felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-02-19 16:37:52 +01:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: felixalb:gitea-vaskepersonalet
Branches Tags
felixalb:main felixalb:errorpages felixalb:PVVtheme2026 felixalb:dagali-heimdal-openldap-sasl-stack felixalb:skrot-new-thing felixalb:shellcheck felixalb:loginpage felixalb:temmie-userweb felixalb:gitea-robots-txt felixalb:kommode-disko felixalb:skrott-cross-compile felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim
..
compare: felixalb:kommode-disko
Branches Tags
felixalb:errorpages felixalb:PVVtheme2026 felixalb:dagali-heimdal-openldap-sasl-stack felixalb:main felixalb:skrot-new-thing felixalb:shellcheck felixalb:loginpage felixalb:temmie-userweb felixalb:gitea-robots-txt felixalb:kommode-disko felixalb:skrott-cross-compile felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim

212 Commits
gitea-vask ... kommode-di

Author SHA1 Message Date
h7x4
f3201b2ce8 WIP: kommode: use disko to configure disks 2026-01-27 18:16:54 +09:00
h7x4
8a84069dcf bicep/mysql: use BindPaths to access dataDir 2026-01-27 17:23:38 +09:00
h7x4
cda84be5b0 bekkalokk/well-known: add note about bug bounty program to security.txt 2026-01-27 17:11:07 +09:00
h7x4
79a46ce3f6 bicep/element: set default country code 2026-01-27 04:11:40 +09:00
h7x4
19e45be83a .mailmap: further dedup 2026-01-27 04:07:25 +09:00
h7x4
a8892e2fb2 hosts/various: bump stateVersion 2026-01-27 04:00:48 +09:00
h7x4
a149f97ac0 bicep: bump stateVersion from 22.11 -> 25.11 2026-01-27 03:59:40 +09:00
h7x4
e76c656378 bekkalokk: bump stateVersion from 22.11 -> 25.11 2026-01-27 03:52:34 +09:00
h7x4
5877ef60b1 modules/rsync-pull-targets: leave TODO about assertion 2026-01-27 00:27:00 +09:00
h7x4
73456de527 bekkalokk/mediawiki, bicep/matrix/synapse: leave principal rsync target stubs 2026-01-27 00:26:42 +09:00
h7x4
2f8e9ea190 modules/rsync-pull-targets: init, migrate bekkalokk/website/fetch-gallery 2026-01-26 23:57:20 +09:00
h7x4
c3c98392ad bicep/hookshot: add passkey to sops 2026-01-26 21:52:58 +09:00
h7x4
e01fd902eb bekkalokk/mediawiki: move secret.key to sops 2026-01-26 17:55:55 +09:00
h7x4
ce8d759f79 skrott: yeet 700MB worth of firmware, leave raspberry-specific firmware be 2026-01-26 17:09:18 +09:00
h7x4
ea6296f47a base/vm: disable graphics for vms by default 2026-01-26 17:08:35 +09:00
h7x4
c28fc3f229 ildkule/prometheus: add temmie,gluttony, re-enable lupine-2 2026-01-26 17:04:55 +09:00
h7x4
c124183d95 ildkule/prometheus: scrape skrott 2026-01-26 17:04:52 +09:00
h7x4
d7bb316056 skrott: yeetus ncdu 2026-01-26 15:45:10 +09:00
h7x4
c78c29aaa6 skrott: don't pull in nixpkgs/nixpkgs-unstable source tarballs 2026-01-26 15:43:23 +09:00
h7x4
7d451f1db5 base/auto-upgrade: don't install flake-inputs.json when disabled 2026-01-26 15:42:56 +09:00
h7x4
1d57cec04d base/acme: remove deprecated argument 2026-01-26 15:07:40 +09:00
h7x4
f50372fabd .sops.yaml: remove yet more remains of jokum 2026-01-26 13:53:30 +09:00
h7x4
0f355046de .sops.yaml: add skrott 2026-01-26 13:53:16 +09:00
h7x4
285f5b6a84 flake.nix: point skrott-x86_64 at correct nixosConfiguration, add -sd variants 2026-01-26 13:46:15 +09:00
h7x4
20eec03cd4 bakke: fix eval warnings about kernel packages 2026-01-26 13:46:14 +09:00
h7x4
fffdf77d6f skrott: disable more stuff 2026-01-26 13:46:13 +09:00
h7x4
42bbb1eca1 flake.nix: make native skrott default, misc cleaning 2026-01-26 13:28:42 +09:00
h7x4
34fdc9159c bekkalokk/mediawiki: remove nonused module import 2026-01-26 13:19:48 +09:00
h7x4
1b6ff9876d Remove global packages from users, skrott: remove neovim properly 2026-01-26 13:16:06 +09:00
h7x4
0206c159a2 skrott: cross compile and further minimize 2026-01-26 13:15:46 +09:00
h7x4
15004829a8 flake.lock: bump dibbler 2026-01-26 02:30:53 +09:00
h7x4
48ffb3cda1 skrott/dibbler: fix postgres url 2026-01-26 02:27:21 +09:00
h7x4
9bbc64afc8 skrott: disable promtail, documentation 2026-01-26 02:25:12 +09:00
h7x4
1cf956f37b skrott: disable thermald 2026-01-26 02:04:03 +09:00
h7x4
38a1d38c7f skrott: disable zfs, udisks2 2026-01-26 01:31:46 +09:00
h7x4
f1a6e47e67 skrott: disable smartd 2026-01-26 00:48:36 +09:00
h7x4
c061c5be0c base: re-enable mutableUsers (absolute state) 2026-01-26 00:25:20 +09:00
h7x4
08e3e1a287 README: add skrott to machine overview 2026-01-25 23:30:41 +09:00
h7x4
034f6540d9 secrets/skrott: add database password 2026-01-25 23:30:41 +09:00
h7x4
695fe48ba8 skrott: set gateway 2026-01-25 23:30:41 +09:00
h7x4
b37551209a flake.nix: bump dibbler 2026-01-25 22:54:52 +09:00
Felix Albrigtsen
19059b742e users/felixalb: update SSH keys 2026-01-25 13:17:39 +01:00
h7x4
e336c119a5 skrott: bump stateVersion 2026-01-25 21:08:28 +09:00
h7x4
52ac4ca775 skrott: update dibbler + config 2026-01-25 20:56:33 +09:00
Vegard Bieker Matthey
6b352507a3 Merge pull request 'gluttony: use grub as bootloader because of no uefi support' (!121) from gluttony-boot into main 
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/121
 2026-01-24 22:25:28 +01:00
Vegard Bieker Matthey
604b528dd3 use grub as bootloader because of no uefi support 2026-01-24 22:04:54 +01:00
h7x4
689d6582ae topology: fix ntnu gateway <-> knutsen connection network 2026-01-23 00:56:32 +09:00
h7x4
ccdaeaf4a3 topology: fix gluttony network interface 2026-01-23 00:51:30 +09:00
h7x4
72fdca4998 topology: more connections to powerpuff cluster 2026-01-23 00:50:16 +09:00
h7x4
9ccdeb6ac9 topology: fix new machines 2026-01-23 00:43:20 +09:00
h7x4
8072121b3c skrott: fix sops file location 2026-01-22 19:44:05 +09:00
h7x4
95f6463171 temmie: set up httpd 2026-01-22 19:41:52 +09:00
h7x4
39d3773a10 skrott: move networking config to values, add ipv6 address 2026-01-22 19:30:04 +09:00
h7x4
0e963f8cf0 gluttony: fix eval 2026-01-22 19:17:28 +09:00
h7x4
ba6c1c8205 temmie/nfs-mounts: generate systemd units ourselves 2026-01-22 19:10:30 +09:00
h7x4
1d47409d96 base: configure sops 2026-01-22 16:48:59 +09:00
h7x4
f7757d697d base: don't install dynamic loader stub 2026-01-22 16:13:36 +09:00
h7x4
9f43ea887e base: OOM early on nixos rebuilds 2026-01-22 16:13:20 +09:00
h7x4
5f94345a91 hosts/various: enable qemu guest agent, disable smartd for vms by default 2026-01-22 16:05:36 +09:00
h7x4
28baf322ce hosts/various: formatting, add consistent warnings to stateVersion 2026-01-22 15:57:12 +09:00
h7x4
12477aeb34 flake.nix: set default hostname for most nixos hosts 2026-01-22 15:49:50 +09:00
h7x4
e2d553af19 bikkje: set hostName 2026-01-22 15:49:50 +09:00
h7x4
89ea5b321a hosts/various: use systemd-boot as default bootloader 2026-01-22 15:49:50 +09:00
h7x4
3940f52760 hosts/various: remove empty environment.systemPackages lists 2026-01-22 15:45:43 +09:00
h7x4
e2f3c81ecd base: move package list to separate file 2026-01-22 15:35:18 +09:00
h7x4
a4c3aaa402 base: provide reasoning for packages, add a few new ones 2026-01-22 15:31:48 +09:00
h7x4
5714efc668 modules/grzegorz: override base certificate config 2026-01-22 15:10:50 +09:00
h7x4
d5199779a6 base: disable fontconfig by default 2026-01-22 14:57:00 +09:00
h7x4
ae3c7019ef base: disable hibernation and sleep 2026-01-22 14:54:35 +09:00
h7x4
73dc9306f1 base: no mutable users by default 2026-01-22 14:51:24 +09:00
h7x4
09d72305e2 base/nginx: return 444 on fqdn virtualHost by default 2026-01-21 23:17:47 +09:00
h7x4
2ace7b649f nix-topology: remove postgresql icon override 2026-01-21 14:56:41 +09:00
h7x4
7703a94b19 flake.lock: bump 2026-01-21 14:49:00 +09:00
h7x4
ebd40fc2d7 bekkalokk/well-known: reply to well-known for all domains 2026-01-21 14:47:31 +09:00
h7x4
9eb5cd869a bicep/element: fetch correct well-known file 2026-01-21 14:34:35 +09:00
h7x4
fa37f34028 packages/ooye: bump 2026-01-21 13:46:06 +09:00
h7x4
7111d00df8 modules/ooye: calm yo ass (set restart timer + counter) 2026-01-21 13:17:28 +09:00
h7x4
833a74a6fb bicep/matrix: remove some whitespace lol 2026-01-21 13:14:41 +09:00
h7x4
d82cc2e605 update and fix `packages.out-of-your-element 2026-01-21 12:49:13 +09:00
h7x4
93cf6f4a63 bicep/sshguard: disable 
sshguard doesn't actually work as it currently stands, also the builtin
PerSourcePenalty functionality in SSH is more aggressive than sshguard
is able to catch anyway. It might've been reasonable if we were using it
for anything other than SSH, but it doesn't seem like we are.
 2026-01-21 11:13:27 +09:00
h7x4
0f11cca8ec bicep/matrix: use sops templates to render structured files 2026-01-21 11:08:26 +09:00
h7x4
d892acb331 bicep/matrix: have element-web source well-known from config 2026-01-21 10:49:09 +09:00
h7x4
aa07687a94 bicep/matrix: add synapse config to help with livekit 2026-01-21 10:48:37 +09:00
h7x4
e5dd5b6325 bicep/matrix: attempt to set up livekit 2026-01-21 10:14:08 +09:00
h7x4
75c52f63cc bicep/matrix: add module for adding stuff to well-known 2026-01-21 10:14:07 +09:00
Felix Albrigtsen
6b5c12a4b8 Merge pull request 'Fix the heccin quotes - mikrobel 2026' (!120) from fix-quotes into main 
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/120
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
 2026-01-20 09:43:33 +01:00
h7x4
633efc1a7d ildkule: unbreak eval 2026-01-20 17:12:25 +09:00
Felix Albrigtsen
14e2ed7e32 Fix the heccin quotes 2026-01-19 21:09:41 +01:00
Vegard Bieker Matthey
489551a8e2 hosts/gluttony: init (!119) 
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/119
Reviewed-by: Felix Albrigtsen <felixalb@pvv.ntnu.no>
Co-authored-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>
Co-committed-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>
 2026-01-19 17:39:01 +01:00
h7x4
5e5a7f1969 flake.lock: bump minecraft-kartverket 2026-01-19 00:18:06 +09:00
fredrik
b933d19f91 bekkalokk/qotd: init 2026-01-17 22:11:37 +01:00
h7x4
60b6cd137f flake.lock: bump pvv-nettsiden 2026-01-17 16:55:20 +09:00
h7x4
3a0ea9c338 base/polkit: default to username if in group wheel 2026-01-17 03:59:55 +09:00
h7x4
d66aab1e61 flake.lock: bump minecraft-kartverket 2026-01-17 03:59:29 +09:00
h7x4
a9b1e11eea flake.lock: bump 2026-01-16 23:25:15 +09:00
h7x4
1fc3eb24cf flake.lock: bump minecraft-kartverket 2026-01-16 19:50:51 +09:00
h7x4
9984af36f4 modules/gickup: fix linktree config eval 2026-01-16 15:38:34 +09:00
h7x4
1080589aef secrets/*/*: update keys 2026-01-16 07:36:43 +01:00
Vegard Bieker Matthey
1a62eee464 add vegardbm to sops.yaml 2026-01-16 07:36:43 +01:00
h7x4
586a7c3ee5 flake.lock: bump 2026-01-16 11:51:31 +09:00
h7x4
8ff879d830 modules/gickup: run linktree after gickup fetches are done 2026-01-16 11:51:01 +09:00
h7x4
005d987ead bicep/git-mirrors: fix cgit config 2026-01-16 11:50:31 +09:00
h7x4
e72fb76fff ildkule/journald-remote: move LoadCredential to correct unit 2026-01-15 18:37:44 +09:00
h7x4
1c021cd789 base/packages: add net-tools 2026-01-15 17:49:42 +09:00
h7x4
d93bdd8493 journald-upload: use ipv4 temporarily, restrict firewall to ildkule 2026-01-15 17:38:27 +09:00
h7x4
024dae4226 journald-{remote,upload}: init 2026-01-15 15:50:49 +09:00
h7x4
5d0b2c6e0a temmie: mount nfs shares from microbel 2026-01-15 00:47:53 +09:00
Øystein Tveit
edeed67528 hosts/temmie: init 2026-01-14 16:43:29 +01:00
h7x4
9e19d9a9bb bekkalokk/bluemap: include markers with concatenation 2026-01-14 17:40:47 +09:00
h7x4
46d7220479 Move deployment section from dev docs to README, add warning 2026-01-13 22:54:51 +09:00
h7x4
cd6f35a42d base/auto-upgrade: display build logs in journalctl 2026-01-13 19:59:43 +09:00
h7x4
643dcb091f kommode/gitea: add developer experience label 2026-01-13 19:59:43 +09:00
h7x4
06d6a08938 flake.nix: bump pvv-nettsiden 2026-01-13 19:59:43 +09:00
h7x4
f67a24648a skrott: dont allow quitting 2026-01-12 02:32:21 +09:00
h7x4
5e18855c7c skrott: register sops with dibbler db url 2026-01-12 02:32:21 +09:00
Vegard Bieker Matthey
26325c60d4 Merge pull request 'add missing ;' (!117) from syntax_error into main 
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/117
Reviewed-by: Felix Albrigtsen <felixalb@pvv.ntnu.no>
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
 2026-01-09 16:51:17 +01:00
Vegard Bieker Matthey
15c9c492cb add missing ; 2026-01-09 16:28:44 +01:00
h7x4
21d28f44e2 flake.nix: system -> stdenv.hostPlatform.system 2026-01-09 06:17:57 +09:00
h7x4
ea5850c18b skrott: use stable kernel 2026-01-09 06:17:57 +09:00
h7x4
b4a43128fb flake.lock: bump 2026-01-09 06:17:57 +09:00
h7x4
e1482ce795 docs/development: fix warning blocks 2026-01-07 22:51:24 +09:00
h7x4
0c66cff9f2 hosts/skrott: move here from the dibbler repo 2026-01-06 17:40:10 +09:00
h7x4
893de326af flake.nix: allow disabling defaults for nixosConfig func 2026-01-06 17:11:15 +09:00
h7x4
4abe86dc07 base/roowho2: traffic filter to PVV IP-space 2026-01-06 12:23:39 +09:00
h7x4
25c8171e3d base/roowho2: init 2026-01-06 12:23:39 +09:00
h7x4
7cff6b197c topology: extend some more 2025-12-31 03:42:26 +09:00
h7x4
843f8d6a02 bekkalokk/alps: init 2025-12-30 22:40:56 +09:00
h7x4
c0000a1eb6 flake.lock: bump 2025-12-30 16:39:12 +09:00
h7x4
243b665eae topology: extend some more 2025-12-30 14:23:09 +09:00
h7x4
ab5be48b1c .gitea/workflows/build-topology-graph: init 2025-12-30 13:09:59 +09:00
h7x4
f671db8a12 topology: extend 2025-12-30 13:00:52 +09:00
h7x4
ad61336a20 topology: add a bunch of non-nixos machines 2025-12-30 02:53:39 +09:00
h7x4
197433a4c3 topology: localize nixos module, add custom extractor, fix misc 2025-12-30 02:02:12 +09:00
Daniel Olsen
58be01e620 buskerud no longer nix rip 2025-12-30 00:39:56 +09:00
Daniel Olsen
0f72ea9241 topology: init with placeholder values 2025-12-30 00:38:12 +09:00
h7x4
67445dd9d4 flake.lock: bump 2025-12-30 00:33:11 +09:00
h7x4
101d40f62f flake.nix: pin git ref for all inputs 2025-12-30 00:33:03 +09:00
h7x4
16891ff521 misc/metrics-exporters: move to base 2025-12-30 00:32:25 +09:00
h7x4
1430af8dfd misc/rust-motd: drop 2025-12-30 00:23:25 +09:00
h7x4
9491a5d200 wenche: flatten builder config 2025-12-30 00:22:57 +09:00
h7x4
33b7af4e62 flake.nix: add pkgs as an output for ease of why-depends 2025-12-30 00:14:08 +09:00
h7x4
ba36db33b8 docs/{development, development-misc}: init, README: clean 2025-12-29 23:36:23 +09:00
h7x4
5158b39ec8 README: lowercase filename extension 2025-12-29 20:34:53 +09:00
h7x4
48aa9c0e7e README: add links to new docs 2025-12-29 20:34:53 +09:00
h7x4
34c5e58580 docs/secret-management.md: init 2025-12-29 20:34:53 +09:00
h7x4
8b10cac63a docs/users.md: init 2025-12-29 20:34:53 +09:00
h7x4
b90a983de0 mediawiki-extensions: bump 2025-12-24 14:27:47 +09:00
h7x4
aa6f7e3038 base/nginx: enable extra listen paramenters by default 2025-12-24 13:44:58 +09:00
h7x4
7356364983 bekkalokk/bluemap: enable kTLS, HTTP3 and QUIC for nginx 2025-12-24 13:44:58 +09:00
h7x4
0c505e9c01 bekkalokk/bluemap: rewrite prestart as StateDirectory + ExecStartPre 2025-12-24 12:26:01 +09:00
h7x4
98473ef3c6 modules/bluemap: expand script 2025-12-24 12:11:51 +09:00
h7x4
9fd4df58b1 modules/bluemap: set CPUSchedulingPolicy=batch 2025-12-24 12:03:20 +09:00
h7x4
18c8490fe4 modules/bluemap: declare render-mask option 2025-12-24 11:27:35 +09:00
h7x4
a098eda1b1 modules/bluemap: remove max-y, bekkalokk/bluemap: fix 2025-12-24 11:22:00 +09:00
h7x4
f159fbf690 bekkalokk/bluemap: fix start-pos in map configs 2025-12-24 11:15:34 +09:00
h7x4
bd1cbd730a bekkalokk/bluemap: set world names 2025-12-24 11:10:25 +09:00
h7x4
0412ed2bc7 modules/bluemap: update map config defaults 2025-12-24 11:09:14 +09:00
h7x4
1991f5a290 modules/bluemap: declare 'name' option 2025-12-24 11:01:56 +09:00
h7x4
b567a85446 bluemap: move module and package, expose through flake, bekkalokk/bluemap: use correct package version 2025-12-24 10:52:07 +09:00
h7x4
eeedcf738a bluemap: update module to reflect upstream better 2025-12-24 10:45:03 +09:00
h7x4
e6950681d5 bluemap: bump from 5.2 -> 5.15 2025-12-24 10:17:05 +09:00
h7x4
2ab25ecd45 bekkalokk/bluemap: update config 2025-12-24 10:10:28 +09:00
h7x4
167c889e11 various: set sops restartUnits 2025-12-22 15:48:13 +09:00
h7x4
6c5e8efea9 kommode/gitea: fix sops restarts and systemd ordering 2025-12-22 15:39:36 +09:00
h7x4
cedaf2a517 kommode/gitea: declarative pubkey 2025-12-22 15:35:54 +09:00
h7x4
4f24217bef kommode/gitea: add restartUnits for some sops secrets 2025-12-22 15:20:56 +09:00
h7x4
9b22b53e95 secrets/bakke: update keys 2025-12-22 15:10:22 +09:00
h7x4
0a6e50e04c secrets/kommode: update gitea signing key 2025-12-22 15:08:53 +09:00
h7x4
c66e04dd26 .sops.yaml: remove remains of jokum 2025-12-22 15:08:39 +09:00
h7x4
5df01ee6d5 bekkalokk/mediawiki: add dark mode support 2025-12-22 14:10:56 +09:00
h7x4
b0a49f87d5 bicep/postgres: bindmount datadir 2025-12-22 13:38:21 +09:00
h7x4
a619125dcb bekkalokk/nettsiden: remove old handling of alternative domains 2025-12-22 13:07:02 +09:00
h7x4
c9d90203d4 bekkalokk/nettsiden: use SSL cert for redirects 2025-12-22 13:03:14 +09:00
h7x4
bde6ebc6ad bekkalokk/nettsiden: use redirects for alternative domains 2025-12-22 12:45:58 +09:00
Felix Albrigtsen
0491df32f7 Init bakke (!87) 
New backup server just dropped!
This server is awfully slow, and the mdraid setup is awfully slow, and I doubt that this will be a good experience, but we now have a backup server again?

- Tried Disko and nixos-anywhere
- Tried using mdraid
- Found that md is ancient and bad
- Found that disko is 100% extra steps, and a lot more complicated and noisy than just formatting your disks yourself
- Found that systemd-boot doesn't support mdraid
- Found that we probably don't need to mirror the boot partition :)
- Found that old hardware is slow
- Found that old hardware can have poor support for iPXE with UEFI, and might do weird BIOS stuff on you when you least expect it
- Reaffirmed that zfs is love

Current disk layout:
- mdraid for boot/root disk
    - 4TB WD Red with 500MiB ESP with systemd-boot, Remaining mdraid - Old?
    - 4TB WD Red with 500MiB Unused partition, Remaining mdraid - Old?
- zfs pool "tank" for the actual backup data
    - 8TB Toshiba MG08 - New
    - 8TB Exos 7E10 - New

TODO:

- Document the death of Toriel on the wiki
- Document Bakke on the wiki
  - ... describing the poco loco disk layout
- Start backing stuff up
  - Restic? Borg? Rsync?
  - Make backup retention policy and zfs snapshot system
  - Document backup procedures

Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/87
Co-authored-by: Felix Albrigtsen <felix@albrigtsen.it>
Co-committed-by: Felix Albrigtsen <felix@albrigtsen.it>
 2025-12-22 04:08:30 +01:00
h7x4
f1c89fd22a kommode/gitea: move some links from top to bottom 2025-12-22 11:50:59 +09:00
h7x4
f58c935966 bekkalokk/kerberos: remove vendored module 2025-12-22 11:17:58 +09:00
h7x4
a238540e04 bicep/minecraft-heatmap: re-enable 2025-12-22 11:14:41 +09:00
h7x4
bd4b8c876f ildkule/prometheus/mysqld: use service cname 2025-12-22 10:37:26 +09:00
h7x4
88ea686b59 bicep/matrix-synapse: replace hardcoded ip space with ones from values 2025-12-22 10:32:17 +09:00
h7x4
0a8702e3ba flake-input-exporter: replace hardcoded ip space with ones from values 2025-12-22 10:30:55 +09:00
Peder Bergebakken Sundt
3a9efb2b1f values/grzegorz: migrate ntnu IPs to values.nix 2025-12-22 10:26:57 +09:00
Peder Bergebakken Sundt
f1bdd71192 grzegorz: allow all of ntnu 2025-12-22 10:26:56 +09:00
Peder Bergebakken Sundt
6d171ef0d2 grzegorz: use values.nix 2025-12-22 10:26:56 +09:00
h7x4
1d08131076 bicep/coturn: replace hardcoded ip with one fr 
om `values`
 2025-12-22 10:23:39 +09:00
h7x4
ad137081c7 bicep/mysql: allow connections from ildkule 2025-12-22 10:23:39 +09:00
h7x4
f04596b752 bicep/postgres: allow connections from ildkule 2025-12-22 10:23:39 +09:00
h7x4
f154d58f32 flake.lock: bump minecraft-kartverket 2025-12-17 02:05:54 +09:00
h7x4
22fb43fa63 kommode/gitea: increase max avatar sizes 2025-12-16 22:12:23 +09:00
h7x4
0e1ab4c85c kommode/gitea: bigger icons 2025-12-16 21:32:18 +09:00
h7x4
cdb72b972d packages/ooye: bump 2025-12-09 02:04:18 +09:00
h7x4
12dcd1551b .gitea/workflows: update actions/checkout: v3 -> v6 2025-12-08 18:50:31 +09:00
h7x4
dbbe06f628 .gitea/workflows: run on debian-latest 2025-12-08 18:50:30 +09:00
h7x4
ebff173946 flake.{nix,lock}: bumpdeedump 2025-12-05 04:20:30 +09:00
h7x4
3dc6ae6d58 flake.nix: fix pvv-calender-bot overlay attrpath 2025-12-05 02:50:00 +09:00
h7x4
ca3ab5415a packages/simplsamlphp: bump 2025-12-05 02:47:20 +09:00
h7x4
79ddc28c9f packages/mediawiki-extensions: bump all 2025-12-05 02:41:05 +09:00
h7x4
3ae26bc53f base/nix: use auto allocated users 2025-12-05 02:25:28 +09:00
h7x4
86a8d2e2f1 bekkalokk/bluemap: stdenv.hostPlatform.system 2025-12-05 02:25:15 +09:00
h7x4
b5513dd6af kommode/gitea: remove upstreamed config 2025-12-05 02:24:42 +09:00
h7x4
252f5a6f94 bicep/matrix-smtp-auth: fix python packaging 2025-12-05 02:24:20 +09:00
h7x4
d666aa6c33 base/postfix: migrate config to new format 2025-12-05 02:23:46 +09:00
h7x4
e9bebc8119 lupine: add ubuntu images from gitea-runner-images 2025-12-04 16:09:49 +09:00
h7x4
c2bc84dc6f lupine: rotate gitea registration key 2025-12-04 15:07:21 +09:00
h7x4
c722650eab lupine: make more images available 2025-12-04 15:07:21 +09:00
Daniel Olsen
30472c478b bicep: enable more services 2025-12-02 01:53:58 +01:00
Daniel Olsen
938e916025 update bicep key 2025-12-02 01:51:40 +01:00
Adrian Gunnar Lauterer
c5dce0fa0f Bicep as a vm 2025-12-02 01:47:51 +01:00
Daniel Olsen
d9a9fcfef1 danio has a new sops key 2025-12-02 01:40:54 +01:00
h7x4
ab04d573ed wenche: fix eval 2025-11-12 01:01:32 +09:00
h7x4
50e346c9bb .gitea/workflows: bump install-nix action version 2025-11-11 22:45:53 +09:00
h7x4
39977eeb5c bekkalokk: source map data from the new map data impl in python 2025-11-11 22:40:16 +09:00
148 changed files with 6767 additions and 3243 deletions
Expand all files Collapse all files

32
.gitea/workflows/build-topology-graph.yml Normal file
View File

@@ -0,0 +1,32 @@
name: "Build topology graph"
on:
push:
branches:
- main
jobs:
evals:
runs-on: debian-latest
steps:
- uses: actions/checkout@v6
- name: Install sudo
run: apt-get update && apt-get -y install sudo
- uses: https://github.com/cachix/install-nix-action@v31
- name: Configure Nix
run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
- name: Build topology graph
run: nix build .#topology -L
- name: Upload topology graph
uses: https://git.pvv.ntnu.no/Projects/rsync-action@v2
with:
source: result/*.svg
quote-source: false
target: ${{ gitea.ref_name }}/topology_graph/
username: gitea-web
ssh-key: ${{ secrets.WEB_SYNC_SSH_KEY }}
host: pages.pvv.ntnu.no
known-hosts: "pages.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH2QjfFB+city1SYqltkVqWACfo1j37k+oQQfj13mtgg"

6
.gitea/workflows/eval.yml
View File

@@ -4,10 +4,10 @@ on:
push:
jobs:
evals:
runs-on: ubuntu-latest
runs-on: debian-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v6
- run: apt-get update && apt-get -y install sudo
- uses: https://github.com/cachix/install-nix-action@v23
- uses: https://github.com/cachix/install-nix-action@v31
- run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
- run: nix flake check

6
.mailmap
View File

@@ -23,3 +23,9 @@ Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lau
Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
Fredrik Robertsen <frero@pvv.ntnu.no> fredrik <fredrikr79@pm.me>
Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Matthey <VegardMatthey@protonmail.com>
Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Bieker Matthey <VegardMatthey@protonmail.com>
Albert Bayazidi <albertba@pvv.ntnu.no> Albert <albert.bayazidi@gmail.com>

63
.sops.yaml
View File

@@ -1,38 +1,40 @@
keys:
# Users
- &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
- &user_danio age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
- &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
- &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
- &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
- &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
- &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
- &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
- &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
- &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
- &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
- &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
# Hosts
- &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
- &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
- &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
- &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
- &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
- &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
- &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
- &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
- &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
- &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
- &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
- &host_skrott age1hlvwswsljxsvrtp4leuw8a8rf8l2q6y06xvxtafvzpq54xm9aegs0kqw2e
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
creation_rules:
# Global secrets
- path_regex: secrets/[^/]+\.yaml$
key_groups:
- age:
- *host_jokum
- *user_danio
- *user_felixalb
- *user_eirikwit
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
@@ -47,6 +49,7 @@ creation_rules:
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
@@ -59,18 +62,7 @@ creation_rules:
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt
- path_regex: secrets/jokum/[^/]+\.yaml$
key_groups:
- age:
- *host_jokum
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
@@ -83,6 +75,7 @@ creation_rules:
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
@@ -95,6 +88,7 @@ creation_rules:
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
@@ -107,6 +101,7 @@ creation_rules:
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
@@ -123,5 +118,31 @@ creation_rules:
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
- path_regex: secrets/bakke/[^/]+\.yaml$
key_groups:
- age:
- *host_bakke
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
- path_regex: secrets/skrott/[^/]+\.yaml$
key_groups:
- age:
- *host_skrott
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp:
- *user_oysteikt

61
README.MD
View File

@@ -1,61 +0,0 @@
# PVV NixOS configs
## Hvordan endre på ting
Før du endrer på ting husk å ikke putte ting som skal være hemmelig uten å først lese seksjonen for hemmeligheter!
Etter å ha klonet prosjektet ned og gjort endringer kan du evaluere configene med:
`nix flake check --keep-going`
før du bygger en maskin med:
`nix build .#<maskinnavn>`
hvis du vil være ekstra sikker på at alt bygger så kan du kjøre:
`nix build .` for å bygge alle de viktige maskinene.
NB: Dette kan ta opp til 30 minutter avhengig av hva som ligger i caches
Husk å hvertfall stage nye filer om du har laget dem!
Om alt bygger fint commit det og push til git repoet.
Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
som root på maskinen.
Hvis du ikke har lyst til å oppdatere alle pakkene (og kanskje måtte vente en stund!) kan du kjøre
`nixos-rebuild switch --override-input nixpkgs nixpkgs --override-input nixpkgs-unstable nixpkgs-unstable --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
## Seksjonen for hemmeligheter
For at hemmeligheter ikke skal deles med hele verden i git - eller å være world
readable i nix-storen, bruker vi [sops-nix](https://github.com/Mic92/sops-nix)
For å legge til secrets kan du kjøre f.eks. `sops secrets/jokum/jokum.yaml`
Dette vil dekryptere filen og gi deg en text-editor du kan bruke for endre hemmelighetene.
Et nix shell med dette verktøyet inkludert ligger i flaket og shell.nix og kan aktiveres med:
`nix-shell` eller `nix develop`. Vi anbefaler det siste.
I tilegg kan du sette opp [direnv](https://direnv.net/) slik at dette skjer automatisk
for å få tilgang til å lese/skrive hemmeligheter må du spørre noen/noe som har tilgang til hemmelighetene
om å legge til age eller pgp nøkkelen din i [`.sops.yaml`](https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/.sops.yaml)
Denne kan du generere fra ssh-nøkkelene dine eller lage en egen nøkkel.
### Legge til flere keys
Gjør det som gir mening i .sops.yml
Etter det kjør `sops updatekeys secrets/host/file.yml`
MERK at det ikke er `sops -r` som BARE roterer nøkklene for de som allerede er i secretfila

64
README.md Normal file
View File

@@ -0,0 +1,64 @@
# PVV NixOS config
This repository contains the NixOS configurations for Programvareverkstedet's server closet.
In addition to machine configurations, it also contains a bunch of shared modules, packages, and
more.
> [!WARNING]
> Please read [Development - working on the PVV machines](./docs/development.md) before making
> any changes, and [Secret management and `sops-nix`](./docs/secret-management.md) before adding
> any credentials such as passwords, API tokens, etc. to the configuration.
## Deploying to machines
> [!WARNING]
> Be careful to think about state when testing changes against the machines. Sometimes, a certain change
> can lead to irreversible changes to the data stored on the machine. An example would be a set of database
> migrations applied when testing a newer version of a service. Unless that service also comes with downwards
> migrations, you can not go back to the previous version without losing data.
To deploy the changes to a machine, you should first SSH into the machine, and clone the pvv-nixos-config
repository unless you have already done so. After that, checkout the branch you want to deploy from, and rebuild:
```bash
# Run this while in the pvv-nixos-config directory
sudo nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake .# --upgrade
```
This will rebuild the NixOS system on the current branch and switch the system configuration to reflect the new changes.
Note that unless you eventually merge the current changes into `main`, the machine will rebuild itself automatically and
revert the changes on the next nightly rebuild (tends to happen when everybody is asleep).
## Machine overview
| Name | Type | Description |
|----------------------------|----------|-----------------------------------------------------------|
| [bekkalokk][bek] | Physical | Our main web host, webmail, wiki, idp, minecraft map, ... |
| [bicep][bic] | Virtual | Database host, matrix, git mirrors, ... |
| bikkje | Virtual | Experimental login box |
| [brzeczyszczykiewicz][brz] | Physical | Shared music player |
| [georg][geo] | Physical | Shared music player |
| [ildkule][ild] | Virtual | Logging and monitoring host, prometheus, grafana, ... |
| [kommode][kom] | Virtual | Gitea + Gitea pages |
| [lupine][lup] | Physical | Gitea CI/CD runners |
| shark | Virtual | Test host for authentication, absolutely horrendous |
| [skrott][skr] | Physical | Kiosk, snacks and soda |
| [wenche][wen] | Virtual | Nix-builders, general purpose compute |
## Documentation
- [Development - working on the PVV machines](./docs/development.md)
- [Miscellaneous development notes](./docs/development-misc.md)
- [User management](./docs/users.md)
- [Secret management and `sops-nix`](./docs/secret-management.md)
[bek]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bekkalokk
[bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
[brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
[geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
[ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
[kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
[lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott
[wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche

42
base/default.nix
View File

@@ -10,23 +10,31 @@
(fp /users)
(fp /modules/snakeoil-certs.nix)
./flake-input-exporter.nix
./networking.nix
./nix.nix
./programs.nix
./sops.nix
./vm.nix
./flake-input-exporter.nix
./services/acme.nix
./services/uptimed.nix
./services/auto-upgrade.nix
./services/dbus.nix
./services/fwupd.nix
./services/irqbalance.nix
./services/journald-upload.nix
./services/logrotate.nix
./services/nginx.nix
./services/openssh.nix
./services/polkit.nix
./services/postfix.nix
./services/prometheus-node-exporter.nix
./services/prometheus-systemd-exporter.nix
./services/promtail.nix
./services/roowho2.nix
./services/smartd.nix
./services/thermald.nix
./services/uptimed.nix
./services/userborn.nix
./services/userdbd.nix
];
@@ -34,6 +42,9 @@
boot.tmp.cleanOnBoot = lib.mkDefault true;
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
boot.loader.systemd-boot.enable = lib.mkDefault true;
boot.loader.efi.canTouchEfiVariables = lib.mkDefault true;
time.timeZone = "Europe/Oslo";
i18n.defaultLocale = "en_US.UTF-8";
@@ -42,21 +53,8 @@
keyMap = "no";
};
environment.systemPackages = with pkgs; [
file
git
gnupg
htop
nano
ripgrep
rsync
screen
tmux
vim
wget
kitty.terminfo
];
# Don't install the /lib/ld-linux.so.2 stub
environment.ldso32 = null;
# .bash_profile already works, but lets also use .bashrc like literally every other distro
# https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
@@ -70,8 +68,6 @@
fi
'';
programs.zsh.enable = true;
# security.lockKernelModules = true;
security.protectKernelImage = true;
security.sudo.execWheelOnly = true;
@@ -79,6 +75,14 @@
Defaults lecture = never
'';
# These are servers, sleep is for the weak
systemd.sleep.extraConfig = lib.mkDefault ''
AllowSuspend=no
AllowHibernation=no
'';
# users.mutableUsers = lib.mkDefault false;
users.groups."drift".name = "drift";
# Trusted users on the nix builder machines

4
base/flake-input-exporter.nix
View File

@@ -45,8 +45,8 @@ in
allow ${values.hosts.ildkule.ipv6}/128;
allow 127.0.0.1/32;
allow ::1/128;
allow 129.241.210.128/25;
allow 2001:700:300:1900::/64;
allow ${values.ipv4-space};
allow ${values.ipv6-space};
deny all;
'';
};

8
base/nix.nix
View File

@@ -9,8 +9,9 @@
settings = {
allow-dirty = true;
auto-allocate-uids = true;
builders-use-substitutes = true;
experimental-features = [ "nix-command" "flakes" ];
experimental-features = [ "nix-command" "flakes" "auto-allocate-uids" ];
log-lines = 50;
use-xdg-base-directories = true;
};
@@ -36,4 +37,9 @@
"unstable=${inputs.nixpkgs-unstable}"
];
};
# Make builds to be more likely killed than important services.
# 100 is the default for user slices and 500 is systemd-coredumpd@
# We rather want a build to be killed than our precious user sessions as builds can be easily restarted.
systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = lib.mkDefault 250;
}

65
base/programs.nix Normal file
View File

@@ -0,0 +1,65 @@
{ pkgs, lib, ... }:
{
# We don't need fonts on headless machines
fonts.fontconfig.enable = lib.mkDefault false;
# Extra packags for better terminal emulator compatibility in SSH sessions
environment.enableAllTerminfo = true;
environment.systemPackages = with pkgs; [
# Debug dns outside resolvectl
dig
# Debug and find files
file
# Process json data
jq
# Check computer specs
lshw
# Scan for open ports with netstat
net-tools
# Grep for files quickly
ripgrep
# Copy files over the network
rsync
# Access various state, often in /var/lib
sqlite-interactive
# Debug software which won't debug itself
strace
# Download files from the internet
wget
];
# Clone/push nix config and friends
programs.git.enable = true;
# Gitea gpg, oysteikt sops, etc.
programs.gnupg.agent.enable = true;
# Monitor the wellbeing of the machines
programs.htop.enable = true;
# Keep sessions running during work over SSH
programs.tmux.enable = true;
# Same reasoning as tmux
programs.screen.enable = true;
# Edit files on the system without resorting to joe(1)
programs.nano.enable = true;
# Same reasoning as nano
programs.vim.enable = true;
# Same reasoning as vim
programs.neovim.enable = true;
# Some people like this shell for some reason
programs.zsh.enable = true;
}

4
base/services/acme.nix
View File

@@ -8,8 +8,6 @@
# Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
virtualisation.vmVariant = {
security.acme.defaults.server = "https://127.0.0.1";
security.acme.preliminarySelfsigned = true;
users.users.root.initialPassword = "root";
};
}
}

4
base/services/auto-upgrade.nix
View File

@@ -9,6 +9,8 @@ in
enable = true;
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
flags = [
"-L"
"--refresh"
"--no-write-lock-file"
# --update-input is deprecated since nix 2.22, and removed in lix 2.90
@@ -26,7 +28,7 @@ in
# workaround for https://github.com/NixOS/nix/issues/6895
# via https://git.lix.systems/lix-project/lix/issues/400
environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) {
"current-system-flake-inputs.json".source
= pkgs.writers.writeJSON "flake-inputs.json" (
lib.flip lib.mapAttrs inputs (name: input:

24
base/services/journald-upload.nix Normal file
View File

@@ -0,0 +1,24 @@
{ config, lib, values, ... }:
let
cfg = config.services.journald.upload;
in
{
services.journald.upload = {
enable = lib.mkDefault true;
settings.Upload = {
# URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}";
URL = "https://${values.hosts.ildkule.ipv4}:${toString config.services.journald.remote.port}";
ServerKeyFile = "-";
ServerCertificateFile = "-";
TrustedCertificateFile = "-";
};
};
systemd.services."systemd-journal-upload".serviceConfig = lib.mkIf cfg.enable {
IPAddressDeny = "any";
IPAddressAllow = [
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
}

38
base/services/nginx.nix
View File

@@ -39,10 +39,38 @@
SystemCallFilter = lib.mkForce null;
};
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
sslCertificate = "/etc/certs/nginx.crt";
sslCertificateKey = "/etc/certs/nginx.key";
addSSL = true;
extraConfig = "return 444;";
services.nginx.virtualHosts = lib.mkIf config.services.nginx.enable {
"_" = {
listen = [
{
addr = "0.0.0.0";
extraParameters = [
"default_server"
# Seemingly the default value of net.core.somaxconn
"backlog=4096"
"deferred"
];
}
{
addr = "[::0]";
extraParameters = [
"default_server"
"backlog=4096"
"deferred"
];
}
];
sslCertificate = "/etc/certs/nginx.crt";
sslCertificateKey = "/etc/certs/nginx.key";
addSSL = true;
extraConfig = "return 444;";
};
${config.networking.fqdn} = {
sslCertificate = lib.mkDefault "/etc/certs/nginx.crt";
sslCertificateKey = lib.mkDefault "/etc/certs/nginx.key";
addSSL = lib.mkDefault true;
extraConfig = lib.mkDefault "return 444;";
};
};
}

15
base/services/polkit.nix Normal file
View File

@@ -0,0 +1,15 @@
{ config, lib, ... }:
let
cfg = config.security.polkit;
in
{
security.polkit.enable = true;
environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
polkit.addAdminRule(function(action, subject) {
if(subject.isInGroup("wheel")) {
return ["unix-user:"+subject.user];
}
});
'';
}

17
base/services/postfix.nix
View File

@@ -6,18 +6,17 @@ in
services.postfix = {
enable = true;
hostname = "${config.networking.hostName}.pvv.ntnu.no";
domain = "pvv.ntnu.no";
settings.main = {
myhostname = "${config.networking.hostName}.pvv.ntnu.no";
mydomain = "pvv.ntnu.no";
relayHost = "smtp.pvv.ntnu.no";
relayPort = 465;
# Nothing should be delivered to this machine
mydestination = [ ];
relayhost = [ "smtp.pvv.ntnu.no:465" ];
config = {
smtp_tls_wrappermode = "yes";
smtp_tls_security_level = "encrypt";
};
# Nothing should be delivered to this machine
destination = [ ];
};
}
}

23
base/services/prometheus-node-exporter.nix Normal file
View File

@@ -0,0 +1,23 @@
{ config, lib, values, ... }:
let
cfg = config.services.prometheus.exporters.node;
in
{
services.prometheus.exporters.node = {
enable = lib.mkDefault true;
port = 9100;
enabledCollectors = [ "systemd" ];
};
systemd.services.prometheus-node-exporter.serviceConfig = lib.mkIf cfg.enable {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ cfg.port ];
}

26
base/services/prometheus-systemd-exporter.nix Normal file
View File

@@ -0,0 +1,26 @@
{ config, lib, values, ... }:
let
cfg = config.services.prometheus.exporters.systemd;
in
{
services.prometheus.exporters.systemd = {
enable = lib.mkDefault true;
port = 9101;
extraFlags = [
"--systemd.collector.enable-restart-count"
"--systemd.collector.enable-ip-accounting"
];
};
systemd.services.prometheus-systemd-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ cfg.port ];
}

38
base/services/promtail.nix Normal file
View File

@@ -0,0 +1,38 @@
{ config, lib, values, ... }:
let
cfg = config.services.prometheus.exporters.node;
in
{
services.promtail = {
enable = lib.mkDefault true;
configuration = {
server = {
http_listen_port = 28183;
grpc_listen_port = 0;
};
clients = [{
url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
}];
scrape_configs = [{
job_name = "systemd-journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = config.networking.hostName;
};
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
];
}];
};
};
}

12
base/services/roowho2.nix Normal file
View File

@@ -0,0 +1,12 @@
{ lib, values, ... }:
{
services.roowho2.enable = lib.mkDefault true;
systemd.sockets.roowho2-rwhod.socketConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
values.ipv4-space
];
};
}

4
base/services/smartd.nix
View File

@@ -1,7 +1,9 @@
{ config, pkgs, lib, ... }:
{
services.smartd = {
enable = lib.mkDefault true;
# NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
# hosts with disk passthrough.
enable = lib.mkDefault (!config.services.qemuGuest.enable);
notifications = {
mail = {
enable = true;

12
base/sops.nix Normal file
View File

@@ -0,0 +1,12 @@
{ config, fp, lib, ... }:
{
sops.defaultSopsFile = let
secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
}

1
base/vm.nix
View File

@@ -11,5 +11,6 @@
};
config.virtualisation.vmVariant = {
virtualisation.isVmVariant = true;
virtualisation.graphics = false;
};
}

103
docs/development-misc.md Normal file
View File

@@ -0,0 +1,103 @@
# Miscellaneous development notes
This document contains a bunch of information that is not particularly specific to the pvv nixos config,
but concerns technologies we use often or gotchas to be aware of when working with NixOS. A lot of the information
here is already public information spread around the internet, but we've collected some of the items we use often
here.
## The firewall
`networking.firewall` is a NixOS module that configures `iptables` rules on the machine. It is enabled by default on
all of our machines, and it can be easy to forget about it when setting up new services, especially when we are the
ones creating the NixOS module.
When setting up a new service that listens on a TCP or UDP port, make sure to add the appropriate ports to either
`networking.firewall.allowedTCPPorts` or `networking.firewall.allowedUDPPorts`.
You can list out the current firewall rules by running `sudo iptables -L -n -v` on the machine.
## Finding stuff
Finding stuff, both underlying implementation and usage is absolutely crucial when working on nix.
Oftentimes, the documentation will be outdated, lacking or just plain out wrong. These are some of
the techniques we have found to be quite good when working with nix.
### [ripgrep](https://github.com/BurntSushi/ripgrep)
ripgrep (or `rg` for short) is a tool that lets you recursively grep for regex patters in a directory.
It is great for finding references to configuration, and where and how certain things are used. It is
especially great when working with [nixpkgs](https://github.com/NixOS/nixpkgs), which is quite large.
### GitHub Search
When trying to set up a new service or reconfigure something, it is very common that someone has done it
before you, but it has never been documented anywhere. A lot of Nix code exists on GitHub, and you can
easily query it by using the `lang:nix` filter in the search bar.
For example: https://github.com/search?q=lang%3Anix+dibbler&type=code
## rsync
`rsync` is a tool for synchronizing files between machines. It is very useful when transferring large
amounts of data from a to b. We use it for multiple things, often when data is produced or stored on
one machine, and we want to process or convert it on another. For example, we use it to transfer gitea
artifacts, to transfer gallery pictures, to transfer minecraft world data for map rendering, and more.
Along with `rsync`, we often use a lesser known tool called `rrsync`, which you can use inside an ssh
configuration (`authorized_keys` file) to restrict what paths a user can access when connecting over ssh.
This is useful both as a security measure, but also to avoid accidental overwrites of files outside the intended
path. `rrsync` will use chroot to restrict what paths the user can access, as well as refuse to run arbitrary commands.
## `nix repl`
`nix repl` is an interactive REPL for the Nix language. It is very useful for experimenting with Nix code,
and testing out small snippets of code to make sure it behaves as expected. You can also use it to explore
NixOS machine configurations, to interactively see that the configuration evaluates to what you expect.
```
# While in the pvv-nixos-config directory
nix repl .
# Upon writing out the config path and clickin [Tab], you will get autocompletion suggestions:
nix-repl> nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts._
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.bekkalokk.pvv.ntnu.no-nixos-metrics
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.idp.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.minecraft.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pvv.org
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pw.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.roundcubeplaceholder.example.com
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.snappymail.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.webmail.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.wiki.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.www.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.www.pvv.org
```
## `nix why-depends`
If you ever wonder why a certain package is being used as a dependency of another package,
or another machine, you can use `nix why-depends` to find the dependency path from one package to another.
This is often useful after updating nixpkgs and finding an error saying that a certain package is insecure,
broken or whatnot. You can do something like the following
```bash
# Why does bekkalokk depend on openssl?
nix why-depends .#nixosConfigurations.bekkalokk.config.system.build.toplevel .#nixosConfigurations.bekkalokk.pkgs.openssl
# Why does bekkalokk's minecraft-server depend on zlib? (this is not real)
nix why-depends .#nixosConfigurations.bekkalokk.pkgs.minecraft-server .#nixosConfigurations.bekkalokk.pkgs.zlib
```
## php-fpm
php-fpm (FastCGI Process Manager) is a PHP implementation that is designed for speed and production use. We host a bunch
of different PHP applications (including our own website), and so we use php-fpm quite a bit. php-fpm typically exposes a
unix socket that nginx will connect to, and php-fpm will then render php upon web requests forwarded from nginx and return
it.
php-fpm has a tendency to be a bit hard to debug. It is not always very willing to spit out error messages and logs, and so
it can be a bit hard to figure out what's up when something goes wrong. You should see some of the commented stuff laying around
in the website code on bekkalokk for examples of how to configure php-fpm for better logging and error reporting.

169
docs/development.md Normal file
View File

@@ -0,0 +1,169 @@
# Development - working on the PVV machines
This document outlines the process of editing our NixOS configurations, and testing and deploying said changes
to the machines. Most of the information written here is specific to the PVV NixOS configuration, and the topics
will not really cover the nix code itself in detail. You can find some more resources for that by either following
the links from the *Upstream documentation* section below, or in [Miscellaneous development notes](./development-misc.md).
## Editing nix files
> [!WARNING]
> Before editing any nix files, make sure to read [Secret management and `sops-nix`](./secret-management.md)!
> We do not want to add any secrets in plaintext to the nix files, and certainly not commit and publish
> them into the common public.
The files are plaintext code, written in the [`Nix` language](https://nix.dev/manual/nix/stable/language/).
Below is a list of important files and directories, and a description of what they contain.
### `flake.nix`
The `flake.nix` file is a [nix flake](https://wiki.nixos.org/wiki/Flakes) and makes up the entrypoint of the
entire configuration. It declares what inputs are used (similar to dependencies), as well as what outputs the
flake exposes. In our case, the most important outputs are the `nixosConfigurations` (our machine configs), but
we also expose custom modules, packages, devshells, and more. You can run `nix flake show` to get an overview of
the outputs (however you will need to [enable the `nix-flakes` experimental option](https://wiki.nixos.org/wiki/Flakes#Setup)).
You will find that a lot of the flake inputs are the different PVV projects that we develop, imported to be hosted
on the NixOS machines. This makes it easy to deploy changes to these projects, as we can just update the flake input
to point to a new commit or version, and then rebuild the machines.
A NixOS configuration is usually made with the `nixpkgs.lib.nixosSystem` function, however we have a few custom wrapper
functions named `nixosConfig` and `stableNixosConfig` that abstracts away some common configuration we want on all our machines.
### `values.nix`
`values.nix` is a somewhat rare pattern in NixOS configurations around the internet. It contains a bunch of constant values
that we use throughout the configuration, such as IP addresses, DNS names, paths and more. This not only makes it easier to
change the values should we need to, but it also makes the configuration more readable. Instead of caring what exact IP any
machine has, you can write `values.machines.name.ipv4` and abstract the details away.
### `base`
The `base` directory contains a bunch of NixOS configuration that is common for all or most machines. Some of the config
you will find here sets defaults for certain services without enabling them, so that when they are enabled in a machine config,
we don't need to repeat the same defaults over again. Other parts actually enable certain services that we want on all machines,
such as `openssh` or the auto upgrade timer.
### Vendoring `modules` and `packages`
Sometimes, we either find that the packages or modules provided by `nixpkgs` is not sufficient for us,
or that they are bugged in some way that can not be easily overrided. There are also cases where the
modules or packages does not exist. In these cases, we tend to either copy and modify the modules and
packages from nixpkgs, or create our own. These modules and packages end up in the top-level `modules`
and `packages` directories. They are usually exposed in `flake.nix` as flake outputs `nixosModules.<name>`
and `packages.<platform>.<name>`, and they are usually also added to the machines that need them in the flake.
In order to override or add an extra package, the easiest way is to use an [`overlay`](https://wiki.nixos.org/wiki/Overlays).
This makes it so that the package from `pkgs.<name>` now refers to the modified variant of the package.
In order to add a module, you can just register it in the modules of the nixos machine.
In order to override a module, you also have to use `disabledModules = [ "<path-relative-to-nixpkgs/modules>" ];`.
Use `rg` to find examples of the latter.
Do note that if you believe a new module to be of high enough quality, or the change you are making to be
relevant for every nix user, you should strongly consider also creating a PR towards nixpkgs. However,
getting changes made there has a bit higher threshold and takes more time than making changes in the PVV config,
so feel free to make the changes here first. We can always remove the changes again once the upstreaming is finished.
### `users`, `secrets` and `keys`
For `users`, see [User management](./users.md)
For `secrets` and `keys`, see [Secret management and `sops-nix`](./secret-management.md)
### Collaboration
We use our gitea to collaborate on changes to the nix configuration. Every PVV maintenance member should have
access to the repository. The usual workflow is that we create a branch for the change we want to make, do a bunch
of commits and changes, and then open a merge request for review (or just rebase on master if you know what you are doing).
### Upstream documentation
Here are different sources of documentation and stuff that you might find useful while
writing, editing and debugging nix code.
- [nixpkgs repository](https://github.com/NixOS/nixpkgs)
This is particularly useful to read the source code, as well as upstreaming pieces of code that we think
everyone would want
- [NixOS search](https://search.nixos.org/)
This is useful for searching for both packages and NixOS options.
- [nixpkgs documentation](https://nixos.org/manual/nixpkgs/stable/)
- [NixOS documentation](https://nixos.org/manual/nixos/stable/)
- [nix (the tool) documentation](https://nix.dev/manual/nix/stable/)
All of the three above make up the official documentation with all technical
details about the different pieces that makes up NixOS.
- [The official NixOS wiki](https://wiki.nixos.org)
User-contributed guides, tips and tricks, and whatever else.
- [nix.dev](https://nix.dev)
Additional stuff
- [Noogle](https://noogle.dev)
This is useful when looking for nix functions and packaging helpers.
## Testing and deploying changes
After editing the nix files on a certain branch, you will want to test and deploy the changes to the machines.
Unfortunately, we don't really have a good setup for testing for runtime correctness locally, but we can at least
make sure that the code evaluates and builds correctly before deploying.
To just check that the code evaluates without errors, you can run:
```bash
nix flake check
# Or if you want to keep getting all errors before it quits:
nix flake check --keep-going
```
> [!NOTE]
> If you are making changes that involves creating new nix files, remember to `git add` those files before running
> any nix commands. Nix refuses to acknowledge files that are not either commited or at least staged. It will spit
> out an error message about not finding the file in question.
### Building machine configurations
To build any specific machine configuration and look at the output, you can run:
```bash
nix build .#nixosConfigurations.<machine-name>.config.system.build.toplevel
# or just
nix build .#<machine-name>
```
This will create a symlink name `./result` to a directory containing the built NixOS system. It is oftentimes
the case that config files for certain services only end up in the nix store without being put into `/etc`. If you wish
to read those files, you can often find them by looking at the systemd unit files in `./result/etc/systemd/system/`.
(if you are using vim, `gf` or go-to-file while the cursor is over a file path is a useful trick while doing this).
If you have edited something that affects multiple machines, you can also build all important machines at once by running:
```bash
nix build .#
```
> [!NOTE]
> Building all machines at once can take a long time, depending on what has changed and whether you have already
> built some of the machines recently. Be prepared to wait for up to an hour to build all machines from scratch
> if this is the first time.
### Forcefully reset to `main`
If you ever want to reset a machine to the `main` branch, you can do so by running:
```bash
nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git
```
This will ignore the current branch and just pull the latest `main` from the git repository directly from gitea.
You can also use this command if there are updates on the `main` branch that you want to deploy to the machine without
waiting for the nightly rebuild.

160
docs/secret-management.md Normal file
View File

@@ -0,0 +1,160 @@
# Secret management and `sops-nix`
Nix config is love, nix config is life, and publishing said config to the
internet is not only a good deed and kinda cool, but also encourages properly
secured configuration as opposed to [security through obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity).
That being said, there are some details of the config that we really shouldn't
share with the general public. In particular, there are so-called *secrets*, that is
API keys, passwords, tokens, cookie secrets, salts, peppers and jalapenos that we'd
rather keep to ourselves. However, it is not entirely trivial to do so in the NixOS config.
For one, we'd have to keep these secrets out of the public git repo somehow, and secondly
everything that is configured via nix ends up as world readable files (i.e. any user on the
system can read the file) in `/nix/store`.
In order to solve this, we use a NixOS module called [`sops-nix`](https://github.com/Mic92/sops-nix)
which uses a technology called [`sops`](https://github.com/getsops/sops) behind the scenes.
The idea is simple: we encrypt these secrets with a bunch of different keys and store the
encrypted files in the git repo. First of all, we encrypt the secrets a bunch of time with
PVV maintenance member's keys, so that we can decrypt and edit the contents. Secondly, we
encrypt the secrets with the [host keys]() of the NixOS machines, so that they can decrypt
the secrets. The secrets will be decrypted and stored in a well-known location (usually `/run/secrets`)
so that they do not end up in the nix store, and are not world readable.
This way, we can both keep the secrets in the git repository and let multiple people edit them,
but also ensure that they don't end up in the wrong hands.
## Adding a new machine
In order to add a new machine to the nix-sops setup, you should do the following:
```console
# Create host keys (if they don't already exist)
ssh-keygen -A -b 4096
# Derive an age-key from the public host key
nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# Register the age key in .sops.yaml
vim .sops.yaml
```
The contents of `.sops.yaml` should look like this:
```yaml
keys:
# Users
...
# Hosts
...
- &host_<machine_name> <public_age_key>
creation_rules:
...
- path_regex: secrets/<machine_name>/[^/]+\.yaml$
key_groups:
- age:
- *host_<machine_name>
- ... user keys
- pgp:
- ... user keys
```
> [!NOTE]
> Take care that all the keys in the `age` and `pgp` sections are prefixed
> with a `-`, or else sops might try to encrypt the secrets in a way where
> you need both keys present to decrypt the content. Also, it tends to throw
> interesting errors when it fails to do so.
```console
# While cd-ed into the repository, run this to get a shell with the `sops` tool present
nix-shell
```
Now you should also be able to edit secrets for this machine by running:
```
sops secrets/<machine_name>/<machine_name>.yaml
```
## Adding a user
Adding a user is quite similar to adding a new machine.
This guide assumes you have already set up SSH keys.
```
# Derive an age-key from your key
# (edit the path to the key if it is named something else)
nix-shell -p ssh-to-age --run 'cat ~/.ssh/id_ed25519.pub | ssh-to-age'
# Register the age key in .sops.yaml
vim .sops.yaml
```
The contents of `.sops.yaml` should look like this:
```yaml
keys:
# Users
...
- &user_<user_name> <public_age_key>
# Hosts
...
creation_rules:
...
# Do this for all the machines you are planning to edit
# (or just do it for all machines)
- path_regex: secrets/<machine_name>/[^/]+\.yaml$
key_groups:
- age:
- *host_<machine_name>
- ... user keys
- *host_<user_name>
- pgp:
- ... user keys
```
Now that sops is properly configured to recognize the key, you need someone
who already has access to decrypt all the secrets and re-encrypt them with your
key. At this point, you should probably [open a PR](https://docs.gitea.com/usage/issues-prs/pull-request)
and ask someone in PVV maintenance if they can checkout the PR branch, run the following
command and push the diff back into the PR (and maybe even ask them to merge if you're feeling
particularly needy).
```console
sops updatekeys secrets/*/*.yaml
```
## Updating keys
> [!NOTE]
> At some point, we found this flag called `sops -r` that seemed to be described to do what
> `sops updatekeys` does, do not be fooled. This only rotates the "inner key" for those who
> already have the secrets encrypted with their key.
Updating keys is done with this command:
```console
sops updatekeys secrets/*/*.yaml
```
However, there is a small catch. [oysteikt](https://git.pvv.ntnu.no/oysteikt) has kinda been
getting gray hairs lately, and refuses to use modern technology - he is still stuck using GPG.
This means that to be able to re-encrypt the sops secrets, you will need to have a gpg keychain
with his latest public key available. The key has an expiry date, so if he forgets to update it,
you should send him and angry email and tag him a bunch of times in a gitea issue. If the key
is up to date, you can do the following:
```console
# Fetch gpg (unless you have it already)
nix-shell -p gpg
# Import oysteikts key to the gpg keychain
gpg --import ./keys/oysteikt.pub
```
Now you should be able to run the `sops updatekeys` command again.

50
docs/users.md Normal file
View File

@@ -0,0 +1,50 @@
# User management
Due to some complications with how NixOS creates users compared to how we used to
create users with the salt-based setup, the NixOS machine users are created and
managed separately. We tend to create users on-demand, whenever someone in PVV
maintenance want to work on the NixOS machines.
## Setting up a new user
You can find the files for the existing users, and thereby examples of user files
in the [`users`](../users) directory. When creating a new file here, you should name it
`your-username.nix`, and add *at least* the following contents:
```nix
{ pkgs, ... }:
{
users.users."<username>" = {
isNormalUser = true;
extraGroups = [
"wheel" # In case you wanna use sudo (you probably do)
"nix-builder-users" # Arbitrary access to write to the nix store
];
# Any packages you frequently use to manage servers go here.
# Please don't pull gigantonormous packages here unless you
# absolutely need them, and remember that any package can be
# pulled via nix-shell if you only use it once in a blue moon.
packages = with pkgs; [
bottom
eza
];
# Not strictly needed, but we recommend adding your public SSH
# key here. If it is not present, you will have to log into the
# machine as 'root' before setting your password for every NixOS
# machine you have not logged into yet.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjiQ0wg4lpC7YBMAAHoGmgwqHOBi+EUz5mmCymGlIyT my-key"
];
};
}
```
The file will be picked up automatically, so creating the file and adding the
contents should be enough to get you registered. You should
[open a PR](https://docs.gitea.com/usage/issues-prs/pull-request) with the new
code so the machines will be rebuilt with your user present.
See also [Secret Management](./secret-management.md) for how to add your keys to the
system that lets us add secrets (API keys, password, etc.) to the NixOS config.

329
flake.lock generated
View File

@@ -1,5 +1,26 @@
{
"nodes": {
"dibbler": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1769400154,
"narHash": "sha256-K0OeXzFCUZTkCBxUDr3U3ah0odS/urtNVG09WDl+HAA=",
"ref": "main",
"rev": "8e84669d9bf963d5e46bac37fe9b0aa8e8be2d01",
"revCount": 230,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
}
},
"disko": {
"inputs": {
"nixpkgs": [
@@ -7,19 +28,38 @@
]
},
"locked": {
"lastModified": 1758287904,
"narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=",
"lastModified": 1736864502,
"narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
"owner": "nix-community",
"repo": "disko",
"rev": "67ff9807dd148e704baadbd4fd783b54282ca627",
"rev": "0141aabed359f063de7413f80d906e1d98c0c123",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v1.11.0",
"repo": "disko",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1765835352,
"narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "a34fae9c08a15ad73f295041fec82323541400a9",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"gergle": {
"inputs": {
"nixpkgs": [
@@ -27,15 +67,16 @@
]
},
"locked": {
"lastModified": 1758384693,
"narHash": "sha256-zakdGo9micgEXGiC5Uq0gE5GkHtX12qaRYLcstKPek4=",
"ref": "refs/heads/main",
"rev": "5f6a462d87cbe25834e8f31283f39fb46c9c3561",
"revCount": 21,
"lastModified": 1767906545,
"narHash": "sha256-LOf08pcjEQFLs3dLPuep5d1bAXWOFcdfxuk3YMb5KWw=",
"ref": "main",
"rev": "e55cbe0ce0b20fc5952ed491fa8a553c8afb1bdd",
"revCount": 23,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
}
@@ -48,15 +89,16 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1758919016,
"narHash": "sha256-TSJMOWq9dO7P1iQB4httzWwAtpM1veacLcaS7FAyTpo=",
"ref": "refs/heads/main",
"rev": "c87263b784954d20485d108e70934c9316935d75",
"revCount": 51,
"lastModified": 1767906494,
"narHash": "sha256-Dd6gtdZfRMAD6JhdX0GdJwIHVaBikePSpQXhIdwLlWI=",
"ref": "main",
"rev": "7258822e2e90fea2ea00b13b5542f63699e33a9e",
"revCount": 61,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
}
@@ -68,15 +110,16 @@
]
},
"locked": {
"lastModified": 1736178795,
"narHash": "sha256-mPdi8cgvIDYcgG3FRG7A4BOIMu2Jef96TPMnV00uXlM=",
"ref": "refs/heads/master",
"rev": "fde738910de1fd8293535a6382c2f0c2749dd7c1",
"revCount": 79,
"lastModified": 1764867811,
"narHash": "sha256-UWHiwr8tIcGcVxMLvAdNxDbQ8QuHf3REHboyxvFkYEI=",
"ref": "master",
"rev": "c9983e947efe047ea9d6f97157a1f90e49d0eab3",
"revCount": 81,
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
},
"original": {
"ref": "master",
"type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
}
@@ -88,55 +131,63 @@
]
},
"locked": {
"lastModified": 1753216555,
"narHash": "sha256-qfgVfgXjVPV7vEER4PVFiGUOUW08GHH71CVXgYW8EVc=",
"lastModified": 1764844095,
"narHash": "sha256-Drf1orxsmFDzO+UbPo85gHjXW7QzAM+6oTPvI7vOSik=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "099db715d1eba526a464f271b05cead5166fd9a9",
"rev": "25b9f31ef1dbc3987b4c716de716239f2b283701",
"type": "github"
},
"original": {
"owner": "dali99",
"ref": "v0.7.1",
"ref": "v0.8.0",
"repo": "nixos-matrix-modules",
"type": "github"
}
},
"minecraft-data": {
"locked": {
"lastModified": 1725277886,
"narHash": "sha256-Fw4VbbE3EfypQWSgPDFfvVH47BHeg3ptsO715NlUM8Q=",
"ref": "refs/heads/master",
"rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
"revCount": 2,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
}
},
"minecraft-heatmap": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
],
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1756124334,
"narHash": "sha256-DXFmSpgI8FrqcdqY7wg5l/lpssWjslHq5ufvyp/5k4o=",
"ref": "refs/heads/main",
"rev": "83760b1ebcd9722ddf58a4117d29555da65538ad",
"revCount": 13,
"lastModified": 1767906976,
"narHash": "sha256-igCg8I83eO+noF00raXVJqDxzLS2SrZN8fK5bnvO+xI=",
"ref": "main",
"rev": "626bc9b6bae6a997b347cdbe84080240884f2955",
"revCount": 17,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
}
},
"minecraft-kartverket": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1768749374,
"narHash": "sha256-dhXYLc64d7TKCnRPW4TlHGl6nLRNdabJB2DpJ8ffUw0=",
"ref": "main",
"rev": "040294f2e1df46e33d995add6944b25859654097",
"revCount": 37,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
}
},
"nix-gitea-themes": {
"inputs": {
"nixpkgs": [
@@ -144,39 +195,77 @@
]
},
"locked": {
"lastModified": 1743881366,
"narHash": "sha256-ScGA2IHPk9ugf9bqEZnp+YB/OJgrkZblnG/XLEKvJAo=",
"ref": "refs/heads/main",
"rev": "db2e4becf1b11e5dfd33de12a90a7d089fcf68ec",
"revCount": 11,
"lastModified": 1767906352,
"narHash": "sha256-wYsH9MMAPFG3XTL+3DwI39XMG0F2fTmn/5lt265a3Es=",
"ref": "main",
"rev": "d054c5d064b8ed6d53a0adb0cf6c0a72febe212e",
"revCount": 13,
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
}
},
"nix-topology": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1768955766,
"narHash": "sha256-V9ns1OII7sWSbIDwPkiqmJ3Xu/bHgQzj+asgH9cTpOo=",
"owner": "oddlama",
"repo": "nix-topology",
"rev": "71f27de56a03f6d8a1a72cf4d0dfd780bcc075bc",
"type": "github"
},
"original": {
"owner": "oddlama",
"ref": "main",
"repo": "nix-topology",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1760254360,
"narHash": "sha256-Npp92Joy2bRyickrrVP9+85z31aGS8kVNiLlKvd5pC4=",
"rev": "bafe987a29b8bea2edbb3aba76b51464b3d222f0",
"lastModified": 1768877948,
"narHash": "sha256-Bq9Hd6DWCBaZ2GkwvJCWGnpGOchaD6RWPSCFxmSmupw=",
"rev": "43b2e61c9d09cf6c1c9c192fe6da08accc9bfb1d",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/25.05-small/nixos-25.05.811161.bafe987a29b8/nixexprs.tar.xz"
"url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4368.43b2e61c9d09/nixexprs.tar.xz"
},
"original": {
"type": "tarball",
"url": "https://nixos.org/channels/nixos-25.05-small/nixexprs.tar.xz"
"url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1765674936,
"narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1760252326,
"narHash": "sha256-5v32B25kSE++E+KtP4DO687r/AlWL9qOlOjtYyfcDSw=",
"rev": "66e5020bfe0af40ffa127426f8405edbdadbb40b",
"lastModified": 1768886240,
"narHash": "sha256-HUAAI7AF+/Ov1u3Vvjs4DL91zTxMkWLC4xJgQ9QxOUQ=",
"rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-25.11pre876242.66e5020bfe0a/nixexprs.tar.xz"
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre930839.80e4adbcf899/nixexprs.tar.xz"
},
"original": {
"type": "tarball",
@@ -190,15 +279,16 @@
]
},
"locked": {
"lastModified": 1742225512,
"narHash": "sha256-OB0ndlrGLE5wMUeYP4lmxly9JUEpPCeZRQyMzITKCB0=",
"ref": "refs/heads/main",
"rev": "c4a6a02c84d8227abf00305dc995d7242176e6f6",
"revCount": 21,
"lastModified": 1764869785,
"narHash": "sha256-FGTIpC7gB4lbeL0bfYzn1Ge0PaCpd7VqWBLhJBx0i4A=",
"ref": "main",
"rev": "8ce7fb0b1918bdb3d1489a40d73895693955e8b2",
"revCount": 23,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
}
@@ -210,36 +300,84 @@
]
},
"locked": {
"lastModified": 1757332682,
"narHash": "sha256-4p4aVQWs7jHu3xb6TJlGik20lqbUU/Fc0/EHpzoRlO0=",
"ref": "refs/heads/main",
"rev": "da1113341ad9881d8d333d1e29790317bd7701e7",
"revCount": 518,
"lastModified": 1768636400,
"narHash": "sha256-AiSKT4/25LS1rUlPduBMogf4EbdMQYDY1rS7AvHFcxk=",
"ref": "main",
"rev": "3a8f82b12a44e6c4ceacd6955a290a52d1ee2856",
"revCount": 573,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
}
},
"qotd": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1768684204,
"narHash": "sha256-TErBiXxTRPUtZ/Mw8a5p+KCeGCFXa0o8fzwGoo75//Y=",
"ref": "main",
"rev": "a86f361bb8cfac3845b96d49fcbb2faea669844f",
"revCount": 11,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/qotd.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/qotd.git"
}
},
"root": {
"inputs": {
"dibbler": "dibbler",
"disko": "disko",
"gergle": "gergle",
"greg-ng": "greg-ng",
"grzegorz-clients": "grzegorz-clients",
"matrix-next": "matrix-next",
"minecraft-data": "minecraft-data",
"minecraft-heatmap": "minecraft-heatmap",
"minecraft-kartverket": "minecraft-kartverket",
"nix-gitea-themes": "nix-gitea-themes",
"nix-topology": "nix-topology",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"pvv-calendar-bot": "pvv-calendar-bot",
"pvv-nettsiden": "pvv-nettsiden",
"qotd": "qotd",
"roowho2": "roowho2",
"sops-nix": "sops-nix"
}
},
"roowho2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay_3"
},
"locked": {
"lastModified": 1768140181,
"narHash": "sha256-HfZzup5/jlu8X5vMUglTovVTSwhHGHwwV1YOFIL/ksA=",
"ref": "main",
"rev": "834463ed64773939798589ee6fd4adfe3a97dddd",
"revCount": 43,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
@@ -248,11 +386,53 @@
]
},
"locked": {
"lastModified": 1758335443,
"narHash": "sha256-2jaGMj32IckpZgBjn7kG4zyJl66T+2A1Fn2ppkHh91o=",
"lastModified": 1767840362,
"narHash": "sha256-ZtsFqUhilubohNZ1TgpQIFsi4biZTwRH9rjZsDRDik8=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "f1ccb14649cf87e48051a6ac3a571b4a57d84ff3",
"rev": "d159ea1fc321c60f88a616ac28bab660092a227d",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": {
"nixpkgs": [
"minecraft-heatmap",
"nixpkgs"
]
},
"locked": {
"lastModified": 1766371695,
"narHash": "sha256-W7CX9vy7H2Jj3E8NI4djHyF8iHSxKpb2c/7uNQ/vGFU=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "d81285ba8199b00dc31847258cae3c655b605e8c",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_3": {
"inputs": {
"nixpkgs": [
"roowho2",
"nixpkgs"
]
},
"locked": {
"lastModified": 1767322002,
"narHash": "sha256-yHKXXw2OWfIFsyTjduB4EyFwR0SYYF0hK8xI9z4NIn0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "03c6e38661c02a27ca006a284813afdc461e9f7e",
"type": "github"
},
"original": {
@@ -268,15 +448,16 @@
]
},
"locked": {
"lastModified": 1760240450,
"narHash": "sha256-sa9bS9jSyc4vH0jSWrUsPGdqtMvDwmkLg971ntWOo2U=",
"lastModified": 1768863606,
"narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "41fd1f7570c89f645ee0ada0be4e2d3c4b169549",
"rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
"type": "github"
},
"original": {
"owner": "Mic92",
"ref": "master",
"repo": "sops-nix",
"type": "github"
}

249
flake.nix
View File

@@ -2,38 +2,51 @@
description = "PVV System flake";
inputs = {
nixpkgs.url = "https://nixos.org/channels/nixos-25.05-small/nixexprs.tar.xz";
nixpkgs.url = "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz";
nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.url = "github:Mic92/sops-nix/master";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko";
disko.url = "github:nix-community/disko/v1.11.0";
disko.inputs.nixpkgs.follows = "nixpkgs";
pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git";
nix-topology.url = "github:oddlama/nix-topology/main";
nix-topology.inputs.nixpkgs.follows = "nixpkgs";
pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git?ref=main";
pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs";
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git?ref=main";
pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.7.1";
dibbler.url = "git+https://git.pvv.ntnu.no/Projects/dibbler.git?ref=main";
dibbler.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.8.0";
matrix-next.inputs.nixpkgs.follows = "nixpkgs";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git?ref=main";
nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git";
minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git";
roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main";
roowho2.inputs.nixpkgs.follows = "nixpkgs";
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
greg-ng.inputs.nixpkgs.follows = "nixpkgs";
gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git";
gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git?ref=main";
gergle.inputs.nixpkgs.follows = "nixpkgs";
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git";
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git?ref=master";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
minecraft-data.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git";
minecraft-kartverket.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git?ref=main";
minecraft-kartverket.inputs.nixpkgs.follows = "nixpkgs";
qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main";
qotd.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -56,53 +69,87 @@
in {
inputs = lib.mapAttrs (_: src: src.outPath) inputs;
nixosConfigurations = let
unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
pkgs = forAllSystems (system: import nixpkgs {
inherit system;
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
[
"nvidia-x11"
"nvidia-settings"
];
});
nixosConfigurations = let
nixosConfig =
nixpkgs:
name:
configurationPath:
extraArgs:
lib.nixosSystem (lib.recursiveUpdate
(let
system = "x86_64-linux";
in {
inherit system;
specialArgs = {
inherit unstablePkgs inputs;
values = import ./values.nix;
fp = path: ./${path};
} // extraArgs.specialArgs or { };
modules = [
configurationPath
sops-nix.nixosModules.sops
] ++ extraArgs.modules or [];
pkgs = import nixpkgs {
inherit system;
extraArgs.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
extraArgs@{
localSystem ? "x86_64-linux", # buildPlatform
crossSystem ? "x86_64-linux", # hostPlatform
specialArgs ? { },
modules ? [ ],
overlays ? [ ],
enableDefaults ? true,
...
}:
let
commonPkgsConfig = {
inherit localSystem crossSystem;
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
[
"nvidia-x11"
"nvidia-settings"
];
overlays = [
overlays = (lib.optionals enableDefaults [
# Global overlays go here
] ++ extraArgs.overlays or [ ];
inputs.roowho2.overlays.default
]) ++ overlays;
};
})
pkgs = import nixpkgs commonPkgsConfig;
unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
in
lib.nixosSystem (lib.recursiveUpdate
{
system = crossSystem;
inherit pkgs;
specialArgs = {
inherit inputs unstablePkgs;
values = import ./values.nix;
fp = path: ./${path};
} // specialArgs;
modules = [
{
networking.hostName = lib.mkDefault name;
}
configurationPath
] ++ (lib.optionals enableDefaults [
sops-nix.nixosModules.sops
inputs.roowho2.nixosModules.default
self.nixosModules.rsync-pull-targets
]) ++ modules;
}
(builtins.removeAttrs extraArgs [
"localSystem"
"crossSystem"
"modules"
"overlays"
"specialArgs"
"enableDefaults"
])
);
stableNixosConfig = name: extraArgs:
nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
in {
bakke = stableNixosConfig "bakke" {
modules = [
inputs.disko.nixosModules.disko
];
};
bicep = stableNixosConfig "bicep" {
modules = [
inputs.matrix-next.nixosModules.default
@@ -112,31 +159,35 @@
self.nixosModules.matrix-ooye
];
overlays = [
inputs.pvv-calendar-bot.overlays.x86_64-linux.default
inputs.pvv-calendar-bot.overlays.default
inputs.minecraft-heatmap.overlays.default
(final: prev: {
inherit (self.packages.${prev.system}) out-of-your-element;
inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
})
];
};
bekkalokk = stableNixosConfig "bekkalokk" {
overlays = [
(final: prev: {
heimdal = unstablePkgs.heimdal;
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
bluemap = final.callPackage ./packages/bluemap.nix { };
})
inputs.pvv-nettsiden.overlays.default
inputs.qotd.overlays.default
];
modules = [
inputs.pvv-nettsiden.nixosModules.default
self.nixosModules.bluemap
inputs.qotd.nixosModules.default
];
};
ildkule = stableNixosConfig "ildkule" { };
#ildkule-unstable = unstableNixosConfig "ildkule" { };
shark = stableNixosConfig "shark" { };
wenche = stableNixosConfig "wenche" { };
temmie = stableNixosConfig "temmie" { };
gluttony = stableNixosConfig "gluttony" { };
kommode = stableNixosConfig "kommode" {
overlays = [
@@ -144,6 +195,7 @@
];
modules = [
inputs.nix-gitea-themes.nixosModules.default
inputs.disko.nixosModules.disko
];
};
@@ -177,6 +229,38 @@
};
}
//
(let
skrottConfig = {
modules = [
(nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
inputs.dibbler.nixosModules.default
];
overlays = [
inputs.dibbler.overlays.default
(final: prev: {
# NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
atool = prev.emptyDirectory;
micro = prev.emptyDirectory;
ncdu = prev.emptyDirectory;
})
];
};
in {
skrott = self.nixosConfigurations.skrott-native;
skrott-native = stableNixosConfig "skrott" (skrottConfig // {
localSystem = "aarch64-linux";
crossSystem = "aarch64-linux";
});
skrott-cross = stableNixosConfig "skrott" (skrottConfig // {
localSystem = "x86_64-linux";
crossSystem = "aarch64-linux";
});
skrott-x86_64 = stableNixosConfig "skrott" (skrottConfig // {
localSystem = "x86_64-linux";
crossSystem = "x86_64-linux";
});
})
//
(let
machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
stableLupineNixosConfig = name: extraArgs:
@@ -187,11 +271,13 @@
}));
nixosModules = {
snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix;
robots-txt = ./modules/robots-txt.nix;
bluemap = ./modules/bluemap.nix;
gickup = ./modules/gickup;
matrix-ooye = ./modules/matrix-ooye.nix;
robots-txt = ./modules/robots-txt.nix;
rsync-pull-targets = ./modules/rsync-pull-targets.nix;
snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix;
};
devShells = forAllSystems (system: {
@@ -209,25 +295,86 @@
packages = {
"x86_64-linux" = let
pkgs = nixpkgs.legacyPackages."x86_64-linux";
system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system};
in rec {
default = important-machines;
important-machines = pkgs.linkFarm "important-machines"
(lib.getAttrs importantMachines self.packages.x86_64-linux);
(lib.getAttrs importantMachines self.packages.${system});
all-machines = pkgs.linkFarm "all-machines"
(lib.getAttrs allMachines self.packages.x86_64-linux);
(lib.getAttrs allMachines self.packages.${system});
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
} //
bluemap = pkgs.callPackage ./packages/bluemap.nix { };
out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
}
//
# Mediawiki extensions
(lib.pipe null [
(_: pkgs.callPackage ./packages/mediawiki-extensions { })
(lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
(lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
])
// lib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
//
# Machines
lib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
//
# Skrott is exception
{
skrott = self.packages.${system}.skrott-native-sd;
skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
}
//
# Nix-topology
(let
topology' = import inputs.nix-topology {
pkgs = import nixpkgs {
inherit system;
overlays = [
inputs.nix-topology.overlays.default
(final: prev: {
inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
})
];
};
specialArgs = {
values = import ./values.nix;
};
modules = [
./topology
{
nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
modules = [
inputs.nix-topology.nixosModules.default
./topology/service-extractors/greg-ng.nix
./topology/service-extractors/postgresql.nix
./topology/service-extractors/mysql.nix
./topology/service-extractors/gitea-runners.nix
];
}) self.nixosConfigurations;
}
];
};
in {
topology = topology'.config.output;
topology-png = pkgs.runCommand "pvv-config-topology-png" {
nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
} ''
mkdir -p "$out"
for file in '${topology'.config.output}'/*.svg; do
${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
done
'';
});
};
};
}

18
hosts/bakke/configuration.nix Normal file
View File

@@ -0,0 +1,18 @@
{ config, pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base
./filesystems.nix
];
networking.hostId = "99609ffc";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0";
address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "24.05";
}

83
hosts/bakke/disks.nix Normal file
View File

@@ -0,0 +1,83 @@
{
# https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
# Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
disko.devices = {
disk = {
one = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
type = "EF00";
content = {
type = "mdraid";
name = "boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
two = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
type = "EF00";
content = {
type = "mdraid";
name = "boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
};
mdadm = {
boot = {
type = "mdadm";
level = 1;
metadata = "1.0";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
raid1 = {
type = "mdadm";
level = 1;
content = {
type = "gpt";
partitions.primary = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
}

26
hosts/bakke/filesystems.nix Normal file
View File

@@ -0,0 +1,26 @@
{ pkgs,... }:
{
# Boot drives:
boot.swraid.enable = true;
# ZFS Data pool:
boot = {
zfs = {
extraPools = [ "tank" ];
requestEncryptionCredentials = false;
};
supportedFilesystems.zfs = true;
# Use stable linux packages, these work with zfs
kernelPackages = pkgs.linuxPackages;
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
# NFS Exports:
#TODO
# NFS Import mounts:
#TODO
}

52
hosts/bakke/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,52 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=nix" "noatime" ];
};
fileSystems."/boot" =
{ device = "/dev/sdc2";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

21
hosts/bekkalokk/configuration.nix
View File

@@ -4,11 +4,11 @@
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/bluemap/default.nix
./services/alps.nix
./services/bluemap.nix
./services/idp-simplesamlphp
./services/kerberos
./services/kerberos.nix
./services/mediawiki
./services/nginx.nix
./services/phpfpm.nix
@@ -16,18 +16,9 @@
./services/webmail
./services/website
./services/well-known
./services/qotd
];
sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "bekkalokk";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0";
address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -35,7 +26,7 @@
services.btrfs.autoScrub.enable = true;
# Do not change, even during upgrades.
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11";
system.stateVersion = "25.11";
}

2
hosts/bekkalokk/hardware-configuration.nix
View File

@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:

22
hosts/bekkalokk/services/alps.nix Normal file
View File

@@ -0,0 +1,22 @@
{ config, lib, ... }:
let
cfg = config.services.alps;
in
{
services.alps = {
enable = true;
theme = "sourcehut";
smtps.host = "smtp.pvv.ntnu.no";
imaps.host = "imap.pvv.ntnu.no";
bindIP = "127.0.0.1";
};
services.nginx.virtualHosts."alps.pvv.ntnu.no" = lib.mkIf cfg.enable {
enableACME = true;
forceSSL = true;
kTLS = true;
locations."/" = {
proxyPass = "http://${cfg.bindIP}:${toString cfg.port}";
};
};
}

121
hosts/bekkalokk/services/bluemap.nix Normal file
View File

@@ -0,0 +1,121 @@
{ config, lib, pkgs, inputs, ... }:
let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
format = pkgs.formats.hocon { };
in {
# NOTE: our versino of the module gets added in flake.nix
disabledModules = [ "services/web-apps/bluemap.nix" ];
sops.secrets."bluemap/ssh-key" = { };
sops.secrets."bluemap/ssh-known-hosts" = { };
services.bluemap = {
enable = true;
eula = true;
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
host = "minecraft.pvv.ntnu.no";
maps = let
inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
in {
"verden" = {
extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:overworld";
name = "Verden";
sorting = 0;
start-pos = {
x = 0;
z = 0;
};
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
};
"underverden" = {
extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_nether";
name = "Underverden";
sorting = 100;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#290000";
void-color = "#150000";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
render-mask = [{
max-y = 90;
}];
};
};
"enden" = {
extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_end";
name = "Enden";
sorting = 200;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#080010";
void-color = "#080010";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
};
};
systemd.services."render-bluemap-maps" = {
serviceConfig = {
StateDirectory = [ "bluemap/world" ];
ExecStartPre = let
rsyncArgs = lib.cli.toCommandLineShellGNU { } {
archive = true;
compress = true;
verbose = true;
no-owner = true;
no-group = true;
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
};
in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
];
};
};
services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
kTLS = true;
http3 = true;
quic = true;
http3_hq = true;
extraConfig = ''
# Enabling QUIC 0-RTT
ssl_early_data on;
quic_gso on;
quic_retry on;
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
'';
};
networking.firewall.allowedUDPPorts = [ 443 ];
}

85
hosts/bekkalokk/services/bluemap/default.nix
View File

@@ -1,85 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
in {
imports = [
./module.nix # From danio, pending upstreaming
];
disabledModules = [ "services/web-apps/bluemap.nix" ];
sops.secrets."bluemap/ssh-key" = { };
sops.secrets."bluemap/ssh-known-hosts" = { };
services.bluemap = {
enable = true;
package = pkgs.callPackage ./package.nix { };
eula = true;
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
host = "minecraft.pvv.ntnu.no";
maps = {
"verden" = {
settings = {
world = vanillaSurvival;
sorting = 0;
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.verden;
};
};
"underverden" = {
settings = {
world = "${vanillaSurvival}/DIM-1";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.underverden;
};
};
"enden" = {
settings = {
world = "${vanillaSurvival}/DIM1";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
};
};
services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
};
# TODO: render somewhere else lmao
systemd.services."render-bluemap-maps" = {
preStart = ''
mkdir -p /var/lib/bluemap/world
${pkgs.rsync}/bin/rsync \
-e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" \
-avz --no-owner --no-group \
root@innovation.pvv.ntnu.no:/ \
${vanillaSurvival}
'';
serviceConfig = {
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
];
};
};
}

30
hosts/bekkalokk/services/bluemap/package.nix
View File

@@ -1,30 +0,0 @@
{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
stdenvNoCC.mkDerivation rec {
pname = "bluemap";
version = "5.7";
src = fetchurl {
url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
hash = "sha256-8udZYJgrr4bi2mjRYrASd8JwUoUVZW1tZpOLRgafAIw=";
};
dontUnpack = true;
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
runHook preInstall
makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
runHook postInstall
'';
meta = {
description = "3D minecraft map renderer";
homepage = "https://bluemap.bluecolored.de/";
sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ dandellion h7x4 ];
mainProgram = "bluemap";
};
}

0
hosts/bekkalokk/services/kerberos/default.nix → hosts/bekkalokk/services/kerberos.nix
View File

88
hosts/bekkalokk/services/kerberos/krb5-conf-format.nix
View File

@@ -1,88 +0,0 @@
{ pkgs, lib, ... }:
# Based on
# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
let
inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
str submodule;
in
{ }: {
type = let
section = attrsOf relation;
relation = either (attrsOf value) value;
value = either (listOf atom) atom;
atom = oneOf [int str bool];
in submodule {
freeformType = attrsOf section;
options = {
include = mkOption {
default = [ ];
description = mdDoc ''
Files to include in the Kerberos configuration.
'';
type = coercedTo path singleton (listOf path);
};
includedir = mkOption {
default = [ ];
description = mdDoc ''
Directories containing files to include in the Kerberos configuration.
'';
type = coercedTo path singleton (listOf path);
};
module = mkOption {
default = [ ];
description = mdDoc ''
Modules to obtain Kerberos configuration from.
'';
type = coercedTo path singleton (listOf path);
};
};
};
generate = let
indent = str: concatMapStringsSep "\n" (line: " " + line) (splitString "\n" str);
formatToplevel = args @ {
include ? [ ],
includedir ? [ ],
module ? [ ],
...
}: let
sections = removeAttrs args [ "include" "includedir" "module" ];
in concatStringsSep "\n" (filter (x: x != "") [
(concatStringsSep "\n" (mapAttrsToList formatSection sections))
(concatMapStringsSep "\n" (m: "module ${m}") module)
(concatMapStringsSep "\n" (i: "include ${i}") include)
(concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
]);
formatSection = name: section: ''
[${name}]
${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
'';
formatRelation = name: relation:
if isAttrs relation
then ''
${name} = {
${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
}''
else formatValue name relation;
formatValue = name: value:
if isList value
then concatMapStringsSep "\n" (formatAtom name) value
else formatAtom name value;
formatAtom = name: atom: let
v = if isBool atom then boolToString atom else toString atom;
in "${name} = ${v}";
in
name: value: pkgs.writeText name ''
${formatToplevel value}
'';
}

90
hosts/bekkalokk/services/kerberos/krb5.nix
View File

@@ -1,90 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
inherit (lib.types) bool;
mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
The option `krb5.${name}' has been removed. Use
`security.krb5.settings.${name}' for structured configuration.
'';
cfg = config.security.krb5;
format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
in {
imports = [
(mkRemovedOptionModuleCfg "libdefaults")
(mkRemovedOptionModuleCfg "realms")
(mkRemovedOptionModuleCfg "domain_realm")
(mkRemovedOptionModuleCfg "capaths")
(mkRemovedOptionModuleCfg "appdefaults")
(mkRemovedOptionModuleCfg "plugins")
(mkRemovedOptionModuleCfg "config")
(mkRemovedOptionModuleCfg "extraConfig")
(mkRemovedOptionModule' "kerberos" ''
The option `krb5.kerberos' has been moved to `security.krb5.package'.
'')
];
options = {
security.krb5 = {
enable = mkOption {
default = false;
description = mdDoc "Enable and configure Kerberos utilities";
type = bool;
};
package = mkPackageOption pkgs "krb5" {
example = "heimdal";
};
settings = mkOption {
default = { };
type = format.type;
description = mdDoc ''
Structured contents of the {file}`krb5.conf` file. See
{manpage}`krb5.conf(5)` for details about configuration.
'';
example = {
include = [ "/run/secrets/secret-krb5.conf" ];
includedir = [ "/run/secrets/secret-krb5.conf.d" ];
libdefaults = {
default_realm = "ATHENA.MIT.EDU";
};
realms = {
"ATHENA.MIT.EDU" = {
admin_server = "athena.mit.edu";
kdc = [
"athena01.mit.edu"
"athena02.mit.edu"
];
};
};
domain_realm = {
"mit.edu" = "ATHENA.MIT.EDU";
};
logging = {
kdc = "SYSLOG:NOTICE";
admin_server = "SYSLOG:NOTICE";
default = "SYSLOG:NOTICE";
};
};
};
};
};
config = mkIf cfg.enable {
environment = {
systemPackages = [ cfg.package ];
etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
};
};
meta.maintainers = builtins.attrValues {
inherit (lib.maintainers) dblsaiko h7x4;
};
}

1543
hosts/bekkalokk/services/kerberos/pam.nix
View File

File diff suppressed because it is too large Load Diff

49
hosts/bekkalokk/services/mediawiki/default.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
{ pkgs, lib, fp, config, values, ... }: let
cfg = config.services.mediawiki;
# "mediawiki"
@@ -34,6 +34,7 @@ in {
services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
sops.secrets = lib.pipe [
"mediawiki/secret-key"
"mediawiki/password"
"mediawiki/postgres_password"
"mediawiki/simplesamlphp/postgres_password"
@@ -48,6 +49,24 @@ in {
lib.listToAttrs
];
services.rsync-pull-targets = {
enable = true;
locations.${cfg.uploadsDir} = {
user = config.services.root;
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
# TODO: create new key on principal
enable = false;
publicKey = "";
};
};
services.mediawiki = {
enable = true;
name = "Programvareverkstedet";
@@ -130,6 +149,12 @@ in {
$wgVectorDefaultSidebarVisibleForAnonymousUser = true;
$wgVectorResponsive = true;
# Experimental dark mode support for Vector 2022
$wgVectorNightMode['beta'] = true;
$wgVectorNightMode['logged_out'] = true;
$wgVectorNightMode['logged_in'] = true;
$wgDefaultUserOptions['vector-theme'] = 'os';
# Misc
$wgEmergencyContact = "${cfg.passwordSender}";
$wgUseTeX = false;
@@ -173,15 +198,15 @@ in {
# Cache directory for simplesamlphp
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable {
user = "mediawiki";
group = "mediawiki";
mode = "0770";
};
users.groups.mediawiki.members = [ "nginx" ];
users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ];
services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
services.nginx.virtualHosts."wiki.pvv.ntnu.no" = lib.mkIf cfg.enable {
kTLS = true;
forceSSL = true;
enableACME = true;
@@ -227,4 +252,20 @@ in {
};
};
systemd.services.mediawiki-init = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ];
serviceConfig = {
BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
};
};
systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ];
serviceConfig = {
BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
};
};
}

6
hosts/bekkalokk/services/qotd/default.nix Normal file
View File

@@ -0,0 +1,6 @@
{
services.qotd = {
enable = true;
quotes = builtins.fromJSON (builtins.readFile ./quotes.json);
};
}

1
hosts/bekkalokk/services/qotd/quotes.json Normal file
View File

@@ -0,0 +1 @@
["quote 1", "quote 2"]

41
hosts/bekkalokk/services/website/default.nix
View File

@@ -18,11 +18,16 @@ in {
restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
});
security.acme.certs."www.pvv.ntnu.no" = {
extraDomainNames = [
"pvv.ntnu.no"
"www.pvv.org"
"pvv.org"
];
};
services.idp.sp-remote-metadata = [
"https://www.pvv.ntnu.no/simplesaml/"
"https://pvv.ntnu.no/simplesaml/"
"https://www.pvv.org/simplesaml/"
"https://pvv.org/simplesaml/"
];
services.pvv-nettsiden = {
@@ -69,9 +74,6 @@ in {
ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
TRUSTED_DOMAINS = [
"www.pvv.ntnu.no"
"pvv.ntnu.no"
"www.pvv.org"
"pvv.org"
];
};
};
@@ -83,13 +85,28 @@ in {
"catch_workers_output" = true;
};
services.nginx.virtualHosts.${cfg.domainName} = {
serverAliases = [
"pvv.ntnu.no"
"www.pvv.org"
"pvv.org"
];
services.nginx.virtualHosts."pvv.ntnu.no" = {
globalRedirect = cfg.domainName;
redirectCode = 307;
forceSSL = true;
useACMEHost = "www.pvv.ntnu.no";
};
services.nginx.virtualHosts."www.pvv.org" = {
globalRedirect = cfg.domainName;
redirectCode = 307;
forceSSL = true;
useACMEHost = "www.pvv.ntnu.no";
};
services.nginx.virtualHosts."pvv.org" = {
globalRedirect = cfg.domainName;
redirectCode = 307;
forceSSL = true;
useACMEHost = "www.pvv.ntnu.no";
};
services.nginx.virtualHosts.${cfg.domainName} = {
locations = {
# Proxy home directories
"^~ /~" = {

22
hosts/bekkalokk/services/website/fetch-gallery.nix
View File

@@ -3,13 +3,21 @@ let
galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
in {
users.users.${config.services.pvv-nettsiden.user} = {
useDefaultShell = true;
# This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
openssh.authorizedKeys.keys = [
''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
];
# This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
services.rsync-pull-targets = {
enable = true;
locations.${transferDir} = {
user = config.services.pvv-nettsiden.user;
rrsyncArgs.wo = true;
authorizedKeysAttrs = [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish";
};
};
systemd.paths.pvv-nettsiden-gallery-update = {

35
hosts/bekkalokk/services/well-known/default.nix
View File

@@ -1,18 +1,25 @@
{ ... }:
{ lib, ... }:
{
services.nginx.virtualHosts."www.pvv.ntnu.no".locations = {
"^~ /.well-known/" = {
alias = (toString ./root) + "/";
};
services.nginx.virtualHosts = lib.genAttrs [
"pvv.ntnu.no"
"www.pvv.ntnu.no"
"pvv.org"
"www.pvv.org"
] (_: {
locations = {
"^~ /.well-known/" = {
alias = (toString ./root) + "/";
};
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"^~ /.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"^~ /.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
};
};
});
}

6
hosts/bekkalokk/services/well-known/root/security.txt
View File

@@ -6,7 +6,11 @@ Contact: mailto:cert@pvv.ntnu.no
Preferred-Languages: no, en
Expires: 2032-12-31T23:59:59.000Z
# This file was last updated 2024-09-14.
# This file was last updated 2026-02-27.
# You can find a wikipage for our security policies at:
# https://wiki.pvv.ntnu.no/wiki/CERT
# Please note that we are a student organization, and unfortunately we do not
# have a bug bounty program or offer monetary compensation for disclosure of
# security vulnerabilities.

26
hosts/bicep/configuration.nix
View File

@@ -4,11 +4,10 @@
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/nginx
./services/calendar-bot.nix
./services/git-mirrors
#./services/git-mirrors
./services/minecraft-heatmap.nix
./services/mysql.nix
./services/postgres.nix
@@ -16,18 +15,10 @@
./services/matrix
];
sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/disk/by-id/scsi-3600508b1001cb1a8751c137b30610682";
networking.hostName = "bicep";
systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp6s0f0";
#systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
#matchConfig.Name = "enp6s0f0";
matchConfig.Name = "ens18";
address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
};
@@ -35,10 +26,9 @@
anyInterface = true;
};
# There are no smart devices
services.smartd.enable = false;
services.qemuGuest.enable = true;
# Do not change, even during upgrades.
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11";
system.stateVersion = "25.11";
}

27
hosts/bicep/hardware-configuration.nix
View File

@@ -1,26 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "hpsa" "ohci_pci" "usbhid" "sd_mod" ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ahci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/31a67903-dc00-448a-a24a-36e820318fe5";
{ device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a";
fsType = "ext4";
};
# temp data disk, only 128gb not enough until we can add another disk to the system.
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/79e93eed-ad95-45c9-b115-4ef92afcc8c0";
fsType = "f2fs";
{ device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/198B-E363";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
@@ -30,11 +37,7 @@
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f2.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f3.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

1
hosts/bicep/services/git-mirrors/default.nix
View File

@@ -66,6 +66,7 @@ in
package = pkgs.callPackage (fp /packages/cgit.nix) { };
group = "gickup";
scanPath = "${cfg.dataDir}/linktree";
gitHttpBackend.checkExportOkFiles = false;
settings = {
enable-commit-graph = true;
enable-follow-links = true;

20
hosts/bicep/services/matrix/coturn.nix
View File

@@ -1,22 +1,26 @@
{ config, lib, fp, pkgs, secrets, values, ... }:
{
sops.secrets."matrix/synapse/turnconfig" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "synapse/turnconfig";
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
};
sops.secrets."matrix/coturn/static-auth-secret" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "coturn/static-auth-secret";
owner = config.users.users.turnserver.name;
group = config.users.users.turnserver.group;
restartUnits = [ "coturn.service" ];
};
sops.templates."matrix-synapse-turnconfig" = {
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
content = ''
turn_shared_secret: ${config.sops.placeholder."matrix/coturn/static-auth-secret"}
'';
restartUnits = [ "matrix-synapse.target" ];
};
services.matrix-synapse-next = {
extraConfigFiles = [
config.sops.secrets."matrix/synapse/turnconfig".path
config.sops.templates."matrix-synapse-turnconfig".path
];
settings = {
@@ -42,7 +46,7 @@
security.acme.certs.${config.services.coturn.realm} = {
email = "drift@pvv.ntnu.no";
listenHTTP = "129.241.210.213:80";
listenHTTP = "${values.services.turn.ipv4}:80";
reloadServices = [ "coturn.service" ];
};

7
hosts/bicep/services/matrix/default.nix
View File

@@ -1,19 +1,16 @@
{ config, ... }:
{
imports = [
./synapse.nix
./synapse-admin.nix
./element.nix
./coturn.nix
./livekit.nix
./mjolnir.nix
./well-known.nix
# ./discord.nix
./out-of-your-element.nix
./hookshot
];
}

16
hosts/bicep/services/matrix/element.nix
View File

@@ -2,6 +2,13 @@
let
synapse-cfg = config.services.matrix-synapse-next;
in {
services.pvv-matrix-well-known.client = {
"m.homeserver" = {
base_url = "https://matrix.pvv.ntnu.no";
server_name = "pvv.ntnu.no";
};
};
services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
@@ -9,10 +16,10 @@ in {
root = pkgs.element-web.override {
conf = {
default_server_config."m.homeserver" = {
base_url = "https://matrix.pvv.ntnu.no";
server_name = "pvv.ntnu.no";
};
# Tries to look up well-known first, else uses bundled config.
default_server_name = "matrix.pvv.ntnu.no";
default_server_config = config.services.pvv-matrix-well-known.client;
disable_3pid_login = true;
# integrations_ui_url = "https://dimension.dodsorf.as/riot";
# integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
@@ -30,6 +37,7 @@ in {
# element call group calls
feature_group_calls = true;
};
default_country_code = "NO";
default_theme = "dark";
# Servers in this list should provide some sort of valuable scoping
# matrix.org is not useful compared to matrixrooms.info,

20
hosts/bicep/services/matrix/hookshot/default.nix
View File

@@ -14,10 +14,15 @@ in
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/hs_token";
};
sops.secrets."matrix/hookshot/passkey" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/passkey";
};
sops.templates."hookshot-registration.yaml" = {
owner = config.users.users.matrix-synapse.name;
group = config.users.groups.keys-matrix-registrations.name;
restartUnits = [ "matrix-hookshot.service" ];
content = ''
id: matrix-hookshot
as_token: "${config.sops.placeholder."matrix/hookshot/as_token"}"
@@ -43,9 +48,14 @@ in
};
systemd.services.matrix-hookshot = {
serviceConfig.SupplementaryGroups = [
config.users.groups.keys-matrix-registrations.name
];
serviceConfig = {
SupplementaryGroups = [
config.users.groups.keys-matrix-registrations.name
];
LoadCredential = [
"passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
];
};
};
services.matrix-hookshot = {
@@ -53,6 +63,8 @@ in
package = unstablePkgs.matrix-hookshot;
registrationFile = config.sops.templates."hookshot-registration.yaml".path;
settings = {
passFile = "/run/credentials/matrix-hookshot.service/passkey.pem";
bridge = {
bindAddress = "127.0.0.1";
domain = "pvv.ntnu.no";
@@ -60,6 +72,7 @@ in
mediaUrl = "https://matrix.pvv.ntnu.no";
port = 9993;
};
listeners = [
{
bindAddress = webhookListenAddress;
@@ -72,6 +85,7 @@ in
];
}
];
generic = {
enabled = true;
outbound = true;

67
hosts/bicep/services/matrix/livekit.nix Normal file
View File

@@ -0,0 +1,67 @@
{ config, lib, fp, ... }:
let
synapseConfig = config.services.matrix-synapse-next;
matrixDomain = "matrix.pvv.ntnu.no";
cfg = config.services.livekit;
in
{
sops.secrets."matrix/livekit/keyfile/lk-jwt-service" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "livekit/keyfile/lk-jwt-service";
};
sops.templates."matrix-livekit-keyfile" = {
restartUnits = [
"livekit.service"
"lk-jwt-service.service"
];
content = ''
lk-jwt-service: ${config.sops.placeholder."matrix/livekit/keyfile/lk-jwt-service"}
'';
};
services.pvv-matrix-well-known.client = lib.mkIf cfg.enable {
"org.matrix.msc4143.rtc_foci" = [{
type = "livekit";
livekit_service_url = "https://${matrixDomain}/livekit/jwt";
}];
};
services.livekit = {
enable = true;
openFirewall = true;
keyFile = config.sops.templates."matrix-livekit-keyfile".path;
# NOTE: needed for ingress/egress workers
# redis.createLocally = true;
# settings.room.auto_create = false;
};
services.lk-jwt-service = lib.mkIf cfg.enable {
enable = true;
livekitUrl = "wss://${matrixDomain}/livekit/sfu";
keyFile = config.sops.templates."matrix-livekit-keyfile".path;
};
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable matrixDomain;
services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
locations."^~ /livekit/jwt/" = {
proxyPass = "http://localhost:${toString config.services.lk-jwt-service.port}/";
};
# TODO: load balance to multiple livekit ingress/egress workers
locations."^~ /livekit/sfu/" = {
proxyPass = "http://localhost:${toString config.services.livekit.settings.port}/";
proxyWebsockets = true;
extraConfig = ''
proxy_send_timeout 120;
proxy_read_timeout 120;
proxy_buffering off;
proxy_set_header Accept-Encoding gzip;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
};
}

1
hosts/bicep/services/matrix/mjolnir.nix
View File

@@ -6,6 +6,7 @@
key = "mjolnir/access_token";
owner = config.users.users.mjolnir.name;
group = config.users.users.mjolnir.group;
restartUnits = [ "mjolnir.service" ];
};
services.mjolnir = {

4
hosts/bicep/services/matrix/out-of-your-element.nix
View File

@@ -9,18 +9,22 @@ in
"matrix/ooye/as_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/as_token";
restartUnits = [ "matrix-ooye.service" ];
};
"matrix/ooye/hs_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/hs_token";
restartUnits = [ "matrix-ooye.service" ];
};
"matrix/ooye/discord_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/discord_token";
restartUnits = [ "matrix-ooye.service" ];
};
"matrix/ooye/discord_client_secret" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/discord_client_secret";
restartUnits = [ "matrix-ooye.service" ];
};
};

5
hosts/bicep/services/matrix/smtp-authenticator/default.nix
View File

@@ -1,4 +1,4 @@
{ lib, buildPythonPackage, fetchFromGitHub }:
{ lib, buildPythonPackage, fetchFromGitHub, setuptools }:
buildPythonPackage rec {
pname = "matrix-synapse-smtp-auth";
@@ -6,6 +6,9 @@ buildPythonPackage rec {
src = ./.;
pyproject = true;
build-system = [ setuptools ];
doCheck = false;
meta = with lib; {

72
hosts/bicep/services/matrix/synapse.nix
View File

@@ -15,11 +15,34 @@ in {
group = config.users.users.matrix-synapse.group;
};
sops.secrets."matrix/synapse/user_registration" = {
sops.secrets."matrix/synapse/user_registration/registration_shared_secret" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "synapse/signing_key";
key = "synapse/user_registration/registration_shared_secret";
};
sops.templates."matrix-synapse-user-registration" = {
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
content = ''
registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
'';
};
services.rsync-pull-targets = {
enable = true;
locations.${cfg.settings.media_store_path} = {
user = config.services.root;
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
# TODO: create new key on principal
enable = false;
publicKey = "";
};
};
services.matrix-synapse-next = {
@@ -83,7 +106,7 @@ in {
mau_stats_only = true;
enable_registration = false;
registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;
registration_shared_secret_path = config.sops.templates."matrix-synapse-user-registration".path;
password_config.enabled = true;
@@ -95,6 +118,32 @@ in {
}
];
experimental_features = {
# MSC3266: Room summary API. Used for knocking over federation
msc3266_enabled = true;
# MSC4222 needed for syncv2 state_after. This allow clients to
# correctly track the state of the room.
msc4222_enabled = true;
};
# The maximum allowed duration by which sent events can be delayed, as
# per MSC4140.
max_event_delay_duration = "24h";
rc_message = {
# This needs to match at least e2ee key sharing frequency plus a bit of headroom
# Note key sharing events are bursty
per_second = 0.5;
burst_count = 30;
};
rc_delayed_event_mgmt = {
# This needs to match at least the heart-beat frequency plus a bit of headroom
# Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s
per_second = 1;
burst_count = 20;
};
trusted_key_servers = [
{ server_name = "matrix.org"; }
{ server_name = "dodsorf.as"; }
@@ -124,29 +173,20 @@ in {
"fec0::/10"
# NTNU
"129.241.0.0/16"
"2001:700:300::/44"
values.ntnu.ipv4-space
values.ntnu.ipv6-space
];
};
};
services.redis.servers."".enable = true;
services.pvv-matrix-well-known.server."m.server" = "matrix.pvv.ntnu.no:443";
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
{
kTLS = true;
}
{
locations."/.well-known/matrix/server" = {
return = ''
200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
'';
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
};
}
{
locations."/_synapse/admin" = {
proxyPass = "http://$synapse_backend";

44
hosts/bicep/services/matrix/well-known.nix Normal file
View File

@@ -0,0 +1,44 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.pvv-matrix-well-known;
format = pkgs.formats.json { };
matrixDomain = "matrix.pvv.ntnu.no";
in
{
options.services.pvv-matrix-well-known = {
client = lib.mkOption {
type = lib.types.submodule { freeformType = format.type; };
default = { };
example = {
"m.homeserver".base_url = "https://${matrixDomain}/";
};
};
server = lib.mkOption {
type = lib.types.submodule { freeformType = format.type; };
default = { };
example = {
"m.server" = "https://${matrixDomain}/";
};
};
};
config = {
services.nginx.virtualHosts.${matrixDomain} = {
locations."= /.well-known/matrix/client" = lib.mkIf (cfg.client != { }) {
alias = format.generate "nginx-well-known-matrix-server.json" cfg.client;
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
};
locations."= /.well-known/matrix/server" = lib.mkIf (cfg.server != { }) {
alias = format.generate "nginx-well-known-matrix-server.json" cfg.server;
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
};
};
};
}

37
hosts/bicep/services/mysql.nix
View File

@@ -1,4 +1,8 @@
{ pkgs, lib, config, values, ... }:
{ config, pkgs, lib, values, ... }:
let
cfg = config.services.mysql;
dataDir = "/data/mysql";
in
{
sops.secrets."mysql/password" = {
owner = "mysql";
@@ -9,7 +13,6 @@
services.mysql = {
enable = true;
dataDir = "/data/mysql";
package = pkgs.mariadb;
settings = {
mysqld = {
@@ -36,18 +39,34 @@
}];
};
services.mysqlBackup = {
services.mysqlBackup = lib.mkIf cfg.enable {
enable = true;
location = "/var/lib/mysql/backups";
};
networking.firewall.allowedTCPPorts = [ 3306 ];
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
systemd.services.mysql.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
values.ipv4-space
values.ipv6-space
systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
inherit (cfg) user group;
mode = "0700";
};
systemd.services.mysql = lib.mkIf cfg.enable {
after = [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
];
serviceConfig = {
BindPaths = [ "${dataDir}:${cfg.dataDir}" ];
IPAddressDeny = "any";
IPAddressAllow = [
values.ipv4-space
values.ipv6-space
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
};
}

47
hosts/bicep/services/postgres.nix
View File

@@ -1,15 +1,15 @@
{ config, pkgs, ... }:
{ config, pkgs, values, ... }:
{
services.postgresql = {
enable = true;
package = pkgs.postgresql_15;
enableTCPIP = true;
dataDir = "/data/postgresql";
authentication = ''
host all all 129.241.210.128/25 md5
host all all 2001:700:300:1900::/64 md5
host all all ${values.ipv4-space} md5
host all all ${values.ipv6-space} md5
host all all ${values.hosts.ildkule.ipv4}/32 md5
host all all ${values.hosts.ildkule.ipv6}/32 md5
'';
# Hilsen https://pgconfigurator.cybertec-postgresql.com/
@@ -74,11 +74,40 @@
};
};
systemd.services.postgresql.serviceConfig = {
LoadCredential = [
"cert:/etc/certs/postgres.crt"
"key:/etc/certs/postgres.key"
systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
user = config.systemd.services.postgresql.serviceConfig.User;
group = config.systemd.services.postgresql.serviceConfig.Group;
mode = "0700";
};
systemd.services.postgresql-setup = {
after = [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
];
serviceConfig = {
LoadCredential = [
"cert:/etc/certs/postgres.crt"
"key:/etc/certs/postgres.key"
];
BindPaths = [ "/data/postgresql:/var/lib/postgresql" ];
};
};
systemd.services.postgresql = {
after = [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
];
serviceConfig = {
LoadCredential = [
"cert:/etc/certs/postgres.crt"
"key:/etc/certs/postgres.key"
];
BindPaths = [ "/data/postgresql:/var/lib/postgresql" ];
};
};
environment.snakeoil-certs."/etc/certs/postgres" = {

9
hosts/bikkje/configuration.nix
View File

@@ -1,6 +1,6 @@
{ config, pkgs, values, ... }:
{
networking.nat = {
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "ens3";
@@ -25,6 +25,7 @@
];
networking = {
hostName = "bikkje";
firewall = {
enable = true;
# Allow SSH and HTTP and ports for email and irc
@@ -36,9 +37,11 @@
useHostResolvConf = mkForce false;
};
system.stateVersion = "23.11";
services.resolved.enable = true;
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "23.11";
};
};
};

23
hosts/brzeczyszczykiewicz/configuration.nix
View File

@@ -4,33 +4,18 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/grzegorz.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "brzeczyszczykiewicz";
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
matchConfig.Name = "eno1";
address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
fonts.fontconfig.enable = true;
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11";
}

2
hosts/brzeczyszczykiewicz/hardware-configuration.nix
View File

@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:

28
hosts/georg/configuration.nix
View File

@@ -4,29 +4,15 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
(fp /modules/grzegorz.nix)
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "georg";
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
matchConfig.Name = "eno1";
address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
services.spotifyd = {
enable = true;
settings.global = {
@@ -42,15 +28,9 @@
5353 # spotifyd is its own mDNS service wtf
];
fonts.fontconfig.enable = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11";
}

2
hosts/georg/hardware-configuration.nix
View File

@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:

60
hosts/gluttony/configuration.nix Normal file
View File

@@ -0,0 +1,60 @@
{
fp,
lib,
values,
...
}:
{
imports = [
./hardware-configuration.nix
(fp /base)
];
systemd.network.enable = lib.mkForce false;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
boot.loader = {
systemd-boot.enable = false; # no uefi support on this device
grub.device = "/dev/sda";
grub.enable = true;
};
boot.tmp.cleanOnBoot = true;
networking =
let
hostConf = values.hosts.gluttony;
in
{
tempAddresses = "disabled";
useDHCP = false;
search = values.defaultNetworkConfig.domains;
nameservers = values.defaultNetworkConfig.dns;
defaultGateway.address = hostConf.ipv4_internal_gw;
interfaces."ens3" = {
ipv4.addresses = [
{
address = hostConf.ipv4;
prefixLength = 32;
}
{
address = hostConf.ipv4_internal;
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = hostConf.ipv6;
prefixLength = 64;
}
];
};
};
services.qemuGuest.enable = true;
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11";
}

50
hosts/gluttony/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,50 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/mapper/pool-root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/D00A-B488";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
};
swapDevices = [
{
device = "/var/lib/swapfile";
size = 8 * 1024;
}
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

21
hosts/ildkule/configuration.nix
View File

@@ -4,17 +4,13 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/monitoring
./services/nginx
./services/journald-remote.nix
];
sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = false;
boot.loader.grub.device = "/dev/vda";
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
@@ -24,7 +20,6 @@
networking = let
hostConf = values.hosts.ildkule;
in {
hostName = "ildkule";
tempAddresses = "disabled";
useDHCP = lib.mkForce true;
@@ -43,13 +38,9 @@
};
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# No devices with SMART
services.smartd.enable = false;
system.stateVersion = "23.11"; # Did you read the comment?
services.qemuGuest.enable = true;
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "23.11";
}

58
hosts/ildkule/services/journald-remote.nix Normal file
View File

@@ -0,0 +1,58 @@
{ config, lib, values, ... }:
let
cfg = config.services.journald.remote;
domainName = "journald.pvv.ntnu.no";
in
{
security.acme.certs.${domainName} = {
webroot = "/var/lib/acme/acme-challenge/";
group = config.services.nginx.group;
};
services.nginx = {
enable = true;
virtualHosts.${domainName} = {
forceSSL = true;
useACMEHost = "${domainName}";
locations."/.well-known/".root = "/var/lib/acme/acme-challenge/";
};
};
services.journald.upload.enable = lib.mkForce false;
services.journald.remote = {
enable = true;
settings.Remote = let
inherit (config.security.acme.certs.${domainName}) directory;
in {
ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
TrustedCertificateFile = "-";
};
};
systemd.sockets."systemd-journal-remote" = {
socketConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.ipv4-space
values.ipv6-space
];
};
};
networking.firewall.allowedTCPPorts = [ cfg.port ];
systemd.services."systemd-journal-remote" = {
serviceConfig = {
LoadCredential = let
inherit (config.security.acme.certs.${domainName}) directory;
in [
"key.pem:${directory}/key.pem"
"cert.pem:${directory}/cert.pem"
];
};
};
}

2
hosts/ildkule/services/monitoring/dashboards/mysql.json
View File

@@ -1899,7 +1899,7 @@
"dashes": false,
"datasource": "$datasource",
"decimals": 0,
"description": "***System Memory***: Total Memory for the system.\\\n***InnoDB Buffer Pool Data***: InnoDB maintains a storage area called the buffer pool for caching data and indexes in memory.\\\n***TokuDB Cache Size***: Similar in function to the InnoDB Buffer Pool, TokuDB will allocate 50% of the installed RAM for its own cache.\\\n***Key Buffer Size***: Index blocks for MYISAM tables are buffered and are shared by all threads. key_buffer_size is the size of the buffer used for index blocks.\\\n***Adaptive Hash Index Size***: When InnoDB notices that some index values are being accessed very frequently, it builds a hash index for them in memory on top of B-Tree indexes.\\\n ***Query Cache Size***: The query cache stores the text of a SELECT statement together with the corresponding result that was sent to the client. The query cache has huge scalability problems in that only one thread can do an operation in the query cache at the same time.\\\n***InnoDB Dictionary Size***: The data dictionary is InnoDB s internal catalog of tables. InnoDB stores the data dictionary on disk, and loads entries into memory while the server is running.\\\n***InnoDB Log Buffer Size***: The MySQL InnoDB log buffer allows transactions to run without having to write the log to disk before the transactions commit.",
"description": "***System Memory***: Total Memory for the system.\\\n***InnoDB Buffer Pool Data***: InnoDB maintains a storage area called the buffer pool for caching data and indexes in memory.\\\n***TokuDB Cache Size***: Similar in function to the InnoDB Buffer Pool, TokuDB will allocate 50% of the installed RAM for its own cache.\\\n***Key Buffer Size***: Index blocks for MYISAM tables are buffered and are shared by all threads. key_buffer_size is the size of the buffer used for index blocks.\\\n***Adaptive Hash Index Size***: When InnoDB notices that some index values are being accessed very frequently, it builds a hash index for them in memory on top of B-Tree indexes.\\\n ***Query Cache Size***: The query cache stores the text of a SELECT statement together with the corresponding result that was sent to the client. The query cache has huge scalability problems in that only one thread can do an operation in the query cache at the same time.\\\n***InnoDB Dictionary Size***: The data dictionary is InnoDB 's internal catalog of tables. InnoDB stores the data dictionary on disk, and loads entries into memory while the server is running.\\\n***InnoDB Log Buffer Size***: The MySQL InnoDB log buffer allows transactions to run without having to write the log to disk before the transactions commit.",
"editable": true,
"error": false,
"fieldConfig": {

11
hosts/ildkule/services/monitoring/prometheus/machines.nix
View File

@@ -19,15 +19,18 @@ in {
(mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "gluttony" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
# (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
(mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "skrott" [ defaultNodeExporterPort defaultSystemdExporterPort ])
(mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])

2
hosts/ildkule/services/monitoring/prometheus/mysqld.nix
View File

@@ -10,7 +10,7 @@ in {
inherit (config.sops) placeholder;
in ''
[client]
host = bicep.pvv.ntnu.no
host = mysql.pvv.ntnu.no
port = 3306
user = prometheus_mysqld_exporter
password = ${placeholder."config/mysqld_exporter_password"}

17
hosts/kommode/configuration.nix
View File

@@ -4,22 +4,12 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./disks.nix
./services/gitea
./services/nginx.nix
];
sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "kommode"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -27,8 +17,9 @@
services.btrfs.autoScrub.enable = true;
environment.systemPackages = with pkgs; [];
services.qemuGuest.enable = true;
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "24.11";
}

80
hosts/kommode/disks.nix Normal file
View File

@@ -0,0 +1,80 @@
{ lib, ... }:
{
disko.devices = {
disk = {
sda = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
root = {
name = "root";
label = "root";
start = "1MiB";
end = "-5G";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
# subvolumes = let
# makeSnapshottable = subvolPath: mountOptions: let
# name = lib.replaceString "/" "-" subvolPath;
# in {
# "@${name}/active" = {
# mountPoint = subvolPath;
# inherit mountOptions;
# };
# "@${name}/snapshots" = {
# mountPoint = "${subvolPath}/.snapshots";
# inherit mountOptions;
# };
# };
# in {
# "@" = { };
# "@/swap" = {
# mountpoint = "/.swapvol";
# swap.swapfile.size = "4G";
# };
# "@/root" = {
# mountpoint = "/";
# mountOptions = [ "compress=zstd" "noatime" ];
# };
# }
# // (makeSnapshottable "/home" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/nix" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/var/lib" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/var/log" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/var/cache" [ "compress=zstd" "noatime" ]);
# swap.swapfile.size = "4G";
mountpoint = "/";
};
};
swap = {
name = "swap";
label = "swap";
start = "-5G";
end = "-1G";
content.type = "swap";
};
ESP = {
name = "ESP";
label = "ESP";
start = "-1G";
end = "100%";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
};
};
};
};
};
}

17
hosts/kommode/hardware-configuration.nix
View File

@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
@@ -13,21 +13,6 @@
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/86CD-4C23";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction

10
hosts/kommode/services/gitea/customization/default.nix
View File

@@ -24,10 +24,15 @@ in
script = let
logo-svg = fp /assets/logo_blue_regular.svg;
logo-png = fp /assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
<a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
'';
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
@@ -42,13 +47,14 @@ in
} ''
# Bigger icons
install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
sed -i -e 's/24/48/g' "$out/repo/icon.tmpl"
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
'';
in ''
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/

6
hosts/kommode/services/gitea/customization/labels/projects.json
View File

@@ -35,6 +35,12 @@
"color": "#ed1111",
"description": "Report an oopsie"
},
{
"name": "developer experience",
"exclusive": false,
"color": "#eb6420",
"description": "Think about the developers"
},
{
"name": "disputed",
"exclusive": false,

10
hosts/kommode/services/gitea/default.nix
View File

@@ -8,7 +8,6 @@ in {
./customization
./gpg.nix
./import-users
./vaskepersonalet.nix
./web-secret-provider
];
@@ -16,6 +15,7 @@ in {
defaultConfig = {
owner = "gitea";
group = "gitea";
restartUnits = [ "gitea.service" ];
};
in {
"gitea/database" = defaultConfig;
@@ -122,6 +122,10 @@ in {
picture = {
DISABLE_GRAVATAR = true;
ENABLE_FEDERATED_AVATAR = false;
AVATAR_MAX_FILE_SIZE = 1024 * 1024 * 5;
# NOTE: go any bigger than this, and gitea will freeze your gif >:(
AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
};
actions.ENABLED = true;
ui = {
@@ -160,10 +164,6 @@ in {
environment.systemPackages = [ cfg.package ];
systemd.services.gitea.serviceConfig.Type = lib.mkForce "notify";
systemd.services.gitea.serviceConfig.WatchdogSec = "60";
systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch";
systemd.services.gitea.serviceConfig.CacheDirectory = "gitea/repo-archive";

25
hosts/kommode/services/gitea/gpg.nix
View File

@@ -4,9 +4,23 @@ let
GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
in
{
sops.secrets."gitea/gpg-signing-key" = {
owner = cfg.user;
inherit (cfg) group;
sops.secrets = {
"gitea/gpg-signing-key-public" = {
owner = cfg.user;
inherit (cfg) group;
restartUnits = [
"gitea.service"
"gitea-ensure-gnupg-homedir.service"
];
};
"gitea/gpg-signing-key-private" = {
owner = cfg.user;
inherit (cfg) group;
restartUnits = [
"gitea.service"
"gitea-ensure-gnupg-homedir.service"
];
};
};
systemd.services.gitea.environment = { inherit GNUPGHOME; };
@@ -18,6 +32,7 @@ in
systemd.services.gitea-ensure-gnupg-homedir = {
description = "Import gpg key for gitea";
before = [ "gitea.service" ];
environment = { inherit GNUPGHOME; };
serviceConfig = {
Type = "oneshot";
@@ -25,7 +40,8 @@ in
PrivateNetwork = true;
};
script = ''
${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key".path}
${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-public".path}
${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-private".path}
'';
};
@@ -34,5 +50,6 @@ in
SIGNING_NAME = "PVV Git";
SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
INITIAL_COMMIT = "always";
WIKI = "always";
};
}

59
hosts/kommode/services/gitea/vaskepersonalet.nix
View File

@@ -1,59 +0,0 @@
{ config, ... }:
let
cfg = config.services.gitea;
cacheDir = "/var/cache/${config.systemd.services.gitea.serviceConfig.CacheDirectory}";
in
{
systemd.services."gitea-vaskepersonalet" = {
description = "yeeet";
startAt = "hourly";
serviceConfig = rec {
User = cfg.user;
Group = cfg.group;
RuntimeDirectory = "gitea-vaskepersonalet";
RootDirectory = "/run/${RuntimeDirectory}";
BindPaths = [
builtins.storeDir
cacheDir
cfg.dump.backupDir
];
};
script = let
percentageLimit = 80;
in ''
USED=$(df --output=pcent '${cacheDir}' | grep '[0-9]' | tr -d '%')
if [[ $USED -lt ${toString percentageLimit} ]]; then exit 0; fi
echo "omg omg, we're running out of space, imma yeet the cache"
rm -rf '${cacheDir}'/*
echo "yeetus deletus"
USED=$(df --output=pcent '${cacheDir}' | grep '[0-9]' | tr -d '%')
if [[ $USED -lt ${toString percentageLimit} ]]; then exit 0; fi
echo ""
echo "bruh, still low on space, yeeting old backups"
echo ""
# tail -n+2 ensure we keep at least one backup.
for file in $(ls -t1 '${cfg.dump.backupDir}' | sort --reverse | tail -n+2); do
echo "> Chose $file"
echo "> Do you really want to release this pokemon? [Y/n] Y"
rm "$file"
echo "> ..."
echo "> The pokemon was released back into the wild"
echo ""
USED=$(df --output=pcent '${cacheDir}' | grep '[0-9]' | tr -d '%')
if [[ $USED -lt ${toString percentageLimit} ]]; then exit 0; fi
done
echo "No way, we're still out of space? Not my problem anymore"
'';
};
}

9
hosts/lupine/configuration.nix
View File

@@ -4,18 +4,11 @@
./hardware-configuration/${lupineName}.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/gitea-runner.nix
];
sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
matchConfig.Name = "enp0s31f6";
@@ -29,7 +22,7 @@
# There are no smart devices
services.smartd.enable = false;
# Do not change, even during upgrades.
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.05";
}

2
hosts/lupine/hardware-configuration/lupine-1.nix
View File

@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:

2
hosts/lupine/hardware-configuration/lupine-2.nix
View File

@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:

2
hosts/lupine/hardware-configuration/lupine-3.nix
View File

@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:

2
hosts/lupine/hardware-configuration/lupine-4.nix
View File

@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:

2
hosts/lupine/hardware-configuration/lupine-5.nix
View File

@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:

30
hosts/lupine/services/gitea-runner.nix
View File

@@ -25,9 +25,35 @@
enable = true;
name = "git-runner-${lupineName}";
url = "https://git.pvv.ntnu.no";
# NOTE: gitea actions runners need node inside their docker images,
# so we are a bit limited here.
labels = [
"debian-latest:docker://node:current-bookworm"
"ubuntu-latest:docker://node:current-bookworm"
"debian-latest:docker://node:current-trixie"
"debian-trixie:docker://node:current-trixie"
"debian-bookworm:docker://node:current-bookworm"
"debian-bullseye:docker://node:current-bullseye"
"debian-latest-slim:docker://node:current-trixie-slim"
"debian-trixie-slim:docker://node:current-trixie-slim"
"debian-bookworm-slim:docker://node:current-bookworm-slim"
"debian-bullseye-slim:docker://node:current-bullseye-slim"
"alpine-latest:docker://node:current-alpine"
"alpine-3.22:docker://node:current-alpine3.22"
"alpine-3.21:docker://node:current-alpine3.21"
# See https://gitea.com/gitea/runner-images
"ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
"ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04"
"ubuntu-noble:docker://docker.gitea.com/runner-images:ubuntu-24.04"
"ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
"ubuntu-jammy:docker://docker.gitea.com/runner-images:ubuntu-22.04"
"ubuntu-latest-slim:docker://docker.gitea.com/runner-images:ubuntu-latest-slim"
"ubuntu-24.04-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
"ubuntu-noble-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
"ubuntu-22.04-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim"
"ubuntu-jammy-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim"
];
tokenFile = config.sops.templates."gitea-runner-envfile".path;
};

28
hosts/shark/configuration.nix
View File

@@ -4,36 +4,16 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
];
sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "shark"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
services.qemuGuest.enable = true;
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11";
}

2
hosts/shark/hardware-configuration.nix
View File

@@ -1,4 +1,4 @@
# Do not modify this file! It was generated by nixos-generate-config
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:

112
hosts/skrott/configuration.nix Normal file
View File

@@ -0,0 +1,112 @@
{ config, pkgs, lib, modulesPath, fp, values, ... }: {
imports = [
(modulesPath + "/profiles/perlless.nix")
(fp /base)
];
# Disable import of a bunch of tools we don't need from nixpkgs.
disabledModules = [ "profiles/base.nix" ];
sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
boot = {
consoleLogLevel = 0;
enableContainers = false;
loader.grub.enable = false;
loader.systemd-boot.enable = false;
kernelPackages = pkgs.linuxPackages;
};
hardware = {
enableAllHardware = lib.mkForce false;
firmware = [ pkgs.raspberrypiWirelessFirmware ];
};
# Now turn off a bunch of stuff lol
# TODO: can we reduce further?
# See also https://nixcademy.com/posts/minimizing-nixos-images/
system.autoUpgrade.enable = lib.mkForce false;
services.irqbalance.enable = lib.mkForce false;
services.logrotate.enable = lib.mkForce false;
services.nginx.enable = lib.mkForce false;
services.postfix.enable = lib.mkForce false;
services.smartd.enable = lib.mkForce false;
services.udisks2.enable = lib.mkForce false;
services.thermald.enable = lib.mkForce false;
services.promtail.enable = lib.mkForce false;
# There aren't really that many firmware updates for rbpi3 anyway
services.fwupd.enable = lib.mkForce false;
documentation.enable = lib.mkForce false;
environment.enableAllTerminfo = lib.mkForce false;
programs.neovim.enable = lib.mkForce false;
programs.zsh.enable = lib.mkForce false;
programs.git.package = pkgs.gitMinimal;
nix.registry = lib.mkForce { };
nix.nixPath = lib.mkForce [ ];
sops.secrets = {
"dibbler/postgresql/password" = {
owner = "dibbler";
group = "dibbler";
};
};
# zramSwap.enable = true;
networking = {
hostName = "skrot";
defaultGateway = values.hosts.gateway;
defaultGateway6 = values.hosts.gateway6;
interfaces.eth0 = {
useDHCP = false;
ipv4.addresses = [{
address = values.hosts.skrott.ipv4;
prefixLength = 25;
}];
ipv6.addresses = [{
address = values.hosts.skrott.ipv6;
prefixLength = 25;
}];
};
};
services.dibbler = {
enable = true;
kioskMode = true;
limitScreenWidth = 80;
limitScreenHeight = 42;
settings = {
general.quit_allowed = false;
database = {
type = "postgresql";
postgresql = {
username = "pvv_vv";
dbname = "pvv_vv";
host = "postgres.pvv.ntnu.no";
password_file = config.sops.secrets."dibbler/postgresql/password".path;
};
};
};
};
# https://github.com/NixOS/nixpkgs/issues/84105
boot.kernelParams = lib.mkIf (!config.virtualisation.isVmVariant) [
"console=ttyUSB0,9600"
# "console=tty1" # Already part of the module
];
systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
enable = true;
wantedBy = [ "getty.target" ]; # to start at boot
serviceConfig.Restart = "always"; # restart when session is closed
};
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11";
}

24
hosts/temmie/configuration.nix Normal file
View File

@@ -0,0 +1,24 @@
{ config, fp, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
./services/nfs-mounts.nix
./services/userweb.nix
];
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
services.nginx.enable = false;
services.qemuGuest.enable = true;
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11";
}

30
hosts/temmie/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,30 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/c3aed415-0054-4ac5-8d29-75a99cc26451";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A367-83FD";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

60
hosts/temmie/services/nfs-mounts.nix Normal file
View File

@@ -0,0 +1,60 @@
{ lib, values, ... }:
let
# See microbel:/etc/exports
letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
in
{
systemd.targets."pvv-homedirs" = {
description = "PVV Homedir Partitions";
};
systemd.mounts = map (l: {
description = "PVV Homedir Partition ${l}";
before = [ "remote-fs.target" ];
wantedBy = [ "multi-user.target" ];
requiredBy = [ "pvv-homedirs.target" ];
type = "nfs";
what = "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}";
where = "/run/pvv-home-mounts/${l}";
options = lib.concatStringsSep "," [
"nfsvers=3"
# NOTE: this is a bit unfortunate. The address above seems to resolve to IPv6 sometimes,
# and it doesn't seem possible to specify proto=tcp,tcp6, meaning we have to tell
# NFS which exact address to use here, despite it being specified in the `what` attr :\
"proto=tcp"
"addr=${values.hosts.microbel.ipv4}"
"mountproto=tcp"
"mounthost=${values.hosts.microbel.ipv4}"
"port=2049"
# NOTE: this is yet more unfortunate. When enabling locking, it will sometimes complain about connection failed.
# dmesg(1) reveals that it has something to do with registering the lockdv1 RPC service (errno: 111), not
# quite sure how to fix it. Living life on dangerous mode for now.
"nolock"
# Don't wait on every read/write
"async"
# Always keep mounted
"noauto"
# We don't want to update access time constantly
"noatime"
# No SUID/SGID, no special devices
"nosuid"
"nodev"
# TODO: are there cgi scripts that modify stuff in peoples homedirs?
# "ro"
"rw"
# TODO: can we enable this and still run cgi stuff?
# "noexec"
];
}) letters;
}

29
hosts/temmie/services/userweb.nix Normal file
View File

@@ -0,0 +1,29 @@
{ ... }:
{
services.httpd = {
enable = true;
# extraModules = [];
# virtualHosts."userweb.pvv.ntnu.no" = {
virtualHosts."temmie.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
};
};
systemd.services.httpd = {
after = [ "pvv-homedirs.target" ];
requires = [ "pvv-homedirs.target" ];
serviceConfig = {
ProtectHome = "tmpfs";
BindPaths = let
letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
in map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") letters;
};
};
# TODO: create phpfpm pools with php environments that contain packages similar to those present on tom
}

10
hosts/ustetind/configuration.nix
View File

@@ -3,17 +3,11 @@
{
imports = [
(fp /base)
(fp /misc/metrics-exporters.nix)
./services/gitea-runners.nix
];
sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
networking.hostName = "ustetind";
boot.loader.systemd-boot.enable = false;
networking.useHostResolvConf = lib.mkForce false;
@@ -40,5 +34,7 @@
};
};
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "24.11";
}

Some files were not shown because too many files have changed in this diff Show More