felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-01-12 02:18:25 +01:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: felixalb:misc-gitea-fixes
Branches Tags
felixalb:main felixalb:sops_add_vegardbm felixalb:syntax_error felixalb:alps felixalb:fix-bluemap-markers felixalb:nix-topology felixalb:gitea-robots-txt felixalb:bindmount-postgres-mysql-dirs felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:errorpages felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:dagali-heimdal-openldap-sasl-stack felixalb:gitea-navbar-get-started felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim
...
compare: felixalb:d88dd0a45ca00ece8e81af355decc01e7b5daf44
Branches Tags
felixalb:sops_add_vegardbm felixalb:main felixalb:syntax_error felixalb:alps felixalb:fix-bluemap-markers felixalb:nix-topology felixalb:gitea-robots-txt felixalb:bindmount-postgres-mysql-dirs felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:errorpages felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:dagali-heimdal-openldap-sasl-stack felixalb:gitea-navbar-get-started felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim

87 Commits
misc-gitea ... d88dd0a45c

Author SHA1 Message Date
Daniel Olsen
d88dd0a45c DROP WHEN MERGED: taler modules from #332699 2024-11-14 22:35:44 +01:00
Daniel Olsen
e6baa1c725 kvernberg: disable SMART 2024-11-14 21:56:45 +01:00
Daniel Olsen
43d4dddc48 kvernberg: temporarily autoupgrade to this branch DROP BEFORE MERGE 2024-11-14 21:56:45 +01:00
Daniel Olsen
ee3020d88d kvernberg: init 2024-11-14 21:56:45 +01:00
Felix Albrigtsen
8285d91401 Merge pull request 'Ildkule: Move monitoring state directories to data volume' (!88) from ildkule-data-volume into main 
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/88
Reviewed-by: Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
 2024-11-10 02:30:11 +01:00
Alf Helge Jakobsen
b07cd5fbf6 systemd hardening for pvv-nettsiden-gallery-update.service (!90) 
#133

Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/90
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
Co-authored-by: Alf Helge Jakobsen <alfhj@stud.ntnu.no>
Co-committed-by: Alf Helge Jakobsen <alfhj@stud.ntnu.no>
 2024-11-09 22:22:09 +01:00
Felix Albrigtsen
2d52ebce52 Ildkule: hardware-config: use UUIDs 2024-11-09 21:42:44 +01:00
h7x4
464576e856 flake.lock: bump greg-ng 2024-11-09 19:43:07 +01:00
Oystein Kristoffer Tveit
df35715978 Merge pull request 'Add alfhj.nix' (!89) from newusersconfig into main 
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/89
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
 2024-11-09 19:40:03 +01:00
Alf Helge Jakobsen
165ff56948 Add alfhj.nix 2024-11-09 19:35:19 +01:00
Felix Albrigtsen
11f6ef0572 Ildkule: Move monitoring state directories to data volume 2024-11-09 15:21:12 +01:00
h7x4
815f48c30d flake.lock: bump greg-ng 2024-10-22 19:50:29 +02:00
h7x4
4985bac3ba flake.lock: bump greg-ng 2024-10-20 23:18:35 +02:00
Oystein Kristoffer Tveit
9e41c3374d Merge pull request 'bekkalokk/nginx: host .well-known' (!79) from move-well-known-to-bekkalokk into main 
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/79
Reviewed-by: Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
 2024-10-20 01:35:22 +02:00
h7x4
f39fee4213 bekkalokk/nginx: host .well-known 2024-10-20 01:34:41 +02:00
Oystein Kristoffer Tveit
4c77c9fc67 Merge pull request 'greg-ng 🎉' (!86) from greg-ng-working-branch into main 
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/86
Reviewed-by: Felix Albrigtsen <felixalb@pvv.ntnu.no>
 2024-10-20 01:30:26 +02:00
h7x4
7938e8135f flake.lock: bump 2024-10-19 23:31:29 +02:00
h7x4
cbc3490882 modules/grzegorz: use greg-ng 2024-10-19 23:31:28 +02:00
Daniel Olsen
47ed79986c bicep/matrix: use sops templates for appservice registrations 2024-10-14 15:46:58 +02:00
Daniel Olsen
5aed665cc8 flake update 2024-10-14 00:24:29 +02:00
Daniel Olsen
2c86a2d812 bicep/matrix/hookshot: More configuration 2024-10-14 00:13:15 +02:00
Daniel Olsen
d4fd3f8332 bicep/matrix/hookshot: add nginx 2024-10-13 06:03:26 +02:00
Joakim Pettersvold
c1833eb07c bicep/matrix/hookshot: Configure matrix-hookshot 
Co-authored-by: Daniel Olsen <daniel.olsen99@gmail.com>
 2024-10-13 05:50:22 +02:00
Finn Landweber
5ee23ef2e2 bicep/matrix/hookshot: Backported from nixpkgs 
Co-authored-by: Joakim Pettersvold <joakimpokemeg@hotmail.no>
 2024-10-13 05:50:22 +02:00
Oystein Kristoffer Tveit
f5c16f46f1 Merge pull request 'disable-postgres-on-bekkalokk' (!85) from disable-postgres-on-bekkalokk into main 
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/85
Reviewed-by: Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
 2024-10-13 02:34:45 +02:00
h7x4
aa71d497f1 bekkalokk/roundcube: add postgres password 2024-10-12 23:57:27 +02:00
Daniel Olsen
c56d157c3f add registration secret 2024-10-12 23:49:10 +02:00
fredrikr79
4fbd823be6 bekkalokk/roundcube: add database.host 2024-10-12 22:53:42 +02:00
Daniel Olsen
6c9e651e59 bekkalokk/gitea: Add important emoji reactions 2024-10-12 22:42:59 +02:00
Adrian G L
f56e73548c base: openssh fix 2024-10-12 22:32:18 +02:00
Adrian Gunnar Lauterer
c62ea129ed Merge pull request 'base openssh added sleipner ssh keys' (!83) from sleipner-authorised-keys into main 
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/83
 2024-10-12 21:48:08 +02:00
Adrian G L
4b41ddcf5d base: openssh added sleipner ssh keys 2024-10-12 21:47:31 +02:00
Daniel Olsen
abec66b287 users/danio: add to wheel 2024-10-08 14:08:17 +02:00
Felix Albrigtsen
aa884353c7 Merge pull request 'Add ipv6 gateway' (!82) from ipv6-fix into main 
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/82
Reviewed-by: Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>
 2024-09-28 21:44:55 +02:00
Felix Albrigtsen
2147b56864 Add ipv6 gateway 2024-09-28 21:35:57 +02:00
Daniel Olsen
a7fe2aabc5 bicep/matrix/coturn: disable ipv6 to fix the service running at all 
coturn is just fundamentally broken, look at trying eturnal instead
 2024-09-27 07:30:48 +02:00
Daniel Olsen
cd23e35aac bicep/matrix: update module and remove deprecated options 2024-09-27 06:38:12 +02:00
Peder Bergebakken Sundt
06668cda79 Merge pull request 'flake.lock: Update' (!81) from sounding into main 
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/81
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
 2024-09-21 22:19:36 +02:00
Peder Bergebakken Sundt
2861f939b7 Merge pull request 'auto-upgrade: store flake input refs' (!80) from retain-flake-inputs into main 
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/80
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
 2024-09-21 22:19:18 +02:00
Peder Bergebakken Sundt
166b80988a flake.lock: Update 
Flake lock file updates:

• Updated input 'grzegorz':
    'github:Programvareverkstedet/grzegorz/0481aef6553ae9aee86e4edb4ca0ed4f2eba2058' (2024-05-18)
  → 'git+https://git.pvv.ntnu.no/Projects/grzegorz.git?ref=refs/heads/master&rev=d10db19d7df5c5c2cd2dcb878376d5d681f6c2f2' (2024-09-20)
• Updated input 'grzegorz/fix-python':
    'github:GuillaumeDesforges/fix-python/f7f4b33e22414071fc1f9cbf68072c413c3a7fdf' (2024-04-23)
  → 'github:GuillaumeDesforges/fix-python/2926402234c3f99aa8e4608c51d9ffa73ea403c0' (2024-09-04)
• Updated input 'grzegorz-clients':
    'github:Programvareverkstedet/grzegorz-clients/b9444658fbb39cd1bf1c61ee5a1d5f0641c49abe' (2024-05-19)
  → 'git+https://git.pvv.ntnu.no/Projects/grzegorz-clients.git?ref=refs/heads/master&rev=546d921ec46735dbf876e36f4af8df1064d09432' (2024-09-20)
 2024-09-20 22:49:19 +02:00
Peder Bergebakken Sundt
4913b22ab9 auto-upgrade: store flake input refs 2024-09-16 02:51:20 +02:00
Peder Bergebakken Sundt
4e81647fb6 auto-upgrade: --update-input -> --override-input 2024-09-15 19:14:03 +02:00
Felix Albrigtsen
5a76b62700 Merge pull request 'add gitea metrics' (!78) from gitea-metric into main 
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/78
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
 2024-09-14 20:33:28 +02:00
Felix Albrigtsen
0f77a42e34 Grafana: Add Gitea Dashbaord [sic] 2024-09-14 20:28:35 +02:00
Felix Albrigtsen
c64d28fc26 Prometheus: Monitor gitea metrics 2024-09-14 20:21:12 +02:00
Tony Yen
179d0743ce gitea: export metric issue #101 2024-09-14 19:26:25 +02:00
Daniel Olsen
47fa3759c3 buskerud: remove 
This is now a proxmox machine :grr:
 2024-09-05 18:00:42 +02:00
Daniel Olsen
3a37fefd4d fixup! Merge pull request 'Fix Ildkule/Openstack networking' (!75) from fix-openstack-networking into main 2024-09-05 14:24:40 +02:00
Daniel Olsen
47d7b88a05 ildkule/prometheus: consolidate scrape jobs and label with hostname for base info 2024-09-05 14:14:28 +02:00
Daniel Lovbrotte Olsen
78456063ba Merge pull request 'Fix Ildkule/Openstack networking' (!75) from fix-openstack-networking into main 
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/75
 2024-09-05 01:58:50 +02:00
Felix Albrigtsen
ca287b95c9 Ildkule/openstack: fix networking 
Removes systemd-networkd, and configures proper ipv4 and ipv6 in
openstack.
 2024-09-05 00:24:22 +02:00
Daniel Olsen
7e95b77e15 grzegorz: follow stable nix channel 
It broke because sanic
 2024-09-03 13:28:13 +02:00
Daniel Olsen
669733309b ildkule: get systemd stats from more machines 2024-09-03 13:10:36 +02:00
Daniel Olsen
4ed12573ff ildkule: fix system activation by disabling smartd 2024-09-03 13:07:58 +02:00
Daniel Olsen
8418cc016c fix biceps systemd units failing on activation 2024-09-03 13:00:12 +02:00
Daniel Olsen
b4c602e31c metrics: install systemd exporter 2024-09-02 23:12:24 +02:00
Daniel Olsen
3a0b8e270d bekkalokk/idp: Disallow bots 2024-09-02 23:11:44 +02:00
Daniel Olsen
9505223dc9 justfile: fix flake input updating 2024-09-02 19:33:15 +02:00
Daniel Olsen
201784fa21 bluemap on bekkalokk 💀 2024-09-02 15:11:32 +02:00
Daniel Olsen
ccefcb01fa flake.lock update 2024-09-02 14:12:39 +02:00
Daniel Olsen
f7e2c74f89 base: enable rebuilding nixos-config without updating the channels used 2024-09-01 22:10:58 +02:00
Felix Albrigtsen
161265d346 Bekkalokk/Nettsiden: deploy #78 2024-09-01 20:13:56 +02:00
h7x4
f85d18769f common: clean /tmp on boot by default 2024-09-01 03:29:46 +02:00
h7x4
b47a626427 common/openssh: socket activate 2024-09-01 03:21:13 +02:00
h7x4
4d65b9fd1d common/sudo: misc config 2024-09-01 03:17:15 +02:00
h7x4
f3e094520e common/postfix: init 2024-09-01 03:13:18 +02:00
h7x4
69f98933a4 common/smartd: add smartctl to environment packages 2024-09-01 01:55:38 +02:00
h7x4
bf2959c68d common/nix: flesh out 2024-09-01 01:44:59 +02:00
h7x4
17f0268d12 common/irqbalance: init 2024-09-01 01:39:35 +02:00
h7x4
ebce0eb67a common/smartd: init 2024-09-01 01:23:15 +02:00
h7x4
b48230e811 bekkalokk/btrfs: scrubbalubba dubdub 2024-09-01 01:04:28 +02:00
Daniel Olsen
914eb35c5a add a route for /_synapse/admin, point mjolnir at it 
This is whitelisted to just bicep

As a side-effect it's also much easier to use synapse-admin now
 2024-09-01 00:34:42 +02:00
h7x4
8610a59f35 base.nix: split into multiple files 2024-08-31 22:28:17 +02:00
h7x4
bd42412b94 bekkalokk/gitea/import-users: refactor + add members to groups 2024-08-27 22:07:29 +02:00
Daniel Olsen
ef3b146b58 bekkalokk/gitea: don't autowatch all members to all projects 2024-08-27 09:26:00 +02:00
h7x4
bb4662b345 modules/snakeoil-certs: fix lmao 2024-08-26 20:43:34 +02:00
h7x4
5b1c04e4b8 bicep/postgres: use snakeoil certs 2024-08-26 20:43:34 +02:00
h7x4
3fa7f67027 bekkalokk/gitea-web: host pages 2024-08-26 20:36:03 +02:00
h7x4
b0f555667c bekkalokk/gitea: set up gitea-web sync units 2024-08-26 20:36:03 +02:00
h7x4
ef418bf125 base/logrotate: systemd hardening + more 2024-08-22 23:00:45 +02:00
h7x4
945d53cdb4 bekkalokk/vaultwarden: systemd hardening 2024-08-22 22:59:32 +02:00
h7x4
cf3b62e01e bekkalokk/phpfpm-*: systemd hardening 2024-08-22 22:58:48 +02:00
h7x4
c12a47cee0 flake.nix: bump calendar bot 2024-08-17 01:19:46 +02:00
h7x4
b9ef27565f Bump calendar-bot 2024-08-16 09:16:26 +02:00
h7x4
f5c99b58c8 bicep/calendar-bot: reactivate 2024-08-15 23:22:50 +02:00
Peder Bergebakken Sundt
c780f7954c Merge pull request 'justfile: add recipe run-vm' (!64) from run-vm into main 
Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/64
Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
 2024-08-15 21:14:29 +02:00
Peder Bergebakken Sundt
2ff69dfec6 justfile: add recipe run-vm 2024-08-14 17:25:55 +02:00
88 changed files with 4661 additions and 671 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -1,3 +1,4 @@
result* result*
/configuration.nix /configuration.nix
/.direnv/ /.direnv/
*.qcow2

6
README.MD
View File

@@ -26,10 +26,14 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den. Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre: Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade` `nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
som root på maskinen. som root på maskinen.
Hvis du ikke har lyst til å oppdatere alle pakkene (og kanskje måtte vente en stund!) kan du kjøre
`nixos-rebuild switch --override-input nixpkgs nixpkgs --override-input nixpkgs-unstable nixpkgs-unstable --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
## Seksjonen for hemmeligheter ## Seksjonen for hemmeligheter
For at hemmeligheter ikke skal deles med hele verden i git - eller å være world For at hemmeligheter ikke skal deles med hele verden i git - eller å være world

142
base.nix
View File

@@ -1,142 +0,0 @@
{ config, lib, pkgs, inputs, values, ... }:
{
imports = [
./users
./modules/snakeoil-certs.nix
];
networking.domain = "pvv.ntnu.no";
networking.useDHCP = false;
# networking.search = [ "pvv.ntnu.no" "pvv.org" ];
# networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
# networking.tempAddresses = lib.mkDefault "disabled";
# networking.defaultGateway = values.hosts.gateway;
systemd.network.enable = true;
services.resolved = {
enable = lib.mkDefault true;
dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
};
time.timeZone = "Europe/Oslo";
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "no";
};
system.autoUpgrade = {
enable = true;
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
flags = [
"--update-input" "nixpkgs"
"--update-input" "nixpkgs-unstable"
"--no-write-lock-file"
];
};
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 2d";
nix.settings.experimental-features = [ "nix-command" "flakes" ];
/* This makes commandline tools like
** nix run nixpkgs#hello
** and nix-shell -p hello
** use the same channel the system
** was built with
*/
nix.registry = {
nixpkgs.flake = inputs.nixpkgs;
};
nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
environment.systemPackages = with pkgs; [
file
git
gnupg
htop
nano
ripgrep
rsync
screen
tmux
vim
wget
kitty.terminfo
];
programs.zsh.enable = true;
users.groups."drift".name = "drift";
# Trusted users on the nix builder machines
users.groups."nix-builder-users".name = "nix-builder-users";
# Let's not thermal throttle
services.thermald.enable = lib.mkIf (lib.all (x: x) [
(config.nixpkgs.system == "x86_64-linux")
(!config.boot.isContainer or false)
]) true;
services.openssh = {
enable = true;
extraConfig = ''
PubkeyAcceptedAlgorithms=+ssh-rsa
Match Group wheel
PasswordAuthentication no
Match All
'';
settings.PermitRootLogin = "yes";
};
# nginx return 444 for all nonexistent virtualhosts
systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
"/etc/certs/nginx" = {
owner = "nginx";
group = "nginx";
};
};
services.nginx = {
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
appendConfig = ''
pcre_jit on;
worker_processes auto;
worker_rlimit_nofile 100000;
'';
eventsConfig = ''
worker_connections 2048;
use epoll;
multi_accept on;
'';
};
systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
LimitNOFILE = 65536;
};
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
sslCertificate = "/etc/certs/nginx.crt";
sslCertificateKey = "/etc/certs/nginx.key";
addSSL = true;
extraConfig = "return 444;";
};
networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "drift@pvv.ntnu.no";
};
}

60
base/default.nix Normal file
View File

@@ -0,0 +1,60 @@
{ pkgs, lib, ... }:
{
imports = [
../users
../modules/snakeoil-certs.nix
./networking.nix
./nix.nix
./services/acme.nix
./services/auto-upgrade.nix
./services/irqbalance.nix
./services/logrotate.nix
./services/nginx.nix
./services/openssh.nix
./services/postfix.nix
./services/smartd.nix
./services/thermald.nix
];
boot.tmp.cleanOnBoot = lib.mkDefault true;
time.timeZone = "Europe/Oslo";
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "no";
};
environment.systemPackages = with pkgs; [
file
git
gnupg
htop
nano
ripgrep
rsync
screen
tmux
vim
wget
kitty.terminfo
];
programs.zsh.enable = true;
security.sudo.execWheelOnly = true;
security.sudo.extraConfig = ''
Defaults lecture = never
'';
users.groups."drift".name = "drift";
# Trusted users on the nix builder machines
users.groups."nix-builder-users".name = "nix-builder-users";
}

13
base/networking.nix Normal file
View File

@@ -0,0 +1,13 @@
{ lib, values, ... }:
{
systemd.network.enable = true;
networking.domain = "pvv.ntnu.no";
networking.useDHCP = false;
# The rest of the networking configuration is usually sourced from /values.nix
services.resolved = {
enable = lib.mkDefault true;
dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
};
}

34
base/nix.nix Normal file
View File

@@ -0,0 +1,34 @@
{ inputs, ... }:
{
nix = {
gc = {
automatic = true;
options = "--delete-older-than 2d";
};
settings = {
allow-dirty = true;
auto-optimise-store = true;
builders-use-substitutes = true;
experimental-features = [ "nix-command" "flakes" ];
log-lines = 50;
use-xdg-base-directories = true;
};
/* This makes commandline tools like
** nix run nixpkgs#hello
** and nix-shell -p hello
** use the same channel the system
** was built with
*/
registry = {
"nixpkgs".flake = inputs.nixpkgs;
"nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
"pvv-nix".flake = inputs.self;
};
nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"unstable=${inputs.nixpkgs-unstable}"
];
};
}

15
base/services/acme.nix Normal file
View File

@@ -0,0 +1,15 @@
{ ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "drift@pvv.ntnu.no";
};
# Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
virtualisation.vmVariant = {
security.acme.defaults.server = "https://127.0.0.1";
security.acme.preliminarySelfsigned = true;
users.users.root.initialPassword = "root";
};
}

26
base/services/auto-upgrade.nix Normal file
View File

@@ -0,0 +1,26 @@
{ inputs, pkgs, lib, ... }:
{
system.autoUpgrade = {
enable = true;
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git?ref=pvvvvv";
flags = [
# --update-input is deprecated since nix 2.22, and removed in lix 2.90
# https://git.lix.systems/lix-project/lix/issues/400
"--refresh"
"--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.05-small"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
"--no-write-lock-file"
];
};
# workaround for https://github.com/NixOS/nix/issues/6895
# via https://git.lix.systems/lix-project/lix/issues/400
environment.etc."current-system-flake-inputs.json".source
= pkgs.writers.writeJSON "flake-inputs.json" (
lib.flip lib.mapAttrs inputs (name: input:
# inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
// { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
)
);
}

4
base/services/irqbalance.nix Normal file
View File

@@ -0,0 +1,4 @@
{ ... }:
{
services.irqbalance.enable = true;
}

42
base/services/logrotate.nix Normal file
View File

@@ -0,0 +1,42 @@
{ ... }:
{
# source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
systemd.services.logrotate = {
documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
unitConfig.RequiresMountsFor = "/var/log";
serviceConfig = {
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
ReadWritePaths = [ "/var/log" ];
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true; # disable for third party rotate scripts
PrivateDevices = true;
PrivateNetwork = true; # disable for mail delivery
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true; # disable for userdir logs
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true; # disable for creating setgid directories
SocketBindDeny = [ "any" ];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
};
};
}

44
base/services/nginx.nix Normal file
View File

@@ -0,0 +1,44 @@
{ config, lib, ... }:
{
# nginx return 444 for all nonexistent virtualhosts
systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
"/etc/certs/nginx" = {
owner = "nginx";
group = "nginx";
};
};
networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
services.nginx = {
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
appendConfig = ''
pcre_jit on;
worker_processes auto;
worker_rlimit_nofile 100000;
'';
eventsConfig = ''
worker_connections 2048;
use epoll;
multi_accept on;
'';
};
systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
LimitNOFILE = 65536;
};
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
sslCertificate = "/etc/certs/nginx.crt";
sslCertificateKey = "/etc/certs/nginx.key";
addSSL = true;
extraConfig = "return 444;";
};
}

21
base/services/openssh.nix Normal file
View File

@@ -0,0 +1,21 @@
{ ... }:
{
services.openssh = {
enable = true;
startWhenNeeded = true;
extraConfig = ''
PubkeyAcceptedAlgorithms=+ssh-rsa
Match Group wheel
PasswordAuthentication no
Match All
'';
settings.PermitRootLogin = "yes";
};
users.users."root".openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqVt4LCe0YIttr9swFxjkjn37ZDY9JxwVC+2gvfSINDJorOCtqPjDOTD2fTS1Gz08QCwpnLWq2kyvRchu6WgriAbSACpbZZBgxRaF/FVh3oiMVFGnNKGnv6/fdo/vZtu8mUVuqtmTrgLYpZdbR4oD3XiBlDKs7Cv5hPqt95lnP6MNFvE8mICCfd1PwhsABd2IQ5laz3u77/RXhNFJL0Kf2/+6gk9awcLuwHrPdvq7c3BxRHbc9UMRQENyjyQPa7aLe+uJBFLKP51I8VBuDpDacuibQx7nMt6N2UJ2KWI0JxRMHuJNq4S5jidR82aOw9gzGbTv30SKNLMqsZ0xj4LtdqCXDiZF6Lr09PsJYsvnBUFWa14HGcThKDtgwQwBryNViYmfv//0h9+RLZiU0ab+NEwSs7Zh5iAD+vhx64QqNX3tR7Le4SWXh8W0eShU9N78qYdSkiC3Ui7htxeqOocXM/P4AwbnHsLELIvkHdvgchCPvl8ygZa4WJTEWv16+ICskJcAKWGuqjvXAFuwjJJmPp9xLW9O0DFfQhMELiGamQR9wK07yYQVr34iah6qZO7cwhSKyEPFrVPIaNtfDhsjED639F7vmktf26SWNJHWfW0wOHILjI6TgqUvy0JDd8W8w0CHlAfz6Fs2l99NNgNF8dB3vBASbxS0hu/y0PVu/xQ== openstack-sleipner"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
];
}

23
base/services/postfix.nix Normal file
View File

@@ -0,0 +1,23 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.postfix;
in
{
services.postfix = {
enable = true;
hostname = "${config.networking.hostName}.pvv.ntnu.no";
domain = "pvv.ntnu.no";
relayHost = "smtp.pvv.ntnu.no";
relayPort = 465;
config = {
smtp_tls_wrappermode = "yes";
smtp_tls_security_level = "encrypt";
};
# Nothing should be delivered to this machine
destination = [ ];
};
}

8
base/services/smartd.nix Normal file
View File

@@ -0,0 +1,8 @@
{ config, pkgs, lib, ... }:
{
services.smartd.enable = lib.mkDefault true;
environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
smartmontools
]);
}

8
base/services/thermald.nix Normal file
View File

@@ -0,0 +1,8 @@
{ config, lib, ... }:
{
# Let's not thermal throttle
services.thermald.enable = lib.mkIf (lib.all (x: x) [
(config.nixpkgs.system == "x86_64-linux")
(!config.boot.isContainer or false)
]) true;
}

201
flake.lock generated
View File

@@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1715445235, "lastModified": 1729281548,
"narHash": "sha256-SUu+oIWn+xqQIOlwfwNfS9Sek4i1HKsrLJchsDReXwA=", "narHash": "sha256-MuojlSnwAJAwfhgmW8ZtZrwm2Sko4fqubCvReqbUzYw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "159d87ea5b95bbdea46f0288a33c5e1570272725", "rev": "a6a3179ddf396dfc28a078e2f169354d0c137125",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -20,64 +20,25 @@
"type": "github" "type": "github"
} }
}, },
"fix-python": { "greg-ng": {
"inputs": { "inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [ "nixpkgs": [
"grzegorz",
"nixpkgs" "nixpkgs"
] ],
"rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1713887124, "lastModified": 1730249639,
"narHash": "sha256-hGTSm0p9xXUYDgsAAr/ORZICo6T6u33vLfX3tILikaQ=", "narHash": "sha256-G3URSlqCcb+GIvGyki+HHrDM5ZanX/dP9BtppD/SdfI=",
"owner": "GuillaumeDesforges", "ref": "refs/heads/main",
"repo": "fix-python", "rev": "80e0447bcb79adad4f459ada5610f3eae987b4e3",
"rev": "f7f4b33e22414071fc1f9cbf68072c413c3a7fdf", "revCount": 34,
"type": "github" "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
}, },
"original": { "original": {
"owner": "GuillaumeDesforges", "type": "git",
"repo": "fix-python", "url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1689068808,
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"grzegorz": {
"inputs": {
"fix-python": "fix-python",
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1715364232,
"narHash": "sha256-ZJC3SkanEgbV7p+LFhP+85CviRWOXJNHzZwR/Stb7hE=",
"owner": "Programvareverkstedet",
"repo": "grzegorz",
"rev": "3841cda1cdcac470440b06838d56a2eb2256378c",
"type": "github"
},
"original": {
"owner": "Programvareverkstedet",
"repo": "grzegorz",
"type": "github"
} }
}, },
"grzegorz-clients": { "grzegorz-clients": {
@@ -87,17 +48,17 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1715384651, "lastModified": 1726861934,
"narHash": "sha256-7RhckgUTjqeCjWkhiCc1iB+5CBx9fl80d/3O4Jh+5kM=", "narHash": "sha256-lOzPDwktd+pwszUTbpUdQg6iCzInS11fHLfkjmnvJrM=",
"owner": "Programvareverkstedet", "ref": "refs/heads/master",
"repo": "grzegorz-clients", "rev": "546d921ec46735dbf876e36f4af8df1064d09432",
"rev": "738a4f3dd887f7c3612e4e772b83cbfa3cde5693", "revCount": 78,
"type": "github" "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
}, },
"original": { "original": {
"owner": "Programvareverkstedet", "type": "git",
"repo": "grzegorz-clients", "url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
"type": "github"
} }
}, },
"matrix-next": { "matrix-next": {
@@ -107,20 +68,35 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717234745, "lastModified": 1727410897,
"narHash": "sha256-MFyKRdw4WQD6V3vRGbP6MYbtJhZp712zwzjW6YiOBYM=", "narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=",
"owner": "dali99", "owner": "dali99",
"repo": "nixos-matrix-modules", "repo": "nixos-matrix-modules",
"rev": "d7dc42c9bbb155c5e4aa2f0985d0df75ce978456", "rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "dali99", "owner": "dali99",
"ref": "v0.6.0", "ref": "v0.6.1",
"repo": "nixos-matrix-modules", "repo": "nixos-matrix-modules",
"type": "github" "type": "github"
} }
}, },
"minecraft-data": {
"locked": {
"lastModified": 1725277886,
"narHash": "sha256-Fw4VbbE3EfypQWSgPDFfvVH47BHeg3ptsO715NlUM8Q=",
"ref": "refs/heads/master",
"rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
"revCount": 2,
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
}
},
"nix-gitea-themes": { "nix-gitea-themes": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -143,48 +119,50 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1719520878, "lastModified": 1729307008,
"narHash": "sha256-5BXzNOl2RVHcfS/oxaZDKOi7gVuTyWPibQG0DHd5sSc=", "narHash": "sha256-QUvb6epgKi9pCu9CttRQW4y5NqJ+snKr1FZpG/x3Wtc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a44bedbb48c367f0476e6a3a27bf28f6330faf23", "rev": "a9b86fc2290b69375c5542b622088eb6eca2a7c3",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "owner": "NixOS",
"ref": "nixos-24.05-small", "ref": "nixos-24.05-small",
"type": "indirect" "repo": "nixpkgs",
"type": "github"
} }
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1714858427, "lastModified": 1728156290,
"narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=", "narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76", "rev": "17ae88b569bb15590549ff478bab6494dde4a907",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "release-23.11", "ref": "release-24.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1715435713, "lastModified": 1729308112,
"narHash": "sha256-lb2HqDQGfTdnCCpc1pgF6fkdgIOuBQ0nP8jjVSfLFqg=", "narHash": "sha256-Ap+cPeiluam2KFZO+OWuFTl/IkIJfyGYGMgkT2pVCRY=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "52b40f6c4be12742b1504ca2eb4527e597bf2526", "rev": "61253596816c4cd65e2a0f474cbc0ac0c6e0f7cf",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "owner": "NixOS",
"ref": "nixos-unstable-small", "ref": "nixos-unstable-small",
"type": "indirect" "repo": "nixpkgs",
"type": "github"
} }
}, },
"pvv-calendar-bot": { "pvv-calendar-bot": {
@@ -194,11 +172,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1693136143, "lastModified": 1723850344,
"narHash": "sha256-amHprjftc3y/bg8yf4hITCLa+ez5HIi0yGfR7TU6UIc=", "narHash": "sha256-aT37O9l9eclWEnqxASVNBL1dKwDHZUOqdbA4VO9DJvw=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "a32894b305f042d561500f5799226afd1faf5abb", "rev": "38b66677ab8c01aee10cd59e745af9ce3ea88092",
"revCount": 9, "revCount": 19,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git" "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
}, },
@@ -214,11 +192,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1722722932, "lastModified": 1725212759,
"narHash": "sha256-K81a2GQpY2kRX+C9ek9r91THlZB674CqRTSMMb5IO7E=", "narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "6580cfe546c902cdf11e17b0b8aa30b3c412bb34", "rev": "e7b66b4bc6a89bab74bac45b87e9434f5165355f",
"revCount": 465, "revCount": 473,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git" "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
}, },
@@ -230,9 +208,10 @@
"root": { "root": {
"inputs": { "inputs": {
"disko": "disko", "disko": "disko",
"grzegorz": "grzegorz", "greg-ng": "greg-ng",
"grzegorz-clients": "grzegorz-clients", "grzegorz-clients": "grzegorz-clients",
"matrix-next": "matrix-next", "matrix-next": "matrix-next",
"minecraft-data": "minecraft-data",
"nix-gitea-themes": "nix-gitea-themes", "nix-gitea-themes": "nix-gitea-themes",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
@@ -241,6 +220,27 @@
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
}, },
"rust-overlay": {
"inputs": {
"nixpkgs": [
"greg-ng",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729391507,
"narHash": "sha256-as0I9xieJUHf7kiK2a9znDsVZQTFWhM1pLivII43Gi0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "784981a9feeba406de38c1c9a3decf966d853cca",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -249,11 +249,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1715244550, "lastModified": 1728345710,
"narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=", "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f", "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -261,21 +261,6 @@
"repo": "sops-nix", "repo": "sops-nix",
"type": "github" "type": "github"
} }
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

34
flake.nix
View File

@@ -2,8 +2,8 @@
description = "PVV System flake"; description = "PVV System flake";
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-24.05-small"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; # remember to also update the url in base/services/auto-upgrade.nix
nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -17,16 +17,18 @@
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git"; pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs"; pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.0"; matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.1";
matrix-next.inputs.nixpkgs.follows = "nixpkgs"; matrix-next.inputs.nixpkgs.follows = "nixpkgs";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"; nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs"; nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
grzegorz.url = "github:Programvareverkstedet/grzegorz"; greg-ng.url = "git+https://git.pvv.ntnu.no/Projects/greg-ng.git";
grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable"; greg-ng.inputs.nixpkgs.follows = "nixpkgs";
grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients"; grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Projects/grzegorz-clients.git";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs"; grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
minecraft-data.url = "git+https://git.pvv.ntnu.no/Drift/minecraft-data.git";
}; };
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs: outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -55,7 +57,7 @@
rec { rec {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { specialArgs = {
inherit nixpkgs-unstable inputs; inherit unstablePkgs inputs;
values = import ./values.nix; values = import ./values.nix;
}; };
@@ -92,6 +94,7 @@
heimdal = unstablePkgs.heimdal; heimdal = unstablePkgs.heimdal;
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { }; mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
simplesamlphp = final.callPackage ./packages/simplesamlphp { }; simplesamlphp = final.callPackage ./packages/simplesamlphp { };
bluemap = final.callPackage ./packages/bluemap.nix { };
}) })
inputs.nix-gitea-themes.overlays.default inputs.nix-gitea-themes.overlays.default
inputs.pvv-nettsiden.overlays.default inputs.pvv-nettsiden.overlays.default
@@ -113,17 +116,28 @@
brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" { brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
modules = [ modules = [
inputs.grzegorz.nixosModules.grzegorz-kiosk
inputs.grzegorz-clients.nixosModules.grzegorz-webui inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
]; ];
}; };
georg = stableNixosConfig "georg" { georg = stableNixosConfig "georg" {
modules = [ modules = [
inputs.grzegorz.nixosModules.grzegorz-kiosk
inputs.grzegorz-clients.nixosModules.grzegorz-webui inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
];
};
kvernberg = stableNixosConfig "kvernberg" {
modules = [
disko.nixosModules.disko
{ disko.devices.disk.disk1.device = "/dev/sda"; }
]; ];
}; };
buskerud = stableNixosConfig "buskerud" { };
}; };
nixosModules = { nixosModules = {

7
hosts/bekkalokk/configuration.nix
View File

@@ -3,17 +3,20 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../base.nix ../../base
../../misc/metrics-exporters.nix ../../misc/metrics-exporters.nix
./services/bluemap/default.nix
./services/gitea/default.nix ./services/gitea/default.nix
./services/idp-simplesamlphp ./services/idp-simplesamlphp
./services/kerberos ./services/kerberos
./services/mediawiki ./services/mediawiki
./services/nginx.nix ./services/nginx.nix
./services/phpfpm.nix
./services/vaultwarden.nix ./services/vaultwarden.nix
./services/webmail ./services/webmail
./services/website ./services/website
./services/well-known
]; ];
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml; sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
@@ -31,6 +34,8 @@
address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ]; address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
}; };
services.btrfs.autoScrub.enable = true;
# Do not change, even during upgrades. # Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11"; system.stateVersion = "22.11";

83
hosts/bekkalokk/services/bluemap/default.nix Normal file
View File

@@ -0,0 +1,83 @@
{ config, lib, pkgs, inputs, ... }:
let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
in {
imports = [
./module.nix # From danio, pending upstreaming
];
disabledModules = [ "services/web-servers/bluemap.nix" ];
sops.secrets."bluemap/ssh-key" = { };
sops.secrets."bluemap/ssh-known-hosts" = { };
services.bluemap = {
enable = true;
eula = true;
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
host = "minecraft.pvv.ntnu.no";
maps = {
"verden" = {
settings = {
world = vanillaSurvival;
sorting = 0;
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.verden;
};
};
"underverden" = {
settings = {
world = "${vanillaSurvival}/DIM-1";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.underverden;
};
};
"enden" = {
settings = {
world = "${vanillaSurvival}/DIM1";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
};
};
services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
};
# TODO: render somewhere else lmao
systemd.services."render-bluemap-maps" = {
preStart = ''
mkdir -p /var/lib/bluemap/world
${pkgs.rsync}/bin/rsync \
-e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" \
-avz --no-owner --no-group \
root@innovation.pvv.ntnu.no:/ \
${vanillaSurvival}
'';
serviceConfig = {
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
];
};
};
}

343
hosts/bekkalokk/services/bluemap/module.nix Normal file
View File

@@ -0,0 +1,343 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.bluemap;
format = pkgs.formats.hocon { };
coreConfig = format.generate "core.conf" cfg.coreSettings;
webappConfig = format.generate "webapp.conf" cfg.webappSettings;
webserverConfig = format.generate "webserver.conf" cfg.webserverSettings;
storageFolder = pkgs.linkFarm "storage"
(lib.attrsets.mapAttrs' (name: value:
lib.nameValuePair "${name}.conf"
(format.generate "${name}.conf" value))
cfg.storage);
mapsFolder = pkgs.linkFarm "maps"
(lib.attrsets.mapAttrs' (name: value:
lib.nameValuePair "${name}.conf"
(format.generate "${name}.conf" value.settings))
cfg.maps);
webappConfigFolder = pkgs.linkFarm "bluemap-config" {
"maps" = mapsFolder;
"storages" = storageFolder;
"core.conf" = coreConfig;
"webapp.conf" = webappConfig;
"webserver.conf" = webserverConfig;
"packs" = cfg.resourcepacks;
"addons" = cfg.resourcepacks; # TODO
};
renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
"maps" = pkgs.linkFarm "maps" {
"${name}.conf" = (format.generate "${name}.conf" value.settings);
};
"storages" = storageFolder;
"core.conf" = coreConfig;
"webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
"webserver.conf" = webserverConfig;
"packs" = value.resourcepacks;
"addons" = cfg.resourcepacks; # TODO
};
inherit (lib) mkOption;
in {
options.services.bluemap = {
enable = lib.mkEnableOption "bluemap";
eula = mkOption {
type = lib.types.bool;
description = ''
By changing this option to true you confirm that you own a copy of minecraft Java Edition,
and that you agree to minecrafts EULA.
'';
default = false;
};
defaultWorld = mkOption {
type = lib.types.path;
description = ''
The world used by the default map ruleset.
If you configure your own maps you do not need to set this.
'';
example = lib.literalExpression "\${config.services.minecraft.dataDir}/world";
};
enableRender = mkOption {
type = lib.types.bool;
description = "Enable rendering";
default = true;
};
webRoot = mkOption {
type = lib.types.path;
default = "/var/lib/bluemap/web";
description = "The directory for saving and serving the webapp and the maps";
};
enableNginx = mkOption {
type = lib.types.bool;
default = true;
description = "Enable configuring a virtualHost for serving the bluemap webapp";
};
host = mkOption {
type = lib.types.str;
default = "bluemap.${config.networking.domain}";
defaultText = lib.literalExpression "bluemap.\${config.networking.domain}";
description = "Domain to configure nginx for";
};
onCalendar = mkOption {
type = lib.types.str;
description = ''
How often to trigger rendering the map,
in the format of a systemd timer onCalendar configuration.
See {manpage}`systemd.timer(5)`.
'';
default = "*-*-* 03:10:00";
};
coreSettings = mkOption {
type = lib.types.submodule {
freeformType = format.type;
options = {
data = mkOption {
type = lib.types.path;
description = "Folder for where bluemap stores its data";
default = "/var/lib/bluemap";
};
metrics = lib.mkEnableOption "Sending usage metrics containing the version of bluemap in use";
};
};
description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
};
webappSettings = mkOption {
type = lib.types.submodule {
freeformType = format.type;
};
default = {
enabled = true;
webroot = cfg.webRoot;
};
defaultText = lib.literalExpression ''
{
enabled = true;
webroot = config.services.bluemap.webRoot;
}
'';
description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
};
webserverSettings = mkOption {
type = lib.types.submodule {
freeformType = format.type;
options = {
enabled = mkOption {
type = lib.types.bool;
description = ''
Enable bluemap's built-in webserver.
Disabled by default in nixos for use of nginx directly.
'';
default = false;
};
};
};
default = { };
description = ''
Settings for the webserver.conf file, usually not required.
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
'';
};
maps = mkOption {
type = lib.types.attrsOf (lib.types.submodule {
options = {
resourcepacks = mkOption {
type = lib.types.path;
default = cfg.resourcepacks;
defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
description = "A set of resourcepacks/mods to extract models from loaded in alphabetical order";
};
settings = mkOption {
type = (lib.types.submodule {
freeformType = format.type;
options = {
world = mkOption {
type = lib.types.path;
description = "Path to world folder containing the dimension to render";
};
};
});
description = ''
Settings for files in `maps/`.
See the default for an example with good options for the different world types.
For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
'';
};
};
});
default = {
"overworld".settings = {
world = "${cfg.defaultWorld}";
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
"nether".settings = {
world = "${cfg.defaultWorld}/DIM-1";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
};
"end".settings = {
world = "${cfg.defaultWorld}/DIM1";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
defaultText = lib.literalExpression ''
{
"overworld".settings = {
world = "''${cfg.defaultWorld}";
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
"nether".settings = {
world = "''${cfg.defaultWorld}/DIM-1";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
};
"end".settings = {
world = "''${cfg.defaultWorld}/DIM1";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
'';
description = ''
map-specific configuration.
These correspond to views in the webapp and are usually
different dimension of a world or different render settings of the same dimension.
If you set anything in this option you must configure all dimensions yourself!
'';
};
storage = mkOption {
type = lib.types.attrsOf (lib.types.submodule {
freeformType = format.type;
options = {
storage-type = mkOption {
type = lib.types.enum [ "FILE" "SQL" ];
description = "Type of storage config";
default = "FILE";
};
};
});
description = ''
Where the rendered map will be stored.
Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/storages)
'';
default = {
"file" = {
root = "${cfg.webRoot}/maps";
};
};
defaultText = lib.literalExpression ''
{
"file" = {
root = "''${config.services.bluemap.webRoot}/maps";
};
}
'';
};
resourcepacks = mkOption {
type = lib.types.path;
default = pkgs.linkFarm "resourcepacks" { };
description = ''
A set of resourcepacks/mods to extract models from loaded in alphabetical order.
Can be overriden on a per-map basis with `services.bluemap.maps.<name>.resourcepacks`.
'';
};
};
config = lib.mkIf cfg.enable {
assertions =
[ { assertion = config.services.bluemap.eula;
message = ''
You have enabled bluemap but have not accepted minecraft's EULA.
You can achieve this through setting `services.bluemap.eula = true`
'';
}
];
services.bluemap.coreSettings.accept-download = cfg.eula;
systemd.services."render-bluemap-maps" = lib.mkIf cfg.enableRender {
serviceConfig = {
Type = "oneshot";
Group = "nginx";
UMask = "026";
};
script = lib.strings.concatStringsSep "\n" ((lib.attrsets.mapAttrsToList
(name: value: "${lib.getExe pkgs.bluemap} -c ${renderConfigFolder name value} -r")
cfg.maps) ++ [ "${lib.getExe pkgs.bluemap} -c ${webappConfigFolder} -gs" ]);
};
systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = cfg.onCalendar;
Persistent = true;
Unit = "render-bluemap-maps.service";
};
};
services.nginx.virtualHosts = lib.mkIf cfg.enableNginx {
"${cfg.host}" = {
root = config.services.bluemap.webRoot;
locations = {
"~* ^/maps/[^/]*/tiles/".extraConfig = ''
error_page 404 = @empty;
'';
"@empty".return = "204";
};
};
};
};
meta = {
maintainers = with lib.maintainers; [ dandellion h7x4 ];
};
}

52
hosts/bekkalokk/services/gitea/default.nix
View File

@@ -6,7 +6,8 @@ let
in { in {
imports = [ imports = [
./ci.nix ./ci.nix
./import-users.nix ./import-users
./web-secret-provider
]; ];
sops.secrets = { sops.secrets = {
@@ -54,10 +55,16 @@ in {
USER = "gitea@pvv.ntnu.no"; USER = "gitea@pvv.ntnu.no";
SUBJECT_PREFIX = "[pvv-git]"; SUBJECT_PREFIX = "[pvv-git]";
}; };
metrics = {
ENABLED = true;
ENABLED_ISSUE_BY_LABEL = true;
ENABLED_ISSUE_BY_REPOSITORY = true;
};
indexer.REPO_INDEXER_ENABLED = true; indexer.REPO_INDEXER_ENABLED = true;
service = { service = {
DISABLE_REGISTRATION = true; DISABLE_REGISTRATION = true;
ENABLE_NOTIFY_MAIL = true; ENABLE_NOTIFY_MAIL = true;
AUTO_WATCH_NEW_REPOS = false;
}; };
admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention"; admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
session.COOKIE_SECURE = true; session.COOKIE_SECURE = true;
@@ -97,6 +104,30 @@ in {
ENABLE_FEDERATED_AVATAR = false; ENABLE_FEDERATED_AVATAR = false;
}; };
actions.ENABLED = true; actions.ENABLED = true;
ui = {
REACTIONS = lib.concatStringsSep "," [
"+1"
"-1"
"laugh"
"confused"
"heart"
"hooray"
"rocket"
"eyes"
"100"
"anger"
"astonished"
"no_good"
"ok_hand"
"pensive"
"pizza"
"point_up"
"sob"
"skull"
"upside_down_face"
"shrug"
];
};
"ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet"; "ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
}; };
}; };
@@ -107,11 +138,20 @@ in {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
kTLS = true; kTLS = true;
locations."/" = { locations = {
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}"; "/" = {
extraConfig = '' proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
client_max_body_size 512M; extraConfig = ''
''; client_max_body_size 512M;
'';
};
"/metrics" = {
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4}/32;
deny all;
'';
};
}; };
}; };

94
hosts/bekkalokk/services/gitea/gitea-import-users.py
View File

@@ -1,94 +0,0 @@
import requests
import secrets
import os
EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
if EMAIL_DOMAIN is None:
EMAIL_DOMAIN = 'pvv.ntnu.no'
API_TOKEN = os.getenv('API_TOKEN')
if API_TOKEN is None:
raise Exception('API_TOKEN not set')
GITEA_API_URL = os.getenv('GITEA_API_URL')
if GITEA_API_URL is None:
GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
BANNED_SHELLS = [
"/usr/bin/nologin",
"/usr/sbin/nologin",
"/sbin/nologin",
"/bin/false",
"/bin/msgsh",
]
existing_users = {}
# This function should only ever be called when adding users
# from the passwd file
def add_user(username, name):
user = {
"full_name": name,
"username": username,
"login_name": username,
"source_id": 1, # 1 = SMTP
}
if username not in existing_users:
user["password"] = secrets.token_urlsafe(32)
user["must_change_password"] = False
user["visibility"] = "private"
user["email"] = username + '@' + EMAIL_DOMAIN
r = requests.post(GITEA_API_URL + '/admin/users', json=user,
headers={'Authorization': 'token ' + API_TOKEN})
if r.status_code != 201:
print('ERR: Failed to create user ' + username + ': ' + r.text)
return
print('Created user ' + username)
existing_users[username] = user
else:
user["visibility"] = existing_users[username]["visibility"]
r = requests.patch(GITEA_API_URL + f'/admin/users/{username}',
json=user,
headers={'Authorization': 'token ' + API_TOKEN})
if r.status_code != 200:
print('ERR: Failed to update user ' + username + ': ' + r.text)
return
print('Updated user ' + username)
def main():
# Fetch existing users
r = requests.get(GITEA_API_URL + '/admin/users',
headers={'Authorization': 'token ' + API_TOKEN})
if r.status_code != 200:
raise Exception('Failed to get users: ' + r.text)
for user in r.json():
existing_users[user['login']] = user
# Read the file, add each user
with open("/tmp/passwd-import", 'r') as f:
for line in f.readlines():
uid = int(line.split(':')[2])
if uid < 1000:
continue
shell = line.split(':')[-1]
if shell in BANNED_SHELLS:
continue
username = line.split(':')[0]
name = line.split(':')[4].split(',')[0]
add_user(username, name)
if __name__ == '__main__':
main()

3
hosts/bekkalokk/services/gitea/import-users.nix → hosts/bekkalokk/services/gitea/import-users/default.nix
View File

@@ -14,6 +14,9 @@ in
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import''; preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
serviceConfig = { serviceConfig = {
ExecStart = pkgs.writers.writePython3 "gitea-import-users" { ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
flakeIgnore = [
"E501" # Line over 80 chars lol
];
libraries = with pkgs.python3Packages; [ requests ]; libraries = with pkgs.python3Packages; [ requests ];
} (builtins.readFile ./gitea-import-users.py); } (builtins.readFile ./gitea-import-users.py);
LoadCredential=[ LoadCredential=[

198
hosts/bekkalokk/services/gitea/import-users/gitea-import-users.py Normal file
View File

@@ -0,0 +1,198 @@
import requests
import secrets
import os
EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
if EMAIL_DOMAIN is None:
EMAIL_DOMAIN = 'pvv.ntnu.no'
API_TOKEN = os.getenv('API_TOKEN')
if API_TOKEN is None:
raise Exception('API_TOKEN not set')
GITEA_API_URL = os.getenv('GITEA_API_URL')
if GITEA_API_URL is None:
GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
r = requests.get(
GITEA_API_URL + '/admin/users',
headers={'Authorization': 'token ' + API_TOKEN}
)
if r.status_code != 200:
print('Failed to get users:', r.text)
return None
return {user['login']: user for user in r.json()}
def gitea_create_user(username: str, userdata: dict[str, any]) -> bool:
r = requests.post(
GITEA_API_URL + '/admin/users',
json=userdata,
headers={'Authorization': 'token ' + API_TOKEN},
)
if r.status_code != 201:
print(f'ERR: Failed to create user {username}:', r.text)
return False
return True
def gitea_edit_user(username: str, userdata: dict[str, any]) -> bool:
r = requests.patch(
GITEA_API_URL + f'/admin/users/{username}',
json=userdata,
headers={'Authorization': 'token ' + API_TOKEN},
)
if r.status_code != 200:
print(f'ERR: Failed to update user {username}:', r.text)
return False
return True
def gitea_list_teams_for_organization(org: str) -> dict[str, any] | None:
r = requests.get(
GITEA_API_URL + f'/orgs/{org}/teams',
headers={'Authorization': 'token ' + API_TOKEN},
)
if r.status_code != 200:
print(f"ERR: Failed to list teams for {org}:", r.text)
return None
return {team['name']: team for team in r.json()}
def gitea_add_user_to_organization_team(username: str, team_id: int) -> bool:
r = requests.put(
GITEA_API_URL + f'/teams/{team_id}/members/{username}',
headers={'Authorization': 'token ' + API_TOKEN},
)
if r.status_code != 204:
print(f'ERR: Failed to add user {username} to org team {team_id}:', r.text)
return False
return True
# If a passwd user has one of the following shells,
# it is most likely not a PVV user, but rather a system user.
# Users with these shells should thus be ignored.
BANNED_SHELLS = [
"/usr/bin/nologin",
"/usr/sbin/nologin",
"/sbin/nologin",
"/bin/false",
"/bin/msgsh",
]
# Reads out a passwd-file line for line, and filters out
# real PVV users (as opposed to system users meant for daemons and such)
def passwd_file_parser(passwd_path):
with open(passwd_path, 'r') as f:
for line in f.readlines():
uid = int(line.split(':')[2])
if uid < 1000:
continue
shell = line.split(':')[-1]
if shell in BANNED_SHELLS:
continue
username = line.split(':')[0]
name = line.split(':')[4].split(',')[0]
yield (username, name)
# This function either creates a new user in gitea
# and fills it out with some default information if
# it does not exist, or ensures that the default information
# is correct if the user already exists. All user information
# (including non-default fields) is pulled from gitea and added
# to the `existing_users` dict
def add_or_patch_gitea_user(
username: str,
name: str,
existing_users: dict[str, dict[str, any]],
) -> None:
user = {
"full_name": name,
"username": username,
"login_name": username,
"source_id": 1, # 1 = SMTP
}
if username not in existing_users:
user["password"] = secrets.token_urlsafe(32)
user["must_change_password"] = False
user["visibility"] = "private"
user["email"] = username + '@' + EMAIL_DOMAIN
if not gitea_create_user(username, user):
return
print('Created user', username)
existing_users[username] = user
else:
user["visibility"] = existing_users[username]["visibility"]
if not gitea_edit_user(username, user):
return
print('Updated user', username)
# This function adds a user to a gitea team (part of organization)
# if the user is not already part of said team.
def ensure_gitea_user_is_part_of_team(
username: str,
org: str,
team_name: str,
) -> None:
teams = gitea_list_teams_for_organization(org)
if teams is None:
return
if team_name not in teams:
print(f'ERR: could not find team "{team_name}" in organization "{org}"')
gitea_add_user_to_organization_team(username, teams[team_name]['id'])
print(f'User {username} is now part of {org}/{team_name}')
# List of teams that all users should be part of by default
COMMON_USER_TEAMS = [
("Projects", "Members"),
("Kurs", "Members"),
]
def main():
existing_users = gitea_list_all_users()
if existing_users is None:
exit(1)
for username, name in passwd_file_parser("/tmp/passwd-import"):
print(f"Processing {username}")
add_or_patch_gitea_user(username, name, existing_users)
for org, team_name in COMMON_USER_TEAMS:
ensure_gitea_user_is_part_of_team(username, org, team_name)
print()
if __name__ == '__main__':
main()

114
hosts/bekkalokk/services/gitea/web-secret-provider/default.nix Normal file
View File

@@ -0,0 +1,114 @@
{ config, pkgs, lib, ... }:
let
organizations = [
"Drift"
"Projects"
"Kurs"
];
giteaCfg = config.services.gitea;
giteaWebSecretProviderScript = pkgs.writers.writePython3 "gitea-web-secret-provider" {
libraries = with pkgs.python3Packages; [ requests ];
flakeIgnore = [
"E501" # Line over 80 chars lol
"E201" # "whitespace after {"
"E202" # "whitespace after }"
"E251" # unexpected spaces around keyword / parameter equals
"W391" # Newline at end of file
];
makeWrapperArgs = [
"--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}"
];
} (builtins.readFile ./gitea-web-secret-provider.py);
in
{
users.groups."gitea-web" = { };
users.users."gitea-web" = {
group = "gitea-web";
isSystemUser = true;
};
sops.secrets."gitea/web-secret-provider/token" = {
owner = "gitea-web";
group = "gitea-web";
restartUnits = [
"gitea-web-secret-provider@"
] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
};
systemd.slices.system-giteaweb = {
description = "Gitea web directories";
};
# https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers
# %i - instance name (after the @)
# %d - secrets directory
systemd.services."gitea-web-secret-provider@" = {
description = "Ensure all repos in %i has an SSH key to push web content";
requires = [ "gitea.service" "network.target" ];
serviceConfig = {
Slice = "system-giteaweb.slice";
Type = "oneshot";
ExecStart = let
args = lib.cli.toGNUCommandLineShell { } {
org = "%i";
token-path = "%d/token";
api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
key-dir = "/var/lib/gitea-web/keys/%i";
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
${lib.getExe pkgs.rrsync} -wo "$1"
${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
'';
web-dir = "/var/lib/gitea-web/web";
};
in "${giteaWebSecretProviderScript} ${args}";
User = "gitea-web";
Group = "gitea-web";
StateDirectory = "gitea-web";
StateDirectoryMode = "0750";
LoadCredential = [
"token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
];
NoNewPrivileges = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectSystem = true;
ProtectHome = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictRealtime = true;
RestrictSUIDSGID = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
};
};
systemd.timers."gitea-web-secret-provider@" = {
description = "Ensure all repos in %i has an SSH key to push web content";
timerConfig = {
RandomizedDelaySec = "1h";
Persistent = true;
Unit = "gitea-web-secret-provider@%i.service";
OnCalendar = "daily";
};
};
systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
users.users.nginx.extraGroups = [ "gitea-web" ];
services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
kTLS = true;
forceSSL = true;
enableACME = true;
root = "/var/lib/gitea-web/web";
};
}

112
hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py Normal file
View File

@@ -0,0 +1,112 @@
import argparse
import hashlib
import os
import requests
import subprocess
from pathlib import Path
def parse_args():
parser = argparse.ArgumentParser(description="Generate SSH keys for Gitea repositories and add them as secrets")
parser.add_argument("--org", required=True, type=str, help="The organization to generate keys for")
parser.add_argument("--token-path", metavar='PATH', required=True, type=Path, help="Path to a file containing the Gitea API token")
parser.add_argument("--api-url", metavar='URL', type=str, help="The URL of the Gitea API", default="https://git.pvv.ntnu.no/api/v1")
parser.add_argument("--key-dir", metavar='PATH', type=Path, help="The directory to store the generated keys in", default="/run/gitea-web-secret-provider")
parser.add_argument("--authorized-keys-path", metavar='PATH', type=Path, help="The path to the resulting authorized_keys file", default="/etc/ssh/authorized_keys.d/gitea-web-secret-provider")
parser.add_argument("--rrsync-script", metavar='PATH', type=Path, help="The path to a rrsync script, taking the destination path as its single argument")
parser.add_argument("--web-dir", metavar='PATH', type=Path, help="The directory to sync the repositories to", default="/var/www")
parser.add_argument("--force", action="store_true", help="Overwrite existing keys")
return parser.parse_args()
def add_secret(args: argparse.Namespace, token: str, repo: str, name: str, secret: str):
result = requests.put(
f"{args.api_url}/repos/{args.org}/{repo}/actions/secrets/{name}",
json = { 'data': secret },
headers = { 'Authorization': 'token ' + token },
)
if result.status_code not in (201, 204):
raise Exception(f"Failed to add secret: {result.json()}")
def get_org_repo_list(args: argparse.Namespace, token: str):
result = requests.get(
f"{args.api_url}/orgs/{args.org}/repos",
headers = { 'Authorization': 'token ' + token },
)
return [repo["name"] for repo in result.json()]
def generate_ssh_key(args: argparse.Namespace, repository: str):
keyname = hashlib.sha256(args.org.encode() + repository.encode()).hexdigest()
key_path = args.key_dir / keyname
if not key_path.is_file() or args.force:
subprocess.run(
[
"ssh-keygen",
*("-t", "ed25519"),
*("-f", key_path),
*("-N", ""),
*("-C", f"{args.org}/{repository}"),
],
check=True,
stdin=subprocess.DEVNULL,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
)
print(f"Generated SSH key for `{args.org}/{repository}`")
with open(key_path, "r") as f:
private_key = f.read()
pub_key_path = args.key_dir / (keyname + '.pub')
with open(pub_key_path, "r") as f:
public_key = f.read()
return private_key, public_key
SSH_OPTS = ",".join([
"restrict",
"no-agent-forwarding",
"no-port-forwarding",
"no-pty",
"no-X11-forwarding",
])
def generate_authorized_keys(args: argparse.Namespace, repo_public_keys: list[tuple[str, str]]):
lines = []
for repo, public_key in repo_public_keys:
command = f"{args.rrsync_script} {args.web_dir}/{args.org}/{repo}"
lines.append(f'command="{command}",{SSH_OPTS} {public_key}')
with open(args.authorized_keys_path, "w") as f:
f.writelines(lines)
def main():
args = parse_args()
with open(args.token_path, "r") as f:
token = f.read().strip()
os.makedirs(args.key_dir, 0o700, exist_ok=True)
os.makedirs(args.authorized_keys_path.parent, 0o700, exist_ok=True)
repos = get_org_repo_list(args, token)
print(f'Found {len(repos)} repositories in `{args.org}`')
repo_public_keys = []
for repo in repos:
print(f"Locating key for `{args.org}/{repo}`")
private_key, public_key = generate_ssh_key(args, repo)
add_secret(args, token, repo, "WEB_SYNC_SSH_KEY", private_key)
repo_public_keys.append((repo, public_key))
generate_authorized_keys(args, repo_public_keys)
print(f"Wrote authorized_keys file to `{args.authorized_keys_path}`")
if __name__ == "__main__":
main()

6
hosts/bekkalokk/services/idp-simplesamlphp/default.nix
View File

@@ -202,6 +202,12 @@ in
rewrite ^/simplesaml/(.*)$ /$1 redirect; rewrite ^/simplesaml/(.*)$ /$1 redirect;
return 404; return 404;
''; '';
"/robots.txt" = {
root = pkgs.writeTextDir "robots.txt" ''
User-agent: *
Disallow: /
'';
};
}; };
}; };
}; };

51
hosts/bekkalokk/services/phpfpm.nix Normal file
View File

@@ -0,0 +1,51 @@
{ lib, ... }:
let
pools = map (pool: "phpfpm-${pool}") [
"idp"
"mediawiki"
"pvv-nettsiden"
"roundcube"
"snappymail"
];
in
{
# Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
systemd.services = lib.genAttrs pools (_: {
serviceConfig = let
caps = [
"CAP_NET_BIND_SERVICE"
"CAP_SETGID"
"CAP_SETUID"
"CAP_CHOWN"
"CAP_KILL"
"CAP_IPC_LOCK"
"CAP_DAC_OVERRIDE"
];
in {
AmbientCapabilities = caps;
CapabilityBoundingSet = caps;
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = false;
NoNewPrivileges = true;
PrivateMounts = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RemoveIPC = true;
UMask = "0077";
RestrictNamespaces = "~mnt";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
KeyringMode = "private";
SystemCallFilter = [
"@system-service"
];
};
});
}

36
hosts/bekkalokk/services/vaultwarden.nix
View File

@@ -65,4 +65,40 @@ in {
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
systemd.services.vaultwarden = lib.mkIf cfg.enable {
serviceConfig = {
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
NoNewPrivileges = true;
# MemoryDenyWriteExecute = true;
PrivateMounts = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0007";
};
};
} }

10
hosts/bekkalokk/services/webmail/roundcube.nix
View File

@@ -6,6 +6,11 @@ let
domain = "webmail.pvv.ntnu.no"; domain = "webmail.pvv.ntnu.no";
in in
{ {
sops.secrets."roundcube/postgres_password" = {
owner = "nginx";
group = "nginx";
};
services.roundcube = { services.roundcube = {
enable = true; enable = true;
@@ -20,6 +25,11 @@ in
maxAttachmentSize = 20; maxAttachmentSize = 20;
hostName = "roundcubeplaceholder.example.com"; hostName = "roundcubeplaceholder.example.com";
database = {
host = "postgres.pvv.ntnu.no";
passwordFile = config.sops.secrets."roundcube/postgres_password".path;
};
extraConfig = '' extraConfig = ''
$config['enable_installer'] = false; $config['enable_installer'] = false;
$config['default_host'] = "ssl://imap.pvv.ntnu.no"; $config['default_host'] = "ssl://imap.pvv.ntnu.no";

10
hosts/bekkalokk/services/website/default.nix
View File

@@ -116,16 +116,6 @@ in {
"/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift"; "/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift";
"/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse"; "/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse";
"/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza"; "/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza";
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"^~ /.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
}; };
}; };
} }

27
hosts/bekkalokk/services/website/fetch-gallery.nix
View File

@@ -62,6 +62,33 @@ in {
WorkingDirectory = galleryDir; WorkingDirectory = galleryDir;
User = config.services.pvv-nettsiden.user; User = config.services.pvv-nettsiden.user;
Group = config.services.pvv-nettsiden.group; Group = config.services.pvv-nettsiden.group;
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true; # disable for third party rotate scripts
PrivateDevices = true;
PrivateNetwork = true; # disable for mail delivery
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true; # disable for userdir logs
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true; # disable for creating setgid directories
SocketBindDeny = [ "any" ];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
}; };
}; };
} }

18
hosts/bekkalokk/services/well-known/default.nix Normal file
View File

@@ -0,0 +1,18 @@
{ ... }:
{
services.nginx.virtualHosts."www.pvv.ntnu.no".locations = {
"^~ /.well-known/" = {
alias = (toString ./root) + "/";
};
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"^~ /.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
};
}

31
hosts/bekkalokk/services/well-known/root/autoconfig/mail/config-v1.1.xml Normal file
View File

@@ -0,0 +1,31 @@
<?xml version="1.0"?>
<clientConfig version="1.1">
<emailProvider id="pvv.ntnu.no">
<domain>pvv.ntnu.no</domain>
<domain>pvv.org</domain>
<displayName>Programvareverkstedet</displayName>
<incomingServer type="imap">
<hostname>imap.pvv.ntnu.no</hostname>
<port>993</port>
<socketType>SSL</socketType>
<username>%EMAILLOCALPART%</username>
<authentication>password-cleartext</authentication>
</incomingServer>
<outgoingServer type="smtp">
<hostname>smtp.pvv.ntnu.no</hostname>
<port>587</port>
<socketType>STARTTLS</socketType>
<username>%EMAILLOCALPART%</username>
<authentication>password-cleartext</authentication>
<useGlobalPreferredServer>true</useGlobalPreferredServer>
</outgoingServer>
<documentation url="https://www.pvv.ntnu.no/pvv/Drift/Mail/IMAP_POP3">
<descr lang="en">Setup programvareverkstedet email user with IMAP or POP3</descr>
<descr lang="nb">Sett opp programvareverkstedet email bruker med IMAP eller POP3</descr>
</documentation>
</emailProvider>
</clientConfig>

12
hosts/bekkalokk/services/well-known/root/security.txt Normal file
View File

@@ -0,0 +1,12 @@
Contact: mailto:drift@pvv.ntnu.no
Contact: mailto:cert@pvv.ntnu.no
# drift@pvv.ntnu.no is read by more people and have a quicker reaction time,
# but cert@pvv.ntnu.no can be used for more severe issues.
Preferred-Languages: no, en
Expires: 2032-12-31T23:59:59.000Z
# This file was last updated 2024-09-14.
# You can find a wikipage for our security policies at:
# https://wiki.pvv.ntnu.no/wiki/CERT

24
hosts/bicep/acmeCert.nix
View File

@@ -1,24 +0,0 @@
{ values, ... }:
{
users.groups.acme.members = [ "nginx" ];
security.acme.certs."postgres.pvv.ntnu.no" = {
group = "acme";
extraDomainNames = [
# "postgres.pvv.org"
"bicep.pvv.ntnu.no"
# "bicep.pvv.org"
# values.hosts.bicep.ipv4
# values.hosts.bicep.ipv6
];
};
services.nginx = {
enable = true;
virtualHosts."postgres.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
# useACMEHost = "postgres.pvv.ntnu.no";
};
};
}

10
hosts/bicep/configuration.nix
View File

@@ -3,17 +3,14 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../base.nix ../../base
../../misc/metrics-exporters.nix ../../misc/metrics-exporters.nix
./services/nginx ./services/nginx
./acmeCert.nix
./services/mysql.nix ./services/mysql.nix
./services/postgres.nix ./services/postgres.nix
./services/mysql.nix ./services/mysql.nix
# TODO: fix the calendar bot ./services/calendar-bot.nix
# ./services/calendar-bot.nix
./services/matrix ./services/matrix
]; ];
@@ -37,6 +34,9 @@
anyInterface = true; anyInterface = true;
}; };
# There are no smart devices
services.smartd.enable = false;
# Do not change, even during upgrades. # Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11"; system.stateVersion = "22.11";

23
hosts/bicep/services/calendar-bot.nix
View File

@@ -2,11 +2,19 @@
let let
cfg = config.services.pvv-calendar-bot; cfg = config.services.pvv-calendar-bot;
in { in {
sops.secrets."calendar-bot/matrix_token" = { sops.secrets = {
sopsFile = ../../../secrets/bicep/bicep.yaml; "calendar-bot/matrix_token" = {
key = "calendar-bot/matrix_token"; sopsFile = ../../../secrets/bicep/bicep.yaml;
owner = cfg.user; key = "calendar-bot/matrix_token";
group = cfg.group; owner = cfg.user;
group = cfg.group;
};
"calendar-bot/mysql_password" = {
sopsFile = ../../../secrets/bicep/bicep.yaml;
key = "calendar-bot/mysql_password";
owner = cfg.user;
group = cfg.group;
};
}; };
services.pvv-calendar-bot = { services.pvv-calendar-bot = {
@@ -18,6 +26,11 @@ in {
user = "@bot_calendar:pvv.ntnu.no"; user = "@bot_calendar:pvv.ntnu.no";
channel = "!gkNLUIhYVpEyLatcRz:pvv.ntnu.no"; channel = "!gkNLUIhYVpEyLatcRz:pvv.ntnu.no";
}; };
database = {
host = "mysql.pvv.ntnu.no";
user = "calendar-bot";
passwordFile = config.sops.secrets."calendar-bot/mysql_password".path;
};
secretsFile = config.sops.secrets."calendar-bot/matrix_token".path; secretsFile = config.sops.secrets."calendar-bot/matrix_token".path;
onCalendar = "*-*-* 09:00:00"; onCalendar = "*-*-* 09:00:00";
}; };

8
hosts/bicep/services/matrix/coturn.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, pkgs, secrets, ... }: { config, lib, pkgs, secrets, values, ... }:
{ {
sops.secrets."matrix/synapse/turnconfig" = { sops.secrets."matrix/synapse/turnconfig" = {
@@ -60,12 +60,14 @@
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
use-auth-secret = true; use-auth-secret = true;
# World readable but I dont think it's that bad
static-auth-secret-file = config.sops.secrets."matrix/coturn/static-auth-secret".path; static-auth-secret-file = config.sops.secrets."matrix/coturn/static-auth-secret".path;
secure-stun = true; secure-stun = true;
listening-ips = [ "129.241.210.213" "2001:700:300:1900::213" ]; listening-ips = [
values.services.turn.ipv4
# values.services.turn.ipv6
];
tls-listening-port = 443; tls-listening-port = 443;
alt-tls-listening-port = 5349; alt-tls-listening-port = 5349;

1
hosts/bicep/services/matrix/default.nix
View File

@@ -10,6 +10,7 @@
./mjolnir.nix ./mjolnir.nix
./discord.nix ./discord.nix
./hookshot
]; ];

42
hosts/bicep/services/matrix/discord.nix
View File

@@ -6,15 +6,42 @@ in
{ {
users.groups.keys-matrix-registrations = { }; users.groups.keys-matrix-registrations = { };
sops.secrets."matrix/registrations/mx-puppet-discord" = { sops.secrets."matrix/discord/as_token" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml; sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "registrations/mx-puppet-discord"; key = "discord/as_token";
};
sops.secrets."matrix/discord/hs_token" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "discord/hs_token";
};
sops.templates."discord-registration.yaml" = {
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
group = config.users.groups.keys-matrix-registrations.name; group = config.users.groups.keys-matrix-registrations.name;
content = ''
as_token: "${config.sops.placeholder."matrix/discord/as_token"}"
hs_token: "${config.sops.placeholder."matrix/discord/hs_token"}"
id: discord-puppet
namespaces:
users:
- exclusive: true
regex: '@_discordpuppet_.*'
rooms: []
aliases:
- exclusive: true
regex: '#_discordpuppet_.*'
protocols: []
rate_limited: false
sender_localpart: _discordpuppet_bot
url: 'http://localhost:8434'
de.sorunome.msc2409.push_ephemeral: true
'';
}; };
systemd.services.mx-puppet-discord = { systemd.services.mx-puppet-discord = {
serviceConfig.SupplementaryGroups = [ config.users.groups.keys-matrix-registrations.name ]; serviceConfig.SupplementaryGroups = [
config.users.groups.keys-matrix-registrations.name
];
}; };
@@ -29,11 +56,16 @@ in
relay.whitelist = [ ".*" ]; relay.whitelist = [ ".*" ];
selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ]; selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
}; };
services.mx-puppet-discord.serviceDependencies = [ "matrix-synapse.target" "nginx.service" ]; services.mx-puppet-discord.serviceDependencies = [
"matrix-synapse.target"
"nginx.service"
];
services.matrix-synapse-next.settings = { services.matrix-synapse-next.settings = {
app_service_config_files = [ config.sops.secrets."matrix/registrations/mx-puppet-discord".path ]; app_service_config_files = [
config.sops.templates."discord-registration.yaml".path
];
use_appservice_legacy_authorization = true; use_appservice_legacy_authorization = true;
}; };

139
hosts/bicep/services/matrix/hookshot/default.nix Normal file
View File

@@ -0,0 +1,139 @@
{ config, lib, unstablePkgs, inputs, ... }:
let
cfg = config.services.matrix-hookshot;
webhookListenAddress = "127.0.0.1";
webhookListenPort = 8435;
in
{
imports = [
./module.nix
];
sops.secrets."matrix/hookshot/as_token" = {
sopsFile = ../../../../../secrets/bicep/matrix.yaml;
key = "hookshot/as_token";
};
sops.secrets."matrix/hookshot/hs_token" = {
sopsFile = ../../../../../secrets/bicep/matrix.yaml;
key = "hookshot/hs_token";
};
sops.templates."hookshot-registration.yaml" = {
owner = config.users.users.matrix-synapse.name;
group = config.users.groups.keys-matrix-registrations.name;
content = ''
id: matrix-hookshot
as_token: "${config.sops.placeholder."matrix/hookshot/as_token"}"
hs_token: "${config.sops.placeholder."matrix/hookshot/hs_token"}"
namespaces:
rooms: []
users:
- regex: "@_webhooks_.*:pvv.ntnu.no"
exclusive: true
- regex: "@bot_feeds:pvv.ntnu.no"
exclusive: true
aliases: []
sender_localpart: hookshot
url: "http://${cfg.settings.bridge.bindAddress}:${toString cfg.settings.bridge.port}"
rate_limited: false
# If enabling encryption
de.sorunome.msc2409.push_ephemeral: true
push_ephemeral: true
org.matrix.msc3202: true
'';
};
systemd.services.matrix-hookshot = {
serviceConfig.SupplementaryGroups = [
config.users.groups.keys-matrix-registrations.name
];
};
services.matrix-hookshot = {
enable = true;
package = unstablePkgs.matrix-hookshot;
registrationFile = config.sops.templates."hookshot-registration.yaml".path;
settings = {
bridge = {
bindAddress = "127.0.0.1";
domain = "pvv.ntnu.no";
url = "https://matrix.pvv.ntnu.no";
mediaUrl = "https://matrix.pvv.ntnu.no";
port = 9993;
};
listeners = [
{
bindAddress = webhookListenAddress;
port = webhookListenPort;
resources = [
"webhooks"
# "metrics"
# "provisioning"
"widgets"
];
}
];
generic = {
enabled = true;
outbound = true;
urlPrefix = "https://hookshot.pvv.ntnu.no/webhook/";
userIdPrefix = "_webhooks_";
allowJsTransformationFunctions = false;
waitForComplete = false;
};
feeds = {
enabled = true;
pollIntervalSeconds = 600;
};
serviceBots = [
{ localpart = "bot_feeds";
displayname = "Aya";
avatar = ./feeds.png;
prefix = "!aya";
service = "feeds";
}
];
permissions = [
# Users of the PVV Server
{ actor = "pvv.ntnu.no";
services = [ { service = "*"; level = "commands"; } ];
}
# Members of Medlem space (for people with their own hs)
{ actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
services = [ { service = "*"; level = "commands"; } ];
}
# Members of Drift
{ actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
services = [ { service = "*"; level = "admin"; } ];
}
# Dan bootstrap
{ actor = "@dandellion:dodsorf.as";
services = [ { service = "*"; level = "admin"; } ];
}
];
};
};
services.matrix-hookshot.serviceDependencies = [
"matrix-synapse.target"
"nginx.service"
];
services.matrix-synapse-next.settings = {
app_service_config_files = [
config.sops.templates."hookshot-registration.yaml".path
];
};
services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
enableACME = true;
locations."/" = {
proxyPass = "http://${webhookListenAddress}:${toString webhookListenPort}";
};
};
}

BIN
hosts/bicep/services/matrix/hookshot/feeds.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 MiB

127
hosts/bicep/services/matrix/hookshot/module.nix Normal file
View File

@@ -0,0 +1,127 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.matrix-hookshot;
settingsFormat = pkgs.formats.yaml { };
configFile = settingsFormat.generate "matrix-hookshot-config.yml" cfg.settings;
in
{
options = {
services.matrix-hookshot = {
enable = lib.mkEnableOption "matrix-hookshot, a bridge between Matrix and project management services";
package = lib.mkPackageOption pkgs "matrix-hookshot" { };
registrationFile = lib.mkOption {
type = lib.types.path;
description = ''
Appservice registration file.
As it contains secret tokens, you may not want to add this to the publicly readable Nix store.
'';
example = lib.literalExpression ''
pkgs.writeText "matrix-hookshot-registration" \'\'
id: matrix-hookshot
as_token: aaaaaaaaaa
hs_token: aaaaaaaaaa
namespaces:
rooms: []
users:
- regex: "@_webhooks_.*:foobar"
exclusive: true
sender_localpart: hookshot
url: "http://localhost:9993"
rate_limited: false
\'\'
'';
};
settings = lib.mkOption {
description = ''
{file}`config.yml` configuration as a Nix attribute set.
For details please see the [documentation](https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html).
'';
example = {
bridge = {
domain = "example.com";
url = "http://localhost:8008";
mediaUrl = "https://example.com";
port = 9993;
bindAddress = "127.0.0.1";
};
listeners = [
{
port = 9000;
bindAddress = "0.0.0.0";
resources = [ "webhooks" ];
}
{
port = 9001;
bindAddress = "localhost";
resources = [
"metrics"
"provisioning"
];
}
];
};
default = { };
type = lib.types.submodule {
freeformType = settingsFormat.type;
options = {
passFile = lib.mkOption {
type = lib.types.path;
default = "/var/lib/matrix-hookshot/passkey.pem";
description = ''
A passkey used to encrypt tokens stored inside the bridge.
File will be generated if not found.
'';
};
};
};
};
serviceDependencies = lib.mkOption {
type = with lib.types; listOf str;
default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;
defaultText = lib.literalExpression ''
lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit
'';
description = ''
List of Systemd services to require and wait for when starting the application service,
such as the Matrix homeserver if it's running on the same host.
'';
};
};
};
config = lib.mkIf cfg.enable {
systemd.services.matrix-hookshot = {
description = "a bridge between Matrix and multiple project management services";
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
after = [ "network-online.target" ] ++ cfg.serviceDependencies;
preStart = ''
if [ ! -f '${cfg.settings.passFile}' ]; then
mkdir -p $(dirname '${cfg.settings.passFile}')
${pkgs.openssl}/bin/openssl genpkey -out '${cfg.settings.passFile}' -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096
fi
'';
serviceConfig = {
Type = "simple";
Restart = "always";
ExecStart = "${cfg.package}/bin/matrix-hookshot ${configFile} ${cfg.registrationFile}";
};
};
};
meta.maintainers = with lib.maintainers; [ flandweber ];
}

2
hosts/bicep/services/matrix/mjolnir.nix
View File

@@ -11,7 +11,7 @@
services.mjolnir = { services.mjolnir = {
enable = true; enable = true;
pantalaimon.enable = false; pantalaimon.enable = false;
homeserverUrl = "http://127.0.0.1:8008"; homeserverUrl = "https://matrix.pvv.ntnu.no";
accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path; accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no"; managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
protectedRooms = map (a: "https://matrix.to/#/${a}") [ protectedRooms = map (a: "https://matrix.to/#/${a}") [

26
hosts/bicep/services/matrix/synapse.nix
View File

@@ -22,11 +22,6 @@ in {
group = config.users.users.matrix-synapse.group; group = config.users.users.matrix-synapse.group;
}; };
sops.secrets."matrix/sliding-sync/env" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "sliding-sync/env";
};
services.matrix-synapse-next = { services.matrix-synapse-next = {
enable = true; enable = true;
@@ -43,8 +38,6 @@ in {
workers.eventPersisters = 2; workers.eventPersisters = 2;
workers.useUserDirectoryWorker = true; workers.useUserDirectoryWorker = true;
enableSlidingSync = true;
enableNginx = true; enableNginx = true;
settings = { settings = {
@@ -137,9 +130,6 @@ in {
}; };
}; };
services.matrix-synapse.sliding-sync.environmentFile = config.sops.secrets."matrix/sliding-sync/env".path;
services.redis.servers."".enable = true; services.redis.servers."".enable = true;
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [ services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
@@ -157,6 +147,18 @@ in {
''; '';
}; };
} }
{
locations."/_synapse/admin" = {
proxyPass = "http://$synapse_backend";
extraConfig = ''
allow 127.0.0.1;
allow ::1;
allow ${values.hosts.bicep.ipv4};
allow ${values.hosts.bicep.ipv6};
deny all;
'';
};
}
{ {
locations = let locations = let
connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w; connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
@@ -170,8 +172,6 @@ in {
extraConfig = '' extraConfig = ''
allow ${values.hosts.ildkule.ipv4}; allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6}; allow ${values.hosts.ildkule.ipv6};
allow ${values.hosts.ildkule.ipv4_global};
allow ${values.hosts.ildkule.ipv6_global};
deny all; deny all;
''; '';
}) })
@@ -183,8 +183,6 @@ in {
extraConfig = '' extraConfig = ''
allow ${values.hosts.ildkule.ipv4}; allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6}; allow ${values.hosts.ildkule.ipv6};
allow ${values.hosts.ildkule.ipv4_global};
allow ${values.hosts.ildkule.ipv6_global};
deny all; deny all;
''; '';
}; };

13
hosts/bicep/services/postgres.nix
View File

@@ -1,7 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let
sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
in
{ {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
@@ -79,12 +76,16 @@ in
systemd.services.postgresql.serviceConfig = { systemd.services.postgresql.serviceConfig = {
LoadCredential = [ LoadCredential = [
"cert:${sslCert.directory}/cert.pem" "cert:/etc/certs/postgres.crt"
"key:${sslCert.directory}/key.pem" "key:/etc/certs/postgres.key"
]; ];
}; };
users.groups.acme.members = [ "postgres" ]; environment.snakeoil-certs."/etc/certs/postgres" = {
owner = "postgres";
group = "postgres";
subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
};
networking.firewall.allowedTCPPorts = [ 5432 ]; networking.firewall.allowedTCPPorts = [ 5432 ];
networking.firewall.allowedUDPPorts = [ 5432 ]; networking.firewall.allowedUDPPorts = [ 5432 ];

2
hosts/bob/configuration.nix
View File

@@ -3,7 +3,7 @@
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../base.nix ../../base
../../misc/metrics-exporters.nix ../../misc/metrics-exporters.nix
./disks.nix ./disks.nix

2
hosts/brzeczyszczykiewicz/configuration.nix
View File

@@ -3,7 +3,7 @@
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../base.nix ../../base
../../misc/metrics-exporters.nix ../../misc/metrics-exporters.nix
./services/grzegorz.nix ./services/grzegorz.nix

38
hosts/buskerud/configuration.nix
View File

@@ -1,38 +0,0 @@
{ config, pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./services/libvirt.nix
];
# buskerud does not support efi?
# boot.loader.systemd-boot.enable = true;
# boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sdb";
networking.hostName = "buskerud";
networking.search = [ "pvv.ntnu.no" "pvv.org" ];
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
networking.tempAddresses = "disabled";
systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp3s0f0";
address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

37
hosts/buskerud/hardware-configuration.nix
View File

@@ -1,37 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/ed9654fe-575a-4fb3-b6ff-1b059479acff";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp14s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp14s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

10
hosts/buskerud/services/libvirt.nix
View File

@@ -1,10 +0,0 @@
{ config, pkgs, lib, ... }:
{
virtualisation.libvirtd.enable = true;
programs.dconf.enable = true;
boot.kernelModules = [ "kvm-intel" ];
# On a gui-enabled machine, connect with:
# $ virt-manager --connect "qemu+ssh://buskerud/system?socket=/var/run/libvirt/libvirt-sock"
}

2
hosts/georg/configuration.nix
View File

@@ -3,7 +3,7 @@
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../base.nix ../../base
../../misc/metrics-exporters.nix ../../misc/metrics-exporters.nix
../../modules/grzegorz.nix ../../modules/grzegorz.nix

46
hosts/ildkule/configuration.nix
View File

@@ -1,9 +1,9 @@
{ config, pkgs, values, ... }: { config, pkgs, lib, values, ... }:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../base.nix ../../base
../../misc/metrics-exporters.nix ../../misc/metrics-exporters.nix
./services/monitoring ./services/monitoring
@@ -19,33 +19,37 @@
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
networking.hostName = "ildkule"; # Define your hostname. # Openstack Neutron and systemd-networkd are not best friends, use something else:
systemd.network.enable = lib.mkForce false;
networking = let
hostConf = values.hosts.ildkule;
in {
hostName = "ildkule";
tempAddresses = "disabled";
useDHCP = lib.mkForce true;
# Main connection, using the global/floatig IP, for communications with the world search = values.defaultNetworkConfig.domains;
systemd.network.networks."30-ntnu-global" = values.openstackGlobalNetworkConfig // { nameservers = values.defaultNetworkConfig.dns;
matchConfig.Name = "ens4"; defaultGateway.address = hostConf.ipv4_internal_gw;
# Add the global addresses in addition to the local address learned from DHCP interfaces."ens4" = {
addresses = [ ipv4.addresses = [
{ addressConfig.Address = "${values.hosts.ildkule.ipv4_global}/32"; } { address = hostConf.ipv4; prefixLength = 32; }
{ addressConfig.Address = "${values.hosts.ildkule.ipv6_global}/128"; } { address = hostConf.ipv4_internal; prefixLength = 24; }
]; ];
}; ipv6.addresses = [
{ address = hostConf.ipv6; prefixLength = 64; }
# Secondary connection only for use within the university network ];
systemd.network.networks."40-ntnu-internal" = values.openstackLocalNetworkConfig // { };
matchConfig.Name = "ens3";
# Add the ntnu-internal addresses in addition to the local address learned from DHCP
addresses = [
{ addressConfig.Address = "${values.hosts.ildkule.ipv4}/32"; }
{ addressConfig.Address = "${values.hosts.ildkule.ipv6}/128"; }
];
}; };
# List packages installed in system profile # List packages installed in system profile
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
]; ];
# No devices with SMART
services.smartd.enable = false;
system.stateVersion = "23.11"; # Did you read the comment? system.stateVersion = "23.11"; # Did you read the comment?
} }

9
hosts/ildkule/hardware-configuration.nix
View File

@@ -3,7 +3,14 @@
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ]; boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; }; fileSystems."/" = {
device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
fsType = "ext4";
};
fileSystems."/data" = {
device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
fsType = "ext4";
};
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
} }

1546
hosts/ildkule/services/monitoring/dashboards/gitea-dashbaord.json Normal file
View File

File diff suppressed because it is too large Load Diff

6
hosts/ildkule/services/monitoring/grafana.nix
View File

@@ -75,6 +75,12 @@ in {
url = "https://grafana.com/api/dashboards/240/revisions/3/download"; url = "https://grafana.com/api/dashboards/240/revisions/3/download";
options.path = dashboards/go-processes.json; options.path = dashboards/go-processes.json;
} }
{
name = "Gitea Dashbaord";
type = "file";
url = "https://grafana.com/api/dashboards/17802/revisions/3/download";
options.path = dashboards/gitea-dashbaord.json;
}
]; ];
}; };

13
hosts/ildkule/services/monitoring/loki.nix
View File

@@ -2,6 +2,7 @@
let let
cfg = config.services.loki; cfg = config.services.loki;
stateDir = "/data/monitoring/loki";
in { in {
services.loki = { services.loki = {
enable = true; enable = true;
@@ -16,7 +17,7 @@ in {
ingester = { ingester = {
wal = { wal = {
enabled = true; enabled = true;
dir = "/var/lib/loki/wal"; dir = "${stateDir}/wal";
}; };
lifecycler = { lifecycler = {
address = "127.0.0.1"; address = "127.0.0.1";
@@ -48,12 +49,12 @@ in {
storage_config = { storage_config = {
boltdb_shipper = { boltdb_shipper = {
active_index_directory = "/var/lib/loki/boltdb-shipper-index"; active_index_directory = "${stateDir}/boltdb-shipper-index";
cache_location = "/var/lib/loki/boltdb-shipper-cache"; cache_location = "${stateDir}/boltdb-shipper-cache";
cache_ttl = "24h"; cache_ttl = "24h";
}; };
filesystem = { filesystem = {
directory = "/var/lib/loki/chunks"; directory = "${stateDir}/chunks";
}; };
}; };
@@ -64,14 +65,14 @@ in {
}; };
compactor = { compactor = {
working_directory = "/var/lib/loki/compactor"; working_directory = "${stateDir}/compactor";
}; };
# ruler = { # ruler = {
# storage = { # storage = {
# type = "local"; # type = "local";
# local = { # local = {
# directory = "/var/lib/loki/rules"; # directory = "${stateDir}/rules";
# }; # };
# }; # };
# rule_path = "/etc/loki/rules"; # rule_path = "/etc/loki/rules";

14
hosts/ildkule/services/monitoring/prometheus/default.nix
View File

@@ -1,18 +1,26 @@
{ config, ... }: { { config, ... }: let
stateDir = "/data/monitoring/prometheus";
in {
imports = [ imports = [
./gogs.nix ./gitea.nix
./matrix-synapse.nix ./matrix-synapse.nix
# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
# ./mysqld.nix # ./mysqld.nix
./node.nix
./postgres.nix ./postgres.nix
./machines.nix
]; ];
services.prometheus = { services.prometheus = {
enable = true; enable = true;
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
port = 9001; port = 9001;
ruleFiles = [ rules/synapse-v2.rules ]; ruleFiles = [ rules/synapse-v2.rules ];
}; };
fileSystems."/var/lib/prometheus2" = {
device = stateDir;
options = [ "bind" ];
};
} }

16
hosts/ildkule/services/monitoring/prometheus/gitea.nix Normal file
View File

@@ -0,0 +1,16 @@
{ ... }:
{
services.prometheus.scrapeConfigs = [{
job_name = "gitea";
scrape_interval = "60s";
scheme = "https";
static_configs = [
{
targets = [
"git.pvv.ntnu.no:443"
];
}
];
}];
}

16
hosts/ildkule/services/monitoring/prometheus/gogs.nix
View File

@@ -1,16 +0,0 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "git-gogs";
scheme = "https";
metrics_path = "/-/metrics";
static_configs = [
{
targets = [
"essendrop.pvv.ntnu.no:443"
];
}
];
}];
}

54
hosts/ildkule/services/monitoring/prometheus/machines.nix Normal file
View File

@@ -0,0 +1,54 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "base_info";
static_configs = [
{ labels.hostname = "ildkule";
targets = [
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
"ildkule.pvv.ntnu.no:${toString cfg.exporters.systemd.port}"
];
}
{ labels.hostname = "bekkalokk";
targets = [
"bekkalokk.pvv.ntnu.no:9100"
"bekkalokk.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "bicep";
targets = [
"bicep.pvv.ntnu.no:9100"
"bicep.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "brzeczyszczykiewicz";
targets = [
"brzeczyszczykiewicz.pvv.ntnu.no:9100"
"brzeczyszczykiewicz.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "georg";
targets = [
"georg.pvv.ntnu.no:9100"
"georg.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "hildring";
targets = [
"hildring.pvv.ntnu.no:9100"
];
}
{ labels.hostname = "isvegg";
targets = [
"isvegg.pvv.ntnu.no:9100"
];
}
{ labels.hostname = "microbel";
targets = [
"microbel.pvv.ntnu.no:9100"
];
}
];
}];
}

22
hosts/ildkule/services/monitoring/prometheus/node.nix
View File

@@ -1,22 +0,0 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "node";
static_configs = [
{
targets = [
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
"microbel.pvv.ntnu.no:9100"
"isvegg.pvv.ntnu.no:9100"
"knakelibrak.pvv.ntnu.no:9100"
"hildring.pvv.ntnu.no:9100"
"bicep.pvv.ntnu.no:9100"
"essendrop.pvv.ntnu.no:9100"
"andresbu.pvv.ntnu.no:9100"
"bekkalokk.pvv.ntnu.no:9100"
];
}
];
}];
}

6
hosts/ildkule/services/monitoring/uptime-kuma.nix
View File

@@ -2,6 +2,7 @@
let let
cfg = config.services.uptime-kuma; cfg = config.services.uptime-kuma;
domain = "status.pvv.ntnu.no"; domain = "status.pvv.ntnu.no";
stateDir = "/data/monitoring/uptime-kuma";
in { in {
services.uptime-kuma = { services.uptime-kuma = {
enable = true; enable = true;
@@ -17,4 +18,9 @@ in {
kTLS = true; kTLS = true;
locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}"; locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
}; };
fileSystems."/var/lib/uptime-kuma" = {
device = stateDir;
options = [ "bind" ];
};
} }

43
hosts/kvernberg/configuration.nix Normal file
View File

@@ -0,0 +1,43 @@
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base
../../misc/metrics-exporters.nix
./disks.nix
];
sops.defaultSopsFile = ../../secrets/kvernberg/kvernberg.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "kvernberg"; # Define your hostname.
systemd.network.networks."30-all" = values.defaultNetworkConfig // {
matchConfig.Name = "en*";
address = with values.hosts.kvernberg; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# No devices with SMART
services.smartd.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
}

39
hosts/kvernberg/disks.nix Normal file
View File

@@ -0,0 +1,39 @@
# Example to create a bios compatible gpt partition
{ lib, ... }:
{
disko.devices = {
disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
}

26
hosts/kvernberg/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,26 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

93
hosts/kvernberg/services/pvvvvvv/modules/libeufin/bank.nix Normal file
View File

@@ -0,0 +1,93 @@
{
lib,
config,
options,
...
}:
{
imports = [ (import ./common.nix "bank") ];
options.services.libeufin.bank = {
initialAccounts = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
description = ''
Accounts to enable before the bank service starts.
This is mainly needed for the nexus currency conversion
since the exchange's bank account is expected to be already
registered.
Don't forget to change the account passwords afterwards.
'';
default = [ ];
};
settings = lib.mkOption {
description = ''
Configuration options for the libeufin bank system config file.
For a list of all possible options, please see the man page [`libeufin-bank.conf(5)`](https://docs.taler.net/manpages/libeufin-bank.conf.5.html)
'';
type = lib.types.submodule {
inherit (options.services.libeufin.settings.type.nestedTypes) freeformType;
options = {
libeufin-bank = {
CURRENCY = lib.mkOption {
type = lib.types.str;
description = ''
The currency under which the libeufin-bank should operate.
This defaults to the GNU taler module's currency for convenience
but if you run libeufin-bank separately from taler, you must set
this yourself.
'';
};
PORT = lib.mkOption {
type = lib.types.port;
default = 8082;
description = ''
The port on which libeufin-bank should listen.
'';
};
SUGGESTED_WITHDRAWAL_EXCHANGE = lib.mkOption {
type = lib.types.str;
default = "https://exchange.demo.taler.net/";
description = ''
Exchange that is suggested to wallets when withdrawing.
Note that, in order for withdrawals to work, your libeufin-bank
must be able to communicate with and send money etc. to the bank
at which the exchange used for withdrawals has its bank account.
If you also have your own bank and taler exchange network, you
probably want to set one of your exchange's url here instead of
the demo exchange.
This setting must always be set in order for the Android app to
not crash during the withdrawal process but the exchange to be
used can always be changed in the app.
'';
};
};
libeufin-bankdb-postgres = {
CONFIG = lib.mkOption {
type = lib.types.str;
description = ''
The database connection string for the libeufin-bank database.
'';
};
};
};
};
};
};
config = {
services.libeufin.bank.settings.libeufin-bank.CURRENCY = lib.mkIf (
config.services.taler.enable && (config.services.taler.settings.taler ? CURRENCY)
) config.services.taler.settings.taler.CURRENCY;
services.libeufin.bank.settings.libeufin-bankdb-postgres.CONFIG = lib.mkIf config.services.libeufin.bank.createLocalDatabase "postgresql:///libeufin-bank";
};
}

156
hosts/kvernberg/services/pvvvvvv/modules/libeufin/common.nix Normal file
View File

@@ -0,0 +1,156 @@
# TODO: create a common module generator for Taler and Libeufin?
libeufinComponent:
{
lib,
pkgs,
config,
...
}:
{
options.services.libeufin.${libeufinComponent} = {
enable = lib.mkEnableOption "libeufin core banking system and web interface";
package = lib.mkPackageOption pkgs "libeufin" { };
debug = lib.mkEnableOption "debug logging";
createLocalDatabase = lib.mkEnableOption "automatic creation of a local postgres database";
openFirewall = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether to open ports in the firewall";
};
};
config =
let
cfgMain = config.services.libeufin;
cfg = cfgMain.${libeufinComponent};
serviceName = "libeufin-${libeufinComponent}";
isNexus = libeufinComponent == "nexus";
# get database name from config
# TODO: should this always be the same db? In which case, should this be an option directly under `services.libeufin`?
dbName =
lib.removePrefix "postgresql:///"
cfg.settings."libeufin-${libeufinComponent}db-postgres".CONFIG;
bankPort = cfg.settings."${if isNexus then "nexus-httpd" else "libeufin-bank"}".PORT;
in
lib.mkIf cfg.enable {
services.libeufin.settings = cfg.settings;
# TODO add system-libeufin.slice?
systemd.services = {
# Main service
"${serviceName}" = {
serviceConfig = {
DynamicUser = true;
ExecStart =
let
args = lib.cli.toGNUCommandLineShell { } {
c = cfgMain.configFile;
L = if cfg.debug then "debug" else null;
};
in
"${lib.getExe' cfg.package "libeufin-${libeufinComponent}"} serve ${args}";
Restart = "on-failure";
RestartSec = "10s";
};
requires = [ "libeufin-dbinit.service" ];
after = [ "libeufin-dbinit.service" ];
wantedBy = [ "multi-user.target" ];
};
# Database Initialisation
libeufin-dbinit =
let
dbScript = pkgs.writers.writeText "libeufin-db-permissions.sql" ''
GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA libeufin_bank TO "${serviceName}";
GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA libeufin_nexus TO "${serviceName}";
GRANT USAGE ON SCHEMA libeufin_bank TO "${serviceName}";
GRANT USAGE ON SCHEMA libeufin_nexus TO "${serviceName}";
'';
# Accounts to be created after the bank database initialization.
#
# For example, if the bank's currency conversion is enabled, it's
# required that the exchange account is registered before the
# service starts.
initialAccountRegistration = lib.concatMapStringsSep "\n" (
account:
let
args = lib.cli.toGNUCommandLineShell { } {
c = cfgMain.configFile;
inherit (account) username password name;
payto_uri = "payto://x-taler-bank/bank:${toString bankPort}/${account.username}?receiver-name=${account.name}";
exchange = lib.toLower account.username == "exchange";
};
in
"${lib.getExe' cfg.package "libeufin-bank"} create-account ${args}"
) cfg.initialAccounts;
args = lib.cli.toGNUCommandLineShell { } {
c = cfgMain.configFile;
L = if cfg.debug then "debug" else null;
};
in
{
path = [ config.services.postgresql.package ];
serviceConfig = {
Type = "oneshot";
DynamicUser = true;
StateDirectory = "libeufin-dbinit";
StateDirectoryMode = "0750";
User = dbName;
};
script = lib.optionalString cfg.enable ''
${lib.getExe' cfg.package "libeufin-${libeufinComponent}"} dbinit ${args}
'';
# Grant DB permissions after schemas have been created
postStart =
''
psql -U "${dbName}" -f "${dbScript}"
''
+ lib.optionalString ((!isNexus) && (cfg.initialAccounts != [ ])) ''
# only register initial accounts once
if [ ! -e /var/lib/libeufin-dbinit/init ]; then
${initialAccountRegistration}
touch /var/lib/libeufin-dbinit/init
echo "Bank initialisation complete"
fi
'';
requires = lib.optionals cfg.createLocalDatabase [ "postgresql.service" ];
after = [ "network.target" ] ++ lib.optionals cfg.createLocalDatabase [ "postgresql.service" ];
};
};
networking.firewall = lib.mkIf cfg.openFirewall {
allowedTCPPorts = [
bankPort
];
};
environment.systemPackages = [ cfg.package ];
services.postgresql = lib.mkIf cfg.createLocalDatabase {
enable = true;
ensureDatabases = [ dbName ];
ensureUsers = [
{ name = serviceName; }
{
name = dbName;
ensureDBOwnership = true;
}
];
};
assertions = [
{
assertion =
cfg.createLocalDatabase || (cfg.settings."libeufin-${libeufinComponent}db-postgres" ? CONFIG);
message = "Libeufin ${libeufinComponent} database is not configured.";
}
];
};
}

29
hosts/kvernberg/services/pvvvvvv/modules/libeufin/module.nix Normal file
View File

@@ -0,0 +1,29 @@
{
lib,
pkgs,
config,
...
}:
let
cfg = config.services.libeufin;
settingsFormat = pkgs.formats.ini { };
in
{
options.services.libeufin = {
configFile = lib.mkOption {
internal = true;
default = settingsFormat.generate "generated-libeufin.conf" cfg.settings;
};
settings = lib.mkOption {
description = "Global configuration options for the libeufin bank system config file.";
type = lib.types.submodule { freeformType = settingsFormat.type; };
default = { };
};
};
config = lib.mkIf (cfg.bank.enable || cfg.nexus.enable) {
environment.etc."libeufin/libeufin.conf".source = cfg.configFile;
};
}

127
hosts/kvernberg/services/pvvvvvv/modules/libeufin/nexus.nix Normal file
View File

@@ -0,0 +1,127 @@
{
lib,
config,
options,
...
}:
{
imports = [ (import ./common.nix "nexus") ];
options.services.libeufin.nexus.settings = lib.mkOption {
description = ''
Configuration options for the libeufin nexus config file.
For a list of all possible options, please see the man page [`libeufin-nexus.conf(5)`](https://docs.taler.net/manpages/libeufin-nexus.conf.5.html)
'';
type = lib.types.submodule {
inherit (options.services.libeufin.settings.type.nestedTypes) freeformType;
options = {
nexus-ebics = {
# Mandatory configuration values
# https://docs.taler.net/libeufin/nexus-manual.html#setting-up-the-ebics-subscriber
# https://docs.taler.net/libeufin/setup-ebics-at-postfinance.html
CURRENCY = lib.mkOption {
description = "Name of the fiat currency.";
type = lib.types.nonEmptyStr;
example = "CHF";
};
HOST_BASE_URL = lib.mkOption {
description = "URL of the EBICS server.";
type = lib.types.nonEmptyStr;
example = "https://ebics.postfinance.ch/ebics/ebics.aspx";
};
BANK_DIALECT = lib.mkOption {
description = ''
Name of the following combination: EBICS version and ISO20022
recommendations that Nexus would honor in the communication with the
bank.
Currently only the "postfinance" or "gls" value is supported.
'';
type = lib.types.enum [
"postfinance"
"gls"
];
example = "postfinance";
};
HOST_ID = lib.mkOption {
description = "Name of the EBICS host.";
type = lib.types.nonEmptyStr;
example = "PFEBICS";
};
USER_ID = lib.mkOption {
description = ''
User ID of the EBICS subscriber.
This value must be assigned by the bank after having activated a new EBICS subscriber.
'';
type = lib.types.nonEmptyStr;
example = "PFC00563";
};
PARTNER_ID = lib.mkOption {
description = ''
Partner ID of the EBICS subscriber.
This value must be assigned by the bank after having activated a new EBICS subscriber.
'';
type = lib.types.nonEmptyStr;
example = "PFC00563";
};
IBAN = lib.mkOption {
description = "IBAN of the bank account that is associated with the EBICS subscriber.";
type = lib.types.nonEmptyStr;
example = "CH7789144474425692816";
};
BIC = lib.mkOption {
description = "BIC of the bank account that is associated with the EBICS subscriber.";
type = lib.types.nonEmptyStr;
example = "POFICHBEXXX";
};
NAME = lib.mkOption {
description = "Legal entity that is associated with the EBICS subscriber.";
type = lib.types.nonEmptyStr;
example = "John Smith S.A.";
};
BANK_PUBLIC_KEYS_FILE = lib.mkOption {
type = lib.types.path;
default = "/var/lib/libeufin-nexus/bank-ebics-keys.json";
description = ''
Filesystem location where Nexus should store the bank public keys.
'';
};
CLIENT_PRIVATE_KEYS_FILE = lib.mkOption {
type = lib.types.path;
default = "/var/lib/libeufin-nexus/client-ebics-keys.json";
description = ''
Filesystem location where Nexus should store the subscriber private keys.
'';
};
};
nexus-httpd = {
PORT = lib.mkOption {
type = lib.types.port;
default = 8084;
description = ''
The port on which libeufin-bank should listen.
'';
};
};
libeufin-nexusdb-postgres = {
CONFIG = lib.mkOption {
type = lib.types.str;
description = ''
The database connection string for the libeufin-nexus database.
'';
};
};
};
};
};
config =
let
cfgMain = config.services.libeufin;
cfg = config.services.libeufin.nexus;
in
lib.mkIf cfg.enable {
services.libeufin.nexus.settings.libeufin-nexusdb-postgres.CONFIG = lib.mkIf (
cfgMain.bank.enable && cfgMain.bank.createLocalDatabase
) "postgresql:///libeufin-bank";
};
}

10
hosts/kvernberg/services/pvvvvvv/modules/module-list.nix Normal file
View File

@@ -0,0 +1,10 @@
{
imports = [
./libeufin/bank.nix
./libeufin/module.nix
./libeufin/nexus.nix
./taler/exchange.nix
./taler/merchant.nix
./taler/module.nix
];
}

117
hosts/kvernberg/services/pvvvvvv/modules/taler/common.nix Normal file
View File

@@ -0,0 +1,117 @@
# TODO: create a common module generator for Taler and Libeufin?
{
talerComponent ? "",
servicesDB ? [ ],
servicesNoDB ? [ ],
...
}:
{
lib,
pkgs,
config,
...
}:
let
cfg = cfgTaler.${talerComponent};
cfgTaler = config.services.taler;
settingsFormat = pkgs.formats.ini { };
services = servicesDB ++ servicesNoDB;
dbName = "taler-${talerComponent}-httpd";
groupName = "taler-${talerComponent}-services";
inherit (cfgTaler) runtimeDir;
in
{
options = {
services.taler.${talerComponent} = {
enable = lib.mkEnableOption "the GNU Taler ${talerComponent}";
package = lib.mkPackageOption pkgs "taler-${talerComponent}" { };
# TODO: make option accept multiple debugging levels?
debug = lib.mkEnableOption "debug logging";
openFirewall = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether to open ports in the firewall";
};
};
};
config = lib.mkIf cfg.enable {
services.taler.enable = cfg.enable;
systemd.services = lib.mergeAttrsList [
# Main services
(lib.genAttrs (map (n: "taler-${talerComponent}-${n}") services) (name: {
serviceConfig = {
DynamicUser = true;
User = name;
Group = groupName;
ExecStart = toString [
(lib.getExe' cfg.package name)
"-c /etc/taler/taler.conf"
(lib.optionalString cfg.debug " -L debug")
];
RuntimeDirectory = name;
StateDirectory = name;
CacheDirectory = name;
ReadWritePaths = [ runtimeDir ];
Restart = "always";
RestartSec = "10s";
};
requires = [ "taler-${talerComponent}-dbinit.service" ];
after = [ "taler-${talerComponent}-dbinit.service" ];
wantedBy = [ "multi-user.target" ]; # TODO slice?
}))
# Database Initialisation
{
"taler-${talerComponent}-dbinit" = {
path = [ config.services.postgresql.package ];
serviceConfig = {
Type = "oneshot";
DynamicUser = true;
User = dbName;
Restart = "on-failure";
RestartSec = "5s";
};
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
}
];
users.groups.${groupName} = { };
systemd.tmpfiles.settings = {
"10-taler-${talerComponent}" = {
"${runtimeDir}" = {
d = {
group = groupName;
user = "nobody";
mode = "070";
};
};
};
};
networking.firewall = lib.mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.settings."${talerComponent}".PORT ];
};
environment.systemPackages = [ cfg.package ];
services.taler.includes = [ "/etc/taler/conf.d/${talerComponent}.conf" ];
environment.etc."taler/conf.d/${talerComponent}.conf".source = settingsFormat.generate "generated-taler.conf" cfg.settings;
services.postgresql = {
enable = true;
ensureDatabases = [ dbName ];
ensureUsers = map (service: { name = "taler-${talerComponent}-${service}"; }) servicesDB ++ [
{
name = dbName;
ensureDBOwnership = true;
}
];
};
};
}

143
hosts/kvernberg/services/pvvvvvv/modules/taler/exchange.nix Normal file
View File

@@ -0,0 +1,143 @@
{
lib,
config,
options,
pkgs,
...
}:
let
cfg = cfgTaler.exchange;
cfgTaler = config.services.taler;
talerComponent = "exchange";
# https://docs.taler.net/taler-exchange-manual.html#services-users-groups-and-file-system-hierarchy
servicesDB = [
"httpd"
"aggregator"
"closer"
"wirewatch"
];
servicesNoDB = [
"secmod-cs"
"secmod-eddsa"
"secmod-rsa"
];
in
{
imports = [
(import ./common.nix { inherit talerComponent servicesDB servicesNoDB; })
];
options.services.taler.exchange = {
settings = lib.mkOption {
description = ''
Configuration options for the taler exchange config file.
For a list of all possible options, please see the man page [`taler.conf(5)`](https://docs.taler.net/manpages/taler.conf.5.html#exchange-options)
'';
type = lib.types.submodule {
inherit (options.services.taler.settings.type.nestedTypes) freeformType;
options = {
# TODO: do we want this to be a sub-attribute or only define the exchange set of options here
exchange = {
AML_THRESHOLD = lib.mkOption {
type = lib.types.str;
default = "${cfgTaler.settings.taler.CURRENCY}:1000000";
defaultText = "1000000 in {option}`CURRENCY`";
description = "Monthly transaction volume until an account is considered suspicious and flagged for AML review.";
};
DB = lib.mkOption {
type = lib.types.str;
internal = true;
default = "postgres";
};
MASTER_PUBLIC_KEY = lib.mkOption {
type = lib.types.str;
default = throw ''
You must provide `MASTER_PUBLIC_KEY` with the public part of your master key.
This will be used by the auditor service to get information about the exchange.
For more information, see https://docs.taler.net/taler-auditor-manual.html#initial-configuration
To generate this key, you must run `taler-exchange-offline setup`. It will print the public key.
'';
defaultText = "None, you must set this yourself.";
description = "Used by the exchange to verify information signed by the offline system.";
};
PORT = lib.mkOption {
type = lib.types.port;
default = 8081;
description = "Port on which the HTTP server listens.";
};
};
exchangedb-postgres = {
CONFIG = lib.mkOption {
type = lib.types.str;
internal = true;
default = "postgres:///taler-exchange-httpd";
description = "Database connection URI.";
};
};
};
};
default = { };
};
denominationConfig = lib.mkOption {
type = lib.types.lines;
defaultText = "None, you must set this yourself.";
example = ''
[COIN-KUDOS-n1-t1718140083]
VALUE = KUDOS:0.1
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 2 years
DURATION_LEGAL = 6 years
FEE_WITHDRAW = KUDOS:0
FEE_DEPOSIT = KUDOS:0.1
FEE_REFRESH = KUDOS:0
FEE_REFUND = KUDOS:0
RSA_KEYSIZE = 2048
CIPHER = RSA
'';
description = ''
This option configures the cash denomination for the coins that the exchange offers.
For more information, consult the [upstream docs](https://docs.taler.net/taler-exchange-manual.html#coins-denomination-keys).
You can either write these manually or you can use the `taler-harness deployment gen-coin-config`
command to generate it.
Warning: Do not modify existing denominations after deployment.
Please see the upstream docs for how to safely do that.
'';
};
};
config = lib.mkIf cfg.enable {
services.taler.includes = [
(pkgs.writers.writeText "exchange-denominations.conf" cfg.denominationConfig)
];
systemd.services.taler-exchange-wirewatch = {
requires = [ "taler-exchange-httpd.service" ];
after = [ "taler-exchange-httpd.service" ];
};
# Taken from https://docs.taler.net/taler-exchange-manual.html#exchange-database-setup
# TODO: Why does aggregator need DELETE?
systemd.services."taler-${talerComponent}-dbinit".script =
let
deletePerm = name: lib.optionalString (name == "aggregator") ",DELETE";
dbScript = pkgs.writers.writeText "taler-exchange-db-permissions.sql" (
lib.pipe servicesDB [
(map (name: ''
GRANT SELECT,INSERT,UPDATE${deletePerm name} ON ALL TABLES IN SCHEMA exchange TO "taler-exchange-${name}";
GRANT USAGE ON SCHEMA exchange TO "taler-exchange-${name}";
''))
lib.concatStrings
]
);
in
''
${lib.getExe' cfg.package "taler-exchange-dbinit"}
psql -U taler-exchange-httpd -f ${dbScript}
'';
};
}

108
hosts/kvernberg/services/pvvvvvv/modules/taler/merchant.nix Normal file
View File

@@ -0,0 +1,108 @@
{
lib,
config,
options,
pkgs,
...
}:
let
cfg = cfgTaler.merchant;
cfgTaler = config.services.taler;
talerComponent = "merchant";
# https://docs.taler.net/taler-merchant-manual.html#launching-the-backend
servicesDB = [
"httpd"
"webhook"
"wirewatch"
"depositcheck"
"exchange"
];
in
{
imports = [
(import ./common.nix { inherit talerComponent servicesDB; })
];
options.services.taler.merchant = {
settings = lib.mkOption {
description = ''
Configuration options for the taler merchant config file.
For a list of all possible options, please see the man page [`taler.conf(5)`](https://docs.taler.net/manpages/taler.conf.5.html#merchant-options)
'';
type = lib.types.submodule {
inherit (options.services.taler.settings.type.nestedTypes) freeformType;
options = {
# TODO: do we want this to be a sub-attribute or only define the merchant set of options here
merchant = {
DB = lib.mkOption {
type = lib.types.str;
internal = true;
default = "postgres";
description = "Plugin to use for the database.";
};
PORT = lib.mkOption {
type = lib.types.port;
default = 8083;
description = "Port on which the HTTP server listens.";
};
SERVE = lib.mkOption {
type = lib.types.str;
default = "tcp";
description = ''
Whether the HTTP server should listen on a UNIX domain socket ("unix") or on a TCP socket ("tcp").
'';
};
LEGAL_PRESERVATION = lib.mkOption {
type = lib.types.str;
internal = true;
default = "10 years";
description = "How long to keep data in the database for tax audits after the transaction has completed.";
};
};
merchantdb-postgres = {
CONFIG = lib.mkOption {
type = lib.types.str;
internal = true;
default = "postgres:///taler-${talerComponent}-httpd";
description = "Database connection URI.";
};
SQL_DIR = lib.mkOption {
type = lib.types.str;
internal = true;
default = "${cfg.package}/share/taler/sql/merchant/";
description = "The location for the SQL files to setup the database tables.";
};
};
};
};
default = { };
};
};
config = lib.mkIf cfg.enable {
systemd.services.taler-merchant-depositcheck = {
# taler-merchant-depositcheck needs its executable is in the PATH
# NOTE: couldn't use `lib.getExe` to only get that single executable
path = [ cfg.package ];
};
systemd.services."taler-${talerComponent}-dbinit".script =
let
# NOTE: not documented, but is necessary
dbScript = pkgs.writers.writeText "taler-merchant-db-permissions.sql" (
lib.concatStrings (
map (name: ''
GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA merchant TO "taler-merchant-${name}";
GRANT USAGE ON SCHEMA merchant TO "taler-merchant-${name}";
'') servicesDB
)
);
in
''
${lib.getExe' cfg.package "taler-merchant-dbinit"}
psql -U taler-${talerComponent}-httpd -f ${dbScript}
'';
};
}

89
hosts/kvernberg/services/pvvvvvv/modules/taler/module.nix Normal file
View File

@@ -0,0 +1,89 @@
{
lib,
pkgs,
config,
...
}:
let
cfg = config.services.taler;
settingsFormat = pkgs.formats.ini { };
in
{
# TODO turn this into a generic taler-like service thingy?
options.services.taler = {
enable = lib.mkEnableOption "the GNU Taler system" // lib.mkOption { internal = true; };
includes = lib.mkOption {
type = lib.types.listOf lib.types.path;
default = [ ];
description = ''
Files to include into the config file using Taler's `@inline@` directive.
This allows including arbitrary INI files, including imperatively managed ones.
'';
};
settings = lib.mkOption {
description = ''
Global configuration options for the taler config file.
For a list of all possible options, please see the man page [`taler.conf(5)`](https://docs.taler.net/manpages/taler.conf.5.html)
'';
type = lib.types.submodule {
freeformType = settingsFormat.type;
options = {
taler = {
CURRENCY = lib.mkOption {
type = lib.types.nonEmptyStr;
description = ''
The currency which taler services will operate with. This cannot be changed later.
'';
};
CURRENCY_ROUND_UNIT = lib.mkOption {
type = lib.types.str;
default = "${cfg.settings.taler.CURRENCY}:0.01";
defaultText = lib.literalExpression ''
"''${config.services.taler.settings.taler.CURRENCY}:0.01"
'';
description = ''
Smallest amount in this currency that can be transferred using the underlying RTGS.
You should probably not touch this.
'';
};
};
};
};
default = { };
};
runtimeDir = lib.mkOption {
type = lib.types.str;
default = "/run/taler-system-runtime/";
description = ''
Runtime directory shared between the taler services.
Crypto helpers put their sockets here for instance and the httpd
connects to them.
'';
};
};
config = lib.mkIf cfg.enable {
services.taler.settings.PATHS = {
TALER_DATA_HOME = "\${STATE_DIRECTORY}/";
TALER_CACHE_HOME = "\${CACHE_DIRECTORY}/";
TALER_RUNTIME_DIR = cfg.runtimeDir;
};
environment.etc."taler/taler.conf".source =
let
includes = pkgs.writers.writeText "includes.conf" (
lib.concatStringsSep "\n" (map (include: "@inline@ ${include}") cfg.includes)
);
generatedConfig = settingsFormat.generate "generated-taler.conf" cfg.settings;
in
pkgs.runCommand "taler.conf" { } ''
cat ${includes} > $out
echo >> $out
echo >> $out
cat ${generatedConfig} >> $out
'';
};
}

2
hosts/shark/configuration.nix
View File

@@ -3,7 +3,7 @@
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../base.nix ../../base
../../misc/metrics-exporters.nix ../../misc/metrics-exporters.nix
]; ];

6
justfile
View File

@@ -10,11 +10,15 @@ check:
build-machine machine=`just _a_machine`: build-machine machine=`just _a_machine`:
{{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel {{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel
run-vm machine=`just _a_machine`:
nixos-rebuild build-vm --flake .#{{ machine }}
QEMU_NET_OPTS="hostfwd=tcp::8080-:80,hostfwd=tcp::8081-:443,hostfwd=tcp::2222-:22" ./result/bin/run-*-vm
@update-inputs: @update-inputs:
nix eval .#inputs --apply builtins.attrNames --json \ nix eval .#inputs --apply builtins.attrNames --json \
| jq '.[]' -r \ | jq '.[]' -r \
| gum choose --no-limit --height=15 \ | gum choose --no-limit --height=15 \
| xargs nix flake update --commit-lock-file | xargs -L 1 nix flake lock --update-input
_a_machine: _a_machine:

24
misc/metrics-exporters.nix
View File

@@ -14,13 +14,31 @@
"::1" "::1"
values.hosts.ildkule.ipv4 values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6 values.hosts.ildkule.ipv6
values.hosts.ildkule.ipv4_global
values.hosts.ildkule.ipv6_global
]; ];
}; };
networking.firewall.allowedTCPPorts = [ 9100 ]; services.prometheus.exporters.systemd = {
enable = true;
port = 9101;
extraFlags = [
"--systemd.collector.enable-restart-count"
"--systemd.collector.enable-ip-accounting"
];
};
systemd.services.prometheus-systemd-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = [ 9100 9101 ];
services.promtail = { services.promtail = {
enable = true; enable = true;

44
modules/grzegorz.nix
View File

@@ -1,31 +1,26 @@
{config, lib, pkgs, ...}: {config, lib, pkgs, ...}:
let let
grg = config.services.grzegorz; grg = config.services.greg-ng;
grgw = config.services.grzegorz-webui; grgw = config.services.grzegorz-webui;
in { in {
services.pipewire.enable = true; services.greg-ng = {
services.pipewire.alsa.enable = true; enable = true;
services.pipewire.alsa.support32Bit = true; settings.host = "localhost";
services.pipewire.pulse.enable = true; settings.port = 31337;
enableSway = true;
users.users.pvv = { enablePipewire = true;
isNormalUser = true;
description = "pvv";
}; };
services.grzegorz.enable = true; services.grzegorz-webui = {
services.grzegorz.listenAddr = "localhost"; enable = true;
services.grzegorz.listenPort = 31337; listenAddr = "localhost";
listenPort = 42069;
services.grzegorz-webui.enable = true; listenWebsocketPort = 42042;
services.grzegorz-webui.listenAddr = "localhost"; hostName = "${config.networking.fqdn}";
services.grzegorz-webui.listenPort = 42069; apiBase = "http://${grg.settings.host}:${toString grg.settings.port}/api";
services.grzegorz-webui.listenWebsocketPort = 42042; };
services.grzegorz-webui.hostName = "${config.networking.fqdn}";
services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
services.nginx.enable = true; services.nginx.enable = true;
services.nginx.virtualHosts."${config.networking.fqdn}" = { services.nginx.virtualHosts."${config.networking.fqdn}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@@ -40,20 +35,19 @@ in {
''; '';
locations."/" = { locations."/" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenPort}"; proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenPort}";
}; };
# https://github.com/rawpython/remi/issues/216 # https://github.com/rawpython/remi/issues/216
locations."/websocket" = { locations."/websocket" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenWebsocketPort}"; proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenWebsocketPort}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
locations."/api" = { locations."/api" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}"; proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
}; };
locations."/docs" = { locations."/docs" = {
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}"; proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
}; };
}; };
} }

4
modules/snakeoil-certs.nix
View File

@@ -50,7 +50,7 @@ in
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
script = let script = let
openssl = lib.getExe pkgs.openssl; openssl = lib.getExe pkgs.openssl;
in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: '' in lib.concatMapStringsSep "\n" ({ name, value }: ''
mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}") mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate} if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
then then
@@ -69,6 +69,8 @@ in
chown "${value.owner}:${value.group}" "${value.certificateKey}" chown "${value.owner}:${value.group}" "${value.certificateKey}"
chmod "${value.mode}" "${value.certificate}" chmod "${value.mode}" "${value.certificate}"
chmod "${value.mode}" "${value.certificateKey}" chmod "${value.mode}" "${value.certificateKey}"
echo "\n-----------------\n"
'') (lib.attrsToList cfg); '') (lib.attrsToList cfg);
}; };
systemd.timers."generate-snakeoil-certs" = { systemd.timers."generate-snakeoil-certs" = {

30
packages/bluemap.nix Normal file
View File

@@ -0,0 +1,30 @@
{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
stdenvNoCC.mkDerivation rec {
pname = "bluemap";
version = "5.2";
src = fetchurl {
url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
hash = "sha256-4vld+NBwzBxdwbMtsKuqvO6immkbh4HB//6wdjXaxoU=";
};
dontUnpack = true;
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
runHook preInstall
makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
runHook postInstall
'';
meta = {
description = "3D minecraft map renderer";
homepage = "https://bluemap.bluecolored.de/";
sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ dandellion ];
mainProgram = "bluemap";
};
}

15
secrets/bekkalokk/bekkalokk.yaml
View File

@@ -1,10 +1,12 @@
gitea: gitea:
web-secret-provider:
token: ENC[AES256_GCM,data:pHmBKxrNcLifl4sjR44AGEElfdachja35Tl/InsqvBWturaeTv4R0w==,iv:emBWfXQs2VNqtpDp5iA5swNC+24AWDYYXo6nvN+Fwx4=,tag:lkhSVSs6IqhHpfDPOX0wQA==,type:str]
password: ENC[AES256_GCM,data:hlNzdU1ope0t50/3aztyLeXjMHd2vFPpwURX+Iu8f49DOqgSnEMtV+KtLA==,iv:qljRnSnchL5cFmaUAfCH9GQYQxcy5cyWejgk1x6bFgI=,tag:tIhboFU5kZsj5oAQR3hLbw==,type:str] password: ENC[AES256_GCM,data:hlNzdU1ope0t50/3aztyLeXjMHd2vFPpwURX+Iu8f49DOqgSnEMtV+KtLA==,iv:qljRnSnchL5cFmaUAfCH9GQYQxcy5cyWejgk1x6bFgI=,tag:tIhboFU5kZsj5oAQR3hLbw==,type:str]
database: ENC[AES256_GCM,data:UlS33IdCEyeSvT6ngpmnkBWHuSEqsB//DT+3b7C+UwbD8UXWJlsLf1X8/w==,iv:mPRW5ldyZaHP+y/0vC2JGSLZmlkhgmkvXPk4LazkSDs=,tag:gGk6Z/nbPvzE1zG+tJC8Sw==,type:str] database: ENC[AES256_GCM,data:UlS33IdCEyeSvT6ngpmnkBWHuSEqsB//DT+3b7C+UwbD8UXWJlsLf1X8/w==,iv:mPRW5ldyZaHP+y/0vC2JGSLZmlkhgmkvXPk4LazkSDs=,tag:gGk6Z/nbPvzE1zG+tJC8Sw==,type:str]
email-password: ENC[AES256_GCM,data:KRwC+aL1aPvJuXt91Oq1ttATMnFTnuUy,iv:ats8TygB/2pORkaTZzPOLufZ9UmvVAKoRcWNvYF1z6w=,tag:Do0fA+4cZ3+l7JJyu8hjBg==,type:str] email-password: ENC[AES256_GCM,data:KRwC+aL1aPvJuXt91Oq1ttATMnFTnuUy,iv:ats8TygB/2pORkaTZzPOLufZ9UmvVAKoRcWNvYF1z6w=,tag:Do0fA+4cZ3+l7JJyu8hjBg==,type:str]
passwd-ssh-key: ENC[AES256_GCM,data:L0lF0wvpayss1NU9m3A45cH0bCMQzODTFVrq6EPd1JHx54wIcoaRBYLmxXKXASzBlCg9zlwXMUIk3OQcS3kdzMKL0iqcSL2iicAcKjFIHyrWLqXgwV5pRSP/tRPcVw8KW8gz0bh33EgESs5ReddZ3VZ0Cy1s2YupMRQvBXr89k1+Hv70OWB6P06hvxhv/zKcMGI1N/dWLroMgrQuT9imw4+/Q1RqwzTYeEU+eUn24AM9GjcBg4qf3OI+6g0nXUat/upIYE28iF5J3lbUSmDSmirBLc8xgHLdOyyJPTObWYWYxlSL78T7IqiMm9lI3rtBlpJDDcn/YxZpVqN5bg2154GISNK+uR0TVSLdJ+drdGHIfIX3G78XSxf2L9rbJyRn8MQlgStfdBIQicLavQKVMrmj+XQfvEMez23WbPLjH4oViBQFI+GrOHOGy/f16cz8Sn4n+69OcsOeTxs3tKYdfq6r1XLYSJ/fe/zvxBpaZiyGXljsuyEdIyBL2A8D6uSXe3Nd3/DAdBtceFfIdN1olCdutixzVWgxaJnrel161z5A/4w=,iv:Uy46yY3jFYSvpxrgCHxRMUksnWfhf5DViLMvCXVMMl4=,tag:wFEJ5+icFrOKkc56gY0A5g==,type:str] passwd-ssh-key: ENC[AES256_GCM,data:L0lF0wvpayss1NU9m3A45cH0bCMQzODTFVrq6EPd1JHx54wIcoaRBYLmxXKXASzBlCg9zlwXMUIk3OQcS3kdzMKL0iqcSL2iicAcKjFIHyrWLqXgwV5pRSP/tRPcVw8KW8gz0bh33EgESs5ReddZ3VZ0Cy1s2YupMRQvBXr89k1+Hv70OWB6P06hvxhv/zKcMGI1N/dWLroMgrQuT9imw4+/Q1RqwzTYeEU+eUn24AM9GjcBg4qf3OI+6g0nXUat/upIYE28iF5J3lbUSmDSmirBLc8xgHLdOyyJPTObWYWYxlSL78T7IqiMm9lI3rtBlpJDDcn/YxZpVqN5bg2154GISNK+uR0TVSLdJ+drdGHIfIX3G78XSxf2L9rbJyRn8MQlgStfdBIQicLavQKVMrmj+XQfvEMez23WbPLjH4oViBQFI+GrOHOGy/f16cz8Sn4n+69OcsOeTxs3tKYdfq6r1XLYSJ/fe/zvxBpaZiyGXljsuyEdIyBL2A8D6uSXe3Nd3/DAdBtceFfIdN1olCdutixzVWgxaJnrel161z5A/4w=,iv:Uy46yY3jFYSvpxrgCHxRMUksnWfhf5DViLMvCXVMMl4=,tag:wFEJ5+icFrOKkc56gY0A5g==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str] ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
import-user-env: ENC[AES256_GCM,data:vfaqjGEnUM9VtOPvBurz7nFwzGZt3L2EqijrQej4wiOcGCrRA4tN6kBV6NmhHqlFPsw=,iv:viPGkyOOacCWcgTu25da4qH7DC4wz2qdeC1W2WcMUdI=,tag:BllNqGQoaxqUo3lTz9LGnw==,type:str] import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str]
runners: runners:
alpha: ENC[AES256_GCM,data:gARxCufePz+EMVwEwRsL2iZUfh9HUowWqtb7Juz3fImeeAdbt+k3DvL/Nwgegg==,iv:3fEaWd7v7uLGTy2J7EFQGfN0ztI0uCOJRz5Mw8V5UOU=,tag:Aa6LwWeW2hfDz1SqEhUJpA==,type:str] alpha: ENC[AES256_GCM,data:gARxCufePz+EMVwEwRsL2iZUfh9HUowWqtb7Juz3fImeeAdbt+k3DvL/Nwgegg==,iv:3fEaWd7v7uLGTy2J7EFQGfN0ztI0uCOJRz5Mw8V5UOU=,tag:Aa6LwWeW2hfDz1SqEhUJpA==,type:str]
beta: ENC[AES256_GCM,data:DVjS78IKWiWgf+PuijCZKx4ZaEJGhQr7vl+lc7QOg1JlA4p9Kux/tOD8+f2+jA==,iv:tk3Xk7lKWNdZ035+QVIhxXy2iJbHwunI4jRFM4It46E=,tag:9Mr6o//svYEyYhSvzkOXMg==,type:str] beta: ENC[AES256_GCM,data:DVjS78IKWiWgf+PuijCZKx4ZaEJGhQr7vl+lc7QOg1JlA4p9Kux/tOD8+f2+jA==,iv:tk3Xk7lKWNdZ035+QVIhxXy2iJbHwunI4jRFM4It46E=,tag:9Mr6o//svYEyYhSvzkOXMg==,type:str]
@@ -16,6 +18,8 @@ mediawiki:
postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str] postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str]
cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str] cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str]
admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str] admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
roundcube:
postgres_password: ENC[AES256_GCM,data:fGHmq6r/ZCeIseHL8/gmm5DfWQYorI3OJq1TW0EHvh7rHL62M4TE+Lrlrmq8AIlmGLSWtO8AQzOP3toxidL6xWX3pcwLxtTefa1gom2oQf6ZL4TbAZLidHksdiro6pWtpMOO66bb8O9eXvZmns4=,iv:Irnb2/bgx8WilDyRLleWfo6HHafZ+vlDEwxIcgm1f18=,tag:eTNBUELmLwO7DsQN9CLX7Q==,type:str]
idp: idp:
cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str] cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str] admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
@@ -30,6 +34,9 @@ nettsiden:
admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str] admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
vaultwarden: vaultwarden:
environ: ENC[AES256_GCM,data:CST5I8x8qAkrTy/wbMLL6aFSPDPIU7aWsD1L1MnIATRmk7fcUhfTSFds7quJmIpb2znsIT/WxNI/V/7UW+9ZdPKI64hfPR8MtvrJcbOhU5Fe2IiytFymFbhcOgWAXjbGzs7knQmpfMxSl98sU71oLkRuFdkousdnh4VQFZhUCYM=,iv:Is6xQ7DGdcAQgrrXCS9NbJk67O2uR82rbKOXBTzZHWw=,tag:XVEjCEM5t8qJl6jL89zrkw==,type:str] environ: ENC[AES256_GCM,data:CST5I8x8qAkrTy/wbMLL6aFSPDPIU7aWsD1L1MnIATRmk7fcUhfTSFds7quJmIpb2znsIT/WxNI/V/7UW+9ZdPKI64hfPR8MtvrJcbOhU5Fe2IiytFymFbhcOgWAXjbGzs7knQmpfMxSl98sU71oLkRuFdkousdnh4VQFZhUCYM=,iv:Is6xQ7DGdcAQgrrXCS9NbJk67O2uR82rbKOXBTzZHWw=,tag:XVEjCEM5t8qJl6jL89zrkw==,type:str]
bluemap:
ssh-key: ENC[AES256_GCM,data:nPwsT4RYbMbGp2MChLUh6NXW4ckYr7SQcd6Gy2G8CEU+ugew5pt4d6GOK1fyekspDtet3EkPL2F1AsoPFBB2Rv0boARMslAhBqwWSsbBJTXeTEgAABSMxTPJRBtfJucvv426nyIj3uApoknz6mDCQh1OI6mER0fis7MPaM1506HlDlnIT0FV9EairEsaAmbd0yddByGJSccKIza2vW0qWqrz83P+xrakEONxFz0fJlkO5PRXCcQJVBCqWQfnaHNrWeBWv0QA7vAHlT0yjqJCpDRxN2KYrPWsz7sUbB4UZOtykCRM5kKFq73GUaOKqVECJQhcJi6tERhpJELwjjS8MSqvBD90UTKTshGugfuygTaOyUx4wou3atxMR2Rah9+uZ6mBrLAOLX3JKiAtyhFewPMWjd/UhbMPuzNageVBNz2EMpa4POSVwz5MyViKNSgr9cPcNGqmrnjvr/W/lnj6Ec+W80RiXQlADSE4Q6diLLwB9nlHvKs8NTDgv6sUafcPHpJ2+N4Jkb96dE14bMffQ385SI4vLDcQ8xCQ,iv:WdJIHRzjlm8bEldolCx1Q7pZJvjxGkNZALSOy3IjizU=,tag:5ZAikiqttq/76+thG+4LMw==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data:J6V+NJ9TvYUL2gmcqWWYt8X+n0M7i0RpDpBelWAbFMH64+e9ztHNnC491sm+RogDxqKk0kwQyX2Mz00iq3Gc3wDYyozGOdv3tBKrp7/LcfjUQ9T9hi0yTD3eNV0LAjlAWMTdlW65VGHqGst8ncKbUuVxbBASVlh3A321toZgD+xxUAtNz7qKFa6fDbOS0xLD1+CmTwVp+aPos//QIKzjuk1HqxfBNK82maKtD4JHPS+Y3be2wIEjGWq3H6JYN/RDojD88D/jzo9RwvEjpqLXoOVfy8uX/fbEsgkgfAmPiaG+ePCnchSExEe3a6Y0E+I6YIzvP+tGThJpu4HaT/yW2Rww/jvsxKrXSUhtBZI/SIX5ZAIFB3sFjJXQefJjfNpQTQWhbspLfdemafGaRiDnzVgKDhNL1HNMNsXKDfWa0SLs4//dqerom/QCCNsaqV+4HVzv5x44srChGERadQI/Wh4UG2R19xxbdyIsKPHzv7BhEKufJkjc5upBjWygQrGAkTRHugFpw2Tdkz9yUQSujMkaeRKhVkA+ZUAjwnY5TwqNZBj7U3K2JXoNVHAq194XmrA2dNghh0OmRrvKGwM3HKexX22SXT0bPlpdWRQpMbUgV+uHLMerlDpNMFTIueEBkaF/FWeSW2N5WUrUb1uJ91QcJ8JBgN1riuD1Oxv9RRPrY9VVNJMrYjpAAREN8i8brMTOCJ35s7jnqIei0dNmnNXOoQZPs9kUMeEtUc/Df1E8/aO2Y4yU9gHUuevXnAJWFAiu2IxssgPk6CcNxvapJEmlwkLK/JyuDsWwFxVOHfw5QIEsoDVWXt6eMhquqUgzJI1q7QrTWUQsBb5A5sQKYWQHempOaXuQn1bzA7mU3Gzsr8bNNc6tpy+6j3zTXYR067EX00yqPG+kqRn4QVIuhByxXP3cwXLUG9uD1lsqWrGzs6WCnHr7txhRBXf4WbBVmXModO3uf36cDYEwrUa6yBsARtSl8PJ0UadfY/xULcT5PFvu9+Hi2qj3vp4IU3JCJa9AvXB+11pbSdawprjuDhwQtPwkJ4CQyvZsom3/BOrmwYM5+EyMDIluEQ0z6eDE5buiIVbX6IvXnDCKbrnqVwavX2wqyiDduFLjRfWL/3U2O1yRim78smrDMJABJZvtW+a+GfmlnTd/gnFvS70Fmm/lgtY051ISL/iFx6toJRoBMMiI/Zvy13uQry+w/HbyFl42DIank8tf7kuN3E9M7ADGMubRJJ0AZOcQddrFnR4Gl2nU2+3RS5fLHaBf9QHK6W92/n//xmPkYqrkPacew4eBjUqM32jVGuBpDc964fK9kdtIdw8q5P1s/ph3I79Y24kGeuO1AVJuZvkaTv1Z7GgI9+K9TstKJ9XpRCidLpLSP+uHOWkqcNsQlt6ilTlfHj+MKoD85dKZ315QMmpiuYEvzCSP1aYTb9dpd61Su/IVuM3r2NuINNEZ166YlHQVsLNpDn8E5ahk3ZInOAg6/kaKTmjUI8KEvX4BR3PbbViAlJJb3suJ0oZBGPUlrW5uLRmADvf2mMDVO5zY7/m9DQwxjt4Miu0l8ZaUc0YJQ850lBKucQ==,iv:GI8w7h7xX8gMHuAoWUyrW+BQb85LNlASoYvGBPlCZaI=,tag:WnHNMevfFSMc0ikBZwWn/g==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@@ -90,8 +97,8 @@ sops:
UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr
4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg== 4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-26T02:07:41Z" lastmodified: "2024-10-12T21:56:27Z"
mac: ENC[AES256_GCM,data:CRaJefV1zcJc6eyzyjTLgd0+Wv46VT8o4iz2YAGU+c2b/Cr97Tj290LoEO6UXTI3uFwVfzii2yZ2l+4FK3nVVriD4Cx1O/9qWcnLa5gfK30U0zof6AsJx8qtGu1t6oiPlGUCF7sT0BW9Wp8cPumrY6cZp9QbhmIDV0o0aJNUNN4=,iv:8OSYV1eG6kYlJD4ovZZhcD1GaYnmy7vHPa/+7egM1nE=,tag:OPI13rpDh2l1ViFj8TBFWg==,type:str] mac: ENC[AES256_GCM,data:bZ1BbVC6D+B6SFze2ReeCUcQamK/O14zH3YxCjWBwMC++w3niIiEx4Bq7Ulci5yuMld0luVsfUzHoqFN/+zvZbV2rGVk8lVRiTrpFoSZ78aUUgeHG9ROLXsR7T7rVhLWbl86y1G5LcKws7G55V0wAh6f58WjYYzwR8fnBmfW1Ko=,iv:7xtMdtXQB9uZirE/CkUSmeu0qnG++R7DUR7zn/Bo0lM=,tag:DH/BJPpAp//quDqKNXyHcg==,type:str]
pgp: pgp:
- created_at: "2024-08-04T00:03:28Z" - created_at: "2024-08-04T00:03:28Z"
enc: |- enc: |-
@@ -114,4 +121,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.9.1

7
secrets/bicep/bicep.yaml
View File

@@ -1,5 +1,6 @@
calendar-bot: calendar-bot:
matrix_token: ENC[AES256_GCM,data:zJv9sw6pEzb9hxKT682wsD87HC9iejbps2wl2Z5QW1XZUSBHdcqyg1pxd+jFKTeKGQ==,iv:zDbvF1H98NsECjCtGXS+Y9HIhXowzz9HF9mltqnArog=,tag:/ftcOSQ13ElkVJBxYIMUGQ==,type:str] matrix_token: ENC[AES256_GCM,data:zJv9sw6pEzb9hxKT682wsD87HC9iejbps2wl2Z5QW1XZUSBHdcqyg1pxd+jFKTeKGQ==,iv:zDbvF1H98NsECjCtGXS+Y9HIhXowzz9HF9mltqnArog=,tag:/ftcOSQ13ElkVJBxYIMUGQ==,type:str]
mysql_password: ENC[AES256_GCM,data:Gqag8yOgPH3ntoT5TmaqJWv1j+si2qIyz5Ryfw5E2A==,iv:kQDcxnPfwJQcFovI4f87UDt18F8ah3z5xeY86KmdCyY=,tag:A1sCSNXJziAmtUWohqwJgg==,type:str]
mysql: mysql:
password: ENC[AES256_GCM,data:KqEe0TVdeMIzPKsmFg9x0X9xWijnOk306ycyXTm2Tpqo/O0F,iv:Y+hlQ8n1ZIP9ncXBzd2kCSs/DWVTWhiEluFVwZFKRCA=,tag:xlaUk0Wftk62LpYE5pKNQw==,type:str] password: ENC[AES256_GCM,data:KqEe0TVdeMIzPKsmFg9x0X9xWijnOk306ycyXTm2Tpqo/O0F,iv:Y+hlQ8n1ZIP9ncXBzd2kCSs/DWVTWhiEluFVwZFKRCA=,tag:xlaUk0Wftk62LpYE5pKNQw==,type:str]
sops: sops:
@@ -62,8 +63,8 @@ sops:
cTh5bnJ3WW90aXRCSUp6NHFYeU1tZ0kK4afdtJwGNu6wLRI0fuu+mBVeqVeB0rgX cTh5bnJ3WW90aXRCSUp6NHFYeU1tZ0kK4afdtJwGNu6wLRI0fuu+mBVeqVeB0rgX
0q5hwyzjiRnHnyjF38CmcGgydSfDRmF6P+WIMbCwXC6LwfRhAmBGPg== 0q5hwyzjiRnHnyjF38CmcGgydSfDRmF6P+WIMbCwXC6LwfRhAmBGPg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-09-05T23:28:56Z" lastmodified: "2024-08-15T21:18:33Z"
mac: ENC[AES256_GCM,data:pCWTkmCQgBOqhejK2sCLQ3H8bRXmXlToQxYmOG0IWDo2eGiZOLuIkZ1/1grYgfxAGiD4ysJod0nJuvo+eAsMeYAy6QJVtrOqO2d9V2NEdzLckXyYvwyJyZoFbNC5EW9471V0m4jLRSh5821ckNo/wtWFR11wfO15tI3MqtD1rtA=,iv:QDnckPl0LegaH0b7V4WAtmVXaL4LN+k3uKHQI2dkW7E=,tag:mScUQBR0ZHl1pi/YztrvFg==,type:str] mac: ENC[AES256_GCM,data:uR5HgeDAYqoqB9kk1V6p0T30+v6WpQJi4+qIeCDRnoUPnQKUVR10hvBhICck+E+Uh8p+tGhM6Uf3YrAJAV0ZCUiNJjtwDJQQLUDT53vdOAXN4xADCQqNuhgVwVMaruoTheEiwOswRuhFeEwy0gBj3Ze2pu47lueHYclmEzumLeQ=,iv:t0UyXN2YaR2m7M/pV2wTLJG5wVfqTIUs7wSQMmyeTVw=,tag:O7dIffzrDAXz3kGx5uazhw==,type:str]
pgp: pgp:
- created_at: "2024-08-04T00:03:40Z" - created_at: "2024-08-04T00:03:40Z"
enc: |- enc: |-
@@ -86,4 +87,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.9.0

16
secrets/bicep/matrix.yaml
View File

@@ -2,14 +2,16 @@ synapse:
turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str] turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str]
user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str] user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str]
signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str] signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str]
sliding-sync:
env: ENC[AES256_GCM,data:DsU1qKTy5sn06Y0S5kFUqZHML20n6HdHUdXsQRUw,iv:/TNTc+StAZbf6pBY9CeXdxkx8E+3bak/wOqHyBNMprU=,tag:er5u4FRlSmUZrOT/sj+RhQ==,type:str]
coturn: coturn:
static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str] static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str]
mjolnir: mjolnir:
access_token: ENC[AES256_GCM,data:ERFqZjK7MRD0xWt91FNCIxP1YC6Qj54QgnckHlCTtcQVLWaM1h2h9lHS+K8=,iv:1d7vmFkXAPcsmumzlmOT31amdrKLWtL5sJiS8G9g+LE=,tag:2l0vWzJ6P12ofuBdf5CCWw==,type:str] access_token: ENC[AES256_GCM,data:ERFqZjK7MRD0xWt91FNCIxP1YC6Qj54QgnckHlCTtcQVLWaM1h2h9lHS+K8=,iv:1d7vmFkXAPcsmumzlmOT31amdrKLWtL5sJiS8G9g+LE=,tag:2l0vWzJ6P12ofuBdf5CCWw==,type:str]
registrations: discord:
mx-puppet-discord: ENC[AES256_GCM,data:FleyXxgOmc05nTP6M2DBJlacufN3p/05eZm4kB8+K4ci0k24o3zli988wlM/kyeZmxu4pgQlJ3lNLte4uip2hBXHWG5t5Ldzmr7bNCUD+r7nM+I1lfNkrDROPZ54bHysmn9O5CHpEa16rSo6RJgncIPqsLJxTwjC7qZlkOpzqvMhkq/MHCVOpvg0M/6AUR+AlSZoggujBMoXLznQNQapN13foEsbuo/QxjszM/ObGmhYMVyaS+TDBXzQLA8Yuj50Q/gZCIINWZ4G2qmgsGxxNR4I+usUQml/jxCtIXS4zn/ettXfL9G4Fdm2F9u1v11DehtTGa5xoxDq94M9rIxOqeJpvgEQEyyKAyFUIrlINfGl7tAj4Zu7+9Z8JTRAnppjM1q8iInwn/Z2L9KgB0YFi/Go1whgXly+TH6hpreo7m5klXV/ff/aV3ghOgFCGA8nBrZFqE8Uw268q9tV1s1dxCb6TbpGf19V5c9MD6BsCIVeoq+j9I/I8iZpzg2Reb4IlHhMDwbwsL2w2ks30wiZ9XO/CFrXDY4uBlI=,iv:3vvkGvldS8Raibg6tzlV8VY1O9NCLxSuNX/lwi1QgiA=,tag:D/noIsE3xlOiYM6Pk+cc8Q==,type:str] as_token: ENC[AES256_GCM,data:cnPZjBbODZUA1p0kLNeWpKh1oGkDPxDw/g7163XnoRCIgpqk,iv:Uu4L36uDPMBgzdXE2Lt9U0qrBSl3Xuufh1313BD8B/U=,tag:nTm6s7IGd4vNzZ95mfxDpA==,type:str]
hs_token: ENC[AES256_GCM,data:UzcaNsJtJPKvFT4gQDNfat0nmyJzmQ6OcSI73pANibzOVrWl,iv:ujgRM2jb1rbeloPB4UPLBEvQ7uue4a+bHiqsZAHIqtk=,tag:uIfuaTWSTeVvpQx5o28HPA==,type:str]
hookshot:
as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@@ -70,8 +72,8 @@ sops:
WEh5NFN6SFF1TlltdWFWTGw4MHRHUkUKrKIvC87xjEmwxPQhH8dN+ZuaJTCgPY28 WEh5NFN6SFF1TlltdWFWTGw4MHRHUkUKrKIvC87xjEmwxPQhH8dN+ZuaJTCgPY28
pR62KxmoKFICLTHPpYP3euiAx5M9BWvgvCnA/US/5klpk8MtlreNFA== pR62KxmoKFICLTHPpYP3euiAx5M9BWvgvCnA/US/5klpk8MtlreNFA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-22T00:31:46Z" lastmodified: "2024-10-13T23:30:01Z"
mac: ENC[AES256_GCM,data:UpnaUfRxvdyzBy5x4EC3w5LQ1qWxILTQhpyVPd9whTzQMAivAHT0pVmP9aE4T9w3NcWTaghp+f70GmQXx/OCC6DsRCWtU9pFHRj12YUowM3yB5lVTOomOLZQ9m4gUXw5I2GZHWBJn8CyosDcBMlXz2tiR91v/8Ulh6sDSAO86U0=,iv:5GcgRvbpqDEslZruKHM/TcMaF52A5X7AK41DEbrsRIQ=,tag:ndDgCRyX1aDRnzEUNmpoMw==,type:str] mac: ENC[AES256_GCM,data:vdsAZmg7gPqzeucBhLhPemtRVkcxRecIdB6PXZ4paU+Uv5UorBKcTZ3jseN2cLi6ot3ycTIm+UI6uhlCy87vAJVynVJhuJS+ICFRS2+DfoVyuttLjZQGC2sr3+dEBHxIH7sZJSo9PIzbIWw3qHrpOPAZj0//1pFyp/k15k3vidM=,iv:jWtV+WAPt08lgdrVvtXOl35rDB4QflkZWuGBW1+ESyw=,tag:YxSHncZZOAW5uDxXtb/krw==,type:str]
pgp: pgp:
- created_at: "2024-08-04T00:03:46Z" - created_at: "2024-08-04T00:03:46Z"
enc: |- enc: |-
@@ -94,4 +96,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.8.1

13
users/alfhj.nix Normal file
View File

@@ -0,0 +1,13 @@
{pkgs, ...}:
{
users.users.alfhj = {
isNormalUser = true;
extraGroups = [ "wheel" ];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMCAYE0U3sFizm/NSbKCs0jEhZ1mpAWPcijFevejiFL1 alfhj"
];
};
}

2
users/danio.nix
View File

@@ -3,7 +3,7 @@
{ {
users.users.danio = { users.users.danio = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "drift" "nix-builder-users" ]; extraGroups = [ "drift" "nix-builder-users" "wheel" ];
shell = pkgs.zsh; shell = pkgs.zsh;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [

46
values.nix
View File

@@ -25,16 +25,17 @@ in rec {
hosts = { hosts = {
gateway = pvv-ipv4 129; gateway = pvv-ipv4 129;
gateway6 = pvv-ipv6 1;
bekkalokk = { bekkalokk = {
ipv4 = pvv-ipv4 168; ipv4 = pvv-ipv4 168;
ipv6 = pvv-ipv6 168; ipv6 = pvv-ipv6 168;
}; };
ildkule = { ildkule = {
ipv4 = "10.212.25.209"; ipv4 = "129.241.153.213";
ipv6 = "2001:700:300:6025:f816:3eff:feee:812d"; ipv4_internal = "192.168.12.209";
ipv4_internal_gw = "192.168.12.1";
ipv4_global = "129.241.153.213"; ipv6 = "2001:700:300:6026:f816:3eff:fe58:f1e8";
ipv6_global = "2001:700:300:6026:f816:3eff:fe58:f1e8";
}; };
bicep = { bicep = {
ipv4 = pvv-ipv4 209; ipv4 = pvv-ipv4 209;
@@ -59,39 +60,18 @@ in rec {
ipv4 = pvv-ipv4 204; ipv4 = pvv-ipv4 204;
ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
}; };
buskerud = { kvernberg = {
ipv4 = pvv-ipv4 231; ipv4 = pvv-ipv4 206;
ipv6 = pvv-ipv6 231; ipv6 = pvv-ipv6 "1:206";
}; };
}; };
defaultNetworkConfig = { defaultNetworkConfig = {
networkConfig.IPv6AcceptRA = "no"; dns = [ "129.241.0.200" "129.241.0.201" "2001:700:300:1900::200" "2001:700:300:1900::201" ];
gateway = [ hosts.gateway ];
dns = [ "129.241.0.200" "129.241.0.201" ];
domains = [ "pvv.ntnu.no" "pvv.org" ]; domains = [ "pvv.ntnu.no" "pvv.org" ];
gateway = [ hosts.gateway hosts.gateway6 ];
networkConfig.IPv6AcceptRA = "no";
DHCP = "no"; DHCP = "no";
}; };
openstackGlobalNetworkConfig = {
networkConfig.IPv6AcceptRA = "yes";
dns = [ "129.241.0.200" "129.241.0.201" ];
domains = [ "pvv.ntnu.no" "pvv.org" ];
DHCP = "yes";
};
openstackLocalNetworkConfig = {
networkConfig.IPv6AcceptRA = "no";
dns = [ "129.241.0.200" "129.241.0.201" ];
domains = [ "pvv.ntnu.no" "pvv.org" ];
DHCP = "yes";
# Only use this network for link-local networking, not global/default routes
dhcpV4Config.UseRoutes = "no";
routes = [
{ routeConfig = { Destination = "10.0.0.0/8"; Gateway = "_dhcp4"; }; }
];
linkConfig.RequiredForOnline = "no";
};
} }