kvernberg/taler: move behind nginx

.sops.yaml

@@ -13,6 +13,7 @@ keys:
   - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
   - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
   - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
+  - &host_kvernberg age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz
 
 creation_rules:
   # Global secrets
@@ -78,3 +79,9 @@ creation_rules:
       - *user_pederbs_bjarte
       pgp:
       - *user_oysteikt
+  
+  - path_regex: secrets/kvernberg/[^/]+$
+    key_groups:
+      - age:
+          - *host_kvernberg
+          - *user_danio

base/services/auto-upgrade.nix

@@ -2,12 +2,12 @@
 {
   system.autoUpgrade = {
     enable = true;
-    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
+    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git?ref=pvvvvv";
     flags = [
       # --update-input is deprecated since nix 2.22, and removed in lix 2.90
       # https://git.lix.systems/lix-project/lix/issues/400
       "--refresh"
-      "--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.05-small"
+      "--override-input" "nixpkgs" "github:NixOS/nixpkgs/refs/pull/332699/merge"
       "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
       "--no-write-lock-file"
     ];

base/services/logrotate.nix

@@ -31,7 +31,6 @@
       ProtectSystem = "full";
       RestrictNamespaces = true;
       RestrictRealtime = true;
-      RestrictSUIDSGID = true; # disable for creating setgid directories
       SocketBindDeny = [ "any" ];
       SystemCallArchitectures = "native";
       SystemCallFilter = [
@@ -39,4 +38,4 @@
       ];
     };
   };
-}
+}

flake.lock

@@ -119,16 +119,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1731663789,
-        "narHash": "sha256-x07g4NcqGP6mQn6AISXJaks9sQYDjZmTMBlKIvajvyc=",
+        "lastModified": 1731779898,
+        "narHash": "sha256-oxxCrYZM0WNRoaokDyVXcPIlTc8Z2yX4QjKbgXGI3IM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "035d434d48f4375ac5d3a620954cf5fda7dd7c36",
+        "rev": "9972661139e27eed0237df4dde34839e09028cd5",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.05-small",
+        "ref": "refs/pull/332699/merge",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -2,7 +2,7 @@
   description = "PVV System flake";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; # remember to also update the url in base/services/auto-upgrade.nix
+    nixpkgs.url = "github:NixOS/nixpkgs/refs/pull/332699/merge"; # remember to also update the url in base/services/auto-upgrade.nix
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
 
     sops-nix.url = "github:Mic92/sops-nix";
@@ -133,6 +133,12 @@
           inputs.greg-ng.overlays.default
         ];
       };
+      kvernberg = stableNixosConfig "kvernberg" {
+        modules = [
+          disko.nixosModules.disko
+          { disko.devices.disk.disk1.device = "/dev/sda"; }
+        ];
+      };
     };
 
     nixosModules = {

hosts/kvernberg/configuration.nix

@@ -0,0 +1,45 @@
+{ config, fp, pkgs, values, ... }:
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    (fp /base)
+    (fp /misc/metrics-exporters.nix)
+    ./disks.nix
+
+    ./services/nginx.nix
+    ./services/pvvvvvv
+  ];
+
+  sops.defaultSopsFile = fp /secrets/kvernberg/kvernberg.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+ 
+  networking.hostName = "kvernberg"; # Define your hostname.
+
+  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
+    matchConfig.Name = "en*";
+    address = with values.hosts.kvernberg; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+    
+  ];
+
+  # No devices with SMART
+  services.smartd.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+
+}

hosts/kvernberg/disks.nix

@@ -0,0 +1,39 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/kvernberg/hardware-configuration.nix

@@ -0,0 +1,26 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/kvernberg/services/nginx.nix

@@ -0,0 +1,5 @@
+{ config, lib, ... }:
+
+{
+  services.nginx.enable = true;
+}

hosts/kvernberg/services/pvvvvvv/bank.nix

@@ -0,0 +1,47 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.libeufin.bank;
+  tcfg = config.services.taler;
+  inherit (tcfg.settings.taler) CURRENCY;
+in {
+  services.libeufin.bank = {
+    enable = true;
+    debug = true;
+    createLocalDatabase = true;
+    initialAccounts = [
+      { username = "exchange";
+        password = "exchange";
+        name = "Exchange";
+      }
+    ];
+    settings = {
+      libeufin-bank = {
+        WIRE_TYPE = "x-taler-bank";
+        X_TALER_BANK_PAYTO_HOSTNAME = "bank.kvernberg.pvv.ntnu.no";
+        BASE_URL = "bank.kvernberg.pvv.ntnu.no";
+
+        ALLOW_REGISTRATION = "yes";
+
+        REGISTRATION_BONUS_ENABLED = "yes";
+        REGISTRATION_BONUS = "${CURRENCY}:500";
+
+        DEFAULT_DEBT_LIMIT = "${CURRENCY}:0";
+
+        ALLOW_CONVERSION = "no";
+        ALLOW_EDIT_CASHOUT_PAYTO_URI = "yes";
+
+        SUGGESTED_WITHDRAWAL_EXCHANGE = "https://exchange.kvernberg.pvv.ntnu.no/";
+
+        inherit CURRENCY;
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."bank.kvernberg.pvv.ntnu.no" = {
+    enableACME = true;
+    forceSSL = true;
+    kTLS = true;
+    locations."/".proxyPass = "http://127.0.0.1:8082";
+  };
+  
+}

hosts/kvernberg/services/pvvvvvv/default.nix

@@ -0,0 +1,12 @@
+{
+  imports = [
+    ./exchange.nix
+    ./bank.nix
+  ];
+
+  services.taler = {
+    settings = {
+      taler.CURRENCY = "SCHPENN";
+    };
+  };
+}

hosts/kvernberg/services/pvvvvvv/exchange.nix

@@ -0,0 +1,169 @@
+{ config, lib, fp, pkgs, ... }:
+let
+  cfg = config.services.taler;
+  inherit (cfg.settings.taler) CURRENCY;
+in {
+  sops.secrets.exchange-offline-master = {
+    format = "binary";
+    sopsFile = fp /secrets/kvernberg/exhange-offline-master.priv;
+  };
+
+  services.taler.exchange = {
+    enable = true;
+    debug = true;
+    denominationConfig = ''
+      ## Old denomination names cannot be used again
+      # [COIN-${CURRENCY}-k1-1-0]
+
+      ## NOK Denominations
+      [coin-${CURRENCY}-nok-1-0]
+      VALUE = ${CURRENCY}:1
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+      
+      [coin-${CURRENCY}-nok-5-0]
+      VALUE = ${CURRENCY}:5
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+
+      [coin-${CURRENCY}-nok-10-0]
+      VALUE = ${CURRENCY}:10
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+      
+      [coin-${CURRENCY}-nok-20-0]
+      VALUE = ${CURRENCY}:20
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+      
+      [coin-${CURRENCY}-nok-50-0]
+      VALUE = ${CURRENCY}:50
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+      
+      [coin-${CURRENCY}-nok-100-0]
+      VALUE = ${CURRENCY}:100
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+      
+      [coin-${CURRENCY}-nok-200-0]
+      VALUE = ${CURRENCY}:200
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+      
+      [coin-${CURRENCY}-nok-500-0]
+      VALUE = ${CURRENCY}:500
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+      
+      [coin-${CURRENCY}-nok-1000-0]
+      VALUE = ${CURRENCY}:1000
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+
+      ## PVV Special Prices
+      # 2024 pizza egenandel
+      [coin-${CURRENCY}-pvv-64-0]
+      VALUE = ${CURRENCY}:64
+      DURATION_WITHDRAW = 7 days
+      DURATION_SPEND = 1 years
+      DURATION_LEGAL = 3 years
+      FEE_WITHDRAW = ${CURRENCY}:0
+      FEE_DEPOSIT = ${CURRENCY}:0
+      FEE_REFRESH = ${CURRENCY}:0
+      FEE_REFUND = ${CURRENCY}:0
+      RSA_KEYSIZE = 2048
+      CIPHER = RSA
+    '';
+    settings = {
+      exchange = {
+        MASTER_PUBLIC_KEY = "J331T37C8E58P9CVE686P1JFH11DWSRJ3RE4GVDTXKES9M24ERZG";
+        BASE_URL = "http://kvernberg.pvv.ntnu.no:8081/";
+      };
+      exchange-offline = {
+        MASTER_PRIV_FILE = config.sops.secrets.exchange-offline-master.path;
+      };
+      exchange-account-test = {
+        PAYTO_URI = "payto://x-taler-bank/bank.kvernberg.pvv.ntnu.no/exchange?receiver-name=Exchange";
+        ENABLE_DEBIT = "YES";
+        ENABLE_CREDIT = "YES";
+      };
+      exchange-accountcredentials-test = {
+        WIRE_GATEWAY_URL = "http://bank.kvernberg.pvv.ntnu.no/accounts/exchange/taler-wire-gateway/";
+        WIRE_GATEWAY_AUTH_METHOD = "BASIC";
+        USERNAME = "exchange";
+        PASSWORD = "exchange";
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."exchange.kvernberg.pvv.ntnu.no" = {
+    enableACME = true;
+    forceSSL = true;
+    kTLS = true;
+    locations."/".proxyPass = "http://127.0.0.1:8081";
+  };
+}

secrets/kvernberg/exhange-offline-master.priv

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:dhVo1B+ZG1B6s0bTLgph4ipPmi0mveaObbJAffDQbpY=,iv:P5plvu4DQYa99cQZQ6B/gEFcSffu3lTY3+Z80Cfoj94=,tag:4xcqCbn6fFSmCbYmmEgQEg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MzVHSE15Nk9MODQxc2g0\nbHlqNmFKclBYbUNKQTNUOGo0VThiaEZTVzJFCmU2YkYwMXlyeHM3ZzAxOWZpa3k4\nUUJLanVFbkNMa25RcGZmOTBsVmtzazQKLS0tIE1sTTBqT3VJMDFOYXl0T1JvcDRV\nRFpsZGNOZzFzMFc3YzcxeXdIK1d6QUUKzy0n7DJsOmrNvU03Tn6Zcj/l/kAylzzP\nhNnFLXfStdKl3A/qrzBPhTVbYD73yFkZuQ+bDr7/IMsHAmDsztuA9g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbEdBWjdEbmtNYWJHQnFj\nSU1yb0NYVG4xVlZkYTdUWUpDcGdmbFF6U1NrCjBlWFZkcC9FMVJLYUtDNlBTUWcw\nNHBwWFNESDBQQmJNb3NDN2tDekM4eUUKLS0tICtMVGc1L2JFQ1BqKzM3eWFPRmRQ\nWXlQUWpvdUdOUlZ1OFhtS0ErL0JKSlUKzxLKbsnXvEqnR2HVsTxNqmM7YPjWfCjG\nZ4Bf046NdseomkNuTvWuPzjzPTe4GvjudMYc4ODchkIMOo6hXyf5kw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-17T01:12:23Z",
+		"mac": "ENC[AES256_GCM,data:aXIM/pmgVmfNSa+PwpfK6Efh/kCWXUqZNcKLkyhRwl++vaIBQUIQgQjv09hWHOF77V3ZjRQjh2E1uNe2baBLEmrDT5Au+7VABW+j49KX/vKMd+1l4w47l3DukOVnoo50bsOQFtH+amSl2P2imxpO15sjVDu9/nUeu2qXrtbIUh8=,iv:BQVs3P9p86uzTH2BfuSOxycpE6di4ZIwSz7OTZdcQPg=,tag:mT4Ek8dDbVINGp4Odt62zw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}

values.nix

@@ -60,6 +60,10 @@ in rec {
       ipv4 = pvv-ipv4 204;
       ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
     };
+    kvernberg = {
+      ipv4 = pvv-ipv4 206;
+      ipv6 = pvv-ipv6 "1:206";
+    };
   };
 
   defaultNetworkConfig = {