felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-02-21 01:17:53 +01:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: felixalb:selective_cross
Branches Tags
felixalb:main felixalb:selective_cross felixalb:fmt felixalb:errorpages felixalb:PVVtheme2026 felixalb:dagali-heimdal-openldap-sasl-stack felixalb:skrot-new-thing felixalb:shellcheck felixalb:loginpage felixalb:temmie-userweb felixalb:gitea-robots-txt felixalb:kommode-disko felixalb:skrott-cross-compile felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim
..
compare: felixalb:loginpage
Branches Tags
felixalb:selective_cross felixalb:fmt felixalb:errorpages felixalb:PVVtheme2026 felixalb:dagali-heimdal-openldap-sasl-stack felixalb:main felixalb:skrot-new-thing felixalb:shellcheck felixalb:loginpage felixalb:temmie-userweb felixalb:gitea-robots-txt felixalb:kommode-disko felixalb:skrott-cross-compile felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim

1 Commits
selective_ ... loginpage

Author SHA1 Message Date
Adrian G L
407e95d696 Added back old ssphp login theme 2026-02-07 21:44:54 +01:00
165 changed files with 25423 additions and 13807 deletions
Expand all files Collapse all files

6
.mailmap
View File

@@ -23,9 +23,3 @@ Adrian Gunnar Lauterer <adriangl@pvv.ntnu.no> Adrian Gunnar Lauterer <adrian@lau
Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no> Fredrik Robertsen <frero@pvv.ntnu.no> frero <frero@pvv.ntnu.no>
Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com> Fredrik Robertsen <frero@pvv.ntnu.no> fredrikr79 <fredrikrobertsen7@gmail.com>
Fredrik Robertsen <frero@pvv.ntnu.no> fredrik <fredrikr79@pm.me>
Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Matthey <VegardMatthey@protonmail.com>
Vegard Bieker Matthey <vegardbm@pvv.ntnu.no> Vegard Bieker Matthey <VegardMatthey@protonmail.com>
Albert Bayazidi <albertba@pvv.ntnu.no> Albert <albert.bayazidi@gmail.com>

16
.sops.yaml
View File

@@ -20,9 +20,7 @@ keys:
- &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9 - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
- &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
- &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
- &host_skrott age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8 - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
- &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
creation_rules: creation_rules:
# Global secrets # Global secrets
@@ -139,24 +137,10 @@ creation_rules:
- path_regex: secrets/skrott/[^/]+\.yaml$ - path_regex: secrets/skrott/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_skrott
- *user_danio - *user_danio
- *user_felixalb - *user_felixalb
- *user_pederbs_sopp - *user_pederbs_sopp
- *user_pederbs_nord - *user_pederbs_nord
- *user_pederbs_bjarte - *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
- path_regex: secrets/skrot/[^/]+\.yaml$
key_groups:
- age:
- *host_skrot
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp: pgp:
- *user_oysteikt - *user_oysteikt

2
README.md
View File

@@ -43,7 +43,6 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
| [kommode][kom] | Virtual | Gitea + Gitea pages | | [kommode][kom] | Virtual | Gitea + Gitea pages |
| [lupine][lup] | Physical | Gitea CI/CD runners | | [lupine][lup] | Physical | Gitea CI/CD runners |
| shark | Virtual | Test host for authentication, absolutely horrendous | | shark | Virtual | Test host for authentication, absolutely horrendous |
| [skrot/skrott][skr] | Physical | Kiosk, snacks and soda |
| [wenche][wen] | Virtual | Nix-builders, general purpose compute | | [wenche][wen] | Virtual | Nix-builders, general purpose compute |
## Documentation ## Documentation
@@ -60,5 +59,4 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
[ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
[kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
[lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott
[wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche

2
base/default.nix
View File

@@ -81,7 +81,7 @@
AllowHibernation=no AllowHibernation=no
''; '';
# users.mutableUsers = lib.mkDefault false; users.mutableUsers = lib.mkDefault false;
users.groups."drift".name = "drift"; users.groups."drift".name = "drift";

24
base/nix.nix
View File

@@ -1,9 +1,4 @@
{ { lib, config, inputs, ... }:
lib,
config,
inputs,
...
}:
{ {
nix = { nix = {
gc = { gc = {
@@ -16,21 +11,16 @@
allow-dirty = true; allow-dirty = true;
auto-allocate-uids = true; auto-allocate-uids = true;
builders-use-substitutes = true; builders-use-substitutes = true;
experimental-features = [ experimental-features = [ "nix-command" "flakes" "auto-allocate-uids" ];
"nix-command"
"flakes"
"auto-allocate-uids"
];
log-lines = 50; log-lines = 50;
use-xdg-base-directories = true; use-xdg-base-directories = true;
}; };
/* /* This makes commandline tools like
This makes commandline tools like ** nix run nixpkgs#hello
** nix run nixpkgs#hello ** and nix-shell -p hello
** and nix-shell -p hello ** use the same channel the system
** use the same channel the system ** was built with
** was built with
*/ */
registry = lib.mkMerge [ registry = lib.mkMerge [
{ {

8
base/programs.nix
View File

@@ -13,15 +13,9 @@
# Debug and find files # Debug and find files
file file
# Process json data
jq
# Check computer specs # Check computer specs
lshw lshw
# Check who is keeping open files
lsof
# Scan for open ports with netstat # Scan for open ports with netstat
net-tools net-tools
@@ -60,8 +54,6 @@
programs.nano.enable = true; programs.nano.enable = true;
# Same reasoning as nano # Same reasoning as nano
programs.vim.enable = true; programs.vim.enable = true;
# Same reasoning as vim
programs.neovim.enable = true;
# Some people like this shell for some reason # Some people like this shell for some reason
programs.zsh.enable = true; programs.zsh.enable = true;

4
base/services/acme.nix
View File

@@ -2,12 +2,14 @@
{ {
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = "acme-drift@pvv.ntnu.no"; defaults.email = "drift@pvv.ntnu.no";
}; };
# Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode: # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
virtualisation.vmVariant = { virtualisation.vmVariant = {
security.acme.defaults.server = "https://127.0.0.1"; security.acme.defaults.server = "https://127.0.0.1";
security.acme.preliminarySelfsigned = true;
users.users.root.initialPassword = "root"; users.users.root.initialPassword = "root";
}; };
} }

40
base/services/auto-upgrade.nix
View File

@@ -1,10 +1,4 @@
{ { config, inputs, pkgs, lib, ... }:
config,
inputs,
pkgs,
lib,
...
}:
let let
inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs; inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs;
@@ -22,34 +16,26 @@ in
# --update-input is deprecated since nix 2.22, and removed in lix 2.90 # --update-input is deprecated since nix 2.22, and removed in lix 2.90
# as such we instead use --override-input combined with --refresh # as such we instead use --override-input combined with --refresh
# https://git.lix.systems/lix-project/lix/issues/400 # https://git.lix.systems/lix-project/lix/issues/400
] ] ++ (lib.pipe inputUrls [
++ (lib.pipe inputUrls [
(lib.intersectAttrs { (lib.intersectAttrs {
nixpkgs = { }; nixpkgs = { };
nixpkgs-unstable = { }; nixpkgs-unstable = { };
}) })
(lib.mapAttrsToList ( (lib.mapAttrsToList (input: url: ["--override-input" input url]))
input: url: [
"--override-input"
input
url
]
))
lib.concatLists lib.concatLists
]); ]);
}; };
# workaround for https://github.com/NixOS/nix/issues/6895 # workaround for https://github.com/NixOS/nix/issues/6895
# via https://git.lix.systems/lix-project/lix/issues/400 # via https://git.lix.systems/lix-project/lix/issues/400
environment.etc = environment.etc = lib.mkIf (!config.virtualisation.isVmVariant) {
lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) "current-system-flake-inputs.json".source
{ = pkgs.writers.writeJSON "flake-inputs.json" (
"current-system-flake-inputs.json".source = pkgs.writers.writeJSON "flake-inputs.json" ( lib.flip lib.mapAttrs inputs (name: input:
lib.flip lib.mapAttrs inputs ( # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
name: input: lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
# inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
lib.removeAttrs (input.sourceInfo or { }) [ "outPath" ] // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs )
) );
); };
};
} }

7
base/services/journald-upload.nix
View File

@@ -1,9 +1,4 @@
{ { config, lib, values, ... }:
config,
lib,
values,
...
}:
let let
cfg = config.services.journald.upload; cfg = config.services.journald.upload;
in in

5
base/services/logrotate.nix
View File

@@ -1,10 +1,7 @@
{ ... }: { ... }:
{ {
systemd.services.logrotate = { systemd.services.logrotate = {
documentation = [ documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
"man:logrotate(8)"
"man:logrotate.conf(5)"
];
unitConfig.RequiresMountsFor = "/var/log"; unitConfig.RequiresMountsFor = "/var/log";
serviceConfig.ReadWritePaths = [ "/var/log" ]; serviceConfig.ReadWritePaths = [ "/var/log" ];
}; };

5
base/services/nginx.nix
View File

@@ -11,10 +11,7 @@
}; };
}; };
networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
80
443
];
services.nginx = { services.nginx = {
recommendedTlsSettings = true; recommendedTlsSettings = true;

9
base/services/openssh.nix
View File

@@ -12,9 +12,10 @@
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
}; };
users.users."root".openssh.authorizedKeys.keys = [ users.users."root".openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqVt4LCe0YIttr9swFxjkjn37ZDY9JxwVC+2gvfSINDJorOCtqPjDOTD2fTS1Gz08QCwpnLWq2kyvRchu6WgriAbSACpbZZBgxRaF/FVh3oiMVFGnNKGnv6/fdo/vZtu8mUVuqtmTrgLYpZdbR4oD3XiBlDKs7Cv5hPqt95lnP6MNFvE8mICCfd1PwhsABd2IQ5laz3u77/RXhNFJL0Kf2/+6gk9awcLuwHrPdvq7c3BxRHbc9UMRQENyjyQPa7aLe+uJBFLKP51I8VBuDpDacuibQx7nMt6N2UJ2KWI0JxRMHuJNq4S5jidR82aOw9gzGbTv30SKNLMqsZ0xj4LtdqCXDiZF6Lr09PsJYsvnBUFWa14HGcThKDtgwQwBryNViYmfv//0h9+RLZiU0ab+NEwSs7Zh5iAD+vhx64QqNX3tR7Le4SWXh8W0eShU9N78qYdSkiC3Ui7htxeqOocXM/P4AwbnHsLELIvkHdvgchCPvl8ygZa4WJTEWv16+ICskJcAKWGuqjvXAFuwjJJmPp9xLW9O0DFfQhMELiGamQR9wK07yYQVr34iah6qZO7cwhSKyEPFrVPIaNtfDhsjED639F7vmktf26SWNJHWfW0wOHILjI6TgqUvy0JDd8W8w0CHlAfz6Fs2l99NNgNF8dB3vBASbxS0hu/y0PVu/xQ== openstack-sleipner" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqVt4LCe0YIttr9swFxjkjn37ZDY9JxwVC+2gvfSINDJorOCtqPjDOTD2fTS1Gz08QCwpnLWq2kyvRchu6WgriAbSACpbZZBgxRaF/FVh3oiMVFGnNKGnv6/fdo/vZtu8mUVuqtmTrgLYpZdbR4oD3XiBlDKs7Cv5hPqt95lnP6MNFvE8mICCfd1PwhsABd2IQ5laz3u77/RXhNFJL0Kf2/+6gk9awcLuwHrPdvq7c3BxRHbc9UMRQENyjyQPa7aLe+uJBFLKP51I8VBuDpDacuibQx7nMt6N2UJ2KWI0JxRMHuJNq4S5jidR82aOw9gzGbTv30SKNLMqsZ0xj4LtdqCXDiZF6Lr09PsJYsvnBUFWa14HGcThKDtgwQwBryNViYmfv//0h9+RLZiU0ab+NEwSs7Zh5iAD+vhx64QqNX3tR7Le4SWXh8W0eShU9N78qYdSkiC3Ui7htxeqOocXM/P4AwbnHsLELIvkHdvgchCPvl8ygZa4WJTEWv16+ICskJcAKWGuqjvXAFuwjJJmPp9xLW9O0DFfQhMELiGamQR9wK07yYQVr34iah6qZO7cwhSKyEPFrVPIaNtfDhsjED639F7vmktf26SWNJHWfW0wOHILjI6TgqUvy0JDd8W8w0CHlAfz6Fs2l99NNgNF8dB3vBASbxS0hu/y0PVu/xQ== openstack-sleipner"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
]; ];
} }

7
base/services/postfix.nix
View File

@@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
cfg = config.services.postfix; cfg = config.services.postfix;
in in

7
base/services/prometheus-node-exporter.nix
View File

@@ -1,9 +1,4 @@
{ { config, lib, values, ... }:
config,
lib,
values,
...
}:
let let
cfg = config.services.prometheus.exporters.node; cfg = config.services.prometheus.exporters.node;
in in

7
base/services/prometheus-systemd-exporter.nix
View File

@@ -1,9 +1,4 @@
{ { config, lib, values, ... }:
config,
lib,
values,
...
}:
let let
cfg = config.services.prometheus.exporters.systemd; cfg = config.services.prometheus.exporters.systemd;
in in

55
base/services/promtail.nix
View File

@@ -1,9 +1,4 @@
{ { config, lib, values, ... }:
config,
lib,
values,
...
}:
let let
cfg = config.services.prometheus.exporters.node; cfg = config.services.prometheus.exporters.node;
in in
@@ -15,33 +10,29 @@ in
http_listen_port = 28183; http_listen_port = 28183;
grpc_listen_port = 0; grpc_listen_port = 0;
}; };
clients = [ clients = [{
{ url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push"; }];
} scrape_configs = [{
]; job_name = "systemd-journal";
scrape_configs = [ journal = {
{ max_age = "12h";
job_name = "systemd-journal"; labels = {
journal = { job = "systemd-journal";
max_age = "12h"; host = config.networking.hostName;
labels = {
job = "systemd-journal";
host = config.networking.hostName;
};
}; };
relabel_configs = [ };
{ relabel_configs = [
source_labels = [ "__journal__systemd_unit" ]; {
target_label = "unit"; source_labels = [ "__journal__systemd_unit" ];
} target_label = "unit";
{ }
source_labels = [ "__journal_priority_keyword" ]; {
target_label = "level"; source_labels = [ "__journal_priority_keyword" ];
} target_label = "level";
]; }
} ];
]; }];
}; };
}; };
} }

16
base/services/smartd.nix
View File

@@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
{ {
services.smartd = { services.smartd = {
# NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the # NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
@@ -19,12 +14,9 @@
}; };
}; };
environment.systemPackages = lib.optionals config.services.smartd.enable ( environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
with pkgs; smartmontools
[ ]);
smartmontools
]
);
systemd.services.smartd.unitConfig.ConditionVirtualization = "no"; systemd.services.smartd.unitConfig.ConditionVirtualization = "no";
} }

6
base/services/thermald.nix
View File

@@ -2,7 +2,7 @@
{ {
# Let's not thermal throttle # Let's not thermal throttle
services.thermald.enable = lib.mkIf (lib.all (x: x) [ services.thermald.enable = lib.mkIf (lib.all (x: x) [
(config.nixpkgs.system == "x86_64-linux") (config.nixpkgs.system == "x86_64-linux")
(!config.boot.isContainer or false) (!config.boot.isContainer or false)
]) true; ]) true;
} }

76
base/services/uptimed.nix
View File

@@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
cfg = config.services.uptimed; cfg = config.services.uptimed;
in in
@@ -20,48 +15,45 @@ in
services.uptimed = { services.uptimed = {
enable = true; enable = true;
settings = settings = let
let stateDir = "/var/lib/uptimed";
stateDir = "/var/lib/uptimed"; in {
in PIDFILE = "${stateDir}/pid";
{ SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
PIDFILE = "${stateDir}/pid"; };
SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
};
}; };
systemd.services.uptimed = lib.mkIf (cfg.enable) { systemd.services.uptimed = lib.mkIf (cfg.enable) {
serviceConfig = serviceConfig = let
let uptimed = pkgs.uptimed.overrideAttrs (prev: {
uptimed = pkgs.uptimed.overrideAttrs (prev: { postPatch = ''
postPatch = '' substituteInPlace Makefile.am \
substituteInPlace Makefile.am \ --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
--replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf' substituteInPlace src/Makefile.am \
substituteInPlace src/Makefile.am \ --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
--replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf' '';
''; });
});
in in {
{ Type = "notify";
Type = "notify";
ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f"; ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
BindReadOnlyPaths = BindReadOnlyPaths = let
let configFile = lib.pipe cfg.settings [
configFile = lib.pipe cfg.settings [ (lib.mapAttrsToList
(lib.mapAttrsToList ( (k: v:
k: v: if builtins.isList v then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v else "${k}=${v}" if builtins.isList v
)) then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v
(lib.concatStringsSep "\n") else "${k}=${v}")
(pkgs.writeText "uptimed.conf") )
]; (lib.concatStringsSep "\n")
in (pkgs.writeText "uptimed.conf")
[ ];
"${configFile}:/var/lib/uptimed/uptimed.conf" in [
]; "${configFile}:/var/lib/uptimed/uptimed.conf"
}; ];
};
}; };
}; };
} }

15
base/sops.nix
View File

@@ -1,15 +1,8 @@
{ config, fp, lib, ... }:
{ {
config, sops.defaultSopsFile = let
fp, secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
lib, in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
...
}:
{
sops.defaultSopsFile =
let
secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
in
lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
sops.age = lib.mkIf (config.sops.defaultSopsFile != null) { sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];

1
base/vm.nix
View File

@@ -11,6 +11,5 @@
}; };
config.virtualisation.vmVariant = { config.virtualisation.vmVariant = {
virtualisation.isVmVariant = true; virtualisation.isVmVariant = true;
virtualisation.graphics = false;
}; };
} }

2
docs/secret-management.md
View File

@@ -151,7 +151,7 @@ is up to date, you can do the following:
```console ```console
# Fetch gpg (unless you have it already) # Fetch gpg (unless you have it already)
nix shell nixpkgs#gnupg nix-shell -p gpg
# Import oysteikts key to the gpg keychain # Import oysteikts key to the gpg keychain
gpg --import ./keys/oysteikt.pub gpg --import ./keys/oysteikt.pub

107
flake.lock generated
View File

@@ -2,16 +2,17 @@
"nodes": { "nodes": {
"dibbler": { "dibbler": {
"inputs": { "inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1770133120, "lastModified": 1768138611,
"narHash": "sha256-RuAWONXb+U3omSsuIPCrPcgj0XYqv+2djG0cnPGEyKg=", "narHash": "sha256-KfZX6wpuwE2IRKLjh0DrEviE4f6kqLJWwKIE5QJSqa4=",
"ref": "main", "ref": "main",
"rev": "3123b8b474319bc75ee780e0357dcdea69dc85e6", "rev": "cb385097dcda5fb9772f903688d078b30a66ccd4",
"revCount": 244, "revCount": 221,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/dibbler.git" "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
}, },
@@ -60,6 +61,23 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"gergle": { "gergle": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -174,11 +192,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1769500363, "lastModified": 1768749374,
"narHash": "sha256-vFxmdsLBPdTy5j2bf54gbTQi1XnWbZDmeR/BBh8MFrw=", "narHash": "sha256-dhXYLc64d7TKCnRPW4TlHGl6nLRNdabJB2DpJ8ffUw0=",
"ref": "main", "ref": "main",
"rev": "2618e434e40e109eaab6a0693313c7e0de7324a3", "rev": "040294f2e1df46e33d995add6944b25859654097",
"revCount": 47, "revCount": 37,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git" "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
}, },
@@ -195,11 +213,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1770960722, "lastModified": 1767906352,
"narHash": "sha256-IdhPsWFZUKSJh/nLjGLJvGM5d5Uta+k1FlVYPxTZi0E=", "narHash": "sha256-wYsH9MMAPFG3XTL+3DwI39XMG0F2fTmn/5lt265a3Es=",
"ref": "main", "ref": "main",
"rev": "c2e4aca7e1ba27cd09eeaeab47010d32a11841b2", "rev": "d054c5d064b8ed6d53a0adb0cf6c0a72febe212e",
"revCount": 15, "revCount": 13,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git" "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
}, },
@@ -217,11 +235,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1769018862, "lastModified": 1768955766,
"narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=", "narHash": "sha256-V9ns1OII7sWSbIDwPkiqmJ3Xu/bHgQzj+asgH9cTpOo=",
"owner": "oddlama", "owner": "oddlama",
"repo": "nix-topology", "repo": "nix-topology",
"rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f", "rev": "71f27de56a03f6d8a1a72cf4d0dfd780bcc075bc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -233,11 +251,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1769724120, "lastModified": 1768877948,
"narHash": "sha256-oQBM04hQk1kotfv4qmIG1tHmuwODd1+hqRJE5TELeCE=", "narHash": "sha256-Bq9Hd6DWCBaZ2GkwvJCWGnpGOchaD6RWPSCFxmSmupw=",
"rev": "8ec59ed5093c2a742d7744e9ecf58f358aa4a87d", "rev": "43b2e61c9d09cf6c1c9c192fe6da08accc9bfb1d",
"type": "tarball", "type": "tarball",
"url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4961.8ec59ed5093c/nixexprs.tar.xz" "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4368.43b2e61c9d09/nixexprs.tar.xz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@@ -261,11 +279,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1769813739, "lastModified": 1768886240,
"narHash": "sha256-RmNWW1DQczvDwBHu11P0hGwJZxbngdoymVu7qkwq/2M=", "narHash": "sha256-HUAAI7AF+/Ov1u3Vvjs4DL91zTxMkWLC4xJgQ9QxOUQ=",
"rev": "16a3cae5c2487b1afa240e5f2c1811f172419558", "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
"type": "tarball", "type": "tarball",
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre937548.16a3cae5c248/nixexprs.tar.xz" "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre930839.80e4adbcf899/nixexprs.tar.xz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@@ -300,11 +318,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1769009806, "lastModified": 1768636400,
"narHash": "sha256-52xTtAOc9B+MBRMRZ8HI6ybNsRLMlHHLh+qwAbaJjRY=", "narHash": "sha256-AiSKT4/25LS1rUlPduBMogf4EbdMQYDY1rS7AvHFcxk=",
"ref": "main", "ref": "main",
"rev": "aa8adfc6a4d5b6222752e2d15d4a6d3b3b85252e", "rev": "3a8f82b12a44e6c4ceacd6955a290a52d1ee2856",
"revCount": 575, "revCount": 573,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git" "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
}, },
@@ -364,11 +382,11 @@
"rust-overlay": "rust-overlay_3" "rust-overlay": "rust-overlay_3"
}, },
"locked": { "locked": {
"lastModified": 1769834595, "lastModified": 1768140181,
"narHash": "sha256-P1jrO7BxHyIKDuOXHuUb7bi4H2TuYnACW5eqf1gG47g=", "narHash": "sha256-HfZzup5/jlu8X5vMUglTovVTSwhHGHwwV1YOFIL/ksA=",
"ref": "main", "ref": "main",
"rev": "def4eec2d59a69b4638b3f25d6d713b703b2fa56", "rev": "834463ed64773939798589ee6fd4adfe3a97dddd",
"revCount": 49, "revCount": 43,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git" "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
}, },
@@ -428,11 +446,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1769309768, "lastModified": 1767322002,
"narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=", "narHash": "sha256-yHKXXw2OWfIFsyTjduB4EyFwR0SYYF0hK8xI9z4NIn0=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5", "rev": "03c6e38661c02a27ca006a284813afdc461e9f7e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -448,11 +466,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1769469829, "lastModified": 1768863606,
"narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=", "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff", "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -461,6 +479,21 @@
"repo": "sops-nix", "repo": "sops-nix",
"type": "github" "type": "github"
} }
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

668
flake.nix
View File

@@ -49,403 +49,297 @@
qotd.inputs.nixpkgs.follows = "nixpkgs"; qotd.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
{ let
self, inherit (nixpkgs) lib;
nixpkgs, systems = [
nixpkgs-unstable, "x86_64-linux"
sops-nix, "aarch64-linux"
disko, "aarch64-darwin"
... ];
}@inputs: forAllSystems = f: lib.genAttrs systems f;
let allMachines = builtins.attrNames self.nixosConfigurations;
inherit (nixpkgs) lib; importantMachines = [
systems = [ "bekkalokk"
"x86_64-linux" "bicep"
"aarch64-linux" "brzeczyszczykiewicz"
"aarch64-darwin" "georg"
]; "ildkule"
forAllSystems = f: lib.genAttrs systems f; ];
allMachines = builtins.attrNames self.nixosConfigurations; in {
importantMachines = [ inputs = lib.mapAttrs (_: src: src.outPath) inputs;
"bekkalokk"
"bicep"
"brzeczyszczykiewicz"
"georg"
"ildkule"
];
in
{
inputs = lib.mapAttrs (_: src: src.outPath) inputs;
pkgs = forAllSystems ( pkgs = forAllSystems (system:
system: import nixpkgs {
import nixpkgs { inherit system;
inherit system; config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
config.allowUnfreePredicate = [
pkg: "nvidia-x11"
builtins.elem (lib.getName pkg) [ "nvidia-settings"
"nvidia-x11" ];
"nvidia-settings"
];
}
);
nixosConfigurations =
let
nixosConfig =
nixpkgs: name: configurationPath:
extraArgs@{
localSystem ? "x86_64-linux", # buildPlatform
crossSystem ? "x86_64-linux", # hostPlatform
specialArgs ? { },
modules ? [ ],
overlays ? [ ],
enableDefaults ? true,
...
}:
let
commonPkgsConfig = {
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
[
"nvidia-x11"
"nvidia-settings"
];
overlays = (lib.optionals enableDefaults [
# Global overlays go here
inputs.roowho2.overlays.default
]) ++ overlays;
} // (if localSystem != crossSystem then {
inherit localSystem crossSystem;
} else {
system = crossSystem;
});
pkgs = import nixpkgs commonPkgsConfig;
unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
in
lib.nixosSystem (
lib.recursiveUpdate
{
system = crossSystem;
inherit pkgs;
specialArgs = {
inherit inputs unstablePkgs;
values = import ./values.nix;
fp = path: ./${path};
}
// specialArgs;
modules = [
{
networking.hostName = lib.mkDefault name;
}
configurationPath
]
++ (lib.optionals enableDefaults [
sops-nix.nixosModules.sops
inputs.roowho2.nixosModules.default
self.nixosModules.rsync-pull-targets
])
++ modules;
}
(
builtins.removeAttrs extraArgs [
"localSystem"
"crossSystem"
"modules"
"overlays"
"specialArgs"
"enableDefaults"
]
)
);
stableNixosConfig =
name: extraArgs: nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
in
{
bakke = stableNixosConfig "bakke" {
modules = [
inputs.disko.nixosModules.disko
];
};
bicep = stableNixosConfig "bicep" {
modules = [
inputs.matrix-next.nixosModules.default
inputs.pvv-calendar-bot.nixosModules.default
inputs.minecraft-heatmap.nixosModules.default
self.nixosModules.gickup
self.nixosModules.matrix-ooye
];
overlays = [
inputs.pvv-calendar-bot.overlays.default
inputs.minecraft-heatmap.overlays.default
(final: prev: {
inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
})
];
};
bekkalokk = stableNixosConfig "bekkalokk" {
overlays = [
(final: prev: {
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
bluemap = final.callPackage ./packages/bluemap.nix { };
})
inputs.pvv-nettsiden.overlays.default
inputs.qotd.overlays.default
];
modules = [
inputs.pvv-nettsiden.nixosModules.default
self.nixosModules.bluemap
inputs.qotd.nixosModules.default
];
};
ildkule = stableNixosConfig "ildkule" { };
#ildkule-unstable = unstableNixosConfig "ildkule" { };
skrot = stableNixosConfig "skrot" {
modules = [
inputs.disko.nixosModules.disko
inputs.dibbler.nixosModules.default
];
overlays = [ inputs.dibbler.overlays.default ];
};
shark = stableNixosConfig "shark" { };
wenche = stableNixosConfig "wenche" { };
temmie = stableNixosConfig "temmie" { };
gluttony = stableNixosConfig "gluttony" { };
kommode = stableNixosConfig "kommode" {
overlays = [
inputs.nix-gitea-themes.overlays.default
];
modules = [
inputs.nix-gitea-themes.nixosModules.default
inputs.disko.nixosModules.disko
];
};
ustetind = stableNixosConfig "ustetind" {
modules = [
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
];
};
brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
modules = [
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.gergle.nixosModules.default
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
inputs.gergle.overlays.default
];
};
georg = stableNixosConfig "georg" {
modules = [
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.gergle.nixosModules.default
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
inputs.gergle.overlays.default
];
};
}
// (
let
skrottConfig = {
modules = [
(nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
inputs.dibbler.nixosModules.default
];
overlays = [
inputs.dibbler.overlays.default
(final: prev: {
# NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
atool = prev.emptyDirectory;
micro = prev.emptyDirectory;
ncdu = prev.emptyDirectory;
})
];
};
in
{
skrott = self.nixosConfigurations.skrott-native;
skrott-native = stableNixosConfig "skrott" (
skrottConfig
// {
localSystem = "aarch64-linux";
crossSystem = "aarch64-linux";
}
);
skrott-cross = stableNixosConfig "skrott" (
skrottConfig
// {
localSystem = "x86_64-linux";
crossSystem = "aarch64-linux";
}
);
skrott-x86_64 = stableNixosConfig "skrott" (
skrottConfig
// {
localSystem = "x86_64-linux";
crossSystem = "x86_64-linux";
}
);
}
)
// (
let
machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
stableLupineNixosConfig =
name: extraArgs: nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
in
lib.genAttrs machineNames (
name:
stableLupineNixosConfig name {
modules = [ { networking.hostName = name; } ];
specialArgs.lupineName = name;
}
)
);
nixosModules = {
bluemap = ./modules/bluemap.nix;
gickup = ./modules/gickup;
matrix-ooye = ./modules/matrix-ooye.nix;
robots-txt = ./modules/robots-txt.nix;
rsync-pull-targets = ./modules/rsync-pull-targets.nix;
snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix;
};
devShells = forAllSystems (system: {
default =
let
pkgs = import nixpkgs-unstable {
inherit system;
overlays = [
(final: prev: {
inherit (inputs.disko.packages.${system}) disko;
})
];
};
in
pkgs.callPackage ./shell.nix { };
cuda =
let
cuda-pkgs = import nixpkgs-unstable {
inherit system;
config = {
allowUnfree = true;
cudaSupport = true;
};
};
in
cuda-pkgs.callPackage ./shells/cuda.nix { };
}); });
packages = { nixosConfigurations = let
"x86_64-linux" = unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
let
system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system};
in
rec {
default = important-machines;
important-machines = pkgs.linkFarm "important-machines" (
lib.getAttrs importantMachines self.packages.${system}
);
all-machines = pkgs.linkFarm "all-machines" (lib.getAttrs allMachines self.packages.${system});
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { }; nixosConfig =
nixpkgs:
name:
configurationPath:
extraArgs@{
system ? "x86_64-linux",
specialArgs ? { },
modules ? [ ],
overlays ? [ ],
enableDefaults ? true,
...
}:
lib.nixosSystem (lib.recursiveUpdate
{
inherit system;
bluemap = pkgs.callPackage ./packages/bluemap.nix { }; specialArgs = {
inherit unstablePkgs inputs;
values = import ./values.nix;
fp = path: ./${path};
} // specialArgs;
out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { }; modules = [
}
//
# Mediawiki extensions
(lib.pipe null [
(_: pkgs.callPackage ./packages/mediawiki-extensions { })
(lib.flip builtins.removeAttrs [
"override"
"overrideDerivation"
])
(lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
])
//
# Machines
lib.genAttrs allMachines (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
//
# Skrott is exception
{ {
skrott = self.packages.${system}.skrott-native-sd; networking.hostName = lib.mkDefault name;
skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
} }
// configurationPath
# Nix-topology ] ++ (lib.optionals enableDefaults [
( sops-nix.nixosModules.sops
let inputs.roowho2.nixosModules.default
topology' = import inputs.nix-topology { ]) ++ modules;
pkgs = import nixpkgs {
inherit system;
overlays = [
inputs.nix-topology.overlays.default
(final: prev: {
inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
})
];
};
specialArgs = { pkgs = import nixpkgs {
values = import ./values.nix; inherit system;
}; config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
[
"nvidia-x11"
"nvidia-settings"
];
overlays = (lib.optionals enableDefaults [
# Global overlays go here
inputs.roowho2.overlays.default
]) ++ overlays;
};
}
(builtins.removeAttrs extraArgs [
"system"
"modules"
"overlays"
"specialArgs"
"enableDefaults"
])
);
modules = [ stableNixosConfig = name: extraArgs:
./topology nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
{ in {
nixosConfigurations = lib.mapAttrs ( bakke = stableNixosConfig "bakke" {
_name: nixosCfg: modules = [
nixosCfg.extendModules { disko.nixosModules.disko
modules = [ ];
inputs.nix-topology.nixosModules.default
./topology/service-extractors/greg-ng.nix
./topology/service-extractors/postgresql.nix
./topology/service-extractors/mysql.nix
./topology/service-extractors/gitea-runners.nix
];
}
) self.nixosConfigurations;
}
];
};
in
{
topology = topology'.config.output;
topology-png =
pkgs.runCommand "pvv-config-topology-png"
{
nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
}
''
mkdir -p "$out"
for file in '${topology'.config.output}'/*.svg; do
${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
done
'';
}
);
}; };
bicep = stableNixosConfig "bicep" {
modules = [
inputs.matrix-next.nixosModules.default
inputs.pvv-calendar-bot.nixosModules.default
inputs.minecraft-heatmap.nixosModules.default
self.nixosModules.gickup
self.nixosModules.matrix-ooye
];
overlays = [
inputs.pvv-calendar-bot.overlays.default
inputs.minecraft-heatmap.overlays.default
(final: prev: {
inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
})
];
};
bekkalokk = stableNixosConfig "bekkalokk" {
overlays = [
(final: prev: {
heimdal = unstablePkgs.heimdal;
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
bluemap = final.callPackage ./packages/bluemap.nix { };
})
inputs.pvv-nettsiden.overlays.default
inputs.qotd.overlays.default
];
modules = [
inputs.pvv-nettsiden.nixosModules.default
self.nixosModules.bluemap
inputs.qotd.nixosModules.default
];
};
ildkule = stableNixosConfig "ildkule" { };
#ildkule-unstable = unstableNixosConfig "ildkule" { };
shark = stableNixosConfig "shark" { };
wenche = stableNixosConfig "wenche" { };
temmie = stableNixosConfig "temmie" { };
gluttony = stableNixosConfig "gluttony" { };
kommode = stableNixosConfig "kommode" {
overlays = [
inputs.nix-gitea-themes.overlays.default
];
modules = [
inputs.nix-gitea-themes.nixosModules.default
];
};
ustetind = stableNixosConfig "ustetind" {
modules = [
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
];
};
brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
modules = [
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.gergle.nixosModules.default
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
inputs.gergle.overlays.default
];
};
georg = stableNixosConfig "georg" {
modules = [
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.gergle.nixosModules.default
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
inputs.gergle.overlays.default
];
};
skrott = stableNixosConfig "skrott" {
system = "aarch64-linux";
modules = [
(nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
inputs.dibbler.nixosModules.default
];
overlays = [
inputs.dibbler.overlays.default
];
};
}
//
(let
machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
stableLupineNixosConfig = name: extraArgs:
nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
modules = [{ networking.hostName = name; }];
specialArgs.lupineName = name;
}));
nixosModules = {
bluemap = ./modules/bluemap.nix;
snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix;
robots-txt = ./modules/robots-txt.nix;
gickup = ./modules/gickup;
matrix-ooye = ./modules/matrix-ooye.nix;
}; };
devShells = forAllSystems (system: {
default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
cuda = let
cuda-pkgs = import nixpkgs-unstable {
inherit system;
config = {
allowUnfree = true;
cudaSupport = true;
};
};
in cuda-pkgs.callPackage ./shells/cuda.nix { };
});
packages = {
"x86_64-linux" = let
pkgs = nixpkgs.legacyPackages."x86_64-linux";
in rec {
default = important-machines;
important-machines = pkgs.linkFarm "important-machines"
(lib.getAttrs importantMachines self.packages.x86_64-linux);
all-machines = pkgs.linkFarm "all-machines"
(lib.getAttrs allMachines self.packages.x86_64-linux);
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
bluemap = pkgs.callPackage ./packages/bluemap.nix { };
out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
}
//
# Mediawiki extensions
(lib.pipe null [
(_: pkgs.callPackage ./packages/mediawiki-extensions { })
(lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
(lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
])
//
# Machines
lib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
//
# Skrott is exception
{
skrott = self.nixosConfigurations.skrott.config.system.build.sdImage;
}
//
# Nix-topology
(let
topology' = import inputs.nix-topology {
pkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [
inputs.nix-topology.overlays.default
(final: prev: {
inherit (nixpkgs-unstable.legacyPackages.x86_64-linux) super-tiny-icons;
})
];
};
specialArgs = {
values = import ./values.nix;
};
modules = [
./topology
{
nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
modules = [
inputs.nix-topology.nixosModules.default
./topology/service-extractors/greg-ng.nix
./topology/service-extractors/postgresql.nix
./topology/service-extractors/mysql.nix
./topology/service-extractors/gitea-runners.nix
];
}) self.nixosConfigurations;
}
];
};
in {
topology = topology'.config.output;
topology-png = pkgs.runCommand "pvv-config-topology-png" {
nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
} ''
mkdir -p "$out"
for file in '${topology'.config.output}'/*.svg; do
${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
done
'';
});
};
};
} }

20
hosts/bakke/configuration.nix
View File

@@ -1,23 +1,15 @@
{ { config, pkgs, values, ... }:
config,
pkgs,
values,
...
}:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../base ../../base
./filesystems.nix ./filesystems.nix
]; ];
networking.hostId = "99609ffc"; networking.hostId = "99609ffc";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // { systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0"; matchConfig.Name = "enp2s0";
address = with values.hosts.bakke; [ address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
(ipv4 + "/25")
(ipv6 + "/64")
];
}; };
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.

8
hosts/bakke/filesystems.nix
View File

@@ -1,17 +1,17 @@
{ pkgs, ... }: { config, pkgs, lib, ... }:
{ {
# Boot drives: # Boot drives:
boot.swraid.enable = true; boot.swraid.enable = true;
# ZFS Data pool: # ZFS Data pool:
environment.systemPackages = with pkgs; [ zfs ];
boot = { boot = {
zfs = { zfs = {
extraPools = [ "tank" ]; extraPools = [ "tank" ];
requestEncryptionCredentials = false; requestEncryptionCredentials = false;
}; };
supportedFilesystems.zfs = true; supportedFilesystems = [ "zfs" ];
# Use stable linux packages, these work with zfs kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
kernelPackages = pkgs.linuxPackages;
}; };
services.zfs.autoScrub = { services.zfs.autoScrub = {
enable = true; enable = true;

68
hosts/bakke/hardware-configuration.nix
View File

@@ -1,59 +1,41 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
"ehci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571"; { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=root" ]; options = [ "subvol=root" ];
}; };
fileSystems."/home" = { fileSystems."/home" =
device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571"; { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=home" ]; options = [ "subvol=home" ];
}; };
fileSystems."/nix" = { fileSystems."/nix" =
device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571"; { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs"; fsType = "btrfs";
options = [ options = [ "subvol=nix" "noatime" ];
"subvol=nix" };
"noatime"
];
};
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/sdc2"; { device = "/dev/sdc2";
fsType = "vfat"; fsType = "vfat";
options = [ options = [ "fmask=0022" "dmask=0022" ];
"fmask=0022" };
"dmask=0022"
];
};
swapDevices = [ ]; swapDevices = [ ];

14
hosts/bekkalokk/configuration.nix
View File

@@ -1,9 +1,4 @@
{ { fp, pkgs, values, ... }:
fp,
pkgs,
values,
...
}:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
@@ -26,15 +21,12 @@
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // { systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0"; matchConfig.Name = "enp2s0";
address = with values.hosts.bekkalokk; [ address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
(ipv4 + "/25")
(ipv6 + "/64")
];
}; };
services.btrfs.autoScrub.enable = true; services.btrfs.autoScrub.enable = true;
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11"; system.stateVersion = "22.11";
} }

44
hosts/bekkalokk/hardware-configuration.nix
View File

@@ -1,43 +1,31 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
"ehci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/sda1"; { device = "/dev/sda1";
fsType = "btrfs"; fsType = "btrfs";
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/CE63-3B9B"; { device = "/dev/disk/by-uuid/CE63-3B9B";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ swapDevices =
{ device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; } [ { device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's

153
hosts/bekkalokk/services/bluemap.nix
View File

@@ -1,15 +1,8 @@
{ { config, lib, pkgs, inputs, ... }:
config,
lib,
pkgs,
inputs,
...
}:
let let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world"; vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
format = pkgs.formats.hocon { }; format = pkgs.formats.hocon { };
in in {
{
# NOTE: our versino of the module gets added in flake.nix # NOTE: our versino of the module gets added in flake.nix
disabledModules = [ "services/web-apps/bluemap.nix" ]; disabledModules = [ "services/web-apps/bluemap.nix" ];
@@ -24,88 +17,82 @@ in
host = "minecraft.pvv.ntnu.no"; host = "minecraft.pvv.ntnu.no";
maps = maps = let
let inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export; in {
in "verden" = {
{ extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
"verden" = { settings = {
extraHoconMarkersFile = "${bluemap-export}/overworld.hocon"; world = vanillaSurvival;
settings = { dimension = "minecraft:overworld";
world = vanillaSurvival; name = "Verden";
dimension = "minecraft:overworld"; sorting = 0;
name = "Verden"; start-pos = {
sorting = 0; x = 0;
start-pos = { z = 0;
x = 0;
z = 0;
};
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
};
"underverden" = {
extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_nether";
name = "Underverden";
sorting = 100;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#290000";
void-color = "#150000";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
render-mask = [
{
max-y = 90;
}
];
};
};
"enden" = {
extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_end";
name = "Enden";
sorting = 200;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#080010";
void-color = "#080010";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
}; };
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
}; };
}; };
"underverden" = {
extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_nether";
name = "Underverden";
sorting = 100;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#290000";
void-color = "#150000";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
render-mask = [{
max-y = 90;
}];
};
};
"enden" = {
extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
settings = {
world = vanillaSurvival;
dimension = "minecraft:the_end";
name = "Enden";
sorting = 200;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#080010";
void-color = "#080010";
sky-light = 1;
ambient-light = 0.6;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
};
}; };
systemd.services."render-bluemap-maps" = { systemd.services."render-bluemap-maps" = {
serviceConfig = { serviceConfig = {
StateDirectory = [ "bluemap/world" ]; StateDirectory = [ "bluemap/world" ];
ExecStartPre = ExecStartPre = let
let rsyncArgs = lib.cli.toCommandLineShellGNU { } {
rsyncArgs = lib.cli.toCommandLineShellGNU { } { archive = true;
archive = true; compress = true;
compress = true; verbose = true;
verbose = true; no-owner = true;
no-owner = true; no-group = true;
no-group = true; rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey"; };
}; in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
in
"${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
LoadCredential = [ LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}" "sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}" "ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"

3
hosts/bekkalokk/services/idp-simplesamlphp/config.php
View File

@@ -556,6 +556,7 @@ $config = [
'module.enable' => [ 'module.enable' => [
'admin' => true, 'admin' => true,
'authpwauth' => true, 'authpwauth' => true,
'themepvv' => true,
], ],
@@ -858,7 +859,7 @@ $config = [
/* /*
* Which theme directory should be used? * Which theme directory should be used?
*/ */
'theme.use' => 'default', 'theme.use' => 'themepvv:pvv',
/* /*
* Set this option to the text you would like to appear at the header of each page. Set to false if you don't want * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want

11
hosts/bekkalokk/services/idp-simplesamlphp/default.nix
View File

@@ -5,6 +5,14 @@
... ...
}: }:
let let
themePvv = pkgs.fetchFromGitea {
domain = "git.pvv.ntnu.no";
owner = "Drift";
repo = "ssp-theme";
rev = "bda4314030be5f81aeaf2fb1927aee582f1194d9";
hash = "sha256-naNRyPL6PAsZKW2w1Vt9wrHT9inCL/yAFnvpy4glv+c=";
};
pwAuthScript = pkgs.writeShellApplication { pwAuthScript = pkgs.writeShellApplication {
name = "pwauth"; name = "pwauth";
runtimeInputs = with pkgs; [ runtimeInputs = with pkgs; [
@@ -111,6 +119,9 @@ let
''; '';
"modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php; "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
# PVV theme module (themepvv).
"modules/themepvv" = themePvv;
}; };
}; };
in in

7
hosts/bekkalokk/services/kerberos.nix
View File

@@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
{ {
security.krb5 = { security.krb5 = {
enable = true; enable = true;

168
hosts/bekkalokk/services/mediawiki/default.nix
View File

@@ -1,12 +1,4 @@
{ { pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
pkgs,
lib,
fp,
config,
values,
...
}:
let
cfg = config.services.mediawiki; cfg = config.services.mediawiki;
# "mediawiki" # "mediawiki"
@@ -17,9 +9,7 @@ let
simplesamlphp = pkgs.simplesamlphp.override { simplesamlphp = pkgs.simplesamlphp.override {
extra_files = { extra_files = {
"metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" ( "metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
import ../idp-simplesamlphp/metadata.php.nix
);
"config/authsources.php" = ./simplesaml-authsources.php; "config/authsources.php" = ./simplesaml-authsources.php;
@@ -28,66 +18,35 @@ let
substituteInPlace "$out" \ substituteInPlace "$out" \
--replace-warn '$SAML_COOKIE_SECURE' 'true' \ --replace-warn '$SAML_COOKIE_SECURE' 'true' \
--replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${ --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path
}")' \
--replace-warn '$SAML_ADMIN_NAME' '"Drift"' \ --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
--replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \ --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${ --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
config.sops.secrets."mediawiki/simplesamlphp/admin_password".path
}")' \
--replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \ --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
--replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \ --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
--replace-warn '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \ --replace-warn '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
--replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${ --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path
}")' \
--replace-warn '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp' --replace-warn '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
''; '';
}; };
}; };
in in {
{
services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ]; services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
sops.secrets = sops.secrets = lib.pipe [
lib.pipe "mediawiki/password"
[ "mediawiki/postgres_password"
"mediawiki/secret-key" "mediawiki/simplesamlphp/postgres_password"
"mediawiki/password" "mediawiki/simplesamlphp/cookie_salt"
"mediawiki/postgres_password" "mediawiki/simplesamlphp/admin_password"
"mediawiki/simplesamlphp/postgres_password" ] [
"mediawiki/simplesamlphp/cookie_salt" (map (key: lib.nameValuePair key {
"mediawiki/simplesamlphp/admin_password" owner = user;
] group = group;
[ restartUnits = [ "phpfpm-mediawiki.service" ];
(map ( }))
key: lib.listToAttrs
lib.nameValuePair key { ];
owner = user;
group = group;
restartUnits = [ "phpfpm-mediawiki.service" ];
}
))
lib.listToAttrs
];
services.rsync-pull-targets = {
enable = true;
locations.${cfg.uploadsDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHFHa3Iq1oKPhbKCAIHgOoWOTkLmIc7yqxeTbut7ig/ mediawiki rsync backup";
};
};
services.mediawiki = { services.mediawiki = {
enable = true; enable = true;
@@ -185,24 +144,6 @@ in
$wgDBserver = "${toString cfg.database.host}"; $wgDBserver = "${toString cfg.database.host}";
$wgAllowCopyUploads = true; $wgAllowCopyUploads = true;
# Files
$wgFileExtensions = [
'bmp',
'gif',
'jpeg',
'jpg',
'mp3',
'odg',
'odp',
'ods',
'odt',
'pdf',
'png',
'tiff',
'webm',
'webp',
];
# Misc program paths # Misc program paths
$wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg'; $wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
$wgExiftool = '${pkgs.exiftool}/bin/exiftool'; $wgExiftool = '${pkgs.exiftool}/bin/exiftool';
@@ -238,21 +179,19 @@ in
# Cache directory for simplesamlphp # Cache directory for simplesamlphp
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp"; # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
lib.mkIf cfg.enable user = "mediawiki";
{ group = "mediawiki";
user = "mediawiki"; mode = "0770";
group = "mediawiki"; };
mode = "0770";
};
users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ]; users.groups.mediawiki.members = [ "nginx" ];
services.nginx.virtualHosts."wiki.pvv.ntnu.no" = lib.mkIf cfg.enable { services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
kTLS = true; kTLS = true;
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = {
"= /wiki/Main_Page" = lib.mkForce { "= /wiki/Main_Page" = lib.mkForce {
return = "301 /wiki/Programvareverkstedet"; return = "301 /wiki/Programvareverkstedet";
}; };
@@ -278,45 +217,20 @@ in
"= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg; "= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg;
"= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png; "= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png;
"= /favicon.ico".alias = "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
pkgs.runCommandLocal "mediawiki-favicon.ico" buildInputs = with pkgs; [ imagemagick ];
{ } ''
buildInputs = with pkgs; [ imagemagick ]; magick \
} ${fp /assets/logo_blue_regular.png} \
'' -resize x64 \
magick \ -gravity center \
${fp /assets/logo_blue_regular.png} \ -crop 64x64+0+0 \
-resize x64 \ -flatten \
-gravity center \ -colors 256 \
-crop 64x64+0+0 \ -background transparent \
-flatten \ $out
-colors 256 \ '';
-background transparent \
$out
'';
}; };
}; };
systemd.services.mediawiki-init = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ];
serviceConfig = {
BindReadOnlyPaths = [
"/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key"
];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
UMask = lib.mkForce "0007";
};
};
systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ];
serviceConfig = {
BindReadOnlyPaths = [
"/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key"
];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
UMask = lib.mkForce "0007";
};
};
} }

74
hosts/bekkalokk/services/phpfpm.nix
View File

@@ -11,43 +11,41 @@ in
{ {
# Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/ # Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
systemd.services = lib.genAttrs pools (_: { systemd.services = lib.genAttrs pools (_: {
serviceConfig = serviceConfig = let
let caps = [
caps = [ "CAP_NET_BIND_SERVICE"
"CAP_NET_BIND_SERVICE" "CAP_SETGID"
"CAP_SETGID" "CAP_SETUID"
"CAP_SETUID" "CAP_CHOWN"
"CAP_CHOWN" "CAP_KILL"
"CAP_KILL" "CAP_IPC_LOCK"
"CAP_IPC_LOCK" "CAP_DAC_OVERRIDE"
"CAP_DAC_OVERRIDE" ];
]; in {
in AmbientCapabilities = caps;
{ CapabilityBoundingSet = caps;
AmbientCapabilities = caps; DeviceAllow = [ "" ];
CapabilityBoundingSet = caps; LockPersonality = true;
DeviceAllow = [ "" ]; MemoryDenyWriteExecute = false;
LockPersonality = true; NoNewPrivileges = true;
MemoryDenyWriteExecute = false; PrivateMounts = true;
NoNewPrivileges = true; ProtectClock = true;
PrivateMounts = true; ProtectControlGroups = true;
ProtectClock = true; ProtectHome = true;
ProtectControlGroups = true; ProtectHostname = true;
ProtectHome = true; ProtectKernelLogs = true;
ProtectHostname = true; ProtectKernelModules = true;
ProtectKernelLogs = true; ProtectKernelTunables = true;
ProtectKernelModules = true; RemoveIPC = true;
ProtectKernelTunables = true; UMask = "0077";
RemoveIPC = true; RestrictNamespaces = "~mnt";
UMask = "0077"; RestrictRealtime = true;
RestrictNamespaces = "~mnt"; RestrictSUIDSGID = true;
RestrictRealtime = true; SystemCallArchitectures = "native";
RestrictSUIDSGID = true; KeyringMode = "private";
SystemCallArchitectures = "native"; SystemCallFilter = [
KeyringMode = "private"; "@system-service"
SystemCallFilter = [ ];
"@system-service" };
];
};
}); });
} }

28
hosts/bekkalokk/services/vaultwarden.nix
View File

@@ -1,18 +1,11 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
values,
...
}:
let let
cfg = config.services.vaultwarden; cfg = config.services.vaultwarden;
domain = "pw.pvv.ntnu.no"; domain = "pw.pvv.ntnu.no";
address = "127.0.1.2"; address = "127.0.1.2";
port = 3011; port = 3011;
wsPort = 3012; wsPort = 3012;
in in {
{
sops.secrets."vaultwarden/environ" = { sops.secrets."vaultwarden/environ" = {
owner = "vaultwarden"; owner = "vaultwarden";
group = "vaultwarden"; group = "vaultwarden";
@@ -106,21 +99,4 @@ in
]; ];
}; };
}; };
services.rsync-pull-targets = {
enable = true;
locations."/var/lib/vaultwarden" = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2cDaW52gBtLVaNqoGijvN2ZAVkAWlII5AXUzT3Dswj vaultwarden rsync backup";
};
};
} }

8
hosts/bekkalokk/services/webmail/default.nix
View File

@@ -1,10 +1,4 @@
{ { config, values, pkgs, lib, ... }:
config,
values,
pkgs,
lib,
...
}:
{ {
imports = [ imports = [
./roundcube.nix ./roundcube.nix

63
hosts/bekkalokk/services/webmail/roundcube.nix
View File

@@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
with lib; with lib;
let let
@@ -19,24 +14,14 @@ in
services.roundcube = { services.roundcube = {
enable = true; enable = true;
package = pkgs.roundcube.withPlugins ( package = pkgs.roundcube.withPlugins (plugins: with plugins; [
plugins: with plugins; [ persistent_login
persistent_login thunderbird_labels
thunderbird_labels contextmenu
contextmenu custom_from
custom_from ]);
]
);
dicts = with pkgs.aspellDicts; [ dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
en
en-computers
nb
nn
fr
de
it
];
maxAttachmentSize = 20; maxAttachmentSize = 20;
hostName = "roundcubeplaceholder.example.com"; hostName = "roundcubeplaceholder.example.com";
@@ -69,23 +54,21 @@ in
ln -s ${cfg.package} $out/roundcube ln -s ${cfg.package} $out/roundcube
''; '';
extraConfig = '' extraConfig = ''
location ~ ^/roundcube/(${ location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
builtins.concatStringsSep "|" [ # https://wiki.archlinux.org/title/Roundcube
# https://wiki.archlinux.org/title/Roundcube "README"
"README" "INSTALL"
"INSTALL" "LICENSE"
"LICENSE" "CHANGELOG"
"CHANGELOG" "UPGRADING"
"UPGRADING" "bin"
"bin" "SQL"
"SQL" ".+\\.md"
".+\\.md" "\\."
"\\." "config"
"config" "temp"
"temp" "logs"
"logs" ]})/? {
]
})/? {
deny all; deny all;
} }

30
hosts/bekkalokk/services/webmail/snappymail.nix
View File

@@ -1,15 +1,7 @@
{ { config, lib, fp, pkgs, ... }:
config,
lib,
fp,
pkgs,
values,
...
}:
let let
cfg = config.services.snappymail; cfg = config.services.snappymail;
in in {
{
imports = [ (fp /modules/snappymail.nix) ]; imports = [ (fp /modules/snappymail.nix) ];
services.snappymail = { services.snappymail = {
@@ -22,21 +14,5 @@ in
enableACME = true; enableACME = true;
kTLS = true; kTLS = true;
}; };
services.rsync-pull-targets = {
enable = true;
locations.${cfg.dataDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJENMnuNsHEeA91oX+cj7Qpex2defSXP/lxznxCAqV03 snappymail rsync backup";
};
};
} }

108
hosts/bekkalokk/services/website/default.nix
View File

@@ -1,31 +1,22 @@
{ { pkgs, lib, config, ... }:
pkgs,
lib,
config,
...
}:
let let
format = pkgs.formats.php { }; format = pkgs.formats.php { };
cfg = config.services.pvv-nettsiden; cfg = config.services.pvv-nettsiden;
in in {
{
imports = [ imports = [
./fetch-gallery.nix ./fetch-gallery.nix
]; ];
sops.secrets = sops.secrets = lib.genAttrs [
lib.genAttrs "nettsiden/door_secret"
[ "nettsiden/mysql_password"
"nettsiden/door_secret" "nettsiden/simplesamlphp/admin_password"
"nettsiden/mysql_password" "nettsiden/simplesamlphp/cookie_salt"
"nettsiden/simplesamlphp/admin_password" ] (_: {
"nettsiden/simplesamlphp/cookie_salt" owner = config.services.phpfpm.pools.pvv-nettsiden.user;
] group = config.services.phpfpm.pools.pvv-nettsiden.group;
(_: { restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
owner = config.services.phpfpm.pools.pvv-nettsiden.user; });
group = config.services.phpfpm.pools.pvv-nettsiden.group;
restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
});
security.acme.certs."www.pvv.ntnu.no" = { security.acme.certs."www.pvv.ntnu.no" = {
extraDomainNames = [ extraDomainNames = [
@@ -44,53 +35,48 @@ in
package = pkgs.pvv-nettsiden.override { package = pkgs.pvv-nettsiden.override {
extra_files = { extra_files = {
"${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix); "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" ''
"${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = <?php
pkgs.writeText "pvv-nettsiden-authsources.php" '' $config = array(
<?php 'admin' => array(
$config = array( 'core:AdminPassword'
'admin' => array( ),
'core:AdminPassword' 'default-sp' => array(
), 'saml:SP',
'default-sp' => array( 'entityID' => 'https://${cfg.domainName}/simplesaml/',
'saml:SP', 'idp' => 'https://idp.pvv.ntnu.no/',
'entityID' => 'https://${cfg.domainName}/simplesaml/', ),
'idp' => 'https://idp.pvv.ntnu.no/', );
), '';
);
'';
}; };
}; };
domainName = "www.pvv.ntnu.no"; domainName = "www.pvv.ntnu.no";
settings = settings = let
let includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
includeFromSops = in {
path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')"; DOOR_SECRET = includeFromSops "door_secret";
in
{
DOOR_SECRET = includeFromSops "door_secret";
DB = { DB = {
DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no"; DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
USER = "www-data_nettsi"; USER = "www-data_nettsi";
PASS = includeFromSops "mysql_password"; PASS = includeFromSops "mysql_password";
};
# TODO: set up postgres session for simplesamlphp
SAML = {
COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
COOKIE_SECURE = true;
ADMIN_NAME = "PVV Drift";
ADMIN_EMAIL = "drift@pvv.ntnu.no";
ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
TRUSTED_DOMAINS = [
"www.pvv.ntnu.no"
];
};
}; };
# TODO: set up postgres session for simplesamlphp
SAML = {
COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
COOKIE_SECURE = true;
ADMIN_NAME = "PVV Drift";
ADMIN_EMAIL = "drift@pvv.ntnu.no";
ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
TRUSTED_DOMAINS = [
"www.pvv.ntnu.no"
];
};
};
}; };
services.phpfpm.pools."pvv-nettsiden".settings = { services.phpfpm.pools."pvv-nettsiden".settings = {

52
hosts/bekkalokk/services/website/fetch-gallery.nix
View File

@@ -1,37 +1,15 @@
{ { pkgs, lib, config, ... }:
pkgs,
lib,
config,
values,
...
}:
let let
galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR; galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer"; transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
in in {
{
users.users.${config.services.pvv-nettsiden.user} = { users.users.${config.services.pvv-nettsiden.user} = {
# NOTE: the user unfortunately needs a registered shell for rrsync to function...
# is there anything we can do to remove this?
useDefaultShell = true; useDefaultShell = true;
};
# This is pushed from microbel:/var/www/www-gallery/build-gallery.sh # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
services.rsync-pull-targets = { openssh.authorizedKeys.keys = [
enable = true; ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
locations.${transferDir} = { ];
user = config.services.pvv-nettsiden.user;
rrsyncArgs.wo = true;
authorizedKeysAttrs = [
"restrict"
"from=\"microbel.pvv.ntnu.no,${values.hosts.microbel.ipv6},${values.hosts.microbel.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish";
};
}; };
systemd.paths.pvv-nettsiden-gallery-update = { systemd.paths.pvv-nettsiden-gallery-update = {
@@ -44,20 +22,14 @@ in
}; };
systemd.services.pvv-nettsiden-gallery-update = { systemd.services.pvv-nettsiden-gallery-update = {
path = with pkgs; [ path = with pkgs; [ imagemagick gnutar gzip ];
imagemagick
gnutar
gzip
];
script = '' script = ''
tar ${ tar ${lib.cli.toGNUCommandLineShell {} {
lib.cli.toGNUCommandLineShell { } { extract = true;
extract = true; file = "${transferDir}/gallery.tar.gz";
file = "${transferDir}/gallery.tar.gz"; directory = ".";
directory = "."; }}
}
}
# Delete files and directories that exists in the gallery that don't exist in the tarball # Delete files and directories that exists in the gallery that don't exist in the tarball
filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||'))) filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))

45
hosts/bekkalokk/services/well-known/default.nix
View File

@@ -1,28 +1,25 @@
{ lib, ... }: { lib, ... }:
{ {
services.nginx.virtualHosts = services.nginx.virtualHosts = lib.genAttrs [
lib.genAttrs "pvv.ntnu.no"
[ "www.pvv.ntnu.no"
"pvv.ntnu.no" "pvv.org"
"www.pvv.ntnu.no" "www.pvv.org"
"pvv.org" ] (_: {
"www.pvv.org" locations = {
] "^~ /.well-known/" = {
(_: { alias = (toString ./root) + "/";
locations = { };
"^~ /.well-known/" = {
alias = (toString ./root) + "/";
};
# Proxy the matrix well-known files # Proxy the matrix well-known files
# Host has be set before proxy_pass # Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place # The header must be set so nginx on the other side routes it to the right place
"^~ /.well-known/matrix/" = { "^~ /.well-known/matrix/" = {
extraConfig = '' extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no; proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/; proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
''; '';
}; };
}; };
}); });
} }

6
hosts/bekkalokk/services/well-known/root/security.txt
View File

@@ -6,11 +6,7 @@ Contact: mailto:cert@pvv.ntnu.no
Preferred-Languages: no, en Preferred-Languages: no, en
Expires: 2032-12-31T23:59:59.000Z Expires: 2032-12-31T23:59:59.000Z
# This file was last updated 2026-02-27. # This file was last updated 2024-09-14.
# You can find a wikipage for our security policies at: # You can find a wikipage for our security policies at:
# https://wiki.pvv.ntnu.no/wiki/CERT # https://wiki.pvv.ntnu.no/wiki/CERT
# Please note that we are a student organization, and unfortunately we do not
# have a bug bounty program or offer monetary compensation for disclosure of
# security vulnerabilities.

25
hosts/bicep/configuration.nix
View File

@@ -1,9 +1,4 @@
{ { fp, pkgs, values, ... }:
fp,
pkgs,
values,
...
}:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
@@ -14,8 +9,8 @@
./services/calendar-bot.nix ./services/calendar-bot.nix
#./services/git-mirrors #./services/git-mirrors
./services/minecraft-heatmap.nix ./services/minecraft-heatmap.nix
./services/mysql ./services/mysql.nix
./services/postgresql ./services/postgres.nix
./services/matrix ./services/matrix
]; ];
@@ -24,16 +19,8 @@
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
#matchConfig.Name = "enp6s0f0"; #matchConfig.Name = "enp6s0f0";
matchConfig.Name = "ens18"; matchConfig.Name = "ens18";
address = address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
with values.hosts.bicep; ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
[
(ipv4 + "/25")
(ipv6 + "/64")
]
++ (with values.services.turn; [
(ipv4 + "/25")
(ipv6 + "/64")
]);
}; };
systemd.network.wait-online = { systemd.network.wait-online = {
anyInterface = true; anyInterface = true;
@@ -43,5 +30,5 @@
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11"; system.stateVersion = "22.11";
} }

51
hosts/bicep/hardware-configuration.nix
View File

@@ -1,49 +1,34 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/profiles/qemu-guest.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ahci" "sd_mod" "sr_mod" ];
"ata_piix"
"uhci_hcd"
"ahci"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a"; { device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a";
fsType = "ext4"; fsType = "ext4";
}; };
# temp data disk, only 128gb not enough until we can add another disk to the system. # temp data disk, only 128gb not enough until we can add another disk to the system.
fileSystems."/data" = { fileSystems."/data" =
device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba"; { device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/198B-E363"; { device = "/dev/disk/by-uuid/198B-E363";
fsType = "vfat"; fsType = "vfat";
options = [ options = [ "fmask=0022" "dmask=0022" ];
"fmask=0022" };
"dmask=0022"
];
};
swapDevices = [ ]; swapDevices = [ ];

11
hosts/bicep/services/calendar-bot.nix
View File

@@ -1,14 +1,7 @@
{ { config, fp, lib, pkgs, ... }:
config,
fp,
lib,
pkgs,
...
}:
let let
cfg = config.services.pvv-calendar-bot; cfg = config.services.pvv-calendar-bot;
in in {
{
sops.secrets = { sops.secrets = {
"calendar-bot/matrix_token" = { "calendar-bot/matrix_token" = {
sopsFile = fp /secrets/bicep/bicep.yaml; sopsFile = fp /secrets/bicep/bicep.yaml;

145
hosts/bicep/services/git-mirrors/default.nix
View File

@@ -1,10 +1,4 @@
{ { config, pkgs, lib, fp, ... }:
config,
pkgs,
lib,
fp,
...
}:
let let
cfg = config.services.gickup; cfg = config.services.gickup;
in in
@@ -26,88 +20,79 @@ in
lfs = false; lfs = false;
}; };
instances = instances = let
let defaultGithubConfig = {
defaultGithubConfig = { settings.token_file = config.sops.secrets."gickup/github-token".path;
settings.token_file = config.sops.secrets."gickup/github-token".path;
};
defaultGitlabConfig = {
# settings.token_file = ...
};
in
{
"github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
"github:NixOS/nixpkgs" = defaultGithubConfig;
"github:go-gitea/gitea" = defaultGithubConfig;
"github:heimdal/heimdal" = defaultGithubConfig;
"github:saltstack/salt" = defaultGithubConfig;
"github:typst/typst" = defaultGithubConfig;
"github:unmojang/FjordLauncher" = defaultGithubConfig;
"github:unmojang/drasl" = defaultGithubConfig;
"github:yushijinhun/authlib-injector" = defaultGithubConfig;
"gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
"gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
"gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
"any:glibc" = {
settings.url = "https://sourceware.org/git/glibc.git";
};
"any:out-of-your-element" = {
settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
};
"any:out-of-your-element-module" = {
settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
};
}; };
}; defaultGitlabConfig = {
# settings.token_file = ...
};
in {
"github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
"github:NixOS/nixpkgs" = defaultGithubConfig;
"github:go-gitea/gitea" = defaultGithubConfig;
"github:heimdal/heimdal" = defaultGithubConfig;
"github:saltstack/salt" = defaultGithubConfig;
"github:typst/typst" = defaultGithubConfig;
"github:unmojang/FjordLauncher" = defaultGithubConfig;
"github:unmojang/drasl" = defaultGithubConfig;
"github:yushijinhun/authlib-injector" = defaultGithubConfig;
services.cgit = "gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
let "gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
domain = "mirrors.pvv.ntnu.no"; "gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
in "gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
{ "gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
${domain} = {
enable = true; "any:glibc" = {
package = pkgs.callPackage (fp /packages/cgit.nix) { }; settings.url = "https://sourceware.org/git/glibc.git";
group = "gickup"; };
scanPath = "${cfg.dataDir}/linktree";
gitHttpBackend.checkExportOkFiles = false; "any:out-of-your-element" = {
settings = { settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
enable-commit-graph = true; };
enable-follow-links = true;
enable-http-clone = true; "any:out-of-your-element-module" = {
enable-remote-branches = true; settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
clone-url = "https://${domain}/$CGIT_REPO_URL";
remove-suffix = true;
root-title = "PVVSPPP";
root-desc = "PVV Speiler Praktisk og Prominent Programvare";
snapshots = "all";
logo = "/PVV-logo.png";
};
}; };
}; };
};
services.cgit = let
domain = "mirrors.pvv.ntnu.no";
in {
${domain} = {
enable = true;
package = pkgs.callPackage (fp /packages/cgit.nix) { };
group = "gickup";
scanPath = "${cfg.dataDir}/linktree";
gitHttpBackend.checkExportOkFiles = false;
settings = {
enable-commit-graph = true;
enable-follow-links = true;
enable-http-clone = true;
enable-remote-branches = true;
clone-url = "https://${domain}/$CGIT_REPO_URL";
remove-suffix = true;
root-title = "PVVSPPP";
root-desc = "PVV Speiler Praktisk og Prominent Programvare";
snapshots = "all";
logo = "/PVV-logo.png";
};
};
};
services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = { services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."= /PVV-logo.png".alias = locations."= /PVV-logo.png".alias = let
let small-pvv-logo = pkgs.runCommandLocal "pvv-logo-96x96" {
small-pvv-logo = nativeBuildInputs = [ pkgs.imagemagick ];
pkgs.runCommandLocal "pvv-logo-96x96" } ''
{ magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
nativeBuildInputs = [ pkgs.imagemagick ]; '';
} in toString small-pvv-logo;
''
magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
'';
in
toString small-pvv-logo;
}; };
systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = { systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = {

47
hosts/bicep/services/matrix/coturn.nix
View File

@@ -1,12 +1,4 @@
{ { config, lib, fp, pkgs, secrets, values, ... }:
config,
lib,
fp,
pkgs,
secrets,
values,
...
}:
{ {
sops.secrets."matrix/coturn/static-auth-secret" = { sops.secrets."matrix/coturn/static-auth-secret" = {
@@ -135,31 +127,18 @@
}; };
networking.firewall = { networking.firewall = {
interfaces.enp6s0f0 = interfaces.enp6s0f0 = let
let range = with config.services.coturn; [ {
range = with config.services.coturn; [ from = min-port;
{ to = max-port;
from = min-port; } ];
to = max-port; in
} {
]; allowedUDPPortRanges = range;
in allowedUDPPorts = [ 443 3478 3479 5349 ];
{ allowedTCPPortRanges = range;
allowedUDPPortRanges = range; allowedTCPPorts = [ 443 3478 3479 5349 ];
allowedUDPPorts = [ };
443
3478
3479
5349
];
allowedTCPPortRanges = range;
allowedTCPPorts = [
443
3478
3479
5349
];
};
}; };
} }

3
hosts/bicep/services/matrix/default.nix
View File

@@ -1,9 +1,8 @@
{ config, ... }: { config, ... }:
{ {
imports = [ imports = [
./synapse-admin.nix
./synapse-auto-compressor.nix
./synapse.nix ./synapse.nix
./synapse-admin.nix
./element.nix ./element.nix
./coturn.nix ./coturn.nix
./livekit.nix ./livekit.nix

19
hosts/bicep/services/matrix/discord.nix
View File

@@ -1,9 +1,4 @@
{ { config, lib, fp, ... }:
config,
lib,
fp,
...
}:
let let
cfg = config.services.mx-puppet-discord; cfg = config.services.mx-puppet-discord;
@@ -49,6 +44,7 @@ in
]; ];
}; };
services.mx-puppet-discord.enable = false; services.mx-puppet-discord.enable = false;
services.mx-puppet-discord.settings = { services.mx-puppet-discord.settings = {
bridge = { bridge = {
@@ -56,21 +52,16 @@ in
domain = "pvv.ntnu.no"; domain = "pvv.ntnu.no";
homeserverUrl = "https://matrix.pvv.ntnu.no"; homeserverUrl = "https://matrix.pvv.ntnu.no";
}; };
provisioning.whitelist = [ provisioning.whitelist = [ "@dandellion:dodsorf\\.as" "@danio:pvv\\.ntnu\\.no"];
"@dandellion:dodsorf\\.as"
"@danio:pvv\\.ntnu\\.no"
];
relay.whitelist = [ ".*" ]; relay.whitelist = [ ".*" ];
selfService.whitelist = [ selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
"@danio:pvv\\.ntnu\\.no"
"@dandellion:dodsorf\\.as"
];
}; };
services.mx-puppet-discord.serviceDependencies = [ services.mx-puppet-discord.serviceDependencies = [
"matrix-synapse.target" "matrix-synapse.target"
"nginx.service" "nginx.service"
]; ];
services.matrix-synapse-next.settings = { services.matrix-synapse-next.settings = {
app_service_config_files = [ app_service_config_files = [
config.sops.templates."discord-registration.yaml".path config.sops.templates."discord-registration.yaml".path

23
hosts/bicep/services/matrix/element.nix
View File

@@ -1,13 +1,7 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
let let
synapse-cfg = config.services.matrix-synapse-next; synapse-cfg = config.services.matrix-synapse-next;
in in {
{
services.pvv-matrix-well-known.client = { services.pvv-matrix-well-known.client = {
"m.homeserver" = { "m.homeserver" = {
base_url = "https://matrix.pvv.ntnu.no"; base_url = "https://matrix.pvv.ntnu.no";
@@ -27,12 +21,12 @@ in
default_server_config = config.services.pvv-matrix-well-known.client; default_server_config = config.services.pvv-matrix-well-known.client;
disable_3pid_login = true; disable_3pid_login = true;
# integrations_ui_url = "https://dimension.dodsorf.as/riot"; # integrations_ui_url = "https://dimension.dodsorf.as/riot";
# integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar"; # integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
# integrations_widgets_urls = [ # integrations_widgets_urls = [
# "https://dimension.dodsorf.as/widgets" # "https://dimension.dodsorf.as/widgets"
# ]; # ];
# integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi"; # integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi";
defaultCountryCode = "NO"; defaultCountryCode = "NO";
showLabsSettings = true; showLabsSettings = true;
features = { features = {
@@ -43,7 +37,6 @@ in
# element call group calls # element call group calls
feature_group_calls = true; feature_group_calls = true;
}; };
default_country_code = "NO";
default_theme = "dark"; default_theme = "dark";
# Servers in this list should provide some sort of valuable scoping # Servers in this list should provide some sort of valuable scoping
# matrix.org is not useful compared to matrixrooms.info, # matrix.org is not useful compared to matrixrooms.info,

71
hosts/bicep/services/matrix/hookshot/default.nix
View File

@@ -1,11 +1,4 @@
{ { config, lib, fp, unstablePkgs, inputs, ... }:
config,
lib,
fp,
unstablePkgs,
inputs,
...
}:
let let
cfg = config.services.matrix-hookshot; cfg = config.services.matrix-hookshot;
@@ -21,10 +14,6 @@ in
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/hs_token"; key = "hookshot/hs_token";
}; };
sops.secrets."matrix/hookshot/passkey" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/passkey";
};
sops.templates."hookshot-registration.yaml" = { sops.templates."hookshot-registration.yaml" = {
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
@@ -55,14 +44,9 @@ in
}; };
systemd.services.matrix-hookshot = { systemd.services.matrix-hookshot = {
serviceConfig = { serviceConfig.SupplementaryGroups = [
SupplementaryGroups = [ config.users.groups.keys-matrix-registrations.name
config.users.groups.keys-matrix-registrations.name ];
];
LoadCredential = [
"passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
];
};
}; };
services.matrix-hookshot = { services.matrix-hookshot = {
@@ -70,8 +54,6 @@ in
package = unstablePkgs.matrix-hookshot; package = unstablePkgs.matrix-hookshot;
registrationFile = config.sops.templates."hookshot-registration.yaml".path; registrationFile = config.sops.templates."hookshot-registration.yaml".path;
settings = { settings = {
passFile = "/run/credentials/matrix-hookshot.service/passkey.pem";
bridge = { bridge = {
bindAddress = "127.0.0.1"; bindAddress = "127.0.0.1";
domain = "pvv.ntnu.no"; domain = "pvv.ntnu.no";
@@ -79,7 +61,6 @@ in
mediaUrl = "https://matrix.pvv.ntnu.no"; mediaUrl = "https://matrix.pvv.ntnu.no";
port = 9993; port = 9993;
}; };
listeners = [ listeners = [
{ {
bindAddress = webhookListenAddress; bindAddress = webhookListenAddress;
@@ -92,7 +73,6 @@ in
]; ];
} }
]; ];
generic = { generic = {
enabled = true; enabled = true;
outbound = true; outbound = true;
@@ -107,8 +87,7 @@ in
}; };
serviceBots = [ serviceBots = [
{ { localpart = "bot_feeds";
localpart = "bot_feeds";
displayname = "Aya"; displayname = "Aya";
avatar = ./feeds.png; avatar = ./feeds.png;
prefix = "!aya"; prefix = "!aya";
@@ -123,44 +102,20 @@ in
permissions = [ permissions = [
# Users of the PVV Server # Users of the PVV Server
{ { actor = "pvv.ntnu.no";
actor = "pvv.ntnu.no"; services = [ { service = "*"; level = "commands"; } ];
services = [
{
service = "*";
level = "commands";
}
];
} }
# Members of Medlem space (for people with their own hs) # Members of Medlem space (for people with their own hs)
{ { actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no"; services = [ { service = "*"; level = "commands"; } ];
services = [
{
service = "*";
level = "commands";
}
];
} }
# Members of Drift # Members of Drift
{ { actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no"; services = [ { service = "*"; level = "admin"; } ];
services = [
{
service = "*";
level = "admin";
}
];
} }
# Dan bootstrap # Dan bootstrap
{ { actor = "@dandellion:dodsorf.as";
actor = "@dandellion:dodsorf.as"; services = [ { service = "*"; level = "admin"; } ];
services = [
{
service = "*";
level = "admin";
}
];
} }
]; ];
}; };

24
hosts/bicep/services/matrix/livekit.nix
View File

@@ -1,9 +1,4 @@
{ { config, lib, fp, ... }:
config,
lib,
fp,
...
}:
let let
synapseConfig = config.services.matrix-synapse-next; synapseConfig = config.services.matrix-synapse-next;
matrixDomain = "matrix.pvv.ntnu.no"; matrixDomain = "matrix.pvv.ntnu.no";
@@ -25,12 +20,10 @@ in
}; };
services.pvv-matrix-well-known.client = lib.mkIf cfg.enable { services.pvv-matrix-well-known.client = lib.mkIf cfg.enable {
"org.matrix.msc4143.rtc_foci" = [ "org.matrix.msc4143.rtc_foci" = [{
{ type = "livekit";
type = "livekit"; livekit_service_url = "https://${matrixDomain}/livekit/jwt";
livekit_service_url = "https://${matrixDomain}/livekit/jwt"; }];
}
];
}; };
services.livekit = { services.livekit = {
@@ -50,12 +43,7 @@ in
keyFile = config.sops.templates."matrix-livekit-keyfile".path; keyFile = config.sops.templates."matrix-livekit-keyfile".path;
}; };
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable ( systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable matrixDomain;
builtins.concatStringsSep "," [
"pvv.ntnu.no"
"dodsorf.as"
]
);
services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable { services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
locations."^~ /livekit/jwt/" = { locations."^~ /livekit/jwt/" = {

7
hosts/bicep/services/matrix/mjolnir.nix
View File

@@ -1,9 +1,4 @@
{ { config, lib, fp, ... }:
config,
lib,
fp,
...
}:
{ {
sops.secrets."matrix/mjolnir/access_token" = { sops.secrets."matrix/mjolnir/access_token" = {

26
hosts/bicep/services/matrix/out-of-your-element.nix
View File

@@ -1,11 +1,4 @@
{ { config, pkgs, fp, ... }:
config,
pkgs,
lib,
values,
fp,
...
}:
let let
cfg = config.services.matrix-ooye; cfg = config.services.matrix-ooye;
in in
@@ -35,23 +28,6 @@ in
}; };
}; };
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
locations."/var/lib/private/matrix-ooye" = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5koYfor5+kKB30Dugj3dAWvmj8h/akQQ2XYDvLobFL matrix_ooye rsync backup";
};
};
services.matrix-ooye = { services.matrix-ooye = {
enable = true; enable = true;
homeserver = "https://matrix.pvv.ntnu.no"; homeserver = "https://matrix.pvv.ntnu.no";

7
hosts/bicep/services/matrix/smtp-authenticator/default.nix
View File

@@ -1,9 +1,4 @@
{ { lib, buildPythonPackage, fetchFromGitHub, setuptools }:
lib,
buildPythonPackage,
fetchFromGitHub,
setuptools,
}:
buildPythonPackage rec { buildPythonPackage rec {
pname = "matrix-synapse-smtp-auth"; pname = "matrix-synapse-smtp-auth";

8
hosts/bicep/services/matrix/synapse-admin.nix
View File

@@ -1,9 +1,5 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
# This service requires you to have access to endpoints not available over the internet # This service requires you to have access to endpoints not available over the internet
# Use an ssh proxy or similar to access this dashboard. # Use an ssh proxy or similar to access this dashboard.

61
hosts/bicep/services/matrix/synapse-auto-compressor.nix
View File

@@ -1,61 +0,0 @@
{
config,
lib,
utils,
...
}:
let
cfg = config.services.synapse-auto-compressor;
in
{
services.synapse-auto-compressor = {
# enable = true;
postgresUrl = "postgresql://matrix-synapse@/synapse?host=/run/postgresql";
};
# NOTE: nixpkgs has some broken asserts, vendored the entire unit
systemd.services.synapse-auto-compressor = {
description = "synapse-auto-compressor";
requires = [
"postgresql.target"
];
inherit (cfg) startAt;
serviceConfig = {
Type = "oneshot";
DynamicUser = true;
User = "matrix-synapse";
PrivateTmp = true;
ExecStart = utils.escapeSystemdExecArgs [
"${cfg.package}/bin/synapse_auto_compressor"
"-p"
cfg.postgresUrl
"-c"
cfg.settings.chunk_size
"-n"
cfg.settings.chunks_to_compress
"-l"
(lib.concatStringsSep "," (map toString cfg.settings.levels))
];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateUsers = true;
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
ProcSubset = "pid";
ProtectProc = "invisible";
ProtectSystem = "strict";
ProtectHome = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
};
};
}

162
hosts/bicep/services/matrix/synapse.nix
View File

@@ -1,23 +1,13 @@
{ { config, lib, fp, pkgs, values, inputs, ... }:
config,
lib,
fp,
pkgs,
values,
inputs,
...
}:
let let
cfg = config.services.matrix-synapse-next; cfg = config.services.matrix-synapse-next;
matrix-lib = inputs.matrix-next.lib; matrix-lib = inputs.matrix-next.lib;
imap0Attrs = imap0Attrs = with lib; f: set:
with lib; listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
f: set: listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set)); in {
in
{
sops.secrets."matrix/synapse/signing_key" = { sops.secrets."matrix/synapse/signing_key" = {
key = "synapse/signing_key"; key = "synapse/signing_key";
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
@@ -33,29 +23,10 @@ in
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group; group = config.users.users.matrix-synapse.group;
content = '' content = ''
registration_shared_secret: ${ registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"
}
''; '';
}; };
services.rsync-pull-targets = {
enable = true;
locations.${cfg.settings.media_store_path} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASnjI9b3j4ZS3BL/D1ggHfws1BkE8iS0v0cGpEmbG+k matrix_media_store rsync backup";
};
};
services.matrix-synapse-next = { services.matrix-synapse-next = {
enable = true; enable = true;
@@ -80,7 +51,7 @@ in
signing_key_path = config.sops.secrets."matrix/synapse/signing_key".path; signing_key_path = config.sops.secrets."matrix/synapse/signing_key".path;
media_store_path = "${cfg.dataDir}/media"; media_store_path = "${cfg.dataDir}/media";
database = { database = {
name = "psycopg2"; name = "psycopg2";
@@ -122,8 +93,7 @@ in
password_config.enabled = true; password_config.enabled = true;
modules = [ modules = [
{ { module = "smtp_auth_provider.SMTPAuthProvider";
module = "smtp_auth_provider.SMTPAuthProvider";
config = { config = {
smtp_host = "smtp.pvv.ntnu.no"; smtp_host = "smtp.pvv.ntnu.no";
}; };
@@ -196,79 +166,61 @@ in
services.pvv-matrix-well-known.server."m.server" = "matrix.pvv.ntnu.no:443"; services.pvv-matrix-well-known.server."m.server" = "matrix.pvv.ntnu.no:443";
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [ services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
{ {
kTLS = true; kTLS = true;
} }
{ {
locations."/_synapse/admin" = { locations."/_synapse/admin" = {
proxyPass = "http://$synapse_backend"; proxyPass = "http://$synapse_backend";
extraConfig = '' extraConfig = ''
allow 127.0.0.1; allow 127.0.0.1;
allow ::1; allow ::1;
allow ${values.hosts.bicep.ipv4}; allow ${values.hosts.bicep.ipv4};
allow ${values.hosts.bicep.ipv6}; allow ${values.hosts.bicep.ipv6};
deny all; deny all;
''; '';
}; };
} }
{ {
locations = locations = let
let connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w; socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString c.port}";
socketAddress =
w:
let
c = connectionInfo w;
in
"${c.host}:${toString c.port}";
metricsPath = w: "/metrics/${w.type}/${toString w.index}"; metricsPath = w: "/metrics/${w.type}/${toString w.index}";
proxyPath = w: "http://${socketAddress w}/_synapse/metrics"; proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
in in lib.mapAttrs' (n: v: lib.nameValuePair
lib.mapAttrs' ( (metricsPath v) {
n: v: proxyPass = proxyPath v;
lib.nameValuePair (metricsPath v) {
proxyPass = proxyPath v;
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
}
) cfg.workers.instances;
}
{
locations."/metrics/master/1" = {
proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
extraConfig = '' extraConfig = ''
allow ${values.hosts.ildkule.ipv4}; allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6}; allow ${values.hosts.ildkule.ipv6};
deny all; deny all;
''; '';
}; })
cfg.workers.instances;
}
{
locations."/metrics/master/1" = {
proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
};
locations."/metrics/" = locations."/metrics/" = let
let endpoints = lib.pipe cfg.workers.instances [
endpoints = (lib.mapAttrsToList (_: v: v))
lib.pipe cfg.workers.instances [ (map (w: "${w.type}/${toString w.index}"))
(lib.mapAttrsToList (_: v: v)) (map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
(map (w: "${w.type}/${toString w.index}")) ] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
(map (w: "matrix.pvv.ntnu.no/metrics/${w}")) in {
] alias = pkgs.writeTextDir "/config.json"
++ [ "matrix.pvv.ntnu.no/metrics/master/1" ]; (builtins.toJSON [
in { targets = endpoints;
{ labels = { };
alias = }]) + "/";
pkgs.writeTextDir "/config.json" ( };
builtins.toJSON [ }];
{
targets = endpoints;
labels = { };
}
]
)
+ "/";
};
}
];
} }

7
hosts/bicep/services/matrix/well-known.nix
View File

@@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
cfg = config.services.pvv-matrix-well-known; cfg = config.services.pvv-matrix-well-known;
format = pkgs.formats.json { }; format = pkgs.formats.json { };

45
hosts/bicep/services/minecraft-heatmap.nix
View File

@@ -1,9 +1,4 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
let let
cfg = config.services.minecraft-heatmap; cfg = config.services.minecraft-heatmap;
in in
@@ -27,30 +22,28 @@ in
}; };
}; };
systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable { systemd.services.minecraft-heatmap-ingest-logs = {
serviceConfig.LoadCredential = [ serviceConfig.LoadCredential = [
"sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}" "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
]; ];
preStart = preStart = let
let knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" '' innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U=
innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U= innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
'';
in
''
mkdir -p '${cfg.minecraftLogsDir}'
"${lib.getExe pkgs.rsync}" \
--archive \
--verbose \
--progress \
--no-owner \
--no-group \
--rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
root@innovation.pvv.ntnu.no:/ \
'${cfg.minecraftLogsDir}'/
''; '';
in ''
mkdir -p '${cfg.minecraftLogsDir}'
"${lib.getExe pkgs.rsync}" \
--archive \
--verbose \
--progress \
--no-owner \
--no-group \
--rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
root@innovation.pvv.ntnu.no:/ \
'${cfg.minecraftLogsDir}'/
'';
}; };
} }

55
hosts/bicep/services/mysql.nix Normal file
View File

@@ -0,0 +1,55 @@
{ pkgs, lib, config, values, ... }:
{
sops.secrets."mysql/password" = {
owner = "mysql";
group = "mysql";
};
users.mysql.passwordFile = config.sops.secrets."mysql/password".path;
services.mysql = {
enable = true;
dataDir = "/data/mysql";
package = pkgs.mariadb;
settings = {
mysqld = {
# PVV allows a lot of connections at the same time
max_connect_errors = 10000;
bind-address = values.services.mysql.ipv4;
skip-networking = 0;
# This was needed in order to be able to use all of the old users
# during migration from knakelibrak to bicep in Sep. 2023
secure_auth = 0;
};
};
# Note: This user also has MAX_USER_CONNECTIONS set to 3, and
# a password which can be found in /secrets/ildkule/ildkule.yaml
# We have also changed both the host and auth plugin of this user
# to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
ensureUsers = [{
name = "prometheus_mysqld_exporter";
ensurePermissions = {
"*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
};
}];
};
services.mysqlBackup = {
enable = true;
location = "/var/lib/mysql/backups";
};
networking.firewall.allowedTCPPorts = [ 3306 ];
systemd.services.mysql.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
values.ipv4-space
values.ipv6-space
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
}

91
hosts/bicep/services/mysql/backup.nix
View File

@@ -1,91 +0,0 @@
{
config,
lib,
pkgs,
values,
...
}:
let
cfg = config.services.mysql;
backupDir = "/data/mysql-backups";
in
{
# services.mysqlBackup = lib.mkIf cfg.enable {
# enable = true;
# location = "/var/lib/mysql-backups";
# };
systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = {
user = "mysql";
group = "mysql";
mode = "700";
};
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
locations.${backupDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgj55/7Cnj4cYMJ5sIkl+OwcGeBe039kXJTOf2wvo9j mysql rsync backup";
};
};
# NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
# another unit, it was easier to just make one ourselves.
systemd.services."backup-mysql" = lib.mkIf cfg.enable {
description = "Backup MySQL data";
requires = [ "mysql.service" ];
path = with pkgs; [
cfg.package
coreutils
zstd
];
script =
let
rotations = 2;
in
''
set -euo pipefail
OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
# NOTE: this needs to be a hardlink for rrsync to allow sending it
rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done
'';
serviceConfig = {
Type = "oneshot";
User = "mysql";
Group = "mysql";
UMask = "0077";
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
StateDirectory = [ "mysql-backups" ];
BindPaths = [ "${backupDir}:/var/lib/mysql-backups" ];
# TODO: hardening
};
startAt = "*-*-* 02:15:00";
};
}

82
hosts/bicep/services/mysql/default.nix
View File

@@ -1,82 +0,0 @@
{
config,
pkgs,
lib,
values,
...
}:
let
cfg = config.services.mysql;
dataDir = "/data/mysql";
in
{
imports = [ ./backup.nix ];
sops.secrets."mysql/password" = {
owner = "mysql";
group = "mysql";
};
users.mysql.passwordFile = config.sops.secrets."mysql/password".path;
services.mysql = {
enable = true;
package = pkgs.mariadb_118;
settings = {
mysqld = {
# PVV allows a lot of connections at the same time
max_connect_errors = 10000;
bind-address = values.services.mysql.ipv4;
skip-networking = 0;
# This was needed in order to be able to use all of the old users
# during migration from knakelibrak to bicep in Sep. 2023
secure_auth = 0;
slow-query-log = 1;
slow-query-log-file = "/var/log/mysql/mysql-slow.log";
};
};
# Note: This user also has MAX_USER_CONNECTIONS set to 3, and
# a password which can be found in /secrets/ildkule/ildkule.yaml
# We have also changed both the host and auth plugin of this user
# to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
ensureUsers = [
{
name = "prometheus_mysqld_exporter";
ensurePermissions = {
"*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
};
}
];
};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
inherit (cfg) user group;
mode = "0700";
};
systemd.services.mysql = lib.mkIf cfg.enable {
after = [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
];
serviceConfig = {
BindPaths = [ "${dataDir}:${cfg.dataDir}" ];
LogsDirectory = "mysql";
IPAddressDeny = "any";
IPAddressAllow = [
values.ipv4-space
values.ipv6-space
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
};
}

33
hosts/bicep/services/postgresql/default.nix → hosts/bicep/services/postgres.nix
View File

@@ -1,19 +1,8 @@
{ config, pkgs, values, ... }:
{ {
config,
lib,
pkgs,
values,
...
}:
let
cfg = config.services.postgresql;
in
{
imports = [ ./backup.nix ];
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_18; package = pkgs.postgresql_15;
enableTCPIP = true; enableTCPIP = true;
authentication = '' authentication = ''
@@ -85,13 +74,13 @@ in
}; };
}; };
systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = lib.mkIf cfg.enable { systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
user = config.systemd.services.postgresql.serviceConfig.User; user = config.systemd.services.postgresql.serviceConfig.User;
group = config.systemd.services.postgresql.serviceConfig.Group; group = config.systemd.services.postgresql.serviceConfig.Group;
mode = "0700"; mode = "0700";
}; };
systemd.services.postgresql-setup = lib.mkIf cfg.enable { systemd.services.postgresql-setup = {
after = [ after = [
"systemd-tmpfiles-setup.service" "systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service" "systemd-tmpfiles-resetup.service"
@@ -106,7 +95,7 @@ in
}; };
}; };
systemd.services.postgresql = lib.mkIf cfg.enable { systemd.services.postgresql = {
after = [ after = [
"systemd-tmpfiles-setup.service" "systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service" "systemd-tmpfiles-resetup.service"
@@ -121,12 +110,18 @@ in
}; };
}; };
environment.snakeoil-certs."/etc/certs/postgres" = lib.mkIf cfg.enable { environment.snakeoil-certs."/etc/certs/postgres" = {
owner = "postgres"; owner = "postgres";
group = "postgres"; group = "postgres";
subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no"; subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
}; };
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 5432 ]; networking.firewall.allowedTCPPorts = [ 5432 ];
networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [ 5432 ]; networking.firewall.allowedUDPPorts = [ 5432 ];
services.postgresqlBackup = {
enable = true;
location = "/var/lib/postgres/backups";
backupAll = true;
};
} }

92
hosts/bicep/services/postgresql/backup.nix
View File

@@ -1,92 +0,0 @@
{
config,
lib,
pkgs,
values,
...
}:
let
cfg = config.services.postgresql;
backupDir = "/data/postgresql-backups";
in
{
# services.postgresqlBackup = lib.mkIf cfg.enable {
# enable = true;
# location = "/var/lib/postgresql-backups";
# backupAll = true;
# };
systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = {
user = "postgres";
group = "postgres";
mode = "700";
};
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
locations.${backupDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvO7QX7QmwSiGLXEsaxPIOpAqnJP3M+qqQRe5dzf8gJ postgresql rsync backup";
};
};
# NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
# another unit, it was easier to just make one ourselves
systemd.services."backup-postgresql" = {
description = "Backup PostgreSQL data";
requires = [ "postgresql.service" ];
path = with pkgs; [
coreutils
zstd
cfg.package
];
script =
let
rotations = 2;
in
''
set -euo pipefail
OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
# NOTE: this needs to be a hardlink for rrsync to allow sending it
rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done
'';
serviceConfig = {
Type = "oneshot";
User = "postgres";
Group = "postgres";
UMask = "0077";
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
StateDirectory = [ "postgresql-backups" ];
BindPaths = [ "${backupDir}:/var/lib/postgresql-backups" ];
# TODO: hardening
};
startAt = "*-*-* 01:15:00";
};
}

96
hosts/bikkje/configuration.nix
View File

@@ -1,14 +1,8 @@
{ { config, pkgs, values, ... }:
lib,
config,
pkgs,
values,
...
}:
{ {
networking.nat = { networking.nat = {
enable = true; enable = true;
internalInterfaces = [ "ve-+" ]; internalInterfaces = ["ve-+"];
externalInterface = "ens3"; externalInterface = "ens3";
# Lazy IPv6 connectivity for the container # Lazy IPv6 connectivity for the container
enableIPv6 = true; enableIPv6 = true;
@@ -16,11 +10,9 @@
containers.bikkje = { containers.bikkje = {
autoStart = true; autoStart = true;
config = config = { config, pkgs, ... }: {
{ config, pkgs, ... }: #import packages
{ packages = with pkgs; [
#import packages
packages = with pkgs; [
alpine alpine
mutt mutt
mutt-ics mutt-ics
@@ -30,66 +22,26 @@
hexchat hexchat
irssi irssi
pidgin pidgin
]; ];
networking = { networking = {
hostName = "bikkje"; hostName = "bikkje";
firewall = { firewall = {
enable = true; enable = true;
# Allow SSH and HTTP and ports for email and irc # Allow SSH and HTTP and ports for email and irc
allowedTCPPorts = [ allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
80 allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
22
194
994
6665
6666
6667
6668
6669
6697
995
993
25
465
587
110
143
993
995
];
allowedUDPPorts = [
80
22
194
994
6665
6666
6667
6668
6669
6697
995
993
25
465
587
110
143
993
995
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
}; };
# Use systemd-resolved inside the container
services.resolved.enable = true; # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = mkForce false;
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "23.11";
}; };
services.resolved.enable = true;
# Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "23.11";
};
}; };
} };

25
hosts/brzeczyszczykiewicz/configuration.nix
View File

@@ -1,30 +1,21 @@
{ { config, fp, pkgs, values, ... }:
config,
fp,
pkgs,
values,
...
}:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
./services/grzegorz.nix ./services/grzegorz.nix
]; ];
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // { systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
matchConfig.Name = "eno1"; matchConfig.Name = "eno1";
address = with values.hosts.brzeczyszczykiewicz; [ address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
(ipv4 + "/25")
(ipv6 + "/64")
];
}; };
fonts.fontconfig.enable = true; fonts.fontconfig.enable = true;
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11"; system.stateVersion = "23.05";
} }

46
hosts/brzeczyszczykiewicz/hardware-configuration.nix
View File

@@ -1,45 +1,31 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
"xhci_pci"
"ehci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204"; { device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/82E3-3D03"; { device = "/dev/disk/by-uuid/82E3-3D03";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ swapDevices =
{ device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; } [ { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's

25
hosts/georg/configuration.nix
View File

@@ -1,25 +1,16 @@
{ { config, fp, pkgs, values, ... }:
config,
fp,
pkgs,
values,
...
}:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
(fp /modules/grzegorz.nix) (fp /modules/grzegorz.nix)
]; ];
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // { systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
matchConfig.Name = "eno1"; matchConfig.Name = "eno1";
address = with values.hosts.georg; [ address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
(ipv4 + "/25")
(ipv6 + "/64")
];
}; };
services.spotifyd = { services.spotifyd = {
@@ -41,5 +32,5 @@
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.11"; system.stateVersion = "23.05";
} }

45
hosts/georg/hardware-configuration.nix
View File

@@ -1,44 +1,31 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
"xhci_pci"
"ehci_pci"
"ahci"
"usb_storage"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0"; { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/145E-7362"; { device = "/dev/disk/by-uuid/145E-7362";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ swapDevices =
{ device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; } [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's

9
hosts/gluttony/configuration.nix
View File

@@ -11,15 +11,6 @@
]; ];
systemd.network.enable = lib.mkForce false; systemd.network.enable = lib.mkForce false;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
boot.loader = {
systemd-boot.enable = false; # no uefi support on this device
grub.device = "/dev/sda";
grub.enable = true;
};
boot.tmp.cleanOnBoot = true;
networking = networking =
let let
hostConf = values.hosts.gluttony; hostConf = values.hosts.gluttony;

2
hosts/gluttony/hardware-configuration.nix
View File

@@ -31,7 +31,7 @@
}; };
fileSystems."/boot" = { fileSystems."/boot" = {
device = "/dev/disk/by-uuid/933A-3005"; device = "/dev/disk/by-uuid/D00A-B488";
fsType = "vfat"; fsType = "vfat";
options = [ options = [
"fmask=0077" "fmask=0077"

68
hosts/ildkule/configuration.nix
View File

@@ -1,21 +1,14 @@
{ { config, fp, pkgs, lib, values, ... }:
config,
fp,
pkgs,
lib,
values,
...
}:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
./services/monitoring ./services/monitoring
./services/nginx ./services/nginx
./services/journald-remote.nix ./services/journald-remote.nix
]; ];
boot.loader.systemd-boot.enable = false; boot.loader.systemd-boot.enable = false;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";
@@ -24,37 +17,26 @@
# Openstack Neutron and systemd-networkd are not best friends, use something else: # Openstack Neutron and systemd-networkd are not best friends, use something else:
systemd.network.enable = lib.mkForce false; systemd.network.enable = lib.mkForce false;
networking = networking = let
let hostConf = values.hosts.ildkule;
hostConf = values.hosts.ildkule; in {
in tempAddresses = "disabled";
{ useDHCP = lib.mkForce true;
tempAddresses = "disabled";
useDHCP = lib.mkForce true;
search = values.defaultNetworkConfig.domains; search = values.defaultNetworkConfig.domains;
nameservers = values.defaultNetworkConfig.dns; nameservers = values.defaultNetworkConfig.dns;
defaultGateway.address = hostConf.ipv4_internal_gw; defaultGateway.address = hostConf.ipv4_internal_gw;
interfaces."ens4" = { interfaces."ens4" = {
ipv4.addresses = [ ipv4.addresses = [
{ { address = hostConf.ipv4; prefixLength = 32; }
address = hostConf.ipv4; { address = hostConf.ipv4_internal; prefixLength = 24; }
prefixLength = 32; ];
} ipv6.addresses = [
{ { address = hostConf.ipv6; prefixLength = 64; }
address = hostConf.ipv4_internal; ];
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = hostConf.ipv6;
prefixLength = 64;
}
];
};
}; };
};
services.qemuGuest.enable = true; services.qemuGuest.enable = true;

7
hosts/ildkule/hardware-configuration.nix
View File

@@ -1,12 +1,7 @@
{ modulesPath, lib, ... }: { modulesPath, lib, ... }:
{ {
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
"ata_piix"
"uhci_hcd"
"xen_blkfront"
"vmw_pvscsi"
];
boot.initrd.kernelModules = [ "nvme" ]; boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { fileSystems."/" = {
device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942"; device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";

37
hosts/ildkule/services/journald-remote.nix
View File

@@ -1,9 +1,4 @@
{ { config, lib, values, ... }:
config,
lib,
values,
...
}:
let let
cfg = config.services.journald.remote; cfg = config.services.journald.remote;
domainName = "journald.pvv.ntnu.no"; domainName = "journald.pvv.ntnu.no";
@@ -27,15 +22,13 @@ in
services.journald.remote = { services.journald.remote = {
enable = true; enable = true;
settings.Remote = settings.Remote = let
let inherit (config.security.acme.certs.${domainName}) directory;
inherit (config.security.acme.certs.${domainName}) directory; in {
in ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
{ ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem"; TrustedCertificateFile = "-";
ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem"; };
TrustedCertificateFile = "-";
};
}; };
systemd.sockets."systemd-journal-remote" = { systemd.sockets."systemd-journal-remote" = {
@@ -54,14 +47,12 @@ in
systemd.services."systemd-journal-remote" = { systemd.services."systemd-journal-remote" = {
serviceConfig = { serviceConfig = {
LoadCredential = LoadCredential = let
let inherit (config.security.acme.certs.${domainName}) directory;
inherit (config.security.acme.certs.${domainName}) directory; in [
in "key.pem:${directory}/key.pem"
[ "cert.pem:${directory}/cert.pem"
"key.pem:${directory}/key.pem" ];
"cert.pem:${directory}/cert.pem"
];
}; };
}; };
} }

1009
hosts/ildkule/services/monitoring/dashboards/go-processes.json Normal file
View File

File diff suppressed because it is too large Load Diff

14
hosts/ildkule/services/monitoring/dashboards/mysql.json
View File

@@ -13,7 +13,7 @@
] ]
}, },
"description": "", "description": "",
"editable": false, "editable": true,
"gnetId": 11323, "gnetId": 11323,
"graphTooltip": 1, "graphTooltip": 1,
"id": 31, "id": 31,
@@ -1899,7 +1899,7 @@
"dashes": false, "dashes": false,
"datasource": "$datasource", "datasource": "$datasource",
"decimals": 0, "decimals": 0,
"description": "***System Memory***: Total Memory for the system.\\\n***InnoDB Buffer Pool Data***: InnoDB maintains a storage area called the buffer pool for caching data and indexes in memory.\\\n***TokuDB Cache Size***: Similar in function to the InnoDB Buffer Pool, TokuDB will allocate 50% of the installed RAM for its own cache.\\\n***Key Buffer Size***: Index blocks for MYISAM tables are buffered and are shared by all threads. key_buffer_size is the size of the buffer used for index blocks.\\\n***Adaptive Hash Index Size***: When InnoDB notices that some index values are being accessed very frequently, it builds a hash index for them in memory on top of B-Tree indexes.\\\n ***Query Cache Size***: The query cache stores the text of a SELECT statement together with the corresponding result that was sent to the client. The query cache has huge scalability problems in that only one thread can do an operation in the query cache at the same time.\\\n***InnoDB Dictionary Size***: The data dictionary is InnoDB s internal catalog of tables. InnoDB stores the data dictionary on disk, and loads entries into memory while the server is running.\\\n***InnoDB Log Buffer Size***: The MySQL InnoDB log buffer allows transactions to run without having to write the log to disk before the transactions commit.", "description": "***System Memory***: Total Memory for the system.\\\n***InnoDB Buffer Pool Data***: InnoDB maintains a storage area called the buffer pool for caching data and indexes in memory.\\\n***TokuDB Cache Size***: Similar in function to the InnoDB Buffer Pool, TokuDB will allocate 50% of the installed RAM for its own cache.\\\n***Key Buffer Size***: Index blocks for MYISAM tables are buffered and are shared by all threads. key_buffer_size is the size of the buffer used for index blocks.\\\n***Adaptive Hash Index Size***: When InnoDB notices that some index values are being accessed very frequently, it builds a hash index for them in memory on top of B-Tree indexes.\\\n ***Query Cache Size***: The query cache stores the text of a SELECT statement together with the corresponding result that was sent to the client. The query cache has huge scalability problems in that only one thread can do an operation in the query cache at the same time.\\\n***InnoDB Dictionary Size***: The data dictionary is InnoDB 's internal catalog of tables. InnoDB stores the data dictionary on disk, and loads entries into memory while the server is running.\\\n***InnoDB Log Buffer Size***: The MySQL InnoDB log buffer allows transactions to run without having to write the log to disk before the transactions commit.",
"editable": true, "editable": true,
"error": false, "error": false,
"fieldConfig": { "fieldConfig": {
@@ -3690,7 +3690,7 @@
}, },
"hide": 0, "hide": 0,
"includeAll": false, "includeAll": false,
"label": "Data source", "label": "Data Source",
"multi": false, "multi": false,
"name": "datasource", "name": "datasource",
"options": [], "options": [],
@@ -3713,12 +3713,12 @@
"definition": "label_values(mysql_up, job)", "definition": "label_values(mysql_up, job)",
"hide": 0, "hide": 0,
"includeAll": true, "includeAll": true,
"label": "Job", "label": "job",
"multi": true, "multi": true,
"name": "job", "name": "job",
"options": [], "options": [],
"query": "label_values(mysql_up, job)", "query": "label_values(mysql_up, job)",
"refresh": 2, "refresh": 1,
"regex": "", "regex": "",
"skipUrlSync": false, "skipUrlSync": false,
"sort": 0, "sort": 0,
@@ -3742,12 +3742,12 @@
"definition": "label_values(mysql_up, instance)", "definition": "label_values(mysql_up, instance)",
"hide": 0, "hide": 0,
"includeAll": true, "includeAll": true,
"label": "Instance", "label": "instance",
"multi": true, "multi": true,
"name": "instance", "name": "instance",
"options": [], "options": [],
"query": "label_values(mysql_up, instance)", "query": "label_values(mysql_up, instance)",
"refresh": 2, "refresh": 1,
"regex": "", "regex": "",
"skipUrlSync": false, "skipUrlSync": false,
"sort": 0, "sort": 0,

22402
hosts/ildkule/services/monitoring/dashboards/node-exporter-full.json
View File

File diff suppressed because it is too large Load Diff

30
hosts/ildkule/services/monitoring/dashboards/postgres.json
View File

@@ -328,7 +328,7 @@
"rgba(50, 172, 45, 0.97)" "rgba(50, 172, 45, 0.97)"
], ],
"datasource": "${DS_PROMETHEUS}", "datasource": "${DS_PROMETHEUS}",
"format": "short", "format": "decbytes",
"gauge": { "gauge": {
"maxValue": 100, "maxValue": 100,
"minValue": 0, "minValue": 0,
@@ -411,7 +411,7 @@
"rgba(50, 172, 45, 0.97)" "rgba(50, 172, 45, 0.97)"
], ],
"datasource": "${DS_PROMETHEUS}", "datasource": "${DS_PROMETHEUS}",
"format": "short", "format": "decbytes",
"gauge": { "gauge": {
"maxValue": 100, "maxValue": 100,
"minValue": 0, "minValue": 0,
@@ -1410,7 +1410,7 @@
"tableColumn": "", "tableColumn": "",
"targets": [ "targets": [
{ {
"expr": "pg_settings_seq_page_cost{instance=\"$instance\"}", "expr": "pg_settings_seq_page_cost",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"refId": "A" "refId": "A"
@@ -1872,7 +1872,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "short", "format": "bytes",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
@@ -1966,7 +1966,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "short", "format": "bytes",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
@@ -2060,7 +2060,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "short", "format": "bytes",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
@@ -2251,7 +2251,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "short", "format": "bytes",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
@@ -2439,7 +2439,7 @@
}, },
"yaxes": [ "yaxes": [
{ {
"format": "short", "format": "bytes",
"label": null, "label": null,
"logBase": 1, "logBase": 1,
"max": null, "max": null,
@@ -2589,35 +2589,35 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "irate(pg_stat_bgwriter_buffers_backend_total{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_buffers_backend{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "buffers_backend", "legendFormat": "buffers_backend",
"refId": "A" "refId": "A"
}, },
{ {
"expr": "irate(pg_stat_bgwriter_buffers_alloc_total{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_buffers_alloc{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "buffers_alloc", "legendFormat": "buffers_alloc",
"refId": "B" "refId": "B"
}, },
{ {
"expr": "irate(pg_stat_bgwriter_buffers_backend_fsync_total{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_buffers_backend_fsync{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "backend_fsync", "legendFormat": "backend_fsync",
"refId": "C" "refId": "C"
}, },
{ {
"expr": "irate(pg_stat_bgwriter_buffers_checkpoint_total{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_buffers_checkpoint{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "buffers_checkpoint", "legendFormat": "buffers_checkpoint",
"refId": "D" "refId": "D"
}, },
{ {
"expr": "irate(pg_stat_bgwriter_buffers_clean_total{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_buffers_clean{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "buffers_clean", "legendFormat": "buffers_clean",
@@ -2886,14 +2886,14 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "irate(pg_stat_bgwriter_checkpoint_write_time_total{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_checkpoint_write_time{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "write_time - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk.", "legendFormat": "write_time - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk.",
"refId": "B" "refId": "B"
}, },
{ {
"expr": "irate(pg_stat_bgwriter_checkpoint_sync_time_total{instance=\"$instance\"}[5m])", "expr": "irate(pg_stat_bgwriter_checkpoint_sync_time{instance=\"$instance\"}[5m])",
"format": "time_series", "format": "time_series",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "sync_time - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk.", "legendFormat": "sync_time - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk.",

8188
hosts/ildkule/services/monitoring/dashboards/synapse.json
View File

File diff suppressed because it is too large Load Diff

69
hosts/ildkule/services/monitoring/grafana.nix
View File

@@ -1,44 +1,33 @@
{ { config, pkgs, values, ... }: let
config,
pkgs,
values,
...
}:
let
cfg = config.services.grafana; cfg = config.services.grafana;
in in {
{ sops.secrets = let
sops.secrets = owner = "grafana";
let group = "grafana";
owner = "grafana"; in {
group = "grafana"; "keys/grafana/secret_key" = { inherit owner group; };
in "keys/grafana/admin_password" = { inherit owner group; };
{ };
"keys/grafana/secret_key" = { inherit owner group; };
"keys/grafana/admin_password" = { inherit owner group; };
};
services.grafana = { services.grafana = {
enable = true; enable = true;
settings = settings = let
let # See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
# See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider secretFile = path: "$__file{${path}}";
secretFile = path: "$__file{${path}}"; in {
in server = {
{ domain = "grafana.pvv.ntnu.no";
server = { http_port = 2342;
domain = "grafana.pvv.ntnu.no"; http_addr = "127.0.0.1";
http_port = 2342;
http_addr = "127.0.0.1";
};
security = {
secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
};
}; };
security = {
secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
};
};
provision = { provision = {
enable = true; enable = true;
datasources.settings.datasources = [ datasources.settings.datasources = [
@@ -58,13 +47,13 @@ in
{ {
name = "Node Exporter Full"; name = "Node Exporter Full";
type = "file"; type = "file";
url = "https://grafana.com/api/dashboards/1860/revisions/42/download"; url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
options.path = dashboards/node-exporter-full.json; options.path = dashboards/node-exporter-full.json;
} }
{ {
name = "Matrix Synapse"; name = "Matrix Synapse";
type = "file"; type = "file";
url = "https://github.com/element-hq/synapse/raw/refs/heads/develop/contrib/grafana/synapse.json"; url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
options.path = dashboards/synapse.json; options.path = dashboards/synapse.json;
} }
{ {
@@ -76,9 +65,15 @@ in
{ {
name = "Postgresql"; name = "Postgresql";
type = "file"; type = "file";
url = "https://grafana.com/api/dashboards/9628/revisions/8/download"; url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
options.path = dashboards/postgres.json; options.path = dashboards/postgres.json;
} }
{
name = "Go Processes (gogs)";
type = "file";
url = "https://grafana.com/api/dashboards/240/revisions/3/download";
options.path = dashboards/go-processes.json;
}
{ {
name = "Gitea Dashboard"; name = "Gitea Dashboard";
type = "file"; type = "file";

3
hosts/ildkule/services/monitoring/loki.nix
View File

@@ -3,8 +3,7 @@
let let
cfg = config.services.loki; cfg = config.services.loki;
stateDir = "/data/monitoring/loki"; stateDir = "/data/monitoring/loki";
in in {
{
services.loki = { services.loki = {
enable = true; enable = true;
configuration = { configuration = {

6
hosts/ildkule/services/monitoring/prometheus/default.nix
View File

@@ -1,8 +1,6 @@
{ config, ... }: { config, ... }: let
let
stateDir = "/data/monitoring/prometheus"; stateDir = "/data/monitoring/prometheus";
in in {
{
imports = [ imports = [
./exim.nix ./exim.nix
./gitea.nix ./gitea.nix

8
hosts/ildkule/services/monitoring/prometheus/exim.nix
View File

@@ -5,11 +5,9 @@
{ {
job_name = "exim"; job_name = "exim";
scrape_interval = "15s"; scrape_interval = "15s";
static_configs = [ static_configs = [{
{ targets = [ "microbel.pvv.ntnu.no:9636" ];
targets = [ "microbel.pvv.ntnu.no:9636" ]; }];
}
];
} }
]; ];
}; };

26
hosts/ildkule/services/monitoring/prometheus/gitea.nix
View File

@@ -1,18 +1,16 @@
{ ... }: { ... }:
{ {
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [{
{ job_name = "gitea";
job_name = "gitea"; scrape_interval = "60s";
scrape_interval = "60s"; scheme = "https";
scheme = "https";
static_configs = [ static_configs = [
{ {
targets = [ targets = [
"git.pvv.ntnu.no:443" "git.pvv.ntnu.no:443"
]; ];
} }
]; ];
} }];
];
} }

116
hosts/ildkule/services/monitoring/prometheus/machines.nix
View File

@@ -1,5 +1,4 @@
{ config, ... }: { config, ... }: let
let
cfg = config.services.prometheus; cfg = config.services.prometheus;
mkHostScrapeConfig = name: ports: { mkHostScrapeConfig = name: ports: {
@@ -10,98 +9,29 @@ let
defaultNodeExporterPort = 9100; defaultNodeExporterPort = 9100;
defaultSystemdExporterPort = 9101; defaultSystemdExporterPort = 9101;
defaultNixosExporterPort = 9102; defaultNixosExporterPort = 9102;
in in {
{ services.prometheus.scrapeConfigs = [{
services.prometheus.scrapeConfigs = [ job_name = "base_info";
{ static_configs = [
job_name = "base_info"; (mkHostScrapeConfig "ildkule" [ cfg.exporters.node.port cfg.exporters.systemd.port defaultNixosExporterPort ])
static_configs = [
(mkHostScrapeConfig "ildkule" [
cfg.exporters.node.port
cfg.exporters.systemd.port
defaultNixosExporterPort
])
(mkHostScrapeConfig "bekkalokk" [ (mkHostScrapeConfig "bekkalokk" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
defaultNodeExporterPort (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
defaultSystemdExporterPort (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
defaultNixosExporterPort (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
]) (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "bicep" [ (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
defaultNodeExporterPort (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "brzeczyszczykiewicz" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "georg" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "gluttony" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "kommode" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "lupine-1" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "lupine-2" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "lupine-3" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "lupine-4" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "lupine-5" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "temmie" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "ustetind" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "wenche" [
defaultNodeExporterPort
defaultSystemdExporterPort
defaultNixosExporterPort
])
(mkHostScrapeConfig "skrott" [ (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
defaultNodeExporterPort # (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort ])
defaultSystemdExporterPort (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
]) (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
(mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ]) (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ]) (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
(mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ]) (mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
]; ];
} }];
];
} }

74
hosts/ildkule/services/monitoring/prometheus/matrix-synapse.nix
View File

@@ -1,44 +1,40 @@
{ ... }: { ... }:
{ {
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [{
{ job_name = "synapse";
job_name = "synapse"; scrape_interval = "15s";
scrape_interval = "15s"; scheme = "https";
scheme = "https";
http_sd_configs = [ http_sd_configs = [{
{ url = "https://matrix.pvv.ntnu.no/metrics/config.json";
url = "https://matrix.pvv.ntnu.no/metrics/config.json"; }];
}
];
relabel_configs = [ relabel_configs = [
{ {
source_labels = [ "__address__" ]; source_labels = [ "__address__" ];
regex = "[^/]+(/.*)"; regex = "[^/]+(/.*)";
target_label = "__metrics_path__"; target_label = "__metrics_path__";
} }
{ {
source_labels = [ "__address__" ]; source_labels = [ "__address__" ];
regex = "([^/]+)/.*"; regex = "([^/]+)/.*";
target_label = "instance"; target_label = "instance";
} }
{ {
source_labels = [ "__address__" ]; source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/(.*)/\\d+$"; regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
target_label = "job"; target_label = "job";
} }
{ {
source_labels = [ "__address__" ]; source_labels = [ "__address__" ];
regex = "[^/]+\\/+[^/]+/.*/(\\d+)$"; regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
target_label = "index"; target_label = "index";
} }
{ {
source_labels = [ "__address__" ]; source_labels = [ "__address__" ];
regex = "([^/]+)/.*"; regex = "([^/]+)/.*";
target_label = "__address__"; target_label = "__address__";
} }
]; ];
} }];
];
} }

52
hosts/ildkule/services/monitoring/prometheus/mysqld.nix
View File

@@ -1,42 +1,36 @@
{ config, ... }: { config, ... }: let
let
cfg = config.services.prometheus; cfg = config.services.prometheus;
in in {
{
sops = { sops = {
secrets."config/mysqld_exporter_password" = { }; secrets."config/mysqld_exporter_password" = { };
templates."mysqld_exporter.conf" = { templates."mysqld_exporter.conf" = {
restartUnits = [ "prometheus-mysqld-exporter.service" ]; restartUnits = [ "prometheus-mysqld-exporter.service" ];
content = content = let
let inherit (config.sops) placeholder;
inherit (config.sops) placeholder; in ''
in [client]
'' host = mysql.pvv.ntnu.no
[client] port = 3306
host = mysql.pvv.ntnu.no user = prometheus_mysqld_exporter
port = 3306 password = ${placeholder."config/mysqld_exporter_password"}
user = prometheus_mysqld_exporter '';
password = ${placeholder."config/mysqld_exporter_password"}
'';
}; };
}; };
services.prometheus = { services.prometheus = {
scrapeConfigs = [ scrapeConfigs = [{
{ job_name = "mysql";
job_name = "mysql"; scheme = "http";
scheme = "http"; metrics_path = cfg.exporters.mysqld.telemetryPath;
metrics_path = cfg.exporters.mysqld.telemetryPath; static_configs = [
static_configs = [ {
{ targets = [
targets = [ "localhost:${toString cfg.exporters.mysqld.port}"
"localhost:${toString cfg.exporters.mysqld.port}" ];
]; }
} ];
]; }];
}
];
exporters.mysqld = { exporters.mysqld = {
enable = true; enable = true;

52
hosts/ildkule/services/monitoring/prometheus/postgres.nix
View File

@@ -1,17 +1,9 @@
{ { pkgs, lib, config, values, ... }: let
pkgs,
lib,
config,
values,
...
}:
let
cfg = config.services.prometheus; cfg = config.services.prometheus;
in in {
{
sops.secrets = { sops.secrets = {
"keys/postgres/postgres_exporter_env" = { }; "keys/postgres/postgres_exporter_env" = {};
"keys/postgres/postgres_exporter_knakelibrak_env" = { }; "keys/postgres/postgres_exporter_knakelibrak_env" = {};
}; };
services.prometheus = { services.prometheus = {
@@ -19,26 +11,22 @@ in
{ {
job_name = "postgres"; job_name = "postgres";
scrape_interval = "15s"; scrape_interval = "15s";
static_configs = [ static_configs = [{
{ targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
targets = [ "localhost:${toString cfg.exporters.postgres.port}" ]; labels = {
labels = { server = "bicep";
server = "bicep"; };
}; }];
}
];
} }
{ {
job_name = "postgres-knakelibrak"; job_name = "postgres-knakelibrak";
scrape_interval = "15s"; scrape_interval = "15s";
static_configs = [ static_configs = [{
{ targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ]; labels = {
labels = { server = "knakelibrak";
server = "knakelibrak"; };
}; }];
}
];
} }
]; ];
@@ -49,11 +37,9 @@ in
}; };
}; };
systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let
let localCfg = config.services.prometheus.exporters.postgres;
localCfg = config.services.prometheus.exporters.postgres; in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
in
lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path; EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path;
ExecStart = '' ExecStart = ''
${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \ ${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \

10
hosts/ildkule/services/monitoring/uptime-kuma.nix
View File

@@ -1,15 +1,9 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
cfg = config.services.uptime-kuma; cfg = config.services.uptime-kuma;
domain = "status.pvv.ntnu.no"; domain = "status.pvv.ntnu.no";
stateDir = "/data/monitoring/uptime-kuma"; stateDir = "/data/monitoring/uptime-kuma";
in in {
{
services.uptime-kuma = { services.uptime-kuma = {
enable = true; enable = true;
settings = { settings = {

13
hosts/kommode/configuration.nix
View File

@@ -1,15 +1,9 @@
{ { pkgs, values, fp, ... }:
pkgs,
values,
fp,
...
}:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
./disks.nix
./services/gitea ./services/gitea
./services/nginx.nix ./services/nginx.nix
@@ -17,10 +11,7 @@
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18"; matchConfig.Name = "ens18";
address = with values.hosts.kommode; [ address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
(ipv4 + "/25")
(ipv6 + "/64")
];
}; };
services.btrfs.autoScrub.enable = true; services.btrfs.autoScrub.enable = true;

80
hosts/kommode/disks.nix
View File

@@ -1,80 +0,0 @@
{ lib, ... }:
{
disko.devices = {
disk = {
sda = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
root = {
name = "root";
label = "root";
start = "1MiB";
end = "-5G";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
# subvolumes = let
# makeSnapshottable = subvolPath: mountOptions: let
# name = lib.replaceString "/" "-" subvolPath;
# in {
# "@${name}/active" = {
# mountpoint = subvolPath;
# inherit mountOptions;
# };
# "@${name}/snapshots" = {
# mountpoint = "${subvolPath}/.snapshots";
# inherit mountOptions;
# };
# };
# in {
# "@" = { };
# "@/swap" = {
# mountpoint = "/.swapvol";
# swap.swapfile.size = "4G";
# };
# "@/root" = {
# mountpoint = "/";
# mountOptions = [ "compress=zstd" "noatime" ];
# };
# }
# // (makeSnapshottable "/home" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/nix" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/var/lib" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/var/log" [ "compress=zstd" "noatime" ])
# // (makeSnapshottable "/var/cache" [ "compress=zstd" "noatime" ]);
# swap.swapfile.size = "4G";
mountpoint = "/";
};
};
swap = {
name = "swap";
label = "swap";
start = "-5G";
end = "-1G";
content.type = "swap";
};
ESP = {
name = "ESP";
label = "ESP";
start = "-1G";
end = "100%";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
};
};
};
};
};
}

38
hosts/kommode/hardware-configuration.nix
View File

@@ -1,31 +1,33 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/profiles/qemu-guest.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/86CD-4C23";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction

145
hosts/kommode/services/gitea/customization/default.nix
View File

@@ -1,10 +1,4 @@
{ { config, pkgs, lib, fp, ... }:
config,
pkgs,
lib,
fp,
...
}:
let let
cfg = config.services.gitea; cfg = config.services.gitea;
in in
@@ -16,117 +10,54 @@ in
catppuccin = pkgs.gitea-theme-catppuccin; catppuccin = pkgs.gitea-theme-catppuccin;
}; };
services.gitea.settings = {
ui = {
DEFAULT_THEME = "gitea-auto";
REACTIONS = lib.concatStringsSep "," [
"+1"
"-1"
"laugh"
"confused"
"heart"
"hooray"
"rocket"
"eyes"
"100"
"anger"
"astonished"
"no_good"
"ok_hand"
"pensive"
"pizza"
"point_up"
"sob"
"skull"
"upside_down_face"
"shrug"
"huh"
"bruh"
"okiedokie"
"grr"
];
CUSTOM_EMOJIS = lib.concatStringsSep "," [
"bruh"
"grr"
"huh"
"ohyeah"
];
};
"ui.meta" = {
AUTHOR = "Programvareverkstedet";
DESCRIPTION = "Bokstavelig talt programvareverkstedet";
KEYWORDS = lib.concatStringsSep "," [
"git"
"hackerspace"
"nix"
"open source"
"foss"
"organization"
"software"
"student"
];
};
};
systemd.services.gitea-customization = lib.mkIf cfg.enable { systemd.services.gitea-customization = lib.mkIf cfg.enable {
description = "Install extra customization in gitea's CUSTOM_DIR"; description = "Install extra customization in gitea's CUSTOM_DIR";
wantedBy = [ "gitea.service" ]; wantedBy = [ "gitea.service" ];
requiredBy = [ "gitea.service" ]; requiredBy = [ "gitea.service" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
}; };
script = script = let
let logo-svg = fp /assets/logo_blue_regular.svg;
logo-svg = fp /assets/logo_blue_regular.svg; logo-png = fp /assets/logo_blue_regular.png;
logo-png = fp /assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" '' extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a> <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
'';
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
labels = lib.importJSON ./labels/projects.json;
};
customTemplates =
pkgs.runCommandLocal "gitea-templates"
{
nativeBuildInputs = with pkgs; [
coreutils
gnused
];
}
''
# Bigger icons
install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
'';
in
''
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
''; '';
extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
'';
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
labels = lib.importJSON ./labels/projects.json;
};
customTemplates = pkgs.runCommandLocal "gitea-templates" {
nativeBuildInputs = with pkgs; [
coreutils
gnused
];
} ''
# Bigger icons
install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
'';
in ''
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
'';
}; };
} }

BIN
hosts/kommode/services/gitea/customization/emotes/bruh.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 7.3 KiB

BIN
hosts/kommode/services/gitea/customization/emotes/grr.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 28 KiB

BIN
hosts/kommode/services/gitea/customization/emotes/huh.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 206 KiB

BIN
hosts/kommode/services/gitea/customization/emotes/okiedokie.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 145 KiB

163
hosts/kommode/services/gitea/default.nix
View File

@@ -1,17 +1,9 @@
{ { config, values, lib, pkgs, unstablePkgs, ... }:
config,
values,
lib,
pkgs,
unstablePkgs,
...
}:
let let
cfg = config.services.gitea; cfg = config.services.gitea;
domain = "git.pvv.ntnu.no"; domain = "git.pvv.ntnu.no";
sshPort = 2222; sshPort = 2222;
in in {
{
imports = [ imports = [
./customization ./customization
./gpg.nix ./gpg.nix
@@ -19,21 +11,19 @@ in
./web-secret-provider ./web-secret-provider
]; ];
sops.secrets = sops.secrets = let
let defaultConfig = {
defaultConfig = { owner = "gitea";
owner = "gitea"; group = "gitea";
group = "gitea"; restartUnits = [ "gitea.service" ];
restartUnits = [ "gitea.service" ];
};
in
{
"gitea/database" = defaultConfig;
"gitea/email-password" = defaultConfig;
"gitea/lfs-jwt-secret" = defaultConfig;
"gitea/oauth2-jwt-secret" = defaultConfig;
"gitea/secret-key" = defaultConfig;
}; };
in {
"gitea/database" = defaultConfig;
"gitea/email-password" = defaultConfig;
"gitea/lfs-jwt-secret" = defaultConfig;
"gitea/oauth2-jwt-secret" = defaultConfig;
"gitea/secret-key" = defaultConfig;
};
services.gitea = { services.gitea = {
enable = true; enable = true;
@@ -54,7 +44,7 @@ in
# https://docs.gitea.com/administration/config-cheat-sheet # https://docs.gitea.com/administration/config-cheat-sheet
settings = { settings = {
server = { server = {
DOMAIN = domain; DOMAIN = domain;
ROOT_URL = "https://${domain}/"; ROOT_URL = "https://${domain}/";
PROTOCOL = "http+unix"; PROTOCOL = "http+unix";
SSH_PORT = sshPort; SSH_PORT = sshPort;
@@ -93,24 +83,11 @@ in
AUTO_WATCH_NEW_REPOS = false; AUTO_WATCH_NEW_REPOS = false;
}; };
admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention"; admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
session.COOKIE_SECURE = true;
security = { security = {
SECRET_KEY = lib.mkForce ""; SECRET_KEY = lib.mkForce "";
SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}"; SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
}; };
cache = {
ADAPTER = "redis";
HOST = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=0";
ITEM_TTL = "72h";
};
session = {
COOKIE_SECURE = true;
PROVIDER = "redis";
PROVIDER_CONFIG = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=1";
};
queue = {
TYPE = "redis";
CONN_STR = "redis+socket://${config.services.redis.servers.gitea.unixSocket}?db=2";
};
database.LOG_SQL = false; database.LOG_SQL = false;
repository = { repository = {
PREFERRED_LICENSES = lib.concatStringsSep "," [ PREFERRED_LICENSES = lib.concatStringsSep "," [
@@ -151,6 +128,31 @@ in
AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2; AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
}; };
actions.ENABLED = true; actions.ENABLED = true;
ui = {
REACTIONS = lib.concatStringsSep "," [
"+1"
"-1"
"laugh"
"confused"
"heart"
"hooray"
"rocket"
"eyes"
"100"
"anger"
"astonished"
"no_good"
"ok_hand"
"pensive"
"pizza"
"point_up"
"sob"
"skull"
"upside_down_face"
"shrug"
];
};
"ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
}; };
dump = { dump = {
@@ -162,26 +164,12 @@ in
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
systemd.services.gitea = lib.mkIf cfg.enable { systemd.services.gitea.serviceConfig.CPUSchedulingPolicy = "batch";
wants = [ "redis-gitea.service" ];
after = [ "redis-gitea.service" ];
serviceConfig = { systemd.services.gitea.serviceConfig.CacheDirectory = "gitea/repo-archive";
CPUSchedulingPolicy = "batch"; systemd.services.gitea.serviceConfig.BindPaths = [
CacheDirectory = "gitea/repo-archive"; "%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
BindPaths = [ ];
"%C/gitea/repo-archive:${cfg.stateDir}/data/repo-archive"
];
};
};
services.redis.servers.gitea = lib.mkIf cfg.enable {
enable = true;
user = config.services.gitea.user;
save = [ ];
openFirewall = false;
port = 5698;
};
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
forceSSL = true; forceSSL = true;
@@ -207,51 +195,30 @@ in
networking.firewall.allowedTCPPorts = [ sshPort ]; networking.firewall.allowedTCPPorts = [ sshPort ];
services.rsync-pull-targets = {
enable = true;
locations.${cfg.dump.backupDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpMVrOppyqYaDiAhqmAuOaRsubFvcQGBGyz+NHB6+0o gitea rsync backup";
};
};
systemd.services.gitea-dump = { systemd.services.gitea-dump = {
serviceConfig.ExecStart = serviceConfig.ExecStart = let
let args = lib.cli.toGNUCommandLineShell { } {
args = lib.cli.toGNUCommandLineShell { } { type = cfg.dump.type;
type = cfg.dump.type;
# This should be declarative on nixos, no need to backup. # This should be declarative on nixos, no need to backup.
skip-custom-dir = true; skip-custom-dir = true;
# This can be regenerated, no need to backup # This can be regenerated, no need to backup
skip-index = true; skip-index = true;
# Logs are stored in the systemd journal # Logs are stored in the systemd journal
skip-log = true; skip-log = true;
}; };
in in lib.mkForce "${lib.getExe cfg.package} ${args}";
lib.mkForce "${lib.getExe cfg.package} ${args}";
# Only keep n backup files at a time # Only keep n backup files at a time
postStop = postStop = let
let cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
cu = prog: "'${lib.getExe' pkgs.coreutils prog}'"; backupCount = 3;
backupCount = 3; in ''
in for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
'' ${cu "rm"} "$file"
for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do done
${cu "rm"} "$file"
done
''; '';
}; };
} }

Some files were not shown because too many files have changed in this diff Show More