From 7e71728dc2b1b06d5533a446ffef63fed58e950e Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Fri, 13 Jun 2025 10:46:54 +0200
Subject: [PATCH 01/14] feat(build01): Upgrade to nixos-25.05
---
 meta/nodes/nixos.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix
index 0f2d115..1f6715d 100644
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@@ -76,7 +76,7 @@
 stateVersion = "24.11";
 nixpkgs = {
- version = "24.11";
+ version = "25.05";
 system = "nixos";
 };
-- 
2.47.2
From b8252d6a28c8d306e3678136cede98ee4454c7e3 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Fri, 13 Jun 2025 10:48:35 +0200
Subject: [PATCH 02/14] feat(geo*): Upgrade to nixos-25.05
---
 meta/nodes/nixos.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix
index 1f6715d..3a2e7a0 100644
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@@ -139,7 +139,7 @@
 stateVersion = "24.05";
 nixpkgs = {
- version = "24.11";
+ version = "25.05";
 system = "nixos";
 };
 };
@@ -157,7 +157,7 @@
 stateVersion = "24.05";
 nixpkgs = {
- version = "24.11";
+ version = "25.05";
 system = "nixos";
 };
 };
-- 
2.47.2
From e45a61c926f05bb558c8e3dfee3e9fc3dc919c0b Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Fri, 13 Jun 2025 10:49:15 +0200
Subject: [PATCH 03/14] fix(dgn-hardware): Don't pin zfs package
We don't use advanced functionnalities anyway
---
 modules/nixos/dgn-hardware.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/modules/nixos/dgn-hardware.nix b/modules/nixos/dgn-hardware.nix
index 1795ec4..75b09da 100644
--- a/modules/nixos/dgn-hardware.nix
+++ b/modules/nixos/dgn-hardware.nix
@@ -91,7 +91,6 @@ in
 zfs = {
 forceImportRoot = false;
 extraPools = cfg.zfsPools;
- package = pkgs.zfs_2_1;
 };
 };
 })
-- 
2.47.2
From d8ef6ad81d965c2f30351e2638a1dc71b747c047 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Fri, 13 Jun 2025 10:51:22 +0200
Subject: [PATCH 04/14] feat(hypervisor*): Upgrade to nixos-25.05
---
 meta/nodes/nixos.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix
index 3a2e7a0..29b0fd2 100644
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@@ -170,7 +170,7 @@
 stateVersion = "24.11";
 nixpkgs = {
- version = "24.11";
+ version = "25.05";
 system = "nixos";
 };
@@ -191,7 +191,7 @@
 stateVersion = "24.11";
 nixpkgs = {
- version = "24.11";
+ version = "25.05";
 system = "nixos";
 };
@@ -214,7 +214,7 @@
 sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI" ];
 nixpkgs = {
- version = "24.11";
+ version = "25.05";
 system = "nixos";
 };
-- 
2.47.2
From 3ed436291fff077e8c90d41ce149e43a7052ce4a Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Fri, 13 Jun 2025 10:52:31 +0200
Subject: [PATCH 05/14] feat(rescue01): Upgrade to nixos-25.05
---
 meta/nodes/nixos.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix
index 29b0fd2..ced69e8 100644
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@@ -270,7 +270,7 @@
 vm-cluster = "Hyperviseur Luj";
 nixpkgs = {
- version = "24.11";
+ version = "25.05";
 system = "nixos";
 };
-- 
2.47.2
From c37e1fa300718444e151c985e49102d766efaea1 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Fri, 13 Jun 2025 10:55:32 +0200
Subject: [PATCH 06/14] feat(tower01): Upgrade to nixos-25.05
---
 meta/nodes/nixos.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix
index ced69e8..749f328 100644
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@@ -313,7 +313,7 @@
 deployment.targetHost = "tower01.dgnum";
 nixpkgs = {
- version = "24.11";
+ version = "25.05";
 system = "nixos";
 };
-- 
2.47.2
From 9792608742ed83fa0c003bb24bd1114075852835 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Fri, 13 Jun 2025 11:02:54 +0200
Subject: [PATCH 07/14] feat(web02): Upgrade to nixos-25.05
---
 meta/nodes/nixos.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix
index 749f328..2cabcfc 100644
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@@ -367,7 +367,7 @@
 vm-cluster = "Hyperviseur NPS";
 nixpkgs = {
- version = "24.11";
+ version = "25.05";
 system = "nixos";
 };
 };
-- 
2.47.2
From 8f0608cfb57a46c4942195cb5a8478f2a039816f Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Fri, 13 Jun 2025 11:06:52 +0200
Subject: [PATCH 08/14] feat(web03): Upgrade to nixos-25.05
---
 machines/nixos/web03/django-apps/wikiens.nix | 1 -
 meta/nodes/nixos.nix | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/machines/nixos/web03/django-apps/wikiens.nix b/machines/nixos/web03/django-apps/wikiens.nix
index fd5cb9e..301a3a1 100644
--- a/machines/nixos/web03/django-apps/wikiens.nix
+++ b/machines/nixos/web03/django-apps/wikiens.nix
@@ -19,7 +19,6 @@ overlays.nix-pkgs = [
 # Required packages
- "django-allauth"
 "django-allauth-ens"
 "django-wiki"
 "loadcredential"
diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix
index 2cabcfc..8f99486 100644
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@@ -383,7 +383,7 @@
 vm-cluster = "Hyperviseur NPS";
 nixpkgs = {
- version = "24.11";
+ version = "25.05";
 system = "nixos";
 };
-- 
2.47.2
From 4bcd1c1adbc74a62bef358d275ce1d799e93146a Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Fri, 13 Jun 2025 11:12:25 +0200
Subject: [PATCH 09/14] feat(web01): Upgrade to nixos-25.05
---
 machines/nixos/web01/netbox.nix | 2 +-
 meta/nodes/nixos.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/machines/nixos/web01/netbox.nix b/machines/nixos/web01/netbox.nix
index 7f0f54c..e7534cd 100644
--- a/machines/nixos/web01/netbox.nix
+++ b/machines/nixos/web01/netbox.nix
@@ -17,7 +17,7 @@ in
 services = {
 netbox = {
 enable = true;
- package = pkgs.netbox_4_1;
+ package = pkgs.netbox_4_2;
 secretKeyFile = "/dev/null";
 listenAddress = "127.0.0.1";
 plugins = p: [ p.netbox-qrcode ];
diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix
index 8f99486..2649cfe 100644
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@@ -351,7 +351,7 @@
 vm-cluster = "Hyperviseur NPS";
 nixpkgs = {
- version = "24.11";
+ version = "25.05";
 system = "nixos";
 };
 };
-- 
2.47.2
From 913507029237595f34e2a4bfab7c1cd7dde4e7d0 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Fri, 13 Jun 2025 11:22:27 +0200
Subject: [PATCH 10/14] feat(compute01): Upgrade to nixos-25.05
- Removed `adminUser` configuration from plausible as it no longer exists upstream
- Removed `signald` as it no longer exists upstream
---
 machines/nixos/compute01/_configuration.nix | 1 -
 machines/nixos/compute01/plausible.nix | 7 -------
 .../secrets/plausible-admin_user_password_file | Bin 1436 -> 0 bytes
 machines/nixos/compute01/secrets/secrets.nix | 1 -
 machines/nixos/compute01/signald.nix | 13 -------------
 meta/nodes/nixos.nix | 2 +-
 6 files changed, 1 insertion(+), 23 deletions(-)
 delete mode 100644 machines/nixos/compute01/secrets/plausible-admin_user_password_file
 delete mode 100644 machines/nixos/compute01/signald.nix
diff --git a/machines/nixos/compute01/_configuration.nix b/machines/nixos/compute01/_configuration.nix
index 7e45eea..65f402a 100644
--- a/machines/nixos/compute01/_configuration.nix
+++ b/machines/nixos/compute01/_configuration.nix
@@ -38,7 +38,6 @@ lib.extra.mkConfig {
 "rstudio-server"
 # "satosa"
 "signal-irc-bridge"
- "signald"
 "stirling-pdf"
 "takumi"
 "telegraf"
diff --git a/machines/nixos/compute01/plausible.nix b/machines/nixos/compute01/plausible.nix
index ebd52fd..0aaf8b0 100644
--- a/machines/nixos/compute01/plausible.nix
+++ b/machines/nixos/compute01/plausible.nix
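Review bot: The bumped `package = pkgs.netbox_4_2;` sits directly above `secretKeyFile = "/dev/null";`, and nothing in this hunk shows where the real Django SECRET_KEY comes from; if the module reads that file at startup, the key is empty unless another mechanism (an environment or extra settings file not visible here) supplies it, so that path should be confirmed to still hold on the 4.2 module and documented next to the line, e.g. `# SECRET_KEY is injected via <placeholder: secrets source>; /dev/null only satisfies the module option`. A NetBox minor-version upgrade applies database migrations on first start that are not trivially reversible, so a database backup of web01 before deploying this commit is advisable. The enclosing `services.netbox` block continues outside the hunk.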
@@ -33,13 +33,6 @@ in secretKeybaseFile = config.age.secrets."plausible-secret_key_base_file".path; }; - - adminUser = { - passwordFile = config.age.secrets."plausible-admin_user_password_file".path; - email = "tom.hubrecht@dgnum.eu"; - name = "thubrecht"; - activate = true; - }; }; dgn-web.simpleProxies.plausible = { diff --git a/machines/nixos/compute01/secrets/plausible-admin_user_password_file b/machines/nixos/compute01/secrets/plausible-admin_user_password_file deleted file mode 100644 index 40068d46a24702f041173f7ff351bb93a2d37be6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1436 zcmZA1Ij^h)00m%c61T#BYVkg{VSwf(!#3b`T$V-YaEQ^=HckZjR0vS(o@NL9_xVEaF`y z#Fm;dEh_cq{Fpt{L2)YbgO{3FSu|zt5Y?2Hs@t>s2ZF%(97X13b+j7X#3Nls0smmT zWoWkCFM(rMx$e;+1UZhoR-$RMi4+o@z;&XnKJ_alabQbs^fiB}^la=VB@vwyRY#?p)7%`GwB_Xp+KdZyB6K?G#wIU32wJr?n3q$oPK`;1Htz*2 z$on!~NynD>KU+UUyR!Ef#RNROJSDUWiWetEt8r$p9iFp}V0Knt3DrhQSm7tb!D$vE zHw1hbI3q;SLqS*5MG^&I-=6!Vxq3dO&rp2c7MxiLrQwy3G0b(}*M{Q2naiUWR>0P4 zOclDqH=1=sxwIfj0zkNEQuWi3n!xKMO~$ZUtv&>Hdve1P;(T7b@+1R=JaY>TK4i50 zvClQQbyE9uqO2SU(jluBYVZTIJ63zF6HIV*tGVm?B75L$zCmYZ@5(sI9X9kB#TN`s zE?3E~P`UK50w76qO%r%QYb0XB0z@;Z2w{>7=B!U_I+dkSV}z;PhX_h~s>_oI#E2z4 zq)1F>y#i=A!#J!LQKDlF4P>Pa&`vX7b_-3jnV35xW00_73*yXlhsa|h8@E{}Bbaz8 zGLccHr7}yT@pV@PD2^|4aZm+RCZ)3zGePWvWCc0?6#0q<*J2&Dq+xEh_)>!{ig;eh z{bt0xljhL_FHWvG3f^UH)H^S#l%Z(!!Y9c2gbZ_!1ps5Vf#(wT8sgL=)1A9|<}=I| zr)zf_ZuLTnOO=ghXBp?0nsizSE#I~EzF>{DW{%lKwX!PLrApJX@yIY!3-#XfXy7Gi zYGW&bGT=r|H>x`l_|_zEOC5c zrBM{}qpTS>@6pL}%l^_}DsV%tu&Q-s8%y>|)5WL;D<2PGA>0p-QV&aB z-A?5;^_BWk8`(~>@|{j(T1xhGGtlW!+^;yydYOsG3_ZeXBx1H{3J}YCx1t1iY&%@- zI6 -# -# SPDX-License-Identifier: EUPL-1.2 - -{ pkgs, ... }: -{ - # Ask Ryan for administration - # as he's using one of his N phone numbers for the registration. - services.signald = { - enable = true; - }; - environment.systemPackages = [ pkgs.signaldctl ]; -} diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix index 2649cfe..6613ebd 100644 
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@@ -121,7 +121,7 @@
 ];
 nixpkgs = {
- version = "24.11";
+ version = "25.05";
 system = "nixos";
 };
 };
-- 
2.47.2
From c255e08761ada2b77df5ae5aa9a3414490a89de6 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Fri, 13 Jun 2025 11:26:26 +0200
Subject: [PATCH 11/14] feat(storage01): Upgrade to nixos-25.05
---
 meta/nodes/nixos.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix
index 6613ebd..983424f 100644
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@@ -289,7 +289,7 @@
 stateVersion = "23.11";
 nixpkgs = {
- version = "24.11";
+ version = "25.05";
 system = "nixos";
 };
-- 
2.47.2
From 753071c9a162165eb2fff477e1c9e61c1d58e2a4 Mon Sep 17 00:00:00 2001
From: catvayor
Date: Fri, 13 Jun 2025 12:36:48 +0200
Subject: [PATCH 12/14] fix(patches/kanidm-provision): feature has been upstreamed
---
 machines/nixos/compute01/kanidm/default.nix | 2 +-
 patches/default.nix | 4 -
 .../07-25.05-kanidm-groups-module.patch | 51 ---------
 .../nixpkgs/08-25.05-kanidm-groups-pkgs.patch | 104 ------------------
 4 files changed, 1 insertion(+), 160 deletions(-)
 delete mode 100644 patches/nixpkgs/07-25.05-kanidm-groups-module.patch
 delete mode 100644 patches/nixpkgs/08-25.05-kanidm-groups-pkgs.patch
diff --git a/machines/nixos/compute01/kanidm/default.nix b/machines/nixos/compute01/kanidm/default.nix
index 2ecdb99..eb6057b 100644
--- a/machines/nixos/compute01/kanidm/default.nix
+++ b/machines/nixos/compute01/kanidm/default.nix
@@ -83,7 +83,7 @@ in
 groups = {
 grp_active.members = catAttrs "username" (attrValues meta.organization.members);
- grp-ext_cri.memberless = true;
+ grp-ext_cri.overwriteMembers = false;
 } // (mapAttrs' (
 name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
diff --git a/patches/default.nix b/patches/default.nix
index 326daa0..b6a3e2c 100644
--- a/patches/default.nix
+++ b/patches/default.nix
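Review bot: `grp-ext_cri.overwriteMembers = false;` carries no comment saying why this one group is exempt from declarative membership, which was the whole point of the local `memberless` option it replaces; suggest `# Membership of this group is maintained by hand in Kanidm; the provisioner must never reset it.` above the line. The local patch being dropped in this commit also asserted that such a group declares no `members`; the upstream option presumably has no such guard, so a person later listing `grp-ext_cri` in its `groups` would likely be ignored silently rather than rejected at evaluation, which is worth a sentence in that comment too. After the first deploy on 25.05 it is worth checking that the group's existing members survived provisioning, since the semantics of the new flag are inferred rather than shown here. The `groups` attrset continues outside the hunk.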
@@ -26,10 +26,6 @@ with { # pretalx env file option (local ./nixpkgs/01-pretalx-environment-file.patch) - - # Kanidm memberless groups provisionning - (local ./nixpkgs/07-25.05-kanidm-groups-module.patch) - (local ./nixpkgs/08-25.05-kanidm-groups-pkgs.patch) ]; "nixos-24.11" = [ diff --git a/patches/nixpkgs/07-25.05-kanidm-groups-module.patch b/patches/nixpkgs/07-25.05-kanidm-groups-module.patch deleted file mode 100644 index aa55ef2..0000000 --- a/patches/nixpkgs/07-25.05-kanidm-groups-module.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix -index ab85eed34eea..48722af7332a 100644 ---- a/nixos/modules/services/security/kanidm.nix -+++ b/nixos/modules/services/security/kanidm.nix -@@ -140,6 +140,9 @@ let - - filterPresent = filterAttrs (_: v: v.present); - -+ filterMemberless = filterAttrs (_: v: v.present && v.memberless); -+ filterMemberful = filterAttrs (_: v: v.present && !v.memberless); -+ - provisionStateJson = pkgs.writeText "provision-state.json" ( - builtins.toJSON { inherit (cfg.provision) groups persons systems; } - ); -@@ -465,6 +468,12 @@ in - apply = unique; - default = [ ]; - }; -+ -+ memberless = mkOption { -+ description = "Whether this group is considered memberless, i.e. the list of members is managed imperatively."; -+ type = types.bool; -+ default = false; -+ }; - }; - config.members = concatLists ( - flip mapAttrsToList cfg.provision.persons ( -@@ -791,12 +800,22 @@ in - person: personCfg: - assertGroupsKnown "services.kanidm.provision.persons.${person}.groups" personCfg.groups - )) - ++ (optionals (cfg.provision.extraJsonFile == null) ( -- flip mapAttrsToList (filterPresent cfg.provision.groups) ( -+ flip mapAttrsToList (filterMemberful cfg.provision.groups) ( - group: groupCfg: - assertEntitiesKnown "services.kanidm.provision.groups.${group}.members" groupCfg.members - ) - )) -+ ++ (optionals (cfg.provision.extraJsonFile == null) ( -+ flip lib.mapAttrsToList (filterMemberless cfg.provision.groups) ( -+ group: groupCfg: { -+ assertion = cfg.provision.enable -> groupCfg.members == [ ]; -+ message = '' -+ services.kanidm.groups.${group} is declared as memberless but contains members: ${toString groupCfg.members} -+ ''; -+ } -+ ) -+ )) - ++ concatLists ( - flip mapAttrsToList (filterPresent cfg.provision.systems.oauth2) ( - oauth2: oauth2Cfg: 
diff --git a/patches/nixpkgs/08-25.05-kanidm-groups-pkgs.patch b/patches/nixpkgs/08-25.05-kanidm-groups-pkgs.patch deleted file mode 100644 index 1938927..0000000 --- a/patches/nixpkgs/08-25.05-kanidm-groups-pkgs.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -diff --git a/pkgs/by-name/ka/kanidm-provision/01-memberless.patch b/pkgs/by-name/ka/kanidm-provision/01-memberless.patch -new file mode 100644 -index 000000000000..b501a3f16828 ---- /dev/null -+++ b/pkgs/by-name/ka/kanidm-provision/01-memberless.patch -@@ -0,0 +1,85 @@ -+From ab3fa7d59b76658ba98ccf50c2910329896dab6f Mon Sep 17 00:00:00 2001 -+From: Tom Hubrecht -+Date: Tue, 4 Feb 2025 14:32:43 +0100 -+Subject: [PATCH] feat: Allow declaring memberless groups -+ -+When a group is "memberless", then the list of members is left intact, -+which allows managing it imperatively. -+--- -+ src/main.rs | 2 +- -+ src/state.rs | 2 ++ -+ tests/kanidm.nix | 18 +++++++++++++++++- -+ 3 files changed, 20 insertions(+), 2 deletions(-) -+ -+diff --git a/src/main.rs b/src/main.rs -+index 206a86a..6e48f59 100644 -+--- a/src/main.rs -++++ b/src/main.rs -+@@ -406,7 +406,7 @@ fn main() -> Result<()> { -+ // Sync group members -+ log_status("Syncing group members"); -+ for (name, group) in &state.groups { -+- if group.present { -++ if group.present && !group.memberless { -+ update_attrs!(kanidm_client, ENDPOINT_GROUP, &existing_groups, &name, [ -+ "member": group.members.clone(), -+ ]); -+diff --git a/src/state.rs b/src/state.rs -+index 206c6f4..a8bfba2 100644 -+--- a/src/state.rs -++++ b/src/state.rs -+@@ -10,6 +10,8 @@ pub struct Group { -+ #[serde(default = "default_true")] -+ pub present: bool, -+ pub members: Vec, -++ #[serde(default = "default_false")] -++ pub memberless: bool, -+ } -+ -+ #[derive(Debug, Deserialize)] -+diff --git a/tests/kanidm.nix b/tests/kanidm.nix -+index a28beae..cb20257 100644 -+--- a/tests/kanidm.nix -++++ b/tests/kanidm.nix -+@@ -91,6 +91,8 @@ let -+ }; -+ -+ filterPresent = lib.filterAttrs (_: v: v.present); -++ filterMemberless = lib.filterAttrs (_: v: v.present && v.memberless); -++ filterMemberful = lib.filterAttrs (_: v: v.present && !v.memberless); -+ -+ provisionStateJson = pkgs.writeText "provision-state.json" ( -+ builtins.toJSON { 
inherit (cfg.provision) groups persons systems; } -+@@ -391,6 +393,12 @@ in -+ apply = lib.unique; -+ default = [ ]; -+ }; -++ -++ memberless = lib.mkOption { -++ description = "Whether this group is considered memberless, i.e. the list of members is managed imperatively."; -++ type = lib.types.bool; -++ default = false; -++ }; -+ }; -+ config.members = lib.concatLists ( -+ lib.flip lib.mapAttrsToList cfg.provision.persons ( -+@@ -708,10 +716,18 @@ in -+ person: personCfg: -+ assertGroupsKnown "services.kanidm.provision.persons.${person}.groups" personCfg.groups -+ ) -+- ++ lib.flip lib.mapAttrsToList (filterPresent cfg.provision.groups) ( -++ ++ lib.flip lib.mapAttrsToList (filterMemberful cfg.provision.groups) ( -+ group: groupCfg: -+ assertEntitiesKnown "services.kanidm.provision.groups.${group}.members" groupCfg.members -+ ) -++ ++ lib.flip lib.mapAttrsToList (filterMemberless cfg.provision.groups) ( -++ group: groupCfg: { -++ assertion = cfg.provision.enable -> groupCfg.members == [ ]; -++ message = '' -++ services.kanidm.groups.${group} is declared as memberless but contains members: ${toString groupCfg.members} -++ ''; -++ } -++ ) -+ ++ lib.concatLists ( -+ lib.flip lib.mapAttrsToList (filterPresent cfg.provision.systems.oauth2) ( -+ oauth2: oauth2Cfg: -diff --git a/pkgs/by-name/ka/kanidm-provision/package.nix b/pkgs/by-name/ka/kanidm-provision/package.nix -index 63d7e85ba8a8..5ebd69cb91ee 100644 ---- a/pkgs/by-name/ka/kanidm-provision/package.nix -+++ b/pkgs/by-name/ka/kanidm-provision/package.nix -@@ -18,4 +18,8 @@ rustPlatform.buildRustPackage rec { - hash = "sha256-m3bF4wFPVRc2E+E/pZc3js9T4rYbTejo/FFpysytWKw="; - }; - -+ patches = [ -+ ./01-memberless.patch -+ ]; -+ - useFetchCargoVendor = true; -- 2.47.2 From 38aec4ce014de3c19c74a0c0a98973260a22931c Mon Sep 17 00:00:00 2001 
From: catvayor
Date: Fri, 13 Jun 2025 12:50:03 +0200
Subject: [PATCH 13/14] feat(compute01/librenms): remove
---
 REUSE.toml | 2 +-
 default.nix | 1 -
 machines/nixos/compute01/_configuration.nix | 1 -
 machines/nixos/compute01/kanidm/default.nix | 15 -
 machines/nixos/compute01/librenms/default.nix | 55 --
 .../nixos/compute01/librenms/kanidm.patch | 90 ---
 machines/nixos/compute01/librenms/module.nix | 687 ------------------
 .../secrets/librenms-database_password_file | 29 -
 .../secrets/librenms-environment_file | Bin 2000 -> 0 bytes
 machines/nixos/compute01/secrets/secrets.nix | 2 -
 meta/dns.nix | 1 -
 11 files changed, 1 insertion(+), 882 deletions(-)
 delete mode 100644 machines/nixos/compute01/librenms/default.nix
 delete mode 100644 machines/nixos/compute01/librenms/kanidm.patch
 delete mode 100644 machines/nixos/compute01/librenms/module.nix
 delete mode 100644 machines/nixos/compute01/secrets/librenms-database_password_file
 delete mode 100644 machines/nixos/compute01/secrets/librenms-environment_file
diff --git a/REUSE.toml b/REUSE.toml
index bd72fbd..8e2a0d6 100644
--- a/REUSE.toml
+++ b/REUSE.toml
@@ -20,7 +20,7 @@ precedence = "closest"
 [[annotations]]
 SPDX-FileCopyrightText = "2024 Tom Hubrecht "
 SPDX-License-Identifier = "EUPL-1.2"
-path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch", "machines/nixos/vault01/k-radius/packages/03-set-log-level.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/lix/02-fetchGit-locked.patch", "patches/nixpkgs/01-pretalx-environment-file.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch", "patches/cas-eleves/01-ldap-settings.patch"]
+path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch", "machines/nixos/vault01/k-radius/packages/03-set-log-level.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/lix/02-fetchGit-locked.patch", "patches/nixpkgs/01-pretalx-environment-file.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch", "patches/cas-eleves/01-ldap-settings.patch"]
 precedence = "closest"
 [[annotations]]
diff --git a/default.nix b/default.nix
index 9ffad4c..6dc15c2 100644
--- a/default.nix
+++ b/default.nix
@@ -113,7 +113,6 @@ let
 {
 path = [
 "machines/nixos/compute01/ds-fr/01-smtp-tls.patch"
- "machines/nixos/compute01/librenms/kanidm.patch"
 "machines/nixos/compute01/stirling-pdf/*.patch"
 "machines/nixos/vault01/k-radius/packages/01-python_path.patch"
 "machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch"
diff --git a/machines/nixos/compute01/_configuration.nix b/machines/nixos/compute01/_configuration.nix
index 65f402a..59dd27a 100644
--- a/machines/nixos/compute01/_configuration.nix
+++ b/machines/nixos/compute01/_configuration.nix
@@ -24,7 +24,6 @@ lib.extra.mkConfig {
 "grafana"
 "hedgedoc"
 "kanidm"
- "librenms"
 "mastodon"
 # "netbox"
 "nextcloud"
diff --git a/machines/nixos/compute01/kanidm/default.nix b/machines/nixos/compute01/kanidm/default.nix
index eb6057b..fec245e 100644
--- a/machines/nixos/compute01/kanidm/default.nix
+++ b/machines/nixos/compute01/kanidm/default.nix
@@ -108,21 +108,6 @@ in
 ];
 };
- dgn_librenms = {
- allowInsecureClientDisablePkce = true;
- displayName = "LibreNMS [Network]";
- enableLegacyCrypto = true;
- originLanding = "https://nms.dgnum.eu";
- originUrl = "https://nms.dgnum.eu/auth/kanidm/callback";
- preferShortUsername = true;
-
- scopeMaps.grp_active = [
- "openid"
- "profile"
- "email"
- ];
- };
-
 dgn_netbird = {
 displayName = "Netbird [VPN]";
 enableLocalhostRedirects = true;
diff --git a/machines/nixos/compute01/librenms/default.nix b/machines/nixos/compute01/librenms/default.nix
deleted file mode 100644
index 36c4cc4..0000000
--- a/machines/nixos/compute01/librenms/default.nix
+++ /dev/null
@@ -1,55 +0,0 @@ -# SPDX-FileCopyrightText: 2024 Tom Hubrecht -# -# SPDX-License-Identifier: EUPL-1.2 - -{ config, pkgs, ... }: - -let - host = "nms.dgnum.eu"; -in - -{ - imports = [ ./module.nix ]; - - services.librenms = { - enable = true; - - package = - (pkgs.librenms.override { inherit (config.services.librenms) dataDir logDir; }).overrideAttrs - (old: { - patches = (old.patches or [ ]) ++ [ ./kanidm.patch ]; - vendorHash = "sha256-J/whSL1keEZKkfOtHpkJ2vSrN/s+DpUGb6RBXpQZQXg="; - }); - - hostname = host; - - settings = { - auth.socialite = { - configs.kanidm = { - listener = "\\SocialiteProviders\\Kanidm\\KanidmExtendSocialite"; - client_id = "$KANIDM_CLIENT_ID"; - client_secret = "$KANIDM_CLIENT_SECRET"; - redirect = "$KANIDM_REDIRECT_URI"; - base_url = "$KANIDM_BASE_URL"; - }; - default_role = "normal"; - register = true; - }; - }; - - database = { - createLocally = true; - passwordFile = config.age.secrets."librenms-database_password_file".path; - }; - - environmentFile = config.age.secrets."librenms-environment_file".path; - - nginx = { - serverName = host; - enableACME = true; - forceSSL = true; - }; - }; - - age-secrets.autoMatch = [ "librenms" ]; -} diff --git a/machines/nixos/compute01/librenms/kanidm.patch b/machines/nixos/compute01/librenms/kanidm.patch deleted file mode 100644 index d5a4d28..0000000 --- a/machines/nixos/compute01/librenms/kanidm.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -diff --git a/composer.json b/composer.json -index af8168f4c..1775f150e 100644 ---- a/composer.json -+++ b/composer.json -@@ -54,6 +54,7 @@ - "phpmailer/phpmailer": "~6.0", - "predis/predis": "^2.0", - "silber/bouncer": "^1.0", -+ "socialiteproviders/kanidm": "^5.0", - "socialiteproviders/manager": "^4.3", - "spatie/laravel-ignition": "^2.0", - "symfony/yaml": "^6.2", -diff --git a/composer.lock b/composer.lock -index 3d89a1530..a00c5f307 100644 ---- a/composer.lock -+++ b/composer.lock -@@ -4,7 +4,7 @@ - "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", - "This file is @generated automatically" - ], -- "content-hash": "fee5d24447dced4397e26066f8c9ee59", -+ "content-hash": "b9316a47587c8e6f6b0adbe3d54777f3", - "packages": [ - { - "name": "amenadiel/jpgraph", -@@ -5906,6 +5906,56 @@ - }, - "time": "2023-02-10T16:47:25+00:00" - }, -+ { -+ "name": "socialiteproviders/kanidm", -+ "version": "5.0.0", -+ "source": { -+ "type": "git", -+ "url": "https://github.com/SocialiteProviders/Kanidm.git", -+ "reference": "111ad45941e7150e3219ddfdeb8159f758bde2fd" -+ }, -+ "dist": { -+ "type": "zip", -+ "url": "https://api.github.com/repos/SocialiteProviders/Kanidm/zipball/111ad45941e7150e3219ddfdeb8159f758bde2fd", -+ "reference": "111ad45941e7150e3219ddfdeb8159f758bde2fd", -+ "shasum": "" -+ }, -+ "require": { -+ "ext-json": "*", -+ "php": "^8.0", -+ "socialiteproviders/manager": "^4.4" -+ }, -+ "type": "library", -+ "autoload": { -+ "psr-4": { -+ "SocialiteProviders\\Kanidm\\": "" -+ } -+ }, -+ "notification-url": "https://packagist.org/downloads/", -+ "license": [ -+ "MIT" -+ ], -+ "authors": [ -+ { -+ "name": "Tom Hubrecht", -+ "email": "tom@hubrecht.ovh" -+ } -+ ], -+ "description": "Kanidm OAuth2 Provider for Laravel Socialite", -+ "keywords": [ -+ "kanidm", -+ "laravel", -+ "oauth", -+ "provider", -+ "socialite" -+ ], -+ "support": { -+ "docs": "https://socialiteproviders.com/kanidm", -+ "issues": 
"https://github.com/socialiteproviders/providers/issues", -+ "source": "https://github.com/socialiteproviders/providers" -+ }, -+ "time": "2024-02-19T19:49:21+00:00" -+ }, - { - "name": "socialiteproviders/manager", - "version": "v4.6.0", -index 3d89a1530..a00c5f307 100644 ---- a/app/Providers/EventServiceProvider.php -+++ b/app/Providers/EventServiceProvider.php -@@ -33,3 +33,4 @@ - \SocialiteProviders\Manager\SocialiteWasCalled::class => [ -+ \SocialiteProviders\Kanidm\KanidmExtendSocialite::class.'@handle', - \App\Listeners\SocialiteWasCalledListener::class, - ], diff --git a/machines/nixos/compute01/librenms/module.nix b/machines/nixos/compute01/librenms/module.nix deleted file mode 100644 index a8727e0..0000000 --- a/machines/nixos/compute01/librenms/module.nix +++ /dev/null 
@@ -1,687 +0,0 @@ -# SPDX-FileCopyrightText: 2024 Tom Hubrecht -# -# SPDX-License-Identifier: EUPL-1.2 - -{ - config, - lib, - pkgs, - modulesPath, - ... -}: - -let - inherit (lib) - literalExpression - mkEnableOption - mkOption - recursiveUpdate - types - ; - - cfg = config.services.librenms; - settingsFormat = pkgs.formats.json { }; - configJson = settingsFormat.generate "librenms-config.json" cfg.settings; - - inherit (cfg) package; - - phpOptions = '' - log_errors = on - post_max_size = 100M - upload_max_filesize = 100M - date.timezone = "${config.time.timeZone}" - ''; - - phpIni = - pkgs.runCommand "php.ini" - { - inherit (package) phpPackage; - inherit phpOptions; - preferLocalBuild = true; - passAsFile = [ "phpOptions" ]; - } - '' - cat $phpPackage/etc/php.ini $phpOptionsPath > $out - ''; - - artisanWrapper = pkgs.writeShellScriptBin "librenms-artisan" '' - cd ${package} - sudo=exec - if [[ "$USER" != ${cfg.user} ]]; then - sudo='exec /run/wrappers/bin/sudo -u ${cfg.user}' - fi - $sudo ${package}/artisan $* - ''; - - lnmsWrapper = pkgs.writeShellScriptBin "lnms" '' - cd ${package} - exec ${package}/lnms $* - ''; - - configFile = pkgs.writeText "config.php" '' - cfg.database.host == "localhost"; - message = ''The database host must be "localhost" if services.librenms.database.createLocally is set to true.''; - } - { - assertion = !(cfg.useDistributedPollers && cfg.distributedPoller.enable); - message = "The LibreNMS instance can't be a distributed poller and a full instance at the same time."; - } - ]; - - users.users.${cfg.user} = { - group = "${cfg.group}"; - isSystemUser = true; - }; - - users.groups.${cfg.group} = { }; - - services = { - librenms.settings = - { - # basic configs - "user" = cfg.user; - "own_hostname" = cfg.hostname; - "base_url" = lib.mkDefault "/"; - "auth_mechanism" = lib.mkDefault "mysql"; - - # disable auto update function (won't work with NixOS) - "update" = false; - - # enable fast ping by default - "ping_rrd_step" = 60; - - # one 
minute polling - "rrd.step" = if cfg.enableOneMinutePolling then 60 else 300; - "rrd.heartbeat" = if cfg.enableOneMinutePolling then 120 else 600; - } - // (lib.optionalAttrs cfg.distributedPoller.enable { - "distributed_poller" = true; - "distributed_poller_name" = lib.mkIf ( - cfg.distributedPoller.name != null - ) cfg.distributedPoller.name; - "distributed_poller_group" = cfg.distributedPoller.group; - "distributed_billing" = cfg.distributedPoller.distributedBilling; - "distributed_poller_memcached_host" = cfg.distributedPoller.memcachedHost; - "distributed_poller_memcached_port" = cfg.distributedPoller.memcachedPort; - "rrdcached" = - "${cfg.distributedPoller.rrdcachedHost}:${toString cfg.distributedPoller.rrdcachedPort}"; - }) - // (lib.optionalAttrs cfg.useDistributedPollers { - "distributed_poller" = true; - # still enable a local poller with distributed polling - "distributed_poller_group" = lib.mkDefault "0"; - "distributed_billing" = lib.mkDefault true; - "distributed_poller_memcached_host" = "localhost"; - "distributed_poller_memcached_port" = 11211; - "rrdcached" = "localhost:42217"; - }); - - memcached = lib.mkIf cfg.useDistributedPollers { - enable = true; - listen = "0.0.0.0"; - }; - - mysql = lib.mkIf cfg.database.createLocally { - enable = true; - package = lib.mkDefault pkgs.mariadb; - settings.mysqld = { - innodb_file_per_table = 1; - lower_case_table_names = 0; - } // (lib.optionalAttrs cfg.useDistributedPollers { bind-address = "0.0.0.0"; }); - ensureDatabases = [ cfg.database.database ]; - ensureUsers = [ - { - name = cfg.database.username; - ensurePermissions = { - "${cfg.database.database}.*" = "ALL PRIVILEGES"; - }; - } - ]; - initialScript = lib.mkIf cfg.useDistributedPollers ( - pkgs.writeText "mysql-librenms-init" '' - CREATE USER IF NOT EXISTS '${cfg.database.username}'@'%'; - GRANT ALL PRIVILEGES ON ${cfg.database.database}.* TO '${cfg.database.username}'@'%'; - '' - ); - }; - - nginx = lib.mkIf (!cfg.distributedPoller.enable) { - 
enable = true; - virtualHosts."${cfg.hostname}" = lib.mkMerge [ - cfg.nginx - { - root = lib.mkForce "${package}/html"; - locations."/" = { - index = "index.php"; - tryFiles = "$uri $uri/ /index.php?$query_string"; - }; - locations."~ .php$".extraConfig = '' - fastcgi_pass unix:${config.services.phpfpm.pools."librenms".socket}; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - ''; - } - ]; - }; - - phpfpm.pools.librenms = lib.mkIf (!cfg.distributedPoller.enable) { - inherit (cfg) group user; - inherit (package) phpPackage; - inherit phpOptions; - settings = { - "listen.mode" = "0660"; - "listen.owner" = config.services.nginx.user; - "listen.group" = config.services.nginx.group; - } // cfg.poolConfig; - }; - - logrotate = { - enable = true; - settings."${cfg.logDir}/librenms.log" = { - su = "${cfg.user} ${cfg.group}"; - create = "0640 ${cfg.user} ${cfg.group}"; - rotate = 6; - frequency = "weekly"; - compress = true; - delaycompress = true; - missingok = true; - notifempty = true; - }; - }; - - cron = { - enable = true; - systemCronJobs = - let - env = "PHPRC=${phpIni}"; - in - [ - # based on crontab provided by LibreNMS - "33 */6 * * * ${cfg.user} ${env} ${package}/cronic ${package}/discovery-wrapper.py 1" - "*/5 * * * * ${cfg.user} ${env} ${package}/discovery.php -h new >> /dev/null 2>&1" - - "${ - if cfg.enableOneMinutePolling then "*" else "*/5" - } * * * * ${cfg.user} ${env} ${package}/cronic ${package}/poller-wrapper.py ${toString cfg.pollerThreads}" - "* * * * * ${cfg.user} ${env} ${package}/alerts.php >> /dev/null 2>&1" - - "*/5 * * * * ${cfg.user} ${env} ${package}/poll-billing.php >> /dev/null 2>&1" - "01 * * * * ${cfg.user} ${env} ${package}/billing-calculate.php >> /dev/null 2>&1" - "*/5 * * * * ${cfg.user} ${env} ${package}/check-services.php >> /dev/null 2>&1" - - # extra: fast ping - "* * * * * ${cfg.user} ${env} ${package}/ping.php >> /dev/null 2>&1" - - # daily.sh tasks are split to exclude update - "19 0 * * * ${cfg.user} ${env} ${package}/daily.sh 
cleanup >> /dev/null 2>&1" - "19 0 * * * ${cfg.user} ${env} ${package}/daily.sh notifications >> /dev/null 2>&1" - "19 0 * * * ${cfg.user} ${env} ${package}/daily.sh peeringdb >> /dev/null 2>&1" - "19 0 * * * ${cfg.user} ${env} ${package}/daily.sh mac_oui >> /dev/null 2>&1" - ]; - }; - }; - - systemd = { - services = { - rrdcached = lib.mkIf cfg.useDistributedPollers { - description = "rrdcached"; - after = [ "librenms-setup.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "forking"; - User = cfg.user; - Group = cfg.group; - LimitNOFILE = 16384; - RuntimeDirectory = "rrdcached"; - PidFile = "/run/rrdcached/rrdcached.pid"; - # rrdcached params from https://docs.librenms.org/Extensions/Distributed-Poller/#config-sample - ExecStart = "${pkgs.rrdtool}/bin/rrdcached -l 0:42217 -R -j ${cfg.dataDir}/rrdcached-journal/ -F -b ${cfg.dataDir}/rrd -B -w 1800 -z 900 -p /run/rrdcached/rrdcached.pid"; - }; - }; - - librenms-scheduler = { - description = "LibreNMS Scheduler"; - path = [ pkgs.unixtools.whereis ]; - serviceConfig = { - Type = "oneshot"; - WorkingDirectory = package; - User = cfg.user; - Group = cfg.group; - ExecStart = "${artisanWrapper}/bin/librenms-artisan schedule:run"; - }; - }; - - librenms-setup = { - description = "Preparation tasks for LibreNMS"; - before = [ "phpfpm-librenms.service" ]; - after = [ - "systemd-tmpfiles-setup.service" - ] ++ (lib.optional (cfg.database.host == "localhost") "mysql.service"); - wantedBy = [ "multi-user.target" ]; - restartTriggers = [ - package - configFile - ]; - path = [ - pkgs.mariadb - pkgs.unixtools.whereis - pkgs.gnused - ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - EnvironmentFile = lib.mkIf (cfg.environmentFile != null) [ cfg.environmentFile ]; - User = cfg.user; - Group = cfg.group; - ExecStartPre = lib.mkIf cfg.database.createLocally [ - "!${pkgs.writeShellScript "librenms-db-init" '' - DB_PASSWORD=$(cat ${cfg.database.passwordFile} | tr -d '\n') - echo "ALTER 
USER '${cfg.database.username}'@'localhost' IDENTIFIED BY '$DB_PASSWORD';" | ${pkgs.mariadb}/bin/mysql - ${lib.optionalString cfg.useDistributedPollers '' - echo "ALTER USER '${cfg.database.username}'@'%' IDENTIFIED BY '$DB_PASSWORD';" | ${pkgs.mariadb}/bin/mysql - ''} - ''}" - ]; - }; - script = '' - set -euo pipefail - - # config setup - ln -sf ${configFile} ${cfg.dataDir}/config.php - ${pkgs.envsubst}/bin/envsubst -i ${configJson} -o ${cfg.dataDir}/config.json - export PHPRC=${phpIni} - - if [[ ! -s ${cfg.dataDir}/.env ]]; then - # init .env file - echo "APP_KEY=" > ${cfg.dataDir}/.env - ${artisanWrapper}/bin/librenms-artisan key:generate --ansi - ${artisanWrapper}/bin/librenms-artisan webpush:vapid - echo "" >> ${cfg.dataDir}/.env - echo -n "NODE_ID=" >> ${cfg.dataDir}/.env - ${package.phpPackage}/bin/php -r "echo uniqid();" >> ${cfg.dataDir}/.env - echo "" >> ${cfg.dataDir}/.env - else - # .env file already exists --> only update database and cache config - ${pkgs.gnused}/bin/sed -i /^DB_/d ${cfg.dataDir}/.env - ${pkgs.gnused}/bin/sed -i /^CACHE_DRIVER/d ${cfg.dataDir}/.env - fi - ${lib.optionalString (cfg.useDistributedPollers || cfg.distributedPoller.enable) '' - echo "CACHE_DRIVER=memcached" >> ${cfg.dataDir}/.env - ''} - echo "DB_HOST=${cfg.database.host}" >> ${cfg.dataDir}/.env - echo "DB_PORT=${toString cfg.database.port}" >> ${cfg.dataDir}/.env - echo "DB_DATABASE=${cfg.database.database}" >> ${cfg.dataDir}/.env - echo "DB_USERNAME=${cfg.database.username}" >> ${cfg.dataDir}/.env - echo -n "DB_PASSWORD=" >> ${cfg.dataDir}/.env - cat ${cfg.database.passwordFile} >> ${cfg.dataDir}/.env - - # clear cache after update - OLD_VERSION=$(cat ${cfg.dataDir}/version) - if [[ $OLD_VERSION != "${package.version}" ]]; then - rm -r ${cfg.dataDir}/cache/* - echo "${package.version}" > ${cfg.dataDir}/version - fi - - # convert rrd files when the oneMinutePolling option is changed - OLD_ENABLED=$(cat ${cfg.dataDir}/one_minute_enabled) - if [[ $OLD_ENABLED != 
"${lib.boolToString cfg.enableOneMinutePolling}" ]]; then - ${package}/scripts/rrdstep.php -h all - echo "${lib.boolToString cfg.enableOneMinutePolling}" > ${cfg.dataDir}/one_minute_enabled - fi - - # migrate db - ${artisanWrapper}/bin/librenms-artisan migrate --force --no-interaction - ''; - }; - }; - - timers.librenms-scheduler = { - description = "LibreNMS Scheduler"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "minutely"; - AccuracySec = "1second"; - }; - }; - - tmpfiles.rules = - [ - "d ${cfg.logDir} 0750 ${cfg.user} ${cfg.group} - -" - "f ${cfg.logDir}/librenms.log 0640 ${cfg.user} ${cfg.group} - -" - "d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group} - -" - "f ${cfg.dataDir}/.env 0600 ${cfg.user} ${cfg.group} - -" - "f ${cfg.dataDir}/version 0600 ${cfg.user} ${cfg.group} - -" - "f ${cfg.dataDir}/one_minute_enabled 0600 ${cfg.user} ${cfg.group} - -" - "f ${cfg.dataDir}/config.json 0600 ${cfg.user} ${cfg.group} - -" - "d ${cfg.dataDir}/storage 0700 ${cfg.user} ${cfg.group} - -" - "d ${cfg.dataDir}/storage/app 0700 ${cfg.user} ${cfg.group} - -" - "d ${cfg.dataDir}/storage/debugbar 0700 ${cfg.user} ${cfg.group} - -" - "d ${cfg.dataDir}/storage/framework 0700 ${cfg.user} ${cfg.group} - -" - "d ${cfg.dataDir}/storage/framework/cache 0700 ${cfg.user} ${cfg.group} - -" - "d ${cfg.dataDir}/storage/framework/sessions 0700 ${cfg.user} ${cfg.group} - -" - "d ${cfg.dataDir}/storage/framework/views 0700 ${cfg.user} ${cfg.group} - -" - "d ${cfg.dataDir}/storage/logs 0700 ${cfg.user} ${cfg.group} - -" - "d ${cfg.dataDir}/rrd 0700 ${cfg.user} ${cfg.group} - -" - "d ${cfg.dataDir}/cache 0700 ${cfg.user} ${cfg.group} - -" - ] - ++ lib.optionals cfg.useDistributedPollers [ - "d ${cfg.dataDir}/rrdcached-journal 0700 ${cfg.user} ${cfg.group} - -" - ]; - }; - - programs.mtr.enable = true; - - security.wrappers = { - fping = { - setuid = true; - owner = "root"; - group = "root"; - source = "${pkgs.fping}/bin/fping"; - }; - }; - - environment.systemPackages = [ - 
artisanWrapper - lnmsWrapper - ]; - }; - - meta.maintainers = lib.teams.wdz.members; -} diff --git a/machines/nixos/compute01/secrets/librenms-database_password_file b/machines/nixos/compute01/secrets/librenms-database_password_file deleted file mode 100644 index 4da18c2..0000000 --- a/machines/nixos/compute01/secrets/librenms-database_password_file +++ /dev/null @@ -1,29 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 jIXfPA UxfxSZSNMeVYMYCahDmlrf3mdMpyFzcj+81nBBCECgk -lYiIx4BvqqB1CfM/Y+Y1LRZBDzGkRKdfa0HLfPCzQUE --> ssh-ed25519 QlRB9Q I13TmGvHd/x40ML386PyWmdd/ub3Q69MqPi1GzEwgVI -8ym5O+kh3JBJ91vizO8jODFN9M2OAUIOijmI5QKzguQ --> ssh-ed25519 r+nK/Q RPDuBopRVTVPKRqZgEh2XfchP9XCPjzhuW+hu2LCbBk -BYZJvcH3BQGh9CSkvREz1JzyksVN8TSuilW2ww2kXho --> ssh-rsa krWCLQ -jFEaahbYnGF9WTvaW5FmBIrhNwt/ZiaQv04VZHQnOhJRCmJViExZl2+yCqHlK4nF -X5qbe51FwJX1VyF4x74tVdTb3PR1hx1JdncEXUdr2/8DSsddAGTowQl2RA8GBpd4 -K2YiRjMPTvShmfXZUncqR8UOB97FIOMMMjXZmDN+T2D4xZ522g7mvPLq/a9T9iB6 -cvcwu4PVvTTO+oM7hWj3KYM1aMtRlNscgPaJSvZ5f3MOAEo4qdDlERC473jc/0ez -yRNz1B4AjO4YWWXmLgPrh2n+kCkv4ZI5nUHgO8kCNuHLD8bX5eeQCn1fx6F2bWuE -f5c9CI4X69z0HQDZWVSwcw --> ssh-ed25519 /vwQcQ 9iCDJiFcwJ/2GZ1fP0BiUUDfSb8ByldRGMUMNxp1gTE -khKANSZ8UIF9jCm32Y2Pn0e04Qr42eKPfTOPTQdnKEs --> ssh-ed25519 0R97PA qacag6Tw7RwyACjvRUQU25252nDQxDxepGuUg4e82QY -UAYVIwprsmpC7GYPZNlLAKjLQkbZ1DmXy5fdGyL3az4 --> ssh-ed25519 JGx7Ng Q6GFfKxfoI4rD1smg3NwD9Q8IqP9dFCmhBIcompCW2c -B+S+wCC7oe8CXH1/7n45U2XssrzB1xHYuJX0BPQa4tY --> ssh-ed25519 bUjjig ZIXCFGNK5HSrVCzXw+d89RtmVYkricFsN4ITXhZYnAI -AryndaatuETXTDqFO+PgjU6X9N56DgfhTtZA660I9zI --> ssh-ed25519 tDqJRg YyWweqs0fGEtC/t/lW2Mf8uSby7lg/p00tz51qchz2o -8bVaNX8O4+GOTvj+DVINnbQdLo0Os5nVwYygobJqLbI --> .-grease -+TO+CNhkq/HSoBucxW7tIR6mZW6vKF/Zb1zhIBB8juSR0Tu8yw0JArAmWR5dJIRH -fDlE8JfUaY67j/KXN3ZhNvtVxzzmpK1HBG8Oii8brlVCSR6dDSLxqCHXQJo ---- 0CxvM54IJkhoH/NGTqvbcnwBi7k9txCFSFyoEk15eeM -D/l,_(4 {,^Y'BUM^2yn{ܣ \ No newline at end of file 
diff --git a/machines/nixos/compute01/secrets/librenms-environment_file b/machines/nixos/compute01/secrets/librenms-environment_file deleted file mode 100644 index cce938275e3248c97a6e313dd91148bbfc0d06b6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2000 zcmZXU+sotz8OFupX%xgF3fhbDLc~o!Gc%c-)OAfJr|WO?%M=t5+&4x>i>az35FB))o}OA|h6_>PlN(S*RbvdhzXF@Oz)b`&gcP zOODfMQ)Kh-`b$OzZqOWw#oG#?WwlNtC&zy`Vx~FO>r9 z5U$gmHDM#+px2eiKmz9OtjG^sH&{-q1YG5sT(4r<-@)^3T^w4401?7IsV$u9TZ!nC zQz{Rg2q;v9Q&uvH>{hLtq&C($d4d#7M65BJvlPO^dc%(GM1mCD&}(qKEggJ3flS-M zfw>_B9)-a}#2EteqRday?656l1K5<*f7mvW`jPHKz5AG1IgRO@)BoUXnc~E0SOPv{UA)(HM^7P zW`hD|UM@4uvW?GSOTVm@UMDoX&l+2{wb z8aV4UK4lO5NI++4uhj{~5Jb-l7=_~m$zfoS4p0{6L57u=?PtduIrtPLZb3V3RaWLhzPyk2YB1=<%0?3mf$Ia*Mf1TnV~aR#u3%sgY@|Br-c#FrY#kOekZW_a+HsmUy%t z)tu=QqiUvXXK=03qq-#0T3u$Nyd@Y^fTjC-J7XJE^!hl8EjwlJJAyXH~6;qdBzTS^^ynQP^4 zzwJx?htW?oSRbu3UmO-^dflwdErLx23)7RC#xF%x-C(F1>^4!Fv;2CoDN1uSvZjY> zJ!0x8bXY3hRrRQ#qvH-99reW>W3i>4My3K!S+mmCb5NkHk!RSMOGnj`v{sSh*~iiM z_Os8Qkv{#`w_ZB?&JUb7o;~&S&1;X}_~Q7^;-TFg=x0~|eEOE~*>5}Fk?wx!`PY84 zyS9GfcPlNw^YrZxJ@vxX&%B4d@%v}~694fF54>^e+*fq|#rM7WGV2^KaIL@4fue8NmO#GPriBe*NMv?tbpQKfHD8qc6Vv zJ7-|9MLh_{Z@}Kln&m{`&SK!oPle_$tsm_mk@j_`+{# z`tl?H+4nb3yz5FIaIU=cz}p^s{qmhxo#O19GWG2FHy(CkcK^&nH$M5R;q%{o^&emU j>EMM|UOV?eW%;!~WEank4_ANw%a4PPK6l|8@7Mne-7dAB diff --git a/machines/nixos/compute01/secrets/secrets.nix b/machines/nixos/compute01/secrets/secrets.nix index 1ada18e..feae5a0 100644 --- a/machines/nixos/compute01/secrets/secrets.nix +++ b/machines/nixos/compute01/secrets/secrets.nix @@ -18,8 +18,6 @@ "grafana-oauth_client_secret_file" "grafana-smtp_password_file" "hedgedoc-environment_file" - "librenms-database_password_file" - "librenms-environment_file" "mastodon-extra_env_file" "mastodon-smtp-password" "netbox-environment_file" diff --git a/meta/dns.nix b/meta/dns.nix index fa3fd56..4946f1f 100644 --- a/meta/dns.nix +++ b/meta/dns.nix 
@@ -82,7 +82,6 @@ let
 "gist" # Opengist
 "grafana" # Grafana
 "netbox-v2" # Netbox
- "nms" # LibreNMS
 "pads" # Hedgedoc
 "pass" # Vaultwarden
 "pdf" # Stirling PDF
-- 
2.47.2

From ea36e55c29983bd438f022f14d593f39baed2e61 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Fri, 13 Jun 2025 11:28:19 +0200
Subject: [PATCH 14/14] feat(krz01): Upgrade to nixos-unstable

- Disabled whisper-cpp as the packaging changed too much and it no longer build
---
 machines/nixos/krz01/_configuration.nix | 2 +-
 meta/nodes/nixos.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/machines/nixos/krz01/_configuration.nix b/machines/nixos/krz01/_configuration.nix
index af8919b..de7d8cf 100644
--- a/machines/nixos/krz01/_configuration.nix
+++ b/machines/nixos/krz01/_configuration.nix
@@ -16,7 +16,7 @@ lib.extra.mkConfig {
 "microvm-router01"
 "nvidia-tesla-k80"
 "ollama"
- "whisper"
+ # "whisper"
 "proxmox"
 "networking"
 ];
diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix
index 983424f..94113cd 100644
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@@ -237,7 +237,7 @@
 stateVersion = "24.11";
 nixpkgs = {
- version = "24.11";
+ version = "unstable";
 system = "nixos";
 };
 };
-- 
2.47.2
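Review bot: The new `# "whisper"` entry in the `machines/nixos/krz01/_configuration.nix` hunk is a bare commented-out list element, so the reason the module is disabled lives only in the commit message and is lost on the next squash or rebase. A trailing comment keeps the intent in the file, e.g. `# "whisper" # disabled: whisper-cpp no longer builds after the move to nixos-unstable (per commit message); re-enable once its packaging settles`. If the module is not expected to come back soon, dropping the entry outright is cleaner, since git history already records it. The enclosing `lib.extra.mkConfig { ... }` call continues outside the hunk.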