diff --git a/.envrc b/.envrc
deleted file mode 100644
index 1d953f4..0000000
--- a/.envrc
+++ /dev/null
@@ -1 +0,0 @@
-use nix
diff --git a/.gitignore b/.gitignore
index 726d2d6..b2be92b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
 result
-.direnv
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
deleted file mode 100644
index 46ce2a1..0000000
--- a/CONTRIBUTING.md
+++ /dev/null
@@ -1 +0,0 @@
-Maurice écoute les conventions de Ryan
\ No newline at end of file
diff --git a/hive.nix b/hive.nix
deleted file mode 100644
index fdc3708..0000000
--- a/hive.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-let
- sources = import ./npins;
- metadata = import ./meta;
-
- lib = import (sources.nix-lib + "/trivial.nix");
-
- mkNode = node: { name, nodes, ... }: {
- # Import the base configuration for each node
- imports = builtins.map (lib.mkRel ./machines/${node}) [
- "_configuration.nix"
- "_hardware-configuration.nix"
- ];
-
- # Include default secrets
- # dgn-secrets.sources = [ ./machines/${node}/secrets ];
-
- # Deployment config is specified in meta.nodes.${node}.deployment
- inherit (metadata.nodes.${node}) deployment;
-
- # Set NIX_PATH to the patched version of nixpkgs
- nix.nixPath = [ "nixpkgs=${mkNixpkgs node}" ];
-
- # Use the stateVersion declared in the metadata
- system.stateVersion = metadata.nodes.${node}.stateVersion;
- };
-
- mkNixpkgs = node:
- let version = "nixos-${metadata.nodes.${node}.nixpkgs}"; in
- (import sources.${version} { }).applyPatches {
- name = "${version}-patched";
- src = sources.${version};
- patches = (import ./nix-patches).${version} or [ ];
- };
-
- mkNixpkgs' = node: import (mkNixpkgs node) { };
-
- mkArgs = node: {
- nix-lib = import sources.nix-lib { inherit ((mkNixpkgs' node)) lib; keysRoot = ./keys; };
- };
-
- nodes = builtins.attrNames metadata.nodes;
-in
-
-{
- meta = {
- nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes;
-
- specialArgs = { inherit sources; meta = metadata; };
-
- nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
- };
-
- defaults = { ... }: {
- # Import the default modules
- imports = [ ./modules ];
- };
-} // (lib.mapSingleFuse mkNode nodes)
diff --git a/keys/gdd.keys b/keys/gdd.keys
deleted file mode 100644
index b5d4e40..0000000
--- a/keys/gdd.keys
+++ /dev/null
@@ -1,2 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ
diff --git a/keys/hackens-milieu.keys b/keys/hackens-milieu.keys
deleted file mode 100644
index c79c039..0000000
--- a/keys/hackens-milieu.keys
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3+w4+nyJG8lr2mh0S9Zf8j2/6H5smlO87s6KNLlhkF hackens@hackens-milieu
diff --git a/keys/hubrecht.keys b/keys/hubrecht.keys
deleted file mode 100644
index 07fbe76..0000000
--- a/keys/hubrecht.keys
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv3iSpIjeUVDf+f89Hb/L++vzMX15Ti/PZTjAAG+tFl
diff --git a/keys/mrf.keys b/keys/mrf.keys
deleted file mode 100644
index ebbfa68..0000000
--- a/keys/mrf.keys
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe4tx0+lNX2w7kG94c9u7U0wHuOc2A6zpHcbyAs+w/d
diff --git a/keys/raito.keys b/keys/raito.keys
deleted file mode 100644
index 0f48a59..0000000
--- a/keys/raito.keys
+++ /dev/null
@@ -1,4 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
diff --git a/keys/remote-builders.keys b/keys/remote-builders.keys
deleted file mode 100644
index b1b7645..0000000
--- a/keys/remote-builders.keys
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ Raito's remote builder key
diff --git a/keys/sinavir.keys b/keys/sinavir.keys
deleted file mode 100644
index 471d054..0000000
--- a/keys/sinavir.keys
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o
diff --git a/krops.nix b/krops.nix
new file mode 100644
index 0000000..92a2cda
--- /dev/null
+++ b/krops.nix
@@ -0,0 +1,36 @@
+let
+ krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; };
+ lib = import "${krops}/lib";
+ pkgs = import "${krops}/pkgs" { };
+ source = machine:
+ lib.evalSource [{
+ config.file = toString ./machines;
+ nixos-config.symlink = "config/${machine}/configuration.nix";
+ # Auto-upgrade wen?
+ nixpkgs.git = {
+ clean.exclude = [ "/.version-suffix" ];
+ ref = "8d3bd93e67201a7c8238e9cbde6d07aba9500636"; # nixos-unstable
+ url = "https://github.com/NixOS/nixpkgs";
+ };
+ }];
+ mkTestConfig = hostname: {
+ name = "test-${hostname}";
+ value = pkgs.krops.writeTest "test-${hostname}" {
+ source = source hostname;
+ target = lib.mkTarget {
+ host = "localhost";
+ path = "/tmp/src";
+ };
+ force = true; # force create the sentinel file.
+ };
+ };
+ mkTestsConfig = hostnames: builtins.listToAttrs (map mkTestConfig hostnames);
+ mkDeploy = hostname: target: { ${hostname} = pkgs.krops.writeDeploy "deploy-${hostname}" {
+ source = source hostname;
+ inherit target;
+ }; };
+in {}
+// mkDeploy "core-services-01" "root@core01.rz.ens.wtf"
+// mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf"
+// mkDeploy "public-cof" "root@beta.rz.ens.wtf"
+// mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ]
diff --git a/machines/core-services-01/_configuration.nix b/machines/core-services-01/configuration.nix
similarity index 69%
rename from machines/core-services-01/_configuration.nix
rename to machines/core-services-01/configuration.nix
index 3c7162e..d8284fb 100644
--- a/machines/core-services-01/_configuration.nix
+++ b/machines/core-services-01/configuration.nix
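Review bot: `krops` itself is fetched unpinned on the second line of the new file — `builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; }` carries no `rev`, so every evaluation pulls whatever the remote's default branch points at that day, and that code is what runs the `root@…` deployments declared at the bottom of the file. nixpkgs in the same file is pinned to a commit, so the omission looks unintentional rather than a policy. Pin it the same way, `krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; rev = "<KROPS_COMMIT_PLACEHOLDER>"; };` (adding `ref` if that commit is not on the default branch), and bump it deliberately. A one-line comment next to the nixpkgs `ref` saying when it was last moved would also help, since the "Auto-upgrade wen?" comment above it suggests that question is already open.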
@@ -2,17 +2,21 @@ { imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./acme-dns.nix ./acme-ssl.nix ./backups.nix # ./dex.nix ./dns.nix + ./dokuwiki.nix ./gitea.nix ./headscale.nix ./keycloak.nix ./matterbridge.nix ./monitoring.nix - # ./netboot-server.nix + ./netboot-server.nix ./network.nix ./nginx.nix ./nur.nix @@ -74,11 +78,27 @@ services.zfs.autoScrub.enable = true; + # Enable the OpenSSH daemon. + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../pubkeys/gdd.keys + ../pubkeys/raito.keys + ../pubkeys/mrf.keys + ../pubkeys/hubrecht.keys + ]; + # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. networking.firewall.enable = false; - system.stateVersion = "22.05"; + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.05"; # Did you read the comment? + environment.variables.NIX_PATH = lib.mkForce "/var/src"; } diff --git a/machines/core-services-01/dokuwiki.nix b/machines/core-services-01/dokuwiki.nix new file mode 100644 index 0000000..1ad68e0 --- /dev/null +++ b/machines/core-services-01/dokuwiki.nix 
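Review bot: The new `services.openssh.enable = true;` block in the second hunk re-enables sshd without the hardening the deleted `modules/krz-ssh.nix` applied to every node — that module set `settings.PasswordAuthentication = false`, and nothing in the new per-host block sets it, so unless it is set in a file outside this diff the NixOS default (password authentication allowed) now applies on a host whose firewall is disabled a few lines further down. Add `services.openssh.settings.PasswordAuthentication = false;` next to `services.openssh.enable`; on the pre-23.05 nixpkgs this commit appears to target (it reverts `settings.trusted-users` to `trustedUsers`) the option is spelled `services.openssh.passwordAuthentication = false;`. The same omission is in the `machines/public-cof/configuration.nix` and `machines/remote-builder-01/configuration.nix` hunks. Separately, the added `environment.variables.NIX_PATH = lib.mkForce "/var/src";` uses `lib`, which has to be among the module's arguments on line 1, outside this hunk — verify it is. The enclosing module attribute set starts before the first hunk.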
@@ -0,0 +1,28 @@ +{ config, ... }: + +let + my = config.my; +in +{ + services.dokuwiki.sites."wiki.${my.subZone}" = { + enable = true; + acl = '' + * @ALL 1 + * @admin 16 + ''; + }; + + /* + services.nginx = { + enable = true; + + virtualHosts."wiki.${my.subZone}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "htttp://127.0.0.1:${toString port}"; + }; + }; + }; + */ +} diff --git a/machines/core-services-01/gitea.nix b/machines/core-services-01/gitea.nix index 26402d0..ddfcbae 100644 --- a/machines/core-services-01/gitea.nix +++ b/machines/core-services-01/gitea.nix @@ -13,11 +13,11 @@ in httpAddress = "127.0.0.1"; httpPort = port; database.type = "postgres"; + disableRegistration = false; + log = { + level = "Warn"; + }; settings = { - service.DISABLE_REGISTRATION = false; - log = { - level = "Warn"; - }; openid = { ENABLE_OPENID_SIGNUP = true; }; diff --git a/machines/core-services-01/_hardware-configuration.nix b/machines/core-services-01/hardware-configuration.nix similarity index 100% rename from machines/core-services-01/_hardware-configuration.nix rename to machines/core-services-01/hardware-configuration.nix diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 7015efa..edf0d20 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix 
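Review bot: The commented-out `services.nginx` block at the bottom of the new `dokuwiki.nix` cannot be revived as written — `proxyPass` uses the misspelled scheme `htttp://` and refers to a `port` binding the file never defines. Either delete the dead block or fix it before it is uncommented, e.g. `proxyPass = "http://127.0.0.1:${toString port}";` with `port` declared in the `let`. The `acl` also grants read access to everyone (`* @ALL 1`); if the wiki is meant to be world-readable, a short comment saying so, `# public read, write restricted to @admin`, would stop the next reader from treating it as an oversight.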
@@ -36,16 +36,16 @@ in { services.netdata = { enable = true; - #package = pkgs.netdata.overrideAttrs (old: { - # version = "1.36.0-185-nightly"; - # src = pkgs.fetchFromGitHub { - # owner = "netdata"; - # repo = "netdata"; - # rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; - # sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; - # fetchSubmodules = true; - # }; - #}); + package = pkgs.netdata.overrideAttrs (old: { + version = "1.36.0-185-nightly"; + src = pkgs.fetchFromGitHub { + owner = "netdata"; + repo = "netdata"; + rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; + sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; + fetchSubmodules = true; + }; + }); }; systemd.services.netdata.environment."NETDATA_DISABLE_CLOUD" = "1"; diff --git a/machines/core-services-01/network.nix b/machines/core-services-01/network.nix index da02165..d3579be 100644 --- a/machines/core-services-01/network.nix +++ b/machines/core-services-01/network.nix @@ -29,15 +29,8 @@ in "10-ens20" = { name = "ens20"; address = my.ipv4InternalFull; + DHCP = "ipv4"; - dhcpV4Config.RouteMetric = 2048; - routes = [ - { - routeConfig = { - Destination = "10.0.0.0/8"; - }; - } - ]; }; }; } diff --git a/machines/core-services-01/system.nix b/machines/core-services-01/system.nix index 3ab02d1..827bd11 100644 --- a/machines/core-services-01/system.nix +++ b/machines/core-services-01/system.nix @@ -8,7 +8,7 @@ # Auto GC and store optimizations nix = { - settings.trusted-users = [ "root" "gab" ]; + trustedUsers = [ "root" "gab" ]; gc = { automatic = true; dates = "weekly"; diff --git a/machines/pubkeys/sinavir.keys b/machines/pubkeys/sinavir.keys deleted file mode 100644 index 471d054..0000000 --- a/machines/pubkeys/sinavir.keys +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o diff --git a/machines/public-cof/acme.nix b/machines/public-cof/acme.nix index 9e03a21..3911368 100644 --- a/machines/public-cof/acme.nix 
+++ b/machines/public-cof/acme.nix @@ -1,5 +1,5 @@ { ... }: { security.acme.acceptTerms = true; - security.acme.defaults.email = "club-reseau@lists.ens.psl.eu"; + security.acme.email = "club-reseau@lists.ens.psl.eu"; } diff --git a/machines/public-cof/_configuration.nix b/machines/public-cof/configuration.nix similarity index 80% rename from machines/public-cof/_configuration.nix rename to machines/public-cof/configuration.nix index a831791..ae3fce3 100644 --- a/machines/public-cof/_configuration.nix +++ b/machines/public-cof/configuration.nix @@ -3,6 +3,7 @@ { imports = [ + ./hardware-configuration.nix ./programs.nix ./system.nix ./acme.nix @@ -48,5 +49,13 @@ enableSSHSupport = true; }; + # Enable the OpenSSH daemon. + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../pubkeys/gdd.keys + ../pubkeys/raito.keys + ../pubkeys/mrf.keys + ]; + system.stateVersion = "21.05"; } diff --git a/machines/public-cof/garage.nix b/machines/public-cof/garage.nix index e2a1321..7d25b0a 100644 --- a/machines/public-cof/garage.nix +++ b/machines/public-cof/garage.nix @@ -22,7 +22,6 @@ }; services.garage = { enable = true; - package = pkgs.garage_0_8; settings = { replication_mode = "none"; compression_level = 7; diff --git a/machines/public-cof/_hardware-configuration.nix b/machines/public-cof/hardware-configuration.nix similarity index 100% rename from machines/public-cof/_hardware-configuration.nix rename to machines/public-cof/hardware-configuration.nix diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index 23c8782..b4235d5 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -5,7 +5,7 @@ in { services.hedgedoc = { enable = true; - settings = { + configuration = { protocolUseSSL = true; # scp =; # TODO domain = "docs.beta.rz.ens.wtf"; diff --git a/machines/public-cof/lychee.nix b/machines/public-cof/lychee.nix index 137cd32..944604b 100644 
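Review bot: Dropping `package = pkgs.garage_0_8;` in the `garage.nix` hunk makes the Garage version follow whatever the nixpkgs pin provides, and since this commit moves the hosts to an older nixpkgs (it reverts `settings.trusted-users`, `security.acme.defaults.email` and `hedgedoc.settings` to their older spellings) that may well be a release older than 0.8. Garage's on-disk metadata is not guaranteed to be readable by an older release, so this should be checked against the data directory before deploying rather than discovered on the host. If the pin does provide the intended version, record that on the line, e.g. `# garage version follows the nixpkgs pin — check the on-disk format before changing either`.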
--- a/machines/public-cof/lychee.nix +++ b/machines/public-cof/lychee.nix @@ -7,11 +7,4 @@ website = "photos.ens.wtf"; settings.APP_URL = "https://${config.services.lychee.website}"; }; - services.phpfpm.pools."photos.ens.wtf".settings = { - pm = "dynamic"; - "pm.max_children" = 10; - "pm.start_servers" = 3; - "pm.min_spare_servers" = 1; - "pm.max_spare_servers" = 3; - }; } diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index badd243..847affd 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,7 +5,14 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud26; + package = pkgs.nextcloud25; + # OpenSSL 3.0.x breaks RC4 encryption for NextCloud + # But we enabled encryption for NextCloud + # Therefore... + phpPackage = lib.mkForce (pkgs.php81.withExtensions ({ enabled, all }: + (lib.filter (e: e != pkgs.php81.extensions.openssl) enabled) + ++ [ (all.openssl.override { buildInputs = [ pkgs.openssl_1_1 ]; }) ] + )); config = { overwriteProtocol = "https"; diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index d48cb63..c703081 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -2,7 +2,7 @@ let pkgs = import {}; lib = pkgs.lib; readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); - superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "hubrecht"); + superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; systems = [ public-cof ]; in diff --git a/machines/public-cof/system.nix b/machines/public-cof/system.nix index b3a1d4c..997dbdd 100644 --- a/machines/public-cof/system.nix +++ b/machines/public-cof/system.nix 
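Review bot: The `phpPackage` override in the `nextcloud.nix` hunk links PHP's openssl extension against `pkgs.openssl_1_1`, which has been end-of-life upstream since September 2023 and receives no security fixes; recent nixpkgs also marks it with `knownVulnerabilities`, which may or may not apply to the revision pinned here. The comment above it trails off with `# Therefore...` and never says what the exit plan is. Finish the comment so the next reader knows this is temporary: name the RC4-based legacy server-side encryption as the reason, state that `openssl_1_1` is EOL, and give the condition under which the override is removed (for example once the encrypted files have been migrated off the legacy cipher). The `nextcloud25` pin in the same hunk should be covered by the same note.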
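Review bot: Removing `readPubkeys "hubrecht"` from `superadmins` in the `secrets.nix` hunk changes the recipient list but does not re-encrypt anything by itself — assuming this is an agenix rules file, which the `systems` list and the host key suggest, the `.age` files already checked in stay decryptable by the removed key until they are rekeyed. The commit should be paired with a rekey (`agenix -r`, or the equivalent for the tool in use) so the new recipient set actually takes effect, and if the intent is revocation rather than housekeeping the secret values themselves need rotating, since the old ciphertexts remain in git history. A comment on the line, `# rekey all secrets after editing this list`, would keep this from being missed next time.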
@@ -8,7 +8,7 @@ # Auto GC and store optimizations nix = { - settings.trusted-users = [ "root" ]; + trustedUsers = [ "root" ]; gc = { automatic = true; dates = "weekly"; diff --git a/machines/remote-builder-01/_configuration.nix b/machines/remote-builder-01/configuration.nix similarity index 70% rename from machines/remote-builder-01/_configuration.nix rename to machines/remote-builder-01/configuration.nix index d5906a8..ad971fb 100644 --- a/machines/remote-builder-01/_configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -2,6 +2,7 @@ { imports = [ + ./hardware-configuration.nix ./system.nix # TODO monitoring ]; @@ -58,11 +59,27 @@ services.zfs.autoScrub.enable = true; + # Enable the OpenSSH daemon. + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../pubkeys/gdd.keys + ../pubkeys/raito.keys + ../pubkeys/remote-builders.keys + ]; + # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. networking.firewall.enable = false; - system.stateVersion = "21.05"; + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "21.05"; # Did you read the comment? + } + diff --git a/machines/remote-builder-01/_hardware-configuration.nix b/machines/remote-builder-01/hardware-configuration.nix similarity index 100% rename from machines/remote-builder-01/_hardware-configuration.nix rename to machines/remote-builder-01/hardware-configuration.nix 
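Review bot: The new `authorizedKeys.keyFiles` list in the second hunk of `machines/remote-builder-01/configuration.nix` puts `../pubkeys/remote-builders.keys` into root's authorized keys, so the key other machines use for remote builds is a full root credential on this host. A remote builder normally only needs a dedicated unprivileged user that can talk to the nix daemon; keeping that key out of root's list limits what a compromised build client can do. Consider `users.users.<builder-user>.openssh.authorizedKeys.keyFiles = [ ../pubkeys/remote-builders.keys ];` and pointing the clients' `nix.buildMachines` entries at that user. This predates the commit (the deleted `meta/nodes.nix` already listed `remote-builders` among root admins), so it may be a follow-up rather than a blocker. The enclosing attribute set starts before the first hunk.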
diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix
index 81732ab..9bb13cf 100644
--- a/machines/remote-builder-01/system.nix
+++ b/machines/remote-builder-01/system.nix
@@ -1,7 +1,7 @@
 { pkgs, ... }: {
 # Auto GC and store optimizations
 nix = {
- settings.trusted-users = [ "root" ];
+ trustedUsers = [ "root" ];
 gc = {
 automatic = true;
 dates = "weekly";
diff --git a/meta/default.nix b/meta/default.nix
deleted file mode 100644
index a6ccb51..0000000
--- a/meta/default.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-let
- nodes = import ./nodes.nix;
-in
-
-{ inherit nodes; }
diff --git a/meta/nodes.nix b/meta/nodes.nix
deleted file mode 100644
index c017cc4..0000000
--- a/meta/nodes.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-###
-# File specifying all the deployement options for the nodes administrated by the dgnum.
-#
-# Node metadata template is:
-#
-# NODE_NAME = {
-# adminGroups = []; # List of groups that have root access
-# admins = []; # List of individuals that have root access
-# deployment = {}; # Colmena deployment options
-# nixpkgs = "unstable" or "22.11"; # nixpkgs version
-# }
-
-let
- mkNode = _: attrs: {
- access = [ ];
-
- deployment = { };
-
- nixpkgs = "23.05";
- } // attrs;
-in
-
-builtins.mapAttrs mkNode {
- core-services-01 = {
- admins = [
- "gdd"
- "hubrecht"
- "mrf"
- "raito"
- "sinavir"
- ];
-
- deployment.targetHost = "core01.rz.ens.wtf";
-
- stateVersion = "22.05";
- };
-
- remote-builder-01 = {
- admins = [
- "gdd"
- "raito"
- "sinavir"
- "remote-builders"
- ];
-
- deployment.targetHost = "nix01.builders.rz.ens.wtf";
-
- stateVersion = "21.05";
- };
-
- public-cof = {
- admins = [
- "gdd"
- "hubrecht"
- "mrf"
- "raito"
- "sinavir"
- ];
-
- deployment.targetHost = "beta.rz.ens.wtf";
-
- stateVersion = "21.05";
- };
-}
diff --git a/modules/default.nix b/modules/default.nix
deleted file mode 100644
index bc98724..0000000
--- a/modules/default.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ nix-lib, sources, ... }:
-
-{
- imports = (nix-lib.mkImports ./. [
- "krz-access-control"
- "krz-ssh"
- ]) ++ [
- # TODO: Switch to global version of agenix via npins
- # "${sources.agenix}/modules/age.nix"
- ];
-}
diff --git a/modules/krz-access-control.nix b/modules/krz-access-control.nix
deleted file mode 100644
index 55fd2a3..0000000
--- a/modules/krz-access-control.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-{ config, lib, nix-lib, meta, name, ... }:
-
-let
- inherit (lib)
- mkDefault
- mkEnableOption
- mkIf
- mkOption
-
- types;
-
- nodeMeta = meta.nodes.${name};
- inherit (nodeMeta) admins;
-
- cfg = config.krz-access-control;
-in
-
-{
- options.krz-access-control = {
- enable = mkEnableOption "DGNum access control." // { default = true; };
-
- users = mkOption {
- type = with types; attrsOf (listOf str);
- default = { };
- description = ''
- Attribute set describing which member has access to which user on the node.
- Members must be declared in `meta/members.nix`.
- '';
- example = ''
- {
- user1 = [ "member1" "member2" ];
- }
- '';
- };
- };
-
- config = mkIf cfg.enable {
- # Admins have root access to the node
- krz-access-control.users.root = mkDefault admins;
-
- users.users = builtins.mapAttrs
- (u: members: { openssh.authorizedKeys.keys = nix-lib.getAllKeys members; })
- cfg.users;
- };
-}
-
diff --git a/modules/krz-ssh.nix b/modules/krz-ssh.nix
deleted file mode 100644
index 4124ada..0000000
--- a/modules/krz-ssh.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ config, lib, ... }:
-
-let
- inherit (lib)
- mkEnableOption
- mkIf;
-
- cfg = config.krz-ssh;
-in
-
-{
- options.krz-ssh = {
- enable = mkEnableOption "ssh default configuration." // { default = true; };
- };
-
- config = mkIf cfg.enable {
- services.openssh = {
- enable = true;
-
- settings.PasswordAuthentication = false;
- };
-
- programs.mosh.enable = true;
- };
-}
diff --git a/nix-patches/default.nix b/nix-patches/default.nix
deleted file mode 100644
index 0967ef4..0000000
--- a/nix-patches/default.nix
+++ /dev/null
@@ -1 +0,0 @@
-{}
diff --git a/npins/default.nix b/npins/default.nix
deleted file mode 100644
index 4a7c372..0000000
--- a/npins/default.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-# Generated by npins. Do not modify; will be overwritten regularly
-let
- data = builtins.fromJSON (builtins.readFile ./sources.json);
- version = data.version;
-
- mkSource = spec:
- assert spec ? type; let
- path =
- if spec.type == "Git" then mkGitSource spec
- else if spec.type == "GitRelease" then mkGitSource spec
- else if spec.type == "PyPi" then mkPyPiSource spec
- else if spec.type == "Channel" then mkChannelSource spec
- else builtins.throw "Unknown source type ${spec.type}";
- in
- spec // { outPath = path; };
-
- mkGitSource = { repository, revision, url ? null, hash, ... }:
- assert repository ? type;
- # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
- # In the latter case, there we will always be an url to the tarball
- if url != null then
- (builtins.fetchTarball {
- inherit url;
- sha256 = hash; # FIXME: check nix version & use SRI hashes
- })
- else assert repository.type == "Git"; builtins.fetchGit {
- url = repository.url;
- rev = revision;
- # hash = hash;
- };
-
- mkPyPiSource = { url, hash, ... }:
- builtins.fetchurl {
- inherit url;
- sha256 = hash;
- };
-
- mkChannelSource = { url, hash, ... }:
- builtins.fetchTarball {
- inherit url;
- sha256 = hash;
- };
-in
-if version == 3 then
- builtins.mapAttrs (_: mkSource) data.pins
-else
- throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
diff --git a/npins/sources.json b/npins/sources.json
deleted file mode 100644
index 1df8536..0000000
--- a/npins/sources.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "pins": {
- "agenix": {
- "type": "GitRelease",
- "repository": {
- "type": "Git",
- "url": "https://github.com/ryantm/agenix"
- },
- "pre_releases": false,
- "version_upper_bound": null,
- "version": "0.13.0",
- "revision": "9c9fbfb94b2d545c7f0b78da0254ea0041595795",
- "url": null,
- "hash": "0k6aggy3lhqv6j11cvi4gr0i3jps8hlf262xl9ji3ffxwas46p54"
- },
- "nix-lib": {
- "type": "GitRelease",
- "repository": {
- "type": "Git",
- "url": "https://git.hubrecht.ovh/hubrecht/nix-lib"
- },
- "pre_releases": false,
- "version_upper_bound": null,
- "version": "0.1.1",
- "revision": "5db2443e2cb18335375ad84ffbc066a239c054de",
- "url": null,
- "hash": "18xzi2yn2vk7zq79pgz8z2s1ijhyjcx5866mp21rrdi9gz37yiif"
- },
- "nixos-23.05": {
- "type": "Channel",
- "name": "nixos-23.05",
- "url": "https://releases.nixos.org/nixos/23.05/nixos-23.05.2162.6da4bc6cb07/nixexprs.tar.xz",
- "hash": "198wbl9b7j3k51n0rxs09vy6x535ysqv6kbxf42d9yqr49d2n9vc"
- },
- "nixpkgs": {
- "type": "Channel",
- "name": "nixpkgs-unstable",
- "url": "https://releases.nixos.org/nixpkgs/nixpkgs-23.11pre506668.af8cd5ded77/nixexprs.tar.xz",
- "hash": "0in8bgah6hz47lsa3ka2fslwks174maqdzy8mcmsj0q4wrv8h2s9"
- }
- },
- "version": 3
-}
\ No newline at end of file
diff --git a/shell.nix b/shell.nix
deleted file mode 100644
index e29954b..0000000
--- a/shell.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-let
- sources = import ./npins;
- pkgs = import sources.nixpkgs { };
-in
-
-pkgs.mkShell {
- packages = with pkgs; [
- npins
- colmena
- nixos-generators
- ] ++ (builtins.map (p: callPackage p { }) [
- ]);
-
- allowSubstitutes = false;
-}