Compare commits


2 Commits

Author SHA1 Message Date
Karoline Dyve Samuelsen
2ec17a72a4 Test run 2 for trying to implement fancy log inn page. 2026-02-16 13:59:07 +01:00
Karoline Dyve Samuelsen
3ad2fc3464 Added settings to include pvv innlogging theme. 2026-02-15 20:21:00 +01:00
129 changed files with 2426 additions and 3824 deletions


@@ -1,9 +1,4 @@
{ { lib, config, inputs, ... }:
lib,
config,
inputs,
...
}:
{ {
nix = { nix = {
gc = { gc = {
@@ -16,17 +11,12 @@
allow-dirty = true; allow-dirty = true;
auto-allocate-uids = true; auto-allocate-uids = true;
builders-use-substitutes = true; builders-use-substitutes = true;
experimental-features = [ experimental-features = [ "nix-command" "flakes" "auto-allocate-uids" ];
"nix-command"
"flakes"
"auto-allocate-uids"
];
log-lines = 50; log-lines = 50;
use-xdg-base-directories = true; use-xdg-base-directories = true;
}; };
/* /* This makes commandline tools like
This makes commandline tools like
** nix run nixpkgs#hello ** nix run nixpkgs#hello
** and nix-shell -p hello ** and nix-shell -p hello
** use the same channel the system ** use the same channel the system


@@ -1,10 +1,4 @@
{ { config, inputs, pkgs, lib, ... }:
config,
inputs,
pkgs,
lib,
...
}:
let let
inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs; inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs;
@@ -22,33 +16,25 @@ in
# --update-input is deprecated since nix 2.22, and removed in lix 2.90 # --update-input is deprecated since nix 2.22, and removed in lix 2.90
# as such we instead use --override-input combined with --refresh # as such we instead use --override-input combined with --refresh
# https://git.lix.systems/lix-project/lix/issues/400 # https://git.lix.systems/lix-project/lix/issues/400
] ] ++ (lib.pipe inputUrls [
++ (lib.pipe inputUrls [
(lib.intersectAttrs { (lib.intersectAttrs {
nixpkgs = { }; nixpkgs = { };
nixpkgs-unstable = { }; nixpkgs-unstable = { };
}) })
(lib.mapAttrsToList ( (lib.mapAttrsToList (input: url: ["--override-input" input url]))
input: url: [
"--override-input"
input
url
]
))
lib.concatLists lib.concatLists
]); ]);
}; };
# workaround for https://github.com/NixOS/nix/issues/6895 # workaround for https://github.com/NixOS/nix/issues/6895
# via https://git.lix.systems/lix-project/lix/issues/400 # via https://git.lix.systems/lix-project/lix/issues/400
environment.etc = environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) {
lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) "current-system-flake-inputs.json".source
{ = pkgs.writers.writeJSON "flake-inputs.json" (
"current-system-flake-inputs.json".source = pkgs.writers.writeJSON "flake-inputs.json" ( lib.flip lib.mapAttrs inputs (name: input:
lib.flip lib.mapAttrs inputs (
name: input:
# inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
lib.removeAttrs (input.sourceInfo or { }) [ "outPath" ] // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
// { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
) )
); );
}; };


@@ -1,9 +1,4 @@
{ { config, lib, values, ... }:
config,
lib,
values,
...
}:
let let
cfg = config.services.journald.upload; cfg = config.services.journald.upload;
in in


@@ -1,10 +1,7 @@
{ ... }: { ... }:
{ {
systemd.services.logrotate = { systemd.services.logrotate = {
documentation = [ documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
"man:logrotate(8)"
"man:logrotate.conf(5)"
];
unitConfig.RequiresMountsFor = "/var/log"; unitConfig.RequiresMountsFor = "/var/log";
serviceConfig.ReadWritePaths = [ "/var/log" ]; serviceConfig.ReadWritePaths = [ "/var/log" ];
}; };


@@ -11,10 +11,7 @@
}; };
}; };
networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
80
443
];
services.nginx = { services.nginx = {
recommendedTlsSettings = true; recommendedTlsSettings = true;


@@ -18,3 +18,4 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
]; ];
} }


@@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
cfg = config.services.postfix; cfg = config.services.postfix;
in in


@@ -1,9 +1,4 @@
{ { config, lib, values, ... }:
config,
lib,
values,
...
}:
let let
cfg = config.services.prometheus.exporters.node; cfg = config.services.prometheus.exporters.node;
in in


@@ -1,9 +1,4 @@
{ { config, lib, values, ... }:
config,
lib,
values,
...
}:
let let
cfg = config.services.prometheus.exporters.systemd; cfg = config.services.prometheus.exporters.systemd;
in in


@@ -1,9 +1,4 @@
{ { config, lib, values, ... }:
config,
lib,
values,
...
}:
let let
cfg = config.services.prometheus.exporters.node; cfg = config.services.prometheus.exporters.node;
in in
@@ -15,13 +10,10 @@ in
http_listen_port = 28183; http_listen_port = 28183;
grpc_listen_port = 0; grpc_listen_port = 0;
}; };
clients = [ clients = [{
{
url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push"; url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
} }];
]; scrape_configs = [{
scrape_configs = [
{
job_name = "systemd-journal"; job_name = "systemd-journal";
journal = { journal = {
max_age = "12h"; max_age = "12h";
@@ -40,8 +32,7 @@ in
target_label = "level"; target_label = "level";
} }
]; ];
} }];
];
}; };
}; };
} }


@@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
{ {
services.smartd = { services.smartd = {
# NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the # NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
@@ -19,12 +14,9 @@
}; };
}; };
environment.systemPackages = lib.optionals config.services.smartd.enable ( environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
with pkgs;
[
smartmontools smartmontools
] ]);
);
systemd.services.smartd.unitConfig.ConditionVirtualization = "no"; systemd.services.smartd.unitConfig.ConditionVirtualization = "no";
} }


@@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
cfg = config.services.uptimed; cfg = config.services.uptimed;
in in
@@ -20,19 +15,16 @@ in
services.uptimed = { services.uptimed = {
enable = true; enable = true;
settings = settings = let
let
stateDir = "/var/lib/uptimed"; stateDir = "/var/lib/uptimed";
in in {
{
PIDFILE = "${stateDir}/pid"; PIDFILE = "${stateDir}/pid";
SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t"; SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
}; };
}; };
systemd.services.uptimed = lib.mkIf (cfg.enable) { systemd.services.uptimed = lib.mkIf (cfg.enable) {
serviceConfig = serviceConfig = let
let
uptimed = pkgs.uptimed.overrideAttrs (prev: { uptimed = pkgs.uptimed.overrideAttrs (prev: {
postPatch = '' postPatch = ''
substituteInPlace Makefile.am \ substituteInPlace Makefile.am \
@@ -42,23 +34,23 @@ in
''; '';
}); });
in in {
{
Type = "notify"; Type = "notify";
ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f"; ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
BindReadOnlyPaths = BindReadOnlyPaths = let
let
configFile = lib.pipe cfg.settings [ configFile = lib.pipe cfg.settings [
(lib.mapAttrsToList ( (lib.mapAttrsToList
k: v: if builtins.isList v then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v else "${k}=${v}" (k: v:
)) if builtins.isList v
then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v
else "${k}=${v}")
)
(lib.concatStringsSep "\n") (lib.concatStringsSep "\n")
(pkgs.writeText "uptimed.conf") (pkgs.writeText "uptimed.conf")
]; ];
in in [
[
"${configFile}:/var/lib/uptimed/uptimed.conf" "${configFile}:/var/lib/uptimed/uptimed.conf"
]; ];
}; };


@@ -1,15 +1,8 @@
{ config, fp, lib, ... }:
{ {
config, sops.defaultSopsFile = let
fp,
lib,
...
}:
{
sops.defaultSopsFile =
let
secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml; secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
in in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
sops.age = lib.mkIf (config.sops.defaultSopsFile != null) { sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];

8
flake.lock generated

@@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1771267058, "lastModified": 1770133120,
"narHash": "sha256-EEL4SmD1b3BPJPsSJJ4wDTXWMumJqbR+BLzhJJG0skE=", "narHash": "sha256-RuAWONXb+U3omSsuIPCrPcgj0XYqv+2djG0cnPGEyKg=",
"ref": "main", "ref": "main",
"rev": "e3962d02c78b9c7b4d18148d931a9a4bf22e7902", "rev": "3123b8b474319bc75ee780e0357dcdea69dc85e6",
"revCount": 254, "revCount": 244,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/dibbler.git" "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
}, },

173
flake.nix

@@ -49,15 +49,7 @@
qotd.inputs.nixpkgs.follows = "nixpkgs"; qotd.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
{
self,
nixpkgs,
nixpkgs-unstable,
sops-nix,
disko,
...
}@inputs:
let let
inherit (nixpkgs) lib; inherit (nixpkgs) lib;
systems = [ systems = [
@@ -74,27 +66,23 @@
"georg" "georg"
"ildkule" "ildkule"
]; ];
in in {
{
inputs = lib.mapAttrs (_: src: src.outPath) inputs; inputs = lib.mapAttrs (_: src: src.outPath) inputs;
pkgs = forAllSystems ( pkgs = forAllSystems (system: import nixpkgs {
system:
import nixpkgs {
inherit system; inherit system;
config.allowUnfreePredicate = config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
pkg: [
builtins.elem (lib.getName pkg) [
"nvidia-x11" "nvidia-x11"
"nvidia-settings" "nvidia-settings"
]; ];
} });
);
nixosConfigurations = nixosConfigurations = let
let
nixosConfig = nixosConfig =
nixpkgs: name: configurationPath: nixpkgs:
name:
configurationPath:
extraArgs@{ extraArgs@{
localSystem ? "x86_64-linux", # buildPlatform localSystem ? "x86_64-linux", # buildPlatform
crossSystem ? "x86_64-linux", # hostPlatform crossSystem ? "x86_64-linux", # hostPlatform
@@ -107,25 +95,21 @@
let let
commonPkgsConfig = { commonPkgsConfig = {
inherit localSystem crossSystem; inherit localSystem crossSystem;
config.allowUnfreePredicate = config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
pkg: [
builtins.elem (lib.getName pkg) [
"nvidia-x11" "nvidia-x11"
"nvidia-settings" "nvidia-settings"
]; ];
overlays = overlays = (lib.optionals enableDefaults [
(lib.optionals enableDefaults [
# Global overlays go here # Global overlays go here
inputs.roowho2.overlays.default inputs.roowho2.overlays.default
]) ]) ++ overlays;
++ overlays;
}; };
pkgs = import nixpkgs commonPkgsConfig; pkgs = import nixpkgs commonPkgsConfig;
unstablePkgs = import nixpkgs-unstable commonPkgsConfig; unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
in in
lib.nixosSystem ( lib.nixosSystem (lib.recursiveUpdate
lib.recursiveUpdate
{ {
system = crossSystem; system = crossSystem;
@@ -135,38 +119,32 @@
inherit inputs unstablePkgs; inherit inputs unstablePkgs;
values = import ./values.nix; values = import ./values.nix;
fp = path: ./${path}; fp = path: ./${path};
} } // specialArgs;
// specialArgs;
modules = [ modules = [
{ {
networking.hostName = lib.mkDefault name; networking.hostName = lib.mkDefault name;
} }
configurationPath configurationPath
] ] ++ (lib.optionals enableDefaults [
++ (lib.optionals enableDefaults [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
inputs.roowho2.nixosModules.default inputs.roowho2.nixosModules.default
self.nixosModules.rsync-pull-targets self.nixosModules.rsync-pull-targets
]) ]) ++ modules;
++ modules;
} }
( (builtins.removeAttrs extraArgs [
builtins.removeAttrs extraArgs [
"localSystem" "localSystem"
"crossSystem" "crossSystem"
"modules" "modules"
"overlays" "overlays"
"specialArgs" "specialArgs"
"enableDefaults" "enableDefaults"
] ])
)
); );
stableNixosConfig = stableNixosConfig = name: extraArgs:
name: extraArgs: nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs; nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
in in {
{
bakke = stableNixosConfig "bakke" { bakke = stableNixosConfig "bakke" {
modules = [ modules = [
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
@@ -257,8 +235,8 @@
]; ];
}; };
} }
// ( //
let (let
skrottConfig = { skrottConfig = {
modules = [ modules = [
(nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix") (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
@@ -274,46 +252,30 @@
}) })
]; ];
}; };
in in {
{
skrott = self.nixosConfigurations.skrott-native; skrott = self.nixosConfigurations.skrott-native;
skrott-native = stableNixosConfig "skrott" ( skrott-native = stableNixosConfig "skrott" (skrottConfig // {
skrottConfig
// {
localSystem = "aarch64-linux"; localSystem = "aarch64-linux";
crossSystem = "aarch64-linux"; crossSystem = "aarch64-linux";
} });
); skrott-cross = stableNixosConfig "skrott" (skrottConfig // {
skrott-cross = stableNixosConfig "skrott" (
skrottConfig
// {
localSystem = "x86_64-linux"; localSystem = "x86_64-linux";
crossSystem = "aarch64-linux"; crossSystem = "aarch64-linux";
} });
); skrott-x86_64 = stableNixosConfig "skrott" (skrottConfig // {
skrott-x86_64 = stableNixosConfig "skrott" (
skrottConfig
// {
localSystem = "x86_64-linux"; localSystem = "x86_64-linux";
crossSystem = "x86_64-linux"; crossSystem = "x86_64-linux";
} });
); })
} //
) (let
// (
let
machineNames = map (i: "lupine-${toString i}") (lib.range 1 5); machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
stableLupineNixosConfig = stableLupineNixosConfig = name: extraArgs:
name: extraArgs: nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs; nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
in in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
lib.genAttrs machineNames (
name:
stableLupineNixosConfig name {
modules = [{ networking.hostName = name; }]; modules = [{ networking.hostName = name; }];
specialArgs.lupineName = name; specialArgs.lupineName = name;
} }));
)
);
nixosModules = { nixosModules = {
bluemap = ./modules/bluemap.nix; bluemap = ./modules/bluemap.nix;
@@ -326,8 +288,7 @@
}; };
devShells = forAllSystems (system: { devShells = forAllSystems (system: {
default = default = let
let
pkgs = import nixpkgs-unstable { pkgs = import nixpkgs-unstable {
inherit system; inherit system;
overlays = [ overlays = [
@@ -336,10 +297,8 @@
}) })
]; ];
}; };
in in pkgs.callPackage ./shell.nix { };
pkgs.callPackage ./shell.nix { }; cuda = let
cuda =
let
cuda-pkgs = import nixpkgs-unstable { cuda-pkgs = import nixpkgs-unstable {
inherit system; inherit system;
config = { config = {
@@ -347,22 +306,19 @@
cudaSupport = true; cudaSupport = true;
}; };
}; };
in in cuda-pkgs.callPackage ./shells/cuda.nix { };
cuda-pkgs.callPackage ./shells/cuda.nix { };
}); });
packages = { packages = {
"x86_64-linux" = "x86_64-linux" = let
let
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
in in rec {
rec {
default = important-machines; default = important-machines;
important-machines = pkgs.linkFarm "important-machines" ( important-machines = pkgs.linkFarm "important-machines"
lib.getAttrs importantMachines self.packages.${system} (lib.getAttrs importantMachines self.packages.${system});
); all-machines = pkgs.linkFarm "all-machines"
all-machines = pkgs.linkFarm "all-machines" (lib.getAttrs allMachines self.packages.${system}); (lib.getAttrs allMachines self.packages.${system});
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { }; simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
@@ -374,15 +330,13 @@
# Mediawiki extensions # Mediawiki extensions
(lib.pipe null [ (lib.pipe null [
(_: pkgs.callPackage ./packages/mediawiki-extensions { }) (_: pkgs.callPackage ./packages/mediawiki-extensions { })
(lib.flip builtins.removeAttrs [ (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
"override"
"overrideDerivation"
])
(lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}")) (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
]) ])
// //
# Machines # Machines
lib.genAttrs allMachines (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel) lib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
// //
# Skrott is exception # Skrott is exception
{ {
@@ -395,8 +349,7 @@
} }
// //
# Nix-topology # Nix-topology
( (let
let
topology' = import inputs.nix-topology { topology' = import inputs.nix-topology {
pkgs = import nixpkgs { pkgs = import nixpkgs {
inherit system; inherit system;
@@ -415,9 +368,7 @@
modules = [ modules = [
./topology ./topology
{ {
nixosConfigurations = lib.mapAttrs ( nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
_name: nixosCfg:
nixosCfg.extendModules {
modules = [ modules = [
inputs.nix-topology.nixosModules.default inputs.nix-topology.nixosModules.default
./topology/service-extractors/greg-ng.nix ./topology/service-extractors/greg-ng.nix
@@ -425,27 +376,21 @@
./topology/service-extractors/mysql.nix ./topology/service-extractors/mysql.nix
./topology/service-extractors/gitea-runners.nix ./topology/service-extractors/gitea-runners.nix
]; ];
} }) self.nixosConfigurations;
) self.nixosConfigurations;
} }
]; ];
}; };
in in {
{
topology = topology'.config.output; topology = topology'.config.output;
topology-png = topology-png = pkgs.runCommand "pvv-config-topology-png" {
pkgs.runCommand "pvv-config-topology-png"
{
nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ]; nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
} } ''
''
mkdir -p "$out" mkdir -p "$out"
for file in '${topology'.config.output}'/*.svg; do for file in '${topology'.config.output}'/*.svg; do
${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")" ${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
done done
''; '';
} });
);
}; };
}; };
} }


@@ -1,9 +1,4 @@
{ { config, pkgs, values, ... }:
config,
pkgs,
values,
...
}:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
@@ -14,10 +9,7 @@
networking.hostId = "99609ffc"; networking.hostId = "99609ffc";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // { systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0"; matchConfig.Name = "enp2s0";
address = with values.hosts.bakke; [ address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
(ipv4 + "/25")
(ipv6 + "/64")
];
}; };
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.


@@ -1,58 +1,40 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
"ehci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571"; { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=root" ]; options = [ "subvol=root" ];
}; };
fileSystems."/home" = { fileSystems."/home" =
device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571"; { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=home" ]; options = [ "subvol=home" ];
}; };
fileSystems."/nix" = { fileSystems."/nix" =
device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571"; { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs"; fsType = "btrfs";
options = [ options = [ "subvol=nix" "noatime" ];
"subvol=nix"
"noatime"
];
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/sdc2"; { device = "/dev/sdc2";
fsType = "vfat"; fsType = "vfat";
options = [ options = [ "fmask=0022" "dmask=0022" ];
"fmask=0022"
"dmask=0022"
];
}; };
swapDevices = [ ]; swapDevices = [ ];


@@ -1,9 +1,4 @@
{ { fp, pkgs, values, ... }:
fp,
pkgs,
values,
...
}:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
@@ -26,10 +21,7 @@
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // { systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0"; matchConfig.Name = "enp2s0";
address = with values.hosts.bekkalokk; [ address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
(ipv4 + "/25")
(ipv6 + "/64")
];
}; };
services.btrfs.autoScrub.enable = true; services.btrfs.autoScrub.enable = true;


@@ -1,42 +1,30 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
"ehci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/sda1"; { device = "/dev/sda1";
fsType = "btrfs"; fsType = "btrfs";
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/CE63-3B9B"; { device = "/dev/disk/by-uuid/CE63-3B9B";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ swapDevices =
{ device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; } [ { device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@@ -1,15 +1,8 @@
{ { config, lib, pkgs, inputs, ... }:
config,
lib,
pkgs,
inputs,
...
}:
let let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world"; vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
format = pkgs.formats.hocon { }; format = pkgs.formats.hocon { };
in in {
{
# NOTE: our versino of the module gets added in flake.nix # NOTE: our versino of the module gets added in flake.nix
disabledModules = [ "services/web-apps/bluemap.nix" ]; disabledModules = [ "services/web-apps/bluemap.nix" ];
@@ -24,11 +17,9 @@ in
host = "minecraft.pvv.ntnu.no"; host = "minecraft.pvv.ntnu.no";
maps = maps = let
let
inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export; inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
in in {
{
"verden" = { "verden" = {
extraHoconMarkersFile = "${bluemap-export}/overworld.hocon"; extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
settings = { settings = {
@@ -62,11 +53,9 @@ in
remove-caves-below-y = -10000; remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5; cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true; cave-detection-uses-block-light = true;
render-mask = [ render-mask = [{
{
max-y = 90; max-y = 90;
} }];
];
}; };
}; };
"enden" = { "enden" = {
@@ -94,8 +83,7 @@ in
systemd.services."render-bluemap-maps" = { systemd.services."render-bluemap-maps" = {
serviceConfig = { serviceConfig = {
StateDirectory = [ "bluemap/world" ]; StateDirectory = [ "bluemap/world" ];
ExecStartPre = ExecStartPre = let
let
rsyncArgs = lib.cli.toCommandLineShellGNU { } { rsyncArgs = lib.cli.toCommandLineShellGNU { } {
archive = true; archive = true;
compress = true; compress = true;
@@ -104,8 +92,7 @@ in
no-group = true; no-group = true;
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey"; rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
}; };
in in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
"${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
LoadCredential = [ LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}" "sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}" "ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"


@@ -858,7 +858,11 @@ $config = [
/* /*
* Which theme directory should be used? * Which theme directory should be used?
*/ */
'theme.use' => 'default', 'module.enable' => [
'themepvv' => TRUE,
],
'theme.use' => 'themepvv:pvv',
/* /*
* Set this option to the text you would like to appear at the header of each page. Set to false if you don't want * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want
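Review bot: The `'module.enable'` key added next to `theme.use` may duplicate a `module.enable` entry defined elsewhere in this `$config` array. The rest of the file is outside the hunk, so this is unconfirmed, but PHP keeps only the last value for a repeated array key, so a second definition would silently replace the earlier module list instead of extending it. If an earlier entry exists, add `'themepvv' => true,` to it and keep only `'theme.use' => 'themepvv:pvv',` here. The existing comment "Which theme directory should be used?" now sits above `module.enable` rather than `theme.use`, so give the new key its own comment, for example `/* Enable the module that provides the PVV login theme. */`. Because this configures the identity provider's login page, also confirm that the `themepvv` module is actually shipped in the packaged SimpleSAMLphp tree; nothing in the visible hunks adds it.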


@@ -1,16 +1,8 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
pwAuthScript = pkgs.writeShellApplication { pwAuthScript = pkgs.writeShellApplication {
name = "pwauth"; name = "pwauth";
runtimeInputs = with pkgs; [ runtimeInputs = with pkgs; [ coreutils heimdal ];
coreutils
heimdal
];
text = '' text = ''
read -r user1 read -r user1
user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')" user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
@@ -93,20 +85,14 @@ let
substituteInPlace "$out" \ substituteInPlace "$out" \
--replace-warn '$SAML_COOKIE_SECURE' 'true' \ --replace-warn '$SAML_COOKIE_SECURE' 'true' \
--replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${ --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
config.sops.secrets."idp/cookie_salt".path
}")' \
--replace-warn '$SAML_ADMIN_NAME' '"Drift"' \ --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
--replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \ --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${ --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
config.sops.secrets."idp/admin_password".path
}")' \
--replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \ --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
--replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \ --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
--replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \ --replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \
--replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${ --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
config.sops.secrets."idp/postgres_password".path
}")' \
--replace-warn '$CACHE_DIRECTORY' '/var/cache/idp' --replace-warn '$CACHE_DIRECTORY' '/var/cache/idp'
''; '';
@@ -172,12 +158,10 @@ in
services.phpfpm.pools.idp = { services.phpfpm.pools.idp = {
user = "idp"; user = "idp";
group = "idp"; group = "idp";
settings = settings = let
let
listenUser = config.services.nginx.user; listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group; listenGroup = config.services.nginx.group;
in in {
{
"pm" = "dynamic"; "pm" = "dynamic";
"pm.max_children" = 32; "pm.max_children" = 32;
"pm.max_requests" = 500; "pm.max_requests" = 500;


@@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
{ {
security.krb5 = { security.krb5 = {
enable = true; enable = true;


@@ -1,12 +1,4 @@
{ { pkgs, lib, fp, config, values, ... }: let
pkgs,
lib,
fp,
config,
values,
...
}:
let
cfg = config.services.mediawiki; cfg = config.services.mediawiki;
# "mediawiki" # "mediawiki"
@@ -17,9 +9,7 @@ let
simplesamlphp = pkgs.simplesamlphp.override { simplesamlphp = pkgs.simplesamlphp.override {
extra_files = { extra_files = {
"metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" ( "metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
import ../idp-simplesamlphp/metadata.php.nix
);
"config/authsources.php" = ./simplesaml-authsources.php; "config/authsources.php" = ./simplesaml-authsources.php;
@@ -28,47 +18,34 @@ let
substituteInPlace "$out" \ substituteInPlace "$out" \
--replace-warn '$SAML_COOKIE_SECURE' 'true' \ --replace-warn '$SAML_COOKIE_SECURE' 'true' \
--replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${ --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path
}")' \
--replace-warn '$SAML_ADMIN_NAME' '"Drift"' \ --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
--replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \ --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${ --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
config.sops.secrets."mediawiki/simplesamlphp/admin_password".path
}")' \
--replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \ --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
--replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \ --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
--replace-warn '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \ --replace-warn '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
--replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${ --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path
}")' \
--replace-warn '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp' --replace-warn '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
''; '';
}; };
}; };
in in {
{
services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ]; services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
sops.secrets = sops.secrets = lib.pipe [
lib.pipe
[
"mediawiki/secret-key" "mediawiki/secret-key"
"mediawiki/password" "mediawiki/password"
"mediawiki/postgres_password" "mediawiki/postgres_password"
"mediawiki/simplesamlphp/postgres_password" "mediawiki/simplesamlphp/postgres_password"
"mediawiki/simplesamlphp/cookie_salt" "mediawiki/simplesamlphp/cookie_salt"
"mediawiki/simplesamlphp/admin_password" "mediawiki/simplesamlphp/admin_password"
] ] [
[ (map (key: lib.nameValuePair key {
(map (
key:
lib.nameValuePair key {
owner = user; owner = user;
group = group; group = group;
restartUnits = [ "phpfpm-mediawiki.service" ]; restartUnits = [ "phpfpm-mediawiki.service" ];
} }))
))
lib.listToAttrs lib.listToAttrs
]; ];
@@ -238,9 +215,7 @@ in
# Cache directory for simplesamlphp # Cache directory for simplesamlphp
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp"; # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable {
lib.mkIf cfg.enable
{
user = "mediawiki"; user = "mediawiki";
group = "mediawiki"; group = "mediawiki";
mode = "0770"; mode = "0770";
@@ -278,12 +253,9 @@ in
"= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg; "= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg;
"= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png; "= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png;
"= /favicon.ico".alias = "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
pkgs.runCommandLocal "mediawiki-favicon.ico"
{
buildInputs = with pkgs; [ imagemagick ]; buildInputs = with pkgs; [ imagemagick ];
} } ''
''
magick \ magick \
${fp /assets/logo_blue_regular.png} \ ${fp /assets/logo_blue_regular.png} \
-resize x64 \ -resize x64 \
@@ -301,9 +273,7 @@ in
systemd.services.mediawiki-init = lib.mkIf cfg.enable { systemd.services.mediawiki-init = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ]; after = [ "sops-install-secrets.service" ];
serviceConfig = { serviceConfig = {
BindReadOnlyPaths = [ BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
"/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key"
];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ]; LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
UMask = lib.mkForce "0007"; UMask = lib.mkForce "0007";
}; };
@@ -312,9 +282,7 @@ in
systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable { systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ]; after = [ "sops-install-secrets.service" ];
serviceConfig = { serviceConfig = {
BindReadOnlyPaths = [ BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
"/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key"
];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ]; LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
UMask = lib.mkForce "0007"; UMask = lib.mkForce "0007";
}; };


@@ -11,8 +11,7 @@ in
{ {
# Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/ # Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
systemd.services = lib.genAttrs pools (_: { systemd.services = lib.genAttrs pools (_: {
serviceConfig = serviceConfig = let
let
caps = [ caps = [
"CAP_NET_BIND_SERVICE" "CAP_NET_BIND_SERVICE"
"CAP_SETGID" "CAP_SETGID"
@@ -22,8 +21,7 @@ in
"CAP_IPC_LOCK" "CAP_IPC_LOCK"
"CAP_DAC_OVERRIDE" "CAP_DAC_OVERRIDE"
]; ];
in in {
{
AmbientCapabilities = caps; AmbientCapabilities = caps;
CapabilityBoundingSet = caps; CapabilityBoundingSet = caps;
DeviceAllow = [ "" ]; DeviceAllow = [ "" ];


@@ -1,18 +1,11 @@
{ { config, pkgs, lib, values, ... }:
config,
pkgs,
lib,
values,
...
}:
let let
cfg = config.services.vaultwarden; cfg = config.services.vaultwarden;
domain = "pw.pvv.ntnu.no"; domain = "pw.pvv.ntnu.no";
address = "127.0.1.2"; address = "127.0.1.2";
port = 3011; port = 3011;
wsPort = 3012; wsPort = 3012;
in in {
{
sops.secrets."vaultwarden/environ" = { sops.secrets."vaultwarden/environ" = {
owner = "vaultwarden"; owner = "vaultwarden";
group = "vaultwarden"; group = "vaultwarden";


@@ -1,10 +1,4 @@
{ { config, values, pkgs, lib, ... }:
config,
values,
pkgs,
lib,
...
}:
{ {
imports = [ imports = [
./roundcube.nix ./roundcube.nix


@@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
with lib; with lib;
let let
@@ -19,24 +14,14 @@ in
services.roundcube = { services.roundcube = {
enable = true; enable = true;
package = pkgs.roundcube.withPlugins ( package = pkgs.roundcube.withPlugins (plugins: with plugins; [
plugins: with plugins; [
persistent_login persistent_login
thunderbird_labels thunderbird_labels
contextmenu contextmenu
custom_from custom_from
] ]);
);
dicts = with pkgs.aspellDicts; [ dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
en
en-computers
nb
nn
fr
de
it
];
maxAttachmentSize = 20; maxAttachmentSize = 20;
hostName = "roundcubeplaceholder.example.com"; hostName = "roundcubeplaceholder.example.com";
@@ -69,8 +54,7 @@ in
ln -s ${cfg.package} $out/roundcube ln -s ${cfg.package} $out/roundcube
''; '';
extraConfig = '' extraConfig = ''
location ~ ^/roundcube/(${ location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
builtins.concatStringsSep "|" [
# https://wiki.archlinux.org/title/Roundcube # https://wiki.archlinux.org/title/Roundcube
"README" "README"
"INSTALL" "INSTALL"
@@ -84,8 +68,7 @@ in
"config" "config"
"temp" "temp"
"logs" "logs"
] ]})/? {
})/? {
deny all; deny all;
} }


@@ -1,15 +1,7 @@
{ { config, lib, fp, pkgs, values, ... }:
config,
lib,
fp,
pkgs,
values,
...
}:
let let
cfg = config.services.snappymail; cfg = config.services.snappymail;
in in {
{
imports = [ (fp /modules/snappymail.nix) ]; imports = [ (fp /modules/snappymail.nix) ];
services.snappymail = { services.snappymail = {


@@ -1,27 +1,18 @@
{ { pkgs, lib, config, ... }:
pkgs,
lib,
config,
...
}:
let let
format = pkgs.formats.php { }; format = pkgs.formats.php { };
cfg = config.services.pvv-nettsiden; cfg = config.services.pvv-nettsiden;
in in {
{
imports = [ imports = [
./fetch-gallery.nix ./fetch-gallery.nix
]; ];
sops.secrets = sops.secrets = lib.genAttrs [
lib.genAttrs
[
"nettsiden/door_secret" "nettsiden/door_secret"
"nettsiden/mysql_password" "nettsiden/mysql_password"
"nettsiden/simplesamlphp/admin_password" "nettsiden/simplesamlphp/admin_password"
"nettsiden/simplesamlphp/cookie_salt" "nettsiden/simplesamlphp/cookie_salt"
] ] (_: {
(_: {
owner = config.services.phpfpm.pools.pvv-nettsiden.user; owner = config.services.phpfpm.pools.pvv-nettsiden.user;
group = config.services.phpfpm.pools.pvv-nettsiden.group; group = config.services.phpfpm.pools.pvv-nettsiden.group;
restartUnits = [ "phpfpm-pvv-nettsiden.service" ]; restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
@@ -44,10 +35,8 @@ in
package = pkgs.pvv-nettsiden.override { package = pkgs.pvv-nettsiden.override {
extra_files = { extra_files = {
"${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix); "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" ''
"${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" =
pkgs.writeText "pvv-nettsiden-authsources.php" ''
<?php <?php
$config = array( $config = array(
'admin' => array( 'admin' => array(
@@ -65,12 +54,9 @@ in
domainName = "www.pvv.ntnu.no"; domainName = "www.pvv.ntnu.no";
settings = settings = let
let includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
includeFromSops = in {
path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
in
{
DOOR_SECRET = includeFromSops "door_secret"; DOOR_SECRET = includeFromSops "door_secret";
DB = { DB = {


@@ -1,15 +1,8 @@
{ { pkgs, lib, config, values, ... }:
pkgs,
lib,
config,
values,
...
}:
let let
galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR; galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer"; transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
in in {
{
users.users.${config.services.pvv-nettsiden.user} = { users.users.${config.services.pvv-nettsiden.user} = {
# NOTE: the user unfortunately needs a registered shell for rrsync to function... # NOTE: the user unfortunately needs a registered shell for rrsync to function...
# is there anything we can do to remove this? # is there anything we can do to remove this?
@@ -44,20 +37,14 @@ in
}; };
systemd.services.pvv-nettsiden-gallery-update = { systemd.services.pvv-nettsiden-gallery-update = {
path = with pkgs; [ path = with pkgs; [ imagemagick gnutar gzip ];
imagemagick
gnutar
gzip
];
script = '' script = ''
tar ${ tar ${lib.cli.toGNUCommandLineShell {} {
lib.cli.toGNUCommandLineShell { } {
extract = true; extract = true;
file = "${transferDir}/gallery.tar.gz"; file = "${transferDir}/gallery.tar.gz";
directory = "."; directory = ".";
} }}
}
# Delete files and directories that exists in the gallery that don't exist in the tarball # Delete files and directories that exists in the gallery that don't exist in the tarball
filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||'))) filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))


@@ -1,14 +1,11 @@
{ lib, ... }: { lib, ... }:
{ {
services.nginx.virtualHosts = services.nginx.virtualHosts = lib.genAttrs [
lib.genAttrs
[
"pvv.ntnu.no" "pvv.ntnu.no"
"www.pvv.ntnu.no" "www.pvv.ntnu.no"
"pvv.org" "pvv.org"
"www.pvv.org" "www.pvv.org"
] ] (_: {
(_: {
locations = { locations = {
"^~ /.well-known/" = { "^~ /.well-known/" = {
alias = (toString ./root) + "/"; alias = (toString ./root) + "/";


@@ -1,9 +1,4 @@
{ { fp, pkgs, values, ... }:
fp,
pkgs,
values,
...
}:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
@@ -24,16 +19,8 @@
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
#matchConfig.Name = "enp6s0f0"; #matchConfig.Name = "enp6s0f0";
matchConfig.Name = "ens18"; matchConfig.Name = "ens18";
address = address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
with values.hosts.bicep; ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
[
(ipv4 + "/25")
(ipv6 + "/64")
]
++ (with values.services.turn; [
(ipv4 + "/25")
(ipv6 + "/64")
]);
}; };
systemd.network.wait-online = { systemd.network.wait-online = {
anyInterface = true; anyInterface = true;


@@ -1,48 +1,33 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/profiles/qemu-guest.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ahci" "sd_mod" "sr_mod" ];
"ata_piix"
"uhci_hcd"
"ahci"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a"; { device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a";
fsType = "ext4"; fsType = "ext4";
}; };
# temp data disk, only 128gb not enough until we can add another disk to the system. # temp data disk, only 128gb not enough until we can add another disk to the system.
fileSystems."/data" = { fileSystems."/data" =
device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba"; { device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/198B-E363"; { device = "/dev/disk/by-uuid/198B-E363";
fsType = "vfat"; fsType = "vfat";
options = [ options = [ "fmask=0022" "dmask=0022" ];
"fmask=0022"
"dmask=0022"
];
}; };
swapDevices = [ ]; swapDevices = [ ];


@@ -1,14 +1,7 @@
{ { config, fp, lib, pkgs, ... }:
config,
fp,
lib,
pkgs,
...
}:
let let
cfg = config.services.pvv-calendar-bot; cfg = config.services.pvv-calendar-bot;
in in {
{
sops.secrets = { sops.secrets = {
"calendar-bot/matrix_token" = { "calendar-bot/matrix_token" = {
sopsFile = fp /secrets/bicep/bicep.yaml; sopsFile = fp /secrets/bicep/bicep.yaml;


@@ -1,10 +1,4 @@
{ { config, pkgs, lib, fp, ... }:
config,
pkgs,
lib,
fp,
...
}:
let let
cfg = config.services.gickup; cfg = config.services.gickup;
in in
@@ -26,16 +20,14 @@ in
lfs = false; lfs = false;
}; };
instances = instances = let
let
defaultGithubConfig = { defaultGithubConfig = {
settings.token_file = config.sops.secrets."gickup/github-token".path; settings.token_file = config.sops.secrets."gickup/github-token".path;
}; };
defaultGitlabConfig = { defaultGitlabConfig = {
# settings.token_file = ... # settings.token_file = ...
}; };
in in {
{
"github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig; "github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
"github:NixOS/nixpkgs" = defaultGithubConfig; "github:NixOS/nixpkgs" = defaultGithubConfig;
"github:go-gitea/gitea" = defaultGithubConfig; "github:go-gitea/gitea" = defaultGithubConfig;
@@ -66,11 +58,9 @@ in
}; };
}; };
services.cgit = services.cgit = let
let
domain = "mirrors.pvv.ntnu.no"; domain = "mirrors.pvv.ntnu.no";
in in {
{
${domain} = { ${domain} = {
enable = true; enable = true;
package = pkgs.callPackage (fp /packages/cgit.nix) { }; package = pkgs.callPackage (fp /packages/cgit.nix) { };
@@ -96,18 +86,13 @@ in
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."= /PVV-logo.png".alias = locations."= /PVV-logo.png".alias = let
let small-pvv-logo = pkgs.runCommandLocal "pvv-logo-96x96" {
small-pvv-logo =
pkgs.runCommandLocal "pvv-logo-96x96"
{
nativeBuildInputs = [ pkgs.imagemagick ]; nativeBuildInputs = [ pkgs.imagemagick ];
} } ''
''
magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out" magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
''; '';
in in toString small-pvv-logo;
toString small-pvv-logo;
}; };
systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = { systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = {


@@ -1,12 +1,4 @@
{ { config, lib, fp, pkgs, secrets, values, ... }:
config,
lib,
fp,
pkgs,
secrets,
values,
...
}:
{ {
sops.secrets."matrix/coturn/static-auth-secret" = { sops.secrets."matrix/coturn/static-auth-secret" = {
@@ -135,30 +127,17 @@
}; };
networking.firewall = { networking.firewall = {
interfaces.enp6s0f0 = interfaces.enp6s0f0 = let
let range = with config.services.coturn; [ {
range = with config.services.coturn; [
{
from = min-port; from = min-port;
to = max-port; to = max-port;
} } ];
];
in in
{ {
allowedUDPPortRanges = range; allowedUDPPortRanges = range;
allowedUDPPorts = [ allowedUDPPorts = [ 443 3478 3479 5349 ];
443
3478
3479
5349
];
allowedTCPPortRanges = range; allowedTCPPortRanges = range;
allowedTCPPorts = [ allowedTCPPorts = [ 443 3478 3479 5349 ];
443
3478
3479
5349
];
}; };
}; };


@@ -1,9 +1,4 @@
{ { config, lib, fp, ... }:
config,
lib,
fp,
...
}:
let let
cfg = config.services.mx-puppet-discord; cfg = config.services.mx-puppet-discord;
@@ -49,6 +44,7 @@ in
]; ];
}; };
services.mx-puppet-discord.enable = false; services.mx-puppet-discord.enable = false;
services.mx-puppet-discord.settings = { services.mx-puppet-discord.settings = {
bridge = { bridge = {
@@ -56,21 +52,16 @@ in
domain = "pvv.ntnu.no"; domain = "pvv.ntnu.no";
homeserverUrl = "https://matrix.pvv.ntnu.no"; homeserverUrl = "https://matrix.pvv.ntnu.no";
}; };
provisioning.whitelist = [ provisioning.whitelist = [ "@dandellion:dodsorf\\.as" "@danio:pvv\\.ntnu\\.no"];
"@dandellion:dodsorf\\.as"
"@danio:pvv\\.ntnu\\.no"
];
relay.whitelist = [ ".*" ]; relay.whitelist = [ ".*" ];
selfService.whitelist = [ selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
"@danio:pvv\\.ntnu\\.no"
"@dandellion:dodsorf\\.as"
];
}; };
services.mx-puppet-discord.serviceDependencies = [ services.mx-puppet-discord.serviceDependencies = [
"matrix-synapse.target" "matrix-synapse.target"
"nginx.service" "nginx.service"
]; ];
services.matrix-synapse-next.settings = { services.matrix-synapse-next.settings = {
app_service_config_files = [ app_service_config_files = [
config.sops.templates."discord-registration.yaml".path config.sops.templates."discord-registration.yaml".path


@@ -1,13 +1,7 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
let let
synapse-cfg = config.services.matrix-synapse-next; synapse-cfg = config.services.matrix-synapse-next;
in in {
{
services.pvv-matrix-well-known.client = { services.pvv-matrix-well-known.client = {
"m.homeserver" = { "m.homeserver" = {
base_url = "https://matrix.pvv.ntnu.no"; base_url = "https://matrix.pvv.ntnu.no";


@@ -1,11 +1,4 @@
{ { config, lib, fp, unstablePkgs, inputs, ... }:
config,
lib,
fp,
unstablePkgs,
inputs,
...
}:
let let
cfg = config.services.matrix-hookshot; cfg = config.services.matrix-hookshot;
@@ -107,8 +100,7 @@ in
}; };
serviceBots = [ serviceBots = [
{ { localpart = "bot_feeds";
localpart = "bot_feeds";
displayname = "Aya"; displayname = "Aya";
avatar = ./feeds.png; avatar = ./feeds.png;
prefix = "!aya"; prefix = "!aya";
@@ -123,44 +115,20 @@ in
permissions = [ permissions = [
# Users of the PVV Server # Users of the PVV Server
{ { actor = "pvv.ntnu.no";
actor = "pvv.ntnu.no"; services = [ { service = "*"; level = "commands"; } ];
services = [
{
service = "*";
level = "commands";
}
];
} }
# Members of Medlem space (for people with their own hs) # Members of Medlem space (for people with their own hs)
{ { actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no"; services = [ { service = "*"; level = "commands"; } ];
services = [
{
service = "*";
level = "commands";
}
];
} }
# Members of Drift # Members of Drift
{ { actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no"; services = [ { service = "*"; level = "admin"; } ];
services = [
{
service = "*";
level = "admin";
}
];
} }
# Dan bootstrap # Dan bootstrap
{ { actor = "@dandellion:dodsorf.as";
actor = "@dandellion:dodsorf.as"; services = [ { service = "*"; level = "admin"; } ];
services = [
{
service = "*";
level = "admin";
}
];
} }
]; ];
}; };


@@ -1,9 +1,4 @@
{ { config, lib, fp, ... }:
config,
lib,
fp,
...
}:
let let
synapseConfig = config.services.matrix-synapse-next; synapseConfig = config.services.matrix-synapse-next;
matrixDomain = "matrix.pvv.ntnu.no"; matrixDomain = "matrix.pvv.ntnu.no";
@@ -25,12 +20,10 @@ in
}; };
services.pvv-matrix-well-known.client = lib.mkIf cfg.enable { services.pvv-matrix-well-known.client = lib.mkIf cfg.enable {
"org.matrix.msc4143.rtc_foci" = [ "org.matrix.msc4143.rtc_foci" = [{
{
type = "livekit"; type = "livekit";
livekit_service_url = "https://${matrixDomain}/livekit/jwt"; livekit_service_url = "https://${matrixDomain}/livekit/jwt";
} }];
];
}; };
services.livekit = { services.livekit = {
@@ -50,12 +43,7 @@ in
keyFile = config.sops.templates."matrix-livekit-keyfile".path; keyFile = config.sops.templates."matrix-livekit-keyfile".path;
}; };
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable ( systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (builtins.concatStringsSep "," [ "pvv.ntnu.no" "dodsorf.as" ]);
builtins.concatStringsSep "," [
"pvv.ntnu.no"
"dodsorf.as"
]
);
services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable { services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
locations."^~ /livekit/jwt/" = { locations."^~ /livekit/jwt/" = {


@@ -1,9 +1,4 @@
{ { config, lib, fp, ... }:
config,
lib,
fp,
...
}:
{ {
sops.secrets."matrix/mjolnir/access_token" = { sops.secrets."matrix/mjolnir/access_token" = {


@@ -1,11 +1,4 @@
{ { config, pkgs, lib, values, fp, ... }:
config,
pkgs,
lib,
values,
fp,
...
}:
let let
cfg = config.services.matrix-ooye; cfg = config.services.matrix-ooye;
in in


@@ -1,9 +1,4 @@
{ { lib, buildPythonPackage, fetchFromGitHub, setuptools }:
lib,
buildPythonPackage,
fetchFromGitHub,
setuptools,
}:
buildPythonPackage rec { buildPythonPackage rec {
pname = "matrix-synapse-smtp-auth"; pname = "matrix-synapse-smtp-auth";


@@ -1,9 +1,5 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
# This service requires you to have access to endpoints not available over the internet # This service requires you to have access to endpoints not available over the internet
# Use an ssh proxy or similar to access this dashboard. # Use an ssh proxy or similar to access this dashboard.


@@ -1,9 +1,4 @@
{ { config, lib, utils, ... }:
config,
lib,
utils,
...
}:
let let
cfg = config.services.synapse-auto-compressor; cfg = config.services.synapse-auto-compressor;
in in


@@ -1,23 +1,13 @@
{ { config, lib, fp, pkgs, values, inputs, ... }:
config,
lib,
fp,
pkgs,
values,
inputs,
...
}:
let let
cfg = config.services.matrix-synapse-next; cfg = config.services.matrix-synapse-next;
matrix-lib = inputs.matrix-next.lib; matrix-lib = inputs.matrix-next.lib;
imap0Attrs = imap0Attrs = with lib; f: set:
with lib; listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
f: set: listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set)); in {
in
{
sops.secrets."matrix/synapse/signing_key" = { sops.secrets."matrix/synapse/signing_key" = {
key = "synapse/signing_key"; key = "synapse/signing_key";
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
@@ -33,9 +23,7 @@ in
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group; group = config.users.users.matrix-synapse.group;
content = '' content = ''
registration_shared_secret: ${ registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"
}
''; '';
}; };
@@ -122,8 +110,7 @@ in
password_config.enabled = true; password_config.enabled = true;
modules = [ modules = [
{ { module = "smtp_auth_provider.SMTPAuthProvider";
module = "smtp_auth_provider.SMTPAuthProvider";
config = { config = {
smtp_host = "smtp.pvv.ntnu.no"; smtp_host = "smtp.pvv.ntnu.no";
}; };
@@ -212,30 +199,22 @@ in
}; };
} }
{ {
locations = locations = let
let
connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w; connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
socketAddress = socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString c.port}";
w:
let
c = connectionInfo w;
in
"${c.host}:${toString c.port}";
metricsPath = w: "/metrics/${w.type}/${toString w.index}"; metricsPath = w: "/metrics/${w.type}/${toString w.index}";
proxyPath = w: "http://${socketAddress w}/_synapse/metrics"; proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
in in lib.mapAttrs' (n: v: lib.nameValuePair
lib.mapAttrs' ( (metricsPath v) {
n: v:
lib.nameValuePair (metricsPath v) {
proxyPass = proxyPath v; proxyPass = proxyPath v;
extraConfig = '' extraConfig = ''
allow ${values.hosts.ildkule.ipv4}; allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6}; allow ${values.hosts.ildkule.ipv6};
deny all; deny all;
''; '';
} })
) cfg.workers.instances; cfg.workers.instances;
} }
{ {
locations."/metrics/master/1" = { locations."/metrics/master/1" = {
@@ -247,28 +226,18 @@ in
''; '';
}; };
locations."/metrics/" = locations."/metrics/" = let
let endpoints = lib.pipe cfg.workers.instances [
endpoints =
lib.pipe cfg.workers.instances [
(lib.mapAttrsToList (_: v: v)) (lib.mapAttrsToList (_: v: v))
(map (w: "${w.type}/${toString w.index}")) (map (w: "${w.type}/${toString w.index}"))
(map (w: "matrix.pvv.ntnu.no/metrics/${w}")) (map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
] ] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
++ [ "matrix.pvv.ntnu.no/metrics/master/1" ]; in {
in alias = pkgs.writeTextDir "/config.json"
{ (builtins.toJSON [
alias = { targets = endpoints;
pkgs.writeTextDir "/config.json" (
builtins.toJSON [
{
targets = endpoints;
labels = { }; labels = { };
} }]) + "/";
]
)
+ "/";
}; };
} }];
];
} }


@@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
cfg = config.services.pvv-matrix-well-known; cfg = config.services.pvv-matrix-well-known;
format = pkgs.formats.json { }; format = pkgs.formats.json { };


@@ -1,9 +1,4 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
let let
cfg = config.services.minecraft-heatmap; cfg = config.services.minecraft-heatmap;
in in
@@ -32,15 +27,13 @@ in
"sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}" "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
]; ];
preStart = preStart = let
let
knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" '' knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
innovation.pvv.ntnu.no ssh-rsa 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 innovation.pvv.ntnu.no ssh-rsa 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
innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8= innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
''; '';
in in ''
''
mkdir -p '${cfg.minecraftLogsDir}' mkdir -p '${cfg.minecraftLogsDir}'
"${lib.getExe pkgs.rsync}" \ "${lib.getExe pkgs.rsync}" \
--archive \ --archive \


@@ -1,10 +1,4 @@
{ { config, lib, pkgs, values, ... }:
config,
lib,
pkgs,
values,
...
}:
let let
cfg = config.services.mysql; cfg = config.services.mysql;
backupDir = "/data/mysql-backups"; backupDir = "/data/mysql-backups";
@@ -50,11 +44,9 @@ in
zstd zstd
]; ];
script = script = let
let
rotations = 2; rotations = 2;
in in ''
''
set -euo pipefail set -euo pipefail
OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst" OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"


@@ -1,10 +1,4 @@
{ { config, pkgs, lib, values, ... }:
config,
pkgs,
lib,
values,
...
}:
let let
cfg = config.services.mysql; cfg = config.services.mysql;
dataDir = "/data/mysql"; dataDir = "/data/mysql";
@@ -42,14 +36,12 @@ in
# a password which can be found in /secrets/ildkule/ildkule.yaml # a password which can be found in /secrets/ildkule/ildkule.yaml
# We have also changed both the host and auth plugin of this user # We have also changed both the host and auth plugin of this user
# to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively. # to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
ensureUsers = [ ensureUsers = [{
{
name = "prometheus_mysqld_exporter"; name = "prometheus_mysqld_exporter";
ensurePermissions = { ensurePermissions = {
"*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR"; "*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
}; };
} }];
];
}; };
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ]; networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];


@@ -1,10 +1,4 @@
{ { config, lib, pkgs, values, ... }:
config,
lib,
pkgs,
values,
...
}:
let let
cfg = config.services.postgresql; cfg = config.services.postgresql;
backupDir = "/data/postgresql-backups"; backupDir = "/data/postgresql-backups";
@@ -51,11 +45,9 @@ in
cfg.package cfg.package
]; ];
script = script = let
let
rotations = 2; rotations = 2;
in in ''
''
set -euo pipefail set -euo pipefail
OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst" OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"


@@ -1,10 +1,4 @@
{ { config, lib, pkgs, values, ... }:
config,
lib,
pkgs,
values,
...
}:
let let
cfg = config.services.postgresql; cfg = config.services.postgresql;
in in


@@ -1,10 +1,4 @@
{ { config, pkgs, values, ... }:
lib,
config,
pkgs,
values,
...
}:
{ {
networking.nat = { networking.nat = {
enable = true; enable = true;
@@ -16,9 +10,7 @@
containers.bikkje = { containers.bikkje = {
autoStart = true; autoStart = true;
config = config = { config, pkgs, ... }: {
{ config, pkgs, ... }:
{
#import packages #import packages
packages = with pkgs; [ packages = with pkgs; [
alpine alpine
@@ -37,52 +29,12 @@
firewall = { firewall = {
enable = true; enable = true;
# Allow SSH and HTTP and ports for email and irc # Allow SSH and HTTP and ports for email and irc
allowedTCPPorts = [ allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
80 allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
22
194
994
6665
6666
6667
6668
6669
6697
995
993
25
465
587
110
143
993
995
];
allowedUDPPorts = [
80
22
194
994
6665
6666
6667
6668
6669
6697
995
993
25
465
587
110
143
993
995
];
}; };
# Use systemd-resolved inside the container # Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false; useHostResolvConf = mkForce false;
}; };
services.resolved.enable = true; services.resolved.enable = true;
@@ -92,4 +44,4 @@
system.stateVersion = "23.11"; system.stateVersion = "23.11";
}; };
}; };
} };
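Review bot: `useHostResolvConf = mkForce false;` inside the `bikkje` container config uses `mkForce` unqualified, while the module header on what the hunk counts indicate is the new side no longer takes `lib` (`{ config, pkgs, values, ... }:`). Unless a `with lib;` sits outside the visible hunks, this fails evaluation with an undefined variable; keep `lib` in the argument set and write `useHostResolvConf = lib.mkForce false;`. The final hunk also ends the file with `};` where the other side has `}`, which looks like a parse error for a module file and is worth confirming by evaluating the host configuration. Separately, `allowedUDPPorts` repeats the TCP list verbatim (SSH, HTTP, mail and IRC ports, with 993 and 995 listed twice); those services are normally TCP-only, so the UDP list can probably be dropped to reduce what the container exposes.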


@@ -1,10 +1,4 @@
{ { config, fp, pkgs, values, ... }:
config,
fp,
pkgs,
values,
...
}:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
@@ -16,10 +10,7 @@
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // { systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
matchConfig.Name = "eno1"; matchConfig.Name = "eno1";
address = with values.hosts.brzeczyszczykiewicz; [ address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
(ipv4 + "/25")
(ipv6 + "/64")
];
}; };
fonts.fontconfig.enable = true; fonts.fontconfig.enable = true;


@@ -1,44 +1,30 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
"xhci_pci"
"ehci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204"; { device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/82E3-3D03"; { device = "/dev/disk/by-uuid/82E3-3D03";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ swapDevices =
{ device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; } [ { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@@ -1,10 +1,4 @@
{ { config, fp, pkgs, values, ... }:
config,
fp,
pkgs,
values,
...
}:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
@@ -16,10 +10,7 @@
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // { systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
matchConfig.Name = "eno1"; matchConfig.Name = "eno1";
address = with values.hosts.georg; [ address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
(ipv4 + "/25")
(ipv6 + "/64")
];
}; };
services.spotifyd = { services.spotifyd = {


@@ -1,43 +1,30 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
"xhci_pci"
"ehci_pci"
"ahci"
"usb_storage"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0"; { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/145E-7362"; { device = "/dev/disk/by-uuid/145E-7362";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ swapDevices =
{ device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; } [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@@ -1,11 +1,4 @@
{ { config, fp, pkgs, lib, values, ... }:
config,
fp,
pkgs,
lib,
values,
...
}:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
@@ -24,11 +17,9 @@
# Openstack Neutron and systemd-networkd are not best friends, use something else: # Openstack Neutron and systemd-networkd are not best friends, use something else:
systemd.network.enable = lib.mkForce false; systemd.network.enable = lib.mkForce false;
networking = networking = let
let
hostConf = values.hosts.ildkule; hostConf = values.hosts.ildkule;
in in {
{
tempAddresses = "disabled"; tempAddresses = "disabled";
useDHCP = lib.mkForce true; useDHCP = lib.mkForce true;
@@ -38,20 +29,11 @@
interfaces."ens4" = { interfaces."ens4" = {
ipv4.addresses = [ ipv4.addresses = [
{ { address = hostConf.ipv4; prefixLength = 32; }
address = hostConf.ipv4; { address = hostConf.ipv4_internal; prefixLength = 24; }
prefixLength = 32;
}
{
address = hostConf.ipv4_internal;
prefixLength = 24;
}
]; ];
ipv6.addresses = [ ipv6.addresses = [
{ { address = hostConf.ipv6; prefixLength = 64; }
address = hostConf.ipv6;
prefixLength = 64;
}
]; ];
}; };
}; };


@@ -1,12 +1,7 @@
{ modulesPath, lib, ... }: { modulesPath, lib, ... }:
{ {
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
"ata_piix"
"uhci_hcd"
"xen_blkfront"
"vmw_pvscsi"
];
boot.initrd.kernelModules = [ "nvme" ]; boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { fileSystems."/" = {
device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942"; device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";


@@ -1,9 +1,4 @@
{ { config, lib, values, ... }:
config,
lib,
values,
...
}:
let let
cfg = config.services.journald.remote; cfg = config.services.journald.remote;
domainName = "journald.pvv.ntnu.no"; domainName = "journald.pvv.ntnu.no";
@@ -27,11 +22,9 @@ in
services.journald.remote = { services.journald.remote = {
enable = true; enable = true;
settings.Remote = settings.Remote = let
let
inherit (config.security.acme.certs.${domainName}) directory; inherit (config.security.acme.certs.${domainName}) directory;
in in {
{
ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem"; ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem"; ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
TrustedCertificateFile = "-"; TrustedCertificateFile = "-";
@@ -54,11 +47,9 @@ in
systemd.services."systemd-journal-remote" = { systemd.services."systemd-journal-remote" = {
serviceConfig = { serviceConfig = {
LoadCredential = LoadCredential = let
let
inherit (config.security.acme.certs.${domainName}) directory; inherit (config.security.acme.certs.${domainName}) directory;
in in [
[
"key.pem:${directory}/key.pem" "key.pem:${directory}/key.pem"
"cert.pem:${directory}/cert.pem" "cert.pem:${directory}/cert.pem"
]; ];


@@ -1,19 +1,10 @@
{ { config, pkgs, values, ... }: let
config,
pkgs,
values,
...
}:
let
cfg = config.services.grafana; cfg = config.services.grafana;
in in {
{ sops.secrets = let
sops.secrets =
let
owner = "grafana"; owner = "grafana";
group = "grafana"; group = "grafana";
in in {
{
"keys/grafana/secret_key" = { inherit owner group; }; "keys/grafana/secret_key" = { inherit owner group; };
"keys/grafana/admin_password" = { inherit owner group; }; "keys/grafana/admin_password" = { inherit owner group; };
}; };
@@ -21,12 +12,10 @@ in
services.grafana = { services.grafana = {
enable = true; enable = true;
settings = settings = let
let
# See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider # See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
secretFile = path: "$__file{${path}}"; secretFile = path: "$__file{${path}}";
in in {
{
server = { server = {
domain = "grafana.pvv.ntnu.no"; domain = "grafana.pvv.ntnu.no";
http_port = 2342; http_port = 2342;


@@ -3,8 +3,7 @@
let let
cfg = config.services.loki; cfg = config.services.loki;
stateDir = "/data/monitoring/loki"; stateDir = "/data/monitoring/loki";
in in {
{
services.loki = { services.loki = {
enable = true; enable = true;
configuration = { configuration = {


@@ -1,8 +1,6 @@
{ config, ... }: { config, ... }: let
let
stateDir = "/data/monitoring/prometheus"; stateDir = "/data/monitoring/prometheus";
in in {
{
imports = [ imports = [
./exim.nix ./exim.nix
./gitea.nix ./gitea.nix


@@ -5,11 +5,9 @@
{ {
job_name = "exim"; job_name = "exim";
scrape_interval = "15s"; scrape_interval = "15s";
static_configs = [ static_configs = [{
{
targets = [ "microbel.pvv.ntnu.no:9636" ]; targets = [ "microbel.pvv.ntnu.no:9636" ];
} }];
];
} }
]; ];
}; };


@@ -1,7 +1,6 @@
{ ... }: { ... }:
{ {
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [{
{
job_name = "gitea"; job_name = "gitea";
scrape_interval = "60s"; scrape_interval = "60s";
scheme = "https"; scheme = "https";
@@ -13,6 +12,5 @@
]; ];
} }
]; ];
} }];
];
} }


@@ -1,5 +1,4 @@
{ config, ... }: { config, ... }: let
let
cfg = config.services.prometheus; cfg = config.services.prometheus;
mkHostScrapeConfig = name: ports: { mkHostScrapeConfig = name: ports: {
@@ -10,98 +9,32 @@ let
defaultNodeExporterPort = 9100; defaultNodeExporterPort = 9100;
defaultSystemdExporterPort = 9101; defaultSystemdExporterPort = 9101;
defaultNixosExporterPort = 9102; defaultNixosExporterPort = 9102;
in in {
{ services.prometheus.scrapeConfigs = [{
services.prometheus.scrapeConfigs = [
{
job_name = "base_info"; job_name = "base_info";
static_configs = [ static_configs = [
(mkHostScrapeConfig "ildkule" [ (mkHostScrapeConfig "ildkule" [ cfg.exporters.node.port cfg.exporters.systemd.port defaultNixosExporterPort ])
cfg.exporters.node.port
cfg.exporters.systemd.port
defaultNixosExporterPort
])
(mkHostScrapeConfig "bekkalokk" [ (mkHostScrapeConfig "bekkalokk" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
defaultNodeExporterPort (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
defaultSystemdExporterPort (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
defaultNixosExporterPort (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
]) (mkHostScrapeConfig "gluttony" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "bicep" [ (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
defaultNodeExporterPort (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
defaultSystemdExporterPort (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
defaultNixosExporterPort (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
]) (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "brzeczyszczykiewicz" [ (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
defaultNodeExporterPort (mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
defaultSystemdExporterPort (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
defaultNixosExporterPort (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
])
(mkHostScrapeConfig "georg" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "gluttony" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "kommode" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "lupine-1" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "lupine-2" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "lupine-3" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "lupine-4" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "lupine-5" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "temmie" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "ustetind" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "wenche" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "skrott" [ (mkHostScrapeConfig "skrott" [ defaultNodeExporterPort defaultSystemdExporterPort ])
defaultNodeExporterPort
defaultSystemdExporterPort
])
(mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ]) (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ]) (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ]) (mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
]; ];
} }];
];
} }


@@ -1,16 +1,13 @@
{ ... }: { ... }:
{ {
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [{
{
job_name = "synapse"; job_name = "synapse";
scrape_interval = "15s"; scrape_interval = "15s";
scheme = "https"; scheme = "https";
http_sd_configs = [ http_sd_configs = [{
{
url = "https://matrix.pvv.ntnu.no/metrics/config.json"; url = "https://matrix.pvv.ntnu.no/metrics/config.json";
} }];
];
relabel_configs = [ relabel_configs = [
{ {
@@ -39,6 +36,5 @@
target_label = "__address__"; target_label = "__address__";
} }
]; ];
} }];
];
} }


@@ -1,18 +1,14 @@
{ config, ... }: { config, ... }: let
let
cfg = config.services.prometheus; cfg = config.services.prometheus;
in in {
{
sops = { sops = {
secrets."config/mysqld_exporter_password" = { }; secrets."config/mysqld_exporter_password" = { };
templates."mysqld_exporter.conf" = { templates."mysqld_exporter.conf" = {
restartUnits = [ "prometheus-mysqld-exporter.service" ]; restartUnits = [ "prometheus-mysqld-exporter.service" ];
content = content = let
let
inherit (config.sops) placeholder; inherit (config.sops) placeholder;
in in ''
''
[client] [client]
host = mysql.pvv.ntnu.no host = mysql.pvv.ntnu.no
port = 3306 port = 3306
@@ -23,8 +19,7 @@ in
}; };
services.prometheus = { services.prometheus = {
scrapeConfigs = [ scrapeConfigs = [{
{
job_name = "mysql"; job_name = "mysql";
scheme = "http"; scheme = "http";
metrics_path = cfg.exporters.mysqld.telemetryPath; metrics_path = cfg.exporters.mysqld.telemetryPath;
@@ -35,8 +30,7 @@ in
]; ];
} }
]; ];
} }];
];
exporters.mysqld = { exporters.mysqld = {
enable = true; enable = true;


@@ -1,14 +1,6 @@
{ { pkgs, lib, config, values, ... }: let
pkgs,
lib,
config,
values,
...
}:
let
cfg = config.services.prometheus; cfg = config.services.prometheus;
in in {
{
sops.secrets = { sops.secrets = {
"keys/postgres/postgres_exporter_env" = {}; "keys/postgres/postgres_exporter_env" = {};
"keys/postgres/postgres_exporter_knakelibrak_env" = {}; "keys/postgres/postgres_exporter_knakelibrak_env" = {};
@@ -19,26 +11,22 @@ in
{ {
job_name = "postgres"; job_name = "postgres";
scrape_interval = "15s"; scrape_interval = "15s";
static_configs = [ static_configs = [{
{
targets = [ "localhost:${toString cfg.exporters.postgres.port}" ]; targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
labels = { labels = {
server = "bicep"; server = "bicep";
}; };
} }];
];
} }
{ {
job_name = "postgres-knakelibrak"; job_name = "postgres-knakelibrak";
scrape_interval = "15s"; scrape_interval = "15s";
static_configs = [ static_configs = [{
{
targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ]; targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
labels = { labels = {
server = "knakelibrak"; server = "knakelibrak";
}; };
} }];
];
} }
]; ];
@@ -49,11 +37,9 @@ in
}; };
}; };
systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let
let
localCfg = config.services.prometheus.exporters.postgres; localCfg = config.services.prometheus.exporters.postgres;
in in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path; EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path;
ExecStart = '' ExecStart = ''
${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \ ${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \


@@ -1,15 +1,9 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
cfg = config.services.uptime-kuma; cfg = config.services.uptime-kuma;
domain = "status.pvv.ntnu.no"; domain = "status.pvv.ntnu.no";
stateDir = "/data/monitoring/uptime-kuma"; stateDir = "/data/monitoring/uptime-kuma";
in in {
{
services.uptime-kuma = { services.uptime-kuma = {
enable = true; enable = true;
settings = { settings = {


@@ -1,9 +1,4 @@
{ { pkgs, values, fp, ... }:
pkgs,
values,
fp,
...
}:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
@@ -17,10 +12,7 @@
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18"; matchConfig.Name = "ens18";
address = with values.hosts.kommode; [ address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
(ipv4 + "/25")
(ipv6 + "/64")
];
}; };
services.btrfs.autoScrub.enable = true; services.btrfs.autoScrub.enable = true;


@@ -1,27 +1,14 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/profiles/qemu-guest.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];


@@ -1,10 +1,4 @@
{ { config, pkgs, lib, fp, ... }:
config,
pkgs,
lib,
fp,
...
}:
let let
cfg = config.services.gitea; cfg = config.services.gitea;
in in
@@ -80,8 +74,7 @@ in
Group = cfg.group; Group = cfg.group;
}; };
script = script = let
let
logo-svg = fp /assets/logo_blue_regular.svg; logo-svg = fp /assets/logo_blue_regular.svg;
logo-png = fp /assets/logo_blue_regular.png; logo-png = fp /assets/logo_blue_regular.png;
@@ -99,21 +92,17 @@ in
labels = lib.importJSON ./labels/projects.json; labels = lib.importJSON ./labels/projects.json;
}; };
customTemplates = customTemplates = pkgs.runCommandLocal "gitea-templates" {
pkgs.runCommandLocal "gitea-templates"
{
nativeBuildInputs = with pkgs; [ nativeBuildInputs = with pkgs; [
coreutils coreutils
gnused gnused
]; ];
} } ''
''
# Bigger icons # Bigger icons
install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl" install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl" sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
''; '';
in in ''
''
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png


@@ -1,17 +1,9 @@
{ { config, values, lib, pkgs, unstablePkgs, ... }:
config,
values,
lib,
pkgs,
unstablePkgs,
...
}:
let let
cfg = config.services.gitea; cfg = config.services.gitea;
domain = "git.pvv.ntnu.no"; domain = "git.pvv.ntnu.no";
sshPort = 2222; sshPort = 2222;
in in {
{
imports = [ imports = [
./customization ./customization
./gpg.nix ./gpg.nix
@@ -19,15 +11,13 @@ in
./web-secret-provider ./web-secret-provider
]; ];
sops.secrets = sops.secrets = let
let
defaultConfig = { defaultConfig = {
owner = "gitea"; owner = "gitea";
group = "gitea"; group = "gitea";
restartUnits = [ "gitea.service" ]; restartUnits = [ "gitea.service" ];
}; };
in in {
{
"gitea/database" = defaultConfig; "gitea/database" = defaultConfig;
"gitea/email-password" = defaultConfig; "gitea/email-password" = defaultConfig;
"gitea/lfs-jwt-secret" = defaultConfig; "gitea/lfs-jwt-secret" = defaultConfig;
@@ -225,8 +215,7 @@ in
}; };
systemd.services.gitea-dump = { systemd.services.gitea-dump = {
serviceConfig.ExecStart = serviceConfig.ExecStart = let
let
args = lib.cli.toGNUCommandLineShell { } { args = lib.cli.toGNUCommandLineShell { } {
type = cfg.dump.type; type = cfg.dump.type;
@@ -239,16 +228,13 @@ in
# Logs are stored in the systemd journal # Logs are stored in the systemd journal
skip-log = true; skip-log = true;
}; };
in in lib.mkForce "${lib.getExe cfg.package} ${args}";
lib.mkForce "${lib.getExe cfg.package} ${args}";
# Only keep n backup files at a time # Only keep n backup files at a time
postStop = postStop = let
let
cu = prog: "'${lib.getExe' pkgs.coreutils prog}'"; cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
backupCount = 3; backupCount = 3;
in in ''
''
for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
${cu "rm"} "$file" ${cu "rm"} "$file"
done done


@@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
cfg = config.services.gitea; cfg = config.services.gitea;
GNUPGHOME = "${config.users.users.gitea.home}/gnupg"; GNUPGHOME = "${config.users.users.gitea.home}/gnupg";


@@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
cfg = config.services.gitea; cfg = config.services.gitea;
in in


@@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
organizations = [ organizations = [
"Drift" "Drift"
@@ -41,8 +36,7 @@ in
group = "gitea-web"; group = "gitea-web";
restartUnits = [ restartUnits = [
"gitea-web-secret-provider@" "gitea-web-secret-provider@"
] ] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
++ (map (org: "gitea-web-secret-provider@${org}") organizations);
}; };
systemd.slices.system-giteaweb = { systemd.slices.system-giteaweb = {
@@ -54,15 +48,11 @@ in
# %d - secrets directory # %d - secrets directory
systemd.services."gitea-web-secret-provider@" = { systemd.services."gitea-web-secret-provider@" = {
description = "Ensure all repos in %i has an SSH key to push web content"; description = "Ensure all repos in %i has an SSH key to push web content";
requires = [ requires = [ "gitea.service" "network.target" ];
"gitea.service"
"network.target"
];
serviceConfig = { serviceConfig = {
Slice = "system-giteaweb.slice"; Slice = "system-giteaweb.slice";
Type = "oneshot"; Type = "oneshot";
ExecStart = ExecStart = let
let
args = lib.cli.toGNUCommandLineShell { } { args = lib.cli.toGNUCommandLineShell { } {
org = "%i"; org = "%i";
token-path = "%d/token"; token-path = "%d/token";
@@ -76,8 +66,7 @@ in
''; '';
web-dir = "/var/lib/gitea-web/web"; web-dir = "/var/lib/gitea-web/web";
}; };
in in "${giteaWebSecretProviderScript} ${args}";
"${giteaWebSecretProviderScript} ${args}";
User = "gitea-web"; User = "gitea-web";
Group = "gitea-web"; Group = "gitea-web";
@@ -96,10 +85,7 @@ in
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
RestrictAddressFamilies = [ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
"AF_INET"
"AF_INET6"
];
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
@@ -119,9 +105,7 @@ in
systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations; systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
services.openssh.authorizedKeysFiles = map ( services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
org: "/var/lib/gitea-web/authorized_keys.d/${org}"
) organizations;
users.users.nginx.extraGroups = [ "gitea-web" ]; users.users.nginx.extraGroups = [ "gitea-web" ];
services.nginx.virtualHosts."pages.pvv.ntnu.no" = { services.nginx.virtualHosts."pages.pvv.ntnu.no" = {


@@ -1,9 +1,4 @@
{ { fp, values, lupineName, ... }:
fp,
values,
lupineName,
...
}:
{ {
imports = [ imports = [
./hardware-configuration/${lupineName}.nix ./hardware-configuration/${lupineName}.nix
@@ -17,10 +12,7 @@
systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // { systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
matchConfig.Name = "enp0s31f6"; matchConfig.Name = "enp0s31f6";
address = with values.hosts.${lupineName}; [ address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ];
(ipv4 + "/25")
(ipv6 + "/64")
];
networkConfig.LLDP = false; networkConfig.LLDP = false;
}; };
systemd.network.wait-online = { systemd.network.wait-online = {


@@ -1,45 +1,31 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
"xhci_pci"
"ahci"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7"; { device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/81D6-38D3"; { device = "/dev/disk/by-uuid/81D6-38D3";
fsType = "vfat"; fsType = "vfat";
options = [ options = [ "fmask=0077" "dmask=0077" ];
"fmask=0077"
"dmask=0077"
];
}; };
swapDevices = [ swapDevices =
{ device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; } [ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@@ -1,45 +1,31 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
"xhci_pci"
"ahci"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0"; { device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/4A34-6AE5"; { device = "/dev/disk/by-uuid/4A34-6AE5";
fsType = "vfat"; fsType = "vfat";
options = [ options = [ "fmask=0077" "dmask=0077" ];
"fmask=0077"
"dmask=0077"
];
}; };
swapDevices = [ swapDevices =
{ device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; } [ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@@ -1,45 +1,31 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
"xhci_pci"
"ahci"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88"; { device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/63FA-297B"; { device = "/dev/disk/by-uuid/63FA-297B";
fsType = "vfat"; fsType = "vfat";
options = [ options = [ "fmask=0077" "dmask=0077" ];
"fmask=0077"
"dmask=0077"
];
}; };
swapDevices = [ swapDevices =
{ device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; } [ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@@ -1,36 +1,25 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
"xhci_pci"
"ahci"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd"; { device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd";
fsType = "ext4"; fsType = "ext4";
}; };
swapDevices = [ swapDevices =
{ device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; } [ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@@ -1,45 +1,31 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
"xhci_pci"
"ahci"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343"; { device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/F372-37DF"; { device = "/dev/disk/by-uuid/F372-37DF";
fsType = "vfat"; fsType = "vfat";
options = [ options = [ "fmask=0077" "dmask=0077" ];
"fmask=0077"
"dmask=0077"
];
}; };
swapDevices = [ swapDevices =
{ device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; } [ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@@ -67,8 +67,5 @@
networking.dhcpcd.IPv6rs = false; networking.dhcpcd.IPv6rs = false;
networking.firewall.interfaces."podman+".allowedUDPPorts = [ networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
53
5353
];
} }


@@ -1,10 +1,4 @@
{ { config, fp, pkgs, values, ... }:
config,
fp,
pkgs,
values,
...
}:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
@@ -14,10 +8,7 @@
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18"; matchConfig.Name = "ens18";
address = with values.hosts.shark; [ address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
(ipv4 + "/25")
(ipv6 + "/64")
];
}; };
services.qemuGuest.enable = true; services.qemuGuest.enable = true;


@@ -1,43 +1,30 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/profiles/qemu-guest.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/224c45db-9fdc-45d4-b3ad-aaf20b3efa8a"; { device = "/dev/disk/by-uuid/224c45db-9fdc-45d4-b3ad-aaf20b3efa8a";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/CC37-F5FE"; { device = "/dev/disk/by-uuid/CC37-F5FE";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ swapDevices =
{ device = "/dev/disk/by-uuid/a1ce3234-78b1-4565-9643-f4a05004424f"; } [ { device = "/dev/disk/by-uuid/a1ce3234-78b1-4565-9643-f4a05004424f"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
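Review bot: `fileSystems."/boot"` is mounted as vfat with no `options` in this section, so the partition is typically left world-readable, while the other hardware configurations in this diff mount it with `options = [ "fmask=0077" "dmask=0077" ];`. The later qemu-guest section with the btrfs root has the same gap, since it sets `"fmask=0022" "dmask=0022"`. If these hosts keep anything sensitive on the boot partition (a bootloader random seed, for instance; the bootloader is not visible here), local users can read it, and using the 0077 masks on both entries would make the hosts consistent. The file header says it is generated, so the override may have to live in the host's own configuration instead.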


@@ -1,22 +1,11 @@
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
"xhci_pci"
"ahci"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];


@@ -1,13 +1,4 @@
{ { config, pkgs, lib, modulesPath, fp, values, ... }: {
config,
pkgs,
lib,
modulesPath,
fp,
values,
...
}:
{
imports = [ imports = [
(modulesPath + "/profiles/perlless.nix") (modulesPath + "/profiles/perlless.nix")
@@ -73,18 +64,14 @@
defaultGateway6 = values.hosts.gateway6; defaultGateway6 = values.hosts.gateway6;
interfaces.eth0 = { interfaces.eth0 = {
useDHCP = false; useDHCP = false;
ipv4.addresses = [ ipv4.addresses = [{
{
address = values.hosts.skrott.ipv4; address = values.hosts.skrott.ipv4;
prefixLength = 25; prefixLength = 25;
} }];
]; ipv6.addresses = [{
ipv6.addresses = [
{
address = values.hosts.skrott.ipv6; address = values.hosts.skrott.ipv6;
prefixLength = 25; prefixLength = 25;
} }];
];
}; };
}; };
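Review bot: `ipv6.addresses` on `interfaces.eth0` uses `prefixLength = 25;`, the same value as the IPv4 entry above it, whereas the other hosts in this diff assign their IPv6 address as `(ipv6 + "/64")`. With a /25 IPv6 prefix the host treats a far larger range as on-link than the /64 the rest of the network appears to use, so traffic for those addresses would not go through the gateway; this looks like a copy of the IPv4 value. Suggested, after confirming the subnet: `prefixLength = 64;` in the IPv6 entry. The enclosing `networking` block starts outside the hunk.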


@@ -1,10 +1,4 @@
{ { config, fp, pkgs, values, ... }:
config,
fp,
pkgs,
values,
...
}:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
@@ -17,10 +11,7 @@
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18"; matchConfig.Name = "ens18";
address = with values.hosts.temmie; [ address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
(ipv4 + "/25")
(ipv6 + "/64")
];
}; };
services.nginx.enable = false; services.nginx.enable = false;


@@ -1,43 +1,27 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/profiles/qemu-guest.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/c3aed415-0054-4ac5-8d29-75a99cc26451"; { device = "/dev/disk/by-uuid/c3aed415-0054-4ac5-8d29-75a99cc26451";
fsType = "btrfs"; fsType = "btrfs";
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/A367-83FD"; { device = "/dev/disk/by-uuid/A367-83FD";
fsType = "vfat"; fsType = "vfat";
options = [ options = [ "fmask=0022" "dmask=0022" ];
"fmask=0022"
"dmask=0022"
];
}; };
swapDevices = [ ]; swapDevices = [ ];


@@ -1,19 +1,7 @@
{ lib, values, ... }: { lib, values, ... }:
let let
# See microbel:/etc/exports # See microbel:/etc/exports
letters = [ letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
"a"
"b"
"c"
"d"
"h"
"i"
"j"
"k"
"l"
"m"
"z"
];
in in
{ {
systemd.targets."pvv-homedirs" = { systemd.targets."pvv-homedirs" = {


@@ -1,32 +1,12 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
let let
cfg = config.services.httpd; cfg = config.services.httpd;
homeLetters = [ homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
"a"
"b"
"c"
"d"
"h"
"i"
"j"
"k"
"l"
"m"
"z"
];
# https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
phpEnv = pkgs.php.buildEnv { phpEnv = pkgs.php.buildEnv {
extensions = extensions = { all, ... }: with all; [
{ all, ... }:
with all;
[
imagick imagick
opcache opcache
protobuf protobuf
@@ -39,8 +19,7 @@ let
''; '';
}; };
perlEnv = pkgs.perl.withPackages ( perlEnv = pkgs.perl.withPackages (ps: with ps; [
ps: with ps; [
pkgs.exiftool pkgs.exiftool
pkgs.ikiwiki pkgs.ikiwiki
pkgs.irssi pkgs.irssi
@@ -78,8 +57,7 @@ let
Tk Tk
URI URI
XMLLibXML XMLLibXML
] ]);
);
# https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
pythonEnv = pkgs.python3.buildEnv.override { pythonEnv = pkgs.python3.buildEnv.override {
@@ -95,9 +73,7 @@ let
# https://nixos.org/manual/nixpkgs/stable/#sec-building-environment # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
fhsEnv = pkgs.buildEnv { fhsEnv = pkgs.buildEnv {
name = "userweb-env"; name = "userweb-env";
paths = paths = with pkgs; [
with pkgs;
[
bash bash
perlEnv perlEnv
@@ -341,8 +317,7 @@ in
"${fhsEnv}/sbin:/sbin" "${fhsEnv}/sbin:/sbin"
"${fhsEnv}/lib:/lib" "${fhsEnv}/lib:/lib"
"${fhsEnv}/share:/share" "${fhsEnv}/share:/share"
] ] ++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") {
++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") {
parent = [ parent = [
"/local" "/local"
"/opt" "/opt"


@@ -1,11 +1,4 @@
{ { config, fp, pkgs, lib, values, ... }:
config,
fp,
pkgs,
lib,
values,
...
}:
{ {
imports = [ imports = [
@@ -27,10 +20,7 @@
"eth*" "eth*"
]; ];
}; };
address = with values.hosts.ustetind; [ address = with values.hosts.ustetind; [ (ipv4 + "/25") (ipv6 + "/64") ];
(ipv4 + "/25")
(ipv6 + "/64")
];
}; };
"40-podman-veth" = values.defaultNetworkConfig // { "40-podman-veth" = values.defaultNetworkConfig // {
matchConfig = { matchConfig = {


@@ -1,9 +1,4 @@
{ { config, lib, values, ... }:
config,
lib,
values,
...
}:
let let
mkRunner = name: { mkRunner = name: {
# This is unfortunately state, and has to be generated one at a time :( # This is unfortunately state, and has to be generated one at a time :(
@@ -18,8 +13,7 @@ let
services.gitea-actions-runner.instances = { services.gitea-actions-runner.instances = {
${name} = { ${name} = {
enable = true; enable = true;
name = "git-runner-${name}"; name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
url = "https://git.pvv.ntnu.no";
labels = [ labels = [
"debian-latest:docker://node:current-bookworm" "debian-latest:docker://node:current-bookworm"
"ubuntu-latest:docker://node:current-bookworm" "ubuntu-latest:docker://node:current-bookworm"
@@ -42,9 +36,6 @@ lib.mkMerge [
networking.dhcpcd.IPv6rs = false; networking.dhcpcd.IPv6rs = false;
networking.firewall.interfaces."podman+".allowedUDPPorts = [ networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
53
5353
];
} }
] ]
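Review bot: The runner `labels` map `debian-latest` and `ubuntu-latest` to `docker://node:current-bookworm`, a floating tag, so every job runs in whatever image the registry serves at pull time. For a CI runner that may handle repository secrets, that makes the upstream image an unreviewed dependency; pinning the labels to a fixed version tag or an image digest (placeholder: `docker://node:<PINNED_TAG>`) and bumping it deliberately would make the job environment reproducible. A comment next to `labels` noting that `ubuntu-latest` resolves to a Debian bookworm image would also help readers. The `mkRunner` body continues outside the hunks shown.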


@@ -1,11 +1,4 @@
{ { config, fp, pkgs, values, lib, ... }:
config,
fp,
pkgs,
values,
lib,
...
}:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
@@ -26,10 +19,7 @@
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18"; matchConfig.Name = "ens18";
address = with values.hosts.wenche; [ address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
(ipv4 + "/25")
(ipv6 + "/64")
];
}; };
hardware.graphics.enable = true; hardware.graphics.enable = true;


@@ -1,39 +1,24 @@
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/profiles/qemu-guest.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "nvidia" ]; boot.kernelModules = [ "nvidia" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/4e8ecdd2-d453-4fff-b952-f06da00f3b85"; { device = "/dev/disk/by-uuid/4e8ecdd2-d453-4fff-b952-f06da00f3b85";
fsType = "ext4"; fsType = "ext4";
}; };
swapDevices = [ swapDevices = [ {
{
device = "/var/lib/swapfile"; device = "/var/lib/swapfile";
size = 16*1024; size = 16*1024;
} } ];
];
networking.useDHCP = lib.mkDefault false; networking.useDHCP = lib.mkDefault false;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true; # networking.interfaces.ens18.useDHCP = lib.mkDefault true;


@@ -1,9 +1,4 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
let let
cfg = config.services.bluemap; cfg = config.services.bluemap;
format = pkgs.formats.hocon { }; format = pkgs.formats.hocon { };
@@ -12,48 +7,36 @@ let
webappConfig = format.generate "webapp.conf" cfg.webappSettings; webappConfig = format.generate "webapp.conf" cfg.webappSettings;
webserverConfig = format.generate "webserver.conf" cfg.webserverSettings; webserverConfig = format.generate "webserver.conf" cfg.webserverSettings;
storageFolder = pkgs.linkFarm "storage" ( storageFolder = pkgs.linkFarm "storage"
lib.attrsets.mapAttrs' ( (lib.attrsets.mapAttrs' (name: value:
name: value: lib.nameValuePair "${name}.conf" (format.generate "${name}.conf" value) lib.nameValuePair "${name}.conf"
) cfg.storage (format.generate "${name}.conf" value))
); cfg.storage);
generateMapConfigWithMarkerData = generateMapConfigWithMarkerData = name: { extraHoconMarkersFile, settings, ... }:
name:
{ extraHoconMarkersFile, settings, ... }:
assert (extraHoconMarkersFile == null) != ((settings.marker-sets or { }) == { }); assert (extraHoconMarkersFile == null) != ((settings.marker-sets or { }) == { });
lib.pipe settings ( lib.pipe settings (
(lib.optionals (extraHoconMarkersFile != null) [ (lib.optionals (extraHoconMarkersFile != null) [
( (settings: lib.recursiveUpdate settings {
settings:
lib.recursiveUpdate settings {
marker-placeholder = "###ASDF###"; marker-placeholder = "###ASDF###";
} })
) ]) ++ [
])
++ [
(format.generate "${name}.conf") (format.generate "${name}.conf")
] ] ++ (lib.optionals (extraHoconMarkersFile != null) [
++ (lib.optionals (extraHoconMarkersFile != null) [ (hoconFile: pkgs.runCommand "${name}-patched.conf" { } ''
(
hoconFile:
pkgs.runCommand "${name}-patched.conf" { } ''
mkdir -p "$(dirname "$out")" mkdir -p "$(dirname "$out")"
cp '${hoconFile}' "$out" cp '${hoconFile}' "$out"
substituteInPlace "$out" \ substituteInPlace "$out" \
--replace-fail '"marker-placeholder" = "###ASDF###"' "\"marker-sets\" = $(cat '${extraHoconMarkersFile}')" --replace-fail '"marker-placeholder" = "###ASDF###"' "\"marker-sets\" = $(cat '${extraHoconMarkersFile}')"
'' '')
)
]) ])
); );
mapsFolder = lib.pipe cfg.maps [ mapsFolder = lib.pipe cfg.maps [
(lib.attrsets.mapAttrs' ( (lib.attrsets.mapAttrs' (name: value: {
name: value: {
name = "${name}.conf"; name = "${name}.conf";
value = generateMapConfigWithMarkerData name value; value = generateMapConfigWithMarkerData name value;
} }))
))
(pkgs.linkFarm "maps") (pkgs.linkFarm "maps")
]; ];
@@ -66,24 +49,19 @@ let
"packs" = cfg.packs; "packs" = cfg.packs;
}; };
renderConfigFolder = renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
name: value:
pkgs.linkFarm "bluemap-${name}-config" {
"maps" = pkgs.linkFarm "maps" { "maps" = pkgs.linkFarm "maps" {
"${name}.conf" = generateMapConfigWithMarkerData name value; "${name}.conf" = generateMapConfigWithMarkerData name value;
}; };
"storages" = storageFolder; "storages" = storageFolder;
"core.conf" = coreConfig; "core.conf" = coreConfig;
"webapp.conf" = format.generate "webapp.conf" ( "webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
cfg.webappSettings // { "update-settings-file" = false; }
);
"webserver.conf" = webserverConfig; "webserver.conf" = webserverConfig;
"packs" = value.packs; "packs" = value.packs;
}; };
inherit (lib) mkOption; inherit (lib) mkOption;
in in {
{
options.services.bluemap = { options.services.bluemap = {
enable = lib.mkEnableOption "bluemap"; enable = lib.mkEnableOption "bluemap";
package = lib.mkPackageOption pkgs "bluemap" { }; package = lib.mkPackageOption pkgs "bluemap" { };
@@ -195,10 +173,7 @@ in
}; };
maps = mkOption { maps = mkOption {
type = lib.types.attrsOf ( type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
lib.types.submodule (
{ name, ... }:
{
options = { options = {
packs = mkOption { packs = mkOption {
type = lib.types.path; type = lib.types.path;
@@ -219,8 +194,7 @@ in
}; };
settings = mkOption { settings = mkOption {
type = ( type = (lib.types.submodule {
lib.types.submodule {
freeformType = format.type; freeformType = format.type;
options = { options = {
world = mkOption { world = mkOption {
@@ -254,8 +228,7 @@ in
]; ];
}; };
}; };
} });
);
description = '' description = ''
Settings for files in `maps/`. Settings for files in `maps/`.
See the default for an example with good options for the different world types. See the default for an example with good options for the different world types.
@@ -263,9 +236,7 @@ in
''; '';
}; };
}; };
} }));
)
);
default = { default = {
"overworld".settings = { "overworld".settings = {
world = cfg.defaultWorld; world = cfg.defaultWorld;
@@ -349,21 +320,16 @@ in
}; };
storage = mkOption { storage = mkOption {
type = lib.types.attrsOf ( type = lib.types.attrsOf (lib.types.submodule {
lib.types.submodule {
freeformType = format.type; freeformType = format.type;
options = { options = {
storage-type = mkOption { storage-type = mkOption {
type = lib.types.enum [ type = lib.types.enum [ "FILE" "SQL" ];
"FILE"
"SQL"
];
description = "Type of storage config"; description = "Type of storage config";
default = "FILE"; default = "FILE";
}; };
}; };
} });
);
description = '' description = ''
Where the rendered map will be stored. Where the rendered map will be stored.
Unless you are doing something advanced you should probably leave this alone and configure webRoot instead. Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
@@ -393,10 +359,10 @@ in
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
assertions = [ assertions =
{ [ { assertion = config.services.bluemap.eula;
assertion = config.services.bluemap.eula;
message = '' message = ''
You have enabled bluemap but have not accepted minecraft's EULA. You have enabled bluemap but have not accepted minecraft's EULA.
You can achieve this through setting `services.bluemap.eula = true` You can achieve this through setting `services.bluemap.eula = true`
@@ -418,9 +384,9 @@ in
] ]
++ ++
# Render each minecraft map # Render each minecraft map
lib.attrsets.mapAttrsToList ( lib.attrsets.mapAttrsToList
name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r" (name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r")
) cfg.maps cfg.maps
++ [ ++ [
# Generate updated webapp # Generate updated webapp
"${lib.getExe cfg.package} -c ${webappConfigFolder} -gs" "${lib.getExe cfg.package} -c ${webappConfigFolder} -gs"
@@ -451,9 +417,6 @@ in
}; };
meta = { meta = {
maintainers = with lib.maintainers; [ maintainers = with lib.maintainers; [ dandellion h7x4 ];
dandellion
h7x4
];
}; };
} }


@@ -1,10 +1,4 @@
{ { config, pkgs, lib, utils, ... }:
config,
pkgs,
lib,
utils,
...
}:
let let
cfg = config.services.gickup; cfg = config.services.gickup;
format = pkgs.formats.yaml { }; format = pkgs.formats.yaml { };
@@ -51,43 +45,33 @@ in
}; };
instances = lib.mkOption { instances = lib.mkOption {
type = lib.types.attrsOf ( type = lib.types.attrsOf (lib.types.submodule (submoduleInputs@{ name, ... }: let
lib.types.submodule (
submoduleInputs@{ name, ... }:
let
submoduleName = name; submoduleName = name;
nameParts = rec { nameParts = rec {
repoType = builtins.head (lib.splitString ":" submoduleName); repoType = builtins.head (lib.splitString ":" submoduleName);
owner = owner = if repoType == "any"
if repoType == "any" then then null
null else lib.pipe submoduleName [
else
lib.pipe submoduleName [
(lib.removePrefix "${repoType}:") (lib.removePrefix "${repoType}:")
(lib.splitString "/") (lib.splitString "/")
builtins.head builtins.head
]; ];
repo = repo = if repoType == "any"
if repoType == "any" then then null
null else lib.pipe submoduleName [
else
lib.pipe submoduleName [
(lib.removePrefix "${repoType}:") (lib.removePrefix "${repoType}:")
(lib.splitString "/") (lib.splitString "/")
lib.last lib.last
]; ];
slug = slug = if repoType == "any"
if repoType == "any" then then lib.toLower (builtins.replaceStrings [ ":" "/" ] [ "-" "-" ] submoduleName)
lib.toLower (builtins.replaceStrings [ ":" "/" ] [ "-" "-" ] submoduleName) else "${lib.toLower repoType}-${lib.toLower owner}-${lib.toLower repo}";
else
"${lib.toLower repoType}-${lib.toLower owner}-${lib.toLower repo}";
}; };
in in {
{
options = { options = {
interval = lib.mkOption { interval = lib.mkOption {
type = lib.types.str; type = lib.types.str;
@@ -167,9 +151,7 @@ in
}; };
}; };
}; };
} }));
)
);
}; };
}; };
@@ -219,29 +201,22 @@ in
(lib.pipe cfg.instances [ (lib.pipe cfg.instances [
builtins.attrValues builtins.attrValues
(builtins.filter (instance: instance.interval != "daily")) (builtins.filter (instance: instance.interval != "daily"))
(map ( (map ({ slug, interval, ... }: {
{ slug, interval, ... }:
{
name = "gickup@${slug}"; name = "gickup@${slug}";
value = { value = {
overrideStrategy = "asDropin"; overrideStrategy = "asDropin";
timerConfig.OnCalendar = interval; timerConfig.OnCalendar = interval;
}; };
} }))
))
builtins.listToAttrs builtins.listToAttrs
]); ]);
systemd.targets.timers.wants = map ({ slug, ... }: "gickup@${slug}.timer") ( systemd.targets.timers.wants = map ({ slug, ... }: "gickup@${slug}.timer") (lib.attrValues cfg.instances);
lib.attrValues cfg.instances
);
systemd.services = { systemd.services = {
"gickup@" = "gickup@" = let
let
configDir = lib.pipe cfg.instances [ configDir = lib.pipe cfg.instances [
(lib.mapAttrsToList ( (lib.mapAttrsToList (name: instance: {
name: instance: {
name = "${instance.slug}.yml"; name = "${instance.slug}.yml";
path = format.generate "gickup-configuration-${name}.yml" { path = format.generate "gickup-configuration-${name}.yml" {
destination.local = [ cfg.destinationSettings ]; destination.local = [ cfg.destinationSettings ];
@@ -252,16 +227,15 @@ in
includeorgs = [ instance.owner ]; includeorgs = [ instance.owner ];
include = [ instance.repo ]; include = [ instance.repo ];
}) })
// instance.settings //
instance.settings
) )
]; ];
}; };
} }))
))
(pkgs.linkFarm "gickup-configuration-files") (pkgs.linkFarm "gickup-configuration-files")
]; ];
in in {
{
description = "Gickup git repository mirroring service for %i"; description = "Gickup git repository mirroring service for %i";
after = [ "network.target" ]; after = [ "network.target" ];


@@ -1,9 +1,4 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
let let
cfg = config.services.gickup; cfg = config.services.gickup;
in in
