From 9207580a39670e2c16d3d97770837bad0e8ac6a1 Mon Sep 17 00:00:00 2001 From: Gabriel DORIATH DOHLER Date: Wed, 28 Jul 2021 23:12:58 +0200 Subject: [PATCH 001/149] Add remote-builder-01 --- machines/remote-builder-01/configuration.nix | 84 +++++++++++++++++++ .../hardware-configuration.nix | 35 ++++++++ machines/remote-builder-01/programs.nix | 24 ++++++ machines/remote-builder-01/pubkeys/gdd.keys | 2 + .../pubkeys/hackens-milieu.keys | 1 + machines/remote-builder-01/pubkeys/raito.keys | 4 + machines/remote-builder-01/system.nix | 28 +++++++ machines/remote-builder-01/vim.nix | 31 +++++++ 8 files changed, 209 insertions(+) create mode 100644 machines/remote-builder-01/configuration.nix create mode 100644 machines/remote-builder-01/hardware-configuration.nix create mode 100644 machines/remote-builder-01/programs.nix create mode 100644 machines/remote-builder-01/pubkeys/gdd.keys create mode 100644 machines/remote-builder-01/pubkeys/hackens-milieu.keys create mode 100644 machines/remote-builder-01/pubkeys/raito.keys create mode 100644 machines/remote-builder-01/system.nix create mode 100644 machines/remote-builder-01/vim.nix diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix new file mode 100644 index 0000000..199ae19 --- /dev/null +++ b/machines/remote-builder-01/configuration.nix 
@@ -0,0 +1,84 @@ +{ config, pkgs, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ./programs.nix + ./system.nix + # TODO monitoring + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + boot.initrd.supportedFilesystems = [ "zfs" ]; + boot.supportedFilesystems = [ "zfs" ]; + + networking.hostName = "remote-builder-01"; + networking.hostId = "11894198"; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.ens18.useDHCP = true; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + wget + ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + programs.mtr.enable = true; + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + # List services that you want to enable: + + services.zfs.autoScrub.enable = true; + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ./pubkeys/gdd.keys + ./pubkeys/raito.keys + ./pubkeys/hackens-milieu.keys + ]; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. 
+ networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "21.05"; # Did you read the comment? + +} + diff --git a/machines/remote-builder-01/hardware-configuration.nix b/machines/remote-builder-01/hardware-configuration.nix new file mode 100644 index 0000000..f80b2c7 --- /dev/null +++ b/machines/remote-builder-01/hardware-configuration.nix @@ -0,0 +1,35 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "rpool/root/nixos"; + fsType = "zfs"; + }; + + fileSystems."/home" = + { device = "rpool/home"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/3341-A3B9"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/1f624fe3-1fc5-44f4-9529-812558ffba42"; } + ]; + +} diff --git a/machines/remote-builder-01/programs.nix b/machines/remote-builder-01/programs.nix new file mode 100644 index 0000000..e7e4afc --- /dev/null +++ b/machines/remote-builder-01/programs.nix 
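Review bot: `networking.firewall.enable = false;` near the end of the new configuration.nix leaves every listening service on the builder reachable, while the only intended entry point is sshd with root authorized keys; the OpenSSH module opens its own port when the firewall is on, so keeping it costs nothing. Password authentication is also left at the module default (which, as far as I recall for 21.05, accepts passwords), so a guessed password would grant a shell alongside the key-based root access. I would replace the line with `networking.firewall.enable = true;` and add `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "prohibit-password";` directly after `services.openssh.enable = true;`. The identical file is re-added in the squashed PATCH 007 and the remark applies there unchanged.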
@@ -0,0 +1,24 @@ +{ pkgs, ... }: +let pkgsList = with pkgs; [ + nix-prefetch-git + dnsutils + + unzip + zip + ripgrep + + niv + nixfmt + ]; +in +{ + imports = [ + ./vim.nix + ]; + programs = { + tmux.enable = true; + mosh.enable = true; + }; + + environment.systemPackages = pkgsList; +} diff --git a/machines/remote-builder-01/pubkeys/gdd.keys b/machines/remote-builder-01/pubkeys/gdd.keys new file mode 100644 index 0000000..b5d4e40 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/gdd.keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ diff --git a/machines/remote-builder-01/pubkeys/hackens-milieu.keys b/machines/remote-builder-01/pubkeys/hackens-milieu.keys new file mode 100644 index 0000000..c79c039 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/hackens-milieu.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3+w4+nyJG8lr2mh0S9Zf8j2/6H5smlO87s6KNLlhkF hackens@hackens-milieu diff --git a/machines/remote-builder-01/pubkeys/raito.keys b/machines/remote-builder-01/pubkeys/raito.keys new file mode 100644 index 0000000..0f48a59 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/raito.keys @@ -0,0 +1,4 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr 
diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix new file mode 100644 index 0000000..f2c68d1 --- /dev/null +++ b/machines/remote-builder-01/system.nix @@ -0,0 +1,28 @@ +{ pkgs, ... }: +{ + # # Auto upgrades + # system.autoUpgrade = { + # enable = false; # TODO(Ryan): do not enable, it will break deployments. + # allowReboot = false; + # }; + + # Auto GC and store optimizations + nix = { + trustedUsers = [ "root" "gab" ]; + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 90d"; + }; + optimise.automatic = true; + extraOptions = '' + min-free = ${toString (100 * 1024 * 1024)} + max-free = ${toString (1024 * 1024 * 1024)} + ''; + }; + + services.locate = { + enable = true; + interval = "04:05"; + }; +} diff --git a/machines/remote-builder-01/vim.nix b/machines/remote-builder-01/vim.nix new file mode 100644 index 0000000..bed8752 --- /dev/null +++ b/machines/remote-builder-01/vim.nix @@ -0,0 +1,31 @@ +{ pkgs, ... }: +{ + environment.variables = { EDITOR = "vim"; }; + + environment.systemPackages = with pkgs; [ + nixfmt + git + (neovim.override { + vimAlias = true; + configure = { + packages.myPlugins = with pkgs.vimPlugins; { + start = [ vim-lastplace vim-nix ]; + opt = []; + }; + customRC = '' + set encoding=utf-8 + set wildmenu + + set nocompatible + set backspace=indent,eol,start + set cursorline + hi CursorLine term=bold cterm=bold ctermbg=darkgrey + set number + set relativenumber + set tabstop=4 + set expandtab + ''; + }; + } + )]; +} -- 2.49.0 From 63edbed11fba272c265f8557fd9cfc6c9ba06b3c Mon Sep 17 00:00:00 2001 From: Gabriel DORIATH DOHLER Date: Wed, 28 Jul 2021 23:31:57 +0200 Subject: [PATCH 002/149] Test and deploy --- .drone.yml | 4 ++++ README.md | 1 + krops.nix | 23 ++++++++++++----------- 3 files changed, 17 insertions(+), 11 deletions(-) diff --git a/.drone.yml b/.drone.yml index 5feb66e..fda39a8 100644 --- a/.drone.yml +++ b/.drone.yml 
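Review bot: `nix.trustedUsers = [ "root" "gab" ];` in system.nix makes `gab` effectively root-equivalent, since a trusted user may hand the daemon arbitrary substituters and sandbox settings, yet no `users.users.gab` is declared anywhere in this patch, so the entry is either dead or refers to an account created elsewhere. If the account exists, the line deserves a comment recording why, e.g. `# trusted users can bypass store signing and sandboxing; keep this list to admins`; if it does not, drop `"gab"` until the user is defined. The same file is duplicated in the squashed PATCH 007.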
@@ -15,5 +15,9 @@ steps:
 commands:
 - "export NIX_PATH=nixpkgs=/var/nixpkgs"
 - "echo Building core-services-01 && nix-build krops.nix -A test-core-services-01 && ./result"
+- name: Build remote-builder-01 configuration
+ commands:
+ - "export NIX_PATH=nixpkgs=/var/nixpkgs"
+ - "echo Building remote-builder-01 && nix-build krops.nix -A remote-builder-01 && ./result"
 ...
diff --git a/README.md b/README.md
index d608944..0a227f8 100644
--- a/README.md
+++ b/README.md
@@ -5,6 +5,7 @@ Refer to wiki for details.
 - `core-services-01`
+- `remote-builder-01`
 ## How to deploy a machine?
diff --git a/krops.nix b/krops.nix
index 17ba000..cbcc956 100644
--- a/krops.nix
+++ b/krops.nix
@@ -15,20 +15,21 @@ let
 };
 }
 ];
-in
- {
- core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" {
- source = source "core-services-01";
- target = "root@core01.internal.rz.ens.wtf";
- };
-
- test-core-services-01 = pkgs.krops.writeTest "test-core-services-01" {
- source = source "core-services-01";
+ mkTestConfig = hostname:
+ test-${hostname}-01 = pkgs.krops.writeTest "test-${hostname}" {
+ source = source hostname;
 target = lib.mkTarget {
 host = "localhost";
 path = "/tmp/src";
 };
 force = true; # force create the sentinel file.
 };
-
- }
+ mkTestsConfig = hostnames:
+ builtins.listToAttrs (map (h: { name = h; value = mkTestConfig h; }) hostnames)
+in
+ {
+ core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" {
+ source = source "core-services-01";
+ target = "root@core01.internal.rz.ens.wtf";
+ };
+ } // mkTestsConfig [ "core-services-01" "remote-builder-01" ];
-- 
2.49.0
From 8cff6168b5e47581f090804a59b0ff45f1ca6adc Mon Sep 17 00:00:00 2001
From: Gabriel DORIATH DOHLER
Date: Wed, 28 Jul 2021 23:35:51 +0200
Subject: [PATCH 003/149] Fix syntax errors
---
 krops.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/krops.nix b/krops.nix
index cbcc956..3ebf006 100644
--- a/krops.nix
+++ b/krops.nix
@@ -25,11 +25,11 @@ let force = true; # force create the sentinel file. }; mkTestsConfig = hostnames: - builtins.listToAttrs (map (h: { name = h; value = mkTestConfig h; }) hostnames) + builtins.listToAttrs (map (h: { name = h; value = mkTestConfig h; }) hostnames); in { core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" { source = source "core-services-01"; target = "root@core01.internal.rz.ens.wtf"; }; - } // mkTestsConfig [ "core-services-01" "remote-builder-01" ]; + } // mkTestsConfig [ "core-services-01" "remote-builder-01" ] -- 2.49.0 From 818c6aa5422b329207af6c27ce0bed56b167fa79 Mon Sep 17 00:00:00 2001 From: Gabriel DORIATH DOHLER Date: Wed, 28 Jul 2021 23:39:01 +0200 Subject: [PATCH 004/149] Fix errors --- krops.nix | 37 +++++++++++++++++-------------------- 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/krops.nix b/krops.nix index 3ebf006..9b5373f 100644 --- a/krops.nix +++ b/krops.nix @@ -1,22 +1,20 @@ let - krops = builtins.fetchGit { - url = "https://cgit.krebsco.de/krops/"; - }; + krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; }; lib = import "${krops}/lib"; - pkgs = import "${krops}/pkgs" {}; - source = machine: lib.evalSource [ - { + pkgs = import "${krops}/pkgs" { }; + source = machine: + lib.evalSource [{ config.file = toString ./machines; nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; ref = "973910f5c31b9ba6c171c33a8bd7199990b14c72"; # nixos-21.05 - url = https://github.com/NixOS/nixpkgs; + url = "https://github.com/NixOS/nixpkgs"; }; - } - ]; - mkTestConfig = hostname: - test-${hostname}-01 = pkgs.krops.writeTest "test-${hostname}" { + }]; + mkTestConfig = hostname: { + name = "test-${hostname}"; + value = pkgs.krops.writeTest "test-${hostname}" { source = source hostname; target = lib.mkTarget { host = "localhost"; 
@@ -24,12 +22,11 @@ let }; force = true; # force create the sentinel file. }; - mkTestsConfig = hostnames: - builtins.listToAttrs (map (h: { name = h; value = mkTestConfig h; }) hostnames); -in - { - core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" { - source = source "core-services-01"; - target = "root@core01.internal.rz.ens.wtf"; - }; - } // mkTestsConfig [ "core-services-01" "remote-builder-01" ] + }; + mkTestsConfig = hostnames: builtins.listToAttrs (map mkTestConfig hostnames); +in { + core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" { + source = source "core-services-01"; + target = "root@core01.internal.rz.ens.wtf"; + }; +} // mkTestsConfig [ "core-services-01" "remote-builder-01" ] -- 2.49.0 From 7c0c0a5cd9fb37f1082e7fcfbcc35efcee71df70 Mon Sep 17 00:00:00 2001 From: Gabriel DORIATH DOHLER Date: Wed, 28 Jul 2021 23:42:39 +0200 Subject: [PATCH 005/149] Fix another error --- .drone.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.drone.yml b/.drone.yml index fda39a8..5bb8ea0 100644 --- a/.drone.yml +++ b/.drone.yml @@ -18,6 +18,6 @@ steps: - name: Build remote-builder-01 configuration commands: - "export NIX_PATH=nixpkgs=/var/nixpkgs" - - "echo Building remote-builder-01 && nix-build krops.nix -A remote-builder-01 && ./result" + - "echo Building remote-builder-01 && nix-build krops.nix -A test-remote-builder-01 && ./result" ... -- 2.49.0 From 821b1cdc31b1e6aff8f15209c291b00dc17675b1 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 28 Jul 2021 23:55:23 +0200 Subject: [PATCH 006/149] dns: add nix01.builders.rz.ens.wtf --- machines/core-services-01/dns.nix | 2 +- machines/core-services-01/subZone.nix | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/machines/core-services-01/dns.nix b/machines/core-services-01/dns.nix index 2161481..6473038 100644 --- a/machines/core-services-01/dns.nix +++ b/machines/core-services-01/dns.nix 
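Review bot: `krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; };` on the first line of the rewritten krops.nix fetches the deployment tool from the remote's default branch with no `rev`, whereas nixpkgs a few lines below is pinned to a commit; whatever that server serves at evaluation time becomes the code that performs the deploy against the `root@…` targets. Pinning it, `krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; rev = "<KROPS_COMMIT>"; };` (placeholder, fill in the reviewed commit), makes evaluation reproducible and turns an upstream change into a deliberate bump. The same line lands again in the squashed PATCH 007.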
@@ -21,7 +21,7 @@ in
 interfaces = my.ipv6.standard;
 zones = {
 ${my.subZone} = {
- data = dns.lib.toString my.subZone (import ./subZone.nix { inherit dns config; });
+ data = dns.lib.toString my.subZone (import ./subZone.nix { inherit dns config lib; });
 };
 };
 };
diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix
index 306dc68..83e143c 100644
--- a/machines/core-services-01/subZone.nix
+++ b/machines/core-services-01/subZone.nix
@@ -1,10 +1,14 @@
-{ config, dns, ... }:
+{ config, lib, dns, ... }:
 with dns.lib.combinators;
 let
 my = config.my;
 delegateACMEDNSChallenge = acme: { _acme-challenge.CNAME = [ acme ]; };
+
+ remoteBuilders = {
+ nix01 = [ "2001:470:1f13:187:1e07:c670:3958:f8f1" ];
+ };
 in
 with my.ipv6; # contains { standard, acme }
 {
@@ -31,6 +35,8 @@ with my.ipv6; # contains { standard, acme }
 push.AAAA = standard;
 ns1.AAAA = standard;
+ builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders;
+
 # Délégation de sous zone à he.gdd pour la certification HE.
 gdd.subdomains.he = {
 NS = [ "ns1.he.gdd.${my.subZone}." ];
-- 
2.49.0
From dee54e706d1eb9feda1e7d2f3a212b0c01952b28 Mon Sep 17 00:00:00 2001
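Review bot: The zone gains a `builders` subdomain in the second subZone.nix hunk, but the SOA `serial` (still `2021072400` until PATCH 017 later in this series) is not bumped, so any secondary that already holds the zone will not transfer the new records. Every later edit to subZone.nix in the series (PATCH 010, 011, 012, 015 and 016) has the same gap; bumping the serial in the same commit as the records keeps the published zone in step with the config. A minor style point: the lambda in `lib.mapAttrs (n: AAAA: { inherit AAAA; })` never uses `n`, so `(_: AAAA: { inherit AAAA; })` would read clearer.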
From: gdd Date: Wed, 28 Jul 2021 23:55:34 +0200 Subject: [PATCH 007/149] Add remote-builder-01 (#2) Initial configuration of remote-builder-01. Co-authored-by: Gabriel DORIATH DOHLER Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/2 Co-authored-by: gdd Co-committed-by: gdd --- .drone.yml | 4 + README.md | 1 + krops.nix | 38 ++++----- machines/remote-builder-01/configuration.nix | 84 +++++++++++++++++++ .../hardware-configuration.nix | 35 ++++++++ machines/remote-builder-01/programs.nix | 24 ++++++ machines/remote-builder-01/pubkeys/gdd.keys | 2 + .../pubkeys/hackens-milieu.keys | 1 + machines/remote-builder-01/pubkeys/raito.keys | 4 + machines/remote-builder-01/system.nix | 28 +++++++ machines/remote-builder-01/vim.nix | 31 +++++++ 11 files changed, 232 insertions(+), 20 deletions(-) create mode 100644 machines/remote-builder-01/configuration.nix create mode 100644 machines/remote-builder-01/hardware-configuration.nix create mode 100644 machines/remote-builder-01/programs.nix create mode 100644 machines/remote-builder-01/pubkeys/gdd.keys create mode 100644 machines/remote-builder-01/pubkeys/hackens-milieu.keys create mode 100644 machines/remote-builder-01/pubkeys/raito.keys create mode 100644 machines/remote-builder-01/system.nix create mode 100644 machines/remote-builder-01/vim.nix diff --git a/.drone.yml b/.drone.yml index 5feb66e..5bb8ea0 100644 --- a/.drone.yml +++ b/.drone.yml @@ -15,5 +15,9 @@ steps: commands: - "export NIX_PATH=nixpkgs=/var/nixpkgs" - "echo Building core-services-01 && nix-build krops.nix -A test-core-services-01 && ./result" +- name: Build remote-builder-01 configuration + commands: + - "export NIX_PATH=nixpkgs=/var/nixpkgs" + - "echo Building remote-builder-01 && nix-build krops.nix -A test-remote-builder-01 && ./result" ... diff --git a/README.md b/README.md index d608944..0a227f8 100644 --- a/README.md +++ b/README.md 
@@ -5,6 +5,7 @@ Refer to wiki for details. - `core-services-01` +- `remote-builder-01` ## How to deploy a machine? diff --git a/krops.nix b/krops.nix index 17ba000..9b5373f 100644 --- a/krops.nix +++ b/krops.nix @@ -1,34 +1,32 @@ let - krops = builtins.fetchGit { - url = "https://cgit.krebsco.de/krops/"; - }; + krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; }; lib = import "${krops}/lib"; - pkgs = import "${krops}/pkgs" {}; - source = machine: lib.evalSource [ - { + pkgs = import "${krops}/pkgs" { }; + source = machine: + lib.evalSource [{ config.file = toString ./machines; nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; ref = "973910f5c31b9ba6c171c33a8bd7199990b14c72"; # nixos-21.05 - url = https://github.com/NixOS/nixpkgs; + url = "https://github.com/NixOS/nixpkgs"; }; - } - ]; -in - { - core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" { - source = source "core-services-01"; - target = "root@core01.internal.rz.ens.wtf"; - }; - - test-core-services-01 = pkgs.krops.writeTest "test-core-services-01" { - source = source "core-services-01"; + }]; + mkTestConfig = hostname: { + name = "test-${hostname}"; + value = pkgs.krops.writeTest "test-${hostname}" { + source = source hostname; target = lib.mkTarget { host = "localhost"; path = "/tmp/src"; }; force = true; # force create the sentinel file. }; - - } + }; + mkTestsConfig = hostnames: builtins.listToAttrs (map mkTestConfig hostnames); +in { + core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" { + source = source "core-services-01"; + target = "root@core01.internal.rz.ens.wtf"; + }; +} // mkTestsConfig [ "core-services-01" "remote-builder-01" ] diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix new file mode 100644 index 0000000..199ae19 --- /dev/null +++ b/machines/remote-builder-01/configuration.nix 
@@ -0,0 +1,84 @@ +{ config, pkgs, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ./programs.nix + ./system.nix + # TODO monitoring + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + boot.initrd.supportedFilesystems = [ "zfs" ]; + boot.supportedFilesystems = [ "zfs" ]; + + networking.hostName = "remote-builder-01"; + networking.hostId = "11894198"; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.ens18.useDHCP = true; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + wget + ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + programs.mtr.enable = true; + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + # List services that you want to enable: + + services.zfs.autoScrub.enable = true; + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ./pubkeys/gdd.keys + ./pubkeys/raito.keys + ./pubkeys/hackens-milieu.keys + ]; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. 
+ networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "21.05"; # Did you read the comment? + +} + diff --git a/machines/remote-builder-01/hardware-configuration.nix b/machines/remote-builder-01/hardware-configuration.nix new file mode 100644 index 0000000..f80b2c7 --- /dev/null +++ b/machines/remote-builder-01/hardware-configuration.nix @@ -0,0 +1,35 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "rpool/root/nixos"; + fsType = "zfs"; + }; + + fileSystems."/home" = + { device = "rpool/home"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/3341-A3B9"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/1f624fe3-1fc5-44f4-9529-812558ffba42"; } + ]; + +} diff --git a/machines/remote-builder-01/programs.nix b/machines/remote-builder-01/programs.nix new file mode 100644 index 0000000..e7e4afc --- /dev/null +++ b/machines/remote-builder-01/programs.nix 
@@ -0,0 +1,24 @@ +{ pkgs, ... }: +let pkgsList = with pkgs; [ + nix-prefetch-git + dnsutils + + unzip + zip + ripgrep + + niv + nixfmt + ]; +in +{ + imports = [ + ./vim.nix + ]; + programs = { + tmux.enable = true; + mosh.enable = true; + }; + + environment.systemPackages = pkgsList; +} diff --git a/machines/remote-builder-01/pubkeys/gdd.keys b/machines/remote-builder-01/pubkeys/gdd.keys new file mode 100644 index 0000000..b5d4e40 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/gdd.keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ diff --git a/machines/remote-builder-01/pubkeys/hackens-milieu.keys b/machines/remote-builder-01/pubkeys/hackens-milieu.keys new file mode 100644 index 0000000..c79c039 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/hackens-milieu.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3+w4+nyJG8lr2mh0S9Zf8j2/6H5smlO87s6KNLlhkF hackens@hackens-milieu diff --git a/machines/remote-builder-01/pubkeys/raito.keys b/machines/remote-builder-01/pubkeys/raito.keys new file mode 100644 index 0000000..0f48a59 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/raito.keys @@ -0,0 +1,4 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr 
diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix new file mode 100644 index 0000000..f2c68d1 --- /dev/null +++ b/machines/remote-builder-01/system.nix @@ -0,0 +1,28 @@ +{ pkgs, ... }: +{ + # # Auto upgrades + # system.autoUpgrade = { + # enable = false; # TODO(Ryan): do not enable, it will break deployments. + # allowReboot = false; + # }; + + # Auto GC and store optimizations + nix = { + trustedUsers = [ "root" "gab" ]; + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 90d"; + }; + optimise.automatic = true; + extraOptions = '' + min-free = ${toString (100 * 1024 * 1024)} + max-free = ${toString (1024 * 1024 * 1024)} + ''; + }; + + services.locate = { + enable = true; + interval = "04:05"; + }; +} diff --git a/machines/remote-builder-01/vim.nix b/machines/remote-builder-01/vim.nix new file mode 100644 index 0000000..bed8752 --- /dev/null +++ b/machines/remote-builder-01/vim.nix @@ -0,0 +1,31 @@ +{ pkgs, ... }: +{ + environment.variables = { EDITOR = "vim"; }; + + environment.systemPackages = with pkgs; [ + nixfmt + git + (neovim.override { + vimAlias = true; + configure = { + packages.myPlugins = with pkgs.vimPlugins; { + start = [ vim-lastplace vim-nix ]; + opt = []; + }; + customRC = '' + set encoding=utf-8 + set wildmenu + + set nocompatible + set backspace=indent,eol,start + set cursorline + hi CursorLine term=bold cterm=bold ctermbg=darkgrey + set number + set relativenumber + set tabstop=4 + set expandtab + ''; + }; + } + )]; +} -- 2.49.0 From 2a33516e543f5babdf2a22c3e421c092ea901dce Mon Sep 17 00:00:00 2001 
From: Raito Bezarius
Date: Thu, 29 Jul 2021 00:08:48 +0200
Subject: [PATCH 008/149] deploy: add remote-builder-01 and my remote builder SSH key
---
 krops.nix | 12 +++++++-----
 machines/remote-builder-01/configuration.nix | 1 +
 .../remote-builder-01/pubkeys/remote-builders.keys | 1 +
 3 files changed, 9 insertions(+), 5 deletions(-)
 create mode 100644 machines/remote-builder-01/pubkeys/remote-builders.keys
diff --git a/krops.nix b/krops.nix
index 9b5373f..8983a34 100644
--- a/krops.nix
+++ b/krops.nix
@@ -24,9 +24,11 @@ let
 };
 };
 mkTestsConfig = hostnames: builtins.listToAttrs (map mkTestConfig hostnames);
-in {
- core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" {
- source = source "core-services-01";
- target = "root@core01.internal.rz.ens.wtf";
+ mkDeploy = hostname: target: { ${hostname} = pkgs.krops.writeDeploy "deploy-${hostname}" {
+ source = source hostname;
+ inherit target;
 };
-} // mkTestsConfig [ "core-services-01" "remote-builder-01" ]
+in {}
+// mkDeploy "core-services-01" "root@core01.internal.rz.ens.wtf"
+// mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf"
+// mkTestsConfig [ "core-services-01" "remote-builder-01" ]
diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix
index 199ae19..79a6a28 100644
--- a/machines/remote-builder-01/configuration.nix
+++ b/machines/remote-builder-01/configuration.nix
@@ -64,6 +64,7 @@
 ./pubkeys/gdd.keys
 ./pubkeys/raito.keys
 ./pubkeys/hackens-milieu.keys
+ ./pubkeys/remote-builders.keys
 ];
 # Open ports in the firewall.
diff --git a/machines/remote-builder-01/pubkeys/remote-builders.keys b/machines/remote-builder-01/pubkeys/remote-builders.keys
new file mode 100644
index 0000000..b1b7645
--- /dev/null
+++ b/machines/remote-builder-01/pubkeys/remote-builders.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ Raito's remote builder key
-- 
2.49.0
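Review bot: The new `remote-builders.keys` file is appended to `users.users.root.openssh.authorizedKeys.keyFiles` in the configuration.nix hunk, so the key used for remote builds logs in as root although building only needs an account that can reach the Nix daemon. A dedicated build user (listed in `nix.trustedUsers` if unsigned store paths have to be pushed to the builder) limits what a leaked build key can do, and the key line can additionally carry authorized_keys options such as `restrict`, since as far as I know the builder protocol needs neither a pty nor forwarding. The enclosing `keyFiles` list starts outside the hunk.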
From e23f00d8db52defcd0f8f71176c482f2373a7b7e Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Thu, 29 Jul 2021 00:09:32 +0200
Subject: [PATCH 009/149] fix syntax error
---
 krops.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/krops.nix b/krops.nix
index 8983a34..c17fe78 100644
--- a/krops.nix
+++ b/krops.nix
@@ -27,7 +27,7 @@ let
 mkDeploy = hostname: target: { ${hostname} = pkgs.krops.writeDeploy "deploy-${hostname}" {
 source = source hostname;
 inherit target;
- };
+ }; };
 in {}
 // mkDeploy "core-services-01" "root@core01.internal.rz.ens.wtf"
 // mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf"
-- 
2.49.0
From 3fc1c9da86aa11483abb08ae805446a9eace821f Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Wed, 4 Aug 2021 15:59:02 +0200
Subject: [PATCH 010/149] core-services-01: add backup repository for VyOS
---
 machines/core-services-01/backups.nix | 8 ++++++++
 machines/core-services-01/configuration.nix | 1 +
 machines/core-services-01/subZone.nix | 11 ++++++++---
 3 files changed, 17 insertions(+), 3 deletions(-)
 create mode 100644 machines/core-services-01/backups.nix
diff --git a/machines/core-services-01/backups.nix b/machines/core-services-01/backups.nix
new file mode 100644
index 0000000..5ed318d
--- /dev/null
+++ b/machines/core-services-01/backups.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ users.users.backup = {
+ isNormalUser = true;
+ hashedPassword = "$6$5C4F4cz5pWpW0$oYVATIrYMTR8oAR3lWTv1/4agerPcKYJEAPMKyof2oZWMOYST.n8aQKzpFFEwsIybwSa5RJg.mL7fon6RaiSD/";
+ home = "/var/lib/backup";
+ };
+}
diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix
index 68de60d..466c48a 100644
--- a/machines/core-services-01/configuration.nix
+++ b/machines/core-services-01/configuration.nix
@@ -18,6 +18,7 @@
 ./nginx.nix
 ./keycloak.nix
 ./acme-dns.nix
+ ./backups.nix
 ./secrets # TODO push to gitea
 # TODO ./gotify.nix
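Review bot: backups.nix commits a crypt hash in `hashedPassword = "$6$…"` for an account with `isNormalUser = true`, so anyone with read access to this repository or its history can run offline guesses against it, and because the account has a login shell the password is usable over sshd wherever password authentication is accepted. For a backup drop target the password is not needed at all: authenticate the VyOS push with a key, `openssh.authorizedKeys.keys = [ "<VYOS_BACKUP_PUBKEY>" ];` (placeholder), and delete the `hashedPassword` line, or, if a password is genuinely required, point `passwordFile` at a secret kept outside the repository. Treat the committed hash as exposed and rotate it either way. I cannot see core-services-01's sshd settings from this hunk, so whether password logins are accepted there is inferred, not verified.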
diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix
index 83e143c..a768f26 100644
--- a/machines/core-services-01/subZone.nix
+++ b/machines/core-services-01/subZone.nix
@@ -49,15 +49,20 @@ with my.ipv6; # contains { standard, acme }
 };
 internal.subdomains = {
- core01 = {
- A = [ "10.1.1.20" ];
- };
+ # Routers
+ router01.A = [ "10.1.1.1" ];
+ router02.A = [ "10.1.1.2" ];
+
+ # Hypervisors
 pve01 = {
 A = [ "10.1.1.10" ];
 subdomains = { idrac.A = [ "10.1.2.20" ]; } // delegateACMEDNSChallenge "7c663a49-151c-4eea-a34f-725ff9f19d41.acme.rz.ens.wtf.";
 };
+
+ # Core machines
+ core01.A = [ "10.1.1.20" ];
 };
 };
 }
-- 
2.49.0
From aab45dbc6d952bc3ca9379723a24df95b83153f8 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Wed, 4 Aug 2021 15:59:21 +0200
Subject: [PATCH 011/149] dns: add backup.gdd.rz.ens.wtf
---
 machines/core-services-01/subZone.nix | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix
index a768f26..f4a6ddf 100644
--- a/machines/core-services-01/subZone.nix
+++ b/machines/core-services-01/subZone.nix
@@ -37,17 +37,14 @@ with my.ipv6; # contains { standard, acme }
 builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders;
- # Délégation de sous zone à he.gdd pour la certification HE.
- gdd.subdomains.he = {
- NS = [ "ns1.he.gdd.${my.subZone}." ];
- subdomains.ns1.AAAA = [ "2001:470:1f13:187:b80d:21ff:fe43:f1a5" ];
- };
+ gdd.subdomains.backup.AAAA = [ "2001:470:1f13:187:475:9fc1:1e84:4055" "2001:470:1f13:187:e8a5:fbff:fe29:42f5" ];
 acme = {
 NS = [ "acme.${my.subZone}." ];
 AAAA = [ acme ];
 };
+
 internal.subdomains = {
 # Routers
 router01.A = [ "10.1.1.1" ];
-- 
2.49.0
From eaa209eb7bd716c090f12684276446553e5868bf Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Wed, 20 Oct 2021 23:52:58 +0200
Subject: [PATCH 012/149] core-services(dns): append 2001:470:1f13:187:350a:214a:639c:b97b backup.gdd.rz.ens.wtf AAAA
---
 machines/core-services-01/subZone.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix
index f4a6ddf..9701a13 100644
--- a/machines/core-services-01/subZone.nix
+++ b/machines/core-services-01/subZone.nix
@@ -37,7 +37,7 @@ with my.ipv6; # contains { standard, acme }
 builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders;
- gdd.subdomains.backup.AAAA = [ "2001:470:1f13:187:475:9fc1:1e84:4055" "2001:470:1f13:187:e8a5:fbff:fe29:42f5" ];
+ gdd.subdomains.backup.AAAA = [ "2001:470:1f13:187:475:9fc1:1e84:4055" "2001:470:1f13:187:e8a5:fbff:fe29:42f5" "2001:470:1f13:187:350a:214a:639c:b97b" ];
 acme = {
 NS = [ "acme.${my.subZone}." ];
-- 
2.49.0
From 82ccb56fe564d4894ef928bd3dab191fd40001ba Mon Sep 17 00:00:00 2001
From: Gabriel DORIATH DOHLER
Date: Fri, 5 Nov 2021 23:59:59 +0000
Subject: [PATCH 013/149] remove hackens keys from core-services and remote-builder
---
 machines/core-services-01/configuration.nix | 1 -
 machines/remote-builder-01/configuration.nix | 1 -
 2 files changed, 2 deletions(-)
diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix
index 466c48a..a09eec0 100644
--- a/machines/core-services-01/configuration.nix
+++ b/machines/core-services-01/configuration.nix
@@ -74,7 +74,6 @@
 users.users.root.openssh.authorizedKeys.keyFiles = [
 ./pubkeys/gdd.keys
 ./pubkeys/raito.keys
- ./pubkeys/hackens-milieu.keys
 ];
 # Open ports in the firewall.
diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix
index 79a6a28..1c6245b 100644
--- a/machines/remote-builder-01/configuration.nix
+++ b/machines/remote-builder-01/configuration.nix
@@ -63,7 +63,6 @@ users.users.root.openssh.authorizedKeys.keyFiles = [ ./pubkeys/gdd.keys ./pubkeys/raito.keys - ./pubkeys/hackens-milieu.keys ./pubkeys/remote-builders.keys ]; -- 2.49.0 From 6adb20c64f309b1e61327eaa04920418a7fdce37 Mon Sep 17 00:00:00 2001 From: Gabriel DORIATH DOHLER Date: Fri, 5 Nov 2021 23:59:59 +0000 Subject: [PATCH 014/149] remove hackens keys from netboot server --- machines/core-services-01/netboot-server.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/machines/core-services-01/netboot-server.nix b/machines/core-services-01/netboot-server.nix index ac0bd87..5b291bf 100644 --- a/machines/core-services-01/netboot-server.nix +++ b/machines/core-services-01/netboot-server.nix @@ -15,7 +15,6 @@ let users.users.root.openssh.authorizedKeys.keyFiles = [ ./pubkeys/gdd.keys ./pubkeys/raito.keys - ./pubkeys/hackens-milieu.keys ]; programs.mosh.enable = true; -- 2.49.0 From 218419732a3d3418d7b933f77b9de6da9a6fc482 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20Doriath=20D=C3=B6hler?= Date: Thu, 11 Nov 2021 23:59:59 +0000 Subject: [PATCH 015/149] remove incorrect ip adresses for the gdd subdomain --- machines/core-services-01/subZone.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 9701a13..6bcf11d 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -37,7 +37,7 @@ with my.ipv6; # contains { standard, acme } builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; - gdd.subdomains.backup.AAAA = [ "2001:470:1f13:187:475:9fc1:1e84:4055" "2001:470:1f13:187:e8a5:fbff:fe29:42f5" "2001:470:1f13:187:350a:214a:639c:b97b" ]; + gdd.subdomains.backup.AAAA = [ "2001:470:1f13:187:350a:214a:639c:b97b" ]; acme = { NS = [ "acme.${my.subZone}." ]; -- 2.49.0 From 95225c50558a97c9542cd599563aa230642c9eec Mon Sep 17 00:00:00 2001 
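Review bot: Dropping `./pubkeys/hackens-milieu.keys` from `users.users.root.openssh.authorizedKeys.keyFiles` only stops future deployments from installing the key; the diffstats show the key files themselves stay under `machines/*/pubkeys/`, so deleting them as well would make the revocation visible in the repository and keep the reference from being restored by copy-paste. The same removal is made in the core-services hunk on the previous line and in the netboot-server hunk of the following patch. An authorized_keys change does not close SSH sessions already established with that key, so a check of live root sessions on the three hosts after deployment would complete the revocation.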
From: gabriel-doriath-dohler Date: Thu, 11 Nov 2021 23:59:59 +0000 Subject: [PATCH 016/149] delegate the gdd subzone --- machines/core-services-01/subZone.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 6bcf11d..2533dd8 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -37,7 +37,10 @@ with my.ipv6; # contains { standard, acme } builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; - gdd.subdomains.backup.AAAA = [ "2001:470:1f13:187:350a:214a:639c:b97b" ]; + gdd = { + NS = [ "ns1.gdd.${my.subZone}." ]; + subdomains.ns1.AAAA = [ "2001:470:1f13:187:350a:214a:639c:b97b" ]; + }; acme = { NS = [ "acme.${my.subZone}." ]; -- 2.49.0 From bc935ad03713af6e9e24ccab4923ab09da575df5 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 11 Nov 2021 23:59:59 +0000 Subject: [PATCH 017/149] update dns serial --- machines/core-services-01/subZone.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 2533dd8..8937940 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -15,7 +15,7 @@ with my.ipv6; # contains { standard, acme } SOA = { nameServer = "ns1.${my.subZone}."; adminEmail = my.email; - serial = 2021072400; # Y M D Version + serial = 2021111100; # Y M D Version }; NS = [ -- 2.49.0 From 9cb53cb9db27e85a1e8e9d23b0cb975870388cf9 Mon Sep 17 00:00:00 2001 
From: gabriel-doriath-dohler Date: Fri, 12 Nov 2021 23:59:59 +0000 Subject: [PATCH 018/149] initial public-cof config --- machines/public-cof/configuration.nix | 38 +++++++++++++++++++ .../public-cof/hardware-configuration.nix | 30 +++++++++++++++ machines/public-cof/networking.nix | 19 ++++++++++ machines/public-cof/programs.nix | 27 +++++++++++++ machines/public-cof/pubkeys/gdd.keys | 2 + machines/public-cof/pubkeys/raito.keys | 4 ++ machines/public-cof/system.nix | 23 +++++++++++ machines/public-cof/vim.nix | 31 +++++++++++++++ 8 files changed, 174 insertions(+) create mode 100644 machines/public-cof/configuration.nix create mode 100644 machines/public-cof/hardware-configuration.nix create mode 100644 machines/public-cof/networking.nix create mode 100644 machines/public-cof/programs.nix create mode 100644 machines/public-cof/pubkeys/gdd.keys create mode 100644 machines/public-cof/pubkeys/raito.keys create mode 100644 machines/public-cof/system.nix create mode 100644 machines/public-cof/vim.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix new file mode 100644 index 0000000..190595f --- /dev/null +++ b/machines/public-cof/configuration.nix @@ -0,0 +1,38 @@ +{ config, pkgs, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ./programs.nix + ./system.nix + ./networking.nix + # TODO monitoring + ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + time.timeZone = "Europe/Paris"; + + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; + + programs.mtr.enable = true; + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ./pubkeys/gdd.keys + ./pubkeys/raito.keys + ]; + + system.stateVersion = "21.05"; +} 
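Review bot: `services.openssh.enable = true;` with root key files is the only access control declared for a host that later patches in this series expose publicly as beta.rz.ens.wtf, and the hunk relies on the release defaults for everything else. Unless the pinned NixOS release already does so by default, set `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "prohibit-password";` explicitly next to the `enable` line so key-only root login does not silently change with an upgrade. The same pattern appears in the other machine configurations in this series.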
diff --git a/machines/public-cof/hardware-configuration.nix b/machines/public-cof/hardware-configuration.nix new file mode 100644 index 0000000..4b57edd --- /dev/null +++ b/machines/public-cof/hardware-configuration.nix @@ -0,0 +1,30 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/9147d97d-66fe-4bde-8535-aa855ebee1a8"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/AEF2-33FE"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/bd933d58-5fa1-41c6-a4a1-9c176180f0f6"; } + ]; + +} diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix new file mode 100644 index 0000000..c7c14db --- /dev/null +++ b/machines/public-cof/networking.nix @@ -0,0 +1,19 @@ +{ ... }: +{ + networking = { + hostName = "public-cof"; + + useDHCP = false; + interfaces.ens18 = { + useDHCP = true; + ipv6.addresses = [{ + address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; + prefixLength = 64; + }]; + }; + + firewall.allowedTCPPorts = [ 22 ]; + firewall.allowedUDPPorts = [ 22 ]; + firewall.enable = true; + }; +} diff --git a/machines/public-cof/programs.nix b/machines/public-cof/programs.nix new file mode 100644 index 0000000..1f42aa6 --- /dev/null +++ b/machines/public-cof/programs.nix 
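Review bot: In networking.nix, `firewall.allowedUDPPorts = [ 22 ];` opens UDP/22, which sshd does not use (SSH is TCP only); drop that line so only `firewall.allowedTCPPorts = [ 22 ];` remains. The same TCP/UDP mix-up recurs for nginx in a later patch of this series and is corrected there, but this one is left open.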
@@ -0,0 +1,27 @@ +{ pkgs, ... }: +let pkgsList = with pkgs; [ + curl + wget + + nix-prefetch-git + dnsutils + + unzip + zip + ripgrep + + niv + nixfmt + ]; +in +{ + imports = [ + ./vim.nix + ]; + programs = { + tmux.enable = true; + mosh.enable = true; + }; + + environment.systemPackages = pkgsList; +} diff --git a/machines/public-cof/pubkeys/gdd.keys b/machines/public-cof/pubkeys/gdd.keys new file mode 100644 index 0000000..b5d4e40 --- /dev/null +++ b/machines/public-cof/pubkeys/gdd.keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ diff --git a/machines/public-cof/pubkeys/raito.keys b/machines/public-cof/pubkeys/raito.keys new file mode 100644 index 0000000..0f48a59 --- /dev/null +++ b/machines/public-cof/pubkeys/raito.keys @@ -0,0 +1,4 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr diff --git a/machines/public-cof/system.nix b/machines/public-cof/system.nix new file mode 100644 index 0000000..997dbdd --- /dev/null +++ b/machines/public-cof/system.nix 
@@ -0,0 +1,23 @@ +{ pkgs, ... }: +{ + # # Auto upgrades + # system.autoUpgrade = { + # enable = false; # TODO(Ryan): do not enable, it will break deployments. + # allowReboot = false; + # }; + + # Auto GC and store optimizations + nix = { + trustedUsers = [ "root" ]; + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 90d"; + }; + optimise.automatic = true; + extraOptions = '' + min-free = ${toString (100 * 1024 * 1024)} + max-free = ${toString (1024 * 1024 * 1024)} + ''; + }; +} diff --git a/machines/public-cof/vim.nix b/machines/public-cof/vim.nix new file mode 100644 index 0000000..bed8752 --- /dev/null +++ b/machines/public-cof/vim.nix @@ -0,0 +1,31 @@ +{ pkgs, ... }: +{ + environment.variables = { EDITOR = "vim"; }; + + environment.systemPackages = with pkgs; [ + nixfmt + git + (neovim.override { + vimAlias = true; + configure = { + packages.myPlugins = with pkgs.vimPlugins; { + start = [ vim-lastplace vim-nix ]; + opt = []; + }; + customRC = '' + set encoding=utf-8 + set wildmenu + + set nocompatible + set backspace=indent,eol,start + set cursorline + hi CursorLine term=bold cterm=bold ctermbg=darkgrey + set number + set relativenumber + set tabstop=4 + set expandtab + ''; + }; + } + )]; +} -- 2.49.0 From 9b6c56baadcc9da1d851b1a6c9eada3014716a46 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Fri, 12 Nov 2021 23:59:59 +0000 Subject: [PATCH 019/149] add DNS records for public-cof's future services --- machines/core-services-01/subZone.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 732a106..157ad87 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -4,6 +4,7 @@ with dns.lib.combinators; let my = config.my; + public-cof-ips = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5" ]; delegateACMEDNSChallenge = acme: { _acme-challenge.CNAME = [ acme ]; }; remoteBuilders = { 
@@ -15,7 +16,7 @@ with my.ipv6; # contains { standard, acme } SOA = { nameServer = "ns1.${my.subZone}."; adminEmail = my.email; - serial = 2021111100; # Y M D Version + serial = 2021111200; # Y M D Version }; NS = [ @@ -48,6 +49,12 @@ with my.ipv6; # contains { standard, acme } AAAA = [ acme ]; }; + beta.subdomains = { + nuage.AAAA = public-cof-ips; + minecraft.AAAA = public-cof-ips; + factorio.AAAA = public-cof-ips; + home.AAAA = public-cof-ips; + }; internal.subdomains = { # Routers -- 2.49.0 From 394ca11d2917d28b779c9d8f754c16bb552c5d56 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Fri, 12 Nov 2021 23:59:59 +0000 Subject: [PATCH 020/149] auto deploy public-cof --- krops.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index c17fe78..ba8745b 100644 --- a/krops.nix +++ b/krops.nix @@ -31,4 +31,5 @@ let in {} // mkDeploy "core-services-01" "root@core01.internal.rz.ens.wtf" // mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" -// mkTestsConfig [ "core-services-01" "remote-builder-01" ] +// mkDeploy "public-cof" "root@nix01.builders.rz.ens.wtf" +// mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] -- 2.49.0 From 20147f145b0305f305766dc4bade857c43a8a216 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Fri, 12 Nov 2021 23:59:59 +0000 Subject: [PATCH 021/149] add AAAA for gdd.rz.ens.wtf --- machines/core-services-01/subZone.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 8937940..732a106 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -40,6 +40,7 @@ with my.ipv6; # contains { standard, acme } gdd = { NS = [ "ns1.gdd.${my.subZone}." ]; subdomains.ns1.AAAA = [ "2001:470:1f13:187:350a:214a:639c:b97b" ]; + AAAA = [ "2001:470:1f13:187:350a:214a:639c:b97b" ]; }; acme = { -- 2.49.0 
From 1309a9a91ef51e1507d87a911d62e2f4080e39b5 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 13 Nov 2021 01:48:32 +0100 Subject: [PATCH 022/149] add nextcloud to plublic-cof --- machines/public-cof/acme.nix | 5 +++ machines/public-cof/configuration.nix | 2 + machines/public-cof/nextcloud.nix | 57 +++++++++++++++++++++++++++ 3 files changed, 64 insertions(+) create mode 100644 machines/public-cof/acme.nix create mode 100644 machines/public-cof/nextcloud.nix diff --git a/machines/public-cof/acme.nix b/machines/public-cof/acme.nix new file mode 100644 index 0000000..3911368 --- /dev/null +++ b/machines/public-cof/acme.nix @@ -0,0 +1,5 @@ +{ ... }: +{ + security.acme.acceptTerms = true; + security.acme.email = "club-reseau@lists.ens.psl.eu"; +} diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 190595f..1556fd3 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -6,7 +6,9 @@ ./hardware-configuration.nix ./programs.nix ./system.nix + ./acme.nix ./networking.nix + ./nextcloud.nix # TODO monitoring ]; diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix new file mode 100644 index 0000000..4900acd --- /dev/null +++ b/machines/public-cof/nextcloud.nix 
@@ -0,0 +1,57 @@ +{ ... }: +{ + services.nextcloud = { + enable = true; + hostName = "nuage.beta.rz.ens.wtf"; + https = true; + + config = { + overwriteProtocol = "https"; + + dbtype = "pgsql"; + dbhost = "/run/postgresql"; + + dbpass = "TODO"; + adminpass = "TODO"; + + defaultPhoneRegion = "FR"; + }; + }; + + services.nginx = { + enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # # Only allow PFS-enabled ciphers with AES256 + # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + virtualHosts = { + "nuage.beta.rz.ens.wtf" = { + forceSSL = true; + enableACME = true; + }; + }; + }; + + services.postgresql = { + enable = true; + + ensureDatabases = [ "nextcloud" ]; + ensureUsers = [ + { name = "nextcloud"; + ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; + } + ]; + }; + + systemd.services."nextcloud-setup" = { + requires = [ "postgresql.service" ]; + after = [ "postgresql.service" ]; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; +} -- 2.49.0 From 06e84b79b4be8c684bd568b8294baccf9b14d8b1 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 13 Nov 2021 01:52:04 +0100 Subject: [PATCH 023/149] add minecraft server to public-cof --- machines/public-cof/configuration.nix | 6 +- machines/public-cof/minecraft.nix | 84 +++++++++++++++++++++++++++ 2 files changed, 89 insertions(+), 1 deletion(-) create mode 100644 machines/public-cof/minecraft.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 1556fd3..049bd69 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { imports = 
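Review bot: `dbpass = "TODO";` and `adminpass = "TODO";` place the database and admin passwords into the generated Nextcloud config and therefore into the world-readable Nix store and the git history; assuming the pinned module still accepts these literal options, switch to the file-based variants, e.g. `adminpassFile = "/var/lib/nextcloud/adminpass";` and `dbpassFile = "/var/lib/nextcloud/dbpass";`, pointing at root-only files outside the store. The placeholder admin password is also what the first `nextcloud-setup` run will install, and `networking.firewall.allowedTCPPorts = [ 80 443 ];` in the same file exposes the instance, so the value needs to be replaced before deployment rather than after. With `dbhost = "/run/postgresql"` and `ensureUsers` the database side likely authenticates via the socket, which is worth stating in a comment so `dbpass` is not mistaken for an active credential.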
@@ -9,9 +9,13 @@ ./acme.nix ./networking.nix ./nextcloud.nix + ./minecraft.nix # TODO monitoring ]; + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ + "minecraft-server" + ]; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix new file mode 100644 index 0000000..0838a64 --- /dev/null +++ b/machines/public-cof/minecraft.nix 
@@ -0,0 +1,84 @@ +{ lib, pkgs, ... }: +let + papermc = { + ram = 4; # In GB + version = "1.17.1"; + build = 189; + sha256 = "06g2vs8z7k9bl8asjgdz9h8fkd93xam2lbrgmzgamwjp94gvfvrn"; + }; + port = 43000; + rconPort = 25575; +in +{ + # Remote administration + environment.systemPackages = [ pkgs.mcrcon ]; + + # Use papermc + nixpkgs.overlays = [ + (self: super: { + minecraft-server = super.minecraft-server.overrideAttrs (old: { + src = pkgs.fetchurl { + url = with papermc; + "https://papermc.io/api/v2/projects/paper/versions/${version}/builds/${toString build}/downloads/paper-${version}-${toString build}.jar"; + sha256 = papermc.sha256; + }; + }); + }) + ]; + + services.minecraft-server = { + enable = true; + eula = true; + declarative = true; + + jvmOpts = with papermc; + "-Xms${toString ram}G -Xmx${toString ram}G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1"; + + # To get the uuids: https://mcuuid.net/ + whitelist = { + gabriel_dr_dl = "53fced49-da51-4c82-b1d0-37168029db08"; + aimie_dodo = "d10be020-a612-47e5-b0d0-938b9a7eb58e"; + }; + + serverProperties = { + server-port = port; + difficulty = "normal"; + gamemode = "survival"; + max-players = 42; + motd = "This is a test and it will break"; + + view-distance = 7; + + # Map settings + level-seed = "9058136630944956755"; + level-name = "Public COF"; + + level-type = "default"; + spawn-animals = true; + spawn-monsters = true; + spawn-npcs = true; + generate-structures = true; + + enable-command-block = false; + + # Whitelist + white-list = true; + enforce-whitelist = true; + + # Admin + 
enable-rcon = true; + "rcon.password" = + ''yQZ>O.%]fB{'E.X=HI1/En~i-''; # TODO Warning: it is written in clear in /var/lib/... with read permissions and mcrcom will transmit it without encryption + "rcon.port" = rconPort; + admin-slot = true; + + snoop-enabled = false; + public = false; + + # enable-jmx-monitoring = true; # https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html + }; + }; + + networking.firewall.allowedTCPPorts = [ port ]; + networking.firewall.allowedUDPPorts = [ port ]; +} -- 2.49.0 From 7dd205ad907320a59d1b0e2aa24ac9c4f852e17f Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 13 Nov 2021 01:52:22 +0100 Subject: [PATCH 024/149] add factorio server to public-cof --- machines/public-cof/configuration.nix | 3 +++ machines/public-cof/factorio.nix | 14 ++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 machines/public-cof/factorio.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 049bd69..662d7f9 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -10,12 +10,15 @@ ./networking.nix ./nextcloud.nix ./minecraft.nix + ./factorio.nix # TODO monitoring ]; nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "minecraft-server" + "factorio-headless" ]; + boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; diff --git a/machines/public-cof/factorio.nix b/machines/public-cof/factorio.nix new file mode 100644 index 0000000..90630a8 --- /dev/null +++ b/machines/public-cof/factorio.nix @@ -0,0 +1,14 @@ +{ ... }: +{ + services.factorio = { + enable = true; + admins = [ ]; + username = "AGB"; + password = "Je vais voter pour le club réseau"; + description = "This is a test and it will break"; + game-name = "Factorio for AGB"; + openFirewall = true; + }; + + networking.firewall.allowedUDPPorts = [ 34197 ]; +} -- 2.49.0 
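Review bot: The `"rcon.password"` literal in `serverProperties` is committed to the repository and, through the generated server.properties, ends up in the world-readable Nix store, as the inline TODO already concedes; it should be treated as exposed and rotated, and supplied from a file outside the store rather than a literal. Until that is possible, `enable-rcon = false;` is the safer default; the firewall lines at the end only open `port`, so `rconPort` at least stays unreachable from outside the host, which is worth recording in a comment next to `rconPort = 25575;`. The hunk starts on the previous line.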
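Review bot: In factorio.nix, `password = "…"` next to `username = "AGB"` is, if I read the NixOS factorio module correctly, the factorio.com account credential (the join password is the separate `game-password` option), so an account password is committed here in clear and should be rotated; the module's `token` option or a file outside the store avoids keeping it in the repository. `openFirewall = true;` already opens the game port, so `networking.firewall.allowedUDPPorts = [ 34197 ];` duplicates it and one of the two can go.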
From 0dfcfe243e826bdc399c4133974c1cae3a52b582 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 13 Nov 2021 02:51:54 +0100 Subject: [PATCH 025/149] create nginx virtual host for home.beta.rz.ens.wtf --- machines/core-services-01/subZone.nix | 3 ++- machines/public-cof/configuration.nix | 1 + machines/public-cof/nextcloud.nix | 10 ---------- machines/public-cof/nginx.nix | 26 ++++++++++++++++++++++++++ 4 files changed, 29 insertions(+), 11 deletions(-) create mode 100644 machines/public-cof/nginx.nix diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 157ad87..fc1e5aa 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -16,7 +16,7 @@ with my.ipv6; # contains { standard, acme } SOA = { nameServer = "ns1.${my.subZone}."; adminEmail = my.email; - serial = 2021111200; # Y M D Version + serial = 2021111300; # Y M D Version }; NS = [ @@ -35,6 +35,7 @@ with my.ipv6; # contains { standard, acme } auth.AAAA = standard; push.AAAA = standard; ns1.AAAA = standard; + beta.AAAA = public-cof-ips; builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 662d7f9..4d47552 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -11,6 +11,7 @@ ./nextcloud.nix ./minecraft.nix ./factorio.nix + ./nginx.nix # TODO monitoring ]; diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 4900acd..31c15ec 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix 
@@ -19,16 +19,6 @@ }; services.nginx = { - enable = true; - - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - # # Only allow PFS-enabled ciphers with AES256 - # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - virtualHosts = { "nuage.beta.rz.ens.wtf" = { forceSSL = true; diff --git a/machines/public-cof/nginx.nix b/machines/public-cof/nginx.nix new file mode 100644 index 0000000..144d3b4 --- /dev/null +++ b/machines/public-cof/nginx.nix @@ -0,0 +1,26 @@ +{ ... }: +{ + services.nginx = { + enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # # Only allow PFS-enabled ciphers with AES256 + # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + virtualHosts = { + "home.beta.rz.ens.wtf" = { + serverAliases = [ "beta.rz.ens.wtf" ]; + forceSSL = true; + enableACME = true; + root = "/var/public-cof/home"; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedUDPPorts = [ 80 443 ]; +} -- 2.49.0 From 72b926a6ed52a3d657bc87464eb0bfe2625d1a45 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 13 Nov 2021 02:52:16 +0100 Subject: [PATCH 026/149] disable the factorio server --- machines/public-cof/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 4d47552..d823d36 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -10,7 +10,7 @@ ./networking.nix ./nextcloud.nix ./minecraft.nix - ./factorio.nix + # ./factorio.nix # TODO ./nginx.nix # TODO monitoring ]; -- 2.49.0 From dd57d05591cfdeb4dbd369819d94fb8508475988 Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 13 Nov 2021 23:35:16 +0100 Subject: [PATCH 027/149] dns: add upstream v4 proxy for {home,nuage,}.beta.rz.ens.wtf to kurisu.dual.lahfa.xyz --- machines/core-services-01/subZone.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index fc1e5aa..64a1892 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -4,6 +4,7 @@ with dns.lib.combinators; let my = config.my; + upstream-v4-proxies = [ "51.15.7.181" ]; # kurisu.dual.lahfa.xyz public-cof-ips = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5" ]; delegateACMEDNSChallenge = acme: { _acme-challenge.CNAME = [ acme ]; }; @@ -35,6 +36,7 @@ with my.ipv6; # contains { standard, acme } auth.AAAA = standard; push.AAAA = standard; ns1.AAAA = standard; + beta.A = upstream-v4-proxies; beta.AAAA = public-cof-ips; builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; @@ -51,9 +53,11 @@ with my.ipv6; # contains { standard, acme } }; beta.subdomains = { + nuage.A = upstream-v4-proxies; nuage.AAAA = public-cof-ips; minecraft.AAAA = public-cof-ips; factorio.AAAA = public-cof-ips; + home.A = upstream-v4-proxies; home.AAAA = public-cof-ips; }; -- 2.49.0 From 0dc5bd6aad2ad0dfb5dddeb2c2bd8597b1978a84 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 13 Nov 2021 23:48:21 +0100 Subject: [PATCH 028/149] add {pads,docs}.beta.rz.ens.wtf to the DNS server --- machines/core-services-01/subZone.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 64a1892..4c0d934 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix 
@@ -17,7 +17,7 @@ with my.ipv6; # contains { standard, acme } SOA = { nameServer = "ns1.${my.subZone}."; adminEmail = my.email; - serial = 2021111300; # Y M D Version + serial = 2021111301; # Y M D Version }; NS = [ @@ -59,6 +59,8 @@ with my.ipv6; # contains { standard, acme } factorio.AAAA = public-cof-ips; home.A = upstream-v4-proxies; home.AAAA = public-cof-ips; + pads.AAAA = public-cof-ips; + docs.AAAA = public-cof-ips; }; internal.subdomains = { -- 2.49.0 From 17484e5973f1ac5292a19fe130916d1a5d073f80 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 13 Nov 2021 23:49:25 +0100 Subject: [PATCH 029/149] correct typo in krops.nix --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index ba8745b..39ec306 100644 --- a/krops.nix +++ b/krops.nix @@ -31,5 +31,5 @@ let in {} // mkDeploy "core-services-01" "root@core01.internal.rz.ens.wtf" // mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" -// mkDeploy "public-cof" "root@nix01.builders.rz.ens.wtf" +// mkDeploy "public-cof" "root@beta.rz.ens.wtf" // mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] -- 2.49.0 From f8cc9879ef3614e5e8441854df5cc101c45fab73 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 13 Nov 2021 23:54:30 +0100 Subject: [PATCH 030/149] close unused UDP port --- machines/public-cof/nginx.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/machines/public-cof/nginx.nix b/machines/public-cof/nginx.nix index 144d3b4..efc35f1 100644 --- a/machines/public-cof/nginx.nix +++ b/machines/public-cof/nginx.nix @@ -22,5 +22,4 @@ }; networking.firewall.allowedTCPPorts = [ 80 443 ]; - networking.firewall.allowedUDPPorts = [ 80 443 ]; } -- 2.49.0 From ff0a6b450fc8eecf875b55586c629d8829ef86d2 Mon Sep 17 00:00:00 2001 
From: gabriel-doriath-dohler Date: Sun, 14 Nov 2021 01:28:51 +0100 Subject: [PATCH 031/149] remove space in MC level name --- machines/public-cof/minecraft.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 0838a64..6d9dc9d 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -51,7 +51,7 @@ in # Map settings level-seed = "9058136630944956755"; - level-name = "Public COF"; + level-name = "Public_COF"; level-type = "default"; spawn-animals = true; -- 2.49.0 From 10a5cef82326877ae3fe75c80af49df2cfd44c1a Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sun, 14 Nov 2021 23:56:00 +0100 Subject: [PATCH 032/149] add hedgedoc --- machines/public-cof/configuration.nix | 1 + machines/public-cof/hedgedoc.nix | 36 +++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 machines/public-cof/hedgedoc.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index d823d36..568fcd9 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -12,6 +12,7 @@ ./minecraft.nix # ./factorio.nix # TODO ./nginx.nix + ./hedgedoc.nix # TODO monitoring ]; diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix new file mode 100644 index 0000000..b60e25f --- /dev/null +++ b/machines/public-cof/hedgedoc.nix 
@@ -0,0 +1,36 @@ +{ ... }: +let + port = 3000; +in +{ + services.hedgedoc = { + enable = true; + configuration = { + protocolUseSSL = true; + # scp =; # TODO + domain = "//docs.beta.rz.ens.wtf"; + host = "localhost"; + port = port; + db = { + dialect = "sqlite"; + storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; + }; + }; + }; + + services.nginx = { + virtualHosts = { + "docs.beta.rz.ens.wtf" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://localhost:${toString port}"; + }; + }; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 433 80 ]; +} -- 2.49.0 From d0b0093ba6bbc2f02c5ff775f7f2219e70cc7e60 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sun, 14 Nov 2021 23:57:19 +0100 Subject: [PATCH 033/149] make home.beta.rz.ens.wtf the nginx default --- machines/public-cof/nginx.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/nginx.nix b/machines/public-cof/nginx.nix index efc35f1..f5c3134 100644 --- a/machines/public-cof/nginx.nix +++ b/machines/public-cof/nginx.nix @@ -14,6 +14,7 @@ virtualHosts = { "home.beta.rz.ens.wtf" = { serverAliases = [ "beta.rz.ens.wtf" ]; + default = true; forceSSL = true; enableACME = true; root = "/var/public-cof/home"; -- 2.49.0 From 71797ad07ec30f908a5d9b5158fa23730087ed22 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Nov 2021 00:09:44 +0100 Subject: [PATCH 034/149] start a cryptpad module --- machines/core-services-01/subZone.nix | 8 +- machines/public-cof/configuration.nix | 1 + machines/public-cof/cryptpad.js | 316 ++++++++++++++++++++++++++ machines/public-cof/cryptpad.nix | 190 ++++++++++++++++ 4 files changed, 514 insertions(+), 1 deletion(-) create mode 100644 machines/public-cof/cryptpad.js create mode 100644 machines/public-cof/cryptpad.nix diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 4c0d934..5c660cc 100644 --- a/machines/core-services-01/subZone.nix 
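Review bot: `networking.firewall.allowedTCPPorts = [ 433 80 ];` looks like a typo for 443: nothing in this file listens on 433, so the rule opens an unrelated port, and HTTPS only works because nginx.nix opens 80 and 443 on its own; change it to `networking.firewall.allowedTCPPorts = [ 443 80 ];` or drop the line. `domain = "//docs.beta.rz.ens.wtf"` is presumably meant to be the bare host name, since HedgeDoc derives its URL from `domain` together with `protocolUseSSL`; the leading `//` should be verified against the generated config. The `"/"` location proxies without `proxyWebsockets = true;`, which HedgeDoc's realtime editing would need — worth confirming before the service is announced.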
+++ b/machines/core-services-01/subZone.nix @@ -17,7 +17,7 @@ with my.ipv6; # contains { standard, acme } SOA = { nameServer = "ns1.${my.subZone}."; adminEmail = my.email; - serial = 2021111301; # Y M D Version + serial = 2021111400; # Y M D Version }; NS = [ @@ -60,9 +60,15 @@ with my.ipv6; # contains { standard, acme } home.A = upstream-v4-proxies; home.AAAA = public-cof-ips; pads.AAAA = public-cof-ips; + pads.subdomains = { + api.AAAA = public-cof-ips; + files.AAAA = public-cof-ips; + sandbox.AAAA = public-cof-ips; + }; docs.AAAA = public-cof-ips; }; + internal.subdomains = { # Routers router01.A = [ "10.1.1.1" ]; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 568fcd9..6f798cf 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -12,6 +12,7 @@ ./minecraft.nix # ./factorio.nix # TODO ./nginx.nix + # ./cryptpad.nix ./hedgedoc.nix # TODO monitoring ]; diff --git a/machines/public-cof/cryptpad.js b/machines/public-cof/cryptpad.js new file mode 100644 index 0000000..b08412f --- /dev/null +++ b/machines/public-cof/cryptpad.js 
@@ -0,0 +1,316 @@ +/* globals module */ + +/* DISCLAIMER: + There are two recommended methods of running a CryptPad instance: + 1. Using a standalone nodejs server without HTTPS (suitable for local development) + 2. Using NGINX to serve static assets and to handle HTTPS for API server's websocket traffic + We do not officially recommend or support Apache, Docker, Kubernetes, Traefik, or any other configuration. + Support requests for such setups should be directed to their authors. + If you're having difficulty difficulty configuring your instance + we suggest that you join the project's IRC/Matrix channel. + If you don't have any difficulty configuring your instance and you'd like to + support us for the work that went into making it pain-free we are quite happy + to accept donations via our opencollective page: https://opencollective.com/cryptpad +*/ +module.exports = { +/* CryptPad is designed to serve its content over two domains. + * Account passwords and cryptographic content is handled on the 'main' domain, + * while the user interface is loaded on a 'sandbox' domain + * which can only access information which the main domain willingly shares. + * + * In the event of an XSS vulnerability in the UI (that's bad) + * this system prevents attackers from gaining access to your account (that's good). + * + * Most problems with new instances are related to this system blocking access + * because of incorrectly configured sandboxes. If you only see a white screen + * when you try to load CryptPad, this is probably the cause. + * + * PLEASE READ THE FOLLOWING COMMENTS CAREFULLY. + * + */ + +/* httpUnsafeOrigin is the URL that clients will enter to load your instance. + * Any other URL that somehow points to your instance is supposed to be blocked. + * The default provided below assumes you are loading CryptPad from a server + * which is running on the same machine, using port 3000. 
+ * + * In a production instance this should be available ONLY over HTTPS + * using the default port for HTTPS (443) ie. https://cryptpad.fr + * In such a case this should be handled by NGINX, as documented in + * cryptpad/docs/example.nginx.conf (see the $main_domain variable) + * + */ + httpUnsafeOrigin: 'http://localhost:3000/', + +/* httpSafeOrigin is the URL that is used for the 'sandbox' described above. + * If you're testing or developing with CryptPad on your local machine then + * it is appropriate to leave this blank. The default behaviour is to serve + * the main domain over port 3000 and to serve the content over port 3001. + * + * This is not appropriate in a production environment where invasive networks + * may filter traffic going over abnormal ports. + * To correctly configure your production instance you must provide a URL + * with a different domain (a subdomain is sufficient). + * It will be used to load the UI in our 'sandbox' system. + * + * This value corresponds to the $sandbox_domain variable + * in the example nginx file. + * + * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS. + */ + // httpSafeOrigin: "https://some-other-domain.xyz", + +/* httpAddress specifies the address on which the nodejs server + * should be accessible. By default it will listen on 127.0.0.1 + * (IPv4 localhost on most systems). If you want it to listen on + * all addresses, including IPv6, set this to '::'. + * + */ + //httpAddress: '::', + +/* httpPort specifies on which port the nodejs server should listen. + * By default it will serve content over port 3000, which is suitable + * for both local development and for use with the provided nginx example, + * which will proxy websocket traffic to your node server. + * + */ + //httpPort: 3000, + +/* httpSafePort allows you to specify an alternative port from which + * the node process should serve sandboxed assets. The default value is + * that of your httpPort + 1. You probably don't need to change this. 
+ * + */ + //httpSafePort: 3001, + +/* CryptPad will launch a child process for every core available + * in order to perform CPU-intensive tasks in parallel. + * Some host environments may have a very large number of cores available + * or you may want to limit how much computing power CryptPad can take. + * If so, set 'maxWorkers' to a positive integer. + */ + // maxWorkers: 4, + + /* ===================== + * Admin + * ===================== */ + + /* + * CryptPad contains an administration panel. Its access is restricted to specific + * users using the following list. + * To give access to the admin panel to a user account, just add their user id, + * which can be found on the settings page for registered users. + * Entries should be strings separated by a comma. + */ +/* + adminKeys: [ + //"https://my.awesome.website/user/#/1/cryptpad-user1/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=", + ], +*/ + + /* CryptPad's administration panel includes a "support" tab + * wherein administrators with a secret key can view messages + * sent from users via the encrypted forms on the /support/ page + * + * To enable this functionality: + * run `node ./scripts/generate-admin-keys.js` + * save the public key in your config in the value below + * add the private key via the admin panel + * and back it up in a secure manner + * + */ + // supportMailboxPublicKey: "", + + /* We're very proud that CryptPad is available to the public as free software! + * We do, however, still need to pay our bills as we develop the platform. + * + * By default CryptPad will prompt users to consider donating to + * our OpenCollective campaign. We publish the state of our finances periodically + * so you can decide for yourself whether our expenses are reasonable. + * + * You can disable any solicitations for donations by setting 'removeDonateButton' to true, + * but we'd appreciate it if you didn't! 
+ */ + //removeDonateButton: false, + + /* CryptPad will display a point of contact for your instance on its contact page + * (/contact.html) if you provide it below. + */ + adminEmail: 'club-reseau@lists.ens.psl.eu', + + /* + * By default, CryptPad contacts one of our servers once a day. + * This check-in will also send some very basic information about your instance including its + * version and the adminEmail so we can reach you if we are aware of a serious problem. + * We will never sell it or send you marketing mail. + * + * If you want to block this check-in and remain set 'blockDailyCheck' to true. + */ + //blockDailyCheck: false, + + /* + * By default users get 50MB of storage by registering on an instance. + * You can set this value to whatever you want. + * + * hint: 50MB is 50 * 1024 * 1024 + */ + //defaultStorageLimit: 50 * 1024 * 1024, + + + /* ===================== + * STORAGE + * ===================== */ + + /* Pads that are not 'pinned' by any registered user can be set to expire + * after a configurable number of days of inactivity (default 90 days). + * The value can be changed or set to false to remove expiration. + * Expired pads can then be removed using a cron job calling the + * `evict-inactive.js` script with node + * + * defaults to 90 days if nothing is provided + */ + //inactiveTime: 90, // days + + /* CryptPad archives some data instead of deleting it outright. + * This archived data still takes up space and so you'll probably still want to + * remove these files after a brief period. + * + * cryptpad/scripts/evict-inactive.js is intended to be run daily + * from a crontab or similar scheduling service. + * + * The intent with this feature is to provide a safety net in case of accidental + * deletion. Set this value to the number of days you'd like to retain + * archived data before it's removed permanently. 
+ * + * defaults to 15 days if nothing is provided + */ + //archiveRetentionTime: 15, + + /* Max Upload Size (bytes) + * this sets the maximum size of any one file uploaded to the server. + * anything larger than this size will be rejected + * defaults to 20MB if no value is provided + */ + //maxUploadSize: 20 * 1024 * 1024, + + /* + * CryptPad allows administrators to give custom limits to their friends. + * add an entry for each friend, identified by their user id, + * which can be found on the settings page. Include a 'limit' (number of bytes), + * a 'plan' (string), and a 'note' (string). + * + * hint: 1GB is 1024 * 1024 * 1024 bytes + */ +/* + customLimits: { + "https://my.awesome.website/user/#/1/cryptpad-user1/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=": { + limit: 20 * 1024 * 1024 * 1024, + plan: 'insider', + note: 'storage space donated by my.awesome.website' + }, + "https://my.awesome.website/user/#/1/cryptpad-user2/GdflkgdlkjeworijfkldfsdflkjeEAsdlEnkbx1vVOo=": { + limit: 10 * 1024 * 1024 * 1024, + plan: 'insider', + note: 'storage space donated by my.awesome.website' + } + }, +*/ + + /* Users with premium accounts (those with a plan included in their customLimit) + * can benefit from an increased upload size limit. By default they are restricted to the same + * upload size as any other registered user. + * + */ + //premiumUploadSize: 100 * 1024 * 1024, + + /* ===================== + * DATABASE VOLUMES + * ===================== */ + + /* + * CryptPad stores each document in an individual file on your hard drive. + * Specify a directory where files should be stored. + * It will be created automatically if it does not already exist. + */ + filePath: './datastore/', + + /* CryptPad offers the ability to archive data for a configurable period + * before deleting it, allowing a means of recovering data in the event + * that it was deleted accidentally. 
+ * + * To set the location of this archive directory to a custom value, change + * the path below: + */ + archivePath: './data/archive', + + /* CryptPad allows logged in users to request that particular documents be + * stored by the server indefinitely. This is called 'pinning'. + * Pin requests are stored in a pin-store. The location of this store is + * defined here. + */ + pinPath: './data/pins', + + /* if you would like the list of scheduled tasks to be stored in + a custom location, change the path below: + */ + taskPath: './data/tasks', + + /* if you would like users' authenticated blocks to be stored in + a custom location, change the path below: + */ + blockPath: './block', + + /* CryptPad allows logged in users to upload encrypted files. Files/blobs + * are stored in a 'blob-store'. Set its location here. + */ + blobPath: './blob', + + /* CryptPad stores incomplete blobs in a 'staging' area until they are + * fully uploaded. Set its location here. + */ + blobStagingPath: './data/blobstage', + + /* CryptPad supports logging events directly to the disk in a 'logs' directory + * Set its location here, or set it to false (or nothing) if you'd rather not log + */ + logPath: './data/logs', + + /* ===================== + * Debugging + * ===================== */ + + /* CryptPad can log activity to stdout + * This may be useful for debugging + */ + logToStdout: false, + + /* CryptPad can be configured to log more or less + * the various settings are listed below by order of importance + * + * silly, verbose, debug, feedback, info, warn, error + * + * Choose the least important level of logging you wish to see. + * For example, a 'silly' logLevel will display everything, + * while 'info' will display 'info', 'warn', and 'error' logs + * + * This will affect both logging to the console and the disk. 
+ */ + logLevel: 'info', + + /* clients can use the /settings/ app to opt out of usage feedback + * which informs the server of things like how much each app is being + * used, and whether certain clientside features are supported by + * the client's browser. The intent is to provide feedback to the admin + * such that the service can be improved. Enable this with `true` + * and ignore feedback with `false` or by commenting the attribute + * + * You will need to set your logLevel to include 'feedback'. Set this + * to false if you'd like to exclude feedback from your logs. + */ + logFeedback: false, + + /* CryptPad supports verbose logging + * (false by default) + */ + verbose: false, +}; diff --git a/machines/public-cof/cryptpad.nix b/machines/public-cof/cryptpad.nix new file mode 100644 index 0000000..dc27ca9 --- /dev/null +++ b/machines/public-cof/cryptpad.nix 
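Review bot: `httpUnsafeOrigin: 'http://localhost:3000/'` is left at the development default and `httpSafeOrigin` stays commented out, although the file's own comments say a production instance must set the former to the public HTTPS URL and uncomment the latter with a distinct sandbox domain; cryptpad.nix in this commit terminates TLS for `pads.beta.rz.ens.wtf` and defines `sandbox.pads.beta.rz.ens.wtf`, so these should be `httpUnsafeOrigin: 'https://pads.beta.rz.ens.wtf/',` and `httpSafeOrigin: 'https://sandbox.pads.beta.rz.ens.wtf',`. With the safe origin blank the sandbox is served on port 3001 (per the comments above), which the nginx config does not proxy, so the UI would presumably not load through nginx and the main/sandbox origin separation the CSP depends on is not in place. The storage locations (`filePath: './datastore/'`, `archivePath`, `pinPath`, `blobPath`, `blockPath` and the other `./data/...` entries) are relative paths, so where the data lands depends on the working directory the NixOS cryptpad service runs with — confirm, or make them absolute.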
@@ -0,0 +1,190 @@ +{ ... }: +let + subZone = "beta.rz.ens.wtf"; + main_domain = "pads." + subZone; + api_domain = "api." + main_domain; + files_domain = "files." + main_domain; + sandbox_domain = "sandbox." + main_domain; +in +{ + services.cryptpad = { + enable = true; + configFile = "/etc/cryptpad/config.js"; + }; + environment.etc."cryptpad/config.js".source = ./cryptpad.js; + + services.nginx.virtualHosts = { + "docs.beta.rz.ens.wtf" = { + forceSSL = true; + enableACME = true; + extraConfig = '' + # CryptPad serves static assets over these two domains. + # `main_domain` is what users will enter in their address bar. + # Privileged computation such as key management is handled in this scope + # UI content is loaded via the `sandbox_domain`. + # "Content Security Policy" headers prevent content loaded via the sandbox + # from accessing privileged information. + # These variables must be different to take advantage of CryptPad's sandboxing techniques. + # In the event of an XSS vulnerability in CryptPad's front-end code + # this will limit the amount of information accessible to attackers. + set $main_domain ${main_domain}; + set $sandbox_domain ${sandbox_domain}; + + # CryptPad's dynamic content (websocket traffic and encrypted blobs) + # can be served over separate domains. Using dedicated domains (or subdomains) + # for these purposes allows you to move them to a separate machine at a later date + # if you find that a single machine cannot handle all of your users. + # If you don't use dedicated domains, this can be the same as $main_domain + # If you do, they'll be added as exceptions to any rules which block connections to remote domains. 
+ set $api_domain ${api_domain};
+ set $files_domain ${files_domain};
+
+
+ server_name ${main_domain} ${sandbox_domain};
+
+ # diffie-hellman parameters are used to negotiate keys for your session
+ # generate strong parameters using the following command
+ ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+ # Speeds things up a little bit when resuming a session
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:5m;
+
+ # You'll need nginx 1.13.0 or better to support TLSv1.3
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # https://cipherli.st/
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+
+ # CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
+ set $styleSrc "'unsafe-inline' 'self' ${main_domain}";
+
+ # connect-src restricts URLs which can be loaded using script interfaces
+ set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}";
+
+ # fonts can be loaded from data-URLs or the main domain
+ set $fontSrc "'self' data: ${main_domain}";
+
+ # images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
+ set $imgSrc "'self' data: * blob: ${main_domain}";
+
+ # frame-src specifies valid sources for nested browsing contexts.
+ # this prevents loading any iframes from anywhere other than the sandbox domain
+ set $frameSrc "'self' ${sandbox_domain} blob:";
+
+ # specifies valid sources for loading media using video or audio
+ set $mediaSrc "'self' data: * blob: ${main_domain}";
+
+ # defines valid sources for webworkers and nested browser contexts
+ # deprecated in favour of worker-src and frame-src
+ set $childSrc "https://${main_domain}";
+
+ # specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
+ # supercedes child-src but is unfortunately not yet universally supported.
+ set $workerSrc "https://${main_domain}";
+
+ # script-src specifies valid sources for javascript, including inline handlers
+ set $scriptSrc "'self' resource: ${main_domain}";
+
+ set $unsafe 0;
+ # the following assets are loaded via the sandbox domain
+ # they unfortunately still require exceptions to the sandboxing to work correctly.
+ if ($uri = "/pad/inner.html") { set $unsafe 1; }
+ if ($uri = "/sheet/inner.html") { set $unsafe 1; }
+ if ($uri ~ ^\/common\/onlyoffice\/.*\/index\.html.*$) { set $unsafe 1; }
+
+ # everything except the sandbox domain is a privileged scope, as they might be used to handle keys
+ if ($host != $sandbox_domain) { set $unsafe 0; }
+
+ # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
+ if ($unsafe) {
+ set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: ${main_domain}";
+ }
+
+ # The nodejs process can handle all traffic whether accessed over websocket or as static assets
+ # We prefer to serve static content from nginx directly and to leave the API server to handle
+ # the dynamic content that only it can manage. This is primarily an optimization
+ location ^~ /cryptpad_websocket {
+ proxy_pass http://localhost:3000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # WebSocket support (nginx 1.4)
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection upgrade;
+ }
+
+ location ^~ /customize.dist/ {
+ # This is needed in order to prevent infinite recursion between /customize/ and the root
+ }
+ # try to load customizeable content via /customize/ and fall back to the default content
+ # located at /customize.dist/
+ # This is what allows you to override behaviour.
+ location ^~ /customize/ {
+ rewrite ^/customize/(.*)$ $1 break;
+ try_files /customize/$uri /customize.dist/$uri;
+ }
+
+ # /api/config is loaded once per page load and is used to retrieve
+ # the caching variable which is applied to every other resource
+ # which is loaded during that session.
+ location = /api/config {
+ proxy_pass http://localhost:3000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ # encrypted blobs are immutable and are thus cached for a year
+ location ^~ /blob/ {
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'application/octet-stream; charset=utf-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ add_header Cache-Control max-age=31536000;
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+ add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+ try_files $uri =404;
+ }
+
+ # the "block-store" serves encrypted payloads containing users' drive keys
+ # these payloads are unlocked via login credentials. They are mutable
+ # and are thus never cached. They're small enough that it doesn't matter, in any case.
+ location ^~ /block/ { + add_header Cache-Control max-age=0; + try_files $uri =404; + } + + # This block provides an alternative means of loading content + # otherwise only served via websocket. This is solely for debugging purposes, + # and is thus not allowed by default. + #location ^~ /datastore/ { + #add_header Cache-Control max-age=0; + #try_files $uri =404; + #} + + # The nodejs server has some built-in forwarding rules to prevent + # URLs like /pad from resulting in a 404. This simply adds a trailing slash + # to a variety of applications. + location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams)$ { + rewrite ^(.*)$ $1/ redirect; + } + + # Finally, serve anything the above exceptions don't govern. + try_files /www/$uri /www/$uri/index.html /customize/$uri; + ''; + }; + }; + + networking.firewall.allowedTCPPorts = [ 433 80 ]; +} -- 2.49.0 From ea6b47e4bd5a0aafb0c6f392ac20d7bd04f7a715 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Nov 2021 00:16:01 +0100 Subject: [PATCH 035/149] add mrf keys --- machines/public-cof/configuration.nix | 1 + machines/public-cof/pubkeys/mrf.keys | 1 + 2 files changed, 2 insertions(+) create mode 100644 machines/public-cof/pubkeys/mrf.keys diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 6f798cf..16bae00 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -44,6 +44,7 @@ users.users.root.openssh.authorizedKeys.keyFiles = [ ./pubkeys/gdd.keys ./pubkeys/raito.keys + ./pubkeys/mrf.keys ]; system.stateVersion = "21.05"; diff --git a/machines/public-cof/pubkeys/mrf.keys b/machines/public-cof/pubkeys/mrf.keys new file mode 100644 index 0000000..ebbfa68 --- /dev/null +++ b/machines/public-cof/pubkeys/mrf.keys 
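Review bot: The `$styleSrc` … `$scriptSrc` variables (and the `$unsafe` switch that relaxes `$scriptSrc`) are computed but never emitted, so the Content-Security-Policy that the comments at the top of `extraConfig` rely on to isolate the sandbox domain is not actually sent; after the `if ($unsafe) { … }` block add `add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc";` (note that locations with their own `add_header`, such as `/blob/`, will not inherit it). The virtual host is keyed `"docs.beta.rz.ens.wtf"` — the same key hedgedoc.nix uses — while its body sets `server_name ${main_domain} ${sandbox_domain}`, so the two modules would be merged into one server block; keying it `"${main_domain}" = { serverAliases = [ sandbox_domain ]; … }` and dropping the manual `server_name` keeps the hosts distinct and lets ACME cover both names. `ssl_dhparam /etc/nginx/dhparam.pem` points at a file nothing in this series provisions, so nginx would presumably refuse to start until it exists (`services.nginx.sslDhparam` is the module-level way to supply one). `api_domain` and `files_domain` receive AAAA records in the subZone.nix hunk of this commit but no server block here answers for them, so requests to those names would presumably fall through to whichever vhost is the default.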
@@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe4tx0+lNX2w7kG94c9u7U0wHuOc2A6zpHcbyAs+w/d -- 2.49.0 From bb89a44d872623af8ed30a5cd2509ab6f2423954 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Nov 2021 00:19:27 +0100 Subject: [PATCH 036/149] add RaitoMezarius to the MC whitlist --- machines/public-cof/minecraft.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 6d9dc9d..7c0ce05 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -38,6 +38,7 @@ in whitelist = { gabriel_dr_dl = "53fced49-da51-4c82-b1d0-37168029db08"; aimie_dodo = "d10be020-a612-47e5-b0d0-938b9a7eb58e"; + RaitoMezarius = "a400686e-0f62-43d5-b5c6-4295babcc008"; }; serverProperties = { -- 2.49.0 From f5eafee41191a2c5042ff638a247553afd821b3f Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 15 Nov 2021 00:11:19 +0100 Subject: [PATCH 037/149] public-cof: secure nextcloud using agenix --- machines/public-cof/nextcloud.nix | 6 ++--- machines/public-cof/secrets/default.nix | 5 ++++ .../secrets/nextcloudAdminPasswordFile.age | 24 ++++++++++++++++++ .../secrets/nextcloudDatabasePasswordFile.age | 25 +++++++++++++++++++ machines/public-cof/secrets/secrets.nix | 13 ++++++++++ 5 files changed, 70 insertions(+), 3 deletions(-) create mode 100644 machines/public-cof/secrets/default.nix create mode 100644 machines/public-cof/secrets/nextcloudAdminPasswordFile.age create mode 100644 machines/public-cof/secrets/nextcloudDatabasePasswordFile.age create mode 100644 machines/public-cof/secrets/secrets.nix diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 31c15ec..eba376b 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -1,4 +1,4 @@ -{ ... }: +{ config, ... }: { services.nextcloud = { enable = true; 
@@ -11,8 +11,8 @@ dbtype = "pgsql"; dbhost = "/run/postgresql"; - dbpass = "TODO"; - adminpass = "TODO"; + dbpassFile = config.age.secrets.nextcloudDatabasePassword.path; + adminpassFile = config.age.secrets.nextcloudAdminPassword.path; defaultPhoneRegion = "FR"; }; diff --git a/machines/public-cof/secrets/default.nix b/machines/public-cof/secrets/default.nix new file mode 100644 index 0000000..4c4e087 --- /dev/null +++ b/machines/public-cof/secrets/default.nix @@ -0,0 +1,5 @@ +{ ... }: +{ + age.secrets.nextcloudAdminPassword.file = ./nextcloudAdminPasswordFile.age; + age.secrets.nextcloudDatabasePassword.file = ./nextcloudDatabasePasswordFile.age; +} diff --git a/machines/public-cof/secrets/nextcloudAdminPasswordFile.age b/machines/public-cof/secrets/nextcloudAdminPasswordFile.age new file mode 100644 index 0000000..b09f532 --- /dev/null +++ b/machines/public-cof/secrets/nextcloudAdminPasswordFile.age 
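Review bot: `age.secrets.nextcloudAdminPassword.file` and `age.secrets.nextcloudDatabasePassword.file` are declared without an owner, so agenix will presumably decrypt them as root-only files; the nextcloud module consumes them through `adminpassFile`/`dbpassFile` (nextcloud.nix hunk in this commit), and if it reads them as the `nextcloud` user the setup step will fail on permissions. Add `age.secrets.nextcloudAdminPassword.owner = "nextcloud";` and `age.secrets.nextcloudDatabasePassword.owner = "nextcloud";`, unless the later change to this file in patch 040 already does so. The service-side recipient is pinned in secrets.nix (`public-cof` host key), which is the right scope for decryption.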
@@ -0,0 +1,24 @@ +age-encryption.org/v1 +-> ssh-ed25519 xbfJnw jGSrM/Yx0LnVlmBml7/7LwZeSL68CPiF7/97OyYnJj0 +66yS5TDLDpMXz6ggOeMyOhSDU2jSKDVoW5zvBvdN83I +-> ssh-ed25519 Wu8JLQ BH68DcAZ/Ruudd2QgREQ1I9YhC/JWOnn7dOkgoVdAgE +cJq/valbiW3xYyXxgmTMos9XQm/+SDIhd3cn32vcgxs +-> ssh-ed25519 cvTB5g qXCbgWmzetHsJTo/nnN9M/dRmYLW7HIHuaphMHXFB00 +WLVPkAJk2D4dca2+QlGFtCArLFjixypXV/P7VmJuK6g +-> ssh-ed25519 /vwQcQ 0aUZckwIHbXv/Uo3gyeAHGwEIzMQyPSh2Ks+s3QBPU8 +zt978+4EwedA6UTLurnjisjbrR/qFZf80IPcAxd3Qxw +-> ssh-ed25519 reTIKw jFGzhLb0YM5dJslCmp7bjRt5JYufGRAJzVmdjMKgdQw +Y9KIYgX2PHCU0/8h4Pn6YLqaZYzvrPUy1pmaLGzY8C4 +-> ssh-ed25519 85WiGg aZRVNM5iSL+BpZfundDVSpPs0mhFxssUA/t5POsi1AU +haYzRumOlDno9UdlcCr/GUoAOEqNrf+iPv9SpP76EYM +-> ssh-rsa krWCLQ +pbjqzOfXUuWlunTcCiwjKAqe5ZZdW+6jE86D3yuPz4PheDEFi6oYAnc0pIPoZOnh +9OkTTB6o9wPhoA5O+SOszvCFVOlS33EHwCFKFwy/lg3LwgsU6qon6YQAQfjOMf57 +yGlFDJhGfKfzoXzAlWIxpY6KQE15pkI2OAv9/1UWmFmGpw1vWOgcyJn0rbHK9Wtk +uGWOPCAsx7n/K4YukvVdB1pHtNlXyj6odMwRch3MmpKl4UlBMtB10NI2fMpqcWp1 +vgCcjsP2JX6zlTTQvu1afV2QMk2R9zfm4iZtk6lqhkFO9hGx12/1WfxFlww6YDyB +HDLu5vZddUtV7Wwm9Wa6Cw +-> H0-z{"-grease bic 5)(&;3`E _&UZCo7 hJ_x +5r9qRqyXOdPxqPPV8uCjaiJveaq0TLioCRMohcBamFx80I2EN/XDkPzeUNSkYyQ/ +--- gQnYjgiBjl7W2nLAvdfGcX8UVMr5RCFSysgp7iGWZlc +(}$11E-(S rlGb3`>K6Be邔 jɓo"{GG=F7 \ No newline at end of file diff --git a/machines/public-cof/secrets/nextcloudDatabasePasswordFile.age b/machines/public-cof/secrets/nextcloudDatabasePasswordFile.age new file mode 100644 index 0000000..1f89548 --- /dev/null +++ b/machines/public-cof/secrets/nextcloudDatabasePasswordFile.age 
@@ -0,0 +1,25 @@ +age-encryption.org/v1 +-> ssh-ed25519 xbfJnw qeyTMwQ+l90wwNiGxLCvKZ+yIzEjehcr8SIlHrHTERQ +3XTb7giFfF9l/+hDq/TlWKt/Gr1qlMxB2agi1Mzn4Bs +-> ssh-ed25519 Wu8JLQ vrqgvKp+dB2TnZrRriOvvJfqxh7vbSpTL2P+u8zORC4 +7qTNpJw8j4HpjehzoZeMUqCPDBFZRhu3bhdCVbRAUrU +-> ssh-ed25519 cvTB5g 2R6aXhN56nYrEObDuDJdhmH1kMduXUzoEg22C4QjHRA +sIRV6aTkefsy4wdJ1Ay+O/q0Y0MdTPRFKTjWGHlz5xg +-> ssh-ed25519 /vwQcQ xcSn2vFYBkYESWRZqmeWNiP0EV1zWH3SaiYG+6V8xGY +zv2yiZrBlsskeLrvco5w+QPTDRyRGQ3mjGuHFjWcfGI +-> ssh-ed25519 reTIKw Bdc7/F+nWuCQ5aqiuUPqb6mHlQCMafINyWaqVDQG5y0 +Myj64k+s/KIVOfGje3reKeRHrjGL6cE+9knBCsS+rX0 +-> ssh-ed25519 85WiGg PKpNCdpcl+aSuTx13I/Hq9annJ5FRXiONQ/4iqwyZUc +CHUHvPtA5ydOkpHfgOXtvuYMOAhM53YfXbexhW7fbJY +-> ssh-rsa krWCLQ +IhI9bg+jq5y32OaYdes7y1iBUkOAkc2dXdFP2FI0/CAthBBOGs9qyCuf39S8i4YT +pHPRniwOYUUuCjThU1zUA6cboBh13Y381mioqTF656/w8tn2ZGFRnOcOwqp9d0v4 +vPHgdyZFpmD0MUmFlw1YfTWWWMbFyhDPY6C3r4L3dftGuineY3A/+zC+Y1RuCYBw ++Kl/tbIGUBckX+Cqdt8KokPpGw3ZxkHXWx3lMlNembrPpsM44Mbz88mBiHn77Ys3 +auHE7Ff04txLiG9fGo9p3GX6nk2aCz1vT+YJB1cWZErsNSWTSRLILGLHvR37KMMv +daiVtfDwNwoGbEmpw0iVCA +-> ;LK-grease H638S/n +76dNkVvkNr1Y+O2AwEjYyUbmCog7ChnU3U54t/ZyPCAd2Q5vuGSQHe+RxtIh8fux +RvrDH2Qa7jGT0F86FTwrWK7fKQkT +--- r4tKKSFy30F9y4jQzdBB0RjCFJQmy2lFhZDr3enZjeQ +-zyl , j>8ЀԒ%>Mqo)Di0 YL̩ \ No newline at end of file diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix new file mode 100644 index 0000000..4fe0e66 --- /dev/null +++ b/machines/public-cof/secrets/secrets.nix 
@@ -0,0 +1,13 @@ +let + pkgs = import {}; + lib = pkgs.lib; + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); + superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); + public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; + systems = [ public-cof ]; +in + { + "nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems; + "nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems; + } + -- 2.49.0 From 885ba660f5cbbfc01376fc2d621c9051d3517284 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 15 Nov 2021 00:18:26 +0100 Subject: [PATCH 038/149] public-cof: get back to default port --- machines/public-cof/minecraft.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 7c0ce05..5a2f9a4 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -6,7 +6,7 @@ let build = 189; sha256 = "06g2vs8z7k9bl8asjgdz9h8fkd93xam2lbrgmzgamwjp94gvfvrn"; }; - port = 43000; + port = 25565; rconPort = 25575; in { -- 2.49.0 From 77b86de5c4ecce3a0b3977d4948474610b091764 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 15 Nov 2021 00:48:11 +0100 Subject: [PATCH 039/149] public-cof: proxy ws for hedgedoc --- machines/public-cof/hedgedoc.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index b60e25f..8a3823a 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -26,6 +26,7 @@ in locations = { "/" = { proxyPass = "http://localhost:${toString port}"; + proxyWebsockets = true; }; }; }; -- 2.49.0 From bf2ecf087464ea4240cd463f167626ee8d466a34 Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Mon, 15 Nov 2021 00:54:27 +0100 Subject: [PATCH 040/149] public-cof: add agenix modules --- machines/public-cof/configuration.nix | 2 + machines/public-cof/nix/sources.json | 32 +++++ machines/public-cof/nix/sources.nix | 174 ++++++++++++++++++++++++ machines/public-cof/nur.nix | 17 +++ machines/public-cof/secrets/default.nix | 12 +- 5 files changed, 235 insertions(+), 2 deletions(-) create mode 100644 machines/public-cof/nix/sources.json create mode 100644 machines/public-cof/nix/sources.nix create mode 100644 machines/public-cof/nur.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 16bae00..bdb86ce 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -10,10 +10,12 @@ ./networking.nix ./nextcloud.nix ./minecraft.nix + ./nur.nix # ./factorio.nix # TODO ./nginx.nix # ./cryptpad.nix ./hedgedoc.nix + ./secrets # TODO monitoring ]; diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json new file mode 100644 index 0000000..234be1c --- /dev/null +++ b/machines/public-cof/nix/sources.json 
@@ -0,0 +1,32 @@ +{ + "agenix": { + "branch": "master", + "description": "age-encrypted secrets for NixOS", + "homepage": "", + "owner": "ryantm", + "repo": "agenix", + "rev": "fb00f178b3a49a39cc964049075439b575d36d60", + "sha256": "0rb99dbwnaf8sgjbshwk1bizs51jild3zg61a5yqw3h0vcxalzrp", + "type": "tarball", + "url": "https://github.com/ryantm/agenix/archive/fb00f178b3a49a39cc964049075439b575d36d60.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "klubrz-nur": { + "branch": "main", + "repo": "https://git.rz.ens.wtf/Klub-RZ/nur", + "rev": "901e08a94819f07499ec6cfbea1e24808e19e4b6", + "type": "git" + }, + "niv": { + "branch": "master", + "description": "Easy dependency management for Nix projects", + "homepage": "https://github.com/nmattia/niv", + "owner": "nmattia", + "repo": "niv", + "rev": "e0ca65c81a2d7a4d82a189f1e23a48d59ad42070", + "sha256": "1pq9nh1d8nn3xvbdny8fafzw87mj7gsmp6pxkdl65w2g18rmcmzx", + "type": "tarball", + "url": "https://github.com/nmattia/niv/archive/e0ca65c81a2d7a4d82a189f1e23a48d59ad42070.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + } +} diff --git a/machines/public-cof/nix/sources.nix b/machines/public-cof/nix/sources.nix new file mode 100644 index 0000000..1938409 --- /dev/null +++ b/machines/public-cof/nix/sources.nix 
@@ -0,0 +1,174 @@ +# This file has been generated by Niv. + +let + + # + # The fetchers. fetch_ fetches specs of type . + # + + fetch_file = pkgs: name: spec: + let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true then + builtins_fetchurl { inherit (spec) url sha256; name = name'; } + else + pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; + + fetch_tarball = pkgs: name: spec: + let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true then + builtins_fetchTarball { name = name'; inherit (spec) url sha256; } + else + pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; + + fetch_git = name: spec: + let + ref = + if spec ? ref then spec.ref else + if spec ? branch then "refs/heads/${spec.branch}" else + if spec ? tag then "refs/tags/${spec.tag}" else + abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + in + builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; + + fetch_local = spec: spec.path; + + fetch_builtin-tarball = name: throw + ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=tarball -a builtin=true''; + + fetch_builtin-url = name: throw + ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=file -a builtin=true''; + + # + # Various helpers + # + + # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695 + sanitizeName = name: + ( + concatMapStrings (s: if builtins.isList s then "-" else s) + ( + builtins.split "[^[:alnum:]+._?=-]+" + ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name) + ) + ); + + # The set of packages used when specs are fetched using non-builtins. 
+ mkPkgs = sources: system: + let + sourcesNixpkgs = + import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; }; + hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; + hasThisAsNixpkgsPath = == ./.; + in + if builtins.hasAttr "nixpkgs" sources + then sourcesNixpkgs + else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then + import {} + else + abort + '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; + + # The actual fetching function. + fetch = pkgs: name: spec: + + if ! builtins.hasAttr "type" spec then + abort "ERROR: niv spec ${name} does not have a 'type' attribute" + else if spec.type == "file" then fetch_file pkgs name spec + else if spec.type == "tarball" then fetch_tarball pkgs name spec + else if spec.type == "git" then fetch_git name spec + else if spec.type == "local" then fetch_local spec + else if spec.type == "builtin-tarball" then fetch_builtin-tarball name + else if spec.type == "builtin-url" then fetch_builtin-url name + else + abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; + + # If the environment variable NIV_OVERRIDE_${name} is set, then use + # the path directly as opposed to the fetched source. + replace = name: drv: + let + saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; + ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; + in + if ersatz == "" then drv else + # this turns the string into an actual Nix path (for both absolute and + # relative paths) + if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. 
+ builtins.getEnv "PWD" + "/${ersatz}"; + + # Ports of functions for older nix versions + + # a Nix version of mapAttrs if the built-in doesn't exist + mapAttrs = builtins.mapAttrs or ( + f: set: with builtins; + listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)) + ); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 + range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 + stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 + stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); + concatMapStrings = f: list: concatStrings (map f list); + concatStrings = builtins.concatStringsSep ""; + + # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 + optionalAttrs = cond: as: if cond then as else {}; + + # fetchTarball version that is compatible between all the versions of Nix + builtins_fetchTarball = { url, name ? null, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchTarball; + in + if lessThan nixVersion "1.12" then + fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) + else + fetchTarball attrs; + + # fetchurl version that is compatible between all the versions of Nix + builtins_fetchurl = { url, name ? 
null, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchurl; + in + if lessThan nixVersion "1.12" then + fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) + else + fetchurl attrs; + + # Create the final "sources" from the config + mkSources = config: + mapAttrs ( + name: spec: + if builtins.hasAttr "outPath" spec + then abort + "The values in sources.json should not have an 'outPath' attribute" + else + spec // { outPath = replace name (fetch config.pkgs name spec); } + ) config.sources; + + # The "config" used by the fetchers + mkConfig = + { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null + , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile) + , system ? builtins.currentSystem + , pkgs ? mkPkgs sources system + }: rec { + # The sources, i.e. the attribute set of spec name to spec + inherit sources; + + # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers + inherit pkgs; + }; + +in +mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); } diff --git a/machines/public-cof/nur.nix b/machines/public-cof/nur.nix new file mode 100644 index 0000000..a8abe1f --- /dev/null +++ b/machines/public-cof/nur.nix @@ -0,0 +1,17 @@ +{ lib, pkgs, ... }: +let + nivSources = import ./nix/sources.nix; + #rz-src = nivSources.klubrz-nur; + #rz-no-pkgs = (import nivSources.klubrz-nur {}); +in +{ + nixpkgs.config.packageOverrides = { + # rz = import rz-src { inherit pkgs; }; + }; + + imports = [ + "${nivSources.agenix}/modules/age.nix" + ]; #++ lib.attrValues rz-no-pkgs.modules; + + nixpkgs.overlays = []; +} diff --git a/machines/public-cof/secrets/default.nix b/machines/public-cof/secrets/default.nix index 4c4e087..a7cd5ea 100644 --- a/machines/public-cof/secrets/default.nix +++ b/machines/public-cof/secrets/default.nix 
@@ -1,5 +1,13 @@ { ... }: { - age.secrets.nextcloudAdminPassword.file = ./nextcloudAdminPasswordFile.age; - age.secrets.nextcloudDatabasePassword.file = ./nextcloudDatabasePasswordFile.age; + age.secrets.nextcloudAdminPassword = { + owner = "nextcloud"; + group = "nextcloud"; + file = ./nextcloudAdminPasswordFile.age; + }; + age.secrets.nextcloudDatabasePassword = { + owner = "nextcloud"; + group = "nextcloud"; + file = ./nextcloudDatabasePasswordFile.age; + }; } -- 2.49.0 From b2eb90564d01dc39f602cf34cb4f0e22cdf76ac8 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Nov 2021 01:02:47 +0100 Subject: [PATCH 041/149] change hedgedoc localhost port --- machines/public-cof/hedgedoc.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index 8a3823a..8466c4a 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -1,6 +1,6 @@ { ... }: let - port = 3000; + port = 3001; in { services.hedgedoc = { -- 2.49.0 From 5e24c6c8c7d32c45ea4c990dc92354712ebbce94 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Nov 2021 01:06:57 +0100 Subject: [PATCH 042/149] try simple cryptpad module --- machines/public-cof/cryptpad.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/machines/public-cof/cryptpad.nix b/machines/public-cof/cryptpad.nix index dc27ca9..bcf6a6d 100644 --- a/machines/public-cof/cryptpad.nix +++ b/machines/public-cof/cryptpad.nix @@ -14,9 +14,15 @@ in environment.etc."cryptpad/config.js".source = ./cryptpad.js; services.nginx.virtualHosts = { - "docs.beta.rz.ens.wtf" = { + "pads.beta.rz.ens.wtf" = { forceSSL = true; enableACME = true; + locations = { + "/" = { + proxyPass = "http://localhost:3000"; + }; + }; + /* extraConfig = '' # CryptPad serves static assets over these two domains. # `main_domain` is what users will enter in their address bar. 
@@ -183,6 +189,7 @@ in # Finally, serve anything the above exceptions don't govern. try_files /www/$uri /www/$uri/index.html /customize/$uri; ''; + */ }; }; -- 2.49.0 From d8a577b0786fcbb5e2452616bb6d9f5349538bb5 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 20 Nov 2021 21:01:42 +0100 Subject: [PATCH 043/149] public-cof: fix cryptpad --- machines/public-cof/configuration.nix | 2 +- machines/public-cof/cryptpad.js | 12 +++--- machines/public-cof/cryptpad.nix | 59 ++++++++++++--------------- 3 files changed, 32 insertions(+), 41 deletions(-) diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index bdb86ce..d9ce6e5 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -13,7 +13,7 @@ ./nur.nix # ./factorio.nix # TODO ./nginx.nix - # ./cryptpad.nix + ./cryptpad.nix ./hedgedoc.nix ./secrets # TODO monitoring diff --git a/machines/public-cof/cryptpad.js b/machines/public-cof/cryptpad.js index b08412f..de93779 100644 --- a/machines/public-cof/cryptpad.js +++ b/machines/public-cof/cryptpad.js @@ -40,7 +40,7 @@ module.exports = { * cryptpad/docs/example.nginx.conf (see the $main_domain variable) * */ - httpUnsafeOrigin: 'http://localhost:3000/', + httpUnsafeOrigin: 'https://pads.beta.rz.ens.wtf/', /* httpSafeOrigin is the URL that is used for the 'sandbox' described above. * If you're testing or developing with CryptPad on your local machine then @@ -58,7 +58,7 @@ module.exports = { * * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS. */ - // httpSafeOrigin: "https://some-other-domain.xyz", + httpSafeOrigin: "https://sandbox.pads.beta.rz.ens.wtf", /* httpAddress specifies the address on which the nodejs server * should be accessible. By default it will listen on 127.0.0.1 
@@ -102,11 +102,11 @@ module.exports = { * which can be found on the settings page for registered users. * Entries should be strings separated by a comma. */ -/* + adminKeys: [ - //"https://my.awesome.website/user/#/1/cryptpad-user1/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=", + "https://pads.beta.rz.ens.wtf/user/#/1/raito/W1vJY5Mq+8+5SveZAYe0wYRthS88jQIV-Fwf0s36uas=" ], -*/ + /* CryptPad's administration panel includes a "support" tab * wherein administrators with a secret key can view messages @@ -154,7 +154,7 @@ module.exports = { * * hint: 50MB is 50 * 1024 * 1024 */ - //defaultStorageLimit: 50 * 1024 * 1024, + defaultStorageLimit: 50 * 1024 * 1024, /* ===================== diff --git a/machines/public-cof/cryptpad.nix b/machines/public-cof/cryptpad.nix index bcf6a6d..34ea287 100644 --- a/machines/public-cof/cryptpad.nix +++ b/machines/public-cof/cryptpad.nix @@ -1,10 +1,12 @@ -{ ... }: +{ pkgs, ... }: let subZone = "beta.rz.ens.wtf"; - main_domain = "pads." + subZone; - api_domain = "api." + main_domain; - files_domain = "files." + main_domain; - sandbox_domain = "sandbox." + main_domain; + main_domain = "pads.${subZone}"; + sandbox_domain = "sandbox.${main_domain}"; + # TODO: later + api_domain = "api.${main_domain}"; + files_domain = "files.${main_domain}"; + port = 3000; in { services.cryptpad = { 
@@ -13,17 +15,21 @@ in }; environment.etc."cryptpad/config.js".source = ./cryptpad.js; + systemd.services.nginx = { + serviceConfig.BindReadOnlyPaths = [ + "/var/lib/private/cryptpad:/www/cryptpad" + ]; + }; + services.nginx.virtualHosts = { - "pads.beta.rz.ens.wtf" = { + "${main_domain}" = { forceSSL = true; enableACME = true; - locations = { - "/" = { - proxyPass = "http://localhost:3000"; - }; - }; - /* + serverAliases = [ sandbox_domain ]; extraConfig = '' + root ${pkgs.cryptpad}/lib/node_modules/cryptpad; + index index.html; + # CryptPad serves static assets over these two domains. # `main_domain` is what users will enter in their address bar. # Privileged computation such as key management is handled in this scope @@ -42,27 +48,12 @@ in # if you find that a single machine cannot handle all of your users. # If you don't use dedicated domains, this can be the same as $main_domain # If you do, they'll be added as exceptions to any rules which block connections to remote domains. - set $api_domain ${api_domain}; - set $files_domain ${files_domain}; + set $api_domain ${main_domain}; + set $files_domain ${main_domain}; server_name ${main_domain} ${sandbox_domain}; - # diffie-hellman parameters are used to negotiate keys for your session - # generate strong parameters using the following command - ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096 - - # Speeds things up a little bit when resuming a session - ssl_session_timeout 5m; - ssl_session_cache shared:SSL:5m; - - # You'll need nginx 1.13.0 or better to support TLSv1.3 - ssl_protocols TLSv1.2 TLSv1.3; - - # https://cipherli.st/ - ssl_ciphers EECDH+AESGCM:EDH+AESGCM; - ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 - # CSS can be dynamically set inline, loaded from the same domain, or from $main_domain set $styleSrc "'unsafe-inline' 'self' ${main_domain}"; 
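Review bot: The second hunk (`@@ -42,27 +48,12 @@`) removes the explicit `ssl_protocols`, `ssl_ciphers`, `ssl_ecdh_curve` and `ssl_dhparam` directives from `extraConfig` and nothing in this file takes their place, so the virtual host now inherits whatever `services.nginx` configures globally; if `services.nginx.recommendedTlsSettings = true` is not set in nginx.nix (not visible here) the host silently falls back to nginx's built-in TLS defaults. A one-line comment next to `server_name`, e.g. `# TLS parameters intentionally left to services.nginx.recommendedTlsSettings (nginx.nix)`, would make that dependency explicit and reviewable. In the first hunk, `BindReadOnlyPaths = [ "/var/lib/private/cryptpad:/www/cryptpad" ]` only makes the directory visible inside nginx's mount namespace; file permissions still apply, so the `nginx` user needs read access on the tree for the locations that later use `root /www/cryptpad` — worth verifying after the first switch, since it depends on how cryptpad writes its state. The `extraConfig` string continues past the end of this hunk.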
@@ -112,7 +103,7 @@ in # We prefer to serve static content from nginx directly and to leave the API server to handle # the dynamic content that only it can manage. This is primarily an optimization location ^~ /cryptpad_websocket { - proxy_pass http://localhost:3000; + proxy_pass http://localhost:${toString port}; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -138,7 +129,7 @@ in # the caching variable which is applied to every other resource # which is loaded during that session. location = /api/config { - proxy_pass http://localhost:3000; + proxy_pass http://localhost:${toString port}; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -146,6 +137,7 @@ in # encrypted blobs are immutable and are thus cached for a year location ^~ /blob/ { + root /www/cryptpad; if ($request_method = 'OPTIONS') { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; @@ -155,7 +147,6 @@ in add_header 'Content-Length' 0; return 204; } - add_header Cache-Control max-age=31536000; add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; @@ -167,6 +158,7 @@ in # these payloads are unlocked via login credentials. They are mutable # and are thus never cached. They're small enough that it doesn't matter, in any case. location ^~ /block/ { + root /www/cryptpad; add_header Cache-Control max-age=0; try_files $uri =404; } 
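Review bot: The `/blob/` location keeps the comment `# encrypted blobs are immutable and are thus cached for a year` (context in `@@ -146,6 +137,7 @@`) while the hunk `@@ -155,7 +147,6 @@` deletes the `add_header Cache-Control max-age=31536000;` that implemented it, so the comment is now stale and a reader will assume caching that no longer happens. Either restore the header after the `OPTIONS` branch or rewrite the comment to say why the cache lifetime was dropped. The `extraConfig` string starts and ends outside these hunks.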
@@ -189,9 +181,8 @@ in # Finally, serve anything the above exceptions don't govern. try_files /www/$uri /www/$uri/index.html /customize/$uri; ''; - */ }; }; - networking.firewall.allowedTCPPorts = [ 433 80 ]; + networking.firewall.allowedTCPPorts = [ 443 80 ]; } -- 2.49.0 From f3f4431f2c031723f0e1b8c5548918b6ff8e64e7 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 21 Nov 2021 11:53:30 +0100 Subject: [PATCH 044/149] core-services: use jre8 for keycloak, fixes LDAP federation --- machines/core-services-01/keycloak.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index 8886a75..6f34b25 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, pkgs, ... }: let my = config.my; port = 8080; @@ -6,6 +6,9 @@ in { services.keycloak = { enable = true; + package = pkgs.keycloak.override { + jre = pkgs.jre8; + }; initialAdminPassword = "changemeasap"; database.createLocally = true; database.passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path; -- 2.49.0 From 916b06ad1fc4c826348dc3207f3484a4e28d6a44 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 21 Nov 2021 11:53:50 +0100 Subject: [PATCH 045/149] =?UTF-8?q?dns:=20jurisprudens.beta.rz.ens.wtf=20?= =?UTF-8?q?=E2=86=92=20public=20COF=20with=20v4=20upstream=20proxy?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/core-services-01/subZone.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 5c660cc..309556d 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix 
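Review bot: The keycloak.nix hunk adds `package = pkgs.keycloak.override { jre = pkgs.jre8; };` without a comment saying why an older JRE is pinned, so the next cleanup or bump of this file is likely to drop the override and reintroduce the LDAP federation breakage only the subject line mentions. Suggest `# jre8: LDAP federation fails under newer JREs (PATCH 044); re-test before removing` directly above the `package` line. Pinning a service to Java 8 is also a maintenance liability, so a `# TODO` to re-evaluate on the next keycloak upgrade would be appropriate.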
@@ -66,6 +66,10 @@ with my.ipv6; # contains { standard, acme } sandbox.AAAA = public-cof-ips; }; docs.AAAA = public-cof-ips; + jurisprudens = { + AAAA = public-cof-ips; + A = upstream-v4-proxies; + }; }; -- 2.49.0 From 8ac5d2e4ab74400cc17de631be13049d02d9e875 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 19 Dec 2021 14:51:12 +0100 Subject: [PATCH 046/149] core-services: adjust to our changes in IPv4 network for MWAN/local net --- machines/core-services-01/dns.nix | 4 +-- machines/core-services-01/my.nix | 25 +++++++++++++++++-- machines/core-services-01/rz.nix | 3 ++- machines/core-services-01/subZone.nix | 35 +++++++++++++++------------ 4 files changed, 46 insertions(+), 21 deletions(-) diff --git a/machines/core-services-01/dns.nix b/machines/core-services-01/dns.nix index 6473038..5b01499 100644 --- a/machines/core-services-01/dns.nix +++ b/machines/core-services-01/dns.nix @@ -12,13 +12,13 @@ in settings = { server = { access-control = [ "127.0.0.0/8 allow" "::1/128 allow" ] ++ map (v: "${v} allow") my.privateRanges; - interface = [ "127.0.0.1" ] ++ my.ipv4; + interface = [ "127.0.0.1" ] ++ my.ipv4Internal; }; }; }; services.nsd = { enable = true; - interfaces = my.ipv6.standard; + interfaces = my.ipv6.standard ++ my.ipv4; zones = { ${my.subZone} = { data = dns.lib.toString my.subZone (import ./subZone.nix { inherit dns config lib; }); diff --git a/machines/core-services-01/my.nix b/machines/core-services-01/my.nix index 5a83031..bdc2aa4 100644 --- a/machines/core-services-01/my.nix +++ b/machines/core-services-01/my.nix 
@@ -46,6 +46,20 @@ in default = map (v: (mkAddress v).address) cfg.ipv4Full; }; + ipv4Internal = mkOption { + description = "Private IPv4 addresses without prefix"; + type = listOf str; + example = [ "192.186.1.153" ]; + default = map (v: (mkAddress v).address) cfg.ipv4InternalFull; + }; + + ipv4InternalFull = mkOption { + description = "Private IPv4 addresses with prefix"; + type = listOf str; + default = []; + example = [ "192.168.1.153/24" ]; + }; + ipv4Full = mkOption { description = "Public IPv4 addresses with prefix"; type = listOf str; @@ -67,7 +81,7 @@ in }; ipv6.acme = mkOption { - description = "Public IPv6 address for ACME services (acme-dns) without prefi"; + description = "Public IPv6 address for ACME services (acme-dns) without prefix"; type = str; default = (mkAddress cfg.ipv6.acmeFull).address; example = "2001:470:1f13:21d:f515:b348:cd48:e064/64"; @@ -87,9 +101,16 @@ in }; config = { + networking.interfaces.ens20 = { + ipv4.addresses = map mkAddress cfg.ipv4InternalFull; + }; + networking.interfaces.ens19 = { - ipv4.addresses = map mkAddress cfg.ipv4Full; ipv6.addresses = map mkAddress (cfg.ipv6.standardFull ++ [ cfg.ipv6.acmeFull ]); }; + + networking.interfaces.ens18 = { + ipv4.addresses = map mkAddress cfg.ipv4Full; + }; }; } diff --git a/machines/core-services-01/rz.nix b/machines/core-services-01/rz.nix index 4f096e4..e76a9c5 100644 --- a/machines/core-services-01/rz.nix +++ b/machines/core-services-01/rz.nix @@ -11,7 +11,8 @@ "2001:470:1f13:187:fd34:80c3:a761:ff2/64" ]; ipv6.acmeFull = "2001:470:1f13:187:a039:c3ff:fe4f:8661/64"; - ipv4Full = [ "10.1.1.20/24" ]; + ipv4InternalFull = [ "10.1.1.20/22" ]; + ipv4Full = [ "45.13.104.26/32" ]; privateRanges = [ "10.1.0.0/22 "]; }; diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 309556d..6c2d4dc 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix 
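Review bot: The `example` of the new `ipv4Internal` option is `[ "192.186.1.153" ]`, which is not a private address (192.186.0.0/16 is publicly routable), while its sibling `ipv4InternalFull` uses `[ "192.168.1.153/24" ]`; change it to `example = [ "192.168.1.153" ];` so the example matches the "Private IPv4 addresses" description. In the `ipv6.acme` hunk the description is corrected to "without prefix", but the unchanged `example` line beneath it still ends in `/64`, which now contradicts the description it documents.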
@@ -1,7 +1,6 @@ { config, lib, dns, ... }: with dns.lib.combinators; - let my = config.my; upstream-v4-proxies = [ "51.15.7.181" ]; # kurisu.dual.lahfa.xyz @@ -11,9 +10,12 @@ let remoteBuilders = { nix01 = [ "2001:470:1f13:187:1e07:c670:3958:f8f1" ]; }; + dualstack = { + A = my.ipv4; + AAAA = my.ipv6.standard; + }; in -with my.ipv6; # contains { standard, acme } -{ +dualstack // { SOA = { nameServer = "ns1.${my.subZone}."; adminEmail = my.email; @@ -24,20 +26,17 @@ with my.ipv6; # contains { standard, acme } "ns1.${my.subZone}." ]; - AAAA = standard; - CAA = letsEncrypt my.email; subdomains = { - git.AAAA = standard; - drone.AAAA = standard; - wiki.AAAA = standard; - monitoring.AAAA = standard; - auth.AAAA = standard; - push.AAAA = standard; - ns1.AAAA = standard; - beta.A = upstream-v4-proxies; - beta.AAAA = public-cof-ips; + git = dualstack; + drone = dualstack; + wiki = dualstack; + monitoring = dualstack; + auth = dualstack; + push = dualstack; + core01 = dualstack; + ns1 = dualstack; builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; @@ -49,10 +48,12 @@ with my.ipv6; # contains { standard, acme } acme = { NS = [ "acme.${my.subZone}." ]; - AAAA = [ acme ]; + AAAA = [ my.ipv6.acme ]; }; - beta.subdomains = { + beta = { + AAAA = public-cof-ips; + subdomains = { nuage.A = upstream-v4-proxies; nuage.AAAA = public-cof-ips; minecraft.AAAA = public-cof-ips; @@ -66,11 +67,13 @@ with my.ipv6; # contains { standard, acme } sandbox.AAAA = public-cof-ips; }; docs.AAAA = public-cof-ips; + docs.A = upstream-v4-proxies; jurisprudens = { AAAA = public-cof-ips; A = upstream-v4-proxies; }; }; + }; internal.subdomains = { -- 2.49.0 From 2c321dd0aa116a8de9e0a20b98b4b1d4fbd6665f Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 29 Dec 2021 17:33:28 +0100 Subject: [PATCH 047/149] core-services: bump dbengine disk size to 4GiB --- krops.nix | 2 +- machines/core-services-01/monitoring.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/krops.nix b/krops.nix index 39ec306..fac4e15 100644 --- a/krops.nix +++ b/krops.nix @@ -29,7 +29,7 @@ let inherit target; }; }; in {} -// mkDeploy "core-services-01" "root@core01.internal.rz.ens.wtf" +// mkDeploy "core-services-01" "root@core01.rz.ens.wtf" // mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" // mkDeploy "public-cof" "root@beta.rz.ens.wtf" // mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index fe9ac46..b355179 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -19,7 +19,7 @@ in text = '' [global] page cache size = 32 - dbengine multihost disk space = 2048 + dbengine multihost disk space = 4096 ''; }; -- 2.49.0 From 067ab1d7cc63ce2dd87d765aabaa20c3db03aae5 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 24 Jan 2022 22:04:43 +0100 Subject: [PATCH 048/149] =?UTF-8?q?core01/public-cof:=20flush=20changes,?= =?UTF-8?q?=20router02=20=E2=86=92=20router01?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/core-services-01/subZone.nix | 38 +++++++++++++-------------- machines/public-cof/hedgedoc.nix | 2 +- machines/public-cof/networking.nix | 4 ++- machines/public-cof/nix/sources.json | 2 +- machines/public-cof/nur.nix | 6 ++--- 5 files changed, 27 insertions(+), 25 deletions(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 6c2d4dc..ff98ad0 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix 
@@ -54,24 +54,24 @@ dualstack // { beta = { AAAA = public-cof-ips; subdomains = { - nuage.A = upstream-v4-proxies; - nuage.AAAA = public-cof-ips; - minecraft.AAAA = public-cof-ips; - factorio.AAAA = public-cof-ips; - home.A = upstream-v4-proxies; - home.AAAA = public-cof-ips; - pads.AAAA = public-cof-ips; - pads.subdomains = { - api.AAAA = public-cof-ips; - files.AAAA = public-cof-ips; - sandbox.AAAA = public-cof-ips; - }; - docs.AAAA = public-cof-ips; - docs.A = upstream-v4-proxies; - jurisprudens = { - AAAA = public-cof-ips; - A = upstream-v4-proxies; - }; + nuage.A = upstream-v4-proxies; + nuage.AAAA = public-cof-ips; + minecraft.AAAA = public-cof-ips; + factorio.AAAA = public-cof-ips; + home.A = upstream-v4-proxies; + home.AAAA = public-cof-ips; + pads.AAAA = public-cof-ips; + pads.subdomains = { + api.AAAA = public-cof-ips; + files.AAAA = public-cof-ips; + sandbox.AAAA = public-cof-ips; + }; + docs.AAAA = public-cof-ips; + docs.A = upstream-v4-proxies; + jurisprudens = { + AAAA = public-cof-ips; + A = upstream-v4-proxies; + }; }; }; @@ -79,7 +79,7 @@ dualstack // { internal.subdomains = { # Routers router01.A = [ "10.1.1.1" ]; - router02.A = [ "10.1.1.2" ]; + router02.A = [ "10.1.1.1" ]; # Hypervisors pve01 = { diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index 8466c4a..258973f 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -8,7 +8,7 @@ in configuration = { protocolUseSSL = true; # scp =; # TODO - domain = "//docs.beta.rz.ens.wtf"; + domain = "docs.beta.rz.ens.wtf"; host = "localhost"; port = port; db = { diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index c7c14db..9fb5315 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix 
@@ -11,9 +11,11 @@ prefixLength = 64; }]; }; + interfaces.ens19 = { + useDHCP = true; + }; firewall.allowedTCPPorts = [ 22 ]; - firewall.allowedUDPPorts = [ 22 ]; firewall.enable = true; }; } diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json index 234be1c..656e9e4 100644 --- a/machines/public-cof/nix/sources.json +++ b/machines/public-cof/nix/sources.json @@ -14,7 +14,7 @@ "klubrz-nur": { "branch": "main", "repo": "https://git.rz.ens.wtf/Klub-RZ/nur", - "rev": "901e08a94819f07499ec6cfbea1e24808e19e4b6", + "rev": "98911e21fd58f00440dc8a5bd6568f2a349338bd", "type": "git" }, "niv": { diff --git a/machines/public-cof/nur.nix b/machines/public-cof/nur.nix index a8abe1f..7ca9d89 100644 --- a/machines/public-cof/nur.nix +++ b/machines/public-cof/nur.nix @@ -1,8 +1,8 @@ { lib, pkgs, ... }: let nivSources = import ./nix/sources.nix; - #rz-src = nivSources.klubrz-nur; - #rz-no-pkgs = (import nivSources.klubrz-nur {}); + rz-src = nivSources.klubrz-nur; + rz-no-pkgs = (import nivSources.klubrz-nur {}); in { nixpkgs.config.packageOverrides = { @@ -11,7 +11,7 @@ in imports = [ "${nivSources.agenix}/modules/age.nix" - ]; #++ lib.attrValues rz-no-pkgs.modules; + ] ++ lib.attrValues rz-no-pkgs.modules; nixpkgs.overlays = []; } -- 2.49.0 From cb92be5d7272026058167539f521f331ca704726 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 25 Jan 2022 00:37:12 +0100 Subject: [PATCH 049/149] core01: add MrF key, default gateway, A for acme --- machines/core-services-01/configuration.nix | 1 + machines/core-services-01/my.nix | 6 ++++++ machines/core-services-01/subZone.nix | 1 + 3 files changed, 8 insertions(+) diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index a09eec0..6fb2e79 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix 
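Review bot: In the nur.nix hunk, `rz-src` is bound in the `let` but only referenced from the still-commented `packageOverrides` line, so it is dead code after this change; either drop the binding or uncomment the override. More importantly, `] ++ lib.attrValues rz-no-pkgs.modules` now imports every NixOS module shipped by the external `klubrz-nur` repository, giving that repository the same authority as a local module; the pin is integrity-checked because `builtins.fetchGit` resolves the `rev` from sources.json to a specific commit, so a `rev` bump (as the sources.json hunk above does) should be reviewed as a code change rather than a lockfile update. A comment above `imports` such as `# every module in this list is evaluated with full NixOS privileges; review rev bumps in nix/sources.json` would record that expectation.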
@@ -74,6 +74,7 @@
 users.users.root.openssh.authorizedKeys.keyFiles = [
 ./pubkeys/gdd.keys
 ./pubkeys/raito.keys
+ ./pubkeys/mrf.keys
 ];
 # Open ports in the firewall.
diff --git a/machines/core-services-01/my.nix b/machines/core-services-01/my.nix
index bdc2aa4..994190f 100644
--- a/machines/core-services-01/my.nix
+++ b/machines/core-services-01/my.nix
@@ -101,6 +101,12 @@ in
 };
 config = {
+ # Default IPv4 exit route
+ networking.defaultGateway = {
+ address = "";
+ interface = "ens18";
+ };
+
 networking.interfaces.ens20 = {
 ipv4.addresses = map mkAddress cfg.ipv4InternalFull;
 };
diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix
index ff98ad0..41fd888 100644
--- a/machines/core-services-01/subZone.nix
+++ b/machines/core-services-01/subZone.nix
@@ -48,6 +48,7 @@ dualstack // {
 acme = {
 NS = [ "acme.${my.subZone}." ];
+ A = my.ipv4;
 AAAA = [ my.ipv6.acme ];
 };
-- 
2.49.0

From 7e11763d747b7916e9c4730f9b3eac96cbffe18f Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Tue, 25 Jan 2022 17:52:56 +0100
Subject: [PATCH 050/149] core01: Add MrF keys for real

---
 machines/core-services-01/pubkeys/mrf.keys | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 machines/core-services-01/pubkeys/mrf.keys

diff --git a/machines/core-services-01/pubkeys/mrf.keys b/machines/core-services-01/pubkeys/mrf.keys
new file mode 100644
index 0000000..ebbfa68
--- /dev/null
+++ b/machines/core-services-01/pubkeys/mrf.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe4tx0+lNX2w7kG94c9u7U0wHuOc2A6zpHcbyAs+w/d
-- 
2.49.0

From 3670aab5834d559231ddfe41c4440f0f49b42ced Mon Sep 17 00:00:00 2001
From: Julien Marquet
Date: Tue, 25 Jan 2022 18:12:54 +0100
Subject: [PATCH 051/149] ipv4 for public-cof

---
 machines/core-services-01/subZone.nix | 38 ++++++++++++---------------
 machines/public-cof/networking.nix | 20 ++++++++++++--
 2 files changed, 35 insertions(+), 23 deletions(-)
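Review bot: `./pubkeys/mrf.keys` is added to `authorizedKeys.keyFiles` here, but the file itself is only created by PATCH 050 ("core01: Add MrF keys for real"), so PATCH 049 on its own should fail to evaluate with a missing-path error when the keyFiles are copied to the store; the two commits should be squashed or ordered the other way. In the my.nix hunk, `networking.defaultGateway = { address = ""; interface = "ens18"; }` has an empty gateway address; as far as I recall the scripted networking backend skips the default route entirely when `address` is empty, which would make this block a no-op — the same pattern reappears in the public-cof networking.nix hunk of PATCH 051, where it sits next to a `localCommands` route that looks like a workaround for exactly that. If an on-link default route with no next hop is what is intended, replace the comment with `# on-link default route via ens18; no next-hop address on this link` and check that the route is actually present after the switch.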
diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 41fd888..08db8c1 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -3,8 +3,10 @@ with dns.lib.combinators; let my = config.my; - upstream-v4-proxies = [ "51.15.7.181" ]; # kurisu.dual.lahfa.xyz - public-cof-ips = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5" ]; + public-cof-ips = { + A = [ "45.13.104.27" ]; + AAAA = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5" ]; + }; delegateACMEDNSChallenge = acme: { _acme-challenge.CNAME = [ acme ]; }; remoteBuilders = { @@ -52,27 +54,21 @@ dualstack // { AAAA = [ my.ipv6.acme ]; }; - beta = { - AAAA = public-cof-ips; + beta = public-cof-ips // { subdomains = { - nuage.A = upstream-v4-proxies; - nuage.AAAA = public-cof-ips; - minecraft.AAAA = public-cof-ips; - factorio.AAAA = public-cof-ips; - home.A = upstream-v4-proxies; - home.AAAA = public-cof-ips; - pads.AAAA = public-cof-ips; - pads.subdomains = { - api.AAAA = public-cof-ips; - files.AAAA = public-cof-ips; - sandbox.AAAA = public-cof-ips; - }; - docs.AAAA = public-cof-ips; - docs.A = upstream-v4-proxies; - jurisprudens = { - AAAA = public-cof-ips; - A = upstream-v4-proxies; + nuage = public-cof-ips; + minecraft = public-cof-ips; + factorio = public-cof-ips; + home = public-cof-ips; + pads = public-cof-ips // { + subdomains = { + api = public-cof-ips; + files = public-cof-ips; + sandbox = public-cof-ips; + }; }; + docs = public-cof-ips; + jurisprudens = public-cof-ips; }; }; diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 9fb5315..9fc556f 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix 
@@ -1,8 +1,20 @@ -{ ... }: -{ +{ lib, ... }: +let mkAddress = addr: let + splitted = lib.splitString "/" addr; + elemAt = builtins.elemAt splitted; + in + { address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); }; +in { networking = { hostName = "public-cof"; + # Default IPv4 exit route + defaultGateway = { + address = ""; + interface = "ens20"; + }; + localCommands = "ip route add default dev ens20 metric 10"; + useDHCP = false; interfaces.ens18 = { useDHCP = true; @@ -15,6 +27,10 @@ useDHCP = true; }; + interfaces.ens20 = { + ipv4.addresses = map mkAddress [ "45.13.104.27/32" ]; + }; + firewall.allowedTCPPorts = [ 22 ]; firewall.enable = true; }; -- 2.49.0 From 6535ca50aff220cd9454b4cdb8656a98734da0e8 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Tue, 25 Jan 2022 23:59:59 +0000 Subject: [PATCH 052/149] add dex --- machines/core-services-01/dex.nix | 41 +++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 machines/core-services-01/dex.nix diff --git a/machines/core-services-01/dex.nix b/machines/core-services-01/dex.nix new file mode 100644 index 0000000..6834f07 --- /dev/null +++ b/machines/core-services-01/dex.nix @@ -0,0 +1,41 @@ +{ config, ... }: +let + my = config.my +in +{ + services.dex = { + enable = true; + settings = { + issuer = ""; + storage = { + type = "sqlite3"; + config.file = "gitea/dex.db"; + }; + enablePasswordDB = true; + /* + web = { + http = ""; + }; + staticClients = [ + { + id = "oidcclient"; + name = "Client"; + redirectURIs = [ "/callback" ]; + secretFile = "/etc/dex/oidcclient"; + } + ]; + */ + connectors = { + type = "gitea"; + id = "gitea"; + name = "Gitea"; + config = { + clientID = ; + clientSecret = ; + redirectURL = "http://127.0.0.1:5556/dex/callback"; + baseURL = "https://git.${my.subZone}"; + }; + }; + }; + }; +} -- 2.49.0 From 7193ee270ac51cc84690d150e65e84aa522f7cb7 Mon Sep 17 00:00:00 2001 
From: gabriel-doriath-dohler Date: Tue, 25 Jan 2022 23:59:59 +0000 Subject: [PATCH 053/149] add dex to confifiguration.nix --- machines/core-services-01/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 6fb2e79..8a53310 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -19,6 +19,7 @@ ./keycloak.nix ./acme-dns.nix ./backups.nix + ./dex.nix ./secrets # TODO push to gitea # TODO ./gotify.nix -- 2.49.0 From 52d0f1433a8b28ac9fcda796e8598518763bcc7a Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Tue, 25 Jan 2022 23:59:59 +0000 Subject: [PATCH 054/149] Ryan tu me doit 10k --- machines/core-services-01/dex.nix | 6 +++--- machines/core-services-01/secrets/default.nix | 1 + machines/core-services-01/secrets/secrets.nix | 1 + 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/machines/core-services-01/dex.nix b/machines/core-services-01/dex.nix index 6834f07..12c9476 100644 --- a/machines/core-services-01/dex.nix +++ b/machines/core-services-01/dex.nix @@ -1,6 +1,6 @@ { config, ... }: let - my = config.my + my = config.my; in { services.dex = { @@ -30,8 +30,8 @@ in id = "gitea"; name = "Gitea"; config = { - clientID = ; - clientSecret = ; + clientID = "Gitea"; + clientSecret = "b2a1b7ae-2f31-489d-84c3-4d429085db14"; redirectURL = "http://127.0.0.1:5556/dex/callback"; baseURL = "https://git.${my.subZone}"; }; diff --git a/machines/core-services-01/secrets/default.nix b/machines/core-services-01/secrets/default.nix index 10b41f1..3e4cb37 100644 --- a/machines/core-services-01/secrets/default.nix +++ b/machines/core-services-01/secrets/default.nix 
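Review bot: `clientSecret = "b2a1b7ae-2f31-489d-84c3-4d429085db14";` puts the Gitea OAuth client secret into dex.nix, from where it is copied world-readable into the Nix store of every machine that evaluates this configuration, and it stays in git history even after dex.nix is commented out in patch 058. The same commit adds `age.secrets.dexGiteaClientSecret` for exactly this value, so the literal should be replaced by a reference to the decrypted file (through whatever secret-file or environment-file indirection the Dex module offers at the pinned nixpkgs revision — confirm before use), with a comment such as `# Client secret comes from age.secrets.dexGiteaClientSecret; never inline it here`. The value that was committed should be treated as exposed and regenerated on the Gitea side. The `config = {` block around these lines starts outside the hunk.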
@@ -3,4 +3,5 @@ age.secrets.keycloakDatabasePasswordFile.file = ./keycloakDatabasePasswordFile.age; age.secrets.oauth2ProxyKeyFile.file = ./oauth2ProxyKeyFile.age; age.secrets.droneKeyFile.file = ./droneKeyFile.age; + age.secrets.dexGiteaClientSecret.file = ./dexGiteaClientSecret.age; } diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index cd564de..013b959 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -10,5 +10,6 @@ in "keycloakDatabasePasswordFile.age".publicKeys = superadmins ++ systems; "oauth2ProxyKeyFile.age".publicKeys = superadmins ++ systems; "droneKeyFile.age".publicKeys = superadmins ++ systems; + "dexGiteaClientSecret.age".publicKeys = superadmins ++ systems; } -- 2.49.0 From e290a918a0de684ed0ae2debc3d77c3029ffbde9 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Tue, 25 Jan 2022 23:59:59 +0000 Subject: [PATCH 055/149] progress on dex... --- krops.nix | 2 +- machines/core-services-01/configuration.nix | 1 + machines/core-services-01/dex.nix | 18 +++---------- machines/core-services-01/dokuwiki.nix | 7 +----- machines/core-services-01/oauth2_proxy.nix | 5 ++++ .../secrets/dexGiteaClientSecret.age | 25 +++++++++++++++++++ 6 files changed, 37 insertions(+), 21 deletions(-) create mode 100644 machines/core-services-01/oauth2_proxy.nix create mode 100644 machines/core-services-01/secrets/dexGiteaClientSecret.age diff --git a/krops.nix b/krops.nix index fac4e15..351034b 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "973910f5c31b9ba6c171c33a8bd7199990b14c72"; # nixos-21.05 + ref = "e96c668072d7c98ddf2062f6d2b37f84909a572b"; # nixos-22.05 url = "https://github.com/NixOS/nixpkgs"; }; }]; 
diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 8a53310..ebc4718 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -20,6 +20,7 @@ ./acme-dns.nix ./backups.nix ./dex.nix + ./oauth2_proxy.nix ./secrets # TODO push to gitea # TODO ./gotify.nix diff --git a/machines/core-services-01/dex.nix b/machines/core-services-01/dex.nix index 12c9476..1b62578 100644 --- a/machines/core-services-01/dex.nix +++ b/machines/core-services-01/dex.nix @@ -6,26 +6,16 @@ in services.dex = { enable = true; settings = { - issuer = ""; + issuer = "http://127.0.0.1:5556/dex"; storage = { type = "sqlite3"; config.file = "gitea/dex.db"; }; enablePasswordDB = true; - /* web = { - http = ""; + http = "127.0.0.1:5556"; }; - staticClients = [ - { - id = "oidcclient"; - name = "Client"; - redirectURIs = [ "/callback" ]; - secretFile = "/etc/dex/oidcclient"; - } - ]; - */ - connectors = { + connectors = [ { type = "gitea"; id = "gitea"; name = "Gitea"; @@ -35,7 +25,7 @@ in redirectURL = "http://127.0.0.1:5556/dex/callback"; baseURL = "https://git.${my.subZone}"; }; - }; + } ]; }; }; } diff --git a/machines/core-services-01/dokuwiki.nix b/machines/core-services-01/dokuwiki.nix index a0be037..1ad68e0 100644 --- a/machines/core-services-01/dokuwiki.nix +++ b/machines/core-services-01/dokuwiki.nix @@ -4,17 +4,12 @@ let my = config.my; in { - services.dokuwiki."wiki.${my.subZone}" = { + services.dokuwiki.sites."wiki.${my.subZone}" = { enable = true; - hostName = "wiki.${my.subZone}"; acl = '' * @ALL 1 * @admin 16 ''; - nginx = { - enableACME = true; - forceSSL = true; - }; }; /* diff --git a/machines/core-services-01/oauth2_proxy.nix b/machines/core-services-01/oauth2_proxy.nix new file mode 100644 index 0000000..4eca6d3 --- /dev/null +++ b/machines/core-services-01/oauth2_proxy.nix 
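Review bot: Removing `nginx = { enableACME = true; forceSSL = true; };` in the dokuwiki.nix hunk leaves nothing in this file that asks for TLS on `wiki.${my.subZone}`; unless the `services.dokuwiki.sites` module at the pinned nixpkgs revision, or another file, sets `enableACME`/`forceSSL` on `services.nginx.virtualHosts."wiki.${my.subZone}"`, the wiki and the logins its ACL implies are now reachable over plain HTTP. Either re-declare those two settings on the nginx virtual host or add a comment naming where they now come from. The module's attribute set continues outside the hunk.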
@@ -0,0 +1,5 @@ +{ ... }: +{ + users.users.oauth2_proxy.group = "oauth2_proxy"; + users.groups.oauth2_proxy = {}; +} diff --git a/machines/core-services-01/secrets/dexGiteaClientSecret.age b/machines/core-services-01/secrets/dexGiteaClientSecret.age new file mode 100644 index 0000000..41ffd35 --- /dev/null +++ b/machines/core-services-01/secrets/dexGiteaClientSecret.age @@ -0,0 +1,25 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +XmhJgoyNhXrHw08PTNMkLByPv7mmfqk2ZJ6yTihd2v4ZHdnHN9/nuWnBoK5KJod1 +9tUNwVUmlhfHO/ZDkvpRVgEUHX2SQ7YEcxMtIzocZJYY6JEh3T2+YtHqSvOOgqlV +NkQ6wLPYOHQ1Le5SVM6oQ+s+bJojn/edS5F6qPMDjiBMT7ogwqpVYm80QyaJt2xf +O8iFkzwmyxRSqTIyFX5iDb9irKpPK1fz1/YhdtYNQ+IEHLcxVUMvfMzenqxdGXir +L1vYA7BFmlgkcz60ws+Ob71LYr/edVJxrjFUojKRrMEtWQgXhTS8T20359okx2+d +MLGgVJoNeegF43+eaYIOHw +-> ssh-ed25519 85WiGg VIibrQuanG7Nqot4bebG9DXK7ThMpOwx3oQ3QR/S1zU +oQCrfWu70+Pm7pjRNTO5oiOSUCgrIvKYvuQe81US5gY +-> ssh-ed25519 reTIKw JnIrwm9UoJXoRQ8K6rWnoDDWpZq+uMNyrLl8/gdJZzc +R6ORZtogBqV8nMs86v+YVzHsrX9lXQTbNyIC0/aL+J0 +-> ssh-ed25519 /vwQcQ zWt+iAxLtWSdIbfA4+EWZBfFASkm9s3a9cRRwf3r3X0 +kYm8MXa/4DHp8ZnNblCqlPkEMqwHOfSZxoc0jewscHY +-> ssh-ed25519 cvTB5g yEewNstEZFs0GRqcMP59/+Z2OJL/l0thaZ46mwVouAE +aPmLSR/M6gO7Fvhq/MNwdTAif4bcsfiL9fmmKLnFmFU +-> ssh-ed25519 Wu8JLQ 7FHJpXe5uTNKNAXUR+G1tLkAWnsY+g4qLTAlEWVhFn8 ++A9LLbNMOQXyvKiDu1ddzSE0wB8ubHh9wWL8Zy+PmBM +-> ssh-ed25519 lHr4YQ d8JyALlCuGojdIacifRK6gMJD6jPkulln5DzH00ipSw +Ifk3ascdrChcv585jvNKb6W/EZixx0ly8YvSgDq9AxE +-> l?~i--grease }Zt #O NzbR!q $*`$T< +WMmJLFnsV7jsia2A2wdhlu0SZ3NKlEeCVbGGznlsv2FcfVmACdih0/J30OTkJ/EY +VTZ6JB4nJnldlcxxBUZ6hmtporJeUFEMjSU +--- 55FaRJUBUZoMZPmaRiVCuA+REOgpUv5Wryi2x1N2RxU +z+P'N}M b9$JeBϰ+6p3| ´^3=c \ No newline at end of file -- 2.49.0 From 075cd90fb7cc64b60e69e3e6b31804e9131c087b Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Tue, 22 Feb 2022 23:25:46 +0100 Subject: [PATCH 056/149] core01: rekey with MrF, add pve01 hypervisor monitoring --- krops.nix | 4 +- machines/core-services-01/monitoring.nix | 12 ++++- .../secrets/dexGiteaClientSecret.age | Bin 1303 -> 1424 bytes .../core-services-01/secrets/droneKeyFile.age | Bin 1462 -> 1578 bytes .../secrets/keycloakDatabasePasswordFile.age | 48 +++++++++--------- .../secrets/oauth2ProxyKeyFile.age | Bin 1328 -> 1492 bytes machines/core-services-01/secrets/secrets.nix | 2 +- 7 files changed, 37 insertions(+), 29 deletions(-) diff --git a/krops.nix b/krops.nix index 351034b..24f6566 100644 --- a/krops.nix +++ b/krops.nix @@ -29,7 +29,7 @@ let inherit target; }; }; in {} -// mkDeploy "core-services-01" "root@core01.rz.ens.wtf" +// mkDeploy "core-services-01" "root@10.1.1.20" // mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" -// mkDeploy "public-cof" "root@beta.rz.ens.wtf" +// mkDeploy "public-cof" "root@minecraft.beta.rz.ens.wtf" // mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index b355179..6149d24 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -19,7 +19,7 @@ in text = '' [global] page cache size = 32 - dbengine multihost disk space = 4096 + dbengine multihost disk space = 8192 ''; }; @@ -28,12 +28,20 @@ in group = "netdata"; mode = "0600"; text = '' + # pve01 hypervisor [e245097d-bf52-4f66-9c10-984e8d5ee178] enabled = yes - default history = 5000 + default history = 10000 default memory mode = dbengine health enabled by default = auto allow from = 10.1.1.10 + # public-cof server + [c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe] + enabled = yes + default history = 10000 + default memory mode = dbengine + health enabled by default = auto + allow from = 10.1.1.21 ''; }; 
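Review bot: The netdata stream API keys written here via `text = ''` — the existing `[e245097d-…]` section and the new `[c48e6ef1-…]` one — end up in a world-readable file in the Nix store, so `mode = "0600"` only protects the `/etc` copy; the sender side in the public-cof monitoring.nix hunk of patch 061 has the same problem with `api key = c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe` in clear. This repository already manages secrets with agenix (`age.secrets.*`), so rendering this entry from a decrypted `config.age.secrets.<name>.path` (for instance through the entry's `source` attribute instead of `text`, or a preStart step that assembles the file) keeps the key out of the store. `allow from = 10.1.1.21` is a useful second layer but is not authentication on its own. The `environment.etc` entry these lines belong to starts outside the hunk.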
diff --git a/machines/core-services-01/secrets/dexGiteaClientSecret.age b/machines/core-services-01/secrets/dexGiteaClientSecret.age index 41ffd354202ccee6cabafde5e5cd7027d76ef859..daef2a2a00c33743ebcd5b46b39b1205e074fc61 100644 GIT binary patch literal 1424 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7@hCEh3{=R}j!^|-~$x*@C+$735vno{I$hSPn zz1YCH($&bVs=zHX$TZX_GTq%hB0tB^Ak;H2ESoDOJIdHs+cGN5(K$UkHzdp3+@L%# z%fw4R+%dZ%F|EMNFTE%-yTZ&%zZ~7R@KOsepFjmKk8;!C&{PkW3-;iue*Qg+OcVpA= zZ2v;Xd`DNmpzOl(@N{(BlFLGzOw$z--JQY>oP(2d-75@?OMRVl{ruBIol^@!oP5Jd z%^ZyayuFNzJ&gQv^2)iwLi|k4%Z!ZzypxjCozlZROCrJys~l7FLxR#>5(|^e+_lY% zwJS1{eT&g;(=RIzOb%4YE;jedN)1Uf%E>p#%*x6uGf(z(^ESv02z9PX^YQmCjdaU2 zHApEbHumL;$_aLIjwtstsz?eB%5p6846w)z3i8!AHOba5a@Mve%<{AhadQpK%)*Gb zqSO#i?{bAQGXqBxKaUI#1J7d9z({xh^s=0QTz%Jq41i( zl1$yw3zH)Koq|m={M|DGUD7j4UCK){QVl#ZbBZF2;UQU6oT!jp6z=R3$d%|FP#9%W znVavO;+h!Y5s;N>k!~62o|u=P>}g)$AL8j>=~0ksknfS{ZCT)G;#3gs6=s=gl}XQ#?NZ_77iC%;;F4<@>gQ)sRN!r#WKo!BkrW)5lWLk+neXds z5@F!wR+5=nlpCd8kx^z)9-7XTA5fm5A6RAKlx!GaQW=ou?ra|ARumkdUu2TxQ=aMN zQy7$CoKzAN?h~MGnWt}->tz(|p68QOl2%q)5t5O@z$nu2uimu2D<4*sfop@3if)*9*$w=3QAR6 z-eF#a5uS-b`Ibg*Mfxe3hK>;-spcuJIY$1Kra3--MumSVXj_*#-WKGj@cmvmL^rj-a+QU1^N|9PKEvzRh~xK zC1&N??_J6$NgUCYgT0 zc~Jo+sR7PqrTVFvE)mI|T-VzSJ@zoJ-_x`$?%3sAmdk>Z@|(AYSQpiPyMMglpj$?k papd%UDN>=8%|4dfx0_^F-|bi~$Y@=oUq(ccN4bGTK!~4jwvSU~K$&@NZdzfs zQIwZiWk_a5icy(Klt)UQho7Z>UTJuqQ@*#Uw^x3OA(v%Is9$+lXl_nMnuouBluLG5 zK~Pw_Yp6$rQE;Gnq-%18Z;5ABesYvoWTcswYld-%QN4C#iAP~@nZJK}VNMvAUv{8b zxlcf(zek{Ze>MKaAAmNrCWq)rc07#W|4P6fVW{&_SokDSOhHh$#k*TSnrGkZNc&2;0LVcKLW>QgLX=0wcxnE&^iAhpwlDnl# zgtvJ}hHrs?d4+L)pmAW3ez0LxC|7=w zbWJVyD=u-3aw|4)4=POd4KTIT*N!ss_wv!tF(}DMj50CHEf32tb#&!Q49N8f4$}8E zOZPW-E6XU<_w_4J331F!Gf7G=PRsPMOv}yn_Q`Y0bqk&NQM}&V&BLo8BGt4s#LwH$ zF(Ncb+ug9lC)+VRuQ*aW-K5Yb#4*P;JS@X4&w@+a(bC5!$(hd~ z&C-3nT+FfpvP*Mv@=RT-JPZsn3xdnJJkzp`6N{5mikvf&%S!m8aBa`ep@(a_Q>o zDwvwOB?ftgI)z5%`$h%iCI)4OIhQ(W2f6yE7lf9Xh8I<48dVtj83lP%gmN9O(moWR ze*XZw-~Cr|wXeD!$O!wM=Sap=D@+S&6fEu#vf|Czr0BLUD11 
zZfc5=si~o*LWY@RdXl4pSCVs>ufC;MctK^pw`Zz{OTBhhs%dyZdQ_H=yKkP zx^>~D7G6Gq3OSZWnYk4e`i{ooPKM3_VUDR$$wg)%C3zkNMUhTL>6XT(#-0{g5&3@M z*<9JKZqC6;k;xXW*}*=+rB>l_^!lLE({ENu~Ktk=pvfrk3I6krO|PhbOy~ zS~>>?_`8Obr&+pLmYVx`dT00vaRa&!(U$tiNpGpy83 zb1F{?aPkZe%rGb|Fm%*5O^t6e_lz{v zw{Z7Q@lQ3&2`lu<^VP4+^e`_CoqU#2yxuUqJlx;KC$hZCKTtkOv5wX(-kZYa(yc@%gR$j0~5WH!!69~Eh~}?irigIlOh6A{Bz7J z4Dyp5lT8DS-8{LxO`P%^-6KQ&jS5^s%kqLf(?dgyj0_B;94*p44P7dt%tAtw^^GFK z0^ku|RGg@gT@>!@6Ude9T40b`=sD9nIB}j4Dn4TL_V3K5B>0yvk;pSad>>eD<<(3idu5ad(o9Y>69Bk=T=3ACrXyEE< zY+x9bot;^n6`YsnmgHVqSCVnpYC2_7V4gq8{q1bcnpO>YtZJJkN=4NIV zlKkeC%_kXf4JQt20*mlWk&?&}%mQ)rQGsc)JZY95+dU|3vc92Di8QfU@h66RWv zRN@w38jzpo@15}xd4?pK(eSZ`jD zT$rw3nQK;HS!rQp8R}=^)#N>i{g9_6mkBE#S4-4na;w&fQyvTH83*WRTC%4=@%cxw} zq(H98_OX9j&lvG?Rm`}db?wTMDT_`&v@Xbathn@|-M)2V_jTWuo-xdH%a%%fSF-$I zQ=rtM^V}kHj%5D`>2t|j{WmrZu{xoeeTrclM+FJ>r)fGb&Qz}G}kd~t)Krr zP0gh~^%~1 zTP(liMBF;kJ7<#0%22htFSjiD<$9U(&x^3P@p~jCr+wMAVEv!a1Bv-p#p5bo-SeEo zuDE9}C>$j(A16736tEsyr7HF%#l_q`mB# drMI;583)h5+ub7F1X>)DKHrS+*C|;e002xv8EpUn delta 1378 zcmZ3*vyFR#PIy{gl)0s6xm#3@NnS{}>jVpvp0 zGFMbUfun_|w_mEZn^$qUi+P|$s)uu0nY(smN{N}Hvy->4vtzbzZe@XX=){lW;qJ!X z1_eoO<{5>dAwD@dUJ*gYX1+$gz6B;}CVmFao<+G9&Z(h^MR^&4T$UA~Zbqf~1}WyQ zg_hw(P7(TE;YsD*=AoWBB_@$(MiGG~7G`FprfC_Dlj9l1!@XRCDzki?Og;0xoKk&q z4ND`cJhX!%oJ>;+^1UnlEkc}%gG$mW9KAitxvI3Yv|U}wOmZC^L#qly5`zk~qs$`R zokB~UOC2jBbIP0w67ww5(+Wy`C!b{$uTQTsbny*v4+>0oHLfaiDsV~*urSChi7YV9 z$kMMY4aqI=O-v36H!625=5kBQHTAE^_bf6nOAO31au3PR^-s(5$T19XEG@Cr&n)$D z3-r%S^fRkS=hC%PC@#*>O-(T}H8r$UC`t|S^e$IOEy@c_%C0cU^7JSVatkX;sn0bI zFvv8k3QWv4OU!Z#cTM;64E69!4GebVa(6WGa12VR2nZ?5^6_%9EOpB^%+D?N^mEG3 z541=(@NzCT@y&_y$@g(Yx6Z;eJkvd0p(rdW$IZOTw>-$8$|57n#JR%VBf!EhDAjdb`)it9eBs|%yDyq;kO53q2 zJICKN)u}4S6J}jeaiT(YQMj{DAXiRaR+yPzd17vomtka}i-(7&etEW=k-u}Yin^#&!kauR5i9tkS zWLTA9u(5xlzju^}TUMfhk#UJ{QDlZuxpSzIYqm+Evt?GEZ&Y4#R-mPYXGDl8S45$H zkx_+LgqL|>x_^edc9M&yPg+){afOjjML>RvSBQ(HOORtqYF1g0mwtL$NT69^Kz)@( 
zfPbEINS=XXL;zP_rn^~kxqESuV^(NTmT6LMdSRf6UzU+}s+XyDqM1dQez#$aYTNKL71UYM7?8JVUcH6RC-p0v35XEBA2^+;fJtHDRGmA|9lfAMd&B7}S94n23 zlJmX1%ei!Qbrl@_^wW&0OubUF3!|!1U2}8G+(R?X0+N%>l6}G>^waB|QVdG7lX62% z{T;a`-aqW@n9nb_J@%UXtnVT_-oBS*>e;AsKC@5w-lNPoU4}gG#gFP9NxD7>RI9!C zvu^95*agqm#<8sEQ*>I;#=G}bZq@2u#a%sFU++d&yBTFN&v#H^*}6pKxh>m%hTB>E zNnu54#kcRy*cNZV@WyYMXm{m~dO60AA8gJ)kZ&>Qdh|MF%bYnqGo!iBoC#fi$hMt- z&7G|aJ9e6}8+>kaW3G4?nH^m(!C8-a>BFj1#r{&MDom$H-d|?0eAMPI}?D6tzFtpL`U2(zV z%|utTV!|M#4(F1k8xZ|AC8n)=nL`w#W6@HVht-@|w1 cK!5IWmn*hPn75?wCxuufb(OwHvE04QShJ^%m! diff --git a/machines/core-services-01/secrets/keycloakDatabasePasswordFile.age b/machines/core-services-01/secrets/keycloakDatabasePasswordFile.age index 4a352ab..2007cba 100644 --- a/machines/core-services-01/secrets/keycloakDatabasePasswordFile.age +++ b/machines/core-services-01/secrets/keycloakDatabasePasswordFile.age 
@@ -1,26 +1,26 @@ age-encryption.org/v1 --> ssh-ed25519 lHr4YQ FHOLoe1idBzwzFB5v1UqrVIgIjmyVMqhC60F+7bsslY -+4jeqlOONU712hstLOOU59dHgx48CB3+Z4xn1faH8Q0 --> ssh-ed25519 Wu8JLQ hqwTH7IVS1GTep9tNy6vrUUVtPcVXBxDnJj77S+l/Ek -gmnQhE5wnxQgEhyE18RKKemMQr4ewtRkQRt0bJo8O7Y --> ssh-ed25519 cvTB5g bw+GZVk23ok4lgUF86PqTkZOM7BPNY7foMYYMZSEemU -6BAoCmLYb1oJwPPW3X2AaS3ZOttSxAykOeKIJM/03+k --> ssh-ed25519 /vwQcQ Kqg5WdWhAuxCxMgWPpXWk77utvbIbBdcZXNSOF+a938 -4361sLVjBWOoWqTl7sIktNiulSU4gHnD2Q5gjDkZ2po --> ssh-ed25519 reTIKw abLB9hwppWQhlkAHx3AiFgePvigajethU03CjTu6SUg -sueQMp1LPmF4h1EPsyGrSDH6RoXVXoWm1i3OISZlyPw --> ssh-ed25519 85WiGg T6amGqzBiF7BLhnhPrz8BCu/NDikWBDnRv+UL2Y8mXs -xghk5e+D3O4rX4FT4TNu/bowSj7HCn3Wi4E6F7pseiw +-> ssh-ed25519 lHr4YQ S/Kuy8PdLoLLRDvlDDyuDaGXGb0RMBJKo9XyHK2I0Bg +VFjemRE9hOc/fEol+2OAjM6d/5QLPeeo0ytdgcwa8Zs +-> ssh-ed25519 h6AgbA ParmcGdbVHdvihrEuV+nLBLDnTwKR+zoxc/O0LdrUhA +L1kL6sr4ak1DTTaui9k6tpPJ1p86bKAoOcPwCJu7vr0 +-> ssh-ed25519 Wu8JLQ hTPuIn+IogmX6U16p3EQ/9C/L+X7dZaQaBrEAdq4twM +QhnuGbpuqpFFujNlXSDUDMEGHK875Sr5hHX/q2ShkhU +-> ssh-ed25519 cvTB5g P8av9KTsR9ccIRPz0TABQF3EfeO+cyn+Od+shxeatEk +GnExLTBOicvRs7neFPL/GLxE6hqpdqNV8P4nWRbMjKU +-> ssh-ed25519 /vwQcQ WE0fxso39H7ZyYwJ8eNnmrLgf0xL5AdpHZ1mrvbiPyQ +y4GjFZuYtiGg6cY8ZTOKHbYjjFJoFI5W4IF7np/OB/8 +-> ssh-ed25519 reTIKw LxM4ihcAb5u6rKqtrOUZ7/4XXoMVbf/HHhby/i9Xbn4 +O8KkO/99T2lBttsADSTJE/18ljFrUjrJWhK7peehei8 +-> ssh-ed25519 85WiGg +GtCSdOR7TTwu+zTvwOoRhOE0iLwB7JuFaZkP8cP+Fk +0GCjcBgOPeynvAUDmEioWPJMhZWGchKKukGGXHCBEUU -> ssh-rsa krWCLQ -KDsZM/5myCVtb7RL9Mo1F2WUKzBPhwillBvrIONZKH0dh3mCMjeVfyYTto1NxKxp -GsvYltgLbDggo3ittwQedB9s/JXL5z0+f3DroKVJzw82ti6w3SMpvKiCR2x+5DjH -D4Wzt/CQFujxAMOghKQGlFuCM6nVkpmL9ucgUPEp7ApbNWuc4patJgLpvkE0yj7X -Q4ScTPg86Oh5RFf4Qwa3QhG7IdnIoSSJxK+rK5qZb2vPST9zc2OKZKQXOh2h6hBy -tEAhRYBTu6oqprwYlEWL7dCsbBeHjLmBE6Zvovp51PizZhzub1jCh/fuka1VTFSq -f1oWAdTS3Ow5gXWKoH5TkQ --> +_u~Wjak-grease cU8 ?4 8Y(inxl+ -h+7nxip00iflkCYBX2HvbHYc0SjsLvn4WVYUPzhDGjyauwARfA5zCfuIbGnEcxzF 
-FOWG9QQzr90JDCkonUjGTJ3N+ykLpiYCvLDJgXZB4MVEONyutwM ---- dZ6ca/xXQAOh82oeOyV/EkjTzK+oUj0YgzGTqyzJ8Rs -a OvF⌞ʛ -JFjj+ \ No newline at end of file +bSk43qTcHFgrS7AeXTzUbx5FO/1YrLuRlm58lcXpTTKcRMZWKmFbPTVNdIvkT4xt +B6HW0OqV/Ks1pbeJUCPRdLwYHYULEC4quRGlgeToXoUQ8zCvcPT6uikpK0Hzne7e +WI5MLdS3vvAPljlSSaPN8gb3yiPgA2IPrHjqIsMNkotGFjUQ/oIyJ8YcDsSfGE2T +Z8+TOj4ZNxPda2hX7mL2x2dJmmQW5FkOVtSpSyvwpkOqPOi6b5vZaWu/GtXzGEhD +SD6SALiqmWkCHb8n588XDqKj8Lj/741R24f8IM8qW9cBz4QClh3Bnrl4gendsUCp +PkQPjniidi/aF6sHhfrSNg +-> |#4-grease y%'e^I RB nBNinf \dob +L2HkuH7S3KtuQN9AWLBL99nJPxVw +--- +QOdyAz8FR0RecYvvkzxv2IzJ9yt89/xePALK3l7sjs +&,NpJ~ ƅ˜*,؆5:i W}m"Q-FJm \ No newline at end of file 
diff --git a/machines/core-services-01/secrets/oauth2ProxyKeyFile.age b/machines/core-services-01/secrets/oauth2ProxyKeyFile.age index eb729b2e73acd38c84e188d8175df2a70cdea4dd..a62c1af71b7bdad19991f49ff4102777092cf4b4 100644 GIT binary patch delta 1409 zcmdnMb%lF^PJNnjg^x#2rDug%et=_0ahYkQQ=xW2c!5iHxtCEziE&~@YMHNJmSPM%v;IhU@TLUD11 zZfc5=si~o*LWY@RdXl3;T0o_#PnlU%a-@@Gg-d0sN4;N2X=;#nNLiV)nSZ5oQMN~w zn}umgZbpU$S6G#AcAi;gqO*2-xl2TLqH|S-xu;J^O1Q66VQ6GoWNuMlKvJfYwuMnP zx^>~D7G6Gq3Qoa!rUeG!rDYb*rI{XHW{xR7rA|Kn#U=Vi`nleQX~o*6Rk`VriTP&P z>0G(`erZmHK2^z;A&Ds#p-Gu8!M>ixuDQt`;mOGb>0$ciLEhe}!Tx4RffGN9hr0(D zy9Q{NSd@CXdAmD$JC&FFn>*)5BpQ3Uhq$E%ggE*Id-?^W1eQ8Fa=GNYhk6&3Muh|# zn`QW#IGLvwmM5jTyLEzsyTN89fFpOv5wX(-jguoHC0uvQmRXO3U;^BEypFqXMfOeVi>^JOYv;J<=>w zva~bPee<%j^Gvur%5wwqJqyE(BlV3<9IMhSERDP^^W41*Gct_4!yPk>J*#{&-NU?7 z{flAN6%{8cWEX`y`vh`18hLuSIvM5!>8E;>`}-OurUc}bMMj0@dRe-sSva~xmH8J` zdDQ1tggKj1si2&R3@9| zJ16V=xki>+m}Z)!R(e}RT6p;u2D?>8hWQnEm==Xa8hVy`WO$Z`n{Xv%`UIB+WO%1$ zl_Y1mXM07trzYhZRXQ4nlx75*7NkZ6h1NS|7?l|mr)dXdCFK-{`VlYRp85Vm6 zXlLYP6o*umXPJiQrv?XvaTOIsR%M#I8kSk)1(-z^2Uwb!24wlU6`EFhMS2HCrPP<} z2j&;&y5y(l%YI8`B7!7NEHJvUXM#86MyUL(hh%gZa%)H}e$>I4?M`A|*I0Kg`LsB;6#W$koT#AV1$fq@Xg&F(Sk?B-!8Bq%ho-i=*n;GP8AF zL7_p9GCsZ3=TTc}dOz9Qy<@8CB8e&Awq<-QSnO#n@Njy4^RYjAA1^arIp$X%IHizT zDTC!^VNKgY^Sl+#mS-PrG19-RbaHd+>GKEFO1r)J=AT;iF}K0l>E{XEr;&HW&#dOp z3X#dq=4|&C-_1` ouf5JXp13Z5HzmG{O~~V7ra{OjC6Ut>8#!wO&#QFtKNEZo0Q%GE0{{R3 delta 1243 zcmcb@y@6|jPI#ENrD0G(T24fWduoM;X_ZlVzP?LviMw%eR%nJ>x?50%cX?{5sZVBD zAXk)glxKcmpkJh?MM{8Ux>;yqm6xltSCO}uf4)U&c4TOlqrP!LVoH^B`oxdo;h{c7 zz9|Kk?nc=;MjjE)!N!$QfhoRb;iZN-#(}vxF8WDn83s{q1&N0FTt20NK^`U9zTr+u zX)Yn@US2_l7G;%r=@wy0MG;=<;bCdv`ldx5k-=#ulj9l1!`&r$y~4sX{7o#vGm`=nOY%a?C!b{$uXpnDF0IN8NJ=#bF)+5Q^71v$EY9-`%gYRo zEJ^kO-(T}H8r$UC`t|S^e$I0DRB1p_46?D3<@_3G7Ky+ug}UY z3ibDi$hWX8h^R1#&@V7@^)@L_@vSW9$_+>|Pff}%@h;6Zj4XGIs>pMT$jlB*DGvw> zs4NI7E=rEdD~NC@t}--1x6Z;eJkvd0q0~7|KR2k#!!g^)Js_(p%P~+prP8s;r$pb( z$3Mr|x45#ts4}$gn~6SGd3u$;zF$#Luzq=2qN$@< 
zo_V03Q+ZWJq*J7RSXz~byHBWVa!|Qfx~X}gf1aOdfq$e+cw|tBmv*6kMP-gZm$AR6 zcXFOdN>XA}kw=ntd6vFoWO9JJe~G2BxqC!eUZP2bnQ=){V7{3_ig#pAp1WnbV||`u zWx7Q`qEoSPo)1@gPEvY`x36VMN~UQ*PEdJ8Mrf2m8qwpacZ)eyHiz&d3|L>s7IAqh-pTVr%Q28B3DVUWoTH6w{b+7Z&q-y zYj%=rQhvE3D8Sv#ovjm!bkmDc6N^*1Dnk;>%z`}13!U7`(ks&p!!7+HOg*yALXsT0 zbaizVOvC&Nl2Q}XEV2xYQ^JZ;s)|jDi~S5DqZ~ae^9@VA^Nq}t^9`cvL!E<*xjN1( zfA8ERwr&FZA=O!r#`wf {}; lib = pkgs.lib; readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); - superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); + superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf"); core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU"; systems = [ core-services-01 ]; in -- 2.49.0 From 09ad6670ed1afbcaa89fbc25f8cb527a12f5ddd1 Mon Sep 17 00:00:00 2001 From: Julien Marquet Date: Wed, 23 Feb 2022 01:42:26 +0100 Subject: [PATCH 057/149] feat: Matterbridge MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit je suis fatigué --- machines/core-services-01/configuration.nix | 1 + machines/core-services-01/matterbridge.nix | 50 +++++++++++++++++++ machines/core-services-01/matterbridge.toml | 23 +++++++++ machines/core-services-01/secrets/default.nix | 1 + .../core-services-01/secrets/matterbridge.age | 28 +++++++++++ machines/core-services-01/secrets/secrets.nix | 1 + 6 files changed, 104 insertions(+) create mode 100644 machines/core-services-01/matterbridge.nix create mode 100644 machines/core-services-01/matterbridge.toml create mode 100644 machines/core-services-01/secrets/matterbridge.age diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index ebc4718..5b18334 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix 
@@ -22,6 +22,7 @@ ./dex.nix ./oauth2_proxy.nix ./secrets + ./matterbridge.nix # TODO push to gitea # TODO ./gotify.nix # TODO(Raito): ./backups.nix diff --git a/machines/core-services-01/matterbridge.nix b/machines/core-services-01/matterbridge.nix new file mode 100644 index 0000000..7eefba1 --- /dev/null +++ b/machines/core-services-01/matterbridge.nix @@ -0,0 +1,50 @@ +{ config, pkgs, ... }: +let + manageSecrets = conf: secrets: output: keys: + /* + `secrets` are in the form "SECRET_1=secret\nSECRET_2=secre" + For each name in `keys` we search for a line `$NAME=`, + (`` is just everything up to the end of the line) + and we substitute `$NAME` by `` in `conf`, and we print + the result in `output`. + */ + let + check = key: '' + if grep ${key} ${secrets} > /dev/null + then + true + else + echo "Missing ${key} from secrets" + exit 1 + fi + ''; + get = key: "$(grep '${key}=' ${secrets} | sed 's/^.*=//' | sed -e 's/[\\/&]/\\\\&/g')"; + checks = pkgs.lib.concatMapStrings check; + replaces = pkgs.lib.concatMapStrings (key: "s/${key}/${get key}/;"); + in pkgs.writeShellScriptBin "preStart" '' + ${checks keys} + sed "${replaces keys}" ${conf} > ${output} + ''; + startScript = pkgs.writeShellScriptBin "start" '' + ${manageSecrets + ./matterbridge.toml "$CREDENTIALS_DIRECTORY/secrets" "$RUNTIME_DIRECTORY/conf.toml" + [ "SECRET_MATTERMOST_WEBHOOK" ]}/bin/preStart + ${pkgs.matterbridge}/bin/matterbridge -conf $RUNTIME_DIRECTORY/conf.toml + ''; +in { + networking.firewall.allowedTCPPorts = [ 52187 ]; + systemd.services.matterbridge = { + description = "Chat platform bridge"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + DynamicUser = true; + LoadCredential = "secrets:${config.age.secrets.matterbridge.path}"; + ExecStart = "${startScript}/bin/start"; + Restart = "always"; + RestartSec = "10"; + RuntimeDirectory = "matterbridge"; + }; + }; +} 
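Review bot: `sed "${replaces keys}" ${conf} > ${output}` writes the rendered configuration, webhook secret included, to `$RUNTIME_DIRECTORY/conf.toml`; `RuntimeDirectory = "matterbridge"` is created with systemd's default directory mode (0755) and the file gets the service's default umask, so the secret is very likely readable by every local user. Adding `RuntimeDirectoryMode = "0700";` (and `UMask = "0077";`) to `serviceConfig` closes that. Two smaller points in `manageSecrets`: `get` strips the key with `sed 's/^.*=//'`, which is greedy and would truncate any value containing `=` to what follows its last `=` (`s/^[^=]*=//` removes only the prefix), and `check` greps for `${key}` alone, so a line such as `SECRET_MATTERMOST_WEBHOOK_OLD=` would satisfy it; anchoring both on `^${key}=` keeps them consistent.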
diff --git a/machines/core-services-01/matterbridge.toml b/machines/core-services-01/matterbridge.toml new file mode 100644 index 0000000..d4b9ab8 --- /dev/null +++ b/machines/core-services-01/matterbridge.toml @@ -0,0 +1,23 @@ +[irc] + [irc.ulminfo] + Server="ens.wtf:6697" + Nick="botte" + UseTLS=true + Charset="utf8" + PrefixMessagesWithNick=true + RemoteNickFormat="<{NICK}> " +[mattermost] + [mattermost.merle] + WebhookURL="SECRET_MATTERMOST_WEBHOOK" + WebhookBindAddress="0.0.0.0:52187" + PrefixMessagesWithNick=false + RemoteNickFormat="{NICK}" +[[gateway]] +name="réseau" +enable=true + [[gateway.inout]] + account="irc.ulminfo" + channel="#réseau" + [[gateway.inout]] + account="mattermost.merle" + channel="town-square" diff --git a/machines/core-services-01/secrets/default.nix b/machines/core-services-01/secrets/default.nix index 3e4cb37..452d42e 100644 --- a/machines/core-services-01/secrets/default.nix +++ b/machines/core-services-01/secrets/default.nix @@ -4,4 +4,5 @@ age.secrets.oauth2ProxyKeyFile.file = ./oauth2ProxyKeyFile.age; age.secrets.droneKeyFile.file = ./droneKeyFile.age; age.secrets.dexGiteaClientSecret.file = ./dexGiteaClientSecret.age; + age.secrets.matterbridge.file = ./matterbridge.age; } diff --git a/machines/core-services-01/secrets/matterbridge.age b/machines/core-services-01/secrets/matterbridge.age new file mode 100644 index 0000000..1071c43 --- /dev/null +++ b/machines/core-services-01/secrets/matterbridge.age 
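Review bot: `WebhookBindAddress="0.0.0.0:52187"` listens on every interface, and the companion matterbridge.nix opens 52187 in the firewall, while nothing in this file restricts who may post to the webhook or carries a shared token. If Matterbridge does not authenticate inbound webhook calls itself (not visible from here), anyone who can reach the port can relay messages into `#réseau`; binding to the address Mattermost actually reaches this host on, or narrowing the firewall rule to the Mattermost server, would limit that, and a comment stating which peer is expected belongs next to the bind address either way.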
@@ -0,0 +1,28 @@ +age-encryption.org/v1 +-> ssh-ed25519 lHr4YQ HJL96EuQl0qWnOeAR2lXroAQmAdlpqcQKseelyfExgA +xWjYiQmkgz/jOOpWpHPn/3rt7ZJdmP88Gz43E3roa6I +-> ssh-ed25519 h6AgbA 1GpBA4vLsVOUkX8J5YLQMi3Xfdhv+4u7yG7oI49u5wk +oWR+SI4hyhbcEXSm0HMwi9JfC31C9eyXnco4LEknOUk +-> ssh-ed25519 Wu8JLQ ZZB4XicZQfT7H+nKr6QJgJaKXt8QOlMBdNfuOsgtqUI +sdmNC14ORCJDLcXqWDWwZZ6Eg/oR87unKhDgbdmfWek +-> ssh-ed25519 cvTB5g 7+tI7ZXsHjInyRYKXh7Ib/GBlAggr+xmXKnbfMSiNjM +R69O8e2vhIBznrX86Duxc3sYgeiFq0dOdLBvQHeP4F4 +-> ssh-ed25519 /vwQcQ N5wmtMG7kwHRIANNlsjcRDGgkDdBaqUyFAJALXASMRg +oEU6zPMTi2e05G8TgyAq2iCZCwDDsFN1VZIbFvU4MP4 +-> ssh-ed25519 reTIKw ZqKi1btO33hUfCb4ZCX1h+ful/8safmcPwdBfh0+V3c ++agInPvfpuuQGuStNCX71dSlUJedHc7HjKDZiIh2VNk +-> ssh-ed25519 85WiGg 8VoK1DXQdNX4bjC42jsZZc3RpAkua1o/zdhI5WkR72Q +vzvCER9TOE+6NQWmtb/b9yybv7yKM2VMA/cHrsUN8jo +-> ssh-rsa krWCLQ +YyOhEu3NJ6JXqSfk1QbLm/HhOS8KFvX0extWp8djBYTx0DaqAFYW6gX8HReQsky4 +5MOVZ7NjkBuWteRD7Xw/H1Y4I0t9ciBP06Yv64TpciHYahE36GUA8kS6eYr9kAP+ +gf1/aExn8CJX1NES6rDgEDNmlBuuLMk611wYT1wwt44MhsATmOAEW35A9tbpuJeh +Qc/aZX7XzeOkzpO/aYMn/SVREU5fWNdhAgA3vD7MUEAYzB4sS5BaOZ2PBGU/IohL +MhbdTLA3EE3mfSMCJonNz/lF3qNRkCXFbXvhtvck/OAHnprGRhAbbHJPpqx147hc +LvbEgEtQe9JM6uaKR0Qy1g +-> gWo;S~-grease +q68DoRepcege0soJFgobnMTxzSfPRXge3B5CEiCywztahSXsr3ft/JVSh6KBIJG0 +pMsIk2Q +--- q1UjUMNNAe9WWCzomMsLxh7s+1USEVZsJNHrLsGVuks +H9zz ehJ>#فi +L_cGyCAx ԰ˆ:ue4C$V+4%&I#])V?r4wTa@4 \ No newline at end of file diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index 9fa8644..4d09d1e 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -11,5 +11,6 @@ in "oauth2ProxyKeyFile.age".publicKeys = superadmins ++ systems; "droneKeyFile.age".publicKeys = superadmins ++ systems; "dexGiteaClientSecret.age".publicKeys = superadmins ++ systems; + "matterbridge.age".publicKeys = superadmins ++ systems; } -- 2.49.0 
From b581fbcfc5345647f00b841a8c03defe649a9e9b Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 5 Mar 2022 23:15:38 +0100 Subject: [PATCH 058/149] core01: fix #6, remove Dex --- machines/core-services-01/configuration.nix | 2 +- machines/core-services-01/drone-runners.nix | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 5b18334..f5ae683 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -19,7 +19,7 @@ ./keycloak.nix ./acme-dns.nix ./backups.nix - ./dex.nix + # ./dex.nix ./oauth2_proxy.nix ./secrets ./matterbridge.nix diff --git a/machines/core-services-01/drone-runners.nix b/machines/core-services-01/drone-runners.nix index 00568b1..6793e4b 100644 --- a/machines/core-services-01/drone-runners.nix +++ b/machines/core-services-01/drone-runners.nix @@ -13,4 +13,6 @@ in ]; envFile = config.age.secrets.droneKeyFile.path; }; + + systemd.services."drone-exec-runner-nix01".after = [ "gitea" ]; } -- 2.49.0 From e0167f27d3862a0425b756e749234c70070d54a0 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 5 Mar 2022 23:15:51 +0100 Subject: [PATCH 059/149] core01: open up Gitea registration and whitelist @ens.fr emails --- machines/core-services-01/gitea.nix | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/gitea.nix b/machines/core-services-01/gitea.nix index 71b46a2..9835ac1 100644 --- a/machines/core-services-01/gitea.nix +++ b/machines/core-services-01/gitea.nix 
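Review bot: `systemd.services."drone-exec-runner-nix01".after = [ "gitea" ];` names the unit without its type suffix; systemd expects a full unit name in `After=` (`gitea.service`), and as far as I know an unsuffixed name is rejected with an "Invalid argument" warning rather than honoured, so the ordering this line intends is probably not applied. `after = [ "gitea.service" ];` fixes that, and if the runner should also pull Gitea up rather than merely wait for it, a matching `wants = [ "gitea.service" ];` is needed, since `after` alone orders but does not start. The `in {` attribute set this lives in starts outside the hunk.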
@@ -13,7 +13,20 @@ in httpAddress = "127.0.0.1"; httpPort = port; database.type = "postgres"; - disableRegistration = true; + disableRegistration = false; + settings = { + openid = { + ENABLE_OPENID_SIGNUP = true; + }; + oauth2_account = { + ENABLE_AUTO_REGISTRATION = true; + USERNAME = "email"; + }; + service = { + EMAIL_DOMAIN_WHITELIST = "ens.fr"; + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; + }; + }; }; services.nginx = { -- 2.49.0 From e1e8401160abede2db37657cc671b210c0010cfd Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 5 Mar 2022 23:16:01 +0100 Subject: [PATCH 060/149] public-cof: update Raito's NUR --- machines/public-cof/nix/sources.json | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json index 656e9e4..a6531e2 100644 --- a/machines/public-cof/nix/sources.json +++ b/machines/public-cof/nix/sources.json @@ -28,5 +28,17 @@ "type": "tarball", "url": "https://github.com/nmattia/niv/archive/e0ca65c81a2d7a4d82a189f1e23a48d59ad42070.tar.gz", "url_template": "https://github.com///archive/.tar.gz" + }, + "raito-nur": { + "branch": "master", + "description": "All my Nix expressions", + "homepage": null, + "owner": "RaitoBezarius", + "repo": "nixexprs", + "rev": "ead9a70ae1c15d786ee276e6be51a8d6d27baa88", + "sha256": "1wpk6rxcfgf0rvzvdbd3ay1xjc3mh6ds5mmp2w6mphskrhd9qjpq", + "type": "tarball", + "url": "https://github.com/RaitoBezarius/nixexprs/archive/ead9a70ae1c15d786ee276e6be51a8d6d27baa88.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" } } -- 2.49.0 From e03a3f16f8e395b637da4d2dd75712bb270fc3f0 Mon Sep 17 00:00:00 2001 
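Review bot: The `oauth2_account` section name looks wrong — as far as I know Gitea reads `ENABLE_AUTO_REGISTRATION` and `USERNAME` from `[oauth2_client]`, so as written these two keys are probably ignored and OAuth2 logins would not be auto-registered; verify against the config reference for the deployed Gitea version. With `disableRegistration = false` and `ENABLE_OPENID_SIGNUP = true`, sign-up via any OpenID 2.0 identity is accepted and the only gate is `EMAIL_DOMAIN_WHITELIST`, which checks the address the user types on the sign-up form; unless email confirmation (`REGISTER_EMAIL_CONFIRM` in `[service]`, not visible here) is on, that is a string check on a self-asserted address. If Keycloak/OAuth2 is the intended path, consider leaving OpenID sign-up off and recording the intended flow in a comment such as `# Registration is external-only: OAuth2 auto-registration gated on @ens.fr addresses`.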
From: Raito Bezarius Date: Sat, 5 Mar 2022 23:16:54 +0100 Subject: [PATCH 061/149] public-cof: add monitoring, deploy home.beta.rz.ens.wtf properly --- krops.nix | 2 +- machines/public-cof/configuration.nix | 1 + machines/public-cof/monitoring.nix | 30 +++++++++++++++++++++++++++ machines/public-cof/networking.nix | 6 +++++- machines/public-cof/nginx.nix | 23 +++++++++++++++++--- 5 files changed, 57 insertions(+), 5 deletions(-) create mode 100644 machines/public-cof/monitoring.nix diff --git a/krops.nix b/krops.nix index 24f6566..01ee420 100644 --- a/krops.nix +++ b/krops.nix @@ -31,5 +31,5 @@ let in {} // mkDeploy "core-services-01" "root@10.1.1.20" // mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" -// mkDeploy "public-cof" "root@minecraft.beta.rz.ens.wtf" +// mkDeploy "public-cof" "root@beta.rz.ens.wtf" // mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index d9ce6e5..ef33c32 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -8,6 +8,7 @@ ./system.nix ./acme.nix ./networking.nix + ./monitoring.nix ./nextcloud.nix ./minecraft.nix ./nur.nix diff --git a/machines/public-cof/monitoring.nix b/machines/public-cof/monitoring.nix new file mode 100644 index 0000000..0f4751f --- /dev/null +++ b/machines/public-cof/monitoring.nix @@ -0,0 +1,30 @@ +{ config, ... }: +{ + services.netdata = { + enable = true; + config = { + global."memory mode" = "none"; + web = { + mode = "none"; + "accept a streaming request every seconds" = 0; + }; + }; + }; + + systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [ + "stream" + ]; + + + environment.etc."netdata/stream.conf" = { + user = "netdata"; + group = "netdata"; + mode = "0600"; + text = '' + [stream] + enabled = yes + destination = 10.1.1.20:19999 + api key = c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe + ''; + }; +} 
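Review bot: The netdata stream `api key` in the `environment.etc."netdata/stream.conf"` text is a shared secret, yet `mode = "0600"` does not protect it: `environment.etc.<name>.text` is materialised as a world-readable file in the Nix store before being copied to /etc, and the value is now also in git history. The repository already manages secrets with age (see the `secrets.nix` hunk in an earlier commit), so the file is better stored encrypted and referenced through `source = config.age.secrets.<netdata-stream-secret>.path;` instead of `text`, and the UUID should be treated as a credential and rotated since it is public. The parent matches on the same UUID in its own stream.conf, so a rotation has to happen on both sides.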
diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 9fc556f..ff648e5 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -24,7 +24,11 @@ in { }]; }; interfaces.ens19 = { - useDHCP = true; + useDHCP = false; + ipv4.addresses = [{ + address = "10.1.1.21"; + prefixLength = 22; + }]; }; interfaces.ens20 = { diff --git a/machines/public-cof/nginx.nix b/machines/public-cof/nginx.nix index f5c3134..be7ef3b 100644 --- a/machines/public-cof/nginx.nix +++ b/machines/public-cof/nginx.nix @@ -1,16 +1,32 @@ { ... }: +let + mkCloudLocation = { from, cloudHost }: { + name = "/cal/${from}"; + value = { + extraConfig = '' + proxy_pass https://${cloudHost}/remote.php/dav/public-calendars/; + proxy_set_header Host ${cloudHost}; + ''; + }; + }; + clouds = [ + { from = "klub-reseau"; cloudHost = "nuage.beta.rz.ens.wtf"; } + { from = "eleves-ens"; cloudHost = "cloud.eleves.ens.fr"; } + ]; +in { services.nginx = { enable = true; + resolver = { + addresses = [ "1.1.1.1" ]; + }; + recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; - # # Only allow PFS-enabled ciphers with AES256 - # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - virtualHosts = { "home.beta.rz.ens.wtf" = { serverAliases = [ "beta.rz.ens.wtf" ]; @@ -18,6 +34,7 @@ forceSSL = true; enableACME = true; root = "/var/public-cof/home"; + locations = builtins.listToAttrs (map mkCloudLocation clouds); }; }; }; -- 2.49.0 From bfdfa5a20682d46aadcfb7c949eea96042b302e4 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 6 Mar 2022 20:21:37 +0100 Subject: [PATCH 062/149] core01: rotate drone key, update swap uuid, bump netdata multihost disk space for 30d of metrics --- .../hardware-configuration.nix | 2 +- machines/core-services-01/monitoring.nix | 2 +- .../core-services-01/secrets/droneKeyFile.age | Bin 1578 -> 1639 bytes 3 files changed, 2 insertions(+), 2 deletions(-) 
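Review bot: `mkCloudLocation` proxies to `https://${cloudHost}/...` but nginx neither verifies the upstream certificate nor sends SNI by default (`proxy_ssl_verify` and `proxy_ssl_server_name` both default to off), so the calendars are fetched from whatever host the 1.1.1.1 resolver answer points at, over an unauthenticated TLS connection. Adding `proxy_ssl_server_name on;`, `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` to the `extraConfig` string pins each upstream to its real certificate, and SNI is also required for virtual-hosted upstreams. The `resolver` block sends plain-UDP DNS queries to 1.1.1.1, which is fine for public names, but a comment stating why an external resolver is used instead of the system one would help the next reader.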
diff --git a/machines/core-services-01/hardware-configuration.nix b/machines/core-services-01/hardware-configuration.nix index d4aca08..31131d9 100644 --- a/machines/core-services-01/hardware-configuration.nix +++ b/machines/core-services-01/hardware-configuration.nix @@ -29,7 +29,7 @@ }; swapDevices = - [ { device = "/dev/disk/by-uuid/0fe95042-8197-4969-a549-65565cf70171"; } + [ { device = "/dev/disk/by-uuid/e32235de-f531-48ad-86b1-dc2163be5127"; } ]; } diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 6149d24..fca223d 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -19,7 +19,7 @@ in text = '' [global] page cache size = 32 - dbengine multihost disk space = 8192 + dbengine multihost disk space = 23058 ''; }; 
diff --git a/machines/core-services-01/secrets/droneKeyFile.age b/machines/core-services-01/secrets/droneKeyFile.age index 2c12d704a2edfc6737dc35ad655b01c9961898f5..5797e6e25cf1cd67a72235dd0d2ef6798653a367 100644 GIT binary patch delta 1557 zcmZ3*^PFdbPJLifxu1!Nd3vB>enqaiV~U|uX_=M^MO9{A zR!MHAuVuIamsz%9W@))WsDW>AKw)5Jlu1fpW>R)!lABqTYhjL?xxQa&qI*(-Q>d}y z#E;_PC20ZrQKjDD&Lx(fmElf)0eOL`DOpawm42=!fssWnCfY{j7GjS{np%!=I%a=gPW0wT+^GE>w1E8WX-^9=I2{7VZB@_hX)B7)1q16{(+ zQ!C7kEb?6ZyaV(@4b74~l3XjYiVeMrJaR22pJf!Uce6B$Ob&=L$tx@h%kc{ebTbT% zu!xKZEJ^kE_DK)V%FFhw@{RQLta2;oGDtJjF33zNamw}&(A4J4>a|U zG|ewBD>6;DbPTNuD=#WWkAb4p5Kr%Ng}kW33XjbEVE0U~tl-Ls5|eu0e9Nf(9DP5p zh+^~N6jMI~UvsapVBe%l6E62evjC%zM1z!)^z^vLp@kRp?k%7Q32*D@b3qntz& zmmE_!6Td7c4C^dR!!zB}6`Z}&qWsFuoTHq}T(gVwDuX?eQc@C~Li}^mvNAG@12gsO zQ!R3ReUgfu4Y=G*((|j_lU)i5GINvif{ii?1B_CFv;!=Hs(hUEOALxLvAwN_EM}Eb+?8FiZFK)^_qXHn7M^D|YhCGzbqf z*7q!r%&ssiD)lYM@CY%p@T=GN4D!m#4>dF5^3U+`401H~H_0o^at$?03n)%13GvO% zaf&eWc8to)&nXT!FwTk$vaEEo@C-L_^eOZW%8m%Jh{|#_Pmb`-J?NX;>c zaLu*|%keJ?Gs-e?vdGluaxF;l^0CM)NG%BrF7*wu3^uSx)K1SXbPtX43wH4j^Yqnr zE~xZ2(>8I>Gj}U6D5@`Wc1+E#sxVB9aCQ$hH|0w6FbXcUh%(AZOACt%Dv0oOHa83^ z2L*U^oNjtiYGQG!f<~H~A6G!0zeTB0k#S~~x1X19qM^HEq`#YmlfS+}W>Hjjilc?Q zpKEqlR9;e$No1zKm$5~d;aZ#94qPACFj-O*>c1dPrpsRaE zL3of?d0=6XkFhV;=Lb(4Me;Oyj&>fnar#1zywu%i4vxmQ3qG2i{=+5k`>jqfk5BOL zUBNj;J6tC6srlCDIn0Z{RR3qvrOK6wEb|uiO%eOLR_d&vu5RrP?^h?{PqW<02(-1d zPuX`o?3`8n9sBGrzL_&uFP>${U4MMOX2$)tiJZHvMfFxcthHUmdhyfS#g0>FrrbHh zVa+RFf7ap2ln}nc&UdfnRTNA%ea>N;&twyO^_*8)@I{yUv%->wiS?QqvbQW4MIO5B z-F2eJ@)&2}&E2=9-BS}T2mERIrTC-yhhdZ3e%`p=z^}WQ+*>lYC+e77ekb`>Ew9~! 
zB~$dfKGz40p4IoHx*i^5vA$&X^5o{bS9csbe18&0seXD<+W$Gz@6K;eUM%>%qSxfo mB=rrC7Z_HqXH=ap=D@+S&6fEu#vf|Czr0BLUD11 zZfc5=si~o*LWY@RdXl4pSCVs>ufC;MctK^pw`Zz{i<@>h3mhRy+Dj;T?}MP?x-c^(BtkxoVFmd3`O7FiMbe&N|%*{*KR z!AX(H7OvUBKEdT>>0V}4K~9w^RmDN!ky%Nl`A(7A`oX4_;pUN(;~B-nlU+(JodW~> zT|>&#EZrDuUdTa$Ex^pJf!UH#YNfbPg%WDRRv-tkh0(Do+Y< z@(d2lFeoiBbksIYk8t!V&-4h3C<{;L@=Pkq^-T-TtTZd}ajNu=$Tacyj5O7^aQ9E~ zPc_R4EA-0q)vwI-FfR>7kAb4p5Kr%N1;h06aDNw{$nq-xNbP_Kr{wyqjFbS=9Ak@= zZ1+IF5TgQZL-)Ky%QEvEN3N1U{h)wiV*?)#^U4ap5VyjTBm>W~P>bLS<8=4Tq)^wO zK+DMB5-*b+4C^dR!!zB}6)X*MeJe7{%2PuF6TOndEzB(|k_?L6T}_iB0#f{Q%qtA) z^OGHuO#_YHJh{A0obnvqBSZa-3S2_V@`63nLqm*=3=E?jEz&&=T`Ho?LPC@EjUvMW zl3~6pDo#|$E(&+{3FJz4Eigze^z}|HNOCLBNb=9l%#ScLH_A&%Ee>*yN;LORDf6(% z4NY_QG*1jn&kZRsNiwhWFsM(daPuxJb`K8ba?1#J*EjRYP4x^j4z~0v^DRp*G;nn_ zHZY9J&dw~(3eL-OOL8wQ@-vP!h;p$kk2G@1P72IP%F515D>W+0;xaWW_jB`3FYq)@ zEG$h=burKPPj@dd3w2M*4RH0zaZ1+@bc@hWEVL*nPtNlR$|>;A%c|GcHq9$Bb2Bpw zax~*ANX!Z|$Sloqsq_oZON#O>_w@|(DYVG8)Hh8HH4n`!Ff1-J4vKP4sWgi$33Dw- zDsc-i4am>)_tLM@53@+;N=&INu1JgwHZpRHEKPC?H}-RK@k(<`2~T!2_bW_KG_Oc5 zOxLf>H7l^Jv@o&^^{Y4W@k%x`DR4DN@+t~SHRMWjNzXI$H1bOd2s6&kGzcj(&UVgE z2L*Vtk#2fXYGQG!LZ-fgB9~EcP+6X9Rz{_HkymDNQIShjnZI#zsIj}Ni(htedR1C^ zmWOj*IhU@ku7ZAcsb5}YVse2&g=vyUL`IQ^g>zPDvlUr_{WmK+f zQXto4``ACNXN-8cDrVf!x^`vBltrf>S{GzIR$O|~Zr?hw`?~K+&lqO9WlJT#D_MT9 zDNt(Bd2W$8M>f9wpqy5nebh)}$Nu>*xBc|)K6h&JNr|Aq^{I*8I>yWfn(G+0&i|gK z=2D+}jqxH2>*lvxW*OGAtuT1HVPC-)uZ4w;84@$3c{aY!a&20%STxypRmqK(mU}y6 z432M9n{zLDt&(fplf^GQADD}IIc~kwCT_Qy)e!003v^8R`H4 -- 2.49.0 From 2721ad9b71e63fedc65fc6d31a3deb563292924e Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 6 Mar 2022 20:22:03 +0100 Subject: [PATCH 063/149] public-cof: improve monitoring of system and nextcloud performance --- machines/public-cof/monitoring.nix | 57 ++++++++++++++++++++++++++++-- machines/public-cof/nextcloud.nix | 12 ++++++- 2 files changed, 66 insertions(+), 3 deletions(-) 
diff --git a/machines/public-cof/monitoring.nix b/machines/public-cof/monitoring.nix index 0f4751f..98e4311 100644 --- a/machines/public-cof/monitoring.nix +++ b/machines/public-cof/monitoring.nix @@ -1,5 +1,7 @@ -{ config, ... }: +{ config, lib, pkgs, ... }: { + services.nginx.statusPage = true; + services.netdata = { enable = true; config = { @@ -9,13 +11,64 @@ "accept a streaming request every seconds" = 0; }; }; + python.extraPackages = ps: [ + ps.psycopg2 + ]; }; + systemd.services.netdata.serviceConfig.SupplementaryGroups = [ "nginx" ]; systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [ "stream" + "go.d/phpfpm" + "go.d/nginx" + "python.d/postgres" ]; - + services.postgresql.initialScript = pkgs.writeText "grant-pgmonitor-to-netdata" '' + GRANT pg_monitor TO netdata; + ''; + + services.postgresql.ensureUsers = [ + { name = "netdata"; } + ]; + + environment.etc."netdata/python.d/postgres.conf" = { + user = "netdata"; + group = "netdata"; + mode = "0600"; + text = builtins.toJSON ( + if config.services.postgresql.enable then + { + name = "socket"; + user = "netdata"; + database = "postgres"; + } + else {} + ); + }; + + environment.etc."netdata/go.d/phpfpm.conf" = { + user = "netdata"; + group = "netdata"; + mode = "0600"; + text = builtins.toJSON { + jobs = + map (pool: { name = "local_socket"; inherit (pool) socket; }) + (builtins.attrValues config.services.phpfpm.pools); + }; + }; + + environment.etc."netdata/go.d/nginx.conf" = { + user = "netdata"; + group = "netdata"; + mode = "0600"; + text = builtins.toJSON { + jobs = + if config.services.nginx.statusPage then [ { name = "local"; url = "http://localhost/nginx_status"; } ] + else []; + }; + }; + environment.etc."netdata/stream.conf" = { user = "netdata"; group = "netdata"; diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index eba376b..1dc8e81 100644 --- a/machines/public-cof/nextcloud.nix 
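Review bot: `services.postgresql.initialScript` with `GRANT pg_monitor TO netdata;` only runs when the cluster is first initialised, so on this host, where PostgreSQL already backs Nextcloud, the grant is never applied; on a fresh cluster it runs before `ensureUsers` has created the `netdata` role (as far as I recall the NixOS module's postStart ordering), so it fails there as well. An idempotent grant appended to the service's postStart, e.g. `systemd.services.postgresql.postStart = lib.mkAfter '' ... GRANT pg_monitor TO netdata; ... '';` executed with the cluster's psql, or a small oneshot ordered after `postgresql.service`, would apply it on every start. `pg_monitor` lets the netdata role read statistics and query texts across all databases, so a comment next to the grant stating that this is intended for the monitoring role is worth adding.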
+++ b/machines/public-cof/nextcloud.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, lib, ... }: { services.nextcloud = { enable = true; @@ -16,6 +16,15 @@ defaultPhoneRegion = "FR"; }; + + poolSettings = { + pm = "dynamic"; + "pm.max_children" = 100; + "pm.start_servers" = 16; + "pm.min_spare_servers" = 8; + "pm.max_spare_servers" = 16; + "pm.status_path" = "/status"; + }; }; services.nginx = { @@ -23,6 +32,7 @@ "nuage.beta.rz.ens.wtf" = { forceSSL = true; enableACME = true; + http2 = true; }; }; }; -- 2.49.0 From 4355c00f8e53ca66dc435db38bac372eae51ca7e Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 6 Mar 2022 20:22:09 +0100 Subject: [PATCH 064/149] ci: test public-cof configuration --- .drone.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.drone.yml b/.drone.yml index 5bb8ea0..8c45562 100644 --- a/.drone.yml +++ b/.drone.yml @@ -19,5 +19,9 @@ steps: commands: - "export NIX_PATH=nixpkgs=/var/nixpkgs" - "echo Building remote-builder-01 && nix-build krops.nix -A test-remote-builder-01 && ./result" +- name: Build public-cof configuration + commands: + - "export NIX_PATH=nixpkgs=/var/nixpkgs" + - "echo Building public-cof && nix-build krops.nix -A test-public-cof && ./result" ... -- 2.49.0 From bacdad33d3bc94979471edcbbcced2eb3401343a Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 8 Mar 2022 19:47:32 +0100 Subject: [PATCH 065/149] public-cof: improve monitoring of postgresql --- machines/public-cof/monitoring.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/machines/public-cof/monitoring.nix b/machines/public-cof/monitoring.nix index 98e4311..0096d70 100644 --- a/machines/public-cof/monitoring.nix +++ b/machines/public-cof/monitoring.nix 
@@ -24,6 +24,12 @@ "python.d/postgres" ]; + services.postgresql.settings = { + shared_preload_libraries = "pg_stat_statements"; + track_activity_query_size = 2048; + "pg_stat_statements.track" = "all"; + }; + services.postgresql.initialScript = pkgs.writeText "grant-pgmonitor-to-netdata" '' GRANT pg_monitor TO netdata; ''; -- 2.49.0 From e472173bad105ccf960b8f0caa2df2a02c0bb2d3 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Tue, 29 Mar 2022 23:59:59 +0000 Subject: [PATCH 066/149] Update MC server --- machines/public-cof/minecraft.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 5a2f9a4..34bb7f3 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -2,9 +2,9 @@ let papermc = { ram = 4; # In GB - version = "1.17.1"; - build = 189; - sha256 = "06g2vs8z7k9bl8asjgdz9h8fkd93xam2lbrgmzgamwjp94gvfvrn"; + version = "1.18.2"; + build = 270; + sha256 = "M3/z7lgHVDG+WqxPvyrxvfobEvkkPf90bDoN/Dq+VZY="; }; port = 25565; rconPort = 25575; -- 2.49.0 From dcc0085c41ad0f3d76be0f3d21d57842c4923c70 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 29 Mar 2022 23:04:17 +0200 Subject: [PATCH 067/149] public-cof: add framagenda.org --- machines/public-cof/nginx.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/nginx.nix b/machines/public-cof/nginx.nix index be7ef3b..9f62800 100644 --- a/machines/public-cof/nginx.nix +++ b/machines/public-cof/nginx.nix @@ -12,6 +12,7 @@ let clouds = [ { from = "klub-reseau"; cloudHost = "nuage.beta.rz.ens.wtf"; } { from = "eleves-ens"; cloudHost = "cloud.eleves.ens.fr"; } + { from = "frama-agenda"; cloudHost = "framagenda.org"; } ]; in { -- 2.49.0 From ab9d022b330ba4cdce04a23620d65172485a7c70 Mon Sep 17 00:00:00 2001 
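Review bot: `"pg_stat_statements.track" = "all"` records the text of every statement, including nested ones, and with `GRANT pg_monitor TO netdata` (in the context below) the netdata role can read those texts, so literals from Nextcloud queries become visible to the monitoring role; probably acceptable, but state it in a comment such as `# pg_monitor (netdata) can read the query texts collected here`. The extension also needs `CREATE EXTENSION pg_stat_statements;` in a database before its view can be queried, and nothing in this commit does that, so the collector may find no view unless it is created out of band. `shared_preload_libraries` is set as a plain string, which produces an eval-time conflict with any other module that also sets it; a comment noting that nothing else sets it, or building the value with `lib.concatStringsSep ","` from a list, avoids that surprise.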
From: gabriel-doriath-dohler Date: Thu, 7 Apr 2022 23:59:59 +0000 Subject: [PATCH 068/149] Add Cst1 to MC whitelist --- machines/public-cof/minecraft.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 34bb7f3..765adad 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -39,6 +39,7 @@ in gabriel_dr_dl = "53fced49-da51-4c82-b1d0-37168029db08"; aimie_dodo = "d10be020-a612-47e5-b0d0-938b9a7eb58e"; RaitoMezarius = "a400686e-0f62-43d5-b5c6-4295babcc008"; + Sup3Legacy = "575ecb9f-bf28-46cb-bc50-cb6bb340c905"; }; serverProperties = { -- 2.49.0 From 6a3af7d165b8c4551de25703ed3eacd32f7c5e3d Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Wed, 13 Apr 2022 23:59:59 +0000 Subject: [PATCH 069/149] Add Pollux to MC whitelist --- machines/public-cof/minecraft.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 765adad..5666170 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -40,6 +40,7 @@ in aimie_dodo = "d10be020-a612-47e5-b0d0-938b9a7eb58e"; RaitoMezarius = "a400686e-0f62-43d5-b5c6-4295babcc008"; Sup3Legacy = "575ecb9f-bf28-46cb-bc50-cb6bb340c905"; + Pollux3737 = "ffa65818-b022-4830-aa90-7f3211c8ee3d"; }; serverProperties = { -- 2.49.0 From df2b7e819d8553cefc3b6af9fd18bd84e656cca2 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 7 Apr 2022 23:02:58 +0200 Subject: [PATCH 070/149] =?UTF-8?q?public-cof:=20upgrade=20nextcloud=20(21?= =?UTF-8?q?=20=E2=86=92=2022)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/public-cof/nextcloud.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 1dc8e81..99e6e17 100644 --- a/machines/public-cof/nextcloud.nix 
+++ b/machines/public-cof/nextcloud.nix @@ -1,10 +1,12 @@ -{ config, lib, ... }: +{ pkgs, config, lib, ... }: { services.nextcloud = { enable = true; hostName = "nuage.beta.rz.ens.wtf"; https = true; + package = pkgs.nextcloud22; + config = { overwriteProtocol = "https"; -- 2.49.0 From 544df15eb15926057548a104389b687266da38c2 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Wed, 11 May 2022 23:59:59 +0000 Subject: [PATCH 071/149] Enable command blocks in the minecraft server --- machines/public-cof/minecraft.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 5666170..6961d5d 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -62,7 +62,7 @@ in spawn-npcs = true; generate-structures = true; - enable-command-block = false; + enable-command-block = true; # Whitelist white-list = true; -- 2.49.0 From 5f2a5ff7826f23954e29a4f5f8e6780f8c82afde Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 14 May 2022 20:21:12 +0200 Subject: [PATCH 072/149] core01: generalize monitoring, open up a wgmon for external nodes --- machines/core-services-01/monitoring.nix | 68 ++++++++++++++++++------ 1 file changed, 51 insertions(+), 17 deletions(-) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index fca223d..5013b2c 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix 
@@ -1,11 +1,48 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let my = config.my; realm = "ClubReseau"; + mkChildNode = { uuid, allowFrom }: { ... }@options: '' + [${uuid}] + enabled = yes + default history = 10000 + default memory mode = dbengine + health enabled by default = auto + allow from = ${allowFrom} + ''; + testClusterHypervisors = lib.attrValues { + pve01 = { + uuid = "ff9a34ec-2bf4-4389-a01a-6e242424e675"; + allowFrom = "fd85:27e8:0fc9::2"; + }; + pve02 = { + uuid = "ed393d76-e325-48c4-be90-3d7a1d3066ee"; + allowFrom = "fd85:27e8:0fc9::3"; + }; + pve03 = { + uuid = "abeeab1f-d4f4-4ca7-aabb-54ff28031f82"; + allowFrom = "fd85:27e8:0fc9::4"; + }; + pve04 = { + uuid = "ee0f7cec-86f8-4fa2-8258-f7bf4172eb4b"; + allowFrom = "fd85:27e8:0fc9::5"; + }; + }; in { services.netdata.enable = true; + networking.interfaces.wireguard.wgmon = { + ips = [ "fd85:27e8:0fc9::1/48" ]; + + listenPort = 51820; + + privateKeyFile = "/etc/secrets/wgmon"; + generatePrivateKeyFile = true; + + peers = []; + }; + systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [ "netdata" "stream" 
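Review bot: `networking.interfaces.wireguard.wgmon` is not the WireGuard option path — `networking.interfaces.<name>` only carries plain-interface options (`useDHCP`, `ipv4.addresses`, as used for ens19 elsewhere in this series), so `wgmon`, `listenPort` and `privateKeyFile` under it should fail evaluation as undefined options; the WireGuard module lives at `networking.wireguard.interfaces.wgmon`. `mkChildNode` takes a second `{ ... }@options` argument that is never read; drop it or document what it is meant to carry. The private key is generated at `/etc/secrets/wgmon`, so a short comment saying the file is host-local and never committed would make the intent clear.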
@@ -27,22 +64,19 @@ in user = "netdata"; group = "netdata"; mode = "0600"; - text = '' - # pve01 hypervisor - [e245097d-bf52-4f66-9c10-984e8d5ee178] - enabled = yes - default history = 10000 - default memory mode = dbengine - health enabled by default = auto - allow from = 10.1.1.10 - # public-cof server - [c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe] - enabled = yes - default history = 10000 - default memory mode = dbengine - health enabled by default = auto - allow from = 10.1.1.21 - ''; + text = (concatMapStrings map (cfg: mkChildNode cfg {}) + [ + # PVE01 hypervisor + { + uuid = "e245097d-bf52-4f66-9c10-984e8d5ee178"; + allowFrom = "10.1.1.10"; + } + # Public COF server + { + uuid = "c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe"; + allowFrom = "10.1.1.21"; + } + ]; ++ testClusterHypervisors; }; environment.etc."netdata/health_alarm_notify.conf" = { -- 2.49.0 From f842b30e0559b9639434adc9b2a6fa912879d337 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 15 May 2022 00:08:46 +0200 Subject: [PATCH 073/149] core01: allow *, unfirewall wgmon --- machines/core-services-01/monitoring.nix | 54 +++++++++++++++--------- 1 file changed, 35 insertions(+), 19 deletions(-) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 5013b2c..f9812f9 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix 
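Review bot: The new `text = (concatMapStrings map (cfg: mkChildNode cfg {}) [ ... ]; ++ testClusterHypervisors;` does not parse: there is a `;` inside an open parenthesis, the parenthesis is never closed, `concatMapStrings` is unqualified (it lives in `lib`), and `map` is passed to it as a value. The intended expression is `text = lib.concatMapStrings (cfg: mkChildNode cfg {}) ([ … ] ++ testClusterHypervisors);` with the two inline child entries inside the list. The `test-core-services-01` build in `.drone.yml` should have caught this, so it is worth checking that CI actually gates merges.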
@@ -13,26 +13,35 @@ let testClusterHypervisors = lib.attrValues { pve01 = { uuid = "ff9a34ec-2bf4-4389-a01a-6e242424e675"; - allowFrom = "fd85:27e8:0fc9::2"; + allowFrom = "*"; + # allowFrom = "fd85:27e8:0fc9::2"; }; pve02 = { uuid = "ed393d76-e325-48c4-be90-3d7a1d3066ee"; - allowFrom = "fd85:27e8:0fc9::3"; + allowFrom = "*"; + # allowFrom = "fd85:27e8:0fc9::3"; }; pve03 = { uuid = "abeeab1f-d4f4-4ca7-aabb-54ff28031f82"; - allowFrom = "fd85:27e8:0fc9::4"; + allowFrom = "*"; + # allowFrom = "fd85:27e8:0fc9::4"; }; pve04 = { uuid = "ee0f7cec-86f8-4fa2-8258-f7bf4172eb4b"; - allowFrom = "fd85:27e8:0fc9::5"; + allowFrom = "*"; + # allowFrom = "fd85:27e8:0fc9::5"; }; }; in { services.netdata.enable = true; - networking.interfaces.wireguard.wgmon = { + # Allow WireGuard VPN + networking.firewall.allowedUDPPorts = [ 51820 ]; + # Allow access to the raw netdata + networking.firewall.interfaces.wgmon.allowedUDPPorts = [ 19999 ]; + networking.firewall.interfaces.wgmon.allowedTCPPorts = [ 19999 ]; + networking.wireguard.interfaces.wgmon = { ips = [ "fd85:27e8:0fc9::1/48" ]; listenPort = 51820; @@ -40,7 +49,14 @@ in privateKeyFile = "/etc/secrets/wgmon"; generatePrivateKeyFile = true; - peers = []; + peers = [ + { publicKey = "6IHA4e+UcCSx9+e5BZwLvzeZv5RWwqO1CCLJedN2nU4="; allowedIPs = [ "fd85:27e8:fc9::2/128" ]; } + { publicKey = "xRdfylDpi8c+BRwDCxenRs6i4XWesdd75keWfKItZFo="; allowedIPs = [ "fd85:27e8:fc9::3/128" ]; } + { publicKey = "rjodopHTEyD+DyDsNp8xyNC0KeZGH462Ls495NXT1VI="; allowedIPs = [ "fd85:27e8:fc9::4/128" ];} + { publicKey = "IJRsrhzCRAHpaEHLZRNdPuDp25FXzuAm+CGmZDsRThk="; allowedIPs = [ "fd85:27e8:fc9::5/128" ]; } + { publicKey = "oYsN1Qy+a7dwVOKapN5s5KJOmhSflLHZqh+GLMeNpHw="; allowedIPs = [ "fd85:27e8:fc9::6/128" ]; } + # { publicKey = ""; allowedIPs = [ "fd85:27e8:fc9::7/128" ]; } + ]; }; systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [ 
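Review bot: Switching every hypervisor entry to `allowFrom = "*"` removes the per-child source check, so any WireGuard peer that knows a child's UUID (the stream key, in clear text in this file) can push metrics under that node's identity. Netdata's `allow from` is a pattern match on the address string as netdata renders it, so the commented-out `fd85:27e8:0fc9::N` values likely failed only because of the leading zero — the peers' `allowedIPs` in the same hunk already use the canonical `fd85:27e8:fc9::N` form, and using that form (or `fd85:27e8:fc9:*`) should restore the restriction. `networking.firewall.interfaces.wgmon.allowedUDPPorts = [ 19999 ]` is unnecessary for netdata, which listens on TCP; dropping it keeps the opened surface minimal.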
@@ -64,19 +80,19 @@ in user = "netdata"; group = "netdata"; mode = "0600"; - text = (concatMapStrings map (cfg: mkChildNode cfg {}) - [ - # PVE01 hypervisor - { - uuid = "e245097d-bf52-4f66-9c10-984e8d5ee178"; - allowFrom = "10.1.1.10"; - } - # Public COF server - { - uuid = "c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe"; - allowFrom = "10.1.1.21"; - } - ]; ++ testClusterHypervisors; + text = (lib.concatMapStringsSep "\n" (cfg: mkChildNode cfg {}) + ([ + # PVE01 hypervisor + { + uuid = "e245097d-bf52-4f66-9c10-984e8d5ee178"; + allowFrom = "10.1.1.10"; + } + # Public COF server + { + uuid = "c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe"; + allowFrom = "10.1.1.21"; + } + ] ++ testClusterHypervisors)); }; environment.etc."netdata/health_alarm_notify.conf" = { -- 2.49.0 From 57b5c931d1e5b7c2ef224ff18e060fda50d44d59 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sat, 21 May 2022 23:59:59 +0000 Subject: [PATCH 074/149] Add CiterinRemy to MC whitelist --- machines/public-cof/minecraft.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 6961d5d..c56701f 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -41,6 +41,7 @@ in RaitoMezarius = "a400686e-0f62-43d5-b5c6-4295babcc008"; Sup3Legacy = "575ecb9f-bf28-46cb-bc50-cb6bb340c905"; Pollux3737 = "ffa65818-b022-4830-aa90-7f3211c8ee3d"; + CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849"; }; serverProperties = { -- 2.49.0 From 6f5fdb0317db7ad5df3258a1114ba5c1deadb29f Mon Sep 17 00:00:00 2001 
From: Ryan Lahfa Date: Sun, 26 Jun 2022 23:48:43 +0200 Subject: [PATCH 075/149] Headscale support (upgrade to latest nixpkgs) (#9) This adds Headscale support. It provides also an upgrade to Keycloak 18.0.0 (Quarkus distribution). It upgrades NextCloud from 22 to 23. Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/9 Co-authored-by: Ryan Lahfa Co-committed-by: Ryan Lahfa --- krops.nix | 2 +- machines/core-services-01/acme-ssl.nix | 4 +- machines/core-services-01/configuration.nix | 1 + machines/core-services-01/drone-runners.nix | 2 +- .../fix-crc-computation.patch | 51 +++++++++++++++++++ machines/core-services-01/headscale.nix | 8 +++ machines/core-services-01/keycloak.nix | 31 ++++++----- .../keycloak/keycloak-protocol-cas.nix | 26 ++++++++++ machines/core-services-01/monitoring.nix | 2 +- machines/core-services-01/subZone.nix | 1 + machines/public-cof/configuration.nix | 2 +- machines/public-cof/nextcloud.nix | 2 +- 12 files changed, 113 insertions(+), 19 deletions(-) create mode 100644 machines/core-services-01/fix-crc-computation.patch create mode 100644 machines/core-services-01/headscale.nix create mode 100644 machines/core-services-01/keycloak/keycloak-protocol-cas.nix diff --git a/krops.nix b/krops.nix index 01ee420..770fcff 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "e96c668072d7c98ddf2062f6d2b37f84909a572b"; # nixos-22.05 + ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable url = "https://github.com/NixOS/nixpkgs"; }; }]; diff --git a/machines/core-services-01/acme-ssl.nix b/machines/core-services-01/acme-ssl.nix index 2403cd6..f111e17 100644 --- a/machines/core-services-01/acme-ssl.nix +++ b/machines/core-services-01/acme-ssl.nix 
@@ -5,9 +5,9 @@ let in { security.acme.acceptTerms = true; - security.acme.email = my.email; + security.acme.defaults.email = my.email; - security.acme.server = + security.acme.defaults.server = if my.acmeStaging then "https://acme-staging-v02.api.letsencrypt.org/directory" else null; diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index f5ae683..8af8554 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -19,6 +19,7 @@ ./keycloak.nix ./acme-dns.nix ./backups.nix + ./headscale.nix # ./dex.nix ./oauth2_proxy.nix ./secrets diff --git a/machines/core-services-01/drone-runners.nix b/machines/core-services-01/drone-runners.nix index 6793e4b..36ecbdd 100644 --- a/machines/core-services-01/drone-runners.nix +++ b/machines/core-services-01/drone-runners.nix @@ -14,5 +14,5 @@ in envFile = config.age.secrets.droneKeyFile.path; }; - systemd.services."drone-exec-runner-nix01".after = [ "gitea" ]; + systemd.services."drone-exec-runner-nix01".after = [ "gitea.service" ]; } diff --git a/machines/core-services-01/fix-crc-computation.patch b/machines/core-services-01/fix-crc-computation.patch new file mode 100644 index 0000000..85a6a7e --- /dev/null +++ b/machines/core-services-01/fix-crc-computation.patch 
@@ -0,0 +1,51 @@ +From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Wed, 30 Mar 2022 11:14:53 -0700 +Subject: [PATCH] Correct incorrect inputs provided to the CRC functions. + +The previous releases of zlib were not sensitive to incorrect CRC +inputs with bits set above the low 32. This commit restores that +behavior, so that applications with such bugs will continue to +operate as before. +--- + crc32.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/crc32.c b/crc32.c +index a1bdce5c2..451887bc7 100644 +--- a/crc32.c ++++ b/crc32.c +@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) + #endif /* DYNAMIC_CRC_TABLE */ + + /* Pre-condition the CRC */ +- crc ^= 0xffffffff; ++ crc = (~crc) & 0xffffffff; + + /* Compute the CRC up to a word boundary. */ + while (len && ((z_size_t)buf & 7) != 0) { +@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) + #endif /* DYNAMIC_CRC_TABLE */ + + /* Pre-condition the CRC */ +- crc ^= 0xffffffff; ++ crc = (~crc) & 0xffffffff; + + #ifdef W + +@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2) + #ifdef DYNAMIC_CRC_TABLE + once(&made, make_crc_table); + #endif /* DYNAMIC_CRC_TABLE */ +- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2; ++ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff); + } + + /* ========================================================================= */ +@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op) + uLong crc2; + uLong op; + { +- return multmodp(op, crc1) ^ crc2; ++ return multmodp(op, crc1) ^ (crc2 & 0xffffffff); + } diff --git a/machines/core-services-01/headscale.nix b/machines/core-services-01/headscale.nix new file mode 100644 index 0000000..e44b48a --- /dev/null +++ b/machines/core-services-01/headscale.nix 
@@ -0,0 +1,8 @@ +{ ... }: +{ + services.headscale = { + enable = true; + serverUrl = "https://tailscale.rz.ens.wtf"; + tls.letsencrypt.hostname = "tailscale.rz.ens.wtf"; + }; +} diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index 6f34b25..e7d48e5 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix @@ -1,26 +1,33 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let my = config.my; port = 8080; + keycloak-protocol-cas = pkgs.callPackage ./keycloak/keycloak-protocol-cas.nix {}; + domain = "auth.${my.subZone}"; + certs = config.security.acme.certs."${domain}".directory; in { services.keycloak = { enable = true; - package = pkgs.keycloak.override { - jre = pkgs.jre8; - }; initialAdminPassword = "changemeasap"; - database.createLocally = true; - database.passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path; - frontendUrl = "https://auth.${my.subZone}/auth/"; - forceBackendUrlToFrontendUrl = true; - httpPort = toString port; - extraConfig = { - "subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true; + plugins = [ pkgs.keycloak.plugins.keycloak-metrics-spi keycloak-protocol-cas ]; + database = { + type = "postgresql"; + username = "keycloak"; + name = "keycloak"; + createLocally = true; + passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}"; + }; + settings = { + hostname-strict-backchannel = true; + http-port = port; + proxy = "edge"; + http-relative-path = "/auth"; + hostname = domain; }; }; - services.nginx.virtualHosts."auth.${my.subZone}" = { + services.nginx.virtualHosts."${domain}" = { forceSSL = true; enableACME = true; locations."/" = { diff --git a/machines/core-services-01/keycloak/keycloak-protocol-cas.nix b/machines/core-services-01/keycloak/keycloak-protocol-cas.nix new file mode 100644 index 0000000..1783749 --- /dev/null 
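Review bot: `services.headscale` is given `tls.letsencrypt.hostname` but nothing sets its listen address or opens a firewall port, and the NixOS module's `address` defaults to loopback as far as I know, so headscale's own ACME listener and TLS endpoint would not be reachable at `tailscale.rz.ens.wtf` (the host's firewall configuration is outside this hunk, so confirm it). This host already terminates TLS in nginx with `enableACME` (see the keycloak vhost in the same commit), so the consistent shape is an nginx `virtualHosts."tailscale.rz.ens.wtf"` with `forceSSL`/`enableACME` proxying to headscale on loopback, leaving `tls.letsencrypt` unset. A comment recording which of the two models is intended would help whoever debugs the first client registration.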
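Review bot: `proxy = "edge"` makes Keycloak trust the `X-Forwarded-*` headers it receives, and no `http-host` is set, so if port 8080 is reachable from anything other than the local nginx a client could spoof its scheme and host; since nginx proxies to `127.0.0.1:8080`, binding Keycloak there with `http-host = "127.0.0.1";` closes that regardless of firewall state (not visible in this hunk). `certs` is bound in the `let` but not referenced anywhere in the visible hunk, and `passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}"` wraps a single path in an interpolation and can be the bare expression. `initialAdminPassword = "changemeasap"` is context rather than new, but it stays in git; since the option is consumed only on first start, a comment confirming the admin password has been rotated is worth adding.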
+++ b/machines/core-services-01/keycloak/keycloak-protocol-cas.nix @@ -0,0 +1,26 @@ +{ stdenv, lib, fetchurl }: + +stdenv.mkDerivation rec { + pname = "keycloak-protocol-cas"; + version = "18.0.0"; + + src = fetchurl { + url = "https://github.com/jacekkow/keycloak-protocol-cas/releases/download/${version}/keycloak-protocol-cas-${version}.jar"; + sha256 = "sha256-N+IJqD7oQ4T4MI8klt96kfHwFnPJy5l8MK6bq62nBrM="; + }; + + dontUnpack = true; + dontBuild = true; + + installPhase = '' + mkdir -p $out + install "$src" "$out" + ''; + + meta = with lib; { + homepage = "https://github.com/jacekkow/keycloak-protocol-cas"; + description = "Keycloak Service Provider that adds CAS as an authentication protocol"; + license = licenses.apsl20; + maintainers = with maintainers; [ raitobezarius ]; + }; +} diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index f9812f9..47b7953 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -65,7 +65,7 @@ in "health_alarm_notify" ]; - environment.etc."netdata/netdata.conf" = { + environment.etc."netdata/netdata.conf" = lib.mkForce { user = "netdata"; group = "netdata"; mode = "0600"; diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 08db8c1..2738afe 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -37,6 +37,7 @@ dualstack // { monitoring = dualstack; auth = dualstack; push = dualstack; + tailscale = dualstack; core01 = dualstack; ns1 = dualstack; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index ef33c32..b47cf2c 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -14,7 +14,7 @@ ./nur.nix # ./factorio.nix # TODO ./nginx.nix - ./cryptpad.nix + # ./cryptpad.nix ./hedgedoc.nix ./secrets # TODO monitoring 
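Review bot: `license = licenses.apsl20` is the Apple Public Source License; keycloak-protocol-cas is published under Apache-2.0 as far as I know, for which the nixpkgs identifier is `licenses.asl20` — please verify against the upstream repository. `install "$src" "$out"` copies the jar under its store-hashed basename and with install's default executable mode; `install -Dm644 "$src" "$out/${pname}-${version}.jar"` gives a predictable name and a non-executable file. The fixed SRI hash pins the jar, which is the right thing for code loaded into the identity provider.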
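Review bot: `lib.mkForce` on `environment.etc."netdata/netdata.conf"` discards whatever the netdata module now defines for that file after the nixpkgs bump, without saying which definition is overridden or why. A comment naming the conflict, or moving the hand-written settings into `services.netdata.config` (already used on public-cof in this series) so the module generates the file, would be clearer than a silent override. The rest of the netdata.conf text is outside this hunk, so I cannot tell whether `config` would cover everything it sets.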
diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 99e6e17..b243afb 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,7 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud22; + package = pkgs.nextcloud23; config = { overwriteProtocol = "https"; -- 2.49.0 From 9d3381cafba64d1e102211997111cd517481e716 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Aug 2022 16:34:22 +0200 Subject: [PATCH 076/149] oauth2_proxy: add a cookie specific to *.rz.ens.wtf --- machines/core-services-01/monitoring.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 47b7953..b0872cd 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -117,6 +117,10 @@ in keyFile = config.age.secrets.oauth2ProxyKeyFile.path; provider = "keycloak"; email.domains = [ "*" ]; + cookie = { + name = "_oauth2_proxy_ensrz"; + domain = ".rz.ens.wtf"; + }; setXauthrequest = true; scope = "profile"; loginURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/auth"; -- 2.49.0 From be6e81ad46af088bde935e5e9aa282690ce4cf2d Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Aug 2022 17:52:21 +0200 Subject: [PATCH 077/149] monitoring: fix authentication via oauth2_proxy by moving to Keycloak-OIDC + many proxy buffer hacks --- machines/core-services-01/keycloak.nix | 7 +++++++ machines/core-services-01/monitoring.nix | 25 +++++++++++++++++------- 2 files changed, 25 insertions(+), 7 deletions(-) diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index e7d48e5..7bf36d0 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix 
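Review bot: `cookie.domain = ".rz.ens.wtf"` sends the oauth2_proxy session cookie to every host under the zone, including services that are not behind oauth2_proxy (Gitea, Keycloak and the public-cof vhosts in this series), so any of them — or an XSS in them — receives it and can replay it. That is the usual trade-off for a single-sign-on cookie across subdomains, but it should be stated next to the setting, e.g. `# Session cookie is shared across *.rz.ens.wtf; every vhost in the zone receives it`, and the set of hosts in that zone kept deliberately small. The `cookie.secure`/`httpOnly` defaults are not overridden here as far as I can see, which is the right choice.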
@@ -32,6 +32,13 @@ in enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; + + extraConfig = '' + # For large authentication-authorization headers + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + ''; }; }; } diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index b0872cd..3aa17e9 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -115,22 +115,25 @@ in services.oauth2_proxy = { enable = true; keyFile = config.age.secrets.oauth2ProxyKeyFile.path; - provider = "keycloak"; + provider = "keycloak-oidc"; email.domains = [ "*" ]; cookie = { name = "_oauth2_proxy_ensrz"; domain = ".rz.ens.wtf"; }; setXauthrequest = true; - scope = "profile"; - loginURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/auth"; - redeemURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/token"; - profileURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo"; - validateURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo"; + scope = "openid"; redirectURL = "https://monitoring.${my.subZone}/oauth2/callback"; reverseProxy = true; passHostHeader = true; + extraConfig = { + whitelist-domain = [ ".rz.ens.wtf" ]; + oidc-issuer-url = "https://auth.${my.subZone}/auth/realms/${realm}"; + # insecure-oidc-allow-unverified-email = true; + show-debug-on-error = true; + }; + nginx = { virtualHosts = [ "monitoring.${my.subZone}" ]; }; @@ -143,7 +146,15 @@ in enableACME = true; forceSSL = true; - locations."/".proxyPass = "http://localhost:19999"; + locations."/" = { + proxyPass = "http://localhost:19999"; + extraConfig = '' + # For large authentication-authorization headers + proxy_buffer_size 256k; + proxy_buffers 4 512k; + proxy_busy_buffers_size 512k; + ''; + }; }; }; -- 2.49.0 
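Review bot: `show-debug-on-error = true` in the new `extraConfig` of monitoring.nix makes oauth2_proxy render detailed error information to whoever triggers an error page, which upstream documents as a debugging aid rather than a production setting; once the keycloak-oidc migration is confirmed working it should be dropped, or at least marked `# TODO: remove after the keycloak-oidc migration is verified`. `whitelist-domain = [ ".rz.ens.wtf" ]` also lets the post-login `rd` redirect target any host under that suffix, which is only safe in combination with the equally wide cookie domain set above it, so the two should be reviewed together. The nginx `proxy_buffer_size`/`proxy_buffers` additions in keycloak.nix are reasonable for large OIDC responses, but a comment explaining which error (`upstream sent too big header`) prompted them would keep them from being trimmed later. The `services.oauth2_proxy` attribute set begins before this hunk.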
From 6b994c8591fd5a3298061899003226ff18c5b2e6 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Aug 2022 17:52:28 +0200 Subject: [PATCH 078/149] gitea: log only from WARN and up --- machines/core-services-01/gitea.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/machines/core-services-01/gitea.nix b/machines/core-services-01/gitea.nix index 9835ac1..ddfcbae 100644 --- a/machines/core-services-01/gitea.nix +++ b/machines/core-services-01/gitea.nix @@ -14,6 +14,9 @@ in httpPort = port; database.type = "postgres"; disableRegistration = false; + log = { + level = "Warn"; + }; settings = { openid = { ENABLE_OPENID_SIGNUP = true; -- 2.49.0 From 506e09994516c55a0910be5e994954f51187a1c9 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Aug 2022 18:52:06 +0200 Subject: [PATCH 079/149] monitoring: move to tiered dbengine with netdata nightly --- machines/core-services-01/monitoring.nix | 35 +++++++++++++++++++----- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 3aa17e9..2a8ac5f 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -34,7 +34,19 @@ let }; in { - services.netdata.enable = true; + services.netdata = { + enable = true; + package = pkgs.netdata.overrideAttrs (old: { + version = "1.35.0-nightly"; + src = pkgs.fetchFromGitHub { + owner = "netdata"; + repo = "netdata"; + rev = "955d1a7c61f4eab802648d563f84d978ebeb8fc4"; + sha256 = "sha256-gN44Df+k384NummsHls2JY1CinBaFK3cpdmmdZMbA44="; + fetchSubmodules = true; + }; + }); + }; # Allow WireGuard VPN networking.firewall.allowedUDPPorts = [ 51820 ]; 
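Review bot: Raising `log.level` to `"Warn"` in gitea.nix also drops Info-level lines, and on at least some Gitea versions the failed-authentication messages that fail2ban-style detection keys on are emitted at Info rather than Warn; verify on the deployed version that `Failed authentication attempt` entries still appear before relying on the logs for brute-force detection, and consider quieting only the noisy router/access loggers (`DISABLE_ROUTER_LOG` or `ROUTER_LOG_LEVEL` under `settings.log`) instead of the main logger. A short comment such as `# Warn still includes failed-login events on this Gitea version (checked)` would record that check. The netdata override in monitoring.nix that follows is properly pinned by rev and sha256, but its `version = "1.35.0-nightly"` label no longer matches any release, so a comment naming why the nightly is required (the tiered dbengine) would help whoever bumps it back to a release.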
@@ -70,9 +82,18 @@ in group = "netdata"; mode = "0600"; text = '' - [global] - page cache size = 32 - dbengine multihost disk space = 23058 + [db] + mode = dbengine + storage tiers = 3 + update every = 1 + dbengine multihost disk space MB = 23000 + dbengine page cache size MB = 384 + dbengine tier 1 update every iterations = 60 + dbengine tier 1 multihost disk space MB = 10000 + dbengine tier 1 page cache size MB = 384 + dbengine tier 2 update every iterations = 3600 + dbengine tier 2 multihost disk space MB = 5000 + dbengine tier 2 page cache size MB = 384 ''; }; @@ -150,9 +171,9 @@ in proxyPass = "http://localhost:19999"; extraConfig = '' # For large authentication-authorization headers - proxy_buffer_size 256k; - proxy_buffers 4 512k; - proxy_busy_buffers_size 512k; + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; ''; }; }; -- 2.49.0 From ac0b6ef15b5ac440fdc10af9694869e8e77ed944 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sun, 14 Aug 2022 22:25:34 +0200 Subject: [PATCH 080/149] Update networking interface --- machines/remote-builder-01/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 1c6245b..6f4803c 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -26,7 +26,7 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.ens18.useDHCP = true; + networking.interfaces.ens19.useDHCP = true; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; -- 2.49.0 From 5170bdff650e329d808cd4012f241f2bb292b9f7 Mon Sep 17 00:00:00 2001 
From: gabriel-doriath-dohler Date: Sun, 14 Aug 2022 22:27:15 +0200 Subject: [PATCH 081/149] Cleanups --- machines/remote-builder-01/configuration.nix | 14 ++++----- machines/remote-builder-01/programs.nix | 24 --------------- machines/remote-builder-01/system.nix | 13 +------- machines/remote-builder-01/vim.nix | 31 -------------------- 4 files changed, 8 insertions(+), 74 deletions(-) delete mode 100644 machines/remote-builder-01/programs.nix delete mode 100644 machines/remote-builder-01/vim.nix diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 6f4803c..63a078d 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -1,13 +1,11 @@ { config, pkgs, ... }: { - imports = - [ - ./hardware-configuration.nix - ./programs.nix - ./system.nix - # TODO monitoring - ]; + imports = [ + ./hardware-configuration.nix + ./system.nix + # TODO monitoring + ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; @@ -54,6 +52,8 @@ enableSSHSupport = true; }; + programs.mosh.enable = true; + # List services that you want to enable: services.zfs.autoScrub.enable = true; diff --git a/machines/remote-builder-01/programs.nix b/machines/remote-builder-01/programs.nix deleted file mode 100644 index e7e4afc..0000000 --- a/machines/remote-builder-01/programs.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ pkgs, ... }: -let pkgsList = with pkgs; [ - nix-prefetch-git - dnsutils - - unzip - zip - ripgrep - - niv - nixfmt - ]; -in -{ - imports = [ - ./vim.nix - ]; - programs = { - tmux.enable = true; - mosh.enable = true; - }; - - environment.systemPackages = pkgsList; -} diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix index f2c68d1..dc2362e 100644 --- a/machines/remote-builder-01/system.nix +++ b/machines/remote-builder-01/system.nix 
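Review bot: `programs.mosh.enable = true;` added to remote-builder-01/configuration.nix is, as far as I recall of the NixOS module at this point in time, also a firewall change: the module opens UDP 60000–61000 unconditionally (later releases gained an `openFirewall` toggle), so an internet-reachable builder whose firewall otherwise only exposes sshd now accepts unsolicited UDP on a 1000-port range. Mosh sessions are keyed over the initial SSH connection, so the exposure is limited to mosh-server's UDP parser, but it deserves to be explicit: `programs.mosh.enable = true; # NOTE: also opens UDP 60000-61000 in the firewall`. The deleted programs.nix had enabled mosh as well, so this preserves prior behaviour rather than introducing it.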
@@ -1,14 +1,8 @@ { pkgs, ... }: { - # # Auto upgrades - # system.autoUpgrade = { - # enable = false; # TODO(Ryan): do not enable, it will break deployments. - # allowReboot = false; - # }; - # Auto GC and store optimizations nix = { - trustedUsers = [ "root" "gab" ]; + trustedUsers = [ "root" ]; gc = { automatic = true; dates = "weekly"; @@ -20,9 +14,4 @@ max-free = ${toString (1024 * 1024 * 1024)} ''; }; - - services.locate = { - enable = true; - interval = "04:05"; - }; } diff --git a/machines/remote-builder-01/vim.nix b/machines/remote-builder-01/vim.nix deleted file mode 100644 index bed8752..0000000 --- a/machines/remote-builder-01/vim.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ pkgs, ... }: -{ - environment.variables = { EDITOR = "vim"; }; - - environment.systemPackages = with pkgs; [ - nixfmt - git - (neovim.override { - vimAlias = true; - configure = { - packages.myPlugins = with pkgs.vimPlugins; { - start = [ vim-lastplace vim-nix ]; - opt = []; - }; - customRC = '' - set encoding=utf-8 - set wildmenu - - set nocompatible - set backspace=indent,eol,start - set cursorline - hi CursorLine term=bold cterm=bold ctermbg=darkgrey - set number - set relativenumber - set tabstop=4 - set expandtab - ''; - }; - } - )]; -} -- 2.49.0 From a5f3e0588944554ba71904bd905351e399379c4a Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sun, 14 Aug 2022 22:27:28 +0200 Subject: [PATCH 082/149] Formatting --- machines/remote-builder-01/configuration.nix | 12 +++--------- machines/remote-builder-01/system.nix | 3 +-- 2 files changed, 4 insertions(+), 11 deletions(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 63a078d..c346646 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix 
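Review bot: Trimming `nix.trustedUsers` to `[ "root" ]` in system.nix is the right call, since trusted users are root-equivalent through the daemon, but the hardening is undercut by the configuration.nix hunks elsewhere in this series that put `../pubkeys/remote-builders.keys` straight into root's `authorizedKeys`: every client that uses this machine as a remote builder holds an unrestricted root shell here. A dedicated build user would give those clients exactly what remote builds need and nothing more, e.g. `users.users.nixbuild = { isNormalUser = true; openssh.authorizedKeys.keyFiles = [ ../pubkeys/remote-builders.keys ]; };` with `nix.trustedUsers = [ "root" "nixbuild" ];`, and ideally `restrict,command="nix-store --serve --write"` prefixed on those keys so the account cannot be used for anything else. A comment on the `trustedUsers` line stating `# trusted users are root-equivalent via nix-daemon; keep this list minimal` would keep the next maintainer from re-adding personal accounts.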
@@ -39,10 +39,7 @@ # List packages installed in system profile. To search, run: # $ nix search wget - environment.systemPackages = with pkgs; [ - vim - wget - ]; + environment.systemPackages = with pkgs; [ vim wget ]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. @@ -60,11 +57,8 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ./pubkeys/gdd.keys - ./pubkeys/raito.keys - ./pubkeys/remote-builders.keys - ]; + users.users.root.openssh.authorizedKeys.keyFiles = + [ ./pubkeys/gdd.keys ./pubkeys/raito.keys ./pubkeys/remote-builders.keys ]; # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix index dc2362e..9bb13cf 100644 --- a/machines/remote-builder-01/system.nix +++ b/machines/remote-builder-01/system.nix @@ -1,5 +1,4 @@ -{ pkgs, ... }: -{ +{ pkgs, ... }: { # Auto GC and store optimizations nix = { trustedUsers = [ "root" ]; -- 2.49.0 From f7b6fdf07a030563b9150df65ea5bc0431df0e96 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 00:00:55 +0200 Subject: [PATCH 083/149] Fix remote builder ip address --- machines/core-services-01/subZone.nix | 2 +- machines/remote-builder-01/configuration.nix | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 2738afe..4495c29 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -10,7 +10,7 @@ let delegateACMEDNSChallenge = acme: { _acme-challenge.CNAME = [ acme ]; }; remoteBuilders = { - nix01 = [ "2001:470:1f13:187:1e07:c670:3958:f8f1" ]; + nix01 = [ "2001:470:1f13:187:611:4514:d93a:f80a" ]; }; dualstack = { A = my.ipv4; 
diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index c346646..d624f04 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -24,7 +24,13 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.ens19.useDHCP = true; + networking.interfaces.ens19 = { + useDHCP = true; + ipv6.addresses = [{ + address = "2001:470:1f13:187:611:4514:d93a:f80a"; + prefixLength = 64; + }]; + }; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; -- 2.49.0 From 3f10516b6f4b5e2653f5a0ec386dd35f296cc698 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 00:20:07 +0200 Subject: [PATCH 084/149] Add kitty terminfo --- machines/remote-builder-01/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index d624f04..5c11e95 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -45,7 +45,7 @@ # List packages installed in system profile. To search, run: # $ nix search wget - environment.systemPackages = with pkgs; [ vim wget ]; + environment.systemPackages = with pkgs; [ vim wget kitty.terminfo ]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. -- 2.49.0 From 816e084deb6b197e5e5aa3d0a3e0c5cba6e75e7b Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 01:20:35 +0200 Subject: [PATCH 085/149] Change rpool layout and disk id --- .../hardware-configuration.nix | 32 +++++++------------ 1 file changed, 12 insertions(+), 20 deletions(-) 
diff --git a/machines/remote-builder-01/hardware-configuration.nix b/machines/remote-builder-01/hardware-configuration.nix index f80b2c7..b68c73b 100644 --- a/machines/remote-builder-01/hardware-configuration.nix +++ b/machines/remote-builder-01/hardware-configuration.nix @@ -4,32 +4,24 @@ { config, lib, pkgs, modulesPath, ... }: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = + [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "rpool/root/nixos"; - fsType = "zfs"; - }; + fileSystems."/" = { + device = "rpool/root/nixos"; + fsType = "zfs"; + }; - fileSystems."/home" = - { device = "rpool/home"; - fsType = "zfs"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/4BC6-A750"; + fsType = "vfat"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/3341-A3B9"; - fsType = "vfat"; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/1f624fe3-1fc5-44f4-9529-812558ffba42"; } - ]; + swapDevices = [ ]; } -- 2.49.0 From 122c0deeac2cfec93c2fcb808b2b9cf7506e0c20 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 01:33:02 +0200 Subject: [PATCH 086/149] DHCP on ens19 and ens18 + set ip on ens18 --- machines/remote-builder-01/configuration.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 5c11e95..8917745 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix 
@@ -24,13 +24,14 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.ens19 = { + networking.interfaces.ens18 = { useDHCP = true; ipv6.addresses = [{ address = "2001:470:1f13:187:611:4514:d93a:f80a"; prefixLength = 64; }]; }; + networking.interfaces.ens19.useDHCP = true; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; -- 2.49.0 From bb668034b1b84e856e3d0ac17e28e9c03e7a57af Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 02:59:45 +0200 Subject: [PATCH 087/149] Cleanups --- machines/remote-builder-01/configuration.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 8917745..dc4d7bf 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -33,10 +33,6 @@ }; networking.interfaces.ens19.useDHCP = true; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; console = { @@ -45,7 +41,6 @@ }; # List packages installed in system profile. To search, run: - # $ nix search wget environment.systemPackages = with pkgs; [ vim wget kitty.terminfo ]; # Some programs need SUID wrappers, can be configured further or are -- 2.49.0 From 4375b29d50ae64d4afe7b6d64d8b2b27fda03444 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 03:00:30 +0200 Subject: [PATCH 088/149] Aarch64 emulation --- machines/remote-builder-01/configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index dc4d7bf..ebcd1a9 100644 
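Review bot: With `useDHCP = true` on both ens18 and ens19 in remote-builder-01/configuration.nix, each interface may receive a DHCP default route, and which one wins is left to dhcpcd's metric ordering, so the builder's egress path (and the source address it uses back toward the nix clients and toward the SSH origins) becomes non-deterministic. If ens19 is the secondary or management segment, as the commit sequence suggests but the hunk does not show, pinning the gateway with `networking.dhcpcd.extraConfig = "interface ens19\nnogateway";` (or a comment stating that both networks are expected to route) removes the ambiguity. The static IPv6 address on ens18 has no `networking.defaultGateway6`, so IPv6 reachability depends on router advertisements being present on that segment; worth a one-line comment if that is the intended design.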
--- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -43,6 +43,8 @@ # List packages installed in system profile. To search, run: environment.systemPackages = with pkgs; [ vim wget kitty.terminfo ]; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + # Some programs need SUID wrappers, can be configured further or are # started in user sessions. programs.mtr.enable = true; -- 2.49.0 From 85ab8d8071a2dd78c933fdc10ee3392af3e1e1c9 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 23:59:59 +0000 Subject: [PATCH 089/149] Install git Needed for deployments with krops. --- machines/remote-builder-01/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index ebcd1a9..a28068c 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -41,7 +41,7 @@ }; # List packages installed in system profile. To search, run: - environment.systemPackages = with pkgs; [ vim wget kitty.terminfo ]; + environment.systemPackages = with pkgs; [ vim wget kitty.terminfo git ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; -- 2.49.0 From 16f4ad94b17bc520b5e1f55f1ca316951068fcdf Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 03:19:33 +0200 Subject: [PATCH 090/149] Add public-cof to README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 0a227f8..9baf068 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ Refer to wiki for details. - `core-services-01` +- `public-cof` - `remote-builder-01` ## How to deploy a machine? -- 2.49.0 From ba5086a2375d5ca9b510063f996163beb523d6dc Mon Sep 17 00:00:00 2001 
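Review bot: `boot.binfmt.emulatedSystems = [ "aarch64-linux" ];` in remote-builder-01/configuration.nix does more than register qemu-user in binfmt_misc: as far as I can tell the NixOS module also advertises aarch64-linux to the daemon via `extra-platforms`, so aarch64 derivations sent to this builder are built under user-mode emulation yet stored and signed indistinguishably from native outputs, and qemu-user has known divergences that can make such outputs differ from a real aarch64 build. That deserves a comment next to the line, e.g. `# aarch64-linux builds run under qemu-user (binfmt); outputs are not guaranteed to match a native host`, and a note in the README that this builder is emulated rather than native. qemu-user is also not a sandbox boundary, so the existing nixbld user/sandbox isolation is what still contains untrusted build inputs. Adding `git` in the following hunk for krops is harmless.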
From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 03:28:40 +0200 Subject: [PATCH 091/149] Centralize pubkeys --- machines/core-services-01/configuration.nix | 6 +++--- machines/core-services-01/netboot-server.nix | 4 ++-- machines/core-services-01/secrets/secrets.nix | 2 +- machines/public-cof/configuration.nix | 6 +++--- machines/public-cof/pubkeys/gdd.keys | 2 -- machines/public-cof/pubkeys/mrf.keys | 1 - machines/public-cof/pubkeys/raito.keys | 4 ---- machines/public-cof/secrets/secrets.nix | 2 +- machines/remote-builder-01/configuration.nix | 7 +++++-- machines/remote-builder-01/pubkeys/gdd.keys | 2 -- machines/remote-builder-01/pubkeys/hackens-milieu.keys | 1 - machines/remote-builder-01/pubkeys/raito.keys | 4 ---- {machines/core-services-01/pubkeys => pubkeys}/gdd.keys | 0 .../pubkeys => pubkeys}/hackens-milieu.keys | 0 {machines/core-services-01/pubkeys => pubkeys}/mrf.keys | 0 {machines/core-services-01/pubkeys => pubkeys}/raito.keys | 0 .../pubkeys => pubkeys}/remote-builders.keys | 0 17 files changed, 15 insertions(+), 26 deletions(-) delete mode 100644 machines/public-cof/pubkeys/gdd.keys delete mode 100644 machines/public-cof/pubkeys/mrf.keys delete mode 100644 machines/public-cof/pubkeys/raito.keys delete mode 100644 machines/remote-builder-01/pubkeys/gdd.keys delete mode 100644 machines/remote-builder-01/pubkeys/hackens-milieu.keys delete mode 100644 machines/remote-builder-01/pubkeys/raito.keys rename {machines/core-services-01/pubkeys => pubkeys}/gdd.keys (100%) rename {machines/core-services-01/pubkeys => pubkeys}/hackens-milieu.keys (100%) rename {machines/core-services-01/pubkeys => pubkeys}/mrf.keys (100%) rename {machines/core-services-01/pubkeys => pubkeys}/raito.keys (100%) rename {machines/remote-builder-01/pubkeys => pubkeys}/remote-builders.keys (100%) diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 8af8554..d3f334a 100644 --- a/machines/core-services-01/configuration.nix 
+++ b/machines/core-services-01/configuration.nix @@ -76,9 +76,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ./pubkeys/gdd.keys - ./pubkeys/raito.keys - ./pubkeys/mrf.keys + ../../pubkeys/gdd.keys + ../../pubkeys/raito.keys + ../../pubkeys/mrf.keys ]; # Open ports in the firewall. diff --git a/machines/core-services-01/netboot-server.nix b/machines/core-services-01/netboot-server.nix index 5b291bf..14f4d40 100644 --- a/machines/core-services-01/netboot-server.nix +++ b/machines/core-services-01/netboot-server.nix @@ -13,8 +13,8 @@ let # Enable sshd wich gets disabled by netboot-minimal.nix systemd.services.sshd.wantedBy = mkOverride 0 [ "multi-user.target" ]; users.users.root.openssh.authorizedKeys.keyFiles = [ - ./pubkeys/gdd.keys - ./pubkeys/raito.keys + ../../pubkeys/gdd.keys + ../../pubkeys/raito.keys ]; programs.mosh.enable = true; diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index 4d09d1e..a581591 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -1,7 +1,7 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf"); core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU"; systems = [ core-services-01 ]; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index b47cf2c..46afed6 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix 
@@ -45,9 +45,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ./pubkeys/gdd.keys - ./pubkeys/raito.keys - ./pubkeys/mrf.keys + ../../pubkeys/gdd.keys + ../../pubkeys/raito.keys + ../../pubkeys/mrf.keys ]; system.stateVersion = "21.05"; diff --git a/machines/public-cof/pubkeys/gdd.keys b/machines/public-cof/pubkeys/gdd.keys deleted file mode 100644 index b5d4e40..0000000 --- a/machines/public-cof/pubkeys/gdd.keys +++ /dev/null @@ -1,2 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ diff --git a/machines/public-cof/pubkeys/mrf.keys b/machines/public-cof/pubkeys/mrf.keys deleted file mode 100644 index ebbfa68..0000000 --- a/machines/public-cof/pubkeys/mrf.keys +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe4tx0+lNX2w7kG94c9u7U0wHuOc2A6zpHcbyAs+w/d diff --git a/machines/public-cof/pubkeys/raito.keys b/machines/public-cof/pubkeys/raito.keys deleted file mode 100644 index 0f48a59..0000000 --- a/machines/public-cof/pubkeys/raito.keys +++ /dev/null @@ -1,4 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index 4fe0e66..798cb84 100644 --- a/machines/public-cof/secrets/secrets.nix 
+++ b/machines/public-cof/secrets/secrets.nix @@ -1,7 +1,7 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; systems = [ public-cof ]; diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index a28068c..41936bd 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -61,8 +61,11 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = - [ ./pubkeys/gdd.keys ./pubkeys/raito.keys ./pubkeys/remote-builders.keys ]; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../../pubkeys/gdd.keys + ../../pubkeys/raito.keys + ../../pubkeys/remote-builders.keys + ]; # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; diff --git a/machines/remote-builder-01/pubkeys/gdd.keys b/machines/remote-builder-01/pubkeys/gdd.keys deleted file mode 100644 index b5d4e40..0000000 --- a/machines/remote-builder-01/pubkeys/gdd.keys +++ /dev/null @@ -1,2 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ diff --git a/machines/remote-builder-01/pubkeys/hackens-milieu.keys b/machines/remote-builder-01/pubkeys/hackens-milieu.keys deleted file mode 100644 index c79c039..0000000 --- a/machines/remote-builder-01/pubkeys/hackens-milieu.keys +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3+w4+nyJG8lr2mh0S9Zf8j2/6H5smlO87s6KNLlhkF hackens@hackens-milieu 
diff --git a/machines/remote-builder-01/pubkeys/raito.keys b/machines/remote-builder-01/pubkeys/raito.keys deleted file mode 100644 index 0f48a59..0000000 --- a/machines/remote-builder-01/pubkeys/raito.keys +++ /dev/null @@ -1,4 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr diff --git a/machines/core-services-01/pubkeys/gdd.keys b/pubkeys/gdd.keys similarity index 100% rename from machines/core-services-01/pubkeys/gdd.keys rename to pubkeys/gdd.keys diff --git a/machines/core-services-01/pubkeys/hackens-milieu.keys b/pubkeys/hackens-milieu.keys similarity index 100% rename from machines/core-services-01/pubkeys/hackens-milieu.keys rename to pubkeys/hackens-milieu.keys diff --git a/machines/core-services-01/pubkeys/mrf.keys b/pubkeys/mrf.keys similarity index 100% rename from machines/core-services-01/pubkeys/mrf.keys rename to pubkeys/mrf.keys diff --git a/machines/core-services-01/pubkeys/raito.keys b/pubkeys/raito.keys similarity index 100% rename from machines/core-services-01/pubkeys/raito.keys rename to pubkeys/raito.keys diff --git a/machines/remote-builder-01/pubkeys/remote-builders.keys b/pubkeys/remote-builders.keys similarity index 100% rename from machines/remote-builder-01/pubkeys/remote-builders.keys rename to pubkeys/remote-builders.keys -- 2.49.0 From c5aa20dffabdfa1377b94cecb9842cbf1da66138 Mon Sep 17 00:00:00 2001 
From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 23:59:59 +0000 Subject: [PATCH 092/149] Move pubkeys in ./machines This is required by the current krops setup. --- machines/core-services-01/configuration.nix | 6 +++--- machines/core-services-01/netboot-server.nix | 4 ++-- machines/core-services-01/secrets/secrets.nix | 2 +- {pubkeys => machines/pubkeys}/gdd.keys | 0 {pubkeys => machines/pubkeys}/hackens-milieu.keys | 0 {pubkeys => machines/pubkeys}/mrf.keys | 0 {pubkeys => machines/pubkeys}/raito.keys | 0 {pubkeys => machines/pubkeys}/remote-builders.keys | 0 machines/public-cof/configuration.nix | 6 +++--- machines/public-cof/secrets/secrets.nix | 2 +- machines/remote-builder-01/configuration.nix | 6 +++--- 11 files changed, 13 insertions(+), 13 deletions(-) rename {pubkeys => machines/pubkeys}/gdd.keys (100%) rename {pubkeys => machines/pubkeys}/hackens-milieu.keys (100%) rename {pubkeys => machines/pubkeys}/mrf.keys (100%) rename {pubkeys => machines/pubkeys}/raito.keys (100%) rename {pubkeys => machines/pubkeys}/remote-builders.keys (100%) diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index d3f334a..5f0e145 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -76,9 +76,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/gdd.keys - ../../pubkeys/raito.keys - ../../pubkeys/mrf.keys + ../pubkeys/gdd.keys + ../pubkeys/raito.keys + ../pubkeys/mrf.keys ]; # Open ports in the firewall. diff --git a/machines/core-services-01/netboot-server.nix b/machines/core-services-01/netboot-server.nix index 14f4d40..1c28cd8 100644 --- a/machines/core-services-01/netboot-server.nix +++ b/machines/core-services-01/netboot-server.nix 
@@ -13,8 +13,8 @@ let # Enable sshd wich gets disabled by netboot-minimal.nix systemd.services.sshd.wantedBy = mkOverride 0 [ "multi-user.target" ]; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/gdd.keys - ../../pubkeys/raito.keys + ../pubkeys/gdd.keys + ../pubkeys/raito.keys ]; programs.mosh.enable = true; diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index a581591..0455e41 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -1,7 +1,7 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf"); core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU"; systems = [ core-services-01 ]; diff --git a/pubkeys/gdd.keys b/machines/pubkeys/gdd.keys similarity index 100% rename from pubkeys/gdd.keys rename to machines/pubkeys/gdd.keys diff --git a/pubkeys/hackens-milieu.keys b/machines/pubkeys/hackens-milieu.keys similarity index 100% rename from pubkeys/hackens-milieu.keys rename to machines/pubkeys/hackens-milieu.keys diff --git a/pubkeys/mrf.keys b/machines/pubkeys/mrf.keys similarity index 100% rename from pubkeys/mrf.keys rename to machines/pubkeys/mrf.keys diff --git a/pubkeys/raito.keys b/machines/pubkeys/raito.keys similarity index 100% rename from pubkeys/raito.keys rename to machines/pubkeys/raito.keys diff --git a/pubkeys/remote-builders.keys b/machines/pubkeys/remote-builders.keys similarity index 100% rename from pubkeys/remote-builders.keys rename to machines/pubkeys/remote-builders.keys 
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 46afed6..a99f713 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -45,9 +45,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/gdd.keys - ../../pubkeys/raito.keys - ../../pubkeys/mrf.keys + ../pubkeys/gdd.keys + ../pubkeys/raito.keys + ../pubkeys/mrf.keys ]; system.stateVersion = "21.05"; diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index 798cb84..3f8a62a 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -1,7 +1,7 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; systems = [ public-cof ]; diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 41936bd..ad971fb 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -62,9 +62,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/gdd.keys - ../../pubkeys/raito.keys - ../../pubkeys/remote-builders.keys + ../pubkeys/gdd.keys + ../pubkeys/raito.keys + ../pubkeys/remote-builders.keys ]; # Open ports in the firewall. -- 2.49.0 From 7f5f3213acb9ce03638aefdb8c0389ad2f9cee9b Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Mon, 15 Aug 2022 13:31:27 +0200 Subject: [PATCH 093/149] hotfix: disable student calendar --- machines/public-cof/nginx.nix | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/machines/public-cof/nginx.nix b/machines/public-cof/nginx.nix index 9f62800..2d5cf61 100644 --- a/machines/public-cof/nginx.nix +++ b/machines/public-cof/nginx.nix @@ -29,14 +29,15 @@ in recommendedTlsSettings = true; virtualHosts = { - "home.beta.rz.ens.wtf" = { - serverAliases = [ "beta.rz.ens.wtf" ]; - default = true; - forceSSL = true; - enableACME = true; - root = "/var/public-cof/home"; - locations = builtins.listToAttrs (map mkCloudLocation clouds); - }; +# FIXME: factorize and remove it, it has been superseded by eleves.ens.fr/calendrier +# "home.beta.rz.ens.wtf" = { +# serverAliases = [ "beta.rz.ens.wtf" ]; +# default = true; +# forceSSL = true; +# enableACME = true; +# root = "/var/public-cof/home"; +# locations = builtins.listToAttrs (map mkCloudLocation clouds); +# }; }; }; -- 2.49.0 From 86de42442d2206435a849e8d7fe5a2d9bb878dec Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 17 Aug 2022 18:06:26 +0200 Subject: [PATCH 094/149] feat: add rstudio.beta.rz.ens.wtf basic features --- machines/core-services-01/subZone.nix | 1 + machines/public-cof/configuration.nix | 1 + .../public-cof/rstudio-server/default.nix | 34 +++++++++++++++++++ 3 files changed, 36 insertions(+) create mode 100644 machines/public-cof/rstudio-server/default.nix diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 4495c29..a0f9fc4 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -70,6 +70,7 @@ dualstack // { }; docs = public-cof-ips; jurisprudens = public-cof-ips; + rstudio = public-cof-ips; }; }; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index a99f713..18ae3d0 100644 
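Review bot: Commenting out `home.beta.rz.ens.wtf` removes the only virtual host in this hunk that carries `default = true`, so nginx will elect one of the remaining vhosts as the default server for requests whose Host or SNI matches nothing, and that site then gets served under arbitrary hostnames. If the catalogue is to stay disabled, keep an explicit catch-all such as `"_" = { default = true; rejectSSL = true; locations."/".return = "444"; };` so unknown names receive no content. The dead block could also be deleted outright rather than kept as a `#` comment, since git already keeps its history. The surrounding `virtualHosts` attrset and its `let` binding begin before this hunk.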
--- a/machines/public-cof/configuration.nix
+++ b/machines/public-cof/configuration.nix
@@ -11,6 +11,7 @@
 ./monitoring.nix
 ./nextcloud.nix
 ./minecraft.nix
+ ./rstudio-server
 ./nur.nix
 # ./factorio.nix # TODO
 ./nginx.nix
diff --git a/machines/public-cof/rstudio-server/default.nix b/machines/public-cof/rstudio-server/default.nix
new file mode 100644
index 0000000..3a73a6a
--- /dev/null
+++ b/machines/public-cof/rstudio-server/default.nix
@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+let
+ port = 19000;
+in
+{
+ services.rstudio-server = {
+ enable = true;
+ rserverExtraConfig = ''
+ www-port = ${toString port}
+ '';
+
+ package = pkgs.rstudioServerWrapper.override {
+ packages = with pkgs.rPackages; [
+ ggplot2
+ rmarkdown
+ dplyr
+ ];
+ };
+ };
+
+ users.users.ruser = {
+ isNormalUser = true;
+ hashedPassword = "$6$pTXXVh8NfE.M8VPc$q0fFh3Y7Y0DauLCcZLgJzFciq1wkjoHmO61XpOrZLH3a1M32ZzOMbjx2XMm2QxrUncbx6hGerY/lD8rQ8InS4.";
+ };
+
+ services.nginx.virtualHosts."rstudio.beta.rz.ens.wtf" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString port}";
+ proxyWebsockets = true;
+ };
+ };
+}
-- 2.49.0
From dc971eff71754648527ab7a06bd40ba6a89c2c0c Mon Sep 17 00:00:00 2001
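Review bot: `users.users.ruser.hashedPassword` puts a password hash into the repository, where anyone with read access can attack it offline, and that password is the only credential in front of an RStudio session, which runs code as `ruser` on this host. The hash belongs in an agenix secret like the other credentials in this tree (`age.secrets.*`), referenced as `passwordFile = config.age.secrets.<RUSER_SECRET>.path;` (the option is named `hashedPasswordFile` on newer NixOS), and the module header `{ pkgs, ... }:` would then need `config` added. Exposing the vhost with `enableACME`/`forceSSL` is correct, but it is worth deciding whether the service needs to be reachable from the whole internet rather than only over the existing headscale network before the password scheme is settled.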
From: Raito Bezarius Date: Tue, 6 Sep 2022 01:06:39 +0200 Subject: [PATCH 095/149] =?UTF-8?q?feat(core01):=20add=20inventory.rz.ens.?= =?UTF-8?q?wtf=20=E2=86=92=20snipe-it=20instance?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/core-services-01/configuration.nix | 1 + machines/core-services-01/secrets/default.nix | 2 ++ machines/core-services-01/secrets/secrets.nix | 2 ++ .../secrets/snipeItAppKey.age | 27 +++++++++++++++++++ .../secrets/snipeItOidcClientSecret.age | 26 ++++++++++++++++++ machines/core-services-01/snipe-it.nix | 19 +++++++++++++ machines/core-services-01/subZone.nix | 1 + 7 files changed, 78 insertions(+) create mode 100644 machines/core-services-01/secrets/snipeItAppKey.age create mode 100644 machines/core-services-01/secrets/snipeItOidcClientSecret.age create mode 100644 machines/core-services-01/snipe-it.nix diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 5f0e145..dcf85af 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -20,6 +20,7 @@ ./acme-dns.nix ./backups.nix ./headscale.nix + ./snipe-it.nix # ./dex.nix ./oauth2_proxy.nix ./secrets diff --git a/machines/core-services-01/secrets/default.nix b/machines/core-services-01/secrets/default.nix index 452d42e..a02981b 100644 --- a/machines/core-services-01/secrets/default.nix +++ b/machines/core-services-01/secrets/default.nix @@ -5,4 +5,6 @@ age.secrets.droneKeyFile.file = ./droneKeyFile.age; age.secrets.dexGiteaClientSecret.file = ./dexGiteaClientSecret.age; age.secrets.matterbridge.file = ./matterbridge.age; + age.secrets.snipeItAppKey.file = ./snipeItAppKey.age; + age.secrets.snipeItOidcClientSecret.file = ./snipeItOidcClientSecret.age; } diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index 0455e41..9925641 100644 
--- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -12,5 +12,7 @@ in "droneKeyFile.age".publicKeys = superadmins ++ systems; "dexGiteaClientSecret.age".publicKeys = superadmins ++ systems; "matterbridge.age".publicKeys = superadmins ++ systems; + "snipeItAppKey.age".publicKeys = superadmins ++ systems; + "snipeItOidcClientSecret.age".publicKeys = superadmins ++ systems; } diff --git a/machines/core-services-01/secrets/snipeItAppKey.age b/machines/core-services-01/secrets/snipeItAppKey.age new file mode 100644 index 0000000..3a393c2 --- /dev/null +++ b/machines/core-services-01/secrets/snipeItAppKey.age 
@@ -0,0 +1,27 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +i/TW/dUpeS8QL9ZJg7xKdGW65D1SWFjMpolf1BgEs3hm6uI2W3RWUb5S1PEs6HdF +l/yiJtZeBC0e0QbaQ776fiy0MSmuMgcRbJJ1rjloGwFzwwvtqhQMG8rLp70IPZoV +F6sUz4jKHaEjIVVbRokdfIKMSnhRXnbW5domOxPmZjXck7YxaR1zqD4S9PtH12Q/ +P+l/IVS6+tuWlaTs+1FY2pQ0ppPkwxBirm+4/dxD7E5MkOT0OFcpopI225u2vJAz +Hfk6SBhWuOu2GFfLDS3sS+50kvx1MNvMeb9qVYHkxE8tXhJxOpykkzwYktYp17jY +m+rh1gMPt+mZV2ELaZkGjQ +-> ssh-ed25519 85WiGg TSVInZQdH1ZbhSG+FptwCu96UX1SHAhQNculIk8nVF4 +L1ptiGhMZN78uu1TQ2qVV73+lhlgD34g7xt/AL268Dk +-> ssh-ed25519 reTIKw vrZd8hFFywOmDJxAq58Tt4Wdq2ovft1IDJqCvkpRU1o +9TmODia85CwXZmzdxk6W4LCflCybq7O1WWoqG5vxENk +-> ssh-ed25519 /vwQcQ NSJNN/lRO6TbOQTlY9bT4kdEuP2hElmNIcKRI4ilrQY +eGIr9VQSrbG4hB2XQGYXquQVZIkLRq9g9+Ap25YSWSQ +-> ssh-ed25519 cvTB5g 24UlsKN0XaA6wW87zj5PkPy90LUmdJe80FV2LVLiwzk +57VJ2pf45+r7CgMdr/78ngWll12Se7dS993i+YKp3Vg +-> ssh-ed25519 Wu8JLQ wgWSOp5VQzF+pvL338wOwaJ3RIIi1I4SNqW+vT6NQF8 +HVTfWqmf9CnEkHFpu9NWYagwwBdW8NumwFcUvSlb9i8 +-> ssh-ed25519 h6AgbA ZRjMQkjz+sw2BZh/myaSnMgz8cngGM9wxQf6L6uPxE8 +OgYfhTQe4iB9SyL8iReQByA9N5VcUC/YvpvbPIgp/3U +-> ssh-ed25519 lHr4YQ JAnhqkgzuCDsmDYnRG/DL/MDrfA/0uCZ1kpZSWiuPw4 +uMPzV/uWAozlffoqIDtTcI5CI3FAzM5fzDuupAzgE4w +-> 3[k-grease l5" cr(}p5 s{\538Js +uR+N+zPd323E/1K5MdNaPzAeNYBYfbmmsxtQRufVjMj8jobBLhHq4RVJ/E57t8yv +4Cxp +--- 1iiPH5I9CDFZwZQwRbhKnqpZ08vTMP1u4pU3+hNpubk +ےf(Tח,4\hKT džq)e+}u 'hN/䶢6B4Kң \ No newline at end of file diff --git a/machines/core-services-01/secrets/snipeItOidcClientSecret.age b/machines/core-services-01/secrets/snipeItOidcClientSecret.age new file mode 100644 index 0000000..80300cc --- /dev/null +++ b/machines/core-services-01/secrets/snipeItOidcClientSecret.age 
@@ -0,0 +1,26 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +gPydOcolFG+axyXPVVYYjjr0hypl/xczmMM+W+BbfZFaAL0TqXpqRgjtZSNvA+oh ++JHdr+/8IHh2qCS2vtzuH5lAsjM4h4FPPnGixX1SI9eNH14b/Otmoa/OtQD4pHcB +PYbh1yh4AILggg1ZMdttS+FUuMtu2A6y2NZYSkbBLy9dwEdZNBs0/cX/xNEqK72V +JF0BuGYvchyJ4ec4/m1od94dVva5qKUvK6mr0u5XPXObEOdZ8jJwZodJjrpDaEHJ +/yt8svY6upoXIdM4dVbY0Ab1VCwXf+tbGuwypVJF2TkeVW5tbImxuoTPE5XNdKLF +XU6RfHzLjUnG1T+dObb9gQ +-> ssh-ed25519 85WiGg lVvfjaLUhjdWgRnz0supjMNc6pDpbeEy2Z0fFOc7dkQ +srngyi1Wdi1lcXFK7MJtqt2koZkopcXX+hOFENHXJgY +-> ssh-ed25519 reTIKw ubW5n+mkAgxwHT9okMRWoE9k5ZpWN7UQDrvRwgS3Xio +O7GRq35wulhSadIAJ7C0ekLQQVk209yGiSaWg/VNgYU +-> ssh-ed25519 /vwQcQ 0FZbpEDS3xuKyPOSExt4wb/Oi0xlTivdLlpKuXicqx8 +3ZMA31MUD76KNK1+yX2473wDSv0oyheT7jAmvnbPJNg +-> ssh-ed25519 cvTB5g 04++RfeztjNzyHMW7WhxdAWoWT5NyatCN8zf7xFYiCw +OWYQ3oFR+/NjY8skMpzd0eS9fsAeugO+loiq4ZqEVWo +-> ssh-ed25519 Wu8JLQ b5BEsw8GS+LUcLZ7h36WDHp1uunlVymEcCmAcs5xaHQ +4xs/EAPRD4Z/rL3zisjGmslVt7OHx+Kh1kJmdBAxED4 +-> ssh-ed25519 h6AgbA wNeprhlhTORbN4WFxWPJO0DV5vBVteE297O73EfngD4 +sceiHAg3S0aZ9xGIsw5VaPJkAWCci03SrHM520pb+Gw +-> ssh-ed25519 lHr4YQ v6dG659zPeUqbyT8To8oGf6Kp3y15Z2YjlzdLVK3FCI +wB7EFm4tsgkaYexLfQM+lkNtUr09GWlLnh7CbgX3Ifc +-> =-grease zZ5 e./C_ +z1vYPnfdTh+G0bc+UvV1EZMSfaNDsWiDHJ+W+1CB2+Z4pOnQt2jBFPYv7rE +--- LbcSlaucZaWsTqBR9PIA46r00cfJtG5ndinWSzsnl/0 +1h~sȰ#-FX/2.ZF?wE]ic.%b-wt܌q_%} \ No newline at end of file diff --git a/machines/core-services-01/snipe-it.nix b/machines/core-services-01/snipe-it.nix new file mode 100644 index 0000000..c1f3658 --- /dev/null +++ b/machines/core-services-01/snipe-it.nix 
@@ -0,0 +1,19 @@
+{ pkgs, config, ... }:
+{
+ services.snipe-it = {
+ enable = true;
+ hostName = "inventory.rz.ens.wtf";
+ database.createLocally = true;
+ appKeyFile = config.age.secrets.snipeItAppKey.path;
+
+ config = {
+ AUTH_METHOD = "oidc";
+ OIDC_NAME = "Keycloak";
+ OIDC_DISPLAY_NAME_CLAIMS = "name";
+ OIDC_CLIENT_ID = "snipe-it";
+ OIDC_CLIENT_SECRET = { _secret = config.age.secrets.snipeItOidcClientSecret.path; };
+ OIDC_ISSUER = "https://auth.rz.ens.wtf/auth/realms/ClubReseau";
+ OIDC_ISSUER_DISCOVER = true;
+ };
+ };
+}
diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix
index a0f9fc4..a3a0573 100644
--- a/machines/core-services-01/subZone.nix
+++ b/machines/core-services-01/subZone.nix
@@ -38,6 +38,7 @@ dualstack // {
 auth = dualstack;
 push = dualstack;
 tailscale = dualstack;
+ inventory = dualstack;
 core01 = dualstack; ns1 = dualstack;
-- 2.49.0
From 726bc5af0e6b599c6118aa54d929df5e1ee52a30 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Tue, 6 Sep 2022 01:33:17 +0200
Subject: [PATCH 096/149] feat(core01): enable TLS on inventory.rz.ens.wtf and fix secrets perms
---
 machines/core-services-01/snipe-it.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/machines/core-services-01/snipe-it.nix b/machines/core-services-01/snipe-it.nix
index c1f3658..29f8530 100644
--- a/machines/core-services-01/snipe-it.nix
+++ b/machines/core-services-01/snipe-it.nix
@@ -1,11 +1,26 @@ { pkgs, config, ... }: { + age.secrets.snipeItAppKey = { + owner = config.services.snipe-it.user; + group = config.services.snipe-it.group; + }; + + age.secrets.snipeItOidcClientSecret = { + owner = config.services.snipe-it.user; + group = config.services.snipe-it.group; + }; + services.snipe-it = { enable = true; hostName = "inventory.rz.ens.wtf"; database.createLocally = true; appKeyFile = config.age.secrets.snipeItAppKey.path; + nginx = { + enableACME = true; + forceSSL = true; + }; + config = { AUTH_METHOD = "oidc"; OIDC_NAME = "Keycloak"; -- 2.49.0 From 7284a9a2d62d4432521d13f8fbae8b165504e997 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 6 Sep 2022 01:33:26 +0200 Subject: [PATCH 097/149] meta: use root@core01.rz.ens.wtf rather than internal IP --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 770fcff..1a3a034 100644 --- a/krops.nix +++ b/krops.nix @@ -29,7 +29,7 @@ let inherit target; }; }; in {} -// mkDeploy "core-services-01" "root@10.1.1.20" +// mkDeploy "core-services-01" "root@core01.rz.ens.wtf" // mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" // mkDeploy "public-cof" "root@beta.rz.ens.wtf" // mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] -- 2.49.0 From c90e89bc7ae0e4eae304f64184dcc05f3dfc3223 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 15:21:59 +0200 Subject: [PATCH 098/149] feat: add traque.beta.rz.ens.wtf --- machines/core-services-01/subZone.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index a3a0573..a56f019 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix 
@@ -58,6 +58,10 @@ dualstack // { beta = public-cof-ips // { subdomains = { + traque = { + inherit (public-cof-ips) A; + AAAA = [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; + }; nuage = public-cof-ips; minecraft = public-cof-ips; factorio = public-cof-ips; -- 2.49.0 From 54163ed857b0101965df8f0a3ea25ad3332bad3e Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 15:29:51 +0200 Subject: [PATCH 099/149] =?UTF-8?q?feat(public-cof):=20add=20IPv4=20?= =?UTF-8?q?=E2=86=92=20IPv6=20proxy?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/core-services-01/subZone.nix | 6 ++--- machines/public-cof/configuration.nix | 1 + machines/public-cof/networking.nix | 4 +++- machines/public-cof/nix/sources.json | 12 ++++++++++ machines/public-cof/nix/sources.nix | 22 +++++++++++++++++- machines/public-cof/nur.nix | 3 +++ machines/public-cof/v6proxy/default.nix | 30 +++++++++++++++++++++++++ 7 files changed, 72 insertions(+), 6 deletions(-) create mode 100644 machines/public-cof/v6proxy/default.nix diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index a56f019..1655011 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -12,6 +12,7 @@ let remoteBuilders = { nix01 = [ "2001:470:1f13:187:611:4514:d93a:f80a" ]; }; + mkProxyRecord = AAAA: { inherit AAAA; A = [ "45.13.104.29" ]; }; dualstack = { A = my.ipv4; AAAA = my.ipv6.standard; @@ -58,10 +59,7 @@ dualstack // { beta = public-cof-ips // { subdomains = { - traque = { - inherit (public-cof-ips) A; - AAAA = [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; - }; + traque = mkProxyRecord [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; nuage = public-cof-ips; minecraft = public-cof-ips; factorio = public-cof-ips; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 18ae3d0..fd43e30 100644 --- a/machines/public-cof/configuration.nix 
+++ b/machines/public-cof/configuration.nix @@ -18,6 +18,7 @@ # ./cryptpad.nix ./hedgedoc.nix ./secrets + ./v6proxy # TODO monitoring ]; diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index ff648e5..a902953 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -32,7 +32,9 @@ in { }; interfaces.ens20 = { - ipv4.addresses = map mkAddress [ "45.13.104.27/32" ]; + # 1st is for public-cof + # 2nd is for IPv4 → IPv6 proxy in v6proxy/ + ipv4.addresses = map mkAddress [ "45.13.104.27/32" "45.13.104.29/32" ]; }; firewall.allowedTCPPorts = [ 22 ]; diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json index a6531e2..77826c4 100644 --- a/machines/public-cof/nix/sources.json +++ b/machines/public-cof/nix/sources.json @@ -29,6 +29,18 @@ "url": "https://github.com/nmattia/niv/archive/e0ca65c81a2d7a4d82a189f1e23a48d59ad42070.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, + "nixexprs": { + "branch": "master", + "description": "All my Nix expressions", + "homepage": null, + "owner": "RaitoBezarius", + "repo": "nixexprs", + "rev": "5fd6966844be775a272e932375d7982275ba2300", + "sha256": "1l5zgdgqbn7apw2ngqzid0sqrklx0rnj8sjid4ykx9156kdqjan5", + "type": "tarball", + "url": "https://github.com/RaitoBezarius/nixexprs/archive/5fd6966844be775a272e932375d7982275ba2300.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, "raito-nur": { "branch": "master", "description": "All my Nix expressions", diff --git a/machines/public-cof/nix/sources.nix b/machines/public-cof/nix/sources.nix index 1938409..9a01c8a 100644 --- a/machines/public-cof/nix/sources.nix +++ b/machines/public-cof/nix/sources.nix 
@@ -31,8 +31,28 @@ let if spec ? branch then "refs/heads/${spec.branch}" else if spec ? tag then "refs/tags/${spec.tag}" else abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + submodules = if spec ? submodules then spec.submodules else false; + submoduleArg = + let + nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0; + emptyArgWithWarning = + if submodules == true + then + builtins.trace + ( + "The niv input \"${name}\" uses submodules " + + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " + + "does not support them" + ) + {} + else {}; + in + if nixSupportsSubmodules + then { inherit submodules; } + else emptyArgWithWarning; in - builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; + builtins.fetchGit + ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg); fetch_local = spec: spec.path; diff --git a/machines/public-cof/nur.nix b/machines/public-cof/nur.nix index 7ca9d89..130ef29 100644 --- a/machines/public-cof/nur.nix +++ b/machines/public-cof/nur.nix @@ -3,6 +3,8 @@ let nivSources = import ./nix/sources.nix; rz-src = nivSources.klubrz-nur; rz-no-pkgs = (import nivSources.klubrz-nur {}); + raitobezarius-src = nivSources.nixexprs; + raitobezarius-no-pkgs = (import raitobezarius-src {}); in { nixpkgs.config.packageOverrides = { @@ -11,6 +13,7 @@ in imports = [ "${nivSources.agenix}/modules/age.nix" + raitobezarius-no-pkgs.modules.sniproxy ] ++ lib.attrValues rz-no-pkgs.modules; nixpkgs.overlays = []; diff --git a/machines/public-cof/v6proxy/default.nix b/machines/public-cof/v6proxy/default.nix new file mode 100644 index 0000000..e4f11d9 --- /dev/null +++ b/machines/public-cof/v6proxy/default.nix 
@@ -0,0 +1,30 @@
+{ ... }:
+let
+ proxyIPv4 = "45.13.104.29";
+in
+{
+ networking.firewall.allowedTCPPorts = [ 443 ];
+
+ services.sniproxy = {
+ enable = true;
+
+ resolver = {
+ mode = "ipv6_first";
+ };
+
+ listeners = [
+ {
+ address = "${proxyIPv4}:443";
+ table = "vhosts";
+ fallback = null;
+ }
+ ];
+
+ tables.vhosts = [
+ {
+ match = "traque.beta.rz.ens.wtf";
+ dest = "traque.beta.rz.ens.wtf";
+ }
+ ];
+ };
+}
-- 2.49.0
From 71e5dcc437ac77a742c7a9b890754a84485aa8ba Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Sat, 10 Sep 2022 16:16:29 +0200
Subject: [PATCH 100/149] feat(public-cof): disable rstudio server
---
 machines/public-cof/configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix
index fd43e30..7f85263 100644
--- a/machines/public-cof/configuration.nix
+++ b/machines/public-cof/configuration.nix
@@ -11,7 +11,7 @@
 ./monitoring.nix
 ./nextcloud.nix
 ./minecraft.nix
- ./rstudio-server
+ # ./rstudio-server
 ./nur.nix
 # ./factorio.nix # TODO
 ./nginx.nix
-- 2.49.0
From c25b0f0eee7dbb4859beec94e9fc155b4f2feacd Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Sat, 10 Sep 2022 16:16:47 +0200
Subject: [PATCH 101/149] feat(public-cof): ensure that hedgedocs bind on local ipv6
---
 machines/public-cof/hedgedoc.nix | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix
index 258973f..de7edf2 100644
--- a/machines/public-cof/hedgedoc.nix
+++ b/machines/public-cof/hedgedoc.nix
@@ -9,7 +9,7 @@ in
 protocolUseSSL = true;
 # scp =; # TODO
 domain = "docs.beta.rz.ens.wtf";
- host = "localhost";
+ host = "[::1]";
 port = port;
 db = {
 dialect = "sqlite";
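Review bot: `resolver.mode = "ipv6_first"` still falls back to an A lookup when a name has no AAAA record, and for `traque.beta.rz.ens.wtf` the A record is the proxy's own address (`mkProxyRecord` in subZone.nix sets `A = [ "45.13.104.29" ]`), so losing the AAAA would make sniproxy connect to itself instead of failing; `mode = "ipv6_only";` fails closed. sniproxy also interprets `match` as a regular expression, so the unescaped dots match any character — harmless while `dest` is a fixed name, but worth a comment or an anchored pattern if the table grows. `fallback = null` is the right choice here, since unmatched SNI is dropped rather than forwarded anywhere.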
@@ -25,13 +25,11 @@ in enableACME = true; locations = { "/" = { - proxyPass = "http://localhost:${toString port}"; + proxyPass = "http://[::1]:${toString port}"; proxyWebsockets = true; }; }; }; }; }; - - networking.firewall.allowedTCPPorts = [ 433 80 ]; } -- 2.49.0 From badae72a2907e1f594d6a37744d8b541beae9170 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 16:17:01 +0200 Subject: [PATCH 102/149] feat(public-cof): prevent nginx to bind on all IPv4 --- machines/public-cof/networking.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index a902953..981eff0 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -40,4 +40,6 @@ in { firewall.allowedTCPPorts = [ 22 ]; firewall.enable = true; }; + + services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]; } -- 2.49.0 From 9a243163006bfb794bcb11db77db17fd20c360a7 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 13 Sep 2022 18:49:38 +0200 Subject: [PATCH 103/149] core01: add todo.beta.rz.ens.wtf DNS --- machines/core-services-01/subZone.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 1655011..256b659 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -61,6 +61,7 @@ dualstack // { subdomains = { traque = mkProxyRecord [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; nuage = public-cof-ips; + todo = public-cof-ips; minecraft = public-cof-ips; factorio = public-cof-ips; home = public-cof-ips; -- 2.49.0 From 9c006a35196edc6c3574d82153e8cf64da0cd2c6 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 13 Sep 2022 18:49:49 +0200 Subject: [PATCH 104/149] public-cof: fix docs.beta.rz.ens.wtf --- machines/public-cof/hedgedoc.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
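Review bot: Deleting `networking.firewall.allowedTCPPorts = [ 433 80 ];` also drops port 80 from the firewall, and nothing else visible in this series opens it (v6proxy/default.nix opens 443, networking.nix opens 22), yet `enableACME` on this vhost relies on the HTTP-01 challenge on port 80 and `forceSSL` redirects from it. Unless 80 is opened by a module outside this diff, certificate issuance and renewal will presumably start failing; carrying it in networking.nix, e.g. `firewall.allowedTCPPorts = [ 22 80 443 ];`, keeps the open ports in one place. The `433` in the removed line looks like a typo for 443.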
diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index de7edf2..b4235d5 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -9,7 +9,7 @@ in protocolUseSSL = true; # scp =; # TODO domain = "docs.beta.rz.ens.wtf"; - host = "[::1]"; + host = "127.0.0.1"; port = port; db = { dialect = "sqlite"; @@ -25,7 +25,7 @@ in enableACME = true; locations = { "/" = { - proxyPass = "http://[::1]:${toString port}"; + proxyPass = "http://127.0.0.1:${toString port}"; proxyWebsockets = true; }; }; -- 2.49.0 From 6e94647d8e8dceeceb33bda46bedd36212fe8d6f Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Tue, 13 Sep 2022 23:59:59 +0000 Subject: [PATCH 105/149] Networkd ipv6 --- machines/public-cof/networking.nix | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 981eff0..7dc4379 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -5,9 +5,26 @@ let mkAddress = addr: let in { address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); }; in { + systemd.network = { + enable = true; + networks."ens18" = { + DHCP = "no"; + addresses = [ + { addressConfig.Address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; } + ]; + }; + }; + networking = { hostName = "public-cof"; + useNetworkd = true; + useDHCP = false; + + firewall.allowedTCPPorts = [ 22 ]; + firewall.enable = true; + + /* # Default IPv4 exit route defaultGateway = { address = ""; @@ -15,14 +32,6 @@ in { }; localCommands = "ip route add default dev ens20 metric 10"; - useDHCP = false; - interfaces.ens18 = { - useDHCP = true; - ipv6.addresses = [{ - address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; - prefixLength = 64; - }]; - }; interfaces.ens19 = { useDHCP = false; ipv4.addresses = [{ 
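Review bot: The `/*` opened at the end of the first networking.nix hunk (closed by `*/` in the third) comments out the ens19/ens20 configuration, including the `45.13.104.27` and `45.13.104.29` addresses, while the unchanged `services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]` and sniproxy's `"${proxyIPv4}:443"` listener still bind those addresses, so both services will presumably fail to bind unless the addresses are assigned by some other path. The new `systemd.network.networks."ens18"` unit also carries no gateway or route, so the host may end up with an IPv6 address but no default route. Migrating the IPv4 addresses and routes into networkd in the same change, or keeping the `networking.interfaces.*` blocks until that is done, would keep the machine reachable. The `networking` attrset continues past this hunk.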
@@ -36,9 +45,7 @@ in { # 2nd is for IPv4 → IPv6 proxy in v6proxy/ ipv4.addresses = map mkAddress [ "45.13.104.27/32" "45.13.104.29/32" ]; }; - - firewall.allowedTCPPorts = [ 22 ]; - firewall.enable = true; + */ }; services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]; -- 2.49.0 From a373803629a2060ea84f40b0afa565f2c2510ed2 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 13 Sep 2022 18:54:35 +0200 Subject: [PATCH 106/149] patch(keycloak): remove crc patch --- .../fix-crc-computation.patch | 51 ------------------- 1 file changed, 51 deletions(-) delete mode 100644 machines/core-services-01/fix-crc-computation.patch diff --git a/machines/core-services-01/fix-crc-computation.patch b/machines/core-services-01/fix-crc-computation.patch deleted file mode 100644 index 85a6a7e..0000000 --- a/machines/core-services-01/fix-crc-computation.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001 -From: Mark Adler -Date: Wed, 30 Mar 2022 11:14:53 -0700 -Subject: [PATCH] Correct incorrect inputs provided to the CRC functions. - -The previous releases of zlib were not sensitive to incorrect CRC -inputs with bits set above the low 32. This commit restores that -behavior, so that applications with such bugs will continue to -operate as before. ---- - crc32.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/crc32.c b/crc32.c -index a1bdce5c2..451887bc7 100644 ---- a/crc32.c -+++ b/crc32.c -@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) - #endif /* DYNAMIC_CRC_TABLE */ - - /* Pre-condition the CRC */ -- crc ^= 0xffffffff; -+ crc = (~crc) & 0xffffffff; - - /* Compute the CRC up to a word boundary. */ - while (len && ((z_size_t)buf & 7) != 0) { -@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) - #endif /* DYNAMIC_CRC_TABLE */ - - /* Pre-condition the CRC */ -- crc ^= 0xffffffff; -+ crc = (~crc) & 0xffffffff; - - #ifdef W - -@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2) - #ifdef DYNAMIC_CRC_TABLE - once(&made, make_crc_table); - #endif /* DYNAMIC_CRC_TABLE */ -- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2; -+ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff); - } - - /* ========================================================================= */ -@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op) - uLong crc2; - uLong op; - { -- return multmodp(op, crc1) ^ crc2; -+ return multmodp(op, crc1) ^ (crc2 & 0xffffffff); - } -- 2.49.0 From d2467fe0bd5fb4074ed501ee08ec3680cc46fcf7 Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 17 Sep 2022 21:26:16 +0200 Subject: [PATCH 107/149] public-cof: add kanboard --- machines/public-cof/configuration.nix | 1 + machines/public-cof/kanboard-config.php | 279 ++++++++++++++++++++++++ machines/public-cof/kanboard.nix | 71 ++++++ 3 files changed, 351 insertions(+) create mode 100644 machines/public-cof/kanboard-config.php create mode 100644 machines/public-cof/kanboard.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 7f85263..f4e4dd6 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -17,6 +17,7 @@ ./nginx.nix # ./cryptpad.nix ./hedgedoc.nix + ./kanboard.nix ./secrets ./v6proxy # TODO monitoring diff --git a/machines/public-cof/kanboard-config.php b/machines/public-cof/kanboard-config.php new file mode 100644 index 0000000..9c82452 --- /dev/null +++ b/machines/public-cof/kanboard-config.php @@ -0,0 +1,279 @@ + $out/$f + tail -n+2 ${pkgs.kanboard}/share/kanboard/$f \ + | sed 's^__DIR__^"${pkgs.kanboard}/share/kanboard"^' >> $out/$f + done + ln -s /var/lib/kanboard $out/data + ln -s ${kanboardConfig} $out/config.php + '') + { outPath = "${pkgs.kanboard}/share/kanboard"; meta.priority = 10; } + ]; + }; + locations = { + "/".index = "index.php"; + "~ \\.php$" = { + tryFiles = "$uri =404"; + extraConfig = '' + fastcgi_pass unix:${config.services.phpfpm.pools.kanboard.socket}; + ''; + }; + }; + }; + }; +} -- 2.49.0 From 001c9b0136d220aed5c96f3194fd294fa2361629 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 17 Sep 2022 21:26:34 +0200 Subject: [PATCH 108/149] all: bump to latest nixos-unstable --- krops.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 1a3a034..0102eb0 100644 --- a/krops.nix +++ b/krops.nix 
@@ -6,9 +6,10 @@ let lib.evalSource [{ config.file = toString ./machines; nixos-config.symlink = "config/${machine}/configuration.nix"; + # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable + ref = "823e2c9b0a0ec8b61b6583f48338072f137b6889"; # nixos-unstable url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.49.0 From 5a796ef74fab69e3ff745c4bddbcf33cde0dd9c2 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 17 Sep 2022 21:26:56 +0200 Subject: [PATCH 109/149] Revert "Networkd ipv6" This reverts commit 6e94647d8e8dceeceb33bda46bedd36212fe8d6f. --- machines/public-cof/networking.nix | 29 +++++++++++------------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 7dc4379..981eff0 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -5,26 +5,9 @@ let mkAddress = addr: let in { address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); }; in { - systemd.network = { - enable = true; - networks."ens18" = { - DHCP = "no"; - addresses = [ - { addressConfig.Address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; } - ]; - }; - }; - networking = { hostName = "public-cof"; - useNetworkd = true; - useDHCP = false; - - firewall.allowedTCPPorts = [ 22 ]; - firewall.enable = true; - - /* # Default IPv4 exit route defaultGateway = { address = ""; @@ -32,6 +15,14 @@ in { }; localCommands = "ip route add default dev ens20 metric 10"; + useDHCP = false; + interfaces.ens18 = { + useDHCP = true; + ipv6.addresses = [{ + address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; + prefixLength = 64; + }]; + }; interfaces.ens19 = { useDHCP = false; ipv4.addresses = [{ 
@@ -45,7 +36,9 @@ in { # 2nd is for IPv4 → IPv6 proxy in v6proxy/ ipv4.addresses = map mkAddress [ "45.13.104.27/32" "45.13.104.29/32" ]; }; - */ + + firewall.allowedTCPPorts = [ 22 ]; + firewall.enable = true; }; services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]; -- 2.49.0 From 893339ba0b8ef8807f20b02e45dca3390b8ba784 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 18 Sep 2022 18:40:55 +0200 Subject: [PATCH 110/149] feat: fully functional kanboard --- machines/public-cof/kanboard-config.php | 20 ++++++++------- machines/public-cof/kanboard.nix | 24 ++++++++++++++---- machines/public-cof/secrets/default.nix | 6 +++++ .../public-cof/secrets/kanboard-secrets.age | 25 +++++++++++++++++++ machines/public-cof/secrets/secrets.nix | 1 + 5 files changed, 62 insertions(+), 14 deletions(-) create mode 100644 machines/public-cof/secrets/kanboard-secrets.age diff --git a/machines/public-cof/kanboard-config.php b/machines/public-cof/kanboard-config.php index 9c82452..6268892 100644 --- a/machines/public-cof/kanboard-config.php +++ b/machines/public-cof/kanboard-config.php @@ -6,6 +6,9 @@ /* Make sure all paths are absolute by using __DIR__ where needed */ /*******************************************************************/ +// Require the secret file +require('@secretsPath@'); + // Data folder (must be writeable by the web server user and absolute) define('DATA_DIR', '/var/lib/kanboard/data'); @@ -13,7 +16,7 @@ define('DATA_DIR', '/var/lib/kanboard/data'); define('DEBUG', false); // Available log drivers: syslog, stderr, stdout, system or file -define('LOG_DRIVER', 'stdout'); +define('LOG_DRIVER', 'file'); // Log filename if the log driver is "file" define('LOG_FILE', DATA_DIR.DIRECTORY_SEPARATOR.'debug.log'); 
@@ -42,21 +45,20 @@ define('FILES_DIR', DATA_DIR.DIRECTORY_SEPARATOR.'files'); define('MAIL_CONFIGURATION', true); // E-mail address used for the "From" header (notifications) -define('MAIL_FROM', 'replace-me@kanboard.local'); +define('MAIL_FROM', 'todo@dgnum.eu'); // E-mail address used for the "Bcc" header to send a copy of all notifications define('MAIL_BCC', ''); // Mail transport available: "smtp", "sendmail", "mail" (PHP mail function), "postmark", "mailgun", "sendgrid" -define('MAIL_TRANSPORT', 'mail'); +define('MAIL_TRANSPORT', 'smtp'); // SMTP configuration to use when the "smtp" transport is chosen -define('MAIL_SMTP_HOSTNAME', ''); -define('MAIL_SMTP_PORT', 25); -define('MAIL_SMTP_USERNAME', ''); -define('MAIL_SMTP_PASSWORD', ''); +define('MAIL_SMTP_HOSTNAME', 'kurisu.lahfa.xyz'); +define('MAIL_SMTP_PORT', 587); +define('MAIL_SMTP_USERNAME', 'todo@dgnum.eu'); define('MAIL_SMTP_HELO_NAME', null); // valid: null (default), or FQDN -define('MAIL_SMTP_ENCRYPTION', null); // Valid values are null (not a string "null"), "ssl" or "tls" +define('MAIL_SMTP_ENCRYPTION', "tls"); // Valid values are null (not a string "null"), "ssl" or "tls" // Sendmail command to use when the transport is "sendmail" define('MAIL_SENDMAIL_COMMAND', '/usr/sbin/sendmail -bs'); @@ -197,7 +199,7 @@ define('LDAP_GROUP_USER_ATTRIBUTE', 'username'); define('LDAP_GROUP_ATTRIBUTE_NAME', 'cn'); // Enable/Disable groups synchronization when external authentication is used. -define('LDAP_GROUP_SYNC', true); +define('LDAP_GROUP_SYNC', false); // Enable/disable the reverse proxy authentication define('REVERSE_PROXY_AUTH', false); diff --git a/machines/public-cof/kanboard.nix b/machines/public-cof/kanboard.nix index 3ce8a22..37d411c 100644 --- a/machines/public-cof/kanboard.nix +++ b/machines/public-cof/kanboard.nix 
@@ -5,22 +5,35 @@ let sha256 = if hash == null then lib.fakeHash else hash; }; plugins = map mkKanboardPlugin [ - { name = "userimport_wgroups"; url = "https://github.com/creecros/userimport_wgroups/releases/download/1.0.0/ImportWithGroup-1.0.0.zip"; hash = "sha256-iLpOxwu/atxd062z7z0T3Mkh5YH7IHmcCqiVZPAJbsA="; } + { name = "Milestone"; url = "https://github.com/oliviermaridat/kanboard-milestone-plugin/releases/download/1.1.2/Milestone-1.1.2.zip"; hash = "sha256-NrkMvk/5NdVokKQTYoZajdNEt5athjEzXVgrSHBdQ4w="; } { name = "MarkdownPlus"; url = "https://github.com/creecros/MarkdownPlus/releases/download/1.1.0/MarkdownPlus-1.1.0.zip"; hash = "sha256-BMzEaj47NnLvatEgUbKeibiWf9G+B4EFlVYhDNqk+y4="; } { name = "MetaMagik"; url = "https://github.com/creecros/MetaMagik/releases/download/1.5.1/MetaMagik-1.5.1.zip"; hash = "sha256-8y8+YvS5MAzRt4VVECQK0vQk6oA4Jbxn+2jWQ8nP3gU="; } { name = "OAuth2"; url = "https://github.com/kanboard/plugin-oauth2/releases/download/v1.0.2/OAuth2-1.0.2.zip"; hash = "sha256-L0df8bwPCxHjVOCNiVp+dqVsqJ0CEuJbHzwv5sYprIU="; } - { name = "KanboardOffline"; url = "https://github.com/ipunkt/KanboardOffline/releases/download/1.0.0/OfflineKanboardPlugin-1.0.0.zip"; hash = "sha256-zYIWKM82Em/ys75XgB/udIGk1+EeScE8jpP2HK2wHGQ="; } { name = "HighlightCodeSyntax"; url = "https://github.com/kenlog/HighlightCodeSyntax/releases/download/v1.0.3/HighlightCodeSyntax-v1.0.3.zip"; hash = "sha256-c4bV1gGVNUjHOJKBI6QxsV72mAzcEgjqv8r62ebpPdU="; } { name = "Group_assign"; url = "https://github.com/creecros/Group_assign/releases/download/1.7.12/Group_assign-1.7.12.zip"; hash = "sha256-ijI8nIIqsK8Pr1iEfCBUeUD3dlsIfmkOP0xC39JkIAs="; } ]; pluginsDirectory = pkgs.linkFarmFromDrvs "kanboard-plugins" plugins; + secretsPath = config.age.secrets.kanboard-secrets.path; kanboardConfig = pkgs.substituteAll { name = "kanboard-config.php"; src = ./kanboard-config.php; + inherit secretsPath; inherit pluginsDirectory; }; + package = pkgs.kanboard.overrideAttrs (old: { + installPhase = '' + 
${(old.installPhase or "")} + runHook postInstall + ''; + + postInstall = '' + ${pkgs.xorg.lndir}/bin/lndir ${pluginsDirectory} $out/share/kanboard/plugins + ''; + }); in { + environment.systemPackages = [ + ]; services.phpfpm.pools.kanboard = { user = "kanboard"; group = "kanboard"; @@ -48,13 +61,14 @@ in mkdir -p $out for f in index.php jsonrpc.php ; do echo " $out/$f - tail -n+2 ${pkgs.kanboard}/share/kanboard/$f \ - | sed 's^__DIR__^"${pkgs.kanboard}/share/kanboard"^' >> $out/$f + tail -n+2 ${package}/share/kanboard/$f \ + | sed 's^__DIR__^"${package}/share/kanboard"^' >> $out/$f done ln -s /var/lib/kanboard $out/data + ln -s ${pluginsDirectory} $out/plugins ln -s ${kanboardConfig} $out/config.php '') - { outPath = "${pkgs.kanboard}/share/kanboard"; meta.priority = 10; } + { outPath = "${package}/share/kanboard"; meta.priority = 10; } ]; }; locations = { diff --git a/machines/public-cof/secrets/default.nix b/machines/public-cof/secrets/default.nix index a7cd5ea..861d254 100644 --- a/machines/public-cof/secrets/default.nix +++ b/machines/public-cof/secrets/default.nix @@ -10,4 +10,10 @@ group = "nextcloud"; file = ./nextcloudDatabasePasswordFile.age; }; + + age.secrets.kanboard-secrets = { + owner = "kanboard"; + group = "kanboard"; + file = ./kanboard-secrets.age; + }; } diff --git a/machines/public-cof/secrets/kanboard-secrets.age b/machines/public-cof/secrets/kanboard-secrets.age new file mode 100644 index 0000000..5bc708c --- /dev/null +++ b/machines/public-cof/secrets/kanboard-secrets.age 
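Review bot: The document root assembled in the `-48,13` hunk symlinks `/var/lib/kanboard` in as `$out/data` (and now the plugins directory as `$out/plugins`), while the `locations` block that follows it — its body is outside this hunk — appears to define only `/` and `~ \.php$`; unless a deny rule exists elsewhere, uploaded files and the `debug.log` that kanboard-config.php now writes under `DATA_DIR` become reachable as static files, because upstream's protection of `data/` relies, as far as I recall, on a `.htaccess` that nginx ignores. Adding `locations."~ ^/(data|plugins)/".return = "403";` to that vhost would close this. The `environment.systemPackages = [ ];` added in the first hunk is empty and can be dropped. The `installPhase` override appends `runHook postInstall`; if the original phase already runs that hook, `lndir` will run twice into the same target, which is harmless but worth confirming.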
@@ -0,0 +1,25 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +jsay8IXK6RjVULRqpfvgHOr8H3ALxQyJ3BQIkmSfRrLlJXDbYWUKBCztXc7whfb/ +XTc3Sa5bybIXXX3wLzYmxCYjUa1CoHgIb1UWAhM3KyTJ4XSw7pVti29VM5p74+ex +tJeb44hXlkD7V7C2yYp6CcBH1IgnvEL8ulVopkis/TBQtWi6QaGJBPX2yxEJ3QDh +uAn5czrrDenBZRsIYTaKrlbgCM/Oeh4mDFSaFKIqfX2g7ClbsC1ejF3PvbsXN6il +pk2YSZ/F5ivNBkvWFmQrNJyLjkcIrxoFvzcXOTk8yM9iu4BFlPbX7NcAMrHpbSIR +3ew59I0cGkbzRAtLI9p97w +-> ssh-ed25519 85WiGg XQK2huU0kqkKbVYf6SJFqcumOL8zDPfOuGwNy78dJm4 +aP8CNgS1/wfv2RB7nXZqYnZaXDORk9I5lPZy87FVmRY +-> ssh-ed25519 reTIKw jZ57SfMYyOr9P9eNK/Q2CMAWtYtfjyV/MaTVnqEHxkU +ycPo/pwC9CtYWAcrclo1b26+mPU4Z6pCPecGPMmL3ag +-> ssh-ed25519 /vwQcQ v5bvHTvld6WErGt+Vp0mivpFH5srQPHkbPd0Nk3IDy0 +27+ZreTwyaxtb5vrRpD/2C2MUT9onRcX4Yr7KHnTGOo +-> ssh-ed25519 cvTB5g gKxECDYMSja0FTqteAk39iMDsNIM+ox31sIvnY2ityk +pkUZgDWdAzuGCvuRhOE8oeazIRw+kpPhnkksF2zTjxA +-> ssh-ed25519 Wu8JLQ lMgIKw3Qzg/Lw6UtpPZWDrE0WBc71meaprrnmARqDDM +FN/S9xo22u4kMWqrPD3KmfLbDq8L0TxtfDUSBLVq+Tk +-> ssh-ed25519 xbfJnw emSflhzdsItaXULjPXre8jlnXxJuXFAaoLWGVAAej1I +4OS68AuzPr+zwp9Bqb4lYGJHjPwPMSXuprw7+8agOyU +-> Wd-grease +pdSa/JP70fd6VvSgpIJQAk8ZiZfKo8l7UpVwBib59SB9IRNVZdSbHINFUzuIozGu +Z7dyg+x6QQ +--- TjceHicjeIIKz0f7R5u7nLrCtb39MmS/vEK3w0xHbmw +QZ`?Zv~^$ct2ԓy3.+KF2OC_$]y~l%0_ ܻ REM4Hİ{r$ެ*1\2FڬBLAK!&C׋_.Om3͕hδV< z$'-s'J \ No newline at end of file diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index 3f8a62a..70be48a 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -9,5 +9,6 @@ in { "nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems; "nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems; + "kanboard-secrets.age".publicKeys = superadmins ++ systems; } -- 2.49.0 From 124ec3ab73d52667a3b5a5a47cf62bac5a4a1823 Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 1 Oct 2022 22:49:56 +0200 Subject: [PATCH 111/149] feat: bridge #dgnum over Merle --- machines/core-services-01/matterbridge.nix | 2 +- machines/core-services-01/matterbridge.toml | 21 +++++++++++++++--- .../core-services-01/secrets/matterbridge.age | Bin 1415 -> 1519 bytes 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/machines/core-services-01/matterbridge.nix b/machines/core-services-01/matterbridge.nix index 7eefba1..06b31e6 100644 --- a/machines/core-services-01/matterbridge.nix +++ b/machines/core-services-01/matterbridge.nix @@ -28,7 +28,7 @@ let startScript = pkgs.writeShellScriptBin "start" '' ${manageSecrets ./matterbridge.toml "$CREDENTIALS_DIRECTORY/secrets" "$RUNTIME_DIRECTORY/conf.toml" - [ "SECRET_MATTERMOST_WEBHOOK" ]}/bin/preStart + [ "SECRET_MATTERMOST_KLUBRZ_WEBHOOK" "SECRET_MATTERMOST_DGNUM_WEBHOOK" ]}/bin/preStart ${pkgs.matterbridge}/bin/matterbridge -conf $RUNTIME_DIRECTORY/conf.toml ''; in { diff --git a/machines/core-services-01/matterbridge.toml b/machines/core-services-01/matterbridge.toml index d4b9ab8..49116fa 100644 --- a/machines/core-services-01/matterbridge.toml +++ b/machines/core-services-01/matterbridge.toml @@ -7,11 +7,16 @@ PrefixMessagesWithNick=true RemoteNickFormat="<{NICK}> " [mattermost] - [mattermost.merle] - WebhookURL="SECRET_MATTERMOST_WEBHOOK" + [mattermost.merle_klubrz] + WebhookURL="SECRET_MATTERMOST_KLUBRZ_WEBHOOK" WebhookBindAddress="0.0.0.0:52187" PrefixMessagesWithNick=false RemoteNickFormat="{NICK}" + [mattermost.merle_klubrz] + WebhookURL="SECRET_MATTERMOST_DGNUM_WEBHOOK" + WebhookBindAddress="0.0.0.0:52188" + PrefixMessagesWithNick=false + RemoteNickFormat="{NICK}" [[gateway]] name="réseau" enable=true 
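Review bot: The second Mattermost account added here is declared as `[mattermost.merle_klubrz]` again instead of `[mattermost.merle_dgnum]`, the name the new `dgnum` gateway in the next hunk refers to; TOML forbids defining the same table twice, so depending on the parser the file either fails to load or the second block silently overrides the first, leaving the klubrz bridge pointing at `SECRET_MATTERMOST_DGNUM_WEBHOOK` on port 52188 and the dgnum gateway with no account at all. Rename the second header to `[mattermost.merle_dgnum]`. Both webhooks bind on `0.0.0.0`; whether the host firewall limits 52187/52188 to Mattermost's source is not visible in this change.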
@@ -19,5 +24,15 @@ enable=true account="irc.ulminfo" channel="#réseau" [[gateway.inout]] - account="mattermost.merle" + account="mattermost.merle_klubrz" + channel="town-square" + +[[gateway]] +name="dgnum" +enable=true + [[gateway.inout]] + account="irc.ulminfo" + channel="#dgnum" + [[gateway.inout]] + channel="mattermost.merle_dgnum" channel="town-square" 
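Review bot: In the new `dgnum` gateway the second `[[gateway.inout]]` sets `channel="mattermost.merle_dgnum"` and then, on the following context line, `channel="town-square"`, with no `account` key; that is a duplicate key in the same table, and even where the parser tolerates it the Mattermost side of this gateway has no account and will not bridge. The line should read `account="mattermost.merle_dgnum"`, mirroring the `réseau` gateway above. The `[[gateway]]` list this hunk extends begins in the previous hunk.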
diff --git a/machines/core-services-01/secrets/matterbridge.age b/machines/core-services-01/secrets/matterbridge.age index 1071c43b33daaa3e93fae325e8d50122995c65c4..f4ea1d5e441eaa4b392dd2f255f591a06a917bdc 100644 GIT binary patch literal 1519 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!*`Do#|$E(&+{3FOK%O^@^qch5HU zaLy?y3vu;@NhOX_6^K5 zEcWCwsw~$|(RTETbn?hZbIErP(Ra2=j{w%{3?t@<{eF zEHbxn42#m&b~SblD-Q9@&i4qf2(Qe_&oawO=L*b8($@FPbWL=0a>_}Lv~aQrHb^y! z@-t4!buP^@$j+~FG&at5$;&LQ3Q8$6s&dTE3W_QW^a#(jNKOhWHRK8p2rhKf4>Qa) z2@mo&b}VxY&o9@u^er~@%nNlY&kqjw%hq;E^7gg#FmZ7U$PN!lEpn+eD%B24EGu;@ z$g|+`NY5=YHZ}82HY#_|D=f(mGBHod4TObuYKoDmsiCEUg=u)Ed%A*0X;D>no<*>} zOIA^8x=WIoQ?iRssYhr?Qix};e?_vNvA>~7fO$ojaWa>sONOz9pMR2hKw^NQg|BaJ zaz#j0cygw>vw=ZkZfT;kiFr|#VOW))w6euUCI>2*diz%@=RJppPSf-ShIt6n1g=HjH1O=L8gcxS|S7tdDx>km!W|(WIhh`O9dS@1< zx~I7oSLRw4_=Td|mRuI%WSXwv6Duto>H8i6XIFv>KE>&?PQo8?(LOU?4F*N z73%6^8R%J1;A+6-Y3}8XX55j zQjB3+c&UY#PoP4XL7|_cWk_bYUyzA&gkzDTW08MZQnp7(YGS5wqKRo(k)yAERH|=; zV>wreX($4fW8C^fM-Rl!|PL7ywt z oyC^y^0yCmN+vofn9H_s!`*vZ4cqBPSoxXP%s%Dd3TGOyC#(>Ti|&?&IQ$Jjk3 z*vHw~qR`3NETodl(kRo%!jVf?S63lCPus^YE5)#=Dl5>!%rPlAH8{=N*`UDH$S5VX zDk8-tH>JX{D#$rK(1h#oACafM5v5z+eE6`@+93GnggDHZ-VpGFRiT0me<^RBCUQxJjd?Kj!CaJGCg~!%WZk9 z*YEVlwx6d2R>e;cdg=S`_$$2UgFV2icC6W_>K)H_*voE1`Oo+#{H^i5>i%_n9GA7>lgpAg3KFTZ;0=lKfn rx)`?2&r~*Dt;Jh$HD8#&^072? 
zEe*^uC=Ac@Pjw73%84k-cMQyROvx!IOb+xePEF0JOmnSBcjT%F&x*_p%*{@(($Dhu zF9Nk6C8JE+q}069-8|pZ#In@1Jew;&JV-m((m+>e^ODkhgERfIe7Su#Q1?h)ka=;xPHoRu8p;+~%ElH!zD7+UG(=;i1W z;TY^2l+Km!8fsP*;2V-@lxkq=ZV{4R=~!r#=^W);?&4DH=4Tid<(cGG7HZ-ffMHuv zYKW(Ixk6N-ccx)diNCRNMrfLIl1Y?vgkgquT4|2HMR8(UZgN0*ic?yKfp(a2GM9E@ zx@TTMSz1A9X`p*)aEYIDgt=i#a89UKYKlj)xkr|_OH`(3hEbRwMo3zihG)8`D_Df( zdmFk$1g7{!m?UL6n;2ykM@1zY2NgJGmnItK>sO^@c$$W12bmiMa+Ot;IlBf~hWNW` zoB0KX=awYtCs|fjCY702dixrM`8w(+dlVIi`dMViGTbaZ!onjc zHLy6l(uB*@*FP-E+%GHJsWiMKHOR$0qFmp@Fw(@+pu{pc(<#8fEV9hZB%~lY(<3r5 z!`0Z#J=D=6JJ>8WvdA*qF+iIuJIa}Y~(Ic;*$UP{-F)7KzE1;mT z!qCJ#Bbm#mEXg(9wIndr(#zMZG|@ZAAh6Of9TeK>;rZ6Vb-L+Asfop@T!m&9F8M*J z1<9%DsRqUQUT*36NqN2@6;;7$0YMSzsm4yG&aRoxmE~0>i5bBW#YM(xCHh`r!5L=W zPM%)w23!Tc#h%$lfn2(}x(bDcp;@86etwRrmf_*fRr$HT#Xc1o=Ed5Ep~0?UQN><< z9z{OI?qQ|b#ateiRUD_Pct1<0X2^?powbu^Ro=Jx+`a4dt&eXuX1+ako9mL#m-u8E z!RhW>m@7M*ogFK#a$ebRx^0G4DbsZJx2Yx{Ux~ll``CHXj)rcPFpf=I{%V`3wy`qL jJgT<%hv%OMN0eh&E!sb$Yzm5hu Date: Sat, 1 Oct 2022 23:04:19 +0200 Subject: [PATCH 112/149] feat: remove netdata package pin --- machines/core-services-01/monitoring.nix | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 2a8ac5f..53f3343 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -36,16 +36,6 @@ in { services.netdata = { enable = true; - package = pkgs.netdata.overrideAttrs (old: { - version = "1.35.0-nightly"; - src = pkgs.fetchFromGitHub { - owner = "netdata"; - repo = "netdata"; - rev = "955d1a7c61f4eab802648d563f84d978ebeb8fc4"; - sha256 = "sha256-gN44Df+k384NummsHls2JY1CinBaFK3cpdmmdZMbA44="; - fetchSubmodules = true; - }; - }); }; # Allow WireGuard VPN -- 2.49.0 From 4bc455054018c771d2fecc6812de4f491e75fe68 Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sun, 2 Oct 2022 00:21:16 +0200 Subject: [PATCH 113/149] Revert "feat: remove netdata package pin" This reverts commit 179a628a4d578c7517b60ab6e2cf26f93cce4149. --- machines/core-services-01/monitoring.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 53f3343..2a8ac5f 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -36,6 +36,16 @@ in { services.netdata = { enable = true; + package = pkgs.netdata.overrideAttrs (old: { + version = "1.35.0-nightly"; + src = pkgs.fetchFromGitHub { + owner = "netdata"; + repo = "netdata"; + rev = "955d1a7c61f4eab802648d563f84d978ebeb8fc4"; + sha256 = "sha256-gN44Df+k384NummsHls2JY1CinBaFK3cpdmmdZMbA44="; + fetchSubmodules = true; + }; + }); }; # Allow WireGuard VPN -- 2.49.0 From 964912c3d4cbb87fd27f849e139eee73d8007848 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 9 Oct 2022 14:43:29 +0200 Subject: [PATCH 114/149] core01: try latest nightly for netdata and disable cloud --- machines/core-services-01/monitoring.nix | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 2a8ac5f..edf0d20 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix 
@@ -37,17 +37,19 @@ in services.netdata = { enable = true; package = pkgs.netdata.overrideAttrs (old: { - version = "1.35.0-nightly"; + version = "1.36.0-185-nightly"; src = pkgs.fetchFromGitHub { owner = "netdata"; repo = "netdata"; - rev = "955d1a7c61f4eab802648d563f84d978ebeb8fc4"; - sha256 = "sha256-gN44Df+k384NummsHls2JY1CinBaFK3cpdmmdZMbA44="; + rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; + sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; fetchSubmodules = true; }; }); }; + systemd.services.netdata.environment."NETDATA_DISABLE_CLOUD" = "1"; + # Allow WireGuard VPN networking.firewall.allowedUDPPorts = [ 51820 ]; # Allow access to the raw netdata @@ -71,12 +73,6 @@ in ]; }; - systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [ - "netdata" - "stream" - "health_alarm_notify" - ]; - environment.etc."netdata/netdata.conf" = lib.mkForce { user = "netdata"; group = "netdata"; @@ -122,7 +118,7 @@ in mode = "0600"; text = '' # External tools - nc="${pkgs.netcat}/bin/nc" + nc="${pkgs.nmap}/bin/nc --ssl" # IRC configuration SEND_IRC="YES" -- 2.49.0 From 6b02a84975457baf19051a51dfa85c8d802d9189 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 12 Oct 2022 01:29:08 +0200 Subject: [PATCH 115/149] core01: initialize tunnels setup --- machines/core-services-01/configuration.nix | 4 +++- machines/core-services-01/tunnels.nix | 19 +++++++++++++++++++ machines/public-cof/minecraft.nix | 4 ++-- 3 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 machines/core-services-01/tunnels.nix diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index dcf85af..9ff2a3f 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -25,6 +25,7 @@ ./oauth2_proxy.nix ./secrets ./matterbridge.nix + ./tunnels.nix # TODO push to gitea # TODO ./gotify.nix # TODO(Raito): ./backups.nix 
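Review bot: `nc="${pkgs.nmap}/bin/nc --ssl"` in the `-122,7` hunk switches the IRC alert transport to ncat with TLS, but ncat's `--ssl` alone does not verify the server certificate; it should be `nc="${pkgs.nmap}/bin/nc --ssl --ssl-verify"` (plus `--ssl-trustfile` if the IRC server uses a private CA), assuming the notify script invokes it as `$nc host port`, which is not visible here. Separately, the `-71,12` hunk drops the `restartTriggers` on the three `/etc/netdata/*.conf` entries, so future edits to `netdata`, `stream` or `health_alarm_notify` will no longer restart the service on switch; if that is deliberate, a one-line comment saying why would help, otherwise the triggers should stay. The `NETDATA_DISABLE_CLOUD` environment entry and the new `rev`/`sha256` pair look consistent with the version string.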
@@ -94,5 +95,6 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "20.09"; # Did you read the comment? + system.stateVersion = "22.05"; # Did you read the comment? + environment.variables.NIX_PATH = lib.mkForce "/var/src"; } diff --git a/machines/core-services-01/tunnels.nix b/machines/core-services-01/tunnels.nix new file mode 100644 index 0000000..a396adc --- /dev/null +++ b/machines/core-services-01/tunnels.nix @@ -0,0 +1,19 @@ +{ ... }: { + networking.wireguard.interfaces.wgalpha = { + privateKeyFile = "/etc/secrets/wireguard/wgalpha"; + listenPort = 9999; + + ips = [ + "fdee:a536:13fa:53ab::2/128" + ]; + + peers = [ + { + publicKey = "yAdQRTHn9Yko2r24j8tlxWBz0nYzHRxryPFq8t44Xw4="; + allowedIPs = [ "fdee:a536:13fa:53ab::1/128" ]; + } + ]; + }; + + networking.firewall.allowedUDPPorts = [ 9999 ]; +} diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index c56701f..089b0ae 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -2,8 +2,8 @@ let papermc = { ram = 4; # In GB - version = "1.18.2"; - build = 270; + version = "1.19.2"; + build = 200; sha256 = "M3/z7lgHVDG+WqxPvyrxvfobEvkkPf90bDoN/Dq+VZY="; }; port = 25565; -- 2.49.0 From 570071bb715a9774b28c9d5e8c5164556a920c96 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 13 Oct 2022 21:52:40 +0200 Subject: [PATCH 116/149] feat: bump to 1.19.2 and add clem197 to allow-list --- machines/public-cof/minecraft.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 089b0ae..db78249 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix 
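Review bot: `system.stateVersion` is bumped from "20.09" to "22.05" on a machine that is already deployed, which the comment directly above it warns against: this value pins stateful defaults (such as database versions and data-directory layouts) that were fixed at first install, and raising it can make services expect different on-disk state at the next switch. Unless the host was reinstalled, keep "20.09", or note in the commit why the bump is safe. The `NIX_PATH` override added on the next line is unrelated and fine.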
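Review bot: `privateKeyFile = "/etc/secrets/wireguard/wgalpha"` in tunnels.nix points at a path nothing in this series provisions, so on a fresh deploy the `wgalpha` interface fails to come up until the key is placed by hand, and nothing records that requirement. This machine's `secrets/` directory already holds age-encrypted material (e.g. matterbridge.age), so referencing `config.age.secrets.<name>.path` here would make the deploy reproducible and document where the key lives; if manual placement is intended, a comment such as `# provisioned out of band, see <placeholder: runbook>` on that line would do. Opening UDP 9999 in the firewall matches `listenPort`.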
@@ -4,7 +4,7 @@ let ram = 4; # In GB version = "1.19.2"; build = 200; - sha256 = "M3/z7lgHVDG+WqxPvyrxvfobEvkkPf90bDoN/Dq+VZY="; + sha256 = "sha256-fhQ1Kukp0MDF0312y/DR3wS9wKXY2aKUyU5f64ELylM="; }; port = 25565; rconPort = 25575; @@ -42,6 +42,7 @@ in Sup3Legacy = "575ecb9f-bf28-46cb-bc50-cb6bb340c905"; Pollux3737 = "ffa65818-b022-4830-aa90-7f3211c8ee3d"; CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849"; + clem197 = "7461bfdf-4dca-44c2-b035-b49d5740dfc5"; }; serverProperties = { -- 2.49.0 From e827b28967e30579ffd69141ded9c40ce0a87915 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 27 Oct 2022 22:31:47 +0200 Subject: [PATCH 117/149] feat: deploy garage on public-cof --- machines/public-cof/configuration.nix | 3 ++- machines/public-cof/garage.nix | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 machines/public-cof/garage.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index f4e4dd6..08b929a 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -9,6 +9,7 @@ ./acme.nix ./networking.nix ./monitoring.nix + ./garage.nix ./nextcloud.nix ./minecraft.nix # ./rstudio-server @@ -17,7 +18,7 @@ ./nginx.nix # ./cryptpad.nix ./hedgedoc.nix - ./kanboard.nix + # ./kanboard.nix ./secrets ./v6proxy # TODO monitoring diff --git a/machines/public-cof/garage.nix b/machines/public-cof/garage.nix new file mode 100644 index 0000000..f74eaca --- /dev/null +++ b/machines/public-cof/garage.nix 
@@ -0,0 +1,26 @@ +{ pkgs, ... }: +{ + services.garage = { + enable = true; + settings = { + replication_mode = "none"; + compression_level = 7; + + rpc_bind_addr = "10.1.1.21:3901"; + rpc_public_addr = "10.1.1.21:3901"; + rpc_secret = "76c2746530a4a27d188530a6bbf6c4613ccb8d8f129863d8c21462b84d5b998f"; + + s3_api = { + s3_region = "ens"; + api_bind_addr = "[::]:3900"; + root_domain = ".s3.rz.ens.wtf"; + }; + + s3_web = { + bind_addr = "[::]:3902"; + root_domain = ".cdn.rz.ens.wtf"; + index = "index.html"; + }; + }; + }; +} -- 2.49.0 From ccf00cdc46a78fa88938a2535e58e4de1ea2f623 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 27 Oct 2022 22:31:55 +0200 Subject: [PATCH 118/149] public-cof: nextcloud23 -> nextcloud24 --- machines/public-cof/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index b243afb..7ccf2de 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,7 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud23; + package = pkgs.nextcloud24; config = { overwriteProtocol = "https"; -- 2.49.0 From 7beba083215aea4a360a04d28914b24034735212 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 27 Oct 2022 22:40:43 +0200 Subject: [PATCH 119/149] public-cof: nextcloud24 -> nextcloud25 --- machines/public-cof/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 7ccf2de..8a9572b 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,7 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud24; + package = pkgs.nextcloud25; config = { overwriteProtocol = "https"; -- 2.49.0 From b40a49feedce631cd00c02db6e195913cdd8b4ab Mon Sep 17 00:00:00 2001 
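Review bot: `rpc_secret` is committed in plaintext in garage.nix, while every other credential in this repository is kept in an age file and referenced through `config.age.secrets.<name>.path`; since the NixOS module renders `settings` into a world-readable store path, the key is exposed both in git history and on the host. Treat the value as compromised and rotate it, then supply the replacement from a file — Garage's `rpc_secret_file` option pointing at an age secret, if the deployed Garage version supports it, or an environment file the module passes to the service, if it offers one. `rpc_bind_addr` on 10.1.1.21 presumably keeps the RPC port off the public interfaces, but that is not visible here.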
From: Raito Bezarius Date: Fri, 28 Oct 2022 00:36:57 +0200 Subject: [PATCH 120/149] =?UTF-8?q?feat:=20add=20notion.rz.ens.wtf=20?= =?UTF-8?q?=E2=86=92=20public-cof?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/core-services-01/subZone.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 256b659..7b7a56c 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -43,6 +43,9 @@ dualstack // { core01 = dualstack; ns1 = dualstack; + # First non-beta service, our Outline. + notion = public-cof-ips; + builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; gdd = { -- 2.49.0 From 43d3367e9f267aacd725f8467a734d04ecea3f12 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 17:31:46 +0200 Subject: [PATCH 121/149] core01: DNS for Garage & Outline --- machines/core-services-01/subZone.nix | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 7b7a56c..b76e4f7 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -43,8 +43,28 @@ dualstack // { core01 = dualstack; ns1 = dualstack; - # First non-beta service, our Outline. + # Non-beta service + # Outline notion = public-cof-ips; + # S3 API + s3 = public-cof-ips; + # CDN API + cdn = public-cof-ips // { + CAA = [ + { issuerCritical = false; + tag = "issue"; + value = "letsencrypt.org"; + } + { + issuerCritical = false; + tag = "iodef"; + value = "mailto:${my.email}"; + } + ]; + subdomains = { + "*" = public-cof-ips; + } // delegateACMEDNSChallenge "7a9dffd8-f57b-4635-ba79-07f8b0db4fad.acme.rz.ens.wtf."; + }; builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; -- 2.49.0 
From 42a569b41d906edd04d507ef91d47dd486a51310 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 17:32:10 +0200 Subject: [PATCH 122/149] public-cof: deploy completely Outline and Garage --- machines/public-cof/configuration.nix | 2 ++ machines/public-cof/garage.nix | 20 ++++++++++++ machines/public-cof/outline.nix | 31 +++++++++++++++++++ machines/public-cof/secrets/default.nix | 12 +++++++ .../secrets/outline-oidc-client-secret.age | 26 ++++++++++++++++ .../public-cof/secrets/outlineS3Secrets.age | 25 +++++++++++++++ machines/public-cof/secrets/secrets.nix | 2 ++ 7 files changed, 118 insertions(+) create mode 100644 machines/public-cof/outline.nix create mode 100644 machines/public-cof/secrets/outline-oidc-client-secret.age create mode 100644 machines/public-cof/secrets/outlineS3Secrets.age diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 08b929a..b4a2599 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -11,6 +11,7 @@ ./monitoring.nix ./garage.nix ./nextcloud.nix + ./outline.nix ./minecraft.nix # ./rstudio-server ./nur.nix @@ -27,6 +28,7 @@ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "minecraft-server" "factorio-headless" + "outline" ]; boot.loader.systemd-boot.enable = true; diff --git a/machines/public-cof/garage.nix b/machines/public-cof/garage.nix index f74eaca..7d25b0a 100644 --- a/machines/public-cof/garage.nix +++ b/machines/public-cof/garage.nix 
@@ -1,5 +1,25 @@ { pkgs, ... }: { + security.acme.certs."cdn.rz.ens.wtf" = { + dnsProvider = "acme-dns"; + credentialsFile = pkgs.writeText "acme-dns-env" '' + ACME_DNS_API_BASE=https://acme.rz.ens.wtf + ACME_DNS_STORAGE_PATH=/var/lib/acme/lego-acme-dns-accounts.json + ''; + extraDomainNames = [ "*.cdn.rz.ens.wtf" ]; + group = "nginx"; + }; + services.nginx.virtualHosts."s3.rz.ens.wtf" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://[::1]:3900"; + }; + services.nginx.virtualHosts."cdn.rz.ens.wtf" = { + serverAliases = [ "*.cdn.rz.ens.wtf" ]; + useACMEHost = "cdn.rz.ens.wtf"; + forceSSL = true; + locations."/".proxyPass = "http://[::1]:3902"; + }; services.garage = { enable = true; settings = { diff --git a/machines/public-cof/outline.nix b/machines/public-cof/outline.nix new file mode 100644 index 0000000..aef8e12 --- /dev/null +++ b/machines/public-cof/outline.nix @@ -0,0 +1,31 @@ +{ pkgs, lib, config, ... }: +{ + services.nginx.virtualHosts."notion.rz.ens.wtf" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:3000"; + proxyWebsockets = true; + }; + }; + services.outline = { + enable = true; + publicUrl = "https://notion.rz.ens.wtf"; + defaultLanguage = "fr_FR"; + storage = { + accessKey = "GK8b32d276b2eafb999a53188a"; + secretKeyFile = config.age.secrets.outlineS3Secrets.path; + uploadBucketUrl = "https://s3.rz.ens.wtf"; + uploadBucketName = "outline"; + region = "ens"; + }; + oidcAuthentication = { + userinfoUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/userinfo"; + tokenUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/token"; + authUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/auth"; + clientSecretFile = config.age.secrets.outline-oidc-client-secret.path; + displayName = "Club réseau"; + clientId = "outline"; + }; + }; +} 
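Review bot: The `s3.rz.ens.wtf` virtual host proxies to Garage's S3 API with nginx's default `client_max_body_size` (1m), so any object larger than that uploaded through `uploadBucketUrl` in outline.nix is rejected with 413 before it reaches Garage; change the location to `locations."/" = { proxyPass = "http://[::1]:3900"; extraConfig = "client_max_body_size 0;"; };` (or a sized limit matching the intended upload policy). The `cdn.rz.ens.wtf` host only serves reads, so it is unaffected. The acme-dns `credentialsFile` written with `pkgs.writeText` contains no secret, only the API base and a storage path, so the store placement is fine as long as lego's account file under `/var/lib/acme` stays private.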
diff --git a/machines/public-cof/secrets/default.nix b/machines/public-cof/secrets/default.nix index 861d254..dce31c2 100644 --- a/machines/public-cof/secrets/default.nix +++ b/machines/public-cof/secrets/default.nix @@ -16,4 +16,16 @@ group = "kanboard"; file = ./kanboard-secrets.age; }; + + age.secrets.outlineS3Secrets = { + owner = "outline"; + group = "outline"; + file = ./outlineS3Secrets.age; + }; + + age.secrets.outline-oidc-client-secret = { + owner = "outline"; + group = "outline"; + file = ./outline-oidc-client-secret.age; + }; } diff --git a/machines/public-cof/secrets/outline-oidc-client-secret.age b/machines/public-cof/secrets/outline-oidc-client-secret.age new file mode 100644 index 0000000..d73537f --- /dev/null +++ b/machines/public-cof/secrets/outline-oidc-client-secret.age 
@@ -0,0 +1,26 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +HeTVcJxU2zRewuzQVknnxAYjlCU8+GJjBz9joGPo2j934uiM3A6PBsFmoz6I1ZfJ +pg68benaKfV+VI1sN8fMDWoEO0QrFzHYULXT9JCyQTClUzUZSlMpzmDgCmHjLPEc +qB23sbwKzgyFO9SKHsPvOqxZrEyTwAKiNYa33QuSyRxN3S4/9PxVjgJTTqLbTVqf +hhnujxviU3iHV2ACqLAV5jYSbAleiAh53vnBc0k326vXbrumQqFvQtgwcqDn4vDR +2QYzEwsj+yV9BlRrGSBZSnoHZjWtsE/ntrEaIZiItT3Ots1CCVswd7LGb3LspYbf +NheRvY7zUXppGiB0+mjZJg +-> ssh-ed25519 85WiGg tGvDzYdpKP8lql3murRlp95w7jQUhhuodIgVxDk4Lgs +aVV4b71w/nU3nBaYKdzzYjXVaxgN2EpyQiKsjO33GcI +-> ssh-ed25519 reTIKw LJJF7K8fRsSoAFDyndWP9nA5FV4w7cWSqUgGnvdB42I +wI22cL/GuyVou1robDUHzNMfCR7L6NA4UWFSeV73d88 +-> ssh-ed25519 /vwQcQ KZQSME50r4yrnyFfH6nwbmCn0UmVUMIBhhfqoicrKVY +xDdBu7/K8ZxGT2BnffAR8UsQIAVlLpSfEvo1m4k87ng +-> ssh-ed25519 cvTB5g HjLQQhFwEekFYHV5sko/x8RwcAsgvl/cCoKakX4B6yE +Ub5TWpDPYA3DSwfRT2hmgPcwoMIhsOhgdhckFuZxQ8s +-> ssh-ed25519 Wu8JLQ L0bnDPmv3Chemi/BKhux9GYXDMMLUjO6H8MQe1REpBA +qtN6IH8M8kLYAQ8a64kYCCaAPhg6VjrojTONdY4MVyA +-> ssh-ed25519 xbfJnw 94xx8KL0EWqs3HIsdY9RFvC6aRsk7cemZxciLIkVCDM +WZnyqSwpCBA8GNnu6VEJSLIRtv8rzOpGFH6e387ohpQ +-> TS-grease +D32P8/tpegDSy/xsspwpuq8EVqwDyZUzJF2Ose+3cqHAx8db4DPWnmt4z4Ch5bXw +KtmO+2eEYTmPyYUZxI+uzr93CQhVq7aFlch6cWLEaqg +--- 6kPR6tdczt01UaY4ps38dncSMFCupa9uZmSWBjm85ps +Ln4Kz>(ن=fʷPG ssh-rsa krWCLQ +nxiY5l98JhWEwLYN7sWtsgN4faDTIpgo1fiPScxXB8/ljnxIyd1vhMVRt0WCTOQV +CFTQ9MOoTAk90Zj4wjxDjoJjjsXLUBVnjqLdQy76kgR5vAvVrHzuYTYO4Y4k0/qh +S6BEFN655P0n4Gxf9kJtKxi3ipN6B46ydACAjFeyeuOPMkMdBBZq1BOLPEOC9I+O +87p+8BdL+zxkYfaWfEggYgabrE7y91EjiB1VCuT0GFm8T8iBojvThxWQlHQAybBc +gvgTlyGf8YmY82uGhGQR39okrA914mJUkr11JZ9457qL+/t5Au/dha1x6QlwcUoz +Tp5OQJAfXZc02LsICq2I7A +-> ssh-ed25519 85WiGg c6vyT96h0eVL+xZpR0Zk06l5ApUsqENY9ESeYuOG0zY +dJbQVgH41Ti/AM7WAlXCCA501h8wgx2os5yiZt+jxp8 +-> ssh-ed25519 reTIKw rVhKDqm51EMuOQnTcsdWmqoBDI/LLnFpkJW93EfcdB0 +AAOEQp0tux1vJ0bPIcB1HtLodig/J4poeu6j/Hk8KiA +-> ssh-ed25519 /vwQcQ jGLr83VDSxYd3v42ECOiTpSTDRB5TVSqx3QHRbMgfEk +k2hBCGntsqP0czKV2JvMbf8lAqpjVvnJqSxfdr00A7w +-> ssh-ed25519 
cvTB5g BqVT8ytcjINNKrGAtttAtxRMpLs4LJg1Uy3zvDxTvwk +DRDEl+CNZnuT+KE1txjHgaWIYmiSeUTsesnXYq89YNQ +-> ssh-ed25519 Wu8JLQ 731ytp+gu36OvH0QbkeDUwMHj3J4u0JujJnfTUQ2C1A +KPGEKLoV9K1PPdIyla5D1lsmhRt/XUHLrCTeApbqR6c +-> ssh-ed25519 xbfJnw Ojf4cuctALx+Q/qWqSarRcnxvwrHjbAK5r4pnhKUzmo +WHp4Op3N3SeniWS7XhPmvRkTyjDIPDBBGviDaiCNbOc +-> 3P-h|3ru-grease +5icFsPwzKpnImSlgICy/wDq6YJLTcIML3EoDUOgvGOFSs+efH4bWExmd2ktGtqYd +ewEKHYlnpIFNTMtlRs7U7sR3qnLHadq3McnhR/8OlQ +--- iwVp/AYpQfFOIg/OI85nNTgdY/HKlEsCHWiBO0lOtJg +Z=eBb[3$k(2x%0+18T,;Fլ"EKeZ*$}Cpo9+|CJ- \ No newline at end of file diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index 70be48a..c703081 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -10,5 +10,7 @@ in "nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems; "nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems; "kanboard-secrets.age".publicKeys = superadmins ++ systems; + "outlineS3Secrets.age".publicKeys = superadmins ++ systems; + "outline-oidc-client-secret.age".publicKeys = superadmins ++ systems; } -- 2.49.0 From 555aabb7984d28c38118375adfa8a9a28476fa70 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 17:32:19 +0200 Subject: [PATCH 123/149] krops: bump channel --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 0102eb0..92a2cda 100644 --- a/krops.nix +++ b/krops.nix @@ -9,7 +9,7 @@ let # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "823e2c9b0a0ec8b61b6583f48338072f137b6889"; # nixos-unstable + ref = "8d3bd93e67201a7c8238e9cbde6d07aba9500636"; # nixos-unstable url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.49.0 From 82cfe98dde2603c3d07837b39bef01f4101f1a8a Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 29 Oct 2022 17:32:39 +0200 Subject: [PATCH 124/149] core01: fix matterbridge for DGNum --- machines/core-services-01/matterbridge.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/machines/core-services-01/matterbridge.toml b/machines/core-services-01/matterbridge.toml index 49116fa..748d0a7 100644 --- a/machines/core-services-01/matterbridge.toml +++ b/machines/core-services-01/matterbridge.toml @@ -12,7 +12,7 @@ WebhookBindAddress="0.0.0.0:52187" PrefixMessagesWithNick=false RemoteNickFormat="{NICK}" - [mattermost.merle_klubrz] + [mattermost.merle_dgnum] WebhookURL="SECRET_MATTERMOST_DGNUM_WEBHOOK" WebhookBindAddress="0.0.0.0:52188" PrefixMessagesWithNick=false @@ -34,5 +34,5 @@ enable=true account="irc.ulminfo" channel="#dgnum" [[gateway.inout]] - channel="mattermost.merle_dgnum" + account="mattermost.merle_dgnum" channel="town-square" -- 2.49.0 From d1bc89653ce4caf47d4eb492c79d969533dc8398 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 17:33:05 +0200 Subject: [PATCH 125/149] public-cof: fix NC encryption --- machines/public-cof/nextcloud.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 8a9572b..847affd 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -6,6 +6,13 @@ https = true; package = pkgs.nextcloud25; + # OpenSSL 3.0.x breaks RC4 encryption for NextCloud + # But we enabled encryption for NextCloud + # Therefore... + phpPackage = lib.mkForce (pkgs.php81.withExtensions ({ enabled, all }: + (lib.filter (e: e != pkgs.php81.extensions.openssl) enabled) + ++ [ (all.openssl.override { buildInputs = [ pkgs.openssl_1_1 ]; }) ] + )); config = { overwriteProtocol = "https"; -- 2.49.0 From a2c58e4d877faaaae0d65f734df514d1c85257ec Mon Sep 17 00:00:00 2001 
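Review bot: Rebinding PHP's openssl extension to `pkgs.openssl_1_1` to keep RC4 alive is a stopgap with an expiry date that the comment does not record: OpenSSL 1.1.1 left upstream support on 2023-09-11, after which every TLS connection this PHP makes (federation, app-store downloads, any app talking to S3 or OIDC) runs on an unmaintained library, and nixpkgs will presumably mark the package insecure so evaluation then needs `nixpkgs.config.permittedInsecurePackages`. Replace the `Therefore...` comment with what is broken and the exit, e.g. `# Nextcloud's encryption app still relies on RC4, which OpenSSL 3 moved to the legacy provider; build PHP's openssl ext against 1.1 until the encrypted data is migrated. TODO: migrate, then drop this override and openssl_1_1 (upstream EOL 2023-09). Upstream issue: <link>`. If the RC4 use is confined to that app, enabling OpenSSL 3's legacy provider through an `openssl.cnf` for PHP would be a narrower fix than swapping the OpenSSL under the whole extension, but confirm what Nextcloud actually calls before choosing. The enclosing `services.nextcloud` attribute set starts above this hunk.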
From: Raito Bezarius Date: Sat, 5 Nov 2022 15:48:40 +0100 Subject: [PATCH 126/149] mc: add Clem's friends to whitelist --- machines/public-cof/minecraft.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index db78249..3582e49 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -43,6 +43,10 @@ in Pollux3737 = "ffa65818-b022-4830-aa90-7f3211c8ee3d"; CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849"; clem197 = "7461bfdf-4dca-44c2-b035-b49d5740dfc5"; + Clashis = "499fdd85-bbcb-446f-9611-8b6bb9bf6965"; + epns = "a1c26328-484f-4c3f-affb-26e49b430c15"; + skidijo = "6a72a1f4-7448-4fb7-a252-b6d5ceff2d43"; + r_r = "3202beaa-7620-439b-9e91-0a9d4699b552"; }; serverProperties = { -- 2.49.0 From dbd7594d590ee5361f88283aeb7f09ab30753654 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 14 Nov 2022 23:46:55 +0100 Subject: [PATCH 127/149] mc: whitelist more players --- machines/public-cof/minecraft.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 3582e49..0030204 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -44,9 +44,12 @@ in CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849"; clem197 = "7461bfdf-4dca-44c2-b035-b49d5740dfc5"; Clashis = "499fdd85-bbcb-446f-9611-8b6bb9bf6965"; - epns = "a1c26328-484f-4c3f-affb-26e49b430c15"; skidijo = "6a72a1f4-7448-4fb7-a252-b6d5ceff2d43"; - r_r = "3202beaa-7620-439b-9e91-0a9d4699b552"; + Tifendyll = "5dc1acf3-b214-4607-a3bd-924665e07c67"; + OknShield = "ef12e9cd-121f-4b39-886e-89b5b4bc5f4f"; + Allygon = "964a2ee3-3a0d-49c1-b8e9-60b5e69976d3"; + CheesyBiggy = "574daaed-ce9a-4b33-a3af-055e39bc32dc"; + H3raklio = "576969d4-94e7-49db-ba7e-e9e57ff5a75e"; }; serverProperties = { -- 2.49.0 From 66ae9b2d0427578e96c93ce56dcf850aea5ab278 Mon Sep 17 00:00:00 2001 
From: Julien Marquet Date: Sat, 3 Dec 2022 21:15:40 +0100 Subject: [PATCH 128/149] whitelist thejohncrafter --- machines/public-cof/minecraft.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 0030204..876754a 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -50,6 +50,7 @@ in Allygon = "964a2ee3-3a0d-49c1-b8e9-60b5e69976d3"; CheesyBiggy = "574daaed-ce9a-4b33-a3af-055e39bc32dc"; H3raklio = "576969d4-94e7-49db-ba7e-e9e57ff5a75e"; + thejohncrafter = "d3959974-3a05-4ab2-8acb-d8817c140d84"; }; serverProperties = { -- 2.49.0 From 9a0c9c615c502d98a70d6f4d4e72709fb5907981 Mon Sep 17 00:00:00 2001 From: sinavir Date: Tue, 13 Dec 2022 22:23:35 +0100 Subject: [PATCH 129/149] feat: introduce photos.ens.wtf Co-authored-by: sinavir Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/15 Co-authored-by: sinavir Co-committed-by: sinavir --- machines/public-cof/configuration.nix | 1 + machines/public-cof/lychee.nix | 10 ++++++++++ machines/public-cof/nix/sources.json | 2 +- machines/public-cof/nur.nix | 2 +- 4 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 machines/public-cof/lychee.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index b4a2599..ae3fce3 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -12,6 +12,7 @@ ./garage.nix ./nextcloud.nix ./outline.nix + ./lychee.nix ./minecraft.nix # ./rstudio-server ./nur.nix diff --git a/machines/public-cof/lychee.nix b/machines/public-cof/lychee.nix new file mode 100644 index 0000000..944604b --- /dev/null +++ b/machines/public-cof/lychee.nix 
@@ -0,0 +1,10 @@ +{ config, pkgs, ... }: { + services.lychee = { + enable = true; + package = pkgs.rz.lychee-gallery; + forceSSL = true; + enableACME = true; + website = "photos.ens.wtf"; + settings.APP_URL = "https://${config.services.lychee.website}"; + }; +} diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json index 77826c4..3209971 100644 --- a/machines/public-cof/nix/sources.json +++ b/machines/public-cof/nix/sources.json @@ -14,7 +14,7 @@ "klubrz-nur": { "branch": "main", "repo": "https://git.rz.ens.wtf/Klub-RZ/nur", - "rev": "98911e21fd58f00440dc8a5bd6568f2a349338bd", + "rev": "9c43904eb242455ca3db9466c5679c81aa92741f", "type": "git" }, "niv": { diff --git a/machines/public-cof/nur.nix b/machines/public-cof/nur.nix index 130ef29..ad4a2e5 100644 --- a/machines/public-cof/nur.nix +++ b/machines/public-cof/nur.nix @@ -8,7 +8,7 @@ let in { nixpkgs.config.packageOverrides = { - # rz = import rz-src { inherit pkgs; }; + rz = import rz-src { inherit pkgs; }; }; imports = [ -- 2.49.0 From 5138eb930f618573ccbe3e6394b1c13174e92248 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 24 Jan 2023 21:14:04 +0100 Subject: [PATCH 130/149] core-services-01: add hubrecht --- machines/core-services-01/configuration.nix | 1 + .../secrets/dexGiteaClientSecret.age | Bin 1424 -> 1519 bytes .../core-services-01/secrets/droneKeyFile.age | Bin 1639 -> 1778 bytes .../secrets/keycloakDatabasePasswordFile.age | 52 ++++++++++-------- .../core-services-01/secrets/matterbridge.age | Bin 1519 -> 1559 bytes .../secrets/oauth2ProxyKeyFile.age | 50 +++++++++-------- machines/core-services-01/secrets/secrets.nix | 2 +- .../secrets/snipeItAppKey.age | 51 ++++++++--------- .../secrets/snipeItOidcClientSecret.age | 52 ++++++++++-------- machines/pubkeys/hubrecht.keys | 1 + 10 files changed, 111 insertions(+), 98 deletions(-) create mode 100644 machines/pubkeys/hubrecht.keys 
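Review bot: Uncommenting `rz = import rz-src { inherit pkgs; };` makes `pkgs.rz.*`, now consumed by `services.lychee.package` in lychee.nix, build from whatever commit `nix/sources.json` pins for `klubrz-nur`, and that niv entry carries only a `rev` with no content hash, so the pin is the sole integrity and trust boundary for that code. A comment above the override should say so, e.g. `# pkgs.rz is the Klub-RZ NUR pinned in nix/sources.json (commit rev only, no sha256): bump deliberately and review the NUR diff before deploying`. The `let` that defines `rz-src` starts above this hunk.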
diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 9ff2a3f..7aa5220 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -81,6 +81,7 @@ ../pubkeys/gdd.keys ../pubkeys/raito.keys ../pubkeys/mrf.keys + ../pubkeys/hubrecht.keys ]; # Open ports in the firewall. 
diff --git a/machines/core-services-01/secrets/dexGiteaClientSecret.age b/machines/core-services-01/secrets/dexGiteaClientSecret.age index daef2a2a00c33743ebcd5b46b39b1205e074fc61..f080423c728b87bd35aa1d842c1b19abc94ad716 100644 GIT binary patch literal 1519 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!*`Do#|$E(&+{3FJy~b5AiyE-v@T z^fGbD@iWga$n?m}bMq;P@=UA>@=S{IsZ292urRa;4yh;#FEjLYGD>qv%8qm@4vGw} z4ENx2@$@eU$_y|`4|GgR^$94eEDH?uG$=BUh;;OH&QEi!D9H6m^9Txd%QCVEFDv%S zDoe|9E;mf`s`M!-iqMbb($+RE%dj*vGYSjVuQac64fKvE3N&)}D~ifW3<&qo_A@Ke z){n?5FHI^A@i5U2HcdD6ugEW}%5V>L%Qh@_5GIOnPGb;|U%xo!3eV1S^>Z}zcC7St56n(acXage_D@PKPd3d;G&8UCkMuK2i}chk_sKC&Df9C7 z2shyhuJE%kDR40~HqOp7&i5$|cX4tl3511qYKoDmsiCEUg=u)Ed%8lXPiSG0i)l(_ znT1EWXL(gfdQ6T`2m?B7UtQd zxn&^{NfxPQp~-$O2F|G!j@e$x5w7LAuD)DRCAn^imf1PE8J6jR7OBaeZl(dnq3-_0 zekSF4h6WKSr5Q6euUCI>2%CpsIYI_GBvX1bMlg?N{g`?`fY=2{j8 zmgNK#`4@U?8)f9@mFAn~m8WxsMVUI9xO!zpnR}!Lgyj2Yn5S1|c&7v#n?(AQW;kbu zMFbUixuk|hdPSn!mRuI%WSXwvp`B(@8kmxv>gyKaWp3eX}8kJIN zXl7iIlb4$2>k`Uk5Mo+lY*J7dn3m;Z=;9k`YLXWoWfYuVmJ^zusOOjD;Sa_0eu$R6|h;NZ=nMtTguA6b9wr93uetu*~ zZmutvpRrq#ae7gBab%)Nv8joHx1Ui_X0c;rqJgEcd2*&jnqOI7a%qZNNwF)sZDkRW zUTKaBex7LsMviXzE(S@V5jn*M-hOV{B`(I{!AVhWkuJW*?t!7f{>cX6X3iE|LAgOj zWoZSG#kqbZmf=apA(c+$Vd?oE`ri3bF0Mx2iKdB8js@C|IR@$Iwq=+(rYAWnP?XlFZTlso062RmADRivewg+(NLMtC|J znueu^WTpC+_?4uamuLD|xFkCz29#H31e97tRpesifEcLH`jD7BOjxHl#)naLwCn8&nUCf(h9@! 
zG()e<$O12~M5l`4oW$asfXwvle0Ojv(XP(+)lDx-O)O4T$We&5Hs-P{E_AQZuQW}I zayBwZ5A+Ynx3q}#G^@(a^mMfdD9rN?@o~xs_B5&t3`-9(H4Y3g_Hgm?@(aoHDGZEE zPAcUpb#ZaZ49rQY@C$N2}|bE z)zwun)DBLpDyyt=@pFp|3JtFG3<-7#&n^qD^2yaNafz%fiZXG^cB+U7_6p=GTjSl^ zdZ}w6>&h<+bn821G`0VS{qOdbcwVw&%A?yX)l>Ji9*gGMJdJ^Ym-BW+Sm~l~!UAv4 Vzb`y~Ysnkg(g(6zj{i-14*)T^_GJJ7 literal 1424 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7@hCEh3{=R}j!^|-~$x*@C+$735vno{I$hSPn zz1YCH($&bVs=zHX$TZX_GTq%hB0tB^Ak;H2ESoDOJIdHs+cGN5(K$UkHzdp3+@L%# z%fw4R+%dZ%F|EMNFTE%-yTZ&%zZ~7R@KOsepFjmKk8;!C&{PkW3-;iue*Qg+OcVpA= zZ2v;Xd`DNmpzOl(@N{(BlFLGzOw$z--JQY>oP(2d-75@?OMRVl{ruBIol^@!oP5Jd z%^ZyayuFNzJ&gQv^2)iwLi|k4%Z!ZzypxjCozlZROCrJys~l7FLxR#>5(|^e+_lY% zwJS1{eT&g;(=RIzOb%4YE;jedN)1Uf%E>p#%*x6uGf(z(^ESv02z9PX^YQmCjdaU2 zHApEbHumL;$_aLIjwtstsz?eB%5p6846w)z3i8!AHOba5a@Mve%<{AhadQpK%)*Gb zqSO#i?{bAQGXqBxKaUI#1J7d9z({xh^s=0QTz%Jq41i( zl1$yw3zH)Koq|m={M|DGUD7j4UCK){QVl#ZbBZF2;UQU6oT!jp6z=R3$d%|FP#9%W znVavO;+h!Y5s;N>k!~62o|u=P>}g)$AL8j>=~0ksknfS{ZCT)G;#3gs6=s=gl}XQ#?NZ_77iC%;;F4<@>gQ)sRN!r#WKo!BkrW)5lWLk+neXds z5@F!wR+5=nlpCd8kx^z)9-7XTA5fm5A6RAKlx!GaQW=ou?ra|ARumkdUu2TxQ=aMN zQy7$CoKzAN?h~MGnWt}->tz(|p68QOl2%q)5t5O@z$nu2uimu2D<4*sfop@3if)*9*$w=3QAR6 z-eF#a5uS-b`Ibg*Mfxe3hK>;-spcuJIY$1Kra3--MumSVXj_*#-WKGj@cmvmL^rj-a+QU1^N|9PKEvzRh~xK zC1&N??_J6$NgUCYgT0 zc~Jo+sR7PqrTVFvE)mI|T-VzSJ@zoJ-_x`$?%3sAmdk>Z@|(AYSQpiPyMMglpj$?k papd%UDN>=8%|4dfx0_^F-|bi~$Y@=otD$dDs zP0isdib_ci3-b=k$o2^^val>Ia&h+XG|4G9jB=_hibzhaC`k&4h$t)3_ejf%GVv|; zb1HT7DankC@OE>_cCQNK%1<;(DfBOP56Fv5OfM=;^^fwjEV0ZeH#Z7Twydo5F7pZV z@pSc04ok_Z$S*0iOft?l)h{aY_jOJVOb>T0<0=Yu4D!>@a81|FG0Qgguki9T@h{0X zbc=GWEKbi4NH(*~cJzrb%`EaY(Raxxbu2dsGqsHHNOIIqGEVdMh~$dYHqbXQD$A>^ z$TZE<_bc~wNiiubHHt{HC@u)qc22MK@(Rf`HP0zDNHopM5b42 zg?Wg9iFt*irCCLQv$LgsX1aNHm8)lzb0E5HMX4d4-sK9J$u4OHIgy2~;U&f4h3P?N zM&bGTB^f0iWvMQ{S*{gH1(`;f#p#KuS-xCJ=6QaW*=0fcdBLF><{5r&=4GM9MkU^s zi9zo9iP@&1nSlicMUEDxp5^Ga>6euUCI>16WH>tI7=$?aI650;=7f}JmtNBKAf8<;tj 
z>$^DmYdgERWVoW+mRuI%WSXvE5UHJBoaYqootvIvk(80_bCs#7NpZTdw_CZfkFig7X?RpstmW2hnZDkRW zUTKaBp&k|yAprpvCgqN~DXyW(sg7C6F2=50Knu3p;3*+xD&mB!9_+To#G`d&t9 zz8OVM$!0;RnPu4p5tRi7DLJ9p#%_7xNfFr|C0XS@mT7^dKB)%iwq=+(rYAWn_-N}p zMmi-MhXtF5cok)tT1IJGh-?dQ=qUMH+=# zMx_QuK`%D%Z)- z$igMjx6H^R#NQ~%z`4*r(8I!A;$%zMoD?ftiU4g2pnovx;@ zcb^JtTrIMjRkVG<#_f7fXMNwiM0EM=6>Fs4e9fId^VPKo3x-K?8*MLFdPhbjn+C;x z^SZp$y!FRjoAr-)y?3l(Gg1`$B(_3hg~CtOZvk;^XVP68FUc_X{5U%AY0`=(`I5gE zE);)xfA1ESyh(o#)CtT92+n^zIF7p2n*2m3X%`*E)#Fs5^=f8ZE_1sr*3Ezp2 iOQN3Me{x^w`<u*@k)G%+(T^7qs>^@}XY_2eq7%=Aez3`jKh&#z1? zG_UlE@Q;kh$WL-qiB%q=yGcT(oH`CWL+dFE!CUslX}J*b&{f@KOsepFo9@v;h66Qtxo*5=+m@a3{Zjyuj3y zEGOSeKUb5$$RZaLZKHCFGFQha7Xz-;0LQeTY{$e@gLDJK;DU?-_u|5;#3&;V-yo9; z!?L8%WaGqu)F`8}Qp>B=Q7vq;=IaWkEE28M5hq{oV2Wr%;LaI{ZxxwU!SC6X9F&Gll1&5_hgrX zg3R2cykMh@!T_U`AngE)pei3H{St%X4DCXXDqmk`eR#YT6(=fW7lk|f1ad`GWg7Y? z8Wg8TrMl!~mU!i4n5FxAYdd)x8(8F|6+3xm8ia=#>wA_*W>=UMmHHNBc!Zc)`00BF zd1d8?ni+BVXZUyqIU4($hvZ}> z6*!p|1}BH4Ta+3_gd3-OmKEeyrTMzLY8#~Hm_)c{TZHBK7lj#RnK)Tw>T|gkq6&MtiIXk9iS5+7$ zMmW2NnwxT^c^CzkT0|LTq@{&L1rEg_FO&L1s}@c8a5gyPs=zSX5q8kV#~wzn8H^x_^GUnSnvE zTT;1&L6JFESaG3Wlv#m!iD!jplD20_PEfLCYPnI0nT4B6L{Vr+WL7$tuCA_vwsWqz zd8(P2OF>d;aZ#94qPACFj-O*>c1dPrpsRaEL3of?d0=6XkFhV;=Lb(4Me;Oyj&>fn zar#1zywu%i4vxmQ3qG2i{=+5k`>jqfk5BOLUBNj;J6tC6srlwP%!|KN|7X&r%9V*M z^A`0@5&ODU>a3uyZtV{5S1006v)sxEw6(NP*>^nboK^fC`|K~inKM@}o@K~ge|)}X z#{IU5oV%<=^;SQuwOz$}@zdMIj#Fo*+&RNx%`0Dj*5S#N5Wd3BcdzAD6ihaK&S9F* zWD|S!oL5@#MVI=s!jguGni{gVEEq)|y6oL`qQ~+WXW-4 ssh-ed25519 lHr4YQ S/Kuy8PdLoLLRDvlDDyuDaGXGb0RMBJKo9XyHK2I0Bg -VFjemRE9hOc/fEol+2OAjM6d/5QLPeeo0ytdgcwa8Zs --> ssh-ed25519 h6AgbA ParmcGdbVHdvihrEuV+nLBLDnTwKR+zoxc/O0LdrUhA -L1kL6sr4ak1DTTaui9k6tpPJ1p86bKAoOcPwCJu7vr0 --> ssh-ed25519 Wu8JLQ hTPuIn+IogmX6U16p3EQ/9C/L+X7dZaQaBrEAdq4twM -QhnuGbpuqpFFujNlXSDUDMEGHK875Sr5hHX/q2ShkhU --> ssh-ed25519 cvTB5g P8av9KTsR9ccIRPz0TABQF3EfeO+cyn+Od+shxeatEk -GnExLTBOicvRs7neFPL/GLxE6hqpdqNV8P4nWRbMjKU --> ssh-ed25519 /vwQcQ WE0fxso39H7ZyYwJ8eNnmrLgf0xL5AdpHZ1mrvbiPyQ 
-y4GjFZuYtiGg6cY8ZTOKHbYjjFJoFI5W4IF7np/OB/8 --> ssh-ed25519 reTIKw LxM4ihcAb5u6rKqtrOUZ7/4XXoMVbf/HHhby/i9Xbn4 -O8KkO/99T2lBttsADSTJE/18ljFrUjrJWhK7peehei8 --> ssh-ed25519 85WiGg +GtCSdOR7TTwu+zTvwOoRhOE0iLwB7JuFaZkP8cP+Fk -0GCjcBgOPeynvAUDmEioWPJMhZWGchKKukGGXHCBEUU -> ssh-rsa krWCLQ -bSk43qTcHFgrS7AeXTzUbx5FO/1YrLuRlm58lcXpTTKcRMZWKmFbPTVNdIvkT4xt -B6HW0OqV/Ks1pbeJUCPRdLwYHYULEC4quRGlgeToXoUQ8zCvcPT6uikpK0Hzne7e -WI5MLdS3vvAPljlSSaPN8gb3yiPgA2IPrHjqIsMNkotGFjUQ/oIyJ8YcDsSfGE2T -Z8+TOj4ZNxPda2hX7mL2x2dJmmQW5FkOVtSpSyvwpkOqPOi6b5vZaWu/GtXzGEhD -SD6SALiqmWkCHb8n588XDqKj8Lj/741R24f8IM8qW9cBz4QClh3Bnrl4gendsUCp -PkQPjniidi/aF6sHhfrSNg --> |#4-grease y%'e^I RB nBNinf \dob -L2HkuH7S3KtuQN9AWLBL99nJPxVw ---- +QOdyAz8FR0RecYvvkzxv2IzJ9yt89/xePALK3l7sjs -&,NpJ~ ƅ˜*,؆5:i W}m"Q-FJm \ No newline at end of file +2Ak0HJ0WoUuCQkjBPjRgrFQmHSBP7Lzhwp8JZ22lSDLO4OzGLuyGnmI6f+x3mhSM +UP4X4fz98ygYaPTKHzgs+ALgoe0ZOzIRcrBYKyAmI92iuVk8QJrGBaFsi2e/quur +oRaQybPXCqbGeaFhLY74RHmtbby5zzbQnw8f5DRKn3oFDYgCUMOKdTPI3vsUDd6t +dLmFCWEhGFMwI9bve7bVeu2yKMWpOIIsVgkabSy9EQ0gEUwoXkrGNpc+QqqR2qbJ +qaLok3zO+giVKrzl6+/Z/tzHQ66mUTIZAD7HmRFMqBRBqo2heCtviGyu7NPXhb/T +vTVzgL7fsrkaYd59O7BCSg +-> ssh-ed25519 85WiGg UgubbGKRmcFV5N/Vyo/HEBtGG0GOvZS5dSDnYoWzeSk +N2CZ/ZJJLRTdwBDCVNrXGp8ic0T7ZHx+DfPcXLeEvXQ +-> ssh-ed25519 reTIKw zl6eZh6NG2Y21AElt+Ag7gzDmtzXP0h1RjhVzaiHUg0 +PJU/i8Za/JwrCLXcH0vtG8CDxv3MDHCzEYiNIhperC4 +-> ssh-ed25519 /vwQcQ RS4rv5dnajCSAdcFj96HOcMBHySk5yBrmepNdlOcsWg +M+dCeQCP3rl4oT8IrkParBnaaTfUNbWpgvbLou/qSp0 +-> ssh-ed25519 cvTB5g ZR5ayyiP10Dec6Tg2HYcl5q0dkLSvOgRxeeVxC1Plj8 +aiY/6wY4rmB75NRzcbFPKu7nTLKZhgqOuqAZm+9UnTs +-> ssh-ed25519 Wu8JLQ 4nFItVARcWbkkuyaUcgdesLSOmiomY0Ht2LxXX1/L0A +dK2/4X6OFbn4Y3gVK5zKRV3KySiCHzGnGewhZmqETrE +-> ssh-ed25519 vXYJfA k1ANIqwNaMjipiCobpBWMlhbCyudoy7vpuajDK7mLiQ +uudD1Bk1+EWmL3o7VH6YSbv1WRCw6tsDV0HoQ/zwXwg +-> ssh-ed25519 h6AgbA EvhvmT6dx3HAqioaFvT5u94cTk8okjhGgzyxXZF8LyE +R/xTeW/rJEl50kG8e0n3NOGpX9XI13Ftq7ULYNHVaCM +-> ssh-ed25519 lHr4YQ 
WyG8hEoGZuNvroTdmC8RST7l/Tu7UUXgeG3AfLA0p2o +qk7YeUkrOsRbqnYXFXZAkiOaW6rvKnSaZGSiBw30b5E +-> V9T>@4JS-grease @h!7BAa9 +nPtMdfgbktgg20WlJBrQlhTDMI8/i31JEDnZjF4u7RidDSJ5lxzH8zI+411CQ+K5 +exQ +--- YY6c8/qxiWxaK31KW+3QP6240bmnDJZ9EXrG7dnyJcE +N|J +ZZ6#kyH; \ No newline at end of file diff --git a/machines/core-services-01/secrets/matterbridge.age b/machines/core-services-01/secrets/matterbridge.age index f4ea1d5e441eaa4b392dd2f255f591a06a917bdc..526ab31d3e0491b21298d00e4e202bb1bec705d2 100644 GIT binary patch literal 1559 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!*`Do#|$E(&+{3FPv3a&!u*40kDZ z%nEi)bSv>KD9LgP*DuQ}^mp_v_DCuS4l^*zH+QV`2ni1HbIUbwDhqJR(he{xaZ3s= z@zUptGz*CG_Ag4w56~`m^h*i$cQ^NNPj?M-$ujeHaV`!H%ufvo@eNN4sBm&L@k_C= zFgG@=s!Vsu$;>J)&koAwa?SMf%kwFBD)b6-stn35DK7923CPVgO3QVra4Idzu?R3P zGxRVmbhb#(DzR`kj&d!xD7Hv)3MnmfF>wqF<%+b(cP+_wxAYFEN=;44w{Q+IF7|MZ zu#9qyD)lOk%q_EU$_|grPuCAK^9pqGsPc2msZ0&NP4&rh*G)r=_@bPmF z_BV6QD0R{

5?F3FAzNHI-|2=VtU4X?;dDasEhN;P+L(|0NJN=?d1F?aRL2{bj& z)pq2{57RDntnd$XN-cKuP0CFQs7NgHOoxSbYKoDmsiCEUg=u)Ed%8kER*Jv2Sw(o5 zcABw&fm21Lg@IpaWv-E%t^sB~MH!aG?!{bHo}sP=MXrHf&LQr>`UN40Mj>U!`oWf| zrEc2EMOkHOj#c3)hRJC~2HEJg>6euUCI>1QRrrTRcozCNMHQ4rd6*`-_$Ma%S?1=s zxtDkclw_H@rkIBm`bL=hWt4M;L>B8CdKM-+`e*s%7L`|-6*>ikTNtM1xTiUnd1i*2 zn;33tM zUy_e*TX?C3mrtNVSzd9uzDZ9kZ(_P>sb_d$zH54URasJ$sYzZ*iMwxM zo^vr*sDDsEdT5@ZdqhU6XN7CHQ)q>sN4iC%TTpREVuh)PtFcG6p>c6!R)`6@ZDkRW zUTKaBuD%%_h89s}t_JDhUasDuN#-HNSzg%{#s%SNF2QDjDVa_s*_Qc*1`*j@rH;Drumo| z78F-FTUHu71r?c^hXz}g1bLcQn&tXZTW^CKjhEBxkw1T4-5vap~&nDnxl3 z7V5i{WCj=Hhv&N)IT^c_I{62rn3;G+Rg}6~c;vfy7-d<8qz31Qa%t{7eB>|t^d&Be z72mg3y@`(Cnf+99F`J4|)o)&>lUq}F?iD(E=<=JpC*O7GI`REnxx{Zr|FVP)PprI8dbOWFSN>9d-g%~vS+*|PUbCdH%%{(D)=eAenZSFtD{?e z>q92`FWD|{`ABsKN6zKO{d}LlyF_VEIuSSJ;!eLW2j?E{J|ey{wLfP4>7~DKd;8s* z@?dITe%{Jk-xGy?WvfZ;FIj!NBHg;g>-Jp+$92(rI5wY??Fb delta 1441 zcmbQv^PYQxMtz=XdZcf-d$y^Eb52QFh^tqIc0`0vdQO#jZf-_|VYWw}nM-MsOG-d$ zvSW^ZxPG`(VUnYThqIxvZ(ycju_u>NWw~~Wwxd_1lSf9HOTK%EzH3HKs=IfpL3nO< zMygj)l%JQgaj;iOcv7~1P-R&}k)dIElzDEVQIJ_sRehK_S9n!Mq(x*}sH>&Ek+YMp zc~ww;Vs2K6L6~1eXs$tFkVmqYVUf9oV_1~FwyUvgSaFDFcD_e=MR;XaewJBQI#*y$ zlD58QrfZ_3lT%J|q=l13utBO(l%H`*u5)RQL3VzXqp@+eOI~JaRZvQqQI%tMR!~%7 zphtMFMSXHoP^lqTctCKWn|_#Ku1R>1zp-PPV|aeKwxw^ep=VyGQ+a-HxL>xmQ~7fO$ojaWa>sONOz9pMR2hKw^NQg|BaJaz#j0cygw>vw=ZkZfT;kiFr|#VOW)) zx8vlGjN;)L#-7f(*?Fd}5dr#61}^ReCV~0o!Aa&7VZqrs1ty`%UIr;q#qPz~p`Kjc zp-D#OVTo0S$x-={AxWtLMWu!&m6=WzB`Kx)d5LNHMk&tz9wnLO$?22hnZ(0Qz5Ogp zGcqE4T-_?N68(&eeZ&32+>66}%#vKRqa3|_s$AVtEK|x$odUW1!ZMO8f&xu4LJYI~ zE3+I6T`NOVGt9NqL$iu4y)z3_-P2r)D|0Oi{6Z(6WfHG80a5dm^a?N$pPb@Mu%}&kA%kkF_4K(x$40Dbu z_i%I%k0?rY_009lGja1MDGo)Cg78ucFP}h#GJ`@tN6V1RaK9iE=Lp9l$9l&i|FWcP zkC4>FOyfio)372(U;U_5-w4NYt`gI{0B4K991~+#@02W)!eTe$fU*ovLk~0KaKnu3 z&=B7+GyPKI0FQ82bn7zA9Mh8=6^uh7{6q9jjr^1R63e2BwY9U;a}7;PU2+o5f}Kl! 
zT!Vw^(<~D6jl$h49Jvz9$_m1&a(x0)Bg)M4bE8s%GJ{OD{Y_o75(_I$QuDox(z8ol z-HjqsF|5n+C^Cr*RB$p6uyo1ru?$Kt&Cd^wG%@o?OZ4$K&Mk|wNHjL{2~SD)cQ1_a z3ya7u<_dKSGSsi~s86f#)%GnaGD!1uaW4*y@W^wkDhkN+PxCX&)Xp<9D)o#^Hvsw0 zRxd>($4fW8C^fM-Rl!|PL7ywt oyC^y^0yCmN+vofn9H_s!`*vZ4cqBPSoxXP%s z%Dd3TGOyC#(>Ti|&?&IQ$Jjk3*vHw~qR`3NETodl(kQdu$HI|IS65ddJWt!lFDu2c zs46Sa!pt!#I5jxU+u5MN)yOC%wJIXTB{!wQu`0+pJf@E?(;)Gw{9%a+&N zdLpfULOjRr%Z^F)uQoD0d#KB8d8^m&^vAZJrvz5TPY`}=3er_^c5!17Cw`|8ZM#*4{wZ9YJ$XL`nS$domQfZzj>|OLt zWZKOqW(pr?8{MA}#_}(}dh6%;3h%lYw$0B}HeId7TX8jCoAE^J^}QPe@3wZZFs*v~ OQ?M~|))9r}i ssh-ed25519 lHr4YQ f3xLHRyIx6oPATsv5yBq+pWpDkwJ2xt3axevMNjIUgA -RK2bLPZ1dwDExqbQ1Mft2Z9xGHpxSTDuTv0AgplnFzw --> ssh-ed25519 h6AgbA fPy5Lv6ZcYB9xDyeHNTueRKTvvC6OyCrkHzF85dmhh8 -VzMkn6iaC+gwDXkaCzh7ILTdWMBqUYvYmrQPbiB+82k --> ssh-ed25519 Wu8JLQ BSn5p0Wuv8CuiHJ6AdLuBLOst/2/mK1fs+zmgYao6kg -m/NfBqLzcyTad8UbiDSMI3EmcHWccpgV/wRKKeSO6bQ --> ssh-ed25519 cvTB5g GP3EP+t8uJFKGAKBwwO7CmXa3JGTFePTANSINPdQuAA -DoGUKpuZTQ36hM4B7eqwbfGGKM+pxsYtoL5UjEeVdD0 --> ssh-ed25519 /vwQcQ K8J9qbUjPPhuYZ4/2rGZWX4Fb60WZACwmFPGXUT9Yjw -N6lTZVDVxTfZTSagaOi4dbVzylljwGWAd06GbeVloRY --> ssh-ed25519 reTIKw +7n56fmzzYOkArtH0Zeh26zHlE/lWz1gqyoCZEMMRDA -E6/dLGVaryFfqf+7DmwKghtGmtUUGpMFFwaZc3OvJ/c --> ssh-ed25519 85WiGg aHBishjeSTuv/TYVcZQzALC8DHPbYHf9dj+igMnkkn4 -HwmPoIqV3Y/34Azf892K9nGJ1hh2KWAh3IzLiGVKeOs -> ssh-rsa krWCLQ -A2IHEB1lR/eHwOM1adPnvYZUmJ9Gf8ADZvOpzHmxVC54VP5EZLnzpcdzIKlM4qOe -vYs7PdGJ56iGd3JS2khyc5oCc/NEYu85i4eyK8Y8JMqSFyYVNpH5rVY1IuHhIwW4 -biLSvPhKejtcjGkJZGebm2yA3TuhS5peZRUBh2v0sf+PjblsULrpupSRYAs1IndZ -1/Brrub4BfFihZh/uCN1iq+lWxUG5K1AR4UhrX7s/qq21sIP+hlhsTzwj5WoeSPV -rrYzi7E1v8nP6YsP965PjNFq5yJYKRZdw/QosmElRF4Ar3PP+fROFLfA45LmQpLh -z2P/QZKQ7BaANqtz1ryIZQ --> :N*xgmZ-grease S 6b.gme t1.-?(l6 -JJi5KPF7Y07dJexK5CNlZVeYnM+DaRUqYjChAQO041COvkfVF1CvwLTYZAsZbw ---- RKQ3nSQxdSjoVBEtg4TrEL30ooOTpyZAXT5TcOM4qWE -zƦ6JRURh/ &5cKG%hpI;.NQq"hq|7nC92/"ɳ&uKʪmCB-Y̫jTkk Kۋ]}ˤiރF}ٟ- 82N}Ȝ(JAd_Hi0T"8}Q$ \ No newline at end of file 
+U2lxIvw7gRCjMGutUFyq+qGiCIFlbsPdbfzqy7b27d17aSjXds3WwMPUQajHMGXl +tmM/gDCOV8aY+EkM8nQIKdSGNZPwWHlqFyBpH7b18xTT+sWLBZnKcQqVzdF5n1yH +s6LjbcstDiCy3h20hfOjoi+qvK8AGbWnLueDI4g/BWCLBUmAC6zPX04GFAstzg8e +b8wcTCsaeVJkEVvI9caJsFpoxKttbjWUOb2jOzquyi1vIc50vWBNLlulzf0Cd523 +niyjvtEyVRmHjTqs2D97DLuKEE0U8x1ecI7FUwyDQWFj4RmmoKm7TOvGva+alol/ +mclOlWBaMuji0SWwR4GQyQ +-> ssh-ed25519 85WiGg oTAqEjy2kEYw0EEDFzmv3EYWY3gKNDGsWbztSN6DG3o ++Q5hzzJVgdtFiNtbC37n9tZsNK+onqp4P0myPLpGU0g +-> ssh-ed25519 reTIKw SOCoiYn2OZ0WbtgQFsJE6m5lbeat36SVF8Om6NHha1I +BLsO5DrNci2ShXI3wBb6u6Advjc7sOCXEBd6mSawkEs +-> ssh-ed25519 /vwQcQ zXWEMSbRm2mI4KoMj2tbqP26LTAcxeyLUv5b/UzTaiY +HMOyH5OV0XmQsLOtzIsHf3UFYKUoEswt1a6JOu/gl8w +-> ssh-ed25519 cvTB5g 1HPXsPtGaCCHPHEXQKVNLRGXb28S3hXUAyT26No80gE +NwPkRoRdd2juOWHyJV2aNwVQzGvwpf29mKtcyKSUHKc +-> ssh-ed25519 Wu8JLQ tio1Sb9rHwAvoDRH783Ts9S+mS2MWnsqw/L4/To1lgc +Tfx0a/UKGiiMsp8rkhbaLpsS4JJIgMeWCDRZ1CxWSHc +-> ssh-ed25519 vXYJfA GnXJG4bbDQxls3yLVd22CHmrrkAZYQNbXcpr0iH/8HY +uyr6VTHwfU7FjA29IJM9EP37K+QyiWIrG6CUpWyi4o0 +-> ssh-ed25519 h6AgbA p/FApRwDrQNMdSPYV2U+CyGqdYZG+enC/TJ+Ht5RtCE +T6e2S9gZVi24ayGzKGHL19Ezv//f/0+BUAnkCf6g8No +-> ssh-ed25519 lHr4YQ JQXWGrVi8YLfI0DWfdyuxKPGVa+SvHIm95YGzsyvdho +yvQpw/1GuVOqBBFwflDXvcIhuw0ABqqwByJH/VPRICg +-> J9VGuOkA-grease + +--- aKOWgh7PjxocWWeImr1UYJhhFMlzDJXvP+Jfbrl3Zzc +7T0ZH48ntjlh}J_궞PMw%tgm=[+nbeH`ёyMe\WU7ӵLB 2o]cS~է2C5Mybi62~:BFh1B'lm`fKvsy%!2~$\^ \ No newline at end of file diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index 9925641..79b0d6b 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix 
@@ -2,7 +2,7 @@ let
 pkgs = import {};
 lib = pkgs.lib;
 readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys")));
- superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf");
+ superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "hubrecht") ++ (readPubkeys "mrf");
 core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU";
 systems = [ core-services-01 ];
 in
diff --git a/machines/core-services-01/secrets/snipeItAppKey.age b/machines/core-services-01/secrets/snipeItAppKey.age
index 3a393c2..cd9bebf 100644
--- a/machines/core-services-01/secrets/snipeItAppKey.age
+++ b/machines/core-services-01/secrets/snipeItAppKey.age
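Review bot: Adding `hubrecht` to `superadmins` changes only the recipient list agenix uses at the next encryption; already-committed `.age` files stay decryptable by the old set alone until re-encrypted, which this commit does (the diffstat rewrites every core-services-01 secret), but nothing in the file says that step is required. A comment on the binding, `# Recipients for every secret in this directory; after changing this list run \`agenix -r\` here so existing .age files are re-encrypted`, documents it. The reverse caveat matters more: removing a key here never revokes it from ciphertexts already in git history, so offboarding an admin means rotating the secret values, not just rekeying. Note too that `readPubkeys` reads the same `../../pubkeys/*.keys` files that configuration.nix lists for SSH authorized keys, so one file now grants both host access and offline decryption of all secrets.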
@@ -1,27 +1,28 @@ age-encryption.org/v1 -> ssh-rsa krWCLQ -i/TW/dUpeS8QL9ZJg7xKdGW65D1SWFjMpolf1BgEs3hm6uI2W3RWUb5S1PEs6HdF -l/yiJtZeBC0e0QbaQ776fiy0MSmuMgcRbJJ1rjloGwFzwwvtqhQMG8rLp70IPZoV -F6sUz4jKHaEjIVVbRokdfIKMSnhRXnbW5domOxPmZjXck7YxaR1zqD4S9PtH12Q/ -P+l/IVS6+tuWlaTs+1FY2pQ0ppPkwxBirm+4/dxD7E5MkOT0OFcpopI225u2vJAz -Hfk6SBhWuOu2GFfLDS3sS+50kvx1MNvMeb9qVYHkxE8tXhJxOpykkzwYktYp17jY -m+rh1gMPt+mZV2ELaZkGjQ --> ssh-ed25519 85WiGg TSVInZQdH1ZbhSG+FptwCu96UX1SHAhQNculIk8nVF4 -L1ptiGhMZN78uu1TQ2qVV73+lhlgD34g7xt/AL268Dk --> ssh-ed25519 reTIKw vrZd8hFFywOmDJxAq58Tt4Wdq2ovft1IDJqCvkpRU1o -9TmODia85CwXZmzdxk6W4LCflCybq7O1WWoqG5vxENk --> ssh-ed25519 /vwQcQ NSJNN/lRO6TbOQTlY9bT4kdEuP2hElmNIcKRI4ilrQY -eGIr9VQSrbG4hB2XQGYXquQVZIkLRq9g9+Ap25YSWSQ --> ssh-ed25519 cvTB5g 24UlsKN0XaA6wW87zj5PkPy90LUmdJe80FV2LVLiwzk -57VJ2pf45+r7CgMdr/78ngWll12Se7dS993i+YKp3Vg --> ssh-ed25519 Wu8JLQ wgWSOp5VQzF+pvL338wOwaJ3RIIi1I4SNqW+vT6NQF8 -HVTfWqmf9CnEkHFpu9NWYagwwBdW8NumwFcUvSlb9i8 --> ssh-ed25519 h6AgbA ZRjMQkjz+sw2BZh/myaSnMgz8cngGM9wxQf6L6uPxE8 -OgYfhTQe4iB9SyL8iReQByA9N5VcUC/YvpvbPIgp/3U --> ssh-ed25519 lHr4YQ JAnhqkgzuCDsmDYnRG/DL/MDrfA/0uCZ1kpZSWiuPw4 -uMPzV/uWAozlffoqIDtTcI5CI3FAzM5fzDuupAzgE4w --> 3[k-grease l5" cr(}p5 s{\538Js -uR+N+zPd323E/1K5MdNaPzAeNYBYfbmmsxtQRufVjMj8jobBLhHq4RVJ/E57t8yv -4Cxp ---- 1iiPH5I9CDFZwZQwRbhKnqpZ08vTMP1u4pU3+hNpubk -ےf(Tח,4\hKT džq)e+}u 'hN/䶢6B4Kң \ No newline at end of file +gBB9yfHVs4Zgm30rbXOkQNZjOuQVFt9Mos4gBoM09M2psLLxWzsoQopWVcvbV+sY +oZAThV5F2E+RbOP2e9+o5P+rxCcJa8aAXovtmH2BZvr87jNi8tebH1l0Gjn0I85C +B+vv2/m1KCzisCR3p6yaqBiqyETacWRCuILVxKbpnKfVX5ymb//9U0tRbz3BIFH1 +i3bAD8j8H4V/5SC5RmYwVeBhdGqEaNX0Qehh8AhDkxoqMT3Xeie93eIK6tyAZuyO +oQezqkUmozq+uvo6PHZvY/auTYb17QTY0s0xf30NnQoqwtVXnyu6xPx+qlj+M99Q +Y/s8SFF+STLrAgK9MN0i8Q +-> ssh-ed25519 85WiGg zkLuTpJaBr8T0XjuC9i9NTxYUPhix9nLlShohTtgmyA +QwdgD0ihIpJF8D54x2Lg+6CE2yV9nLBZ1oOf/iwUKi4 +-> ssh-ed25519 reTIKw wB2xC902eZiPXXU9n+oQSocx6J9h5IK0jU4GqmB1XUI +awLSPDqOAOM2g7Wrg6uCMeDRVljl2cdZ40gHDON4DCU +-> 
ssh-ed25519 /vwQcQ adFZcuzNWIhLFDhF+FjfnMGTpijt4IKO266M8xpZTHs +WR3ig0R6ZgtYLxhN7bm5SNJ3klYvEkMlLeuC/GBxi0U +-> ssh-ed25519 cvTB5g 8Gl7qbc7VZvkjjHesgfgdvtsCntNCxyUU3hwXMaIJUA +uEJwhJJa87+EjpTE/+3jPnNtgFTHNZkah78URULI1nM +-> ssh-ed25519 Wu8JLQ buWP/UWAYd7nAAdIqJjkKq2q3Kcj/TtTm9MacGkoMh4 +g9ngALRdWC96t7FLES79gKQNK34WbKHqdw4OCryGx74 +-> ssh-ed25519 vXYJfA KT8pRDwADkV4ySKY6HejWKp57aQUWpor7x67x1Sc3wM +th+47fUL5KOak1tEeHslVg9KSxw5DPIO6T/UtfEK6kY +-> ssh-ed25519 h6AgbA 8kWKdngdG4RbvQHnkHpygz1fhzMXpGafXltQNa64mAU +hZZTmthndfMdMZiaW0bLxfiySzFgnKmd6t4u1PxLG9s +-> ssh-ed25519 lHr4YQ JBCRJtCaEH/Dp2em66/ckqFva6JpyeUAHJidVysAsmw +SGyzp26GIo+D4VQdzJZEBUZYvAhc/SZy6rdd6HXOawY +-> 1-grease +niVrY0FwL41sfeE9fB6hg+z0LWMXwce194f+IIL/F8JMIfTnFB0CRAn1OGQ +--- pMIf8bANx+QsRTqnWxPmnJm6DVMmJBEO+emeOdLeeec +.AzJQ[)s!2m  ssh-rsa krWCLQ -gPydOcolFG+axyXPVVYYjjr0hypl/xczmMM+W+BbfZFaAL0TqXpqRgjtZSNvA+oh -+JHdr+/8IHh2qCS2vtzuH5lAsjM4h4FPPnGixX1SI9eNH14b/Otmoa/OtQD4pHcB -PYbh1yh4AILggg1ZMdttS+FUuMtu2A6y2NZYSkbBLy9dwEdZNBs0/cX/xNEqK72V -JF0BuGYvchyJ4ec4/m1od94dVva5qKUvK6mr0u5XPXObEOdZ8jJwZodJjrpDaEHJ -/yt8svY6upoXIdM4dVbY0Ab1VCwXf+tbGuwypVJF2TkeVW5tbImxuoTPE5XNdKLF -XU6RfHzLjUnG1T+dObb9gQ --> ssh-ed25519 85WiGg lVvfjaLUhjdWgRnz0supjMNc6pDpbeEy2Z0fFOc7dkQ -srngyi1Wdi1lcXFK7MJtqt2koZkopcXX+hOFENHXJgY --> ssh-ed25519 reTIKw ubW5n+mkAgxwHT9okMRWoE9k5ZpWN7UQDrvRwgS3Xio -O7GRq35wulhSadIAJ7C0ekLQQVk209yGiSaWg/VNgYU --> ssh-ed25519 /vwQcQ 0FZbpEDS3xuKyPOSExt4wb/Oi0xlTivdLlpKuXicqx8 -3ZMA31MUD76KNK1+yX2473wDSv0oyheT7jAmvnbPJNg --> ssh-ed25519 cvTB5g 04++RfeztjNzyHMW7WhxdAWoWT5NyatCN8zf7xFYiCw -OWYQ3oFR+/NjY8skMpzd0eS9fsAeugO+loiq4ZqEVWo --> ssh-ed25519 Wu8JLQ b5BEsw8GS+LUcLZ7h36WDHp1uunlVymEcCmAcs5xaHQ -4xs/EAPRD4Z/rL3zisjGmslVt7OHx+Kh1kJmdBAxED4 --> ssh-ed25519 h6AgbA wNeprhlhTORbN4WFxWPJO0DV5vBVteE297O73EfngD4 -sceiHAg3S0aZ9xGIsw5VaPJkAWCci03SrHM520pb+Gw --> ssh-ed25519 lHr4YQ v6dG659zPeUqbyT8To8oGf6Kp3y15Z2YjlzdLVK3FCI -wB7EFm4tsgkaYexLfQM+lkNtUr09GWlLnh7CbgX3Ifc --> =-grease zZ5 e./C_ 
-z1vYPnfdTh+G0bc+UvV1EZMSfaNDsWiDHJ+W+1CB2+Z4pOnQt2jBFPYv7rE ---- LbcSlaucZaWsTqBR9PIA46r00cfJtG5ndinWSzsnl/0 -1h~sȰ#-FX/2.ZF?wE]ic.%b-wt܌q_%} \ No newline at end of file +LCJxUzS4Be2QQABzubSP5M9Ridg3Srytbb6+SLITgnRqb0fT5XkG7z4ae2lLMVxT +zJxrZX1crlg/nyibZychMwZDqNofGGKX/zSKyF6u42hqjAtaDneg6jB/T690sSpD +LcuTHUcPLw53bww4amLU5FmFcnGWMHTjmXj6oQ5lks3t3KO9izA+gDJO5kFIYgQa +Z0kMrlH21m2TdyGW7Er72qAlT0euwCKlWGGc1NAaSWyu/2gimTHJ4p+KCOpi1D7/ +cIxMEtXHUoS/vtINi1lZypETVZf9C3xfqZGCnu1xTpFcF8pBLskI/Uz4cxQGLAk3 +xd5fKuNVBnLc0Ku+oFR3zA +-> ssh-ed25519 85WiGg N5HOphuKLUksJTA29E/KHZAdyvTelqq0Lai3KtsGNi0 +6PilN36eZH8KYzQwqeLPX3wuiW4THuFef+ttoJh0BUo +-> ssh-ed25519 reTIKw epotGRShr91lRc2IKDkgfaDd4EhkDtF1jayFv/YW5nE +mMFKyzH1q8ZsUXfLnqFfHT88iz/i4WXVVuWqe3z9vx4 +-> ssh-ed25519 /vwQcQ DvVlWcbAA/xPTgDtpMmSyC2wxrnOM4H/dC1Vhh5Rmhg +JCq1yS057vqOFKZL11YhC4/rxYIRGAUI0y97Uch4tS4 +-> ssh-ed25519 cvTB5g EQ/YM5UYYp3+fS+6u+CwZxUn8Sm8vdqj5xHQf0U0MGc +mVhpObNYWSrAlh8kfADzGnhOw9O2r07v2RJH7DZhFkg +-> ssh-ed25519 Wu8JLQ k91dq2XwhgvE2Y75KAJWzFlPLXv+8+kTvH7sELmsViw +gpnxsNgbeuCYBYUt8j3mGm10rOGAoN9NDYVbObE2zXc +-> ssh-ed25519 vXYJfA fOpqzkovWF/hLUrsjrDwFUsKG3Pa7LQQ2QTiYWT4Ux0 +AM1EdbC+Sg37PZzXf6vsmeXSMMjXRVQT3mq000cmPw8 +-> ssh-ed25519 h6AgbA LWhZtBUJXu15GEIwSyKraXkaO8CO7/TuLSxsnbagQTk +1/It/vtykYe2NzG4r2J53yW+ZS2rgtUVNv8hlWYQnwY +-> ssh-ed25519 lHr4YQ zEMhvSZsUOiM+XEpuTljfKE1MqyxqxuL0yuKTj6E1Vc +J/pYqeaTK9NLIhSKeB0CFSFNLkVeV2C5enKVIRy5+Po +-> #Oj-grease fdq ltL1r ohAHn[aU QF%DKt +G2xXhW58AunOBXwtl1mD/DqdsHRoyjMvVl310MPWNFSSmLhG/UG7pQf3GUNsfThQ +lCvckvUfcYRen/hrEFhtyg +--- zwJ1Ma9A8rDbUQLAFpDNLs+2Iv6RQvEGlDFj9HVDRRg +;>qg4*b~G+x8 +,5!4:֖\go \ No newline at end of file diff --git a/machines/pubkeys/hubrecht.keys b/machines/pubkeys/hubrecht.keys new file mode 100644 index 0000000..07fbe76 --- /dev/null +++ b/machines/pubkeys/hubrecht.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv3iSpIjeUVDf+f89Hb/L++vzMX15Ti/PZTjAAG+tFl -- 2.49.0 
From f410aa4c7585b563ce5cf67eef69f3fa25eaf363 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Wed, 25 Jan 2023 15:35:41 +0100 Subject: [PATCH 131/149] core-services-01: Switch to systemd-network --- machines/core-services-01/configuration.nix | 65 +++++++++++---------- machines/core-services-01/my.nix | 20 ------- machines/core-services-01/network.nix | 36 ++++++++++++ 3 files changed, 70 insertions(+), 51 deletions(-) create mode 100644 machines/core-services-01/network.nix diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 7aa5220..d8284fb 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix 
@@ -1,37 +1,40 @@ { config, pkgs, lib, ... }: { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ./nur.nix - ./rz.nix - ./monitoring.nix - ./programs.nix - ./system.nix - ./acme-ssl.nix - ./dns.nix - ./netboot-server.nix - ./qemu.nix - ./gitea.nix - ./dokuwiki.nix - ./nginx.nix - ./keycloak.nix - ./acme-dns.nix - ./backups.nix - ./headscale.nix - ./snipe-it.nix - # ./dex.nix - ./oauth2_proxy.nix - ./secrets - ./matterbridge.nix - ./tunnels.nix - # TODO push to gitea - # TODO ./gotify.nix - # TODO(Raito): ./backups.nix - # TODO(Raito): ./snmp.nix - # TODO(Raito): ./sflow.nix? - ]; + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + + ./acme-dns.nix + ./acme-ssl.nix + ./backups.nix + # ./dex.nix + ./dns.nix + ./dokuwiki.nix + ./gitea.nix + ./headscale.nix + ./keycloak.nix + ./matterbridge.nix + ./monitoring.nix + ./netboot-server.nix + ./network.nix + ./nginx.nix + ./nur.nix + ./oauth2_proxy.nix + ./programs.nix + ./qemu.nix + ./rz.nix + ./secrets + ./snipe-it.nix + ./system.nix + ./tunnels.nix + + # TODO push to gitea + # TODO ./gotify.nix + # TODO(Raito): ./backups.nix + # TODO(Raito): ./snmp.nix + # TODO(Raito): ./sflow.nix? + ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; diff --git a/machines/core-services-01/my.nix b/machines/core-services-01/my.nix index 994190f..4ac6d20 100644 --- a/machines/core-services-01/my.nix +++ b/machines/core-services-01/my.nix @@ -99,24 +99,4 @@ in example = [ "10.1.0.0/22" ]; }; }; - - config = { - # Default IPv4 exit route - networking.defaultGateway = { - address = ""; - interface = "ens18"; - }; - - networking.interfaces.ens20 = { - ipv4.addresses = map mkAddress cfg.ipv4InternalFull; - }; - - networking.interfaces.ens19 = { - ipv6.addresses = map mkAddress (cfg.ipv6.standardFull ++ [ cfg.ipv6.acmeFull ]); - }; - - networking.interfaces.ens18 = { - ipv4.addresses = map mkAddress cfg.ipv4Full; - }; - }; } 
diff --git a/machines/core-services-01/network.nix b/machines/core-services-01/network.nix new file mode 100644 index 0000000..d3579be --- /dev/null +++ b/machines/core-services-01/network.nix @@ -0,0 +1,36 @@ +{ config, ... }: + +let + inherit (config) my; +in + +{ + networking.useNetworkd = true; + + systemd.network.networks = { + "10-ens18" = { + name = "ens18"; + address = my.ipv4Full; + DHCP = "ipv4"; + }; + + "10-ens19" = { + name = "ens19"; + address = with my.ipv6; standardFull ++ [ acmeFull ]; + + networkConfig.IPv6AcceptRA = true; + + ipv6AcceptRAConfig = { + UseOnLinkPrefix = false; + UseAutonomousPrefix = false; + }; + }; + + "10-ens20" = { + name = "ens20"; + address = my.ipv4InternalFull; + + DHCP = "ipv4"; + }; + }; +} -- 2.49.0 From bd22c63ec4ed133ec7668841bf3bc69584133461 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Wed, 25 Jan 2023 16:55:22 +0100 Subject: [PATCH 132/149] public-cof: Switch to systemd-network --- machines/public-cof/networking.nix | 57 +++++++++++++----------------- 1 file changed, 25 insertions(+), 32 deletions(-) diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 981eff0..39d232f 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix 
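Review bot: `"10-ens18"` and `"10-ens20"` both request DHCPv4 with no `RouteMetric`, so each lease installs a default route at the same metric and which interface carries outbound IPv4 is left to lease timing, whereas the removed `networking.defaultGateway` block in my.nix at least named ens18 as the exit interface. Give the internal interface a higher metric, e.g. `dhcpV4Config.RouteMetric = 2048;` under `"10-ens20"`, or drop `DHCP = "ipv4"` there if its addressing is fully static; a later patch in this series (`core-01: fix ipv4 routing issue`) does the former, which suggests this hunk shipped with the ambiguity. A short comment on each `DHCP` line saying what the lease is expected to provide (address only, routes, DNS) would also help the next reader.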
@@ -1,44 +1,37 @@ { lib, ... }: -let mkAddress = addr: let - splitted = lib.splitString "/" addr; - elemAt = builtins.elemAt splitted; - in - { address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); }; -in { + +{ networking = { hostName = "public-cof"; - # Default IPv4 exit route - defaultGateway = { - address = ""; - interface = "ens20"; - }; - localCommands = "ip route add default dev ens20 metric 10"; + useNetworkd = true; - useDHCP = false; - interfaces.ens18 = { - useDHCP = true; - ipv6.addresses = [{ - address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; - prefixLength = 64; - }]; - }; - interfaces.ens19 = { - useDHCP = false; - ipv4.addresses = [{ - address = "10.1.1.21"; - prefixLength = 22; - }]; + firewall = { enable = true; allowedTCPPorts = [ 22 ]; }; + }; + + systemd.network.networks = { + "10-ens18" = { + name = "ens18"; + address = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5/64" ]; + + DHCP = "ipv4"; + + dhcpV4Config.RouteMetric = 10; }; - interfaces.ens20 = { - # 1st is for public-cof - # 2nd is for IPv4 → IPv6 proxy in v6proxy/ - ipv4.addresses = map mkAddress [ "45.13.104.27/32" "45.13.104.29/32" ]; + "10-ens19" = { + name = "ens19"; + address = [ "10.1.1.21/22" ]; + + DHCP = "ipv4"; }; - firewall.allowedTCPPorts = [ 22 ]; - firewall.enable = true; + "10-ens20" = { + name = "ens20"; + address = [ "45.13.104.27/32" "45.13.104.29/32" ]; + + DHCP = "ipv4"; + }; }; services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]; -- 2.49.0 From 455fd180d2b5a656dd87b2f5973cec4ac217bb5a Mon Sep 17 00:00:00 2001 From: sinavir Date: Mon, 30 Jan 2023 21:21:29 +0100 Subject: [PATCH 133/149] pm=dynamic --- machines/public-cof/nix/sources.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json index 3209971..4043d80 100644 --- a/machines/public-cof/nix/sources.json +++ b/machines/public-cof/nix/sources.json 
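Review bot: `"10-ens19"` now has `DHCP = "ipv4"` although the removed block declared `useDHCP = false` for ens19 with only the static `10.1.1.21/22`; unless the internal segment really hands out leases, drop the `DHCP` line so that interface stays static. The route preference also looks inverted relative to the old config: `localCommands` added the default route on ens20 with metric 10, while the new `dhcpV4Config.RouteMetric = 10` sits on `"10-ens18"`, so ens18's DHCP default route now wins over ens20's (default DHCP route metric is 1024) — confirm which uplink is meant to be the exit and move the metric accordingly. The `networking` and `systemd.network` attrsets are complete in the hunk, but the module continues past the nginx line.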
@@ -14,7 +14,7 @@ "klubrz-nur": { "branch": "main", "repo": "https://git.rz.ens.wtf/Klub-RZ/nur", - "rev": "9c43904eb242455ca3db9466c5679c81aa92741f", + "rev": "bb95bbed09ccb2ae5ab5a8e02537c4c28c46d27e", "type": "git" }, "niv": { -- 2.49.0 From 244c8027aa0adc6545a67f4f6d3d2e51ea40b08c Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 23 Feb 2023 23:59:59 +0000 Subject: [PATCH 134/149] feat: Add sinavir's keys for `core-services-01` --- machines/core-services-01/configuration.nix | 1 + machines/pubkeys/sinavir.keys | 1 + 2 files changed, 2 insertions(+) create mode 100644 machines/pubkeys/sinavir.keys diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index d8284fb..819ad48 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -85,6 +85,7 @@ ../pubkeys/raito.keys ../pubkeys/mrf.keys ../pubkeys/hubrecht.keys + ../pubkeys/sinavir.keys ]; # Open ports in the firewall. diff --git a/machines/pubkeys/sinavir.keys b/machines/pubkeys/sinavir.keys new file mode 100644 index 0000000..471d054 --- /dev/null +++ b/machines/pubkeys/sinavir.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o -- 2.49.0 From 66c40b1026484c8673989babc531625d7c23e40a Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 23 Feb 2023 23:59:59 +0000 Subject: [PATCH 135/149] feat: Add sinavir's keys to `public-cof` and `remote-builder-01` --- machines/public-cof/configuration.nix | 1 + machines/remote-builder-01/configuration.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index ae3fce3..cb19ba2 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -55,6 +55,7 @@ ../pubkeys/gdd.keys ../pubkeys/raito.keys ../pubkeys/mrf.keys + ../pubkeys/sinavir.keys ]; system.stateVersion = "21.05"; 
diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index ad971fb..286062b 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -64,6 +64,7 @@ users.users.root.openssh.authorizedKeys.keyFiles = [ ../pubkeys/gdd.keys ../pubkeys/raito.keys + ../pubkeys/sinavir.keys ../pubkeys/remote-builders.keys ]; -- 2.49.0 From 3f2e795b0e1e080c90cca360c39b3fdbb26a1dc1 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 23 Feb 2023 23:59:59 +0000 Subject: [PATCH 136/149] chore: Rename module options --- machines/core-services-01/gitea.nix | 8 ++++---- machines/core-services-01/system.nix | 2 +- machines/public-cof/acme.nix | 2 +- machines/public-cof/hedgedoc.nix | 2 +- machines/public-cof/system.nix | 2 +- machines/remote-builder-01/system.nix | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/machines/core-services-01/gitea.nix b/machines/core-services-01/gitea.nix index ddfcbae..26402d0 100644 --- a/machines/core-services-01/gitea.nix +++ b/machines/core-services-01/gitea.nix @@ -13,11 +13,11 @@ in httpAddress = "127.0.0.1"; httpPort = port; database.type = "postgres"; - disableRegistration = false; - log = { - level = "Warn"; - }; settings = { + service.DISABLE_REGISTRATION = false; + log = { + level = "Warn"; + }; openid = { ENABLE_OPENID_SIGNUP = true; }; diff --git a/machines/core-services-01/system.nix b/machines/core-services-01/system.nix index 827bd11..3ab02d1 100644 --- a/machines/core-services-01/system.nix +++ b/machines/core-services-01/system.nix @@ -8,7 +8,7 @@ # Auto GC and store optimizations nix = { - trustedUsers = [ "root" "gab" ]; + settings.trusted-users = [ "root" "gab" ]; gc = { automatic = true; dates = "weekly"; diff --git a/machines/public-cof/acme.nix b/machines/public-cof/acme.nix index 3911368..9e03a21 100644 --- a/machines/public-cof/acme.nix +++ b/machines/public-cof/acme.nix 
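Review bot: In the gitea.nix hunk, `settings.log.level = "Warn"` uses a lower-case key while the neighbouring `settings` entries (`service.DISABLE_REGISTRATION`, `openid.ENABLE_OPENID_SIGNUP`) use app.ini's upper-case names; the `[log]` section key is `LEVEL`, so this should probably read `log.LEVEL = "Warn";` or the old log level may be ignored after the rename. `DISABLE_REGISTRATION = false` together with `ENABLE_OPENID_SIGNUP = true` keeps self-registration open on this instance — pre-existing behaviour, but since the rename touches the line it is a good moment to add `# open registration is intentional` (or close it). The `services.gitea` block starts outside the hunk.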
@@ -1,5 +1,5 @@ { ... }: { security.acme.acceptTerms = true; - security.acme.email = "club-reseau@lists.ens.psl.eu"; + security.acme.defaults.email = "club-reseau@lists.ens.psl.eu"; } diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index b4235d5..23c8782 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -5,7 +5,7 @@ in { services.hedgedoc = { enable = true; - configuration = { + settings = { protocolUseSSL = true; # scp =; # TODO domain = "docs.beta.rz.ens.wtf"; diff --git a/machines/public-cof/system.nix b/machines/public-cof/system.nix index 997dbdd..b3a1d4c 100644 --- a/machines/public-cof/system.nix +++ b/machines/public-cof/system.nix @@ -8,7 +8,7 @@ # Auto GC and store optimizations nix = { - trustedUsers = [ "root" ]; + settings.trusted-users = [ "root" ]; gc = { automatic = true; dates = "weekly"; diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix index 9bb13cf..81732ab 100644 --- a/machines/remote-builder-01/system.nix +++ b/machines/remote-builder-01/system.nix @@ -1,7 +1,7 @@ { pkgs, ... }: { # Auto GC and store optimizations nix = { - trustedUsers = [ "root" ]; + settings.trusted-users = [ "root" ]; gc = { automatic = true; dates = "weekly"; -- 2.49.0 From deffb8e1fc45f4e43df5b5c44646084b86dd8009 Mon Sep 17 00:00:00 2001 From: sinavir Date: Fri, 24 Feb 2023 10:56:54 +0100 Subject: [PATCH 137/149] core-01: fix ipv4 routing issue --- machines/core-services-01/network.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/network.nix b/machines/core-services-01/network.nix index d3579be..da02165 100644 --- a/machines/core-services-01/network.nix +++ b/machines/core-services-01/network.nix 
@@ -29,8 +29,15 @@ in "10-ens20" = { name = "ens20"; address = my.ipv4InternalFull; - DHCP = "ipv4"; + dhcpV4Config.RouteMetric = 2048; + routes = [ + { + routeConfig = { + Destination = "10.0.0.0/8"; + }; + } + ]; }; }; } -- 2.49.0 From 2fde8ccf156c88b2200952017106a604b339bd29 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:04:42 +0200 Subject: [PATCH 138/149] deployment: upgrade to 23.05 --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 92a2cda..45c0417 100644 --- a/krops.nix +++ b/krops.nix @@ -9,7 +9,7 @@ let # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "8d3bd93e67201a7c8238e9cbde6d07aba9500636"; # nixos-unstable + ref = "23.05"; url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.49.0 From b88167f46a824194b079410b74010a03bb823207 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:21:44 +0200 Subject: [PATCH 139/149] =?UTF-8?q?deployment:=20fix=20it=20for=2023.05?= =?UTF-8?q?=E2=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 45c0417..140772d 100644 --- a/krops.nix +++ b/krops.nix @@ -9,7 +9,7 @@ let # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "23.05"; + ref = "origin/release-23.05"; url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.49.0 From 42cd2d7b794ebd8184b98760aab945c0dc1cd5e1 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:21:54 +0200 Subject: [PATCH 140/149] public-cof: add thubrecht --- machines/public-cof/configuration.nix | 1 + machines/public-cof/secrets/secrets.nix | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index cb19ba2..6bd8454 100644 --- a/machines/public-cof/configuration.nix 
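Review bot: The new `routes` entry for `10.0.0.0/8` has no `Gateway`, so it is installed as an on-link route over ens20; that is correct only if every 10/8 host is directly reachable on that segment, otherwise a `Gateway = …;` line is needed (the single removed line appears to be the blank one, so `DHCP = "ipv4"` still applies — please confirm). Because DHCPv4 stays active on ens20, routes, DNS and NTP servers carried in that lease are still accepted and a classless static route from the lease could shadow the manual one; if only an address plus a deprioritised default route is wanted, add `dhcpV4Config.UseRoutes = false;` (and `UseDNS = false;` if internal DNS is not expected from there) next to `RouteMetric = 2048`. A one-line comment on `RouteMetric = 2048` saying "keep ens18 as the preferred IPv4 exit" would record the intent that the commit title only hints at.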
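Review bot: `ref = "origin/release-23.05"` replaces a pinned commit (`8d3bd93e67201a7c8238e9cbde6d07aba9500636`) with a moving branch, so two deployments from the same repository state can fetch different nixpkgs revisions and there is no longer a reviewed hash to diff against when behaviour changes underneath you. If tracking the release branch is deliberate, restore the dropped comment as `ref = "origin/release-23.05"; # moving ref, nixos-23.05` and record the resolved revision somewhere; otherwise pin a commit on that branch again. This applies to both krops.nix hunks (patches 138 and 139); the `nixpkgs.git` attrset is complete in each hunk but the enclosing `let` is not.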
+++ b/machines/public-cof/configuration.nix @@ -56,6 +56,7 @@ ../pubkeys/raito.keys ../pubkeys/mrf.keys ../pubkeys/sinavir.keys + ../pubkeys/hubrecht.keys ]; system.stateVersion = "21.05"; diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index c703081..d48cb63 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -2,7 +2,7 @@ let pkgs = import {}; lib = pkgs.lib; readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); - superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); + superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "hubrecht"); public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; systems = [ public-cof ]; in -- 2.49.0 From 793e4d2aeea78b56ddfe5ca3d9d21f3906a1626f Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:22:03 +0200 Subject: [PATCH 141/149] public-cof: add some tuning for lychee --- machines/public-cof/lychee.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/machines/public-cof/lychee.nix b/machines/public-cof/lychee.nix index 944604b..137cd32 100644 --- a/machines/public-cof/lychee.nix +++ b/machines/public-cof/lychee.nix @@ -7,4 +7,11 @@ website = "photos.ens.wtf"; settings.APP_URL = "https://${config.services.lychee.website}"; }; + services.phpfpm.pools."photos.ens.wtf".settings = { + pm = "dynamic"; + "pm.max_children" = 10; + "pm.start_servers" = 3; + "pm.min_spare_servers" = 1; + "pm.max_spare_servers" = 3; + }; } -- 2.49.0 From 55c7194022bcbe79b1ad6009e9a5a3c9cce7374d Mon Sep 17 00:00:00 2001 
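Review bot: Adding `(readPubkeys "hubrecht")` to `superadmins` only changes the recipient list for files encrypted from now on; the existing `.age` secrets under this directory remain encrypted to the old recipients until they are re-encrypted (`agenix --rekey`), so the new admin cannot decrypt them yet. A comment above `superadmins` such as `# any change to the recipient list needs an agenix --rekey of every secret` and the rekey in the same change would make the commit self-contained. Only part of the `let` block is visible in this hunk.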
From: sinavir Date: Sun, 23 Jul 2023 16:55:26 +0200 Subject: [PATCH 142/149] core-01: make it work for 23.05 --- machines/core-services-01/configuration.nix | 1 - machines/core-services-01/dokuwiki.nix | 28 --------------------- machines/core-services-01/monitoring.nix | 20 +++++++-------- 3 files changed, 10 insertions(+), 39 deletions(-) delete mode 100644 machines/core-services-01/dokuwiki.nix diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 819ad48..ac0021a 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -10,7 +10,6 @@ ./backups.nix # ./dex.nix ./dns.nix - ./dokuwiki.nix ./gitea.nix ./headscale.nix ./keycloak.nix diff --git a/machines/core-services-01/dokuwiki.nix b/machines/core-services-01/dokuwiki.nix deleted file mode 100644 index 1ad68e0..0000000 --- a/machines/core-services-01/dokuwiki.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, ... }: - -let - my = config.my; -in -{ - services.dokuwiki.sites."wiki.${my.subZone}" = { - enable = true; - acl = '' - * @ALL 1 - * @admin 16 - ''; - }; - - /* - services.nginx = { - enable = true; - - virtualHosts."wiki.${my.subZone}" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "htttp://127.0.0.1:${toString port}"; - }; - }; - }; - */ -} diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index edf0d20..7015efa 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix 
@@ -36,16 +36,16 @@ in { services.netdata = { enable = true; - package = pkgs.netdata.overrideAttrs (old: { - version = "1.36.0-185-nightly"; - src = pkgs.fetchFromGitHub { - owner = "netdata"; - repo = "netdata"; - rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; - sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; - fetchSubmodules = true; - }; - }); + #package = pkgs.netdata.overrideAttrs (old: { + # version = "1.36.0-185-nightly"; + # src = pkgs.fetchFromGitHub { + # owner = "netdata"; + # repo = "netdata"; + # rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; + # sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; + # fetchSubmodules = true; + # }; + #}); }; systemd.services.netdata.environment."NETDATA_DISABLE_CLOUD" = "1"; -- 2.49.0 From 2ab0cc688587772815ddd8631ec728546a8e4bd6 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 23 Jul 2023 17:52:45 +0200 Subject: [PATCH 143/149] =?UTF-8?q?public-cof:=20NC25=20=E2=86=92=20NC26?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Get us rid of RC4 encryption shenigans. --- machines/public-cof/nextcloud.nix | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 847affd..badd243 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,14 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud25; - # OpenSSL 3.0.x breaks RC4 encryption for NextCloud - # But we enabled encryption for NextCloud - # Therefore... - phpPackage = lib.mkForce (pkgs.php81.withExtensions ({ enabled, all }: - (lib.filter (e: e != pkgs.php81.extensions.openssl) enabled) - ++ [ (all.openssl.override { buildInputs = [ pkgs.openssl_1_1 ]; }) ] - )); + package = pkgs.nextcloud26; config = { overwriteProtocol = "https"; -- 2.49.0 From 6fb8528a9950eb1a9177d28e04831b9c6bbd7d25 Mon Sep 17 00:00:00 2001 
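Review bot: The netdata `package` override in monitoring.nix is commented out rather than removed, leaving nine lines of dead code with a pinned nightly revision and hash that will only rot; git history already keeps it, so the hunk should delete the lines. If the point is to remember why the pin existed, a single comment such as `# the nightly override was dropped with 23.05; nixpkgs' netdata is recent enough` says more than the commented-out block. The `services.netdata` attrset is complete in the hunk, but the module's `let … in` header is not.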
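Review bot: Dropping the `phpPackage` override together with the move to `pkgs.nextcloud26` removes the OpenSSL 1.1 PHP build that existed so the enabled server-side encryption could still use RC4; nothing in the hunk shows that NC26 on the default PHP/OpenSSL 3 can read the already-encrypted files, so that should be verified on a copy before deploying, as the Nextcloud database upgrade has no supported rollback. Retiring `openssl_1_1` (end-of-life) is the right direction; a short comment where the override was, e.g. `# NC26 presumably no longer needs the OpenSSL 1.1 PHP build for legacy encryption — verified on <date>`, documents why it is gone. `lib` may now be unused in the module arguments; the header is outside the hunk.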
From: sinavir Date: Sun, 23 Jul 2023 17:58:44 +0200 Subject: [PATCH 144/149] public-cof: upgrade garage --- machines/public-cof/garage.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/garage.nix b/machines/public-cof/garage.nix index 7d25b0a..e2a1321 100644 --- a/machines/public-cof/garage.nix +++ b/machines/public-cof/garage.nix @@ -22,6 +22,7 @@ }; services.garage = { enable = true; + package = pkgs.garage_0_8; settings = { replication_mode = "none"; compression_level = 7; -- 2.49.0 From 50c17c74bb457182da4e91e8a6c4031ac6cce5cf Mon Sep 17 00:00:00 2001 From: tomate Date: Sun, 23 Jul 2023 18:04:38 +0200 Subject: [PATCH 145/149] Add 'CONTRIBUTING.md' --- CONTRIBUTING.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..46ce2a1 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1 @@ +Maurice écoute les conventions de Ryan \ No newline at end of file -- 2.49.0 From 6b6470eef94acd0b64eb2fbaa600815bb3c7fc3f Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 23 Jul 2023 23:36:06 +0200 Subject: [PATCH 146/149] keys: Move from machines/publickeys --- keys/gdd.keys | 2 ++ keys/hackens-milieu.keys | 1 + keys/hubrecht.keys | 1 + keys/mrf.keys | 1 + keys/raito.keys | 4 ++++ keys/remote-builders.keys | 1 + keys/sinavir.keys | 1 + 7 files changed, 11 insertions(+) create mode 100644 keys/gdd.keys create mode 100644 keys/hackens-milieu.keys create mode 100644 keys/hubrecht.keys create mode 100644 keys/mrf.keys create mode 100644 keys/raito.keys create mode 100644 keys/remote-builders.keys create mode 100644 keys/sinavir.keys diff --git a/keys/gdd.keys b/keys/gdd.keys new file mode 100644 index 0000000..b5d4e40 --- /dev/null +++ b/keys/gdd.keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ 
diff --git a/keys/hackens-milieu.keys b/keys/hackens-milieu.keys new file mode 100644 index 0000000..c79c039 --- /dev/null +++ b/keys/hackens-milieu.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3+w4+nyJG8lr2mh0S9Zf8j2/6H5smlO87s6KNLlhkF hackens@hackens-milieu diff --git a/keys/hubrecht.keys b/keys/hubrecht.keys new file mode 100644 index 0000000..07fbe76 --- /dev/null +++ b/keys/hubrecht.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv3iSpIjeUVDf+f89Hb/L++vzMX15Ti/PZTjAAG+tFl diff --git a/keys/mrf.keys b/keys/mrf.keys new file mode 100644 index 0000000..ebbfa68 --- /dev/null +++ b/keys/mrf.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe4tx0+lNX2w7kG94c9u7U0wHuOc2A6zpHcbyAs+w/d diff --git a/keys/raito.keys b/keys/raito.keys new file mode 100644 index 0000000..0f48a59 --- /dev/null +++ b/keys/raito.keys @@ -0,0 +1,4 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr diff --git a/keys/remote-builders.keys b/keys/remote-builders.keys new file mode 100644 index 0000000..b1b7645 --- /dev/null +++ b/keys/remote-builders.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ Raito's remote builder key diff --git a/keys/sinavir.keys b/keys/sinavir.keys new file mode 100644 index 0000000..471d054 --- /dev/null +++ b/keys/sinavir.keys 
@@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o -- 2.49.0 From 7f88c60cc22761935cbf0159e58283bf54d72a41 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 23 Jul 2023 23:36:55 +0200 Subject: [PATCH 147/149] Switch from krops to colmena --- .envrc | 1 + .gitignore | 1 + hive.nix | 57 +++++++++++++++++ .../{configuration.nix => _configuration.nix} | 22 +------ ...ration.nix => _hardware-configuration.nix} | 0 .../{configuration.nix => _configuration.nix} | 11 ---- ...ration.nix => _hardware-configuration.nix} | 0 .../{configuration.nix => _configuration.nix} | 20 +----- ...ration.nix => _hardware-configuration.nix} | 0 meta/default.nix | 5 ++ meta/nodes.nix | 64 +++++++++++++++++++ modules/default.nix | 11 ++++ modules/krz-access-control.nix | 46 +++++++++++++ modules/krz-ssh.nix | 25 ++++++++ nix-patches/default.nix | 1 + npins/default.nix | 47 ++++++++++++++ npins/sources.json | 43 +++++++++++++ shell.nix | 15 +++++ 18 files changed, 318 insertions(+), 51 deletions(-) create mode 100644 .envrc create mode 100644 hive.nix rename machines/core-services-01/{configuration.nix => _configuration.nix} (70%) rename machines/core-services-01/{hardware-configuration.nix => _hardware-configuration.nix} (100%) rename machines/public-cof/{configuration.nix => _configuration.nix} (77%) rename machines/public-cof/{hardware-configuration.nix => _hardware-configuration.nix} (100%) rename machines/remote-builder-01/{configuration.nix => _configuration.nix} (69%) rename machines/remote-builder-01/{hardware-configuration.nix => _hardware-configuration.nix} (100%) create mode 100644 meta/default.nix create mode 100644 meta/nodes.nix create mode 100644 modules/default.nix create mode 100644 modules/krz-access-control.nix create mode 100644 modules/krz-ssh.nix create mode 100644 nix-patches/default.nix create mode 100644 npins/default.nix create mode 100644 npins/sources.json create mode 100644 shell.nix 
diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..1d953f4 --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use nix diff --git a/.gitignore b/.gitignore index b2be92b..726d2d6 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ result +.direnv diff --git a/hive.nix b/hive.nix new file mode 100644 index 0000000..fdc3708 --- /dev/null +++ b/hive.nix @@ -0,0 +1,57 @@ +let + sources = import ./npins; + metadata = import ./meta; + + lib = import (sources.nix-lib + "/trivial.nix"); + + mkNode = node: { name, nodes, ... }: { + # Import the base configuration for each node + imports = builtins.map (lib.mkRel ./machines/${node}) [ + "_configuration.nix" + "_hardware-configuration.nix" + ]; + + # Include default secrets + # dgn-secrets.sources = [ ./machines/${node}/secrets ]; + + # Deployment config is specified in meta.nodes.${node}.deployment + inherit (metadata.nodes.${node}) deployment; + + # Set NIX_PATH to the patched version of nixpkgs + nix.nixPath = [ "nixpkgs=${mkNixpkgs node}" ]; + + # Use the stateVersion declared in the metadata + system.stateVersion = metadata.nodes.${node}.stateVersion; + }; + + mkNixpkgs = node: + let version = "nixos-${metadata.nodes.${node}.nixpkgs}"; in + (import sources.${version} { }).applyPatches { + name = "${version}-patched"; + src = sources.${version}; + patches = (import ./nix-patches).${version} or [ ]; + }; + + mkNixpkgs' = node: import (mkNixpkgs node) { }; + + mkArgs = node: { + nix-lib = import sources.nix-lib { inherit ((mkNixpkgs' node)) lib; keysRoot = ./keys; }; + }; + + nodes = builtins.attrNames metadata.nodes; +in + +{ + meta = { + nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes; + + specialArgs = { inherit sources; meta = metadata; }; + + nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes; + }; + + defaults = { ... }: { + # Import the default modules + imports = [ ./modules ]; + }; +} // (lib.mapSingleFuse mkNode nodes) 
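Review bot: In hive.nix, `mkNixpkgs' node` is evaluated independently in `meta.nodeNixpkgs` and again inside `mkArgs`, so each node's nixpkgs is imported (and patched) more than once per evaluation; binding it once with `nixpkgsFor = lib.mapSingleFuse mkNixpkgs' nodes;`, then `nodeNixpkgs = nixpkgsFor;` and `nixpkgsFor.${node}` in `mkArgs`, shares the work — assuming `mapSingleFuse` builds a node → value attrset as its use here suggests. The patches listed in `nix-patches/default.nix` rewrite the nixpkgs every node builds from, so a header comment stating that entries there must be reviewed like code (they change the whole system closure) would make that trust boundary visible. The commented-out `dgn-secrets.sources` line refers to a module that does not exist in this repository; either wire it in or delete the line.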
diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/_configuration.nix similarity index 70% rename from machines/core-services-01/configuration.nix rename to machines/core-services-01/_configuration.nix index ac0021a..9bcee06 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/_configuration.nix @@ -2,9 +2,6 @@ { imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ./acme-dns.nix ./acme-ssl.nix ./backups.nix @@ -77,28 +74,11 @@ services.zfs.autoScrub.enable = true; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../pubkeys/gdd.keys - ../pubkeys/raito.keys - ../pubkeys/mrf.keys - ../pubkeys/hubrecht.keys - ../pubkeys/sinavir.keys - ]; - # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. networking.firewall.enable = false; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.05"; # Did you read the comment? - environment.variables.NIX_PATH = lib.mkForce "/var/src"; + system.stateVersion = "22.05"; } diff --git a/machines/core-services-01/hardware-configuration.nix b/machines/core-services-01/_hardware-configuration.nix similarity index 100% rename from machines/core-services-01/hardware-configuration.nix rename to machines/core-services-01/_hardware-configuration.nix 
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/_configuration.nix similarity index 77% rename from machines/public-cof/configuration.nix rename to machines/public-cof/_configuration.nix index 6bd8454..a831791 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/_configuration.nix @@ -3,7 +3,6 @@ { imports = [ - ./hardware-configuration.nix ./programs.nix ./system.nix ./acme.nix @@ -49,15 +48,5 @@ enableSSHSupport = true; }; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../pubkeys/gdd.keys - ../pubkeys/raito.keys - ../pubkeys/mrf.keys - ../pubkeys/sinavir.keys - ../pubkeys/hubrecht.keys - ]; - system.stateVersion = "21.05"; } diff --git a/machines/public-cof/hardware-configuration.nix b/machines/public-cof/_hardware-configuration.nix similarity index 100% rename from machines/public-cof/hardware-configuration.nix rename to machines/public-cof/_hardware-configuration.nix diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/_configuration.nix similarity index 69% rename from machines/remote-builder-01/configuration.nix rename to machines/remote-builder-01/_configuration.nix index 286062b..d5906a8 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/_configuration.nix @@ -2,7 +2,6 @@ { imports = [ - ./hardware-configuration.nix ./system.nix # TODO monitoring ]; 
@@ -59,28 +58,11 @@ services.zfs.autoScrub.enable = true; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../pubkeys/gdd.keys - ../pubkeys/raito.keys - ../pubkeys/sinavir.keys - ../pubkeys/remote-builders.keys - ]; - # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. networking.firewall.enable = false; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "21.05"; # Did you read the comment? - + system.stateVersion = "21.05"; } - diff --git a/machines/remote-builder-01/hardware-configuration.nix b/machines/remote-builder-01/_hardware-configuration.nix similarity index 100% rename from machines/remote-builder-01/hardware-configuration.nix rename to machines/remote-builder-01/_hardware-configuration.nix diff --git a/meta/default.nix b/meta/default.nix new file mode 100644 index 0000000..a6ccb51 --- /dev/null +++ b/meta/default.nix @@ -0,0 +1,5 @@ +let + nodes = import ./nodes.nix; +in + +{ inherit nodes; } diff --git a/meta/nodes.nix b/meta/nodes.nix new file mode 100644 index 0000000..c017cc4 --- /dev/null +++ b/meta/nodes.nix 
@@ -0,0 +1,64 @@ +### +# File specifying all the deployement options for the nodes administrated by the dgnum. +# +# Node metadata template is: +# +# NODE_NAME = { +# adminGroups = []; # List of groups that have root access +# admins = []; # List of individuals that have root access +# deployment = {}; # Colmena deployment options +# nixpkgs = "unstable" or "22.11"; # nixpkgs version +# } + +let + mkNode = _: attrs: { + access = [ ]; + + deployment = { }; + + nixpkgs = "23.05"; + } // attrs; +in + +builtins.mapAttrs mkNode { + core-services-01 = { + admins = [ + "gdd" + "hubrecht" + "mrf" + "raito" + "sinavir" + ]; + + deployment.targetHost = "core01.rz.ens.wtf"; + + stateVersion = "22.05"; + }; + + remote-builder-01 = { + admins = [ + "gdd" + "raito" + "sinavir" + "remote-builders" + ]; + + deployment.targetHost = "nix01.builders.rz.ens.wtf"; + + stateVersion = "21.05"; + }; + + public-cof = { + admins = [ + "gdd" + "hubrecht" + "mrf" + "raito" + "sinavir" + ]; + + deployment.targetHost = "beta.rz.ens.wtf"; + + stateVersion = "21.05"; + }; +} diff --git a/modules/default.nix b/modules/default.nix new file mode 100644 index 0000000..bc98724 --- /dev/null +++ b/modules/default.nix @@ -0,0 +1,11 @@ +{ nix-lib, sources, ... }: + +{ + imports = (nix-lib.mkImports ./. [ + "krz-access-control" + "krz-ssh" + ]) ++ [ + # TODO: Switch to global version of agenix via npins + # "${sources.agenix}/modules/age.nix" + ]; +} diff --git a/modules/krz-access-control.nix b/modules/krz-access-control.nix new file mode 100644 index 0000000..55fd2a3 --- /dev/null +++ b/modules/krz-access-control.nix 
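Review bot: `mkNode` defaults `access = [ ]`, but nothing on this page reads `access`; the consumer (`krz-access-control.nix`) does `inherit (nodeMeta) admins`, which has no default, so a node declared without `admins` fails evaluation instead of getting an empty list — replace the unused default with `admins = [ ];`. The header comment is also out of step with the code: it lists `adminGroups` and `nixpkgs = "unstable" or "22.11"` while the default is "23.05", no node sets `adminGroups`, and `stateVersion` (required by hive.nix) is not mentioned. Separately, `remote-builder-01.admins` contains `"remote-builders"`, which per the template grants that machine key root; a dedicated unprivileged builder account via `krz-access-control.users` plus `nix.settings.trusted-users` would keep root access to people only.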
@@ -0,0 +1,46 @@
+{ config, lib, nix-lib, meta, name, ... }:
+
+let
+ inherit (lib)
+ mkDefault
+ mkEnableOption
+ mkIf
+ mkOption
+
+ types;
+
+ nodeMeta = meta.nodes.${name};
+ inherit (nodeMeta) admins;
+
+ cfg = config.krz-access-control;
+in
+
+{
+ options.krz-access-control = {
+ enable = mkEnableOption "DGNum access control." // { default = true; };
+
+ users = mkOption {
+ type = with types; attrsOf (listOf str);
+ default = { };
+ description = ''
+ Attribute set describing which member has access to which user on the node.
+ Members must be declared in `meta/members.nix`.
+ '';
+ example = ''
+ {
+ user1 = [ "member1" "member2" ];
+ }
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ # Admins have root access to the node
+ krz-access-control.users.root = mkDefault admins;
+
+ users.users = builtins.mapAttrs
+ (u: members: { openssh.authorizedKeys.keys = nix-lib.getAllKeys members; })
+ cfg.users;
+ };
+}
+
diff --git a/modules/krz-ssh.nix b/modules/krz-ssh.nix
new file mode 100644
index 0000000..4124ada
--- /dev/null
+++ b/modules/krz-ssh.nix
@@ -0,0 +1,25 @@
+{ config, lib, ... }:
+
+let
+ inherit (lib)
+ mkEnableOption
+ mkIf;
+
+ cfg = config.krz-ssh;
+in
+
+{
+ options.krz-ssh = {
+ enable = mkEnableOption "ssh default configuration." // { default = true; };
+ };
+
+ config = mkIf cfg.enable {
+ services.openssh = {
+ enable = true;
+
+ settings.PasswordAuthentication = false;
+ };
+
+ programs.mosh.enable = true;
+ };
+}
diff --git a/nix-patches/default.nix b/nix-patches/default.nix
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/nix-patches/default.nix
@@ -0,0 +1 @@
+{}
diff --git a/npins/default.nix b/npins/default.nix
new file mode 100644
index 0000000..4a7c372
--- /dev/null
+++ b/npins/default.nix
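Review bot: In modules/krz-access-control.nix the `example` of `krz-access-control.users` is a plain Nix string, so the generated option documentation shows it as a quoted multi-line string instead of the attribute set it is meant to illustrate; `lib.literalExpression` is the conventional wrapper for such examples, and the `description` refers to `meta/members.nix` while the `meta/default.nix` in this patch exports only `nodes` — either the file is provided elsewhere (not visible here) or the description should point at wherever `nix-lib.getAllKeys` resolves member names. The `mapAttrs` callback names its first argument `u` and never uses it; `_` makes that explicit. Since `enable` defaults to true and `users.root` defaults to the node's `admins`, every name listed in `meta/nodes.nix` gains key-based root access on that node as soon as the module is imported; a comment on `krz-access-control.users.root` stating that this is the intended single source of root access (`# Root keys are derived from meta/nodes.nix; override users.root only deliberately`) would make the trust boundary visible to the next maintainer.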
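Review bot: In modules/krz-ssh.nix, `settings.PasswordAuthentication = false` on its own does not disable password-based logins: sshd's keyboard-interactive method stays available through PAM unless `KbdInteractiveAuthentication` is also turned off, and NixOS leaves `services.openssh.settings.KbdInteractiveAuthentication` at its default of true. Given that the nodes are intended to be reached only with the keys distributed by krz-access-control, add `settings.KbdInteractiveAuthentication = false;` beside the existing line. `PermitRootLogin` is left at the NixOS default, which accepts only key-based root logins; a short comment (`# Root is key-only; root keys come from krz-access-control`) would document that the two modules depend on each other.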
@@ -0,0 +1,47 @@
+# Generated by npins. Do not modify; will be overwritten regularly
+let
+ data = builtins.fromJSON (builtins.readFile ./sources.json);
+ version = data.version;
+
+ mkSource = spec:
+ assert spec ? type; let
+ path =
+ if spec.type == "Git" then mkGitSource spec
+ else if spec.type == "GitRelease" then mkGitSource spec
+ else if spec.type == "PyPi" then mkPyPiSource spec
+ else if spec.type == "Channel" then mkChannelSource spec
+ else builtins.throw "Unknown source type ${spec.type}";
+ in
+ spec // { outPath = path; };
+
+ mkGitSource = { repository, revision, url ? null, hash, ... }:
+ assert repository ? type;
+ # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
+ # In the latter case, there we will always be an url to the tarball
+ if url != null then
+ (builtins.fetchTarball {
+ inherit url;
+ sha256 = hash; # FIXME: check nix version & use SRI hashes
+ })
+ else assert repository.type == "Git"; builtins.fetchGit {
+ url = repository.url;
+ rev = revision;
+ # hash = hash;
+ };
+
+ mkPyPiSource = { url, hash, ... }:
+ builtins.fetchurl {
+ inherit url;
+ sha256 = hash;
+ };
+
+ mkChannelSource = { url, hash, ... }:
+ builtins.fetchTarball {
+ inherit url;
+ sha256 = hash;
+ };
+in
+if version == 3 then
+ builtins.mapAttrs (_: mkSource) data.pins
+else
+ throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
diff --git a/npins/sources.json b/npins/sources.json
new file mode 100644
index 0000000..1df8536
--- /dev/null
+++ b/npins/sources.json
@@ -0,0 +1,43 @@
+{
+ "pins": {
+ "agenix": {
+ "type": "GitRelease",
+ "repository": {
+ "type": "Git",
+ "url": "https://github.com/ryantm/agenix"
+ },
+ "pre_releases": false,
+ "version_upper_bound": null,
+ "version": "0.13.0",
+ "revision": "9c9fbfb94b2d545c7f0b78da0254ea0041595795",
+ "url": null,
+ "hash": "0k6aggy3lhqv6j11cvi4gr0i3jps8hlf262xl9ji3ffxwas46p54"
+ },
+ "nix-lib": {
+ "type": "GitRelease",
+ "repository": {
+ "type": "Git",
+ "url": "https://git.hubrecht.ovh/hubrecht/nix-lib"
+ },
+ "pre_releases": false,
+ "version_upper_bound": null,
+ "version": "0.1.1",
+ "revision": "5db2443e2cb18335375ad84ffbc066a239c054de",
+ "url": null,
+ "hash": "18xzi2yn2vk7zq79pgz8z2s1ijhyjcx5866mp21rrdi9gz37yiif"
+ },
+ "nixos-23.05": {
+ "type": "Channel",
+ "name": "nixos-23.05",
+ "url": "https://releases.nixos.org/nixos/23.05/nixos-23.05.2162.6da4bc6cb07/nixexprs.tar.xz",
+ "hash": "198wbl9b7j3k51n0rxs09vy6x535ysqv6kbxf42d9yqr49d2n9vc"
+ },
+ "nixpkgs": {
+ "type": "Channel",
+ "name": "nixpkgs-unstable",
+ "url": "https://releases.nixos.org/nixpkgs/nixpkgs-23.11pre506668.af8cd5ded77/nixexprs.tar.xz",
+ "hash": "0in8bgah6hz47lsa3ka2fslwks174maqdzy8mcmsj0q4wrv8h2s9"
+ }
+ },
+ "version": 3
+}
\ No newline at end of file
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..e29954b
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,15 @@
+let
+ sources = import ./npins;
+ pkgs = import sources.nixpkgs { };
+in
+
+pkgs.mkShell {
+ packages = with pkgs; [
+ npins
+ colmena
+ nixos-generators
+ ] ++ (builtins.map (p: callPackage p { }) [
+ ]);
+
+ allowSubstitutes = false;
+}
--
2.49.0
From 29034e605695e37086e46f9cedb77af4bc132dc8 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Sun, 23 Jul 2023 23:50:10 +0200
Subject: [PATCH 148/149] krops.nix: Delete
---
 krops.nix | 36 ------------------------------------
 1 file changed, 36 deletions(-)
 delete mode 100644 krops.nix
diff --git a/krops.nix b/krops.nix
deleted file mode 100644
index 140772d..0000000
--- a/krops.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-let
- krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; };
- lib = import "${krops}/lib";
- pkgs = import "${krops}/pkgs" { };
- source = machine:
- lib.evalSource [{
- config.file = toString ./machines;
- nixos-config.symlink = "config/${machine}/configuration.nix";
- # Auto-upgrade wen?
- nixpkgs.git = {
- clean.exclude = [ "/.version-suffix" ];
- ref = "origin/release-23.05";
- url = "https://github.com/NixOS/nixpkgs";
- };
- }];
- mkTestConfig = hostname: {
- name = "test-${hostname}";
- value = pkgs.krops.writeTest "test-${hostname}" {
- source = source hostname;
- target = lib.mkTarget {
- host = "localhost";
- path = "/tmp/src";
- };
- force = true; # force create the sentinel file.
- };
- };
- mkTestsConfig = hostnames: builtins.listToAttrs (map mkTestConfig hostnames);
- mkDeploy = hostname: target: { ${hostname} = pkgs.krops.writeDeploy "deploy-${hostname}" {
- source = source hostname;
- inherit target;
- }; };
-in {}
-// mkDeploy "core-services-01" "root@core01.rz.ens.wtf"
-// mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf"
-// mkDeploy "public-cof" "root@beta.rz.ens.wtf"
-// mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ]
--
2.49.0
From 41fc60e1eb6fb12f896be92abb5cfd946c3480d4 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Sun, 23 Jul 2023 23:56:33 +0200
Subject: [PATCH 149/149] core-01: Disable netboot-server
---
 machines/core-services-01/_configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/machines/core-services-01/_configuration.nix b/machines/core-services-01/_configuration.nix
index 9bcee06..3c7162e
--- a/machines/core-services-01/_configuration.nix
+++ b/machines/core-services-01/_configuration.nix
@@ -12,7 +12,7 @@
 ./keycloak.nix
 ./matterbridge.nix
 ./monitoring.nix
- ./netboot-server.nix
+ # ./netboot-server.nix
 ./network.nix
 ./nginx.nix
 ./nur.nix
--
2.49.0