From 7fefcc0d54528f86724eed4943d2305d00ebd031 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Tue, 26 Apr 2022 23:33:59 +0200
Subject: [PATCH 01/88] core01: add headscale support

---
 machines/core-services-01/configuration.nix | 1 +
 machines/core-services-01/headscale.nix | 8 ++++++++
 machines/core-services-01/subZone.nix | 1 +
 3 files changed, 10 insertions(+)
 create mode 100644 machines/core-services-01/headscale.nix

diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix
index f5ae683..8af8554 100644
--- a/machines/core-services-01/configuration.nix
+++ b/machines/core-services-01/configuration.nix
@@ -19,6 +19,7 @@
 ./keycloak.nix
 ./acme-dns.nix
 ./backups.nix
+ ./headscale.nix
 # ./dex.nix
 ./oauth2_proxy.nix
 ./secrets
diff --git a/machines/core-services-01/headscale.nix b/machines/core-services-01/headscale.nix
new file mode 100644
index 0000000..e44b48a
--- /dev/null
+++ b/machines/core-services-01/headscale.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ services.headscale = {
+ enable = true;
+ serverUrl = "https://tailscale.rz.ens.wtf";
+ tls.letsencrypt.hostname = "tailscale.rz.ens.wtf";
+ };
+}
diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix
index 08db8c1..2738afe 100644
--- a/machines/core-services-01/subZone.nix
+++ b/machines/core-services-01/subZone.nix
@@ -37,6 +37,7 @@ dualstack // {
 monitoring = dualstack;
 auth = dualstack;
 push = dualstack;
+ tailscale = dualstack;
 core01 = dualstack;
 ns1 = dualstack;
-- 
2.47.0

From cce562ac9aaa802f2743f859412bc1e445866364 Mon Sep 17 00:00:00 2001 
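Review bot: The hostname `tailscale.rz.ens.wtf` is spelled twice in headscale.nix, once inside `serverUrl` and once as `tls.letsencrypt.hostname`; if the two ever drift, the certificate is issued for a name the clients are not told to connect to. Bind it once, e.g. `let host = "tailscale.rz.ens.wtf"; in` and then `serverUrl = "https://${host}"; tls.letsencrypt.hostname = host;`. Whether the ports the built-in ACME listener needs are opened in the host firewall is not visible in this hunk and is worth confirming before relying on the automatic certificate. The identical file is re-added by the squashed PATCH 14/88, where the same remark applies.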
From: Raito Bezarius Date: Wed, 27 Apr 2022 13:24:40 +0200 Subject: [PATCH 02/88] core01: update to latest nixpkgs, fix up keycloak --- krops.nix | 2 +- machines/core-services-01/acme-ssl.nix | 4 +- machines/core-services-01/drone-runners.nix | 2 +- machines/core-services-01/keycloak.nix | 42 +++++++--- .../keycloak/keycloak-protocol-cas.nix | 26 ++++++ .../core-services-01/keycloak/package.nix | 84 +++++++++++++++++++ machines/core-services-01/monitoring.nix | 2 +- 7 files changed, 145 insertions(+), 17 deletions(-) create mode 100644 machines/core-services-01/keycloak/keycloak-protocol-cas.nix create mode 100644 machines/core-services-01/keycloak/package.nix diff --git a/krops.nix b/krops.nix index 01ee420..949b478 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "e96c668072d7c98ddf2062f6d2b37f84909a572b"; # nixos-22.05 + ref = "7f4a8f37d4621b27fc0c4eeb3880ecf1cb055371"; # nixos-22.05 url = "https://github.com/NixOS/nixpkgs"; }; }]; diff --git a/machines/core-services-01/acme-ssl.nix b/machines/core-services-01/acme-ssl.nix index 2403cd6..f111e17 100644 --- a/machines/core-services-01/acme-ssl.nix +++ b/machines/core-services-01/acme-ssl.nix @@ -5,9 +5,9 @@ let in { security.acme.acceptTerms = true; - security.acme.email = my.email; + security.acme.defaults.email = my.email; - security.acme.server = + security.acme.defaults.server = if my.acmeStaging then "https://acme-staging-v02.api.letsencrypt.org/directory" else null; diff --git a/machines/core-services-01/drone-runners.nix b/machines/core-services-01/drone-runners.nix index 6793e4b..36ecbdd 100644 --- a/machines/core-services-01/drone-runners.nix +++ b/machines/core-services-01/drone-runners.nix 
@@ -14,5 +14,5 @@ in envFile = config.age.secrets.droneKeyFile.path; }; - systemd.services."drone-exec-runner-nix01".after = [ "gitea" ]; + systemd.services."drone-exec-runner-nix01".after = [ "gitea.service" ]; } diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index 6f34b25..9d103ef 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix 
@@ -1,26 +1,44 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let my = config.my; port = 8080; + keycloak-protocol-cas = pkgs.callPackage ./keycloak/keycloak-protocol-cas.nix {}; + domain = "auth.${my.subZone}"; + certs = config.security.acme.certs."${domain}".directory; in { services.keycloak = { enable = true; - package = pkgs.keycloak.override { - jre = pkgs.jre8; - }; + /*package = pkgs.keycloak.overrideAttrs (old: rec { + version = "18.0.0"; + jre = pkgs.openjdk; + src = pkgs.fetchzip { + url = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip"; + sha256 = "sha256-Tql5/yNtdctSCYgtSnz5Pa6IwZVf/HOApFdeCEpNrjs="; + }; + });*/ + package = pkgs.callPackage ./keycloak/package.nix {}; initialAdminPassword = "changemeasap"; - database.createLocally = true; - database.passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path; - frontendUrl = "https://auth.${my.subZone}/auth/"; - forceBackendUrlToFrontendUrl = true; - httpPort = toString port; - extraConfig = { - "subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true; + sslCertificate = "${certs}/cert.pem"; + sslCertificateKey = "${certs}/key.pem"; + plugins = [ pkgs.keycloak.plugins.keycloak-metrics-spi keycloak-protocol-cas ]; + database = { + type = "postgresql"; + username = "keycloak"; + name = "keycloak"; + createLocally = true; + passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}"; + }; + settings = { + hostname-strict-backchannel = true; + http-port = port; + proxy = "edge"; + http-relative-path = "/auth"; + hostname = domain; }; }; - services.nginx.virtualHosts."auth.${my.subZone}" = { + services.nginx.virtualHosts."${domain}" = { forceSSL = true; enableACME = true; locations."/" = { diff --git a/machines/core-services-01/keycloak/keycloak-protocol-cas.nix b/machines/core-services-01/keycloak/keycloak-protocol-cas.nix new file mode 100644 index 0000000..1783749 --- /dev/null 
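Review bot: `proxy = "edge"` makes Keycloak trust the `X-Forwarded-*` headers of whatever reaches `http-port`, and the hunk does not pin the bind address, so unless the Keycloak default bind is already restricted or 8080 is firewalled, a client that reaches the port directly can supply those headers itself; add `http-host = "127.0.0.1";` next to `http-port = port;` so that only the local nginx on `proxyPass = "http://127.0.0.1:${toString port}"` is a valid source. `sslCertificate`/`sslCertificateKey` point into `config.security.acme.certs."${domain}".directory`, which the keycloak service account has to be able to read (normally via the certificate's group option); that grant is not part of this change and should be confirmed. The `/* package = pkgs.keycloak.overrideAttrs ... */` block is dead code and can be removed rather than kept commented out. The `http-host` point applies equally to the keycloak.nix hunk of the squashed PATCH 14/88.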
+++ b/machines/core-services-01/keycloak/keycloak-protocol-cas.nix @@ -0,0 +1,26 @@ +{ stdenv, lib, fetchurl }: + +stdenv.mkDerivation rec { + pname = "keycloak-protocol-cas"; + version = "18.0.0"; + + src = fetchurl { + url = "https://github.com/jacekkow/keycloak-protocol-cas/releases/download/${version}/keycloak-protocol-cas-${version}.jar"; + sha256 = "sha256-N+IJqD7oQ4T4MI8klt96kfHwFnPJy5l8MK6bq62nBrM="; + }; + + dontUnpack = true; + dontBuild = true; + + installPhase = '' + mkdir -p $out + install "$src" "$out" + ''; + + meta = with lib; { + homepage = "https://github.com/jacekkow/keycloak-protocol-cas"; + description = "Keycloak Service Provider that adds CAS as an authentication protocol"; + license = licenses.apsl20; + maintainers = with maintainers; [ raitobezarius ]; + }; +} diff --git a/machines/core-services-01/keycloak/package.nix b/machines/core-services-01/keycloak/package.nix new file mode 100644 index 0000000..e9a1177 --- /dev/null +++ b/machines/core-services-01/keycloak/package.nix 
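Review bot: `license = licenses.apsl20;` is the Apple Public Source License 2.0, which does not match the upstream project; as far as I know jacekkow/keycloak-protocol-cas is published under Apache-2.0, so this should read `license = licenses.asl20;` (worth confirming against the upstream LICENSE file). Pinning the release jar by `sha256` with `dontUnpack`/`dontBuild` is the right way to vendor a prebuilt provider, since a changed artifact fails the build instead of being loaded. `install "$src" "$out"` leaves the jar under `$out` with its store-hash-prefixed basename; that is fine for a `providers/` copy loop, but a comment such as `# keep the store name; the keycloak module copies every *.jar found under $out` would save the next reader a check. The same file is re-added unchanged in the squashed PATCH 14/88.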
@@ -0,0 +1,84 @@ +{ stdenv +, lib +, fetchzip +, makeWrapper +, jre +, writeText +, nixosTests +, callPackage + +, confFile ? null +, plugins ? [ ] +}: + +stdenv.mkDerivation rec { + pname = "keycloak"; + version = "18.0.0"; + + src = fetchzip { + url = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip"; + sha256 = "sha256-Tql5/yNtdctSCYgtSnz5Pa6IwZVf/HOApFdeCEpNrjs="; + }; + + nativeBuildInputs = [ makeWrapper jre ]; + + buildPhase = '' + runHook preBuild + '' + lib.optionalString (confFile != null) '' + install -m 0600 ${confFile} conf/keycloak.conf + '' + '' + install_plugin() { + if [ -d "$1" ]; then + find "$1" -type f \( -iname \*.ear -o -iname \*.jar \) -exec install -m 0500 "{}" "providers/" \; + else + install -m 0500 "$1" "providers/" + fi + } + ${lib.concatMapStringsSep "\n" (pl: "install_plugin ${lib.escapeShellArg pl}") plugins} + '' + '' + export KC_HOME_DIR=$out + export KC_CONF_DIR=$out/conf + export ROOT_LOGLEVEL="DEBUG" + export KEYCLOAK_LOGLEVEL="DEBUG" + + patchShebangs bin/kc.sh + bin/kc.sh --verbose build + + runHook postBuild + ''; + + installPhase = '' + runHook preInstall + + mkdir $out + cp -r * $out + + rm $out/bin/*.{ps1,bat} + + runHook postInstall + ''; + + postFixup = '' + substituteInPlace $out/bin/kc.sh --replace '-Dkc.home.dir=$DIRNAME/../' '-Dkc.home.dir=$KC_HOME_DIR' + substituteInPlace $out/bin/kc.sh --replace '-Djboss.server.config.dir=$DIRNAME/../conf' '-Djboss.server.config.dir=$KC_CONF_DIR' + + for script in $(find $out/bin -type f -executable); do + wrapProgram "$script" --set JAVA_HOME ${jre} --prefix PATH : ${jre}/bin + done + ''; + + passthru = { + tests = nixosTests.keycloak; + plugins = callPackage ./all-plugins.nix { }; + enabledPlugins = plugins; + }; + + meta = with lib; { + homepage = "https://www.keycloak.org/"; + description = "Identity and access management for modern applications and services"; + license = licenses.asl20; + platforms = jre.meta.platforms; + maintainers = 
with maintainers; [ ngerstle talyz ]; + }; + +} diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index f9812f9..47b7953 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -65,7 +65,7 @@ in "health_alarm_notify" ]; - environment.etc."netdata/netdata.conf" = { + environment.etc."netdata/netdata.conf" = lib.mkForce { user = "netdata"; group = "netdata"; mode = "0600"; -- 2.47.0 From 4df131d59b36e5e58cc3c7998c0aef0b253e90d5 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 30 May 2022 00:47:46 +0200 Subject: [PATCH 03/88] core01: update to 22.05-beta --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 949b478..5647c3e 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "7f4a8f37d4621b27fc0c4eeb3880ecf1cb055371"; # nixos-22.05 + ref = "7ae60dd7068478db5d936a3850b6df859aec21d0"; # nixos-22.05 beta release url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.47.0 From 22996eddffc9840072dfd6fa47092bbdd7020623 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 4 Jun 2022 04:23:31 +0200 Subject: [PATCH 04/88] nixpkgs: update to 22.05 release --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 5647c3e..cd1f9ab 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "7ae60dd7068478db5d936a3850b6df859aec21d0"; # nixos-22.05 beta release + ref = "ce6aa13369b667ac2542593170993504932eb836"; # nixos-22.05 release url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.47.0 From 4d5ea04099139a17cb4cbb9c547b2e7f9ebcbea1 Mon Sep 17 00:00:00 2001 
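Review bot: `install -m 0600 ${confFile} conf/keycloak.conf` cannot keep anything private: `${confFile}` is interpolated into a store path and the whole tree is copied into `$out` by `cp -r * $out`, so the file ends up world-readable in the Nix store whatever mode is set, and must not carry database passwords or other secrets (keep those in the runtime `KC_CONF_DIR`). This looks like a copy of the nixpkgs keycloak derivation; the only local deviation I can see is `export ROOT_LOGLEVEL="DEBUG"` / `export KEYCLOAK_LOGLEVEL="DEBUG"`, which only affect the `kc.sh --verbose build` step, and a comment stating that intent, e.g. `# DEBUG here only applies to the build/augmentation step, not to the runtime server`, would stop readers assuming debug logging ships to production. The file is deleted again in PATCH 13/88, which suggests it never needed to be committed.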
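Review bot: `environment.etc."netdata/netdata.conf" = lib.mkForce { ... }` silently discards whatever the netdata module itself defines for that entry, and nothing in the hunk records why a plain definition conflicted. A one-line comment, e.g. `# mkForce: the netdata module also defines this entry; ours must win`, keeps the override from being "simplified" away later.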
From: Raito Bezarius Date: Sat, 4 Jun 2022 04:29:53 +0200 Subject: [PATCH 05/88] nixpkgs: try 22.11 unreleased --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index cd1f9ab..38c5e90 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "ce6aa13369b667ac2542593170993504932eb836"; # nixos-22.05 release + ref = "f6c4da49202d79cdab2fdf2bfa3019cde23f007e"; # nixos-22.11 pre-release url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.47.0 From 6f52987d5f6e0a2250db78588b372ba505ba49c1 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 4 Jun 2022 04:35:19 +0200 Subject: [PATCH 06/88] core01(keycloak): remove customizations --- machines/core-services-01/keycloak.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index 9d103ef..a525413 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix @@ -17,10 +17,10 @@ in sha256 = "sha256-Tql5/yNtdctSCYgtSnz5Pa6IwZVf/HOApFdeCEpNrjs="; }; });*/ - package = pkgs.callPackage ./keycloak/package.nix {}; + # package = pkgs.callPackage ./keycloak/package.nix {}; initialAdminPassword = "changemeasap"; - sslCertificate = "${certs}/cert.pem"; - sslCertificateKey = "${certs}/key.pem"; + # sslCertificate = "${certs}/cert.pem"; + # sslCertificateKey = "${certs}/key.pem"; plugins = [ pkgs.keycloak.plugins.keycloak-metrics-spi keycloak-protocol-cas ]; database = { type = "postgresql"; -- 2.47.0 From aa328045a75385e4c93d63b921b0bdd6959691ed Mon Sep 17 00:00:00 2001 
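Review bot: Commenting out `package = ...`, `sslCertificate = ...` and `sslCertificateKey = ...` next to the already commented `/* package = pkgs.keycloak.overrideAttrs ... */` block leaves three layers of dead configuration in keycloak.nix, and the `certs` binding above them now has no remaining user. Delete the lines instead of commenting them; git history already preserves them, and the file stays readable.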
From: Raito Bezarius Date: Tue, 7 Jun 2022 01:33:21 +0200 Subject: [PATCH 07/88] core01(keycloak): try a zlib upstream patch --- .../fix-crc-computation.patch | 51 +++++++++++++++++++ machines/core-services-01/keycloak.nix | 9 ++++ 2 files changed, 60 insertions(+) create mode 100644 machines/core-services-01/fix-crc-computation.patch diff --git a/machines/core-services-01/fix-crc-computation.patch b/machines/core-services-01/fix-crc-computation.patch new file mode 100644 index 0000000..85a6a7e --- /dev/null +++ b/machines/core-services-01/fix-crc-computation.patch 
@@ -0,0 +1,51 @@ +From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Wed, 30 Mar 2022 11:14:53 -0700 +Subject: [PATCH] Correct incorrect inputs provided to the CRC functions. + +The previous releases of zlib were not sensitive to incorrect CRC +inputs with bits set above the low 32. This commit restores that +behavior, so that applications with such bugs will continue to +operate as before. +--- + crc32.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/crc32.c b/crc32.c +index a1bdce5c2..451887bc7 100644 +--- a/crc32.c ++++ b/crc32.c +@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) + #endif /* DYNAMIC_CRC_TABLE */ + + /* Pre-condition the CRC */ +- crc ^= 0xffffffff; ++ crc = (~crc) & 0xffffffff; + + /* Compute the CRC up to a word boundary. */ + while (len && ((z_size_t)buf & 7) != 0) { +@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) + #endif /* DYNAMIC_CRC_TABLE */ + + /* Pre-condition the CRC */ +- crc ^= 0xffffffff; ++ crc = (~crc) & 0xffffffff; + + #ifdef W + +@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2) + #ifdef DYNAMIC_CRC_TABLE + once(&made, make_crc_table); + #endif /* DYNAMIC_CRC_TABLE */ +- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2; ++ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff); + } + + /* ========================================================================= */ +@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op) + uLong crc2; + uLong op; + { +- return multmodp(op, crc1) ^ crc2; ++ return multmodp(op, crc1) ^ (crc2 & 0xffffffff); + } diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index a525413..3890993 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix 
@@ -7,6 +7,15 @@ let certs = config.security.acme.certs."${domain}".directory; in { + nixpkgs.overlays = [ + (self: super: { + zlib = zlib.overrideAttrs (old: { + patches = old.patches ++ [ + ./fix-crc-computation.patch + ]; + }); + }) + ]; services.keycloak = { enable = true; /*package = pkgs.keycloak.overrideAttrs (old: rec { -- 2.47.0 From deda24e3aeacf46635afdbe66a1c706e09dd01f1 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 7 Jun 2022 01:34:18 +0200 Subject: [PATCH 08/88] core01(keycloak): oops --- machines/core-services-01/keycloak.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index 3890993..b59af18 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix @@ -9,7 +9,7 @@ in { nixpkgs.overlays = [ (self: super: { - zlib = zlib.overrideAttrs (old: { + zlib = super.zlib.overrideAttrs (old: { patches = old.patches ++ [ ./fix-crc-computation.patch ]; -- 2.47.0 From 173cdedb7cf326abcc0c95a9dea287a7656c2cc6 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 21 Jun 2022 18:47:09 +0200 Subject: [PATCH 09/88] core01(keycloak): bump to nixpkgs-unstable who has the patch --- krops.nix | 2 +- machines/core-services-01/keycloak.nix | 20 -------------------- 2 files changed, 1 insertion(+), 21 deletions(-) diff --git a/krops.nix b/krops.nix index 38c5e90..a088d89 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "f6c4da49202d79cdab2fdf2bfa3019cde23f007e"; # nixos-22.11 pre-release + ref = "e0a42267f73ea52adc061a64650fddc59906fc99"; # nixpkgs-unstable url = "https://github.com/NixOS/nixpkgs"; }; }]; diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index b59af18..e7d48e5 100644 --- a/machines/core-services-01/keycloak.nix 
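Review bot: Putting the zlib patch in `nixpkgs.overlays` replaces zlib for the whole system closure, so every package that links it is rebuilt locally and runs with the modified CRC handling, not just Keycloak; if the goal is only the Keycloak JRE, overriding that single dependency would be narrower. In the same hunk `zlib.overrideAttrs` refers to an unbound `zlib` (the overlay receives it as `super.zlib`), which the following commit PATCH 08/88 corrects. `old.patches ++ [ ... ]` also assumes the attribute exists; `(old.patches or [ ]) ++ [ ./fix-crc-computation.patch ]` is the defensive form.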
+++ b/machines/core-services-01/keycloak.nix @@ -7,29 +7,9 @@ let certs = config.security.acme.certs."${domain}".directory; in { - nixpkgs.overlays = [ - (self: super: { - zlib = super.zlib.overrideAttrs (old: { - patches = old.patches ++ [ - ./fix-crc-computation.patch - ]; - }); - }) - ]; services.keycloak = { enable = true; - /*package = pkgs.keycloak.overrideAttrs (old: rec { - version = "18.0.0"; - jre = pkgs.openjdk; - src = pkgs.fetchzip { - url = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip"; - sha256 = "sha256-Tql5/yNtdctSCYgtSnz5Pa6IwZVf/HOApFdeCEpNrjs="; - }; - });*/ - # package = pkgs.callPackage ./keycloak/package.nix {}; initialAdminPassword = "changemeasap"; - # sslCertificate = "${certs}/cert.pem"; - # sslCertificateKey = "${certs}/key.pem"; plugins = [ pkgs.keycloak.plugins.keycloak-metrics-spi keycloak-protocol-cas ]; database = { type = "postgresql"; -- 2.47.0 From 2e09ceabf74f0c7cd601c3d286fa3668e3af2136 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 21 Jun 2022 19:06:43 +0200 Subject: [PATCH 10/88] core01(keycloak): bump to nixos-unstable --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index a088d89..770fcff 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "e0a42267f73ea52adc061a64650fddc59906fc99"; # nixpkgs-unstable + ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.47.0 From 3b1338043c322fae7bdd4c4282a04b23d0be12da Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 21 Jun 2022 19:25:00 +0200 Subject: [PATCH 11/88] public-cof: disable cryptpad --- machines/public-cof/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index ef33c32..b47cf2c 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -14,7 +14,7 @@ ./nur.nix # ./factorio.nix # TODO ./nginx.nix - ./cryptpad.nix + # ./cryptpad.nix ./hedgedoc.nix ./secrets # TODO monitoring -- 2.47.0 From 28c3ad24298a7d330e52fb776e704aefbbcf5cdb Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 21 Jun 2022 19:27:44 +0200 Subject: [PATCH 12/88] public-cof: upgrade to NC24 --- machines/public-cof/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 99e6e17..b243afb 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,7 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud22; + package = pkgs.nextcloud23; config = { overwriteProtocol = "https"; -- 2.47.0 From dcddd19fb4d1754d3821afbfe043a26ec977dff5 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 26 Jun 2022 23:45:00 +0200 Subject: [PATCH 13/88] core01(keycloak): remove useless file --- .../core-services-01/keycloak/package.nix | 84 ------------------- 1 file changed, 84 deletions(-) delete mode 100644 machines/core-services-01/keycloak/package.nix diff --git a/machines/core-services-01/keycloak/package.nix b/machines/core-services-01/keycloak/package.nix deleted file mode 100644 index e9a1177..0000000 --- a/machines/core-services-01/keycloak/package.nix +++ /dev/null 
@@ -1,84 +0,0 @@ -{ stdenv -, lib -, fetchzip -, makeWrapper -, jre -, writeText -, nixosTests -, callPackage - -, confFile ? null -, plugins ? [ ] -}: - -stdenv.mkDerivation rec { - pname = "keycloak"; - version = "18.0.0"; - - src = fetchzip { - url = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip"; - sha256 = "sha256-Tql5/yNtdctSCYgtSnz5Pa6IwZVf/HOApFdeCEpNrjs="; - }; - - nativeBuildInputs = [ makeWrapper jre ]; - - buildPhase = '' - runHook preBuild - '' + lib.optionalString (confFile != null) '' - install -m 0600 ${confFile} conf/keycloak.conf - '' + '' - install_plugin() { - if [ -d "$1" ]; then - find "$1" -type f \( -iname \*.ear -o -iname \*.jar \) -exec install -m 0500 "{}" "providers/" \; - else - install -m 0500 "$1" "providers/" - fi - } - ${lib.concatMapStringsSep "\n" (pl: "install_plugin ${lib.escapeShellArg pl}") plugins} - '' + '' - export KC_HOME_DIR=$out - export KC_CONF_DIR=$out/conf - export ROOT_LOGLEVEL="DEBUG" - export KEYCLOAK_LOGLEVEL="DEBUG" - - patchShebangs bin/kc.sh - bin/kc.sh --verbose build - - runHook postBuild - ''; - - installPhase = '' - runHook preInstall - - mkdir $out - cp -r * $out - - rm $out/bin/*.{ps1,bat} - - runHook postInstall - ''; - - postFixup = '' - substituteInPlace $out/bin/kc.sh --replace '-Dkc.home.dir=$DIRNAME/../' '-Dkc.home.dir=$KC_HOME_DIR' - substituteInPlace $out/bin/kc.sh --replace '-Djboss.server.config.dir=$DIRNAME/../conf' '-Djboss.server.config.dir=$KC_CONF_DIR' - - for script in $(find $out/bin -type f -executable); do - wrapProgram "$script" --set JAVA_HOME ${jre} --prefix PATH : ${jre}/bin - done - ''; - - passthru = { - tests = nixosTests.keycloak; - plugins = callPackage ./all-plugins.nix { }; - enabledPlugins = plugins; - }; - - meta = with lib; { - homepage = "https://www.keycloak.org/"; - description = "Identity and access management for modern applications and services"; - license = licenses.asl20; - platforms = jre.meta.platforms; - maintainers = 
with maintainers; [ ngerstle talyz ]; - }; - -} -- 2.47.0 From 6f5fdb0317db7ad5df3258a1114ba5c1deadb29f Mon Sep 17 00:00:00 2001 From: Ryan Lahfa Date: Sun, 26 Jun 2022 23:48:43 +0200 Subject: [PATCH 14/88] Headscale support (upgrade to latest nixpkgs) (#9) This adds Headscale support. It provides also an upgrade to Keycloak 18.0.0 (Quarkus distribution). It upgrades NextCloud from 22 to 23. Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/9 Co-authored-by: Ryan Lahfa Co-committed-by: Ryan Lahfa --- krops.nix | 2 +- machines/core-services-01/acme-ssl.nix | 4 +- machines/core-services-01/configuration.nix | 1 + machines/core-services-01/drone-runners.nix | 2 +- .../fix-crc-computation.patch | 51 +++++++++++++++++++ machines/core-services-01/headscale.nix | 8 +++ machines/core-services-01/keycloak.nix | 31 ++++++----- .../keycloak/keycloak-protocol-cas.nix | 26 ++++++++++ machines/core-services-01/monitoring.nix | 2 +- machines/core-services-01/subZone.nix | 1 + machines/public-cof/configuration.nix | 2 +- machines/public-cof/nextcloud.nix | 2 +- 12 files changed, 113 insertions(+), 19 deletions(-) create mode 100644 machines/core-services-01/fix-crc-computation.patch create mode 100644 machines/core-services-01/headscale.nix create mode 100644 machines/core-services-01/keycloak/keycloak-protocol-cas.nix diff --git a/krops.nix b/krops.nix index 01ee420..770fcff 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "e96c668072d7c98ddf2062f6d2b37f84909a572b"; # nixos-22.05 + ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable url = "https://github.com/NixOS/nixpkgs"; }; }]; diff --git a/machines/core-services-01/acme-ssl.nix b/machines/core-services-01/acme-ssl.nix index 2403cd6..f111e17 100644 --- a/machines/core-services-01/acme-ssl.nix +++ b/machines/core-services-01/acme-ssl.nix 
@@ -5,9 +5,9 @@ let in { security.acme.acceptTerms = true; - security.acme.email = my.email; + security.acme.defaults.email = my.email; - security.acme.server = + security.acme.defaults.server = if my.acmeStaging then "https://acme-staging-v02.api.letsencrypt.org/directory" else null; diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index f5ae683..8af8554 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -19,6 +19,7 @@ ./keycloak.nix ./acme-dns.nix ./backups.nix + ./headscale.nix # ./dex.nix ./oauth2_proxy.nix ./secrets diff --git a/machines/core-services-01/drone-runners.nix b/machines/core-services-01/drone-runners.nix index 6793e4b..36ecbdd 100644 --- a/machines/core-services-01/drone-runners.nix +++ b/machines/core-services-01/drone-runners.nix @@ -14,5 +14,5 @@ in envFile = config.age.secrets.droneKeyFile.path; }; - systemd.services."drone-exec-runner-nix01".after = [ "gitea" ]; + systemd.services."drone-exec-runner-nix01".after = [ "gitea.service" ]; } diff --git a/machines/core-services-01/fix-crc-computation.patch b/machines/core-services-01/fix-crc-computation.patch new file mode 100644 index 0000000..85a6a7e --- /dev/null +++ b/machines/core-services-01/fix-crc-computation.patch 
@@ -0,0 +1,51 @@ +From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Wed, 30 Mar 2022 11:14:53 -0700 +Subject: [PATCH] Correct incorrect inputs provided to the CRC functions. + +The previous releases of zlib were not sensitive to incorrect CRC +inputs with bits set above the low 32. This commit restores that +behavior, so that applications with such bugs will continue to +operate as before. +--- + crc32.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/crc32.c b/crc32.c +index a1bdce5c2..451887bc7 100644 +--- a/crc32.c ++++ b/crc32.c +@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) + #endif /* DYNAMIC_CRC_TABLE */ + + /* Pre-condition the CRC */ +- crc ^= 0xffffffff; ++ crc = (~crc) & 0xffffffff; + + /* Compute the CRC up to a word boundary. */ + while (len && ((z_size_t)buf & 7) != 0) { +@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) + #endif /* DYNAMIC_CRC_TABLE */ + + /* Pre-condition the CRC */ +- crc ^= 0xffffffff; ++ crc = (~crc) & 0xffffffff; + + #ifdef W + +@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2) + #ifdef DYNAMIC_CRC_TABLE + once(&made, make_crc_table); + #endif /* DYNAMIC_CRC_TABLE */ +- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2; ++ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff); + } + + /* ========================================================================= */ +@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op) + uLong crc2; + uLong op; + { +- return multmodp(op, crc1) ^ crc2; ++ return multmodp(op, crc1) ^ (crc2 & 0xffffffff); + } diff --git a/machines/core-services-01/headscale.nix b/machines/core-services-01/headscale.nix new file mode 100644 index 0000000..e44b48a --- /dev/null +++ b/machines/core-services-01/headscale.nix 
@@ -0,0 +1,8 @@ +{ ... }: +{ + services.headscale = { + enable = true; + serverUrl = "https://tailscale.rz.ens.wtf"; + tls.letsencrypt.hostname = "tailscale.rz.ens.wtf"; + }; +} diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index 6f34b25..e7d48e5 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix @@ -1,26 +1,33 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let my = config.my; port = 8080; + keycloak-protocol-cas = pkgs.callPackage ./keycloak/keycloak-protocol-cas.nix {}; + domain = "auth.${my.subZone}"; + certs = config.security.acme.certs."${domain}".directory; in { services.keycloak = { enable = true; - package = pkgs.keycloak.override { - jre = pkgs.jre8; - }; initialAdminPassword = "changemeasap"; - database.createLocally = true; - database.passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path; - frontendUrl = "https://auth.${my.subZone}/auth/"; - forceBackendUrlToFrontendUrl = true; - httpPort = toString port; - extraConfig = { - "subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true; + plugins = [ pkgs.keycloak.plugins.keycloak-metrics-spi keycloak-protocol-cas ]; + database = { + type = "postgresql"; + username = "keycloak"; + name = "keycloak"; + createLocally = true; + passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}"; + }; + settings = { + hostname-strict-backchannel = true; + http-port = port; + proxy = "edge"; + http-relative-path = "/auth"; + hostname = domain; }; }; - services.nginx.virtualHosts."auth.${my.subZone}" = { + services.nginx.virtualHosts."${domain}" = { forceSSL = true; enableACME = true; locations."/" = { diff --git a/machines/core-services-01/keycloak/keycloak-protocol-cas.nix b/machines/core-services-01/keycloak/keycloak-protocol-cas.nix new file mode 100644 index 0000000..1783749 --- /dev/null 
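Review bot: `certs = config.security.acme.certs."${domain}".directory;` is added to the `let` block but, unlike the intermediate PATCH 02/88, no line on the new side uses it, so the squash leaves an unused binding that still forces evaluation of the ACME certificate attribute; drop it unless something below the hunk reads it. `lib` is likewise added to the argument set without a visible use in this hunk (it may be needed further down the file). `passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}";` wraps an already-string value in an interpolation; `passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path;` is the plain form.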
+++ b/machines/core-services-01/keycloak/keycloak-protocol-cas.nix @@ -0,0 +1,26 @@ +{ stdenv, lib, fetchurl }: + +stdenv.mkDerivation rec { + pname = "keycloak-protocol-cas"; + version = "18.0.0"; + + src = fetchurl { + url = "https://github.com/jacekkow/keycloak-protocol-cas/releases/download/${version}/keycloak-protocol-cas-${version}.jar"; + sha256 = "sha256-N+IJqD7oQ4T4MI8klt96kfHwFnPJy5l8MK6bq62nBrM="; + }; + + dontUnpack = true; + dontBuild = true; + + installPhase = '' + mkdir -p $out + install "$src" "$out" + ''; + + meta = with lib; { + homepage = "https://github.com/jacekkow/keycloak-protocol-cas"; + description = "Keycloak Service Provider that adds CAS as an authentication protocol"; + license = licenses.apsl20; + maintainers = with maintainers; [ raitobezarius ]; + }; +} diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index f9812f9..47b7953 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -65,7 +65,7 @@ in "health_alarm_notify" ]; - environment.etc."netdata/netdata.conf" = { + environment.etc."netdata/netdata.conf" = lib.mkForce { user = "netdata"; group = "netdata"; mode = "0600"; diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 08db8c1..2738afe 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -37,6 +37,7 @@ dualstack // { monitoring = dualstack; auth = dualstack; push = dualstack; + tailscale = dualstack; core01 = dualstack; ns1 = dualstack; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index ef33c32..b47cf2c 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -14,7 +14,7 @@ ./nur.nix # ./factorio.nix # TODO ./nginx.nix - ./cryptpad.nix + # ./cryptpad.nix ./hedgedoc.nix ./secrets # TODO monitoring 
diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 99e6e17..b243afb 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,7 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud22; + package = pkgs.nextcloud23; config = { overwriteProtocol = "https"; -- 2.47.0 From 9d3381cafba64d1e102211997111cd517481e716 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Aug 2022 16:34:22 +0200 Subject: [PATCH 15/88] oauth2_proxy: add a cookie specific to *.rz.ens.wtf --- machines/core-services-01/monitoring.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 47b7953..b0872cd 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -117,6 +117,10 @@ in keyFile = config.age.secrets.oauth2ProxyKeyFile.path; provider = "keycloak"; email.domains = [ "*" ]; + cookie = { + name = "_oauth2_proxy_ensrz"; + domain = ".rz.ens.wtf"; + }; setXauthrequest = true; scope = "profile"; loginURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/auth"; -- 2.47.0 From be6e81ad46af088bde935e5e9aa282690ce4cf2d Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Aug 2022 17:52:21 +0200 Subject: [PATCH 16/88] monitoring: fix authentication via oauth2_proxy by moving to Keycloak-OIDC + many proxy buffer hacks --- machines/core-services-01/keycloak.nix | 7 +++++++ machines/core-services-01/monitoring.nix | 25 +++++++++++++++++------- 2 files changed, 25 insertions(+), 7 deletions(-) diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index e7d48e5..7bf36d0 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix 
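Review bot: `domain = ".rz.ens.wtf"` scopes the oauth2_proxy session cookie to the whole zone, so every host under `rz.ens.wtf` receives it on each request and a less trusted service in that zone (or one with a content-injection bug) can observe a session that is valid for `monitoring`. That is acceptable only if every host in the zone is equally trusted; record the assumption next to the option, e.g. `# Shared across *.rz.ens.wtf: every host in the zone sees this session cookie`. Also confirm the cookie keeps its secure and httponly attributes once the name and domain are customised.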
@@ -32,6 +32,13 @@ in enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; + + extraConfig = '' + # For large authentication-authorization headers + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + ''; }; }; } diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index b0872cd..3aa17e9 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -115,22 +115,25 @@ in services.oauth2_proxy = { enable = true; keyFile = config.age.secrets.oauth2ProxyKeyFile.path; - provider = "keycloak"; + provider = "keycloak-oidc"; email.domains = [ "*" ]; cookie = { name = "_oauth2_proxy_ensrz"; domain = ".rz.ens.wtf"; }; setXauthrequest = true; - scope = "profile"; - loginURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/auth"; - redeemURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/token"; - profileURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo"; - validateURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo"; + scope = "openid"; redirectURL = "https://monitoring.${my.subZone}/oauth2/callback"; reverseProxy = true; passHostHeader = true; + extraConfig = { + whitelist-domain = [ ".rz.ens.wtf" ]; + oidc-issuer-url = "https://auth.${my.subZone}/auth/realms/${realm}"; + # insecure-oidc-allow-unverified-email = true; + show-debug-on-error = true; + }; + nginx = { virtualHosts = [ "monitoring.${my.subZone}" ]; }; @@ -143,7 +146,15 @@ in enableACME = true; forceSSL = true; - locations."/".proxyPass = "http://localhost:19999"; + locations."/" = { + proxyPass = "http://localhost:19999"; + extraConfig = '' + # For large authentication-authorization headers + proxy_buffer_size 256k; + proxy_buffers 4 512k; + proxy_busy_buffers_size 512k; + ''; + }; }; }; -- 2.47.0 
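Review bot: `show-debug-on-error = true;` in extraConfig makes oauth2_proxy show upstream error details on its error page to whoever triggered the error; the oauth2-proxy documentation flags this option as potentially exposing sensitive information and advises against it outside debugging. Since the commit message describes this as a fix for the keycloak-oidc migration, turn it off once the flow works, or at least mark it, `# TEMP: debugging the keycloak-oidc migration, remove before relying on this`. `whitelist-domain = [ ".rz.ens.wtf" ];` likewise allows the post-login redirect to land on any host under the zone, which is acceptable only if every such host is trusted and deserves a comment saying so. The commented-out `# insecure-oidc-allow-unverified-email = true;` is better deleted than left as a one-keystroke toggle.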
From 6b994c8591fd5a3298061899003226ff18c5b2e6 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Aug 2022 17:52:28 +0200 Subject: [PATCH 17/88] gitea: log only from WARN and up --- machines/core-services-01/gitea.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/machines/core-services-01/gitea.nix b/machines/core-services-01/gitea.nix index 9835ac1..ddfcbae 100644 --- a/machines/core-services-01/gitea.nix +++ b/machines/core-services-01/gitea.nix @@ -14,6 +14,9 @@ in httpPort = port; database.type = "postgres"; disableRegistration = false; + log = { + level = "Warn"; + }; settings = { openid = { ENABLE_OPENID_SIGNUP = true; -- 2.47.0 From 506e09994516c55a0910be5e994954f51187a1c9 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Aug 2022 18:52:06 +0200 Subject: [PATCH 18/88] monitoring: move to tiered dbengine with netdata nightly --- machines/core-services-01/monitoring.nix | 35 +++++++++++++++++++----- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 3aa17e9..2a8ac5f 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -34,7 +34,19 @@ let }; in { - services.netdata.enable = true; + services.netdata = { + enable = true; + package = pkgs.netdata.overrideAttrs (old: { + version = "1.35.0-nightly"; + src = pkgs.fetchFromGitHub { + owner = "netdata"; + repo = "netdata"; + rev = "955d1a7c61f4eab802648d563f84d978ebeb8fc4"; + sha256 = "sha256-gN44Df+k384NummsHls2JY1CinBaFK3cpdmmdZMbA44="; + fetchSubmodules = true; + }; + }); + }; # Allow WireGuard VPN networking.firewall.allowedUDPPorts = [ 51820 ]; 
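Review bot: `package = pkgs.netdata.overrideAttrs (old: { version = "1.35.0-nightly"; src = ...; })` pins a nightly by commit and hash, which is sound, but `old` is unused (`_:` is the idiom) and nothing records why a nightly is needed; the `version` string also cannot be checked against the pinned rev from here. A one-line comment tying the pin to the `[db]` storage-tier settings introduced in the next hunk of this patch would tell the next reader when it can be dropped, e.g. `# nightly: the storage-tier options in netdata.conf need a release newer than the one in nixpkgs`. Any version-specific patches the nixpkgs netdata derivation carries are still applied to this source tree, so a failing build after the pin is the first place to look.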
@@ -70,9 +82,18 @@ in group = "netdata"; mode = "0600"; text = '' - [global] - page cache size = 32 - dbengine multihost disk space = 23058 + [db] + mode = dbengine + storage tiers = 3 + update every = 1 + dbengine multihost disk space MB = 23000 + dbengine page cache size MB = 384 + dbengine tier 1 update every iterations = 60 + dbengine tier 1 multihost disk space MB = 10000 + dbengine tier 1 page cache size MB = 384 + dbengine tier 2 update every iterations = 3600 + dbengine tier 2 multihost disk space MB = 5000 + dbengine tier 2 page cache size MB = 384 ''; }; @@ -150,9 +171,9 @@ in proxyPass = "http://localhost:19999"; extraConfig = '' # For large authentication-authorization headers - proxy_buffer_size 256k; - proxy_buffers 4 512k; - proxy_busy_buffers_size 512k; + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; ''; }; }; -- 2.47.0 From ac0b6ef15b5ac440fdc10af9694869e8e77ed944 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sun, 14 Aug 2022 22:25:34 +0200 Subject: [PATCH 19/88] Update networking interface --- machines/remote-builder-01/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 1c6245b..6f4803c 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -26,7 +26,7 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.ens18.useDHCP = true; + networking.interfaces.ens19.useDHCP = true; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; -- 2.47.0 From 5170bdff650e329d808cd4012f241f2bb292b9f7 Mon Sep 17 00:00:00 2001 
From: gabriel-doriath-dohler Date: Sun, 14 Aug 2022 22:27:15 +0200 Subject: [PATCH 20/88] Cleanups --- machines/remote-builder-01/configuration.nix | 14 ++++----- machines/remote-builder-01/programs.nix | 24 --------------- machines/remote-builder-01/system.nix | 13 +------- machines/remote-builder-01/vim.nix | 31 -------------------- 4 files changed, 8 insertions(+), 74 deletions(-) delete mode 100644 machines/remote-builder-01/programs.nix delete mode 100644 machines/remote-builder-01/vim.nix diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 6f4803c..63a078d 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -1,13 +1,11 @@ { config, pkgs, ... }: { - imports = - [ - ./hardware-configuration.nix - ./programs.nix - ./system.nix - # TODO monitoring - ]; + imports = [ + ./hardware-configuration.nix + ./system.nix + # TODO monitoring + ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; @@ -54,6 +52,8 @@ enableSSHSupport = true; }; + programs.mosh.enable = true; + # List services that you want to enable: services.zfs.autoScrub.enable = true; diff --git a/machines/remote-builder-01/programs.nix b/machines/remote-builder-01/programs.nix deleted file mode 100644 index e7e4afc..0000000 --- a/machines/remote-builder-01/programs.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ pkgs, ... }: -let pkgsList = with pkgs; [ - nix-prefetch-git - dnsutils - - unzip - zip - ripgrep - - niv - nixfmt - ]; -in -{ - imports = [ - ./vim.nix - ]; - programs = { - tmux.enable = true; - mosh.enable = true; - }; - - environment.systemPackages = pkgsList; -} diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix index f2c68d1..dc2362e 100644 --- a/machines/remote-builder-01/system.nix +++ b/machines/remote-builder-01/system.nix 
@@ -1,14 +1,8 @@ { pkgs, ... }: { - # # Auto upgrades - # system.autoUpgrade = { - # enable = false; # TODO(Ryan): do not enable, it will break deployments. - # allowReboot = false; - # }; - # Auto GC and store optimizations nix = { - trustedUsers = [ "root" "gab" ]; + trustedUsers = [ "root" ]; gc = { automatic = true; dates = "weekly"; @@ -20,9 +14,4 @@ max-free = ${toString (1024 * 1024 * 1024)} ''; }; - - services.locate = { - enable = true; - interval = "04:05"; - }; } diff --git a/machines/remote-builder-01/vim.nix b/machines/remote-builder-01/vim.nix deleted file mode 100644 index bed8752..0000000 --- a/machines/remote-builder-01/vim.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ pkgs, ... }: -{ - environment.variables = { EDITOR = "vim"; }; - - environment.systemPackages = with pkgs; [ - nixfmt - git - (neovim.override { - vimAlias = true; - configure = { - packages.myPlugins = with pkgs.vimPlugins; { - start = [ vim-lastplace vim-nix ]; - opt = []; - }; - customRC = '' - set encoding=utf-8 - set wildmenu - - set nocompatible - set backspace=indent,eol,start - set cursorline - hi CursorLine term=bold cterm=bold ctermbg=darkgrey - set number - set relativenumber - set tabstop=4 - set expandtab - ''; - }; - } - )]; -} -- 2.47.0 From a5f3e0588944554ba71904bd905351e399379c4a Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sun, 14 Aug 2022 22:27:28 +0200 Subject: [PATCH 21/88] Formatting --- machines/remote-builder-01/configuration.nix | 12 +++--------- machines/remote-builder-01/system.nix | 3 +-- 2 files changed, 4 insertions(+), 11 deletions(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 63a078d..c346646 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix 
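Review bot: `trustedUsers = [ "root" ];` keeps the `nix.trustedUsers` spelling, which on NixOS 22.05 is a renamed alias for `nix.settings.trusted-users` and produces an evaluation warning; if this machine is on the same 22.05 nixpkgs pin as the rest of the repo, `nix.settings.trusted-users = [ "root" ];` is the form to use. Dropping `gab` from the list is the right direction: a trusted user can push arbitrary store paths and override substituters on the builder, which is root-equivalent. If any deploy path relied on that entry to push closures as a non-root user, confirm it authenticates as root before this lands. The enclosing `nix = { ... }` attrset continues past the hunk.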
@@ -39,10 +39,7 @@ # List packages installed in system profile. To search, run: # $ nix search wget - environment.systemPackages = with pkgs; [ - vim - wget - ]; + environment.systemPackages = with pkgs; [ vim wget ]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. @@ -60,11 +57,8 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ./pubkeys/gdd.keys - ./pubkeys/raito.keys - ./pubkeys/remote-builders.keys - ]; + users.users.root.openssh.authorizedKeys.keyFiles = + [ ./pubkeys/gdd.keys ./pubkeys/raito.keys ./pubkeys/remote-builders.keys ]; # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix index dc2362e..9bb13cf 100644 --- a/machines/remote-builder-01/system.nix +++ b/machines/remote-builder-01/system.nix @@ -1,5 +1,4 @@ -{ pkgs, ... }: -{ +{ pkgs, ... }: { # Auto GC and store optimizations nix = { trustedUsers = [ "root" ]; -- 2.47.0 From f7b6fdf07a030563b9150df65ea5bc0431df0e96 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 00:00:55 +0200 Subject: [PATCH 22/88] Fix remote builder ip address --- machines/core-services-01/subZone.nix | 2 +- machines/remote-builder-01/configuration.nix | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 2738afe..4495c29 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -10,7 +10,7 @@ let delegateACMEDNSChallenge = acme: { _acme-challenge.CNAME = [ acme ]; }; remoteBuilders = { - nix01 = [ "2001:470:1f13:187:1e07:c670:3958:f8f1" ]; + nix01 = [ "2001:470:1f13:187:611:4514:d93a:f80a" ]; }; dualstack = { A = my.ipv4; 
diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index c346646..d624f04 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -24,7 +24,13 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.ens19.useDHCP = true; + networking.interfaces.ens19 = { + useDHCP = true; + ipv6.addresses = [{ + address = "2001:470:1f13:187:611:4514:d93a:f80a"; + prefixLength = 64; + }]; + }; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; -- 2.47.0 From 3f10516b6f4b5e2653f5a0ec386dd35f296cc698 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 00:20:07 +0200 Subject: [PATCH 23/88] Add kitty terminfo --- machines/remote-builder-01/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index d624f04..5c11e95 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -45,7 +45,7 @@ # List packages installed in system profile. To search, run: # $ nix search wget - environment.systemPackages = with pkgs; [ vim wget ]; + environment.systemPackages = with pkgs; [ vim wget kitty.terminfo ]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. -- 2.47.0 From 816e084deb6b197e5e5aa3d0a3e0c5cba6e75e7b Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 01:20:35 +0200 Subject: [PATCH 24/88] Change rpool layout and disk id --- .../hardware-configuration.nix | 32 +++++++------------ 1 file changed, 12 insertions(+), 20 deletions(-) 
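Review bot: the literal `"2001:470:1f13:187:611:4514:d93a:f80a"` now lives in two files, this `ipv6.addresses` entry and the `nix01` record in subZone.nix from the previous hunk of the same patch, with nothing tying them together; subZone.nix already held a different value for it, so when the address changes again one copy will be missed and the AAAA record will point at the wrong host, which for a remote builder means SSH host-key mismatches at best. A comment on each side naming the other, `# keep in sync with machines/core-services-01/subZone.nix (remoteBuilders.nix01)`, is the minimum; a shared constant would be better. With `useDHCP = true` on the same interface, confirm the IPv6 default route still arrives via router advertisements, since nothing here configures one.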
diff --git a/machines/remote-builder-01/hardware-configuration.nix b/machines/remote-builder-01/hardware-configuration.nix index f80b2c7..b68c73b 100644 --- a/machines/remote-builder-01/hardware-configuration.nix +++ b/machines/remote-builder-01/hardware-configuration.nix @@ -4,32 +4,24 @@ { config, lib, pkgs, modulesPath, ... }: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = + [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "rpool/root/nixos"; - fsType = "zfs"; - }; + fileSystems."/" = { + device = "rpool/root/nixos"; + fsType = "zfs"; + }; - fileSystems."/home" = - { device = "rpool/home"; - fsType = "zfs"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/4BC6-A750"; + fsType = "vfat"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/3341-A3B9"; - fsType = "vfat"; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/1f624fe3-1fc5-44f4-9529-812558ffba42"; } - ]; + swapDevices = [ ]; } -- 2.47.0 From 122c0deeac2cfec93c2fcb808b2b9cf7506e0c20 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 01:33:02 +0200 Subject: [PATCH 25/88] DHCP on ens19 and ens18 + set ip on ens18 --- machines/remote-builder-01/configuration.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 5c11e95..8917745 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix 
@@ -24,13 +24,14 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.ens19 = { + networking.interfaces.ens18 = { useDHCP = true; ipv6.addresses = [{ address = "2001:470:1f13:187:611:4514:d93a:f80a"; prefixLength = 64; }]; }; + networking.interfaces.ens19.useDHCP = true; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; -- 2.47.0 From bb668034b1b84e856e3d0ac17e28e9c03e7a57af Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 02:59:45 +0200 Subject: [PATCH 26/88] Cleanups --- machines/remote-builder-01/configuration.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 8917745..dc4d7bf 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -33,10 +33,6 @@ }; networking.interfaces.ens19.useDHCP = true; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; console = { @@ -45,7 +41,6 @@ }; # List packages installed in system profile. To search, run: - # $ nix search wget environment.systemPackages = with pkgs; [ vim wget kitty.terminfo ]; # Some programs need SUID wrappers, can be configured further or are -- 2.47.0 From 4375b29d50ae64d4afe7b6d64d8b2b27fda03444 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 03:00:30 +0200 Subject: [PATCH 27/88] Aarch64 emulation --- machines/remote-builder-01/configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index dc4d7bf..ebcd1a9 100644 
--- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -43,6 +43,8 @@ # List packages installed in system profile. To search, run: environment.systemPackages = with pkgs; [ vim wget kitty.terminfo ]; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + # Some programs need SUID wrappers, can be configured further or are # started in user sessions. programs.mtr.enable = true; -- 2.47.0 From 85ab8d8071a2dd78c933fdc10ee3392af3e1e1c9 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 23:59:59 +0000 Subject: [PATCH 28/88] Install git Needed for deployments with krops. --- machines/remote-builder-01/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index ebcd1a9..a28068c 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -41,7 +41,7 @@ }; # List packages installed in system profile. To search, run: - environment.systemPackages = with pkgs; [ vim wget kitty.terminfo ]; + environment.systemPackages = with pkgs; [ vim wget kitty.terminfo git ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; -- 2.47.0 From 16f4ad94b17bc520b5e1f55f1ca316951068fcdf Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 03:19:33 +0200 Subject: [PATCH 29/88] Add public-cof to README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 0a227f8..9baf068 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ Refer to wiki for details. - `core-services-01` +- `public-cof` - `remote-builder-01` ## How to deploy a machine? -- 2.47.0 From ba5086a2375d5ca9b510063f996163beb523d6dc Mon Sep 17 00:00:00 2001 
From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 03:28:40 +0200 Subject: [PATCH 30/88] Centralize pubkeys --- machines/core-services-01/configuration.nix | 6 +++--- machines/core-services-01/netboot-server.nix | 4 ++-- machines/core-services-01/secrets/secrets.nix | 2 +- machines/public-cof/configuration.nix | 6 +++--- machines/public-cof/pubkeys/gdd.keys | 2 -- machines/public-cof/pubkeys/mrf.keys | 1 - machines/public-cof/pubkeys/raito.keys | 4 ---- machines/public-cof/secrets/secrets.nix | 2 +- machines/remote-builder-01/configuration.nix | 7 +++++-- machines/remote-builder-01/pubkeys/gdd.keys | 2 -- machines/remote-builder-01/pubkeys/hackens-milieu.keys | 1 - machines/remote-builder-01/pubkeys/raito.keys | 4 ---- {machines/core-services-01/pubkeys => pubkeys}/gdd.keys | 0 .../pubkeys => pubkeys}/hackens-milieu.keys | 0 {machines/core-services-01/pubkeys => pubkeys}/mrf.keys | 0 {machines/core-services-01/pubkeys => pubkeys}/raito.keys | 0 .../pubkeys => pubkeys}/remote-builders.keys | 0 17 files changed, 15 insertions(+), 26 deletions(-) delete mode 100644 machines/public-cof/pubkeys/gdd.keys delete mode 100644 machines/public-cof/pubkeys/mrf.keys delete mode 100644 machines/public-cof/pubkeys/raito.keys delete mode 100644 machines/remote-builder-01/pubkeys/gdd.keys delete mode 100644 machines/remote-builder-01/pubkeys/hackens-milieu.keys delete mode 100644 machines/remote-builder-01/pubkeys/raito.keys rename {machines/core-services-01/pubkeys => pubkeys}/gdd.keys (100%) rename {machines/core-services-01/pubkeys => pubkeys}/hackens-milieu.keys (100%) rename {machines/core-services-01/pubkeys => pubkeys}/mrf.keys (100%) rename {machines/core-services-01/pubkeys => pubkeys}/raito.keys (100%) rename {machines/remote-builder-01/pubkeys => pubkeys}/remote-builders.keys (100%) diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 8af8554..d3f334a 100644 --- a/machines/core-services-01/configuration.nix 
+++ b/machines/core-services-01/configuration.nix @@ -76,9 +76,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ./pubkeys/gdd.keys - ./pubkeys/raito.keys - ./pubkeys/mrf.keys + ../../pubkeys/gdd.keys + ../../pubkeys/raito.keys + ../../pubkeys/mrf.keys ]; # Open ports in the firewall. diff --git a/machines/core-services-01/netboot-server.nix b/machines/core-services-01/netboot-server.nix index 5b291bf..14f4d40 100644 --- a/machines/core-services-01/netboot-server.nix +++ b/machines/core-services-01/netboot-server.nix @@ -13,8 +13,8 @@ let # Enable sshd wich gets disabled by netboot-minimal.nix systemd.services.sshd.wantedBy = mkOverride 0 [ "multi-user.target" ]; users.users.root.openssh.authorizedKeys.keyFiles = [ - ./pubkeys/gdd.keys - ./pubkeys/raito.keys + ../../pubkeys/gdd.keys + ../../pubkeys/raito.keys ]; programs.mosh.enable = true; diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index 4d09d1e..a581591 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -1,7 +1,7 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf"); core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU"; systems = [ core-services-01 ]; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index b47cf2c..46afed6 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix 
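Review bot: `readPubkeys` with its `../../../pubkeys` path is copy-pasted into each machine's secrets.nix (the public-cof copy is edited identically further down, and patch 31 below moves the directory yet again), so every relocation has to be repeated per file and a miscounted `../` only surfaces when the secrets are next re-keyed. A single helper next to the keys directory exporting `readPubkeys` keeps the path arithmetic in one place; this list decides who can decrypt every secret in the repo, so it deserves one definition. Separately, `superadmins` differs per machine (mrf is included for core-services-01 but not for public-cof) while mrf's key goes into root's authorized_keys on both — worth a comment if that asymmetry is intended.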
@@ -45,9 +45,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ./pubkeys/gdd.keys - ./pubkeys/raito.keys - ./pubkeys/mrf.keys + ../../pubkeys/gdd.keys + ../../pubkeys/raito.keys + ../../pubkeys/mrf.keys ]; system.stateVersion = "21.05"; diff --git a/machines/public-cof/pubkeys/gdd.keys b/machines/public-cof/pubkeys/gdd.keys deleted file mode 100644 index b5d4e40..0000000 --- a/machines/public-cof/pubkeys/gdd.keys +++ /dev/null @@ -1,2 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ diff --git a/machines/public-cof/pubkeys/mrf.keys b/machines/public-cof/pubkeys/mrf.keys deleted file mode 100644 index ebbfa68..0000000 --- a/machines/public-cof/pubkeys/mrf.keys +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe4tx0+lNX2w7kG94c9u7U0wHuOc2A6zpHcbyAs+w/d diff --git a/machines/public-cof/pubkeys/raito.keys b/machines/public-cof/pubkeys/raito.keys deleted file mode 100644 index 0f48a59..0000000 --- a/machines/public-cof/pubkeys/raito.keys +++ /dev/null @@ -1,4 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index 4fe0e66..798cb84 100644 --- a/machines/public-cof/secrets/secrets.nix 
+++ b/machines/public-cof/secrets/secrets.nix @@ -1,7 +1,7 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; systems = [ public-cof ]; diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index a28068c..41936bd 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -61,8 +61,11 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = - [ ./pubkeys/gdd.keys ./pubkeys/raito.keys ./pubkeys/remote-builders.keys ]; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../../pubkeys/gdd.keys + ../../pubkeys/raito.keys + ../../pubkeys/remote-builders.keys + ]; # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; diff --git a/machines/remote-builder-01/pubkeys/gdd.keys b/machines/remote-builder-01/pubkeys/gdd.keys deleted file mode 100644 index b5d4e40..0000000 --- a/machines/remote-builder-01/pubkeys/gdd.keys +++ /dev/null @@ -1,2 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ diff --git a/machines/remote-builder-01/pubkeys/hackens-milieu.keys b/machines/remote-builder-01/pubkeys/hackens-milieu.keys deleted file mode 100644 index c79c039..0000000 --- a/machines/remote-builder-01/pubkeys/hackens-milieu.keys +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3+w4+nyJG8lr2mh0S9Zf8j2/6H5smlO87s6KNLlhkF hackens@hackens-milieu 
diff --git a/machines/remote-builder-01/pubkeys/raito.keys b/machines/remote-builder-01/pubkeys/raito.keys deleted file mode 100644 index 0f48a59..0000000 --- a/machines/remote-builder-01/pubkeys/raito.keys +++ /dev/null @@ -1,4 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr diff --git a/machines/core-services-01/pubkeys/gdd.keys b/pubkeys/gdd.keys similarity index 100% rename from machines/core-services-01/pubkeys/gdd.keys rename to pubkeys/gdd.keys diff --git a/machines/core-services-01/pubkeys/hackens-milieu.keys b/pubkeys/hackens-milieu.keys similarity index 100% rename from machines/core-services-01/pubkeys/hackens-milieu.keys rename to pubkeys/hackens-milieu.keys diff --git a/machines/core-services-01/pubkeys/mrf.keys b/pubkeys/mrf.keys similarity index 100% rename from machines/core-services-01/pubkeys/mrf.keys rename to pubkeys/mrf.keys diff --git a/machines/core-services-01/pubkeys/raito.keys b/pubkeys/raito.keys similarity index 100% rename from machines/core-services-01/pubkeys/raito.keys rename to pubkeys/raito.keys diff --git a/machines/remote-builder-01/pubkeys/remote-builders.keys b/pubkeys/remote-builders.keys similarity index 100% rename from machines/remote-builder-01/pubkeys/remote-builders.keys rename to pubkeys/remote-builders.keys -- 2.47.0 From c5aa20dffabdfa1377b94cecb9842cbf1da66138 Mon Sep 17 00:00:00 2001 
From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 23:59:59 +0000 Subject: [PATCH 31/88] Move pubkeys in ./machines This is required by the current krops setup. --- machines/core-services-01/configuration.nix | 6 +++--- machines/core-services-01/netboot-server.nix | 4 ++-- machines/core-services-01/secrets/secrets.nix | 2 +- {pubkeys => machines/pubkeys}/gdd.keys | 0 {pubkeys => machines/pubkeys}/hackens-milieu.keys | 0 {pubkeys => machines/pubkeys}/mrf.keys | 0 {pubkeys => machines/pubkeys}/raito.keys | 0 {pubkeys => machines/pubkeys}/remote-builders.keys | 0 machines/public-cof/configuration.nix | 6 +++--- machines/public-cof/secrets/secrets.nix | 2 +- machines/remote-builder-01/configuration.nix | 6 +++--- 11 files changed, 13 insertions(+), 13 deletions(-) rename {pubkeys => machines/pubkeys}/gdd.keys (100%) rename {pubkeys => machines/pubkeys}/hackens-milieu.keys (100%) rename {pubkeys => machines/pubkeys}/mrf.keys (100%) rename {pubkeys => machines/pubkeys}/raito.keys (100%) rename {pubkeys => machines/pubkeys}/remote-builders.keys (100%) diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index d3f334a..5f0e145 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -76,9 +76,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/gdd.keys - ../../pubkeys/raito.keys - ../../pubkeys/mrf.keys + ../pubkeys/gdd.keys + ../pubkeys/raito.keys + ../pubkeys/mrf.keys ]; # Open ports in the firewall. diff --git a/machines/core-services-01/netboot-server.nix b/machines/core-services-01/netboot-server.nix index 14f4d40..1c28cd8 100644 --- a/machines/core-services-01/netboot-server.nix +++ b/machines/core-services-01/netboot-server.nix 
@@ -13,8 +13,8 @@ let # Enable sshd wich gets disabled by netboot-minimal.nix systemd.services.sshd.wantedBy = mkOverride 0 [ "multi-user.target" ]; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/gdd.keys - ../../pubkeys/raito.keys + ../pubkeys/gdd.keys + ../pubkeys/raito.keys ]; programs.mosh.enable = true; diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index a581591..0455e41 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -1,7 +1,7 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf"); core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU"; systems = [ core-services-01 ]; diff --git a/pubkeys/gdd.keys b/machines/pubkeys/gdd.keys similarity index 100% rename from pubkeys/gdd.keys rename to machines/pubkeys/gdd.keys diff --git a/pubkeys/hackens-milieu.keys b/machines/pubkeys/hackens-milieu.keys similarity index 100% rename from pubkeys/hackens-milieu.keys rename to machines/pubkeys/hackens-milieu.keys diff --git a/pubkeys/mrf.keys b/machines/pubkeys/mrf.keys similarity index 100% rename from pubkeys/mrf.keys rename to machines/pubkeys/mrf.keys diff --git a/pubkeys/raito.keys b/machines/pubkeys/raito.keys similarity index 100% rename from pubkeys/raito.keys rename to machines/pubkeys/raito.keys diff --git a/pubkeys/remote-builders.keys b/machines/pubkeys/remote-builders.keys similarity index 100% rename from pubkeys/remote-builders.keys rename to machines/pubkeys/remote-builders.keys 
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 46afed6..a99f713 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -45,9 +45,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/gdd.keys - ../../pubkeys/raito.keys - ../../pubkeys/mrf.keys + ../pubkeys/gdd.keys + ../pubkeys/raito.keys + ../pubkeys/mrf.keys ]; system.stateVersion = "21.05"; diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index 798cb84..3f8a62a 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -1,7 +1,7 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; systems = [ public-cof ]; diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 41936bd..ad971fb 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -62,9 +62,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/gdd.keys - ../../pubkeys/raito.keys - ../../pubkeys/remote-builders.keys + ../pubkeys/gdd.keys + ../pubkeys/raito.keys + ../pubkeys/remote-builders.keys ]; # Open ports in the firewall. -- 2.47.0 From 7f5f3213acb9ce03638aefdb8c0389ad2f9cee9b Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Mon, 15 Aug 2022 13:31:27 +0200 Subject: [PATCH 32/88] hotfix: disable student calendar --- machines/public-cof/nginx.nix | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/machines/public-cof/nginx.nix b/machines/public-cof/nginx.nix index 9f62800..2d5cf61 100644 --- a/machines/public-cof/nginx.nix +++ b/machines/public-cof/nginx.nix @@ -29,14 +29,15 @@ in recommendedTlsSettings = true; virtualHosts = { - "home.beta.rz.ens.wtf" = { - serverAliases = [ "beta.rz.ens.wtf" ]; - default = true; - forceSSL = true; - enableACME = true; - root = "/var/public-cof/home"; - locations = builtins.listToAttrs (map mkCloudLocation clouds); - }; +# FIXME: factorize and remove it, it has been superseded by eleves.ens.fr/calendrier +# "home.beta.rz.ens.wtf" = { +# serverAliases = [ "beta.rz.ens.wtf" ]; +# default = true; +# forceSSL = true; +# enableACME = true; +# root = "/var/public-cof/home"; +# locations = builtins.listToAttrs (map mkCloudLocation clouds); +# }; }; }; -- 2.47.0 From 86de42442d2206435a849e8d7fe5a2d9bb878dec Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 17 Aug 2022 18:06:26 +0200 Subject: [PATCH 33/88] feat: add rstudio.beta.rz.ens.wtf basic features --- machines/core-services-01/subZone.nix | 1 + machines/public-cof/configuration.nix | 1 + .../public-cof/rstudio-server/default.nix | 34 +++++++++++++++++++ 3 files changed, 36 insertions(+) create mode 100644 machines/public-cof/rstudio-server/default.nix diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 4495c29..a0f9fc4 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -70,6 +70,7 @@ dualstack // { }; docs = public-cof-ips; jurisprudens = public-cof-ips; + rstudio = public-cof-ips; }; }; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index a99f713..18ae3d0 100644 --- a/machines/public-cof/configuration.nix 
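Review bot: Commenting out `home.beta.rz.ens.wtf` also removes the only vhost in this file carrying `default = true`, so `beta.rz.ens.wtf` (its former alias) and any unknown Host/SNI name will from now on be answered by whichever remaining vhost nginx treats as default, presumably the first one in the generated config, with that site's certificate and content. Keep an explicit catch-all, e.g. `virtualHosts."_" = { default = true; rejectSSL = true; locations."/".return = "444"; };`, so the retired name fails closed instead of leaking another service. The disabled block is also written with `#` at column 0 inside an indented attrset; given that the FIXME already says it is superseded, deleting it outright (git keeps the history) reads better than carrying dead config.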
+++ b/machines/public-cof/configuration.nix
@@ -11,6 +11,7 @@
 ./monitoring.nix
 ./nextcloud.nix
 ./minecraft.nix
+ ./rstudio-server
 ./nur.nix
 # ./factorio.nix # TODO
 ./nginx.nix
diff --git a/machines/public-cof/rstudio-server/default.nix b/machines/public-cof/rstudio-server/default.nix
new file mode 100644
index 0000000..3a73a6a
--- /dev/null
+++ b/machines/public-cof/rstudio-server/default.nix
@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+let
+ port = 19000;
+in
+{
+ services.rstudio-server = {
+ enable = true;
+ rserverExtraConfig = ''
+ www-port = ${toString port}
+ '';
+
+ package = pkgs.rstudioServerWrapper.override {
+ packages = with pkgs.rPackages; [
+ ggplot2
+ rmarkdown
+ dplyr
+ ];
+ };
+ };
+
+ users.users.ruser = {
+ isNormalUser = true;
+ hashedPassword = "$6$pTXXVh8NfE.M8VPc$q0fFh3Y7Y0DauLCcZLgJzFciq1wkjoHmO61XpOrZLH3a1M32ZzOMbjx2XMm2QxrUncbx6hGerY/lD8rQ8InS4.";
+ };
+
+ services.nginx.virtualHosts."rstudio.beta.rz.ens.wtf" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString port}";
+ proxyWebsockets = true;
+ };
+ };
+}
-- 2.47.0 From dc971eff71754648527ab7a06bd40ba6a89c2c0c Mon Sep 17 00:00:00 2001 
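Review bot: `hashedPassword` in `users.users.ruser` commits a sha512-crypt hash to a repository that every deploy machine clones, so anyone with read access to the history can run an offline guessing attack against it, and it remains in the history after the account is gone. This series already manages secrets with agenix (`age.secrets.*`), so the hash belongs in an age file referenced as `passwordFile = config.age.secrets.<rstudio-secret>.path;` (adding `config` to the module arguments), and because the hash has already been committed the password should be rotated, not just moved. Separately, `rserverExtraConfig` sets only `www-port`; adding `www-address = 127.0.0.1` keeps the :19000 listener off the public addresses so that nginx with `forceSSL` stays the only entry point even if the firewall rules change later.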
From: Raito Bezarius Date: Tue, 6 Sep 2022 01:06:39 +0200 Subject: [PATCH 34/88] =?UTF-8?q?feat(core01):=20add=20inventory.rz.ens.wt?= =?UTF-8?q?f=20=E2=86=92=20snipe-it=20instance?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/core-services-01/configuration.nix | 1 + machines/core-services-01/secrets/default.nix | 2 ++ machines/core-services-01/secrets/secrets.nix | 2 ++ .../secrets/snipeItAppKey.age | 27 +++++++++++++++++++ .../secrets/snipeItOidcClientSecret.age | 26 ++++++++++++++++++ machines/core-services-01/snipe-it.nix | 19 +++++++++++++ machines/core-services-01/subZone.nix | 1 + 7 files changed, 78 insertions(+) create mode 100644 machines/core-services-01/secrets/snipeItAppKey.age create mode 100644 machines/core-services-01/secrets/snipeItOidcClientSecret.age create mode 100644 machines/core-services-01/snipe-it.nix diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 5f0e145..dcf85af 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -20,6 +20,7 @@ ./acme-dns.nix ./backups.nix ./headscale.nix + ./snipe-it.nix # ./dex.nix ./oauth2_proxy.nix ./secrets diff --git a/machines/core-services-01/secrets/default.nix b/machines/core-services-01/secrets/default.nix index 452d42e..a02981b 100644 --- a/machines/core-services-01/secrets/default.nix +++ b/machines/core-services-01/secrets/default.nix @@ -5,4 +5,6 @@ age.secrets.droneKeyFile.file = ./droneKeyFile.age; age.secrets.dexGiteaClientSecret.file = ./dexGiteaClientSecret.age; age.secrets.matterbridge.file = ./matterbridge.age; + age.secrets.snipeItAppKey.file = ./snipeItAppKey.age; + age.secrets.snipeItOidcClientSecret.file = ./snipeItOidcClientSecret.age; } diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index 0455e41..9925641 100644 
--- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -12,5 +12,7 @@ in "droneKeyFile.age".publicKeys = superadmins ++ systems; "dexGiteaClientSecret.age".publicKeys = superadmins ++ systems; "matterbridge.age".publicKeys = superadmins ++ systems; + "snipeItAppKey.age".publicKeys = superadmins ++ systems; + "snipeItOidcClientSecret.age".publicKeys = superadmins ++ systems; } diff --git a/machines/core-services-01/secrets/snipeItAppKey.age b/machines/core-services-01/secrets/snipeItAppKey.age new file mode 100644 index 0000000..3a393c2 --- /dev/null +++ b/machines/core-services-01/secrets/snipeItAppKey.age 
@@ -0,0 +1,27 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +i/TW/dUpeS8QL9ZJg7xKdGW65D1SWFjMpolf1BgEs3hm6uI2W3RWUb5S1PEs6HdF +l/yiJtZeBC0e0QbaQ776fiy0MSmuMgcRbJJ1rjloGwFzwwvtqhQMG8rLp70IPZoV +F6sUz4jKHaEjIVVbRokdfIKMSnhRXnbW5domOxPmZjXck7YxaR1zqD4S9PtH12Q/ +P+l/IVS6+tuWlaTs+1FY2pQ0ppPkwxBirm+4/dxD7E5MkOT0OFcpopI225u2vJAz +Hfk6SBhWuOu2GFfLDS3sS+50kvx1MNvMeb9qVYHkxE8tXhJxOpykkzwYktYp17jY +m+rh1gMPt+mZV2ELaZkGjQ +-> ssh-ed25519 85WiGg TSVInZQdH1ZbhSG+FptwCu96UX1SHAhQNculIk8nVF4 +L1ptiGhMZN78uu1TQ2qVV73+lhlgD34g7xt/AL268Dk +-> ssh-ed25519 reTIKw vrZd8hFFywOmDJxAq58Tt4Wdq2ovft1IDJqCvkpRU1o +9TmODia85CwXZmzdxk6W4LCflCybq7O1WWoqG5vxENk +-> ssh-ed25519 /vwQcQ NSJNN/lRO6TbOQTlY9bT4kdEuP2hElmNIcKRI4ilrQY +eGIr9VQSrbG4hB2XQGYXquQVZIkLRq9g9+Ap25YSWSQ +-> ssh-ed25519 cvTB5g 24UlsKN0XaA6wW87zj5PkPy90LUmdJe80FV2LVLiwzk +57VJ2pf45+r7CgMdr/78ngWll12Se7dS993i+YKp3Vg +-> ssh-ed25519 Wu8JLQ wgWSOp5VQzF+pvL338wOwaJ3RIIi1I4SNqW+vT6NQF8 +HVTfWqmf9CnEkHFpu9NWYagwwBdW8NumwFcUvSlb9i8 +-> ssh-ed25519 h6AgbA ZRjMQkjz+sw2BZh/myaSnMgz8cngGM9wxQf6L6uPxE8 +OgYfhTQe4iB9SyL8iReQByA9N5VcUC/YvpvbPIgp/3U +-> ssh-ed25519 lHr4YQ JAnhqkgzuCDsmDYnRG/DL/MDrfA/0uCZ1kpZSWiuPw4 +uMPzV/uWAozlffoqIDtTcI5CI3FAzM5fzDuupAzgE4w +-> 3[k-grease l5" cr(}p5 s{\538Js +uR+N+zPd323E/1K5MdNaPzAeNYBYfbmmsxtQRufVjMj8jobBLhHq4RVJ/E57t8yv +4Cxp +--- 1iiPH5I9CDFZwZQwRbhKnqpZ08vTMP1u4pU3+hNpubk +ےf(Tח,4\hKT džq)e+}u 'hN/䶢6B4Kң \ No newline at end of file diff --git a/machines/core-services-01/secrets/snipeItOidcClientSecret.age b/machines/core-services-01/secrets/snipeItOidcClientSecret.age new file mode 100644 index 0000000..80300cc --- /dev/null +++ b/machines/core-services-01/secrets/snipeItOidcClientSecret.age 
@@ -0,0 +1,26 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +gPydOcolFG+axyXPVVYYjjr0hypl/xczmMM+W+BbfZFaAL0TqXpqRgjtZSNvA+oh ++JHdr+/8IHh2qCS2vtzuH5lAsjM4h4FPPnGixX1SI9eNH14b/Otmoa/OtQD4pHcB +PYbh1yh4AILggg1ZMdttS+FUuMtu2A6y2NZYSkbBLy9dwEdZNBs0/cX/xNEqK72V +JF0BuGYvchyJ4ec4/m1od94dVva5qKUvK6mr0u5XPXObEOdZ8jJwZodJjrpDaEHJ +/yt8svY6upoXIdM4dVbY0Ab1VCwXf+tbGuwypVJF2TkeVW5tbImxuoTPE5XNdKLF +XU6RfHzLjUnG1T+dObb9gQ +-> ssh-ed25519 85WiGg lVvfjaLUhjdWgRnz0supjMNc6pDpbeEy2Z0fFOc7dkQ +srngyi1Wdi1lcXFK7MJtqt2koZkopcXX+hOFENHXJgY +-> ssh-ed25519 reTIKw ubW5n+mkAgxwHT9okMRWoE9k5ZpWN7UQDrvRwgS3Xio +O7GRq35wulhSadIAJ7C0ekLQQVk209yGiSaWg/VNgYU +-> ssh-ed25519 /vwQcQ 0FZbpEDS3xuKyPOSExt4wb/Oi0xlTivdLlpKuXicqx8 +3ZMA31MUD76KNK1+yX2473wDSv0oyheT7jAmvnbPJNg +-> ssh-ed25519 cvTB5g 04++RfeztjNzyHMW7WhxdAWoWT5NyatCN8zf7xFYiCw +OWYQ3oFR+/NjY8skMpzd0eS9fsAeugO+loiq4ZqEVWo +-> ssh-ed25519 Wu8JLQ b5BEsw8GS+LUcLZ7h36WDHp1uunlVymEcCmAcs5xaHQ +4xs/EAPRD4Z/rL3zisjGmslVt7OHx+Kh1kJmdBAxED4 +-> ssh-ed25519 h6AgbA wNeprhlhTORbN4WFxWPJO0DV5vBVteE297O73EfngD4 +sceiHAg3S0aZ9xGIsw5VaPJkAWCci03SrHM520pb+Gw +-> ssh-ed25519 lHr4YQ v6dG659zPeUqbyT8To8oGf6Kp3y15Z2YjlzdLVK3FCI +wB7EFm4tsgkaYexLfQM+lkNtUr09GWlLnh7CbgX3Ifc +-> =-grease zZ5 e./C_ +z1vYPnfdTh+G0bc+UvV1EZMSfaNDsWiDHJ+W+1CB2+Z4pOnQt2jBFPYv7rE +--- LbcSlaucZaWsTqBR9PIA46r00cfJtG5ndinWSzsnl/0 +1h~sȰ#-FX/2.ZF?wE]ic.%b-wt܌q_%} \ No newline at end of file diff --git a/machines/core-services-01/snipe-it.nix b/machines/core-services-01/snipe-it.nix new file mode 100644 index 0000000..c1f3658 --- /dev/null +++ b/machines/core-services-01/snipe-it.nix 
@@ -0,0 +1,19 @@
+{ pkgs, config, ... }:
+{
+ services.snipe-it = {
+ enable = true;
+ hostName = "inventory.rz.ens.wtf";
+ database.createLocally = true;
+ appKeyFile = config.age.secrets.snipeItAppKey.path;
+
+ config = {
+ AUTH_METHOD = "oidc";
+ OIDC_NAME = "Keycloak";
+ OIDC_DISPLAY_NAME_CLAIMS = "name";
+ OIDC_CLIENT_ID = "snipe-it";
+ OIDC_CLIENT_SECRET = { _secret = config.age.secrets.snipeItOidcClientSecret.path; };
+ OIDC_ISSUER = "https://auth.rz.ens.wtf/auth/realms/ClubReseau";
+ OIDC_ISSUER_DISCOVER = true;
+ };
+ };
+}
diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix
index a0f9fc4..a3a0573 100644
--- a/machines/core-services-01/subZone.nix
+++ b/machines/core-services-01/subZone.nix
@@ -38,6 +38,7 @@ dualstack // {
 auth = dualstack;
 push = dualstack;
 tailscale = dualstack;
+ inventory = dualstack;
 core01 = dualstack;
 ns1 = dualstack;
-- 2.47.0 From 726bc5af0e6b599c6118aa54d929df5e1ee52a30 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 6 Sep 2022 01:33:17 +0200 Subject: [PATCH 35/88] feat(core01): enable TLS on inventory.rz.ens.wtf and fix secrets perms --- machines/core-services-01/snipe-it.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/machines/core-services-01/snipe-it.nix b/machines/core-services-01/snipe-it.nix
index c1f3658..29f8530 100644
--- a/machines/core-services-01/snipe-it.nix
+++ b/machines/core-services-01/snipe-it.nix
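Review bot: `pkgs` in `{ pkgs, config, ... }:` is never referenced in this module; `{ config, ... }:` states what the file actually depends on. The two secrets are wired through different mechanisms (`appKeyFile` takes a path, `OIDC_CLIENT_SECRET` takes the `{ _secret = ...; }` form, which as I understand the snipe-it module substitutes the file's content at service start instead of inlining it into the store); a one-line comment above `OIDC_CLIENT_SECRET` saying `# _secret: read at runtime, keeps the value out of the Nix store` would spare the next reader from looking that up.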
@@ -1,11 +1,26 @@ { pkgs, config, ... }: { + age.secrets.snipeItAppKey = { + owner = config.services.snipe-it.user; + group = config.services.snipe-it.group; + }; + + age.secrets.snipeItOidcClientSecret = { + owner = config.services.snipe-it.user; + group = config.services.snipe-it.group; + }; + services.snipe-it = { enable = true; hostName = "inventory.rz.ens.wtf"; database.createLocally = true; appKeyFile = config.age.secrets.snipeItAppKey.path; + nginx = { + enableACME = true; + forceSSL = true; + }; + config = { AUTH_METHOD = "oidc"; OIDC_NAME = "Keycloak"; -- 2.47.0 From 7284a9a2d62d4432521d13f8fbae8b165504e997 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 6 Sep 2022 01:33:26 +0200 Subject: [PATCH 36/88] meta: use root@core01.rz.ens.wtf rather than internal IP --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 770fcff..1a3a034 100644 --- a/krops.nix +++ b/krops.nix @@ -29,7 +29,7 @@ let inherit target; }; }; in {} -// mkDeploy "core-services-01" "root@10.1.1.20" +// mkDeploy "core-services-01" "root@core01.rz.ens.wtf" // mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" // mkDeploy "public-cof" "root@beta.rz.ens.wtf" // mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] -- 2.47.0 From c90e89bc7ae0e4eae304f64184dcc05f3dfc3223 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 15:21:59 +0200 Subject: [PATCH 37/88] feat: add traque.beta.rz.ens.wtf --- machines/core-services-01/subZone.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index a3a0573..a56f019 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix 
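Review bot: The krops deploy target now goes through `core01.rz.ens.wtf`, and judging by the `ns1 = dualstack` record in subZone.nix that name is served by core01 itself, so a deploy that breaks DNS on the host also removes the path used to fix it, whereas the removed `root@10.1.1.20` target did not depend on the service being deployed. Keep the address as a documented fallback, e.g. `# if DNS on core01 is down, deploy via root@10.1.1.20 instead`, or pin the name in the deploying machine's hosts file. The new name will also produce a fresh `known_hosts` entry on the deploying machine; confirm it matches the host key already trusted for `10.1.1.20` rather than accepting it on first use.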
@@ -58,6 +58,10 @@ dualstack // { beta = public-cof-ips // { subdomains = { + traque = { + inherit (public-cof-ips) A; + AAAA = [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; + }; nuage = public-cof-ips; minecraft = public-cof-ips; factorio = public-cof-ips; -- 2.47.0 From 54163ed857b0101965df8f0a3ea25ad3332bad3e Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 15:29:51 +0200 Subject: [PATCH 38/88] =?UTF-8?q?feat(public-cof):=20add=20IPv4=20?= =?UTF-8?q?=E2=86=92=20IPv6=20proxy?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/core-services-01/subZone.nix | 6 ++--- machines/public-cof/configuration.nix | 1 + machines/public-cof/networking.nix | 4 +++- machines/public-cof/nix/sources.json | 12 ++++++++++ machines/public-cof/nix/sources.nix | 22 +++++++++++++++++- machines/public-cof/nur.nix | 3 +++ machines/public-cof/v6proxy/default.nix | 30 +++++++++++++++++++++++++ 7 files changed, 72 insertions(+), 6 deletions(-) create mode 100644 machines/public-cof/v6proxy/default.nix diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index a56f019..1655011 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -12,6 +12,7 @@ let remoteBuilders = { nix01 = [ "2001:470:1f13:187:611:4514:d93a:f80a" ]; }; + mkProxyRecord = AAAA: { inherit AAAA; A = [ "45.13.104.29" ]; }; dualstack = { A = my.ipv4; AAAA = my.ipv6.standard; @@ -58,10 +59,7 @@ dualstack // { beta = public-cof-ips // { subdomains = { - traque = { - inherit (public-cof-ips) A; - AAAA = [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; - }; + traque = mkProxyRecord [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; nuage = public-cof-ips; minecraft = public-cof-ips; factorio = public-cof-ips; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 18ae3d0..fd43e30 100644 --- a/machines/public-cof/configuration.nix 
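Review bot: In the `@@ -12,6 +12,7 @@` hunk, `mkProxyRecord` hard-codes `45.13.104.29`, the same address that public-cof's networking.nix adds to ens20 and that v6proxy/default.nix binds sniproxy to, so three files now have to change together whenever the proxy address moves. Lift it into a named binding next to `remoteBuilders`, e.g. `v6ProxyIPv4 = "45.13.104.29"; # public-cof IPv4 → IPv6 sniproxy, see machines/public-cof/v6proxy`, and write `A = [ v6ProxyIPv4 ];`, so the coupling is at least visible from this file.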
+++ b/machines/public-cof/configuration.nix @@ -18,6 +18,7 @@ # ./cryptpad.nix ./hedgedoc.nix ./secrets + ./v6proxy # TODO monitoring ]; diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index ff648e5..a902953 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -32,7 +32,9 @@ in { }; interfaces.ens20 = { - ipv4.addresses = map mkAddress [ "45.13.104.27/32" ]; + # 1st is for public-cof + # 2nd is for IPv4 → IPv6 proxy in v6proxy/ + ipv4.addresses = map mkAddress [ "45.13.104.27/32" "45.13.104.29/32" ]; }; firewall.allowedTCPPorts = [ 22 ]; diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json index a6531e2..77826c4 100644 --- a/machines/public-cof/nix/sources.json +++ b/machines/public-cof/nix/sources.json @@ -29,6 +29,18 @@ "url": "https://github.com/nmattia/niv/archive/e0ca65c81a2d7a4d82a189f1e23a48d59ad42070.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, + "nixexprs": { + "branch": "master", + "description": "All my Nix expressions", + "homepage": null, + "owner": "RaitoBezarius", + "repo": "nixexprs", + "rev": "5fd6966844be775a272e932375d7982275ba2300", + "sha256": "1l5zgdgqbn7apw2ngqzid0sqrklx0rnj8sjid4ykx9156kdqjan5", + "type": "tarball", + "url": "https://github.com/RaitoBezarius/nixexprs/archive/5fd6966844be775a272e932375d7982275ba2300.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, "raito-nur": { "branch": "master", "description": "All my Nix expressions", diff --git a/machines/public-cof/nix/sources.nix b/machines/public-cof/nix/sources.nix index 1938409..9a01c8a 100644 --- a/machines/public-cof/nix/sources.nix +++ b/machines/public-cof/nix/sources.nix 
@@ -31,8 +31,28 @@ let if spec ? branch then "refs/heads/${spec.branch}" else if spec ? tag then "refs/tags/${spec.tag}" else abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + submodules = if spec ? submodules then spec.submodules else false; + submoduleArg = + let + nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0; + emptyArgWithWarning = + if submodules == true + then + builtins.trace + ( + "The niv input \"${name}\" uses submodules " + + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " + + "does not support them" + ) + {} + else {}; + in + if nixSupportsSubmodules + then { inherit submodules; } + else emptyArgWithWarning; in - builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; + builtins.fetchGit + ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg); fetch_local = spec: spec.path; diff --git a/machines/public-cof/nur.nix b/machines/public-cof/nur.nix index 7ca9d89..130ef29 100644 --- a/machines/public-cof/nur.nix +++ b/machines/public-cof/nur.nix @@ -3,6 +3,8 @@ let nivSources = import ./nix/sources.nix; rz-src = nivSources.klubrz-nur; rz-no-pkgs = (import nivSources.klubrz-nur {}); + raitobezarius-src = nivSources.nixexprs; + raitobezarius-no-pkgs = (import raitobezarius-src {}); in { nixpkgs.config.packageOverrides = { @@ -11,6 +13,7 @@ in imports = [ "${nivSources.agenix}/modules/age.nix" + raitobezarius-no-pkgs.modules.sniproxy ] ++ lib.attrValues rz-no-pkgs.modules; nixpkgs.overlays = []; diff --git a/machines/public-cof/v6proxy/default.nix b/machines/public-cof/v6proxy/default.nix new file mode 100644 index 0000000..e4f11d9 --- /dev/null +++ b/machines/public-cof/v6proxy/default.nix 
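Review bot: In the nur.nix hunk, `imports` now pulls `raitobezarius-no-pkgs.modules.sniproxy` from the `nixexprs` niv source, so a NixOS module — code evaluated into the system closure and run at activation as root — is taken from a personal repository whose only guard is the rev/sha256 pin in sources.json. That pin is what makes this acceptable; record it at the import site, e.g. `# external module, pinned in nix/sources.json; bump only via niv update and review the diff`. The sources.nix hunk above is niv's own generated fetcher code and should be updated by niv rather than edited by hand.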
@@ -0,0 +1,30 @@
+{ ... }:
+let
+ proxyIPv4 = "45.13.104.29";
+in
+{
+ networking.firewall.allowedTCPPorts = [ 443 ];
+
+ services.sniproxy = {
+ enable = true;
+
+ resolver = {
+ mode = "ipv6_first";
+ };
+
+ listeners = [
+ {
+ address = "${proxyIPv4}:443";
+ table = "vhosts";
+ fallback = null;
+ }
+ ];
+
+ tables.vhosts = [
+ {
+ match = "traque.beta.rz.ens.wtf";
+ dest = "traque.beta.rz.ens.wtf";
+ }
+ ];
+ };
+}
-- 2.47.0 From 71e5dcc437ac77a742c7a9b890754a84485aa8ba Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 16:16:29 +0200 Subject: [PATCH 39/88] feat(public-cof): disable rstudio server --- machines/public-cof/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix
index fd43e30..7f85263 100644
--- a/machines/public-cof/configuration.nix
+++ b/machines/public-cof/configuration.nix
@@ -11,7 +11,7 @@
 ./monitoring.nix
 ./nextcloud.nix
 ./minecraft.nix
- ./rstudio-server
+ # ./rstudio-server
 ./nur.nix
 # ./factorio.nix # TODO
 ./nginx.nix
-- 2.47.0 From c25b0f0eee7dbb4859beec94e9fc155b4f2feacd Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 16:16:47 +0200 Subject: [PATCH 40/88] feat(public-cof): ensure that hedgedocs bind on local ipv6 --- machines/public-cof/hedgedoc.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix
index 258973f..de7edf2 100644
--- a/machines/public-cof/hedgedoc.nix
+++ b/machines/public-cof/hedgedoc.nix
@@ -9,7 +9,7 @@ in
 protocolUseSSL = true;
 # scp =; # TODO
 domain = "docs.beta.rz.ens.wtf";
- host = "localhost";
+ host = "[::1]";
 port = port;
 db = {
 dialect = "sqlite";
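Review bot: `resolver.mode = "ipv6_first"` resolves `dest = "traque.beta.rz.ens.wtf"`, whose A record (per `mkProxyRecord` in subZone.nix) is this proxy's own `45.13.104.29`; if the AAAA lookup ever fails, falling back to IPv4 would make sniproxy connect to its own :443 listener and loop until the connection limit is hit. `mode = "ipv6_only";` states the intent and removes that path. Since this is SNI passthrough, TLS is not terminated here and no certificate is involved; a comment to that effect above `services.sniproxy` would stop a future reader from adding `enableACME` to it. `fallback = null` presumably closes connections without a matching SNI, which is the right behaviour for a single-purpose proxy.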
@@ -25,13 +25,11 @@ in enableACME = true; locations = { "/" = { - proxyPass = "http://localhost:${toString port}"; + proxyPass = "http://[::1]:${toString port}"; proxyWebsockets = true; }; }; }; }; }; - - networking.firewall.allowedTCPPorts = [ 433 80 ]; } -- 2.47.0 From badae72a2907e1f594d6a37744d8b541beae9170 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 16:17:01 +0200 Subject: [PATCH 41/88] feat(public-cof): prevent nginx to bind on all IPv4 --- machines/public-cof/networking.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index a902953..981eff0 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -40,4 +40,6 @@ in { firewall.allowedTCPPorts = [ 22 ]; firewall.enable = true; }; + + services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]; } -- 2.47.0 From 9a243163006bfb794bcb11db77db17fd20c360a7 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 13 Sep 2022 18:49:38 +0200 Subject: [PATCH 42/88] core01: add todo.beta.rz.ens.wtf DNS --- machines/core-services-01/subZone.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 1655011..256b659 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -61,6 +61,7 @@ dualstack // { subdomains = { traque = mkProxyRecord [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; nuage = public-cof-ips; + todo = public-cof-ips; minecraft = public-cof-ips; factorio = public-cof-ips; home = public-cof-ips; -- 2.47.0 From 9c006a35196edc6c3574d82153e8cf64da0cd2c6 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 13 Sep 2022 18:49:49 +0200 Subject: [PATCH 43/88] public-cof: fix docs.beta.rz.ens.wtf --- machines/public-cof/hedgedoc.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
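Review bot: Removing `networking.firewall.allowedTCPPorts = [ 433 80 ]` (the 433 was presumably a typo for 443) also removes the only visible opening of port 80 on public-cof; networking.nix allows just 22 and v6proxy adds 443, while the vhost in this file and the others in the series use `enableACME = true`, whose HTTP-01 challenge needs port 80 reachable for issuance and renewal. Unless another module opens it, add `networking.firewall.allowedTCPPorts = [ 80 443 ];` next to the existing rule in networking.nix so certificates do not start failing to renew once the current ones expire.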
diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index de7edf2..b4235d5 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -9,7 +9,7 @@ in protocolUseSSL = true; # scp =; # TODO domain = "docs.beta.rz.ens.wtf"; - host = "[::1]"; + host = "127.0.0.1"; port = port; db = { dialect = "sqlite"; @@ -25,7 +25,7 @@ in enableACME = true; locations = { "/" = { - proxyPass = "http://[::1]:${toString port}"; + proxyPass = "http://127.0.0.1:${toString port}"; proxyWebsockets = true; }; }; -- 2.47.0 From 6e94647d8e8dceeceb33bda46bedd36212fe8d6f Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Tue, 13 Sep 2022 23:59:59 +0000 Subject: [PATCH 44/88] Networkd ipv6 --- machines/public-cof/networking.nix | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 981eff0..7dc4379 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -5,9 +5,26 @@ let mkAddress = addr: let in { address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); }; in { + systemd.network = { + enable = true; + networks."ens18" = { + DHCP = "no"; + addresses = [ + { addressConfig.Address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; } + ]; + }; + }; + networking = { hostName = "public-cof"; + useNetworkd = true; + useDHCP = false; + + firewall.allowedTCPPorts = [ 22 ]; + firewall.enable = true; + + /* # Default IPv4 exit route defaultGateway = { address = ""; @@ -15,14 +32,6 @@ in { }; localCommands = "ip route add default dev ens20 metric 10"; - useDHCP = false; - interfaces.ens18 = { - useDHCP = true; - ipv6.addresses = [{ - address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; - prefixLength = 64; - }]; - }; interfaces.ens19 = { useDHCP = false; ipv4.addresses = [{ 
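Review bot: In the networkd hunk, `addressConfig.Address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"` carries no prefix length, whereas the `interfaces.ens18` block it replaces had `prefixLength = 64`; networkd, I believe, treats a bare IPv6 address as /128, so the on-link /64 route is lost and reachability then depends on a router advertisement being accepted. Write `Address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5/64"`. Commenting out the IPv4 section also drops the `45.13.104.27`/`.29` addresses on ens20 while `services.nginx.defaultListenAddresses` (context in the second hunk) still binds `45.13.104.27`, which would likely make nginx fail to start on the next activation; that this commit is reverted later in the series suggests exactly that happened.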
@@ -36,9 +45,7 @@ in { # 2nd is for IPv4 → IPv6 proxy in v6proxy/ ipv4.addresses = map mkAddress [ "45.13.104.27/32" "45.13.104.29/32" ]; }; - - firewall.allowedTCPPorts = [ 22 ]; - firewall.enable = true; + */ }; services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]; -- 2.47.0 From a373803629a2060ea84f40b0afa565f2c2510ed2 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 13 Sep 2022 18:54:35 +0200 Subject: [PATCH 45/88] patch(keycloak): remove crc patch --- .../fix-crc-computation.patch | 51 ------------------- 1 file changed, 51 deletions(-) delete mode 100644 machines/core-services-01/fix-crc-computation.patch diff --git a/machines/core-services-01/fix-crc-computation.patch b/machines/core-services-01/fix-crc-computation.patch deleted file mode 100644 index 85a6a7e..0000000 --- a/machines/core-services-01/fix-crc-computation.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001 -From: Mark Adler -Date: Wed, 30 Mar 2022 11:14:53 -0700 -Subject: [PATCH] Correct incorrect inputs provided to the CRC functions. - -The previous releases of zlib were not sensitive to incorrect CRC -inputs with bits set above the low 32. This commit restores that -behavior, so that applications with such bugs will continue to -operate as before. ---- - crc32.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/crc32.c b/crc32.c -index a1bdce5c2..451887bc7 100644 ---- a/crc32.c -+++ b/crc32.c -@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) - #endif /* DYNAMIC_CRC_TABLE */ - - /* Pre-condition the CRC */ -- crc ^= 0xffffffff; -+ crc = (~crc) & 0xffffffff; - - /* Compute the CRC up to a word boundary. */ - while (len && ((z_size_t)buf & 7) != 0) { -@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) - #endif /* DYNAMIC_CRC_TABLE */ - - /* Pre-condition the CRC */ -- crc ^= 0xffffffff; -+ crc = (~crc) & 0xffffffff; - - #ifdef W - -@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2) - #ifdef DYNAMIC_CRC_TABLE - once(&made, make_crc_table); - #endif /* DYNAMIC_CRC_TABLE */ -- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2; -+ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff); - } - - /* ========================================================================= */ -@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op) - uLong crc2; - uLong op; - { -- return multmodp(op, crc1) ^ crc2; -+ return multmodp(op, crc1) ^ (crc2 & 0xffffffff); - } -- 2.47.0 From d2467fe0bd5fb4074ed501ee08ec3680cc46fcf7 Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 17 Sep 2022 21:26:16 +0200 Subject: [PATCH 46/88] public-cof: add kanboard --- machines/public-cof/configuration.nix | 1 + machines/public-cof/kanboard-config.php | 279 ++++++++++++++++++++++++ machines/public-cof/kanboard.nix | 71 ++++++ 3 files changed, 351 insertions(+) create mode 100644 machines/public-cof/kanboard-config.php create mode 100644 machines/public-cof/kanboard.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 7f85263..f4e4dd6 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -17,6 +17,7 @@ ./nginx.nix # ./cryptpad.nix ./hedgedoc.nix + ./kanboard.nix ./secrets ./v6proxy # TODO monitoring diff --git a/machines/public-cof/kanboard-config.php b/machines/public-cof/kanboard-config.php new file mode 100644 index 0000000..9c82452 --- /dev/null +++ b/machines/public-cof/kanboard-config.php @@ -0,0 +1,279 @@ + $out/$f + tail -n+2 ${pkgs.kanboard}/share/kanboard/$f \ + | sed 's^__DIR__^"${pkgs.kanboard}/share/kanboard"^' >> $out/$f + done + ln -s /var/lib/kanboard $out/data + ln -s ${kanboardConfig} $out/config.php + '') + { outPath = "${pkgs.kanboard}/share/kanboard"; meta.priority = 10; } + ]; + }; + locations = { + "/".index = "index.php"; + "~ \\.php$" = { + tryFiles = "$uri =404"; + extraConfig = '' + fastcgi_pass unix:${config.services.phpfpm.pools.kanboard.socket}; + ''; + }; + }; + }; + }; +} -- 2.47.0 From 001c9b0136d220aed5c96f3194fd294fa2361629 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 17 Sep 2022 21:26:34 +0200 Subject: [PATCH 47/88] all: bump to latest nixos-unstable --- krops.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 1a3a034..0102eb0 100644 --- a/krops.nix +++ b/krops.nix 
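Review bot: Only the tail of the kanboard.nix hunk survived extraction (everything from the PHP opening tag of kanboard-config.php up to the `> $out/$f` redirection is missing, so the hunk's start is not visible), but what remains shows `ln -s /var/lib/kanboard $out/data` placing the writable data directory under the nginx root, while `locations` only defines `/` and `~ \.php$`; nothing visible denies `/data`, so the sqlite database and uploaded files would be served as static content. Add a location such as `"~ ^/data".extraConfig = "deny all;";` beside the PHP location (kanboard's upstream nginx sample, as I recall it, returns 404 for `/data` and for `*.log`/`*.sqlite`). `tryFiles = "$uri =404"` on the PHP location is the right guard against path-info tricks and should stay.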
@@ -6,9 +6,10 @@ let lib.evalSource [{ config.file = toString ./machines; nixos-config.symlink = "config/${machine}/configuration.nix"; + # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable + ref = "823e2c9b0a0ec8b61b6583f48338072f137b6889"; # nixos-unstable url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.47.0 From 5a796ef74fab69e3ff745c4bddbcf33cde0dd9c2 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 17 Sep 2022 21:26:56 +0200 Subject: [PATCH 48/88] Revert "Networkd ipv6" This reverts commit 6e94647d8e8dceeceb33bda46bedd36212fe8d6f. --- machines/public-cof/networking.nix | 29 +++++++++++------------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 7dc4379..981eff0 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -5,26 +5,9 @@ let mkAddress = addr: let in { address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); }; in { - systemd.network = { - enable = true; - networks."ens18" = { - DHCP = "no"; - addresses = [ - { addressConfig.Address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; } - ]; - }; - }; - networking = { hostName = "public-cof"; - useNetworkd = true; - useDHCP = false; - - firewall.allowedTCPPorts = [ 22 ]; - firewall.enable = true; - - /* # Default IPv4 exit route defaultGateway = { address = ""; @@ -32,6 +15,14 @@ in { }; localCommands = "ip route add default dev ens20 metric 10"; + useDHCP = false; + interfaces.ens18 = { + useDHCP = true; + ipv6.addresses = [{ + address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; + prefixLength = 64; + }]; + }; interfaces.ens19 = { useDHCP = false; ipv4.addresses = [{ 
@@ -45,7 +36,9 @@ in { # 2nd is for IPv4 → IPv6 proxy in v6proxy/ ipv4.addresses = map mkAddress [ "45.13.104.27/32" "45.13.104.29/32" ]; }; - */ + + firewall.allowedTCPPorts = [ 22 ]; + firewall.enable = true; }; services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]; -- 2.47.0 From 893339ba0b8ef8807f20b02e45dca3390b8ba784 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 18 Sep 2022 18:40:55 +0200 Subject: [PATCH 49/88] feat: fully functional kanboard --- machines/public-cof/kanboard-config.php | 20 ++++++++------- machines/public-cof/kanboard.nix | 24 ++++++++++++++---- machines/public-cof/secrets/default.nix | 6 +++++ .../public-cof/secrets/kanboard-secrets.age | 25 +++++++++++++++++++ machines/public-cof/secrets/secrets.nix | 1 + 5 files changed, 62 insertions(+), 14 deletions(-) create mode 100644 machines/public-cof/secrets/kanboard-secrets.age diff --git a/machines/public-cof/kanboard-config.php b/machines/public-cof/kanboard-config.php index 9c82452..6268892 100644 --- a/machines/public-cof/kanboard-config.php +++ b/machines/public-cof/kanboard-config.php @@ -6,6 +6,9 @@ /* Make sure all paths are absolute by using __DIR__ where needed */ /*******************************************************************/ +// Require the secret file +require('@secretsPath@'); + // Data folder (must be writeable by the web server user and absolute) define('DATA_DIR', '/var/lib/kanboard/data'); @@ -13,7 +16,7 @@ define('DATA_DIR', '/var/lib/kanboard/data'); define('DEBUG', false); // Available log drivers: syslog, stderr, stdout, system or file -define('LOG_DRIVER', 'stdout'); +define('LOG_DRIVER', 'file'); // Log filename if the log driver is "file" define('LOG_FILE', DATA_DIR.DIRECTORY_SEPARATOR.'debug.log'); 
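Review bot: `define('LOG_DRIVER', 'file')` makes Kanboard write `debug.log` into DATA_DIR (`/var/lib/kanboard/data`), and the kanboard.nix hunk in this same commit links `/var/lib/kanboard` into the nginx web root as `$out/data`, so unless a deny rule outside these hunks covers `/data/`, the log — and whatever else the application keeps under DATA_DIR (the SQLite database, if the default driver is in use) — is fetchable as a static file. Either keep `stdout`/`syslog`, which lands in the journal, or add `locations."~ ^/data/".extraConfig = "deny all;";` to the vhost next to the existing `~ \\.php$` block. The surrounding config file continues outside this hunk.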
@@ -42,21 +45,20 @@ define('FILES_DIR', DATA_DIR.DIRECTORY_SEPARATOR.'files'); define('MAIL_CONFIGURATION', true); // E-mail address used for the "From" header (notifications) -define('MAIL_FROM', 'replace-me@kanboard.local'); +define('MAIL_FROM', 'todo@dgnum.eu'); // E-mail address used for the "Bcc" header to send a copy of all notifications define('MAIL_BCC', ''); // Mail transport available: "smtp", "sendmail", "mail" (PHP mail function), "postmark", "mailgun", "sendgrid" -define('MAIL_TRANSPORT', 'mail'); +define('MAIL_TRANSPORT', 'smtp'); // SMTP configuration to use when the "smtp" transport is chosen -define('MAIL_SMTP_HOSTNAME', ''); -define('MAIL_SMTP_PORT', 25); -define('MAIL_SMTP_USERNAME', ''); -define('MAIL_SMTP_PASSWORD', ''); +define('MAIL_SMTP_HOSTNAME', 'kurisu.lahfa.xyz'); +define('MAIL_SMTP_PORT', 587); +define('MAIL_SMTP_USERNAME', 'todo@dgnum.eu'); define('MAIL_SMTP_HELO_NAME', null); // valid: null (default), or FQDN -define('MAIL_SMTP_ENCRYPTION', null); // Valid values are null (not a string "null"), "ssl" or "tls" +define('MAIL_SMTP_ENCRYPTION', "tls"); // Valid values are null (not a string "null"), "ssl" or "tls" // Sendmail command to use when the transport is "sendmail" define('MAIL_SENDMAIL_COMMAND', '/usr/sbin/sendmail -bs'); @@ -197,7 +199,7 @@ define('LDAP_GROUP_USER_ATTRIBUTE', 'username'); define('LDAP_GROUP_ATTRIBUTE_NAME', 'cn'); // Enable/Disable groups synchronization when external authentication is used. -define('LDAP_GROUP_SYNC', true); +define('LDAP_GROUP_SYNC', false); // Enable/disable the reverse proxy authentication define('REVERSE_PROXY_AUTH', false); diff --git a/machines/public-cof/kanboard.nix b/machines/public-cof/kanboard.nix index 3ce8a22..37d411c 100644 --- a/machines/public-cof/kanboard.nix +++ b/machines/public-cof/kanboard.nix 
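Review bot: `define('MAIL_SMTP_PASSWORD', ...)` is dropped from the template, so the file pulled in by `require('@secretsPath@')` at the top of config.php now has to provide it; since PHP keeps the first value and only emits a warning when a constant is `define`d twice, that secrets file must define only the constants the template omits and must not repeat the hostname/username lines. A comment above the SMTP block, `// MAIL_SMTP_PASSWORD is defined by the agenix secret required above`, would make that contract visible to the next editor. Port 587 with `"tls"` is STARTTLS, which is the right pairing for this hostname.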
@@ -5,22 +5,35 @@ let sha256 = if hash == null then lib.fakeHash else hash; }; plugins = map mkKanboardPlugin [ - { name = "userimport_wgroups"; url = "https://github.com/creecros/userimport_wgroups/releases/download/1.0.0/ImportWithGroup-1.0.0.zip"; hash = "sha256-iLpOxwu/atxd062z7z0T3Mkh5YH7IHmcCqiVZPAJbsA="; } + { name = "Milestone"; url = "https://github.com/oliviermaridat/kanboard-milestone-plugin/releases/download/1.1.2/Milestone-1.1.2.zip"; hash = "sha256-NrkMvk/5NdVokKQTYoZajdNEt5athjEzXVgrSHBdQ4w="; } { name = "MarkdownPlus"; url = "https://github.com/creecros/MarkdownPlus/releases/download/1.1.0/MarkdownPlus-1.1.0.zip"; hash = "sha256-BMzEaj47NnLvatEgUbKeibiWf9G+B4EFlVYhDNqk+y4="; } { name = "MetaMagik"; url = "https://github.com/creecros/MetaMagik/releases/download/1.5.1/MetaMagik-1.5.1.zip"; hash = "sha256-8y8+YvS5MAzRt4VVECQK0vQk6oA4Jbxn+2jWQ8nP3gU="; } { name = "OAuth2"; url = "https://github.com/kanboard/plugin-oauth2/releases/download/v1.0.2/OAuth2-1.0.2.zip"; hash = "sha256-L0df8bwPCxHjVOCNiVp+dqVsqJ0CEuJbHzwv5sYprIU="; } - { name = "KanboardOffline"; url = "https://github.com/ipunkt/KanboardOffline/releases/download/1.0.0/OfflineKanboardPlugin-1.0.0.zip"; hash = "sha256-zYIWKM82Em/ys75XgB/udIGk1+EeScE8jpP2HK2wHGQ="; } { name = "HighlightCodeSyntax"; url = "https://github.com/kenlog/HighlightCodeSyntax/releases/download/v1.0.3/HighlightCodeSyntax-v1.0.3.zip"; hash = "sha256-c4bV1gGVNUjHOJKBI6QxsV72mAzcEgjqv8r62ebpPdU="; } { name = "Group_assign"; url = "https://github.com/creecros/Group_assign/releases/download/1.7.12/Group_assign-1.7.12.zip"; hash = "sha256-ijI8nIIqsK8Pr1iEfCBUeUD3dlsIfmkOP0xC39JkIAs="; } ]; pluginsDirectory = pkgs.linkFarmFromDrvs "kanboard-plugins" plugins; + secretsPath = config.age.secrets.kanboard-secrets.path; kanboardConfig = pkgs.substituteAll { name = "kanboard-config.php"; src = ./kanboard-config.php; + inherit secretsPath; inherit pluginsDirectory; }; + package = pkgs.kanboard.overrideAttrs (old: { + installPhase = '' + 
${(old.installPhase or "")} + runHook postInstall + ''; + + postInstall = '' + ${pkgs.xorg.lndir}/bin/lndir ${pluginsDirectory} $out/share/kanboard/plugins + ''; + }); in { + environment.systemPackages = [ + ]; services.phpfpm.pools.kanboard = { user = "kanboard"; group = "kanboard"; @@ -48,13 +61,14 @@ in mkdir -p $out for f in index.php jsonrpc.php ; do echo " $out/$f - tail -n+2 ${pkgs.kanboard}/share/kanboard/$f \ - | sed 's^__DIR__^"${pkgs.kanboard}/share/kanboard"^' >> $out/$f + tail -n+2 ${package}/share/kanboard/$f \ + | sed 's^__DIR__^"${package}/share/kanboard"^' >> $out/$f done ln -s /var/lib/kanboard $out/data + ln -s ${pluginsDirectory} $out/plugins ln -s ${kanboardConfig} $out/config.php '') - { outPath = "${pkgs.kanboard}/share/kanboard"; meta.priority = 10; } + { outPath = "${package}/share/kanboard"; meta.priority = 10; } ]; }; locations = { diff --git a/machines/public-cof/secrets/default.nix b/machines/public-cof/secrets/default.nix index a7cd5ea..861d254 100644 --- a/machines/public-cof/secrets/default.nix +++ b/machines/public-cof/secrets/default.nix @@ -10,4 +10,10 @@ group = "nextcloud"; file = ./nextcloudDatabasePasswordFile.age; }; + + age.secrets.kanboard-secrets = { + owner = "kanboard"; + group = "kanboard"; + file = ./kanboard-secrets.age; + }; } diff --git a/machines/public-cof/secrets/kanboard-secrets.age b/machines/public-cof/secrets/kanboard-secrets.age new file mode 100644 index 0000000..5bc708c --- /dev/null +++ b/machines/public-cof/secrets/kanboard-secrets.age 
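Review bot: The `installPhase` override appends `runHook postInstall` to `${(old.installPhase or "")}`; if the inherited phase already ends in `runHook postInstall` (stdenv's default does), the hook — and its `lndir` into `$out/share/kanboard/plugins` — runs twice, and the `ln -s ${pluginsDirectory} $out/plugins` added in the next hunk creates a third view of the same plugin tree. Keep one mechanism: drop the `installPhase` line and rely on `postInstall` alone, or keep the root-level symlink and drop the package override. `environment.systemPackages = [ ];` adds nothing and should be removed. The `let` block holding these bindings starts before this hunk.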
@@ -0,0 +1,25 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +jsay8IXK6RjVULRqpfvgHOr8H3ALxQyJ3BQIkmSfRrLlJXDbYWUKBCztXc7whfb/ +XTc3Sa5bybIXXX3wLzYmxCYjUa1CoHgIb1UWAhM3KyTJ4XSw7pVti29VM5p74+ex +tJeb44hXlkD7V7C2yYp6CcBH1IgnvEL8ulVopkis/TBQtWi6QaGJBPX2yxEJ3QDh +uAn5czrrDenBZRsIYTaKrlbgCM/Oeh4mDFSaFKIqfX2g7ClbsC1ejF3PvbsXN6il +pk2YSZ/F5ivNBkvWFmQrNJyLjkcIrxoFvzcXOTk8yM9iu4BFlPbX7NcAMrHpbSIR +3ew59I0cGkbzRAtLI9p97w +-> ssh-ed25519 85WiGg XQK2huU0kqkKbVYf6SJFqcumOL8zDPfOuGwNy78dJm4 +aP8CNgS1/wfv2RB7nXZqYnZaXDORk9I5lPZy87FVmRY +-> ssh-ed25519 reTIKw jZ57SfMYyOr9P9eNK/Q2CMAWtYtfjyV/MaTVnqEHxkU +ycPo/pwC9CtYWAcrclo1b26+mPU4Z6pCPecGPMmL3ag +-> ssh-ed25519 /vwQcQ v5bvHTvld6WErGt+Vp0mivpFH5srQPHkbPd0Nk3IDy0 +27+ZreTwyaxtb5vrRpD/2C2MUT9onRcX4Yr7KHnTGOo +-> ssh-ed25519 cvTB5g gKxECDYMSja0FTqteAk39iMDsNIM+ox31sIvnY2ityk +pkUZgDWdAzuGCvuRhOE8oeazIRw+kpPhnkksF2zTjxA +-> ssh-ed25519 Wu8JLQ lMgIKw3Qzg/Lw6UtpPZWDrE0WBc71meaprrnmARqDDM +FN/S9xo22u4kMWqrPD3KmfLbDq8L0TxtfDUSBLVq+Tk +-> ssh-ed25519 xbfJnw emSflhzdsItaXULjPXre8jlnXxJuXFAaoLWGVAAej1I +4OS68AuzPr+zwp9Bqb4lYGJHjPwPMSXuprw7+8agOyU +-> Wd-grease +pdSa/JP70fd6VvSgpIJQAk8ZiZfKo8l7UpVwBib59SB9IRNVZdSbHINFUzuIozGu +Z7dyg+x6QQ +--- TjceHicjeIIKz0f7R5u7nLrCtb39MmS/vEK3w0xHbmw +QZ`?Zv~^$ct2ԓy3.+KF2OC_$]y~l%0_ ܻ REM4Hİ{r$ެ*1\2FڬBLAK!&C׋_.Om3͕hδV< z$'-s'J \ No newline at end of file diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index 3f8a62a..70be48a 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -9,5 +9,6 @@ in { "nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems; "nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems; + "kanboard-secrets.age".publicKeys = superadmins ++ systems; } -- 2.47.0 From 124ec3ab73d52667a3b5a5a47cf62bac5a4a1823 Mon Sep 17 00:00:00 2001 
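Review bot: `"kanboard-secrets.age".publicKeys = superadmins ++ systems;` encrypts an SMTP credential to every key in `systems`, while the secret is only consumed on public-cof (`age.secrets.kanboard-secrets` is declared in `machines/public-cof/secrets/default.nix`); if `systems` holds the host keys of all machines, a compromise of any of them exposes it. The least-privilege form is the superadmins plus this host's key only, e.g. `"kanboard-secrets.age".publicKeys = superadmins ++ [ <public-cof host key> ];` (placeholder for whatever binding `systems` already contains). The same applies to the `outlineS3Secrets.age` and `outline-oidc-client-secret.age` lines added in PATCH 61.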
From: Raito Bezarius Date: Sat, 1 Oct 2022 22:49:56 +0200 Subject: [PATCH 50/88] feat: bridge #dgnum over Merle --- machines/core-services-01/matterbridge.nix | 2 +- machines/core-services-01/matterbridge.toml | 21 +++++++++++++++--- .../core-services-01/secrets/matterbridge.age | Bin 1415 -> 1519 bytes 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/machines/core-services-01/matterbridge.nix b/machines/core-services-01/matterbridge.nix index 7eefba1..06b31e6 100644 --- a/machines/core-services-01/matterbridge.nix +++ b/machines/core-services-01/matterbridge.nix @@ -28,7 +28,7 @@ let startScript = pkgs.writeShellScriptBin "start" '' ${manageSecrets ./matterbridge.toml "$CREDENTIALS_DIRECTORY/secrets" "$RUNTIME_DIRECTORY/conf.toml" - [ "SECRET_MATTERMOST_WEBHOOK" ]}/bin/preStart + [ "SECRET_MATTERMOST_KLUBRZ_WEBHOOK" "SECRET_MATTERMOST_DGNUM_WEBHOOK" ]}/bin/preStart ${pkgs.matterbridge}/bin/matterbridge -conf $RUNTIME_DIRECTORY/conf.toml ''; in { diff --git a/machines/core-services-01/matterbridge.toml b/machines/core-services-01/matterbridge.toml index d4b9ab8..49116fa 100644 --- a/machines/core-services-01/matterbridge.toml +++ b/machines/core-services-01/matterbridge.toml @@ -7,11 +7,16 @@ PrefixMessagesWithNick=true RemoteNickFormat="<{NICK}> " [mattermost] - [mattermost.merle] - WebhookURL="SECRET_MATTERMOST_WEBHOOK" + [mattermost.merle_klubrz] + WebhookURL="SECRET_MATTERMOST_KLUBRZ_WEBHOOK" WebhookBindAddress="0.0.0.0:52187" PrefixMessagesWithNick=false RemoteNickFormat="{NICK}" + [mattermost.merle_klubrz] + WebhookURL="SECRET_MATTERMOST_DGNUM_WEBHOOK" + WebhookBindAddress="0.0.0.0:52188" + PrefixMessagesWithNick=false + RemoteNickFormat="{NICK}" [[gateway]] name="réseau" enable=true 
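Review bot: Both Mattermost account tables are headed `[mattermost.merle_klubrz]`; the second one, holding `SECRET_MATTERMOST_DGNUM_WEBHOOK` and port 52188, should be `[mattermost.merle_dgnum]`, which is the name the dgnum gateway in the next hunk expects, and a duplicated table is a TOML parse error (or silently overwrites the klubrz entry, depending on the parser). Change the header to `[mattermost.merle_dgnum]`. Both listeners bind `0.0.0.0`, so the incoming-webhook endpoints are reachable on every interface unless the firewall blocks 52187/52188; binding the address Mattermost actually reaches would narrow that.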
@@ -19,5 +24,15 @@ enable=true account="irc.ulminfo" channel="#réseau" [[gateway.inout]] - account="mattermost.merle" + account="mattermost.merle_klubrz" + channel="town-square" + +[[gateway]] +name="dgnum" +enable=true + [[gateway.inout]] + account="irc.ulminfo" + channel="#dgnum" + [[gateway.inout]] + channel="mattermost.merle_dgnum" channel="town-square" 
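Review bot: In the dgnum gateway's second `[[gateway.inout]]`, `channel="mattermost.merle_dgnum"` should be `account="mattermost.merle_dgnum"`; as written the entry has no `account` key and two `channel` keys, which is a duplicate-key TOML error at load time, so matterbridge would fail to start rather than bridge #dgnum. Change it to `account="mattermost.merle_dgnum"` followed by `channel="town-square"`.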
diff --git a/machines/core-services-01/secrets/matterbridge.age b/machines/core-services-01/secrets/matterbridge.age index 1071c43b33daaa3e93fae325e8d50122995c65c4..f4ea1d5e441eaa4b392dd2f255f591a06a917bdc 100644 GIT binary patch literal 1519 zcmZY7?d#lx0S9m&DoA9YwIE{_0vqTSe$D0SE5{w4C6`<-$sNkb)8*-s+$ERX zU3@~MQbb1`=nE?-zEG(MR_fRT^Tkx=CeywVwIDL-#w>MICWUTA*1g!9_8<6u_X@f~&vXTm9L@*tiLPCh_VqNQeKZGnx3KmT# zO+yPw#H`I#4(E-0mtMdoY%(i{CPfy(hH8YAJpkQpAP=JZQ$`HuTrTJ^A1-`h;J3^) z3H^RCllv?-?ypTJQM6rc6$rAKby6GE+FE0D0J90F9A1OK{ZOmYZ$9SXEdr2;uTXPrZaXStGb>Tp8FXC;QVHWO`WXN&LM`tqTrEIlm zC3!<*Si)sd)o5OgHgpnevz02EDd{>|g#hMgyz0URlH#VOV02BJ`39nfCDO|#%qAb3 zasn~VU`UBL*BvFM?ibt+tsuj$tL`!*0WnAmjA##CbR%S|b*|wZFIE4)w(p??flwex zn2`{GVpTLrMvh@FF8qLV+KkIdl{nEIy*F02u8b)NKI&`@%mpYe#7J3jIwO08ki%i> zZuQ1=qYm3@*=c37c&BI(qmc*n)mq`}y}HnwG~9GbErl!nxHIA})qrH1c%l((rE6_Ab4-D)Zx>PW2YVtU2zCVtp~ zf=OIbgJ|UobH3cA)KZ>Yt+}<%5COX!SfhQ``R}FTy5oy7+3ZL(#a)x)sb$N|uR%BmN!Me4QX-bbw zS;JY2E@-+?Y9|qO-;OXFCyas~!ZUwp(Hme*WFwYT7dXZbycl1VU2If`Jw$9{CK4tS zeQ31d3LA+ge|5L8O$QDQV!Ea1Fo7zLY}d0Af|4Lbh>Ba-?J-+P{8*clc8;3DmImy) zUK&j*jeM)_RmYu@98a$<>Dw<$)MGMC#Cl%Z(V zn+C1_bvt~>yL-{!3ku&ZeNZ?A!hkO`%Nk7+e6Y^xXcuqOOjI#ORJK(_jT^LT1}l!r zc1jP6Ih9e@5+-l$&?&Sl2d)lf_oxgD5 z2wr*%dF}qEe)GG7M=xIg!!h~Bf9&&jl8-W!_?P`ZdHk8%2gSt$&wYNj4SstZ{qmTx z@B940xBvAb_|GS=`_+rlkBQfR_Ji#wIduI8M?U@in_nC`y6=V)-(0%wvFY>gfv>)N G<9`88*AWK* literal 1415 zcmZY6$?M~E7{_sN5XXQAVZejJ6h;LpKhrd6k}8a5YnEndlBP)mB3Zs!nl@>(waLK+ zaZtQ@89nq?3`QJAzttRXs{C`4@9OpX~;*v8Nlv7}4K_oQj+z7>(ZE$2Cg1031OJeOI(*?$(uVhscTz>4%Mj9s<=K_B2{GHl)3S)y*i0k{!xaj2J373-1@oG981_ zgeRAAM;*o~<1$Bt)XaQMU0QRjDsY@sM*3~ z_ASF1)1}4@aaFf>wGaE# zuJc=>n=9j$LcxJhR+dU`ivLTNl{d&rn~`;B-DwHepsIvR&cTc_MEB(#EF_vq&S$MN z0;k&Eli`M5FHa-ZJ5aN=jmHit7(lPG4ud9&wsHw|lhKV`1A`@;BP<|mOdQqIAf*>0 zeBI*Mav!9^+DkYT=PioNOdPDsX+|xEP#ht!$DMMLksL(jOuS@cj#YPCx@lx3!x7}T zULwb1jbTbsQOli1aW*=krnSFsB#=OQ0DG=OI6cs^ey_paTFGH^WpLIcvehu5VhU|p zLa{h%-P2fQPH0ba#|xUbV6jMKNJ;!~DN`uNp}WXb7^%qB9^TH-gKA`qGxMD`soNlf 
zHA=|$C2u5@?+emme>fo+kpz(3`drM_I+#id-gt9kq<2XCU+vf~o;F`Ni%Z~D06O3# zTNq#;fEbLbLYl>epDW8#Z$=Bli2+Ja7%pYHV_$oT=~N{e)v&ZO6MRmK5 z(&v{i-h1i8YhV2I-HWf@`2OYe)+aweU&+5eA3XBlRsQ<9?)6s~>h#V1U%&g=mA9U1 z?zwv3Er9)c^PyipxWT;n{!4E>x;p>f^}mPMV^{7y_x8t+zw?Lq*UukadhX^EU;gvj T>Y4Ie?8oEs+6C{~Ke2xSG{e~U -- 2.47.0 From 179a628a4d578c7517b60ab6e2cf26f93cce4149 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 1 Oct 2022 23:04:19 +0200 Subject: [PATCH 51/88] feat: remove netdata package pin --- machines/core-services-01/monitoring.nix | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 2a8ac5f..53f3343 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -36,16 +36,6 @@ in { services.netdata = { enable = true; - package = pkgs.netdata.overrideAttrs (old: { - version = "1.35.0-nightly"; - src = pkgs.fetchFromGitHub { - owner = "netdata"; - repo = "netdata"; - rev = "955d1a7c61f4eab802648d563f84d978ebeb8fc4"; - sha256 = "sha256-gN44Df+k384NummsHls2JY1CinBaFK3cpdmmdZMbA44="; - fetchSubmodules = true; - }; - }); }; # Allow WireGuard VPN -- 2.47.0 From 4bc455054018c771d2fecc6812de4f491e75fe68 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 2 Oct 2022 00:21:16 +0200 Subject: [PATCH 52/88] Revert "feat: remove netdata package pin" This reverts commit 179a628a4d578c7517b60ab6e2cf26f93cce4149. --- machines/core-services-01/monitoring.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 53f3343..2a8ac5f 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix 
@@ -36,6 +36,16 @@ in { services.netdata = { enable = true; + package = pkgs.netdata.overrideAttrs (old: { + version = "1.35.0-nightly"; + src = pkgs.fetchFromGitHub { + owner = "netdata"; + repo = "netdata"; + rev = "955d1a7c61f4eab802648d563f84d978ebeb8fc4"; + sha256 = "sha256-gN44Df+k384NummsHls2JY1CinBaFK3cpdmmdZMbA44="; + fetchSubmodules = true; + }; + }); }; # Allow WireGuard VPN -- 2.47.0 From 964912c3d4cbb87fd27f849e139eee73d8007848 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 9 Oct 2022 14:43:29 +0200 Subject: [PATCH 53/88] core01: try latest nightly for netdata and disable cloud --- machines/core-services-01/monitoring.nix | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 2a8ac5f..edf0d20 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -37,17 +37,19 @@ in services.netdata = { enable = true; package = pkgs.netdata.overrideAttrs (old: { - version = "1.35.0-nightly"; + version = "1.36.0-185-nightly"; src = pkgs.fetchFromGitHub { owner = "netdata"; repo = "netdata"; - rev = "955d1a7c61f4eab802648d563f84d978ebeb8fc4"; - sha256 = "sha256-gN44Df+k384NummsHls2JY1CinBaFK3cpdmmdZMbA44="; + rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; + sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; fetchSubmodules = true; }; }); }; + systemd.services.netdata.environment."NETDATA_DISABLE_CLOUD" = "1"; + # Allow WireGuard VPN networking.firewall.allowedUDPPorts = [ 51820 ]; # Allow access to the raw netdata @@ -71,12 +73,6 @@ in ]; }; - systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [ - "netdata" - "stream" - "health_alarm_notify" - ]; - environment.etc."netdata/netdata.conf" = lib.mkForce { user = "netdata"; group = "netdata"; 
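Review bot: Removing `systemd.services.netdata.restartTriggers` means changes to `netdata.conf`, `stream.conf` and `health_alarm_notify.conf` no longer restart the daemon, so a new alert-notification or streaming configuration is silently not in effect until someone restarts netdata by hand — unless the NixOS netdata module restarts on config changes by itself, which nothing in this hunk shows. If the goal is to avoid restarts on every rebuild, `reloadTriggers` with the same three-entry list is the narrower replacement; otherwise keep the original. The `NETDATA_DISABLE_CLOUD` environment variable in the previous hunk is reasonable and does not depend on this change.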
@@ -122,7 +118,7 @@ in mode = "0600"; text = '' # External tools - nc="${pkgs.netcat}/bin/nc" + nc="${pkgs.nmap}/bin/nc --ssl" # IRC configuration SEND_IRC="YES" -- 2.47.0 From 6b02a84975457baf19051a51dfa85c8d802d9189 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 12 Oct 2022 01:29:08 +0200 Subject: [PATCH 54/88] core01: initialize tunnels setup --- machines/core-services-01/configuration.nix | 4 +++- machines/core-services-01/tunnels.nix | 19 +++++++++++++++++++ machines/public-cof/minecraft.nix | 4 ++-- 3 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 machines/core-services-01/tunnels.nix diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index dcf85af..9ff2a3f 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -25,6 +25,7 @@ ./oauth2_proxy.nix ./secrets ./matterbridge.nix + ./tunnels.nix # TODO push to gitea # TODO ./gotify.nix # TODO(Raito): ./backups.nix @@ -94,5 +95,6 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "20.09"; # Did you read the comment? + system.stateVersion = "22.05"; # Did you read the comment? + environment.variables.NIX_PATH = lib.mkForce "/var/src"; } diff --git a/machines/core-services-01/tunnels.nix b/machines/core-services-01/tunnels.nix new file mode 100644 index 0000000..a396adc --- /dev/null +++ b/machines/core-services-01/tunnels.nix 
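Review bot: `nc="${pkgs.nmap}/bin/nc --ssl"` turns on TLS for the IRC notifications, but ncat does not validate the server certificate unless `--ssl-verify` is also given, so the channel is encrypted against passive observation yet not authenticated and alert text could still be read or altered by an active party in the path. Use `nc="${pkgs.nmap}/bin/nc --ssl --ssl-verify"`, adding `--ssl-trustfile` if the IRC server's chain is not in the system CA store. This also relies on the notify script expanding `$nc` unquoted so the flags are word-split; worth confirming against the health_alarm_notify script that consumes it, which is outside this hunk.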
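Review bot: `system.stateVersion = "22.05"` replaces `"20.09"` on a machine that is already installed, which the comment directly above warns against: stateVersion selects defaults for stateful services (database package versions, data-directory layouts), so bumping it can change what PostgreSQL-style services expect on disk at the next rebuild. Unless this host was freshly reinstalled, revert to `system.stateVersion = "20.09";` and override the service-specific defaults explicitly where wanted. `environment.variables.NIX_PATH = lib.mkForce "/var/src";` is independent of that and fine on its own.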
@@ -0,0 +1,19 @@
+{ ... }: {
+ networking.wireguard.interfaces.wgalpha = {
+ privateKeyFile = "/etc/secrets/wireguard/wgalpha";
+ listenPort = 9999;
+
+ ips = [
+ "fdee:a536:13fa:53ab::2/128"
+ ];
+
+ peers = [
+ {
+ publicKey = "yAdQRTHn9Yko2r24j8tlxWBz0nYzHRxryPFq8t44Xw4=";
+ allowedIPs = [ "fdee:a536:13fa:53ab::1/128" ];
+ }
+ ];
+ };
+
+ networking.firewall.allowedUDPPorts = [ 9999 ];
+}
diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix
index c56701f..089b0ae 100644
--- a/machines/public-cof/minecraft.nix
+++ b/machines/public-cof/minecraft.nix
@@ -2,8 +2,8 @@
 let
 papermc = {
 ram = 4; # In GB
- version = "1.18.2";
- build = 270;
+ version = "1.19.2";
+ build = 200;
 sha256 = "M3/z7lgHVDG+WqxPvyrxvfobEvkkPf90bDoN/Dq+VZY=";
 };
 port = 25565;
-- 2.47.0 From 570071bb715a9774b28c9d5e8c5164556a920c96 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 13 Oct 2022 21:52:40 +0200 Subject: [PATCH 55/88] feat: bump to 1.19.2 and add clem197 to allow-list --- machines/public-cof/minecraft.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix
index 089b0ae..db78249 100644
--- a/machines/public-cof/minecraft.nix
+++ b/machines/public-cof/minecraft.nix
@@ -4,7 +4,7 @@ let
 ram = 4; # In GB
 version = "1.19.2";
 build = 200;
- sha256 = "M3/z7lgHVDG+WqxPvyrxvfobEvkkPf90bDoN/Dq+VZY=";
+ sha256 = "sha256-fhQ1Kukp0MDF0312y/DR3wS9wKXY2aKUyU5f64ELylM=";
 };
 port = 25565;
 rconPort = 25575;
@@ -42,6 +42,7 @@ in
 Sup3Legacy = "575ecb9f-bf28-46cb-bc50-cb6bb340c905";
 Pollux3737 = "ffa65818-b022-4830-aa90-7f3211c8ee3d";
 CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849";
+ clem197 = "7461bfdf-4dca-44c2-b035-b49d5740dfc5";
 }; serverProperties = {
-- 2.47.0 From e827b28967e30579ffd69141ded9c40ce0a87915 Mon Sep 17 00:00:00 2001
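Review bot: `privateKeyFile = "/etc/secrets/wireguard/wgalpha"` points at a hand-placed file rather than an agenix secret, unlike every other credential in this series, so nothing provisions it or checks its ownership and the `wgalpha` interface fails on a freshly deployed host; declaring it in the host's `secrets/default.nix` and using `privateKeyFile = config.age.secrets.<name>.path;` (placeholder name, and `config` then needs to be in the module arguments) keeps it with the others. The peer has no `endpoint`, so this side only accepts an incoming handshake on UDP 9999; that is fine if the other end initiates, but a comment such as `# peer initiates; no endpoint/keepalive needed on this side` would record the intent. `networking.firewall.allowedUDPPorts` is also set in monitoring.nix for 51820; NixOS merges both lists, so the second definition is harmless.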
From: Raito Bezarius Date: Thu, 27 Oct 2022 22:31:47 +0200 Subject: [PATCH 56/88] feat: deploy garage on public-cof --- machines/public-cof/configuration.nix | 3 ++- machines/public-cof/garage.nix | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 machines/public-cof/garage.nix
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix
index f4e4dd6..08b929a 100644
--- a/machines/public-cof/configuration.nix
+++ b/machines/public-cof/configuration.nix
@@ -9,6 +9,7 @@
 ./acme.nix
 ./networking.nix
 ./monitoring.nix
+ ./garage.nix
 ./nextcloud.nix
 ./minecraft.nix
 # ./rstudio-server
@@ -17,7 +18,7 @@
 ./nginx.nix
 # ./cryptpad.nix
 ./hedgedoc.nix
- ./kanboard.nix
+ # ./kanboard.nix
 ./secrets
 ./v6proxy
 # TODO monitoring
diff --git a/machines/public-cof/garage.nix b/machines/public-cof/garage.nix
new file mode 100644
index 0000000..f74eaca
--- /dev/null
+++ b/machines/public-cof/garage.nix
@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+{
+ services.garage = {
+ enable = true;
+ settings = {
+ replication_mode = "none";
+ compression_level = 7;
+
+ rpc_bind_addr = "10.1.1.21:3901";
+ rpc_public_addr = "10.1.1.21:3901";
+ rpc_secret = "76c2746530a4a27d188530a6bbf6c4613ccb8d8f129863d8c21462b84d5b998f";
+
+ s3_api = {
+ s3_region = "ens";
+ api_bind_addr = "[::]:3900";
+ root_domain = ".s3.rz.ens.wtf";
+ };
+
+ s3_web = {
+ bind_addr = "[::]:3902";
+ root_domain = ".cdn.rz.ens.wtf";
+ index = "index.html";
+ };
+ };
+ };
+}
-- 2.47.0 From ccf00cdc46a78fa88938a2535e58e4de1ea2f623 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 27 Oct 2022 22:31:55 +0200 Subject: [PATCH 57/88] public-cof: nextcloud23 -> nextcloud24 --- machines/public-cof/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix
index b243afb..7ccf2de 100644
--- a/machines/public-cof/nextcloud.nix
+++ b/machines/public-cof/nextcloud.nix
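Review bot: `rpc_secret = "76c2…998f"` is the cluster's shared RPC authentication key, and here it is committed to the repository and, through `services.garage.settings`, rendered into a world-readable file in the Nix store, so any local user or anyone with read access to the repo can join or impersonate a garage node. Move it into an age secret like the other credentials on this host — Garage accepts `rpc_secret_file` in place of `rpc_secret`, and the value can also come from the service environment — and rotate the key that is now in git history. `api_bind_addr = "[::]:3900"` and `bind_addr = "[::]:3902"` expose the plaintext S3 and web endpoints on every interface; `[::1]` is sufficient if they are only reached through a reverse proxy. `pkgs` is bound in the module header but never used.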
@@ -5,7 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud23; + package = pkgs.nextcloud24; config = { overwriteProtocol = "https"; -- 2.47.0 From 7beba083215aea4a360a04d28914b24034735212 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 27 Oct 2022 22:40:43 +0200 Subject: [PATCH 58/88] public-cof: nextcloud24 -> nextcloud25 --- machines/public-cof/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 7ccf2de..8a9572b 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,7 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud24; + package = pkgs.nextcloud25; config = { overwriteProtocol = "https"; -- 2.47.0 From b40a49feedce631cd00c02db6e195913cdd8b4ab Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 28 Oct 2022 00:36:57 +0200 Subject: [PATCH 59/88] =?UTF-8?q?feat:=20add=20notion.rz.ens.wtf=20?= =?UTF-8?q?=E2=86=92=20public-cof?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/core-services-01/subZone.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 256b659..7b7a56c 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -43,6 +43,9 @@ dualstack // { core01 = dualstack; ns1 = dualstack; + # First non-beta service, our Outline. + notion = public-cof-ips; + builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; gdd = { -- 2.47.0 From 43d3367e9f267aacd725f8467a734d04ecea3f12 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 17:31:46 +0200 Subject: [PATCH 60/88] core01: DNS for Garage & Outline --- machines/core-services-01/subZone.nix | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) 
diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 7b7a56c..b76e4f7 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -43,8 +43,28 @@ dualstack // { core01 = dualstack; ns1 = dualstack; - # First non-beta service, our Outline. + # Non-beta service + # Outline notion = public-cof-ips; + # S3 API + s3 = public-cof-ips; + # CDN API + cdn = public-cof-ips // { + CAA = [ + { issuerCritical = false; + tag = "issue"; + value = "letsencrypt.org"; + } + { + issuerCritical = false; + tag = "iodef"; + value = "mailto:${my.email}"; + } + ]; + subdomains = { + "*" = public-cof-ips; + } // delegateACMEDNSChallenge "7a9dffd8-f57b-4635-ba79-07f8b0db4fad.acme.rz.ens.wtf."; + }; builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; -- 2.47.0 From 42a569b41d906edd04d507ef91d47dd486a51310 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 17:32:10 +0200 Subject: [PATCH 61/88] public-cof: deploy completely Outline and Garage --- machines/public-cof/configuration.nix | 2 ++ machines/public-cof/garage.nix | 20 ++++++++++++ machines/public-cof/outline.nix | 31 +++++++++++++++++++ machines/public-cof/secrets/default.nix | 12 +++++++ .../secrets/outline-oidc-client-secret.age | 26 ++++++++++++++++ .../public-cof/secrets/outlineS3Secrets.age | 25 +++++++++++++++ machines/public-cof/secrets/secrets.nix | 2 ++ 7 files changed, 118 insertions(+) create mode 100644 machines/public-cof/outline.nix create mode 100644 machines/public-cof/secrets/outline-oidc-client-secret.age create mode 100644 machines/public-cof/secrets/outlineS3Secrets.age diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 08b929a..b4a2599 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix 
@@ -11,6 +11,7 @@ ./monitoring.nix ./garage.nix ./nextcloud.nix + ./outline.nix ./minecraft.nix # ./rstudio-server ./nur.nix @@ -27,6 +28,7 @@ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "minecraft-server" "factorio-headless" + "outline" ]; boot.loader.systemd-boot.enable = true; diff --git a/machines/public-cof/garage.nix b/machines/public-cof/garage.nix index f74eaca..7d25b0a 100644 --- a/machines/public-cof/garage.nix +++ b/machines/public-cof/garage.nix @@ -1,5 +1,25 @@ { pkgs, ... }: { + security.acme.certs."cdn.rz.ens.wtf" = { + dnsProvider = "acme-dns"; + credentialsFile = pkgs.writeText "acme-dns-env" '' + ACME_DNS_API_BASE=https://acme.rz.ens.wtf + ACME_DNS_STORAGE_PATH=/var/lib/acme/lego-acme-dns-accounts.json + ''; + extraDomainNames = [ "*.cdn.rz.ens.wtf" ]; + group = "nginx"; + }; + services.nginx.virtualHosts."s3.rz.ens.wtf" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://[::1]:3900"; + }; + services.nginx.virtualHosts."cdn.rz.ens.wtf" = { + serverAliases = [ "*.cdn.rz.ens.wtf" ]; + useACMEHost = "cdn.rz.ens.wtf"; + forceSSL = true; + locations."/".proxyPass = "http://[::1]:3902"; + }; services.garage = { enable = true; settings = { diff --git a/machines/public-cof/outline.nix b/machines/public-cof/outline.nix new file mode 100644 index 0000000..aef8e12 --- /dev/null +++ b/machines/public-cof/outline.nix 
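Review bot: `locations."/".proxyPass = "http://[::1]:3900"` on the `s3.rz.ens.wtf` vhost carries Outline's uploads, but nothing here raises nginx's default `client_max_body_size` of 1m, so any object larger than that is rejected with 413 unless the limit is set globally outside this hunk; `locations."/".extraConfig = "client_max_body_size 0;";` (or a sensible ceiling) fixes it. Proxying to `[::1]:3900` also only narrows exposure if garage stops listening on `[::]:3900`, which the earlier commit configured; otherwise the plaintext API stays reachable beside the TLS one. The `credentialsFile` written with `pkgs.writeText` holds only the API base URL and a storage path, no secret, so its Nix-store placement is fine.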
@@ -0,0 +1,31 @@ +{ pkgs, lib, config, ... }: +{ + services.nginx.virtualHosts."notion.rz.ens.wtf" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:3000"; + proxyWebsockets = true; + }; + }; + services.outline = { + enable = true; + publicUrl = "https://notion.rz.ens.wtf"; + defaultLanguage = "fr_FR"; + storage = { + accessKey = "GK8b32d276b2eafb999a53188a"; + secretKeyFile = config.age.secrets.outlineS3Secrets.path; + uploadBucketUrl = "https://s3.rz.ens.wtf"; + uploadBucketName = "outline"; + region = "ens"; + }; + oidcAuthentication = { + userinfoUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/userinfo"; + tokenUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/token"; + authUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/auth"; + clientSecretFile = config.age.secrets.outline-oidc-client-secret.path; + displayName = "Club réseau"; + clientId = "outline"; + }; + }; +} diff --git a/machines/public-cof/secrets/default.nix b/machines/public-cof/secrets/default.nix index 861d254..dce31c2 100644 --- a/machines/public-cof/secrets/default.nix +++ b/machines/public-cof/secrets/default.nix @@ -16,4 +16,16 @@ group = "kanboard"; file = ./kanboard-secrets.age; }; + + age.secrets.outlineS3Secrets = { + owner = "outline"; + group = "outline"; + file = ./outlineS3Secrets.age; + }; + + age.secrets.outline-oidc-client-secret = { + owner = "outline"; + group = "outline"; + file = ./outline-oidc-client-secret.age; + }; } diff --git a/machines/public-cof/secrets/outline-oidc-client-secret.age b/machines/public-cof/secrets/outline-oidc-client-secret.age new file mode 100644 index 0000000..d73537f --- /dev/null +++ b/machines/public-cof/secrets/outline-oidc-client-secret.age 
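Review bot: The module header `{ pkgs, lib, config, ... }:` binds `pkgs` and `lib` that the body never uses; `{ config, ... }:` states the real dependencies. `accessKey = "GK8b32d276b2eafb999a53188a"` is the key identifier rather than the secret, so its presence in the store is acceptable, but a comment `# key id only; the secret is in outlineS3Secrets` saves the next reader the check. Uploads go through `https://s3.rz.ens.wtf`, so whatever body-size limit that nginx vhost has governs what Outline can attach.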
@@ -0,0 +1,26 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +HeTVcJxU2zRewuzQVknnxAYjlCU8+GJjBz9joGPo2j934uiM3A6PBsFmoz6I1ZfJ +pg68benaKfV+VI1sN8fMDWoEO0QrFzHYULXT9JCyQTClUzUZSlMpzmDgCmHjLPEc +qB23sbwKzgyFO9SKHsPvOqxZrEyTwAKiNYa33QuSyRxN3S4/9PxVjgJTTqLbTVqf +hhnujxviU3iHV2ACqLAV5jYSbAleiAh53vnBc0k326vXbrumQqFvQtgwcqDn4vDR +2QYzEwsj+yV9BlRrGSBZSnoHZjWtsE/ntrEaIZiItT3Ots1CCVswd7LGb3LspYbf +NheRvY7zUXppGiB0+mjZJg +-> ssh-ed25519 85WiGg tGvDzYdpKP8lql3murRlp95w7jQUhhuodIgVxDk4Lgs +aVV4b71w/nU3nBaYKdzzYjXVaxgN2EpyQiKsjO33GcI +-> ssh-ed25519 reTIKw LJJF7K8fRsSoAFDyndWP9nA5FV4w7cWSqUgGnvdB42I +wI22cL/GuyVou1robDUHzNMfCR7L6NA4UWFSeV73d88 +-> ssh-ed25519 /vwQcQ KZQSME50r4yrnyFfH6nwbmCn0UmVUMIBhhfqoicrKVY +xDdBu7/K8ZxGT2BnffAR8UsQIAVlLpSfEvo1m4k87ng +-> ssh-ed25519 cvTB5g HjLQQhFwEekFYHV5sko/x8RwcAsgvl/cCoKakX4B6yE +Ub5TWpDPYA3DSwfRT2hmgPcwoMIhsOhgdhckFuZxQ8s +-> ssh-ed25519 Wu8JLQ L0bnDPmv3Chemi/BKhux9GYXDMMLUjO6H8MQe1REpBA +qtN6IH8M8kLYAQ8a64kYCCaAPhg6VjrojTONdY4MVyA +-> ssh-ed25519 xbfJnw 94xx8KL0EWqs3HIsdY9RFvC6aRsk7cemZxciLIkVCDM +WZnyqSwpCBA8GNnu6VEJSLIRtv8rzOpGFH6e387ohpQ +-> TS-grease +D32P8/tpegDSy/xsspwpuq8EVqwDyZUzJF2Ose+3cqHAx8db4DPWnmt4z4Ch5bXw +KtmO+2eEYTmPyYUZxI+uzr93CQhVq7aFlch6cWLEaqg +--- 6kPR6tdczt01UaY4ps38dncSMFCupa9uZmSWBjm85ps +Ln4Kz>(ن=fʷPG ssh-rsa krWCLQ +nxiY5l98JhWEwLYN7sWtsgN4faDTIpgo1fiPScxXB8/ljnxIyd1vhMVRt0WCTOQV +CFTQ9MOoTAk90Zj4wjxDjoJjjsXLUBVnjqLdQy76kgR5vAvVrHzuYTYO4Y4k0/qh +S6BEFN655P0n4Gxf9kJtKxi3ipN6B46ydACAjFeyeuOPMkMdBBZq1BOLPEOC9I+O +87p+8BdL+zxkYfaWfEggYgabrE7y91EjiB1VCuT0GFm8T8iBojvThxWQlHQAybBc +gvgTlyGf8YmY82uGhGQR39okrA914mJUkr11JZ9457qL+/t5Au/dha1x6QlwcUoz +Tp5OQJAfXZc02LsICq2I7A +-> ssh-ed25519 85WiGg c6vyT96h0eVL+xZpR0Zk06l5ApUsqENY9ESeYuOG0zY +dJbQVgH41Ti/AM7WAlXCCA501h8wgx2os5yiZt+jxp8 +-> ssh-ed25519 reTIKw rVhKDqm51EMuOQnTcsdWmqoBDI/LLnFpkJW93EfcdB0 +AAOEQp0tux1vJ0bPIcB1HtLodig/J4poeu6j/Hk8KiA +-> ssh-ed25519 /vwQcQ jGLr83VDSxYd3v42ECOiTpSTDRB5TVSqx3QHRbMgfEk +k2hBCGntsqP0czKV2JvMbf8lAqpjVvnJqSxfdr00A7w +-> ssh-ed25519 
cvTB5g BqVT8ytcjINNKrGAtttAtxRMpLs4LJg1Uy3zvDxTvwk +DRDEl+CNZnuT+KE1txjHgaWIYmiSeUTsesnXYq89YNQ +-> ssh-ed25519 Wu8JLQ 731ytp+gu36OvH0QbkeDUwMHj3J4u0JujJnfTUQ2C1A +KPGEKLoV9K1PPdIyla5D1lsmhRt/XUHLrCTeApbqR6c +-> ssh-ed25519 xbfJnw Ojf4cuctALx+Q/qWqSarRcnxvwrHjbAK5r4pnhKUzmo +WHp4Op3N3SeniWS7XhPmvRkTyjDIPDBBGviDaiCNbOc +-> 3P-h|3ru-grease +5icFsPwzKpnImSlgICy/wDq6YJLTcIML3EoDUOgvGOFSs+efH4bWExmd2ktGtqYd +ewEKHYlnpIFNTMtlRs7U7sR3qnLHadq3McnhR/8OlQ +--- iwVp/AYpQfFOIg/OI85nNTgdY/HKlEsCHWiBO0lOtJg +Z=eBb[3$k(2x%0+18T,;Fլ"EKeZ*$}Cpo9+|CJ- \ No newline at end of file diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index 70be48a..c703081 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -10,5 +10,7 @@ in "nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems; "nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems; "kanboard-secrets.age".publicKeys = superadmins ++ systems; + "outlineS3Secrets.age".publicKeys = superadmins ++ systems; + "outline-oidc-client-secret.age".publicKeys = superadmins ++ systems; } -- 2.47.0 From 555aabb7984d28c38118375adfa8a9a28476fa70 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 17:32:19 +0200 Subject: [PATCH 62/88] krops: bump channel --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 0102eb0..92a2cda 100644 --- a/krops.nix +++ b/krops.nix @@ -9,7 +9,7 @@ let # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "823e2c9b0a0ec8b61b6583f48338072f137b6889"; # nixos-unstable + ref = "8d3bd93e67201a7c8238e9cbde6d07aba9500636"; # nixos-unstable url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.47.0 From 82cfe98dde2603c3d07837b39bef01f4101f1a8a Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 29 Oct 2022 17:32:39 +0200 Subject: [PATCH 63/88] core01: fix matterbridge for DGNum --- machines/core-services-01/matterbridge.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/machines/core-services-01/matterbridge.toml b/machines/core-services-01/matterbridge.toml
index 49116fa..748d0a7 100644
--- a/machines/core-services-01/matterbridge.toml
+++ b/machines/core-services-01/matterbridge.toml
@@ -12,7 +12,7 @@ WebhookBindAddress="0.0.0.0:52187" PrefixMessagesWithNick=false RemoteNickFormat="{NICK}" - [mattermost.merle_klubrz] + [mattermost.merle_dgnum] WebhookURL="SECRET_MATTERMOST_DGNUM_WEBHOOK" WebhookBindAddress="0.0.0.0:52188" PrefixMessagesWithNick=false
@@ -34,5 +34,5 @@ enable=true
 account="irc.ulminfo"
 channel="#dgnum"
 [[gateway.inout]]
- channel="mattermost.merle_dgnum"
+ account="mattermost.merle_dgnum"
 channel="town-square"
-- 2.47.0
From d1bc89653ce4caf47d4eb492c79d969533dc8398 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 17:33:05 +0200 Subject: [PATCH 64/88] public-cof: fix NC encryption --- machines/public-cof/nextcloud.nix | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix
index 8a9572b..847affd 100644
--- a/machines/public-cof/nextcloud.nix
+++ b/machines/public-cof/nextcloud.nix
@@ -6,6 +6,13 @@
 https = true;
 package = pkgs.nextcloud25;
+ # OpenSSL 3.0.x breaks RC4 encryption for NextCloud
+ # But we enabled encryption for NextCloud
+ # Therefore...
+ phpPackage = lib.mkForce (pkgs.php81.withExtensions ({ enabled, all }:
+ (lib.filter (e: e != pkgs.php81.extensions.openssl) enabled)
+ ++ [ (all.openssl.override { buildInputs = [ pkgs.openssl_1_1 ]; }) ]
+ ));
 config = {
 overwriteProtocol = "https";
-- 2.47.0
From a2c58e4d877faaaae0d65f734df514d1c85257ec Mon Sep 17 00:00:00 2001
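Review bot: The rename to `[mattermost.merle_dgnum]` here and the `channel=` → `account=` fix in the second hunk (`@@ -34,5 +34,5 @@`) together point the gateway at the renamed account, but any other `[[gateway.inout]]` or `[[gateway.in]]` entry that still names `mattermost.merle_klubrz` elsewhere in the file would now refer to a section that no longer exists; check the parts of the file the hunks do not show. The context lines also show both webhook listeners bound to `0.0.0.0` (ports 52187 and 52188); that predates this commit, but a comment recording which firewall rule or address restriction fronts those ports — or binding them to the address Mattermost actually reaches them on — would make the exposure explicit.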
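Review bot: `lib.mkForce` and `lib.filter` need `lib` in the module's argument set, and the file header is outside this hunk, so confirm it reads `{ config, pkgs, lib, ... }:` or evaluation fails on an undefined variable. The `# Therefore...` line should state what the override does and when it can go, e.g. `# Therefore: build php81's openssl extension against openssl_1_1 so existing RC4-encrypted files stay readable; drop this once the encryption is migrated off RC4.` — pinning the OpenSSL 1.1 series (upstream support ended in September 2023) for a single PHP extension is exactly the kind of exception that needs a written exit condition. The enclosing `services.nextcloud` attrset starts and ends outside the hunk.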
From: Raito Bezarius Date: Sat, 5 Nov 2022 15:48:40 +0100 Subject: [PATCH 65/88] mc: add Clem's friends to whitelist --- machines/public-cof/minecraft.nix | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix
index db78249..3582e49 100644
--- a/machines/public-cof/minecraft.nix
+++ b/machines/public-cof/minecraft.nix
@@ -43,6 +43,10 @@ in
 Pollux3737 = "ffa65818-b022-4830-aa90-7f3211c8ee3d";
 CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849";
 clem197 = "7461bfdf-4dca-44c2-b035-b49d5740dfc5";
+ Clashis = "499fdd85-bbcb-446f-9611-8b6bb9bf6965";
+ epns = "a1c26328-484f-4c3f-affb-26e49b430c15";
+ skidijo = "6a72a1f4-7448-4fb7-a252-b6d5ceff2d43";
+ r_r = "3202beaa-7620-439b-9e91-0a9d4699b552";
 };
 serverProperties = {
-- 2.47.0
From dbd7594d590ee5361f88283aeb7f09ab30753654 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 14 Nov 2022 23:46:55 +0100 Subject: [PATCH 66/88] mc: whitelist more players --- machines/public-cof/minecraft.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix
index 3582e49..0030204 100644
--- a/machines/public-cof/minecraft.nix
+++ b/machines/public-cof/minecraft.nix
@@ -44,9 +44,12 @@ in
 CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849";
 clem197 = "7461bfdf-4dca-44c2-b035-b49d5740dfc5";
 Clashis = "499fdd85-bbcb-446f-9611-8b6bb9bf6965";
- epns = "a1c26328-484f-4c3f-affb-26e49b430c15";
 skidijo = "6a72a1f4-7448-4fb7-a252-b6d5ceff2d43";
- r_r = "3202beaa-7620-439b-9e91-0a9d4699b552";
+ Tifendyll = "5dc1acf3-b214-4607-a3bd-924665e07c67";
+ OknShield = "ef12e9cd-121f-4b39-886e-89b5b4bc5f4f";
+ Allygon = "964a2ee3-3a0d-49c1-b8e9-60b5e69976d3";
+ CheesyBiggy = "574daaed-ce9a-4b33-a3af-055e39bc32dc";
+ H3raklio = "576969d4-94e7-49db-ba7e-e9e57ff5a75e";
 };
 serverProperties = {
-- 2.47.0
From 66ae9b2d0427578e96c93ce56dcf850aea5ab278 Mon Sep 17 00:00:00 2001
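Review bot: Besides the five additions, the `@@ -44,9 +44,12 @@` hunk removes the `epns` and `r_r` entries that the previous patch introduced, which the subject `mc: whitelist more players` does not mention; if the removals are intentional, say so in the commit message or with a short comment giving the reason, so the whitelist history stays auditable. The attrset these entries live in starts outside the hunk.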
From: Julien Marquet Date: Sat, 3 Dec 2022 21:15:40 +0100 Subject: [PATCH 67/88] whitelist thejohncrafter --- machines/public-cof/minecraft.nix | 1 + 1 file changed, 1 insertion(+)
diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix
index 0030204..876754a 100644
--- a/machines/public-cof/minecraft.nix
+++ b/machines/public-cof/minecraft.nix
@@ -50,6 +50,7 @@ in
 Allygon = "964a2ee3-3a0d-49c1-b8e9-60b5e69976d3";
 CheesyBiggy = "574daaed-ce9a-4b33-a3af-055e39bc32dc";
 H3raklio = "576969d4-94e7-49db-ba7e-e9e57ff5a75e";
+ thejohncrafter = "d3959974-3a05-4ab2-8acb-d8817c140d84";
 };
 serverProperties = {
-- 2.47.0
From 9a0c9c615c502d98a70d6f4d4e72709fb5907981 Mon Sep 17 00:00:00 2001 From: sinavir Date: Tue, 13 Dec 2022 22:23:35 +0100 Subject: [PATCH 68/88] feat: introduce photos.ens.wtf Co-authored-by: sinavir Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/15 Co-authored-by: sinavir Co-committed-by: sinavir --- machines/public-cof/configuration.nix | 1 + machines/public-cof/lychee.nix | 10 ++++++++++ machines/public-cof/nix/sources.json | 2 +- machines/public-cof/nur.nix | 2 +- 4 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 machines/public-cof/lychee.nix
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix
index b4a2599..ae3fce3 100644
--- a/machines/public-cof/configuration.nix
+++ b/machines/public-cof/configuration.nix
@@ -12,6 +12,7 @@
 ./garage.nix
 ./nextcloud.nix
 ./outline.nix
+ ./lychee.nix
 ./minecraft.nix
 # ./rstudio-server
 ./nur.nix
diff --git a/machines/public-cof/lychee.nix b/machines/public-cof/lychee.nix
new file mode 100644
index 0000000..944604b
--- /dev/null
+++ b/machines/public-cof/lychee.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }: {
+ services.lychee = {
+ enable = true;
+ package = pkgs.rz.lychee-gallery;
+ forceSSL = true;
+ enableACME = true;
+ website = "photos.ens.wtf";
+ settings.APP_URL = "https://${config.services.lychee.website}";
+ };
+}
diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json
index 77826c4..3209971 100644
--- a/machines/public-cof/nix/sources.json
+++ b/machines/public-cof/nix/sources.json
@@ -14,7 +14,7 @@
 "klubrz-nur": {
 "branch": "main",
 "repo": "https://git.rz.ens.wtf/Klub-RZ/nur",
- "rev": "98911e21fd58f00440dc8a5bd6568f2a349338bd",
+ "rev": "9c43904eb242455ca3db9466c5679c81aa92741f",
 "type": "git"
 },
 "niv": {
diff --git a/machines/public-cof/nur.nix b/machines/public-cof/nur.nix
index 130ef29..ad4a2e5 100644
--- a/machines/public-cof/nur.nix
+++ b/machines/public-cof/nur.nix
@@ -8,7 +8,7 @@ in { nixpkgs.config.packageOverrides = { - # rz = import rz-src { inherit pkgs; }; + rz = import rz-src { inherit pkgs; }; }; imports = [
-- 2.47.0
From 5138eb930f618573ccbe3e6394b1c13174e92248 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 24 Jan 2023 21:14:04 +0100 Subject: [PATCH 69/88] core-services-01: add hubrecht --- machines/core-services-01/configuration.nix | 1 + .../secrets/dexGiteaClientSecret.age | Bin 1424 -> 1519 bytes .../core-services-01/secrets/droneKeyFile.age | Bin 1639 -> 1778 bytes .../secrets/keycloakDatabasePasswordFile.age | 52 ++++++++++-------- .../core-services-01/secrets/matterbridge.age | Bin 1519 -> 1559 bytes .../secrets/oauth2ProxyKeyFile.age | 50 +++++++++-------- machines/core-services-01/secrets/secrets.nix | 2 +- .../secrets/snipeItAppKey.age | 51 ++++++++--------- .../secrets/snipeItOidcClientSecret.age | 52 ++++++++++-------- machines/pubkeys/hubrecht.keys | 1 + 10 files changed, 111 insertions(+), 98 deletions(-) create mode 100644 machines/pubkeys/hubrecht.keys
diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix
index 9ff2a3f..7aa5220 100644
--- a/machines/core-services-01/configuration.nix
+++ b/machines/core-services-01/configuration.nix
@@ -81,6 +81,7 @@
 ../pubkeys/gdd.keys
 ../pubkeys/raito.keys
 ../pubkeys/mrf.keys
+ ../pubkeys/hubrecht.keys
 ];
 # Open ports in the firewall.
diff --git a/machines/core-services-01/secrets/dexGiteaClientSecret.age b/machines/core-services-01/secrets/dexGiteaClientSecret.age index daef2a2a00c33743ebcd5b46b39b1205e074fc61..f080423c728b87bd35aa1d842c1b19abc94ad716 100644 GIT binary patch literal 1519 zcmZY8xy$4P7zXeyv@jqDHWn^SE8%k{*Cas@a!jsCGRfqQg(R6=lT4CHCg&DbTd3Hn zwTg{kr-hZJTMCxih>eY6BX+Vbg3aeY@cwuno;OJ2ySR$lxw++a^?Kc=>j47p-duHE zcGq^ns%RZX)`1hppEgl93b}-`rHa>0F60#_H@+AwM=|u}IYAl%A`EkCodHs4IAO!W zqr0PL%#HxC;-NX_8k*`<63f~!54tXHTHN(0k*O1EYA$jj91ZRa6VA{{=OH;WBa}$9 zd~4mc2Y?_lWaM@W+s1mvmz}O#Qk1+ugwYsb=U|J^2Tz3)PXtG~#7~2?7aSBY zCY3-N7DAAsLTb5pSem`*|Fs>TU<`xE6@fW9pRO#~y0$EKng>D{#c{C~WoZg>aGOP3 zD1;D2=2=qvnjjYk zbSgSl(8fLWS*VvoS*hZEZ9R;7q_4(+fn%mV>p6Fm%>8XtIET8BSA8h8_Hf;Ua8_4+ zja6d`*gi&~JL&A>LadqfA;Z%p+n)>s_2fQd3fnz45*u5d!&nU zI9I|6IlS%-R^9ky+J%;X>Y*(%l~tT5tOaaL?1rGtRZq?`#3~+!R*nxF=}&0dAuyraBeLn3&T6Nx%hQGeoY-R{0NxSo_yD^*MynBr=76IyQBJ-fhx zHx_Y>(C0i>L3rIV4$;QhG6ZnE9N{5pyzZjjNGC+hnI7%57S{XPXLs;Ezyg|TK&srN z_qA+Gr6IK{`C(VqR-QZ?xSm@m3$5!mRCk;R7QQ19V8LV~U8M#^08S8u<80AzRNr}c~_J_B!3{h-w(;fdR&$i*F@U8}t*)0rW{vu>wH4AC`2U?oX4 zEBUH>QP=}L%hI`ChLdR1f`(UvwJxZFv8OyYa7bbDIvSa4I>)}Ep6m#?ySrOKpb;#? zys#?g9W7%PO@noc!C2(W`o?;5>!Wl*Pp%>9!0_e%gU3I-_v!Or{Q1e{(AYP-@pIk`sByYe|y;f{P621 Ie}{kk12MSvWdHyG literal 1424 zcmZY9JImw*6b4`ytkP{KR>QW#Y%;k_5*Cysll$a;nM^<-$z*b!+%ri=1#v;FE%YZ? 
zSZJf$EP{>xfGxBU|An=mjm5X^ImH9-dpJQ7Z{jNImS)K6>UrHI;B5OU98jg6>GR#|QwQ|nVpxacS&oNBi<{uotMPIryQ~Hd{F)G?hsA)3 z48Om*kfUZncpvMdr+Ey$RT$hjbu4kNA8YB3N@-m6O$a>U9lfOFv^%9`|Dib;yAoy#~h896F}N2-{EOS4mx?o`Y>37j5l$B~c@ z#!3<<%yMEuy(c0>;vrEbzIlju2P1E4uPCgp3MvRkg%n;>M;Gcid61E=x!+ zz-n1dfNQH5enTE+VU*B`D-NE!y;E^*o5?0Wq`yJ7!I^ zxk%a^Yh?Lby>+oI%G2t$gD6xLQUMZs%sBB{ax3*K$Tlg|l(MAv-ae3a`hYk!0GeJK z&`WpjbZmcB&phSU6|}YY+wG8w@VawzZeYnQ@88l0?3nS%3hlQAYW3_E=Q*|3mPr81 zeBH~J?BeA`Ivnp-X!xVoJan-~c5+M%hmH<0E@{J)Mq6mA@u{&-vT;9+X$%Qj*?GwS zNp^j(D!LNJxVZsyY(!Mzck25t^j5Bi#{z};1XExtOG!{s*4 zc6tWnL7kw64IxaIE1ZWZ6iqS6xHL7oh49qI$p~~TSuQL=Mx@C($*klUN4$(mE(*aE z2!qy|>3|7DXZBn2G!VO75MV**T4P}#ni%-w`5|#W;lN7Z#)L1Y6RAwwNu|b2&j9fV z<8h3-b$^p6vc89kT%^W-ce{r+Nf!rwy!!BYBv3BCdUgk7S86>mFl!R#I`EurDbJ4a zGh4#if|UmqZYg4>%!MtRCGq0K6OpkMSZ+O>2cMX8V7yh)EJQ9V8Hf`IRADzHdhcZu zw;FH`=~kQX;=>o)P3vjbH-X`DGdoLhbW(uLX0zg>T6DLOu=kMP?|CLK~#OgcK6&x!GwLHjdgss8_dkBaz4tFf<j>QTM^xugB3y64QHj(qQzM^m3MB)%g_eV~A9TL`fA` zFRcP*#5FfO-ipw*p8}fM9m}}OMhVvLu8RfGkh3Umc~LF3#;&IE+B6g-n50%I+vK`v zR6-V0rH1RRb4N0aA_ut1%tFPi&#c-)9+(E-X2Z@#t0gu(UJkO36q~l6uDpTOrE+Ro z60q)4RmB&ACUjf8tBq&tBwtYul3+lZ4#cKA^z~LzOGmWa2c|8*5#b>+SogZV5m)N~i-CUGWyk1p1sfAG zTZ|e_zv}hW03)I$=tE8)aXn64^iq~lSJp3nV4Kp?E=j{ug zbFT1Man@QpivSKX-}Yu=%^~7G6&5lOE2Akf?YD_yl)*Vq*>WebLu?cb7hp=0Shw7% z0Yy1rT@Xxmgg7%}LoWlbxErB74HH z9+zuEC>s8#15swT>`@!Wx8$(F#0r?Gt=W7kDOYMO)LKa?r$8zx_ZREgunBdT1gBw~kH&2q zLTizZ5^_5l!Ze3mnTX!Z83-m>TP$Es9l#FQTn>f|*)~}5zuDTKZMz5a{lS)>dUod3 zg)cDudVHW(#WNvPQ>V@PpqUp5V#EV}qE|M=R=$nEF$e1*7=_~}!Zzjx;S?;g7S-n-wtuzkaAFQf-gq)&eH?2~tF zpLqN6Q+vPj(CITD{qvjiM;`ps?+x-j#}A!7aK7SA%f;l+ztubcDDkCtF5LOprEB>g zo!Je4a^FApoxbgK{a?4dB^}!Rtlzrp`Hx+7-#fqf#;CH!eQ)#IE@G zzkhb*Lk~;J{L-@@xbxgEZQ$6iPYlNw*33=UeD`eGKRSQk@Sdl4Z*F{!xEvkJ@UK0v zOaI++@=9^(*5`lq;$Of2^KT9Qrrm$_2M_Oh=$!G-C;sxt8<%FUiPxXH?wP-zvbHb2 gdU4O&FMZBCdgN0TT-^ARr(gKu50@{!{^fiB1EpSZYXATM literal 1639 zcmZY8?eF6R0SEAKITENqB!UTN%*}-0;TUVXuI)TeuHCw>+xob6YirK+Wj&-0S9nPgdJhC_fpDaNFl^8Tp-Hkx=sevTIy_({WDS+3GH)4zt;6M9*{jV< 
znQXhY40CyvL1R@>R$NOoV8hSQybp$>87^p*@7WH&q040i#sI%c!HDH>byCg5-VC$X z7>q|fZX`4n2sH;Lwf1vpm<^WrUaeVH;#{otJE%4nbR2q5eCHjzR^KqEDVw>06aaCq*w?in~X_e)Bwak{8QB{ld zbUpCm3GEI2$wn;@Hty(g*yM(4j^$RH16gc1ov`Kx0cZmiVA%kz!gbBAt5u<#A;l)q z`&2m|!l8lm!ge3weDeP^ygl=1x7HmxI#;1xy<1X29&IKA)3OXw=0nF{c)92`ZG6d& z&AbZ&G~&ivdfrPCZ)rvoc##UQCDjF7+K$O)0p^Q(I@q#oxB0)`vfQWz*{nMj0d?y^ zyaDE}Zudg37={bfWk+>#)B^F)$w|foXVX@bskC5?W-B&X3}h7Nnv68`V+Dl)elcbw zqQzh7!KW0|5puJT*=0zo=!npxILv2Y%h#mNrjIi-kQk?|6sR(;`vf*u*(ET>O<3OY z!AOBdmKl_g(sE&DWxE8<4N^*(g_>`7bb<(TBJ=ZcQ)vg~nkFEWXRNuT1BFUCCc*J; zz*%<3l|%o^C)(*`F1z>&R%b1jDU;>aVJWH(+99G+0X_}+Yzq4biF-|eO03}+_Y%7h zCo5L&OhDYIyFp4TIydR@Q--Z~lg$XNBXorI6EG{ggdJ?xkfC;I1#1J&0G_OH9bP!j zRF@K!>0*#n{dY;9xu@Y~wvpSlLr$LqgowWqDQkJ#5jSKFh$b|?kCS{8^fEoL2%P4q zV5&!^glHZ=Y~d~+yC?|eeY3*B3r4?!^NwA?7K-gfep4$B;^nsnH zPu{+G<4X@+d*<-Xcb>XJ?GleXYQ6TGYYtz3aOd37KRztqkUsF{-wxhd zLw@vjxbNh?Pu=~}b3+%$_tRHDLffBx zLAZS1zdrWf7vF=v(Er8t_dF=Rb7miXpZ62v4&;S5Z@F|^bpK$#ck{bV;H^W)PrZKN zD;J;IfA~E5muG)`;ic2R`t=(pu30tR%=!1XzH#B?{qx-$-(5e5oImmLAO7KSX!FEX ew|?&XpLnA2wXeTey!D;Ut|4@Gzx?Foo&NxJPeYdg diff --git a/machines/core-services-01/secrets/keycloakDatabasePasswordFile.age b/machines/core-services-01/secrets/keycloakDatabasePasswordFile.age index 2007cba..af7c0f5 100644 --- a/machines/core-services-01/secrets/keycloakDatabasePasswordFile.age +++ b/machines/core-services-01/secrets/keycloakDatabasePasswordFile.age 
@@ -1,26 +1,30 @@ age-encryption.org/v1 --> ssh-ed25519 lHr4YQ S/Kuy8PdLoLLRDvlDDyuDaGXGb0RMBJKo9XyHK2I0Bg -VFjemRE9hOc/fEol+2OAjM6d/5QLPeeo0ytdgcwa8Zs --> ssh-ed25519 h6AgbA ParmcGdbVHdvihrEuV+nLBLDnTwKR+zoxc/O0LdrUhA -L1kL6sr4ak1DTTaui9k6tpPJ1p86bKAoOcPwCJu7vr0 --> ssh-ed25519 Wu8JLQ hTPuIn+IogmX6U16p3EQ/9C/L+X7dZaQaBrEAdq4twM -QhnuGbpuqpFFujNlXSDUDMEGHK875Sr5hHX/q2ShkhU --> ssh-ed25519 cvTB5g P8av9KTsR9ccIRPz0TABQF3EfeO+cyn+Od+shxeatEk -GnExLTBOicvRs7neFPL/GLxE6hqpdqNV8P4nWRbMjKU --> ssh-ed25519 /vwQcQ WE0fxso39H7ZyYwJ8eNnmrLgf0xL5AdpHZ1mrvbiPyQ -y4GjFZuYtiGg6cY8ZTOKHbYjjFJoFI5W4IF7np/OB/8 --> ssh-ed25519 reTIKw LxM4ihcAb5u6rKqtrOUZ7/4XXoMVbf/HHhby/i9Xbn4 -O8KkO/99T2lBttsADSTJE/18ljFrUjrJWhK7peehei8 --> ssh-ed25519 85WiGg +GtCSdOR7TTwu+zTvwOoRhOE0iLwB7JuFaZkP8cP+Fk -0GCjcBgOPeynvAUDmEioWPJMhZWGchKKukGGXHCBEUU -> ssh-rsa krWCLQ -bSk43qTcHFgrS7AeXTzUbx5FO/1YrLuRlm58lcXpTTKcRMZWKmFbPTVNdIvkT4xt -B6HW0OqV/Ks1pbeJUCPRdLwYHYULEC4quRGlgeToXoUQ8zCvcPT6uikpK0Hzne7e -WI5MLdS3vvAPljlSSaPN8gb3yiPgA2IPrHjqIsMNkotGFjUQ/oIyJ8YcDsSfGE2T -Z8+TOj4ZNxPda2hX7mL2x2dJmmQW5FkOVtSpSyvwpkOqPOi6b5vZaWu/GtXzGEhD -SD6SALiqmWkCHb8n588XDqKj8Lj/741R24f8IM8qW9cBz4QClh3Bnrl4gendsUCp -PkQPjniidi/aF6sHhfrSNg --> |#4-grease y%'e^I RB nBNinf \dob -L2HkuH7S3KtuQN9AWLBL99nJPxVw ---- +QOdyAz8FR0RecYvvkzxv2IzJ9yt89/xePALK3l7sjs -&,NpJ~ ƅ˜*,؆5:i W}m"Q-FJm \ No newline at end of file +2Ak0HJ0WoUuCQkjBPjRgrFQmHSBP7Lzhwp8JZ22lSDLO4OzGLuyGnmI6f+x3mhSM +UP4X4fz98ygYaPTKHzgs+ALgoe0ZOzIRcrBYKyAmI92iuVk8QJrGBaFsi2e/quur +oRaQybPXCqbGeaFhLY74RHmtbby5zzbQnw8f5DRKn3oFDYgCUMOKdTPI3vsUDd6t +dLmFCWEhGFMwI9bve7bVeu2yKMWpOIIsVgkabSy9EQ0gEUwoXkrGNpc+QqqR2qbJ +qaLok3zO+giVKrzl6+/Z/tzHQ66mUTIZAD7HmRFMqBRBqo2heCtviGyu7NPXhb/T +vTVzgL7fsrkaYd59O7BCSg +-> ssh-ed25519 85WiGg UgubbGKRmcFV5N/Vyo/HEBtGG0GOvZS5dSDnYoWzeSk +N2CZ/ZJJLRTdwBDCVNrXGp8ic0T7ZHx+DfPcXLeEvXQ +-> ssh-ed25519 reTIKw zl6eZh6NG2Y21AElt+Ag7gzDmtzXP0h1RjhVzaiHUg0 +PJU/i8Za/JwrCLXcH0vtG8CDxv3MDHCzEYiNIhperC4 +-> ssh-ed25519 /vwQcQ 
RS4rv5dnajCSAdcFj96HOcMBHySk5yBrmepNdlOcsWg +M+dCeQCP3rl4oT8IrkParBnaaTfUNbWpgvbLou/qSp0 +-> ssh-ed25519 cvTB5g ZR5ayyiP10Dec6Tg2HYcl5q0dkLSvOgRxeeVxC1Plj8 +aiY/6wY4rmB75NRzcbFPKu7nTLKZhgqOuqAZm+9UnTs +-> ssh-ed25519 Wu8JLQ 4nFItVARcWbkkuyaUcgdesLSOmiomY0Ht2LxXX1/L0A +dK2/4X6OFbn4Y3gVK5zKRV3KySiCHzGnGewhZmqETrE +-> ssh-ed25519 vXYJfA k1ANIqwNaMjipiCobpBWMlhbCyudoy7vpuajDK7mLiQ +uudD1Bk1+EWmL3o7VH6YSbv1WRCw6tsDV0HoQ/zwXwg +-> ssh-ed25519 h6AgbA EvhvmT6dx3HAqioaFvT5u94cTk8okjhGgzyxXZF8LyE +R/xTeW/rJEl50kG8e0n3NOGpX9XI13Ftq7ULYNHVaCM +-> ssh-ed25519 lHr4YQ WyG8hEoGZuNvroTdmC8RST7l/Tu7UUXgeG3AfLA0p2o +qk7YeUkrOsRbqnYXFXZAkiOaW6rvKnSaZGSiBw30b5E +-> V9T>@4JS-grease @h!7BAa9 +nPtMdfgbktgg20WlJBrQlhTDMI8/i31JEDnZjF4u7RidDSJ5lxzH8zI+411CQ+K5 +exQ +--- YY6c8/qxiWxaK31KW+3QP6240bmnDJZ9EXrG7dnyJcE +N|J +ZZ6#kyH; \ No newline at end of file 
diff --git a/machines/core-services-01/secrets/matterbridge.age b/machines/core-services-01/secrets/matterbridge.age index f4ea1d5e441eaa4b392dd2f255f591a06a917bdc..526ab31d3e0491b21298d00e4e202bb1bec705d2 100644 GIT binary patch literal 1559 zcmZY9+soSo00nSC(GheH^FgK$R+t0rKGUR4lPCzeHkansBu$e|A#KyNNz*jfru9J- zk%6EnlPThZIECRA-EaeS=oAz$pnKaG48aRJWuh>22#Vm#=U?!Hb2!KKy)ADsO4rML z7BB9KQy(lLVC&vmmQA=}k+ zP1K4cTJjjf&?dB5`}BMkWUH_j0?bU77u^+^2z_$h3-fHL7-|&3lZdX!BAsI@T0$I> zP?#U&Sf}YQD=fo?q*0V~i|Ctxjm1nJc5qSMc-}b1D5IHi%m8-?rw}qbDlsy&?AQnU zZ9yZsjm*y1o+=Te7LJS-R1fGt?IDSEWlC4t%(NiuMXTRv=Ao^Qk;%YN_`<4Y<1|)N z4`o@9E(LEmAES&s*AO(S6F}Ur7eu9Kq?ZxWFdC|rTk`&YX?tTBK_I+_A=a$p*VJIF z)Z3NSuTPrFlC0KPLpIkDOh}d~O1-*f;g&E!aiO6B8&Hn4Nrt$B-54qsOLJ6#H-|lz z66l3oC?q83wq-1ProCNDJ%bllwF)#Rrm+#z1|g}LSdXKAFB!P;vhX~#99UgOZFkct zo^>){!<$SaWi){@Iy$&CT-Yd^ppJV5TOXxCIUzRI7#dB|Mz~!A%au0LYH+3W2Yk{c zon_&0$dFcCSH`0S+sQ>W4-jUI8i_PO<>?AA>OpFJ0VpIgS>fXLY4f? zLR+vUO7L_I6Wg^>X^@CtlV`Z;-vs)z z_C!i34NpS>)%dB1@DpyskO|q9FsHx+5k4M+-sLS*JTnI1x zueUjuwrs7IU|NCqU=9>jIp8Yag^>^xW}0racm%1amSdYyH|YnV4@6|KX_@npmf0z5 z@@cuGF(n;N)@zqAu<6JF)Bbc4!X4({y{Y@U%$A>eZsyfSL5IQa!~tMyYpdpnPy*8V zOkc)U%)(@oDM&>fw_ChZ6%5A3GzSN`;pwpn+;Q^sM}J*+_y~Plb@}+_;{L()&wac5 z#cTKM+FZGT{PehY^1WRje|YBN`A>g2xJB;#^q}#ia^#&` z@o#QFv15Mbp;J45yG%Rvr#`v=&{rqr-#>W%^kX00bkuv|z#E^vbmg2VpFMQp>Br;6 z(X*G`U4MpqZ$6d3a<204$%S+0uOeRG|L%^rzudj!{nI}^^EvYNzON4++5{w4C6`<-$sNkb)8*-s+$ERX zU3@~MQbb1`=nE?-zEG(MR_fRT^Tkx=CeywVwIDL-#w>MICWUTA*1g!9_8<6u_X@f~&vXTm9L@*tiLPCh_VqNQeKZGnx3KmT# zO+yPw#H`I#4(E-0mtMdoY%(i{CPfy(hH8YAJpkQpAP=JZQ$`HuTrTJ^A1-`h;J3^) z3H^RCllv?-?ypTJQM6rc6$rAKby6GE+FE0D0J90F9A1OK{ZOmYZ$9SXEdr2;uTXPrZaXStGb>Tp8FXC;QVHWO`WXN&LM`tqTrEIlm zC3!<*Si)sd)o5OgHgpnevz02EDd{>|g#hMgyz0URlH#VOV02BJ`39nfCDO|#%qAb3 zasn~VU`UBL*BvFM?ibt+tsuj$tL`!*0WnAmjA##CbR%S|b*|wZFIE4)w(p??flwex zn2`{GVpTLrMvh@FF8qLV+KkIdl{nEIy*F02u8b)NKI&`@%mpYe#7J3jIwO08ki%i> zZuQ1=qYm3@*=c37c&BI(qmc*n)mq`}y}HnwG~9GbErl!nxHIA})qrH1c%l((rE6_Ab4-D)Zx>PW2YVtU2zCVtp~ 
zf=OIbgJ|UobH3cA)KZ>Yt+}<%5COX!SfhQ``R}FTy5oy7+3ZL(#a)x)sb$N|uR%BmN!Me4QX-bbw zS;JY2E@-+?Y9|qO-;OXFCyas~!ZUwp(Hme*WFwYT7dXZbycl1VU2If`Jw$9{CK4tS zeQ31d3LA+ge|5L8O$QDQV!Ea1Fo7zLY}d0Af|4Lbh>Ba-?J-+P{8*clc8;3DmImy) zUK&j*jeM)_RmYu@98a$<>Dw<$)MGMC#Cl%Z(V zn+C1_bvt~>yL-{!3ku&ZeNZ?A!hkO`%Nk7+e6Y^xXcuqOOjI#ORJK(_jT^LT1}l!r zc1jP6Ih9e@5+-l$&?&Sl2d)lf_oxgD5 z2wr*%dF}qEe)GG7M=xIg!!h~Bf9&&jl8-W!_?P`ZdHk8%2gSt$&wYNj4SstZ{qmTx z@B940xBvAb_|GS=`_+rlkBQfR_Ji#wIduI8M?U@in_nC`y6=V)-(0%wvFY>gfv>)N G<9`88*AWK* diff --git a/machines/core-services-01/secrets/oauth2ProxyKeyFile.age b/machines/core-services-01/secrets/oauth2ProxyKeyFile.age index a62c1af..2b687e2 100644 --- a/machines/core-services-01/secrets/oauth2ProxyKeyFile.age +++ b/machines/core-services-01/secrets/oauth2ProxyKeyFile.age 
@@ -1,26 +1,28 @@ age-encryption.org/v1 --> ssh-ed25519 lHr4YQ f3xLHRyIx6oPATsv5yBq+pWpDkwJ2xt3axevMNjIUgA -RK2bLPZ1dwDExqbQ1Mft2Z9xGHpxSTDuTv0AgplnFzw --> ssh-ed25519 h6AgbA fPy5Lv6ZcYB9xDyeHNTueRKTvvC6OyCrkHzF85dmhh8 -VzMkn6iaC+gwDXkaCzh7ILTdWMBqUYvYmrQPbiB+82k --> ssh-ed25519 Wu8JLQ BSn5p0Wuv8CuiHJ6AdLuBLOst/2/mK1fs+zmgYao6kg -m/NfBqLzcyTad8UbiDSMI3EmcHWccpgV/wRKKeSO6bQ --> ssh-ed25519 cvTB5g GP3EP+t8uJFKGAKBwwO7CmXa3JGTFePTANSINPdQuAA -DoGUKpuZTQ36hM4B7eqwbfGGKM+pxsYtoL5UjEeVdD0 --> ssh-ed25519 /vwQcQ K8J9qbUjPPhuYZ4/2rGZWX4Fb60WZACwmFPGXUT9Yjw -N6lTZVDVxTfZTSagaOi4dbVzylljwGWAd06GbeVloRY --> ssh-ed25519 reTIKw +7n56fmzzYOkArtH0Zeh26zHlE/lWz1gqyoCZEMMRDA -E6/dLGVaryFfqf+7DmwKghtGmtUUGpMFFwaZc3OvJ/c --> ssh-ed25519 85WiGg aHBishjeSTuv/TYVcZQzALC8DHPbYHf9dj+igMnkkn4 -HwmPoIqV3Y/34Azf892K9nGJ1hh2KWAh3IzLiGVKeOs -> ssh-rsa krWCLQ -A2IHEB1lR/eHwOM1adPnvYZUmJ9Gf8ADZvOpzHmxVC54VP5EZLnzpcdzIKlM4qOe -vYs7PdGJ56iGd3JS2khyc5oCc/NEYu85i4eyK8Y8JMqSFyYVNpH5rVY1IuHhIwW4 -biLSvPhKejtcjGkJZGebm2yA3TuhS5peZRUBh2v0sf+PjblsULrpupSRYAs1IndZ -1/Brrub4BfFihZh/uCN1iq+lWxUG5K1AR4UhrX7s/qq21sIP+hlhsTzwj5WoeSPV -rrYzi7E1v8nP6YsP965PjNFq5yJYKRZdw/QosmElRF4Ar3PP+fROFLfA45LmQpLh -z2P/QZKQ7BaANqtz1ryIZQ --> :N*xgmZ-grease S 6b.gme t1.-?(l6 -JJi5KPF7Y07dJexK5CNlZVeYnM+DaRUqYjChAQO041COvkfVF1CvwLTYZAsZbw ---- RKQ3nSQxdSjoVBEtg4TrEL30ooOTpyZAXT5TcOM4qWE -zƦ6JRURh/ &5cKG%hpI;.NQq"hq|7nC92/"ɳ&uKʪmCB-Y̫jTkk Kۋ]}ˤiރF}ٟ- 82N}Ȝ(JAd_Hi0T"8}Q$ \ No newline at end of file +U2lxIvw7gRCjMGutUFyq+qGiCIFlbsPdbfzqy7b27d17aSjXds3WwMPUQajHMGXl +tmM/gDCOV8aY+EkM8nQIKdSGNZPwWHlqFyBpH7b18xTT+sWLBZnKcQqVzdF5n1yH +s6LjbcstDiCy3h20hfOjoi+qvK8AGbWnLueDI4g/BWCLBUmAC6zPX04GFAstzg8e +b8wcTCsaeVJkEVvI9caJsFpoxKttbjWUOb2jOzquyi1vIc50vWBNLlulzf0Cd523 +niyjvtEyVRmHjTqs2D97DLuKEE0U8x1ecI7FUwyDQWFj4RmmoKm7TOvGva+alol/ +mclOlWBaMuji0SWwR4GQyQ +-> ssh-ed25519 85WiGg oTAqEjy2kEYw0EEDFzmv3EYWY3gKNDGsWbztSN6DG3o ++Q5hzzJVgdtFiNtbC37n9tZsNK+onqp4P0myPLpGU0g +-> ssh-ed25519 reTIKw SOCoiYn2OZ0WbtgQFsJE6m5lbeat36SVF8Om6NHha1I 
+BLsO5DrNci2ShXI3wBb6u6Advjc7sOCXEBd6mSawkEs +-> ssh-ed25519 /vwQcQ zXWEMSbRm2mI4KoMj2tbqP26LTAcxeyLUv5b/UzTaiY +HMOyH5OV0XmQsLOtzIsHf3UFYKUoEswt1a6JOu/gl8w +-> ssh-ed25519 cvTB5g 1HPXsPtGaCCHPHEXQKVNLRGXb28S3hXUAyT26No80gE +NwPkRoRdd2juOWHyJV2aNwVQzGvwpf29mKtcyKSUHKc +-> ssh-ed25519 Wu8JLQ tio1Sb9rHwAvoDRH783Ts9S+mS2MWnsqw/L4/To1lgc +Tfx0a/UKGiiMsp8rkhbaLpsS4JJIgMeWCDRZ1CxWSHc +-> ssh-ed25519 vXYJfA GnXJG4bbDQxls3yLVd22CHmrrkAZYQNbXcpr0iH/8HY +uyr6VTHwfU7FjA29IJM9EP37K+QyiWIrG6CUpWyi4o0 +-> ssh-ed25519 h6AgbA p/FApRwDrQNMdSPYV2U+CyGqdYZG+enC/TJ+Ht5RtCE +T6e2S9gZVi24ayGzKGHL19Ezv//f/0+BUAnkCf6g8No +-> ssh-ed25519 lHr4YQ JQXWGrVi8YLfI0DWfdyuxKPGVa+SvHIm95YGzsyvdho +yvQpw/1GuVOqBBFwflDXvcIhuw0ABqqwByJH/VPRICg +-> J9VGuOkA-grease + +--- aKOWgh7PjxocWWeImr1UYJhhFMlzDJXvP+Jfbrl3Zzc +7T0ZH48ntjlh}J_궞PMw%tgm=[+nbeH`ёyMe\WU7ӵLB 2o]cS~է2C5Mybi62~:BFh1B'lm`fKvsy%!2~$\^ \ No newline at end of file diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index 9925641..79b0d6b 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -2,7 +2,7 @@ let pkgs = import {}; lib = pkgs.lib; readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); - superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf"); + superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "hubrecht") ++ (readPubkeys "mrf"); core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU"; systems = [ core-services-01 ]; in diff --git a/machines/core-services-01/secrets/snipeItAppKey.age b/machines/core-services-01/secrets/snipeItAppKey.age index 3a393c2..cd9bebf 100644 --- a/machines/core-services-01/secrets/snipeItAppKey.age +++ b/machines/core-services-01/secrets/snipeItAppKey.age 
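Review bot: Adding `readPubkeys "hubrecht"` to `superadmins` only takes effect for secrets that were re-encrypted with the new recipient set; the diffstat lists seven rekeyed `.age` files, so check that every secret declared in this directory was included, otherwise the new admin cannot decrypt the ones left out while `secrets.nix` claims they can. The same `hubrecht.keys` file is also added to the key list in `configuration.nix` in this commit (which account it authorises is not visible in that hunk), so one file now grants both host SSH access and secret decryption; a comment such as `# superadmins: every key listed here can decrypt all secrets and is also an SSH key in configuration.nix` above the binding would make later key rotations less surprising. The `let` block starts outside the hunk.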
@@ -1,27 +1,28 @@ age-encryption.org/v1 -> ssh-rsa krWCLQ -i/TW/dUpeS8QL9ZJg7xKdGW65D1SWFjMpolf1BgEs3hm6uI2W3RWUb5S1PEs6HdF -l/yiJtZeBC0e0QbaQ776fiy0MSmuMgcRbJJ1rjloGwFzwwvtqhQMG8rLp70IPZoV -F6sUz4jKHaEjIVVbRokdfIKMSnhRXnbW5domOxPmZjXck7YxaR1zqD4S9PtH12Q/ -P+l/IVS6+tuWlaTs+1FY2pQ0ppPkwxBirm+4/dxD7E5MkOT0OFcpopI225u2vJAz -Hfk6SBhWuOu2GFfLDS3sS+50kvx1MNvMeb9qVYHkxE8tXhJxOpykkzwYktYp17jY -m+rh1gMPt+mZV2ELaZkGjQ --> ssh-ed25519 85WiGg TSVInZQdH1ZbhSG+FptwCu96UX1SHAhQNculIk8nVF4 -L1ptiGhMZN78uu1TQ2qVV73+lhlgD34g7xt/AL268Dk --> ssh-ed25519 reTIKw vrZd8hFFywOmDJxAq58Tt4Wdq2ovft1IDJqCvkpRU1o -9TmODia85CwXZmzdxk6W4LCflCybq7O1WWoqG5vxENk --> ssh-ed25519 /vwQcQ NSJNN/lRO6TbOQTlY9bT4kdEuP2hElmNIcKRI4ilrQY -eGIr9VQSrbG4hB2XQGYXquQVZIkLRq9g9+Ap25YSWSQ --> ssh-ed25519 cvTB5g 24UlsKN0XaA6wW87zj5PkPy90LUmdJe80FV2LVLiwzk -57VJ2pf45+r7CgMdr/78ngWll12Se7dS993i+YKp3Vg --> ssh-ed25519 Wu8JLQ wgWSOp5VQzF+pvL338wOwaJ3RIIi1I4SNqW+vT6NQF8 -HVTfWqmf9CnEkHFpu9NWYagwwBdW8NumwFcUvSlb9i8 --> ssh-ed25519 h6AgbA ZRjMQkjz+sw2BZh/myaSnMgz8cngGM9wxQf6L6uPxE8 -OgYfhTQe4iB9SyL8iReQByA9N5VcUC/YvpvbPIgp/3U --> ssh-ed25519 lHr4YQ JAnhqkgzuCDsmDYnRG/DL/MDrfA/0uCZ1kpZSWiuPw4 -uMPzV/uWAozlffoqIDtTcI5CI3FAzM5fzDuupAzgE4w --> 3[k-grease l5" cr(}p5 s{\538Js -uR+N+zPd323E/1K5MdNaPzAeNYBYfbmmsxtQRufVjMj8jobBLhHq4RVJ/E57t8yv -4Cxp ---- 1iiPH5I9CDFZwZQwRbhKnqpZ08vTMP1u4pU3+hNpubk -ےf(Tח,4\hKT džq)e+}u 'hN/䶢6B4Kң \ No newline at end of file +gBB9yfHVs4Zgm30rbXOkQNZjOuQVFt9Mos4gBoM09M2psLLxWzsoQopWVcvbV+sY +oZAThV5F2E+RbOP2e9+o5P+rxCcJa8aAXovtmH2BZvr87jNi8tebH1l0Gjn0I85C +B+vv2/m1KCzisCR3p6yaqBiqyETacWRCuILVxKbpnKfVX5ymb//9U0tRbz3BIFH1 +i3bAD8j8H4V/5SC5RmYwVeBhdGqEaNX0Qehh8AhDkxoqMT3Xeie93eIK6tyAZuyO +oQezqkUmozq+uvo6PHZvY/auTYb17QTY0s0xf30NnQoqwtVXnyu6xPx+qlj+M99Q +Y/s8SFF+STLrAgK9MN0i8Q +-> ssh-ed25519 85WiGg zkLuTpJaBr8T0XjuC9i9NTxYUPhix9nLlShohTtgmyA +QwdgD0ihIpJF8D54x2Lg+6CE2yV9nLBZ1oOf/iwUKi4 +-> ssh-ed25519 reTIKw wB2xC902eZiPXXU9n+oQSocx6J9h5IK0jU4GqmB1XUI +awLSPDqOAOM2g7Wrg6uCMeDRVljl2cdZ40gHDON4DCU +-> 
ssh-ed25519 /vwQcQ adFZcuzNWIhLFDhF+FjfnMGTpijt4IKO266M8xpZTHs +WR3ig0R6ZgtYLxhN7bm5SNJ3klYvEkMlLeuC/GBxi0U +-> ssh-ed25519 cvTB5g 8Gl7qbc7VZvkjjHesgfgdvtsCntNCxyUU3hwXMaIJUA +uEJwhJJa87+EjpTE/+3jPnNtgFTHNZkah78URULI1nM +-> ssh-ed25519 Wu8JLQ buWP/UWAYd7nAAdIqJjkKq2q3Kcj/TtTm9MacGkoMh4 +g9ngALRdWC96t7FLES79gKQNK34WbKHqdw4OCryGx74 +-> ssh-ed25519 vXYJfA KT8pRDwADkV4ySKY6HejWKp57aQUWpor7x67x1Sc3wM +th+47fUL5KOak1tEeHslVg9KSxw5DPIO6T/UtfEK6kY +-> ssh-ed25519 h6AgbA 8kWKdngdG4RbvQHnkHpygz1fhzMXpGafXltQNa64mAU +hZZTmthndfMdMZiaW0bLxfiySzFgnKmd6t4u1PxLG9s +-> ssh-ed25519 lHr4YQ JBCRJtCaEH/Dp2em66/ckqFva6JpyeUAHJidVysAsmw +SGyzp26GIo+D4VQdzJZEBUZYvAhc/SZy6rdd6HXOawY +-> 1-grease +niVrY0FwL41sfeE9fB6hg+z0LWMXwce194f+IIL/F8JMIfTnFB0CRAn1OGQ +--- pMIf8bANx+QsRTqnWxPmnJm6DVMmJBEO+emeOdLeeec +.AzJQ[)s!2m  ssh-rsa krWCLQ -gPydOcolFG+axyXPVVYYjjr0hypl/xczmMM+W+BbfZFaAL0TqXpqRgjtZSNvA+oh -+JHdr+/8IHh2qCS2vtzuH5lAsjM4h4FPPnGixX1SI9eNH14b/Otmoa/OtQD4pHcB -PYbh1yh4AILggg1ZMdttS+FUuMtu2A6y2NZYSkbBLy9dwEdZNBs0/cX/xNEqK72V -JF0BuGYvchyJ4ec4/m1od94dVva5qKUvK6mr0u5XPXObEOdZ8jJwZodJjrpDaEHJ -/yt8svY6upoXIdM4dVbY0Ab1VCwXf+tbGuwypVJF2TkeVW5tbImxuoTPE5XNdKLF -XU6RfHzLjUnG1T+dObb9gQ --> ssh-ed25519 85WiGg lVvfjaLUhjdWgRnz0supjMNc6pDpbeEy2Z0fFOc7dkQ -srngyi1Wdi1lcXFK7MJtqt2koZkopcXX+hOFENHXJgY --> ssh-ed25519 reTIKw ubW5n+mkAgxwHT9okMRWoE9k5ZpWN7UQDrvRwgS3Xio -O7GRq35wulhSadIAJ7C0ekLQQVk209yGiSaWg/VNgYU --> ssh-ed25519 /vwQcQ 0FZbpEDS3xuKyPOSExt4wb/Oi0xlTivdLlpKuXicqx8 -3ZMA31MUD76KNK1+yX2473wDSv0oyheT7jAmvnbPJNg --> ssh-ed25519 cvTB5g 04++RfeztjNzyHMW7WhxdAWoWT5NyatCN8zf7xFYiCw -OWYQ3oFR+/NjY8skMpzd0eS9fsAeugO+loiq4ZqEVWo --> ssh-ed25519 Wu8JLQ b5BEsw8GS+LUcLZ7h36WDHp1uunlVymEcCmAcs5xaHQ -4xs/EAPRD4Z/rL3zisjGmslVt7OHx+Kh1kJmdBAxED4 --> ssh-ed25519 h6AgbA wNeprhlhTORbN4WFxWPJO0DV5vBVteE297O73EfngD4 -sceiHAg3S0aZ9xGIsw5VaPJkAWCci03SrHM520pb+Gw --> ssh-ed25519 lHr4YQ v6dG659zPeUqbyT8To8oGf6Kp3y15Z2YjlzdLVK3FCI -wB7EFm4tsgkaYexLfQM+lkNtUr09GWlLnh7CbgX3Ifc --> =-grease zZ5 e./C_ 
-z1vYPnfdTh+G0bc+UvV1EZMSfaNDsWiDHJ+W+1CB2+Z4pOnQt2jBFPYv7rE ---- LbcSlaucZaWsTqBR9PIA46r00cfJtG5ndinWSzsnl/0 -1h~sȰ#-FX/2.ZF?wE]ic.%b-wt܌q_%} \ No newline at end of file +LCJxUzS4Be2QQABzubSP5M9Ridg3Srytbb6+SLITgnRqb0fT5XkG7z4ae2lLMVxT +zJxrZX1crlg/nyibZychMwZDqNofGGKX/zSKyF6u42hqjAtaDneg6jB/T690sSpD +LcuTHUcPLw53bww4amLU5FmFcnGWMHTjmXj6oQ5lks3t3KO9izA+gDJO5kFIYgQa +Z0kMrlH21m2TdyGW7Er72qAlT0euwCKlWGGc1NAaSWyu/2gimTHJ4p+KCOpi1D7/ +cIxMEtXHUoS/vtINi1lZypETVZf9C3xfqZGCnu1xTpFcF8pBLskI/Uz4cxQGLAk3 +xd5fKuNVBnLc0Ku+oFR3zA +-> ssh-ed25519 85WiGg N5HOphuKLUksJTA29E/KHZAdyvTelqq0Lai3KtsGNi0 +6PilN36eZH8KYzQwqeLPX3wuiW4THuFef+ttoJh0BUo +-> ssh-ed25519 reTIKw epotGRShr91lRc2IKDkgfaDd4EhkDtF1jayFv/YW5nE +mMFKyzH1q8ZsUXfLnqFfHT88iz/i4WXVVuWqe3z9vx4 +-> ssh-ed25519 /vwQcQ DvVlWcbAA/xPTgDtpMmSyC2wxrnOM4H/dC1Vhh5Rmhg +JCq1yS057vqOFKZL11YhC4/rxYIRGAUI0y97Uch4tS4 +-> ssh-ed25519 cvTB5g EQ/YM5UYYp3+fS+6u+CwZxUn8Sm8vdqj5xHQf0U0MGc +mVhpObNYWSrAlh8kfADzGnhOw9O2r07v2RJH7DZhFkg +-> ssh-ed25519 Wu8JLQ k91dq2XwhgvE2Y75KAJWzFlPLXv+8+kTvH7sELmsViw +gpnxsNgbeuCYBYUt8j3mGm10rOGAoN9NDYVbObE2zXc +-> ssh-ed25519 vXYJfA fOpqzkovWF/hLUrsjrDwFUsKG3Pa7LQQ2QTiYWT4Ux0 +AM1EdbC+Sg37PZzXf6vsmeXSMMjXRVQT3mq000cmPw8 +-> ssh-ed25519 h6AgbA LWhZtBUJXu15GEIwSyKraXkaO8CO7/TuLSxsnbagQTk +1/It/vtykYe2NzG4r2J53yW+ZS2rgtUVNv8hlWYQnwY +-> ssh-ed25519 lHr4YQ zEMhvSZsUOiM+XEpuTljfKE1MqyxqxuL0yuKTj6E1Vc +J/pYqeaTK9NLIhSKeB0CFSFNLkVeV2C5enKVIRy5+Po +-> #Oj-grease fdq ltL1r ohAHn[aU QF%DKt +G2xXhW58AunOBXwtl1mD/DqdsHRoyjMvVl310MPWNFSSmLhG/UG7pQf3GUNsfThQ +lCvckvUfcYRen/hrEFhtyg +--- zwJ1Ma9A8rDbUQLAFpDNLs+2Iv6RQvEGlDFj9HVDRRg +;>qg4*b~G+x8 +,5!4:֖\go \ No newline at end of file diff --git a/machines/pubkeys/hubrecht.keys b/machines/pubkeys/hubrecht.keys new file mode 100644 index 0000000..07fbe76 --- /dev/null +++ b/machines/pubkeys/hubrecht.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv3iSpIjeUVDf+f89Hb/L++vzMX15Ti/PZTjAAG+tFl -- 2.47.0 
From f410aa4c7585b563ce5cf67eef69f3fa25eaf363 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Wed, 25 Jan 2023 15:35:41 +0100 Subject: [PATCH 70/88] core-services-01: Switch to systemd-network --- machines/core-services-01/configuration.nix | 65 +++++++++++---------- machines/core-services-01/my.nix | 20 ------- machines/core-services-01/network.nix | 36 ++++++++++++ 3 files changed, 70 insertions(+), 51 deletions(-) create mode 100644 machines/core-services-01/network.nix
diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix
index 7aa5220..d8284fb 100644
--- a/machines/core-services-01/configuration.nix
+++ b/machines/core-services-01/configuration.nix
@@ -1,37 +1,40 @@ { config, pkgs, lib, ... }: { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ./nur.nix - ./rz.nix - ./monitoring.nix - ./programs.nix - ./system.nix - ./acme-ssl.nix - ./dns.nix - ./netboot-server.nix - ./qemu.nix - ./gitea.nix - ./dokuwiki.nix - ./nginx.nix - ./keycloak.nix - ./acme-dns.nix - ./backups.nix - ./headscale.nix - ./snipe-it.nix - # ./dex.nix - ./oauth2_proxy.nix - ./secrets - ./matterbridge.nix - ./tunnels.nix - # TODO push to gitea - # TODO ./gotify.nix - # TODO(Raito): ./backups.nix - # TODO(Raito): ./snmp.nix - # TODO(Raito): ./sflow.nix? - ]; + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + + ./acme-dns.nix + ./acme-ssl.nix + ./backups.nix + # ./dex.nix + ./dns.nix + ./dokuwiki.nix + ./gitea.nix + ./headscale.nix + ./keycloak.nix + ./matterbridge.nix + ./monitoring.nix + ./netboot-server.nix + ./network.nix + ./nginx.nix + ./nur.nix + ./oauth2_proxy.nix + ./programs.nix + ./qemu.nix + ./rz.nix + ./secrets + ./snipe-it.nix + ./system.nix + ./tunnels.nix + + # TODO push to gitea + # TODO ./gotify.nix + # TODO(Raito): ./backups.nix + # TODO(Raito): ./snmp.nix + # TODO(Raito): ./sflow.nix? + ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; diff --git a/machines/core-services-01/my.nix b/machines/core-services-01/my.nix index 994190f..4ac6d20 100644 --- a/machines/core-services-01/my.nix +++ b/machines/core-services-01/my.nix @@ -99,24 +99,4 @@ in example = [ "10.1.0.0/22" ]; }; }; - - config = { - # Default IPv4 exit route - networking.defaultGateway = { - address = ""; - interface = "ens18"; - }; - - networking.interfaces.ens20 = { - ipv4.addresses = map mkAddress cfg.ipv4InternalFull; - }; - - networking.interfaces.ens19 = { - ipv6.addresses = map mkAddress (cfg.ipv6.standardFull ++ [ cfg.ipv6.acmeFull ]); - }; - - networking.interfaces.ens18 = { - ipv4.addresses = map mkAddress cfg.ipv4Full; - }; - }; } 
diff --git a/machines/core-services-01/network.nix b/machines/core-services-01/network.nix new file mode 100644 index 0000000..d3579be --- /dev/null +++ b/machines/core-services-01/network.nix @@ -0,0 +1,36 @@ +{ config, ... }: + +let + inherit (config) my; +in + +{ + networking.useNetworkd = true; + + systemd.network.networks = { + "10-ens18" = { + name = "ens18"; + address = my.ipv4Full; + DHCP = "ipv4"; + }; + + "10-ens19" = { + name = "ens19"; + address = with my.ipv6; standardFull ++ [ acmeFull ]; + + networkConfig.IPv6AcceptRA = true; + + ipv6AcceptRAConfig = { + UseOnLinkPrefix = false; + UseAutonomousPrefix = false; + }; + }; + + "10-ens20" = { + name = "ens20"; + address = my.ipv4InternalFull; + + DHCP = "ipv4"; + }; + }; +} -- 2.47.0 From bd22c63ec4ed133ec7668841bf3bc69584133461 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Wed, 25 Jan 2023 16:55:22 +0100 Subject: [PATCH 71/88] public-cof: Switch to systemd-network --- machines/public-cof/networking.nix | 57 +++++++++++++----------------- 1 file changed, 25 insertions(+), 32 deletions(-) diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 981eff0..39d232f 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix 
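Review bot: `10-ens18` and `10-ens20` both set `DHCP = "ipv4"` with no `dhcpV4Config.RouteMetric`, so each lease installs a default route at the same metric and which uplink carries IPv4 egress depends on lease timing; the later commit `core-01: fix ipv4 routing issue` in this series adds `dhcpV4Config.RouteMetric = 2048;` on ens20, which confirms the problem. If ens20 is only the internal 10/8 side, giving it that metric here (or not requesting a lease on it at all) avoids the misrouting window. `10-ens19` accepts router advertisements with on-link and autonomous prefix use disabled, i.e. RAs supply the router but not SLAAC addresses; a one-line comment such as `# RA only for the router; addresses are static` would keep that from being "fixed" later.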
@@ -1,44 +1,37 @@ { lib, ... }: -let mkAddress = addr: let - splitted = lib.splitString "/" addr; - elemAt = builtins.elemAt splitted; - in - { address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); }; -in { + +{ networking = { hostName = "public-cof"; - # Default IPv4 exit route - defaultGateway = { - address = ""; - interface = "ens20"; - }; - localCommands = "ip route add default dev ens20 metric 10"; + useNetworkd = true; - useDHCP = false; - interfaces.ens18 = { - useDHCP = true; - ipv6.addresses = [{ - address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; - prefixLength = 64; - }]; - }; - interfaces.ens19 = { - useDHCP = false; - ipv4.addresses = [{ - address = "10.1.1.21"; - prefixLength = 22; - }]; + firewall = { enable = true; allowedTCPPorts = [ 22 ]; }; + }; + + systemd.network.networks = { + "10-ens18" = { + name = "ens18"; + address = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5/64" ]; + + DHCP = "ipv4"; + + dhcpV4Config.RouteMetric = 10; }; - interfaces.ens20 = { - # 1st is for public-cof - # 2nd is for IPv4 → IPv6 proxy in v6proxy/ - ipv4.addresses = map mkAddress [ "45.13.104.27/32" "45.13.104.29/32" ]; + "10-ens19" = { + name = "ens19"; + address = [ "10.1.1.21/22" ]; + + DHCP = "ipv4"; }; - firewall.allowedTCPPorts = [ 22 ]; - firewall.enable = true; + "10-ens20" = { + name = "ens20"; + address = [ "45.13.104.27/32" "45.13.104.29/32" ]; + + DHCP = "ipv4"; + }; }; services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]; -- 2.47.0 From 455fd180d2b5a656dd87b2f5973cec4ac217bb5a Mon Sep 17 00:00:00 2001 From: sinavir Date: Mon, 30 Jan 2023 21:21:29 +0100 Subject: [PATCH 72/88] pm=dynamic --- machines/public-cof/nix/sources.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json index 3209971..4043d80 100644 --- a/machines/public-cof/nix/sources.json +++ b/machines/public-cof/nix/sources.json 
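Review bot: `10-ens19` and `10-ens20` now request DHCPv4 (`DHCP = "ipv4"`) although the removed configuration explicitly disabled DHCP on both and assigned static addresses, including the two public /32s on ens20. Every interface that obtains a lease installs its own default route and DNS from whatever server answers on that segment, so unless a lease is actually expected there, dropping the `DHCP` line on those two networks (networkd defaults to no DHCP) keeps the previous behaviour. Note also that the old explicit `ip route add default dev ens20 metric 10` is replaced by `dhcpV4Config.RouteMetric = 10` on ens18, so the preferred IPv4 egress moves from ens20 to ens18, which the subject does not mention.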
@@ -14,7 +14,7 @@
 "klubrz-nur": {
 "branch": "main",
 "repo": "https://git.rz.ens.wtf/Klub-RZ/nur",
- "rev": "9c43904eb242455ca3db9466c5679c81aa92741f",
+ "rev": "bb95bbed09ccb2ae5ab5a8e02537c4c28c46d27e",
 "type": "git"
 },
 "niv": {
-- 
2.47.0

From 244c8027aa0adc6545a67f4f6d3d2e51ea40b08c Mon Sep 17 00:00:00 2001
From: gabriel-doriath-dohler
Date: Thu, 23 Feb 2023 23:59:59 +0000
Subject: [PATCH 73/88] feat: Add sinavir's keys for `core-services-01`

---
 machines/core-services-01/configuration.nix | 1 +
 machines/pubkeys/sinavir.keys | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 machines/pubkeys/sinavir.keys

diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix
index d8284fb..819ad48 100644
--- a/machines/core-services-01/configuration.nix
+++ b/machines/core-services-01/configuration.nix
@@ -85,6 +85,7 @@
 ../pubkeys/raito.keys
 ../pubkeys/mrf.keys
 ../pubkeys/hubrecht.keys
+ ../pubkeys/sinavir.keys
 ];
 
 # Open ports in the firewall.
diff --git a/machines/pubkeys/sinavir.keys b/machines/pubkeys/sinavir.keys
new file mode 100644
index 0000000..471d054
--- /dev/null
+++ b/machines/pubkeys/sinavir.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o
-- 
2.47.0

From 66c40b1026484c8673989babc531625d7c23e40a Mon Sep 17 00:00:00 2001
From: gabriel-doriath-dohler
Date: Thu, 23 Feb 2023 23:59:59 +0000
Subject: [PATCH 74/88] feat: Add sinavir's keys to `public-cof` and `remote-builder-01`

---
 machines/public-cof/configuration.nix | 1 +
 machines/remote-builder-01/configuration.nix | 1 +
 2 files changed, 2 insertions(+)

diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix
index ae3fce3..cb19ba2 100644
--- a/machines/public-cof/configuration.nix
+++ b/machines/public-cof/configuration.nix
@@ -55,6 +55,7 @@
 ../pubkeys/gdd.keys
 ../pubkeys/raito.keys
 ../pubkeys/mrf.keys
+ ../pubkeys/sinavir.keys
 ];
 
 system.stateVersion = "21.05";
diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index ad971fb..286062b 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -64,6 +64,7 @@ users.users.root.openssh.authorizedKeys.keyFiles = [ ../pubkeys/gdd.keys ../pubkeys/raito.keys + ../pubkeys/sinavir.keys ../pubkeys/remote-builders.keys ]; -- 2.47.0 From 3f2e795b0e1e080c90cca360c39b3fdbb26a1dc1 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 23 Feb 2023 23:59:59 +0000 Subject: [PATCH 75/88] chore: Rename module options --- machines/core-services-01/gitea.nix | 8 ++++---- machines/core-services-01/system.nix | 2 +- machines/public-cof/acme.nix | 2 +- machines/public-cof/hedgedoc.nix | 2 +- machines/public-cof/system.nix | 2 +- machines/remote-builder-01/system.nix | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/machines/core-services-01/gitea.nix b/machines/core-services-01/gitea.nix index ddfcbae..26402d0 100644 --- a/machines/core-services-01/gitea.nix +++ b/machines/core-services-01/gitea.nix @@ -13,11 +13,11 @@ in httpAddress = "127.0.0.1"; httpPort = port; database.type = "postgres"; - disableRegistration = false; - log = { - level = "Warn"; - }; settings = { + service.DISABLE_REGISTRATION = false; + log = { + level = "Warn"; + }; openid = { ENABLE_OPENID_SIGNUP = true; }; diff --git a/machines/core-services-01/system.nix b/machines/core-services-01/system.nix index 827bd11..3ab02d1 100644 --- a/machines/core-services-01/system.nix +++ b/machines/core-services-01/system.nix @@ -8,7 +8,7 @@ # Auto GC and store optimizations nix = { - trustedUsers = [ "root" "gab" ]; + settings.trusted-users = [ "root" "gab" ]; gc = { automatic = true; dates = "weekly"; diff --git a/machines/public-cof/acme.nix b/machines/public-cof/acme.nix index 3911368..9e03a21 100644 --- a/machines/public-cof/acme.nix +++ b/machines/public-cof/acme.nix 
@@ -1,5 +1,5 @@ { ... }: { security.acme.acceptTerms = true; - security.acme.email = "club-reseau@lists.ens.psl.eu"; + security.acme.defaults.email = "club-reseau@lists.ens.psl.eu"; } diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index b4235d5..23c8782 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -5,7 +5,7 @@ in { services.hedgedoc = { enable = true; - configuration = { + settings = { protocolUseSSL = true; # scp =; # TODO domain = "docs.beta.rz.ens.wtf"; diff --git a/machines/public-cof/system.nix b/machines/public-cof/system.nix index 997dbdd..b3a1d4c 100644 --- a/machines/public-cof/system.nix +++ b/machines/public-cof/system.nix @@ -8,7 +8,7 @@ # Auto GC and store optimizations nix = { - trustedUsers = [ "root" ]; + settings.trusted-users = [ "root" ]; gc = { automatic = true; dates = "weekly"; diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix index 9bb13cf..81732ab 100644 --- a/machines/remote-builder-01/system.nix +++ b/machines/remote-builder-01/system.nix @@ -1,7 +1,7 @@ { pkgs, ... }: { # Auto GC and store optimizations nix = { - trustedUsers = [ "root" ]; + settings.trusted-users = [ "root" ]; gc = { automatic = true; dates = "weekly"; -- 2.47.0 From deffb8e1fc45f4e43df5b5c44646084b86dd8009 Mon Sep 17 00:00:00 2001 From: sinavir Date: Fri, 24 Feb 2023 10:56:54 +0100 Subject: [PATCH 76/88] core-01: fix ipv4 routing issue --- machines/core-services-01/network.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/network.nix b/machines/core-services-01/network.nix index d3579be..da02165 100644 --- a/machines/core-services-01/network.nix +++ b/machines/core-services-01/network.nix 
@@ -29,8 +29,15 @@ in "10-ens20" = { name = "ens20"; address = my.ipv4InternalFull; - DHCP = "ipv4"; + dhcpV4Config.RouteMetric = 2048; + routes = [ + { + routeConfig = { + Destination = "10.0.0.0/8"; + }; + } + ]; }; }; } -- 2.47.0 From 2fde8ccf156c88b2200952017106a604b339bd29 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:04:42 +0200 Subject: [PATCH 77/88] deployment: upgrade to 23.05 --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 92a2cda..45c0417 100644 --- a/krops.nix +++ b/krops.nix @@ -9,7 +9,7 @@ let # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "8d3bd93e67201a7c8238e9cbde6d07aba9500636"; # nixos-unstable + ref = "23.05"; url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.47.0 From b88167f46a824194b079410b74010a03bb823207 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:21:44 +0200 Subject: [PATCH 78/88] =?UTF-8?q?deployment:=20fix=20it=20for=2023.05?= =?UTF-8?q?=E2=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 45c0417..140772d 100644 --- a/krops.nix +++ b/krops.nix @@ -9,7 +9,7 @@ let # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "23.05"; + ref = "origin/release-23.05"; url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.47.0 From 42cd2d7b794ebd8184b98760aab945c0dc1cd5e1 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:21:54 +0200 Subject: [PATCH 79/88] public-cof: add thubrecht --- machines/public-cof/configuration.nix | 1 + machines/public-cof/secrets/secrets.nix | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index cb19ba2..6bd8454 100644 --- a/machines/public-cof/configuration.nix 
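Review bot: The added route for `10.0.0.0/8` has no `Gateway`, so networkd installs it as an on-link route via ens20; that only works if every 10/8 destination is reachable on that segment (or the upstream answers ARP for it), so worth confirming this is intended rather than a `Gateway = "<internal-router>";` (placeholder) route, and saying which in a comment above `routes`. In the collapsed diff I cannot tell whether `DHCP = "ipv4"` on ens20 was removed or only the blank line before it; if the DHCP line is gone, the new `dhcpV4Config.RouteMetric = 2048` has no effect and the intended demotion of ens20's default route does not happen.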
+++ b/machines/public-cof/configuration.nix @@ -56,6 +56,7 @@ ../pubkeys/raito.keys ../pubkeys/mrf.keys ../pubkeys/sinavir.keys + ../pubkeys/hubrecht.keys ]; system.stateVersion = "21.05"; diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index c703081..d48cb63 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -2,7 +2,7 @@ let pkgs = import {}; lib = pkgs.lib; readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); - superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); + superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "hubrecht"); public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; systems = [ public-cof ]; in -- 2.47.0 From 793e4d2aeea78b56ddfe5ca3d9d21f3906a1626f Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:22:03 +0200 Subject: [PATCH 80/88] public-cof: add some tuning for lychee --- machines/public-cof/lychee.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/machines/public-cof/lychee.nix b/machines/public-cof/lychee.nix index 944604b..137cd32 100644 --- a/machines/public-cof/lychee.nix +++ b/machines/public-cof/lychee.nix @@ -7,4 +7,11 @@ website = "photos.ens.wtf"; settings.APP_URL = "https://${config.services.lychee.website}"; }; + services.phpfpm.pools."photos.ens.wtf".settings = { + pm = "dynamic"; + "pm.max_children" = 10; + "pm.start_servers" = 3; + "pm.min_spare_servers" = 1; + "pm.max_spare_servers" = 3; + }; } -- 2.47.0 From 55c7194022bcbe79b1ad6009e9a5a3c9cce7374d Mon Sep 17 00:00:00 2001 
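Review bot: Adding `readPubkeys "hubrecht"` to `superadmins` changes the recipient set, but existing `.age` files only become decryptable by a new recipient after they are rekeyed, and this patch's diffstat lists only `configuration.nix` and `secrets.nix` with no rekeyed secret, unlike the earlier patch in this series that added hubrecht on core-services-01 together with a rekeyed `.age` file. Either the rekey belongs in this commit or the subject should say the secrets still need `agenix`-style rekeying before the new admin can use them. Note also that `readPubkeys` turns every line of a `.keys` file into a recipient, so any key added to such a file for SSH login silently becomes a secret-decryption key as well; a comment on the `superadmins` line such as `# every key in these files can decrypt all secrets` makes that coupling visible.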
From: sinavir Date: Sun, 23 Jul 2023 16:55:26 +0200 Subject: [PATCH 81/88] core-01: make it work for 23.05 --- machines/core-services-01/configuration.nix | 1 - machines/core-services-01/dokuwiki.nix | 28 --------------------- machines/core-services-01/monitoring.nix | 20 +++++++-------- 3 files changed, 10 insertions(+), 39 deletions(-) delete mode 100644 machines/core-services-01/dokuwiki.nix diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 819ad48..ac0021a 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -10,7 +10,6 @@ ./backups.nix # ./dex.nix ./dns.nix - ./dokuwiki.nix ./gitea.nix ./headscale.nix ./keycloak.nix diff --git a/machines/core-services-01/dokuwiki.nix b/machines/core-services-01/dokuwiki.nix deleted file mode 100644 index 1ad68e0..0000000 --- a/machines/core-services-01/dokuwiki.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, ... }: - -let - my = config.my; -in -{ - services.dokuwiki.sites."wiki.${my.subZone}" = { - enable = true; - acl = '' - * @ALL 1 - * @admin 16 - ''; - }; - - /* - services.nginx = { - enable = true; - - virtualHosts."wiki.${my.subZone}" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "htttp://127.0.0.1:${toString port}"; - }; - }; - }; - */ -} diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index edf0d20..7015efa 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix 
@@ -36,16 +36,16 @@ in { services.netdata = { enable = true; - package = pkgs.netdata.overrideAttrs (old: { - version = "1.36.0-185-nightly"; - src = pkgs.fetchFromGitHub { - owner = "netdata"; - repo = "netdata"; - rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; - sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; - fetchSubmodules = true; - }; - }); + #package = pkgs.netdata.overrideAttrs (old: { + # version = "1.36.0-185-nightly"; + # src = pkgs.fetchFromGitHub { + # owner = "netdata"; + # repo = "netdata"; + # rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; + # sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; + # fetchSubmodules = true; + # }; + #}); }; systemd.services.netdata.environment."NETDATA_DISABLE_CLOUD" = "1"; -- 2.47.0 From 2ab0cc688587772815ddd8631ec728546a8e4bd6 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 23 Jul 2023 17:52:45 +0200 Subject: [PATCH 82/88] =?UTF-8?q?public-cof:=20NC25=20=E2=86=92=20NC26?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Get us rid of RC4 encryption shenigans. --- machines/public-cof/nextcloud.nix | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 847affd..badd243 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,14 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud25; - # OpenSSL 3.0.x breaks RC4 encryption for NextCloud - # But we enabled encryption for NextCloud - # Therefore... - phpPackage = lib.mkForce (pkgs.php81.withExtensions ({ enabled, all }: - (lib.filter (e: e != pkgs.php81.extensions.openssl) enabled) - ++ [ (all.openssl.override { buildInputs = [ pkgs.openssl_1_1 ]; }) ] - )); + package = pkgs.nextcloud26; config = { overwriteProtocol = "https"; -- 2.47.0 From 6fb8528a9950eb1a9177d28e04831b9c6bbd7d25 Mon Sep 17 00:00:00 2001 
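Review bot: Dropping the `openssl_1_1` PHP override removes the only thing that let the instance read files encrypted under the legacy (RC4) scheme, and the hunk does not show that server-side encryption was disabled or existing data migrated before switching to `pkgs.nextcloud26`; if encryption is still enabled on the instance, confirm after deploy that previously encrypted files still open. The removed comment (`But we enabled encryption for NextCloud`) was the only record of that state, so a one-line note near `package` such as `# Server-side encryption is enabled on this instance; keep in mind when changing php/openssl` is worth keeping. The `lib` argument of this file may now be unused, but the argument list is outside the hunk.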
From: sinavir Date: Sun, 23 Jul 2023 17:58:44 +0200 Subject: [PATCH 83/88] public-cof: upgrade garage --- machines/public-cof/garage.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/garage.nix b/machines/public-cof/garage.nix index 7d25b0a..e2a1321 100644 --- a/machines/public-cof/garage.nix +++ b/machines/public-cof/garage.nix @@ -22,6 +22,7 @@ }; services.garage = { enable = true; + package = pkgs.garage_0_8; settings = { replication_mode = "none"; compression_level = 7; -- 2.47.0 From 50c17c74bb457182da4e91e8a6c4031ac6cce5cf Mon Sep 17 00:00:00 2001 From: tomate Date: Sun, 23 Jul 2023 18:04:38 +0200 Subject: [PATCH 84/88] Add 'CONTRIBUTING.md' --- CONTRIBUTING.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..46ce2a1 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1 @@ +Maurice écoute les conventions de Ryan \ No newline at end of file -- 2.47.0 From 6b6470eef94acd0b64eb2fbaa600815bb3c7fc3f Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 23 Jul 2023 23:36:06 +0200 Subject: [PATCH 85/88] keys: Move from machines/publickeys --- keys/gdd.keys | 2 ++ keys/hackens-milieu.keys | 1 + keys/hubrecht.keys | 1 + keys/mrf.keys | 1 + keys/raito.keys | 4 ++++ keys/remote-builders.keys | 1 + keys/sinavir.keys | 1 + 7 files changed, 11 insertions(+) create mode 100644 keys/gdd.keys create mode 100644 keys/hackens-milieu.keys create mode 100644 keys/hubrecht.keys create mode 100644 keys/mrf.keys create mode 100644 keys/raito.keys create mode 100644 keys/remote-builders.keys create mode 100644 keys/sinavir.keys diff --git a/keys/gdd.keys b/keys/gdd.keys new file mode 100644 index 0000000..b5d4e40 --- /dev/null +++ b/keys/gdd.keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ 
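Review bot: The diffstat shows seven files created and nothing deleted or renamed, so after this patch the same keys exist in both `keys/` and `machines/pubkeys/`, and `readPubkeys` in `machines/public-cof/secrets/secrets.nix` still reads `../../pubkeys`; with two copies, a key revoked in one place can survive in the other. If the old directory is meant to go in a follow-up, the subject (`Move from machines/publickeys`, which also does not match the actual path) should say so, or the removal belongs here. `keys/gdd.keys` lists two keys with no comment distinguishing them, so neither can be revoked individually without guessing.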
diff --git a/keys/hackens-milieu.keys b/keys/hackens-milieu.keys new file mode 100644 index 0000000..c79c039 --- /dev/null +++ b/keys/hackens-milieu.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3+w4+nyJG8lr2mh0S9Zf8j2/6H5smlO87s6KNLlhkF hackens@hackens-milieu diff --git a/keys/hubrecht.keys b/keys/hubrecht.keys new file mode 100644 index 0000000..07fbe76 --- /dev/null +++ b/keys/hubrecht.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv3iSpIjeUVDf+f89Hb/L++vzMX15Ti/PZTjAAG+tFl diff --git a/keys/mrf.keys b/keys/mrf.keys new file mode 100644 index 0000000..ebbfa68 --- /dev/null +++ b/keys/mrf.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe4tx0+lNX2w7kG94c9u7U0wHuOc2A6zpHcbyAs+w/d diff --git a/keys/raito.keys b/keys/raito.keys new file mode 100644 index 0000000..0f48a59 --- /dev/null +++ b/keys/raito.keys @@ -0,0 +1,4 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr diff --git a/keys/remote-builders.keys b/keys/remote-builders.keys new file mode 100644 index 0000000..b1b7645 --- /dev/null +++ b/keys/remote-builders.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ Raito's remote builder key diff --git a/keys/sinavir.keys b/keys/sinavir.keys new file mode 100644 index 0000000..471d054 --- /dev/null +++ b/keys/sinavir.keys 
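Review bot: `keys/raito.keys` carries a 2048-bit RSA key (`ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ…`) alongside three ed25519 keys, and apart from `hackens-milieu.keys` and `remote-builders.keys` none of the keys in these files has a comment naming its holder or device. Since every line of these files becomes both a root login key on the nodes and, through `readPubkeys`, an age recipient, an identifying comment per key is what makes a later targeted revocation possible. If the RSA key is no longer in use, dropping it shrinks the trusted set.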
@@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o -- 2.47.0 From 7f88c60cc22761935cbf0159e58283bf54d72a41 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 23 Jul 2023 23:36:55 +0200 Subject: [PATCH 86/88] Switch from krops to colmena --- .envrc | 1 + .gitignore | 1 + hive.nix | 57 +++++++++++++++++ .../{configuration.nix => _configuration.nix} | 22 +------ ...ration.nix => _hardware-configuration.nix} | 0 .../{configuration.nix => _configuration.nix} | 11 ---- ...ration.nix => _hardware-configuration.nix} | 0 .../{configuration.nix => _configuration.nix} | 20 +----- ...ration.nix => _hardware-configuration.nix} | 0 meta/default.nix | 5 ++ meta/nodes.nix | 64 +++++++++++++++++++ modules/default.nix | 11 ++++ modules/krz-access-control.nix | 46 +++++++++++++ modules/krz-ssh.nix | 25 ++++++++ nix-patches/default.nix | 1 + npins/default.nix | 47 ++++++++++++++ npins/sources.json | 43 +++++++++++++ shell.nix | 15 +++++ 18 files changed, 318 insertions(+), 51 deletions(-) create mode 100644 .envrc create mode 100644 hive.nix rename machines/core-services-01/{configuration.nix => _configuration.nix} (70%) rename machines/core-services-01/{hardware-configuration.nix => _hardware-configuration.nix} (100%) rename machines/public-cof/{configuration.nix => _configuration.nix} (77%) rename machines/public-cof/{hardware-configuration.nix => _hardware-configuration.nix} (100%) rename machines/remote-builder-01/{configuration.nix => _configuration.nix} (69%) rename machines/remote-builder-01/{hardware-configuration.nix => _hardware-configuration.nix} (100%) create mode 100644 meta/default.nix create mode 100644 meta/nodes.nix create mode 100644 modules/default.nix create mode 100644 modules/krz-access-control.nix create mode 100644 modules/krz-ssh.nix create mode 100644 nix-patches/default.nix create mode 100644 npins/default.nix create mode 100644 npins/sources.json create mode 100644 shell.nix 
diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..1d953f4 --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use nix diff --git a/.gitignore b/.gitignore index b2be92b..726d2d6 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ result +.direnv diff --git a/hive.nix b/hive.nix new file mode 100644 index 0000000..fdc3708 --- /dev/null +++ b/hive.nix @@ -0,0 +1,57 @@ +let + sources = import ./npins; + metadata = import ./meta; + + lib = import (sources.nix-lib + "/trivial.nix"); + + mkNode = node: { name, nodes, ... }: { + # Import the base configuration for each node + imports = builtins.map (lib.mkRel ./machines/${node}) [ + "_configuration.nix" + "_hardware-configuration.nix" + ]; + + # Include default secrets + # dgn-secrets.sources = [ ./machines/${node}/secrets ]; + + # Deployment config is specified in meta.nodes.${node}.deployment + inherit (metadata.nodes.${node}) deployment; + + # Set NIX_PATH to the patched version of nixpkgs + nix.nixPath = [ "nixpkgs=${mkNixpkgs node}" ]; + + # Use the stateVersion declared in the metadata + system.stateVersion = metadata.nodes.${node}.stateVersion; + }; + + mkNixpkgs = node: + let version = "nixos-${metadata.nodes.${node}.nixpkgs}"; in + (import sources.${version} { }).applyPatches { + name = "${version}-patched"; + src = sources.${version}; + patches = (import ./nix-patches).${version} or [ ]; + }; + + mkNixpkgs' = node: import (mkNixpkgs node) { }; + + mkArgs = node: { + nix-lib = import sources.nix-lib { inherit ((mkNixpkgs' node)) lib; keysRoot = ./keys; }; + }; + + nodes = builtins.attrNames metadata.nodes; +in + +{ + meta = { + nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes; + + specialArgs = { inherit sources; meta = metadata; }; + + nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes; + }; + + defaults = { ... }: { + # Import the default modules + imports = [ ./modules ]; + }; +} // (lib.mapSingleFuse mkNode nodes) 
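Review bot: `mkNode` sets `system.stateVersion` from `metadata.nodes.${node}.stateVersion`, while the renamed `_configuration.nix` files in this patch (core-services-01, public-cof, remote-builder-01) each still define `system.stateVersion` themselves; the values agree today, but a later edit to one side turns into a conflicting-definition evaluation error rather than a silent pick, so one of the two sources should go. `mkNixpkgs node` is also evaluated separately in `mkNode`, `mkNixpkgs'` and `mkArgs`; binding it once per node would make it obvious that `nix.nixPath`, `nodeNixpkgs` and `nix-lib` all refer to the same patched tree. The commented `dgn-secrets.sources` line and the agenix TODO in `modules/default.nix` mean no secrets module is wired in by the hive after this switch; worth stating in the commit what still provides `age` on the nodes.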
diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/_configuration.nix similarity index 70% rename from machines/core-services-01/configuration.nix rename to machines/core-services-01/_configuration.nix index ac0021a..9bcee06 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/_configuration.nix @@ -2,9 +2,6 @@ { imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ./acme-dns.nix ./acme-ssl.nix ./backups.nix @@ -77,28 +74,11 @@ services.zfs.autoScrub.enable = true; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../pubkeys/gdd.keys - ../pubkeys/raito.keys - ../pubkeys/mrf.keys - ../pubkeys/hubrecht.keys - ../pubkeys/sinavir.keys - ]; - # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. networking.firewall.enable = false; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.05"; # Did you read the comment? - environment.variables.NIX_PATH = lib.mkForce "/var/src"; + system.stateVersion = "22.05"; } diff --git a/machines/core-services-01/hardware-configuration.nix b/machines/core-services-01/_hardware-configuration.nix similarity index 100% rename from machines/core-services-01/hardware-configuration.nix rename to machines/core-services-01/_hardware-configuration.nix 
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/_configuration.nix similarity index 77% rename from machines/public-cof/configuration.nix rename to machines/public-cof/_configuration.nix index 6bd8454..a831791 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/_configuration.nix @@ -3,7 +3,6 @@ { imports = [ - ./hardware-configuration.nix ./programs.nix ./system.nix ./acme.nix @@ -49,15 +48,5 @@ enableSSHSupport = true; }; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../pubkeys/gdd.keys - ../pubkeys/raito.keys - ../pubkeys/mrf.keys - ../pubkeys/sinavir.keys - ../pubkeys/hubrecht.keys - ]; - system.stateVersion = "21.05"; } diff --git a/machines/public-cof/hardware-configuration.nix b/machines/public-cof/_hardware-configuration.nix similarity index 100% rename from machines/public-cof/hardware-configuration.nix rename to machines/public-cof/_hardware-configuration.nix diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/_configuration.nix similarity index 69% rename from machines/remote-builder-01/configuration.nix rename to machines/remote-builder-01/_configuration.nix index 286062b..d5906a8 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/_configuration.nix @@ -2,7 +2,6 @@ { imports = [ - ./hardware-configuration.nix ./system.nix # TODO monitoring ]; 
@@ -59,28 +58,11 @@ services.zfs.autoScrub.enable = true; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../pubkeys/gdd.keys - ../pubkeys/raito.keys - ../pubkeys/sinavir.keys - ../pubkeys/remote-builders.keys - ]; - # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. networking.firewall.enable = false; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "21.05"; # Did you read the comment? - + system.stateVersion = "21.05"; } - diff --git a/machines/remote-builder-01/hardware-configuration.nix b/machines/remote-builder-01/_hardware-configuration.nix similarity index 100% rename from machines/remote-builder-01/hardware-configuration.nix rename to machines/remote-builder-01/_hardware-configuration.nix diff --git a/meta/default.nix b/meta/default.nix new file mode 100644 index 0000000..a6ccb51 --- /dev/null +++ b/meta/default.nix @@ -0,0 +1,5 @@ +let + nodes = import ./nodes.nix; +in + +{ inherit nodes; } diff --git a/meta/nodes.nix b/meta/nodes.nix new file mode 100644 index 0000000..c017cc4 --- /dev/null +++ b/meta/nodes.nix 
@@ -0,0 +1,64 @@ +### +# File specifying all the deployement options for the nodes administrated by the dgnum. +# +# Node metadata template is: +# +# NODE_NAME = { +# adminGroups = []; # List of groups that have root access +# admins = []; # List of individuals that have root access +# deployment = {}; # Colmena deployment options +# nixpkgs = "unstable" or "22.11"; # nixpkgs version +# } + +let + mkNode = _: attrs: { + access = [ ]; + + deployment = { }; + + nixpkgs = "23.05"; + } // attrs; +in + +builtins.mapAttrs mkNode { + core-services-01 = { + admins = [ + "gdd" + "hubrecht" + "mrf" + "raito" + "sinavir" + ]; + + deployment.targetHost = "core01.rz.ens.wtf"; + + stateVersion = "22.05"; + }; + + remote-builder-01 = { + admins = [ + "gdd" + "raito" + "sinavir" + "remote-builders" + ]; + + deployment.targetHost = "nix01.builders.rz.ens.wtf"; + + stateVersion = "21.05"; + }; + + public-cof = { + admins = [ + "gdd" + "hubrecht" + "mrf" + "raito" + "sinavir" + ]; + + deployment.targetHost = "beta.rz.ens.wtf"; + + stateVersion = "21.05"; + }; +} diff --git a/modules/default.nix b/modules/default.nix new file mode 100644 index 0000000..bc98724 --- /dev/null +++ b/modules/default.nix @@ -0,0 +1,11 @@ +{ nix-lib, sources, ... }: + +{ + imports = (nix-lib.mkImports ./. [ + "krz-access-control" + "krz-ssh" + ]) ++ [ + # TODO: Switch to global version of agenix via npins + # "${sources.agenix}/modules/age.nix" + ]; +} diff --git a/modules/krz-access-control.nix b/modules/krz-access-control.nix new file mode 100644 index 0000000..55fd2a3 --- /dev/null +++ b/modules/krz-access-control.nix 
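Review bot: The `mkNode` defaults supply `access = [ ]`, but nothing in this patch reads `access`; `modules/krz-access-control.nix` does `inherit (nodeMeta) admins`, so a node that omits `admins` fails evaluation instead of getting an empty admin list. Defaulting the field the module actually consumes, `admins = [ ];`, and dropping `access` would also bring the header template in line, which still mentions `adminGroups` and `"unstable" or "22.11"` although no node sets a group and the default is `"23.05"`. `stateVersion` has no default either and `hive.nix` reads it unconditionally, so the template should list it as required.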
@@ -0,0 +1,46 @@
+{ config, lib, nix-lib, meta, name, ... }:
+
+let
+ inherit (lib)
+ mkDefault
+ mkEnableOption
+ mkIf
+ mkOption
+
+ types;
+
+ nodeMeta = meta.nodes.${name};
+ inherit (nodeMeta) admins;
+
+ cfg = config.krz-access-control;
+in
+
+{
+ options.krz-access-control = {
+ enable = mkEnableOption "DGNum access control." // { default = true; };
+
+ users = mkOption {
+ type = with types; attrsOf (listOf str);
+ default = { };
+ description = ''
+ Attribute set describing which member has access to which user on the node.
+ Members must be declared in `meta/members.nix`.
+ '';
+ example = ''
+ {
+ user1 = [ "member1" "member2" ];
+ }
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ # Admins have root access to the node
+ krz-access-control.users.root = mkDefault admins;
+
+ users.users = builtins.mapAttrs
+ (u: members: { openssh.authorizedKeys.keys = nix-lib.getAllKeys members; })
+ cfg.users;
+ };
+}
+
diff --git a/modules/krz-ssh.nix b/modules/krz-ssh.nix
new file mode 100644
index 0000000..4124ada
--- /dev/null
+++ b/modules/krz-ssh.nix
@@ -0,0 +1,25 @@
+{ config, lib, ... }:
+
+let
+ inherit (lib)
+ mkEnableOption
+ mkIf;
+
+ cfg = config.krz-ssh;
+in
+
+{
+ options.krz-ssh = {
+ enable = mkEnableOption "ssh default configuration." // { default = true; };
+ };
+
+ config = mkIf cfg.enable {
+ services.openssh = {
+ enable = true;
+
+ settings.PasswordAuthentication = false;
+ };
+
+ programs.mosh.enable = true;
+ };
+}
diff --git a/nix-patches/default.nix b/nix-patches/default.nix
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/nix-patches/default.nix
@@ -0,0 +1 @@
+{}
diff --git a/npins/default.nix b/npins/default.nix
new file mode 100644
index 0000000..4a7c372
--- /dev/null
+++ b/npins/default.nix
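Review bot: The `users.users = builtins.mapAttrs (u: members: { openssh.authorizedKeys.keys = … ; }) cfg.users;` line defines a `users.users.<name>` entry for every key of `cfg.users`, so a misspelled or not-yet-created account name silently becomes a new user declaration carrying only SSH keys rather than an error pointing at the typo; NixOS will presumably reject such an entry through its normal-user/system-user assertion, but the message will not name this module. Consider an `assertions` entry checking that every key of `cfg.users` already exists in `config.users.users` (or document that the module relies on the downstream assertion), and rename the unused lambda parameter `u` to `_`. The description also points members to `meta/members.nix`, which this patch does not add as far as is visible here; either the file or the reference should be adjusted so that `nix-lib.getAllKeys` has a documented source of keys.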
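Review bot: `settings.PasswordAuthentication = false;` in the krz-ssh hunk does not by itself stop password-based logins on NixOS, because keyboard-interactive authentication through PAM remains enabled by default and accepts the same account passwords; add `settings.KbdInteractiveAuthentication = false;` next to it. Since this module is enabled by default on every node and root's keys are now supplied by krz-access-control, it is also worth setting `settings.PermitRootLogin = "prohibit-password";` explicitly, even though that matches the NixOS default, so the intended key-only root policy is visible in the module rather than inherited. A one-line comment such as `# Key-only logins: disable both password and PAM keyboard-interactive auth` would make the pairing of the two settings obvious to the next reader.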
@@ -0,0 +1,47 @@ +# Generated by npins. Do not modify; will be overwritten regularly +let + data = builtins.fromJSON (builtins.readFile ./sources.json); + version = data.version; + + mkSource = spec: + assert spec ? type; let + path = + if spec.type == "Git" then mkGitSource spec + else if spec.type == "GitRelease" then mkGitSource spec + else if spec.type == "PyPi" then mkPyPiSource spec + else if spec.type == "Channel" then mkChannelSource spec + else builtins.throw "Unknown source type ${spec.type}"; + in + spec // { outPath = path; }; + + mkGitSource = { repository, revision, url ? null, hash, ... }: + assert repository ? type; + # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository + # In the latter case, there we will always be an url to the tarball + if url != null then + (builtins.fetchTarball { + inherit url; + sha256 = hash; # FIXME: check nix version & use SRI hashes + }) + else assert repository.type == "Git"; builtins.fetchGit { + url = repository.url; + rev = revision; + # hash = hash; + }; + + mkPyPiSource = { url, hash, ... }: + builtins.fetchurl { + inherit url; + sha256 = hash; + }; + + mkChannelSource = { url, hash, ... }: + builtins.fetchTarball { + inherit url; + sha256 = hash; + }; +in +if version == 3 then + builtins.mapAttrs (_: mkSource) data.pins +else + throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`" diff --git a/npins/sources.json b/npins/sources.json new file mode 100644 index 0000000..1df8536 --- /dev/null +++ b/npins/sources.json 
@@ -0,0 +1,43 @@ +{ + "pins": { + "agenix": { + "type": "GitRelease", + "repository": { + "type": "Git", + "url": "https://github.com/ryantm/agenix" + }, + "pre_releases": false, + "version_upper_bound": null, + "version": "0.13.0", + "revision": "9c9fbfb94b2d545c7f0b78da0254ea0041595795", + "url": null, + "hash": "0k6aggy3lhqv6j11cvi4gr0i3jps8hlf262xl9ji3ffxwas46p54" + }, + "nix-lib": { + "type": "GitRelease", + "repository": { + "type": "Git", + "url": "https://git.hubrecht.ovh/hubrecht/nix-lib" + }, + "pre_releases": false, + "version_upper_bound": null, + "version": "0.1.1", + "revision": "5db2443e2cb18335375ad84ffbc066a239c054de", + "url": null, + "hash": "18xzi2yn2vk7zq79pgz8z2s1ijhyjcx5866mp21rrdi9gz37yiif" + }, + "nixos-23.05": { + "type": "Channel", + "name": "nixos-23.05", + "url": "https://releases.nixos.org/nixos/23.05/nixos-23.05.2162.6da4bc6cb07/nixexprs.tar.xz", + "hash": "198wbl9b7j3k51n0rxs09vy6x535ysqv6kbxf42d9yqr49d2n9vc" + }, + "nixpkgs": { + "type": "Channel", + "name": "nixpkgs-unstable", + "url": "https://releases.nixos.org/nixpkgs/nixpkgs-23.11pre506668.af8cd5ded77/nixexprs.tar.xz", + "hash": "0in8bgah6hz47lsa3ka2fslwks174maqdzy8mcmsj0q4wrv8h2s9" + } + }, + "version": 3 +} \ No newline at end of file diff --git a/shell.nix b/shell.nix new file mode 100644 index 0000000..e29954b --- /dev/null +++ b/shell.nix @@ -0,0 +1,15 @@ +let + sources = import ./npins; + pkgs = import sources.nixpkgs { }; +in + +pkgs.mkShell { + packages = with pkgs; [ + npins + colmena + nixos-generators + ] ++ (builtins.map (p: callPackage p { }) [ + ]); + + allowSubstitutes = false; +} -- 2.47.0 From 29034e605695e37086e46f9cedb77af4bc132dc8 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 23 Jul 2023 23:50:10 +0200 Subject: [PATCH 87/88] krops.nix: Delete --- krops.nix | 36 ------------------------------------ 1 file changed, 36 deletions(-) delete mode 100644 krops.nix diff --git a/krops.nix b/krops.nix deleted file mode 100644 index 140772d..0000000 
--- a/krops.nix +++ /dev/null @@ -1,36 +0,0 @@ -let - krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; }; - lib = import "${krops}/lib"; - pkgs = import "${krops}/pkgs" { }; - source = machine: - lib.evalSource [{ - config.file = toString ./machines; - nixos-config.symlink = "config/${machine}/configuration.nix"; - # Auto-upgrade wen? - nixpkgs.git = { - clean.exclude = [ "/.version-suffix" ]; - ref = "origin/release-23.05"; - url = "https://github.com/NixOS/nixpkgs"; - }; - }]; - mkTestConfig = hostname: { - name = "test-${hostname}"; - value = pkgs.krops.writeTest "test-${hostname}" { - source = source hostname; - target = lib.mkTarget { - host = "localhost"; - path = "/tmp/src"; - }; - force = true; # force create the sentinel file. - }; - }; - mkTestsConfig = hostnames: builtins.listToAttrs (map mkTestConfig hostnames); - mkDeploy = hostname: target: { ${hostname} = pkgs.krops.writeDeploy "deploy-${hostname}" { - source = source hostname; - inherit target; - }; }; -in {} -// mkDeploy "core-services-01" "root@core01.rz.ens.wtf" -// mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" -// mkDeploy "public-cof" "root@beta.rz.ens.wtf" -// mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] -- 2.47.0 From 41fc60e1eb6fb12f896be92abb5cfd946c3480d4 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 23 Jul 2023 23:56:33 +0200 Subject: [PATCH 88/88] core-01: Disable netboot-server --- machines/core-services-01/_configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/core-services-01/_configuration.nix b/machines/core-services-01/_configuration.nix index 9bcee06..3c7162e 100644 --- a/machines/core-services-01/_configuration.nix +++ b/machines/core-services-01/_configuration.nix @@ -12,7 +12,7 @@ ./keycloak.nix ./matterbridge.nix ./monitoring.nix - ./netboot-server.nix + # ./netboot-server.nix ./network.nix ./nginx.nix ./nur.nix -- 2.47.0