diff --git a/.envrc b/.envrc deleted file mode 100644 index 1d953f4..0000000 --- a/.envrc +++ /dev/null @@ -1 +0,0 @@ -use nix diff --git a/.gitignore b/.gitignore index 726d2d6..b2be92b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ result -.direnv diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md deleted file mode 100644 index 46ce2a1..0000000 --- a/CONTRIBUTING.md +++ /dev/null @@ -1 +0,0 @@ -Maurice écoute les conventions de Ryan \ No newline at end of file diff --git a/README.md b/README.md index 9baf068..0a227f8 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,6 @@ Refer to wiki for details. - `core-services-01` -- `public-cof` - `remote-builder-01` ## How to deploy a machine? diff --git a/hive.nix b/hive.nix deleted file mode 100644 index fdc3708..0000000 --- a/hive.nix +++ /dev/null 
@@ -1,57 +0,0 @@ -let - sources = import ./npins; - metadata = import ./meta; - - lib = import (sources.nix-lib + "/trivial.nix"); - - mkNode = node: { name, nodes, ... }: { - # Import the base configuration for each node - imports = builtins.map (lib.mkRel ./machines/${node}) [ - "_configuration.nix" - "_hardware-configuration.nix" - ]; - - # Include default secrets - # dgn-secrets.sources = [ ./machines/${node}/secrets ]; - - # Deployment config is specified in meta.nodes.${node}.deployment - inherit (metadata.nodes.${node}) deployment; - - # Set NIX_PATH to the patched version of nixpkgs - nix.nixPath = [ "nixpkgs=${mkNixpkgs node}" ]; - - # Use the stateVersion declared in the metadata - system.stateVersion = metadata.nodes.${node}.stateVersion; - }; - - mkNixpkgs = node: - let version = "nixos-${metadata.nodes.${node}.nixpkgs}"; in - (import sources.${version} { }).applyPatches { - name = "${version}-patched"; - src = sources.${version}; - patches = (import ./nix-patches).${version} or [ ]; - }; - - mkNixpkgs' = node: import (mkNixpkgs node) { }; - - mkArgs = node: { - nix-lib = import sources.nix-lib { inherit ((mkNixpkgs' node)) lib; keysRoot = ./keys; }; - }; - - nodes = builtins.attrNames metadata.nodes; -in - -{ - meta = { - nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes; - - specialArgs = { inherit sources; meta = metadata; }; - - nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes; - }; - - defaults = { ... }: { - # Import the default modules - imports = [ ./modules ]; - }; -} // (lib.mapSingleFuse mkNode nodes) diff --git a/keys/hubrecht.keys b/keys/hubrecht.keys deleted file mode 100644 index 07fbe76..0000000 --- a/keys/hubrecht.keys +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv3iSpIjeUVDf+f89Hb/L++vzMX15Ti/PZTjAAG+tFl diff --git a/keys/sinavir.keys b/keys/sinavir.keys deleted file mode 100644 index 471d054..0000000 --- a/keys/sinavir.keys +++ /dev/null 
@@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o diff --git a/krops.nix b/krops.nix new file mode 100644 index 0000000..770fcff --- /dev/null +++ b/krops.nix @@ -0,0 +1,35 @@ +let + krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; }; + lib = import "${krops}/lib"; + pkgs = import "${krops}/pkgs" { }; + source = machine: + lib.evalSource [{ + config.file = toString ./machines; + nixos-config.symlink = "config/${machine}/configuration.nix"; + nixpkgs.git = { + clean.exclude = [ "/.version-suffix" ]; + ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable + url = "https://github.com/NixOS/nixpkgs"; + }; + }]; + mkTestConfig = hostname: { + name = "test-${hostname}"; + value = pkgs.krops.writeTest "test-${hostname}" { + source = source hostname; + target = lib.mkTarget { + host = "localhost"; + path = "/tmp/src"; + }; + force = true; # force create the sentinel file. + }; + }; + mkTestsConfig = hostnames: builtins.listToAttrs (map mkTestConfig hostnames); + mkDeploy = hostname: target: { ${hostname} = pkgs.krops.writeDeploy "deploy-${hostname}" { + source = source hostname; + inherit target; + }; }; +in {} +// mkDeploy "core-services-01" "root@10.1.1.20" +// mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" +// mkDeploy "public-cof" "root@beta.rz.ens.wtf" +// mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] diff --git a/machines/core-services-01/_configuration.nix b/machines/core-services-01/configuration.nix similarity index 53% rename from machines/core-services-01/_configuration.nix rename to machines/core-services-01/configuration.nix index 3c7162e..8af8554 100644 --- a/machines/core-services-01/_configuration.nix +++ b/machines/core-services-01/configuration.nix 
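Review bot: `krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; };` on the second line of krops.nix pins neither `ref` nor `rev`, so every evaluation pulls whatever that remote's default branch currently is, and the tool that then runs as root on all three deploy targets is unpinned while the nixpkgs source a few lines below is pinned to a commit. Pin it the same way, e.g. `krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; ref = "master"; rev = "<krops-commit-to-pin>"; };`, with the placeholder replaced by a reviewed commit. A one-line comment next to the nixpkgs `ref` recording the date it was bumped would make future updates easier to audit than the bare channel name.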
@@ -1,36 +1,35 @@ { config, pkgs, lib, ... }: { - imports = [ - ./acme-dns.nix - ./acme-ssl.nix - ./backups.nix - # ./dex.nix - ./dns.nix - ./gitea.nix - ./headscale.nix - ./keycloak.nix - ./matterbridge.nix - ./monitoring.nix - # ./netboot-server.nix - ./network.nix - ./nginx.nix - ./nur.nix - ./oauth2_proxy.nix - ./programs.nix - ./qemu.nix - ./rz.nix - ./secrets - ./snipe-it.nix - ./system.nix - ./tunnels.nix - - # TODO push to gitea - # TODO ./gotify.nix - # TODO(Raito): ./backups.nix - # TODO(Raito): ./snmp.nix - # TODO(Raito): ./sflow.nix? - ]; + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ./nur.nix + ./rz.nix + ./monitoring.nix + ./programs.nix + ./system.nix + ./acme-ssl.nix + ./dns.nix + ./netboot-server.nix + ./qemu.nix + ./gitea.nix + ./dokuwiki.nix + ./nginx.nix + ./keycloak.nix + ./acme-dns.nix + ./backups.nix + ./headscale.nix + # ./dex.nix + ./oauth2_proxy.nix + ./secrets + ./matterbridge.nix + # TODO push to gitea + # TODO ./gotify.nix + # TODO(Raito): ./backups.nix + # TODO(Raito): ./snmp.nix + # TODO(Raito): ./sflow.nix? + ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; 
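Review bot: The new import list still carries `./backups.nix` as an active import and, six lines later, `# TODO(Raito): ./backups.nix` as an open item, so one of the two is stale and should be removed. The list also enables `./netboot-server.nix`, previously commented out, which (per the netboot-server.nix hunk later in this diff) serves an image whose sshd comes up with root keys; with `networking.firewall.enable = false;` further down this file, a comment on that import line stating which network the image is served on would make the exposure reviewable. The rest of the configuration set continues outside the hunk.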
@@ -74,11 +73,25 @@ services.zfs.autoScrub.enable = true; + # Enable the OpenSSH daemon. + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ./pubkeys/gdd.keys + ./pubkeys/raito.keys + ./pubkeys/mrf.keys + ]; + # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. networking.firewall.enable = false; - system.stateVersion = "22.05"; + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "20.09"; # Did you read the comment? } diff --git a/machines/core-services-01/dokuwiki.nix b/machines/core-services-01/dokuwiki.nix new file mode 100644 index 0000000..1ad68e0 --- /dev/null +++ b/machines/core-services-01/dokuwiki.nix @@ -0,0 +1,28 @@ +{ config, ... }: + +let + my = config.my; +in +{ + services.dokuwiki.sites."wiki.${my.subZone}" = { + enable = true; + acl = '' + * @ALL 1 + * @admin 16 + ''; + }; + + /* + services.nginx = { + enable = true; + + virtualHosts."wiki.${my.subZone}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "htttp://127.0.0.1:${toString port}"; + }; + }; + }; + */ +} diff --git a/machines/core-services-01/fix-crc-computation.patch b/machines/core-services-01/fix-crc-computation.patch new file mode 100644 index 0000000..85a6a7e --- /dev/null +++ b/machines/core-services-01/fix-crc-computation.patch 
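Review bot: `system.stateVersion = "20.09";` at the end of the hunk moves an already-deployed host from "22.05" to "20.09", which the comment block pasted just above it advises against; stateVersion selects defaults for stateful services, notably the PostgreSQL version that gitea and keycloak on this host depend on, so the next switch may expect a different database version than the one on disk. If "20.09" is the value this machine was first installed with and the commit is a revert, record that next to it (`system.stateVersion = "20.09"; # first install was 20.09, do not bump`); otherwise keep "22.05". The added root `authorizedKeys.keyFiles` are fine as written provided the sshd `permitRootLogin` setting stays at the NixOS default, which this hunk does not touch.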
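Review bot: The commented-out nginx block at the bottom of dokuwiki.nix contains `proxyPass = "htttp://127.0.0.1:${toString port}";` with a misspelled scheme and a `port` that is not bound anywhere in the file, so it fails the moment someone uncomments it; either fix it (`proxyPass = "http://127.0.0.1:${toString port}";` plus a `port` binding in the `let`) or delete it rather than keep dead code. The ACL `* @ALL 1` grants read access to every unauthenticated visitor of wiki.${my.subZone}; if the wiki is meant to be internal that line should be `* @ALL 0` with read granted to a group. A short header comment stating who may read and who administers the wiki would make the intent clear.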
@@ -0,0 +1,51 @@ +From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Wed, 30 Mar 2022 11:14:53 -0700 +Subject: [PATCH] Correct incorrect inputs provided to the CRC functions. + +The previous releases of zlib were not sensitive to incorrect CRC +inputs with bits set above the low 32. This commit restores that +behavior, so that applications with such bugs will continue to +operate as before. +--- + crc32.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/crc32.c b/crc32.c +index a1bdce5c2..451887bc7 100644 +--- a/crc32.c ++++ b/crc32.c +@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) + #endif /* DYNAMIC_CRC_TABLE */ + + /* Pre-condition the CRC */ +- crc ^= 0xffffffff; ++ crc = (~crc) & 0xffffffff; + + /* Compute the CRC up to a word boundary. */ + while (len && ((z_size_t)buf & 7) != 0) { +@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) + #endif /* DYNAMIC_CRC_TABLE */ + + /* Pre-condition the CRC */ +- crc ^= 0xffffffff; ++ crc = (~crc) & 0xffffffff; + + #ifdef W + +@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2) + #ifdef DYNAMIC_CRC_TABLE + once(&made, make_crc_table); + #endif /* DYNAMIC_CRC_TABLE */ +- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2; ++ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff); + } + + /* ========================================================================= */ +@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op) + uLong crc2; + uLong op; + { +- return multmodp(op, crc1) ^ crc2; ++ return multmodp(op, crc1) ^ (crc2 & 0xffffffff); + } diff --git a/machines/core-services-01/gitea.nix b/machines/core-services-01/gitea.nix index 26402d0..9835ac1 100644 --- a/machines/core-services-01/gitea.nix +++ b/machines/core-services-01/gitea.nix 
@@ -13,11 +13,8 @@ in httpAddress = "127.0.0.1"; httpPort = port; database.type = "postgres"; + disableRegistration = false; settings = { - service.DISABLE_REGISTRATION = false; - log = { - level = "Warn"; - }; openid = { ENABLE_OPENID_SIGNUP = true; }; diff --git a/machines/core-services-01/_hardware-configuration.nix b/machines/core-services-01/hardware-configuration.nix similarity index 100% rename from machines/core-services-01/_hardware-configuration.nix rename to machines/core-services-01/hardware-configuration.nix diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index 7bf36d0..e7d48e5 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix @@ -32,13 +32,6 @@ in enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; - - extraConfig = '' - # For large authentication-authorization headers - proxy_buffer_size 128k; - proxy_buffers 4 256k; - proxy_busy_buffers_size 256k; - ''; }; }; } diff --git a/machines/core-services-01/matterbridge.nix b/machines/core-services-01/matterbridge.nix index 06b31e6..7eefba1 100644 --- a/machines/core-services-01/matterbridge.nix +++ b/machines/core-services-01/matterbridge.nix @@ -28,7 +28,7 @@ let startScript = pkgs.writeShellScriptBin "start" '' ${manageSecrets ./matterbridge.toml "$CREDENTIALS_DIRECTORY/secrets" "$RUNTIME_DIRECTORY/conf.toml" - [ "SECRET_MATTERMOST_KLUBRZ_WEBHOOK" "SECRET_MATTERMOST_DGNUM_WEBHOOK" ]}/bin/preStart + [ "SECRET_MATTERMOST_WEBHOOK" ]}/bin/preStart ${pkgs.matterbridge}/bin/matterbridge -conf $RUNTIME_DIRECTORY/conf.toml ''; in { diff --git a/machines/core-services-01/matterbridge.toml b/machines/core-services-01/matterbridge.toml index 748d0a7..d4b9ab8 100644 --- a/machines/core-services-01/matterbridge.toml +++ b/machines/core-services-01/matterbridge.toml 
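Review bot: `disableRegistration = false;` keeps self-registration open on this Gitea instance, and with `openid.ENABLE_OPENID_SIGNUP = true` left in place any Keycloak account can also create a Gitea account on first login; that is presumably intended, but it deserves a comment, e.g. `disableRegistration = false; # open signup intended: accounts come from Keycloak`. Dropping `log.level = "Warn"` returns logging to the Gitea default, which is considerably noisier; if that was not the goal, keep the level under `settings.log`. The enclosing `services.gitea` block starts outside the hunk.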
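Review bot: Removing the `proxy_buffer_size`/`proxy_buffers`/`proxy_busy_buffers_size` block from the Keycloak vhost's `locations."/"` leaves nginx on its default proxy buffers, and Keycloak login responses with large Set-Cookie and authorization headers can exceed those, which surfaces as "upstream sent too big header" 502s; the same removal happens in the monitoring.nix vhost later in this diff (`locations."/".proxyPass = "http://localhost:19999";`). If the buffers were only dropped because the surrounding option shape changed, keep them as `extraConfig = "proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k;";` inside the location. The enclosing `virtualHosts` set starts outside the hunk.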
@@ -7,16 +7,11 @@ PrefixMessagesWithNick=true RemoteNickFormat="<{NICK}> " [mattermost] - [mattermost.merle_klubrz] - WebhookURL="SECRET_MATTERMOST_KLUBRZ_WEBHOOK" + [mattermost.merle] + WebhookURL="SECRET_MATTERMOST_WEBHOOK" WebhookBindAddress="0.0.0.0:52187" PrefixMessagesWithNick=false RemoteNickFormat="{NICK}" - [mattermost.merle_dgnum] - WebhookURL="SECRET_MATTERMOST_DGNUM_WEBHOOK" - WebhookBindAddress="0.0.0.0:52188" - PrefixMessagesWithNick=false - RemoteNickFormat="{NICK}" [[gateway]] name="réseau" enable=true @@ -24,15 +19,5 @@ enable=true account="irc.ulminfo" channel="#réseau" [[gateway.inout]] - account="mattermost.merle_klubrz" - channel="town-square" - -[[gateway]] -name="dgnum" -enable=true - [[gateway.inout]] - account="irc.ulminfo" - channel="#dgnum" - [[gateway.inout]] - account="mattermost.merle_dgnum" + account="mattermost.merle" channel="town-square" diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 7015efa..47b7953 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -34,21 +34,7 @@ let }; in { - services.netdata = { - enable = true; - #package = pkgs.netdata.overrideAttrs (old: { - # version = "1.36.0-185-nightly"; - # src = pkgs.fetchFromGitHub { - # owner = "netdata"; - # repo = "netdata"; - # rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; - # sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; - # fetchSubmodules = true; - # }; - #}); - }; - - systemd.services.netdata.environment."NETDATA_DISABLE_CLOUD" = "1"; + services.netdata.enable = true; # Allow WireGuard VPN networking.firewall.allowedUDPPorts = [ 51820 ]; 
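Review bot: Collapsing the netdata block to `services.netdata.enable = true;` also deletes `systemd.services.netdata.environment."NETDATA_DISABLE_CLOUD" = "1";`, which is an independent setting that stopped the agent from trying to register with Netdata Cloud; the new side re-enables that outbound connection. If the cloud integration is not wanted, keep that line next to the enable, or disable cloud in netdata's own configuration for the version shipped by the pinned nixpkgs. Unless joining Netdata Cloud was the intent, I would restore the environment line.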
@@ -73,23 +59,20 @@ in ]; }; + systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [ + "netdata" + "stream" + "health_alarm_notify" + ]; + environment.etc."netdata/netdata.conf" = lib.mkForce { user = "netdata"; group = "netdata"; mode = "0600"; text = '' - [db] - mode = dbengine - storage tiers = 3 - update every = 1 - dbengine multihost disk space MB = 23000 - dbengine page cache size MB = 384 - dbengine tier 1 update every iterations = 60 - dbengine tier 1 multihost disk space MB = 10000 - dbengine tier 1 page cache size MB = 384 - dbengine tier 2 update every iterations = 3600 - dbengine tier 2 multihost disk space MB = 5000 - dbengine tier 2 page cache size MB = 384 + [global] + page cache size = 32 + dbengine multihost disk space = 23058 ''; }; @@ -118,7 +101,7 @@ in mode = "0600"; text = '' # External tools - nc="${pkgs.nmap}/bin/nc --ssl" + nc="${pkgs.netcat}/bin/nc" # IRC configuration SEND_IRC="YES" 
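Review bot: `nc="${pkgs.netcat}/bin/nc"` replaces nmap's `nc --ssl`, so the IRC alarm notifications enabled by `SEND_IRC="YES"` on the next lines now go over a plaintext TCP connection; the alert contents, and any NickServ password or channel key set in the IRC section further down the file, cross the network unencrypted. If the IRC server configured below is reached over the Internet, keep a TLS-capable client (`nc="${pkgs.nmap}/bin/nc --ssl"`) rather than plain netcat. The rest of the health_alarm_notify.conf is outside the hunk, so whether the server is on a local network cannot be checked here.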
@@ -132,25 +115,18 @@ in services.oauth2_proxy = { enable = true; keyFile = config.age.secrets.oauth2ProxyKeyFile.path; - provider = "keycloak-oidc"; + provider = "keycloak"; email.domains = [ "*" ]; - cookie = { - name = "_oauth2_proxy_ensrz"; - domain = ".rz.ens.wtf"; - }; setXauthrequest = true; - scope = "openid"; + scope = "profile"; + loginURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/auth"; + redeemURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/token"; + profileURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo"; + validateURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo"; redirectURL = "https://monitoring.${my.subZone}/oauth2/callback"; reverseProxy = true; passHostHeader = true; - extraConfig = { - whitelist-domain = [ ".rz.ens.wtf" ]; - oidc-issuer-url = "https://auth.${my.subZone}/auth/realms/${realm}"; - # insecure-oidc-allow-unverified-email = true; - show-debug-on-error = true; - }; - nginx = { virtualHosts = [ "monitoring.${my.subZone}" ]; }; @@ -163,15 +139,7 @@ in enableACME = true; forceSSL = true; - locations."/" = { - proxyPass = "http://localhost:19999"; - extraConfig = '' - # For large authentication-authorization headers - proxy_buffer_size 128k; - proxy_buffers 4 256k; - proxy_busy_buffers_size 256k; - ''; - }; + locations."/".proxyPass = "http://localhost:19999"; }; }; diff --git a/machines/core-services-01/my.nix b/machines/core-services-01/my.nix index 4ac6d20..994190f 100644 --- a/machines/core-services-01/my.nix +++ b/machines/core-services-01/my.nix 
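Review bot: `provider = "keycloak";` together with `validateURL` and `profileURL` both pointing at the userinfo endpoint switches from the OIDC provider, which verified the ID token against the `oidc-issuer-url` this hunk removes, to the legacy Keycloak provider that accepts whatever userinfo returns for a bearer token; the proxy no longer checks issuer or audience itself, so the session is only as strong as that endpoint's token validation. If the oauth2-proxy in the pinned nixpkgs still offers `keycloak-oidc`, keeping `provider = "keycloak-oidc";` with `extraConfig.oidc-issuer-url` is the safer configuration. Either way, a comment on the provider line explaining why the legacy provider is used would stop the next upgrade from silently undoing the choice. The `services.oauth2_proxy` block continues outside the hunk.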
@@ -99,4 +99,24 @@ in example = [ "10.1.0.0/22" ]; }; }; + + config = { + # Default IPv4 exit route + networking.defaultGateway = { + address = ""; + interface = "ens18"; + }; + + networking.interfaces.ens20 = { + ipv4.addresses = map mkAddress cfg.ipv4InternalFull; + }; + + networking.interfaces.ens19 = { + ipv6.addresses = map mkAddress (cfg.ipv6.standardFull ++ [ cfg.ipv6.acmeFull ]); + }; + + networking.interfaces.ens18 = { + ipv4.addresses = map mkAddress cfg.ipv4Full; + }; + }; } diff --git a/machines/core-services-01/netboot-server.nix b/machines/core-services-01/netboot-server.nix index 1c28cd8..5b291bf 100644 --- a/machines/core-services-01/netboot-server.nix +++ b/machines/core-services-01/netboot-server.nix @@ -13,8 +13,8 @@ let # Enable sshd wich gets disabled by netboot-minimal.nix systemd.services.sshd.wantedBy = mkOverride 0 [ "multi-user.target" ]; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../pubkeys/gdd.keys - ../pubkeys/raito.keys + ./pubkeys/gdd.keys + ./pubkeys/raito.keys ]; programs.mosh.enable = true; diff --git a/machines/core-services-01/network.nix b/machines/core-services-01/network.nix deleted file mode 100644 index da02165..0000000 --- a/machines/core-services-01/network.nix +++ /dev/null @@ -1,43 +0,0 @@ -{ config, ... }: - -let - inherit (config) my; -in - -{ - networking.useNetworkd = true; - - systemd.network.networks = { - "10-ens18" = { - name = "ens18"; - address = my.ipv4Full; - DHCP = "ipv4"; - }; - - "10-ens19" = { - name = "ens19"; - address = with my.ipv6; standardFull ++ [ acmeFull ]; - - networkConfig.IPv6AcceptRA = true; - - ipv6AcceptRAConfig = { - UseOnLinkPrefix = false; - UseAutonomousPrefix = false; - }; - }; - - "10-ens20" = { - name = "ens20"; - address = my.ipv4InternalFull; - DHCP = "ipv4"; - dhcpV4Config.RouteMetric = 2048; - routes = [ - { - routeConfig = { - Destination = "10.0.0.0/8"; - }; - } - ]; - }; - }; -} 
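Review bot: `networking.defaultGateway.address = "";` gives the IPv4 default route an empty next hop, so the scripted networking either rejects the value or installs no usable default route, and either way the host loses IPv4 egress on the next switch; fill in the real gateway (`address = "<ipv4-gateway>";`, the value is not recoverable from the diff) or derive it from `cfg` like the address lists do. The deleted network.nix also carried the ens19 `IPv6AcceptRA` settings, the 10.0.0.0/8 route and the ens20 route metric, none of which reappear in this `config` block; if they are still needed, the route belongs under `networking.interfaces.ens20.ipv4.routes`. `mkAddress` and `cfg` are bound outside the hunk.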
diff --git a/keys/gdd.keys b/machines/core-services-01/pubkeys/gdd.keys similarity index 100% rename from keys/gdd.keys rename to machines/core-services-01/pubkeys/gdd.keys diff --git a/keys/hackens-milieu.keys b/machines/core-services-01/pubkeys/hackens-milieu.keys similarity index 100% rename from keys/hackens-milieu.keys rename to machines/core-services-01/pubkeys/hackens-milieu.keys diff --git a/keys/mrf.keys b/machines/core-services-01/pubkeys/mrf.keys similarity index 100% rename from keys/mrf.keys rename to machines/core-services-01/pubkeys/mrf.keys diff --git a/keys/raito.keys b/machines/core-services-01/pubkeys/raito.keys similarity index 100% rename from keys/raito.keys rename to machines/core-services-01/pubkeys/raito.keys diff --git a/machines/core-services-01/secrets/default.nix b/machines/core-services-01/secrets/default.nix index a02981b..452d42e 100644 --- a/machines/core-services-01/secrets/default.nix +++ b/machines/core-services-01/secrets/default.nix @@ -5,6 +5,4 @@ age.secrets.droneKeyFile.file = ./droneKeyFile.age; age.secrets.dexGiteaClientSecret.file = ./dexGiteaClientSecret.age; age.secrets.matterbridge.file = ./matterbridge.age; - age.secrets.snipeItAppKey.file = ./snipeItAppKey.age; - age.secrets.snipeItOidcClientSecret.file = ./snipeItOidcClientSecret.age; } diff --git a/machines/core-services-01/secrets/dexGiteaClientSecret.age b/machines/core-services-01/secrets/dexGiteaClientSecret.age index f080423..daef2a2 100644 Binary files a/machines/core-services-01/secrets/dexGiteaClientSecret.age and b/machines/core-services-01/secrets/dexGiteaClientSecret.age differ diff --git a/machines/core-services-01/secrets/droneKeyFile.age b/machines/core-services-01/secrets/droneKeyFile.age index d002a2f..5797e6e 100644 Binary files a/machines/core-services-01/secrets/droneKeyFile.age and b/machines/core-services-01/secrets/droneKeyFile.age differ 
diff --git a/machines/core-services-01/secrets/keycloakDatabasePasswordFile.age b/machines/core-services-01/secrets/keycloakDatabasePasswordFile.age index af7c0f5..2007cba 100644 --- a/machines/core-services-01/secrets/keycloakDatabasePasswordFile.age +++ b/machines/core-services-01/secrets/keycloakDatabasePasswordFile.age 
@@ -1,30 +1,26 @@ age-encryption.org/v1 +-> ssh-ed25519 lHr4YQ S/Kuy8PdLoLLRDvlDDyuDaGXGb0RMBJKo9XyHK2I0Bg +VFjemRE9hOc/fEol+2OAjM6d/5QLPeeo0ytdgcwa8Zs +-> ssh-ed25519 h6AgbA ParmcGdbVHdvihrEuV+nLBLDnTwKR+zoxc/O0LdrUhA +L1kL6sr4ak1DTTaui9k6tpPJ1p86bKAoOcPwCJu7vr0 +-> ssh-ed25519 Wu8JLQ hTPuIn+IogmX6U16p3EQ/9C/L+X7dZaQaBrEAdq4twM +QhnuGbpuqpFFujNlXSDUDMEGHK875Sr5hHX/q2ShkhU +-> ssh-ed25519 cvTB5g P8av9KTsR9ccIRPz0TABQF3EfeO+cyn+Od+shxeatEk +GnExLTBOicvRs7neFPL/GLxE6hqpdqNV8P4nWRbMjKU +-> ssh-ed25519 /vwQcQ WE0fxso39H7ZyYwJ8eNnmrLgf0xL5AdpHZ1mrvbiPyQ +y4GjFZuYtiGg6cY8ZTOKHbYjjFJoFI5W4IF7np/OB/8 +-> ssh-ed25519 reTIKw LxM4ihcAb5u6rKqtrOUZ7/4XXoMVbf/HHhby/i9Xbn4 +O8KkO/99T2lBttsADSTJE/18ljFrUjrJWhK7peehei8 +-> ssh-ed25519 85WiGg +GtCSdOR7TTwu+zTvwOoRhOE0iLwB7JuFaZkP8cP+Fk +0GCjcBgOPeynvAUDmEioWPJMhZWGchKKukGGXHCBEUU -> ssh-rsa krWCLQ -2Ak0HJ0WoUuCQkjBPjRgrFQmHSBP7Lzhwp8JZ22lSDLO4OzGLuyGnmI6f+x3mhSM -UP4X4fz98ygYaPTKHzgs+ALgoe0ZOzIRcrBYKyAmI92iuVk8QJrGBaFsi2e/quur -oRaQybPXCqbGeaFhLY74RHmtbby5zzbQnw8f5DRKn3oFDYgCUMOKdTPI3vsUDd6t -dLmFCWEhGFMwI9bve7bVeu2yKMWpOIIsVgkabSy9EQ0gEUwoXkrGNpc+QqqR2qbJ -qaLok3zO+giVKrzl6+/Z/tzHQ66mUTIZAD7HmRFMqBRBqo2heCtviGyu7NPXhb/T -vTVzgL7fsrkaYd59O7BCSg --> ssh-ed25519 85WiGg UgubbGKRmcFV5N/Vyo/HEBtGG0GOvZS5dSDnYoWzeSk -N2CZ/ZJJLRTdwBDCVNrXGp8ic0T7ZHx+DfPcXLeEvXQ --> ssh-ed25519 reTIKw zl6eZh6NG2Y21AElt+Ag7gzDmtzXP0h1RjhVzaiHUg0 -PJU/i8Za/JwrCLXcH0vtG8CDxv3MDHCzEYiNIhperC4 --> ssh-ed25519 /vwQcQ RS4rv5dnajCSAdcFj96HOcMBHySk5yBrmepNdlOcsWg -M+dCeQCP3rl4oT8IrkParBnaaTfUNbWpgvbLou/qSp0 --> ssh-ed25519 cvTB5g ZR5ayyiP10Dec6Tg2HYcl5q0dkLSvOgRxeeVxC1Plj8 -aiY/6wY4rmB75NRzcbFPKu7nTLKZhgqOuqAZm+9UnTs --> ssh-ed25519 Wu8JLQ 4nFItVARcWbkkuyaUcgdesLSOmiomY0Ht2LxXX1/L0A -dK2/4X6OFbn4Y3gVK5zKRV3KySiCHzGnGewhZmqETrE --> ssh-ed25519 vXYJfA k1ANIqwNaMjipiCobpBWMlhbCyudoy7vpuajDK7mLiQ -uudD1Bk1+EWmL3o7VH6YSbv1WRCw6tsDV0HoQ/zwXwg --> ssh-ed25519 h6AgbA EvhvmT6dx3HAqioaFvT5u94cTk8okjhGgzyxXZF8LyE -R/xTeW/rJEl50kG8e0n3NOGpX9XI13Ftq7ULYNHVaCM --> ssh-ed25519 
lHr4YQ WyG8hEoGZuNvroTdmC8RST7l/Tu7UUXgeG3AfLA0p2o -qk7YeUkrOsRbqnYXFXZAkiOaW6rvKnSaZGSiBw30b5E --> V9T>@4JS-grease @h!7BAa9 -nPtMdfgbktgg20WlJBrQlhTDMI8/i31JEDnZjF4u7RidDSJ5lxzH8zI+411CQ+K5 -exQ ---- YY6c8/qxiWxaK31KW+3QP6240bmnDJZ9EXrG7dnyJcE -N|J -ZZ6#kyH; \ No newline at end of file +bSk43qTcHFgrS7AeXTzUbx5FO/1YrLuRlm58lcXpTTKcRMZWKmFbPTVNdIvkT4xt +B6HW0OqV/Ks1pbeJUCPRdLwYHYULEC4quRGlgeToXoUQ8zCvcPT6uikpK0Hzne7e +WI5MLdS3vvAPljlSSaPN8gb3yiPgA2IPrHjqIsMNkotGFjUQ/oIyJ8YcDsSfGE2T +Z8+TOj4ZNxPda2hX7mL2x2dJmmQW5FkOVtSpSyvwpkOqPOi6b5vZaWu/GtXzGEhD +SD6SALiqmWkCHb8n588XDqKj8Lj/741R24f8IM8qW9cBz4QClh3Bnrl4gendsUCp +PkQPjniidi/aF6sHhfrSNg +-> |#4-grease y%'e^I RB nBNinf \dob +L2HkuH7S3KtuQN9AWLBL99nJPxVw +--- +QOdyAz8FR0RecYvvkzxv2IzJ9yt89/xePALK3l7sjs +&,NpJ~ ƅ˜*,؆5:i W}m"Q-FJm \ No newline at end of file diff --git a/machines/core-services-01/secrets/matterbridge.age b/machines/core-services-01/secrets/matterbridge.age index 526ab31..1071c43 100644 Binary files a/machines/core-services-01/secrets/matterbridge.age and b/machines/core-services-01/secrets/matterbridge.age differ diff --git a/machines/core-services-01/secrets/oauth2ProxyKeyFile.age b/machines/core-services-01/secrets/oauth2ProxyKeyFile.age index 2b687e2..a62c1af 100644 --- a/machines/core-services-01/secrets/oauth2ProxyKeyFile.age +++ b/machines/core-services-01/secrets/oauth2ProxyKeyFile.age 
@@ -1,28 +1,26 @@ age-encryption.org/v1 +-> ssh-ed25519 lHr4YQ f3xLHRyIx6oPATsv5yBq+pWpDkwJ2xt3axevMNjIUgA +RK2bLPZ1dwDExqbQ1Mft2Z9xGHpxSTDuTv0AgplnFzw +-> ssh-ed25519 h6AgbA fPy5Lv6ZcYB9xDyeHNTueRKTvvC6OyCrkHzF85dmhh8 +VzMkn6iaC+gwDXkaCzh7ILTdWMBqUYvYmrQPbiB+82k +-> ssh-ed25519 Wu8JLQ BSn5p0Wuv8CuiHJ6AdLuBLOst/2/mK1fs+zmgYao6kg +m/NfBqLzcyTad8UbiDSMI3EmcHWccpgV/wRKKeSO6bQ +-> ssh-ed25519 cvTB5g GP3EP+t8uJFKGAKBwwO7CmXa3JGTFePTANSINPdQuAA +DoGUKpuZTQ36hM4B7eqwbfGGKM+pxsYtoL5UjEeVdD0 +-> ssh-ed25519 /vwQcQ K8J9qbUjPPhuYZ4/2rGZWX4Fb60WZACwmFPGXUT9Yjw +N6lTZVDVxTfZTSagaOi4dbVzylljwGWAd06GbeVloRY +-> ssh-ed25519 reTIKw +7n56fmzzYOkArtH0Zeh26zHlE/lWz1gqyoCZEMMRDA +E6/dLGVaryFfqf+7DmwKghtGmtUUGpMFFwaZc3OvJ/c +-> ssh-ed25519 85WiGg aHBishjeSTuv/TYVcZQzALC8DHPbYHf9dj+igMnkkn4 +HwmPoIqV3Y/34Azf892K9nGJ1hh2KWAh3IzLiGVKeOs -> ssh-rsa krWCLQ -U2lxIvw7gRCjMGutUFyq+qGiCIFlbsPdbfzqy7b27d17aSjXds3WwMPUQajHMGXl -tmM/gDCOV8aY+EkM8nQIKdSGNZPwWHlqFyBpH7b18xTT+sWLBZnKcQqVzdF5n1yH -s6LjbcstDiCy3h20hfOjoi+qvK8AGbWnLueDI4g/BWCLBUmAC6zPX04GFAstzg8e -b8wcTCsaeVJkEVvI9caJsFpoxKttbjWUOb2jOzquyi1vIc50vWBNLlulzf0Cd523 -niyjvtEyVRmHjTqs2D97DLuKEE0U8x1ecI7FUwyDQWFj4RmmoKm7TOvGva+alol/ -mclOlWBaMuji0SWwR4GQyQ --> ssh-ed25519 85WiGg oTAqEjy2kEYw0EEDFzmv3EYWY3gKNDGsWbztSN6DG3o -+Q5hzzJVgdtFiNtbC37n9tZsNK+onqp4P0myPLpGU0g --> ssh-ed25519 reTIKw SOCoiYn2OZ0WbtgQFsJE6m5lbeat36SVF8Om6NHha1I -BLsO5DrNci2ShXI3wBb6u6Advjc7sOCXEBd6mSawkEs --> ssh-ed25519 /vwQcQ zXWEMSbRm2mI4KoMj2tbqP26LTAcxeyLUv5b/UzTaiY -HMOyH5OV0XmQsLOtzIsHf3UFYKUoEswt1a6JOu/gl8w --> ssh-ed25519 cvTB5g 1HPXsPtGaCCHPHEXQKVNLRGXb28S3hXUAyT26No80gE -NwPkRoRdd2juOWHyJV2aNwVQzGvwpf29mKtcyKSUHKc --> ssh-ed25519 Wu8JLQ tio1Sb9rHwAvoDRH783Ts9S+mS2MWnsqw/L4/To1lgc -Tfx0a/UKGiiMsp8rkhbaLpsS4JJIgMeWCDRZ1CxWSHc --> ssh-ed25519 vXYJfA GnXJG4bbDQxls3yLVd22CHmrrkAZYQNbXcpr0iH/8HY -uyr6VTHwfU7FjA29IJM9EP37K+QyiWIrG6CUpWyi4o0 --> ssh-ed25519 h6AgbA p/FApRwDrQNMdSPYV2U+CyGqdYZG+enC/TJ+Ht5RtCE -T6e2S9gZVi24ayGzKGHL19Ezv//f/0+BUAnkCf6g8No --> ssh-ed25519 
lHr4YQ JQXWGrVi8YLfI0DWfdyuxKPGVa+SvHIm95YGzsyvdho -yvQpw/1GuVOqBBFwflDXvcIhuw0ABqqwByJH/VPRICg --> J9VGuOkA-grease - ---- aKOWgh7PjxocWWeImr1UYJhhFMlzDJXvP+Jfbrl3Zzc -7T0ZH48ntjlh}J_궞PMw%tgm=[+nbeH`ёyMe\WU7ӵLB 2o]cS~է2C5Mybi62~:BFh1B'lm`fKvsy%!2~$\^ \ No newline at end of file +A2IHEB1lR/eHwOM1adPnvYZUmJ9Gf8ADZvOpzHmxVC54VP5EZLnzpcdzIKlM4qOe +vYs7PdGJ56iGd3JS2khyc5oCc/NEYu85i4eyK8Y8JMqSFyYVNpH5rVY1IuHhIwW4 +biLSvPhKejtcjGkJZGebm2yA3TuhS5peZRUBh2v0sf+PjblsULrpupSRYAs1IndZ +1/Brrub4BfFihZh/uCN1iq+lWxUG5K1AR4UhrX7s/qq21sIP+hlhsTzwj5WoeSPV +rrYzi7E1v8nP6YsP965PjNFq5yJYKRZdw/QosmElRF4Ar3PP+fROFLfA45LmQpLh +z2P/QZKQ7BaANqtz1ryIZQ +-> :N*xgmZ-grease S 6b.gme t1.-?(l6 +JJi5KPF7Y07dJexK5CNlZVeYnM+DaRUqYjChAQO041COvkfVF1CvwLTYZAsZbw +--- RKQ3nSQxdSjoVBEtg4TrEL30ooOTpyZAXT5TcOM4qWE +zƦ6JRURh/ &5cKG%hpI;.NQq"hq|7nC92/"ɳ&uKʪmCB-Y̫jTkk Kۋ]}ˤiރF}ٟ- 82N}Ȝ(JAd_Hi0T"8}Q$ \ No newline at end of file diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index 79b0d6b..4d09d1e 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -1,8 +1,8 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); - superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "hubrecht") ++ (readPubkeys "mrf"); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); + superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf"); core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU"; systems = [ core-services-01 ]; in 
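Review bot: `superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf");` drops hubrecht, and the re-encrypted `.age` files in this commit correspondingly go from nine recipient stanzas to eight (the `vXYJfA` recipient disappears); removing a recipient only prevents future decryption, it does not undo the fact that the plaintext — the Keycloak database password, the oauth2-proxy key file, the matterbridge webhook secrets — was readable with the removed key. If this is an offboarding rather than a mistake, rotate those values in the services and encrypt the new values, not just the old plaintext. A comment at the top of this file (`# recipients are managed here; removing one requires rotating every secret it could read`) would make that expectation explicit for the next edit.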
@@ -12,7 +12,5 @@ in "droneKeyFile.age".publicKeys = superadmins ++ systems; "dexGiteaClientSecret.age".publicKeys = superadmins ++ systems; "matterbridge.age".publicKeys = superadmins ++ systems; - "snipeItAppKey.age".publicKeys = superadmins ++ systems; - "snipeItOidcClientSecret.age".publicKeys = superadmins ++ systems; } diff --git a/machines/core-services-01/secrets/snipeItAppKey.age b/machines/core-services-01/secrets/snipeItAppKey.age deleted file mode 100644 index cd9bebf..0000000 --- a/machines/core-services-01/secrets/snipeItAppKey.age +++ /dev/null 
@@ -1,28 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa krWCLQ -gBB9yfHVs4Zgm30rbXOkQNZjOuQVFt9Mos4gBoM09M2psLLxWzsoQopWVcvbV+sY -oZAThV5F2E+RbOP2e9+o5P+rxCcJa8aAXovtmH2BZvr87jNi8tebH1l0Gjn0I85C -B+vv2/m1KCzisCR3p6yaqBiqyETacWRCuILVxKbpnKfVX5ymb//9U0tRbz3BIFH1 -i3bAD8j8H4V/5SC5RmYwVeBhdGqEaNX0Qehh8AhDkxoqMT3Xeie93eIK6tyAZuyO -oQezqkUmozq+uvo6PHZvY/auTYb17QTY0s0xf30NnQoqwtVXnyu6xPx+qlj+M99Q -Y/s8SFF+STLrAgK9MN0i8Q --> ssh-ed25519 85WiGg zkLuTpJaBr8T0XjuC9i9NTxYUPhix9nLlShohTtgmyA -QwdgD0ihIpJF8D54x2Lg+6CE2yV9nLBZ1oOf/iwUKi4 --> ssh-ed25519 reTIKw wB2xC902eZiPXXU9n+oQSocx6J9h5IK0jU4GqmB1XUI -awLSPDqOAOM2g7Wrg6uCMeDRVljl2cdZ40gHDON4DCU --> ssh-ed25519 /vwQcQ adFZcuzNWIhLFDhF+FjfnMGTpijt4IKO266M8xpZTHs -WR3ig0R6ZgtYLxhN7bm5SNJ3klYvEkMlLeuC/GBxi0U --> ssh-ed25519 cvTB5g 8Gl7qbc7VZvkjjHesgfgdvtsCntNCxyUU3hwXMaIJUA -uEJwhJJa87+EjpTE/+3jPnNtgFTHNZkah78URULI1nM --> ssh-ed25519 Wu8JLQ buWP/UWAYd7nAAdIqJjkKq2q3Kcj/TtTm9MacGkoMh4 -g9ngALRdWC96t7FLES79gKQNK34WbKHqdw4OCryGx74 --> ssh-ed25519 vXYJfA KT8pRDwADkV4ySKY6HejWKp57aQUWpor7x67x1Sc3wM -th+47fUL5KOak1tEeHslVg9KSxw5DPIO6T/UtfEK6kY --> ssh-ed25519 h6AgbA 8kWKdngdG4RbvQHnkHpygz1fhzMXpGafXltQNa64mAU -hZZTmthndfMdMZiaW0bLxfiySzFgnKmd6t4u1PxLG9s --> ssh-ed25519 lHr4YQ JBCRJtCaEH/Dp2em66/ckqFva6JpyeUAHJidVysAsmw -SGyzp26GIo+D4VQdzJZEBUZYvAhc/SZy6rdd6HXOawY --> 1-grease -niVrY0FwL41sfeE9fB6hg+z0LWMXwce194f+IIL/F8JMIfTnFB0CRAn1OGQ ---- pMIf8bANx+QsRTqnWxPmnJm6DVMmJBEO+emeOdLeeec -.AzJQ[)s!2m  ssh-rsa krWCLQ -LCJxUzS4Be2QQABzubSP5M9Ridg3Srytbb6+SLITgnRqb0fT5XkG7z4ae2lLMVxT -zJxrZX1crlg/nyibZychMwZDqNofGGKX/zSKyF6u42hqjAtaDneg6jB/T690sSpD -LcuTHUcPLw53bww4amLU5FmFcnGWMHTjmXj6oQ5lks3t3KO9izA+gDJO5kFIYgQa -Z0kMrlH21m2TdyGW7Er72qAlT0euwCKlWGGc1NAaSWyu/2gimTHJ4p+KCOpi1D7/ -cIxMEtXHUoS/vtINi1lZypETVZf9C3xfqZGCnu1xTpFcF8pBLskI/Uz4cxQGLAk3 -xd5fKuNVBnLc0Ku+oFR3zA --> ssh-ed25519 85WiGg N5HOphuKLUksJTA29E/KHZAdyvTelqq0Lai3KtsGNi0 -6PilN36eZH8KYzQwqeLPX3wuiW4THuFef+ttoJh0BUo --> ssh-ed25519 reTIKw epotGRShr91lRc2IKDkgfaDd4EhkDtF1jayFv/YW5nE 
-mMFKyzH1q8ZsUXfLnqFfHT88iz/i4WXVVuWqe3z9vx4 --> ssh-ed25519 /vwQcQ DvVlWcbAA/xPTgDtpMmSyC2wxrnOM4H/dC1Vhh5Rmhg -JCq1yS057vqOFKZL11YhC4/rxYIRGAUI0y97Uch4tS4 --> ssh-ed25519 cvTB5g EQ/YM5UYYp3+fS+6u+CwZxUn8Sm8vdqj5xHQf0U0MGc -mVhpObNYWSrAlh8kfADzGnhOw9O2r07v2RJH7DZhFkg --> ssh-ed25519 Wu8JLQ k91dq2XwhgvE2Y75KAJWzFlPLXv+8+kTvH7sELmsViw -gpnxsNgbeuCYBYUt8j3mGm10rOGAoN9NDYVbObE2zXc --> ssh-ed25519 vXYJfA fOpqzkovWF/hLUrsjrDwFUsKG3Pa7LQQ2QTiYWT4Ux0 -AM1EdbC+Sg37PZzXf6vsmeXSMMjXRVQT3mq000cmPw8 --> ssh-ed25519 h6AgbA LWhZtBUJXu15GEIwSyKraXkaO8CO7/TuLSxsnbagQTk -1/It/vtykYe2NzG4r2J53yW+ZS2rgtUVNv8hlWYQnwY --> ssh-ed25519 lHr4YQ zEMhvSZsUOiM+XEpuTljfKE1MqyxqxuL0yuKTj6E1Vc -J/pYqeaTK9NLIhSKeB0CFSFNLkVeV2C5enKVIRy5+Po --> #Oj-grease fdq ltL1r ohAHn[aU QF%DKt -G2xXhW58AunOBXwtl1mD/DqdsHRoyjMvVl310MPWNFSSmLhG/UG7pQf3GUNsfThQ -lCvckvUfcYRen/hrEFhtyg ---- zwJ1Ma9A8rDbUQLAFpDNLs+2Iv6RQvEGlDFj9HVDRRg -;>qg4*b~G+x8 -,5!4:֖\go \ No newline at end of file diff --git a/machines/core-services-01/snipe-it.nix b/machines/core-services-01/snipe-it.nix deleted file mode 100644 index 29f8530..0000000 --- a/machines/core-services-01/snipe-it.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -{ pkgs, config, ... }: -{ - age.secrets.snipeItAppKey = { - owner = config.services.snipe-it.user; - group = config.services.snipe-it.group; - }; - - age.secrets.snipeItOidcClientSecret = { - owner = config.services.snipe-it.user; - group = config.services.snipe-it.group; - }; - - services.snipe-it = { - enable = true; - hostName = "inventory.rz.ens.wtf"; - database.createLocally = true; - appKeyFile = config.age.secrets.snipeItAppKey.path; - - nginx = { - enableACME = true; - forceSSL = true; - }; - - config = { - AUTH_METHOD = "oidc"; - OIDC_NAME = "Keycloak"; - OIDC_DISPLAY_NAME_CLAIMS = "name"; - OIDC_CLIENT_ID = "snipe-it"; - OIDC_CLIENT_SECRET = { _secret = config.age.secrets.snipeItOidcClientSecret.path; }; - OIDC_ISSUER = "https://auth.rz.ens.wtf/auth/realms/ClubReseau"; - OIDC_ISSUER_DISCOVER = true; - }; - }; -} diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index b76e4f7..2738afe 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -10,9 +10,8 @@ let delegateACMEDNSChallenge = acme: { _acme-challenge.CNAME = [ acme ]; }; remoteBuilders = { - nix01 = [ "2001:470:1f13:187:611:4514:d93a:f80a" ]; + nix01 = [ "2001:470:1f13:187:1e07:c670:3958:f8f1" ]; }; - mkProxyRecord = AAAA: { inherit AAAA; A = [ "45.13.104.29" ]; }; dualstack = { A = my.ipv4; AAAA = my.ipv6.standard; 
@@ -39,33 +38,9 @@ dualstack // { auth = dualstack; push = dualstack; tailscale = dualstack; - inventory = dualstack; core01 = dualstack; ns1 = dualstack; - # Non-beta service - # Outline - notion = public-cof-ips; - # S3 API - s3 = public-cof-ips; - # CDN API - cdn = public-cof-ips // { - CAA = [ - { issuerCritical = false; - tag = "issue"; - value = "letsencrypt.org"; - } - { - issuerCritical = false; - tag = "iodef"; - value = "mailto:${my.email}"; - } - ]; - subdomains = { - "*" = public-cof-ips; - } // delegateACMEDNSChallenge "7a9dffd8-f57b-4635-ba79-07f8b0db4fad.acme.rz.ens.wtf."; - }; - builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; gdd = { @@ -82,9 +57,7 @@ dualstack // { beta = public-cof-ips // { subdomains = { - traque = mkProxyRecord [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; nuage = public-cof-ips; - todo = public-cof-ips; minecraft = public-cof-ips; factorio = public-cof-ips; home = public-cof-ips; @@ -97,7 +70,6 @@ dualstack // { }; docs = public-cof-ips; jurisprudens = public-cof-ips; - rstudio = public-cof-ips; }; }; diff --git a/machines/core-services-01/system.nix b/machines/core-services-01/system.nix index 3ab02d1..827bd11 100644 --- a/machines/core-services-01/system.nix +++ b/machines/core-services-01/system.nix @@ -8,7 +8,7 @@ # Auto GC and store optimizations nix = { - settings.trusted-users = [ "root" "gab" ]; + trustedUsers = [ "root" "gab" ]; gc = { automatic = true; dates = "weekly"; diff --git a/machines/core-services-01/tunnels.nix b/machines/core-services-01/tunnels.nix deleted file mode 100644 index a396adc..0000000 --- a/machines/core-services-01/tunnels.nix +++ /dev/null 
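Review bot: `trustedUsers = [ "root" "gab" ];` keeps a non-root account in the Nix daemon's trusted-users list, and a trusted user can override `substituters` and sandbox settings and import unsigned store paths, which is effectively root on a NixOS host; the value is pre-existing, but since the line is being rewritten it should carry `# trusted-users is root-equivalent on the daemon; keep this list minimal`. `trustedUsers` is the pre-22.05 spelling of `nix.settings.trusted-users`, consistent with the other option renames in this commit (`security.acme.email`, `services.gitea.disableRegistration`), so the nixpkgs pinned in krops.nix must stay old enough to know these names. The enclosing `nix` attribute set continues outside the hunk.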
@@ -1,19 +0,0 @@ -{ ... }: { - networking.wireguard.interfaces.wgalpha = { - privateKeyFile = "/etc/secrets/wireguard/wgalpha"; - listenPort = 9999; - - ips = [ - "fdee:a536:13fa:53ab::2/128" - ]; - - peers = [ - { - publicKey = "yAdQRTHn9Yko2r24j8tlxWBz0nYzHRxryPFq8t44Xw4="; - allowedIPs = [ "fdee:a536:13fa:53ab::1/128" ]; - } - ]; - }; - - networking.firewall.allowedUDPPorts = [ 9999 ]; -} diff --git a/machines/pubkeys/hubrecht.keys b/machines/pubkeys/hubrecht.keys deleted file mode 100644 index 07fbe76..0000000 --- a/machines/pubkeys/hubrecht.keys +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv3iSpIjeUVDf+f89Hb/L++vzMX15Ti/PZTjAAG+tFl diff --git a/machines/pubkeys/remote-builders.keys b/machines/pubkeys/remote-builders.keys deleted file mode 100644 index b1b7645..0000000 --- a/machines/pubkeys/remote-builders.keys +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ Raito's remote builder key diff --git a/machines/pubkeys/sinavir.keys b/machines/pubkeys/sinavir.keys deleted file mode 100644 index 471d054..0000000 --- a/machines/pubkeys/sinavir.keys +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o diff --git a/machines/public-cof/acme.nix b/machines/public-cof/acme.nix index 9e03a21..3911368 100644 --- a/machines/public-cof/acme.nix +++ b/machines/public-cof/acme.nix @@ -1,5 +1,5 @@ { ... }: { security.acme.acceptTerms = true; - security.acme.defaults.email = "club-reseau@lists.ens.psl.eu"; + security.acme.email = "club-reseau@lists.ens.psl.eu"; } diff --git a/machines/public-cof/_configuration.nix b/machines/public-cof/configuration.nix similarity index 78% rename from machines/public-cof/_configuration.nix rename to machines/public-cof/configuration.nix index a831791..b47cf2c 100644 --- a/machines/public-cof/_configuration.nix +++ b/machines/public-cof/configuration.nix 
@@ -3,32 +3,26 @@ { imports = [ + ./hardware-configuration.nix ./programs.nix ./system.nix ./acme.nix ./networking.nix ./monitoring.nix - ./garage.nix ./nextcloud.nix - ./outline.nix - ./lychee.nix ./minecraft.nix - # ./rstudio-server ./nur.nix # ./factorio.nix # TODO ./nginx.nix # ./cryptpad.nix ./hedgedoc.nix - # ./kanboard.nix ./secrets - ./v6proxy # TODO monitoring ]; nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "minecraft-server" "factorio-headless" - "outline" ]; boot.loader.systemd-boot.enable = true; @@ -48,5 +42,13 @@ enableSSHSupport = true; }; + # Enable the OpenSSH daemon. + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ./pubkeys/gdd.keys + ./pubkeys/raito.keys + ./pubkeys/mrf.keys + ]; + system.stateVersion = "21.05"; } diff --git a/machines/public-cof/garage.nix b/machines/public-cof/garage.nix deleted file mode 100644 index e2a1321..0000000 --- a/machines/public-cof/garage.nix +++ /dev/null 
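Review bot: The added `services.openssh.enable = true;` plus root `authorizedKeys.keyFiles` relies on NixOS sshd defaults for everything else, and those leave password authentication enabled (with `PermitRootLogin` at prohibit-password); since root is the only account being given keys here, password logins serve no purpose and should be switched off explicitly, `services.openssh.passwordAuthentication = false;` on pre-23.05 channels or `services.openssh.settings.PasswordAuthentication = false;` afterwards, and keyboard-interactive authentication likewise. The key list is also an access change: compared with the admins of the deleted meta/nodes.nix, `hubrecht` and `sinavir` lose root on public-cof (their key files are removed elsewhere in this diff), which is worth stating in the commit message if intended. The enclosing attribute set begins outside this hunk.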
@@ -1,47 +0,0 @@ -{ pkgs, ... }: -{ - security.acme.certs."cdn.rz.ens.wtf" = { - dnsProvider = "acme-dns"; - credentialsFile = pkgs.writeText "acme-dns-env" '' - ACME_DNS_API_BASE=https://acme.rz.ens.wtf - ACME_DNS_STORAGE_PATH=/var/lib/acme/lego-acme-dns-accounts.json - ''; - extraDomainNames = [ "*.cdn.rz.ens.wtf" ]; - group = "nginx"; - }; - services.nginx.virtualHosts."s3.rz.ens.wtf" = { - enableACME = true; - forceSSL = true; - locations."/".proxyPass = "http://[::1]:3900"; - }; - services.nginx.virtualHosts."cdn.rz.ens.wtf" = { - serverAliases = [ "*.cdn.rz.ens.wtf" ]; - useACMEHost = "cdn.rz.ens.wtf"; - forceSSL = true; - locations."/".proxyPass = "http://[::1]:3902"; - }; - services.garage = { - enable = true; - package = pkgs.garage_0_8; - settings = { - replication_mode = "none"; - compression_level = 7; - - rpc_bind_addr = "10.1.1.21:3901"; - rpc_public_addr = "10.1.1.21:3901"; - rpc_secret = "76c2746530a4a27d188530a6bbf6c4613ccb8d8f129863d8c21462b84d5b998f"; - - s3_api = { - s3_region = "ens"; - api_bind_addr = "[::]:3900"; - root_domain = ".s3.rz.ens.wtf"; - }; - - s3_web = { - bind_addr = "[::]:3902"; - root_domain = ".cdn.rz.ens.wtf"; - index = "index.html"; - }; - }; - }; -} diff --git a/machines/public-cof/_hardware-configuration.nix b/machines/public-cof/hardware-configuration.nix similarity index 100% rename from machines/public-cof/_hardware-configuration.nix rename to machines/public-cof/hardware-configuration.nix diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index 23c8782..258973f 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -5,11 +5,11 @@ in { services.hedgedoc = { enable = true; - settings = { + configuration = { protocolUseSSL = true; # scp =; # TODO domain = "docs.beta.rz.ens.wtf"; - host = "127.0.0.1"; + host = "localhost"; port = port; db = { dialect = "sqlite"; 
@@ -25,11 +25,13 @@ in enableACME = true; locations = { "/" = { - proxyPass = "http://127.0.0.1:${toString port}"; + proxyPass = "http://localhost:${toString port}"; proxyWebsockets = true; }; }; }; }; }; + + networking.firewall.allowedTCPPorts = [ 433 80 ]; } diff --git a/machines/public-cof/kanboard-config.php b/machines/public-cof/kanboard-config.php deleted file mode 100644 index 6268892..0000000 --- a/machines/public-cof/kanboard-config.php +++ /dev/null @@ -1,281 +0,0 @@ - $out/$f - tail -n+2 ${package}/share/kanboard/$f \ - | sed 's^__DIR__^"${package}/share/kanboard"^' >> $out/$f - done - ln -s /var/lib/kanboard $out/data - ln -s ${pluginsDirectory} $out/plugins - ln -s ${kanboardConfig} $out/config.php - '') - { outPath = "${package}/share/kanboard"; meta.priority = 10; } - ]; - }; - locations = { - "/".index = "index.php"; - "~ \\.php$" = { - tryFiles = "$uri =404"; - extraConfig = '' - fastcgi_pass unix:${config.services.phpfpm.pools.kanboard.socket}; - ''; - }; - }; - }; - }; -} diff --git a/machines/public-cof/lychee.nix b/machines/public-cof/lychee.nix deleted file mode 100644 index 137cd32..0000000 --- a/machines/public-cof/lychee.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ config, pkgs, ... }: { - services.lychee = { - enable = true; - package = pkgs.rz.lychee-gallery; - forceSSL = true; - enableACME = true; - website = "photos.ens.wtf"; - settings.APP_URL = "https://${config.services.lychee.website}"; - }; - services.phpfpm.pools."photos.ens.wtf".settings = { - pm = "dynamic"; - "pm.max_children" = 10; - "pm.start_servers" = 3; - "pm.min_spare_servers" = 1; - "pm.max_spare_servers" = 3; - }; -} diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 876754a..c56701f 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix 
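Review bot: `433` in the added `networking.firewall.allowedTCPPorts = [ 433 80 ];` looks like a typo for 443: the vhost directly above sets `forceSSL`/`enableACME`, so HTTPS must be reachable, and nothing in this file listens on 433. Unless something else is intended, change it to `networking.firewall.allowedTCPPorts = [ 443 80 ];`. This is also a per-service file opening host-wide ports that networking.nix already manages (`firewall.allowedTCPPorts = [ 22 ]`); keeping all openings in one place makes the exposed surface easier to audit. The `host = "localhost"` change in the previous hunk can resolve to either ::1 or 127.0.0.1 depending on the resolver, so if hedgedoc binds one family while nginx resolves the other the proxy gets refused connections; a literal loopback address on both sides is the unambiguous form.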
@@ -2,9 +2,9 @@ let papermc = { ram = 4; # In GB - version = "1.19.2"; - build = 200; - sha256 = "sha256-fhQ1Kukp0MDF0312y/DR3wS9wKXY2aKUyU5f64ELylM="; + version = "1.18.2"; + build = 270; + sha256 = "M3/z7lgHVDG+WqxPvyrxvfobEvkkPf90bDoN/Dq+VZY="; }; port = 25565; rconPort = 25575; @@ -42,15 +42,6 @@ in Sup3Legacy = "575ecb9f-bf28-46cb-bc50-cb6bb340c905"; Pollux3737 = "ffa65818-b022-4830-aa90-7f3211c8ee3d"; CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849"; - clem197 = "7461bfdf-4dca-44c2-b035-b49d5740dfc5"; - Clashis = "499fdd85-bbcb-446f-9611-8b6bb9bf6965"; - skidijo = "6a72a1f4-7448-4fb7-a252-b6d5ceff2d43"; - Tifendyll = "5dc1acf3-b214-4607-a3bd-924665e07c67"; - OknShield = "ef12e9cd-121f-4b39-886e-89b5b4bc5f4f"; - Allygon = "964a2ee3-3a0d-49c1-b8e9-60b5e69976d3"; - CheesyBiggy = "574daaed-ce9a-4b33-a3af-055e39bc32dc"; - H3raklio = "576969d4-94e7-49db-ba7e-e9e57ff5a75e"; - thejohncrafter = "d3959974-3a05-4ab2-8acb-d8817c140d84"; }; serverProperties = { diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 39d232f..ff648e5 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix 
@@ -1,38 +1,41 @@ { lib, ... }: - -{ +let mkAddress = addr: let + splitted = lib.splitString "/" addr; + elemAt = builtins.elemAt splitted; + in + { address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); }; +in { networking = { hostName = "public-cof"; - useNetworkd = true; + # Default IPv4 exit route + defaultGateway = { + address = ""; + interface = "ens20"; + }; + localCommands = "ip route add default dev ens20 metric 10"; - firewall = { enable = true; allowedTCPPorts = [ 22 ]; }; + useDHCP = false; + interfaces.ens18 = { + useDHCP = true; + ipv6.addresses = [{ + address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; + prefixLength = 64; + }]; + }; + interfaces.ens19 = { + useDHCP = false; + ipv4.addresses = [{ + address = "10.1.1.21"; + prefixLength = 22; + }]; + }; + + interfaces.ens20 = { + ipv4.addresses = map mkAddress [ "45.13.104.27/32" ]; + }; + + firewall.allowedTCPPorts = [ 22 ]; + firewall.enable = true; }; - - systemd.network.networks = { - "10-ens18" = { - name = "ens18"; - address = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5/64" ]; - - DHCP = "ipv4"; - - dhcpV4Config.RouteMetric = 10; - }; - - "10-ens19" = { - name = "ens19"; - address = [ "10.1.1.21/22" ]; - - DHCP = "ipv4"; - }; - - "10-ens20" = { - name = "ens20"; - address = [ "45.13.104.27/32" "45.13.104.29/32" ]; - - DHCP = "ipv4"; - }; - }; - - services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]; } diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index badd243..b243afb 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,7 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud26; + package = pkgs.nextcloud23; config = { overwriteProtocol = "https"; diff --git a/machines/public-cof/nginx.nix b/machines/public-cof/nginx.nix index 2d5cf61..9f62800 100644 --- a/machines/public-cof/nginx.nix +++ b/machines/public-cof/nginx.nix 
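Review bot: `defaultGateway = { address = ""; interface = "ens20"; }` gives the gateway an empty address and then relies on `localCommands = "ip route add default dev ens20 metric 10"` to install an on-link default route; whether the scripted-networking unit tolerates an empty `address` depends on the release, and `localCommands` is a one-shot with no idempotency, so a re-run or an interface flap can leave the box without its IPv4 default route. If ens20 really is a point-to-point link, the supported form is a `networking.interfaces.ens20.ipv4.routes` entry such as `{ address = "0.0.0.0"; prefixLength = 0; options.metric = "10"; }` with `defaultGateway` left unset. The hunk also drops `services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]`, so nginx now binds every address including the internal `10.1.1.21` and whatever DHCP assigns on ens18; the firewall still limits exposure, but that removal should be deliberate. `mkAddress` is only ever applied to one literal, so a plain `{ address = "45.13.104.27"; prefixLength = 32; }` would be simpler than the split helper.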
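Review bot: `package = pkgs.nextcloud23;` moves an already-deployed instance back from Nextcloud 26 to 23, which Nextcloud does not support: the database and data directory have been migrated forward by 26 and the older release refuses to start against them, and as far as I know Nextcloud 23 is past end of life and no longer shipped by current nixpkgs. If this is part of a deliberate rollback to an older channel, the instance state has to be restored from a pre-upgrade backup alongside it; otherwise keep the package at the version the target channel still maintains. A comment stating which channel the pin tracks (`# must match the nextcloud major already deployed in /var/lib/nextcloud`) would stop the next person moving it blindly.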
@@ -29,15 +29,14 @@ in recommendedTlsSettings = true; virtualHosts = { -# FIXME: factorize and remove it, it has been superseded by eleves.ens.fr/calendrier -# "home.beta.rz.ens.wtf" = { -# serverAliases = [ "beta.rz.ens.wtf" ]; -# default = true; -# forceSSL = true; -# enableACME = true; -# root = "/var/public-cof/home"; -# locations = builtins.listToAttrs (map mkCloudLocation clouds); -# }; + "home.beta.rz.ens.wtf" = { + serverAliases = [ "beta.rz.ens.wtf" ]; + default = true; + forceSSL = true; + enableACME = true; + root = "/var/public-cof/home"; + locations = builtins.listToAttrs (map mkCloudLocation clouds); + }; }; }; diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json index 4043d80..a6531e2 100644 --- a/machines/public-cof/nix/sources.json +++ b/machines/public-cof/nix/sources.json @@ -14,7 +14,7 @@ "klubrz-nur": { "branch": "main", "repo": "https://git.rz.ens.wtf/Klub-RZ/nur", - "rev": "bb95bbed09ccb2ae5ab5a8e02537c4c28c46d27e", + "rev": "98911e21fd58f00440dc8a5bd6568f2a349338bd", "type": "git" }, "niv": { @@ -29,18 +29,6 @@ "url": "https://github.com/nmattia/niv/archive/e0ca65c81a2d7a4d82a189f1e23a48d59ad42070.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, - "nixexprs": { - "branch": "master", - "description": "All my Nix expressions", - "homepage": null, - "owner": "RaitoBezarius", - "repo": "nixexprs", - "rev": "5fd6966844be775a272e932375d7982275ba2300", - "sha256": "1l5zgdgqbn7apw2ngqzid0sqrklx0rnj8sjid4ykx9156kdqjan5", - "type": "tarball", - "url": "https://github.com/RaitoBezarius/nixexprs/archive/5fd6966844be775a272e932375d7982275ba2300.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - }, "raito-nur": { "branch": "master", "description": "All my Nix expressions", diff --git a/machines/public-cof/nix/sources.nix b/machines/public-cof/nix/sources.nix index 9a01c8a..1938409 100644 --- a/machines/public-cof/nix/sources.nix +++ b/machines/public-cof/nix/sources.nix 
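Review bot: The vhost re-enabled here is the one the removed `FIXME` said had been superseded by eleves.ens.fr/calendrier, so this hunk resurrects a site the previous author marked dead; if it is wanted again, replace the old FIXME with a comment giving the reason (`# kept on purpose: <reason>`), otherwise drop the block. It is also the `default = true` catch-all, so any request with an unknown Host header on this machine is served from `/var/public-cof/home`; that is fine for a static landing page as long as that directory holds nothing that should not be public. The enclosing `virtualHosts` set continues outside this hunk.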
@@ -31,28 +31,8 @@ let if spec ? branch then "refs/heads/${spec.branch}" else if spec ? tag then "refs/tags/${spec.tag}" else abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; - submodules = if spec ? submodules then spec.submodules else false; - submoduleArg = - let - nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0; - emptyArgWithWarning = - if submodules == true - then - builtins.trace - ( - "The niv input \"${name}\" uses submodules " - + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " - + "does not support them" - ) - {} - else {}; - in - if nixSupportsSubmodules - then { inherit submodules; } - else emptyArgWithWarning; in - builtins.fetchGit - ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg); + builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; fetch_local = spec: spec.path; diff --git a/machines/public-cof/nur.nix b/machines/public-cof/nur.nix index ad4a2e5..7ca9d89 100644 --- a/machines/public-cof/nur.nix +++ b/machines/public-cof/nur.nix @@ -3,17 +3,14 @@ let nivSources = import ./nix/sources.nix; rz-src = nivSources.klubrz-nur; rz-no-pkgs = (import nivSources.klubrz-nur {}); - raitobezarius-src = nivSources.nixexprs; - raitobezarius-no-pkgs = (import raitobezarius-src {}); in { nixpkgs.config.packageOverrides = { - rz = import rz-src { inherit pkgs; }; + # rz = import rz-src { inherit pkgs; }; }; imports = [ "${nivSources.agenix}/modules/age.nix" - raitobezarius-no-pkgs.modules.sniproxy ] ++ lib.attrValues rz-no-pkgs.modules; nixpkgs.overlays = []; diff --git a/machines/public-cof/outline.nix b/machines/public-cof/outline.nix deleted file mode 100644 index aef8e12..0000000 --- a/machines/public-cof/outline.nix +++ /dev/null 
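Review bot: Commenting out `rz = import rz-src { inherit pkgs; };` leaves `rz-src` bound but unused and a dead line inside the attribute set; either delete the binding together with the comment or restore the override. Any remaining `pkgs.rz.*` reference in the tree will now fail to evaluate — lychee.nix, the only user visible in this diff, is deleted, so that is probably fine but worth an evaluation before deploying. The sources.nix hunk above strips niv's submodule handling from a generated file; the next `niv update` will regenerate it, so edits there do not stick.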
@@ -1,31 +0,0 @@ -{ pkgs, lib, config, ... }: -{ - services.nginx.virtualHosts."notion.rz.ens.wtf" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://localhost:3000"; - proxyWebsockets = true; - }; - }; - services.outline = { - enable = true; - publicUrl = "https://notion.rz.ens.wtf"; - defaultLanguage = "fr_FR"; - storage = { - accessKey = "GK8b32d276b2eafb999a53188a"; - secretKeyFile = config.age.secrets.outlineS3Secrets.path; - uploadBucketUrl = "https://s3.rz.ens.wtf"; - uploadBucketName = "outline"; - region = "ens"; - }; - oidcAuthentication = { - userinfoUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/userinfo"; - tokenUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/token"; - authUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/auth"; - clientSecretFile = config.age.secrets.outline-oidc-client-secret.path; - displayName = "Club réseau"; - clientId = "outline"; - }; - }; -} diff --git a/machines/pubkeys/gdd.keys b/machines/public-cof/pubkeys/gdd.keys similarity index 100% rename from machines/pubkeys/gdd.keys rename to machines/public-cof/pubkeys/gdd.keys diff --git a/machines/pubkeys/mrf.keys b/machines/public-cof/pubkeys/mrf.keys similarity index 100% rename from machines/pubkeys/mrf.keys rename to machines/public-cof/pubkeys/mrf.keys diff --git a/machines/pubkeys/raito.keys b/machines/public-cof/pubkeys/raito.keys similarity index 100% rename from machines/pubkeys/raito.keys rename to machines/public-cof/pubkeys/raito.keys diff --git a/machines/public-cof/rstudio-server/default.nix b/machines/public-cof/rstudio-server/default.nix deleted file mode 100644 index 3a73a6a..0000000 --- a/machines/public-cof/rstudio-server/default.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -{ pkgs, ... }: -let - port = 19000; -in -{ - services.rstudio-server = { - enable = true; - rserverExtraConfig = '' - www-port = ${toString port} - ''; - - package = pkgs.rstudioServerWrapper.override { - packages = with pkgs.rPackages; [ - ggplot2 - rmarkdown - dplyr - ]; - }; - }; - - users.users.ruser = { - isNormalUser = true; - hashedPassword = "$6$pTXXVh8NfE.M8VPc$q0fFh3Y7Y0DauLCcZLgJzFciq1wkjoHmO61XpOrZLH3a1M32ZzOMbjx2XMm2QxrUncbx6hGerY/lD8rQ8InS4."; - }; - - services.nginx.virtualHosts."rstudio.beta.rz.ens.wtf" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://localhost:${toString port}"; - proxyWebsockets = true; - }; - }; -} diff --git a/machines/public-cof/secrets/default.nix b/machines/public-cof/secrets/default.nix index dce31c2..a7cd5ea 100644 --- a/machines/public-cof/secrets/default.nix +++ b/machines/public-cof/secrets/default.nix @@ -10,22 +10,4 @@ group = "nextcloud"; file = ./nextcloudDatabasePasswordFile.age; }; - - age.secrets.kanboard-secrets = { - owner = "kanboard"; - group = "kanboard"; - file = ./kanboard-secrets.age; - }; - - age.secrets.outlineS3Secrets = { - owner = "outline"; - group = "outline"; - file = ./outlineS3Secrets.age; - }; - - age.secrets.outline-oidc-client-secret = { - owner = "outline"; - group = "outline"; - file = ./outline-oidc-client-secret.age; - }; } diff --git a/machines/public-cof/secrets/kanboard-secrets.age b/machines/public-cof/secrets/kanboard-secrets.age deleted file mode 100644 index 5bc708c..0000000 --- a/machines/public-cof/secrets/kanboard-secrets.age +++ /dev/null 
@@ -1,25 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa krWCLQ -jsay8IXK6RjVULRqpfvgHOr8H3ALxQyJ3BQIkmSfRrLlJXDbYWUKBCztXc7whfb/ -XTc3Sa5bybIXXX3wLzYmxCYjUa1CoHgIb1UWAhM3KyTJ4XSw7pVti29VM5p74+ex -tJeb44hXlkD7V7C2yYp6CcBH1IgnvEL8ulVopkis/TBQtWi6QaGJBPX2yxEJ3QDh -uAn5czrrDenBZRsIYTaKrlbgCM/Oeh4mDFSaFKIqfX2g7ClbsC1ejF3PvbsXN6il -pk2YSZ/F5ivNBkvWFmQrNJyLjkcIrxoFvzcXOTk8yM9iu4BFlPbX7NcAMrHpbSIR -3ew59I0cGkbzRAtLI9p97w --> ssh-ed25519 85WiGg XQK2huU0kqkKbVYf6SJFqcumOL8zDPfOuGwNy78dJm4 -aP8CNgS1/wfv2RB7nXZqYnZaXDORk9I5lPZy87FVmRY --> ssh-ed25519 reTIKw jZ57SfMYyOr9P9eNK/Q2CMAWtYtfjyV/MaTVnqEHxkU -ycPo/pwC9CtYWAcrclo1b26+mPU4Z6pCPecGPMmL3ag --> ssh-ed25519 /vwQcQ v5bvHTvld6WErGt+Vp0mivpFH5srQPHkbPd0Nk3IDy0 -27+ZreTwyaxtb5vrRpD/2C2MUT9onRcX4Yr7KHnTGOo --> ssh-ed25519 cvTB5g gKxECDYMSja0FTqteAk39iMDsNIM+ox31sIvnY2ityk -pkUZgDWdAzuGCvuRhOE8oeazIRw+kpPhnkksF2zTjxA --> ssh-ed25519 Wu8JLQ lMgIKw3Qzg/Lw6UtpPZWDrE0WBc71meaprrnmARqDDM -FN/S9xo22u4kMWqrPD3KmfLbDq8L0TxtfDUSBLVq+Tk --> ssh-ed25519 xbfJnw emSflhzdsItaXULjPXre8jlnXxJuXFAaoLWGVAAej1I -4OS68AuzPr+zwp9Bqb4lYGJHjPwPMSXuprw7+8agOyU --> Wd-grease -pdSa/JP70fd6VvSgpIJQAk8ZiZfKo8l7UpVwBib59SB9IRNVZdSbHINFUzuIozGu -Z7dyg+x6QQ ---- TjceHicjeIIKz0f7R5u7nLrCtb39MmS/vEK3w0xHbmw -QZ`?Zv~^$ct2ԓy3.+KF2OC_$]y~l%0_ ܻ REM4Hİ{r$ެ*1\2FڬBLAK!&C׋_.Om3͕hδV< z$'-s'J \ No newline at end of file diff --git a/machines/public-cof/secrets/outline-oidc-client-secret.age b/machines/public-cof/secrets/outline-oidc-client-secret.age deleted file mode 100644 index d73537f..0000000 --- a/machines/public-cof/secrets/outline-oidc-client-secret.age +++ /dev/null 
@@ -1,26 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa krWCLQ -HeTVcJxU2zRewuzQVknnxAYjlCU8+GJjBz9joGPo2j934uiM3A6PBsFmoz6I1ZfJ -pg68benaKfV+VI1sN8fMDWoEO0QrFzHYULXT9JCyQTClUzUZSlMpzmDgCmHjLPEc -qB23sbwKzgyFO9SKHsPvOqxZrEyTwAKiNYa33QuSyRxN3S4/9PxVjgJTTqLbTVqf -hhnujxviU3iHV2ACqLAV5jYSbAleiAh53vnBc0k326vXbrumQqFvQtgwcqDn4vDR -2QYzEwsj+yV9BlRrGSBZSnoHZjWtsE/ntrEaIZiItT3Ots1CCVswd7LGb3LspYbf -NheRvY7zUXppGiB0+mjZJg --> ssh-ed25519 85WiGg tGvDzYdpKP8lql3murRlp95w7jQUhhuodIgVxDk4Lgs -aVV4b71w/nU3nBaYKdzzYjXVaxgN2EpyQiKsjO33GcI --> ssh-ed25519 reTIKw LJJF7K8fRsSoAFDyndWP9nA5FV4w7cWSqUgGnvdB42I -wI22cL/GuyVou1robDUHzNMfCR7L6NA4UWFSeV73d88 --> ssh-ed25519 /vwQcQ KZQSME50r4yrnyFfH6nwbmCn0UmVUMIBhhfqoicrKVY -xDdBu7/K8ZxGT2BnffAR8UsQIAVlLpSfEvo1m4k87ng --> ssh-ed25519 cvTB5g HjLQQhFwEekFYHV5sko/x8RwcAsgvl/cCoKakX4B6yE -Ub5TWpDPYA3DSwfRT2hmgPcwoMIhsOhgdhckFuZxQ8s --> ssh-ed25519 Wu8JLQ L0bnDPmv3Chemi/BKhux9GYXDMMLUjO6H8MQe1REpBA -qtN6IH8M8kLYAQ8a64kYCCaAPhg6VjrojTONdY4MVyA --> ssh-ed25519 xbfJnw 94xx8KL0EWqs3HIsdY9RFvC6aRsk7cemZxciLIkVCDM -WZnyqSwpCBA8GNnu6VEJSLIRtv8rzOpGFH6e387ohpQ --> TS-grease -D32P8/tpegDSy/xsspwpuq8EVqwDyZUzJF2Ose+3cqHAx8db4DPWnmt4z4Ch5bXw -KtmO+2eEYTmPyYUZxI+uzr93CQhVq7aFlch6cWLEaqg ---- 6kPR6tdczt01UaY4ps38dncSMFCupa9uZmSWBjm85ps -Ln4Kz>(ن=fʷPG ssh-rsa krWCLQ -nxiY5l98JhWEwLYN7sWtsgN4faDTIpgo1fiPScxXB8/ljnxIyd1vhMVRt0WCTOQV -CFTQ9MOoTAk90Zj4wjxDjoJjjsXLUBVnjqLdQy76kgR5vAvVrHzuYTYO4Y4k0/qh -S6BEFN655P0n4Gxf9kJtKxi3ipN6B46ydACAjFeyeuOPMkMdBBZq1BOLPEOC9I+O -87p+8BdL+zxkYfaWfEggYgabrE7y91EjiB1VCuT0GFm8T8iBojvThxWQlHQAybBc -gvgTlyGf8YmY82uGhGQR39okrA914mJUkr11JZ9457qL+/t5Au/dha1x6QlwcUoz -Tp5OQJAfXZc02LsICq2I7A --> ssh-ed25519 85WiGg c6vyT96h0eVL+xZpR0Zk06l5ApUsqENY9ESeYuOG0zY -dJbQVgH41Ti/AM7WAlXCCA501h8wgx2os5yiZt+jxp8 --> ssh-ed25519 reTIKw rVhKDqm51EMuOQnTcsdWmqoBDI/LLnFpkJW93EfcdB0 -AAOEQp0tux1vJ0bPIcB1HtLodig/J4poeu6j/Hk8KiA --> ssh-ed25519 /vwQcQ jGLr83VDSxYd3v42ECOiTpSTDRB5TVSqx3QHRbMgfEk -k2hBCGntsqP0czKV2JvMbf8lAqpjVvnJqSxfdr00A7w --> ssh-ed25519 
cvTB5g BqVT8ytcjINNKrGAtttAtxRMpLs4LJg1Uy3zvDxTvwk -DRDEl+CNZnuT+KE1txjHgaWIYmiSeUTsesnXYq89YNQ --> ssh-ed25519 Wu8JLQ 731ytp+gu36OvH0QbkeDUwMHj3J4u0JujJnfTUQ2C1A -KPGEKLoV9K1PPdIyla5D1lsmhRt/XUHLrCTeApbqR6c --> ssh-ed25519 xbfJnw Ojf4cuctALx+Q/qWqSarRcnxvwrHjbAK5r4pnhKUzmo -WHp4Op3N3SeniWS7XhPmvRkTyjDIPDBBGviDaiCNbOc --> 3P-h|3ru-grease -5icFsPwzKpnImSlgICy/wDq6YJLTcIML3EoDUOgvGOFSs+efH4bWExmd2ktGtqYd -ewEKHYlnpIFNTMtlRs7U7sR3qnLHadq3McnhR/8OlQ ---- iwVp/AYpQfFOIg/OI85nNTgdY/HKlEsCHWiBO0lOtJg -Z=eBb[3$k(2x%0+18T,;Fլ"EKeZ*$}Cpo9+|CJ- \ No newline at end of file diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index d48cb63..4fe0e66 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -1,16 +1,13 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); - superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "hubrecht"); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); + superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; systems = [ public-cof ]; in { "nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems; "nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems; - "kanboard-secrets.age".publicKeys = superadmins ++ systems; - "outlineS3Secrets.age".publicKeys = superadmins ++ systems; - "outline-oidc-client-secret.age".publicKeys = superadmins ++ systems; } diff --git a/machines/public-cof/system.nix b/machines/public-cof/system.nix index b3a1d4c..997dbdd 100644 --- a/machines/public-cof/system.nix +++ b/machines/public-cof/system.nix 
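Review bot: `superadmins` now drops `hubrecht`, but removing a recipient from secrets.nix does not re-encrypt anything by itself: the two `.age` files that remain were encrypted for the previous recipient set and stay readable by that key until `agenix -r` is run with the new list, and every deleted `.age` file and key file is still in git history. The same applies to the plaintext values removed elsewhere in this diff — the garage `rpc_secret`, the outline S3 `accessKey`, the rstudio `hashedPassword` — which deletion does not revoke; rotate them on whatever services still exist. A reminder next to the list (`# after editing recipients: agenix -r`) would make the rekey step harder to forget.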
@@ -8,7 +8,7 @@ # Auto GC and store optimizations nix = { - settings.trusted-users = [ "root" ]; + trustedUsers = [ "root" ]; gc = { automatic = true; dates = "weekly"; diff --git a/machines/public-cof/v6proxy/default.nix b/machines/public-cof/v6proxy/default.nix deleted file mode 100644 index e4f11d9..0000000 --- a/machines/public-cof/v6proxy/default.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ ... }: -let - proxyIPv4 = "45.13.104.29"; -in -{ - networking.firewall.allowedTCPPorts = [ 443 ]; - - services.sniproxy = { - enable = true; - - resolver = { - mode = "ipv6_first"; - }; - - listeners = [ - { - address = "${proxyIPv4}:443"; - table = "vhosts"; - fallback = null; - } - ]; - - tables.vhosts = [ - { - match = "traque.beta.rz.ens.wtf"; - dest = "traque.beta.rz.ens.wtf"; - } - ]; - }; -} diff --git a/machines/remote-builder-01/_hardware-configuration.nix b/machines/remote-builder-01/_hardware-configuration.nix deleted file mode 100644 index b68c73b..0000000 --- a/machines/remote-builder-01/_hardware-configuration.nix +++ /dev/null @@ -1,27 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - - boot.initrd.availableKernelModules = - [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "rpool/root/nixos"; - fsType = "zfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/4BC6-A750"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - -} 
diff --git a/machines/remote-builder-01/_configuration.nix b/machines/remote-builder-01/configuration.nix similarity index 54% rename from machines/remote-builder-01/_configuration.nix rename to machines/remote-builder-01/configuration.nix index d5906a8..1c6245b 100644 --- a/machines/remote-builder-01/_configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -1,10 +1,13 @@ { config, pkgs, ... }: { - imports = [ - ./system.nix - # TODO monitoring - ]; + imports = + [ + ./hardware-configuration.nix + ./programs.nix + ./system.nix + # TODO monitoring + ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; @@ -23,14 +26,11 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.ens18 = { - useDHCP = true; - ipv6.addresses = [{ - address = "2001:470:1f13:187:611:4514:d93a:f80a"; - prefixLength = 64; - }]; - }; - networking.interfaces.ens19.useDHCP = true; + networking.interfaces.ens18.useDHCP = true; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; @@ -40,9 +40,11 @@ }; # List packages installed in system profile. To search, run: - environment.systemPackages = with pkgs; [ vim wget kitty.terminfo git ]; - - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + wget + ]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. 
@@ -52,17 +54,31 @@ enableSSHSupport = true; }; - programs.mosh.enable = true; - # List services that you want to enable: services.zfs.autoScrub.enable = true; + # Enable the OpenSSH daemon. + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ./pubkeys/gdd.keys + ./pubkeys/raito.keys + ./pubkeys/remote-builders.keys + ]; + # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. networking.firewall.enable = false; - system.stateVersion = "21.05"; + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "21.05"; # Did you read the comment? + } + diff --git a/machines/remote-builder-01/hardware-configuration.nix b/machines/remote-builder-01/hardware-configuration.nix new file mode 100644 index 0000000..f80b2c7 --- /dev/null +++ b/machines/remote-builder-01/hardware-configuration.nix 
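Review bot: `users.users.root.openssh.authorizedKeys.keyFiles` now includes `./pubkeys/remote-builders.keys`, which the deleted `machines/pubkeys/remote-builders.keys` labels as a remote builder key; that gives the build client full root on this host, whereas a remote builder only needs an unprivileged account that the daemon trusts (a dedicated `isNormalUser` account with that key in its own `authorizedKeys.keyFiles`, and its name added to the trusted-users list in system.nix). Combined with the unchanged `networking.firewall.enable = false;` and default sshd settings that leave password authentication on, this host should also set `services.openssh.passwordAuthentication = false;` (or `settings.PasswordAuthentication` on newer channels). The enclosing attribute set begins outside this hunk.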
@@ -0,0 +1,35 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "rpool/root/nixos"; + fsType = "zfs"; + }; + + fileSystems."/home" = + { device = "rpool/home"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/3341-A3B9"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/1f624fe3-1fc5-44f4-9529-812558ffba42"; } + ]; + +} diff --git a/machines/remote-builder-01/programs.nix b/machines/remote-builder-01/programs.nix new file mode 100644 index 0000000..e7e4afc --- /dev/null +++ b/machines/remote-builder-01/programs.nix @@ -0,0 +1,24 @@ +{ pkgs, ... }: +let pkgsList = with pkgs; [ + nix-prefetch-git + dnsutils + + unzip + zip + ripgrep + + niv + nixfmt + ]; +in +{ + imports = [ + ./vim.nix + ]; + programs = { + tmux.enable = true; + mosh.enable = true; + }; + + environment.systemPackages = pkgsList; +} diff --git a/machines/remote-builder-01/pubkeys/gdd.keys b/machines/remote-builder-01/pubkeys/gdd.keys new file mode 100644 index 0000000..b5d4e40 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/gdd.keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ diff --git a/machines/pubkeys/hackens-milieu.keys b/machines/remote-builder-01/pubkeys/hackens-milieu.keys similarity index 100% rename from machines/pubkeys/hackens-milieu.keys rename to machines/remote-builder-01/pubkeys/hackens-milieu.keys 
diff --git a/machines/remote-builder-01/pubkeys/raito.keys b/machines/remote-builder-01/pubkeys/raito.keys new file mode 100644 index 0000000..0f48a59 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/raito.keys @@ -0,0 +1,4 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr diff --git a/keys/remote-builders.keys b/machines/remote-builder-01/pubkeys/remote-builders.keys similarity index 100% rename from keys/remote-builders.keys rename to machines/remote-builder-01/pubkeys/remote-builders.keys diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix index 81732ab..f2c68d1 100644 --- a/machines/remote-builder-01/system.nix +++ b/machines/remote-builder-01/system.nix @@ -1,7 +1,14 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ + # # Auto upgrades + # system.autoUpgrade = { + # enable = false; # TODO(Ryan): do not enable, it will break deployments. + # allowReboot = false; + # }; + # Auto GC and store optimizations nix = { - settings.trusted-users = [ "root" ]; + trustedUsers = [ "root" "gab" ]; gc = { automatic = true; dates = "weekly"; @@ -13,4 +20,9 @@ max-free = ${toString (1024 * 1024 * 1024)} ''; }; + + services.locate = { + enable = true; + interval = "04:05"; + }; } diff --git a/machines/remote-builder-01/vim.nix b/machines/remote-builder-01/vim.nix new file mode 100644 index 0000000..bed8752 --- /dev/null +++ b/machines/remote-builder-01/vim.nix 
@@ -0,0 +1,31 @@
+{ pkgs, ... }:
+{
+ environment.variables = { EDITOR = "vim"; };
+
+ environment.systemPackages = with pkgs; [
+ nixfmt
+ git
+ (neovim.override {
+ vimAlias = true;
+ configure = {
+ packages.myPlugins = with pkgs.vimPlugins; {
+ start = [ vim-lastplace vim-nix ];
+ opt = [];
+ };
+ customRC = ''
+ set encoding=utf-8
+ set wildmenu
+
+ set nocompatible
+ set backspace=indent,eol,start
+ set cursorline
+ hi CursorLine term=bold cterm=bold ctermbg=darkgrey
+ set number
+ set relativenumber
+ set tabstop=4
+ set expandtab
+ '';
+ };
+ }
+ )];
+}
diff --git a/meta/default.nix b/meta/default.nix
deleted file mode 100644
index a6ccb51..0000000
--- a/meta/default.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-let
- nodes = import ./nodes.nix;
-in
-
-{ inherit nodes; }
diff --git a/meta/nodes.nix b/meta/nodes.nix
deleted file mode 100644
index c017cc4..0000000
--- a/meta/nodes.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-###
-# File specifying all the deployement options for the nodes administrated by the dgnum.
-#
-# Node metadata template is:
-#
-# NODE_NAME = {
-# adminGroups = []; # List of groups that have root access
-# admins = []; # List of individuals that have root access
-# deployment = {}; # Colmena deployment options
-# nixpkgs = "unstable" or "22.11"; # nixpkgs version
-# }
-
-let
- mkNode = _: attrs: {
- access = [ ];
-
- deployment = { };
-
- nixpkgs = "23.05";
- } // attrs;
-in
-
-builtins.mapAttrs mkNode {
- core-services-01 = {
- admins = [
- "gdd"
- "hubrecht"
- "mrf"
- "raito"
- "sinavir"
- ];
-
- deployment.targetHost = "core01.rz.ens.wtf";
-
- stateVersion = "22.05";
- };
-
- remote-builder-01 = {
- admins = [
- "gdd"
- "raito"
- "sinavir"
- "remote-builders"
- ];
-
- deployment.targetHost = "nix01.builders.rz.ens.wtf";
-
- stateVersion = "21.05";
- };
-
- public-cof = {
- admins = [
- "gdd"
- "hubrecht"
- "mrf"
- "raito"
- "sinavir"
- ];
-
- deployment.targetHost = "beta.rz.ens.wtf";
-
- stateVersion = "21.05";
- };
-}
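Review bot: `nixfmt` appears in this file's `environment.systemPackages` and again in `pkgsList` in programs.nix, which imports this file, so the same package is declared twice for the host. Since this file is the editor configuration, keeping only `git` and the `neovim.override` entry here and leaving general tools to `pkgsList` would give each list one purpose; alternatively drop `nixfmt` from programs.nix. Nix merges the two lists, so this is a tidiness point rather than a functional one.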
diff --git a/modules/default.nix b/modules/default.nix
deleted file mode 100644
index bc98724..0000000
--- a/modules/default.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ nix-lib, sources, ... }:
-
-{
- imports = (nix-lib.mkImports ./. [
- "krz-access-control"
- "krz-ssh"
- ]) ++ [
- # TODO: Switch to global version of agenix via npins
- # "${sources.agenix}/modules/age.nix"
- ];
-}
diff --git a/modules/krz-access-control.nix b/modules/krz-access-control.nix
deleted file mode 100644
index 55fd2a3..0000000
--- a/modules/krz-access-control.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-{ config, lib, nix-lib, meta, name, ... }:
-
-let
- inherit (lib)
- mkDefault
- mkEnableOption
- mkIf
- mkOption
-
- types;
-
- nodeMeta = meta.nodes.${name};
- inherit (nodeMeta) admins;
-
- cfg = config.krz-access-control;
-in
-
-{
- options.krz-access-control = {
- enable = mkEnableOption "DGNum access control." // { default = true; };
-
- users = mkOption {
- type = with types; attrsOf (listOf str);
- default = { };
- description = ''
- Attribute set describing which member has access to which user on the node.
- Members must be declared in `meta/members.nix`.
- '';
- example = ''
- {
- user1 = [ "member1" "member2" ];
- }
- '';
- };
- };
-
- config = mkIf cfg.enable {
- # Admins have root access to the node
- krz-access-control.users.root = mkDefault admins;
-
- users.users = builtins.mapAttrs
- (u: members: { openssh.authorizedKeys.keys = nix-lib.getAllKeys members; })
- cfg.users;
- };
-}
-
diff --git a/modules/krz-ssh.nix b/modules/krz-ssh.nix
deleted file mode 100644
index 4124ada..0000000
--- a/modules/krz-ssh.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ config, lib, ... }:
-
-let
- inherit (lib)
- mkEnableOption
- mkIf;
-
- cfg = config.krz-ssh;
-in
-
-{
- options.krz-ssh = {
- enable = mkEnableOption "ssh default configuration." // { default = true; };
- };
-
- config = mkIf cfg.enable {
- services.openssh = {
- enable = true;
-
- settings.PasswordAuthentication = false;
- };
-
- programs.mosh.enable = true;
- };
-}
diff --git a/nix-patches/default.nix b/nix-patches/default.nix
deleted file mode 100644
index 0967ef4..0000000
--- a/nix-patches/default.nix
+++ /dev/null
@@ -1 +0,0 @@
-{}
diff --git a/npins/default.nix b/npins/default.nix
deleted file mode 100644
index 4a7c372..0000000
--- a/npins/default.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-# Generated by npins. Do not modify; will be overwritten regularly
-let
- data = builtins.fromJSON (builtins.readFile ./sources.json);
- version = data.version;
-
- mkSource = spec:
- assert spec ? type; let
- path =
- if spec.type == "Git" then mkGitSource spec
- else if spec.type == "GitRelease" then mkGitSource spec
- else if spec.type == "PyPi" then mkPyPiSource spec
- else if spec.type == "Channel" then mkChannelSource spec
- else builtins.throw "Unknown source type ${spec.type}";
- in
- spec // { outPath = path; };
-
- mkGitSource = { repository, revision, url ? null, hash, ... }:
- assert repository ? type;
- # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
- # In the latter case, there we will always be an url to the tarball
- if url != null then
- (builtins.fetchTarball {
- inherit url;
- sha256 = hash; # FIXME: check nix version & use SRI hashes
- })
- else assert repository.type == "Git"; builtins.fetchGit {
- url = repository.url;
- rev = revision;
- # hash = hash;
- };
-
- mkPyPiSource = { url, hash, ... }:
- builtins.fetchurl {
- inherit url;
- sha256 = hash;
- };
-
- mkChannelSource = { url, hash, ... }:
- builtins.fetchTarball {
- inherit url;
- sha256 = hash;
- };
-in
-if version == 3 then
- builtins.mapAttrs (_: mkSource) data.pins
-else
- throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
diff --git a/npins/sources.json b/npins/sources.json
deleted file mode 100644
index 1df8536..0000000
--- a/npins/sources.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "pins": {
- "agenix": {
- "type": "GitRelease",
- "repository": {
- "type": "Git",
- "url": "https://github.com/ryantm/agenix"
- },
- "pre_releases": false,
- "version_upper_bound": null,
- "version": "0.13.0",
- "revision": "9c9fbfb94b2d545c7f0b78da0254ea0041595795",
- "url": null,
- "hash": "0k6aggy3lhqv6j11cvi4gr0i3jps8hlf262xl9ji3ffxwas46p54"
- },
- "nix-lib": {
- "type": "GitRelease",
- "repository": {
- "type": "Git",
- "url": "https://git.hubrecht.ovh/hubrecht/nix-lib"
- },
- "pre_releases": false,
- "version_upper_bound": null,
- "version": "0.1.1",
- "revision": "5db2443e2cb18335375ad84ffbc066a239c054de",
- "url": null,
- "hash": "18xzi2yn2vk7zq79pgz8z2s1ijhyjcx5866mp21rrdi9gz37yiif"
- },
- "nixos-23.05": {
- "type": "Channel",
- "name": "nixos-23.05",
- "url": "https://releases.nixos.org/nixos/23.05/nixos-23.05.2162.6da4bc6cb07/nixexprs.tar.xz",
- "hash": "198wbl9b7j3k51n0rxs09vy6x535ysqv6kbxf42d9yqr49d2n9vc"
- },
- "nixpkgs": {
- "type": "Channel",
- "name": "nixpkgs-unstable",
- "url": "https://releases.nixos.org/nixpkgs/nixpkgs-23.11pre506668.af8cd5ded77/nixexprs.tar.xz",
- "hash": "0in8bgah6hz47lsa3ka2fslwks174maqdzy8mcmsj0q4wrv8h2s9"
- }
- },
- "version": 3
-}
\ No newline at end of file
diff --git a/shell.nix b/shell.nix
deleted file mode 100644
index e29954b..0000000
--- a/shell.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-let
- sources = import ./npins;
- pkgs = import sources.nixpkgs { };
-in
-
-pkgs.mkShell {
- packages = with pkgs; [
- npins
- colmena
- nixos-generators
- ] ++ (builtins.map (p: callPackage p { }) [
- ]);
-
- allowSubstitutes = false;
-}