REGISTRATION_FILE}.tmp ''${REGISTRATION_FILE}
'';
in
{
warnings =
lib.optionals ((builtins.substring (lib.stringLength cfg.namespace - 1) 1 cfg.namespace) != "_") [
"OOYE namespace does not end with an underscore! This is recommended to have better ID formatting. Provided: '${cfg.namespace}'"
]
++ lib.optionals ((builtins.substring 0 1 cfg.namespace) != "_") [
"OOYE namespace does not start with an underscore! This is recommended to avoid conflicts with registered users. Provided: '${cfg.namespace}'"
];
environment.systemPackages = [ cfg.package ];
systemd.services."matrix-ooye-pre-start" = {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = script;
WorkingDirectory = "/var/lib/matrix-ooye";
StateDirectory = "matrix-ooye";
DynamicUser = true;
RemainAfterExit = true;
Type = "oneshot";
LoadCredential = [
"discord_token:${cfg.discordTokenPath}"
"discord_client_secret:${cfg.discordClientSecretPath}"
];
};
};
systemd.services."matrix-ooye" = {
enable = true;
description = "Out of Your Element - a Discord bridge for Matrix.";
wants = [
"network-online.target"
"matrix-synapse.service"
"conduit.service"
"dendrite.service"
];
after = [
"matrix-ooye-pre-start.service"
"network-online.target"
];
requires = [ "matrix-ooye-pre-start.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = lib.getExe config.services.matrix-ooye.package;
WorkingDirectory = "/var/lib/matrix-ooye";
StateDirectory = "matrix-ooye";
#ProtectSystem = "strict";
#ProtectHome = true;
#PrivateTmp = true;
#NoNewPrivileges = true;
#PrivateDevices = true;
Restart = "on-failure";
DynamicUser = true;
};
};
systemd.services."matrix-synapse" = lib.mkIf cfg.enableSynapseIntegration {
after = [
"matrix-ooye-pre-start.service"
"network-online.target"
];
requires = [ "matrix-ooye-pre-start.service" ];
serviceConfig = {
LoadCredential = [
"matrix-ooye-registration:/var/lib/matrix-ooye/registration.yaml"
];
ExecStartPre = [
"+${pkgs.coreutils}/bin/cp /run/credentials/matrix-synapse.service/matrix-ooye-registration ${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
"+${pkgs.coreutils}/bin/chown matrix-synapse:matrix-synapse ${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
];
};
};
services.matrix-synapse.settings.app_service_config_files = lib.mkIf cfg.enableSynapseIntegration [
"${config.services.matrix-synapse.dataDir}/ooye-registration.yaml"
];
}
);
}

4
packages/bluemap.nix
View File

@@ -2,11 +2,11 @@
stdenvNoCC.mkDerivation rec {
pname = "bluemap";
version = "5.15";
version = "5.2";
src = fetchurl {
url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
hash = "sha256-g50V/4LtHaHNRMTt+PK/ZTf4Tber2D6ZHJvuAXQLaFI=";
hash = "sha256-4vld+NBwzBxdwbMtsKuqvO6immkbh4HB//6wdjXaxoU=";
};
dontUnpack = true;

21
packages/cgit.nix
View File

@@ -1,21 +0,0 @@
{ cgit, fetchurl, ... }:
let
pname = cgit.pname;
commit = "09d24d7cd0b7e85633f2f43808b12871bb209d69";
in
cgit.overrideAttrs (_: {
version = "1.2.3-unstable-2024.07.16";
src = fetchurl {
url = "https://git.zx2c4.com/cgit/snapshot/${pname}-${commit}.tar.xz";
hash = "sha256-gfgjAXnWRqVCP+4cmYOVdB/3OFOLJl2WBOc3bFVDsjw=";
};
# cgit is tightly coupled with git and needs a git source tree to build.
# IMPORTANT: Remember to check which git version cgit needs on every version
# bump (look for "GIT_VER" in the top-level Makefile).
gitSrc = fetchurl {
url = "mirror://kernel/software/scm/git/git-2.46.0.tar.xz";
hash = "sha256-fxI0YqKLfKPr4mB0hfcWhVTCsQ38FVx+xGMAZmrCf5U=";
};
})

50
packages/mediawiki-extensions/default.nix
View File

@@ -12,7 +12,7 @@ let
name
, commit
, hash
, tracking-branch ? "REL1_44"
, tracking-branch ? "REL1_42"
, kebab-name ? kebab-case-name name
, fetchgit ? pkgs.fetchgit
}:
@@ -33,63 +33,63 @@ in
lib.mergeAttrsList [
(mw-ext {
name = "CodeEditor";
commit = "6e5b06e8cf2d040c0abb53ac3735f9f3c96a7a4f";
hash = "sha256-Jee+Ws9REUohywhbuemixXKaTRc54+cIlyUNDCyYcEM=";
commit = "9f69f2cf7616342d236726608a702d651b611938";
hash = "sha256-sRaYj34+7aghJUw18RoowzEiMx0aOANU1a7YT8jivBw=";
})
(mw-ext {
name = "CodeMirror";
commit = "da9c5d4f03e6425f6f2cf68b75d21311e0f7e77e";
hash = "sha256-aL+v9xeqKHGmQVUWVczh54BkReu+fP49PT1NP7eTC6k=";
commit = "1a1048c770795789676adcf8a33c1b69f6f5d3ae";
hash = "sha256-Y5ePrtLNiko2uU/sesm8jdYmxZkYzQDHfkIG1Q0v47I=";
})
(mw-ext {
name = "DeleteBatch";
commit = "122072bbfb4eab96ed8c1451a3e74b5557054c58";
hash = "sha256-L6AXoyFJEZoAQpLO6knJvYtQ6JJPMtaa+WhpnwbJeNU=";
commit = "b76bb482e026453079104d00f9675b4ab851947e";
hash = "sha256-GebF9B3RVwpPw8CYKDDT6zHv/MrrzV6h2TEIvNlRmcw=";
})
(mw-ext {
name = "PluggableAuth";
commit = "5caf605b9dfdd482cb439d1ba2000cba37f8b018";
hash = "sha256-TYJqR9ZvaWJ7i1t0XfgUS05qqqCgxAH8tRTklz/Bmlg=";
commit = "1da98f447fd8321316d4286d8106953a6665f1cc";
hash = "sha256-DKDVcAfWL90FmZbSsdx1J5PkGu47EsDQmjlCpcgLCn4=";
})
(mw-ext {
name = "Popups";
commit = "7ed940a09f83f869cbc0bc20f3ca92f85b534951";
hash = "sha256-pcDPcu4kSvMHfSOuShrod694TKI9Oo3AEpMP9DXp9oY=";
commit = "9b9e986316b9662b1b45ce307a58dd0320dd33cf";
hash = "sha256-rSOZHT3yFIxA3tPhIvztwMSmSef/XHKmNfQl1JtGrUA=";
})
(mw-ext {
name = "Scribunto";
commit = "e755852a8e28a030a21ded2d5dd7270eb933b683";
hash = "sha256-zyI5nSE+KuodJOWyV0CQM7G0GfkKEgfoF/czi2/qk98=";
commit = "eb6a987e90db47b09b0454fd06cddb69fdde9c40";
hash = "sha256-Nr0ZLIrS5jnpiBgGnd90lzi6KshcsxeC+xGmNsB/g88=";
})
(mw-ext {
name = "SimpleSAMLphp";
kebab-name = "simple-saml-php";
commit = "d41b4efd3cc44ca3f9f12e35385fc64337873c2a";
hash = "sha256-wfzXtsEEEjQlW5QE4Rf8pasAW/KSJsLkrez13baxeqA=";
commit = "fd4d49cf48d16efdb91ae8128cdd507efe84d311";
hash = "sha256-Qdtroew2j3AsZYlhAAUKQXXS2kUzUeQFnuR6ZHdFhAQ=";
})
(mw-ext {
name = "TemplateData";
commit = "fd7cf4d95a70ef564130266f2a6b18f33a2a2ff9";
hash = "sha256-5OhDPFhIi55Eh5+ovMP1QTjNBb9Sm/3vyArNCApAgSw=";
commit = "836e3ca277301addd2578b2e746498ff6eb8e574";
hash = "sha256-UMcRLYxYn+AormwTYjKjjZZjA806goMY2TRQ4KoS5fY=";
})
(mw-ext {
name = "TemplateStyles";
commit = "0f7b94a0b094edee1c2a9063a3c42a1bdc0282d9";
hash = "sha256-R406FgNcIip9St1hurtZoPPykRQXBrkJRKA9hapG81I=";
commit = "06a2587689eba0a17945fd9bd4bb61674d3a7853";
hash = "sha256-C7j0jCkMeVZiLKpk+55X+lLnbG4aeH+hWIm3P5fF4fw=";
})
(mw-ext {
name = "UserMerge";
commit = "d1917817dd287e7d883e879459d2d2d7bc6966f2";
hash = "sha256-la3/AQ38DMsrZ2f24T/z3yKzIrbyi3w6FIB5YfxGK9U=";
commit = "41759d0c61377074d159f7d84130a095822bc7a3";
hash = "sha256-pGjA7r30StRw4ff0QzzZYUhgD3dC3ZuiidoSEz8kA8Q=";
})
(mw-ext {
name = "VisualEditor";
commit = "032364cfdff33818e6ae0dfa251fe3973b0ae4f3";
hash = "sha256-AQDdq9r6rSo8h4u1ERonH14/1i1BgLGdzANEiQ065PU=";
commit = "a128b11fe109aa882de5a40d2be0cdd0947ab11b";
hash = "sha256-bv1TkomouOxe+DKzthyLyppdEUFSXJ9uE0zsteVU+D4=";
})
(mw-ext {
name = "WikiEditor";
commit = "cb9f7e06a9c59b6d3b31c653e5886b7f53583d01";
hash = "sha256-UWi3Ac+LCOLliLkXnS8YL0rD/HguuPH5MseqOm0z7s4=";
commit = "21383e39a4c9169000acd03edfbbeec4451d7974";
hash = "sha256-aPVpE6e4qLLliN9U5TA36e8tFrIt7Fl8RT1cGPUWoNI=";
})
]

56
packages/out-of-your-element.nix
View File

@@ -1,56 +0,0 @@
{
lib,
fetchFromGitea,
makeWrapper,
nodejs,
buildNpmPackage,
fetchpatch,
}:
buildNpmPackage {
pname = "delete-your-element";
version = "3.3-unstable-2025-12-09";
src = fetchFromGitea {
domain = "git.pvv.ntnu.no";
owner = "Drift";
repo = "delete-your-element";
rev = "1c0c545a024ef7215a1a3483c10acce853f79765";
hash = "sha256-ow/PdlHfU7PCwsjJUEzoETzONs1KoKTRMRQ9ADN0tGk=";
};
patches = [
(fetchpatch {
name = "ooye-fix-package-lock-0001.patch";
url = "https://cgit.rory.gay/nix/OOYE-module.git/plain/pl.patch?h=ee126389d997ba14be3fe3ef360ba37b3617a9b2";
hash = "sha256-dP6WEHb0KksDraYML+jcR5DftH9BiXvwevUg38ALOrc=";
})
];
npmDepsHash = "sha256-OXOyO6LxK/WYYVysSxkol0ilMUZB+osLYUE5DpJlbps=";
# npmDepsHash = "sha256-Y+vgp7+7pIDm64AYSs8ltoAiON0EPpJInbmgn3/LkVA=";
dontNpmBuild = true;
makeCacheWritable = true;
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
runHook preInstall
mkdir -p $out/share
cp -a . $out/share/ooye
makeWrapper ${nodejs}/bin/node $out/bin/matrix-ooye --add-flags $out/share/ooye/start.js
makeWrapper ${nodejs}/bin/node $out/bin/matrix-ooye-addbot --add-flags $out/share/ooye/addbot.js
runHook postInstall
'';
meta = with lib; {
description = "Matrix-Discord bridge with modern features.";
homepage = "https://gitdab.com/cadence/out-of-your-element";
longDescription = ''
Modern Matrix-to-Discord appservice bridge, created by @cadence:cadence.moe.
'';
license = licenses.gpl3;
# maintainers = with maintainers; [ RorySys ];
mainProgram = "matrix-ooye";
};
}

8
packages/simplesamlphp/default.nix
View File

@@ -8,18 +8,18 @@
php.buildComposerProject rec {
pname = "simplesamlphp";
version = "2.4.3";
version = "2.2.1";
src = fetchFromGitHub {
owner = "simplesamlphp";
repo = "simplesamlphp";
tag = "v${version}";
hash = "sha256-vv4gzcnPfMapd8gER2Vsng1SBloHKWrJJltnw2HUnX4=";
rev = "v${version}";
hash = "sha256-jo7xma60M4VZgeDgyFumvJp1Sm+RP4XaugDkttQVB+k=";
};
composerStrictValidation = false;
vendorHash = "sha256-vu3Iz6fRk3Gnh9Psn46jgRYKkmqGte+5xHBRmvdgKG4=";
vendorHash = "sha256-n6lJ/Fb6xI124PkKJMbJBDiuISlukWQcHl043uHoBb4=";
# TODO: metadata could be fetched automagically with these:
# - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html

90
secrets/bakke/bakke.yaml
View File

@@ -1,90 +0,0 @@
hello: ENC[AES256_GCM,data:+GWORSIf9TxmJLw1ytZwPbve2yz5H9ewVE5sOpQzkrRpct6Wes+vTE19Ij8W1g==,iv:C/WhXNBBM/bidC9xynZzk34nYXF3mUjAd4nPXpUlYHs=,tag:OJXSwuI8aNDnHFFTkwyGBQ==,type:str]
example_key: ENC[AES256_GCM,data:ojSsrFYo5YD0YtiqcA==,iv:nvNtG6c0OqnQovzWQLMjcn9vbQ4PPYSv2B43Y8z0h5s=,tag:+h7YUNRA2MTvwGJq1VZW8g==,type:str]
#ENC[AES256_GCM,data:6EvhlBtrl5wqyf6UAGwY8Q==,iv:fzLUjBzyuT17FcP8jlmLrsKW46pu6/lAvAVLHBxje6k=,tag:n+qR1NUqa91uFRIpALKlmw==,type:comment]
example_array:
- ENC[AES256_GCM,data:A38KXABxJzMoKitKpHo=,iv:OlRap3R//9tvKdPLz7uP+lvBa/fD0W8xFzdxIKKFi4E=,tag:QKizPN1fYOv5zZlMVgTIOQ==,type:str]
- ENC[AES256_GCM,data:8X2iVkHQtQMReopWdgM=,iv:2Wq3QOadwd3G3ROXNe7JQD4AL/5H/WV19TBEbxijG/8=,tag:tikKT9Wvzm4Vz5aoy6w9WQ==,type:str]
example_number: ENC[AES256_GCM,data:0K05hiSPh2Ok1A==,iv:IVRo61xkKugv4OiPm0vt9ODm5DC1DzJFdlgQJb1TfTg=,tag:o3xXygVEUD4jaGSJr0Nxtw==,type:float]
example_booleans:
- ENC[AES256_GCM,data:zoykmQ==,iv:1JGy1Cg5GdAiod9qPSzW+wsG6rUgUJyYMEE4k576Tlk=,tag:RUCbytPpo78bqlAVEUsbLg==,type:bool]
sops:
age:
- recipient: age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOM0NNRFlYaDVtY2taK2xZ
R1pJKzhzOFJJbVI1ZEtQZTJJd1JiejdwaHpJCjlyZVZLZUpVeG1HNHo1UTlaa1gz
Q2JOTmpibndlcERXaWw3Ujd3OGo2aU0KLS0tIEhKcjFKYm82VFdHWTkvcFBDam5H
bzhGbFF6ZmRPTXpzMWgzWGJJbGlkUTAKtNREtgj4kXKDymmbBt2YVFUqrAaGY72z
8fUEIz/2/kPeb4QBpYt4HQabXDLCZXZ0Q5qhHRFOSER8o+TrkJDEow==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSbEJRNjVJSE5qSk1VcVR6
VTh6ZU93Q2dGclhZWXA4YTh5WXZ4MWFMRzNRCkJ6Z1F6a20za3ZxLzRsZGg2aHpn
Nll0NW9XRndIOFpzMVgwK3RxWm1BUkEKLS0tIGF0MUYwblY4a3haelJYRkNyd3lS
S0ZuSUVXWGVXbnJocm1LRjZRSGVrMFkKQcwZk7mlF96kPdvZyLNR2i5CnU/qR7/i
u897JxtxmXuuNDKPA80pFxfwkOwzcUVrYiwOlAbMENwJWH1SwFO3Cg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWa2c5d0RvR21jQ21ZRVBL
dkR2RDhMMmJKTXk4UnFTbEZCbE5vV2cwRTNnCkFFT05kYUhXREtzSGkyY1VYQ2ZE
bU0xZnlUN0draW5DZXRqQlloVi9NaFkKLS0tIDdHb05weWlzcDN4bFdzYnpUVjVV
ZkVXK01odnZJeGhoaFFLbEVSMFJsMHcK/mgeA6aMlr7T35rHL3GriYHu2DQE45sI
8RdxdErESmpx0bneFbmsBgXOYu+iT64zatPEGVSu1taW/nMa8Ucpzw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbm4wL1pHeVVRYzJrb0RZ
VHA5ZGRTUHkxbk9qenpNRGE4bjQ0SzN6UVFvCkRHQ0VDaUhRRDI3Yy90UXZCdTlo
dnBHSmU5WlBlczlBbDBZRHFvLzFBWVkKLS0tIFVNVG5qRDZlcWZ4R00zc0N5bkli
d0Z4TEJzdEFuV3NnTndFZlpPMTNYSHMK1d1Use9/w4ClrCfShBymIxHZppCXmhmQ
vIW5vI4Ui0jSX9Rwhd17CLT66mQYBbaHTGB9fiGNQpFRc/ztaFbbnw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNmF2ZTFreDdzdVZHRWt4
VW1TNXFWRW13T3VBN04wMi95VkRCeHJIalVNClRLZGFDY2ZIREkweXp5dU9yYVRD
T1N5QVh0eWczd3VIWEthbTZRVXM0L00KLS0tIFlWeDZmQzYrQXdoZ3dycS9udEFW
TGg0bGwxQjQ1UkR5OC9FajI1RHprUXMK8NRbkEjLEW6pANEkB0QyBcgMin/Aaf5A
dkFYo01G3XM7AmlnnM9UCc56Gc/ZfcsVaUhMAZoEvEvuU0++ufCIZg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNE04cmdoYnc4cGhmMmlW
aU1MNXpacVp2eGV1dU1GUUNyd3dFRDI0and3CllsSG9qR1IwaG1iU2FpWEduanhx
WVE2SWZBblp5RWd3Mi8rc2s3M2F6cXcKLS0tIFBnaCtIelBPdEtqRUIrTnY3VytC
K3dUNVgrYlVnRjRKVVRDQmxsUC9tOG8KFE/pU3tSnyohg58FTWWc2j1Yk0+QHRyH
VakZTPA8l2j7X01KOwEDaZBZrzFd8059GBUMRnylcVOCg5a5VjXpEg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-15T21:42:17Z"
mac: ENC[AES256_GCM,data:2gH/ZaxSA6ShRu53dxj7V3jk7FsVdYS+PSHQyFT8qMvKM1hsQ/nWrKt00PUl9I7Gb4uomP9Ga3SyphYOXRBzKoV+x52oEWOJE3Q4iPrwdCkyHlxEezhTd/ZRQVatG6dvHpLuDNS9Dyph4f7Mw5USI+m4WeVdgCvHTydw+4KIfP4=,iv:yimfq96WVsagvKr8HTg1RdZBSrVGcCWPvv8XOXkOfcg=,tag:zHzdrE0PX5+AeD2lpqeJVQ==,type:str]
pgp:
- created_at: "2025-12-22T06:10:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ/+Jcq2EiWutguXVgFJsG0eU9CmM/ZrSfN7Of6MeGh53vw5
F125rivlWf56nEjAnW0u0Ai1MRUUvL6cSqnIxH0y0NcgllkUVrMDJPtsp4/1pFG3
pMhQuaoun7mmHbMwFD/WIGk3NeQA2WRm8vCa2yHuOHKG5rISZDgY/5WdkLGK9Vll
A3eBaz2r+jQwZNHMTu9Sgmuya7EAGCb/7oSTyE+ZyG9zDwyvbKcuS+xMx/Sqx5a+
a1a38fJCdwTHNGR293kMhVK75z0aOvGp4t92bulAe0Tp0Efc43TNGYIGjOQT7r3J
k4YQ0OcR+fezp8GSLxoewWBpCMFaRliSnLh7XJwd2jTURbzlpQFFKNXW4pLxrAIr
ZJXZ6Hloz91MRoQ8HLCs7WqhLptXGnqXsJPCwdBJEeVzutyt3cZIzq11bNgf9sNv
Ydj86FmGTMFK5d9kNYAqxwnfcVIc3/AdbyKNoky1Muu0z5XvUdgUcYu5RK9yL3DA
dUJVI5uam+ONUatFeTbS2Vz7KEbwh1H3gfQUQTrE6FOSrh8bk0lp1aG1geL69ram
XXh/uHkvzTgbq+oiyiqbodurrEQHcdhrYJwvPELLQwtIq+0iVu7xNIFz+LNuAMqK
d1lualLK7xHNqCOhihY1nKR3PjDrE4tUKjtwu1lp2Ae+VEXg1FgrqdkquxlE+0XS
XgG0jfeGqwQKM1qGkaj9UX/xXe8Io5KhOAqRhnkauU9nZ4Uaj5X1rFpbLAOT2/FZ
rHjT46gUUh1hK2TEnL14yJ8ttIntlcXh6lJ6zbkIL7G+56GlqhPmr8M6N67VEq8=
=8M3y
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.8.1

96
secrets/bekkalokk/bekkalokk.yaml
View File

@@ -35,82 +35,86 @@ bluemap:
ssh-key: ENC[AES256_GCM,data:nPwsT4RYbMbGp2MChLUh6NXW4ckYr7SQcd6Gy2G8CEU+ugew5pt4d6GOK1fyekspDtet3EkPL2F1AsoPFBB2Rv0boARMslAhBqwWSsbBJTXeTEgAABSMxTPJRBtfJucvv426nyIj3uApoknz6mDCQh1OI6mER0fis7MPaM1506HlDlnIT0FV9EairEsaAmbd0yddByGJSccKIza2vW0qWqrz83P+xrakEONxFz0fJlkO5PRXCcQJVBCqWQfnaHNrWeBWv0QA7vAHlT0yjqJCpDRxN2KYrPWsz7sUbB4UZOtykCRM5kKFq73GUaOKqVECJQhcJi6tERhpJELwjjS8MSqvBD90UTKTshGugfuygTaOyUx4wou3atxMR2Rah9+uZ6mBrLAOLX3JKiAtyhFewPMWjd/UhbMPuzNageVBNz2EMpa4POSVwz5MyViKNSgr9cPcNGqmrnjvr/W/lnj6Ec+W80RiXQlADSE4Q6diLLwB9nlHvKs8NTDgv6sUafcPHpJ2+N4Jkb96dE14bMffQ385SI4vLDcQ8xCQ,iv:WdJIHRzjlm8bEldolCx1Q7pZJvjxGkNZALSOy3IjizU=,tag:5ZAikiqttq/76+thG+4LMw==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data:J6V+NJ9TvYUL2gmcqWWYt8X+n0M7i0RpDpBelWAbFMH64+e9ztHNnC491sm+RogDxqKk0kwQyX2Mz00iq3Gc3wDYyozGOdv3tBKrp7/LcfjUQ9T9hi0yTD3eNV0LAjlAWMTdlW65VGHqGst8ncKbUuVxbBASVlh3A321toZgD+xxUAtNz7qKFa6fDbOS0xLD1+CmTwVp+aPos//QIKzjuk1HqxfBNK82maKtD4JHPS+Y3be2wIEjGWq3H6JYN/RDojD88D/jzo9RwvEjpqLXoOVfy8uX/fbEsgkgfAmPiaG+ePCnchSExEe3a6Y0E+I6YIzvP+tGThJpu4HaT/yW2Rww/jvsxKrXSUhtBZI/SIX5ZAIFB3sFjJXQefJjfNpQTQWhbspLfdemafGaRiDnzVgKDhNL1HNMNsXKDfWa0SLs4//dqerom/QCCNsaqV+4HVzv5x44srChGERadQI/Wh4UG2R19xxbdyIsKPHzv7BhEKufJkjc5upBjWygQrGAkTRHugFpw2Tdkz9yUQSujMkaeRKhVkA+ZUAjwnY5TwqNZBj7U3K2JXoNVHAq194XmrA2dNghh0OmRrvKGwM3HKexX22SXT0bPlpdWRQpMbUgV+uHLMerlDpNMFTIueEBkaF/FWeSW2N5WUrUb1uJ91QcJ8JBgN1riuD1Oxv9RRPrY9VVNJMrYjpAAREN8i8brMTOCJ35s7jnqIei0dNmnNXOoQZPs9kUMeEtUc/Df1E8/aO2Y4yU9gHUuevXnAJWFAiu2IxssgPk6CcNxvapJEmlwkLK/JyuDsWwFxVOHfw5QIEsoDVWXt6eMhquqUgzJI1q7QrTWUQsBb5A5sQKYWQHempOaXuQn1bzA7mU3Gzsr8bNNc6tpy+6j3zTXYR067EX00yqPG+kqRn4QVIuhByxXP3cwXLUG9uD1lsqWrGzs6WCnHr7txhRBXf4WbBVmXModO3uf36cDYEwrUa6yBsARtSl8PJ0UadfY/xULcT5PFvu9+Hi2qj3vp4IU3JCJa9AvXB+11pbSdawprjuDhwQtPwkJ4CQyvZsom3/BOrmwYM5+EyMDIluEQ0z6eDE5buiIVbX6IvXnDCKbrnqVwavX2wqyiDduFLjRfWL/3U2O1yRim78smrDMJABJZvtW+a+GfmlnTd/gnFvS70Fmm/lgtY051ISL/iFx6toJRoBMMiI/Zvy13uQry+w/HbyFl42DIank8tf7kuN3E9M7ADGMubRJJ0AZOcQddrFnR4Gl2nU2+3RS5fLHaBf9QHK6W92/n//xmPkYqrkPacew4eBjUqM32jVGuBpDc964fK9kdtIdw8q5P1s/ph3I79Y24kGeuO1AVJuZvkaTv1Z7GgI9+K9TstKJ9XpRCidLpLSP+uHOWkqcNsQlt6ilTlfHj+MKoD85dKZ315QMmpiuYEvzCSP1aYTb9dpd61Su/IVuM3r2NuINNEZ166YlHQVsLNpDn8E5ahk3ZInOAg6/kaKTmjUI8KEvX4BR3PbbViAlJJb3suJ0oZBGPUlrW5uLRmADvf2mMDVO5zY7/m9DQwxjt4Miu0l8ZaUc0YJQ850lBKucQ==,iv:GI8w7h7xX8gMHuAoWUyrW+BQb85LNlASoYvGBPlCZaI=,tag:WnHNMevfFSMc0ikBZwWn/g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvQjZvVEplU2pMQmgrQXE2
Qy9FY1NRZEhpSTVCdy9rVEFHekM4NHJEVlRvCkNnVUlCQzdGenlKOW56ZGY4bzJm
K1c1N25ZbDFNMDY0YzlGMTlMN2htSEEKLS0tIEYvWEVoMUVtVDRkeEt5eWFZckJs
aFRsYmhNMkQwdFlDa1ROWXdhWGFKUUEKqixofKZBMXpV8q801HtVoHzZWJhsifSB
DLPHbOAWpXjKygNJ1ogi66FWBFfRL0KGffQEuaIozTA1r1NafSCLKA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNbjFxWk5lY0kxaStxcnVh
SnlYamw5WXBRTkU0ZGFEWnZvME1nZk94TlIwCmlhVGFtckJpN1RZdXRBYkxDbnVS
UmZtWENzZWNYRmptY2kwem42ek1LbXcKLS0tIElsRXBmNHNmdjdqTmFLL2ltMnFC
VG11M3ZpeUJPUGlEQmExOEdSZFJERE0KSIo1pzx8AcoJWEzNzEDoV3eM7194IHxL
4pCSSztKDCF+XdJZLh5sgudaYLJGtX5n7q1hbuL0wOmotM9bN2YLog==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
- recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1YmhFNHNuaXlFZXMxNmtR
S3ZIM25xVnYxNE5kL0RJR0lpNWo1c2ZTczFRCkRKakRNek8xdVcxcFN5Wkc1VDJ5
QjJuQjcwZ25RVkpoMXFpQXltU21MOTQKLS0tIFVrNVJ1alAwM1RtTy9zUUIzMkpi
bnFVWG5xWW1hSDZob0NzZVZNOHdqRTAKci5uPZI7K/ljVRZ1j2qQFABpf+Anuj2a
yqz92A7DbMUSUqmUNCHWg2vKmMwuRL3CXLPzZoXgIN07dpYQlk6qgg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBybXRjNEM3ZDYwa21LdWpE
dDg1MUxaeHlJSHRhWk40TndYbHZLWHVsVWk4CkxkRVJ4c1lhaXZodGxhNGhkUy9q
M0I1SHdjeXVXL1E4OXgxS2x0cU9ESFkKLS0tIFpNMjNKLzNDWWtvTkhHRDFSTklH
T1k1cXp4NXVvVGdkYXp0VVNJejVJRkkK6K31gqRRvo0mbJy6aCTKotVmrfqZoARG
w6wKe1TJLWJv8RAD3GQrub9MJwQhUG38Jtj1WrXgNMlF24zFPlZDEQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZExMODZvbUo5VWt4UWs4
ZXRXWkdDczQxcGRJbUFyU3V5bDllampVWTF3CndVSzZESmlwUFcxMjZKODhPY1pz
WHo5aC9JOUg0VndhdGIxeU1PU2t2QWMKLS0tIExQelVMSWUrMkUrY3htMVIxTHFo
blNkNG02ZTFHR1ZjL1dBbjlDNXk5VmMK+EbzW0Rdq5cxIm8EnQ2P87BTxfMKywyM
Q3LGAw4RDR/Gstj9hzpTPnNjb4D5tMcQmeQlAvBriZPFXCrmq5WCXA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2azhwMEJRZ3JQRnhDNlFR
a283MitGTTdaMTZURmFYam85TU43RkdXYTI0CnQxWnRUZ2F6MHd1TWlHMDZ4b1p0
WStOVndGTUpmdncvd1k0WlV3c0xKYmMKLS0tIFpSb1hKbHJyM1dCOVBMa1Jabndp
NWlGSFhQUngvWG5BQ1lyOFAxanlGdlEKt09a9bMErR3wqbutxhDRfSWp40mmfShJ
KAAO2TEMKkEGFvaxYu+G9rbR37h/ZttikJMvIVlfRzmVADlFwO7eHw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSGFIdjJwTkpRdzdIQ2Iz
WW1jamZFY1JrTTBZRjM5enZmNkNEMTRaQ24wCjdJY2l4OVJyU2pVR3dQZFg0cHRl
dU1xS0gwbWM0MktPL2d6dG1wN1ZsWEkKLS0tIHJscElDRVFrakJCZmtMbk0xaVp4
MDBoekhiMWZaeU9IWkcybFNWczVtUUUK4BOBttXkGhmUYTjR68ZvaT0BpbIw67rr
Ls5XV6Azkid7GAttNayqb/OjshUco1xIbAyGRz77b5uzMzM1cM6+dA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYVJLMTZma08xZVo3cEZs
Ym1FTU9ZdmxlcUxselltWDRwdUhUdU1udnpjCmh4TlJEK09UdlNFLzN0YnN3WGtt
aGpzd25Vckc1TmVCamQ0ekk2QWpraUEKLS0tIG9CNzBOM1g2aTRlQmt3WWVrTlNB
ZWsrZy9HSWt4OUdMb3ZZQmNjNGZNZjQKMhvkRnis8P2iV3hoigiN2IXeIFvFuYRK
FeMG/cNOtAUsOgHMs4xDPqpLrhpay7IEvwQukBxscd/88I8/ZdGeHQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSmVyNkNiWkxob05lakJI
N1dWVWl4bnd0cWV0bzlzQTdhMTZ6aWZJMFU4CkYwc29NTW5PODVVTU5DNFdCV0RO
RTJHaDVmbWZ1WFdSRVE4Tk9SbHhsdUkKLS0tIFhiN3M1aGJtY2ZqTkIwYjB6S095
WkpCQWlab2s5anVIa2Vlak1vNzI5U0kKRhPzmr9IW0fVDRKzfR1du7KgevNUchxJ
GDz5B/EekvwZwhcAGvkE6uwHIAIMaau49S9iwqK4NjIcBIGagoqiDQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtazZ2RUo3ZjdKeStLWW0r
bm1NVWJRbjZpZTVRcEFWTnJwYkp2YUN3OTM4CnhRa2RpOS83MW9zaWlUV1M4b21t
OG5Ub3VkK1dSMkVzN2VtT0JrWkFSTkEKLS0tIGMvOFU2U243RnpUTThRRWthaHpZ
SjBhZjJpNGlUclF3bXRKOXk0KzlHdzQKp/asp39bRfNXyetc3ySVpnzfO6it9D/e
XWyhq0yKRFAC8yMYeAuA4kIcNM4DGRc0PnwA/ce3IgHsV1ZNdvdWfg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpSXJKL3RzUEMzZXN5Qmsw
aFRrMXE2b2dNU05NeWNuaEZOdkcyMWpvUlM0ClVkMVJoS3Y5SnJxQ3RtaUtncDcw
cWRKYjdFbEJ3aWE1ei9wYnpVRGhBd00KLS0tIFFycFgyWGVvMFc3azN3T2Z4aHln
UzR0dUp5MHFWdDFya0hlRXM4M1d5YVUKhaXAFsId/SGv5wmKvjTLSAAlDNuSH80H
SahjRm7nj5Z6ZHJfBZu9cGoZ5ZdvPsr1DtLgErSndnOnh7TWA8SgGQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnT3lTUEFaN3pOMGhsQ1Ra
SVZ6cE90a1BteXgzaldsN3ZTSGZpZXlyWHdvClhJM2ZDRHR0VzVSQXd0b1drK3hG
aW8zUWlHcVFkTFpJYXpxWlAwVHV0ckUKLS0tIGVmR0g2Vk56dlZCU01Dd3NzUFZU
UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr
4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-09T21:18:23Z"
mac: ENC[AES256_GCM,data:scdduZPcJZgeT9LarRgxVr/obYsGrJAbMoLGJPPPp19qxOJMTdvYfMz8bxPjCikB4MacEgVZmcnKIn5aCzHJAnCI/7F2wm1DDtW9ZI5qbhDJKSSld+m2leOSPfR8VY/0qj6UNgGnwkwx7dfcAlv8cP2Sp3o1M2oyQxeXPr5FWEg=,iv:JEAwkCewMp0ERmYU62kZkbl7+FET1ZeRr6xeEwt6ioM=,tag:jxvli935X3JyZYe7fFbnLg==,type:str]
pgp:
- created_at: "2025-12-01T10:58:17Z"
- created_at: "2024-08-04T00:03:28Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ/+IxSo/UF0bv0ktR4aYDhZF/7y8Xv56jaZbW+bI8os57SY
mk7MbCqMmujf31gDlWwvytn3sEBTs69tre2rJH0JhDnfxrfL4uHJqD2Idtfhejgv
6ezh37/aFy0GgkUKUMpVG3sksZjQrKrSvJiHgfIAaiEiNU6grc6EDLPqDrgO0s1V
RBUiv2VMyg6a2MBf6TSrdoHw/HtK/PvOgrQ/C3q3jjUzVLUnScIsewwTq0zdmVf6
WPG5/sTjKoIYRdjrEZOIZglU61Q2/d0GTGkI7nkr5xl+iJicRO8O4cYmZ2NivMLt
pjsYGQ+Kyuxzmgqjh2aRv5uu7p4g1fYIBZdcqmm14Jc/IznNUAdfpgoRGUxEbnGW
R6C2eTzvhZGFj0+jssLwcWtGxa2xxPAHL8TbAvroffzx7W9IdyWkmOEaMuyHFAWT
FpsdlSkYmQs1H5YCdRnapFkNbaIPsQy/c4dQhzYakrheMdpXo6efSPmk9RdjKZrd
HvJaepwJA7Uf9+eY+LgPVTKY4ObJziJEEIM8QwmBW4h7ZujbntUHXhL1dt2Bc8nZ
5foSRmLA0lsd59QSPA3lg30TpJARC8aq4dlYsTFqQgHVTHA2W1m5gYvIgNKlhR/F
NGNaAWW0+3V6NeQF5UVp/ug4RbJK+qbrQw/+jeyRaPj3TWaFobOfs+Ad5zcL5QfS
XgG1ix1Re4pnbeGbTE0QsFQ/Ir0mwPGuNzr1CFuVQWvPUYqA4iv8nlxIj2E43gcL
4ihGEE6dKrrwLJuALNq4p7mqnCMJ7/kjLNTRUSmWY8fHaVmX/QL0uGZwYH1Y5P4=
=2j4b
hQIMA0av/duuklWYAQ/7BlyYej03uyhLheXS406h3Ew7v7D+rHHvHjiw3FCJxHoC
1revUrMa/M6iTNQteaBvBcYVR4+SpUpRyN/6BSzEQBrNhUBR+70VWL2yzeeb6Bw7
GBtuyS7O3DEd0froE3aFETR0NfQ1FfcndOBd3SDKOsCgL5nfJSyOPQtr1OMLKzoW
+CARt457xEx0KY7IIpN6e57IT7bVjJx5UuDcN0ZncUyuGUAKHdn0nAHzWqiSZV9w
bIftLJ936zvBOhhl3DkzvALnI9+//KPSMM3o/1ti07FoAx8cK2w83VA5Ia9qeNkB
wfVuE6f5a2KP/KrfnVCfvweMh/MIEUGb14XEaniyYwvlW5vwF9YgPH6HGc0c+lH6
UWy8+Iw7kXkUEJuhtNWyBPJeVKheSBieoWUBZZAK4uWUpChJxfc5M3+P3mgzTIP+
7P04xdtS0GwrNwMBiQFqc56hoYDAwMYbn9lFzM3LLq+h8Ztg2G4X9LXjD956TP5C
bPV7BFcjTSaAt1TDJcDJRxfrtx6Mo/DLknpGTMRM0UfQ/22uMz2GAH38L0C7lD9B
RrKlpDuMKzj/LUihO33Ry9J0IpZ3XF6oaSl/+P+uO9QYNxA/zkuxuSWfqoysldyN
bSo1dHGapY/+PVMjM0E/2Dkk9T2IbQUlkVxPrlvuUd3YfrJ7bCva2GDjLvXSp7LS
XgGgLgrj54YoOn4uUFsxzDIS7yVps3fCkByVtc1Lc3C8uPPF1B+jOX7O87kZOHag
XvT2ze2ITfdxPzoyZO1nWVIGO8rAtQ/vK/Iv2/hHtc4gfzL+gy7GeUWGHkvZ1Kk=
=wDmH
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted

Some files were not shown because too many files have changed in this diff Show More