From 7fefcc0d54528f86724eed4943d2305d00ebd031 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Tue, 26 Apr 2022 23:33:59 +0200
Subject: [PATCH 01/88] core01: add headscale support
---
 machines/core-services-01/configuration.nix | 1 +
 machines/core-services-01/headscale.nix | 8 ++++++++
 machines/core-services-01/subZone.nix | 1 +
 3 files changed, 10 insertions(+)
 create mode 100644 machines/core-services-01/headscale.nix
diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix
index f5ae683..8af8554 100644
--- a/machines/core-services-01/configuration.nix
+++ b/machines/core-services-01/configuration.nix
@@ -19,6 +19,7 @@
 ./keycloak.nix
 ./acme-dns.nix
 ./backups.nix
+ ./headscale.nix
 # ./dex.nix
 ./oauth2_proxy.nix
 ./secrets
diff --git a/machines/core-services-01/headscale.nix b/machines/core-services-01/headscale.nix
new file mode 100644
index 0000000..e44b48a
--- /dev/null
+++ b/machines/core-services-01/headscale.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ services.headscale = {
+ enable = true;
+ serverUrl = "https://tailscale.rz.ens.wtf";
+ tls.letsencrypt.hostname = "tailscale.rz.ens.wtf";
+ };
+}
diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix
index 08db8c1..2738afe 100644
--- a/machines/core-services-01/subZone.nix
+++ b/machines/core-services-01/subZone.nix
@@ -37,6 +37,7 @@ dualstack // {
 monitoring = dualstack;
 auth = dualstack;
 push = dualstack;
+ tailscale = dualstack;
 core01 = dualstack;
 ns1 = dualstack;
--
2.49.0

From cce562ac9aaa802f2743f859412bc1e445866364 Mon Sep 17 00:00:00 2001
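Review bot: headscale.nix turns on `tls.letsencrypt.hostname` but sets no listener address or port and opens nothing in the firewall, so this hunk alone does not establish that the ACME challenge can be answered or that clients can reach `https://tailscale.rz.ens.wtf`. Every other public service on this host is fronted by nginx with `enableACME` (see the keycloak.nix hunks), so headscale doing its own TLS is a second, separate ACME path that deserves a comment, e.g. `# headscale terminates TLS itself (Let's Encrypt) and is not behind nginx; listener + firewall must be opened accordingly`. If the module's default listener port is being relied on, check it does not collide with Keycloak's `port = 8080` on the same machine. The same file is added again by the squashed patch 14 (L18).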
From: Raito Bezarius Date: Wed, 27 Apr 2022 13:24:40 +0200 Subject: [PATCH 02/88] core01: update to latest nixpkgs, fix up keycloak --- krops.nix | 2 +- machines/core-services-01/acme-ssl.nix | 4 +- machines/core-services-01/drone-runners.nix | 2 +- machines/core-services-01/keycloak.nix | 42 +++++++--- .../keycloak/keycloak-protocol-cas.nix | 26 ++++++ .../core-services-01/keycloak/package.nix | 84 +++++++++++++++++++ machines/core-services-01/monitoring.nix | 2 +- 7 files changed, 145 insertions(+), 17 deletions(-) create mode 100644 machines/core-services-01/keycloak/keycloak-protocol-cas.nix create mode 100644 machines/core-services-01/keycloak/package.nix diff --git a/krops.nix b/krops.nix index 01ee420..949b478 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "e96c668072d7c98ddf2062f6d2b37f84909a572b"; # nixos-22.05 + ref = "7f4a8f37d4621b27fc0c4eeb3880ecf1cb055371"; # nixos-22.05 url = "https://github.com/NixOS/nixpkgs"; }; }]; diff --git a/machines/core-services-01/acme-ssl.nix b/machines/core-services-01/acme-ssl.nix index 2403cd6..f111e17 100644 --- a/machines/core-services-01/acme-ssl.nix +++ b/machines/core-services-01/acme-ssl.nix @@ -5,9 +5,9 @@ let in { security.acme.acceptTerms = true; - security.acme.email = my.email; + security.acme.defaults.email = my.email; - security.acme.server = + security.acme.defaults.server = if my.acmeStaging then "https://acme-staging-v02.api.letsencrypt.org/directory" else null; diff --git a/machines/core-services-01/drone-runners.nix b/machines/core-services-01/drone-runners.nix index 6793e4b..36ecbdd 100644 --- a/machines/core-services-01/drone-runners.nix +++ b/machines/core-services-01/drone-runners.nix 
@@ -14,5 +14,5 @@ in
 envFile = config.age.secrets.droneKeyFile.path;
 };
- systemd.services."drone-exec-runner-nix01".after = [ "gitea" ];
+ systemd.services."drone-exec-runner-nix01".after = [ "gitea.service" ];
 }
diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix
index 6f34b25..9d103ef 100644
--- a/machines/core-services-01/keycloak.nix
+++ b/machines/core-services-01/keycloak.nix
@@ -1,26 +1,44 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let my = config.my; port = 8080; + keycloak-protocol-cas = pkgs.callPackage ./keycloak/keycloak-protocol-cas.nix {}; + domain = "auth.${my.subZone}"; + certs = config.security.acme.certs."${domain}".directory; in { services.keycloak = { enable = true; - package = pkgs.keycloak.override { - jre = pkgs.jre8; - }; + /*package = pkgs.keycloak.overrideAttrs (old: rec { + version = "18.0.0"; + jre = pkgs.openjdk; + src = pkgs.fetchzip { + url = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip"; + sha256 = "sha256-Tql5/yNtdctSCYgtSnz5Pa6IwZVf/HOApFdeCEpNrjs="; + }; + });*/ + package = pkgs.callPackage ./keycloak/package.nix {}; initialAdminPassword = "changemeasap"; - database.createLocally = true; - database.passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path; - frontendUrl = "https://auth.${my.subZone}/auth/"; - forceBackendUrlToFrontendUrl = true; - httpPort = toString port; - extraConfig = { - "subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true; + sslCertificate = "${certs}/cert.pem"; + sslCertificateKey = "${certs}/key.pem"; + plugins = [ pkgs.keycloak.plugins.keycloak-metrics-spi keycloak-protocol-cas ]; + database = { + type = "postgresql"; + username = "keycloak"; + name = "keycloak"; + createLocally = true; + passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}"; + }; + settings = { + hostname-strict-backchannel = true; + http-port = port; + proxy = "edge"; + http-relative-path = "/auth"; + hostname = domain; }; }; - services.nginx.virtualHosts."auth.${my.subZone}" = { + services.nginx.virtualHosts."${domain}" = { forceSSL = true; enableACME = true; locations."/" = { diff --git a/machines/core-services-01/keycloak/keycloak-protocol-cas.nix b/machines/core-services-01/keycloak/keycloak-protocol-cas.nix new file mode 100644 index 0000000..1783749 --- /dev/null 
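Review bot: The new `settings` set `proxy = "edge"` without restricting `http-host`, so Keycloak will trust X-Forwarded-* headers from anything that can reach port 8080, not only from the nginx vhost that proxies to `http://127.0.0.1:${toString port}`; unless the host firewall already keeps 8080 local, I'd add `http-host = "127.0.0.1"; # only nginx may reach keycloak: with proxy = "edge" forwarded headers are trusted` next to `http-port = port;`. The `initialAdminPassword = "changemeasap"` context line is not touched by this change, but it is worth confirming the bootstrap password was rotated. The `services.keycloak`/nginx attrsets continue past the end of the hunk, and the same hunk reappears in the squashed patch 14 (L18).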
+++ b/machines/core-services-01/keycloak/keycloak-protocol-cas.nix @@ -0,0 +1,26 @@ +{ stdenv, lib, fetchurl }: + +stdenv.mkDerivation rec { + pname = "keycloak-protocol-cas"; + version = "18.0.0"; + + src = fetchurl { + url = "https://github.com/jacekkow/keycloak-protocol-cas/releases/download/${version}/keycloak-protocol-cas-${version}.jar"; + sha256 = "sha256-N+IJqD7oQ4T4MI8klt96kfHwFnPJy5l8MK6bq62nBrM="; + }; + + dontUnpack = true; + dontBuild = true; + + installPhase = '' + mkdir -p $out + install "$src" "$out" + ''; + + meta = with lib; { + homepage = "https://github.com/jacekkow/keycloak-protocol-cas"; + description = "Keycloak Service Provider that adds CAS as an authentication protocol"; + license = licenses.apsl20; + maintainers = with maintainers; [ raitobezarius ]; + }; +} diff --git a/machines/core-services-01/keycloak/package.nix b/machines/core-services-01/keycloak/package.nix new file mode 100644 index 0000000..e9a1177 --- /dev/null +++ b/machines/core-services-01/keycloak/package.nix 
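Review bot: `license = licenses.apsl20` is the Apple Public Source License; upstream keycloak-protocol-cas is, as far as I know, Apache-2.0, i.e. `licenses.asl20` as used in package.nix in this same patch — please confirm against the upstream LICENSE file. In `installPhase`, `install "$src" "$out"` copies the jar under its store basename (hash-prefixed), so `install -Dm644 "$src" "$out/keycloak-protocol-cas-${version}.jar"` gives the provider a stable, readable name, and the phase should be wrapped in `runHook preInstall` / `runHook postInstall` like the other derivation in this patch. The same file is added again by the squashed patch 14 (L19).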
@@ -0,0 +1,84 @@ +{ stdenv +, lib +, fetchzip +, makeWrapper +, jre +, writeText +, nixosTests +, callPackage + +, confFile ? null +, plugins ? [ ] +}: + +stdenv.mkDerivation rec { + pname = "keycloak"; + version = "18.0.0"; + + src = fetchzip { + url = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip"; + sha256 = "sha256-Tql5/yNtdctSCYgtSnz5Pa6IwZVf/HOApFdeCEpNrjs="; + }; + + nativeBuildInputs = [ makeWrapper jre ]; + + buildPhase = '' + runHook preBuild + '' + lib.optionalString (confFile != null) '' + install -m 0600 ${confFile} conf/keycloak.conf + '' + '' + install_plugin() { + if [ -d "$1" ]; then + find "$1" -type f \( -iname \*.ear -o -iname \*.jar \) -exec install -m 0500 "{}" "providers/" \; + else + install -m 0500 "$1" "providers/" + fi + } + ${lib.concatMapStringsSep "\n" (pl: "install_plugin ${lib.escapeShellArg pl}") plugins} + '' + '' + export KC_HOME_DIR=$out + export KC_CONF_DIR=$out/conf + export ROOT_LOGLEVEL="DEBUG" + export KEYCLOAK_LOGLEVEL="DEBUG" + + patchShebangs bin/kc.sh + bin/kc.sh --verbose build + + runHook postBuild + ''; + + installPhase = '' + runHook preInstall + + mkdir $out + cp -r * $out + + rm $out/bin/*.{ps1,bat} + + runHook postInstall + ''; + + postFixup = '' + substituteInPlace $out/bin/kc.sh --replace '-Dkc.home.dir=$DIRNAME/../' '-Dkc.home.dir=$KC_HOME_DIR' + substituteInPlace $out/bin/kc.sh --replace '-Djboss.server.config.dir=$DIRNAME/../conf' '-Djboss.server.config.dir=$KC_CONF_DIR' + + for script in $(find $out/bin -type f -executable); do + wrapProgram "$script" --set JAVA_HOME ${jre} --prefix PATH : ${jre}/bin + done + ''; + + passthru = { + tests = nixosTests.keycloak; + plugins = callPackage ./all-plugins.nix { }; + enabledPlugins = plugins; + }; + + meta = with lib; { + homepage = "https://www.keycloak.org/"; + description = "Identity and access management for modern applications and services"; + license = licenses.asl20; + platforms = jre.meta.platforms; + maintainers = 
with maintainers; [ ngerstle talyz ]; + }; + +} diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index f9812f9..47b7953 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -65,7 +65,7 @@ in "health_alarm_notify" ]; - environment.etc."netdata/netdata.conf" = { + environment.etc."netdata/netdata.conf" = lib.mkForce { user = "netdata"; group = "netdata"; mode = "0600"; -- 2.49.0 From 4df131d59b36e5e58cc3c7998c0aef0b253e90d5 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 30 May 2022 00:47:46 +0200 Subject: [PATCH 03/88] core01: update to 22.05-beta --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 949b478..5647c3e 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "7f4a8f37d4621b27fc0c4eeb3880ecf1cb055371"; # nixos-22.05 + ref = "7ae60dd7068478db5d936a3850b6df859aec21d0"; # nixos-22.05 beta release url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.49.0 From 22996eddffc9840072dfd6fa47092bbdd7020623 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 4 Jun 2022 04:23:31 +0200 Subject: [PATCH 04/88] nixpkgs: update to 22.05 release --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 5647c3e..cd1f9ab 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "7ae60dd7068478db5d936a3850b6df859aec21d0"; # nixos-22.05 beta release + ref = "ce6aa13369b667ac2542593170993504932eb836"; # nixos-22.05 release url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.49.0 From 4d5ea04099139a17cb4cbb9c547b2e7f9ebcbea1 Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 4 Jun 2022 04:29:53 +0200 Subject: [PATCH 05/88] nixpkgs: try 22.11 unreleased --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index cd1f9ab..38c5e90 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "ce6aa13369b667ac2542593170993504932eb836"; # nixos-22.05 release + ref = "f6c4da49202d79cdab2fdf2bfa3019cde23f007e"; # nixos-22.11 pre-release url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.49.0 From 6f52987d5f6e0a2250db78588b372ba505ba49c1 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 4 Jun 2022 04:35:19 +0200 Subject: [PATCH 06/88] core01(keycloak): remove customizations --- machines/core-services-01/keycloak.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index 9d103ef..a525413 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix @@ -17,10 +17,10 @@ in sha256 = "sha256-Tql5/yNtdctSCYgtSnz5Pa6IwZVf/HOApFdeCEpNrjs="; }; });*/ - package = pkgs.callPackage ./keycloak/package.nix {}; + # package = pkgs.callPackage ./keycloak/package.nix {}; initialAdminPassword = "changemeasap"; - sslCertificate = "${certs}/cert.pem"; - sslCertificateKey = "${certs}/key.pem"; + # sslCertificate = "${certs}/cert.pem"; + # sslCertificateKey = "${certs}/key.pem"; plugins = [ pkgs.keycloak.plugins.keycloak-metrics-spi keycloak-protocol-cas ]; database = { type = "postgresql"; -- 2.49.0 From aa328045a75385e4c93d63b921b0bdd6959691ed Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Tue, 7 Jun 2022 01:33:21 +0200 Subject: [PATCH 07/88] core01(keycloak): try a zlib upstream patch --- .../fix-crc-computation.patch | 51 +++++++++++++++++++ machines/core-services-01/keycloak.nix | 9 ++++ 2 files changed, 60 insertions(+) create mode 100644 machines/core-services-01/fix-crc-computation.patch diff --git a/machines/core-services-01/fix-crc-computation.patch b/machines/core-services-01/fix-crc-computation.patch new file mode 100644 index 0000000..85a6a7e --- /dev/null +++ b/machines/core-services-01/fix-crc-computation.patch 
@@ -0,0 +1,51 @@ +From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Wed, 30 Mar 2022 11:14:53 -0700 +Subject: [PATCH] Correct incorrect inputs provided to the CRC functions. + +The previous releases of zlib were not sensitive to incorrect CRC +inputs with bits set above the low 32. This commit restores that +behavior, so that applications with such bugs will continue to +operate as before. +--- + crc32.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/crc32.c b/crc32.c +index a1bdce5c2..451887bc7 100644 +--- a/crc32.c ++++ b/crc32.c +@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) + #endif /* DYNAMIC_CRC_TABLE */ + + /* Pre-condition the CRC */ +- crc ^= 0xffffffff; ++ crc = (~crc) & 0xffffffff; + + /* Compute the CRC up to a word boundary. */ + while (len && ((z_size_t)buf & 7) != 0) { +@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) + #endif /* DYNAMIC_CRC_TABLE */ + + /* Pre-condition the CRC */ +- crc ^= 0xffffffff; ++ crc = (~crc) & 0xffffffff; + + #ifdef W + +@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2) + #ifdef DYNAMIC_CRC_TABLE + once(&made, make_crc_table); + #endif /* DYNAMIC_CRC_TABLE */ +- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2; ++ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff); + } + + /* ========================================================================= */ +@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op) + uLong crc2; + uLong op; + { +- return multmodp(op, crc1) ^ crc2; ++ return multmodp(op, crc1) ^ (crc2 & 0xffffffff); + } diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index a525413..3890993 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix 
@@ -7,6 +7,15 @@ let certs = config.security.acme.certs."${domain}".directory; in { + nixpkgs.overlays = [ + (self: super: { + zlib = zlib.overrideAttrs (old: { + patches = old.patches ++ [ + ./fix-crc-computation.patch + ]; + }); + }) + ]; services.keycloak = { enable = true; /*package = pkgs.keycloak.overrideAttrs (old: rec { -- 2.49.0 From deda24e3aeacf46635afdbe66a1c706e09dd01f1 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 7 Jun 2022 01:34:18 +0200 Subject: [PATCH 08/88] core01(keycloak): oops --- machines/core-services-01/keycloak.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index 3890993..b59af18 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix @@ -9,7 +9,7 @@ in { nixpkgs.overlays = [ (self: super: { - zlib = zlib.overrideAttrs (old: { + zlib = super.zlib.overrideAttrs (old: { patches = old.patches ++ [ ./fix-crc-computation.patch ]; -- 2.49.0 From 173cdedb7cf326abcc0c95a9dea287a7656c2cc6 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 21 Jun 2022 18:47:09 +0200 Subject: [PATCH 09/88] core01(keycloak): bump to nixpkgs-unstable who has the patch --- krops.nix | 2 +- machines/core-services-01/keycloak.nix | 20 -------------------- 2 files changed, 1 insertion(+), 21 deletions(-) diff --git a/krops.nix b/krops.nix index 38c5e90..a088d89 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "f6c4da49202d79cdab2fdf2bfa3019cde23f007e"; # nixos-22.11 pre-release + ref = "e0a42267f73ea52adc061a64650fddc59906fc99"; # nixpkgs-unstable url = "https://github.com/NixOS/nixpkgs"; }; }]; diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index b59af18..e7d48e5 100644 --- a/machines/core-services-01/keycloak.nix 
+++ b/machines/core-services-01/keycloak.nix @@ -7,29 +7,9 @@ let certs = config.security.acme.certs."${domain}".directory; in { - nixpkgs.overlays = [ - (self: super: { - zlib = super.zlib.overrideAttrs (old: { - patches = old.patches ++ [ - ./fix-crc-computation.patch - ]; - }); - }) - ]; services.keycloak = { enable = true; - /*package = pkgs.keycloak.overrideAttrs (old: rec { - version = "18.0.0"; - jre = pkgs.openjdk; - src = pkgs.fetchzip { - url = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip"; - sha256 = "sha256-Tql5/yNtdctSCYgtSnz5Pa6IwZVf/HOApFdeCEpNrjs="; - }; - });*/ - # package = pkgs.callPackage ./keycloak/package.nix {}; initialAdminPassword = "changemeasap"; - # sslCertificate = "${certs}/cert.pem"; - # sslCertificateKey = "${certs}/key.pem"; plugins = [ pkgs.keycloak.plugins.keycloak-metrics-spi keycloak-protocol-cas ]; database = { type = "postgresql"; -- 2.49.0 From 2e09ceabf74f0c7cd601c3d286fa3668e3af2136 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 21 Jun 2022 19:06:43 +0200 Subject: [PATCH 10/88] core01(keycloak): bump to nixos-unstable --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index a088d89..770fcff 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "e0a42267f73ea52adc061a64650fddc59906fc99"; # nixpkgs-unstable + ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.49.0 From 3b1338043c322fae7bdd4c4282a04b23d0be12da Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 21 Jun 2022 19:25:00 +0200 Subject: [PATCH 11/88] public-cof: disable cryptpad --- machines/public-cof/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index ef33c32..b47cf2c 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -14,7 +14,7 @@ ./nur.nix # ./factorio.nix # TODO ./nginx.nix - ./cryptpad.nix + # ./cryptpad.nix ./hedgedoc.nix ./secrets # TODO monitoring -- 2.49.0 From 28c3ad24298a7d330e52fb776e704aefbbcf5cdb Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 21 Jun 2022 19:27:44 +0200 Subject: [PATCH 12/88] public-cof: upgrade to NC24 --- machines/public-cof/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 99e6e17..b243afb 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,7 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud22; + package = pkgs.nextcloud23; config = { overwriteProtocol = "https"; -- 2.49.0 From dcddd19fb4d1754d3821afbfe043a26ec977dff5 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 26 Jun 2022 23:45:00 +0200 Subject: [PATCH 13/88] core01(keycloak): remove useless file --- .../core-services-01/keycloak/package.nix | 84 ------------------- 1 file changed, 84 deletions(-) delete mode 100644 machines/core-services-01/keycloak/package.nix diff --git a/machines/core-services-01/keycloak/package.nix b/machines/core-services-01/keycloak/package.nix deleted file mode 100644 index e9a1177..0000000 --- a/machines/core-services-01/keycloak/package.nix +++ /dev/null 
@@ -1,84 +0,0 @@ -{ stdenv -, lib -, fetchzip -, makeWrapper -, jre -, writeText -, nixosTests -, callPackage - -, confFile ? null -, plugins ? [ ] -}: - -stdenv.mkDerivation rec { - pname = "keycloak"; - version = "18.0.0"; - - src = fetchzip { - url = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip"; - sha256 = "sha256-Tql5/yNtdctSCYgtSnz5Pa6IwZVf/HOApFdeCEpNrjs="; - }; - - nativeBuildInputs = [ makeWrapper jre ]; - - buildPhase = '' - runHook preBuild - '' + lib.optionalString (confFile != null) '' - install -m 0600 ${confFile} conf/keycloak.conf - '' + '' - install_plugin() { - if [ -d "$1" ]; then - find "$1" -type f \( -iname \*.ear -o -iname \*.jar \) -exec install -m 0500 "{}" "providers/" \; - else - install -m 0500 "$1" "providers/" - fi - } - ${lib.concatMapStringsSep "\n" (pl: "install_plugin ${lib.escapeShellArg pl}") plugins} - '' + '' - export KC_HOME_DIR=$out - export KC_CONF_DIR=$out/conf - export ROOT_LOGLEVEL="DEBUG" - export KEYCLOAK_LOGLEVEL="DEBUG" - - patchShebangs bin/kc.sh - bin/kc.sh --verbose build - - runHook postBuild - ''; - - installPhase = '' - runHook preInstall - - mkdir $out - cp -r * $out - - rm $out/bin/*.{ps1,bat} - - runHook postInstall - ''; - - postFixup = '' - substituteInPlace $out/bin/kc.sh --replace '-Dkc.home.dir=$DIRNAME/../' '-Dkc.home.dir=$KC_HOME_DIR' - substituteInPlace $out/bin/kc.sh --replace '-Djboss.server.config.dir=$DIRNAME/../conf' '-Djboss.server.config.dir=$KC_CONF_DIR' - - for script in $(find $out/bin -type f -executable); do - wrapProgram "$script" --set JAVA_HOME ${jre} --prefix PATH : ${jre}/bin - done - ''; - - passthru = { - tests = nixosTests.keycloak; - plugins = callPackage ./all-plugins.nix { }; - enabledPlugins = plugins; - }; - - meta = with lib; { - homepage = "https://www.keycloak.org/"; - description = "Identity and access management for modern applications and services"; - license = licenses.asl20; - platforms = jre.meta.platforms; - maintainers = 
with maintainers; [ ngerstle talyz ]; - }; - -} -- 2.49.0 From 6f5fdb0317db7ad5df3258a1114ba5c1deadb29f Mon Sep 17 00:00:00 2001 From: Ryan Lahfa Date: Sun, 26 Jun 2022 23:48:43 +0200 Subject: [PATCH 14/88] Headscale support (upgrade to latest nixpkgs) (#9) This adds Headscale support. It provides also an upgrade to Keycloak 18.0.0 (Quarkus distribution). It upgrades NextCloud from 22 to 23. Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/9 Co-authored-by: Ryan Lahfa Co-committed-by: Ryan Lahfa --- krops.nix | 2 +- machines/core-services-01/acme-ssl.nix | 4 +- machines/core-services-01/configuration.nix | 1 + machines/core-services-01/drone-runners.nix | 2 +- .../fix-crc-computation.patch | 51 +++++++++++++++++++ machines/core-services-01/headscale.nix | 8 +++ machines/core-services-01/keycloak.nix | 31 ++++++----- .../keycloak/keycloak-protocol-cas.nix | 26 ++++++++++ machines/core-services-01/monitoring.nix | 2 +- machines/core-services-01/subZone.nix | 1 + machines/public-cof/configuration.nix | 2 +- machines/public-cof/nextcloud.nix | 2 +- 12 files changed, 113 insertions(+), 19 deletions(-) create mode 100644 machines/core-services-01/fix-crc-computation.patch create mode 100644 machines/core-services-01/headscale.nix create mode 100644 machines/core-services-01/keycloak/keycloak-protocol-cas.nix diff --git a/krops.nix b/krops.nix index 01ee420..770fcff 100644 --- a/krops.nix +++ b/krops.nix @@ -8,7 +8,7 @@ let nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "e96c668072d7c98ddf2062f6d2b37f84909a572b"; # nixos-22.05 + ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable url = "https://github.com/NixOS/nixpkgs"; }; }]; diff --git a/machines/core-services-01/acme-ssl.nix b/machines/core-services-01/acme-ssl.nix index 2403cd6..f111e17 100644 --- a/machines/core-services-01/acme-ssl.nix +++ b/machines/core-services-01/acme-ssl.nix 
@@ -5,9 +5,9 @@ let in { security.acme.acceptTerms = true; - security.acme.email = my.email; + security.acme.defaults.email = my.email; - security.acme.server = + security.acme.defaults.server = if my.acmeStaging then "https://acme-staging-v02.api.letsencrypt.org/directory" else null; diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index f5ae683..8af8554 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -19,6 +19,7 @@ ./keycloak.nix ./acme-dns.nix ./backups.nix + ./headscale.nix # ./dex.nix ./oauth2_proxy.nix ./secrets diff --git a/machines/core-services-01/drone-runners.nix b/machines/core-services-01/drone-runners.nix index 6793e4b..36ecbdd 100644 --- a/machines/core-services-01/drone-runners.nix +++ b/machines/core-services-01/drone-runners.nix @@ -14,5 +14,5 @@ in envFile = config.age.secrets.droneKeyFile.path; }; - systemd.services."drone-exec-runner-nix01".after = [ "gitea" ]; + systemd.services."drone-exec-runner-nix01".after = [ "gitea.service" ]; } diff --git a/machines/core-services-01/fix-crc-computation.patch b/machines/core-services-01/fix-crc-computation.patch new file mode 100644 index 0000000..85a6a7e --- /dev/null +++ b/machines/core-services-01/fix-crc-computation.patch 
@@ -0,0 +1,51 @@ +From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Wed, 30 Mar 2022 11:14:53 -0700 +Subject: [PATCH] Correct incorrect inputs provided to the CRC functions. + +The previous releases of zlib were not sensitive to incorrect CRC +inputs with bits set above the low 32. This commit restores that +behavior, so that applications with such bugs will continue to +operate as before. +--- + crc32.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/crc32.c b/crc32.c +index a1bdce5c2..451887bc7 100644 +--- a/crc32.c ++++ b/crc32.c +@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) + #endif /* DYNAMIC_CRC_TABLE */ + + /* Pre-condition the CRC */ +- crc ^= 0xffffffff; ++ crc = (~crc) & 0xffffffff; + + /* Compute the CRC up to a word boundary. */ + while (len && ((z_size_t)buf & 7) != 0) { +@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) + #endif /* DYNAMIC_CRC_TABLE */ + + /* Pre-condition the CRC */ +- crc ^= 0xffffffff; ++ crc = (~crc) & 0xffffffff; + + #ifdef W + +@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2) + #ifdef DYNAMIC_CRC_TABLE + once(&made, make_crc_table); + #endif /* DYNAMIC_CRC_TABLE */ +- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2; ++ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff); + } + + /* ========================================================================= */ +@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op) + uLong crc2; + uLong op; + { +- return multmodp(op, crc1) ^ crc2; ++ return multmodp(op, crc1) ^ (crc2 & 0xffffffff); + } diff --git a/machines/core-services-01/headscale.nix b/machines/core-services-01/headscale.nix new file mode 100644 index 0000000..e44b48a --- /dev/null +++ b/machines/core-services-01/headscale.nix 
@@ -0,0 +1,8 @@ +{ ... }: +{ + services.headscale = { + enable = true; + serverUrl = "https://tailscale.rz.ens.wtf"; + tls.letsencrypt.hostname = "tailscale.rz.ens.wtf"; + }; +} diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index 6f34b25..e7d48e5 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix @@ -1,26 +1,33 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let my = config.my; port = 8080; + keycloak-protocol-cas = pkgs.callPackage ./keycloak/keycloak-protocol-cas.nix {}; + domain = "auth.${my.subZone}"; + certs = config.security.acme.certs."${domain}".directory; in { services.keycloak = { enable = true; - package = pkgs.keycloak.override { - jre = pkgs.jre8; - }; initialAdminPassword = "changemeasap"; - database.createLocally = true; - database.passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path; - frontendUrl = "https://auth.${my.subZone}/auth/"; - forceBackendUrlToFrontendUrl = true; - httpPort = toString port; - extraConfig = { - "subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true; + plugins = [ pkgs.keycloak.plugins.keycloak-metrics-spi keycloak-protocol-cas ]; + database = { + type = "postgresql"; + username = "keycloak"; + name = "keycloak"; + createLocally = true; + passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}"; + }; + settings = { + hostname-strict-backchannel = true; + http-port = port; + proxy = "edge"; + http-relative-path = "/auth"; + hostname = domain; }; }; - services.nginx.virtualHosts."auth.${my.subZone}" = { + services.nginx.virtualHosts."${domain}" = { forceSSL = true; enableACME = true; locations."/" = { diff --git a/machines/core-services-01/keycloak/keycloak-protocol-cas.nix b/machines/core-services-01/keycloak/keycloak-protocol-cas.nix new file mode 100644 index 0000000..1783749 --- /dev/null 
+++ b/machines/core-services-01/keycloak/keycloak-protocol-cas.nix @@ -0,0 +1,26 @@ +{ stdenv, lib, fetchurl }: + +stdenv.mkDerivation rec { + pname = "keycloak-protocol-cas"; + version = "18.0.0"; + + src = fetchurl { + url = "https://github.com/jacekkow/keycloak-protocol-cas/releases/download/${version}/keycloak-protocol-cas-${version}.jar"; + sha256 = "sha256-N+IJqD7oQ4T4MI8klt96kfHwFnPJy5l8MK6bq62nBrM="; + }; + + dontUnpack = true; + dontBuild = true; + + installPhase = '' + mkdir -p $out + install "$src" "$out" + ''; + + meta = with lib; { + homepage = "https://github.com/jacekkow/keycloak-protocol-cas"; + description = "Keycloak Service Provider that adds CAS as an authentication protocol"; + license = licenses.apsl20; + maintainers = with maintainers; [ raitobezarius ]; + }; +} diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index f9812f9..47b7953 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -65,7 +65,7 @@ in "health_alarm_notify" ]; - environment.etc."netdata/netdata.conf" = { + environment.etc."netdata/netdata.conf" = lib.mkForce { user = "netdata"; group = "netdata"; mode = "0600"; diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 08db8c1..2738afe 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -37,6 +37,7 @@ dualstack // { monitoring = dualstack; auth = dualstack; push = dualstack; + tailscale = dualstack; core01 = dualstack; ns1 = dualstack; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index ef33c32..b47cf2c 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -14,7 +14,7 @@ ./nur.nix # ./factorio.nix # TODO ./nginx.nix - ./cryptpad.nix + # ./cryptpad.nix ./hedgedoc.nix ./secrets # TODO monitoring 
diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 99e6e17..b243afb 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,7 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud22; + package = pkgs.nextcloud23; config = { overwriteProtocol = "https"; -- 2.49.0 From 9d3381cafba64d1e102211997111cd517481e716 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Aug 2022 16:34:22 +0200 Subject: [PATCH 15/88] oauth2_proxy: add a cookie specific to *.rz.ens.wtf --- machines/core-services-01/monitoring.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 47b7953..b0872cd 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -117,6 +117,10 @@ in keyFile = config.age.secrets.oauth2ProxyKeyFile.path; provider = "keycloak"; email.domains = [ "*" ]; + cookie = { + name = "_oauth2_proxy_ensrz"; + domain = ".rz.ens.wtf"; + }; setXauthrequest = true; scope = "profile"; loginURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/auth"; -- 2.49.0 From be6e81ad46af088bde935e5e9aa282690ce4cf2d Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Aug 2022 17:52:21 +0200 Subject: [PATCH 16/88] monitoring: fix authentication via oauth2_proxy by moving to Keycloak-OIDC + many proxy buffer hacks --- machines/core-services-01/keycloak.nix | 7 +++++++ machines/core-services-01/monitoring.nix | 25 +++++++++++++++++------- 2 files changed, 25 insertions(+), 7 deletions(-) diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix index e7d48e5..7bf36d0 100644 --- a/machines/core-services-01/keycloak.nix +++ b/machines/core-services-01/keycloak.nix 
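Review bot: `cookie.domain = ".rz.ens.wtf"` scopes the oauth2-proxy session cookie to every host under rz.ens.wtf, so any vhost on any subdomain — including ones served from other machines in this repo, such as `nuage.beta.rz.ens.wtf` on public-cof — receives the session cookie, and a compromise of one of them becomes a session compromise for all of them. That is a deliberate SSO trade-off, but it should be written down next to the setting: `# shared by every *.rz.ens.wtf vhost: all hosts under this domain see the session cookie`. The cookie's `secure`/`httpOnly` behaviour is left to the module defaults here; setting them explicitly alongside `name`/`domain` would make the intent reviewable.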
@@ -32,6 +32,13 @@ in enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; + + extraConfig = '' + # For large authentication-authorization headers + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + ''; }; }; } diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index b0872cd..3aa17e9 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -115,22 +115,25 @@ in services.oauth2_proxy = { enable = true; keyFile = config.age.secrets.oauth2ProxyKeyFile.path; - provider = "keycloak"; + provider = "keycloak-oidc"; email.domains = [ "*" ]; cookie = { name = "_oauth2_proxy_ensrz"; domain = ".rz.ens.wtf"; }; setXauthrequest = true; - scope = "profile"; - loginURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/auth"; - redeemURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/token"; - profileURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo"; - validateURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo"; + scope = "openid"; redirectURL = "https://monitoring.${my.subZone}/oauth2/callback"; reverseProxy = true; passHostHeader = true; + extraConfig = { + whitelist-domain = [ ".rz.ens.wtf" ]; + oidc-issuer-url = "https://auth.${my.subZone}/auth/realms/${realm}"; + # insecure-oidc-allow-unverified-email = true; + show-debug-on-error = true; + }; + nginx = { virtualHosts = [ "monitoring.${my.subZone}" ]; }; @@ -143,7 +146,15 @@ in enableACME = true; forceSSL = true; - locations."/".proxyPass = "http://localhost:19999"; + locations."/" = { + proxyPass = "http://localhost:19999"; + extraConfig = '' + # For large authentication-authorization headers + proxy_buffer_size 256k; + proxy_buffers 4 512k; + proxy_busy_buffers_size 512k; + ''; + }; }; }; -- 2.49.0 
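Review bot: `show-debug-on-error = true;` in extraConfig makes oauth2_proxy render upstream OIDC error details on its error page to whoever triggers them, which is handy while wiring up Keycloak but should not stay enabled; set it to `false` or delete the line once the `keycloak-oidc` handshake works. `whitelist-domain = [ ".rz.ens.wtf" ];` lets the post-login `rd` redirect target any host in the zone, which is consistent with the zone-wide cookie but deserves a one-line comment stating that intent. The commented-out `insecure-oidc-allow-unverified-email` line is better removed than left as a reminder, so nobody re-enables it casually. Note that the context line `email.domains = [ "*" ]` already delegates authorization entirely to Keycloak realm membership, so any realm account reaches netdata.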
From 6b994c8591fd5a3298061899003226ff18c5b2e6 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Aug 2022 17:52:28 +0200 Subject: [PATCH 17/88] gitea: log only from WARN and up --- machines/core-services-01/gitea.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/machines/core-services-01/gitea.nix b/machines/core-services-01/gitea.nix index 9835ac1..ddfcbae 100644 --- a/machines/core-services-01/gitea.nix +++ b/machines/core-services-01/gitea.nix @@ -14,6 +14,9 @@ in httpPort = port; database.type = "postgres"; disableRegistration = false; + log = { + level = "Warn"; + }; settings = { openid = { ENABLE_OPENID_SIGNUP = true; -- 2.49.0 From 506e09994516c55a0910be5e994954f51187a1c9 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Aug 2022 18:52:06 +0200 Subject: [PATCH 18/88] monitoring: move to tiered dbengine with netdata nightly --- machines/core-services-01/monitoring.nix | 35 +++++++++++++++++++----- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 3aa17e9..2a8ac5f 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -34,7 +34,19 @@ let }; in { - services.netdata.enable = true; + services.netdata = { + enable = true; + package = pkgs.netdata.overrideAttrs (old: { + version = "1.35.0-nightly"; + src = pkgs.fetchFromGitHub { + owner = "netdata"; + repo = "netdata"; + rev = "955d1a7c61f4eab802648d563f84d978ebeb8fc4"; + sha256 = "sha256-gN44Df+k384NummsHls2JY1CinBaFK3cpdmmdZMbA44="; + fetchSubmodules = true; + }; + }); + }; # Allow WireGuard VPN networking.firewall.allowedUDPPorts = [ 51820 ]; 
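Review bot: `log.level = "Warn"` silences Gitea's Info-level output, which includes the router/access log that a fail2ban-style rule or an incident timeline would draw on; before relying on the quieter log, confirm that the events you care about (failed logins, admin actions) are still emitted at Warn or above. If the motivation is journal noise, consider keeping the access log switched on separately (Gitea's `[log]` section has its own access-log setting) and add `# Warn and up only: Info-level router log was too noisy` so the reason survives.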
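Review bot: the `overrideAttrs` pin to netdata commit `955d1a7…` carries no comment saying why the packaged release is insufficient, and the `version = "1.35.0-nightly"` string is not tied to that rev, so the next reader cannot tell when it is safe to drop. Add `# TODO: drop once nixpkgs ships netdata >= 1.35 (presumably needed for the tiered dbengine configured below)` next to the override. Be aware that `overrideAttrs` keeps the nixpkgs patches and configure flags written for the release version, which may not fit a nightly snapshot, and that a hand-pinned nightly receives no security fixes until someone bumps the rev.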
@@ -70,9 +82,18 @@ in group = "netdata"; mode = "0600"; text = '' - [global] - page cache size = 32 - dbengine multihost disk space = 23058 + [db] + mode = dbengine + storage tiers = 3 + update every = 1 + dbengine multihost disk space MB = 23000 + dbengine page cache size MB = 384 + dbengine tier 1 update every iterations = 60 + dbengine tier 1 multihost disk space MB = 10000 + dbengine tier 1 page cache size MB = 384 + dbengine tier 2 update every iterations = 3600 + dbengine tier 2 multihost disk space MB = 5000 + dbengine tier 2 page cache size MB = 384 ''; }; @@ -150,9 +171,9 @@ in proxyPass = "http://localhost:19999"; extraConfig = '' # For large authentication-authorization headers - proxy_buffer_size 256k; - proxy_buffers 4 512k; - proxy_busy_buffers_size 512k; + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; ''; }; }; -- 2.49.0 From ac0b6ef15b5ac440fdc10af9694869e8e77ed944 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sun, 14 Aug 2022 22:25:34 +0200 Subject: [PATCH 19/88] Update networking interface --- machines/remote-builder-01/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 1c6245b..6f4803c 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -26,7 +26,7 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.ens18.useDHCP = true; + networking.interfaces.ens19.useDHCP = true; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; -- 2.49.0 From 5170bdff650e329d808cd4012f241f2bb292b9f7 Mon Sep 17 00:00:00 2001 
From: gabriel-doriath-dohler Date: Sun, 14 Aug 2022 22:27:15 +0200 Subject: [PATCH 20/88] Cleanups --- machines/remote-builder-01/configuration.nix | 14 ++++----- machines/remote-builder-01/programs.nix | 24 --------------- machines/remote-builder-01/system.nix | 13 +------- machines/remote-builder-01/vim.nix | 31 -------------------- 4 files changed, 8 insertions(+), 74 deletions(-) delete mode 100644 machines/remote-builder-01/programs.nix delete mode 100644 machines/remote-builder-01/vim.nix diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 6f4803c..63a078d 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -1,13 +1,11 @@ { config, pkgs, ... }: { - imports = - [ - ./hardware-configuration.nix - ./programs.nix - ./system.nix - # TODO monitoring - ]; + imports = [ + ./hardware-configuration.nix + ./system.nix + # TODO monitoring + ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; @@ -54,6 +52,8 @@ enableSSHSupport = true; }; + programs.mosh.enable = true; + # List services that you want to enable: services.zfs.autoScrub.enable = true; diff --git a/machines/remote-builder-01/programs.nix b/machines/remote-builder-01/programs.nix deleted file mode 100644 index e7e4afc..0000000 --- a/machines/remote-builder-01/programs.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ pkgs, ... }: -let pkgsList = with pkgs; [ - nix-prefetch-git - dnsutils - - unzip - zip - ripgrep - - niv - nixfmt - ]; -in -{ - imports = [ - ./vim.nix - ]; - programs = { - tmux.enable = true; - mosh.enable = true; - }; - - environment.systemPackages = pkgsList; -} diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix index f2c68d1..dc2362e 100644 --- a/machines/remote-builder-01/system.nix +++ b/machines/remote-builder-01/system.nix 
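Review bot: `programs.mosh.enable = true;` re-adds mosh after programs.nix is deleted, but on nixos-22.05 the module also opens UDP 60000–61000 in the firewall by default (`programs.mosh.openFirewall`, as far as I recall), which widens the builder's exposure beyond sshd. If that is intended, say so beside the line, e.g. `# NOTE: also opens UDP 60000-61000 (openFirewall defaults to true)`; otherwise add `openFirewall = false;` and keep SSH as the only entry point. The deleted programs.nix also enabled tmux, which this cleanup drops silently; a word in the commit message would help if that was deliberate.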
@@ -1,14 +1,8 @@ { pkgs, ... }: { - # # Auto upgrades - # system.autoUpgrade = { - # enable = false; # TODO(Ryan): do not enable, it will break deployments. - # allowReboot = false; - # }; - # Auto GC and store optimizations nix = { - trustedUsers = [ "root" "gab" ]; + trustedUsers = [ "root" ]; gc = { automatic = true; dates = "weekly"; @@ -20,9 +14,4 @@ max-free = ${toString (1024 * 1024 * 1024)} ''; }; - - services.locate = { - enable = true; - interval = "04:05"; - }; } diff --git a/machines/remote-builder-01/vim.nix b/machines/remote-builder-01/vim.nix deleted file mode 100644 index bed8752..0000000 --- a/machines/remote-builder-01/vim.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ pkgs, ... }: -{ - environment.variables = { EDITOR = "vim"; }; - - environment.systemPackages = with pkgs; [ - nixfmt - git - (neovim.override { - vimAlias = true; - configure = { - packages.myPlugins = with pkgs.vimPlugins; { - start = [ vim-lastplace vim-nix ]; - opt = []; - }; - customRC = '' - set encoding=utf-8 - set wildmenu - - set nocompatible - set backspace=indent,eol,start - set cursorline - hi CursorLine term=bold cterm=bold ctermbg=darkgrey - set number - set relativenumber - set tabstop=4 - set expandtab - ''; - }; - } - )]; -} -- 2.49.0 From a5f3e0588944554ba71904bd905351e399379c4a Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Sun, 14 Aug 2022 22:27:28 +0200 Subject: [PATCH 21/88] Formatting --- machines/remote-builder-01/configuration.nix | 12 +++--------- machines/remote-builder-01/system.nix | 3 +-- 2 files changed, 4 insertions(+), 11 deletions(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 63a078d..c346646 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix 
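Review bot: `trustedUsers = [ "root" ];` is now a no-op, since root is always trusted by nix-daemon, so the line can go or be replaced by a comment recording that no human user is trusted; removing `gab` is the right least-privilege call, because trusted users can push arbitrary store paths and set substituters, which is root-equivalent. On nixos-22.05 (the ref pinned in krops.nix) `nix.trustedUsers` is, I believe, the legacy alias for `nix.settings.trusted-users`, so if the line stays, `nix.settings.trusted-users = [ "root" ];` avoids the rename warning. The gc/optimise settings below are untouched and the `nix` block continues outside the hunk.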
@@ -39,10 +39,7 @@ # List packages installed in system profile. To search, run: # $ nix search wget - environment.systemPackages = with pkgs; [ - vim - wget - ]; + environment.systemPackages = with pkgs; [ vim wget ]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. @@ -60,11 +57,8 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ./pubkeys/gdd.keys - ./pubkeys/raito.keys - ./pubkeys/remote-builders.keys - ]; + users.users.root.openssh.authorizedKeys.keyFiles = + [ ./pubkeys/gdd.keys ./pubkeys/raito.keys ./pubkeys/remote-builders.keys ]; # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix index dc2362e..9bb13cf 100644 --- a/machines/remote-builder-01/system.nix +++ b/machines/remote-builder-01/system.nix @@ -1,5 +1,4 @@ -{ pkgs, ... }: -{ +{ pkgs, ... }: { # Auto GC and store optimizations nix = { trustedUsers = [ "root" ]; -- 2.49.0 From f7b6fdf07a030563b9150df65ea5bc0431df0e96 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 00:00:55 +0200 Subject: [PATCH 22/88] Fix remote builder ip address --- machines/core-services-01/subZone.nix | 2 +- machines/remote-builder-01/configuration.nix | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 2738afe..4495c29 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -10,7 +10,7 @@ let delegateACMEDNSChallenge = acme: { _acme-challenge.CNAME = [ acme ]; }; remoteBuilders = { - nix01 = [ "2001:470:1f13:187:1e07:c670:3958:f8f1" ]; + nix01 = [ "2001:470:1f13:187:611:4514:d93a:f80a" ]; }; dualstack = { A = my.ipv4; 
diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index c346646..d624f04 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -24,7 +24,13 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.ens19.useDHCP = true; + networking.interfaces.ens19 = { + useDHCP = true; + ipv6.addresses = [{ + address = "2001:470:1f13:187:611:4514:d93a:f80a"; + prefixLength = 64; + }]; + }; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; -- 2.49.0 From 3f10516b6f4b5e2653f5a0ec386dd35f296cc698 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 00:20:07 +0200 Subject: [PATCH 23/88] Add kitty terminfo --- machines/remote-builder-01/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index d624f04..5c11e95 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -45,7 +45,7 @@ # List packages installed in system profile. To search, run: # $ nix search wget - environment.systemPackages = with pkgs; [ vim wget ]; + environment.systemPackages = with pkgs; [ vim wget kitty.terminfo ]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. -- 2.49.0 From 816e084deb6b197e5e5aa3d0a3e0c5cba6e75e7b Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 01:20:35 +0200 Subject: [PATCH 24/88] Change rpool layout and disk id --- .../hardware-configuration.nix | 32 +++++++------------ 1 file changed, 12 insertions(+), 20 deletions(-) 
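Review bot: the address `2001:470:1f13:187:611:4514:d93a:f80a` now appears twice — here in `ipv6.addresses` and in subZone.nix's `remoteBuilders.nix01` — with nothing tying the two together, so the next renumber will desynchronise DNS from the host again, which is exactly the drift this commit fixes. Define it once, for example in the shared attrset the zone file already reads (`my.*`), and reference it from both places, or at minimum add `# keep in sync with machines/core-services-01/subZone.nix` beside each copy. Pairing a static v6 address with `useDHCP = true` on the same interface is fine if DHCP is only expected to provide v4, but that assumption deserves a one-line comment.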
diff --git a/machines/remote-builder-01/hardware-configuration.nix b/machines/remote-builder-01/hardware-configuration.nix index f80b2c7..b68c73b 100644 --- a/machines/remote-builder-01/hardware-configuration.nix +++ b/machines/remote-builder-01/hardware-configuration.nix @@ -4,32 +4,24 @@ { config, lib, pkgs, modulesPath, ... }: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = + [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "rpool/root/nixos"; - fsType = "zfs"; - }; + fileSystems."/" = { + device = "rpool/root/nixos"; + fsType = "zfs"; + }; - fileSystems."/home" = - { device = "rpool/home"; - fsType = "zfs"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/4BC6-A750"; + fsType = "vfat"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/3341-A3B9"; - fsType = "vfat"; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/1f624fe3-1fc5-44f4-9529-812558ffba42"; } - ]; + swapDevices = [ ]; } -- 2.49.0 From 122c0deeac2cfec93c2fcb808b2b9cf7506e0c20 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 01:33:02 +0200 Subject: [PATCH 25/88] DHCP on ens19 and ens18 + set ip on ens18 --- machines/remote-builder-01/configuration.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 5c11e95..8917745 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix 
@@ -24,13 +24,14 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.ens19 = { + networking.interfaces.ens18 = { useDHCP = true; ipv6.addresses = [{ address = "2001:470:1f13:187:611:4514:d93a:f80a"; prefixLength = 64; }]; }; + networking.interfaces.ens19.useDHCP = true; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; -- 2.49.0 From bb668034b1b84e856e3d0ac17e28e9c03e7a57af Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 02:59:45 +0200 Subject: [PATCH 26/88] Cleanups --- machines/remote-builder-01/configuration.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 8917745..dc4d7bf 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -33,10 +33,6 @@ }; networking.interfaces.ens19.useDHCP = true; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; console = { @@ -45,7 +41,6 @@ }; # List packages installed in system profile. To search, run: - # $ nix search wget environment.systemPackages = with pkgs; [ vim wget kitty.terminfo ]; # Some programs need SUID wrappers, can be configured further or are -- 2.49.0 From 4375b29d50ae64d4afe7b6d64d8b2b27fda03444 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 03:00:30 +0200 Subject: [PATCH 27/88] Aarch64 emulation --- machines/remote-builder-01/configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index dc4d7bf..ebcd1a9 100644 
--- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -43,6 +43,8 @@ # List packages installed in system profile. To search, run: environment.systemPackages = with pkgs; [ vim wget kitty.terminfo ]; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + # Some programs need SUID wrappers, can be configured further or are # started in user sessions. programs.mtr.enable = true; -- 2.49.0 From 85ab8d8071a2dd78c933fdc10ee3392af3e1e1c9 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 23:59:59 +0000 Subject: [PATCH 28/88] Install git Needed for deployments with krops. --- machines/remote-builder-01/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index ebcd1a9..a28068c 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -41,7 +41,7 @@ }; # List packages installed in system profile. To search, run: - environment.systemPackages = with pkgs; [ vim wget kitty.terminfo ]; + environment.systemPackages = with pkgs; [ vim wget kitty.terminfo git ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; -- 2.49.0 From 16f4ad94b17bc520b5e1f55f1ca316951068fcdf Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 03:19:33 +0200 Subject: [PATCH 29/88] Add public-cof to README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 0a227f8..9baf068 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ Refer to wiki for details. - `core-services-01` +- `public-cof` - `remote-builder-01` ## How to deploy a machine? -- 2.49.0 From ba5086a2375d5ca9b510063f996163beb523d6dc Mon Sep 17 00:00:00 2001 
From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 03:28:40 +0200 Subject: [PATCH 30/88] Centralize pubkeys --- machines/core-services-01/configuration.nix | 6 +++--- machines/core-services-01/netboot-server.nix | 4 ++-- machines/core-services-01/secrets/secrets.nix | 2 +- machines/public-cof/configuration.nix | 6 +++--- machines/public-cof/pubkeys/gdd.keys | 2 -- machines/public-cof/pubkeys/mrf.keys | 1 - machines/public-cof/pubkeys/raito.keys | 4 ---- machines/public-cof/secrets/secrets.nix | 2 +- machines/remote-builder-01/configuration.nix | 7 +++++-- machines/remote-builder-01/pubkeys/gdd.keys | 2 -- machines/remote-builder-01/pubkeys/hackens-milieu.keys | 1 - machines/remote-builder-01/pubkeys/raito.keys | 4 ---- {machines/core-services-01/pubkeys => pubkeys}/gdd.keys | 0 .../pubkeys => pubkeys}/hackens-milieu.keys | 0 {machines/core-services-01/pubkeys => pubkeys}/mrf.keys | 0 {machines/core-services-01/pubkeys => pubkeys}/raito.keys | 0 .../pubkeys => pubkeys}/remote-builders.keys | 0 17 files changed, 15 insertions(+), 26 deletions(-) delete mode 100644 machines/public-cof/pubkeys/gdd.keys delete mode 100644 machines/public-cof/pubkeys/mrf.keys delete mode 100644 machines/public-cof/pubkeys/raito.keys delete mode 100644 machines/remote-builder-01/pubkeys/gdd.keys delete mode 100644 machines/remote-builder-01/pubkeys/hackens-milieu.keys delete mode 100644 machines/remote-builder-01/pubkeys/raito.keys rename {machines/core-services-01/pubkeys => pubkeys}/gdd.keys (100%) rename {machines/core-services-01/pubkeys => pubkeys}/hackens-milieu.keys (100%) rename {machines/core-services-01/pubkeys => pubkeys}/mrf.keys (100%) rename {machines/core-services-01/pubkeys => pubkeys}/raito.keys (100%) rename {machines/remote-builder-01/pubkeys => pubkeys}/remote-builders.keys (100%) diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 8af8554..d3f334a 100644 --- a/machines/core-services-01/configuration.nix 
+++ b/machines/core-services-01/configuration.nix @@ -76,9 +76,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ./pubkeys/gdd.keys - ./pubkeys/raito.keys - ./pubkeys/mrf.keys + ../../pubkeys/gdd.keys + ../../pubkeys/raito.keys + ../../pubkeys/mrf.keys ]; # Open ports in the firewall. diff --git a/machines/core-services-01/netboot-server.nix b/machines/core-services-01/netboot-server.nix index 5b291bf..14f4d40 100644 --- a/machines/core-services-01/netboot-server.nix +++ b/machines/core-services-01/netboot-server.nix @@ -13,8 +13,8 @@ let # Enable sshd wich gets disabled by netboot-minimal.nix systemd.services.sshd.wantedBy = mkOverride 0 [ "multi-user.target" ]; users.users.root.openssh.authorizedKeys.keyFiles = [ - ./pubkeys/gdd.keys - ./pubkeys/raito.keys + ../../pubkeys/gdd.keys + ../../pubkeys/raito.keys ]; programs.mosh.enable = true; diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index 4d09d1e..a581591 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -1,7 +1,7 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf"); core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU"; systems = [ core-services-01 ]; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index b47cf2c..46afed6 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix 
@@ -45,9 +45,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ./pubkeys/gdd.keys - ./pubkeys/raito.keys - ./pubkeys/mrf.keys + ../../pubkeys/gdd.keys + ../../pubkeys/raito.keys + ../../pubkeys/mrf.keys ]; system.stateVersion = "21.05"; diff --git a/machines/public-cof/pubkeys/gdd.keys b/machines/public-cof/pubkeys/gdd.keys deleted file mode 100644 index b5d4e40..0000000 --- a/machines/public-cof/pubkeys/gdd.keys +++ /dev/null @@ -1,2 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ diff --git a/machines/public-cof/pubkeys/mrf.keys b/machines/public-cof/pubkeys/mrf.keys deleted file mode 100644 index ebbfa68..0000000 --- a/machines/public-cof/pubkeys/mrf.keys +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe4tx0+lNX2w7kG94c9u7U0wHuOc2A6zpHcbyAs+w/d diff --git a/machines/public-cof/pubkeys/raito.keys b/machines/public-cof/pubkeys/raito.keys deleted file mode 100644 index 0f48a59..0000000 --- a/machines/public-cof/pubkeys/raito.keys +++ /dev/null @@ -1,4 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index 4fe0e66..798cb84 100644 --- a/machines/public-cof/secrets/secrets.nix 
+++ b/machines/public-cof/secrets/secrets.nix @@ -1,7 +1,7 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; systems = [ public-cof ]; diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index a28068c..41936bd 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -61,8 +61,11 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = - [ ./pubkeys/gdd.keys ./pubkeys/raito.keys ./pubkeys/remote-builders.keys ]; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../../pubkeys/gdd.keys + ../../pubkeys/raito.keys + ../../pubkeys/remote-builders.keys + ]; # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; diff --git a/machines/remote-builder-01/pubkeys/gdd.keys b/machines/remote-builder-01/pubkeys/gdd.keys deleted file mode 100644 index b5d4e40..0000000 --- a/machines/remote-builder-01/pubkeys/gdd.keys +++ /dev/null @@ -1,2 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ diff --git a/machines/remote-builder-01/pubkeys/hackens-milieu.keys b/machines/remote-builder-01/pubkeys/hackens-milieu.keys deleted file mode 100644 index c79c039..0000000 --- a/machines/remote-builder-01/pubkeys/hackens-milieu.keys +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3+w4+nyJG8lr2mh0S9Zf8j2/6H5smlO87s6KNLlhkF hackens@hackens-milieu 
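Review bot: `../../pubkeys/remote-builders.keys` is authorized for `root` on remote-builder-01, so every host holding one of those keys gets an unrestricted root shell on the builder; if those keys exist only so other machines can offload Nix builds (inferred from the file name), a dedicated unprivileged account listed in `nix.settings.trusted-users` (`nix.trustedUsers` on this release) should be enough for `ssh-ng://` remote builds and confines a leaked builder key to the Nix store. Concretely: `users.users.nixremote = { isNormalUser = true; openssh.authorizedKeys.keyFiles = [ ../../pubkeys/remote-builders.keys ]; };` together with `nix.trustedUsers = [ "nixremote" ];`, and drop the file from root's list. Centralising the key files also means one edit to gdd.keys or raito.keys changes access on all three hosts at once, which is the point but is worth stating in the commit message.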
diff --git a/machines/remote-builder-01/pubkeys/raito.keys b/machines/remote-builder-01/pubkeys/raito.keys deleted file mode 100644 index 0f48a59..0000000 --- a/machines/remote-builder-01/pubkeys/raito.keys +++ /dev/null @@ -1,4 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr diff --git a/machines/core-services-01/pubkeys/gdd.keys b/pubkeys/gdd.keys similarity index 100% rename from machines/core-services-01/pubkeys/gdd.keys rename to pubkeys/gdd.keys diff --git a/machines/core-services-01/pubkeys/hackens-milieu.keys b/pubkeys/hackens-milieu.keys similarity index 100% rename from machines/core-services-01/pubkeys/hackens-milieu.keys rename to pubkeys/hackens-milieu.keys diff --git a/machines/core-services-01/pubkeys/mrf.keys b/pubkeys/mrf.keys similarity index 100% rename from machines/core-services-01/pubkeys/mrf.keys rename to pubkeys/mrf.keys diff --git a/machines/core-services-01/pubkeys/raito.keys b/pubkeys/raito.keys similarity index 100% rename from machines/core-services-01/pubkeys/raito.keys rename to pubkeys/raito.keys diff --git a/machines/remote-builder-01/pubkeys/remote-builders.keys b/pubkeys/remote-builders.keys similarity index 100% rename from machines/remote-builder-01/pubkeys/remote-builders.keys rename to pubkeys/remote-builders.keys -- 2.49.0 From c5aa20dffabdfa1377b94cecb9842cbf1da66138 Mon Sep 17 00:00:00 2001 
From: gabriel-doriath-dohler Date: Mon, 15 Aug 2022 23:59:59 +0000 Subject: [PATCH 31/88] Move pubkeys in ./machines This is required by the current krops setup. --- machines/core-services-01/configuration.nix | 6 +++--- machines/core-services-01/netboot-server.nix | 4 ++-- machines/core-services-01/secrets/secrets.nix | 2 +- {pubkeys => machines/pubkeys}/gdd.keys | 0 {pubkeys => machines/pubkeys}/hackens-milieu.keys | 0 {pubkeys => machines/pubkeys}/mrf.keys | 0 {pubkeys => machines/pubkeys}/raito.keys | 0 {pubkeys => machines/pubkeys}/remote-builders.keys | 0 machines/public-cof/configuration.nix | 6 +++--- machines/public-cof/secrets/secrets.nix | 2 +- machines/remote-builder-01/configuration.nix | 6 +++--- 11 files changed, 13 insertions(+), 13 deletions(-) rename {pubkeys => machines/pubkeys}/gdd.keys (100%) rename {pubkeys => machines/pubkeys}/hackens-milieu.keys (100%) rename {pubkeys => machines/pubkeys}/mrf.keys (100%) rename {pubkeys => machines/pubkeys}/raito.keys (100%) rename {pubkeys => machines/pubkeys}/remote-builders.keys (100%) diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index d3f334a..5f0e145 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -76,9 +76,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/gdd.keys - ../../pubkeys/raito.keys - ../../pubkeys/mrf.keys + ../pubkeys/gdd.keys + ../pubkeys/raito.keys + ../pubkeys/mrf.keys ]; # Open ports in the firewall. diff --git a/machines/core-services-01/netboot-server.nix b/machines/core-services-01/netboot-server.nix index 14f4d40..1c28cd8 100644 --- a/machines/core-services-01/netboot-server.nix +++ b/machines/core-services-01/netboot-server.nix 
@@ -13,8 +13,8 @@ let # Enable sshd wich gets disabled by netboot-minimal.nix systemd.services.sshd.wantedBy = mkOverride 0 [ "multi-user.target" ]; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/gdd.keys - ../../pubkeys/raito.keys + ../pubkeys/gdd.keys + ../pubkeys/raito.keys ]; programs.mosh.enable = true; diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index a581591..0455e41 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -1,7 +1,7 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf"); core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU"; systems = [ core-services-01 ]; diff --git a/pubkeys/gdd.keys b/machines/pubkeys/gdd.keys similarity index 100% rename from pubkeys/gdd.keys rename to machines/pubkeys/gdd.keys diff --git a/pubkeys/hackens-milieu.keys b/machines/pubkeys/hackens-milieu.keys similarity index 100% rename from pubkeys/hackens-milieu.keys rename to machines/pubkeys/hackens-milieu.keys diff --git a/pubkeys/mrf.keys b/machines/pubkeys/mrf.keys similarity index 100% rename from pubkeys/mrf.keys rename to machines/pubkeys/mrf.keys diff --git a/pubkeys/raito.keys b/machines/pubkeys/raito.keys similarity index 100% rename from pubkeys/raito.keys rename to machines/pubkeys/raito.keys diff --git a/pubkeys/remote-builders.keys b/machines/pubkeys/remote-builders.keys similarity index 100% rename from pubkeys/remote-builders.keys rename to machines/pubkeys/remote-builders.keys 
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 46afed6..a99f713 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -45,9 +45,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/gdd.keys - ../../pubkeys/raito.keys - ../../pubkeys/mrf.keys + ../pubkeys/gdd.keys + ../pubkeys/raito.keys + ../pubkeys/mrf.keys ]; system.stateVersion = "21.05"; diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index 798cb84..3f8a62a 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -1,7 +1,7 @@ let pkgs = import {}; lib = pkgs.lib; - readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))); + readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; systems = [ public-cof ]; diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index 41936bd..ad971fb 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -62,9 +62,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../pubkeys/gdd.keys - ../../pubkeys/raito.keys - ../../pubkeys/remote-builders.keys + ../pubkeys/gdd.keys + ../pubkeys/raito.keys + ../pubkeys/remote-builders.keys ]; # Open ports in the firewall. -- 2.49.0 From 7f5f3213acb9ce03638aefdb8c0389ad2f9cee9b Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Mon, 15 Aug 2022 13:31:27 +0200 Subject: [PATCH 32/88] hotfix: disable student calendar --- machines/public-cof/nginx.nix | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/machines/public-cof/nginx.nix b/machines/public-cof/nginx.nix index 9f62800..2d5cf61 100644 --- a/machines/public-cof/nginx.nix +++ b/machines/public-cof/nginx.nix @@ -29,14 +29,15 @@ in recommendedTlsSettings = true; virtualHosts = { - "home.beta.rz.ens.wtf" = { - serverAliases = [ "beta.rz.ens.wtf" ]; - default = true; - forceSSL = true; - enableACME = true; - root = "/var/public-cof/home"; - locations = builtins.listToAttrs (map mkCloudLocation clouds); - }; +# FIXME: factorize and remove it, it has been superseded by eleves.ens.fr/calendrier +# "home.beta.rz.ens.wtf" = { +# serverAliases = [ "beta.rz.ens.wtf" ]; +# default = true; +# forceSSL = true; +# enableACME = true; +# root = "/var/public-cof/home"; +# locations = builtins.listToAttrs (map mkCloudLocation clouds); +# }; }; }; -- 2.49.0 From 86de42442d2206435a849e8d7fe5a2d9bb878dec Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 17 Aug 2022 18:06:26 +0200 Subject: [PATCH 33/88] feat: add rstudio.beta.rz.ens.wtf basic features --- machines/core-services-01/subZone.nix | 1 + machines/public-cof/configuration.nix | 1 + .../public-cof/rstudio-server/default.nix | 34 +++++++++++++++++++ 3 files changed, 36 insertions(+) create mode 100644 machines/public-cof/rstudio-server/default.nix diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 4495c29..a0f9fc4 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -70,6 +70,7 @@ dualstack // { }; docs = public-cof-ips; jurisprudens = public-cof-ips; + rstudio = public-cof-ips; }; }; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index a99f713..18ae3d0 100644 --- a/machines/public-cof/configuration.nix 
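Review bot: Commenting out the `home.beta.rz.ens.wtf` vhost removes the only server block that set `default = true`, so nginx no longer has an explicit default server on this listen address; requests whose Host/SNI matches no configured name will be answered by whichever remaining vhost nginx picks first, with that vhost's certificate, instead of being refused. The apex alias `beta.rz.ens.wtf` also loses its vhost in this hunk. If the page is gone for good, a minimal catch-all keeps unknown names from landing on an unrelated service, e.g. `"_" = { default = true; locations."/".return = "444"; };`, and the dead block can then be deleted rather than carried under the FIXME.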
+++ b/machines/public-cof/configuration.nix @@ -11,6 +11,7 @@ ./monitoring.nix ./nextcloud.nix ./minecraft.nix + ./rstudio-server ./nur.nix # ./factorio.nix # TODO ./nginx.nix diff --git a/machines/public-cof/rstudio-server/default.nix b/machines/public-cof/rstudio-server/default.nix new file mode 100644 index 0000000..3a73a6a --- /dev/null +++ b/machines/public-cof/rstudio-server/default.nix @@ -0,0 +1,34 @@ +{ pkgs, ... }: +let + port = 19000; +in +{ + services.rstudio-server = { + enable = true; + rserverExtraConfig = '' + www-port = ${toString port} + ''; + + package = pkgs.rstudioServerWrapper.override { + packages = with pkgs.rPackages; [ + ggplot2 + rmarkdown + dplyr + ]; + }; + }; + + users.users.ruser = { + isNormalUser = true; + hashedPassword = "$6$pTXXVh8NfE.M8VPc$q0fFh3Y7Y0DauLCcZLgJzFciq1wkjoHmO61XpOrZLH3a1M32ZzOMbjx2XMm2QxrUncbx6hGerY/lD8rQ8InS4."; + }; + + services.nginx.virtualHosts."rstudio.beta.rz.ens.wtf" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:${toString port}"; + proxyWebsockets = true; + }; + }; +} -- 2.49.0 From dc971eff71754648527ab7a06bd40ba6a89c2c0c Mon Sep 17 00:00:00 2001 
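Review bot: `users.users.ruser.hashedPassword` commits a password hash into the repository, while the rest of this tree keeps credentials in agenix (`age.secrets.*` in the core01 commits on this page); a SHA-512-crypt hash in git is offline-crackable by anyone with read access to the repo and cannot be rotated without a new commit. Prefer `passwordFile = config.age.secrets.<placeholder-secret>.path;` with the hash stored as an encrypted secret, which also requires adding `config` to the module arguments. A short comment on the user, `# shell user for RStudio logins only; credential lives in agenix`, would document why a normal user exists on a web host.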
From: Raito Bezarius Date: Tue, 6 Sep 2022 01:06:39 +0200 Subject: [PATCH 34/88] =?UTF-8?q?feat(core01):=20add=20inventory.rz.ens.wt?= =?UTF-8?q?f=20=E2=86=92=20snipe-it=20instance?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/core-services-01/configuration.nix | 1 + machines/core-services-01/secrets/default.nix | 2 ++ machines/core-services-01/secrets/secrets.nix | 2 ++ .../secrets/snipeItAppKey.age | 27 +++++++++++++++++++ .../secrets/snipeItOidcClientSecret.age | 26 ++++++++++++++++++ machines/core-services-01/snipe-it.nix | 19 +++++++++++++ machines/core-services-01/subZone.nix | 1 + 7 files changed, 78 insertions(+) create mode 100644 machines/core-services-01/secrets/snipeItAppKey.age create mode 100644 machines/core-services-01/secrets/snipeItOidcClientSecret.age create mode 100644 machines/core-services-01/snipe-it.nix diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 5f0e145..dcf85af 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -20,6 +20,7 @@ ./acme-dns.nix ./backups.nix ./headscale.nix + ./snipe-it.nix # ./dex.nix ./oauth2_proxy.nix ./secrets diff --git a/machines/core-services-01/secrets/default.nix b/machines/core-services-01/secrets/default.nix index 452d42e..a02981b 100644 --- a/machines/core-services-01/secrets/default.nix +++ b/machines/core-services-01/secrets/default.nix @@ -5,4 +5,6 @@ age.secrets.droneKeyFile.file = ./droneKeyFile.age; age.secrets.dexGiteaClientSecret.file = ./dexGiteaClientSecret.age; age.secrets.matterbridge.file = ./matterbridge.age; + age.secrets.snipeItAppKey.file = ./snipeItAppKey.age; + age.secrets.snipeItOidcClientSecret.file = ./snipeItOidcClientSecret.age; } diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index 0455e41..9925641 100644 
--- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -12,5 +12,7 @@ in "droneKeyFile.age".publicKeys = superadmins ++ systems; "dexGiteaClientSecret.age".publicKeys = superadmins ++ systems; "matterbridge.age".publicKeys = superadmins ++ systems; + "snipeItAppKey.age".publicKeys = superadmins ++ systems; + "snipeItOidcClientSecret.age".publicKeys = superadmins ++ systems; } diff --git a/machines/core-services-01/secrets/snipeItAppKey.age b/machines/core-services-01/secrets/snipeItAppKey.age new file mode 100644 index 0000000..3a393c2 --- /dev/null +++ b/machines/core-services-01/secrets/snipeItAppKey.age 
@@ -0,0 +1,27 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +i/TW/dUpeS8QL9ZJg7xKdGW65D1SWFjMpolf1BgEs3hm6uI2W3RWUb5S1PEs6HdF +l/yiJtZeBC0e0QbaQ776fiy0MSmuMgcRbJJ1rjloGwFzwwvtqhQMG8rLp70IPZoV +F6sUz4jKHaEjIVVbRokdfIKMSnhRXnbW5domOxPmZjXck7YxaR1zqD4S9PtH12Q/ +P+l/IVS6+tuWlaTs+1FY2pQ0ppPkwxBirm+4/dxD7E5MkOT0OFcpopI225u2vJAz +Hfk6SBhWuOu2GFfLDS3sS+50kvx1MNvMeb9qVYHkxE8tXhJxOpykkzwYktYp17jY +m+rh1gMPt+mZV2ELaZkGjQ +-> ssh-ed25519 85WiGg TSVInZQdH1ZbhSG+FptwCu96UX1SHAhQNculIk8nVF4 +L1ptiGhMZN78uu1TQ2qVV73+lhlgD34g7xt/AL268Dk +-> ssh-ed25519 reTIKw vrZd8hFFywOmDJxAq58Tt4Wdq2ovft1IDJqCvkpRU1o +9TmODia85CwXZmzdxk6W4LCflCybq7O1WWoqG5vxENk +-> ssh-ed25519 /vwQcQ NSJNN/lRO6TbOQTlY9bT4kdEuP2hElmNIcKRI4ilrQY +eGIr9VQSrbG4hB2XQGYXquQVZIkLRq9g9+Ap25YSWSQ +-> ssh-ed25519 cvTB5g 24UlsKN0XaA6wW87zj5PkPy90LUmdJe80FV2LVLiwzk +57VJ2pf45+r7CgMdr/78ngWll12Se7dS993i+YKp3Vg +-> ssh-ed25519 Wu8JLQ wgWSOp5VQzF+pvL338wOwaJ3RIIi1I4SNqW+vT6NQF8 +HVTfWqmf9CnEkHFpu9NWYagwwBdW8NumwFcUvSlb9i8 +-> ssh-ed25519 h6AgbA ZRjMQkjz+sw2BZh/myaSnMgz8cngGM9wxQf6L6uPxE8 +OgYfhTQe4iB9SyL8iReQByA9N5VcUC/YvpvbPIgp/3U +-> ssh-ed25519 lHr4YQ JAnhqkgzuCDsmDYnRG/DL/MDrfA/0uCZ1kpZSWiuPw4 +uMPzV/uWAozlffoqIDtTcI5CI3FAzM5fzDuupAzgE4w +-> 3[k-grease l5" cr(}p5 s{\538Js +uR+N+zPd323E/1K5MdNaPzAeNYBYfbmmsxtQRufVjMj8jobBLhHq4RVJ/E57t8yv +4Cxp +--- 1iiPH5I9CDFZwZQwRbhKnqpZ08vTMP1u4pU3+hNpubk +ےf(Tח,4\hKT džq)e+}u 'hN/䶢6B4Kң \ No newline at end of file diff --git a/machines/core-services-01/secrets/snipeItOidcClientSecret.age b/machines/core-services-01/secrets/snipeItOidcClientSecret.age new file mode 100644 index 0000000..80300cc --- /dev/null +++ b/machines/core-services-01/secrets/snipeItOidcClientSecret.age 
@@ -0,0 +1,26 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +gPydOcolFG+axyXPVVYYjjr0hypl/xczmMM+W+BbfZFaAL0TqXpqRgjtZSNvA+oh ++JHdr+/8IHh2qCS2vtzuH5lAsjM4h4FPPnGixX1SI9eNH14b/Otmoa/OtQD4pHcB +PYbh1yh4AILggg1ZMdttS+FUuMtu2A6y2NZYSkbBLy9dwEdZNBs0/cX/xNEqK72V +JF0BuGYvchyJ4ec4/m1od94dVva5qKUvK6mr0u5XPXObEOdZ8jJwZodJjrpDaEHJ +/yt8svY6upoXIdM4dVbY0Ab1VCwXf+tbGuwypVJF2TkeVW5tbImxuoTPE5XNdKLF +XU6RfHzLjUnG1T+dObb9gQ +-> ssh-ed25519 85WiGg lVvfjaLUhjdWgRnz0supjMNc6pDpbeEy2Z0fFOc7dkQ +srngyi1Wdi1lcXFK7MJtqt2koZkopcXX+hOFENHXJgY +-> ssh-ed25519 reTIKw ubW5n+mkAgxwHT9okMRWoE9k5ZpWN7UQDrvRwgS3Xio +O7GRq35wulhSadIAJ7C0ekLQQVk209yGiSaWg/VNgYU +-> ssh-ed25519 /vwQcQ 0FZbpEDS3xuKyPOSExt4wb/Oi0xlTivdLlpKuXicqx8 +3ZMA31MUD76KNK1+yX2473wDSv0oyheT7jAmvnbPJNg +-> ssh-ed25519 cvTB5g 04++RfeztjNzyHMW7WhxdAWoWT5NyatCN8zf7xFYiCw +OWYQ3oFR+/NjY8skMpzd0eS9fsAeugO+loiq4ZqEVWo +-> ssh-ed25519 Wu8JLQ b5BEsw8GS+LUcLZ7h36WDHp1uunlVymEcCmAcs5xaHQ +4xs/EAPRD4Z/rL3zisjGmslVt7OHx+Kh1kJmdBAxED4 +-> ssh-ed25519 h6AgbA wNeprhlhTORbN4WFxWPJO0DV5vBVteE297O73EfngD4 +sceiHAg3S0aZ9xGIsw5VaPJkAWCci03SrHM520pb+Gw +-> ssh-ed25519 lHr4YQ v6dG659zPeUqbyT8To8oGf6Kp3y15Z2YjlzdLVK3FCI +wB7EFm4tsgkaYexLfQM+lkNtUr09GWlLnh7CbgX3Ifc +-> =-grease zZ5 e./C_ +z1vYPnfdTh+G0bc+UvV1EZMSfaNDsWiDHJ+W+1CB2+Z4pOnQt2jBFPYv7rE +--- LbcSlaucZaWsTqBR9PIA46r00cfJtG5ndinWSzsnl/0 +1h~sȰ#-FX/2.ZF?wE]ic.%b-wt܌q_%} \ No newline at end of file diff --git a/machines/core-services-01/snipe-it.nix b/machines/core-services-01/snipe-it.nix new file mode 100644 index 0000000..c1f3658 --- /dev/null +++ b/machines/core-services-01/snipe-it.nix 
@@ -0,0 +1,19 @@ +{ pkgs, config, ... }: +{ + services.snipe-it = { + enable = true; + hostName = "inventory.rz.ens.wtf"; + database.createLocally = true; + appKeyFile = config.age.secrets.snipeItAppKey.path; + + config = { + AUTH_METHOD = "oidc"; + OIDC_NAME = "Keycloak"; + OIDC_DISPLAY_NAME_CLAIMS = "name"; + OIDC_CLIENT_ID = "snipe-it"; + OIDC_CLIENT_SECRET = { _secret = config.age.secrets.snipeItOidcClientSecret.path; }; + OIDC_ISSUER = "https://auth.rz.ens.wtf/auth/realms/ClubReseau"; + OIDC_ISSUER_DISCOVER = true; + }; + }; +} diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index a0f9fc4..a3a0573 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -38,6 +38,7 @@ dualstack // { auth = dualstack; push = dualstack; tailscale = dualstack; + inventory = dualstack; core01 = dualstack; ns1 = dualstack; -- 2.49.0 From 726bc5af0e6b599c6118aa54d929df5e1ee52a30 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 6 Sep 2022 01:33:17 +0200 Subject: [PATCH 35/88] feat(core01): enable TLS on inventory.rz.ens.wtf and fix secrets perms --- machines/core-services-01/snipe-it.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/machines/core-services-01/snipe-it.nix b/machines/core-services-01/snipe-it.nix index c1f3658..29f8530 100644 --- a/machines/core-services-01/snipe-it.nix +++ b/machines/core-services-01/snipe-it.nix 
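Review bot: `pkgs` is bound in the module arguments of snipe-it.nix but never used in the file; `{ config, ... }:` is sufficient and avoids suggesting a package override that does not exist. The secret handling itself is the right shape: `OIDC_CLIENT_SECRET = { _secret = …; }` and `appKeyFile` both reference the agenix path rather than inlining a value that would land in the Nix store.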
@@ -1,11 +1,26 @@ { pkgs, config, ... }: { + age.secrets.snipeItAppKey = { + owner = config.services.snipe-it.user; + group = config.services.snipe-it.group; + }; + + age.secrets.snipeItOidcClientSecret = { + owner = config.services.snipe-it.user; + group = config.services.snipe-it.group; + }; + services.snipe-it = { enable = true; hostName = "inventory.rz.ens.wtf"; database.createLocally = true; appKeyFile = config.age.secrets.snipeItAppKey.path; + nginx = { + enableACME = true; + forceSSL = true; + }; + config = { AUTH_METHOD = "oidc"; OIDC_NAME = "Keycloak"; -- 2.49.0 From 7284a9a2d62d4432521d13f8fbae8b165504e997 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 6 Sep 2022 01:33:26 +0200 Subject: [PATCH 36/88] meta: use root@core01.rz.ens.wtf rather than internal IP --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 770fcff..1a3a034 100644 --- a/krops.nix +++ b/krops.nix @@ -29,7 +29,7 @@ let inherit target; }; }; in {} -// mkDeploy "core-services-01" "root@10.1.1.20" +// mkDeploy "core-services-01" "root@core01.rz.ens.wtf" // mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" // mkDeploy "public-cof" "root@beta.rz.ens.wtf" // mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] -- 2.49.0 From c90e89bc7ae0e4eae304f64184dcc05f3dfc3223 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 15:21:59 +0200 Subject: [PATCH 37/88] feat: add traque.beta.rz.ens.wtf --- machines/core-services-01/subZone.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index a3a0573..a56f019 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix 
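Review bot: Setting `group` on both `age.secrets.*` entries has no visible effect unless `mode` is also widened: agenix installs secrets with mode `0400` by default, so only the `owner` (the snipe-it user) can read them, which is the intended outcome here. If group access is wanted later, state it explicitly with `mode = "0440";`; otherwise drop the two `group = …;` lines so the config does not suggest a permission that is not granted.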
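Review bot: Changing the deploy target to `root@core01.rz.ens.wtf` makes deployments to core01 depend on DNS that, judging by subZone.nix earlier on this page (`core01 = dualstack; ns1 = dualstack;`), appears to be served by core01 itself; a deploy that breaks the resolver or the zone would then leave no working target from which to push the fix. Keep the address reachable as a documented fallback, e.g. `# fallback if DNS is unavailable: root@10.1.1.20` beside the `mkDeploy` entry, or a second alias for emergencies. Also confirm the SSH known_hosts entry is pinned under the new hostname, since the host key is now matched against a different name.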
@@ -58,6 +58,10 @@ dualstack // { beta = public-cof-ips // { subdomains = { + traque = { + inherit (public-cof-ips) A; + AAAA = [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; + }; nuage = public-cof-ips; minecraft = public-cof-ips; factorio = public-cof-ips; -- 2.49.0 From 54163ed857b0101965df8f0a3ea25ad3332bad3e Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 15:29:51 +0200 Subject: [PATCH 38/88] =?UTF-8?q?feat(public-cof):=20add=20IPv4=20?= =?UTF-8?q?=E2=86=92=20IPv6=20proxy?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/core-services-01/subZone.nix | 6 ++--- machines/public-cof/configuration.nix | 1 + machines/public-cof/networking.nix | 4 +++- machines/public-cof/nix/sources.json | 12 ++++++++++ machines/public-cof/nix/sources.nix | 22 +++++++++++++++++- machines/public-cof/nur.nix | 3 +++ machines/public-cof/v6proxy/default.nix | 30 +++++++++++++++++++++++++ 7 files changed, 72 insertions(+), 6 deletions(-) create mode 100644 machines/public-cof/v6proxy/default.nix diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index a56f019..1655011 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -12,6 +12,7 @@ let remoteBuilders = { nix01 = [ "2001:470:1f13:187:611:4514:d93a:f80a" ]; }; + mkProxyRecord = AAAA: { inherit AAAA; A = [ "45.13.104.29" ]; }; dualstack = { A = my.ipv4; AAAA = my.ipv6.standard; @@ -58,10 +59,7 @@ dualstack // { beta = public-cof-ips // { subdomains = { - traque = { - inherit (public-cof-ips) A; - AAAA = [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; - }; + traque = mkProxyRecord [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; nuage = public-cof-ips; minecraft = public-cof-ips; factorio = public-cof-ips; diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 18ae3d0..fd43e30 100644 --- a/machines/public-cof/configuration.nix 
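Review bot: `mkProxyRecord` hard-codes the proxy's public address `45.13.104.29`, which is also written literally in machines/public-cof/networking.nix and machines/public-cof/v6proxy/default.nix later on this page; three copies of an address that must stay identical is how the DNS record and the listener drift apart. Give it a name in the file's `let` block alongside `remoteBuilders` and `dualstack`, e.g. `proxyIPv4 = "45.13.104.29"; # SNI proxy on public-cof, see public-cof/v6proxy`, and reference it from `mkProxyRecord`. Since every proxied name now has its A record pointing at the proxy, note that coupling in a comment so a future address change touches both places.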
+++ b/machines/public-cof/configuration.nix @@ -18,6 +18,7 @@ # ./cryptpad.nix ./hedgedoc.nix ./secrets + ./v6proxy # TODO monitoring ]; diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index ff648e5..a902953 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -32,7 +32,9 @@ in { }; interfaces.ens20 = { - ipv4.addresses = map mkAddress [ "45.13.104.27/32" ]; + # 1st is for public-cof + # 2nd is for IPv4 → IPv6 proxy in v6proxy/ + ipv4.addresses = map mkAddress [ "45.13.104.27/32" "45.13.104.29/32" ]; }; firewall.allowedTCPPorts = [ 22 ]; diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json index a6531e2..77826c4 100644 --- a/machines/public-cof/nix/sources.json +++ b/machines/public-cof/nix/sources.json @@ -29,6 +29,18 @@ "url": "https://github.com/nmattia/niv/archive/e0ca65c81a2d7a4d82a189f1e23a48d59ad42070.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, + "nixexprs": { + "branch": "master", + "description": "All my Nix expressions", + "homepage": null, + "owner": "RaitoBezarius", + "repo": "nixexprs", + "rev": "5fd6966844be775a272e932375d7982275ba2300", + "sha256": "1l5zgdgqbn7apw2ngqzid0sqrklx0rnj8sjid4ykx9156kdqjan5", + "type": "tarball", + "url": "https://github.com/RaitoBezarius/nixexprs/archive/5fd6966844be775a272e932375d7982275ba2300.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, "raito-nur": { "branch": "master", "description": "All my Nix expressions", diff --git a/machines/public-cof/nix/sources.nix b/machines/public-cof/nix/sources.nix index 1938409..9a01c8a 100644 --- a/machines/public-cof/nix/sources.nix +++ b/machines/public-cof/nix/sources.nix 
@@ -31,8 +31,28 @@ let if spec ? branch then "refs/heads/${spec.branch}" else if spec ? tag then "refs/tags/${spec.tag}" else abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + submodules = if spec ? submodules then spec.submodules else false; + submoduleArg = + let + nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0; + emptyArgWithWarning = + if submodules == true + then + builtins.trace + ( + "The niv input \"${name}\" uses submodules " + + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " + + "does not support them" + ) + {} + else {}; + in + if nixSupportsSubmodules + then { inherit submodules; } + else emptyArgWithWarning; in - builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; + builtins.fetchGit + ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg); fetch_local = spec: spec.path; diff --git a/machines/public-cof/nur.nix b/machines/public-cof/nur.nix index 7ca9d89..130ef29 100644 --- a/machines/public-cof/nur.nix +++ b/machines/public-cof/nur.nix @@ -3,6 +3,8 @@ let nivSources = import ./nix/sources.nix; rz-src = nivSources.klubrz-nur; rz-no-pkgs = (import nivSources.klubrz-nur {}); + raitobezarius-src = nivSources.nixexprs; + raitobezarius-no-pkgs = (import raitobezarius-src {}); in { nixpkgs.config.packageOverrides = { @@ -11,6 +13,7 @@ in imports = [ "${nivSources.agenix}/modules/age.nix" + raitobezarius-no-pkgs.modules.sniproxy ] ++ lib.attrValues rz-no-pkgs.modules; nixpkgs.overlays = []; diff --git a/machines/public-cof/v6proxy/default.nix b/machines/public-cof/v6proxy/default.nix new file mode 100644 index 0000000..e4f11d9 --- /dev/null +++ b/machines/public-cof/v6proxy/default.nix 
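Review bot: `raitobezarius-no-pkgs.modules.sniproxy` adds a NixOS module from a third-party repository to `imports`, which gives that code full authority over this host's configuration at evaluation time. The entry in nix/sources.json in this commit pins it by `rev` and `sha256`, so the content is fixed; keep it that way and treat a `niv update nixexprs` like any other privileged dependency bump rather than a routine refresh. A one-line comment on the import, `# external module: pinned by rev+sha256 in nix/sources.json`, makes that expectation visible to the next editor.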
@@ -0,0 +1,30 @@ +{ ... }: +let + proxyIPv4 = "45.13.104.29"; +in +{ + networking.firewall.allowedTCPPorts = [ 443 ]; + + services.sniproxy = { + enable = true; + + resolver = { + mode = "ipv6_first"; + }; + + listeners = [ + { + address = "${proxyIPv4}:443"; + table = "vhosts"; + fallback = null; + } + ]; + + tables.vhosts = [ + { + match = "traque.beta.rz.ens.wtf"; + dest = "traque.beta.rz.ens.wtf"; + } + ]; + }; +} -- 2.49.0 From 71e5dcc437ac77a742c7a9b890754a84485aa8ba Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 16:16:29 +0200 Subject: [PATCH 39/88] feat(public-cof): disable rstudio server --- machines/public-cof/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index fd43e30..7f85263 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -11,7 +11,7 @@ ./monitoring.nix ./nextcloud.nix ./minecraft.nix - ./rstudio-server + # ./rstudio-server ./nur.nix # ./factorio.nix # TODO ./nginx.nix -- 2.49.0 From c25b0f0eee7dbb4859beec94e9fc155b4f2feacd Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 16:16:47 +0200 Subject: [PATCH 40/88] feat(public-cof): ensure that hedgedocs bind on local ipv6 --- machines/public-cof/hedgedoc.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index 258973f..de7edf2 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -9,7 +9,7 @@ in protocolUseSSL = true; # scp =; # TODO domain = "docs.beta.rz.ens.wtf"; - host = "localhost"; + host = "[::1]"; port = port; db = { dialect = "sqlite"; 
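Review bot: The single table entry forwards `traque.beta.rz.ens.wtf` to the same hostname, while the zone change earlier on this page points that name's A record at `45.13.104.29`, i.e. this very listener; `resolver.mode = "ipv6_first"` should make sniproxy prefer the AAAA, but if the IPv6 lookup fails or the backend is unreachable over v6, a fallback to the A record would appear to connect the proxy to itself on :443. Making the destination an address literal, e.g. `dest = "[2001:470:1f13:187:f053:94ff:fe46:9664]:443";` (the AAAA from subZone.nix), removes the possibility of resolving back to the proxy, and a comment `# dest must never resolve to proxyIPv4 (loop)` records the constraint. `networking.firewall.allowedTCPPorts = [ 443 ]` opens the port on every address, which is only acceptable here because nginx serves 443 on the other one.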
@@ -25,13 +25,11 @@ in enableACME = true; locations = { "/" = { - proxyPass = "http://localhost:${toString port}"; + proxyPass = "http://[::1]:${toString port}"; proxyWebsockets = true; }; }; }; }; }; - - networking.firewall.allowedTCPPorts = [ 433 80 ]; } -- 2.49.0 From badae72a2907e1f594d6a37744d8b541beae9170 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 10 Sep 2022 16:17:01 +0200 Subject: [PATCH 41/88] feat(public-cof): prevent nginx to bind on all IPv4 --- machines/public-cof/networking.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index a902953..981eff0 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -40,4 +40,6 @@ in { firewall.allowedTCPPorts = [ 22 ]; firewall.enable = true; }; + + services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]; } -- 2.49.0 From 9a243163006bfb794bcb11db77db17fd20c360a7 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 13 Sep 2022 18:49:38 +0200 Subject: [PATCH 42/88] core01: add todo.beta.rz.ens.wtf DNS --- machines/core-services-01/subZone.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 1655011..256b659 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -61,6 +61,7 @@ dualstack // { subdomains = { traque = mkProxyRecord [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; nuage = public-cof-ips; + todo = public-cof-ips; minecraft = public-cof-ips; factorio = public-cof-ips; home = public-cof-ips; -- 2.49.0 From 9c006a35196edc6c3574d82153e8cf64da0cd2c6 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 13 Sep 2022 18:49:49 +0200 Subject: [PATCH 43/88] public-cof: fix docs.beta.rz.ens.wtf --- machines/public-cof/hedgedoc.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index de7edf2..b4235d5 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -9,7 +9,7 @@ in protocolUseSSL = true; # scp =; # TODO domain = "docs.beta.rz.ens.wtf"; - host = "[::1]"; + host = "127.0.0.1"; port = port; db = { dialect = "sqlite"; @@ -25,7 +25,7 @@ in enableACME = true; locations = { "/" = { - proxyPass = "http://[::1]:${toString port}"; + proxyPass = "http://127.0.0.1:${toString port}"; proxyWebsockets = true; }; }; -- 2.49.0 From 6e94647d8e8dceeceb33bda46bedd36212fe8d6f Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Tue, 13 Sep 2022 23:59:59 +0000 Subject: [PATCH 44/88] Networkd ipv6 --- machines/public-cof/networking.nix | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 981eff0..7dc4379 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -5,9 +5,26 @@ let mkAddress = addr: let in { address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); }; in { + systemd.network = { + enable = true; + networks."ens18" = { + DHCP = "no"; + addresses = [ + { addressConfig.Address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; } + ]; + }; + }; + networking = { hostName = "public-cof"; + useNetworkd = true; + useDHCP = false; + + firewall.allowedTCPPorts = [ 22 ]; + firewall.enable = true; + + /* # Default IPv4 exit route defaultGateway = { address = ""; @@ -15,14 +32,6 @@ in { }; localCommands = "ip route add default dev ens20 metric 10"; - useDHCP = false; - interfaces.ens18 = { - useDHCP = true; - ipv6.addresses = [{ - address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; - prefixLength = 64; - }]; - }; interfaces.ens19 = { useDHCP = false; ipv4.addresses = [{ 
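Review bot: The `/* … */` block in the networking.nix hunk disables `interfaces.ens19`, `interfaces.ens20` and the default route, yet `services.nginx.defaultListenAddresses` (context in the second hunk, on the next page line) still lists `45.13.104.27` and v6proxy listens on `45.13.104.29`; neither address is configured anywhere on the new side, so the public services would lose their bind addresses, and the new `systemd.network` stanza for ens18 sets no gateway either. A later commit on this page reverts the whole change, which is consistent with that. Rather than carrying dead configuration under a comment, port ens19/ens20 and the routes into `systemd.network.networks` in the same commit, or keep the legacy `networking.interfaces` block until networkd covers every interface.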
@@ -36,9 +45,7 @@ in { # 2nd is for IPv4 → IPv6 proxy in v6proxy/ ipv4.addresses = map mkAddress [ "45.13.104.27/32" "45.13.104.29/32" ]; }; - - firewall.allowedTCPPorts = [ 22 ]; - firewall.enable = true; + */ }; services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]; -- 2.49.0 From a373803629a2060ea84f40b0afa565f2c2510ed2 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 13 Sep 2022 18:54:35 +0200 Subject: [PATCH 45/88] patch(keycloak): remove crc patch --- .../fix-crc-computation.patch | 51 ------------------- 1 file changed, 51 deletions(-) delete mode 100644 machines/core-services-01/fix-crc-computation.patch diff --git a/machines/core-services-01/fix-crc-computation.patch b/machines/core-services-01/fix-crc-computation.patch deleted file mode 100644 index 85a6a7e..0000000 --- a/machines/core-services-01/fix-crc-computation.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001 -From: Mark Adler -Date: Wed, 30 Mar 2022 11:14:53 -0700 -Subject: [PATCH] Correct incorrect inputs provided to the CRC functions. - -The previous releases of zlib were not sensitive to incorrect CRC -inputs with bits set above the low 32. This commit restores that -behavior, so that applications with such bugs will continue to -operate as before. ---- - crc32.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/crc32.c b/crc32.c -index a1bdce5c2..451887bc7 100644 ---- a/crc32.c -+++ b/crc32.c -@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) - #endif /* DYNAMIC_CRC_TABLE */ - - /* Pre-condition the CRC */ -- crc ^= 0xffffffff; -+ crc = (~crc) & 0xffffffff; - - /* Compute the CRC up to a word boundary. */ - while (len && ((z_size_t)buf & 7) != 0) { -@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) - #endif /* DYNAMIC_CRC_TABLE */ - - /* Pre-condition the CRC */ -- crc ^= 0xffffffff; -+ crc = (~crc) & 0xffffffff; - - #ifdef W - -@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2) - #ifdef DYNAMIC_CRC_TABLE - once(&made, make_crc_table); - #endif /* DYNAMIC_CRC_TABLE */ -- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2; -+ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff); - } - - /* ========================================================================= */ -@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op) - uLong crc2; - uLong op; - { -- return multmodp(op, crc1) ^ crc2; -+ return multmodp(op, crc1) ^ (crc2 & 0xffffffff); - } -- 2.49.0 From d2467fe0bd5fb4074ed501ee08ec3680cc46fcf7 Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 17 Sep 2022 21:26:16 +0200 Subject: [PATCH 46/88] public-cof: add kanboard --- machines/public-cof/configuration.nix | 1 + machines/public-cof/kanboard-config.php | 279 ++++++++++++++++++++++++ machines/public-cof/kanboard.nix | 71 ++++++ 3 files changed, 351 insertions(+) create mode 100644 machines/public-cof/kanboard-config.php create mode 100644 machines/public-cof/kanboard.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 7f85263..f4e4dd6 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -17,6 +17,7 @@ ./nginx.nix # ./cryptpad.nix ./hedgedoc.nix + ./kanboard.nix ./secrets ./v6proxy # TODO monitoring diff --git a/machines/public-cof/kanboard-config.php b/machines/public-cof/kanboard-config.php new file mode 100644 index 0000000..9c82452 --- /dev/null +++ b/machines/public-cof/kanboard-config.php @@ -0,0 +1,279 @@ + $out/$f + tail -n+2 ${pkgs.kanboard}/share/kanboard/$f \ + | sed 's^__DIR__^"${pkgs.kanboard}/share/kanboard"^' >> $out/$f + done + ln -s /var/lib/kanboard $out/data + ln -s ${kanboardConfig} $out/config.php + '') + { outPath = "${pkgs.kanboard}/share/kanboard"; meta.priority = 10; } + ]; + }; + locations = { + "/".index = "index.php"; + "~ \\.php$" = { + tryFiles = "$uri =404"; + extraConfig = '' + fastcgi_pass unix:${config.services.phpfpm.pools.kanboard.socket}; + ''; + }; + }; + }; + }; +} -- 2.49.0 From 001c9b0136d220aed5c96f3194fd294fa2361629 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 17 Sep 2022 21:26:34 +0200 Subject: [PATCH 47/88] all: bump to latest nixos-unstable --- krops.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 1a3a034..0102eb0 100644 --- a/krops.nix +++ b/krops.nix 
@@ -6,9 +6,10 @@ let lib.evalSource [{ config.file = toString ./machines; nixos-config.symlink = "config/${machine}/configuration.nix"; + # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable + ref = "823e2c9b0a0ec8b61b6583f48338072f137b6889"; # nixos-unstable url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.49.0 From 5a796ef74fab69e3ff745c4bddbcf33cde0dd9c2 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 17 Sep 2022 21:26:56 +0200 Subject: [PATCH 48/88] Revert "Networkd ipv6" This reverts commit 6e94647d8e8dceeceb33bda46bedd36212fe8d6f. --- machines/public-cof/networking.nix | 29 +++++++++++------------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 7dc4379..981eff0 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix @@ -5,26 +5,9 @@ let mkAddress = addr: let in { address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); }; in { - systemd.network = { - enable = true; - networks."ens18" = { - DHCP = "no"; - addresses = [ - { addressConfig.Address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; } - ]; - }; - }; - networking = { hostName = "public-cof"; - useNetworkd = true; - useDHCP = false; - - firewall.allowedTCPPorts = [ 22 ]; - firewall.enable = true; - - /* # Default IPv4 exit route defaultGateway = { address = ""; @@ -32,6 +15,14 @@ in { }; localCommands = "ip route add default dev ens20 metric 10"; + useDHCP = false; + interfaces.ens18 = { + useDHCP = true; + ipv6.addresses = [{ + address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; + prefixLength = 64; + }]; + }; interfaces.ens19 = { useDHCP = false; ipv4.addresses = [{ 
@@ -45,7 +36,9 @@ in { # 2nd is for IPv4 → IPv6 proxy in v6proxy/ ipv4.addresses = map mkAddress [ "45.13.104.27/32" "45.13.104.29/32" ]; }; - */ + + firewall.allowedTCPPorts = [ 22 ]; + firewall.enable = true; }; services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]; -- 2.49.0 From 893339ba0b8ef8807f20b02e45dca3390b8ba784 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 18 Sep 2022 18:40:55 +0200 Subject: [PATCH 49/88] feat: fully functional kanboard --- machines/public-cof/kanboard-config.php | 20 ++++++++------- machines/public-cof/kanboard.nix | 24 ++++++++++++++---- machines/public-cof/secrets/default.nix | 6 +++++ .../public-cof/secrets/kanboard-secrets.age | 25 +++++++++++++++++++ machines/public-cof/secrets/secrets.nix | 1 + 5 files changed, 62 insertions(+), 14 deletions(-) create mode 100644 machines/public-cof/secrets/kanboard-secrets.age diff --git a/machines/public-cof/kanboard-config.php b/machines/public-cof/kanboard-config.php index 9c82452..6268892 100644 --- a/machines/public-cof/kanboard-config.php +++ b/machines/public-cof/kanboard-config.php @@ -6,6 +6,9 @@ /* Make sure all paths are absolute by using __DIR__ where needed */ /*******************************************************************/ +// Require the secret file +require('@secretsPath@'); + // Data folder (must be writeable by the web server user and absolute) define('DATA_DIR', '/var/lib/kanboard/data'); @@ -13,7 +16,7 @@ define('DATA_DIR', '/var/lib/kanboard/data'); define('DEBUG', false); // Available log drivers: syslog, stderr, stdout, system or file -define('LOG_DRIVER', 'stdout'); +define('LOG_DRIVER', 'file'); // Log filename if the log driver is "file" define('LOG_FILE', DATA_DIR.DIRECTORY_SEPARATOR.'debug.log'); 
@@ -42,21 +45,20 @@ define('FILES_DIR', DATA_DIR.DIRECTORY_SEPARATOR.'files'); define('MAIL_CONFIGURATION', true); // E-mail address used for the "From" header (notifications) -define('MAIL_FROM', 'replace-me@kanboard.local'); +define('MAIL_FROM', 'todo@dgnum.eu'); // E-mail address used for the "Bcc" header to send a copy of all notifications define('MAIL_BCC', ''); // Mail transport available: "smtp", "sendmail", "mail" (PHP mail function), "postmark", "mailgun", "sendgrid" -define('MAIL_TRANSPORT', 'mail'); +define('MAIL_TRANSPORT', 'smtp'); // SMTP configuration to use when the "smtp" transport is chosen -define('MAIL_SMTP_HOSTNAME', ''); -define('MAIL_SMTP_PORT', 25); -define('MAIL_SMTP_USERNAME', ''); -define('MAIL_SMTP_PASSWORD', ''); +define('MAIL_SMTP_HOSTNAME', 'kurisu.lahfa.xyz'); +define('MAIL_SMTP_PORT', 587); +define('MAIL_SMTP_USERNAME', 'todo@dgnum.eu'); define('MAIL_SMTP_HELO_NAME', null); // valid: null (default), or FQDN -define('MAIL_SMTP_ENCRYPTION', null); // Valid values are null (not a string "null"), "ssl" or "tls" +define('MAIL_SMTP_ENCRYPTION', "tls"); // Valid values are null (not a string "null"), "ssl" or "tls" // Sendmail command to use when the transport is "sendmail" define('MAIL_SENDMAIL_COMMAND', '/usr/sbin/sendmail -bs'); @@ -197,7 +199,7 @@ define('LDAP_GROUP_USER_ATTRIBUTE', 'username'); define('LDAP_GROUP_ATTRIBUTE_NAME', 'cn'); // Enable/Disable groups synchronization when external authentication is used. -define('LDAP_GROUP_SYNC', true); +define('LDAP_GROUP_SYNC', false); // Enable/disable the reverse proxy authentication define('REVERSE_PROXY_AUTH', false); diff --git a/machines/public-cof/kanboard.nix b/machines/public-cof/kanboard.nix index 3ce8a22..37d411c 100644 --- a/machines/public-cof/kanboard.nix +++ b/machines/public-cof/kanboard.nix 
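Review bot: The hunk drops `define('MAIL_SMTP_PASSWORD', '');` without a replacement, so the SMTP password now has to come from the file pulled in by `require('@secretsPath@');` at the top of this file, and nothing near the SMTP block says so. A one-line comment next to the remaining `MAIL_SMTP_*` defines, `// MAIL_SMTP_PASSWORD is defined by the age-managed secrets file required above`, would make that contract visible to whoever edits the mail settings next. Removing the define here is the right direction: a second `define()` of a constant the secrets file already set would only emit a PHP warning and keep the first value, so leaving an empty placeholder would have been misleading rather than harmful.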
@@ -5,22 +5,35 @@ let sha256 = if hash == null then lib.fakeHash else hash; }; plugins = map mkKanboardPlugin [ - { name = "userimport_wgroups"; url = "https://github.com/creecros/userimport_wgroups/releases/download/1.0.0/ImportWithGroup-1.0.0.zip"; hash = "sha256-iLpOxwu/atxd062z7z0T3Mkh5YH7IHmcCqiVZPAJbsA="; } + { name = "Milestone"; url = "https://github.com/oliviermaridat/kanboard-milestone-plugin/releases/download/1.1.2/Milestone-1.1.2.zip"; hash = "sha256-NrkMvk/5NdVokKQTYoZajdNEt5athjEzXVgrSHBdQ4w="; } { name = "MarkdownPlus"; url = "https://github.com/creecros/MarkdownPlus/releases/download/1.1.0/MarkdownPlus-1.1.0.zip"; hash = "sha256-BMzEaj47NnLvatEgUbKeibiWf9G+B4EFlVYhDNqk+y4="; } { name = "MetaMagik"; url = "https://github.com/creecros/MetaMagik/releases/download/1.5.1/MetaMagik-1.5.1.zip"; hash = "sha256-8y8+YvS5MAzRt4VVECQK0vQk6oA4Jbxn+2jWQ8nP3gU="; } { name = "OAuth2"; url = "https://github.com/kanboard/plugin-oauth2/releases/download/v1.0.2/OAuth2-1.0.2.zip"; hash = "sha256-L0df8bwPCxHjVOCNiVp+dqVsqJ0CEuJbHzwv5sYprIU="; } - { name = "KanboardOffline"; url = "https://github.com/ipunkt/KanboardOffline/releases/download/1.0.0/OfflineKanboardPlugin-1.0.0.zip"; hash = "sha256-zYIWKM82Em/ys75XgB/udIGk1+EeScE8jpP2HK2wHGQ="; } { name = "HighlightCodeSyntax"; url = "https://github.com/kenlog/HighlightCodeSyntax/releases/download/v1.0.3/HighlightCodeSyntax-v1.0.3.zip"; hash = "sha256-c4bV1gGVNUjHOJKBI6QxsV72mAzcEgjqv8r62ebpPdU="; } { name = "Group_assign"; url = "https://github.com/creecros/Group_assign/releases/download/1.7.12/Group_assign-1.7.12.zip"; hash = "sha256-ijI8nIIqsK8Pr1iEfCBUeUD3dlsIfmkOP0xC39JkIAs="; } ]; pluginsDirectory = pkgs.linkFarmFromDrvs "kanboard-plugins" plugins; + secretsPath = config.age.secrets.kanboard-secrets.path; kanboardConfig = pkgs.substituteAll { name = "kanboard-config.php"; src = ./kanboard-config.php; + inherit secretsPath; inherit pluginsDirectory; }; + package = pkgs.kanboard.overrideAttrs (old: { + installPhase = '' + 
${(old.installPhase or "")} + runHook postInstall + ''; + + postInstall = '' + ${pkgs.xorg.lndir}/bin/lndir ${pluginsDirectory} $out/share/kanboard/plugins + ''; + }); in { + environment.systemPackages = [ + ]; services.phpfpm.pools.kanboard = { user = "kanboard"; group = "kanboard"; @@ -48,13 +61,14 @@ in mkdir -p $out for f in index.php jsonrpc.php ; do echo " $out/$f - tail -n+2 ${pkgs.kanboard}/share/kanboard/$f \ - | sed 's^__DIR__^"${pkgs.kanboard}/share/kanboard"^' >> $out/$f + tail -n+2 ${package}/share/kanboard/$f \ + | sed 's^__DIR__^"${package}/share/kanboard"^' >> $out/$f done ln -s /var/lib/kanboard $out/data + ln -s ${pluginsDirectory} $out/plugins ln -s ${kanboardConfig} $out/config.php '') - { outPath = "${pkgs.kanboard}/share/kanboard"; meta.priority = 10; } + { outPath = "${package}/share/kanboard"; meta.priority = 10; } ]; }; locations = { diff --git a/machines/public-cof/secrets/default.nix b/machines/public-cof/secrets/default.nix index a7cd5ea..861d254 100644 --- a/machines/public-cof/secrets/default.nix +++ b/machines/public-cof/secrets/default.nix @@ -10,4 +10,10 @@ group = "nextcloud"; file = ./nextcloudDatabasePasswordFile.age; }; + + age.secrets.kanboard-secrets = { + owner = "kanboard"; + group = "kanboard"; + file = ./kanboard-secrets.age; + }; } diff --git a/machines/public-cof/secrets/kanboard-secrets.age b/machines/public-cof/secrets/kanboard-secrets.age new file mode 100644 index 0000000..5bc708c --- /dev/null +++ b/machines/public-cof/secrets/kanboard-secrets.age 
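Review bot: `environment.systemPackages = [ ];` added in this hunk is an empty leftover and should be dropped. The plugin directory is now wired in twice: `postInstall` runs `lndir ${pluginsDirectory}` into the package's `share/kanboard/plugins`, and the second hunk adds `ln -s ${pluginsDirectory} $out/plugins` into the nginx root, so one of the two mechanisms is redundant and they can drift apart; keep one and say in a comment why it is the one the web root relies on. The `installPhase` override also assumes the original phase does not already call `runHook postInstall`, otherwise the `lndir` runs twice — worth checking against the pinned `pkgs.kanboard`. The enclosing `let` block starts before this hunk.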
@@ -0,0 +1,25 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +jsay8IXK6RjVULRqpfvgHOr8H3ALxQyJ3BQIkmSfRrLlJXDbYWUKBCztXc7whfb/ +XTc3Sa5bybIXXX3wLzYmxCYjUa1CoHgIb1UWAhM3KyTJ4XSw7pVti29VM5p74+ex +tJeb44hXlkD7V7C2yYp6CcBH1IgnvEL8ulVopkis/TBQtWi6QaGJBPX2yxEJ3QDh +uAn5czrrDenBZRsIYTaKrlbgCM/Oeh4mDFSaFKIqfX2g7ClbsC1ejF3PvbsXN6il +pk2YSZ/F5ivNBkvWFmQrNJyLjkcIrxoFvzcXOTk8yM9iu4BFlPbX7NcAMrHpbSIR +3ew59I0cGkbzRAtLI9p97w +-> ssh-ed25519 85WiGg XQK2huU0kqkKbVYf6SJFqcumOL8zDPfOuGwNy78dJm4 +aP8CNgS1/wfv2RB7nXZqYnZaXDORk9I5lPZy87FVmRY +-> ssh-ed25519 reTIKw jZ57SfMYyOr9P9eNK/Q2CMAWtYtfjyV/MaTVnqEHxkU +ycPo/pwC9CtYWAcrclo1b26+mPU4Z6pCPecGPMmL3ag +-> ssh-ed25519 /vwQcQ v5bvHTvld6WErGt+Vp0mivpFH5srQPHkbPd0Nk3IDy0 +27+ZreTwyaxtb5vrRpD/2C2MUT9onRcX4Yr7KHnTGOo +-> ssh-ed25519 cvTB5g gKxECDYMSja0FTqteAk39iMDsNIM+ox31sIvnY2ityk +pkUZgDWdAzuGCvuRhOE8oeazIRw+kpPhnkksF2zTjxA +-> ssh-ed25519 Wu8JLQ lMgIKw3Qzg/Lw6UtpPZWDrE0WBc71meaprrnmARqDDM +FN/S9xo22u4kMWqrPD3KmfLbDq8L0TxtfDUSBLVq+Tk +-> ssh-ed25519 xbfJnw emSflhzdsItaXULjPXre8jlnXxJuXFAaoLWGVAAej1I +4OS68AuzPr+zwp9Bqb4lYGJHjPwPMSXuprw7+8agOyU +-> Wd-grease +pdSa/JP70fd6VvSgpIJQAk8ZiZfKo8l7UpVwBib59SB9IRNVZdSbHINFUzuIozGu +Z7dyg+x6QQ +--- TjceHicjeIIKz0f7R5u7nLrCtb39MmS/vEK3w0xHbmw +QZ`?Zv~^$ct2ԓy3.+KF2OC_$]y~l%0_ ܻ REM4Hİ{r$ެ*1\2FڬBLAK!&C׋_.Om3͕hδV< z$'-s'J \ No newline at end of file diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index 3f8a62a..70be48a 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -9,5 +9,6 @@ in { "nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems; "nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems; + "kanboard-secrets.age".publicKeys = superadmins ++ systems; } -- 2.49.0 From 124ec3ab73d52667a3b5a5a47cf62bac5a4a1823 Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 1 Oct 2022 22:49:56 +0200 Subject: [PATCH 50/88] feat: bridge #dgnum over Merle --- machines/core-services-01/matterbridge.nix | 2 +- machines/core-services-01/matterbridge.toml | 21 +++++++++++++++--- .../core-services-01/secrets/matterbridge.age | Bin 1415 -> 1519 bytes 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/machines/core-services-01/matterbridge.nix b/machines/core-services-01/matterbridge.nix index 7eefba1..06b31e6 100644 --- a/machines/core-services-01/matterbridge.nix +++ b/machines/core-services-01/matterbridge.nix @@ -28,7 +28,7 @@ let startScript = pkgs.writeShellScriptBin "start" '' ${manageSecrets ./matterbridge.toml "$CREDENTIALS_DIRECTORY/secrets" "$RUNTIME_DIRECTORY/conf.toml" - [ "SECRET_MATTERMOST_WEBHOOK" ]}/bin/preStart + [ "SECRET_MATTERMOST_KLUBRZ_WEBHOOK" "SECRET_MATTERMOST_DGNUM_WEBHOOK" ]}/bin/preStart ${pkgs.matterbridge}/bin/matterbridge -conf $RUNTIME_DIRECTORY/conf.toml ''; in { diff --git a/machines/core-services-01/matterbridge.toml b/machines/core-services-01/matterbridge.toml index d4b9ab8..49116fa 100644 --- a/machines/core-services-01/matterbridge.toml +++ b/machines/core-services-01/matterbridge.toml @@ -7,11 +7,16 @@ PrefixMessagesWithNick=true RemoteNickFormat="<{NICK}> " [mattermost] - [mattermost.merle] - WebhookURL="SECRET_MATTERMOST_WEBHOOK" + [mattermost.merle_klubrz] + WebhookURL="SECRET_MATTERMOST_KLUBRZ_WEBHOOK" WebhookBindAddress="0.0.0.0:52187" PrefixMessagesWithNick=false RemoteNickFormat="{NICK}" + [mattermost.merle_klubrz] + WebhookURL="SECRET_MATTERMOST_DGNUM_WEBHOOK" + WebhookBindAddress="0.0.0.0:52188" + PrefixMessagesWithNick=false + RemoteNickFormat="{NICK}" [[gateway]] name="réseau" enable=true 
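Review bot: The second table added in the matterbridge.toml hunk is headed `[mattermost.merle_klubrz]` again instead of `[mattermost.merle_dgnum]`, which is the account the new `dgnum` gateway in the next hunk refers to; most TOML parsers reject a table defined twice, and even a lenient one would leave no `merle_dgnum` account for that gateway. Change the header of the second block to `[mattermost.merle_dgnum]`. Both webhook listeners bind `0.0.0.0` (`:52187` and `:52188`), so the Mattermost-facing endpoints are reachable on every interface unless the host firewall, not visible here, restricts them; binding to the address Mattermost actually connects from, or documenting the firewall rule next to `WebhookBindAddress`, would make the exposure explicit. The matterbridge.nix hunk only extends the secret list and is consistent with the new account names.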
@@ -19,5 +24,15 @@ enable=true
 account="irc.ulminfo"
 channel="#réseau"
 [[gateway.inout]]
- account="mattermost.merle"
+ account="mattermost.merle_klubrz"
+ channel="town-square"
+
+[[gateway]]
+name="dgnum"
+enable=true
+ [[gateway.inout]]
+ account="irc.ulminfo"
+ channel="#dgnum"
+ [[gateway.inout]]
+ channel="mattermost.merle_dgnum"
 channel="town-square"
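Review bot: The last `[[gateway.inout]]` of the `dgnum` gateway has `channel="mattermost.merle_dgnum"` where `account="mattermost.merle_dgnum"` is meant, and the context line that follows makes `channel` appear twice in the same table, which is a TOML error on its own. With the key fixed the entry reads `account="mattermost.merle_dgnum"` followed by `channel="town-square"`. As written, the `dgnum` bridge has no Mattermost side at all, and the account it names is never defined in the previous hunk either.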
diff --git a/machines/core-services-01/secrets/matterbridge.age b/machines/core-services-01/secrets/matterbridge.age index 1071c43b33daaa3e93fae325e8d50122995c65c4..f4ea1d5e441eaa4b392dd2f255f591a06a917bdc 100644 GIT binary patch literal 1519 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!*`Do#|$E(&+{3FOK%O^@^qch5HU zaLy?y3vu;@NhOX_6^K5 zEcWCwsw~$|(RTETbn?hZbIErP(Ra2=j{w%{3?t@<{eF zEHbxn42#m&b~SblD-Q9@&i4qf2(Qe_&oawO=L*b8($@FPbWL=0a>_}Lv~aQrHb^y! z@-t4!buP^@$j+~FG&at5$;&LQ3Q8$6s&dTE3W_QW^a#(jNKOhWHRK8p2rhKf4>Qa) z2@mo&b}VxY&o9@u^er~@%nNlY&kqjw%hq;E^7gg#FmZ7U$PN!lEpn+eD%B24EGu;@ z$g|+`NY5=YHZ}82HY#_|D=f(mGBHod4TObuYKoDmsiCEUg=u)Ed%A*0X;D>no<*>} zOIA^8x=WIoQ?iRssYhr?Qix};e?_vNvA>~7fO$ojaWa>sONOz9pMR2hKw^NQg|BaJ zaz#j0cygw>vw=ZkZfT;kiFr|#VOW))w6euUCI>2*diz%@=RJppPSf-ShIt6n1g=HjH1O=L8gcxS|S7tdDx>km!W|(WIhh`O9dS@1< zx~I7oSLRw4_=Td|mRuI%WSXwv6Duto>H8i6XIFv>KE>&?PQo8?(LOU?4F*N z73%6^8R%J1;A+6-Y3}8XX55j zQjB3+c&UY#PoP4XL7|_cWk_bYUyzA&gkzDTW08MZQnp7(YGS5wqKRo(k)yAERH|=; zV>wreX($4fW8C^fM-Rl!|PL7ywt z oyC^y^0yCmN+vofn9H_s!`*vZ4cqBPSoxXP%s%Dd3TGOyC#(>Ti|&?&IQ$Jjk3 z*vHw~qR`3NETodl(kRo%!jVf?S63lCPus^YE5)#=Dl5>!%rPlAH8{=N*`UDH$S5VX zDk8-tH>JX{D#$rK(1h#oACafM5v5z+eE6`@+93GnggDHZ-VpGFRiT0me<^RBCUQxJjd?Kj!CaJGCg~!%WZk9 z*YEVlwx6d2R>e;cdg=S`_$$2UgFV2icC6W_>K)H_*voE1`Oo+#{H^i5>i%_n9GA7>lgpAg3KFTZ;0=lKfn rx)`?2&r~*Dt;Jh$HD8#&^072? 
zEe*^uC=Ac@Pjw73%84k-cMQyROvx!IOb+xePEF0JOmnSBcjT%F&x*_p%*{@(($Dhu zF9Nk6C8JE+q}069-8|pZ#In@1Jew;&JV-m((m+>e^ODkhgERfIe7Su#Q1?h)ka=;xPHoRu8p;+~%ElH!zD7+UG(=;i1W z;TY^2l+Km!8fsP*;2V-@lxkq=ZV{4R=~!r#=^W);?&4DH=4Tid<(cGG7HZ-ffMHuv zYKW(Ixk6N-ccx)diNCRNMrfLIl1Y?vgkgquT4|2HMR8(UZgN0*ic?yKfp(a2GM9E@ zx@TTMSz1A9X`p*)aEYIDgt=i#a89UKYKlj)xkr|_OH`(3hEbRwMo3zihG)8`D_Df( zdmFk$1g7{!m?UL6n;2ykM@1zY2NgJGmnItK>sO^@c$$W12bmiMa+Ot;IlBf~hWNW` zoB0KX=awYtCs|fjCY702dixrM`8w(+dlVIi`dMViGTbaZ!onjc zHLy6l(uB*@*FP-E+%GHJsWiMKHOR$0qFmp@Fw(@+pu{pc(<#8fEV9hZB%~lY(<3r5 z!`0Z#J=D=6JJ>8WvdA*qF+iIuJIa}Y~(Ic;*$UP{-F)7KzE1;mT z!qCJ#Bbm#mEXg(9wIndr(#zMZG|@ZAAh6Of9TeK>;rZ6Vb-L+Asfop@T!m&9F8M*J z1<9%DsRqUQUT*36NqN2@6;;7$0YMSzsm4yG&aRoxmE~0>i5bBW#YM(xCHh`r!5L=W zPM%)w23!Tc#h%$lfn2(}x(bDcp;@86etwRrmf_*fRr$HT#Xc1o=Ed5Ep~0?UQN><< z9z{OI?qQ|b#ateiRUD_Pct1<0X2^?powbu^Ro=Jx+`a4dt&eXuX1+ako9mL#m-u8E z!RhW>m@7M*ogFK#a$ebRx^0G4DbsZJx2Yx{Ux~ll``CHXj)rcPFpf=I{%V`3wy`qL jJgT<%hv%OMN0eh&E!sb$Yzm5hu Date: Sat, 1 Oct 2022 23:04:19 +0200 Subject: [PATCH 51/88] feat: remove netdata package pin --- machines/core-services-01/monitoring.nix | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 2a8ac5f..53f3343 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -36,16 +36,6 @@ in { services.netdata = { enable = true; - package = pkgs.netdata.overrideAttrs (old: { - version = "1.35.0-nightly"; - src = pkgs.fetchFromGitHub { - owner = "netdata"; - repo = "netdata"; - rev = "955d1a7c61f4eab802648d563f84d978ebeb8fc4"; - sha256 = "sha256-gN44Df+k384NummsHls2JY1CinBaFK3cpdmmdZMbA44="; - fetchSubmodules = true; - }; - }); }; # Allow WireGuard VPN -- 2.49.0 From 4bc455054018c771d2fecc6812de4f491e75fe68 Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sun, 2 Oct 2022 00:21:16 +0200 Subject: [PATCH 52/88] Revert "feat: remove netdata package pin" This reverts commit 179a628a4d578c7517b60ab6e2cf26f93cce4149. --- machines/core-services-01/monitoring.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 53f3343..2a8ac5f 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -36,6 +36,16 @@ in { services.netdata = { enable = true; + package = pkgs.netdata.overrideAttrs (old: { + version = "1.35.0-nightly"; + src = pkgs.fetchFromGitHub { + owner = "netdata"; + repo = "netdata"; + rev = "955d1a7c61f4eab802648d563f84d978ebeb8fc4"; + sha256 = "sha256-gN44Df+k384NummsHls2JY1CinBaFK3cpdmmdZMbA44="; + fetchSubmodules = true; + }; + }); }; # Allow WireGuard VPN -- 2.49.0 From 964912c3d4cbb87fd27f849e139eee73d8007848 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 9 Oct 2022 14:43:29 +0200 Subject: [PATCH 53/88] core01: try latest nightly for netdata and disable cloud --- machines/core-services-01/monitoring.nix | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index 2a8ac5f..edf0d20 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix 
@@ -37,17 +37,19 @@ in services.netdata = { enable = true; package = pkgs.netdata.overrideAttrs (old: { - version = "1.35.0-nightly"; + version = "1.36.0-185-nightly"; src = pkgs.fetchFromGitHub { owner = "netdata"; repo = "netdata"; - rev = "955d1a7c61f4eab802648d563f84d978ebeb8fc4"; - sha256 = "sha256-gN44Df+k384NummsHls2JY1CinBaFK3cpdmmdZMbA44="; + rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; + sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; fetchSubmodules = true; }; }); }; + systemd.services.netdata.environment."NETDATA_DISABLE_CLOUD" = "1"; + # Allow WireGuard VPN networking.firewall.allowedUDPPorts = [ 51820 ]; # Allow access to the raw netdata @@ -71,12 +73,6 @@ in ]; }; - systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [ - "netdata" - "stream" - "health_alarm_notify" - ]; - environment.etc."netdata/netdata.conf" = lib.mkForce { user = "netdata"; group = "netdata"; @@ -122,7 +118,7 @@ in mode = "0600"; text = '' # External tools - nc="${pkgs.netcat}/bin/nc" + nc="${pkgs.nmap}/bin/nc --ssl" # IRC configuration SEND_IRC="YES" -- 2.49.0 From 6b02a84975457baf19051a51dfa85c8d802d9189 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 12 Oct 2022 01:29:08 +0200 Subject: [PATCH 54/88] core01: initialize tunnels setup --- machines/core-services-01/configuration.nix | 4 +++- machines/core-services-01/tunnels.nix | 19 +++++++++++++++++++ machines/public-cof/minecraft.nix | 4 ++-- 3 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 machines/core-services-01/tunnels.nix diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index dcf85af..9ff2a3f 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -25,6 +25,7 @@ ./oauth2_proxy.nix ./secrets ./matterbridge.nix + ./tunnels.nix # TODO push to gitea # TODO ./gotify.nix # TODO(Raito): ./backups.nix 
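Review bot: `nc="${pkgs.nmap}/bin/nc --ssl"` in the last hunk turns on TLS for the IRC alert notifier, but ncat's `--ssl` alone does not verify the server certificate, so the alert channel is encrypted yet still open to an impersonating endpoint; `--ssl-verify` is the option that checks trust and hostname, i.e. `nc="${pkgs.nmap}/bin/nc --ssl-verify"` (assuming the IRC server presents a certificate the system trust store accepts). The second hunk removes the `restartTriggers` for `netdata.conf`, `stream` and `health_alarm_notify`; unless the NixOS netdata module supplies its own triggers, edits to those files no longer restart the service, which deserves a comment if it is intended. The enclosing attribute set starts outside the first hunk.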
@@ -94,5 +95,6 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "20.09"; # Did you read the comment? + system.stateVersion = "22.05"; # Did you read the comment? + environment.variables.NIX_PATH = lib.mkForce "/var/src"; } diff --git a/machines/core-services-01/tunnels.nix b/machines/core-services-01/tunnels.nix new file mode 100644 index 0000000..a396adc --- /dev/null +++ b/machines/core-services-01/tunnels.nix @@ -0,0 +1,19 @@ +{ ... }: { + networking.wireguard.interfaces.wgalpha = { + privateKeyFile = "/etc/secrets/wireguard/wgalpha"; + listenPort = 9999; + + ips = [ + "fdee:a536:13fa:53ab::2/128" + ]; + + peers = [ + { + publicKey = "yAdQRTHn9Yko2r24j8tlxWBz0nYzHRxryPFq8t44Xw4="; + allowedIPs = [ "fdee:a536:13fa:53ab::1/128" ]; + } + ]; + }; + + networking.firewall.allowedUDPPorts = [ 9999 ]; +} diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index c56701f..089b0ae 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -2,8 +2,8 @@ let papermc = { ram = 4; # In GB - version = "1.18.2"; - build = 270; + version = "1.19.2"; + build = 200; sha256 = "M3/z7lgHVDG+WqxPvyrxvfobEvkkPf90bDoN/Dq+VZY="; }; port = 25565; -- 2.49.0 From 570071bb715a9774b28c9d5e8c5164556a920c96 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 13 Oct 2022 21:52:40 +0200 Subject: [PATCH 55/88] feat: bump to 1.19.2 and add clem197 to allow-list --- machines/public-cof/minecraft.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 089b0ae..db78249 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix 
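Review bot: `system.stateVersion` is moved from `"20.09"` to `"22.05"` on a host that has been deployed since 20.09, which is exactly what the comment above the line warns against: stateVersion pins stateful defaults (database versions, data layouts) at first install, and bumping it on a live system can change those defaults out from under existing state. Unless the machine was freshly reinstalled, keep `system.stateVersion = "20.09";` and set any newer default explicitly where it is wanted. The `environment.variables.NIX_PATH` override added in the same hunk is unrelated to the tunnels setup in the commit title and would read better as its own commit.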
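Review bot: `privateKeyFile = "/etc/secrets/wireguard/wgalpha";` in tunnels.nix points at a file this repository does not provision, unlike the other secrets on these hosts which go through `config.age.secrets.*`; if the file is missing the interface unit fails to come up, if it is readable by others the key leaks, and nothing documents how it is placed. Either manage it with agenix like the kanboard secrets (e.g. `privateKeyFile = config.age.secrets.wgalpha.path;` with a matching `age.secrets` entry) or add a comment stating the file is hand-installed with mode 0400. The peer has no `endpoint`, so this side only answers inbound handshakes on UDP 9999, which is fine for a listener but worth a one-line comment.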
@@ -4,7 +4,7 @@ let ram = 4; # In GB version = "1.19.2"; build = 200; - sha256 = "M3/z7lgHVDG+WqxPvyrxvfobEvkkPf90bDoN/Dq+VZY="; + sha256 = "sha256-fhQ1Kukp0MDF0312y/DR3wS9wKXY2aKUyU5f64ELylM="; }; port = 25565; rconPort = 25575; @@ -42,6 +42,7 @@ in Sup3Legacy = "575ecb9f-bf28-46cb-bc50-cb6bb340c905"; Pollux3737 = "ffa65818-b022-4830-aa90-7f3211c8ee3d"; CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849"; + clem197 = "7461bfdf-4dca-44c2-b035-b49d5740dfc5"; }; serverProperties = { -- 2.49.0 From e827b28967e30579ffd69141ded9c40ce0a87915 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 27 Oct 2022 22:31:47 +0200 Subject: [PATCH 56/88] feat: deploy garage on public-cof --- machines/public-cof/configuration.nix | 3 ++- machines/public-cof/garage.nix | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 machines/public-cof/garage.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index f4e4dd6..08b929a 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -9,6 +9,7 @@ ./acme.nix ./networking.nix ./monitoring.nix + ./garage.nix ./nextcloud.nix ./minecraft.nix # ./rstudio-server @@ -17,7 +18,7 @@ ./nginx.nix # ./cryptpad.nix ./hedgedoc.nix - ./kanboard.nix + # ./kanboard.nix ./secrets ./v6proxy # TODO monitoring diff --git a/machines/public-cof/garage.nix b/machines/public-cof/garage.nix new file mode 100644 index 0000000..f74eaca --- /dev/null +++ b/machines/public-cof/garage.nix 
@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+{
+ services.garage = {
+ enable = true;
+ settings = {
+ replication_mode = "none";
+ compression_level = 7;
+
+ rpc_bind_addr = "10.1.1.21:3901";
+ rpc_public_addr = "10.1.1.21:3901";
+ rpc_secret = "76c2746530a4a27d188530a6bbf6c4613ccb8d8f129863d8c21462b84d5b998f";
+
+ s3_api = {
+ s3_region = "ens";
+ api_bind_addr = "[::]:3900";
+ root_domain = ".s3.rz.ens.wtf";
+ };
+
+ s3_web = {
+ bind_addr = "[::]:3902";
+ root_domain = ".cdn.rz.ens.wtf";
+ index = "index.html";
+ };
+ };
+ };
+}
-- 2.49.0 From ccf00cdc46a78fa88938a2535e58e4de1ea2f623 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 27 Oct 2022 22:31:55 +0200 Subject: [PATCH 57/88] public-cof: nextcloud23 -> nextcloud24
--- machines/public-cof/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix
index b243afb..7ccf2de 100644
--- a/machines/public-cof/nextcloud.nix
+++ b/machines/public-cof/nextcloud.nix
@@ -5,7 +5,7 @@
 hostName = "nuage.beta.rz.ens.wtf";
 https = true;
 
- package = pkgs.nextcloud23;
+ package = pkgs.nextcloud24;
 
 config = {
 overwriteProtocol = "https";
-- 2.49.0 From 7beba083215aea4a360a04d28914b24034735212 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 27 Oct 2022 22:40:43 +0200 Subject: [PATCH 58/88] public-cof: nextcloud24 -> nextcloud25
--- machines/public-cof/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix
index 7ccf2de..8a9572b 100644
--- a/machines/public-cof/nextcloud.nix
+++ b/machines/public-cof/nextcloud.nix
@@ -5,7 +5,7 @@
 hostName = "nuage.beta.rz.ens.wtf";
 https = true;
 
- package = pkgs.nextcloud24;
+ package = pkgs.nextcloud25;
 
 config = {
 overwriteProtocol = "https";
-- 2.49.0 From b40a49feedce631cd00c02db6e195913cdd8b4ab Mon Sep 17 00:00:00 2001 
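Review bot: `rpc_secret = "76c2…"` is written in clear into a Nix module, so it ends up in the world-readable Nix store on the host (the generated garage configuration is a store path) and in git history; any local account on the machine can read the cluster RPC secret. Move it out of the store the way the other secrets on this host are handled (agenix): garage can read the secret from a file, so the value should reach it through the module's file or environment-file option rather than `settings` (check which of those the pinned nixpkgs module exposes), and the committed value should be rotated since it is already in history. `api_bind_addr = "[::]:3900"` and `bind_addr = "[::]:3902"` also expose the plain-HTTP S3 and web endpoints on every interface; if they are meant to sit behind a reverse proxy, bind them to loopback instead.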
From: Raito Bezarius Date: Fri, 28 Oct 2022 00:36:57 +0200 Subject: [PATCH 59/88] =?UTF-8?q?feat:=20add=20notion.rz.ens.wtf=20?= =?UTF-8?q?=E2=86=92=20public-cof?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/core-services-01/subZone.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 256b659..7b7a56c 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -43,6 +43,9 @@ dualstack // { core01 = dualstack; ns1 = dualstack; + # First non-beta service, our Outline. + notion = public-cof-ips; + builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; gdd = { -- 2.49.0 From 43d3367e9f267aacd725f8467a734d04ecea3f12 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 17:31:46 +0200 Subject: [PATCH 60/88] core01: DNS for Garage & Outline --- machines/core-services-01/subZone.nix | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index 7b7a56c..b76e4f7 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -43,8 +43,28 @@ dualstack // { core01 = dualstack; ns1 = dualstack; - # First non-beta service, our Outline. + # Non-beta service + # Outline notion = public-cof-ips; + # S3 API + s3 = public-cof-ips; + # CDN API + cdn = public-cof-ips // { + CAA = [ + { issuerCritical = false; + tag = "issue"; + value = "letsencrypt.org"; + } + { + issuerCritical = false; + tag = "iodef"; + value = "mailto:${my.email}"; + } + ]; + subdomains = { + "*" = public-cof-ips; + } // delegateACMEDNSChallenge "7a9dffd8-f57b-4635-ba79-07f8b0db4fad.acme.rz.ens.wtf."; + }; builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders; -- 2.49.0 
From 42a569b41d906edd04d507ef91d47dd486a51310 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 17:32:10 +0200 Subject: [PATCH 61/88] public-cof: deploy completely Outline and Garage --- machines/public-cof/configuration.nix | 2 ++ machines/public-cof/garage.nix | 20 ++++++++++++ machines/public-cof/outline.nix | 31 +++++++++++++++++++ machines/public-cof/secrets/default.nix | 12 +++++++ .../secrets/outline-oidc-client-secret.age | 26 ++++++++++++++++ .../public-cof/secrets/outlineS3Secrets.age | 25 +++++++++++++++ machines/public-cof/secrets/secrets.nix | 2 ++ 7 files changed, 118 insertions(+) create mode 100644 machines/public-cof/outline.nix create mode 100644 machines/public-cof/secrets/outline-oidc-client-secret.age create mode 100644 machines/public-cof/secrets/outlineS3Secrets.age diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index 08b929a..b4a2599 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -11,6 +11,7 @@ ./monitoring.nix ./garage.nix ./nextcloud.nix + ./outline.nix ./minecraft.nix # ./rstudio-server ./nur.nix @@ -27,6 +28,7 @@ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "minecraft-server" "factorio-headless" + "outline" ]; boot.loader.systemd-boot.enable = true; diff --git a/machines/public-cof/garage.nix b/machines/public-cof/garage.nix index f74eaca..7d25b0a 100644 --- a/machines/public-cof/garage.nix +++ b/machines/public-cof/garage.nix 
@@ -1,5 +1,25 @@ { pkgs, ... }: { + security.acme.certs."cdn.rz.ens.wtf" = { + dnsProvider = "acme-dns"; + credentialsFile = pkgs.writeText "acme-dns-env" '' + ACME_DNS_API_BASE=https://acme.rz.ens.wtf + ACME_DNS_STORAGE_PATH=/var/lib/acme/lego-acme-dns-accounts.json + ''; + extraDomainNames = [ "*.cdn.rz.ens.wtf" ]; + group = "nginx"; + }; + services.nginx.virtualHosts."s3.rz.ens.wtf" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://[::1]:3900"; + }; + services.nginx.virtualHosts."cdn.rz.ens.wtf" = { + serverAliases = [ "*.cdn.rz.ens.wtf" ]; + useACMEHost = "cdn.rz.ens.wtf"; + forceSSL = true; + locations."/".proxyPass = "http://[::1]:3902"; + }; services.garage = { enable = true; settings = { diff --git a/machines/public-cof/outline.nix b/machines/public-cof/outline.nix new file mode 100644 index 0000000..aef8e12 --- /dev/null +++ b/machines/public-cof/outline.nix @@ -0,0 +1,31 @@ +{ pkgs, lib, config, ... }: +{ + services.nginx.virtualHosts."notion.rz.ens.wtf" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:3000"; + proxyWebsockets = true; + }; + }; + services.outline = { + enable = true; + publicUrl = "https://notion.rz.ens.wtf"; + defaultLanguage = "fr_FR"; + storage = { + accessKey = "GK8b32d276b2eafb999a53188a"; + secretKeyFile = config.age.secrets.outlineS3Secrets.path; + uploadBucketUrl = "https://s3.rz.ens.wtf"; + uploadBucketName = "outline"; + region = "ens"; + }; + oidcAuthentication = { + userinfoUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/userinfo"; + tokenUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/token"; + authUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/auth"; + clientSecretFile = config.age.secrets.outline-oidc-client-secret.path; + displayName = "Club réseau"; + clientId = "outline"; + }; + }; +} 
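Review bot: nginx now proxies `s3.rz.ens.wtf` to `http://[::1]:3900` and `cdn.rz.ens.wtf` to `http://[::1]:3902`, but the garage `settings` block below this hunk still binds `[::]:3900` and `[::]:3902`, so the unencrypted S3 and web ports stay reachable directly unless the host firewall drops them; with nginx in front, the listen addresses can be narrowed to `[::1]`. Uploads through the S3 vhost are also bounded by nginx's body-size limit, which is not raised here, and Outline's attachments go through this endpoint, so `locations."/".extraConfig = "client_max_body_size 0;";` (or a sized limit) on the `s3.rz.ens.wtf` location is probably needed — confirm against the nginx module default in the pinned nixpkgs. The `acme-dns-env` file written with `pkgs.writeText` holds only the API base and the storage path, no credential, so placing it in the store is fine.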
diff --git a/machines/public-cof/secrets/default.nix b/machines/public-cof/secrets/default.nix index 861d254..dce31c2 100644 --- a/machines/public-cof/secrets/default.nix +++ b/machines/public-cof/secrets/default.nix @@ -16,4 +16,16 @@ group = "kanboard"; file = ./kanboard-secrets.age; }; + + age.secrets.outlineS3Secrets = { + owner = "outline"; + group = "outline"; + file = ./outlineS3Secrets.age; + }; + + age.secrets.outline-oidc-client-secret = { + owner = "outline"; + group = "outline"; + file = ./outline-oidc-client-secret.age; + }; } diff --git a/machines/public-cof/secrets/outline-oidc-client-secret.age b/machines/public-cof/secrets/outline-oidc-client-secret.age new file mode 100644 index 0000000..d73537f --- /dev/null +++ b/machines/public-cof/secrets/outline-oidc-client-secret.age 
@@ -0,0 +1,26 @@ +age-encryption.org/v1 +-> ssh-rsa krWCLQ +HeTVcJxU2zRewuzQVknnxAYjlCU8+GJjBz9joGPo2j934uiM3A6PBsFmoz6I1ZfJ +pg68benaKfV+VI1sN8fMDWoEO0QrFzHYULXT9JCyQTClUzUZSlMpzmDgCmHjLPEc +qB23sbwKzgyFO9SKHsPvOqxZrEyTwAKiNYa33QuSyRxN3S4/9PxVjgJTTqLbTVqf +hhnujxviU3iHV2ACqLAV5jYSbAleiAh53vnBc0k326vXbrumQqFvQtgwcqDn4vDR +2QYzEwsj+yV9BlRrGSBZSnoHZjWtsE/ntrEaIZiItT3Ots1CCVswd7LGb3LspYbf +NheRvY7zUXppGiB0+mjZJg +-> ssh-ed25519 85WiGg tGvDzYdpKP8lql3murRlp95w7jQUhhuodIgVxDk4Lgs +aVV4b71w/nU3nBaYKdzzYjXVaxgN2EpyQiKsjO33GcI +-> ssh-ed25519 reTIKw LJJF7K8fRsSoAFDyndWP9nA5FV4w7cWSqUgGnvdB42I +wI22cL/GuyVou1robDUHzNMfCR7L6NA4UWFSeV73d88 +-> ssh-ed25519 /vwQcQ KZQSME50r4yrnyFfH6nwbmCn0UmVUMIBhhfqoicrKVY +xDdBu7/K8ZxGT2BnffAR8UsQIAVlLpSfEvo1m4k87ng +-> ssh-ed25519 cvTB5g HjLQQhFwEekFYHV5sko/x8RwcAsgvl/cCoKakX4B6yE +Ub5TWpDPYA3DSwfRT2hmgPcwoMIhsOhgdhckFuZxQ8s +-> ssh-ed25519 Wu8JLQ L0bnDPmv3Chemi/BKhux9GYXDMMLUjO6H8MQe1REpBA +qtN6IH8M8kLYAQ8a64kYCCaAPhg6VjrojTONdY4MVyA +-> ssh-ed25519 xbfJnw 94xx8KL0EWqs3HIsdY9RFvC6aRsk7cemZxciLIkVCDM +WZnyqSwpCBA8GNnu6VEJSLIRtv8rzOpGFH6e387ohpQ +-> TS-grease +D32P8/tpegDSy/xsspwpuq8EVqwDyZUzJF2Ose+3cqHAx8db4DPWnmt4z4Ch5bXw +KtmO+2eEYTmPyYUZxI+uzr93CQhVq7aFlch6cWLEaqg +--- 6kPR6tdczt01UaY4ps38dncSMFCupa9uZmSWBjm85ps +Ln4Kz>(ن=fʷPG ssh-rsa krWCLQ +nxiY5l98JhWEwLYN7sWtsgN4faDTIpgo1fiPScxXB8/ljnxIyd1vhMVRt0WCTOQV +CFTQ9MOoTAk90Zj4wjxDjoJjjsXLUBVnjqLdQy76kgR5vAvVrHzuYTYO4Y4k0/qh +S6BEFN655P0n4Gxf9kJtKxi3ipN6B46ydACAjFeyeuOPMkMdBBZq1BOLPEOC9I+O +87p+8BdL+zxkYfaWfEggYgabrE7y91EjiB1VCuT0GFm8T8iBojvThxWQlHQAybBc +gvgTlyGf8YmY82uGhGQR39okrA914mJUkr11JZ9457qL+/t5Au/dha1x6QlwcUoz +Tp5OQJAfXZc02LsICq2I7A +-> ssh-ed25519 85WiGg c6vyT96h0eVL+xZpR0Zk06l5ApUsqENY9ESeYuOG0zY +dJbQVgH41Ti/AM7WAlXCCA501h8wgx2os5yiZt+jxp8 +-> ssh-ed25519 reTIKw rVhKDqm51EMuOQnTcsdWmqoBDI/LLnFpkJW93EfcdB0 +AAOEQp0tux1vJ0bPIcB1HtLodig/J4poeu6j/Hk8KiA +-> ssh-ed25519 /vwQcQ jGLr83VDSxYd3v42ECOiTpSTDRB5TVSqx3QHRbMgfEk +k2hBCGntsqP0czKV2JvMbf8lAqpjVvnJqSxfdr00A7w +-> ssh-ed25519 
cvTB5g BqVT8ytcjINNKrGAtttAtxRMpLs4LJg1Uy3zvDxTvwk +DRDEl+CNZnuT+KE1txjHgaWIYmiSeUTsesnXYq89YNQ +-> ssh-ed25519 Wu8JLQ 731ytp+gu36OvH0QbkeDUwMHj3J4u0JujJnfTUQ2C1A +KPGEKLoV9K1PPdIyla5D1lsmhRt/XUHLrCTeApbqR6c +-> ssh-ed25519 xbfJnw Ojf4cuctALx+Q/qWqSarRcnxvwrHjbAK5r4pnhKUzmo +WHp4Op3N3SeniWS7XhPmvRkTyjDIPDBBGviDaiCNbOc +-> 3P-h|3ru-grease +5icFsPwzKpnImSlgICy/wDq6YJLTcIML3EoDUOgvGOFSs+efH4bWExmd2ktGtqYd +ewEKHYlnpIFNTMtlRs7U7sR3qnLHadq3McnhR/8OlQ +--- iwVp/AYpQfFOIg/OI85nNTgdY/HKlEsCHWiBO0lOtJg +Z=eBb[3$k(2x%0+18T,;Fլ"EKeZ*$}Cpo9+|CJ- \ No newline at end of file diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index 70be48a..c703081 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -10,5 +10,7 @@ in "nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems; "nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems; "kanboard-secrets.age".publicKeys = superadmins ++ systems; + "outlineS3Secrets.age".publicKeys = superadmins ++ systems; + "outline-oidc-client-secret.age".publicKeys = superadmins ++ systems; } -- 2.49.0 From 555aabb7984d28c38118375adfa8a9a28476fa70 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 17:32:19 +0200 Subject: [PATCH 62/88] krops: bump channel --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 0102eb0..92a2cda 100644 --- a/krops.nix +++ b/krops.nix @@ -9,7 +9,7 @@ let # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "823e2c9b0a0ec8b61b6583f48338072f137b6889"; # nixos-unstable + ref = "8d3bd93e67201a7c8238e9cbde6d07aba9500636"; # nixos-unstable url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.49.0 From 82cfe98dde2603c3d07837b39bef01f4101f1a8a Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 29 Oct 2022 17:32:39 +0200 Subject: [PATCH 63/88] core01: fix matterbridge for DGNum
---
machines/core-services-01/matterbridge.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/machines/core-services-01/matterbridge.toml b/machines/core-services-01/matterbridge.toml
index 49116fa..748d0a7 100644
--- a/machines/core-services-01/matterbridge.toml
+++ b/machines/core-services-01/matterbridge.toml
@@ -12,7 +12,7 @@ WebhookBindAddress="0.0.0.0:52187"
PrefixMessagesWithNick=false
RemoteNickFormat="{NICK}"
- [mattermost.merle_klubrz]
+ [mattermost.merle_dgnum]
WebhookURL="SECRET_MATTERMOST_DGNUM_WEBHOOK"
WebhookBindAddress="0.0.0.0:52188"
PrefixMessagesWithNick=false
@@ -34,5 +34,5 @@ enable=true
account="irc.ulminfo"
channel="#dgnum"
[[gateway.inout]]
- channel="mattermost.merle_dgnum"
+ account="mattermost.merle_dgnum"
channel="town-square"
-- 2.49.0 From d1bc89653ce4caf47d4eb492c79d969533dc8398 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 17:33:05 +0200 Subject: [PATCH 64/88] public-cof: fix NC encryption
---
machines/public-cof/nextcloud.nix | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix
index 8a9572b..847affd 100644
--- a/machines/public-cof/nextcloud.nix
+++ b/machines/public-cof/nextcloud.nix
@@ -6,6 +6,13 @@ https = true;
package = pkgs.nextcloud25;
+ # OpenSSL 3.0.x breaks RC4 encryption for NextCloud
+ # But we enabled encryption for NextCloud
+ # Therefore...
+ phpPackage = lib.mkForce (pkgs.php81.withExtensions ({ enabled, all }:
+ (lib.filter (e: e != pkgs.php81.extensions.openssl) enabled)
+ ++ [ (all.openssl.override { buildInputs = [ pkgs.openssl_1_1 ]; }) ]
+ ));
config = {
overwriteProtocol = "https";
-- 2.49.0 From a2c58e4d877faaaae0d65f734df514d1c85257ec Mon Sep 17 00:00:00 2001
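Review bot: The `phpPackage` override rebuilds PHP's openssl extension against `pkgs.openssl_1_1`, a legacy release line with a short remaining upstream support window (OpenSSL 1.1.1 reaches end-of-life in September 2023), and from then on the TLS/crypto code inside an internet-facing PHP process gets no security fixes; the comment stops at `# Therefore...` and names no exit condition. Replace that line with something like `# Therefore build PHP's openssl extension against OpenSSL 1.1 until Nextcloud's server-side encryption no longer depends on RC4 (link the upstream issue here); TODO: drop this override and return to plain pkgs.php81 once that lands`, and consider whether enabling OpenSSL 3's legacy provider in the PHP openssl configuration would restore RC4 without carrying the old library. The `services.nextcloud` attribute set this hunk belongs to starts outside the hunk.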
From: Raito Bezarius Date: Sat, 5 Nov 2022 15:48:40 +0100 Subject: [PATCH 65/88] mc: add Clem's friends to whitelist --- machines/public-cof/minecraft.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index db78249..3582e49 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -43,6 +43,10 @@ in Pollux3737 = "ffa65818-b022-4830-aa90-7f3211c8ee3d"; CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849"; clem197 = "7461bfdf-4dca-44c2-b035-b49d5740dfc5"; + Clashis = "499fdd85-bbcb-446f-9611-8b6bb9bf6965"; + epns = "a1c26328-484f-4c3f-affb-26e49b430c15"; + skidijo = "6a72a1f4-7448-4fb7-a252-b6d5ceff2d43"; + r_r = "3202beaa-7620-439b-9e91-0a9d4699b552"; }; serverProperties = { -- 2.49.0 From dbd7594d590ee5361f88283aeb7f09ab30753654 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 14 Nov 2022 23:46:55 +0100 Subject: [PATCH 66/88] mc: whitelist more players --- machines/public-cof/minecraft.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix index 3582e49..0030204 100644 --- a/machines/public-cof/minecraft.nix +++ b/machines/public-cof/minecraft.nix @@ -44,9 +44,12 @@ in CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849"; clem197 = "7461bfdf-4dca-44c2-b035-b49d5740dfc5"; Clashis = "499fdd85-bbcb-446f-9611-8b6bb9bf6965"; - epns = "a1c26328-484f-4c3f-affb-26e49b430c15"; skidijo = "6a72a1f4-7448-4fb7-a252-b6d5ceff2d43"; - r_r = "3202beaa-7620-439b-9e91-0a9d4699b552"; + Tifendyll = "5dc1acf3-b214-4607-a3bd-924665e07c67"; + OknShield = "ef12e9cd-121f-4b39-886e-89b5b4bc5f4f"; + Allygon = "964a2ee3-3a0d-49c1-b8e9-60b5e69976d3"; + CheesyBiggy = "574daaed-ce9a-4b33-a3af-055e39bc32dc"; + H3raklio = "576969d4-94e7-49db-ba7e-e9e57ff5a75e"; }; serverProperties = { -- 2.49.0 From 66ae9b2d0427578e96c93ce56dcf850aea5ab278 Mon Sep 17 00:00:00 2001 
From: Julien Marquet Date: Sat, 3 Dec 2022 21:15:40 +0100 Subject: [PATCH 67/88] whitelist thejohncrafter
---
machines/public-cof/minecraft.nix | 1 + 1 file changed, 1 insertion(+)
diff --git a/machines/public-cof/minecraft.nix b/machines/public-cof/minecraft.nix
index 0030204..876754a 100644
--- a/machines/public-cof/minecraft.nix
+++ b/machines/public-cof/minecraft.nix
@@ -50,6 +50,7 @@ in
Allygon = "964a2ee3-3a0d-49c1-b8e9-60b5e69976d3";
CheesyBiggy = "574daaed-ce9a-4b33-a3af-055e39bc32dc";
H3raklio = "576969d4-94e7-49db-ba7e-e9e57ff5a75e";
+ thejohncrafter = "d3959974-3a05-4ab2-8acb-d8817c140d84";
};
serverProperties = {
-- 2.49.0 From 9a0c9c615c502d98a70d6f4d4e72709fb5907981 Mon Sep 17 00:00:00 2001 From: sinavir Date: Tue, 13 Dec 2022 22:23:35 +0100 Subject: [PATCH 68/88] feat: introduce photos.ens.wtf Co-authored-by: sinavir Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/15 Co-authored-by: sinavir Co-committed-by: sinavir
---
machines/public-cof/configuration.nix | 1 + machines/public-cof/lychee.nix | 10 ++++++++++ machines/public-cof/nix/sources.json | 2 +- machines/public-cof/nur.nix | 2 +- 4 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 machines/public-cof/lychee.nix
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix
index b4a2599..ae3fce3 100644
--- a/machines/public-cof/configuration.nix
+++ b/machines/public-cof/configuration.nix
@@ -12,6 +12,7 @@
./garage.nix
./nextcloud.nix
./outline.nix
+ ./lychee.nix
./minecraft.nix
# ./rstudio-server
./nur.nix
diff --git a/machines/public-cof/lychee.nix b/machines/public-cof/lychee.nix
new file mode 100644
index 0000000..944604b
--- /dev/null
+++ b/machines/public-cof/lychee.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }: {
+ services.lychee = {
+ enable = true;
+ package = pkgs.rz.lychee-gallery;
+ forceSSL = true;
+ enableACME = true;
+ website = "photos.ens.wtf";
+ settings.APP_URL = "https://${config.services.lychee.website}";
+ };
+}
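Review bot: `package = pkgs.rz.lychee-gallery` is taken from the Klub-RZ NUR that nur.nix enables in this same commit, so what this public-facing gallery actually runs is governed by the `klubrz-nur` rev pinned in nix/sources.json rather than by the nixpkgs channel, and presumably the `services.lychee` module itself comes from the same source. That trust boundary is invisible from this file; a comment on the package line, e.g. `# built from the Klub-RZ NUR (pin: nix/sources.json, klubrz-nur), not nixpkgs`, would make it explicit for whoever reviews a later pin bump.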
diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json
index 77826c4..3209971 100644
--- a/machines/public-cof/nix/sources.json
+++ b/machines/public-cof/nix/sources.json
@@ -14,7 +14,7 @@
"klubrz-nur": {
"branch": "main",
"repo": "https://git.rz.ens.wtf/Klub-RZ/nur",
- "rev": "98911e21fd58f00440dc8a5bd6568f2a349338bd",
+ "rev": "9c43904eb242455ca3db9466c5679c81aa92741f",
"type": "git"
},
"niv": {
diff --git a/machines/public-cof/nur.nix b/machines/public-cof/nur.nix
index 130ef29..ad4a2e5 100644
--- a/machines/public-cof/nur.nix
+++ b/machines/public-cof/nur.nix
@@ -8,7 +8,7 @@ let
in
{
nixpkgs.config.packageOverrides = {
- # rz = import rz-src { inherit pkgs; };
+ rz = import rz-src { inherit pkgs; };
};
imports = [
-- 2.49.0 From 5138eb930f618573ccbe3e6394b1c13174e92248 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 24 Jan 2023 21:14:04 +0100 Subject: [PATCH 69/88] core-services-01: add hubrecht
---
machines/core-services-01/configuration.nix | 1 + .../secrets/dexGiteaClientSecret.age | Bin 1424 -> 1519 bytes .../core-services-01/secrets/droneKeyFile.age | Bin 1639 -> 1778 bytes .../secrets/keycloakDatabasePasswordFile.age | 52 ++++++++++-------- .../core-services-01/secrets/matterbridge.age | Bin 1519 -> 1559 bytes .../secrets/oauth2ProxyKeyFile.age | 50 +++++++++-------- machines/core-services-01/secrets/secrets.nix | 2 +- .../secrets/snipeItAppKey.age | 51 ++++++++--------- .../secrets/snipeItOidcClientSecret.age | 52 ++++++++++-------- machines/pubkeys/hubrecht.keys | 1 + 10 files changed, 111 insertions(+), 98 deletions(-) create mode 100644 machines/pubkeys/hubrecht.keys
diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix
index 9ff2a3f..7aa5220 100644
--- a/machines/core-services-01/configuration.nix
+++ b/machines/core-services-01/configuration.nix
@@ -81,6 +81,7 @@
../pubkeys/gdd.keys
../pubkeys/raito.keys
../pubkeys/mrf.keys
+ ../pubkeys/hubrecht.keys
];
# Open ports in the firewall.
diff --git a/machines/core-services-01/secrets/dexGiteaClientSecret.age b/machines/core-services-01/secrets/dexGiteaClientSecret.age index daef2a2a00c33743ebcd5b46b39b1205e074fc61..f080423c728b87bd35aa1d842c1b19abc94ad716 100644 GIT binary patch literal 1519 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!*`Do#|$E(&+{3FJy~b5AiyE-v@T z^fGbD@iWga$n?m}bMq;P@=UA>@=S{IsZ292urRa;4yh;#FEjLYGD>qv%8qm@4vGw} z4ENx2@$@eU$_y|`4|GgR^$94eEDH?uG$=BUh;;OH&QEi!D9H6m^9Txd%QCVEFDv%S zDoe|9E;mf`s`M!-iqMbb($+RE%dj*vGYSjVuQac64fKvE3N&)}D~ifW3<&qo_A@Ke z){n?5FHI^A@i5U2HcdD6ugEW}%5V>L%Qh@_5GIOnPGb;|U%xo!3eV1S^>Z}zcC7St56n(acXage_D@PKPd3d;G&8UCkMuK2i}chk_sKC&Df9C7 z2shyhuJE%kDR40~HqOp7&i5$|cX4tl3511qYKoDmsiCEUg=u)Ed%8lXPiSG0i)l(_ znT1EWXL(gfdQ6T`2m?B7UtQd zxn&^{NfxPQp~-$O2F|G!j@e$x5w7LAuD)DRCAn^imf1PE8J6jR7OBaeZl(dnq3-_0 zekSF4h6WKSr5Q6euUCI>2%CpsIYI_GBvX1bMlg?N{g`?`fY=2{j8 zmgNK#`4@U?8)f9@mFAn~m8WxsMVUI9xO!zpnR}!Lgyj2Yn5S1|c&7v#n?(AQW;kbu zMFbUixuk|hdPSn!mRuI%WSXwvp`B(@8kmxv>gyKaWp3eX}8kJIN zXl7iIlb4$2>k`Uk5Mo+lY*J7dn3m;Z=;9k`YLXWoWfYuVmJ^zusOOjD;Sa_0eu$R6|h;NZ=nMtTguA6b9wr93uetu*~ zZmutvpRrq#ae7gBab%)Nv8joHx1Ui_X0c;rqJgEcd2*&jnqOI7a%qZNNwF)sZDkRW zUTKaBex7LsMviXzE(S@V5jn*M-hOV{B`(I{!AVhWkuJW*?t!7f{>cX6X3iE|LAgOj zWoZSG#kqbZmf=apA(c+$Vd?oE`ri3bF0Mx2iKdB8js@C|IR@$Iwq=+(rYAWnP?XlFZTlso062RmADRivewg+(NLMtC|J znueu^WTpC+_?4uamuLD|xFkCz29#H31e97tRpesifEcLH`jD7BOjxHl#)naLwCn8&nUCf(h9@! 
zG()e<$O12~M5l`4oW$asfXwvle0Ojv(XP(+)lDx-O)O4T$We&5Hs-P{E_AQZuQW}I zayBwZ5A+Ynx3q}#G^@(a^mMfdD9rN?@o~xs_B5&t3`-9(H4Y3g_Hgm?@(aoHDGZEE zPAcUpb#ZaZ49rQY@C$N2}|bE z)zwun)DBLpDyyt=@pFp|3JtFG3<-7#&n^qD^2yaNafz%fiZXG^cB+U7_6p=GTjSl^ zdZ}w6>&h<+bn821G`0VS{qOdbcwVw&%A?yX)l>Ji9*gGMJdJ^Ym-BW+Sm~l~!UAv4 Vzb`y~Ysnkg(g(6zj{i-14*)T^_GJJ7 literal 1424 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7@hCEh3{=R}j!^|-~$x*@C+$735vno{I$hSPn zz1YCH($&bVs=zHX$TZX_GTq%hB0tB^Ak;H2ESoDOJIdHs+cGN5(K$UkHzdp3+@L%# z%fw4R+%dZ%F|EMNFTE%-yTZ&%zZ~7R@KOsepFjmKk8;!C&{PkW3-;iue*Qg+OcVpA= zZ2v;Xd`DNmpzOl(@N{(BlFLGzOw$z--JQY>oP(2d-75@?OMRVl{ruBIol^@!oP5Jd z%^ZyayuFNzJ&gQv^2)iwLi|k4%Z!ZzypxjCozlZROCrJys~l7FLxR#>5(|^e+_lY% zwJS1{eT&g;(=RIzOb%4YE;jedN)1Uf%E>p#%*x6uGf(z(^ESv02z9PX^YQmCjdaU2 zHApEbHumL;$_aLIjwtstsz?eB%5p6846w)z3i8!AHOba5a@Mve%<{AhadQpK%)*Gb zqSO#i?{bAQGXqBxKaUI#1J7d9z({xh^s=0QTz%Jq41i( zl1$yw3zH)Koq|m={M|DGUD7j4UCK){QVl#ZbBZF2;UQU6oT!jp6z=R3$d%|FP#9%W znVavO;+h!Y5s;N>k!~62o|u=P>}g)$AL8j>=~0ksknfS{ZCT)G;#3gs6=s=gl}XQ#?NZ_77iC%;;F4<@>gQ)sRN!r#WKo!BkrW)5lWLk+neXds z5@F!wR+5=nlpCd8kx^z)9-7XTA5fm5A6RAKlx!GaQW=ou?ra|ARumkdUu2TxQ=aMN zQy7$CoKzAN?h~MGnWt}->tz(|p68QOl2%q)5t5O@z$nu2uimu2D<4*sfop@3if)*9*$w=3QAR6 z-eF#a5uS-b`Ibg*Mfxe3hK>;-spcuJIY$1Kra3--MumSVXj_*#-WKGj@cmvmL^rj-a+QU1^N|9PKEvzRh~xK zC1&N??_J6$NgUCYgT0 zc~Jo+sR7PqrTVFvE)mI|T-VzSJ@zoJ-_x`$?%3sAmdk>Z@|(AYSQpiPyMMglpj$?k papd%UDN>=8%|4dfx0_^F-|bi~$Y@=otD$dDs zP0isdib_ci3-b=k$o2^^val>Ia&h+XG|4G9jB=_hibzhaC`k&4h$t)3_ejf%GVv|; zb1HT7DankC@OE>_cCQNK%1<;(DfBOP56Fv5OfM=;^^fwjEV0ZeH#Z7Twydo5F7pZV z@pSc04ok_Z$S*0iOft?l)h{aY_jOJVOb>T0<0=Yu4D!>@a81|FG0Qgguki9T@h{0X zbc=GWEKbi4NH(*~cJzrb%`EaY(Raxxbu2dsGqsHHNOIIqGEVdMh~$dYHqbXQD$A>^ z$TZE<_bc~wNiiubHHt{HC@u)qc22MK@(Rf`HP0zDNHopM5b42 zg?Wg9iFt*irCCLQv$LgsX1aNHm8)lzb0E5HMX4d4-sK9J$u4OHIgy2~;U&f4h3P?N zM&bGTB^f0iWvMQ{S*{gH1(`;f#p#KuS-xCJ=6QaW*=0fcdBLF><{5r&=4GM9MkU^s zi9zo9iP@&1nSlicMUEDxp5^Ga>6euUCI>16WH>tI7=$?aI650;=7f}JmtNBKAf8<;tj 
z>$^DmYdgERWVoW+mRuI%WSXvE5UHJBoaYqootvIvk(80_bCs#7NpZTdw_CZfkFig7X?RpstmW2hnZDkRW zUTKaBp&k|yAprpvCgqN~DXyW(sg7C6F2=50Knu3p;3*+xD&mB!9_+To#G`d&t9 zz8OVM$!0;RnPu4p5tRi7DLJ9p#%_7xNfFr|C0XS@mT7^dKB)%iwq=+(rYAWn_-N}p zMmi-MhXtF5cok)tT1IJGh-?dQ=qUMH+=# zMx_QuK`%D%Z)- z$igMjx6H^R#NQ~%z`4*r(8I!A;$%zMoD?ftiU4g2pnovx;@ zcb^JtTrIMjRkVG<#_f7fXMNwiM0EM=6>Fs4e9fId^VPKo3x-K?8*MLFdPhbjn+C;x z^SZp$y!FRjoAr-)y?3l(Gg1`$B(_3hg~CtOZvk;^XVP68FUc_X{5U%AY0`=(`I5gE zE);)xfA1ESyh(o#)CtT92+n^zIF7p2n*2m3X%`*E)#Fs5^=f8ZE_1sr*3Ezp2 iOQN3Me{x^w`<u*@k)G%+(T^7qs>^@}XY_2eq7%=Aez3`jKh&#z1? zG_UlE@Q;kh$WL-qiB%q=yGcT(oH`CWL+dFE!CUslX}J*b&{f@KOsepFo9@v;h66Qtxo*5=+m@a3{Zjyuj3y zEGOSeKUb5$$RZaLZKHCFGFQha7Xz-;0LQeTY{$e@gLDJK;DU?-_u|5;#3&;V-yo9; z!?L8%WaGqu)F`8}Qp>B=Q7vq;=IaWkEE28M5hq{oV2Wr%;LaI{ZxxwU!SC6X9F&Gll1&5_hgrX zg3R2cykMh@!T_U`AngE)pei3H{St%X4DCXXDqmk`eR#YT6(=fW7lk|f1ad`GWg7Y? z8Wg8TrMl!~mU!i4n5FxAYdd)x8(8F|6+3xm8ia=#>wA_*W>=UMmHHNBc!Zc)`00BF zd1d8?ni+BVXZUyqIU4($hvZ}> z6*!p|1}BH4Ta+3_gd3-OmKEeyrTMzLY8#~Hm_)c{TZHBK7lj#RnK)Tw>T|gkq6&MtiIXk9iS5+7$ zMmW2NnwxT^c^CzkT0|LTq@{&L1rEg_FO&L1s}@c8a5gyPs=zSX5q8kV#~wzn8H^x_^GUnSnvE zTT;1&L6JFESaG3Wlv#m!iD!jplD20_PEfLCYPnI0nT4B6L{Vr+WL7$tuCA_vwsWqz zd8(P2OF>d;aZ#94qPACFj-O*>c1dPrpsRaEL3of?d0=6XkFhV;=Lb(4Me;Oyj&>fn zar#1zywu%i4vxmQ3qG2i{=+5k`>jqfk5BOLUBNj;J6tC6srlwP%!|KN|7X&r%9V*M z^A`0@5&ODU>a3uyZtV{5S1006v)sxEw6(NP*>^nboK^fC`|K~inKM@}o@K~ge|)}X z#{IU5oV%<=^;SQuwOz$}@zdMIj#Fo*+&RNx%`0Dj*5S#N5Wd3BcdzAD6ihaK&S9F* zWD|S!oL5@#MVI=s!jguGni{gVEEq)|y6oL`qQ~+WXW-4 ssh-ed25519 lHr4YQ S/Kuy8PdLoLLRDvlDDyuDaGXGb0RMBJKo9XyHK2I0Bg -VFjemRE9hOc/fEol+2OAjM6d/5QLPeeo0ytdgcwa8Zs --> ssh-ed25519 h6AgbA ParmcGdbVHdvihrEuV+nLBLDnTwKR+zoxc/O0LdrUhA -L1kL6sr4ak1DTTaui9k6tpPJ1p86bKAoOcPwCJu7vr0 --> ssh-ed25519 Wu8JLQ hTPuIn+IogmX6U16p3EQ/9C/L+X7dZaQaBrEAdq4twM -QhnuGbpuqpFFujNlXSDUDMEGHK875Sr5hHX/q2ShkhU --> ssh-ed25519 cvTB5g P8av9KTsR9ccIRPz0TABQF3EfeO+cyn+Od+shxeatEk -GnExLTBOicvRs7neFPL/GLxE6hqpdqNV8P4nWRbMjKU --> ssh-ed25519 /vwQcQ WE0fxso39H7ZyYwJ8eNnmrLgf0xL5AdpHZ1mrvbiPyQ 
-y4GjFZuYtiGg6cY8ZTOKHbYjjFJoFI5W4IF7np/OB/8 --> ssh-ed25519 reTIKw LxM4ihcAb5u6rKqtrOUZ7/4XXoMVbf/HHhby/i9Xbn4 -O8KkO/99T2lBttsADSTJE/18ljFrUjrJWhK7peehei8 --> ssh-ed25519 85WiGg +GtCSdOR7TTwu+zTvwOoRhOE0iLwB7JuFaZkP8cP+Fk -0GCjcBgOPeynvAUDmEioWPJMhZWGchKKukGGXHCBEUU -> ssh-rsa krWCLQ -bSk43qTcHFgrS7AeXTzUbx5FO/1YrLuRlm58lcXpTTKcRMZWKmFbPTVNdIvkT4xt -B6HW0OqV/Ks1pbeJUCPRdLwYHYULEC4quRGlgeToXoUQ8zCvcPT6uikpK0Hzne7e -WI5MLdS3vvAPljlSSaPN8gb3yiPgA2IPrHjqIsMNkotGFjUQ/oIyJ8YcDsSfGE2T -Z8+TOj4ZNxPda2hX7mL2x2dJmmQW5FkOVtSpSyvwpkOqPOi6b5vZaWu/GtXzGEhD -SD6SALiqmWkCHb8n588XDqKj8Lj/741R24f8IM8qW9cBz4QClh3Bnrl4gendsUCp -PkQPjniidi/aF6sHhfrSNg --> |#4-grease y%'e^I RB nBNinf \dob -L2HkuH7S3KtuQN9AWLBL99nJPxVw ---- +QOdyAz8FR0RecYvvkzxv2IzJ9yt89/xePALK3l7sjs -&,NpJ~ ƅ˜*,؆5:i W}m"Q-FJm \ No newline at end of file +2Ak0HJ0WoUuCQkjBPjRgrFQmHSBP7Lzhwp8JZ22lSDLO4OzGLuyGnmI6f+x3mhSM +UP4X4fz98ygYaPTKHzgs+ALgoe0ZOzIRcrBYKyAmI92iuVk8QJrGBaFsi2e/quur +oRaQybPXCqbGeaFhLY74RHmtbby5zzbQnw8f5DRKn3oFDYgCUMOKdTPI3vsUDd6t +dLmFCWEhGFMwI9bve7bVeu2yKMWpOIIsVgkabSy9EQ0gEUwoXkrGNpc+QqqR2qbJ +qaLok3zO+giVKrzl6+/Z/tzHQ66mUTIZAD7HmRFMqBRBqo2heCtviGyu7NPXhb/T +vTVzgL7fsrkaYd59O7BCSg +-> ssh-ed25519 85WiGg UgubbGKRmcFV5N/Vyo/HEBtGG0GOvZS5dSDnYoWzeSk +N2CZ/ZJJLRTdwBDCVNrXGp8ic0T7ZHx+DfPcXLeEvXQ +-> ssh-ed25519 reTIKw zl6eZh6NG2Y21AElt+Ag7gzDmtzXP0h1RjhVzaiHUg0 +PJU/i8Za/JwrCLXcH0vtG8CDxv3MDHCzEYiNIhperC4 +-> ssh-ed25519 /vwQcQ RS4rv5dnajCSAdcFj96HOcMBHySk5yBrmepNdlOcsWg +M+dCeQCP3rl4oT8IrkParBnaaTfUNbWpgvbLou/qSp0 +-> ssh-ed25519 cvTB5g ZR5ayyiP10Dec6Tg2HYcl5q0dkLSvOgRxeeVxC1Plj8 +aiY/6wY4rmB75NRzcbFPKu7nTLKZhgqOuqAZm+9UnTs +-> ssh-ed25519 Wu8JLQ 4nFItVARcWbkkuyaUcgdesLSOmiomY0Ht2LxXX1/L0A +dK2/4X6OFbn4Y3gVK5zKRV3KySiCHzGnGewhZmqETrE +-> ssh-ed25519 vXYJfA k1ANIqwNaMjipiCobpBWMlhbCyudoy7vpuajDK7mLiQ +uudD1Bk1+EWmL3o7VH6YSbv1WRCw6tsDV0HoQ/zwXwg +-> ssh-ed25519 h6AgbA EvhvmT6dx3HAqioaFvT5u94cTk8okjhGgzyxXZF8LyE +R/xTeW/rJEl50kG8e0n3NOGpX9XI13Ftq7ULYNHVaCM +-> ssh-ed25519 lHr4YQ 
WyG8hEoGZuNvroTdmC8RST7l/Tu7UUXgeG3AfLA0p2o +qk7YeUkrOsRbqnYXFXZAkiOaW6rvKnSaZGSiBw30b5E +-> V9T>@4JS-grease @h!7BAa9 +nPtMdfgbktgg20WlJBrQlhTDMI8/i31JEDnZjF4u7RidDSJ5lxzH8zI+411CQ+K5 +exQ +--- YY6c8/qxiWxaK31KW+3QP6240bmnDJZ9EXrG7dnyJcE +N|J +ZZ6#kyH; \ No newline at end of file diff --git a/machines/core-services-01/secrets/matterbridge.age b/machines/core-services-01/secrets/matterbridge.age index f4ea1d5e441eaa4b392dd2f255f591a06a917bdc..526ab31d3e0491b21298d00e4e202bb1bec705d2 100644 GIT binary patch literal 1559 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!*`Do#|$E(&+{3FPv3a&!u*40kDZ z%nEi)bSv>KD9LgP*DuQ}^mp_v_DCuS4l^*zH+QV`2ni1HbIUbwDhqJR(he{xaZ3s= z@zUptGz*CG_Ag4w56~`m^h*i$cQ^NNPj?M-$ujeHaV`!H%ufvo@eNN4sBm&L@k_C= zFgG@=s!Vsu$;>J)&koAwa?SMf%kwFBD)b6-stn35DK7923CPVgO3QVra4Idzu?R3P zGxRVmbhb#(DzR`kj&d!xD7Hv)3MnmfF>wqF<%+b(cP+_wxAYFEN=;44w{Q+IF7|MZ zu#9qyD)lOk%q_EU$_|grPuCAK^9pqGsPc2msZ0&NP4&rh*G)r=_@bPmF z_BV6QD0R{

5?F3FAzNHI-|2=VtU4X?;dDasEhN;P+L(|0NJN=?d1F?aRL2{bj& z)pq2{57RDntnd$XN-cKuP0CFQs7NgHOoxSbYKoDmsiCEUg=u)Ed%8kER*Jv2Sw(o5 zcABw&fm21Lg@IpaWv-E%t^sB~MH!aG?!{bHo}sP=MXrHf&LQr>`UN40Mj>U!`oWf| zrEc2EMOkHOj#c3)hRJC~2HEJg>6euUCI>1QRrrTRcozCNMHQ4rd6*`-_$Ma%S?1=s zxtDkclw_H@rkIBm`bL=hWt4M;L>B8CdKM-+`e*s%7L`|-6*>ikTNtM1xTiUnd1i*2 zn;33tM zUy_e*TX?C3mrtNVSzd9uzDZ9kZ(_P>sb_d$zH54URasJ$sYzZ*iMwxM zo^vr*sDDsEdT5@ZdqhU6XN7CHQ)q>sN4iC%TTpREVuh)PtFcG6p>c6!R)`6@ZDkRW zUTKaBuD%%_h89s}t_JDhUasDuN#-HNSzg%{#s%SNF2QDjDVa_s*_Qc*1`*j@rH;Drumo| z78F-FTUHu71r?c^hXz}g1bLcQn&tXZTW^CKjhEBxkw1T4-5vap~&nDnxl3 z7V5i{WCj=Hhv&N)IT^c_I{62rn3;G+Rg}6~c;vfy7-d<8qz31Qa%t{7eB>|t^d&Be z72mg3y@`(Cnf+99F`J4|)o)&>lUq}F?iD(E=<=JpC*O7GI`REnxx{Zr|FVP)PprI8dbOWFSN>9d-g%~vS+*|PUbCdH%%{(D)=eAenZSFtD{?e z>q92`FWD|{`ABsKN6zKO{d}LlyF_VEIuSSJ;!eLW2j?E{J|ey{wLfP4>7~DKd;8s* z@?dITe%{Jk-xGy?WvfZ;FIj!NBHg;g>-Jp+$92(rI5wY??Fb delta 1441 zcmbQv^PYQxMtz=XdZcf-d$y^Eb52QFh^tqIc0`0vdQO#jZf-_|VYWw}nM-MsOG-d$ zvSW^ZxPG`(VUnYThqIxvZ(ycju_u>NWw~~Wwxd_1lSf9HOTK%EzH3HKs=IfpL3nO< zMygj)l%JQgaj;iOcv7~1P-R&}k)dIElzDEVQIJ_sRehK_S9n!Mq(x*}sH>&Ek+YMp zc~ww;Vs2K6L6~1eXs$tFkVmqYVUf9oV_1~FwyUvgSaFDFcD_e=MR;XaewJBQI#*y$ zlD58QrfZ_3lT%J|q=l13utBO(l%H`*u5)RQL3VzXqp@+eOI~JaRZvQqQI%tMR!~%7 zphtMFMSXHoP^lqTctCKWn|_#Ku1R>1zp-PPV|aeKwxw^ep=VyGQ+a-HxL>xmQ~7fO$ojaWa>sONOz9pMR2hKw^NQg|BaJaz#j0cygw>vw=ZkZfT;kiFr|#VOW)) zx8vlGjN;)L#-7f(*?Fd}5dr#61}^ReCV~0o!Aa&7VZqrs1ty`%UIr;q#qPz~p`Kjc zp-D#OVTo0S$x-={AxWtLMWu!&m6=WzB`Kx)d5LNHMk&tz9wnLO$?22hnZ(0Qz5Ogp zGcqE4T-_?N68(&eeZ&32+>66}%#vKRqa3|_s$AVtEK|x$odUW1!ZMO8f&xu4LJYI~ zE3+I6T`NOVGt9NqL$iu4y)z3_-P2r)D|0Oi{6Z(6WfHG80a5dm^a?N$pPb@Mu%}&kA%kkF_4K(x$40Dbu z_i%I%k0?rY_009lGja1MDGo)Cg78ucFP}h#GJ`@tN6V1RaK9iE=Lp9l$9l&i|FWcP zkC4>FOyfio)372(U;U_5-w4NYt`gI{0B4K991~+#@02W)!eTe$fU*ovLk~0KaKnu3 z&=B7+GyPKI0FQ82bn7zA9Mh8=6^uh7{6q9jjr^1R63e2BwY9U;a}7;PU2+o5f}Kl! 
zT!Vw^(<~D6jl$h49Jvz9$_m1&a(x0)Bg)M4bE8s%GJ{OD{Y_o75(_I$QuDox(z8ol z-HjqsF|5n+C^Cr*RB$p6uyo1ru?$Kt&Cd^wG%@o?OZ4$K&Mk|wNHjL{2~SD)cQ1_a z3ya7u<_dKSGSsi~s86f#)%GnaGD!1uaW4*y@W^wkDhkN+PxCX&)Xp<9D)o#^Hvsw0 zRxd>($4fW8C^fM-Rl!|PL7ywt oyC^y^0yCmN+vofn9H_s!`*vZ4cqBPSoxXP%s z%Dd3TGOyC#(>Ti|&?&IQ$Jjk3*vHw~qR`3NETodl(kQdu$HI|IS65ddJWt!lFDu2c zs46Sa!pt!#I5jxU+u5MN)yOC%wJIXTB{!wQu`0+pJf@E?(;)Gw{9%a+&N zdLpfULOjRr%Z^F)uQoD0d#KB8d8^m&^vAZJrvz5TPY`}=3er_^c5!17Cw`|8ZM#*4{wZ9YJ$XL`nS$domQfZzj>|OLt zWZKOqW(pr?8{MA}#_}(}dh6%;3h%lYw$0B}HeId7TX8jCoAE^J^}QPe@3wZZFs*v~ OQ?M~|))9r}i ssh-ed25519 lHr4YQ f3xLHRyIx6oPATsv5yBq+pWpDkwJ2xt3axevMNjIUgA -RK2bLPZ1dwDExqbQ1Mft2Z9xGHpxSTDuTv0AgplnFzw --> ssh-ed25519 h6AgbA fPy5Lv6ZcYB9xDyeHNTueRKTvvC6OyCrkHzF85dmhh8 -VzMkn6iaC+gwDXkaCzh7ILTdWMBqUYvYmrQPbiB+82k --> ssh-ed25519 Wu8JLQ BSn5p0Wuv8CuiHJ6AdLuBLOst/2/mK1fs+zmgYao6kg -m/NfBqLzcyTad8UbiDSMI3EmcHWccpgV/wRKKeSO6bQ --> ssh-ed25519 cvTB5g GP3EP+t8uJFKGAKBwwO7CmXa3JGTFePTANSINPdQuAA -DoGUKpuZTQ36hM4B7eqwbfGGKM+pxsYtoL5UjEeVdD0 --> ssh-ed25519 /vwQcQ K8J9qbUjPPhuYZ4/2rGZWX4Fb60WZACwmFPGXUT9Yjw -N6lTZVDVxTfZTSagaOi4dbVzylljwGWAd06GbeVloRY --> ssh-ed25519 reTIKw +7n56fmzzYOkArtH0Zeh26zHlE/lWz1gqyoCZEMMRDA -E6/dLGVaryFfqf+7DmwKghtGmtUUGpMFFwaZc3OvJ/c --> ssh-ed25519 85WiGg aHBishjeSTuv/TYVcZQzALC8DHPbYHf9dj+igMnkkn4 -HwmPoIqV3Y/34Azf892K9nGJ1hh2KWAh3IzLiGVKeOs -> ssh-rsa krWCLQ -A2IHEB1lR/eHwOM1adPnvYZUmJ9Gf8ADZvOpzHmxVC54VP5EZLnzpcdzIKlM4qOe -vYs7PdGJ56iGd3JS2khyc5oCc/NEYu85i4eyK8Y8JMqSFyYVNpH5rVY1IuHhIwW4 -biLSvPhKejtcjGkJZGebm2yA3TuhS5peZRUBh2v0sf+PjblsULrpupSRYAs1IndZ -1/Brrub4BfFihZh/uCN1iq+lWxUG5K1AR4UhrX7s/qq21sIP+hlhsTzwj5WoeSPV -rrYzi7E1v8nP6YsP965PjNFq5yJYKRZdw/QosmElRF4Ar3PP+fROFLfA45LmQpLh -z2P/QZKQ7BaANqtz1ryIZQ --> :N*xgmZ-grease S 6b.gme t1.-?(l6 -JJi5KPF7Y07dJexK5CNlZVeYnM+DaRUqYjChAQO041COvkfVF1CvwLTYZAsZbw ---- RKQ3nSQxdSjoVBEtg4TrEL30ooOTpyZAXT5TcOM4qWE -zƦ6JRURh/ &5cKG%hpI;.NQq"hq|7nC92/"ɳ&uKʪmCB-Y̫jTkk Kۋ]}ˤiރF}ٟ- 82N}Ȝ(JAd_Hi0T"8}Q$ \ No newline at end of file 
+U2lxIvw7gRCjMGutUFyq+qGiCIFlbsPdbfzqy7b27d17aSjXds3WwMPUQajHMGXl +tmM/gDCOV8aY+EkM8nQIKdSGNZPwWHlqFyBpH7b18xTT+sWLBZnKcQqVzdF5n1yH +s6LjbcstDiCy3h20hfOjoi+qvK8AGbWnLueDI4g/BWCLBUmAC6zPX04GFAstzg8e +b8wcTCsaeVJkEVvI9caJsFpoxKttbjWUOb2jOzquyi1vIc50vWBNLlulzf0Cd523 +niyjvtEyVRmHjTqs2D97DLuKEE0U8x1ecI7FUwyDQWFj4RmmoKm7TOvGva+alol/ +mclOlWBaMuji0SWwR4GQyQ +-> ssh-ed25519 85WiGg oTAqEjy2kEYw0EEDFzmv3EYWY3gKNDGsWbztSN6DG3o ++Q5hzzJVgdtFiNtbC37n9tZsNK+onqp4P0myPLpGU0g +-> ssh-ed25519 reTIKw SOCoiYn2OZ0WbtgQFsJE6m5lbeat36SVF8Om6NHha1I +BLsO5DrNci2ShXI3wBb6u6Advjc7sOCXEBd6mSawkEs +-> ssh-ed25519 /vwQcQ zXWEMSbRm2mI4KoMj2tbqP26LTAcxeyLUv5b/UzTaiY +HMOyH5OV0XmQsLOtzIsHf3UFYKUoEswt1a6JOu/gl8w +-> ssh-ed25519 cvTB5g 1HPXsPtGaCCHPHEXQKVNLRGXb28S3hXUAyT26No80gE +NwPkRoRdd2juOWHyJV2aNwVQzGvwpf29mKtcyKSUHKc +-> ssh-ed25519 Wu8JLQ tio1Sb9rHwAvoDRH783Ts9S+mS2MWnsqw/L4/To1lgc +Tfx0a/UKGiiMsp8rkhbaLpsS4JJIgMeWCDRZ1CxWSHc +-> ssh-ed25519 vXYJfA GnXJG4bbDQxls3yLVd22CHmrrkAZYQNbXcpr0iH/8HY +uyr6VTHwfU7FjA29IJM9EP37K+QyiWIrG6CUpWyi4o0 +-> ssh-ed25519 h6AgbA p/FApRwDrQNMdSPYV2U+CyGqdYZG+enC/TJ+Ht5RtCE +T6e2S9gZVi24ayGzKGHL19Ezv//f/0+BUAnkCf6g8No +-> ssh-ed25519 lHr4YQ JQXWGrVi8YLfI0DWfdyuxKPGVa+SvHIm95YGzsyvdho +yvQpw/1GuVOqBBFwflDXvcIhuw0ABqqwByJH/VPRICg +-> J9VGuOkA-grease + +--- aKOWgh7PjxocWWeImr1UYJhhFMlzDJXvP+Jfbrl3Zzc +7T0ZH48ntjlh}J_궞PMw%tgm=[+nbeH`ёyMe\WU7ӵLB 2o]cS~է2C5Mybi62~:BFh1B'lm`fKvsy%!2~$\^ \ No newline at end of file diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index 9925641..79b0d6b 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix 
@@ -2,7 +2,7 @@ let
pkgs = import {};
lib = pkgs.lib;
readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys")));
- superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf");
+ superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "hubrecht") ++ (readPubkeys "mrf");
core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU";
systems = [ core-services-01 ];
in
diff --git a/machines/core-services-01/secrets/snipeItAppKey.age b/machines/core-services-01/secrets/snipeItAppKey.age
index 3a393c2..cd9bebf 100644
--- a/machines/core-services-01/secrets/snipeItAppKey.age
+++ b/machines/core-services-01/secrets/snipeItAppKey.age
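Review bot: `readPubkeys` (the context line above) turns every non-empty line of `pubkeys/<user>.keys` into an age recipient, so after this change each key in `hubrecht.keys` — the one added now and any appended later — can decrypt every secret of this host, and the same file is also appended to the key list in the configuration.nix hunk of this commit. That coupling is not stated anywhere; a comment on the `superadmins` line such as `# every key in each listed pubkeys/<user>.keys decrypts all of this host's secrets; re-encrypt the .age files whenever this list or those files change` would make the blast radius of editing a keys file clear. The `let` block this line belongs to starts outside the hunk.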
@@ -1,27 +1,28 @@ age-encryption.org/v1 -> ssh-rsa krWCLQ -i/TW/dUpeS8QL9ZJg7xKdGW65D1SWFjMpolf1BgEs3hm6uI2W3RWUb5S1PEs6HdF -l/yiJtZeBC0e0QbaQ776fiy0MSmuMgcRbJJ1rjloGwFzwwvtqhQMG8rLp70IPZoV -F6sUz4jKHaEjIVVbRokdfIKMSnhRXnbW5domOxPmZjXck7YxaR1zqD4S9PtH12Q/ -P+l/IVS6+tuWlaTs+1FY2pQ0ppPkwxBirm+4/dxD7E5MkOT0OFcpopI225u2vJAz -Hfk6SBhWuOu2GFfLDS3sS+50kvx1MNvMeb9qVYHkxE8tXhJxOpykkzwYktYp17jY -m+rh1gMPt+mZV2ELaZkGjQ --> ssh-ed25519 85WiGg TSVInZQdH1ZbhSG+FptwCu96UX1SHAhQNculIk8nVF4 -L1ptiGhMZN78uu1TQ2qVV73+lhlgD34g7xt/AL268Dk --> ssh-ed25519 reTIKw vrZd8hFFywOmDJxAq58Tt4Wdq2ovft1IDJqCvkpRU1o -9TmODia85CwXZmzdxk6W4LCflCybq7O1WWoqG5vxENk --> ssh-ed25519 /vwQcQ NSJNN/lRO6TbOQTlY9bT4kdEuP2hElmNIcKRI4ilrQY -eGIr9VQSrbG4hB2XQGYXquQVZIkLRq9g9+Ap25YSWSQ --> ssh-ed25519 cvTB5g 24UlsKN0XaA6wW87zj5PkPy90LUmdJe80FV2LVLiwzk -57VJ2pf45+r7CgMdr/78ngWll12Se7dS993i+YKp3Vg --> ssh-ed25519 Wu8JLQ wgWSOp5VQzF+pvL338wOwaJ3RIIi1I4SNqW+vT6NQF8 -HVTfWqmf9CnEkHFpu9NWYagwwBdW8NumwFcUvSlb9i8 --> ssh-ed25519 h6AgbA ZRjMQkjz+sw2BZh/myaSnMgz8cngGM9wxQf6L6uPxE8 -OgYfhTQe4iB9SyL8iReQByA9N5VcUC/YvpvbPIgp/3U --> ssh-ed25519 lHr4YQ JAnhqkgzuCDsmDYnRG/DL/MDrfA/0uCZ1kpZSWiuPw4 -uMPzV/uWAozlffoqIDtTcI5CI3FAzM5fzDuupAzgE4w --> 3[k-grease l5" cr(}p5 s{\538Js -uR+N+zPd323E/1K5MdNaPzAeNYBYfbmmsxtQRufVjMj8jobBLhHq4RVJ/E57t8yv -4Cxp ---- 1iiPH5I9CDFZwZQwRbhKnqpZ08vTMP1u4pU3+hNpubk -ےf(Tח,4\hKT džq)e+}u 'hN/䶢6B4Kң \ No newline at end of file +gBB9yfHVs4Zgm30rbXOkQNZjOuQVFt9Mos4gBoM09M2psLLxWzsoQopWVcvbV+sY +oZAThV5F2E+RbOP2e9+o5P+rxCcJa8aAXovtmH2BZvr87jNi8tebH1l0Gjn0I85C +B+vv2/m1KCzisCR3p6yaqBiqyETacWRCuILVxKbpnKfVX5ymb//9U0tRbz3BIFH1 +i3bAD8j8H4V/5SC5RmYwVeBhdGqEaNX0Qehh8AhDkxoqMT3Xeie93eIK6tyAZuyO +oQezqkUmozq+uvo6PHZvY/auTYb17QTY0s0xf30NnQoqwtVXnyu6xPx+qlj+M99Q +Y/s8SFF+STLrAgK9MN0i8Q +-> ssh-ed25519 85WiGg zkLuTpJaBr8T0XjuC9i9NTxYUPhix9nLlShohTtgmyA +QwdgD0ihIpJF8D54x2Lg+6CE2yV9nLBZ1oOf/iwUKi4 +-> ssh-ed25519 reTIKw wB2xC902eZiPXXU9n+oQSocx6J9h5IK0jU4GqmB1XUI +awLSPDqOAOM2g7Wrg6uCMeDRVljl2cdZ40gHDON4DCU +-> 
ssh-ed25519 /vwQcQ adFZcuzNWIhLFDhF+FjfnMGTpijt4IKO266M8xpZTHs +WR3ig0R6ZgtYLxhN7bm5SNJ3klYvEkMlLeuC/GBxi0U +-> ssh-ed25519 cvTB5g 8Gl7qbc7VZvkjjHesgfgdvtsCntNCxyUU3hwXMaIJUA +uEJwhJJa87+EjpTE/+3jPnNtgFTHNZkah78URULI1nM +-> ssh-ed25519 Wu8JLQ buWP/UWAYd7nAAdIqJjkKq2q3Kcj/TtTm9MacGkoMh4 +g9ngALRdWC96t7FLES79gKQNK34WbKHqdw4OCryGx74 +-> ssh-ed25519 vXYJfA KT8pRDwADkV4ySKY6HejWKp57aQUWpor7x67x1Sc3wM +th+47fUL5KOak1tEeHslVg9KSxw5DPIO6T/UtfEK6kY +-> ssh-ed25519 h6AgbA 8kWKdngdG4RbvQHnkHpygz1fhzMXpGafXltQNa64mAU +hZZTmthndfMdMZiaW0bLxfiySzFgnKmd6t4u1PxLG9s +-> ssh-ed25519 lHr4YQ JBCRJtCaEH/Dp2em66/ckqFva6JpyeUAHJidVysAsmw +SGyzp26GIo+D4VQdzJZEBUZYvAhc/SZy6rdd6HXOawY +-> 1-grease +niVrY0FwL41sfeE9fB6hg+z0LWMXwce194f+IIL/F8JMIfTnFB0CRAn1OGQ +--- pMIf8bANx+QsRTqnWxPmnJm6DVMmJBEO+emeOdLeeec +.AzJQ[)s!2m  ssh-rsa krWCLQ -gPydOcolFG+axyXPVVYYjjr0hypl/xczmMM+W+BbfZFaAL0TqXpqRgjtZSNvA+oh -+JHdr+/8IHh2qCS2vtzuH5lAsjM4h4FPPnGixX1SI9eNH14b/Otmoa/OtQD4pHcB -PYbh1yh4AILggg1ZMdttS+FUuMtu2A6y2NZYSkbBLy9dwEdZNBs0/cX/xNEqK72V -JF0BuGYvchyJ4ec4/m1od94dVva5qKUvK6mr0u5XPXObEOdZ8jJwZodJjrpDaEHJ -/yt8svY6upoXIdM4dVbY0Ab1VCwXf+tbGuwypVJF2TkeVW5tbImxuoTPE5XNdKLF -XU6RfHzLjUnG1T+dObb9gQ --> ssh-ed25519 85WiGg lVvfjaLUhjdWgRnz0supjMNc6pDpbeEy2Z0fFOc7dkQ -srngyi1Wdi1lcXFK7MJtqt2koZkopcXX+hOFENHXJgY --> ssh-ed25519 reTIKw ubW5n+mkAgxwHT9okMRWoE9k5ZpWN7UQDrvRwgS3Xio -O7GRq35wulhSadIAJ7C0ekLQQVk209yGiSaWg/VNgYU --> ssh-ed25519 /vwQcQ 0FZbpEDS3xuKyPOSExt4wb/Oi0xlTivdLlpKuXicqx8 -3ZMA31MUD76KNK1+yX2473wDSv0oyheT7jAmvnbPJNg --> ssh-ed25519 cvTB5g 04++RfeztjNzyHMW7WhxdAWoWT5NyatCN8zf7xFYiCw -OWYQ3oFR+/NjY8skMpzd0eS9fsAeugO+loiq4ZqEVWo --> ssh-ed25519 Wu8JLQ b5BEsw8GS+LUcLZ7h36WDHp1uunlVymEcCmAcs5xaHQ -4xs/EAPRD4Z/rL3zisjGmslVt7OHx+Kh1kJmdBAxED4 --> ssh-ed25519 h6AgbA wNeprhlhTORbN4WFxWPJO0DV5vBVteE297O73EfngD4 -sceiHAg3S0aZ9xGIsw5VaPJkAWCci03SrHM520pb+Gw --> ssh-ed25519 lHr4YQ v6dG659zPeUqbyT8To8oGf6Kp3y15Z2YjlzdLVK3FCI -wB7EFm4tsgkaYexLfQM+lkNtUr09GWlLnh7CbgX3Ifc --> =-grease zZ5 e./C_ 
-z1vYPnfdTh+G0bc+UvV1EZMSfaNDsWiDHJ+W+1CB2+Z4pOnQt2jBFPYv7rE ---- LbcSlaucZaWsTqBR9PIA46r00cfJtG5ndinWSzsnl/0 -1h~sȰ#-FX/2.ZF?wE]ic.%b-wt܌q_%} \ No newline at end of file +LCJxUzS4Be2QQABzubSP5M9Ridg3Srytbb6+SLITgnRqb0fT5XkG7z4ae2lLMVxT +zJxrZX1crlg/nyibZychMwZDqNofGGKX/zSKyF6u42hqjAtaDneg6jB/T690sSpD +LcuTHUcPLw53bww4amLU5FmFcnGWMHTjmXj6oQ5lks3t3KO9izA+gDJO5kFIYgQa +Z0kMrlH21m2TdyGW7Er72qAlT0euwCKlWGGc1NAaSWyu/2gimTHJ4p+KCOpi1D7/ +cIxMEtXHUoS/vtINi1lZypETVZf9C3xfqZGCnu1xTpFcF8pBLskI/Uz4cxQGLAk3 +xd5fKuNVBnLc0Ku+oFR3zA +-> ssh-ed25519 85WiGg N5HOphuKLUksJTA29E/KHZAdyvTelqq0Lai3KtsGNi0 +6PilN36eZH8KYzQwqeLPX3wuiW4THuFef+ttoJh0BUo +-> ssh-ed25519 reTIKw epotGRShr91lRc2IKDkgfaDd4EhkDtF1jayFv/YW5nE +mMFKyzH1q8ZsUXfLnqFfHT88iz/i4WXVVuWqe3z9vx4 +-> ssh-ed25519 /vwQcQ DvVlWcbAA/xPTgDtpMmSyC2wxrnOM4H/dC1Vhh5Rmhg +JCq1yS057vqOFKZL11YhC4/rxYIRGAUI0y97Uch4tS4 +-> ssh-ed25519 cvTB5g EQ/YM5UYYp3+fS+6u+CwZxUn8Sm8vdqj5xHQf0U0MGc +mVhpObNYWSrAlh8kfADzGnhOw9O2r07v2RJH7DZhFkg +-> ssh-ed25519 Wu8JLQ k91dq2XwhgvE2Y75KAJWzFlPLXv+8+kTvH7sELmsViw +gpnxsNgbeuCYBYUt8j3mGm10rOGAoN9NDYVbObE2zXc +-> ssh-ed25519 vXYJfA fOpqzkovWF/hLUrsjrDwFUsKG3Pa7LQQ2QTiYWT4Ux0 +AM1EdbC+Sg37PZzXf6vsmeXSMMjXRVQT3mq000cmPw8 +-> ssh-ed25519 h6AgbA LWhZtBUJXu15GEIwSyKraXkaO8CO7/TuLSxsnbagQTk +1/It/vtykYe2NzG4r2J53yW+ZS2rgtUVNv8hlWYQnwY +-> ssh-ed25519 lHr4YQ zEMhvSZsUOiM+XEpuTljfKE1MqyxqxuL0yuKTj6E1Vc +J/pYqeaTK9NLIhSKeB0CFSFNLkVeV2C5enKVIRy5+Po +-> #Oj-grease fdq ltL1r ohAHn[aU QF%DKt +G2xXhW58AunOBXwtl1mD/DqdsHRoyjMvVl310MPWNFSSmLhG/UG7pQf3GUNsfThQ +lCvckvUfcYRen/hrEFhtyg +--- zwJ1Ma9A8rDbUQLAFpDNLs+2Iv6RQvEGlDFj9HVDRRg +;>qg4*b~G+x8 +,5!4:֖\go \ No newline at end of file diff --git a/machines/pubkeys/hubrecht.keys b/machines/pubkeys/hubrecht.keys new file mode 100644 index 0000000..07fbe76 --- /dev/null +++ b/machines/pubkeys/hubrecht.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv3iSpIjeUVDf+f89Hb/L++vzMX15Ti/PZTjAAG+tFl -- 2.49.0 
From f410aa4c7585b563ce5cf67eef69f3fa25eaf363 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Wed, 25 Jan 2023 15:35:41 +0100 Subject: [PATCH 70/88] core-services-01: Switch to systemd-network --- machines/core-services-01/configuration.nix | 65 +++++++++++---------- machines/core-services-01/my.nix | 20 ------- machines/core-services-01/network.nix | 36 ++++++++++++ 3 files changed, 70 insertions(+), 51 deletions(-) create mode 100644 machines/core-services-01/network.nix diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 7aa5220..d8284fb 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix 
@@ -1,37 +1,40 @@ { config, pkgs, lib, ... }: { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ./nur.nix - ./rz.nix - ./monitoring.nix - ./programs.nix - ./system.nix - ./acme-ssl.nix - ./dns.nix - ./netboot-server.nix - ./qemu.nix - ./gitea.nix - ./dokuwiki.nix - ./nginx.nix - ./keycloak.nix - ./acme-dns.nix - ./backups.nix - ./headscale.nix - ./snipe-it.nix - # ./dex.nix - ./oauth2_proxy.nix - ./secrets - ./matterbridge.nix - ./tunnels.nix - # TODO push to gitea - # TODO ./gotify.nix - # TODO(Raito): ./backups.nix - # TODO(Raito): ./snmp.nix - # TODO(Raito): ./sflow.nix? - ]; + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + + ./acme-dns.nix + ./acme-ssl.nix + ./backups.nix + # ./dex.nix + ./dns.nix + ./dokuwiki.nix + ./gitea.nix + ./headscale.nix + ./keycloak.nix + ./matterbridge.nix + ./monitoring.nix + ./netboot-server.nix + ./network.nix + ./nginx.nix + ./nur.nix + ./oauth2_proxy.nix + ./programs.nix + ./qemu.nix + ./rz.nix + ./secrets + ./snipe-it.nix + ./system.nix + ./tunnels.nix + + # TODO push to gitea + # TODO ./gotify.nix + # TODO(Raito): ./backups.nix + # TODO(Raito): ./snmp.nix + # TODO(Raito): ./sflow.nix? + ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; diff --git a/machines/core-services-01/my.nix b/machines/core-services-01/my.nix index 994190f..4ac6d20 100644 --- a/machines/core-services-01/my.nix +++ b/machines/core-services-01/my.nix @@ -99,24 +99,4 @@ in example = [ "10.1.0.0/22" ]; }; }; - - config = { - # Default IPv4 exit route - networking.defaultGateway = { - address = ""; - interface = "ens18"; - }; - - networking.interfaces.ens20 = { - ipv4.addresses = map mkAddress cfg.ipv4InternalFull; - }; - - networking.interfaces.ens19 = { - ipv6.addresses = map mkAddress (cfg.ipv6.standardFull ++ [ cfg.ipv6.acmeFull ]); - }; - - networking.interfaces.ens18 = { - ipv4.addresses = map mkAddress cfg.ipv4Full; - }; - }; } 
diff --git a/machines/core-services-01/network.nix b/machines/core-services-01/network.nix new file mode 100644 index 0000000..d3579be --- /dev/null +++ b/machines/core-services-01/network.nix @@ -0,0 +1,36 @@ +{ config, ... }: + +let + inherit (config) my; +in + +{ + networking.useNetworkd = true; + + systemd.network.networks = { + "10-ens18" = { + name = "ens18"; + address = my.ipv4Full; + DHCP = "ipv4"; + }; + + "10-ens19" = { + name = "ens19"; + address = with my.ipv6; standardFull ++ [ acmeFull ]; + + networkConfig.IPv6AcceptRA = true; + + ipv6AcceptRAConfig = { + UseOnLinkPrefix = false; + UseAutonomousPrefix = false; + }; + }; + + "10-ens20" = { + name = "ens20"; + address = my.ipv4InternalFull; + + DHCP = "ipv4"; + }; + }; +} -- 2.49.0 From bd22c63ec4ed133ec7668841bf3bc69584133461 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Wed, 25 Jan 2023 16:55:22 +0100 Subject: [PATCH 71/88] public-cof: Switch to systemd-network --- machines/public-cof/networking.nix | 57 +++++++++++++----------------- 1 file changed, 25 insertions(+), 32 deletions(-) diff --git a/machines/public-cof/networking.nix b/machines/public-cof/networking.nix index 981eff0..39d232f 100644 --- a/machines/public-cof/networking.nix +++ b/machines/public-cof/networking.nix 
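Review bot: Both `"10-ens18"` and `"10-ens20"` set `DHCP = "ipv4"` with no `dhcpV4Config.RouteMetric`, so if both DHCP servers hand out a gateway the node ends up with two default routes at the same metric and the exit interface is whichever lease arrives first. Give the internal interface a higher metric (`dhcpV4Config.RouteMetric = 2048;` under `"10-ens20"`) or keep only addressing from that lease with `dhcpV4Config.UseRoutes = false;`, so the public interface is the deterministic exit. `"10-ens19"` accepts router advertisements but disables both the on-link and the autonomous prefix, which presumably means only the IPv6 default route is taken from RA; a one-line comment saying so would spare the next reader the same inference.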
@@ -1,44 +1,37 @@ { lib, ... }: -let mkAddress = addr: let - splitted = lib.splitString "/" addr; - elemAt = builtins.elemAt splitted; - in - { address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); }; -in { + +{ networking = { hostName = "public-cof"; - # Default IPv4 exit route - defaultGateway = { - address = ""; - interface = "ens20"; - }; - localCommands = "ip route add default dev ens20 metric 10"; + useNetworkd = true; - useDHCP = false; - interfaces.ens18 = { - useDHCP = true; - ipv6.addresses = [{ - address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5"; - prefixLength = 64; - }]; - }; - interfaces.ens19 = { - useDHCP = false; - ipv4.addresses = [{ - address = "10.1.1.21"; - prefixLength = 22; - }]; + firewall = { enable = true; allowedTCPPorts = [ 22 ]; }; + }; + + systemd.network.networks = { + "10-ens18" = { + name = "ens18"; + address = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5/64" ]; + + DHCP = "ipv4"; + + dhcpV4Config.RouteMetric = 10; }; - interfaces.ens20 = { - # 1st is for public-cof - # 2nd is for IPv4 → IPv6 proxy in v6proxy/ - ipv4.addresses = map mkAddress [ "45.13.104.27/32" "45.13.104.29/32" ]; + "10-ens19" = { + name = "ens19"; + address = [ "10.1.1.21/22" ]; + + DHCP = "ipv4"; }; - firewall.allowedTCPPorts = [ 22 ]; - firewall.enable = true; + "10-ens20" = { + name = "ens20"; + address = [ "45.13.104.27/32" "45.13.104.29/32" ]; + + DHCP = "ipv4"; + }; }; services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ]; -- 2.49.0 From 455fd180d2b5a656dd87b2f5973cec4ac217bb5a Mon Sep 17 00:00:00 2001 From: sinavir Date: Mon, 30 Jan 2023 21:21:29 +0100 Subject: [PATCH 72/88] pm=dynamic --- machines/public-cof/nix/sources.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/public-cof/nix/sources.json b/machines/public-cof/nix/sources.json index 3209971..4043d80 100644 --- a/machines/public-cof/nix/sources.json +++ b/machines/public-cof/nix/sources.json 
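Review bot: `dhcpV4Config.RouteMetric = 10` on `"10-ens18"` makes ens18 the preferred IPv4 exit, whereas the removed `localCommands = "ip route add default dev ens20 metric 10"` and `defaultGateway.interface = "ens20"` preferred the public ens20; if the 45.13.104.x interface is still meant to carry outbound traffic, that metric belongs on `"10-ens20"` instead (inferred from the old/new sides, please confirm). The new side also turns on `DHCP = "ipv4"` for ens19, the 10.1.1.21/22 internal interface that previously had `useDHCP = false`, so it now accepts gateway, route and DNS options from whatever answers on that segment; if the lease is only wanted for addressing, add `dhcpV4Config.UseRoutes = false;` and `dhcpV4Config.UseDNS = false;` there, or drop DHCP on ens19 and keep the static `address`.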
@@ -14,7 +14,7 @@ "klubrz-nur": { "branch": "main", "repo": "https://git.rz.ens.wtf/Klub-RZ/nur", - "rev": "9c43904eb242455ca3db9466c5679c81aa92741f", + "rev": "bb95bbed09ccb2ae5ab5a8e02537c4c28c46d27e", "type": "git" }, "niv": { -- 2.49.0 From 244c8027aa0adc6545a67f4f6d3d2e51ea40b08c Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 23 Feb 2023 23:59:59 +0000 Subject: [PATCH 73/88] feat: Add sinavir's keys for `core-services-01` --- machines/core-services-01/configuration.nix | 1 + machines/pubkeys/sinavir.keys | 1 + 2 files changed, 2 insertions(+) create mode 100644 machines/pubkeys/sinavir.keys diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index d8284fb..819ad48 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -85,6 +85,7 @@ ../pubkeys/raito.keys ../pubkeys/mrf.keys ../pubkeys/hubrecht.keys + ../pubkeys/sinavir.keys ]; # Open ports in the firewall. diff --git a/machines/pubkeys/sinavir.keys b/machines/pubkeys/sinavir.keys new file mode 100644 index 0000000..471d054 --- /dev/null +++ b/machines/pubkeys/sinavir.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o -- 2.49.0 From 66c40b1026484c8673989babc531625d7c23e40a Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 23 Feb 2023 23:59:59 +0000 Subject: [PATCH 74/88] feat: Add sinavir's keys to `public-cof` and `remote-builder-01` --- machines/public-cof/configuration.nix | 1 + machines/remote-builder-01/configuration.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index ae3fce3..cb19ba2 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -55,6 +55,7 @@ ../pubkeys/gdd.keys ../pubkeys/raito.keys ../pubkeys/mrf.keys + ../pubkeys/sinavir.keys ]; system.stateVersion = "21.05"; 
diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index ad971fb..286062b 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix @@ -64,6 +64,7 @@ users.users.root.openssh.authorizedKeys.keyFiles = [ ../pubkeys/gdd.keys ../pubkeys/raito.keys + ../pubkeys/sinavir.keys ../pubkeys/remote-builders.keys ]; -- 2.49.0 From 3f2e795b0e1e080c90cca360c39b3fdbb26a1dc1 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 23 Feb 2023 23:59:59 +0000 Subject: [PATCH 75/88] chore: Rename module options --- machines/core-services-01/gitea.nix | 8 ++++---- machines/core-services-01/system.nix | 2 +- machines/public-cof/acme.nix | 2 +- machines/public-cof/hedgedoc.nix | 2 +- machines/public-cof/system.nix | 2 +- machines/remote-builder-01/system.nix | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/machines/core-services-01/gitea.nix b/machines/core-services-01/gitea.nix index ddfcbae..26402d0 100644 --- a/machines/core-services-01/gitea.nix +++ b/machines/core-services-01/gitea.nix @@ -13,11 +13,11 @@ in httpAddress = "127.0.0.1"; httpPort = port; database.type = "postgres"; - disableRegistration = false; - log = { - level = "Warn"; - }; settings = { + service.DISABLE_REGISTRATION = false; + log = { + level = "Warn"; + }; openid = { ENABLE_OPENID_SIGNUP = true; }; diff --git a/machines/core-services-01/system.nix b/machines/core-services-01/system.nix index 827bd11..3ab02d1 100644 --- a/machines/core-services-01/system.nix +++ b/machines/core-services-01/system.nix @@ -8,7 +8,7 @@ # Auto GC and store optimizations nix = { - trustedUsers = [ "root" "gab" ]; + settings.trusted-users = [ "root" "gab" ]; gc = { automatic = true; dates = "weekly"; diff --git a/machines/public-cof/acme.nix b/machines/public-cof/acme.nix index 3911368..9e03a21 100644 --- a/machines/public-cof/acme.nix +++ b/machines/public-cof/acme.nix 
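Review bot: In the gitea.nix hunk, `settings.log.level = "Warn"` emits a lowercase `level` key into the `[log]` section while Gitea's ini keys are uppercase, so the log level set by the old `log.level` option is presumably lost and the instance falls back to its default; the renamed target is most likely `settings.log.LEVEL = "Warn";` — confirm against the 23.05 module's rename and adjust. `service.DISABLE_REGISTRATION = false` next to `openid.ENABLE_OPENID_SIGNUP = true` now states explicitly in the ini that self-registration is open on this instance; a one-line comment such as `# open registration is intentional for this instance` would stop the next reader from treating it as an oversight.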
@@ -1,5 +1,5 @@ { ... }: { security.acme.acceptTerms = true; - security.acme.email = "club-reseau@lists.ens.psl.eu"; + security.acme.defaults.email = "club-reseau@lists.ens.psl.eu"; } diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index b4235d5..23c8782 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -5,7 +5,7 @@ in { services.hedgedoc = { enable = true; - configuration = { + settings = { protocolUseSSL = true; # scp =; # TODO domain = "docs.beta.rz.ens.wtf"; diff --git a/machines/public-cof/system.nix b/machines/public-cof/system.nix index 997dbdd..b3a1d4c 100644 --- a/machines/public-cof/system.nix +++ b/machines/public-cof/system.nix @@ -8,7 +8,7 @@ # Auto GC and store optimizations nix = { - trustedUsers = [ "root" ]; + settings.trusted-users = [ "root" ]; gc = { automatic = true; dates = "weekly"; diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix index 9bb13cf..81732ab 100644 --- a/machines/remote-builder-01/system.nix +++ b/machines/remote-builder-01/system.nix @@ -1,7 +1,7 @@ { pkgs, ... }: { # Auto GC and store optimizations nix = { - trustedUsers = [ "root" ]; + settings.trusted-users = [ "root" ]; gc = { automatic = true; dates = "weekly"; -- 2.49.0 From deffb8e1fc45f4e43df5b5c44646084b86dd8009 Mon Sep 17 00:00:00 2001 From: sinavir Date: Fri, 24 Feb 2023 10:56:54 +0100 Subject: [PATCH 76/88] core-01: fix ipv4 routing issue --- machines/core-services-01/network.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/network.nix b/machines/core-services-01/network.nix index d3579be..da02165 100644 --- a/machines/core-services-01/network.nix +++ b/machines/core-services-01/network.nix 
@@ -29,8 +29,15 @@ in "10-ens20" = { name = "ens20"; address = my.ipv4InternalFull; - DHCP = "ipv4"; + dhcpV4Config.RouteMetric = 2048; + routes = [ + { + routeConfig = { + Destination = "10.0.0.0/8"; + }; + } + ]; }; }; } -- 2.49.0 From 2fde8ccf156c88b2200952017106a604b339bd29 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:04:42 +0200 Subject: [PATCH 77/88] deployment: upgrade to 23.05 --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 92a2cda..45c0417 100644 --- a/krops.nix +++ b/krops.nix @@ -9,7 +9,7 @@ let # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "8d3bd93e67201a7c8238e9cbde6d07aba9500636"; # nixos-unstable + ref = "23.05"; url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.49.0 From b88167f46a824194b079410b74010a03bb823207 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:21:44 +0200 Subject: [PATCH 78/88] =?UTF-8?q?deployment:=20fix=20it=20for=2023.05?= =?UTF-8?q?=E2=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 45c0417..140772d 100644 --- a/krops.nix +++ b/krops.nix @@ -9,7 +9,7 @@ let # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "23.05"; + ref = "origin/release-23.05"; url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.49.0 From 42cd2d7b794ebd8184b98760aab945c0dc1cd5e1 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:21:54 +0200 Subject: [PATCH 79/88] public-cof: add thubrecht --- machines/public-cof/configuration.nix | 1 + machines/public-cof/secrets/secrets.nix | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index cb19ba2..6bd8454 100644 --- a/machines/public-cof/configuration.nix 
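Review bot: `dhcpV4Config.RouteMetric = 2048` has no effect here, because the same hunk removes `DHCP = "ipv4"` and systemd-networkd's `DHCP=` defaults to no, so no DHCPv4 client runs on ens20 and there is no DHCP route for the metric to apply to. Either keep `DHCP = "ipv4";` alongside the metric or drop the `dhcpV4Config` line and rely on the static route alone. The added route has `Destination = "10.0.0.0/8"` with no `Gateway`, which installs the whole 10/8 as directly reachable via ens20 — presumably the intended fix for the internal network — and a comment such as `# internal 10/8 is on-link via ens20; everything else leaves via ens18` would make that explicit.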
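Review bot: In the second krops.nix hunk, `ref = "origin/release-23.05"` replaces a pinned revision with a moving branch, so two deployments from the same repository checkout can build different nixpkgs revisions and git no longer records which one was deployed. Pin the branch head as a commit hash with the branch in a comment, as the earlier pins did (`ref = "<commit-on-release-23.05>"; # release-23.05`), and bump it deliberately when updating.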
+++ b/machines/public-cof/configuration.nix @@ -56,6 +56,7 @@ ../pubkeys/raito.keys ../pubkeys/mrf.keys ../pubkeys/sinavir.keys + ../pubkeys/hubrecht.keys ]; system.stateVersion = "21.05"; diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index c703081..d48cb63 100644 --- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -2,7 +2,7 @@ let pkgs = import {}; lib = pkgs.lib; readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); - superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); + superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "hubrecht"); public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; systems = [ public-cof ]; in -- 2.49.0 From 793e4d2aeea78b56ddfe5ca3d9d21f3906a1626f Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:22:03 +0200 Subject: [PATCH 80/88] public-cof: add some tuning for lychee --- machines/public-cof/lychee.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/machines/public-cof/lychee.nix b/machines/public-cof/lychee.nix index 944604b..137cd32 100644 --- a/machines/public-cof/lychee.nix +++ b/machines/public-cof/lychee.nix @@ -7,4 +7,11 @@ website = "photos.ens.wtf"; settings.APP_URL = "https://${config.services.lychee.website}"; }; + services.phpfpm.pools."photos.ens.wtf".settings = { + pm = "dynamic"; + "pm.max_children" = 10; + "pm.start_servers" = 3; + "pm.min_spare_servers" = 1; + "pm.max_spare_servers" = 3; + }; } -- 2.49.0 From 55c7194022bcbe79b1ad6009e9a5a3c9cce7374d Mon Sep 17 00:00:00 2001 
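Review bot: In the secrets.nix hunk, appending `(readPubkeys "hubrecht")` to `superadmins` changes the recipient list used when secrets are encrypted, but the commit touches no `.age` file under that directory, so the existing secrets stay encrypted to the previous recipient set and the new key cannot decrypt them until they are rekeyed. A follow-up commit with the rekeyed files (`agenix -r` in the secrets directory, presumably — confirm which tool this repository uses), or a note in the description that rekeying was done out of band, would make the access change verifiable.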
From: sinavir Date: Sun, 23 Jul 2023 16:55:26 +0200 Subject: [PATCH 81/88] core-01: make it work for 23.05 --- machines/core-services-01/configuration.nix | 1 - machines/core-services-01/dokuwiki.nix | 28 --------------------- machines/core-services-01/monitoring.nix | 20 +++++++-------- 3 files changed, 10 insertions(+), 39 deletions(-) delete mode 100644 machines/core-services-01/dokuwiki.nix diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 819ad48..ac0021a 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -10,7 +10,6 @@ ./backups.nix # ./dex.nix ./dns.nix - ./dokuwiki.nix ./gitea.nix ./headscale.nix ./keycloak.nix diff --git a/machines/core-services-01/dokuwiki.nix b/machines/core-services-01/dokuwiki.nix deleted file mode 100644 index 1ad68e0..0000000 --- a/machines/core-services-01/dokuwiki.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, ... }: - -let - my = config.my; -in -{ - services.dokuwiki.sites."wiki.${my.subZone}" = { - enable = true; - acl = '' - * @ALL 1 - * @admin 16 - ''; - }; - - /* - services.nginx = { - enable = true; - - virtualHosts."wiki.${my.subZone}" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "htttp://127.0.0.1:${toString port}"; - }; - }; - }; - */ -} diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index edf0d20..7015efa 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix 
@@ -36,16 +36,16 @@ in { services.netdata = { enable = true; - package = pkgs.netdata.overrideAttrs (old: { - version = "1.36.0-185-nightly"; - src = pkgs.fetchFromGitHub { - owner = "netdata"; - repo = "netdata"; - rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; - sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; - fetchSubmodules = true; - }; - }); + #package = pkgs.netdata.overrideAttrs (old: { + # version = "1.36.0-185-nightly"; + # src = pkgs.fetchFromGitHub { + # owner = "netdata"; + # repo = "netdata"; + # rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; + # sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; + # fetchSubmodules = true; + # }; + #}); }; systemd.services.netdata.environment."NETDATA_DISABLE_CLOUD" = "1"; -- 2.49.0 From 2ab0cc688587772815ddd8631ec728546a8e4bd6 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 23 Jul 2023 17:52:45 +0200 Subject: [PATCH 82/88] =?UTF-8?q?public-cof:=20NC25=20=E2=86=92=20NC26?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Get us rid of RC4 encryption shenigans. --- machines/public-cof/nextcloud.nix | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 847affd..badd243 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,14 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud25; - # OpenSSL 3.0.x breaks RC4 encryption for NextCloud - # But we enabled encryption for NextCloud - # Therefore... - phpPackage = lib.mkForce (pkgs.php81.withExtensions ({ enabled, all }: - (lib.filter (e: e != pkgs.php81.extensions.openssl) enabled) - ++ [ (all.openssl.override { buildInputs = [ pkgs.openssl_1_1 ]; }) ] - )); + package = pkgs.nextcloud26; config = { overwriteProtocol = "https"; -- 2.49.0 From 6fb8528a9950eb1a9177d28e04831b9c6bbd7d25 Mon Sep 17 00:00:00 2001 
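Review bot: The netdata `package` override is commented out rather than removed, leaving a stale nightly `rev`/`sha256` pair in the file that no longer corresponds to what is deployed; git history already preserves the old pin, so deleting the block keeps the file honest. If the intent is to return to a nightly later, a single `# TODO: re-pin netdata if the 23.05 package turns out insufficient` says more than nine commented lines.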
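Review bot: In the nextcloud.nix hunk, dropping the `openssl_1_1`-backed PHP is the right direction since OpenSSL 1.1 is end-of-life, but nothing on the new side records what happens to data already encrypted with the legacy cipher on this instance; if server-side encryption was in use, whether those files remain readable after the NC26 upgrade should be confirmed and noted, for example in a comment next to `package = pkgs.nextcloud26;`. With the `lib.mkForce` expression gone, `lib` may now be an unused argument of the module header, which sits outside the hunk.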
From: sinavir Date: Sun, 23 Jul 2023 17:58:44 +0200 Subject: [PATCH 83/88] public-cof: upgrade garage --- machines/public-cof/garage.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/garage.nix b/machines/public-cof/garage.nix index 7d25b0a..e2a1321 100644 --- a/machines/public-cof/garage.nix +++ b/machines/public-cof/garage.nix @@ -22,6 +22,7 @@ }; services.garage = { enable = true; + package = pkgs.garage_0_8; settings = { replication_mode = "none"; compression_level = 7; -- 2.49.0 From 50c17c74bb457182da4e91e8a6c4031ac6cce5cf Mon Sep 17 00:00:00 2001 From: tomate Date: Sun, 23 Jul 2023 18:04:38 +0200 Subject: [PATCH 84/88] Add 'CONTRIBUTING.md' --- CONTRIBUTING.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..46ce2a1 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1 @@ +Maurice écoute les conventions de Ryan \ No newline at end of file -- 2.49.0 From 6b6470eef94acd0b64eb2fbaa600815bb3c7fc3f Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 23 Jul 2023 23:36:06 +0200 Subject: [PATCH 85/88] keys: Move from machines/publickeys --- keys/gdd.keys | 2 ++ keys/hackens-milieu.keys | 1 + keys/hubrecht.keys | 1 + keys/mrf.keys | 1 + keys/raito.keys | 4 ++++ keys/remote-builders.keys | 1 + keys/sinavir.keys | 1 + 7 files changed, 11 insertions(+) create mode 100644 keys/gdd.keys create mode 100644 keys/hackens-milieu.keys create mode 100644 keys/hubrecht.keys create mode 100644 keys/mrf.keys create mode 100644 keys/raito.keys create mode 100644 keys/remote-builders.keys create mode 100644 keys/sinavir.keys diff --git a/keys/gdd.keys b/keys/gdd.keys new file mode 100644 index 0000000..b5d4e40 --- /dev/null +++ b/keys/gdd.keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ 
diff --git a/keys/hackens-milieu.keys b/keys/hackens-milieu.keys new file mode 100644 index 0000000..c79c039 --- /dev/null +++ b/keys/hackens-milieu.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3+w4+nyJG8lr2mh0S9Zf8j2/6H5smlO87s6KNLlhkF hackens@hackens-milieu diff --git a/keys/hubrecht.keys b/keys/hubrecht.keys new file mode 100644 index 0000000..07fbe76 --- /dev/null +++ b/keys/hubrecht.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv3iSpIjeUVDf+f89Hb/L++vzMX15Ti/PZTjAAG+tFl diff --git a/keys/mrf.keys b/keys/mrf.keys new file mode 100644 index 0000000..ebbfa68 --- /dev/null +++ b/keys/mrf.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe4tx0+lNX2w7kG94c9u7U0wHuOc2A6zpHcbyAs+w/d diff --git a/keys/raito.keys b/keys/raito.keys new file mode 100644 index 0000000..0f48a59 --- /dev/null +++ b/keys/raito.keys @@ -0,0 +1,4 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr diff --git a/keys/remote-builders.keys b/keys/remote-builders.keys new file mode 100644 index 0000000..b1b7645 --- /dev/null +++ b/keys/remote-builders.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ Raito's remote builder key diff --git a/keys/sinavir.keys b/keys/sinavir.keys new file mode 100644 index 0000000..471d054 --- /dev/null +++ b/keys/sinavir.keys 
@@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o -- 2.49.0 From 7f88c60cc22761935cbf0159e58283bf54d72a41 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 23 Jul 2023 23:36:55 +0200 Subject: [PATCH 86/88] Switch from krops to colmena --- .envrc | 1 + .gitignore | 1 + hive.nix | 57 +++++++++++++++++ .../{configuration.nix => _configuration.nix} | 22 +------ ...ration.nix => _hardware-configuration.nix} | 0 .../{configuration.nix => _configuration.nix} | 11 ---- ...ration.nix => _hardware-configuration.nix} | 0 .../{configuration.nix => _configuration.nix} | 20 +----- ...ration.nix => _hardware-configuration.nix} | 0 meta/default.nix | 5 ++ meta/nodes.nix | 64 +++++++++++++++++++ modules/default.nix | 11 ++++ modules/krz-access-control.nix | 46 +++++++++++++ modules/krz-ssh.nix | 25 ++++++++ nix-patches/default.nix | 1 + npins/default.nix | 47 ++++++++++++++ npins/sources.json | 43 +++++++++++++ shell.nix | 15 +++++ 18 files changed, 318 insertions(+), 51 deletions(-) create mode 100644 .envrc create mode 100644 hive.nix rename machines/core-services-01/{configuration.nix => _configuration.nix} (70%) rename machines/core-services-01/{hardware-configuration.nix => _hardware-configuration.nix} (100%) rename machines/public-cof/{configuration.nix => _configuration.nix} (77%) rename machines/public-cof/{hardware-configuration.nix => _hardware-configuration.nix} (100%) rename machines/remote-builder-01/{configuration.nix => _configuration.nix} (69%) rename machines/remote-builder-01/{hardware-configuration.nix => _hardware-configuration.nix} (100%) create mode 100644 meta/default.nix create mode 100644 meta/nodes.nix create mode 100644 modules/default.nix create mode 100644 modules/krz-access-control.nix create mode 100644 modules/krz-ssh.nix create mode 100644 nix-patches/default.nix create mode 100644 npins/default.nix create mode 100644 npins/sources.json create mode 100644 shell.nix 
diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..1d953f4 --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use nix diff --git a/.gitignore b/.gitignore index b2be92b..726d2d6 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ result +.direnv diff --git a/hive.nix b/hive.nix new file mode 100644 index 0000000..fdc3708 --- /dev/null +++ b/hive.nix @@ -0,0 +1,57 @@ +let + sources = import ./npins; + metadata = import ./meta; + + lib = import (sources.nix-lib + "/trivial.nix"); + + mkNode = node: { name, nodes, ... }: { + # Import the base configuration for each node + imports = builtins.map (lib.mkRel ./machines/${node}) [ + "_configuration.nix" + "_hardware-configuration.nix" + ]; + + # Include default secrets + # dgn-secrets.sources = [ ./machines/${node}/secrets ]; + + # Deployment config is specified in meta.nodes.${node}.deployment + inherit (metadata.nodes.${node}) deployment; + + # Set NIX_PATH to the patched version of nixpkgs + nix.nixPath = [ "nixpkgs=${mkNixpkgs node}" ]; + + # Use the stateVersion declared in the metadata + system.stateVersion = metadata.nodes.${node}.stateVersion; + }; + + mkNixpkgs = node: + let version = "nixos-${metadata.nodes.${node}.nixpkgs}"; in + (import sources.${version} { }).applyPatches { + name = "${version}-patched"; + src = sources.${version}; + patches = (import ./nix-patches).${version} or [ ]; + }; + + mkNixpkgs' = node: import (mkNixpkgs node) { }; + + mkArgs = node: { + nix-lib = import sources.nix-lib { inherit ((mkNixpkgs' node)) lib; keysRoot = ./keys; }; + }; + + nodes = builtins.attrNames metadata.nodes; +in + +{ + meta = { + nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes; + + specialArgs = { inherit sources; meta = metadata; }; + + nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes; + }; + + defaults = { ... }: { + # Import the default modules + imports = [ ./modules ]; + }; +} // (lib.mapSingleFuse mkNode nodes) 
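Review bot: In hive.nix, `# dgn-secrets.sources = [ ./machines/${node}/secrets ];` is commented-out code referring to a module this repository does not define, so it reads as a leftover from the deployment the file was adapted from; replace it with `# TODO: wire per-machine secrets once an agenix module is imported in modules/default.nix` or delete it. `inherit ((mkNixpkgs' node)) lib;` carries a redundant pair of parentheses.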
diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/_configuration.nix similarity index 70% rename from machines/core-services-01/configuration.nix rename to machines/core-services-01/_configuration.nix index ac0021a..9bcee06 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/_configuration.nix @@ -2,9 +2,6 @@ { imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ./acme-dns.nix ./acme-ssl.nix ./backups.nix @@ -77,28 +74,11 @@ services.zfs.autoScrub.enable = true; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../pubkeys/gdd.keys - ../pubkeys/raito.keys - ../pubkeys/mrf.keys - ../pubkeys/hubrecht.keys - ../pubkeys/sinavir.keys - ]; - # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. networking.firewall.enable = false; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.05"; # Did you read the comment? - environment.variables.NIX_PATH = lib.mkForce "/var/src"; + system.stateVersion = "22.05"; } diff --git a/machines/core-services-01/hardware-configuration.nix b/machines/core-services-01/_hardware-configuration.nix similarity index 100% rename from machines/core-services-01/hardware-configuration.nix rename to machines/core-services-01/_hardware-configuration.nix 
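Review bot: The new side of the second hunk keeps `system.stateVersion = "22.05";` while `mkNode` in hive.nix also sets `system.stateVersion` from `metadata.nodes.<node>.stateVersion`; the two definitions only merge because the strings are equal today, and the first time one of them is bumped evaluation fails with a conflicting-definition error. Keep a single source of truth: drop the line here, and likewise the `system.stateVersion = "21.05";` lines kept in `machines/public-cof/_configuration.nix` and `machines/remote-builder-01/_configuration.nix`, or remove the assignment from `mkNode`. With the `lib.mkForce` line removed, `lib` may be an unused argument of this file's header, which is outside the hunk.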
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/_configuration.nix similarity index 77% rename from machines/public-cof/configuration.nix rename to machines/public-cof/_configuration.nix index 6bd8454..a831791 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/_configuration.nix @@ -3,7 +3,6 @@ { imports = [ - ./hardware-configuration.nix ./programs.nix ./system.nix ./acme.nix @@ -49,15 +48,5 @@ enableSSHSupport = true; }; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../pubkeys/gdd.keys - ../pubkeys/raito.keys - ../pubkeys/mrf.keys - ../pubkeys/sinavir.keys - ../pubkeys/hubrecht.keys - ]; - system.stateVersion = "21.05"; } diff --git a/machines/public-cof/hardware-configuration.nix b/machines/public-cof/_hardware-configuration.nix similarity index 100% rename from machines/public-cof/hardware-configuration.nix rename to machines/public-cof/_hardware-configuration.nix diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/_configuration.nix similarity index 69% rename from machines/remote-builder-01/configuration.nix rename to machines/remote-builder-01/_configuration.nix index 286062b..d5906a8 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/_configuration.nix @@ -2,7 +2,6 @@ { imports = [ - ./hardware-configuration.nix ./system.nix # TODO monitoring ]; 
@@ -59,28 +58,11 @@ services.zfs.autoScrub.enable = true; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../pubkeys/gdd.keys - ../pubkeys/raito.keys - ../pubkeys/sinavir.keys - ../pubkeys/remote-builders.keys - ]; - # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. networking.firewall.enable = false; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "21.05"; # Did you read the comment? - + system.stateVersion = "21.05"; } - diff --git a/machines/remote-builder-01/hardware-configuration.nix b/machines/remote-builder-01/_hardware-configuration.nix similarity index 100% rename from machines/remote-builder-01/hardware-configuration.nix rename to machines/remote-builder-01/_hardware-configuration.nix diff --git a/meta/default.nix b/meta/default.nix new file mode 100644 index 0000000..a6ccb51 --- /dev/null +++ b/meta/default.nix @@ -0,0 +1,5 @@ +let + nodes = import ./nodes.nix; +in + +{ inherit nodes; } diff --git a/meta/nodes.nix b/meta/nodes.nix new file mode 100644 index 0000000..c017cc4 --- /dev/null +++ b/meta/nodes.nix 
@@ -0,0 +1,64 @@ +### +# File specifying all the deployement options for the nodes administrated by the dgnum. +# +# Node metadata template is: +# +# NODE_NAME = { +# adminGroups = []; # List of groups that have root access +# admins = []; # List of individuals that have root access +# deployment = {}; # Colmena deployment options +# nixpkgs = "unstable" or "22.11"; # nixpkgs version +# } + +let + mkNode = _: attrs: { + access = [ ]; + + deployment = { }; + + nixpkgs = "23.05"; + } // attrs; +in + +builtins.mapAttrs mkNode { + core-services-01 = { + admins = [ + "gdd" + "hubrecht" + "mrf" + "raito" + "sinavir" + ]; + + deployment.targetHost = "core01.rz.ens.wtf"; + + stateVersion = "22.05"; + }; + + remote-builder-01 = { + admins = [ + "gdd" + "raito" + "sinavir" + "remote-builders" + ]; + + deployment.targetHost = "nix01.builders.rz.ens.wtf"; + + stateVersion = "21.05"; + }; + + public-cof = { + admins = [ + "gdd" + "hubrecht" + "mrf" + "raito" + "sinavir" + ]; + + deployment.targetHost = "beta.rz.ens.wtf"; + + stateVersion = "21.05"; + }; +} diff --git a/modules/default.nix b/modules/default.nix new file mode 100644 index 0000000..bc98724 --- /dev/null +++ b/modules/default.nix @@ -0,0 +1,11 @@ +{ nix-lib, sources, ... }: + +{ + imports = (nix-lib.mkImports ./. [ + "krz-access-control" + "krz-ssh" + ]) ++ [ + # TODO: Switch to global version of agenix via npins + # "${sources.agenix}/modules/age.nix" + ]; +} diff --git a/modules/krz-access-control.nix b/modules/krz-access-control.nix new file mode 100644 index 0000000..55fd2a3 --- /dev/null +++ b/modules/krz-access-control.nix 
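Review bot: In meta/nodes.nix, `mkNode` fills a default `access = [ ]` that nothing reads, while `modules/krz-access-control.nix` does `inherit (nodeMeta) admins;` with no default, so a node entry that omits `admins` fails to evaluate instead of getting an empty admin list; the header comment additionally documents `adminGroups`, which no node defines and no module consumes. Change the default to `admins = [ ];` and either drop `adminGroups` from the template or implement it, so the template, the defaults and the consumer agree. The header comment also misspells "deployement".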
@@ -0,0 +1,46 @@
+{ config, lib, nix-lib, meta, name, ... }:
+
+let
+ inherit (lib)
+ mkDefault
+ mkEnableOption
+ mkIf
+ mkOption
+
+ types;
+
+ nodeMeta = meta.nodes.${name};
+ inherit (nodeMeta) admins;
+
+ cfg = config.krz-access-control;
+in
+
+{
+ options.krz-access-control = {
+ enable = mkEnableOption "DGNum access control." // { default = true; };
+
+ users = mkOption {
+ type = with types; attrsOf (listOf str);
+ default = { };
+ description = ''
+ Attribute set describing which member has access to which user on the node.
+ Members must be declared in `meta/members.nix`.
+ '';
+ example = ''
+ {
+ user1 = [ "member1" "member2" ];
+ }
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ # Admins have root access to the node
+ krz-access-control.users.root = mkDefault admins;
+
+ users.users = builtins.mapAttrs
+ (u: members: { openssh.authorizedKeys.keys = nix-lib.getAllKeys members; })
+ cfg.users;
+ };
+}
+
diff --git a/modules/krz-ssh.nix b/modules/krz-ssh.nix
new file mode 100644
index 0000000..4124ada
--- /dev/null
+++ b/modules/krz-ssh.nix
@@ -0,0 +1,25 @@
+{ config, lib, ... }:
+
+let
+ inherit (lib)
+ mkEnableOption
+ mkIf;
+
+ cfg = config.krz-ssh;
+in
+
+{
+ options.krz-ssh = {
+ enable = mkEnableOption "ssh default configuration." // { default = true; };
+ };
+
+ config = mkIf cfg.enable {
+ services.openssh = {
+ enable = true;
+
+ settings.PasswordAuthentication = false;
+ };
+
+ programs.mosh.enable = true;
+ };
+}
diff --git a/nix-patches/default.nix b/nix-patches/default.nix
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/nix-patches/default.nix
@@ -0,0 +1 @@
+{}
diff --git a/npins/default.nix b/npins/default.nix
new file mode 100644
index 0000000..4a7c372
--- /dev/null
+++ b/npins/default.nix
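Review bot: `users.users = builtins.mapAttrs (u: members: { openssh.authorizedKeys.keys = ...; }) cfg.users;` defines an account entry for every key of `cfg.users` but only fills in authorized keys; for a name the node does not declare elsewhere this yields a user with neither `isNormalUser` nor `isSystemUser`, which NixOS's user assertions will presumably reject, and for an existing account it silently grants SSH login with no trace in that account's own definition. Document the contract above the assignment, e.g. `# Only authorized keys are managed here; the target account must be declared by the node itself.`, and consider asserting it so a typo in a member name does not create a half-defined user. Separately, `inherit (nodeMeta) admins;` is evaluated outside `mkIf cfg.enable`, so a node without `admins` in meta fails even with the module disabled.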
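Review bot: `settings.PasswordAuthentication = false;` on its own does not close password logins: sshd's keyboard-interactive method still goes through PAM, and as far as I recall NixOS leaves `services.openssh.settings.KbdInteractiveAuthentication` at its default of `true`, so add `settings.KbdInteractiveAuthentication = false;` next to it. Since root access is granted by key in `krz-access-control`, pinning `settings.PermitRootLogin = "prohibit-password";` makes that reliance explicit rather than inherited from the NixOS default. `programs.mosh.enable = true;` also opens the mosh UDP port range in the firewall unless `programs.mosh.openFirewall` is set to false; worth a one-line comment so that exposure is visibly deliberate on every node that imports this module.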
@@ -0,0 +1,47 @@ +# Generated by npins. Do not modify; will be overwritten regularly +let + data = builtins.fromJSON (builtins.readFile ./sources.json); + version = data.version; + + mkSource = spec: + assert spec ? type; let + path = + if spec.type == "Git" then mkGitSource spec + else if spec.type == "GitRelease" then mkGitSource spec + else if spec.type == "PyPi" then mkPyPiSource spec + else if spec.type == "Channel" then mkChannelSource spec + else builtins.throw "Unknown source type ${spec.type}"; + in + spec // { outPath = path; }; + + mkGitSource = { repository, revision, url ? null, hash, ... }: + assert repository ? type; + # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository + # In the latter case, there we will always be an url to the tarball + if url != null then + (builtins.fetchTarball { + inherit url; + sha256 = hash; # FIXME: check nix version & use SRI hashes + }) + else assert repository.type == "Git"; builtins.fetchGit { + url = repository.url; + rev = revision; + # hash = hash; + }; + + mkPyPiSource = { url, hash, ... }: + builtins.fetchurl { + inherit url; + sha256 = hash; + }; + + mkChannelSource = { url, hash, ... }: + builtins.fetchTarball { + inherit url; + sha256 = hash; + }; +in +if version == 3 then + builtins.mapAttrs (_: mkSource) data.pins +else + throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`" diff --git a/npins/sources.json b/npins/sources.json new file mode 100644 index 0000000..1df8536 --- /dev/null +++ b/npins/sources.json 
@@ -0,0 +1,43 @@ +{ + "pins": { + "agenix": { + "type": "GitRelease", + "repository": { + "type": "Git", + "url": "https://github.com/ryantm/agenix" + }, + "pre_releases": false, + "version_upper_bound": null, + "version": "0.13.0", + "revision": "9c9fbfb94b2d545c7f0b78da0254ea0041595795", + "url": null, + "hash": "0k6aggy3lhqv6j11cvi4gr0i3jps8hlf262xl9ji3ffxwas46p54" + }, + "nix-lib": { + "type": "GitRelease", + "repository": { + "type": "Git", + "url": "https://git.hubrecht.ovh/hubrecht/nix-lib" + }, + "pre_releases": false, + "version_upper_bound": null, + "version": "0.1.1", + "revision": "5db2443e2cb18335375ad84ffbc066a239c054de", + "url": null, + "hash": "18xzi2yn2vk7zq79pgz8z2s1ijhyjcx5866mp21rrdi9gz37yiif" + }, + "nixos-23.05": { + "type": "Channel", + "name": "nixos-23.05", + "url": "https://releases.nixos.org/nixos/23.05/nixos-23.05.2162.6da4bc6cb07/nixexprs.tar.xz", + "hash": "198wbl9b7j3k51n0rxs09vy6x535ysqv6kbxf42d9yqr49d2n9vc" + }, + "nixpkgs": { + "type": "Channel", + "name": "nixpkgs-unstable", + "url": "https://releases.nixos.org/nixpkgs/nixpkgs-23.11pre506668.af8cd5ded77/nixexprs.tar.xz", + "hash": "0in8bgah6hz47lsa3ka2fslwks174maqdzy8mcmsj0q4wrv8h2s9" + } + }, + "version": 3 +} \ No newline at end of file diff --git a/shell.nix b/shell.nix new file mode 100644 index 0000000..e29954b --- /dev/null +++ b/shell.nix @@ -0,0 +1,15 @@ +let + sources = import ./npins; + pkgs = import sources.nixpkgs { }; +in + +pkgs.mkShell { + packages = with pkgs; [ + npins + colmena + nixos-generators + ] ++ (builtins.map (p: callPackage p { }) [ + ]); + + allowSubstitutes = false; +} -- 2.49.0 From 29034e605695e37086e46f9cedb77af4bc132dc8 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 23 Jul 2023 23:50:10 +0200 Subject: [PATCH 87/88] krops.nix: Delete --- krops.nix | 36 ------------------------------------ 1 file changed, 36 deletions(-) delete mode 100644 krops.nix diff --git a/krops.nix b/krops.nix deleted file mode 100644 index 140772d..0000000 
--- a/krops.nix +++ /dev/null @@ -1,36 +0,0 @@ -let - krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; }; - lib = import "${krops}/lib"; - pkgs = import "${krops}/pkgs" { }; - source = machine: - lib.evalSource [{ - config.file = toString ./machines; - nixos-config.symlink = "config/${machine}/configuration.nix"; - # Auto-upgrade wen? - nixpkgs.git = { - clean.exclude = [ "/.version-suffix" ]; - ref = "origin/release-23.05"; - url = "https://github.com/NixOS/nixpkgs"; - }; - }]; - mkTestConfig = hostname: { - name = "test-${hostname}"; - value = pkgs.krops.writeTest "test-${hostname}" { - source = source hostname; - target = lib.mkTarget { - host = "localhost"; - path = "/tmp/src"; - }; - force = true; # force create the sentinel file. - }; - }; - mkTestsConfig = hostnames: builtins.listToAttrs (map mkTestConfig hostnames); - mkDeploy = hostname: target: { ${hostname} = pkgs.krops.writeDeploy "deploy-${hostname}" { - source = source hostname; - inherit target; - }; }; -in {} -// mkDeploy "core-services-01" "root@core01.rz.ens.wtf" -// mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" -// mkDeploy "public-cof" "root@beta.rz.ens.wtf" -// mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] -- 2.49.0 From 41fc60e1eb6fb12f896be92abb5cfd946c3480d4 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 23 Jul 2023 23:56:33 +0200 Subject: [PATCH 88/88] core-01: Disable netboot-server --- machines/core-services-01/_configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/core-services-01/_configuration.nix b/machines/core-services-01/_configuration.nix index 9bcee06..3c7162e 100644 --- a/machines/core-services-01/_configuration.nix +++ b/machines/core-services-01/_configuration.nix @@ -12,7 +12,7 @@ ./keycloak.nix ./matterbridge.nix ./monitoring.nix - ./netboot-server.nix + # ./netboot-server.nix ./network.nix ./nginx.nix ./nur.nix -- 2.49.0