h7x4
20f9a8a582 WIP: cross compile skrott 2026-01-26 02:41:36 +09:00
124 changed files with 26899 additions and 11484 deletions


@@ -7,13 +7,16 @@ jobs:
evals: evals:
runs-on: debian-latest runs-on: debian-latest
steps: steps:
- name: Install sudo
run: apt-get install --update --assume-yes sudo
- uses: actions/checkout@v6 - uses: actions/checkout@v6
- name: Install sudo
run: apt-get update && apt-get -y install sudo
- uses: https://github.com/cachix/install-nix-action@v31 - uses: https://github.com/cachix/install-nix-action@v31
- name: Configure Nix
run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
- name: Build topology graph - name: Build topology graph
run: nix build .#topology -L run: nix build .#topology -L
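Review bot: The `Configure Nix` step writes `/etc/nix/nix.conf` with a single `>` redirect, so whatever install-nix-action (the step just above it) already placed in that file is discarded; which side of this rendering the step belongs to cannot be read off with certainty, so this applies where it survives on the new side, and the same command appears unnamed at the end of the next file section. install-nix-action accepts these settings through its `extra_nix_config` input, which keeps the action's own configuration intact; appending with `>>` is the minimal alternative. `build-users-group =` (empty) together with `trusted-users = root` switches off build-user isolation, which is only acceptable because the runner is a disposable container — a one-line comment on the step saying so, e.g. `# single-user root nix inside a throwaway CI container; do not copy to hosts`, would stop it being reused elsewhere.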


@@ -6,11 +6,8 @@ jobs:
evals: evals:
runs-on: debian-latest runs-on: debian-latest
steps: steps:
- name: Install sudo
run: apt-get install --update --assume-yes sudo
- uses: actions/checkout@v6 - uses: actions/checkout@v6
- run: apt-get update && apt-get -y install sudo
- uses: https://github.com/cachix/install-nix-action@v31 - uses: https://github.com/cachix/install-nix-action@v31
- run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
- run: nix flake check - run: nix flake check


@@ -23,9 +23,3 @@ Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lau
Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no> Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com> Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
Fredrik Robertsen <frero@pvv.ntnu.no> fredrik <fredrikr79@pm.me>
Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Matthey <VegardMatthey@protonmail.com>
Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Bieker Matthey <VegardMatthey@protonmail.com>
Albert Bayazidi <albertba@pvv.ntnu.no> Albert <albert.bayazidi@gmail.com>


@@ -10,17 +10,17 @@ keys:
- &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune - &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
# Hosts # Hosts
- &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx - &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
- &host_ildkule age102e6y8gah0ntr6fxqnkpepc8ar29p6ls7ks9ka7v8w87q8scm9yqmc2u8d - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
- &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
- &host_lupine-1 age18lta9d683yekz487xwtd99da236d8mgk4ftlmv2jffx858p9qf2s9j868l - &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
- &host_lupine-2 age1e0a4ru707v637wzmuxqv0xywmlkhunzgyfy4mrkjc7a23qq8msgq7nqtvt - &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
- &host_lupine-3 age1wmrrhd5deatmgflkas636u3rzuk46u9knl02v4t39ncs37xqquhq9vwzye - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
- &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
- &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
- &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
- &host_gluttony age12czfkvuw9pjk5qny5c6m2hjhd634cj9r4dsa3ss5zkux5h4vvc7s7k4urq
creation_rules: creation_rules:
# Global secrets # Global secrets
@@ -91,6 +91,19 @@ creation_rules:
pgp: pgp:
- *user_oysteikt - *user_oysteikt
- path_regex: secrets/ustetind/[^/]+\.yaml$
key_groups:
- age:
- *host_ustetind
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
- path_regex: secrets/lupine/[^/]+\.yaml$ - path_regex: secrets/lupine/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
@@ -108,10 +121,10 @@ creation_rules:
pgp: pgp:
- *user_oysteikt - *user_oysteikt
- path_regex: secrets/skrot/[^/]+\.yaml$ - path_regex: secrets/bakke/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_skrot - *host_bakke
- *user_danio - *user_danio
- *user_felixalb - *user_felixalb
- *user_pederbs_sopp - *user_pederbs_sopp
@@ -121,15 +134,13 @@ creation_rules:
pgp: pgp:
- *user_oysteikt - *user_oysteikt
- path_regex: secrets/gluttony/[^/]+\.yaml$ - path_regex: secrets/skrott/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_gluttony
- *user_danio - *user_danio
- *user_felixalb - *user_felixalb
- *user_pederbs_sopp - *user_pederbs_sopp
- *user_pederbs_nord - *user_pederbs_nord
- *user_pederbs_bjarte - *user_pederbs_bjarte
- *user_vegardbm
pgp: pgp:
- *user_oysteikt - *user_oysteikt
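Review bot: The new `secrets/skrott/[^/]+\.yaml$` rule has no host recipient in its age group — only user keys — so sops-nix on skrott will have nothing it can decrypt with at activation, whereas the bakke and ustetind rules in this file each list a `*host_*` anchor first. Once the host's age key exists, add `- &host_skrott age1<skrott-host-key>` (placeholder) under `# Hosts` and `- *host_skrott` at the top of the rule's age list, then run `sops updatekeys` on the files under that path so the new recipient is actually encrypted to. The same re-encryption is needed for the hosts whose keys change in the first hunk (ildkule and lupine-1 through lupine-5): editing `.sops.yaml` alone never touches existing files, so until `updatekeys` runs those hosts still cannot read their secrets. `*user_vegardbm` is also dropped from the skrott rule while kept for ustetind; worth confirming that is intended rather than a copy/paste loss.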


@@ -39,12 +39,11 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
| bikkje | Virtual | Experimental login box | | bikkje | Virtual | Experimental login box |
| [brzeczyszczykiewicz][brz] | Physical | Shared music player | | [brzeczyszczykiewicz][brz] | Physical | Shared music player |
| [georg][geo] | Physical | Shared music player | | [georg][geo] | Physical | Shared music player |
| [gluttony][glu] | Virtual | General purpose compute |
| [ildkule][ild] | Virtual | Logging and monitoring host, prometheus, grafana, ... | | [ildkule][ild] | Virtual | Logging and monitoring host, prometheus, grafana, ... |
| [kommode][kom] | Virtual | Gitea + Gitea pages | | [kommode][kom] | Virtual | Gitea + Gitea pages |
| [lupine][lup] | Physical | Gitea CI/CD runners | | [lupine][lup] | Physical | Gitea CI/CD runners |
| shark | Virtual | Test host for authentication, absolutely horrendous | | shark | Virtual | Test host for authentication, absolutely horrendous |
| [skrot][skr] | Physical | Kiosk, snacks and soda | | [skrott][skr] | Physical | Kiosk, snacks and soda |
| [wenche][wen] | Virtual | Nix-builders, general purpose compute | | [wenche][wen] | Virtual | Nix-builders, general purpose compute |
## Documentation ## Documentation
@@ -58,9 +57,8 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
[bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep [bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
[brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz [brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
[geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg [geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
[glu]: https://wiki.pvv.ntnu.no/wiki/Maskiner/gluttony
[ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
[kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
[lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrot [skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott
[wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche


@@ -10,10 +10,7 @@
(fp /users) (fp /users)
(fp /modules/snakeoil-certs.nix) (fp /modules/snakeoil-certs.nix)
./mitigations.nix
./flake-input-exporter.nix ./flake-input-exporter.nix
./hardening.nix
./networking.nix ./networking.nix
./nix.nix ./nix.nix
./programs.nix ./programs.nix
@@ -23,7 +20,6 @@
./services/acme.nix ./services/acme.nix
./services/auto-upgrade.nix ./services/auto-upgrade.nix
./services/dbus.nix ./services/dbus.nix
./services/fluentbit.nix
./services/fwupd.nix ./services/fwupd.nix
./services/irqbalance.nix ./services/irqbalance.nix
./services/journald-upload.nix ./services/journald-upload.nix
@@ -34,6 +30,7 @@
./services/postfix.nix ./services/postfix.nix
./services/prometheus-node-exporter.nix ./services/prometheus-node-exporter.nix
./services/prometheus-systemd-exporter.nix ./services/prometheus-systemd-exporter.nix
./services/promtail.nix
./services/roowho2.nix ./services/roowho2.nix
./services/smartd.nix ./services/smartd.nix
./services/thermald.nix ./services/thermald.nix
@@ -71,6 +68,8 @@
fi fi
''; '';
# security.lockKernelModules = true;
security.protectKernelImage = true;
security.sudo.execWheelOnly = true; security.sudo.execWheelOnly = true;
security.sudo.extraConfig = '' security.sudo.extraConfig = ''
Defaults lecture = never Defaults lecture = never
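Review bot: With `./hardening.nix` and `./mitigations.nix` removed from the imports, the only kernel hardening left in this module is `security.protectKernelImage = true` (`security.lockKernelModules` stays commented out); the two deleted files that appear to be those modules carried a `boot.blacklistedKernelModules` list of unused protocols and filesystems, and a second denylist (af_alg/algif_*, esp4/esp6/rxrpc, rds) that its own comments tie to specific kernel issues and that was additionally enforced via `boot.extraModprobeConfig` with `install <mod> false`. If dropping them is deliberate — for instance because the module list broke the cross build this WIP commit is about — a comment beside the kept line such as `# module denylists from hardening.nix/mitigations.nix dropped: <reason>` would record that; otherwise keeping at least the second denylist while the rest is reworked is the safer default. The enclosing module continues outside the hunk.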


@@ -1,71 +0,0 @@
{ ... }:
{
boot.blacklistedKernelModules = [
# Obscure network protocols
"appletalk"
"atm"
"ax25"
"batman-adv"
"can"
"dccp"
"ipx"
"llc"
"n-hdlc"
"netrom"
"p8022"
"p8023"
"psnap"
"rds"
"rose"
"sctp"
"tipc"
# Filesystems we don't use
"adfs"
"affs"
"befs"
"bfs"
"cifs"
"cramfs"
"efs"
"exofs"
"freevxfs"
"gfs2"
"hfs"
"hfsplus"
"hpfs"
"jffs2"
"jfs"
"minix"
"nilfs2"
"ntfs"
"omfs"
"orangefs"
"qnx4"
"qnx6"
"sysv"
"ubifs"
"udf"
"ufs"
# Legacy hardware
"pcspkr"
"floppy"
"parport"
"ppdev"
# Other stuff we don't use
"firewire-core"
"firewire-ohci"
"ksmbd"
"ib_core"
"l2tp_eth"
"l2tp_netlink"
"l2tp_ppp"
"nfc"
"soundwire"
];
# security.lockKernelModules = true;
security.protectKernelImage = true;
}


@@ -1,24 +0,0 @@
{ pkgs, lib, ... }:
let
modulesToBan = [
# copy.fail
"af_alg"
"algif_aead"
"algif_hash"
"algif_rng"
"algif_skcipher"
# dirtyfrag / Fragnesia
"esp4"
"esp6"
"rxrpc"
# PinTheft
"rds"
];
in
{
boot.blacklistedKernelModules = modulesToBan;
boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
}


@@ -13,15 +13,9 @@
# Debug and find files # Debug and find files
file file
# Process json data
jq
# Check computer specs # Check computer specs
lshw lshw
# Check who is keeping open files
lsof
# Scan for open ports with netstat # Scan for open ports with netstat
net-tools net-tools
@@ -60,8 +54,6 @@
programs.nano.enable = true; programs.nano.enable = true;
# Same reasoning as nano # Same reasoning as nano
programs.vim.enable = true; programs.vim.enable = true;
# Same reasoning as vim
programs.neovim.enable = true;
# Some people like this shell for some reason # Some people like this shell for some reason
programs.zsh.enable = true; programs.zsh.enable = true;


@@ -8,6 +8,8 @@
# Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode: # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
virtualisation.vmVariant = { virtualisation.vmVariant = {
security.acme.defaults.server = "https://127.0.0.1"; security.acme.defaults.server = "https://127.0.0.1";
security.acme.preliminarySelfsigned = true;
users.users.root.initialPassword = "root"; users.users.root.initialPassword = "root";
}; };
} }


@@ -28,7 +28,7 @@ in
# workaround for https://github.com/NixOS/nix/issues/6895 # workaround for https://github.com/NixOS/nix/issues/6895
# via https://git.lix.systems/lix-project/lix/issues/400 # via https://git.lix.systems/lix-project/lix/issues/400
environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) { environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
"current-system-flake-inputs.json".source "current-system-flake-inputs.json".source
= pkgs.writers.writeJSON "flake-inputs.json" ( = pkgs.writers.writeJSON "flake-inputs.json" (
lib.flip lib.mapAttrs inputs (name: input: lib.flip lib.mapAttrs inputs (name: input:
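Review bot: Dropping `config.system.autoUpgrade.enable` from the `mkIf` condition means `current-system-flake-inputs.json` is now written on every non-VM host, while the comment above only says it is a workaround for the linked Nix issue and not when it is needed. If the export is useful regardless of auto-upgrade, extend that comment, e.g. `# exported on all real hosts, not only auto-upgrading ones, so the inputs of the running system are always inspectable`; if it was only ever needed on the auto-upgrade path, the narrower condition was doing the right thing. The enclosing `environment.etc` attribute runs past the end of the hunk.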


@@ -1,135 +0,0 @@
{ config, lib, ... }:
let
cfg = config.services.fluent-bit;
in
{
services.fluent-bit = {
enable = lib.mkDefault true;
settings = {
service = {
flush = 1;
log_level = "warn";
http_server = "on";
http_listen = "127.0.0.1";
http_port = 28183;
# filesystem-backed buffering so logs survives potential outages.
"storage.path" = "/var/lib/fluent-bit/storage";
"storage.sync" = "normal";
"storage.max_chunks_up" = 64;
"storage.backlog.mem_limit" = "16M";
};
pipeline = {
inputs = [{
name = "systemd";
tag = "journal.*";
db = "/var/lib/fluent-bit/journal.db";
read_from_tail = true;
strip_underscores = true;
lowercase = true;
max_entries = 1000;
"storage.type" = "filesystem";
}];
filters = [{
name = "modify";
match = "journal.*";
rename = [
"hostname host"
"priority level"
"systemd_unit unit"
];
}] ++ (lib.mapAttrsToList (k: v: {
name = "modify";
match = "journal.*";
condition = "Key_value_equals level ${k}";
set = "level ${v}";
}) {
"7" = "debug";
"6" = "info";
"5" = "notice";
"4" = "warning";
"3" = "error";
"2" = "crit";
"1" = "alert";
"0" = "emergency";
});
outputs = [{
name = "loki";
match = "*";
host = "ildkule.pvv.ntnu.no";
port = 3100;
uri = "/loki/api/v1/push";
compress = "gzip";
labels = lib.concatStringsSep ", " [
"job=systemd-journal"
];
label_keys = lib.concatMapStringsSep "," (k: "$" + k) [
"host"
"unit"
"level"
];
# JSON is probably fine for now, then we just extract the keys we want with the grafana web ui
# line_format = "key_value";
# drop_single_key = true;
"storage.total_limit_size" = "256M";
}];
};
};
};
systemd.services.fluent-bit = lib.mkIf cfg.enable {
serviceConfig = {
StateDirectory = "fluent-bit";
# NOTE: This hardening might be way too strong for general purpose use, don't upstream this.
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
# Lua JIT, maybe other things
MemoryDenyWriteExecute = false;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
UMask = "0077";
BindReadOnlyPaths = [
"/run/systemd/journal"
];
};
};
}


@@ -0,0 +1,38 @@
{ config, lib, values, ... }:
let
cfg = config.services.prometheus.exporters.node;
in
{
services.promtail = {
enable = lib.mkDefault true;
configuration = {
server = {
http_listen_port = 28183;
grpc_listen_port = 0;
};
clients = [{
url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
}];
scrape_configs = [{
job_name = "systemd-journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = config.networking.hostName;
};
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
];
}];
};
};
}
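Review bot: `cfg` is bound to `config.services.prometheus.exporters.node` at the top of the new file but never used, and the name is misleading in a promtail module; `values` in the argument set is unused as well, so both can be removed. The fluent-bit configuration this file replaces bound its HTTP server to `127.0.0.1`, whereas here only `http_listen_port = 28183;` is set, so promtail's server presumably listens on all interfaces by default — adding `http_listen_address = "127.0.0.1";` next to it keeps the metrics/readiness endpoint local. Journal entries are pushed to Loki over plain `http://` with no client authentication, as before; if that path is not confined to an internal network, note the assumption in a comment or move to TLS. The removed fluent-bit unit also had an explicit systemd sandboxing block with no counterpart here — confirm the promtail module's own unit settings cover it before relying on them.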


@@ -11,6 +11,5 @@
}; };
config.virtualisation.vmVariant = { config.virtualisation.vmVariant = {
virtualisation.isVmVariant = true; virtualisation.isVmVariant = true;
virtualisation.graphics = false;
}; };
} }


@@ -151,7 +151,7 @@ is up to date, you can do the following:
```console ```console
# Fetch gpg (unless you have it already) # Fetch gpg (unless you have it already)
nix shell nixpkgs#gnupg nix-shell -p gpg
# Import oysteikts key to the gpg keychain # Import oysteikts key to the gpg keychain
gpg --import ./keys/oysteikt.pub gpg --import ./keys/oysteikt.pub

flake.lock generated

@@ -1,32 +1,18 @@
{ {
"nodes": { "nodes": {
"crane": {
"locked": {
"lastModified": 1776635034,
"narHash": "sha256-OEOJrT3ZfwbChzODfIH4GzlNTtOFuZFWPtW7jIeR8xU=",
"owner": "ipetkov",
"repo": "crane",
"rev": "dc7496d8ea6e526b1254b55d09b966e94673750f",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"dibbler": { "dibbler": {
"inputs": { "inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1771267058, "lastModified": 1769362210,
"narHash": "sha256-EEL4SmD1b3BPJPsSJJ4wDTXWMumJqbR+BLzhJJG0skE=", "narHash": "sha256-QCQD7Ofin5UYL0i5Sv34gfJ0p5pv1hwZspE/Ufe84L8=",
"ref": "main", "ref": "main",
"rev": "e3962d02c78b9c7b4d18148d931a9a4bf22e7902", "rev": "1d01e1b2cb8fb2adee96c0b4f065c43c45eae290",
"revCount": 254, "revCount": 229,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/dibbler.git" "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
}, },
@@ -62,11 +48,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1772408722, "lastModified": 1765835352,
"narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -75,18 +61,35 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"gergle": { "gergle": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1777067150, "lastModified": 1767906545,
"narHash": "sha256-vqPz8jCS1zTQlvmgctUFpvnr6f9ISR5h7CPG/HgQvf0=", "narHash": "sha256-LOf08pcjEQFLs3dLPuep5d1bAXWOFcdfxuk3YMb5KWw=",
"ref": "main", "ref": "main",
"rev": "b452a854fb78d6df9fe062b45e23a968657d115d", "rev": "e55cbe0ce0b20fc5952ed491fa8a553c8afb1bdd",
"revCount": 35, "revCount": 23,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git" "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
}, },
@@ -99,15 +102,15 @@
"greg-ng": { "greg-ng": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs"
], ],
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1777019032, "lastModified": 1767906494,
"narHash": "sha256-29lw7THThWb5DW01rVRj1b816Apwz/P4m2wVWaSIadU=", "narHash": "sha256-Dd6gtdZfRMAD6JhdX0GdJwIHVaBikePSpQXhIdwLlWI=",
"ref": "main", "ref": "main",
"rev": "55262afca46c96f75a834d4e00e30d5fb20affb6", "rev": "7258822e2e90fea2ea00b13b5542f63699e33a9e",
"revCount": 61, "revCount": 61,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git" "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
@@ -189,11 +192,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1769500363, "lastModified": 1768749374,
"narHash": "sha256-vFxmdsLBPdTy5j2bf54gbTQi1XnWbZDmeR/BBh8MFrw=", "narHash": "sha256-dhXYLc64d7TKCnRPW4TlHGl6nLRNdabJB2DpJ8ffUw0=",
"ref": "main", "ref": "main",
"rev": "2618e434e40e109eaab6a0693313c7e0de7324a3", "rev": "040294f2e1df46e33d995add6944b25859654097",
"revCount": 47, "revCount": 37,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git" "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
}, },
@@ -210,11 +213,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1770960722, "lastModified": 1767906352,
"narHash": "sha256-IdhPsWFZUKSJh/nLjGLJvGM5d5Uta+k1FlVYPxTZi0E=", "narHash": "sha256-wYsH9MMAPFG3XTL+3DwI39XMG0F2fTmn/5lt265a3Es=",
"ref": "main", "ref": "main",
"rev": "c2e4aca7e1ba27cd09eeaeab47010d32a11841b2", "rev": "d054c5d064b8ed6d53a0adb0cf6c0a72febe212e",
"revCount": 15, "revCount": 13,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git" "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
}, },
@@ -232,11 +235,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1778407980, "lastModified": 1768955766,
"narHash": "sha256-r980BhsReZQe6FkmyNZkwCZpvzARo5jZgTl8HxjAssY=", "narHash": "sha256-V9ns1OII7sWSbIDwPkiqmJ3Xu/bHgQzj+asgH9cTpOo=",
"owner": "oddlama", "owner": "oddlama",
"repo": "nix-topology", "repo": "nix-topology",
"rev": "ca0a602f650306d00d6f3e3c76d0f4c48a5c5adc", "rev": "71f27de56a03f6d8a1a72cf4d0dfd780bcc075bc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -248,11 +251,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1778544512, "lastModified": 1768877948,
"narHash": "sha256-VIsPgfIpZ/01XUO6WN+o1NZbP5iKPKPHdHPWqfm4XIg=", "narHash": "sha256-Bq9Hd6DWCBaZ2GkwvJCWGnpGOchaD6RWPSCFxmSmupw=",
"rev": "c417517f9d525181ee5619c683419d308ee29fe8", "rev": "43b2e61c9d09cf6c1c9c192fe6da08accc9bfb1d",
"type": "tarball", "type": "tarball",
"url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.10745.c417517f9d52/nixexprs.tar.xz" "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4368.43b2e61c9d09/nixexprs.tar.xz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@@ -261,11 +264,11 @@
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1772328832, "lastModified": 1765674936,
"narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=", "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs.lib", "repo": "nixpkgs.lib",
"rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742", "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -276,11 +279,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1778586796, "lastModified": 1768886240,
"narHash": "sha256-XmDljcG4x8slQDlsWOc77pCA1YVuYn8JGumkYlhfTxI=", "narHash": "sha256-HUAAI7AF+/Ov1u3Vvjs4DL91zTxMkWLC4xJgQ9QxOUQ=",
"rev": "b25e938b89759b5f9466fc53c4a970244f84dc39", "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
"type": "tarball", "type": "tarball",
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre996582.b25e938b8975/nixexprs.tar.xz" "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre930839.80e4adbcf899/nixexprs.tar.xz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@@ -315,11 +318,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1778960428, "lastModified": 1768636400,
"narHash": "sha256-YAs3LbFGlBLJW3xHeoQfTq2GBBXTvuSKl2WXDtloczU=", "narHash": "sha256-AiSKT4/25LS1rUlPduBMogf4EbdMQYDY1rS7AvHFcxk=",
"ref": "main", "ref": "main",
"rev": "927748790b1f7159adfe32a3ad9ec01d22e9c5a2", "rev": "3a8f82b12a44e6c4ceacd6955a290a52d1ee2856",
"revCount": 583, "revCount": 573,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git" "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
}, },
@@ -373,24 +376,22 @@
}, },
"roowho2": { "roowho2": {
"inputs": { "inputs": {
"crane": "crane",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"rust-overlay": "rust-overlay_3" "rust-overlay": "rust-overlay_3"
}, },
"locked": { "locked": {
"lastModified": 1778600367, "lastModified": 1768140181,
"narHash": "sha256-YB0b2xUf4D8792D5Ay//7C3AjHyv+9yoy8K1mTe+wvE=", "narHash": "sha256-HfZzup5/jlu8X5vMUglTovVTSwhHGHwwV1YOFIL/ksA=",
"ref": "main", "ref": "main",
"rev": "8e5f2849ff7c9616100fe928261512a7ad647939", "rev": "834463ed64773939798589ee6fd4adfe3a97dddd",
"revCount": 91, "revCount": 43,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git" "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
}, },
"original": { "original": {
"ref": "main", "ref": "main",
"rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git" "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
} }
@@ -403,11 +404,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1777000482, "lastModified": 1767840362,
"narHash": "sha256-CZ5FKUSA8FCJf0h9GWdPJXoVVDL9H5yC74GkVc5ubIM=", "narHash": "sha256-ZtsFqUhilubohNZ1TgpQIFsi4biZTwRH9rjZsDRDik8=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "403c09094a877e6c4816462d00b1a56ff8198e06", "rev": "d159ea1fc321c60f88a616ac28bab660092a227d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -445,11 +446,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1776914043, "lastModified": 1767322002,
"narHash": "sha256-qug5r56yW1qOsjSI99l3Jm15JNT9CvS2otkXNRNtrPI=", "narHash": "sha256-yHKXXw2OWfIFsyTjduB4EyFwR0SYYF0hK8xI9z4NIn0=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "2d35c4358d7de3a0e606a6e8b27925d981c01cc3", "rev": "03c6e38661c02a27ca006a284813afdc461e9f7e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -465,11 +466,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1777944972, "lastModified": 1768863606,
"narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=", "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "c591bf665727040c6cc5cb409079acb22dcce33c", "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -478,6 +479,21 @@
"repo": "sops-nix", "repo": "sops-nix",
"type": "github" "type": "github"
} }
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

flake.nix

@@ -32,13 +32,13 @@
minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main"; minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs"; minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main&rev=8e5f2849ff7c9616100fe928261512a7ad647939"; roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main";
roowho2.inputs.nixpkgs.follows = "nixpkgs"; roowho2.inputs.nixpkgs.follows = "nixpkgs";
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main"; greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
greg-ng.inputs.nixpkgs.follows = "nixpkgs-unstable"; greg-ng.inputs.nixpkgs.follows = "nixpkgs";
gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git?ref=main"; gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git?ref=main";
gergle.inputs.nixpkgs.follows = "nixpkgs-unstable"; gergle.inputs.nixpkgs.follows = "nixpkgs";
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git?ref=master"; grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git?ref=master";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs"; grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
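Review bot: The roowho2 input URL loses its `rev=8e5f2849…` pin and follows `ref=main` like the other inputs; flake.lock still records a commit, but the next `nix flake update` will now advance it silently along with everything else. If the pin was holding a known-good revision, keep it or say in the commit message why it is safe to drop. greg-ng and gergle switching their `nixpkgs.follows` from `nixpkgs-unstable` to `nixpkgs` means they are now built against the stable channel; if they were on unstable because of a dependency requirement, that only shows up at build time, so a short comment on those two lines recording the reason for the change would help the next reader.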
@@ -49,14 +49,8 @@
qotd.inputs.nixpkgs.follows = "nixpkgs"; qotd.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = { outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
self, let
nixpkgs,
nixpkgs-unstable,
sops-nix,
disko,
...
} @ inputs: let
inherit (nixpkgs) lib; inherit (nixpkgs) lib;
systems = [ systems = [
"x86_64-linux" "x86_64-linux"
@@ -68,226 +62,201 @@
importantMachines = [ importantMachines = [
"bekkalokk" "bekkalokk"
"bicep" "bicep"
"brzeczyszczykiewicz"
"georg" "georg"
"ildkule" "ildkule"
"kommode"
"lupine-1"
"skrot"
]; ];
in { in {
inputs = lib.mapAttrs (_: src: src.outPath) inputs; inputs = lib.mapAttrs (_: src: src.outPath) inputs;
pkgs = forAllSystems (system: pkgs = forAllSystems (system: import nixpkgs {
import nixpkgs { inherit system;
inherit system; config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
config.allowUnfreePredicate = pkg: [
builtins.elem (lib.getName pkg) "nvidia-x11"
[ "nvidia-settings"
"nvidia-x11" ];
"nvidia-settings" });
];
});
nixosConfigurations = let nixosConfigurations = let
nixosConfig = nixpkgs: name: configurationPath: extraArgs @ { nixosConfig =
localSystem ? "x86_64-linux", # buildPlatform nixpkgs:
crossSystem ? "x86_64-linux", # hostPlatform name:
specialArgs ? {}, configurationPath:
modules ? [], extraArgs@{
overlays ? [], localSystem ? "x86_64-linux", # buildPlatform
enableDefaults ? true, crossSystem ? "x86_64-linux", # hostPlatform
... specialArgs ? { },
}: let modules ? [ ],
commonPkgsConfig = overlays ? [ ],
{ enableDefaults ? true,
config.allowUnfreePredicate = pkg: ...
builtins.elem (lib.getName pkg) }:
let
commonPkgsConfig = {
inherit localSystem crossSystem;
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
[ [
"nvidia-x11" "nvidia-x11"
"nvidia-settings" "nvidia-settings"
]; ];
overlays = overlays = (lib.optionals enableDefaults [
(lib.optionals enableDefaults [ # Global overlays go here
# Global overlays go here inputs.roowho2.overlays.default
inputs.roowho2.overlays.default ]) ++ overlays;
]) };
++ overlays;
} pkgs = import nixpkgs commonPkgsConfig;
// ( unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
if localSystem != crossSystem in
then { lib.nixosSystem (lib.recursiveUpdate
inherit localSystem crossSystem; {
system = crossSystem;
inherit pkgs;
specialArgs = {
inherit inputs unstablePkgs;
values = import ./values.nix;
fp = path: ./${path};
} // specialArgs;
modules = [
{
networking.hostName = lib.mkDefault name;
} }
else { configurationPath
system = crossSystem; ] ++ (lib.optionals enableDefaults [
} sops-nix.nixosModules.sops
); inputs.roowho2.nixosModules.default
pkgs = import nixpkgs commonPkgsConfig; ]) ++ modules;
unstablePkgs = import nixpkgs-unstable commonPkgsConfig; }
in (builtins.removeAttrs extraArgs [
lib.nixosSystem ( "localSystem"
lib.recursiveUpdate "crossSystem"
{ "modules"
system = crossSystem; "overlays"
"specialArgs"
inherit pkgs; "enableDefaults"
])
specialArgs = );
{
inherit inputs unstablePkgs;
values = import ./values.nix;
fp = path: ./${path};
}
// specialArgs;
modules =
[
{
networking.hostName = lib.mkDefault name;
}
configurationPath
]
++ (lib.optionals enableDefaults [
sops-nix.nixosModules.sops
inputs.roowho2.nixosModules.default
self.nixosModules.rsync-pull-targets
])
++ modules;
}
(builtins.removeAttrs extraArgs [
"localSystem"
"crossSystem"
"modules"
"overlays"
"specialArgs"
"enableDefaults"
])
);
stableNixosConfig = name: extraArgs: stableNixosConfig = name: extraArgs:
nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs; nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
in in {
{ bakke = stableNixosConfig "bakke" {
bicep = stableNixosConfig "bicep" { modules = [
modules = [ disko.nixosModules.disko
inputs.matrix-next.nixosModules.default ];
inputs.pvv-calendar-bot.nixosModules.default };
inputs.minecraft-heatmap.nixosModules.default bicep = stableNixosConfig "bicep" {
self.nixosModules.gickup modules = [
self.nixosModules.matrix-ooye inputs.matrix-next.nixosModules.default
]; inputs.pvv-calendar-bot.nixosModules.default
overlays = [ inputs.minecraft-heatmap.nixosModules.default
inputs.pvv-calendar-bot.overlays.default self.nixosModules.gickup
inputs.minecraft-heatmap.overlays.default self.nixosModules.matrix-ooye
(final: prev: { ];
inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element; overlays = [
}) inputs.pvv-calendar-bot.overlays.default
]; inputs.minecraft-heatmap.overlays.default
}; (final: prev: {
bekkalokk = stableNixosConfig "bekkalokk" { inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
overlays = [ })
(final: prev: { ];
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions {}; };
simplesamlphp = final.callPackage ./packages/simplesamlphp {}; bekkalokk = stableNixosConfig "bekkalokk" {
bluemap = final.callPackage ./packages/bluemap.nix {}; overlays = [
}) (final: prev: {
inputs.pvv-nettsiden.overlays.default mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
inputs.qotd.overlays.default simplesamlphp = final.callPackage ./packages/simplesamlphp { };
]; bluemap = final.callPackage ./packages/bluemap.nix { };
modules = [ })
inputs.pvv-nettsiden.nixosModules.default inputs.pvv-nettsiden.overlays.default
self.nixosModules.bluemap inputs.qotd.overlays.default
inputs.qotd.nixosModules.default ];
]; modules = [
}; inputs.pvv-nettsiden.nixosModules.default
ildkule = stableNixosConfig "ildkule" { self.nixosModules.bluemap
modules = [ inputs.qotd.nixosModules.default
inputs.disko.nixosModules.disko ];
]; };
}; ildkule = stableNixosConfig "ildkule" { };
skrot = stableNixosConfig "skrot" { #ildkule-unstable = unstableNixosConfig "ildkule" { };
modules = [ shark = stableNixosConfig "shark" { };
inputs.disko.nixosModules.disko wenche = stableNixosConfig "wenche" { };
inputs.dibbler.nixosModules.default temmie = stableNixosConfig "temmie" { };
]; gluttony = stableNixosConfig "gluttony" { };
overlays = [inputs.dibbler.overlays.default];
};
shark = stableNixosConfig "shark" {};
wenche = stableNixosConfig "wenche" {};
temmie = stableNixosConfig "temmie" {};
gluttony = stableNixosConfig "gluttony" {
overlays = [
(final: prev: { bluemap = final.callPackage ./packages/bluemap.nix {}; })
];
modules = [ self.nixosModules.bluemap ];
};
kommode = stableNixosConfig "kommode" { kommode = stableNixosConfig "kommode" {
overlays = [ overlays = [
inputs.nix-gitea-themes.overlays.default inputs.nix-gitea-themes.overlays.default
]; ];
modules = [ modules = [
inputs.nix-gitea-themes.nixosModules.default inputs.nix-gitea-themes.nixosModules.default
inputs.disko.nixosModules.disko ];
]; };
};
brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" { ustetind = stableNixosConfig "ustetind" {
modules = [ modules = [
inputs.grzegorz-clients.nixosModules.grzegorz-webui "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
inputs.gergle.nixosModules.default ];
inputs.greg-ng.nixosModules.default };
];
overlays = [ brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
inputs.greg-ng.overlays.default modules = [
inputs.gergle.overlays.default inputs.grzegorz-clients.nixosModules.grzegorz-webui
]; inputs.gergle.nixosModules.default
}; inputs.greg-ng.nixosModules.default
georg = stableNixosConfig "georg" { ];
modules = [ overlays = [
inputs.grzegorz-clients.nixosModules.grzegorz-webui inputs.greg-ng.overlays.default
inputs.gergle.nixosModules.default inputs.gergle.overlays.default
inputs.greg-ng.nixosModules.default ];
]; };
overlays = [ georg = stableNixosConfig "georg" {
inputs.greg-ng.overlays.default modules = [
inputs.gergle.overlays.default inputs.grzegorz-clients.nixosModules.grzegorz-webui
]; inputs.gergle.nixosModules.default
}; inputs.greg-ng.nixosModules.default
} ];
// (let overlays = [
machineNames = map (i: "lupine-${toString i}") (lib.range 1 5); inputs.greg-ng.overlays.default
stableLupineNixosConfig = name: extraArgs: inputs.gergle.overlays.default
];
};
skrott = stableNixosConfig "skrott" {
crossSystem = "aarch64-linux";
modules = [
(nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
inputs.dibbler.nixosModules.default
];
overlays = [
inputs.dibbler.overlays.default
];
};
}
//
(let
machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
stableLupineNixosConfig = name: extraArgs:
nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs; nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
in in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
lib.genAttrs machineNames (name: modules = [{ networking.hostName = name; }];
stableLupineNixosConfig name { specialArgs.lupineName = name;
modules = [{networking.hostName = name;}]; }));
specialArgs.lupineName = name;
}));
nixosModules = { nixosModules = {
bluemap = ./modules/bluemap.nix; bluemap = ./modules/bluemap.nix;
gickup = ./modules/gickup;
matrix-ooye = ./modules/matrix-ooye.nix;
robots-txt = ./modules/robots-txt.nix;
rsync-pull-targets = ./modules/rsync-pull-targets.nix;
snakeoil-certs = ./modules/snakeoil-certs.nix; snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix; snappymail = ./modules/snappymail.nix;
robots-txt = ./modules/robots-txt.nix;
gickup = ./modules/gickup;
matrix-ooye = ./modules/matrix-ooye.nix;
}; };
devShells = forAllSystems (system: { devShells = forAllSystems (system: {
default = let default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
pkgs = import nixpkgs-unstable {
inherit system;
overlays = [
(final: prev: {
inherit (inputs.disko.packages.${system}) disko;
})
];
};
in
pkgs.callPackage ./shell.nix {};
cuda = let cuda = let
cuda-pkgs = import nixpkgs-unstable { cuda-pkgs = import nixpkgs-unstable {
inherit system; inherit system;
@@ -296,88 +265,85 @@
cudaSupport = true; cudaSupport = true;
}; };
}; };
in in cuda-pkgs.callPackage ./shells/cuda.nix { };
cuda-pkgs.callPackage ./shells/cuda.nix {};
}); });
packages = { packages = {
"x86_64-linux" = let "x86_64-linux" = let
system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages."x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system}; in rec {
in default = important-machines;
rec { important-machines = pkgs.linkFarm "important-machines"
default = important-machines; (lib.getAttrs importantMachines self.packages.x86_64-linux);
important-machines = all-machines = pkgs.linkFarm "all-machines"
pkgs.linkFarm "important-machines" (lib.getAttrs allMachines self.packages.x86_64-linux);
(lib.getAttrs importantMachines self.packages.${system});
all-machines =
pkgs.linkFarm "all-machines"
(lib.getAttrs allMachines self.packages.${system});
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp {}; simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
bluemap = pkgs.callPackage ./packages/bluemap.nix {}; bluemap = pkgs.callPackage ./packages/bluemap.nix { };
out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix {}; out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
} }
// //
# Mediawiki extensions # Mediawiki extensions
(lib.pipe null [ (lib.pipe null [
(_: pkgs.callPackage ./packages/mediawiki-extensions {}) (_: pkgs.callPackage ./packages/mediawiki-extensions { })
(lib.flip builtins.removeAttrs ["override" "overrideDerivation"]) (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
(lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}")) (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
]) ])
// //
# Machines # Machines
lib.genAttrs allMachines lib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel) (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
// //
# Nix-topology # Skrott is exception
(let {
topology' = import inputs.nix-topology { skrott = self.nixosConfigurations.skrott.config.system.build.sdImage;
pkgs = import nixpkgs { }
inherit system; //
overlays = [ # Nix-topology
inputs.nix-topology.overlays.default (let
(final: prev: { topology' = import inputs.nix-topology {
inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons; pkgs = import nixpkgs {
}) system = "x86_64-linux";
]; overlays = [
}; inputs.nix-topology.overlays.default
(final: prev: {
specialArgs = { inherit (nixpkgs-unstable.legacyPackages.x86_64-linux) super-tiny-icons;
values = import ./values.nix; })
};
modules = [
./topology
{
nixosConfigurations = lib.mapAttrs (_name: nixosCfg:
nixosCfg.extendModules {
modules = [
inputs.nix-topology.nixosModules.default
./topology/service-extractors/greg-ng.nix
./topology/service-extractors/postgresql.nix
./topology/service-extractors/mysql.nix
./topology/service-extractors/gitea-runners.nix
];
})
self.nixosConfigurations;
}
]; ];
}; };
in {
topology = topology'.config.output; specialArgs = {
topology-png = values = import ./values.nix;
pkgs.runCommand "pvv-config-topology-png" { };
nativeBuildInputs = [pkgs.writableTmpDirAsHomeHook];
} '' modules = [
mkdir -p "$out" ./topology
for file in '${topology'.config.output}'/*.svg; do {
${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")" nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
done modules = [
''; inputs.nix-topology.nixosModules.default
}); ./topology/service-extractors/greg-ng.nix
./topology/service-extractors/postgresql.nix
./topology/service-extractors/mysql.nix
./topology/service-extractors/gitea-runners.nix
];
}) self.nixosConfigurations;
}
];
};
in {
topology = topology'.config.output;
topology-png = pkgs.runCommand "pvv-config-topology-png" {
nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
} ''
mkdir -p "$out"
for file in '${topology'.config.output}'/*.svg; do
${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
done
'';
});
}; };
}; };
} }


@@ -0,0 +1,18 @@
{ config, pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base
./filesystems.nix
];
networking.hostId = "99609ffc";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0";
address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "24.05";
}
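Review bot: `imports` lists hardware-configuration.nix, ../../base and filesystems.nix but not `./disks.nix`, while the flake's bakke entry elsewhere in this compare appears to add `disko.nixosModules.disko`; as written the disko module is loaded with no `disko.devices` defined, so it contributes nothing to this host. If disko is meant to stay retired on bakke (as the note in disks.nix suggests), drop the module from the flake entry; if it is meant to own the layout, add `./disks.nix` to `imports` and reconcile it with the mounts in hardware-configuration.nix. Either way a one-line comment next to `imports` saying which file is authoritative would help, e.g. `# disks.nix is kept for reference only; the live layout is in hardware-configuration.nix`. `networking.hostId` is presumably set for ZFS (filesystems.nix enables it); a `# required by zfs` comment would explain the otherwise opaque value.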

83
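--- /dev/null
+++ b/hosts/bakke/disks.nix
@@ -0,0 +1,83 @@
+{
+# https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
+# Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
+disko.devices = {
+disk = {
+one = {
+type = "disk";
+device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
+content = {
+type = "gpt";
+partitions = {
+ESP = {
+size = "500M";
+type = "EF00";
+content = {
+type = "mdraid";
+name = "boot";
+};
+};
+mdadm = {
+size = "100%";
+content = {
+type = "mdraid";
+name = "raid1";
+};
+};
+};
+};
+};
+two = {
+type = "disk";
+device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
+content = {
+type = "gpt";
+partitions = {
+ESP = {
+size = "500M";
+type = "EF00";
+content = {
+type = "mdraid";
+name = "boot";
+};
+};
+mdadm = {
+size = "100%";
+content = {
+type = "mdraid";
+name = "raid1";
+};
+};
+};
+};
+};
+};
+mdadm = {
+boot = {
+type = "mdadm";
+level = 1;
+metadata = "1.0";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+};
+};
+raid1 = {
+type = "mdadm";
+level = 1;
+content = {
+type = "gpt";
+partitions.primary = {
+size = "100%";
+content = {
+type = "filesystem";
+format = "ext4";
+mountpoint = "/";
+};
+};
+};
+};
+};
+};
+}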
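Review bot: The layout declared here (md `raid1` → GPT → ext4 at `/`, md `boot` → vfat at `/boot`) does not match the mounts in hardware-configuration.nix (btrfs subvolumes by UUID, `/boot` on `/dev/sdc2`), and configuration.nix does not import this file, so it is documentation rather than live configuration; the Note comment should say so explicitly, e.g. `# Reference only: not imported. The live mounts (btrfs subvolumes) are in hardware-configuration.nix; the md layout below is what disko originally created.` The `metadata = "1.0"` on the boot array is the one non-obvious choice and deserves a comment — presumably it keeps the md superblock at the end so firmware can read the ESP members as plain FAT; confirm and state it.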


@@ -0,0 +1,26 @@
{ config, pkgs, lib, ... }:
{
# Boot drives:
boot.swraid.enable = true;
# ZFS Data pool:
environment.systemPackages = with pkgs; [ zfs ];
boot = {
zfs = {
extraPools = [ "tank" ];
requestEncryptionCredentials = false;
};
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
# NFS Exports:
#TODO
# NFS Import mounts:
#TODO
}
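Review bot: `kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages` was deprecated in NixOS 24.05 and, as far as I know, has since been removed from nixpkgs, so on the nixpkgs the rest of this repository pins this line is likely to fail evaluation; drop it and rely on the default kernel (which nixpkgs keeps ZFS-compatible) or pin an explicit LTS `pkgs.linuxPackages_<version>` with a comment explaining the pin. `environment.systemPackages = with pkgs; [ zfs ]` is, I believe, redundant once `boot.supportedFilesystems` includes zfs, since the module already installs the userland tools. `requestEncryptionCredentials = false` means any encrypted dataset in `tank` stays locked after boot; a comment stating that this is intended (and how such datasets get unlocked) would save a future "why is my dataset missing" hunt.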


@@ -0,0 +1,52 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=nix" "noatime" ];
};
fileSystems."/boot" =
{ device = "/dev/sdc2";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
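Review bot: `fileSystems."/boot".device = "/dev/sdc2"` is a kernel enumeration name that can change across boots or when a disk is replaced, and if `/boot` is one member of the md mirror described in disks.nix (`boot.swraid.enable = true` in filesystems.nix suggests so), mounting the member directly bypasses the mirror and will desynchronise it; use a `/dev/disk/by-uuid/<uuid>` path (or `/dev/md/boot`, or a `by-id` path) as the other mounts already do. The header says the file is generated, but `networking.useDHCP = lib.mkDefault false` with the per-interface lines commented out looks hand-edited (the generator emits `true`, I believe); a comment such as `# hand-edited: useDHCP, /boot device — do not regenerate blindly` would warn the next person before they run nixos-generate-config over it.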


@@ -28,5 +28,5 @@
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11"; system.stateVersion = "22.11";
} }


@@ -1,10 +1,105 @@
{ values, ... }: { config, lib, pkgs, inputs, ... }:
let let
webExport = "/var/lib/bluemap/web"; vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
format = pkgs.formats.hocon { };
in { in {
# NOTE: our version of the module gets added in flake.nix # NOTE: our versino of the module gets added in flake.nix
disabledModules = [ "services/web-apps/bluemap.nix" ]; disabledModules = [ "services/web-apps/bluemap.nix" ];
sops.secrets."bluemap/ssh-key" = { };
sops.secrets."bluemap/ssh-known-hosts" = { };
services.bluemap = {
enable = true;
eula = true;
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
host = "minecraft.pvv.ntnu.no";
maps = let
inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
in {
"verden" = {
extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:overworld";
name = "Verden";
sorting = 0;
start-pos = {
x = 0;
z = 0;
};
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
};
"underverden" = {
extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_nether";
name = "Underverden";
sorting = 100;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#290000";
void-color = "#150000";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
render-mask = [{
max-y = 90;
}];
};
};
"enden" = {
extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_end";
name = "Enden";
sorting = 200;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#080010";
void-color = "#080010";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
};
};
systemd.services."render-bluemap-maps" = {
serviceConfig = {
StateDirectory = [ "bluemap/world" ];
ExecStartPre = let
rsyncArgs = lib.cli.toCommandLineShellGNU { } {
archive = true;
compress = true;
verbose = true;
no-owner = true;
no-group = true;
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
};
in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
];
};
};
services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = { services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@@ -20,30 +115,6 @@ in {
quic_retry on; quic_retry on;
add_header Alt-Svc 'h3=":$server_port"; ma=86400'; add_header Alt-Svc 'h3=":$server_port"; ma=86400';
''; '';
root = webExport;
locations = {
"~* ^/maps/[^/]*/tiles/".extraConfig = ''
error_page 404 = @empty;
'';
"@empty".return = "204";
};
};
services.rsync-pull-targets = {
enable = true;
locations.${webExport} = {
user = "root";
rrsyncArgs.wo = true;
authorizedKeysAttrs = [
"restrict"
"from=\"gluttony.pvv.ntnu.no,${values.hosts.gluttony.ipv6},${values.hosts.gluttony.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5jrqMovXlWaFWZAV/aKyQReHvUQp5kb+7Ja4gnevSr root@gluttony bluemap";
};
}; };
networking.firewall.allowedUDPPorts = [ 443 ]; networking.firewall.allowedUDPPorts = [ 443 ];
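Review bot: `ExecStartPre` pulls `root@innovation.pvv.ntnu.no:/` into `${vanillaSurvival}` using a root-login key; unless innovation's authorized_keys wraps that key in `command="rrsync -ro <world dir>"` (in which case `/` is the rrsync root, not the real filesystem root), this mirrors innovation's entire root filesystem — /etc, /root, /var/lib secrets included — onto this host every render. Either point the source at the world directory, or add a comment next to the rsync line stating the server-side confinement, e.g. `# "/" is relative to the rrsync -ro root set in innovation's authorized_keys, not the real filesystem root`, and make sure that key also carries `restrict` and a `from=` option on the innovation side. The `LoadCredential` plus `%d` handling for the key and known_hosts is the right pattern. Nit: `versino` → `version` in the NOTE comment.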


@@ -1,4 +1,4 @@
{ pkgs, lib, fp, config, values, ... }: let { pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
cfg = config.services.mediawiki; cfg = config.services.mediawiki;
# "mediawiki" # "mediawiki"
@@ -34,7 +34,6 @@ in {
services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ]; services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
sops.secrets = lib.pipe [ sops.secrets = lib.pipe [
"mediawiki/secret-key"
"mediawiki/password" "mediawiki/password"
"mediawiki/postgres_password" "mediawiki/postgres_password"
"mediawiki/simplesamlphp/postgres_password" "mediawiki/simplesamlphp/postgres_password"
@@ -49,23 +48,6 @@ in {
lib.listToAttrs lib.listToAttrs
]; ];
services.rsync-pull-targets = {
enable = true;
locations.${cfg.uploadsDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHFHa3Iq1oKPhbKCAIHgOoWOTkLmIc7yqxeTbut7ig/ mediawiki rsync backup";
};
};
services.mediawiki = { services.mediawiki = {
enable = true; enable = true;
name = "Programvareverkstedet"; name = "Programvareverkstedet";
@@ -162,24 +144,6 @@ in {
$wgDBserver = "${toString cfg.database.host}"; $wgDBserver = "${toString cfg.database.host}";
$wgAllowCopyUploads = true; $wgAllowCopyUploads = true;
# Files
$wgFileExtensions = [
'bmp',
'gif',
'jpeg',
'jpg',
'mp3',
'odg',
'odp',
'ods',
'odt',
'pdf',
'png',
'tiff',
'webm',
'webp',
];
# Misc program paths # Misc program paths
$wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg'; $wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
$wgExiftool = '${pkgs.exiftool}/bin/exiftool'; $wgExiftool = '${pkgs.exiftool}/bin/exiftool';
@@ -210,22 +174,20 @@ in {
# EXT:WikiEditor # EXT:WikiEditor
$wgWikiEditorRealtimePreview = true; $wgWikiEditorRealtimePreview = true;
$wgSecretKey = file_get_contents("${config.sops.secrets."mediawiki/secret-key".path}");
''; '';
}; };
# Cache directory for simplesamlphp # Cache directory for simplesamlphp
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp"; # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable { systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
user = "mediawiki"; user = "mediawiki";
group = "mediawiki"; group = "mediawiki";
mode = "0770"; mode = "0770";
}; };
users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ]; users.groups.mediawiki.members = [ "nginx" ];
services.nginx.virtualHosts."wiki.pvv.ntnu.no" = lib.mkIf cfg.enable { services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
kTLS = true; kTLS = true;
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@@ -271,18 +233,4 @@ in {
}; };
}; };
systemd.services.mediawiki-init = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ];
serviceConfig = {
UMask = lib.mkForce "0007";
};
};
systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ];
serviceConfig = {
UMask = lib.mkForce "0007";
};
};
} }
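Review bot: Relative to the base, the new side of this file drops `$wgSecretKey` (and the `mediawiki/secret-key` sops secret), the `$wgFileExtensions` allowlist, the `UMask = "0007"` overrides on mediawiki-init/phpfpm-mediawiki and the `lib.mkIf cfg.enable` guards, and adds a `pkgs-unstable` argument that nothing in the visible hunks uses; none of that relates to cross-compiling skrott, so this looks like the branch predating main rather than intended changes, and a rebase would probably make these hunks disappear. If the removals are intentional, the `$wgSecretKey` one needs a comment saying that the NixOS module's own generated key is being relied on (I believe it creates one under the state directory — confirm), because that key protects session cookies and CSRF tokens.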


@@ -1,4 +1,4 @@
{ config, pkgs, lib, values, ... }: { config, pkgs, lib, ... }:
let let
cfg = config.services.vaultwarden; cfg = config.services.vaultwarden;
domain = "pw.pvv.ntnu.no"; domain = "pw.pvv.ntnu.no";
@@ -6,58 +6,40 @@ let
port = 3011; port = 3011;
wsPort = 3012; wsPort = 3012;
in { in {
sops.secrets."vaultwarden/rsa_key.pem" = { sops.secrets."vaultwarden/environ" = {
owner = "vaultwarden"; owner = "vaultwarden";
group = "vaultwarden"; group = "vaultwarden";
mode = "440";
restartUnits = [ "vaultwarden.service" ];
};
sops.secrets."vaultwarden/rsa_key.pub.pem" = {
owner = "vaultwarden";
group = "vaultwarden";
mode = "440";
restartUnits = [ "vaultwarden.service" ];
};
sops.secrets."vaultwarden/env/DATABASE_PASSWORD" = { };
sops.secrets."vaultwarden/env/SMTP_PASSWORD" = { };
sops.templates."vaultwarden/environment_file" = {
owner = "vaultwarden";
group = "vaultwarden";
mode = "440";
restartUnits = [ "vaultwarden.service" ];
content = ''
DATABASE_URL=postgresql://vaultwarden:${config.sops.placeholder."vaultwarden/env/DATABASE_PASSWORD"}@postgres.pvv.ntnu.no/vaultwarden
SMTP_PASSWORD=${config.sops.placeholder."vaultwarden/env/SMTP_PASSWORD"}
'';
}; };
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
dbBackend = "postgresql"; dbBackend = "postgresql";
environmentFile = config.sops.templates."vaultwarden/environment_file".path; environmentFile = config.sops.secrets."vaultwarden/environ".path;
config = { config = {
DOMAIN = "https://${domain}"; domain = "https://${domain}";
ROCKET_ADDRESS = address; rocketAddress = address;
ROCKET_PORT = port; rocketPort = port;
WEBSOCKET_ENABLED = true; websocketEnabled = true;
WEBSOCKET_ADDRESS = address; websocketAddress = address;
WEBSOCKET_PORT = wsPort; websocketPort = wsPort;
SIGNUPS_ALLOWED = true; signupsAllowed = true;
SIGNUPS_VERIFY = true; signupsVerify = true;
SIGNUPS_DOMAINS_WHITELIST = "pvv.ntnu.no"; signupsDomainsWhitelist = "pvv.ntnu.no";
SMTP_FROM = "vaultwarden@pvv.ntnu.no"; smtpFrom = "vaultwarden@pvv.ntnu.no";
SMTP_FROM_NAME = "VaultWarden PVV"; smtpFromName = "VaultWarden PVV";
SMTP_HOST = "smtp.pvv.ntnu.no"; smtpHost = "smtp.pvv.ntnu.no";
SMTP_USERNAME = "vaultwarden"; smtpUsername = "vaultwarden";
SMTP_SECURITY = "force_tls"; smtpSecurity = "force_tls";
SMTP_AUTH_MECHANISM = "Login"; smtpAuthMechanism = "Login";
RSA_KEY_FILENAME = lib.removeSuffix ".pem" config.sops.secrets."vaultwarden/rsa_key.pem".path; # Configured in environ:
# databaseUrl = "postgresql://vaultwarden@/vaultwarden";
# smtpPassword = hemli
}; };
}; };
@@ -84,20 +66,37 @@ in {
}; };
}; };
services.rsync-pull-targets = { systemd.services.vaultwarden = lib.mkIf cfg.enable {
enable = true; serviceConfig = {
locations."/var/lib/vaultwarden" = { AmbientCapabilities = [ "" ];
user = "root"; CapabilityBoundingSet = [ "" ];
rrsyncArgs.ro = true; DeviceAllow = [ "" ];
authorizedKeysAttrs = [ LockPersonality = true;
"restrict" NoNewPrivileges = true;
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\"" # MemoryDenyWriteExecute = true;
"no-agent-forwarding" PrivateMounts = true;
"no-port-forwarding" PrivateUsers = true;
"no-pty" ProcSubset = "pid";
"no-X11-forwarding" ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
]; ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2cDaW52gBtLVaNqoGijvN2ZAVkAWlII5AXUzT3Dswj vaultwarden rsync backup";
}; };
}; };
} }
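Review bot: `sops.secrets."vaultwarden/environ"` has no `restartUnits`, so rotating the database or SMTP password in sops will not restart vaultwarden.service and the old credentials stay in use until the next deploy; add `restartUnits = [ "vaultwarden.service" ];` (and an explicit `mode = "0400";` to document the intent). The new hardening block is a good addition, but it has no `ProtectSystem`/`ProtectHome`/`ProtectProc` and no `PrivateDevices`/`PrivateTmp`; the upstream module may already set some of these (I have not verified), so either confirm that or add `ProtectSystem = "strict"; ProtectHome = true; ProtectProc = "invisible";` next to `ProcSubset`. The comment `# smtpPassword = hemli` is a placeholder; replace it with what the env file must actually define, e.g. `# environ provides DATABASE_URL and SMTP_PASSWORD`.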


@@ -9,12 +9,6 @@ in
sops.secrets."roundcube/postgres_password" = { sops.secrets."roundcube/postgres_password" = {
owner = "nginx"; owner = "nginx";
group = "nginx"; group = "nginx";
restartUnits = [ "phpfpm-roundcube.service" ];
};
sops.secrets."roundcube/des_key" = {
owner = "nginx";
group = "nginx";
restartUnits = [ "phpfpm-roundcube.service" ];
}; };
services.roundcube = { services.roundcube = {
@@ -45,7 +39,6 @@ in
$config['mail_domain'] = "pvv.ntnu.no"; $config['mail_domain'] = "pvv.ntnu.no";
$config['smtp_user'] = "%u"; $config['smtp_user'] = "%u";
$config['support_url'] = ""; $config['support_url'] = "";
$config['des_key'] = "${config.sops.secrets."roundcube/des_key".path}";
''; '';
}; };
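Review bot: The new side drops the `roundcube/des_key` sops secret and the `$config['des_key']` line; that is acceptable only if the NixOS roundcube module supplies its own generated key (I believe it does — confirm), since `des_key` encrypts the IMAP password kept in the session. Note also that the line being removed set `des_key` to the secret's *path* string rather than its contents, so when this branch is rebased and the line returns it should read `$config['des_key'] = trim(file_get_contents("${config.sops.secrets."roundcube/des_key".path}"));`. The `roundcube/postgres_password` secret also lost its `restartUnits`, so a rotated database password will not reach phpfpm-roundcube until something else restarts it.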


@@ -1,4 +1,4 @@
{ config, lib, fp, pkgs, values, ... }: { config, lib, fp, pkgs, ... }:
let let
cfg = config.services.snappymail; cfg = config.services.snappymail;
in { in {
@@ -14,21 +14,5 @@ in {
enableACME = true; enableACME = true;
kTLS = true; kTLS = true;
}; };
services.rsync-pull-targets = {
enable = true;
locations.${cfg.dataDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJENMnuNsHEeA91oX+cj7Qpex2defSXP/lxznxCAqV03 snappymail rsync backup";
};
};
} }


@@ -80,40 +80,9 @@ in {
}; };
services.phpfpm.pools."pvv-nettsiden".settings = { services.phpfpm.pools."pvv-nettsiden".settings = {
"php_admin_value[error_log]" = "syslog"; # "php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = true; "php_admin_flag[log_errors]" = true;
"catch_workers_output" = true; "catch_workers_output" = true;
"php_admin_value[max_execution_time]" = "30";
"request_terminate_timeout" = "60s";
"php_admin_value[sendmail_path]" = let
fakeSendmail = pkgs.writeShellApplication {
name = "fake-sendmail";
text = ''
TIMESTAMP="$(date +%Y-%m-%d-%H-%M-%S-%N)"
(
echo "SENDMAIL ARGS:"
echo "$@"
echo "SENDMAIL STDIN:"
cat -
) > "/var/lib/pvv-nettsiden/emails/$TIMESTAMP.mail"
'';
};
in lib.getExe fakeSendmail;
"php_admin_value[disable_functions]" = lib.concatStringsSep "," [
"curl_exec"
"curl_multi_exec"
"exec"
"parse_ini_file"
"passthru"
"popen"
"proc_open"
"shell_exec"
"show_source"
"system"
];
}; };
services.nginx.virtualHosts."pvv.ntnu.no" = { services.nginx.virtualHosts."pvv.ntnu.no" = {
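Review bot: The new side removes `php_admin_value[disable_functions]` (exec, system, passthru, popen, proc_open, shell_exec, curl_exec, …) together with `max_execution_time`/`request_terminate_timeout` and the fake-sendmail sink, and comments out `error_log`; the disable_functions list is the defense-in-depth control that keeps a PHP file-write or include bug from turning into command execution, and it should not disappear in a cross-compile change. Unless this is rebase drift (likely, given the rest of the compare), keep at least `"php_admin_value[disable_functions]" = lib.concatStringsSep "," [ "exec" "passthru" "popen" "proc_open" "shell_exec" "system" ];`. With `error_log` commented out and `catch_workers_output = true`, PHP errors go to the FPM master's stderr/journal rather than syslog; if that is the intent, say so in a comment instead of leaving the dead `# "php_admin_value[error_log]" = "stderr";` line.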


@@ -1,30 +1,15 @@
{ pkgs, lib, config, values, ... }: { pkgs, lib, config, ... }:
let let
galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR; galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer"; transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
in { in {
users.users.${config.services.pvv-nettsiden.user} = { users.users.${config.services.pvv-nettsiden.user} = {
# NOTE: the user unfortunately needs a registered shell for rrsync to function...
# is there anything we can do to remove this?
useDefaultShell = true; useDefaultShell = true;
};
# This is pushed from microbel:/var/www/www-gallery/build-gallery.sh # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
services.rsync-pull-targets = { openssh.authorizedKeys.keys = [
enable = true; ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
locations.${transferDir} = { ];
user = config.services.pvv-nettsiden.user;
rrsyncArgs.wo = true;
authorizedKeysAttrs = [
"restrict"
"from=\"microbel.pvv.ntnu.no,${values.hosts.microbel.ipv6},${values.hosts.microbel.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish";
};
}; };
systemd.paths.pvv-nettsiden-gallery-update = { systemd.paths.pvv-nettsiden-gallery-update = {
@@ -40,15 +25,15 @@ in {
path = with pkgs; [ imagemagick gnutar gzip ]; path = with pkgs; [ imagemagick gnutar gzip ];
script = '' script = ''
tar ${lib.cli.toCommandLineShellGNU { } { tar ${lib.cli.toGNUCommandLineShell {} {
extract = true; extract = true;
file = "${transferDir}/gallery.tar.gz"; file = "${transferDir}/gallery.tar.gz";
directory = "."; directory = ".";
}} }}
# Delete files and directories that exists in the gallery that don't exist in the tarball # Delete files and directories that exists in the gallery that don't exist in the tarball
filesToRemove=$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||'))) filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
while IFS= read -r fname; do while IFS= read fname; do
rm -f "$fname" ||: rm -f "$fname" ||:
rm -f ".thumbnails/$fname.png" ||: rm -f ".thumbnails/$fname.png" ||:
done <<< "$filesToRemove" done <<< "$filesToRemove"
@@ -56,9 +41,9 @@ in {
find . -type d -empty -delete find . -type d -empty -delete
mkdir -p .thumbnails mkdir -p .thumbnails
images=$(find . -type f -not -path './.thumbnails*') images=$(find . -type f -not -path "./.thumbnails*")
while IFS= read -r fname; do while IFS= read fname; do
# Skip this file if an up-to-date thumbnail already exists # Skip this file if an up-to-date thumbnail already exists
if [ -f ".thumbnails/$fname.png" ] && \ if [ -f ".thumbnails/$fname.png" ] && \
[ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ] [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
@@ -67,7 +52,7 @@ in {
fi fi
echo "Creating thumbnail for $fname" echo "Creating thumbnail for $fname"
mkdir -p "$(dirname ".thumbnails/$fname")" mkdir -p $(dirname ".thumbnails/$fname")
magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||: magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png" touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
done <<< "$images" done <<< "$images"
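Review bot: In the update script, `while IFS= read fname` (no `-r`) in both loops and the unquoted `mkdir -p $(dirname ".thumbnails/$fname")` and `tar -tf ${transferDir}/gallery.tar.gz` mangle filenames from the pushed tarball that contain backslashes or whitespace, so the following `rm -f` and thumbnail steps silently act on the wrong path; use `while IFS= read -r fname; do`, `mkdir -p "$(dirname ".thumbnails/$fname")"` and `tar -tf '${transferDir}/gallery.tar.gz'`. The `gallery-publish` authorized key has `restrict` and a forced `rrsync -wo` command but no `from=` option, so a leaked key can push from any address; add `from="microbel.pvv.ntnu.no"` since the comment already names that host as the only source. `useDefaultShell = true` is non-obvious and deserves its reason, e.g. `# rrsync's forced command only runs if the user has a real login shell`.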


@@ -6,11 +6,7 @@ Contact: mailto:cert@pvv.ntnu.no
Preferred-Languages: no, en Preferred-Languages: no, en
Expires: 2032-12-31T23:59:59.000Z Expires: 2032-12-31T23:59:59.000Z
# This file was last updated 2026-02-27. # This file was last updated 2024-09-14.
# You can find a wikipage for our security policies at: # You can find a wikipage for our security policies at:
# https://wiki.pvv.ntnu.no/wiki/CERT # https://wiki.pvv.ntnu.no/wiki/CERT
# Please note that we are a student organization, and unfortunately we do not
# have a bug bounty program or offer monetary compensation for disclosure of
# security vulnerabilities.
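Review bot: `Expires: 2032-12-31T23:59:59.000Z` is several years out, whereas RFC 9116 recommends that the Expires value be less than a year in the future so that stale contact details are not trusted indefinitely. Consider something like `Expires: 2026-12-31T23:59:59.000Z` and refreshing it whenever the `# This file was last updated` comment is edited, since that line already has to be maintained by hand. The Contact line and any Canonical/Encryption fields are above this hunk, so I cannot tell from here whether the file is signed.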


@@ -9,8 +9,8 @@
./services/calendar-bot.nix ./services/calendar-bot.nix
#./services/git-mirrors #./services/git-mirrors
./services/minecraft-heatmap.nix ./services/minecraft-heatmap.nix
./services/mysql ./services/mysql.nix
./services/postgresql ./services/postgres.nix
./services/matrix ./services/matrix
]; ];
@@ -30,5 +30,5 @@
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11"; system.stateVersion = "22.11";
} }
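Review bot: `system.stateVersion` reads `"22.11"` on the right-hand side of this compare and `"25.11"` on the left, directly under the comment saying not to change it. Whichever side is merged, the value already recorded on the deployed host must win: stateVersion silently selects stateful defaults for some services (data-directory paths among them), and flipping it can point a service at an empty state directory. Suggest confirming the value against the running system before resolving this, and keeping the `# Don't change (even during upgrades) ...` comment as the governing rule.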


@@ -1,9 +1,8 @@
{ config, ... }: { config, ... }:
{ {
imports = [ imports = [
./synapse-admin.nix
./synapse-auto-compressor.nix
./synapse.nix ./synapse.nix
./synapse-admin.nix
./element.nix ./element.nix
./coturn.nix ./coturn.nix
./livekit.nix ./livekit.nix


@@ -37,7 +37,6 @@ in {
# element call group calls # element call group calls
feature_group_calls = true; feature_group_calls = true;
}; };
default_country_code = "NO";
default_theme = "dark"; default_theme = "dark";
# Servers in this list should provide some sort of valuable scoping # Servers in this list should provide some sort of valuable scoping
# matrix.org is not useful compared to matrixrooms.info, # matrix.org is not useful compared to matrixrooms.info,


@@ -14,10 +14,6 @@ in
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/hs_token"; key = "hookshot/hs_token";
}; };
sops.secrets."matrix/hookshot/passkey" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/passkey";
};
sops.templates."hookshot-registration.yaml" = { sops.templates."hookshot-registration.yaml" = {
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
@@ -48,14 +44,9 @@ in
}; };
systemd.services.matrix-hookshot = { systemd.services.matrix-hookshot = {
serviceConfig = { serviceConfig.SupplementaryGroups = [
SupplementaryGroups = [ config.users.groups.keys-matrix-registrations.name
config.users.groups.keys-matrix-registrations.name ];
];
LoadCredential = [
"passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
];
};
}; };
services.matrix-hookshot = { services.matrix-hookshot = {
@@ -63,8 +54,6 @@ in
package = unstablePkgs.matrix-hookshot; package = unstablePkgs.matrix-hookshot;
registrationFile = config.sops.templates."hookshot-registration.yaml".path; registrationFile = config.sops.templates."hookshot-registration.yaml".path;
settings = { settings = {
passFile = "/run/credentials/matrix-hookshot.service/passkey.pem";
bridge = { bridge = {
bindAddress = "127.0.0.1"; bindAddress = "127.0.0.1";
domain = "pvv.ntnu.no"; domain = "pvv.ntnu.no";
@@ -72,7 +61,6 @@ in
mediaUrl = "https://matrix.pvv.ntnu.no"; mediaUrl = "https://matrix.pvv.ntnu.no";
port = 9993; port = 9993;
}; };
listeners = [ listeners = [
{ {
bindAddress = webhookListenAddress; bindAddress = webhookListenAddress;
@@ -85,7 +73,6 @@ in
]; ];
} }
]; ];
generic = { generic = {
enabled = true; enabled = true;
outbound = true; outbound = true;
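Review bot: `generic = { enabled = true; outbound = true; ... }` enables outbound generic webhooks, which as I read hookshot lets a room admin make the bridge issue HTTP requests to a URL of their choosing from inside this host's network; unless hookshot restricts destinations, that is an SSRF path to loopback-bound services on the host. If the exposure is accepted, record it next to the setting: `# NOTE: outbound webhooks can reach internal/loopback addresses; only trusted room admins should configure them`. The right-hand side also drops the sops-managed `passFile` credential; if the module then generates `passkey.pem` in the service's state directory itself, make sure that directory is persisted and backed up, because losing the passkey invalidates every token the bridge has encrypted with it. The `generic` block continues below this hunk.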


@@ -43,7 +43,7 @@ in
keyFile = config.sops.templates."matrix-livekit-keyfile".path; keyFile = config.sops.templates."matrix-livekit-keyfile".path;
}; };
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (builtins.concatStringsSep "," [ "pvv.ntnu.no" "dodsorf.as" ]); systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable matrixDomain;
services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable { services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
locations."^~ /livekit/jwt/" = { locations."^~ /livekit/jwt/" = {
@@ -64,11 +64,4 @@ in
''; '';
}; };
}; };
networking.firewall.allowedUDPPortRanges = [
{
from = cfg.settings.rtc.port_range_start;
to = cfg.settings.rtc.port_range_end;
}
];
} }
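Review bot: The right-hand side no longer opens the `rtc.port_range_start`–`rtc.port_range_end` UDP range in the firewall, so unless that range is opened elsewhere, WebRTC media will either fail or fall back to TURN relaying; if dropping it is intentional, say so in a comment. Separately, `LIVEKIT_FULL_ACCESS_HOMESERVERS` is an authorization setting — as I understand lk-jwt-service, users of a listed homeserver can obtain full-access LiveKit tokens from this endpoint — so it deserves a comment such as `# Homeservers whose users may mint full-access LiveKit tokens via lk-jwt-service; adding a domain here trusts its entire user base`. Note that the left-hand side extends the list to a second domain, which widens that trust and should be a deliberate decision.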


@@ -1,4 +1,4 @@
{ config, pkgs, lib, values, fp, ... }: { config, pkgs, fp, ... }:
let let
cfg = config.services.matrix-ooye; cfg = config.services.matrix-ooye;
in in
@@ -28,23 +28,6 @@ in
}; };
}; };
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
locations."/var/lib/private/matrix-ooye" = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5koYfor5+kKB30Dugj3dAWvmj8h/akQQ2XYDvLobFL matrix_ooye rsync backup";
};
};
services.matrix-ooye = { services.matrix-ooye = {
enable = true; enable = true;
homeserver = "https://matrix.pvv.ntnu.no"; homeserver = "https://matrix.pvv.ntnu.no";


@@ -1,56 +0,0 @@
{ config, lib, utils, ... }:
let
cfg = config.services.synapse-auto-compressor;
in
{
services.synapse-auto-compressor = {
# enable = true;
postgresUrl = "postgresql://matrix-synapse@/synapse?host=/run/postgresql";
};
# NOTE: nixpkgs has some broken asserts, vendored the entire unit
systemd.services.synapse-auto-compressor = {
description = "synapse-auto-compressor";
requires = [
"postgresql.target"
];
inherit (cfg) startAt;
serviceConfig = {
Type = "oneshot";
DynamicUser = true;
User = "matrix-synapse";
PrivateTmp = true;
ExecStart = utils.escapeSystemdExecArgs [
"${cfg.package}/bin/synapse_auto_compressor"
"-p"
cfg.postgresUrl
"-c"
cfg.settings.chunk_size
"-n"
cfg.settings.chunks_to_compress
"-l"
(lib.concatStringsSep "," (map toString cfg.settings.levels))
];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateUsers = true;
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
ProcSubset = "pid";
ProtectProc = "invisible";
ProtectSystem = "strict";
ProtectHome = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
};
};
}


@@ -27,23 +27,6 @@ in {
''; '';
}; };
services.rsync-pull-targets = {
enable = true;
locations.${cfg.settings.media_store_path} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASnjI9b3j4ZS3BL/D1ggHfws1BkE8iS0v0cGpEmbG+k matrix_media_store rsync backup";
};
};
services.matrix-synapse-next = { services.matrix-synapse-next = {
enable = true; enable = true;


@@ -22,7 +22,7 @@ in
}; };
}; };
systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable { systemd.services.minecraft-heatmap-ingest-logs = {
serviceConfig.LoadCredential = [ serviceConfig.LoadCredential = [
"sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}" "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
]; ];


@@ -1,11 +1,5 @@
{ config, pkgs, lib, values, ... }: { pkgs, lib, config, values, ... }:
let
cfg = config.services.mysql;
dataDir = "/data/mysql";
in
{ {
imports = [ ./backup.nix ];
sops.secrets."mysql/password" = { sops.secrets."mysql/password" = {
owner = "mysql"; owner = "mysql";
group = "mysql"; group = "mysql";
@@ -15,7 +9,8 @@ in
services.mysql = { services.mysql = {
enable = true; enable = true;
package = pkgs.mariadb_118; dataDir = "/data/mysql";
package = pkgs.mariadb;
settings = { settings = {
mysqld = { mysqld = {
# PVV allows a lot of connections at the same time # PVV allows a lot of connections at the same time
@@ -26,9 +21,6 @@ in
# This was needed in order to be able to use all of the old users # This was needed in order to be able to use all of the old users
# during migration from knakelibrak to bicep in Sep. 2023 # during migration from knakelibrak to bicep in Sep. 2023
secure_auth = 0; secure_auth = 0;
slow-query-log = 1;
slow-query-log-file = "/var/log/mysql/mysql-slow.log";
}; };
}; };
@@ -44,31 +36,20 @@ in
}]; }];
}; };
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ]; services.mysqlBackup = {
enable = true;
systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable { location = "/var/lib/mysql/backups";
inherit (cfg) user group;
mode = "0700";
}; };
systemd.services.mysql = lib.mkIf cfg.enable { networking.firewall.allowedTCPPorts = [ 3306 ];
after = [
"systemd-tmpfiles-setup.service" systemd.services.mysql.serviceConfig = {
"systemd-tmpfiles-resetup.service" IPAddressDeny = "any";
IPAddressAllow = [
values.ipv4-space
values.ipv6-space
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
]; ];
serviceConfig = {
BindPaths = [ "${dataDir}:${cfg.dataDir}" ];
LogsDirectory = "mysql";
IPAddressDeny = "any";
IPAddressAllow = [
values.ipv4-space
values.ipv6-space
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
}; };
} }
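Review bot: `secure_auth = 0` in the `mysqld` settings lets clients authenticate with pre-4.1 16-byte password hashes; the comment above explains it as a migration shim for Sep. 2023, but no end date is recorded. The legacy accounts should by now have had their passwords reset to the current hashing, so add a tracking comment such as `# TODO: drop once no account uses old_passwords; secure_auth=0 accepts weak pre-4.1 hashes` and schedule removing the line. Network exposure is otherwise well scoped: 3306 is open in the firewall, but `IPAddressDeny = "any"` plus the allow-list confines the service to the PVV address space and ildkule. `dataDir = "/data/mysql"` is set without an accompanying permission rule here; confirm the directory ends up `0700 mysql:mysql`, since a world-readable data directory exposes every table file.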


@@ -1,83 +0,0 @@
{ config, lib, pkgs, values, ... }:
let
cfg = config.services.mysql;
backupDir = "/data/mysql-backups";
in
{
# services.mysqlBackup = lib.mkIf cfg.enable {
# enable = true;
# location = "/var/lib/mysql-backups";
# };
systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = {
user = "mysql";
group = "mysql";
mode = "700";
};
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
locations.${backupDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgj55/7Cnj4cYMJ5sIkl+OwcGeBe039kXJTOf2wvo9j mysql rsync backup";
};
};
# NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
# another unit, it was easier to just make one ourselves.
systemd.services."backup-mysql" = lib.mkIf cfg.enable {
description = "Backup MySQL data";
requires = [ "mysql.service" ];
path = with pkgs; [
cfg.package
coreutils
zstd
];
script = let
rotations = 2;
in ''
set -euo pipefail
OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
# NOTE: this needs to be a hardlink for rrsync to allow sending it
rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done
'';
serviceConfig = {
Type = "oneshot";
User = "mysql";
Group = "mysql";
UMask = "0077";
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
StateDirectory = [ "mysql-backups" ];
BindPaths = [ "${backupDir}:/var/lib/mysql-backups" ];
# TODO: hardening
};
startAt = "*-*-* 02:15:00";
};
}


@@ -1,17 +1,8 @@
{ config, lib, pkgs, values, ... }: { config, pkgs, values, ... }:
let
cfg = config.services.postgresql;
in
{ {
imports = [
./backup.nix
./cleanup-timers.nix
];
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_18; package = pkgs.postgresql_15;
extensions = ps: with ps; [ pg_repack ];
enableTCPIP = true; enableTCPIP = true;
authentication = '' authentication = ''
@@ -83,13 +74,13 @@ in
}; };
}; };
systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = lib.mkIf cfg.enable { systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
user = config.systemd.services.postgresql.serviceConfig.User; user = config.systemd.services.postgresql.serviceConfig.User;
group = config.systemd.services.postgresql.serviceConfig.Group; group = config.systemd.services.postgresql.serviceConfig.Group;
mode = "0700"; mode = "0700";
}; };
systemd.services.postgresql-setup = lib.mkIf cfg.enable { systemd.services.postgresql-setup = {
after = [ after = [
"systemd-tmpfiles-setup.service" "systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service" "systemd-tmpfiles-resetup.service"
@@ -104,7 +95,7 @@ in
}; };
}; };
systemd.services.postgresql = lib.mkIf cfg.enable { systemd.services.postgresql = {
after = [ after = [
"systemd-tmpfiles-setup.service" "systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service" "systemd-tmpfiles-resetup.service"
@@ -119,12 +110,18 @@ in
}; };
}; };
environment.snakeoil-certs."/etc/certs/postgres" = lib.mkIf cfg.enable { environment.snakeoil-certs."/etc/certs/postgres" = {
owner = "postgres"; owner = "postgres";
group = "postgres"; group = "postgres";
subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no"; subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
}; };
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 5432 ]; networking.firewall.allowedTCPPorts = [ 5432 ];
networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [ 5432 ]; networking.firewall.allowedUDPPorts = [ 5432 ];
services.postgresqlBackup = {
enable = true;
location = "/var/lib/postgres/backups";
backupAll = true;
};
} }
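Review bot: `networking.firewall.allowedUDPPorts = [ 5432 ];` opens a port PostgreSQL never listens on — the server speaks TCP only — so the line is pure attack surface and should be removed, leaving just `networking.firewall.allowedTCPPorts = [ 5432 ];`. The TLS certificate comes from `environment.snakeoil-certs`, i.e. a self-signed certificate generated on the host; that encrypts the wire but clients cannot authenticate the server unless they pin this exact certificate, so either document that clients must use `sslmode=verify-full` with the cert distributed out of band, or move to a CA-issued certificate, and consider `hostssl` rules in the `authentication` block (which starts above this hunk) to refuse plaintext connections. The right-hand side also pins `pkgs.postgresql_15` while the other side is on `postgresql_18`; a major-version change needs `pg_upgrade`, so whichever is merged must match the on-disk cluster.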


@@ -1,84 +0,0 @@
{ config, lib, pkgs, values, ... }:
let
cfg = config.services.postgresql;
backupDir = "/data/postgresql-backups";
in
{
# services.postgresqlBackup = lib.mkIf cfg.enable {
# enable = true;
# location = "/var/lib/postgresql-backups";
# backupAll = true;
# };
systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = {
user = "postgres";
group = "postgres";
mode = "700";
};
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
locations.${backupDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvO7QX7QmwSiGLXEsaxPIOpAqnJP3M+qqQRe5dzf8gJ postgresql rsync backup";
};
};
# NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
# another unit, it was easier to just make one ourselves
systemd.services."backup-postgresql" = {
description = "Backup PostgreSQL data";
requires = [ "postgresql.service" ];
path = with pkgs; [
coreutils
zstd
cfg.package
];
script = let
rotations = 2;
in ''
set -euo pipefail
OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
# NOTE: this needs to be a hardlink for rrsync to allow sending it
rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done
'';
serviceConfig = {
Type = "oneshot";
User = "postgres";
Group = "postgres";
UMask = "0077";
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
StateDirectory = [ "postgresql-backups" ];
BindPaths = [ "${backupDir}:/var/lib/postgresql-backups" ];
# TODO: hardening
};
startAt = "*-*-* 01:15:00";
};
}


@@ -1,37 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.postgresql;
in
{
config = lib.mkIf cfg.enable {
systemd.services = {
postgresql-repack = {
requires = [ "postgresql.service" ];
after = [ "postgresql.target" ];
description = "Repack all PostgreSQL databases";
startAt = "Mon 06:00:00";
serviceConfig = {
Type = "oneshot";
User = "postgres";
Group = "postgres";
ExecStart = "${lib.getExe cfg.package.pkgs.pg_repack} --host=/run/postgresql --no-kill-backend --wait-timeout=30 --all";
};
};
postgresql-vacuum-analyze = {
requires = [ "postgresql.service" ];
after = [ "postgresql.target" ];
description = "Vacuum and analyze all PostgreSQL databases";
startAt = "Tue 06:00:00";
serviceConfig = {
Type = "oneshot";
User = "postgres";
Group = "postgres";
ExecStart = "${lib.getExe' cfg.package "psql"} --port=${builtins.toString cfg.settings.port} -tAc 'VACUUM ANALYZE'";
};
};
};
};
}


@@ -17,5 +17,5 @@
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11"; system.stateVersion = "23.05";
} }


@@ -32,5 +32,5 @@
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11"; system.stateVersion = "23.05";
} }


@@ -7,7 +7,6 @@
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./services/bluemap.nix
(fp /base) (fp /base)
]; ];


@@ -22,7 +22,7 @@
"sd_mod" "sd_mod"
]; ];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" = {
@@ -31,7 +31,7 @@
}; };
fileSystems."/boot" = { fileSystems."/boot" = {
device = "/dev/disk/by-uuid/BD97-FCA0"; device = "/dev/disk/by-uuid/D00A-B488";
fsType = "vfat"; fsType = "vfat";
options = [ options = [
"fmask=0077" "fmask=0077"


@@ -1,113 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
in {
# NOTE: our version of the module gets added in flake.nix
disabledModules = [ "services/web-apps/bluemap.nix" ];
sops.secrets."bluemap/ssh-key" = { };
sops.secrets."bluemap/ssh-known-hosts" = { };
services.bluemap = {
enable = true;
eula = true;
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
enableNginx = false;
host = "minecraft.pvv.ntnu.no";
maps = let
inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
in {
"verden" = {
extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:overworld";
name = "Verden";
sorting = 0;
start-pos = {
x = 0;
z = 0;
};
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
};
"underverden" = {
extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_nether";
name = "Underverden";
sorting = 100;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#290000";
void-color = "#150000";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
render-mask = [{
max-y = 90;
}];
};
};
"enden" = {
extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_end";
name = "Enden";
sorting = 200;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#080010";
void-color = "#080010";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
};
};
systemd.services."render-bluemap-maps" = {
serviceConfig = {
StateDirectory = [ "bluemap/world" ];
ExecStartPre = let
rsyncArgs = lib.cli.toCommandLineShellGNU { } {
archive = true;
compress = true;
verbose = true;
no-owner = true;
no-group = true;
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
};
in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
ExecStartPost = let
rsyncArgs = lib.cli.toCommandLineShellGNU { } {
archive = true;
compress = true;
verbose = true;
no-owner = true;
no-group = true;
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
};
in "${lib.getExe pkgs.rsync} ${rsyncArgs} --groupmap=root:nginx ${config.services.bluemap.webRoot}/ root@bekkalokk.pvv.ntnu.no:/";
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
];
};
};
}


@@ -1,23 +1,17 @@
{ config, fp, pkgs, lib, values, ... }:
{ {
config,
fp,
pkgs,
lib,
values,
...
}: {
imports = [ imports = [
./hardware-configuration.nix # Include the results of the hardware scan.
./disks.nix ./hardware-configuration.nix
(fp /base) (fp /base)
./services/monitoring ./services/monitoring
./services/nginx ./services/nginx
./services/journald-remote.nix ./services/journald-remote.nix
]; ];
boot.loader.grub.enable = true; boot.loader.systemd-boot.enable = false;
boot.loader.systemd-boot.enable = lib.mkForce false; boot.loader.grub.device = "/dev/vda";
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
@@ -33,22 +27,13 @@
nameservers = values.defaultNetworkConfig.dns; nameservers = values.defaultNetworkConfig.dns;
defaultGateway.address = hostConf.ipv4_internal_gw; defaultGateway.address = hostConf.ipv4_internal_gw;
interfaces."ens3" = { interfaces."ens4" = {
ipv4.addresses = [ ipv4.addresses = [
{ { address = hostConf.ipv4; prefixLength = 32; }
address = hostConf.ipv4; { address = hostConf.ipv4_internal; prefixLength = 24; }
prefixLength = 32;
}
{
address = hostConf.ipv4_internal;
prefixLength = 24;
}
]; ];
ipv6.addresses = [ ipv6.addresses = [
{ { address = hostConf.ipv6; prefixLength = 64; }
address = hostConf.ipv6;
prefixLength = 64;
}
]; ];
}; };
}; };


@@ -1,27 +0,0 @@
{
disko.devices = {
disk = {
sda = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
bios = {
size = "1M";
type = "EF02";
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}


@@ -1,24 +1,16 @@
# Do not modify this file! It was generated by 'nixos-generate-config' { modulesPath, lib, ... }:
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
[ (modulesPath + "/profiles/qemu-guest.nix") boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
]; boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
fsType = "ext4";
};
fileSystems."/data" = {
device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
fsType = "ext4";
};
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
} }



@@ -13,7 +13,7 @@
] ]
}, },
"description": "", "description": "",
"editable": false, "editable": true,
"gnetId": 11323, "gnetId": 11323,
"graphTooltip": 1, "graphTooltip": 1,
"id": 31, "id": 31,
@@ -1899,7 +1899,7 @@
"dashes": false, "dashes": false,
"datasource": "$datasource", "datasource": "$datasource",
"decimals": 0, "decimals": 0,
"description": "***System Memory***: Total Memory for the system.\\\n***InnoDB Buffer Pool Data***: InnoDB maintains a storage area called the buffer pool for caching data and indexes in memory.\\\n***TokuDB Cache Size***: Similar in function to the InnoDB Buffer Pool, TokuDB will allocate 50% of the installed RAM for its own cache.\\\n***Key Buffer Size***: Index blocks for MYISAM tables are buffered and are shared by all threads. key_buffer_size is the size of the buffer used for index blocks.\\\n***Adaptive Hash Index Size***: When InnoDB notices that some index values are being accessed very frequently, it builds a hash index for them in memory on top of B-Tree indexes.\\\n ***Query Cache Size***: The query cache stores the text of a SELECT statement together with the corresponding result that was sent to the client. The query cache has huge scalability problems in that only one thread can do an operation in the query cache at the same time.\\\n***InnoDB Dictionary Size***: The data dictionary is InnoDB s internal catalog of tables. InnoDB stores the data dictionary on disk, and loads entries into memory while the server is running.\\\n***InnoDB Log Buffer Size***: The MySQL InnoDB log buffer allows transactions to run without having to write the log to disk before the transactions commit.", "description": "***System Memory***: Total Memory for the system.\\\n***InnoDB Buffer Pool Data***: InnoDB maintains a storage area called the buffer pool for caching data and indexes in memory.\\\n***TokuDB Cache Size***: Similar in function to the InnoDB Buffer Pool, TokuDB will allocate 50% of the installed RAM for its own cache.\\\n***Key Buffer Size***: Index blocks for MYISAM tables are buffered and are shared by all threads. 
key_buffer_size is the size of the buffer used for index blocks.\\\n***Adaptive Hash Index Size***: When InnoDB notices that some index values are being accessed very frequently, it builds a hash index for them in memory on top of B-Tree indexes.\\\n ***Query Cache Size***: The query cache stores the text of a SELECT statement together with the corresponding result that was sent to the client. The query cache has huge scalability problems in that only one thread can do an operation in the query cache at the same time.\\\n***InnoDB Dictionary Size***: The data dictionary is InnoDB 's internal catalog of tables. InnoDB stores the data dictionary on disk, and loads entries into memory while the server is running.\\\n***InnoDB Log Buffer Size***: The MySQL InnoDB log buffer allows transactions to run without having to write the log to disk before the transactions commit.",
"editable": true, "editable": true,
"error": false, "error": false,
"fieldConfig": { "fieldConfig": {
@@ -3690,7 +3690,7 @@
}, },
"hide": 0, "hide": 0,
"includeAll": false, "includeAll": false,
"label": "Data source", "label": "Data Source",
"multi": false, "multi": false,
"name": "datasource", "name": "datasource",
"options": [], "options": [],
@@ -3713,12 +3713,12 @@
"definition": "label_values(mysql_up, job)", "definition": "label_values(mysql_up, job)",
"hide": 0, "hide": 0,
"includeAll": true, "includeAll": true,
"label": "Job", "label": "job",
"multi": true, "multi": true,
"name": "job", "name": "job",
"options": [], "options": [],
"query": "label_values(mysql_up, job)", "query": "label_values(mysql_up, job)",
"refresh": 2, "refresh": 1,
"regex": "", "regex": "",
"skipUrlSync": false, "skipUrlSync": false,
"sort": 0, "sort": 0,
@@ -3742,12 +3742,12 @@
"definition": "label_values(mysql_up, instance)", "definition": "label_values(mysql_up, instance)",
"hide": 0, "hide": 0,
"includeAll": true, "includeAll": true,
"label": "Instance", "label": "instance",
"multi": true, "multi": true,
"name": "instance", "name": "instance",
"options": [], "options": [],
"query": "label_values(mysql_up, instance)", "query": "label_values(mysql_up, instance)",
"refresh": 2, "refresh": 1,
"regex": "", "regex": "",
"skipUrlSync": false, "skipUrlSync": false,
"sort": 0, "sort": 0,


@@ -328,7 +328,7 @@
"rgba(50, 172, 45, 0.97)" "rgba(50, 172, 45, 0.97)"
], ],
"datasource": "${DS_PROMETHEUS}", "datasource": "${DS_PROMETHEUS}",
"format": "short", "format": "decbytes",
"gauge": { "gauge": {
"maxValue": 100, "maxValue": 100,
"minValue": 0, "minValue": 0,
@@ -411,7 +411,7 @@
"rgba(50, 172, 45, 0.97)" "rgba(50, 172, 45, 0.97)"
], ],
"datasource": "${DS_PROMETHEUS}", "datasource": "${DS_PROMETHEUS}",
"format": "short", "format": "decbytes",
"gauge": { "gauge": {
"maxValue": 100, "maxValue": 100,
"minValue": 0, "minValue": 0,
@@ -1410,7 +1410,7 @@
"tableColumn": "", "tableColumn": "",
"targets": [ "targets": [
{ {
"expr": "pg_settings_seq_page_cost{instance=\"$instance\"}", "expr": "pg_settings_seq_page_cost",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"refId": "A" "refId": "A"
@@ -1872,7 +1872,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "short", "format": "bytes",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
@@ -1966,7 +1966,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "short", "format": "bytes",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
@@ -2060,7 +2060,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "short", "format": "bytes",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
@@ -2251,7 +2251,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "short", "format": "bytes",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
@@ -2439,7 +2439,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "short", "format": "bytes",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
@@ -2589,35 +2589,35 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "irate(pg_stat_bgwriter_buffers_backend_total{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_buffers_backend{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "buffers_backend", "legendFormat": "buffers_backend",
"refId": "A" "refId": "A"
}, },
{ {
"expr": "irate(pg_stat_bgwriter_buffers_alloc_total{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_buffers_alloc{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "buffers_alloc", "legendFormat": "buffers_alloc",
"refId": "B" "refId": "B"
}, },
{ {
"expr": "irate(pg_stat_bgwriter_buffers_backend_fsync_total{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_buffers_backend_fsync{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "backend_fsync", "legendFormat": "backend_fsync",
"refId": "C" "refId": "C"
}, },
{ {
"expr": "irate(pg_stat_bgwriter_buffers_checkpoint_total{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_buffers_checkpoint{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "buffers_checkpoint", "legendFormat": "buffers_checkpoint",
"refId": "D" "refId": "D"
}, },
{ {
"expr": "irate(pg_stat_bgwriter_buffers_clean_total{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_buffers_clean{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "buffers_clean", "legendFormat": "buffers_clean",
@@ -2886,14 +2886,14 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "irate(pg_stat_bgwriter_checkpoint_write_time_total{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_checkpoint_write_time{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "write_time - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk.", "legendFormat": "write_time - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk.",
"refId": "B" "refId": "B"
}, },
{ {
"expr": "irate(pg_stat_bgwriter_checkpoint_sync_time_total{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_checkpoint_sync_time{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "sync_time - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk.", "legendFormat": "sync_time - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk.",



@@ -47,13 +47,13 @@ in {
{ {
name = "Node Exporter Full"; name = "Node Exporter Full";
type = "file"; type = "file";
url = "https://grafana.com/api/dashboards/1860/revisions/42/download"; url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
options.path = dashboards/node-exporter-full.json; options.path = dashboards/node-exporter-full.json;
} }
{ {
name = "Matrix Synapse"; name = "Matrix Synapse";
type = "file"; type = "file";
url = "https://github.com/element-hq/synapse/raw/refs/heads/develop/contrib/grafana/synapse.json"; url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
options.path = dashboards/synapse.json; options.path = dashboards/synapse.json;
} }
{ {
@@ -65,9 +65,15 @@ in {
{ {
name = "Postgresql"; name = "Postgresql";
type = "file"; type = "file";
url = "https://grafana.com/api/dashboards/9628/revisions/8/download"; url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
options.path = dashboards/postgres.json; options.path = dashboards/postgres.json;
} }
{
name = "Go Processes (gogs)";
type = "file";
url = "https://grafana.com/api/dashboards/240/revisions/3/download";
options.path = dashboards/go-processes.json;
}
{ {
name = "Gitea Dashboard"; name = "Gitea Dashboard";
type = "file"; type = "file";
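Review bot: The Matrix Synapse entry on the new side points at a branch URL (`.../matrix-org/synapse/develop/contrib/grafana/synapse.json`), so if the `url` attribute is what an update helper fetches from (it is not a Grafana provisioning key, so I assume a local script consumes it) the dashboard JSON will change silently whenever that branch moves. Pin it to a commit or tag, e.g. `url = "https://raw.githubusercontent.com/matrix-org/synapse/<commit>/contrib/grafana/synapse.json"`, and note that the other side of this diff already uses `element-hq/synapse`, which is where Synapse development continued. The dashboards list this hunk belongs to starts above and ends below the hunk.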


@@ -21,7 +21,6 @@ in {
fileSystems."/var/lib/prometheus2" = { fileSystems."/var/lib/prometheus2" = {
device = stateDir; device = stateDir;
fsType = "bind";
options = [ "bind" ]; options = [ "bind" ];
}; };
} }


@@ -19,15 +19,15 @@ in {
(mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "gluttony" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) # (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
(mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ]) (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ]) (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ]) (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])


@@ -19,9 +19,8 @@ in {
locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}"; locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
}; };
fileSystems."/var/lib/private/uptime-kuma" = { fileSystems."/var/lib/uptime-kuma" = {
device = stateDir; device = stateDir;
fsType = "bind";
options = [ "bind" ]; options = [ "bind" ];
}; };
} }
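Review bot: The bind mount target on the new side is `/var/lib/uptime-kuma`, but if the uptime-kuma unit runs with `DynamicUser` (as the upstream NixOS module does, as far as I know) systemd keeps its state under `/var/lib/private/uptime-kuma` and only places a symlink at `/var/lib/uptime-kuma`, so a mount at the symlink's path either shadows the symlink or never covers the directory the service actually writes to. The other side of this diff mounts `/var/lib/private/uptime-kuma`, which is the real path in that setup; confirm where the data ends up after a restart before settling on `fileSystems."/var/lib/uptime-kuma"`.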


@@ -4,7 +4,6 @@
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
./disks.nix
./services/gitea ./services/gitea
./services/nginx.nix ./services/nginx.nix


@@ -1,80 +0,0 @@
{ lib, ... }:
{
disko.devices = {
disk = {
sda = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
root = {
name = "root";
label = "root";
start = "1MiB";
end = "-5G";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
# subvolumes = let
# makeSnapshottable = subvolPath: mountOptions: let
# name = lib.replaceString "/" "-" subvolPath;
# in {
# "@${name}/active" = {
# mountpoint = subvolPath;
# inherit mountOptions;
# };
# "@${name}/snapshots" = {
# mountpoint = "${subvolPath}/.snapshots";
# inherit mountOptions;
# };
# };
# in {
# "@" = { };
# "@/swap" = {
# mountpoint = "/.swapvol";
# swap.swapfile.size = "4G";
# };
# "@/root" = {
# mountpoint = "/";
# mountOptions = [ "compress=zstd" "noatime" ];
# };
# }
# // (makeSnapshottable "/home" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/nix" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/var/lib" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/var/log" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/var/cache" [ "compress=zstd" "noatime" ]);
# swap.swapfile.size = "4G";
mountpoint = "/";
};
};
swap = {
name = "swap";
label = "swap";
start = "-5G";
end = "-1G";
content.type = "swap";
};
ESP = {
name = "ESP";
label = "ESP";
start = "-1G";
end = "100%";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
};
};
};
};
};
}


@@ -13,6 +13,21 @@
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/86CD-4C23";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction


@@ -10,59 +10,6 @@ in
catppuccin = pkgs.gitea-theme-catppuccin; catppuccin = pkgs.gitea-theme-catppuccin;
}; };
services.gitea.settings = {
ui = {
DEFAULT_THEME = "gitea-auto";
REACTIONS = lib.concatStringsSep "," [
"+1"
"-1"
"laugh"
"confused"
"heart"
"hooray"
"rocket"
"eyes"
"100"
"anger"
"astonished"
"no_good"
"ok_hand"
"pensive"
"pizza"
"point_up"
"sob"
"skull"
"upside_down_face"
"shrug"
"huh"
"bruh"
"okiedokie"
"grr"
];
CUSTOM_EMOJIS = lib.concatStringsSep "," [
"bruh"
"grr"
"huh"
"ohyeah"
];
};
"ui.meta" = {
AUTHOR = "Programvareverkstedet";
DESCRIPTION = "Bokstavelig talt programvareverkstedet";
KEYWORDS = lib.concatStringsSep "," [
"git"
"hackerspace"
"nix"
"open source"
"foss"
"organization"
"software"
"student"
];
};
};
systemd.services.gitea-customization = lib.mkIf cfg.enable { systemd.services.gitea-customization = lib.mkIf cfg.enable {
description = "Install extra customization in gitea's CUSTOM_DIR"; description = "Install extra customization in gitea's CUSTOM_DIR";
wantedBy = [ "gitea.service" ]; wantedBy = [ "gitea.service" ];
@@ -99,23 +46,18 @@ in
]; ];
} '' } ''
# Bigger icons # Bigger icons
install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl" install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl" sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
''; '';
in '' in ''
install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg' install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png' install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png' install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl' install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
install -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl' install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
install -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml' install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
install -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png' "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
install -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'
install -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'
install -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'
'${lib.getExe pkgs.rsync}' -a '${customTemplates}/' '${cfg.customDir}/templates/'
''; '';
}; };
} }
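Review bot: The install lines on the new side interpolate store paths and `${cfg.customDir}` into the shell unquoted, e.g. `install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg` and the rsync destination `${cfg.customDir}/templates/`, so a customDir containing whitespace or glob characters would be word-split or expanded. Quote each argument, as the `icon.tmpl` line already does with `"${cfg.package.src}/..."`, e.g. `install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'` and `'${lib.getExe pkgs.rsync}' -a '${customTemplates}/' '${cfg.customDir}/templates/'`. The `script` this belongs to starts above the hunk.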



@@ -83,24 +83,11 @@ in {
AUTO_WATCH_NEW_REPOS = false; AUTO_WATCH_NEW_REPOS = false;
}; };
admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention"; admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
session.COOKIE_SECURE = true;
security = { security = {
SECRET_KEY = lib.mkForce ""; SECRET_KEY = lib.mkForce "";
SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}"; SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
}; };
cache = {
ADAPTER = "redis";
HOST = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=0";
ITEM_TTL = "72h";
};
session = {
COOKIE_SECURE = true;
PROVIDER = "redis";
PROVIDER_CONFIG = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=1";
};
queue = {
TYPE = "redis";
CONN_STR = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=2";
};
database.LOG_SQL = false; database.LOG_SQL = false;
repository = { repository = {
PREFERRED_LICENSES = lib.concatStringsSep "," [ PREFERRED_LICENSES = lib.concatStringsSep "," [
@@ -131,14 +118,41 @@ in {
"repo.pulls" "repo.pulls"
"repo.releases" "repo.releases"
]; ];
ALLOW_FORK_INTO_SAME_OWNER = true;
}; };
picture = { picture = {
DISABLE_GRAVATAR = true;
ENABLE_FEDERATED_AVATAR = false;
AVATAR_MAX_FILE_SIZE = 1024 * 1024 * 5; AVATAR_MAX_FILE_SIZE = 1024 * 1024 * 5;
# NOTE: go any bigger than this, and gitea will freeze your gif >:( # NOTE: go any bigger than this, and gitea will freeze your gif >:(
AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2; AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
}; };
actions.ENABLED = true; actions.ENABLED = true;
ui = {
REACTIONS = lib.concatStringsSep "," [
"+1"
"-1"
"laugh"
"confused"
"heart"
"hooray"
"rocket"
"eyes"
"100"
"anger"
"astonished"
"no_good"
"ok_hand"
"pensive"
"pizza"
"point_up"
"sob"
"skull"
"upside_down_face"
"shrug"
];
};
"ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
}; };
dump = { dump = {
@@ -150,26 +164,12 @@ in {
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
systemd.services.gitea = lib.mkIf cfg.enable { systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch";
wants = [ "redis-gitea.service" ];
after = [ "redis-gitea.service" ];
serviceConfig = { systemd.services.gitea.serviceConfig.CacheDirectory = "gitea/repo-archive";
CPUSchedulingPolicy = "batch"; systemd.services.gitea.serviceConfig.BindPaths = [
CacheDirectory = "gitea/repo-archive"; "%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
BindPaths = [ ];
"%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
];
};
};
services.redis.servers.gitea = lib.mkIf cfg.enable {
enable = true;
user = config.services.gitea.user;
save = [ ];
openFirewall = false;
port = 5698;
};
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
forceSSL = true; forceSSL = true;
@@ -195,26 +195,9 @@ in {
networking.firewall.allowedTCPPorts = [ sshPort ]; networking.firewall.allowedTCPPorts = [ sshPort ];
services.rsync-pull-targets = {
enable = true;
locations.${cfg.dump.backupDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpMVrOppyqYaDiAhqmAuOaRsubFvcQGBGyz+NHB6+0o gitea rsync backup";
};
};
systemd.services.gitea-dump = { systemd.services.gitea-dump = {
serviceConfig.ExecStart = let serviceConfig.ExecStart = let
args = lib.cli.toCommandLineShellGNU { } { args = lib.cli.toGNUCommandLineShell { } {
type = cfg.dump.type; type = cfg.dump.type;
# This should be declarative on nixos, no need to backup. # This should be declarative on nixos, no need to backup.
@@ -226,11 +209,16 @@ in {
# Logs are stored in the systemd journal # Logs are stored in the systemd journal
skip-log = true; skip-log = true;
}; };
in lib.mkForce "${lib.getExe cfg.package} dump ${args}"; in lib.mkForce "${lib.getExe cfg.package} ${args}";
# Only keep a single backup file at a time. # Only keep n backup files at a time
postStop = '' postStop = let
${lib.getExe' pkgs.coreutils "mv"} '${cfg.dump.backupDir}'/gitea-dump-*.tar.gz gitea-dump.tar.gz cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
''; backupCount = 3;
in ''
for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
${cu "rm"} "$file"
done
'';
}; };
} }
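Review bot: The ExecStart on the new side, `in lib.mkForce "${lib.getExe cfg.package} ${args}";`, appears to have lost the `dump` subcommand, so the unit would invoke the gitea binary with only the `--type`/`--skip-*` flags; it should read `in lib.mkForce "${lib.getExe cfg.package} dump ${args}";`. The postStop pruning loop has a second problem: `ls` prints bare file names, so `rm "$file"` resolves relative to the unit's working directory rather than the backup directory; use `${cu "rm"} -- "${cfg.dump.backupDir}/$file"` (and note that the `ls -t` ordering is immediately discarded by `sort --reverse`, which sorts by name, so retention relies on the timestamp embedded in the dump file name). Separately, the `picture` section on this side no longer sets `DISABLE_GRAVATAR = true` / `ENABLE_FEDERATED_AVATAR = false`, so avatar lookups for users without an uploaded avatar may hand e-mail hashes to a third-party service; keep those if that is not intended. The `services.gitea.settings` attribute set these hunks belong to starts above the first hunk.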


@@ -28,7 +28,7 @@ in
users.users."gitea-web" = { users.users."gitea-web" = {
group = "gitea-web"; group = "gitea-web";
isSystemUser = true; isSystemUser = true;
useDefaultShell = true; shell = pkgs.bash;
}; };
sops.secrets."gitea/web-secret-provider/token" = { sops.secrets."gitea/web-secret-provider/token" = {
@@ -53,7 +53,7 @@ in
Slice = "system-giteaweb.slice"; Slice = "system-giteaweb.slice";
Type = "oneshot"; Type = "oneshot";
ExecStart = let ExecStart = let
args = lib.cli.toCommandLineShellGNU { } { args = lib.cli.toGNUCommandLineShell { } {
org = "%i"; org = "%i";
token-path = "%d/token"; token-path = "%d/token";
api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1"; api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
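Review bot: `users.users."gitea-web"` is an `isSystemUser` account that only exists to own a oneshot unit, yet the new side gives it `shell = pkgs.bash`; a system account normally keeps the default no-login shell, which is the least-privilege choice should the account ever become reachable via `su` or ssh. Unless something here genuinely needs a login shell, drop the line, or keep `useDefaultShell = true;` as on the other side so it at least follows the host-wide default. The `systemd.services` definition in the second hunk starts and ends outside the hunk.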


@@ -1,9 +1,10 @@
{ fp, values, lib, lupineName, ... }: { fp, values, lupineName, ... }:
{ {
imports = [ imports = [
./hardware-configuration/${lupineName}.nix ./hardware-configuration/${lupineName}.nix
(fp /base) (fp /base)
./services/gitea-runner.nix ./services/gitea-runner.nix
]; ];


@@ -14,28 +14,27 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/e88adbb7-de01-4f9b-b338-fffed743c259"; { device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
fsType = "btrfs"; fsType = "ext4";
options = [ "subvol=@root" "compress=zstd" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/e88adbb7-de01-4f9b-b338-fffed743c259";
fsType = "btrfs";
options = [ "subvol=@nix" "compress=zstd" "noatime" ];
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/81D6-38D3"; { device = "/dev/disk/by-uuid/81D6-38D3";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = [ "fmask=0077" "dmask=0077" ];
}; };
swapDevices = swapDevices =
[ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; } [ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }


@@ -14,27 +14,27 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/ab2e1a13-8e95-48d8-970c-64fa2fab52d0"; { device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0";
fsType = "btrfs"; fsType = "ext4";
options = [ "subvol=@root" "compress=zstd" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/ab2e1a13-8e95-48d8-970c-64fa2fab52d0";
fsType = "btrfs";
options = [ "subvol=@nix" "noatime" "compress=zstd" ];
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/4A34-6AE5"; { device = "/dev/disk/by-uuid/4A34-6AE5";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = [ "fmask=0077" "dmask=0077" ];
}; };
swapDevices = swapDevices =
[ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; } [ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }


@@ -14,28 +14,27 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/0a5bda7c-af55-4d3d-9135-7f7cbb78004d"; { device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88";
fsType = "btrfs"; fsType = "ext4";
options = [ "subvol=@root" "compress=zstd" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/0a5bda7c-af55-4d3d-9135-7f7cbb78004d";
fsType = "btrfs";
options = [ "subvol=@nix" "noatime" "compress=zstd" ];
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/63FA-297B"; { device = "/dev/disk/by-uuid/63FA-297B";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = [ "fmask=0077" "dmask=0077" ];
}; };
swapDevices = swapDevices =
[ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; } [ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }


@@ -14,27 +14,21 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/fcd51970-f040-4c45-94cf-2b372d4599a2"; { device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd";
fsType = "btrfs"; fsType = "ext4";
options = [ "subvol=@root" "compress=zstd" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/fcd51970-f040-4c45-94cf-2b372d4599a2";
fsType = "btrfs";
options = [ "subvol=@nix" "noatime" "compress=zstd" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A22E-E41A";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
}; };
swapDevices = swapDevices =
[ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; } [ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }


@@ -14,27 +14,27 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/85830e14-e2c8-4f04-95fa-d6ab22840bc7"; { device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343";
fsType = "btrfs"; fsType = "ext4";
options = [ "subvol=@root" "compress=zstd" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/85830e14-e2c8-4f04-95fa-d6ab22840bc7";
fsType = "btrfs";
options = [ "subvol=@nix" "noatime" "compress=zstd" ];
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/F372-37DF"; { device = "/dev/disk/by-uuid/F372-37DF";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = [ "fmask=0077" "dmask=0077" ];
}; };
swapDevices = swapDevices =
[ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; } [ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }


@@ -39,22 +39,17 @@
"debian-bullseye-slim:docker://node:current-bullseye-slim" "debian-bullseye-slim:docker://node:current-bullseye-slim"
"alpine-latest:docker://node:current-alpine" "alpine-latest:docker://node:current-alpine"
"alpine-3.23:docker://node:current-alpine3.23"
"alpine-3.22:docker://node:current-alpine3.22" "alpine-3.22:docker://node:current-alpine3.22"
"alpine-3.21:docker://node:current-alpine3.21" "alpine-3.21:docker://node:current-alpine3.21"
# See https://gitea.com/gitea/runner-images # See https://gitea.com/gitea/runner-images
"ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest" "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
"ubuntu-26.04:docker://docker.gitea.com/runner-images:ubuntu-26.04"
"ubuntu-resolute:docker://docker.gitea.com/runner-images:ubuntu-26.04"
"ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04" "ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04"
"ubuntu-noble:docker://docker.gitea.com/runner-images:ubuntu-24.04" "ubuntu-noble:docker://docker.gitea.com/runner-images:ubuntu-24.04"
"ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04" "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
"ubuntu-jammy:docker://docker.gitea.com/runner-images:ubuntu-22.04" "ubuntu-jammy:docker://docker.gitea.com/runner-images:ubuntu-22.04"
"ubuntu-latest-slim:docker://docker.gitea.com/runner-images:ubuntu-latest-slim" "ubuntu-latest-slim:docker://docker.gitea.com/runner-images:ubuntu-latest-slim"
"ubuntu-26.04-slim:docker://docker.gitea.com/runner-images:ubuntu-26.04-slim"
"ubuntu-resolute-slim:docker://docker.gitea.com/runner-images:ubuntu-26.04-slim"
"ubuntu-24.04-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim" "ubuntu-24.04-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
"ubuntu-noble-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim" "ubuntu-noble-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
"ubuntu-22.04-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim" "ubuntu-22.04-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim"
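Review bot: Every runner label on the new side resolves to a mutable tag (`node:current-alpine`, `runner-images:ubuntu-latest`, `runner-images:ubuntu-24.04`), so the job environment is whatever the registry served at last pull and can change under a workflow without any change in this file. Where reproducibility or supply-chain review matters, pin the image by digest (docker references accept `image:tag@sha256:…`), e.g. `"ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04@sha256:<digest>"`, and bump it deliberately. The `labels` list this hunk is part of starts and ends outside the hunk.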


@@ -15,5 +15,5 @@
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11"; system.stateVersion = "23.05";
} }


@@ -1,63 +0,0 @@
{
fp,
lib,
config,
values,
...
}:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./disk-config.nix
(fp /base)
];
boot.consoleLogLevel = 0;
sops.defaultSopsFile = fp /secrets/skrot/skrot.yaml;
systemd.network.networks."enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0";
address = with values.hosts.skrot; [
(ipv4 + "/25")
(ipv6 + "/64")
];
};
sops.secrets = {
"dibbler/postgresql/password" = {
owner = "dibbler";
group = "dibbler";
};
};
services.dibbler = {
enable = true;
kioskMode = true;
limitScreenWidth = 80;
limitScreenHeight = 42;
settings = {
general.quit_allowed = false;
database = {
type = "postgresql";
postgresql = {
username = "pvv_vv";
dbname = "pvv_vv";
host = "postgres.pvv.ntnu.no";
password_file = config.sops.secrets."dibbler/postgresql/password".path;
};
};
};
};
systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
enable = true;
wantedBy = [ "getty.target" ]; # to start at boot
serviceConfig.Restart = "always"; # restart when session is closed
};
system.stateVersion = "25.11"; # Did you read the comment? Nah bro
}


@@ -1,41 +0,0 @@
{
disko.devices = {
disk = {
main = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
type = "EF00";
size = "1G";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
plainSwap = {
size = "8G";
content = {
type = "swap";
discardPolicy = "both";
resumeDevice = false;
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}


@@ -1,15 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,93 @@
{ config, pkgs, lib, fp, values, ... }: {
imports = [
# ./hardware-configuration.nix
(fp /base)
];
sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
boot = {
consoleLogLevel = 0;
enableContainers = false;
loader.grub.enable = false;
loader.systemd-boot.enable = false;
kernelPackages = pkgs.linuxPackages;
};
# Now turn off a bunch of stuff lol
system.autoUpgrade.enable = lib.mkForce false;
services.irqbalance.enable = lib.mkForce false;
services.logrotate.enable = lib.mkForce false;
services.nginx.enable = lib.mkForce false;
services.postfix.enable = lib.mkForce false;
services.smartd.enable = lib.mkForce false;
services.udisks2.enable = lib.mkForce false;
services.thermald.enable = lib.mkForce false;
services.promtail.enable = lib.mkForce false;
boot.supportedFilesystems.zfs = lib.mkForce false;
documentation.enable = lib.mkForce false;
# TODO: can we reduce further?
sops.secrets = {
"dibbler/postgresql/password" = {
owner = "dibbler";
group = "dibbler";
};
};
# zramSwap.enable = true;
networking = {
hostName = "skrot";
defaultGateway = values.hosts.gateway;
defaultGateway6 = values.hosts.gateway6;
interfaces.eth0 = {
useDHCP = false;
ipv4.addresses = [{
address = values.hosts.skrott.ipv4;
prefixLength = 25;
}];
ipv6.addresses = [{
address = values.hosts.skrott.ipv6;
prefixLength = 25;
}];
};
};
services.dibbler = {
enable = true;
kioskMode = true;
limitScreenWidth = 80;
limitScreenHeight = 42;
settings = {
general.quit_allowed = false;
database = {
type = "postgresql";
postgresql = {
username = "pvv_vv";
dbname = "pvv_vv";
host = "postgres.pvv.ntnu.no";
password_file = config.sops.secrets."dibbler/postgresql/password".path;
};
};
};
};
# https://github.com/NixOS/nixpkgs/issues/84105
boot.kernelParams = [
"console=ttyUSB0,9600"
# "console=tty1" # Already part of the module
];
systemd.services."serial-getty@ttyUSB0" = {
enable = true;
wantedBy = [ "getty.target" ]; # to start at boot
serviceConfig.Restart = "always"; # restart when session is closed
};
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11";
}
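Review bot: `hostName = "skrot"` does not match the `values.hosts.skrott` entries that the same `networking` block reads for its addresses, so one of the two spellings is probably a typo; `hostName = "skrott";` would make them agree. The IPv6 address is given `prefixLength = 25`, while the ustetind configuration in this same compare writes its IPv6 address as `ipv6 + "/64"`; a /25 on IPv6 looks like a copy of the IPv4 prefix, so confirm the intended length. With the hardware-configuration import commented out and both bootloaders disabled, a one-line comment at the top saying that this host is cross-compiled as an image (as the commit title suggests) would explain to the next reader why the usual pieces are missing.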


@@ -6,7 +6,7 @@
(fp /base) (fp /base)
./services/nfs-mounts.nix ./services/nfs-mounts.nix
./services/userweb ./services/userweb.nix
]; ];
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {


@@ -1,7 +1,7 @@
{ lib, values, ... }: { lib, values, ... }:
let let
# See microbel:/etc/exports # See microbel:/etc/exports
letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ]; letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
in in
{ {
systemd.targets."pvv-homedirs" = { systemd.targets."pvv-homedirs" = {
@@ -52,6 +52,9 @@ in
# TODO: are there cgi scripts that modify stuff in peoples homedirs? # TODO: are there cgi scripts that modify stuff in peoples homedirs?
# "ro" # "ro"
"rw" "rw"
# TODO: can we enable this and still run cgi stuff?
# "noexec"
]; ];
}) letters; }) letters;
} }
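Review bot: The added TODO asks whether `noexec` is compatible with CGI, but `nosuid` and `nodev` do not stop scripts from running from the mount and could be added to this option list right away, so that setuid bits and device nodes inside user home directories are ignored on the host that serves them. The option list begins before the hunk, so I am assuming these are the per-letter NFS mount options; if so, `"rw"` followed by `"nosuid"` and `"nodev"`, keeping the `# "noexec"` TODO as is, would be my suggestion.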


@@ -0,0 +1,29 @@
{ ... }:
{
services.httpd = {
enable = true;
# extraModules = [];
# virtualHosts."userweb.pvv.ntnu.no" = {
virtualHosts."temmie.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
};
};
systemd.services.httpd = {
after = [ "pvv-homedirs.target" ];
requires = [ "pvv-homedirs.target" ];
serviceConfig = {
ProtectHome = "tmpfs";
BindPaths = let
letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
in map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") letters;
};
};
# TODO: create phpfpm pools with php environments that contain packages similar to those present on tom
}
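Review bot: The new `services.httpd` block enables the server and a vhost but sets no `adminAddr`, which the deleted `userweb/default.nix` in this compare provided (`adminAddr = "drift@pvv.ntnu.no";`); the NixOS httpd module may refuse to evaluate without it, so confirm before relying on this file. The service also bind-mounts the `/home/pvv/<letter>` trees into the unit yet enables neither the `userdir` module nor the `DirectoryMatch ... Require all denied` rules for `.git`, `.ssh`, `.env` and similar paths, nor the `CapabilityBoundingSet`/`ProtectSystem`/`SystemCallFilter` hardening that the deleted file carried; if this is a deliberate WIP stub, a top comment such as `# WIP: UserDir, dotfile deny rules and unit hardening still to be restored from the previous default.nix` would keep it from being deployed as a finished configuration. The letters list duplicates the one in nfs-mounts.nix; defining it once and referencing it from both files would stop the two from drifting apart.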


@@ -1,352 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.httpd;
homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
phpOptions = lib.concatStringsSep "\n" (lib.mapAttrsToList (k: v: "${k} = ${v}"){
display_errors = "Off";
display_startup_errors = "Off";
post_max_size = "40M";
upload_max_filesize = "40M";
});
# https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
phpEnv = pkgs.php.buildEnv {
extensions = { all, ... }: with all; [
bz2
curl
decimal
gd
imagick
mysqli
mysqlnd
pgsql
posix
protobuf sqlite3
uuid
xml
xsl
zlib
zstd
pdo
pdo_mysql
pdo_pgsql
pdo_sqlite
];
extraConfig = phpOptions;
};
perlEnv = pkgs.perl.withPackages (ps: with ps; [
pkgs.exiftool
pkgs.ikiwiki
pkgs.irssi
pkgs.nix.libs.nix-perl-bindings
CGI
DBDPg
DBDSQLite
DBDmysql
DBI
Git
ImageMagick
JSON
TemplateToolkit
]);
# https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
pythonEnv = pkgs.python3.buildEnv.override {
extraLibs = with pkgs.python3Packages; [
legacy-cgi
matplotlib
requests
];
ignoreCollisions = true;
};
sendmailWrapper = pkgs.writeShellApplication {
name = "sendmail";
runtimeInputs = [ ];
text = ''
args=("$@")
if [[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]; then
# Prepend -fusername to the argument list, so bounces go to the user
args=("-f$USERDIR_USER" "''${args[@]}")
fi
exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
'';
};
# https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
fhsEnv = pkgs.buildEnv {
name = "userweb-env";
ignoreCollisions = true;
paths = with pkgs; [
bash
sendmailWrapper
perlEnv
pythonEnv
phpEnv
]
++ (with phpEnv.packages; [
# composer
])
++ [
# Useful packages for homepages
exiftool
gnuplot
ikiwiki-full
imagemagick
jhead
ruby
sbcl
sourceHighlight
# Missing packages from tom
# blosxom
# pyblosxom
# mediawiki (TODO: do people host their own mediawikis in userweb?)
# nanoblogger
# Version control
cvs
rcs
git
# Compression/Archival
bzip2
gnutar
gzip
lz4
unzip
xz
zip
zstd
# Other tools you might expect to find on a normal system
acl
coreutils-full
curl
diffutils
file
findutils
gawk
gnugrep
gnumake
gnupg
gnused
less
man
util-linux
vim
wget
which
xdg-utils
];
extraOutputsToInstall = [
"man"
"doc"
];
};
in
{
imports = [
./mail.nix
];
services.httpd = {
enable = true;
adminAddr = "drift@pvv.ntnu.no";
# TODO: consider upstreaming systemd support
# TODO: mod_log_journald in v2.5
package = pkgs.apacheHttpd.overrideAttrs (prev: {
nativeBuildInputs = prev.nativeBuildInputs ++ [ pkgs.pkg-config ];
buildInputs = prev.buildInputs ++ [ pkgs.systemdLibs ];
configureFlags = prev.configureFlags ++ [ "--enable-systemd" ];
});
enablePHP = true;
phpPackage = phpEnv;
inherit phpOptions;
enablePerl = true;
# TODO: mod_log_journald in v2.5
extraModules = [
"systemd"
"userdir"
# TODO: I think the compilation steps of pkgs.apacheHttpdPackages.mod_perl might have some
# incorrect or restrictive assumptions upstream, either nixpkgs or source
# {
# name = "perl";
# path = let
# mod_perl = pkgs.apacheHttpdPackages.mod_perl.override {
# apacheHttpd = cfg.package.out;
# perl = perlEnv;
# };
# in "${mod_perl}/modules/mod_perl.so";
# }
];
extraConfig = ''
TraceEnable on
LogLevel warn rewrite:trace3
ScriptLog ${cfg.logDir}/cgi.log
'';
# virtualHosts."userweb.pvv.ntnu.no" = {
virtualHosts."temmie.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters}
UserDir disabled root
AddHandler cgi-script .cgi
DirectoryIndex index.html index.html.var index.php index.php3 index.cgi index.phtml index.shtml meg.html
SetEnvIf Request_URI "^/~([^/]+)" USERDIR_USER=$1
<Directory "/home/pvv/?/*/web-docs">
Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI IncludesNoExec
AllowOverride All
Require all granted
</Directory>
<DirectoryMatch "^/home/pvv/.*/web-docs/(${lib.concatStringsSep "|" [
"\\.git"
"\\.hg"
"\\.svn"
"\\.ssh"
"\\.env"
"\\.envrc"
"\\.bzr"
"\\.venv"
"CVS"
"RCS"
".*\\.swp"
".*\\.bak"
".*~"
]})(/|$)">
AllowOverride All
Require all denied
</DirectoryMatch>
'';
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
# socket activation comes in v2.5
# systemd.sockets.httpd = {
# wantedBy = [ "sockets.target" ];
# description = "HTTPD socket";
# listenStreams = [
# "0.0.0.0:80"
# "0.0.0.0:443"
# ];
# };
systemd.services.httpd = {
after = [ "pvv-homedirs.target" ];
requires = [ "pvv-homedirs.target" ];
environment = {
PATH = lib.mkForce "/usr/bin";
};
serviceConfig = {
Type = lib.mkForce "notify";
ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start";
ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful";
ExecStop = lib.mkForce "";
KillMode = "mixed";
ConfigurationDirectory = [ "httpd" ];
LogsDirectory = [ "httpd" ];
LogsDirectoryMode = "0700";
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
LockPersonality = true;
PrivateDevices = true;
PrivateTmp = true;
# NOTE: this removes CAP_NET_BIND_SERVICE...
# PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = "tmpfs";
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectSystem = true;
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SocketBindDeny = "any";
SocketBindAllow = [
"tcp:80"
"tcp:443"
];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
UMask = "0077";
RuntimeDirectory = [ "httpd/root-mnt" ];
RootDirectory = "/run/httpd/root-mnt";
MountAPIVFS = true;
BindReadOnlyPaths = [
builtins.storeDir
"/etc"
# NCSD socket
"/var/run"
"/var/lib/acme"
"${fhsEnv}/bin:/bin"
"${fhsEnv}/sbin:/sbin"
"${fhsEnv}/lib:/lib"
"${fhsEnv}/share:/share"
] ++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") {
parent = [
"/local"
"/opt"
"/opt/local"
"/store"
"/store/gnu"
"/usr"
"/usr/local"
];
child = [
"/bin"
"/sbin"
"/lib"
"/libexec"
"/include"
"/share"
];
});
BindPaths = map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") homeLetters;
};
};
# TODO: create phpfpm pools with php environments that contain packages similar to those present on tom
}


@@ -1,12 +0,0 @@
{ config, lib, ... }:
{
services.postfix.enable = lib.mkForce false;
services.nullmailer = {
enable = true;
config = {
me = config.networking.fqdn;
remotes = "mail.pvv.ntnu.no smtp --port=25";
};
};
}


@@ -0,0 +1,40 @@
{ config, fp, pkgs, lib, values, ... }:
{
imports = [
(fp /base)
./services/gitea-runners.nix
];
boot.loader.systemd-boot.enable = false;
networking.useHostResolvConf = lib.mkForce false;
systemd.network.networks = {
"30-lxc-eth" = values.defaultNetworkConfig // {
matchConfig = {
Type = "ether";
Kind = "veth";
Name = [
"eth*"
];
};
address = with values.hosts.ustetind; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
"40-podman-veth" = values.defaultNetworkConfig // {
matchConfig = {
Type = "ether";
Kind = "veth";
Name = [
"veth*"
];
};
DHCP = "yes";
};
};
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "24.11";
}


@@ -0,0 +1,41 @@
{ config, lib, values, ... }:
let
mkRunner = name: {
# This is unfortunately state, and has to be generated one at a time :(
# To do that, comment out all except one of the runners, fill in its token
# inside the sops file, rebuild the system, and only after this runner has
# successfully registered will gitea give you the next token.
# - oysteikt Sep 2023
sops.secrets."gitea/runners/${name}".restartUnits = [
"gitea-runner-${name}.service"
];
services.gitea-actions-runner.instances = {
${name} = {
enable = true;
name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
labels = [
"debian-latest:docker://node:current-bookworm"
"ubuntu-latest:docker://node:current-bookworm"
];
tokenFile = config.sops.secrets."gitea/runners/${name}".path;
};
};
};
in
lib.mkMerge [
(mkRunner "alpha")
(mkRunner "beta")
(mkRunner "epsilon")
{
virtualisation.podman = {
enable = true;
defaultNetwork.settings.dns_enabled = true;
autoPrune.enable = true;
};
networking.dhcpcd.IPv6rs = false;
networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
}
]
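Review bot: The runner labels map both `debian-latest` and `ubuntu-latest` to the floating tag `docker://node:current-bookworm`, so every CI job runs on whatever that tag points to at pull time; for runners that execute this repository's Nix builds, pinning the image by digest (or at least a fixed version tag) and bumping it deliberately gives reproducible and auditable runs. On the `name = "git-runner-${name}"; url = ...;` line two attributes share one line, unlike the rest of the file; split them. The `values` argument in the function header is not used in this file and can be dropped.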


@@ -376,7 +376,7 @@ in {
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
CPUSchedulingPolicy = "batch"; CPUSchedulingPolicy = "batch";
Group = lib.mkIf cfg.enableNginx "nginx"; Group = "nginx";
UMask = "026"; UMask = "026";
ExecStart = [ ExecStart = [
# If web folder doesnt exist generate it # If web folder doesnt exist generate it
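Review bot: `Group = "nginx";` is now unconditional, so this oneshot unit fails to start on a host where no `nginx` group exists; the old side guarded it with `lib.mkIf cfg.enableNginx`. If that option still exists on the new side, keep the guard, `Group = lib.mkIf cfg.enableNginx "nginx";`, or add a comment explaining why the group is always present. The enclosing unit definition starts and ends outside this hunk.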


@@ -77,29 +77,29 @@ in
id id
echo "Before if statement" echo "Before if statement"
stat "''${REGISTRATION_FILE}" stat ''${REGISTRATION_FILE}
if [[ ! -f "''${REGISTRATION_FILE}" ]]; then if [[ ! -f ''${REGISTRATION_FILE} ]]; then
echo "No registration file found at '$REGISTRATION_FILE'" echo "No registration file found at '$REGISTRATION_FILE'"
cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}" cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
fi fi
echo "After if statement" echo "After if statement"
stat "''${REGISTRATION_FILE}" stat ''${REGISTRATION_FILE}
AS_TOKEN="$('${lib.getExe pkgs.jq}' -r .as_token "''${REGISTRATION_FILE}")" AS_TOKEN=$(${lib.getExe pkgs.jq} -r .as_token ''${REGISTRATION_FILE})
HS_TOKEN="$('${lib.getExe pkgs.jq}' -r .hs_token "''${REGISTRATION_FILE}")" HS_TOKEN=$(${lib.getExe pkgs.jq} -r .hs_token ''${REGISTRATION_FILE})
DISCORD_TOKEN="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)" DISCORD_TOKEN=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)
DISCORD_CLIENT_SECRET="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)" DISCORD_CLIENT_SECRET=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)
# Check if we have all required tokens # Check if we have all required tokens
if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then
AS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)" AS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
echo "Generated new AS token: ''${AS_TOKEN}" echo "Generated new AS token: ''${AS_TOKEN}"
fi fi
if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then
HS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)" HS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
echo "Generated new HS token: ''${HS_TOKEN}" echo "Generated new HS token: ''${HS_TOKEN}"
fi fi
@@ -115,13 +115,13 @@ in
exit 1 exit 1
fi fi
shred -u "''${REGISTRATION_FILE}" shred -u ''${REGISTRATION_FILE}
cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}" cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
'${lib.getExe pkgs.jq}' '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' "''${REGISTRATION_FILE}" > "''${REGISTRATION_FILE}.tmp" ${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp
shred -u "''${REGISTRATION_FILE}" shred -u ''${REGISTRATION_FILE}
mv "''${REGISTRATION_FILE}.tmp" "''${REGISTRATION_FILE}" mv ''${REGISTRATION_FILE}.tmp ''${REGISTRATION_FILE}
''; '';
in in
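Review bot: In both hunks of this file the new side drops the quotes around `''${REGISTRATION_FILE}`, `${baseConfig}` and the `$(...)` assignments (`stat ''${REGISTRATION_FILE}`, `cp ... ${baseConfig} ''${REGISTRATION_FILE}`, `AS_TOKEN=$(... ''${REGISTRATION_FILE})`), so a path containing spaces or glob characters is split or expanded; restore the quoting, e.g. `stat "''${REGISTRATION_FILE}"`. Independently of that, the jq call in the second hunk splices the tokens into the jq program text (`'.as_token = "'$AS_TOKEN'" | ...'`), which breaks or misparses if a token contains a double quote or backslash; pass them with `--arg as_token "$AS_TOKEN"` (and likewise for the other three) and write `.as_token = $as_token` in the filter so the values are never interpreted as jq syntax. The `echo "Generated new AS token: ''${AS_TOKEN}"` and HS lines write the freshly generated secrets to the unit's journal; logging only that a token was generated, not its value, keeps them out of the logs. The script string starts before the first hunk and continues past the second.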


@@ -1,146 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.rsync-pull-targets;
in
{
options.services.rsync-pull-targets = {
enable = lib.mkEnableOption "";
rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { };
locations = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }@submoduleArgs: {
options = {
enable = lib.mkEnableOption "" // {
default = true;
example = false;
};
user = lib.mkOption {
type = lib.types.str;
description = "Which user to use as SSH login";
example = "root";
};
location = lib.mkOption {
type = lib.types.path;
default = name;
defaultText = lib.literalExpression "<name>";
example = "/path/to/rsyncable/item";
};
# TODO: handle autogeneration of keys
# autoGenerateSSHKeypair = lib.mkOption {
# type = lib.types.bool;
# default = config.publicKey == null;
# defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.publicKey != null";
# example = true;
# };
publicKey = lib.mkOption {
type = lib.types.str;
# type = lib.types.nullOr lib.types.str;
# default = null;
example = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA comment";
};
rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { } // {
default = cfg.rrsyncPackage;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.rrsyncPackage";
};
enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args";
rrsyncArgs = {
ro = lib.mkEnableOption "" // {
description = "Allow only reading from the DIR. Implies -no-del and -no-lock.";
};
wo = lib.mkEnableOption "" // {
description = "Allow only writing to the DIR.";
};
munge = lib.mkEnableOption "" // {
description = "Enable rsync's --munge-links on the server side.";
# TODO: set a default?
};
no-del = lib.mkEnableOption "" // {
description = "Disable rsync's --delete* and --remove* options.";
default = submoduleArgs.config.enableRecommendedHardening;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
};
no-lock = lib.mkEnableOption "" // {
description = "Avoid the single-run (per-user) lock check.";
default = submoduleArgs.config.enableRecommendedHardening;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
};
no-overwrite = lib.mkEnableOption "" // {
description = "Prevent overwriting existing files by enforcing --ignore-existing";
default = submoduleArgs.config.enableRecommendedHardening;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
};
};
authorizedKeysAttrs = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = lib.optionals submoduleArgs.config.enableRecommendedHardening [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
defaultText = lib.literalExpression ''
lib.optionals config.services.rsync-pull-targets.<name>.enableRecommendedHardening [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
]
'';
example = [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
};
};
}));
};
};
config = lib.mkIf cfg.enable {
# assertions = lib.pipe cfg.locations [
# (lib.filterAttrs (_: value: value.enable))
# TODO: assert that there are no duplicate (user, publicKey) pairs.
# if there are then ssh won't know which command to provide and might provide a random one, not sure.
# (lib.mapAttrsToList (_: { user, location, publicKey, ... }: {
# assertion =
# message = "";
# })
# ];
services.openssh.enable = true;
users.users = lib.pipe cfg.locations [
(lib.filterAttrs (_: value: value.enable))
lib.attrValues
# Index locations by SSH user
(lib.foldl (acc: location: acc // {
${location.user} = (acc.${location.user} or [ ]) ++ [ location ];
}) { })
(lib.mapAttrs (_name: locations: {
openssh.authorizedKeys.keys = map ({ user, location, rrsyncPackage, rrsyncArgs, authorizedKeysAttrs, publicKey, ... }: let
rrsyncArgString = lib.cli.toCommandLineShellGNU {
isLong = _: false;
} rrsyncArgs;
# TODO: handle " in location
in "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}"
) locations;
}))
];
};
}


@@ -51,24 +51,24 @@ in
script = let script = let
openssl = lib.getExe pkgs.openssl; openssl = lib.getExe pkgs.openssl;
in lib.concatMapStringsSep "\n" ({ name, value }: '' in lib.concatMapStringsSep "\n" ({ name, value }: ''
mkdir -p "$(dirname '${value.certificate}')" "$(dirname '${value.certificateKey}')" mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
if ! ${openssl} x509 -checkend 86400 -noout -in '${value.certificate}' if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
then then
echo "Regenerating '${value.certificate}'" echo "Regenerating '${value.certificate}'"
${openssl} req \ ${openssl} req \
-newkey rsa:4096 \ -newkey rsa:4096 \
-new -x509 \ -new -x509 \
-days '${toString value.daysValid}' \ -days "${toString value.daysValid}" \
-nodes \ -nodes \
-subj '${value.subject}' \ -subj "${value.subject}" \
-out '${value.certificate}' \ -out "${value.certificate}" \
-keyout '${value.certificateKey}' \ -keyout "${value.certificateKey}" \
${lib.escapeShellArgs value.extraOpenSSLArgs} ${lib.escapeShellArgs value.extraOpenSSLArgs}
fi fi
chown '${value.owner}:${value.group}' '${value.certificate}' chown "${value.owner}:${value.group}" "${value.certificate}"
chown '${value.owner}:${value.group}' '${value.certificateKey}' chown "${value.owner}:${value.group}" "${value.certificateKey}"
chmod '${value.mode}' '${value.certificate}' chmod "${value.mode}" "${value.certificate}"
chmod '${value.mode}' '${value.certificateKey}' chmod "${value.mode}" "${value.certificateKey}"
echo "\n-----------------\n" echo "\n-----------------\n"
'') (lib.attrsToList cfg); '') (lib.attrsToList cfg);
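Review bot: The rewritten lines now interpolate Nix values inside double quotes (`-subj "${value.subject}"`, `chown "${value.owner}:${value.group}" "${value.certificate}"`), so a subject, path or owner containing `$` or backticks is expanded by the shell, whereas the single quotes on the old side passed them literally; `mkdir -p $(dirname "...")` and `-in ${value.certificate}` are unquoted entirely, so paths with spaces break. The same hunk already uses `lib.escapeShellArgs` for `extraOpenSSLArgs`; applying `lib.escapeShellArg` to each of these values, e.g. `-subj ${lib.escapeShellArg value.subject} \`, is safer than hand-picked quoting in either direction. `echo "\n-----------------\n"` prints the backslashes literally under bash unless `-e` is given or `printf` is used. The `cfg` referenced on the last line is defined outside the hunk.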


@@ -1,14 +1,12 @@
{ lib, stdenvNoCC, fetchurl, makeWrapper, javaPackages }: { lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
let
jre = javaPackages.compiler.temurin-bin.jre-25;
in
stdenvNoCC.mkDerivation rec { stdenvNoCC.mkDerivation rec {
pname = "bluemap"; pname = "bluemap";
version = "5.20"; version = "5.15";
src = fetchurl { src = fetchurl {
url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar"; url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
hash = "sha256-txDN/vG429BHT09TrSB8uQhmB8irrmvvOXX4OX3OSC0="; hash = "sha256-g50V/4LtHaHNRMTt+PK/ZTf4Tber2D6ZHJvuAXQLaFI=";
}; };
dontUnpack = true; dontUnpack = true;
@@ -17,10 +15,7 @@ stdenvNoCC.mkDerivation rec {
installPhase = '' installPhase = ''
runHook preInstall runHook preInstall
makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
makeWrapper ${jre}/bin/java $out/bin/bluemap \
--add-flags "-jar $src"
runHook postInstall runHook postInstall
''; '';


@@ -33,63 +33,63 @@ in
lib.mergeAttrsList [ lib.mergeAttrsList [
(mw-ext { (mw-ext {
name = "CodeEditor"; name = "CodeEditor";
commit = "2db9c9cef35d88a0696b926e8e4ea2d479d0d73a"; commit = "6e5b06e8cf2d040c0abb53ac3735f9f3c96a7a4f";
hash = "sha256-f0tWJl/4hml+RCp7OoIpQ4WSGKE3/z8DTYOAOHbLA9A="; hash = "sha256-Jee+Ws9REUohywhbuemixXKaTRc54+cIlyUNDCyYcEM=";
}) })
(mw-ext { (mw-ext {
name = "CodeMirror"; name = "CodeMirror";
commit = "b16e614c3c4ba68c346b8dd7393ab005ab127441"; commit = "da9c5d4f03e6425f6f2cf68b75d21311e0f7e77e";
hash = "sha256-J/TJPo5Oxgpy6UQINivLKl8jzJp4k/mKv6br3kcCSMQ="; hash = "sha256-aL+v9xeqKHGmQVUWVczh54BkReu+fP49PT1NP7eTC6k=";
}) })
(mw-ext { (mw-ext {
name = "DeleteBatch"; name = "DeleteBatch";
commit = "1b947c0f80249cf052b58138f830b379edf080bc"; commit = "122072bbfb4eab96ed8c1451a3e74b5557054c58";
hash = "sha256-629RCz+38m2pfyJe/CrYutRoDyN1HzD0KzDdC2wwqlI="; hash = "sha256-L6AXoyFJEZoAQpLO6knJvYtQ6JJPMtaa+WhpnwbJeNU=";
}) })
(mw-ext { (mw-ext {
name = "PluggableAuth"; name = "PluggableAuth";
commit = "56893b8ee9ecd03eaee256e08c38bc82657ee0a1"; commit = "5caf605b9dfdd482cb439d1ba2000cba37f8b018";
hash = "sha256-gvoJey7YLMk+toutQTdWxpaedNDr59E+3xXWmXWCGl0="; hash = "sha256-TYJqR9ZvaWJ7i1t0XfgUS05qqqCgxAH8tRTklz/Bmlg=";
}) })
(mw-ext { (mw-ext {
name = "Popups"; name = "Popups";
commit = "6732d8d195bd8312779d8514e92bad372ef63096"; commit = "7ed940a09f83f869cbc0bc20f3ca92f85b534951";
hash = "sha256-XZzhA9UjAOUMcoGYYwiqRg2uInZ927JOZ9/IrZtarJU="; hash = "sha256-pcDPcu4kSvMHfSOuShrod694TKI9Oo3AEpMP9DXp9oY=";
}) })
(mw-ext { (mw-ext {
name = "Scribunto"; name = "Scribunto";
commit = "fc9658623bd37fad352e326ce81b2a08ef55f04d"; commit = "e755852a8e28a030a21ded2d5dd7270eb933b683";
hash = "sha256-P9WQk8O9qP+vXsBS9A5eXX+bRhnfqHetbkXwU3+c1Vk="; hash = "sha256-zyI5nSE+KuodJOWyV0CQM7G0GfkKEgfoF/czi2/qk98=";
}) })
(mw-ext { (mw-ext {
name = "SimpleSAMLphp"; name = "SimpleSAMLphp";
kebab-name = "simple-saml-php"; kebab-name = "simple-saml-php";
commit = "4c615a9203860bb908f2476a5467573e3287d224"; commit = "d41b4efd3cc44ca3f9f12e35385fc64337873c2a";
hash = "sha256-zNKvzInhdW3B101Hcghk/8m0Y+Qk/7XN7n0i/x/5hSE="; hash = "sha256-wfzXtsEEEjQlW5QE4Rf8pasAW/KSJsLkrez13baxeqA=";
}) })
(mw-ext { (mw-ext {
name = "TemplateData"; name = "TemplateData";
commit = "6884b10e603dce82ee39632f839ee5ccd8a6fbe3"; commit = "fd7cf4d95a70ef564130266f2a6b18f33a2a2ff9";
hash = "sha256-jcLe3r5fPIrQlp89N+PdIUSC7bkdd7pTmiYppSpdKVQ="; hash = "sha256-5OhDPFhIi55Eh5+ovMP1QTjNBb9Sm/3vyArNCApAgSw=";
}) })
(mw-ext { (mw-ext {
name = "TemplateStyles"; name = "TemplateStyles";
commit = "f0401a6b82528c8fd5a0375f1e55e72d1211f2ab"; commit = "0f7b94a0b094edee1c2a9063a3c42a1bdc0282d9";
hash = "sha256-tEcCNBz/i9OaE3mNrqw0J2K336BAf6it30TLhQkbtKs="; hash = "sha256-R406FgNcIip9St1hurtZoPPykRQXBrkJRKA9hapG81I=";
}) })
(mw-ext { (mw-ext {
name = "UserMerge"; name = "UserMerge";
commit = "6c138ffc65991766fd58ff4739fcb7febf097146"; commit = "d1917817dd287e7d883e879459d2d2d7bc6966f2";
hash = "sha256-366Nb0ilmXixWgk5NgCuoxj82Mf0iRu1bC/L/eofAxU="; hash = "sha256-la3/AQ38DMsrZ2f24T/z3yKzIrbyi3w6FIB5YfxGK9U=";
}) })
(mw-ext { (mw-ext {
name = "VisualEditor"; name = "VisualEditor";
commit = "9cfcca3195bf88225844f136da90ab7a1f6dd0b9"; commit = "032364cfdff33818e6ae0dfa251fe3973b0ae4f3";
hash = "sha256-jHw3RnUB3bQa1OvmzhEBqadZlFPWH62iGl5BLXi3nZ4="; hash = "sha256-AQDdq9r6rSo8h4u1ERonH14/1i1BgLGdzANEiQ065PU=";
}) })
(mw-ext { (mw-ext {
name = "WikiEditor"; name = "WikiEditor";
commit = "fe5329ba7a8c71ac8236cd0e940a64de2645b780"; commit = "cb9f7e06a9c59b6d3b31c653e5886b7f53583d01";
hash = "sha256-no6kH7esqKiZv34btidzy2zLd75SBVb8EaYVhfRPQSI="; hash = "sha256-UWi3Ac+LCOLliLkXnS8YL0rD/HguuPH5MseqOm0z7s4=";
}) })
] ]


@@ -83,7 +83,7 @@ def get_newest_commit(project_name: str, tracking_branch: str) -> str:
content = requests.get(f"{BASE_WEB_URL}/{project_name}/+log/refs/heads/{tracking_branch}/").text content = requests.get(f"{BASE_WEB_URL}/{project_name}/+log/refs/heads/{tracking_branch}/").text
soup = bs4.BeautifulSoup(content, features="html.parser") soup = bs4.BeautifulSoup(content, features="html.parser")
try: try:
a = soup.find('li').find('a') a = soup.find('li').findChild('a')
commit_sha = a['href'].split('/')[-1] commit_sha = a['href'].split('/')[-1]
except AttributeError: except AttributeError:
print(f"ERROR: Could not parse page for {project_name}:") print(f"ERROR: Could not parse page for {project_name}:")
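Review bot: `soup.find('li').findChild('a')` on the new side uses `findChild`, the legacy camelCase alias for `find`; newer BeautifulSoup releases deprecate those aliases, so `soup.find('li').find('a')` is the form to keep. The `requests.get(...)` on the first context line has no `timeout`, so a stalled connection hangs the script indefinitely, and without `raise_for_status()` an error page is parsed as if it were the commit log; adding `timeout=30` to the call and a `raise_for_status()` before reading `.text` addresses both. The function body continues past the hunk.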



@@ -10,19 +10,22 @@ let
in in
buildNpmPackage { buildNpmPackage {
pname = "delete-your-element"; pname = "delete-your-element";
version = "3.5.1"; version = "3.3-unstable-2026-01-21";
src = fetchFromGitea { src = fetchFromGitea {
domain = "git.pvv.ntnu.no"; domain = "git.pvv.ntnu.no";
owner = "Drift"; owner = "Drift";
repo = "delete-your-element"; repo = "delete-your-element";
rev = "80ac1d9d79207b6327975a264fcd9747b99a2a5d"; rev = "04d7872acb933254c0a4703064b2e08de31cfeb4";
hash = "sha256-fcBpUZ+WEMUXyyo/uaArl4D1NJmK95isWqhFSt6HzUU="; hash = "sha256-CkKt+8VYjIhNM76c3mTf7X6d4ob8tB2w8T6xYS7+LuY=";
}; };
inherit nodejs; inherit nodejs;
npmDepsHash = "sha256-EYxJi6ObJQOLyiJq4C3mV6I62ns9l64ZHcdoQxmN5Ao="; patches = [ ./fix-lockfile.patch ];
npmDepsHash = "sha256-tiGXr86x9QNAwhZcxSOox6sP9allyz9QSH3XOZOb3z8=";
dontNpmBuild = true; dontNpmBuild = true;
makeCacheWritable = true;
nativeBuildInputs = [ makeWrapper ]; nativeBuildInputs = [ makeWrapper ];
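Review bot: The new side adds `makeCacheWritable = true;` together with `patches = [ ./fix-lockfile.patch ];` without a comment on either; a writable cache means the npm install step can alter the prefetched dependency set, which is usually a sign that the lockfile and `npmDepsHash` do not fully agree, so the fixed-output hash no longer pins everything that ends up in the build. A one-line comment above `makeCacheWritable` stating which dependency forces it, and whether the lockfile patch alone could fix it, would tell the next updater when it can be removed. The `buildNpmPackage` call continues past the hunk.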


@@ -8,18 +8,18 @@
php.buildComposerProject rec { php.buildComposerProject rec {
pname = "simplesamlphp"; pname = "simplesamlphp";
version = "2.5.0"; version = "2.4.3";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "simplesamlphp"; owner = "simplesamlphp";
repo = "simplesamlphp"; repo = "simplesamlphp";
tag = "v${version}"; tag = "v${version}";
hash = "sha256-Md07vWhB/5MDUH+SPQEs8PYiUrkEgAyqQl+LO+ap0Sw="; hash = "sha256-vv4gzcnPfMapd8gER2Vsng1SBloHKWrJJltnw2HUnX4=";
}; };
composerStrictValidation = false; composerStrictValidation = false;
vendorHash = "sha256-GrEoGJXEyI1Ib+06GIuo5eRwxQ0UMKeX5RswShu2CHM="; vendorHash = "sha256-vu3Iz6fRk3Gnh9Psn46jgRYKkmqGte+5xHBRmvdgKG4=";
# TODO: metadata could be fetched automagically with these: # TODO: metadata could be fetched automagically with these:
# - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html # - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
