diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 40c7108..0000000 --- a/.gitignore +++ /dev/null @@ -1 +0,0 @@ -configuration.nix diff --git a/hosts/milieu/configuration.nix b/hosts/hackens-milieu/configuration.nix similarity index 89% rename from hosts/milieu/configuration.nix rename to hosts/hackens-milieu/configuration.nix index b0904f4..7dbcd7b 100644 --- a/hosts/milieu/configuration.nix +++ b/hosts/hackens-milieu/configuration.nix @@ -6,10 +6,9 @@ { imports = - [ - # Include the results of the hardware scan. + [ # Include the results of the hardware scan. ./hardware-configuration.nix - ../../profiles/shared-hackens + ../../profiles/hackens ]; # Use the GRUB 2 boot loader. @@ -23,9 +22,6 @@ networking.hostName = "hackens-milieu"; # Define your hostname. - boot.kernelPackages = pkgs.linuxPackages_latest; - boot.kernelParams = [ - ]; # The global useDHCP flag is deprecated, therefore explicitly set to false here. # Per-interface useDHCP will be mandatory in the future, so this generated config diff --git a/hosts/milieu/hardware-configuration.nix b/hosts/hackens-milieu/hardware-configuration.nix similarity index 73% rename from hosts/milieu/hardware-configuration.nix rename to hosts/hackens-milieu/hardware-configuration.nix index 3c60783..0891328 100644 --- a/hosts/milieu/hardware-configuration.nix +++ b/hosts/hackens-milieu/hardware-configuration.nix @@ -5,8 +5,7 @@ { imports = - [ - + [ ]; boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "sd_mod" "sr_mod" ]; @@ -14,23 +13,20 @@ boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - # boot.kernelParams = [ "nomodeset" ]; - fileSystems."/" = - { - device = "/dev/disk/by-label/nixos-root"; + { device = "/dev/disk/by-label/nixos-root"; fsType = "btrfs"; options = [ "ssd" "noatime" "ssd_spread" "discard" "space_cache" ]; }; fileSystems."/boot" = - { - device = "/dev/disk/by-label/BOOT"; + { device = "/dev/disk/by-label/BOOT"; fsType = "vfat"; }; swapDevices = - [{ device = "/dev/disk/by-label/SWAP"; }]; + [ { device = "/dev/disk/by-label/SWAP"; } + ]; nix.maxJobs = lib.mkDefault 4; powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; diff --git a/hosts/org/configuration.nix b/hosts/hackens-org/configuration.nix similarity index 69% rename from hosts/org/configuration.nix rename to hosts/hackens-org/configuration.nix index 3f4310f..2b0e90c 100644 --- a/hosts/org/configuration.nix +++ b/hosts/hackens-org/configuration.nix @@ -9,32 +9,24 @@ [ ./hardware-configuration.nix ./physical.nix - ./core-hackens - ../../secrets - ./webpass.nix - ./nginx.nix - ./dokuwiki.nix - ./matterbridge.nix - ./orga - ./static-sites + ../../profiles/core-hackens + ./wiki.nix + # ./bridge.nix + # ./webpass.nix + # ./gha.nix + # ./sync.nix + ./misc ]; networking.hostName = "hackens-org"; # Define your hostname. - # dokuwiki overlay - nixpkgs.overlays = [ - (self: super: { - dokuwiki = self.pkgs.callPackage ../../shared/dokuwiki.nix { }; - }) - ]; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.11"; # Did you read the comment? + system.stateVersion = "21.11"; # Did you read the comment? } diff --git a/hosts/org/hardware-configuration.nix b/hosts/hackens-org/hardware-configuration.nix similarity index 69% rename from hosts/org/hardware-configuration.nix rename to hosts/hackens-org/hardware-configuration.nix index 6db90a9..20d2692 100644 --- a/hosts/org/hardware-configuration.nix +++ b/hosts/hackens-org/hardware-configuration.nix @@ -5,8 +5,7 @@ { imports = - [ - (modulesPath + "/profiles/qemu-guest.nix") + [ (modulesPath + "/profiles/qemu-guest.nix") ]; boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "virtio_pci" "virtio_blk" ]; @@ -15,18 +14,16 @@ boot.extraModulePackages = [ ]; fileSystems."/" = - { - device = "/dev/disk/by-uuid/8deb32c9-ee6a-4de8-94da-239c8ec509a2"; + { device = "/dev/disk/by-uuid/8deb32c9-ee6a-4de8-94da-239c8ec509a2"; fsType = "btrfs"; }; fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/0795-75ED"; + { device = "/dev/disk/by-uuid/0795-75ED"; fsType = "vfat"; }; swapDevices = - [{ device = "/dev/disk/by-uuid/bd7c1c01-ce31-4db3-9c06-70716020e24a"; }]; + [ { device = "/dev/disk/by-uuid/bd7c1c01-ce31-4db3-9c06-70716020e24a"; } ]; } diff --git a/hosts/hackens-org/misc/default.nix b/hosts/hackens-org/misc/default.nix new file mode 100644 index 0000000..32b76ac --- /dev/null +++ b/hosts/hackens-org/misc/default.nix @@ -0,0 +1,12 @@ +{ pkgs, ... }: +{ + imports = [ + # ./static-website.nix + # ./game2048.nix + # ./casauth.nix + # ./nds.nix + # ./prez.nix + # ./public.nix + # ./jarvis.nix + ]; +} diff --git a/hosts/org/nginx.nix b/hosts/hackens-org/modules/nginx.nix similarity index 100% rename from hosts/org/nginx.nix rename to hosts/hackens-org/modules/nginx.nix diff --git a/hosts/hackens-org/modules/static-website.nix b/hosts/hackens-org/modules/static-website.nix new file mode 100644 index 0000000..7a4a641 --- /dev/null +++ b/hosts/hackens-org/modules/static-website.nix @@ -0,0 +1,26 @@ +{ lib, config }: + +with lib; +let + cfg = config.services.static-website.config; + l = builtins.split cfg.name "/"; + name = lists.last l; +in +{ + services.static-website.config = lib.mkOption { + type = with types; attrsOf (submodule { + options.name = mkOption path; + }); + }; + + config = { + services.nginx.enable = cfg.enable; + virtualHosts."${cfg.name}" = { + root = "/var/lib/nginx/static/${name}"; + } + }; +} + +/* TODO +ACME +*/ diff --git a/hosts/org/physical.nix b/hosts/hackens-org/physical.nix similarity index 82% rename from hosts/org/physical.nix rename to hosts/hackens-org/physical.nix index dcb3f43..f1174aa 100644 --- a/hosts/org/physical.nix +++ b/hosts/hackens-org/physical.nix @@ -9,7 +9,7 @@ networking.useDHCP = false; networking.interfaces.eth0 = { - ipv4.addresses = [{ address = "129.199.129.76"; prefixLength = 24; }]; + ipv4.addresses = [ { address = "129.199.129.76"; prefixLength = 24; } ]; }; networking.defaultGateway = { address = "129.199.129.1"; interface = "eth0"; }; } diff --git a/hosts/hackens-org/wiki.nix b/hosts/hackens-org/wiki.nix new file mode 100644 index 0000000..d2c3051 --- /dev/null +++ b/hosts/hackens-org/wiki.nix @@ -0,0 +1,63 @@ +{ pkgs, ... }: +{ + networking.firewall.allowedTCPPorts = [ 80 443 ]; + # TODO: move to hackens.org + services.dokuwiki.sites."hackens.ens.fr" = { + enable = true; + + extraConfig = '' + $conf['title'] = 'hackEns'; + $conf['start'] = 'accueil'; + $conf['lang'] = 'fr'; + $conf['template'] = 'bootstrap3'; + $conf['license'] = 'cc-by-sa'; + $conf['breadcrumbs'] = 0; # On s'en fiche de l'historique des pages visitées + $conf['youarehere'] = true; # Par contre on veut notre position dans la hiérarchie du site + # On veut que les liens externes s'ouvrent dans de nouveaux onglets + $conf['target'] = array( + 'extern' => '_tab' + ); + $conf['htmlok'] = 1; # On peut mettre du html dans les pages + $conf['sitemap'] = 7; + $conf['rss_type'] = 'rss2'; + $conf['userewrite'] = 1; # Important, sinon on casse tout avec les règles nginx définies par le module nixos + $conf['useslash'] = 1; + $conf['plugin']['tokenbucketauth']['tba_send_mail'] = 'hackens@clipper.ens.fr'; # Ban auto des IPs qui brute-forcent + $conf['htmlmail'] = 0; # On envoie les mails en plain text + $conf['useacl'] = 1; # On ne veut pas que n'importe qui écrive + ''; + + pluginsConfig = '' + $plugins['authmysql'] = 0; + $plugins['popularity'] = 0; + $plugins['authpgsql'] = 0; + $plugins['authpdo'] = 0; + $plugins['authldap'] = 0; + ''; + + disableActions = "register"; + superUser = "@admin"; + + acl = '' + * @ALL 1 + * @users 8 + ''; + + # Il faut packager les templates + templates = let + template-bootstrap3 = pkgs.stdenv.mkDerivation { + name = "bootstrap3"; + # Download the theme from the dokuwiki site + src = pkgs.fetchurl { + url = "https://github.com/giterlizzi/dokuwiki-template-bootstrap3/archive/v2019-05-22.zip"; + sha256 = "4de5ff31d54dd61bbccaf092c9e74c1af3a4c53e07aa59f60457a8f00cfb23a6"; + }; + # We need unzip to build this package + buildInputs = [ pkgs.unzip ]; + # Installing simply means copying all files to the output directory + installPhase = "mkdir -p $out; cp -R * $out/"; + }; + # And then pass this theme to the template list like this: + in [ template-bootstrap3 ]; + }; +} diff --git a/hosts/org/core-hackens/default.nix b/hosts/org/core-hackens/default.nix deleted file mode 100644 index afcc8a9..0000000 --- a/hosts/org/core-hackens/default.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ - imports = - [ ./personal-users.nix ./ssh-server.nix ./static-dns.nix ./programs.nix ]; -} diff --git a/hosts/org/core-hackens/personal-users.nix b/hosts/org/core-hackens/personal-users.nix deleted file mode 100644 index 8981db1..0000000 --- a/hosts/org/core-hackens/personal-users.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ ... }: { - users = { - mutableUsers = false; - users = { - rlahfa = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - hashedPassword = - "$6$y/I6nKCMYUku7$91vTR5kYz4nHyhbuA/j6kPsD8Vfo/Rg7ri6Ympftra9V6emOt/mPg0AScECtYjSIxretvfQ3sPUF1Ho0IWx381"; - openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/raito.keys ]; - }; - gdoriathdohler = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/gdd.keys ]; - }; - mdebray = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - hashedPassword = - "$6$ujz06kXa4TgvPAbF$NaXkDuOUpf3.fBRh7JuygtS0V2U/Bz4N3DpbOznO.md44xEdlKwPH/pSbL9CQJBhI5kodaKZeSaoCyhzybBPA/"; - openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/sinavir.keys ]; - }; - hbarral = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keyFiles = [ ../../../pubkeys/backslash.keys ]; - }; - root.openssh.authorizedKeys.keyFiles = - [ ../../../pubkeys/beigbeder.keys ../../../pubkeys/backup.keys ]; # Jacques Beigbeder est tjrs root. - }; - }; -} diff --git a/hosts/org/core-hackens/programs.nix b/hosts/org/core-hackens/programs.nix deleted file mode 100644 index 47f1724..0000000 --- a/hosts/org/core-hackens/programs.nix +++ /dev/null @@ -1 +0,0 @@ -{ pkgs, ... }: { environment.systemPackages = with pkgs; [ vim git ]; } diff --git a/hosts/org/core-hackens/static-dns.nix b/hosts/org/core-hackens/static-dns.nix deleted file mode 100644 index a804274..0000000 --- a/hosts/org/core-hackens/static-dns.nix +++ /dev/null @@ -1 +0,0 @@ -{ ... }: { networking.nameservers = [ "1.1.1.1" "8.8.8.8" ]; } diff --git a/hosts/org/dokuwiki.nix b/hosts/org/dokuwiki.nix deleted file mode 100644 index c369ae0..0000000 --- a/hosts/org/dokuwiki.nix +++ /dev/null @@ -1,128 +0,0 @@ -{ config, pkgs, lib, ... }: { - - services.nginx.virtualHosts."new.hackens.org" = { - enableACME = true; - forceSSL = true; - }; - - services.dokuwiki.sites."new.hackens.org" = { - enable = false; # true; - settings = { - template = "bootstrap3"; - license = "cc-by-sa"; - title = "hackENS"; - lang = "fr"; - breadcrumbs = 0; - yourarehere = true; - userewrite = 1; - useacl = true; - htmlok = 1; - target._raw = '' - array( - 'extern' => '_tab' - ); - ''; - sitemap = 7; - disableactions = "register"; - superuser = "@admin"; - start = "accueil"; - htmlmail = 0; - authtype = "oauth"; - tpl.bootstrap3 = { - showAddNewPage = "logged"; - fluidContainer = 0; - }; - plugin = { - tokenbucketauth.tba_send_mail = "hackens@clipper.ens.fr"; - oauth.register-on-auth = true; - oauthkeycloak = { - key = "wiki"; - secret._file = config.age.secrets.wikiOpenID.path; - openidurl = - "https://auth.rz.ens.wtf/auth/realms/hackENS/.well-known/openid-configuration/"; - }; - }; - - }; - pluginsConfig = { - - authad = false; - authldap = false; - authpdo = false; - authmysql = false; - authpgsql = false; - oauthkeycloak = true; - popularity = false; - }; - - plugins = [ - - (pkgs.stdenv.mkDerivation { - name = "catlist"; - src = pkgs.fetchFromGitHub { - owner = "xif-fr"; - repo = "dokuwiki-plugin-catlist"; - rev = "89e024cbf3c0e30def6db6651c72eb76de396785"; - hash = "sha256-2GAUHxK3dnDhXIftd2luxmn1b84ABZvfjHBMQWeDiTs="; - }; - installPhase = '' - mkdir -p $out - cp -R * $out/ - ''; - }) - (pkgs.stdenv.mkDerivation { - name = "commonmark"; - src = pkgs.fetchzip { - url = - "https://github.com/clockoon/dokuwiki-plugin-commonmark/releases/download/v1.2.1/release.tar.gz"; - sha256 = "sha256-3fpN7SSDDQ3QAmzRuG5UMYrtGeL3ogiooPKc6g1gxRg="; - }; - installPhase = '' - mkdir -p $out - cp -R * $out/ - ''; - }) - (pkgs.stdenv.mkDerivation { - name = "oauth"; - src = pkgs.fetchFromGitHub { - owner = "cosmocode"; - repo = "dokuwiki-plugin-oauth"; - rev = "da4733221ed7b4fb3ac0e2429499b14ece3d5f2d"; - hash = "sha256-CNRlaieYm/KCjZ9+OP9pMo5SGjJ4CUrNNdL4iVktCcU="; - }; - installPhase = '' - mkdir -p $out - cp -R * $out/ - ''; - }) - (pkgs.stdenv.mkDerivation { - name = "oauthkeycloak"; - src = pkgs.fetchFromGitHub { - owner = "YoitoFes"; - repo = "dokuwiki-plugin-oauthkeycloak"; - rev = "28892edb0207d128ddb94fa8a0bd216861a5626b"; - hash = "sha256-nZo61nW9QjJiEo3FpYt1Zt7locuIDQ88AOn/ZnjjYUc="; - }; - installPhase = '' - mkdir -p $out - cp -R * $out/ - ''; - }) - - ]; - templates = [ - (pkgs.stdenv.mkDerivation rec { - name = "bootstrap3"; - version = "2022-07-27"; - src = pkgs.fetchFromGitHub { - owner = "giterlizzi"; - repo = "dokuwiki-template-bootstrap3"; - rev = "v${version}"; - hash = "sha256-B3Yd4lxdwqfCnfmZdp+i/Mzwn/aEuZ0ovagDxuR6lxo="; - }; - installPhase = "mkdir -p $out; cp -R * $out/"; - }) - ]; - }; - -} diff --git a/hosts/org/matterbridge.nix b/hosts/org/matterbridge.nix deleted file mode 100644 index b4e9237..0000000 --- a/hosts/org/matterbridge.nix +++ /dev/null @@ -1,56 +0,0 @@ -{ pkgs, lib, config, ... }: -let - port = 52187; - configFile = pkgs.writeText "metterbridge.toml" '' - [irc] - [irc.ulminfo] - Server="ulminfo.fr:6697" # Ou ens.wtf tu choisis. - Nick="roBOT" - UseTLS=true - Charset="utf8" - PrefixMessagesWithNick=true - RemoteNickFormat="<{NICK}> " - - [mattermost] - [mattermost.merle] - WebhookBindAddress="0.0.0.0:${builtins.toString port}" - PrefixMessagesWithNick=false - RemoteNickFormat="{NICK}" - - [[gateway]] - name="hackens" - enable=true - [[gateway.inout]] - account="irc.ulminfo" - channel="#hackens" - [[gateway.inout]] - account="mattermost.merle" - channel="town-square" - ''; -in -{ - systemd.services.matterbridge = { - description = "Matterbridge chat platform bridge"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - script = '' - ${pkgs.matterbridge}/bin/matterbridge -conf ${configFile} - ''; - - - serviceConfig = { - User = "matterbridge"; - Group = "matterbridge"; - Restart = "always"; - RestartSec = "10"; - EnvironmentFile = config.age.secrets."matterbridge-env".path; - }; - }; - users.users.matterbridge = { - isSystemUser = true; - group = "matterbridge"; - - }; - users.groups.matterbridge = { }; - networking.firewall.allowedTCPPorts = [ port ]; -} diff --git a/hosts/org/orga/authens.nix b/hosts/org/orga/authens.nix deleted file mode 100644 index d7b5f82..0000000 --- a/hosts/org/orga/authens.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ lib, pythoncas, django, ldap, buildPythonPackage }: -buildPythonPackage rec { - pname = "authens"; - version = "v0.1b5"; - doCheck = false; - src = builtins.fetchGit { - url = "https://git.eleves.ens.fr/klub-dev-ens/authens.git"; - #rev = "master"; - #sha256 = "sha256-R0Nw212/BOPHfpspT5wzxtji1vxZ/JOuwr00naklWE8="; - }; - propagatedBuildInputs = [ django ldap pythoncas ]; -} diff --git a/hosts/org/orga/default.nix b/hosts/org/orga/default.nix deleted file mode 100644 index 345b86f..0000000 --- a/hosts/org/orga/default.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ pkgs, lib, config, ... }: -let - assets = import ./mkAssets.nix { - inherit pkgs; - app = "hackens_orga"; - settings = config.services.django.hackens_orga.settings; - source = pkgs.fetchgit { - url = "https://git.rz.ens.wtf/HackENS/hackens-orga.git"; - rev = "75fe83a41f"; - hash = "sha256-cfUjSfZrsMpGRO3HOWOk6zdc9+e+ZaJLiJQ5OpIKxos="; - }; - }; -in -{ - imports = [ - ./module.nix - ]; - services.nginx = { - enable = true; - virtualHosts."new.hackens.org" = { - locations = { - "/orga" = { - proxyPass = "http://localhost:51666/orga"; - extraConfig = '' - proxy_set_header SCRIPT_NAME /orga; - ''; - }; - "/static".root = assets.static-assets; - }; - }; - }; - services.django.hackens_orga = { - enable = true; - assets = assets; - settings = { - HACKENS_ORGA_DEBUG = "0"; - HACKENS_ORGA_ALLOWED_HOSTS = [ "new.hackens.org" ]; - HACKENS_ORGA_SECRET_KEY._file = config.age.secrets.django.path; - HACKENS_ORGA_DB_FILE = "/var/lib/hackens-orga/db.sqlite3"; - }; - }; -} diff --git a/hosts/org/orga/mkAssets.nix b/hosts/org/orga/mkAssets.nix deleted file mode 100644 index 61e744a..0000000 --- a/hosts/org/orga/mkAssets.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ pkgs, settings, source, app }: -let - manage-py-file = "${source}/${app}/manage.py"; - python = import ./python.nix { inherit pkgs; }; - static-assets = pkgs.callPackage ./static-assets.nix { inherit python source app; envPrefix = "HACKENS_ORGA_"; }; - mkEnv = settings: let # make env file to source before using manage.py and other commands - lib = pkgs.lib; - mkVarVal = v: let - isHasAttr = s: lib.isAttrs v && lib.hasAttr s v; - in - if builtins.isString v then v - else if builtins.isList v && lib.any lib.strings.isCoercibleToString v then (lib.concatMapStringsSep "," toString v) - else if builtins.isInt v then toString v - else if builtins.isBool v then toString (if v then 1 else 0) - else if isHasAttr "_file" then "$(cat ${v._file} | xargs)" - else if isHasAttr "_raw" then v._raw - else abort "The django conf value ${lib.generators.toPretty {} v} can not be encoded."; - in lib.concatStringsSep "\n" (lib.mapAttrsToList (k: v: "export ${k}=${mkVarVal v}") settings); - envFile = pkgs.writeScript "django-${app}-env.sh" (mkEnv settings); - managePy = pkgs.writeScript "manage-${app}" '' - source ${envFile} - ${python}/bin/python ${manage-py-file} $@ - ''; -in -{ - inherit managePy static-assets envFile source python; -} diff --git a/hosts/org/orga/module.nix b/hosts/org/orga/module.nix deleted file mode 100644 index 9f32a2e..0000000 --- a/hosts/org/orga/module.nix +++ /dev/null @@ -1,65 +0,0 @@ -{ pkgs, lib, config, ... }: -let - app = "hackens_orga"; - cfg = config.services.django.${app}; - assets = cfg.assets; -in -{ - - options = { - services.django.${app} = { - enable = lib.mkEnableOption (lib.mdDoc "Enable django ${app}"); - settings = lib.mkOption { - type = lib.types.submodule { - freeformType = with lib.types; attrsOf anything; - options = { - HACKENS_ORGA_STATIC_ROOT = lib.mkOption { - type = lib.types.path; - default = builtins.toString assets.static-assets; - }; - }; - }; - }; - assets = lib.mkOption { - type = lib.types.attrsOf lib.types.anything; - description = lib.mdDoc "Assets for django"; - }; - port = lib.mkOption { - type = lib.types.port; - default = 51666; - }; - processes = lib.mkOption { - type = lib.types.int; - default = 2; - }; - threads = lib.mkOption { - type = lib.types.int; - default = 2; - }; - }; - }; - config = lib.mkIf cfg.enable { - systemd.services."django-${app}" = { - description = "${app} django service"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - User = "django-${app}"; - }; - script = '' - source ${assets.envFile} - ${assets.managePy} migrate - ${assets.python}/bin/gunicorn ${app}.wsgi \ - --pythonpath ${assets.source}/${app} \ - -b 127.0.0.1:${toString cfg.port} \ - --workers=${toString cfg.processes} \ - --threads=${toString cfg.threads} - ''; - }; - users.users."django-${app}" = { - isSystemUser = true; - group = "django-${app}"; - }; - users.groups."django-${app}" = {}; - }; -} diff --git a/hosts/org/orga/python-cas.nix b/hosts/org/orga/python-cas.nix deleted file mode 100644 index e0bba1c..0000000 --- a/hosts/org/orga/python-cas.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ lib, requests, lxml, six, buildPythonPackage, fetchFromGitHub }: -buildPythonPackage rec { - pname = "python-cas"; - version = "1.6.0"; - doCheck = false; - src = fetchFromGitHub { - owner = "python-cas"; - repo = "python-cas"; - rev = "v1.6.0"; - sha512 = "sha512-qnYzgwELUij2EdqA6H17q8vnNUsfI7DkbZSI8CCIGfXOM+cZ7vsWe7CJxzsDUw73sBPB4+zzpLxvb7tpm/IDeg=="; - }; - propagatedBuildInputs = [ requests lxml six ]; -} diff --git a/hosts/org/orga/python.nix b/hosts/org/orga/python.nix deleted file mode 100644 index dc77ffc..0000000 --- a/hosts/org/orga/python.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ pkgs ? import ../nix { }, debug ? false }: -let - python = pkgs.python310.override { - packageOverrides = self: super: { - django = super.django_4; - authens = self.callPackage ./authens.nix { }; - pythoncas = self.callPackage ./python-cas.nix { }; - }; - }; -in -python.withPackages (ps: [ - ps.django - ps.djangorestframework - ps.authens - ps.gunicorn -] ++ pkgs.lib.optionals debug [ - ps.django-debug-toolbar - ps.black - ps.isort -]) diff --git a/hosts/org/orga/shell.nix b/hosts/org/orga/shell.nix deleted file mode 100644 index 69ca0e9..0000000 --- a/hosts/org/orga/shell.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ pkgs ? import ../nix { } }: -pkgs.mkShell { - buildInputs = [ - (import ./python.nix { inherit pkgs; debug = true; }) - ]; -} diff --git a/hosts/org/orga/static-assets.nix b/hosts/org/orga/static-assets.nix deleted file mode 100644 index 4c4e128..0000000 --- a/hosts/org/orga/static-assets.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ pkgs, python, source, app, envPrefix ? ""}: -pkgs.runCommand "django-static" { } '' - mkdir -p $out/static - export ${envPrefix}SECRET_KEY="collectstatic" - export ${envPrefix}STATIC_ROOT=$out/static - export ${envPrefix}DEBUG=0 - export ${envPrefix}ALLOWED_HOSTS= - export ${envPrefix}DB_FILE= - ${python}/bin/python ${source}/${app}/manage.py collectstatic -'' diff --git a/hosts/org/static-sites.nix b/hosts/org/static-sites.nix deleted file mode 100644 index 035c5b0..0000000 --- a/hosts/org/static-sites.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ pkgs, lib, ... }: -let - sites = [ - "/NdS" - "/2048" - "/prez" - "/known" - "/pub" - ]; -in -{ - - services.nginx.enable = true; - services.nginx.virtualHosts."new.hackens.org" = { - forceSSL = true; - enableACME = true; - locations = lib.genAttrs sites (name: { - root = "/var/www"; - extraConfig = "autoindex on;"; - }); - }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; -} diff --git a/hosts/org/webpass.nix b/hosts/org/webpass.nix deleted file mode 100644 index 85d5a94..0000000 --- a/hosts/org/webpass.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ pkgs, ... }: -{ - security.acme = { - defaults.email = "hackens@clipper.ens.fr"; - acceptTerms = true; - }; - - services.vaultwarden = { - enable = true; - config = { - DOMAIN = "https://pass.new.hackens.org"; - WEBSOCKET_ENABLED = true; - WEBSOCKET_PORT = 10500; - SIGNUPS_DOMAINS_WHITELIST = "ens.fr,ens.psl.eu"; - ROCKET_PORT = 10501; - ROCKET_ADDRESS = "127.0.0.1"; - LOG_FILE = "/var/lib/bitwarden_rs/logfile"; - SIGNUPS_VERIFY = true; - }; - environmentFile = "/etc/secrets/vaultwarden.env"; - }; - - services.nginx.enable = true; - services.nginx.virtualHosts."pass.new.hackens.org" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://localhost:10501"; - proxyWebsockets = true; - }; - locations."/notifications/hub" = { - proxyPass = "http://localhost:10500"; - proxyWebsockets = true; - }; - locations."/notifications/hub/negotiate" = { - proxyPass = "http://localhost:10501"; - proxyWebsockets = true; - }; - }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; -} diff --git a/profiles/core-hackens/default.nix b/profiles/core-hackens/default.nix new file mode 100644 index 0000000..90ecd13 --- /dev/null +++ b/profiles/core-hackens/default.nix @@ -0,0 +1,8 @@ +{ + imports = [ + ./personal-users.nix + ./ssh-server.nix + ./static-dns.nix + ./programs.nix + ]; +} diff --git a/profiles/core-hackens/personal-users.nix b/profiles/core-hackens/personal-users.nix new file mode 100644 index 0000000..f20e94b --- /dev/null +++ b/profiles/core-hackens/personal-users.nix @@ -0,0 +1,22 @@ +{ ... }: +{ + users.users = { + rlahfa = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + hashedPassword = "$6$y/I6nKCMYUku7$91vTR5kYz4nHyhbuA/j6kPsD8Vfo/Rg7ri6Ympftra9V6emOt/mPg0AScECtYjSIxretvfQ3sPUF1Ho0IWx381"; + openssh.authorizedKeys.keyFiles = [ ../../pubkeys/raito.keys ]; + }; + gdoriathdohler = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keyFiles = [ ../../pubkeys/gdd.keys ]; + }; + mdebray = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keyFiles = [ ../../pubkeys/sinavir.keys ]; + }; + root.openssh.authorizedKeys.keyFiles = [ ../../pubkeys/beigbeder.keys ]; # Jacques Beigbeder est tjrs root. + }; +} diff --git a/profiles/core-hackens/programs.nix b/profiles/core-hackens/programs.nix new file mode 100644 index 0000000..1fee319 --- /dev/null +++ b/profiles/core-hackens/programs.nix @@ -0,0 +1,6 @@ +{ pkgs, ... }: { + environment.systemPackages = with pkgs; [ + vim + git + ]; +} diff --git a/hosts/org/core-hackens/ssh-server.nix b/profiles/core-hackens/ssh-server.nix similarity index 61% rename from hosts/org/core-hackens/ssh-server.nix rename to profiles/core-hackens/ssh-server.nix index 59a1a38..6ef5683 100644 --- a/hosts/org/core-hackens/ssh-server.nix +++ b/profiles/core-hackens/ssh-server.nix @@ -1,9 +1,8 @@ -{ ... }: { +{ ... }: +{ # Enable the OpenSSH daemon. services.openssh.enable = true; - services.openssh.passwordAuthentication = false; # Open ports in the firewall. networking.firewall.allowedTCPPorts = [ 22 ]; - programs.mosh.enable = true; } diff --git a/profiles/core-hackens/static-dns.nix b/profiles/core-hackens/static-dns.nix new file mode 100644 index 0000000..21f27dc --- /dev/null +++ b/profiles/core-hackens/static-dns.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + networking.nameservers = [ + "1.1.1.1" + "8.8.8.8" + ]; +} diff --git a/profiles/monitoring.nix b/profiles/monitoring.nix new file mode 100644 index 0000000..ce85023 --- /dev/null +++ b/profiles/monitoring.nix @@ -0,0 +1,72 @@ +{ pkgs, config, ... }: +{ + # Monitoring + services.netdata.enable = true; + systemd.services.netdata.restartTriggers = map (name: config.environment.etc."netdata/${name}.conf".source) [ + "health_alarm_notify" + "stream" + "fping" + ]; + environment.etc."netdata/stream.conf" = { + user = "netdata"; + group = "netdata"; + mode = "0600"; + text = '' + # hackens-desktop + [074e699a-4206-4e13-baa7-e4524326f1e0] + enabled = yes + default history = 3600 + default memory mode = dbengine + health enabled by default = auto + allow from = 192.168.1.117, 2001:470:1f13:21d:49fd:1d82:d2ff:d868 + + # hackens-openwrt + [cab3fe1e-576b-420d-b301-84308e44f340] + enabled = yes + default history = 3600 + default memory mode = dbengine + health enabled by default = auto + allow from = 192.168.1.1, 2001:470:1f13:21d::1 + ''; + }; + environment.etc."netdata/health_alarm_notify.conf" = { + user = "netdata"; + group = "netdata"; + mode = "0600"; + text = '' + # External tools + nc="${pkgs.netcat}/bin/nc" + + # IRC configuration + SEND_IRC="YES" + DEFAULT_RECIPIENT_IRC="#hackens-status" + IRC_NETWORK="ens.wtf" + IRC_NICKNAME="hackens" + IRC_REALNAME="hackENS netdata monitoring" + ''; + }; + environment.etc."netdata/fping.conf" = { + user = "netdata"; + group = "netdata"; + mode = "0600"; + text = '' + fping="${pkgs.fping}/bin/fping" + hosts="hackens.org hack.ens.fr sas.eleves.ens.fr argonaut.ens.wtf clipper.ens.fr merle.eleves.ens.fr" + ''; + }; + services.smartd.enable = true; + services.smartd.extraOptions = [ "-A /var/log/smartd/" ]; # For netdata. + + # MQTT for every usage, notably OctoPrint events. + services.mosquitto = { + enable = true; + listeners = [ + { + address = "192.168.1.118"; + } + ]; + settings = { + # allow_anonymous = true; + }; + }; +} diff --git a/profiles/shared-hackens/backups.nix b/profiles/shared-hackens/backups.nix new file mode 100644 index 0000000..76f9b82 --- /dev/null +++ b/profiles/shared-hackens/backups.nix @@ -0,0 +1,11 @@ +{ pkgs, ... }: { + # BorgBackup repositories + services.borgbackup.repos = { + hackens-desktop = { + authorizedKeys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDcKULx/AgnqBsgwRX2BfV8waq6JXIkvZHhu9Y8paofM8awq6Om56BZoA7AV45YOcJxO/eFDOxSegXXmt22s4WjIf8I049aMdsW54BNpFpC/h18cMzm5ylKVGHl1ier/WXxpBsA8YU++YdRlGHPpKnhCtYLnBzD4Q5h+05GMIHismNZP1aGpE9s01FuP8eaDDkZUba7oSpn03AA77DBw4/2ZreSbqo96Z6WwiG09KeZvxFtEIk98EQtmiExB2fwsK3/JIxIBCoZHh4SzERcslxxGgzdppd6NhhSh7g523zhiihLaTAPNXBovGm5wcKOU9uWe+pUWEbwV04E+809aVbkJOdYBCtIf8M91meqpupA8jK38uquePHEFvpNr5UmY0qUlJCoqTvoqg9XgrfJVjlPEmYknj/QjQzkA4k19y8njsyEjnYOBL6tsztg6Igl+NZXjBAPuAzxCsfHOtWw1WM5gANwqOL0V9f7+14yST3HwweqjHRj4xky6ritxK+ujfc= hackens@hackens-desktop-1" + ]; + path = "/var/backups/hackens-desktop"; + }; + }; +} diff --git a/profiles/shared-hackens/default.nix b/profiles/shared-hackens/default.nix index 5f3efbc..e21df07 100644 --- a/profiles/shared-hackens/default.nix +++ b/profiles/shared-hackens/default.nix @@ -1,14 +1,21 @@ { pkgs, ... }: { imports = [ - ./aarch64.nix - ./audio.nix - ./dns - ./gnome.nix - ./i18n.nix - ./no-sleep.nix - ./programs.nix ./system.nix + ./backups.nix + ./vpn-network + ./hosts.nix + ./syncthing.nix + ./programs.nix + ./audio.nix + ./graphics.nix + ./monitoring.nix ./users.nix + ./i18n.nix ./vim.nix + ./dns.nix + ./nightworker.nix + ./ssd.nix + ./aarch64.nix + # ./netboot-server.nix # -- fix quick xyz mode. ]; } diff --git a/profiles/shared-hackens/dns/default.nix b/profiles/shared-hackens/dns.nix similarity index 95% rename from profiles/shared-hackens/dns/default.nix rename to profiles/shared-hackens/dns.nix index a6ccd31..18680f4 100644 --- a/profiles/shared-hackens/dns/default.nix +++ b/profiles/shared-hackens/dns.nix @@ -15,7 +15,7 @@ in ipv6_servers = true; require_dnssec = true; - forwarding_rules = ./forwarding.txt; + forwarding_rules = ./dns/forwarding.txt; query_log = if debugDNS then { file = "/dev/stdout"; diff --git a/profiles/shared-hackens/gnome.nix b/profiles/shared-hackens/gnome.nix deleted file mode 100644 index 7144b1c..0000000 --- a/profiles/shared-hackens/gnome.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: -{ - services.xserver = { - enable = true; - displayManager.gdm.enable = true; - desktopManager.gnome.enable = true; - }; - services.xserver.layout = "fr"; - services.autorandr.enable = true; -} diff --git a/profiles/shared-hackens/graphics.nix b/profiles/shared-hackens/graphics.nix new file mode 100644 index 0000000..779a669 --- /dev/null +++ b/profiles/shared-hackens/graphics.nix @@ -0,0 +1,10 @@ +{ pkgs, ... }: +{ + imports = [ ./i3.nix ]; + + # Enable the X11 windowing system. + services.xserver.enable = true; + services.xserver.layout = "fr"; + + services.autorandr.enable = true; +} diff --git a/profiles/shared-hackens/hosts.nix b/profiles/shared-hackens/hosts.nix new file mode 100644 index 0000000..6e5b8c3 --- /dev/null +++ b/profiles/shared-hackens/hosts.nix @@ -0,0 +1,3 @@ +{ pkgs, ... }: +{ +} diff --git a/profiles/shared-hackens/i3.nix b/profiles/shared-hackens/i3.nix new file mode 100644 index 0000000..3a0834f --- /dev/null +++ b/profiles/shared-hackens/i3.nix @@ -0,0 +1,52 @@ +{ pkgs, ... }: +{ + environment.pathsToLink = [ "/libexec" ]; + environment.sessionVariables.TERMINAL = [ "kitty" ]; + environment.variables = { + TERMINAL = "kitty"; + BROWSER = "firefox"; + }; + services.xserver = { + displayManager = { + autoLogin = { + enable = true; + user = "hackens"; + }; + }; + + windowManager.i3 = { + enable = true; + extraSessionCommands = '' + ${pkgs.xlibs.xset}/bin/xset r rate 200 50 + ''; + extraPackages = with pkgs; [ + rofi + dunst + i3status-rust + i3lock + kitty + ]; + }; + }; + + fonts.fonts = with pkgs; [ + hack-font + noto-fonts + noto-fonts-cjk + noto-fonts-emoji + liberation_ttf + fira-code + fira-code-symbols + mplus-outline-fonts + dina-font + proggyfonts + powerline-fonts + font-awesome + ]; + + services.picom = { + enable = true; + vSync = true; + }; +} + diff --git a/profiles/shared-hackens/kde.nix b/profiles/shared-hackens/kde.nix new file mode 100644 index 0000000..217be99 --- /dev/null +++ b/profiles/shared-hackens/kde.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + # Enable the KDE Desktop Environment. + services.xserver.displayManager.sddm.enable = true; + services.xserver.desktopManager.plasma5.enable = true; +} diff --git a/profiles/shared-hackens/monitoring.nix b/profiles/shared-hackens/monitoring.nix new file mode 100644 index 0000000..ce85023 --- /dev/null +++ b/profiles/shared-hackens/monitoring.nix @@ -0,0 +1,72 @@ +{ pkgs, config, ... }: +{ + # Monitoring + services.netdata.enable = true; + systemd.services.netdata.restartTriggers = map (name: config.environment.etc."netdata/${name}.conf".source) [ + "health_alarm_notify" + "stream" + "fping" + ]; + environment.etc."netdata/stream.conf" = { + user = "netdata"; + group = "netdata"; + mode = "0600"; + text = '' + # hackens-desktop + [074e699a-4206-4e13-baa7-e4524326f1e0] + enabled = yes + default history = 3600 + default memory mode = dbengine + health enabled by default = auto + allow from = 192.168.1.117, 2001:470:1f13:21d:49fd:1d82:d2ff:d868 + + # hackens-openwrt + [cab3fe1e-576b-420d-b301-84308e44f340] + enabled = yes + default history = 3600 + default memory mode = dbengine + health enabled by default = auto + allow from = 192.168.1.1, 2001:470:1f13:21d::1 + ''; + }; + environment.etc."netdata/health_alarm_notify.conf" = { + user = "netdata"; + group = "netdata"; + mode = "0600"; + text = '' + # External tools + nc="${pkgs.netcat}/bin/nc" + + # IRC configuration + SEND_IRC="YES" + DEFAULT_RECIPIENT_IRC="#hackens-status" + IRC_NETWORK="ens.wtf" + IRC_NICKNAME="hackens" + IRC_REALNAME="hackENS netdata monitoring" + ''; + }; + environment.etc."netdata/fping.conf" = { + user = "netdata"; + group = "netdata"; + mode = "0600"; + text = '' + fping="${pkgs.fping}/bin/fping" + hosts="hackens.org hack.ens.fr sas.eleves.ens.fr argonaut.ens.wtf clipper.ens.fr merle.eleves.ens.fr" + ''; + }; + services.smartd.enable = true; + services.smartd.extraOptions = [ "-A /var/log/smartd/" ]; # For netdata. + + # MQTT for every usage, notably OctoPrint events. + services.mosquitto = { + enable = true; + listeners = [ + { + address = "192.168.1.118"; + } + ]; + settings = { + # allow_anonymous = true; + }; + }; +} diff --git a/profiles/shared-hackens/netboot-server.nix b/profiles/shared-hackens/netboot-server.nix new file mode 100644 index 0000000..bc31f32 --- /dev/null +++ b/profiles/shared-hackens/netboot-server.nix @@ -0,0 +1,8 @@ +{ pkgs, ... }: +{ + services.pixiecore = { + enable = true; + openFirwalle = true; + dhcpNoBind = true; + }; +} diff --git a/profiles/shared-hackens/no-sleep.nix b/profiles/shared-hackens/no-sleep.nix deleted file mode 100644 index 3b4e880..0000000 --- a/profiles/shared-hackens/no-sleep.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ ... }: { - systemd.targets = { - sleep.enable = false; - suspend.enable = false; - hibernate.enable = false; - hybrid-sleep.enable = false; - }; -} diff --git a/profiles/shared-hackens/programs.nix b/profiles/shared-hackens/programs.nix index fc81a76..d083307 100644 --- a/profiles/shared-hackens/programs.nix +++ b/profiles/shared-hackens/programs.nix @@ -6,35 +6,45 @@ programs.wireshark.enable = true; environment.systemPackages = with pkgs; [ + kitty + # Todolist + taskwarrior + + # Slicers + prusa-slicer super-slicer + + # CAD/3D + blender freecad openscad kicad-with-packages3d + # Microcontrollers + arduino arduino-cli stm32flash stm32loader + # FPGA + # python38Packages.nmigen python38Packages.nmigen-soc python38Packages.nmigen-boards + verilog verilator yosys symbiyosys mcy + # Reverse engineering + ghidra-bin apktool pwndbg + radare2 + # IRC weechat - # Latex - texlive.combined.scheme-full - # Editors - vscodium - emacs - neovim + vscodium emacs neovim + # Utilities + minicom smartmontools - wget - firefox - ungoogled-chromium - ripgrep - fd + starship + wget firefox ripgrep chromium nmap htop dnsutils - ncdu - lazygit + ncdu lazygit # Networking - speedtest-cli - iperf + speedtest-cli iperf - # Serial - minicom + # CNC + inkscape ]; programs.chromium = { diff --git a/profiles/shared-hackens/result b/profiles/shared-hackens/result deleted file mode 120000 index 41ec79d..0000000 --- a/profiles/shared-hackens/result +++ /dev/null @@ -1 +0,0 @@ -/nix/store/q3gp3rnx0y5pxdq7jlhj1x3bqrisv7pp-nixos-system-hackens-milieu-23.05pre442253.befc83905c9 \ No newline at end of file diff --git a/profiles/shared-hackens/ssd.nix b/profiles/shared-hackens/ssd.nix new file mode 100644 index 0000000..f197688 --- /dev/null +++ b/profiles/shared-hackens/ssd.nix @@ -0,0 +1,6 @@ +{ pkgs, ... }: +{ + services.fstrim = { + enable = true; + }; +} diff --git a/profiles/shared-hackens/syncthing.nix b/profiles/shared-hackens/syncthing.nix new file mode 100644 index 0000000..d666ae5 --- /dev/null +++ b/profiles/shared-hackens/syncthing.nix @@ -0,0 +1,9 @@ +{ pkgs, ... }: +{ + services.syncthing = { + enable = true; + user = "hackens"; + openDefaultPorts = true; + dataDir = "/home/hackens"; + }; +} diff --git a/profiles/shared-hackens/system.nix b/profiles/shared-hackens/system.nix index 5070118..76367d3 100644 --- a/profiles/shared-hackens/system.nix +++ b/profiles/shared-hackens/system.nix @@ -5,11 +5,6 @@ allowReboot = false; }; - # SSD stuff - services.fstrim = { - enable = true; - }; - # Auto-GC and store optimizations nix = { trustedUsers = [ "root" "hackens" ]; @@ -29,13 +24,7 @@ }; services.locate.enable = true; - - # ssh services.openssh.enable = true; - services.openssh.passwordAuthentication = false; - - # We are on a trusted network networking.firewall.enable = false; - documentation.info.enable = false; } diff --git a/profiles/shared-hackens/users.nix b/profiles/shared-hackens/users.nix index 6a1792f..6b61724 100644 --- a/profiles/shared-hackens/users.nix +++ b/profiles/shared-hackens/users.nix @@ -1,25 +1,23 @@ { pkgs, ... }: -let - superadmins = [ - ../../pubkeys/raito.keys - ../../pubkeys/gdd.keys - ../../pubkeys/BiBi.keys - ../../pubkeys/sinavir.keys - ]; -in { users.users.hackens = { isNormalUser = true; - extraGroups = [ "wheel" "dialout" "audio" "video" ]; + extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = [ + openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDcKULx/AgnqBsgwRX2BfV8waq6JXIkvZHhu9Y8paofM8awq6Om56BZoA7AV45YOcJxO/eFDOxSegXXmt22s4WjIf8I049aMdsW54BNpFpC/h18cMzm5ylKVGHl1ier/WXxpBsA8YU++YdRlGHPpKnhCtYLnBzD4Q5h+05GMIHismNZP1aGpE9s01FuP8eaDDkZUba7oSpn03AA77DBw4/2ZreSbqo96Z6WwiG09KeZvxFtEIk98EQtmiExB2fwsK3/JIxIBCoZHh4SzERcslxxGgzdppd6NhhSh7g523zhiihLaTAPNXBovGm5wcKOU9uWe+pUWEbwV04E+809aVbkJOdYBCtIf8M91meqpupA8jK38uquePHEFvpNr5UmY0qUlJCoqTvoqg9XgrfJVjlPEmYknj/QjQzkA4k19y8njsyEjnYOBL6tsztg6Igl+NZXjBAPuAzxCsfHOtWw1WM5gANwqOL0V9f7+14yST3HwweqjHRj4xky6ritxK+ujfc= hackens@hackens-desktop" ]; - openssh.authorizedKeys.keyFiles = superadmins; + openssh.authorizedKeys.keyFiles = [ + ../../pubkeys/raito.keys + ../../pubkeys/gdd.keys + ]; }; users.users.root = { - openssh.authorizedKeys.keyFiles = superadmins; + openssh.authorizedKeys.keyFiles = [ + ./pubkeys/raito.keys + ./pubkeys/gdd.keys + ]; }; } diff --git a/profiles/shared-hackens/vim.nix b/profiles/shared-hackens/vim.nix index fbb559e..616693e 100644 --- a/profiles/shared-hackens/vim.nix +++ b/profiles/shared-hackens/vim.nix @@ -4,6 +4,7 @@ git (neovim.override { vimAlias = true; + configure.plug.plugins = with vimPlugins; [ vim-nix vim-lastplace ]; }) ]; } diff --git a/profiles/shared-hackens/vpn-network/default.nix b/profiles/shared-hackens/vpn-network/default.nix new file mode 100644 index 0000000..9f2ffec --- /dev/null +++ b/profiles/shared-hackens/vpn-network/default.nix @@ -0,0 +1,17 @@ +{ pkgs, ... }: +{ + imports = [ + ./wg-peers.nix + ]; + + networking.wireguard.interfaces.wghackens = { + ips = [ "192.168.2.1/24" ]; + listenPort = 51820; + + privateKeyFile = "/etc/secrets/wghackens"; + generatePrivateKeyFile = true; + }; + + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; +} + diff --git a/profiles/shared-hackens/vpn-network/wg-peers.nix b/profiles/shared-hackens/vpn-network/wg-peers.nix new file mode 100644 index 0000000..8c0a5e7 --- /dev/null +++ b/profiles/shared-hackens/vpn-network/wg-peers.nix @@ -0,0 +1,22 @@ +{ ... }: +let + startPrefix = "192.168.2"; + mkPeer = i: publicKey: { + inherit publicKey; + allowedIPs = [ "${startPrefix}.${toString i}/32" ]; # Only one IP. + }; +in + { + # Comment s'ajouter ? + # Ajouter un élément dans la liste sous la forme + # (mkPeer i "publicKey") + # i := c'est le i dans 192.168.2.i qui sera l'IP « allouée » sur le tunnel + # publicKey := votre clef publique WireGuard + # si on veut mettre une presharedKey, faut rajouter une entrée manuellement en suivant la doc :). + # Ne pas oublier un commentaire à la fin de l'entrée pour documenter qui est quoi. + # Clef publique actuelle: 95dW/JJDnbOelgot/yWMJMswCzHdQGCqPDvriwq9CT4= + networking.wireguard.interfaces.wghackens.peers = [ + (mkPeer 2 "ed5ib4LwK6YvRDqUPyvLnbS0onrBQpFApv5HreYuMHs=") # Raito + (mkPeer 3 "cm0G/YTSnu4sD72wMqXjNqDuauTh5XJHf/nvE0gOpFk=") # BiBi + ]; + } diff --git a/pubkeys/BiBi.keys b/pubkeys/BiBi.keys deleted file mode 100644 index 5471362..0000000 --- a/pubkeys/BiBi.keys +++ /dev/null @@ -1,3 +0,0 @@ -ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACC4RyZ/2ZTACUl5j6K1VlLu4+WUI3eUuylxqPw9DVWnKH5u5pGld/6pL3Nq0rM5W5kfDLd0SWYDL5f1FUdBr2VugDGLO8swdOK6SWM3J5TN1c2ZwDAeBsbXF4scqXqT1Fxay31LPUCAy526P6pRowxwBZwEMn6wHc7Lp//LRMOqh2DSA== -ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBABLEDU82YDUFYgji+hM1fdfpxzY2QHNRCrlSF1X9FSqLLBHYxcpIWEl6kd6bQTml+sjhIpdvbDzvr2MR4prk/zsiwDmuLrzv+j7jri7BZkBzREYYm45LQNhbJZuRaszEMpvOU902UOvEzPU2WDAtHH1G7fRnxjHsDAiVc/fUzJz9r9uXg== -ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBADkJamWNY4+IdqAKI4p7NZ9EecVj3gc2oH/JpmyKREnQBBiCdNmu5HOqzplYYIEmr3HtGLZNcL8o0bvXNtX43onLQDsyOa2UuTNRYLOgx9Uq0tFLhGrDmDP1SK/v5OfcM9H+vm5NO4bFdPjqTrqwDOamUrSt83BY9XRue+JIe/nTzDX0g== diff --git a/pubkeys/backslash.keys b/pubkeys/backslash.keys deleted file mode 100644 index d6a64db..0000000 --- a/pubkeys/backslash.keys +++ /dev/null @@ -1,2 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIm4XAUjTYdipppVlerlO3ng5KijoEQzuVD7cueq48D8 -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII30ofjlQllI6SlRAZjhGO1nUYA1ciUr3qyBog+HNqVE diff --git a/pubkeys/backup.keys b/pubkeys/backup.keys deleted file mode 100644 index 6042a90..0000000 --- a/pubkeys/backup.keys +++ /dev/null @@ -1,2 +0,0 @@ -ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFOudRjw38khtJF9MM8lfGXLJlK06E26+njysWgw1wXB3t06I5BGyLKXI9STpitU7y1dN5xirMxxiI1BhP4TodM= beig@yole -ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOfTmWRWNED9gIz2lHny2X7+vLSY9H8f0kV6aFg/ASthH1pE2C8Kh14CqFyVZn0hAHtv0GnTooDxCsK0K+d0OEc= root@muguet diff --git a/pubkeys/hackens-host.keys b/pubkeys/hackens-host.keys deleted file mode 100644 index 5d96db0..0000000 --- a/pubkeys/hackens-host.keys +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3EvmAE38YNp2pNfGbyyywInEDBpTz4yseOAqmnZS1m diff --git a/pubkeys/raito.keys b/pubkeys/raito.keys index 7a717dd..2473c6b 100644 --- a/pubkeys/raito.keys +++ b/pubkeys/raito.keys @@ -1,3 +1,3 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtS70Y1Merif66/G4bsP1/E3jyjiqjf7ZMsU07lw+Wf +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ diff --git a/pubkeys/sinavir.keys b/pubkeys/sinavir.keys index c014707..471d054 100644 --- a/pubkeys/sinavir.keys +++ b/pubkeys/sinavir.keys @@ -1,2 +1 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1FilN5OcWKTulTGs8HA0fHZMW9vpnt5tSkH3N1fI7m diff --git a/secrets/default.nix b/secrets/default.nix deleted file mode 100644 index 5fac86f..0000000 --- a/secrets/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ ... }: { - imports = [ ]; - age.secrets."wikiOpenID" = { - file = ./wiki-openID.age; - owner = "dokuwiki"; - }; - age.secrets."django" = { - file = ./django.age; - owner = "django-hackens_orga"; - }; - age.secrets."matterbridge-env" = { - file = ./matterbridge-env.age; - owner = "matterbridge"; - }; -} diff --git a/secrets/django.age b/secrets/django.age deleted file mode 100644 index a5b4e5d..0000000 Binary files a/secrets/django.age and /dev/null differ diff --git a/secrets/matterbridge-env.age b/secrets/matterbridge-env.age deleted file mode 100644 index 58099a6..0000000 --- a/secrets/matterbridge-env.age +++ /dev/null @@ -1,33 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 JGx7Ng udxfs+mQbihD5fPzAn5ni8YEJVZpy4WWsJD6lCtRC1A -KZ5YX6e6z8SWnlDlx8vA4w0YUqtzBoYwInFKuqZz7d4 --> ssh-ed25519 kXobKQ A6vHdLfZyEBJgYx41cinKBs0x0TaP331o5RMiARyeUw -BneTkDar5nxv6oZ9sCtIlrknPCNTN+/+/PF0IL+Sd48 --> ssh-ed25519 7hZk0g Zb6uedun2Z3ZKxFefDyPbro7hiBf9I0MBT4JqBNVKVQ -iowidJUNNg/i8PJzr2QaQ1CtiGuhqLiMEgAZOnNhOpg --> ssh-rsa krWCLQ -YTtOm6+MDPBNKQRhBZfhNqJV1qLJ5UDV5UdBnU0NzQz6k0IB2wowKcbgsmeoTPAo -y8Ngqaj73LsttzvBtFEQkGyfx/uN5YheUjyzpRvKSgYFAhz1MfRnJNMDSpcSQSrm -6zLZz0YP6DUPxolVhbmOMdTdcfFZj99RFDQXhuKnsKYRVm9sL5j3ucf/Ekk9PDoD -d6qvsE8Coujxhcraf80w/USnBtB1hHJWqJe+iljuZ6xXr+Piuc3Rm289NHiB5x+3 -56pvcQO6NAy4IvDnWD2KfOIgF4LNAVKNnZzUyBLYK+31N3Xq/FKZ1sreN9dy7F5Z -E6Lnak3W3E9/O3R8n7p9CA --> ssh-ed25519 /vwQcQ d9HHwpCJKqUkEkJxcX4/diGPuopw0htz0FSdy6nJoQQ -Zrh2lQSPiFZi4aSum8PvgbY4hgSaFZGxDsjCTVkLcy8 --> ssh-ed25519 0R97PA E3p80voKVJhW+lJa9BbYnmzYlCMlYdMZh9BJbwy2a0A -0FiTmlnAKlBD1/tTz1KeVgCbJ6BjEQhgdYRnnsdw9NQ --> ssh-ed25519 cvTB5g rqR6oJ+SD2P8cE9Rv5y44OilufgL8TJ/wZVQDbzyAwU -SPF2XWcwsmq93RCBysKXejLUDdRtsDEI7NgueV4DmeQ --> ssh-ed25519 Wu8JLQ pbLcWS1CB6FjR5bD/jcTC8yJAOEldPgI5tG2eYF0Onc -ghsz3bkN8vQplNXBCgRFq2lpbqs0DGeIF8IdlI93j8g --> ssh-ed25519 EIt1vA lSqRBaPgoG8n67bNIsHFu1RK5RlXWZBPkC15L2dprEw -+jtJKYpFf9O9YJFx4y/JQ2kAEj0GP8PsPtn6gg80OMw --> ssh-ed25519 X51wxg YyH0+riDtUnbeuwLE6tZyvg1WvenA7hHP2Yo5ULiRmg -QvwlfQd6VFZS/3VSbud/ApzkmjGtx2bzVWyQRMPOGeA --> 4l{!l\L-grease {6Ig( Vc~QhIg \Q:# -mRy+uiK5/EjovQZu32MubNOIg/GHh0ixYiuA7DOt+enUvwGe5ABo2JAKlZUpbHD3 -gkvFvQSHMj94zoHmK7a7pnp73QZ5uwtqUuPpm3xclXIZFDkWJQ ---- dqYRV0DCgBAI4LSzwaka+j17Ov0J27IQLQzxEcygRZA - -YU\ 8͕/0FS -΂xMZfY~C`$7dǚ7B؞kF~wX \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix deleted file mode 100644 index 51a3c91..0000000 --- a/secrets/secrets.nix +++ /dev/null @@ -1,17 +0,0 @@ -let - lib = (import { }).lib; - readpubkeys = user: - builtins.filter (k: k != "") - (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); -in -{ - "wiki-openid.age".publicKeys = (readpubkeys "sinavir") - ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito") - ++ (readpubkeys "gdd") ++ (readpubkeys "backslash"); - "matterbridge-env.age".publicKeys = (readpubkeys "sinavir") - ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito") - ++ (readpubkeys "gdd") ++ (readpubkeys "backslash"); - "django.age".publicKeys = (readpubkeys "sinavir") - ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito") - ++ (readpubkeys "gdd") ++ (readpubkeys "backslash"); -} diff --git a/secrets/wiki-openID.age b/secrets/wiki-openID.age deleted file mode 100644 index fdeec16..0000000 --- a/secrets/wiki-openID.age +++ /dev/null @@ -1,31 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 JGx7Ng krR1IYLPMfF9fR7P6ECgMy2vec2lHss0XcHuHWcZCBo -MDFLnB7DgNdlJjOxhu0Qreb17ejcZIBMnXGs0BLUN+E --> ssh-ed25519 IWJ9yA shKTCkZmyjLLIFY+ZetDqJJgx51cVHk/ZsKD/cdJ+i0 -xSblu5POmIUKVe4l+KqpGqGkk+UowRhitUdvE9BLUfM --> ssh-ed25519 7hZk0g 8WtQ/vt6MH0pIN5G1GB3RoS1fNFgFQIepR1HqyP8vWI -oSYU/uRA4lopWC8TCwWYZAGncoPOx8/sIMFt0QErDlg --> ssh-rsa krWCLQ -KkRdhsQ//wkDw4mX3RqGLSbR8hX3ehr+ZDkwDbCh9gwl17p2hGOFzwhvA8UxQJnK -O1z7Lu+hA3dvIhNlyimHp8Qt/AkoZAPnR+lf08Q4BajCqy2Z6HBjKJ6qi7c+9t2F -xy5YrBrTzpRKbmf7Fz+tm1hg392bLHhv3N+PfTSszjBs8XdUF8nWQNsdETBhZOzz -ilwDzRDFWfPuFYhjs7cAiXE+qDGgzleX0Yx+OgwBoBPB93JbmuRIPQZIJL9WQZdN -WTS5T5NJ/trZuRAx/Gx+O854G4miLE1M76E/hQ5bZuQN3EvY4Me8j9jzFlwPp3wA -M2oxFsJRvSkOmFl1WIWM0Q --> ssh-ed25519 nyw/0Q KinHAGi4K6Gls1otwc9WE+jhzujZ4EETm2Br3myWh1o -m1gVTxjs+WJeKc6NvBlqWfGmg3ZwxVO6aHqM14QFRaI --> ssh-ed25519 85WiGg P9BBlxJxxLwijrvo/XzfKh2GnkJUvjCLBhkrR27v0SQ -8o3HgtiY8DLYgrau2mfmA4QzvoFThCHqDF/7QCNew7A --> ssh-ed25519 cvTB5g HzkPfCXwsikbISCh7zZgtOaI03G2ErTWIXRk9TfSqm4 -Wqh9WYB4D2hDAe3nWxz19nZDgGMJYFvtHxrYQnuiHC4 --> ssh-ed25519 Wu8JLQ 2x1ikJnqyIkQmOwK1vP4S7n/xZZCdN7czBY1o/L8ZzY -Poj21vxJ9sUsoikfepaxbktWWIdjh24zzDRzW4Efb8c --> ssh-ed25519 EIt1vA XxwV8nTlhx7Iy77xCnTrcCEevyKnDGFHGi9JvLb4a0s -y9M2VFvUGT0GOydGDbyqpuOuIRyKXPGl1Z35nBI3i68 --> ssh-ed25519 X51wxg C6GJqoVqTLpR5L0v1c5umu0gwUEWXOEAJC9kKWV2NEs -IogBAsuZG9z8TmX0rVav14ek1qhoq38DWullPSufnWQ --> l@z=5S-grease (,5a5 T tV@xrY %e_ig -mIzNLkFaEozopcLCOyQacaU ---- 2krWnD1hHZOvN/0zuuIIcFjh2udviLZns/nTsVSPLmc -~=>YYWwpEz);d1M'=&!J$ -n_l"ډ \ No newline at end of file diff --git a/shared/dokuwiki.nix b/shared/dokuwiki.nix deleted file mode 100644 index c999fce..0000000 --- a/shared/dokuwiki.nix +++ /dev/null @@ -1,94 +0,0 @@ -{ lib -, stdenv -, fetchFromGitHub -, writeText -, nixosTests -, dokuwiki -}: - -stdenv.mkDerivation rec { - pname = "dokuwiki"; - version = "2022-07-31a"; - - src = fetchFromGitHub { - owner = "splitbrain"; - repo = pname; - rev = "release_stable_${version}"; - sha256 = "sha256-gtWEtc3kbMokKycTx71XXblkDF39i926uN2kU3oOeVw="; - }; - - preload = writeText "preload.php" '' - array( - 'default' => getenv('DOKUWIKI_ACL_AUTH_CONFIG'), - ), - 'plainauth.users' => array( - 'default' => getenv('DOKUWIKI_USERS_AUTH_CONFIG'), - 'protected' => "" // not used by default - ), - ); - ''; - - phpLocalConfig = writeText "local.php" '' - - ''; - - phpPluginsLocalConfig = writeText "plugins.local.php" '' - - ''; - - installPhase = '' - runHook preInstall - - mkdir -p $out/share/dokuwiki - cp -r * $out/share/dokuwiki - cp ${preload} $out/share/dokuwiki/inc/preload.php - cp ${phpLocalConfig} $out/share/dokuwiki/conf/local.php - cp ${phpPluginsLocalConfig} $out/share/dokuwiki/conf/plugins.local.php - - runHook postInstall - ''; - - passthru = { - combine = - { basePackage ? dokuwiki - , plugins ? [ ] - , templates ? [ ] - , localConfig ? null - , pluginsConfig ? null - , aclConfig ? null - , pname ? (p: "${p.pname}-combined") - }: - let - isNotEmpty = x: lib.optionalString (! builtins.elem x [ null "" ]); - in - basePackage.overrideAttrs (prev: { - pname = if builtins.isFunction pname then pname prev else pname; - - postInstall = prev.postInstall or "" + '' - ${lib.concatMapStringsSep "\n" (tpl: "cp -r ${toString tpl} $out/share/dokuwiki/lib/tpl/${tpl.name}") templates} - ${lib.concatMapStringsSep "\n" (plugin: "cp -r ${toString plugin} $out/share/dokuwiki/lib/plugins/${plugin.name}") plugins} - ${isNotEmpty localConfig "ln -sf ${localConfig} $out/share/dokuwiki/conf/local.php" } - ${isNotEmpty pluginsConfig "ln -sf ${pluginsConfig} $out/share/dokuwiki/conf/plugins.local.php" } - ${isNotEmpty aclConfig "ln -sf ${aclConfig} $out/share/dokuwiki/acl.auth.php" } - ''; - }); - tests = { - inherit (nixosTests) dokuwiki; - }; - }; - - meta = with lib; { - description = "Simple to use and highly versatile Open Source wiki software that doesn't require a database"; - license = licenses.gpl2; - homepage = "https://www.dokuwiki.org"; - platforms = platforms.all; - maintainers = with maintainers; [ _1000101 ]; - }; -} diff --git a/shared/dokuwiki_module.nix b/shared/dokuwiki_module.nix deleted file mode 100644 index f1f6548..0000000 --- a/shared/dokuwiki_module.nix +++ /dev/null @@ -1,613 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.dokuwiki; - eachSite = cfg.sites; - user = "dokuwiki"; - webserver = config.services.${cfg.webserver}; - - mkPhpIni = generators.toKeyValue { - mkKeyValue = generators.mkKeyValueDefault { } " = "; - }; - mkPhpPackage = cfg: cfg.phpPackage.buildEnv { - extraConfig = mkPhpIni cfg.phpOptions; - }; - - dokuwikiAclAuthConfig = hostName: cfg: - let - inherit (cfg) acl; - acl_gen = concatMapStringsSep "\n" (l: "${l.page} \t ${l.actor} \t ${toString l.level}"); - in - pkgs.writeText "acl.auth-${hostName}.php" '' - # acl.auth.php - # - # - # Access Control Lists - # - ${if isString acl then acl else acl_gen acl} - ''; - - mergeConfig = cfg: { - useacl = false; # Dokuwiki default - savedir = cfg.stateDir; - } // cfg.settings; - - writePhpFile = name: text: pkgs.writeTextFile { - inherit name; - text = " for explanation - ''; - example = "read"; - }; - - }; - }; - - siteOpts = { config, lib, name, ... }: - { - imports = [ - # NOTE: These will sadly not print the absolute argument path but only the name. Related to #96006 - (mkRenamedOptionModule [ "aclUse" ] [ "settings" "useacl" ]) - (mkRenamedOptionModule [ "superUser" ] [ "settings" "superuser" ]) - (mkRenamedOptionModule [ "disableActions" ] [ "settings" "disableactions" ]) - ({ config, options, name, ... }: { - config.warnings = - (optional (isString config.pluginsConfig) '' - Passing plain strings to services.dokuwiki.sites.${name}.pluginsConfig has been deprecated and will not be continue to be supported in the future. - Please pass structured settings instead. - '') - ++ (optional (isString config.acl) '' - Passing a plain string to services.dokuwiki.sites.${name}.acl has been deprecated and will not continue to be supported in the future. - Please pass structured settings instead. - '') - ++ (optional (config.extraConfig != null) '' - services.dokuwiki.sites.${name}.extraConfig is deprecated and will be removed in the future. - Please pass structured settings to services.dokuwiki.sites.${name}.settings instead. - '') - ; - }) - ]; - - options = { - enable = mkEnableOption (lib.mdDoc "DokuWiki web application."); - - package = mkOption { - type = types.package; - default = pkgs.dokuwiki; - defaultText = literalExpression "pkgs.dokuwiki"; - description = lib.mdDoc "Which DokuWiki package to use."; - }; - - stateDir = mkOption { - type = types.path; - default = "/var/lib/dokuwiki/${name}/data"; - description = lib.mdDoc "Location of the DokuWiki state directory."; - }; - - acl = mkOption { - type = with types; nullOr (oneOf [ lines (listOf (submodule aclOpts)) ]); - default = null; - example = literalExpression '' - [ - { - page = "start"; - actor = "@external"; - level = "read"; - } - { - page = "*"; - actor = "@users"; - level = "upload"; - } - ] - ''; - description = lib.mdDoc '' - Access Control Lists: see - Mutually exclusive with services.dokuwiki.aclFile - Set this to a value other than null to take precedence over aclFile option. - - Warning: Consider using aclFile instead if you do not - want to store the ACL in the world-readable Nix store. - ''; - }; - - aclFile = mkOption { - type = with types; nullOr str; - default = if (config.mergedConfig.useacl && config.acl == null) then "/var/lib/dokuwiki/${name}/acl.auth.php" else null; - description = lib.mdDoc '' - Location of the dokuwiki acl rules. Mutually exclusive with services.dokuwiki.acl - Mutually exclusive with services.dokuwiki.acl which is preferred. - Consult documentation for further instructions. - Example: - ''; - example = "/var/lib/dokuwiki/${name}/acl.auth.php"; - }; - - pluginsConfig = mkOption { - type = with types; oneOf [ lines (attrsOf bool) ]; - default = { - authad = false; - authldap = false; - authmysql = false; - authpgsql = false; - }; - description = lib.mdDoc '' - List of the dokuwiki (un)loaded plugins. - ''; - }; - - usersFile = mkOption { - type = with types; nullOr str; - default = if config.mergedConfig.useacl then "/var/lib/dokuwiki/${name}/users.auth.php" else null; - description = lib.mdDoc '' - Location of the dokuwiki users file. List of users. Format: - - login:passwordhash:Real Name:email:groups,comma,separated - - Create passwordHash easily by using: - - mkpasswd -5 password `pwgen 8 1` - - Example: - ''; - example = "/var/lib/dokuwiki/${name}/users.auth.php"; - }; - - plugins = mkOption { - type = types.listOf types.path; - default = [ ]; - description = lib.mdDoc '' - List of path(s) to respective plugin(s) which are copied from the 'plugin' directory. - - ::: {.note} - These plugins need to be packaged before use, see example. - ::: - ''; - example = literalExpression '' - let - plugin-icalevents = pkgs.stdenv.mkDerivation rec { - name = "icalevents"; - version = "2017-06-16"; - src = pkgs.fetchzip { - stripRoot = false; - url = "https://github.com/real-or-random/dokuwiki-plugin-icalevents/releases/download/''${version}/dokuwiki-plugin-icalevents-''${version}.zip"; - hash = "sha256-IPs4+qgEfe8AAWevbcCM9PnyI0uoyamtWeg4rEb+9Wc="; - }; - installPhase = "mkdir -p $out; cp -R * $out/"; - }; - # And then pass this theme to the plugin list like this: - in [ plugin-icalevents ] - ''; - }; - - templates = mkOption { - type = types.listOf types.path; - default = [ ]; - description = lib.mdDoc '' - List of path(s) to respective template(s) which are copied from the 'tpl' directory. - - ::: {.note} - These templates need to be packaged before use, see example. - ::: - ''; - example = literalExpression '' - let - template-bootstrap3 = pkgs.stdenv.mkDerivation rec { - name = "bootstrap3"; - version = "2022-07-27"; - src = pkgs.fetchFromGitHub { - owner = "giterlizzi"; - repo = "dokuwiki-template-bootstrap3"; - rev = "v''${version}"; - hash = "sha256-B3Yd4lxdwqfCnfmZdp+i/Mzwn/aEuZ0ovagDxuR6lxo="; - }; - installPhase = "mkdir -p $out; cp -R * $out/"; - }; - # And then pass this theme to the template list like this: - in [ template-bootstrap3 ] - ''; - }; - - poolConfig = mkOption { - type = with types; attrsOf (oneOf [ str int bool ]); - default = { - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 4; - "pm.max_requests" = 500; - }; - description = lib.mdDoc '' - Options for the DokuWiki PHP pool. See the documentation on `php-fpm.conf` - for details on configuration directives. - ''; - }; - - phpPackage = mkOption { - type = types.package; - relatedPackages = [ "php80" "php81" ]; - default = pkgs.php81; - defaultText = "pkgs.php81"; - description = lib.mdDoc '' - PHP package to use for this dokuwiki site. - ''; - }; - - phpOptions = mkOption { - type = types.attrsOf types.str; - default = { }; - description = lib.mdDoc '' - Options for PHP's php.ini file for this dokuwiki site. - ''; - example = literalExpression '' - { - "opcache.interned_strings_buffer" = "8"; - "opcache.max_accelerated_files" = "10000"; - "opcache.memory_consumption" = "128"; - "opcache.revalidate_freq" = "15"; - "opcache.fast_shutdown" = "1"; - } - ''; - }; - - settings = mkOption { - type = types.attrsOf types.anything; - default = { - useacl = true; - superuser = "admin"; - }; - description = lib.mdDoc '' - Structural DokuWiki configuration. - Refer to - for details and supported values. - Settings can either be directly set from nix, - loaded from a file using `._file` or obtained from any - PHP function calls using `._raw`. - ''; - example = literalExpression '' - { - title = "My Wiki"; - userewrite = 1; - disableactions = [ "register" ]; # Will be concatenated with commas - plugin.smtp = { - smtp_pass._file = "/var/run/secrets/dokuwiki/smtp_pass"; - smtp_user._raw = "getenv('DOKUWIKI_SMTP_USER')"; - }; - } - ''; - }; - - mergedConfig = mkOption { - readOnly = true; - default = mergeConfig config; - defaultText = literalExpression '' - { - useacl = true; - } - ''; - description = lib.mdDoc '' - Read only representation of the final configuration. - ''; - }; - - extraConfig = mkOption { - # This Option is deprecated and only kept until sometime before 23.05 for compatibility reasons - # FIXME (@e1mo): Actually remember removing this before 23.05. - visible = false; - type = types.nullOr types.lines; - default = null; - example = '' - $conf['title'] = 'My Wiki'; - $conf['userewrite'] = 1; - ''; - description = lib.mdDoc '' - DokuWiki configuration. Refer to - - for details on supported values. - - **Note**: Please pass Structured settings via - `services.dokuwiki.sites.${name}.settings` instead. - ''; - }; - - # Required for the mkRenamedOptionModule - # TODO: Remove me once https://github.com/NixOS/nixpkgs/issues/96006 is fixed - # or the aclUse, ... options are removed. - warnings = mkOption { - type = types.listOf types.unspecified; - default = [ ]; - visible = false; - internal = true; - }; - - }; - }; -in -{ - options = { - services.dokuwiki = { - - sites = mkOption { - type = types.attrsOf (types.submodule siteOpts); - default = { }; - description = lib.mdDoc "Specification of one or more DokuWiki sites to serve"; - }; - - webserver = mkOption { - type = types.enum [ "nginx" "caddy" ]; - default = "nginx"; - description = lib.mdDoc '' - Whether to use nginx or caddy for virtual host management. - - Further nginx configuration can be done by adapting `services.nginx.virtualHosts.`. - See [](#opt-services.nginx.virtualHosts) for further information. - - Further caddy configuration can be done by adapting `services.caddy.virtualHosts.`. - See [](#opt-services.caddy.virtualHosts) for further information. - ''; - }; - - }; - }; - - # implementation - config = mkIf (eachSite != { }) (mkMerge [{ - - warnings = flatten (mapAttrsToList (_: cfg: cfg.warnings) eachSite); - - assertions = flatten (mapAttrsToList - (hostName: cfg: - [{ - assertion = cfg.mergedConfig.useacl -> (cfg.acl != null || cfg.aclFile != null); - message = "Either services.dokuwiki.sites.${hostName}.acl or services.dokuwiki.sites.${hostName}.aclFile is mandatory if settings.useacl is true"; - } - { - assertion = cfg.usersFile != null -> cfg.mergedConfig.useacl != false; - message = "services.dokuwiki.sites.${hostName}.settings.useacl must must be true if usersFile is not null"; - }]) - eachSite); - - services.phpfpm.pools = mapAttrs' - (hostName: cfg: ( - nameValuePair "dokuwiki-${hostName}" { - inherit user; - group = webserver.group; - - phpPackage = mkPhpPackage cfg; - phpEnv = optionalAttrs (cfg.usersFile != null) - { - DOKUWIKI_USERS_AUTH_CONFIG = "${cfg.usersFile}"; - } // optionalAttrs (cfg.mergedConfig.useacl) { - DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig hostName cfg}" else "${toString cfg.aclFile}"; - }; - - settings = { - "listen.owner" = webserver.user; - "listen.group" = webserver.group; - } // cfg.poolConfig; - } - )) - eachSite; - - } - - { - systemd.tmpfiles.rules = flatten (mapAttrsToList - (hostName: cfg: [ - "d ${cfg.stateDir}/attic 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/cache 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/index 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/locks 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/log 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/media 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/media_attic 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/media_meta 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/meta 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/pages 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/tmp 0750 ${user} ${webserver.group} - -" - ] ++ lib.optional (cfg.aclFile != null) "C ${cfg.aclFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/acl.auth.php.dist" - ++ lib.optional (cfg.usersFile != null) "C ${cfg.usersFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/users.auth.php.dist" - ) - eachSite); - - users.users.${user} = { - group = webserver.group; - isSystemUser = true; - }; - } - - (mkIf (cfg.webserver == "nginx") { - services.nginx = { - enable = true; - virtualHosts = mapAttrs - (hostName: cfg: { - serverName = mkDefault hostName; - root = "${pkg hostName cfg}/share/dokuwiki"; - - locations = { - "~ /(conf/|bin/|inc/|install.php)" = { - extraConfig = "deny all;"; - }; - - "~ ^/data/" = { - root = "${cfg.stateDir}"; - extraConfig = "internal;"; - }; - - "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = { - extraConfig = "expires 365d;"; - }; - - "/" = { - priority = 1; - index = "doku.php"; - extraConfig = ''try_files $uri $uri/ @dokuwiki;''; - }; - - "@dokuwiki" = { - extraConfig = '' - # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page - rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; - rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; - rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; - rewrite ^/(.*) /doku.php?id=$1&$args last; - ''; - }; - - "~ \\.php$" = { - extraConfig = '' - try_files $uri $uri/ /doku.php; - include ${config.services.nginx.package}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param REDIRECT_STATUS 200; - fastcgi_pass unix:${config.services.phpfpm.pools."dokuwiki-${hostName}".socket}; - ''; - }; - - }; - }) - eachSite; - }; - }) - - (mkIf (cfg.webserver == "caddy") { - services.caddy = { - enable = true; - virtualHosts = mapAttrs' - (hostName: cfg: ( - nameValuePair "http://${hostName}" { - extraConfig = '' - root * ${pkg hostName cfg}/share/dokuwiki - file_server - - encode zstd gzip - php_fastcgi unix/${config.services.phpfpm.pools."dokuwiki-${hostName}".socket} - - @restrict_files { - path /data/* /conf/* /bin/* /inc/* /vendor/* /install.php - } - - respond @restrict_files 404 - - @allow_media { - path_regexp path ^/_media/(.*)$ - } - rewrite @allow_media /lib/exe/fetch.php?media=/{http.regexp.path.1} - - @allow_detail { - path /_detail* - } - rewrite @allow_detail /lib/exe/detail.php?media={path} - - @allow_export { - path /_export* - path_regexp export /([^/]+)/(.*) - } - rewrite @allow_export /doku.php?do=export_{http.regexp.export.1}&id={http.regexp.export.2} - - try_files {path} {path}/ /doku.php?id={path}&{query} - ''; - } - )) - eachSite; - }; - })]); - - meta.maintainers = with maintainers; [ - _1000101 - onny - dandellion - ]; -}