From e660c216def1e0b8f0b1886e6e29cd7b40800d01 Mon Sep 17 00:00:00 2001 From: sinavir Date: Mon, 4 Dec 2023 17:42:06 +0100 Subject: [PATCH] big refactor --- .gitignore | 5 +- hive.nix | 59 ++ hosts/org/core-hackens/default.nix | 4 - hosts/org/core-hackens/programs.nix | 1 - hosts/org/core-hackens/static-dns.nix | 1 - hosts/org/dokuwiki.nix | 128 ---- hosts/org/physical.nix | 15 - hosts/org/static-sites.nix | 23 - {hosts => machines}/milieu/configuration.nix | 2 +- .../milieu/hardware-configuration.nix | 0 .../milieu}/shared-hackens/aarch64.nix | 0 .../milieu}/shared-hackens/audio.nix | 0 .../milieu}/shared-hackens/default.nix | 0 .../milieu}/shared-hackens/dns/default.nix | 0 .../milieu}/shared-hackens/dns/forwarding.txt | 0 .../milieu}/shared-hackens/gnome.nix | 0 .../milieu}/shared-hackens/i18n.nix | 0 .../milieu}/shared-hackens/nightworker.nix | 0 .../milieu}/shared-hackens/no-sleep.nix | 0 .../milieu}/shared-hackens/programs.nix | 0 .../milieu}/shared-hackens/system.nix | 0 .../milieu}/shared-hackens/users.nix | 8 +- .../milieu}/shared-hackens/vim.nix | 0 machines/org/_bootloader.nix | 5 + .../org/_configuration.nix | 25 +- machines/org/_networking.nix | 25 + .../ssh-server.nix => machines/org/_ssh.nix | 6 +- .../org/_users.nix | 14 +- machines/org/dokuwiki.nix | 91 +++ .../org/hardware-configuration.nix | 0 {hosts => machines}/org/matterbridge.nix | 0 {hosts => machines}/org/nginx.nix | 0 {hosts => machines}/org/orga/authens.nix | 0 {hosts => machines}/org/orga/default.nix | 0 {hosts => machines}/org/orga/mkAssets.nix | 2 +- {hosts => machines}/org/orga/module.nix | 0 {hosts => machines}/org/orga/python-cas.nix | 0 {hosts => machines}/org/orga/python.nix | 0 {hosts => machines}/org/orga/shell.nix | 0 .../org/orga/static-assets.nix | 0 machines/org/programs.nix | 5 + {secrets => machines/org/secrets}/default.nix | 4 - {secrets => machines/org/secrets}/django.age | Bin .../org/secrets}/matterbridge-env.age | 0 {secrets => machines/org/secrets}/secrets.nix | 3 - machines/org/static-sites.nix | 62 ++ {hosts => machines}/org/webpass.nix | 0 machines/router/configuration.nix | 203 ++++++ machines/router/default.nix | 5 + machines/router/npins/default.nix | 47 ++ machines/router/npins/sources.json | 22 + meta.nix | 27 + npins/default.nix | 67 ++ npins/sources.json | 55 ++ pkgs/overlays.nix | 1 + profiles/shared-hackens/result | 1 - secrets/wiki-openID.age | 31 - setup-link-from-hostname | 11 - shared/dokuwiki.nix | 94 --- shared/dokuwiki_module.nix | 613 ------------------ 60 files changed, 707 insertions(+), 958 deletions(-) create mode 100644 hive.nix delete mode 100644 hosts/org/core-hackens/default.nix delete mode 100644 hosts/org/core-hackens/programs.nix delete mode 100644 hosts/org/core-hackens/static-dns.nix delete mode 100644 hosts/org/dokuwiki.nix delete mode 100644 hosts/org/physical.nix delete mode 100644 hosts/org/static-sites.nix rename {hosts => machines}/milieu/configuration.nix (97%) rename {hosts => machines}/milieu/hardware-configuration.nix (100%) rename {profiles => machines/milieu}/shared-hackens/aarch64.nix (100%) rename {profiles => machines/milieu}/shared-hackens/audio.nix (100%) rename {profiles => machines/milieu}/shared-hackens/default.nix (100%) rename {profiles => machines/milieu}/shared-hackens/dns/default.nix (100%) rename {profiles => machines/milieu}/shared-hackens/dns/forwarding.txt (100%) rename {profiles => machines/milieu}/shared-hackens/gnome.nix (100%) rename {profiles => machines/milieu}/shared-hackens/i18n.nix (100%) rename {profiles => machines/milieu}/shared-hackens/nightworker.nix (100%) rename {profiles => machines/milieu}/shared-hackens/no-sleep.nix (100%) rename {profiles => machines/milieu}/shared-hackens/programs.nix (100%) rename {profiles => machines/milieu}/shared-hackens/system.nix (100%) rename {profiles => machines/milieu}/shared-hackens/users.nix (86%) rename {profiles => machines/milieu}/shared-hackens/vim.nix (100%) create mode 100644 machines/org/_bootloader.nix rename hosts/org/configuration.nix => machines/org/_configuration.nix (80%) create mode 100644 machines/org/_networking.nix rename hosts/org/core-hackens/ssh-server.nix => machines/org/_ssh.nix (55%) rename hosts/org/core-hackens/personal-users.nix => machines/org/_users.nix (61%) create mode 100644 machines/org/dokuwiki.nix rename {hosts => machines}/org/hardware-configuration.nix (100%) rename {hosts => machines}/org/matterbridge.nix (100%) rename {hosts => machines}/org/nginx.nix (100%) rename {hosts => machines}/org/orga/authens.nix (100%) rename {hosts => machines}/org/orga/default.nix (100%) rename {hosts => machines}/org/orga/mkAssets.nix (89%) rename {hosts => machines}/org/orga/module.nix (100%) rename {hosts => machines}/org/orga/python-cas.nix (100%) rename {hosts => machines}/org/orga/python.nix (100%) rename {hosts => machines}/org/orga/shell.nix (100%) rename {hosts => machines}/org/orga/static-assets.nix (100%) create mode 100644 machines/org/programs.nix rename {secrets => machines/org/secrets}/default.nix (73%) rename {secrets => machines/org/secrets}/django.age (100%) rename {secrets => machines/org/secrets}/matterbridge-env.age (100%) rename {secrets => machines/org/secrets}/secrets.nix (75%) create mode 100644 machines/org/static-sites.nix rename {hosts => machines}/org/webpass.nix (100%) create mode 100644 machines/router/configuration.nix create mode 100644 machines/router/default.nix create mode 100644 machines/router/npins/default.nix create mode 100644 machines/router/npins/sources.json create mode 100644 meta.nix create mode 100644 npins/default.nix create mode 100644 npins/sources.json create mode 100644 pkgs/overlays.nix delete mode 120000 profiles/shared-hackens/result delete mode 100644 secrets/wiki-openID.age delete mode 100755 setup-link-from-hostname delete mode 100644 shared/dokuwiki.nix delete mode 100644 shared/dokuwiki_module.nix diff --git a/.gitignore b/.gitignore index 40c7108..7de0f89 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,4 @@ -configuration.nix +result +result-* +*.swp +/public.tar.gz diff --git a/hive.nix b/hive.nix new file mode 100644 index 0000000..a0faaea --- /dev/null +++ b/hive.nix @@ -0,0 +1,59 @@ +let + sources = import ./npins; + metadata = import ./meta.nix; + + defaultNixpkgs = importNixpkgsPath "x86_64-linux" sources."nixos-unstable"; + + inherit (defaultNixpkgs) lib; + + revision = node: (builtins.fromJSON (builtins.readFile ./npins/sources.json)).pins.${pkgsVersion node}.revision; + + mkNode = node: { + ${node} = { + name, + nodes, + ... + }: { + imports = [./machines/${node}/_configuration.nix] ++ lib.attrByPath [ "imports" ] [] metadata.nodes.${node}; + inherit (metadata.nodes.${node}) deployment; + nix.nixPath = + builtins.map (n: "${n}=${sources.${n}}") (builtins.attrNames sources) + ++ ["nixpkgs=${mkNixpkgsPath name}"]; + system.nixos.tags = [ + (revision node) + ]; + }; + }; + + pkgsVersion = node: lib.attrByPath [ node "nixpkgs" ] "nixos-unstable" metadata.nodes; + + mkNixpkgsPath = node: sources.${pkgsVersion node}; + + mkNixpkgs = node: { + ${node} = + importNixpkgsPath + (lib.attrByPath [ "arch" ] "x86_64-linux" metadata.nodes.${node}) + (mkNixpkgsPath node); + }; + + importNixpkgsPath = arch: p: import p { + config.allowUnfree = true; + overlays = import ./pkgs/overlays.nix; + system = arch; + }; + + nodes = builtins.attrNames metadata.nodes; + + concatAttrs = builtins.foldl' (x: y: x // y) {}; +in + { + meta = { + specialArgs = {inherit metadata;}; + nixpkgs = defaultNixpkgs; + nodeNixpkgs = concatAttrs (builtins.map mkNixpkgs nodes); + specialArgs = { + lib = lib; + }; + }; + } + // (concatAttrs (builtins.map mkNode nodes)) diff --git a/hosts/org/core-hackens/default.nix b/hosts/org/core-hackens/default.nix deleted file mode 100644 index afcc8a9..0000000 --- a/hosts/org/core-hackens/default.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ - imports = - [ ./personal-users.nix ./ssh-server.nix ./static-dns.nix ./programs.nix ]; -} diff --git a/hosts/org/core-hackens/programs.nix b/hosts/org/core-hackens/programs.nix deleted file mode 100644 index 47f1724..0000000 --- a/hosts/org/core-hackens/programs.nix +++ /dev/null @@ -1 +0,0 @@ -{ pkgs, ... }: { environment.systemPackages = with pkgs; [ vim git ]; } diff --git a/hosts/org/core-hackens/static-dns.nix b/hosts/org/core-hackens/static-dns.nix deleted file mode 100644 index a804274..0000000 --- a/hosts/org/core-hackens/static-dns.nix +++ /dev/null @@ -1 +0,0 @@ -{ ... }: { networking.nameservers = [ "1.1.1.1" "8.8.8.8" ]; } diff --git a/hosts/org/dokuwiki.nix b/hosts/org/dokuwiki.nix deleted file mode 100644 index c369ae0..0000000 --- a/hosts/org/dokuwiki.nix +++ /dev/null @@ -1,128 +0,0 @@ -{ config, pkgs, lib, ... }: { - - services.nginx.virtualHosts."new.hackens.org" = { - enableACME = true; - forceSSL = true; - }; - - services.dokuwiki.sites."new.hackens.org" = { - enable = false; # true; - settings = { - template = "bootstrap3"; - license = "cc-by-sa"; - title = "hackENS"; - lang = "fr"; - breadcrumbs = 0; - yourarehere = true; - userewrite = 1; - useacl = true; - htmlok = 1; - target._raw = '' - array( - 'extern' => '_tab' - ); - ''; - sitemap = 7; - disableactions = "register"; - superuser = "@admin"; - start = "accueil"; - htmlmail = 0; - authtype = "oauth"; - tpl.bootstrap3 = { - showAddNewPage = "logged"; - fluidContainer = 0; - }; - plugin = { - tokenbucketauth.tba_send_mail = "hackens@clipper.ens.fr"; - oauth.register-on-auth = true; - oauthkeycloak = { - key = "wiki"; - secret._file = config.age.secrets.wikiOpenID.path; - openidurl = - "https://auth.rz.ens.wtf/auth/realms/hackENS/.well-known/openid-configuration/"; - }; - }; - - }; - pluginsConfig = { - - authad = false; - authldap = false; - authpdo = false; - authmysql = false; - authpgsql = false; - oauthkeycloak = true; - popularity = false; - }; - - plugins = [ - - (pkgs.stdenv.mkDerivation { - name = "catlist"; - src = pkgs.fetchFromGitHub { - owner = "xif-fr"; - repo = "dokuwiki-plugin-catlist"; - rev = "89e024cbf3c0e30def6db6651c72eb76de396785"; - hash = "sha256-2GAUHxK3dnDhXIftd2luxmn1b84ABZvfjHBMQWeDiTs="; - }; - installPhase = '' - mkdir -p $out - cp -R * $out/ - ''; - }) - (pkgs.stdenv.mkDerivation { - name = "commonmark"; - src = pkgs.fetchzip { - url = - "https://github.com/clockoon/dokuwiki-plugin-commonmark/releases/download/v1.2.1/release.tar.gz"; - sha256 = "sha256-3fpN7SSDDQ3QAmzRuG5UMYrtGeL3ogiooPKc6g1gxRg="; - }; - installPhase = '' - mkdir -p $out - cp -R * $out/ - ''; - }) - (pkgs.stdenv.mkDerivation { - name = "oauth"; - src = pkgs.fetchFromGitHub { - owner = "cosmocode"; - repo = "dokuwiki-plugin-oauth"; - rev = "da4733221ed7b4fb3ac0e2429499b14ece3d5f2d"; - hash = "sha256-CNRlaieYm/KCjZ9+OP9pMo5SGjJ4CUrNNdL4iVktCcU="; - }; - installPhase = '' - mkdir -p $out - cp -R * $out/ - ''; - }) - (pkgs.stdenv.mkDerivation { - name = "oauthkeycloak"; - src = pkgs.fetchFromGitHub { - owner = "YoitoFes"; - repo = "dokuwiki-plugin-oauthkeycloak"; - rev = "28892edb0207d128ddb94fa8a0bd216861a5626b"; - hash = "sha256-nZo61nW9QjJiEo3FpYt1Zt7locuIDQ88AOn/ZnjjYUc="; - }; - installPhase = '' - mkdir -p $out - cp -R * $out/ - ''; - }) - - ]; - templates = [ - (pkgs.stdenv.mkDerivation rec { - name = "bootstrap3"; - version = "2022-07-27"; - src = pkgs.fetchFromGitHub { - owner = "giterlizzi"; - repo = "dokuwiki-template-bootstrap3"; - rev = "v${version}"; - hash = "sha256-B3Yd4lxdwqfCnfmZdp+i/Mzwn/aEuZ0ovagDxuR6lxo="; - }; - installPhase = "mkdir -p $out; cp -R * $out/"; - }) - ]; - }; - -} diff --git a/hosts/org/physical.nix b/hosts/org/physical.nix deleted file mode 100644 index dcb3f43..0000000 --- a/hosts/org/physical.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ pkgs, ... }: -{ - # Use the GRUB 2 boot loader. - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - boot.loader.grub.device = "/dev/vdb"; # or "nodev" for efi only - - time.timeZone = "Europe/Paris"; - - networking.useDHCP = false; - networking.interfaces.eth0 = { - ipv4.addresses = [{ address = "129.199.129.76"; prefixLength = 24; }]; - }; - networking.defaultGateway = { address = "129.199.129.1"; interface = "eth0"; }; -} diff --git a/hosts/org/static-sites.nix b/hosts/org/static-sites.nix deleted file mode 100644 index 035c5b0..0000000 --- a/hosts/org/static-sites.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ pkgs, lib, ... }: -let - sites = [ - "/NdS" - "/2048" - "/prez" - "/known" - "/pub" - ]; -in -{ - - services.nginx.enable = true; - services.nginx.virtualHosts."new.hackens.org" = { - forceSSL = true; - enableACME = true; - locations = lib.genAttrs sites (name: { - root = "/var/www"; - extraConfig = "autoindex on;"; - }); - }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; -} diff --git a/hosts/milieu/configuration.nix b/machines/milieu/configuration.nix similarity index 97% rename from hosts/milieu/configuration.nix rename to machines/milieu/configuration.nix index b0904f4..bfedeb8 100644 --- a/hosts/milieu/configuration.nix +++ b/machines/milieu/configuration.nix @@ -9,7 +9,7 @@ [ # Include the results of the hardware scan. ./hardware-configuration.nix - ../../profiles/shared-hackens + ./shared-hackens ]; # Use the GRUB 2 boot loader. diff --git a/hosts/milieu/hardware-configuration.nix b/machines/milieu/hardware-configuration.nix similarity index 100% rename from hosts/milieu/hardware-configuration.nix rename to machines/milieu/hardware-configuration.nix diff --git a/profiles/shared-hackens/aarch64.nix b/machines/milieu/shared-hackens/aarch64.nix similarity index 100% rename from profiles/shared-hackens/aarch64.nix rename to machines/milieu/shared-hackens/aarch64.nix diff --git a/profiles/shared-hackens/audio.nix b/machines/milieu/shared-hackens/audio.nix similarity index 100% rename from profiles/shared-hackens/audio.nix rename to machines/milieu/shared-hackens/audio.nix diff --git a/profiles/shared-hackens/default.nix b/machines/milieu/shared-hackens/default.nix similarity index 100% rename from profiles/shared-hackens/default.nix rename to machines/milieu/shared-hackens/default.nix diff --git a/profiles/shared-hackens/dns/default.nix b/machines/milieu/shared-hackens/dns/default.nix similarity index 100% rename from profiles/shared-hackens/dns/default.nix rename to machines/milieu/shared-hackens/dns/default.nix diff --git a/profiles/shared-hackens/dns/forwarding.txt b/machines/milieu/shared-hackens/dns/forwarding.txt similarity index 100% rename from profiles/shared-hackens/dns/forwarding.txt rename to machines/milieu/shared-hackens/dns/forwarding.txt diff --git a/profiles/shared-hackens/gnome.nix b/machines/milieu/shared-hackens/gnome.nix similarity index 100% rename from profiles/shared-hackens/gnome.nix rename to machines/milieu/shared-hackens/gnome.nix diff --git a/profiles/shared-hackens/i18n.nix b/machines/milieu/shared-hackens/i18n.nix similarity index 100% rename from profiles/shared-hackens/i18n.nix rename to machines/milieu/shared-hackens/i18n.nix diff --git a/profiles/shared-hackens/nightworker.nix b/machines/milieu/shared-hackens/nightworker.nix similarity index 100% rename from profiles/shared-hackens/nightworker.nix rename to machines/milieu/shared-hackens/nightworker.nix diff --git a/profiles/shared-hackens/no-sleep.nix b/machines/milieu/shared-hackens/no-sleep.nix similarity index 100% rename from profiles/shared-hackens/no-sleep.nix rename to machines/milieu/shared-hackens/no-sleep.nix diff --git a/profiles/shared-hackens/programs.nix b/machines/milieu/shared-hackens/programs.nix similarity index 100% rename from profiles/shared-hackens/programs.nix rename to machines/milieu/shared-hackens/programs.nix diff --git a/profiles/shared-hackens/system.nix b/machines/milieu/shared-hackens/system.nix similarity index 100% rename from profiles/shared-hackens/system.nix rename to machines/milieu/shared-hackens/system.nix diff --git a/profiles/shared-hackens/users.nix b/machines/milieu/shared-hackens/users.nix similarity index 86% rename from profiles/shared-hackens/users.nix rename to machines/milieu/shared-hackens/users.nix index 6a1792f..201c4c4 100644 --- a/profiles/shared-hackens/users.nix +++ b/machines/milieu/shared-hackens/users.nix @@ -1,10 +1,10 @@ { pkgs, ... }: let superadmins = [ - ../../pubkeys/raito.keys - ../../pubkeys/gdd.keys - ../../pubkeys/BiBi.keys - ../../pubkeys/sinavir.keys + ../../../../pubkeys/raito.keys + ../../../../pubkeys/gdd.keys + ../../../../pubkeys/BiBi.keys + ../../../../pubkeys/sinavir.keys ]; in { diff --git a/profiles/shared-hackens/vim.nix b/machines/milieu/shared-hackens/vim.nix similarity index 100% rename from profiles/shared-hackens/vim.nix rename to machines/milieu/shared-hackens/vim.nix diff --git a/machines/org/_bootloader.nix b/machines/org/_bootloader.nix new file mode 100644 index 0000000..31d8c8a --- /dev/null +++ b/machines/org/_bootloader.nix @@ -0,0 +1,5 @@ +{ + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only +} diff --git a/hosts/org/configuration.nix b/machines/org/_configuration.nix similarity index 80% rename from hosts/org/configuration.nix rename to machines/org/_configuration.nix index 3f4310f..30db8d7 100644 --- a/hosts/org/configuration.nix +++ b/machines/org/_configuration.nix @@ -7,26 +7,23 @@ { imports = [ - ./hardware-configuration.nix - ./physical.nix - ./core-hackens - ../../secrets - ./webpass.nix - ./nginx.nix + ./_bootloader.nix + ./_networking.nix + ./_ssh.nix + ./_users.nix ./dokuwiki.nix + ./hardware-configuration.nix ./matterbridge.nix + ./nginx.nix ./orga - ./static-sites + ./secrets + ./static-sites.nix + ./webpass.nix ]; - networking.hostName = "hackens-org"; # Define your hostname. + time.timeZone = "Europe/Paris"; - # dokuwiki overlay - nixpkgs.overlays = [ - (self: super: { - dokuwiki = self.pkgs.callPackage ../../shared/dokuwiki.nix { }; - }) - ]; + networking.hostName = "hackens-org"; # Define your hostname. # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/machines/org/_networking.nix b/machines/org/_networking.nix new file mode 100644 index 0000000..afb80de --- /dev/null +++ b/machines/org/_networking.nix @@ -0,0 +1,25 @@ +{ pkgs, ... }: +{ + networking.useDHCP = false; + networking.interfaces.eth0 = { + ipv4.addresses = [{ address = "129.199.129.76"; prefixLength = 24; }]; + }; + networking.defaultGateway = { address = "129.199.129.1"; interface = "eth0"; }; + + #systemd.network = { + # enable = true; + # networks = { + # "10-uplink" = { + # name = "eth0"; + # DHCP = "no"; + # address = [ + # "129.199.129.76/24" + # ]; + # networkConfig = { + # Gateway = "129.199.129.1"; + # }; + # }; + # }; + #}; + networking.nameservers = [ "1.1.1.1" "8.8.8.8" ]; +} diff --git a/hosts/org/core-hackens/ssh-server.nix b/machines/org/_ssh.nix similarity index 55% rename from hosts/org/core-hackens/ssh-server.nix rename to machines/org/_ssh.nix index 59a1a38..fdd66bd 100644 --- a/hosts/org/core-hackens/ssh-server.nix +++ b/machines/org/_ssh.nix @@ -1,9 +1,11 @@ { ... }: { # Enable the OpenSSH daemon. services.openssh.enable = true; - services.openssh.passwordAuthentication = false; + services.openssh.settings.PasswordAuthentication = false; - # Open ports in the firewall. + # Open ports in the firewall. (In fact not needed) networking.firewall.allowedTCPPorts = [ 22 ]; + + # Mosh <3 programs.mosh.enable = true; } diff --git a/hosts/org/core-hackens/personal-users.nix b/machines/org/_users.nix similarity index 61% rename from hosts/org/core-hackens/personal-users.nix rename to machines/org/_users.nix index 8981db1..d960b37 100644 --- a/hosts/org/core-hackens/personal-users.nix +++ b/machines/org/_users.nix @@ -7,27 +7,29 @@ extraGroups = [ "wheel" ]; hashedPassword = "$6$y/I6nKCMYUku7$91vTR5kYz4nHyhbuA/j6kPsD8Vfo/Rg7ri6Ympftra9V6emOt/mPg0AScECtYjSIxretvfQ3sPUF1Ho0IWx381"; - openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/raito.keys ]; + openssh.authorizedKeys.keyFiles = [ ../../pubkeys/raito.keys ]; }; gdoriathdohler = { isNormalUser = true; extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/gdd.keys ]; + openssh.authorizedKeys.keyFiles = [ ../../pubkeys/gdd.keys ]; }; mdebray = { isNormalUser = true; extraGroups = [ "wheel" ]; hashedPassword = "$6$ujz06kXa4TgvPAbF$NaXkDuOUpf3.fBRh7JuygtS0V2U/Bz4N3DpbOznO.md44xEdlKwPH/pSbL9CQJBhI5kodaKZeSaoCyhzybBPA/"; - openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/sinavir.keys ]; + openssh.authorizedKeys.keyFiles = [ ../../pubkeys/sinavir.keys ]; }; hbarral = { isNormalUser = true; extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/backslash.keys ]; + openssh.authorizedKeys.keyFiles = [ ../../pubkeys/backslash.keys ]; }; - root.openssh.authorizedKeys.keyFiles = - [ ../../../pubkeys/beigbeder.keys ../../../pubkeys/backup.keys ]; # Jacques Beigbeder est tjrs root. + root.openssh.authorizedKeys.keyFiles = [ + ../../pubkeys/beigbeder.keys + ../../pubkeys/sinavir.keys + ]; }; }; } diff --git a/machines/org/dokuwiki.nix b/machines/org/dokuwiki.nix new file mode 100644 index 0000000..0aa4cf7 --- /dev/null +++ b/machines/org/dokuwiki.nix @@ -0,0 +1,91 @@ +{ config, pkgs, lib, ... }: { + + services.nginx.virtualHosts."new.hackens.org" = { + enableACME = true; + forceSSL = true; + }; + + # Si tu as des problèmes un jour, vide le cache avant tout + services.dokuwiki.sites."new.hackens.org" = { + enable = true; + settings = { + template = "bootstrap3"; + license = "cc-by-sa"; + title = "hackENS"; + lang = "fr"; + breadcrumbs = 0; + yourarehere = true; + userewrite = 1; + useacl = true; + htmlok = 1; + target._raw = '' + array( + 'extern' => '_tab' + ); + ''; + sitemap = 7; + disableactions = "register"; + superuser = "@admin"; + start = "accueil"; + tpl.bootstrap3 = { + showAddNewPage = "logged"; + fluidContainer = 0; + }; + plugin.htmlok.htmlok=1; + }; + pluginsConfig = { + + authad = false; + authldap = false; + authpdo = false; + authmysql = false; + authpgsql = false; + popularity = false; + + }; + + plugins = [ + (pkgs.fetchFromGitHub { + name = "catlist"; + owner = "xif-fr"; + repo = "dokuwiki-plugin-catlist"; + rev = "147793e2b41e8cb6465df888eecfbc4ee54fb68a"; + hash = "sha256-kTL0Hm4BeWpmusLnybmBM9JPpx+ss0e/cusDHu6hH2I="; + }) + (pkgs.php.buildComposerProject (finalAttrs: { + pname = "commonmark"; + name = "commonmark"; + version = "1.3.1"; + composerStrictValidation = false; + src = pkgs.fetchFromGitHub { + owner = "clockoon"; + repo = "dokuwiki-plugin-commonmark"; + rev = "671ab735193ffb1324064ff0ddb92f63408b8580"; + hash = "sha256-0WFz71O6GLVZ1Mf5eu96cQ3t+H6F6VtlC3hNtlANwBs="; + }; + vendorHash = "sha256-QnFdwc6IfdH98Hbm9jt6E/rO+u6I7kZqb7+hRnPra9I="; + postInstall = '' + rm -r $out/share + cp -r . $out + ''; + })) + (pkgs.fetchFromGitHub { + name = "htmlok"; + owner = "saggi-dw"; + repo = "dokuwiki-plugin-htmlok"; + rev = "f186dda6240c61079cd9166c1f17aabefa21c7d8"; + hash = "sha256-3s+WAb1BG2mq8+wxpQ6HgPJZ+dx6v5e+vMXaOiLYceo="; + }) + ]; + templates = [ + (pkgs.fetchFromGitHub { + name = "bootstrap3"; + owner = "giterlizzi"; + repo = "dokuwiki-template-bootstrap3"; + rev = "v2022-07-27"; + hash = "sha256-B3Yd4lxdwqfCnfmZdp+i/Mzwn/aEuZ0ovagDxuR6lxo="; + }) + ]; + }; + +} diff --git a/hosts/org/hardware-configuration.nix b/machines/org/hardware-configuration.nix similarity index 100% rename from hosts/org/hardware-configuration.nix rename to machines/org/hardware-configuration.nix diff --git a/hosts/org/matterbridge.nix b/machines/org/matterbridge.nix similarity index 100% rename from hosts/org/matterbridge.nix rename to machines/org/matterbridge.nix diff --git a/hosts/org/nginx.nix b/machines/org/nginx.nix similarity index 100% rename from hosts/org/nginx.nix rename to machines/org/nginx.nix diff --git a/hosts/org/orga/authens.nix b/machines/org/orga/authens.nix similarity index 100% rename from hosts/org/orga/authens.nix rename to machines/org/orga/authens.nix diff --git a/hosts/org/orga/default.nix b/machines/org/orga/default.nix similarity index 100% rename from hosts/org/orga/default.nix rename to machines/org/orga/default.nix diff --git a/hosts/org/orga/mkAssets.nix b/machines/org/orga/mkAssets.nix similarity index 89% rename from hosts/org/orga/mkAssets.nix rename to machines/org/orga/mkAssets.nix index 61e744a..3c3b85c 100644 --- a/hosts/org/orga/mkAssets.nix +++ b/machines/org/orga/mkAssets.nix @@ -9,7 +9,7 @@ let isHasAttr = s: lib.isAttrs v && lib.hasAttr s v; in if builtins.isString v then v - else if builtins.isList v && lib.any lib.strings.isCoercibleToString v then (lib.concatMapStringsSep "," toString v) + else if builtins.isList v && lib.any lib.strings.isConvertibleWithToString v then (lib.concatMapStringsSep "," toString v) else if builtins.isInt v then toString v else if builtins.isBool v then toString (if v then 1 else 0) else if isHasAttr "_file" then "$(cat ${v._file} | xargs)" diff --git a/hosts/org/orga/module.nix b/machines/org/orga/module.nix similarity index 100% rename from hosts/org/orga/module.nix rename to machines/org/orga/module.nix diff --git a/hosts/org/orga/python-cas.nix b/machines/org/orga/python-cas.nix similarity index 100% rename from hosts/org/orga/python-cas.nix rename to machines/org/orga/python-cas.nix diff --git a/hosts/org/orga/python.nix b/machines/org/orga/python.nix similarity index 100% rename from hosts/org/orga/python.nix rename to machines/org/orga/python.nix diff --git a/hosts/org/orga/shell.nix b/machines/org/orga/shell.nix similarity index 100% rename from hosts/org/orga/shell.nix rename to machines/org/orga/shell.nix diff --git a/hosts/org/orga/static-assets.nix b/machines/org/orga/static-assets.nix similarity index 100% rename from hosts/org/orga/static-assets.nix rename to machines/org/orga/static-assets.nix diff --git a/machines/org/programs.nix b/machines/org/programs.nix new file mode 100644 index 0000000..ef64971 --- /dev/null +++ b/machines/org/programs.nix @@ -0,0 +1,5 @@ +{ pkgs, ... }: { + environment.systemPackages = [ + pkgs.vim + ]; +} diff --git a/secrets/default.nix b/machines/org/secrets/default.nix similarity index 73% rename from secrets/default.nix rename to machines/org/secrets/default.nix index 5fac86f..777ea59 100644 --- a/secrets/default.nix +++ b/machines/org/secrets/default.nix @@ -1,9 +1,5 @@ { ... }: { imports = [ ]; - age.secrets."wikiOpenID" = { - file = ./wiki-openID.age; - owner = "dokuwiki"; - }; age.secrets."django" = { file = ./django.age; owner = "django-hackens_orga"; diff --git a/secrets/django.age b/machines/org/secrets/django.age similarity index 100% rename from secrets/django.age rename to machines/org/secrets/django.age diff --git a/secrets/matterbridge-env.age b/machines/org/secrets/matterbridge-env.age similarity index 100% rename from secrets/matterbridge-env.age rename to machines/org/secrets/matterbridge-env.age diff --git a/secrets/secrets.nix b/machines/org/secrets/secrets.nix similarity index 75% rename from secrets/secrets.nix rename to machines/org/secrets/secrets.nix index 51a3c91..9ef07a7 100644 --- a/secrets/secrets.nix +++ b/machines/org/secrets/secrets.nix @@ -5,9 +5,6 @@ let (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); in { - "wiki-openid.age".publicKeys = (readpubkeys "sinavir") - ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito") - ++ (readpubkeys "gdd") ++ (readpubkeys "backslash"); "matterbridge-env.age".publicKeys = (readpubkeys "sinavir") ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito") ++ (readpubkeys "gdd") ++ (readpubkeys "backslash"); diff --git a/machines/org/static-sites.nix b/machines/org/static-sites.nix new file mode 100644 index 0000000..561731f --- /dev/null +++ b/machines/org/static-sites.nix @@ -0,0 +1,62 @@ +{ pkgs, lib, ... }: +let + sites = [ + "/NdS" + "/2048" + "/prez" + "/known" + "/pub" + ]; +in +{ + + services.nginx.enable = true; + services.nginx.virtualHosts = { + "new.hackens.org" = { + forceSSL = true; + enableACME = true; + locations = lib.genAttrs sites (name: { + root = "/var/www"; + extraConfig = "autoindex on;"; + }); + }; + # Legacy redirections + #"known.hackens.org" = { + # forceSSL = true; + # enableACME = true; + # extraConfig = '' + # return 301 $scheme://hackens.org/known$request_uri; + # ''; + #}; + #"nds.hackens.org" = { + # forceSSL = true; + # enableACME = true; + # extraConfig = '' + # return 301 $scheme://hackens.org/known$request_uri; + # ''; + #}; + #"prez.hackens.org" = { + # forceSSL = true; + # enableACME = true; + # extraConfig = '' + # return 301 $scheme://hackens.org/prez$request_uri; + # ''; + #}; + #"pub.hackens.org" = { + # forceSSL = true; + # enableACME = true; + # extraConfig = '' + # return 301 $scheme://hackens.org/pub$request_uri; + # ''; + #}; + #"2048.hackens.org" = { + # forceSSL = true; + # enableACME = true; + # extraConfig = '' + # return 301 $scheme://hackens.org/2048$request_uri; + # ''; + #}; + + }; + networking.firewall.allowedTCPPorts = [ 80 443 ]; +} diff --git a/hosts/org/webpass.nix b/machines/org/webpass.nix similarity index 100% rename from hosts/org/webpass.nix rename to machines/org/webpass.nix diff --git a/machines/router/configuration.nix b/machines/router/configuration.nix new file mode 100644 index 0000000..22b339e --- /dev/null +++ b/machines/router/configuration.nix @@ -0,0 +1,203 @@ +# This is an example configuration for a "typical" small office/home +# router and wifi access point. + +# You need to copy it to another filename and change the configuration +# wherever the text "EDIT" appears - please consult the tutorial +# documentation for details. + +{ config, pkgs, lib, ... } : +let + inherit (pkgs.liminix.services) bundle oneshot longrun; + inherit (pkgs) serviceFns; + # EDIT: you can pick your preferred RFC1918 address space + # for NATted connections, if you don't like this one. + ipv4LocalNet = "10.8.0"; + svc = config.system.service; + +in rec { + boot = { + tftp = { + freeSpaceBytes = 3 * 1024 * 1024; + serverip = "10.0.0.1"; + ipaddr = "10.0.0.8"; + }; + }; + + imports = [ + ../modules/bridge + ../modules/dhcp6c + ../modules/dnsmasq + ../modules/firewall + ../modules/hostapd + ../modules/network + ../modules/ntp + ../modules/ppp + ../modules/ssh + ../modules/standard.nix + ../modules/vlan + ../modules/wlan.nix + ]; + rootfsType = "ubifs"; + hostname = "LeJeu"; # EDIT + + services.hostap = svc.hostapd.build { + interface = config.hardware.networkInterfaces.wlan; + # EDIT: you will want to change the obvious things + # here to values of your choice + params = { + ssid = "LeJeu"; + channel = "1"; + country_code = "FR"; + wpa_passphrase = "not a real wifi password"; + + hw_mode="g"; + ieee80211n = 1; + auth_algs = 1; # 1=wpa2, 2=wep, 3=both + wpa = 2; # 1=wpa, 2=wpa2, 3=both + wpa_key_mgmt = "WPA-PSK"; + wpa_pairwise = "TKIP CCMP"; # auth for wpa (may not need this?) + rsn_pairwise = "CCMP"; # auth for wpa2 + wmm_enabled = 1; + }; + }; + + services.int = svc.network.address.build { + interface = svc.bridge.primary.build { ifname = "int"; }; + family = "inet"; address = "${ipv4LocalNet}.1"; prefixLength = 16; + }; + + services.bridge = svc.bridge.members.build { + primary = services.int; + members = with config.hardware.networkInterfaces; + [ wlan lan ]; + }; + + services.ntp = svc.ntp.build { + pools = { "pool.ntp.org" = ["iburst"]; }; + makestep = { threshold = 1.0; limit = 3; }; + }; + + services.sshd = svc.ssh.build { }; + + users.root = { + # EDIT: choose a root password and then use + # "mkpasswd -m sha512crypt" to determine the hash. + # It should start wirh $6$. + passwd = "$6$6HG7WALLQQY1LQDE$428cnouMJ7wVmyK9.dF1uWs7t0z9ztgp3MHvN5bbeo0M4Kqg/u2ThjoSHIjCEJQlnVpDOaEKcOjXAlIClHWN21"; + openssh.authorizedKeys.keys = [ + # EDIT: you can add your ssh pubkey here + # "ssh-rsa AAAAB3NzaC1....H6hKd user@example.com"; + ]; + }; + + services.dns = + let interface = services.int; + in svc.dnsmasq.build { + resolvconf = services.resolvconf; + inherit interface; + ranges = [ + "${ipv4LocalNet}.10,${ipv4LocalNet}.249" + # EDIT: ... maybe. In this example we use "ra-stateless", + # meaning dnsmasq sends router advertisements with the O and A + # bits set, and provides a stateless DHCP service. The client + # will use a SLAAC address, and use DHCP for other + # configuration information. + # If you didn't understand the preceding sentence then + # the default is _probably_ fine, but if you need + # a DHCP-only IPv6 network or some other different + # configuration, this is the place to change it. + "::,constructor:$(output ${interface} ifname),ra-stateless" + ]; + # EDIT: choose a domain name for the DNS names issued for your + # DHCP-issued hosts + domain = "lan.example.com"; + }; + + services.wan = svc.pppoe.build { + interface = config.hardware.networkInterfaces.wan; + ppp-options = [ + "debug" "+ipv6" "noauth" + # EDIT: change the strings "chap-username" + # and "chap-secret" to match the username/password + # provided by your ISP for PPP logins + "name" "chap-username" + "password" "chap-secret" + ]; + }; + + services.resolvconf = oneshot rec { + dependencies = [ services.wan ]; + name = "resolvconf"; + up = '' + . ${serviceFns} + ( in_outputs ${name} + echo "nameserver $(output ${services.wan} ns1)" > resolv.conf + echo "nameserver $(output ${services.wan} ns2)" >> resolv.conf + chmod 0444 resolv.conf + ) + ''; + }; + + filesystem = + let inherit (pkgs.pseudofile) dir symlink; + in dir { + etc = dir { + "resolv.conf" = symlink "${services.resolvconf}/.outputs/resolv.conf"; + }; + }; + + services.defaultroute4 = svc.network.route.build { + via = "$(output ${services.wan} address)"; + target = "default"; + dependencies = [ services.wan ]; + }; + + services.defaultroute6 = svc.network.route.build { + via = "$(output ${services.wan} ipv6-peer-address)"; + target = "default"; + interface = services.wan; + }; + + services.firewall = svc.firewall.build { + ruleset = import ./demo-firewall.nix; + }; + + services.packet_forwarding = svc.network.forward.build { }; + + # We expect the ISP uses DHCP6 to issue IPv6 addresses. There is a + # service to request address information in the form of a DHCP + # lease, and two dependent services that listen for updates to the + # DHCP address information and update the addresses of the WAN and + # LAN interfaces respectively. + + services.dhcp6c = + let client = svc.dhcp6c.client.build { + interface = services.wan; + }; + in bundle { + name = "dhcp6c"; + contents = [ + (svc.dhcp6c.prefix.build { + # if your ISP provides you a real IPv6 prefix for your local + # network (usually a /64 or /48 or something in between the + # two), this service subscribes to that "prefix delegation" + # information, and uses it to assign an address to the LAN + # device. dnsmasq will notice this address and use it to + # form the addresses it hands out to devices on the lan + inherit client; + interface = services.int; + }) + (svc.dhcp6c.address.build { + # if your ISP provides you a regular global IPv6 address, + # this service subscribes to that information and assigns + # the address to the WAN device. + inherit client; + interface = services.wan; + }) + ]; + }; + + defaultProfile.packages = with pkgs; [ + min-collect-garbage + ]; +} diff --git a/machines/router/default.nix b/machines/router/default.nix new file mode 100644 index 0000000..61273b9 --- /dev/null +++ b/machines/router/default.nix @@ -0,0 +1,5 @@ +{ liminix ? (import ./npins).liminix +, nixpkgs ? (import ./npins).nixpkgs +, liminix-config ? ./configuration.nix +}: +import liminix { inherit nixpkgs liminix-config; device = import (liminix + "/devices/belkin-rt3200"); } diff --git a/machines/router/npins/default.nix b/machines/router/npins/default.nix new file mode 100644 index 0000000..4a7c372 --- /dev/null +++ b/machines/router/npins/default.nix @@ -0,0 +1,47 @@ +# Generated by npins. Do not modify; will be overwritten regularly +let + data = builtins.fromJSON (builtins.readFile ./sources.json); + version = data.version; + + mkSource = spec: + assert spec ? type; let + path = + if spec.type == "Git" then mkGitSource spec + else if spec.type == "GitRelease" then mkGitSource spec + else if spec.type == "PyPi" then mkPyPiSource spec + else if spec.type == "Channel" then mkChannelSource spec + else builtins.throw "Unknown source type ${spec.type}"; + in + spec // { outPath = path; }; + + mkGitSource = { repository, revision, url ? null, hash, ... }: + assert repository ? type; + # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository + # In the latter case, there we will always be an url to the tarball + if url != null then + (builtins.fetchTarball { + inherit url; + sha256 = hash; # FIXME: check nix version & use SRI hashes + }) + else assert repository.type == "Git"; builtins.fetchGit { + url = repository.url; + rev = revision; + # hash = hash; + }; + + mkPyPiSource = { url, hash, ... }: + builtins.fetchurl { + inherit url; + sha256 = hash; + }; + + mkChannelSource = { url, hash, ... }: + builtins.fetchTarball { + inherit url; + sha256 = hash; + }; +in +if version == 3 then + builtins.mapAttrs (_: mkSource) data.pins +else + throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`" diff --git a/machines/router/npins/sources.json b/machines/router/npins/sources.json new file mode 100644 index 0000000..8bb04b1 --- /dev/null +++ b/machines/router/npins/sources.json @@ -0,0 +1,22 @@ +{ + "pins": { + "liminix": { + "type": "Git", + "repository": { + "type": "Git", + "url": "https://gti.telent.net/dan/liminix" + }, + "branch": "main", + "revision": "98d333692645263b5866bed254681b59dc39d196", + "url": null, + "hash": "186nx05vssly3pcdpkmrwfzhxc2dfsfvvqfgxg2gnqscj2m11ldf" + }, + "nixpkgs": { + "type": "Channel", + "name": "nixpkgs-unstable", + "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.05pre555839.0c6d8c783336/nixexprs.tar.xz", + "hash": "04dykgz00bfnbxlaw00x2s5jzzh0jjqpgkb1z0ibkd1qkfq0cfcr" + } + }, + "version": 3 +} \ No newline at end of file diff --git a/meta.nix b/meta.nix new file mode 100644 index 0000000..328d860 --- /dev/null +++ b/meta.nix @@ -0,0 +1,27 @@ +let + sources = import ./npins; + + agenix = sources.agenix + "/modules/age.nix"; + + metadata = { + nodes = { + milieu = { + deployment = { + targetHost = null; #"milieu.cave.hackens.org"; + # targetPort = 4243; + allowLocalDeployment = true; + }; + imports = [agenix]; + }; + org = { + deployment = { + targetHost = "localhost"; # todo make something with ens firewall + targetPort = 2222; + }; + imports = [agenix]; + }; + + }; + }; +in + metadata diff --git a/npins/default.nix b/npins/default.nix new file mode 100644 index 0000000..e5e274a --- /dev/null +++ b/npins/default.nix @@ -0,0 +1,67 @@ +# Generated by npins. Do not modify; will be overwritten regularly +let + data = builtins.fromJSON (builtins.readFile ./sources.json); + version = data.version; + + mkSource = spec: + assert spec ? type; let + path = + if spec.type == "Git" + then mkGitSource spec + else if spec.type == "GitRelease" + then mkGitSource spec + else if spec.type == "PyPi" + then mkPyPiSource spec + else if spec.type == "Channel" + then mkChannelSource spec + else builtins.throw "Unknown source type ${spec.type}"; + in + spec // {outPath = path;}; + + mkGitSource = { + repository, + revision, + url ? null, + hash, + ... + }: + assert repository ? type; + # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository + # In the latter case, there we will always be an url to the tarball + if url != null + then + (builtins.fetchTarball { + inherit url; + sha256 = hash; # FIXME: check nix version & use SRI hashes + }) + else + assert repository.type == "Git"; + builtins.fetchGit { + url = repository.url; + rev = revision; + # hash = hash; + }; + + mkPyPiSource = { + url, + hash, + ... + }: + builtins.fetchurl { + inherit url; + sha256 = hash; + }; + + mkChannelSource = { + url, + hash, + ... + }: + builtins.fetchTarball { + inherit url; + sha256 = hash; + }; +in + if version == 3 + then builtins.mapAttrs (_: mkSource) data.pins + else throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`" diff --git a/npins/sources.json b/npins/sources.json new file mode 100644 index 0000000..b9f932d --- /dev/null +++ b/npins/sources.json @@ -0,0 +1,55 @@ +{ + "pins": { + "agenix": { + "type": "Git", + "repository": { + "type": "GitHub", + "owner": "ryantm", + "repo": "agenix" + }, + "branch": "main", + "revision": "13ac9ac6d68b9a0896e3d43a082947233189e247", + "url": "https://github.com/ryantm/agenix/archive/13ac9ac6d68b9a0896e3d43a082947233189e247.tar.gz", + "hash": "196k2gchfy4y0258j6n15zd96harinzx91yqcmfrv1dvgwk9x94c" + }, + "disko": { + "type": "Git", + "repository": { + "type": "GitHub", + "owner": "nix-community", + "repo": "disko" + }, + "branch": "master", + "revision": "e74526b33421a52ce06b2ccadbe670d25012eb01", + "url": "https://github.com/nix-community/disko/archive/e74526b33421a52ce06b2ccadbe670d25012eb01.tar.gz", + "hash": "1rqyig16g7g96hw5bk7vs92y8gpfj03pivfl4aplh1j51j2i8ysr" + }, + "dns.nix": { + "type": "GitRelease", + "repository": { + "type": "GitHub", + "owner": "kirelagin", + "repo": "dns.nix" + }, + "pre_releases": false, + "version_upper_bound": null, + "version": "v1.1.2", + "revision": "c7b9645da9c0ddce4f9de4ef27ec01bb8108039a", + "url": "https://api.github.com/repos/kirelagin/dns.nix/tarball/v1.1.2", + "hash": "1b95dh15zl0qaf9fvvvvqlambm3plndpy24wwlib0sy4d0zq6y0h" + }, + "nixos-unstable": { + "type": "Git", + "repository": { + "type": "GitHub", + "owner": "NixOS", + "repo": "nixpkgs" + }, + "branch": "nixos-unstable", + "revision": "a9bf124c46ef298113270b1f84a164865987a91c", + "url": "https://github.com/NixOS/nixpkgs/archive/a9bf124c46ef298113270b1f84a164865987a91c.tar.gz", + "hash": "0wdjv548d84s74wrncqqj5pdzfq7nj8xn97l0v7r82jl6124jil2" + } + }, + "version": 3 +} \ No newline at end of file diff --git a/pkgs/overlays.nix b/pkgs/overlays.nix new file mode 100644 index 0000000..fe51488 --- /dev/null +++ b/pkgs/overlays.nix @@ -0,0 +1 @@ +[] diff --git a/profiles/shared-hackens/result b/profiles/shared-hackens/result deleted file mode 120000 index 41ec79d..0000000 --- a/profiles/shared-hackens/result +++ /dev/null @@ -1 +0,0 @@ -/nix/store/q3gp3rnx0y5pxdq7jlhj1x3bqrisv7pp-nixos-system-hackens-milieu-23.05pre442253.befc83905c9 \ No newline at end of file diff --git a/secrets/wiki-openID.age b/secrets/wiki-openID.age deleted file mode 100644 index fdeec16..0000000 --- a/secrets/wiki-openID.age +++ /dev/null @@ -1,31 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 JGx7Ng krR1IYLPMfF9fR7P6ECgMy2vec2lHss0XcHuHWcZCBo -MDFLnB7DgNdlJjOxhu0Qreb17ejcZIBMnXGs0BLUN+E --> ssh-ed25519 IWJ9yA shKTCkZmyjLLIFY+ZetDqJJgx51cVHk/ZsKD/cdJ+i0 -xSblu5POmIUKVe4l+KqpGqGkk+UowRhitUdvE9BLUfM --> ssh-ed25519 7hZk0g 8WtQ/vt6MH0pIN5G1GB3RoS1fNFgFQIepR1HqyP8vWI -oSYU/uRA4lopWC8TCwWYZAGncoPOx8/sIMFt0QErDlg --> ssh-rsa krWCLQ -KkRdhsQ//wkDw4mX3RqGLSbR8hX3ehr+ZDkwDbCh9gwl17p2hGOFzwhvA8UxQJnK -O1z7Lu+hA3dvIhNlyimHp8Qt/AkoZAPnR+lf08Q4BajCqy2Z6HBjKJ6qi7c+9t2F -xy5YrBrTzpRKbmf7Fz+tm1hg392bLHhv3N+PfTSszjBs8XdUF8nWQNsdETBhZOzz -ilwDzRDFWfPuFYhjs7cAiXE+qDGgzleX0Yx+OgwBoBPB93JbmuRIPQZIJL9WQZdN -WTS5T5NJ/trZuRAx/Gx+O854G4miLE1M76E/hQ5bZuQN3EvY4Me8j9jzFlwPp3wA -M2oxFsJRvSkOmFl1WIWM0Q --> ssh-ed25519 nyw/0Q KinHAGi4K6Gls1otwc9WE+jhzujZ4EETm2Br3myWh1o -m1gVTxjs+WJeKc6NvBlqWfGmg3ZwxVO6aHqM14QFRaI --> ssh-ed25519 85WiGg P9BBlxJxxLwijrvo/XzfKh2GnkJUvjCLBhkrR27v0SQ -8o3HgtiY8DLYgrau2mfmA4QzvoFThCHqDF/7QCNew7A --> ssh-ed25519 cvTB5g HzkPfCXwsikbISCh7zZgtOaI03G2ErTWIXRk9TfSqm4 -Wqh9WYB4D2hDAe3nWxz19nZDgGMJYFvtHxrYQnuiHC4 --> ssh-ed25519 Wu8JLQ 2x1ikJnqyIkQmOwK1vP4S7n/xZZCdN7czBY1o/L8ZzY -Poj21vxJ9sUsoikfepaxbktWWIdjh24zzDRzW4Efb8c --> ssh-ed25519 EIt1vA XxwV8nTlhx7Iy77xCnTrcCEevyKnDGFHGi9JvLb4a0s -y9M2VFvUGT0GOydGDbyqpuOuIRyKXPGl1Z35nBI3i68 --> ssh-ed25519 X51wxg C6GJqoVqTLpR5L0v1c5umu0gwUEWXOEAJC9kKWV2NEs -IogBAsuZG9z8TmX0rVav14ek1qhoq38DWullPSufnWQ --> l@z=5S-grease (,5a5 T tV@xrY %e_ig -mIzNLkFaEozopcLCOyQacaU ---- 2krWnD1hHZOvN/0zuuIIcFjh2udviLZns/nTsVSPLmc -~=>YYWwpEz);d1M'=&!J$ -n_l"ډ \ No newline at end of file diff --git a/setup-link-from-hostname b/setup-link-from-hostname deleted file mode 100755 index d3c2794..0000000 --- a/setup-link-from-hostname +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/env bash -echo "Setting up $(hostname)" - -HOST_FOLDER=hosts -HOSTNAME=$(hostname) -CONFIG=$HOST_FOLDER/$HOSTNAME/configuration.nix - -if [[ -n $(cmp --silent configuration.nix "$CONFIG" || echo "different") ]] -then - ln -s "$CONFIG" configuration.nix -fi diff --git a/shared/dokuwiki.nix b/shared/dokuwiki.nix deleted file mode 100644 index c999fce..0000000 --- a/shared/dokuwiki.nix +++ /dev/null @@ -1,94 +0,0 @@ -{ lib -, stdenv -, fetchFromGitHub -, writeText -, nixosTests -, dokuwiki -}: - -stdenv.mkDerivation rec { - pname = "dokuwiki"; - version = "2022-07-31a"; - - src = fetchFromGitHub { - owner = "splitbrain"; - repo = pname; - rev = "release_stable_${version}"; - sha256 = "sha256-gtWEtc3kbMokKycTx71XXblkDF39i926uN2kU3oOeVw="; - }; - - preload = writeText "preload.php" '' - array( - 'default' => getenv('DOKUWIKI_ACL_AUTH_CONFIG'), - ), - 'plainauth.users' => array( - 'default' => getenv('DOKUWIKI_USERS_AUTH_CONFIG'), - 'protected' => "" // not used by default - ), - ); - ''; - - phpLocalConfig = writeText "local.php" '' - - ''; - - phpPluginsLocalConfig = writeText "plugins.local.php" '' - - ''; - - installPhase = '' - runHook preInstall - - mkdir -p $out/share/dokuwiki - cp -r * $out/share/dokuwiki - cp ${preload} $out/share/dokuwiki/inc/preload.php - cp ${phpLocalConfig} $out/share/dokuwiki/conf/local.php - cp ${phpPluginsLocalConfig} $out/share/dokuwiki/conf/plugins.local.php - - runHook postInstall - ''; - - passthru = { - combine = - { basePackage ? dokuwiki - , plugins ? [ ] - , templates ? [ ] - , localConfig ? null - , pluginsConfig ? null - , aclConfig ? null - , pname ? (p: "${p.pname}-combined") - }: - let - isNotEmpty = x: lib.optionalString (! builtins.elem x [ null "" ]); - in - basePackage.overrideAttrs (prev: { - pname = if builtins.isFunction pname then pname prev else pname; - - postInstall = prev.postInstall or "" + '' - ${lib.concatMapStringsSep "\n" (tpl: "cp -r ${toString tpl} $out/share/dokuwiki/lib/tpl/${tpl.name}") templates} - ${lib.concatMapStringsSep "\n" (plugin: "cp -r ${toString plugin} $out/share/dokuwiki/lib/plugins/${plugin.name}") plugins} - ${isNotEmpty localConfig "ln -sf ${localConfig} $out/share/dokuwiki/conf/local.php" } - ${isNotEmpty pluginsConfig "ln -sf ${pluginsConfig} $out/share/dokuwiki/conf/plugins.local.php" } - ${isNotEmpty aclConfig "ln -sf ${aclConfig} $out/share/dokuwiki/acl.auth.php" } - ''; - }); - tests = { - inherit (nixosTests) dokuwiki; - }; - }; - - meta = with lib; { - description = "Simple to use and highly versatile Open Source wiki software that doesn't require a database"; - license = licenses.gpl2; - homepage = "https://www.dokuwiki.org"; - platforms = platforms.all; - maintainers = with maintainers; [ _1000101 ]; - }; -} diff --git a/shared/dokuwiki_module.nix b/shared/dokuwiki_module.nix deleted file mode 100644 index f1f6548..0000000 --- a/shared/dokuwiki_module.nix +++ /dev/null @@ -1,613 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.dokuwiki; - eachSite = cfg.sites; - user = "dokuwiki"; - webserver = config.services.${cfg.webserver}; - - mkPhpIni = generators.toKeyValue { - mkKeyValue = generators.mkKeyValueDefault { } " = "; - }; - mkPhpPackage = cfg: cfg.phpPackage.buildEnv { - extraConfig = mkPhpIni cfg.phpOptions; - }; - - dokuwikiAclAuthConfig = hostName: cfg: - let - inherit (cfg) acl; - acl_gen = concatMapStringsSep "\n" (l: "${l.page} \t ${l.actor} \t ${toString l.level}"); - in - pkgs.writeText "acl.auth-${hostName}.php" '' - # acl.auth.php - # - # - # Access Control Lists - # - ${if isString acl then acl else acl_gen acl} - ''; - - mergeConfig = cfg: { - useacl = false; # Dokuwiki default - savedir = cfg.stateDir; - } // cfg.settings; - - writePhpFile = name: text: pkgs.writeTextFile { - inherit name; - text = " for explanation - ''; - example = "read"; - }; - - }; - }; - - siteOpts = { config, lib, name, ... }: - { - imports = [ - # NOTE: These will sadly not print the absolute argument path but only the name. Related to #96006 - (mkRenamedOptionModule [ "aclUse" ] [ "settings" "useacl" ]) - (mkRenamedOptionModule [ "superUser" ] [ "settings" "superuser" ]) - (mkRenamedOptionModule [ "disableActions" ] [ "settings" "disableactions" ]) - ({ config, options, name, ... }: { - config.warnings = - (optional (isString config.pluginsConfig) '' - Passing plain strings to services.dokuwiki.sites.${name}.pluginsConfig has been deprecated and will not be continue to be supported in the future. - Please pass structured settings instead. - '') - ++ (optional (isString config.acl) '' - Passing a plain string to services.dokuwiki.sites.${name}.acl has been deprecated and will not continue to be supported in the future. - Please pass structured settings instead. - '') - ++ (optional (config.extraConfig != null) '' - services.dokuwiki.sites.${name}.extraConfig is deprecated and will be removed in the future. - Please pass structured settings to services.dokuwiki.sites.${name}.settings instead. - '') - ; - }) - ]; - - options = { - enable = mkEnableOption (lib.mdDoc "DokuWiki web application."); - - package = mkOption { - type = types.package; - default = pkgs.dokuwiki; - defaultText = literalExpression "pkgs.dokuwiki"; - description = lib.mdDoc "Which DokuWiki package to use."; - }; - - stateDir = mkOption { - type = types.path; - default = "/var/lib/dokuwiki/${name}/data"; - description = lib.mdDoc "Location of the DokuWiki state directory."; - }; - - acl = mkOption { - type = with types; nullOr (oneOf [ lines (listOf (submodule aclOpts)) ]); - default = null; - example = literalExpression '' - [ - { - page = "start"; - actor = "@external"; - level = "read"; - } - { - page = "*"; - actor = "@users"; - level = "upload"; - } - ] - ''; - description = lib.mdDoc '' - Access Control Lists: see - Mutually exclusive with services.dokuwiki.aclFile - Set this to a value other than null to take precedence over aclFile option. - - Warning: Consider using aclFile instead if you do not - want to store the ACL in the world-readable Nix store. - ''; - }; - - aclFile = mkOption { - type = with types; nullOr str; - default = if (config.mergedConfig.useacl && config.acl == null) then "/var/lib/dokuwiki/${name}/acl.auth.php" else null; - description = lib.mdDoc '' - Location of the dokuwiki acl rules. Mutually exclusive with services.dokuwiki.acl - Mutually exclusive with services.dokuwiki.acl which is preferred. - Consult documentation for further instructions. - Example: - ''; - example = "/var/lib/dokuwiki/${name}/acl.auth.php"; - }; - - pluginsConfig = mkOption { - type = with types; oneOf [ lines (attrsOf bool) ]; - default = { - authad = false; - authldap = false; - authmysql = false; - authpgsql = false; - }; - description = lib.mdDoc '' - List of the dokuwiki (un)loaded plugins. - ''; - }; - - usersFile = mkOption { - type = with types; nullOr str; - default = if config.mergedConfig.useacl then "/var/lib/dokuwiki/${name}/users.auth.php" else null; - description = lib.mdDoc '' - Location of the dokuwiki users file. List of users. Format: - - login:passwordhash:Real Name:email:groups,comma,separated - - Create passwordHash easily by using: - - mkpasswd -5 password `pwgen 8 1` - - Example: - ''; - example = "/var/lib/dokuwiki/${name}/users.auth.php"; - }; - - plugins = mkOption { - type = types.listOf types.path; - default = [ ]; - description = lib.mdDoc '' - List of path(s) to respective plugin(s) which are copied from the 'plugin' directory. - - ::: {.note} - These plugins need to be packaged before use, see example. - ::: - ''; - example = literalExpression '' - let - plugin-icalevents = pkgs.stdenv.mkDerivation rec { - name = "icalevents"; - version = "2017-06-16"; - src = pkgs.fetchzip { - stripRoot = false; - url = "https://github.com/real-or-random/dokuwiki-plugin-icalevents/releases/download/''${version}/dokuwiki-plugin-icalevents-''${version}.zip"; - hash = "sha256-IPs4+qgEfe8AAWevbcCM9PnyI0uoyamtWeg4rEb+9Wc="; - }; - installPhase = "mkdir -p $out; cp -R * $out/"; - }; - # And then pass this theme to the plugin list like this: - in [ plugin-icalevents ] - ''; - }; - - templates = mkOption { - type = types.listOf types.path; - default = [ ]; - description = lib.mdDoc '' - List of path(s) to respective template(s) which are copied from the 'tpl' directory. - - ::: {.note} - These templates need to be packaged before use, see example. - ::: - ''; - example = literalExpression '' - let - template-bootstrap3 = pkgs.stdenv.mkDerivation rec { - name = "bootstrap3"; - version = "2022-07-27"; - src = pkgs.fetchFromGitHub { - owner = "giterlizzi"; - repo = "dokuwiki-template-bootstrap3"; - rev = "v''${version}"; - hash = "sha256-B3Yd4lxdwqfCnfmZdp+i/Mzwn/aEuZ0ovagDxuR6lxo="; - }; - installPhase = "mkdir -p $out; cp -R * $out/"; - }; - # And then pass this theme to the template list like this: - in [ template-bootstrap3 ] - ''; - }; - - poolConfig = mkOption { - type = with types; attrsOf (oneOf [ str int bool ]); - default = { - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 4; - "pm.max_requests" = 500; - }; - description = lib.mdDoc '' - Options for the DokuWiki PHP pool. See the documentation on `php-fpm.conf` - for details on configuration directives. - ''; - }; - - phpPackage = mkOption { - type = types.package; - relatedPackages = [ "php80" "php81" ]; - default = pkgs.php81; - defaultText = "pkgs.php81"; - description = lib.mdDoc '' - PHP package to use for this dokuwiki site. - ''; - }; - - phpOptions = mkOption { - type = types.attrsOf types.str; - default = { }; - description = lib.mdDoc '' - Options for PHP's php.ini file for this dokuwiki site. - ''; - example = literalExpression '' - { - "opcache.interned_strings_buffer" = "8"; - "opcache.max_accelerated_files" = "10000"; - "opcache.memory_consumption" = "128"; - "opcache.revalidate_freq" = "15"; - "opcache.fast_shutdown" = "1"; - } - ''; - }; - - settings = mkOption { - type = types.attrsOf types.anything; - default = { - useacl = true; - superuser = "admin"; - }; - description = lib.mdDoc '' - Structural DokuWiki configuration. - Refer to - for details and supported values. - Settings can either be directly set from nix, - loaded from a file using `._file` or obtained from any - PHP function calls using `._raw`. - ''; - example = literalExpression '' - { - title = "My Wiki"; - userewrite = 1; - disableactions = [ "register" ]; # Will be concatenated with commas - plugin.smtp = { - smtp_pass._file = "/var/run/secrets/dokuwiki/smtp_pass"; - smtp_user._raw = "getenv('DOKUWIKI_SMTP_USER')"; - }; - } - ''; - }; - - mergedConfig = mkOption { - readOnly = true; - default = mergeConfig config; - defaultText = literalExpression '' - { - useacl = true; - } - ''; - description = lib.mdDoc '' - Read only representation of the final configuration. - ''; - }; - - extraConfig = mkOption { - # This Option is deprecated and only kept until sometime before 23.05 for compatibility reasons - # FIXME (@e1mo): Actually remember removing this before 23.05. - visible = false; - type = types.nullOr types.lines; - default = null; - example = '' - $conf['title'] = 'My Wiki'; - $conf['userewrite'] = 1; - ''; - description = lib.mdDoc '' - DokuWiki configuration. Refer to - - for details on supported values. - - **Note**: Please pass Structured settings via - `services.dokuwiki.sites.${name}.settings` instead. - ''; - }; - - # Required for the mkRenamedOptionModule - # TODO: Remove me once https://github.com/NixOS/nixpkgs/issues/96006 is fixed - # or the aclUse, ... options are removed. - warnings = mkOption { - type = types.listOf types.unspecified; - default = [ ]; - visible = false; - internal = true; - }; - - }; - }; -in -{ - options = { - services.dokuwiki = { - - sites = mkOption { - type = types.attrsOf (types.submodule siteOpts); - default = { }; - description = lib.mdDoc "Specification of one or more DokuWiki sites to serve"; - }; - - webserver = mkOption { - type = types.enum [ "nginx" "caddy" ]; - default = "nginx"; - description = lib.mdDoc '' - Whether to use nginx or caddy for virtual host management. - - Further nginx configuration can be done by adapting `services.nginx.virtualHosts.`. - See [](#opt-services.nginx.virtualHosts) for further information. - - Further caddy configuration can be done by adapting `services.caddy.virtualHosts.`. - See [](#opt-services.caddy.virtualHosts) for further information. - ''; - }; - - }; - }; - - # implementation - config = mkIf (eachSite != { }) (mkMerge [{ - - warnings = flatten (mapAttrsToList (_: cfg: cfg.warnings) eachSite); - - assertions = flatten (mapAttrsToList - (hostName: cfg: - [{ - assertion = cfg.mergedConfig.useacl -> (cfg.acl != null || cfg.aclFile != null); - message = "Either services.dokuwiki.sites.${hostName}.acl or services.dokuwiki.sites.${hostName}.aclFile is mandatory if settings.useacl is true"; - } - { - assertion = cfg.usersFile != null -> cfg.mergedConfig.useacl != false; - message = "services.dokuwiki.sites.${hostName}.settings.useacl must must be true if usersFile is not null"; - }]) - eachSite); - - services.phpfpm.pools = mapAttrs' - (hostName: cfg: ( - nameValuePair "dokuwiki-${hostName}" { - inherit user; - group = webserver.group; - - phpPackage = mkPhpPackage cfg; - phpEnv = optionalAttrs (cfg.usersFile != null) - { - DOKUWIKI_USERS_AUTH_CONFIG = "${cfg.usersFile}"; - } // optionalAttrs (cfg.mergedConfig.useacl) { - DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig hostName cfg}" else "${toString cfg.aclFile}"; - }; - - settings = { - "listen.owner" = webserver.user; - "listen.group" = webserver.group; - } // cfg.poolConfig; - } - )) - eachSite; - - } - - { - systemd.tmpfiles.rules = flatten (mapAttrsToList - (hostName: cfg: [ - "d ${cfg.stateDir}/attic 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/cache 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/index 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/locks 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/log 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/media 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/media_attic 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/media_meta 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/meta 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/pages 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/tmp 0750 ${user} ${webserver.group} - -" - ] ++ lib.optional (cfg.aclFile != null) "C ${cfg.aclFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/acl.auth.php.dist" - ++ lib.optional (cfg.usersFile != null) "C ${cfg.usersFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/users.auth.php.dist" - ) - eachSite); - - users.users.${user} = { - group = webserver.group; - isSystemUser = true; - }; - } - - (mkIf (cfg.webserver == "nginx") { - services.nginx = { - enable = true; - virtualHosts = mapAttrs - (hostName: cfg: { - serverName = mkDefault hostName; - root = "${pkg hostName cfg}/share/dokuwiki"; - - locations = { - "~ /(conf/|bin/|inc/|install.php)" = { - extraConfig = "deny all;"; - }; - - "~ ^/data/" = { - root = "${cfg.stateDir}"; - extraConfig = "internal;"; - }; - - "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = { - extraConfig = "expires 365d;"; - }; - - "/" = { - priority = 1; - index = "doku.php"; - extraConfig = ''try_files $uri $uri/ @dokuwiki;''; - }; - - "@dokuwiki" = { - extraConfig = '' - # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page - rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; - rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; - rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; - rewrite ^/(.*) /doku.php?id=$1&$args last; - ''; - }; - - "~ \\.php$" = { - extraConfig = '' - try_files $uri $uri/ /doku.php; - include ${config.services.nginx.package}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param REDIRECT_STATUS 200; - fastcgi_pass unix:${config.services.phpfpm.pools."dokuwiki-${hostName}".socket}; - ''; - }; - - }; - }) - eachSite; - }; - }) - - (mkIf (cfg.webserver == "caddy") { - services.caddy = { - enable = true; - virtualHosts = mapAttrs' - (hostName: cfg: ( - nameValuePair "http://${hostName}" { - extraConfig = '' - root * ${pkg hostName cfg}/share/dokuwiki - file_server - - encode zstd gzip - php_fastcgi unix/${config.services.phpfpm.pools."dokuwiki-${hostName}".socket} - - @restrict_files { - path /data/* /conf/* /bin/* /inc/* /vendor/* /install.php - } - - respond @restrict_files 404 - - @allow_media { - path_regexp path ^/_media/(.*)$ - } - rewrite @allow_media /lib/exe/fetch.php?media=/{http.regexp.path.1} - - @allow_detail { - path /_detail* - } - rewrite @allow_detail /lib/exe/detail.php?media={path} - - @allow_export { - path /_export* - path_regexp export /([^/]+)/(.*) - } - rewrite @allow_export /doku.php?do=export_{http.regexp.export.1}&id={http.regexp.export.2} - - try_files {path} {path}/ /doku.php?id={path}&{query} - ''; - } - )) - eachSite; - }; - })]); - - meta.maintainers = with maintainers; [ - _1000101 - onny - dandellion - ]; -}