Compare commits
13 commits
Author | SHA1 | Date | |
---|---|---|---|
|
dcddd19fb4 | ||
|
28c3ad2429 | ||
|
3b1338043c | ||
|
2e09ceabf7 | ||
|
173cdedb7c | ||
|
deda24e3ae | ||
|
aa328045a7 | ||
|
6f52987d5f | ||
|
4d5ea04099 | ||
|
22996eddff | ||
|
4df131d59b | ||
|
cce562ac9a | ||
|
7fefcc0d54 |
91 changed files with 528 additions and 1980 deletions
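--- a/.envrc
+++ b/.envrc
@@ -1 +0,0 @@
-use nix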
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -1,2 +1 @@
|
|||
result
|
||||
.direnv
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
Maurice écoute les conventions de Ryan
|
|
@ -5,8 +5,7 @@
|
|||
Refer to wiki for details.
|
||||
|
||||
- `core-services-01`
|
||||
- `public-cof`
|
||||
- `remote-builder-01`: **discontinued**.
|
||||
- `remote-builder-01`
|
||||
|
||||
## How to deploy a machine?
|
||||
|
||||
|
|
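--- a/hive.nix
+++ b/hive.nix
@@ -1,62 +0,0 @@
-let
-sources = import ./npins;
-metadata = import ./meta;
-
-lib = import (sources.nix-lib + "/src/trivial.nix");
-
-mkNode = node: { name, nodes, ... }: {
-# Import the base configuration for each node
-imports = builtins.map (lib.mkRel ./machines/${node}) [
-"_configuration.nix"
-"_hardware-configuration.nix"
-];
-
-# Include default secrets
-# dgn-secrets.sources = [ ./machines/${node}/secrets ];
-
-# Deployment config is specified in meta.nodes.${node}.deployment
-inherit (metadata.nodes.${node}) deployment;
-
-# Set NIX_PATH to the patched version of nixpkgs
-nix.nixPath = [ "nixpkgs=${mkNixpkgs node}" ];
-
-# Use the stateVersion declared in the metadata
-system.stateVersion = metadata.nodes.${node}.stateVersion;
-};
-
-mkNixpkgs = node:
-let version = "nixos-${metadata.nodes.${node}.nixpkgs}"; in
-(import sources.${version} { }).applyPatches {
-name = "${version}-patched";
-src = sources.${version};
-patches = (import ./nix-patches).${version} or [ ];
-};
-
-mkNixpkgs' = node: import (mkNixpkgs node) { };
-
-mkArgs = node:
-let lib' = (mkNixpkgs' node).lib;
-in {
-lib = import sources.nix-lib {
-lib = lib';
-keysRoot = ./keys;
-};
-};
-
-nodes = builtins.attrNames metadata.nodes;
-in
-
-{
-meta = {
-nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes;
-
-specialArgs = { inherit sources; meta = metadata; };
-
-nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
-};
-
-defaults = { ... }: {
-# Import the default modules
-imports = [ ./modules ];
-};
-} // (lib.mapSingleFuse mkNode nodes)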
|
@ -1 +0,0 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv3iSpIjeUVDf+f89Hb/L++vzMX15Ti/PZTjAAG+tFl
|
|
@ -1 +0,0 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o
|
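--- a/krops.nix
+++ b/krops.nix
@@ -0,0 +1,35 @@
+let
+krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; };
+lib = import "${krops}/lib";
+pkgs = import "${krops}/pkgs" { };
+source = machine:
+lib.evalSource [{
+config.file = toString ./machines;
+nixos-config.symlink = "config/${machine}/configuration.nix";
+nixpkgs.git = {
+clean.exclude = [ "/.version-suffix" ];
+ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable
+url = "https://github.com/NixOS/nixpkgs";
+};
+}];
+mkTestConfig = hostname: {
+name = "test-${hostname}";
+value = pkgs.krops.writeTest "test-${hostname}" {
+source = source hostname;
+target = lib.mkTarget {
+host = "localhost";
+path = "/tmp/src";
+};
+force = true; # force create the sentinel file.
+};
+};
+mkTestsConfig = hostnames: builtins.listToAttrs (map mkTestConfig hostnames);
+mkDeploy = hostname: target: { ${hostname} = pkgs.krops.writeDeploy "deploy-${hostname}" {
+source = source hostname;
+inherit target;
+}; };
+in {}
+// mkDeploy "core-services-01" "root@10.1.1.20"
+// mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf"
+// mkDeploy "public-cof" "root@beta.rz.ens.wtf"
+// mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ]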
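Review bot: `krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; };` on the second line of the new file has no `rev`, so the tool that deploys these machines as root is whatever the remote's default branch points to at evaluation time and can change silently between runs, whereas nixpkgs a few lines below is pinned to a commit. Pin it the same way, `krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; rev = "<pinned-commit-placeholder>"; };`, and bump the commit deliberately. The test target also writes to `path = "/tmp/src";`, a shared world-writable location; consider a directory owned by the invoking user instead.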
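--- a/machines/core-services-01/configuration.nix
+++ b/machines/core-services-01/configuration.nix
@@ -0,0 +1,97 @@
+{ config, pkgs, lib, ... }:
+
+{
+imports =
+[ # Include the results of the hardware scan.
+./hardware-configuration.nix
+./nur.nix
+./rz.nix
+./monitoring.nix
+./programs.nix
+./system.nix
+./acme-ssl.nix
+./dns.nix
+./netboot-server.nix
+./qemu.nix
+./gitea.nix
+./dokuwiki.nix
+./nginx.nix
+./keycloak.nix
+./acme-dns.nix
+./backups.nix
+./headscale.nix
+# ./dex.nix
+./oauth2_proxy.nix
+./secrets
+./matterbridge.nix
+# TODO push to gitea
+# TODO ./gotify.nix
+# TODO(Raito): ./backups.nix
+# TODO(Raito): ./snmp.nix
+# TODO(Raito): ./sflow.nix?
+];
+
+# Use the systemd-boot EFI boot loader.
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+
+boot.initrd.supportedFilesystems = [ "zfs" ];
+boot.supportedFilesystems = [ "zfs" ];
+
+networking.hostName = "core-services-01";
+networking.hostId = "64838310";
+
+time.timeZone = "Europe/Paris";
+
+# The global useDHCP flag is deprecated, therefore explicitly set to false here.
+# Per-interface useDHCP will be mandatory in the future, so this generated config
+# replicates the default behaviour.
+networking.useDHCP = false;
+# Adieu, hackENS — networking.interfaces.ens18.useDHCP = true;
+networking.interfaces.ens19.useDHCP = true;
+
+# Configure network proxy if necessary
+# networking.proxy.default = "http://user:password@proxy:port/";
+# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+# Select internationalisation properties.
+i18n.defaultLocale = "en_US.UTF-8";
+console = {
+font = "Lat2-Terminus16";
+keyMap = "us";
+};
+
+# Some programs need SUID wrappers, can be configured further or are
+# started in user sessions.
+programs.mtr.enable = true;
+programs.gnupg.agent = {
+enable = true;
+enableSSHSupport = true;
+};
+
+# List services that you want to enable:
+
+services.zfs.autoScrub.enable = true;
+
+# Enable the OpenSSH daemon.
+services.openssh.enable = true;
+users.users.root.openssh.authorizedKeys.keyFiles = [
+./pubkeys/gdd.keys
+./pubkeys/raito.keys
+./pubkeys/mrf.keys
+];
+
+# Open ports in the firewall.
+# networking.firewall.allowedTCPPorts = [ ... ];
+# networking.firewall.allowedUDPPorts = [ ... ];
+# Or disable the firewall altogether.
+networking.firewall.enable = false;
+
+# This value determines the NixOS release from which the default
+# settings for stateful data, like file locations and database versions
+# on your system were taken. It‘s perfectly fine and recommended to leave
+# this value at the release version of the first install of this system.
+# Before changing this value read the documentation for this option
+# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+system.stateVersion = "20.09"; # Did you read the comment?
+}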
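Review bot: `networking.firewall.enable = false;` near the end of the new file switches the host firewall off on the machine that also imports gitea, keycloak, dokuwiki, monitoring and matterbridge, so every listening socket those modules open is reachable on every interface rather than only through nginx. It also makes the `networking.firewall.allowedUDPPorts = [ 51820 ];` line that monitoring.nix carries in this same compare a no-op. Keep the firewall on and open only what is meant to be public, e.g. `networking.firewall.enable = true;` and `networking.firewall.allowedTCPPorts = [ 80 443 ];` next to the existing UDP entry, then add further ports per service with a comment naming the consumer. Since root is reachable with key files only, also state the sshd policy explicitly rather than relying on release defaults (`services.openssh.settings.PasswordAuthentication = false;` on current NixOS, `services.openssh.passwordAuthentication = false;` on older releases).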
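--- a/machines/core-services-01/dokuwiki.nix
+++ b/machines/core-services-01/dokuwiki.nix
@@ -0,0 +1,28 @@
+{ config, ... }:
+
+let
+my = config.my;
+in
+{
+services.dokuwiki.sites."wiki.${my.subZone}" = {
+enable = true;
+acl = ''
+* @ALL 1
+* @admin 16
+'';
+};
+
+/*
+services.nginx = {
+enable = true;
+
+virtualHosts."wiki.${my.subZone}" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "htttp://127.0.0.1:${toString port}";
+};
+};
+};
+*/
+}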
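Review bot: The commented-out `services.nginx` block at the bottom of the new file cannot be re-enabled as written: `proxyPass = "htttp://127.0.0.1:${toString port}";` misspells the scheme and `port` is bound nowhere in this file. Either delete the dead block or fix it now, `proxyPass = "http://127.0.0.1:${toString port}";` with a `port` binding in the `let`, so it is not resurrected broken later. The ACL grants `@ALL` level 1 (read) and `@admin` level 16 (admin) on the whole namespace for a site that appears to be published under a public hostname; add a one-line comment above `acl` stating that anonymous read access is intended.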
51
machines/core-services-01/fix-crc-computation.patch
Normal file
51
machines/core-services-01/fix-crc-computation.patch
Normal file
|
@ -0,0 +1,51 @@
|
|||
From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Adler <madler@alumni.caltech.edu>
|
||||
Date: Wed, 30 Mar 2022 11:14:53 -0700
|
||||
Subject: [PATCH] Correct incorrect inputs provided to the CRC functions.
|
||||
|
||||
The previous releases of zlib were not sensitive to incorrect CRC
|
||||
inputs with bits set above the low 32. This commit restores that
|
||||
behavior, so that applications with such bugs will continue to
|
||||
operate as before.
|
||||
---
|
||||
crc32.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/crc32.c b/crc32.c
|
||||
index a1bdce5c2..451887bc7 100644
|
||||
--- a/crc32.c
|
||||
+++ b/crc32.c
|
||||
@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
|
||||
#endif /* DYNAMIC_CRC_TABLE */
|
||||
|
||||
/* Pre-condition the CRC */
|
||||
- crc ^= 0xffffffff;
|
||||
+ crc = (~crc) & 0xffffffff;
|
||||
|
||||
/* Compute the CRC up to a word boundary. */
|
||||
while (len && ((z_size_t)buf & 7) != 0) {
|
||||
@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
|
||||
#endif /* DYNAMIC_CRC_TABLE */
|
||||
|
||||
/* Pre-condition the CRC */
|
||||
- crc ^= 0xffffffff;
|
||||
+ crc = (~crc) & 0xffffffff;
|
||||
|
||||
#ifdef W
|
||||
|
||||
@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2)
|
||||
#ifdef DYNAMIC_CRC_TABLE
|
||||
once(&made, make_crc_table);
|
||||
#endif /* DYNAMIC_CRC_TABLE */
|
||||
- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2;
|
||||
+ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff);
|
||||
}
|
||||
|
||||
/* ========================================================================= */
|
||||
@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op)
|
||||
uLong crc2;
|
||||
uLong op;
|
||||
{
|
||||
- return multmodp(op, crc1) ^ crc2;
|
||||
+ return multmodp(op, crc1) ^ (crc2 & 0xffffffff);
|
||||
}
|
|
@ -13,11 +13,8 @@ in
|
|||
httpAddress = "127.0.0.1";
|
||||
httpPort = port;
|
||||
database.type = "postgres";
|
||||
disableRegistration = false;
|
||||
settings = {
|
||||
service.DISABLE_REGISTRATION = false;
|
||||
log = {
|
||||
level = "Warn";
|
||||
};
|
||||
openid = {
|
||||
ENABLE_OPENID_SIGNUP = true;
|
||||
};
|
||||
|
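Review bot: Both spellings of the registration switch in this hunk, `disableRegistration = false;` and `service.DISABLE_REGISTRATION = false;`, leave self-registration open, and `ENABLE_OPENID_SIGNUP = true;` adds OpenID signup on top; the rendered page does not show which form survives, but the effective policy is the same either way. If accounts are meant to come from the Keycloak realm, set `service.DISABLE_REGISTRATION = true;` (or the legacy `disableRegistration = true;`) and check separately whether OIDC auto-registration still needs to be allowed; otherwise add a comment saying open registration is deliberate. The enclosing `services.gitea` attribute set starts before this hunk.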
|
|
@ -32,13 +32,6 @@ in
|
|||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString port}";
|
||||
|
||||
extraConfig = ''
|
||||
# For large authentication-authorization headers
|
||||
proxy_buffer_size 128k;
|
||||
proxy_buffers 4 256k;
|
||||
proxy_busy_buffers_size 256k;
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -28,7 +28,7 @@ let
|
|||
startScript = pkgs.writeShellScriptBin "start" ''
|
||||
${manageSecrets
|
||||
./matterbridge.toml "$CREDENTIALS_DIRECTORY/secrets" "$RUNTIME_DIRECTORY/conf.toml"
|
||||
[ "SECRET_MATTERMOST_KLUBRZ_WEBHOOK" "SECRET_MATTERMOST_DGNUM_WEBHOOK" ]}/bin/preStart
|
||||
[ "SECRET_MATTERMOST_WEBHOOK" ]}/bin/preStart
|
||||
${pkgs.matterbridge}/bin/matterbridge -conf $RUNTIME_DIRECTORY/conf.toml
|
||||
'';
|
||||
in {
|
||||
|
|
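Review bot: `${pkgs.matterbridge}/bin/matterbridge -conf $RUNTIME_DIRECTORY/conf.toml` leaves the path unquoted while the `manageSecrets` call just above quotes the same variables; quote it for consistency, `-conf "$RUNTIME_DIRECTORY/conf.toml"`. The `startScript` binding and the surrounding `let` continue outside the hunk.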
|
@ -7,16 +7,11 @@
|
|||
PrefixMessagesWithNick=true
|
||||
RemoteNickFormat="<{NICK}> "
|
||||
[mattermost]
|
||||
[mattermost.merle_klubrz]
|
||||
WebhookURL="SECRET_MATTERMOST_KLUBRZ_WEBHOOK"
|
||||
[mattermost.merle]
|
||||
WebhookURL="SECRET_MATTERMOST_WEBHOOK"
|
||||
WebhookBindAddress="0.0.0.0:52187"
|
||||
PrefixMessagesWithNick=false
|
||||
RemoteNickFormat="{NICK}"
|
||||
[mattermost.merle_dgnum]
|
||||
WebhookURL="SECRET_MATTERMOST_DGNUM_WEBHOOK"
|
||||
WebhookBindAddress="0.0.0.0:52188"
|
||||
PrefixMessagesWithNick=false
|
||||
RemoteNickFormat="{NICK}"
|
||||
[[gateway]]
|
||||
name="réseau"
|
||||
enable=true
|
||||
|
@ -24,15 +19,5 @@ enable=true
|
|||
account="irc.ulminfo"
|
||||
channel="#réseau"
|
||||
[[gateway.inout]]
|
||||
account="mattermost.merle_klubrz"
|
||||
channel="town-square"
|
||||
|
||||
[[gateway]]
|
||||
name="dgnum"
|
||||
enable=true
|
||||
[[gateway.inout]]
|
||||
account="irc.ulminfo"
|
||||
channel="#dgnum"
|
||||
[[gateway.inout]]
|
||||
account="mattermost.merle_dgnum"
|
||||
account="mattermost.merle"
|
||||
channel="town-square"
|
||||
|
|
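Review bot: Each `WebhookBindAddress="0.0.0.0:5218x"` in the first hunk binds the Mattermost webhook listener on all interfaces, and configuration.nix in this same compare sets `networking.firewall.enable = false;`, so whichever `[mattermost.*]` sections survive expose their listener directly rather than behind the reverse proxy; the rendered page does not show which side each section is on. Unless Mattermost must reach this port directly, bind to loopback and let nginx front it, e.g. `WebhookBindAddress="127.0.0.1:52187"`, or keep the host firewall enabled and open only the intended port.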
|
@ -34,21 +34,7 @@ let
|
|||
};
|
||||
in
|
||||
{
|
||||
services.netdata = {
|
||||
enable = true;
|
||||
#package = pkgs.netdata.overrideAttrs (old: {
|
||||
# version = "1.36.0-185-nightly";
|
||||
# src = pkgs.fetchFromGitHub {
|
||||
# owner = "netdata";
|
||||
# repo = "netdata";
|
||||
# rev = "284d5450ec938b667db9985aca6d3cd02b96487f";
|
||||
# sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc=";
|
||||
# fetchSubmodules = true;
|
||||
# };
|
||||
#});
|
||||
};
|
||||
|
||||
systemd.services.netdata.environment."NETDATA_DISABLE_CLOUD" = "1";
|
||||
services.netdata.enable = true;
|
||||
|
||||
# Allow WireGuard VPN
|
||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||
|
@ -73,23 +59,20 @@ in
|
|||
];
|
||||
};
|
||||
|
||||
systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [
|
||||
"netdata"
|
||||
"stream"
|
||||
"health_alarm_notify"
|
||||
];
|
||||
|
||||
environment.etc."netdata/netdata.conf" = lib.mkForce {
|
||||
user = "netdata";
|
||||
group = "netdata";
|
||||
mode = "0600";
|
||||
text = ''
|
||||
[db]
|
||||
mode = dbengine
|
||||
storage tiers = 3
|
||||
update every = 1
|
||||
dbengine multihost disk space MB = 23000
|
||||
dbengine page cache size MB = 384
|
||||
dbengine tier 1 update every iterations = 60
|
||||
dbengine tier 1 multihost disk space MB = 10000
|
||||
dbengine tier 1 page cache size MB = 384
|
||||
dbengine tier 2 update every iterations = 3600
|
||||
dbengine tier 2 multihost disk space MB = 5000
|
||||
dbengine tier 2 page cache size MB = 384
|
||||
[global]
|
||||
page cache size = 32
|
||||
dbengine multihost disk space = 23058
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -118,7 +101,7 @@ in
|
|||
mode = "0600";
|
||||
text = ''
|
||||
# External tools
|
||||
nc="${pkgs.nmap}/bin/nc --ssl"
|
||||
nc="${pkgs.netcat}/bin/nc"
|
||||
|
||||
# IRC configuration
|
||||
SEND_IRC="YES"
|
||||
|
@ -132,25 +115,18 @@ in
|
|||
services.oauth2_proxy = {
|
||||
enable = true;
|
||||
keyFile = config.age.secrets.oauth2ProxyKeyFile.path;
|
||||
provider = "keycloak-oidc";
|
||||
provider = "keycloak";
|
||||
email.domains = [ "*" ];
|
||||
cookie = {
|
||||
name = "_oauth2_proxy_ensrz";
|
||||
domain = ".rz.ens.wtf";
|
||||
};
|
||||
setXauthrequest = true;
|
||||
scope = "openid";
|
||||
scope = "profile";
|
||||
loginURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/auth";
|
||||
redeemURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/token";
|
||||
profileURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo";
|
||||
validateURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo";
|
||||
redirectURL = "https://monitoring.${my.subZone}/oauth2/callback";
|
||||
reverseProxy = true;
|
||||
passHostHeader = true;
|
||||
|
||||
extraConfig = {
|
||||
whitelist-domain = [ ".rz.ens.wtf" ];
|
||||
oidc-issuer-url = "https://auth.${my.subZone}/auth/realms/${realm}";
|
||||
# insecure-oidc-allow-unverified-email = true;
|
||||
show-debug-on-error = true;
|
||||
};
|
||||
|
||||
nginx = {
|
||||
virtualHosts = [ "monitoring.${my.subZone}" ];
|
||||
};
|
||||
|
@ -163,15 +139,7 @@ in
|
|||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:19999";
|
||||
extraConfig = ''
|
||||
# For large authentication-authorization headers
|
||||
proxy_buffer_size 128k;
|
||||
proxy_buffers 4 256k;
|
||||
proxy_busy_buffers_size 256k;
|
||||
'';
|
||||
};
|
||||
locations."/".proxyPass = "http://localhost:19999";
|
||||
};
|
||||
};
|
||||
|
||||
|
|
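Review bot: In the `services.oauth2_proxy` hunk, `email.domains = [ "*" ];` authorizes every account the Keycloak realm will authenticate, and `show-debug-on-error = true;` returns internal error details to browsers on `monitoring.${my.subZone}`; the rendered page does not show which of the two provider variants survives, but if that line stays, set `show-debug-on-error = false;` (or drop it) and add a comment that realm membership is the only authorization check. In the `health_alarm_notify` hunk only one of `nc="${pkgs.nmap}/bin/nc --ssl"` and `nc="${pkgs.netcat}/bin/nc"` remains; prefer the `--ssl` variant so alert notifications, which name hosts and alarms, are not sent to the IRC server in plaintext. The `environment.etc` entries and the `in` scope they sit in begin before these hunks.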
|
@ -99,4 +99,24 @@ in
|
|||
example = [ "10.1.0.0/22" ];
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
# Default IPv4 exit route
|
||||
networking.defaultGateway = {
|
||||
address = "";
|
||||
interface = "ens18";
|
||||
};
|
||||
|
||||
networking.interfaces.ens20 = {
|
||||
ipv4.addresses = map mkAddress cfg.ipv4InternalFull;
|
||||
};
|
||||
|
||||
networking.interfaces.ens19 = {
|
||||
ipv6.addresses = map mkAddress (cfg.ipv6.standardFull ++ [ cfg.ipv6.acmeFull ]);
|
||||
};
|
||||
|
||||
networking.interfaces.ens18 = {
|
||||
ipv4.addresses = map mkAddress cfg.ipv4Full;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
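Review bot: `networking.defaultGateway = { address = ""; interface = "ens18"; };` in the added `config` block sets an empty gateway address; the option expects an IPv4 address, so this looks like a placeholder that will either fail evaluation or install a meaningless route depending on the NixOS release in use. Fill in the real next hop, `address = "<gateway-ipv4-placeholder>";`, or derive it from the module's own options next to `cfg.ipv4Full`, and add a comment naming the upstream router. The `options` declaration that this `config` block pairs with starts before the hunk.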
|
@ -13,8 +13,8 @@ let
|
|||
# Enable sshd wich gets disabled by netboot-minimal.nix
|
||||
systemd.services.sshd.wantedBy = mkOverride 0 [ "multi-user.target" ];
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = [
|
||||
../pubkeys/gdd.keys
|
||||
../pubkeys/raito.keys
|
||||
./pubkeys/gdd.keys
|
||||
./pubkeys/raito.keys
|
||||
];
|
||||
programs.mosh.enable = true;
|
||||
|
||||
|
|
|
@ -1,43 +0,0 @@
|
|||
{ config, ... }:
|
||||
|
||||
let
|
||||
inherit (config) my;
|
||||
in
|
||||
|
||||
{
|
||||
networking.useNetworkd = true;
|
||||
|
||||
systemd.network.networks = {
|
||||
"10-ens18" = {
|
||||
name = "ens18";
|
||||
address = my.ipv4Full;
|
||||
DHCP = "ipv4";
|
||||
};
|
||||
|
||||
"10-ens19" = {
|
||||
name = "ens19";
|
||||
address = with my.ipv6; standardFull ++ [ acmeFull ];
|
||||
|
||||
networkConfig.IPv6AcceptRA = true;
|
||||
|
||||
ipv6AcceptRAConfig = {
|
||||
UseOnLinkPrefix = false;
|
||||
UseAutonomousPrefix = false;
|
||||
};
|
||||
};
|
||||
|
||||
"10-ens20" = {
|
||||
name = "ens20";
|
||||
address = my.ipv4InternalFull;
|
||||
DHCP = "ipv4";
|
||||
dhcpV4Config.RouteMetric = 2048;
|
||||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Destination = "10.0.0.0/8";
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
|
@ -5,6 +5,4 @@
|
|||
age.secrets.droneKeyFile.file = ./droneKeyFile.age;
|
||||
age.secrets.dexGiteaClientSecret.file = ./dexGiteaClientSecret.age;
|
||||
age.secrets.matterbridge.file = ./matterbridge.age;
|
||||
age.secrets.snipeItAppKey.file = ./snipeItAppKey.age;
|
||||
age.secrets.snipeItOidcClientSecret.file = ./snipeItOidcClientSecret.age;
|
||||
}
|
||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -1,30 +1,26 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 lHr4YQ S/Kuy8PdLoLLRDvlDDyuDaGXGb0RMBJKo9XyHK2I0Bg
|
||||
VFjemRE9hOc/fEol+2OAjM6d/5QLPeeo0ytdgcwa8Zs
|
||||
-> ssh-ed25519 h6AgbA ParmcGdbVHdvihrEuV+nLBLDnTwKR+zoxc/O0LdrUhA
|
||||
L1kL6sr4ak1DTTaui9k6tpPJ1p86bKAoOcPwCJu7vr0
|
||||
-> ssh-ed25519 Wu8JLQ hTPuIn+IogmX6U16p3EQ/9C/L+X7dZaQaBrEAdq4twM
|
||||
QhnuGbpuqpFFujNlXSDUDMEGHK875Sr5hHX/q2ShkhU
|
||||
-> ssh-ed25519 cvTB5g P8av9KTsR9ccIRPz0TABQF3EfeO+cyn+Od+shxeatEk
|
||||
GnExLTBOicvRs7neFPL/GLxE6hqpdqNV8P4nWRbMjKU
|
||||
-> ssh-ed25519 /vwQcQ WE0fxso39H7ZyYwJ8eNnmrLgf0xL5AdpHZ1mrvbiPyQ
|
||||
y4GjFZuYtiGg6cY8ZTOKHbYjjFJoFI5W4IF7np/OB/8
|
||||
-> ssh-ed25519 reTIKw LxM4ihcAb5u6rKqtrOUZ7/4XXoMVbf/HHhby/i9Xbn4
|
||||
O8KkO/99T2lBttsADSTJE/18ljFrUjrJWhK7peehei8
|
||||
-> ssh-ed25519 85WiGg +GtCSdOR7TTwu+zTvwOoRhOE0iLwB7JuFaZkP8cP+Fk
|
||||
0GCjcBgOPeynvAUDmEioWPJMhZWGchKKukGGXHCBEUU
|
||||
-> ssh-rsa krWCLQ
|
||||
2Ak0HJ0WoUuCQkjBPjRgrFQmHSBP7Lzhwp8JZ22lSDLO4OzGLuyGnmI6f+x3mhSM
|
||||
UP4X4fz98ygYaPTKHzgs+ALgoe0ZOzIRcrBYKyAmI92iuVk8QJrGBaFsi2e/quur
|
||||
oRaQybPXCqbGeaFhLY74RHmtbby5zzbQnw8f5DRKn3oFDYgCUMOKdTPI3vsUDd6t
|
||||
dLmFCWEhGFMwI9bve7bVeu2yKMWpOIIsVgkabSy9EQ0gEUwoXkrGNpc+QqqR2qbJ
|
||||
qaLok3zO+giVKrzl6+/Z/tzHQ66mUTIZAD7HmRFMqBRBqo2heCtviGyu7NPXhb/T
|
||||
vTVzgL7fsrkaYd59O7BCSg
|
||||
-> ssh-ed25519 85WiGg UgubbGKRmcFV5N/Vyo/HEBtGG0GOvZS5dSDnYoWzeSk
|
||||
N2CZ/ZJJLRTdwBDCVNrXGp8ic0T7ZHx+DfPcXLeEvXQ
|
||||
-> ssh-ed25519 reTIKw zl6eZh6NG2Y21AElt+Ag7gzDmtzXP0h1RjhVzaiHUg0
|
||||
PJU/i8Za/JwrCLXcH0vtG8CDxv3MDHCzEYiNIhperC4
|
||||
-> ssh-ed25519 /vwQcQ RS4rv5dnajCSAdcFj96HOcMBHySk5yBrmepNdlOcsWg
|
||||
M+dCeQCP3rl4oT8IrkParBnaaTfUNbWpgvbLou/qSp0
|
||||
-> ssh-ed25519 cvTB5g ZR5ayyiP10Dec6Tg2HYcl5q0dkLSvOgRxeeVxC1Plj8
|
||||
aiY/6wY4rmB75NRzcbFPKu7nTLKZhgqOuqAZm+9UnTs
|
||||
-> ssh-ed25519 Wu8JLQ 4nFItVARcWbkkuyaUcgdesLSOmiomY0Ht2LxXX1/L0A
|
||||
dK2/4X6OFbn4Y3gVK5zKRV3KySiCHzGnGewhZmqETrE
|
||||
-> ssh-ed25519 vXYJfA k1ANIqwNaMjipiCobpBWMlhbCyudoy7vpuajDK7mLiQ
|
||||
uudD1Bk1+EWmL3o7VH6YSbv1WRCw6tsDV0HoQ/zwXwg
|
||||
-> ssh-ed25519 h6AgbA EvhvmT6dx3HAqioaFvT5u94cTk8okjhGgzyxXZF8LyE
|
||||
R/xTeW/rJEl50kG8e0n3NOGpX9XI13Ftq7ULYNHVaCM
|
||||
-> ssh-ed25519 lHr4YQ WyG8hEoGZuNvroTdmC8RST7l/Tu7UUXgeG3AfLA0p2o
|
||||
qk7YeUkrOsRbqnYXFXZAkiOaW6rvKnSaZGSiBw30b5E
|
||||
-> V9T>@4JS-grease @h!7BAa9
|
||||
nPtMdfgbktgg20WlJBrQlhTDMI8/i31JEDnZjF4u7RidDSJ5lxzH8zI+411CQ+K5
|
||||
exQ
|
||||
--- YY6c8/qxiWxaK31KW+3QP6240bmnDJZ9EXrG7dnyJcE
|
||||
NÝÖ|JýÎ
|
||||
Z·ù…‹ZŠÔ6ÿÝ#kyHš—ô;ú<>Í ì
|
||||
bSk43qTcHFgrS7AeXTzUbx5FO/1YrLuRlm58lcXpTTKcRMZWKmFbPTVNdIvkT4xt
|
||||
B6HW0OqV/Ks1pbeJUCPRdLwYHYULEC4quRGlgeToXoUQ8zCvcPT6uikpK0Hzne7e
|
||||
WI5MLdS3vvAPljlSSaPN8gb3yiPgA2IPrHjqIsMNkotGFjUQ/oIyJ8YcDsSfGE2T
|
||||
Z8+TOj4ZNxPda2hX7mL2x2dJmmQW5FkOVtSpSyvwpkOqPOi6b5vZaWu/GtXzGEhD
|
||||
SD6SALiqmWkCHb8n588XDqKj8Lj/741R24f8IM8qW9cBz4QClh3Bnrl4gendsUCp
|
||||
PkQPjniidi/aF6sHhfrSNg
|
||||
-> |#4-grease y%'e^I RB nBNinf \dob
|
||||
L2HkuH7S3KtuQN9AWLBL99nJPxVw
|
||||
--- +QOdyAz8FR0RecYvvkzxv2IzJ9yt89/xePALK3l7sjs
|
||||
¥&,ÙN—pJ<70>î~ê
ƅߘ*,؆5:i W}Žÿm"„Q¦-FJm
|
Binary file not shown.
|
@ -1,28 +1,26 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 lHr4YQ f3xLHRyIx6oPATsv5yBq+pWpDkwJ2xt3axevMNjIUgA
|
||||
RK2bLPZ1dwDExqbQ1Mft2Z9xGHpxSTDuTv0AgplnFzw
|
||||
-> ssh-ed25519 h6AgbA fPy5Lv6ZcYB9xDyeHNTueRKTvvC6OyCrkHzF85dmhh8
|
||||
VzMkn6iaC+gwDXkaCzh7ILTdWMBqUYvYmrQPbiB+82k
|
||||
-> ssh-ed25519 Wu8JLQ BSn5p0Wuv8CuiHJ6AdLuBLOst/2/mK1fs+zmgYao6kg
|
||||
m/NfBqLzcyTad8UbiDSMI3EmcHWccpgV/wRKKeSO6bQ
|
||||
-> ssh-ed25519 cvTB5g GP3EP+t8uJFKGAKBwwO7CmXa3JGTFePTANSINPdQuAA
|
||||
DoGUKpuZTQ36hM4B7eqwbfGGKM+pxsYtoL5UjEeVdD0
|
||||
-> ssh-ed25519 /vwQcQ K8J9qbUjPPhuYZ4/2rGZWX4Fb60WZACwmFPGXUT9Yjw
|
||||
N6lTZVDVxTfZTSagaOi4dbVzylljwGWAd06GbeVloRY
|
||||
-> ssh-ed25519 reTIKw +7n56fmzzYOkArtH0Zeh26zHlE/lWz1gqyoCZEMMRDA
|
||||
E6/dLGVaryFfqf+7DmwKghtGmtUUGpMFFwaZc3OvJ/c
|
||||
-> ssh-ed25519 85WiGg aHBishjeSTuv/TYVcZQzALC8DHPbYHf9dj+igMnkkn4
|
||||
HwmPoIqV3Y/34Azf892K9nGJ1hh2KWAh3IzLiGVKeOs
|
||||
-> ssh-rsa krWCLQ
|
||||
U2lxIvw7gRCjMGutUFyq+qGiCIFlbsPdbfzqy7b27d17aSjXds3WwMPUQajHMGXl
|
||||
tmM/gDCOV8aY+EkM8nQIKdSGNZPwWHlqFyBpH7b18xTT+sWLBZnKcQqVzdF5n1yH
|
||||
s6LjbcstDiCy3h20hfOjoi+qvK8AGbWnLueDI4g/BWCLBUmAC6zPX04GFAstzg8e
|
||||
b8wcTCsaeVJkEVvI9caJsFpoxKttbjWUOb2jOzquyi1vIc50vWBNLlulzf0Cd523
|
||||
niyjvtEyVRmHjTqs2D97DLuKEE0U8x1ecI7FUwyDQWFj4RmmoKm7TOvGva+alol/
|
||||
mclOlWBaMuji0SWwR4GQyQ
|
||||
-> ssh-ed25519 85WiGg oTAqEjy2kEYw0EEDFzmv3EYWY3gKNDGsWbztSN6DG3o
|
||||
+Q5hzzJVgdtFiNtbC37n9tZsNK+onqp4P0myPLpGU0g
|
||||
-> ssh-ed25519 reTIKw SOCoiYn2OZ0WbtgQFsJE6m5lbeat36SVF8Om6NHha1I
|
||||
BLsO5DrNci2ShXI3wBb6u6Advjc7sOCXEBd6mSawkEs
|
||||
-> ssh-ed25519 /vwQcQ zXWEMSbRm2mI4KoMj2tbqP26LTAcxeyLUv5b/UzTaiY
|
||||
HMOyH5OV0XmQsLOtzIsHf3UFYKUoEswt1a6JOu/gl8w
|
||||
-> ssh-ed25519 cvTB5g 1HPXsPtGaCCHPHEXQKVNLRGXb28S3hXUAyT26No80gE
|
||||
NwPkRoRdd2juOWHyJV2aNwVQzGvwpf29mKtcyKSUHKc
|
||||
-> ssh-ed25519 Wu8JLQ tio1Sb9rHwAvoDRH783Ts9S+mS2MWnsqw/L4/To1lgc
|
||||
Tfx0a/UKGiiMsp8rkhbaLpsS4JJIgMeWCDRZ1CxWSHc
|
||||
-> ssh-ed25519 vXYJfA GnXJG4bbDQxls3yLVd22CHmrrkAZYQNbXcpr0iH/8HY
|
||||
uyr6VTHwfU7FjA29IJM9EP37K+QyiWIrG6CUpWyi4o0
|
||||
-> ssh-ed25519 h6AgbA p/FApRwDrQNMdSPYV2U+CyGqdYZG+enC/TJ+Ht5RtCE
|
||||
T6e2S9gZVi24ayGzKGHL19Ezv//f/0+BUAnkCf6g8No
|
||||
-> ssh-ed25519 lHr4YQ JQXWGrVi8YLfI0DWfdyuxKPGVa+SvHIm95YGzsyvdho
|
||||
yvQpw/1GuVOqBBFwflDXvcIhuw0ABqqwByJH/VPRICg
|
||||
-> J9VGuOkA-grease
|
||||
|
||||
--- aKOWgh7PjxocWWeImr1UYJhhFMlzDJXvP+Jfbrl3Zzc
|
||||
7T0。<EFBFBD>Hョ48<EFBFBD>ntjlァ<EFBFBD>}Jオィウロ_<EFBE9B>霸Mw%<25><>吉<1D>=サ<>ナ[+nbeH`ム惣Me\ァ<>U7√德モオL截フヤ2スヨo]靃c、經蓄榕ァ2テC5Mツトy<EFBE84>銷オクオミbi6咄卆2~<7E>裴シ<08>:ロ<>BFh1Bク'lmト`冉イ<E58689>Kvsy%コテ<EFBDBA>!コャ2~$\<5C>^<5E>タノ
|
||||
A2IHEB1lR/eHwOM1adPnvYZUmJ9Gf8ADZvOpzHmxVC54VP5EZLnzpcdzIKlM4qOe
|
||||
vYs7PdGJ56iGd3JS2khyc5oCc/NEYu85i4eyK8Y8JMqSFyYVNpH5rVY1IuHhIwW4
|
||||
biLSvPhKejtcjGkJZGebm2yA3TuhS5peZRUBh2v0sf+PjblsULrpupSRYAs1IndZ
|
||||
1/Brrub4BfFihZh/uCN1iq+lWxUG5K1AR4UhrX7s/qq21sIP+hlhsTzwj5WoeSPV
|
||||
rrYzi7E1v8nP6YsP965PjNFq5yJYKRZdw/QosmElRF4Ar3PP+fROFLfA45LmQpLh
|
||||
z2P/QZKQ7BaANqtz1ryIZQ
|
||||
-> :N*xgmZ-grease S 6b.gme t1.-?(l6
|
||||
JJi5KPF7Y07dJexK5CNlZVeYnM+DaRUqYjChAQO041COvkfVF1CvwLTYZAsZbw
|
||||
--- RKQ3nSQxdSjoVBEtg4TrEL30ooOTpyZAXT5TcOM4qWE
|
||||
zƦ6®JRURâhòé/&©5ßcKGˆ•%¢”ö¶hñp£I;á—ƒÆü.ñÓÔÆNQ”q"hÙq|†¡7n¨C9Íâ´2/Ó"ɳ…ËÏÀ&u‹KŸÊªñm€CBùÈ-åYÜÌ«jTkk ‡K±íÈÛ‹]}´Ë¤iÞƒF}ÙŸÞ-§©·82N}ÈœÒé¢(Ÿ—ëJÍAÈ×Ýd_ŠHÑi0Tò"Ë8±}QÏ$Šæç
|
|
@ -1,8 +1,8 @@
|
|||
let
|
||||
pkgs = import <nixpkgs> {};
|
||||
lib = pkgs.lib;
|
||||
readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys")));
|
||||
superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "hubrecht") ++ (readPubkeys "mrf");
|
||||
readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys")));
|
||||
superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf");
|
||||
core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU";
|
||||
systems = [ core-services-01 ];
|
||||
in
|
||||
|
@ -12,7 +12,5 @@ in
|
|||
"droneKeyFile.age".publicKeys = superadmins ++ systems;
|
||||
"dexGiteaClientSecret.age".publicKeys = superadmins ++ systems;
|
||||
"matterbridge.age".publicKeys = superadmins ++ systems;
|
||||
"snipeItAppKey.age".publicKeys = superadmins ++ systems;
|
||||
"snipeItOidcClientSecret.age".publicKeys = superadmins ++ systems;
|
||||
}
|
||||
|
||||
|
|
|
@ -1,28 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa krWCLQ
|
||||
gBB9yfHVs4Zgm30rbXOkQNZjOuQVFt9Mos4gBoM09M2psLLxWzsoQopWVcvbV+sY
|
||||
oZAThV5F2E+RbOP2e9+o5P+rxCcJa8aAXovtmH2BZvr87jNi8tebH1l0Gjn0I85C
|
||||
B+vv2/m1KCzisCR3p6yaqBiqyETacWRCuILVxKbpnKfVX5ymb//9U0tRbz3BIFH1
|
||||
i3bAD8j8H4V/5SC5RmYwVeBhdGqEaNX0Qehh8AhDkxoqMT3Xeie93eIK6tyAZuyO
|
||||
oQezqkUmozq+uvo6PHZvY/auTYb17QTY0s0xf30NnQoqwtVXnyu6xPx+qlj+M99Q
|
||||
Y/s8SFF+STLrAgK9MN0i8Q
|
||||
-> ssh-ed25519 85WiGg zkLuTpJaBr8T0XjuC9i9NTxYUPhix9nLlShohTtgmyA
|
||||
QwdgD0ihIpJF8D54x2Lg+6CE2yV9nLBZ1oOf/iwUKi4
|
||||
-> ssh-ed25519 reTIKw wB2xC902eZiPXXU9n+oQSocx6J9h5IK0jU4GqmB1XUI
|
||||
awLSPDqOAOM2g7Wrg6uCMeDRVljl2cdZ40gHDON4DCU
|
||||
-> ssh-ed25519 /vwQcQ adFZcuzNWIhLFDhF+FjfnMGTpijt4IKO266M8xpZTHs
|
||||
WR3ig0R6ZgtYLxhN7bm5SNJ3klYvEkMlLeuC/GBxi0U
|
||||
-> ssh-ed25519 cvTB5g 8Gl7qbc7VZvkjjHesgfgdvtsCntNCxyUU3hwXMaIJUA
|
||||
uEJwhJJa87+EjpTE/+3jPnNtgFTHNZkah78URULI1nM
|
||||
-> ssh-ed25519 Wu8JLQ buWP/UWAYd7nAAdIqJjkKq2q3Kcj/TtTm9MacGkoMh4
|
||||
g9ngALRdWC96t7FLES79gKQNK34WbKHqdw4OCryGx74
|
||||
-> ssh-ed25519 vXYJfA KT8pRDwADkV4ySKY6HejWKp57aQUWpor7x67x1Sc3wM
|
||||
th+47fUL5KOak1tEeHslVg9KSxw5DPIO6T/UtfEK6kY
|
||||
-> ssh-ed25519 h6AgbA 8kWKdngdG4RbvQHnkHpygz1fhzMXpGafXltQNa64mAU
|
||||
hZZTmthndfMdMZiaW0bLxfiySzFgnKmd6t4u1PxLG9s
|
||||
-> ssh-ed25519 lHr4YQ JBCRJtCaEH/Dp2em66/ckqFva6JpyeUAHJidVysAsmw
|
||||
SGyzp26GIo+D4VQdzJZEBUZYvAhc/SZy6rdd6HXOawY
|
||||
-> 1-grease
|
||||
niVrY0FwL41sfeE9fB6hg+z0LWMXwce194f+IIL/F8JMIfTnFB0CRAn1OGQ
|
||||
--- pMIf8bANx+QsRTqnWxPmnJm6DVMmJBEO+emeOdLeeec
|
||||
.Aîç±z‘¢JQ[å)s!´ö´2m
õ¤<bÛ\yÝ^7"J¢k<C2A2>Æ_Õ<½Œéoñ¿{ÿ’÷»e¢ïø©
Û8×:˜O%
|
|
@ -1,30 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa krWCLQ
|
||||
LCJxUzS4Be2QQABzubSP5M9Ridg3Srytbb6+SLITgnRqb0fT5XkG7z4ae2lLMVxT
|
||||
zJxrZX1crlg/nyibZychMwZDqNofGGKX/zSKyF6u42hqjAtaDneg6jB/T690sSpD
|
||||
LcuTHUcPLw53bww4amLU5FmFcnGWMHTjmXj6oQ5lks3t3KO9izA+gDJO5kFIYgQa
|
||||
Z0kMrlH21m2TdyGW7Er72qAlT0euwCKlWGGc1NAaSWyu/2gimTHJ4p+KCOpi1D7/
|
||||
cIxMEtXHUoS/vtINi1lZypETVZf9C3xfqZGCnu1xTpFcF8pBLskI/Uz4cxQGLAk3
|
||||
xd5fKuNVBnLc0Ku+oFR3zA
|
||||
-> ssh-ed25519 85WiGg N5HOphuKLUksJTA29E/KHZAdyvTelqq0Lai3KtsGNi0
|
||||
6PilN36eZH8KYzQwqeLPX3wuiW4THuFef+ttoJh0BUo
|
||||
-> ssh-ed25519 reTIKw epotGRShr91lRc2IKDkgfaDd4EhkDtF1jayFv/YW5nE
|
||||
mMFKyzH1q8ZsUXfLnqFfHT88iz/i4WXVVuWqe3z9vx4
|
||||
-> ssh-ed25519 /vwQcQ DvVlWcbAA/xPTgDtpMmSyC2wxrnOM4H/dC1Vhh5Rmhg
|
||||
JCq1yS057vqOFKZL11YhC4/rxYIRGAUI0y97Uch4tS4
|
||||
-> ssh-ed25519 cvTB5g EQ/YM5UYYp3+fS+6u+CwZxUn8Sm8vdqj5xHQf0U0MGc
|
||||
mVhpObNYWSrAlh8kfADzGnhOw9O2r07v2RJH7DZhFkg
|
||||
-> ssh-ed25519 Wu8JLQ k91dq2XwhgvE2Y75KAJWzFlPLXv+8+kTvH7sELmsViw
|
||||
gpnxsNgbeuCYBYUt8j3mGm10rOGAoN9NDYVbObE2zXc
|
||||
-> ssh-ed25519 vXYJfA fOpqzkovWF/hLUrsjrDwFUsKG3Pa7LQQ2QTiYWT4Ux0
|
||||
AM1EdbC+Sg37PZzXf6vsmeXSMMjXRVQT3mq000cmPw8
|
||||
-> ssh-ed25519 h6AgbA LWhZtBUJXu15GEIwSyKraXkaO8CO7/TuLSxsnbagQTk
|
||||
1/It/vtykYe2NzG4r2J53yW+ZS2rgtUVNv8hlWYQnwY
|
||||
-> ssh-ed25519 lHr4YQ zEMhvSZsUOiM+XEpuTljfKE1MqyxqxuL0yuKTj6E1Vc
|
||||
J/pYqeaTK9NLIhSKeB0CFSFNLkVeV2C5enKVIRy5+Po
|
||||
-> #Oj-grease fdq ltL1r ohAHn[aU QF%DKt
|
||||
G2xXhW58AunOBXwtl1mD/DqdsHRoyjMvVl310MPWNFSSmLhG/UG7pQf3GUNsfThQ
|
||||
lCvckvUfcYRen/hrEFhtyg
|
||||
--- zwJ1Ma9A8rDbUQLAFpDNLs+2Iv6RQvEGlDFj9HVDRRg
|
||||
;>qg4ü*¬ÄbŽˆ~G+›x8ÃÞü
|
||||
Œ,¦5õç!ãŠöž•ê4ñŸÀ¼:Ö–<C396>\g¬Ê‡î<E280A1>ßÐo
|
|
@ -1,34 +0,0 @@
|
|||
{ pkgs, config, ... }:
|
||||
{
|
||||
age.secrets.snipeItAppKey = {
|
||||
owner = config.services.snipe-it.user;
|
||||
group = config.services.snipe-it.group;
|
||||
};
|
||||
|
||||
age.secrets.snipeItOidcClientSecret = {
|
||||
owner = config.services.snipe-it.user;
|
||||
group = config.services.snipe-it.group;
|
||||
};
|
||||
|
||||
services.snipe-it = {
|
||||
enable = true;
|
||||
hostName = "inventory.rz.ens.wtf";
|
||||
database.createLocally = true;
|
||||
appKeyFile = config.age.secrets.snipeItAppKey.path;
|
||||
|
||||
nginx = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
|
||||
config = {
|
||||
AUTH_METHOD = "oidc";
|
||||
OIDC_NAME = "Keycloak";
|
||||
OIDC_DISPLAY_NAME_CLAIMS = "name";
|
||||
OIDC_CLIENT_ID = "snipe-it";
|
||||
OIDC_CLIENT_SECRET = { _secret = config.age.secrets.snipeItOidcClientSecret.path; };
|
||||
OIDC_ISSUER = "https://auth.rz.ens.wtf/auth/realms/ClubReseau";
|
||||
OIDC_ISSUER_DISCOVER = true;
|
||||
};
|
||||
};
|
||||
}
|
|
@ -3,16 +3,15 @@
|
|||
with dns.lib.combinators;
|
||||
let
|
||||
my = config.my;
|
||||
web01 = {
|
||||
CNAME = ["web01.dmi01.infra.dgnum.eu."];
|
||||
};
|
||||
public-cof-ips = {
|
||||
A = [ "45.13.104.27" ];
|
||||
AAAA = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5" ];
|
||||
};
|
||||
delegateACMEDNSChallenge = acme: { _acme-challenge.CNAME = [ acme ]; };
|
||||
|
||||
mkProxyRecord = AAAA: { inherit AAAA; A = [ "45.13.104.29" ]; };
|
||||
remoteBuilders = {
|
||||
nix01 = [ "2001:470:1f13:187:1e07:c670:3958:f8f1" ];
|
||||
};
|
||||
dualstack = {
|
||||
A = my.ipv4;
|
||||
AAAA = my.ipv6.standard;
|
||||
|
@ -22,7 +21,7 @@ dualstack // {
|
|||
SOA = {
|
||||
nameServer = "ns1.${my.subZone}.";
|
||||
adminEmail = my.email;
|
||||
serial = 2023122101; # Y M D Version
|
||||
serial = 2021111400; # Y M D Version
|
||||
};
|
||||
|
||||
NS = [
|
||||
|
@ -32,21 +31,17 @@ dualstack // {
CAA = letsEncrypt my.email;
|
||||
|
||||
subdomains = {
|
||||
git = web01;
|
||||
git = dualstack;
|
||||
drone = dualstack;
|
||||
wiki = dualstack;
|
||||
monitoring = dualstack;
|
||||
auth = dualstack;
|
||||
push = dualstack;
|
||||
tailscale = dualstack;
|
||||
core01 = dualstack;
|
||||
ns1 = dualstack;
|
||||
|
||||
# Non-beta service
|
||||
# Outline
|
||||
notion = web01;
|
||||
# S3 API
|
||||
s3 = web01;
|
||||
# CDN API
|
||||
cdn = web01;
|
||||
builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders;
|
||||
|
||||
gdd = {
|
||||
NS = [ "ns1.gdd.${my.subZone}." ];
@ -62,22 +57,19 @@ dualstack // {
|
||||
beta = public-cof-ips // {
|
||||
subdomains = {
|
||||
traque = mkProxyRecord [ "2001:470:1f13:187:f053:94ff:fe46:9664" ];
|
||||
nuage = web01;
|
||||
todo = web01;
|
||||
minecraft = web01;
|
||||
factorio = web01;
|
||||
home = web01;
|
||||
pads = web01 // {
|
||||
nuage = public-cof-ips;
|
||||
minecraft = public-cof-ips;
|
||||
factorio = public-cof-ips;
|
||||
home = public-cof-ips;
|
||||
pads = public-cof-ips // {
|
||||
subdomains = {
|
||||
api = web01;
|
||||
files = web01;
|
||||
sandbox = web01;
|
||||
api = public-cof-ips;
|
||||
files = public-cof-ips;
|
||||
sandbox = public-cof-ips;
|
||||
};
|
||||
};
|
||||
docs = web01;
|
||||
jurisprudens = web01;
|
||||
rstudio = web01;
|
||||
docs = public-cof-ips;
|
||||
jurisprudens = public-cof-ips;
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -86,7 +78,6 @@ dualstack // {
# Routers
|
||||
router01.A = [ "10.1.1.1" ];
|
||||
router02.A = [ "10.1.1.1" ];
|
||||
router03.A = [ "10.1.1.120" ];
|
||||
|
||||
# Hypervisors
|
||||
pve01 = {
@ -8,7 +8,7 @@
|
||||
# Auto GC and store optimizations
|
||||
nix = {
|
||||
settings.trusted-users = [ "root" "gab" ];
|
||||
trustedUsers = [ "root" "gab" ];
|
||||
gc = {
|
||||
automatic = true;
|
||||
dates = "weekly";
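Review bot: `trustedUsers = [ "root" "gab" ];` uses the legacy flat option; it was renamed to `nix.settings.trusted-users` and on a current NixOS only evaluates through the rename alias, which emits a warning and may disappear. Because a trusted user can hand the daemon arbitrary settings and substituters, which is effectively root-equivalent, this list is worth keeping explicit and minimal, so write it as `nix.settings.trusted-users = [ "root" "gab" ];` (or, if the target NixOS predates the rename, keep the old name and say so in a comment). The surrounding `nix = { ... }` block continues past the hunk.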
@ -1,19 +0,0 @@
{ ... }: {
|
||||
networking.wireguard.interfaces.wgalpha = {
|
||||
privateKeyFile = "/etc/secrets/wireguard/wgalpha";
|
||||
listenPort = 9999;
|
||||
|
||||
ips = [
|
||||
"fdee:a536:13fa:53ab::2/128"
|
||||
];
|
||||
|
||||
peers = [
|
||||
{
|
||||
publicKey = "yAdQRTHn9Yko2r24j8tlxWBz0nYzHRxryPFq8t44Xw4=";
|
||||
allowedIPs = [ "fdee:a536:13fa:53ab::1/128" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
networking.firewall.allowedUDPPorts = [ 9999 ];
|
||||
}
@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv3iSpIjeUVDf+f89Hb/L++vzMX15Ti/PZTjAAG+tFl
@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ Raito's remote builder key
@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o
@ -1,5 +1,5 @@
{ ... }:
|
||||
{
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = "club-reseau@lists.ens.psl.eu";
|
||||
security.acme.email = "club-reseau@lists.ens.psl.eu";
|
||||
}
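Review bot: `security.acme.email = "club-reseau@lists.ens.psl.eu";` is the pre-22.05 option name; the current option is `security.acme.defaults.email`, and the old spelling only works through a renamed-option alias that warns at evaluation time and is not guaranteed to stay. Unless this host is pinned to an older nixpkgs, the line should read `security.acme.defaults.email = "club-reseau@lists.ens.psl.eu";`, so that ACME account registration does not silently break on the next upgrade.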
@ -3,32 +3,26 @@
{
|
||||
imports =
|
||||
[
|
||||
./hardware-configuration.nix
|
||||
./programs.nix
|
||||
./system.nix
|
||||
./acme.nix
|
||||
./networking.nix
|
||||
./monitoring.nix
|
||||
./garage.nix
|
||||
./nextcloud.nix
|
||||
./outline.nix
|
||||
./lychee.nix
|
||||
./minecraft.nix
|
||||
# ./rstudio-server
|
||||
./nur.nix
|
||||
# ./factorio.nix # TODO
|
||||
./nginx.nix
|
||||
# ./cryptpad.nix
|
||||
./hedgedoc.nix
|
||||
# ./kanboard.nix
|
||||
./secrets
|
||||
./v6proxy
|
||||
# TODO monitoring
|
||||
];
|
||||
|
||||
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
|
||||
"minecraft-server"
|
||||
"factorio-headless"
|
||||
"outline"
|
||||
];
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
|
@ -48,5 +42,13 @@
enableSSHSupport = true;
|
||||
};
|
||||
|
||||
# Enable the OpenSSH daemon.
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = [
|
||||
./pubkeys/gdd.keys
|
||||
./pubkeys/raito.keys
|
||||
./pubkeys/mrf.keys
|
||||
];
|
||||
|
||||
system.stateVersion = "21.05";
|
||||
}
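Review bot: `services.openssh.enable = true;` together with `users.users.root.openssh.authorizedKeys.keyFiles` turns on direct key-based root logins while leaving the root-login and password-authentication policy to module defaults that are not stated anywhere in the hunk. Pin them explicitly so the exposure of this host is readable from the file rather than from whichever nixpkgs happens to be in use: `services.openssh.settings.PermitRootLogin = "prohibit-password";` and `services.openssh.settings.PasswordAuthentication = false;` (on a NixOS matching the `21.05` stateVersion the equivalents are `services.openssh.permitRootLogin` and `services.openssh.passwordAuthentication`). The enclosing module body starts before the hunk.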
@ -1,47 +0,0 @@
{ pkgs, ... }:
|
||||
{
|
||||
security.acme.certs."cdn.rz.ens.wtf" = {
|
||||
dnsProvider = "acme-dns";
|
||||
credentialsFile = pkgs.writeText "acme-dns-env" ''
|
||||
ACME_DNS_API_BASE=https://acme.rz.ens.wtf
|
||||
ACME_DNS_STORAGE_PATH=/var/lib/acme/lego-acme-dns-accounts.json
|
||||
'';
|
||||
extraDomainNames = [ "*.cdn.rz.ens.wtf" ];
|
||||
group = "nginx";
|
||||
};
|
||||
services.nginx.virtualHosts."s3.rz.ens.wtf" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".proxyPass = "http://[::1]:3900";
|
||||
};
|
||||
services.nginx.virtualHosts."cdn.rz.ens.wtf" = {
|
||||
serverAliases = [ "*.cdn.rz.ens.wtf" ];
|
||||
useACMEHost = "cdn.rz.ens.wtf";
|
||||
forceSSL = true;
|
||||
locations."/".proxyPass = "http://[::1]:3902";
|
||||
};
|
||||
services.garage = {
|
||||
enable = true;
|
||||
package = pkgs.garage_0_8;
|
||||
settings = {
|
||||
replication_mode = "none";
|
||||
compression_level = 7;
|
||||
|
||||
rpc_bind_addr = "10.1.1.21:3901";
|
||||
rpc_public_addr = "10.1.1.21:3901";
|
||||
rpc_secret = "76c2746530a4a27d188530a6bbf6c4613ccb8d8f129863d8c21462b84d5b998f";
|
||||
|
||||
s3_api = {
|
||||
s3_region = "ens";
|
||||
api_bind_addr = "[::]:3900";
|
||||
root_domain = ".s3.rz.ens.wtf";
|
||||
};
|
||||
|
||||
s3_web = {
|
||||
bind_addr = "[::]:3902";
|
||||
root_domain = ".cdn.rz.ens.wtf";
|
||||
index = "index.html";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
@ -5,11 +5,11 @@ in
{
|
||||
services.hedgedoc = {
|
||||
enable = true;
|
||||
settings = {
|
||||
configuration = {
|
||||
protocolUseSSL = true;
|
||||
# scp =; # TODO
|
||||
domain = "docs.beta.rz.ens.wtf";
|
||||
host = "127.0.0.1";
|
||||
host = "localhost";
|
||||
port = port;
|
||||
db = {
|
||||
dialect = "sqlite";
|
||||
|
@ -25,11 +25,13 @@ in
enableACME = true;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString port}";
|
||||
proxyPass = "http://localhost:${toString port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 433 80 ];
|
||||
}
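Review bot: `networking.firewall.allowedTCPPorts = [ 433 80 ];` opens port 433 rather than 443; if this is the only place HTTPS is meant to be admitted, the ACME-backed vhost configured above is unreachable from outside, and if 443 is opened elsewhere the 433 entry is a needless open port, so in either case the line should read `networking.firewall.allowedTCPPorts = [ 443 80 ];`. Separately, `proxyPass = "http://localhost:${toString port}"` here and `host = "localhost"` in the hedgedoc settings of the previous hunk both defer to name resolution, which can yield `::1` on one side and `127.0.0.1` on the other and produce intermittent 502s; a literal loopback address on both lines removes that ambiguity. The `services.hedgedoc` block begins before the hunk.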
|
||||
|
|
|
@ -1,281 +0,0 @@
<?php
|
||||
|
||||
/*******************************************************************/
|
||||
/* Rename this file to config.php if you want to change the values */
|
||||
/* */
|
||||
/* Make sure all paths are absolute by using __DIR__ where needed */
|
||||
/*******************************************************************/
|
||||
|
||||
// Require the secret file
|
||||
require('@secretsPath@');
|
||||
|
||||
// Data folder (must be writeable by the web server user and absolute)
|
||||
define('DATA_DIR', '/var/lib/kanboard/data');
|
||||
|
||||
// Enable/Disable debug
|
||||
define('DEBUG', false);
|
||||
|
||||
// Available log drivers: syslog, stderr, stdout, system or file
|
||||
define('LOG_DRIVER', 'file');
|
||||
|
||||
// Log filename if the log driver is "file"
|
||||
define('LOG_FILE', DATA_DIR.DIRECTORY_SEPARATOR.'debug.log');
|
||||
|
||||
// Plugins directory
|
||||
define('PLUGINS_DIR', '@pluginsDirectory@');
|
||||
|
||||
// Plugins directory URL
|
||||
define('PLUGIN_API_URL', 'https://kanboard.org/plugins.json');
|
||||
|
||||
// Enable/Disable plugin installer (Disabled by default for security reasons)
|
||||
// There is no code review or any approval process to submit a plugin.
|
||||
// This is up to the Kanboard instance owner to validate if a plugin is legit.
|
||||
define('PLUGIN_INSTALLER', false);
|
||||
|
||||
// Available cache drivers are "file" and "memory"
|
||||
define('CACHE_DRIVER', 'memory');
|
||||
|
||||
// Cache folder to use if cache driver is "file" (must be writeable by the web server user)
|
||||
define('CACHE_DIR', DATA_DIR.DIRECTORY_SEPARATOR.'cache');
|
||||
|
||||
// Folder for uploaded files (must be writeable by the web server user)
|
||||
define('FILES_DIR', DATA_DIR.DIRECTORY_SEPARATOR.'files');
|
||||
|
||||
// Enable/disable email configuration from the user interface
|
||||
define('MAIL_CONFIGURATION', true);
|
||||
|
||||
// E-mail address used for the "From" header (notifications)
|
||||
define('MAIL_FROM', 'todo@dgnum.eu');
|
||||
|
||||
// E-mail address used for the "Bcc" header to send a copy of all notifications
|
||||
define('MAIL_BCC', '');
|
||||
|
||||
// Mail transport available: "smtp", "sendmail", "mail" (PHP mail function), "postmark", "mailgun", "sendgrid"
|
||||
define('MAIL_TRANSPORT', 'smtp');
|
||||
|
||||
// SMTP configuration to use when the "smtp" transport is chosen
|
||||
define('MAIL_SMTP_HOSTNAME', 'kurisu.lahfa.xyz');
|
||||
define('MAIL_SMTP_PORT', 587);
|
||||
define('MAIL_SMTP_USERNAME', 'todo@dgnum.eu');
|
||||
define('MAIL_SMTP_HELO_NAME', null); // valid: null (default), or FQDN
|
||||
define('MAIL_SMTP_ENCRYPTION', "tls"); // Valid values are null (not a string "null"), "ssl" or "tls"
|
||||
|
||||
// Sendmail command to use when the transport is "sendmail"
|
||||
define('MAIL_SENDMAIL_COMMAND', '/usr/sbin/sendmail -bs');
|
||||
|
||||
// Run automatically database migrations
|
||||
// If set to false, you will have to run manually the SQL migrations from the CLI during the next Kanboard upgrade
|
||||
// Do not run the migrations from multiple processes at the same time (example: web page + background worker)
|
||||
define('DB_RUN_MIGRATIONS', true);
|
||||
|
||||
// Database driver: sqlite, mysql or postgres (sqlite by default)
|
||||
define('DB_DRIVER', 'sqlite');
|
||||
|
||||
// Mysql/Postgres username
|
||||
define('DB_USERNAME', 'root');
|
||||
|
||||
// Mysql/Postgres password
|
||||
define('DB_PASSWORD', '');
|
||||
|
||||
// Mysql/Postgres hostname
|
||||
define('DB_HOSTNAME', 'localhost');
|
||||
|
||||
// Mysql/Postgres database name
|
||||
define('DB_NAME', 'kanboard');
|
||||
|
||||
// Mysql/Postgres custom port (null = default port)
|
||||
define('DB_PORT', null);
|
||||
|
||||
// Mysql SSL key
|
||||
define('DB_SSL_KEY', null);
|
||||
|
||||
// Mysql SSL certificate
|
||||
define('DB_SSL_CERT', null);
|
||||
|
||||
// Mysql SSL CA
|
||||
define('DB_SSL_CA', null);
|
||||
|
||||
// Mysql SSL server verification, set to false if you don't want the Mysql driver to validate the certificate CN
|
||||
define('DB_VERIFY_SERVER_CERT', null);
|
||||
|
||||
// Timeout value for PDO attribute
|
||||
define('DB_TIMEOUT', null);
|
||||
|
||||
// Enable LDAP authentication (false by default)
|
||||
define('LDAP_AUTH', false);
|
||||
|
||||
// LDAP server protocol, hostname and port URL (ldap[s]://hostname:port)
|
||||
define('LDAP_SERVER', '');
|
||||
|
||||
// By default, require certificate to be verified for ldaps:// style URL. Set to false to skip the verification
|
||||
define('LDAP_SSL_VERIFY', true);
|
||||
|
||||
// Enable LDAP START_TLS
|
||||
define('LDAP_START_TLS', false);
|
||||
|
||||
// By default Kanboard lowercase the ldap username to avoid duplicate users (the database is case sensitive)
|
||||
// Set to true if you want to preserve the case
|
||||
define('LDAP_USERNAME_CASE_SENSITIVE', false);
|
||||
|
||||
// LDAP bind type: "anonymous", "user" or "proxy"
|
||||
define('LDAP_BIND_TYPE', 'anonymous');
|
||||
|
||||
// LDAP username to use with proxy mode
|
||||
// LDAP username pattern to use with user mode
|
||||
define('LDAP_USERNAME', null);
|
||||
|
||||
// LDAP password to use for proxy mode
|
||||
define('LDAP_PASSWORD', null);
|
||||
|
||||
// LDAP DN for users
|
||||
// Example for ActiveDirectory: CN=Users,DC=kanboard,DC=local
|
||||
// Example for OpenLDAP: ou=People,dc=example,dc=com
|
||||
define('LDAP_USER_BASE_DN', '');
|
||||
|
||||
// LDAP pattern to use when searching for a user account
|
||||
// Example for ActiveDirectory: '(&(objectClass=user)(sAMAccountName=%s))'
|
||||
// Example for OpenLDAP: 'uid=%s'
|
||||
define('LDAP_USER_FILTER', '');
|
||||
|
||||
// LDAP attribute for username
|
||||
// Example for ActiveDirectory: 'sAMAccountName'
|
||||
// Example for OpenLDAP: 'uid'
|
||||
define('LDAP_USER_ATTRIBUTE_USERNAME', 'uid');
|
||||
|
||||
// LDAP attribute for user full name
|
||||
// Example for ActiveDirectory: 'displayname'
|
||||
// Example for OpenLDAP: 'cn'
|
||||
define('LDAP_USER_ATTRIBUTE_FULLNAME', 'cn');
|
||||
|
||||
// LDAP attribute for user email
|
||||
define('LDAP_USER_ATTRIBUTE_EMAIL', 'mail');
|
||||
|
||||
// LDAP attribute to find groups in user profile
|
||||
define('LDAP_USER_ATTRIBUTE_GROUPS', 'memberof');
|
||||
|
||||
// LDAP attribute for user avatar image: thumbnailPhoto or jpegPhoto
|
||||
define('LDAP_USER_ATTRIBUTE_PHOTO', '');
|
||||
|
||||
// LDAP attribute for user language, example: 'preferredlanguage'
|
||||
// Put an empty string to disable language sync
|
||||
define('LDAP_USER_ATTRIBUTE_LANGUAGE', '');
|
||||
|
||||
// Automatically create a user profile when a user authenticates via LDAP.
|
||||
// If set to false, only LDAP users can log in for whom a Kanboard profile already exists.
|
||||
define('LDAP_USER_CREATION', true);
|
||||
|
||||
// Set new user as Manager
|
||||
define('LDAP_USER_DEFAULT_ROLE_MANAGER', false);
|
||||
|
||||
// LDAP DN for administrators
|
||||
// Example: CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local
|
||||
define('LDAP_GROUP_ADMIN_DN', '');
|
||||
|
||||
// LDAP DN for managers
|
||||
// Example: CN=Kanboard Managers,CN=Users,DC=kanboard,DC=local
|
||||
define('LDAP_GROUP_MANAGER_DN', '');
|
||||
|
||||
// Enable LDAP group provider for project permissions
|
||||
// The end-user will be able to browse LDAP groups from the user interface and allow access to specified projects
|
||||
define('LDAP_GROUP_PROVIDER', false);
|
||||
|
||||
// LDAP Base DN for groups
|
||||
define('LDAP_GROUP_BASE_DN', '');
|
||||
|
||||
// LDAP group filter
|
||||
// Example for ActiveDirectory: (&(objectClass=group)(sAMAccountName=%s*))
|
||||
define('LDAP_GROUP_FILTER', '');
|
||||
|
||||
// LDAP user group filter
|
||||
// If this filter is configured, Kanboard will search user groups in LDAP_GROUP_BASE_DN with this filter
|
||||
// Example for OpenLDAP: (&(objectClass=posixGroup)(memberUid=%s))
|
||||
define('LDAP_GROUP_USER_FILTER', '');
|
||||
|
||||
// LDAP attribute for the user in the group filter
|
||||
// 'username' or 'dn'
|
||||
define('LDAP_GROUP_USER_ATTRIBUTE', 'username');
|
||||
|
||||
// LDAP attribute for the group name
|
||||
define('LDAP_GROUP_ATTRIBUTE_NAME', 'cn');
|
||||
|
||||
// Enable/Disable groups synchronization when external authentication is used.
|
||||
define('LDAP_GROUP_SYNC', false);
|
||||
|
||||
// Enable/disable the reverse proxy authentication
|
||||
define('REVERSE_PROXY_AUTH', false);
|
||||
|
||||
// Header name to use for the username
|
||||
define('REVERSE_PROXY_USER_HEADER', 'REMOTE_USER');
|
||||
|
||||
// Username of the admin, by default blank
|
||||
define('REVERSE_PROXY_DEFAULT_ADMIN', '');
|
||||
|
||||
// Header name to use for the username
|
||||
define('REVERSE_PROXY_EMAIL_HEADER', 'REMOTE_EMAIL');
|
||||
|
||||
// Default domain to use for setting the email address
|
||||
define('REVERSE_PROXY_DEFAULT_DOMAIN', '');
|
||||
|
||||
// Enable/disable remember me authentication
|
||||
define('REMEMBER_ME_AUTH', true);
|
||||
|
||||
// Enable or disable "Strict-Transport-Security" HTTP header
|
||||
define('ENABLE_HSTS', true);
|
||||
|
||||
// Enable or disable "X-Frame-Options: DENY" HTTP header
|
||||
define('ENABLE_XFRAME', true);
|
||||
|
||||
// Escape html inside markdown text
|
||||
define('MARKDOWN_ESCAPE_HTML', true);
|
||||
|
||||
// API alternative authentication header, the default is HTTP Basic Authentication defined in RFC2617
|
||||
define('API_AUTHENTICATION_HEADER', '');
|
||||
|
||||
// Enable/disable url rewrite
|
||||
define('ENABLE_URL_REWRITE', false);
|
||||
|
||||
// Hide login form, useful if all your users use Google/Github/ReverseProxy authentication
|
||||
define('HIDE_LOGIN_FORM', false);
|
||||
|
||||
// Disabling logout (useful for external SSO authentication)
|
||||
define('DISABLE_LOGOUT', false);
|
||||
|
||||
// Enable captcha after 3 authentication failure
|
||||
define('BRUTEFORCE_CAPTCHA', 3);
|
||||
|
||||
// Lock the account after 6 authentication failure
|
||||
define('BRUTEFORCE_LOCKDOWN', 6);
|
||||
|
||||
// Lock account duration in minute
|
||||
define('BRUTEFORCE_LOCKDOWN_DURATION', 15);
|
||||
|
||||
// Session duration in second (0 = until the browser is closed)
|
||||
// See http://php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
|
||||
define('SESSION_DURATION', 0);
|
||||
|
||||
// Session handler: db or php
|
||||
define('SESSION_HANDLER', 'db');
|
||||
|
||||
// HTTP client proxy
|
||||
define('HTTP_PROXY_HOSTNAME', '');
|
||||
define('HTTP_PROXY_PORT', '3128');
|
||||
define('HTTP_PROXY_USERNAME', '');
|
||||
define('HTTP_PROXY_PASSWORD', '');
|
||||
define('HTTP_PROXY_EXCLUDE', 'localhost');
|
||||
|
||||
// Set to false to allow self-signed certificates
|
||||
define('HTTP_VERIFY_SSL_CERTIFICATE', true);
|
||||
|
||||
// TOTP (2FA) issuer name
|
||||
define('TOTP_ISSUER', 'Kanboard (DGNum)');
|
||||
|
||||
// Comma separated list of fields to not synchronize when using external authentication providers
|
||||
define('EXTERNAL_AUTH_EXCLUDE_FIELDS', 'username');
|
||||
|
||||
// Enable or disable displaying group-memberships in userlist (true by default)
|
||||
define('SHOW_GROUP_MEMBERSHIPS_IN_USERLIST', true);
|
||||
|
||||
// Limit number of groups to display in userlist (The full list of group-memberships is always shown, ...
|
||||
// ... when hovering the mouse over the group-icon of a given user!)
|
||||
// If set to 0 ALL group-memberships will be listed (7 by default)
|
||||
define('SHOW_GROUP_MEMBERSHIPS_IN_USERLIST_WITH_LIMIT', 7);
|
|
@ -1,85 +0,0 @@
{ pkgs, lib, config, ... }:
|
||||
let
|
||||
mkKanboardPlugin = { name, url, hash ? null }: pkgs.fetchzip {
|
||||
inherit name url;
|
||||
sha256 = if hash == null then lib.fakeHash else hash;
|
||||
};
|
||||
plugins = map mkKanboardPlugin [
|
||||
{ name = "Milestone"; url = "https://github.com/oliviermaridat/kanboard-milestone-plugin/releases/download/1.1.2/Milestone-1.1.2.zip"; hash = "sha256-NrkMvk/5NdVokKQTYoZajdNEt5athjEzXVgrSHBdQ4w="; }
|
||||
{ name = "MarkdownPlus"; url = "https://github.com/creecros/MarkdownPlus/releases/download/1.1.0/MarkdownPlus-1.1.0.zip"; hash = "sha256-BMzEaj47NnLvatEgUbKeibiWf9G+B4EFlVYhDNqk+y4="; }
|
||||
{ name = "MetaMagik"; url = "https://github.com/creecros/MetaMagik/releases/download/1.5.1/MetaMagik-1.5.1.zip"; hash = "sha256-8y8+YvS5MAzRt4VVECQK0vQk6oA4Jbxn+2jWQ8nP3gU="; }
|
||||
{ name = "OAuth2"; url = "https://github.com/kanboard/plugin-oauth2/releases/download/v1.0.2/OAuth2-1.0.2.zip"; hash = "sha256-L0df8bwPCxHjVOCNiVp+dqVsqJ0CEuJbHzwv5sYprIU="; }
|
||||
{ name = "HighlightCodeSyntax"; url = "https://github.com/kenlog/HighlightCodeSyntax/releases/download/v1.0.3/HighlightCodeSyntax-v1.0.3.zip"; hash = "sha256-c4bV1gGVNUjHOJKBI6QxsV72mAzcEgjqv8r62ebpPdU="; }
|
||||
{ name = "Group_assign"; url = "https://github.com/creecros/Group_assign/releases/download/1.7.12/Group_assign-1.7.12.zip"; hash = "sha256-ijI8nIIqsK8Pr1iEfCBUeUD3dlsIfmkOP0xC39JkIAs="; }
|
||||
];
|
||||
pluginsDirectory = pkgs.linkFarmFromDrvs "kanboard-plugins" plugins;
|
||||
secretsPath = config.age.secrets.kanboard-secrets.path;
|
||||
kanboardConfig = pkgs.substituteAll {
|
||||
name = "kanboard-config.php";
|
||||
src = ./kanboard-config.php;
|
||||
inherit secretsPath;
|
||||
inherit pluginsDirectory;
|
||||
};
|
||||
package = pkgs.kanboard.overrideAttrs (old: {
|
||||
installPhase = ''
|
||||
${(old.installPhase or "")}
|
||||
runHook postInstall
|
||||
'';
|
||||
|
||||
postInstall = ''
|
||||
${pkgs.xorg.lndir}/bin/lndir ${pluginsDirectory} $out/share/kanboard/plugins
|
||||
'';
|
||||
});
|
||||
in
|
||||
{
|
||||
environment.systemPackages = [
|
||||
];
|
||||
services.phpfpm.pools.kanboard = {
|
||||
user = "kanboard";
|
||||
group = "kanboard";
|
||||
settings = {
|
||||
"listen.group" = "nginx";
|
||||
"pm" = "static";
|
||||
"pm.max_children" = 4;
|
||||
};
|
||||
};
|
||||
users.users.kanboard = {
|
||||
isSystemUser = true;
|
||||
group = "kanboard";
|
||||
};
|
||||
users.groups.kanboard = {};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."todo.beta.rz.ens.wtf" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
root = pkgs.buildEnv {
|
||||
name = "kanboard-configured";
|
||||
paths = [
|
||||
(pkgs.runCommand "kanboard-over" {meta.priority = 0;} ''
|
||||
mkdir -p $out
|
||||
for f in index.php jsonrpc.php ; do
|
||||
echo "<?php require('$out/config.php');" > $out/$f
|
||||
tail -n+2 ${package}/share/kanboard/$f \
|
||||
| sed 's^__DIR__^"${package}/share/kanboard"^' >> $out/$f
|
||||
done
|
||||
ln -s /var/lib/kanboard $out/data
|
||||
ln -s ${pluginsDirectory} $out/plugins
|
||||
ln -s ${kanboardConfig} $out/config.php
|
||||
'')
|
||||
{ outPath = "${package}/share/kanboard"; meta.priority = 10; }
|
||||
];
|
||||
};
|
||||
locations = {
|
||||
"/".index = "index.php";
|
||||
"~ \\.php$" = {
|
||||
tryFiles = "$uri =404";
|
||||
extraConfig = ''
|
||||
fastcgi_pass unix:${config.services.phpfpm.pools.kanboard.socket};
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,17 +0,0 @@
{ config, pkgs, ... }: {
|
||||
services.lychee = {
|
||||
enable = true;
|
||||
package = pkgs.rz.lychee-gallery;
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
website = "photos.ens.wtf";
|
||||
settings.APP_URL = "https://${config.services.lychee.website}";
|
||||
};
|
||||
services.phpfpm.pools."photos.ens.wtf".settings = {
|
||||
pm = "dynamic";
|
||||
"pm.max_children" = 10;
|
||||
"pm.start_servers" = 3;
|
||||
"pm.min_spare_servers" = 1;
|
||||
"pm.max_spare_servers" = 3;
|
||||
};
|
||||
}
@ -2,9 +2,9 @@
let
|
||||
papermc = {
|
||||
ram = 4; # In GB
|
||||
version = "1.19.2";
|
||||
build = 200;
|
||||
sha256 = "sha256-fhQ1Kukp0MDF0312y/DR3wS9wKXY2aKUyU5f64ELylM=";
|
||||
version = "1.18.2";
|
||||
build = 270;
|
||||
sha256 = "M3/z7lgHVDG+WqxPvyrxvfobEvkkPf90bDoN/Dq+VZY=";
|
||||
};
|
||||
port = 25565;
|
||||
rconPort = 25575;
@ -42,15 +42,6 @@ in
Sup3Legacy = "575ecb9f-bf28-46cb-bc50-cb6bb340c905";
|
||||
Pollux3737 = "ffa65818-b022-4830-aa90-7f3211c8ee3d";
|
||||
CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849";
|
||||
clem197 = "7461bfdf-4dca-44c2-b035-b49d5740dfc5";
|
||||
Clashis = "499fdd85-bbcb-446f-9611-8b6bb9bf6965";
|
||||
skidijo = "6a72a1f4-7448-4fb7-a252-b6d5ceff2d43";
|
||||
Tifendyll = "5dc1acf3-b214-4607-a3bd-924665e07c67";
|
||||
OknShield = "ef12e9cd-121f-4b39-886e-89b5b4bc5f4f";
|
||||
Allygon = "964a2ee3-3a0d-49c1-b8e9-60b5e69976d3";
|
||||
CheesyBiggy = "574daaed-ce9a-4b33-a3af-055e39bc32dc";
|
||||
H3raklio = "576969d4-94e7-49db-ba7e-e9e57ff5a75e";
|
||||
thejohncrafter = "d3959974-3a05-4ab2-8acb-d8817c140d84";
|
||||
};
|
||||
|
||||
serverProperties = {
@ -1,38 +1,41 @@
{ lib, ... }:
|
||||
|
||||
{
|
||||
let mkAddress = addr: let
|
||||
splitted = lib.splitString "/" addr;
|
||||
elemAt = builtins.elemAt splitted;
|
||||
in
|
||||
{ address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); };
|
||||
in {
|
||||
networking = {
|
||||
hostName = "public-cof";
|
||||
|
||||
useNetworkd = true;
|
||||
# Default IPv4 exit route
|
||||
defaultGateway = {
|
||||
address = "";
|
||||
interface = "ens20";
|
||||
};
|
||||
localCommands = "ip route add default dev ens20 metric 10";
|
||||
|
||||
firewall = { enable = true; allowedTCPPorts = [ 22 ]; };
|
||||
useDHCP = false;
|
||||
interfaces.ens18 = {
|
||||
useDHCP = true;
|
||||
ipv6.addresses = [{
|
||||
address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5";
|
||||
prefixLength = 64;
|
||||
}];
|
||||
};
|
||||
interfaces.ens19 = {
|
||||
useDHCP = false;
|
||||
ipv4.addresses = [{
|
||||
address = "10.1.1.21";
|
||||
prefixLength = 22;
|
||||
}];
|
||||
};
|
||||
|
||||
interfaces.ens20 = {
|
||||
ipv4.addresses = map mkAddress [ "45.13.104.27/32" ];
|
||||
};
|
||||
|
||||
firewall.allowedTCPPorts = [ 22 ];
|
||||
firewall.enable = true;
|
||||
};
|
||||
|
||||
systemd.network.networks = {
|
||||
"10-ens18" = {
|
||||
name = "ens18";
|
||||
address = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5/64" ];
|
||||
|
||||
DHCP = "ipv4";
|
||||
|
||||
dhcpV4Config.RouteMetric = 10;
|
||||
};
|
||||
|
||||
"10-ens19" = {
|
||||
name = "ens19";
|
||||
address = [ "10.1.1.21/22" ];
|
||||
|
||||
DHCP = "ipv4";
|
||||
};
|
||||
|
||||
"10-ens20" = {
|
||||
name = "ens20";
|
||||
address = [ "45.13.104.27/32" "45.13.104.29/32" ];
|
||||
|
||||
DHCP = "ipv4";
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ];
|
||||
}
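Review bot: All three `systemd.network.networks` units set `DHCP = "ipv4";`, including `10-ens19` (static `10.1.1.21/22`) and `10-ens20` (the static public `/32` addresses), so a DHCP server on either segment can push addresses, DNS servers and a default route onto this host, and only `10-ens18` pins `dhcpV4Config.RouteMetric = 10` to keep its lease from winning the routing decision. Remove the `DHCP` line from the two static units (networkd's default is no DHCP) so the only dynamic lease is the intended one on ens18. The default route is also split between `defaultGateway = { address = ""; interface = "ens20"; }` and the out-of-band `localCommands = "ip route add default dev ens20 metric 10"`; with `useNetworkd = true` that route belongs in the `routes` list of the `10-ens20` unit, where it is applied and withdrawn together with the interface. The `lib` module argument appears to be unused on this side of the change.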
@ -5,7 +5,7 @@
hostName = "nuage.beta.rz.ens.wtf";
|
||||
https = true;
|
||||
|
||||
package = pkgs.nextcloud26;
|
||||
package = pkgs.nextcloud23;
|
||||
|
||||
config = {
|
||||
overwriteProtocol = "https";
@ -29,15 +29,14 @@ in
recommendedTlsSettings = true;
|
||||
|
||||
virtualHosts = {
|
||||
# FIXME: factorize and remove it, it has been superseded by eleves.ens.fr/calendrier
|
||||
# "home.beta.rz.ens.wtf" = {
|
||||
# serverAliases = [ "beta.rz.ens.wtf" ];
|
||||
# default = true;
|
||||
# forceSSL = true;
|
||||
# enableACME = true;
|
||||
# root = "/var/public-cof/home";
|
||||
# locations = builtins.listToAttrs (map mkCloudLocation clouds);
|
||||
# };
|
||||
"home.beta.rz.ens.wtf" = {
|
||||
serverAliases = [ "beta.rz.ens.wtf" ];
|
||||
default = true;
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
root = "/var/public-cof/home";
|
||||
locations = builtins.listToAttrs (map mkCloudLocation clouds);
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@ -14,7 +14,7 @@
"klubrz-nur": {
|
||||
"branch": "main",
|
||||
"repo": "https://git.rz.ens.wtf/Klub-RZ/nur",
|
||||
"rev": "bb95bbed09ccb2ae5ab5a8e02537c4c28c46d27e",
|
||||
"rev": "98911e21fd58f00440dc8a5bd6568f2a349338bd",
|
||||
"type": "git"
|
||||
},
|
||||
"niv": {
@ -29,18 +29,6 @@
"url": "https://github.com/nmattia/niv/archive/e0ca65c81a2d7a4d82a189f1e23a48d59ad42070.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixexprs": {
|
||||
"branch": "master",
|
||||
"description": "All my Nix expressions",
|
||||
"homepage": null,
|
||||
"owner": "RaitoBezarius",
|
||||
"repo": "nixexprs",
|
||||
"rev": "5fd6966844be775a272e932375d7982275ba2300",
|
||||
"sha256": "1l5zgdgqbn7apw2ngqzid0sqrklx0rnj8sjid4ykx9156kdqjan5",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/RaitoBezarius/nixexprs/archive/5fd6966844be775a272e932375d7982275ba2300.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"raito-nur": {
|
||||
"branch": "master",
|
||||
"description": "All my Nix expressions",
@ -31,28 +31,8 @@ let
if spec ? branch then "refs/heads/${spec.branch}" else
|
||||
if spec ? tag then "refs/tags/${spec.tag}" else
|
||||
abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
|
||||
submodules = if spec ? submodules then spec.submodules else false;
|
||||
submoduleArg =
|
||||
let
|
||||
nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0;
|
||||
emptyArgWithWarning =
|
||||
if submodules == true
|
||||
then
|
||||
builtins.trace
|
||||
(
|
||||
"The niv input \"${name}\" uses submodules "
|
||||
+ "but your nix's (${builtins.nixVersion}) builtins.fetchGit "
|
||||
+ "does not support them"
|
||||
)
|
||||
{}
|
||||
else {};
|
||||
in
|
||||
if nixSupportsSubmodules
|
||||
then { inherit submodules; }
|
||||
else emptyArgWithWarning;
|
||||
in
|
||||
builtins.fetchGit
|
||||
({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg);
|
||||
builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };
|
||||
|
||||
fetch_local = spec: spec.path;
|
||||
|
||||
@ -3,17 +3,14 @@ let
nivSources = import ./nix/sources.nix;
|
||||
rz-src = nivSources.klubrz-nur;
|
||||
rz-no-pkgs = (import nivSources.klubrz-nur {});
|
||||
raitobezarius-src = nivSources.nixexprs;
|
||||
raitobezarius-no-pkgs = (import raitobezarius-src {});
|
||||
in
|
||||
{
|
||||
nixpkgs.config.packageOverrides = {
|
||||
rz = import rz-src { inherit pkgs; };
|
||||
# rz = import rz-src { inherit pkgs; };
|
||||
};
|
||||
|
||||
imports = [
|
||||
"${nivSources.agenix}/modules/age.nix"
|
||||
raitobezarius-no-pkgs.modules.sniproxy
|
||||
] ++ lib.attrValues rz-no-pkgs.modules;
|
||||
|
||||
nixpkgs.overlays = [];
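Review bot: `rz-no-pkgs = (import nivSources.klubrz-nur {});` re-reads the same source that `rz-src` names on the line above, so the two bindings can silently diverge if one is later repointed; write it as `rz-no-pkgs = import rz-src { };` (the parentheses are redundant as well). `imports = [ ... ] ++ lib.attrValues rz-no-pkgs.modules` also pulls in every module the pinned NUR exports, so a new module added upstream becomes part of this host's configuration on the next pin update without being named here; listing the modules actually needed keeps the evaluated surface explicit. The module header that brings `pkgs` and `lib` into scope is outside the hunk.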
@ -1,31 +0,0 @@
{ pkgs, lib, config, ... }:
|
||||
{
|
||||
services.nginx.virtualHosts."notion.rz.ens.wtf" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:3000";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
services.outline = {
|
||||
enable = true;
|
||||
publicUrl = "https://notion.rz.ens.wtf";
|
||||
defaultLanguage = "fr_FR";
|
||||
storage = {
|
||||
accessKey = "GK8b32d276b2eafb999a53188a";
|
||||
secretKeyFile = config.age.secrets.outlineS3Secrets.path;
|
||||
uploadBucketUrl = "https://s3.rz.ens.wtf";
|
||||
uploadBucketName = "outline";
|
||||
region = "ens";
|
||||
};
|
||||
oidcAuthentication = {
|
||||
userinfoUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/userinfo";
|
||||
tokenUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/token";
|
||||
authUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/auth";
|
||||
clientSecretFile = config.age.secrets.outline-oidc-client-secret.path;
|
||||
displayName = "Club réseau";
|
||||
clientId = "outline";
|
||||
};
|
||||
};
|
||||
}
@ -1,34 +0,0 @@
{ pkgs, ... }:
|
||||
let
|
||||
port = 19000;
|
||||
in
|
||||
{
|
||||
services.rstudio-server = {
|
||||
enable = true;
|
||||
rserverExtraConfig = ''
|
||||
www-port = ${toString port}
|
||||
'';
|
||||
|
||||
package = pkgs.rstudioServerWrapper.override {
|
||||
packages = with pkgs.rPackages; [
|
||||
ggplot2
|
||||
rmarkdown
|
||||
dplyr
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
users.users.ruser = {
|
||||
isNormalUser = true;
|
||||
hashedPassword = "$6$pTXXVh8NfE.M8VPc$q0fFh3Y7Y0DauLCcZLgJzFciq1wkjoHmO61XpOrZLH3a1M32ZzOMbjx2XMm2QxrUncbx6hGerY/lD8rQ8InS4.";
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."rstudio.beta.rz.ens.wtf" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:${toString port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
}
@ -10,22 +10,4 @@
group = "nextcloud";
|
||||
file = ./nextcloudDatabasePasswordFile.age;
|
||||
};
|
||||
|
||||
age.secrets.kanboard-secrets = {
|
||||
owner = "kanboard";
|
||||
group = "kanboard";
|
||||
file = ./kanboard-secrets.age;
|
||||
};
|
||||
|
||||
age.secrets.outlineS3Secrets = {
|
||||
owner = "outline";
|
||||
group = "outline";
|
||||
file = ./outlineS3Secrets.age;
|
||||
};
|
||||
|
||||
age.secrets.outline-oidc-client-secret = {
|
||||
owner = "outline";
|
||||
group = "outline";
|
||||
file = ./outline-oidc-client-secret.age;
|
||||
};
|
||||
}
@ -1,25 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa krWCLQ
|
||||
jsay8IXK6RjVULRqpfvgHOr8H3ALxQyJ3BQIkmSfRrLlJXDbYWUKBCztXc7whfb/
|
||||
XTc3Sa5bybIXXX3wLzYmxCYjUa1CoHgIb1UWAhM3KyTJ4XSw7pVti29VM5p74+ex
|
||||
tJeb44hXlkD7V7C2yYp6CcBH1IgnvEL8ulVopkis/TBQtWi6QaGJBPX2yxEJ3QDh
|
||||
uAn5czrrDenBZRsIYTaKrlbgCM/Oeh4mDFSaFKIqfX2g7ClbsC1ejF3PvbsXN6il
|
||||
pk2YSZ/F5ivNBkvWFmQrNJyLjkcIrxoFvzcXOTk8yM9iu4BFlPbX7NcAMrHpbSIR
|
||||
3ew59I0cGkbzRAtLI9p97w
|
||||
-> ssh-ed25519 85WiGg XQK2huU0kqkKbVYf6SJFqcumOL8zDPfOuGwNy78dJm4
|
||||
aP8CNgS1/wfv2RB7nXZqYnZaXDORk9I5lPZy87FVmRY
|
||||
-> ssh-ed25519 reTIKw jZ57SfMYyOr9P9eNK/Q2CMAWtYtfjyV/MaTVnqEHxkU
|
||||
ycPo/pwC9CtYWAcrclo1b26+mPU4Z6pCPecGPMmL3ag
|
||||
-> ssh-ed25519 /vwQcQ v5bvHTvld6WErGt+Vp0mivpFH5srQPHkbPd0Nk3IDy0
|
||||
27+ZreTwyaxtb5vrRpD/2C2MUT9onRcX4Yr7KHnTGOo
|
||||
-> ssh-ed25519 cvTB5g gKxECDYMSja0FTqteAk39iMDsNIM+ox31sIvnY2ityk
|
||||
pkUZgDWdAzuGCvuRhOE8oeazIRw+kpPhnkksF2zTjxA
|
||||
-> ssh-ed25519 Wu8JLQ lMgIKw3Qzg/Lw6UtpPZWDrE0WBc71meaprrnmARqDDM
|
||||
FN/S9xo22u4kMWqrPD3KmfLbDq8L0TxtfDUSBLVq+Tk
|
||||
-> ssh-ed25519 xbfJnw emSflhzdsItaXULjPXre8jlnXxJuXFAaoLWGVAAej1I
|
||||
4OS68AuzPr+zwp9Bqb4lYGJHjPwPMSXuprw7+8agOyU
|
||||
-> Wd-grease
|
||||
pdSa/JP70fd6VvSgpIJQAk8ZiZfKo8l7UpVwBib59SB9IRNVZdSbHINFUzuIozGu
|
||||
Z7dyg+x6QQ
|
||||
--- TjceHicjeIIKz0f7R5u7nLrCtb39MmS/vEK3w0xHbmw
|
||||
¾ßQ¢ëºZ`? ZvÆ~^è¼Ø$öÒcèt§è2ÓÁÚÔ“y3Ö.+KFÊ2OC‚_$¤]y£³¬À³~ý¢×l%0ôÐ_ ð Ü»”à R·®EÆM4H’Ä°•á™{ÑrÐ$˜çÞ¬™*<2A>1\2FÚ¬BLAK!ÜÜ&Cþ׋û_Õ.Oëmœ3¬ÕÍ•©hδêµV<ü z$Š'-sø'J
|
|
@ -1,26 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa krWCLQ
|
||||
HeTVcJxU2zRewuzQVknnxAYjlCU8+GJjBz9joGPo2j934uiM3A6PBsFmoz6I1ZfJ
|
||||
pg68benaKfV+VI1sN8fMDWoEO0QrFzHYULXT9JCyQTClUzUZSlMpzmDgCmHjLPEc
|
||||
qB23sbwKzgyFO9SKHsPvOqxZrEyTwAKiNYa33QuSyRxN3S4/9PxVjgJTTqLbTVqf
|
||||
hhnujxviU3iHV2ACqLAV5jYSbAleiAh53vnBc0k326vXbrumQqFvQtgwcqDn4vDR
|
||||
2QYzEwsj+yV9BlRrGSBZSnoHZjWtsE/ntrEaIZiItT3Ots1CCVswd7LGb3LspYbf
|
||||
NheRvY7zUXppGiB0+mjZJg
|
||||
-> ssh-ed25519 85WiGg tGvDzYdpKP8lql3murRlp95w7jQUhhuodIgVxDk4Lgs
|
||||
aVV4b71w/nU3nBaYKdzzYjXVaxgN2EpyQiKsjO33GcI
|
||||
-> ssh-ed25519 reTIKw LJJF7K8fRsSoAFDyndWP9nA5FV4w7cWSqUgGnvdB42I
|
||||
wI22cL/GuyVou1robDUHzNMfCR7L6NA4UWFSeV73d88
|
||||
-> ssh-ed25519 /vwQcQ KZQSME50r4yrnyFfH6nwbmCn0UmVUMIBhhfqoicrKVY
|
||||
xDdBu7/K8ZxGT2BnffAR8UsQIAVlLpSfEvo1m4k87ng
|
||||
-> ssh-ed25519 cvTB5g HjLQQhFwEekFYHV5sko/x8RwcAsgvl/cCoKakX4B6yE
|
||||
Ub5TWpDPYA3DSwfRT2hmgPcwoMIhsOhgdhckFuZxQ8s
|
||||
-> ssh-ed25519 Wu8JLQ L0bnDPmv3Chemi/BKhux9GYXDMMLUjO6H8MQe1REpBA
|
||||
qtN6IH8M8kLYAQ8a64kYCCaAPhg6VjrojTONdY4MVyA
|
||||
-> ssh-ed25519 xbfJnw 94xx8KL0EWqs3HIsdY9RFvC6aRsk7cemZxciLIkVCDM
|
||||
WZnyqSwpCBA8GNnu6VEJSLIRtv8rzOpGFH6e387ohpQ
|
||||
-> TS-grease
|
||||
D32P8/tpegDSy/xsspwpuq8EVqwDyZUzJF2Ose+3cqHAx8db4DPWnmt4z4Ch5bXw
|
||||
KtmO+2eEYTmPyYUZxI+uzr93CQhVq7aFlch6cWLEaqg
|
||||
--- 6kPR6tdczt01UaY4ps38dncSMFCupa9uZmSWBjm85ps
|
||||
<18>LnŸÖ4¦K¬z>Ê(³Ù†°=f¼õ´ˆÊ·œ®PG<50>Þ<hÒçº×ø±uÓÖV’³Ø#–¸P
|
||||
ÑÑ&¶qý
|
|
@ -1,25 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa krWCLQ
|
||||
nxiY5l98JhWEwLYN7sWtsgN4faDTIpgo1fiPScxXB8/ljnxIyd1vhMVRt0WCTOQV
|
||||
CFTQ9MOoTAk90Zj4wjxDjoJjjsXLUBVnjqLdQy76kgR5vAvVrHzuYTYO4Y4k0/qh
|
||||
S6BEFN655P0n4Gxf9kJtKxi3ipN6B46ydACAjFeyeuOPMkMdBBZq1BOLPEOC9I+O
|
||||
87p+8BdL+zxkYfaWfEggYgabrE7y91EjiB1VCuT0GFm8T8iBojvThxWQlHQAybBc
|
||||
gvgTlyGf8YmY82uGhGQR39okrA914mJUkr11JZ9457qL+/t5Au/dha1x6QlwcUoz
|
||||
Tp5OQJAfXZc02LsICq2I7A
|
||||
-> ssh-ed25519 85WiGg c6vyT96h0eVL+xZpR0Zk06l5ApUsqENY9ESeYuOG0zY
|
||||
dJbQVgH41Ti/AM7WAlXCCA501h8wgx2os5yiZt+jxp8
|
||||
-> ssh-ed25519 reTIKw rVhKDqm51EMuOQnTcsdWmqoBDI/LLnFpkJW93EfcdB0
|
||||
AAOEQp0tux1vJ0bPIcB1HtLodig/J4poeu6j/Hk8KiA
|
||||
-> ssh-ed25519 /vwQcQ jGLr83VDSxYd3v42ECOiTpSTDRB5TVSqx3QHRbMgfEk
|
||||
k2hBCGntsqP0czKV2JvMbf8lAqpjVvnJqSxfdr00A7w
|
||||
-> ssh-ed25519 cvTB5g BqVT8ytcjINNKrGAtttAtxRMpLs4LJg1Uy3zvDxTvwk
|
||||
DRDEl+CNZnuT+KE1txjHgaWIYmiSeUTsesnXYq89YNQ
|
||||
-> ssh-ed25519 Wu8JLQ 731ytp+gu36OvH0QbkeDUwMHj3J4u0JujJnfTUQ2C1A
|
||||
KPGEKLoV9K1PPdIyla5D1lsmhRt/XUHLrCTeApbqR6c
|
||||
-> ssh-ed25519 xbfJnw Ojf4cuctALx+Q/qWqSarRcnxvwrHjbAK5r4pnhKUzmo
|
||||
WHp4Op3N3SeniWS7XhPmvRkTyjDIPDBBGviDaiCNbOc
|
||||
-> 3P-h|3ru-grease
|
||||
5icFsPwzKpnImSlgICy/wDq6YJLTcIML3EoDUOgvGOFSs+efH4bWExmd2ktGtqYd
|
||||
ewEKHYlnpIFNTMtlRs7U7sR3qnLHadq3McnhR/8OlQ
|
||||
--- iwVp/AYpQfFOIg/OI85nNTgdY/HKlEsCHWiBO0lOtJg
|
||||
Z=eBÒbÀ£›â[3‹$”Ôk‘â„(õ®²2Èöx%0ž—£+18T•,;ÅÛóFÕ¬"EÏKe³•¶óÃZø*’Òè$}ýœCp Ão9æ+À¡‡›|CJ’¹-¼
|
|
@ -1,16 +1,13 @@
|
|||
let
|
||||
pkgs = import <nixpkgs> {};
|
||||
lib = pkgs.lib;
|
||||
readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys")));
|
||||
superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "hubrecht");
|
||||
readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys")));
|
||||
superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd");
|
||||
public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg";
|
||||
systems = [ public-cof ];
|
||||
in
|
||||
{
|
||||
"nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems;
|
||||
"nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems;
|
||||
"kanboard-secrets.age".publicKeys = superadmins ++ systems;
|
||||
"outlineS3Secrets.age".publicKeys = superadmins ++ systems;
|
||||
"outline-oidc-client-secret.age".publicKeys = superadmins ++ systems;
|
||||
}
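Review bot: Editing the recipient list in this file re-encrypts nothing by itself; the `.age` files listed below only pick up the new `publicKeys` once they are rekeyed, so that step belongs with this change or in its description. If the `superadmins` line without `hubrecht` is the new side, as the print order suggests, removing a recipient does not revoke what that key could already decrypt, so the values inside those files should be rotated rather than merely rekeyed. The `readPubkeys` path also moves between `../../pubkeys` and `../pubkeys` in the same hunk, and which depth is current cannot be read off this page, so confirm the directory exists where the new side points.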
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
|
||||
# Auto GC and store optimizations
|
||||
nix = {
|
||||
settings.trusted-users = [ "root" ];
|
||||
trustedUsers = [ "root" ];
|
||||
gc = {
|
||||
automatic = true;
|
||||
dates = "weekly";
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
{ ... }:
|
||||
let
|
||||
proxyIPv4 = "45.13.104.29";
|
||||
in
|
||||
{
|
||||
networking.firewall.allowedTCPPorts = [ 443 ];
|
||||
|
||||
services.sniproxy = {
|
||||
enable = true;
|
||||
|
||||
resolver = {
|
||||
mode = "ipv6_first";
|
||||
};
|
||||
|
||||
listeners = [
|
||||
{
|
||||
address = "${proxyIPv4}:443";
|
||||
table = "vhosts";
|
||||
fallback = null;
|
||||
}
|
||||
];
|
||||
|
||||
tables.vhosts = [
|
||||
{
|
||||
match = "traque.beta.rz.ens.wtf";
|
||||
dest = "traque.beta.rz.ens.wtf";
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
|
@ -1,36 +1,13 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./acme-dns.nix
|
||||
./acme-ssl.nix
|
||||
./backups.nix
|
||||
# ./dex.nix
|
||||
./dns.nix
|
||||
# ./gitea.nix
|
||||
./headscale.nix
|
||||
./keycloak.nix
|
||||
./matterbridge.nix
|
||||
# ./monitoring.nix
|
||||
# ./netboot-server.nix
|
||||
./network.nix
|
||||
./nginx.nix
|
||||
./nur.nix
|
||||
# ./oauth2_proxy.nix
|
||||
./programs.nix
|
||||
./qemu.nix
|
||||
./rz.nix
|
||||
./secrets
|
||||
./snipe-it.nix
|
||||
./system.nix
|
||||
./tunnels.nix
|
||||
|
||||
# TODO push to gitea
|
||||
# TODO ./gotify.nix
|
||||
# TODO(Raito): ./backups.nix
|
||||
# TODO(Raito): ./snmp.nix
|
||||
# TODO(Raito): ./sflow.nix?
|
||||
];
|
||||
imports =
|
||||
[
|
||||
./hardware-configuration.nix
|
||||
./programs.nix
|
||||
./system.nix
|
||||
# TODO monitoring
|
||||
];
|
||||
|
||||
# Use the systemd-boot EFI boot loader.
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
|
@ -39,17 +16,17 @@
|
|||
boot.initrd.supportedFilesystems = [ "zfs" ];
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
|
||||
networking.hostName = "core-services-01";
|
||||
networking.hostId = "64838310";
|
||||
networking.hostName = "remote-builder-01";
|
||||
networking.hostId = "11894198";
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Paris";
|
||||
|
||||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||
# replicates the default behaviour.
|
||||
networking.useDHCP = false;
|
||||
# Adieu, hackENS — networking.interfaces.ens18.useDHCP = true;
|
||||
networking.interfaces.ens19.useDHCP = true;
|
||||
networking.interfaces.ens18.useDHCP = true;
|
||||
|
||||
# Configure network proxy if necessary
|
||||
# networking.proxy.default = "http://user:password@proxy:port/";
|
||||
|
@ -62,6 +39,13 @@
|
|||
keyMap = "us";
|
||||
};
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
wget
|
||||
];
|
||||
|
||||
# Some programs need SUID wrappers, can be configured further or are
|
||||
# started in user sessions.
|
||||
programs.mtr.enable = true;
|
||||
|
@ -74,11 +58,27 @@
|
|||
|
||||
services.zfs.autoScrub.enable = true;
|
||||
|
||||
# Enable the OpenSSH daemon.
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = [
|
||||
./pubkeys/gdd.keys
|
||||
./pubkeys/raito.keys
|
||||
./pubkeys/remote-builders.keys
|
||||
];
|
||||
|
||||
# Open ports in the firewall.
|
||||
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# Or disable the firewall altogether.
|
||||
networking.firewall.enable = false;
|
||||
|
||||
system.stateVersion = "22.05";
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "21.05"; # Did you read the comment?
|
||||
|
||||
}
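Review bot: `networking.firewall.enable = false;` in the last hunk appears to be a new-side line and switches the host firewall off entirely on a machine whose root account is reachable by SSH key; if the goal is only to reach sshd, keep the firewall and open the port, `networking.firewall.allowedTCPPorts = [ 22 ];`. Nothing on the new side turns password authentication off for sshd (the deleted krz-ssh module in this range did, via `settings.PasswordAuthentication = false`), so pin it explicitly next to the existing `services.openssh.enable = true;`, using the option spelling of the nixpkgs release this host tracks. `./pubkeys/remote-builders.keys` is referenced in the `keyFiles` list but is not among the files added in this excerpt, so confirm it exists in the tree.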
|
||||
|
|
@ -8,33 +8,28 @@
|
|||
[ (modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.initrd.luks.devices.c-disk = {
|
||||
device = "/dev/disk/by-uuid/9c57dd15-b6e4-4496-84ca-6ffe41a9dd42";
|
||||
|
||||
keyFile = "/dev/zero";
|
||||
keyFileSize = 1;
|
||||
|
||||
fallbackToPassword = true;
|
||||
};
|
||||
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/a48770a7-87f0-4f95-9458-50f022d20472";
|
||||
fsType = "ext4";
|
||||
{ device = "rpool/root/nixos";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/home" =
|
||||
{ device = "rpool/home";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/1FD5-AB3E";
|
||||
{ device = "/dev/disk/by-uuid/3341-A3B9";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[ { device = "/dev/disk/by-uuid/050ed1a8-60be-47e8-9f96-146362ea5e46"; }
|
||||
[ { device = "/dev/disk/by-uuid/1f624fe3-1fc5-44f4-9529-812558ffba42"; }
|
||||
];
|
||||
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
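Review bot: The root and `/home` filesystems are now plain `rpool/*` ZFS datasets and, unlike the layout being replaced, this hunk carries no disk-encryption configuration at all; if data at rest on this builder is meant to be encrypted, the datasets need ZFS native encryption and the initrd must ask for the key (`boot.zfs.requestEncryptionCredentials = true;`), otherwise record the decision in a comment above `fileSystems."/"`. Whether `rpool` was created encrypted cannot be seen from this file, so treat this as a question to settle rather than a defect. The enclosing attribute set opens before this hunk.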
|
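--- a/machines/remote-builder-01/programs.nix
+++ b/machines/remote-builder-01/programs.nix
@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+let pkgsList = with pkgs; [
+nix-prefetch-git
+dnsutils
+
+unzip
+zip
+ripgrep
+
+niv
+nixfmt
+];
+in
+{
+imports = [
+./vim.nix
+];
+programs = {
+tmux.enable = true;
+mosh.enable = true;
+};
+
+environment.systemPackages = pkgsList;
+}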
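--- a/machines/remote-builder-01/pubkeys/gdd.keys
+++ b/machines/remote-builder-01/pubkeys/gdd.keys
@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ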
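--- a/machines/remote-builder-01/pubkeys/raito.keys
+++ b/machines/remote-builder-01/pubkeys/raito.keys
@@ -0,0 +1,4 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr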
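--- a/machines/remote-builder-01/system.nix
+++ b/machines/remote-builder-01/system.nix
@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+{
+# # Auto upgrades
+# system.autoUpgrade = {
+# enable = false; # TODO(Ryan): do not enable, it will break deployments.
+# allowReboot = false;
+# };
+
+# Auto GC and store optimizations
+nix = {
+trustedUsers = [ "root" "gab" ];
+gc = {
+automatic = true;
+dates = "weekly";
+options = "--delete-older-than 90d";
+};
+optimise.automatic = true;
+extraOptions = ''
+min-free = ${toString (100 * 1024 * 1024)}
+max-free = ${toString (1024 * 1024 * 1024)}
+'';
+};
+
+services.locate = {
+enable = true;
+interval = "04:05";
+};
+}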
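Review bot: `trustedUsers = [ "root" "gab" ];` makes `gab` a Nix trusted user, which is effectively root-equivalent (a trusted user can hand the daemon arbitrary substituters and override sandbox and builder settings), yet no `gab` account is declared in any file added in this range; either declare the user next to this line with a comment stating why it needs daemon trust, or drop it. `nix.trustedUsers` is also the legacy spelling that newer nixpkgs replaced with `nix.settings.trusted-users`, the form the core-services-01 hunk in this range still uses, so a comment such as `# legacy option name; newer releases use nix.settings.trusted-users` would keep the two hosts from drifting silently.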
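--- a/machines/remote-builder-01/vim.nix
+++ b/machines/remote-builder-01/vim.nix
@@ -0,0 +1,31 @@
+{ pkgs, ... }:
+{
+environment.variables = { EDITOR = "vim"; };
+
+environment.systemPackages = with pkgs; [
+nixfmt
+git
+(neovim.override {
+vimAlias = true;
+configure = {
+packages.myPlugins = with pkgs.vimPlugins; {
+start = [ vim-lastplace vim-nix ];
+opt = [];
+};
+customRC = ''
+set encoding=utf-8
+set wildmenu
+
+set nocompatible
+set backspace=indent,eol,start
+set cursorline
+hi CursorLine term=bold cterm=bold ctermbg=darkgrey
+set number
+set relativenumber
+set tabstop=4
+set expandtab
+'';
+};
+}
+)];
+}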
|
@ -1,28 +0,0 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
./router.nix
|
||||
];
|
||||
|
||||
# Use the systemd-boot EFI boot loader.
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
# Set your time zone.
|
||||
# time.timeZone = "Europe/Amsterdam";
|
||||
|
||||
networking.hostName = "router03";
|
||||
networking.domain = "internal.rz.ens.wtf";
|
||||
|
||||
services.getty.autologinUser = "root";
|
||||
services.openssh.enable = true;
|
||||
|
||||
system.stateVersion = "24.05"; # Did you read the comment?
|
||||
}
|
||||
|
|
@ -1,40 +0,0 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.initrd.luks.devices.c-disk = {
|
||||
device = "/dev/disk/by-uuid/9c57dd15-b6e4-4496-84ca-6ffe41a9dd42";
|
||||
|
||||
keyFile = "/dev/zero";
|
||||
keyFileSize = 1;
|
||||
|
||||
fallbackToPassword = true;
|
||||
};
|
||||
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/a48770a7-87f0-4f95-9458-50f022d20472";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/1FD5-AB3E";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[ { device = "/dev/disk/by-uuid/050ed1a8-60be-47e8-9f96-146362ea5e46"; }
|
||||
];
|
||||
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
|
@ -1,28 +0,0 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
krz-router = {
|
||||
enable = true;
|
||||
enablePrimary = true;
|
||||
routerId = 1;
|
||||
vip = "129.199.146.230";
|
||||
rip = "129.199.146.231";
|
||||
trunkPort.macAddress = "92:E3:9C:CE:EF:14";
|
||||
virtualNeighbors = [ 2 ];
|
||||
};
|
||||
|
||||
# systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
|
||||
environment.systemPackages = [ pkgs.tcpdump pkgs.wireguard-tools ];
|
||||
|
||||
# Zone based firewall
|
||||
|
||||
# Flow accounting in PostgreSQL.
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureUsers = [];
|
||||
};
|
||||
# services.ulogd = {
|
||||
# enable = true;
|
||||
# settings = {
|
||||
# };
|
||||
# };
|
||||
}
|
|
@ -1,28 +0,0 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
./router.nix
|
||||
];
|
||||
|
||||
# Use the systemd-boot EFI boot loader.
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
# Set your time zone.
|
||||
# time.timeZone = "Europe/Amsterdam";
|
||||
|
||||
networking.hostName = "router04";
|
||||
networking.domain = "internal.rz.ens.wtf";
|
||||
|
||||
services.getty.autologinUser = "root";
|
||||
services.openssh.enable = true;
|
||||
|
||||
system.stateVersion = "24.05"; # Did you read the comment?
|
||||
}
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
krz-router = {
|
||||
enable = true;
|
||||
enablePrimary = false;
|
||||
routerId = 2;
|
||||
vip = "129.199.146.230";
|
||||
rip = "129.199.146.232";
|
||||
trunkPort.macAddress = "92:E3:9C:CE:EF:15";
|
||||
virtualNeighbors = [ 1 ];
|
||||
};
|
||||
|
||||
# systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
|
||||
environment.systemPackages = [ pkgs.tcpdump pkgs.wireguard-tools ];
|
||||
|
||||
# Zone based firewall
|
||||
|
||||
# Flow accounting in PostgreSQL.
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureUsers = [];
|
||||
};
|
||||
# services.ulogd = {
|
||||
# enable = true;
|
||||
# settings = {
|
||||
# };
|
||||
# };
|
||||
}
|
|
@ -1,5 +0,0 @@
|
|||
let
|
||||
nodes = import ./nodes.nix;
|
||||
in
|
||||
|
||||
{ inherit nodes; }
|
|
@ -1,78 +0,0 @@
|
|||
###
|
||||
# File specifying all the deployement options for the nodes administrated by the dgnum.
|
||||
#
|
||||
# Node metadata template is:
|
||||
#
|
||||
# NODE_NAME = {
|
||||
# adminGroups = []; # List of groups that have root access
|
||||
# admins = []; # List of individuals that have root access
|
||||
# deployment = {}; # Colmena deployment options
|
||||
# nixpkgs = "unstable" or "22.11"; # nixpkgs version
|
||||
# }
|
||||
|
||||
let
|
||||
mkNode = _: attrs: {
|
||||
access = [ ];
|
||||
|
||||
deployment = { };
|
||||
|
||||
nixpkgs = "23.05";
|
||||
} // attrs;
|
||||
in
|
||||
|
||||
builtins.mapAttrs mkNode {
|
||||
core-services-01 = {
|
||||
admins = [
|
||||
"gdd"
|
||||
"hubrecht"
|
||||
"mrf"
|
||||
"raito"
|
||||
"sinavir"
|
||||
];
|
||||
|
||||
deployment.targetHost = "core01.rz.ens.wtf";
|
||||
|
||||
stateVersion = "22.05";
|
||||
};
|
||||
|
||||
public-cof = {
|
||||
admins = [
|
||||
"gdd"
|
||||
"hubrecht"
|
||||
"mrf"
|
||||
"raito"
|
||||
"sinavir"
|
||||
];
|
||||
|
||||
deployment.targetHost = "beta.rz.ens.wtf";
|
||||
|
||||
stateVersion = "21.05";
|
||||
};
|
||||
|
||||
router03 = {
|
||||
admins = [
|
||||
"gdd"
|
||||
"hubrecht"
|
||||
"raito"
|
||||
"sinavir"
|
||||
];
|
||||
|
||||
deployment.targetHost = "129.199.146.231";
|
||||
|
||||
stateVersion = "24.05";
|
||||
};
|
||||
|
||||
router04 = {
|
||||
admins = [
|
||||
"gdd"
|
||||
"hubrecht"
|
||||
"raito"
|
||||
"sinavir"
|
||||
];
|
||||
|
||||
deployment.targetHost = "129.199.146.232";
|
||||
|
||||
stateVersion = "24.05";
|
||||
};
|
||||
|
||||
}
|
|
@ -1,12 +0,0 @@
|
|||
{ lib, sources, ... }:
|
||||
|
||||
{
|
||||
imports = (lib.extra.mkImports ./. [
|
||||
"krz-access-control"
|
||||
"krz-ssh"
|
||||
"krz-router"
|
||||
]) ++ [
|
||||
# TODO: Switch to global version of agenix via npins
|
||||
# "${sources.agenix}/modules/age.nix"
|
||||
];
|
||||
}
|
|
@ -1,46 +0,0 @@
|
|||
{ config, lib, meta, name, ... }:
|
||||
|
||||
let
|
||||
inherit (lib)
|
||||
mkDefault
|
||||
mkEnableOption
|
||||
mkIf
|
||||
mkOption
|
||||
|
||||
types;
|
||||
|
||||
nodeMeta = meta.nodes.${name};
|
||||
inherit (nodeMeta) admins;
|
||||
|
||||
cfg = config.krz-access-control;
|
||||
in
|
||||
|
||||
{
|
||||
options.krz-access-control = {
|
||||
enable = mkEnableOption "DGNum access control." // { default = true; };
|
||||
|
||||
users = mkOption {
|
||||
type = with types; attrsOf (listOf str);
|
||||
default = { };
|
||||
description = ''
|
||||
Attribute set describing which member has access to which user on the node.
|
||||
Members must be declared in `meta/members.nix`.
|
||||
'';
|
||||
example = ''
|
||||
{
|
||||
user1 = [ "member1" "member2" ];
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
# Admins have root access to the node
|
||||
krz-access-control.users.root = mkDefault admins;
|
||||
|
||||
users.users = builtins.mapAttrs
|
||||
(u: members: { openssh.authorizedKeys.keys = lib.extra.getAllKeys members; })
|
||||
cfg.users;
|
||||
};
|
||||
}
|
||||
|
|
@ -1,382 +0,0 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
inherit (lib)
|
||||
mkIf mkEnableOption mkOption types;
|
||||
cfg = config.krz-router;
|
||||
mkVLAN = name: id: {
|
||||
netdevConfig = {
|
||||
Kind = "vlan";
|
||||
Name = name;
|
||||
};
|
||||
vlanConfig.Id = id;
|
||||
};
|
||||
mkTunnel = kind: name: { local, remote, mtu ? 1480 }: {
|
||||
netdevConfig = {
|
||||
Kind = kind;
|
||||
Name = name;
|
||||
MTUBytes = toString mtu;
|
||||
};
|
||||
tunnelConfig = {
|
||||
Local = local;
|
||||
Remote = remote;
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
options.krz-router = {
|
||||
enable = mkEnableOption "KlubRZ router";
|
||||
enablePrimary = mkEnableOption ''primary mode for this router.
|
||||
This means that this router will assume the primary role by default.
|
||||
Do not run on the same L2 segment the same router as primary.
|
||||
'';
|
||||
enableDebug = mkEnableOption "debug mode for the various subsystems";
|
||||
trunkPort.macAddress = mkOption {
|
||||
type = types.str;
|
||||
description = "MAC address of the trunk port connected to a (virtual) switch";
|
||||
};
|
||||
vip = mkOption {
|
||||
type = types.str;
|
||||
description = "Highly-available virtual IP address of the router";
|
||||
};
|
||||
rip = mkOption {
|
||||
type = types.str;
|
||||
description = "Real IP address of the router";
|
||||
};
|
||||
routerId = mkOption {
|
||||
type = types.int;
|
||||
description = "Router ID for computing automatic IPs";
|
||||
};
|
||||
virtualPriority = mkOption {
|
||||
type = types.int;
|
||||
description = "Virtual router priority in the election";
|
||||
# As recommended per RFC.
|
||||
default = if cfg.enablePrimary then 100 else 50;
|
||||
};
|
||||
virtualNeighbors = mkOption {
|
||||
type = types.listOf types.int;
|
||||
description = "Virtual router neighbors in terms of router IDs";
|
||||
default = [ ];
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.network.links."10-swp" = {
|
||||
matchConfig.MACAddress = cfg.trunkPort.macAddress;
|
||||
linkConfig.Name = "swp";
|
||||
};
|
||||
|
||||
networking.firewall.allowedUDPPorts = [ 25351 ];
|
||||
systemd.network.enable = true;
|
||||
networking.dhcpcd.enable = false;
|
||||
systemd.network = {
|
||||
config.routeTables = {
|
||||
he = 100;
|
||||
mwan = 110;
|
||||
};
|
||||
netdevs = {
|
||||
"05-admin-vpn" = {
|
||||
netdevConfig = {
|
||||
Kind = "wireguard";
|
||||
Name = "wgadmin";
|
||||
MTUBytes = "1420";
|
||||
};
|
||||
wireguardConfig = {
|
||||
PrivateKeyFile = "/etc/secrets/wireguard/wgadmin";
|
||||
ListenPort = 25351;
|
||||
};
|
||||
wireguardPeers = [
|
||||
{
|
||||
wireguardPeerConfig = {
|
||||
PublicKey = "obsUPq4Y1XGbl3yPUytPKkVcSP+eECpaQX+bV+ocwXg=";
|
||||
AllowedIPs = [ "fd81:fb3a:50cc::100/128" ];
|
||||
};
|
||||
}
|
||||
{
|
||||
# Julien Malka, laptop X2100
|
||||
wireguardPeerConfig = {
|
||||
PublicKey = "P6yIXwpUtX5WABxN5wZdxjqXyb/9kDwJqhj8VGGtAW4=";
|
||||
AllowedIPs = [ "fd81:fb3a:50cc::200/128" ];
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
"10-tun-mwan" = mkTunnel "gre" "gre-mwan" {
|
||||
remote = "80.67.167.30";
|
||||
local = cfg.vip;
|
||||
};
|
||||
"10-tun-he" = mkTunnel "sit" "sit-he" {
|
||||
remote = "216.66.84.42";
|
||||
local = cfg.vip;
|
||||
};
|
||||
# VLANs
|
||||
# 401: uplink ENS
|
||||
# 3500: intranet club réseau, proxy ARP et proxy arp pvlan / 10.1.1.1/22
|
||||
# 3510: mgmt club réseau (administration network) / fd81:fb3a:50cc::/64
|
||||
# 3605: MWAN V6 DMZ / 2a0e:e701:1120:b00c::1/64
|
||||
# 3606: MWAN V4 DMZ / 45.13.104.25/29
|
||||
# 3607: Club Réseau v6 DMZ (en ASN propre)
|
||||
# 3608: DN42 DMZ
|
||||
# 3609: HE V6 DMZ / 2001:470:1f13:187::1/64
|
||||
# 3610: Free V6 DMZ
|
||||
# 3620: HE.net IPv6 /48 -> DHCP-PD /60
|
||||
# 3621: MWAN DMZ /48 PD delivery / 2a0e:e701:1120::1/48
|
||||
# 3622: Router VRRP link / $to_be_determined.
|
||||
# "10-uplink-ens" = mkVLAN "uplink-ens" 401; dysfunctional?
|
||||
"10-intranet-krz" = mkVLAN "intranet-krz" 3500;
|
||||
"10-admin" = mkVLAN "admin" 3510;
|
||||
"10-mwan-v6" = mkVLAN "mwan-v6" 3605;
|
||||
"10-mwan-dual" = mkVLAN "mwan-dual" 3606;
|
||||
"10-krz-v6" = mkVLAN "krz-v6" 3607;
|
||||
"10-dn42-dmz" = mkVLAN "dn42-dmz" 3608;
|
||||
"10-he-dmz" = mkVLAN "he-dmz" 3609;
|
||||
"10-free-dmz" = mkVLAN "free-dmz" 3610;
|
||||
"10-he-pd" = mkVLAN "he-v6-pd" 3620;
|
||||
"10-mwan-pd" = mkVLAN "mwan-v6-pd" 3621;
|
||||
"10-vrrp-router" = mkVLAN "vrrp-router" 3622;
|
||||
};
|
||||
networks = {
|
||||
"10-admin-vpn" = {
|
||||
matchConfig.Name = "wgadmin";
|
||||
networkConfig = {
|
||||
Description = "VPN d'administration système de l'infrastructure";
|
||||
Address = [ "fd81:fb3a:50cc::${toString (cfg.routerId + 1)}/64" ];
|
||||
# Give access to the rest of the network.
|
||||
IPForward = "ipv6";
|
||||
ConfigureWithoutCarrier = true;
|
||||
};
|
||||
linkConfig.RequiredForOnline = "routable";
|
||||
};
|
||||
"15-admin-vlan" = {
|
||||
matchConfig.Name = "admin";
|
||||
networkConfig = {
|
||||
Description = "VLAN d'administration système de l'infrastructure";
|
||||
Address = [ "fd81:fb3a:50cc:1::${toString (cfg.routerId + 1)}/48" ];
|
||||
# Give access to the rest of the network.
|
||||
IPForward = "ipv6";
|
||||
IPv6ProxyNDP = true;
|
||||
ConfigureWithoutCarrier = true;
|
||||
};
|
||||
linkConfig.RequiredForOnline = "routable";
|
||||
};
|
||||
"20-tun-mwan" = {
|
||||
matchConfig.Name = "gre-mwan";
|
||||
networkConfig = {
|
||||
Description = "Tunnel de livraison GRE IPv4/IPv6 de MilkyWAN";
|
||||
Address = [ "10.1.1.50/30" "2a0b:cbc0:1::216/126" ];
|
||||
ConfigureWithoutCarrier = true;
|
||||
};
|
||||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Gateway = "10.1.1.49";
|
||||
Table = "mwan";
|
||||
Scope = "global";
|
||||
# FIXME(raito): Has no effect? Upstream bug?
|
||||
Source = "45.13.104.25/29";
|
||||
};
|
||||
}
|
||||
{
|
||||
routeConfig = {
|
||||
Destination = "::/0";
|
||||
Gateway = "2a0b:cbc0:1::215";
|
||||
Table = "mwan";
|
||||
Scope = "global";
|
||||
Source = "2a0e:e701:1120::/48";
|
||||
};
|
||||
}
|
||||
];
|
||||
routingPolicyRules = [
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
From = "2a0e:e701:1120::/48";
|
||||
Table = "mwan";
|
||||
};
|
||||
}
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
From = "45.13.104.25/29";
|
||||
Table = "mwan";
|
||||
};
|
||||
}
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
To = "45.13.104.25/29";
|
||||
Table = "mwan";
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
"20-tun-he" = {
|
||||
matchConfig.Name = "sit-he";
|
||||
networkConfig = {
|
||||
Description = "HE.NET IPv6 Tunnel (owned by gdd)";
|
||||
Address = [ "2001:470:1f12:187::2/64" ];
|
||||
ConfigureWithoutCarrier = true;
|
||||
};
|
||||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Destination = "::/0";
|
||||
Table = "he";
|
||||
Scope = "global";
|
||||
Source = "2001:470:1f13::/48";
|
||||
};
|
||||
}
|
||||
];
|
||||
routingPolicyRules = [
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
From = "2001:470:1f13::/48";
|
||||
Table = "he";
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
"10-swp" = {
|
||||
matchConfig.Name = "swp";
|
||||
networkConfig = {
|
||||
Description = "VLAN-aware switch port";
|
||||
Address = [ "${cfg.rip}/24" ];
|
||||
Gateway = "129.199.146.254";
|
||||
LLDP = true;
|
||||
# Only to the switch we are connected to directly, e.g. the hypervisor or the switch.
|
||||
EmitLLDP = "nearest-bridge";
|
||||
# For VRRP.
|
||||
KeepConfiguration = true;
|
||||
};
|
||||
routingPolicyRules = [
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
From = "45.13.104.25/29";
|
||||
Type = "prohibit";
|
||||
};
|
||||
}
|
||||
];
|
||||
tunnel = [
|
||||
"gre-mwan"
|
||||
"sit-he"
|
||||
];
|
||||
vlan = [
|
||||
# "intranet-krz" - we don't want to keep this.
|
||||
"admin"
|
||||
# FIXME: "mwan-v6" - do we want to keep this?
|
||||
# We can achieve v6-only by enforcing MAC address isolation for IPv4.
|
||||
"mwan-dual"
|
||||
# FIXME: legacy-nat-zone.
|
||||
# FIXME: "krz-v6" - not ready yet.
|
||||
# FIXME: "dn42-dmz" - revive this if you want.
|
||||
"he-dmz"
|
||||
# FIXME: "free-dmz" - not ready yet, abandoned?
|
||||
# FIXME: "he-v6-pd" - require rework
|
||||
# FIXME: "mwan-v6-pd" - require rework
|
||||
"vrrp-router"
|
||||
];
|
||||
};
|
||||
# TODO: SIIT/NAT64/DNS64 component to avoid IPv4 dependency.
|
||||
"20-mwan-dual" = {
|
||||
matchConfig.Name = "mwan-dual";
|
||||
addresses = [
|
||||
{
|
||||
addressConfig = {
|
||||
Address = "2a0e:e701:1120:b00c::1/64";
|
||||
AddPrefixRoute = false;
|
||||
};
|
||||
}
|
||||
{
|
||||
addressConfig = {
|
||||
Address = "45.13.104.25/29";
|
||||
AddPrefixRoute = false;
|
||||
};
|
||||
}
|
||||
];
|
||||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Destination = "2a0e:e701:1120:b00c::/64";
|
||||
Metric = 256;
|
||||
Table = "mwan";
|
||||
};
|
||||
}
|
||||
{
|
||||
routeConfig = {
|
||||
Destination = "45.13.104.25/29";
|
||||
Metric = 256;
|
||||
Table = "mwan";
|
||||
};
|
||||
}
|
||||
];
|
||||
networkConfig = {
|
||||
Description = "MilkyWAN dual stack public interface";
|
||||
DHCPServer = true;
|
||||
IPv6SendRA = true;
|
||||
IPForward = true;
|
||||
ConfigureWithoutCarrier = true;
|
||||
};
|
||||
};
|
||||
"20-he-dmz" = {
|
||||
matchConfig.Name = "he-dmz";
|
||||
addresses = [
|
||||
{
|
||||
addressConfig = {
|
||||
Address = "2001:470:1f13:187::1/64";
|
||||
# This will add it in the wrong table.
|
||||
# TODO: add to systemd a `Table` option here.
|
||||
AddPrefixRoute = false;
|
||||
};
|
||||
}
|
||||
];
|
||||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Destination = "2001:470:1f13:187::/64";
|
||||
Metric = 256;
|
||||
Table = "he";
|
||||
};
|
||||
}
|
||||
];
|
||||
networkConfig = {
|
||||
Description = "Hurricane Electrical's 187 /64 unfirewalled zone";
|
||||
IPv6SendRA = true;
|
||||
ConfigureWithoutCarrier = true;
|
||||
};
|
||||
};
|
||||
"20-vrrp-router" = {
|
||||
matchConfig.Name = "vrrp-router";
|
||||
networkConfig = {
|
||||
Description = "VRRP router health network";
|
||||
Address = [ "10.0.0.${toString cfg.routerId}/24" "fe80::${toString cfg.routerId}/64" ];
|
||||
KeepConfiguration = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.keepalived = {
|
||||
enable = true;
|
||||
vrrpInstances.wan = {
|
||||
interface = "vrrp-router";
|
||||
state = if cfg.enablePrimary then "MASTER" else "BACKUP";
|
||||
# We want to start in a stable state.
|
||||
priority = cfg.virtualPriority;
|
||||
virtualIps = [{ addr = "${cfg.vip}/24"; dev = "swp"; scope = "global"; }];
|
||||
virtualRouterId = 50;
|
||||
noPreempt = !cfg.enablePrimary;
|
||||
unicastPeers = map (n: "10.0.0.${toString n}") cfg.virtualNeighbors;
|
||||
};
|
||||
vrrpInstances.admin = {
|
||||
interface = "vrrp-router";
|
||||
state = if cfg.enablePrimary then "MASTER" else "BACKUP";
|
||||
# We want to start in a stable state.
|
||||
priority = cfg.virtualPriority;
|
||||
virtualIps = [
|
||||
{ addr = "fd81:fb3a:50cc::1/64"; dev = "wgadmin"; }
|
||||
{ addr = "fd81:fb3a:50cc:1::1/48"; dev = "admin"; }
|
||||
];
|
||||
virtualRouterId = 51;
|
||||
noPreempt = !cfg.enablePrimary;
|
||||
unicastPeers = map (n: "fe80::${toString n}") cfg.virtualNeighbors;
|
||||
unicastSrcIp = "fe80::${toString cfg.routerId}";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,25 +0,0 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (lib)
|
||||
mkEnableOption
|
||||
mkIf;
|
||||
|
||||
cfg = config.krz-ssh;
|
||||
in
|
||||
|
||||
{
|
||||
options.krz-ssh = {
|
||||
enable = mkEnableOption "ssh default configuration." // { default = true; };
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
|
||||
settings.PasswordAuthentication = false;
|
||||
};
|
||||
|
||||
programs.mosh.enable = true;
|
||||
};
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
{}
|
|
@ -1,47 +0,0 @@
|
|||
# Generated by npins. Do not modify; will be overwritten regularly
|
||||
let
|
||||
data = builtins.fromJSON (builtins.readFile ./sources.json);
|
||||
version = data.version;
|
||||
|
||||
mkSource = spec:
|
||||
assert spec ? type; let
|
||||
path =
|
||||
if spec.type == "Git" then mkGitSource spec
|
||||
else if spec.type == "GitRelease" then mkGitSource spec
|
||||
else if spec.type == "PyPi" then mkPyPiSource spec
|
||||
else if spec.type == "Channel" then mkChannelSource spec
|
||||
else builtins.throw "Unknown source type ${spec.type}";
|
||||
in
|
||||
spec // { outPath = path; };
|
||||
|
||||
mkGitSource = { repository, revision, url ? null, hash, ... }:
|
||||
assert repository ? type;
|
||||
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
|
||||
# In the latter case, there we will always be an url to the tarball
|
||||
if url != null then
|
||||
(builtins.fetchTarball {
|
||||
inherit url;
|
||||
sha256 = hash; # FIXME: check nix version & use SRI hashes
|
||||
})
|
||||
else assert repository.type == "Git"; builtins.fetchGit {
|
||||
url = repository.url;
|
||||
rev = revision;
|
||||
# hash = hash;
|
||||
};
|
||||
|
||||
mkPyPiSource = { url, hash, ... }:
|
||||
builtins.fetchurl {
|
||||
inherit url;
|
||||
sha256 = hash;
|
||||
};
|
||||
|
||||
mkChannelSource = { url, hash, ... }:
|
||||
builtins.fetchTarball {
|
||||
inherit url;
|
||||
sha256 = hash;
|
||||
};
|
||||
in
|
||||
if version == 3 then
|
||||
builtins.mapAttrs (_: mkSource) data.pins
|
||||
else
|
||||
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
|
|
@ -1,43 +0,0 @@
|
|||
{
|
||||
"pins": {
|
||||
"agenix": {
|
||||
"type": "GitRelease",
|
||||
"repository": {
|
||||
"type": "Git",
|
||||
"url": "https://github.com/ryantm/agenix"
|
||||
},
|
||||
"pre_releases": false,
|
||||
"version_upper_bound": null,
|
||||
"version": "0.13.0",
|
||||
"revision": "9c9fbfb94b2d545c7f0b78da0254ea0041595795",
|
||||
"url": null,
|
||||
"hash": "0k6aggy3lhqv6j11cvi4gr0i3jps8hlf262xl9ji3ffxwas46p54"
|
||||
},
|
||||
"nix-lib": {
|
||||
"type": "GitRelease",
|
||||
"repository": {
|
||||
"type": "Git",
|
||||
"url": "https://git.hubrecht.ovh/hubrecht/nix-lib"
|
||||
},
|
||||
"pre_releases": false,
|
||||
"version_upper_bound": null,
|
||||
"version": "0.1.6",
|
||||
"revision": "ffb3dfa4c146d48300bd4fa625acfe48e091a734",
|
||||
"url": null,
|
||||
"hash": "1frsja071qqx6p7rjnijzhidqfylx0ipzqpmjdvj4jl89h34vrhr"
|
||||
},
|
||||
"nixos-23.05": {
|
||||
"type": "Channel",
|
||||
"name": "nixos-23.05",
|
||||
"url": "https://releases.nixos.org/nixos/23.05/nixos-23.05.2162.6da4bc6cb07/nixexprs.tar.xz",
|
||||
"hash": "198wbl9b7j3k51n0rxs09vy6x535ysqv6kbxf42d9yqr49d2n9vc"
|
||||
},
|
||||
"nixpkgs": {
|
||||
"type": "Channel",
|
||||
"name": "nixpkgs-unstable",
|
||||
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-23.11pre506668.af8cd5ded77/nixexprs.tar.xz",
|
||||
"hash": "0in8bgah6hz47lsa3ka2fslwks174maqdzy8mcmsj0q4wrv8h2s9"
|
||||
}
|
||||
},
|
||||
"version": 3
|
||||
}
|
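--- a/shell.nix
+++ b/shell.nix
@@ -1,15 +0,0 @@
-let
-sources = import ./npins;
-pkgs = import sources.nixpkgs { };
-in
-
-pkgs.mkShell {
-packages = with pkgs; [
-npins
-colmena
-nixos-generators
-] ++ (builtins.map (p: callPackage p { }) [
-]);
-
-allowSubstitutes = false;
-}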