From 7ab97c16434ec4a0c6fb3535b4c1096bb4874e4d Mon Sep 17 00:00:00 2001 From: hackens server Date: Mon, 25 Apr 2022 01:26:15 +0200 Subject: [PATCH 01/34] =?UTF-8?q?ajouter=20prometheus=20=C3=A0=20configura?= =?UTF-8?q?tion.nix;=20changer=20l'adresse=20d'ecoute?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- hosts/hackens-org/configuration.nix | 1 + hosts/hackens-org/prometheus/default.nix | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/hackens-org/configuration.nix b/hosts/hackens-org/configuration.nix index b5015ae..6add84c 100644 --- a/hosts/hackens-org/configuration.nix +++ b/hosts/hackens-org/configuration.nix @@ -13,6 +13,7 @@ ./wiki.nix ./webpass.nix ./mosquitto.nix + ./prometheus # ./bridge.nix # ./gha.nix # ./sync.nix diff --git a/hosts/hackens-org/prometheus/default.nix b/hosts/hackens-org/prometheus/default.nix index 5039baf..e671df6 100644 --- a/hosts/hackens-org/prometheus/default.nix +++ b/hosts/hackens-org/prometheus/default.nix @@ -1,10 +1,10 @@ { pkgs, lib, config, ... }: { imports = [ ../modules/mqtt2prometheus ]; - networking.firewall.allowedTCPPorts = [ 9090 ]; services = { prometheus = { enable = true; + listenAddress = "127.0.0.1"; scrapeConfigs = [ { job_name = "mqtt_listener"; -- 2.47.0 From a6fc45f8704df2b2660053dc4ab479d5b19d1302 Mon Sep 17 00:00:00 2001 From: sinavir Date: Mon, 25 Apr 2022 10:11:02 +0200 Subject: [PATCH 02/34] kfet2mqtt --- hosts/hackens-org/configuration.nix | 1 + hosts/hackens-org/kfet2mqtt.nix | 25 +++++++++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 hosts/hackens-org/kfet2mqtt.nix diff --git a/hosts/hackens-org/configuration.nix b/hosts/hackens-org/configuration.nix index 6add84c..d7083a6 100644 --- a/hosts/hackens-org/configuration.nix +++ b/hosts/hackens-org/configuration.nix @@ -14,6 +14,7 @@ ./webpass.nix ./mosquitto.nix ./prometheus + ./kfet2mqtt.nix # ./bridge.nix # ./gha.nix # ./sync.nix 
diff --git a/hosts/hackens-org/kfet2mqtt.nix b/hosts/hackens-org/kfet2mqtt.nix new file mode 100644 index 0000000..76262a5 --- /dev/null +++ b/hosts/hackens-org/kfet2mqtt.nix @@ -0,0 +1,25 @@ +{ pkgs, ... }: +let + python = pkgs.python39.withPackages (ps: [ + ps.asyncio-mqtt + ps.websockets + ]); + script = pkgs.fetchgit { + url = "https://git.eleves.ens.fr/hackens/kfet2mqtt.git"; + rev = "30d948dc2f7b4a0b440445ef578b6ed718a53273"; + sha256 = "0d93jc0cwx1a8rhq9m0lwzqp53jsffr9qyswdkwydji14f3kwd4d"; + }; +in +{ + systemd.services."kfet2mqtt" = { + enable = true; + description = "Programme qui indique l'ouverture de la k-fet sur le broker mqtt d'hackENS"; + after = [ "network.target" ]; + serviceConfig = { + ExecStart = "${python}/bin/python ${script}/script.py"; + Restart = "always"; + RestartSec = 10; + }; + wantedBy = [ "mulit-user.target" ]; + }; +} -- 2.47.0 From 353070ef08e201c619e6f12aa80c534ba538903f Mon Sep 17 00:00:00 2001 From: sinavir Date: Tue, 26 Apr 2022 00:55:00 +0200 Subject: [PATCH 03/34] graphana --- hosts/hackens-org/prometheus/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/hackens-org/prometheus/default.nix b/hosts/hackens-org/prometheus/default.nix index e671df6..ecd0a8c 100644 --- a/hosts/hackens-org/prometheus/default.nix +++ b/hosts/hackens-org/prometheus/default.nix @@ -24,5 +24,9 @@ package = pkgs.callPackage (import ./mqtt2prometheus.nix) { }; config = ./config.yaml; }; + grafana = { + enable = true; + }; }; + networking.firewall.allowedTCPPorts = [ 3000 ]; } -- 2.47.0 From e6e80926139d75938c0a9d5f7dfa638342544ad2 Mon Sep 17 00:00:00 2001 From: hackens server Date: Fri, 29 Apr 2022 15:09:13 +0200 Subject: [PATCH 04/34] adduser hbarral --- profiles/core-hackens/personal-users.nix | 5 +++++ profiles/core-hackens/ssh-server.nix | 1 + pubkeys/backslash.keys | 2 ++ 3 files changed, 8 insertions(+) create mode 100644 pubkeys/backslash.keys 
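Review bot: `wantedBy = [ "mulit-user.target" ];` near the end of the new kfet2mqtt.nix misspells the target, so the unit is never pulled in at boot and only runs if someone starts it by hand; it should read `wantedBy = [ "multi-user.target" ];`. The unit also sets no `User` or `DynamicUser`, so the fetched script runs as root even though it only needs outbound network access to the broker; `DynamicUser = true;` inside `serviceConfig` (or a dedicated unprivileged user) is enough, and `Restart = "always"` keeps working under that sandbox. Pinning the script by commit and `sha256` is good; keep updating both together when bumping `rev`.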
diff --git a/profiles/core-hackens/personal-users.nix b/profiles/core-hackens/personal-users.nix index f20e94b..6696eba 100644 --- a/profiles/core-hackens/personal-users.nix +++ b/profiles/core-hackens/personal-users.nix @@ -17,6 +17,11 @@ extraGroups = [ "wheel" ]; openssh.authorizedKeys.keyFiles = [ ../../pubkeys/sinavir.keys ]; }; + hbarral = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keyFiles = [ ../../pubkeys/backslash.keys ]; + }; root.openssh.authorizedKeys.keyFiles = [ ../../pubkeys/beigbeder.keys ]; # Jacques Beigbeder est tjrs root. }; } diff --git a/profiles/core-hackens/ssh-server.nix b/profiles/core-hackens/ssh-server.nix index 6ef5683..9557439 100644 --- a/profiles/core-hackens/ssh-server.nix +++ b/profiles/core-hackens/ssh-server.nix @@ -2,6 +2,7 @@ { # Enable the OpenSSH daemon. services.openssh.enable = true; + services.openssh.passwordAuthentication = false; # Open ports in the firewall. networking.firewall.allowedTCPPorts = [ 22 ]; diff --git a/pubkeys/backslash.keys b/pubkeys/backslash.keys new file mode 100644 index 0000000..d6a64db --- /dev/null +++ b/pubkeys/backslash.keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIm4XAUjTYdipppVlerlO3ng5KijoEQzuVD7cueq48D8 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII30ofjlQllI6SlRAZjhGO1nUYA1ciUr3qyBog+HNqVE -- 2.47.0 From a4a8fed358ea6a0acacb8cc68ee3ab24f450617a Mon Sep 17 00:00:00 2001 From: hackens server Date: Fri, 29 Apr 2022 15:09:56 +0200 Subject: [PATCH 05/34] monitoring de la poubelle --- hosts/hackens-org/prometheus/config.yaml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/hosts/hackens-org/prometheus/config.yaml b/hosts/hackens-org/prometheus/config.yaml index 2914a29..ed84f2d 100644 --- a/hosts/hackens-org/prometheus/config.yaml +++ b/hosts/hackens-org/prometheus/config.yaml 
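Review bot: `services.openssh.passwordAuthentication = false;` in ssh-server.nix only turns off the `password` method; with the usual PAM-backed sshd the `keyboard-interactive` method can still prompt for a password, so this line alone does not make the server key-only. Add `services.openssh.kbdInteractiveAuthentication = false;` next to it (the option was called `challengeResponseAuthentication` on older releases). The identical line added to profiles/shared-hackens/system.nix in patch 12 needs the same companion setting. The new `hbarral` account in personal-users.nix gets `wheel` with key-file login, which matches the existing users in that file.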
@@ -2,7 +2,7 @@ mqtt: # The MQTT broker to connect to server: tcp://new.hackens.org:1883 # The Topic path to subscribe to. Be aware that you have to specify the wildcard, if you want to follow topics for multiple sensors. - topic_path: kfet/open + topic_path: +/+ # The MQTT QoS level qos: 0 metric_per_topic_config: @@ -21,3 +21,11 @@ metrics: help: K-Fêt opening state # The prometheus type for this metric. Valid values are: "gauge" and "counter" type: gauge + # The name of the metric in prometheus + - prom_name: trash_filling + # The name of the metric in a MQTT JSON message + mqtt_name: trash + # The prometheus help text for this metric + help: Hackens trash filling state + # The prometheus type for this metric. Valid values are: "gauge" and "counter" + type: gauge -- 2.47.0 From 3d5b2d9dda35ede4e7fb5694b46e684d17225315 Mon Sep 17 00:00:00 2001 From: sinavir Date: Fri, 29 Apr 2022 15:20:42 +0200 Subject: [PATCH 06/34] =?UTF-8?q?grafana=20accessible=20depuis=20l'ext?= =?UTF-8?q?=C3=A9rieur?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- hosts/hackens-org/configuration.nix | 2 +- hosts/hackens-org/{prometheus => monitoring}/config.yaml | 0 hosts/hackens-org/{prometheus => monitoring}/default.nix | 8 ++++++++ .../{prometheus => monitoring}/mqtt2prometheus.nix | 0 4 files changed, 9 insertions(+), 1 deletion(-) rename hosts/hackens-org/{prometheus => monitoring}/config.yaml (100%) rename hosts/hackens-org/{prometheus => monitoring}/default.nix (75%) rename hosts/hackens-org/{prometheus => monitoring}/mqtt2prometheus.nix (100%) diff --git a/hosts/hackens-org/configuration.nix b/hosts/hackens-org/configuration.nix index d7083a6..a52e139 100644 --- a/hosts/hackens-org/configuration.nix +++ b/hosts/hackens-org/configuration.nix @@ -13,7 +13,7 @@ ./wiki.nix ./webpass.nix ./mosquitto.nix - ./prometheus + ./monitoring ./kfet2mqtt.nix # ./bridge.nix # ./gha.nix 
diff --git a/hosts/hackens-org/prometheus/config.yaml b/hosts/hackens-org/monitoring/config.yaml similarity index 100% rename from hosts/hackens-org/prometheus/config.yaml rename to hosts/hackens-org/monitoring/config.yaml diff --git a/hosts/hackens-org/prometheus/default.nix b/hosts/hackens-org/monitoring/default.nix similarity index 75% rename from hosts/hackens-org/prometheus/default.nix rename to hosts/hackens-org/monitoring/default.nix index ecd0a8c..022c38b 100644 --- a/hosts/hackens-org/prometheus/default.nix +++ b/hosts/hackens-org/monitoring/default.nix @@ -27,6 +27,14 @@ grafana = { enable = true; }; + services.nginx.virtualHosts."monitoring.new.hackens.org" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:3000"; + proxyWebsockets = true; + }; + }; }; networking.firewall.allowedTCPPorts = [ 3000 ]; } diff --git a/hosts/hackens-org/prometheus/mqtt2prometheus.nix b/hosts/hackens-org/monitoring/mqtt2prometheus.nix similarity index 100% rename from hosts/hackens-org/prometheus/mqtt2prometheus.nix rename to hosts/hackens-org/monitoring/mqtt2prometheus.nix -- 2.47.0 From 5d23db8e143214b46758e6ec507b4766bfa8c904 Mon Sep 17 00:00:00 2001 From: hackens server Date: Thu, 5 May 2022 17:31:18 +0200 Subject: [PATCH 07/34] config nginx valide pour grafana --- hosts/hackens-org/monitoring/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/hackens-org/monitoring/default.nix b/hosts/hackens-org/monitoring/default.nix index 022c38b..3046185 100644 --- a/hosts/hackens-org/monitoring/default.nix +++ b/hosts/hackens-org/monitoring/default.nix @@ -27,7 +27,7 @@ grafana = { enable = true; }; - services.nginx.virtualHosts."monitoring.new.hackens.org" = { + nginx.virtualHosts."monitoring.new.hackens.org" = { forceSSL = true; enableACME = true; locations."/" = { -- 2.47.0 From ecfc58fecdba8d7956d059cc7108e0695d1e05c4 Mon Sep 17 00:00:00 2001 
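Review bot: After the TLS vhost is added in monitoring/default.nix, the context line `networking.firewall.allowedTCPPorts = [ 3000 ];` still leaves Grafana's own port open, so whatever `forceSSL` protects stays reachable in plaintext if Grafana is bound to a non-loopback address. If Grafana keeps the module's default loopback bind, the opened port serves nothing; either way the proxy only needs `http://localhost:3000`, so the firewall entry can be removed. Grafana also ships a well-known default admin password unless `services.grafana.security.adminPassword` is overridden; once the UI is public that value should come from a secret rather than the default.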
From: sinavir Date: Thu, 5 May 2022 18:02:42 +0200 Subject: [PATCH 08/34] catlist plugin for dokuwiki --- hosts/hackens-org/wiki.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/hosts/hackens-org/wiki.nix b/hosts/hackens-org/wiki.nix index b792476..9f10bd3 100644 --- a/hosts/hackens-org/wiki.nix +++ b/hosts/hackens-org/wiki.nix @@ -103,6 +103,21 @@ in cp -R * $out/ ''; }) + (pkgs.stdenv.mkDerivation { + name = "catlist"; + # Download the theme from the dokuwiki site + src = pkgs.fetchFromGitHub { + owner = "xif-fr"; + repo = "dokuwiki-plugin-catlist"; + rev = "065f8d2f4817409989b9342b901163452fb9f547"; + sha256 = "1l7bvnqkai8qkqqb67w8yy7fbs30dviqc36pyqggzfjhi558i9ih"; + }; + # Installing simply means copying all files to the output directory + installPhase = '' + mkdir -p $out + cp -R * $out/ + ''; + }) ]; }; # On veut php-xml -- 2.47.0 From 87545d9e8b627812c4599b08b0f664bf22aaa18b Mon Sep 17 00:00:00 2001 From: hackens server Date: Wed, 18 May 2022 21:37:08 +0200 Subject: [PATCH 09/34] kaycloak --- hosts/hackens-org/wiki.nix | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/hosts/hackens-org/wiki.nix b/hosts/hackens-org/wiki.nix index 9f10bd3..71d67b8 100644 --- a/hosts/hackens-org/wiki.nix +++ b/hosts/hackens-org/wiki.nix @@ -37,6 +37,10 @@ in $conf['tpl']['bootstrap3']['showAddNewPage'] = 'logged'; $conf['tpl']['bootstrap3']['fluidContainer'] = 0; $conf['htmlmail'] = 0; // On envoie les mails en plain text + $conf['authtype'] = 'oauth'; + $conf['plugin']['oauthkeycloak']['key'] = 'wiki'; + $conf['plugin']['oauthkeycloak']['secret'] = ''; + $conf['plugin']['oauthkeycloak']['openidurl'] = 'https://auth.rz.ens.wtf/auth/realms/hackENS/.well-known/openid-configuration/'; ''; pluginsConfig = '' @@ -45,6 +49,7 @@ in $plugins['authpgsql'] = 0; $plugins['authpdo'] = 0; $plugins['authldap'] = 0; + $plugins['oauthkeycloak'] = 1; ''; disableActions = "register"; 
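Review bot: The comment `# Download the theme from the dokuwiki site` above `src = pkgs.fetchFromGitHub` in the new catlist derivation was copied from the neighbouring entry and is wrong on both counts: this is a plugin, not a theme, and it is fetched from GitHub pinned by `rev` and `sha256`. Replace it with `# catlist plugin, pinned to a commit and content hash on GitHub`. The two derivations added to the same list in patch 09 (`oauth`, `oauthkeycloak`) carry the same copied comment; those are pinned by tag name rather than commit, which is acceptable only because the `sha256` fixes the content.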
@@ -118,6 +123,36 @@ in cp -R * $out/ ''; }) + (pkgs.stdenv.mkDerivation { + name = "oauth"; + # Download the theme from the dokuwiki site + src = pkgs.fetchFromGitHub { + owner = "cosmocode"; + repo = "dokuwiki-plugin-oauth"; + rev = "2022-01-13"; + sha256 = "ruaw8MqSMgopULD7vxed44nbowjVc1e4H0Q7JEL9pD0="; + }; + # Installing simply means copying all files to the output directory + installPhase = '' + mkdir -p $out + cp -R * $out/ + ''; + }) + (pkgs.stdenv.mkDerivation { + name = "oauthkeycloak"; + # Download the theme from the dokuwiki site + src = pkgs.fetchFromGitHub { + owner = "YoitoFes"; + repo = "dokuwiki-plugin-oauthkeycloak"; + rev = "2022-12-23"; + sha256 = "jV4CCVJ+4vbWE52ocsJnHR5oIM5ZM/5aYub6wxkVado="; + }; + # Installing simply means copying all files to the output directory + installPhase = '' + mkdir -p $out + cp -R * $out/ + ''; + }) ]; }; # On veut php-xml -- 2.47.0 From 96805626421f1fdbf02a32176b4fc1bc7944ba00 Mon Sep 17 00:00:00 2001 From: hackens server Date: Thu, 9 Jun 2022 22:13:12 +0200 Subject: [PATCH 10/34] age; refactor (un peu) wiki; misc --- hosts/hackens-org/configuration.nix | 2 +- hosts/hackens-org/kfet2mqtt.nix | 4 ++-- hosts/hackens-org/mosquitto.nix | 2 +- hosts/hackens-org/{wiki.nix => wiki/default.nix} | 8 +++++--- pubkeys/hackens-host.keys | 1 + secrets/default.nix | 5 +++++ secrets/secrets.nix | 7 +++++++ 7 files changed, 22 insertions(+), 7 deletions(-) rename hosts/hackens-org/{wiki.nix => wiki/default.nix} (98%) create mode 100644 pubkeys/hackens-host.keys create mode 100644 secrets/default.nix create mode 100644 secrets/secrets.nix diff --git a/hosts/hackens-org/configuration.nix b/hosts/hackens-org/configuration.nix index a52e139..65f2df1 100644 --- a/hosts/hackens-org/configuration.nix +++ b/hosts/hackens-org/configuration.nix @@ -10,7 +10,7 @@ ./hardware-configuration.nix ./physical.nix ../../profiles/core-hackens - ./wiki.nix + ./wiki ./webpass.nix ./mosquitto.nix ./monitoring 
diff --git a/hosts/hackens-org/kfet2mqtt.nix b/hosts/hackens-org/kfet2mqtt.nix index 76262a5..9a67286 100644 --- a/hosts/hackens-org/kfet2mqtt.nix +++ b/hosts/hackens-org/kfet2mqtt.nix @@ -6,8 +6,8 @@ let ]); script = pkgs.fetchgit { url = "https://git.eleves.ens.fr/hackens/kfet2mqtt.git"; - rev = "30d948dc2f7b4a0b440445ef578b6ed718a53273"; - sha256 = "0d93jc0cwx1a8rhq9m0lwzqp53jsffr9qyswdkwydji14f3kwd4d"; + rev = "4a9ca954fd4405ccbabdb0793f1a2f76c7561a8e"; + sha256 = "1g4gv2mc0kd108yw8y6gbskg8zhnrlwdnza8mhii2n8jidh63485"; }; in { diff --git a/hosts/hackens-org/mosquitto.nix b/hosts/hackens-org/mosquitto.nix index 5612dc1..3ce009d 100644 --- a/hosts/hackens-org/mosquitto.nix +++ b/hosts/hackens-org/mosquitto.nix @@ -5,7 +5,7 @@ in { services.mosquitto = { enable = true; - logType = [ "all" ]; + #logType = [ "all" ]; listeners = [ { address = "0.0.0.0"; diff --git a/hosts/hackens-org/wiki.nix b/hosts/hackens-org/wiki/default.nix similarity index 98% rename from hosts/hackens-org/wiki.nix rename to hosts/hackens-org/wiki/default.nix index 71d67b8..78a6883 100644 --- a/hosts/hackens-org/wiki.nix +++ b/hosts/hackens-org/wiki/default.nix @@ -1,18 +1,20 @@ { pkgs, config, ... }: let - hostname = "new.hackens.org"; #config.my.subZone; - debug = false; #config.my.debug; + hostname = "new.hackens.org"; in { imports = [ - modules/custom-dokuwiki.nix + ../modules/custom-dokuwiki.nix ]; disabledModules = [ "services/web-apps/dokuwiki.nix" ]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + services.nginx.virtualHosts."${hostname}" = { enableACME = true; forceSSL = true; }; + services.dokuwiki.sites."${hostname}" = { enable = true; diff --git a/pubkeys/hackens-host.keys b/pubkeys/hackens-host.keys new file mode 100644 index 0000000..5d96db0 --- /dev/null +++ b/pubkeys/hackens-host.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3EvmAE38YNp2pNfGbyyywInEDBpTz4yseOAqmnZS1m 
diff --git a/secrets/default.nix b/secrets/default.nix new file mode 100644 index 0000000..d2a4ed6 --- /dev/null +++ b/secrets/default.nix @@ -0,0 +1,5 @@ +{ ... }: +{ + imports = [ ]; + age.secrets."wikiOpenID".file = ./wiki-openID.age +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..e231aa6 --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,7 @@ +let + lib = (import {}).lib; + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (./pubkeys + "/${user}.keys"))); +in +{ + "wiki-openID.age".publicKeys = (readPubkeys "sinavir") ++ (readPubkeys "hackens-host") ++ (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "backslash"); +} -- 2.47.0 From 936f613834adaa96bcac63d5f5e320eba3115921 Mon Sep 17 00:00:00 2001 From: hackens server Date: Sat, 11 Jun 2022 21:12:42 +0200 Subject: [PATCH 11/34] age --- hosts/hackens-org/configuration.nix | 1 + hosts/hackens-org/wiki/default.nix | 2 +- .../hackens-org/{ => wiki}/media/favicon.ico | Bin hosts/hackens-org/{ => wiki}/media/logo.png | Bin secrets/default.nix | 2 +- secrets/secrets.nix | 2 +- secrets/wiki-openID.age | 31 ++++++++++++++++++ 7 files changed, 35 insertions(+), 3 deletions(-) rename hosts/hackens-org/{ => wiki}/media/favicon.ico (100%) rename hosts/hackens-org/{ => wiki}/media/logo.png (100%) create mode 100644 secrets/wiki-openID.age diff --git a/hosts/hackens-org/configuration.nix b/hosts/hackens-org/configuration.nix index 65f2df1..5db0e5f 100644 --- a/hosts/hackens-org/configuration.nix +++ b/hosts/hackens-org/configuration.nix @@ -10,6 +10,7 @@ ./hardware-configuration.nix ./physical.nix ../../profiles/core-hackens + ../../secrets ./wiki ./webpass.nix ./mosquitto.nix diff --git a/hosts/hackens-org/wiki/default.nix b/hosts/hackens-org/wiki/default.nix index 78a6883..89f7447 100644 --- a/hosts/hackens-org/wiki/default.nix +++ b/hosts/hackens-org/wiki/default.nix 
@@ -41,7 +41,7 @@ in $conf['htmlmail'] = 0; // On envoie les mails en plain text $conf['authtype'] = 'oauth'; $conf['plugin']['oauthkeycloak']['key'] = 'wiki'; - $conf['plugin']['oauthkeycloak']['secret'] = ''; + $conf['plugin']['oauthkeycloak']['secret'] = file('${config.age.secrets.wikiOpenID.path}', FILE_IGNORE_NEW_LINES)[0]; $conf['plugin']['oauthkeycloak']['openidurl'] = 'https://auth.rz.ens.wtf/auth/realms/hackENS/.well-known/openid-configuration/'; ''; diff --git a/hosts/hackens-org/media/favicon.ico b/hosts/hackens-org/wiki/media/favicon.ico similarity index 100% rename from hosts/hackens-org/media/favicon.ico rename to hosts/hackens-org/wiki/media/favicon.ico diff --git a/hosts/hackens-org/media/logo.png b/hosts/hackens-org/wiki/media/logo.png similarity index 100% rename from hosts/hackens-org/media/logo.png rename to hosts/hackens-org/wiki/media/logo.png diff --git a/secrets/default.nix b/secrets/default.nix index d2a4ed6..9fd5403 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -1,5 +1,5 @@ { ... }: { imports = [ ]; - age.secrets."wikiOpenID".file = ./wiki-openID.age + age.secrets."wikiOpenID".file = ./wiki-openID.age; } diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e231aa6..2cde620 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,6 +1,6 @@ let lib = (import {}).lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (./pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); in { "wiki-openID.age".publicKeys = (readPubkeys "sinavir") ++ (readPubkeys "hackens-host") ++ (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "backslash"); diff --git a/secrets/wiki-openID.age b/secrets/wiki-openID.age new file mode 100644 index 0000000..fdeec16 --- /dev/null +++ b/secrets/wiki-openID.age 
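Review bot: `file('${config.age.secrets.wikiOpenID.path}', FILE_IGNORE_NEW_LINES)[0]` in wiki/default.nix reads the decrypted secret at request time from PHP, which is the right move (the client secret no longer lands in the Nix store), but it only works if the PHP-FPM pool user can read that file; agenix installs secrets owned by root with mode 0400 unless told otherwise, and the `secrets/default.nix` hunk in this same commit sets only `.file`. When the read fails, `file()` returns `false` and `[0]` on it yields null, so the client secret silently becomes empty instead of the deploy failing. Set `age.secrets."wikiOpenID".owner = "<dokuwiki pool user>";` (with `mode = "0400";`) in secrets/default.nix, and consider a guard in the PHP snippet that dies loudly when the file is unreadable.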
@@ -0,0 +1,31 @@ +age-encryption.org/v1 +-> ssh-ed25519 JGx7Ng krR1IYLPMfF9fR7P6ECgMy2vec2lHss0XcHuHWcZCBo +MDFLnB7DgNdlJjOxhu0Qreb17ejcZIBMnXGs0BLUN+E +-> ssh-ed25519 IWJ9yA shKTCkZmyjLLIFY+ZetDqJJgx51cVHk/ZsKD/cdJ+i0 +xSblu5POmIUKVe4l+KqpGqGkk+UowRhitUdvE9BLUfM +-> ssh-ed25519 7hZk0g 8WtQ/vt6MH0pIN5G1GB3RoS1fNFgFQIepR1HqyP8vWI +oSYU/uRA4lopWC8TCwWYZAGncoPOx8/sIMFt0QErDlg +-> ssh-rsa krWCLQ +KkRdhsQ//wkDw4mX3RqGLSbR8hX3ehr+ZDkwDbCh9gwl17p2hGOFzwhvA8UxQJnK +O1z7Lu+hA3dvIhNlyimHp8Qt/AkoZAPnR+lf08Q4BajCqy2Z6HBjKJ6qi7c+9t2F +xy5YrBrTzpRKbmf7Fz+tm1hg392bLHhv3N+PfTSszjBs8XdUF8nWQNsdETBhZOzz +ilwDzRDFWfPuFYhjs7cAiXE+qDGgzleX0Yx+OgwBoBPB93JbmuRIPQZIJL9WQZdN +WTS5T5NJ/trZuRAx/Gx+O854G4miLE1M76E/hQ5bZuQN3EvY4Me8j9jzFlwPp3wA +M2oxFsJRvSkOmFl1WIWM0Q +-> ssh-ed25519 nyw/0Q KinHAGi4K6Gls1otwc9WE+jhzujZ4EETm2Br3myWh1o +m1gVTxjs+WJeKc6NvBlqWfGmg3ZwxVO6aHqM14QFRaI +-> ssh-ed25519 85WiGg P9BBlxJxxLwijrvo/XzfKh2GnkJUvjCLBhkrR27v0SQ +8o3HgtiY8DLYgrau2mfmA4QzvoFThCHqDF/7QCNew7A +-> ssh-ed25519 cvTB5g HzkPfCXwsikbISCh7zZgtOaI03G2ErTWIXRk9TfSqm4 +Wqh9WYB4D2hDAe3nWxz19nZDgGMJYFvtHxrYQnuiHC4 +-> ssh-ed25519 Wu8JLQ 2x1ikJnqyIkQmOwK1vP4S7n/xZZCdN7czBY1o/L8ZzY +Poj21vxJ9sUsoikfepaxbktWWIdjh24zzDRzW4Efb8c +-> ssh-ed25519 EIt1vA XxwV8nTlhx7Iy77xCnTrcCEevyKnDGFHGi9JvLb4a0s +y9M2VFvUGT0GOydGDbyqpuOuIRyKXPGl1Z35nBI3i68 +-> ssh-ed25519 X51wxg C6GJqoVqTLpR5L0v1c5umu0gwUEWXOEAJC9kKWV2NEs +IogBAsuZG9z8TmX0rVav14ek1qhoq38DWullPSufnWQ +-> l@z=5S-grease (,5a5 T tV@xrY %e_ig +mIzNLkFaEozopcLCOyQacaU +--- 2krWnD1hHZOvN/0zuuIIcFjh2udviLZns/nTsVSPLmc +~=>YYWwpEz);d1M'=&!J$ +n_l"ډ \ No newline at end of file -- 2.47.0 From 7613a2498167ebd28acde20213fd95c79f21bf9a Mon Sep 17 00:00:00 2001 
From: HackENS milieu Date: Sat, 30 Jul 2022 08:44:32 +0200 Subject: [PATCH 12/34] milieu update --- configuration.nix | 1 + hosts/hackens-milieu/configuration.nix | 2 +- profiles/shared-hackens/default.nix | 3 +++ profiles/shared-hackens/gnome.nix | 8 +++++++ profiles/shared-hackens/i3.nix | 7 +++--- profiles/shared-hackens/latex.nix | 4 ++++ profiles/shared-hackens/monitoring.nix | 13 ----------- profiles/shared-hackens/mosquitto.nix | 30 ++++++++++++++++++++++++++ profiles/shared-hackens/programs.nix | 5 +++-- profiles/shared-hackens/system.nix | 1 + profiles/shared-hackens/users.nix | 21 +++++++++--------- pubkeys/BiBi.keys | 3 +++ 12 files changed, 68 insertions(+), 30 deletions(-) create mode 120000 configuration.nix create mode 100644 profiles/shared-hackens/gnome.nix create mode 100644 profiles/shared-hackens/latex.nix create mode 100644 profiles/shared-hackens/mosquitto.nix create mode 100644 pubkeys/BiBi.keys diff --git a/configuration.nix b/configuration.nix new file mode 120000 index 0000000..ca8cf1d --- /dev/null +++ b/configuration.nix @@ -0,0 +1 @@ +hosts/hackens-milieu/configuration.nix \ No newline at end of file diff --git a/hosts/hackens-milieu/configuration.nix b/hosts/hackens-milieu/configuration.nix index 7dbcd7b..ea61d94 100644 --- a/hosts/hackens-milieu/configuration.nix +++ b/hosts/hackens-milieu/configuration.nix @@ -8,7 +8,7 @@ imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix - ../../profiles/hackens + ../../profiles/shared-hackens ]; # Use the GRUB 2 boot loader. diff --git a/profiles/shared-hackens/default.nix b/profiles/shared-hackens/default.nix index e21df07..c89e498 100644 --- a/profiles/shared-hackens/default.nix +++ b/profiles/shared-hackens/default.nix @@ -7,6 +7,7 @@ ./syncthing.nix ./programs.nix ./audio.nix + ./mosquitto.nix ./graphics.nix ./monitoring.nix ./users.nix 
@@ -16,6 +17,8 @@ ./nightworker.nix ./ssd.nix ./aarch64.nix + ./latex.nix + ./gnome.nix # ./netboot-server.nix # -- fix quick xyz mode. ]; } diff --git a/profiles/shared-hackens/gnome.nix b/profiles/shared-hackens/gnome.nix new file mode 100644 index 0000000..74887ea --- /dev/null +++ b/profiles/shared-hackens/gnome.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + services.xserver = { + enable = true; + displayManager.gdm.enable = true; + desktopManager.gnome.enable = true; + }; +} diff --git a/profiles/shared-hackens/i3.nix b/profiles/shared-hackens/i3.nix index 3a0834f..b319d5e 100644 --- a/profiles/shared-hackens/i3.nix +++ b/profiles/shared-hackens/i3.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, config, lib, ... }: { environment.pathsToLink = [ "/libexec" ]; environment.sessionVariables.TERMINAL = [ "kitty" ]; @@ -7,7 +7,7 @@ BROWSER = "firefox"; }; services.xserver = { - displayManager = { + displayManager = lib.mkIf (!config.services.xserver.displayManager.gdm.enable) { autoLogin = { enable = true; user = "hackens"; @@ -17,7 +17,7 @@ windowManager.i3 = { enable = true; extraSessionCommands = '' - ${pkgs.xlibs.xset}/bin/xset r rate 200 50 + ${pkgs.xorg.xset}/bin/xset r rate 200 50 ''; extraPackages = with pkgs; [ rofi @@ -37,7 +37,6 @@ liberation_ttf fira-code fira-code-symbols - mplus-outline-fonts dina-font proggyfonts powerline-fonts diff --git a/profiles/shared-hackens/latex.nix b/profiles/shared-hackens/latex.nix new file mode 100644 index 0000000..f8549fb --- /dev/null +++ b/profiles/shared-hackens/latex.nix @@ -0,0 +1,4 @@ +{ pkgs, ... }: +{ + environment.systemPackages = [ pkgs.texlive.combined.scheme-full ]; +} diff --git a/profiles/shared-hackens/monitoring.nix b/profiles/shared-hackens/monitoring.nix index ce85023..b3244e6 100644 --- a/profiles/shared-hackens/monitoring.nix +++ b/profiles/shared-hackens/monitoring.nix 
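Review bot: `displayManager = lib.mkIf (!config.services.xserver.displayManager.gdm.enable) {` in i3.nix guards the whole `displayManager` attrset (auto-login and whatever else that block holds past the hunk) on GDM being disabled, while the new gnome.nix in this same commit enables GDM unconditionally and default.nix imports it; as far as this page shows the condition is therefore always false and the block is always dropped. If the intent is to keep i3 available under GDM, the guard should wrap only the auto-login part, e.g. `autoLogin = lib.mkIf (!config.services.xserver.displayManager.gdm.enable) { ... };`, with a comment saying why; if the intent is to retire i3, removing the block outright is clearer. Losing auto-login on the shared `hackens` account, which users.nix puts in `wheel`, is a reasonable outcome either way, but it should be deliberate rather than a side effect.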
@@ -56,17 +56,4 @@ }; services.smartd.enable = true; services.smartd.extraOptions = [ "-A /var/log/smartd/" ]; # For netdata. - - # MQTT for every usage, notably OctoPrint events. - services.mosquitto = { - enable = true; - listeners = [ - { - address = "192.168.1.118"; - } - ]; - settings = { - # allow_anonymous = true; - }; - }; } diff --git a/profiles/shared-hackens/mosquitto.nix b/profiles/shared-hackens/mosquitto.nix new file mode 100644 index 0000000..42dd8b0 --- /dev/null +++ b/profiles/shared-hackens/mosquitto.nix @@ -0,0 +1,30 @@ +{ ... }: +let + port = 1883; +in +{ + services.mosquitto = { + enable = true; + logType = [ "all" ]; + listeners = [ + { + address = "0.0.0.0"; + acl = [ "topic readwrite #" ]; + port = port; + settings = { + allow_anonymous = true; + }; + } + ]; + bridges.hackensOrg = { + topics = [ "# both" ]; + addresses = [ + { + address = "new.hackens.org"; + } + ]; + }; + }; + networking.firewall.allowedTCPPorts = [ port ]; +} + diff --git a/profiles/shared-hackens/programs.nix b/profiles/shared-hackens/programs.nix index d083307..d3f4730 100644 --- a/profiles/shared-hackens/programs.nix +++ b/profiles/shared-hackens/programs.nix @@ -11,10 +11,11 @@ taskwarrior # Slicers - prusa-slicer super-slicer + super-slicer + # prusa-slicer TODO: it is broken # CAD/3D - blender freecad openscad kicad-with-packages3d + blender openscad # kicad-with-packages3d freecad # Microcontrollers arduino arduino-cli stm32flash stm32loader # FPGA diff --git a/profiles/shared-hackens/system.nix b/profiles/shared-hackens/system.nix index 76367d3..e24c283 100644 --- a/profiles/shared-hackens/system.nix +++ b/profiles/shared-hackens/system.nix @@ -25,6 +25,7 @@ services.locate.enable = true; services.openssh.enable = true; + services.openssh.passwordAuthentication = false; networking.firewall.enable = false; documentation.info.enable = false; } diff --git a/profiles/shared-hackens/users.nix b/profiles/shared-hackens/users.nix index 6b61724..a9925af 100644 
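Review bot: The new profiles/shared-hackens/mosquitto.nix binds the listener on `0.0.0.0`, sets `allow_anonymous = true` with `acl = [ "topic readwrite #" ]`, and bridges `# both` to `new.hackens.org`; together with `networking.firewall.enable = false;` visible in the system.nix hunk of this commit, any host that can reach port 1883 on this machine can publish to every topic and have it mirrored into the org broker, which per its own config earlier in this series also listens on 0.0.0.0 and feeds mqtt2prometheus. If anonymous local publishing is intended, at least narrow the bridge to the topics that need to cross with an explicit direction, e.g. `topics = [ "<topic>/# out" ];`, and limit the anonymous ACL to those topics or bind the listener to the LAN interface address. Authenticating the bridge connection (Mosquitto's `remote_username`/`remote_password` under `bridges.hackensOrg.settings`, sourced from a secret) would stop an unauthenticated milieu client from acting as a trusted org publisher.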
--- a/profiles/shared-hackens/users.nix +++ b/profiles/shared-hackens/users.nix @@ -1,23 +1,24 @@ { pkgs, ... }: +let + superadmins = [ + ../../pubkeys/raito.keys + ../../pubkeys/gdd.keys + ../../pubkeys/BiBi.keys + ]; +in { users.users.hackens = { isNormalUser = true; - extraGroups = [ "wheel" ]; + extraGroups = [ "wheel" "dialout" "audio" "video" ]; openssh.authorizedKeys.keys = [ "ssh-rsa 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 hackens@hackens-desktop" ]; - openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/raito.keys - ../../pubkeys/gdd.keys - ]; - }; + openssh.authorizedKeys.keyFiles = superadmins; + }; users.users.root = { - openssh.authorizedKeys.keyFiles = [ - ./pubkeys/raito.keys - ./pubkeys/gdd.keys - ]; + openssh.authorizedKeys.keyFiles = superadmins; }; } diff --git a/pubkeys/BiBi.keys b/pubkeys/BiBi.keys new file mode 100644 index 0000000..5471362 --- /dev/null +++ b/pubkeys/BiBi.keys @@ -0,0 +1,3 @@ +ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACC4RyZ/2ZTACUl5j6K1VlLu4+WUI3eUuylxqPw9DVWnKH5u5pGld/6pL3Nq0rM5W5kfDLd0SWYDL5f1FUdBr2VugDGLO8swdOK6SWM3J5TN1c2ZwDAeBsbXF4scqXqT1Fxay31LPUCAy526P6pRowxwBZwEMn6wHc7Lp//LRMOqh2DSA== +ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBABLEDU82YDUFYgji+hM1fdfpxzY2QHNRCrlSF1X9FSqLLBHYxcpIWEl6kd6bQTml+sjhIpdvbDzvr2MR4prk/zsiwDmuLrzv+j7jri7BZkBzREYYm45LQNhbJZuRaszEMpvOU902UOvEzPU2WDAtHH1G7fRnxjHsDAiVc/fUzJz9r9uXg== +ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBADkJamWNY4+IdqAKI4p7NZ9EecVj3gc2oH/JpmyKREnQBBiCdNmu5HOqzplYYIEmr3HtGLZNcL8o0bvXNtX43onLQDsyOa2UuTNRYLOgx9Uq0tFLhGrDmDP1SK/v5OfcM9H+vm5NO4bFdPjqTrqwDOamUrSt83BY9XRue+JIe/nTzDX0g== -- 2.47.0 From 2029a5ccb2ef146e8822b1e8d466fc4e57b188f4 Mon Sep 17 00:00:00 2001 
From: HackENS milieu Date: Sat, 30 Jul 2022 08:45:54 +0200 Subject: [PATCH 13/34] gitignore --- .gitignore | 1 + configuration.nix | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 .gitignore delete mode 120000 configuration.nix diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..40c7108 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +configuration.nix diff --git a/configuration.nix b/configuration.nix deleted file mode 120000 index ca8cf1d..0000000 --- a/configuration.nix +++ /dev/null @@ -1 +0,0 @@ -hosts/hackens-milieu/configuration.nix \ No newline at end of file -- 2.47.0 From 1c5790c0f72c1cf42d15e0f86515d92fbb5ba540 Mon Sep 17 00:00:00 2001 
From: sinavir Date: Fri, 29 Jul 2022 01:53:54 +0200 Subject: [PATCH 14/34] renaming --- hosts/{hackens-milieu => milieu}/configuration.nix | 0 .../hardware-configuration.nix | 0 hosts/{hackens-org => org}/configuration.nix | 0 .../{hackens-org => org}/hardware-configuration.nix | 0 hosts/{hackens-org => org}/kfet2mqtt.nix | 0 hosts/{hackens-org => org}/misc/default.nix | 0 .../modules/custom-dokuwiki.nix | 0 .../modules/mqtt2prometheus/default.nix | 0 .../modules/mqtt2prometheus/mqtt2prometheus.nix | 0 hosts/{hackens-org => org}/modules/nginx.nix | 0 .../{hackens-org => org}/modules/static-website.nix | 0 hosts/{hackens-org => org}/monitoring/config.yaml | 0 hosts/{hackens-org => org}/monitoring/default.nix | 0 .../monitoring/mqtt2prometheus.nix | 0 hosts/{hackens-org => org}/mosquitto.nix | 0 hosts/org/orga.nix | 3 +++ hosts/{hackens-org => org}/physical.nix | 0 hosts/{hackens-org => org}/webpass.nix | 0 hosts/{hackens-org => org}/wiki/default.nix | 0 hosts/{hackens-org => org}/wiki/media/favicon.ico | Bin hosts/{hackens-org => org}/wiki/media/logo.png | Bin 21 files changed, 3 insertions(+) rename hosts/{hackens-milieu => milieu}/configuration.nix (100%) rename hosts/{hackens-milieu => milieu}/hardware-configuration.nix (100%) rename hosts/{hackens-org => org}/configuration.nix (100%) rename hosts/{hackens-org => org}/hardware-configuration.nix (100%) rename hosts/{hackens-org => org}/kfet2mqtt.nix (100%) rename hosts/{hackens-org => org}/misc/default.nix (100%) rename hosts/{hackens-org => org}/modules/custom-dokuwiki.nix (100%) rename hosts/{hackens-org => org}/modules/mqtt2prometheus/default.nix (100%) rename hosts/{hackens-org => org}/modules/mqtt2prometheus/mqtt2prometheus.nix (100%) rename hosts/{hackens-org => org}/modules/nginx.nix (100%) rename hosts/{hackens-org => org}/modules/static-website.nix (100%) rename hosts/{hackens-org => org}/monitoring/config.yaml (100%) rename hosts/{hackens-org => org}/monitoring/default.nix (100%) rename 
hosts/{hackens-org => org}/monitoring/mqtt2prometheus.nix (100%) rename hosts/{hackens-org => org}/mosquitto.nix (100%) create mode 100644 hosts/org/orga.nix rename hosts/{hackens-org => org}/physical.nix (100%) rename hosts/{hackens-org => org}/webpass.nix (100%) rename hosts/{hackens-org => org}/wiki/default.nix (100%) rename hosts/{hackens-org => org}/wiki/media/favicon.ico (100%) rename hosts/{hackens-org => org}/wiki/media/logo.png (100%) diff --git a/hosts/hackens-milieu/configuration.nix b/hosts/milieu/configuration.nix similarity index 100% rename from hosts/hackens-milieu/configuration.nix rename to hosts/milieu/configuration.nix diff --git a/hosts/hackens-milieu/hardware-configuration.nix b/hosts/milieu/hardware-configuration.nix similarity index 100% rename from hosts/hackens-milieu/hardware-configuration.nix rename to hosts/milieu/hardware-configuration.nix diff --git a/hosts/hackens-org/configuration.nix b/hosts/org/configuration.nix similarity index 100% rename from hosts/hackens-org/configuration.nix rename to hosts/org/configuration.nix diff --git a/hosts/hackens-org/hardware-configuration.nix b/hosts/org/hardware-configuration.nix similarity index 100% rename from hosts/hackens-org/hardware-configuration.nix rename to hosts/org/hardware-configuration.nix diff --git a/hosts/hackens-org/kfet2mqtt.nix b/hosts/org/kfet2mqtt.nix similarity index 100% rename from hosts/hackens-org/kfet2mqtt.nix rename to hosts/org/kfet2mqtt.nix diff --git a/hosts/hackens-org/misc/default.nix b/hosts/org/misc/default.nix similarity index 100% rename from hosts/hackens-org/misc/default.nix rename to hosts/org/misc/default.nix diff --git a/hosts/hackens-org/modules/custom-dokuwiki.nix b/hosts/org/modules/custom-dokuwiki.nix similarity index 100% rename from hosts/hackens-org/modules/custom-dokuwiki.nix rename to hosts/org/modules/custom-dokuwiki.nix 
diff --git a/hosts/hackens-org/modules/mqtt2prometheus/default.nix b/hosts/org/modules/mqtt2prometheus/default.nix similarity index 100% rename from hosts/hackens-org/modules/mqtt2prometheus/default.nix rename to hosts/org/modules/mqtt2prometheus/default.nix diff --git a/hosts/hackens-org/modules/mqtt2prometheus/mqtt2prometheus.nix b/hosts/org/modules/mqtt2prometheus/mqtt2prometheus.nix similarity index 100% rename from hosts/hackens-org/modules/mqtt2prometheus/mqtt2prometheus.nix rename to hosts/org/modules/mqtt2prometheus/mqtt2prometheus.nix diff --git a/hosts/hackens-org/modules/nginx.nix b/hosts/org/modules/nginx.nix similarity index 100% rename from hosts/hackens-org/modules/nginx.nix rename to hosts/org/modules/nginx.nix diff --git a/hosts/hackens-org/modules/static-website.nix b/hosts/org/modules/static-website.nix similarity index 100% rename from hosts/hackens-org/modules/static-website.nix rename to hosts/org/modules/static-website.nix diff --git a/hosts/hackens-org/monitoring/config.yaml b/hosts/org/monitoring/config.yaml similarity index 100% rename from hosts/hackens-org/monitoring/config.yaml rename to hosts/org/monitoring/config.yaml diff --git a/hosts/hackens-org/monitoring/default.nix b/hosts/org/monitoring/default.nix similarity index 100% rename from hosts/hackens-org/monitoring/default.nix rename to hosts/org/monitoring/default.nix diff --git a/hosts/hackens-org/monitoring/mqtt2prometheus.nix b/hosts/org/monitoring/mqtt2prometheus.nix similarity index 100% rename from hosts/hackens-org/monitoring/mqtt2prometheus.nix rename to hosts/org/monitoring/mqtt2prometheus.nix diff --git a/hosts/hackens-org/mosquitto.nix b/hosts/org/mosquitto.nix similarity index 100% rename from hosts/hackens-org/mosquitto.nix rename to hosts/org/mosquitto.nix diff --git a/hosts/org/orga.nix b/hosts/org/orga.nix new file mode 100644 index 0000000..7b036d1 --- /dev/null +++ b/hosts/org/orga.nix @@ -0,0 +1,3 @@ +{ pkgs, lib, config, ... }: +let + sources 
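Review bot: The new `hosts/org/orga.nix` is not valid Nix as committed: it opens a `let` block with a bare `sources` identifier and has no binding, no `in` and no body, so any module that imports it fails to evaluate. Nothing in this patch's import lists references it, so it is dead for now, but a stub that is meant to stay should at least be a complete module such as `{ pkgs, lib, config, ... }: { }` so a future import does not break `nixos-rebuild`.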
diff --git a/hosts/hackens-org/physical.nix b/hosts/org/physical.nix similarity index 100% rename from hosts/hackens-org/physical.nix rename to hosts/org/physical.nix diff --git a/hosts/hackens-org/webpass.nix b/hosts/org/webpass.nix similarity index 100% rename from hosts/hackens-org/webpass.nix rename to hosts/org/webpass.nix diff --git a/hosts/hackens-org/wiki/default.nix b/hosts/org/wiki/default.nix similarity index 100% rename from hosts/hackens-org/wiki/default.nix rename to hosts/org/wiki/default.nix diff --git a/hosts/hackens-org/wiki/media/favicon.ico b/hosts/org/wiki/media/favicon.ico similarity index 100% rename from hosts/hackens-org/wiki/media/favicon.ico rename to hosts/org/wiki/media/favicon.ico diff --git a/hosts/hackens-org/wiki/media/logo.png b/hosts/org/wiki/media/logo.png similarity index 100% rename from hosts/hackens-org/wiki/media/logo.png rename to hosts/org/wiki/media/logo.png -- 2.47.0 From dd8ec6c18e476f34798a6d9aef32e56c0c29b094 Mon Sep 17 00:00:00 2001 
From: sinavir Date: Wed, 31 Aug 2022 03:30:59 +0200 Subject: [PATCH 15/34] refactorisation continuing --- hosts/org/configuration.nix | 9 +- .../org}/core-hackens/default.nix | 0 .../org}/core-hackens/personal-users.nix | 10 +-- .../org}/core-hackens/programs.nix | 0 .../org}/core-hackens/ssh-server.nix | 0 .../org}/core-hackens/static-dns.nix | 0 hosts/org/misc/default.nix | 12 --- hosts/org/modules/static-website.nix | 26 ------ hosts/org/monitoring/config.yaml | 31 ------- hosts/org/monitoring/default.nix | 40 --------- hosts/org/monitoring/mqtt2prometheus.nix | 15 ---- hosts/org/mosquitto.nix | 3 +- hosts/org/{modules => }/nginx.nix | 0 hosts/org/orga.nix | 3 - hosts/org/wiki/default.nix | 43 +--------- nur.nix | 9 ++ profiles/monitoring.nix | 72 ---------------- .../myModules}/custom-dokuwiki.nix | 83 +++---------------- shared/myModules/default.nix | 6 ++ .../myModules/mqtt2prometheus.nix | 4 +- shared/myPkgs/dokuwiki.nix | 52 ++++++++++++ shared/myPkgs/dokuwiki_deep_merge.patch | 11 +++ .../myPkgs}/mqtt2prometheus.nix | 0 shared/nur.nix | 15 ++++ 24 files changed, 115 insertions(+), 329 deletions(-) rename {profiles => hosts/org}/core-hackens/default.nix (100%) rename {profiles => hosts/org}/core-hackens/personal-users.nix (55%) rename {profiles => hosts/org}/core-hackens/programs.nix (100%) rename {profiles => hosts/org}/core-hackens/ssh-server.nix (100%) rename {profiles => hosts/org}/core-hackens/static-dns.nix (100%) delete mode 100644 hosts/org/misc/default.nix delete mode 100644 hosts/org/modules/static-website.nix delete mode 100644 hosts/org/monitoring/config.yaml delete mode 100644 hosts/org/monitoring/default.nix delete mode 100644 hosts/org/monitoring/mqtt2prometheus.nix rename hosts/org/{modules => }/nginx.nix (100%) delete mode 100644 hosts/org/orga.nix create mode 100644 nur.nix delete mode 100644 profiles/monitoring.nix rename {hosts/org/modules => shared/myModules}/custom-dokuwiki.nix (78%) create mode 100644 shared/myModules/default.nix 
rename hosts/org/modules/mqtt2prometheus/default.nix => shared/myModules/mqtt2prometheus.nix (92%) create mode 100644 shared/myPkgs/dokuwiki.nix create mode 100644 shared/myPkgs/dokuwiki_deep_merge.patch rename {hosts/org/modules/mqtt2prometheus => shared/myPkgs}/mqtt2prometheus.nix (100%) create mode 100644 shared/nur.nix diff --git a/hosts/org/configuration.nix b/hosts/org/configuration.nix index 5db0e5f..700ecd3 100644 --- a/hosts/org/configuration.nix +++ b/hosts/org/configuration.nix @@ -9,17 +9,10 @@ [ ./hardware-configuration.nix ./physical.nix - ../../profiles/core-hackens + ./core-hackens ../../secrets ./wiki ./webpass.nix - ./mosquitto.nix - ./monitoring - ./kfet2mqtt.nix - # ./bridge.nix - # ./gha.nix - # ./sync.nix - ./misc ]; networking.hostName = "hackens-org"; # Define your hostname. diff --git a/profiles/core-hackens/default.nix b/hosts/org/core-hackens/default.nix similarity index 100% rename from profiles/core-hackens/default.nix rename to hosts/org/core-hackens/default.nix diff --git a/profiles/core-hackens/personal-users.nix b/hosts/org/core-hackens/personal-users.nix similarity index 55% rename from profiles/core-hackens/personal-users.nix rename to hosts/org/core-hackens/personal-users.nix index 6696eba..f5ce85d 100644 --- a/profiles/core-hackens/personal-users.nix +++ b/hosts/org/core-hackens/personal-users.nix 
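Review bot: Dropping `./mosquitto.nix`, `./monitoring` and `./kfet2mqtt.nix` from `imports` silently undeploys the MQTT broker and the kfet2mqtt service while `hosts/org/mosquitto.nix` and `hosts/org/kfet2mqtt.nix` stay in the tree (mosquitto.nix is even edited later in this same commit); if that is the intent, deleting the files or leaving a comment such as `# mosquitto/monitoring moved off this host` makes it visible. Separately, `./wiki` is kept, but this commit moves the custom dokuwiki module to `shared/myModules` and makes the wiki read `pkgs.hackens.dokuwikiAddons.bootstrap3`, and nothing in this list imports `../../shared/nur.nix`, where `pkgs.hackens` and that module are wired in, so the org host likely no longer evaluates until that import is added. The enclosing `imports` list starts above the hunk.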
@@ -5,23 +5,23 @@ isNormalUser = true; extraGroups = [ "wheel" ]; hashedPassword = "$6$y/I6nKCMYUku7$91vTR5kYz4nHyhbuA/j6kPsD8Vfo/Rg7ri6Ympftra9V6emOt/mPg0AScECtYjSIxretvfQ3sPUF1Ho0IWx381"; - openssh.authorizedKeys.keyFiles = [ ../../pubkeys/raito.keys ]; + openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/raito.keys ]; }; gdoriathdohler = { isNormalUser = true; extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keyFiles = [ ../../pubkeys/gdd.keys ]; + openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/gdd.keys ]; }; mdebray = { isNormalUser = true; extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keyFiles = [ ../../pubkeys/sinavir.keys ]; + openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/sinavir.keys ]; }; hbarral = { isNormalUser = true; extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keyFiles = [ ../../pubkeys/backslash.keys ]; + openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/backslash.keys ]; }; - root.openssh.authorizedKeys.keyFiles = [ ../../pubkeys/beigbeder.keys ]; # Jacques Beigbeder est tjrs root. + root.openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/beigbeder.keys ]; # Jacques Beigbeder est tjrs root. }; } diff --git a/profiles/core-hackens/programs.nix b/hosts/org/core-hackens/programs.nix similarity index 100% rename from profiles/core-hackens/programs.nix rename to hosts/org/core-hackens/programs.nix diff --git a/profiles/core-hackens/ssh-server.nix b/hosts/org/core-hackens/ssh-server.nix similarity index 100% rename from profiles/core-hackens/ssh-server.nix rename to hosts/org/core-hackens/ssh-server.nix diff --git a/profiles/core-hackens/static-dns.nix b/hosts/org/core-hackens/static-dns.nix similarity index 100% rename from profiles/core-hackens/static-dns.nix rename to hosts/org/core-hackens/static-dns.nix diff --git a/hosts/org/misc/default.nix b/hosts/org/misc/default.nix deleted file mode 100644 index 32b76ac..0000000 --- a/hosts/org/misc/default.nix +++ /dev/null 
@@ -1,12 +0,0 @@ -{ pkgs, ... }: -{ - imports = [ - # ./static-website.nix - # ./game2048.nix - # ./casauth.nix - # ./nds.nix - # ./prez.nix - # ./public.nix - # ./jarvis.nix - ]; -} diff --git a/hosts/org/modules/static-website.nix b/hosts/org/modules/static-website.nix deleted file mode 100644 index 7a4a641..0000000 --- a/hosts/org/modules/static-website.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ lib, config }: - -with lib; -let - cfg = config.services.static-website.config; - l = builtins.split cfg.name "/"; - name = lists.last l; -in -{ - services.static-website.config = lib.mkOption { - type = with types; attrsOf (submodule { - options.name = mkOption path; - }); - }; - - config = { - services.nginx.enable = cfg.enable; - virtualHosts."${cfg.name}" = { - root = "/var/lib/nginx/static/${name}"; - } - }; -} - -/* TODO -ACME -*/ diff --git a/hosts/org/monitoring/config.yaml b/hosts/org/monitoring/config.yaml deleted file mode 100644 index ed84f2d..0000000 --- a/hosts/org/monitoring/config.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -mqtt: - # The MQTT broker to connect to - server: tcp://new.hackens.org:1883 - # The Topic path to subscribe to. Be aware that you have to specify the wildcard, if you want to follow topics for multiple sensors. - topic_path: +/+ - # The MQTT QoS level - qos: 0 - metric_per_topic_config: - metric_name_regex: "(?P.*)/(?P.*)" -cache: - # Timeout. Each received metric will be presented for this time if no update is send via MQTT. - # Set the timeout to -1 to disable the deletion of metrics from the cache. The exporter presents the ingest timestamp - # to prometheus. - timeout: 24h -metrics: - # The name of the metric in prometheus - - prom_name: keft_open - # The name of the metric in a MQTT JSON message - mqtt_name: open - # The prometheus help text for this metric - help: K-Fêt opening state - # The prometheus type for this metric. Valid values are: "gauge" and "counter" - type: gauge - # The name of the metric in prometheus - - prom_name: trash_filling - # The name of the metric in a MQTT JSON message - mqtt_name: trash - # The prometheus help text for this metric - help: Hackens trash filling state - # The prometheus type for this metric. Valid values are: "gauge" and "counter" - type: gauge diff --git a/hosts/org/monitoring/default.nix b/hosts/org/monitoring/default.nix deleted file mode 100644 index 3046185..0000000 --- a/hosts/org/monitoring/default.nix +++ /dev/null 
@@ -1,40 +0,0 @@ -{ pkgs, lib, config, ... }: -{ - imports = [ ../modules/mqtt2prometheus ]; - services = { - prometheus = { - enable = true; - listenAddress = "127.0.0.1"; - scrapeConfigs = [ - { - job_name = "mqtt_listener"; - scrape_interval = "120s"; - static_configs = [ - { - targets = [ - "localhost:9641" - ]; - } - ]; - } - ]; - }; - mqtt2prometheus = { - enable = true; - package = pkgs.callPackage (import ./mqtt2prometheus.nix) { }; - config = ./config.yaml; - }; - grafana = { - enable = true; - }; - nginx.virtualHosts."monitoring.new.hackens.org" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://localhost:3000"; - proxyWebsockets = true; - }; - }; - }; - networking.firewall.allowedTCPPorts = [ 3000 ]; -} diff --git a/hosts/org/monitoring/mqtt2prometheus.nix b/hosts/org/monitoring/mqtt2prometheus.nix deleted file mode 100644 index d811dbc..0000000 --- a/hosts/org/monitoring/mqtt2prometheus.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ pkgs, ... }: -pkgs.buildGoModule rec { - pname = "mqtt2prometheus"; - version = "0.1.6"; - src = pkgs.fetchFromGitHub { - owner = "hikhvar"; - repo = "mqtt2prometheus"; - rev = "v${version}"; - sha256 = "0dz5mrwm231g45i8rbmvaza8bm6cr4jg5vc87h41vnm7xsx815g7"; - }; - vendorSha256 = "1fyzij7cakhd6x2hf3rvvslvvxmfmlp881x5rz2qwm04spa18cp4"; - postInstall = '' - mv $out/bin/cmd $out/bin/mqtt2prometheus - ''; -} diff --git a/hosts/org/mosquitto.nix b/hosts/org/mosquitto.nix index 3ce009d..1fc3079 100644 --- a/hosts/org/mosquitto.nix +++ b/hosts/org/mosquitto.nix @@ -5,10 +5,9 @@ in { services.mosquitto = { enable = true; - #logType = [ "all" ]; listeners = [ { - address = "0.0.0.0"; + address = "10.158.1.1"; acl = [ "topic readwrite #" ]; port = port; settings = { diff --git a/hosts/org/modules/nginx.nix b/hosts/org/nginx.nix similarity index 100% rename from hosts/org/modules/nginx.nix rename to hosts/org/nginx.nix 
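Review bot: Binding the listener to `10.158.1.1` instead of `0.0.0.0` reduces exposure, but the listener keeps `acl = [ "topic readwrite #" ]`, so every client that can reach that interface retains read/write on all topics; whether anonymous clients are accepted depends on the `settings` block, which starts after the hunk. A comment next to the address, e.g. `# internal interface only; every client on this network gets readwrite on all topics`, would record the assumption for the next reader. Note that the same commit removes `./mosquitto.nix` from `hosts/org/configuration.nix`, so this change is not applied anywhere until the module is imported again. The listener entry's `settings` attribute continues outside the hunk.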
diff --git a/hosts/org/orga.nix b/hosts/org/orga.nix deleted file mode 100644 index 7b036d1..0000000 --- a/hosts/org/orga.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ pkgs, lib, config, ... }: -let - sources diff --git a/hosts/org/wiki/default.nix b/hosts/org/wiki/default.nix index 89f7447..8b40a34 100644 --- a/hosts/org/wiki/default.nix +++ b/hosts/org/wiki/default.nix @@ -3,10 +3,6 @@ let hostname = "new.hackens.org"; in { - imports = [ - ../modules/custom-dokuwiki.nix - ]; - disabledModules = [ "services/web-apps/dokuwiki.nix" ]; networking.firewall.allowedTCPPorts = [ 80 443 ]; @@ -60,42 +56,7 @@ in aclUse = true; # Il faut packager les templates - templates = let - template-bootstrap3 = { version, logo, favicon, apple-touch-icon, dokuwikiPath }: - pkgs.stdenv.mkDerivation { - name = "bootstrap3"; - # Download the theme from the dokuwiki site - src = pkgs.fetchFromGitHub version; - # We need unzip to build this package - # buildInputs = [ pkgs.unzip ]; - # Installing simply means copying all files to the output directory - installPhase = '' - mkdir -p $out - cp -R * $out/ - rm $out/images/logo.png - rm $out/images/favicon.ico - rm $out/images/apple-touch-icon.png - ln -s ${logo} $out/images/logo.png - ln -s ${favicon} $out/images/favicon.ico - ln -s ${apple-touch-icon} $out/images/apple-touch-icon.png - echo " $out/doku_inc.php # Lien vers le dokuwiki - ''; - }; - # And then pass this theme to the template list like this: - in [ - (template-bootstrap3 { - version = { - owner = "giterlizzi"; - repo = "dokuwiki-template-bootstrap3"; - rev="v2020-07-29"; - sha256="05d6si1lci3a2pgd10iwpwrgl969y7gq4qsn5p1lbgxkraad17af"; - }; - logo = ./media/logo.png; - favicon = ./media/favicon.ico; - apple-touch-icon = ./media/logo.png; - dokuwikiPath = "${config.services.dokuwiki.sites."${hostname}".finalPackage}/share/dokuwiki"; - }) - ]; + templates = pkgs.hackens.dokuwikiAddons.bootstrap3; plugins = [ (pkgs.stdenv.mkDerivation { name = "commonmark"; 
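Review bot: `templates = pkgs.hackens.dokuwikiAddons.bootstrap3;` depends on an attribute this commit does not define: `pkgs.hackens` comes from the `packageOverrides` in `shared/nur.nix`/`nur.nix`, neither of which is imported by `hosts/org/configuration.nix`, and the diffstat adds only `dokuwiki.nix`, `dokuwiki_deep_merge.patch` and `mqtt2prometheus.nix` under `shared/myPkgs`, with no `dokuwikiAddons`. The first hunk also drops the local `../modules/custom-dokuwiki.nix` import and `disabledModules`, relying on the moved module (which now sets `disabledModules` itself) being reachable through that same missing import. As committed the wiki module therefore cannot evaluate; either add the `shared/nur.nix` import and the `dokuwikiAddons` attribute in this commit or keep the inline template until they exist. The enclosing `services.dokuwiki` attribute set continues outside both hunks.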
@@ -158,7 +119,7 @@ in ]; }; # On veut php-xml - services.phpfpm.pools."dokuwiki-${hostname}".phpPackage = pkgs.lib.mkForce ( pkgs.php74.withExtensions ( + services.phpfpm.pools."dokuwiki-${hostname}".phpPackage = pkgs.lib.mkForce ( pkgs.php8.withExtensions ( { all, enabled, ... }: enabled ++ [ all.xml diff --git a/nur.nix b/nur.nix new file mode 100644 index 0000000..eee2c5e --- /dev/null +++ b/nur.nix @@ -0,0 +1,9 @@ +{ pkgs, config, lib, ... }: +{ + imports = [ + ../myModules + ]; + nixpkgs.config.packageOverrides = { + hackens = import ./myPkgs { inherit pkgs; }; + }; +} diff --git a/profiles/monitoring.nix b/profiles/monitoring.nix deleted file mode 100644 index ce85023..0000000 --- a/profiles/monitoring.nix +++ /dev/null 
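Review bot: The root-level `nur.nix` imports `../myModules`, which resolves to the parent directory of the repository, and `./myPkgs`, which does not exist at the root (the packages live under `shared/myPkgs`); it reads as a leftover copy of `shared/nur.nix`, which this same commit adds with the correct relative paths, so one of the two should go. In both files `import ./myPkgs { inherit pkgs; }` also needs a `shared/myPkgs/default.nix` that is absent from the diffstat, so the `hackens` override cannot evaluate as committed. The `php74` to `php8` switch in the wiki hunk above is consistent with the DokuWiki bump to 2022-07-31 in this commit and needs no change.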
@@ -1,72 +0,0 @@ -{ pkgs, config, ... }: -{ - # Monitoring - services.netdata.enable = true; - systemd.services.netdata.restartTriggers = map (name: config.environment.etc."netdata/${name}.conf".source) [ - "health_alarm_notify" - "stream" - "fping" - ]; - environment.etc."netdata/stream.conf" = { - user = "netdata"; - group = "netdata"; - mode = "0600"; - text = '' - # hackens-desktop - [074e699a-4206-4e13-baa7-e4524326f1e0] - enabled = yes - default history = 3600 - default memory mode = dbengine - health enabled by default = auto - allow from = 192.168.1.117, 2001:470:1f13:21d:49fd:1d82:d2ff:d868 - - # hackens-openwrt - [cab3fe1e-576b-420d-b301-84308e44f340] - enabled = yes - default history = 3600 - default memory mode = dbengine - health enabled by default = auto - allow from = 192.168.1.1, 2001:470:1f13:21d::1 - ''; - }; - environment.etc."netdata/health_alarm_notify.conf" = { - user = "netdata"; - group = "netdata"; - mode = "0600"; - text = '' - # External tools - nc="${pkgs.netcat}/bin/nc" - - # IRC configuration - SEND_IRC="YES" - DEFAULT_RECIPIENT_IRC="#hackens-status" - IRC_NETWORK="ens.wtf" - IRC_NICKNAME="hackens" - IRC_REALNAME="hackENS netdata monitoring" - ''; - }; - environment.etc."netdata/fping.conf" = { - user = "netdata"; - group = "netdata"; - mode = "0600"; - text = '' - fping="${pkgs.fping}/bin/fping" - hosts="hackens.org hack.ens.fr sas.eleves.ens.fr argonaut.ens.wtf clipper.ens.fr merle.eleves.ens.fr" - ''; - }; - services.smartd.enable = true; - services.smartd.extraOptions = [ "-A /var/log/smartd/" ]; # For netdata. - - # MQTT for every usage, notably OctoPrint events. - services.mosquitto = { - enable = true; - listeners = [ - { - address = "192.168.1.118"; - } - ]; - settings = { - # allow_anonymous = true; - }; - }; -} 
diff --git a/hosts/org/modules/custom-dokuwiki.nix b/shared/myModules/custom-dokuwiki.nix similarity index 78% rename from hosts/org/modules/custom-dokuwiki.nix rename to shared/myModules/custom-dokuwiki.nix index 66318c4..525d75c 100644 --- a/hosts/org/modules/custom-dokuwiki.nix +++ b/shared/myModules/custom-dokuwiki.nix @@ -9,14 +9,7 @@ let webserver = config.services.${cfg.webserver}; stateDir = hostName: "/var/lib/dokuwiki/${hostName}/data"; - dokuwikiAclAuthConfig = hostName: cfg: pkgs.writeText "acl.auth-${hostName}.php" '' - # acl.auth.php - # - # - # Access Control Lists - # - ${toString cfg.acl} - ''; + dokuwikiAclAuthConfig = hostName: cfg: pkgs.writeText "acl.auth-${hostName}.php" "${toString cfg.acl}"; dokuwikiLocalConfig = hostName: cfg: pkgs.writeText "local-${hostName}.php" '' These plugins need to be packaged before use, see example. - ''; - example = literalExpression '' - let - # Let's package the icalevents plugin - plugin-icalevents = pkgs.stdenv.mkDerivation { - name = "icalevents"; - # Download the plugin from the dokuwiki site - src = pkgs.fetchurl { - url = "https://github.com/real-or-random/dokuwiki-plugin-icalevents/releases/download/2017-06-16/dokuwiki-plugin-icalevents-2017-06-16.zip"; - sha256 = "e40ed7dd6bbe7fe3363bbbecb4de481d5e42385b5a0f62f6a6ce6bf3a1f9dfa8"; - }; - sourceRoot = "."; - # We need unzip to build this package - buildInputs = [ pkgs.unzip ]; - # Installing simply means copying all files to the output directory - installPhase = "mkdir -p $out; cp -R * $out/"; - }; - # And then pass this theme to the plugin list like this: - in [ plugin-icalevents ] + It is a good practice to package them. ''; }; 
@@ -197,25 +155,7 @@ let default = []; description = '' List of path(s) to respective template(s) which are copied from the 'tpl' directory. - These templates need to be packaged before use, see example. - ''; - example = literalExpression '' - let - # Let's package the bootstrap3 theme - template-bootstrap3 = pkgs.stdenv.mkDerivation { - name = "bootstrap3"; - # Download the theme from the dokuwiki site - src = pkgs.fetchurl { - url = "https://github.com/giterlizzi/dokuwiki-template-bootstrap3/archive/v2019-05-22.zip"; - sha256 = "4de5ff31d54dd61bbccaf092c9e74c1af3a4c53e07aa59f60457a8f00cfb23a6"; - }; - # We need unzip to build this package - buildInputs = [ pkgs.unzip ]; - # Installing simply means copying all files to the output directory - installPhase = "mkdir -p $out; cp -R * $out/"; - }; - # And then pass this theme to the template list like this: - in [ template-bootstrap3 ] + It is a good practice to package them. ''; }; @@ -273,14 +213,16 @@ in Further nginx configuration can be done by adapting services.nginx.virtualHosts.<name>. See for further information. - Further apache2 configuration can be done by adapting services.httpd.virtualHosts.<name>. - See for further information. + TO COMPLETE ''; }; }; }; + + disabledModules = [ "services/web-apps/dokuwiki.nix" ]; + # implementation config = mkIf (eachSite != {}) (mkMerge [{ 
@@ -300,15 +242,11 @@ in inherit user; group = webserver.group; - # Not yet compatible with php 8 https://www.dokuwiki.org/requirements - # https://github.com/splitbrain/dokuwiki/issues/3545 - phpPackage = pkgs.php74; phpEnv = { DOKUWIKI_LOCAL_CONFIG = "${dokuwikiLocalConfig hostName cfg}"; DOKUWIKI_PLUGINS_LOCAL_CONFIG = "${dokuwikiPluginsLocalConfig hostName cfg}"; DOKUWIKI_ROOT = "${cfg.finalPackage}/share/dokuwiki/"; - } // optionalAttrs (cfg.usersFile != null) { - DOKUWIKI_USERS_AUTH_CONFIG = "${cfg.usersFile}"; + DOKUWIKI_USERS_AUTH_CONFIG = "${if cfg.usersFile!= {} then cfg.usersFile else ""}"; } //optionalAttrs (cfg.aclUse) { DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig hostName cfg}" else "${toString cfg.aclFile}"; }; @@ -328,6 +266,7 @@ in "d ${stateDir hostName}/cache 0750 ${user} ${webserver.group} - -" "d ${stateDir hostName}/index 0750 ${user} ${webserver.group} - -" "d ${stateDir hostName}/locks 0750 ${user} ${webserver.group} - -" + "d ${stateDir hostName}/log 0750 ${user} ${webserver.group} - -" "d ${stateDir hostName}/media 0750 ${user} ${webserver.group} - -" "d ${stateDir hostName}/media_attic 0750 ${user} ${webserver.group} - -" "d ${stateDir hostName}/media_meta 0750 ${user} ${webserver.group} - -" @@ -352,7 +291,7 @@ in root = "${pkg hostName cfg}/share/dokuwiki"; locations = { - "~ /(conf/|bin/|inc/|install.php)" = { + "~ /(conf/|bin/|inc/|vendor/|install.php)" = { extraConfig = "deny all;"; }; diff --git a/shared/myModules/default.nix b/shared/myModules/default.nix new file mode 100644 index 0000000..7802e6d --- /dev/null +++ b/shared/myModules/default.nix @@ -0,0 +1,6 @@ +{ pkgs, config, lib, ...}: +{ + imports = [ + ./custom-dokuwiki.nix + ]; +} diff --git a/hosts/org/modules/mqtt2prometheus/default.nix b/shared/myModules/mqtt2prometheus.nix similarity index 92% rename from hosts/org/modules/mqtt2prometheus/default.nix rename to shared/myModules/mqtt2prometheus.nix index f71645e..ddae505 100644 
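Review bot: `DOKUWIKI_USERS_AUTH_CONFIG = "${if cfg.usersFile!= {} then cfg.usersFile else ""}"` replaces an `optionalAttrs (cfg.usersFile != null)` guard; a path or `null` is never equal to `{}`, so the condition is always true and a site that leaves `usersFile` unset makes Nix interpolate `null`, which is an evaluation error. Keeping the original guard, or `"${if cfg.usersFile != null then toString cfg.usersFile else ""}"`, restores the intended behaviour. Adding `vendor/` to the nginx `deny all` location in the last hunk is a sensible hardening of the shipped tree. The `phpEnv` block and the `locations` set both extend past their hunks.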
--- a/hosts/org/modules/mqtt2prometheus/default.nix +++ b/shared/myModules/mqtt2prometheus.nix @@ -19,7 +19,7 @@ in default = 9641; description = "HTTP port used to expose metrics"; }; - config = lib.mkOption { # à nixifier + config = lib.mkOption { # à nixifier (un jour) type = lib.types.path; description = "Path to config file"; }; @@ -28,7 +28,7 @@ in systemd.services."mqtt2prometheus" = { enable = true; description = "MQTT client which exposes metrics for prometheus monitoring software"; - after = [ "network.target" ]; + after = [ "network-online.target" ]; serviceConfig = { ExecStart = "${cfg.package}/bin/mqtt2prometheus -config ${cfg.config} -listen-address ${cfg.listenAddress} -listen-port ${toString cfg.listenPort}"; Restart = "always"; diff --git a/shared/myPkgs/dokuwiki.nix b/shared/myPkgs/dokuwiki.nix new file mode 100644 index 0000000..29188f5 --- /dev/null +++ b/shared/myPkgs/dokuwiki.nix 
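Review bot: `after = [ "network-online.target" ];` orders the unit after that target but does not activate it; without `wants = [ "network-online.target" ];` on the same unit the target may never be reached and the ordering has no effect. Add the `wants` line next to `after`. The `systemd.services."mqtt2prometheus"` attribute set continues beyond the hunk.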
@@ -0,0 +1,52 @@ +{ lib, stdenv, fetchFromGitHub, writeText, nixosTests }: + +stdenv.mkDerivation rec { + pname = "dokuwiki"; + version = "2022-07-31"; + + src = fetchFromGitHub { + owner = "splitbrain"; + repo = pname; + rev = "release_stable_${version}"; + sha256 = "sha256-FreJsajdfoefQHo6rBzkImDUvR3Zb7rBQTYhYvyRJC4="; + }; + + preload = writeText "preload.php" '' + array( + 'local' => array(getenv('DOKUWIKI_LOCAL_CONFIG')), + ), + 'acl' => array( + 'default' => getenv('DOKUWIKI_ACL_AUTH_CONFIG'), + ), + 'plainauth.users' => array( + 'default' => getenv('DOKUWIKI_USERS_AUTH_CONFIG'), + ), + 'plugins' => array( + 'local' => array(getenv('DOKUWIKI_PLUGINS_LOCAL_CONFIG')), + ), + ); + ''; + + installPhase = '' + mkdir -p $out/share/dokuwiki + cp -r * $out/share/dokuwiki + cp ${preload} $out/share/dokuwiki/inc/preload.php + ''; + + patches = [ ./dokuwiki_deep_merge.patch ]; + + passthru.tests = { + inherit (nixosTests) dokuwiki; + }; + + meta = with lib; { + description = "Simple to use and highly versatile Open Source wiki software that doesn't require a database"; + license = licenses.gpl2; + homepage = "https://www.dokuwiki.org"; + platforms = platforms.all; + maintainers = with maintainers; [ _1000101 ]; + }; +} diff --git a/shared/myPkgs/dokuwiki_deep_merge.patch b/shared/myPkgs/dokuwiki_deep_merge.patch new file mode 100644 index 0000000..2c29613 --- /dev/null +++ b/shared/myPkgs/dokuwiki_deep_merge.patch @@ -0,0 +1,11 @@ +--- a/inc/config_cascade.php ++++ b/inc/config_cascade.php +@@ -5,7 +5,7 @@ + * This array configures the default locations of various files in the + * DokuWiki directory hierarchy. It can be overriden in inc/preload.php + */ +-$config_cascade = array_merge( ++$config_cascade = array_merge_recursive( + array( + 'main' => array( + 'default' => array(DOKU_CONF . 'dokuwiki.php'), 
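Review bot: The `installPhase` of `shared/myPkgs/dokuwiki.nix` does not call `runHook preInstall` / `runHook postInstall`, so any `postInstall` supplied through `overrideAttrs` is silently ignored; adding `runHook preInstall` as the first line and `runHook postInstall` as the last line keeps the derivation composable (a later patch in this series overrides `postInstall` and depends on it). The `meta.maintainers = with maintainers; [ _1000101 ]` entry and the `nixosTests.dokuwiki` passthru are copied from nixpkgs and now describe a locally patched package; pointing the maintainer at this repository's owners avoids attributing the fork to someone who does not maintain it. The `preload.php` text appears truncated in this rendering, so the cascade it installs cannot be checked here.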
diff --git a/hosts/org/modules/mqtt2prometheus/mqtt2prometheus.nix b/shared/myPkgs/mqtt2prometheus.nix similarity index 100% rename from hosts/org/modules/mqtt2prometheus/mqtt2prometheus.nix rename to shared/myPkgs/mqtt2prometheus.nix diff --git a/shared/nur.nix b/shared/nur.nix new file mode 100644 index 0000000..8d19786 --- /dev/null +++ b/shared/nur.nix @@ -0,0 +1,15 @@ +{ lib, pkgs, ... }: +let + agenix = pkgs.fetchFromGitHub { + owner = "ryantm"; + repo = "agenix"; + rev = "7e5e58b98c3dcbf497543ff6f22591552ebfe65b"; + }; +in +{ + nixpkgs.config.packageOverrides = { + hackens = import ./myPkgs { inherit pkgs; }; + }; + imports = [ "${agenix}/modules/age.nix" ] + ++ lib.attrValues (import ./myModules); +} -- 2.47.0 From 0ac470c4933f3fb0640d225b016d5c1b2df0c635 Mon Sep 17 00:00:00 2001 
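Review bot: `agenix = pkgs.fetchFromGitHub { owner = "ryantm"; repo = "agenix"; rev = "7e5e58b98c3dcbf497543ff6f22591552ebfe65b"; }` carries no `sha256`/`hash`, so the fetch cannot be a fixed-output derivation and evaluation fails; once added, the hash is also the integrity check for `modules/age.nix`, which is imported into host configurations and runs at activation, so it should be filled from a verified fetch rather than copied from a build error. Also, `lib.attrValues (import ./myModules)` expects an attribute set, but `shared/myModules/default.nix` (added in this commit) is a module function `{ pkgs, config, lib, ...}: { imports = [ … ]; }`; `imports = [ "${agenix}/modules/age.nix" ./myModules ];` is the form that matches the file as written.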
From: sinavir Date: Thu, 12 Jan 2023 18:11:50 +0100 Subject: [PATCH 16/34] ~ --- default.nix | 91 +++++ hosts/milieu/configuration.nix | 1 + hosts/org/configuration.nix | 4 +- hosts/org/core-hackens/default.nix | 8 +- hosts/org/core-hackens/personal-users.nix | 54 +-- hosts/org/core-hackens/programs.nix | 7 +- hosts/org/core-hackens/ssh-server.nix | 3 +- hosts/org/core-hackens/static-dns.nix | 8 +- hosts/org/kfet2mqtt.nix | 25 -- hosts/org/mosquitto.nix | 20 -- hosts/org/wiki/default.nix | 128 ------- hosts/org/wiki/media/favicon.ico | Bin 15086 -> 0 bytes hosts/org/wiki/media/logo.png | Bin 7038 -> 0 bytes secrets/default.nix | 1 - shared/myModules/custom-dokuwiki.nix | 386 ---------------------- shared/myModules/default.nix | 6 - shared/myModules/mqtt2prometheus.nix | 39 --- shared/myPkgs/dokuwiki.nix | 52 --- shared/myPkgs/dokuwiki_deep_merge.patch | 11 - shared/myPkgs/mqtt2prometheus.nix | 15 - 20 files changed, 129 insertions(+), 730 deletions(-) create mode 100644 default.nix delete mode 100644 hosts/org/kfet2mqtt.nix delete mode 100644 hosts/org/mosquitto.nix delete mode 100644 hosts/org/wiki/default.nix delete mode 100644 hosts/org/wiki/media/favicon.ico delete mode 100644 hosts/org/wiki/media/logo.png delete mode 100644 shared/myModules/custom-dokuwiki.nix delete mode 100644 shared/myModules/default.nix delete mode 100644 shared/myModules/mqtt2prometheus.nix delete mode 100644 shared/myPkgs/dokuwiki.nix delete mode 100644 shared/myPkgs/dokuwiki_deep_merge.patch delete mode 100644 shared/myPkgs/mqtt2prometheus.nix diff --git a/default.nix b/default.nix new file mode 100644 index 0000000..b3a4851 --- /dev/null +++ b/default.nix 
@@ -0,0 +1,91 @@ +{ lib +, stdenv +, fetchFromGitHub +, writeText +, nixosTests +, dokuwiki +}: + +stdenv.mkDerivation rec { + pname = "dokuwiki"; + version = "2022-07-31a"; + + src = fetchFromGitHub { + owner = "splitbrain"; + repo = pname; + rev = "release_stable_${version}"; + sha256 = "sha256-gtWEtc3kbMokKycTx71XXblkDF39i926uN2kU3oOeVw="; + }; + + preload = writeText "preload.php" '' + array( + 'default' => getenv('DOKUWIKI_ACL_AUTH_CONFIG'), + ), + 'plainauth.users' => array( + 'default' => getenv('DOKUWIKI_USERS_AUTH_CONFIG'), + 'protected' => "" // not used by default + ), + ); + ''; + + phpLocalConfig = writeText "local.php" '' + + ''; + + phpPluginsLocalConfig = writeText "plugins.local.php" '' + + ''; + + installPhase = '' + runHook preInstall + + mkdir -p $out/share/dokuwiki + cp -r * $out/share/dokuwiki + cp ${preload} $out/share/dokuwiki/inc/preload.php + cp ${phpLocalConfig} $out/share/dokuwiki/conf/local.php + cp ${phpPluginsLocalConfig} $out/share/dokuwiki/conf/plugins.local.php + + runHook postInstall + ''; + + passthru = { + combine = { basePackage ? dokuwiki + , plugins ? [] + , templates ? [] + , localConfig ? null + , pluginsConfig ? null + , aclConfig ? null + , pname ? (p: "${p.pname}-combined") + }: let + isNotEmpty = x: lib.optionalString (! 
builtins.elem x [ null "" ]); + in basePackage.overrideAttrs (prev: { + pname = if builtins.isFunction pname then pname prev else pname; + + postInstall = prev.postInstall or "" + '' + ${lib.concatMapStringsSep "\n" (tpl: "cp -r ${toString tpl} $out/share/dokuwiki/lib/tpl/${tpl.name}") templates} + ${lib.concatMapStringsSep "\n" (plugin: "cp -r ${toString plugin} $out/share/dokuwiki/lib/plugins/${plugin.name}") plugins} + ${isNotEmpty localConfig "ln -sf ${localConfig} $out/share/dokuwiki/conf/local.php" } + ${isNotEmpty pluginsConfig "ln -sf ${pluginsConfig} $out/share/dokuwiki/conf/plugins.local.php" } + ${isNotEmpty aclConfig "ln -sf ${aclConfig} $out/share/dokuwiki/acl.auth.php" } + ''; + }); + tests = { + inherit (nixosTests) dokuwiki; + }; + }; + + meta = with lib; { + description = "Simple to use and highly versatile Open Source wiki software that doesn't require a database"; + license = licenses.gpl2; + homepage = "https://www.dokuwiki.org"; + platforms = platforms.all; + maintainers = with maintainers; [ _1000101 ]; + }; +} diff --git a/hosts/milieu/configuration.nix b/hosts/milieu/configuration.nix index ea61d94..75192d0 100644 --- a/hosts/milieu/configuration.nix +++ b/hosts/milieu/configuration.nix @@ -8,6 +8,7 @@ imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix + ../../shared/nur.nix ../../profiles/shared-hackens ]; diff --git a/hosts/org/configuration.nix b/hosts/org/configuration.nix index 700ecd3..39be5c1 100644 --- a/hosts/org/configuration.nix +++ b/hosts/org/configuration.nix @@ -11,8 +11,8 @@ ./physical.nix ./core-hackens ../../secrets - ./wiki ./webpass.nix + ./nginx.nix ]; networking.hostName = "hackens-org"; # Define your hostname. 
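Review bot: In `passthru.combine`, `aclConfig` is linked to `$out/share/dokuwiki/acl.auth.php`, whereas `localConfig` and `pluginsConfig` go under `conf/`; DokuWiki's default cascade reads `conf/acl.auth.php`, and the `preload.php` in this same file takes the ACL path from `DOKUWIKI_ACL_AUTH_CONFIG` rather than from that location, so the link as written looks like it is never consulted — `ln -sf ${aclConfig} $out/share/dokuwiki/conf/acl.auth.php` is the probable intent (verify against the cascade the preload installs, which is partly truncated in this rendering). A derivation named `dokuwiki` living in the repository's root `default.nix` is also surprising for a NixOS configuration repository; `shared/myPkgs/dokuwiki.nix` was its previous home, and the commit message `~` does not explain the move, so a one-line comment at the top stating what the file is for would help.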
@@ -23,7 +23,7 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "21.11"; # Did you read the comment? + system.stateVersion = "22.11"; # Did you read the comment? } diff --git a/hosts/org/core-hackens/default.nix b/hosts/org/core-hackens/default.nix index 90ecd13..afcc8a9 100644 --- a/hosts/org/core-hackens/default.nix +++ b/hosts/org/core-hackens/default.nix @@ -1,8 +1,4 @@ { - imports = [ - ./personal-users.nix - ./ssh-server.nix - ./static-dns.nix - ./programs.nix - ]; + imports = + [ ./personal-users.nix ./ssh-server.nix ./static-dns.nix ./programs.nix ]; } diff --git a/hosts/org/core-hackens/personal-users.nix b/hosts/org/core-hackens/personal-users.nix index f5ce85d..3be399b 100644 --- a/hosts/org/core-hackens/personal-users.nix +++ b/hosts/org/core-hackens/personal-users.nix 
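Review bot: `system.stateVersion` is bumped from `"21.11"` to `"22.11"` on a host that was already installed; the comment right above says not to do this, because the value pins defaults of stateful services (database formats, file layouts) to the release of the first install, and changing it can switch those defaults under existing data. Unless this is a fresh reinstall, revert the value and record why with a comment such as `# first installed on 21.11; do not bump`.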
@@ -1,27 +1,33 @@ -{ ... }: -{ - users.users = { - rlahfa = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - hashedPassword = "$6$y/I6nKCMYUku7$91vTR5kYz4nHyhbuA/j6kPsD8Vfo/Rg7ri6Ympftra9V6emOt/mPg0AScECtYjSIxretvfQ3sPUF1Ho0IWx381"; - openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/raito.keys ]; +{ ... }: { + users = { + mutableUsers = false; + users = { + rlahfa = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + hashedPassword = + "$6$y/I6nKCMYUku7$91vTR5kYz4nHyhbuA/j6kPsD8Vfo/Rg7ri6Ympftra9V6emOt/mPg0AScECtYjSIxretvfQ3sPUF1Ho0IWx381"; + openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/raito.keys ]; + }; + gdoriathdohler = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/gdd.keys ]; + }; + mdebray = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + hashedPassword = + "$6$ujz06kXa4TgvPAbF$NaXkDuOUpf3.fBRh7JuygtS0V2U/Bz4N3DpbOznO.md44xEdlKwPH/pSbL9CQJBhI5kodaKZeSaoCyhzybBPA/"; + openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/sinavir.keys ]; + }; + hbarral = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/backslash.keys ]; + }; + root.openssh.authorizedKeys.keyFiles = + [ ../../../pubkeys/beigbeder.keys ]; # Jacques Beigbeder est tjrs root. }; - gdoriathdohler = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/gdd.keys ]; - }; - mdebray = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/sinavir.keys ]; - }; - hbarral = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/backslash.keys ]; - }; - root.openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/beigbeder.keys ]; # Jacques Beigbeder est tjrs root. }; } diff --git a/hosts/org/core-hackens/programs.nix b/hosts/org/core-hackens/programs.nix index 1fee319..47f1724 100644 
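Review bot: With the new `mutableUsers = false;`, accounts that set neither `hashedPassword` nor `password` (`gdoriathdohler` and `hbarral` in this hunk) end up with no usable password, so their `wheel` membership will not get them through a password-prompting sudo unless `security.sudo.wheelNeedsPassword` is set accordingly; either add a hash for them or state that key-only, passwordless-sudo access is the intent. The two `hashedPassword` values added here are also copied verbatim into the world-readable Nix store and into git history; the `passwordFile` option (named `hashedPasswordFile` in later NixOS releases) pointed at a root-only file keeps the hash out of both, and since these hashes are now public they should be treated as exposed and rotated. A short comment on the `mutableUsers = false;` line, e.g. `# users are fully declared here: accounts without a hash are key-only`, would make the access model explicit.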
--- a/hosts/org/core-hackens/programs.nix +++ b/hosts/org/core-hackens/programs.nix @@ -1,6 +1 @@ -{ pkgs, ... }: { - environment.systemPackages = with pkgs; [ - vim - git - ]; -} +{ pkgs, ... }: { environment.systemPackages = with pkgs; [ vim git ]; } diff --git a/hosts/org/core-hackens/ssh-server.nix b/hosts/org/core-hackens/ssh-server.nix index 9557439..784fe47 100644 --- a/hosts/org/core-hackens/ssh-server.nix +++ b/hosts/org/core-hackens/ssh-server.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{ ... }: { # Enable the OpenSSH daemon. services.openssh.enable = true; services.openssh.passwordAuthentication = false; diff --git a/hosts/org/core-hackens/static-dns.nix b/hosts/org/core-hackens/static-dns.nix index 21f27dc..a804274 100644 --- a/hosts/org/core-hackens/static-dns.nix +++ b/hosts/org/core-hackens/static-dns.nix @@ -1,7 +1 @@ -{ ... }: -{ - networking.nameservers = [ - "1.1.1.1" - "8.8.8.8" - ]; -} +{ ... }: { networking.nameservers = [ "1.1.1.1" "8.8.8.8" ]; } diff --git a/hosts/org/kfet2mqtt.nix b/hosts/org/kfet2mqtt.nix deleted file mode 100644 index 9a67286..0000000 --- a/hosts/org/kfet2mqtt.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ pkgs, ... }: -let - python = pkgs.python39.withPackages (ps: [ - ps.asyncio-mqtt - ps.websockets - ]); - script = pkgs.fetchgit { - url = "https://git.eleves.ens.fr/hackens/kfet2mqtt.git"; - rev = "4a9ca954fd4405ccbabdb0793f1a2f76c7561a8e"; - sha256 = "1g4gv2mc0kd108yw8y6gbskg8zhnrlwdnza8mhii2n8jidh63485"; - }; -in -{ - systemd.services."kfet2mqtt" = { - enable = true; - description = "Programme qui indique l'ouverture de la k-fet sur le broker mqtt d'hackENS"; - after = [ "network.target" ]; - serviceConfig = { - ExecStart = "${python}/bin/python ${script}/script.py"; - Restart = "always"; - RestartSec = 10; - }; - wantedBy = [ "mulit-user.target" ]; - }; -} diff --git a/hosts/org/mosquitto.nix b/hosts/org/mosquitto.nix deleted file mode 100644 index 1fc3079..0000000 --- a/hosts/org/mosquitto.nix +++ /dev/null 
@@ -1,20 +0,0 @@ -{ ... }: -let - port = 1883; -in -{ - services.mosquitto = { - enable = true; - listeners = [ - { - address = "10.158.1.1"; - acl = [ "topic readwrite #" ]; - port = port; - settings = { - allow_anonymous = true; - }; - } - ]; - }; - networking.firewall.allowedTCPPorts = [ port ]; -} diff --git a/hosts/org/wiki/default.nix b/hosts/org/wiki/default.nix deleted file mode 100644 index 8b40a34..0000000 --- a/hosts/org/wiki/default.nix +++ /dev/null 
@@ -1,128 +0,0 @@ -{ pkgs, config, ... }: -let - hostname = "new.hackens.org"; -in -{ - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - services.nginx.virtualHosts."${hostname}" = { - enableACME = true; - forceSSL = true; - }; - - services.dokuwiki.sites."${hostname}" = { - enable = true; - - extraConfig = '' - $conf['template'] = 'bootstrap3'; - $conf['license'] = 'cc-by-sa'; - $conf['title'] = 'hackEns'; - $conf['start'] = 'accueil'; - $conf['lang'] = 'fr'; - $conf['breadcrumbs'] = 0; // On s'en fiche de l'historique des pages visitées - $conf['youarehere'] = true; // Par contre on veut notre position dans la hiérarchie du site - // On veut que les liens externes s'ouvrent dans de nouveaux onglets - $conf['target'] = array( - 'extern' => '_tab' - ); - $conf['htmlok'] = 1; // On peut mettre du html dans les pages - $conf['sitemap'] = 7; - $conf['rss_type'] = 'rss2'; - $conf['userewrite'] = 1; // Important, sinon on casse tout avec les règles nginx définies par le module nixos - $conf['useslash'] = 1; - $conf['plugin']['tokenbucketauth']['tba_send_mail'] = 'hackens@clipper.ens.fr'; // Ban auto des IPs qui brute-forcent - $conf['tpl']['bootstrap3']['showAddNewPage'] = 'logged'; - $conf['tpl']['bootstrap3']['fluidContainer'] = 0; - $conf['htmlmail'] = 0; // On envoie les mails en plain text - $conf['authtype'] = 'oauth'; - $conf['plugin']['oauthkeycloak']['key'] = 'wiki'; - $conf['plugin']['oauthkeycloak']['secret'] = file('${config.age.secrets.wikiOpenID.path}', FILE_IGNORE_NEW_LINES)[0]; - $conf['plugin']['oauthkeycloak']['openidurl'] = 'https://auth.rz.ens.wtf/auth/realms/hackENS/.well-known/openid-configuration/'; - ''; - - pluginsConfig = '' - $plugins['authmysql'] = 0; - $plugins['popularity'] = 0; - $plugins['authpgsql'] = 0; - $plugins['authpdo'] = 0; - $plugins['authldap'] = 0; - $plugins['oauthkeycloak'] = 1; - ''; - - disableActions = "register"; - superUser = "@admin"; - - aclUse = true; - - # Il faut packager les templates - templates = 
pkgs.hackens.dokuwikiAddons.bootstrap3; - plugins = [ - (pkgs.stdenv.mkDerivation { - name = "commonmark"; - # Download the theme from the dokuwiki site - src = pkgs.fetchzip { - url = "https://github.com/clockoon/dokuwiki-plugin-commonmark/releases/download/v1.2.0/release.tar.gz"; - sha256 = "10SVyqkbkwzF/m4aTHB/ssXJK5rjQbLxYOAFDKYOxTY="; - }; - # Installing simply means copying all files to the output directory - installPhase = '' - mkdir -p $out - cp -R * $out/ - ''; - }) - (pkgs.stdenv.mkDerivation { - name = "catlist"; - # Download the theme from the dokuwiki site - src = pkgs.fetchFromGitHub { - owner = "xif-fr"; - repo = "dokuwiki-plugin-catlist"; - rev = "065f8d2f4817409989b9342b901163452fb9f547"; - sha256 = "1l7bvnqkai8qkqqb67w8yy7fbs30dviqc36pyqggzfjhi558i9ih"; - }; - # Installing simply means copying all files to the output directory - installPhase = '' - mkdir -p $out - cp -R * $out/ - ''; - }) - (pkgs.stdenv.mkDerivation { - name = "oauth"; - # Download the theme from the dokuwiki site - src = pkgs.fetchFromGitHub { - owner = "cosmocode"; - repo = "dokuwiki-plugin-oauth"; - rev = "2022-01-13"; - sha256 = "ruaw8MqSMgopULD7vxed44nbowjVc1e4H0Q7JEL9pD0="; - }; - # Installing simply means copying all files to the output directory - installPhase = '' - mkdir -p $out - cp -R * $out/ - ''; - }) - (pkgs.stdenv.mkDerivation { - name = "oauthkeycloak"; - # Download the theme from the dokuwiki site - src = pkgs.fetchFromGitHub { - owner = "YoitoFes"; - repo = "dokuwiki-plugin-oauthkeycloak"; - rev = "2022-12-23"; - sha256 = "jV4CCVJ+4vbWE52ocsJnHR5oIM5ZM/5aYub6wxkVado="; - }; - # Installing simply means copying all files to the output directory - installPhase = '' - mkdir -p $out - cp -R * $out/ - ''; - }) - ]; - }; - # On veut php-xml - services.phpfpm.pools."dokuwiki-${hostname}".phpPackage = pkgs.lib.mkForce ( pkgs.php8.withExtensions ( - { all, enabled, ... }: - enabled ++ [ - all.xml - ] - )); -} 
diff --git a/hosts/org/wiki/media/favicon.ico b/hosts/org/wiki/media/favicon.ico deleted file mode 100644 index 72139e34003598ea53b91426685b27e1287f6575..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 15086 zcmeHOd0bRimM(wEbY^-MGfU4*PfS4etwf!P-LXwnj9XL`Wf5fGq1bmyC>E_kP!N}Z z2m*>Mf*`UfTU9|pZ4|igkvO(Vo7fu1Y$hSz{?0=TO%R<)ocUww{k-0{+;`7+zI)!S zchC3W@uu-!;u#w9P#f}UUgh!T@p!!1vmYOu@_55I_bLiq4}O`)lc0eG+Ta%6A{08$ zZD^z4^bF`3&@(U<13H~9xvp}Lvb;!q>|jC4?z-|V%bwO=tJSU<8XB^C+V%g*d6iOe zV(k*+FYVr(!IsRM!5o*G+_n0v@ zt-Y=8W4Dz?%*)=0g}RurRd2t+mHe&V9lgCLe?75JX=h_;q{p1kvNvy3lhJG1 zp4jGjkHO_z<@>}RJ1j9|PD^L9jVop{uQkSO<8ni`c98+g-{P&3wO7&f{$#^=Ey$My zo_BlChKf98FnH%7*iU zgM+_)PSZS%MiqQ;f7VCq78^3M@4Rd#b6q)F$gU&KIpLhk@|kSYdnmvb?rh59+{~FL zIP!*FpLHh8-@$~1Z8T$XUN&Es?@j19RIWY`Z%Y;hEP?P{fVheCuwW^^mMk3Sk^^V| zF+0IdUQrnBJP`-RZ(Du!`$OyO3?KQ!&N^^S{`-SViUDt&i*+>z7e;K~cEKscd^`N= z8}ru>{`zk)Px0VUX?plI@=5vgWFPA{?+C zTUDAp;EMPnyX31c?73p>oge#4cH@2LU2m){?AK~k#WI=f<(}^LceW+2()h18WkF7+ zObFk}ZYX#U1J-2NrgNDA)@*CAHOmg?v#f9%wmsU0<;L>a!JIW$n+}UtD*NR_u=9-@ zY!SafF8nVk$6xLrQ7;XwjA!%YSsA@=b744$*&F;CY%g&HTyoz&yopT z%{Z>f=gnSLOzdyXBtbT8o4|(ch~l$?L|ay#@#c56h2Gck#9kOsD+YVIo6nRLq?|d? 
zbVx33Z#byz>y87z?@`=pG#WFdQu$YtjMrZP%Mz8MyR^Nz;!LEw*+{Cd6^qzp&Z02p zN#Hpa7!puRLabSCB%kexpT#P(SKd}BIxnFA4JhVk&Ybyc@P8ir_7iPPc8qq8J<{gN z=K3OKVRpb-VX*C2ab(Bag0ma#X~Efz1MlSXmdJTu)|4cvkCi6sq^;%WG-^eaR@?LX zWPML{POVnY=(?4vf%ed5Bv*mO{ zWw!KqOwa)rbC?o&h}rdIlzA0Pnj~ZX;=oJv5N9htspz!&iFPeIAd>!W%r^^mHEYrSxAQ zyc8OTGu@vX<|nYWXJ7k{u<;&WVnvhM9?f$8h(`&;vrw!0 zKTi~_{9+yD*SQ=wa__KD`Fua*vjd$>m_2gR_Q?MSIrHzGXe>D~SzeNmVJufP)fQZ& zdpDuDBS%hoYUGF?iNfEyyeDH_RaaMo+0W%gkE|nB(bM@~Twb0qgEO+{v(6YfX&M6~ zPCFp|fc$f?Gh}`ntR7S!Nbgql$-FRcHEA^cm-~9!&q>?sPPMljQg*dfedLL8#R(O)$3yOis$Ez3Ml`PZN71D>&8Yc%RF#Ys-LDc?S(Ef8jR*bhK%JHXL|%Zn3k z(jcfE#T4bn#R+SM^F+><12&j`;|ZUM@8I<&oEAZP1mWg#^w0=MlZb#O;E(I#*mplh zPIKs|;HP;G+;z1cE5AaqO&Zneci!OQO{}Vv(m8B9|P6Is*PA`P*!$`8tA1OKUx)|x9W zD@-0f!42%Bp9DZF6M)CDI0=Im6batOv?H2Rc4xX>(rPsia)b^yJP;@2ag%=Ki&*i4 zKMBa^r}|)A&Glcq)5QW~C(6vRy$ zaEidc7`oPuFdHTbwPrh``D|wlpY4Lqvo~oLD@e9wM|Q6Medkee5%~a{1&Eom>oJdb zfM4Qx{Bs%aYQek^%j0p=9FiJ3|4LKsUZrk8a|0Zdg7-hmj-5Sw_U}vb{3??C=YC3j zhXA)E(3*>rG2CH@anc}(ZxMV;2lg#!lL_8)fIk=7SRU~2isN(G_ieUiMJcwdSTvi} z<}d$faA06B@Za1T_udB%n8RHWBlND|1|I}&bG}KBTK;LSXyfp{9iitdi&BT0j_lQS zov1n8ujssl`+8B5Q8>MEY&<8{^6rMb_r>nl!l4~z1=|4csE$au;}A26(6|ykEjdju z9eSo1*d-y*_JDsEc+ZEXxF>NID-_ORwFTa{8Y7x8r&^_;p3SjGhzXbt1;ejuAtqxF>5K`1i!~+5VKdU$r;vq37!pyi+;=&mxTX zZ|Paa{)kf1brsi6`a&NI&`0)wMs=}Q)-qgmKy)D^a{ecztwG=8<`bGz zNXsNmF^;$g{uJ;Yk2(p@Zc3mP+X-DW53xhqX6-K5Tbll^+d8eL8^6u}HqkEZ(Kzg$ z>iu!zJ>!qj=YQb-gBo?;m6J^e&lKkdo)-qp`HbemWPf1twO}-V#CZOII|kTEhow1% zwAlQpS)4YRD}49U?zW1{P1V^$U5$k|)qNee5#yK}23)7YH`TTASjX>^?umX&H7do` z{X6_fKYchhhf{24L&HpkmMRK?Rt$Zd^xW~diSI=4Ed<}G&{{J>tw(yLP1nH1eiT0X zwn6>E^gxVTwY0tdT!O#NoizNOrT`D=`xG0y)A&pb{Z)dp1zK=Ad=LUF@jZq+1983` zb3Ezq`7yItO;Oaj!9m?EV4gmnrx&sRIA%Ug4W4_Gz6VJLE_y!W5i9#7wk#JK^7cd< zwlxwOas;@Ajw}wd=J-yAmb@7{cBTMxe6;oVJB7cy(^{8*9en=*W$BB+JF!o26oPl* zGZZIO==l_3{3~`X{OU-NIC;G6a<8=Yx<=J;MXTDvBY>lkc?fw`Tfnat8YPr0WyI)~mw2 z?5cKc4S1rfDwT4l<5l_3%$1iFW>!;<-ec8F=DC)CvmiT+`$k;W*}Nbr)b3hx=;Hm7 z)lG_|6ZKqFH7>X_&h7dnx!GvLb(Y^*sPJpN=fVK 
z)2Ck>^L?_q{X|uK$hb>$IxH6_BxhH{aQyuA+V)*suOtdIXs=SJrsnukWq fA5bgGFb`smOUGYl;U7NFpR5A#72daA8S|YQY0Zm z1%02F_4(B2R-JqHKKtzR+iU&SZ|zfxGj_&~(^jrr2@nO&18xG&1x5hvz-r)Yz^0;e zPs;p1_KlvgKYc3#*f`*m!21y}4%isreBcMeaXt0NzTq?Wr)@=moDcjHPysvzY(YT! zZeThB*1G|FDqa%KfbxtT!-fFz%fPRJ`+?4)(?$a`f!_nUQw1cP3EyYzt*s9D9PlXc zeRvaJJm7wY&4vY(Yu2nG9*?Ua2&^%NbIv*EZJDhzcKWOccsBuY;JzWpPn(@GC{w8v z7HWaNk3}P)LalnKxq0is-u~Q-QB{neG3T`3#2GtnHXgVh0c85^03-|pr%a_%D8-*; z3gP{S(wTT=Jhrbi7HN)ndPBt1ulle}V_UV>T?s{B)rhh%mkX$Aoc^}l;2Aq{D+1p& zz)yhBBXZAa^OQyX)(uPe)=I_u@_~QXQz=X#H*WNZs&RFd&1ToezS3PivBk z7M+&KIb(0I`A9Uq0QerzbviCm1ju>7KMo5hjkPW1u}HQw>X$XWww>4Z>__`iwAPV$ zWm$FAl*!d)x$KmR+7Tqefbx{#12G!@43*}2UAT=n-th&GI>g4FKVv2y4YQ?{aUYX&3U zaF4szeVz~ePvGk-SFSt+r^RDV1?~hE3=1f&WlP-mcFdbNcHV|yj7{cY`J zvswIx2F%vi(TN1MP{8H`$mb(yKSB_om4_|lAjqS%MtdIG^YHvAek4jo++%9ph&ks? z8GG^Mn)2(h_OpdB{Mov7>+Isii%<0yMgX4yCL<5^HADhQ5BJOuvrPd$<;HJ;HOPYv zhpGQP?lS^>95@@1gq~fwa^)5vf2!bg?I*Z#p9^I5sdPAC$+H>{0FNx4GSSOcbzC(P$4--%0-J7kxHci?i!JZE&t$(wpgqtU4Mm8G|ZaAQqPP4CH$zp1H-WHQ+ad=>%cXMpQYbzV-lxpD6R z{s#h>9|MWu=-Yusxqdre^`pgdq~XKL?m&h3=y7 zCIcS^GQhtfAP4cZw*cLUDF0(be(LuT0y_ryd@7Y{JsDswT)2=`t5(t2*tjJ$=EHSm ziOa5DFzrLjrZ$|trKP=c)9w~;+r9&|b@q_U=Liq9;8#=$@IpfnW)1^X%wkbs9XO4_ zT7%Xxym$pcu9tPM?N;;0)y3<|OTN(ApS`6dmME!=M}iRve}Bx^FB)qfT$f6%QII>? 
z#rFS@4QIKy0=OOc0K!pkM|S>n06C<@_y#~0{q7^c9e9wlkWCuz0Q!L@q*Unvf9*bh zgs3cmYt!K)tD(fxs=`{n-rUr*83-1hU{-t0HP-;JcJ11psP8?H$rpY-rlMrdn2OR1 zmQ5aeVS8U@&Yq5*5!+ikBHLRIvA?Z@?%rMsg#y}-qoWCowSX0_X#rIXP6V_TFoyoV zoVxef_0}p?ohM%HMG{n$_%zm(k6t#hZsDwvV9MG9Zjj!PK!{D6SZVAsem$| z8sTtVKp$X_=8cNHZVV^~N)gW5f$&z2qpc5Ay0#(WsnW-~?x~mqRw?jBL<0H<0-(O* z@Q4by1h^3?N8S%i1O5d8rbVd5XxHpIpb<$XbM8K)?z^pOT`HAp+I=um9`$LgtKOT4 zc)#_OTBG14t<+9WtKPV$3;EF4X>;eD(2X`XHIWZP5)r>lD>d0dGB9>oU%s%gBb}YJ zud}D}9!&tGm}*fb~V7I~E{4;IDwMBN6vG;J+i>d=rpDyx};6|87A< z`7Z(c9GFJ~R|9_z-0EwkvKzPWiaxWpnVFL(HcX!|?n90BBd;G>QQA`)i|&p`{C&RG z`y!s+yK%!yZ3@+`6g>*MwW3==r?Iv>G&a+n%?IVN2xl!=2tbjyO#>S?u5aGpYjsa$ zEK*$+k4~FdQ-0-=Nn>tUJF$N3_kOXOKqZJID#)h~V#6HPI(}&kSc|ptsgwtR7byia zlD31=27(;@eFgQ@)_%6Pb@85AW0GgpSKl4g>YEWyKeKtm`ba)7`Ow;J*4hrw^H{iW z;n4ZEZiRo|P1xhW4n!JRghZDMfR6$@i`vy7{Aigw-t2(Wg?QT}!pANG{ubCjWRc8q z4|f5u7FY!wa*Jb{YxkF~&x;-4jiYNt(CgZ`)qU75MYf^c0<3>4smFb< zk-e3703+R3(}90RGWYKyUa-@FatUx2@NEakg|6*tcYnVD{?k`VWy%w=@~-xF^?X|! zYu9fi9*_H#6=gM*<>fV%6=e%Xl$TLf5+@Oln?x*TO5)L=G7-<0#-o`;G}2j-h;@`k zBYVnX(U&ath32NFmkY*pdP>>ikU3Yt8Uk(mcW!U1pD^k9R8zCxmn+<2OsK6k7z@^f zV60Jg&zV++ZbJI;X6$5fK@Ey0R{~Pdn(ev=!>i!-gjeIPk z1K5m^cvIv_eME@w8cl{VActGsvx*}hJd>FuTkBwQ+mip25b<(eR)wZiuzk$5Z`sVFTe z8C6wTX(!azEt@&M{+cPHM)Zy>OKgdG-ov3WKY4NOy4{|BBRC&j{T#gk@gLsz$dx5ikI7vvnqH>a(4GWlDFV=>V!J{#@;5??2<$?mrk3blJihwm}tLRSm zsfRXa@jR6PRiZu5o--lfy6Gd|74y|9Yx#+_#SY^zC|4tbaa%EmOD2;c@R)mmHzS)C zcDQr0z%P#UARRCR=M8>_c)e;QEGH1JY=93T;{8zGX_LuhE86v9WZ1zvVw%ewPQ5s!Vyf%ipsJV5A33-F}7 zb|-*uj9E3KzIN96OBZ>M{dTn%_IKlzRulGjp+ZMZti_AOiIvrm>pnn`?IFl2vP#k2 z(ZT+``_vy^d6nNJ61uLowqnuDDQ90Wck1GC)#cawp88+L+MlFSscc0&LaL>ki6hFU zKk(f8+a6DCytef~Yq>Q7Ht`wium`jlm*g0%%>xQUAB9{Vr8M|4l-AfVMEOyyF(|F1 zGGu)4Lhw9{4KblsD1~Q?YVGRo>C9H%F}b?*v2;EdI`0bcjGrG0$RcooWRid99{vuF z!;0FrxQ8_$&@V+i=tqwN$l~@E;k19nkty9kj~1LD_Oa6Wv2tF!d0LK`u8n-Kj!J#*PXlYz1eJ* z)oXrF*w=|Q^02&UDcBH`?ImjrHs6o6Rvf6sc~Za{!faNxw6>|Aw;bTb&0E#g=PsUe z{>;WZW1gO2to=$)Ht3l*s&c`z+xGtZ<1emX(z3q=rCntQFog_3Mq|TZFw@ow>wec> 
z0zXnoXmX&Xyml-=fbI$iiAT1b9aS@|+qaVEFocF|{5&N5`*Qi3ipmZcow4#nM$dm8fiwe3N2wkRY0!cEEELq1Z zh?S2d*VD>@y?fL>k9KpgduhpEESd8UB@r(X_4JRn9_;+qe?8Z{WdGiMXsvM05U`kB zFD92R63solSh*|&Qy5Hkz=2RgcbMrUS~U)(AjozTX45jhAS=p}=P|mrCcB_v^n>R$ zR(|cO3zuy!?0%W(gcDN}j%7nQz|1Ktp1vHf&NKgYBI z0@`A%{oBfTwDSWOE&agAs*31CkNuY3t}gQ32gPezBbp%=FIqyZdJOq=2VsAw@H{_C zq@)^S!Q?Y&AeZjt7f-EG#u)Ft=ghm=qAp*(aa-fI?b}gUtVKAa1GRP9q_PUMM*A^r z7>d`!V!}R5HY=f9xhjv=SQAj_IUq7oz7OR`Q7A%dNhA_XpD=dk(kbKbxNOd(dtYyD zO9R6SNM}(boPQG7j#MvFh=f#db6tUW&-Wwbe&87-5YA;!?2>OViC$iB;mirXA#2CrQEYJ|(D{i51+i?Q|} z627zD|2owN?EKI0ULmd z5iK1_knP4~dxVanu=yN*BxKac+U%mK6MnsX+W4>j`31|HdRzC{nX_h{GWw2UmofN8 z-yMiYe3O?-CX+9?$sYh^fN;Yq2aMpjuJ&g09ALhL$UbQ#+t$Es$z-zg2*9jDw8a{P zf3_9@tr#>HBO5VZMndsWLA?_JW%w51Um**y7MO_0Kr<1~-hf1lFZnQ7=}4tg>Co73 zdYU~eW={I2MC9FLzxTi+wxji+Vu1Tuh0SNlcM6wPF4Wo}Am7!3@}qbqm4yABheLb5 zKh1-W|4spfg*-|rtO4bVC~gWF>;UMT=TzDw$o3Luy1=-dSW01)CR$nx))4e}5@dS_ z3t3Q#SS&_GSt)hZmBHBB>P-{sYVW*k?xY7_-LUcZ9?^OMPBvSY}&qR2uhN6Lz8ks5XJKOT5L5|&><#Pzl# zlo;Q{4U5i+BmDX-MB^Qg$V34WMRp@^LLNf6a?2ZBw)2`nAvE_zv@R^3((v7`cU@BZ z!=FA(wlD3Hivfq}sw#G1Mg&YY$P=bJoTPL3WWsD_kSjW`s3WCB%WKH@w&6ufuqGhr z@4yB*^4&i=>9#dWZ#O&E~ z_7?in%$+@((`-HxI$z-!+|2R61mcy7<(wyhzd?Zgon$h3JY~pQB=n{jtl$)zMZ&3N z5SX7xCX?+&=cF0T;NOQNcz3ytyb}>k^g~Fp^fwMbN3|kvSPRTW_Fv9KB%yrTh3nOKlS^yN+~5gZs1dEl=eV-=tzX1rwd!i zOERLA3*iIVwZ&S6ACIFw-{vzJWivfk6JUZII$DYak#&?32}ljL1%-;0fwhEvZJ<5Q zTfC6-W>0!~YF+i6Rf*W<%0zU>==xFZxkLNH*!Wq8z4!^*@$$Oj^8&=fO+|R)8@6>7 z0ck8!e!GFeeTpFR(ki4)mGMThT2>k;OeKz8e6Non0HFVrX^3g*`67+3ECi(=9 zS|EwlOUNQgAiC_eZv1tK5dNe)zO@K=LxHFr5Emh#ex93?6jF}e=&l(asgI#{L~`qZ zX{@zBh)2BTSDv%*%1zsLaIp2D^L}bzzl6v`fFG|W%=BS$Spn;ShXahYcz%R&4Gp;q z7thbsRh3sXzqX5A`wyt@o?Z%}Z}IYYS}VV#j*gBFOc)^kSCSxQErf+Z;Cc~ej2+2> zaU&m}eb&SuZrboV^^@lwC!UT7n8^+_lacIrIj}F8Om4=7G-tI47g~Vmj0=(Q^*aZY z&jJ7HgzkZgMjcWGy2(B8pCQu9IY|9{3-DDWwEYKCo_ipfOzuOxiFTlwgw(`uKs?Xq zk%dr()Yy-<$8jAZ-+atH^Sd8?^wGZd_V$f8-gx8P*4hi*7`2;&u}F35KahlJ?-4?_ zLb&Ks;GGVT2GJ?Mg4E7Cj|YT9?WnHAB|iWcf_mV-r(URe=*i!qT-GZdQ=>dB8+Mh# 
z=5m;P78?YILoU`5Eh%OB(#0Js=FR--{D!(M3VV4zG_!g#`MPv2Uy=_(V<8)l_+@)L zdK&(1)h|^h-RrXKfdoq=C#=B)Std13EZqFgcRV_$e#EW)`C#YCZclTdj3A!mJxIdf zBZ6-$62dkVHMs%dSTXmLLwMX55f1igB%E$Tq?RfNHV~QSUy#iQcOYO7-Gjf&0pk`# z7&i#Io_Pi-fqtZ^sp*-OD_6e9 zeLvNWXEP!#{Q}4qCqD>BoP{io%aO>i77_H zX~feNzNceKDWxII1mW!ut=;^Adw>2o7~}T)I=Ki*j4CQC?f7wHw=A7GKn|x14 zf3_p;>66-)Rs>3r>~HLlxk)2oD_3;93dx)!a9GbOAevw|vZ>-y_uxv9-9YPsXAr5# zAPLPx2DQuW3~H1f!oyY|VY(Ut{T?LLu0ymx;{Y-Z(L+H(A>= zw|bt}f5jD7fNY$ob^RVhJY}&Bc>8OS8g>itUkFEh4G4zoWwPS|B}%F5GKJvYZ`}X$ z=u4Yl!SnpV-QY?Oda`JYFw;la*Ne4KQdz}i7oNNS&z8>r$Mfe;`ae5&9}F93ygBJu zw{9I#PuKP2g2%u0(Bt!)UfztSwS;P=h{hAt*3^WJ4P&=YZK!`>dPDt>-+R&W9Xt2z zvyJ1&4a-Cfmkp^5f#Z57x(9N&`Z-xE+Lks6i6GY^!2CTThChv4NW=YR<1u%c3?x0) z+7}ZMf6w&B@sl@fdF_pfju*j;CCIh4Q0QzMh}cxr)^X_t=WcoTlDVHaf7#q$?cKW5 z90`!AR7&1$^}J=HHy5hIu|w!U|2!*qwRC~=vAY>m6d{rw>Dzmd>>%5O0q%Z~TOvHhM_o5t7GOpbV( zAQ*guQ)z=5c>l~8LItD7HgLs7E7o4NaMs^1U$W@=bn8wUrXO9jj(9rSpAW8U-my1P zUQy1h8Pl>2^`o{-9#i+!w9z$>%@|YLG;ZSLc1-`tX4GfwEvzVcnTqh}8xV?eA5su_ zg|~PwXSnQmL7B(0byRf)QKiVHyU{MW36&z>aR^%|fYvllnQE@OXvJd}&zpYhx?Kle z?b)+~vQZO{*lAN!6V_S+W9H?9@a&0WMy*{ub;64cBdb@BA5r;20j(ZU2W~{d^uvh0*~~F2HK)Ul`xRS@-BD3mV#^XS)v>S7ffB6JXg@+}WhIlQ zPVIj8c}wrVbl&tY?>X4H|0C~Qgo@W3y-!izOO55DiHP^a)$^x*cGC2jo#fM2#mbL& zXlLvctf+Q3?hH@a?Q zd&8)a&rTdO>h4PyOj~`hvp09qxyz1s4AYPj)NP&V{*E)@`R%hJz+H)C`(H#hFSiW& z{%y76_LRojwz%)@z47w%#&oS%k~h{Kj7Fn7%i^)8YsyQ0J7Ls_jp@EjX5^@`)QvtN zV7-oTm{Z1ER(jdCC9)03~!qSaf7zbY(hYa%Ew3 zWdJfTF*7YOFfB4RR5CC+GC4XmGAl4LIxsMis ]; age.secrets."wikiOpenID".file = ./wiki-openID.age; } diff --git a/shared/myModules/custom-dokuwiki.nix b/shared/myModules/custom-dokuwiki.nix deleted file mode 100644 index 525d75c..0000000 --- a/shared/myModules/custom-dokuwiki.nix +++ /dev/null 
@@ -1,386 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.dokuwiki; - eachSite = cfg.sites; - user = "dokuwiki"; - webserver = config.services.${cfg.webserver}; - stateDir = hostName: "/var/lib/dokuwiki/${hostName}/data"; - - dokuwikiAclAuthConfig = hostName: cfg: pkgs.writeText "acl.auth-${hostName}.php" "${toString cfg.acl}"; - - dokuwikiLocalConfig = hostName: cfg: pkgs.writeText "local-${hostName}.php" '' - - Mutually exclusive with services.dokuwiki.aclFile - Set this to a value other than null to take precedence over aclFile option. - - Warning: Consider using aclFile instead if you do not - want to store the ACL in the world-readable Nix store. - ''; - }; - - aclFile = mkOption { - type = with types; nullOr str; - default = if (config.aclUse && config.acl == null) then "/var/lib/dokuwiki/${name}/acl.auth.php" else null; - description = '' - Location of the dokuwiki acl rules. Mutually exclusive with services.dokuwiki.acl - Mutually exclusive with services.dokuwiki.acl which is preferred. - Consult documentation for further instructions. - Example: - ''; - example = "/var/lib/dokuwiki/${name}/acl.auth.php"; - }; - - aclUse = mkOption { - type = types.bool; - default = true; - description = '' - Necessary for users to log in into the system. - Also limits anonymous users. When disabled, - everyone is able to create and edit content. - ''; - }; - - pluginsConfig = mkOption { - type = types.lines; - default = '' - $plugins['authad'] = 0; - $plugins['authldap'] = 0; - $plugins['authmysql'] = 0; - $plugins['authpgsql'] = 0; - ''; - description = '' - List of the dokuwiki (un)loaded plugins. - ''; - }; - - superUser = mkOption { - type = types.nullOr types.str; - default = "@admin"; - description = '' - You can set either a username, a list of usernames (“admin1,admin2”), - or the name of a group by prepending an @ char to the groupname - Consult documentation for further instructions. 
- ''; - }; - - usersFile = mkOption { - type = with types; nullOr str; - default = if config.aclUse then "/var/lib/dokuwiki/${name}/users.auth.php" else null; - description = '' - Location of the dokuwiki users file. List of users. Format: - login:passwordhash:Real Name:email:groups,comma,separated - Create passwordHash easily by using:$ mkpasswd -5 password `pwgen 8 1` - Example: - ''; - example = "/var/lib/dokuwiki/${name}/users.auth.php"; - }; - - disableActions = mkOption { - type = types.nullOr types.str; - default = ""; - example = "search,register"; - description = '' - Disable individual action modes. Refer to - - for details on supported values. - ''; - }; - - plugins = mkOption { - type = types.listOf types.path; - default = []; - description = '' - List of path(s) to respective plugin(s) which are copied from the 'plugin' directory. - It is a good practice to package them. - ''; - }; - - templates = mkOption { - type = types.listOf types.path; - default = []; - description = '' - List of path(s) to respective template(s) which are copied from the 'tpl' directory. - It is a good practice to package them. - ''; - }; - - poolConfig = mkOption { - type = with types; attrsOf (oneOf [ str int bool ]); - default = { - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 4; - "pm.max_requests" = 500; - }; - description = '' - Options for the DokuWiki PHP pool. See the documentation on php-fpm.conf - for details on configuration directives. - ''; - }; - - extraConfig = mkOption { - type = types.nullOr types.lines; - default = null; - example = '' - $conf['title'] = 'My Wiki'; - $conf['userewrite'] = 1; - ''; - description = '' - DokuWiki configuration. Refer to - - for details on supported values. 
- ''; - }; - - }; - - }; -in -{ - # interface - options = { - services.dokuwiki = { - - sites = mkOption { - type = types.attrsOf (types.submodule siteOpts); - default = {}; - description = "Specification of one or more DokuWiki sites to serve"; - }; - - webserver = mkOption { - type = types.enum [ "nginx" "caddy" ]; - default = "nginx"; - description = '' - Whether to use nginx or caddy for virtual host management. - - Further nginx configuration can be done by adapting services.nginx.virtualHosts.<name>. - See for further information. - - TO COMPLETE - ''; - }; - - }; - }; - - - disabledModules = [ "services/web-apps/dokuwiki.nix" ]; - - # implementation - config = mkIf (eachSite != {}) (mkMerge [{ - - assertions = flatten (mapAttrsToList (hostName: cfg: - [{ - assertion = cfg.aclUse -> (cfg.acl != null || cfg.aclFile != null); - message = "Either services.dokuwiki.sites.${hostName}.acl or services.dokuwiki.sites.${hostName}.aclFile is mandatory if aclUse true"; - } - { - assertion = cfg.usersFile != null -> cfg.aclUse != false; - message = "services.dokuwiki.sites.${hostName}.aclUse must must be true if usersFile is not null"; - } - ]) eachSite); - - services.phpfpm.pools = mapAttrs' (hostName: cfg: ( - nameValuePair "dokuwiki-${hostName}" { - inherit user; - group = webserver.group; - - phpEnv = { - DOKUWIKI_LOCAL_CONFIG = "${dokuwikiLocalConfig hostName cfg}"; - DOKUWIKI_PLUGINS_LOCAL_CONFIG = "${dokuwikiPluginsLocalConfig hostName cfg}"; - DOKUWIKI_ROOT = "${cfg.finalPackage}/share/dokuwiki/"; - DOKUWIKI_USERS_AUTH_CONFIG = "${if cfg.usersFile!= {} then cfg.usersFile else ""}"; - } //optionalAttrs (cfg.aclUse) { - DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig hostName cfg}" else "${toString cfg.aclFile}"; - }; - - settings = { - "listen.owner" = webserver.user; - "listen.group" = webserver.group; - } // cfg.poolConfig; - } - )) eachSite; - - } - - { - systemd.tmpfiles.rules = flatten (mapAttrsToList (hostName: cfg: [ - "d 
${stateDir hostName}/attic 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/cache 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/index 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/locks 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/log 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/media 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/media_attic 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/media_meta 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/meta 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/pages 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/tmp 0750 ${user} ${webserver.group} - -" - ] ++ lib.optional (cfg.aclFile != null) "C ${cfg.aclFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/acl.auth.php.dist" - ++ lib.optional (cfg.usersFile != null) "C ${cfg.usersFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/users.auth.php.dist" - ) eachSite); - - users.users.${user} = { - group = webserver.group; - isSystemUser = true; - }; - } - - (mkIf (cfg.webserver == "nginx") { - services.nginx = { - enable = true; - virtualHosts = mapAttrs (hostName: cfg: { - serverName = mkDefault hostName; - root = "${pkg hostName cfg}/share/dokuwiki"; - - locations = { - "~ /(conf/|bin/|inc/|vendor/|install.php)" = { - extraConfig = "deny all;"; - }; - - "~ ^/data/" = { - root = "${stateDir hostName}"; - extraConfig = "internal;"; - }; - - "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = { - extraConfig = "expires 365d;"; - }; - - "/" = { - priority = 1; - index = "doku.php"; - extraConfig = ''try_files $uri $uri/ @dokuwiki;''; - }; - - "@dokuwiki" = { - extraConfig = '' - # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page - rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; - rewrite ^/_detail/(.*) 
/lib/exe/detail.php?media=$1 last; - rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; - rewrite ^/(.*) /doku.php?id=$1&$args last; - ''; - }; - - "~ \\.php$" = { - extraConfig = '' - try_files $uri $uri/ /doku.php; - include ${config.services.nginx.package}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param REDIRECT_STATUS 200; - fastcgi_pass unix:${config.services.phpfpm.pools."dokuwiki-${hostName}".socket}; - ''; - }; - - }; - }) eachSite; - }; - }) - - (mkIf (cfg.webserver == "caddy") { - services.caddy = { - enable = true; - virtualHosts = mapAttrs' (hostName: cfg: ( - nameValuePair "http://${hostName}" { - extraConfig = '' - root * ${pkg hostName cfg}/share/dokuwiki - file_server - - encode zstd gzip - php_fastcgi unix/${config.services.phpfpm.pools."dokuwiki-${hostName}".socket} - - @restrict_files { - path /data/* /conf/* /bin/* /inc/* /vendor/* /install.php - } - - respond @restrict_files 404 - - @allow_media { - path_regexp path ^/_media/(.*)$ - } - rewrite @allow_media /lib/exe/fetch.php?media=/{http.regexp.path.1} - - @allow_detail { - path /_detail* - } - rewrite @allow_detail /lib/exe/detail.php?media={path} - - @allow_export { - path /_export* - path_regexp export /([^/]+)/(.*) - } - rewrite @allow_export /doku.php?do=export_{http.regexp.export.1}&id={http.regexp.export.2} - - try_files {path} {path}/ /doku.php?id={path}&{query} - ''; - } - )) eachSite; - }; - }) - - ]); - - meta.maintainers = with maintainers; [ - _1000101 - onny - dandellion - ]; -} diff --git a/shared/myModules/default.nix b/shared/myModules/default.nix deleted file mode 100644 index 7802e6d..0000000 --- a/shared/myModules/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ pkgs, config, lib, ...}: -{ - imports = [ - ./custom-dokuwiki.nix - ]; -} diff --git a/shared/myModules/mqtt2prometheus.nix b/shared/myModules/mqtt2prometheus.nix deleted file mode 100644 index ddae505..0000000 
--- a/shared/myModules/mqtt2prometheus.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ pkgs, lib, config, ... }: -let - cfg = config.services.mqtt2prometheus; -in -{ - options.services.mqtt2prometheus = { - enable = lib.mkEnableOption "Enable mqtt2Prometheus"; - package = lib.mkOption { - type = lib.types.package; - description = "Which mqtt2prometheus package to use"; - }; - listenAddress = lib.mkOption { - type = lib.types.str; - default = "127.0.0.1"; - description = "listen address for HTTP server used to expose metrics"; - }; - listenPort = lib.mkOption { - type = lib.types.port; - default = 9641; - description = "HTTP port used to expose metrics"; - }; - config = lib.mkOption { # à nixifier (un jour) - type = lib.types.path; - description = "Path to config file"; - }; - }; - config = lib.mkIf cfg.enable { - systemd.services."mqtt2prometheus" = { - enable = true; - description = "MQTT client which exposes metrics for prometheus monitoring software"; - after = [ "network-online.target" ]; - serviceConfig = { - ExecStart = "${cfg.package}/bin/mqtt2prometheus -config ${cfg.config} -listen-address ${cfg.listenAddress} -listen-port ${toString cfg.listenPort}"; - Restart = "always"; - }; - wantedBy = [ "multi-user.target" ]; - }; - }; -} diff --git a/shared/myPkgs/dokuwiki.nix b/shared/myPkgs/dokuwiki.nix deleted file mode 100644 index 29188f5..0000000 --- a/shared/myPkgs/dokuwiki.nix +++ /dev/null 
@@ -1,52 +0,0 @@ -{ lib, stdenv, fetchFromGitHub, writeText, nixosTests }: - -stdenv.mkDerivation rec { - pname = "dokuwiki"; - version = "2022-07-31"; - - src = fetchFromGitHub { - owner = "splitbrain"; - repo = pname; - rev = "release_stable_${version}"; - sha256 = "sha256-FreJsajdfoefQHo6rBzkImDUvR3Zb7rBQTYhYvyRJC4="; - }; - - preload = writeText "preload.php" '' - array( - 'local' => array(getenv('DOKUWIKI_LOCAL_CONFIG')), - ), - 'acl' => array( - 'default' => getenv('DOKUWIKI_ACL_AUTH_CONFIG'), - ), - 'plainauth.users' => array( - 'default' => getenv('DOKUWIKI_USERS_AUTH_CONFIG'), - ), - 'plugins' => array( - 'local' => array(getenv('DOKUWIKI_PLUGINS_LOCAL_CONFIG')), - ), - ); - ''; - - installPhase = '' - mkdir -p $out/share/dokuwiki - cp -r * $out/share/dokuwiki - cp ${preload} $out/share/dokuwiki/inc/preload.php - ''; - - patches = [ ./dokuwiki_deep_merge.patch ]; - - passthru.tests = { - inherit (nixosTests) dokuwiki; - }; - - meta = with lib; { - description = "Simple to use and highly versatile Open Source wiki software that doesn't require a database"; - license = licenses.gpl2; - homepage = "https://www.dokuwiki.org"; - platforms = platforms.all; - maintainers = with maintainers; [ _1000101 ]; - }; -} diff --git a/shared/myPkgs/dokuwiki_deep_merge.patch b/shared/myPkgs/dokuwiki_deep_merge.patch deleted file mode 100644 index 2c29613..0000000 --- a/shared/myPkgs/dokuwiki_deep_merge.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/inc/config_cascade.php -+++ b/inc/config_cascade.php -@@ -5,7 +5,7 @@ - * This array configures the default locations of various files in the - * DokuWiki directory hierarchy. It can be overriden in inc/preload.php - */ --$config_cascade = array_merge( -+$config_cascade = array_merge_recursive( - array( - 'main' => array( - 'default' => array(DOKU_CONF . 'dokuwiki.php'), diff --git a/shared/myPkgs/mqtt2prometheus.nix b/shared/myPkgs/mqtt2prometheus.nix deleted file mode 100644 index d811dbc..0000000 
--- a/shared/myPkgs/mqtt2prometheus.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ pkgs, ... }: -pkgs.buildGoModule rec { - pname = "mqtt2prometheus"; - version = "0.1.6"; - src = pkgs.fetchFromGitHub { - owner = "hikhvar"; - repo = "mqtt2prometheus"; - rev = "v${version}"; - sha256 = "0dz5mrwm231g45i8rbmvaza8bm6cr4jg5vc87h41vnm7xsx815g7"; - }; - vendorSha256 = "1fyzij7cakhd6x2hf3rvvslvvxmfmlp881x5rz2qwm04spa18cp4"; - postInstall = '' - mv $out/bin/cmd $out/bin/mqtt2prometheus - ''; -} -- 2.47.0 From f7337345f4ff43666790bd2cdc3deadd48d5fc42 Mon Sep 17 00:00:00 2001 From: hackens server Date: Thu, 12 Jan 2023 18:39:33 +0100 Subject: [PATCH 17/34] bugfix --- hosts/org/webpass.nix | 4 +++- secrets/default.nix | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/hosts/org/webpass.nix b/hosts/org/webpass.nix index aaac537..15f8628 100644 --- a/hosts/org/webpass.nix +++ b/hosts/org/webpass.nix @@ -1,7 +1,7 @@ { pkgs, ... }: { security.acme = { - email = "hackens@clipper.ens.fr"; + defaults.email = "hackens@clipper.ens.fr"; acceptTerms = true; }; @@ -20,6 +20,7 @@ environmentFile = "/etc/secrets/vaultwarden.env"; }; + services.nginx.enable = true; services.nginx.virtualHosts."pass.new.hackens.org" = { forceSSL = true; enableACME = true; @@ -36,4 +37,5 @@ proxyWebsockets = true; }; }; + networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/secrets/default.nix b/secrets/default.nix index 0a283f6..9fd5403 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -1,4 +1,5 @@ { ... }: { + imports = [ ]; age.secrets."wikiOpenID".file = ./wiki-openID.age; } -- 2.47.0 From 648ab4aea89db4d9ce38f48a8b6c7f45016649a8 Mon Sep 17 00:00:00 2001 From: hackens server Date: Thu, 12 Jan 2023 18:40:38 +0100 Subject: [PATCH 18/34] nixfmt --- secrets/default.nix | 3 +-- secrets/secrets.nix | 13 ++++++++----- shared/nur.nix | 3 +-- 3 files changed, 10 insertions(+), 9 deletions(-) diff --git a/secrets/default.nix b/secrets/default.nix index 9fd5403..e091eea 100644 
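Review bot: The second and third webpass.nix hunks put `services.nginx.enable = true;` and `networking.firewall.allowedTCPPorts = [ 80 443 ];` into the vaultwarden file, although the host already imports a dedicated `./nginx.nix` (added in the earlier hosts/org/configuration.nix hunk); host-wide nginx enablement and the public 80/443 opening belong there, so that removing the password manager later does not silently drop the web server for the other vhosts. While nginx is being switched on, `services.nginx.recommendedTlsSettings = true;` and `services.nginx.recommendedProxySettings = true;` next to the `enable` line would give the reverse-proxied vaultwarden vhost sane TLS and proxy-header defaults; I cannot see whether nginx.nix already sets them. The `imports = [ ];` added to secrets/default.nix is a no-op and can be dropped from a commit titled "bugfix".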
--- a/secrets/default.nix +++ b/secrets/default.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{ ... }: { imports = [ ]; age.secrets."wikiOpenID".file = ./wiki-openID.age; } diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 2cde620..df3cc0b 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,7 +1,10 @@ let - lib = (import {}).lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); -in -{ - "wiki-openID.age".publicKeys = (readPubkeys "sinavir") ++ (readPubkeys "hackens-host") ++ (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "backslash"); + lib = (import { }).lib; + readPubkeys = user: + builtins.filter (k: k != "") + (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); +in { + "wiki-openID.age".publicKeys = (readPubkeys "sinavir") + ++ (readPubkeys "hackens-host") ++ (readPubkeys "raito") + ++ (readPubkeys "gdd") ++ (readPubkeys "backslash"); } diff --git a/shared/nur.nix b/shared/nur.nix index 8d19786..206862c 100644 --- a/shared/nur.nix +++ b/shared/nur.nix @@ -5,8 +5,7 @@ let repo = "agenix"; rev = "7e5e58b98c3dcbf497543ff6f22591552ebfe65b"; }; -in -{ +in { nixpkgs.config.packageOverrides = { hackens = import ./myPkgs { inherit pkgs; }; }; -- 2.47.0 From 75fd47230d2d5d0b1799ea71dc33132f05535115 Mon Sep 17 00:00:00 2001 From: sinavir Date: Fri, 13 Jan 2023 13:27:38 +0100 Subject: [PATCH 19/34] wiki --- hosts/org/configuration.nix | 8 ++++ hosts/org/dokuwiki.nix | 68 ++++++++++++++++++++++++++++++ default.nix => shared/dokuwiki.nix | 0 3 files changed, 76 insertions(+) create mode 100644 hosts/org/dokuwiki.nix rename default.nix => shared/dokuwiki.nix (100%) diff --git a/hosts/org/configuration.nix b/hosts/org/configuration.nix index 39be5c1..3d27d26 100644 --- a/hosts/org/configuration.nix +++ b/hosts/org/configuration.nix 
@@ -13,10 +13,18 @@ ../../secrets ./webpass.nix ./nginx.nix + ./dokuwiki.nix ]; networking.hostName = "hackens-org"; # Define your hostname. + # dokuwiki overlay + nixpkgs.overlays = [ + (self: super: { + dokuwiki = self.pkgs.callPackage ../../shared/dokuwiki.nix {}; + }) + ]; + # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/hosts/org/dokuwiki.nix b/hosts/org/dokuwiki.nix new file mode 100644 index 0000000..d04f95c --- /dev/null +++ b/hosts/org/dokuwiki.nix 
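Review bot: The overlay replaces `pkgs.dokuwiki` for the whole host with a local package expression, so DokuWiki itself will no longer pick up nixpkgs version or security bumps unless someone updates `shared/dokuwiki.nix` by hand, and the comment `# dokuwiki overlay` does not say why the override exists or where the copy came from. Expand it to something like `# dokuwiki overlay: local copy of pkgs.dokuwiki (taken from nixpkgs <NIXPKGS-REV>, see shared/dokuwiki.nix); re-sync when updating` so the pin is visible to whoever maintains the host. Inside the overlay, `self.pkgs.callPackage` can simply be `self.callPackage`, which is the conventional form.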
@@ -0,0 +1,68 @@ +{ config, pkgs, lib, ... }: { + services.nginx.virtualHosts."new.hackens.org" = { + enableACME = true; + forceSSL = true; + }; + + services.dokuwiki.sites."new.hackens.org" = { + enable = true; + settings = { + template = "bootstrap3"; + license = "cc-by-sa"; + title = "hackENS"; + lang = "fr"; + breadcrumbs = 0; + yourarehere = true; + userewrite = 1; + htmlok = 1; + }; + + package = pkgs.dokuwiki.combine { + plugins = [ + + (pkgs.stdenv.mkDerivation { + name = "catlist"; + src = pkgs.fetchFromGitHub { + owner = "xif-fr"; + repo = "dokuwiki-plugin-catlist"; + rev = "89e024cbf3c0e30def6db6651c72eb76de396785"; + hash = "sha256-2GAUHxK3dnDhXIftd2luxmn1b84ABZvfjHBMQWeDiTs="; + }; + installPhase = '' + mkdir -p $out + cp -R * $out/ + ''; + }) + (pkgs.stdenv.mkDerivation { + name = "commonmark"; + # Download the theme from the dokuwiki site + src = pkgs.fetchFromGitHub { + owner = "clockoon"; + repo = "dokuwiki-plugin-commonmark"; + rev = "v1.2.1"; + hash = "sha256-epqyrKlubDY/vq/1IWbPyuMwLZ2TcH47MPW0aywwiyE="; + }; + installPhase = '' + mkdir -p $out + cp -R * $out/ + ''; + }) + + ]; + templates = [ + (pkgs.stdenv.mkDerivation rec { + name = "bootstrap3"; + version = "2022-07-27"; + src = pkgs.fetchFromGitHub { + owner = "giterlizzi"; + repo = "dokuwiki-template-bootstrap3"; + rev = "v${version}"; + hash = "sha256-B3Yd4lxdwqfCnfmZdp+i/Mzwn/aEuZ0ovagDxuR6lxo="; + }; + installPhase = "mkdir -p $out; cp -R * $out/"; + }) + ]; + }; + }; + +} diff --git a/default.nix b/shared/dokuwiki.nix similarity index 100% rename from default.nix rename to shared/dokuwiki.nix -- 2.47.0 From b6e90593a1bb5476c19c9baa08923a57288394ea Mon Sep 17 00:00:00 2001 From: hackens server Date: Fri, 13 Jan 2023 13:47:35 +0100 Subject: [PATCH 20/34] fix wrong wiki plugin version --- hosts/org/dokuwiki.nix | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/hosts/org/dokuwiki.nix b/hosts/org/dokuwiki.nix index d04f95c..28bdff9 100644 
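Review bot: `htmlok = 1;` makes DokuWiki render raw HTML embedded in pages, and this site's `settings` never set `useacl`, so the module's fallback of `useacl = false` applies and editing is open to every visitor; together that is a stored-XSS / content-injection surface on new.hackens.org, not a formatting convenience. Unless raw HTML is genuinely needed, set `htmlok = 0;`, or at minimum pair it with `useacl = true;` and an ACL that restricts editing to trusted groups. Note that a user-supplied `settings` attribute set replaces the module default (`useacl = true; superuser = "admin";`) rather than merging with it, which is easy to miss when copying the example.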
--- a/hosts/org/dokuwiki.nix +++ b/hosts/org/dokuwiki.nix @@ -36,12 +36,10 @@ (pkgs.stdenv.mkDerivation { name = "commonmark"; # Download the theme from the dokuwiki site - src = pkgs.fetchFromGitHub { - owner = "clockoon"; - repo = "dokuwiki-plugin-commonmark"; - rev = "v1.2.1"; - hash = "sha256-epqyrKlubDY/vq/1IWbPyuMwLZ2TcH47MPW0aywwiyE="; - }; + src = pkgs.fetchzip { +url = "https://github.com/clockoon/dokuwiki-plugin-commonmark/releases/download/v1.2.1/release.tar.gz"; +sha256 = "sha256-3fpN7SSDDQ3QAmzRuG5UMYrtGeL3ogiooPKc6g1gxRg="; +}; installPhase = '' mkdir -p $out cp -R * $out/ -- 2.47.0 From bbcadab7075e6acc37062b0f37cb0a2d31523be7 Mon Sep 17 00:00:00 2001 From: hackens server Date: Sat, 14 Jan 2023 15:45:32 +0100 Subject: [PATCH 21/34] better conf for wiki --- hosts/org/dokuwiki.nix | 29 +- shared/dokuwiki_module.nix | 593 +++++++++++++++++++++++++++++++++++++ 2 files changed, 616 insertions(+), 6 deletions(-) create mode 100644 shared/dokuwiki_module.nix diff --git a/hosts/org/dokuwiki.nix b/hosts/org/dokuwiki.nix index 28bdff9..117e339 100644 --- a/hosts/org/dokuwiki.nix +++ b/hosts/org/dokuwiki.nix @@ -1,11 +1,14 @@ { config, pkgs, lib, ... }: { + + imports = [ ../../shared/dokuwiki_module.nix ]; + disabledModules = [ ]; services.nginx.virtualHosts."new.hackens.org" = { enableACME = true; forceSSL = true; }; services.dokuwiki.sites."new.hackens.org" = { - enable = true; + enable = false; # true; settings = { template = "bootstrap3"; license = "cc-by-sa"; @@ -14,10 +17,24 @@ breadcrumbs = 0; yourarehere = true; userewrite = 1; + useacl = true; htmlok = 1; + target._raw = '' + array( + 'extern' => '_tab' + ); + ''; + sitemap = 7; + disableactions = "register"; + superuser = "@admin"; + start = "accueil"; + htmlmail = 0; + tpl.bootstrap3 = { + showAddNewPage = "logged"; + fluidContainer = 0; + }; }; - package = pkgs.dokuwiki.combine { plugins = [ (pkgs.stdenv.mkDerivation { 
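Review bot: The three added `fetchzip` lines (`url = ...`, `sha256 = ...`, `};`) are flush-left inside a nested attribute set, which breaks the file's indentation and makes the change look unreviewed; they belong at the same depth as the `src =` line they complete. Since the new source is a release tarball rather than the tagged tree fetched before, a short comment next to `url`, e.g. `# release artefact, not the git tag; content pinned by sha256`, would tell the next reader why the `fetchFromGitHub` form was dropped.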
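Review bot: `disabledModules = [ ];` is empty while `imports` pulls in `../../shared/dokuwiki_module.nix`, which declares the same `services.dokuwiki` options as the NixOS module already in the module list; unless the upstream one is disabled (`disabledModules = [ "services/web-apps/dokuwiki.nix" ];`) evaluation should fail on a duplicate option declaration, which may be why `enable` was flipped to `false; # true;`. If the wiki is meant to stay off for now, say so in that comment instead of leaving the old value in it. `useacl = true;` is set without `acl` or `aclFile`, so the module falls back to an ACL file seeded from the package's `acl.auth.php.dist` in the state directory; confirm that seed denies anonymous editing, since `htmlok = 1;` is kept. The vendored module is a 593-line copy of nixpkgs code with no provenance note; give it a header such as `# copied from nixpkgs <NIXPKGS-REV> nixos/modules/services/web-apps/dokuwiki.nix; local changes: <LIST>` so it can be re-synced when upstream fixes land.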
@@ -37,9 +54,10 @@ name = "commonmark"; # Download the theme from the dokuwiki site src = pkgs.fetchzip { -url = "https://github.com/clockoon/dokuwiki-plugin-commonmark/releases/download/v1.2.1/release.tar.gz"; -sha256 = "sha256-3fpN7SSDDQ3QAmzRuG5UMYrtGeL3ogiooPKc6g1gxRg="; -}; + url = + "https://github.com/clockoon/dokuwiki-plugin-commonmark/releases/download/v1.2.1/release.tar.gz"; + sha256 = "sha256-3fpN7SSDDQ3QAmzRuG5UMYrtGeL3ogiooPKc6g1gxRg="; + }; installPhase = '' mkdir -p $out cp -R * $out/ @@ -60,7 +78,6 @@ sha256 = "sha256-3fpN7SSDDQ3QAmzRuG5UMYrtGeL3ogiooPKc6g1gxRg="; installPhase = "mkdir -p $out; cp -R * $out/"; }) ]; - }; }; } diff --git a/shared/dokuwiki_module.nix b/shared/dokuwiki_module.nix new file mode 100644 index 0000000..d4d8839 --- /dev/null +++ b/shared/dokuwiki_module.nix 
@@ -0,0 +1,593 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.dokuwiki; + eachSite = cfg.sites; + user = "dokuwiki"; + webserver = config.services.${cfg.webserver}; + + mkPhpIni = generators.toKeyValue { + mkKeyValue = generators.mkKeyValueDefault {} " = "; + }; + mkPhpPackage = cfg: cfg.phpPackage.buildEnv { + extraConfig = mkPhpIni cfg.phpOptions; + }; + + dokuwikiAclAuthConfig = hostName: cfg: let + inherit (cfg) acl; + acl_gen = concatMapStringsSep "\n" (l: "${l.page} \t ${l.actor} \t ${toString l.level}"); + in pkgs.writeText "acl.auth-${hostName}.php" '' + # acl.auth.php + # + # + # Access Control Lists + # + ${if isString acl then acl else acl_gen acl} + ''; + + mergeConfig = cfg: { + useacl = false; # Dokuwiki default + savedir = cfg.stateDir; + } // cfg.settings; + + writePhpFile = name: text: pkgs.writeTextFile { + inherit name; + text = " for explanation + ''; + example = "read"; + }; + + }; + }; + + siteOpts = { config, lib, name, ... }: + { + imports = [ + # NOTE: These will sadly not print the absolute argument path but only the name. Related to #96006 + (mkRenamedOptionModule [ "aclUse" ] [ "settings" "useacl" ] ) + (mkRenamedOptionModule [ "superUser" ] [ "settings" "superuser" ] ) + (mkRenamedOptionModule [ "disableActions" ] [ "settings" "disableactions" ] ) + ({ config, options, name, ...}: { + config.warnings = + (optional (isString config.pluginsConfig) '' + Passing plain strings to services.dokuwiki.sites.${name}.pluginsConfig has been deprecated and will not be continue to be supported in the future. + Please pass structured settings instead. + '') + ++ (optional (isString config.acl) '' + Passing a plain string to services.dokuwiki.sites.${name}.acl has been deprecated and will not continue to be supported in the future. + Please pass structured settings instead. + '') + ++ (optional (config.extraConfig != null) '' + services.dokuwiki.sites.${name}.extraConfig is deprecated and will be removed in the future. 
+ Please pass structured settings to services.dokuwiki.sites.${name}.settings instead. + '') + ; + }) + ]; + + options = { + enable = mkEnableOption (lib.mdDoc "DokuWiki web application."); + + package = mkOption { + type = types.package; + default = pkgs.dokuwiki; + defaultText = literalExpression "pkgs.dokuwiki"; + description = lib.mdDoc "Which DokuWiki package to use."; + }; + + stateDir = mkOption { + type = types.path; + default = "/var/lib/dokuwiki/${name}/data"; + description = lib.mdDoc "Location of the DokuWiki state directory."; + }; + + acl = mkOption { + type = with types; nullOr (oneOf [ lines (listOf (submodule aclOpts)) ]); + default = null; + example = literalExpression '' + [ + { + page = "start"; + actor = "@external"; + level = "read"; + } + { + page = "*"; + actor = "@users"; + level = "upload"; + } + ] + ''; + description = lib.mdDoc '' + Access Control Lists: see + Mutually exclusive with services.dokuwiki.aclFile + Set this to a value other than null to take precedence over aclFile option. + + Warning: Consider using aclFile instead if you do not + want to store the ACL in the world-readable Nix store. + ''; + }; + + aclFile = mkOption { + type = with types; nullOr str; + default = if (config.mergedConfig.useacl && config.acl == null) then "/var/lib/dokuwiki/${name}/acl.auth.php" else null; + description = lib.mdDoc '' + Location of the dokuwiki acl rules. Mutually exclusive with services.dokuwiki.acl + Mutually exclusive with services.dokuwiki.acl which is preferred. + Consult documentation for further instructions. + Example: + ''; + example = "/var/lib/dokuwiki/${name}/acl.auth.php"; + }; + + pluginsConfig = mkOption { + type = with types; oneOf [lines (attrsOf bool)]; + default = { + authad = false; + authldap = false; + authmysql = false; + authpgsql = false; + }; + description = lib.mdDoc '' + List of the dokuwiki (un)loaded plugins. 
+ ''; + }; + + usersFile = mkOption { + type = with types; nullOr str; + default = if config.mergedConfig.useacl then "/var/lib/dokuwiki/${name}/users.auth.php" else null; + description = lib.mdDoc '' + Location of the dokuwiki users file. List of users. Format: + + login:passwordhash:Real Name:email:groups,comma,separated + + Create passwordHash easily by using: + + mkpasswd -5 password `pwgen 8 1` + + Example: + ''; + example = "/var/lib/dokuwiki/${name}/users.auth.php"; + }; + + plugins = mkOption { + type = types.listOf types.path; + default = []; + description = lib.mdDoc '' + List of path(s) to respective plugin(s) which are copied from the 'plugin' directory. + + ::: {.note} + These plugins need to be packaged before use, see example. + ::: + ''; + example = literalExpression '' + let + plugin-icalevents = pkgs.stdenv.mkDerivation rec { + name = "icalevents"; + version = "2017-06-16"; + src = pkgs.fetchzip { + stripRoot = false; + url = "https://github.com/real-or-random/dokuwiki-plugin-icalevents/releases/download/''${version}/dokuwiki-plugin-icalevents-''${version}.zip"; + hash = "sha256-IPs4+qgEfe8AAWevbcCM9PnyI0uoyamtWeg4rEb+9Wc="; + }; + installPhase = "mkdir -p $out; cp -R * $out/"; + }; + # And then pass this theme to the plugin list like this: + in [ plugin-icalevents ] + ''; + }; + + templates = mkOption { + type = types.listOf types.path; + default = []; + description = lib.mdDoc '' + List of path(s) to respective template(s) which are copied from the 'tpl' directory. + + ::: {.note} + These templates need to be packaged before use, see example. 
+ ::: + ''; + example = literalExpression '' + let + template-bootstrap3 = pkgs.stdenv.mkDerivation rec { + name = "bootstrap3"; + version = "2022-07-27"; + src = pkgs.fetchFromGitHub { + owner = "giterlizzi"; + repo = "dokuwiki-template-bootstrap3"; + rev = "v''${version}"; + hash = "sha256-B3Yd4lxdwqfCnfmZdp+i/Mzwn/aEuZ0ovagDxuR6lxo="; + }; + installPhase = "mkdir -p $out; cp -R * $out/"; + }; + # And then pass this theme to the template list like this: + in [ template-bootstrap3 ] + ''; + }; + + poolConfig = mkOption { + type = with types; attrsOf (oneOf [ str int bool ]); + default = { + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 4; + "pm.max_requests" = 500; + }; + description = lib.mdDoc '' + Options for the DokuWiki PHP pool. See the documentation on `php-fpm.conf` + for details on configuration directives. + ''; + }; + + phpPackage = mkOption { + type = types.package; + relatedPackages = [ "php80" "php81" ]; + default = pkgs.php81; + defaultText = "pkgs.php81"; + description = lib.mdDoc '' + PHP package to use for this dokuwiki site. + ''; + }; + + phpOptions = mkOption { + type = types.attrsOf types.str; + default = {}; + description = lib.mdDoc '' + Options for PHP's php.ini file for this dokuwiki site. + ''; + example = literalExpression '' + { + "opcache.interned_strings_buffer" = "8"; + "opcache.max_accelerated_files" = "10000"; + "opcache.memory_consumption" = "128"; + "opcache.revalidate_freq" = "15"; + "opcache.fast_shutdown" = "1"; + } + ''; + }; + + settings = mkOption { + type = types.attrsOf types.anything; + default = { + useacl = true; + superuser = "admin"; + }; + description = lib.mdDoc '' + Structural DokuWiki configuration. + Refer to + for details and supported values. + Settings can either be directly set from nix, + loaded from a file using `._file` or obtained from any + PHP function calls using `._raw`. 
+ ''; + example = literalExpression '' + { + title = "My Wiki"; + userewrite = 1; + disableactions = [ "register" ]; # Will be concatenated with commas + plugin.smtp = { + smtp_pass._file = "/var/run/secrets/dokuwiki/smtp_pass"; + smtp_user._raw = "getenv('DOKUWIKI_SMTP_USER')"; + }; + } + ''; + }; + + mergedConfig = mkOption { + readOnly = true; + default = mergeConfig config; + defaultText = literalExpression '' + { + useacl = true; + } + ''; + description = lib.mdDoc '' + Read only representation of the final configuration. + ''; + }; + + extraConfig = mkOption { + # This Option is deprecated and only kept until sometime before 23.05 for compatibility reasons + # FIXME (@e1mo): Actually remember removing this before 23.05. + visible = false; + type = types.nullOr types.lines; + default = null; + example = '' + $conf['title'] = 'My Wiki'; + $conf['userewrite'] = 1; + ''; + description = lib.mdDoc '' + DokuWiki configuration. Refer to + + for details on supported values. + + **Note**: Please pass Structured settings via + `services.dokuwiki.sites.${name}.settings` instead. + ''; + }; + + # Required for the mkRenamedOptionModule + # TODO: Remove me once https://github.com/NixOS/nixpkgs/issues/96006 is fixed + # or the aclUse, ... options are removed. + warnings = mkOption { + type = types.listOf types.unspecified; + default = [ ]; + visible = false; + internal = true; + }; + + }; + }; +in +{ + options = { + services.dokuwiki = { + + sites = mkOption { + type = types.attrsOf (types.submodule siteOpts); + default = {}; + description = lib.mdDoc "Specification of one or more DokuWiki sites to serve"; + }; + + webserver = mkOption { + type = types.enum [ "nginx" "caddy" ]; + default = "nginx"; + description = lib.mdDoc '' + Whether to use nginx or caddy for virtual host management. + + Further nginx configuration can be done by adapting `services.nginx.virtualHosts.`. + See [](#opt-services.nginx.virtualHosts) for further information. 
+ + Further caddy configuration can be done by adapting `services.caddy.virtualHosts.`. + See [](#opt-services.caddy.virtualHosts) for further information. + ''; + }; + + }; + }; + + # implementation + config = mkIf (eachSite != {}) (mkMerge [{ + + warnings = flatten (mapAttrsToList (_: cfg: cfg.warnings) eachSite); + + assertions = flatten (mapAttrsToList (hostName: cfg: + [{ + assertion = cfg.mergedConfig.useacl -> (cfg.acl != null || cfg.aclFile != null); + message = "Either services.dokuwiki.sites.${hostName}.acl or services.dokuwiki.sites.${hostName}.aclFile is mandatory if settings.useacl is true"; + } + { + assertion = cfg.usersFile != null -> cfg.mergedConfig.useacl != false; + message = "services.dokuwiki.sites.${hostName}.settings.useacl must must be true if usersFile is not null"; + } + ]) eachSite); + + services.phpfpm.pools = mapAttrs' (hostName: cfg: ( + nameValuePair "dokuwiki-${hostName}" { + inherit user; + group = webserver.group; + + phpPackage = mkPhpPackage cfg; + phpEnv = optionalAttrs (cfg.usersFile != null) { + DOKUWIKI_USERS_AUTH_CONFIG = "${cfg.usersFile}"; + } // optionalAttrs (cfg.mergedConfig.useacl) { + DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig hostName cfg}" else "${toString cfg.aclFile}"; + }; + + settings = { + "listen.owner" = webserver.user; + "listen.group" = webserver.group; + } // cfg.poolConfig; + } + )) eachSite; + + } + + { + systemd.tmpfiles.rules = flatten (mapAttrsToList (hostName: cfg: [ + "d ${cfg.stateDir}/attic 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/cache 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/index 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/locks 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/log 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/media 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/media_attic 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/media_meta 0750 ${user} 
${webserver.group} - -" + "d ${cfg.stateDir}/meta 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/pages 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/tmp 0750 ${user} ${webserver.group} - -" + ] ++ lib.optional (cfg.aclFile != null) "C ${cfg.aclFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/acl.auth.php.dist" + ++ lib.optional (cfg.usersFile != null) "C ${cfg.usersFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/users.auth.php.dist" + ) eachSite); + + users.users.${user} = { + group = webserver.group; + isSystemUser = true; + }; + } + + (mkIf (cfg.webserver == "nginx") { + services.nginx = { + enable = true; + virtualHosts = mapAttrs (hostName: cfg: { + serverName = mkDefault hostName; + root = "${pkg hostName cfg}/share/dokuwiki"; + + locations = { + "~ /(conf/|bin/|inc/|install.php)" = { + extraConfig = "deny all;"; + }; + + "~ ^/data/" = { + root = "${cfg.stateDir}"; + extraConfig = "internal;"; + }; + + "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = { + extraConfig = "expires 365d;"; + }; + + "/" = { + priority = 1; + index = "doku.php"; + extraConfig = ''try_files $uri $uri/ @dokuwiki;''; + }; + + "@dokuwiki" = { + extraConfig = '' + # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page + rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; + rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; + rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; + rewrite ^/(.*) /doku.php?id=$1&$args last; + ''; + }; + + "~ \\.php$" = { + extraConfig = '' + try_files $uri $uri/ /doku.php; + include ${config.services.nginx.package}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param REDIRECT_STATUS 200; + fastcgi_pass unix:${config.services.phpfpm.pools."dokuwiki-${hostName}".socket}; + ''; + }; + + }; + }) eachSite; + }; + }) + + (mkIf (cfg.webserver == "caddy") { 
+ services.caddy = { + enable = true; + virtualHosts = mapAttrs' (hostName: cfg: ( + nameValuePair "http://${hostName}" { + extraConfig = '' + root * ${pkg hostName cfg}/share/dokuwiki + file_server + + encode zstd gzip + php_fastcgi unix/${config.services.phpfpm.pools."dokuwiki-${hostName}".socket} + + @restrict_files { + path /data/* /conf/* /bin/* /inc/* /vendor/* /install.php + } + + respond @restrict_files 404 + + @allow_media { + path_regexp path ^/_media/(.*)$ + } + rewrite @allow_media /lib/exe/fetch.php?media=/{http.regexp.path.1} + + @allow_detail { + path /_detail* + } + rewrite @allow_detail /lib/exe/detail.php?media={path} + + @allow_export { + path /_export* + path_regexp export /([^/]+)/(.*) + } + rewrite @allow_export /doku.php?do=export_{http.regexp.export.1}&id={http.regexp.export.2} + + try_files {path} {path}/ /doku.php?id={path}&{query} + ''; + } + )) eachSite; + }; + }) + + ]); + + meta.maintainers = with maintainers; [ + _1000101 + onny + dandellion + ]; +} -- 2.47.0 From 2aadb17158be90be85e01aa089419550d7d1ced4 Mon Sep 17 00:00:00 2001 From: sinavir Date: Sat, 14 Jan 2023 19:14:54 +0100 Subject: [PATCH 22/34] oauth for wiki --- hosts/org/dokuwiki.nix | 126 +++++++++++++++++++++++++++-------------- 1 file changed, 85 insertions(+), 41 deletions(-) diff --git a/hosts/org/dokuwiki.nix b/hosts/org/dokuwiki.nix index 117e339..b142230 100644 --- a/hosts/org/dokuwiki.nix +++ b/hosts/org/dokuwiki.nix 
@@ -33,51 +33,95 @@ showAddNewPage = "logged"; fluidContainer = 0; }; + plugin = { + tokenbucketauth.tba_send_mail = "hackens@clipper.ens.fr"; + oauthkeycloak = { + key = "wiki"; + secret._file = config.age.secrets.wikiOpenID.path; + openidurl = + "https://auth.rz.ens.wtf/auth/realms/hackENS/.well-known/openid-configuration/"; + }; + }; + + }; + pluginsConfig = { + + authad = false; + authldap = false; + authmysql = false; + authpgsql = false; + oauthkeycloak = true; + popularity = false; }; - plugins = [ + plugins = [ - (pkgs.stdenv.mkDerivation { - name = "catlist"; - src = pkgs.fetchFromGitHub { - owner = "xif-fr"; - repo = "dokuwiki-plugin-catlist"; - rev = "89e024cbf3c0e30def6db6651c72eb76de396785"; - hash = "sha256-2GAUHxK3dnDhXIftd2luxmn1b84ABZvfjHBMQWeDiTs="; - }; - installPhase = '' - mkdir -p $out - cp -R * $out/ - ''; - }) - (pkgs.stdenv.mkDerivation { - name = "commonmark"; - # Download the theme from the dokuwiki site - src = pkgs.fetchzip { - url = - "https://github.com/clockoon/dokuwiki-plugin-commonmark/releases/download/v1.2.1/release.tar.gz"; - sha256 = "sha256-3fpN7SSDDQ3QAmzRuG5UMYrtGeL3ogiooPKc6g1gxRg="; - }; - installPhase = '' - mkdir -p $out - cp -R * $out/ - ''; - }) + (pkgs.stdenv.mkDerivation { + name = "catlist"; + src = pkgs.fetchFromGitHub { + owner = "xif-fr"; + repo = "dokuwiki-plugin-catlist"; + rev = "89e024cbf3c0e30def6db6651c72eb76de396785"; + hash = "sha256-2GAUHxK3dnDhXIftd2luxmn1b84ABZvfjHBMQWeDiTs="; + }; + installPhase = '' + mkdir -p $out + cp -R * $out/ + ''; + }) + (pkgs.stdenv.mkDerivation { + name = "commonmark"; + src = pkgs.fetchzip { + url = + "https://github.com/clockoon/dokuwiki-plugin-commonmark/releases/download/v1.2.1/release.tar.gz"; + sha256 = "sha256-3fpN7SSDDQ3QAmzRuG5UMYrtGeL3ogiooPKc6g1gxRg="; + }; + installPhase = '' + mkdir -p $out + cp -R * $out/ + ''; + }) + (pkgs.stdenv.mkDerivation { + name = "oauth"; + src = pkgs.fetchFromGitHub { + owner = "cosmocode"; + repo = "dokuwiki-plugin-oauth"; + rev = 
"da4733221ed7b4fb3ac0e2429499b14ece3d5f2d"; + hash = "sha256-CNRlaieYm/KCjZ9+OP9pMo5SGjJ4CUrNNdL4iVktCcU="; + }; + installPhase = '' + mkdir -p $out + cp -R * $out/ + ''; + }) + (pkgs.stdenv.mkDerivation { + name = "oauth"; + src = pkgs.fetchFromGitHub { + owner = "YoitoFes"; + repo = "dokuwiki-plugin-oauthkeycloak"; + rev = "28892edb0207d128ddb94fa8a0bd216861a5626b"; + hash = "sha256-nZo61nW9QjJiEo3FpYt1Zt7locuIDQ88AOn/ZnjjYUc="; + }; + installPhase = '' + mkdir -p $out + cp -R * $out/ + ''; + }) - ]; - templates = [ - (pkgs.stdenv.mkDerivation rec { - name = "bootstrap3"; - version = "2022-07-27"; - src = pkgs.fetchFromGitHub { - owner = "giterlizzi"; - repo = "dokuwiki-template-bootstrap3"; - rev = "v${version}"; - hash = "sha256-B3Yd4lxdwqfCnfmZdp+i/Mzwn/aEuZ0ovagDxuR6lxo="; - }; - installPhase = "mkdir -p $out; cp -R * $out/"; - }) - ]; + ]; + templates = [ + (pkgs.stdenv.mkDerivation rec { + name = "bootstrap3"; + version = "2022-07-27"; + src = pkgs.fetchFromGitHub { + owner = "giterlizzi"; + repo = "dokuwiki-template-bootstrap3"; + rev = "v${version}"; + hash = "sha256-B3Yd4lxdwqfCnfmZdp+i/Mzwn/aEuZ0ovagDxuR6lxo="; + }; + installPhase = "mkdir -p $out; cp -R * $out/"; + }) + ]; }; } -- 2.47.0 From a9f9bd0cc5a17440cc325b3e1fb4b730357c3d24 Mon Sep 17 00:00:00 2001 
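Review bot: The second new derivation (`repo = "dokuwiki-plugin-oauthkeycloak"`) reuses `name = "oauth";`, the same name as the cosmocode oauth plugin right above it; as far as I can tell plugins are installed under their derivation name, so the two collide and `pluginsConfig.oauthkeycloak = true;` points at a plugin directory that will not exist — it should read `name = "oauthkeycloak";`. `secret._file = config.age.secrets.wikiOpenID.path;` correctly keeps the client secret out of the Nix store, but the file is read by php-fpm running as the `dokuwiki` user, so the agenix secret needs `owner`/`group`/`mode` set to grant that user read access (the agenix default is root-only). `plugin.tokenbucketauth.tba_send_mail` configures a plugin that is neither in `plugins` nor in `pluginsConfig`; drop the setting or add the plugin so it is not silently ignored.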
From: HackENS milieu Date: Sun, 15 Jan 2023 18:34:00 +0100 Subject: [PATCH 23/34] gros menage chez hackens milieu --- hosts/milieu/configuration.nix | 2 +- hosts/milieu/hardware-configuration.nix | 2 + nur.nix | 9 --- profiles/shared-hackens/backups.nix | 11 ---- profiles/shared-hackens/default.nix | 25 +++----- .../{dns.nix => dns/default.nix} | 2 +- profiles/shared-hackens/gnome.nix | 2 + profiles/shared-hackens/graphics.nix | 10 ---- profiles/shared-hackens/hosts.nix | 3 - profiles/shared-hackens/i3.nix | 51 ---------------- profiles/shared-hackens/kde.nix | 6 -- profiles/shared-hackens/latex.nix | 4 -- profiles/shared-hackens/monitoring.nix | 59 ------------------- profiles/shared-hackens/mosquitto.nix | 30 ---------- profiles/shared-hackens/netboot-server.nix | 8 --- profiles/shared-hackens/programs.nix | 37 ++++-------- profiles/shared-hackens/result | 1 + profiles/shared-hackens/ssd.nix | 6 -- profiles/shared-hackens/syncthing.nix | 9 --- profiles/shared-hackens/system.nix | 10 ++++ profiles/shared-hackens/users.nix | 1 + profiles/shared-hackens/vim.nix | 1 - .../shared-hackens/vpn-network/default.nix | 17 ------ .../shared-hackens/vpn-network/wg-peers.nix | 22 ------- pubkeys/raito.keys | 4 +- shared/nur.nix | 14 ----- 26 files changed, 37 insertions(+), 309 deletions(-) delete mode 100644 nur.nix delete mode 100644 profiles/shared-hackens/backups.nix rename profiles/shared-hackens/{dns.nix => dns/default.nix} (95%) delete mode 100644 profiles/shared-hackens/graphics.nix delete mode 100644 profiles/shared-hackens/hosts.nix delete mode 100644 profiles/shared-hackens/i3.nix delete mode 100644 profiles/shared-hackens/kde.nix delete mode 100644 profiles/shared-hackens/latex.nix delete mode 100644 profiles/shared-hackens/monitoring.nix delete mode 100644 profiles/shared-hackens/mosquitto.nix delete mode 100644 profiles/shared-hackens/netboot-server.nix create mode 120000 profiles/shared-hackens/result delete mode 100644 profiles/shared-hackens/ssd.nix delete 
mode 100644 profiles/shared-hackens/syncthing.nix delete mode 100644 profiles/shared-hackens/vpn-network/default.nix delete mode 100644 profiles/shared-hackens/vpn-network/wg-peers.nix delete mode 100644 shared/nur.nix diff --git a/hosts/milieu/configuration.nix b/hosts/milieu/configuration.nix index 75192d0..6e5fe5f 100644 --- a/hosts/milieu/configuration.nix +++ b/hosts/milieu/configuration.nix @@ -8,7 +8,6 @@ imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix - ../../shared/nur.nix ../../profiles/shared-hackens ]; @@ -23,6 +22,7 @@ networking.hostName = "hackens-milieu"; # Define your hostname. + boot.kernelPackages = pkgs.linuxPackages_5_15; # The global useDHCP flag is deprecated, therefore explicitly set to false here. # Per-interface useDHCP will be mandatory in the future, so this generated config diff --git a/hosts/milieu/hardware-configuration.nix b/hosts/milieu/hardware-configuration.nix index 0891328..f3b47cf 100644 --- a/hosts/milieu/hardware-configuration.nix +++ b/hosts/milieu/hardware-configuration.nix @@ -13,6 +13,8 @@ boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; + # boot.kernelParams = [ "nomodeset" ]; + fileSystems."/" = { device = "/dev/disk/by-label/nixos-root"; fsType = "btrfs"; diff --git a/nur.nix b/nur.nix deleted file mode 100644 index eee2c5e..0000000 --- a/nur.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ pkgs, config, lib, ... }: -{ - imports = [ - ../myModules - ]; - nixpkgs.config.packageOverrides = { - hackens = import ./myPkgs { inherit pkgs; }; - }; -} diff --git a/profiles/shared-hackens/backups.nix b/profiles/shared-hackens/backups.nix deleted file mode 100644 index 76f9b82..0000000 --- a/profiles/shared-hackens/backups.nix +++ /dev/null 
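Review bot: `boot.kernelPackages = pkgs.linuxPackages_5_15;` pins the host to a single kernel series with no explanation; the commented-out `nomodeset` added in hardware-configuration.nix hints at a graphics regression, but the next person cannot tell whether the pin may be lifted or must keep tracking the 5.15 LTS branch. Add a comment such as `# pinned to 5.15 LTS: <reason>; revisit when <condition>` and make sure that series still receives updates in the nixpkgs channel the host follows, since a stale kernel pin quietly stops security fixes.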
@@ -1,11 +0,0 @@ -{ pkgs, ... }: { - # BorgBackup repositories - services.borgbackup.repos = { - hackens-desktop = { - authorizedKeys = [ - "ssh-rsa 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 hackens@hackens-desktop-1" - ]; - path = "/var/backups/hackens-desktop"; - }; - }; -} diff --git a/profiles/shared-hackens/default.nix b/profiles/shared-hackens/default.nix index c89e498..17a196f 100644 --- a/profiles/shared-hackens/default.nix +++ b/profiles/shared-hackens/default.nix @@ -1,24 +1,13 @@ { pkgs, ... }: { imports = [ - ./system.nix - ./backups.nix - ./vpn-network - ./hosts.nix - ./syncthing.nix - ./programs.nix - ./audio.nix - ./mosquitto.nix - ./graphics.nix - ./monitoring.nix - ./users.nix - ./i18n.nix - ./vim.nix - ./dns.nix - ./nightworker.nix - ./ssd.nix ./aarch64.nix - ./latex.nix + ./audio.nix + ./dns ./gnome.nix - # ./netboot-server.nix # -- fix quick xyz mode. + ./i18n.nix + ./programs.nix + ./system.nix + ./users.nix + ./vim.nix ]; } diff --git a/profiles/shared-hackens/dns.nix b/profiles/shared-hackens/dns/default.nix similarity index 95% rename from profiles/shared-hackens/dns.nix rename to profiles/shared-hackens/dns/default.nix index 18680f4..a6ccd31 100644 --- a/profiles/shared-hackens/dns.nix +++ b/profiles/shared-hackens/dns/default.nix @@ -15,7 +15,7 @@ in ipv6_servers = true; require_dnssec = true; - forwarding_rules = ./dns/forwarding.txt; + forwarding_rules = ./forwarding.txt; query_log = if debugDNS then { file = "/dev/stdout"; diff --git a/profiles/shared-hackens/gnome.nix b/profiles/shared-hackens/gnome.nix index 74887ea..7144b1c 100644 --- a/profiles/shared-hackens/gnome.nix +++ b/profiles/shared-hackens/gnome.nix @@ -5,4 +5,6 @@ displayManager.gdm.enable = true; desktopManager.gnome.enable = true; }; + services.xserver.layout = "fr"; + services.autorandr.enable = true; } diff --git a/profiles/shared-hackens/graphics.nix b/profiles/shared-hackens/graphics.nix deleted file mode 100644 index 779a669..0000000 
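Review bot: The rewritten `imports` list drops `./nightworker.nix`, but the diffstat does not delete that file, so it stays in the repository as dead configuration that nothing evaluates; either delete it or re-add the import, whichever was intended. The other removals are consistent (the files are deleted, or their content moved, e.g. fstrim into system.nix), so this one omission looks like an oversight rather than a choice.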
--- a/profiles/shared-hackens/graphics.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ pkgs, ... }: -{ - imports = [ ./i3.nix ]; - - # Enable the X11 windowing system. - services.xserver.enable = true; - services.xserver.layout = "fr"; - - services.autorandr.enable = true; -} diff --git a/profiles/shared-hackens/hosts.nix b/profiles/shared-hackens/hosts.nix deleted file mode 100644 index 6e5b8c3..0000000 --- a/profiles/shared-hackens/hosts.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ pkgs, ... }: -{ -} diff --git a/profiles/shared-hackens/i3.nix b/profiles/shared-hackens/i3.nix deleted file mode 100644 index b319d5e..0000000 --- a/profiles/shared-hackens/i3.nix +++ /dev/null @@ -1,51 +0,0 @@ -{ pkgs, config, lib, ... }: -{ - environment.pathsToLink = [ "/libexec" ]; - environment.sessionVariables.TERMINAL = [ "kitty" ]; - environment.variables = { - TERMINAL = "kitty"; - BROWSER = "firefox"; - }; - services.xserver = { - displayManager = lib.mkIf (!config.services.xserver.displayManager.gdm.enable) { - autoLogin = { - enable = true; - user = "hackens"; - }; - }; - - windowManager.i3 = { - enable = true; - extraSessionCommands = '' - ${pkgs.xorg.xset}/bin/xset r rate 200 50 - ''; - extraPackages = with pkgs; [ - rofi - dunst - i3status-rust - i3lock - kitty - ]; - }; - }; - - fonts.fonts = with pkgs; [ - hack-font - noto-fonts - noto-fonts-cjk - noto-fonts-emoji - liberation_ttf - fira-code - fira-code-symbols - dina-font - proggyfonts - powerline-fonts - font-awesome - ]; - - services.picom = { - enable = true; - vSync = true; - }; -} - diff --git a/profiles/shared-hackens/kde.nix b/profiles/shared-hackens/kde.nix deleted file mode 100644 index 217be99..0000000 --- a/profiles/shared-hackens/kde.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - # Enable the KDE Desktop Environment. - services.xserver.displayManager.sddm.enable = true; - services.xserver.desktopManager.plasma5.enable = true; -} 
diff --git a/profiles/shared-hackens/latex.nix b/profiles/shared-hackens/latex.nix deleted file mode 100644 index f8549fb..0000000 --- a/profiles/shared-hackens/latex.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = [ pkgs.texlive.combined.scheme-full ]; -} diff --git a/profiles/shared-hackens/monitoring.nix b/profiles/shared-hackens/monitoring.nix deleted file mode 100644 index b3244e6..0000000 --- a/profiles/shared-hackens/monitoring.nix +++ /dev/null 
@@ -1,59 +0,0 @@ -{ pkgs, config, ... }: -{ - # Monitoring - services.netdata.enable = true; - systemd.services.netdata.restartTriggers = map (name: config.environment.etc."netdata/${name}.conf".source) [ - "health_alarm_notify" - "stream" - "fping" - ]; - environment.etc."netdata/stream.conf" = { - user = "netdata"; - group = "netdata"; - mode = "0600"; - text = '' - # hackens-desktop - [074e699a-4206-4e13-baa7-e4524326f1e0] - enabled = yes - default history = 3600 - default memory mode = dbengine - health enabled by default = auto - allow from = 192.168.1.117, 2001:470:1f13:21d:49fd:1d82:d2ff:d868 - - # hackens-openwrt - [cab3fe1e-576b-420d-b301-84308e44f340] - enabled = yes - default history = 3600 - default memory mode = dbengine - health enabled by default = auto - allow from = 192.168.1.1, 2001:470:1f13:21d::1 - ''; - }; - environment.etc."netdata/health_alarm_notify.conf" = { - user = "netdata"; - group = "netdata"; - mode = "0600"; - text = '' - # External tools - nc="${pkgs.netcat}/bin/nc" - - # IRC configuration - SEND_IRC="YES" - DEFAULT_RECIPIENT_IRC="#hackens-status" - IRC_NETWORK="ens.wtf" - IRC_NICKNAME="hackens" - IRC_REALNAME="hackENS netdata monitoring" - ''; - }; - environment.etc."netdata/fping.conf" = { - user = "netdata"; - group = "netdata"; - mode = "0600"; - text = '' - fping="${pkgs.fping}/bin/fping" - hosts="hackens.org hack.ens.fr sas.eleves.ens.fr argonaut.ens.wtf clipper.ens.fr merle.eleves.ens.fr" - ''; - }; - services.smartd.enable = true; - services.smartd.extraOptions = [ "-A /var/log/smartd/" ]; # For netdata. -} diff --git a/profiles/shared-hackens/mosquitto.nix b/profiles/shared-hackens/mosquitto.nix deleted file mode 100644 index 42dd8b0..0000000 --- a/profiles/shared-hackens/mosquitto.nix +++ /dev/null 
@@ -1,30 +0,0 @@ -{ ... }: -let - port = 1883; -in -{ - services.mosquitto = { - enable = true; - logType = [ "all" ]; - listeners = [ - { - address = "0.0.0.0"; - acl = [ "topic readwrite #" ]; - port = port; - settings = { - allow_anonymous = true; - }; - } - ]; - bridges.hackensOrg = { - topics = [ "# both" ]; - addresses = [ - { - address = "new.hackens.org"; - } - ]; - }; - }; - networking.firewall.allowedTCPPorts = [ port ]; -} - diff --git a/profiles/shared-hackens/netboot-server.nix b/profiles/shared-hackens/netboot-server.nix deleted file mode 100644 index bc31f32..0000000 --- a/profiles/shared-hackens/netboot-server.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ pkgs, ... }: -{ - services.pixiecore = { - enable = true; - openFirwalle = true; - dhcpNoBind = true; - }; -} diff --git a/profiles/shared-hackens/programs.nix b/profiles/shared-hackens/programs.nix index d3f4730..58f87de 100644 --- a/profiles/shared-hackens/programs.nix +++ b/profiles/shared-hackens/programs.nix @@ -6,46 +6,29 @@ programs.wireshark.enable = true; environment.systemPackages = with pkgs; [ - kitty - # Todolist - taskwarrior - - # Slicers - super-slicer - # prusa-slicer TODO: it is broken - - # CAD/3D - blender openscad # kicad-with-packages3d freecad - # Microcontrollers - arduino arduino-cli stm32flash stm32loader - # FPGA - # python38Packages.nmigen python38Packages.nmigen-soc python38Packages.nmigen-boards - verilog verilator yosys symbiyosys mcy - # Reverse engineering - ghidra-bin apktool pwndbg - radare2 - # IRC weechat + # Latex + texlive.combined.scheme-full + # Editors vscodium emacs neovim - # Utilities - minicom smartmontools - starship - wget firefox ripgrep chromium + wget + firefox + ripgrep nmap htop dnsutils - ncdu lazygit + ncdu + lazygit # Networking - speedtest-cli iperf + speedtest-cli + iperf - # CNC - inkscape ]; programs.chromium = { diff --git a/profiles/shared-hackens/result b/profiles/shared-hackens/result new file mode 120000 index 0000000..41ec79d --- /dev/null 
+++ b/profiles/shared-hackens/result @@ -0,0 +1 @@ +/nix/store/q3gp3rnx0y5pxdq7jlhj1x3bqrisv7pp-nixos-system-hackens-milieu-23.05pre442253.befc83905c9 \ No newline at end of file diff --git a/profiles/shared-hackens/ssd.nix b/profiles/shared-hackens/ssd.nix deleted file mode 100644 index f197688..0000000 --- a/profiles/shared-hackens/ssd.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ pkgs, ... }: -{ - services.fstrim = { - enable = true; - }; -} diff --git a/profiles/shared-hackens/syncthing.nix b/profiles/shared-hackens/syncthing.nix deleted file mode 100644 index d666ae5..0000000 --- a/profiles/shared-hackens/syncthing.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ pkgs, ... }: -{ - services.syncthing = { - enable = true; - user = "hackens"; - openDefaultPorts = true; - dataDir = "/home/hackens"; - }; -} diff --git a/profiles/shared-hackens/system.nix b/profiles/shared-hackens/system.nix index e24c283..5070118 100644 --- a/profiles/shared-hackens/system.nix +++ b/profiles/shared-hackens/system.nix @@ -5,6 +5,11 @@ allowReboot = false; }; + # SSD stuff + services.fstrim = { + enable = true; + }; + # Auto-GC and store optimizations nix = { trustedUsers = [ "root" "hackens" ]; @@ -24,8 +29,13 @@ }; services.locate.enable = true; + + # ssh services.openssh.enable = true; services.openssh.passwordAuthentication = false; + + # We are on a trusted network networking.firewall.enable = false; + documentation.info.enable = false; } diff --git a/profiles/shared-hackens/users.nix b/profiles/shared-hackens/users.nix index a9925af..529e041 100644 --- a/profiles/shared-hackens/users.nix +++ b/profiles/shared-hackens/users.nix @@ -4,6 +4,7 @@ let ../../pubkeys/raito.keys ../../pubkeys/gdd.keys ../../pubkeys/BiBi.keys + ../../pubkeys/sinavir.keys ]; in { diff --git a/profiles/shared-hackens/vim.nix b/profiles/shared-hackens/vim.nix index 616693e..fbb559e 100644 --- a/profiles/shared-hackens/vim.nix +++ b/profiles/shared-hackens/vim.nix 
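Review bot: `profiles/shared-hackens/result` is a `nix-build` output symlink into /nix/store (it names a host-specific `nixos-system-hackens-milieu-…` derivation) and is being added as a tracked file; it changes on every build and carries no configuration, so it should be removed from the tree and `result` added to `.gitignore`. The one-line hunk is the whole section.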
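Review bot: The new comment `# We are on a trusted network` above the unchanged `networking.firewall.enable = false;` should also say which hosts this shared profile is meant for, because the assumption travels with every importer: hosts/milieu imports `../../profiles/shared-hackens` later in this series, while hosts/org opens ports with `networking.firewall.allowedTCPPorts`, which has no effect when the firewall is disabled. If org also imports this profile those allow-lists are dead and the comment is wrong for that host; if it does not, a line such as `# Lab/desktop hosts only: the firewall is off because the LAN is trusted` makes the scope explicit. I cannot see org's import list from this hunk, so this is a check rather than a confirmed problem.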
@@ -4,7 +4,6 @@ git (neovim.override { vimAlias = true; - configure.plug.plugins = with vimPlugins; [ vim-nix vim-lastplace ]; }) ]; } diff --git a/profiles/shared-hackens/vpn-network/default.nix b/profiles/shared-hackens/vpn-network/default.nix deleted file mode 100644 index 9f2ffec..0000000 --- a/profiles/shared-hackens/vpn-network/default.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ pkgs, ... }: -{ - imports = [ - ./wg-peers.nix - ]; - - networking.wireguard.interfaces.wghackens = { - ips = [ "192.168.2.1/24" ]; - listenPort = 51820; - - privateKeyFile = "/etc/secrets/wghackens"; - generatePrivateKeyFile = true; - }; - - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; -} - diff --git a/profiles/shared-hackens/vpn-network/wg-peers.nix b/profiles/shared-hackens/vpn-network/wg-peers.nix deleted file mode 100644 index 8c0a5e7..0000000 --- a/profiles/shared-hackens/vpn-network/wg-peers.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ ... }: -let - startPrefix = "192.168.2"; - mkPeer = i: publicKey: { - inherit publicKey; - allowedIPs = [ "${startPrefix}.${toString i}/32" ]; # Only one IP. - }; -in - { - # Comment s'ajouter ? - # Ajouter un élément dans la liste sous la forme - # (mkPeer i "publicKey") - # i := c'est le i dans 192.168.2.i qui sera l'IP « allouée » sur le tunnel - # publicKey := votre clef publique WireGuard - # si on veut mettre une presharedKey, faut rajouter une entrée manuellement en suivant la doc :). - # Ne pas oublier un commentaire à la fin de l'entrée pour documenter qui est quoi. - # Clef publique actuelle: 95dW/JJDnbOelgot/yWMJMswCzHdQGCqPDvriwq9CT4= - networking.wireguard.interfaces.wghackens.peers = [ - (mkPeer 2 "ed5ib4LwK6YvRDqUPyvLnbS0onrBQpFApv5HreYuMHs=") # Raito - (mkPeer 3 "cm0G/YTSnu4sD72wMqXjNqDuauTh5XJHf/nvE0gOpFk=") # BiBi - ]; - } diff --git a/pubkeys/raito.keys b/pubkeys/raito.keys index 2473c6b..0f679c8 100644 --- a/pubkeys/raito.keys +++ b/pubkeys/raito.keys 
@@ -1,3 +1,3 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtS70Y1Merif66/G4bsP1/E3jyjiqjf7ZMsU07lw+Wf -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA4m2d+oCEWCceZMC1Th4IT7HO2/Z6DyJOXYLbCc8GGn diff --git a/shared/nur.nix b/shared/nur.nix deleted file mode 100644 index 206862c..0000000 --- a/shared/nur.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ lib, pkgs, ... }: -let - agenix = pkgs.fetchFromGitHub { - owner = "ryantm"; - repo = "agenix"; - rev = "7e5e58b98c3dcbf497543ff6f22591552ebfe65b"; - }; -in { - nixpkgs.config.packageOverrides = { - hackens = import ./myPkgs { inherit pkgs; }; - }; - imports = [ "${agenix}/modules/age.nix" ] - ++ lib.attrValues (import ./myModules); -} -- 2.47.0 From 733f868d0c42f44abc73863b1f03dd992089a04f Mon Sep 17 00:00:00 2001 From: HackENS milieu Date: Tue, 17 Jan 2023 20:55:22 +0100 Subject: [PATCH 24/34] programs: add fd, flush sinavir work --- profiles/shared-hackens/default.nix | 1 + profiles/shared-hackens/no-sleep.nix | 8 ++++++++ profiles/shared-hackens/programs.nix | 1 + pubkeys/sinavir.keys | 2 +- 4 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 profiles/shared-hackens/no-sleep.nix diff --git a/profiles/shared-hackens/default.nix b/profiles/shared-hackens/default.nix index 17a196f..5f3efbc 100644 --- a/profiles/shared-hackens/default.nix +++ b/profiles/shared-hackens/default.nix @@ -5,6 +5,7 @@ ./dns ./gnome.nix ./i18n.nix + ./no-sleep.nix ./programs.nix ./system.nix ./users.nix 
diff --git a/profiles/shared-hackens/no-sleep.nix b/profiles/shared-hackens/no-sleep.nix new file mode 100644 index 0000000..3b4e880 --- /dev/null +++ b/profiles/shared-hackens/no-sleep.nix @@ -0,0 +1,8 @@ +{ ... }: { + systemd.targets = { + sleep.enable = false; + suspend.enable = false; + hibernate.enable = false; + hybrid-sleep.enable = false; + }; +} diff --git a/profiles/shared-hackens/programs.nix b/profiles/shared-hackens/programs.nix index 58f87de..851df8c 100644 --- a/profiles/shared-hackens/programs.nix +++ b/profiles/shared-hackens/programs.nix @@ -19,6 +19,7 @@ wget firefox ripgrep + fd nmap htop dnsutils diff --git a/pubkeys/sinavir.keys b/pubkeys/sinavir.keys index 49ee6cc..c014707 100644 --- a/pubkeys/sinavir.keys +++ b/pubkeys/sinavir.keys @@ -1,2 +1,2 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhbmHSjCtPvGRDd0Bfw/jFZb/OnO0yN5cHdy1CSZV8O +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1FilN5OcWKTulTGs8HA0fHZMW9vpnt5tSkH3N1fI7m -- 2.47.0 From 7a5d85ec7916142c5afee3abd39c75b22a9a2421 Mon Sep 17 00:00:00 2001 From: HackENS milieu Date: Tue, 31 Jan 2023 22:48:10 +0100 Subject: [PATCH 25/34] milieu: add ungoogled-chromium, move to kernel 6, update raito.keys --- hosts/milieu/configuration.nix | 4 +++- profiles/shared-hackens/programs.nix | 2 +- pubkeys/raito.keys | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/hosts/milieu/configuration.nix b/hosts/milieu/configuration.nix index 6e5fe5f..2e0a913 100644 --- a/hosts/milieu/configuration.nix +++ b/hosts/milieu/configuration.nix @@ -22,7 +22,9 @@ networking.hostName = "hackens-milieu"; # Define your hostname. - boot.kernelPackages = pkgs.linuxPackages_5_15; + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.kernelParams = [ + ]; # The global useDHCP flag is deprecated, therefore explicitly set to false here. # Per-interface useDHCP will be mandatory in the future, so this generated config 
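Review bot: `boot.kernelParams = [ ];` is an empty list that sets nothing; either drop the two added lines or put the parameter the commit intended there. Separately, `pkgs.linuxPackages_latest` tracks whatever nixpkgs currently ships rather than the "kernel 6" series the commit title names, so channel updates will move this host across major kernels silently; if a specific series is wanted, a pinned attribute such as `pkgs.linuxPackages_6_1` is the explicit choice. The surrounding block continues outside the hunk.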
diff --git a/profiles/shared-hackens/programs.nix b/profiles/shared-hackens/programs.nix index 851df8c..9b9713f 100644 --- a/profiles/shared-hackens/programs.nix +++ b/profiles/shared-hackens/programs.nix @@ -17,7 +17,7 @@ smartmontools wget - firefox + firefox ungoogled-chromium ripgrep fd nmap diff --git a/pubkeys/raito.keys b/pubkeys/raito.keys index 0f679c8..7a717dd 100644 --- a/pubkeys/raito.keys +++ b/pubkeys/raito.keys @@ -1,3 +1,3 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA4m2d+oCEWCceZMC1Th4IT7HO2/Z6DyJOXYLbCc8GGn +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU -- 2.47.0 From ccafd8797a51974faef3afdde6a21198bbe42dc7 Mon Sep 17 00:00:00 2001 From: HackENS milieu Date: Mon, 6 Feb 2023 18:20:02 +0100 Subject: [PATCH 26/34] RYAN commit les changements de la config bordel --- profiles/shared-hackens/programs.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/profiles/shared-hackens/programs.nix b/profiles/shared-hackens/programs.nix index 9b9713f..6508c68 100644 --- a/profiles/shared-hackens/programs.nix +++ b/profiles/shared-hackens/programs.nix @@ -30,6 +30,8 @@ speedtest-cli iperf + # Serial + minicom ]; programs.chromium = { -- 2.47.0 From 42d63b428a378a3f6db6b0ef126c4688d5f8ee4f Mon Sep 17 00:00:00 2001 From: hackens server Date: Fri, 24 Feb 2023 14:40:14 +0100 Subject: [PATCH 27/34] working wiki --- hosts/org/dokuwiki.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/hosts/org/dokuwiki.nix b/hosts/org/dokuwiki.nix
index b142230..75ac971 100644
--- a/hosts/org/dokuwiki.nix
+++ b/hosts/org/dokuwiki.nix
@@ -29,12 +29,14 @@
 superuser = "@admin";
 start = "accueil";
 htmlmail = 0;
+ authtype = "oauth";
 tpl.bootstrap3 = {
 showAddNewPage = "logged";
 fluidContainer = 0;
 };
 plugin = {
 tokenbucketauth.tba_send_mail = "hackens@clipper.ens.fr";
+ oauth.register-on-auth = true;
 oauthkeycloak = {
 key = "wiki";
 secret._file = config.age.secrets.wikiOpenID.path;
@@ -48,6 +50,7 @@
 authad = false;
 authldap = false;
+ authpdo = false;
 authmysql = false;
 authpgsql = false;
 oauthkeycloak = true;
@@ -95,7 +98,7 @@
 '';
 })
 (pkgs.stdenv.mkDerivation {
- name = "oauth";
+ name = "oauthkeycloak";
 src = pkgs.fetchFromGitHub {
 owner = "YoitoFes";
 repo = "dokuwiki-plugin-oauthkeycloak";
-- 
2.47.0

From 2693fbf8cbe2562699a6bccc07b3762527a022c2 Mon Sep 17 00:00:00 2001
From: hackens server
Date: Fri, 24 Feb 2023 14:43:18 +0100
Subject: [PATCH 28/34] matterbridge

---
 hosts/org/configuration.nix | 3 +-
 hosts/org/matterbridge.nix | 56 ++++++++++++++++++++++++++++++++++++
 secrets/default.nix | 9 +++++-
 secrets/matterbridge-env.age | 33 +++++++++++++++++++++
 secrets/secrets.nix | 16 +++++++----
 5 files changed, 109 insertions(+), 8 deletions(-)
 create mode 100644 hosts/org/matterbridge.nix
 create mode 100644 secrets/matterbridge-env.age

diff --git a/hosts/org/configuration.nix b/hosts/org/configuration.nix
index 3d27d26..0f6dd94 100644
--- a/hosts/org/configuration.nix
+++ b/hosts/org/configuration.nix
@@ -14,6 +14,7 @@ ./webpass.nix ./nginx.nix ./dokuwiki.nix + ./matterbridge.nix ]; networking.hostName = "hackens-org"; # Define your hostname.
@@ -21,7 +22,7 @@ # dokuwiki overlay nixpkgs.overlays = [ (self: super: { - dokuwiki = self.pkgs.callPackage ../../shared/dokuwiki.nix {}; + dokuwiki = self.pkgs.callPackage ../../shared/dokuwiki.nix { }; }) ]; 
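Review bot: `oauth.register-on-auth = true;` together with `authtype = "oauth";` makes the wiki create a local account for any identity the Keycloak provider returns, so wiki access control now depends entirely on who can log in to that realm, and the unchanged `superuser = "@admin";` in the same hunk means group membership from that provider decides admin rights too. A comment next to the new line stating that assumption, e.g. `# every Keycloak login gets a wiki account; admin rights come from the @admin group`, would keep the next reader from tightening or loosening one side without the other. The rename from `name = "oauth"` to `name = "oauthkeycloak"` in the last hunk presumably makes the plugin directory match the `oauthkeycloak = true;` entry that loads it; I am inferring that from the plugin layout rather than from this diff.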
diff --git a/hosts/org/matterbridge.nix b/hosts/org/matterbridge.nix
new file mode 100644
index 0000000..b4e9237
--- /dev/null
+++ b/hosts/org/matterbridge.nix
@@ -0,0 +1,56 @@
+{ pkgs, lib, config, ... }:
+let
+ port = 52187;
+ configFile = pkgs.writeText "metterbridge.toml" ''
+ [irc]
+ [irc.ulminfo]
+ Server="ulminfo.fr:6697" # Ou ens.wtf tu choisis.
+ Nick="roBOT"
+ UseTLS=true
+ Charset="utf8"
+ PrefixMessagesWithNick=true
+ RemoteNickFormat="<{NICK}> "
+
+ [mattermost]
+ [mattermost.merle]
+ WebhookBindAddress="0.0.0.0:${builtins.toString port}"
+ PrefixMessagesWithNick=false
+ RemoteNickFormat="{NICK}"
+
+ [[gateway]]
+ name="hackens"
+ enable=true
+ [[gateway.inout]]
+ account="irc.ulminfo"
+ channel="#hackens"
+ [[gateway.inout]]
+ account="mattermost.merle"
+ channel="town-square"
+ '';
+in
+{
+ systemd.services.matterbridge = {
+ description = "Matterbridge chat platform bridge";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ script = ''
+ ${pkgs.matterbridge}/bin/matterbridge -conf ${configFile}
+ '';
+
+
+ serviceConfig = {
+ User = "matterbridge";
+ Group = "matterbridge";
+ Restart = "always";
+ RestartSec = "10";
+ EnvironmentFile = config.age.secrets."matterbridge-env".path;
+ };
+ };
+ users.users.matterbridge = {
+ isSystemUser = true;
+ group = "matterbridge";
+
+ };
+ users.groups.matterbridge = { };
+ networking.firewall.allowedTCPPorts = [ port ];
+}
diff --git a/secrets/default.nix b/secrets/default.nix
index e091eea..9853933 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -1,4 +1,11 @@
 { ... }: {
 imports = [ ];
- age.secrets."wikiOpenID".file = ./wiki-openID.age;
+ age.secrets."wikiOpenID" = {
+ file = ./wiki-openID.age;
+ owner = "dokuwiki";
+ };
+ age.secrets."matterbridge-env" = {
+ file = ./matterbridge-env.age;
+ owner = "matterbridge";
+ };
 }
diff --git a/secrets/matterbridge-env.age b/secrets/matterbridge-env.age
new file mode 100644
index 0000000..58099a6
--- /dev/null
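Review bot: `WebhookBindAddress="0.0.0.0:${builtins.toString port}"` together with `networking.firewall.allowedTCPPorts = [ port ];` exposes the Mattermost webhook listener on every interface of hackens-org; if only the Mattermost host (merle, going by the account name) needs to reach it, bind to that host-facing address or restrict the firewall rule to that source instead of opening 52187 publicly. Whether the inbound webhook is token-checked is not visible here because the credentials live in the `EnvironmentFile`, so a comment next to `port = 52187;` naming the expected caller and the check it relies on would help the next reader. Two smaller points: the `writeText` name `"metterbridge.toml"` is misspelled, and the unit has no systemd sandboxing, where `ProtectSystem`, `PrivateTmp` and `NoNewPrivileges` are the usual starting set for a network daemon that already runs under a dedicated user.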
+++ b/secrets/matterbridge-env.age @@ -0,0 +1,33 @@ +age-encryption.org/v1 +-> ssh-ed25519 JGx7Ng udxfs+mQbihD5fPzAn5ni8YEJVZpy4WWsJD6lCtRC1A +KZ5YX6e6z8SWnlDlx8vA4w0YUqtzBoYwInFKuqZz7d4 +-> ssh-ed25519 kXobKQ A6vHdLfZyEBJgYx41cinKBs0x0TaP331o5RMiARyeUw +BneTkDar5nxv6oZ9sCtIlrknPCNTN+/+/PF0IL+Sd48 +-> ssh-ed25519 7hZk0g Zb6uedun2Z3ZKxFefDyPbro7hiBf9I0MBT4JqBNVKVQ +iowidJUNNg/i8PJzr2QaQ1CtiGuhqLiMEgAZOnNhOpg +-> ssh-rsa krWCLQ +YTtOm6+MDPBNKQRhBZfhNqJV1qLJ5UDV5UdBnU0NzQz6k0IB2wowKcbgsmeoTPAo +y8Ngqaj73LsttzvBtFEQkGyfx/uN5YheUjyzpRvKSgYFAhz1MfRnJNMDSpcSQSrm +6zLZz0YP6DUPxolVhbmOMdTdcfFZj99RFDQXhuKnsKYRVm9sL5j3ucf/Ekk9PDoD +d6qvsE8Coujxhcraf80w/USnBtB1hHJWqJe+iljuZ6xXr+Piuc3Rm289NHiB5x+3 +56pvcQO6NAy4IvDnWD2KfOIgF4LNAVKNnZzUyBLYK+31N3Xq/FKZ1sreN9dy7F5Z +E6Lnak3W3E9/O3R8n7p9CA +-> ssh-ed25519 /vwQcQ d9HHwpCJKqUkEkJxcX4/diGPuopw0htz0FSdy6nJoQQ +Zrh2lQSPiFZi4aSum8PvgbY4hgSaFZGxDsjCTVkLcy8 +-> ssh-ed25519 0R97PA E3p80voKVJhW+lJa9BbYnmzYlCMlYdMZh9BJbwy2a0A +0FiTmlnAKlBD1/tTz1KeVgCbJ6BjEQhgdYRnnsdw9NQ +-> ssh-ed25519 cvTB5g rqR6oJ+SD2P8cE9Rv5y44OilufgL8TJ/wZVQDbzyAwU +SPF2XWcwsmq93RCBysKXejLUDdRtsDEI7NgueV4DmeQ +-> ssh-ed25519 Wu8JLQ pbLcWS1CB6FjR5bD/jcTC8yJAOEldPgI5tG2eYF0Onc +ghsz3bkN8vQplNXBCgRFq2lpbqs0DGeIF8IdlI93j8g +-> ssh-ed25519 EIt1vA lSqRBaPgoG8n67bNIsHFu1RK5RlXWZBPkC15L2dprEw ++jtJKYpFf9O9YJFx4y/JQ2kAEj0GP8PsPtn6gg80OMw +-> ssh-ed25519 X51wxg YyH0+riDtUnbeuwLE6tZyvg1WvenA7hHP2Yo5ULiRmg +QvwlfQd6VFZS/3VSbud/ApzkmjGtx2bzVWyQRMPOGeA +-> 4l{!l\L-grease {6Ig( Vc~QhIg \Q:# +mRy+uiK5/EjovQZu32MubNOIg/GHh0ixYiuA7DOt+enUvwGe5ABo2JAKlZUpbHD3 +gkvFvQSHMj94zoHmK7a7pnp73QZ5uwtqUuPpm3xclXIZFDkWJQ +--- dqYRV0DCgBAI4LSzwaka+j17Ov0J27IQLQzxEcygRZA + +YU\ 8͕/0FS +΂xMZfY~C`$7dǚ7B؞kF~wX \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index df3cc0b..f9c06e8 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -1,10 +1,14 @@
 let
 lib = (import { }).lib;
- readPubkeys = user:
+ readpubkeys = user:
 builtins.filter (k: k != "")
- (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys")));
-in {
- "wiki-openID.age".publicKeys = (readPubkeys "sinavir")
- ++ (readPubkeys "hackens-host") ++ (readPubkeys "raito")
- ++ (readPubkeys "gdd") ++ (readPubkeys "backslash");
+ (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys")));
+in
+{
+ "wiki-openid.age".publicKeys = (readpubkeys "sinavir")
+ ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito")
+ ++ (readpubkeys "gdd") ++ (readpubkeys "backslash");
+ "matterbridge-env.age".publicKeys = (readpubkeys "sinavir")
+ ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito")
+ ++ (readpubkeys "gdd") ++ (readpubkeys "backslash");
 }
-- 
2.47.0

From 141e1ce8dd96127f65c9f85268f456070945d5f5 Mon Sep 17 00:00:00 2001
From: hackens server
Date: Fri, 24 Feb 2023 14:43:35 +0100
Subject: [PATCH 29/34] nixpkgs-fmt

---
 hosts/milieu/configuration.nix | 3 +-
 hosts/milieu/hardware-configuration.nix | 12 +-
 hosts/org/hardware-configuration.nix | 11 +-
 hosts/org/physical.nix | 2 +-
 profiles/shared-hackens/programs.nix | 9 +-
 profiles/shared-hackens/users.nix | 4 +-
 shared/dokuwiki.nix | 65 +-
 shared/dokuwiki_module.nix | 542 ++++++++++++------------
 8 files changed, 340 insertions(+), 308 deletions(-)

diff --git a/hosts/milieu/configuration.nix b/hosts/milieu/configuration.nix
index 2e0a913..b0904f4 100644
--- a/hosts/milieu/configuration.nix
+++ b/hosts/milieu/configuration.nix
@@ -6,7 +6,8 @@ { imports = - [ # Include the results of the hardware scan. + [ + # Include the results of the hardware scan. ./hardware-configuration.nix ../../profiles/shared-hackens ];
diff --git a/hosts/milieu/hardware-configuration.nix b/hosts/milieu/hardware-configuration.nix
index f3b47cf..3c60783 100644
--- a/hosts/milieu/hardware-configuration.nix
+++ b/hosts/milieu/hardware-configuration.nix
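Review bot: The renamed key `"wiki-openid.age"` no longer matches the file the module actually loads, `./wiki-openID.age` in secrets/default.nix (unchanged in this series), so on a case-sensitive filesystem agenix will find no recipients for the existing secret when it is edited or rekeyed; this looks like an unintended side effect of lowercasing `readPubkeys`. Restoring `"wiki-openID.age".publicKeys = …`, or renaming the file and the `file = ./wiki-openID.age;` reference together, fixes it. The two recipient lists are also identical, so a single binding keeps them from drifting apart:
```nix
# … unchanged: let / lib binding …
  readpubkeys = user:
    builtins.filter (k: k != "")
      (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys")));
  admins = (readpubkeys "sinavir") ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito")
    ++ (readpubkeys "gdd") ++ (readpubkeys "backslash");
in
{
  "wiki-openID.age".publicKeys = admins;
  "matterbridge-env.age".publicKeys = admins;
}
```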
@@ -5,7 +5,8 @@ { imports = - [ + [ + ]; boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "sd_mod" "sr_mod" ]; @@ -16,19 +17,20 @@ # boot.kernelParams = [ "nomodeset" ]; fileSystems."/" = - { device = "/dev/disk/by-label/nixos-root"; + { + device = "/dev/disk/by-label/nixos-root"; fsType = "btrfs"; options = [ "ssd" "noatime" "ssd_spread" "discard" "space_cache" ]; }; fileSystems."/boot" = - { device = "/dev/disk/by-label/BOOT"; + { + device = "/dev/disk/by-label/BOOT"; fsType = "vfat"; }; swapDevices = - [ { device = "/dev/disk/by-label/SWAP"; } - ]; + [{ device = "/dev/disk/by-label/SWAP"; }]; nix.maxJobs = lib.mkDefault 4; powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; diff --git a/hosts/org/hardware-configuration.nix b/hosts/org/hardware-configuration.nix index 20d2692..6db90a9 100644 --- a/hosts/org/hardware-configuration.nix +++ b/hosts/org/hardware-configuration.nix @@ -5,7 +5,8 @@ { imports = - [ (modulesPath + "/profiles/qemu-guest.nix") + [ + (modulesPath + "/profiles/qemu-guest.nix") ]; boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "virtio_pci" "virtio_blk" ]; @@ -14,16 +15,18 @@ boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/8deb32c9-ee6a-4de8-94da-239c8ec509a2"; + { + device = "/dev/disk/by-uuid/8deb32c9-ee6a-4de8-94da-239c8ec509a2"; fsType = "btrfs"; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/0795-75ED"; + { + device = "/dev/disk/by-uuid/0795-75ED"; fsType = "vfat"; }; swapDevices = - [ { device = "/dev/disk/by-uuid/bd7c1c01-ce31-4db3-9c06-70716020e24a"; } ]; + [{ device = "/dev/disk/by-uuid/bd7c1c01-ce31-4db3-9c06-70716020e24a"; }]; } diff --git a/hosts/org/physical.nix b/hosts/org/physical.nix index f1174aa..dcb3f43 100644 --- a/hosts/org/physical.nix +++ b/hosts/org/physical.nix 
@@ -9,7 +9,7 @@ networking.useDHCP = false; networking.interfaces.eth0 = { - ipv4.addresses = [ { address = "129.199.129.76"; prefixLength = 24; } ]; + ipv4.addresses = [{ address = "129.199.129.76"; prefixLength = 24; }]; }; networking.defaultGateway = { address = "129.199.129.1"; interface = "eth0"; }; } diff --git a/profiles/shared-hackens/programs.nix b/profiles/shared-hackens/programs.nix index 6508c68..fc81a76 100644 --- a/profiles/shared-hackens/programs.nix +++ b/profiles/shared-hackens/programs.nix @@ -13,17 +13,20 @@ texlive.combined.scheme-full # Editors - vscodium emacs neovim + vscodium + emacs + neovim smartmontools wget - firefox ungoogled-chromium + firefox + ungoogled-chromium ripgrep fd nmap htop dnsutils - ncdu + ncdu lazygit # Networking diff --git a/profiles/shared-hackens/users.nix b/profiles/shared-hackens/users.nix index 529e041..6a1792f 100644 --- a/profiles/shared-hackens/users.nix +++ b/profiles/shared-hackens/users.nix @@ -12,11 +12,11 @@ in isNormalUser = true; extraGroups = [ "wheel" "dialout" "audio" "video" ]; - openssh.authorizedKeys.keys = [ + openssh.authorizedKeys.keys = [ "ssh-rsa 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 hackens@hackens-desktop" ]; openssh.authorizedKeys.keyFiles = superadmins; - }; + }; users.users.root = { openssh.authorizedKeys.keyFiles = superadmins; diff --git a/shared/dokuwiki.nix b/shared/dokuwiki.nix index b3a4851..c999fce 100644 --- a/shared/dokuwiki.nix +++ b/shared/dokuwiki.nix 
@@ -18,29 +18,29 @@ stdenv.mkDerivation rec { }; preload = writeText "preload.php" '' - array( - 'default' => getenv('DOKUWIKI_ACL_AUTH_CONFIG'), - ), - 'plainauth.users' => array( - 'default' => getenv('DOKUWIKI_USERS_AUTH_CONFIG'), - 'protected' => "" // not used by default - ), - ); + $config_cascade = array( + 'acl' => array( + 'default' => getenv('DOKUWIKI_ACL_AUTH_CONFIG'), + ), + 'plainauth.users' => array( + 'default' => getenv('DOKUWIKI_USERS_AUTH_CONFIG'), + 'protected' => "" // not used by default + ), + ); ''; phpLocalConfig = writeText "local.php" '' - + ''; phpPluginsLocalConfig = writeText "plugins.local.php" '' - + ''; installPhase = '' 
@@ -56,26 +56,29 @@ stdenv.mkDerivation rec { ''; passthru = { - combine = { basePackage ? dokuwiki - , plugins ? [] - , templates ? [] + combine = + { basePackage ? dokuwiki + , plugins ? [ ] + , templates ? [ ] , localConfig ? null , pluginsConfig ? null , aclConfig ? null , pname ? (p: "${p.pname}-combined") - }: let - isNotEmpty = x: lib.optionalString (! builtins.elem x [ null "" ]); - in basePackage.overrideAttrs (prev: { - pname = if builtins.isFunction pname then pname prev else pname; + }: + let + isNotEmpty = x: lib.optionalString (! builtins.elem x [ null "" ]); + in + basePackage.overrideAttrs (prev: { + pname = if builtins.isFunction pname then pname prev else pname; - postInstall = prev.postInstall or "" + '' - ${lib.concatMapStringsSep "\n" (tpl: "cp -r ${toString tpl} $out/share/dokuwiki/lib/tpl/${tpl.name}") templates} - ${lib.concatMapStringsSep "\n" (plugin: "cp -r ${toString plugin} $out/share/dokuwiki/lib/plugins/${plugin.name}") plugins} - ${isNotEmpty localConfig "ln -sf ${localConfig} $out/share/dokuwiki/conf/local.php" } - ${isNotEmpty pluginsConfig "ln -sf ${pluginsConfig} $out/share/dokuwiki/conf/plugins.local.php" } - ${isNotEmpty aclConfig "ln -sf ${aclConfig} $out/share/dokuwiki/acl.auth.php" } - ''; - }); + postInstall = prev.postInstall or "" + '' + ${lib.concatMapStringsSep "\n" (tpl: "cp -r ${toString tpl} $out/share/dokuwiki/lib/tpl/${tpl.name}") templates} + ${lib.concatMapStringsSep "\n" (plugin: "cp -r ${toString plugin} $out/share/dokuwiki/lib/plugins/${plugin.name}") plugins} + ${isNotEmpty localConfig "ln -sf ${localConfig} $out/share/dokuwiki/conf/local.php" } + ${isNotEmpty pluginsConfig "ln -sf ${pluginsConfig} $out/share/dokuwiki/conf/plugins.local.php" } + ${isNotEmpty aclConfig "ln -sf ${aclConfig} $out/share/dokuwiki/acl.auth.php" } + ''; + }); tests = { inherit (nixosTests) dokuwiki; }; diff --git a/shared/dokuwiki_module.nix b/shared/dokuwiki_module.nix index d4d8839..f1f6548 100644 --- a/shared/dokuwiki_module.nix 
+++ b/shared/dokuwiki_module.nix @@ -9,23 +9,25 @@ let webserver = config.services.${cfg.webserver}; mkPhpIni = generators.toKeyValue { - mkKeyValue = generators.mkKeyValueDefault {} " = "; + mkKeyValue = generators.mkKeyValueDefault { } " = "; }; mkPhpPackage = cfg: cfg.phpPackage.buildEnv { extraConfig = mkPhpIni cfg.phpOptions; }; - dokuwikiAclAuthConfig = hostName: cfg: let - inherit (cfg) acl; - acl_gen = concatMapStringsSep "\n" (l: "${l.page} \t ${l.actor} \t ${toString l.level}"); - in pkgs.writeText "acl.auth-${hostName}.php" '' - # acl.auth.php - # - # - # Access Control Lists - # - ${if isString acl then acl else acl_gen acl} - ''; + dokuwikiAclAuthConfig = hostName: cfg: + let + inherit (cfg) acl; + acl_gen = concatMapStringsSep "\n" (l: "${l.page} \t ${l.actor} \t ${toString l.level}"); + in + pkgs.writeText "acl.auth-${hostName}.php" '' + # acl.auth.php + # + # + # Access Control Lists + # + ${if isString acl then acl else acl_gen acl} + ''; mergeConfig = cfg: { useacl = false; # Dokuwiki default @@ -38,9 +40,10 @@ let checkPhase = "${pkgs.php81}/bin/php --syntax-check $target"; }; - mkPhpValue = v: let - isHasAttr = s: isAttrs v && hasAttr s v; - in + mkPhpValue = v: + let + isHasAttr = s: isAttrs v && hasAttr s v; + in if isString v then escapeShellArg v # NOTE: If any value contains a , (comma) this will not get escaped else if isList v && any lib.strings.isCoercibleToString v then escapeShellArg (concatMapStringsSep "," toString v) 
@@ -52,26 +55,33 @@ let ; mkPhpAttrVals = v: flatten (mapAttrsToList mkPhpKeyVal v); - mkPhpKeyVal = k: v: let - values = if (isAttrs v && (hasAttr "_file" v || hasAttr "_raw" v )) || !isAttrs v then - [" = ${mkPhpValue v};"] - else - mkPhpAttrVals v; - in map (e: "[${escapeShellArg k}]${e}") (flatten values); + mkPhpKeyVal = k: v: + let + values = + if (isAttrs v && (hasAttr "_file" v || hasAttr "_raw" v)) || !isAttrs v then + [ " = ${mkPhpValue v};" ] + else + mkPhpAttrVals v; + in + map (e: "[${escapeShellArg k}]${e}") (flatten values); - dokuwikiLocalConfig = hostName: cfg: let - conf_gen = c: map (v: "$conf${v}") (mkPhpAttrVals c); - in writePhpFile "local-${hostName}.php" '' - ${concatStringsSep "\n" (conf_gen cfg.mergedConfig)} - ${toString cfg.extraConfig} - ''; + dokuwikiLocalConfig = hostName: cfg: + let + conf_gen = c: map (v: "$conf${v}") (mkPhpAttrVals c); + in + writePhpFile "local-${hostName}.php" '' + ${concatStringsSep "\n" (conf_gen cfg.mergedConfig)} + ${toString cfg.extraConfig} + ''; - dokuwikiPluginsLocalConfig = hostName: cfg: let - pc = cfg.pluginsConfig; - pc_gen = pc: concatStringsSep "\n" (mapAttrsToList (n: v: "$plugins['${n}'] = ${boolToString v};") pc); - in writePhpFile "plugins.local-${hostName}.php" '' - ${if isString pc then pc else pc_gen pc} - ''; + dokuwikiPluginsLocalConfig = hostName: cfg: + let + pc = cfg.pluginsConfig; + pc_gen = pc: concatStringsSep "\n" (mapAttrsToList (n: v: "$plugins['${n}'] = ${boolToString v};") pc); + in + writePhpFile "plugins.local-${hostName}.php" '' + ${if isString pc then pc else pc_gen pc} + ''; pkg = hostName: cfg: cfg.package.combine { 
@@ -82,7 +92,7 @@ let basePackage = cfg.package; localConfig = dokuwikiLocalConfig hostName cfg; pluginsConfig = dokuwikiPluginsLocalConfig hostName cfg; - aclConfig = let a = if cfg.aclUse && cfg.acl != null then dokuwikiAclAuthConfig hostName cfg else null; in builtins.trace a a; + aclConfig = let a = if cfg.aclUse && cfg.acl != null then dokuwikiAclAuthConfig hostName cfg else null; in builtins.trace a a; }; aclOpts = { ... }: { @@ -100,24 +110,26 @@ let example = "@external"; }; - level = let - available = { - "none" = 0; - "read" = 1; - "edit" = 2; - "create" = 4; - "upload" = 8; - "delete" = 16; + level = + let + available = { + "none" = 0; + "read" = 1; + "edit" = 2; + "create" = 4; + "upload" = 8; + "delete" = 16; + }; + in + mkOption { + type = types.enum ((attrValues available) ++ (attrNames available)); + apply = x: if isInt x then x else available.${x}; + description = '' + Permission level to restrict the actor(s) to. + See for explanation + ''; + example = "read"; }; - in mkOption { - type = types.enum ((attrValues available) ++ (attrNames available)); - apply = x: if isInt x then x else available.${x}; - description = '' - Permission level to restrict the actor(s) to. - See for explanation - ''; - example = "read"; - }; }; }; 
@@ -126,10 +138,10 @@ let { imports = [ # NOTE: These will sadly not print the absolute argument path but only the name. Related to #96006 - (mkRenamedOptionModule [ "aclUse" ] [ "settings" "useacl" ] ) - (mkRenamedOptionModule [ "superUser" ] [ "settings" "superuser" ] ) - (mkRenamedOptionModule [ "disableActions" ] [ "settings" "disableactions" ] ) - ({ config, options, name, ...}: { + (mkRenamedOptionModule [ "aclUse" ] [ "settings" "useacl" ]) + (mkRenamedOptionModule [ "superUser" ] [ "settings" "superuser" ]) + (mkRenamedOptionModule [ "disableActions" ] [ "settings" "disableactions" ]) + ({ config, options, name, ... }: { config.warnings = (optional (isString config.pluginsConfig) '' Passing plain strings to services.dokuwiki.sites.${name}.pluginsConfig has been deprecated and will not be continue to be supported in the future. @@ -203,7 +215,7 @@ let }; pluginsConfig = mkOption { - type = with types; oneOf [lines (attrsOf bool)]; + type = with types; oneOf [ lines (attrsOf bool) ]; default = { authad = false; authldap = false; 
@@ -228,62 +240,62 @@ let mkpasswd -5 password `pwgen 8 1` Example: - ''; + ''; example = "/var/lib/dokuwiki/${name}/users.auth.php"; }; plugins = mkOption { type = types.listOf types.path; - default = []; + default = [ ]; description = lib.mdDoc '' - List of path(s) to respective plugin(s) which are copied from the 'plugin' directory. + List of path(s) to respective plugin(s) which are copied from the 'plugin' directory. - ::: {.note} - These plugins need to be packaged before use, see example. - ::: + ::: {.note} + These plugins need to be packaged before use, see example. + ::: ''; example = literalExpression '' - let - plugin-icalevents = pkgs.stdenv.mkDerivation rec { - name = "icalevents"; - version = "2017-06-16"; - src = pkgs.fetchzip { - stripRoot = false; - url = "https://github.com/real-or-random/dokuwiki-plugin-icalevents/releases/download/''${version}/dokuwiki-plugin-icalevents-''${version}.zip"; - hash = "sha256-IPs4+qgEfe8AAWevbcCM9PnyI0uoyamtWeg4rEb+9Wc="; - }; - installPhase = "mkdir -p $out; cp -R * $out/"; - }; - # And then pass this theme to the plugin list like this: - in [ plugin-icalevents ] + let + plugin-icalevents = pkgs.stdenv.mkDerivation rec { + name = "icalevents"; + version = "2017-06-16"; + src = pkgs.fetchzip { + stripRoot = false; + url = "https://github.com/real-or-random/dokuwiki-plugin-icalevents/releases/download/''${version}/dokuwiki-plugin-icalevents-''${version}.zip"; + hash = "sha256-IPs4+qgEfe8AAWevbcCM9PnyI0uoyamtWeg4rEb+9Wc="; + }; + installPhase = "mkdir -p $out; cp -R * $out/"; + }; + # And then pass this theme to the plugin list like this: + in [ plugin-icalevents ] ''; }; templates = mkOption { type = types.listOf types.path; - default = []; + default = [ ]; description = lib.mdDoc '' - List of path(s) to respective template(s) which are copied from the 'tpl' directory. + List of path(s) to respective template(s) which are copied from the 'tpl' directory. 
- ::: {.note} - These templates need to be packaged before use, see example. - ::: + ::: {.note} + These templates need to be packaged before use, see example. + ::: ''; example = literalExpression '' - let - template-bootstrap3 = pkgs.stdenv.mkDerivation rec { - name = "bootstrap3"; - version = "2022-07-27"; - src = pkgs.fetchFromGitHub { - owner = "giterlizzi"; - repo = "dokuwiki-template-bootstrap3"; - rev = "v''${version}"; - hash = "sha256-B3Yd4lxdwqfCnfmZdp+i/Mzwn/aEuZ0ovagDxuR6lxo="; - }; - installPhase = "mkdir -p $out; cp -R * $out/"; - }; - # And then pass this theme to the template list like this: - in [ template-bootstrap3 ] + let + template-bootstrap3 = pkgs.stdenv.mkDerivation rec { + name = "bootstrap3"; + version = "2022-07-27"; + src = pkgs.fetchFromGitHub { + owner = "giterlizzi"; + repo = "dokuwiki-template-bootstrap3"; + rev = "v''${version}"; + hash = "sha256-B3Yd4lxdwqfCnfmZdp+i/Mzwn/aEuZ0ovagDxuR6lxo="; + }; + installPhase = "mkdir -p $out; cp -R * $out/"; + }; + # And then pass this theme to the template list like this: + in [ template-bootstrap3 ] ''; }; @@ -315,18 +327,18 @@ let phpOptions = mkOption { type = types.attrsOf types.str; - default = {}; + default = { }; description = lib.mdDoc '' Options for PHP's php.ini file for this dokuwiki site. ''; example = literalExpression '' - { - "opcache.interned_strings_buffer" = "8"; - "opcache.max_accelerated_files" = "10000"; - "opcache.memory_consumption" = "128"; - "opcache.revalidate_freq" = "15"; - "opcache.fast_shutdown" = "1"; - } + { + "opcache.interned_strings_buffer" = "8"; + "opcache.max_accelerated_files" = "10000"; + "opcache.memory_consumption" = "128"; + "opcache.revalidate_freq" = "15"; + "opcache.fast_shutdown" = "1"; + } ''; }; 
@@ -390,18 +402,18 @@ let ''; }; - # Required for the mkRenamedOptionModule - # TODO: Remove me once https://github.com/NixOS/nixpkgs/issues/96006 is fixed - # or the aclUse, ... options are removed. - warnings = mkOption { - type = types.listOf types.unspecified; - default = [ ]; - visible = false; - internal = true; - }; + # Required for the mkRenamedOptionModule + # TODO: Remove me once https://github.com/NixOS/nixpkgs/issues/96006 is fixed + # or the aclUse, ... options are removed. + warnings = mkOption { + type = types.listOf types.unspecified; + default = [ ]; + visible = false; + internal = true; + }; + }; }; - }; in { options = { @@ -409,7 +421,7 @@ in sites = mkOption { type = types.attrsOf (types.submodule siteOpts); - default = {}; + default = { }; description = lib.mdDoc "Specification of one or more DokuWiki sites to serve"; }; 
@@ -431,159 +443,167 @@ in }; # implementation - config = mkIf (eachSite != {}) (mkMerge [{ + config = mkIf (eachSite != { }) (mkMerge [{ warnings = flatten (mapAttrsToList (_: cfg: cfg.warnings) eachSite); - assertions = flatten (mapAttrsToList (hostName: cfg: - [{ - assertion = cfg.mergedConfig.useacl -> (cfg.acl != null || cfg.aclFile != null); - message = "Either services.dokuwiki.sites.${hostName}.acl or services.dokuwiki.sites.${hostName}.aclFile is mandatory if settings.useacl is true"; - } - { - assertion = cfg.usersFile != null -> cfg.mergedConfig.useacl != false; - message = "services.dokuwiki.sites.${hostName}.settings.useacl must must be true if usersFile is not null"; - } - ]) eachSite); - - services.phpfpm.pools = mapAttrs' (hostName: cfg: ( - nameValuePair "dokuwiki-${hostName}" { - inherit user; - group = webserver.group; - - phpPackage = mkPhpPackage cfg; - phpEnv = optionalAttrs (cfg.usersFile != null) { - DOKUWIKI_USERS_AUTH_CONFIG = "${cfg.usersFile}"; - } // optionalAttrs (cfg.mergedConfig.useacl) { - DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig hostName cfg}" else "${toString cfg.aclFile}"; - }; - - settings = { - "listen.owner" = webserver.user; - "listen.group" = webserver.group; - } // cfg.poolConfig; - } - )) eachSite; - - } - - { - systemd.tmpfiles.rules = flatten (mapAttrsToList (hostName: cfg: [ - "d ${cfg.stateDir}/attic 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/cache 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/index 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/locks 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/log 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/media 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/media_attic 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/media_meta 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/meta 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/pages 0750 
${user} ${webserver.group} - -" - "d ${cfg.stateDir}/tmp 0750 ${user} ${webserver.group} - -" - ] ++ lib.optional (cfg.aclFile != null) "C ${cfg.aclFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/acl.auth.php.dist" - ++ lib.optional (cfg.usersFile != null) "C ${cfg.usersFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/users.auth.php.dist" - ) eachSite); - - users.users.${user} = { - group = webserver.group; - isSystemUser = true; - }; - } - - (mkIf (cfg.webserver == "nginx") { - services.nginx = { - enable = true; - virtualHosts = mapAttrs (hostName: cfg: { - serverName = mkDefault hostName; - root = "${pkg hostName cfg}/share/dokuwiki"; - - locations = { - "~ /(conf/|bin/|inc/|install.php)" = { - extraConfig = "deny all;"; - }; - - "~ ^/data/" = { - root = "${cfg.stateDir}"; - extraConfig = "internal;"; - }; - - "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = { - extraConfig = "expires 365d;"; - }; - - "/" = { - priority = 1; - index = "doku.php"; - extraConfig = ''try_files $uri $uri/ @dokuwiki;''; - }; - - "@dokuwiki" = { - extraConfig = '' - # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page - rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; - rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; - rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; - rewrite ^/(.*) /doku.php?id=$1&$args last; - ''; - }; - - "~ \\.php$" = { - extraConfig = '' - try_files $uri $uri/ /doku.php; - include ${config.services.nginx.package}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param REDIRECT_STATUS 200; - fastcgi_pass unix:${config.services.phpfpm.pools."dokuwiki-${hostName}".socket}; - ''; - }; - - }; - }) eachSite; - }; - }) - - (mkIf (cfg.webserver == "caddy") { - services.caddy = { - enable = true; - virtualHosts = mapAttrs' (hostName: cfg: ( - nameValuePair 
"http://${hostName}" { - extraConfig = '' - root * ${pkg hostName cfg}/share/dokuwiki - file_server - - encode zstd gzip - php_fastcgi unix/${config.services.phpfpm.pools."dokuwiki-${hostName}".socket} - - @restrict_files { - path /data/* /conf/* /bin/* /inc/* /vendor/* /install.php - } - - respond @restrict_files 404 - - @allow_media { - path_regexp path ^/_media/(.*)$ - } - rewrite @allow_media /lib/exe/fetch.php?media=/{http.regexp.path.1} - - @allow_detail { - path /_detail* - } - rewrite @allow_detail /lib/exe/detail.php?media={path} - - @allow_export { - path /_export* - path_regexp export /([^/]+)/(.*) - } - rewrite @allow_export /doku.php?do=export_{http.regexp.export.1}&id={http.regexp.export.2} - - try_files {path} {path}/ /doku.php?id={path}&{query} - ''; + assertions = flatten (mapAttrsToList + (hostName: cfg: + [{ + assertion = cfg.mergedConfig.useacl -> (cfg.acl != null || cfg.aclFile != null); + message = "Either services.dokuwiki.sites.${hostName}.acl or services.dokuwiki.sites.${hostName}.aclFile is mandatory if settings.useacl is true"; } - )) eachSite; - }; - }) + { + assertion = cfg.usersFile != null -> cfg.mergedConfig.useacl != false; + message = "services.dokuwiki.sites.${hostName}.settings.useacl must must be true if usersFile is not null"; + }]) + eachSite); - ]); + services.phpfpm.pools = mapAttrs' + (hostName: cfg: ( + nameValuePair "dokuwiki-${hostName}" { + inherit user; + group = webserver.group; + + phpPackage = mkPhpPackage cfg; + phpEnv = optionalAttrs (cfg.usersFile != null) + { + DOKUWIKI_USERS_AUTH_CONFIG = "${cfg.usersFile}"; + } // optionalAttrs (cfg.mergedConfig.useacl) { + DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig hostName cfg}" else "${toString cfg.aclFile}"; + }; + + settings = { + "listen.owner" = webserver.user; + "listen.group" = webserver.group; + } // cfg.poolConfig; + } + )) + eachSite; + + } + + { + systemd.tmpfiles.rules = flatten (mapAttrsToList + (hostName: cfg: [ + "d 
${cfg.stateDir}/attic 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/cache 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/index 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/locks 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/log 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/media 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/media_attic 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/media_meta 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/meta 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/pages 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/tmp 0750 ${user} ${webserver.group} - -" + ] ++ lib.optional (cfg.aclFile != null) "C ${cfg.aclFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/acl.auth.php.dist" + ++ lib.optional (cfg.usersFile != null) "C ${cfg.usersFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/users.auth.php.dist" + ) + eachSite); + + users.users.${user} = { + group = webserver.group; + isSystemUser = true; + }; + } + + (mkIf (cfg.webserver == "nginx") { + services.nginx = { + enable = true; + virtualHosts = mapAttrs + (hostName: cfg: { + serverName = mkDefault hostName; + root = "${pkg hostName cfg}/share/dokuwiki"; + + locations = { + "~ /(conf/|bin/|inc/|install.php)" = { + extraConfig = "deny all;"; + }; + + "~ ^/data/" = { + root = "${cfg.stateDir}"; + extraConfig = "internal;"; + }; + + "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = { + extraConfig = "expires 365d;"; + }; + + "/" = { + priority = 1; + index = "doku.php"; + extraConfig = ''try_files $uri $uri/ @dokuwiki;''; + }; + + "@dokuwiki" = { + extraConfig = '' + # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page + rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; + rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; + rewrite ^/_export/([^/]+)/(.*) 
/doku.php?do=export_$1&id=$2 last; + rewrite ^/(.*) /doku.php?id=$1&$args last; + ''; + }; + + "~ \\.php$" = { + extraConfig = '' + try_files $uri $uri/ /doku.php; + include ${config.services.nginx.package}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param REDIRECT_STATUS 200; + fastcgi_pass unix:${config.services.phpfpm.pools."dokuwiki-${hostName}".socket}; + ''; + }; + + }; + }) + eachSite; + }; + }) + + (mkIf (cfg.webserver == "caddy") { + services.caddy = { + enable = true; + virtualHosts = mapAttrs' + (hostName: cfg: ( + nameValuePair "http://${hostName}" { + extraConfig = '' + root * ${pkg hostName cfg}/share/dokuwiki + file_server + + encode zstd gzip + php_fastcgi unix/${config.services.phpfpm.pools."dokuwiki-${hostName}".socket} + + @restrict_files { + path /data/* /conf/* /bin/* /inc/* /vendor/* /install.php + } + + respond @restrict_files 404 + + @allow_media { + path_regexp path ^/_media/(.*)$ + } + rewrite @allow_media /lib/exe/fetch.php?media=/{http.regexp.path.1} + + @allow_detail { + path /_detail* + } + rewrite @allow_detail /lib/exe/detail.php?media={path} + + @allow_export { + path /_export* + path_regexp export /([^/]+)/(.*) + } + rewrite @allow_export /doku.php?do=export_{http.regexp.export.1}&id={http.regexp.export.2} + + try_files {path} {path}/ /doku.php?id={path}&{query} + ''; + } + )) + eachSite; + }; + })]); meta.maintainers = with maintainers; [ _1000101 -- 2.47.0 From 6f28af85767ec0fe3b2f4152bd1f470849f5ac09 Mon Sep 17 00:00:00 2001 From: hackens server Date: Fri, 24 Feb 2023 14:55:31 +0100 Subject: [PATCH 30/34] enable mosh --- hosts/org/core-hackens/ssh-server.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/org/core-hackens/ssh-server.nix b/hosts/org/core-hackens/ssh-server.nix index 784fe47..59a1a38 100644 --- a/hosts/org/core-hackens/ssh-server.nix +++ b/hosts/org/core-hackens/ssh-server.nix 
@@ -5,4 +5,5 @@ # Open ports in the firewall. networking.firewall.allowedTCPPorts = [ 22 ]; + programs.mosh.enable = true; } -- 2.47.0 From 3851a66193fa7cc54a56d58b150b0b473bc2c49e Mon Sep 17 00:00:00 2001 From: hackens server Date: Wed, 8 Mar 2023 00:48:11 +0100 Subject: [PATCH 31/34] add_hackens_orga --- hosts/org/configuration.nix | 1 + hosts/org/orga/authens.nix | 12 ++++++ hosts/org/orga/default.nix | 42 ++++++++++++++++++++ hosts/org/orga/mkAssets.nix | 27 +++++++++++++ hosts/org/orga/module.nix | 65 +++++++++++++++++++++++++++++++ hosts/org/orga/python-cas.nix | 13 +++++++ hosts/org/orga/python.nix | 20 ++++++++++ hosts/org/orga/shell.nix | 6 +++ hosts/org/orga/static-assets.nix | 10 +++++ secrets/default.nix | 4 ++ secrets/django.age | Bin 0 -> 1654 bytes secrets/secrets.nix | 3 ++ 12 files changed, 203 insertions(+) create mode 100644 hosts/org/orga/authens.nix create mode 100644 hosts/org/orga/default.nix create mode 100644 hosts/org/orga/mkAssets.nix create mode 100644 hosts/org/orga/module.nix create mode 100644 hosts/org/orga/python-cas.nix create mode 100644 hosts/org/orga/python.nix create mode 100644 hosts/org/orga/shell.nix create mode 100644 hosts/org/orga/static-assets.nix create mode 100644 secrets/django.age diff --git a/hosts/org/configuration.nix b/hosts/org/configuration.nix index 0f6dd94..86eb3a2 100644 --- a/hosts/org/configuration.nix +++ b/hosts/org/configuration.nix @@ -15,6 +15,7 @@ ./nginx.nix ./dokuwiki.nix ./matterbridge.nix + ./orga ]; networking.hostName = "hackens-org"; # Define your hostname. diff --git a/hosts/org/orga/authens.nix b/hosts/org/orga/authens.nix new file mode 100644 index 0000000..d7b5f82 --- /dev/null +++ b/hosts/org/orga/authens.nix 
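Review bot: `programs.mosh.enable = true;` also opens UDP 60000–61000 in the firewall through the NixOS mosh module (on releases that expose `programs.mosh.openFirewall` that is its default), so the `# Open ports in the firewall.` comment above, which only lists TCP 22, no longer describes what this file exposes. Record the intent next to the new line, e.g. `programs.mosh.enable = true; # mosh module also opens UDP 60000-61000`, or declare the UDP range explicitly in this file so the host's open ports are visible in one place. The enclosing attribute set starts outside the hunk.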
@@ -0,0 +1,12 @@ +{ lib, pythoncas, django, ldap, buildPythonPackage }: +buildPythonPackage rec { + pname = "authens"; + version = "v0.1b5"; + doCheck = false; + src = builtins.fetchGit { + url = "https://git.eleves.ens.fr/klub-dev-ens/authens.git"; + #rev = "master"; + #sha256 = "sha256-R0Nw212/BOPHfpspT5wzxtji1vxZ/JOuwr00naklWE8="; + }; + propagatedBuildInputs = [ django ldap pythoncas ]; +} diff --git a/hosts/org/orga/default.nix b/hosts/org/orga/default.nix new file mode 100644 index 0000000..32ee748 --- /dev/null +++ b/hosts/org/orga/default.nix @@ -0,0 +1,42 @@ +{ pkgs, lib, config, ... }: +let + assets = import ./mkAssets.nix { + inherit pkgs; + app = "hackens_orga"; + settings = config.services.django.hackens_orga.settings; + source = pkgs.fetchgit { + url = "https://git.rz.ens.wtf/HackENS/hackens-orga.git"; + rev = "1a7a2c00d7e2efd380cc63164e6b77542c465c2e"; + hash = "sha256-tpRCy7kDqd129j882e2FtCKS/JgcckmTFaTPElLbcjg="; #lib.fakeSha256; + }; + }; +in +{ + imports = [ + ./module.nix + ]; + services.nginx = { + enable = true; + virtualHosts."new.hackens.org" = { + locations = { + "/orga" = { + proxyPass = "http://localhost:51666/orga"; + extraConfig = '' + proxy_set_header SCRIPT_NAME /orga; + ''; + }; + "/static".root = assets.static-assets; + }; + }; + }; + services.django.hackens_orga = { + enable = true; + assets = assets; + settings = { + HACKENS_ORGA_DEBUG = "0"; + HACKENS_ORGA_ALLOWED_HOSTS = [ "new.hackens.org" ]; + HACKENS_ORGA_SECRET_KEY._file = config.age.secrets.django.path; + HACKENS_ORGA_DB_FILE = "/var/lib/hackens-orga/db.sqlite3"; + }; + }; +} diff --git a/hosts/org/orga/mkAssets.nix b/hosts/org/orga/mkAssets.nix new file mode 100644 index 0000000..61e744a --- /dev/null +++ b/hosts/org/orga/mkAssets.nix 
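Review bot: The `src` of authens calls `builtins.fetchGit` with only `url`, so each evaluation fetches whatever the default branch's HEAD is at that moment; the build is not reproducible and the deployed service silently follows any push to that repository. The commented-out `rev`/`sha256` lines show the intent, but `builtins.fetchGit` does not take a `sha256` attribute anyway, and this same patch already pins `hackens-orga` in `default.nix` with `pkgs.fetchgit { url = …; rev = …; hash = …; }`; the same form should be used here so the source is both pinned to a commit and content-hashed. `doCheck = false;` additionally means a broken pin would not be caught by the package's own tests.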
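Review bot: `proxyPass = "http://localhost:51666/orga";` hard-codes the port that `module.nix` in this patch exposes as `services.django.hackens_orga.port` (default 51666), so changing that option would break the proxy without any evaluation error. Derive it from the option, `proxyPass = "http://127.0.0.1:${toString config.services.django.hackens_orga.port}/orga";`, which also matches gunicorn's `-b 127.0.0.1:…` bind instead of relying on how `localhost` resolves.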
@@ -0,0 +1,27 @@ +{ pkgs, settings, source, app }: +let + manage-py-file = "${source}/${app}/manage.py"; + python = import ./python.nix { inherit pkgs; }; + static-assets = pkgs.callPackage ./static-assets.nix { inherit python source app; envPrefix = "HACKENS_ORGA_"; }; + mkEnv = settings: let # make env file to source before using manage.py and other commands + lib = pkgs.lib; + mkVarVal = v: let + isHasAttr = s: lib.isAttrs v && lib.hasAttr s v; + in + if builtins.isString v then v + else if builtins.isList v && lib.any lib.strings.isCoercibleToString v then (lib.concatMapStringsSep "," toString v) + else if builtins.isInt v then toString v + else if builtins.isBool v then toString (if v then 1 else 0) + else if isHasAttr "_file" then "$(cat ${v._file} | xargs)" + else if isHasAttr "_raw" then v._raw + else abort "The django conf value ${lib.generators.toPretty {} v} can not be encoded."; + in lib.concatStringsSep "\n" (lib.mapAttrsToList (k: v: "export ${k}=${mkVarVal v}") settings); + envFile = pkgs.writeScript "django-${app}-env.sh" (mkEnv settings); + managePy = pkgs.writeScript "manage-${app}" '' + source ${envFile} + ${python}/bin/python ${manage-py-file} $@ + ''; +in +{ + inherit managePy static-assets envFile source python; +} diff --git a/hosts/org/orga/module.nix b/hosts/org/orga/module.nix new file mode 100644 index 0000000..9f32a2e --- /dev/null +++ b/hosts/org/orga/module.nix 
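Review bot: In `mkVarVal`, the `_file` branch expands a secret with `$(cat ${v._file} | xargs)`; `xargs` parses quotes and backslashes in its input, so a secret value containing `'`, `"` or `\` is mangled or aborts with an unmatched-quote error, and stripping the trailing newline is all the pipe buys. Read the file directly and quote the substitution, `else if isHasAttr "_file" then "\"$(cat ${v._file})\""`, since command substitution already drops trailing newlines. Separately, `managePy` forwards its arguments as bare `$@`; `"$@"` keeps arguments containing spaces intact.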
@@ -0,0 +1,65 @@ +{ pkgs, lib, config, ... }: +let + app = "hackens_orga"; + cfg = config.services.django.${app}; + assets = cfg.assets; +in +{ + + options = { + services.django.${app} = { + enable = lib.mkEnableOption (lib.mdDoc "Enable django ${app}"); + settings = lib.mkOption { + type = lib.types.submodule { + freeformType = with lib.types; attrsOf anything; + options = { + HACKENS_ORGA_STATIC_ROOT = lib.mkOption { + type = lib.types.path; + default = builtins.toString assets.static-assets; + }; + }; + }; + }; + assets = lib.mkOption { + type = lib.types.attrsOf lib.types.anything; + description = lib.mdDoc "Assets for django"; + }; + port = lib.mkOption { + type = lib.types.port; + default = 51666; + }; + processes = lib.mkOption { + type = lib.types.int; + default = 2; + }; + threads = lib.mkOption { + type = lib.types.int; + default = 2; + }; + }; + }; + config = lib.mkIf cfg.enable { + systemd.services."django-${app}" = { + description = "${app} django service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + User = "django-${app}"; + }; + script = '' + source ${assets.envFile} + ${assets.managePy} migrate + ${assets.python}/bin/gunicorn ${app}.wsgi \ + --pythonpath ${assets.source}/${app} \ + -b 127.0.0.1:${toString cfg.port} \ + --workers=${toString cfg.processes} \ + --threads=${toString cfg.threads} + ''; + }; + users.users."django-${app}" = { + isSystemUser = true; + group = "django-${app}"; + }; + users.groups."django-${app}" = {}; + }; +} diff --git a/hosts/org/orga/python-cas.nix b/hosts/org/orga/python-cas.nix new file mode 100644 index 0000000..e0bba1c --- /dev/null +++ b/hosts/org/orga/python-cas.nix 
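Review bot: The `django-${app}` unit runs `${assets.managePy} migrate` as `User = "django-${app}"`, but `serviceConfig` creates no writable data directory for that user, and `default.nix` in this patch points `HACKENS_ORGA_DB_FILE` at `/var/lib/hackens-orga/db.sqlite3`, so the first `migrate` will fail unless that directory was created by hand. Add `StateDirectory = "hackens-orga";` beside `User` so systemd creates `/var/lib/hackens-orga` owned by the service user on start. `processes` and `threads` are declared as `lib.types.int`; `lib.types.ints.positive` would reject 0 or negative worker counts at evaluation time instead of at gunicorn startup.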
@@ -0,0 +1,13 @@ +{ lib, requests, lxml, six, buildPythonPackage, fetchFromGitHub }: +buildPythonPackage rec { + pname = "python-cas"; + version = "1.6.0"; + doCheck = false; + src = fetchFromGitHub { + owner = "python-cas"; + repo = "python-cas"; + rev = "v1.6.0"; + sha512 = "sha512-qnYzgwELUij2EdqA6H17q8vnNUsfI7DkbZSI8CCIGfXOM+cZ7vsWe7CJxzsDUw73sBPB4+zzpLxvb7tpm/IDeg=="; + }; + propagatedBuildInputs = [ requests lxml six ]; +} diff --git a/hosts/org/orga/python.nix b/hosts/org/orga/python.nix new file mode 100644 index 0000000..dc77ffc --- /dev/null +++ b/hosts/org/orga/python.nix @@ -0,0 +1,20 @@ +{ pkgs ? import ../nix { }, debug ? false }: +let + python = pkgs.python310.override { + packageOverrides = self: super: { + django = super.django_4; + authens = self.callPackage ./authens.nix { }; + pythoncas = self.callPackage ./python-cas.nix { }; + }; + }; +in +python.withPackages (ps: [ + ps.django + ps.djangorestframework + ps.authens + ps.gunicorn +] ++ pkgs.lib.optionals debug [ + ps.django-debug-toolbar + ps.black + ps.isort +]) diff --git a/hosts/org/orga/shell.nix b/hosts/org/orga/shell.nix new file mode 100644 index 0000000..69ca0e9 --- /dev/null +++ b/hosts/org/orga/shell.nix @@ -0,0 +1,6 @@ +{ pkgs ? import ../nix { } }: +pkgs.mkShell { + buildInputs = [ + (import ./python.nix { inherit pkgs; debug = true; }) + ]; +} diff --git a/hosts/org/orga/static-assets.nix b/hosts/org/orga/static-assets.nix new file mode 100644 index 0000000..4c4e128 --- /dev/null +++ b/hosts/org/orga/static-assets.nix @@ -0,0 +1,10 @@ +{ pkgs, python, source, app, envPrefix ? ""}: +pkgs.runCommand "django-static" { } '' + mkdir -p $out/static + export ${envPrefix}SECRET_KEY="collectstatic" + export ${envPrefix}STATIC_ROOT=$out/static + export ${envPrefix}DEBUG=0 + export ${envPrefix}ALLOWED_HOSTS= + export ${envPrefix}DB_FILE= + ${python}/bin/python ${source}/${app}/manage.py collectstatic +'' diff --git a/secrets/default.nix b/secrets/default.nix index 9853933..5fac86f 100644 
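Review bot: `rev = "v1.6.0";` repeats the `version` literal two lines above, so the two can drift on the next bump; `rev = "v${version}";` keeps a single source of truth, as the `rec` on the derivation already allows. The same applies to `authens.nix`, where `version = "v0.1b5"` carries the `v` prefix in the version itself.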
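Review bot: `python.nix` and `shell.nix` default `pkgs` to `import ../nix { }`, which relative to `hosts/org/orga/` is `hosts/org/nix`; that path is not among the files this patch creates, so unless it already exists the fallback (used by `nix-shell` in this directory) fails with a missing-path error. `default.nix` always passes `inherit pkgs;`, so only the development shell is affected; either add a comment naming where `../nix` is expected to come from or drop the default and require `pkgs` explicitly.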
--- a/secrets/default.nix +++ b/secrets/default.nix @@ -4,6 +4,10 @@ file = ./wiki-openID.age; owner = "dokuwiki"; }; + age.secrets."django" = { + file = ./django.age; + owner = "django-hackens_orga"; + }; age.secrets."matterbridge-env" = { file = ./matterbridge-env.age; owner = "matterbridge"; 
diff --git a/secrets/django.age b/secrets/django.age new file mode 100644 index 0000000000000000000000000000000000000000..a5b4e5daa2d7ad4bf63fa33a45fee480621a8b93 GIT binary patch literal 1654 zcmZXTJL~Lv8HEMAoW@2Dg5oG>6aMD*{NDmm(7ey}a7> zefAPZH~<*4llXuuB=D0SlWy|*j3Xd!T#!WE{Nxg;H#*CqJnPuDYl1}OeMj3v*paQd^bNtd*X^Cb1?{ zNgPKRmnr?(ATt5Umkqn1Jyg1_AZ6rYSOr-g6oQ_rw!>>B68a(^B7j^@W*ze@L%DCK z(V6!^(;XwZnKRSR(;cjQH;Ey9p9;}>UM&S~^jbj7BONqoS(hXfO!y=`4}%ogu#X0j z7GAo%>s_E@IqSv-rgmrZc^@BD{U)vJ{oSLpkBR|37A$^}Z7RR!xPnT(0h_-1RIxFti97>7zJpu0C1Qpu0R?huU_9Qo#x56%$m<40XwOzcK zRx*jygSvDhrNR@LP*FAfQqk{ zi>A`CtRpkgpL>RE;xZYtLQGkPsW3<>=Zf>a6qE7zNFdP$`@IZ^?jFM|oVlSu#avsR z3!RDaBK4$WI9#+tcQzs=ibF|&x^uvUWDW;sM=p@kI**8bddDPWnvKxdQR8r-#6ga5 zrK8D5(yr5qzA6;8&qI%A$oY7bf~FA4=K<39y{Y640h{^tuxCxs^h|l)hb6KM#Phbz zk=3*t66DtWX4^Mkf?gT=a@Yl%dfU=RW^~7S-EstJ$<>cUlT;IVu^WzV_*7g?*XC5n zHAOLO&ofVnNqOOX^rE$taFS^6&IwFkk3>cz8tcpYJKl!VjRonhLIY*>RDf{Ijh46? zmtmh$_S{6o#E9uuQ73Z87sSQ1AlJ3qZlzMYm=r!=c!9YqNlqNF={3n^Kg_BrHWTa7T8QqSW2DT38-PGg zXu8Fl)!L{H(@uMcuajXZ^A+om5IEFk+QMNS)hT;)CC-<2DHO#cvcdLv#}Wr%^OEiq zR=Hlr>Du8ai}(}gIe3Zr*WlQ@VPG+nq+RoiYNh^WK{$IcU?;(f?RHe2jKaHjaUj?N zsAzc&hdaouT4b?ft^R+v=q2r9zmIqKwsUt?x5K{tP4gSy`H}%inm9_9<8ekk^A7Gy zjYLw`bOf=I;ymoNx6sGI>zmue5*f}Zt48af9_zxPs@7>+$mu>iH0 zC#CsgLs8S5O~9kNK<6rlV-8Jj@at$oFE1~W`p&wGe{?})|{o4<|`mHa#`up#``$g@SpAG+Mf922L4?p_v&p!UihhP82 zAEyWZt3Q4G;om;_-t;N_FT~H8_ul{9k2LW9UqAW7kALv$Hy{1`ANmKsfA7=!e?I?H H* Date: Wed, 5 Apr 2023 09:36:42 +0200 Subject: [PATCH 32/34] update orga; add bk spi --- hosts/org/core-hackens/personal-users.nix | 2 +- hosts/org/orga/default.nix | 4 ++-- pubkeys/backup.keys | 2 ++ 3 files changed, 5 insertions(+), 3 deletions(-) create mode 100644 pubkeys/backup.keys diff --git a/hosts/org/core-hackens/personal-users.nix b/hosts/org/core-hackens/personal-users.nix index 3be399b..8981db1 100644 --- a/hosts/org/core-hackens/personal-users.nix +++ b/hosts/org/core-hackens/personal-users.nix 
@@ -27,7 +27,7 @@ openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/backslash.keys ]; }; root.openssh.authorizedKeys.keyFiles = - [ ../../../pubkeys/beigbeder.keys ]; # Jacques Beigbeder est tjrs root. + [ ../../../pubkeys/beigbeder.keys ../../../pubkeys/backup.keys ]; # Jacques Beigbeder est tjrs root. }; }; } diff --git a/hosts/org/orga/default.nix b/hosts/org/orga/default.nix index 32ee748..815f995 100644 --- a/hosts/org/orga/default.nix +++ b/hosts/org/orga/default.nix @@ -6,8 +6,8 @@ let settings = config.services.django.hackens_orga.settings; source = pkgs.fetchgit { url = "https://git.rz.ens.wtf/HackENS/hackens-orga.git"; - rev = "1a7a2c00d7e2efd380cc63164e6b77542c465c2e"; - hash = "sha256-tpRCy7kDqd129j882e2FtCKS/JgcckmTFaTPElLbcjg="; #lib.fakeSha256; + rev = "3c22af193327cd13e9cdfa0463e2b34bda840756"; + hash = "sha256-8+jA/vn1SUpceQTshgsi7Ea97HAmSeCGZdFbopGECck="; }; }; in diff --git a/pubkeys/backup.keys b/pubkeys/backup.keys new file mode 100644 index 0000000..6042a90 --- /dev/null +++ b/pubkeys/backup.keys @@ -0,0 +1,2 @@ +ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFOudRjw38khtJF9MM8lfGXLJlK06E26+njysWgw1wXB3t06I5BGyLKXI9STpitU7y1dN5xirMxxiI1BhP4TodM= beig@yole +ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOfTmWRWNED9gIz2lHny2X7+vLSY9H8f0kV6aFg/ASthH1pE2C8Kh14CqFyVZn0hAHtv0GnTooDxCsK0K+d0OEc= root@muguet -- 2.47.0 From ae0ab8a439206f864ccce6361c910f13d90bfa74 Mon Sep 17 00:00:00 2001 From: hackens server Date: Tue, 25 Jul 2023 18:59:13 +0200 Subject: [PATCH 33/34] Add static sites --- hosts/org/configuration.nix | 1 + hosts/org/dokuwiki.nix | 2 -- hosts/org/static-sites.nix | 23 +++++++++++++++++++++++ hosts/org/webpass.nix | 2 +- 4 files changed, 25 insertions(+), 3 deletions(-) create mode 100644 hosts/org/static-sites.nix diff --git a/hosts/org/configuration.nix b/hosts/org/configuration.nix index 86eb3a2..3f4310f 100644 --- a/hosts/org/configuration.nix +++ b/hosts/org/configuration.nix 
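Review bot: The new `../../../pubkeys/backup.keys` entry adds two more keys to root's `authorizedKeys.keyFiles` with no restrictions, one of them `root@muguet`, so a key meant for backups is a full interactive root login and a compromise of that host becomes root here. If the key only needs to run a backup command, prefix its line in `pubkeys/backup.keys` with authorized_keys options such as `restrict,command="<backup command>",from="<backup host>" ecdsa-sha2-nistp256 …`; sshd honours these options in files passed through `keyFiles`. Where the backup tooling allows it, a dedicated backup user with those restrictions is preferable to root.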
@@ -16,6 +16,7 @@ ./dokuwiki.nix ./matterbridge.nix ./orga + ./static-sites ]; networking.hostName = "hackens-org"; # Define your hostname. diff --git a/hosts/org/dokuwiki.nix b/hosts/org/dokuwiki.nix index 75ac971..c369ae0 100644 --- a/hosts/org/dokuwiki.nix +++ b/hosts/org/dokuwiki.nix @@ -1,7 +1,5 @@ { config, pkgs, lib, ... }: { - imports = [ ../../shared/dokuwiki_module.nix ]; - disabledModules = [ ]; services.nginx.virtualHosts."new.hackens.org" = { enableACME = true; forceSSL = true; diff --git a/hosts/org/static-sites.nix b/hosts/org/static-sites.nix new file mode 100644 index 0000000..035c5b0 --- /dev/null +++ b/hosts/org/static-sites.nix @@ -0,0 +1,23 @@ +{ pkgs, lib, ... }: +let + sites = [ + "/NdS" + "/2048" + "/prez" + "/known" + "/pub" + ]; +in +{ + + services.nginx.enable = true; + services.nginx.virtualHosts."new.hackens.org" = { + forceSSL = true; + enableACME = true; + locations = lib.genAttrs sites (name: { + root = "/var/www"; + extraConfig = "autoindex on;"; + }); + }; + networking.firewall.allowedTCPPorts = [ 80 443 ]; +} diff --git a/hosts/org/webpass.nix b/hosts/org/webpass.nix index 15f8628..85d5a94 100644 --- a/hosts/org/webpass.nix +++ b/hosts/org/webpass.nix @@ -14,7 +14,7 @@ SIGNUPS_DOMAINS_WHITELIST = "ens.fr,ens.psl.eu"; ROCKET_PORT = 10501; ROCKET_ADDRESS = "127.0.0.1"; - LOG_FILE = "/var/log/vaultwarden"; + LOG_FILE = "/var/lib/bitwarden_rs/logfile"; SIGNUPS_VERIFY = true; }; environmentFile = "/etc/secrets/vaultwarden.env"; -- 2.47.0 From 4d681f5f93e965c871d3e23509bdd74638e3c5e3 Mon Sep 17 00:00:00 2001 From: hackens server Date: Wed, 27 Sep 2023 14:33:26 +0200 Subject: [PATCH 34/34] Update hackens-orga --- hosts/org/orga/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/org/orga/default.nix b/hosts/org/orga/default.nix index 815f995..345b86f 100644 --- a/hosts/org/orga/default.nix +++ b/hosts/org/orga/default.nix 
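Review bot: `./static-sites` in the imports list does not match the file this patch creates, `hosts/org/static-sites.nix`: a path without the `.nix` suffix resolves to a directory and its `default.nix`, so evaluation fails with a missing-path error unless a `static-sites/` directory also exists outside this patch. The import should read `./static-sites.nix`. In `static-sites.nix` itself every listed location under `/var/www` is served with `autoindex on;`, which publishes full directory listings; that is presumably intended for these public directories, but a one-line comment stating so would keep the exposure from being overlooked later.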
@@ -6,8 +6,8 @@ let settings = config.services.django.hackens_orga.settings; source = pkgs.fetchgit { url = "https://git.rz.ens.wtf/HackENS/hackens-orga.git"; - rev = "3c22af193327cd13e9cdfa0463e2b34bda840756"; - hash = "sha256-8+jA/vn1SUpceQTshgsi7Ea97HAmSeCGZdFbopGECck="; + rev = "75fe83a41f"; + hash = "sha256-cfUjSfZrsMpGRO3HOWOk6zdc9+e+ZaJLiJQ5OpIKxos="; }; }; in -- 2.47.0