From 9207580a39670e2c16d3d97770837bad0e8ac6a1 Mon Sep 17 00:00:00 2001 From: Gabriel DORIATH DOHLER Date: Wed, 28 Jul 2021 23:12:58 +0200 Subject: [PATCH 001/149] Add remote-builder-01 --- machines/remote-builder-01/configuration.nix | 84 +++++++++++++++++++ .../hardware-configuration.nix | 35 ++++++++ machines/remote-builder-01/programs.nix | 24 ++++++ machines/remote-builder-01/pubkeys/gdd.keys | 2 + .../pubkeys/hackens-milieu.keys | 1 + machines/remote-builder-01/pubkeys/raito.keys | 4 + machines/remote-builder-01/system.nix | 28 +++++++ machines/remote-builder-01/vim.nix | 31 +++++++ 8 files changed, 209 insertions(+) create mode 100644 machines/remote-builder-01/configuration.nix create mode 100644 machines/remote-builder-01/hardware-configuration.nix create mode 100644 machines/remote-builder-01/programs.nix create mode 100644 machines/remote-builder-01/pubkeys/gdd.keys create mode 100644 machines/remote-builder-01/pubkeys/hackens-milieu.keys create mode 100644 machines/remote-builder-01/pubkeys/raito.keys create mode 100644 machines/remote-builder-01/system.nix create mode 100644 machines/remote-builder-01/vim.nix diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix new file mode 100644 index 0000000..199ae19 --- /dev/null +++ b/machines/remote-builder-01/configuration.nix 
@@ -0,0 +1,84 @@ +{ config, pkgs, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ./programs.nix + ./system.nix + # TODO monitoring + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + boot.initrd.supportedFilesystems = [ "zfs" ]; + boot.supportedFilesystems = [ "zfs" ]; + + networking.hostName = "remote-builder-01"; + networking.hostId = "11894198"; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.ens18.useDHCP = true; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + wget + ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + programs.mtr.enable = true; + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + # List services that you want to enable: + + services.zfs.autoScrub.enable = true; + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ./pubkeys/gdd.keys + ./pubkeys/raito.keys + ./pubkeys/hackens-milieu.keys + ]; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. 
+ networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "21.05"; # Did you read the comment? + +} + diff --git a/machines/remote-builder-01/hardware-configuration.nix b/machines/remote-builder-01/hardware-configuration.nix new file mode 100644 index 0000000..f80b2c7 --- /dev/null +++ b/machines/remote-builder-01/hardware-configuration.nix @@ -0,0 +1,35 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "rpool/root/nixos"; + fsType = "zfs"; + }; + + fileSystems."/home" = + { device = "rpool/home"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/3341-A3B9"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/1f624fe3-1fc5-44f4-9529-812558ffba42"; } + ]; + +} diff --git a/machines/remote-builder-01/programs.nix b/machines/remote-builder-01/programs.nix new file mode 100644 index 0000000..e7e4afc --- /dev/null +++ b/machines/remote-builder-01/programs.nix 
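Review bot: `networking.firewall.enable = false;` at the end of this hunk switches the host firewall off on a machine that the same file exposes over sshd with root key login, and nothing here disables SSH password authentication, which the openssh module leaves enabled by default on 21.05, so any account that ever gets a password is brute-forceable from wherever the host is reachable. Keep the firewall on (as far as I recall the openssh module opens its own listen port) and add `services.openssh.passwordAuthentication = false;` next to `services.openssh.enable = true;`, opening further ports explicitly when the builder needs them. If the firewall really must be off, say why in a comment above the line, e.g. `# firewall off: <reason> — revisit once monitoring (TODO above) lands`. The identical hunk is re-applied in the squashed PATCH 007 (L12–L13).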
@@ -0,0 +1,24 @@ +{ pkgs, ... }: +let pkgsList = with pkgs; [ + nix-prefetch-git + dnsutils + + unzip + zip + ripgrep + + niv + nixfmt + ]; +in +{ + imports = [ + ./vim.nix + ]; + programs = { + tmux.enable = true; + mosh.enable = true; + }; + + environment.systemPackages = pkgsList; +} diff --git a/machines/remote-builder-01/pubkeys/gdd.keys b/machines/remote-builder-01/pubkeys/gdd.keys new file mode 100644 index 0000000..b5d4e40 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/gdd.keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ diff --git a/machines/remote-builder-01/pubkeys/hackens-milieu.keys b/machines/remote-builder-01/pubkeys/hackens-milieu.keys new file mode 100644 index 0000000..c79c039 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/hackens-milieu.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3+w4+nyJG8lr2mh0S9Zf8j2/6H5smlO87s6KNLlhkF hackens@hackens-milieu diff --git a/machines/remote-builder-01/pubkeys/raito.keys b/machines/remote-builder-01/pubkeys/raito.keys new file mode 100644 index 0000000..0f48a59 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/raito.keys @@ -0,0 +1,4 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr 
diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix new file mode 100644 index 0000000..f2c68d1 --- /dev/null +++ b/machines/remote-builder-01/system.nix @@ -0,0 +1,28 @@ +{ pkgs, ... }: +{ + # # Auto upgrades + # system.autoUpgrade = { + # enable = false; # TODO(Ryan): do not enable, it will break deployments. + # allowReboot = false; + # }; + + # Auto GC and store optimizations + nix = { + trustedUsers = [ "root" "gab" ]; + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 90d"; + }; + optimise.automatic = true; + extraOptions = '' + min-free = ${toString (100 * 1024 * 1024)} + max-free = ${toString (1024 * 1024 * 1024)} + ''; + }; + + services.locate = { + enable = true; + interval = "04:05"; + }; +} diff --git a/machines/remote-builder-01/vim.nix b/machines/remote-builder-01/vim.nix new file mode 100644 index 0000000..bed8752 --- /dev/null +++ b/machines/remote-builder-01/vim.nix @@ -0,0 +1,31 @@ +{ pkgs, ... }: +{ + environment.variables = { EDITOR = "vim"; }; + + environment.systemPackages = with pkgs; [ + nixfmt + git + (neovim.override { + vimAlias = true; + configure = { + packages.myPlugins = with pkgs.vimPlugins; { + start = [ vim-lastplace vim-nix ]; + opt = []; + }; + customRC = '' + set encoding=utf-8 + set wildmenu + + set nocompatible + set backspace=indent,eol,start + set cursorline + hi CursorLine term=bold cterm=bold ctermbg=darkgrey + set number + set relativenumber + set tabstop=4 + set expandtab + ''; + }; + } + )]; +} -- 2.47.0 From 63edbed11fba272c265f8557fd9cfc6c9ba06b3c Mon Sep 17 00:00:00 2001 From: Gabriel DORIATH DOHLER Date: Wed, 28 Jul 2021 23:31:57 +0200 Subject: [PATCH 002/149] Test and deploy --- .drone.yml | 4 ++++ README.md | 1 + krops.nix | 23 ++++++++++++----------- 3 files changed, 17 insertions(+), 11 deletions(-) diff --git a/.drone.yml b/.drone.yml index 5feb66e..fda39a8 100644 --- a/.drone.yml +++ b/.drone.yml 
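Review bot: `nix.trustedUsers = [ "root" "gab" ];` in system.nix makes `gab` a trusted user of the Nix daemon, which is root-equivalent (trusted users can add substituters and relax sandbox and build options), yet no `gab` account is declared in any module this commit adds, so the entry is either dead or refers to a user created out of band. Either drop it or declare the user in the same file, and record the privilege next to the line, e.g. `# trusted-users is root-equivalent: can set substituters and disable the sandbox`. The same file is re-added unchanged in PATCH 007 (L15).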
@@ -15,5 +15,9 @@ steps: commands: - "export NIX_PATH=nixpkgs=/var/nixpkgs" - "echo Building core-services-01 && nix-build krops.nix -A test-core-services-01 && ./result" +- name: Build remote-builder-01 configuration + commands: + - "export NIX_PATH=nixpkgs=/var/nixpkgs" + - "echo Building remote-builder-01 && nix-build krops.nix -A remote-builder-01 && ./result" ... diff --git a/README.md b/README.md index d608944..0a227f8 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ Refer to wiki for details. - `core-services-01` +- `remote-builder-01` ## How to deploy a machine? diff --git a/krops.nix b/krops.nix index 17ba000..cbcc956 100644 --- a/krops.nix +++ b/krops.nix @@ -15,20 +15,21 @@ let }; } ]; -in - { - core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" { - source = source "core-services-01"; - target = "root@core01.internal.rz.ens.wtf"; - }; - - test-core-services-01 = pkgs.krops.writeTest "test-core-services-01" { - source = source "core-services-01"; + mkTestConfig = hostname: + test-${hostname}-01 = pkgs.krops.writeTest "test-${hostname}" { + source = source hostname; target = lib.mkTarget { host = "localhost"; path = "/tmp/src"; }; force = true; # force create the sentinel file. }; - - } + mkTestsConfig = hostnames: + builtins.listToAttrs (map (h: { name = h; value = mkTestConfig h; }) hostnames) +in + { + core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" { + source = source "core-services-01"; + target = "root@core01.internal.rz.ens.wtf"; + }; + } // mkTestsConfig [ "core-services-01" "remote-builder-01" ]; -- 2.47.0 From 8cff6168b5e47581f090804a59b0ff45f1ca6adc Mon Sep 17 00:00:00 2001 From: Gabriel DORIATH DOHLER Date: Wed, 28 Jul 2021 23:35:51 +0200 Subject: [PATCH 003/149] Fix syntax errors --- krops.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/krops.nix b/krops.nix index cbcc956..3ebf006 100644 --- a/krops.nix +++ b/krops.nix 
@@ -25,11 +25,11 @@ let force = true; # force create the sentinel file. }; mkTestsConfig = hostnames: - builtins.listToAttrs (map (h: { name = h; value = mkTestConfig h; }) hostnames) + builtins.listToAttrs (map (h: { name = h; value = mkTestConfig h; }) hostnames); in { core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" { source = source "core-services-01"; target = "root@core01.internal.rz.ens.wtf"; }; - } // mkTestsConfig [ "core-services-01" "remote-builder-01" ]; + } // mkTestsConfig [ "core-services-01" "remote-builder-01" ] -- 2.47.0 From 818c6aa5422b329207af6c27ce0bed56b167fa79 Mon Sep 17 00:00:00 2001 From: Gabriel DORIATH DOHLER Date: Wed, 28 Jul 2021 23:39:01 +0200 Subject: [PATCH 004/149] Fix errors --- krops.nix | 37 +++++++++++++++++-------------------- 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/krops.nix b/krops.nix index 3ebf006..9b5373f 100644 --- a/krops.nix +++ b/krops.nix @@ -1,22 +1,20 @@ let - krops = builtins.fetchGit { - url = "https://cgit.krebsco.de/krops/"; - }; + krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; }; lib = import "${krops}/lib"; - pkgs = import "${krops}/pkgs" {}; - source = machine: lib.evalSource [ - { + pkgs = import "${krops}/pkgs" { }; + source = machine: + lib.evalSource [{ config.file = toString ./machines; nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; ref = "973910f5c31b9ba6c171c33a8bd7199990b14c72"; # nixos-21.05 - url = https://github.com/NixOS/nixpkgs; + url = "https://github.com/NixOS/nixpkgs"; }; - } - ]; - mkTestConfig = hostname: - test-${hostname}-01 = pkgs.krops.writeTest "test-${hostname}" { + }]; + mkTestConfig = hostname: { + name = "test-${hostname}"; + value = pkgs.krops.writeTest "test-${hostname}" { source = source hostname; target = lib.mkTarget { host = "localhost"; 
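Review bot: The rewritten `krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; };` in the PATCH 004 hunk still fetches the deploy tooling unpinned (no `rev`/`ref`), while `nixpkgs.git` a few lines below is pinned to a commit; krops runs as root on every target, so whoever controls that remote controls the deployed hosts. Pin it the same way, `krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; rev = "<krops-commit-sha>"; };` (plus `ref` if the commit is not on the default branch), and bump it deliberately with a comment giving the date. The same line appears in the squashed PATCH 007 hunk (L11).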
@@ -24,12 +22,11 @@ let }; force = true; # force create the sentinel file. }; - mkTestsConfig = hostnames: - builtins.listToAttrs (map (h: { name = h; value = mkTestConfig h; }) hostnames); -in - { - core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" { - source = source "core-services-01"; - target = "root@core01.internal.rz.ens.wtf"; - }; - } // mkTestsConfig [ "core-services-01" "remote-builder-01" ] + }; + mkTestsConfig = hostnames: builtins.listToAttrs (map mkTestConfig hostnames); +in { + core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" { + source = source "core-services-01"; + target = "root@core01.internal.rz.ens.wtf"; + }; +} // mkTestsConfig [ "core-services-01" "remote-builder-01" ] -- 2.47.0 From 7c0c0a5cd9fb37f1082e7fcfbcc35efcee71df70 Mon Sep 17 00:00:00 2001 From: Gabriel DORIATH DOHLER Date: Wed, 28 Jul 2021 23:42:39 +0200 Subject: [PATCH 005/149] Fix another error --- .drone.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.drone.yml b/.drone.yml index fda39a8..5bb8ea0 100644 --- a/.drone.yml +++ b/.drone.yml @@ -18,6 +18,6 @@ steps: - name: Build remote-builder-01 configuration commands: - "export NIX_PATH=nixpkgs=/var/nixpkgs" - - "echo Building remote-builder-01 && nix-build krops.nix -A remote-builder-01 && ./result" + - "echo Building remote-builder-01 && nix-build krops.nix -A test-remote-builder-01 && ./result" ... -- 2.47.0 From 821b1cdc31b1e6aff8f15209c291b00dc17675b1 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 28 Jul 2021 23:55:23 +0200 Subject: [PATCH 006/149] dns: add nix01.builders.rz.ens.wtf --- machines/core-services-01/dns.nix | 2 +- machines/core-services-01/subZone.nix | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/machines/core-services-01/dns.nix b/machines/core-services-01/dns.nix index 2161481..6473038 100644 --- a/machines/core-services-01/dns.nix +++ b/machines/core-services-01/dns.nix 
@@ -21,7 +21,7 @@ in interfaces = my.ipv6.standard; zones = { ${my.subZone} = { - data = dns.lib.toString my.subZone (import ./subZone.nix { inherit dns config; }); + data = dns.lib.toString my.subZone (import ./subZone.nix { inherit dns config lib; }); }; }; }; diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 306dc68..83e143c 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -1,10 +1,14 @@ -{ config, dns, ... }: +{ config, lib, dns, ... }: with dns.lib.combinators; let my = config.my; delegateACMEDNSChallenge = acme: { _acme-challenge.CNAME = [ acme ]; }; + + remoteBuilders = { + nix01 = [ "2001:470:1f13:187:1e07:c670:3958:f8f1" ]; + }; in with my.ipv6; # contains { standard, acme } { @@ -31,6 +35,8 @@ with my.ipv6; # contains { standard, acme } push.AAAA = standard; ns1.AAAA = standard; + builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; + # Délégation de sous zone à he.gdd pour la certification HE. gdd.subdomains.he = { NS = [ "ns1.he.gdd.${my.subZone}." ]; -- 2.47.0 From dee54e706d1eb9feda1e7d2f3a212b0c01952b28 Mon Sep 17 00:00:00 2001 
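Review bot: The new `builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders;` line changes published zone data, but the hand-maintained SOA serial (`serial = 2021072400; # Y M D Version`, visible in PATCH 017) is not bumped in this commit, so secondaries and resolvers keep the stale zone until someone remembers; PATCH 010, 011, 012, 015 and 016 have the same gap and only PATCH 017 bumps it. Bump the serial in every zone-changing commit, or derive it in dns.nix so it cannot be forgotten. Minor style: the first lambda parameter is unused, `lib.mapAttrs (_: AAAA: { inherit AAAA; }) remoteBuilders`.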
From: gdd Date: Wed, 28 Jul 2021 23:55:34 +0200 Subject: [PATCH 007/149] Add remote-builder-01 (#2) Initial configuration of remote-builder-01. Co-authored-by: Gabriel DORIATH DOHLER Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/2 Co-authored-by: gdd Co-committed-by: gdd --- .drone.yml | 4 + README.md | 1 + krops.nix | 38 ++++----- machines/remote-builder-01/configuration.nix | 84 +++++++++++++++++++ .../hardware-configuration.nix | 35 ++++++++ machines/remote-builder-01/programs.nix | 24 ++++++ machines/remote-builder-01/pubkeys/gdd.keys | 2 + .../pubkeys/hackens-milieu.keys | 1 + machines/remote-builder-01/pubkeys/raito.keys | 4 + machines/remote-builder-01/system.nix | 28 +++++++ machines/remote-builder-01/vim.nix | 31 +++++++ 11 files changed, 232 insertions(+), 20 deletions(-) create mode 100644 machines/remote-builder-01/configuration.nix create mode 100644 machines/remote-builder-01/hardware-configuration.nix create mode 100644 machines/remote-builder-01/programs.nix create mode 100644 machines/remote-builder-01/pubkeys/gdd.keys create mode 100644 machines/remote-builder-01/pubkeys/hackens-milieu.keys create mode 100644 machines/remote-builder-01/pubkeys/raito.keys create mode 100644 machines/remote-builder-01/system.nix create mode 100644 machines/remote-builder-01/vim.nix diff --git a/.drone.yml b/.drone.yml index 5feb66e..5bb8ea0 100644 --- a/.drone.yml +++ b/.drone.yml @@ -15,5 +15,9 @@ steps: commands: - "export NIX_PATH=nixpkgs=/var/nixpkgs" - "echo Building core-services-01 && nix-build krops.nix -A test-core-services-01 && ./result" +- name: Build remote-builder-01 configuration + commands: + - "export NIX_PATH=nixpkgs=/var/nixpkgs" + - "echo Building remote-builder-01 && nix-build krops.nix -A test-remote-builder-01 && ./result" ... diff --git a/README.md b/README.md index d608944..0a227f8 100644 --- a/README.md +++ b/README.md 
@@ -5,6 +5,7 @@ Refer to wiki for details. - `core-services-01` +- `remote-builder-01` ## How to deploy a machine? diff --git a/krops.nix b/krops.nix index 17ba000..9b5373f 100644 --- a/krops.nix +++ b/krops.nix @@ -1,34 +1,32 @@ let - krops = builtins.fetchGit { - url = "https://cgit.krebsco.de/krops/"; - }; + krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; }; lib = import "${krops}/lib"; - pkgs = import "${krops}/pkgs" {}; - source = machine: lib.evalSource [ - { + pkgs = import "${krops}/pkgs" { }; + source = machine: + lib.evalSource [{ config.file = toString ./machines; nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; ref = "973910f5c31b9ba6c171c33a8bd7199990b14c72"; # nixos-21.05 - url = https://github.com/NixOS/nixpkgs; + url = "https://github.com/NixOS/nixpkgs"; }; - } - ]; -in - { - core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" { - source = source "core-services-01"; - target = "root@core01.internal.rz.ens.wtf"; - }; - - test-core-services-01 = pkgs.krops.writeTest "test-core-services-01" { - source = source "core-services-01"; + }]; + mkTestConfig = hostname: { + name = "test-${hostname}"; + value = pkgs.krops.writeTest "test-${hostname}" { + source = source hostname; target = lib.mkTarget { host = "localhost"; path = "/tmp/src"; }; force = true; # force create the sentinel file. }; - - } + }; + mkTestsConfig = hostnames: builtins.listToAttrs (map mkTestConfig hostnames); +in { + core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" { + source = source "core-services-01"; + target = "root@core01.internal.rz.ens.wtf"; + }; +} // mkTestsConfig [ "core-services-01" "remote-builder-01" ] diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix new file mode 100644 index 0000000..199ae19 --- /dev/null +++ b/machines/remote-builder-01/configuration.nix 
@@ -0,0 +1,84 @@ +{ config, pkgs, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ./programs.nix + ./system.nix + # TODO monitoring + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + boot.initrd.supportedFilesystems = [ "zfs" ]; + boot.supportedFilesystems = [ "zfs" ]; + + networking.hostName = "remote-builder-01"; + networking.hostId = "11894198"; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.ens18.useDHCP = true; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + wget + ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + programs.mtr.enable = true; + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + # List services that you want to enable: + + services.zfs.autoScrub.enable = true; + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ./pubkeys/gdd.keys + ./pubkeys/raito.keys + ./pubkeys/hackens-milieu.keys + ]; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. 
+ networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "21.05"; # Did you read the comment? + +} + diff --git a/machines/remote-builder-01/hardware-configuration.nix b/machines/remote-builder-01/hardware-configuration.nix new file mode 100644 index 0000000..f80b2c7 --- /dev/null +++ b/machines/remote-builder-01/hardware-configuration.nix @@ -0,0 +1,35 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "rpool/root/nixos"; + fsType = "zfs"; + }; + + fileSystems."/home" = + { device = "rpool/home"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/3341-A3B9"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/1f624fe3-1fc5-44f4-9529-812558ffba42"; } + ]; + +} diff --git a/machines/remote-builder-01/programs.nix b/machines/remote-builder-01/programs.nix new file mode 100644 index 0000000..e7e4afc --- /dev/null +++ b/machines/remote-builder-01/programs.nix 
@@ -0,0 +1,24 @@ +{ pkgs, ... }: +let pkgsList = with pkgs; [ + nix-prefetch-git + dnsutils + + unzip + zip + ripgrep + + niv + nixfmt + ]; +in +{ + imports = [ + ./vim.nix + ]; + programs = { + tmux.enable = true; + mosh.enable = true; + }; + + environment.systemPackages = pkgsList; +} diff --git a/machines/remote-builder-01/pubkeys/gdd.keys b/machines/remote-builder-01/pubkeys/gdd.keys new file mode 100644 index 0000000..b5d4e40 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/gdd.keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ diff --git a/machines/remote-builder-01/pubkeys/hackens-milieu.keys b/machines/remote-builder-01/pubkeys/hackens-milieu.keys new file mode 100644 index 0000000..c79c039 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/hackens-milieu.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3+w4+nyJG8lr2mh0S9Zf8j2/6H5smlO87s6KNLlhkF hackens@hackens-milieu diff --git a/machines/remote-builder-01/pubkeys/raito.keys b/machines/remote-builder-01/pubkeys/raito.keys new file mode 100644 index 0000000..0f48a59 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/raito.keys @@ -0,0 +1,4 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr 
diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix new file mode 100644 index 0000000..f2c68d1 --- /dev/null +++ b/machines/remote-builder-01/system.nix @@ -0,0 +1,28 @@ +{ pkgs, ... }: +{ + # # Auto upgrades + # system.autoUpgrade = { + # enable = false; # TODO(Ryan): do not enable, it will break deployments. + # allowReboot = false; + # }; + + # Auto GC and store optimizations + nix = { + trustedUsers = [ "root" "gab" ]; + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 90d"; + }; + optimise.automatic = true; + extraOptions = '' + min-free = ${toString (100 * 1024 * 1024)} + max-free = ${toString (1024 * 1024 * 1024)} + ''; + }; + + services.locate = { + enable = true; + interval = "04:05"; + }; +} diff --git a/machines/remote-builder-01/vim.nix b/machines/remote-builder-01/vim.nix new file mode 100644 index 0000000..bed8752 --- /dev/null +++ b/machines/remote-builder-01/vim.nix @@ -0,0 +1,31 @@ +{ pkgs, ... }: +{ + environment.variables = { EDITOR = "vim"; }; + + environment.systemPackages = with pkgs; [ + nixfmt + git + (neovim.override { + vimAlias = true; + configure = { + packages.myPlugins = with pkgs.vimPlugins; { + start = [ vim-lastplace vim-nix ]; + opt = []; + }; + customRC = '' + set encoding=utf-8 + set wildmenu + + set nocompatible + set backspace=indent,eol,start + set cursorline + hi CursorLine term=bold cterm=bold ctermbg=darkgrey + set number + set relativenumber + set tabstop=4 + set expandtab + ''; + }; + } + )]; +} -- 2.47.0 From 2a33516e543f5babdf2a22c3e421c092ea901dce Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Thu, 29 Jul 2021 00:08:48 +0200 Subject: [PATCH 008/149] deploy: add remote-builder-01 and my remote builder SSH key --- krops.nix | 12 +++++++----- machines/remote-builder-01/configuration.nix | 1 + .../remote-builder-01/pubkeys/remote-builders.keys | 1 + 3 files changed, 9 insertions(+), 5 deletions(-) create mode 100644 machines/remote-builder-01/pubkeys/remote-builders.keys diff --git a/krops.nix b/krops.nix index 9b5373f..8983a34 100644 --- a/krops.nix +++ b/krops.nix @@ -24,9 +24,11 @@ let }; }; mkTestsConfig = hostnames: builtins.listToAttrs (map mkTestConfig hostnames); -in { - core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" { - source = source "core-services-01"; - target = "root@core01.internal.rz.ens.wtf"; + mkDeploy = hostname: target: { ${hostname} = pkgs.krops.writeDeploy "deploy-${hostname}" { + source = source hostname; + inherit target; }; -} // mkTestsConfig [ "core-services-01" "remote-builder-01" ] +in {} +// mkDeploy "core-services-01" "root@core01.internal.rz.ens.wtf" +// mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" +// mkTestsConfig [ "core-services-01" "remote-builder-01" ] diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 199ae19..79a6a28 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -64,6 +64,7 @@ ./pubkeys/gdd.keys ./pubkeys/raito.keys ./pubkeys/hackens-milieu.keys + ./pubkeys/remote-builders.keys ]; # Open ports in the firewall. diff --git a/machines/remote-builder-01/pubkeys/remote-builders.keys b/machines/remote-builder-01/pubkeys/remote-builders.keys new file mode 100644 index 0000000..b1b7645 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/remote-builders.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ Raito's remote builder key -- 2.47.0 
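Review bot: Adding `./pubkeys/remote-builders.keys` to `users.users.root.openssh.authorizedKeys.keyFiles` in the configuration.nix hunk gives the remote-builder key an unrestricted root shell on nix01, whereas a build client only needs the Nix serve protocol. `keyFiles` are in authorized_keys format, so the key line in the new file can carry options, e.g. `restrict,command="nix-store --serve --write" ssh-ed25519 …` (use the command the client actually invokes — `nix-daemon --stdio` for `ssh-ng://`), or point the builder at a dedicated non-root user, which remote builds will presumably need listed in `nix.trustedUsers` — verify against the client's config. Either way a comment in the keys file naming the client host and what the key is allowed to do would make later rotation easier.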
From e23f00d8db52defcd0f8f71176c482f2373a7b7e Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 29 Jul 2021 00:09:32 +0200 Subject: [PATCH 009/149] fix syntax error --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 8983a34..c17fe78 100644 --- a/krops.nix +++ b/krops.nix @@ -27,7 +27,7 @@ let mkDeploy = hostname: target: { ${hostname} = pkgs.krops.writeDeploy "deploy-${hostname}" { source = source hostname; inherit target; - }; + }; }; in {} // mkDeploy "core-services-01" "root@core01.internal.rz.ens.wtf" // mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" -- 2.47.0 From 3fc1c9da86aa11483abb08ae805446a9eace821f Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 4 Aug 2021 15:59:02 +0200 Subject: [PATCH 010/149] core-services-01: add backup repository for VyOS --- machines/core-services-01/backups.nix | 8 ++++++++ machines/core-services-01/configuration.nix | 1 + machines/core-services-01/subZone.nix | 11 ++++++++--- 3 files changed, 17 insertions(+), 3 deletions(-) create mode 100644 machines/core-services-01/backups.nix diff --git a/machines/core-services-01/backups.nix b/machines/core-services-01/backups.nix new file mode 100644 index 0000000..5ed318d --- /dev/null +++ b/machines/core-services-01/backups.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + users.users.backup = { + isNormalUser = true; + hashedPassword = "$6$5C4F4cz5pWpW0$oYVATIrYMTR8oAR3lWTv1/4agerPcKYJEAPMKyof2oZWMOYST.n8aQKzpFFEwsIybwSa5RJg.mL7fon6RaiSD/"; + home = "/var/lib/backup"; + }; +} diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 68de60d..466c48a 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -18,6 +18,7 @@ ./nginx.nix ./keycloak.nix ./acme-dns.nix + ./backups.nix ./secrets # TODO push to gitea # TODO ./gotify.nix 
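Review bot: `hashedPassword = "$6$…"` in the new backups.nix commits a password hash for the `backup` account to the repository, which makes it crackable offline by anyone with read access to the repo, and the configuration.nix hunk in the same commit shows a `./secrets` directory exists for exactly this kind of material. For a backup target reached by VyOS over SSH, prefer a key: drop `hashedPassword` and set `openssh.authorizedKeys.keys = [ "<vyos-backup-pubkey>" ];` on the user (placeholder value); if a password is genuinely required, move the hash under `./secrets` and reference it through `passwordFile`. A one-line comment on the user block stating its purpose, e.g. `# SSH target for VyOS configuration backups`, would also help the next reader.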
diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 83e143c..a768f26 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -49,15 +49,20 @@ with my.ipv6; # contains { standard, acme } }; internal.subdomains = { - core01 = { - A = [ "10.1.1.20" ]; - }; + # Routers + router01.A = [ "10.1.1.1" ]; + router02.A = [ "10.1.1.2" ]; + + # Hypervisors pve01 = { A = [ "10.1.1.10" ]; subdomains = { idrac.A = [ "10.1.2.20" ]; } // delegateACMEDNSChallenge "7c663a49-151c-4eea-a34f-725ff9f19d41.acme.rz.ens.wtf."; }; + + # Core machines + core01.A = [ "10.1.1.20" ]; }; }; } -- 2.47.0 From aab45dbc6d952bc3ca9379723a24df95b83153f8 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 4 Aug 2021 15:59:21 +0200 Subject: [PATCH 011/149] dns: add backup.gdd.rz.ens.wtf --- machines/core-services-01/subZone.nix | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index a768f26..f4a6ddf 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -37,17 +37,14 @@ with my.ipv6; # contains { standard, acme } builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; - # Délégation de sous zone à he.gdd pour la certification HE. - gdd.subdomains.he = { - NS = [ "ns1.he.gdd.${my.subZone}." ]; - subdomains.ns1.AAAA = [ "2001:470:1f13:187:b80d:21ff:fe43:f1a5" ]; - }; + gdd.subdomains.backup.AAAA = [ "2001:470:1f13:187:475:9fc1:1e84:4055" "2001:470:1f13:187:e8a5:fbff:fe29:42f5" ]; acme = { NS = [ "acme.${my.subZone}." ]; AAAA = [ acme ]; }; + internal.subdomains = { # Routers router01.A = [ "10.1.1.1" ]; -- 2.47.0 From eaa209eb7bd716c090f12684276446553e5868bf Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Wed, 20 Oct 2021 23:52:58 +0200 Subject: [PATCH 012/149] core-services(dns): append 2001:470:1f13:187:350a:214a:639c:b97b backup.gdd.rz.ens.wtf AAAA --- machines/core-services-01/subZone.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index f4a6ddf..9701a13 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -37,7 +37,7 @@ with my.ipv6; # contains { standard, acme } builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; - gdd.subdomains.backup.AAAA = [ "2001:470:1f13:187:475:9fc1:1e84:4055" "2001:470:1f13:187:e8a5:fbff:fe29:42f5" ]; + gdd.subdomains.backup.AAAA = [ "2001:470:1f13:187:475:9fc1:1e84:4055" "2001:470:1f13:187:e8a5:fbff:fe29:42f5" "2001:470:1f13:187:350a:214a:639c:b97b" ]; acme = { NS = [ "acme.${my.subZone}." ]; -- 2.47.0 From 82ccb56fe564d4894ef928bd3dab191fd40001ba Mon Sep 17 00:00:00 2001 From: Gabriel DORIATH DOHLER Date: Fri, 5 Nov 2021 23:59:59 +0000 Subject: [PATCH 013/149] remove hackens keys from core-services and remote-builder --- machines/core-services-01/configuration.nix | 1 - machines/remote-builder-01/configuration.nix | 1 - 2 files changed, 2 deletions(-) diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 466c48a..a09eec0 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -74,7 +74,6 @@ users.users.root.openssh.authorizedKeys.keyFiles = [ ./pubkeys/gdd.keys ./pubkeys/raito.keys - ./pubkeys/hackens-milieu.keys ]; # Open ports in the firewall. diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 79a6a28..1c6245b 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix 
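Review bot: The PATCH 013 hunk drops `./pubkeys/hackens-milieu.keys` from root's authorized keys on core-services-01 (the remote-builder-01 hunk at L20 and the netboot hunk in PATCH 014 do the same), but the diffstat shows the key file itself stays in the tree, so the revoked key can silently return through a later `keyFiles` edit; delete the file in the same commit. Removing a key from authorized_keys also does not end sessions already open with it, so the change should be paired with a check of live sessions on each host and rotation of anything the key holder could reach.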
@@ -63,7 +63,6 @@ users.users.root.openssh.authorizedKeys.keyFiles = [ ./pubkeys/gdd.keys ./pubkeys/raito.keys - ./pubkeys/hackens-milieu.keys ./pubkeys/remote-builders.keys ]; -- 2.47.0 From 6adb20c64f309b1e61327eaa04920418a7fdce37 Mon Sep 17 00:00:00 2001 From: Gabriel DORIATH DOHLER Date: Fri, 5 Nov 2021 23:59:59 +0000 Subject: [PATCH 014/149] remove hackens keys from netboot server --- machines/core-services-01/netboot-server.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/machines/core-services-01/netboot-server.nix b/machines/core-services-01/netboot-server.nix index ac0bd87..5b291bf 100644 --- a/machines/core-services-01/netboot-server.nix +++ b/machines/core-services-01/netboot-server.nix @@ -15,7 +15,6 @@ let users.users.root.openssh.authorizedKeys.keyFiles = [ ./pubkeys/gdd.keys ./pubkeys/raito.keys - ./pubkeys/hackens-milieu.keys ]; programs.mosh.enable = true; -- 2.47.0 From 218419732a3d3418d7b933f77b9de6da9a6fc482 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20Doriath=20D=C3=B6hler?= Date: Thu, 11 Nov 2021 23:59:59 +0000 Subject: [PATCH 015/149] remove incorrect ip adresses for the gdd subdomain --- machines/core-services-01/subZone.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 9701a13..6bcf11d 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -37,7 +37,7 @@ with my.ipv6; # contains { standard, acme } builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; - gdd.subdomains.backup.AAAA = [ "2001:470:1f13:187:475:9fc1:1e84:4055" "2001:470:1f13:187:e8a5:fbff:fe29:42f5" "2001:470:1f13:187:350a:214a:639c:b97b" ]; + gdd.subdomains.backup.AAAA = [ "2001:470:1f13:187:350a:214a:639c:b97b" ]; acme = { NS = [ "acme.${my.subZone}." ]; -- 2.47.0 From 95225c50558a97c9542cd599563aa230642c9eec Mon Sep 17 00:00:00 2001 
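Review bot: After this removal root on the builder still accepts `./pubkeys/remote-builders.keys`, which, if the name means what it suggests, are the client keys Nix uses for remote builds; those need only `nix-store --serve --write`, not an interactive root shell on the machine that produces everyone's store paths. Consider a dedicated build user (e.g. `users.users.nixbuild` listed in `nix.trustedUsers`) or restricting the entry with `command="nix-store --serve --write",restrict` instead of unrestricted root. The `keyFiles` list begins outside this hunk.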
From: gabriel-doriath-dohler Date: Thu, 11 Nov 2021 23:59:59 +0000 Subject: [PATCH 016/149] delegate the gdd subzone --- machines/core-services-01/subZone.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 6bcf11d..2533dd8 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -37,7 +37,10 @@ with my.ipv6; # contains { standard, acme } builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; - gdd.subdomains.backup.AAAA = [ "2001:470:1f13:187:350a:214a:639c:b97b" ]; + gdd = { + NS = [ "ns1.gdd.${my.subZone}." ]; + subdomains.ns1.AAAA = [ "2001:470:1f13:187:350a:214a:639c:b97b" ]; + }; acme = { NS = [ "acme.${my.subZone}." ]; -- 2.47.0 From bc935ad03713af6e9e24ccab4923ab09da575df5 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 11 Nov 2021 23:59:59 +0000 Subject: [PATCH 017/149] update dns serial --- machines/core-services-01/subZone.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 2533dd8..8937940 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -15,7 +15,7 @@ with my.ipv6; # contains { standard, acme } SOA = { nameServer = "ns1.${my.subZone}."; adminEmail = my.email; - serial = 2021072400; # Y M D Version + serial = 2021111100; # Y M D Version }; NS = [ -- 2.47.0 From 9cb53cb9db27e85a1e8e9d23b0cb975870388cf9 Mon Sep 17 00:00:00 2001 
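Review bot: The glue for the delegated `gdd` zone is an AAAA record only (`subdomains.ns1.AAAA`), so an IPv4-only resolver cannot reach `ns1.gdd.rz.ens.wtf` and every lookup under the subzone fails for it; add `subdomains.ns1.A = [ ... ];` if the host has IPv4, or comment that the subzone is intentionally v6-only. A single NS also means one host's downtime takes the whole subzone offline. The zone attribute set continues outside this hunk, and the SOA serial for this change is only bumped in the following patch.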
From: gabriel-doriath-dohler Date: Fri, 12 Nov 2021 23:59:59 +0000 Subject: [PATCH 018/149] initial public-cof config --- machines/public-cof/configuration.nix | 38 +++++++++++++++++++ .../public-cof/hardware-configuration.nix | 30 +++++++++++++++ machines/public-cof/networking.nix | 19 ++++++++++ machines/public-cof/programs.nix | 27 +++++++++++++ machines/public-cof/pubkeys/gdd.keys | 2 + machines/public-cof/pubkeys/raito.keys | 4 ++ machines/public-cof/system.nix | 23 +++++++++++ machines/public-cof/vim.nix | 31 +++++++++++++++ 8 files changed, 174 insertions(+) create mode 100644 machines/public-cof/configuration.nix create mode 100644 machines/public-cof/hardware-configuration.nix create mode 100644 machines/public-cof/networking.nix create mode 100644 machines/public-cof/programs.nix create mode 100644 machines/public-cof/pubkeys/gdd.keys create mode 100644 machines/public-cof/pubkeys/raito.keys create mode 100644 machines/public-cof/system.nix create mode 100644 machines/public-cof/vim.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix new file mode 100644 index 0000000..190595f --- /dev/null +++ b/machines/public-cof/configuration.nix @@ -0,0 +1,38 @@ +{ config, pkgs, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ./programs.nix + ./system.nix + ./networking.nix + # TODO monitoring + ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + time.timeZone = "Europe/Paris"; + + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; + + programs.mtr.enable = true; + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ./pubkeys/gdd.keys + ./pubkeys/raito.keys + ]; + + system.stateVersion = "21.05"; +} 
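Review bot: sshd is left at module defaults on a host that only ever gets root keys, and later patches put it on a public name (`beta.rz.ens.wtf`); pin the policy explicitly with `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "prohibit-password";` so neither a changed module default nor an accidental `users.users.*.password` opens a password path. If the release's defaults already match, stating them still documents the intent. `programs.gnupg.agent.enableSSHSupport = true;` looks like a leftover from a workstation template and serves no purpose on a headless server.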
diff --git a/machines/public-cof/hardware-configuration.nix b/machines/public-cof/hardware-configuration.nix new file mode 100644 index 0000000..4b57edd --- /dev/null +++ b/machines/public-cof/hardware-configuration.nix @@ -0,0 +1,30 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/9147d97d-66fe-4bde-8535-aa855ebee1a8"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/AEF2-33FE"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/bd933d58-5fa1-41c6-a4a1-9c176180f0f6"; } + ]; + +} diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix new file mode 100644 index 0000000..c7c14db --- /dev/null +++ b/machines/public-cof/networking.nix @@ -0,0 +1,19 @@ +{ ... }: +{ + networking = { + hostName = "public-cof"; + + useDHCP = false; + interfaces.ens18 = { + useDHCP = true; + ipv6.addresses = [{ + address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; + prefixLength = 64; + }]; + }; + + firewall.allowedTCPPorts = [ 22 ]; + firewall.allowedUDPPorts = [ 22 ]; + firewall.enable = true; + }; +} diff --git a/machines/public-cof/programs.nix b/machines/public-cof/programs.nix new file mode 100644 index 0000000..1f42aa6 --- /dev/null +++ b/machines/public-cof/programs.nix 
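Review bot: `firewall.allowedUDPPorts = [ 22 ];` opens UDP/22 for nothing: sshd listens on TCP only, and mosh (enabled in programs.nix) presumably opens its own UDP range through its module option, so the line should be removed. The static address `2001:470:1f13:187:c08e:feff:fe4d:f5f5` is repeated by hand as `public-cof-ips` in core-services-01/subZone.nix (patch 019); a comment cross-referencing the two, e.g. `# must match public-cof-ips in core-services-01/subZone.nix`, stops them drifting apart silently.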
@@ -0,0 +1,27 @@ +{ pkgs, ... }: +let pkgsList = with pkgs; [ + curl + wget + + nix-prefetch-git + dnsutils + + unzip + zip + ripgrep + + niv + nixfmt + ]; +in +{ + imports = [ + ./vim.nix + ]; + programs = { + tmux.enable = true; + mosh.enable = true; + }; + + environment.systemPackages = pkgsList; +} diff --git a/machines/public-cof/pubkeys/gdd.keys b/machines/public-cof/pubkeys/gdd.keys new file mode 100644 index 0000000..b5d4e40 --- /dev/null +++ b/machines/public-cof/pubkeys/gdd.keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ diff --git a/machines/public-cof/pubkeys/raito.keys b/machines/public-cof/pubkeys/raito.keys new file mode 100644 index 0000000..0f48a59 --- /dev/null +++ b/machines/public-cof/pubkeys/raito.keys @@ -0,0 +1,4 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr diff --git a/machines/public-cof/system.nix b/machines/public-cof/system.nix new file mode 100644 index 0000000..997dbdd --- /dev/null +++ b/machines/public-cof/system.nix 
@@ -0,0 +1,23 @@ +{ pkgs, ... }: +{ + # # Auto upgrades + # system.autoUpgrade = { + # enable = false; # TODO(Ryan): do not enable, it will break deployments. + # allowReboot = false; + # }; + + # Auto GC and store optimizations + nix = { + trustedUsers = [ "root" ]; + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 90d"; + }; + optimise.automatic = true; + extraOptions = '' + min-free = ${toString (100 * 1024 * 1024)} + max-free = ${toString (1024 * 1024 * 1024)} + ''; + }; +} diff --git a/machines/public-cof/vim.nix b/machines/public-cof/vim.nix new file mode 100644 index 0000000..bed8752 --- /dev/null +++ b/machines/public-cof/vim.nix @@ -0,0 +1,31 @@ +{ pkgs, ... }: +{ + environment.variables = { EDITOR = "vim"; }; + + environment.systemPackages = with pkgs; [ + nixfmt + git + (neovim.override { + vimAlias = true; + configure = { + packages.myPlugins = with pkgs.vimPlugins; { + start = [ vim-lastplace vim-nix ]; + opt = []; + }; + customRC = '' + set encoding=utf-8 + set wildmenu + + set nocompatible + set backspace=indent,eol,start + set cursorline + hi CursorLine term=bold cterm=bold ctermbg=darkgrey + set number + set relativenumber + set tabstop=4 + set expandtab + ''; + }; + } + )]; +} -- 2.47.0 From 9b6c56baadcc9da1d851b1a6c9eada3014716a46 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Fri, 12 Nov 2021 23:59:59 +0000 Subject: [PATCH 019/149] add DNS records for public-cof's future services --- machines/core-services-01/subZone.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 732a106..157ad87 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -4,6 +4,7 @@ with dns.lib.combinators; let my = config.my; + public-cof-ips = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5" ]; delegateACMEDNSChallenge = acme: { _acme-challenge.CNAME = [ acme ]; }; remoteBuilders = { 
@@ -15,7 +16,7 @@ with my.ipv6; # contains { standard, acme } SOA = { nameServer = "ns1.${my.subZone}."; adminEmail = my.email; - serial = 2021111100; # Y M D Version + serial = 2021111200; # Y M D Version }; NS = [ @@ -48,6 +49,12 @@ with my.ipv6; # contains { standard, acme } AAAA = [ acme ]; }; + beta.subdomains = { + nuage.AAAA = public-cof-ips; + minecraft.AAAA = public-cof-ips; + factorio.AAAA = public-cof-ips; + home.AAAA = public-cof-ips; + }; internal.subdomains = { # Routers -- 2.47.0 From 394ca11d2917d28b779c9d8f754c16bb552c5d56 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Fri, 12 Nov 2021 23:59:59 +0000 Subject: [PATCH 020/149] auto deploy public-cof --- krops.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index c17fe78..ba8745b 100644 --- a/krops.nix +++ b/krops.nix @@ -31,4 +31,5 @@ let in {} // mkDeploy "core-services-01" "root@core01.internal.rz.ens.wtf" // mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" -// mkTestsConfig [ "core-services-01" "remote-builder-01" ] +// mkDeploy "public-cof" "root@nix01.builders.rz.ens.wtf" +// mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] -- 2.47.0 From 20147f145b0305f305766dc4bade857c43a8a216 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Fri, 12 Nov 2021 23:59:59 +0000 Subject: [PATCH 021/149] add AAAA for gdd.rz.ens.wtf --- machines/core-services-01/subZone.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 8937940..732a106 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -40,6 +40,7 @@ with my.ipv6; # contains { standard, acme } gdd = { NS = [ "ns1.gdd.${my.subZone}." ]; subdomains.ns1.AAAA = [ "2001:470:1f13:187:350a:214a:639c:b97b" ]; + AAAA = [ "2001:470:1f13:187:350a:214a:639c:b97b" ]; }; acme = { -- 2.47.0 
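Review bot: `mkDeploy "public-cof" "root@nix01.builders.rz.ens.wtf"` targets the same host as `remote-builder-01`, so running this deploy would switch the build server over to the public-cof configuration (web and game services, a different root key set). The target has to be the public-cof host; patch 029 later corrects it to `root@beta.rz.ens.wtf`, and squashing that fix here keeps the history free of a revision that deploys the wrong machine. The `let … in` expression closed by this hunk starts outside it.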
From 1309a9a91ef51e1507d87a911d62e2f4080e39b5 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 13 Nov 2021 01:48:32 +0100 Subject: [PATCH 022/149] add nextcloud to plublic-cof --- machines/public-cof/acme.nix | 5 +++ machines/public-cof/configuration.nix | 2 + machines/public-cof/nextcloud.nix | 57 +++++++++++++++++++++++++++ 3 files changed, 64 insertions(+) create mode 100644 machines/public-cof/acme.nix create mode 100644 machines/public-cof/nextcloud.nix diff --git a/machines/public-cof/acme.nix b/machines/public-cof/acme.nix new file mode 100644 index 0000000..3911368 --- /dev/null +++ b/machines/public-cof/acme.nix @@ -0,0 +1,5 @@ +{ ... }: +{ + security.acme.acceptTerms = true; + security.acme.email = "club-reseau@lists.ens.psl.eu"; +} diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 190595f..1556fd3 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -6,7 +6,9 @@ ./hardware-configuration.nix ./programs.nix ./system.nix + ./acme.nix ./networking.nix + ./nextcloud.nix # TODO monitoring ]; diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix new file mode 100644 index 0000000..4900acd --- /dev/null +++ b/machines/public-cof/nextcloud.nix 
@@ -0,0 +1,57 @@ +{ ... }: +{ + services.nextcloud = { + enable = true; + hostName = "nuage.beta.rz.ens.wtf"; + https = true; + + config = { + overwriteProtocol = "https"; + + dbtype = "pgsql"; + dbhost = "/run/postgresql"; + + dbpass = "TODO"; + adminpass = "TODO"; + + defaultPhoneRegion = "FR"; + }; + }; + + services.nginx = { + enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # # Only allow PFS-enabled ciphers with AES256 + # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + virtualHosts = { + "nuage.beta.rz.ens.wtf" = { + forceSSL = true; + enableACME = true; + }; + }; + }; + + services.postgresql = { + enable = true; + + ensureDatabases = [ "nextcloud" ]; + ensureUsers = [ + { name = "nextcloud"; + ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; + } + ]; + }; + + systemd.services."nextcloud-setup" = { + requires = [ "postgresql.service" ]; + after = [ "postgresql.service" ]; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; +} -- 2.47.0 From 06e84b79b4be8c684bd568b8294baccf9b14d8b1 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 13 Nov 2021 01:52:04 +0100 Subject: [PATCH 023/149] add minecraft server to public-cof --- machines/public-cof/configuration.nix | 6 +- machines/public-cof/minecraft.nix | 84 +++++++++++++++++++++++++++ 2 files changed, 89 insertions(+), 1 deletion(-) create mode 100644 machines/public-cof/minecraft.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 1556fd3..049bd69 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { imports = 
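Review bot: `dbpass = "TODO";` and `adminpass = "TODO";` are live credentials once this is deployed: as far as the module goes, the literal `TODO` becomes the admin password of a publicly reachable Nextcloud, and both strings are world-readable in `/nix/store` and permanent in git history. Use the file-based options pointing at a root-only file kept out of the repo, `dbpassFile = "/var/lib/nextcloud/secrets/dbpass";` and `adminpassFile = "/var/lib/nextcloud/secrets/adminpass";`, and rotate the admin password if this revision was ever applied. With `dbhost = "/run/postgresql"` the database is presumably reached over the local socket with peer auth, so the db password is likely unused, but it still must not be a literal.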
@@ -9,9 +9,13 @@ ./acme.nix ./networking.nix ./nextcloud.nix + ./minecraft.nix # TODO monitoring ]; + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ + "minecraft-server" + ]; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix new file mode 100644 index 0000000..0838a64 --- /dev/null +++ b/machines/public-cof/minecraft.nix 
@@ -0,0 +1,84 @@ +{ lib, pkgs, ... }: +let + papermc = { + ram = 4; # In GB + version = "1.17.1"; + build = 189; + sha256 = "06g2vs8z7k9bl8asjgdz9h8fkd93xam2lbrgmzgamwjp94gvfvrn"; + }; + port = 43000; + rconPort = 25575; +in +{ + # Remote administration + environment.systemPackages = [ pkgs.mcrcon ]; + + # Use papermc + nixpkgs.overlays = [ + (self: super: { + minecraft-server = super.minecraft-server.overrideAttrs (old: { + src = pkgs.fetchurl { + url = with papermc; + "https://papermc.io/api/v2/projects/paper/versions/${version}/builds/${toString build}/downloads/paper-${version}-${toString build}.jar"; + sha256 = papermc.sha256; + }; + }); + }) + ]; + + services.minecraft-server = { + enable = true; + eula = true; + declarative = true; + + jvmOpts = with papermc; + "-Xms${toString ram}G -Xmx${toString ram}G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1"; + + # To get the uuids: https://mcuuid.net/ + whitelist = { + gabriel_dr_dl = "53fced49-da51-4c82-b1d0-37168029db08"; + aimie_dodo = "d10be020-a612-47e5-b0d0-938b9a7eb58e"; + }; + + serverProperties = { + server-port = port; + difficulty = "normal"; + gamemode = "survival"; + max-players = 42; + motd = "This is a test and it will break"; + + view-distance = 7; + + # Map settings + level-seed = "9058136630944956755"; + level-name = "Public COF"; + + level-type = "default"; + spawn-animals = true; + spawn-monsters = true; + spawn-npcs = true; + generate-structures = true; + + enable-command-block = false; + + # Whitelist + white-list = true; + enforce-whitelist = true; + + # Admin + 
enable-rcon = true; + "rcon.password" = + ''yQZ>O.%]fB{'E.X=HI1/En~i-''; # TODO Warning: it is written in clear in /var/lib/... with read permissions and mcrcom will transmit it without encryption + "rcon.port" = rconPort; + admin-slot = true; + + snoop-enabled = false; + public = false; + + # enable-jmx-monitoring = true; # https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html + }; + }; + + networking.firewall.allowedTCPPorts = [ port ]; + networking.firewall.allowedUDPPorts = [ port ]; +} -- 2.47.0 From 7dd205ad907320a59d1b0e2aa24ac9c4f852e17f Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 13 Nov 2021 01:52:22 +0100 Subject: [PATCH 024/149] add factorio server to public-cof --- machines/public-cof/configuration.nix | 3 +++ machines/public-cof/factorio.nix | 14 ++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 machines/public-cof/factorio.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 049bd69..662d7f9 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -10,12 +10,15 @@ ./networking.nix ./nextcloud.nix ./minecraft.nix + ./factorio.nix # TODO monitoring ]; nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "minecraft-server" + "factorio-headless" ]; + boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; diff --git a/machines/public-cof/factorio.nix b/machines/public-cof/factorio.nix new file mode 100644 index 0000000..90630a8 --- /dev/null +++ b/machines/public-cof/factorio.nix @@ -0,0 +1,14 @@ +{ ... }: +{ + services.factorio = { + enable = true; + admins = [ ]; + username = "AGB"; + password = "Je vais voter pour le club réseau"; + description = "This is a test and it will break"; + game-name = "Factorio for AGB"; + openFirewall = true; + }; + + networking.firewall.allowedUDPPorts = [ 34197 ]; +} -- 2.47.0 
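Review bot: `"rcon.password" = ''yQZ>O.%]fB{'E.X=HI1/En~i-''` commits a live secret to git and, via the declarative `serverProperties`, into a world-readable `/nix/store` path — the inline TODO already says as much — so it needs rotating now regardless of the fix chosen. Since the firewall opens only `port` and not `rconPort`, rcon is reachable from the host alone, where the operators already have root; if remote administration is not actually needed the simplest fix is `enable-rcon = false;`, otherwise the password has to come from outside the repo (the module offers no `*File` option for `serverProperties`, so that means `declarative = false` or a runtime template). The `sha256` pin on the PaperMC jar is good; keep it in step with `build` when bumping.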
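Review bot: `password = "Je vais voter pour le club réseau";` with `username = "AGB"` are, as far as I know, factorio.com account credentials (that is what the module's `username`/`password` options carry), committed in clear and rendered into the generated server settings in `/nix/store`; rotate the account password and source it from a file outside the repo. `admins = [ ];` leaves nobody able to administer the server in-game, and `openFirewall = true;` already opens the game port, so `networking.firewall.allowedUDPPorts = [ 34197 ];` is redundant. Patch 026 disables this module two commits later, but the secret stays in history.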
From 0dfcfe243e826bdc399c4133974c1cae3a52b582 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 13 Nov 2021 02:51:54 +0100 Subject: [PATCH 025/149] create nginx virtual host for home.beta.rz.ens.wtf --- machines/core-services-01/subZone.nix | 3 ++- machines/public-cof/configuration.nix | 1 + machines/public-cof/nextcloud.nix | 10 ---------- machines/public-cof/nginx.nix | 26 ++++++++++++++++++++++++++ 4 files changed, 29 insertions(+), 11 deletions(-) create mode 100644 machines/public-cof/nginx.nix diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 157ad87..fc1e5aa 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -16,7 +16,7 @@ with my.ipv6; # contains { standard, acme } SOA = { nameServer = "ns1.${my.subZone}."; adminEmail = my.email; - serial = 2021111200; # Y M D Version + serial = 2021111300; # Y M D Version }; NS = [ @@ -35,6 +35,7 @@ with my.ipv6; # contains { standard, acme } auth.AAAA = standard; push.AAAA = standard; ns1.AAAA = standard; + beta.AAAA = public-cof-ips; builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 662d7f9..4d47552 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -11,6 +11,7 @@ ./nextcloud.nix ./minecraft.nix ./factorio.nix + ./nginx.nix # TODO monitoring ]; diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 4900acd..31c15ec 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix 
@@ -19,16 +19,6 @@ }; services.nginx = { - enable = true; - - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - # # Only allow PFS-enabled ciphers with AES256 - # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - virtualHosts = { "nuage.beta.rz.ens.wtf" = { forceSSL = true; diff --git a/machines/public-cof/nginx.nix b/machines/public-cof/nginx.nix new file mode 100644 index 0000000..144d3b4 --- /dev/null +++ b/machines/public-cof/nginx.nix @@ -0,0 +1,26 @@ +{ ... }: +{ + services.nginx = { + enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # # Only allow PFS-enabled ciphers with AES256 + # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + virtualHosts = { + "home.beta.rz.ens.wtf" = { + serverAliases = [ "beta.rz.ens.wtf" ]; + forceSSL = true; + enableACME = true; + root = "/var/public-cof/home"; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedUDPPorts = [ 80 443 ]; +} -- 2.47.0 From 72b926a6ed52a3d657bc87464eb0bfe2625d1a45 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 13 Nov 2021 02:52:16 +0100 Subject: [PATCH 026/149] disable the factorio server --- machines/public-cof/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 4d47552..d823d36 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -10,7 +10,7 @@ ./networking.nix ./nextcloud.nix ./minecraft.nix - ./factorio.nix + # ./factorio.nix # TODO ./nginx.nix # TODO monitoring ]; -- 2.47.0 From dd57d05591cfdeb4dbd369819d94fb8508475988 Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 13 Nov 2021 23:35:16 +0100 Subject: [PATCH 027/149] dns: add upstream v4 proxy for {home,nuage,}.beta.rz.ens.wtf to kurisu.dual.lahfa.xyz --- machines/core-services-01/subZone.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index fc1e5aa..64a1892 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -4,6 +4,7 @@ with dns.lib.combinators; let my = config.my; + upstream-v4-proxies = [ "51.15.7.181" ]; # kurisu.dual.lahfa.xyz public-cof-ips = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5" ]; delegateACMEDNSChallenge = acme: { _acme-challenge.CNAME = [ acme ]; }; @@ -35,6 +36,7 @@ with my.ipv6; # contains { standard, acme } auth.AAAA = standard; push.AAAA = standard; ns1.AAAA = standard; + beta.A = upstream-v4-proxies; beta.AAAA = public-cof-ips; builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; @@ -51,9 +53,11 @@ with my.ipv6; # contains { standard, acme } }; beta.subdomains = { + nuage.A = upstream-v4-proxies; nuage.AAAA = public-cof-ips; minecraft.AAAA = public-cof-ips; factorio.AAAA = public-cof-ips; + home.A = upstream-v4-proxies; home.AAAA = public-cof-ips; }; -- 2.47.0 From 0dc5bd6aad2ad0dfb5dddeb2c2bd8597b1978a84 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 13 Nov 2021 23:48:21 +0100 Subject: [PATCH 028/149] add {pads,docs}.beta.rz.ens.wtf to the DNS server --- machines/core-services-01/subZone.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 64a1892..4c0d934 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix 
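Review bot: Pointing the `beta`, `nuage` and `home` A records at `51.15.7.181`, a host outside this infrastructure, changes the trust model for IPv4 clients without saying how: if the proxy terminates TLS it sees Nextcloud passwords and session cookies and needs its own certificates for these names; if it is a TCP/SNI passthrough none of that applies. Record which it is next to the definition, e.g. `# v4 reverse proxy — TCP/SNI passthrough, no TLS termination` (or the opposite), and if it is layer 7 the public-cof nginx should trust `X-Forwarded-For` only from that address. Only `nuage` and `home` get v4 while `pads`/`docs` (patch 028) stay v6-only; a note would say whether that is intentional. The zone attribute set starts and ends outside these hunks.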
@@ -17,7 +17,7 @@ with my.ipv6; # contains { standard, acme } SOA = { nameServer = "ns1.${my.subZone}."; adminEmail = my.email; - serial = 2021111300; # Y M D Version + serial = 2021111301; # Y M D Version }; NS = [ @@ -59,6 +59,8 @@ with my.ipv6; # contains { standard, acme } factorio.AAAA = public-cof-ips; home.A = upstream-v4-proxies; home.AAAA = public-cof-ips; + pads.AAAA = public-cof-ips; + docs.AAAA = public-cof-ips; }; internal.subdomains = { -- 2.47.0 From 17484e5973f1ac5292a19fe130916d1a5d073f80 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 13 Nov 2021 23:49:25 +0100 Subject: [PATCH 029/149] correct typo in krops.nix --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index ba8745b..39ec306 100644 --- a/krops.nix +++ b/krops.nix @@ -31,5 +31,5 @@ let in {} // mkDeploy "core-services-01" "root@core01.internal.rz.ens.wtf" // mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" -// mkDeploy "public-cof" "root@nix01.builders.rz.ens.wtf" +// mkDeploy "public-cof" "root@beta.rz.ens.wtf" // mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] -- 2.47.0 From f8cc9879ef3614e5e8441854df5cc101c45fab73 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 13 Nov 2021 23:54:30 +0100 Subject: [PATCH 030/149] close unused UDP port --- machines/public-cof/nginx.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/machines/public-cof/nginx.nix b/machines/public-cof/nginx.nix index 144d3b4..efc35f1 100644 --- a/machines/public-cof/nginx.nix +++ b/machines/public-cof/nginx.nix @@ -22,5 +22,4 @@ }; networking.firewall.allowedTCPPorts = [ 80 443 ]; - networking.firewall.allowedUDPPorts = [ 80 443 ]; } -- 2.47.0 From ff0a6b450fc8eecf875b55586c629d8829ef86d2 Mon Sep 17 00:00:00 2001 
From: gabriel-doriath-dohler Date: Sun, 14 Nov 2021 01:28:51 +0100 Subject: [PATCH 031/149] remove space in MC level name --- machines/public-cof/minecraft.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 0838a64..6d9dc9d 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -51,7 +51,7 @@ in # Map settings level-seed = "9058136630944956755"; - level-name = "Public COF"; + level-name = "Public_COF"; level-type = "default"; spawn-animals = true; -- 2.47.0 From 10a5cef82326877ae3fe75c80af49df2cfd44c1a Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sun, 14 Nov 2021 23:56:00 +0100 Subject: [PATCH 032/149] add hedgedoc --- machines/public-cof/configuration.nix | 1 + machines/public-cof/hedgedoc.nix | 36 +++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 machines/public-cof/hedgedoc.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index d823d36..568fcd9 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -12,6 +12,7 @@ ./minecraft.nix # ./factorio.nix # TODO ./nginx.nix + ./hedgedoc.nix # TODO monitoring ]; diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix new file mode 100644 index 0000000..b60e25f --- /dev/null +++ b/machines/public-cof/hedgedoc.nix 
@@ -0,0 +1,36 @@ +{ ... }: +let + port = 3000; +in +{ + services.hedgedoc = { + enable = true; + configuration = { + protocolUseSSL = true; + # scp =; # TODO + domain = "//docs.beta.rz.ens.wtf"; + host = "localhost"; + port = port; + db = { + dialect = "sqlite"; + storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; + }; + }; + }; + + services.nginx = { + virtualHosts = { + "docs.beta.rz.ens.wtf" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://localhost:${toString port}"; + }; + }; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 433 80 ]; +} -- 2.47.0 From d0b0093ba6bbc2f02c5ff775f7f2219e70cc7e60 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sun, 14 Nov 2021 23:57:19 +0100 Subject: [PATCH 033/149] make home.beta.rz.ens.wtf the nginx default --- machines/public-cof/nginx.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/nginx.nix b/machines/public-cof/nginx.nix index efc35f1..f5c3134 100644 --- a/machines/public-cof/nginx.nix +++ b/machines/public-cof/nginx.nix @@ -14,6 +14,7 @@ virtualHosts = { "home.beta.rz.ens.wtf" = { serverAliases = [ "beta.rz.ens.wtf" ]; + default = true; forceSSL = true; enableACME = true; root = "/var/public-cof/home"; -- 2.47.0 From 71797ad07ec30f908a5d9b5158fa23730087ed22 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Nov 2021 00:09:44 +0100 Subject: [PATCH 034/149] start a cryptpad module --- machines/core-services-01/subZone.nix | 8 +- machines/public-cof/configuration.nix | 1 + machines/public-cof/cryptpad.js | 316 ++++++++++++++++++++++++++ machines/public-cof/cryptpad.nix | 190 ++++++++++++++++ 4 files changed, 514 insertions(+), 1 deletion(-) create mode 100644 machines/public-cof/cryptpad.js create mode 100644 machines/public-cof/cryptpad.nix diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 4c0d934..5c660cc 100644 --- a/machines/core-services-01/subZone.nix 
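Review bot: `networking.firewall.allowedTCPPorts = [ 433 80 ];` opens TCP/433 — a typo for 443 — on a public host with nothing listening, and 80/443 are already opened by nginx.nix, so the line should be dropped or corrected to `[ 443 80 ]`. The `/` location proxies HedgeDoc without `proxyWebsockets = true;`, which as far as I know the realtime editor needs for its socket.io connection, and `domain = "//docs.beta.rz.ens.wtf"` looks like a bare hostname with a stray `//` prefix — verify against the module's `domain` option before deploying. The `# scp =;  # TODO` placeholder should either become a real CSP setting or be removed.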
+++ b/machines/core-services-01/subZone.nix @@ -17,7 +17,7 @@ with my.ipv6; # contains { standard, acme } SOA = { nameServer = "ns1.${my.subZone}."; adminEmail = my.email; - serial = 2021111301; # Y M D Version + serial = 2021111400; # Y M D Version }; NS = [ @@ -60,9 +60,15 @@ with my.ipv6; # contains { standard, acme } home.A = upstream-v4-proxies; home.AAAA = public-cof-ips; pads.AAAA = public-cof-ips; + pads.subdomains = { + api.AAAA = public-cof-ips; + files.AAAA = public-cof-ips; + sandbox.AAAA = public-cof-ips; + }; docs.AAAA = public-cof-ips; }; + internal.subdomains = { # Routers router01.A = [ "10.1.1.1" ]; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 568fcd9..6f798cf 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -12,6 +12,7 @@ ./minecraft.nix # ./factorio.nix # TODO ./nginx.nix + # ./cryptpad.nix ./hedgedoc.nix # TODO monitoring ]; diff --git a/machines/public-cof/cryptpad.js b/machines/public-cof/cryptpad.js new file mode 100644 index 0000000..b08412f --- /dev/null +++ b/machines/public-cof/cryptpad.js 
@@ -0,0 +1,316 @@
+/* globals module */
+
+/* DISCLAIMER:
+ There are two recommended methods of running a CryptPad instance:
+ 1. Using a standalone nodejs server without HTTPS (suitable for local development)
+ 2. Using NGINX to serve static assets and to handle HTTPS for API server's websocket traffic
+ We do not officially recommend or support Apache, Docker, Kubernetes, Traefik, or any other configuration.
+ Support requests for such setups should be directed to their authors.
+ If you're having difficulty difficulty configuring your instance
+ we suggest that you join the project's IRC/Matrix channel.
+ If you don't have any difficulty configuring your instance and you'd like to
+ support us for the work that went into making it pain-free we are quite happy
+ to accept donations via our opencollective page: https://opencollective.com/cryptpad
+*/
+module.exports = {
+/* CryptPad is designed to serve its content over two domains.
+ * Account passwords and cryptographic content is handled on the 'main' domain,
+ * while the user interface is loaded on a 'sandbox' domain
+ * which can only access information which the main domain willingly shares.
+ *
+ * In the event of an XSS vulnerability in the UI (that's bad)
+ * this system prevents attackers from gaining access to your account (that's good).
+ *
+ * Most problems with new instances are related to this system blocking access
+ * because of incorrectly configured sandboxes. If you only see a white screen
+ * when you try to load CryptPad, this is probably the cause.
+ *
+ * PLEASE READ THE FOLLOWING COMMENTS CAREFULLY.
+ *
+ */
+
+/* httpUnsafeOrigin is the URL that clients will enter to load your instance.
+ * Any other URL that somehow points to your instance is supposed to be blocked.
+ * The default provided below assumes you are loading CryptPad from a server
+ * which is running on the same machine, using port 3000.
+ *
+ * In a production instance this should be available ONLY over HTTPS
+ * using the default port for HTTPS (443) ie. https://cryptpad.fr
+ * In such a case this should be handled by NGINX, as documented in
+ * cryptpad/docs/example.nginx.conf (see the $main_domain variable)
+ *
+ */
+ httpUnsafeOrigin: 'http://localhost:3000/',
+
+/* httpSafeOrigin is the URL that is used for the 'sandbox' described above.
+ * If you're testing or developing with CryptPad on your local machine then
+ * it is appropriate to leave this blank. The default behaviour is to serve
+ * the main domain over port 3000 and to serve the content over port 3001.
+ *
+ * This is not appropriate in a production environment where invasive networks
+ * may filter traffic going over abnormal ports.
+ * To correctly configure your production instance you must provide a URL
+ * with a different domain (a subdomain is sufficient).
+ * It will be used to load the UI in our 'sandbox' system.
+ *
+ * This value corresponds to the $sandbox_domain variable
+ * in the example nginx file.
+ *
+ * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
+ */
+ // httpSafeOrigin: "https://some-other-domain.xyz",
+
+/* httpAddress specifies the address on which the nodejs server
+ * should be accessible. By default it will listen on 127.0.0.1
+ * (IPv4 localhost on most systems). If you want it to listen on
+ * all addresses, including IPv6, set this to '::'.
+ *
+ */
+ //httpAddress: '::',
+
+/* httpPort specifies on which port the nodejs server should listen.
+ * By default it will serve content over port 3000, which is suitable
+ * for both local development and for use with the provided nginx example,
+ * which will proxy websocket traffic to your node server.
+ *
+ */
+ //httpPort: 3000,
+
+/* httpSafePort allows you to specify an alternative port from which
+ * the node process should serve sandboxed assets. The default value is
+ * that of your httpPort + 1. You probably don't need to change this.
+ *
+ */
+ //httpSafePort: 3001,
+
+/* CryptPad will launch a child process for every core available
+ * in order to perform CPU-intensive tasks in parallel.
+ * Some host environments may have a very large number of cores available
+ * or you may want to limit how much computing power CryptPad can take.
+ * If so, set 'maxWorkers' to a positive integer.
+ */
+ // maxWorkers: 4,
+
+ /* =====================
+ * Admin
+ * ===================== */
+
+ /*
+ * CryptPad contains an administration panel. Its access is restricted to specific
+ * users using the following list.
+ * To give access to the admin panel to a user account, just add their user id,
+ * which can be found on the settings page for registered users.
+ * Entries should be strings separated by a comma.
+ */
+/*
+ adminKeys: [
+ //"https://my.awesome.website/user/#/1/cryptpad-user1/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=",
+ ],
+*/
+
+ /* CryptPad's administration panel includes a "support" tab
+ * wherein administrators with a secret key can view messages
+ * sent from users via the encrypted forms on the /support/ page
+ *
+ * To enable this functionality:
+ * run `node ./scripts/generate-admin-keys.js`
+ * save the public key in your config in the value below
+ * add the private key via the admin panel
+ * and back it up in a secure manner
+ *
+ */
+ // supportMailboxPublicKey: "",
+
+ /* We're very proud that CryptPad is available to the public as free software!
+ * We do, however, still need to pay our bills as we develop the platform.
+ *
+ * By default CryptPad will prompt users to consider donating to
+ * our OpenCollective campaign. We publish the state of our finances periodically
+ * so you can decide for yourself whether our expenses are reasonable.
+ *
+ * You can disable any solicitations for donations by setting 'removeDonateButton' to true,
+ * but we'd appreciate it if you didn't!
+ */
+ //removeDonateButton: false,
+
+ /* CryptPad will display a point of contact for your instance on its contact page
+ * (/contact.html) if you provide it below.
+ */
+ adminEmail: 'club-reseau@lists.ens.psl.eu',
+
+ /*
+ * By default, CryptPad contacts one of our servers once a day.
+ * This check-in will also send some very basic information about your instance including its
+ * version and the adminEmail so we can reach you if we are aware of a serious problem.
+ * We will never sell it or send you marketing mail.
+ *
+ * If you want to block this check-in and remain set 'blockDailyCheck' to true.
+ */
+ //blockDailyCheck: false,
+
+ /*
+ * By default users get 50MB of storage by registering on an instance.
+ * You can set this value to whatever you want.
+ *
+ * hint: 50MB is 50 * 1024 * 1024
+ */
+ //defaultStorageLimit: 50 * 1024 * 1024,
+
+
+ /* =====================
+ * STORAGE
+ * ===================== */
+
+ /* Pads that are not 'pinned' by any registered user can be set to expire
+ * after a configurable number of days of inactivity (default 90 days).
+ * The value can be changed or set to false to remove expiration.
+ * Expired pads can then be removed using a cron job calling the
+ * `evict-inactive.js` script with node
+ *
+ * defaults to 90 days if nothing is provided
+ */
+ //inactiveTime: 90, // days
+
+ /* CryptPad archives some data instead of deleting it outright.
+ * This archived data still takes up space and so you'll probably still want to
+ * remove these files after a brief period.
+ *
+ * cryptpad/scripts/evict-inactive.js is intended to be run daily
+ * from a crontab or similar scheduling service.
+ *
+ * The intent with this feature is to provide a safety net in case of accidental
+ * deletion. Set this value to the number of days you'd like to retain
+ * archived data before it's removed permanently.
+ *
+ * defaults to 15 days if nothing is provided
+ */
+ //archiveRetentionTime: 15,
+
+ /* Max Upload Size (bytes)
+ * this sets the maximum size of any one file uploaded to the server.
+ * anything larger than this size will be rejected
+ * defaults to 20MB if no value is provided
+ */
+ //maxUploadSize: 20 * 1024 * 1024,
+
+ /*
+ * CryptPad allows administrators to give custom limits to their friends.
+ * add an entry for each friend, identified by their user id,
+ * which can be found on the settings page. Include a 'limit' (number of bytes),
+ * a 'plan' (string), and a 'note' (string).
+ *
+ * hint: 1GB is 1024 * 1024 * 1024 bytes
+ */
+/*
+ customLimits: {
+ "https://my.awesome.website/user/#/1/cryptpad-user1/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=": {
+ limit: 20 * 1024 * 1024 * 1024,
+ plan: 'insider',
+ note: 'storage space donated by my.awesome.website'
+ },
+ "https://my.awesome.website/user/#/1/cryptpad-user2/GdflkgdlkjeworijfkldfsdflkjeEAsdlEnkbx1vVOo=": {
+ limit: 10 * 1024 * 1024 * 1024,
+ plan: 'insider',
+ note: 'storage space donated by my.awesome.website'
+ }
+ },
+*/
+
+ /* Users with premium accounts (those with a plan included in their customLimit)
+ * can benefit from an increased upload size limit. By default they are restricted to the same
+ * upload size as any other registered user.
+ *
+ */
+ //premiumUploadSize: 100 * 1024 * 1024,
+
+ /* =====================
+ * DATABASE VOLUMES
+ * ===================== */
+
+ /*
+ * CryptPad stores each document in an individual file on your hard drive.
+ * Specify a directory where files should be stored.
+ * It will be created automatically if it does not already exist.
+ */
+ filePath: './datastore/',
+
+ /* CryptPad offers the ability to archive data for a configurable period
+ * before deleting it, allowing a means of recovering data in the event
+ * that it was deleted accidentally.
+ *
+ * To set the location of this archive directory to a custom value, change
+ * the path below:
+ */
+ archivePath: './data/archive',
+
+ /* CryptPad allows logged in users to request that particular documents be
+ * stored by the server indefinitely. This is called 'pinning'.
+ * Pin requests are stored in a pin-store. The location of this store is
+ * defined here.
+ */
+ pinPath: './data/pins',
+
+ /* if you would like the list of scheduled tasks to be stored in
+ a custom location, change the path below:
+ */
+ taskPath: './data/tasks',
+
+ /* if you would like users' authenticated blocks to be stored in
+ a custom location, change the path below:
+ */
+ blockPath: './block',
+
+ /* CryptPad allows logged in users to upload encrypted files. Files/blobs
+ * are stored in a 'blob-store'. Set its location here.
+ */
+ blobPath: './blob',
+
+ /* CryptPad stores incomplete blobs in a 'staging' area until they are
+ * fully uploaded. Set its location here.
+ */
+ blobStagingPath: './data/blobstage',
+
+ /* CryptPad supports logging events directly to the disk in a 'logs' directory
+ * Set its location here, or set it to false (or nothing) if you'd rather not log
+ */
+ logPath: './data/logs',
+
+ /* =====================
+ * Debugging
+ * ===================== */
+
+ /* CryptPad can log activity to stdout
+ * This may be useful for debugging
+ */
+ logToStdout: false,
+
+ /* CryptPad can be configured to log more or less
+ * the various settings are listed below by order of importance
+ *
+ * silly, verbose, debug, feedback, info, warn, error
+ *
+ * Choose the least important level of logging you wish to see.
+ * For example, a 'silly' logLevel will display everything,
+ * while 'info' will display 'info', 'warn', and 'error' logs
+ *
+ * This will affect both logging to the console and the disk.
+ */
+ logLevel: 'info',
+
+ /* clients can use the /settings/ app to opt out of usage feedback
+ * which informs the server of things like how much each app is being
+ * used, and whether certain clientside features are supported by
+ * the client's browser. The intent is to provide feedback to the admin
+ * such that the service can be improved. Enable this with `true`
+ * and ignore feedback with `false` or by commenting the attribute
+ *
+ * You will need to set your logLevel to include 'feedback'. Set this
+ * to false if you'd like to exclude feedback from your logs.
+ */
+ logFeedback: false,
+
+ /* CryptPad supports verbose logging
+ * (false by default)
+ */
+ verbose: false,
+};
diff --git a/machines/public-cof/cryptpad.nix b/machines/public-cof/cryptpad.nix
new file mode 100644
index 0000000..dc27ca9
--- /dev/null
+++ b/machines/public-cof/cryptpad.nix
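Review bot: `httpUnsafeOrigin` is left at the shipped default `'http://localhost:3000/'` and `httpSafeOrigin` stays commented out, although cryptpad.nix in this same commit fronts the service with nginx on `pads.beta.rz.ens.wtf` and a separate `sandbox.pads.beta.rz.ens.wtf`; the file's own comments say the sandbox origin must be customised for production, and without it the main-domain/sandbox separation that limits what an XSS in the UI can reach is not in effect. Set `httpUnsafeOrigin: 'https://pads.beta.rz.ens.wtf/',` and `httpSafeOrigin: 'https://sandbox.pads.beta.rz.ens.wtf',` so they match the nginx `$main_domain` and `$sandbox_domain`. The storage paths (`filePath: './datastore/'` and the other `./data/...`, `./block`, `./blob` entries) are relative and so depend on the working directory the NixOS cryptpad unit starts in; I'd confirm they land under a persistent state directory rather than assume it. `adminEmail` is filled in but `adminKeys` stays commented, so the admin panel is unreachable for now; a `// TODO: add admin user ids before going live` comment there would make that explicit.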
@@ -0,0 +1,190 @@
+{ ... }:
+let
+ subZone = "beta.rz.ens.wtf";
+ main_domain = "pads." + subZone;
+ api_domain = "api." + main_domain;
+ files_domain = "files." + main_domain;
+ sandbox_domain = "sandbox." + main_domain;
+in
+{
+ services.cryptpad = {
+ enable = true;
+ configFile = "/etc/cryptpad/config.js";
+ };
+ environment.etc."cryptpad/config.js".source = ./cryptpad.js;
+
+ services.nginx.virtualHosts = {
+ "docs.beta.rz.ens.wtf" = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ # CryptPad serves static assets over these two domains.
+ # `main_domain` is what users will enter in their address bar.
+ # Privileged computation such as key management is handled in this scope
+ # UI content is loaded via the `sandbox_domain`.
+ # "Content Security Policy" headers prevent content loaded via the sandbox
+ # from accessing privileged information.
+ # These variables must be different to take advantage of CryptPad's sandboxing techniques.
+ # In the event of an XSS vulnerability in CryptPad's front-end code
+ # this will limit the amount of information accessible to attackers.
+ set $main_domain ${main_domain};
+ set $sandbox_domain ${sandbox_domain};
+
+ # CryptPad's dynamic content (websocket traffic and encrypted blobs)
+ # can be served over separate domains. Using dedicated domains (or subdomains)
+ # for these purposes allows you to move them to a separate machine at a later date
+ # if you find that a single machine cannot handle all of your users.
+ # If you don't use dedicated domains, this can be the same as $main_domain
+ # If you do, they'll be added as exceptions to any rules which block connections to remote domains.
+ set $api_domain ${api_domain};
+ set $files_domain ${files_domain};
+
+
+ server_name ${main_domain} ${sandbox_domain};
+
+ # diffie-hellman parameters are used to negotiate keys for your session
+ # generate strong parameters using the following command
+ ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+ # Speeds things up a little bit when resuming a session
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:5m;
+
+ # You'll need nginx 1.13.0 or better to support TLSv1.3
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # https://cipherli.st/
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+
+ # CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
+ set $styleSrc "'unsafe-inline' 'self' ${main_domain}";
+
+ # connect-src restricts URLs which can be loaded using script interfaces
+ set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}";
+
+ # fonts can be loaded from data-URLs or the main domain
+ set $fontSrc "'self' data: ${main_domain}";
+
+ # images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
+ set $imgSrc "'self' data: * blob: ${main_domain}";
+
+ # frame-src specifies valid sources for nested browsing contexts.
+ # this prevents loading any iframes from anywhere other than the sandbox domain
+ set $frameSrc "'self' ${sandbox_domain} blob:";
+
+ # specifies valid sources for loading media using video or audio
+ set $mediaSrc "'self' data: * blob: ${main_domain}";
+
+ # defines valid sources for webworkers and nested browser contexts
+ # deprecated in favour of worker-src and frame-src
+ set $childSrc "https://${main_domain}";
+
+ # specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
+ # supercedes child-src but is unfortunately not yet universally supported.
+ set $workerSrc "https://${main_domain}";
+
+ # script-src specifies valid sources for javascript, including inline handlers
+ set $scriptSrc "'self' resource: ${main_domain}";
+
+ set $unsafe 0;
+ # the following assets are loaded via the sandbox domain
+ # they unfortunately still require exceptions to the sandboxing to work correctly.
+ if ($uri = "/pad/inner.html") { set $unsafe 1; }
+ if ($uri = "/sheet/inner.html") { set $unsafe 1; }
+ if ($uri ~ ^\/common\/onlyoffice\/.*\/index\.html.*$) { set $unsafe 1; }
+
+ # everything except the sandbox domain is a privileged scope, as they might be used to handle keys
+ if ($host != $sandbox_domain) { set $unsafe 0; }
+
+ # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
+ if ($unsafe) {
+ set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: ${main_domain}";
+ }
+
+ # The nodejs process can handle all traffic whether accessed over websocket or as static assets
+ # We prefer to serve static content from nginx directly and to leave the API server to handle
+ # the dynamic content that only it can manage. This is primarily an optimization
+ location ^~ /cryptpad_websocket {
+ proxy_pass http://localhost:3000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # WebSocket support (nginx 1.4)
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection upgrade;
+ }
+
+ location ^~ /customize.dist/ {
+ # This is needed in order to prevent infinite recursion between /customize/ and the root
+ }
+ # try to load customizeable content via /customize/ and fall back to the default content
+ # located at /customize.dist/
+ # This is what allows you to override behaviour.
+ location ^~ /customize/ {
+ rewrite ^/customize/(.*)$ $1 break;
+ try_files /customize/$uri /customize.dist/$uri;
+ }
+
+ # /api/config is loaded once per page load and is used to retrieve
+ # the caching variable which is applied to every other resource
+ # which is loaded during that session.
+ location = /api/config {
+ proxy_pass http://localhost:3000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ # encrypted blobs are immutable and are thus cached for a year
+ location ^~ /blob/ {
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'application/octet-stream; charset=utf-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ add_header Cache-Control max-age=31536000;
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+ add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+ try_files $uri =404;
+ }
+
+ # the "block-store" serves encrypted payloads containing users' drive keys
+ # these payloads are unlocked via login credentials. They are mutable
+ # and are thus never cached. They're small enough that it doesn't matter, in any case.
+ location ^~ /block/ {
+ add_header Cache-Control max-age=0;
+ try_files $uri =404;
+ }
+
+ # This block provides an alternative means of loading content
+ # otherwise only served via websocket. This is solely for debugging purposes,
+ # and is thus not allowed by default.
+ #location ^~ /datastore/ {
+ #add_header Cache-Control max-age=0;
+ #try_files $uri =404;
+ #}
+
+ # The nodejs server has some built-in forwarding rules to prevent
+ # URLs like /pad from resulting in a 404. This simply adds a trailing slash
+ # to a variety of applications.
+ location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams)$ {
+ rewrite ^(.*)$ $1/ redirect;
+ }
+
+ # Finally, serve anything the above exceptions don't govern.
+ try_files /www/$uri /www/$uri/index.html /customize/$uri;
+ '';
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 433 80 ];
+}
-- 2.47.0
From ea6b47e4bd5a0aafb0c6f392ac20d7bd04f7a715 Mon Sep 17 00:00:00 2001
From: gabriel-doriath-dohler
Date: Mon, 15 Nov 2021 00:16:01 +0100
Subject: [PATCH 035/149] add mrf keys
---
 machines/public-cof/configuration.nix | 1 +
 machines/public-cof/pubkeys/mrf.keys | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 machines/public-cof/pubkeys/mrf.keys
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix
index 6f798cf..16bae00 100644
--- a/machines/public-cof/configuration.nix
+++ b/machines/public-cof/configuration.nix
@@ -44,6 +44,7 @@
 users.users.root.openssh.authorizedKeys.keyFiles = [
 ./pubkeys/gdd.keys
 ./pubkeys/raito.keys
+ ./pubkeys/mrf.keys
 ];
 system.stateVersion = "21.05";
diff --git a/machines/public-cof/pubkeys/mrf.keys b/machines/public-cof/pubkeys/mrf.keys
new file mode 100644
index 0000000..ebbfa68
--- /dev/null
+++ b/machines/public-cof/pubkeys/mrf.keys
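Review bot: The virtualHost is keyed `"docs.beta.rz.ens.wtf"`, the same attribute hedgedoc.nix already defines, so once `./cryptpad.nix` is uncommented in configuration.nix the two definitions merge into a single server block and the ACME certificate is requested for docs.* rather than for the names the hand-written `server_name ${main_domain} ${sandbox_domain};` line sets; key it on the cryptpad domains instead, e.g. `"${main_domain}" = { serverAliases = [ sandbox_domain ]; forceSSL = true; enableACME = true; ...` and drop the manual `server_name` directive. The CSP source lists (`$styleSrc`, `$connectSrc`, `$frameSrc`, `$scriptSrc`, ...) are computed but no `add_header Content-Security-Policy` line ever emits them, so the sandbox isolation the comments describe is never sent to browsers; after the `if ($unsafe) { ... }` block add `add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc";`. `ssl_dhparam /etc/nginx/dhparam.pem;` references a file nothing in this commit provisions, so nginx will fail its config check until it exists; either generate it declaratively or remove the directive.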
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe4tx0+lNX2w7kG94c9u7U0wHuOc2A6zpHcbyAs+w/d
-- 2.47.0
From bb89a44d872623af8ed30a5cd2509ab6f2423954 Mon Sep 17 00:00:00 2001
From: gabriel-doriath-dohler
Date: Mon, 15 Nov 2021 00:19:27 +0100
Subject: [PATCH 036/149] add RaitoMezarius to the MC whitlist
---
 machines/public-cof/minecraft.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix
index 6d9dc9d..7c0ce05 100644
--- a/machines/public-cof/minecraft.nix
+++ b/machines/public-cof/minecraft.nix
@@ -38,6 +38,7 @@ in
 whitelist = {
 gabriel_dr_dl = "53fced49-da51-4c82-b1d0-37168029db08";
 aimie_dodo = "d10be020-a612-47e5-b0d0-938b9a7eb58e";
+ RaitoMezarius = "a400686e-0f62-43d5-b5c6-4295babcc008";
 };
 serverProperties = {
-- 2.47.0
From f5eafee41191a2c5042ff638a247553afd821b3f Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Mon, 15 Nov 2021 00:11:19 +0100
Subject: [PATCH 037/149] public-cof: secure nextcloud using agenix
---
 machines/public-cof/nextcloud.nix | 6 ++---
 machines/public-cof/secrets/default.nix | 5 ++++
 .../secrets/nextcloudAdminPasswordFile.age | 24 ++++++++++++++++++
 .../secrets/nextcloudDatabasePasswordFile.age | 25 +++++++++++++++++++
 machines/public-cof/secrets/secrets.nix | 13 ++++++++++
 5 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100644 machines/public-cof/secrets/default.nix
 create mode 100644 machines/public-cof/secrets/nextcloudAdminPasswordFile.age
 create mode 100644 machines/public-cof/secrets/nextcloudDatabasePasswordFile.age
 create mode 100644 machines/public-cof/secrets/secrets.nix
diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix
index 31c15ec..eba376b 100644
--- a/machines/public-cof/nextcloud.nix
+++ b/machines/public-cof/nextcloud.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
 services.nextcloud = {
 enable = true;
@@ -11,8 +11,8 @@
 dbtype = "pgsql";
 dbhost = "/run/postgresql";
- dbpass = "TODO";
- adminpass = "TODO";
+ dbpassFile = config.age.secrets.nextcloudDatabasePassword.path;
+ adminpassFile = config.age.secrets.nextcloudAdminPassword.path;
 defaultPhoneRegion = "FR";
 };
diff --git a/machines/public-cof/secrets/default.nix b/machines/public-cof/secrets/default.nix
new file mode 100644
index 0000000..4c4e087
--- /dev/null
+++ b/machines/public-cof/secrets/default.nix
@@ -0,0 +1,5 @@
+{ ... }:
+{
+ age.secrets.nextcloudAdminPassword.file = ./nextcloudAdminPasswordFile.age;
+ age.secrets.nextcloudDatabasePassword.file = ./nextcloudDatabasePasswordFile.age;
+}
diff --git a/machines/public-cof/secrets/nextcloudAdminPasswordFile.age b/machines/public-cof/secrets/nextcloudAdminPasswordFile.age
new file mode 100644
index 0000000..b09f532
--- /dev/null
+++ b/machines/public-cof/secrets/nextcloudAdminPasswordFile.age
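Review bot: The two `age.secrets.*` entries in secrets/default.nix declare only `file`, so the decrypted files keep agenix's default root-only owner and mode; the nextcloud setup that reads `dbpassFile` and `adminpassFile` does not, as far as I know, run as root, so I'd expect it to fail to open them — add `owner = "nextcloud";` to both entries, or confirm the reading unit runs as root. Separately, at this point in the series nothing imports secrets/default.nix or the agenix module (configuration.nix only gains `./secrets` and `./nur.nix` in PATCH 040), so `config.age.secrets.…path` in nextcloud.nix has no definition and this commit alone should not evaluate; squashing the import into this commit would keep each revision buildable. Replacing the literal `"TODO"` passwords with age-encrypted files is the right move.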
@@ -0,0 +1,24 @@ +age-encryption.org/v1 +-> ssh-ed25519 xbfJnw jGSrM/Yx0LnVlmBml7/7LwZeSL68CPiF7/97OyYnJj0 +66yS5TDLDpMXz6ggOeMyOhSDU2jSKDVoW5zvBvdN83I +-> ssh-ed25519 Wu8JLQ BH68DcAZ/Ruudd2QgREQ1I9YhC/JWOnn7dOkgoVdAgE +cJq/valbiW3xYyXxgmTMos9XQm/+SDIhd3cn32vcgxs +-> ssh-ed25519 cvTB5g qXCbgWmzetHsJTo/nnN9M/dRmYLW7HIHuaphMHXFB00 +WLVPkAJk2D4dca2+QlGFtCArLFjixypXV/P7VmJuK6g +-> ssh-ed25519 /vwQcQ 0aUZckwIHbXv/Uo3gyeAHGwEIzMQyPSh2Ks+s3QBPU8 +zt978+4EwedA6UTLurnjisjbrR/qFZf80IPcAxd3Qxw +-> ssh-ed25519 reTIKw jFGzhLb0YM5dJslCmp7bjRt5JYufGRAJzVmdjMKgdQw +Y9KIYgX2PHCU0/8h4Pn6YLqaZYzvrPUy1pmaLGzY8C4 +-> ssh-ed25519 85WiGg aZRVNM5iSL+BpZfundDVSpPs0mhFxssUA/t5POsi1AU +haYzRumOlDno9UdlcCr/GUoAOEqNrf+iPv9SpP76EYM +-> ssh-rsa krWCLQ +pbjqzOfXUuWlunTcCiwjKAqe5ZZdW+6jE86D3yuPz4PheDEFi6oYAnc0pIPoZOnh +9OkTTB6o9wPhoA5O+SOszvCFVOlS33EHwCFKFwy/lg3LwgsU6qon6YQAQfjOMf57 +yGlFDJhGfKfzoXzAlWIxpY6KQE15pkI2OAv9/1UWmFmGpw1vWOgcyJn0rbHK9Wtk +uGWOPCAsx7n/K4YukvVdB1pHtNlXyj6odMwRch3MmpKl4UlBMtB10NI2fMpqcWp1 +vgCcjsP2JX6zlTTQvu1afV2QMk2R9zfm4iZtk6lqhkFO9hGx12/1WfxFlww6YDyB +HDLu5vZddUtV7Wwm9Wa6Cw +-> H0-z{"-grease bic 5)(&;3`E _&UZCo7 hJ_x +5r9qRqyXOdPxqPPV8uCjaiJveaq0TLioCRMohcBamFx80I2EN/XDkPzeUNSkYyQ/ +--- gQnYjgiBjl7W2nLAvdfGcX8UVMr5RCFSysgp7iGWZlc +(}$11E-(S rlGb3`>K6Be邔 jɓo"{GG=F7 \ No newline at end of file diff --git a/machines/public-cof/secrets/nextcloudDatabasePasswordFile.age b/machines/public-cof/secrets/nextcloudDatabasePasswordFile.age new file mode 100644 index 0000000..1f89548 --- /dev/null +++ b/machines/public-cof/secrets/nextcloudDatabasePasswordFile.age 
@@ -0,0 +1,25 @@ +age-encryption.org/v1 +-> ssh-ed25519 xbfJnw qeyTMwQ+l90wwNiGxLCvKZ+yIzEjehcr8SIlHrHTERQ +3XTb7giFfF9l/+hDq/TlWKt/Gr1qlMxB2agi1Mzn4Bs +-> ssh-ed25519 Wu8JLQ vrqgvKp+dB2TnZrRriOvvJfqxh7vbSpTL2P+u8zORC4 +7qTNpJw8j4HpjehzoZeMUqCPDBFZRhu3bhdCVbRAUrU +-> ssh-ed25519 cvTB5g 2R6aXhN56nYrEObDuDJdhmH1kMduXUzoEg22C4QjHRA +sIRV6aTkefsy4wdJ1Ay+O/q0Y0MdTPRFKTjWGHlz5xg +-> ssh-ed25519 /vwQcQ xcSn2vFYBkYESWRZqmeWNiP0EV1zWH3SaiYG+6V8xGY +zv2yiZrBlsskeLrvco5w+QPTDRyRGQ3mjGuHFjWcfGI +-> ssh-ed25519 reTIKw Bdc7/F+nWuCQ5aqiuUPqb6mHlQCMafINyWaqVDQG5y0 +Myj64k+s/KIVOfGje3reKeRHrjGL6cE+9knBCsS+rX0 +-> ssh-ed25519 85WiGg PKpNCdpcl+aSuTx13I/Hq9annJ5FRXiONQ/4iqwyZUc +CHUHvPtA5ydOkpHfgOXtvuYMOAhM53YfXbexhW7fbJY +-> ssh-rsa krWCLQ +IhI9bg+jq5y32OaYdes7y1iBUkOAkc2dXdFP2FI0/CAthBBOGs9qyCuf39S8i4YT +pHPRniwOYUUuCjThU1zUA6cboBh13Y381mioqTF656/w8tn2ZGFRnOcOwqp9d0v4 +vPHgdyZFpmD0MUmFlw1YfTWWWMbFyhDPY6C3r4L3dftGuineY3A/+zC+Y1RuCYBw ++Kl/tbIGUBckX+Cqdt8KokPpGw3ZxkHXWx3lMlNembrPpsM44Mbz88mBiHn77Ys3 +auHE7Ff04txLiG9fGo9p3GX6nk2aCz1vT+YJB1cWZErsNSWTSRLILGLHvR37KMMv +daiVtfDwNwoGbEmpw0iVCA +-> ;LK-grease H638S/n +76dNkVvkNr1Y+O2AwEjYyUbmCog7ChnU3U54t/ZyPCAd2Q5vuGSQHe+RxtIh8fux +RvrDH2Qa7jGT0F86FTwrWK7fKQkT +--- r4tKKSFy30F9y4jQzdBB0RjCFJQmy2lFhZDr3enZjeQ +-zyl , j>8ЀԒ%>Mqo)Di0 YL̩ \ No newline at end of file diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix new file mode 100644 index 0000000..4fe0e66 --- /dev/null +++ b/machines/public-cof/secrets/secrets.nix 
@@ -0,0 +1,13 @@
+let
+ pkgs = import {};
+ lib = pkgs.lib;
+ readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys")));
+ superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd");
+ public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg";
+ systems = [ public-cof ];
+in
+ {
+ "nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems;
+ "nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems;
+ }
+
-- 2.47.0
From 885ba660f5cbbfc01376fc2d621c9051d3517284 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Mon, 15 Nov 2021 00:18:26 +0100
Subject: [PATCH 038/149] public-cof: get back to default port
---
 machines/public-cof/minecraft.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix
index 7c0ce05..5a2f9a4 100644
--- a/machines/public-cof/minecraft.nix
+++ b/machines/public-cof/minecraft.nix
@@ -6,7 +6,7 @@ let
 build = 189;
 sha256 = "06g2vs8z7k9bl8asjgdz9h8fkd93xam2lbrgmzgamwjp94gvfvrn";
 };
- port = 43000;
+ port = 25565;
 rconPort = 25575;
 in
 {
-- 2.47.0
From 77b86de5c4ecce3a0b3977d4948474610b091764 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Mon, 15 Nov 2021 00:48:11 +0100
Subject: [PATCH 039/149] public-cof: proxy ws for hedgedoc
---
 machines/public-cof/hedgedoc.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix
index b60e25f..8a3823a 100644
--- a/machines/public-cof/hedgedoc.nix
+++ b/machines/public-cof/hedgedoc.nix
@@ -26,6 +26,7 @@ in
 locations = {
 "/" = {
 proxyPass = "http://localhost:${toString port}";
+ proxyWebsockets = true;
 };
 };
 };
-- 2.47.0
From bf2ecf087464ea4240cd463f167626ee8d466a34 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Mon, 15 Nov 2021 00:54:27 +0100
Subject: [PATCH 040/149] public-cof: add agenix modules
---
 machines/public-cof/configuration.nix | 2 +
 machines/public-cof/nix/sources.json | 32 +++++
 machines/public-cof/nix/sources.nix | 174 ++++++++++++++++++++++++
 machines/public-cof/nur.nix | 17 +++
 machines/public-cof/secrets/default.nix | 12 +-
 5 files changed, 235 insertions(+), 2 deletions(-)
 create mode 100644 machines/public-cof/nix/sources.json
 create mode 100644 machines/public-cof/nix/sources.nix
 create mode 100644 machines/public-cof/nur.nix
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix
index 16bae00..bdb86ce 100644
--- a/machines/public-cof/configuration.nix
+++ b/machines/public-cof/configuration.nix
@@ -10,10 +10,12 @@
 ./networking.nix
 ./nextcloud.nix
 ./minecraft.nix
+ ./nur.nix
 # ./factorio.nix # TODO
 ./nginx.nix
 # ./cryptpad.nix
 ./hedgedoc.nix
+ ./secrets
 # TODO monitoring
 ];
diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json
new file mode 100644
index 0000000..234be1c
--- /dev/null
+++ b/machines/public-cof/nix/sources.json
@@ -0,0 +1,32 @@ +{ + "agenix": { + "branch": "master", + "description": "age-encrypted secrets for NixOS", + "homepage": "", + "owner": "ryantm", + "repo": "agenix", + "rev": "fb00f178b3a49a39cc964049075439b575d36d60", + "sha256": "0rb99dbwnaf8sgjbshwk1bizs51jild3zg61a5yqw3h0vcxalzrp", + "type": "tarball", + "url": "https://github.com/ryantm/agenix/archive/fb00f178b3a49a39cc964049075439b575d36d60.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "klubrz-nur": { + "branch": "main", + "repo": "https://git.rz.ens.wtf/Klub-RZ/nur", + "rev": "901e08a94819f07499ec6cfbea1e24808e19e4b6", + "type": "git" + }, + "niv": { + "branch": "master", + "description": "Easy dependency management for Nix projects", + "homepage": "https://github.com/nmattia/niv", + "owner": "nmattia", + "repo": "niv", + "rev": "e0ca65c81a2d7a4d82a189f1e23a48d59ad42070", + "sha256": "1pq9nh1d8nn3xvbdny8fafzw87mj7gsmp6pxkdl65w2g18rmcmzx", + "type": "tarball", + "url": "https://github.com/nmattia/niv/archive/e0ca65c81a2d7a4d82a189f1e23a48d59ad42070.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + } +} diff --git a/machines/public-cof/nix/sources.nix b/machines/public-cof/nix/sources.nix new file mode 100644 index 0000000..1938409 --- /dev/null +++ b/machines/public-cof/nix/sources.nix 
@@ -0,0 +1,174 @@ +# This file has been generated by Niv. + +let + + # + # The fetchers. fetch_ fetches specs of type . + # + + fetch_file = pkgs: name: spec: + let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true then + builtins_fetchurl { inherit (spec) url sha256; name = name'; } + else + pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; + + fetch_tarball = pkgs: name: spec: + let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true then + builtins_fetchTarball { name = name'; inherit (spec) url sha256; } + else + pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; + + fetch_git = name: spec: + let + ref = + if spec ? ref then spec.ref else + if spec ? branch then "refs/heads/${spec.branch}" else + if spec ? tag then "refs/tags/${spec.tag}" else + abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + in + builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; + + fetch_local = spec: spec.path; + + fetch_builtin-tarball = name: throw + ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=tarball -a builtin=true''; + + fetch_builtin-url = name: throw + ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=file -a builtin=true''; + + # + # Various helpers + # + + # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695 + sanitizeName = name: + ( + concatMapStrings (s: if builtins.isList s then "-" else s) + ( + builtins.split "[^[:alnum:]+._?=-]+" + ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name) + ) + ); + + # The set of packages used when specs are fetched using non-builtins. 
+ mkPkgs = sources: system: + let + sourcesNixpkgs = + import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; }; + hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; + hasThisAsNixpkgsPath = == ./.; + in + if builtins.hasAttr "nixpkgs" sources + then sourcesNixpkgs + else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then + import {} + else + abort + '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; + + # The actual fetching function. + fetch = pkgs: name: spec: + + if ! builtins.hasAttr "type" spec then + abort "ERROR: niv spec ${name} does not have a 'type' attribute" + else if spec.type == "file" then fetch_file pkgs name spec + else if spec.type == "tarball" then fetch_tarball pkgs name spec + else if spec.type == "git" then fetch_git name spec + else if spec.type == "local" then fetch_local spec + else if spec.type == "builtin-tarball" then fetch_builtin-tarball name + else if spec.type == "builtin-url" then fetch_builtin-url name + else + abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; + + # If the environment variable NIV_OVERRIDE_${name} is set, then use + # the path directly as opposed to the fetched source. + replace = name: drv: + let + saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; + ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; + in + if ersatz == "" then drv else + # this turns the string into an actual Nix path (for both absolute and + # relative paths) + if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. 
+ builtins.getEnv "PWD" + "/${ersatz}"; + + # Ports of functions for older nix versions + + # a Nix version of mapAttrs if the built-in doesn't exist + mapAttrs = builtins.mapAttrs or ( + f: set: with builtins; + listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)) + ); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 + range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 + stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 + stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); + concatMapStrings = f: list: concatStrings (map f list); + concatStrings = builtins.concatStringsSep ""; + + # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 + optionalAttrs = cond: as: if cond then as else {}; + + # fetchTarball version that is compatible between all the versions of Nix + builtins_fetchTarball = { url, name ? null, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchTarball; + in + if lessThan nixVersion "1.12" then + fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) + else + fetchTarball attrs; + + # fetchurl version that is compatible between all the versions of Nix + builtins_fetchurl = { url, name ? 
null, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchurl; + in + if lessThan nixVersion "1.12" then + fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) + else + fetchurl attrs; + + # Create the final "sources" from the config + mkSources = config: + mapAttrs ( + name: spec: + if builtins.hasAttr "outPath" spec + then abort + "The values in sources.json should not have an 'outPath' attribute" + else + spec // { outPath = replace name (fetch config.pkgs name spec); } + ) config.sources; + + # The "config" used by the fetchers + mkConfig = + { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null + , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile) + , system ? builtins.currentSystem + , pkgs ? mkPkgs sources system + }: rec { + # The sources, i.e. the attribute set of spec name to spec + inherit sources; + + # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers + inherit pkgs; + }; + +in +mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); } diff --git a/machines/public-cof/nur.nix b/machines/public-cof/nur.nix new file mode 100644 index 0000000..a8abe1f --- /dev/null +++ b/machines/public-cof/nur.nix @@ -0,0 +1,17 @@ +{ lib, pkgs, ... }: +let + nivSources = import ./nix/sources.nix; + #rz-src = nivSources.klubrz-nur; + #rz-no-pkgs = (import nivSources.klubrz-nur {}); +in +{ + nixpkgs.config.packageOverrides = { + # rz = import rz-src { inherit pkgs; }; + }; + + imports = [ + "${nivSources.agenix}/modules/age.nix" + ]; #++ lib.attrValues rz-no-pkgs.modules; + + nixpkgs.overlays = []; +} diff --git a/machines/public-cof/secrets/default.nix b/machines/public-cof/secrets/default.nix index 4c4e087..a7cd5ea 100644 --- a/machines/public-cof/secrets/default.nix +++ b/machines/public-cof/secrets/default.nix 
@@ -1,5 +1,13 @@ { ... }: { - age.secrets.nextcloudAdminPassword.file = ./nextcloudAdminPasswordFile.age; - age.secrets.nextcloudDatabasePassword.file = ./nextcloudDatabasePasswordFile.age; + age.secrets.nextcloudAdminPassword = { + owner = "nextcloud"; + group = "nextcloud"; + file = ./nextcloudAdminPasswordFile.age; + }; + age.secrets.nextcloudDatabasePassword = { + owner = "nextcloud"; + group = "nextcloud"; + file = ./nextcloudDatabasePasswordFile.age; + }; } -- 2.47.0 From b2eb90564d01dc39f602cf34cb4f0e22cdf76ac8 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Nov 2021 01:02:47 +0100 Subject: [PATCH 041/149] change hedgedoc localhost port --- machines/public-cof/hedgedoc.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index 8a3823a..8466c4a 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -1,6 +1,6 @@ { ... }: let - port = 3000; + port = 3001; in { services.hedgedoc = { -- 2.47.0 From 5e24c6c8c7d32c45ea4c990dc92354712ebbce94 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Nov 2021 01:06:57 +0100 Subject: [PATCH 042/149] try simple cryptpad module --- machines/public-cof/cryptpad.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/machines/public-cof/cryptpad.nix b/machines/public-cof/cryptpad.nix index dc27ca9..bcf6a6d 100644 --- a/machines/public-cof/cryptpad.nix +++ b/machines/public-cof/cryptpad.nix @@ -14,9 +14,15 @@ in environment.etc."cryptpad/config.js".source = ./cryptpad.js; services.nginx.virtualHosts = { - "docs.beta.rz.ens.wtf" = { + "pads.beta.rz.ens.wtf" = { forceSSL = true; enableACME = true; + locations = { + "/" = { + proxyPass = "http://localhost:3000"; + }; + }; + /* extraConfig = '' # CryptPad serves static assets over these two domains. # `main_domain` is what users will enter in their address bar. 
@@ -183,6 +189,7 @@ in # Finally, serve anything the above exceptions don't govern. try_files /www/$uri /www/$uri/index.html /customize/$uri; ''; + */ }; }; -- 2.47.0 From d8a577b0786fcbb5e2452616bb6d9f5349538bb5 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 20 Nov 2021 21:01:42 +0100 Subject: [PATCH 043/149] public-cof: fix cryptpad --- machines/public-cof/configuration.nix | 2 +- machines/public-cof/cryptpad.js | 12 +++--- machines/public-cof/cryptpad.nix | 59 ++++++++++++--------------- 3 files changed, 32 insertions(+), 41 deletions(-) diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index bdb86ce..d9ce6e5 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -13,7 +13,7 @@ ./nur.nix # ./factorio.nix # TODO ./nginx.nix - # ./cryptpad.nix + ./cryptpad.nix ./hedgedoc.nix ./secrets # TODO monitoring diff --git a/machines/public-cof/cryptpad.js b/machines/public-cof/cryptpad.js index b08412f..de93779 100644 --- a/machines/public-cof/cryptpad.js +++ b/machines/public-cof/cryptpad.js @@ -40,7 +40,7 @@ module.exports = { * cryptpad/docs/example.nginx.conf (see the $main_domain variable) * */ - httpUnsafeOrigin: 'http://localhost:3000/', + httpUnsafeOrigin: 'https://pads.beta.rz.ens.wtf/', /* httpSafeOrigin is the URL that is used for the 'sandbox' described above. * If you're testing or developing with CryptPad on your local machine then @@ -58,7 +58,7 @@ module.exports = { * * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS. */ - // httpSafeOrigin: "https://some-other-domain.xyz", + httpSafeOrigin: "https://sandbox.pads.beta.rz.ens.wtf", /* httpAddress specifies the address on which the nodejs server * should be accessible. By default it will listen on 127.0.0.1 
@@ -102,11 +102,11 @@ module.exports = { * which can be found on the settings page for registered users. * Entries should be strings separated by a comma. */ -/* + adminKeys: [ - //"https://my.awesome.website/user/#/1/cryptpad-user1/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=", + "https://pads.beta.rz.ens.wtf/user/#/1/raito/W1vJY5Mq+8+5SveZAYe0wYRthS88jQIV-Fwf0s36uas=" ], -*/ + /* CryptPad's administration panel includes a "support" tab * wherein administrators with a secret key can view messages @@ -154,7 +154,7 @@ module.exports = { * * hint: 50MB is 50 * 1024 * 1024 */ - //defaultStorageLimit: 50 * 1024 * 1024, + defaultStorageLimit: 50 * 1024 * 1024, /* ===================== diff --git a/machines/public-cof/cryptpad.nix b/machines/public-cof/cryptpad.nix index bcf6a6d..34ea287 100644 --- a/machines/public-cof/cryptpad.nix +++ b/machines/public-cof/cryptpad.nix @@ -1,10 +1,12 @@ -{ ... }: +{ pkgs, ... }: let subZone = "beta.rz.ens.wtf"; - main_domain = "pads." + subZone; - api_domain = "api." + main_domain; - files_domain = "files." + main_domain; - sandbox_domain = "sandbox." + main_domain; + main_domain = "pads.${subZone}"; + sandbox_domain = "sandbox.${main_domain}"; + # TODO: later + api_domain = "api.${main_domain}"; + files_domain = "files.${main_domain}"; + port = 3000; in { services.cryptpad = { 
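Review bot: `api_domain` and `files_domain` are re-bound under `# TODO: later` but nothing in the rewritten file reads them — the later `@@ -42,27 +48,12 @@` hunk sets `$api_domain` and `$files_domain` to `${main_domain}` directly — so they are dead bindings until that TODO is done. Saying so in the comment, e.g. `# TODO: split api/files onto dedicated hosts; unused until then`, stops the next reader from assuming they are wired in. `port = 3000` has to agree with whatever the CryptPad server actually listens on, which is configured outside this hunk (`./cryptpad.js` and `services.cryptpad`); if that module exposes a port option, deriving one from the other would keep the two `proxy_pass http://localhost:${toString port}` lines from drifting. The `let` block's `in { services.cryptpad = {` body continues past this hunk.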
@@ -13,17 +15,21 @@ in }; environment.etc."cryptpad/config.js".source = ./cryptpad.js; + systemd.services.nginx = { + serviceConfig.BindReadOnlyPaths = [ + "/var/lib/private/cryptpad:/www/cryptpad" + ]; + }; + services.nginx.virtualHosts = { - "pads.beta.rz.ens.wtf" = { + "${main_domain}" = { forceSSL = true; enableACME = true; - locations = { - "/" = { - proxyPass = "http://localhost:3000"; - }; - }; - /* + serverAliases = [ sandbox_domain ]; extraConfig = '' + root ${pkgs.cryptpad}/lib/node_modules/cryptpad; + index index.html; + # CryptPad serves static assets over these two domains. # `main_domain` is what users will enter in their address bar. # Privileged computation such as key management is handled in this scope @@ -42,27 +48,12 @@ in # if you find that a single machine cannot handle all of your users. # If you don't use dedicated domains, this can be the same as $main_domain # If you do, they'll be added as exceptions to any rules which block connections to remote domains. - set $api_domain ${api_domain}; - set $files_domain ${files_domain}; + set $api_domain ${main_domain}; + set $files_domain ${main_domain}; server_name ${main_domain} ${sandbox_domain}; - # diffie-hellman parameters are used to negotiate keys for your session - # generate strong parameters using the following command - ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096 - - # Speeds things up a little bit when resuming a session - ssl_session_timeout 5m; - ssl_session_cache shared:SSL:5m; - - # You'll need nginx 1.13.0 or better to support TLSv1.3 - ssl_protocols TLSv1.2 TLSv1.3; - - # https://cipherli.st/ - ssl_ciphers EECDH+AESGCM:EDH+AESGCM; - ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 - # CSS can be dynamically set inline, loaded from the same domain, or from $main_domain set $styleSrc "'unsafe-inline' 'self' ${main_domain}"; 
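Review bot: The new `systemd.services.nginx.serviceConfig.BindReadOnlyPaths` entry exposes the whole `/var/lib/private/cryptpad` state directory to nginx, while the only locations that read from `/www/cryptpad` (the `/blob/` and `/block/` blocks in the later hunks, each with `root /www/cryptpad;`) need just those two subtrees. Narrowing the bind to `"/var/lib/private/cryptpad/blob:/www/cryptpad/blob"` and `"/var/lib/private/cryptpad/block:/www/cryptpad/block"` keeps any future `root /www/cryptpad` location, or a path-normalisation slip, from reaching whatever else CryptPad keeps in that directory (its layout is not visible in this diff, so the assumption that `blob/` and `block/` sit at the top level should be confirmed). Whichever scope is chosen, the mount source must exist before nginx starts, so an ordering dependency on the cryptpad unit may be needed on a fresh host. A one-line comment on the block, `# nginx serves encrypted blobs/blocks straight from CryptPad's data dir`, would record why nginx is given this access at all.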
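Review bot: Dropping the `ssl_dhparam`, `ssl_session_*`, `ssl_protocols` and `ssl_ciphers` lines is the right move for a vhost the NixOS nginx module manages via `forceSSL`/`enableACME`, but the protocol and cipher policy is then whatever `services.nginx.recommendedTlsSettings` provides, and that option is set (or not) in `./nginx.nix`, outside this diff. If it is not enabled there, the host falls back to nginx's built-in defaults, which on nginx builds of this period still accept TLS 1.0 and 1.1. Worth confirming, and if needed adding `services.nginx.recommendedTlsSettings = true;` alongside this change. The `extraConfig` string this hunk edits starts in the previous hunk and ends outside the visible lines.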
@@ -112,7 +103,7 @@ in # We prefer to serve static content from nginx directly and to leave the API server to handle # the dynamic content that only it can manage. This is primarily an optimization location ^~ /cryptpad_websocket { - proxy_pass http://localhost:3000; + proxy_pass http://localhost:${toString port}; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -138,7 +129,7 @@ in # the caching variable which is applied to every other resource # which is loaded during that session. location = /api/config { - proxy_pass http://localhost:3000; + proxy_pass http://localhost:${toString port}; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -146,6 +137,7 @@ in # encrypted blobs are immutable and are thus cached for a year location ^~ /blob/ { + root /www/cryptpad; if ($request_method = 'OPTIONS') { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; @@ -155,7 +147,6 @@ in add_header 'Content-Length' 0; return 204; } - add_header Cache-Control max-age=31536000; add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; @@ -167,6 +158,7 @@ in # these payloads are unlocked via login credentials. They are mutable # and are thus never cached. They're small enough that it doesn't matter, in any case. location ^~ /block/ { + root /www/cryptpad; add_header Cache-Control max-age=0; try_files $uri =404; } 
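Review bot: The `@@ -155,7 +147,6 @@` hunk removes `add_header Cache-Control max-age=31536000;` from the `/blob/` location but keeps the comment above it stating that encrypted blobs are immutable and cached for a year, so the comment now describes behaviour the config no longer has. Either restore the header next to the remaining `add_header 'Access-Control-*'` lines, or rewrite the comment to say why blobs are deliberately served without a cache policy; as committed, the next reader cannot tell whether the drop was intentional. The `location ^~ /blob/` block opens in the `@@ -146,6 +137,7 @@` hunk and all of these hunks sit inside the `extraConfig` nginx string, whose start and end are outside them.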
@@ -189,9 +181,8 @@ in # Finally, serve anything the above exceptions don't govern. try_files /www/$uri /www/$uri/index.html /customize/$uri; ''; - */ }; }; - networking.firewall.allowedTCPPorts = [ 433 80 ]; + networking.firewall.allowedTCPPorts = [ 443 80 ]; } -- 2.47.0 From f3f4431f2c031723f0e1b8c5548918b6ff8e64e7 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 21 Nov 2021 11:53:30 +0100 Subject: [PATCH 044/149] core-services: use jre8 for keycloak, fixes LDAP federation --- machines/core-services-01/keycloak.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index 8886a75..6f34b25 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, pkgs, ... }: let my = config.my; port = 8080; @@ -6,6 +6,9 @@ in { services.keycloak = { enable = true; + package = pkgs.keycloak.override { + jre = pkgs.jre8; + }; initialAdminPassword = "changemeasap"; database.createLocally = true; database.passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path; -- 2.47.0 From 916b06ad1fc4c826348dc3207f3484a4e28d6a44 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 21 Nov 2021 11:53:50 +0100 Subject: [PATCH 045/149] =?UTF-8?q?dns:=20jurisprudens.beta.rz.ens.wtf=20?= =?UTF-8?q?=E2=86=92=20public=20COF=20with=20v4=20upstream=20proxy?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/core-services-01/subZone.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 5c660cc..309556d 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix 
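Review bot: The `package = pkgs.keycloak.override { jre = pkgs.jre8; }` override in `keycloak.nix` carries no comment; the reason lives only in the commit title, so whoever next bumps nixpkgs will not know why Keycloak is held on JRE 8 or when the pin can go. Suggest `# LDAP federation breaks on newer JREs; revisit on the next Keycloak upgrade` directly above the override, with an upstream issue reference if one exists. A pinned older runtime is easy to forget and tends to outlive the bug it works around, so a tracked TODO matters more than usual here. Separately and pre-existing, the neighbouring `initialAdminPassword = "changemeasap"` context line is a literal that ends up in the world-readable store; it is not part of this change, but worth a follow-up.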
@@ -66,6 +66,10 @@ with my.ipv6; # contains { standard, acme } sandbox.AAAA = public-cof-ips; }; docs.AAAA = public-cof-ips; + jurisprudens = { + AAAA = public-cof-ips; + A = upstream-v4-proxies; + }; }; -- 2.47.0 From 8ac5d2e4ab74400cc17de631be13049d02d9e875 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 19 Dec 2021 14:51:12 +0100 Subject: [PATCH 046/149] core-services: adjust to our changes in IPv4 network for MWAN/local net --- machines/core-services-01/dns.nix | 4 +-- machines/core-services-01/my.nix | 25 +++++++++++++++++-- machines/core-services-01/rz.nix | 3 ++- machines/core-services-01/subZone.nix | 35 +++++++++++++++------------ 4 files changed, 46 insertions(+), 21 deletions(-) diff --git a/machines/core-services-01/dns.nix b/machines/core-services-01/dns.nix index 6473038..5b01499 100644 --- a/machines/core-services-01/dns.nix +++ b/machines/core-services-01/dns.nix @@ -12,13 +12,13 @@ in settings = { server = { access-control = [ "127.0.0.0/8 allow" "::1/128 allow" ] ++ map (v: "${v} allow") my.privateRanges; - interface = [ "127.0.0.1" ] ++ my.ipv4; + interface = [ "127.0.0.1" ] ++ my.ipv4Internal; }; }; }; services.nsd = { enable = true; - interfaces = my.ipv6.standard; + interfaces = my.ipv6.standard ++ my.ipv4; zones = { ${my.subZone} = { data = dns.lib.toString my.subZone (import ./subZone.nix { inherit dns config lib; }); diff --git a/machines/core-services-01/my.nix b/machines/core-services-01/my.nix index 5a83031..bdc2aa4 100644 --- a/machines/core-services-01/my.nix +++ b/machines/core-services-01/my.nix 
@@ -46,6 +46,20 @@ in default = map (v: (mkAddress v).address) cfg.ipv4Full; }; + ipv4Internal = mkOption { + description = "Private IPv4 addresses without prefix"; + type = listOf str; + example = [ "192.186.1.153" ]; + default = map (v: (mkAddress v).address) cfg.ipv4InternalFull; + }; + + ipv4InternalFull = mkOption { + description = "Private IPv4 addresses with prefix"; + type = listOf str; + default = []; + example = [ "192.168.1.153/24" ]; + }; + ipv4Full = mkOption { description = "Public IPv4 addresses with prefix"; type = listOf str; @@ -67,7 +81,7 @@ in }; ipv6.acme = mkOption { - description = "Public IPv6 address for ACME services (acme-dns) without prefi"; + description = "Public IPv6 address for ACME services (acme-dns) without prefix"; type = str; default = (mkAddress cfg.ipv6.acmeFull).address; example = "2001:470:1f13:21d:f515:b348:cd48:e064/64"; @@ -87,9 +101,16 @@ in }; config = { + networking.interfaces.ens20 = { + ipv4.addresses = map mkAddress cfg.ipv4InternalFull; + }; + networking.interfaces.ens19 = { - ipv4.addresses = map mkAddress cfg.ipv4Full; ipv6.addresses = map mkAddress (cfg.ipv6.standardFull ++ [ cfg.ipv6.acmeFull ]); }; + + networking.interfaces.ens18 = { + ipv4.addresses = map mkAddress cfg.ipv4Full; + }; }; } diff --git a/machines/core-services-01/rz.nix b/machines/core-services-01/rz.nix index 4f096e4..e76a9c5 100644 --- a/machines/core-services-01/rz.nix +++ b/machines/core-services-01/rz.nix @@ -11,7 +11,8 @@ "2001:470:1f13:187:fd34:80c3:a761:ff2/64" ]; ipv6.acmeFull = "2001:470:1f13:187:a039:c3ff:fe4f:8661/64"; - ipv4Full = [ "10.1.1.20/24" ]; + ipv4InternalFull = [ "10.1.1.20/22" ]; + ipv4Full = [ "45.13.104.26/32" ]; privateRanges = [ "10.1.0.0/22 "]; }; diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 309556d..6c2d4dc 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix 
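Review bot: The new `ipv4Internal` option's `example` is `"192.186.1.153"`, which is not a private address and does not match the `"192.168.1.153/24"` example on the sibling `ipv4InternalFull` option right below it; change it to `example = [ "192.168.1.153" ];`. Examples have no runtime effect but are rendered into option documentation, so a wrong one misleads. While in this file, the unchanged `ipv6.acme` example in the `@@ -67,7 +81,7 @@` hunk carries a `/64` prefix on an option the description now calls "without prefix", which is pre-existing but could be fixed in the same pass.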
@@ -1,7 +1,6 @@ { config, lib, dns, ... }: with dns.lib.combinators; - let my = config.my; upstream-v4-proxies = [ "51.15.7.181" ]; # kurisu.dual.lahfa.xyz @@ -11,9 +10,12 @@ let remoteBuilders = { nix01 = [ "2001:470:1f13:187:1e07:c670:3958:f8f1" ]; }; + dualstack = { + A = my.ipv4; + AAAA = my.ipv6.standard; + }; in -with my.ipv6; # contains { standard, acme } -{ +dualstack // { SOA = { nameServer = "ns1.${my.subZone}."; adminEmail = my.email; @@ -24,20 +26,17 @@ with my.ipv6; # contains { standard, acme } "ns1.${my.subZone}." ]; - AAAA = standard; - CAA = letsEncrypt my.email; subdomains = { - git.AAAA = standard; - drone.AAAA = standard; - wiki.AAAA = standard; - monitoring.AAAA = standard; - auth.AAAA = standard; - push.AAAA = standard; - ns1.AAAA = standard; - beta.A = upstream-v4-proxies; - beta.AAAA = public-cof-ips; + git = dualstack; + drone = dualstack; + wiki = dualstack; + monitoring = dualstack; + auth = dualstack; + push = dualstack; + core01 = dualstack; + ns1 = dualstack; builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; @@ -49,10 +48,12 @@ with my.ipv6; # contains { standard, acme } acme = { NS = [ "acme.${my.subZone}." ]; - AAAA = [ acme ]; + AAAA = [ my.ipv6.acme ]; }; - beta.subdomains = { + beta = { + AAAA = public-cof-ips; + subdomains = { nuage.A = upstream-v4-proxies; nuage.AAAA = public-cof-ips; minecraft.AAAA = public-cof-ips; @@ -66,11 +67,13 @@ with my.ipv6; # contains { standard, acme } sandbox.AAAA = public-cof-ips; }; docs.AAAA = public-cof-ips; + docs.A = upstream-v4-proxies; jurisprudens = { AAAA = public-cof-ips; A = upstream-v4-proxies; }; }; + }; internal.subdomains = { -- 2.47.0 From 2c321dd0aa116a8de9e0a20b98b4b1d4fbd6665f Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 29 Dec 2021 17:33:28 +0100 Subject: [PATCH 047/149] core-services: bump dbengine disk size to 4GiB --- krops.nix | 2 +- machines/core-services-01/monitoring.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/krops.nix b/krops.nix index 39ec306..fac4e15 100644 --- a/krops.nix +++ b/krops.nix @@ -29,7 +29,7 @@ let inherit target; }; }; in {} -// mkDeploy "core-services-01" "root@core01.internal.rz.ens.wtf" +// mkDeploy "core-services-01" "root@core01.rz.ens.wtf" // mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" // mkDeploy "public-cof" "root@beta.rz.ens.wtf" // mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index fe9ac46..b355179 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -19,7 +19,7 @@ in text = '' [global] page cache size = 32 - dbengine multihost disk space = 2048 + dbengine multihost disk space = 4096 ''; }; -- 2.47.0 From 067ab1d7cc63ce2dd87d765aabaa20c3db03aae5 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 24 Jan 2022 22:04:43 +0100 Subject: [PATCH 048/149] =?UTF-8?q?core01/public-cof:=20flush=20changes,?= =?UTF-8?q?=20router02=20=E2=86=92=20router01?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/core-services-01/subZone.nix | 38 +++++++++++++-------------- machines/public-cof/hedgedoc.nix | 2 +- machines/public-cof/networking.nix | 4 ++- machines/public-cof/nix/sources.json | 2 +- machines/public-cof/nur.nix | 6 ++--- 5 files changed, 27 insertions(+), 25 deletions(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 6c2d4dc..ff98ad0 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix 
@@ -54,24 +54,24 @@ dualstack // { beta = { AAAA = public-cof-ips; subdomains = { - nuage.A = upstream-v4-proxies; - nuage.AAAA = public-cof-ips; - minecraft.AAAA = public-cof-ips; - factorio.AAAA = public-cof-ips; - home.A = upstream-v4-proxies; - home.AAAA = public-cof-ips; - pads.AAAA = public-cof-ips; - pads.subdomains = { - api.AAAA = public-cof-ips; - files.AAAA = public-cof-ips; - sandbox.AAAA = public-cof-ips; - }; - docs.AAAA = public-cof-ips; - docs.A = upstream-v4-proxies; - jurisprudens = { - AAAA = public-cof-ips; - A = upstream-v4-proxies; - }; + nuage.A = upstream-v4-proxies; + nuage.AAAA = public-cof-ips; + minecraft.AAAA = public-cof-ips; + factorio.AAAA = public-cof-ips; + home.A = upstream-v4-proxies; + home.AAAA = public-cof-ips; + pads.AAAA = public-cof-ips; + pads.subdomains = { + api.AAAA = public-cof-ips; + files.AAAA = public-cof-ips; + sandbox.AAAA = public-cof-ips; + }; + docs.AAAA = public-cof-ips; + docs.A = upstream-v4-proxies; + jurisprudens = { + AAAA = public-cof-ips; + A = upstream-v4-proxies; + }; }; }; @@ -79,7 +79,7 @@ dualstack // { internal.subdomains = { # Routers router01.A = [ "10.1.1.1" ]; - router02.A = [ "10.1.1.2" ]; + router02.A = [ "10.1.1.1" ]; # Hypervisors pve01 = { diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index 8466c4a..258973f 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -8,7 +8,7 @@ in configuration = { protocolUseSSL = true; # scp =; # TODO - domain = "//docs.beta.rz.ens.wtf"; + domain = "docs.beta.rz.ens.wtf"; host = "localhost"; port = port; db = { diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index c7c14db..9fb5315 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix 
@@ -11,9 +11,11 @@ prefixLength = 64; }]; }; + interfaces.ens19 = { + useDHCP = true; + }; firewall.allowedTCPPorts = [ 22 ]; - firewall.allowedUDPPorts = [ 22 ]; firewall.enable = true; }; } diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json index 234be1c..656e9e4 100644 --- a/machines/public-cof/nix/sources.json +++ b/machines/public-cof/nix/sources.json @@ -14,7 +14,7 @@ "klubrz-nur": { "branch": "main", "repo": "https://git.rz.ens.wtf/Klub-RZ/nur", - "rev": "901e08a94819f07499ec6cfbea1e24808e19e4b6", + "rev": "98911e21fd58f00440dc8a5bd6568f2a349338bd", "type": "git" }, "niv": { diff --git a/machines/public-cof/nur.nix b/machines/public-cof/nur.nix index a8abe1f..7ca9d89 100644 --- a/machines/public-cof/nur.nix +++ b/machines/public-cof/nur.nix @@ -1,8 +1,8 @@ { lib, pkgs, ... }: let nivSources = import ./nix/sources.nix; - #rz-src = nivSources.klubrz-nur; - #rz-no-pkgs = (import nivSources.klubrz-nur {}); + rz-src = nivSources.klubrz-nur; + rz-no-pkgs = (import nivSources.klubrz-nur {}); in { nixpkgs.config.packageOverrides = { @@ -11,7 +11,7 @@ in imports = [ "${nivSources.agenix}/modules/age.nix" - ]; #++ lib.attrValues rz-no-pkgs.modules; + ] ++ lib.attrValues rz-no-pkgs.modules; nixpkgs.overlays = []; } -- 2.47.0 From cb92be5d7272026058167539f521f331ca704726 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 25 Jan 2022 00:37:12 +0100 Subject: [PATCH 049/149] core01: add MrF key, default gateway, A for acme --- machines/core-services-01/configuration.nix | 1 + machines/core-services-01/my.nix | 6 ++++++ machines/core-services-01/subZone.nix | 1 + 3 files changed, 8 insertions(+) diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index a09eec0..6fb2e79 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix 
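Review bot: In `nur.nix`, `rz-src = nivSources.klubrz-nur;` is now an active binding but its only consumer, `rz = import rz-src { inherit pkgs; };`, stays commented out in `packageOverrides`, so it is dead code; either drop it or uncomment the override, and `rz-no-pkgs = (import nivSources.klubrz-nur {});` could then reuse `rz-src` and lose the redundant parentheses. Since `imports = [ ... ] ++ lib.attrValues rz-no-pkgs.modules` now loads NixOS modules straight from the git checkout pinned in `nix/sources.json`, a short comment such as `# modules come from Klub-RZ/nur at the rev pinned in nix/sources.json` would tell whoever next bumps that `rev` that they are changing trusted module code, not just package definitions.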
@@ -74,6 +74,7 @@ users.users.root.openssh.authorizedKeys.keyFiles = [ ./pubkeys/gdd.keys ./pubkeys/raito.keys + ./pubkeys/mrf.keys ]; # Open ports in the firewall. diff --git a/machines/core-services-01/my.nix b/machines/core-services-01/my.nix index bdc2aa4..994190f 100644 --- a/machines/core-services-01/my.nix +++ b/machines/core-services-01/my.nix @@ -101,6 +101,12 @@ in }; config = { + # Default IPv4 exit route + networking.defaultGateway = { + address = ""; + interface = "ens18"; + }; + networking.interfaces.ens20 = { ipv4.addresses = map mkAddress cfg.ipv4InternalFull; }; diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index ff98ad0..41fd888 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -48,6 +48,7 @@ dualstack // { acme = { NS = [ "acme.${my.subZone}." ]; + A = my.ipv4; AAAA = [ my.ipv6.acme ]; }; -- 2.47.0 From 7e11763d747b7916e9c4730f9b3eac96cbffe18f Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 25 Jan 2022 17:52:56 +0100 Subject: [PATCH 050/149] core01: Add MrF keys for real --- machines/core-services-01/pubkeys/mrf.keys | 1 + 1 file changed, 1 insertion(+) create mode 100644 machines/core-services-01/pubkeys/mrf.keys diff --git a/machines/core-services-01/pubkeys/mrf.keys b/machines/core-services-01/pubkeys/mrf.keys new file mode 100644 index 0000000..ebbfa68 --- /dev/null +++ b/machines/core-services-01/pubkeys/mrf.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe4tx0+lNX2w7kG94c9u7U0wHuOc2A6zpHcbyAs+w/d -- 2.47.0 From 3670aab5834d559231ddfe41c4440f0f49b42ced Mon Sep 17 00:00:00 2001 From: Julien Marquet Date: Tue, 25 Jan 2022 18:12:54 +0100 Subject: [PATCH 051/149] ipv4 for public-cof --- machines/core-services-01/subZone.nix | 38 ++++++++++++--------------- machines/public-cof/networking.nix | 20 ++++++++++++-- 2 files changed, 35 insertions(+), 23 deletions(-) 
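Review bot: `./pubkeys/mrf.keys` is added to `users.users.root.openssh.authorizedKeys.keyFiles`, but this patch's diffstat creates no such file; it only appears in the following patch ("Add MrF keys for real"), so this commit does not evaluate on its own and breaks bisecting. Squashing the key file into this commit, or reordering the two, fixes that. The `keyFiles` list begins before this hunk.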
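Review bot: In `my.nix`, `networking.defaultGateway = { address = ""; interface = "ens18"; }` names no next hop; if the empty string is the committed value rather than an artefact of this page's extraction, the `# Default IPv4 exit route` comment above it should say what the intended route is (a concrete gateway, or an on-link default because the public `/32` on `ens18` has no subnet peer) and how it gets installed. The same pattern recurs later in this series in `machines/public-cof/networking.nix`, where an explicit `localCommands` route is added instead, so the two hosts should probably agree on one mechanism. The `config = {` attribute set this hunk edits continues past the hunk.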
diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 41fd888..08db8c1 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -3,8 +3,10 @@ with dns.lib.combinators; let my = config.my; - upstream-v4-proxies = [ "51.15.7.181" ]; # kurisu.dual.lahfa.xyz - public-cof-ips = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5" ]; + public-cof-ips = { + A = [ "45.13.104.27" ]; + AAAA = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5" ]; + }; delegateACMEDNSChallenge = acme: { _acme-challenge.CNAME = [ acme ]; }; remoteBuilders = { @@ -52,27 +54,21 @@ dualstack // { AAAA = [ my.ipv6.acme ]; }; - beta = { - AAAA = public-cof-ips; + beta = public-cof-ips // { subdomains = { - nuage.A = upstream-v4-proxies; - nuage.AAAA = public-cof-ips; - minecraft.AAAA = public-cof-ips; - factorio.AAAA = public-cof-ips; - home.A = upstream-v4-proxies; - home.AAAA = public-cof-ips; - pads.AAAA = public-cof-ips; - pads.subdomains = { - api.AAAA = public-cof-ips; - files.AAAA = public-cof-ips; - sandbox.AAAA = public-cof-ips; - }; - docs.AAAA = public-cof-ips; - docs.A = upstream-v4-proxies; - jurisprudens = { - AAAA = public-cof-ips; - A = upstream-v4-proxies; + nuage = public-cof-ips; + minecraft = public-cof-ips; + factorio = public-cof-ips; + home = public-cof-ips; + pads = public-cof-ips // { + subdomains = { + api = public-cof-ips; + files = public-cof-ips; + sandbox = public-cof-ips; + }; }; + docs = public-cof-ips; + jurisprudens = public-cof-ips; }; }; diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 9fb5315..9fc556f 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix 
@@ -1,8 +1,20 @@ -{ ... }: -{ +{ lib, ... }: +let mkAddress = addr: let + splitted = lib.splitString "/" addr; + elemAt = builtins.elemAt splitted; + in + { address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); }; +in { networking = { hostName = "public-cof"; + # Default IPv4 exit route + defaultGateway = { + address = ""; + interface = "ens20"; + }; + localCommands = "ip route add default dev ens20 metric 10"; + useDHCP = false; interfaces.ens18 = { useDHCP = true; @@ -15,6 +27,10 @@ useDHCP = true; }; + interfaces.ens20 = { + ipv4.addresses = map mkAddress [ "45.13.104.27/32" ]; + }; + firewall.allowedTCPPorts = [ 22 ]; firewall.enable = true; }; -- 2.47.0 From 6535ca50aff220cd9454b4cdb8656a98734da0e8 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Tue, 25 Jan 2022 23:59:59 +0000 Subject: [PATCH 052/149] add dex --- machines/core-services-01/dex.nix | 41 +++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 machines/core-services-01/dex.nix diff --git a/machines/core-services-01/dex.nix b/machines/core-services-01/dex.nix new file mode 100644 index 0000000..6834f07 --- /dev/null +++ b/machines/core-services-01/dex.nix @@ -0,0 +1,41 @@ +{ config, ... }: +let + my = config.my +in +{ + services.dex = { + enable = true; + settings = { + issuer = ""; + storage = { + type = "sqlite3"; + config.file = "gitea/dex.db"; + }; + enablePasswordDB = true; + /* + web = { + http = ""; + }; + staticClients = [ + { + id = "oidcclient"; + name = "Client"; + redirectURIs = [ "/callback" ]; + secretFile = "/etc/dex/oidcclient"; + } + ]; + */ + connectors = { + type = "gitea"; + id = "gitea"; + name = "Gitea"; + config = { + clientID = ; + clientSecret = ; + redirectURL = "http://127.0.0.1:5556/dex/callback"; + baseURL = "https://git.${my.subZone}"; + }; + }; + }; + }; +} -- 2.47.0 From 7193ee270ac51cc84690d150e65e84aa522f7cb7 Mon Sep 17 00:00:00 2001 
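Review bot: `localCommands = "ip route add default dev ens20 metric 10";` is not idempotent: `ip route add` fails with EEXIST when network-local-commands re-runs (every `nixos-rebuild switch`), whereas `ip route replace default dev ens20 metric 10` is safe to repeat. The `defaultGateway = { address = ""; … }` block next to it is, as far as I can tell, ignored for an empty address, so the `# Default IPv4 exit route` comment is misleading — either drop that block or reword the comment to say the on-link route comes from `localCommands`. With a public `/32` now bound on ens20 and `firewall.allowedTCPPorts = [ 22 ]` in context, confirm that root SSH on this host is meant to be reachable from the public address.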
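Review bot: dex.nix as committed cannot be evaluated — `my = config.my` is missing the `;` a `let` binding requires, and `clientID = ;` / `clientSecret = ;` have empty right-hand sides — so importing it (done in the next commit) breaks `nixos-rebuild`. If this is meant to land as a skeleton, comment the unfinished lines out; when filling them in, do not put the Gitea client secret as a literal here, since the rendered dex config is copied into the world-readable Nix store — keep it in an agenix secret and reference it from the service environment. `connectors` also needs to be a list (`connectors = [ { … } ];`) for dex to accept it.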
From: gabriel-doriath-dohler Date: Tue, 25 Jan 2022 23:59:59 +0000 Subject: [PATCH 053/149] add dex to confifiguration.nix --- machines/core-services-01/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 6fb2e79..8a53310 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -19,6 +19,7 @@ ./keycloak.nix ./acme-dns.nix ./backups.nix + ./dex.nix ./secrets # TODO push to gitea # TODO ./gotify.nix -- 2.47.0 From 52d0f1433a8b28ac9fcda796e8598518763bcc7a Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Tue, 25 Jan 2022 23:59:59 +0000 Subject: [PATCH 054/149] Ryan tu me doit 10k --- machines/core-services-01/dex.nix | 6 +++--- machines/core-services-01/secrets/default.nix | 1 + machines/core-services-01/secrets/secrets.nix | 1 + 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/machines/core-services-01/dex.nix b/machines/core-services-01/dex.nix index 6834f07..12c9476 100644 --- a/machines/core-services-01/dex.nix +++ b/machines/core-services-01/dex.nix @@ -1,6 +1,6 @@ { config, ... }: let - my = config.my + my = config.my; in { services.dex = { @@ -30,8 +30,8 @@ in id = "gitea"; name = "Gitea"; config = { - clientID = ; - clientSecret = ; + clientID = "Gitea"; + clientSecret = "b2a1b7ae-2f31-489d-84c3-4d429085db14"; redirectURL = "http://127.0.0.1:5556/dex/callback"; baseURL = "https://git.${my.subZone}"; }; diff --git a/machines/core-services-01/secrets/default.nix b/machines/core-services-01/secrets/default.nix index 10b41f1..3e4cb37 100644 --- a/machines/core-services-01/secrets/default.nix +++ b/machines/core-services-01/secrets/default.nix 
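Review bot: `clientSecret = "b2a1b7ae-2f31-489d-84c3-4d429085db14";` commits the Gitea OAuth client secret into git history and into the rendered dex config under /nix/store, which every local user on the host can read; the same commit adds `dexGiteaClientSecret.age` but dex.nix never references it. Treat the committed value as compromised and rotate it in Gitea, then load the new one out-of-band, e.g. `services.dex.environmentFile = config.age.secrets.dexGiteaClientSecret.path;` with `clientSecret = "$GITEA_CLIENT_SECRET";` in `settings`, since dex expands `$VAR` references from its environment (check that the option exists on the pinned nixpkgs). The `config = { … }` set this hunk edits starts above the hunk.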
@@ -3,4 +3,5 @@ age.secrets.keycloakDatabasePasswordFile.file = ./keycloakDatabasePasswordFile.age; age.secrets.oauth2ProxyKeyFile.file = ./oauth2ProxyKeyFile.age; age.secrets.droneKeyFile.file = ./droneKeyFile.age; + age.secrets.dexGiteaClientSecret.file = ./dexGiteaClientSecret.age; } diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index cd564de..013b959 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -10,5 +10,6 @@ in "keycloakDatabasePasswordFile.age".publicKeys = superadmins ++ systems; "oauth2ProxyKeyFile.age".publicKeys = superadmins ++ systems; "droneKeyFile.age".publicKeys = superadmins ++ systems; + "dexGiteaClientSecret.age".publicKeys = superadmins ++ systems; } -- 2.47.0 From e290a918a0de684ed0ae2debc3d77c3029ffbde9 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Tue, 25 Jan 2022 23:59:59 +0000 Subject: [PATCH 055/149] progress on dex... --- krops.nix | 2 +- machines/core-services-01/configuration.nix | 1 + machines/core-services-01/dex.nix | 18 +++---------- machines/core-services-01/dokuwiki.nix | 7 +----- machines/core-services-01/oauth2_proxy.nix | 5 ++++ .../secrets/dexGiteaClientSecret.age | 25 +++++++++++++++++++ 6 files changed, 37 insertions(+), 21 deletions(-) create mode 100644 machines/core-services-01/oauth2_proxy.nix create mode 100644 machines/core-services-01/secrets/dexGiteaClientSecret.age diff --git a/krops.nix b/krops.nix index fac4e15..351034b 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "973910f5c31b9ba6c171c33a8bd7199990b14c72"; # nixos-21.05 + ref = "e96c668072d7c98ddf2062f6d2b37f84909a572b"; # nixos-22.05 url = "https://github.com/NixOS/nixpkgs"; }; }]; 
diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 8a53310..ebc4718 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -20,6 +20,7 @@ ./acme-dns.nix ./backups.nix ./dex.nix + ./oauth2_proxy.nix ./secrets # TODO push to gitea # TODO ./gotify.nix diff --git a/machines/core-services-01/dex.nix b/machines/core-services-01/dex.nix index 12c9476..1b62578 100644 --- a/machines/core-services-01/dex.nix +++ b/machines/core-services-01/dex.nix @@ -6,26 +6,16 @@ in services.dex = { enable = true; settings = { - issuer = ""; + issuer = "http://127.0.0.1:5556/dex"; storage = { type = "sqlite3"; config.file = "gitea/dex.db"; }; enablePasswordDB = true; - /* web = { - http = ""; + http = "127.0.0.1:5556"; }; - staticClients = [ - { - id = "oidcclient"; - name = "Client"; - redirectURIs = [ "/callback" ]; - secretFile = "/etc/dex/oidcclient"; - } - ]; - */ - connectors = { + connectors = [ { type = "gitea"; id = "gitea"; name = "Gitea"; @@ -35,7 +25,7 @@ in redirectURL = "http://127.0.0.1:5556/dex/callback"; baseURL = "https://git.${my.subZone}"; }; - }; + } ]; }; }; } diff --git a/machines/core-services-01/dokuwiki.nix b/machines/core-services-01/dokuwiki.nix index a0be037..1ad68e0 100644 --- a/machines/core-services-01/dokuwiki.nix +++ b/machines/core-services-01/dokuwiki.nix @@ -4,17 +4,12 @@ let my = config.my; in { - services.dokuwiki."wiki.${my.subZone}" = { + services.dokuwiki.sites."wiki.${my.subZone}" = { enable = true; - hostName = "wiki.${my.subZone}"; acl = '' * @ALL 1 * @admin 16 ''; - nginx = { - enableACME = true; - forceSSL = true; - }; }; /* diff --git a/machines/core-services-01/oauth2_proxy.nix b/machines/core-services-01/oauth2_proxy.nix new file mode 100644 index 0000000..4eca6d3 --- /dev/null +++ b/machines/core-services-01/oauth2_proxy.nix 
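Review bot: the dokuwiki.nix migration to `services.dokuwiki.sites` removes `nginx.enableACME = true;` and `forceSSL = true;` with no visible replacement, so unless the virtual host is configured elsewhere the wiki — including its login form and the `@admin` ACL — would be served over plain HTTP. In the sites-based module the TLS settings belong on the nginx virtual host; add `services.nginx.virtualHosts."wiki.${my.subZone}" = { enableACME = true; forceSSL = true; };` beside the site definition, or note in a comment where they are set. The `let … in` block this hunk edits starts above the hunk, and the dex.nix hunk in the same commit still carries the literal `clientSecret` as context.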
@@ -0,0 +1,5 @@ +{ ... }: +{ + users.users.oauth2_proxy.group = "oauth2_proxy"; + users.groups.oauth2_proxy = {}; +} diff --git a/machines/core-services-01/secrets/dexGiteaClientSecret.age b/machines/core-services-01/secrets/dexGiteaClientSecret.age new file mode 100644 index 0000000..41ffd35 --- /dev/null +++ b/machines/core-services-01/secrets/dexGiteaClientSecret.age @@ -0,0 +1,25 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +XmhJgoyNhXrHw08PTNMkLByPv7mmfqk2ZJ6yTihd2v4ZHdnHN9/nuWnBoK5KJod1 +9tUNwVUmlhfHO/ZDkvpRVgEUHX2SQ7YEcxMtIzocZJYY6JEh3T2+YtHqSvOOgqlV +NkQ6wLPYOHQ1Le5SVM6oQ+s+bJojn/edS5F6qPMDjiBMT7ogwqpVYm80QyaJt2xf +O8iFkzwmyxRSqTIyFX5iDb9irKpPK1fz1/YhdtYNQ+IEHLcxVUMvfMzenqxdGXir +L1vYA7BFmlgkcz60ws+Ob71LYr/edVJxrjFUojKRrMEtWQgXhTS8T20359okx2+d +MLGgVJoNeegF43+eaYIOHw +-> ssh-ed25519 85WiGg VIibrQuanG7Nqot4bebG9DXK7ThMpOwx3oQ3QR/S1zU +oQCrfWu70+Pm7pjRNTO5oiOSUCgrIvKYvuQe81US5gY +-> ssh-ed25519 reTIKw JnIrwm9UoJXoRQ8K6rWnoDDWpZq+uMNyrLl8/gdJZzc +R6ORZtogBqV8nMs86v+YVzHsrX9lXQTbNyIC0/aL+J0 +-> ssh-ed25519 /vwQcQ zWt+iAxLtWSdIbfA4+EWZBfFASkm9s3a9cRRwf3r3X0 +kYm8MXa/4DHp8ZnNblCqlPkEMqwHOfSZxoc0jewscHY +-> ssh-ed25519 cvTB5g yEewNstEZFs0GRqcMP59/+Z2OJL/l0thaZ46mwVouAE +aPmLSR/M6gO7Fvhq/MNwdTAif4bcsfiL9fmmKLnFmFU +-> ssh-ed25519 Wu8JLQ 7FHJpXe5uTNKNAXUR+G1tLkAWnsY+g4qLTAlEWVhFn8 ++A9LLbNMOQXyvKiDu1ddzSE0wB8ubHh9wWL8Zy+PmBM +-> ssh-ed25519 lHr4YQ d8JyALlCuGojdIacifRK6gMJD6jPkulln5DzH00ipSw +Ifk3ascdrChcv585jvNKb6W/EZixx0ly8YvSgDq9AxE +-> l?~i--grease }Zt #O NzbR!q $*`$T< +WMmJLFnsV7jsia2A2wdhlu0SZ3NKlEeCVbGGznlsv2FcfVmACdih0/J30OTkJ/EY +VTZ6JB4nJnldlcxxBUZ6hmtporJeUFEMjSU +--- 55FaRJUBUZoMZPmaRiVCuA+REOgpUv5Wryi2x1N2RxU +z+P'N}M b9$JeBϰ+6p3| ´^3=c \ No newline at end of file -- 2.47.0 From 075cd90fb7cc64b60e69e3e6b31804e9131c087b Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Tue, 22 Feb 2022 23:25:46 +0100 Subject: [PATCH 056/149] core01: rekey with MrF, add pve01 hypervisor monitoring --- krops.nix | 4 +- machines/core-services-01/monitoring.nix | 12 ++++- .../secrets/dexGiteaClientSecret.age | Bin 1303 -> 1424 bytes .../core-services-01/secrets/droneKeyFile.age | Bin 1462 -> 1578 bytes .../secrets/keycloakDatabasePasswordFile.age | 48 +++++++++--------- .../secrets/oauth2ProxyKeyFile.age | Bin 1328 -> 1492 bytes machines/core-services-01/secrets/secrets.nix | 2 +- 7 files changed, 37 insertions(+), 29 deletions(-) diff --git a/krops.nix b/krops.nix index 351034b..24f6566 100644 --- a/krops.nix +++ b/krops.nix @@ -29,7 +29,7 @@ let inherit target; }; }; in {} -// mkDeploy "core-services-01" "root@core01.rz.ens.wtf" +// mkDeploy "core-services-01" "root@10.1.1.20" // mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" -// mkDeploy "public-cof" "root@beta.rz.ens.wtf" +// mkDeploy "public-cof" "root@minecraft.beta.rz.ens.wtf" // mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index b355179..6149d24 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -19,7 +19,7 @@ in text = '' [global] page cache size = 32 - dbengine multihost disk space = 4096 + dbengine multihost disk space = 8192 ''; }; @@ -28,12 +28,20 @@ in group = "netdata"; mode = "0600"; text = '' + # pve01 hypervisor [e245097d-bf52-4f66-9c10-984e8d5ee178] enabled = yes - default history = 5000 + default history = 10000 default memory mode = dbengine health enabled by default = auto allow from = 10.1.1.10 + # public-cof server + [c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe] + enabled = yes + default history = 10000 + default memory mode = dbengine + health enabled by default = auto + allow from = 10.1.1.21 ''; }; 
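Review bot: the netdata stream API keys added to `stream.conf` go through `environment.etc.…text`, which renders the file into the Nix store before copying it to /etc, so `mode = "0600"` protects only the /etc copy while the store path stays readable by every local user; `allow from = 10.1.1.21` restricts which source address may use a key, not who can learn it. If local users on core-services-01 are not all trusted, keep the keys in an agenix secret and point netdata at it, e.g. `environment.etc."netdata/stream.conf".source = config.age.secrets.netdataStream.path;`. The `text = ''…''` attribute this hunk edits starts above the hunk.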
diff --git a/machines/core-services-01/secrets/dexGiteaClientSecret.age b/machines/core-services-01/secrets/dexGiteaClientSecret.age index 41ffd354202ccee6cabafde5e5cd7027d76ef859..daef2a2a00c33743ebcd5b46b39b1205e074fc61 100644 GIT binary patch literal 1424 zcmZY9JImw*6b4`ytkP{KR>QW#Y%;k_5*Cysll$a;nM^<-$z*b!+%ri=1#v;FE%YZ? zSZJf$EP{>xfGxBU|An=mjm5X^ImH9-dpJQ7Z{jNImS)K6>UrHI;B5OU98jg6>GR#|QwQ|nVpxacS&oNBi<{uotMPIryQ~Hd{F)G?hsA)3 z48Om*kfUZncpvMdr+Ey$RT$hjbu4kNA8YB3N@-m6O$a>U9lfOFv^%9`|Dib;yAoy#~h896F}N2-{EOS4mx?o`Y>37j5l$B~c@ z#!3<<%yMEuy(c0>;vrEbzIlju2P1E4uPCgp3MvRkg%n;>M;Gcid61E=x!+ zz-n1dfNQH5enTE+VU*B`D-NE!y;E^*o5?0Wq`yJ7!I^ zxk%a^Yh?Lby>+oI%G2t$gD6xLQUMZs%sBB{ax3*K$Tlg|l(MAv-ae3a`hYk!0GeJK z&`WpjbZmcB&phSU6|}YY+wG8w@VawzZeYnQ@88l0?3nS%3hlQAYW3_E=Q*|3mPr81 zeBH~J?BeA`Ivnp-X!xVoJan-~c5+M%hmH<0E@{J)Mq6mA@u{&-vT;9+X$%Qj*?GwS zNp^j(D!LNJxVZsyY(!Mzck25t^j5Bi#{z};1XExtOG!{s*4 zc6tWnL7kw64IxaIE1ZWZ6iqS6xHL7oh49qI$p~~TSuQL=Mx@C($*klUN4$(mE(*aE z2!qy|>3|7DXZBn2G!VO75MV**T4P}#ni%-w`5|#W;lN7Z#)L1Y6RAwwNu|b2&j9fV z<8h3-b$^p6vc89kT%^W-ce{r+Nf!rwy!!BYBv3BCdUgk7S86>mFl!R#I`EurDbJ4a zGh4#if|UmqZYg4>%!MtRCGq0K6OpkMSZ+O>2cMX8V7yh)EJQ9V8Hf`IRADzHdhcZu zw;FH`=~kQX;=>o)P3vjbH-X`DGdoLhbW(uLX0zg>T6DLOu=kMP?|CLK~#OgcK6&x!GwLHjdgss8_dkBaz4tFf<JvA5DcHmWG0yeJjl!>lgT-`k3!6yOs>f>IR@9p%0)1x7Jor0J}`Nq@JbJZrKqbj=Ch~!e%}W>#~fS9CbN-*0VH3hn35Q6)TZ&b+M{V z&0{=QhYNu04QVuuvPffAhTUC0oK-WS4c10AW$nkU&DNgiBrWb7c>UoQlwz2!}AYEO(&pLn$u>E2QjJJmHpN0B8)*7<}&As`C- z#N=uziV|kEgd)#5$n5yv+EIvN*n$KJ%*yr&XdW`ZRW4q&UrSBhul&g0lRKMV>#2B_ z$7xwBOGSmX#nk|6W!uKqWsN|`a(zCjk}hL)CTqqvX%7SM3>PIL7KVl;&RwmI^aDSF zTy<#2k~C`0u2qHL@z$#9-Of6@4RjHuxfKcmPD0MT27rpos@vDerZI_1>GP)1EcZ)xGdkEs6l-NqQZ7p7D2MJHUft@UwT~-w%arqFakRb67S;{OuN}MA;nBMgO=4;%V8R>z0cQ zh89oS?aDVdAcirX${DwDExO0jQ!{gWp&*r(ld~~kRy$|tw2)ABGJxN%(39hv&whPD zdiMOaN6#Ps@!%!#={^6KufHXK`0^na-T!&>)#In%Lw|q%%8L(v{|o=@{N3`KFJAuW T-lso3`SF84m#@AXd~*LE7tych 
diff --git a/machines/core-services-01/secrets/droneKeyFile.age b/machines/core-services-01/secrets/droneKeyFile.age index 00703c2e6c4f86e7d398c31242300078cdb21abd..2c12d704a2edfc6737dc35ad655b01c9961898f5 100644 GIT binary patch literal 1578 zcmZY7>F?770LF2Rcfmvra`|S8!DIaFwYIA!$hx&%yYA?^ZtJ2Xz1DTzx~}Vb%ovZL zi7~zrV~moBcpCwUAW8^o#1MsO03~Q53Tgxs&>-;&Ch8ks{QL_(Po8{L%bYV^-A}y0 z9=W%Td3>ZL8*(gDLnX{86b3Qh8ZW&DMA~BWcYrfgwN>K{7qE@va zDABB{q-$+T@Ar%vHbAq6!-|y#;-z8MRmqST$M3A2}L4_D-C8GXb>05St&*> z*4AXYE|Q8A@R`B?v@F)LSt~_C!*XngktvHRueY)U8EcTw(wNq+8Px$1LnA$>V3S^`pl%t6Qt?#(qDdP75438>I$?`Z< z9ZxN@K#Zyu8{jgl4QsS8pe#^i+MqhldXer5^?_G)`(PS#1DwI}dJYFXwcmv7>7bBQ zBvA;^!YZoEC`%VA&cvE^qkb{( zM!?+MTncoi6*p0J4~j9Z*zWnoZ2q4=Db!UgG+XX=C}!xAoguA>!1_DyKL5}GgcUUK6~MbP5Y1E;q|_~{>6i<_iS1G_1u~10oZ1o<@X;Hmv8!X!J-X&x1IiZ zMfV=(L*(YS-+lJfTYr=u{p92IA1$qmTTQjJ3cU!rWy=LSp8c)6vT&byiaM*Td(R_Rcnc-^i}r%Xb*h<&_(MSiA_o=E@W4myVF7>sB0C!~M0B TQJAaNt-*@fQf*Y69Z9EFly9jqP+Nm@BieN@5`6JTGykx ztNEi=*Yw<^Mz1)>r ztUnMmAzTl@RF0=bp-#nv%jbl_V}RK$w~&Sv8}%fol~XmT1P$;`C|z}s!q8)V096GG zq9xBM7%pRjJl^XjV`h&@3k6fnqr>`@ny*W2W)RkWSEx3Ju*EV1FHcxn-fYkwx?7%s@lJ&CxYZ60B zCS4Ev#fqIy1i66-1X#m@$sx_~Sl+6QX-Nc4@CDE?%?4AT8ghs?7_x+6I1D=@u*uuG zCPg*6Qb|LDN}H`j@StfI5S<8Y_P=a?M-4aq5}6f3wrds9{6KZ899R}o48z6-%`{XX zwG_6mS2SUw(;uU_X3fJSWP1ts*e}j^fpTA_ysXvF)=~rEU%55nfb7bWF`ydL{0r`kj*Dp}7{-xV(eQ zA7ITIJ6iX3wWEizi52(v!a+QgT{mZX>r!IZ=IalB?*#iE zU;5sp_1oF;i8N%+-g)1$Is2!UonL+Jp;@P`dDWtCbWWdr_U-k+tPA-)3m+RDSbWvb zmsTDBddY*pqccC$-rBKa^11QrjvbTt9$EeHyjRZbfANub(Ye4co71z0Kb4!~n{Kb%YRpjyMk1uSe(7hKe^W ssh-ed25519 lHr4YQ FHOLoe1idBzwzFB5v1UqrVIgIjmyVMqhC60F+7bsslY -+4jeqlOONU712hstLOOU59dHgx48CB3+Z4xn1faH8Q0 --> ssh-ed25519 Wu8JLQ hqwTH7IVS1GTep9tNy6vrUUVtPcVXBxDnJj77S+l/Ek -gmnQhE5wnxQgEhyE18RKKemMQr4ewtRkQRt0bJo8O7Y --> ssh-ed25519 cvTB5g bw+GZVk23ok4lgUF86PqTkZOM7BPNY7foMYYMZSEemU -6BAoCmLYb1oJwPPW3X2AaS3ZOttSxAykOeKIJM/03+k --> ssh-ed25519 /vwQcQ Kqg5WdWhAuxCxMgWPpXWk77utvbIbBdcZXNSOF+a938 -4361sLVjBWOoWqTl7sIktNiulSU4gHnD2Q5gjDkZ2po --> ssh-ed25519 reTIKw 
abLB9hwppWQhlkAHx3AiFgePvigajethU03CjTu6SUg -sueQMp1LPmF4h1EPsyGrSDH6RoXVXoWm1i3OISZlyPw --> ssh-ed25519 85WiGg T6amGqzBiF7BLhnhPrz8BCu/NDikWBDnRv+UL2Y8mXs -xghk5e+D3O4rX4FT4TNu/bowSj7HCn3Wi4E6F7pseiw +-> ssh-ed25519 lHr4YQ S/Kuy8PdLoLLRDvlDDyuDaGXGb0RMBJKo9XyHK2I0Bg +VFjemRE9hOc/fEol+2OAjM6d/5QLPeeo0ytdgcwa8Zs +-> ssh-ed25519 h6AgbA ParmcGdbVHdvihrEuV+nLBLDnTwKR+zoxc/O0LdrUhA +L1kL6sr4ak1DTTaui9k6tpPJ1p86bKAoOcPwCJu7vr0 +-> ssh-ed25519 Wu8JLQ hTPuIn+IogmX6U16p3EQ/9C/L+X7dZaQaBrEAdq4twM +QhnuGbpuqpFFujNlXSDUDMEGHK875Sr5hHX/q2ShkhU +-> ssh-ed25519 cvTB5g P8av9KTsR9ccIRPz0TABQF3EfeO+cyn+Od+shxeatEk +GnExLTBOicvRs7neFPL/GLxE6hqpdqNV8P4nWRbMjKU +-> ssh-ed25519 /vwQcQ WE0fxso39H7ZyYwJ8eNnmrLgf0xL5AdpHZ1mrvbiPyQ +y4GjFZuYtiGg6cY8ZTOKHbYjjFJoFI5W4IF7np/OB/8 +-> ssh-ed25519 reTIKw LxM4ihcAb5u6rKqtrOUZ7/4XXoMVbf/HHhby/i9Xbn4 +O8KkO/99T2lBttsADSTJE/18ljFrUjrJWhK7peehei8 +-> ssh-ed25519 85WiGg +GtCSdOR7TTwu+zTvwOoRhOE0iLwB7JuFaZkP8cP+Fk +0GCjcBgOPeynvAUDmEioWPJMhZWGchKKukGGXHCBEUU -> ssh-rsa krWCLQ -KDsZM/5myCVtb7RL9Mo1F2WUKzBPhwillBvrIONZKH0dh3mCMjeVfyYTto1NxKxp -GsvYltgLbDggo3ittwQedB9s/JXL5z0+f3DroKVJzw82ti6w3SMpvKiCR2x+5DjH -D4Wzt/CQFujxAMOghKQGlFuCM6nVkpmL9ucgUPEp7ApbNWuc4patJgLpvkE0yj7X -Q4ScTPg86Oh5RFf4Qwa3QhG7IdnIoSSJxK+rK5qZb2vPST9zc2OKZKQXOh2h6hBy -tEAhRYBTu6oqprwYlEWL7dCsbBeHjLmBE6Zvovp51PizZhzub1jCh/fuka1VTFSq -f1oWAdTS3Ow5gXWKoH5TkQ --> +_u~Wjak-grease cU8 ?4 8Y(inxl+ -h+7nxip00iflkCYBX2HvbHYc0SjsLvn4WVYUPzhDGjyauwARfA5zCfuIbGnEcxzF -FOWG9QQzr90JDCkonUjGTJ3N+ykLpiYCvLDJgXZB4MVEONyutwM ---- dZ6ca/xXQAOh82oeOyV/EkjTzK+oUj0YgzGTqyzJ8Rs -a OvF⌞ʛ -JFjj+ \ No newline at end of file +bSk43qTcHFgrS7AeXTzUbx5FO/1YrLuRlm58lcXpTTKcRMZWKmFbPTVNdIvkT4xt +B6HW0OqV/Ks1pbeJUCPRdLwYHYULEC4quRGlgeToXoUQ8zCvcPT6uikpK0Hzne7e +WI5MLdS3vvAPljlSSaPN8gb3yiPgA2IPrHjqIsMNkotGFjUQ/oIyJ8YcDsSfGE2T +Z8+TOj4ZNxPda2hX7mL2x2dJmmQW5FkOVtSpSyvwpkOqPOi6b5vZaWu/GtXzGEhD +SD6SALiqmWkCHb8n588XDqKj8Lj/741R24f8IM8qW9cBz4QClh3Bnrl4gendsUCp +PkQPjniidi/aF6sHhfrSNg +-> |#4-grease y%'e^I RB nBNinf \dob 
+L2HkuH7S3KtuQN9AWLBL99nJPxVw +--- +QOdyAz8FR0RecYvvkzxv2IzJ9yt89/xePALK3l7sjs +&,NpJ~ ƅ˜*,؆5:i W}m"Q-FJm \ No newline at end of file 
diff --git a/machines/core-services-01/secrets/oauth2ProxyKeyFile.age b/machines/core-services-01/secrets/oauth2ProxyKeyFile.age index eb729b2e73acd38c84e188d8175df2a70cdea4dd..a62c1af71b7bdad19991f49ff4102777092cf4b4 100644 GIT binary patch literal 1492 zcmZA1&Fk9)0LF1d9kYs?A}T1X3?0MLrAd=CRZx<&Nt&c>k|yad0g=2XZIkAuNt)nL z7{0JwC%Xv4De4r2;n1t6F`Z-R1R3hYfyxjM+d&XKI0P@hzulEY3Vx)L@L*gKl7j)1r2g7Y*is0DYKze^mGx2sN4|2Ka;9k6nsJh&(`6%w0c+(Xs zgfCFt(un?cP&v#*&K-%9i-JU_6`3xXn!*q}^nI+M*5hS_1_s&k%E8XkAZx!j;$?e2 zCK5#}v@jI~Gay>BwZU?h z;%J;B%5vHx!yTi`(lX@;GCrA&CW0;IINlhnX@!e(T^75jKZc2(la!`Q)7-cfZ!>MP z<`HEvbX0rL*{uOZDOzHa!`OaeDhomIb4`ZuR-Hl=K|8J1A{B>S`@%yS3DjM_k!#^&$jy!@Aa{OFZ2$ z9o_LEv}RUAU^TBnFR9j~J{*sw0p1v*fX&mYkyezOxUJqGEIH5L(BVc==y*&~rJ-Bh zX~6>4ZVf}`0qr#nh6pl$;mqW`0Ax+Ibg{;H5*sjrsWEQfUbF&l94(g-++fO3SdS95 zs{vgYuU)JUas7y9LEneCIqr8yH6PF_=S;KzwKOxD%XCiiVgrXp%#Z+A65uf9bPO7{ z5EYuPglwO7F?^sG)3|2Btx6)WDj-9hkLuX6>k+pa!^zZX6k663Y??*TfVR8r3|jh? zg{(;nm<+WXLju^TI84LXaWbPSO`XIHlByaw${BxD&f$g`@UuejIcKr47W9(UX~ztq z3h&CfKSN?imlVQ>icaRXgoU}v6h4jfcqVCh296?IZ-4-irnw0dE*1E?59H(o43gGr zzEx<1191sf{B)<60Z9UZ*+^*lD?gL#a)Hd(&P-4nX{yyhZwMAxB%oR*^if1uOsE8@ zSdEi(y9C5_77kYu1>$?jR@nmxMLI0j>$;+?5(~CYN`&n8-oF2X zv!7$ozrA_pz~OsOpL*gC_A-9)`vX7OFCE|WF!N2&k#8S-kT literal 1328 zcmZY5NvPZe0LF2(waOekD0)$Juqf#Gn#p96NhmF5wq&wRl9_B{L9@RkljS9uWD=n* z=s`iD6{}DzqF9Rv)e3qN1Z|NPr4>C1q7@H%5EpQPTDOCj=lz2p-(Pp_4LdT^D#^V# z+7qWPP=Jk%{mm@f+_0?<41-v6Nv2&*Xv#DOiixvS=Y+i`;kr}Cz;KomQ07aUV|OgB z>C#@oj3*0?#b7as1%cBhsKw(hBIz|X8c-=sO=ENwXp)ZuP@-G)z}>DXE0kh{ro^PI zm0(0CSawKtFoUXvV6lj@0+)~wE{A~OY_=EUL?lLH7dT|#VDrBzrkMn?@A^;}NWc`gjSp3xTyyzMQzi2;o&qr5rL0o!JjJrUibZY?MQgH^9g%0CL)DyUVS#N564UnChBp7LAiY4X3y{&1)!O2t` zDw;T_T3f)nT233#bV8d^*D~})N*b-w2XM{giD`~OJwh!ay}L%B+z?`BxhT zv3B9S5K4`1)Rdw-^A>@(ThWwNhJ2S`{SmnU6FwS^O^YeIVGU0}$Tkt8U(b7$Dv>oZ zhd0y7Fk9-4e1=J~MMG-A`m@<6Fh)jP;{VnrdV{@>q#JH(>zUoC=6ZpMWVzKJ7jET% z3dX5086b1xpYg^<6PCHeuyqIZ+mI!vR-JXTjB9HPd{V{WijF%yGj1=W!7OV$adG!= zPrh~A=_5D1f6wu+@9d3F?!C-@bNs%S5-hj?p4jJq@-bB&8~qu5|H0b2esbvQHOd=5 
zzIcFt`MMT*6J@maJb(YGOTyh(c3pV;!6RpHzU%RWJKe9|eU(s8e|Z@5&K-ka35iSZ zoj-i^G;#0l*PmS+{CSsk^@U&l8sGQ;{o${#U4HCy=FO)LoOpD<`0efP&huy7AKv-n wmWxLp+HvUQvFO4xXIj^ud-c1Ip8Mic {}; lib = pkgs.lib; readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); - superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); + superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf"); core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU"; systems = [ core-services-01 ]; in -- 2.47.0 From 09ad6670ed1afbcaa89fbc25f8cb527a12f5ddd1 Mon Sep 17 00:00:00 2001 From: Julien Marquet Date: Wed, 23 Feb 2022 01:42:26 +0100 Subject: [PATCH 057/149] feat: Matterbridge MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit je suis fatigué --- machines/core-services-01/configuration.nix | 1 + machines/core-services-01/matterbridge.nix | 50 +++++++++++++++++++ machines/core-services-01/matterbridge.toml | 23 +++++++++ machines/core-services-01/secrets/default.nix | 1 + .../core-services-01/secrets/matterbridge.age | 28 +++++++++++ machines/core-services-01/secrets/secrets.nix | 1 + 6 files changed, 104 insertions(+) create mode 100644 machines/core-services-01/matterbridge.nix create mode 100644 machines/core-services-01/matterbridge.toml create mode 100644 machines/core-services-01/secrets/matterbridge.age diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index ebc4718..5b18334 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -22,6 +22,7 @@ ./dex.nix ./oauth2_proxy.nix ./secrets + ./matterbridge.nix # TODO push to gitea # TODO ./gotify.nix # TODO(Raito): ./backups.nix diff --git a/machines/core-services-01/matterbridge.nix b/machines/core-services-01/matterbridge.nix new file mode 100644 index 0000000..7eefba1 
--- /dev/null +++ b/machines/core-services-01/matterbridge.nix @@ -0,0 +1,50 @@ +{ config, pkgs, ... }: +let + manageSecrets = conf: secrets: output: keys: + /* + `secrets` are in the form "SECRET_1=secret\nSECRET_2=secre" + For each name in `keys` we search for a line `$NAME=`, + (`` is just everything up to the end of the line) + and we substitute `$NAME` by `` in `conf`, and we print + the result in `output`. + */ + let + check = key: '' + if grep ${key} ${secrets} > /dev/null + then + true + else + echo "Missing ${key} from secrets" + exit 1 + fi + ''; + get = key: "$(grep '${key}=' ${secrets} | sed 's/^.*=//' | sed -e 's/[\\/&]/\\\\&/g')"; + checks = pkgs.lib.concatMapStrings check; + replaces = pkgs.lib.concatMapStrings (key: "s/${key}/${get key}/;"); + in pkgs.writeShellScriptBin "preStart" '' + ${checks keys} + sed "${replaces keys}" ${conf} > ${output} + ''; + startScript = pkgs.writeShellScriptBin "start" '' + ${manageSecrets + ./matterbridge.toml "$CREDENTIALS_DIRECTORY/secrets" "$RUNTIME_DIRECTORY/conf.toml" + [ "SECRET_MATTERMOST_WEBHOOK" ]}/bin/preStart + ${pkgs.matterbridge}/bin/matterbridge -conf $RUNTIME_DIRECTORY/conf.toml + ''; +in { + networking.firewall.allowedTCPPorts = [ 52187 ]; + systemd.services.matterbridge = { + description = "Chat platform bridge"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + DynamicUser = true; + LoadCredential = "secrets:${config.age.secrets.matterbridge.path}"; + ExecStart = "${startScript}/bin/start"; + Restart = "always"; + RestartSec = "10"; + RuntimeDirectory = "matterbridge"; + }; + }; +} diff --git a/machines/core-services-01/matterbridge.toml b/machines/core-services-01/matterbridge.toml new file mode 100644 index 0000000..d4b9ab8 --- /dev/null +++ b/machines/core-services-01/matterbridge.toml 
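Review bot: the rendered `$RUNTIME_DIRECTORY/conf.toml` contains the Mattermost webhook URL, but `RuntimeDirectory = "matterbridge"` is created 0755 by default and the file is written under systemd's default umask (0022), so other local users can read the secret that the `LoadCredential` indirection was meant to protect; add `RuntimeDirectoryMode = "0700";` and `UMask = "0077";` to `serviceConfig`. Separately, `get` strips with `sed 's/^.*=//'`, which is greedy and cuts a value at its last `=` (webhook URLs can contain one), so `sed 's/^[^=]*=//'` is the safer form, and `check` greps the bare `${key}` unanchored, so a key that is a prefix of another passes the presence check. The firewall opening of `52187` here pairs with the `0.0.0.0` webhook bind in matterbridge.toml; confirm that endpoint is intended to be reachable from outside the host.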
@@ -0,0 +1,23 @@ +[irc] + [irc.ulminfo] + Server="ens.wtf:6697" + Nick="botte" + UseTLS=true + Charset="utf8" + PrefixMessagesWithNick=true + RemoteNickFormat="<{NICK}> " +[mattermost] + [mattermost.merle] + WebhookURL="SECRET_MATTERMOST_WEBHOOK" + WebhookBindAddress="0.0.0.0:52187" + PrefixMessagesWithNick=false + RemoteNickFormat="{NICK}" +[[gateway]] +name="réseau" +enable=true + [[gateway.inout]] + account="irc.ulminfo" + channel="#réseau" + [[gateway.inout]] + account="mattermost.merle" + channel="town-square" diff --git a/machines/core-services-01/secrets/default.nix b/machines/core-services-01/secrets/default.nix index 3e4cb37..452d42e 100644 --- a/machines/core-services-01/secrets/default.nix +++ b/machines/core-services-01/secrets/default.nix @@ -4,4 +4,5 @@ age.secrets.oauth2ProxyKeyFile.file = ./oauth2ProxyKeyFile.age; age.secrets.droneKeyFile.file = ./droneKeyFile.age; age.secrets.dexGiteaClientSecret.file = ./dexGiteaClientSecret.age; + age.secrets.matterbridge.file = ./matterbridge.age; } diff --git a/machines/core-services-01/secrets/matterbridge.age b/machines/core-services-01/secrets/matterbridge.age new file mode 100644 index 0000000..1071c43 --- /dev/null +++ b/machines/core-services-01/secrets/matterbridge.age 
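Review bot: `WebhookBindAddress="0.0.0.0:52187"` listens for inbound Mattermost webhook posts on every interface, and as far as I can tell matterbridge does not verify a token on that endpoint, so anyone who can reach port 52187 (opened in the firewall by matterbridge.nix) can inject messages into `#réseau` on IRC as `botte`. Bind it to the address Mattermost actually reaches the host on, or to `127.0.0.1` behind a reverse proxy that restricts the source, and narrow the firewall rule accordingly. A comment above the line naming the expected caller, e.g. `# only the Mattermost host should reach this; firewall rule in matterbridge.nix`, would help the next reader.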
@@ -0,0 +1,28 @@ +age-encryption.org/v1 +-> ssh-ed25519 lHr4YQ HJL96EuQl0qWnOeAR2lXroAQmAdlpqcQKseelyfExgA +xWjYiQmkgz/jOOpWpHPn/3rt7ZJdmP88Gz43E3roa6I +-> ssh-ed25519 h6AgbA 1GpBA4vLsVOUkX8J5YLQMi3Xfdhv+4u7yG7oI49u5wk +oWR+SI4hyhbcEXSm0HMwi9JfC31C9eyXnco4LEknOUk +-> ssh-ed25519 Wu8JLQ ZZB4XicZQfT7H+nKr6QJgJaKXt8QOlMBdNfuOsgtqUI +sdmNC14ORCJDLcXqWDWwZZ6Eg/oR87unKhDgbdmfWek +-> ssh-ed25519 cvTB5g 7+tI7ZXsHjInyRYKXh7Ib/GBlAggr+xmXKnbfMSiNjM +R69O8e2vhIBznrX86Duxc3sYgeiFq0dOdLBvQHeP4F4 +-> ssh-ed25519 /vwQcQ N5wmtMG7kwHRIANNlsjcRDGgkDdBaqUyFAJALXASMRg +oEU6zPMTi2e05G8TgyAq2iCZCwDDsFN1VZIbFvU4MP4 +-> ssh-ed25519 reTIKw ZqKi1btO33hUfCb4ZCX1h+ful/8safmcPwdBfh0+V3c ++agInPvfpuuQGuStNCX71dSlUJedHc7HjKDZiIh2VNk +-> ssh-ed25519 85WiGg 8VoK1DXQdNX4bjC42jsZZc3RpAkua1o/zdhI5WkR72Q +vzvCER9TOE+6NQWmtb/b9yybv7yKM2VMA/cHrsUN8jo +-> ssh-rsa krWCLQ +YyOhEu3NJ6JXqSfk1QbLm/HhOS8KFvX0extWp8djBYTx0DaqAFYW6gX8HReQsky4 +5MOVZ7NjkBuWteRD7Xw/H1Y4I0t9ciBP06Yv64TpciHYahE36GUA8kS6eYr9kAP+ +gf1/aExn8CJX1NES6rDgEDNmlBuuLMk611wYT1wwt44MhsATmOAEW35A9tbpuJeh +Qc/aZX7XzeOkzpO/aYMn/SVREU5fWNdhAgA3vD7MUEAYzB4sS5BaOZ2PBGU/IohL +MhbdTLA3EE3mfSMCJonNz/lF3qNRkCXFbXvhtvck/OAHnprGRhAbbHJPpqx147hc +LvbEgEtQe9JM6uaKR0Qy1g +-> gWo;S~-grease +q68DoRepcege0soJFgobnMTxzSfPRXge3B5CEiCywztahSXsr3ft/JVSh6KBIJG0 +pMsIk2Q +--- q1UjUMNNAe9WWCzomMsLxh7s+1USEVZsJNHrLsGVuks +H9zz ehJ>#فi +L_cGyCAx ԰ˆ:ue4C$V+4%&I#])V?r4wTa@4 \ No newline at end of file diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index 9fa8644..4d09d1e 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -11,5 +11,6 @@ in "oauth2ProxyKeyFile.age".publicKeys = superadmins ++ systems; "droneKeyFile.age".publicKeys = superadmins ++ systems; "dexGiteaClientSecret.age".publicKeys = superadmins ++ systems; + "matterbridge.age".publicKeys = superadmins ++ systems; } -- 2.47.0 
From b581fbcfc5345647f00b841a8c03defe649a9e9b Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 5 Mar 2022 23:15:38 +0100 Subject: [PATCH 058/149] core01: fix #6, remove Dex --- machines/core-services-01/configuration.nix | 2 +- machines/core-services-01/drone-runners.nix | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 5b18334..f5ae683 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -19,7 +19,7 @@ ./keycloak.nix ./acme-dns.nix ./backups.nix - ./dex.nix + # ./dex.nix ./oauth2_proxy.nix ./secrets ./matterbridge.nix diff --git a/machines/core-services-01/drone-runners.nix b/machines/core-services-01/drone-runners.nix index 00568b1..6793e4b 100644 --- a/machines/core-services-01/drone-runners.nix +++ b/machines/core-services-01/drone-runners.nix @@ -13,4 +13,6 @@ in ]; envFile = config.age.secrets.droneKeyFile.path; }; + + systemd.services."drone-exec-runner-nix01".after = [ "gitea" ]; } -- 2.47.0 From e0167f27d3862a0425b756e749234c70070d54a0 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 5 Mar 2022 23:15:51 +0100 Subject: [PATCH 059/149] core01: open up Gitea registration and whitelist @ens.fr emails --- machines/core-services-01/gitea.nix | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/gitea.nix b/machines/core-services-01/gitea.nix index 71b46a2..9835ac1 100644 --- a/machines/core-services-01/gitea.nix +++ b/machines/core-services-01/gitea.nix 
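Review bot: commenting out `./dex.nix` stops the service but leaves dex.nix, with the literal `clientSecret` from an earlier commit, in the tree along with the now-unused `dexGiteaClientSecret` agenix entries. Since this commit removes Dex, delete the file and the secret entries rather than keeping `# ./dex.nix`, and make sure the OAuth application in Gitea is revoked or its secret rotated, because the value is already in git history.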
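Review bot: `systemd.services."drone-exec-runner-nix01".after = [ "gitea" ];` names a unit without its `.service` suffix; systemd expects full unit names in `After=` and, as far as I recall, logs an invalid-name error and drops the dependency, so the ordering this line intends would not take effect. Use `after = [ "gitea.service" ];`, and add `wants = [ "gitea.service" ];` if the runner should also pull Gitea up rather than merely wait for it. The attribute set this hunk edits starts above the hunk.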
@@ -13,7 +13,20 @@ in httpAddress = "127.0.0.1"; httpPort = port; database.type = "postgres"; - disableRegistration = true; + disableRegistration = false; + settings = { + openid = { + ENABLE_OPENID_SIGNUP = true; + }; + oauth2_account = { + ENABLE_AUTO_REGISTRATION = true; + USERNAME = "email"; + }; + service = { + EMAIL_DOMAIN_WHITELIST = "ens.fr"; + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; + }; + }; }; services.nginx = { -- 2.47.0 From e1e8401160abede2db37657cc671b210c0010cfd Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 5 Mar 2022 23:16:01 +0100 Subject: [PATCH 060/149] public-cof: update Raito's NUR --- machines/public-cof/nix/sources.json | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json index 656e9e4..a6531e2 100644 --- a/machines/public-cof/nix/sources.json +++ b/machines/public-cof/nix/sources.json @@ -28,5 +28,17 @@ "type": "tarball", "url": "https://github.com/nmattia/niv/archive/e0ca65c81a2d7a4d82a189f1e23a48d59ad42070.tar.gz", "url_template": "https://github.com///archive/.tar.gz" + }, + "raito-nur": { + "branch": "master", + "description": "All my Nix expressions", + "homepage": null, + "owner": "RaitoBezarius", + "repo": "nixexprs", + "rev": "ead9a70ae1c15d786ee276e6be51a8d6d27baa88", + "sha256": "1wpk6rxcfgf0rvzvdbd3ay1xjc3mh6ds5mmp2w6mphskrhd9qjpq", + "type": "tarball", + "url": "https://github.com/RaitoBezarius/nixexprs/archive/ead9a70ae1c15d786ee276e6be51a8d6d27baa88.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" } } -- 2.47.0 From e03a3f16f8e395b637da4d2dd75712bb270fc3f0 Mon Sep 17 00:00:00 2001 
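Review bot: Registration is now gated only by `EMAIL_DOMAIN_WHITELIST = "ens.fr"`, but `ENABLE_OPENID_SIGNUP = true` also lets a user finish signup from any OpenID identity with a self-typed e-mail, so the gate is only as strong as e-mail verification, and no `REGISTER_EMAIL_CONFIRM` appears in this hunk or its context. Unless it is set elsewhere (not visible), add `service.REGISTER_EMAIL_CONFIRM = true;` (a mailer is required), or drop generic OpenID signup and keep only the OAuth2 source whose e-mail claims you control. Note also that the allowlist is an exact-domain match — subdomains need their own wildcard entry if that is intended — and that on newer Gitea the key is spelled `EMAIL_DOMAIN_ALLOWLIST`. `USERNAME = "email"` derives usernames from the e-mail local part, which can collide across different domains once the allowlist grows.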
From: Raito Bezarius Date: Sat, 5 Mar 2022 23:16:54 +0100 Subject: [PATCH 061/149] public-cof: add monitoring, deploy home.beta.rz.ens.wtf properly --- krops.nix | 2 +- machines/public-cof/configuration.nix | 1 + machines/public-cof/monitoring.nix | 30 +++++++++++++++++++++++++++ machines/public-cof/networking.nix | 6 +++++- machines/public-cof/nginx.nix | 23 +++++++++++++++++--- 5 files changed, 57 insertions(+), 5 deletions(-) create mode 100644 machines/public-cof/monitoring.nix diff --git a/krops.nix b/krops.nix index 24f6566..01ee420 100644 --- a/krops.nix +++ b/krops.nix @@ -31,5 +31,5 @@ let in {} // mkDeploy "core-services-01" "root@10.1.1.20" // mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" -// mkDeploy "public-cof" "root@minecraft.beta.rz.ens.wtf" +// mkDeploy "public-cof" "root@beta.rz.ens.wtf" // mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index d9ce6e5..ef33c32 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -8,6 +8,7 @@ ./system.nix ./acme.nix ./networking.nix + ./monitoring.nix ./nextcloud.nix ./minecraft.nix ./nur.nix diff --git a/machines/public-cof/monitoring.nix b/machines/public-cof/monitoring.nix new file mode 100644 index 0000000..0f4751f --- /dev/null +++ b/machines/public-cof/monitoring.nix @@ -0,0 +1,30 @@ +{ config, ... }: +{ + services.netdata = { + enable = true; + config = { + global."memory mode" = "none"; + web = { + mode = "none"; + "accept a streaming request every seconds" = 0; + }; + }; + }; + + systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [ + "stream" + ]; + + + environment.etc."netdata/stream.conf" = { + user = "netdata"; + group = "netdata"; + mode = "0600"; + text = '' + [stream] + enabled = yes + destination = 10.1.1.20:19999 + api key = c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe + ''; + }; +} 
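Review bot: The netdata stream `api key` is rendered through `environment.etc."netdata/stream.conf".text`, so it lands in a world-readable /nix/store path regardless of the `mode = "0600"` on the /etc copy, and it is also committed in clear here while this repo's other secrets go through agenix (`secrets.nix`). Put the whole stream.conf into an age secret owned by `netdata` and point the file at it, e.g. `environment.etc."netdata/stream.conf".source = config.age.secrets.netdataStream.path;`, then rotate the key that is already published. The parent side additionally checks `allow from = 10.1.1.21`, so the leaked key alone does not let an arbitrary host push metrics, but that is a source-IP check only.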
diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 9fc556f..ff648e5 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -24,7 +24,11 @@ in { }]; }; interfaces.ens19 = { - useDHCP = true; + useDHCP = false; + ipv4.addresses = [{ + address = "10.1.1.21"; + prefixLength = 22; + }]; }; interfaces.ens20 = { diff --git a/machines/public-cof/nginx.nix b/machines/public-cof/nginx.nix index f5c3134..be7ef3b 100644 --- a/machines/public-cof/nginx.nix +++ b/machines/public-cof/nginx.nix @@ -1,16 +1,32 @@ { ... }: +let + mkCloudLocation = { from, cloudHost }: { + name = "/cal/${from}"; + value = { + extraConfig = '' + proxy_pass https://${cloudHost}/remote.php/dav/public-calendars/; + proxy_set_header Host ${cloudHost}; + ''; + }; + }; + clouds = [ + { from = "klub-reseau"; cloudHost = "nuage.beta.rz.ens.wtf"; } + { from = "eleves-ens"; cloudHost = "cloud.eleves.ens.fr"; } + ]; +in { services.nginx = { enable = true; + resolver = { + addresses = [ "1.1.1.1" ]; + }; + recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; - # # Only allow PFS-enabled ciphers with AES256 - # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - virtualHosts = { "home.beta.rz.ens.wtf" = { serverAliases = [ "beta.rz.ens.wtf" ]; @@ -18,6 +34,7 @@ forceSSL = true; enableACME = true; root = "/var/public-cof/home"; + locations = builtins.listToAttrs (map mkCloudLocation clouds); }; }; }; -- 2.47.0 From bfdfa5a20682d46aadcfb7c949eea96042b302e4 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 6 Mar 2022 20:21:37 +0100 Subject: [PATCH 062/149] core01: rotate drone key, update swap uuid, bump netdata multihost disk space for 30d of metrics --- .../hardware-configuration.nix | 2 +- machines/core-services-01/monitoring.nix | 2 +- .../core-services-01/secrets/droneKeyFile.age | Bin 1578 -> 1639 bytes 3 files changed, 2 insertions(+), 2 deletions(-) 
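Review bot: `proxy_pass https://${cloudHost}/…` in `mkCloudLocation` speaks TLS to external hosts, but nginx does not verify upstream certificates unless told to (`proxy_ssl_verify` defaults to off), so anyone who can MITM the server's outbound traffic can substitute the calendars served under `/cal/*`; the plaintext `resolver 1.1.1.1` added for these names makes that easier rather than harder. Turn on verification and SNI against the system CA bundle in the location's extraConfig, as below. The outer `virtualHosts` block is otherwise unchanged.
```nix
mkCloudLocation = { from, cloudHost }: {
  # … unchanged: name = "/cal/${from}" …
  value = {
    extraConfig = ''
      proxy_pass https://${cloudHost}/remote.php/dav/public-calendars/;
      proxy_set_header Host ${cloudHost};
      proxy_ssl_server_name on;
      proxy_ssl_name ${cloudHost};
      proxy_ssl_verify on;
      proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    '';
  };
};
```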
diff --git a/machines/core-services-01/hardware-configuration.nix b/machines/core-services-01/hardware-configuration.nix index d4aca08..31131d9 100644 --- a/machines/core-services-01/hardware-configuration.nix +++ b/machines/core-services-01/hardware-configuration.nix @@ -29,7 +29,7 @@ }; swapDevices = - [ { device = "/dev/disk/by-uuid/0fe95042-8197-4969-a549-65565cf70171"; } + [ { device = "/dev/disk/by-uuid/e32235de-f531-48ad-86b1-dc2163be5127"; } ]; } diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 6149d24..fca223d 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -19,7 +19,7 @@ in text = '' [global] page cache size = 32 - dbengine multihost disk space = 8192 + dbengine multihost disk space = 23058 ''; }; 
diff --git a/machines/core-services-01/secrets/droneKeyFile.age b/machines/core-services-01/secrets/droneKeyFile.age index 2c12d704a2edfc6737dc35ad655b01c9961898f5..5797e6e25cf1cd67a72235dd0d2ef6798653a367 100644 GIT binary patch literal 1639 zcmZY8?eF6R0SEAKITENqB!UTN%*}-0;TUVXuI)TeuHCw>+xob6YirK+Wj&-0S9nPgdJhC_fpDaNFl^8Tp-Hkx=sevTIy_({WDS+3GH)4zt;6M9*{jV< znQXhY40CyvL1R@>R$NOoV8hSQybp$>87^p*@7WH&q040i#sI%c!HDH>byCg5-VC$X z7>q|fZX`4n2sH;Lwf1vpm<^WrUaeVH;#{otJE%4nbR2q5eCHjzR^KqEDVw>06aaCq*w?in~X_e)Bwak{8QB{ld zbUpCm3GEI2$wn;@Hty(g*yM(4j^$RH16gc1ov`Kx0cZmiVA%kz!gbBAt5u<#A;l)q z`&2m|!l8lm!ge3weDeP^ygl=1x7HmxI#;1xy<1X29&IKA)3OXw=0nF{c)92`ZG6d& z&AbZ&G~&ivdfrPCZ)rvoc##UQCDjF7+K$O)0p^Q(I@q#oxB0)`vfQWz*{nMj0d?y^ zyaDE}Zudg37={bfWk+>#)B^F)$w|foXVX@bskC5?W-B&X3}h7Nnv68`V+Dl)elcbw zqQzh7!KW0|5puJT*=0zo=!npxILv2Y%h#mNrjIi-kQk?|6sR(;`vf*u*(ET>O<3OY z!AOBdmKl_g(sE&DWxE8<4N^*(g_>`7bb<(TBJ=ZcQ)vg~nkFEWXRNuT1BFUCCc*J; zz*%<3l|%o^C)(*`F1z>&R%b1jDU;>aVJWH(+99G+0X_}+Yzq4biF-|eO03}+_Y%7h zCo5L&OhDYIyFp4TIydR@Q--Z~lg$XNBXorI6EG{ggdJ?xkfC;I1#1J&0G_OH9bP!j zRF@K!>0*#n{dY;9xu@Y~wvpSlLr$LqgowWqDQkJ#5jSKFh$b|?kCS{8^fEoL2%P4q zV5&!^glHZ=Y~d~+yC?|eeY3*B3r4?!^NwA?7K-gfep4$B;^nsnH zPu{+G<4X@+d*<-Xcb>XJ?GleXYQ6TGYYtz3aOd37KRztqkUsF{-wxhd zLw@vjxbNh?Pu=~}b3+%$_tRHDLffBx zLAZS1zdrWf7vF=v(Er8t_dF=Rb7miXpZ62v4&;S5Z@F|^bpK$#ck{bV;H^W)PrZKN zD;J;IfA~E5muG)`;ic2R`t=(pu30tR%=!1XzH#B?{qx-$-(5e5oImmLAO7KSX!FEX ew|?&XpLnA2wXeTey!D;Ut|4@Gzx?Foo&NxJPeYdg literal 1578 zcmZY7>F?770LF2Rcfmvra`|S8!DIaFwYIA!$hx&%yYA?^ZtJ2Xz1DTzx~}Vb%ovZL zi7~zrV~moBcpCwUAW8^o#1MsO03~Q53Tgxs&>-;&Ch8ks{QL_(Po8{L%bYV^-A}y0 z9=W%Td3>ZL8*(gDLnX{86b3Qh8ZW&DMA~BWcYrfgwN>K{7qE@va zDABB{q-$+T@Ar%vHbAq6!-|y#;-z8MRmqST$M3A2}L4_D-C8GXb>05St&*> z*4AXYE|Q8A@R`B?v@F)LSt~_C!*XngktvHRueY)U8EcTw(wNq+8Px$1LnA$>V3S^`pl%t6Qt?#(qDdP75438>I$?`Z< z9ZxN@K#Zyu8{jgl4QsS8pe#^i+MqhldXer5^?_G)`(PS#1DwI}dJYFXwcmv7>7bBQ zBvA;^!YZoEC`%VA&cvE^qkb{( 
zM!?+MTncoi6*p0J4~j9Z*zWnoZ2q4=Db!UgG+XX=C}!xAoguA>!1_DyKL5}GgcUUK6~MbP5Y1E;q|_~{>6i<_iS1G_1u~10oZ1o<@X;Hmv8!X!J-X&x1IiZ zMfV=(L*(YS-+lJfTYr=u{p92IA1$qmTTQjJ3cU!rWy=LSp8c)6vT&byiaM*Td(R_Rcnc-^i}r%Xb*h<&_(MSiA_o=E@W4myVF7>sB0C!~M0B TQJAaNt Date: Sun, 6 Mar 2022 20:22:03 +0100 Subject: [PATCH 063/149] public-cof: improve monitoring of system and nextcloud performance --- machines/public-cof/monitoring.nix | 57 ++++++++++++++++++++++++++++-- machines/public-cof/nextcloud.nix | 12 ++++++- 2 files changed, 66 insertions(+), 3 deletions(-) diff --git a/machines/public-cof/monitoring.nix b/machines/public-cof/monitoring.nix index 0f4751f..98e4311 100644 --- a/machines/public-cof/monitoring.nix +++ b/machines/public-cof/monitoring.nix @@ -1,5 +1,7 @@ -{ config, ... }: +{ config, lib, pkgs, ... }: { + services.nginx.statusPage = true; + services.netdata = { enable = true; config = { 
@@ -9,13 +11,64 @@ "accept a streaming request every seconds" = 0; }; }; + python.extraPackages = ps: [ + ps.psycopg2 + ]; }; + systemd.services.netdata.serviceConfig.SupplementaryGroups = [ "nginx" ]; systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [ "stream" + "go.d/phpfpm" + "go.d/nginx" + "python.d/postgres" ]; - + services.postgresql.initialScript = pkgs.writeText "grant-pgmonitor-to-netdata" '' + GRANT pg_monitor TO netdata; + ''; + + services.postgresql.ensureUsers = [ + { name = "netdata"; } + ]; + + environment.etc."netdata/python.d/postgres.conf" = { + user = "netdata"; + group = "netdata"; + mode = "0600"; + text = builtins.toJSON ( + if config.services.postgresql.enable then + { + name = "socket"; + user = "netdata"; + database = "postgres"; + } + else {} + ); + }; + + environment.etc."netdata/go.d/phpfpm.conf" = { + user = "netdata"; + group = "netdata"; + mode = "0600"; + text = builtins.toJSON { + jobs = + map (pool: { name = "local_socket"; inherit (pool) socket; }) + (builtins.attrValues config.services.phpfpm.pools); + }; + }; + + environment.etc."netdata/go.d/nginx.conf" = { + user = "netdata"; + group = "netdata"; + mode = "0600"; + text = builtins.toJSON { + jobs = + if config.services.nginx.statusPage then [ { name = "local"; url = "http://localhost/nginx_status"; } ] + else []; + }; + }; + environment.etc."netdata/stream.conf" = { user = "netdata"; group = "netdata"; diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index eba376b..1dc8e81 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, lib, ... }: { services.nextcloud = { enable = true; 
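Review bot: `services.postgresql.initialScript` only runs when the cluster is first initialised, and at that moment `ensureUsers` has not yet created `netdata` (it runs in postStart), so `GRANT pg_monitor TO netdata` either fails on a fresh install or never runs on this already-provisioned host; in both cases the collector lacks the privilege, and the assignment also overrides any `initialScript` another module sets. Apply the grant idempotently after the role exists, e.g. `systemd.services.postgresql.postStart = lib.mkAfter ''$PSQL -tAc "GRANT pg_monitor TO netdata"'';`. The `python.d/postgres.conf` job connects over the local socket as `netdata` to the `postgres` database, so `pg_monitor` should be all it needs — hedged, the collector's queries are not visible here.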
@@ -16,6 +16,15 @@ defaultPhoneRegion = "FR"; }; + + poolSettings = { + pm = "dynamic"; + "pm.max_children" = 100; + "pm.start_servers" = 16; + "pm.min_spare_servers" = 8; + "pm.max_spare_servers" = 16; + "pm.status_path" = "/status"; + }; }; services.nginx = { @@ -23,6 +32,7 @@ "nuage.beta.rz.ens.wtf" = { forceSSL = true; enableACME = true; + http2 = true; }; }; }; -- 2.47.0 From 4355c00f8e53ca66dc435db38bac372eae51ca7e Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 6 Mar 2022 20:22:09 +0100 Subject: [PATCH 064/149] ci: test public-cof configuration --- .drone.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.drone.yml b/.drone.yml index 5bb8ea0..8c45562 100644 --- a/.drone.yml +++ b/.drone.yml @@ -19,5 +19,9 @@ steps: commands: - "export NIX_PATH=nixpkgs=/var/nixpkgs" - "echo Building remote-builder-01 && nix-build krops.nix -A test-remote-builder-01 && ./result" +- name: Build public-cof configuration + commands: + - "export NIX_PATH=nixpkgs=/var/nixpkgs" + - "echo Building public-cof && nix-build krops.nix -A test-public-cof && ./result" ... -- 2.47.0 From bacdad33d3bc94979471edcbbcced2eb3401343a Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 8 Mar 2022 19:47:32 +0100 Subject: [PATCH 065/149] public-cof: improve monitoring of postgresql --- machines/public-cof/monitoring.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/machines/public-cof/monitoring.nix b/machines/public-cof/monitoring.nix index 98e4311..0096d70 100644 --- a/machines/public-cof/monitoring.nix +++ b/machines/public-cof/monitoring.nix @@ -24,6 +24,12 @@ "python.d/postgres" ]; + services.postgresql.settings = { + shared_preload_libraries = "pg_stat_statements"; + track_activity_query_size = 2048; + "pg_stat_statements.track" = "all"; + }; + services.postgresql.initialScript = pkgs.writeText "grant-pgmonitor-to-netdata" '' GRANT pg_monitor TO netdata; ''; -- 2.47.0 From e472173bad105ccf960b8f0caa2df2a02c0bb2d3 Mon Sep 17 00:00:00 2001 
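Review bot: `shared_preload_libraries = "pg_stat_statements"` is a plain string assignment, so it replaces rather than extends whatever another module preloads, and loading the library alone does not create the view — `CREATE EXTENSION IF NOT EXISTS pg_stat_statements;` still has to run in the database the collector reads (presumably `postgres`, per the job config). Add that to the same postStart hook that grants `pg_monitor`, otherwise the statements charts stay empty (hedged: I cannot see which collector queries use it). `"pg_stat_statements.track" = "all"` also records statements nested in functions; constants are normalised, so query text rather than literal values is what ends up readable by `pg_monitor` members.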
From: gabriel-doriath-dohler Date: Tue, 29 Mar 2022 23:59:59 +0000 Subject: [PATCH 066/149] Update MC server --- machines/public-cof/minecraft.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 5a2f9a4..34bb7f3 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -2,9 +2,9 @@ let papermc = { ram = 4; # In GB - version = "1.17.1"; - build = 189; - sha256 = "06g2vs8z7k9bl8asjgdz9h8fkd93xam2lbrgmzgamwjp94gvfvrn"; + version = "1.18.2"; + build = 270; + sha256 = "M3/z7lgHVDG+WqxPvyrxvfobEvkkPf90bDoN/Dq+VZY="; }; port = 25565; rconPort = 25575; -- 2.47.0 From dcc0085c41ad0f3d76be0f3d21d57842c4923c70 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 29 Mar 2022 23:04:17 +0200 Subject: [PATCH 067/149] public-cof: add framagenda.org --- machines/public-cof/nginx.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/nginx.nix b/machines/public-cof/nginx.nix index be7ef3b..9f62800 100644 --- a/machines/public-cof/nginx.nix +++ b/machines/public-cof/nginx.nix @@ -12,6 +12,7 @@ let clouds = [ { from = "klub-reseau"; cloudHost = "nuage.beta.rz.ens.wtf"; } { from = "eleves-ens"; cloudHost = "cloud.eleves.ens.fr"; } + { from = "frama-agenda"; cloudHost = "framagenda.org"; } ]; in { -- 2.47.0 From ab9d022b330ba4cdce04a23620d65172485a7c70 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 7 Apr 2022 23:59:59 +0000 Subject: [PATCH 068/149] Add Cst1 to MC whitelist --- machines/public-cof/minecraft.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 34bb7f3..765adad 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix 
@@ -39,6 +39,7 @@ in gabriel_dr_dl = "53fced49-da51-4c82-b1d0-37168029db08"; aimie_dodo = "d10be020-a612-47e5-b0d0-938b9a7eb58e"; RaitoMezarius = "a400686e-0f62-43d5-b5c6-4295babcc008"; + Sup3Legacy = "575ecb9f-bf28-46cb-bc50-cb6bb340c905"; }; serverProperties = { -- 2.47.0 From 6a3af7d165b8c4551de25703ed3eacd32f7c5e3d Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Wed, 13 Apr 2022 23:59:59 +0000 Subject: [PATCH 069/149] Add Pollux to MC whitelist --- machines/public-cof/minecraft.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 765adad..5666170 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -40,6 +40,7 @@ in aimie_dodo = "d10be020-a612-47e5-b0d0-938b9a7eb58e"; RaitoMezarius = "a400686e-0f62-43d5-b5c6-4295babcc008"; Sup3Legacy = "575ecb9f-bf28-46cb-bc50-cb6bb340c905"; + Pollux3737 = "ffa65818-b022-4830-aa90-7f3211c8ee3d"; }; serverProperties = { -- 2.47.0 From df2b7e819d8553cefc3b6af9fd18bd84e656cca2 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 7 Apr 2022 23:02:58 +0200 Subject: [PATCH 070/149] =?UTF-8?q?public-cof:=20upgrade=20nextcloud=20(21?= =?UTF-8?q?=20=E2=86=92=2022)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/public-cof/nextcloud.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 1dc8e81..99e6e17 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -1,10 +1,12 @@ -{ config, lib, ... }: +{ pkgs, config, lib, ... }: { services.nextcloud = { enable = true; hostName = "nuage.beta.rz.ens.wtf"; https = true; + package = pkgs.nextcloud22; + config = { overwriteProtocol = "https"; -- 2.47.0 From 544df15eb15926057548a104389b687266da38c2 Mon Sep 17 00:00:00 2001 
From: gabriel-doriath-dohler Date: Wed, 11 May 2022 23:59:59 +0000 Subject: [PATCH 071/149] Enable command blocks in the minecraft server --- machines/public-cof/minecraft.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 5666170..6961d5d 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -62,7 +62,7 @@ in spawn-npcs = true; generate-structures = true; - enable-command-block = false; + enable-command-block = true; # Whitelist white-list = true; -- 2.47.0 From 5f2a5ff7826f23954e29a4f5f8e6780f8c82afde Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 14 May 2022 20:21:12 +0200 Subject: [PATCH 072/149] core01: generalize monitoring, open up a wgmon for external nodes --- machines/core-services-01/monitoring.nix | 68 ++++++++++++++++++------ 1 file changed, 51 insertions(+), 17 deletions(-) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index fca223d..5013b2c 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix 
@@ -1,11 +1,48 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let my = config.my; realm = "ClubReseau"; + mkChildNode = { uuid, allowFrom }: { ... }@options: '' + [${uuid}] + enabled = yes + default history = 10000 + default memory mode = dbengine + health enabled by default = auto + allow from = ${allowFrom} + ''; + testClusterHypervisors = lib.attrValues { + pve01 = { + uuid = "ff9a34ec-2bf4-4389-a01a-6e242424e675"; + allowFrom = "fd85:27e8:0fc9::2"; + }; + pve02 = { + uuid = "ed393d76-e325-48c4-be90-3d7a1d3066ee"; + allowFrom = "fd85:27e8:0fc9::3"; + }; + pve03 = { + uuid = "abeeab1f-d4f4-4ca7-aabb-54ff28031f82"; + allowFrom = "fd85:27e8:0fc9::4"; + }; + pve04 = { + uuid = "ee0f7cec-86f8-4fa2-8258-f7bf4172eb4b"; + allowFrom = "fd85:27e8:0fc9::5"; + }; + }; in { services.netdata.enable = true; + networking.interfaces.wireguard.wgmon = { + ips = [ "fd85:27e8:0fc9::1/48" ]; + + listenPort = 51820; + + privateKeyFile = "/etc/secrets/wgmon"; + generatePrivateKeyFile = true; + + peers = []; + }; + systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [ "netdata" "stream" 
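Review bot: `networking.interfaces.wireguard.wgmon` is not the WireGuard option path — `networking.interfaces.<name>` has no `ips`, `listenPort`, `privateKeyFile` or `peers`, so this will not evaluate (the `.drone.yml` build step should catch it); the option is `networking.wireguard.interfaces.wgmon`. With `peers = []` the tunnel admits nobody yet, which is fine as a first step, but UDP 51820 is not opened in the firewall in this hunk either. Separately, `mkChildNode = { uuid, allowFrom }: { ... }@options: ''…''` declares a second argument it never uses; drop it so call sites need not pass `{}`.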
@@ -27,22 +64,19 @@ in user = "netdata"; group = "netdata"; mode = "0600"; - text = '' - # pve01 hypervisor - [e245097d-bf52-4f66-9c10-984e8d5ee178] - enabled = yes - default history = 10000 - default memory mode = dbengine - health enabled by default = auto - allow from = 10.1.1.10 - # public-cof server - [c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe] - enabled = yes - default history = 10000 - default memory mode = dbengine - health enabled by default = auto - allow from = 10.1.1.21 - ''; + text = (concatMapStrings map (cfg: mkChildNode cfg {}) + [ + # PVE01 hypervisor + { + uuid = "e245097d-bf52-4f66-9c10-984e8d5ee178"; + allowFrom = "10.1.1.10"; + } + # Public COF server + { + uuid = "c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe"; + allowFrom = "10.1.1.21"; + } + ]; ++ testClusterHypervisors; }; environment.etc."netdata/health_alarm_notify.conf" = { -- 2.47.0 From f842b30e0559b9639434adc9b2a6fa912879d337 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 15 May 2022 00:08:46 +0200 Subject: [PATCH 073/149] core01: allow *, unfirewall wgmon --- machines/core-services-01/monitoring.nix | 54 +++++++++++++++--------- 1 file changed, 35 insertions(+), 19 deletions(-) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 5013b2c..f9812f9 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix 
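Review bot: The new `text` expression does not parse: `concatMapStrings map (cfg: …) [ … ];` applies an unqualified `concatMapStrings` (not in scope without `lib.`) to `map`, and the `;` before `++ testClusterHypervisors` ends the attribute early. It should read `text = lib.concatMapStrings (cfg: mkChildNode cfg {}) ([ … ] ++ testClusterHypervisors);`. Beyond syntax, the per-child `[uuid]` api keys remain the only credential for pushing metrics, and they are committed in clear and land in the Nix store via `environment.etc`; the rest of this host's secrets are agenix-managed, and this file could be too.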
@@ -13,26 +13,35 @@ let testClusterHypervisors = lib.attrValues { pve01 = { uuid = "ff9a34ec-2bf4-4389-a01a-6e242424e675"; - allowFrom = "fd85:27e8:0fc9::2"; + allowFrom = "*"; + # allowFrom = "fd85:27e8:0fc9::2"; }; pve02 = { uuid = "ed393d76-e325-48c4-be90-3d7a1d3066ee"; - allowFrom = "fd85:27e8:0fc9::3"; + allowFrom = "*"; + # allowFrom = "fd85:27e8:0fc9::3"; }; pve03 = { uuid = "abeeab1f-d4f4-4ca7-aabb-54ff28031f82"; - allowFrom = "fd85:27e8:0fc9::4"; + allowFrom = "*"; + # allowFrom = "fd85:27e8:0fc9::4"; }; pve04 = { uuid = "ee0f7cec-86f8-4fa2-8258-f7bf4172eb4b"; - allowFrom = "fd85:27e8:0fc9::5"; + allowFrom = "*"; + # allowFrom = "fd85:27e8:0fc9::5"; }; }; in { services.netdata.enable = true; - networking.interfaces.wireguard.wgmon = { + # Allow WireGuard VPN + networking.firewall.allowedUDPPorts = [ 51820 ]; + # Allow access to the raw netdata + networking.firewall.interfaces.wgmon.allowedUDPPorts = [ 19999 ]; + networking.firewall.interfaces.wgmon.allowedTCPPorts = [ 19999 ]; + networking.wireguard.interfaces.wgmon = { ips = [ "fd85:27e8:0fc9::1/48" ]; listenPort = 51820; @@ -40,7 +49,14 @@ in privateKeyFile = "/etc/secrets/wgmon"; generatePrivateKeyFile = true; - peers = []; + peers = [ + { publicKey = "6IHA4e+UcCSx9+e5BZwLvzeZv5RWwqO1CCLJedN2nU4="; allowedIPs = [ "fd85:27e8:fc9::2/128" ]; } + { publicKey = "xRdfylDpi8c+BRwDCxenRs6i4XWesdd75keWfKItZFo="; allowedIPs = [ "fd85:27e8:fc9::3/128" ]; } + { publicKey = "rjodopHTEyD+DyDsNp8xyNC0KeZGH462Ls495NXT1VI="; allowedIPs = [ "fd85:27e8:fc9::4/128" ];} + { publicKey = "IJRsrhzCRAHpaEHLZRNdPuDp25FXzuAm+CGmZDsRThk="; allowedIPs = [ "fd85:27e8:fc9::5/128" ]; } + { publicKey = "oYsN1Qy+a7dwVOKapN5s5KJOmhSflLHZqh+GLMeNpHw="; allowedIPs = [ "fd85:27e8:fc9::6/128" ]; } + # { publicKey = ""; allowedIPs = [ "fd85:27e8:fc9::7/128" ]; } + ]; }; systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [ 
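Review bot: Switching the four hypervisor entries to `allowFrom = "*"` removes the source-address check, leaving the UUID api key — present in this repo and in the world-readable Nix store — as the sole credential for anyone who can reach 19999 over `wgmon` (now opened in the firewall) or the LAN. The likely reason the original values did not match is textual: netdata pattern-matches `allow from` against the client address as formatted by the system, and `fd85:27e8:fc9::2` is printed without the leading zero, so `fd85:27e8:0fc9::2` never matches (hedged — confirm in the netdata access log). Use the compressed form, e.g. `allowFrom = "fd85:27e8:fc9::2";`, or at worst a prefix pattern such as `fd85:27e8:fc9::*`, instead of `*`. The same zero/no-zero inconsistency exists between `ips = [ "fd85:27e8:0fc9::1/48" ]` and the peers' `allowedIPs`; it is harmless for WireGuard but worth standardising.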
@@ -64,19 +80,19 @@ in user = "netdata"; group = "netdata"; mode = "0600"; - text = (concatMapStrings map (cfg: mkChildNode cfg {}) - [ - # PVE01 hypervisor - { - uuid = "e245097d-bf52-4f66-9c10-984e8d5ee178"; - allowFrom = "10.1.1.10"; - } - # Public COF server - { - uuid = "c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe"; - allowFrom = "10.1.1.21"; - } - ]; ++ testClusterHypervisors; + text = (lib.concatMapStringsSep "\n" (cfg: mkChildNode cfg {}) + ([ + # PVE01 hypervisor + { + uuid = "e245097d-bf52-4f66-9c10-984e8d5ee178"; + allowFrom = "10.1.1.10"; + } + # Public COF server + { + uuid = "c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe"; + allowFrom = "10.1.1.21"; + } + ] ++ testClusterHypervisors)); }; environment.etc."netdata/health_alarm_notify.conf" = { -- 2.47.0 From 57b5c931d1e5b7c2ef224ff18e060fda50d44d59 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 21 May 2022 23:59:59 +0000 Subject: [PATCH 074/149] Add CiterinRemy to MC whitelist --- machines/public-cof/minecraft.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 6961d5d..c56701f 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -41,6 +41,7 @@ in RaitoMezarius = "a400686e-0f62-43d5-b5c6-4295babcc008"; Sup3Legacy = "575ecb9f-bf28-46cb-bc50-cb6bb340c905"; Pollux3737 = "ffa65818-b022-4830-aa90-7f3211c8ee3d"; + CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849"; }; serverProperties = { -- 2.47.0 From 6f5fdb0317db7ad5df3258a1114ba5c1deadb29f Mon Sep 17 00:00:00 2001 
From: Ryan Lahfa Date: Sun, 26 Jun 2022 23:48:43 +0200 Subject: [PATCH 075/149] Headscale support (upgrade to latest nixpkgs) (#9) This adds Headscale support. It provides also an upgrade to Keycloak 18.0.0 (Quarkus distribution). It upgrades NextCloud from 22 to 23. Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/9 Co-authored-by: Ryan Lahfa Co-committed-by: Ryan Lahfa --- krops.nix | 2 +- machines/core-services-01/acme-ssl.nix | 4 +- machines/core-services-01/configuration.nix | 1 + machines/core-services-01/drone-runners.nix | 2 +- .../fix-crc-computation.patch | 51 +++++++++++++++++++ machines/core-services-01/headscale.nix | 8 +++ machines/core-services-01/keycloak.nix | 31 ++++++----- .../keycloak/keycloak-protocol-cas.nix | 26 ++++++++++ machines/core-services-01/monitoring.nix | 2 +- machines/core-services-01/subZone.nix | 1 + machines/public-cof/configuration.nix | 2 +- machines/public-cof/nextcloud.nix | 2 +- 12 files changed, 113 insertions(+), 19 deletions(-) create mode 100644 machines/core-services-01/fix-crc-computation.patch create mode 100644 machines/core-services-01/headscale.nix create mode 100644 machines/core-services-01/keycloak/keycloak-protocol-cas.nix diff --git a/krops.nix b/krops.nix index 01ee420..770fcff 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "e96c668072d7c98ddf2062f6d2b37f84909a572b"; # nixos-22.05 + ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable url = "https://github.com/NixOS/nixpkgs"; }; }]; diff --git a/machines/core-services-01/acme-ssl.nix b/machines/core-services-01/acme-ssl.nix index 2403cd6..f111e17 100644 --- a/machines/core-services-01/acme-ssl.nix +++ b/machines/core-services-01/acme-ssl.nix 
@@ -5,9 +5,9 @@ let in { security.acme.acceptTerms = true; - security.acme.email = my.email; + security.acme.defaults.email = my.email; - security.acme.server = + security.acme.defaults.server = if my.acmeStaging then "https://acme-staging-v02.api.letsencrypt.org/directory" else null; diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index f5ae683..8af8554 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -19,6 +19,7 @@ ./keycloak.nix ./acme-dns.nix ./backups.nix + ./headscale.nix # ./dex.nix ./oauth2_proxy.nix ./secrets diff --git a/machines/core-services-01/drone-runners.nix b/machines/core-services-01/drone-runners.nix index 6793e4b..36ecbdd 100644 --- a/machines/core-services-01/drone-runners.nix +++ b/machines/core-services-01/drone-runners.nix @@ -14,5 +14,5 @@ in envFile = config.age.secrets.droneKeyFile.path; }; - systemd.services."drone-exec-runner-nix01".after = [ "gitea" ]; + systemd.services."drone-exec-runner-nix01".after = [ "gitea.service" ]; } diff --git a/machines/core-services-01/fix-crc-computation.patch b/machines/core-services-01/fix-crc-computation.patch new file mode 100644 index 0000000..85a6a7e --- /dev/null +++ b/machines/core-services-01/fix-crc-computation.patch 
@@ -0,0 +1,51 @@ +From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Wed, 30 Mar 2022 11:14:53 -0700 +Subject: [PATCH] Correct incorrect inputs provided to the CRC functions. + +The previous releases of zlib were not sensitive to incorrect CRC +inputs with bits set above the low 32. This commit restores that +behavior, so that applications with such bugs will continue to +operate as before. +--- + crc32.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/crc32.c b/crc32.c +index a1bdce5c2..451887bc7 100644 +--- a/crc32.c ++++ b/crc32.c +@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) + #endif /* DYNAMIC_CRC_TABLE */ + + /* Pre-condition the CRC */ +- crc ^= 0xffffffff; ++ crc = (~crc) & 0xffffffff; + + /* Compute the CRC up to a word boundary. */ + while (len && ((z_size_t)buf & 7) != 0) { +@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) + #endif /* DYNAMIC_CRC_TABLE */ + + /* Pre-condition the CRC */ +- crc ^= 0xffffffff; ++ crc = (~crc) & 0xffffffff; + + #ifdef W + +@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2) + #ifdef DYNAMIC_CRC_TABLE + once(&made, make_crc_table); + #endif /* DYNAMIC_CRC_TABLE */ +- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2; ++ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff); + } + + /* ========================================================================= */ +@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op) + uLong crc2; + uLong op; + { +- return multmodp(op, crc1) ^ crc2; ++ return multmodp(op, crc1) ^ (crc2 & 0xffffffff); + } diff --git a/machines/core-services-01/headscale.nix b/machines/core-services-01/headscale.nix new file mode 100644 index 0000000..e44b48a --- /dev/null +++ b/machines/core-services-01/headscale.nix 
@@ -0,0 +1,8 @@ +{ ... }: +{ + services.headscale = { + enable = true; + serverUrl = "https://tailscale.rz.ens.wtf"; + tls.letsencrypt.hostname = "tailscale.rz.ens.wtf"; + }; +} diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index 6f34b25..e7d48e5 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix @@ -1,26 +1,33 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let my = config.my; port = 8080; + keycloak-protocol-cas = pkgs.callPackage ./keycloak/keycloak-protocol-cas.nix {}; + domain = "auth.${my.subZone}"; + certs = config.security.acme.certs."${domain}".directory; in { services.keycloak = { enable = true; - package = pkgs.keycloak.override { - jre = pkgs.jre8; - }; initialAdminPassword = "changemeasap"; - database.createLocally = true; - database.passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path; - frontendUrl = "https://auth.${my.subZone}/auth/"; - forceBackendUrlToFrontendUrl = true; - httpPort = toString port; - extraConfig = { - "subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true; + plugins = [ pkgs.keycloak.plugins.keycloak-metrics-spi keycloak-protocol-cas ]; + database = { + type = "postgresql"; + username = "keycloak"; + name = "keycloak"; + createLocally = true; + passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}"; + }; + settings = { + hostname-strict-backchannel = true; + http-port = port; + proxy = "edge"; + http-relative-path = "/auth"; + hostname = domain; }; }; - services.nginx.virtualHosts."auth.${my.subZone}" = { + services.nginx.virtualHosts."${domain}" = { forceSSL = true; enableACME = true; locations."/" = { diff --git a/machines/core-services-01/keycloak/keycloak-protocol-cas.nix b/machines/core-services-01/keycloak/keycloak-protocol-cas.nix new file mode 100644 index 0000000..1783749 --- /dev/null 
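Review bot: `tls.letsencrypt.hostname` makes headscale obtain its own certificate, which requires it to answer the ACME challenge for tailscale.rz.ens.wtf on port 80/443, yet this host already fronts everything with nginx (see the keycloak vhost in the adjacent hunk) and the headscale module's default listen address and port (8080, which collides with the `port = 8080` keycloak uses) are not overridden here — hedged, since the module defaults are not visible in the diff. Either terminate TLS in nginx — `services.nginx.virtualHosts."tailscale.rz.ens.wtf" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:<headscale port>"; proxyWebsockets = true; }; }` — and leave `tls` unset, or give headscale a distinct `port` and its own ACME-reachable address. The `tailscale = dualstack;` DNS entry in subZone.nix works with either.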
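Review bot: `proxy = "edge"` makes Keycloak trust `X-Forwarded-*` from whatever reaches port 8080, so it must stay reachable only from the local nginx; a comment to that effect at `http-port = port;` would stop a future `listen 0.0.0.0` from silently becoming a header-spoofing hole. The new `certs` binding is unused in this hunk, and `passwordFile = "${…path}"` is just `passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path;`. `initialAdminPassword = "changemeasap"` is a context line, but it is still a literal credential in the repo; it only seeds the first admin, so confirm it was rotated after first boot. The `locations."/"` block continues outside the hunk.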
+++ b/machines/core-services-01/keycloak/keycloak-protocol-cas.nix @@ -0,0 +1,26 @@ +{ stdenv, lib, fetchurl }: + +stdenv.mkDerivation rec { + pname = "keycloak-protocol-cas"; + version = "18.0.0"; + + src = fetchurl { + url = "https://github.com/jacekkow/keycloak-protocol-cas/releases/download/${version}/keycloak-protocol-cas-${version}.jar"; + sha256 = "sha256-N+IJqD7oQ4T4MI8klt96kfHwFnPJy5l8MK6bq62nBrM="; + }; + + dontUnpack = true; + dontBuild = true; + + installPhase = '' + mkdir -p $out + install "$src" "$out" + ''; + + meta = with lib; { + homepage = "https://github.com/jacekkow/keycloak-protocol-cas"; + description = "Keycloak Service Provider that adds CAS as an authentication protocol"; + license = licenses.apsl20; + maintainers = with maintainers; [ raitobezarius ]; + }; +} diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index f9812f9..47b7953 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -65,7 +65,7 @@ in "health_alarm_notify" ]; - environment.etc."netdata/netdata.conf" = { + environment.etc."netdata/netdata.conf" = lib.mkForce { user = "netdata"; group = "netdata"; mode = "0600"; diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 08db8c1..2738afe 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -37,6 +37,7 @@ dualstack // { monitoring = dualstack; auth = dualstack; push = dualstack; + tailscale = dualstack; core01 = dualstack; ns1 = dualstack; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index ef33c32..b47cf2c 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -14,7 +14,7 @@ ./nur.nix # ./factorio.nix # TODO ./nginx.nix - ./cryptpad.nix + # ./cryptpad.nix ./hedgedoc.nix ./secrets # TODO monitoring 
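Review bot: `license = licenses.apsl20` names the Apple Public Source License; keycloak-protocol-cas is published under Apache-2.0, so this should be `licenses.asl20` (hedged from memory of the upstream repo — check its LICENSE file). The fetch is fine supply-chain-wise since the release jar is pinned by `sha256`, but `install "$src" "$out"` copies it under its store-hash-prefixed basename; `install -Dm644 "$src" "$out/${pname}-${version}.jar"` gives a stable name in Keycloak's providers directory. `dontUnpack`/`dontBuild` are appropriate for a pre-built jar.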
diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 99e6e17..b243afb 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,7 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud22; + package = pkgs.nextcloud23; config = { overwriteProtocol = "https"; -- 2.47.0 From 9d3381cafba64d1e102211997111cd517481e716 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Aug 2022 16:34:22 +0200 Subject: [PATCH 076/149] oauth2_proxy: add a cookie specific to *.rz.ens.wtf --- machines/core-services-01/monitoring.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 47b7953..b0872cd 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -117,6 +117,10 @@ in keyFile = config.age.secrets.oauth2ProxyKeyFile.path; provider = "keycloak"; email.domains = [ "*" ]; + cookie = { + name = "_oauth2_proxy_ensrz"; + domain = ".rz.ens.wtf"; + }; setXauthrequest = true; scope = "profile"; loginURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/auth"; -- 2.47.0 From be6e81ad46af088bde935e5e9aa282690ce4cf2d Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Aug 2022 17:52:21 +0200 Subject: [PATCH 077/149] monitoring: fix authentication via oauth2_proxy by moving to Keycloak-OIDC + many proxy buffer hacks --- machines/core-services-01/keycloak.nix | 7 +++++++ machines/core-services-01/monitoring.nix | 25 +++++++++++++++++------- 2 files changed, 25 insertions(+), 7 deletions(-) diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index e7d48e5..7bf36d0 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix 
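Review bot: `cookie.domain = ".rz.ens.wtf"` hands the oauth2_proxy session cookie to every present and future host under rz.ens.wtf, including any that serve user-controllable content, so it is only acceptable if all of them are under the same trust and served over TLS only. Nothing in the hunk changes `cookie.secure`/`cookie.httponly` from their defaults (on), which is correct; consider also `cookie.sameSite = "lax";` now that the cookie crosses hosts. A one-line comment recording that this is the deliberate SSO scope would help the next reader.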
@@ -32,6 +32,13 @@ in enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; + + extraConfig = '' + # For large authentication-authorization headers + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + ''; }; }; } diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index b0872cd..3aa17e9 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -115,22 +115,25 @@ in services.oauth2_proxy = { enable = true; keyFile = config.age.secrets.oauth2ProxyKeyFile.path; - provider = "keycloak"; + provider = "keycloak-oidc"; email.domains = [ "*" ]; cookie = { name = "_oauth2_proxy_ensrz"; domain = ".rz.ens.wtf"; }; setXauthrequest = true; - scope = "profile"; - loginURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/auth"; - redeemURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/token"; - profileURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo"; - validateURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo"; + scope = "openid"; redirectURL = "https://monitoring.${my.subZone}/oauth2/callback"; reverseProxy = true; passHostHeader = true; + extraConfig = { + whitelist-domain = [ ".rz.ens.wtf" ]; + oidc-issuer-url = "https://auth.${my.subZone}/auth/realms/${realm}"; + # insecure-oidc-allow-unverified-email = true; + show-debug-on-error = true; + }; + nginx = { virtualHosts = [ "monitoring.${my.subZone}" ]; }; @@ -143,7 +146,15 @@ in enableACME = true; forceSSL = true; - locations."/".proxyPass = "http://localhost:19999"; + locations."/" = { + proxyPass = "http://localhost:19999"; + extraConfig = '' + # For large authentication-authorization headers + proxy_buffer_size 256k; + proxy_buffers 4 512k; + proxy_busy_buffers_size 512k; + ''; + }; }; }; -- 2.47.0 
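Review bot: `show-debug-on-error = true` in extraConfig makes oauth2_proxy print its internal error details (provider and upstream responses) on the error page served to unauthenticated visitors, which is a debugging aid rather than something a reachable monitoring endpoint should keep; remove it, or leave a dated comment that it is temporary until the keycloak-oidc migration is confirmed. `whitelist-domain = [ ".rz.ens.wtf" ]` lets the post-login redirect target any host under the zone, which is the intended SSO shape but turns every host there into a valid redirect sink, so note in a comment that all of them are operator-controlled. With `provider = "keycloak-oidc"` and the context line `email.domains = [ "*" ]`, every realm user is authorized; if only operators should reach netdata, add an `allowed-role` or `allowed-group` entry next to `oidc-issuer-url` (available if the packaged oauth2-proxy is 7.2 or newer). The commented `# insecure-oidc-allow-unverified-email = true;` should be deleted rather than left as a one-keystroke way to accept unverified identities.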
From 6b994c8591fd5a3298061899003226ff18c5b2e6 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Aug 2022 17:52:28 +0200 Subject: [PATCH 078/149] gitea: log only from WARN and up --- machines/core-services-01/gitea.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/machines/core-services-01/gitea.nix b/machines/core-services-01/gitea.nix index 9835ac1..ddfcbae 100644 --- a/machines/core-services-01/gitea.nix +++ b/machines/core-services-01/gitea.nix @@ -14,6 +14,9 @@ in httpPort = port; database.type = "postgres"; disableRegistration = false; + log = { + level = "Warn"; + }; settings = { openid = { ENABLE_OPENID_SIGNUP = true; -- 2.47.0 From 506e09994516c55a0910be5e994954f51187a1c9 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Aug 2022 18:52:06 +0200 Subject: [PATCH 079/149] monitoring: move to tiered dbengine with netdata nightly --- machines/core-services-01/monitoring.nix | 35 +++++++++++++++++++----- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 3aa17e9..2a8ac5f 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -34,7 +34,19 @@ let }; in { - services.netdata.enable = true; + services.netdata = { + enable = true; + package = pkgs.netdata.overrideAttrs (old: { + version = "1.35.0-nightly"; + src = pkgs.fetchFromGitHub { + owner = "netdata"; + repo = "netdata"; + rev = "955d1a7c61f4eab802648d563f84d978ebeb8fc4"; + sha256 = "sha256-gN44Df+k384NummsHls2JY1CinBaFK3cpdmmdZMbA44="; + fetchSubmodules = true; + }; + }); + }; # Allow WireGuard VPN networking.firewall.allowedUDPPorts = [ 51820 ]; 
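Review bot: `log.level = "Warn"` silences Gitea's Info-level output, which to my recollection is where the router and authentication loggers land, so sign-ins, failed logins and the OpenID sign-ups enabled by the context lines `disableRegistration = false` / `ENABLE_OPENID_SIGNUP = true` stop leaving a trace for incident response. If the goal is to quiet request noise rather than auth events, keep the default level and disable only the router logger, or send an access/auth log at Info to its own file and raise just the console logger to Warn. Add a comment stating which was intended, e.g. `# Warn only: auth and router events are deliberately not retained on this host`, so the gap is a decision rather than an accident.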
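Review bot: The `overrideAttrs` swaps only `version` and `src` to a nightly commit, so the nixpkgs patches, configure flags and dependency list of the packaged 1.3x release are applied to an unreleased tree, and any that no longer match will fail or silently degrade the build. Pinning by `rev` plus `sha256` is the right supply-chain control, but a nightly has no release notes or security advisories to track, so record why it is needed (the tiered dbengine, per the commit title), the pin date, and the intended return to a release, e.g. `# nightly for tiered dbengine; revert to pkgs.netdata once a release with it lands`. A note on which nixpkgs patches were checked against this commit would make the next bump safer.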
@@ -70,9 +82,18 @@ in group = "netdata"; mode = "0600"; text = '' - [global] - page cache size = 32 - dbengine multihost disk space = 23058 + [db] + mode = dbengine + storage tiers = 3 + update every = 1 + dbengine multihost disk space MB = 23000 + dbengine page cache size MB = 384 + dbengine tier 1 update every iterations = 60 + dbengine tier 1 multihost disk space MB = 10000 + dbengine tier 1 page cache size MB = 384 + dbengine tier 2 update every iterations = 3600 + dbengine tier 2 multihost disk space MB = 5000 + dbengine tier 2 page cache size MB = 384 ''; }; @@ -150,9 +171,9 @@ in proxyPass = "http://localhost:19999"; extraConfig = '' # For large authentication-authorization headers - proxy_buffer_size 256k; - proxy_buffers 4 512k; - proxy_busy_buffers_size 512k; + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; ''; }; }; -- 2.47.0 From ac0b6ef15b5ac440fdc10af9694869e8e77ed944 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sun, 14 Aug 2022 22:25:34 +0200 Subject: [PATCH 080/149] Update networking interface --- machines/remote-builder-01/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 1c6245b..6f4803c 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -26,7 +26,7 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.ens18.useDHCP = true; + networking.interfaces.ens19.useDHCP = true; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; -- 2.47.0 From 5170bdff650e329d808cd4012f241f2bb292b9f7 Mon Sep 17 00:00:00 2001 
From: gabriel-doriath-dohler Date: Sun, 14 Aug 2022 22:27:15 +0200 Subject: [PATCH 081/149] Cleanups --- machines/remote-builder-01/configuration.nix | 14 ++++----- machines/remote-builder-01/programs.nix | 24 --------------- machines/remote-builder-01/system.nix | 13 +------- machines/remote-builder-01/vim.nix | 31 -------------------- 4 files changed, 8 insertions(+), 74 deletions(-) delete mode 100644 machines/remote-builder-01/programs.nix delete mode 100644 machines/remote-builder-01/vim.nix diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 6f4803c..63a078d 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -1,13 +1,11 @@ { config, pkgs, ... }: { - imports = - [ - ./hardware-configuration.nix - ./programs.nix - ./system.nix - # TODO monitoring - ]; + imports = [ + ./hardware-configuration.nix + ./system.nix + # TODO monitoring + ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; @@ -54,6 +52,8 @@ enableSSHSupport = true; }; + programs.mosh.enable = true; + # List services that you want to enable: services.zfs.autoScrub.enable = true; diff --git a/machines/remote-builder-01/programs.nix b/machines/remote-builder-01/programs.nix deleted file mode 100644 index e7e4afc..0000000 --- a/machines/remote-builder-01/programs.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ pkgs, ... }: -let pkgsList = with pkgs; [ - nix-prefetch-git - dnsutils - - unzip - zip - ripgrep - - niv - nixfmt - ]; -in -{ - imports = [ - ./vim.nix - ]; - programs = { - tmux.enable = true; - mosh.enable = true; - }; - - environment.systemPackages = pkgsList; -} diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix index f2c68d1..dc2362e 100644 --- a/machines/remote-builder-01/system.nix +++ b/machines/remote-builder-01/system.nix 
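Review bot: `programs.mosh.enable = true;` also opens UDP 60000–61000 in the NixOS firewall, because the module's `openFirewall` option defaults to true (check your channel), so the builder gains a thousand-port inbound range beyond SSH on a host whose only login is root-by-key. If mosh is only used over an already-trusted path, set `programs.mosh.openFirewall = false;` and let that path's firewall rules carry the port; otherwise add a comment recording that the range is intentionally reachable. The deleted programs.nix in this commit already had `mosh.enable = true`, so this is a carry-over rather than a new exposure, which the commit message could say.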
@@ -1,14 +1,8 @@ { pkgs, ... }: { - # # Auto upgrades - # system.autoUpgrade = { - # enable = false; # TODO(Ryan): do not enable, it will break deployments. - # allowReboot = false; - # }; - # Auto GC and store optimizations nix = { - trustedUsers = [ "root" "gab" ]; + trustedUsers = [ "root" ]; gc = { automatic = true; dates = "weekly"; @@ -20,9 +14,4 @@ max-free = ${toString (1024 * 1024 * 1024)} ''; }; - - services.locate = { - enable = true; - interval = "04:05"; - }; } diff --git a/machines/remote-builder-01/vim.nix b/machines/remote-builder-01/vim.nix deleted file mode 100644 index bed8752..0000000 --- a/machines/remote-builder-01/vim.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ pkgs, ... }: -{ - environment.variables = { EDITOR = "vim"; }; - - environment.systemPackages = with pkgs; [ - nixfmt - git - (neovim.override { - vimAlias = true; - configure = { - packages.myPlugins = with pkgs.vimPlugins; { - start = [ vim-lastplace vim-nix ]; - opt = []; - }; - customRC = '' - set encoding=utf-8 - set wildmenu - - set nocompatible - set backspace=indent,eol,start - set cursorline - hi CursorLine term=bold cterm=bold ctermbg=darkgrey - set number - set relativenumber - set tabstop=4 - set expandtab - ''; - }; - } - )]; -} -- 2.47.0 From a5f3e0588944554ba71904bd905351e399379c4a Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sun, 14 Aug 2022 22:27:28 +0200 Subject: [PATCH 082/149] Formatting --- machines/remote-builder-01/configuration.nix | 12 +++--------- machines/remote-builder-01/system.nix | 3 +-- 2 files changed, 4 insertions(+), 11 deletions(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 63a078d..c346646 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix 
@@ -39,10 +39,7 @@ # List packages installed in system profile. To search, run: # $ nix search wget - environment.systemPackages = with pkgs; [ - vim - wget - ]; + environment.systemPackages = with pkgs; [ vim wget ]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. @@ -60,11 +57,8 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ./pubkeys/gdd.keys - ./pubkeys/raito.keys - ./pubkeys/remote-builders.keys - ]; + users.users.root.openssh.authorizedKeys.keyFiles = + [ ./pubkeys/gdd.keys ./pubkeys/raito.keys ./pubkeys/remote-builders.keys ]; # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix index dc2362e..9bb13cf 100644 --- a/machines/remote-builder-01/system.nix +++ b/machines/remote-builder-01/system.nix @@ -1,5 +1,4 @@ -{ pkgs, ... }: -{ +{ pkgs, ... }: { # Auto GC and store optimizations nix = { trustedUsers = [ "root" ]; -- 2.47.0 From f7b6fdf07a030563b9150df65ea5bc0431df0e96 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 00:00:55 +0200 Subject: [PATCH 083/149] Fix remote builder ip address --- machines/core-services-01/subZone.nix | 2 +- machines/remote-builder-01/configuration.nix | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 2738afe..4495c29 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -10,7 +10,7 @@ let delegateACMEDNSChallenge = acme: { _acme-challenge.CNAME = [ acme ]; }; remoteBuilders = { - nix01 = [ "2001:470:1f13:187:1e07:c670:3958:f8f1" ]; + nix01 = [ "2001:470:1f13:187:611:4514:d93a:f80a" ]; }; dualstack = { A = my.ipv4; 
diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index c346646..d624f04 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -24,7 +24,13 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.ens19.useDHCP = true; + networking.interfaces.ens19 = { + useDHCP = true; + ipv6.addresses = [{ + address = "2001:470:1f13:187:611:4514:d93a:f80a"; + prefixLength = 64; + }]; + }; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; -- 2.47.0 From 3f10516b6f4b5e2653f5a0ec386dd35f296cc698 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 00:20:07 +0200 Subject: [PATCH 084/149] Add kitty terminfo --- machines/remote-builder-01/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index d624f04..5c11e95 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -45,7 +45,7 @@ # List packages installed in system profile. To search, run: # $ nix search wget - environment.systemPackages = with pkgs; [ vim wget ]; + environment.systemPackages = with pkgs; [ vim wget kitty.terminfo ]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. -- 2.47.0 From 816e084deb6b197e5e5aa3d0a3e0c5cba6e75e7b Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 01:20:35 +0200 Subject: [PATCH 085/149] Change rpool layout and disk id --- .../hardware-configuration.nix | 32 +++++++------------ 1 file changed, 12 insertions(+), 20 deletions(-) 
diff --git a/machines/remote-builder-01/hardware-configuration.nix b/machines/remote-builder-01/hardware-configuration.nix index f80b2c7..b68c73b 100644 --- a/machines/remote-builder-01/hardware-configuration.nix +++ b/machines/remote-builder-01/hardware-configuration.nix @@ -4,32 +4,24 @@ { config, lib, pkgs, modulesPath, ... }: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = + [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "rpool/root/nixos"; - fsType = "zfs"; - }; + fileSystems."/" = { + device = "rpool/root/nixos"; + fsType = "zfs"; + }; - fileSystems."/home" = - { device = "rpool/home"; - fsType = "zfs"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/4BC6-A750"; + fsType = "vfat"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/3341-A3B9"; - fsType = "vfat"; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/1f624fe3-1fc5-44f4-9529-812558ffba42"; } - ]; + swapDevices = [ ]; } -- 2.47.0 From 122c0deeac2cfec93c2fcb808b2b9cf7506e0c20 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 01:33:02 +0200 Subject: [PATCH 086/149] DHCP on ens19 and ens18 + set ip on ens18 --- machines/remote-builder-01/configuration.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 5c11e95..8917745 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix 
@@ -24,13 +24,14 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.ens19 = { + networking.interfaces.ens18 = { useDHCP = true; ipv6.addresses = [{ address = "2001:470:1f13:187:611:4514:d93a:f80a"; prefixLength = 64; }]; }; + networking.interfaces.ens19.useDHCP = true; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; -- 2.47.0 From bb668034b1b84e856e3d0ac17e28e9c03e7a57af Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 02:59:45 +0200 Subject: [PATCH 087/149] Cleanups --- machines/remote-builder-01/configuration.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 8917745..dc4d7bf 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -33,10 +33,6 @@ }; networking.interfaces.ens19.useDHCP = true; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; console = { @@ -45,7 +41,6 @@ }; # List packages installed in system profile. To search, run: - # $ nix search wget environment.systemPackages = with pkgs; [ vim wget kitty.terminfo ]; # Some programs need SUID wrappers, can be configured further or are -- 2.47.0 From 4375b29d50ae64d4afe7b6d64d8b2b27fda03444 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 03:00:30 +0200 Subject: [PATCH 088/149] Aarch64 emulation --- machines/remote-builder-01/configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index dc4d7bf..ebcd1a9 100644 
--- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -43,6 +43,8 @@ # List packages installed in system profile. To search, run: environment.systemPackages = with pkgs; [ vim wget kitty.terminfo ]; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + # Some programs need SUID wrappers, can be configured further or are # started in user sessions. programs.mtr.enable = true; -- 2.47.0 From 85ab8d8071a2dd78c933fdc10ee3392af3e1e1c9 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 23:59:59 +0000 Subject: [PATCH 089/149] Install git Needed for deployments with krops. --- machines/remote-builder-01/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index ebcd1a9..a28068c 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -41,7 +41,7 @@ }; # List packages installed in system profile. To search, run: - environment.systemPackages = with pkgs; [ vim wget kitty.terminfo ]; + environment.systemPackages = with pkgs; [ vim wget kitty.terminfo git ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; -- 2.47.0 From 16f4ad94b17bc520b5e1f55f1ca316951068fcdf Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 03:19:33 +0200 Subject: [PATCH 090/149] Add public-cof to README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 0a227f8..9baf068 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ Refer to wiki for details. - `core-services-01` +- `public-cof` - `remote-builder-01` ## How to deploy a machine? -- 2.47.0 From ba5086a2375d5ca9b510063f996163beb523d6dc Mon Sep 17 00:00:00 2001 
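Review bot: `boot.binfmt.emulatedSystems = [ "aarch64-linux" ]` registers a QEMU user-mode handler, and in recent nixpkgs the module also advertises aarch64-linux as an extra platform to the Nix daemon, so clients using this host as a remote builder can schedule aarch64 derivations here and receive emulated outputs labelled as aarch64 builds. A comment stating that this is intentional and that such results are emulated, e.g. `# aarch64 builds here run under QEMU user emulation: slow, and not a substitute for a native builder`, would prevent surprises when a build hangs or behaves differently from native hardware. If a native aarch64 builder is planned, clients should not list this host for that system. The line sits inside the configuration attribute set whose delimiters are outside the hunk.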
From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 03:28:40 +0200 Subject: [PATCH 091/149] Centralize pubkeys --- machines/core-services-01/configuration.nix | 6 +++--- machines/core-services-01/netboot-server.nix | 4 ++-- machines/core-services-01/secrets/secrets.nix | 2 +- machines/public-cof/configuration.nix | 6 +++--- machines/public-cof/pubkeys/gdd.keys | 2 -- machines/public-cof/pubkeys/mrf.keys | 1 - machines/public-cof/pubkeys/raito.keys | 4 ---- machines/public-cof/secrets/secrets.nix | 2 +- machines/remote-builder-01/configuration.nix | 7 +++++-- machines/remote-builder-01/pubkeys/gdd.keys | 2 -- machines/remote-builder-01/pubkeys/hackens-milieu.keys | 1 - machines/remote-builder-01/pubkeys/raito.keys | 4 ---- {machines/core-services-01/pubkeys => pubkeys}/gdd.keys | 0 .../pubkeys => pubkeys}/hackens-milieu.keys | 0 {machines/core-services-01/pubkeys => pubkeys}/mrf.keys | 0 {machines/core-services-01/pubkeys => pubkeys}/raito.keys | 0 .../pubkeys => pubkeys}/remote-builders.keys | 0 17 files changed, 15 insertions(+), 26 deletions(-) delete mode 100644 machines/public-cof/pubkeys/gdd.keys delete mode 100644 machines/public-cof/pubkeys/mrf.keys delete mode 100644 machines/public-cof/pubkeys/raito.keys delete mode 100644 machines/remote-builder-01/pubkeys/gdd.keys delete mode 100644 machines/remote-builder-01/pubkeys/hackens-milieu.keys delete mode 100644 machines/remote-builder-01/pubkeys/raito.keys rename {machines/core-services-01/pubkeys => pubkeys}/gdd.keys (100%) rename {machines/core-services-01/pubkeys => pubkeys}/hackens-milieu.keys (100%) rename {machines/core-services-01/pubkeys => pubkeys}/mrf.keys (100%) rename {machines/core-services-01/pubkeys => pubkeys}/raito.keys (100%) rename {machines/remote-builder-01/pubkeys => pubkeys}/remote-builders.keys (100%) diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 8af8554..d3f334a 100644 --- a/machines/core-services-01/configuration.nix 
+++ b/machines/core-services-01/configuration.nix @@ -76,9 +76,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ./pubkeys/gdd.keys - ./pubkeys/raito.keys - ./pubkeys/mrf.keys + ../../pubkeys/gdd.keys + ../../pubkeys/raito.keys + ../../pubkeys/mrf.keys ]; # Open ports in the firewall. diff --git a/machines/core-services-01/netboot-server.nix b/machines/core-services-01/netboot-server.nix index 5b291bf..14f4d40 100644 --- a/machines/core-services-01/netboot-server.nix +++ b/machines/core-services-01/netboot-server.nix @@ -13,8 +13,8 @@ let # Enable sshd wich gets disabled by netboot-minimal.nix systemd.services.sshd.wantedBy = mkOverride 0 [ "multi-user.target" ]; users.users.root.openssh.authorizedKeys.keyFiles = [ - ./pubkeys/gdd.keys - ./pubkeys/raito.keys + ../../pubkeys/gdd.keys + ../../pubkeys/raito.keys ]; programs.mosh.enable = true; diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index 4d09d1e..a581591 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -1,7 +1,7 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf"); core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU"; systems = [ core-services-01 ]; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index b47cf2c..46afed6 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix 
@@ -45,9 +45,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ./pubkeys/gdd.keys - ./pubkeys/raito.keys - ./pubkeys/mrf.keys + ../../pubkeys/gdd.keys + ../../pubkeys/raito.keys + ../../pubkeys/mrf.keys ]; system.stateVersion = "21.05"; diff --git a/machines/public-cof/pubkeys/gdd.keys b/machines/public-cof/pubkeys/gdd.keys deleted file mode 100644 index b5d4e40..0000000 --- a/machines/public-cof/pubkeys/gdd.keys +++ /dev/null @@ -1,2 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ diff --git a/machines/public-cof/pubkeys/mrf.keys b/machines/public-cof/pubkeys/mrf.keys deleted file mode 100644 index ebbfa68..0000000 --- a/machines/public-cof/pubkeys/mrf.keys +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe4tx0+lNX2w7kG94c9u7U0wHuOc2A6zpHcbyAs+w/d diff --git a/machines/public-cof/pubkeys/raito.keys b/machines/public-cof/pubkeys/raito.keys deleted file mode 100644 index 0f48a59..0000000 --- a/machines/public-cof/pubkeys/raito.keys +++ /dev/null @@ -1,4 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index 4fe0e66..798cb84 100644 --- a/machines/public-cof/secrets/secrets.nix 
+++ b/machines/public-cof/secrets/secrets.nix @@ -1,7 +1,7 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; systems = [ public-cof ]; diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index a28068c..41936bd 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -61,8 +61,11 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = - [ ./pubkeys/gdd.keys ./pubkeys/raito.keys ./pubkeys/remote-builders.keys ]; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../../pubkeys/gdd.keys + ../../pubkeys/raito.keys + ../../pubkeys/remote-builders.keys + ]; # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; diff --git a/machines/remote-builder-01/pubkeys/gdd.keys b/machines/remote-builder-01/pubkeys/gdd.keys deleted file mode 100644 index b5d4e40..0000000 --- a/machines/remote-builder-01/pubkeys/gdd.keys +++ /dev/null @@ -1,2 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ diff --git a/machines/remote-builder-01/pubkeys/hackens-milieu.keys b/machines/remote-builder-01/pubkeys/hackens-milieu.keys deleted file mode 100644 index c79c039..0000000 --- a/machines/remote-builder-01/pubkeys/hackens-milieu.keys +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3+w4+nyJG8lr2mh0S9Zf8j2/6H5smlO87s6KNLlhkF hackens@hackens-milieu 
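Review bot: The rewritten list still places `../../pubkeys/remote-builders.keys` in root's `authorized_keys`, so every client holding one of those builder keys gets an unrestricted root shell on this host rather than just the ability to push derivations. Nix remote building works with a dedicated unprivileged user (e.g. `users.users.nix-remote-builder`) listed in this host's `nix.trustedUsers`, which is trusted for the daemon but cannot touch the rest of the system, leaving only the admin files (`gdd.keys`, `raito.keys`) on root. At minimum, each line in `remote-builders.keys` should carry `restrict` plus a forced command matching the protocol your clients use (`nix-store --serve --write` for `ssh://`, `nix-daemon --stdio` for `ssh-ng://`). A comment next to the list naming which file is admin access and which is machine access would keep the distinction visible.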
diff --git a/machines/remote-builder-01/pubkeys/raito.keys b/machines/remote-builder-01/pubkeys/raito.keys deleted file mode 100644 index 0f48a59..0000000 --- a/machines/remote-builder-01/pubkeys/raito.keys +++ /dev/null @@ -1,4 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr diff --git a/machines/core-services-01/pubkeys/gdd.keys b/pubkeys/gdd.keys similarity index 100% rename from machines/core-services-01/pubkeys/gdd.keys rename to pubkeys/gdd.keys diff --git a/machines/core-services-01/pubkeys/hackens-milieu.keys b/pubkeys/hackens-milieu.keys similarity index 100% rename from machines/core-services-01/pubkeys/hackens-milieu.keys rename to pubkeys/hackens-milieu.keys diff --git a/machines/core-services-01/pubkeys/mrf.keys b/pubkeys/mrf.keys similarity index 100% rename from machines/core-services-01/pubkeys/mrf.keys rename to pubkeys/mrf.keys diff --git a/machines/core-services-01/pubkeys/raito.keys b/pubkeys/raito.keys similarity index 100% rename from machines/core-services-01/pubkeys/raito.keys rename to pubkeys/raito.keys diff --git a/machines/remote-builder-01/pubkeys/remote-builders.keys b/pubkeys/remote-builders.keys similarity index 100% rename from machines/remote-builder-01/pubkeys/remote-builders.keys rename to pubkeys/remote-builders.keys -- 2.47.0 From c5aa20dffabdfa1377b94cecb9842cbf1da66138 Mon Sep 17 00:00:00 2001 
From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 23:59:59 +0000 Subject: [PATCH 092/149] Move pubkeys in ./machines This is required by the current krops setup. --- machines/core-services-01/configuration.nix | 6 +++--- machines/core-services-01/netboot-server.nix | 4 ++-- machines/core-services-01/secrets/secrets.nix | 2 +- {pubkeys => machines/pubkeys}/gdd.keys | 0 {pubkeys => machines/pubkeys}/hackens-milieu.keys | 0 {pubkeys => machines/pubkeys}/mrf.keys | 0 {pubkeys => machines/pubkeys}/raito.keys | 0 {pubkeys => machines/pubkeys}/remote-builders.keys | 0 machines/public-cof/configuration.nix | 6 +++--- machines/public-cof/secrets/secrets.nix | 2 +- machines/remote-builder-01/configuration.nix | 6 +++--- 11 files changed, 13 insertions(+), 13 deletions(-) rename {pubkeys => machines/pubkeys}/gdd.keys (100%) rename {pubkeys => machines/pubkeys}/hackens-milieu.keys (100%) rename {pubkeys => machines/pubkeys}/mrf.keys (100%) rename {pubkeys => machines/pubkeys}/raito.keys (100%) rename {pubkeys => machines/pubkeys}/remote-builders.keys (100%) diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index d3f334a..5f0e145 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -76,9 +76,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/gdd.keys - ../../pubkeys/raito.keys - ../../pubkeys/mrf.keys + ../pubkeys/gdd.keys + ../pubkeys/raito.keys + ../pubkeys/mrf.keys ]; # Open ports in the firewall. diff --git a/machines/core-services-01/netboot-server.nix b/machines/core-services-01/netboot-server.nix index 14f4d40..1c28cd8 100644 --- a/machines/core-services-01/netboot-server.nix +++ b/machines/core-services-01/netboot-server.nix 
@@ -13,8 +13,8 @@ let # Enable sshd wich gets disabled by netboot-minimal.nix systemd.services.sshd.wantedBy = mkOverride 0 [ "multi-user.target" ]; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/gdd.keys - ../../pubkeys/raito.keys + ../pubkeys/gdd.keys + ../pubkeys/raito.keys ]; programs.mosh.enable = true; diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index a581591..0455e41 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -1,7 +1,7 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf"); core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU"; systems = [ core-services-01 ]; diff --git a/pubkeys/gdd.keys b/machines/pubkeys/gdd.keys similarity index 100% rename from pubkeys/gdd.keys rename to machines/pubkeys/gdd.keys diff --git a/pubkeys/hackens-milieu.keys b/machines/pubkeys/hackens-milieu.keys similarity index 100% rename from pubkeys/hackens-milieu.keys rename to machines/pubkeys/hackens-milieu.keys diff --git a/pubkeys/mrf.keys b/machines/pubkeys/mrf.keys similarity index 100% rename from pubkeys/mrf.keys rename to machines/pubkeys/mrf.keys diff --git a/pubkeys/raito.keys b/machines/pubkeys/raito.keys similarity index 100% rename from pubkeys/raito.keys rename to machines/pubkeys/raito.keys diff --git a/pubkeys/remote-builders.keys b/machines/pubkeys/remote-builders.keys similarity index 100% rename from pubkeys/remote-builders.keys rename to machines/pubkeys/remote-builders.keys 
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 46afed6..a99f713 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -45,9 +45,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/gdd.keys - ../../pubkeys/raito.keys - ../../pubkeys/mrf.keys + ../pubkeys/gdd.keys + ../pubkeys/raito.keys + ../pubkeys/mrf.keys ]; system.stateVersion = "21.05"; diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index 798cb84..3f8a62a 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -1,7 +1,7 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; systems = [ public-cof ]; diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 41936bd..ad971fb 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -62,9 +62,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/gdd.keys - ../../pubkeys/raito.keys - ../../pubkeys/remote-builders.keys + ../pubkeys/gdd.keys + ../pubkeys/raito.keys + ../pubkeys/remote-builders.keys ]; # Open ports in the firewall. -- 2.47.0 From 7f5f3213acb9ce03638aefdb8c0389ad2f9cee9b Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Mon, 15 Aug 2022 13:31:27 +0200 Subject: [PATCH 093/149] hotfix: disable student calendar --- machines/public-cof/nginx.nix | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/machines/public-cof/nginx.nix b/machines/public-cof/nginx.nix index 9f62800..2d5cf61 100644 --- a/machines/public-cof/nginx.nix +++ b/machines/public-cof/nginx.nix @@ -29,14 +29,15 @@ in recommendedTlsSettings = true; virtualHosts = { - "home.beta.rz.ens.wtf" = { - serverAliases = [ "beta.rz.ens.wtf" ]; - default = true; - forceSSL = true; - enableACME = true; - root = "/var/public-cof/home"; - locations = builtins.listToAttrs (map mkCloudLocation clouds); - }; +# FIXME: factorize and remove it, it has been superseded by eleves.ens.fr/calendrier +# "home.beta.rz.ens.wtf" = { +# serverAliases = [ "beta.rz.ens.wtf" ]; +# default = true; +# forceSSL = true; +# enableACME = true; +# root = "/var/public-cof/home"; +# locations = builtins.listToAttrs (map mkCloudLocation clouds); +# }; }; }; -- 2.47.0 From 86de42442d2206435a849e8d7fe5a2d9bb878dec Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 17 Aug 2022 18:06:26 +0200 Subject: [PATCH 094/149] feat: add rstudio.beta.rz.ens.wtf basic features --- machines/core-services-01/subZone.nix | 1 + machines/public-cof/configuration.nix | 1 + .../public-cof/rstudio-server/default.nix | 34 +++++++++++++++++++ 3 files changed, 36 insertions(+) create mode 100644 machines/public-cof/rstudio-server/default.nix diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 4495c29..a0f9fc4 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -70,6 +70,7 @@ dualstack // { }; docs = public-cof-ips; jurisprudens = public-cof-ips; + rstudio = public-cof-ips; }; }; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index a99f713..18ae3d0 100644 
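Review bot: Commenting out the `home.beta.rz.ens.wtf` block also removes the only vhost carrying `default = true` and the `beta.rz.ens.wtf` alias, so requests with an unknown or empty Host header now land on whichever remaining vhost nginx treats as its implicit default, and the alias presumably drops out of ACME renewal. If the page is being retired, keep an explicit catch-all that refuses unmatched names, e.g. `virtualHosts."_" = { default = true; locations."/".return = "444"; };`, and add a redirect for `beta.rz.ens.wtf` if that name should still resolve somewhere. The `virtualHosts` attribute set continues outside the hunk.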
--- a/machines/public-cof/configuration.nix
+++ b/machines/public-cof/configuration.nix
@@ -11,6 +11,7 @@
 ./monitoring.nix
 ./nextcloud.nix
 ./minecraft.nix
+ ./rstudio-server
 ./nur.nix
 # ./factorio.nix # TODO
 ./nginx.nix
diff --git a/machines/public-cof/rstudio-server/default.nix b/machines/public-cof/rstudio-server/default.nix
new file mode 100644
index 0000000..3a73a6a
--- /dev/null
+++ b/machines/public-cof/rstudio-server/default.nix
@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+let
+ port = 19000;
+in
+{
+ services.rstudio-server = {
+ enable = true;
+ rserverExtraConfig = ''
+ www-port = ${toString port}
+ '';
+
+ package = pkgs.rstudioServerWrapper.override {
+ packages = with pkgs.rPackages; [
+ ggplot2
+ rmarkdown
+ dplyr
+ ];
+ };
+ };
+
+ users.users.ruser = {
+ isNormalUser = true;
+ hashedPassword = "$6$pTXXVh8NfE.M8VPc$q0fFh3Y7Y0DauLCcZLgJzFciq1wkjoHmO61XpOrZLH3a1M32ZzOMbjx2XMm2QxrUncbx6hGerY/lD8rQ8InS4.";
+ };
+
+ services.nginx.virtualHosts."rstudio.beta.rz.ens.wtf" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString port}";
+ proxyWebsockets = true;
+ };
+ };
+}
-- 2.47.0 From dc971eff71754648527ab7a06bd40ba6a89c2c0c Mon Sep 17 00:00:00 2001
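Review bot: `users.users.ruser.hashedPassword` commits a password hash to the repository, where it stays in history even after a later edit; anyone with read access can run offline guessing against it, and the account it protects is a full shell user (`isNormalUser = true`) on public-cof. Move the hash into an agenix secret like the other credentials in this tree and reference it from the user, `passwordFile = config.age.secrets.<rstudio-user-secret>.path;` (`hashedPasswordFile` on newer NixOS; `<rstudio-user-secret>` is a placeholder, and `config` must be added to the module's argument set), then rotate the password since the current hash is already published. The nginx vhost forwards straight to RStudio with no additional access control in front of it, so this password is the only gate on `rstudio.beta.rz.ens.wtf`; if that is intended, a comment saying so would help the next reader.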
From: Raito Bezarius Date: Tue, 6 Sep 2022 01:06:39 +0200 Subject: [PATCH 095/149] =?UTF-8?q?feat(core01):=20add=20inventory.rz.ens.?= =?UTF-8?q?wtf=20=E2=86=92=20snipe-it=20instance?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/core-services-01/configuration.nix | 1 + machines/core-services-01/secrets/default.nix | 2 ++ machines/core-services-01/secrets/secrets.nix | 2 ++ .../secrets/snipeItAppKey.age | 27 +++++++++++++++++++ .../secrets/snipeItOidcClientSecret.age | 26 ++++++++++++++++++ machines/core-services-01/snipe-it.nix | 19 +++++++++++++ machines/core-services-01/subZone.nix | 1 + 7 files changed, 78 insertions(+) create mode 100644 machines/core-services-01/secrets/snipeItAppKey.age create mode 100644 machines/core-services-01/secrets/snipeItOidcClientSecret.age create mode 100644 machines/core-services-01/snipe-it.nix diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 5f0e145..dcf85af 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -20,6 +20,7 @@ ./acme-dns.nix ./backups.nix ./headscale.nix + ./snipe-it.nix # ./dex.nix ./oauth2_proxy.nix ./secrets diff --git a/machines/core-services-01/secrets/default.nix b/machines/core-services-01/secrets/default.nix index 452d42e..a02981b 100644 --- a/machines/core-services-01/secrets/default.nix +++ b/machines/core-services-01/secrets/default.nix @@ -5,4 +5,6 @@ age.secrets.droneKeyFile.file = ./droneKeyFile.age; age.secrets.dexGiteaClientSecret.file = ./dexGiteaClientSecret.age; age.secrets.matterbridge.file = ./matterbridge.age; + age.secrets.snipeItAppKey.file = ./snipeItAppKey.age; + age.secrets.snipeItOidcClientSecret.file = ./snipeItOidcClientSecret.age; } diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index 0455e41..9925641 100644 
--- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -12,5 +12,7 @@ in "droneKeyFile.age".publicKeys = superadmins ++ systems; "dexGiteaClientSecret.age".publicKeys = superadmins ++ systems; "matterbridge.age".publicKeys = superadmins ++ systems; + "snipeItAppKey.age".publicKeys = superadmins ++ systems; + "snipeItOidcClientSecret.age".publicKeys = superadmins ++ systems; } diff --git a/machines/core-services-01/secrets/snipeItAppKey.age b/machines/core-services-01/secrets/snipeItAppKey.age new file mode 100644 index 0000000..3a393c2 --- /dev/null +++ b/machines/core-services-01/secrets/snipeItAppKey.age 
@@ -0,0 +1,27 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +i/TW/dUpeS8QL9ZJg7xKdGW65D1SWFjMpolf1BgEs3hm6uI2W3RWUb5S1PEs6HdF +l/yiJtZeBC0e0QbaQ776fiy0MSmuMgcRbJJ1rjloGwFzwwvtqhQMG8rLp70IPZoV +F6sUz4jKHaEjIVVbRokdfIKMSnhRXnbW5domOxPmZjXck7YxaR1zqD4S9PtH12Q/ +P+l/IVS6+tuWlaTs+1FY2pQ0ppPkwxBirm+4/dxD7E5MkOT0OFcpopI225u2vJAz +Hfk6SBhWuOu2GFfLDS3sS+50kvx1MNvMeb9qVYHkxE8tXhJxOpykkzwYktYp17jY +m+rh1gMPt+mZV2ELaZkGjQ +-> ssh-ed25519 85WiGg TSVInZQdH1ZbhSG+FptwCu96UX1SHAhQNculIk8nVF4 +L1ptiGhMZN78uu1TQ2qVV73+lhlgD34g7xt/AL268Dk +-> ssh-ed25519 reTIKw vrZd8hFFywOmDJxAq58Tt4Wdq2ovft1IDJqCvkpRU1o +9TmODia85CwXZmzdxk6W4LCflCybq7O1WWoqG5vxENk +-> ssh-ed25519 /vwQcQ NSJNN/lRO6TbOQTlY9bT4kdEuP2hElmNIcKRI4ilrQY +eGIr9VQSrbG4hB2XQGYXquQVZIkLRq9g9+Ap25YSWSQ +-> ssh-ed25519 cvTB5g 24UlsKN0XaA6wW87zj5PkPy90LUmdJe80FV2LVLiwzk +57VJ2pf45+r7CgMdr/78ngWll12Se7dS993i+YKp3Vg +-> ssh-ed25519 Wu8JLQ wgWSOp5VQzF+pvL338wOwaJ3RIIi1I4SNqW+vT6NQF8 +HVTfWqmf9CnEkHFpu9NWYagwwBdW8NumwFcUvSlb9i8 +-> ssh-ed25519 h6AgbA ZRjMQkjz+sw2BZh/myaSnMgz8cngGM9wxQf6L6uPxE8 +OgYfhTQe4iB9SyL8iReQByA9N5VcUC/YvpvbPIgp/3U +-> ssh-ed25519 lHr4YQ JAnhqkgzuCDsmDYnRG/DL/MDrfA/0uCZ1kpZSWiuPw4 +uMPzV/uWAozlffoqIDtTcI5CI3FAzM5fzDuupAzgE4w +-> 3[k-grease l5" cr(}p5 s{\538Js +uR+N+zPd323E/1K5MdNaPzAeNYBYfbmmsxtQRufVjMj8jobBLhHq4RVJ/E57t8yv +4Cxp +--- 1iiPH5I9CDFZwZQwRbhKnqpZ08vTMP1u4pU3+hNpubk +ےf(Tח,4\hKT džq)e+}u 'hN/䶢6B4Kң \ No newline at end of file diff --git a/machines/core-services-01/secrets/snipeItOidcClientSecret.age b/machines/core-services-01/secrets/snipeItOidcClientSecret.age new file mode 100644 index 0000000..80300cc --- /dev/null +++ b/machines/core-services-01/secrets/snipeItOidcClientSecret.age 
@@ -0,0 +1,26 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +gPydOcolFG+axyXPVVYYjjr0hypl/xczmMM+W+BbfZFaAL0TqXpqRgjtZSNvA+oh ++JHdr+/8IHh2qCS2vtzuH5lAsjM4h4FPPnGixX1SI9eNH14b/Otmoa/OtQD4pHcB +PYbh1yh4AILggg1ZMdttS+FUuMtu2A6y2NZYSkbBLy9dwEdZNBs0/cX/xNEqK72V +JF0BuGYvchyJ4ec4/m1od94dVva5qKUvK6mr0u5XPXObEOdZ8jJwZodJjrpDaEHJ +/yt8svY6upoXIdM4dVbY0Ab1VCwXf+tbGuwypVJF2TkeVW5tbImxuoTPE5XNdKLF +XU6RfHzLjUnG1T+dObb9gQ +-> ssh-ed25519 85WiGg lVvfjaLUhjdWgRnz0supjMNc6pDpbeEy2Z0fFOc7dkQ +srngyi1Wdi1lcXFK7MJtqt2koZkopcXX+hOFENHXJgY +-> ssh-ed25519 reTIKw ubW5n+mkAgxwHT9okMRWoE9k5ZpWN7UQDrvRwgS3Xio +O7GRq35wulhSadIAJ7C0ekLQQVk209yGiSaWg/VNgYU +-> ssh-ed25519 /vwQcQ 0FZbpEDS3xuKyPOSExt4wb/Oi0xlTivdLlpKuXicqx8 +3ZMA31MUD76KNK1+yX2473wDSv0oyheT7jAmvnbPJNg +-> ssh-ed25519 cvTB5g 04++RfeztjNzyHMW7WhxdAWoWT5NyatCN8zf7xFYiCw +OWYQ3oFR+/NjY8skMpzd0eS9fsAeugO+loiq4ZqEVWo +-> ssh-ed25519 Wu8JLQ b5BEsw8GS+LUcLZ7h36WDHp1uunlVymEcCmAcs5xaHQ +4xs/EAPRD4Z/rL3zisjGmslVt7OHx+Kh1kJmdBAxED4 +-> ssh-ed25519 h6AgbA wNeprhlhTORbN4WFxWPJO0DV5vBVteE297O73EfngD4 +sceiHAg3S0aZ9xGIsw5VaPJkAWCci03SrHM520pb+Gw +-> ssh-ed25519 lHr4YQ v6dG659zPeUqbyT8To8oGf6Kp3y15Z2YjlzdLVK3FCI +wB7EFm4tsgkaYexLfQM+lkNtUr09GWlLnh7CbgX3Ifc +-> =-grease zZ5 e./C_ +z1vYPnfdTh+G0bc+UvV1EZMSfaNDsWiDHJ+W+1CB2+Z4pOnQt2jBFPYv7rE +--- LbcSlaucZaWsTqBR9PIA46r00cfJtG5ndinWSzsnl/0 +1h~sȰ#-FX/2.ZF?wE]ic.%b-wt܌q_%} \ No newline at end of file diff --git a/machines/core-services-01/snipe-it.nix b/machines/core-services-01/snipe-it.nix new file mode 100644 index 0000000..c1f3658 --- /dev/null +++ b/machines/core-services-01/snipe-it.nix 
@@ -0,0 +1,19 @@ +{ pkgs, config, ... }: +{ + services.snipe-it = { + enable = true; + hostName = "inventory.rz.ens.wtf"; + database.createLocally = true; + appKeyFile = config.age.secrets.snipeItAppKey.path; + + config = { + AUTH_METHOD = "oidc"; + OIDC_NAME = "Keycloak"; + OIDC_DISPLAY_NAME_CLAIMS = "name"; + OIDC_CLIENT_ID = "snipe-it"; + OIDC_CLIENT_SECRET = { _secret = config.age.secrets.snipeItOidcClientSecret.path; }; + OIDC_ISSUER = "https://auth.rz.ens.wtf/auth/realms/ClubReseau"; + OIDC_ISSUER_DISCOVER = true; + }; + }; +} diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index a0f9fc4..a3a0573 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -38,6 +38,7 @@ dualstack // { auth = dualstack; push = dualstack; tailscale = dualstack; + inventory = dualstack; core01 = dualstack; ns1 = dualstack; -- 2.47.0 From 726bc5af0e6b599c6118aa54d929df5e1ee52a30 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 6 Sep 2022 01:33:17 +0200 Subject: [PATCH 096/149] feat(core01): enable TLS on inventory.rz.ens.wtf and fix secrets perms --- machines/core-services-01/snipe-it.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/machines/core-services-01/snipe-it.nix b/machines/core-services-01/snipe-it.nix index c1f3658..29f8530 100644 --- a/machines/core-services-01/snipe-it.nix +++ b/machines/core-services-01/snipe-it.nix 
@@ -1,11 +1,26 @@ { pkgs, config, ... }: { + age.secrets.snipeItAppKey = { + owner = config.services.snipe-it.user; + group = config.services.snipe-it.group; + }; + + age.secrets.snipeItOidcClientSecret = { + owner = config.services.snipe-it.user; + group = config.services.snipe-it.group; + }; + services.snipe-it = { enable = true; hostName = "inventory.rz.ens.wtf"; database.createLocally = true; appKeyFile = config.age.secrets.snipeItAppKey.path; + nginx = { + enableACME = true; + forceSSL = true; + }; + config = { AUTH_METHOD = "oidc"; OIDC_NAME = "Keycloak"; -- 2.47.0 From 7284a9a2d62d4432521d13f8fbae8b165504e997 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 6 Sep 2022 01:33:26 +0200 Subject: [PATCH 097/149] meta: use root@core01.rz.ens.wtf rather than internal IP --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 770fcff..1a3a034 100644 --- a/krops.nix +++ b/krops.nix @@ -29,7 +29,7 @@ let inherit target; }; }; in {} -// mkDeploy "core-services-01" "root@10.1.1.20" +// mkDeploy "core-services-01" "root@core01.rz.ens.wtf" // mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" // mkDeploy "public-cof" "root@beta.rz.ens.wtf" // mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] -- 2.47.0 From c90e89bc7ae0e4eae304f64184dcc05f3dfc3223 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 15:21:59 +0200 Subject: [PATCH 098/149] feat: add traque.beta.rz.ens.wtf --- machines/core-services-01/subZone.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index a3a0573..a56f019 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix 
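Review bot: The `mkDeploy "core-services-01"` target now depends on resolving `core01.rz.ens.wtf`, and that zone appears to be served from core-services-01 itself (subZone.nix elsewhere in this series), so a deployment that breaks DNS on the host can no longer be repaired through the same krops target. Keep the address reachable as a documented fallback, e.g. a comment next to the entry, `# DNS for rz.ens.wtf is served by this host; fall back to root@10.1.1.20 if the name stops resolving`, and make sure the SSH host key is already recorded in `known_hosts` under the new name so the first deploy is not a trust-on-first-use connection. The `let` block that defines `mkDeploy` starts outside the hunk.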
@@ -58,6 +58,10 @@ dualstack // { beta = public-cof-ips // { subdomains = { + traque = { + inherit (public-cof-ips) A; + AAAA = [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; + }; nuage = public-cof-ips; minecraft = public-cof-ips; factorio = public-cof-ips; -- 2.47.0 From 54163ed857b0101965df8f0a3ea25ad3332bad3e Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 15:29:51 +0200 Subject: [PATCH 099/149] =?UTF-8?q?feat(public-cof):=20add=20IPv4=20?= =?UTF-8?q?=E2=86=92=20IPv6=20proxy?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/core-services-01/subZone.nix | 6 ++--- machines/public-cof/configuration.nix | 1 + machines/public-cof/networking.nix | 4 +++- machines/public-cof/nix/sources.json | 12 ++++++++++ machines/public-cof/nix/sources.nix | 22 +++++++++++++++++- machines/public-cof/nur.nix | 3 +++ machines/public-cof/v6proxy/default.nix | 30 +++++++++++++++++++++++++ 7 files changed, 72 insertions(+), 6 deletions(-) create mode 100644 machines/public-cof/v6proxy/default.nix diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index a56f019..1655011 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -12,6 +12,7 @@ let remoteBuilders = { nix01 = [ "2001:470:1f13:187:611:4514:d93a:f80a" ]; }; + mkProxyRecord = AAAA: { inherit AAAA; A = [ "45.13.104.29" ]; }; dualstack = { A = my.ipv4; AAAA = my.ipv6.standard; @@ -58,10 +59,7 @@ dualstack // { beta = public-cof-ips // { subdomains = { - traque = { - inherit (public-cof-ips) A; - AAAA = [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; - }; + traque = mkProxyRecord [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; nuage = public-cof-ips; minecraft = public-cof-ips; factorio = public-cof-ips; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 18ae3d0..fd43e30 100644 --- a/machines/public-cof/configuration.nix 
+++ b/machines/public-cof/configuration.nix @@ -18,6 +18,7 @@ # ./cryptpad.nix ./hedgedoc.nix ./secrets + ./v6proxy # TODO monitoring ]; diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index ff648e5..a902953 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -32,7 +32,9 @@ in { }; interfaces.ens20 = { - ipv4.addresses = map mkAddress [ "45.13.104.27/32" ]; + # 1st is for public-cof + # 2nd is for IPv4 → IPv6 proxy in v6proxy/ + ipv4.addresses = map mkAddress [ "45.13.104.27/32" "45.13.104.29/32" ]; }; firewall.allowedTCPPorts = [ 22 ]; diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json index a6531e2..77826c4 100644 --- a/machines/public-cof/nix/sources.json +++ b/machines/public-cof/nix/sources.json @@ -29,6 +29,18 @@ "url": "https://github.com/nmattia/niv/archive/e0ca65c81a2d7a4d82a189f1e23a48d59ad42070.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, + "nixexprs": { + "branch": "master", + "description": "All my Nix expressions", + "homepage": null, + "owner": "RaitoBezarius", + "repo": "nixexprs", + "rev": "5fd6966844be775a272e932375d7982275ba2300", + "sha256": "1l5zgdgqbn7apw2ngqzid0sqrklx0rnj8sjid4ykx9156kdqjan5", + "type": "tarball", + "url": "https://github.com/RaitoBezarius/nixexprs/archive/5fd6966844be775a272e932375d7982275ba2300.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, "raito-nur": { "branch": "master", "description": "All my Nix expressions", diff --git a/machines/public-cof/nix/sources.nix b/machines/public-cof/nix/sources.nix index 1938409..9a01c8a 100644 --- a/machines/public-cof/nix/sources.nix +++ b/machines/public-cof/nix/sources.nix 
@@ -31,8 +31,28 @@ let if spec ? branch then "refs/heads/${spec.branch}" else if spec ? tag then "refs/tags/${spec.tag}" else abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + submodules = if spec ? submodules then spec.submodules else false; + submoduleArg = + let + nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0; + emptyArgWithWarning = + if submodules == true + then + builtins.trace + ( + "The niv input \"${name}\" uses submodules " + + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " + + "does not support them" + ) + {} + else {}; + in + if nixSupportsSubmodules + then { inherit submodules; } + else emptyArgWithWarning; in - builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; + builtins.fetchGit + ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg); fetch_local = spec: spec.path; diff --git a/machines/public-cof/nur.nix b/machines/public-cof/nur.nix index 7ca9d89..130ef29 100644 --- a/machines/public-cof/nur.nix +++ b/machines/public-cof/nur.nix @@ -3,6 +3,8 @@ let nivSources = import ./nix/sources.nix; rz-src = nivSources.klubrz-nur; rz-no-pkgs = (import nivSources.klubrz-nur {}); + raitobezarius-src = nivSources.nixexprs; + raitobezarius-no-pkgs = (import raitobezarius-src {}); in { nixpkgs.config.packageOverrides = { @@ -11,6 +13,7 @@ in imports = [ "${nivSources.agenix}/modules/age.nix" + raitobezarius-no-pkgs.modules.sniproxy ] ++ lib.attrValues rz-no-pkgs.modules; nixpkgs.overlays = []; diff --git a/machines/public-cof/v6proxy/default.nix b/machines/public-cof/v6proxy/default.nix new file mode 100644 index 0000000..e4f11d9 --- /dev/null +++ b/machines/public-cof/v6proxy/default.nix 
@@ -0,0 +1,30 @@
+{ ... }:
+let
+ proxyIPv4 = "45.13.104.29";
+in
+{
+ networking.firewall.allowedTCPPorts = [ 443 ];
+
+ services.sniproxy = {
+ enable = true;
+
+ resolver = {
+ mode = "ipv6_first";
+ };
+
+ listeners = [
+ {
+ address = "${proxyIPv4}:443";
+ table = "vhosts";
+ fallback = null;
+ }
+ ];
+
+ tables.vhosts = [
+ {
+ match = "traque.beta.rz.ens.wtf";
+ dest = "traque.beta.rz.ens.wtf";
+ }
+ ];
+ };
+}
-- 2.47.0 From 71e5dcc437ac77a742c7a9b890754a84485aa8ba Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 16:16:29 +0200 Subject: [PATCH 100/149] feat(public-cof): disable rstudio server
---
 machines/public-cof/configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix
index fd43e30..7f85263 100644
--- a/machines/public-cof/configuration.nix
+++ b/machines/public-cof/configuration.nix
@@ -11,7 +11,7 @@
 ./monitoring.nix
 ./nextcloud.nix
 ./minecraft.nix
- ./rstudio-server
+ # ./rstudio-server
 ./nur.nix
 # ./factorio.nix # TODO
 ./nginx.nix
-- 2.47.0 From c25b0f0eee7dbb4859beec94e9fc155b4f2feacd Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 16:16:47 +0200 Subject: [PATCH 101/149] feat(public-cof): ensure that hedgedocs bind on local ipv6
---
 machines/public-cof/hedgedoc.nix | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix
index 258973f..de7edf2 100644
--- a/machines/public-cof/hedgedoc.nix
+++ b/machines/public-cof/hedgedoc.nix
@@ -9,7 +9,7 @@ in
 protocolUseSSL = true;
 # scp =; # TODO
 domain = "docs.beta.rz.ens.wtf";
- host = "localhost";
+ host = "[::1]";
 port = port;
 db = {
 dialect = "sqlite";
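Review bot: `resolver.mode = "ipv6_first"` still falls back to the A record when no AAAA answer arrives, and the A record for `traque.beta.rz.ens.wtf` is this proxy's own `45.13.104.29` (see `mkProxyRecord` in subZone.nix earlier in the series), so a transient AAAA lookup failure would make sniproxy connect to itself on :443 and loop until it runs out of connections. The backend is IPv6-only by design, so take DNS out of the path with `mode = "ipv6_only";` or set `dest = "[2001:470:1f13:187:f053:94ff:fe46:9664]:443";` in `tables.vhosts`. Note also that sniproxy relays the TLS stream unmodified, so the backend sees every IPv4 client as `45.13.104.29`; any per-IP rate limit, fail2ban rule or access log on traque has to account for that, since a SNI proxy cannot add X-Forwarded-For without terminating TLS.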
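Review bot: `host = "[::1]"` uses the bracketed URL form, but HedgeDoc presumably hands this value to the Node listener as a bare host, where the brackets are not a valid address and the bind fails or resolves to nothing; `host = "::1";` is the form a listener expects, while the brackets belong only in the `proxyPass` URL in this commit's second hunk. Worth checking the hedgedoc unit log after deploy before relying on it.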
@@ -25,13 +25,11 @@ in
 enableACME = true;
 locations = {
 "/" = {
- proxyPass = "http://localhost:${toString port}";
+ proxyPass = "http://[::1]:${toString port}";
 proxyWebsockets = true;
 };
 };
 };
 };
 };
-
- networking.firewall.allowedTCPPorts = [ 433 80 ];
 }
-- 2.47.0 From badae72a2907e1f594d6a37744d8b541beae9170 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 16:17:01 +0200 Subject: [PATCH 102/149] feat(public-cof): prevent nginx to bind on all IPv4
---
 machines/public-cof/networking.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix
index a902953..981eff0 100644
--- a/machines/public-cof/networking.nix
+++ b/machines/public-cof/networking.nix
@@ -40,4 +40,6 @@ in {
 firewall.allowedTCPPorts = [ 22 ];
 firewall.enable = true;
 };
+
+ services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ];
 }
-- 2.47.0 From 9a243163006bfb794bcb11db77db17fd20c360a7 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 13 Sep 2022 18:49:38 +0200 Subject: [PATCH 103/149] core01: add todo.beta.rz.ens.wtf DNS
---
 machines/core-services-01/subZone.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix
index 1655011..256b659 100644
--- a/machines/core-services-01/subZone.nix
+++ b/machines/core-services-01/subZone.nix
@@ -61,6 +61,7 @@ dualstack // {
 subdomains = {
 traque = mkProxyRecord [ "2001:470:1f13:187:f053:94ff:fe46:9664" ];
 nuage = public-cof-ips;
+ todo = public-cof-ips;
 minecraft = public-cof-ips;
 factorio = public-cof-ips;
 home = public-cof-ips;
-- 2.47.0 From 9c006a35196edc6c3574d82153e8cf64da0cd2c6 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 13 Sep 2022 18:49:49 +0200 Subject: [PATCH 104/149] public-cof: fix docs.beta.rz.ens.wtf
---
 machines/public-cof/hedgedoc.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index de7edf2..b4235d5 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -9,7 +9,7 @@ in protocolUseSSL = true; # scp =; # TODO domain = "docs.beta.rz.ens.wtf"; - host = "[::1]"; + host = "127.0.0.1"; port = port; db = { dialect = "sqlite"; @@ -25,7 +25,7 @@ in enableACME = true; locations = { "/" = { - proxyPass = "http://[::1]:${toString port}"; + proxyPass = "http://127.0.0.1:${toString port}"; proxyWebsockets = true; }; }; -- 2.47.0 From 6e94647d8e8dceeceb33bda46bedd36212fe8d6f Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Tue, 13 Sep 2022 23:59:59 +0000 Subject: [PATCH 105/149] Networkd ipv6 --- machines/public-cof/networking.nix | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 981eff0..7dc4379 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -5,9 +5,26 @@ let mkAddress = addr: let in { address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); }; in { + systemd.network = { + enable = true; + networks."ens18" = { + DHCP = "no"; + addresses = [ + { addressConfig.Address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; } + ]; + }; + }; + networking = { hostName = "public-cof"; + useNetworkd = true; + useDHCP = false; + + firewall.allowedTCPPorts = [ 22 ]; + firewall.enable = true; + + /* # Default IPv4 exit route defaultGateway = { address = ""; @@ -15,14 +32,6 @@ in { }; localCommands = "ip route add default dev ens20 metric 10"; - useDHCP = false; - interfaces.ens18 = { - useDHCP = true; - ipv6.addresses = [{ - address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; - prefixLength = 64; - }]; - }; interfaces.ens19 = { useDHCP = false; ipv4.addresses = [{ 
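Review bot: The `/*` opened after `firewall.enable = true;` in the first hunk comments out the ens19/ens20 IPv4 addresses and the default route, yet `services.nginx.defaultListenAddresses` (visible as context in the next hunk) still lists `45.13.104.27`, so nginx will fail to bind that address unless it is configured somewhere this commit does not show; the new `systemd.network.networks."ens18"` entry carries only the IPv6 address. Either migrate the ens19/ens20 addresses and the IPv4 route into `systemd.network` in the same commit, or drop `45.13.104.27` from `defaultListenAddresses` until the IPv4 side moves, and add a short comment above the block comment saying why it is disabled rather than deleted. The `networking` attribute set continues past the end of both hunks.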
@@ -36,9 +45,7 @@ in { # 2nd is for IPv4 → IPv6 proxy in v6proxy/ ipv4.addresses = map mkAddress [ "45.13.104.27/32" "45.13.104.29/32" ]; }; - - firewall.allowedTCPPorts = [ 22 ]; - firewall.enable = true; + */ }; services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]; -- 2.47.0 From a373803629a2060ea84f40b0afa565f2c2510ed2 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 13 Sep 2022 18:54:35 +0200 Subject: [PATCH 106/149] patch(keycloak): remove crc patch --- .../fix-crc-computation.patch | 51 ------------------- 1 file changed, 51 deletions(-) delete mode 100644 machines/core-services-01/fix-crc-computation.patch diff --git a/machines/core-services-01/fix-crc-computation.patch b/machines/core-services-01/fix-crc-computation.patch deleted file mode 100644 index 85a6a7e..0000000 --- a/machines/core-services-01/fix-crc-computation.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001 -From: Mark Adler -Date: Wed, 30 Mar 2022 11:14:53 -0700 -Subject: [PATCH] Correct incorrect inputs provided to the CRC functions. - -The previous releases of zlib were not sensitive to incorrect CRC -inputs with bits set above the low 32. This commit restores that -behavior, so that applications with such bugs will continue to -operate as before. ---- - crc32.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/crc32.c b/crc32.c -index a1bdce5c2..451887bc7 100644 ---- a/crc32.c -+++ b/crc32.c -@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) - #endif /* DYNAMIC_CRC_TABLE */ - - /* Pre-condition the CRC */ -- crc ^= 0xffffffff; -+ crc = (~crc) & 0xffffffff; - - /* Compute the CRC up to a word boundary. */ - while (len && ((z_size_t)buf & 7) != 0) { -@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) - #endif /* DYNAMIC_CRC_TABLE */ - - /* Pre-condition the CRC */ -- crc ^= 0xffffffff; -+ crc = (~crc) & 0xffffffff; - - #ifdef W - -@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2) - #ifdef DYNAMIC_CRC_TABLE - once(&made, make_crc_table); - #endif /* DYNAMIC_CRC_TABLE */ -- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2; -+ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff); - } - - /* ========================================================================= */ -@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op) - uLong crc2; - uLong op; - { -- return multmodp(op, crc1) ^ crc2; -+ return multmodp(op, crc1) ^ (crc2 & 0xffffffff); - } -- 2.47.0 From d2467fe0bd5fb4074ed501ee08ec3680cc46fcf7 Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 17 Sep 2022 21:26:16 +0200 Subject: [PATCH 107/149] public-cof: add kanboard --- machines/public-cof/configuration.nix | 1 + machines/public-cof/kanboard-config.php | 279 ++++++++++++++++++++++++ machines/public-cof/kanboard.nix | 71 ++++++ 3 files changed, 351 insertions(+) create mode 100644 machines/public-cof/kanboard-config.php create mode 100644 machines/public-cof/kanboard.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 7f85263..f4e4dd6 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -17,6 +17,7 @@ ./nginx.nix # ./cryptpad.nix ./hedgedoc.nix + ./kanboard.nix ./secrets ./v6proxy # TODO monitoring diff --git a/machines/public-cof/kanboard-config.php b/machines/public-cof/kanboard-config.php new file mode 100644 index 0000000..9c82452 --- /dev/null +++ b/machines/public-cof/kanboard-config.php @@ -0,0 +1,279 @@ + $out/$f + tail -n+2 ${pkgs.kanboard}/share/kanboard/$f \ + | sed 's^__DIR__^"${pkgs.kanboard}/share/kanboard"^' >> $out/$f + done + ln -s /var/lib/kanboard $out/data + ln -s ${kanboardConfig} $out/config.php + '') + { outPath = "${pkgs.kanboard}/share/kanboard"; meta.priority = 10; } + ]; + }; + locations = { + "/".index = "index.php"; + "~ \\.php$" = { + tryFiles = "$uri =404"; + extraConfig = '' + fastcgi_pass unix:${config.services.phpfpm.pools.kanboard.socket}; + ''; + }; + }; + }; + }; +} -- 2.47.0 From 001c9b0136d220aed5c96f3194fd294fa2361629 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 17 Sep 2022 21:26:34 +0200 Subject: [PATCH 108/149] all: bump to latest nixos-unstable --- krops.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 1a3a034..0102eb0 100644 --- a/krops.nix +++ b/krops.nix 
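Review bot: `ln -s /var/lib/kanboard $out/data` places the state directory inside the nginx document root, and the vhost only defines `/` and the `~ \.php$` location, so nothing stops nginx from serving `/data/…` (Kanboard's SQLite database and uploaded files) as static content to anyone who guesses the path; upstream relies on an `.htaccess` there, which nginx ignores. Add a deny location that sorts ahead of the PHP one, `locations."~* ^/data" = { priority = 100; extraConfig = "deny all; return 404;"; };`, or keep the symlink out of the web root if Kanboard does not need it there. Whether the nginx worker can actually traverse `/var/lib/kanboard` depends on ownership this hunk does not show, so confirm by requesting `/data/` after deploy. The kanboard-config.php file and the start of this kanboard.nix hunk, including its header, are mangled in this rendering, so the vhost may contain more locations than are visible here.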
@@ -6,9 +6,10 @@ let lib.evalSource [{ config.file = toString ./machines; nixos-config.symlink = "config/${machine}/configuration.nix"; + # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable + ref = "823e2c9b0a0ec8b61b6583f48338072f137b6889"; # nixos-unstable url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.47.0 From 5a796ef74fab69e3ff745c4bddbcf33cde0dd9c2 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 17 Sep 2022 21:26:56 +0200 Subject: [PATCH 109/149] Revert "Networkd ipv6" This reverts commit 6e94647d8e8dceeceb33bda46bedd36212fe8d6f. --- machines/public-cof/networking.nix | 29 +++++++++++------------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 7dc4379..981eff0 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -5,26 +5,9 @@ let mkAddress = addr: let in { address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); }; in { - systemd.network = { - enable = true; - networks."ens18" = { - DHCP = "no"; - addresses = [ - { addressConfig.Address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; } - ]; - }; - }; - networking = { hostName = "public-cof"; - useNetworkd = true; - useDHCP = false; - - firewall.allowedTCPPorts = [ 22 ]; - firewall.enable = true; - - /* # Default IPv4 exit route defaultGateway = { address = ""; @@ -32,6 +15,14 @@ in { }; localCommands = "ip route add default dev ens20 metric 10"; + useDHCP = false; + interfaces.ens18 = { + useDHCP = true; + ipv6.addresses = [{ + address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; + prefixLength = 64; + }]; + }; interfaces.ens19 = { useDHCP = false; ipv4.addresses = [{ 
@@ -45,7 +36,9 @@ in { # 2nd is for IPv4 → IPv6 proxy in v6proxy/ ipv4.addresses = map mkAddress [ "45.13.104.27/32" "45.13.104.29/32" ]; }; - */ + + firewall.allowedTCPPorts = [ 22 ]; + firewall.enable = true; }; services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]; -- 2.47.0 From 893339ba0b8ef8807f20b02e45dca3390b8ba784 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 18 Sep 2022 18:40:55 +0200 Subject: [PATCH 110/149] feat: fully functional kanboard --- machines/public-cof/kanboard-config.php | 20 ++++++++------- machines/public-cof/kanboard.nix | 24 ++++++++++++++---- machines/public-cof/secrets/default.nix | 6 +++++ .../public-cof/secrets/kanboard-secrets.age | 25 +++++++++++++++++++ machines/public-cof/secrets/secrets.nix | 1 + 5 files changed, 62 insertions(+), 14 deletions(-) create mode 100644 machines/public-cof/secrets/kanboard-secrets.age diff --git a/machines/public-cof/kanboard-config.php b/machines/public-cof/kanboard-config.php index 9c82452..6268892 100644 --- a/machines/public-cof/kanboard-config.php +++ b/machines/public-cof/kanboard-config.php @@ -6,6 +6,9 @@ /* Make sure all paths are absolute by using __DIR__ where needed */ /*******************************************************************/ +// Require the secret file +require('@secretsPath@'); + // Data folder (must be writeable by the web server user and absolute) define('DATA_DIR', '/var/lib/kanboard/data'); @@ -13,7 +16,7 @@ define('DATA_DIR', '/var/lib/kanboard/data'); define('DEBUG', false); // Available log drivers: syslog, stderr, stdout, system or file -define('LOG_DRIVER', 'stdout'); +define('LOG_DRIVER', 'file'); // Log filename if the log driver is "file" define('LOG_FILE', DATA_DIR.DIRECTORY_SEPARATOR.'debug.log'); 
@@ -42,21 +45,20 @@ define('FILES_DIR', DATA_DIR.DIRECTORY_SEPARATOR.'files'); define('MAIL_CONFIGURATION', true); // E-mail address used for the "From" header (notifications) -define('MAIL_FROM', 'replace-me@kanboard.local'); +define('MAIL_FROM', 'todo@dgnum.eu'); // E-mail address used for the "Bcc" header to send a copy of all notifications define('MAIL_BCC', ''); // Mail transport available: "smtp", "sendmail", "mail" (PHP mail function), "postmark", "mailgun", "sendgrid" -define('MAIL_TRANSPORT', 'mail'); +define('MAIL_TRANSPORT', 'smtp'); // SMTP configuration to use when the "smtp" transport is chosen -define('MAIL_SMTP_HOSTNAME', ''); -define('MAIL_SMTP_PORT', 25); -define('MAIL_SMTP_USERNAME', ''); -define('MAIL_SMTP_PASSWORD', ''); +define('MAIL_SMTP_HOSTNAME', 'kurisu.lahfa.xyz'); +define('MAIL_SMTP_PORT', 587); +define('MAIL_SMTP_USERNAME', 'todo@dgnum.eu'); define('MAIL_SMTP_HELO_NAME', null); // valid: null (default), or FQDN -define('MAIL_SMTP_ENCRYPTION', null); // Valid values are null (not a string "null"), "ssl" or "tls" +define('MAIL_SMTP_ENCRYPTION', "tls"); // Valid values are null (not a string "null"), "ssl" or "tls" // Sendmail command to use when the transport is "sendmail" define('MAIL_SENDMAIL_COMMAND', '/usr/sbin/sendmail -bs'); @@ -197,7 +199,7 @@ define('LDAP_GROUP_USER_ATTRIBUTE', 'username'); define('LDAP_GROUP_ATTRIBUTE_NAME', 'cn'); // Enable/Disable groups synchronization when external authentication is used. -define('LDAP_GROUP_SYNC', true); +define('LDAP_GROUP_SYNC', false); // Enable/disable the reverse proxy authentication define('REVERSE_PROXY_AUTH', false); diff --git a/machines/public-cof/kanboard.nix b/machines/public-cof/kanboard.nix index 3ce8a22..37d411c 100644 --- a/machines/public-cof/kanboard.nix +++ b/machines/public-cof/kanboard.nix 
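Review bot: With `define('MAIL_SMTP_PASSWORD', '')` removed, the SMTP transport now depends on the file pulled in by `require('@secretsPath@')` in the previous hunk to define that constant; if that file does not, the first notification send hits an undefined constant, which PHP 8 treats as a fatal error rather than an empty string. A comment next to the remaining SMTP defines would make the contract visible, e.g. `// MAIL_SMTP_PASSWORD is defined by the agenix secrets file included above`. Separately, switching `LOG_DRIVER` to `file` writes `debug.log` into `DATA_DIR` (`/var/lib/kanboard/data`), and kanboard.nix links `/var/lib/kanboard` into the nginx web root as `data/`; the only nginx locations visible on this page are `/` and `~ \.php$`, so unless something not shown denies `/data/`, the log (and the database, if SQLite is in use) may be fetchable over plain HTTP. A `"~ ^/data/".return = "403";` location in kanboard.nix would close that regardless of which log driver is active.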
@@ -5,22 +5,35 @@ let sha256 = if hash == null then lib.fakeHash else hash; }; plugins = map mkKanboardPlugin [ - { name = "userimport_wgroups"; url = "https://github.com/creecros/userimport_wgroups/releases/download/1.0.0/ImportWithGroup-1.0.0.zip"; hash = "sha256-iLpOxwu/atxd062z7z0T3Mkh5YH7IHmcCqiVZPAJbsA="; } + { name = "Milestone"; url = "https://github.com/oliviermaridat/kanboard-milestone-plugin/releases/download/1.1.2/Milestone-1.1.2.zip"; hash = "sha256-NrkMvk/5NdVokKQTYoZajdNEt5athjEzXVgrSHBdQ4w="; } { name = "MarkdownPlus"; url = "https://github.com/creecros/MarkdownPlus/releases/download/1.1.0/MarkdownPlus-1.1.0.zip"; hash = "sha256-BMzEaj47NnLvatEgUbKeibiWf9G+B4EFlVYhDNqk+y4="; } { name = "MetaMagik"; url = "https://github.com/creecros/MetaMagik/releases/download/1.5.1/MetaMagik-1.5.1.zip"; hash = "sha256-8y8+YvS5MAzRt4VVECQK0vQk6oA4Jbxn+2jWQ8nP3gU="; } { name = "OAuth2"; url = "https://github.com/kanboard/plugin-oauth2/releases/download/v1.0.2/OAuth2-1.0.2.zip"; hash = "sha256-L0df8bwPCxHjVOCNiVp+dqVsqJ0CEuJbHzwv5sYprIU="; } - { name = "KanboardOffline"; url = "https://github.com/ipunkt/KanboardOffline/releases/download/1.0.0/OfflineKanboardPlugin-1.0.0.zip"; hash = "sha256-zYIWKM82Em/ys75XgB/udIGk1+EeScE8jpP2HK2wHGQ="; } { name = "HighlightCodeSyntax"; url = "https://github.com/kenlog/HighlightCodeSyntax/releases/download/v1.0.3/HighlightCodeSyntax-v1.0.3.zip"; hash = "sha256-c4bV1gGVNUjHOJKBI6QxsV72mAzcEgjqv8r62ebpPdU="; } { name = "Group_assign"; url = "https://github.com/creecros/Group_assign/releases/download/1.7.12/Group_assign-1.7.12.zip"; hash = "sha256-ijI8nIIqsK8Pr1iEfCBUeUD3dlsIfmkOP0xC39JkIAs="; } ]; pluginsDirectory = pkgs.linkFarmFromDrvs "kanboard-plugins" plugins; + secretsPath = config.age.secrets.kanboard-secrets.path; kanboardConfig = pkgs.substituteAll { name = "kanboard-config.php"; src = ./kanboard-config.php; + inherit secretsPath; inherit pluginsDirectory; }; + package = pkgs.kanboard.overrideAttrs (old: { + installPhase = '' + 
${(old.installPhase or "")} + runHook postInstall + ''; + + postInstall = '' + ${pkgs.xorg.lndir}/bin/lndir ${pluginsDirectory} $out/share/kanboard/plugins + ''; + }); in { + environment.systemPackages = [ + ]; services.phpfpm.pools.kanboard = { user = "kanboard"; group = "kanboard"; @@ -48,13 +61,14 @@ in mkdir -p $out for f in index.php jsonrpc.php ; do echo " $out/$f - tail -n+2 ${pkgs.kanboard}/share/kanboard/$f \ - | sed 's^__DIR__^"${pkgs.kanboard}/share/kanboard"^' >> $out/$f + tail -n+2 ${package}/share/kanboard/$f \ + | sed 's^__DIR__^"${package}/share/kanboard"^' >> $out/$f done ln -s /var/lib/kanboard $out/data + ln -s ${pluginsDirectory} $out/plugins ln -s ${kanboardConfig} $out/config.php '') - { outPath = "${pkgs.kanboard}/share/kanboard"; meta.priority = 10; } + { outPath = "${package}/share/kanboard"; meta.priority = 10; } ]; }; locations = { diff --git a/machines/public-cof/secrets/default.nix b/machines/public-cof/secrets/default.nix index a7cd5ea..861d254 100644 --- a/machines/public-cof/secrets/default.nix +++ b/machines/public-cof/secrets/default.nix @@ -10,4 +10,10 @@ group = "nextcloud"; file = ./nextcloudDatabasePasswordFile.age; }; + + age.secrets.kanboard-secrets = { + owner = "kanboard"; + group = "kanboard"; + file = ./kanboard-secrets.age; + }; } diff --git a/machines/public-cof/secrets/kanboard-secrets.age b/machines/public-cof/secrets/kanboard-secrets.age new file mode 100644 index 0000000..5bc708c --- /dev/null +++ b/machines/public-cof/secrets/kanboard-secrets.age 
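Review bot: `environment.systemPackages = [ ];` in the module body is a no-op and reads like a leftover from debugging; either drop it or add the package it was meant to carry. The plugins are also wired in twice — `lndir` copies them into `$out/share/kanboard/plugins` in `postInstall`, and the next hunk additionally symlinks `${pluginsDirectory}` to `$out/plugins` in the nginx root — so one of the two paths is dead once it is clear which one Kanboard resolves (presumably via the `@pluginsDirectory@` substitution in the config, which is not visible here). The pinned `sha256` on every plugin archive is the right call for release zips fetched from GitHub; the `lib.fakeHash` fallback in `mkKanboardPlugin` (context at the top of the hunk) is only a bootstrapping aid and should never reach a deployed entry.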
@@ -0,0 +1,25 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +jsay8IXK6RjVULRqpfvgHOr8H3ALxQyJ3BQIkmSfRrLlJXDbYWUKBCztXc7whfb/ +XTc3Sa5bybIXXX3wLzYmxCYjUa1CoHgIb1UWAhM3KyTJ4XSw7pVti29VM5p74+ex +tJeb44hXlkD7V7C2yYp6CcBH1IgnvEL8ulVopkis/TBQtWi6QaGJBPX2yxEJ3QDh +uAn5czrrDenBZRsIYTaKrlbgCM/Oeh4mDFSaFKIqfX2g7ClbsC1ejF3PvbsXN6il +pk2YSZ/F5ivNBkvWFmQrNJyLjkcIrxoFvzcXOTk8yM9iu4BFlPbX7NcAMrHpbSIR +3ew59I0cGkbzRAtLI9p97w +-> ssh-ed25519 85WiGg XQK2huU0kqkKbVYf6SJFqcumOL8zDPfOuGwNy78dJm4 +aP8CNgS1/wfv2RB7nXZqYnZaXDORk9I5lPZy87FVmRY +-> ssh-ed25519 reTIKw jZ57SfMYyOr9P9eNK/Q2CMAWtYtfjyV/MaTVnqEHxkU +ycPo/pwC9CtYWAcrclo1b26+mPU4Z6pCPecGPMmL3ag +-> ssh-ed25519 /vwQcQ v5bvHTvld6WErGt+Vp0mivpFH5srQPHkbPd0Nk3IDy0 +27+ZreTwyaxtb5vrRpD/2C2MUT9onRcX4Yr7KHnTGOo +-> ssh-ed25519 cvTB5g gKxECDYMSja0FTqteAk39iMDsNIM+ox31sIvnY2ityk +pkUZgDWdAzuGCvuRhOE8oeazIRw+kpPhnkksF2zTjxA +-> ssh-ed25519 Wu8JLQ lMgIKw3Qzg/Lw6UtpPZWDrE0WBc71meaprrnmARqDDM +FN/S9xo22u4kMWqrPD3KmfLbDq8L0TxtfDUSBLVq+Tk +-> ssh-ed25519 xbfJnw emSflhzdsItaXULjPXre8jlnXxJuXFAaoLWGVAAej1I +4OS68AuzPr+zwp9Bqb4lYGJHjPwPMSXuprw7+8agOyU +-> Wd-grease +pdSa/JP70fd6VvSgpIJQAk8ZiZfKo8l7UpVwBib59SB9IRNVZdSbHINFUzuIozGu +Z7dyg+x6QQ +--- TjceHicjeIIKz0f7R5u7nLrCtb39MmS/vEK3w0xHbmw +QZ`?Zv~^$ct2ԓy3.+KF2OC_$]y~l%0_ ܻ REM4Hİ{r$ެ*1\2FڬBLAK!&C׋_.Om3͕hδV< z$'-s'J \ No newline at end of file diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index 3f8a62a..70be48a 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -9,5 +9,6 @@ in { "nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems; "nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems; + "kanboard-secrets.age".publicKeys = superadmins ++ systems; } -- 2.47.0 From 124ec3ab73d52667a3b5a5a47cf62bac5a4a1823 Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 1 Oct 2022 22:49:56 +0200 Subject: [PATCH 111/149] feat: bridge #dgnum over Merle --- machines/core-services-01/matterbridge.nix | 2 +- machines/core-services-01/matterbridge.toml | 21 +++++++++++++++--- .../core-services-01/secrets/matterbridge.age | Bin 1415 -> 1519 bytes 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/machines/core-services-01/matterbridge.nix b/machines/core-services-01/matterbridge.nix index 7eefba1..06b31e6 100644 --- a/machines/core-services-01/matterbridge.nix +++ b/machines/core-services-01/matterbridge.nix @@ -28,7 +28,7 @@ let startScript = pkgs.writeShellScriptBin "start" '' ${manageSecrets ./matterbridge.toml "$CREDENTIALS_DIRECTORY/secrets" "$RUNTIME_DIRECTORY/conf.toml" - [ "SECRET_MATTERMOST_WEBHOOK" ]}/bin/preStart + [ "SECRET_MATTERMOST_KLUBRZ_WEBHOOK" "SECRET_MATTERMOST_DGNUM_WEBHOOK" ]}/bin/preStart ${pkgs.matterbridge}/bin/matterbridge -conf $RUNTIME_DIRECTORY/conf.toml ''; in { diff --git a/machines/core-services-01/matterbridge.toml b/machines/core-services-01/matterbridge.toml index d4b9ab8..49116fa 100644 --- a/machines/core-services-01/matterbridge.toml +++ b/machines/core-services-01/matterbridge.toml @@ -7,11 +7,16 @@ PrefixMessagesWithNick=true RemoteNickFormat="<{NICK}> " [mattermost] - [mattermost.merle] - WebhookURL="SECRET_MATTERMOST_WEBHOOK" + [mattermost.merle_klubrz] + WebhookURL="SECRET_MATTERMOST_KLUBRZ_WEBHOOK" WebhookBindAddress="0.0.0.0:52187" PrefixMessagesWithNick=false RemoteNickFormat="{NICK}" + [mattermost.merle_klubrz] + WebhookURL="SECRET_MATTERMOST_DGNUM_WEBHOOK" + WebhookBindAddress="0.0.0.0:52188" + PrefixMessagesWithNick=false + RemoteNickFormat="{NICK}" [[gateway]] name="réseau" enable=true 
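Review bot: The second Mattermost account added under `[mattermost]` is declared as `[mattermost.merle_klubrz]` again, so the table is defined twice (a parse error in strict TOML parsers) and `mattermost.merle_dgnum`, which the dgnum gateway in the next hunk refers to, never exists; the header should read `[mattermost.merle_dgnum]`. Both webhook listeners bind `0.0.0.0` (`:52187`, `:52188`); if the host firewall does not limit those ports to the Mattermost server, anyone who can reach them can post into the bridged channels, so either binding to the interface Mattermost reaches this host on or a matching firewall rule is worth confirming (the firewall config is not part of this patch).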
@@ -19,5 +24,15 @@ enable=true account="irc.ulminfo" channel="#réseau" [[gateway.inout]] - account="mattermost.merle" + account="mattermost.merle_klubrz" + channel="town-square" + +[[gateway]] +name="dgnum" +enable=true + [[gateway.inout]] + account="irc.ulminfo" + channel="#dgnum" + [[gateway.inout]] + channel="mattermost.merle_dgnum" channel="town-square" 
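Review bot: The dgnum gateway's second `[[gateway.inout]]` entry sets `channel="mattermost.merle_dgnum"` where `account=` is expected and then sets `channel` a second time with `channel="town-square"`, leaving the entry with no account and a duplicate key; it should read `account="mattermost.merle_dgnum"` followed by `channel="town-square"`. The `réseau` gateway's inout just above shows the intended shape.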
diff --git a/machines/core-services-01/secrets/matterbridge.age b/machines/core-services-01/secrets/matterbridge.age index 1071c43b33daaa3e93fae325e8d50122995c65c4..f4ea1d5e441eaa4b392dd2f255f591a06a917bdc 100644 GIT binary patch literal 1519 zcmZY7?d#lx0S9m&DoA9YwIE{_0vqTSe$D0SE5{w4C6`<-$sNkb)8*-s+$ERX zU3@~MQbb1`=nE?-zEG(MR_fRT^Tkx=CeywVwIDL-#w>MICWUTA*1g!9_8<6u_X@f~&vXTm9L@*tiLPCh_VqNQeKZGnx3KmT# zO+yPw#H`I#4(E-0mtMdoY%(i{CPfy(hH8YAJpkQpAP=JZQ$`HuTrTJ^A1-`h;J3^) z3H^RCllv?-?ypTJQM6rc6$rAKby6GE+FE0D0J90F9A1OK{ZOmYZ$9SXEdr2;uTXPrZaXStGb>Tp8FXC;QVHWO`WXN&LM`tqTrEIlm zC3!<*Si)sd)o5OgHgpnevz02EDd{>|g#hMgyz0URlH#VOV02BJ`39nfCDO|#%qAb3 zasn~VU`UBL*BvFM?ibt+tsuj$tL`!*0WnAmjA##CbR%S|b*|wZFIE4)w(p??flwex zn2`{GVpTLrMvh@FF8qLV+KkIdl{nEIy*F02u8b)NKI&`@%mpYe#7J3jIwO08ki%i> zZuQ1=qYm3@*=c37c&BI(qmc*n)mq`}y}HnwG~9GbErl!nxHIA})qrH1c%l((rE6_Ab4-D)Zx>PW2YVtU2zCVtp~ zf=OIbgJ|UobH3cA)KZ>Yt+}<%5COX!SfhQ``R}FTy5oy7+3ZL(#a)x)sb$N|uR%BmN!Me4QX-bbw zS;JY2E@-+?Y9|qO-;OXFCyas~!ZUwp(Hme*WFwYT7dXZbycl1VU2If`Jw$9{CK4tS zeQ31d3LA+ge|5L8O$QDQV!Ea1Fo7zLY}d0Af|4Lbh>Ba-?J-+P{8*clc8;3DmImy) zUK&j*jeM)_RmYu@98a$<>Dw<$)MGMC#Cl%Z(V zn+C1_bvt~>yL-{!3ku&ZeNZ?A!hkO`%Nk7+e6Y^xXcuqOOjI#ORJK(_jT^LT1}l!r zc1jP6Ih9e@5+-l$&?&Sl2d)lf_oxgD5 z2wr*%dF}qEe)GG7M=xIg!!h~Bf9&&jl8-W!_?P`ZdHk8%2gSt$&wYNj4SstZ{qmTx z@B940xBvAb_|GS=`_+rlkBQfR_Ji#wIduI8M?U@in_nC`y6=V)-(0%wvFY>gfv>)N G<9`88*AWK* literal 1415 zcmZY6$?M~E7{_sN5XXQAVZejJ6h;LpKhrd6k}8a5YnEndlBP)mB3Zs!nl@>(waLK+ zaZtQ@89nq?3`QJAzttRXs{C`4@9OpX~;*v8Nlv7}4K_oQj+z7>(ZE$2Cg1031OJeOI(*?$(uVhscTz>4%Mj9s<=K_B2{GHl)3S)y*i0k{!xaj2J373-1@oG981_ zgeRAAM;*o~<1$Bt)XaQMU0QRjDsY@sM*3~ z_ASF1)1}4@aaFf>wGaE# zuJc=>n=9j$LcxJhR+dU`ivLTNl{d&rn~`;B-DwHepsIvR&cTc_MEB(#EF_vq&S$MN z0;k&Eli`M5FHa-ZJ5aN=jmHit7(lPG4ud9&wsHw|lhKV`1A`@;BP<|mOdQqIAf*>0 zeBI*Mav!9^+DkYT=PioNOdPDsX+|xEP#ht!$DMMLksL(jOuS@cj#YPCx@lx3!x7}T zULwb1jbTbsQOli1aW*=krnSFsB#=OQ0DG=OI6cs^ey_paTFGH^WpLIcvehu5VhU|p zLa{h%-P2fQPH0ba#|xUbV6jMKNJ;!~DN`uNp}WXb7^%qB9^TH-gKA`qGxMD`soNlf 
zHA=|$C2u5@?+emme>fo+kpz(3`drM_I+#id-gt9kq<2XCU+vf~o;F`Ni%Z~D06O3# zTNq#;fEbLbLYl>epDW8#Z$=Bli2+Ja7%pYHV_$oT=~N{e)v&ZO6MRmK5 z(&v{i-h1i8YhV2I-HWf@`2OYe)+aweU&+5eA3XBlRsQ<9?)6s~>h#V1U%&g=mA9U1 z?zwv3Er9)c^PyipxWT;n{!4E>x;p>f^}mPMV^{7y_x8t+zw?Lq*UukadhX^EU;gvj T>Y4Ie?8oEs+6C{~Ke2xSG{e~U -- 2.47.0 From 179a628a4d578c7517b60ab6e2cf26f93cce4149 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 1 Oct 2022 23:04:19 +0200 Subject: [PATCH 112/149] feat: remove netdata package pin --- machines/core-services-01/monitoring.nix | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 2a8ac5f..53f3343 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -36,16 +36,6 @@ in { services.netdata = { enable = true; - package = pkgs.netdata.overrideAttrs (old: { - version = "1.35.0-nightly"; - src = pkgs.fetchFromGitHub { - owner = "netdata"; - repo = "netdata"; - rev = "955d1a7c61f4eab802648d563f84d978ebeb8fc4"; - sha256 = "sha256-gN44Df+k384NummsHls2JY1CinBaFK3cpdmmdZMbA44="; - fetchSubmodules = true; - }; - }); }; # Allow WireGuard VPN -- 2.47.0 From 4bc455054018c771d2fecc6812de4f491e75fe68 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 2 Oct 2022 00:21:16 +0200 Subject: [PATCH 113/149] Revert "feat: remove netdata package pin" This reverts commit 179a628a4d578c7517b60ab6e2cf26f93cce4149. --- machines/core-services-01/monitoring.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 53f3343..2a8ac5f 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix 
@@ -36,6 +36,16 @@ in { services.netdata = { enable = true; + package = pkgs.netdata.overrideAttrs (old: { + version = "1.35.0-nightly"; + src = pkgs.fetchFromGitHub { + owner = "netdata"; + repo = "netdata"; + rev = "955d1a7c61f4eab802648d563f84d978ebeb8fc4"; + sha256 = "sha256-gN44Df+k384NummsHls2JY1CinBaFK3cpdmmdZMbA44="; + fetchSubmodules = true; + }; + }); }; # Allow WireGuard VPN -- 2.47.0 From 964912c3d4cbb87fd27f849e139eee73d8007848 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 9 Oct 2022 14:43:29 +0200 Subject: [PATCH 114/149] core01: try latest nightly for netdata and disable cloud --- machines/core-services-01/monitoring.nix | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 2a8ac5f..edf0d20 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -37,17 +37,19 @@ in services.netdata = { enable = true; package = pkgs.netdata.overrideAttrs (old: { - version = "1.35.0-nightly"; + version = "1.36.0-185-nightly"; src = pkgs.fetchFromGitHub { owner = "netdata"; repo = "netdata"; - rev = "955d1a7c61f4eab802648d563f84d978ebeb8fc4"; - sha256 = "sha256-gN44Df+k384NummsHls2JY1CinBaFK3cpdmmdZMbA44="; + rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; + sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; fetchSubmodules = true; }; }); }; + systemd.services.netdata.environment."NETDATA_DISABLE_CLOUD" = "1"; + # Allow WireGuard VPN networking.firewall.allowedUDPPorts = [ 51820 ]; # Allow access to the raw netdata @@ -71,12 +73,6 @@ in ]; }; - systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [ - "netdata" - "stream" - "health_alarm_notify" - ]; - environment.etc."netdata/netdata.conf" = lib.mkForce { user = "netdata"; group = "netdata"; 
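Review bot: The `@@ -71,12 +73,6 @@` hunk of patch 114 drops `systemd.services.netdata.restartTriggers` for the `netdata`, `stream` and `health_alarm_notify` config files, which the commit message ("try latest nightly and disable cloud") does not mention; after this, edits to those `environment.etc` entries no longer restart netdata on deploy, so changes like the `nc` swap in the next hunk only take effect on the next unrelated restart, unless restarts are handled somewhere not shown. If the removal is intended, a one-line comment on the `services.netdata` block such as `# config changes under /etc/netdata need a manual restart` would spare the next person a debugging session; otherwise the three lines should stay.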
@@ -122,7 +118,7 @@ in mode = "0600"; text = '' # External tools - nc="${pkgs.netcat}/bin/nc" + nc="${pkgs.nmap}/bin/nc --ssl" # IRC configuration SEND_IRC="YES" -- 2.47.0 From 6b02a84975457baf19051a51dfa85c8d802d9189 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 12 Oct 2022 01:29:08 +0200 Subject: [PATCH 115/149] core01: initialize tunnels setup --- machines/core-services-01/configuration.nix | 4 +++- machines/core-services-01/tunnels.nix | 19 +++++++++++++++++++ machines/public-cof/minecraft.nix | 4 ++-- 3 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 machines/core-services-01/tunnels.nix diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index dcf85af..9ff2a3f 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -25,6 +25,7 @@ ./oauth2_proxy.nix ./secrets ./matterbridge.nix + ./tunnels.nix # TODO push to gitea # TODO ./gotify.nix # TODO(Raito): ./backups.nix @@ -94,5 +95,6 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "20.09"; # Did you read the comment? + system.stateVersion = "22.05"; # Did you read the comment? + environment.variables.NIX_PATH = lib.mkForce "/var/src"; } diff --git a/machines/core-services-01/tunnels.nix b/machines/core-services-01/tunnels.nix new file mode 100644 index 0000000..a396adc --- /dev/null +++ b/machines/core-services-01/tunnels.nix 
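Review bot: `nc="${pkgs.nmap}/bin/nc --ssl"` enables TLS for the IRC notifier, but ncat's `--ssl` on its own does not verify the server certificate, so the alert traffic is protected against passive reading only; adding `--ssl-verify` makes ncat check the chain and host name, i.e. `nc="${pkgs.nmap}/bin/nc --ssl --ssl-verify"`. This relies on netdata's health_alarm_notify script expanding `$nc` unquoted so that the embedded flags become separate arguments; if the pinned version quotes the variable, the flags would have to go elsewhere — worth confirming against that script.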
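Review bot: `system.stateVersion` is moved from `"20.09"` to `"22.05"` on an already-deployed host, which the comment directly above the line warns against: stateVersion selects stateful defaults (database formats, default paths and similar) and is meant to stay at the first-install value, so bumping it can silently change how existing services behave. If the goal is only to quiet a version mismatch, keep `"20.09"` and say why in the comment; if state was actually migrated, the commit message should record what. The new `environment.variables.NIX_PATH = lib.mkForce "/var/src";` also needs `lib` in the module's argument list, which is outside this hunk.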
@@ -0,0 +1,19 @@ +{ ... }: { + networking.wireguard.interfaces.wgalpha = { + privateKeyFile = "/etc/secrets/wireguard/wgalpha"; + listenPort = 9999; + + ips = [ + "fdee:a536:13fa:53ab::2/128" + ]; + + peers = [ + { + publicKey = "yAdQRTHn9Yko2r24j8tlxWBz0nYzHRxryPFq8t44Xw4="; + allowedIPs = [ "fdee:a536:13fa:53ab::1/128" ]; + } + ]; + }; + + networking.firewall.allowedUDPPorts = [ 9999 ]; +} diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index c56701f..089b0ae 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -2,8 +2,8 @@ let papermc = { ram = 4; # In GB - version = "1.18.2"; - build = 270; + version = "1.19.2"; + build = 200; sha256 = "M3/z7lgHVDG+WqxPvyrxvfobEvkkPf90bDoN/Dq+VZY="; }; port = 25565; -- 2.47.0 From 570071bb715a9774b28c9d5e8c5164556a920c96 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 13 Oct 2022 21:52:40 +0200 Subject: [PATCH 116/149] feat: bump to 1.19.2 and add clem197 to allow-list --- machines/public-cof/minecraft.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 089b0ae..db78249 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -4,7 +4,7 @@ let ram = 4; # In GB version = "1.19.2"; build = 200; - sha256 = "M3/z7lgHVDG+WqxPvyrxvfobEvkkPf90bDoN/Dq+VZY="; + sha256 = "sha256-fhQ1Kukp0MDF0312y/DR3wS9wKXY2aKUyU5f64ELylM="; }; port = 25565; rconPort = 25575; @@ -42,6 +42,7 @@ in Sup3Legacy = "575ecb9f-bf28-46cb-bc50-cb6bb340c905"; Pollux3737 = "ffa65818-b022-4830-aa90-7f3211c8ee3d"; CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849"; + clem197 = "7461bfdf-4dca-44c2-b035-b49d5740dfc5"; }; serverProperties = { -- 2.47.0 From e827b28967e30579ffd69141ded9c40ce0a87915 Mon Sep 17 00:00:00 2001 
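Review bot: `privateKeyFile = "/etc/secrets/wireguard/wgalpha"` points at a file nothing in this repository provisions, unlike the other credentials on these hosts, which are `age.secrets.*` entries with an owner and group; a fresh deploy of core01 brings `wgalpha` up only after that file has been placed by hand. If out-of-band provisioning is intentional, a comment on the line such as `# key provisioned manually, not managed by agenix` avoids the surprise; otherwise an `age.secrets.wgalpha` entry whose `path` is used here keeps secret handling uniform with the rest of the configuration.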
From: Raito Bezarius Date: Thu, 27 Oct 2022 22:31:47 +0200 Subject: [PATCH 117/149] feat: deploy garage on public-cof --- machines/public-cof/configuration.nix | 3 ++- machines/public-cof/garage.nix | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 machines/public-cof/garage.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index f4e4dd6..08b929a 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -9,6 +9,7 @@ ./acme.nix ./networking.nix ./monitoring.nix + ./garage.nix ./nextcloud.nix ./minecraft.nix # ./rstudio-server @@ -17,7 +18,7 @@ ./nginx.nix # ./cryptpad.nix ./hedgedoc.nix - ./kanboard.nix + # ./kanboard.nix ./secrets ./v6proxy # TODO monitoring diff --git a/machines/public-cof/garage.nix b/machines/public-cof/garage.nix new file mode 100644 index 0000000..f74eaca --- /dev/null +++ b/machines/public-cof/garage.nix @@ -0,0 +1,26 @@ +{ pkgs, ... }: +{ + services.garage = { + enable = true; + settings = { + replication_mode = "none"; + compression_level = 7; + + rpc_bind_addr = "10.1.1.21:3901"; + rpc_public_addr = "10.1.1.21:3901"; + rpc_secret = "76c2746530a4a27d188530a6bbf6c4613ccb8d8f129863d8c21462b84d5b998f"; + + s3_api = { + s3_region = "ens"; + api_bind_addr = "[::]:3900"; + root_domain = ".s3.rz.ens.wtf"; + }; + + s3_web = { + bind_addr = "[::]:3902"; + root_domain = ".cdn.rz.ens.wtf"; + index = "index.html"; + }; + }; + }; +} -- 2.47.0 From ccf00cdc46a78fa88938a2535e58e4de1ea2f623 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 27 Oct 2022 22:31:55 +0200 Subject: [PATCH 118/149] public-cof: nextcloud23 -> nextcloud24 --- machines/public-cof/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index b243afb..7ccf2de 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix 
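Review bot: `rpc_secret = "76c27465…b998f"` commits Garage's cluster RPC shared secret in plain text, so it sits in git history and, since `settings` is rendered to a config file by the module, presumably in the world-readable nix store as well; every other credential on public-cof goes through `age.secrets.*` in `secrets/default.nix`. The value should be treated as exposed and rotated, and the replacement kept out of the store — Garage accepts `rpc_secret_file` pointing at a file (confirm the option exists in the deployed Garage version), so `rpc_secret_file = config.age.secrets.garage-rpc-secret.path;` with a matching agenix entry (name is a placeholder) would match the rest of this host's secret handling.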
@@ -5,7 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud23; + package = pkgs.nextcloud24; config = { overwriteProtocol = "https"; -- 2.47.0 From 7beba083215aea4a360a04d28914b24034735212 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 27 Oct 2022 22:40:43 +0200 Subject: [PATCH 119/149] public-cof: nextcloud24 -> nextcloud25 --- machines/public-cof/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 7ccf2de..8a9572b 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,7 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud24; + package = pkgs.nextcloud25; config = { overwriteProtocol = "https"; -- 2.47.0 From b40a49feedce631cd00c02db6e195913cdd8b4ab Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 28 Oct 2022 00:36:57 +0200 Subject: [PATCH 120/149] =?UTF-8?q?feat:=20add=20notion.rz.ens.wtf=20?= =?UTF-8?q?=E2=86=92=20public-cof?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/core-services-01/subZone.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 256b659..7b7a56c 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -43,6 +43,9 @@ dualstack // { core01 = dualstack; ns1 = dualstack; + # First non-beta service, our Outline. + notion = public-cof-ips; + builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; gdd = { -- 2.47.0 From 43d3367e9f267aacd725f8467a734d04ecea3f12 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 17:31:46 +0200 Subject: [PATCH 121/149] core01: DNS for Garage & Outline --- machines/core-services-01/subZone.nix | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) 
diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 7b7a56c..b76e4f7 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -43,8 +43,28 @@ dualstack // { core01 = dualstack; ns1 = dualstack; - # First non-beta service, our Outline. + # Non-beta service + # Outline notion = public-cof-ips; + # S3 API + s3 = public-cof-ips; + # CDN API + cdn = public-cof-ips // { + CAA = [ + { issuerCritical = false; + tag = "issue"; + value = "letsencrypt.org"; + } + { + issuerCritical = false; + tag = "iodef"; + value = "mailto:${my.email}"; + } + ]; + subdomains = { + "*" = public-cof-ips; + } // delegateACMEDNSChallenge "7a9dffd8-f57b-4635-ba79-07f8b0db4fad.acme.rz.ens.wtf."; + }; builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; -- 2.47.0 From 42a569b41d906edd04d507ef91d47dd486a51310 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 17:32:10 +0200 Subject: [PATCH 122/149] public-cof: deploy completely Outline and Garage --- machines/public-cof/configuration.nix | 2 ++ machines/public-cof/garage.nix | 20 ++++++++++++ machines/public-cof/outline.nix | 31 +++++++++++++++++++ machines/public-cof/secrets/default.nix | 12 +++++++ .../secrets/outline-oidc-client-secret.age | 26 ++++++++++++++++ .../public-cof/secrets/outlineS3Secrets.age | 25 +++++++++++++++ machines/public-cof/secrets/secrets.nix | 2 ++ 7 files changed, 118 insertions(+) create mode 100644 machines/public-cof/outline.nix create mode 100644 machines/public-cof/secrets/outline-oidc-client-secret.age create mode 100644 machines/public-cof/secrets/outlineS3Secrets.age diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 08b929a..b4a2599 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix 
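Review bot: The two `CAA` entries are formatted differently — the first opens with `{ issuerCritical = false;` on one line while the second puts the brace on its own line; the second form matches the other multi-line attrsets in this hunk, so the first should follow it. The records themselves are consistent with what follows: with no `issuewild` tag, the `issue` record for `letsencrypt.org` also governs the `*.cdn.rz.ens.wtf` wildcard requested in the next patch, so no extra record is required.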
@@ -11,6 +11,7 @@ ./monitoring.nix ./garage.nix ./nextcloud.nix + ./outline.nix ./minecraft.nix # ./rstudio-server ./nur.nix @@ -27,6 +28,7 @@ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "minecraft-server" "factorio-headless" + "outline" ]; boot.loader.systemd-boot.enable = true; diff --git a/machines/public-cof/garage.nix b/machines/public-cof/garage.nix index f74eaca..7d25b0a 100644 --- a/machines/public-cof/garage.nix +++ b/machines/public-cof/garage.nix @@ -1,5 +1,25 @@ { pkgs, ... }: { + security.acme.certs."cdn.rz.ens.wtf" = { + dnsProvider = "acme-dns"; + credentialsFile = pkgs.writeText "acme-dns-env" '' + ACME_DNS_API_BASE=https://acme.rz.ens.wtf + ACME_DNS_STORAGE_PATH=/var/lib/acme/lego-acme-dns-accounts.json + ''; + extraDomainNames = [ "*.cdn.rz.ens.wtf" ]; + group = "nginx"; + }; + services.nginx.virtualHosts."s3.rz.ens.wtf" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://[::1]:3900"; + }; + services.nginx.virtualHosts."cdn.rz.ens.wtf" = { + serverAliases = [ "*.cdn.rz.ens.wtf" ]; + useACMEHost = "cdn.rz.ens.wtf"; + forceSSL = true; + locations."/".proxyPass = "http://[::1]:3902"; + }; services.garage = { enable = true; settings = { diff --git a/machines/public-cof/outline.nix b/machines/public-cof/outline.nix new file mode 100644 index 0000000..aef8e12 --- /dev/null +++ b/machines/public-cof/outline.nix 
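Review bot: `s3.rz.ens.wtf` and `cdn.rz.ens.wtf` terminate TLS in nginx and proxy to `http://[::1]:3900` / `http://[::1]:3902`, but the Garage settings further down this file (added in the previous patch) bind `api_bind_addr = "[::]:3900"` and `s3_web.bind_addr = "[::]:3902"`, so the unencrypted S3 API and web endpoints are also reachable directly on every interface unless the firewall blocks those ports (not visible here). Binding them to loopback, `api_bind_addr = "[::1]:3900";` and `bind_addr = "[::1]:3902";`, makes nginx the only entry point and matches the proxyPass targets. Also worth checking: NixOS nginx applies a default `client_max_body_size` (10m unless `services.nginx.clientMaxBodySize` is set), which will reject larger object uploads through the `s3` vhost.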
@@ -0,0 +1,31 @@ +{ pkgs, lib, config, ... }: +{ + services.nginx.virtualHosts."notion.rz.ens.wtf" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:3000"; + proxyWebsockets = true; + }; + }; + services.outline = { + enable = true; + publicUrl = "https://notion.rz.ens.wtf"; + defaultLanguage = "fr_FR"; + storage = { + accessKey = "GK8b32d276b2eafb999a53188a"; + secretKeyFile = config.age.secrets.outlineS3Secrets.path; + uploadBucketUrl = "https://s3.rz.ens.wtf"; + uploadBucketName = "outline"; + region = "ens"; + }; + oidcAuthentication = { + userinfoUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/userinfo"; + tokenUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/token"; + authUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/auth"; + clientSecretFile = config.age.secrets.outline-oidc-client-secret.path; + displayName = "Club réseau"; + clientId = "outline"; + }; + }; +} diff --git a/machines/public-cof/secrets/default.nix b/machines/public-cof/secrets/default.nix index 861d254..dce31c2 100644 --- a/machines/public-cof/secrets/default.nix +++ b/machines/public-cof/secrets/default.nix @@ -16,4 +16,16 @@ group = "kanboard"; file = ./kanboard-secrets.age; }; + + age.secrets.outlineS3Secrets = { + owner = "outline"; + group = "outline"; + file = ./outlineS3Secrets.age; + }; + + age.secrets.outline-oidc-client-secret = { + owner = "outline"; + group = "outline"; + file = ./outline-oidc-client-secret.age; + }; } diff --git a/machines/public-cof/secrets/outline-oidc-client-secret.age b/machines/public-cof/secrets/outline-oidc-client-secret.age new file mode 100644 index 0000000..d73537f --- /dev/null +++ b/machines/public-cof/secrets/outline-oidc-client-secret.age 
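Review bot: The two agenix entries added to `secrets/default.nix` use different naming styles, `outlineS3Secrets` (camelCase, like `nextcloudDatabasePasswordFile` above) and `outline-oidc-client-secret` (kebab-case, like `kanboard-secrets`), and the `.age` file names follow suit; since outline.nix references both through `config.age.secrets.<name>.path`, settling on one convention for the pair now avoids a rename of the encrypted files later.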
@@ -0,0 +1,26 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +HeTVcJxU2zRewuzQVknnxAYjlCU8+GJjBz9joGPo2j934uiM3A6PBsFmoz6I1ZfJ +pg68benaKfV+VI1sN8fMDWoEO0QrFzHYULXT9JCyQTClUzUZSlMpzmDgCmHjLPEc +qB23sbwKzgyFO9SKHsPvOqxZrEyTwAKiNYa33QuSyRxN3S4/9PxVjgJTTqLbTVqf +hhnujxviU3iHV2ACqLAV5jYSbAleiAh53vnBc0k326vXbrumQqFvQtgwcqDn4vDR +2QYzEwsj+yV9BlRrGSBZSnoHZjWtsE/ntrEaIZiItT3Ots1CCVswd7LGb3LspYbf +NheRvY7zUXppGiB0+mjZJg +-> ssh-ed25519 85WiGg tGvDzYdpKP8lql3murRlp95w7jQUhhuodIgVxDk4Lgs +aVV4b71w/nU3nBaYKdzzYjXVaxgN2EpyQiKsjO33GcI +-> ssh-ed25519 reTIKw LJJF7K8fRsSoAFDyndWP9nA5FV4w7cWSqUgGnvdB42I +wI22cL/GuyVou1robDUHzNMfCR7L6NA4UWFSeV73d88 +-> ssh-ed25519 /vwQcQ KZQSME50r4yrnyFfH6nwbmCn0UmVUMIBhhfqoicrKVY +xDdBu7/K8ZxGT2BnffAR8UsQIAVlLpSfEvo1m4k87ng +-> ssh-ed25519 cvTB5g HjLQQhFwEekFYHV5sko/x8RwcAsgvl/cCoKakX4B6yE +Ub5TWpDPYA3DSwfRT2hmgPcwoMIhsOhgdhckFuZxQ8s +-> ssh-ed25519 Wu8JLQ L0bnDPmv3Chemi/BKhux9GYXDMMLUjO6H8MQe1REpBA +qtN6IH8M8kLYAQ8a64kYCCaAPhg6VjrojTONdY4MVyA +-> ssh-ed25519 xbfJnw 94xx8KL0EWqs3HIsdY9RFvC6aRsk7cemZxciLIkVCDM +WZnyqSwpCBA8GNnu6VEJSLIRtv8rzOpGFH6e387ohpQ +-> TS-grease +D32P8/tpegDSy/xsspwpuq8EVqwDyZUzJF2Ose+3cqHAx8db4DPWnmt4z4Ch5bXw +KtmO+2eEYTmPyYUZxI+uzr93CQhVq7aFlch6cWLEaqg +--- 6kPR6tdczt01UaY4ps38dncSMFCupa9uZmSWBjm85ps +Ln4Kz>(ن=fʷPG ssh-rsa krWCLQ +nxiY5l98JhWEwLYN7sWtsgN4faDTIpgo1fiPScxXB8/ljnxIyd1vhMVRt0WCTOQV +CFTQ9MOoTAk90Zj4wjxDjoJjjsXLUBVnjqLdQy76kgR5vAvVrHzuYTYO4Y4k0/qh +S6BEFN655P0n4Gxf9kJtKxi3ipN6B46ydACAjFeyeuOPMkMdBBZq1BOLPEOC9I+O +87p+8BdL+zxkYfaWfEggYgabrE7y91EjiB1VCuT0GFm8T8iBojvThxWQlHQAybBc +gvgTlyGf8YmY82uGhGQR39okrA914mJUkr11JZ9457qL+/t5Au/dha1x6QlwcUoz +Tp5OQJAfXZc02LsICq2I7A +-> ssh-ed25519 85WiGg c6vyT96h0eVL+xZpR0Zk06l5ApUsqENY9ESeYuOG0zY +dJbQVgH41Ti/AM7WAlXCCA501h8wgx2os5yiZt+jxp8 +-> ssh-ed25519 reTIKw rVhKDqm51EMuOQnTcsdWmqoBDI/LLnFpkJW93EfcdB0 +AAOEQp0tux1vJ0bPIcB1HtLodig/J4poeu6j/Hk8KiA +-> ssh-ed25519 /vwQcQ jGLr83VDSxYd3v42ECOiTpSTDRB5TVSqx3QHRbMgfEk +k2hBCGntsqP0czKV2JvMbf8lAqpjVvnJqSxfdr00A7w +-> ssh-ed25519 
cvTB5g BqVT8ytcjINNKrGAtttAtxRMpLs4LJg1Uy3zvDxTvwk +DRDEl+CNZnuT+KE1txjHgaWIYmiSeUTsesnXYq89YNQ +-> ssh-ed25519 Wu8JLQ 731ytp+gu36OvH0QbkeDUwMHj3J4u0JujJnfTUQ2C1A +KPGEKLoV9K1PPdIyla5D1lsmhRt/XUHLrCTeApbqR6c +-> ssh-ed25519 xbfJnw Ojf4cuctALx+Q/qWqSarRcnxvwrHjbAK5r4pnhKUzmo +WHp4Op3N3SeniWS7XhPmvRkTyjDIPDBBGviDaiCNbOc +-> 3P-h|3ru-grease +5icFsPwzKpnImSlgICy/wDq6YJLTcIML3EoDUOgvGOFSs+efH4bWExmd2ktGtqYd +ewEKHYlnpIFNTMtlRs7U7sR3qnLHadq3McnhR/8OlQ +--- iwVp/AYpQfFOIg/OI85nNTgdY/HKlEsCHWiBO0lOtJg +Z=eBb[3$k(2x%0+18T,;Fլ"EKeZ*$}Cpo9+|CJ- \ No newline at end of file diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index 70be48a..c703081 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -10,5 +10,7 @@ in "nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems; "nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems; "kanboard-secrets.age".publicKeys = superadmins ++ systems; + "outlineS3Secrets.age".publicKeys = superadmins ++ systems; + "outline-oidc-client-secret.age".publicKeys = superadmins ++ systems; } -- 2.47.0 From 555aabb7984d28c38118375adfa8a9a28476fa70 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 17:32:19 +0200 Subject: [PATCH 123/149] krops: bump channel --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 0102eb0..92a2cda 100644 --- a/krops.nix +++ b/krops.nix @@ -9,7 +9,7 @@ let # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "823e2c9b0a0ec8b61b6583f48338072f137b6889"; # nixos-unstable + ref = "8d3bd93e67201a7c8238e9cbde6d07aba9500636"; # nixos-unstable url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.47.0 From 82cfe98dde2603c3d07837b39bef01f4101f1a8a Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 29 Oct 2022 17:32:39 +0200 Subject: [PATCH 124/149] core01: fix matterbridge for DGNum --- machines/core-services-01/matterbridge.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/machines/core-services-01/matterbridge.toml b/machines/core-services-01/matterbridge.toml index 49116fa..748d0a7 100644 --- a/machines/core-services-01/matterbridge.toml +++ b/machines/core-services-01/matterbridge.toml @@ -12,7 +12,7 @@ WebhookBindAddress="0.0.0.0:52187" PrefixMessagesWithNick=false RemoteNickFormat="{NICK}" - [mattermost.merle_klubrz] + [mattermost.merle_dgnum] WebhookURL="SECRET_MATTERMOST_DGNUM_WEBHOOK" WebhookBindAddress="0.0.0.0:52188" PrefixMessagesWithNick=false @@ -34,5 +34,5 @@ enable=true account="irc.ulminfo" channel="#dgnum" [[gateway.inout]] - channel="mattermost.merle_dgnum" + account="mattermost.merle_dgnum" channel="town-square" -- 2.47.0 From d1bc89653ce4caf47d4eb492c79d969533dc8398 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 17:33:05 +0200 Subject: [PATCH 125/149] public-cof: fix NC encryption --- machines/public-cof/nextcloud.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 8a9572b..847affd 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -6,6 +6,13 @@ https = true; package = pkgs.nextcloud25; + # OpenSSL 3.0.x breaks RC4 encryption for NextCloud + # But we enabled encryption for NextCloud + # Therefore... + phpPackage = lib.mkForce (pkgs.php81.withExtensions ({ enabled, all }: + (lib.filter (e: e != pkgs.php81.extensions.openssl) enabled) + ++ [ (all.openssl.override { buildInputs = [ pkgs.openssl_1_1 ]; }) ] + )); config = { overwriteProtocol = "https"; -- 2.47.0 From a2c58e4d877faaaae0d65f734df514d1c85257ec Mon Sep 17 00:00:00 2001 
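Review bot: the comment above `phpPackage` stops at "Therefore..." and leaves the actual decision implicit; since the override rebuilds the openssl extension of the whole PHP runtime against OpenSSL 1.1 (every TLS and crypto call Nextcloud makes, not only its encryption module), the reason and the exit condition should be spelled out, e.g. `# Nextcloud encryption still uses RC4, which OpenSSL 3 no longer provides by default; build PHP's openssl extension against openssl_1_1 until the encrypted data is migrated. TODO(Raito): drop this once migration is done.` OpenSSL 1.1 is on a fixed end-of-support schedule, so a tracked follow-up matters more than usual here. The hunk uses `lib.mkForce` and `lib.filter`; the file's argument set is outside this hunk, so check that it binds `lib`.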
From: Raito Bezarius Date: Sat, 5 Nov 2022 15:48:40 +0100 Subject: [PATCH 126/149] mc: add Clem's friends to whitelist --- machines/public-cof/minecraft.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index db78249..3582e49 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -43,6 +43,10 @@ in Pollux3737 = "ffa65818-b022-4830-aa90-7f3211c8ee3d"; CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849"; clem197 = "7461bfdf-4dca-44c2-b035-b49d5740dfc5"; + Clashis = "499fdd85-bbcb-446f-9611-8b6bb9bf6965"; + epns = "a1c26328-484f-4c3f-affb-26e49b430c15"; + skidijo = "6a72a1f4-7448-4fb7-a252-b6d5ceff2d43"; + r_r = "3202beaa-7620-439b-9e91-0a9d4699b552"; }; serverProperties = { -- 2.47.0 From dbd7594d590ee5361f88283aeb7f09ab30753654 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 14 Nov 2022 23:46:55 +0100 Subject: [PATCH 127/149] mc: whitelist more players --- machines/public-cof/minecraft.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 3582e49..0030204 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -44,9 +44,12 @@ in CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849"; clem197 = "7461bfdf-4dca-44c2-b035-b49d5740dfc5"; Clashis = "499fdd85-bbcb-446f-9611-8b6bb9bf6965"; - epns = "a1c26328-484f-4c3f-affb-26e49b430c15"; skidijo = "6a72a1f4-7448-4fb7-a252-b6d5ceff2d43"; - r_r = "3202beaa-7620-439b-9e91-0a9d4699b552"; + Tifendyll = "5dc1acf3-b214-4607-a3bd-924665e07c67"; + OknShield = "ef12e9cd-121f-4b39-886e-89b5b4bc5f4f"; + Allygon = "964a2ee3-3a0d-49c1-b8e9-60b5e69976d3"; + CheesyBiggy = "574daaed-ce9a-4b33-a3af-055e39bc32dc"; + H3raklio = "576969d4-94e7-49db-ba7e-e9e57ff5a75e"; }; serverProperties = { -- 2.47.0 From 66ae9b2d0427578e96c93ce56dcf850aea5ab278 Mon Sep 17 00:00:00 2001 
From: Julien Marquet Date: Sat, 3 Dec 2022 21:15:40 +0100 Subject: [PATCH 128/149] whitelist thejohncrafter --- machines/public-cof/minecraft.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 0030204..876754a 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -50,6 +50,7 @@ in Allygon = "964a2ee3-3a0d-49c1-b8e9-60b5e69976d3"; CheesyBiggy = "574daaed-ce9a-4b33-a3af-055e39bc32dc"; H3raklio = "576969d4-94e7-49db-ba7e-e9e57ff5a75e"; + thejohncrafter = "d3959974-3a05-4ab2-8acb-d8817c140d84"; }; serverProperties = { -- 2.47.0 From 9a0c9c615c502d98a70d6f4d4e72709fb5907981 Mon Sep 17 00:00:00 2001 From: sinavir Date: Tue, 13 Dec 2022 22:23:35 +0100 Subject: [PATCH 129/149] feat: introduce photos.ens.wtf Co-authored-by: sinavir Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/15 Co-authored-by: sinavir Co-committed-by: sinavir --- machines/public-cof/configuration.nix | 1 + machines/public-cof/lychee.nix | 10 ++++++++++ machines/public-cof/nix/sources.json | 2 +- machines/public-cof/nur.nix | 2 +- 4 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 machines/public-cof/lychee.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index b4a2599..ae3fce3 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -12,6 +12,7 @@ ./garage.nix ./nextcloud.nix ./outline.nix + ./lychee.nix ./minecraft.nix # ./rstudio-server ./nur.nix diff --git a/machines/public-cof/lychee.nix b/machines/public-cof/lychee.nix new file mode 100644 index 0000000..944604b --- /dev/null +++ b/machines/public-cof/lychee.nix 
@@ -0,0 +1,10 @@ +{ config, pkgs, ... }: { + services.lychee = { + enable = true; + package = pkgs.rz.lychee-gallery; + forceSSL = true; + enableACME = true; + website = "photos.ens.wtf"; + settings.APP_URL = "https://${config.services.lychee.website}"; + }; +} diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json index 77826c4..3209971 100644 --- a/machines/public-cof/nix/sources.json +++ b/machines/public-cof/nix/sources.json @@ -14,7 +14,7 @@ "klubrz-nur": { "branch": "main", "repo": "https://git.rz.ens.wtf/Klub-RZ/nur", - "rev": "98911e21fd58f00440dc8a5bd6568f2a349338bd", + "rev": "9c43904eb242455ca3db9466c5679c81aa92741f", "type": "git" }, "niv": { diff --git a/machines/public-cof/nur.nix b/machines/public-cof/nur.nix index 130ef29..ad4a2e5 100644 --- a/machines/public-cof/nur.nix +++ b/machines/public-cof/nur.nix @@ -8,7 +8,7 @@ let in { nixpkgs.config.packageOverrides = { - # rz = import rz-src { inherit pkgs; }; + rz = import rz-src { inherit pkgs; }; }; imports = [ -- 2.47.0 From 5138eb930f618573ccbe3e6394b1c13174e92248 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 24 Jan 2023 21:14:04 +0100 Subject: [PATCH 130/149] core-services-01: add hubrecht --- machines/core-services-01/configuration.nix | 1 + .../secrets/dexGiteaClientSecret.age | Bin 1424 -> 1519 bytes .../core-services-01/secrets/droneKeyFile.age | Bin 1639 -> 1778 bytes .../secrets/keycloakDatabasePasswordFile.age | 52 ++++++++++-------- .../core-services-01/secrets/matterbridge.age | Bin 1519 -> 1559 bytes .../secrets/oauth2ProxyKeyFile.age | 50 +++++++++-------- machines/core-services-01/secrets/secrets.nix | 2 +- .../secrets/snipeItAppKey.age | 51 ++++++++--------- .../secrets/snipeItOidcClientSecret.age | 52 ++++++++++-------- machines/pubkeys/hubrecht.keys | 1 + 10 files changed, 111 insertions(+), 98 deletions(-) create mode 100644 machines/pubkeys/hubrecht.keys 
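Review bot: `package = pkgs.rz.lychee-gallery` only resolves because the nur.nix hunk in this same commit un-comments the `rz` package override, and nothing in lychee.nix says so; a one-line comment, `# rz.* comes from the Klub-RZ NUR enabled in nur.nix`, would save the next reader a hunt. The `services.lychee` options used here (`website`, `forceSSL`, `enableACME`, `settings.APP_URL`) also appear to come from that NUR rather than nixpkgs, so the comment should say where the module lives if that is the case.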
diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 9ff2a3f..7aa5220 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -81,6 +81,7 @@ ../pubkeys/gdd.keys ../pubkeys/raito.keys ../pubkeys/mrf.keys + ../pubkeys/hubrecht.keys ]; # Open ports in the firewall. 
diff --git a/machines/core-services-01/secrets/dexGiteaClientSecret.age b/machines/core-services-01/secrets/dexGiteaClientSecret.age index daef2a2a00c33743ebcd5b46b39b1205e074fc61..f080423c728b87bd35aa1d842c1b19abc94ad716 100644 GIT binary patch literal 1519 zcmZY8xy$4P7zXeyv@jqDHWn^SE8%k{*Cas@a!jsCGRfqQg(R6=lT4CHCg&DbTd3Hn zwTg{kr-hZJTMCxih>eY6BX+Vbg3aeY@cwuno;OJ2ySR$lxw++a^?Kc=>j47p-duHE zcGq^ns%RZX)`1hppEgl93b}-`rHa>0F60#_H@+AwM=|u}IYAl%A`EkCodHs4IAO!W zqr0PL%#HxC;-NX_8k*`<63f~!54tXHTHN(0k*O1EYA$jj91ZRa6VA{{=OH;WBa}$9 zd~4mc2Y?_lWaM@W+s1mvmz}O#Qk1+ugwYsb=U|J^2Tz3)PXtG~#7~2?7aSBY zCY3-N7DAAsLTb5pSem`*|Fs>TU<`xE6@fW9pRO#~y0$EKng>D{#c{C~WoZg>aGOP3 zD1;D2=2=qvnjjYk zbSgSl(8fLWS*VvoS*hZEZ9R;7q_4(+fn%mV>p6Fm%>8XtIET8BSA8h8_Hf;Ua8_4+ zja6d`*gi&~JL&A>LadqfA;Z%p+n)>s_2fQd3fnz45*u5d!&nU zI9I|6IlS%-R^9ky+J%;X>Y*(%l~tT5tOaaL?1rGtRZq?`#3~+!R*nxF=}&0dAuyraBeLn3&T6Nx%hQGeoY-R{0NxSo_yD^*MynBr=76IyQBJ-fhx zHx_Y>(C0i>L3rIV4$;QhG6ZnE9N{5pyzZjjNGC+hnI7%57S{XPXLs;Ezyg|TK&srN z_qA+Gr6IK{`C(VqR-QZ?xSm@m3$5!mRCk;R7QQ19V8LV~U8M#^08S8u<80AzRNr}c~_J_B!3{h-w(;fdR&$i*F@U8}t*)0rW{vu>wH4AC`2U?oX4 zEBUH>QP=}L%hI`ChLdR1f`(UvwJxZFv8OyYa7bbDIvSa4I>)}Ep6m#?ySrOKpb;#? zys#?g9W7%PO@noc!C2(W`o?;5>!Wl*Pp%>9!0_e%gU3I-_v!Or{Q1e{(AYP-@pIk`sByYe|y;f{P621 Ie}{kk12MSvWdHyG literal 1424 zcmZY9JImw*6b4`ytkP{KR>QW#Y%;k_5*Cysll$a;nM^<-$z*b!+%ri=1#v;FE%YZ? 
zSZJf$EP{>xfGxBU|An=mjm5X^ImH9-dpJQ7Z{jNImS)K6>UrHI;B5OU98jg6>GR#|QwQ|nVpxacS&oNBi<{uotMPIryQ~Hd{F)G?hsA)3 z48Om*kfUZncpvMdr+Ey$RT$hjbu4kNA8YB3N@-m6O$a>U9lfOFv^%9`|Dib;yAoy#~h896F}N2-{EOS4mx?o`Y>37j5l$B~c@ z#!3<<%yMEuy(c0>;vrEbzIlju2P1E4uPCgp3MvRkg%n;>M;Gcid61E=x!+ zz-n1dfNQH5enTE+VU*B`D-NE!y;E^*o5?0Wq`yJ7!I^ zxk%a^Yh?Lby>+oI%G2t$gD6xLQUMZs%sBB{ax3*K$Tlg|l(MAv-ae3a`hYk!0GeJK z&`WpjbZmcB&phSU6|}YY+wG8w@VawzZeYnQ@88l0?3nS%3hlQAYW3_E=Q*|3mPr81 zeBH~J?BeA`Ivnp-X!xVoJan-~c5+M%hmH<0E@{J)Mq6mA@u{&-vT;9+X$%Qj*?GwS zNp^j(D!LNJxVZsyY(!Mzck25t^j5Bi#{z};1XExtOG!{s*4 zc6tWnL7kw64IxaIE1ZWZ6iqS6xHL7oh49qI$p~~TSuQL=Mx@C($*klUN4$(mE(*aE z2!qy|>3|7DXZBn2G!VO75MV**T4P}#ni%-w`5|#W;lN7Z#)L1Y6RAwwNu|b2&j9fV z<8h3-b$^p6vc89kT%^W-ce{r+Nf!rwy!!BYBv3BCdUgk7S86>mFl!R#I`EurDbJ4a zGh4#if|UmqZYg4>%!MtRCGq0K6OpkMSZ+O>2cMX8V7yh)EJQ9V8Hf`IRADzHdhcZu zw;FH`=~kQX;=>o)P3vjbH-X`DGdoLhbW(uLX0zg>T6DLOu=kMP?|CLK~#OgcK6&x!GwLHjdgss8_dkBaz4tFf<j>QTM^xugB3y64QHj(qQzM^m3MB)%g_eV~A9TL`fA` zFRcP*#5FfO-ipw*p8}fM9m}}OMhVvLu8RfGkh3Umc~LF3#;&IE+B6g-n50%I+vK`v zR6-V0rH1RRb4N0aA_ut1%tFPi&#c-)9+(E-X2Z@#t0gu(UJkO36q~l6uDpTOrE+Ro z60q)4RmB&ACUjf8tBq&tBwtYul3+lZ4#cKA^z~LzOGmWa2c|8*5#b>+SogZV5m)N~i-CUGWyk1p1sfAG zTZ|e_zv}hW03)I$=tE8)aXn64^iq~lSJp3nV4Kp?E=j{ug zbFT1Man@QpivSKX-}Yu=%^~7G6&5lOE2Akf?YD_yl)*Vq*>WebLu?cb7hp=0Shw7% z0Yy1rT@Xxmgg7%}LoWlbxErB74HH z9+zuEC>s8#15swT>`@!Wx8$(F#0r?Gt=W7kDOYMO)LKa?r$8zx_ZREgunBdT1gBw~kH&2q zLTizZ5^_5l!Ze3mnTX!Z83-m>TP$Es9l#FQTn>f|*)~}5zuDTKZMz5a{lS)>dUod3 zg)cDudVHW(#WNvPQ>V@PpqUp5V#EV}qE|M=R=$nEF$e1*7=_~}!Zzjx;S?;g7S-n-wtuzkaAFQf-gq)&eH?2~tF zpLqN6Q+vPj(CITD{qvjiM;`ps?+x-j#}A!7aK7SA%f;l+ztubcDDkCtF5LOprEB>g zo!Je4a^FApoxbgK{a?4dB^}!Rtlzrp`Hx+7-#fqf#;CH!eQ)#IE@G zzkhb*Lk~;J{L-@@xbxgEZQ$6iPYlNw*33=UeD`eGKRSQk@Sdl4Z*F{!xEvkJ@UK0v zOaI++@=9^(*5`lq;$Of2^KT9Qrrm$_2M_Oh=$!G-C;sxt8<%FUiPxXH?wP-zvbHb2 gdU4O&FMZBCdgN0TT-^ARr(gKu50@{!{^fiB1EpSZYXATM literal 1639 zcmZY8?eF6R0SEAKITENqB!UTN%*}-0;TUVXuI)TeuHCw>+xob6YirK+Wj&-0S9nPgdJhC_fpDaNFl^8Tp-Hkx=sevTIy_({WDS+3GH)4zt;6M9*{jV< 
znQXhY40CyvL1R@>R$NOoV8hSQybp$>87^p*@7WH&q040i#sI%c!HDH>byCg5-VC$X z7>q|fZX`4n2sH;Lwf1vpm<^WrUaeVH;#{otJE%4nbR2q5eCHjzR^KqEDVw>06aaCq*w?in~X_e)Bwak{8QB{ld zbUpCm3GEI2$wn;@Hty(g*yM(4j^$RH16gc1ov`Kx0cZmiVA%kz!gbBAt5u<#A;l)q z`&2m|!l8lm!ge3weDeP^ygl=1x7HmxI#;1xy<1X29&IKA)3OXw=0nF{c)92`ZG6d& z&AbZ&G~&ivdfrPCZ)rvoc##UQCDjF7+K$O)0p^Q(I@q#oxB0)`vfQWz*{nMj0d?y^ zyaDE}Zudg37={bfWk+>#)B^F)$w|foXVX@bskC5?W-B&X3}h7Nnv68`V+Dl)elcbw zqQzh7!KW0|5puJT*=0zo=!npxILv2Y%h#mNrjIi-kQk?|6sR(;`vf*u*(ET>O<3OY z!AOBdmKl_g(sE&DWxE8<4N^*(g_>`7bb<(TBJ=ZcQ)vg~nkFEWXRNuT1BFUCCc*J; zz*%<3l|%o^C)(*`F1z>&R%b1jDU;>aVJWH(+99G+0X_}+Yzq4biF-|eO03}+_Y%7h zCo5L&OhDYIyFp4TIydR@Q--Z~lg$XNBXorI6EG{ggdJ?xkfC;I1#1J&0G_OH9bP!j zRF@K!>0*#n{dY;9xu@Y~wvpSlLr$LqgowWqDQkJ#5jSKFh$b|?kCS{8^fEoL2%P4q zV5&!^glHZ=Y~d~+yC?|eeY3*B3r4?!^NwA?7K-gfep4$B;^nsnH zPu{+G<4X@+d*<-Xcb>XJ?GleXYQ6TGYYtz3aOd37KRztqkUsF{-wxhd zLw@vjxbNh?Pu=~}b3+%$_tRHDLffBx zLAZS1zdrWf7vF=v(Er8t_dF=Rb7miXpZ62v4&;S5Z@F|^bpK$#ck{bV;H^W)PrZKN zD;J;IfA~E5muG)`;ic2R`t=(pu30tR%=!1XzH#B?{qx-$-(5e5oImmLAO7KSX!FEX ew|?&XpLnA2wXeTey!D;Ut|4@Gzx?Foo&NxJPeYdg diff --git a/machines/core-services-01/secrets/keycloakDatabasePasswordFile.age b/machines/core-services-01/secrets/keycloakDatabasePasswordFile.age index 2007cba..af7c0f5 100644 --- a/machines/core-services-01/secrets/keycloakDatabasePasswordFile.age +++ b/machines/core-services-01/secrets/keycloakDatabasePasswordFile.age 
@@ -1,26 +1,30 @@ age-encryption.org/v1 --> ssh-ed25519 lHr4YQ S/Kuy8PdLoLLRDvlDDyuDaGXGb0RMBJKo9XyHK2I0Bg -VFjemRE9hOc/fEol+2OAjM6d/5QLPeeo0ytdgcwa8Zs --> ssh-ed25519 h6AgbA ParmcGdbVHdvihrEuV+nLBLDnTwKR+zoxc/O0LdrUhA -L1kL6sr4ak1DTTaui9k6tpPJ1p86bKAoOcPwCJu7vr0 --> ssh-ed25519 Wu8JLQ hTPuIn+IogmX6U16p3EQ/9C/L+X7dZaQaBrEAdq4twM -QhnuGbpuqpFFujNlXSDUDMEGHK875Sr5hHX/q2ShkhU --> ssh-ed25519 cvTB5g P8av9KTsR9ccIRPz0TABQF3EfeO+cyn+Od+shxeatEk -GnExLTBOicvRs7neFPL/GLxE6hqpdqNV8P4nWRbMjKU --> ssh-ed25519 /vwQcQ WE0fxso39H7ZyYwJ8eNnmrLgf0xL5AdpHZ1mrvbiPyQ -y4GjFZuYtiGg6cY8ZTOKHbYjjFJoFI5W4IF7np/OB/8 --> ssh-ed25519 reTIKw LxM4ihcAb5u6rKqtrOUZ7/4XXoMVbf/HHhby/i9Xbn4 -O8KkO/99T2lBttsADSTJE/18ljFrUjrJWhK7peehei8 --> ssh-ed25519 85WiGg +GtCSdOR7TTwu+zTvwOoRhOE0iLwB7JuFaZkP8cP+Fk -0GCjcBgOPeynvAUDmEioWPJMhZWGchKKukGGXHCBEUU -> ssh-rsa krWCLQ -bSk43qTcHFgrS7AeXTzUbx5FO/1YrLuRlm58lcXpTTKcRMZWKmFbPTVNdIvkT4xt -B6HW0OqV/Ks1pbeJUCPRdLwYHYULEC4quRGlgeToXoUQ8zCvcPT6uikpK0Hzne7e -WI5MLdS3vvAPljlSSaPN8gb3yiPgA2IPrHjqIsMNkotGFjUQ/oIyJ8YcDsSfGE2T -Z8+TOj4ZNxPda2hX7mL2x2dJmmQW5FkOVtSpSyvwpkOqPOi6b5vZaWu/GtXzGEhD -SD6SALiqmWkCHb8n588XDqKj8Lj/741R24f8IM8qW9cBz4QClh3Bnrl4gendsUCp -PkQPjniidi/aF6sHhfrSNg --> |#4-grease y%'e^I RB nBNinf \dob -L2HkuH7S3KtuQN9AWLBL99nJPxVw ---- +QOdyAz8FR0RecYvvkzxv2IzJ9yt89/xePALK3l7sjs -&,NpJ~ ƅ˜*,؆5:i W}m"Q-FJm \ No newline at end of file +2Ak0HJ0WoUuCQkjBPjRgrFQmHSBP7Lzhwp8JZ22lSDLO4OzGLuyGnmI6f+x3mhSM +UP4X4fz98ygYaPTKHzgs+ALgoe0ZOzIRcrBYKyAmI92iuVk8QJrGBaFsi2e/quur +oRaQybPXCqbGeaFhLY74RHmtbby5zzbQnw8f5DRKn3oFDYgCUMOKdTPI3vsUDd6t +dLmFCWEhGFMwI9bve7bVeu2yKMWpOIIsVgkabSy9EQ0gEUwoXkrGNpc+QqqR2qbJ +qaLok3zO+giVKrzl6+/Z/tzHQ66mUTIZAD7HmRFMqBRBqo2heCtviGyu7NPXhb/T +vTVzgL7fsrkaYd59O7BCSg +-> ssh-ed25519 85WiGg UgubbGKRmcFV5N/Vyo/HEBtGG0GOvZS5dSDnYoWzeSk +N2CZ/ZJJLRTdwBDCVNrXGp8ic0T7ZHx+DfPcXLeEvXQ +-> ssh-ed25519 reTIKw zl6eZh6NG2Y21AElt+Ag7gzDmtzXP0h1RjhVzaiHUg0 +PJU/i8Za/JwrCLXcH0vtG8CDxv3MDHCzEYiNIhperC4 +-> ssh-ed25519 /vwQcQ 
RS4rv5dnajCSAdcFj96HOcMBHySk5yBrmepNdlOcsWg +M+dCeQCP3rl4oT8IrkParBnaaTfUNbWpgvbLou/qSp0 +-> ssh-ed25519 cvTB5g ZR5ayyiP10Dec6Tg2HYcl5q0dkLSvOgRxeeVxC1Plj8 +aiY/6wY4rmB75NRzcbFPKu7nTLKZhgqOuqAZm+9UnTs +-> ssh-ed25519 Wu8JLQ 4nFItVARcWbkkuyaUcgdesLSOmiomY0Ht2LxXX1/L0A +dK2/4X6OFbn4Y3gVK5zKRV3KySiCHzGnGewhZmqETrE +-> ssh-ed25519 vXYJfA k1ANIqwNaMjipiCobpBWMlhbCyudoy7vpuajDK7mLiQ +uudD1Bk1+EWmL3o7VH6YSbv1WRCw6tsDV0HoQ/zwXwg +-> ssh-ed25519 h6AgbA EvhvmT6dx3HAqioaFvT5u94cTk8okjhGgzyxXZF8LyE +R/xTeW/rJEl50kG8e0n3NOGpX9XI13Ftq7ULYNHVaCM +-> ssh-ed25519 lHr4YQ WyG8hEoGZuNvroTdmC8RST7l/Tu7UUXgeG3AfLA0p2o +qk7YeUkrOsRbqnYXFXZAkiOaW6rvKnSaZGSiBw30b5E +-> V9T>@4JS-grease @h!7BAa9 +nPtMdfgbktgg20WlJBrQlhTDMI8/i31JEDnZjF4u7RidDSJ5lxzH8zI+411CQ+K5 +exQ +--- YY6c8/qxiWxaK31KW+3QP6240bmnDJZ9EXrG7dnyJcE +N|J +ZZ6#kyH; \ No newline at end of file 
diff --git a/machines/core-services-01/secrets/matterbridge.age b/machines/core-services-01/secrets/matterbridge.age index f4ea1d5e441eaa4b392dd2f255f591a06a917bdc..526ab31d3e0491b21298d00e4e202bb1bec705d2 100644 GIT binary patch literal 1559 zcmZY9+soSo00nSC(GheH^FgK$R+t0rKGUR4lPCzeHkansBu$e|A#KyNNz*jfru9J- zk%6EnlPThZIECRA-EaeS=oAz$pnKaG48aRJWuh>22#Vm#=U?!Hb2!KKy)ADsO4rML z7BB9KQy(lLVC&vmmQA=}k+ zP1K4cTJjjf&?dB5`}BMkWUH_j0?bU77u^+^2z_$h3-fHL7-|&3lZdX!BAsI@T0$I> zP?#U&Sf}YQD=fo?q*0V~i|Ctxjm1nJc5qSMc-}b1D5IHi%m8-?rw}qbDlsy&?AQnU zZ9yZsjm*y1o+=Te7LJS-R1fGt?IDSEWlC4t%(NiuMXTRv=Ao^Qk;%YN_`<4Y<1|)N z4`o@9E(LEmAES&s*AO(S6F}Ur7eu9Kq?ZxWFdC|rTk`&YX?tTBK_I+_A=a$p*VJIF z)Z3NSuTPrFlC0KPLpIkDOh}d~O1-*f;g&E!aiO6B8&Hn4Nrt$B-54qsOLJ6#H-|lz z66l3oC?q83wq-1ProCNDJ%bllwF)#Rrm+#z1|g}LSdXKAFB!P;vhX~#99UgOZFkct zo^>){!<$SaWi){@Iy$&CT-Yd^ppJV5TOXxCIUzRI7#dB|Mz~!A%au0LYH+3W2Yk{c zon_&0$dFcCSH`0S+sQ>W4-jUI8i_PO<>?AA>OpFJ0VpIgS>fXLY4f? zLR+vUO7L_I6Wg^>X^@CtlV`Z;-vs)z z_C!i34NpS>)%dB1@DpyskO|q9FsHx+5k4M+-sLS*JTnI1x zueUjuwrs7IU|NCqU=9>jIp8Yag^>^xW}0racm%1amSdYyH|YnV4@6|KX_@npmf0z5 z@@cuGF(n;N)@zqAu<6JF)Bbc4!X4({y{Y@U%$A>eZsyfSL5IQa!~tMyYpdpnPy*8V zOkc)U%)(@oDM&>fw_ChZ6%5A3GzSN`;pwpn+;Q^sM}J*+_y~Plb@}+_;{L()&wac5 z#cTKM+FZGT{PehY^1WRje|YBN`A>g2xJB;#^q}#ia^#&` z@o#QFv15Mbp;J45yG%Rvr#`v=&{rqr-#>W%^kX00bkuv|z#E^vbmg2VpFMQp>Br;6 z(X*G`U4MpqZ$6d3a<204$%S+0uOeRG|L%^rzudj!{nI}^^EvYNzON4++5{w4C6`<-$sNkb)8*-s+$ERX zU3@~MQbb1`=nE?-zEG(MR_fRT^Tkx=CeywVwIDL-#w>MICWUTA*1g!9_8<6u_X@f~&vXTm9L@*tiLPCh_VqNQeKZGnx3KmT# zO+yPw#H`I#4(E-0mtMdoY%(i{CPfy(hH8YAJpkQpAP=JZQ$`HuTrTJ^A1-`h;J3^) z3H^RCllv?-?ypTJQM6rc6$rAKby6GE+FE0D0J90F9A1OK{ZOmYZ$9SXEdr2;uTXPrZaXStGb>Tp8FXC;QVHWO`WXN&LM`tqTrEIlm zC3!<*Si)sd)o5OgHgpnevz02EDd{>|g#hMgyz0URlH#VOV02BJ`39nfCDO|#%qAb3 zasn~VU`UBL*BvFM?ibt+tsuj$tL`!*0WnAmjA##CbR%S|b*|wZFIE4)w(p??flwex zn2`{GVpTLrMvh@FF8qLV+KkIdl{nEIy*F02u8b)NKI&`@%mpYe#7J3jIwO08ki%i> zZuQ1=qYm3@*=c37c&BI(qmc*n)mq`}y}HnwG~9GbErl!nxHIA})qrH1c%l((rE6_Ab4-D)Zx>PW2YVtU2zCVtp~ 
zf=OIbgJ|UobH3cA)KZ>Yt+}<%5COX!SfhQ``R}FTy5oy7+3ZL(#a)x)sb$N|uR%BmN!Me4QX-bbw zS;JY2E@-+?Y9|qO-;OXFCyas~!ZUwp(Hme*WFwYT7dXZbycl1VU2If`Jw$9{CK4tS zeQ31d3LA+ge|5L8O$QDQV!Ea1Fo7zLY}d0Af|4Lbh>Ba-?J-+P{8*clc8;3DmImy) zUK&j*jeM)_RmYu@98a$<>Dw<$)MGMC#Cl%Z(V zn+C1_bvt~>yL-{!3ku&ZeNZ?A!hkO`%Nk7+e6Y^xXcuqOOjI#ORJK(_jT^LT1}l!r zc1jP6Ih9e@5+-l$&?&Sl2d)lf_oxgD5 z2wr*%dF}qEe)GG7M=xIg!!h~Bf9&&jl8-W!_?P`ZdHk8%2gSt$&wYNj4SstZ{qmTx z@B940xBvAb_|GS=`_+rlkBQfR_Ji#wIduI8M?U@in_nC`y6=V)-(0%wvFY>gfv>)N G<9`88*AWK* diff --git a/machines/core-services-01/secrets/oauth2ProxyKeyFile.age b/machines/core-services-01/secrets/oauth2ProxyKeyFile.age index a62c1af..2b687e2 100644 --- a/machines/core-services-01/secrets/oauth2ProxyKeyFile.age +++ b/machines/core-services-01/secrets/oauth2ProxyKeyFile.age 
@@ -1,26 +1,28 @@ age-encryption.org/v1 --> ssh-ed25519 lHr4YQ f3xLHRyIx6oPATsv5yBq+pWpDkwJ2xt3axevMNjIUgA -RK2bLPZ1dwDExqbQ1Mft2Z9xGHpxSTDuTv0AgplnFzw --> ssh-ed25519 h6AgbA fPy5Lv6ZcYB9xDyeHNTueRKTvvC6OyCrkHzF85dmhh8 -VzMkn6iaC+gwDXkaCzh7ILTdWMBqUYvYmrQPbiB+82k --> ssh-ed25519 Wu8JLQ BSn5p0Wuv8CuiHJ6AdLuBLOst/2/mK1fs+zmgYao6kg -m/NfBqLzcyTad8UbiDSMI3EmcHWccpgV/wRKKeSO6bQ --> ssh-ed25519 cvTB5g GP3EP+t8uJFKGAKBwwO7CmXa3JGTFePTANSINPdQuAA -DoGUKpuZTQ36hM4B7eqwbfGGKM+pxsYtoL5UjEeVdD0 --> ssh-ed25519 /vwQcQ K8J9qbUjPPhuYZ4/2rGZWX4Fb60WZACwmFPGXUT9Yjw -N6lTZVDVxTfZTSagaOi4dbVzylljwGWAd06GbeVloRY --> ssh-ed25519 reTIKw +7n56fmzzYOkArtH0Zeh26zHlE/lWz1gqyoCZEMMRDA -E6/dLGVaryFfqf+7DmwKghtGmtUUGpMFFwaZc3OvJ/c --> ssh-ed25519 85WiGg aHBishjeSTuv/TYVcZQzALC8DHPbYHf9dj+igMnkkn4 -HwmPoIqV3Y/34Azf892K9nGJ1hh2KWAh3IzLiGVKeOs -> ssh-rsa krWCLQ -A2IHEB1lR/eHwOM1adPnvYZUmJ9Gf8ADZvOpzHmxVC54VP5EZLnzpcdzIKlM4qOe -vYs7PdGJ56iGd3JS2khyc5oCc/NEYu85i4eyK8Y8JMqSFyYVNpH5rVY1IuHhIwW4 -biLSvPhKejtcjGkJZGebm2yA3TuhS5peZRUBh2v0sf+PjblsULrpupSRYAs1IndZ -1/Brrub4BfFihZh/uCN1iq+lWxUG5K1AR4UhrX7s/qq21sIP+hlhsTzwj5WoeSPV -rrYzi7E1v8nP6YsP965PjNFq5yJYKRZdw/QosmElRF4Ar3PP+fROFLfA45LmQpLh -z2P/QZKQ7BaANqtz1ryIZQ --> :N*xgmZ-grease S 6b.gme t1.-?(l6 -JJi5KPF7Y07dJexK5CNlZVeYnM+DaRUqYjChAQO041COvkfVF1CvwLTYZAsZbw ---- RKQ3nSQxdSjoVBEtg4TrEL30ooOTpyZAXT5TcOM4qWE -zƦ6JRURh/ &5cKG%hpI;.NQq"hq|7nC92/"ɳ&uKʪmCB-Y̫jTkk Kۋ]}ˤiރF}ٟ- 82N}Ȝ(JAd_Hi0T"8}Q$ \ No newline at end of file +U2lxIvw7gRCjMGutUFyq+qGiCIFlbsPdbfzqy7b27d17aSjXds3WwMPUQajHMGXl +tmM/gDCOV8aY+EkM8nQIKdSGNZPwWHlqFyBpH7b18xTT+sWLBZnKcQqVzdF5n1yH +s6LjbcstDiCy3h20hfOjoi+qvK8AGbWnLueDI4g/BWCLBUmAC6zPX04GFAstzg8e +b8wcTCsaeVJkEVvI9caJsFpoxKttbjWUOb2jOzquyi1vIc50vWBNLlulzf0Cd523 +niyjvtEyVRmHjTqs2D97DLuKEE0U8x1ecI7FUwyDQWFj4RmmoKm7TOvGva+alol/ +mclOlWBaMuji0SWwR4GQyQ +-> ssh-ed25519 85WiGg oTAqEjy2kEYw0EEDFzmv3EYWY3gKNDGsWbztSN6DG3o ++Q5hzzJVgdtFiNtbC37n9tZsNK+onqp4P0myPLpGU0g +-> ssh-ed25519 reTIKw SOCoiYn2OZ0WbtgQFsJE6m5lbeat36SVF8Om6NHha1I 
+BLsO5DrNci2ShXI3wBb6u6Advjc7sOCXEBd6mSawkEs +-> ssh-ed25519 /vwQcQ zXWEMSbRm2mI4KoMj2tbqP26LTAcxeyLUv5b/UzTaiY +HMOyH5OV0XmQsLOtzIsHf3UFYKUoEswt1a6JOu/gl8w +-> ssh-ed25519 cvTB5g 1HPXsPtGaCCHPHEXQKVNLRGXb28S3hXUAyT26No80gE +NwPkRoRdd2juOWHyJV2aNwVQzGvwpf29mKtcyKSUHKc +-> ssh-ed25519 Wu8JLQ tio1Sb9rHwAvoDRH783Ts9S+mS2MWnsqw/L4/To1lgc +Tfx0a/UKGiiMsp8rkhbaLpsS4JJIgMeWCDRZ1CxWSHc +-> ssh-ed25519 vXYJfA GnXJG4bbDQxls3yLVd22CHmrrkAZYQNbXcpr0iH/8HY +uyr6VTHwfU7FjA29IJM9EP37K+QyiWIrG6CUpWyi4o0 +-> ssh-ed25519 h6AgbA p/FApRwDrQNMdSPYV2U+CyGqdYZG+enC/TJ+Ht5RtCE +T6e2S9gZVi24ayGzKGHL19Ezv//f/0+BUAnkCf6g8No +-> ssh-ed25519 lHr4YQ JQXWGrVi8YLfI0DWfdyuxKPGVa+SvHIm95YGzsyvdho +yvQpw/1GuVOqBBFwflDXvcIhuw0ABqqwByJH/VPRICg +-> J9VGuOkA-grease + +--- aKOWgh7PjxocWWeImr1UYJhhFMlzDJXvP+Jfbrl3Zzc +7T0ZH48ntjlh}J_궞PMw%tgm=[+nbeH`ёyMe\WU7ӵLB 2o]cS~է2C5Mybi62~:BFh1B'lm`fKvsy%!2~$\^ \ No newline at end of file diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index 9925641..79b0d6b 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -2,7 +2,7 @@ let pkgs = import {}; lib = pkgs.lib; readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); - superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf"); + superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "hubrecht") ++ (readPubkeys "mrf"); core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU"; systems = [ core-services-01 ]; in diff --git a/machines/core-services-01/secrets/snipeItAppKey.age b/machines/core-services-01/secrets/snipeItAppKey.age index 3a393c2..cd9bebf 100644 --- a/machines/core-services-01/secrets/snipeItAppKey.age +++ b/machines/core-services-01/secrets/snipeItAppKey.age 
@@ -1,27 +1,28 @@ age-encryption.org/v1 -> ssh-rsa krWCLQ -i/TW/dUpeS8QL9ZJg7xKdGW65D1SWFjMpolf1BgEs3hm6uI2W3RWUb5S1PEs6HdF -l/yiJtZeBC0e0QbaQ776fiy0MSmuMgcRbJJ1rjloGwFzwwvtqhQMG8rLp70IPZoV -F6sUz4jKHaEjIVVbRokdfIKMSnhRXnbW5domOxPmZjXck7YxaR1zqD4S9PtH12Q/ -P+l/IVS6+tuWlaTs+1FY2pQ0ppPkwxBirm+4/dxD7E5MkOT0OFcpopI225u2vJAz -Hfk6SBhWuOu2GFfLDS3sS+50kvx1MNvMeb9qVYHkxE8tXhJxOpykkzwYktYp17jY -m+rh1gMPt+mZV2ELaZkGjQ --> ssh-ed25519 85WiGg TSVInZQdH1ZbhSG+FptwCu96UX1SHAhQNculIk8nVF4 -L1ptiGhMZN78uu1TQ2qVV73+lhlgD34g7xt/AL268Dk --> ssh-ed25519 reTIKw vrZd8hFFywOmDJxAq58Tt4Wdq2ovft1IDJqCvkpRU1o -9TmODia85CwXZmzdxk6W4LCflCybq7O1WWoqG5vxENk --> ssh-ed25519 /vwQcQ NSJNN/lRO6TbOQTlY9bT4kdEuP2hElmNIcKRI4ilrQY -eGIr9VQSrbG4hB2XQGYXquQVZIkLRq9g9+Ap25YSWSQ --> ssh-ed25519 cvTB5g 24UlsKN0XaA6wW87zj5PkPy90LUmdJe80FV2LVLiwzk -57VJ2pf45+r7CgMdr/78ngWll12Se7dS993i+YKp3Vg --> ssh-ed25519 Wu8JLQ wgWSOp5VQzF+pvL338wOwaJ3RIIi1I4SNqW+vT6NQF8 -HVTfWqmf9CnEkHFpu9NWYagwwBdW8NumwFcUvSlb9i8 --> ssh-ed25519 h6AgbA ZRjMQkjz+sw2BZh/myaSnMgz8cngGM9wxQf6L6uPxE8 -OgYfhTQe4iB9SyL8iReQByA9N5VcUC/YvpvbPIgp/3U --> ssh-ed25519 lHr4YQ JAnhqkgzuCDsmDYnRG/DL/MDrfA/0uCZ1kpZSWiuPw4 -uMPzV/uWAozlffoqIDtTcI5CI3FAzM5fzDuupAzgE4w --> 3[k-grease l5" cr(}p5 s{\538Js -uR+N+zPd323E/1K5MdNaPzAeNYBYfbmmsxtQRufVjMj8jobBLhHq4RVJ/E57t8yv -4Cxp ---- 1iiPH5I9CDFZwZQwRbhKnqpZ08vTMP1u4pU3+hNpubk -ےf(Tח,4\hKT džq)e+}u 'hN/䶢6B4Kң \ No newline at end of file +gBB9yfHVs4Zgm30rbXOkQNZjOuQVFt9Mos4gBoM09M2psLLxWzsoQopWVcvbV+sY +oZAThV5F2E+RbOP2e9+o5P+rxCcJa8aAXovtmH2BZvr87jNi8tebH1l0Gjn0I85C +B+vv2/m1KCzisCR3p6yaqBiqyETacWRCuILVxKbpnKfVX5ymb//9U0tRbz3BIFH1 +i3bAD8j8H4V/5SC5RmYwVeBhdGqEaNX0Qehh8AhDkxoqMT3Xeie93eIK6tyAZuyO +oQezqkUmozq+uvo6PHZvY/auTYb17QTY0s0xf30NnQoqwtVXnyu6xPx+qlj+M99Q +Y/s8SFF+STLrAgK9MN0i8Q +-> ssh-ed25519 85WiGg zkLuTpJaBr8T0XjuC9i9NTxYUPhix9nLlShohTtgmyA +QwdgD0ihIpJF8D54x2Lg+6CE2yV9nLBZ1oOf/iwUKi4 +-> ssh-ed25519 reTIKw wB2xC902eZiPXXU9n+oQSocx6J9h5IK0jU4GqmB1XUI +awLSPDqOAOM2g7Wrg6uCMeDRVljl2cdZ40gHDON4DCU +-> 
ssh-ed25519 /vwQcQ adFZcuzNWIhLFDhF+FjfnMGTpijt4IKO266M8xpZTHs +WR3ig0R6ZgtYLxhN7bm5SNJ3klYvEkMlLeuC/GBxi0U +-> ssh-ed25519 cvTB5g 8Gl7qbc7VZvkjjHesgfgdvtsCntNCxyUU3hwXMaIJUA +uEJwhJJa87+EjpTE/+3jPnNtgFTHNZkah78URULI1nM +-> ssh-ed25519 Wu8JLQ buWP/UWAYd7nAAdIqJjkKq2q3Kcj/TtTm9MacGkoMh4 +g9ngALRdWC96t7FLES79gKQNK34WbKHqdw4OCryGx74 +-> ssh-ed25519 vXYJfA KT8pRDwADkV4ySKY6HejWKp57aQUWpor7x67x1Sc3wM +th+47fUL5KOak1tEeHslVg9KSxw5DPIO6T/UtfEK6kY +-> ssh-ed25519 h6AgbA 8kWKdngdG4RbvQHnkHpygz1fhzMXpGafXltQNa64mAU +hZZTmthndfMdMZiaW0bLxfiySzFgnKmd6t4u1PxLG9s +-> ssh-ed25519 lHr4YQ JBCRJtCaEH/Dp2em66/ckqFva6JpyeUAHJidVysAsmw +SGyzp26GIo+D4VQdzJZEBUZYvAhc/SZy6rdd6HXOawY +-> 1-grease +niVrY0FwL41sfeE9fB6hg+z0LWMXwce194f+IIL/F8JMIfTnFB0CRAn1OGQ +--- pMIf8bANx+QsRTqnWxPmnJm6DVMmJBEO+emeOdLeeec +.AzJQ[)s!2m  ssh-rsa krWCLQ -gPydOcolFG+axyXPVVYYjjr0hypl/xczmMM+W+BbfZFaAL0TqXpqRgjtZSNvA+oh -+JHdr+/8IHh2qCS2vtzuH5lAsjM4h4FPPnGixX1SI9eNH14b/Otmoa/OtQD4pHcB -PYbh1yh4AILggg1ZMdttS+FUuMtu2A6y2NZYSkbBLy9dwEdZNBs0/cX/xNEqK72V -JF0BuGYvchyJ4ec4/m1od94dVva5qKUvK6mr0u5XPXObEOdZ8jJwZodJjrpDaEHJ -/yt8svY6upoXIdM4dVbY0Ab1VCwXf+tbGuwypVJF2TkeVW5tbImxuoTPE5XNdKLF -XU6RfHzLjUnG1T+dObb9gQ --> ssh-ed25519 85WiGg lVvfjaLUhjdWgRnz0supjMNc6pDpbeEy2Z0fFOc7dkQ -srngyi1Wdi1lcXFK7MJtqt2koZkopcXX+hOFENHXJgY --> ssh-ed25519 reTIKw ubW5n+mkAgxwHT9okMRWoE9k5ZpWN7UQDrvRwgS3Xio -O7GRq35wulhSadIAJ7C0ekLQQVk209yGiSaWg/VNgYU --> ssh-ed25519 /vwQcQ 0FZbpEDS3xuKyPOSExt4wb/Oi0xlTivdLlpKuXicqx8 -3ZMA31MUD76KNK1+yX2473wDSv0oyheT7jAmvnbPJNg --> ssh-ed25519 cvTB5g 04++RfeztjNzyHMW7WhxdAWoWT5NyatCN8zf7xFYiCw -OWYQ3oFR+/NjY8skMpzd0eS9fsAeugO+loiq4ZqEVWo --> ssh-ed25519 Wu8JLQ b5BEsw8GS+LUcLZ7h36WDHp1uunlVymEcCmAcs5xaHQ -4xs/EAPRD4Z/rL3zisjGmslVt7OHx+Kh1kJmdBAxED4 --> ssh-ed25519 h6AgbA wNeprhlhTORbN4WFxWPJO0DV5vBVteE297O73EfngD4 -sceiHAg3S0aZ9xGIsw5VaPJkAWCci03SrHM520pb+Gw --> ssh-ed25519 lHr4YQ v6dG659zPeUqbyT8To8oGf6Kp3y15Z2YjlzdLVK3FCI -wB7EFm4tsgkaYexLfQM+lkNtUr09GWlLnh7CbgX3Ifc --> =-grease zZ5 e./C_ 
-z1vYPnfdTh+G0bc+UvV1EZMSfaNDsWiDHJ+W+1CB2+Z4pOnQt2jBFPYv7rE ---- LbcSlaucZaWsTqBR9PIA46r00cfJtG5ndinWSzsnl/0 -1h~sȰ#-FX/2.ZF?wE]ic.%b-wt܌q_%} \ No newline at end of file +LCJxUzS4Be2QQABzubSP5M9Ridg3Srytbb6+SLITgnRqb0fT5XkG7z4ae2lLMVxT +zJxrZX1crlg/nyibZychMwZDqNofGGKX/zSKyF6u42hqjAtaDneg6jB/T690sSpD +LcuTHUcPLw53bww4amLU5FmFcnGWMHTjmXj6oQ5lks3t3KO9izA+gDJO5kFIYgQa +Z0kMrlH21m2TdyGW7Er72qAlT0euwCKlWGGc1NAaSWyu/2gimTHJ4p+KCOpi1D7/ +cIxMEtXHUoS/vtINi1lZypETVZf9C3xfqZGCnu1xTpFcF8pBLskI/Uz4cxQGLAk3 +xd5fKuNVBnLc0Ku+oFR3zA +-> ssh-ed25519 85WiGg N5HOphuKLUksJTA29E/KHZAdyvTelqq0Lai3KtsGNi0 +6PilN36eZH8KYzQwqeLPX3wuiW4THuFef+ttoJh0BUo +-> ssh-ed25519 reTIKw epotGRShr91lRc2IKDkgfaDd4EhkDtF1jayFv/YW5nE +mMFKyzH1q8ZsUXfLnqFfHT88iz/i4WXVVuWqe3z9vx4 +-> ssh-ed25519 /vwQcQ DvVlWcbAA/xPTgDtpMmSyC2wxrnOM4H/dC1Vhh5Rmhg +JCq1yS057vqOFKZL11YhC4/rxYIRGAUI0y97Uch4tS4 +-> ssh-ed25519 cvTB5g EQ/YM5UYYp3+fS+6u+CwZxUn8Sm8vdqj5xHQf0U0MGc +mVhpObNYWSrAlh8kfADzGnhOw9O2r07v2RJH7DZhFkg +-> ssh-ed25519 Wu8JLQ k91dq2XwhgvE2Y75KAJWzFlPLXv+8+kTvH7sELmsViw +gpnxsNgbeuCYBYUt8j3mGm10rOGAoN9NDYVbObE2zXc +-> ssh-ed25519 vXYJfA fOpqzkovWF/hLUrsjrDwFUsKG3Pa7LQQ2QTiYWT4Ux0 +AM1EdbC+Sg37PZzXf6vsmeXSMMjXRVQT3mq000cmPw8 +-> ssh-ed25519 h6AgbA LWhZtBUJXu15GEIwSyKraXkaO8CO7/TuLSxsnbagQTk +1/It/vtykYe2NzG4r2J53yW+ZS2rgtUVNv8hlWYQnwY +-> ssh-ed25519 lHr4YQ zEMhvSZsUOiM+XEpuTljfKE1MqyxqxuL0yuKTj6E1Vc +J/pYqeaTK9NLIhSKeB0CFSFNLkVeV2C5enKVIRy5+Po +-> #Oj-grease fdq ltL1r ohAHn[aU QF%DKt +G2xXhW58AunOBXwtl1mD/DqdsHRoyjMvVl310MPWNFSSmLhG/UG7pQf3GUNsfThQ +lCvckvUfcYRen/hrEFhtyg +--- zwJ1Ma9A8rDbUQLAFpDNLs+2Iv6RQvEGlDFj9HVDRRg +;>qg4*b~G+x8 +,5!4:֖\go \ No newline at end of file diff --git a/machines/pubkeys/hubrecht.keys b/machines/pubkeys/hubrecht.keys new file mode 100644 index 0000000..07fbe76 --- /dev/null +++ b/machines/pubkeys/hubrecht.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv3iSpIjeUVDf+f89Hb/L++vzMX15Ti/PZTjAAG+tFl -- 2.47.0 
From f410aa4c7585b563ce5cf67eef69f3fa25eaf363 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Wed, 25 Jan 2023 15:35:41 +0100 Subject: [PATCH 131/149] core-services-01: Switch to systemd-network --- machines/core-services-01/configuration.nix | 65 +++++++++++---------- machines/core-services-01/my.nix | 20 ------- machines/core-services-01/network.nix | 36 ++++++++++++ 3 files changed, 70 insertions(+), 51 deletions(-) create mode 100644 machines/core-services-01/network.nix diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 7aa5220..d8284fb 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix 
@@ -1,37 +1,40 @@ { config, pkgs, lib, ... }: { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ./nur.nix - ./rz.nix - ./monitoring.nix - ./programs.nix - ./system.nix - ./acme-ssl.nix - ./dns.nix - ./netboot-server.nix - ./qemu.nix - ./gitea.nix - ./dokuwiki.nix - ./nginx.nix - ./keycloak.nix - ./acme-dns.nix - ./backups.nix - ./headscale.nix - ./snipe-it.nix - # ./dex.nix - ./oauth2_proxy.nix - ./secrets - ./matterbridge.nix - ./tunnels.nix - # TODO push to gitea - # TODO ./gotify.nix - # TODO(Raito): ./backups.nix - # TODO(Raito): ./snmp.nix - # TODO(Raito): ./sflow.nix? - ]; + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + + ./acme-dns.nix + ./acme-ssl.nix + ./backups.nix + # ./dex.nix + ./dns.nix + ./dokuwiki.nix + ./gitea.nix + ./headscale.nix + ./keycloak.nix + ./matterbridge.nix + ./monitoring.nix + ./netboot-server.nix + ./network.nix + ./nginx.nix + ./nur.nix + ./oauth2_proxy.nix + ./programs.nix + ./qemu.nix + ./rz.nix + ./secrets + ./snipe-it.nix + ./system.nix + ./tunnels.nix + + # TODO push to gitea + # TODO ./gotify.nix + # TODO(Raito): ./backups.nix + # TODO(Raito): ./snmp.nix + # TODO(Raito): ./sflow.nix? + ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; diff --git a/machines/core-services-01/my.nix b/machines/core-services-01/my.nix index 994190f..4ac6d20 100644 --- a/machines/core-services-01/my.nix +++ b/machines/core-services-01/my.nix @@ -99,24 +99,4 @@ in example = [ "10.1.0.0/22" ]; }; }; - - config = { - # Default IPv4 exit route - networking.defaultGateway = { - address = ""; - interface = "ens18"; - }; - - networking.interfaces.ens20 = { - ipv4.addresses = map mkAddress cfg.ipv4InternalFull; - }; - - networking.interfaces.ens19 = { - ipv6.addresses = map mkAddress (cfg.ipv6.standardFull ++ [ cfg.ipv6.acmeFull ]); - }; - - networking.interfaces.ens18 = { - ipv4.addresses = map mkAddress cfg.ipv4Full; - }; - }; } 
diff --git a/machines/core-services-01/network.nix b/machines/core-services-01/network.nix new file mode 100644 index 0000000..d3579be --- /dev/null +++ b/machines/core-services-01/network.nix @@ -0,0 +1,36 @@ +{ config, ... }: + +let + inherit (config) my; +in + +{ + networking.useNetworkd = true; + + systemd.network.networks = { + "10-ens18" = { + name = "ens18"; + address = my.ipv4Full; + DHCP = "ipv4"; + }; + + "10-ens19" = { + name = "ens19"; + address = with my.ipv6; standardFull ++ [ acmeFull ]; + + networkConfig.IPv6AcceptRA = true; + + ipv6AcceptRAConfig = { + UseOnLinkPrefix = false; + UseAutonomousPrefix = false; + }; + }; + + "10-ens20" = { + name = "ens20"; + address = my.ipv4InternalFull; + + DHCP = "ipv4"; + }; + }; +} -- 2.47.0 From bd22c63ec4ed133ec7668841bf3bc69584133461 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Wed, 25 Jan 2023 16:55:22 +0100 Subject: [PATCH 132/149] public-cof: Switch to systemd-network --- machines/public-cof/networking.nix | 57 +++++++++++++----------------- 1 file changed, 25 insertions(+), 32 deletions(-) diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 981eff0..39d232f 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix 
@@ -1,44 +1,37 @@ { lib, ... }: -let mkAddress = addr: let - splitted = lib.splitString "/" addr; - elemAt = builtins.elemAt splitted; - in - { address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); }; -in { + +{ networking = { hostName = "public-cof"; - # Default IPv4 exit route - defaultGateway = { - address = ""; - interface = "ens20"; - }; - localCommands = "ip route add default dev ens20 metric 10"; + useNetworkd = true; - useDHCP = false; - interfaces.ens18 = { - useDHCP = true; - ipv6.addresses = [{ - address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; - prefixLength = 64; - }]; - }; - interfaces.ens19 = { - useDHCP = false; - ipv4.addresses = [{ - address = "10.1.1.21"; - prefixLength = 22; - }]; + firewall = { enable = true; allowedTCPPorts = [ 22 ]; }; + }; + + systemd.network.networks = { + "10-ens18" = { + name = "ens18"; + address = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5/64" ]; + + DHCP = "ipv4"; + + dhcpV4Config.RouteMetric = 10; }; - interfaces.ens20 = { - # 1st is for public-cof - # 2nd is for IPv4 → IPv6 proxy in v6proxy/ - ipv4.addresses = map mkAddress [ "45.13.104.27/32" "45.13.104.29/32" ]; + "10-ens19" = { + name = "ens19"; + address = [ "10.1.1.21/22" ]; + + DHCP = "ipv4"; }; - firewall.allowedTCPPorts = [ 22 ]; - firewall.enable = true; + "10-ens20" = { + name = "ens20"; + address = [ "45.13.104.27/32" "45.13.104.29/32" ]; + + DHCP = "ipv4"; + }; }; services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]; -- 2.47.0 From 455fd180d2b5a656dd87b2f5973cec4ac217bb5a Mon Sep 17 00:00:00 2001 From: sinavir Date: Mon, 30 Jan 2023 21:21:29 +0100 Subject: [PATCH 133/149] pm=dynamic --- machines/public-cof/nix/sources.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json index 3209971..4043d80 100644 --- a/machines/public-cof/nix/sources.json +++ b/machines/public-cof/nix/sources.json 
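Review bot: `DHCP = "ipv4"` is now set on ens19 and ens20 in the new `systemd.network.networks` block even though both carry static addresses and ens19 previously had `useDHCP = false`, so any DHCP server reachable on those segments can now push DNS servers, NTP and routes to this public host. The only tuning present is `dhcpV4Config.RouteMetric = 10` on ens18, which also appears to move the preferred default route from ens20 (the old `localCommands` route) to ens18 — presumably intended, but worth a comment. If the leases are not needed, drop the `DHCP` lines on ens19/ens20; if they are, add `dhcpV4Config = { UseDNS = false; UseRoutes = false; };` on the interfaces that should not learn configuration from the network.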
@@ -14,7 +14,7 @@ "klubrz-nur": { "branch": "main", "repo": "https://git.rz.ens.wtf/Klub-RZ/nur", - "rev": "9c43904eb242455ca3db9466c5679c81aa92741f", + "rev": "bb95bbed09ccb2ae5ab5a8e02537c4c28c46d27e", "type": "git" }, "niv": { -- 2.47.0 From 244c8027aa0adc6545a67f4f6d3d2e51ea40b08c Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 23 Feb 2023 23:59:59 +0000 Subject: [PATCH 134/149] feat: Add sinavir's keys for `core-services-01` --- machines/core-services-01/configuration.nix | 1 + machines/pubkeys/sinavir.keys | 1 + 2 files changed, 2 insertions(+) create mode 100644 machines/pubkeys/sinavir.keys diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index d8284fb..819ad48 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -85,6 +85,7 @@ ../pubkeys/raito.keys ../pubkeys/mrf.keys ../pubkeys/hubrecht.keys + ../pubkeys/sinavir.keys ]; # Open ports in the firewall. diff --git a/machines/pubkeys/sinavir.keys b/machines/pubkeys/sinavir.keys new file mode 100644 index 0000000..471d054 --- /dev/null +++ b/machines/pubkeys/sinavir.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o -- 2.47.0 From 66c40b1026484c8673989babc531625d7c23e40a Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 23 Feb 2023 23:59:59 +0000 Subject: [PATCH 135/149] feat: Add sinavir's keys to `public-cof` and `remote-builder-01` --- machines/public-cof/configuration.nix | 1 + machines/remote-builder-01/configuration.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index ae3fce3..cb19ba2 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -55,6 +55,7 @@ ../pubkeys/gdd.keys ../pubkeys/raito.keys ../pubkeys/mrf.keys + ../pubkeys/sinavir.keys ]; system.stateVersion = "21.05"; 
diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index ad971fb..286062b 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -64,6 +64,7 @@ users.users.root.openssh.authorizedKeys.keyFiles = [ ../pubkeys/gdd.keys ../pubkeys/raito.keys + ../pubkeys/sinavir.keys ../pubkeys/remote-builders.keys ]; -- 2.47.0 From 3f2e795b0e1e080c90cca360c39b3fdbb26a1dc1 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 23 Feb 2023 23:59:59 +0000 Subject: [PATCH 136/149] chore: Rename module options --- machines/core-services-01/gitea.nix | 8 ++++---- machines/core-services-01/system.nix | 2 +- machines/public-cof/acme.nix | 2 +- machines/public-cof/hedgedoc.nix | 2 +- machines/public-cof/system.nix | 2 +- machines/remote-builder-01/system.nix | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/machines/core-services-01/gitea.nix b/machines/core-services-01/gitea.nix index ddfcbae..26402d0 100644 --- a/machines/core-services-01/gitea.nix +++ b/machines/core-services-01/gitea.nix @@ -13,11 +13,11 @@ in httpAddress = "127.0.0.1"; httpPort = port; database.type = "postgres"; - disableRegistration = false; - log = { - level = "Warn"; - }; settings = { + service.DISABLE_REGISTRATION = false; + log = { + level = "Warn"; + }; openid = { ENABLE_OPENID_SIGNUP = true; }; diff --git a/machines/core-services-01/system.nix b/machines/core-services-01/system.nix index 827bd11..3ab02d1 100644 --- a/machines/core-services-01/system.nix +++ b/machines/core-services-01/system.nix @@ -8,7 +8,7 @@ # Auto GC and store optimizations nix = { - trustedUsers = [ "root" "gab" ]; + settings.trusted-users = [ "root" "gab" ]; gc = { automatic = true; dates = "weekly"; diff --git a/machines/public-cof/acme.nix b/machines/public-cof/acme.nix index 3911368..9e03a21 100644 --- a/machines/public-cof/acme.nix +++ b/machines/public-cof/acme.nix 
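Review bot: The renamed `service.DISABLE_REGISTRATION = false` in gitea.nix keeps open self-registration on the instance, next to `openid.ENABLE_OPENID_SIGNUP = true`. The hunk only moves the option under `settings`, so behaviour is preserved, but an internet-reachable Gitea with open signup is a common spam and abuse vector; if accounts are meant to come only from OpenID/Keycloak, `service.DISABLE_REGISTRATION = true;` alone would also block that path, and Gitea's `service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;` is the setting that restricts signup to external providers. If open registration is deliberate, record it: `# Open registration is intentional; accounts are normally provisioned via Keycloak OpenID`.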
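Review bot: `settings.trusted-users = [ "root" "gab" ]` in core-services-01/system.nix lets `gab` pass arbitrary `substituters`, `trusted-public-keys` and sandbox settings to the daemon, which is effectively root on this host through the Nix store; the rename does not change that, but the hunk is now where the entry lives. If `gab` only needs to build, `nix.settings.allowed-users` is the unprivileged option; if the entry exists for remote deployment, the same person already has root via SSH keys and it may be redundant. A one-line comment such as `# trusted-users is root-equivalent for the Nix store; keep this list minimal` would help the next editor.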
@@ -1,5 +1,5 @@ { ... }: { security.acme.acceptTerms = true; - security.acme.email = "club-reseau@lists.ens.psl.eu"; + security.acme.defaults.email = "club-reseau@lists.ens.psl.eu"; } diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index b4235d5..23c8782 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -5,7 +5,7 @@ in { services.hedgedoc = { enable = true; - configuration = { + settings = { protocolUseSSL = true; # scp =; # TODO domain = "docs.beta.rz.ens.wtf"; diff --git a/machines/public-cof/system.nix b/machines/public-cof/system.nix index 997dbdd..b3a1d4c 100644 --- a/machines/public-cof/system.nix +++ b/machines/public-cof/system.nix @@ -8,7 +8,7 @@ # Auto GC and store optimizations nix = { - trustedUsers = [ "root" ]; + settings.trusted-users = [ "root" ]; gc = { automatic = true; dates = "weekly"; diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix index 9bb13cf..81732ab 100644 --- a/machines/remote-builder-01/system.nix +++ b/machines/remote-builder-01/system.nix @@ -1,7 +1,7 @@ { pkgs, ... }: { # Auto GC and store optimizations nix = { - trustedUsers = [ "root" ]; + settings.trusted-users = [ "root" ]; gc = { automatic = true; dates = "weekly"; -- 2.47.0 From deffb8e1fc45f4e43df5b5c44646084b86dd8009 Mon Sep 17 00:00:00 2001 From: sinavir Date: Fri, 24 Feb 2023 10:56:54 +0100 Subject: [PATCH 137/149] core-01: fix ipv4 routing issue --- machines/core-services-01/network.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/network.nix b/machines/core-services-01/network.nix index d3579be..da02165 100644 --- a/machines/core-services-01/network.nix +++ b/machines/core-services-01/network.nix 
@@ -29,8 +29,15 @@ in "10-ens20" = { name = "ens20"; address = my.ipv4InternalFull; - DHCP = "ipv4"; + dhcpV4Config.RouteMetric = 2048; + routes = [ + { + routeConfig = { + Destination = "10.0.0.0/8"; + }; + } + ]; }; }; } -- 2.47.0 From 2fde8ccf156c88b2200952017106a604b339bd29 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:04:42 +0200 Subject: [PATCH 138/149] deployment: upgrade to 23.05 --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 92a2cda..45c0417 100644 --- a/krops.nix +++ b/krops.nix @@ -9,7 +9,7 @@ let # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "8d3bd93e67201a7c8238e9cbde6d07aba9500636"; # nixos-unstable + ref = "23.05"; url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.47.0 From b88167f46a824194b079410b74010a03bb823207 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:21:44 +0200 Subject: [PATCH 139/149] =?UTF-8?q?deployment:=20fix=20it=20for=2023.05?= =?UTF-8?q?=E2=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 45c0417..140772d 100644 --- a/krops.nix +++ b/krops.nix @@ -9,7 +9,7 @@ let # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "23.05"; + ref = "origin/release-23.05"; url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.47.0 From 42cd2d7b794ebd8184b98760aab945c0dc1cd5e1 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:21:54 +0200 Subject: [PATCH 140/149] public-cof: add thubrecht --- machines/public-cof/configuration.nix | 1 + machines/public-cof/secrets/secrets.nix | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index cb19ba2..6bd8454 100644 --- a/machines/public-cof/configuration.nix 
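Review bot: `ref = "origin/release-23.05"` pins the deployed nixpkgs to a moving branch, whereas two commits earlier the value was an exact commit (`8d3bd93e…`). With a branch ref every krops run fetches whatever the branch currently points at, so two deploys can differ with no change in this repository and there is no hash to check the fetched tree against — a supply-chain regression relative to the previous pin. Prefer an exact commit (`ref = "<commit>"; # release-23.05 as of 2023-07-19`) bumped deliberately, or add a note that this is an interim state before the move to npins, which does record hashes. The surrounding `let` block starts outside the hunk.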
+++ b/machines/public-cof/configuration.nix @@ -56,6 +56,7 @@ ../pubkeys/raito.keys ../pubkeys/mrf.keys ../pubkeys/sinavir.keys + ../pubkeys/hubrecht.keys ]; system.stateVersion = "21.05"; diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index c703081..d48cb63 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -2,7 +2,7 @@ let pkgs = import {}; lib = pkgs.lib; readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); - superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); + superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "hubrecht"); public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; systems = [ public-cof ]; in -- 2.47.0 From 793e4d2aeea78b56ddfe5ca3d9d21f3906a1626f Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:22:03 +0200 Subject: [PATCH 141/149] public-cof: add some tuning for lychee --- machines/public-cof/lychee.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/machines/public-cof/lychee.nix b/machines/public-cof/lychee.nix index 944604b..137cd32 100644 --- a/machines/public-cof/lychee.nix +++ b/machines/public-cof/lychee.nix @@ -7,4 +7,11 @@ website = "photos.ens.wtf"; settings.APP_URL = "https://${config.services.lychee.website}"; }; + services.phpfpm.pools."photos.ens.wtf".settings = { + pm = "dynamic"; + "pm.max_children" = 10; + "pm.start_servers" = 3; + "pm.min_spare_servers" = 1; + "pm.max_spare_servers" = 3; + }; } -- 2.47.0 From 55c7194022bcbe79b1ad6009e9a5a3c9cce7374d Mon Sep 17 00:00:00 2001 
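Review bot: Adding `readPubkeys "hubrecht"` to `superadmins` in secrets.nix changes the recipient set of every secret declared there, yet the diffstat for this commit lists only `configuration.nix` and `secrets.nix` — no `.age` file is re-encrypted. Until a rekey is run and the re-encrypted files are committed, the new admin is in the rule but cannot decrypt anything, and the rules file disagrees with the stored ciphertexts; a comment such as `# After changing recipients, rekey and commit the updated .age files` would make the workflow explicit. Separately, `pkgs = import {};` as rendered here is not valid Nix; presumably an angle-bracketed `<nixpkgs>` argument was dropped by the page rendering rather than by the commit.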
From: sinavir Date: Sun, 23 Jul 2023 16:55:26 +0200 Subject: [PATCH 142/149] core-01: make it work for 23.05 --- machines/core-services-01/configuration.nix | 1 - machines/core-services-01/dokuwiki.nix | 28 --------------------- machines/core-services-01/monitoring.nix | 20 +++++++-------- 3 files changed, 10 insertions(+), 39 deletions(-) delete mode 100644 machines/core-services-01/dokuwiki.nix diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 819ad48..ac0021a 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -10,7 +10,6 @@ ./backups.nix # ./dex.nix ./dns.nix - ./dokuwiki.nix ./gitea.nix ./headscale.nix ./keycloak.nix diff --git a/machines/core-services-01/dokuwiki.nix b/machines/core-services-01/dokuwiki.nix deleted file mode 100644 index 1ad68e0..0000000 --- a/machines/core-services-01/dokuwiki.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, ... }: - -let - my = config.my; -in -{ - services.dokuwiki.sites."wiki.${my.subZone}" = { - enable = true; - acl = '' - * @ALL 1 - * @admin 16 - ''; - }; - - /* - services.nginx = { - enable = true; - - virtualHosts."wiki.${my.subZone}" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "htttp://127.0.0.1:${toString port}"; - }; - }; - }; - */ -} diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index edf0d20..7015efa 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix 
@@ -36,16 +36,16 @@ in { services.netdata = { enable = true; - package = pkgs.netdata.overrideAttrs (old: { - version = "1.36.0-185-nightly"; - src = pkgs.fetchFromGitHub { - owner = "netdata"; - repo = "netdata"; - rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; - sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; - fetchSubmodules = true; - }; - }); + #package = pkgs.netdata.overrideAttrs (old: { + # version = "1.36.0-185-nightly"; + # src = pkgs.fetchFromGitHub { + # owner = "netdata"; + # repo = "netdata"; + # rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; + # sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; + # fetchSubmodules = true; + # }; + #}); }; systemd.services.netdata.environment."NETDATA_DISABLE_CLOUD" = "1"; -- 2.47.0 From 2ab0cc688587772815ddd8631ec728546a8e4bd6 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 23 Jul 2023 17:52:45 +0200 Subject: [PATCH 143/149] =?UTF-8?q?public-cof:=20NC25=20=E2=86=92=20NC26?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Get us rid of RC4 encryption shenigans. --- machines/public-cof/nextcloud.nix | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 847affd..badd243 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,14 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud25; - # OpenSSL 3.0.x breaks RC4 encryption for NextCloud - # But we enabled encryption for NextCloud - # Therefore... - phpPackage = lib.mkForce (pkgs.php81.withExtensions ({ enabled, all }: - (lib.filter (e: e != pkgs.php81.extensions.openssl) enabled) - ++ [ (all.openssl.override { buildInputs = [ pkgs.openssl_1_1 ]; }) ] - )); + package = pkgs.nextcloud26; config = { overwriteProtocol = "https"; -- 2.47.0 From 6fb8528a9950eb1a9177d28e04831b9c6bbd7d25 Mon Sep 17 00:00:00 2001 
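Review bot: The netdata `package` override in monitoring.nix is commented out rather than removed, leaving a dead pin to a 2022 nightly (`284d5450…`) with its hash in the file. Commented-out code tends to be resurrected without re-checking, and for a monitoring agent that would mean reverting to an old build missing later fixes; delete the block and let git history keep it, or replace it with `# netdata: nixpkgs 23.05 package; the 2022 nightly override is no longer needed`. The `NETDATA_DISABLE_CLOUD = "1"` line that follows also deserves a short why-comment.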
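Review bot: Dropping the OpenSSL 1.1 PHP override in nextcloud.nix is the right direction (OpenSSL 1.1 is end-of-life), but the removed comment states that server-side encryption was enabled and depended on RC4, and switching `package` to `pkgs.nextcloud26` does not by itself re-encrypt existing files. Before deploying, confirm that files written under the legacy cipher are still readable with the new PHP/OpenSSL stack — Nextcloud ships a legacy-format scan for this (`occ encryption:scan:legacy-format`, if memory serves) — and note that once NC26 has migrated the database a rollback to NC25 is not supported. A comment such as `# NC26 on OpenSSL 3: legacy RC4-encrypted files must have been migrated first` would record the constraint.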
From: sinavir Date: Sun, 23 Jul 2023 17:58:44 +0200 Subject: [PATCH 144/149] public-cof: upgrade garage --- machines/public-cof/garage.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/garage.nix b/machines/public-cof/garage.nix index 7d25b0a..e2a1321 100644 --- a/machines/public-cof/garage.nix +++ b/machines/public-cof/garage.nix @@ -22,6 +22,7 @@ }; services.garage = { enable = true; + package = pkgs.garage_0_8; settings = { replication_mode = "none"; compression_level = 7; -- 2.47.0 From 50c17c74bb457182da4e91e8a6c4031ac6cce5cf Mon Sep 17 00:00:00 2001 From: tomate Date: Sun, 23 Jul 2023 18:04:38 +0200 Subject: [PATCH 145/149] Add 'CONTRIBUTING.md' --- CONTRIBUTING.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..46ce2a1 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1 @@ +Maurice écoute les conventions de Ryan \ No newline at end of file -- 2.47.0 From 6b6470eef94acd0b64eb2fbaa600815bb3c7fc3f Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 23 Jul 2023 23:36:06 +0200 Subject: [PATCH 146/149] keys: Move from machines/publickeys --- keys/gdd.keys | 2 ++ keys/hackens-milieu.keys | 1 + keys/hubrecht.keys | 1 + keys/mrf.keys | 1 + keys/raito.keys | 4 ++++ keys/remote-builders.keys | 1 + keys/sinavir.keys | 1 + 7 files changed, 11 insertions(+) create mode 100644 keys/gdd.keys create mode 100644 keys/hackens-milieu.keys create mode 100644 keys/hubrecht.keys create mode 100644 keys/mrf.keys create mode 100644 keys/raito.keys create mode 100644 keys/remote-builders.keys create mode 100644 keys/sinavir.keys diff --git a/keys/gdd.keys b/keys/gdd.keys new file mode 100644 index 0000000..b5d4e40 --- /dev/null +++ b/keys/gdd.keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ 
diff --git a/keys/hackens-milieu.keys b/keys/hackens-milieu.keys new file mode 100644 index 0000000..c79c039 --- /dev/null +++ b/keys/hackens-milieu.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3+w4+nyJG8lr2mh0S9Zf8j2/6H5smlO87s6KNLlhkF hackens@hackens-milieu diff --git a/keys/hubrecht.keys b/keys/hubrecht.keys new file mode 100644 index 0000000..07fbe76 --- /dev/null +++ b/keys/hubrecht.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv3iSpIjeUVDf+f89Hb/L++vzMX15Ti/PZTjAAG+tFl diff --git a/keys/mrf.keys b/keys/mrf.keys new file mode 100644 index 0000000..ebbfa68 --- /dev/null +++ b/keys/mrf.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe4tx0+lNX2w7kG94c9u7U0wHuOc2A6zpHcbyAs+w/d diff --git a/keys/raito.keys b/keys/raito.keys new file mode 100644 index 0000000..0f48a59 --- /dev/null +++ b/keys/raito.keys @@ -0,0 +1,4 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr diff --git a/keys/remote-builders.keys b/keys/remote-builders.keys new file mode 100644 index 0000000..b1b7645 --- /dev/null +++ b/keys/remote-builders.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ Raito's remote builder key diff --git a/keys/sinavir.keys b/keys/sinavir.keys new file mode 100644 index 0000000..471d054 --- /dev/null +++ b/keys/sinavir.keys 
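Review bot: Two authoritative copies of the root authorized-key files now exist: the commit is titled as a move but the diffstat shows 7 files created and 0 deleted, so `machines/pubkeys/*.keys` stay in the tree beside the new `keys/*.keys`, and the machine configurations in this series still reference `../pubkeys/...` until the next commit. That is a revocation hazard — a key removed from one set remains valid wherever the other set is still read. Delete the old directory once nothing imports it, and consider giving each key a comment field naming its owner, as `hackens-milieu.keys` and `remote-builders.keys` already do, so a stray key can be traced during review.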
@@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o -- 2.47.0 From 7f88c60cc22761935cbf0159e58283bf54d72a41 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 23 Jul 2023 23:36:55 +0200 Subject: [PATCH 147/149] Switch from krops to colmena --- .envrc | 1 + .gitignore | 1 + hive.nix | 57 +++++++++++++++++ .../{configuration.nix => _configuration.nix} | 22 +------ ...ration.nix => _hardware-configuration.nix} | 0 .../{configuration.nix => _configuration.nix} | 11 ---- ...ration.nix => _hardware-configuration.nix} | 0 .../{configuration.nix => _configuration.nix} | 20 +----- ...ration.nix => _hardware-configuration.nix} | 0 meta/default.nix | 5 ++ meta/nodes.nix | 64 +++++++++++++++++++ modules/default.nix | 11 ++++ modules/krz-access-control.nix | 46 +++++++++++++ modules/krz-ssh.nix | 25 ++++++++ nix-patches/default.nix | 1 + npins/default.nix | 47 ++++++++++++++ npins/sources.json | 43 +++++++++++++ shell.nix | 15 +++++ 18 files changed, 318 insertions(+), 51 deletions(-) create mode 100644 .envrc create mode 100644 hive.nix rename machines/core-services-01/{configuration.nix => _configuration.nix} (70%) rename machines/core-services-01/{hardware-configuration.nix => _hardware-configuration.nix} (100%) rename machines/public-cof/{configuration.nix => _configuration.nix} (77%) rename machines/public-cof/{hardware-configuration.nix => _hardware-configuration.nix} (100%) rename machines/remote-builder-01/{configuration.nix => _configuration.nix} (69%) rename machines/remote-builder-01/{hardware-configuration.nix => _hardware-configuration.nix} (100%) create mode 100644 meta/default.nix create mode 100644 meta/nodes.nix create mode 100644 modules/default.nix create mode 100644 modules/krz-access-control.nix create mode 100644 modules/krz-ssh.nix create mode 100644 nix-patches/default.nix create mode 100644 npins/default.nix create mode 100644 npins/sources.json create mode 100644 shell.nix 
diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..1d953f4 --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use nix diff --git a/.gitignore b/.gitignore index b2be92b..726d2d6 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ result +.direnv diff --git a/hive.nix b/hive.nix new file mode 100644 index 0000000..fdc3708 --- /dev/null +++ b/hive.nix @@ -0,0 +1,57 @@ +let + sources = import ./npins; + metadata = import ./meta; + + lib = import (sources.nix-lib + "/trivial.nix"); + + mkNode = node: { name, nodes, ... }: { + # Import the base configuration for each node + imports = builtins.map (lib.mkRel ./machines/${node}) [ + "_configuration.nix" + "_hardware-configuration.nix" + ]; + + # Include default secrets + # dgn-secrets.sources = [ ./machines/${node}/secrets ]; + + # Deployment config is specified in meta.nodes.${node}.deployment + inherit (metadata.nodes.${node}) deployment; + + # Set NIX_PATH to the patched version of nixpkgs + nix.nixPath = [ "nixpkgs=${mkNixpkgs node}" ]; + + # Use the stateVersion declared in the metadata + system.stateVersion = metadata.nodes.${node}.stateVersion; + }; + + mkNixpkgs = node: + let version = "nixos-${metadata.nodes.${node}.nixpkgs}"; in + (import sources.${version} { }).applyPatches { + name = "${version}-patched"; + src = sources.${version}; + patches = (import ./nix-patches).${version} or [ ]; + }; + + mkNixpkgs' = node: import (mkNixpkgs node) { }; + + mkArgs = node: { + nix-lib = import sources.nix-lib { inherit ((mkNixpkgs' node)) lib; keysRoot = ./keys; }; + }; + + nodes = builtins.attrNames metadata.nodes; +in + +{ + meta = { + nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes; + + specialArgs = { inherit sources; meta = metadata; }; + + nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes; + }; + + defaults = { ... }: { + # Import the default modules + imports = [ ./modules ]; + }; +} // (lib.mapSingleFuse mkNode nodes) 
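Review bot: hive.nix has no header comment, and the trust boundary it sets up is worth stating: `mkArgs` imports `sources.nix-lib` (a third-party library pinned in npins) into every node's special args with `keysRoot = ./keys`, so the key material that decides root access flows through that library's `getAllKeys`, and `mkNixpkgs` applies whatever `./nix-patches` provides to the nixpkgs tree that `nix.nixPath` then exposes on every host. A short comment such as `# nix-lib and nixpkgs are pinned with hashes in npins/sources.json; ./nix-patches may patch nixpkgs per release` would make that explicit. The commented-out `# dgn-secrets.sources = [ ./machines/${node}/secrets ];` line should become a TODO with an owner or be removed, since the secrets module is not imported yet.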
diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/_configuration.nix similarity index 70% rename from machines/core-services-01/configuration.nix rename to machines/core-services-01/_configuration.nix index ac0021a..9bcee06 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/_configuration.nix @@ -2,9 +2,6 @@ { imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ./acme-dns.nix ./acme-ssl.nix ./backups.nix @@ -77,28 +74,11 @@ services.zfs.autoScrub.enable = true; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../pubkeys/gdd.keys - ../pubkeys/raito.keys - ../pubkeys/mrf.keys - ../pubkeys/hubrecht.keys - ../pubkeys/sinavir.keys - ]; - # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. networking.firewall.enable = false; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.05"; # Did you read the comment? - environment.variables.NIX_PATH = lib.mkForce "/var/src"; + system.stateVersion = "22.05"; } diff --git a/machines/core-services-01/hardware-configuration.nix b/machines/core-services-01/_hardware-configuration.nix similarity index 100% rename from machines/core-services-01/hardware-configuration.nix rename to machines/core-services-01/_hardware-configuration.nix 
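Review bot: `networking.firewall.enable = false;` survives on the new side of the second hunk, and now that sshd and the root keys come from the shared `krz-ssh`/`krz-access-control` modules nothing in this file says why an internet-facing host (`core01.rz.ens.wtf` per meta/nodes.nix) runs without a packet filter. If that is intentional, document it: `# Firewall intentionally disabled: this host routes/serves the internal network; filtering is done upstream`; otherwise enable it and open ports per service. The file's function header with the now possibly unused `lib` argument lies outside the hunk.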
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/_configuration.nix similarity index 77% rename from machines/public-cof/configuration.nix rename to machines/public-cof/_configuration.nix index 6bd8454..a831791 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/_configuration.nix @@ -3,7 +3,6 @@ { imports = [ - ./hardware-configuration.nix ./programs.nix ./system.nix ./acme.nix @@ -49,15 +48,5 @@ enableSSHSupport = true; }; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../pubkeys/gdd.keys - ../pubkeys/raito.keys - ../pubkeys/mrf.keys - ../pubkeys/sinavir.keys - ../pubkeys/hubrecht.keys - ]; - system.stateVersion = "21.05"; } diff --git a/machines/public-cof/hardware-configuration.nix b/machines/public-cof/_hardware-configuration.nix similarity index 100% rename from machines/public-cof/hardware-configuration.nix rename to machines/public-cof/_hardware-configuration.nix diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/_configuration.nix similarity index 69% rename from machines/remote-builder-01/configuration.nix rename to machines/remote-builder-01/_configuration.nix index 286062b..d5906a8 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/_configuration.nix @@ -2,7 +2,6 @@ { imports = [ - ./hardware-configuration.nix ./system.nix # TODO monitoring ]; 
@@ -59,28 +58,11 @@ services.zfs.autoScrub.enable = true; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../pubkeys/gdd.keys - ../pubkeys/raito.keys - ../pubkeys/sinavir.keys - ../pubkeys/remote-builders.keys - ]; - # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. networking.firewall.enable = false; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "21.05"; # Did you read the comment? - + system.stateVersion = "21.05"; } - diff --git a/machines/remote-builder-01/hardware-configuration.nix b/machines/remote-builder-01/_hardware-configuration.nix similarity index 100% rename from machines/remote-builder-01/hardware-configuration.nix rename to machines/remote-builder-01/_hardware-configuration.nix diff --git a/meta/default.nix b/meta/default.nix new file mode 100644 index 0000000..a6ccb51 --- /dev/null +++ b/meta/default.nix @@ -0,0 +1,5 @@ +let + nodes = import ./nodes.nix; +in + +{ inherit nodes; } diff --git a/meta/nodes.nix b/meta/nodes.nix new file mode 100644 index 0000000..c017cc4 --- /dev/null +++ b/meta/nodes.nix 
@@ -0,0 +1,64 @@ +### +# File specifying all the deployement options for the nodes administrated by the dgnum. +# +# Node metadata template is: +# +# NODE_NAME = { +# adminGroups = []; # List of groups that have root access +# admins = []; # List of individuals that have root access +# deployment = {}; # Colmena deployment options +# nixpkgs = "unstable" or "22.11"; # nixpkgs version +# } + +let + mkNode = _: attrs: { + access = [ ]; + + deployment = { }; + + nixpkgs = "23.05"; + } // attrs; +in + +builtins.mapAttrs mkNode { + core-services-01 = { + admins = [ + "gdd" + "hubrecht" + "mrf" + "raito" + "sinavir" + ]; + + deployment.targetHost = "core01.rz.ens.wtf"; + + stateVersion = "22.05"; + }; + + remote-builder-01 = { + admins = [ + "gdd" + "raito" + "sinavir" + "remote-builders" + ]; + + deployment.targetHost = "nix01.builders.rz.ens.wtf"; + + stateVersion = "21.05"; + }; + + public-cof = { + admins = [ + "gdd" + "hubrecht" + "mrf" + "raito" + "sinavir" + ]; + + deployment.targetHost = "beta.rz.ens.wtf"; + + stateVersion = "21.05"; + }; +} diff --git a/modules/default.nix b/modules/default.nix new file mode 100644 index 0000000..bc98724 --- /dev/null +++ b/modules/default.nix @@ -0,0 +1,11 @@ +{ nix-lib, sources, ... }: + +{ + imports = (nix-lib.mkImports ./. [ + "krz-access-control" + "krz-ssh" + ]) ++ [ + # TODO: Switch to global version of agenix via npins + # "${sources.agenix}/modules/age.nix" + ]; +} diff --git a/modules/krz-access-control.nix b/modules/krz-access-control.nix new file mode 100644 index 0000000..55fd2a3 --- /dev/null +++ b/modules/krz-access-control.nix 
@@ -0,0 +1,46 @@ +{ config, lib, nix-lib, meta, name, ... }: + +let + inherit (lib) + mkDefault + mkEnableOption + mkIf + mkOption + + types; + + nodeMeta = meta.nodes.${name}; + inherit (nodeMeta) admins; + + cfg = config.krz-access-control; +in + +{ + options.krz-access-control = { + enable = mkEnableOption "DGNum access control." // { default = true; }; + + users = mkOption { + type = with types; attrsOf (listOf str); + default = { }; + description = '' + Attribute set describing which member has access to which user on the node. + Members must be declared in `meta/members.nix`. + ''; + example = '' + { + user1 = [ "member1" "member2" ]; + } + ''; + }; + }; + + config = mkIf cfg.enable { + # Admins have root access to the node + krz-access-control.users.root = mkDefault admins; + + users.users = builtins.mapAttrs + (u: members: { openssh.authorizedKeys.keys = nix-lib.getAllKeys members; }) + cfg.users; + }; +} + diff --git a/modules/krz-ssh.nix b/modules/krz-ssh.nix new file mode 100644 index 0000000..4124ada --- /dev/null +++ b/modules/krz-ssh.nix @@ -0,0 +1,25 @@ +{ config, lib, ... }: + +let + inherit (lib) + mkEnableOption + mkIf; + + cfg = config.krz-ssh; +in + +{ + options.krz-ssh = { + enable = mkEnableOption "ssh default configuration." // { default = true; }; + }; + + config = mkIf cfg.enable { + services.openssh = { + enable = true; + + settings.PasswordAuthentication = false; + }; + + programs.mosh.enable = true; + }; +} diff --git a/nix-patches/default.nix b/nix-patches/default.nix new file mode 100644 index 0000000..0967ef4 --- /dev/null +++ b/nix-patches/default.nix @@ -0,0 +1 @@ +{} diff --git a/npins/default.nix b/npins/default.nix new file mode 100644 index 0000000..4a7c372 --- /dev/null +++ b/npins/default.nix 
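Review bot: `krz-access-control.users.root = mkDefault admins;` makes the node's admin list vanish as soon as any other module defines `krz-access-control.users.root` at normal priority, because the module system only merges list definitions of the highest priority; a host file that tries to add one extra member to root would silently revoke every admin's root key rather than append to it. If admins are meant to always have root, define it without `mkDefault` so host-level additions merge; if overriding is the intent, say so in the option `description`, e.g. `Defining users.root at normal priority replaces the node's admins entirely.`. The description also points at `meta/members.nix`, which is not among the files added in this diff (only `meta/nodes.nix` is), and how `nix-lib.getAllKeys` treats an unknown member name is not visible here. A typo that resolves to an empty key list would lock that user out with no evaluation error, so it is worth checking that `getAllKeys` throws on unknown names.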
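Review bot: `settings.PasswordAuthentication = false;` on its own does not turn off password logins on NixOS, because `services.openssh.settings.KbdInteractiveAuthentication` defaults to true and PAM's keyboard-interactive method still prompts for and accepts account passwords; since every node on this page gives admins key-based root access, add `settings.KbdInteractiveAuthentication = false;` next to it. `PermitRootLogin` is left at the NixOS default (`prohibit-password`), which matches the key-only root access `krz-access-control` sets up, but stating it explicitly in a comment or as `settings.PermitRootLogin = "prohibit-password";` keeps a future default change from silently widening root login. `programs.mosh.enable = true;` also opens mosh's UDP range in the firewall by default (`programs.mosh.openFirewall`), which changes nothing on remote-builder-01 where the firewall is disabled, but is worth knowing if that changes.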
@@ -0,0 +1,47 @@ +# Generated by npins. Do not modify; will be overwritten regularly +let + data = builtins.fromJSON (builtins.readFile ./sources.json); + version = data.version; + + mkSource = spec: + assert spec ? type; let + path = + if spec.type == "Git" then mkGitSource spec + else if spec.type == "GitRelease" then mkGitSource spec + else if spec.type == "PyPi" then mkPyPiSource spec + else if spec.type == "Channel" then mkChannelSource spec + else builtins.throw "Unknown source type ${spec.type}"; + in + spec // { outPath = path; }; + + mkGitSource = { repository, revision, url ? null, hash, ... }: + assert repository ? type; + # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository + # In the latter case, there we will always be an url to the tarball + if url != null then + (builtins.fetchTarball { + inherit url; + sha256 = hash; # FIXME: check nix version & use SRI hashes + }) + else assert repository.type == "Git"; builtins.fetchGit { + url = repository.url; + rev = revision; + # hash = hash; + }; + + mkPyPiSource = { url, hash, ... }: + builtins.fetchurl { + inherit url; + sha256 = hash; + }; + + mkChannelSource = { url, hash, ... }: + builtins.fetchTarball { + inherit url; + sha256 = hash; + }; +in +if version == 3 then + builtins.mapAttrs (_: mkSource) data.pins +else + throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`" diff --git a/npins/sources.json b/npins/sources.json new file mode 100644 index 0000000..1df8536 --- /dev/null +++ b/npins/sources.json 
@@ -0,0 +1,43 @@
+{
+ "pins": {
+ "agenix": {
+ "type": "GitRelease",
+ "repository": {
+ "type": "Git",
+ "url": "https://github.com/ryantm/agenix"
+ },
+ "pre_releases": false,
+ "version_upper_bound": null,
+ "version": "0.13.0",
+ "revision": "9c9fbfb94b2d545c7f0b78da0254ea0041595795",
+ "url": null,
+ "hash": "0k6aggy3lhqv6j11cvi4gr0i3jps8hlf262xl9ji3ffxwas46p54"
+ },
+ "nix-lib": {
+ "type": "GitRelease",
+ "repository": {
+ "type": "Git",
+ "url": "https://git.hubrecht.ovh/hubrecht/nix-lib"
+ },
+ "pre_releases": false,
+ "version_upper_bound": null,
+ "version": "0.1.1",
+ "revision": "5db2443e2cb18335375ad84ffbc066a239c054de",
+ "url": null,
+ "hash": "18xzi2yn2vk7zq79pgz8z2s1ijhyjcx5866mp21rrdi9gz37yiif"
+ },
+ "nixos-23.05": {
+ "type": "Channel",
+ "name": "nixos-23.05",
+ "url": "https://releases.nixos.org/nixos/23.05/nixos-23.05.2162.6da4bc6cb07/nixexprs.tar.xz",
+ "hash": "198wbl9b7j3k51n0rxs09vy6x535ysqv6kbxf42d9yqr49d2n9vc"
+ },
+ "nixpkgs": {
+ "type": "Channel",
+ "name": "nixpkgs-unstable",
+ "url": "https://releases.nixos.org/nixpkgs/nixpkgs-23.11pre506668.af8cd5ded77/nixexprs.tar.xz",
+ "hash": "0in8bgah6hz47lsa3ka2fslwks174maqdzy8mcmsj0q4wrv8h2s9"
+ }
+ },
+ "version": 3
+}
\ No newline at end of file
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..e29954b
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,15 @@
+let
+ sources = import ./npins;
+ pkgs = import sources.nixpkgs { };
+in
+
+pkgs.mkShell {
+ packages = with pkgs; [
+ npins
+ colmena
+ nixos-generators
+ ] ++ (builtins.map (p: callPackage p { }) [
+ ]);
+
+ allowSubstitutes = false;
+}
-- 2.47.0
From 29034e605695e37086e46f9cedb77af4bc132dc8 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Sun, 23 Jul 2023 23:50:10 +0200
Subject: [PATCH 148/149] krops.nix: Delete
---
 krops.nix | 36 ------------------------------------
 1 file changed, 36 deletions(-)
 delete mode 100644 krops.nix
diff --git a/krops.nix b/krops.nix
deleted file mode 100644
index 140772d..0000000
--- a/krops.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-let
- krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; };
- lib = import "${krops}/lib";
- pkgs = import "${krops}/pkgs" { };
- source = machine:
- lib.evalSource [{
- config.file = toString ./machines;
- nixos-config.symlink = "config/${machine}/configuration.nix";
- # Auto-upgrade wen?
- nixpkgs.git = {
- clean.exclude = [ "/.version-suffix" ];
- ref = "origin/release-23.05";
- url = "https://github.com/NixOS/nixpkgs";
- };
- }];
- mkTestConfig = hostname: {
- name = "test-${hostname}";
- value = pkgs.krops.writeTest "test-${hostname}" {
- source = source hostname;
- target = lib.mkTarget {
- host = "localhost";
- path = "/tmp/src";
- };
- force = true; # force create the sentinel file.
- };
- };
- mkTestsConfig = hostnames: builtins.listToAttrs (map mkTestConfig hostnames);
- mkDeploy = hostname: target: { ${hostname} = pkgs.krops.writeDeploy "deploy-${hostname}" {
- source = source hostname;
- inherit target;
- }; };
-in {}
-// mkDeploy "core-services-01" "root@core01.rz.ens.wtf"
-// mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf"
-// mkDeploy "public-cof" "root@beta.rz.ens.wtf"
-// mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ]
-- 2.47.0
From 41fc60e1eb6fb12f896be92abb5cfd946c3480d4 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Sun, 23 Jul 2023 23:56:33 +0200
Subject: [PATCH 149/149] core-01: Disable netboot-server
---
 machines/core-services-01/_configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/machines/core-services-01/_configuration.nix b/machines/core-services-01/_configuration.nix
index 9bcee06..3c7162e 100644
--- a/machines/core-services-01/_configuration.nix
+++ b/machines/core-services-01/_configuration.nix
@@ -12,7 +12,7 @@
 ./keycloak.nix
 ./matterbridge.nix
 ./monitoring.nix
- ./netboot-server.nix
+ # ./netboot-server.nix
 ./network.nix
 ./nginx.nix
 ./nur.nix
-- 2.47.0